From 74ca47f593480fdf5fc3bc80523dc7099318ff5c Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Aug 01 2017 03:44:16 +0000
Subject: import 389-ds-base-1.3.6.1-16.el7
---
diff --git a/.389-ds-base.metadata b/.389-ds-base.metadata
index e422dd9..3a558a8 100644
--- a/.389-ds-base.metadata
+++ b/.389-ds-base.metadata
@@ -1,2 +1 @@
-b598dfe4a27f2518a6625f3852f8462553a6a483 SOURCES/389-ds-base-1.3.5.10.tar.bz2
-835c9788650d1b9ef0896c267b06b9e529612835 SOURCES/nunc-stans-0.1.8.tar.bz2
+debdbca81fda1651bf73e504ca8bc8c1b48a3b59 SOURCES/389-ds-base-1.3.6.1.tar.bz2
diff --git a/.gitignore b/.gitignore
index cf11ad0..a990b51 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
-SOURCES/389-ds-base-1.3.5.10.tar.bz2
-SOURCES/nunc-stans-0.1.8.tar.bz2
+SOURCES/389-ds-base-1.3.6.1.tar.bz2
diff --git a/SOURCES/0000-Ticket-48743-If-a-cipher-is-disabled-do-not-attempt-.patch b/SOURCES/0000-Ticket-48743-If-a-cipher-is-disabled-do-not-attempt-.patch
deleted file mode 100644
index 42ca5ca..0000000
--- a/SOURCES/0000-Ticket-48743-If-a-cipher-is-disabled-do-not-attempt-.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -From e39b61ea17ae2cecbadee304678f6506d228c504 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 7 Jul 2016 14:53:48 -0400 -Subject: [PATCH 0/3] Ticket 48743 - If a cipher is disabled do not attempt to - look it up - -Description: Even if a SSL cipher is disabled the server still attempts - to locate the cipher in the security library. If the disabled - cipher is unknown it logs a warning at server startup, but - if it's disabled there is no reason to check if it exists. - -https://fedorahosted.org/389/ticket/48743 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit 6b61e05e04661312871c0b1c6121901d786d54c3) ---- - ldap/servers/slapd/ssl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c -index 12a0360..b176460 100644 ---- a/ldap/servers/slapd/ssl.c -+++ b/ldap/servers/slapd/ssl.c -@@ -749,7 +749,7 @@ _conf_setciphers(char *ciphers, int flags) - if (lookup) { /* lookup with old cipher name and get NSS cipherSuiteName */ - for (i = 0; _lookup_cipher[i].alias; i++) { - if (!PL_strcasecmp(ciphers, _lookup_cipher[i].alias)) { -- if (!_lookup_cipher[i].name[0]) { -+ if (enabled && !_lookup_cipher[i].name[0]) { - slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d. Ignoring %s", - ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers); - continue; --- -2.4.11 - diff --git a/SOURCES/0000-Ticket-49164-Change-NS-to-acq-rel-semantics-for-atom.patch b/SOURCES/0000-Ticket-49164-Change-NS-to-acq-rel-semantics-for-atom.patch new file mode 100644 index 0000000..a779d35 --- /dev/null +++ b/SOURCES/0000-Ticket-49164-Change-NS-to-acq-rel-semantics-for-atom.patch 
@@ -0,0 +1,67 @@ +From 70230bf894d9c0150dca8dc6fccc2712187f7b86 Mon Sep 17 00:00:00 2001 +From: William Brown +Date: Mon, 13 Mar 2017 13:29:43 +1000 +Subject: [PATCH 1/5] Ticket 49164 - Change NS to acq-rel semantics for atomics + +Bug Description: We were using seq_cst to guarantee our operations +as a poc. Changing to acq/rel allows us the same guarantees, but +with less overheads. + +Fix Description: Change the barrier type. + +https://gcc.gnu.org/wiki/Atomic/GCCMM/AtomicSync + +https://pagure.io/389-ds-base/issue/49164 + +Author: wibrown + +Review by: mreynolds (Thanks!) + +(cherry picked from commit b1b0574d2cdb012ab206999ed51f08d3340386ce) +--- + src/nunc-stans/ns/ns_thrpool.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c +index 744749b..a867b39 100644 +--- a/src/nunc-stans/ns/ns_thrpool.c ++++ b/src/nunc-stans/ns/ns_thrpool.c +@@ -167,7 +167,7 @@ ns_thrpool_is_shutdown(struct ns_thrpool_t *tp) + { + /* We need to barrier this somehow? */ + int32_t result = 0; +- __atomic_load(&(tp->shutdown), &result, __ATOMIC_SEQ_CST); ++ __atomic_load(&(tp->shutdown), &result, __ATOMIC_ACQUIRE); + return result; + } + +@@ -176,7 +176,7 @@ ns_thrpool_is_event_shutdown(struct ns_thrpool_t *tp) + { + /* We need to barrier this somehow? */ + int32_t result = 0; +- __atomic_load(&(tp->shutdown_event_loop), &result, __ATOMIC_SEQ_CST); ++ __atomic_load(&(tp->shutdown_event_loop), &result, __ATOMIC_ACQUIRE); + return result; + } + +@@ -1402,7 +1402,7 @@ ns_thrpool_destroy(struct ns_thrpool_t *tp) + #endif + if (tp) { + /* Set the flag to shutdown the event loop. */ +- __atomic_add_fetch(&(tp->shutdown_event_loop), 1, __ATOMIC_SEQ_CST); ++ __atomic_add_fetch(&(tp->shutdown_event_loop), 1, __ATOMIC_RELEASE); + + /* Finish the event queue wakeup job. 
This has the + * side effect of waking up the event loop thread, which +@@ -1491,7 +1491,7 @@ ns_thrpool_shutdown(struct ns_thrpool_t *tp) + } + /* Set the shutdown flag. This will cause the worker + * threads to exit after they finish all remaining work. */ +- __atomic_add_fetch(&(tp->shutdown), 1, __ATOMIC_SEQ_CST); ++ __atomic_add_fetch(&(tp->shutdown), 1, __ATOMIC_RELEASE); + + /* Wake up the idle worker threads so they can exit. */ + pthread_mutex_lock(&(tp->work_q_lock)); +-- +2.9.3 + diff --git a/SOURCES/0001-Issue-49170-sync-plugin-thread-count-not-handled-cor.patch b/SOURCES/0001-Issue-49170-sync-plugin-thread-count-not-handled-cor.patch new file mode 100644 index 0000000..28d65ec --- /dev/null +++ b/SOURCES/0001-Issue-49170-sync-plugin-thread-count-not-handled-cor.patch 
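Review bot: In the ns_thrpool.c patch, the two readers ns_thrpool_is_shutdown() and ns_thrpool_is_event_shutdown() still carry the placeholder comment `/* We need to barrier this somehow? */` even though the load now has an explicit memory order. I would replace it with a comment that names the pairing, for example `/* Acquire load; pairs with the release increment in ns_thrpool_shutdown(). */`, and the matching one for ns_thrpool_destroy(). Acquire/release also no longer gives the single total order that seq_cst did, so the "same guarantees" claim in the description holds only if no code depends on the relative order of the two flags. That cannot be checked from these hunks, because the function bodies continue outside them.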
@@ -0,0 +1,71 @@ +From a00917eec0bcef75180eaf4dd9b360519b9e2644 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 14 Mar 2017 14:35:05 -0400 +Subject: [PATCH 2/5] Issue 49170 - sync plugin thread count not handled + correctly + +Bug Description: If sync repl connections get aborted the thread_count is + not properly updated which leads to the server hanging + on shutdown. + +Fix Description: When connections get aborted we still need to shutdown + the result thread cleanly: remove the req, update thread + count, etc. + +https://pagure.io/389-ds-base/issue/49170 + +Reviewed by: nhosoi(Thanks!) + +(cherry picked from commit 770fcf4349ccf9e07ff0e1cf0d6991927ec9ba75) +--- + ldap/servers/plugins/sync/sync_persist.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/ldap/servers/plugins/sync/sync_persist.c b/ldap/servers/plugins/sync/sync_persist.c +index d0c8da2..667a529 100644 +--- a/ldap/servers/plugins/sync/sync_persist.c ++++ b/ldap/servers/plugins/sync/sync_persist.c +@@ -548,16 +548,16 @@ sync_send_results( void *arg ) + slapi_pblock_get(req->req_pblock, SLAPI_CONNECTION, &conn); + if (NULL == conn) { + slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM, +- "sync_send_results - conn=%" NSPRIu64 " op=%d Null connection - aborted\n", +- connid, opid); +- return; ++ "sync_send_results - conn=%" NSPRIu64 " op=%d Null connection - aborted\n", ++ connid, opid); ++ goto done; + } + conn_acq_flag = sync_acquire_connection (conn); + if (conn_acq_flag) { + slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM, +- "sync_send_results - conn=%" NSPRIu64 " op=%d Could not acquire the connection - aborted\n", +- connid, opid); +- return; ++ "sync_send_results - conn=%" NSPRIu64 " op=%d Could not acquire the connection - aborted\n", ++ connid, opid); ++ goto done; + } + + PR_Lock( sync_request_list->sync_req_cvarlock ); +@@ -658,15 +658,14 @@ sync_send_results( void *arg ) + } + } + PR_Unlock( sync_request_list->sync_req_cvarlock ); +- 
sync_remove_request( req ); + + /* indicate the end of search */ +- + sync_release_connection(req->req_pblock, conn, op, conn_acq_flag == 0); + ++done: ++ sync_remove_request( req ); + PR_DestroyLock ( req->req_lock ); + req->req_lock = NULL; +- + slapi_ch_free((void **) &req->req_pblock ); + slapi_ch_free((void **) &req->req_orig_base ); + slapi_filter_free(req->req_filter, 1); +-- +2.9.3 + diff --git a/SOURCES/0001-Ticket-48755-moving-an-entry-could-make-the-online-i.patch b/SOURCES/0001-Ticket-48755-moving-an-entry-could-make-the-online-i.patch deleted file mode 100644 index bb5a3b0..0000000 --- a/SOURCES/0001-Ticket-48755-moving-an-entry-could-make-the-online-i.patch +++ /dev/null @@ -1,33 +0,0 @@ -From e23985aa9123b5dda2c7fe6d5205356d3fc4f5b7 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Thu, 7 Jul 2016 16:38:13 -0700 -Subject: [PATCH 1/3] Ticket #48755 - moving an entry could make the online - init fail - -Description: The upgrade script template 91reindex.pl.in had a syntax error. -See also Bug 1353592 - Setup-ds.pl --update fails - -https://fedorahosted.org/389/ticket/48755 - -Note: one character fix. -(cherry picked from commit aa64641d1974bb52fc4d02808362e76dd86d9cd0) ---- - ldap/admin/src/scripts/91reindex.pl.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ldap/admin/src/scripts/91reindex.pl.in b/ldap/admin/src/scripts/91reindex.pl.in -index c861f64..99b08e3 100644 ---- a/ldap/admin/src/scripts/91reindex.pl.in -+++ b/ldap/admin/src/scripts/91reindex.pl.in -@@ -12,7 +12,7 @@ sub runinst { - # rdn-format value. See $rdn_format set below. - # If equal to or greater than this value, no need to reindex. - # If it needs to be unconditionally reindexed, set 0. -- my @rdnconditions = (4) -+ my @rdnconditions = (4); - - my $config = $conn->search("cn=config", "base", "(objectclass=*)"); - if (!$config) { --- -2.4.11 - 
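Review bot: In the sync_persist.c patch, the new `done:` label in sync_send_results() has no comment explaining why the two abort paths may skip `sync_release_connection()`. A short comment above the label, such as `/* Reached directly when the connection was NULL or could not be acquired, so there is nothing to release. */`, would keep a later edit from moving the release below it. The cleanup after `slapi_filter_free` lies outside the hunk, so the thread-count update mentioned in the description cannot be confirmed from the visible lines.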
diff --git a/SOURCES/0002-Ticket-48914-db2bak.pl-task-enters-infinitive-loop-w.patch b/SOURCES/0002-Ticket-48914-db2bak.pl-task-enters-infinitive-loop-w.patch deleted file mode 100644 index 163431f..0000000 --- a/SOURCES/0002-Ticket-48914-db2bak.pl-task-enters-infinitive-loop-w.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -From 320ad877fc74b2396fd5dad59cfa990c3ace09f9 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Sat, 9 Jul 2016 18:36:17 -0700 -Subject: [PATCH 2/3] Ticket #48914 - db2bak.pl task enters infinitive loop - when bak fs is almost full - -Description: A backend helper function dblayer_copyfile returns an error -when any of the copy operation fails. But one of the caller functions -dblayer_backup ignored the error. - -This patch checks the error returned from dblayer_copyfile and abort the -back-up. - -Also, more error info is added to the log messages. - -https://fedorahosted.org/389/ticket/48914 - -Reviewed by mreynolds@redhat.com (Thank you, Mark!!) - -(cherry picked from commit ff997cd6fa5f2a0678721ba0b6a56fdce327feb0) ---- - ldap/servers/slapd/back-ldbm/dblayer.c | 95 ++++++++++++++++++++++------------ - 1 file changed, 61 insertions(+), 34 deletions(-) - -diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c -index 93d42be..783d104 100644 ---- a/ldap/servers/slapd/back-ldbm/dblayer.c -+++ b/ldap/servers/slapd/back-ldbm/dblayer.c -@@ -5643,18 +5643,16 @@ dblayer_copyfile(char *source, char *destination, int overwrite, int mode) - source_fd = OPEN_FUNCTION(source,O_RDONLY,0); - if (-1 == source_fd) - { -- LDAPDebug1Arg(LDAP_DEBUG_ANY, -- "dblayer_copyfile: failed to open source file: %s\n", -- source); -+ LDAPDebug2Args(LDAP_DEBUG_ANY, "dblayer_copyfile: failed to open source file %s by \"%s\"\n", -+ source, strerror(errno)); - goto error; - } - /* Open destination file */ - dest_fd = OPEN_FUNCTION(destination,O_CREAT | O_WRONLY, mode); - if (-1 == dest_fd) - { -- LDAPDebug1Arg(LDAP_DEBUG_ANY, -- "dblayer_copyfile: failed to open dest file: %s\n", -- destination); -+ LDAPDebug2Args(LDAP_DEBUG_ANY, "dblayer_copyfile: failed to open dest file %s by \"%s\"\n", -+ destination, strerror(errno)); - goto error; - } - LDAPDebug2Args(LDAP_DEBUG_BACKLDBM, -@@ -5662,24 +5660,38 @@ dblayer_copyfile(char *source, char 
*destination, int overwrite, int mode) - /* Loop round reading data and writing it */ - while (1) - { -+ int i; -+ char *ptr = NULL; - return_value = read(source_fd,buffer,64*1024); -- if (return_value <= 0) -- { -+ if (return_value <= 0) { - /* means error or EOF */ -- if (return_value < 0) -- { -- LDAPDebug1Arg(LDAP_DEBUG_ANY, -- "dblayer_copyfile: failed to read: %d\n", errno); -+ if (return_value < 0) { -+ LDAPDebug2Args(LDAP_DEBUG_ANY, "dblayer_copyfile: failed to read by \"%s\": rval = %d\n", -+ strerror(errno), return_value); - } - break; - } - bytes_to_write = return_value; -- return_value = write(dest_fd,buffer,bytes_to_write); -- if (return_value != bytes_to_write) -- { -- /* means error */ -- LDAPDebug1Arg(LDAP_DEBUG_ANY, -- "dblayer_copyfile: failed to write: %d\n", errno); -+ ptr = buffer; -+#define CPRETRY 4 -+ for (i = 0; i < CPRETRY; i++) { /* retry twice */ -+ return_value = write(dest_fd, ptr, bytes_to_write); -+ if (return_value == bytes_to_write) { -+ break; -+ } else { -+ /* means error */ -+ LDAPDebug(LDAP_DEBUG_ANY, "dblayer_copyfile: failed to write by \"%s\"; real: %d bytes, exp: %d bytes\n", -+ strerror(errno), return_value, bytes_to_write); -+ if (return_value > 0) { -+ bytes_to_write -= return_value; -+ ptr += return_value; -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "dblayer_copyfile: retrying to write %d bytes\n", bytes_to_write); -+ } else { -+ break; -+ } -+ } -+ } -+ if ((CPRETRY == i) || (return_value < 0)) { - return_value = -1; - break; - } -@@ -5906,10 +5918,15 @@ dblayer_copy_directory(struct ldbminfo *li, - return_value = dblayer_copyfile(filename1, filename2, - 0, priv->dblayer_file_mode); - } -+ if (return_value < 0) { -+ LDAPDebug2Args(LDAP_DEBUG_ANY, "dblayer_copy_directory: Failed to copy file %s to %s\n", -+ filename1, filename2); -+ slapi_ch_free((void**)&filename1); -+ slapi_ch_free((void**)&filename2); -+ break; -+ } - slapi_ch_free((void**)&filename1); - slapi_ch_free((void**)&filename2); -- if (0 > return_value) -- break; - - 
(*cnt)++; - } -@@ -6165,9 +6182,14 @@ dblayer_backup(struct ldbminfo *li, char *dest_dir, Slapi_Task *task) - changelog_destdir, DBVERSION_FILENAME); - return_value = dblayer_copyfile(pathname1, pathname2, - 0, priv->dblayer_file_mode); -- slapi_ch_free_string(&pathname1); - slapi_ch_free_string(&pathname2); - slapi_ch_free_string(&changelog_destdir); -+ if (0 > return_value) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "Backup: Failed to copy file %s\n", pathname1); -+ slapi_ch_free_string(&pathname1); -+ goto bail; -+ } -+ slapi_ch_free_string(&pathname1); - } - if (priv->dblayer_enable_transactions) { - /* now, get the list of logfiles that still exist */ -@@ -6240,15 +6262,15 @@ dblayer_backup(struct ldbminfo *li, char *dest_dir, Slapi_Task *task) - return_value = dblayer_copyfile(pathname1, pathname2, - 0, priv->dblayer_file_mode); - if (0 > return_value) { -- LDAPDebug2Args(LDAP_DEBUG_ANY, "Backup: error in " -- "copying file '%s' (err=%d) -- Starting over...\n", -- pathname1, return_value); -+ LDAPDebug2Args(LDAP_DEBUG_ANY, "Backup: error in copying file '%s' (err=%d)\n", -+ pathname1, return_value); - if (task) { -- slapi_task_log_notice(task, -- "Error copying file '%s' (err=%d) -- Starting " -- "over...", pathname1, return_value); -+ slapi_task_log_notice(task, "Error copying file '%s' (err=%d)", -+ pathname1, return_value); - } -- ok = 0; -+ slapi_ch_free((void **)&pathname1); -+ slapi_ch_free((void **)&pathname2); -+ goto bail; - } - if ( g_get_shutdown() || c_get_shutdown() ) { - LDAPDebug0Args(LDAP_DEBUG_ANY, "Backup aborted\n"); -@@ -6276,9 +6298,8 @@ dblayer_backup(struct ldbminfo *li, char *dest_dir, Slapi_Task *task) - slapi_task_log_notice(task, "Backing up file %d (%s)", cnt, pathname2); - slapi_task_log_status(task, "Backing up file %d (%s)", cnt, pathname2); - } -- return_value = -- dblayer_copyfile(pathname1, pathname2, 0, priv->dblayer_file_mode); -- if (return_value) { -+ return_value = dblayer_copyfile(pathname1, pathname2, 0, 
priv->dblayer_file_mode); -+ if (0 > return_value) { - LDAPDebug(LDAP_DEBUG_ANY, - "Backup: error in copying version file " - "(%s -> %s): err=%d\n", -@@ -6458,11 +6479,12 @@ static int dblayer_copy_dirand_contents(char* src_dir, char* dst_dir, int mode, - slapi_task_log_status(task, "Moving file %s", - filename2); - } -- return_value = dblayer_copyfile(filename1, filename2, 0, -- mode); -+ return_value = dblayer_copyfile(filename1, filename2, 0, mode); - } -- if (0 > return_value) -+ if (0 > return_value) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "dblayer_copy_dirand_contents: failed to copy file %s\n", filename1); - break; -+ } - } - PR_CloseDir(dirhandle); - } -@@ -6838,6 +6860,10 @@ int dblayer_restore(struct ldbminfo *li, char *src_dir, Slapi_Task *task, char * - changelogdir, DBVERSION_FILENAME); - return_value = dblayer_copyfile(filename1, filename2, - 0, priv->dblayer_file_mode); -+ if (0 > return_value) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "Restore: failed to copy file %s\n", filename1); -+ goto error_out; -+ } - } - continue; - } -@@ -6897,6 +6923,7 @@ int dblayer_restore(struct ldbminfo *li, char *src_dir, Slapi_Task *task, char * - return_value = dblayer_copyfile(filename1, filename2, 0, - priv->dblayer_file_mode); - if (0 > return_value) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "Restore: failed to copy file %s\n", filename1); - goto error_out; - } - cnt++; --- -2.4.11 - diff --git a/SOURCES/0002-Ticket-49165-pw_verify-did-not-handle-external-auth.patch b/SOURCES/0002-Ticket-49165-pw_verify-did-not-handle-external-auth.patch new file mode 100644 index 0000000..bbc9972 --- /dev/null +++ b/SOURCES/0002-Ticket-49165-pw_verify-did-not-handle-external-auth.patch 
@@ -0,0 +1,174 @@ +From 22f1ff8d87a7daf9fbbe2ddfbd195a6bfdae1cd6 Mon Sep 17 00:00:00 2001 +From: William Brown +Date: Tue, 14 Mar 2017 14:01:33 +1000 +Subject: [PATCH 3/5] Ticket 49165 pw_verify did not handle external auth + +Bug Description: During the change to improve sasl and simple bind, +we externalised the backend selection outside of do_bind. In an +auto_bind scenario however, this mean the be was null, causing the +dn to always be invalidated. + +Fix Description: Add a pw_validate_be_dn function, that correctly +checks if we are anonymous, a real be dn, or rootdn. This then allows +the correct authentication of autobinds. + +https://pagure.io/389-ds-base/issue/49165 + +Author: wibrown + +Review by: mreynolds (Thanks!) + +(cherry picked from commit 8dbfff1ff4152afb018490886a612c448ea2a1b0) +--- + ldap/servers/slapd/bind.c | 9 +++++-- + ldap/servers/slapd/dn.c | 5 ++++ + ldap/servers/slapd/pw_verify.c | 57 +++++++++++++++++++++++++++++++++++++-- + ldap/servers/slapd/pw_verify.h | 1 + + ldap/servers/slapd/slapi-plugin.h | 9 +++++++ + 5 files changed, 77 insertions(+), 4 deletions(-) + +diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c +index b4bb363..5c4fada 100644 +--- a/ldap/servers/slapd/bind.c ++++ b/ldap/servers/slapd/bind.c +@@ -656,7 +656,12 @@ do_bind( Slapi_PBlock *pb ) + /* We could be serving multiple database backends. Select the appropriate one */ + /* pw_verify_be_dn will select the backend we need for us. */ + +- rc = pw_verify_be_dn(pb, &referral); ++ if (auto_bind) { ++ /* We have no password material. We should just check who we are binding as. 
*/ ++ rc = pw_validate_be_dn(pb, &referral); ++ } else { ++ rc = pw_verify_be_dn(pb, &referral); ++ } + + if (rc == SLAPI_BIND_NO_BACKEND) { + send_nobackend_ldap_result( pb ); +@@ -715,7 +720,7 @@ do_bind( Slapi_PBlock *pb ) + * + */ + slapi_pblock_get(pb, SLAPI_BACKEND, &be); +- if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) { ++ if (!isroot && !slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) { + bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn)); + myrc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1); + if (1 == myrc) { /* account is locked */ +diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c +index d043f2a..fa3909f 100644 +--- a/ldap/servers/slapd/dn.c ++++ b/ldap/servers/slapd/dn.c +@@ -1738,6 +1738,11 @@ slapi_dn_isroot( const char *dn ) + return( rc ); + } + ++int32_t ++slapi_sdn_isroot(const Slapi_DN *sdn) { ++ return slapi_dn_isroot(slapi_sdn_get_ndn(sdn)); ++} ++ + int + slapi_is_rootdse( const char *dn ) + { +diff --git a/ldap/servers/slapd/pw_verify.c b/ldap/servers/slapd/pw_verify.c +index 93e5ff3..529bb83 100644 +--- a/ldap/servers/slapd/pw_verify.c ++++ b/ldap/servers/slapd/pw_verify.c +@@ -88,8 +88,61 @@ pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral) + return rc; + } + ++/* ++ * Resolve the dn we have been requested to bind with and verify it's ++ * valid, and has a backend. ++ * ++ * We are checking: ++ * * is this anonymous? ++ * * is this the rootdn? ++ * * is this a real dn, which associates to a real backend. ++ * ++ * This is used in SASL autobinds, so we need to handle this validation. 
++ */ ++ + int +-pw_verify_dn() ++pw_validate_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral) + { +- return LDAP_OPERATIONS_ERROR; ++ int rc = 0; ++ Slapi_Backend *be = NULL; ++ Slapi_DN *pb_sdn; ++ struct berval *cred; ++ ber_tag_t method; ++ ++ ++ slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &pb_sdn); ++ slapi_pblock_get(pb, SLAPI_BIND_CREDENTIALS, &cred); ++ slapi_pblock_get(pb, SLAPI_BIND_METHOD, &method); ++ ++ if (pb_sdn != NULL || cred != NULL) { ++ return LDAP_OPERATIONS_ERROR; ++ } ++ ++ if (*referral) { ++ return SLAPI_BIND_REFERRAL; ++ } ++ ++ /* We need a slapi_sdn_isanon? */ ++ if (method == LDAP_AUTH_SIMPLE && cred->bv_len == 0) { ++ return SLAPI_BIND_ANONYMOUS; ++ } ++ ++ if (slapi_sdn_isroot(pb_sdn)) { ++ /* This is a real identity */ ++ return SLAPI_BIND_SUCCESS; ++ } ++ ++ if (slapi_mapping_tree_select(pb, &be, referral, NULL, 0) != LDAP_SUCCESS) { ++ return SLAPI_BIND_NO_BACKEND; ++ } ++ slapi_be_Unlock(be); ++ ++ slapi_pblock_set(pb, SLAPI_BACKEND, be); ++ slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database); ++ /* Make sure the result handlers are setup */ ++ set_db_default_result_handlers(pb); ++ ++ /* The backend associated with this identity is real. 
*/ ++ ++ return SLAPI_BIND_SUCCESS; + } +diff --git a/ldap/servers/slapd/pw_verify.h b/ldap/servers/slapd/pw_verify.h +index fc34fd1..5137027 100644 +--- a/ldap/servers/slapd/pw_verify.h ++++ b/ldap/servers/slapd/pw_verify.h +@@ -11,5 +11,6 @@ + + int pw_verify_root_dn(const char *dn, const Slapi_Value *cred); + int pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral); ++int pw_validate_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral); + + #endif /* _SLAPD_PW_VERIFY_H_ */ +diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h +index b223f65..1bd8fc8 100644 +--- a/ldap/servers/slapd/slapi-plugin.h ++++ b/ldap/servers/slapd/slapi-plugin.h +@@ -3800,6 +3800,15 @@ int slapi_dn_isparent( const char *parentdn, const char *childdn ); + int slapi_dn_isroot( const char *dn ); + + /** ++ * Determines if an SDN is the root DN. ++ * ++ * \param sdn The DN to check ++ * \return \c 1 if the DN is the root DN. ++ * \return \c 0 if the DN is not the root DN. ++ */ ++int32_t slapi_sdn_isroot( const Slapi_DN *sdn ); ++ ++/** + * Checks if a DN is the backend suffix. + * + * \param pb A parameter block with the backend set. +-- +2.9.3 + diff --git a/SOURCES/0003-Issue-49169-Fix-covscan-errors.patch b/SOURCES/0003-Issue-49169-Fix-covscan-errors.patch new file mode 100644 index 0000000..d989fed --- /dev/null +++ b/SOURCES/0003-Issue-49169-Fix-covscan-errors.patch 
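Review bot: In the new pw_validate_be_dn() in pw_verify.c, the guard `if (pb_sdn != NULL || cred != NULL)` appears inverted. It returns LDAP_OPERATIONS_ERROR whenever a bind DN or credentials are present and continues only when both are NULL, after which `cred->bv_len` and `slapi_sdn_isroot(pb_sdn)` use those pointers. Because this function decides the result of SASL autobinds, I would reject only a missing DN with `if (pb_sdn == NULL) { return LDAP_OPERATIONS_ERROR; }` and guard the anonymous test against a NULL `cred`, for example `if (method == LDAP_AUTH_SIMPLE && (cred == NULL || cred->bv_len == 0))`. `pb_sdn`, `cred` and `method` are also declared without initialisers, so they should start as `NULL`/`0` in case a `slapi_pblock_get` call leaves them untouched. The pw_verify.c hunk in the 0003 covscan patch of this import only drops the unused `rc` and leaves this guard as it is.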
@@ -0,0 +1,266 @@ +From 97f09918ef370c3be5aa64dcfeb3bb21e762f90d Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 14 Mar 2017 20:23:07 -0400 +Subject: [PATCH 4/5] Issue 49169 - Fix covscan errors + +src/libsds/bpt/map.c - resource leak +ldap/servers/slapd/vattr.c - resource leak +ldap/servers/slapd/task.c: resource leaks +ldap/servers/slapd/str2filter.c - resource leak +ldap/servers/slapd/pw.c - resource leak +ldap/servers/slapd/back-ldbm/import-threads.c - resource leak +ldap/servers/plugins/uiduniq/uid.c:536 - resource leak +ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c:164 - resource leak +ldap/servers/plugins/linkedattrs/linked_attrs.c:1672 - resource leak +ldap/servers/plugins/addn/addn.c:419 +ldap/servers/slapd/ssl.c - dead code +ldap/servers/slapd/index_subsystem.c - null dereference + +https://pagure.io/389-ds-base/issue/49169 + +Reviewed by: nkinder & wibrown(Thanks!!) + +(cherry picked from commit c75126be1edece121826e336141f9b0b9c0bddfd) +--- + ldap/servers/plugins/addn/addn.c | 4 +++- + ldap/servers/plugins/linkedattrs/linked_attrs.c | 2 ++ + ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c | 1 + + ldap/servers/plugins/uiduniq/uid.c | 6 +++++- + ldap/servers/slapd/back-ldbm/import-threads.c | 1 + + ldap/servers/slapd/index_subsystem.c | 27 +++++++++++++------------ + ldap/servers/slapd/pw.c | 1 + + ldap/servers/slapd/pw_verify.c | 1 - + ldap/servers/slapd/ssl.c | 8 +++----- + ldap/servers/slapd/str2filter.c | 1 + + ldap/servers/slapd/task.c | 3 +-- + ldap/servers/slapd/vattr.c | 6 +++--- + src/libsds/sds/bpt/map.c | 1 + + 13 files changed, 36 insertions(+), 26 deletions(-) + +diff --git a/ldap/servers/plugins/addn/addn.c b/ldap/servers/plugins/addn/addn.c +index 3abc112..6ba7833 100644 +--- a/ldap/servers/plugins/addn/addn.c ++++ b/ldap/servers/plugins/addn/addn.c +@@ -415,7 +415,9 @@ addn_start(Slapi_PBlock *pb) + domain = slapi_entry_attr_get_charptr(plugin_entry, "addn_default_domain"); + + if (domain == NULL) { +- slapi_log_err(SLAPI_LOG_ERR, 
plugin_name, "addn_start: CRITICAL: No default domain in configuration, you must set addn_default_domain!\n"); ++ slapi_log_err(SLAPI_LOG_ERR, plugin_name, ++ "addn_start: CRITICAL: No default domain in configuration, you must set addn_default_domain!\n"); ++ slapi_ch_free((void**)&config); + return SLAPI_PLUGIN_FAILURE; + } + +diff --git a/ldap/servers/plugins/linkedattrs/linked_attrs.c b/ldap/servers/plugins/linkedattrs/linked_attrs.c +index b5adb21..d046542 100644 +--- a/ldap/servers/plugins/linkedattrs/linked_attrs.c ++++ b/ldap/servers/plugins/linkedattrs/linked_attrs.c +@@ -1669,6 +1669,8 @@ linked_attrs_mod_post_op(Slapi_PBlock *pb) + /* Bail out if the plug-in close function was just called. */ + if (!slapi_plugin_running(pb)) { + linked_attrs_unlock(); ++ slapi_mod_free(&next_mod); ++ slapi_mods_free(&smods); + return SLAPI_PLUGIN_SUCCESS; + } + +diff --git a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c +index 1b3e555..b228700 100644 +--- a/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c ++++ b/ldap/servers/plugins/pwdstorage/pbkdf2_pwd.c +@@ -161,6 +161,7 @@ pbkdf2_sha256_pw_enc(const char *pwd) + */ + if ( pbkdf2_sha256_hash(hash + PBKDF2_ITERATIONS_LENGTH + PBKDF2_SALT_LENGTH, PBKDF2_HASH_LENGTH, &passItem, &saltItem, PBKDF2_ITERATIONS) != SECSuccess ) { + slapi_log_err(SLAPI_LOG_ERR, (char *)schemeName, "Could not generate pbkdf2_sha256_hash!\n"); ++ slapi_ch_free_string(&enc); + return NULL; + } + +diff --git a/ldap/servers/plugins/uiduniq/uid.c b/ldap/servers/plugins/uiduniq/uid.c +index ae9320e..46554b2 100644 +--- a/ldap/servers/plugins/uiduniq/uid.c ++++ b/ldap/servers/plugins/uiduniq/uid.c +@@ -533,7 +533,11 @@ create_filter(const char **attributes, const struct berval *value, const char *r + + /* Place value in filter */ + if (ldap_quote_filter_value(value->bv_val, value->bv_len, +- fp, max-fp, &valueLen)) { slapi_ch_free((void**)&filter); return 0; } ++ fp, max-fp, &valueLen)) { ++ 
slapi_ch_free((void**)&filter); ++ slapi_ch_free((void**)&attrLen); ++ return 0; ++ } + fp += valueLen; + + strcpy(fp, ")"); +diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c +index 5b81427..087103b 100644 +--- a/ldap/servers/slapd/back-ldbm/import-threads.c ++++ b/ldap/servers/slapd/back-ldbm/import-threads.c +@@ -1647,6 +1647,7 @@ upgradedn_producer(void *param) + } + e = slapi_str2entry_ext(normdn, NULL, data.dptr, + SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT); ++ slapi_ch_free_string(&rdn); + } + } else { + e = +diff --git a/ldap/servers/slapd/index_subsystem.c b/ldap/servers/slapd/index_subsystem.c +index 57d4f58..8f9fe6d 100644 +--- a/ldap/servers/slapd/index_subsystem.c ++++ b/ldap/servers/slapd/index_subsystem.c +@@ -185,27 +185,28 @@ static int index_subsys_index_matches_filter(indexEntry *index, Slapi_Filter *f) + */ + int index_subsys_assign_filter_decoders(Slapi_PBlock *pb) + { +- int rc; ++ int rc = 0; + Slapi_Filter *f; + char *subsystem = "index_subsys_assign_filter_decoders"; + char logbuf[ 1024 ]; + + /* extract the filter */ + slapi_pblock_get(pb, SLAPI_SEARCH_FILTER, &f); ++ if (f) { ++ if ( loglevel_is_set( LDAP_DEBUG_FILTER )) { ++ logbuf[0] = '\0'; ++ slapi_log_err(SLAPI_LOG_DEBUG, subsystem, "before: %s\n", ++ slapi_filter_to_string(f, logbuf, sizeof(logbuf))); ++ } + +- if ( loglevel_is_set( LDAP_DEBUG_FILTER ) && NULL != f ) { +- logbuf[0] = '\0'; +- slapi_log_err(SLAPI_LOG_DEBUG, subsystem, "before: %s\n", +- slapi_filter_to_string(f, logbuf, sizeof(logbuf))); +- } +- +- /* find decoders */ +- rc = index_subsys_assign_decoders(f); ++ /* find decoders */ ++ rc = index_subsys_assign_decoders(f); + +- if ( loglevel_is_set( LDAP_DEBUG_FILTER ) && NULL != f ) { +- logbuf[0] = '\0'; +- slapi_log_err(SLAPI_LOG_DEBUG, subsystem, " after: %s\n", +- slapi_filter_to_string(f, logbuf, sizeof(logbuf))); ++ if ( loglevel_is_set( LDAP_DEBUG_FILTER )) { ++ logbuf[0] = '\0'; ++ 
slapi_log_err(SLAPI_LOG_DEBUG, subsystem, " after: %s\n", ++ slapi_filter_to_string(f, logbuf, sizeof(logbuf))); ++ } + } + + return rc; +diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c +index 215c9eb..378d148 100644 +--- a/ldap/servers/slapd/pw.c ++++ b/ldap/servers/slapd/pw.c +@@ -1512,6 +1512,7 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char + ep = sp + strlen(sp); + ep = ldap_utf8prevn(sp, ep, toklen); + if (!ep || (sp >= ep)) { ++ slapi_ch_free_string(&sp); + continue; + } + /* See if the password contains the value */ +diff --git a/ldap/servers/slapd/pw_verify.c b/ldap/servers/slapd/pw_verify.c +index 529bb83..a9fd9ec 100644 +--- a/ldap/servers/slapd/pw_verify.c ++++ b/ldap/servers/slapd/pw_verify.c +@@ -103,7 +103,6 @@ pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral) + int + pw_validate_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral) + { +- int rc = 0; + Slapi_Backend *be = NULL; + Slapi_DN *pb_sdn; + struct berval *cred; +diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c +index f35b3f1..050e7b5 100644 +--- a/ldap/servers/slapd/ssl.c ++++ b/ldap/servers/slapd/ssl.c +@@ -1418,12 +1418,10 @@ slapd_ssl_init() + errorCode = PR_GetError(); + slapd_SSL_error("Failed to retrieve SSL " + "configuration information (" +- SLAPI_COMPONENT_NAME_NSPR " error %d - %s): " ++ SLAPI_COMPONENT_NAME_NSPR " error %d - not found): " + "nssslSessionTimeout: %s ", +- errorCode, slapd_pr_strerror(errorCode), +- (val ? 
"found" : "not found")); +- slapi_ch_free((void **) &val); +- slapi_ch_free((void **) &ciphers); ++ errorCode, slapd_pr_strerror(errorCode)); ++ slapi_ch_free((void **)&ciphers); + freeConfigEntry( &entry ); + return -1; + } +diff --git a/ldap/servers/slapd/str2filter.c b/ldap/servers/slapd/str2filter.c +index ebd5c5d..744c93f 100644 +--- a/ldap/servers/slapd/str2filter.c ++++ b/ldap/servers/slapd/str2filter.c +@@ -344,6 +344,7 @@ str2simple( char *str , int unescape_filter) + *endp = '\0'; + rc = _parse_ext_filter(str, extp, &f->f_mr_type, &f->f_mr_oid, &f->f_mr_dnAttrs); + if (rc) { ++ slapi_filter_free(f, 1); + return NULL; /* error */ + } else { + f->f_choice = LDAP_FILTER_EXTENDED; +diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c +index ad52e9d..eabd517 100644 +--- a/ldap/servers/slapd/task.c ++++ b/ldap/servers/slapd/task.c +@@ -2389,7 +2389,6 @@ task_fixup_tombstones_add(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter, + slapi_task_finish(task, *returncode); + slapi_ch_array_free(base); + slapi_ch_free((void **)&task_data); +- return SLAPI_DSE_CALLBACK_ERROR; + } + + done: +@@ -2507,9 +2506,9 @@ task_des2aes(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter, + error: + if (rc == SLAPI_DSE_CALLBACK_ERROR){ + slapi_ch_array_free(bases); +- slapi_ch_array_free(suffix); + slapi_ch_free((void **)&task_data); + } ++ slapi_ch_array_free(suffix); + return rc; + } + +diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c +index 34665de..599b54e 100644 +--- a/ldap/servers/slapd/vattr.c ++++ b/ldap/servers/slapd/vattr.c +@@ -753,10 +753,10 @@ slapi_vattr_values_get_sp(vattr_context *c, + } + if (use_local_ctx) { + /* slapi_pblock_destroy cleans up pb_vattr_context, as well */ +- slapi_pblock_destroy(local_pb); +- } else { +- vattr_context_ungrok(&c); ++ slapi_pblock_destroy(local_pb); ++ ctx->pb = NULL; + } ++ vattr_context_ungrok(&ctx); + return rc; + } + +diff --git a/src/libsds/sds/bpt/map.c b/src/libsds/sds/bpt/map.c 
+index 4205aa5..2c3468b 100644 +--- a/src/libsds/sds/bpt/map.c ++++ b/src/libsds/sds/bpt/map.c +@@ -18,6 +18,7 @@ sds_bptree_map_nodes(sds_bptree_instance *binst, sds_bptree_node *root, sds_resu + sds_bptree_node_list *tail = cur; + + if (binst == NULL) { ++ sds_free(cur); + return SDS_NULL_POINTER; + } + +-- +2.9.3 + diff --git a/SOURCES/0003-Ticket-48918-Upgrade-to-389-ds-base-1.3.5.5-doesn-t-.patch b/SOURCES/0003-Ticket-48918-Upgrade-to-389-ds-base-1.3.5.5-doesn-t-.patch deleted file mode 100644 index 47a9740..0000000 --- a/SOURCES/0003-Ticket-48918-Upgrade-to-389-ds-base-1.3.5.5-doesn-t-.patch +++ /dev/null 
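Review bot: In the task.c part of the covscan patch, removing `return SLAPI_DSE_CALLBACK_ERROR;` from the failure branch of task_fixup_tombstones_add() makes that branch fall through to `done:`, whose body is outside the hunk. If the value returned there is not already the error code on this path, the caller will see success for a task that `slapi_task_finish` has just closed with an error. Assigning the function's result variable explicitly before the fall-through, `<result variable> = SLAPI_DSE_CALLBACK_ERROR;`, would keep the previous contract. The same fall-through should be checked in task_des2aes(), where `slapi_ch_array_free(suffix)` now runs on every path and so relies on `suffix` being initialised before any `goto error`.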
@@ -1,64 +0,0 @@ -From 6e3de01c0a6f07f82d514d0d7f546a4eb408a445 Mon Sep 17 00:00:00 2001 -From: Viktor Ashirov -Date: Mon, 11 Jul 2016 10:10:42 +0200 -Subject: [PATCH 3/3] Ticket #48918 - Upgrade to 389-ds-base >= 1.3.5.5 doesn't - install 389-ds-base-snmp - -Bug description: -During upgrade from 389-ds-base version <1.3.5.5 additional -package 389-ds-base-snmp is not installed. - -Fix description: -Move "Obsoletes:" section from %description to %package. - -https://fedorahosted.org/389/ticket/48918 - -Reviewed by: nhosoi@redhat.com. - -(cherry picked from commit f593ae7790e3372c6812bfe59e58e6d709ec171f) ---- - rpm/389-ds-base.spec.in | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in -index d08d379..0924cb5 100644 ---- a/rpm/389-ds-base.spec.in -+++ b/rpm/389-ds-base.spec.in -@@ -47,6 +47,8 @@ Group: System Environment/Daemons - BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) - Obsoletes: %{name}-selinux - Conflicts: selinux-policy-base < 3.9.8 -+# upgrade path from monolithic %{name} (including -libs & -devel) to %{name} + %{name}-snmp -+Obsoletes: %{name} <= 1.3.5.4 - Requires: %{name}-libs = %{version}-%{release} - Provides: ldif2ldbm - -@@ -152,9 +154,6 @@ isn't what you want. Please contact support immediately. - Please see http://seclists.org/oss-sec/2016/q1/363 for more information. - %endif - --# upgrade path from monolithic %{name} (including -libs & -devel) to %{name} + %{name}-snmp --Obsoletes: %{name} <= 1.3.5.4 -- - %package libs - Summary: Core libraries for 389 Directory Server (%{variant}) - Group: System Environment/Daemons -@@ -213,13 +212,12 @@ Development Libraries and headers for the 389 Directory Server base package. 
- Summary: SNMP Agent for 389 Directory Server - Group: System Environment/Daemons - Requires: %{name} = %{version}-%{release} -+# upgrade path from monolithic %{name} (including -libs & -devel) to %{name} + %{name}-snmp -+Obsoletes: %{name} <= 1.3.5.4 - - %description snmp - SNMP Agent for the 389 Directory Server base package. - --# upgrade path from monolithic %{name} (including -libs & -devel) to %{name} + %{name}-snmp --Obsoletes: %{name} <= 1.3.5.4 -- - %package tests - Summary: The lib389 Continuous Integration Tests - Group: Development/Libraries --- -2.4.11 - diff --git a/SOURCES/0004-Ticket-48916-DNA-Threshold-set-to-0-causes-SIGFPE.patch b/SOURCES/0004-Ticket-48916-DNA-Threshold-set-to-0-causes-SIGFPE.patch deleted file mode 100644 index 7ba20c3..0000000 --- a/SOURCES/0004-Ticket-48916-DNA-Threshold-set-to-0-causes-SIGFPE.patch +++ /dev/null 
@@ -1,462 +0,0 @@ -From 80e8d8fc8eb44d45af5285308cda37553611f688 Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Sat, 9 Jul 2016 19:02:37 +1000 -Subject: [PATCH 04/15] Ticket 48916 - DNA Threshold set to 0 causes SIGFPE - -Bug Description: If the DNA threshold was set to 0, a divide by zero would -occur when requesting ranges. - -Fix Description: Prevent the config from setting a value of 0 for dna threshold. - -If an existing site has a threshold of 0, we guard the divide operation, and -return an operations error instead. - -https://fedorahosted.org/389/ticket/48916 - -Author: wibrown - -Review by: nhosoi, mreynolds (Thank you!) - -(cherry picked from commit 05ebb6d10cf0ec8e03c59bade7f819ddb1fdcf78) ---- - .gitignore | 1 + - dirsrvtests/tests/tickets/ticket48916_test.py | 253 ++++++++++++++++++++++++++ - ldap/servers/plugins/dna/dna.c | 40 +++- - 3 files changed, 289 insertions(+), 5 deletions(-) - create mode 100644 dirsrvtests/tests/tickets/ticket48916_test.py - -diff --git a/.gitignore b/.gitignore -index f6583c2..f92bcd8 100644 ---- a/.gitignore -+++ b/.gitignore -@@ -5,6 +5,7 @@ autom4te.cache - .cproject - .project - .settings -+.cache - *.a - *.dirstamp - *.la -diff --git a/dirsrvtests/tests/tickets/ticket48916_test.py b/dirsrvtests/tests/tickets/ticket48916_test.py -new file mode 100644 -index 0000000..44c96da ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket48916_test.py -@@ -0,0 +1,253 @@ -+import os -+import sys -+import time -+import ldap -+import logging -+import pytest -+from lib389 import DirSrv, Entry, tools, tasks -+from lib389.tools import DirSrvTools -+from lib389._constants import * -+from lib389.properties import * -+from lib389.tasks import * -+from lib389.utils import * -+ -+DEBUGGING = False -+ -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+ -+ -+log = logging.getLogger(__name__) -+ -+ -+class TopologyReplication(object): -+ """The Replication 
Topology Class""" -+ def __init__(self, master1, master2): -+ """Init""" -+ master1.open() -+ self.master1 = master1 -+ master2.open() -+ self.master2 = master2 -+ -+ -+@pytest.fixture(scope="module") -+def topology(request): -+ """Create Replication Deployment""" -+ -+ # Creating master 1... -+ if DEBUGGING: -+ master1 = DirSrv(verbose=True) -+ else: -+ master1 = DirSrv(verbose=False) -+ args_instance[SER_HOST] = HOST_MASTER_1 -+ args_instance[SER_PORT] = PORT_MASTER_1 -+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_1 -+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -+ args_master = args_instance.copy() -+ master1.allocate(args_master) -+ instance_master1 = master1.exists() -+ if instance_master1: -+ master1.delete() -+ master1.create() -+ master1.open() -+ master1.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_1) -+ -+ # Creating master 2... -+ if DEBUGGING: -+ master2 = DirSrv(verbose=True) -+ else: -+ master2 = DirSrv(verbose=False) -+ args_instance[SER_HOST] = HOST_MASTER_2 -+ args_instance[SER_PORT] = PORT_MASTER_2 -+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_2 -+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -+ args_master = args_instance.copy() -+ master2.allocate(args_master) -+ instance_master2 = master2.exists() -+ if instance_master2: -+ master2.delete() -+ master2.create() -+ master2.open() -+ master2.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_2) -+ -+ # -+ # Create all the agreements -+ # -+ # Creating agreement from master 1 to master 2 -+ properties = {RA_NAME: 'meTo_' + master2.host + ':' + str(master2.port), -+ RA_BINDDN: defaultProperties[REPLICATION_BIND_DN], -+ RA_BINDPW: defaultProperties[REPLICATION_BIND_PW], -+ RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD], -+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]} -+ m1_m2_agmt = master1.agreement.create(suffix=SUFFIX, host=master2.host, port=master2.port, 
properties=properties) -+ if not m1_m2_agmt: -+ log.fatal("Fail to create a master -> master replica agreement") -+ sys.exit(1) -+ log.debug("%s created" % m1_m2_agmt) -+ -+ # Creating agreement from master 2 to master 1 -+ properties = {RA_NAME: 'meTo_' + master1.host + ':' + str(master1.port), -+ RA_BINDDN: defaultProperties[REPLICATION_BIND_DN], -+ RA_BINDPW: defaultProperties[REPLICATION_BIND_PW], -+ RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD], -+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]} -+ m2_m1_agmt = master2.agreement.create(suffix=SUFFIX, host=master1.host, port=master1.port, properties=properties) -+ if not m2_m1_agmt: -+ log.fatal("Fail to create a master -> master replica agreement") -+ sys.exit(1) -+ log.debug("%s created" % m2_m1_agmt) -+ -+ # Allow the replicas to get situated with the new agreements... -+ time.sleep(5) -+ -+ # -+ # Initialize all the agreements -+ # -+ master1.agreement.init(SUFFIX, HOST_MASTER_2, PORT_MASTER_2) -+ master1.waitForReplInit(m1_m2_agmt) -+ -+ # Check replication is working... 
-+ if master1.testReplication(DEFAULT_SUFFIX, master2): -+ log.info('Replication is working.') -+ else: -+ log.fatal('Replication is not working.') -+ assert False -+ -+ def fin(): -+ """If we are debugging just stop the instances, otherwise remove -+ them -+ """ -+ if DEBUGGING: -+ master1.stop() -+ master2.stop() -+ else: -+ master1.delete() -+ master2.delete() -+ -+ request.addfinalizer(fin) -+ -+ # Clear out the tmp dir -+ master1.clearTmpDir(__file__) -+ -+ return TopologyReplication(master1, master2) -+ -+ -+def _create_user(inst, idnum): -+ inst.add_s(Entry( -+ ('uid=user%s,ou=People,%s' % (idnum, DEFAULT_SUFFIX), { -+ 'objectClass' : 'top account posixAccount'.split(' '), -+ 'cn' : 'user', -+ 'uid' : 'user%s' % idnum, -+ 'homeDirectory' : '/home/user%s' % idnum, -+ 'loginShell' : '/bin/nologin', -+ 'gidNumber' : '-1', -+ 'uidNumber' : '-1', -+ }) -+ )) -+ -+def test_ticket48916(topology): -+ """ -+ https://bugzilla.redhat.com/show_bug.cgi?id=1353629 -+ -+ This is an issue with ID exhaustion in DNA causing a crash. -+ -+ To access each DirSrv instance use: topology.master1, topology.master2, -+ ..., topology.hub1, ..., topology.consumer1,... -+ -+ -+ """ -+ -+ if DEBUGGING: -+ # Add debugging steps(if any)... -+ pass -+ -+ # Enable the plugin on both servers -+ -+ dna_m1 = topology.master1.plugins.get('Distributed Numeric Assignment Plugin') -+ dna_m2 = topology.master2.plugins.get('Distributed Numeric Assignment Plugin') -+ -+ # Configure it -+ # Create the container for the ranges to go into. -+ -+ topology.master1.add_s(Entry( -+ ('ou=Ranges,%s' % DEFAULT_SUFFIX, { -+ 'objectClass' : 'top organizationalUnit'.split(' '), -+ 'ou' : 'Ranges', -+ }) -+ )) -+ -+ # Create the dnaAdmin? 
-+ -+ # For now we just pinch the dn from the dna_m* types, and add the relevant child config -+ # but in the future, this could be a better plugin template type from lib389 -+ -+ config_dn = dna_m1.dn -+ -+ topology.master1.add_s(Entry( -+ ('cn=uids,%s' % config_dn, { -+ 'objectClass' : 'top dnaPluginConfig'.split(' '), -+ 'cn': 'uids', -+ 'dnatype': 'uidNumber gidNumber'.split(' '), -+ 'dnafilter': '(objectclass=posixAccount)', -+ 'dnascope': '%s' % DEFAULT_SUFFIX, -+ 'dnaNextValue': '1', -+ 'dnaMaxValue': '50', -+ 'dnasharedcfgdn': 'ou=Ranges,%s' % DEFAULT_SUFFIX, -+ 'dnaThreshold': '0', -+ 'dnaRangeRequestTimeout': '60', -+ 'dnaMagicRegen': '-1', -+ 'dnaRemoteBindDN': 'uid=dnaAdmin,ou=People,%s' % DEFAULT_SUFFIX, -+ 'dnaRemoteBindCred': 'secret123', -+ 'dnaNextRange': '80-90' -+ }) -+ )) -+ -+ topology.master2.add_s(Entry( -+ ('cn=uids,%s' % config_dn, { -+ 'objectClass' : 'top dnaPluginConfig'.split(' '), -+ 'cn': 'uids', -+ 'dnatype': 'uidNumber gidNumber'.split(' '), -+ 'dnafilter': '(objectclass=posixAccount)', -+ 'dnascope': '%s' % DEFAULT_SUFFIX, -+ 'dnaNextValue': '61', -+ 'dnaMaxValue': '70', -+ 'dnasharedcfgdn': 'ou=Ranges,%s' % DEFAULT_SUFFIX, -+ 'dnaThreshold': '2', -+ 'dnaRangeRequestTimeout': '60', -+ 'dnaMagicRegen': '-1', -+ 'dnaRemoteBindDN': 'uid=dnaAdmin,ou=People,%s' % DEFAULT_SUFFIX, -+ 'dnaRemoteBindCred': 'secret123', -+ }) -+ )) -+ -+ -+ # Enable the plugins -+ dna_m1.enable() -+ dna_m2.enable() -+ -+ # Restart the instances -+ topology.master1.restart(60) -+ topology.master2.restart(60) -+ -+ # Wait for a replication ..... 
-+ time.sleep(40) -+ -+ # Allocate the 10 members to exhaust -+ -+ for i in range(1,11): -+ _create_user(topology.master2, i) -+ -+ # Allocate the 11th -+ _create_user(topology.master2, 11) -+ -+ log.info('Test PASSED') -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c -index 2908443..cf640d8 100644 ---- a/ldap/servers/plugins/dna/dna.c -+++ b/ldap/servers/plugins/dna/dna.c -@@ -1244,6 +1244,12 @@ dna_parse_config_entry(Slapi_PBlock *pb, Slapi_Entry * e, int apply) - slapi_log_error(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, - "----------> %s [%s]\n", DNA_THRESHOLD, value); - -+ if (entry->threshold <= 0) { -+ entry->threshold = 1; -+ slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, -+ "----------> %s too low, setting to [%s]\n", DNA_THRESHOLD, value); -+ } -+ - slapi_ch_free_string(&value); - } else { - entry->threshold = 1; -@@ -2171,7 +2177,7 @@ static int dna_dn_is_config(char *dn) - int ret = 0; - - slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, -- "--> dna_is_config\n"); -+ "--> dna_is_config %s\n", dn); - - if (slapi_dn_issuffix(dn, getPluginDN())) { - ret = 1; -@@ -3404,18 +3410,21 @@ _dna_pre_op_add(Slapi_PBlock *pb, Slapi_Entry *e, char **errstr) - - /* Did we already service all of these configured types? */ - if (dna_list_contains_types(generated_types, config_entry->types)) { -+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, " no types to act upon.\n"); - goto next; - } - - /* is the entry in scope? */ - if (config_entry->scope && - !slapi_dn_issuffix(dn, config_entry->scope)) { -+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, " dn not in scope\n"); - goto next; - } - - /* is this entry in an excluded scope? 
*/ - for (i = 0; config_entry->excludescope && config_entry->excludescope[i]; i++) { - if (slapi_dn_issuffix(dn, slapi_sdn_get_dn(config_entry->excludescope[i]))) { -+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, " dn in excluded scope\n"); - goto next; - } - } -@@ -3424,7 +3433,8 @@ _dna_pre_op_add(Slapi_PBlock *pb, Slapi_Entry *e, char **errstr) - if (config_entry->slapi_filter) { - ret = slapi_vattr_filter_test(pb, e, config_entry->slapi_filter, 0); - if (LDAP_SUCCESS != ret) { -- goto next; -+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, " dn does not match filter\n"); -+ goto next; - } - } - -@@ -3454,6 +3464,8 @@ _dna_pre_op_add(Slapi_PBlock *pb, Slapi_Entry *e, char **errstr) - } - - if (types_to_generate && types_to_generate[0]) { -+ -+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, " adding %s to %s as -2\n", types_to_generate[0], dn); - /* add - add to entry */ - for (i = 0; types_to_generate && types_to_generate[i]; i++) { - slapi_entry_attr_set_charptr(e, types_to_generate[i], -@@ -3492,6 +3504,7 @@ _dna_pre_op_add(Slapi_PBlock *pb, Slapi_Entry *e, char **errstr) - slapi_lock_mutex(config_entry->lock); - - ret = dna_first_free_value(config_entry, &setval); -+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, " retrieved value %" PRIu64 " ret %d\n", setval, ret); - if (LDAP_SUCCESS != ret) { - /* check if we overflowed the configured range */ - if (setval > config_entry->maxval) { -@@ -4022,18 +4035,22 @@ static int dna_be_txn_pre_op(Slapi_PBlock *pb, int modtype) - "--> dna_be_txn_pre_op\n"); - - if (!slapi_plugin_running(pb)) { -+ slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, " --x bailing, plugin not running\n"); - goto bail; - } - - if (0 == (dn = dna_get_dn(pb))) { -+ slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, " --x bailing, is dna dn\n"); - goto bail; - } - - if (dna_dn_is_config(dn)) { -+ slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, " --x bailing is dna config dn\n"); - goto bail; 
- } - - if (dna_isrepl(pb)) { -+ slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, " --x bailing replicated operation\n"); - /* if repl, the dna values should be already in the entry. */ - goto bail; - } -@@ -4045,6 +4062,7 @@ static int dna_be_txn_pre_op(Slapi_PBlock *pb, int modtype) - } - - if (e == NULL) { -+ slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, " --x bailing entry is NULL\n"); - goto bail; - } else if (LDAP_CHANGETYPE_MODIFY == modtype) { - slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods); -@@ -4056,32 +4074,39 @@ static int dna_be_txn_pre_op(Slapi_PBlock *pb, int modtype) - - if (!PR_CLIST_IS_EMPTY(dna_global_config)) { - list = PR_LIST_HEAD(dna_global_config); -+ slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, " using global config...\n"); - - while (list != dna_global_config && LDAP_SUCCESS == ret) { - config_entry = (struct configEntry *) list; - - /* Did we already service all of these configured types? */ - if (dna_list_contains_types(generated_types, config_entry->types)) { -+ slapi_log_error(SLAPI_LOG_TRACE, DNA_PLUGIN_SUBSYSTEM, " All types already serviced\n"); - goto next; - } - - /* is the entry in scope? */ - if (config_entry->scope) { -- if (!slapi_dn_issuffix(dn, config_entry->scope)) -+ if (!slapi_dn_issuffix(dn, config_entry->scope)) { -+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, " Entry not in scope of dnaScope!\n"); - goto next; -+ } - } - - /* is this entry in an excluded scope? */ - for (i = 0; config_entry->excludescope && config_entry->excludescope[i]; i++) { - if (slapi_dn_issuffix(dn, slapi_sdn_get_dn(config_entry->excludescope[i]))) { -+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, " Entry in excluded scope, next\n"); - goto next; - } - } -- -+ - /* does the entry match the filter? 
*/ - if (config_entry->slapi_filter) { -- if(LDAP_SUCCESS != slapi_vattr_filter_test(pb,e,config_entry->slapi_filter, 0)) -+ if(LDAP_SUCCESS != slapi_vattr_filter_test(pb,e,config_entry->slapi_filter, 0)) { -+ slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, " Entry does not match filter\n"); - goto next; -+ } - } - - if (LDAP_CHANGETYPE_ADD == modtype) { -@@ -4526,6 +4551,11 @@ dna_release_range(char *range_dn, PRUint64 *lower, PRUint64 *upper) - * it instead of from the active range */ - if (config_entry->next_range_lower != 0) { - /* Release up to half of our values from the next range. */ -+ if (config_entry->threshold == 0) { -+ ret = LDAP_UNWILLING_TO_PERFORM; -+ goto bail; -+ } -+ - release = (((config_entry->next_range_upper - config_entry->next_range_lower + 1) / - 2) / config_entry->threshold) * config_entry->threshold; - --- -2.4.11 - diff --git a/SOURCES/0004-Ticket-49171-Nunc-Stans-incorrectly-reports-a-timeou.patch b/SOURCES/0004-Ticket-49171-Nunc-Stans-incorrectly-reports-a-timeou.patch new file mode 100644 index 0000000..4f04068 --- /dev/null +++ b/SOURCES/0004-Ticket-49171-Nunc-Stans-incorrectly-reports-a-timeou.patch 
@@ -0,0 +1,96 @@
+From 645e628626f4a3d4b662c067584b4efc6b5c70c5 Mon Sep 17 00:00:00 2001
+From: William Brown
+Date: Wed, 15 Mar 2017 10:46:38 +1000
+Subject: [PATCH 5/5] Ticket 49171 - Nunc Stans incorrectly reports a timeout
+
+Bug Description: In some cases nunc-stans would incorrectly report
+and IO timeout.
+
+Fix Description: Make the io output type volatile to prevent re-arranging
+of the code. We then make timeout exclusive to read, write and signal.
+Finally, we add an extra check into ns_handle_pr_read_ready that
+asserts we truly have an idle timeout. It issues a warning now
+instead if this scenario occurs, rather than closing the
+connection.
+
+https://pagure.io/389-ds-base/issue/49171
+
+Author: wibrown
+
+Review by: mreynolds (thanks!)
+
+(cherry picked from commit c8ce1b32cc365174c8280111c2d55bba45f7949f)
+---
+ ldap/servers/slapd/daemon.c | 15 +++++++++++----
+ src/nunc-stans/ns/ns_event_fw_event.c | 28 ++++++++++++++++------------
+ 2 files changed, 27 insertions(+), 16 deletions(-)
+
+diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
+index a37c8c6..6b3331d 100644
+--- a/ldap/servers/slapd/daemon.c
++++ b/ldap/servers/slapd/daemon.c
+@@ -1970,11 +1970,18 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
+ connection_release_nolock_ext(c, 1); /* release ref acquired when job was added */
+ if (CONN_NEEDS_CLOSING(c)) {
+ ns_handle_closure_nomutex(c);
++ /* We shouldn't need the c_idletimeout check here because of how libevent works.
++ * consider testing this and removing it oneday.
++ */
+ } else if (NS_JOB_IS_TIMER(ns_job_get_output_type(job))) {
+- /* idle timeout */
+- disconnect_server_nomutex_ext(c, c->c_connid, -1,
+- SLAPD_DISCONNECT_IDLE_TIMEOUT, EAGAIN,
+- 0 /* do not schedule closure, do it next */);
++ if (c->c_idletimeout > 0) {
++ /* idle timeout */
++ disconnect_server_nomutex_ext(c, c->c_connid, -1,
++ SLAPD_DISCONNECT_IDLE_TIMEOUT, EAGAIN,
++ 0 /* do not schedule closure, do it next */);
++ } else {
++ slapi_log_err(SLAPI_LOG_WARNING, "ns_handle_pr_read_ready", "Received idletime out with c->c_idletimeout as 0. Ignoring.\n");
++ }
+ ns_handle_closure_nomutex(c);
+ } else if ((connection_activity(c, maxthreads)) == -1) {
+ /* This might happen as a result of
+diff --git a/src/nunc-stans/ns/ns_event_fw_event.c b/src/nunc-stans/ns/ns_event_fw_event.c
+index 58dac28..3acbaf7 100644
+--- a/src/nunc-stans/ns/ns_event_fw_event.c
++++ b/src/nunc-stans/ns/ns_event_fw_event.c
+@@ -71,18 +71,22 @@ event_logger_cb(int severity, const char *msg)
+ static ns_job_type_t
+ event_flags_to_type(short events)
+ {
+- ns_job_type_t job_type = 0;
+- if (events & EV_READ) {
+- job_type |= NS_JOB_READ;
+- }
+- if (events & EV_WRITE) {
+- job_type |= NS_JOB_WRITE;
+- }
+- if (events & EV_TIMEOUT) {
+- job_type |= NS_JOB_TIMER;
+- }
+- if (events & EV_SIGNAL) {
+- job_type |= NS_JOB_SIGNAL;
++ /* The volatile here prevents gcc rearranging this code within the thread. */
++ volatile ns_job_type_t job_type = 0;
++
++ /* Either we timeout *or* we are a real event */
++ if (!(events & EV_TIMEOUT)) {
++ if (events & EV_READ) {
++ job_type |= NS_JOB_READ;
++ }
++ if (events & EV_WRITE) {
++ job_type |= NS_JOB_WRITE;
++ }
++ if (events & EV_SIGNAL) {
++ job_type |= NS_JOB_SIGNAL;
++ }
++ } else {
++ job_type = NS_JOB_TIMER;
+ }
+ return job_type;
+ }
+--
+2.9.3
+
diff --git a/SOURCES/0005-Issue-49169-Fix-covscan-errors-regression.patch b/SOURCES/0005-Issue-49169-Fix-covscan-errors-regression.patch
new file mode 100644
index 0000000..757a4dc
--- /dev/null
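Review bot: In the `ns_handle_pr_read_ready` hunk the new `else` branch logs "Ignoring." yet `ns_handle_closure_nomutex(c);` still runs unconditionally after the `if`/`else`, so a timer event on a connection whose `c_idletimeout` is 0 is not simply ignored. Whether that helper tolerates a connection that is not marked for closing, and whether the read job is re-armed on this path, is not visible here because the function body starts and ends outside the hunk. I would either move the call up into the `if (c->c_idletimeout > 0)` branch, directly after `disconnect_server_nomutex_ext(...)`, or keep it and say why with a comment like `/* still run closure handling: TODO confirm it is safe for a connection that is not closing */`. The added comment about the `c_idletimeout` check also sits in the `CONN_NEEDS_CLOSING` branch, one branch above the check it describes, and would read better next to `if (c->c_idletimeout > 0)`.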
+++ b/SOURCES/0005-Issue-49169-Fix-covscan-errors-regression.patch
@@ -0,0 +1,36 @@
+From 6dde613c1a44731e017d262c2b5868dbe333da74 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Wed, 15 Mar 2017 09:00:19 -0400
+Subject: [PATCH] Issue 49169 - Fix covscan errors(regression)
+
+Description: The change to vattr.c caused problems with the tests.
+ Removing change.
+
+https://pagure.io/389-ds-base/issue/49169
+
+Reviewed by: one line commit rule
+
+(cherry picked from commit 314e9ecf310d4ab8e8fc700bd5d3477d52e4fa19)
+---
+ ldap/servers/slapd/vattr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
+index 599b54e..ef4d7f2 100644
+--- a/ldap/servers/slapd/vattr.c
++++ b/ldap/servers/slapd/vattr.c
+@@ -754,9 +754,9 @@ slapi_vattr_values_get_sp(vattr_context *c,
+ if (use_local_ctx) {
+ /* slapi_pblock_destroy cleans up pb_vattr_context, as well */
+ slapi_pblock_destroy(local_pb);
+- ctx->pb = NULL;
++ } else {
++ vattr_context_ungrok(&c);
+ }
+- vattr_context_ungrok(&ctx);
+ return rc;
+ }
+
+--
+2.9.3
+
diff --git a/SOURCES/0005-Ticket-48144-Add-usr-sbin-status-dirsrv-script-to-ge.patch b/SOURCES/0005-Ticket-48144-Add-usr-sbin-status-dirsrv-script-to-ge.patch
deleted file mode 100644
index 3999d39..0000000
--- a/SOURCES/0005-Ticket-48144-Add-usr-sbin-status-dirsrv-script-to-ge.patch
+++ /dev/null
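Review bot: The restored `else { vattr_context_ungrok(&c); }` in `slapi_vattr_values_get_sp` carries no comment recording why the covscan change (`ctx->pb = NULL;` followed by an unconditional `vattr_context_ungrok(&ctx);`) was backed out, so the same static-analysis finding is likely to be patched the same way again. The commit message says only that the change caused problems with the tests. A comment above the `else` would keep that history with the code, for example `/* ungrok only the caller's context; clearing ctx->pb and ungrokking ctx unconditionally broke the tests (issue 49169) */`. The function starts outside the hunk, so how `ctx` relates to `c` on each path is not visible here and should be confirmed before wording the comment more strongly.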
@@ -1,50 +0,0 @@ -From 1de87b6fa85221c874bc4449d81655302540ec22 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Mon, 11 Jul 2016 19:09:24 -0700 -Subject: [PATCH 05/15] Ticket #48144 - Add /usr/sbin/status-dirsrv script to - get the status of the directory server instance. - -Description: -Analysis by vashirov@redhat.com: - https://bugzilla.redhat.com/show_bug.cgi?id=1209128#c11 - The error comes from bash built-in `return`. bash version prior to - 4.3 didn't support negative numbers as argument for `return`. - See for reference: http://wiki.bash-hackers.org/scripting/bashchanges - -As suggested in the comment, instead of -1, 255 should be returned in -this error case: - > 255 is returned if the instance does not exist. - -https://fedorahosted.org/389/ticket/48144 - -Viktor's proposal is reviewed by nhosoi@redhat.com. - -(cherry picked from commit a8b07cd2671c82421830ae94584b370436ef3434) ---- - ldap/admin/src/scripts/status-dirsrv.in | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ldap/admin/src/scripts/status-dirsrv.in b/ldap/admin/src/scripts/status-dirsrv.in -index 0f01eaa..9042899 100755 ---- a/ldap/admin/src/scripts/status-dirsrv.in -+++ b/ldap/admin/src/scripts/status-dirsrv.in -@@ -11,14 +11,14 @@ status_instance() { - SERV_ID=$1 - shift - -- initfile=`get_init_file $initconfig_dir $SERV_ID` || { echo Instance $SERV_ID not found. ; return -1 ; } -+ initfile=`get_init_file $initconfig_dir $SERV_ID` || { echo Instance $SERV_ID not found. ; return 255 ; } - - # source env. for this instance - if [ -f $initfile ] ; then - . $initfile - else - echo Instance $SERV_ID not found. -- return -1 -+ return 255 - fi - - prefix="$DS_ROOT" --- -2.4.11 - diff --git a/SOURCES/0006-Issue-49062-Reset-agmt-update-staus-and-total-init b/SOURCES/0006-Issue-49062-Reset-agmt-update-staus-and-total-init new file mode 100644 index 0000000..77c5104 --- /dev/null +++ b/SOURCES/0006-Issue-49062-Reset-agmt-update-staus-and-total-init 
@@ -0,0 +1,29 @@
+From 310b8f8b3c59423b9dfa3a6ea30f4a719f342fc9 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Wed, 1 Mar 2017 10:56:40 -0500
+Subject: [PATCH] Issue 49062 - Reset agmt update staus and total init
+
+Description: Make sure we always reset the agmt status after doing a reinit
+
+https://pagure.io/389-ds-base/issue/49062
+
+Reviewed by: tbordaz & nhosoi(Thanks!!)
+---
+ ldap/servers/plugins/replication/repl5_tot_protocol.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ldap/servers/plugins/replication/repl5_tot_protocol.c b/ldap/servers/plugins/replication/repl5_tot_protocol.c
+index 57d9de2..45a084a 100644
+--- a/ldap/servers/plugins/replication/repl5_tot_protocol.c
++++ b/ldap/servers/plugins/replication/repl5_tot_protocol.c
+@@ -591,6 +591,7 @@ retry:
+ "\"%s\". Sent %lu entries.\n",
+ agmt_get_long_name(prp->agmt), cb_data.num_entries);
+ agmt_set_last_init_status(prp->agmt, 0, 0, 0, "Total update succeeded");
++ agmt_set_last_update_status(prp->agmt, 0, 0, NULL);
+ }
+
+ done:
+--
+2.9.3
+
diff --git a/SOURCES/0006-Ticket-48767-flow-control-in-replication-also-blocks.patch b/SOURCES/0006-Ticket-48767-flow-control-in-replication-also-blocks.patch
deleted file mode 100644
index bb6aa23..0000000
--- a/SOURCES/0006-Ticket-48767-flow-control-in-replication-also-blocks.patch
+++ /dev/null
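Review bot: The added `agmt_set_last_update_status(prp->agmt, 0, 0, NULL);` sits inside the block that reports "Total update succeeded", so the update status is reset only on the success path, while the description says the status is always reset after a reinit. If a failed total init should clear the stale status as well, the call belongs on the path through `done:` or in the failure branch, both of which lie outside this hunk. If success-only is intended, a comment such as `/* a successful total init supersedes any earlier update status; a failed init keeps it */` would make that explicit. The call also appears to rely on a NULL message meaning "clear", which is not visible here and should be confirmed against `agmt_set_last_update_status`.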
@@ -1,44 +0,0 @@ -From 05b04751367b628819d6f0a5a533d1af4eb423ba Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Mon, 11 Jul 2016 10:30:04 -0400 -Subject: [PATCH 06/15] Ticket 48767 - flow control in replication also blocks - receiving results - -Bug Description: In ticket 47942 a flow control was introduced to reduce - the load of a replication consumer. It adds some pauses - in the asynch sending of updates. Unfortunately while it - pauses it holds the reader lock, so that the result reader - thread is also paused. - -Fix Description: If we need to pause the sending of updates then also release - the Result Data lock so the reader thread is not blocked. - -https://fedorahosted.org/389/ticket/48767 - -Reviewed by: nhosi(Thanks!) - -(cherry picked from commit ba636587e77423c7773df60894344dea0377c36f) ---- - ldap/servers/plugins/replication/repl5_inc_protocol.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/ldap/servers/plugins/replication/repl5_inc_protocol.c b/ldap/servers/plugins/replication/repl5_inc_protocol.c -index d6fb898..27bac5d 100644 ---- a/ldap/servers/plugins/replication/repl5_inc_protocol.c -+++ b/ldap/servers/plugins/replication/repl5_inc_protocol.c -@@ -479,9 +479,11 @@ repl5_inc_flow_control_results(Repl_Agmt *agmt, result_data *rd) - if ((rd->last_message_id_received <= rd->last_message_id_sent) && - ((rd->last_message_id_sent - rd->last_message_id_received) >= agmt_get_flowcontrolwindow(agmt))) { - rd->flowcontrol_detection++; -+ PR_Unlock(rd->lock); - DS_Sleep(PR_MillisecondsToInterval(agmt_get_flowcontrolpause(agmt))); -+ } else { -+ PR_Unlock(rd->lock); - } -- PR_Unlock(rd->lock); - } - - static int --- -2.4.11 - diff --git a/SOURCES/0007-Issue-49065-dbmon.sh-fails-if-you-have-nsslapd-requi.patch b/SOURCES/0007-Issue-49065-dbmon.sh-fails-if-you-have-nsslapd-requi.patch new file mode 100644 index 0000000..b27dbb5 --- /dev/null +++ b/SOURCES/0007-Issue-49065-dbmon.sh-fails-if-you-have-nsslapd-requi.patch 
@@ -0,0 +1,174 @@ +From edf3d210e9ba9006f87e0597b052fa925c68ddc2 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 20 Mar 2017 17:35:10 -0400 +Subject: [PATCH] Issue 49065 - dbmon.sh fails if you have + nsslapd-require-secure-binds enabled + +Description: Add the ability to detect if security is enabled, if so connect using + start TLS. Added a new param SERVID for specifying which instance + you want to look at. + +https://pagure.io/389-ds-base/issue/49065 + +Reviewed by: firstyear(Thanks!) +--- + Makefile.am | 2 +- + ldap/admin/src/scripts/{dbmon.sh => dbmon.sh.in} | 62 ++++++++++++++++++++++-- + man/man8/dbmon.sh.8 | 14 +++--- + 3 files changed, 65 insertions(+), 13 deletions(-) + rename ldap/admin/src/scripts/{dbmon.sh => dbmon.sh.in} (81%) + mode change 100755 => 100644 + +diff --git a/Makefile.am b/Makefile.am +index 9aebb6b..4a4b2d3 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -235,7 +235,7 @@ CLEANFILES = dberrstrs.h ns-slapd.properties \ + ldap/admin/src/scripts/usn-tombstone-cleanup.pl ldap/admin/src/scripts/verify-db.pl \ + ldap/admin/src/scripts/ds_selinux_port_query ldap/admin/src/scripts/ds_selinux_enabled \ + ldap/admin/src/scripts/dbverify ldap/admin/src/scripts/readnsstate \ +- doxyfile.stamp \ ++ doxyfile.stamp ldap/admin/src/scripts/dbmon.sh \ + $(NULL) + + clean-local: +diff --git a/ldap/admin/src/scripts/dbmon.sh b/ldap/admin/src/scripts/dbmon.sh.in +old mode 100755 +new mode 100644 +similarity index 81% +rename from ldap/admin/src/scripts/dbmon.sh +rename to ldap/admin/src/scripts/dbmon.sh.in +index 3b8b4d1..4ee6adc +--- a/ldap/admin/src/scripts/dbmon.sh ++++ b/ldap/admin/src/scripts/dbmon.sh.in +@@ -8,10 +8,11 @@ + # END COPYRIGHT BLOCK + # + ++. 
@datadir@/@package_name@/data/DSSharedLib ++ + DURATION=${DURATION:-0} + INCR=${INCR:-1} +-HOST=${HOST:-localhost} +-PORT=${PORT:-389} ++SERVID=${SERVID} + BINDDN=${BINDDN:-"cn=directory manager"} + BINDPW=${BINDPW:-"secret"} + DBLIST=${DBLIST:-all} +@@ -180,10 +181,63 @@ parseldif() { + } + + dodbmon() { ++ initfile=$(get_init_file "@initconfigdir@" $SERVID) ++ if [ $? -eq 1 ] ++ then ++ echo "You must supply a valid server instance identifier (via SERVID)." ++ echo "Available instances: $initfile" ++ exit 1 ++ fi ++ ++ . $initfile ++ ++ process_dse $CONFIG_DIR $$ ++ file="/tmp/DSSharedLib.$$" ++ port=$(grep -i 'nsslapd-port' $file | awk '{print $2}' ) ++ host=$(grep -i 'nsslapd-localhost' $file | awk '{print $2}' ) ++ security=$(grep -i 'nsslapd-security' $file | awk '{print $2}' ) ++ certdir=$(grep -i 'nsslapd-certdir' $file | awk '{print $2}' ) ++ rm $file ++ ++ if [ -n "$ldapiURL" ] ++ then ++ ldapiURL=`echo "$ldapiURL" | sed -e 's/\//%2f/g'` ++ ldapiURL="ldapi://"$ldapiURL ++ fi ++ ++ client_type=`ldapsearch -V 2>&1`; ++ echo "$client_type" | grep -q "OpenLDAP" ++ if [ $? 
-eq 0 ] ++ then ++ openldap="yes" ++ export LDAPTLS_CACERTDIR=$certdir ++ fi ++ ++ if [ -z $security ]; then ++ security="off" ++ fi ++ + while [ 1 ] ; do + date +- ldapsearch -xLLL -h $HOST -p $PORT -D "$BINDDN" -w "$BINDPW" -b "$ldbmdn" '(|(cn=config)(cn=database)(cn=monitor))' \ +- | parseldif ++ if [ "$security" = "on" ]; then ++ # STARTTLS ++ if [ "$openldap" = "yes" ]; then ++ ldapsearch -x -LLL -ZZ -h $host -p $port -D "$BINDDN" -w "$BINDPW" -b "$ldbmdn" '(|(cn=config)(cn=database)(cn=monitor))' \ ++ | parseldif ++ else ++ ldapsearch -ZZZ -P $certdir -h $host -p $port -D "$BINDDN" -w "$BINDPW" -b "$ldbmdn" '(|(cn=config)(cn=database)(cn=monitor))' \ ++ | parseldif ++ fi ++ else ++ # LDAP ++ if [ "$openldap" = "yes" ]; then ++ ldapsearch -x -LLL -h $host -p $port -D "$BINDDN" -w "$BINDPW" -b "$ldbmdn" '(|(cn=config)(cn=database)(cn=monitor))' \ ++ | parseldif ++ else ++ ldapsearch -h $host -p $port -D "$BINDDN" -w "$BINDPW" -b "$ldbmdn" '(|(cn=config)(cn=database)(cn=monitor))' \ ++ | parseldif ++ fi ++ fi + echo "" + sleep $INCR + done +diff --git a/man/man8/dbmon.sh.8 b/man/man8/dbmon.sh.8 +index 49e61d0..ad318a1 100644 +--- a/man/man8/dbmon.sh.8 ++++ b/man/man8/dbmon.sh.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH DBMON.SH 8 "Jul 25, 2014" ++.TH DBMON.SH 8 "Mar 20, 2017" + .\" Please adjust this date whenever revising the manpage. 
+ .\" + .\" Some roff macros, for reference: +@@ -18,7 +18,7 @@ + .SH NAME + dbmon.sh - Directory Server script for monitoring database and entry cache usage + .SH SYNOPSIS +-[INCR=num] [HOST=hostname] [PORT=num] [BINDDN=binddn] [BINDPW=password] [DBLIST=databases] [INDEXLIST=indexes] [VERBOSE=num] dbmon.sh ++[INCR=num] [SERVID=server_id][BINDDN=binddn] [BINDPW=password] [DBLIST=databases] [INDEXLIST=indexes] [VERBOSE=num] dbmon.sh + .SH DESCRIPTION + dbmon.sh is a tool used to monitor database and entry cache usage. It is especially useful for database cache and entry/dn cache tuning - how much space is left, is the cache full, how much space on average do I need per entry/dn. + .SH OPTIONS +@@ -31,9 +31,7 @@ All arguments are optional, but you will most likely have to provide BINDPW + .TP + .B \fBINCR\fR - show results every INCR seconds - default is 1 second + .TP +-.B \fBHOST\fR - name of host or IP address - default is "localhost" +-.TP +-.B \fBPORT\fR - port number (LDAP not LDAPS) - default is 389 ++.B \fBSERVID\fR - Name of the server instance + .TP + .B \fBBINDDN\fR - DN to use to bind - must have permission to read everything under cn=config - default is cn=Directory Manager + .TP +@@ -46,11 +44,11 @@ All arguments are optional, but you will most likely have to provide BINDPW + .B \fBVERBOSE\fR - output level - 0 == suitable for parsing by a script - 1 == has column headings - 2 == provides detailed descriptions of the data - default is 0 + + .SH EXAMPLE +-INCR=1 HOST=ldap.example.com BINDDN="cn=directory manager" BINDPW="secret" VERBOSE=2 dbmon.sh ++INCR=1 SERVID=slapd-localhost BINDDN="cn=directory manager" BINDPW="secret" VERBOSE=2 dbmon.sh + + .SH AUTHOR + dbmon.sh was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2014 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. +-- +2.9.3 + 
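Review bot: The block added to dodbmon() reads the instance settings from `/tmp/DSSharedLib.$$`, a path any local user can predict, and then passes the parsed values unquoted as the host, port and certificate directory of a bind that carries `$BINDPW`. process_dse is sourced from DSSharedLib and is not part of this hunk, so how it creates that file cannot be confirmed here; if it does not create it exclusively, a file or symlink placed there beforehand could change where the bind goes or what gets overwritten. I would have the helper write under a directory from `mktemp -d` and quote the expansions, for example `if [ -z "$security" ]; then` and `. "$initfile"`. With `security` off the simple bind still sends the password in clear text, which is worth a sentence in the man page.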
diff --git a/SOURCES/0007-Ticket-48922-Fix-crash-when-deleting-backend-while-i.patch b/SOURCES/0007-Ticket-48922-Fix-crash-when-deleting-backend-while-i.patch deleted file mode 100644 index 97f9316..0000000 --- a/SOURCES/0007-Ticket-48922-Fix-crash-when-deleting-backend-while-i.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 74df3c57e0de786f001285429501c518d70abb13 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 13 Jul 2016 16:24:19 -0400 -Subject: [PATCH 07/15] Ticket 48922 - Fix crash when deleting backend while - import is running - -Bug Description: If you delete a backend from the config while an - import is running the server can crash. - -Fix Description: When deleting a backend from the config wait for the - backend instance to not be busy before removing the - indexes. Otherwise the dbenv is not stable and this - can cause the crash. - -https://fedorahosted.org/389/ticket/48922 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit 6c77c37ae5ce847ffa2bd75287dbd157c2f2d6af) ---- - ldap/servers/slapd/back-ldbm/ldbm_index_config.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_index_config.c b/ldap/servers/slapd/back-ldbm/ldbm_index_config.c -index 3e59e72..c5ceacf 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_index_config.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_index_config.c -@@ -151,6 +151,12 @@ ldbm_instance_index_config_delete_callback(Slapi_PBlock *pb, Slapi_Entry* e, Sla - rc = SLAPI_DSE_CALLBACK_ERROR; - goto bail; - } -+ -+ while(is_instance_busy(inst)){ -+ /* Wait for import/indexing job to complete */ -+ DS_Sleep(PR_SecondsToInterval(1)); -+ } -+ - *returncode = LDAP_SUCCESS; - - slapi_entry_attr_find(e, "cn", &attr); --- -2.4.11 - diff --git a/SOURCES/0008-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch b/SOURCES/0008-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch new file mode 100644 index 0000000..d3cbdb1 --- /dev/null 
+++ b/SOURCES/0008-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch 
@@ -0,0 +1,157 @@ +From abc9ff876209819c8f0dd7e799f1ab6a1b084fe5 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 20 Mar 2017 15:08:45 -0400 +Subject: [PATCH] Issue 49095 - targetattr wildcard evaluation is incorrectly + case sensitive + +Description: When processing an aci that uses a wildcard targetattr, the + comparision should be done using case insensitive functions. + +https://pagure.io/389-ds-base/issue/49095 + +Reviewed by: firstyear(Thanks!) +--- + dirsrvtests/tests/tickets/ticket49095_test.py | 85 +++++++++++++++++++++++++++ + ldap/servers/plugins/acl/acl.c | 10 ++-- + 2 files changed, 90 insertions(+), 5 deletions(-) + create mode 100644 dirsrvtests/tests/tickets/ticket49095_test.py + +diff --git a/dirsrvtests/tests/tickets/ticket49095_test.py b/dirsrvtests/tests/tickets/ticket49095_test.py +new file mode 100644 +index 0000000..04f92b2 +--- /dev/null ++++ b/dirsrvtests/tests/tickets/ticket49095_test.py +@@ -0,0 +1,85 @@ ++import time ++import ldap ++import logging ++import pytest ++from lib389 import DirSrv, Entry, tools, tasks ++from lib389.tools import DirSrvTools ++from lib389._constants import * ++from lib389.properties import * ++from lib389.tasks import * ++from lib389.utils import * ++from lib389.topologies import topology_st as topo ++ ++DEBUGGING = os.getenv("DEBUGGING", default=False) ++if DEBUGGING: ++ logging.getLogger(__name__).setLevel(logging.DEBUG) ++else: ++ logging.getLogger(__name__).setLevel(logging.INFO) ++log = logging.getLogger(__name__) ++ ++USER_DN = 'uid=testuser,dc=example,dc=com' ++acis = ['(targetattr != "tele*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)', ++ '(targetattr != "TELE*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)', ++ '(targetattr != "telephonenum*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)', ++ '(targetattr != "TELEPHONENUM*") (version 3.0;acl "test case";allow 
(read,compare,search)(userdn = "ldap:///anyone");)'] ++ ++ ++def test_ticket49095(topo): ++ """Check that target attrbiutes with wildcards are case insensitive ++ """ ++ ++ # Add an entry ++ try: ++ topo.standalone.add_s(Entry((USER_DN, { ++ 'objectclass': 'top extensibleObject'.split(), ++ 'uid': 'testuser', ++ 'telephonenumber': '555-555-5555' ++ }))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add test user: ' + e.message['desc']) ++ assert False ++ ++ for aci in acis: ++ # Add ACI ++ try: ++ topo.standalone.modify_s(DEFAULT_SUFFIX, ++ [(ldap.MOD_REPLACE, 'aci', aci)]) ++ ++ except ldap.LDAPError as e: ++ log.fatal('Failed to set aci: ' + aci + ': ' + e.message['desc']) ++ assert False ++ ++ # Set Anonymous Bind to test aci ++ try: ++ topo.standalone.simple_bind_s("", "") ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind anonymously: ' + e.message['desc']) ++ assert False ++ ++ # Search for entry - should not get any results ++ try: ++ entry = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE, ++ 'telephonenumber=*') ++ if entry: ++ log.fatal('The entry was incorrectly returned') ++ assert False ++ except ldap.LDAPError as e: ++ log.fatal('Failed to search anonymously: ' + e.message['desc']) ++ assert False ++ ++ # Set root DN Bind so we can update aci's ++ try: ++ topo.standalone.simple_bind_s(DN_DM, PASSWORD) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind anonymously: ' + e.message['desc']) ++ assert False ++ ++ log.info("Test Passed") ++ ++ ++if __name__ == '__main__': ++ # Run isolated ++ # -s for DEBUG mode ++ CURRENT_FILE = os.path.realpath(__file__) ++ pytest.main("-s %s" % CURRENT_FILE) ++ +diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c +index 0a93808..48b8efc 100644 +--- a/ldap/servers/plugins/acl/acl.c ++++ b/ldap/servers/plugins/acl/acl.c +@@ -3407,19 +3407,19 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match) + } + + /* this assumes that str and the filter 
components are already +- * normalized. If not, it shoul be done ++ * normalized. If not, it should be done + */ + if ( initial != NULL) { + len = strlen(initial); + if (exact_match) { +- int rc = strncmp(p, initial, len); ++ int rc = strncasecmp(p, initial, len); + if (rc) { + return ACL_FALSE; + } else { + p += len; + } + } else { +- p = strstr(p, initial); ++ p = strcasestr(p, initial); + if (p) { + p += len; + } else { +@@ -3430,7 +3430,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match) + + if ( any != NULL) { + for (i = 0; any && any[i] != NULL; i++) { +- p = strstr(p, any[i]); ++ p = strcasestr(p, any[i]); + if (p) { + p += strlen(any[i]); + } else { +@@ -3444,7 +3444,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match) + len = strlen(final); + tlen = strlen(p); + if (len > tlen) return ACL_FALSE; +- if (strcmp(p+tlen-len, final)) return ACL_FALSE; ++ if (strcasecmp(p+tlen-len, final)) return ACL_FALSE; + } + + return ACL_TRUE; +-- +2.9.3 + diff --git a/SOURCES/0008-Ticket-48924-Fixup-tombstone-task-needs-to-set-prope.patch b/SOURCES/0008-Ticket-48924-Fixup-tombstone-task-needs-to-set-prope.patch deleted file mode 100644 index 0ee4947..0000000 --- a/SOURCES/0008-Ticket-48924-Fixup-tombstone-task-needs-to-set-prope.patch +++ /dev/null 
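Review bot: The case-insensitive calls added to acl_match_substring() are the libc ones (`strncasecmp`, `strcasestr`, `strcasecmp`), so an access-control comparison now depends on the process locale and on a non-standard function. `strcasestr` is a GNU/BSD extension; whether acl.c sees its prototype is not visible in this hunk, and without one the call would be implicitly declared as returning int, which can truncate the pointer on 64-bit builds. The NSPR string routines (PL_strcasecmp is already used elsewhere in the server) would avoid both, e.g. `p = PL_strcasestr(p, initial);` and `int rc = PL_strncasecmp(p, initial, len);`. The function body starts and ends outside the hunks shown and its callers are not visible, so it is worth confirming that every caller wants case-insensitive matching.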
@@ -1,63 +0,0 @@ -From 4c154182cd680f458b016abf60760328d0979b63 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 13 Jul 2016 15:51:56 -0400 -Subject: [PATCH 08/15] Ticket 48924 - Fixup tombstone task needs to set proper - flag when updating tombstones - -Bug Description: The fixup tombstone task is not updating tombstones due to - TOMBSTONE_INCLUDE not being set when looking up the entry to - modify. - -Fix Description: If fixing up tombstones called find_entry2modify_only_ext with - the TOMBSTONE_INCLUDED flag. - -https://fedorahosted.org/389/ticket/48924 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit 8cfb650170bbb4f6ce328b827dc294437ee38c4b) ---- - ldap/servers/slapd/back-ldbm/ldbm_modify.c | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) - -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c -index 37225cd..9b3062c 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c -@@ -465,9 +465,14 @@ ldbm_back_modify( Slapi_PBlock *pb ) - */ - if ( MANAGE_ENTRY_BEFORE_DBLOCK(li)) { - /* find and lock the entry we are about to modify */ -- if ( (e = find_entry2modify( pb, be, addr, &txn )) == NULL ) { -+ if (fixup_tombstone) { -+ e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn ); -+ } else { -+ e = find_entry2modify( pb, be, addr, &txn ); -+ } -+ if (e == NULL) { - ldap_result_code= -1; -- goto error_return; /* error result sent by find_entry2modify() */ -+ goto error_return; /* error result sent by find_entry2modify() */ - } - } - -@@ -545,9 +550,14 @@ ldbm_back_modify( Slapi_PBlock *pb ) - if (0 == retry_count) { /* just once */ - if ( !MANAGE_ENTRY_BEFORE_DBLOCK(li)) { - /* find and lock the entry we are about to modify */ -- if ( (e = find_entry2modify( pb, be, addr, &txn )) == NULL ) { -+ if (fixup_tombstone) { -+ e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn ); -+ } else 
{ -+ e = find_entry2modify( pb, be, addr, &txn ); -+ } -+ if (e == NULL) { - ldap_result_code= -1; -- goto error_return; /* error result sent by find_entry2modify() */ -+ goto error_return; /* error result sent by find_entry2modify() */ - } - } - --- -2.4.11 - diff --git a/SOURCES/0009-Issue-49157-ds-logpipe.py-crashes-for-non-existing-u.patch b/SOURCES/0009-Issue-49157-ds-logpipe.py-crashes-for-non-existing-u.patch new file mode 100644 index 0000000..a79e911 --- /dev/null +++ b/SOURCES/0009-Issue-49157-ds-logpipe.py-crashes-for-non-existing-u.patch 
@@ -0,0 +1,75 @@ +From e33f58d5a9984fd5d5533425fb420d05e6484d7f Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 20 Mar 2017 15:29:48 -0400 +Subject: [PATCH] Issue 49157 - ds-logpipe.py crashes for non-existing users + +Description: Added try/except's for various OS function calls, as the tool + should gracefully exit when there is a problem and not crash + +https://pagure.io/389-ds-base/issue/49157 + +Reviewed by: firstyear(Thanks!) +--- + ldap/admin/src/scripts/ds-logpipe.py | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +diff --git a/ldap/admin/src/scripts/ds-logpipe.py b/ldap/admin/src/scripts/ds-logpipe.py +index 4ba4d1b..dc1856a 100644 +--- a/ldap/admin/src/scripts/ds-logpipe.py ++++ b/ldap/admin/src/scripts/ds-logpipe.py +@@ -262,7 +262,8 @@ def parse_options(): + + options, logfname = parse_options() + +-if options.debug: debug = True ++if options.debug: ++ debug = True + + if len(plgfuncs) == 0: + plgfuncs.append(defaultplugin) +@@ -270,9 +271,15 @@ if len(plgpostfuncs) == 0: + plgpostfuncs.append(defaultpost) + + if options.user: +- try: userid = int(options.user) +- except ValueError: # not a numeric userid - look it up +- userid = pwd.getpwnam(options.user)[2] ++ try: ++ userid = int(options.user) ++ except ValueError: # not a numeric userid - look it up ++ try: ++ userid = pwd.getpwnam(options.user)[2] ++ except Exception as e: ++ print("Failed to lookup name (%s) error: %s" % ++ (options.user, str(e))) ++ sys.exit(1) + os.seteuid(userid) + + if options.scriptpidfile: +@@ -298,8 +305,12 @@ except OSError as e: + if e.errno == errno.ENOENT: + if debug: + print("Creating log pipe", logfname) +- os.mkfifo(logfname) +- os.chmod(logfname, 0o600) ++ try: ++ os.mkfifo(logfname) ++ os.chmod(logfname, 0o600) ++ except Exception as e: ++ print("Failed to create log pipe: " + str(e)) ++ sys.exit(1) + else: + raise Exception("%s [%d]" % (e.strerror, e.errno)) + +@@ -393,7 +404,7 @@ while not done: + else: # we read 
something + # pipe closed - usually when server shuts down + done = True +- ++ + if not done and debug: + print("log pipe", logfname, "closed - reopening - read", totallines, "total lines") + +-- +2.9.3 + diff --git a/SOURCES/0009-Ticket-48919-Compiler-warnings-while-building-389-ds.patch b/SOURCES/0009-Ticket-48919-Compiler-warnings-while-building-389-ds.patch deleted file mode 100644 index bec769a..0000000 --- a/SOURCES/0009-Ticket-48919-Compiler-warnings-while-building-389-ds.patch +++ /dev/null 
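Review bot: In the log-pipe creation block the FIFO is still made with `os.mkfifo(logfname)` and only restricted by the following `os.chmod(logfname, 0o600)`, so between the two calls the pipe exists with whatever mode the umask allows. Passing the mode at creation closes that window: `os.mkfifo(logfname, 0o600)`, keeping the chmod as a follow-up. The `os.seteuid(userid)` call right after the new lookup handling is still unguarded, so a failure there would still end in a traceback, and it changes only the effective uid; wrapping it the same way (`except OSError as e:`, print, `sys.exit(1)`) would match the intent of the commit. Catching `OSError` and `KeyError` rather than `Exception` would also keep unrelated errors visible.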
@@ -1,480 +0,0 @@ -From 3fbe8ab77452998fd646bf26ee8162aab0ae8659 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Wed, 13 Jul 2016 18:59:01 -0700 -Subject: [PATCH 09/15] Ticket #48919 - Compiler warnings while building - 389-ds-base on RHEL7 - -Description: Cleaned up warnings from gcc and clang. - -https://fedorahosted.org/389/ticket/48919 - -Reviewed by wibrown@redhat.com (Thank you, William!!) - -(cherry picked from commit 18c6029f64c48b330a101cbadceb8293d39bf5e2) ---- - ldap/servers/plugins/acl/acllas.c | 1 - - ldap/servers/slapd/agtmmap.c | 10 +++++++++- - ldap/servers/slapd/back-ldbm/idl_new.c | 4 ++-- - .../servers/slapd/back-ldbm/ldbm_instance_config.c | 5 +++++ - ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 15 ++++++++++----- - ldap/servers/slapd/detach.c | 11 +++++++---- - ldap/servers/slapd/localhost.c | 10 +++++++--- - ldap/servers/slapd/protect_db.c | 22 +++++++++++++++------- - ldap/servers/slapd/protect_db.h | 3 +++ - ldap/servers/slapd/saslbind.c | 3 +++ - ldap/servers/slapd/tools/ldclt/ldapfct.c | 5 ++++- - ldap/servers/slapd/tools/ldif.c | 5 ++++- - ldap/servers/slapd/tools/mmldif.c | 20 ++++++++++++-------- - ldap/servers/slapd/util.c | 9 ++++++--- - ldap/servers/snmp/main.c | 15 ++++++++++++--- - lib/base/file.cpp | 1 - - lib/base/fsmutex.cpp | 10 +++++++--- - 17 files changed, 106 insertions(+), 43 deletions(-) - -diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c -index ff9b450..47ac0b8 100644 ---- a/ldap/servers/plugins/acl/acllas.c -+++ b/ldap/servers/plugins/acl/acllas.c -@@ -190,7 +190,6 @@ extern int ldapu_member_certificate_match (void* cert, const char* desc); - /****************************************************************************/ - /* Defines, Constants, ande Declarations */ - /****************************************************************************/ --static char* const type_objectClass = "objectclass"; - static char* const filter_groups = "(|(objectclass=groupOfNames) 
(objectclass=groupOfUniqueNames)(objectclass=groupOfCertificates)(objectclass=groupOfURLs))"; - static char* const type_member = "member"; - static char* const type_uniquemember = "uniquemember"; -diff --git a/ldap/servers/slapd/agtmmap.c b/ldap/servers/slapd/agtmmap.c -index 6f72d57..629bc1b 100644 ---- a/ldap/servers/slapd/agtmmap.c -+++ b/ldap/servers/slapd/agtmmap.c -@@ -160,7 +160,15 @@ agt_mopen_stats (char * statsfile, int mode, int *hdl) - { - /* Without this we will get segv when we try to read/write later */ - buf = calloc (1, sz); -- (void)write (fd, buf, sz); -+ if (write(fd, buf, sz) < 0) { -+ err = errno; -+#if (0) -+ fprintf (stderr, "write failed errno=%d from %s(line: %d)\n", err, __FILE__, __LINE__); -+#endif -+ rc = err; -+ free (buf); -+ goto bail; -+ } - free (buf); - } - -diff --git a/ldap/servers/slapd/back-ldbm/idl_new.c b/ldap/servers/slapd/back-ldbm/idl_new.c -index 63df49f..a8d76d8 100644 ---- a/ldap/servers/slapd/back-ldbm/idl_new.c -+++ b/ldap/servers/slapd/back-ldbm/idl_new.c -@@ -403,8 +403,8 @@ idl_new_range_fetch( - time_t curtime; - void *saved_key = NULL; - int coreop = operator & SLAPI_OP_RANGE; -- ID key; -- ID suffix; -+ ID key = 0xff; /* random- to suppress compiler warning */ -+ ID suffix = 0; /* random- to suppress compiler warning */ - idl_range_id_pair *leftover = NULL; - size_t leftoverlen = 32; - int leftovercnt = 0; -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c -index 9302410..698be66 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c -@@ -1155,6 +1155,11 @@ ldbm_instance_post_delete_instance_entry_callback(Slapi_PBlock *pb, Slapi_Entry* - rc = PR_Delete(dbp); - } - PR_ASSERT(rc == 0); -+ if (rc != 0) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, -+ "ldbm_instance_post_delete_instance_entry_callback:" -+ " failed to delete %s\n", dbp); -+ } - PR_smprintf_free(dbp); - } - 
PR_CloseDir(dirhandle); -diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -index 0b2eab2..52338c2 100644 ---- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -@@ -1009,7 +1009,6 @@ export_one_entry(struct ldbminfo *li, - } - slapi_ch_free_string(&pw); - } -- rc = 0; - data.data = slapi_entry2str_with_options(expargs->ep->ep_entry, - &len, expargs->options); - data.size = len + 1; -@@ -1018,10 +1017,14 @@ export_one_entry(struct ldbminfo *li, - char idstr[32]; - - sprintf(idstr, "# entry-id: %lu\n", (u_long)expargs->ep->ep_id); -- write(expargs->fd, idstr, strlen(idstr)); -+ rc = write(expargs->fd, idstr, strlen(idstr)); -+ PR_ASSERT(rc > 0); - } -- write(expargs->fd, data.data, len); -- write(expargs->fd, "\n", 1); -+ rc = write(expargs->fd, data.data, len); -+ PR_ASSERT(rc > 0); -+ rc = write(expargs->fd, "\n", 1); -+ PR_ASSERT(rc > 0); -+ rc = 0; - if ((*expargs->cnt) % 1000 == 0) { - int percent; - -@@ -1350,7 +1353,9 @@ ldbm_back_ldbm2ldif( Slapi_PBlock *pb ) - */ - - sprintf(vstr, "version: %d\n\n", myversion); -- write(fd, vstr, strlen(vstr)); -+ rc = write(fd, vstr, strlen(vstr)); -+ PR_ASSERT(rc > 0); -+ rc = 0; - } - - eargs.decrypt = decrypt; -diff --git a/ldap/servers/slapd/detach.c b/ldap/servers/slapd/detach.c -index b5af952..b055a5c 100644 ---- a/ldap/servers/slapd/detach.c -+++ b/ldap/servers/slapd/detach.c -@@ -48,7 +48,7 @@ int - detach( int slapd_exemode, int importexport_encrypt, - int s_port, daemon_ports_t *ports_info ) - { -- int i, sd; -+ int i, sd, rc; - char *workingdir = 0; - char *errorlog = 0; - char *ptr = 0; -@@ -84,13 +84,15 @@ detach( int slapd_exemode, int importexport_encrypt, - if ( NULL == workingdir ) { - errorlog = config_get_errorlog(); - if ( NULL == errorlog ) { -- (void) chdir( "/" ); -+ rc = chdir( "/" ); -+ PR_ASSERT(rc == 0); - } else { - if ((ptr = strrchr(errorlog, '/')) || - (ptr = strrchr(errorlog, '\\'))) { - *ptr = 0; - } -- 
(void) chdir( errorlog ); -+ rc = chdir( errorlog ); -+ PR_ASSERT(rc == 0); - config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, errorlog, NULL, 1); - slapi_ch_free_string(&errorlog); - } -@@ -99,7 +101,8 @@ detach( int slapd_exemode, int importexport_encrypt, - if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, workingdir, NULL, 0) == LDAP_OPERATIONS_ERROR) { - return 1; - } -- (void) chdir( workingdir ); -+ rc = chdir( workingdir ); -+ PR_ASSERT(rc == 0); - slapi_ch_free_string(&workingdir); - } - -diff --git a/ldap/servers/slapd/localhost.c b/ldap/servers/slapd/localhost.c -index 2c40493..7b4e903 100644 ---- a/ldap/servers/slapd/localhost.c -+++ b/ldap/servers/slapd/localhost.c -@@ -118,9 +118,13 @@ find_localhost_DNS() - #ifndef NO_DOMAINNAME - if (domain == NULL) { - /* No domain found. Try getdomainname. */ -- getdomainname (line, sizeof(line)); -- LDAPDebug (LDAP_DEBUG_CONFIG, "getdomainname(%s)\n", line, 0, 0); -- if (line[0] != 0) { -+ line[0] = '\0'; -+ if (getdomainname(line, sizeof(line)) < 0) { /* failure */ -+ slapi_log_error(SLAPI_LOG_FATAL, "localhost_DNS", "getdomainname failed\n"); -+ } else { -+ slapi_log_error(SLAPI_LOG_CONFIG, "localhost_DNS", "getdomainname(%s)\n", line); -+ } -+ if (line[0] != '\0') { - domain = &line[0]; - } - } -diff --git a/ldap/servers/slapd/protect_db.c b/ldap/servers/slapd/protect_db.c -index b22daa1..4579852 100644 ---- a/ldap/servers/slapd/protect_db.c -+++ b/ldap/servers/slapd/protect_db.c -@@ -42,7 +42,7 @@ grab_lockfile() - { - pid_t pid, owning_pid; - char lockfile[MAXPATHLEN]; -- int fd, x; -+ int fd, x, rc; - int removed_lockfile = 0; - struct timeval t; - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -@@ -60,8 +60,12 @@ grab_lockfile() - /* Try to grab it */ - if ((fd = open(lockfile, O_RDWR | O_CREAT | O_EXCL, 0644)) != -1) { - /* We got the lock, write our pid to the file */ -- write(fd, (void *) &pid, sizeof(pid_t)); -- close(fd); -+ rc = write(fd, (void *) &pid, sizeof(pid_t)); -+ 
close(fd); -+ if (rc < 0) { -+ fprintf(stderr, ERROR_WRITING_LOCKFILE, lockfile); -+ return rc; -+ } - return 0; - } - -@@ -74,13 +78,17 @@ grab_lockfile() - - while(1) { - /* Try to grab the lockfile NUM_TRIES times waiting WAIT_TIME milliseconds after each try */ -- t.tv_sec = 0; -- t.tv_usec = WAIT_TIME * 1000; -+ t.tv_sec = 0; -+ t.tv_usec = WAIT_TIME * 1000; - for(x = 0; x < NUM_TRIES; x++) { - if ((fd = open(lockfile, O_RDWR | O_CREAT | O_EXCL, 0644)) != -1) { - /* Got the lock */ -- write(fd, (void *) &pid, sizeof(pid_t)); -- close(fd); -+ rc = write(fd, (void *) &pid, sizeof(pid_t)); -+ close(fd); -+ if (rc < 0) { -+ fprintf(stderr, ERROR_WRITING_LOCKFILE, lockfile); -+ return rc; -+ } - return 0; - } - select(0, NULL, NULL, NULL, &t); -diff --git a/ldap/servers/slapd/protect_db.h b/ldap/servers/slapd/protect_db.h -index 0f729a2..66adfb3 100644 ---- a/ldap/servers/slapd/protect_db.h -+++ b/ldap/servers/slapd/protect_db.h -@@ -26,6 +26,9 @@ void remove_slapd_process(); - #define ERROR_ACCESSING_LOCKFILE "Error - Problem accessing the lockfile %s\n" - /* name of lockfile */ - -+#define ERROR_WRITING_LOCKFILE "Error - Problem writing the lockfile %s\n" -+ /* name of lockfile */ -+ - #define LOCKFILE_DEAD_OWNER "Error - The lockfile, %s, is held by process %d,\nwhich no longer seems to be running. 
If this is\nthe case, please remove the lockfile\n" - /* name of lockfile, pid of owning process */ - -diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c -index eb68209..37175f4 100644 ---- a/ldap/servers/slapd/saslbind.c -+++ b/ldap/servers/slapd/saslbind.c -@@ -547,6 +547,9 @@ int ids_sasl_init(void) - LDAPDebug( LDAP_DEBUG_TRACE, "=> ids_sasl_init\n", 0, 0, 0 ); - - PR_ASSERT(inited == 0); -+ if (inited != 0) { -+ LDAPDebug0Args(LDAP_DEBUG_ANY, "ids_sasl_init is called more than once.\n"); -+ } - inited = 1; - - serverfqdn = get_localhost_DNS(); -diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c b/ldap/servers/slapd/tools/ldclt/ldapfct.c -index e13983d..f084cb4 100644 ---- a/ldap/servers/slapd/tools/ldclt/ldapfct.c -+++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c -@@ -2552,7 +2552,10 @@ int ldclt_write_genldif_nb; - void - ldclt_flush_genldif (void) - { -- write (mctx.genldifFile, ldclt_write_genldif_buf, ldclt_write_genldif_nb); -+ if (write (mctx.genldifFile, ldclt_write_genldif_buf, ldclt_write_genldif_nb) < 0) { -+ printf("ldclt[%d]: ldclt_flush_genldif: Failed to write (%s) error=%d\n", -+ mctx.pid, ldclt_write_genldif_buf, errno); -+ } - ldclt_write_genldif_pt = ldclt_write_genldif_buf; - ldclt_write_genldif_nb = 0; - } -diff --git a/ldap/servers/slapd/tools/ldif.c b/ldap/servers/slapd/tools/ldif.c -index 1050fbd..5973c6b 100644 ---- a/ldap/servers/slapd/tools/ldif.c -+++ b/ldap/servers/slapd/tools/ldif.c -@@ -132,7 +132,10 @@ int main( int argc, char **argv ) - free( buf ); - return( 1 ); - } -- (void)fgets(buf+curlen, maxlen/2 + 1, stdin); -+ if (NULL == fgets(buf+curlen, maxlen/2 + 1, stdin)) { -+ /* no more input to read. 
*/ -+ break; -+ } - } - /* we have a full line, chop potential newline and turn into ldif */ - if( buf[curlen-1] == '\n' ) -diff --git a/ldap/servers/slapd/tools/mmldif.c b/ldap/servers/slapd/tools/mmldif.c -index 1f846d0..ddfaf6c 100644 ---- a/ldap/servers/slapd/tools/mmldif.c -+++ b/ldap/servers/slapd/tools/mmldif.c -@@ -766,8 +766,7 @@ readrec(edfFILE * edf1, attrib1_t ** attrib) - while (*vptr == ' ') vptr++; /* skip optional spaces */ - b64 = initDec64((unsigned char *)att->value, 0x20000); - if (Dec64(b64, (unsigned char *) vptr)) { -- LDAPDebug(LDAP_DEBUG_TRACE, "%s\n invalid input line\n", -- line, 0, 0); -+ LDAPDebug(LDAP_DEBUG_TRACE, "%s\n invalid input line\n", line, 0, 0); - continue; /* invalid line, but we'll just skip it */ - } - toolong = FALSE; -@@ -775,7 +774,11 @@ readrec(edfFILE * edf1, attrib1_t ** attrib) - lookahead = fgetc(edf1->fp); - if (lookahead != ' ') - break; -- (void)fgets(line, sizeof(line), edf1->fp); -+ line[0] = '\0'; -+ if (NULL == fgets(line, sizeof(line), edf1->fp)) { -+ LDAPDebug0Args(LDAP_DEBUG_TRACE, "readrec: failed to read line\n"); -+ break; -+ } - len = strlen(line); - for (lptr = line+len-1; len; len--, lptr--) { - if ((*lptr != '\n') && (*lptr != '\r')) -@@ -785,16 +788,14 @@ readrec(edfFILE * edf1, attrib1_t ** attrib) - rc = Dec64(b64, (unsigned char *)line); - if (rc == -1) - { -- LDAPDebug(LDAP_DEBUG_TRACE, -- "%s\n invalid input line\n", line, 0, 0); -+ LDAPDebug(LDAP_DEBUG_TRACE, "%s\n invalid input line\n", line, 0, 0); - continue; /* invalid line, but we'll just skip it */ - } - - if (rc) { - if (!toolong) { - toolong = TRUE; -- LDAPDebug(LDAP_DEBUG_TRACE, -- "%s\n line too long\n", line, 0, 0); -+ LDAPDebug(LDAP_DEBUG_TRACE, "%s\n line too long\n", line, 0, 0); - } - continue; - } -@@ -813,7 +814,10 @@ readrec(edfFILE * edf1, attrib1_t ** attrib) - lookahead = fgetc(edf1->fp); - if (lookahead != ' ') - break; -- (void)fgets(line, sizeof(line), edf1->fp); -+ if (NULL == fgets(line, sizeof(line), edf1->fp)) { 
-+ LDAPDebug0Args(LDAP_DEBUG_TRACE, "readrec: failed to read line\n"); -+ break; -+ } - len = strlen(line); - for (lptr = line+len-1; len; len--, lptr--) { - if ((*lptr != '\n') && (*lptr != '\r')) -diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c -index a5327d1..1ebdf2e 100644 ---- a/ldap/servers/slapd/util.c -+++ b/ldap/servers/slapd/util.c -@@ -1592,7 +1592,9 @@ int util_info_sys_pages(size_t *pagesize, size_t *pages, size_t *procpages, size - return 1; - } - while (! feof(f)) { -- fgets(s, 79, f); -+ if (!fgets(s, 79, f)) { -+ break; /* error or eof */ -+ } - if (feof(f)) { - break; - } -@@ -1614,8 +1616,9 @@ int util_info_sys_pages(size_t *pagesize, size_t *pages, size_t *procpages, size - return 1; - } - while (! feof(fm)) { -- fgets(s, 79, fm); -- /* Is this really needed? */ -+ if (!fgets(s, 79, fm)) { -+ break; /* error or eof */ -+ } - if (feof(fm)) { - break; - } -diff --git a/ldap/servers/snmp/main.c b/ldap/servers/snmp/main.c -index 3f96627..ea5050b 100644 ---- a/ldap/servers/snmp/main.c -+++ b/ldap/servers/snmp/main.c -@@ -44,7 +44,7 @@ main (int argc, char *argv[]) { - netsnmp_log_handler *log_hdl = NULL; - int c, log_level = LOG_WARNING; - struct stat logdir_s; -- pid_t child_pid; -+ pid_t child_pid = 0; - FILE *pid_fp; - - /* Load options */ -@@ -74,7 +74,11 @@ main (int argc, char *argv[]) { - - /* check if we're already running as another process */ - if ((pid_fp = fopen(pidfile, "r")) != NULL) { -- fscanf(pid_fp, "%d", &child_pid); -+ int rc = fscanf(pid_fp, "%d", &child_pid); -+ if ((rc == 0) || (rc == EOF)) { -+ printf("ldap-agent: Failed to get pid from %s\n", pidfile); -+ exit(1); -+ } - fclose(pid_fp); - if (kill(child_pid, SIGUSR1) == 0) { - printf("ldap-agent: Already running as pid %d!\n", child_pid); -@@ -145,6 +149,7 @@ main (int argc, char *argv[]) { - /* run as a daemon */ - if (netsnmp_daemonize(0, 0)) { - int i; -+ int rc; - - /* sleep to allow pidfile to be created by child */ - for (i=0; i < 3; i++) { -@@ -159,7 
+164,11 @@ main (int argc, char *argv[]) { - exit(1); - } - -- fscanf(pid_fp, "%d", &child_pid); -+ rc = fscanf(pid_fp, "%d", &child_pid); -+ if ((rc == 0) || (rc == EOF)) { -+ printf("ldap-agent: Failed to get pid from %s\n", pidfile); -+ exit(1); -+ } - fclose(pid_fp); - printf("ldap-agent: Started as pid %d\n", child_pid); - exit(0); -diff --git a/lib/base/file.cpp b/lib/base/file.cpp -index 8c9274a..ad4333e 100644 ---- a/lib/base/file.cpp -+++ b/lib/base/file.cpp -@@ -38,7 +38,6 @@ extern "C" char *nscperror_lookup(int err); - /* PRFileDesc * SYS_ERROR_FD = NULL; */ - - const int errbuf_size = 256; --const unsigned int LOCKFILERANGE=0x7FFFFFFF; - PRLock *_atomic_write_lock = NULL; - - /* --------------------------------- stat --------------------------------- */ -diff --git a/lib/base/fsmutex.cpp b/lib/base/fsmutex.cpp -index e8f2aff..a0e30fd 100644 ---- a/lib/base/fsmutex.cpp -+++ b/lib/base/fsmutex.cpp -@@ -85,11 +85,15 @@ fsmutex_init(char *name, int number, int flags) - NSAPI_PUBLIC void - fsmutex_setowner(FSMUTEX fsm, uid_t uid, gid_t gid) - { -- if(!geteuid()) -- (void) chown( ((fsmutex_s *)fsm)->id, uid, gid); -+ if(!geteuid()) { -+ int rc = chown( ((fsmutex_s *)fsm)->id, uid, gid); -+ PR_ASSERT(rc == 0); -+ if (rc != 0 ) { -+ return; /* just to suppress compiler warning... */ -+ } -+ } - } - -- - /* -------------------------- fsmutex_terminate --------------------------- */ - - static void --- -2.4.11 - diff --git a/SOURCES/0010-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch b/SOURCES/0010-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch deleted file mode 100644 index 4f6a8b6..0000000 --- a/SOURCES/0010-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch +++ /dev/null 
@@ -1,1000 +0,0 @@ -From ef8228ad564f31992386bfc61553df8387d9e306 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Wed, 13 Jul 2016 14:49:18 -0700 -Subject: [PATCH 10/15] Bug 1347760 - CVE-2016-4992 389-ds-base: Information - disclosure via repeated use of LDAP ADD operation, etc. - -Description: If a bind user has no rights, it should not disclose -any information including the existence of the entry. - -Fix description: -1) ALREADY_EXISTS in add -- If to be added entry is found existing - in ldbm_back_add, it checks the ACI and if there is no rights, - it returns INSUFFICIENT_ACCESS instead of ALREADY_EXISTS. -2) NO_SUCH_OBJECT in other update operations -- If the target entry - is found not existing, it checks the ancestor entry's access - rights in find_entry. If it is not allowed to access the subtree, - it returns INSUFFICIENT_ACCESS instead of NO_SUC_OBJECT. Plus, - it supresses the "Matched" ancestor message. -3) NO_SUCH_OBJECT in search -- If a bind entry has no rights to read - a subtree, it returns no search results with SUCCESS. It should - be applied to the no existing subtree if the bind entry has no - rights to the super tree. -4) If bind fails because of the non-existence of the bind user or - the parent nodes, the bind returns LDAP_INVALID_CREDENTIALS to - the client with no other information. - The detailed cause is logged in the access log as follows: - RESULT err=49 .. etime=0 - No such suffix () - RESULT err=49 .. etime=0 - Invalid credentials - RESULT err=49 .. etime=0 - No such entry - -https://bugzilla.redhat.com/show_bug.cgi?id=1347760 - -Reviewed by lkrispen@redhat.com, mreynolds@redhat.com, and tbordaz@redhat.com. -Thank you!!! 
- -(cherry picked from commit 0b932d4b926d46ac5060f02617330dc444e06da1) ---- - ldap/servers/slapd/back-ldbm/dn2entry.c | 17 ++- - ldap/servers/slapd/back-ldbm/findentry.c | 139 +++++++++++++++++++------ - ldap/servers/slapd/back-ldbm/ldbm_add.c | 21 +++- - ldap/servers/slapd/back-ldbm/ldbm_bind.c | 11 +- - ldap/servers/slapd/back-ldbm/ldbm_compare.c | 2 +- - ldap/servers/slapd/back-ldbm/ldbm_delete.c | 9 +- - ldap/servers/slapd/back-ldbm/ldbm_modify.c | 18 ++-- - ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 15 +-- - ldap/servers/slapd/back-ldbm/ldbm_search.c | 2 +- - ldap/servers/slapd/back-ldbm/misc.c | 2 +- - ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 14 +-- - ldap/servers/slapd/back-ldbm/vlv_srch.c | 2 +- - ldap/servers/slapd/bind.c | 75 ++++++------- - ldap/servers/slapd/defbackend.c | 82 ++++++++++++++- - ldap/servers/slapd/result.c | 16 ++- - 15 files changed, 311 insertions(+), 114 deletions(-) - -diff --git a/ldap/servers/slapd/back-ldbm/dn2entry.c b/ldap/servers/slapd/back-ldbm/dn2entry.c -index 6d1d92f..7656688 100644 ---- a/ldap/servers/slapd/back-ldbm/dn2entry.c -+++ b/ldap/servers/slapd/back-ldbm/dn2entry.c -@@ -151,14 +151,15 @@ struct backentry * - dn2ancestor( - Slapi_Backend *be, - const Slapi_DN *sdn, -- Slapi_DN *ancestordn, -+ Slapi_DN *ancestordn, - back_txn *txn, -- int *err -+ int *err, -+ int allow_suffix - ) - { -- struct backentry *e = NULL; -+ struct backentry *e = NULL; - -- LDAPDebug( LDAP_DEBUG_TRACE, "=> dn2ancestor \"%s\"\n", slapi_sdn_get_dn(sdn), 0, 0 ); -+ LDAPDebug( LDAP_DEBUG_TRACE, "=> dn2ancestor \"%s\"\n", slapi_sdn_get_dn(sdn), 0, 0 ); - - /* first, check to see if the given sdn is empty or a root suffix of the - given backend - if so, it has no parent */ -@@ -190,7 +191,13 @@ dn2ancestor( - */ - - /* stop when we get to "", or a backend suffix point */ -- while (!e && !slapi_sdn_isempty(&ancestorndn) && !slapi_be_issuffix( be, &ancestorndn )) { -+ while (!e && !slapi_sdn_isempty(&ancestorndn)) { -+ if (!allow_suffix) 
{ -+ /* Original behavior. */ -+ if (slapi_be_issuffix(be, &ancestorndn)) { -+ break; -+ } -+ } - /* find the entry - it uses the ndn, so no further conversion is necessary */ - e= dn2entry(be,&ancestorndn,txn,err); - if (!e) { -diff --git a/ldap/servers/slapd/back-ldbm/findentry.c b/ldap/servers/slapd/back-ldbm/findentry.c -index 4a574bf..8b842e3 100644 ---- a/ldap/servers/slapd/back-ldbm/findentry.c -+++ b/ldap/servers/slapd/back-ldbm/findentry.c -@@ -16,8 +16,8 @@ - #include "back-ldbm.h" - - --static struct backentry *find_entry_internal_dn(Slapi_PBlock *pb, backend *be, const Slapi_DN *sdn, int lock, back_txn *txn, int flags); --static struct backentry * find_entry_internal(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, int lock, back_txn *txn, int flags); -+static struct backentry *find_entry_internal_dn(Slapi_PBlock *pb, backend *be, const Slapi_DN *sdn, int lock, back_txn *txn, int flags, int *rc); -+static struct backentry * find_entry_internal(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, int lock, back_txn *txn, int flags, int *rc); - /* The flags take these values */ - #define FE_TOMBSTONE_INCLUDED TOMBSTONE_INCLUDED /* :1 defined in back-ldbm.h */ - #define FE_REALLY_INTERNAL 0x2 -@@ -27,7 +27,7 @@ check_entry_for_referral(Slapi_PBlock *pb, Slapi_Entry *entry, char *matched, co - { - int rc=0, i=0, numValues=0; - Slapi_Attr *attr; -- Slapi_Value *val=NULL; -+ Slapi_Value *val=NULL; - struct berval **refscopy=NULL; - struct berval **url=NULL; - -@@ -80,12 +80,13 @@ out: - - static struct backentry * - find_entry_internal_dn( -- Slapi_PBlock *pb, -+ Slapi_PBlock *pb, - backend *be, - const Slapi_DN *sdn, - int lock, -- back_txn *txn, -- int flags -+ back_txn *txn, -+ int flags, -+ int *rc /* return code */ - ) - { - struct backentry *e; -@@ -93,9 +94,14 @@ find_entry_internal_dn( - int err; - ldbm_instance *inst = (ldbm_instance *) be->be_instance_info; - size_t tries = 0; -+ int isroot = 0; -+ int op_type; -+ char 
*errbuf = NULL; - - /* get the managedsait ldap message control */ -- slapi_pblock_get( pb, SLAPI_MANAGEDSAIT, &managedsait ); -+ slapi_pblock_get(pb, SLAPI_MANAGEDSAIT, &managedsait); -+ slapi_pblock_get(pb, SLAPI_REQUESTOR_ISROOT, &isroot); -+ slapi_pblock_get(pb, SLAPI_OPERATION_TYPE, &op_type); - - while ( (tries < LDBM_CACHE_RETRY_COUNT) && - (e = dn2entry_ext( be, sdn, txn, flags & TOMBSTONE_INCLUDED, &err )) -@@ -113,6 +119,9 @@ find_entry_internal_dn( - if(check_entry_for_referral(pb, e->ep_entry, NULL, "find_entry_internal_dn")) - { - CACHE_RETURN( &inst->inst_cache, &e ); -+ if (rc) { /* if check_entry_for_referral returns non-zero, result is sent. */ -+ *rc = FE_RC_SENT_RESULT; -+ } - return( NULL ); - } - } -@@ -151,27 +160,89 @@ find_entry_internal_dn( - struct backentry *me; - Slapi_DN ancestorsdn; - slapi_sdn_init(&ancestorsdn); -- me= dn2ancestor(pb->pb_backend,sdn,&ancestorsdn,txn,&err); -+ me = dn2ancestor(pb->pb_backend, sdn, &ancestorsdn, txn, &err, 1 /* allow_suffix */); - if ( !managedsait && me != NULL ) { - /* if the entry is a referral send the referral */ - if(check_entry_for_referral(pb, me->ep_entry, (char*)slapi_sdn_get_dn(&ancestorsdn), "find_entry_internal_dn")) - { - CACHE_RETURN( &inst->inst_cache, &me ); - slapi_sdn_done(&ancestorsdn); -+ if (rc) { /* if check_entry_for_referral returns non-zero, result is sent. */ -+ *rc = FE_RC_SENT_RESULT; -+ } - return( NULL ); - } - /* else fall through to no such object */ - } - - /* entry not found */ -- slapi_send_ldap_result( pb, ( 0 == err || DB_NOTFOUND == err ) ? -- LDAP_NO_SUCH_OBJECT : ( LDAP_INVALID_DN_SYNTAX == err ) ? -- LDAP_INVALID_DN_SYNTAX : LDAP_OPERATIONS_ERROR, -- (char*)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL ); -+ if ((0 == err) || (DB_NOTFOUND == err)) { -+ if (me && !isroot) { -+ /* If not root, you may not want to reveal it. 
*/ -+ int acl_type = -1; -+ int return_err = LDAP_NO_SUCH_OBJECT; -+ err = LDAP_SUCCESS; -+ switch (op_type) { -+ case SLAPI_OPERATION_ADD: -+ acl_type = SLAPI_ACL_ADD; -+ return_err = LDAP_INSUFFICIENT_ACCESS; -+ break; -+ case SLAPI_OPERATION_DELETE: -+ acl_type = SLAPI_ACL_DELETE; -+ return_err = LDAP_INSUFFICIENT_ACCESS; -+ break; -+ case SLAPI_OPERATION_MODDN: -+ acl_type = SLAPI_ACL_MODDN; -+ return_err = LDAP_INSUFFICIENT_ACCESS; -+ break; -+ case SLAPI_OPERATION_MODIFY: -+ acl_type = SLAPI_ACL_WRITE; -+ return_err = LDAP_INSUFFICIENT_ACCESS; -+ break; -+ case SLAPI_OPERATION_SEARCH: -+ case SLAPI_OPERATION_COMPARE: -+ return_err = LDAP_SUCCESS; -+ acl_type = SLAPI_ACL_READ; -+ break; -+ case SLAPI_OPERATION_BIND: -+ acl_type = -1; /* skip acl check. acl is not set up for bind. */ -+ return_err = LDAP_INVALID_CREDENTIALS; -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "No such entry"); -+ break; -+ } -+ if (acl_type > 0) { -+ err = plugin_call_acl_plugin(pb, me->ep_entry, NULL, NULL, acl_type, -+ ACLPLUGIN_ACCESS_DEFAULT, &errbuf); -+ } -+ if (((acl_type > 0) && err) || (op_type == SLAPI_OPERATION_BIND)) { -+ /* -+ * Operations to be checked && ACL returns disallow. -+ * Not to disclose the info about the entry's existence, -+ * do not return the "matched" DN. -+ * Plus, the bind case returns LDAP_INAPPROPRIATE_AUTH. -+ */ -+ slapi_send_ldap_result(pb, return_err, NULL, NULL, 0, NULL); -+ } else { -+ slapi_send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, -+ (char*)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL); -+ } -+ } else { -+ slapi_send_ldap_result( pb, LDAP_NO_SUCH_OBJECT, -+ (char*)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL); -+ } -+ } else { -+ slapi_send_ldap_result( pb, ( LDAP_INVALID_DN_SYNTAX == err ) ? 
-+ LDAP_INVALID_DN_SYNTAX : LDAP_OPERATIONS_ERROR, -+ (char*)slapi_sdn_get_dn(&ancestorsdn), NULL, 0, NULL ); -+ } -+ if (rc) { -+ *rc = FE_RC_SENT_RESULT; -+ } - slapi_sdn_done(&ancestorsdn); - CACHE_RETURN( &inst->inst_cache, &me ); - } - -+ slapi_ch_free_string(&errbuf); - LDAPDebug( LDAP_DEBUG_TRACE, "<= find_entry_internal_dn not found (%s)\n", - slapi_sdn_get_dn(sdn), 0, 0 ); - return( NULL ); -@@ -183,11 +254,11 @@ find_entry_internal_dn( - */ - static struct backentry * - find_entry_internal_uniqueid( -- Slapi_PBlock *pb, -+ Slapi_PBlock *pb, - backend *be, -- const char *uniqueid, -+ const char *uniqueid, - int lock, -- back_txn *txn -+ back_txn *txn - ) - { - ldbm_instance *inst = (ldbm_instance *) be->be_instance_info; -@@ -243,8 +314,9 @@ find_entry_internal( - Slapi_Backend *be, - const entry_address *addr, - int lock, -- back_txn *txn, -- int flags -+ back_txn *txn, -+ int flags, -+ int *rc - ) - { - /* check if we should search based on uniqueid or dn */ -@@ -261,11 +333,9 @@ find_entry_internal( - LDAPDebug( LDAP_DEBUG_TRACE, "=> find_entry_internal (dn=%s) lock %d\n", - slapi_sdn_get_dn(addr->sdn), lock, 0 ); - if (addr->sdn) { -- entry = find_entry_internal_dn (pb, be, addr->sdn, -- lock, txn, flags); -+ entry = find_entry_internal_dn (pb, be, addr->sdn, lock, txn, flags, rc); - } else { -- LDAPDebug0Args( LDAP_DEBUG_ANY, -- "find_entry_internal: Null target dn\n" ); -+ LDAPDebug0Args( LDAP_DEBUG_ANY, "find_entry_internal: Null target dn\n" ); - } - - LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= find_entry_internal\n" ); -@@ -278,10 +348,11 @@ find_entry( - Slapi_PBlock *pb, - Slapi_Backend *be, - const entry_address *addr, -- back_txn *txn -+ back_txn *txn, -+ int *rc - ) - { -- return( find_entry_internal( pb, be, addr, 0/*!lock*/, txn, 0/*flags*/ ) ); -+ return(find_entry_internal(pb, be, addr, 0/*!lock*/, txn, 0/*flags*/, rc)); - } - - struct backentry * -@@ -289,10 +360,11 @@ find_entry2modify( - Slapi_PBlock *pb, - Slapi_Backend *be, - const 
entry_address *addr, -- back_txn *txn -+ back_txn *txn, -+ int *rc - ) - { -- return( find_entry_internal( pb, be, addr, 1/*lock*/, txn, 0/*flags*/ ) ); -+ return(find_entry_internal(pb, be, addr, 1/*lock*/, txn, 0/*flags*/, rc)); - } - - /* New routines which do not do any referral stuff. -@@ -304,10 +376,11 @@ find_entry_only( - Slapi_PBlock *pb, - Slapi_Backend *be, - const entry_address *addr, -- back_txn *txn -+ back_txn *txn, -+ int *rc - ) - { -- return( find_entry_internal( pb, be, addr, 0/*!lock*/, txn, FE_REALLY_INTERNAL ) ); -+ return(find_entry_internal(pb, be, addr, 0/*!lock*/, txn, FE_REALLY_INTERNAL, rc)); - } - - struct backentry * -@@ -315,10 +388,11 @@ find_entry2modify_only( - Slapi_PBlock *pb, - Slapi_Backend *be, - const entry_address *addr, -- back_txn *txn -+ back_txn *txn, -+ int *rc - ) - { -- return( find_entry_internal( pb, be, addr, 1/*lock*/, txn, FE_REALLY_INTERNAL ) ); -+ return(find_entry_internal(pb, be, addr, 1/*lock*/, txn, 0 /* to check aci, disable INTERNAL */, rc)); - } - - struct backentry * -@@ -327,10 +401,9 @@ find_entry2modify_only_ext( - Slapi_Backend *be, - const entry_address *addr, - int flags, -- back_txn *txn -- -+ back_txn *txn, -+ int *rc - ) - { -- return( find_entry_internal( pb, be, addr, 1/*lock*/, txn, -- FE_REALLY_INTERNAL | flags )); -+ return(find_entry_internal(pb, be, addr, 1/*lock*/, txn, FE_REALLY_INTERNAL | flags, rc)); - } -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c -index 7eb8fe9..f462376 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_add.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c -@@ -93,6 +93,7 @@ ldbm_back_add( Slapi_PBlock *pb ) - int myrc = 0; - PRUint64 conn_id; - int op_id; -+ int result_sent = 0; - if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) { - conn_id = 0; /* connection is NULL */ - } -@@ -379,7 +380,7 @@ ldbm_back_add( Slapi_PBlock *pb ) - addr.sdn = &parentsdn; - addr.udn = NULL; - addr.uniqueid = 
operation->o_params.p.p_add.parentuniqueid; -- parententry = find_entry2modify_only(pb,be,&addr,&txn); -+ parententry = find_entry2modify_only(pb, be, &addr, &txn, &result_sent); - if (parententry && parententry->ep_entry) { - if (!operation->o_params.p.p_add.parentuniqueid){ - /* Set the parentuniqueid now */ -@@ -431,6 +432,14 @@ ldbm_back_add( Slapi_PBlock *pb ) - /* The entry already exists */ - ldap_result_code = LDAP_ALREADY_EXISTS; - } -+ if ((LDAP_ALREADY_EXISTS == ldap_result_code) && !isroot && !is_replicated_operation) { -+ myrc = plugin_call_acl_plugin(pb, e, NULL, NULL, SLAPI_ACL_ADD, -+ ACLPLUGIN_ACCESS_DEFAULT, &errbuf); -+ if (myrc) { -+ ldap_result_code = myrc; -+ ldap_result_message = errbuf; -+ } -+ } - goto error_return; - } - else -@@ -447,7 +456,7 @@ ldbm_back_add( Slapi_PBlock *pb ) - Slapi_DN ancestorsdn; - struct backentry *ancestorentry; - slapi_sdn_init(&ancestorsdn); -- ancestorentry= dn2ancestor(pb->pb_backend,sdn,&ancestorsdn,&txn,&err); -+ ancestorentry = dn2ancestor(pb->pb_backend, sdn, &ancestorsdn, &txn, &err, 0); - slapi_sdn_done(&ancestorsdn); - if ( ancestorentry != NULL ) - { -@@ -495,7 +504,7 @@ ldbm_back_add( Slapi_PBlock *pb ) - addr.udn = NULL; - addr.sdn = NULL; - addr.uniqueid = (char *)slapi_entry_get_uniqueid(e); /* jcm - cast away const */ -- tombstoneentry = find_entry2modify( pb, be, &addr, &txn ); -+ tombstoneentry = find_entry2modify(pb, be, &addr, &txn, &result_sent); - if ( tombstoneentry==NULL ) - { - ldap_result_code= -1; -@@ -712,7 +721,7 @@ ldbm_back_add( Slapi_PBlock *pb ) - LDAPDebug1Arg(LDAP_DEBUG_BACKLDBM, "ldbm_add: Parent \"%s\" does not exist. 
" - "It might be a conflict entry.\n", slapi_sdn_get_dn(&parentsdn)); - slapi_sdn_init(&ancestorsdn); -- ancestorentry = dn2ancestor(be, &parentsdn, &ancestorsdn, &txn, &err ); -+ ancestorentry = dn2ancestor(be, &parentsdn, &ancestorsdn, &txn, &err, 1); - CACHE_RETURN( &inst->inst_cache, &ancestorentry ); - - ldap_result_code= LDAP_NO_SUCH_OBJECT; -@@ -1349,7 +1358,9 @@ common_return: - * And we don't want the supplier to halt sending the updates. */ - ldap_result_code = LDAP_SUCCESS; - } -- slapi_send_ldap_result( pb, ldap_result_code, ldap_result_matcheddn, ldap_result_message, 0, NULL ); -+ if (!result_sent) { -+ slapi_send_ldap_result(pb, ldap_result_code, ldap_result_matcheddn, ldap_result_message, 0, NULL); -+ } - } - backentry_free(&originalentry); - backentry_free(&tmpentry); -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_bind.c b/ldap/servers/slapd/back-ldbm/ldbm_bind.c -index ea0df33..99a0818 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_bind.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_bind.c -@@ -29,6 +29,7 @@ ldbm_back_bind( Slapi_PBlock *pb ) - entry_address *addr; - back_txn txn = {NULL}; - int rc = SLAPI_BIND_SUCCESS; -+ int result_sent = 0; - - /* get parameters */ - slapi_pblock_get( pb, SLAPI_BACKEND, &be ); -@@ -63,8 +64,12 @@ ldbm_back_bind( Slapi_PBlock *pb ) - * find the target entry. find_entry() takes care of referrals - * and sending errors if the entry does not exist. - */ -- if (( e = find_entry( pb, be, addr, &txn )) == NULL ) { -+ if ((e = find_entry( pb, be, addr, &txn, &result_sent)) == NULL) { - rc = SLAPI_BIND_FAIL; -+ /* In the failure case, the result is supposed to be sent in the backend. 
*/ -+ if (!result_sent) { -+ slapi_send_ldap_result(pb, LDAP_INAPPROPRIATE_AUTH, NULL, NULL, 0, NULL); -+ } - goto bail; - } - -@@ -82,8 +87,8 @@ ldbm_back_bind( Slapi_PBlock *pb ) - bvals= attr_get_present_values(attr); - slapi_value_init_berval(&cv,cred); - if ( slapi_pw_find_sv( bvals, &cv ) != 0 ) { -- slapi_send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL, -- NULL, 0, NULL ); -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials"); -+ slapi_send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL ); - CACHE_RETURN( &inst->inst_cache, &e ); - value_done(&cv); - rc = SLAPI_BIND_FAIL; -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_compare.c b/ldap/servers/slapd/back-ldbm/ldbm_compare.c -index e52cd6c..e9973a9 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_compare.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_compare.c -@@ -56,7 +56,7 @@ ldbm_back_compare( Slapi_PBlock *pb ) - /* get the namespace dn */ - namespace_dn = (Slapi_DN*)slapi_be_getsuffix(be, 0); - -- if ( (e = find_entry( pb, be, addr, &txn )) == NULL ) { -+ if ((e = find_entry(pb, be, addr, &txn, NULL)) == NULL) { - ret = -1; /* error result sent by find_entry() */ - goto bail; - } -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c -index 5b24af2..f801e01 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c -@@ -77,6 +77,7 @@ ldbm_back_delete( Slapi_PBlock *pb ) - int op_id; - ID ep_id = 0; - ID tomb_ep_id = 0; -+ int result_sent = 0; - - if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) { - conn_id = 0; /* connection is NULL */ -@@ -266,7 +267,7 @@ ldbm_back_delete( Slapi_PBlock *pb ) - * deleted. That is, the entry 'e' found with "addr" is a tomb- - * stone. If it is the case, we need to back off. 
- */ -- if ( (e = find_entry2modify( pb, be, addr, &txn )) == NULL ) -+ if ((e = find_entry2modify(pb, be, addr, &txn, &result_sent)) == NULL) - { - ldap_result_code= LDAP_NO_SUCH_OBJECT; - retval = -1; -@@ -507,7 +508,7 @@ ldbm_back_delete( Slapi_PBlock *pb ) - parent_addr.uniqueid = NULL; - } - parent_addr.sdn = &parentsdn; -- parent = find_entry2modify_only_ext(pb, be, &parent_addr, TOMBSTONE_INCLUDED, &txn); -+ parent = find_entry2modify_only_ext(pb, be, &parent_addr, TOMBSTONE_INCLUDED, &txn, &result_sent); - } - if (parent) { - int isglue; -@@ -1466,7 +1467,9 @@ diskfull_return: - * And we don't want the supplier to halt sending the updates. */ - ldap_result_code = LDAP_SUCCESS; - } -- slapi_send_ldap_result( pb, ldap_result_code, NULL, ldap_result_message, 0, NULL ); -+ if (!result_sent) { -+ slapi_send_ldap_result( pb, ldap_result_code, NULL, ldap_result_message, 0, NULL ); -+ } - } - slapi_log_error(SLAPI_LOG_BACKLDBM, "ldbm_back_delete", - "conn=%lu op=%d modify_term: old_entry=0x%p, new_entry=0x%p, in_cache=%d\n", -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c -index 9b3062c..34d9861 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c -@@ -392,6 +392,7 @@ ldbm_back_modify( Slapi_PBlock *pb ) - int not_an_error = 0; - int fixup_tombstone = 0; - int ec_locked = 0; -+ int result_sent = 0; - - slapi_pblock_get( pb, SLAPI_BACKEND, &be); - slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li ); -@@ -466,12 +467,12 @@ ldbm_back_modify( Slapi_PBlock *pb ) - if ( MANAGE_ENTRY_BEFORE_DBLOCK(li)) { - /* find and lock the entry we are about to modify */ - if (fixup_tombstone) { -- e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn ); -+ e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn, &result_sent ); - } else { -- e = find_entry2modify( pb, be, addr, &txn ); -+ e = find_entry2modify( pb, be, addr, &txn, &result_sent ); - 
} - if (e == NULL) { -- ldap_result_code= -1; -+ ldap_result_code = -1; - goto error_return; /* error result sent by find_entry2modify() */ - } - } -@@ -551,12 +552,12 @@ ldbm_back_modify( Slapi_PBlock *pb ) - if ( !MANAGE_ENTRY_BEFORE_DBLOCK(li)) { - /* find and lock the entry we are about to modify */ - if (fixup_tombstone) { -- e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn ); -+ e = find_entry2modify_only_ext( pb, be, addr, TOMBSTONE_INCLUDED, &txn, &result_sent ); - } else { -- e = find_entry2modify( pb, be, addr, &txn ); -+ e = find_entry2modify( pb, be, addr, &txn, &result_sent ); - } - if (e == NULL) { -- ldap_result_code= -1; -+ ldap_result_code = -1; - goto error_return; /* error result sent by find_entry2modify() */ - } - } -@@ -966,7 +967,10 @@ common_return: - * And we don't want the supplier to halt sending the updates. */ - ldap_result_code = LDAP_SUCCESS; - } -- slapi_send_ldap_result( pb, ldap_result_code, NULL, ldap_result_message, 0, NULL ); -+ if (!result_sent) { -+ /* result is already sent in find_entry. */ -+ slapi_send_ldap_result( pb, ldap_result_code, NULL, ldap_result_message, 0, NULL ); -+ } - } - - /* free our backups */ -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c -index c0cd2ab..f934305 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c -@@ -95,6 +95,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb ) - int myrc = 0; - PRUint64 conn_id; - int op_id; -+ int result_sent = 0; - if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) { - conn_id = 0; /* connection is NULL */ - } -@@ -474,7 +475,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb ) - /* find and lock the entry we are about to modify */ - /* JCMREPL - Argh, what happens about the stinking referrals? 
*/ - slapi_pblock_get (pb, SLAPI_TARGET_ADDRESS, &old_addr); -- e = find_entry2modify( pb, be, old_addr, &txn ); -+ e = find_entry2modify(pb, be, old_addr, &txn, &result_sent); - if ( e == NULL ) - { - ldap_result_code= -1; -@@ -510,7 +511,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb ) - } else { - oldparent_addr.uniqueid = NULL; - } -- parententry = find_entry2modify_only( pb, be, &oldparent_addr, &txn ); -+ parententry = find_entry2modify_only(pb, be, &oldparent_addr, &txn, &result_sent); - modify_init(&parent_modify_context,parententry); - - /* Fetch and lock the new parent of the entry that is moving */ -@@ -520,7 +521,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb ) - if (is_resurect_operation) { - newsuperior_addr->uniqueid = slapi_entry_attr_get_charptr(e->ep_entry, SLAPI_ATTR_VALUE_PARENT_UNIQUEID); - } -- newparententry = find_entry2modify_only( pb, be, newsuperior_addr, &txn ); -+ newparententry = find_entry2modify_only(pb, be, newsuperior_addr, &txn, &result_sent); - slapi_ch_free_string(&newsuperior_addr->uniqueid); - modify_init(&newparent_modify_context,newparententry); - } -@@ -581,7 +582,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb ) - Slapi_DN ancestorsdn; - struct backentry *ancestorentry; - slapi_sdn_init(&ancestorsdn); -- ancestorentry= dn2ancestor(be,&dn_newdn,&ancestorsdn,&txn,&err); -+ ancestorentry = dn2ancestor(be, &dn_newdn, &ancestorsdn, &txn, &err, 0); - CACHE_RETURN( &inst->inst_cache, &ancestorentry ); - ldap_result_matcheddn= slapi_ch_strdup((char *) slapi_sdn_get_dn(&ancestorsdn)); - ldap_result_code= LDAP_NO_SUCH_OBJECT; -@@ -1486,8 +1487,10 @@ common_return: - * And we don't want the supplier to halt sending the updates. 
*/ - ldap_result_code = LDAP_SUCCESS; - } -- slapi_send_ldap_result( pb, ldap_result_code, ldap_result_matcheddn, -- ldap_result_message, 0,NULL ); -+ if (!result_sent) { -+ slapi_send_ldap_result(pb, ldap_result_code, ldap_result_matcheddn, -+ ldap_result_message, 0, NULL); -+ } - } - slapi_mods_done(&smods_operation_wsi); - slapi_mods_done(&smods_generated); -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c -index 535529c..cda1714 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_search.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c -@@ -584,7 +584,7 @@ ldbm_back_search( Slapi_PBlock *pb ) - } - else - { -- if ( ( e = find_entry( pb, be, addr, &txn )) == NULL ) -+ if ((e = find_entry(pb, be, addr, &txn, NULL)) == NULL) - { - /* error or referral sent by find_entry */ - return ldbm_back_search_cleanup(pb, li, sort_control, -diff --git a/ldap/servers/slapd/back-ldbm/misc.c b/ldap/servers/slapd/back-ldbm/misc.c -index 77c1e70..516b32d 100644 ---- a/ldap/servers/slapd/back-ldbm/misc.c -+++ b/ldap/servers/slapd/back-ldbm/misc.c -@@ -412,7 +412,7 @@ ldbm_txn_ruv_modify_context( Slapi_PBlock *pb, modify_context *mc ) - - /* Note: if we find the bentry, it will stay locked until someone calls - * modify_term on the mc we'll be associating the bentry with */ -- bentry = find_entry2modify_only( pb, be, &bentry_addr, &txn ); -+ bentry = find_entry2modify_only(pb, be, &bentry_addr, &txn, NULL); - - if (NULL == bentry) { - /* Uh oh, we couldn't find and lock the RUV entry! 
*/ -diff --git a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h -index 86e2237..8c813dd 100644 ---- a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h -+++ b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h -@@ -174,7 +174,7 @@ int ldbm_back_ctrl_info(Slapi_Backend *be, int cmd, void *info); - struct backentry *dn2entry(Slapi_Backend *be, const Slapi_DN *sdn, back_txn *txn, int *err); - struct backentry *dn2entry_ext(Slapi_Backend *be, const Slapi_DN *sdn, back_txn *txn, int flags, int *err); - struct backentry *dn2entry_or_ancestor(Slapi_Backend *be, const Slapi_DN *sdn, Slapi_DN *ancestor, back_txn *txn, int *err); --struct backentry *dn2ancestor(Slapi_Backend *be,const Slapi_DN *sdn,Slapi_DN *ancestordn,back_txn *txn,int *err); -+struct backentry *dn2ancestor(Slapi_Backend *be,const Slapi_DN *sdn,Slapi_DN *ancestordn,back_txn *txn,int *err, int allow_suffix); - int get_copy_of_entry(Slapi_PBlock *pb, const entry_address *addr, back_txn *txn, int plock_parameter, int must_exist); - int get_copy_of_entry_ext(Slapi_PBlock *pb, ID id, const entry_address *addr, back_txn *txn, int plock_parameter, int must_exist); - void done_with_pblock_entry(Slapi_PBlock *pb, int plock_parameter); -@@ -194,11 +194,13 @@ IDList * filter_candidates_ext( Slapi_PBlock *pb, backend *be, const char *base, - /* - * findentry.c - */ --struct backentry * find_entry2modify( Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn ); --struct backentry * find_entry( Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn ); --struct backentry * find_entry2modify_only( Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn); --struct backentry * find_entry2modify_only_ext( Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, int flags, back_txn *txn); --struct backentry * find_entry_only( Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn); -+/* 
Return code */ -+#define FE_RC_SENT_RESULT 1 -+struct backentry *find_entry2modify(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn, int *rc); -+struct backentry *find_entry(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn, int *rc); -+struct backentry *find_entry2modify_only(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn, int *rc); -+struct backentry *find_entry2modify_only_ext(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, int flags, back_txn *txn, int *rc); -+struct backentry *find_entry_only(Slapi_PBlock *pb, Slapi_Backend *be, const entry_address *addr, back_txn *txn, int *rc); - int check_entry_for_referral(Slapi_PBlock *pb, Slapi_Entry *entry, char *matched, const char *callingfn); - - /* -diff --git a/ldap/servers/slapd/back-ldbm/vlv_srch.c b/ldap/servers/slapd/back-ldbm/vlv_srch.c -index fcd0c2d..df378211 100644 ---- a/ldap/servers/slapd/back-ldbm/vlv_srch.c -+++ b/ldap/servers/slapd/back-ldbm/vlv_srch.c -@@ -162,7 +162,7 @@ vlvSearch_init(struct vlvSearch* p, Slapi_PBlock *pb, const Slapi_Entry *e, ldbm - - addr.sdn = p->vlv_base; - addr.uniqueid = NULL; -- e = find_entry( pb, inst->inst_be, &addr, &txn ); -+ e = find_entry(pb, inst->inst_be, &addr, &txn, NULL); - /* Check to see if the entry is absent. If it is, mark this search - * as not initialized */ - if (NULL == e) { -diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c -index 1ffec4e..b441615 100644 ---- a/ldap/servers/slapd/bind.c -+++ b/ldap/servers/slapd/bind.c -@@ -438,8 +438,8 @@ do_bind( Slapi_PBlock *pb ) - * to an LDAP DN, fail and return an invalidCredentials error. 
- */ - if ( NULL == pb->pb_conn->c_external_dn ) { -- send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL, -- "client certificate mapping failed", 0, NULL ); -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Client certificate mapping failed"); -+ send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL); - /* call postop plugins */ - plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN ); - goto free_and_return; -@@ -556,33 +556,32 @@ do_bind( Slapi_PBlock *pb ) - /* Check if simple binds are allowed over an insecure channel. We only check - * this for authenticated binds. */ - } else if (config_get_require_secure_binds() == 1) { -- Connection *conn = NULL; -- int sasl_ssf = 0; -- int local_ssf = 0; -- -- /* Allow simple binds only for SSL/TLS established connections -- * or connections using SASL privacy layers */ -- conn = pb->pb_conn; -- if ( slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) { -- slapi_log_error( SLAPI_LOG_PLUGIN, "do_bind", -- "Could not get SASL SSF from connection\n" ); -- sasl_ssf = 0; -- } -+ Connection *conn = NULL; -+ int sasl_ssf = 0; -+ int local_ssf = 0; -+ -+ /* Allow simple binds only for SSL/TLS established connections -+ * or connections using SASL privacy layers */ -+ conn = pb->pb_conn; -+ if ( slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) { -+ slapi_log_error( SLAPI_LOG_PLUGIN, "do_bind", -+ "Could not get SASL SSF from connection\n" ); -+ sasl_ssf = 0; -+ } - -- if ( slapi_pblock_get(pb, SLAPI_CONN_LOCAL_SSF, &local_ssf) != 0) { -- slapi_log_error( SLAPI_LOG_PLUGIN, "do_bind", -- "Could not get local SSF from connection\n" ); -- local_ssf = 0; -- } -+ if ( slapi_pblock_get(pb, SLAPI_CONN_LOCAL_SSF, &local_ssf) != 0) { -+ slapi_log_error( SLAPI_LOG_PLUGIN, "do_bind", -+ "Could not get local SSF from connection\n" ); -+ local_ssf = 0; -+ } - -- if (((conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) && -- (sasl_ssf <= 1) && (local_ssf <= 1)) { -- send_ldap_result(pb, LDAP_CONFIDENTIALITY_REQUIRED, NULL, 
-- "Operation requires a secure connection", -- 0, NULL); -- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors); -- goto free_and_return; -- } -+ if (((conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) && -+ (sasl_ssf <= 1) && (local_ssf <= 1)) { -+ send_ldap_result(pb, LDAP_CONFIDENTIALITY_REQUIRED, NULL, -+ "Operation requires a secure connection", 0, NULL); -+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors); -+ goto free_and_return; -+ } - } - break; - default: -@@ -627,6 +626,7 @@ do_bind( Slapi_PBlock *pb ) - /* - * right dn, wrong passwd - reject with invalid credentials - */ -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "Invalid credentials"); - send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL ); - /* increment BindSecurityErrorcount */ - slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors); -@@ -686,7 +686,8 @@ do_bind( Slapi_PBlock *pb ) - slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &pb_sdn); - if (!pb_sdn) { - slapi_create_errormsg(errorbuf, sizeof(errorbuf), "Pre-bind plug-in set NULL dn\n"); -- send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, errorbuf, 0, NULL); -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errorbuf); -+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "", 0, NULL); - goto free_and_return; - } else if ((pb_sdn != sdn) || (sdn_updated = slapi_sdn_compare(original_sdn, pb_sdn))) { - /* -@@ -696,8 +697,10 @@ do_bind( Slapi_PBlock *pb ) - sdn = pb_sdn; - dn = slapi_sdn_get_dn(sdn); - if (!dn) { -- slapi_create_errormsg(errorbuf, sizeof(errorbuf), "Pre-bind plug-in set corrupted dn\n"); -- send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, errorbuf, 0, NULL); -+ char *udn = slapi_sdn_get_udn(sdn); -+ slapi_create_errormsg(errorbuf, sizeof(errorbuf), "Pre-bind plug-in set corrupted dn %s\n", udn?udn:""); -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errorbuf); -+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "", 0, NULL); - goto 
free_and_return; - } - if (!sdn_updated) { /* pb_sdn != sdn; need to compare the dn's. */ -@@ -711,7 +714,8 @@ do_bind( Slapi_PBlock *pb ) - slapi_pblock_set( pb, SLAPI_BACKEND, be ); - } else { - slapi_create_errormsg(errorbuf, sizeof(errorbuf), "No matching backend for %s\n", dn); -- send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, errorbuf, 0, NULL); -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errorbuf); -+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "", 0, NULL); - goto free_and_return; - } - } -@@ -790,7 +794,8 @@ do_bind( Slapi_PBlock *pb ) - goto account_locked; - } - } else { -- send_ldap_result(pb, LDAP_NO_SUCH_OBJECT, NULL, "", 0, NULL); -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "No such entry"); -+ send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL); - goto free_and_return; - } - } -@@ -850,8 +855,7 @@ account_locked: - * the front end. - */ - if ( rc == SLAPI_BIND_SUCCESS || rc == SLAPI_BIND_ANONYMOUS) { -- send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, -- 0, NULL ); -+ send_ldap_result( pb, LDAP_SUCCESS, NULL, NULL, 0, NULL ); - } - - slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, &rc ); -@@ -876,8 +880,7 @@ free_and_return:; - slapi_sdn_free(&sdn); - slapi_ch_free_string( &saslmech ); - slapi_ch_free( (void **)&cred.bv_val ); -- if ( bind_target_entry != NULL ) -- slapi_entry_free(bind_target_entry); -+ slapi_entry_free(bind_target_entry); - } - - -diff --git a/ldap/servers/slapd/defbackend.c b/ldap/servers/slapd/defbackend.c -index 7d73501..da4a701 100644 ---- a/ldap/servers/slapd/defbackend.c -+++ b/ldap/servers/slapd/defbackend.c -@@ -171,6 +171,51 @@ defbackend_abandon( Slapi_PBlock *pb ) - } - - -+#define DEFBE_NO_SUCH_SUFFIX "No such suffix" -+/* -+ * Generate a "No such suffix" return text -+ * Example: -+ * cn=X,dc=bogus,dc=com ==> "No such suffix (dc=bogus,dc=com)" -+ * if the last rdn starts with "dc=", print all last dc= rdn's. 
-+ * cn=X,cn=bogus ==> "No such suffix (cn=bogus)" -+ * otherwise, print the very last rdn. -+ * cn=X,z=bogus ==> "No such suffix (x=bogus)" -+ * it is true even if it is an invalid rdn. -+ * cn=X,bogus ==> "No such suffix (bogus)" -+ * another example of invalid rdn. -+ */ -+static void -+_defbackend_gen_returntext(char *buffer, size_t buflen, char **dns) -+{ -+ int dnidx; -+ int sidx; -+ struct suffix_repeat { -+ char *suffix; -+ int size; -+ } candidates[] = { -+ {"dc=", 3}, /* dc could be repeated. otherwise the last rdn is used. */ -+ {NULL, 0} -+ }; -+ PR_snprintf(buffer, buflen, "%s (", DEFBE_NO_SUCH_SUFFIX); -+ for (dnidx = 0; dns[dnidx]; dnidx++) ; /* finding the last */ -+ dnidx--; /* last rdn */ -+ for (sidx = 0; candidates[sidx].suffix; sidx++) { -+ if (!PL_strncasecmp(dns[dnidx], candidates[sidx].suffix, candidates[sidx].size)) { -+ while (!PL_strncasecmp(dns[--dnidx], candidates[sidx].suffix, candidates[sidx].size)) ; -+ PL_strcat(buffer, dns[++dnidx]); /* the first "dn=", e.g. 
*/ -+ for (++dnidx; dns[dnidx]; dnidx++) { -+ PL_strcat(buffer, ","); -+ PL_strcat(buffer, dns[dnidx]); -+ } -+ PL_strcat(buffer, ")"); -+ return; /* finished the task */ -+ } -+ } -+ PL_strcat(buffer, dns[dnidx]); -+ PL_strcat(buffer, ")"); -+ return; -+} -+ - static int - defbackend_bind( Slapi_PBlock *pb ) - { -@@ -188,11 +233,40 @@ defbackend_bind( Slapi_PBlock *pb ) - slapi_pblock_get( pb, SLAPI_BIND_METHOD, &method ); - slapi_pblock_get( pb, SLAPI_BIND_CREDENTIALS, &cred ); - if ( method == LDAP_AUTH_SIMPLE && cred->bv_len == 0 ) { -- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsAnonymousBinds); -- rc = SLAPI_BIND_ANONYMOUS; -+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsAnonymousBinds); -+ rc = SLAPI_BIND_ANONYMOUS; - } else { -- send_nobackend_ldap_result( pb ); -- rc = SLAPI_BIND_FAIL; -+ Slapi_DN *sdn = NULL; -+ char *suffix = NULL; -+ char **dns = NULL; -+ -+ if (pb->pb_op) { -+ sdn = operation_get_target_spec(pb->pb_op); -+ if (sdn) { -+ dns = slapi_ldap_explode_dn(slapi_sdn_get_dn(sdn), 0); -+ if (dns) { -+ size_t dnlen = slapi_sdn_get_ndn_len(sdn); -+ size_t len = dnlen + sizeof(DEFBE_NO_SUCH_SUFFIX) + 4; -+ suffix = slapi_ch_malloc(len); -+ if (dnlen) { -+ _defbackend_gen_returntext(suffix, len, dns); -+ } else { -+ PR_snprintf(suffix, len, "%s", DEFBE_NO_SUCH_SUFFIX); -+ } -+ } -+ } -+ } -+ if (suffix) { -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, suffix); -+ } else { -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, DEFBE_NO_SUCH_SUFFIX); -+ } -+ send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL); -+ if (dns) { -+ slapi_ldap_value_free(dns); -+ } -+ slapi_ch_free_string(&suffix); -+ rc = SLAPI_BIND_FAIL; - } - - return( rc ); -diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c -index 506da92..c2a0206 100644 ---- a/ldap/servers/slapd/result.c -+++ b/ldap/servers/slapd/result.c -@@ -2067,14 +2067,26 @@ log_result( Slapi_PBlock *pb, Operation *op, int err, ber_tag_t tag, int nentrie - } - 
else if ( !internal_op ) - { -+ char *pbtxt = NULL; -+ char *ext_str = NULL; -+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &pbtxt); -+ if (pbtxt) { -+ ext_str = slapi_ch_smprintf(" - %s", pbtxt); -+ } else { -+ ext_str = ""; -+ } - slapi_log_access( LDAP_DEBUG_STATS, - "conn=%" NSPRIu64 " op=%d RESULT err=%d" -- " tag=%" BERTAG_T " nentries=%d etime=%s%s%s\n", -+ " tag=%" BERTAG_T " nentries=%d etime=%s%s%s%s\n", - op->o_connid, - op->o_opid, - err, tag, nentries, - etime, -- notes_str, csn_str ); -+ notes_str, csn_str, ext_str); -+ if (pbtxt) { -+ /* if !pbtxt ==> ext_str == "". Don't free ext_str. */ -+ slapi_ch_free_string(&ext_str); -+ } - } - else - { --- -2.4.11 - diff --git a/SOURCES/0010-Fix-double-free-in-_cl5NewDBFile-error-path.patch b/SOURCES/0010-Fix-double-free-in-_cl5NewDBFile-error-path.patch new file mode 100644 index 0000000..44813e8 --- /dev/null +++ b/SOURCES/0010-Fix-double-free-in-_cl5NewDBFile-error-path.patch 
@@ -0,0 +1,40 @@
+From 8c39c9dbe69949065940019e930c37b8f5450a75 Mon Sep 17 00:00:00 2001
+From: Adam Tkac
+Date: Sat, 18 Mar 2017 23:34:54 +0100
+Subject: [PATCH] Fix double-free in _cl5NewDBFile() error path
+
+Although slapi_ch_free should prevent double-free errors, it doesn't work
+in old code because after assignment
+
+(*dbFile)->name = name;
+
+two independent pointers points to the same allocated area and both pointers
+are free()-ed (one directly in error path in _cl5NewDBFile and the second
+in _cl5DBCloseFile, called in error path as well).
+
+Signed-off-by: Mark Reynolds
+---
+ ldap/servers/plugins/replication/cl5_api.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
+index fc70ab7..5c2233f 100644
+--- a/ldap/servers/plugins/replication/cl5_api.c
++++ b/ldap/servers/plugins/replication/cl5_api.c
+@@ -6269,9 +6269,10 @@ out:
+ }
+
+ (*dbFile)->db = db;
+- (*dbFile)->name = name;
+- (*dbFile)->replName = slapi_ch_strdup (replName);
+- (*dbFile)->replGen = slapi_ch_strdup (replGen);
++ (*dbFile)->name = name;
++ name = NULL; /* transfer ownership to dbFile struct */
++ (*dbFile)->replName = slapi_ch_strdup (replName);
++ (*dbFile)->replGen = slapi_ch_strdup (replGen);
+
+ /*
+ * Considerations for setting up cl semaphore:
+--
+2.9.3
+
diff --git a/SOURCES/0011-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch b/SOURCES/0011-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch
deleted file mode 100644
index 30adc8e..0000000
--- a/SOURCES/0011-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch
+++ /dev/null
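Review bot: In the cl5_api.c hunk of the double-free patch, the context line `(*dbFile)->db = db;` just above the fix still leaves the local `db` handle live after the struct has taken it, which is the same aliasing the patch removes for `name`. If the error path (outside this hunk) releases `db` directly and also reaches `_cl5DBCloseFile`, the handle would be released twice; that needs checking against the full function. If it applies, the matching change is `db = NULL; /* ownership moved to dbFile */` right after the assignment. The fix for `name` also depends on the error path freeing it with a NULL-tolerant call, which the commit message suggests (slapi_ch_free) but the hunk does not show.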
@@ -1,28 +0,0 @@
-From b6fd1033881ce21513ba95b533fd35942e5b66f1 Mon Sep 17 00:00:00 2001
-From: Noriko Hosoi
-Date: Thu, 14 Jul 2016 10:33:15 -0700
-Subject: [PATCH 11/15] Bug 1347760 - CVE-2016-4992 389-ds-base: Information
- disclosure via repeated use of LDAP ADD operation, etc.
-
-Description: Fixing a compiler warning.
-(cherry picked from commit 590e2fb86ee2e1d6f169169c83917d18872a95d0)
----
- ldap/servers/slapd/bind.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
-index b441615..702d4c2 100644
---- a/ldap/servers/slapd/bind.c
-+++ b/ldap/servers/slapd/bind.c
-@@ -697,7 +697,7 @@ do_bind( Slapi_PBlock *pb )
- sdn = pb_sdn;
- dn = slapi_sdn_get_dn(sdn);
- if (!dn) {
-- char *udn = slapi_sdn_get_udn(sdn);
-+ const char *udn = slapi_sdn_get_udn(sdn);
- slapi_create_errormsg(errorbuf, sizeof(errorbuf), "Pre-bind plug-in set corrupted dn %s\n", udn?udn:"");
- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, errorbuf);
- send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "", 0, NULL);
---
-2.4.11
-
diff --git a/SOURCES/0011-Issue-49188-retrocl-can-crash-server-at-shutdown.patch b/SOURCES/0011-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
new file mode 100644
index 0000000..994fa70
--- /dev/null
+++ b/SOURCES/0011-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
@@ -0,0 +1,34 @@
+From 8f908a1de1906a0b7451505d9640e2fd2f9fa7eb Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Wed, 22 Mar 2017 10:18:13 -0400
+Subject: [PATCH] Issue 49188 - retrocl can crash server at shutdown
+
+Description: We do not calloc enough elements when processing nsslapd-attribute
+ from the retrocl plugin configuration. This causes invalid memory
+ to be freed at shutdown(via slapi_ch_array_free).
+
+https://pagure.io/389-ds-base/issue/49188
+
+Reviewed by: mreynolds(one line commit rule)
+---
+ ldap/servers/plugins/retrocl/retrocl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
+index 32b30c7..6e68667 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.c
++++ b/ldap/servers/plugins/retrocl/retrocl.c
+@@ -470,8 +470,8 @@ static int retrocl_start (Slapi_PBlock *pb)
+
+ retrocl_nattributes = n;
+
+- retrocl_attributes = (char **)slapi_ch_calloc(n, sizeof(char *));
+- retrocl_aliases = (char **)slapi_ch_calloc(n, sizeof(char *));
++ retrocl_attributes = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
++ retrocl_aliases = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
+
+ slapi_log_err(SLAPI_LOG_PLUGIN, RETROCL_PLUGIN_NAME, "retrocl_start - Attributes:\n");
+
+--
+2.9.3
+
diff --git a/SOURCES/0012-Bug-1347760-CI-test-test-case-for-bug-1347760.patch b/SOURCES/0012-Bug-1347760-CI-test-test-case-for-bug-1347760.patch
deleted file mode 100644
index 0b18c51..0000000
--- a/SOURCES/0012-Bug-1347760-CI-test-test-case-for-bug-1347760.patch
+++ /dev/null
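Review bot: The `n + 1` in the two `slapi_ch_calloc` calls of the retrocl.c hunk is not explained in the code, so a later cleanup could easily revert it; the only rationale is in the commit message, which ties the crash to `slapi_ch_array_free` at shutdown. A comment above the allocations would pin it, for example `/* n entries + NULL terminator expected by slapi_ch_array_free() */`. The loop that fills both arrays is outside the hunk, so it should be confirmed that it writes at most `n` entries and leaves the final slot zeroed. `retrocl_start` continues past the end of the hunk.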
@@ -1,461 +0,0 @@ -From 845915e82846c3e84a9c7585ff584da32c1c5f38 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Tue, 12 Jul 2016 14:33:17 -0700 -Subject: [PATCH 12/15] Bug 1347760 - CI test: test case for bug 1347760 - -Description: Information disclosure via repeated use of LDAP ADD operation, etc. -(cherry picked from commit 27b8987108d875e3e9ee0d844548f8d94db350d1) ---- - dirsrvtests/tests/tickets/ticket1347760_test.py | 440 ++++++++++++++++++++++++ - 1 file changed, 440 insertions(+) - create mode 100644 dirsrvtests/tests/tickets/ticket1347760_test.py - -diff --git a/dirsrvtests/tests/tickets/ticket1347760_test.py b/dirsrvtests/tests/tickets/ticket1347760_test.py -new file mode 100644 -index 0000000..d2e9e37 ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket1347760_test.py -@@ -0,0 +1,440 @@ -+# --- BEGIN COPYRIGHT BLOCK --- -+# Copyright (C) 2016 Red Hat, Inc. -+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. -+# --- END COPYRIGHT BLOCK --- -+# -+import os -+import sys -+import time -+import ldap -+import logging -+import pytest -+from lib389 import DirSrv, Entry, tools, tasks -+from lib389.tools import DirSrvTools -+from lib389._constants import * -+from lib389.properties import * -+from lib389.tasks import * -+from lib389.utils import * -+ -+logging.getLogger(__name__).setLevel(logging.DEBUG) -+log = logging.getLogger(__name__) -+ -+installation1_prefix = None -+ -+CONFIG_DN = 'cn=config' -+BOU = 'BOU' -+BINDOU = 'ou=%s,%s' % (BOU, DEFAULT_SUFFIX) -+BUID = 'buser123' -+TUID = 'tuser0' -+BINDDN = 'uid=%s,%s' % (BUID, BINDOU) -+BINDPW = BUID -+TESTDN = 'uid=%s,ou=people,%s' % (TUID, DEFAULT_SUFFIX) -+TESTPW = TUID -+BOGUSDN = 'uid=bogus,%s' % DEFAULT_SUFFIX -+BOGUSDN2 = 'uid=bogus,ou=people,%s' % DEFAULT_SUFFIX -+BOGUSSUFFIX = 'uid=bogus,ou=people,dc=bogus' -+GROUPOU = 'ou=groups,%s' % DEFAULT_SUFFIX -+BOGUSOU = 'ou=OU,%s' % DEFAULT_SUFFIX -+ 
-+logging.getLogger(__name__).setLevel(logging.DEBUG) -+log = logging.getLogger(__name__) -+ -+installation1_prefix = None -+ -+class TopologyStandalone(object): -+ def __init__(self, standalone): -+ standalone.open() -+ self.standalone = standalone -+ -+ -+@pytest.fixture(scope="module") -+def topology(request): -+ global installation1_prefix -+ if installation1_prefix: -+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix -+ -+ # Creating standalone instance ... -+ standalone = DirSrv(verbose=False) -+ args_instance[SER_HOST] = HOST_STANDALONE -+ args_instance[SER_PORT] = PORT_STANDALONE -+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE -+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -+ args_standalone = args_instance.copy() -+ standalone.allocate(args_standalone) -+ instance_standalone = standalone.exists() -+ if instance_standalone: -+ standalone.delete() -+ standalone.create() -+ standalone.open() -+ -+ # Delete each instance in the end -+# def fin(): -+# standalone.delete() -+# request.addfinalizer(fin) -+ -+ # Clear out the tmp dir -+ standalone.clearTmpDir(__file__) -+ -+ return TopologyStandalone(standalone) -+ -+def pattern_accesslog(file, log_pattern): -+ try: -+ pattern_accesslog.last_pos += 1 -+ except AttributeError: -+ pattern_accesslog.last_pos = 0 -+ -+ found = None -+ file.seek(pattern_accesslog.last_pos) -+ -+ # Use a while true iteration because 'for line in file: hit a -+ # python bug that break file.tell() -+ while True: -+ line = file.readline() -+ found = log_pattern.search(line) -+ if ((line == '') or (found)): -+ break -+ -+ pattern_accesslog.last_pos = file.tell() -+ if found: -+ return line -+ else: -+ return None -+ -+def check_op_result(server, op, dn, superior, exists, rc): -+ targetdn = dn -+ if op == 'search': -+ if exists: -+ opstr = 'Searching existing entry' -+ else: -+ opstr = 'Searching non-existing entry' -+ elif op == 'add': -+ if exists: -+ opstr = 'Adding existing entry' -+ else: -+ opstr = 'Adding 
non-existing entry' -+ elif op == 'modify': -+ if exists: -+ opstr = 'Modifying existing entry' -+ else: -+ opstr = 'Modifying non-existing entry' -+ elif op == 'modrdn': -+ if superior != None: -+ targetdn = superior -+ if exists: -+ opstr = 'Moving to existing superior' -+ else: -+ opstr = 'Moving to non-existing superior' -+ else: -+ if exists: -+ opstr = 'Renaming existing entry' -+ else: -+ opstr = 'Renaming non-existing entry' -+ elif op == 'delete': -+ if exists: -+ opstr = 'Deleting existing entry' -+ else: -+ opstr = 'Deleting non-existing entry' -+ -+ if ldap.SUCCESS == rc: -+ expstr = 'be ok' -+ else: -+ expstr = 'fail with %s' % rc.__name__ -+ -+ log.info('%s %s, which should %s.' % (opstr, targetdn, expstr)) -+ hit = 0 -+ try: -+ if op == 'search': -+ centry = server.search_s(dn, ldap.SCOPE_BASE, 'objectclass=*') -+ elif op == 'add': -+ server.add_s(Entry((dn, {'objectclass': 'top extensibleObject'.split(), -+ 'cn': 'test entry'}))) -+ elif op == 'modify': -+ server.modify_s(dn, [(ldap.MOD_REPLACE, 'description', 'test')]) -+ elif op == 'modrdn': -+ if superior != None: -+ server.rename_s(dn, 'uid=new', newsuperior=superior, delold=1) -+ else: -+ server.rename_s(dn, 'uid=new', delold=1) -+ elif op == 'delete': -+ server.delete_s(dn) -+ else: -+ log.fatal('Unknown operation %s' % op) -+ assert False -+ except ldap.LDAPError as e: -+ hit = 1 -+ log.info("Exception (expected): %s" % type(e).__name__) -+ log.info('Desc ' + e.message['desc']) -+ assert isinstance(e, rc) -+ if e.message.has_key('matched'): -+ log.info('Matched is returned: ' + e.message['matched']) -+ if rc != ldap.NO_SUCH_OBJECT: -+ assert False -+ -+ if ldap.SUCCESS == rc: -+ if op == 'search': -+ log.info('Search should return none') -+ assert len(centry) == 0 -+ else: -+ if 0 == hit: -+ log.info('Expected to fail with %s, but passed' % rc.__name__) -+ assert False -+ -+ log.info('PASSED\n') -+ -+def test_ticket1347760(topology): -+ """ -+ Prevent revealing the entry info to whom has no 
access rights. -+ """ -+ log.info('Testing Bug 1347760 - Information disclosure via repeated use of LDAP ADD operation, etc.') -+ -+ log.info('Disabling accesslog logbuffering') -+ topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-accesslog-logbuffering', 'off')]) -+ -+ log.info('Bind as {%s,%s}' % (DN_DM, PASSWORD)) -+ topology.standalone.simple_bind_s(DN_DM, PASSWORD) -+ -+ log.info('Adding ou=%s a bind user belongs to.' % BOU) -+ topology.standalone.add_s(Entry((BINDOU, { -+ 'objectclass': 'top organizationalunit'.split(), -+ 'ou': BOU}))) -+ -+ log.info('Adding a bind user.') -+ topology.standalone.add_s(Entry((BINDDN, -+ {'objectclass': "top person organizationalPerson inetOrgPerson".split(), -+ 'cn': 'bind user', -+ 'sn': 'user', -+ 'userPassword': BINDPW}))) -+ -+ log.info('Adding a test user.') -+ topology.standalone.add_s(Entry((TESTDN, -+ {'objectclass': "top person organizationalPerson inetOrgPerson".split(), -+ 'cn': 'test user', -+ 'sn': 'user', -+ 'userPassword': TESTPW}))) -+ -+ log.info('Deleting aci in %s.' % DEFAULT_SUFFIX) -+ topology.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_DELETE, 'aci', None)]) -+ -+ log.info('Bind case 1. the bind user has no rights to read the entry itself, bind should be successful.') -+ log.info('Bind as {%s,%s} who has no access rights.' % (BINDDN, BINDPW)) -+ try: -+ topology.standalone.simple_bind_s(BINDDN, BINDPW) -+ except ldap.LDAPError as e: -+ log.info('Desc ' + e.message['desc']) -+ assert False -+ -+ file_path = os.path.join(topology.standalone.prefix, 'var/log/dirsrv/slapd-%s/access' % topology.standalone.serverid) -+ file_obj = open(file_path, "r") -+ log.info('Access log path: %s' % file_path) -+ -+ log.info('Bind case 2-1. the bind user does not exist, bind should fail with error %s' % ldap.INVALID_CREDENTIALS.__name__) -+ log.info('Bind as {%s,%s} who does not exist.' 
% (BOGUSDN, 'bogus')) -+ try: -+ topology.standalone.simple_bind_s(BOGUSDN, 'bogus') -+ except ldap.LDAPError as e: -+ log.info("Exception (expected): %s" % type(e).__name__) -+ log.info('Desc ' + e.message['desc']) -+ assert isinstance(e, ldap.INVALID_CREDENTIALS) -+ regex = re.compile('No such entry') -+ cause = pattern_accesslog(file_obj, regex) -+ if cause == None: -+ log.fatal('Cause not found - %s' % cause) -+ assert False -+ else: -+ log.info('Cause found - %s' % cause) -+ -+ log.info('Bind case 2-2. the bind user\'s suffix does not exist, bind should fail with error %s' % ldap.INVALID_CREDENTIALS.__name__) -+ log.info('Bind as {%s,%s} who does not exist.' % (BOGUSSUFFIX, 'bogus')) -+ try: -+ topology.standalone.simple_bind_s(BOGUSSUFFIX, 'bogus') -+ except ldap.LDAPError as e: -+ log.info("Exception (expected): %s" % type(e).__name__) -+ log.info('Desc ' + e.message['desc']) -+ assert isinstance(e, ldap.INVALID_CREDENTIALS) -+ regex = re.compile('No such suffix') -+ cause = pattern_accesslog(file_obj, regex) -+ if cause == None: -+ log.fatal('Cause not found - %s' % cause) -+ assert False -+ else: -+ log.info('Cause found - %s' % cause) -+ -+ log.info('Bind case 2-3. the bind user\'s password is wrong, bind should fail with error %s' % ldap.INVALID_CREDENTIALS.__name__) -+ log.info('Bind as {%s,%s} who does not exist.' % (BINDDN, 'bogus')) -+ try: -+ topology.standalone.simple_bind_s(BINDDN, 'bogus') -+ except ldap.LDAPError as e: -+ log.info("Exception (expected): %s" % type(e).__name__) -+ log.info('Desc ' + e.message['desc']) -+ assert isinstance(e, ldap.INVALID_CREDENTIALS) -+ regex = re.compile('Invalid credentials') -+ cause = pattern_accesslog(file_obj, regex) -+ if cause == None: -+ log.fatal('Cause not found - %s' % cause) -+ assert False -+ else: -+ log.info('Cause found - %s' % cause) -+ -+ log.info('Adding aci for %s to %s.' 
% (BINDDN, BINDOU)) -+ acival = '(targetattr="*")(version 3.0; acl "%s"; allow(all) userdn = "ldap:///%s";)' % (BUID, BINDDN) -+ log.info('aci: %s' % acival) -+ log.info('Bind as {%s,%s}' % (DN_DM, PASSWORD)) -+ topology.standalone.simple_bind_s(DN_DM, PASSWORD) -+ topology.standalone.modify_s(BINDOU, [(ldap.MOD_ADD, 'aci', acival)]) -+ -+ log.info('Bind case 3. the bind user has the right to read the entry itself, bind should be successful.') -+ log.info('Bind as {%s,%s} which should be ok.\n' % (BINDDN, BINDPW)) -+ topology.standalone.simple_bind_s(BINDDN, BINDPW) -+ -+ log.info('The following operations are against the subtree the bind user %s has no rights.' % BINDDN) -+ # Search -+ exists = True -+ rc = ldap.SUCCESS -+ log.info('Search case 1. the bind user has no rights to read the search entry, it should return no search results with %s' % rc) -+ check_op_result(topology.standalone, 'search', TESTDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.SUCCESS -+ log.info('Search case 2-1. the search entry does not exist, the search should return no search results with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'search', BOGUSDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.SUCCESS -+ log.info('Search case 2-2. the search entry does not exist, the search should return no search results with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'search', BOGUSDN2, None, exists, rc) -+ -+ # Add -+ exists = True -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Add case 1. the bind user has no rights AND the adding entry exists, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'add', TESTDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Add case 2-1. 
the bind user has no rights AND the adding entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'add', BOGUSDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Add case 2-2. the bind user has no rights AND the adding entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'add', BOGUSDN2, None, exists, rc) -+ -+ # Modify -+ exists = True -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Modify case 1. the bind user has no rights AND the modifying entry exists, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modify', TESTDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Modify case 2-1. the bind user has no rights AND the modifying entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modify', BOGUSDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Modify case 2-2. the bind user has no rights AND the modifying entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modify', BOGUSDN2, None, exists, rc) -+ -+ # Modrdn -+ exists = True -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Modrdn case 1. the bind user has no rights AND the renaming entry exists, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modrdn', TESTDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Modrdn case 2-1. the bind user has no rights AND the renaming entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modrdn', BOGUSDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Modrdn case 2-2. 
the bind user has no rights AND the renaming entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modrdn', BOGUSDN2, None, exists, rc) -+ -+ exists = True -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Modrdn case 3. the bind user has no rights AND the node moving an entry to exists, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modrdn', TESTDN, GROUPOU, exists, rc) -+ -+ exists = False -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Modrdn case 4-1. the bind user has no rights AND the node moving an entry to does not, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modrdn', TESTDN, BOGUSOU, exists, rc) -+ -+ exists = False -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Modrdn case 4-2. the bind user has no rights AND the node moving an entry to does not, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modrdn', TESTDN, BOGUSOU, exists, rc) -+ -+ # Delete -+ exists = True -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Delete case 1. the bind user has no rights AND the deleting entry exists, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'delete', TESTDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Delete case 2-1. the bind user has no rights AND the deleting entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'delete', BOGUSDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.INSUFFICIENT_ACCESS -+ log.info('Delete case 2-2. the bind user has no rights AND the deleting entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'delete', BOGUSDN2, None, exists, rc) -+ -+ log.info('EXTRA: Check no regressions') -+ log.info('Adding aci for %s to %s.' 
% (BINDDN, DEFAULT_SUFFIX)) -+ acival = '(targetattr="*")(version 3.0; acl "%s-all"; allow(all) userdn = "ldap:///%s";)' % (BUID, BINDDN) -+ log.info('Bind as {%s,%s}' % (DN_DM, PASSWORD)) -+ topology.standalone.simple_bind_s(DN_DM, PASSWORD) -+ topology.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_ADD, 'aci', acival)]) -+ -+ log.info('Bind as {%s,%s}.' % (BINDDN, BINDPW)) -+ try: -+ topology.standalone.simple_bind_s(BINDDN, BINDPW) -+ except ldap.LDAPError as e: -+ log.info('Desc ' + e.message['desc']) -+ assert False -+ -+ exists = False -+ rc = ldap.NO_SUCH_OBJECT -+ log.info('Search case. the search entry does not exist, the search should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'search', BOGUSDN2, None, exists, rc) -+ file_obj.close() -+ -+ exists = True -+ rc = ldap.ALREADY_EXISTS -+ log.info('Add case. the adding entry already exists, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'add', TESTDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.NO_SUCH_OBJECT -+ log.info('Modify case. the modifying entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modify', BOGUSDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.NO_SUCH_OBJECT -+ log.info('Modrdn case 1. the renaming entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modrdn', BOGUSDN, None, exists, rc) -+ -+ exists = False -+ rc = ldap.NO_SUCH_OBJECT -+ log.info('Modrdn case 2. the node moving an entry to does not, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'modrdn', TESTDN, BOGUSOU, exists, rc) -+ -+ exists = False -+ rc = ldap.NO_SUCH_OBJECT -+ log.info('Delete case. 
the deleting entry does not exist, it should fail with %s' % rc.__name__) -+ check_op_result(topology.standalone, 'delete', BOGUSDN, None, exists, rc) -+ -+ log.info('SUCCESS') -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) --- -2.4.11 - diff --git a/SOURCES/0012-Ticket-49177-rpm-would-not-create-valid-pkgconfig-fi.patch b/SOURCES/0012-Ticket-49177-rpm-would-not-create-valid-pkgconfig-fi.patch new file mode 100644 index 0000000..8b25c83 --- /dev/null +++ b/SOURCES/0012-Ticket-49177-rpm-would-not-create-valid-pkgconfig-fi.patch 
@@ -0,0 +1,131 @@ +From fffbb3d39a2ea12a2b3a72c729e76c1e69a19d8f Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 27 Mar 2017 14:33:17 -0400 +Subject: [PATCH] Ticket 49177 - rpm would not create valid pkgconfig files + + Bug Description: pkgconfig from the rpm was not valid. + + Fix Description: Resolve an issue in the way we handle the file + substiution to resolve this issue. + + https://pagure.io/389-ds-base/issue/49177 +--- + Makefile.am | 10 ++-------- + configure.ac | 3 +++ + m4/mozldap.m4 | 4 ++++ + m4/openldap.m4 | 4 ++++ + src/pkgconfig/dirsrv.pc.in | 4 ++++ + 5 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 4a4b2d3..982dd28 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -110,14 +110,12 @@ if OPENLDAP + # shared lib _fini for one will stomp on the other, and the program will crash + LDAPSDK_LINK_NOTHR = @openldap_lib@ -lldap@ol_libver@ @ldap_lib_ldif@ -llber@ol_libver@ + LDAPSDK_LINK = @openldap_lib@ -lldap_r@ol_libver@ @ldap_lib_ldif@ -llber@ol_libver@ +-ldaplib = openldap +-ldaplib_defs = -DUSE_OPENLDAP + else + LDAPSDK_LINK = @ldapsdk_lib@ -lssldap60 -lprldap60 -lldap60 -lldif60 + LDAPSDK_LINK_NOTHR = $(LDAPSDK_LINK) +-ldaplib = mozldap +-ldaplib_defs = + endif ++ldaplib = @ldaplib@ ++ldaplib_defs = @ldaplib_defs@ + + DB_LINK = @db_lib@ -ldb-@db_libver@ + SASL_LINK = @sasl_lib@ -lsasl2 +@@ -2237,10 +2235,6 @@ else + $(fixupcmd) $^ | sed -n -e 's/@preamble@//' -e '/^#/{p;d;}' -e '/^$$/{p;d;}' -e 's/^\([^=]*\)\(=.*\)$$/\1\2 ; export \1/ ; p' > $@ + endif + +-%/$(PACKAGE_NAME).pc: %/dirsrv.pc.in +- if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi +- $(fixupcmd) $^ > $@ +- + %/$(PACKAGE_NAME)-snmp: %/ldap-agent-initscript.in + if [ ! 
-d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi + $(fixupcmd) $^ > $@ +diff --git a/configure.ac b/configure.ac +index 4e3e9fb..3f2aa75 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -785,6 +785,8 @@ AC_SUBST(openldap_inc) + AC_SUBST(openldap_lib) + AC_SUBST(openldap_libdir) + AC_SUBST(openldap_bindir) ++AC_SUBST(ldaplib) ++AC_SUBST(ldaplib_defs) + AC_SUBST(ldaptool_bindir) + AC_SUBST(ldaptool_opts) + AC_SUBST(plainldif_opts) +@@ -853,6 +855,7 @@ if test "$GCC" != yes ; then + fi + + # Build our pkgconfig files ++# This currently conflicts with %.in: rule in Makefile.am, which should be removed eventually. + AC_CONFIG_FILES([src/pkgconfig/dirsrv.pc src/pkgconfig/nunc-stans.pc src/pkgconfig/libsds.pc]) + + AC_CONFIG_FILES([Makefile rpm/389-ds-base.spec ]) +diff --git a/m4/mozldap.m4 b/m4/mozldap.m4 +index 4352151..8084ed8 100644 +--- a/m4/mozldap.m4 ++++ b/m4/mozldap.m4 +@@ -15,6 +15,8 @@ AC_ARG_WITH(ldapsdk, AS_HELP_STRING([--with-ldapsdk@<:@=PATH@:>@],[Mozilla LDAP + if test "$withval" = yes + then + AC_MSG_RESULT(yes) ++ ldaplib="mozldap" ++ ldaplib_defs="" + elif test "$withval" = no + then + AC_MSG_RESULT(no) +@@ -22,6 +24,8 @@ AC_ARG_WITH(ldapsdk, AS_HELP_STRING([--with-ldapsdk@<:@=PATH@:>@],[Mozilla LDAP + then + AC_MSG_RESULT([using $withval]) + LDAPSDKDIR=$withval ++ ldaplib="mozldap" ++ ldaplib_defs="" + ldapsdk_inc="-I$LDAPSDKDIR/include" + ldapsdk_lib="-L$LDAPSDKDIR/lib" + ldapsdk_libdir="$LDAPSDKDIR/lib" +diff --git a/m4/openldap.m4 b/m4/openldap.m4 +index 417bf43..f45637c 100644 +--- a/m4/openldap.m4 ++++ b/m4/openldap.m4 +@@ -15,6 +15,8 @@ AC_ARG_WITH(openldap, AS_HELP_STRING([--with-openldap@<:@=PATH@:>@],[Use OpenLDA + if test "$withval" = yes + then + AC_MSG_RESULT([using system OpenLDAP]) ++ ldaplib="openldap" ++ ldaplib_defs="-DUSE_OPENLDAP" + elif test "$withval" = no + then + AC_MSG_RESULT(no) +@@ -22,6 +24,8 @@ AC_ARG_WITH(openldap, AS_HELP_STRING([--with-openldap@<:@=PATH@:>@],[Use OpenLDA + then + AC_MSG_RESULT([using $withval]) + 
OPENLDAPDIR=$withval ++ ldaplib="openldap" ++ ldaplib_defs="-DUSE_OPENLDAP" + openldap_incdir="$OPENLDAPDIR/include" + openldap_inc="-I$openldap_incdir" + openldap_lib="-L$OPENLDAPDIR/lib" +diff --git a/src/pkgconfig/dirsrv.pc.in b/src/pkgconfig/dirsrv.pc.in +index 4140031..df433cf 100644 +--- a/src/pkgconfig/dirsrv.pc.in ++++ b/src/pkgconfig/dirsrv.pc.in +@@ -1,3 +1,7 @@ ++prefix=@prefix@ ++exec_prefix=@exec_prefix@ ++libdir=@libdir@ ++includedir=@includedir@ + ldaplib=@ldaplib@ + + Name: dirsrv +-- +2.9.3 + diff --git a/SOURCES/0013-Ticket-48925-slapd-crash-with-SIGILL-Dsktune-should-.patch b/SOURCES/0013-Ticket-48925-slapd-crash-with-SIGILL-Dsktune-should-.patch deleted file mode 100644 index c5e693a..0000000 --- a/SOURCES/0013-Ticket-48925-slapd-crash-with-SIGILL-Dsktune-should-.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 9f8d3fc5bd7cb1e00b6bd48669b8074849f4c5da Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Thu, 14 Jul 2016 13:47:11 +1000 -Subject: [PATCH 13/15] Ticket 48925 - slapd crash with SIGILL: Dsktune should - detect lack of CMPXCHG16B - -Bug Description: On older AMD the CMPXCHG16B is not present. This is critical -to the correct operation of lfds. Without out it we are unable to use nunc-stans - -Fix Description: dsktune should warn if CMPXCHG16B (flag cx16) is not present. -In a future release we will NOT allow installation upon a platform that lacks -this instruction. - -https://fedorahosted.org/389/ticket/48925 - -Author: wibrown - -Review by: nhosoi (Thank you!) - -(cherry picked from commit 5eb19778f7939967e8ca714c4d4cb03ffa11064d) ---- - ldap/systools/idsktune.c | 40 +++++++++++++++++++++++++++++++++++++++- - 1 file changed, 39 insertions(+), 1 deletion(-) - -diff --git a/ldap/systools/idsktune.c b/ldap/systools/idsktune.c -index c7e76e7..b6c352a 100644 ---- a/ldap/systools/idsktune.c -+++ b/ldap/systools/idsktune.c -@@ -11,11 +11,12 @@ - # include - #endif - -+#define _GNU_SOURCE - - /* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - * Don't forget to update build_date when the patch sets are updated. - * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
*/ --static char *build_date = "23-FEBRUARY-2012"; -+static char *build_date = "14-JULY-2016"; - - #if defined(linux) || defined(__linux) || defined(__linux__) - #define IDDS_LINUX_INCLUDE 1 -@@ -32,10 +33,12 @@ static char *build_date = "23-FEBRUARY-2012"; - #include - #include - #endif -+ - #include - #include - #include - #include -+ - #if !defined(__VMS) && !defined(IDDS_LINUX_INCLUDE) - #if defined(__hpux) && defined(f_type) - #undef f_type -@@ -864,6 +867,39 @@ done: - free(cmd); - } - } -+ -+ -+static void -+linux_check_cpu_features(void) -+{ -+ FILE *cpuinfo = fopen("/proc/cpuinfo", "rb"); -+ char *arg = 0; -+ char *token = NULL; -+ size_t size = 0; -+ int found = 0; -+ while(getline(&arg, &size, cpuinfo) != -1) -+ { -+ if (strncmp("flags", arg, 5) == 0) { -+ token = strtok(arg, " "); -+ while (token != NULL) { -+ if (strncmp(token, "cx16", 4) == 0) { -+ found += 1; -+ } -+ token = strtok(NULL, " "); -+ } -+ } -+ } -+ free(arg); -+ fclose(cpuinfo); -+ -+ if (found == 0) { -+ flag_os_bad = 1; -+ printf("ERROR: This system does not support CMPXCHG16B instruction (cpuflag cx16).\n"); -+ printf(" nsslapd-enable-nunc-stans must be set to "off" on this system. \n"); -+ printf(" In a future release of Directory Server this platform will NOT be supported.\n\n"); -+ } -+ -+} - #endif /* IDDS_LINUX_INCLUDE */ - - -@@ -976,6 +1012,8 @@ static void gen_tests (void) - - #if defined(IDDS_LINUX_INCLUDE) - linux_check_release(); -+ -+ linux_check_cpu_features(); - #endif - - --- -2.4.11 - diff --git a/SOURCES/0013-Ticket-49076-To-debug-DB_DEADLOCK-condition-allow-to.patch b/SOURCES/0013-Ticket-49076-To-debug-DB_DEADLOCK-condition-allow-to.patch new file mode 100644 index 0000000..7d0d1c3 --- /dev/null +++ b/SOURCES/0013-Ticket-49076-To-debug-DB_DEADLOCK-condition-allow-to.patch 
@@ -0,0 +1,245 @@ +From 1a66f5f232d6c2869ef4e439eafe5a820f61a976 Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Wed, 15 Feb 2017 11:31:27 +0100 +Subject: [PATCH] Ticket 49076 - To debug DB_DEADLOCK condition, allow to reset + DB_TXN_NOWAIT flag on txn_begin + +Bug Description: + For debug reason it is interesting to have a new configuration ldbm backend config + option (nsslapd-db-transaction-wait) that allows to hang on deadlock + rather to let the server handling retries. + +Fix Description: + The fix introduce a new attribute nsslapd-db-transaction-wait under + "cn=config,cn=ldbm database,cn=plugins,cn=config". + By default it is "off" (ldbm returns DB_DEADLOCK) and can be changed + online. + It is taken into account when a new transcation begin. + +https://pagure.io/389-ds-base/issue/49076 + +Reviewed by: William Brown, Ludwig Krispenz + +Platforms tested: F23 + +Flag Day: no + +Doc impact: no +--- + dirsrvtests/tests/tickets/ticket49076_test.py | 103 ++++++++++++++++++++++++++ + ldap/servers/slapd/back-ldbm/dblayer.c | 9 ++- + ldap/servers/slapd/back-ldbm/dblayer.h | 3 + + ldap/servers/slapd/back-ldbm/ldbm_config.c | 22 ++++++ + ldap/servers/slapd/back-ldbm/ldbm_config.h | 1 + + 5 files changed, 137 insertions(+), 1 deletion(-) + create mode 100644 dirsrvtests/tests/tickets/ticket49076_test.py + +diff --git a/dirsrvtests/tests/tickets/ticket49076_test.py b/dirsrvtests/tests/tickets/ticket49076_test.py +new file mode 100644 +index 0000000..c4a2c1b +--- /dev/null ++++ b/dirsrvtests/tests/tickets/ticket49076_test.py +@@ -0,0 +1,103 @@ ++import time ++import ldap ++import logging ++import pytest ++from lib389 import DirSrv, Entry, tools, tasks ++from lib389.tools import DirSrvTools ++from lib389._constants import * ++from lib389.properties import * ++from lib389.tasks import * ++from lib389.utils import * ++from lib389.topologies import topology_st as topo ++ ++DEBUGGING = os.getenv("DEBUGGING", default=False) ++if DEBUGGING: ++ 
logging.getLogger(__name__).setLevel(logging.DEBUG) ++else: ++ logging.getLogger(__name__).setLevel(logging.INFO) ++log = logging.getLogger(__name__) ++ ++ldbm_config = "cn=config,%s" % (DN_LDBM) ++txn_begin_flag = "nsslapd-db-transaction-wait" ++TEST_USER_DN = 'cn=test,%s' % SUFFIX ++TEST_USER = "test" ++ ++def _check_configured_value(topology_st, attr=txn_begin_flag, expected_value=None, required=False): ++ entries = topology_st.standalone.search_s(ldbm_config, ldap.SCOPE_BASE, 'cn=config') ++ if required: ++ assert (entries[0].hasValue(attr)) ++ if entries[0].hasValue(attr): ++ topology_st.standalone.log.info('Current value is %s' % entries[0].getValue(attr)) ++ assert (entries[0].getValue(attr) == expected_value) ++ ++def _update_db(topology_st): ++ topology_st.standalone.add_s( ++ Entry((TEST_USER_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(), ++ 'cn': TEST_USER, ++ 'sn': TEST_USER, ++ 'givenname': TEST_USER}))) ++ topology_st.standalone.delete_s(TEST_USER_DN) ++ ++def test_ticket49076(topo): ++ """Write your testcase here... ++ ++ Also, if you need any testcase initialization, ++ please, write additional fixture for that(include finalizer). 
++ """ ++ ++ # check default value is DB_TXN_NOWAIT ++ _check_configured_value(topo, expected_value="off") ++ ++ # tests we are able to update DB ++ _update_db(topo) ++ ++ # switch to wait mode ++ topo.standalone.modify_s(ldbm_config, ++ [(ldap.MOD_REPLACE, txn_begin_flag, "on")]) ++ # check default value is DB_TXN_NOWAIT ++ _check_configured_value(topo, expected_value="on") ++ _update_db(topo) ++ ++ ++ # switch back to "normal mode" ++ topo.standalone.modify_s(ldbm_config, ++ [(ldap.MOD_REPLACE, txn_begin_flag, "off")]) ++ # check default value is DB_TXN_NOWAIT ++ _check_configured_value(topo, expected_value="off") ++ # tests we are able to update DB ++ _update_db(topo) ++ ++ # check that settings are not reset by restart ++ topo.standalone.modify_s(ldbm_config, ++ [(ldap.MOD_REPLACE, txn_begin_flag, "on")]) ++ # check default value is DB_TXN_NOWAIT ++ _check_configured_value(topo, expected_value="on") ++ _update_db(topo) ++ topo.standalone.restart(timeout=10) ++ _check_configured_value(topo, expected_value="on") ++ _update_db(topo) ++ ++ # switch default value ++ topo.standalone.modify_s(ldbm_config, ++ [(ldap.MOD_DELETE, txn_begin_flag, None)]) ++ # check default value is DB_TXN_NOWAIT ++ _check_configured_value(topo, expected_value="off") ++ # tests we are able to update DB ++ _update_db(topo) ++ topo.standalone.restart(timeout=10) ++ _check_configured_value(topo, expected_value="off") ++ # tests we are able to update DB ++ _update_db(topo) ++ ++ ++ if DEBUGGING: ++ # Add debugging steps(if any)... 
++ pass ++ ++ ++if __name__ == '__main__': ++ # Run isolated ++ # -s for DEBUG mode ++ CURRENT_FILE = os.path.realpath(__file__) ++ pytest.main("-s %s" % CURRENT_FILE) ++ +diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c +index 683994f..507a3cc 100644 +--- a/ldap/servers/slapd/back-ldbm/dblayer.c ++++ b/ldap/servers/slapd/back-ldbm/dblayer.c +@@ -3374,6 +3374,8 @@ dblayer_txn_begin_ext(struct ldbminfo *li, back_txnid parent_txn, back_txn *txn, + + if (priv->dblayer_enable_transactions) + { ++ int txn_begin_flags; ++ + dblayer_private_env *pEnv = priv->dblayer_env; + if(use_lock) slapi_rwlock_rdlock(pEnv->dblayer_env_lock); + if (!parent_txn) +@@ -3383,11 +3385,16 @@ dblayer_txn_begin_ext(struct ldbminfo *li, back_txnid parent_txn, back_txn *txn, + if (par_txn_txn) { + parent_txn = par_txn_txn->back_txn_txn; + } ++ } ++ if (priv->dblayer_txn_wait) { ++ txn_begin_flags = 0; ++ } else { ++ txn_begin_flags = DB_TXN_NOWAIT; + } + return_value = TXN_BEGIN(pEnv->dblayer_DB_ENV, + (DB_TXN*)parent_txn, + &new_txn.back_txn_txn, +- DB_TXN_NOWAIT); ++ txn_begin_flags); + if (0 != return_value) + { + if(use_lock) slapi_rwlock_unlock(priv->dblayer_env->dblayer_env_lock); +diff --git a/ldap/servers/slapd/back-ldbm/dblayer.h b/ldap/servers/slapd/back-ldbm/dblayer.h +index e02e6e0..e4307fc 100644 +--- a/ldap/servers/slapd/back-ldbm/dblayer.h ++++ b/ldap/servers/slapd/back-ldbm/dblayer.h +@@ -104,6 +104,9 @@ struct dblayer_private + * the mpool */ + int dblayer_recovery_required; + int dblayer_enable_transactions; ++ int dblayer_txn_wait; /* Default is "off" (DB_TXN_NOWAIT) but for ++ * support purpose it could be helpful to set ++ * "on" so that backend hang on deadlock */ + int dblayer_durable_transactions; + int dblayer_checkpoint_interval; + int dblayer_circular_logging; +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c +index 8541224..dfe7a13 100644 +--- 
a/ldap/servers/slapd/back-ldbm/ldbm_config.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c +@@ -636,6 +636,27 @@ static int ldbm_config_db_transaction_logging_set(void *arg, void *value, char * + return retval; + } + ++ ++static void *ldbm_config_db_transaction_wait_get(void *arg) ++{ ++ struct ldbminfo *li = (struct ldbminfo *) arg; ++ ++ return (void *) ((uintptr_t)li->li_dblayer_private->dblayer_txn_wait); ++} ++ ++static int ldbm_config_db_transaction_wait_set(void *arg, void *value, char *errorbuf, int phase, int apply) ++{ ++ struct ldbminfo *li = (struct ldbminfo *) arg; ++ int retval = LDAP_SUCCESS; ++ int val = (int) ((uintptr_t)value); ++ ++ if (apply) { ++ li->li_dblayer_private->dblayer_txn_wait = val; ++ } ++ ++ return retval; ++} ++ + static void *ldbm_config_db_logbuf_size_get(void *arg) + { + struct ldbminfo *li = (struct ldbminfo *) arg; +@@ -1517,6 +1538,7 @@ static config_info ldbm_config[] = { + {CONFIG_DB_DURABLE_TRANSACTIONS, CONFIG_TYPE_ONOFF, "on", &ldbm_config_db_durable_transactions_get, &ldbm_config_db_durable_transactions_set, CONFIG_FLAG_ALWAYS_SHOW}, + {CONFIG_DB_CIRCULAR_LOGGING, CONFIG_TYPE_ONOFF, "on", &ldbm_config_db_circular_logging_get, &ldbm_config_db_circular_logging_set, 0}, + {CONFIG_DB_TRANSACTION_LOGGING, CONFIG_TYPE_ONOFF, "on", &ldbm_config_db_transaction_logging_get, &ldbm_config_db_transaction_logging_set, 0}, ++ {CONFIG_DB_TRANSACTION_WAIT, CONFIG_TYPE_ONOFF, "off", &ldbm_config_db_transaction_wait_get, &ldbm_config_db_transaction_wait_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE}, + {CONFIG_DB_CHECKPOINT_INTERVAL, CONFIG_TYPE_INT, "60", &ldbm_config_db_checkpoint_interval_get, &ldbm_config_db_checkpoint_interval_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE}, + {CONFIG_DB_COMPACTDB_INTERVAL, CONFIG_TYPE_INT, "2592000"/*30days*/, &ldbm_config_db_compactdb_interval_get, &ldbm_config_db_compactdb_interval_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE}, + 
{CONFIG_DB_TRANSACTION_BATCH, CONFIG_TYPE_INT, "0", &dblayer_get_batch_transactions, &dblayer_set_batch_transactions, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE}, +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.h b/ldap/servers/slapd/back-ldbm/ldbm_config.h +index f481937..ddec3a8 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_config.h ++++ b/ldap/servers/slapd/back-ldbm/ldbm_config.h +@@ -80,6 +80,7 @@ struct config_info { + #define CONFIG_DB_DURABLE_TRANSACTIONS "nsslapd-db-durable-transaction" + #define CONFIG_DB_CIRCULAR_LOGGING "nsslapd-db-circular-logging" + #define CONFIG_DB_TRANSACTION_LOGGING "nsslapd-db-transaction-logging" ++#define CONFIG_DB_TRANSACTION_WAIT "nsslapd-db-transaction-wait" + #define CONFIG_DB_CHECKPOINT_INTERVAL "nsslapd-db-checkpoint-interval" + #define CONFIG_DB_COMPACTDB_INTERVAL "nsslapd-db-compactdb-interval" + #define CONFIG_DB_TRANSACTION_BATCH "nsslapd-db-transaction-batch-val" +-- +2.9.3 + diff --git a/SOURCES/0014-Issue-49192-Deleting-suffix-can-hang-server.patch b/SOURCES/0014-Issue-49192-Deleting-suffix-can-hang-server.patch new file mode 100644 index 0000000..60a04d2 --- /dev/null +++ b/SOURCES/0014-Issue-49192-Deleting-suffix-can-hang-server.patch 
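Review bot: `ldbm_config_db_transaction_wait_set` in the ldbm_config.c hunk stores the new value without leaving any trace in the log, although the option is registered with `CONFIG_FLAG_ALLOW_RUNNING_CHANGE` and, per the comment added in dblayer.h, makes the backend hang on deadlock. Once it is on, `dblayer_txn_begin_ext` passes 0 instead of `DB_TXN_NOWAIT` to `TXN_BEGIN`, so a server left in this debug mode can stall writers, and an operator investigating the hang has no record that the switch was flipped. I would log the change inside the `if (apply)` branch, for example `if (val) slapi_log_err(SLAPI_LOG_WARNING, "ldbm_config_db_transaction_wait_set", "nsslapd-db-transaction-wait is on: transactions will block on lock conflicts\n");`. The comment on `dblayer_txn_wait` could also say outright that the setting is for debugging only and is not meant to stay enabled in production.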
@@ -0,0 +1,244 @@ +From 353955ba9b4c487e30315d39d1880b6b784817d2 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 27 Mar 2017 10:59:40 -0400 +Subject: [PATCH] Issue 49192 - Deleting suffix can hang server + +Description: If you attempt to bind as an inactive user the backend rwlock + is not unlocked. Regression introduced from issue 49051. + +https://pagure.io/389-ds-base/issue/49192 + +Reviewed by: nhosoi(Thanks!) +--- + dirsrvtests/tests/tickets/ticket49192_test.py | 177 ++++++++++++++++++++++++++ + ldap/servers/slapd/bind.c | 3 - + ldap/servers/slapd/pw_verify.c | 8 +- + 3 files changed, 179 insertions(+), 9 deletions(-) + create mode 100644 dirsrvtests/tests/tickets/ticket49192_test.py + +diff --git a/dirsrvtests/tests/tickets/ticket49192_test.py b/dirsrvtests/tests/tickets/ticket49192_test.py +new file mode 100644 +index 0000000..f770ba7 +--- /dev/null ++++ b/dirsrvtests/tests/tickets/ticket49192_test.py +@@ -0,0 +1,177 @@ ++import time ++import ldap ++import logging ++import pytest ++from lib389 import Entry ++from lib389._constants import * ++from lib389.properties import * ++from lib389.tasks import * ++from lib389.utils import * ++from lib389.topologies import topology_st as topo ++ ++DEBUGGING = os.getenv("DEBUGGING", default=False) ++if DEBUGGING: ++ logging.getLogger(__name__).setLevel(logging.DEBUG) ++else: ++ logging.getLogger(__name__).setLevel(logging.INFO) ++log = logging.getLogger(__name__) ++ ++INDEX_DN = 'cn=index,cn=Second_Backend,cn=ldbm database,cn=plugins,cn=config' ++SUFFIX_DN = 'cn=Second_Backend,cn=ldbm database,cn=plugins,cn=config' ++MY_SUFFIX = "o=hang.com" ++USER_DN = 'uid=user,' + MY_SUFFIX ++ ++ ++def test_ticket49192(topo): ++ """Trigger deadlock when removing suffix ++ """ ++ ++ # ++ # Create a second suffix/backend ++ # ++ log.info('Creating second backend...') ++ topo.standalone.backends.create(None, properties={ ++ BACKEND_NAME: "Second_Backend", ++ 'suffix': "o=hang.com", ++ }) ++ try: ++ 
topo.standalone.add_s(Entry(("o=hang.com", { ++ 'objectclass': 'top organization'.split(), ++ 'o': 'hang.com'}))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to create 2nd suffix: error ' + e.message['desc']) ++ assert False ++ ++ # ++ # Add roles ++ # ++ log.info('Adding roles...') ++ try: ++ topo.standalone.add_s(Entry(('cn=nsManagedDisabledRole,' + MY_SUFFIX, { ++ 'objectclass': ['top', 'LdapSubEntry', ++ 'nsRoleDefinition', ++ 'nsSimpleRoleDefinition', ++ 'nsManagedRoleDefinition'], ++ 'cn': 'nsManagedDisabledRole'}))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add managed role: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ topo.standalone.add_s(Entry(('cn=nsDisabledRole,' + MY_SUFFIX, { ++ 'objectclass': ['top', 'LdapSubEntry', ++ 'nsRoleDefinition', ++ 'nsComplexRoleDefinition', ++ 'nsNestedRoleDefinition'], ++ 'cn': 'nsDisabledRole', ++ 'nsRoledn': 'cn=nsManagedDisabledRole,' + MY_SUFFIX}))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add nested role: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ topo.standalone.add_s(Entry(('cn=nsAccountInactivationTmp,' + MY_SUFFIX, { ++ 'objectclass': ['top', 'nsContainer'], ++ 'cn': 'nsAccountInactivationTmp'}))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add container: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ topo.standalone.add_s(Entry(('cn=\"cn=nsDisabledRole,' + MY_SUFFIX + '\",cn=nsAccountInactivationTmp,' + MY_SUFFIX, { ++ 'objectclass': ['top', 'extensibleObject', 'costemplate', ++ 'ldapsubentry'], ++ 'nsAccountLock': 'true'}))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add cos1: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ topo.standalone.add_s(Entry(('cn=nsAccountInactivation_cos,' + MY_SUFFIX, { ++ 'objectclass': ['top', 'LdapSubEntry', 'cosSuperDefinition', ++ 'cosClassicDefinition'], ++ 'cn': 'nsAccountInactivation_cos', ++ 'cosTemplateDn': 'cn=nsAccountInactivationTmp,' + MY_SUFFIX, ++ 
'cosSpecifier': 'nsRole', ++ 'cosAttribute': 'nsAccountLock operational'}))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add cos2 : error ' + e.message['desc']) ++ assert False ++ ++ # ++ # Add test entry ++ # ++ try: ++ topo.standalone.add_s(Entry((USER_DN, { ++ 'objectclass': 'top extensibleObject'.split(), ++ 'uid': 'user', ++ 'userpassword': 'password', ++ }))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add user: error ' + e.message['desc']) ++ assert False ++ ++ # ++ # Inactivate the user account ++ # ++ try: ++ topo.standalone.modify_s(USER_DN, ++ [(ldap.MOD_ADD, ++ 'nsRoleDN', ++ 'cn=nsManagedDisabledRole,' + MY_SUFFIX)]) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to disable user: error ' + e.message['desc']) ++ assert False ++ ++ time.sleep(1) ++ ++ # Bind as user (should fail) ++ try: ++ topo.standalone.simple_bind_s(USER_DN, 'password') ++ log.error("Bind incorrectly worked") ++ assert False ++ except ldap.UNWILLING_TO_PERFORM: ++ log.info('Got error 53 as expected') ++ except ldap.LDAPError as e: ++ log.fatal('Bind has unexpected error ' + e.message['desc']) ++ assert False ++ ++ # Bind as root DN ++ try: ++ topo.standalone.simple_bind_s(DN_DM, PASSWORD) ++ except ldap.LDAPError as e: ++ log.fatal('RootDN Bind has unexpected error ' + e.message['desc']) ++ assert False ++ ++ # ++ # Delete suffix ++ # ++ log.info('Delete the suffix and children...') ++ try: ++ index_entries = topo.standalone.search_s( ++ SUFFIX_DN, ldap.SCOPE_SUBTREE, 'objectclass=top') ++ except ldap.LDAPError as e: ++ log.error('Failed to search: %s - error %s' % (SUFFIX_DN, str(e))) ++ ++ for entry in reversed(index_entries): ++ try: ++ log.info("Deleting: " + entry.dn) ++ if entry.dn != SUFFIX_DN and entry.dn != INDEX_DN: ++ topo.standalone.search_s(entry.dn, ++ ldap.SCOPE_ONELEVEL, ++ 'objectclass=top') ++ topo.standalone.delete_s(entry.dn) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to delete entry: %s - error %s' % ++ (entry.dn, str(e))) ++ 
assert False ++ ++ log.info("Test Passed") ++ ++ ++if __name__ == '__main__': ++ # Run isolated ++ # -s for DEBUG mode ++ CURRENT_FILE = os.path.realpath(__file__) ++ pytest.main("-s %s" % CURRENT_FILE) ++ +diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c +index 5c4fada..f83df7d 100644 +--- a/ldap/servers/slapd/bind.c ++++ b/ldap/servers/slapd/bind.c +@@ -771,9 +771,6 @@ do_bind( Slapi_PBlock *pb ) + /* need_new_pw failed; need_new_pw already send_ldap_result in it. */ + goto free_and_return; + } +- if (be) { +- slapi_be_Unlock(be); +- } + } else { /* anonymous */ + /* set bind creds here so anonymous limits are set */ + bind_credentials_set(pb->pb_conn, authtype, NULL, NULL, NULL, NULL, NULL); +diff --git a/ldap/servers/slapd/pw_verify.c b/ldap/servers/slapd/pw_verify.c +index a9fd9ec..852b027 100644 +--- a/ldap/servers/slapd/pw_verify.c ++++ b/ldap/servers/slapd/pw_verify.c +@@ -50,8 +50,6 @@ pw_verify_root_dn(const char *dn, const Slapi_Value *cred) + * + * In the future, this will use the credentials and do mfa. + * +- * If you get SLAPI_BIND_SUCCESS or SLAPI_BIND_ANONYMOUS you need to unlock +- * the backend. + * All other results, it's already released. + */ + int +@@ -81,10 +79,8 @@ pw_verify_be_dn(Slapi_PBlock *pb, Slapi_Entry **referral) + set_db_default_result_handlers(pb); + /* now take the dn, and check it */ + rc = (*be->be_bind)(pb); +- /* now attempt the bind. */ +- if (rc != SLAPI_BIND_SUCCESS && rc != SLAPI_BIND_ANONYMOUS) { +- slapi_be_Unlock(be); +- } ++ slapi_be_Unlock(be); ++ + return rc; + } + +-- +2.9.3 + diff --git a/SOURCES/0014-Ticket-48925-slapd-crash-with-SIGILL-Dsktune-should-.patch b/SOURCES/0014-Ticket-48925-slapd-crash-with-SIGILL-Dsktune-should-.patch deleted file mode 100644 index d9c3309..0000000 --- a/SOURCES/0014-Ticket-48925-slapd-crash-with-SIGILL-Dsktune-should-.patch +++ /dev/null 
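Review bot: The header comment of `pw_verify_be_dn` in the pw_verify.c hunk now ends with "All other results, it's already released." after the two lines it depended on were removed, so it no longer describes the contract. With `slapi_be_Unlock(be)` now unconditional after `(*be->be_bind)(pb)`, the comment should say so, for example `* The backend is always unlocked before this function returns; callers must not unlock it.` It is also worth confirming that nothing in `do_bind` after the call still relies on the backend being locked, since the `need_new_pw` path shown in the bind.c hunk previously ran before the caller's unlock. Both functions continue outside their hunks, so this cannot be settled from the diff alone.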
@@ -1,31 +0,0 @@
-From 8464ea4aa20182d3f56c06287cbb8a2ff71e2837 Mon Sep 17 00:00:00 2001
-From: Noriko Hosoi
-Date: Thu, 14 Jul 2016 15:36:03 -0700
-Subject: [PATCH 14/15] Ticket 48925 - slapd crash with SIGILL: Dsktune should
- detect lack of CMPXCHG16B
-
-Description: escaping '"' in the ERROR message.
-
-Reviewed by: one-line rule
-
-(cherry picked from commit 975e0fae044a08d2755b2394bac09d722bd1bae0)
----
- ldap/systools/idsktune.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/systools/idsktune.c b/ldap/systools/idsktune.c
-index b6c352a..ad6a39e 100644
---- a/ldap/systools/idsktune.c
-+++ b/ldap/systools/idsktune.c
-@@ -895,7 +895,7 @@ linux_check_cpu_features(void)
- if (found == 0) {
- flag_os_bad = 1;
- printf("ERROR: This system does not support CMPXCHG16B instruction (cpuflag cx16).\n");
-- printf(" nsslapd-enable-nunc-stans must be set to "off" on this system. \n");
-+ printf(" nsslapd-enable-nunc-stans must be set to \"off\" on this system. \n");
- printf(" In a future release of Directory Server this platform will NOT be supported.\n\n");
- }
-
---
-2.4.11
-
diff --git a/SOURCES/0015-Ticket-48919-Compiler-warnings-while-building-389-ds.patch b/SOURCES/0015-Ticket-48919-Compiler-warnings-while-building-389-ds.patch
deleted file mode 100644
index 3998c3a..0000000
--- a/SOURCES/0015-Ticket-48919-Compiler-warnings-while-building-389-ds.patch
+++ /dev/null
@@ -1,74 +0,0 @@ -From bd07b274a2bdbb1accf0d808c1c6a774c95d10db Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Thu, 14 Jul 2016 16:35:38 -0700 -Subject: [PATCH 15/15] Ticket #48919 - Compiler warnings while building - 389-ds-base on RHEL7 - -Description: Fixing additional complier warnings. -1. ldap/servers/slapd/attrsyntax.c - attr_syntax_force_to_delete(struct asyntaxinfo *asip, void *arg) - This function does not care the attr_syntax_enum_flaginfo. -2. ldap/servers/slapd/detach.c - Let detach use the rc which must be 0 (success). -3. ldap/systools/idsktune.c - Removing #define _GNU_SOURCE from idsktune.c. - The macro is defined in config.h generated by configure. - $ egrep _GNU_SOURCE config.h - #define _GNU_SOURCE 1 - -https://fedorahosted.org/389/ticket/48919 - -Reviewed by wibrown@redhat.com (Thanks, William!) - -(cherry picked from commit 7c9853e07a85db3b46cd1eb6eacdacf3f17c39a0) ---- - ldap/servers/slapd/attrsyntax.c | 4 ---- - ldap/servers/slapd/detach.c | 2 +- - ldap/systools/idsktune.c | 2 -- - 3 files changed, 1 insertion(+), 7 deletions(-) - -diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c -index 8b2a77a..aec6d21 100644 ---- a/ldap/servers/slapd/attrsyntax.c -+++ b/ldap/servers/slapd/attrsyntax.c -@@ -1390,11 +1390,7 @@ attr_syntax_delete_if_not_flagged(struct asyntaxinfo *asip, void *arg) - static int - attr_syntax_force_to_delete(struct asyntaxinfo *asip, void *arg) - { -- struct attr_syntax_enum_flaginfo *fi; -- - PR_ASSERT( asip != NULL ); -- fi = (struct attr_syntax_enum_flaginfo *)arg; -- PR_ASSERT( fi != NULL ); - - attr_syntax_delete_no_lock( asip, PR_FALSE, 0 ); - return ATTR_SYNTAX_ENUM_REMOVE; -diff --git a/ldap/servers/slapd/detach.c b/ldap/servers/slapd/detach.c -index b055a5c..54c6028 100644 ---- a/ldap/servers/slapd/detach.c -+++ b/ldap/servers/slapd/detach.c -@@ -133,7 +133,7 @@ detach( int slapd_exemode, int importexport_encrypt, - } - - (void) SIGNAL( SIGPIPE, SIG_IGN ); -- return 0; -+ return rc; - 
} - - /* -diff --git a/ldap/systools/idsktune.c b/ldap/systools/idsktune.c -index ad6a39e..4c96529 100644 ---- a/ldap/systools/idsktune.c -+++ b/ldap/systools/idsktune.c -@@ -11,8 +11,6 @@ - # include - #endif - --#define _GNU_SOURCE -- - /* !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - * Don't forget to update build_date when the patch sets are updated. - * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! */ --- -2.4.11 - diff --git a/SOURCES/0015-Ticket-49174-nunc-stans-can-not-use-negative-timeout.patch b/SOURCES/0015-Ticket-49174-nunc-stans-can-not-use-negative-timeout.patch new file mode 100644 index 0000000..f780980 --- /dev/null +++ b/SOURCES/0015-Ticket-49174-nunc-stans-can-not-use-negative-timeout.patch 
@@ -0,0 +1,200 @@ +From 4f90e73538f1faf101733fcd95392bb77ba9467c Mon Sep 17 00:00:00 2001 +From: William Brown +Date: Wed, 22 Mar 2017 14:10:11 +1000 +Subject: [PATCH] Ticket 49174 - nunc-stans can not use negative timeout + +Bug Description: FreeIPA regularly sets up service accounts with +an nsIdleTimeout of -1. As a result of an issue with NS and libevent +this would cause an instant timeout and disconnect of the service +account. + +Fix Description: Correctly check that jobs are registered to NS. +Add validation to NS for negative timeouts. During the job registration, +we force the timeout to be a valid value. + +https://pagure.io/389-ds-base/issue/49174 + +Author: wibrown + +Review by: mreynolds(Thanks!!!) + +Signed-off-by: Mark Reynolds +--- + ldap/servers/slapd/daemon.c | 39 ++++++++++++++++++++++++++++------- + src/nunc-stans/ns/ns_event_fw_event.c | 8 ------- + src/nunc-stans/ns/ns_thrpool.c | 16 ++++++++++++++ + src/nunc-stans/test/test_nuncstans.c | 20 ++++++++++++++++++ + 4 files changed, 68 insertions(+), 15 deletions(-) + +diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c +index e17a858..a4ea4c0 100644 +--- a/ldap/servers/slapd/daemon.c ++++ b/ldap/servers/slapd/daemon.c +@@ -1891,15 +1891,32 @@ ns_connection_post_io_or_closing(Connection *conn) + tv.tv_usec = slapd_wakeup_timer * 1000; + conn->c_ns_close_jobs++; /* now 1 active closure job */ + connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */ +- ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER, ++ PRStatus job_result = ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER, + ns_handle_closure, conn, NULL); +- slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "post closure job " +- "for conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd); ++#ifdef DEBUG ++ PR_ASSERT(job_result == PR_SUCCESS); ++#endif ++ if (job_result != PR_SUCCESS) { ++ slapi_log_err(SLAPI_LOG_WARNING, 
"ns_connection_post_io_or_closing", "post closure job " ++ "for conn %" NSPRIu64 " for fd=%d failed to be added to event queue\n", conn->c_connid, conn->c_sd); ++ } else { ++ slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "post closure job " ++ "for conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd); ++ } + + } + } else { + /* process event normally - wait for I/O until idletimeout */ +- tv.tv_sec = conn->c_idletimeout; ++ /* With nunc-stans there is a quirk. When we have idleTimeout of -1 ++ * which is set on some IPA bind dns for infinite, this causes libevent ++ * to *instantly* timeout. So if we detect < 0, we set 0 to this timeout, to ++ * catch all possible times that an admin could set. ++ */ ++ if (conn->c_idletimeout < 0) { ++ tv.tv_sec = 0; ++ } else { ++ tv.tv_sec = conn->c_idletimeout; ++ } + tv.tv_usec = 0; + #ifdef DEBUG + PR_ASSERT(0 == connection_acquire_nolock(conn)); +@@ -1913,11 +1930,19 @@ ns_connection_post_io_or_closing(Connection *conn) + return; + } + #endif +- ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv, ++ PRStatus job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv, + NS_JOB_READ|NS_JOB_PRESERVE_FD, + ns_handle_pr_read_ready, conn, NULL); +- slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "post I/O job for " +- "conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd); ++#ifdef DEBUG ++ PR_ASSERT(job_result == PR_SUCCESS); ++#endif ++ if (job_result != PR_SUCCESS) { ++ slapi_log_err(SLAPI_LOG_WARNING, "ns_connection_post_io_or_closing", "post I/O job for " ++ "conn %" NSPRIu64 " for fd=%d failed to be added to event queue\n", conn->c_connid, conn->c_sd); ++ } else { ++ slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "post I/O job for " ++ "conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd); ++ } + } + #endif + } +diff --git a/src/nunc-stans/ns/ns_event_fw_event.c b/src/nunc-stans/ns/ns_event_fw_event.c +index 3acbaf7..76936de 100644 +--- 
a/src/nunc-stans/ns/ns_event_fw_event.c ++++ b/src/nunc-stans/ns/ns_event_fw_event.c +@@ -48,7 +48,6 @@ typedef struct event ns_event_fw_sig_t; + #include "ns_event_fw.h" + #include + +- + static void + event_logger_cb(int severity, const char *msg) + { +@@ -248,13 +247,6 @@ ns_event_fw_mod_io( + } + if (events) { + job->ns_event_fw_fd->ev_events = events; +- +-#ifdef DEBUG_FSM +- /* REALLY make sure that we aren't being re-added */ +- if (event_pending(job->ns_event_fw_fd, events, tv)) { +- abort(); +- } +-#endif + event_add(job->ns_event_fw_fd, tv); + } else { + /* setting the job_type to remove IO events will remove it from the event system */ +diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c +index a867b39..9d87384 100644 +--- a/src/nunc-stans/ns/ns_thrpool.c ++++ b/src/nunc-stans/ns/ns_thrpool.c +@@ -180,6 +180,14 @@ ns_thrpool_is_event_shutdown(struct ns_thrpool_t *tp) + return result; + } + ++static int32_t ++validate_event_timeout(struct timeval *tv) { ++ if (tv->tv_sec < 0 || tv->tv_usec < 0) { ++ /* If we get here, you have done something WRONG */ ++ return 1; ++ } ++ return 0; ++} + + static void + job_queue_cleanup(void *arg) { +@@ -864,6 +872,10 @@ ns_add_timeout_job(ns_thrpool_t *tp, struct timeval *tv, ns_job_type_t job_type, + return PR_FAILURE; + } + ++ if (validate_event_timeout(tv)) { ++ return PR_FAILURE; ++ } ++ + /* get an event context for a timer job */ + _job = alloc_timeout_context(tp, tv, job_type, func, data); + if (!_job) { +@@ -900,6 +912,10 @@ ns_add_io_timeout_job(ns_thrpool_t *tp, PRFileDesc *fd, struct timeval *tv, + return PR_FAILURE; + } + ++ if (validate_event_timeout(tv)) { ++ return PR_FAILURE; ++ } ++ + /* Don't allow an accept job to be run outside of the event thread. + * We do this so a listener job won't shut down while still processing + * current connections in other threads. 
+diff --git a/src/nunc-stans/test/test_nuncstans.c b/src/nunc-stans/test/test_nuncstans.c +index 8eef9e6..2795302 100644 +--- a/src/nunc-stans/test/test_nuncstans.c ++++ b/src/nunc-stans/test/test_nuncstans.c +@@ -385,6 +385,23 @@ ns_job_signal_cb_test(void **state) + assert_int_equal(ns_job_done(job), 0); + } + ++/* ++ * Test that given a timeout of -1, we fail to create a job. ++ */ ++ ++static void ++ns_job_neg_timeout_test(void **state) ++{ ++ struct ns_thrpool_t *tp = *state; ++ ++ struct timeval tv = { -1, 0 }; ++ ++ PR_ASSERT(PR_FAILURE == ns_add_io_timeout_job(tp, 0, &tv, NS_JOB_THREAD, ns_init_do_nothing_cb, NULL, NULL)); ++ ++ PR_ASSERT(PR_FAILURE == ns_add_timeout_job(tp, &tv, NS_JOB_THREAD, ns_init_do_nothing_cb, NULL, NULL)); ++ ++} ++ + int + main(void) + { +@@ -410,6 +427,9 @@ main(void) + cmocka_unit_test_setup_teardown(ns_job_signal_cb_test, + ns_test_setup, + ns_test_teardown), ++ cmocka_unit_test_setup_teardown(ns_job_neg_timeout_test, ++ ns_test_setup, ++ ns_test_teardown), + }; + return cmocka_run_group_tests(tests, NULL, NULL); + } +-- +2.9.3 + diff --git a/SOURCES/0016-Issue-48989-Integer-overflow.patch b/SOURCES/0016-Issue-48989-Integer-overflow.patch new file mode 100644 index 0000000..484ad26 --- /dev/null +++ b/SOURCES/0016-Issue-48989-Integer-overflow.patch 
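Review bot: In the closure branch of `ns_connection_post_io_or_closing` (daemon.c hunk), a failed `ns_add_timeout_job` is only logged, but `conn->c_ns_close_jobs++` and `connection_acquire_nolock_ext(conn, 1)` have already run by then. With no job queued to undo them, the connection keeps a closure-job count of 1 and an extra reference, so it looks like it would never be closed or freed; the I/O branch has the same shape when `ns_add_io_timeout_job` fails after the connection was acquired. The failure branch should roll that state back before logging, e.g. `conn->c_ns_close_jobs--;` together with releasing the reference taken for the event framework. The function starts and ends outside the hunk, so the locking context for the rollback needs checking against the full source.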
@@ -0,0 +1,1366 @@ +From be621fcd9f2215bba4c9190fd63815dc395814d8 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 28 Mar 2017 11:39:16 -0400 +Subject: [PATCH] Issue 48989 - Integer overflow + +Redo slapi_counters and monitors +--- + Makefile.am | 4 +- + configure.ac | 74 +++-- + ldap/servers/plugins/dna/dna.c | 20 +- + ldap/servers/plugins/posix-winsync/posix-winsync.c | 12 +- + ldap/servers/plugins/replication/repl5_init.c | 2 +- + ldap/servers/plugins/replication/repl_extop.c | 2 +- + ldap/servers/plugins/usn/usn.c | 16 +- + ldap/servers/slapd/back-ldbm/monitor.c | 4 +- + ldap/servers/slapd/back-ldbm/perfctrs.c | 12 +- + ldap/servers/slapd/back-ldbm/perfctrs.h | 74 ++--- + ldap/servers/slapd/back-ldbm/vlv_srch.h | 2 +- + ldap/servers/slapd/conntable.c | 14 +- + ldap/servers/slapd/entry.c | 4 +- + ldap/servers/slapd/log.c | 13 +- + ldap/servers/slapd/monitor.c | 14 +- + ldap/servers/slapd/slapi-plugin.h | 14 +- + ldap/servers/slapd/slapi_counter.c | 333 ++++----------------- + ldap/servers/slapd/slapi_counter_sunos_sparcv9.S | 105 ------- + ldap/servers/slapd/snmp_collator.c | 2 +- + test/libslapd/test.c | 2 + + test/test_slapd.h | 4 + + 21 files changed, 205 insertions(+), 522 deletions(-) + delete mode 100644 ldap/servers/slapd/slapi_counter_sunos_sparcv9.S + +diff --git a/Makefile.am b/Makefile.am +index df4a037..982dd28 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -1222,9 +1222,6 @@ libslapd_la_SOURCES = ldap/servers/slapd/add.c \ + $(libavl_a_SOURCES) + + libslapd_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_INCLUDES) @db_inc@ $(SVRCORE_INCLUDES) @kerberos_inc@ @pcre_inc@ +-if SPARC +-libslapd_la_SOURCES += ldap/servers/slapd/slapi_counter_sunos_sparcv9.S +-endif + libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(SVRCORE_LINK) $(NSS_LINK) $(NSPR_LINK) $(KERBEROS_LINK) $(PCRE_LINK) $(THREADLIB) $(SYSTEMD_LINK) + libslapd_la_LDFLAGS = $(AM_LDFLAGS) $(SLAPD_LDFLAGS) + +@@ -2004,6 +2001,7 @@ TESTS = test_slapd \ + + test_slapd_SOURCES 
= test/main.c \ + test/libslapd/test.c \ ++ test/libslapd/counters/atomic.c \ + test/libslapd/pblock/analytics.c \ + test/libslapd/pblock/v3_compat.c \ + test/libslapd/operation/v3_compat.c +diff --git a/configure.ac b/configure.ac +index 3f2aa75..8172bab 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -555,7 +555,6 @@ case $host in + case $host in + i*86-*-linux*) + AC_DEFINE([CPU_x86], [], [cpu type x86]) +- AC_DEFINE([ATOMIC_64BIT_OPERATIONS], [1], [enabling atomic counter]) + ;; + x86_64-*-linux*) + with_xsixfour="yes" +@@ -565,23 +564,6 @@ case $host in + # wibrown -- 2017-02-21 disabled temporarily + # with_atomic_queue="yes" + # AC_DEFINE([ATOMIC_QUEUE_OPERATIONS], [1], [enabling atomic queue operations]) +- AC_DEFINE([ATOMIC_64BIT_OPERATIONS], [1], [enabling atomic counter]) +- +- AC_MSG_CHECKING([for SSE4.2 features ...]) +- save_CFLAGS="$CFLAGS" +- CFLAGS="$CFLAGS -msse4.2" +- AC_TRY_COMPILE( +- [], +- [return 0;], +- [ +- AC_DEFINE([HAVE_SSE4_2], [1], [Have sss4.2 on this platform arch]) +- AC_MSG_RESULT([SSE4.2 avaliable on this platform]) +- ], +- [ +- AC_MSG_RESULT([SSE4.2 not avaliable on this platform]) +- ] +- ) +- CFLAGS="$save_CFLAGS" + ;; + aarch64-*-linux*) + AC_DEFINE([CPU_arm], [], [cpu type arm]) +@@ -600,17 +582,6 @@ case $host in + s390x-*-linux*) + ;; + esac +- AC_MSG_CHECKING([for GCC provided 64-bit atomic bool cas function ...]) +- AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], +- [[long long ptrval = 0, val = 0, newval = 1; (void)__sync_bool_compare_and_swap_8(&ptrval, val, newval);]])], +- [AC_DEFINE([HAVE_64BIT_ATOMIC_CAS_FUNC], [1], [have 64-bit atomic bool compare and swap function provided by gcc])AC_MSG_RESULT([yes])], +- [AC_MSG_RESULT([no])]) +- AC_MSG_CHECKING([for GCC provided 64-bit atomic ops functions ...]) +- AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], +- [[long long ptrval = 0, val = 0; (void)__sync_add_and_fetch_8(&ptrval, val);]])], +- [AC_DEFINE([HAVE_64BIT_ATOMIC_OP_FUNCS], [1], [have 64-bit atomic operation functions provided 
by gcc])AC_MSG_RESULT([yes])], +- [AC_MSG_RESULT([no])]) +- + # some programs use the native thread library directly + THREADLIB=-lpthread + AC_SUBST([THREADLIB], [$THREADLIB]) +@@ -654,7 +625,6 @@ case $host in + AC_DEFINE([_POSIX_C_SOURCE], [199506L], [POSIX revision]) + AC_DEFINE([_HPUX_SOURCE], [1], [Source namespace]) + AC_DEFINE([_INCLUDE_STDC__SOURCE_199901], [1], [to pick up all of the printf format macros in inttypes.h]) +- AC_DEFINE([ATOMIC_64BIT_OPERATIONS], [1], [enabling atomic counter]) + # assume 64 bit + initconfigdir="/$PACKAGE_NAME/config" + perlexec='/opt/perl_64/bin/perl' +@@ -689,12 +659,11 @@ dnl Cstd and Crun are required to link any C++ related code + initdir='$(sysconfdir)/init.d' + case $host in + i?86-*-solaris2.1[[0-9]]*) +-dnl I dont know why i386 need this explicit ++ dnl I dont know why i386 need this explicit + AC_DEFINE([HAVE_GETPEERUCRED], [1], [have getpeerucred]) + ;; + sparc-*-solaris*) +-dnl includes some assembler stuff in counter.o +- AC_DEFINE([ATOMIC_64BIT_OPERATIONS], [1], [enabling atomic counter]) ++ dnl includes some assembler stuff in counter.o + AC_DEFINE([CPU_sparc], [], [cpu type sparc]) + TARGET='SPARC' + ;; +@@ -705,6 +674,45 @@ dnl includes some assembler stuff in counter.o + ;; + esac + ++AC_MSG_CHECKING([for SSE4.2 features ...]) ++save_CFLAGS="$CFLAGS" ++CFLAGS="$CFLAGS -msse4.2" ++AC_TRY_COMPILE( ++ [], ++ [return 0;], ++ [ ++ AC_DEFINE([HAVE_SSE4_2], [1], [Have sss4.2 on this platform arch]) ++ AC_MSG_RESULT([SSE4.2 avaliable on this platform]) ++ ], ++ [ ++ AC_MSG_RESULT([SSE4.2 not avaliable on this platform]) ++ ] ++) ++CFLAGS="$save_CFLAGS" ++ ++AC_MSG_CHECKING([for GCC provided 64-bit atomic operations]) ++AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ++ #include ++ ]], ++ [[ ++ uint64_t t_counter = 0; ++ uint64_t t_oldval = 0; ++ uint64_t t_newval = 1; ++ ++ __atomic_compare_exchange_8(&t_counter, &t_oldval, t_newval, 0, __ATOMIC_SEQ_CST, __ATOMIC_SEQ_CST); ++ __atomic_add_fetch_8(&t_counter, t_newval, 
__ATOMIC_SEQ_CST); ++ __atomic_sub_fetch_8(&t_counter, t_newval, __ATOMIC_SEQ_CST); ++ __atomic_load(&t_counter, &t_oldval, __ATOMIC_SEQ_CST); ++ return 0; ++ ]])], ++ [ ++ AC_DEFINE([ATOMIC_64BIT_OPERATIONS], [1], [have 64-bit atomic operation functions provided by gcc]) ++ AC_MSG_RESULT([yes]) ++ ], ++ [ ++ AC_MSG_RESULT([no]) ++ ] ++) + + # cmd line overrides default setting above + if test -n "$with_initddir" ; then +diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c +index 54bbe86..34011b9 100644 +--- a/ldap/servers/plugins/dna/dna.c ++++ b/ldap/servers/plugins/dna/dna.c +@@ -2497,7 +2497,7 @@ static int dna_get_next_value(struct configEntry *config_entry, + if ((config_entry->maxval == -1) || + (nextval <= (config_entry->maxval + config_entry->interval))) { + /* try to set the new next value in the config entry */ +- PR_snprintf(next_value, sizeof(next_value),"%" NSPRIu64, nextval); ++ snprintf(next_value, sizeof(next_value),"%" NSPRIu64, nextval); + + /* set up our replace modify operation */ + replace_val[0] = next_value; +@@ -2565,13 +2565,13 @@ dna_get_shared_config_attr_val(struct configEntry *config_entry, char *attr, cha + if(slapi_sdn_compare(server->sdn, server_sdn) == 0){ + if(strcmp(attr, DNA_REMOTE_BIND_METHOD) == 0){ + if (server->remote_bind_method) { +- PR_snprintf(value, DNA_REMOTE_BUFSIZ, "%s", server->remote_bind_method); ++ snprintf(value, DNA_REMOTE_BUFSIZ, "%s", server->remote_bind_method); + found = 1; + } + break; + } else if(strcmp(attr, DNA_REMOTE_CONN_PROT) == 0){ + if (server->remote_conn_prot) { +- PR_snprintf(value, DNA_REMOTE_BUFSIZ, "%s", server->remote_conn_prot); ++ snprintf(value, DNA_REMOTE_BUFSIZ, "%s", server->remote_conn_prot); + found = 1; + } + break; +@@ -2609,7 +2609,7 @@ dna_update_shared_config(struct configEntry *config_entry) + + /* We store the number of remaining assigned values + * in the shared config entry. 
*/ +- PR_snprintf(remaining_vals, sizeof(remaining_vals),"%" NSPRIu64, ++ snprintf(remaining_vals, sizeof(remaining_vals),"%" NSPRIu64, + config_entry->remaining); + + /* set up our replace modify operation */ +@@ -2709,7 +2709,7 @@ dna_update_next_range(struct configEntry *config_entry, + int ret = 0; + + /* Try to set the new next range in the config entry. */ +- PR_snprintf(nextrange_value, sizeof(nextrange_value), "%" NSPRIu64 "-%" NSPRIu64, ++ snprintf(nextrange_value, sizeof(nextrange_value), "%" NSPRIu64 "-%" NSPRIu64, + lower, upper); + + /* set up our replace modify operation */ +@@ -2778,8 +2778,8 @@ dna_activate_next_range(struct configEntry *config_entry) + int ret = 0; + + /* Setup the modify operation for the config entry */ +- PR_snprintf(maxval_val, sizeof(maxval_val),"%" NSPRIu64, config_entry->next_range_upper); +- PR_snprintf(nextval_val, sizeof(nextval_val),"%" NSPRIu64, config_entry->next_range_lower); ++ snprintf(maxval_val, sizeof(maxval_val),"%" NSPRIu64, config_entry->next_range_upper); ++ snprintf(nextval_val, sizeof(nextval_val),"%" NSPRIu64, config_entry->next_range_lower); + + maxval_vals[0] = maxval_val; + maxval_vals[1] = 0; +@@ -4411,8 +4411,8 @@ static int dna_extend_exop(Slapi_PBlock *pb) + char highstr[16]; + + /* Create the exop response */ +- PR_snprintf(lowstr, sizeof(lowstr), "%" NSPRIu64, lower); +- PR_snprintf(highstr, sizeof(highstr), "%" NSPRIu64, upper); ++ snprintf(lowstr, sizeof(lowstr), "%" NSPRIu64, lower); ++ snprintf(highstr, sizeof(highstr), "%" NSPRIu64, upper); + range_low.bv_val = lowstr; + range_low.bv_len = strlen(range_low.bv_val); + range_high.bv_val = highstr; +@@ -4588,7 +4588,7 @@ dna_release_range(char *range_dn, PRUint64 *lower, PRUint64 *upper) + *lower = *upper - release + 1; + + /* try to set the new maxval in the config entry */ +- PR_snprintf(max_value, sizeof(max_value),"%" NSPRIu64, (*lower - 1)); ++ snprintf(max_value, sizeof(max_value),"%" NSPRIu64, (*lower - 1)); + + /* set up our replace 
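Review bot: In `dna_extend_exop`, `highstr` is declared as 16 bytes (and `lowstr` presumably the same; its declaration is above the hunk), yet both are filled with a 64-bit unsigned format, which can need 20 digits plus the terminator. `snprintf` keeps the write in bounds, but it truncates silently, and `bv_len = strlen(...)` then sends a shortened, numerically different range bound in the extended-operation response. Size the buffers for the type, `char lowstr[21]; char highstr[21];`, or compare the `snprintf` return value with `sizeof(lowstr)` and fail the operation on truncation. The function body continues outside the hunk.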
modify operation */ + replace_val[0] = max_value; +diff --git a/ldap/servers/plugins/posix-winsync/posix-winsync.c b/ldap/servers/plugins/posix-winsync/posix-winsync.c +index a7e024d..63444e5 100644 +--- a/ldap/servers/plugins/posix-winsync/posix-winsync.c ++++ b/ldap/servers/plugins/posix-winsync/posix-winsync.c +@@ -234,7 +234,7 @@ sync_acct_disable(void *cbdata, /* the usual domain config data */ + { + int ds_is_enabled = 1; /* default to true */ + int ad_is_enabled = 1; /* default to true */ +- unsigned long adval = 0; /* raw account val from ad entry */ ++ uint64_t adval = 0; /* raw account val from ad entry */ + int isvirt = 0; + + /* get the account lock state of the ds entry */ +@@ -270,9 +270,8 @@ sync_acct_disable(void *cbdata, /* the usual domain config data */ + if (update_entry) { + slapi_entry_attr_set_ulong(update_entry, "userAccountControl", adval); + slapi_log_err(SLAPI_LOG_PLUGIN, posix_winsync_plugin_name, +- "<-- sync_acct_disable - %s AD account [%s] - " +- "new value is [%ld]\n", (ds_is_enabled) ? "enabled" : "disabled", +- slapi_entry_get_dn_const(update_entry), adval); ++ "<-- sync_acct_disable - %s AD account [%s] - new value is [%" NSPRIu64 "]\n", ++ (ds_is_enabled) ? "enabled" : "disabled", slapi_entry_get_dn_const(update_entry), adval); + } else { + /* iterate through the mods - if there is already a mod + for userAccountControl, change it - otherwise, add it */ +@@ -327,9 +326,8 @@ sync_acct_disable(void *cbdata, /* the usual domain config data */ + mod_bval->bv_len = strlen(acctvalstr); + } + slapi_log_err(SLAPI_LOG_PLUGIN, posix_winsync_plugin_name, +- "<-- sync_acct_disable - %s AD account [%s] - " +- "new value is [%ld]\n", (ds_is_enabled) ? "enabled" : "disabled", +- slapi_entry_get_dn_const(ad_entry), adval); ++ "<-- sync_acct_disable - %s AD account [%s] - new value is [%" NSPRIu64 "]\n", ++ (ds_is_enabled) ? 
"enabled" : "disabled", slapi_entry_get_dn_const(ad_entry), adval); + } + } + +diff --git a/ldap/servers/plugins/replication/repl5_init.c b/ldap/servers/plugins/replication/repl5_init.c +index 0945f7b..9549dcf 100644 +--- a/ldap/servers/plugins/replication/repl5_init.c ++++ b/ldap/servers/plugins/replication/repl5_init.c +@@ -208,7 +208,7 @@ get_repl_session_id (Slapi_PBlock *pb, char *idstr, CSN **csn) + /* Avoid "Connection is NULL and hence cannot access SLAPI_CONN_ID" */ + if (opid) { + slapi_pblock_get (pb, SLAPI_CONN_ID, &connid); +- PR_snprintf (idstr, REPL_SESSION_ID_SIZE, "conn=%" NSPRIu64 " op=%d", ++ snprintf (idstr, REPL_SESSION_ID_SIZE, "conn=%" NSPRIu64 " op=%d", + connid, opid); + } + +diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c +index 948f38d..80580f9 100644 +--- a/ldap/servers/plugins/replication/repl_extop.c ++++ b/ldap/servers/plugins/replication/repl_extop.c +@@ -865,7 +865,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + * the session's conn id and op id to identify the the supplier. 
+ */ + /* junkrc = ruv_get_first_id_and_purl(supplier_ruv, &junkrid, &locking_purl); */ +- PR_snprintf(locking_session, sizeof(locking_session), "conn=%" NSPRIu64 " id=%d", ++ snprintf(locking_session, sizeof(locking_session), "conn=%" NSPRIu64 " id=%d", + connid, opid); + locking_purl = &locking_session[0]; + if (replica_get_exclusive_access(replica, &isInc, connid, opid, +diff --git a/ldap/servers/plugins/usn/usn.c b/ldap/servers/plugins/usn/usn.c +index 6fe8d2e..5e67e0a 100644 +--- a/ldap/servers/plugins/usn/usn.c ++++ b/ldap/servers/plugins/usn/usn.c +@@ -360,7 +360,7 @@ _usn_mod_next_usn(LDAPMod ***mods, Slapi_Backend *be) + + /* add next USN to the mods; "be" contains the usn counter */ + usn_berval.bv_val = counter_buf; +- PR_snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRIu64, ++ snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRIu64, + slapi_counter_get_value(be->be_usn_counter)); + usn_berval.bv_len = strlen(usn_berval.bv_val); + bvals[0] = &usn_berval; +@@ -670,7 +670,7 @@ usn_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, + /* nsslapd-entryusn-global: on*/ + /* root dse shows ... 
+ * lastusn: */ +- PR_snprintf(attr, USN_LAST_USN_ATTR_CORE_LEN + 1, "%s", USN_LAST_USN); ++ snprintf(attr, USN_LAST_USN_ATTR_CORE_LEN + 1, "%s", USN_LAST_USN); + for (be = slapi_get_first_backend(&cookie); be; + be = slapi_get_next_backend(cookie)) { + if (be->be_usn_counter) { +@@ -681,10 +681,10 @@ usn_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, + /* get a next USN counter from be_usn_counter; + * then minus 1 from it (except if be_usn_counter has value 0) */ + if (slapi_counter_get_value(be->be_usn_counter)) { +- PR_snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRIu64, ++ snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRIu64, + slapi_counter_get_value(be->be_usn_counter)-1); + } else { +- PR_snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "-1"); ++ snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "-1"); + } + usn_berval.bv_len = strlen(usn_berval.bv_val); + slapi_entry_attr_replace(e, attr, vals); +@@ -693,7 +693,7 @@ usn_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, + /* nsslapd-entryusn-global: off (default) */ + /* root dse shows ... 
+ * lastusn;: */ +- PR_snprintf(attr, USN_LAST_USN_ATTR_CORE_LEN + 2, "%s;", USN_LAST_USN); ++ snprintf(attr, USN_LAST_USN_ATTR_CORE_LEN + 2, "%s;", USN_LAST_USN); + attr_subp = attr + USN_LAST_USN_ATTR_CORE_LEN + 1; + for (be = slapi_get_first_backend(&cookie); be; + be = slapi_get_next_backend(cookie)) { +@@ -704,10 +704,10 @@ usn_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, + /* get a next USN counter from be_usn_counter; + * then minus 1 from it (except if be_usn_counter has value 0) */ + if (slapi_counter_get_value(be->be_usn_counter)) { +- PR_snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRIu64, ++ snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRIu64, + slapi_counter_get_value(be->be_usn_counter)-1); + } else { +- PR_snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "-1"); ++ snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "-1"); + } + usn_berval.bv_len = strlen(usn_berval.bv_val); + +@@ -716,7 +716,7 @@ usn_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, + attr = (char *)slapi_ch_realloc(attr, attr_len); + attr_subp = attr + USN_LAST_USN_ATTR_CORE_LEN; + } +- PR_snprintf(attr_subp, attr_len - USN_LAST_USN_ATTR_CORE_LEN, ++ snprintf(attr_subp, attr_len - USN_LAST_USN_ATTR_CORE_LEN, + "%s", be->be_name); + slapi_entry_attr_replace(e, attr, vals); + } +diff --git a/ldap/servers/slapd/back-ldbm/monitor.c b/ldap/servers/slapd/back-ldbm/monitor.c +index dfcc735..757792b 100644 +--- a/ldap/servers/slapd/back-ldbm/monitor.c ++++ b/ldap/servers/slapd/back-ldbm/monitor.c +@@ -26,7 +26,7 @@ + + #define MSETF(_attr, _x) do { \ + char tmp_atype[37]; \ +- PR_snprintf(tmp_atype, sizeof(tmp_atype), _attr, _x); \ ++ snprintf(tmp_atype, sizeof(tmp_atype), _attr, _x); \ + MSET(tmp_atype); \ + } while (0) + +@@ -86,7 +86,7 @@ int ldbm_back_monitor_instance_search(Slapi_PBlock *pb, Slapi_Entry *e, + MSET("entryCacheHits"); + sprintf(buf, "%lu", (long unsigned int)tries); + MSET("entryCacheTries"); +- 
sprintf(buf, "%lu", (unsigned long)(100.0*(double)hits / (double)(tries > 0 ? tries : 1))); ++ sprintf(buf, "%lu", (long unsigned int)(100.0*(double)hits / (double)(tries > 0 ? tries : 1))); + MSET("entryCacheHitRatio"); + sprintf(buf, "%lu", (long unsigned int)size); + MSET("currentEntryCacheSize"); +diff --git a/ldap/servers/slapd/back-ldbm/perfctrs.c b/ldap/servers/slapd/back-ldbm/perfctrs.c +index 2bd18bd..5929dea 100644 +--- a/ldap/servers/slapd/back-ldbm/perfctrs.c ++++ b/ldap/servers/slapd/back-ldbm/perfctrs.c +@@ -49,7 +49,7 @@ + + static void perfctrs_update(perfctrs_private *priv, DB_ENV *db_env); + static void perfctr_add_to_entry( Slapi_Entry *e, char *type, +- PRUint32 countervalue ); ++ uint64_t countervalue ); + + /* Init perf ctrs */ + void perfctrs_init(struct ldbminfo *li, perfctrs_private **ret_priv) +@@ -304,17 +304,13 @@ perfctrs_as_entry( Slapi_Entry *e, perfctrs_private *priv, DB_ENV *db_env ) + */ + for ( i = 0; i < SLAPI_LDBM_PERFCTR_AT_MAP_COUNT; ++i ) { + perfctr_add_to_entry( e, perfctr_at_map[i].pam_type, +- *((PRUint32 *)((char *)perf + perfctr_at_map[i].pam_offset))); ++ *((uint64_t *)((char *)perf + perfctr_at_map[i].pam_offset))); + } + } + + + static void +-perfctr_add_to_entry( Slapi_Entry *e, char *type, PRUint32 countervalue ) ++perfctr_add_to_entry( Slapi_Entry *e, char *type, uint64_t countervalue ) + { +- /* +- * XXXmcs: the following line assumes that long's are 32 bits or larger, +- * which we assume in other places too I am sure. 
+- */ +- slapi_entry_attr_set_ulong( e, type, (unsigned long)countervalue ); ++ slapi_entry_attr_set_ulong( e, type, countervalue ); + } +diff --git a/ldap/servers/slapd/back-ldbm/perfctrs.h b/ldap/servers/slapd/back-ldbm/perfctrs.h +index 65a7850..57be1d1 100644 +--- a/ldap/servers/slapd/back-ldbm/perfctrs.h ++++ b/ldap/servers/slapd/back-ldbm/perfctrs.h +@@ -11,46 +11,48 @@ + # include + #endif + ++#include ++ + /* Structure definition for performance data */ + /* This stuff goes in shared memory, so make sure the packing is consistent */ + + struct _performance_counters { +- PRUint32 sequence_number; +- PRUint32 lock_region_wait_rate; +- PRUint32 deadlock_rate; +- PRUint32 configured_locks; +- PRUint32 current_locks; +- PRUint32 max_locks; +- PRUint32 lockers; +- PRUint32 current_lock_objects; +- PRUint32 max_lock_objects; +- PRUint32 lock_conflicts; +- PRUint32 lock_request_rate; +- PRUint32 log_region_wait_rate; +- PRUint32 log_write_rate; +- PRUint32 log_bytes_since_checkpoint; +- PRUint32 cache_size_bytes; +- PRUint32 page_access_rate; +- PRUint32 cache_hit; +- PRUint32 cache_try; +- PRUint32 page_create_rate; +- PRUint32 page_read_rate; +- PRUint32 page_write_rate; +- PRUint32 page_ro_evict_rate; +- PRUint32 page_rw_evict_rate; +- PRUint32 hash_buckets; +- PRUint32 hash_search_rate; +- PRUint32 longest_chain_length; +- PRUint32 hash_elements_examine_rate; +- PRUint32 pages_in_use; +- PRUint32 dirty_pages; +- PRUint32 clean_pages; +- PRUint32 page_trickle_rate; +- PRUint32 cache_region_wait_rate; +- PRUint32 active_txns; +- PRUint32 commit_rate; +- PRUint32 abort_rate; +- PRUint32 txn_region_wait_rate; ++ uint64_t sequence_number; ++ uint64_t lock_region_wait_rate; ++ uint64_t deadlock_rate; ++ uint64_t configured_locks; ++ uint64_t current_locks; ++ uint64_t max_locks; ++ uint64_t lockers; ++ uint64_t current_lock_objects; ++ uint64_t max_lock_objects; ++ uint64_t lock_conflicts; ++ uint64_t lock_request_rate; ++ uint64_t log_region_wait_rate; ++ uint64_t 
log_write_rate; ++ uint64_t log_bytes_since_checkpoint; ++ uint64_t cache_size_bytes; ++ uint64_t page_access_rate; ++ uint64_t cache_hit; ++ uint64_t cache_try; ++ uint64_t page_create_rate; ++ uint64_t page_read_rate; ++ uint64_t page_write_rate; ++ uint64_t page_ro_evict_rate; ++ uint64_t page_rw_evict_rate; ++ uint64_t hash_buckets; ++ uint64_t hash_search_rate; ++ uint64_t longest_chain_length; ++ uint64_t hash_elements_examine_rate; ++ uint64_t pages_in_use; ++ uint64_t dirty_pages; ++ uint64_t clean_pages; ++ uint64_t page_trickle_rate; ++ uint64_t cache_region_wait_rate; ++ uint64_t active_txns; ++ uint64_t commit_rate; ++ uint64_t abort_rate; ++ uint64_t txn_region_wait_rate; + }; + typedef struct _performance_counters performance_counters; + +diff --git a/ldap/servers/slapd/back-ldbm/vlv_srch.h b/ldap/servers/slapd/back-ldbm/vlv_srch.h +index d1eba08..6322f80 100644 +--- a/ldap/servers/slapd/back-ldbm/vlv_srch.h ++++ b/ldap/servers/slapd/back-ldbm/vlv_srch.h +@@ -92,7 +92,7 @@ struct vlvIndex + time_t vlv_lastchecked; + + /* The number of uses this search has received since start up */ +- PRUint32 vlv_uses; ++ uint64_t vlv_uses; + + struct backend* vlv_be; /* need backend to remove the index when done */ + +diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c +index 004aeae..bcafa4e 100644 +--- a/ldap/servers/slapd/conntable.c ++++ b/ldap/servers/slapd/conntable.c +@@ -395,7 +395,7 @@ connection_table_as_entry(Connection_Table *ct, Slapi_Entry *e) + * 3 = The number of operations attempted that were blocked + * by max threads. 
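Review bot: Every field of `struct _performance_counters` doubles in width in perfctrs.h, and the comment directly above the struct says the data is placed in shared memory. A reader built against the 32-bit layout, or a region created by an older binary, would now find each counter at the wrong offset; how the region is created and sized is not visible in this hunk. I would record the change in that comment, e.g. `/* All counters are uint64_t as of this change; external readers of the region must be rebuilt. */`, and confirm that the mapping size is derived from `sizeof(performance_counters)` rather than a constant.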
+ */ +- PR_snprintf(maxthreadbuf, sizeof(maxthreadbuf), "%d:%"NSPRIu64":%"NSPRIu64"", ++ snprintf(maxthreadbuf, sizeof(maxthreadbuf), "%d:%"NSPRIu64":%"NSPRIu64"", + maxthreadstate, ct->c[i].c_maxthreadscount, + ct->c[i].c_maxthreadsblocked); + +@@ -426,32 +426,32 @@ connection_table_as_entry(Connection_Table *ct, Slapi_Entry *e) + PR_ExitMonitor(ct->c[i].c_mutex); + } + +- PR_snprintf( buf, sizeof(buf), "%d", nconns ); ++ snprintf( buf, sizeof(buf), "%d", nconns ); + val.bv_val = buf; + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "currentconnections", vals ); + +- PR_snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(num_conns)); ++ snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(num_conns)); + val.bv_val = buf; + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "totalconnections", vals ); + +- PR_snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(conns_in_maxthreads)); ++ snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(conns_in_maxthreads)); + val.bv_val = buf; + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "currentconnectionsatmaxthreads", vals ); + +- PR_snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(max_threads_count)); ++ snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(max_threads_count)); + val.bv_val = buf; + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "maxthreadsperconnhits", vals ); + +- PR_snprintf( buf, sizeof(buf), "%d", (ct!=NULL?ct->size:0) ); ++ snprintf( buf, sizeof(buf), "%d", (ct!=NULL?ct->size:0) ); + val.bv_val = buf; + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "dtablesize", vals ); + +- PR_snprintf( buf, sizeof(buf), "%d", nreadwaiters ); ++ snprintf( buf, sizeof(buf), "%d", nreadwaiters ); + val.bv_val = buf; + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "readwaiters", vals ); +diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c 
+index 7bbd2f4..abacc57 100644 +--- a/ldap/servers/slapd/entry.c ++++ b/ldap/servers/slapd/entry.c +@@ -3088,14 +3088,14 @@ slapi_entry_attr_set_longlong( Slapi_Entry* e, const char *type, long long l) + } + + void +-slapi_entry_attr_set_ulong( Slapi_Entry* e, const char *type, unsigned long l) ++slapi_entry_attr_set_ulong( Slapi_Entry* e, const char *type, uint64_t l) + { + char value[16]; + struct berval bv; + struct berval *bvals[2]; + bvals[0] = &bv; + bvals[1] = NULL; +- sprintf(value,"%lu",l); ++ sprintf(value,"%" NSPRIu64, l); + bv.bv_val = value; + bv.bv_len = strlen( value ); + slapi_entry_attr_replace( e, type, bvals ); +diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c +index 2f43a98..afedd5b 100644 +--- a/ldap/servers/slapd/log.c ++++ b/ldap/servers/slapd/log.c +@@ -2327,11 +2327,11 @@ vslapd_log_error( + char buffer[SLAPI_LOG_BUFSIZ]; + char sev_name[10]; + int blen = TBUFSIZE; +- char *vbuf; ++ char *vbuf = NULL; + int header_len = 0; + int err = 0; + +- if ((vbuf = PR_vsmprintf(fmt, ap)) == NULL) { ++ if (vasprintf(&vbuf, fmt, ap) == -1) { + log__error_emergency("CRITICAL: vslapd_log_error, Unable to format message", 1 , locked); + return -1; + } +@@ -2381,10 +2381,10 @@ vslapd_log_error( + /* blen = strlen(buffer); */ + /* This truncates again .... But we have the nice smprintf above! 
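Review bot: `slapi_entry_attr_set_ulong` in entry.c now takes a `uint64_t` but still formats it with an unbounded `sprintf` into `char value[16]`; a 64-bit value can print as 20 digits, so any input at or above 10^15 writes past the end of the stack buffer. The same patch widens the counters that reach this function (`perfctr_add_to_entry` in perfctrs.c now passes a full `uint64_t`), which makes large inputs more likely than before. Change the declaration to `char value[21];` and the call to `snprintf(value, sizeof(value), "%" NSPRIu64, l);`. The doc comment in slapi-plugin.h still describes `l` as an unsigned long and should say 64-bit unsigned.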
*/ + if (subsystem == NULL) { +- PR_snprintf (buffer+blen, sizeof(buffer)-blen, "- %s - %s", ++ snprintf (buffer+blen, sizeof(buffer)-blen, "- %s - %s", + get_log_sev_name(sev_level, sev_name), vbuf); + } else { +- PR_snprintf (buffer+blen, sizeof(buffer)-blen, "- %s - %s - %s", ++ snprintf (buffer+blen, sizeof(buffer)-blen, "- %s - %s - %s", + get_log_sev_name(sev_level, sev_name), subsystem, vbuf); + } + +@@ -2418,7 +2418,7 @@ vslapd_log_error( + g_set_shutdown( SLAPI_SHUTDOWN_EXIT ); + } + +- PR_smprintf_free (vbuf); ++ slapi_ch_free_string(&vbuf); + return( 0 ); + } + +@@ -2520,8 +2520,7 @@ static int vslapd_log_access(char *fmt, va_list ap) + time_t tnl; + + /* We do this sooner, because that we we can use the message in other calls */ +- vlen = PR_vsnprintf(vbuf, SLAPI_LOG_BUFSIZ, fmt, ap); +- if (! vlen) { ++ if ((vlen = vsnprintf(vbuf, SLAPI_LOG_BUFSIZ, fmt, ap)) == -1){ + log__error_emergency("CRITICAL: vslapd_log_access, Unable to format message", 1 ,0); + return -1; + } +diff --git a/ldap/servers/slapd/monitor.c b/ldap/servers/slapd/monitor.c +index 0917bc8..f1fb38f 100644 +--- a/ldap/servers/slapd/monitor.c ++++ b/ldap/servers/slapd/monitor.c +@@ -54,25 +54,25 @@ monitor_info(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, int *ret + attrlist_replace( &e->e_attrs, "version", vals ); + slapi_ch_free( (void **) &val.bv_val ); + +- val.bv_len = PR_snprintf( buf, sizeof(buf), "%d", g_get_active_threadcnt() ); ++ val.bv_len = snprintf( buf, sizeof(buf), "%d", g_get_active_threadcnt() ); + val.bv_val = buf; + attrlist_replace( &e->e_attrs, "threads", vals ); + + connection_table_as_entry(the_connection_table, e); + +- val.bv_len = PR_snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(ops_initiated) ); ++ val.bv_len = snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(ops_initiated) ); + val.bv_val = buf; + attrlist_replace( &e->e_attrs, "opsinitiated", vals ); + +- val.bv_len = PR_snprintf( buf, sizeof(buf), "%" 
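Review bot: In `vslapd_log_access`, the new test `vsnprintf(...) == -1` does not cover truncation: `PR_vsnprintf` reported the bytes actually stored, while C99 `vsnprintf` returns the length the whole message would have had, so `vlen` can now exceed `SLAPI_LOG_BUFSIZ`. If `vlen` is later used as the length of `vbuf` (the rest of the function is outside the hunk), a long access-log message would cause a read past the buffer. Clamp it straight after the call: `if (vlen < 0) { ... return -1; }` followed by `if (vlen >= SLAPI_LOG_BUFSIZ) vlen = SLAPI_LOG_BUFSIZ - 1;`. The monitor.c hunks carry the same pattern in `val.bv_len = snprintf(buf, sizeof(buf), ...)`, where `bv_len` should never be larger than what `buf` holds.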
NSPRIu64, slapi_counter_get_value(ops_completed) ); ++ val.bv_len = snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(ops_completed) ); + val.bv_val = buf; + attrlist_replace( &e->e_attrs, "opscompleted", vals ); + +- val.bv_len = PR_snprintf ( buf, sizeof(buf), "%" NSPRIu64, g_get_num_entries_sent() ); ++ val.bv_len = snprintf ( buf, sizeof(buf), "%" NSPRIu64, g_get_num_entries_sent() ); + val.bv_val = buf; + attrlist_replace( &e->e_attrs, "entriessent", vals ); + +- val.bv_len = PR_snprintf ( buf, sizeof(buf), "%" NSPRIu64, g_get_num_bytes_sent() ); ++ val.bv_len = snprintf ( buf, sizeof(buf), "%" NSPRIu64, g_get_num_bytes_sent() ); + val.bv_val = buf; + attrlist_replace( &e->e_attrs, "bytessent", vals ); + +@@ -88,12 +88,12 @@ monitor_info(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, int *ret + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "starttime", vals ); + +- val.bv_len = PR_snprintf( buf, sizeof(buf), "%d", be_nbackends_public() ); ++ val.bv_len = snprintf( buf, sizeof(buf), "%d", be_nbackends_public() ); + val.bv_val = buf; + attrlist_replace( &e->e_attrs, "nbackends", vals ); + + #ifdef THREAD_SUNOS5_LWP +- val.bv_len = PR_snprintf( buf, sizeof(buf), "%d", thr_getconcurrency() ); ++ val.bv_len = snprintf( buf, sizeof(buf), "%d", thr_getconcurrency() ); + val.bv_val = buf; + attrlist_replace( &e->e_attrs, "concurrency", vals ); + #endif +diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h +index 1bd8fc8..725fa1c 100644 +--- a/ldap/servers/slapd/slapi-plugin.h ++++ b/ldap/servers/slapd/slapi-plugin.h +@@ -1954,7 +1954,7 @@ void slapi_entry_attr_set_longlong( Slapi_Entry* e, const char *type, long long + * \param type Attribute type in which you want to set the value. + * \param l Unsigned long value that you want to assign to the attribute. 
+ */ +-void slapi_entry_attr_set_ulong(Slapi_Entry* e, const char *type, unsigned long l); ++void slapi_entry_attr_set_ulong(Slapi_Entry* e, const char *type, uint64_t l); + + /** + * Check if an attribute is set in the entry +@@ -6746,12 +6746,12 @@ void slapi_destroy_task(void *arg); + Slapi_Counter *slapi_counter_new(void); + void slapi_counter_init(Slapi_Counter *counter); + void slapi_counter_destroy(Slapi_Counter **counter); +-PRUint64 slapi_counter_increment(Slapi_Counter *counter); +-PRUint64 slapi_counter_decrement(Slapi_Counter *counter); +-PRUint64 slapi_counter_add(Slapi_Counter *counter, PRUint64 addvalue); +-PRUint64 slapi_counter_subtract(Slapi_Counter *counter, PRUint64 subvalue); +-PRUint64 slapi_counter_set_value(Slapi_Counter *counter, PRUint64 newvalue); +-PRUint64 slapi_counter_get_value(Slapi_Counter *counter); ++uint64_t slapi_counter_increment(Slapi_Counter *counter); ++uint64_t slapi_counter_decrement(Slapi_Counter *counter); ++uint64_t slapi_counter_add(Slapi_Counter *counter, uint64_t addvalue); ++uint64_t slapi_counter_subtract(Slapi_Counter *counter, uint64_t subvalue); ++uint64_t slapi_counter_set_value(Slapi_Counter *counter, uint64_t newvalue); ++uint64_t slapi_counter_get_value(Slapi_Counter *counter); + + /* Binder-based (connection centric) resource limits */ + /* +diff --git a/ldap/servers/slapd/slapi_counter.c b/ldap/servers/slapd/slapi_counter.c +index c3ac846..9904fe9 100644 +--- a/ldap/servers/slapd/slapi_counter.c ++++ b/ldap/servers/slapd/slapi_counter.c +@@ -12,37 +12,21 @@ + + #include "slap.h" + +-#ifdef SOLARIS +-PRUint64 _sparcv9_AtomicSet(PRUint64 *address, PRUint64 newval); +-PRUint64 _sparcv9_AtomicAdd(PRUint64 *address, PRUint64 val); +-PRUint64 _sparcv9_AtomicSub(PRUint64 *address, PRUint64 val); ++#ifndef ATOMIC_64BIT_OPERATIONS ++#include + #endif + + #ifdef HPUX +-#ifdef ATOMIC_64BIT_OPERATIONS + #include + #endif +-#endif +- +-#ifdef ATOMIC_64BIT_OPERATIONS +-#if defined(LINUX) && !HAVE_64BIT_ATOMIC_OP_FUNCS 
+-/* On systems that don't have the 64-bit GCC atomic builtins, we need to +- * implement our own atomic functions using inline assembly code. */ +-PRUint64 __sync_add_and_fetch_8(PRUint64 *ptr, PRUint64 addval); +-PRUint64 __sync_sub_and_fetch_8(PRUint64 *ptr, PRUint64 subval); +-#define __sync_add_and_fetch __sync_add_and_fetch_8 +-#define __sync_sub_and_fetch __sync_sub_and_fetch_8 +-#endif +-#endif /* ATOMIC_64BIT_OPERATIONS */ +- + + /* + * Counter Structure + */ + typedef struct slapi_counter { +- PRUint64 value; ++ uint64_t value; + #ifndef ATOMIC_64BIT_OPERATIONS +- Slapi_Mutex *lock; ++ pthread_mutex_t _lock; + #endif + } slapi_counter; + +@@ -72,15 +56,11 @@ Slapi_Counter *slapi_counter_new() + void slapi_counter_init(Slapi_Counter *counter) + { + if (counter != NULL) { +-#ifndef ATOMIC_64BIT_OPERATIONS +- /* Create the lock if necessary. */ +- if (counter->lock == NULL) { +- counter->lock = slapi_new_mutex(); +- } +-#endif +- + /* Set the value to 0. */ + slapi_counter_set_value(counter, 0); ++#ifndef ATOMIC_64BIT_OPERATIONS ++ pthread_mutex_init(&(counter->_lock), NULL); ++#endif + } + } + +@@ -94,7 +74,7 @@ void slapi_counter_destroy(Slapi_Counter **counter) + { + if ((counter != NULL) && (*counter != NULL)) { + #ifndef ATOMIC_64BIT_OPERATIONS +- slapi_destroy_mutex((*counter)->lock); ++ pthread_mutex_destroy(&((*counter)->_lock)); + #endif + slapi_ch_free((void **)counter); + } +@@ -105,7 +85,7 @@ void slapi_counter_destroy(Slapi_Counter **counter) + * + * Atomically increments a Slapi_Counter. + */ +-PRUint64 slapi_counter_increment(Slapi_Counter *counter) ++uint64_t slapi_counter_increment(Slapi_Counter *counter) + { + return slapi_counter_add(counter, 1); + } +@@ -117,7 +97,7 @@ PRUint64 slapi_counter_increment(Slapi_Counter *counter) + * that this will not prevent you from wrapping + * around 0. 
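Review bot: In `slapi_counter_init`, the non-atomic build now calls `slapi_counter_set_value(counter, 0)` before `pthread_mutex_init(&(counter->_lock), NULL)`. If `slapi_counter_set_value` takes `_lock` in that configuration, as `slapi_counter_add` and `slapi_counter_subtract` do later in this patch (its body is not in this hunk), the first call locks an uninitialised mutex. Move the `#ifndef ATOMIC_64BIT_OPERATIONS` block containing `pthread_mutex_init` above the `slapi_counter_set_value` call, which is the order the removed `slapi_new_mutex()` code used. The return value of `pthread_mutex_init` is also ignored; a failure there should not leave a counter that callers go on to lock.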
+ */
+-PRUint64 slapi_counter_decrement(Slapi_Counter *counter)
++uint64_t slapi_counter_decrement(Slapi_Counter *counter)
+ {
+ return slapi_counter_subtract(counter, 1);
+ }
+@@ -127,28 +107,18 @@ PRUint64 slapi_counter_decrement(Slapi_Counter *counter)
+ *
+ * Atomically add a value to a Slapi_Counter.
+ */
+-PRUint64 slapi_counter_add(Slapi_Counter *counter, PRUint64 addvalue)
++uint64_t slapi_counter_add(Slapi_Counter *counter, uint64_t addvalue)
+ {
+- PRUint64 newvalue = 0;
+-#ifdef HPUX
+- PRUint64 prev = 0;
+-#endif
++ uint64_t newvalue = 0;
+
+ if (counter == NULL) {
+ return newvalue;
+ }
+-
+-#ifndef ATOMIC_64BIT_OPERATIONS
+- slapi_lock_mutex(counter->lock);
+- counter->value += addvalue;
+- newvalue = counter->value;
+- slapi_unlock_mutex(counter->lock);
++#ifdef ATOMIC_64BIT_OPERATIONS
++ newvalue = __atomic_add_fetch_8(&(counter->value), addvalue, __ATOMIC_SEQ_CST);
+ #else
+-#ifdef LINUX
+- newvalue = __sync_add_and_fetch(&(counter->value), addvalue);
+-#elif defined(SOLARIS)
+- newvalue = _sparcv9_AtomicAdd(&(counter->value), addvalue);
+-#elif defined(HPUX)
++#ifdef HPUX
++ uint64_t prev = 0;
+ /* fetchadd only works with values of 1, 4, 8, and 16. In addition, it requires
+ * it's argument to be an integer constant. */
+ if (addvalue == 1) {
+@@ -172,8 +142,13 @@ PRUint64 slapi_counter_add(Slapi_Counter *counter, PRUint64 addvalue)
+ _Asm_mov_to_ar(_AREG_CCV, prev);
+ } while (prev != _Asm_cmpxchg(_FASZ_D, _SEM_ACQ, &(counter->value), newvalue, _LDHINT_NONE));
+ }
++#else
++ pthread_mutex_lock(&(counter->_lock));
++ counter->value += addvalue;
++ newvalue = counter->value;
++ pthread_mutex_unlock(&(counter->_lock));
++#endif
+ #endif
+-#endif /* ATOMIC_64BIT_OPERATIONS */
+
+ return newvalue;
+ }
+@@ -184,28 +159,19 @@ PRUint64 slapi_counter_add(Slapi_Counter *counter, PRUint64 addvalue)
+ * Atomically subtract a value from a Slapi_Counter. Note
+ * that this will not prevent you from wrapping around 0.
+ */
+-PRUint64 slapi_counter_subtract(Slapi_Counter *counter, PRUint64 subvalue)
++uint64_t slapi_counter_subtract(Slapi_Counter *counter, uint64_t subvalue)
+ {
+- PRUint64 newvalue = 0;
+-#ifdef HPUX
+- PRUint64 prev = 0;
+-#endif
++ uint64_t newvalue = 0;
+
+ if (counter == NULL) {
+ return newvalue;
+ }
+
+-#ifndef ATOMIC_64BIT_OPERATIONS
+- slapi_lock_mutex(counter->lock);
+- counter->value -= subvalue;
+- newvalue = counter->value;
+- slapi_unlock_mutex(counter->lock);
++#ifdef ATOMIC_64BIT_OPERATIONS
++ newvalue = __atomic_sub_fetch_8(&(counter->value), subvalue, __ATOMIC_SEQ_CST);
+ #else
+-#ifdef LINUX
+- newvalue = __sync_sub_and_fetch(&(counter->value), subvalue);
+-#elif defined(SOLARIS)
+- newvalue = _sparcv9_AtomicSub(&(counter->value), subvalue);
+-#elif defined(HPUX)
++#ifdef HPUX
++ uint64_t prev = 0;
+ /* fetchadd only works with values of -1, -4, -8, and -16. In addition, it requires
+ * it's argument to be an integer constant. */
+ if (subvalue == 1) {
+@@ -229,8 +195,13 @@ PRUint64 slapi_counter_subtract(Slapi_Counter *counter, PRUint64 subvalue)
+ _Asm_mov_to_ar(_AREG_CCV, prev);
+ } while (prev != _Asm_cmpxchg(_FASZ_D, _SEM_ACQ, &(counter->value), newvalue, _LDHINT_NONE));
+ }
++#else
++ pthread_mutex_lock(&(counter->_lock));
++ counter->value -= subvalue;
++ newvalue = counter->value;
++ pthread_mutex_unlock(&(counter->_lock));
++#endif
+ #endif
+-#endif /* ATOMIC_64BIT_OPERATIONS */
+
+ return newvalue;
+ }
+@@ -240,76 +211,30 @@ PRUint64 slapi_counter_subtract(Slapi_Counter *counter, PRUint64 subvalue)
+ *
+ * Atomically sets the value of a Slapi_Counter.
+ */
+-PRUint64 slapi_counter_set_value(Slapi_Counter *counter, PRUint64 newvalue)
++uint64_t slapi_counter_set_value(Slapi_Counter *counter, uint64_t newvalue)
+ {
+- PRUint64 value = 0;
++ uint64_t value = 0;
+
+ if (counter == NULL) {
+ return value;
+ }
+
+-#ifndef ATOMIC_64BIT_OPERATIONS
+- slapi_lock_mutex(counter->lock);
+- counter->value = newvalue;
+- slapi_unlock_mutex(counter->lock);
+- return newvalue;
+-#else
+-#ifdef LINUX
+-/* Use our own inline assembly for an atomic set if
+- * the builtins aren't available. */
+-#if !HAVE_64BIT_ATOMIC_CAS_FUNC
+- /*
+- * %0 = counter->value
+- * %1 = newvalue
+- */
+- __asm__ __volatile__(
+-#ifdef CPU_x86
+- /* Save the PIC register */
+- " pushl %%ebx;"
+-#endif /* CPU_x86 */
+- /* Put value of counter->value in EDX:EAX */
+- "retryset: movl %0, %%eax;"
+- " movl 4%0, %%edx;"
+- /* Put newval in ECX:EBX */
+- " movl %1, %%ebx;"
+- " movl 4+%1, %%ecx;"
+- /* If EDX:EAX and counter-> are the same,
+- * replace *ptr with ECX:EBX */
+- " lock; cmpxchg8b %0;"
+- " jnz retryset;"
+-#ifdef CPU_x86
+- /* Restore the PIC register */
+- " popl %%ebx"
+-#endif /* CPU_x86 */
+- : "+o" (counter->value)
+- : "m" (newvalue)
+-#ifdef CPU_x86
+- : "memory", "eax", "ecx", "edx", "cc");
+-#else
+- : "memory", "eax", "ebx", "ecx", "edx", "cc");
+-#endif
+-
+- return newvalue;
+-#else
+- while (1) {
+- value = counter->value;
+- if (__sync_bool_compare_and_swap(&(counter->value), value, newvalue)) {
+- return newvalue;
+- }
+- }
+-#endif /* CPU_x86 || !HAVE_DECL___SYNC_ADD_AND_FETCH */
+-#elif defined(SOLARIS)
+- _sparcv9_AtomicSet(&(counter->value), newvalue);
+- return newvalue;
+-#elif defined(HPUX)
++#ifdef ATOMIC_64BIT_OPERATIONS
++ __atomic_store_8(&(counter->value), newvalue, __ATOMIC_SEQ_CST);
++#else /* HPUX */
++#ifdef HPUX
+ do {
+ value = counter->value;
+ /* Put value in a register for cmpxchg to compare against */
+ _Asm_mov_to_ar(_AREG_CCV, value);
+ } while (value != _Asm_cmpxchg(_FASZ_D, _SEM_ACQ, &(counter->value), 
newvalue, _LDHINT_NONE));
+- return newvalue;
++#else
++ pthread_mutex_lock(&(counter->_lock));
++ counter->value = newvalue;
++ pthread_mutex_unlock(&(counter->_lock));
++#endif
+ #endif
+-#endif /* ATOMIC_64BIT_OPERATIONS */
++ return newvalue;
+ }
+
+ /*
+@@ -317,174 +242,30 @@ PRUint64 slapi_counter_set_value(Slapi_Counter *counter, PRUint64 newvalue)
+ *
+ * Returns the value of a Slapi_Counter.
+ */
+-PRUint64 slapi_counter_get_value(Slapi_Counter *counter)
++uint64_t slapi_counter_get_value(Slapi_Counter *counter)
+ {
+- PRUint64 value = 0;
++ uint64_t value = 0;
+
+ if (counter == NULL) {
+ return value;
+ }
+
+-#ifndef ATOMIC_64BIT_OPERATIONS
+- slapi_lock_mutex(counter->lock);
+- value = counter->value;
+- slapi_unlock_mutex(counter->lock);
+-#else
+-#ifdef LINUX
+-/* Use our own inline assembly for an atomic get if
+- * the builtins aren't available. */
+-#if !HAVE_64BIT_ATOMIC_CAS_FUNC
+- /*
+- * %0 = counter->value
+- * %1 = value
+- */
+- __asm__ __volatile__(
+-#ifdef CPU_x86
+- /* Save the PIC register */
+- " pushl %%ebx;"
+-#endif /* CPU_x86 */
+- /* Put value of counter->value in EDX:EAX */
+- "retryget: movl %0, %%eax;"
+- " movl 4%0, %%edx;"
+- /* Copy EDX:EAX to ECX:EBX */
+- " movl %%eax, %%ebx;"
+- " movl %%edx, %%ecx;"
+- /* If EDX:EAX and counter->value are the same,
+- * replace *ptr with ECX:EBX */
+- " lock; cmpxchg8b %0;"
+- " jnz retryget;"
+- /* Put retrieved value into value */
+- " movl %%ebx, %1;"
+- " movl %%ecx, 4%1;"
+-#ifdef CPU_x86
+- /* Restore the PIC register */
+- " popl %%ebx"
+-#endif /* CPU_x86 */
+- : "+o" (counter->value), "=m" (value)
+- :
+-#ifdef CPU_x86
+- : "memory", "eax", "ecx", "edx", "cc");
+-#else
+- : "memory", "eax", "ebx", "ecx", "edx", "cc");
+-#endif
+-#else
+- while (1) {
+- value = counter->value;
+- if (__sync_bool_compare_and_swap(&(counter->value), value, value)) {
+- break;
+- }
+- }
+-#endif /* CPU_x86 || !HAVE_DECL___SYNC_ADD_AND_FETCH */
+-#elif defined(SOLARIS)
+- while (1) {
+- value = 
counter->value;
+- if (value == _sparcv9_AtomicSet(&(counter->value), value)) {
+- break;
+- }
+- }
+-#elif defined(HPUX)
++#ifdef ATOMIC_64BIT_OPERATIONS
++ value = __atomic_load_8(&(counter->value), __ATOMIC_SEQ_CST);
++#else /* HPUX */
++#ifdef HPUX
+ do {
+ value = counter->value;
+ /* Put value in a register for cmpxchg to compare against */
+ _Asm_mov_to_ar(_AREG_CCV, value);
+ } while (value != _Asm_cmpxchg(_FASZ_D, _SEM_ACQ, &(counter->value), value, _LDHINT_NONE));
+-#endif
+-#endif /* ATOMIC_64BIT_OPERATIONS */
+-
+- return value;
+-}
+-
+-#ifdef ATOMIC_64BIT_OPERATIONS
+-#if defined(LINUX) && !HAVE_64BIT_ATOMIC_OP_FUNCS
+-/* On systems that don't have the 64-bit GCC atomic builtins, we need to
+- * implement our own atomic add and subtract functions using inline
+- * assembly code. */
+-PRUint64 __sync_add_and_fetch_8(PRUint64 *ptr, PRUint64 addval)
+-{
+- PRUint64 retval = 0;
+-
+- /*
+- * %0 = *ptr
+- * %1 = retval
+- * %2 = addval
+- */
+- __asm__ __volatile__(
+-#ifdef CPU_x86
+- /* Save the PIC register */
+- " pushl %%ebx;"
+-#endif /* CPU_x86 */
+- /* Put value of *ptr in EDX:EAX */
+- "retryadd: movl %0, %%eax;"
+- " movl 4%0, %%edx;"
+- /* Put addval in ECX:EBX */
+- " movl %2, %%ebx;"
+- " movl 4+%2, %%ecx;"
+- /* Add value from EDX:EAX to value in ECX:EBX */
+- " addl %%eax, %%ebx;"
+- " adcl %%edx, %%ecx;"
+- /* If EDX:EAX and *ptr are the same, replace ptr with ECX:EBX */
+- " lock; cmpxchg8b %0;"
+- " jnz retryadd;"
+- /* Put new value into retval */
+- " movl %%ebx, %1;"
+- " movl %%ecx, 4%1;"
+-#ifdef CPU_x86
+- /* Restore the PIC register */
+- " popl %%ebx"
+-#endif /* CPU_x86 */
+- : "+o" (*ptr), "=m" (retval)
+- : "m" (addval)
+-#ifdef CPU_x86
+- : "memory", "eax", "ecx", "edx", "cc");
+ #else
+- : "memory", "eax", "ebx", "ecx", "edx", "cc");
++ pthread_mutex_lock(&(counter->_lock));
++ value = counter->value;
++ pthread_mutex_unlock(&(counter->_lock));
+ #endif
+-
+- return retval;
+-}
+-
+-PRUint64 __sync_sub_and_fetch_8(PRUint64 
*ptr, PRUint64 subval) +-{ +- PRUint64 retval = 0; +- +- /* +- * %0 = *ptr +- * %1 = retval +- * %2 = subval +- */ +- __asm__ __volatile__( +-#ifdef CPU_x86 +- /* Save the PIC register */ +- " pushl %%ebx;" +-#endif /* CPU_x86 */ +- /* Put value of *ptr in EDX:EAX */ +- "retrysub: movl %0, %%eax;" +- " movl 4%0, %%edx;" +- /* Copy EDX:EAX to ECX:EBX */ +- " movl %%eax, %%ebx;" +- " movl %%edx, %%ecx;" +- /* Subtract subval from value in ECX:EBX */ +- " subl %2, %%ebx;" +- " sbbl 4+%2, %%ecx;" +- /* If EDX:EAX and ptr are the same, replace *ptr with ECX:EBX */ +- " lock; cmpxchg8b %0;" +- " jnz retrysub;" +- /* Put new value into retval */ +- " movl %%ebx, %1;" +- " movl %%ecx, 4%1;" +-#ifdef CPU_x86 +- /* Restore the PIC register */ +- " popl %%ebx" +-#endif /* CPU_x86 */ +- : "+o" (*ptr), "=m" (retval) +- : "m" (subval) +-#ifdef CPU_x86 +- : "memory", "eax", "ecx", "edx", "cc"); +-#else +- : "memory", "eax", "ebx", "ecx", "edx", "cc"); + #endif + +- return retval; ++ return value; + } +-#endif /* LINUX && !HAVE_64BIT_ATOMIC_OP_FUNCS */ +-#endif /* ATOMIC_64BIT_OPERATIONS */ ++ +diff --git a/ldap/servers/slapd/slapi_counter_sunos_sparcv9.S b/ldap/servers/slapd/slapi_counter_sunos_sparcv9.S +deleted file mode 100644 +index e582c2a..0000000 +--- a/ldap/servers/slapd/slapi_counter_sunos_sparcv9.S ++++ /dev/null +@@ -1,105 +0,0 @@ +-! BEGIN COPYRIGHT BLOCK +-! The Original Code is the Netscape Portable Runtime (NSPR). +-! +-! The Initial Developer of the Original Code is +-! Netscape Communications Corporation. +-! Portions created by the Initial Developer are Copyright (C) 1998-2000 +-! the Initial Developer. All Rights Reserved. +-! +-! The original code has been modified to support 64-bit atomic increments by +-! Red Hat, Inc. These portions are Copyright (C) 2008 Red Hat, Inc. All Rights +-! reserved. +-! +-! License: GPL (version 3 or any later version). +-! See LICENSE for details. +-! END COPYRIGHT BLOCK +-! 
+- +-#define _ASM 1 /* force to set an assembler code macro _ASM */ +-#include +- +-! ====================================================================== +-! +-! Perform the sequence a = b atomically with respect to other +-! fetch-and-stores to location a in a wait-free fashion. +-! +-! usage : old_val = PR_AtomicSet(address, newval) +-! +-! ----------------------- +-! Note on REGISTER USAGE: +-! as this is a LEAF procedure, a new stack frame is not created; +-! we use the caller's stack frame so what would normally be %i (input) +-! registers are actually %o (output registers). Also, we must not +-! overwrite the contents of %l (local) registers as they are not +-! assumed to be volatile during calls. +-! ----------------------- +- +- ENTRY(_sparcv9_AtomicSet) ! standard assembler/ELF prologue +- +-retryAS: +- ldx [%o0], %o2 ! set o2 to the current value +- mov %o1, %o3 ! set up the new value +- casx [%o0], %o2, %o3 ! atomically set if o0 hasn't changed +- cmp %o2, %o3 ! see if we set the value +- bne retryAS ! if not, try again +- nop ! empty out the branch pipeline +- retl ! return back to the caller +- mov %o3, %o0 ! set the return code to the prev value +- +- SET_SIZE(_sparcv9_AtomicSet) ! standard assembler/ELF epilogue +- +-! +-! end +-! +-! ====================================================================== +-! +-! Perform the sequence a = a + b atomically with respect to other +-! fetch-and-adds to location a in a wait-free fashion. +-! +-! usage : newval = PR_AtomicAdd(address, val) +-! return: the value after addition +-! +- ENTRY(_sparcv9_AtomicAdd) ! standard assembler/ELF prologue +- +-retryAA: +- ldx [%o0], %o2 ! set o2 to the current value +- addx %o2, %o1, %o3 ! calc the new value +- mov %o3, %o4 ! save the return value +- casx [%o0], %o2, %o3 ! atomically set if o0 hasn't changed +- cmp %o2, %o3 ! see if we set the value +- bne retryAA ! if not, try again +- nop ! empty out the branch pipeline +- retl ! 
return back to the caller +- mov %o4, %o0 ! set the return code to the new value +- +- SET_SIZE(_sparcv9_AtomicAdd) ! standard assembler/ELF epilogue +- +-! +-! end +-! +-! ====================================================================== +-! +-! Perform the sequence a = a - b atomically with respect to other +-! fetch-and-subs to location a in a wait-free fashion. +-! +-! usage : newval = PR_AtomicSub(address, val) +-! return: the value after addition +-! +- ENTRY(_sparcv9_AtomicSub) ! standard assembler/ELF prologue +- +-retryAU: +- ldx [%o0], %o2 ! set o2 to the current value +- subx %o2, %o1, %o3 ! calc the new value +- mov %o3, %o4 ! save the return value +- casx [%o0], %o2, %o3 ! atomically set if o0 hasn't changed +- cmp %o2, %o3 ! see if we set the value +- bne retryAU ! if not, try again +- nop ! empty out the branch pipeline +- retl ! return back to the caller +- mov %o4, %o0 ! set the return code to the new value +- +- SET_SIZE(_sparcv9_AtomicSub) ! standard assembler/ELF epilogue +- +-! +-! end +-! 
+diff --git a/ldap/servers/slapd/snmp_collator.c b/ldap/servers/slapd/snmp_collator.c
+index 841922f..b0c873d 100644
+--- a/ldap/servers/slapd/snmp_collator.c
++++ b/ldap/servers/slapd/snmp_collator.c
+@@ -711,7 +711,7 @@ static void
+ add_counter_to_value(Slapi_Entry *e, const char *type, PRUint64 countervalue)
+ {
+ char value[40];
+- PR_snprintf(value,sizeof(value),"%" NSPRIu64, countervalue);
++ snprintf(value,sizeof(value),"%" NSPRIu64, countervalue);
+ slapi_entry_attr_set_charptr( e, type, value);
+ }
+
+diff --git a/test/libslapd/test.c b/test/libslapd/test.c
+index 37d5543..6e1171a 100644
+--- a/test/libslapd/test.c
++++ b/test/libslapd/test.c
+@@ -24,6 +24,8 @@ run_libslapd_tests (void) {
+ cmocka_unit_test(test_libslapd_pblock_v3c_original_target_dn),
+ cmocka_unit_test(test_libslapd_pblock_v3c_target_uniqueid),
+ cmocka_unit_test(test_libslapd_operation_v3c_target_spec),
++ cmocka_unit_test(test_libslapd_counters_atomic_usage),
++ cmocka_unit_test(test_libslapd_counters_atomic_overflow),
+ };
+ return cmocka_run_group_tests(tests, NULL, NULL);
+ }
+diff --git a/test/test_slapd.h b/test/test_slapd.h
+index 02eefdd..b8f1aba 100644
+--- a/test/test_slapd.h
++++ b/test/test_slapd.h
+@@ -37,4 +37,8 @@ void test_libslapd_pblock_v3c_target_uniqueid(void **state);
+ /* libslapd-operation-v3_compat */
+ void test_libslapd_operation_v3c_target_spec(void **state);
+
++/* libslapd-counters-atomic */
++
++void test_libslapd_counters_atomic_usage(void **state);
++void test_libslapd_counters_atomic_overflow(void **state);
+
+--
+2.9.3
+
diff --git a/SOURCES/0016-Ticket-48919-Compiler-warnings-while-building-389-ds.patch b/SOURCES/0016-Ticket-48919-Compiler-warnings-while-building-389-ds.patch
deleted file mode 100644
index 57e4f2e..0000000
--- a/SOURCES/0016-Ticket-48919-Compiler-warnings-while-building-389-ds.patch
+++ /dev/null
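Review bot: The replaced call in add_counter_to_value, `snprintf(value,sizeof(value),"%" NSPRIu64, countervalue);`, now hands an NSPR-style format macro to the C library while the parameter is still declared `PRUint64`. NSPRIu64 is defined outside this hunk, so whether its length modifier matches the argument type for libc's snprintf cannot be confirmed here; a mismatch would be undefined behaviour that -Wformat flags. Since this patch moves the counter API to uint64_t, the pairing that is correct by construction is `uint64_t countervalue` in the signature with `snprintf(value, sizeof(value), "%" PRIu64, countervalue);` and `<inttypes.h>` included.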
@@ -1,97 +0,0 @@ -From 6f55a77b49ecdec56817039308f7c07da820fb62 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Thu, 14 Jul 2016 19:09:21 -0700 -Subject: [PATCH] Ticket #48919 - Compiler warnings while building 389-ds-base - on RHEL7 - -Description: Fixing additional covscan errors. -1. RESOURCE_LEAK - ldap/servers/slapd/agtmmap.c - agt_mopen_stats - leaked_handle: Handle variable "fd" going out of scope leaks the handle. -2. CHECKED_RETURN - ldap/servers/slapd/back-ldbm/cache.c - entrycache_return - check_return: Calling "remove_hash" without checking return value -3. NULL_RETURNS - ldap/systools/idsktune.c - linux_check_cpu_features - dereference: Dereferencing a pointer that might be null "cpuinfo" when calling "fclose". -4. UNINIT - ldap/servers/slapd/detach.c - detach - uninit_use: Using uninitialized value "rc". - -https://fedorahosted.org/389/ticket/48919 -(cherry picked from commit 381caf52a06ad8cefa9daa99586878249a4aa4f2) ---- - ldap/servers/slapd/agtmmap.c | 1 + - ldap/servers/slapd/back-ldbm/cache.c | 6 ++++-- - ldap/servers/slapd/detach.c | 3 ++- - ldap/systools/idsktune.c | 4 ++++ - 4 files changed, 11 insertions(+), 3 deletions(-) - -diff --git a/ldap/servers/slapd/agtmmap.c b/ldap/servers/slapd/agtmmap.c -index 629bc1b..b9d66d9 100644 ---- a/ldap/servers/slapd/agtmmap.c -+++ b/ldap/servers/slapd/agtmmap.c -@@ -167,6 +167,7 @@ agt_mopen_stats (char * statsfile, int mode, int *hdl) - #endif - rc = err; - free (buf); -+ close(fd); - goto bail; - } - free (buf); -diff --git a/ldap/servers/slapd/back-ldbm/cache.c b/ldap/servers/slapd/back-ldbm/cache.c -index bb4e55e..015cd48 100644 ---- a/ldap/servers/slapd/back-ldbm/cache.c -+++ b/ldap/servers/slapd/back-ldbm/cache.c -@@ -1142,7 +1142,9 @@ entrycache_return(struct cache *cache, struct backentry **bep) - * so we need to remove the entry from the DN cache because - * we don't/can't always call cache_remove(). 
- */ -- remove_hash(cache->c_dntable, (void *)ndn, strlen(ndn)); -+ if (remove_hash(cache->c_dntable, (void *)ndn, strlen(ndn)) == 0) { -+ LOG("entrycache_return: failed to remove %s from dn table\n", ndn, 0, 0); -+ } - } - backentry_free(bep); - } else { -@@ -1392,7 +1394,7 @@ entrycache_add_int(struct cache *cache, struct backentry *e, int state, - return 0; - } - if(remove_hash(cache->c_dntable, (void *)ndn, strlen(ndn)) == 0){ -- LOG("entrycache_add_int: failed to remove %s from dn table\n", 0, 0, 0); -+ LOG("entrycache_add_int: failed to remove %s from dn table\n", ndn, 0, 0); - } - e->ep_state |= ENTRY_STATE_NOTINCACHE; - cache_unlock(cache); -diff --git a/ldap/servers/slapd/detach.c b/ldap/servers/slapd/detach.c -index 54c6028..84a9eef 100644 ---- a/ldap/servers/slapd/detach.c -+++ b/ldap/servers/slapd/detach.c -@@ -48,7 +48,8 @@ int - detach( int slapd_exemode, int importexport_encrypt, - int s_port, daemon_ports_t *ports_info ) - { -- int i, sd, rc; -+ int i, sd; -+ int rc = 0; - char *workingdir = 0; - char *errorlog = 0; - char *ptr = 0; -diff --git a/ldap/systools/idsktune.c b/ldap/systools/idsktune.c -index 4c96529..08b7f12 100644 ---- a/ldap/systools/idsktune.c -+++ b/ldap/systools/idsktune.c -@@ -875,6 +875,10 @@ linux_check_cpu_features(void) - char *token = NULL; - size_t size = 0; - int found = 0; -+ if (NULL == cpuinfo) { -+ printf("ERROR: Unable to check cpu features since opening \"/proc/cpuinfo\" failed.\n"); -+ return; -+ } - while(getline(&arg, &size, cpuinfo) != -1) - { - if (strncmp("flags", arg, 5) == 0) { --- -2.4.11 - diff --git a/SOURCES/0017-Issue-49035-dbmon.sh-shows-pages-in-use-that-exceeds.patch b/SOURCES/0017-Issue-49035-dbmon.sh-shows-pages-in-use-that-exceeds.patch new file mode 100644 index 0000000..bb75d3f --- /dev/null +++ b/SOURCES/0017-Issue-49035-dbmon.sh-shows-pages-in-use-that-exceeds.patch 
@@ -0,0 +1,38 @@
+From c14b2d88497724c4e19e5fae89bb40c95a61e1cb Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Thu, 30 Mar 2017 15:26:00 -0400
+Subject: [PATCH] Issue 49035 - dbmon.sh shows pages-in-use that exceeds the
+ cache size
+
+Bug Description: dbmon shows negative free cache stats because the pages-in-use exceeds
+ the expected size of the cache. This is because on caches smaller
+ than 500mb, libdb automatically increases the size by ~25%. The tool
+ is only checking the configured db cache size, and in this case its
+ actaully larger than what was conigured in dse.ldif.
+
+Fix Description: dbmon.sh should use the libdb's "cache size in bytes", instead of
+ nsslapd-dbcachesize - as it could be different.
+
+https://pagure.io/389-ds-base/issue/49035
+
+Reviewed by: nhosoi & wibrown (Thanks!!)
+---
+ ldap/admin/src/scripts/dbmon.sh.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/admin/src/scripts/dbmon.sh.in b/ldap/admin/src/scripts/dbmon.sh.in
+index 4ee6adc..46796e2 100644
+--- a/ldap/admin/src/scripts/dbmon.sh.in
++++ b/ldap/admin/src/scripts/dbmon.sh.in
+@@ -47,7 +47,7 @@ parseldif() {
+ }
+ /^[^ ]|^$/ {origline = $0; $0 = unwrapline; unwrapline = origline}
+ /^ / {sub(/^ /, ""); unwrapline = unwrapline $0; next}
+- /^nsslapd-dbcachesize/ { dbcachesize=$2 }
++ /^nsslapd-db-cache-size-bytes/ { dbcachesize=$2 }
+ /^nsslapd-db-page-size/ { pagesize=$2 }
+ /^dbcachehitratio/ { dbhitratio=$2 }
+ /^dbcachepagein/ { dbcachepagein=$2 }
+--
+2.9.3
+
diff --git a/SOURCES/0017-Ticket-48928-log-of-page-result-cookie-should-log-em.patch b/SOURCES/0017-Ticket-48928-log-of-page-result-cookie-should-log-em.patch
deleted file mode 100644
index 01bd08c..0000000
--- a/SOURCES/0017-Ticket-48928-log-of-page-result-cookie-should-log-em.patch
+++ /dev/null
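Review bot: After the changed awk rule in parseldif, `dbcachesize` is assigned only when the input contains a `nsslapd-db-cache-size-bytes` line, and the configured `nsslapd-dbcachesize` value is no longer read at all. parseldif continues outside the hunk, so how an unset `dbcachesize` is used afterwards is not visible, but if it feeds the free-cache arithmetic, a server that does not return the new attribute would give wrong or failing output. Keeping the configured size as a fallback costs one line next to the new rule: `/^nsslapd-dbcachesize/ { if (dbcachesize == "") dbcachesize=$2 }`.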
@@ -1,48 +0,0 @@ -From f6f6340afaea6f26d188f875b15f966e03cb7f50 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Mon, 18 Jul 2016 18:30:28 +0200 -Subject: [PATCH 17/29] Ticket 48928 log of page result cookie should log empty - cookie with a different value than 0 - -Bug Description: - With the ticket https://fedorahosted.org/389/ticket/48752, the cookie value - is logged with each page result RESULT. - When the page result is completed (no more entry to return), the returned cookie is 'pr_cookie=0'. - Else the cookie value is logged 'pr_cookie='. Unfortunately the index ranges [0..N]. - - So when the value pr_cookie=0 is logged, it is not possible to know if it is an empty cookie or a valid cookie with the value 0. - -Fix Description: - Log the empty cookie with a value '-1' - -https://fedorahosted.org/389/ticket/48928 - -Reviewed by: Noriko Hosoi, Simon Pichugin (thanks !!!!) - -Platforms tested: F23 - -Flag Day: no - -Doc impact: no - -(cherry picked from commit 73ff835f29514e33433de9f2be74f73efe6943ce) ---- - ldap/servers/slapd/pagedresults.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c -index 07a7b69..6fec344 100644 ---- a/ldap/servers/slapd/pagedresults.c -+++ b/ldap/servers/slapd/pagedresults.c -@@ -247,7 +247,7 @@ pagedresults_set_response_control( Slapi_PBlock *pb, int iscritical, - - /* begin sequence, payload, end sequence */ - if (current_search_count < 0) { -- cookie = 0; -+ cookie = -1; - cookie_str = slapi_ch_strdup(""); - } else { - cookie = index; --- -2.4.11 - diff --git a/SOURCES/0018-Issue-49177-Fix-pkg-config-file.patch b/SOURCES/0018-Issue-49177-Fix-pkg-config-file.patch new file mode 100644 index 0000000..143e956 --- /dev/null +++ b/SOURCES/0018-Issue-49177-Fix-pkg-config-file.patch 
@@ -0,0 +1,56 @@
+From a1c4718d9db069ab088914ec983af8125eba3ac6 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Fri, 31 Mar 2017 09:34:27 -0400
+Subject: [PATCH] Issue 49177 - Fix pkg-config file
+
+Description: Need to remove the slash in front of the package name
+
+https://pagure.io/389-ds-base/issue/49177
+
+Reviewed by: lslebodn & wibrown (Thanks!!)
+---
+ Makefile.am | 4 ++--
+ configure.ac | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 982dd28..485a460 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -261,7 +261,7 @@ sampledatadir = $(datadir)@sampledatadir@
+ systemschemadir = $(datadir)@systemschemadir@
+ propertydir = $(datadir)@propertydir@
+ schemadir = $(sysconfdir)@schemadir@
+-serverdir = $(libdir)@serverdir@
++serverdir = $(libdir)/@serverdir@
+ serverplugindir = $(libdir)@serverplugindir@
+ taskdir = $(datadir)@scripttemplatedir@
+ systemdsystemunitdir = @with_systemdsystemunitdir@
+@@ -276,7 +276,7 @@ infdir = $(datadir)@infdir@
+ mibdir = $(datadir)@mibdir@
+ updatedir = $(datadir)@updatedir@
+ pkgconfigdir = $(libdir)/pkgconfig
+-serverincdir = $(includedir)@serverincdir@
++serverincdir = $(includedir)/@serverincdir@
+
+ defaultuser=@defaultuser@
+ defaultgroup=@defaultgroup@
+diff --git a/configure.ac b/configure.ac
+index 8172bab..51c4414 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -361,9 +361,9 @@ else
+ # relative to datadir
+ updatedir=/$PACKAGE_NAME/updates
+ # relative to libdir
+- serverdir=/$PACKAGE_NAME
++ serverdir=$PACKAGE_NAME
+ # relative to includedir
+- serverincdir=/$PACKAGE_NAME
++ serverincdir=$PACKAGE_NAME
+ # relative to libdir
+ serverplugindir=/$PACKAGE_NAME/plugins
+ # relative to datadir
+--
+2.9.3
+
diff --git a/SOURCES/0018-Ticket-48939-nsslapd-workingdir-is-empty-when-ns-sla.patch b/SOURCES/0018-Ticket-48939-nsslapd-workingdir-is-empty-when-ns-sla.patch
deleted file mode 100644
index 2907565..0000000
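Review bot: The two Makefile.am hunks leave the directory variables on two different conventions: `serverdir` and `serverincdir` now supply the separator themselves (`$(libdir)/@serverdir@`), while `serverplugindir = $(libdir)@serverplugindir@` and the datadir entries still depend on a leading slash inside the substituted value (`serverplugindir=/$PACKAGE_NAME/plugins` in configure.ac). The configure.ac hunk also edits only the `else` branch; the branch before it is outside the hunk, and if it assigns `serverdir` or `serverincdir` with a leading slash, the new Makefile lines would expand with a doubled separator on that path. A comment above the two changed assignments, for example `# no leading slash here: Makefile.am supplies the separator`, would keep a later edit from restoring it.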
--- a/SOURCES/0018-Ticket-48939-nsslapd-workingdir-is-empty-when-ns-sla.patch
+++ /dev/null
@@ -1,141 +0,0 @@ -From c78cee0747aaa7f3ba7ad77d683d382308992952 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Tue, 26 Jul 2016 16:51:41 -0700 -Subject: [PATCH 18/29] Ticket #48939 - nsslapd-workingdir is empty when - ns-slapd is started by systemd - -Description: If the Type of the service is notify in systemd, the server -process does not fork. Setting nsslapd-workingdir was missing in the not- -fork path. This patch adds it. - -https://fedorahosted.org/389/ticket/48939 - -Reviewed by wibrown@redhat.com (Thank you, William!!) - -(cherry picked from commit a06cb4269613224e1454ed8c1ad6f702cc247b2b) ---- - ldap/servers/slapd/detach.c | 81 ++++++++++++++++++++++++++------------------- - 1 file changed, 47 insertions(+), 34 deletions(-) - -diff --git a/ldap/servers/slapd/detach.c b/ldap/servers/slapd/detach.c -index 84a9eef..cd13a99 100644 ---- a/ldap/servers/slapd/detach.c -+++ b/ldap/servers/slapd/detach.c -@@ -44,16 +44,50 @@ - #include - #endif /* USE_SYSCONF */ - --int --detach( int slapd_exemode, int importexport_encrypt, -- int s_port, daemon_ports_t *ports_info ) -+static int -+set_workingdir() - { -- int i, sd; - int rc = 0; -- char *workingdir = 0; -+ char *workingdir = config_get_workingdir(); - char *errorlog = 0; - char *ptr = 0; - extern char *config_get_errorlog(void); -+ extern int config_set_workingdir(const char *attrname, char *value, char *errorbuf, int apply); -+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE]; -+ -+ if ( NULL == workingdir ) { -+ errorlog = config_get_errorlog(); -+ if (NULL == errorlog) { -+ rc = chdir("/"); -+ } else { -+ ptr = strrchr(errorlog, '/'); -+ if (ptr) { -+ *ptr = '\0'; -+ } -+ rc = chdir(errorlog); -+ if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, errorlog, errorbuf, 1) == LDAP_OPERATIONS_ERROR) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: set workingdir failed with \"%s\"\n", errorbuf); -+ } -+ slapi_ch_free_string(&errorlog); -+ } -+ } else { -+ /* calling config_set_workingdir to check for validity of 
directory, don't apply */ -+ if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, workingdir, errorbuf, 0) == LDAP_OPERATIONS_ERROR) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: set workingdir failed with \"%s\"\n", errorbuf); -+ rc = chdir("/"); -+ } else { -+ rc = chdir(workingdir); -+ } -+ slapi_ch_free_string(&workingdir); -+ } -+ return rc; -+} -+ -+int -+detach( int slapd_exemode, int importexport_encrypt, -+ int s_port, daemon_ports_t *ports_info ) -+{ -+ int i, sd; - - if ( should_detach ) { - for ( i = 0; i < 5; i++ ) { -@@ -76,35 +110,12 @@ detach( int slapd_exemode, int importexport_encrypt, - } - - /* call this right after the fork, but before closing stdin */ -- if (slapd_do_all_nss_ssl_init(slapd_exemode, importexport_encrypt, -- s_port, ports_info)) { -+ if (slapd_do_all_nss_ssl_init(slapd_exemode, importexport_encrypt, s_port, ports_info)) { - return 1; - } - -- workingdir = config_get_workingdir(); -- if ( NULL == workingdir ) { -- errorlog = config_get_errorlog(); -- if ( NULL == errorlog ) { -- rc = chdir( "/" ); -- PR_ASSERT(rc == 0); -- } else { -- if ((ptr = strrchr(errorlog, '/')) || -- (ptr = strrchr(errorlog, '\\'))) { -- *ptr = 0; -- } -- rc = chdir( errorlog ); -- PR_ASSERT(rc == 0); -- config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, errorlog, NULL, 1); -- slapi_ch_free_string(&errorlog); -- } -- } else { -- /* calling config_set_workingdir to check for validity of directory, don't apply */ -- if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, workingdir, NULL, 0) == LDAP_OPERATIONS_ERROR) { -- return 1; -- } -- rc = chdir( workingdir ); -- PR_ASSERT(rc == 0); -- slapi_ch_free_string(&workingdir); -+ if (set_workingdir()) { -+ LDAPDebug0Args(LDAP_DEBUG_ANY, "detach: chdir to workingdir failed.\n"); - } - - if ( (sd = open( "/dev/null", O_RDWR )) == -1 ) { -@@ -127,14 +138,16 @@ detach( int slapd_exemode, int importexport_encrypt, - - g_set_detached(1); - } else { /* not detaching - call nss/ssl init */ -- if 
(slapd_do_all_nss_ssl_init(slapd_exemode, importexport_encrypt, -- s_port, ports_info)) { -+ if (slapd_do_all_nss_ssl_init(slapd_exemode, importexport_encrypt, s_port, ports_info)) { - return 1; - } -+ if (set_workingdir()) { -+ LDAPDebug0Args(LDAP_DEBUG_ANY, "detach: chdir to workingdir failed.\n"); -+ } - } - - (void) SIGNAL( SIGPIPE, SIG_IGN ); -- return rc; -+ return 0; - } - - /* --- -2.4.11 - diff --git a/SOURCES/0019-Issue-49205-Fix-logconv.pl-man-page.patch b/SOURCES/0019-Issue-49205-Fix-logconv.pl-man-page.patch new file mode 100644 index 0000000..3520f71 --- /dev/null +++ b/SOURCES/0019-Issue-49205-Fix-logconv.pl-man-page.patch 
@@ -0,0 +1,1438 @@
+From 6cad70f25460f3ede0429ce11d5e60946acf1174 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Fri, 31 Mar 2017 11:23:50 -0400
+Subject: [PATCH] Issue 49205 - Fix logconv.pl man page
+
+Description: Fixed mistake in wording in the logconv.pl man page. Also
+ updated all the man pages with the new pagure ticket url.
+
+https://pagure.io/389-ds-base/issue/49205
+
+Reviewed by: nhosoi(Thanks!)
+---
+ man/man1/cl-dump.1 | 6 +++---
+ man/man1/dbgen.pl.1 | 6 +++---
+ man/man1/dbscan.1 | 6 +++---
+ man/man1/ds-logpipe.py.1 | 6 +++---
+ man/man1/dsktune.1 | 6 +++---
+ man/man1/infadd.1 | 6 +++---
+ man/man1/ldap-agent.1 | 6 +++---
+ man/man1/ldclt.1 | 6 +++---
+ man/man1/ldif.1 | 6 +++---
+ man/man1/logconv.pl.1 | 10 +++++-----
+ man/man1/migratecred.1 | 6 +++---
+ man/man1/mmldif.1 | 6 +++---
+ man/man1/pwdhash.1 | 6 +++---
+ man/man1/readnsstate.1 | 6 +++---
+ man/man1/repl-monitor.1 | 8 ++++----
+ man/man1/rsearch.1 | 6 +++---
+ man/man8/bak2db.8 | 6 +++---
+ man/man8/bak2db.pl.8 | 6 +++---
+ man/man8/cleanallruv.pl.8 | 6 +++---
+ man/man8/db2bak.8 | 6 +++---
+ man/man8/db2bak.pl.8 | 6 +++---
+ man/man8/db2index.8 | 6 +++---
+ man/man8/db2index.pl.8 | 6 +++---
+ man/man8/db2ldif.8 | 6 +++---
+ man/man8/db2ldif.pl.8 | 6 +++---
+ man/man8/dbverify.8 | 6 +++---
+ man/man8/dn2rdn.8 | 6 +++---
+ man/man8/fixup-linkedattrs.pl.8 | 6 +++---
+ man/man8/fixup-memberof.pl.8 | 6 +++---
+ man/man8/ldif2db.8 | 6 +++---
+ man/man8/ldif2db.pl.8 | 6 +++---
+ man/man8/ldif2ldap.8 | 6 +++---
+ man/man8/migrate-ds.pl.8 | 18 +++++++++---------
+ man/man8/monitor.8 | 6 +++---
+ man/man8/ns-accountstatus.pl.8 | 6 +++---
+ man/man8/ns-activate.pl.8 | 6 +++---
+ man/man8/ns-inactivate.pl.8 | 6 +++---
+ man/man8/ns-newpwpolicy.pl.8 | 6 +++---
+ man/man8/ns-slapd.8 | 6 +++---
+ man/man8/remove-ds.pl.8 | 6 +++---
+ man/man8/restart-dirsrv.8 | 6 +++---
+ man/man8/restoreconfig.8 | 6 +++---
+ man/man8/saveconfig.8 | 6 +++---
+ man/man8/schema-reload.pl.8 | 6 +++---
+ man/man8/setup-ds.pl.8 | 6 +++---
+ man/man8/start-dirsrv.8 | 6 +++---
+ man/man8/status-dirsrv.8 | 6 +++---
+ man/man8/stop-dirsrv.8 | 6 +++---
+ man/man8/suffix2instance.8 | 6 +++---
+ man/man8/syntax-validate.pl.8 | 6 +++---
+ man/man8/upgradedb.8 | 6 +++---
+ man/man8/upgradednformat.8 | 6 +++---
+ man/man8/usn-tombstone-cleanup.pl.8 | 6 +++---
+ man/man8/verify-db.pl.8 | 6 +++---
+ man/man8/vlvindex.8 | 6 +++---
+ 55 files changed, 174 insertions(+), 174 deletions(-)
+
+diff --git a/man/man1/cl-dump.1 b/man/man1/cl-dump.1
+index f9dedbe..db736ac 100644
+--- a/man/man1/cl-dump.1
++++ b/man/man1/cl-dump.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH CL-DUMP 1 "May 18, 2008"
++.TH CL-DUMP 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -81,11 +81,11 @@ is running, and from where the server's changelog directory is accessible.
+ .SH AUTHOR
+ cl-dump was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/dbgen.pl.1 b/man/man1/dbgen.pl.1
+index 6f25080..c238c9c 100644
+--- a/man/man1/dbgen.pl.1
++++ b/man/man1/dbgen.pl.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DBGEN.PL 1 "May 18, 2008"
++.TH DBGEN.PL 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -78,11 +78,11 @@ Add groups containing uniquemembers; generate a group for every 100 user entries
+ .SH AUTHOR
+ dbgen.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/dbscan.1 b/man/man1/dbscan.1
+index e5ff0a7..641a3af 100644
+--- a/man/man1/dbscan.1
++++ b/man/man1/dbscan.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DBSCAN 1 "May 18, 2008"
++.TH DBSCAN 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -91,11 +91,11 @@ dbscan \fB\-f\fR objectclass.db4
+ .SH AUTHOR
+ dbscan was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/ds-logpipe.py.1 b/man/man1/ds-logpipe.py.1
+index c7ea93d..0a6c15a 100644
+--- a/man/man1/ds-logpipe.py.1
++++ b/man/man1/ds-logpipe.py.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DS-LOGPIPE.PY 1 "November 24, 2009"
++.TH DS-LOGPIPE.PY 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -90,9 +90,9 @@ The error log and audit log have similarly named configuration attributes e.g. n
+ .SH AUTHOR
+ ds-logpipe.py was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2009 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This is free software. You may redistribute copies of it under the terms of
+ the Directory Server license found in the LICENSE file of this
+diff --git a/man/man1/dsktune.1 b/man/man1/dsktune.1
+index 19a6229..b3a5f7b 100644
+--- a/man/man1/dsktune.1
++++ b/man/man1/dsktune.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DSKTUNE 1 "May 18, 2008"
++.TH DSKTUNE 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -49,11 +49,11 @@ specify alternate server installation directory
+ .SH AUTHOR
+ dsktune was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/infadd.1 b/man/man1/infadd.1
+index 0969019..75c2f42 100644
+--- a/man/man1/infadd.1
++++ b/man/man1/infadd.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH INFADD 1 "May 18, 2008"
++.TH INFADD 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -67,11 +67,11 @@ add binary blob of average size of bytes
+ .SH AUTHOR
+ infadd was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/ldap-agent.1 b/man/man1/ldap-agent.1
+index 50d80c3..f2d6576 100644
+--- a/man/man1/ldap-agent.1
++++ b/man/man1/ldap-agent.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH LDAP-AGENT 1 "May 18, 2008"
++.TH LDAP-AGENT 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -44,11 +44,11 @@ Sample usage:
+ .SH AUTHOR
+ ldap\-agent was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/ldclt.1 b/man/man1/ldclt.1
+index 4105f42..451a88b 100644
+--- a/man/man1/ldclt.1
++++ b/man/man1/ldclt.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH LDCLT 1 "May 18, 2008"
++.TH LDCLT 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -220,11 +220,11 @@ Execution parameters:
+ .SH AUTHOR
+ ldclt was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/ldif.1 b/man/man1/ldif.1
+index f5fa99b..c2398b4 100644
+--- a/man/man1/ldif.1
++++ b/man/man1/ldif.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH LDIF 1 "May 18, 2008"
++.TH LDIF 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -40,11 +40,11 @@ ldif dn < /tmp/ldif
+ .SH AUTHOR
+ ldif was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/logconv.pl.1 b/man/man1/logconv.pl.1
+index e4c1d13..13db49f 100644
+--- a/man/man1/logconv.pl.1
++++ b/man/man1/logconv.pl.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH LOGCONV.PL 1 "May 18, 2008"
++.TH LOGCONV.PL 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -38,7 +38,7 @@ DEFAULT \-> cn=directory manager
+ .B \fB\-D, \-\-data\fR
+ DEFAULT \-> /tmp
+ .br
+-TIP \-> If there is not enough RAM, a RAM disk can be used instead:
++TIP \-> If there is enough RAM, a RAM disk can be used instead:
+
+ mkdir /dev/shm/logconv, and use this directory for the "\-D" value.
+ .TP
+@@ -115,7 +115,7 @@ Examples:
+ .IP
+ logconv.pl \fB\-s\fR 10 \fB\-V\fR access
+ .IP
+-logconv.pl \fB\-d\fR "cn=directory manager" /export/server4/slapd\-host/logs/access*
++logconv.pl \fB\-d\fR "cn=directory manager" /var/log/dirsrv/slapd\-host/access*
+ .IP
+ logconv.pl \fB\-s\fR 50 \fB\-ibgju\fR access*
+ .IP
+@@ -124,11 +124,11 @@ logconv.pl \fB\-S\fR "[28/Mar/2002:13:14:22 \fB\-0800]\fR" \fB\-E\fR "[28/Mar/20
+ .SH AUTHOR
+ logconv.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/migratecred.1 b/man/man1/migratecred.1
+index 50fbe0a..e935b5f 100644
+--- a/man/man1/migratecred.1
++++ b/man/man1/migratecred.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH MIGRATECRED 1 "May 18, 2008"
++.TH MIGRATECRED 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -50,11 +50,11 @@ New plugin path (of the new instance)
+ .SH AUTHOR
+ migratecred was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/mmldif.1 b/man/man1/mmldif.1
+index e3f31ca..bde95d1 100644
+--- a/man/man1/mmldif.1
++++ b/man/man1/mmldif.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH MMLDIF 1 "May 18, 2008"
++.TH MMLDIF 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -46,11 +46,11 @@ Write authoritative data to this file
+ .SH AUTHOR
+ mmldif was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/pwdhash.1 b/man/man1/pwdhash.1
+index 3ef5c9d..96194b3 100644
+--- a/man/man1/pwdhash.1
++++ b/man/man1/pwdhash.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH PWDHASH 1 "May 18, 2008"
++.TH PWDHASH 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -47,11 +47,11 @@ Takes the password schema directly from the ns-slapd configuration
+ .SH AUTHOR
+ dbscan was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man1/readnsstate.1 b/man/man1/readnsstate.1
+index 0edf352..b18f49a 100644
+--- a/man/man1/readnsstate.1
++++ b/man/man1/readnsstate.1
+@@ -1,4 +1,4 @@
+-.TH READNSSTATE 1 "May 13 2016"
++.TH READNSSTATE 1 "March 31, 2017"
+ .SH NAME
+ readnsstate \- interpret the contents of cn=replica's nsState value
+ .B readnsstate
+@@ -38,9 +38,9 @@ For replica cn=replica,cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
+ .SH AUTHOR
+ readnsstate was written by the 389 Project by richm.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2016 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by William Brown ,
+ for the 389 Directory Server Project.
+diff --git a/man/man1/repl-monitor.1 b/man/man1/repl-monitor.1
+index 17b9c4b..2e4fc77 100644
+--- a/man/man1/repl-monitor.1
++++ b/man/man1/repl-monitor.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH REPL-MONITOR 1 "Jun 28, 2016"
++.TH REPL-MONITOR 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -121,16 +121,16 @@ MY_SYSTEM2 = localhost2.localdomain:3892
+ .SH AUTHOR
+ repl-monitor was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2016 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+ .br
+-Manual page updated by Mark Reynolds 6/28/2016
++Manual page updated by Mark Reynolds 3/31/2017
+ .br
+ This is free software. You may redistribute copies of it under the terms of
+ the Directory Server license found in the LICENSE file of this
+diff --git a/man/man1/rsearch.1 b/man/man1/rsearch.1
+index 319bfc1..ec269a5 100644
+--- a/man/man1/rsearch.1
++++ b/man/man1/rsearch.1
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH RSEARCH 1 "May 18, 2008"
++.TH RSEARCH 1 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -123,11 +123,11 @@ Use \fB\-B\fR file for binding; ignored if \fB\-B\fR is not given
+ .SH AUTHOR
+ rsearch was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man8/bak2db.8 b/man/man8/bak2db.8
+index 77864728..74e5e58 100644
+--- a/man/man8/bak2db.8
++++ b/man/man8/bak2db.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH BAK2DB 8 "Mar 5, 2013"
++.TH BAK2DB 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -57,6 +57,6 @@ to standard error.
+ .SH AUTHOR
+ bak2db was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/bak2db.pl.8 b/man/man8/bak2db.pl.8
+index 1bb76c5..01a41c1 100644
+--- a/man/man8/bak2db.pl.8
++++ b/man/man8/bak2db.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH BAK2DB.PL 8 "Mar 5, 2013"
++.TH BAK2DB.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -73,6 +73,6 @@ to standard error.
+ .SH AUTHOR
+ bak2db.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/cleanallruv.pl.8 b/man/man8/cleanallruv.pl.8
+index 55678ac..3afc688 100644
+--- a/man/man8/cleanallruv.pl.8
++++ b/man/man8/cleanallruv.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH CLEANALLRUV.PL 8 " Mar 5, 2013"
++.TH CLEANALLRUV.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -76,6 +76,6 @@ to standard error.
+ .SH AUTHOR
+ cleanallruv.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/db2bak.8 b/man/man8/db2bak.8
+index 5de017e..727867a 100644
+--- a/man/man8/db2bak.8
++++ b/man/man8/db2bak.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DB2BAK 8 "Mar 5, 2013"
++.TH DB2BAK 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -58,6 +58,6 @@ to standard error.
+ .SH AUTHOR
+ db2bak was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/db2bak.pl.8 b/man/man8/db2bak.pl.8
+index 9a34d51..a752885 100644
+--- a/man/man8/db2bak.pl.8
++++ b/man/man8/db2bak.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DB2BAK.PL 8 "Mar 5, 2013"
++.TH DB2BAK.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -72,6 +72,6 @@ to standard error.
+ .SH AUTHOR
+ db2bak.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/db2index.8 b/man/man8/db2index.8
+index 1e70cc9..f70ba67 100644
+--- a/man/man8/db2index.8
++++ b/man/man8/db2index.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DB2INDEX 8 "Mar 5, 2013"
++.TH DB2INDEX 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -62,6 +62,6 @@ to standard error.
+ .SH AUTHOR
+ db2index was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/db2index.pl.8 b/man/man8/db2index.pl.8
+index 4ff9c7a..7297fae 100644
+--- a/man/man8/db2index.pl.8
++++ b/man/man8/db2index.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DB2INDEX.PL 8 "Mar 5, 2013"
++.TH DB2INDEX.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -76,6 +76,6 @@ to standard error.
+ .SH AUTHOR
+ db2index.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/db2ldif.8 b/man/man8/db2ldif.8
+index 2a787f2..31f686b 100644
+--- a/man/man8/db2ldif.8
++++ b/man/man8/db2ldif.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DB2LDIF 8 "Mar 5, 2013"
++.TH DB2LDIF 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -101,6 +101,6 @@ to standard error.
+ .SH AUTHOR
+ db2ldif was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/db2ldif.pl.8 b/man/man8/db2ldif.pl.8
+index f02d3ed..babd225 100644
+--- a/man/man8/db2ldif.pl.8
++++ b/man/man8/db2ldif.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DB2LDIF.PL 8 "Mar 5, 2013"
++.TH DB2LDIF.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -115,6 +115,6 @@ to standard error.
+ .SH AUTHOR
+ db2ldif.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/dbverify.8 b/man/man8/dbverify.8
+index c74747a..256e0aa 100644
+--- a/man/man8/dbverify.8
++++ b/man/man8/dbverify.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DBVERIFY 8 "Mar 5, 2013"
++.TH DBVERIFY 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -58,6 +58,6 @@ to standard error.
+ .SH AUTHOR
+ dbverify was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/dn2rdn.8 b/man/man8/dn2rdn.8
+index d6cd3cc..98d74da 100644
+--- a/man/man8/dn2rdn.8
++++ b/man/man8/dn2rdn.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH DN2RDN 8 "Mar 5, 2013"
++.TH DN2RDN 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -53,6 +53,6 @@ to standard error.
+ .SH AUTHOR
+ dn2rdn was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/fixup-linkedattrs.pl.8 b/man/man8/fixup-linkedattrs.pl.8
+index ee484c8..1189cb8 100644
+--- a/man/man8/fixup-linkedattrs.pl.8
++++ b/man/man8/fixup-linkedattrs.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH FIXUP-LINKEDATTRS.PL 8 "Mar 5, 2013"
++.TH FIXUP-LINKEDATTRS.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -67,6 +67,6 @@ to standard error.
+ .SH AUTHOR
+ fixup-linkedattrs.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/fixup-memberof.pl.8 b/man/man8/fixup-memberof.pl.8
+index 55b7503..f80043c 100644
+--- a/man/man8/fixup-memberof.pl.8
++++ b/man/man8/fixup-memberof.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH FIXUP-MEMBEROF.PL 8 "Mar 5, 2013"
++.TH FIXUP-MEMBEROF.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -71,6 +71,6 @@ to standard error.
+ .SH AUTHOR
+ fixup-memberof.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/ldif2db.8 b/man/man8/ldif2db.8
+index a5db3ea..9e3b149 100644
+--- a/man/man8/ldif2db.8
++++ b/man/man8/ldif2db.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH LDIF2DB 8 "Mar 5, 2013"
++.TH LDIF2DB 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -84,6 +84,6 @@ to standard error.
+ .SH AUTHOR
+ ldif2db was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/ldif2db.pl.8 b/man/man8/ldif2db.pl.8
+index cc3e316..3c02d03 100644
+--- a/man/man8/ldif2db.pl.8
++++ b/man/man8/ldif2db.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH LDIF2DB.PL 8 "Mar 5, 2013"
++.TH LDIF2DB.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -93,6 +93,6 @@ to standard error.
+ .SH AUTHOR
+ ldif2db.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/ldif2ldap.8 b/man/man8/ldif2ldap.8
+index 117a1f7..b89f464 100644
+--- a/man/man8/ldif2ldap.8
++++ b/man/man8/ldif2ldap.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH LDIF2LDAP 8 "Mar 5, 2013"
++.TH LDIF2LDAP 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -57,6 +57,6 @@ to standard error.
+ .SH AUTHOR
+ ldif2ldap was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/migrate-ds.pl.8 b/man/man8/migrate-ds.pl.8
+index 65a62d0..24eac5a 100644
+--- a/man/man8/migrate-ds.pl.8
++++ b/man/man8/migrate-ds.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH MIGRATE-DS.PL 8 "May 18, 2008"
++.TH MIGRATE-DS.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -121,15 +121,15 @@ for migration. Changelog information will not be migrated, and replicas
+ will need to be reinitialized (if migrating masters or hubs). This type
+ of migration requires that all of your old databases have been dumped
+ to LDIF format, and the LDIF file must be in the default database directory
+-(usually /opt/fedora\-ds/slapd\-instance/db), and the LDIF file must have
++(usually /var/lib/dirsrv/slapd\-instance/db), and the LDIF file must have
+ the same name as the database instance directory, with a ".ldif". For
+ example, if you have
+ .IP
+ .ad l
+ .nf
+-/opt/fedora\-ds/slapd\-instance/db/userRoot/
++/var/lib/dirsrv/slapd\-instance/db/userRoot/
+ and
+-/opt/fedora\-ds/slapd\-instance/db/NetscapeRoot/
++/var/lib/dirsrv/slapd\-instance/db/NetscapeRoot/
+ .na
+ .fi
+ .PP
+@@ -137,9 +137,9 @@ you must first use db2ldif to export these databases to LDIF e.g.
+ .IP
+ .ad l
+ .nf
+-cd /opt/fedora\-ds/slapd\-instance
+-\&./db2ldif \fB\-n\fR userRoot \fB\-a\fR /opt/fedora\-ds/slapd\-instance/db/userRoot.ldif and
+-\&./db2ldif \fB\-n\fR NetscapeRoot \fB\-a\fR /opt/fedora\-ds/slapd\-instance/db/NetscapeRoot.ldif
++cd /var/lib/dirsrv/slapd\-instance
++\&./db2ldif \fB\-n\fR userRoot \fB\-a\fR /var/lib/dirsrv/slapd\-instance/ldif/userRoot.ldif and
++\&./db2ldif \fB\-n\fR NetscapeRoot \fB\-a\fR /var/lib/dirsrv/slapd\-instance/ldif/NetscapeRoot.ldif
+ .fi
+ .na
+ .PP
+@@ -151,9 +151,9 @@ directory on the destination machine.
+ .SH AUTHOR
+ migrate-ds.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man8/monitor.8 b/man/man8/monitor.8
+index 1cc2166..1e75fcf 100644
+--- a/man/man8/monitor.8
++++ b/man/man8/monitor.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH MONITOR 8 "Mar 5, 2013"
++.TH MONITOR 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -62,6 +62,6 @@ to standard error.
+ .SH AUTHOR
+ monitor was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/ns-accountstatus.pl.8 b/man/man8/ns-accountstatus.pl.8
+index 9ffc4d3..ceba3e6 100644
+--- a/man/man8/ns-accountstatus.pl.8
++++ b/man/man8/ns-accountstatus.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH NS-ACCOUNTSTATUS.PL 8 "Feb 8, 2016"
++.TH NS-ACCOUNTSTATUS.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -90,6 +90,6 @@ to standard error.
+ .SH AUTHOR
+ ns-accountstatus.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2016 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/ns-activate.pl.8 b/man/man8/ns-activate.pl.8
+index 4b6f46d..2d4b82c 100644
+--- a/man/man8/ns-activate.pl.8
++++ b/man/man8/ns-activate.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH NS-ACTIVATE.PL 8 "Mar 5, 2013"
++.TH NS-ACTIVATE.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -68,6 +68,6 @@ to standard error.
+ .SH AUTHOR
+ ns-activate.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/ns-inactivate.pl.8 b/man/man8/ns-inactivate.pl.8
+index 9e8ad77..f71a63f 100644
+--- a/man/man8/ns-inactivate.pl.8
++++ b/man/man8/ns-inactivate.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH NS-INACTIVATE.PL 8 "Mar 5, 2013"
++.TH NS-INACTIVATE.PL 8 "Mar 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -67,6 +67,6 @@ to standard error.
+ .SH AUTHOR
+ ns-inactivate.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/ns-newpwpolicy.pl.8 b/man/man8/ns-newpwpolicy.pl.8
+index 1c38748..795bdc9 100644
+--- a/man/man8/ns-newpwpolicy.pl.8
++++ b/man/man8/ns-newpwpolicy.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH NS-NEWPWPOLICY.PL 8 "Mar 5, 2013"
++.TH NS-NEWPWPOLICY.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -74,6 +74,6 @@ to standard error.
+ .SH AUTHOR
+ ns-newpwpolicy.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/ns-slapd.8 b/man/man8/ns-slapd.8
+index 7c61533..96f995e 100644
+--- a/man/man8/ns-slapd.8
++++ b/man/man8/ns-slapd.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH NS-SLAPD 8 "May 18, 2008"
++.TH NS-SLAPD 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -45,11 +45,11 @@ Specifies file where the pid of the process will be stored
+ .SH AUTHOR
+ ns-slapd was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+ Copyright \(co 2001 Sun Microsystems, Inc. Used by permission.
+ .br
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man8/remove-ds.pl.8 b/man/man8/remove-ds.pl.8 +index 0568ff8..5d60e47 100644 +--- a/man/man8/remove-ds.pl.8 ++++ b/man/man8/remove-ds.pl.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH REMOVE-DS.PL 8 "Feb 13, 2009" ++.TH REMOVE-DS.PL 8 "March 31, 2017" + .\" Please adjust this date whenever revising the manpage. + .\" + .\" Some roff macros, for reference: +@@ -48,9 +48,9 @@ The full name of the instance to remove (e.g. slapd\(hyexample) + .SH AUTHOR + remove-ds.pl was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2009 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. + .br + This is free software. You may redistribute copies of it under the terms of + the Directory Server license found in the LICENSE file of this +diff --git a/man/man8/restart-dirsrv.8 b/man/man8/restart-dirsrv.8 +index c8af2ce..c82ec2b 100644 +--- a/man/man8/restart-dirsrv.8 ++++ b/man/man8/restart-dirsrv.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH RESTART-DIRSRV 8 "Jun 8, 2010" ++.TH RESTART-DIRSRV 8 "March 31, 2017" + .\" Please adjust this date whenever revising the manpage. + .\" + .\" Some roff macros, for reference: +@@ -40,9 +40,9 @@ Sample usage: + .SH AUTHOR + restart\-dirsrv was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2010 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. + .br + This is free software. 
You may redistribute copies of it under the terms of + the Directory Server license found in the LICENSE file of this +diff --git a/man/man8/restoreconfig.8 b/man/man8/restoreconfig.8 +index 18b27f5..97642b6 100644 +--- a/man/man8/restoreconfig.8 ++++ b/man/man8/restoreconfig.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH RESTORECONFIG 8 "Mar 5, 2013" ++.TH RESTORECONFIG 8 "March 31, 2017" + .\" Please adjust this date whenever revising the manpage. + .\" + .\" Some roff macros, for reference: +@@ -43,6 +43,6 @@ to standard error. + .SH AUTHOR + restoreconfig was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2013 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. +diff --git a/man/man8/saveconfig.8 b/man/man8/saveconfig.8 +index 8ba8a1d..1597043 100644 +--- a/man/man8/saveconfig.8 ++++ b/man/man8/saveconfig.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH SAVECONFIG 8 "Mar 5, 2013" ++.TH SAVECONFIG 8 "March 31, 2013" + .\" Please adjust this date whenever revising the manpage. + .\" + .\" Some roff macros, for reference: +@@ -43,6 +43,6 @@ to standard error. + .SH AUTHOR + saveconfig was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2013 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. 
+diff --git a/man/man8/schema-reload.pl.8 b/man/man8/schema-reload.pl.8
+index 17380cf..85797f3 100644
+--- a/man/man8/schema-reload.pl.8
++++ b/man/man8/schema-reload.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH SCHEMA-RELOAD.PL 8 "Mar 5, 2013"
++.TH SCHEMA-RELOAD.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -65,6 +65,6 @@ to standard error.
+ .SH AUTHOR
+ schema-reload.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/setup-ds.pl.8 b/man/man8/setup-ds.pl.8
+index 11e0966..b491e18 100644
+--- a/man/man8/setup-ds.pl.8
++++ b/man/man8/setup-ds.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH SETUP-DS.PL 8 "May 18, 2008"
++.TH SETUP-DS.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -103,9 +103,9 @@ Offline \- servers \fBmust be shutdown\fR - no username or password required
+ .SH AUTHOR
+ setup-ds.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2008 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ .br
+ This manual page was written by Michele Baldessari ,
+ for the Debian project (but may be used by others).
+diff --git a/man/man8/start-dirsrv.8 b/man/man8/start-dirsrv.8 +index f34da66..34f3988 100644 +--- a/man/man8/start-dirsrv.8 ++++ b/man/man8/start-dirsrv.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH START-DIRSRV 8 "Jun 8, 2010" ++.TH START-DIRSRV 8 "March 31, 2017" + .\" Please adjust this date whenever revising the manpage. + .\" + .\" Some roff macros, for reference: +@@ -40,9 +40,9 @@ Sample usage: + .SH AUTHOR + start\-dirsrv was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2010 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. + .br + This is free software. You may redistribute copies of it under the terms of + the Directory Server license found in the LICENSE file of this +diff --git a/man/man8/status-dirsrv.8 b/man/man8/status-dirsrv.8 +index 83844b3..862c871 100644 +--- a/man/man8/status-dirsrv.8 ++++ b/man/man8/status-dirsrv.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH STATUS-DIRSRV 8 "Jan 20, 2016" ++.TH STATUS-DIRSRV 8 "March 31, 2017" + .\" Please adjust this date whenever revising the manpage. + .\" + .\" Some roff macros, for reference: +@@ -45,9 +45,9 @@ If a single Directory Server instance is specified, 0 is returned if the instanc + .SH AUTHOR + status\-dirsrv was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2016 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. + .br + This is free software. 
You may redistribute copies of it under the terms of + the Directory Server license found in the LICENSE file of this +diff --git a/man/man8/stop-dirsrv.8 b/man/man8/stop-dirsrv.8 +index 08bf493..fdca0a9 100644 +--- a/man/man8/stop-dirsrv.8 ++++ b/man/man8/stop-dirsrv.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH STOP-DIRSRV 8 "Jun 8, 2010" ++.TH STOP-DIRSRV 8 "March 31, 2017" + .\" Please adjust this date whenever revising the manpage. + .\" + .\" Some roff macros, for reference: +@@ -40,9 +40,9 @@ Sample usage: + .SH AUTHOR + stop\-dirsrv was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2010 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. + .br + This is free software. You may redistribute copies of it under the terms of + the Directory Server license found in the LICENSE file of this +diff --git a/man/man8/suffix2instance.8 b/man/man8/suffix2instance.8 +index 8e30f4a..0e4cf69 100644 +--- a/man/man8/suffix2instance.8 ++++ b/man/man8/suffix2instance.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH SUFFIX2INSTANCE 8 "Mar 5, 2013" ++.TH SUFFIX2INSTANCE 8 "March 31, 2017" + .\" Please adjust this date whenever revising the manpage. + .\" + .\" Some roff macros, for reference: +@@ -46,6 +46,6 @@ to standard error. + .SH AUTHOR + suffix2instance was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2013 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. 
+diff --git a/man/man8/syntax-validate.pl.8 b/man/man8/syntax-validate.pl.8
+index ece2d59..d34c49d 100644
+--- a/man/man8/syntax-validate.pl.8
++++ b/man/man8/syntax-validate.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH SYNTAX-VALIDATE.PL 8 "Mar 5, 2013"
++.TH SYNTAX-VALIDATE.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -68,6 +68,6 @@ to standard error.
+ .SH AUTHOR
+ syntax-validate.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/upgradedb.8 b/man/man8/upgradedb.8
+index 495c722..70d1c5f 100644
+--- a/man/man8/upgradedb.8
++++ b/man/man8/upgradedb.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH UPGRADEDB 8 "Mar 5, 2013"
++.TH UPGRADEDB 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -50,7 +50,7 @@ to standard error.
+ .SH AUTHOR
+ upgradedb was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+ 
+diff --git a/man/man8/upgradednformat.8 b/man/man8/upgradednformat.8
+index 3f3f58f..7513994 100644
+--- a/man/man8/upgradednformat.8
++++ b/man/man8/upgradednformat.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH UPGRADEDNFORMAT 8 "Mar 5, 2013"
++.TH UPGRADEDNFORMAT 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -50,6 +50,6 @@ to standard error.
+ .SH AUTHOR
+ upgradednformat was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/usn-tombstone-cleanup.pl.8 b/man/man8/usn-tombstone-cleanup.pl.8
+index f78b230..c5aabc5 100644
+--- a/man/man8/usn-tombstone-cleanup.pl.8
++++ b/man/man8/usn-tombstone-cleanup.pl.8
+@@ -2,7 +2,7 @@
+ .\" First parameter, NAME, should be all caps
+ .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+ .\" other parameters are allowed: see man(7), man(1)
+-.TH USN-TOMBSTONE-CLEANUP.PL 8 "Mar 5, 2013"
++.TH USN-TOMBSTONE-CLEANUP.PL 8 "March 31, 2017"
+ .\" Please adjust this date whenever revising the manpage.
+ .\"
+ .\" Some roff macros, for reference:
+@@ -71,6 +71,6 @@ to standard error.
+ .SH AUTHOR
+ usn-tombstone-cleanup.pl was written by the 389 Project.
+ .SH "REPORTING BUGS"
+-Report bugs to https://fedorahosted.org/389/newticket.
++Report bugs to https://pagure.io/389-ds-base/new_issue
+ .SH COPYRIGHT
+-Copyright \(co 2013 Red Hat, Inc.
++Copyright \(co 2017 Red Hat, Inc.
+diff --git a/man/man8/verify-db.pl.8 b/man/man8/verify-db.pl.8 +index 500b713..0de3af5 100644 +--- a/man/man8/verify-db.pl.8 ++++ b/man/man8/verify-db.pl.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH VERIFY-DB.PL 8 "Mar 5, 2013" ++.TH VERIFY-DB.PL 8 "March 31, 2017" + .\" Please adjust this date whenever revising the manpage. + .\" + .\" Some roff macros, for reference: +@@ -44,6 +44,6 @@ to standard error. + .SH AUTHOR + verify-db.pl was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2013 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. +diff --git a/man/man8/vlvindex.8 b/man/man8/vlvindex.8 +index 154f1c2..f3e1748 100644 +--- a/man/man8/vlvindex.8 ++++ b/man/man8/vlvindex.8 +@@ -2,7 +2,7 @@ + .\" First parameter, NAME, should be all caps + .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection + .\" other parameters are allowed: see man(7), man(1) +-.TH VLVINDEX 8 "Mar 5, 2013" ++.TH VLVINDEX 8 "March 31, 2017" + .\" Please adjust this date whenever revising the manpage. + .\" + .\" Some roff macros, for reference: +@@ -53,6 +53,6 @@ to standard error. + .SH AUTHOR + vlvindex was written by the 389 Project. + .SH "REPORTING BUGS" +-Report bugs to https://fedorahosted.org/389/newticket. ++Report bugs to https://pagure.io/389-ds-base/new_issue + .SH COPYRIGHT +-Copyright \(co 2013 Red Hat, Inc. ++Copyright \(co 2017 Red Hat, Inc. +-- +2.9.3 + diff --git a/SOURCES/0019-Ticket-48939-nsslapd-workingdir-is-empty-when-ns-sla.patch b/SOURCES/0019-Ticket-48939-nsslapd-workingdir-is-empty-when-ns-sla.patch deleted file mode 100644 index 06e3ccb..0000000 --- a/SOURCES/0019-Ticket-48939-nsslapd-workingdir-is-empty-when-ns-sla.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 6b5c8ba040fa482c1817c044716bb994f173d373 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Wed, 27 Jul 2016 11:23:17 -0700 -Subject: [PATCH 19/29] Ticket #48939 - nsslapd-workingdir is empty when - ns-slapd is started by systemd - -Description: Thanks to tbordaz@redhat.com for suggesting to reset the -working dir in the error cases. I've added more error checks and -resetting the nsslapd-workingdir values. - -https://fedorahosted.org/389/ticket/48939 - -Reviewed by mreynolds@redhat.com (Thank you, Mark!!) - -(cherry picked from commit 70d06dab96468e0c6712482186f22de8e2c33e17) ---- - ldap/servers/slapd/detach.c | 45 +++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 41 insertions(+), 4 deletions(-) - -diff --git a/ldap/servers/slapd/detach.c b/ldap/servers/slapd/detach.c -index cd13a99..2f5667f 100644 ---- a/ldap/servers/slapd/detach.c -+++ b/ldap/servers/slapd/detach.c -@@ -59,14 +59,41 @@ set_workingdir() - errorlog = config_get_errorlog(); - if (NULL == errorlog) { - rc = chdir("/"); -+ if (0 == rc) { -+ if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, "/", errorbuf, 1) == LDAP_OPERATIONS_ERROR) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: set workingdir failed with \"%s\"\n", errorbuf); -+ } -+ } else { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: failed to chdir to %s\n", "/"); -+ } - } else { - ptr = strrchr(errorlog, '/'); - if (ptr) { - *ptr = '\0'; - } - rc = chdir(errorlog); -- if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, errorlog, errorbuf, 1) == LDAP_OPERATIONS_ERROR) { -- LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: set workingdir failed with \"%s\"\n", errorbuf); -+ if (0 == rc) { -+ if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, errorlog, errorbuf, 1) == LDAP_OPERATIONS_ERROR) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: set workingdir failed with \"%s\"\n", errorbuf); -+ rc = chdir("/"); -+ if (0 == rc) { -+ if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, "/", errorbuf, 1) == 
LDAP_OPERATIONS_ERROR) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: set workingdir failed with \"%s\"\n", errorbuf); -+ } -+ } else { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: failed to chdir to %s\n", "/"); -+ } -+ } -+ } else { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: failed to chdir to %s\n", errorlog); -+ rc = chdir("/"); -+ if (0 == rc) { -+ if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, "/", errorbuf, 1) == LDAP_OPERATIONS_ERROR) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: set workingdir failed with \"%s\"\n", errorbuf); -+ } -+ } else { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: failed to chdir to %s\n", "/"); -+ } - } - slapi_ch_free_string(&errorlog); - } -@@ -75,8 +102,18 @@ set_workingdir() - if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, workingdir, errorbuf, 0) == LDAP_OPERATIONS_ERROR) { - LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: set workingdir failed with \"%s\"\n", errorbuf); - rc = chdir("/"); -+ if (0 == rc) { -+ if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, "/", errorbuf, 1) == LDAP_OPERATIONS_ERROR) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: set workingdir failed with \"%s\"\n", errorbuf); -+ } -+ } else { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: failed to chdir to %s\n", "/"); -+ } - } else { - rc = chdir(workingdir); -+ if (rc) { -+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "detach: failed to chdir to %s\n", workingdir); -+ } - } - slapi_ch_free_string(&workingdir); - } -@@ -115,7 +152,7 @@ detach( int slapd_exemode, int importexport_encrypt, - } - - if (set_workingdir()) { -- LDAPDebug0Args(LDAP_DEBUG_ANY, "detach: chdir to workingdir failed.\n"); -+ LDAPDebug0Args(LDAP_DEBUG_ANY, "detach: set_workingdir failed.\n"); - } - - if ( (sd = open( "/dev/null", O_RDWR )) == -1 ) { -@@ -142,7 +179,7 @@ detach( int slapd_exemode, int importexport_encrypt, - return 1; - } - if (set_workingdir()) { -- LDAPDebug0Args(LDAP_DEBUG_ANY, "detach: chdir to workingdir failed.\n"); -+ LDAPDebug0Args(LDAP_DEBUG_ANY, "detach: set_workingdir 
failed.\n"); - } - } - --- -2.4.11 - diff --git a/SOURCES/0020-Issue-49039-password-min-age-should-be-ignored-if-pa.patch b/SOURCES/0020-Issue-49039-password-min-age-should-be-ignored-if-pa.patch new file mode 100644 index 0000000..68aedd6 --- /dev/null +++ b/SOURCES/0020-Issue-49039-password-min-age-should-be-ignored-if-pa.patch 
@@ -0,0 +1,121 @@ +From 578d207cd66e97e9ff8211559c62114a961e35a8 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 28 Mar 2017 14:21:47 -0400 +Subject: [PATCH] Issue 49039 - password min age should be ignored if password + needs to be reset + +Description: Do not check the password minimum age when changing a password + if the password "must" be reset. + +https://pagure.io/389-ds-base/issue/49039 + +Reviewed by: firstyear(Thanks!) +--- + dirsrvtests/tests/tickets/ticket49039_test.py | 79 +++++++++++++++++++++++++++ + ldap/servers/slapd/modify.c | 4 +- + 2 files changed, 81 insertions(+), 2 deletions(-) + create mode 100644 dirsrvtests/tests/tickets/ticket49039_test.py + +diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py +new file mode 100644 +index 0000000..e6d4c03 +--- /dev/null ++++ b/dirsrvtests/tests/tickets/ticket49039_test.py +@@ -0,0 +1,79 @@ ++import time ++import ldap ++import logging ++import pytest ++from lib389 import Entry ++from lib389._constants import * ++from lib389.properties import * ++from lib389.tasks import * ++from lib389.utils import * ++from lib389.topologies import topology_st as topo ++ ++DEBUGGING = os.getenv("DEBUGGING", default=False) ++if DEBUGGING: ++ logging.getLogger(__name__).setLevel(logging.DEBUG) ++else: ++ logging.getLogger(__name__).setLevel(logging.INFO) ++log = logging.getLogger(__name__) ++ ++USER_DN = 'uid=user,dc=example,dc=com' ++ ++ ++def test_ticket49039(topo): ++ """Test "password must change" verses "password min age". Min age should not ++ block password update if the password was reset. 
++ """ ++ ++ # Configure password policy ++ try: ++ topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'), ++ (ldap.MOD_REPLACE, 'passwordMustChange', 'on'), ++ (ldap.MOD_REPLACE, 'passwordExp', 'on'), ++ (ldap.MOD_REPLACE, 'passwordMaxAge', '86400000'), ++ (ldap.MOD_REPLACE, 'passwordMinAge', '8640000'), ++ (ldap.MOD_REPLACE, 'passwordChange', 'on')]) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to set password policy: ' + str(e)) ++ ++ # Add user, bind, and set password ++ try: ++ topo.standalone.add_s(Entry((USER_DN, { ++ 'objectclass': 'top extensibleObject'.split(), ++ 'uid': 'user1', ++ 'userpassword': PASSWORD ++ }))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add user: error ' + e.message['desc']) ++ assert False ++ ++ # Reset password as RootDN ++ try: ++ topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)]) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind: error ' + e.message['desc']) ++ assert False ++ ++ time.sleep(1) ++ ++ # Reset password as user ++ try: ++ topo.standalone.simple_bind_s(USER_DN, PASSWORD) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)]) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to change password: error ' + e.message['desc']) ++ assert False ++ ++ log.info('Test Passed') ++ ++ ++if __name__ == '__main__': ++ # Run isolated ++ # -s for DEBUG mode ++ CURRENT_FILE = os.path.realpath(__file__) ++ pytest.main("-s %s" % CURRENT_FILE) ++ +diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c +index 4bef90a..32defae 100644 +--- a/ldap/servers/slapd/modify.c ++++ b/ldap/servers/slapd/modify.c +@@ -1326,8 +1326,8 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old + + /* check if password is within password minimum age; + error result is sent 
directly from check_pw_minage */ +- if ((internal_op || !pb->pb_conn->c_needpw) && +- check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) ++ if (!pb->pb_conn->c_needpw && ++ check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) + { + if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) + { +-- +2.9.3 + diff --git a/SOURCES/0020-Ticket-48934-remove-ds.pl-deletes-an-instance-even-i.patch b/SOURCES/0020-Ticket-48934-remove-ds.pl-deletes-an-instance-even-i.patch deleted file mode 100644 index 643f3b7..0000000 --- a/SOURCES/0020-Ticket-48934-remove-ds.pl-deletes-an-instance-even-i.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 8f761940cb93fc8e64ed9022c3a6f21e90c281aa Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Wed, 27 Jul 2016 12:40:25 -0700 -Subject: [PATCH 20/29] Ticket #48934 - remove-ds.pl deletes an instance even - if wrong prefix was specified - -Description: remove-ds.pl skipped to check "slapd" part of "slapd-instance". -This patch adds the check and if it is not "slapd", it quits with the error -message. For example: -Error: Invalid instance name "bogus-test" - -https://fedorahosted.org/389/ticket/48934 - -Reviewed by mreynolds@redhat.com (Thanks, Mark!!) - -(cherry picked from commit 2b341922a42f305122fbd6eb97e96e0612f8e5d2) ---- - ldap/admin/src/scripts/remove-ds.pl.in | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/ldap/admin/src/scripts/remove-ds.pl.in b/ldap/admin/src/scripts/remove-ds.pl.in -index b35ae32..252f3f9 100755 ---- a/ldap/admin/src/scripts/remove-ds.pl.in -+++ b/ldap/admin/src/scripts/remove-ds.pl.in -@@ -52,6 +52,10 @@ unless ($inst) { - print STDERR "Full instance name must be specified (e.g. - slapd-example)\n"; - exit 1; - } -+unless ($slapd eq "slapd") { -+ print STDERR "Error: Invalid instance name \"$instname\"\n"; -+ exit 1; -+} - - my @errs = removeDSInstance($inst, $force, $all, $initconfig_dir); - if (@errs) { --- -2.4.11 - 
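Review bot: In the `ldap/servers/slapd/modify.c` part of the added patch, dropping the `internal_op ||` operand means `pb->pb_conn->c_needpw` is now read on every call, including internal operations that the old condition short-circuited past. If an internal modify of `userpassword` can reach `op_shared_allow_pw_change` with no connection set in the pblock (not visible in this hunk, so worth confirming against the callers), the server dereferences a null pointer and crashes during a password change. A guard such as `if (pb->pb_conn && !pb->pb_conn->c_needpw &&` keeps the "skip min age when a reset is required" behaviour without the unchecked dereference; it also skips the min-age check for connection-less operations, so the comment above the condition should state that choice. The added `ticket49039_test.py` only exercises the user-bound path and merely logs a failed policy setup instead of failing, so it would not catch this; the function body starts and ends outside the hunk.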
diff --git a/SOURCES/0021-Ticket-48940-DS-logs-have-warning-ancestorid-not-ind.patch b/SOURCES/0021-Ticket-48940-DS-logs-have-warning-ancestorid-not-ind.patch deleted file mode 100644 index 868a653..0000000 --- a/SOURCES/0021-Ticket-48940-DS-logs-have-warning-ancestorid-not-ind.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 9cffd76c95e679042861881182ab8567915b4ad8 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Wed, 27 Jul 2016 14:37:13 -0700 -Subject: [PATCH 21/29] Ticket #48940 - DS logs have warning:ancestorid not - indexed - -Description: When reindexing, the subtree to be reindexed is empty, -a cryptic warning message is logged in the error log: - warning: ancestorid not indexed on 10; possibly, the entry id ## - has no descendants yet. -This message is benign and not to be logged as DEBUG_ANY/FATAL. - -The message is logged when the log level is set to BACKLDBM = 0x080000 - # vlvindex -Z test -n userRoot -T testIndex -d 524288 -as follows: - Info: Entry id ### has no descendants according to ancestorid. Index - file created by this reindex will be empty. - -https://fedorahosted.org/389/ticket/48940 - -Reviewed by wibrown@redhat.com (Thank you, William!!) - -(cherry picked from commit 17dc978c84e6099e4abe884a535067147b618c37) ---- - ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -index 52338c2..5898361 100644 ---- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -@@ -903,11 +903,10 @@ static IDList *ldbm_fetch_subtrees(backend *be, char **include, int *err) - slapi_sdn_done(&sdn); - if (idl == NULL) { - if (DB_NOTFOUND == *err) { -- LDAPDebug(LDAP_DEBUG_ANY, -- "warning: %s not indexed on %lu; " -- "possibly, the entry id %lu has no descendants yet.\n", -- entryrdn_get_noancestorid()?"entryrdn":"ancestorid", -- id, id); -+ LDAPDebug2Args(LDAP_DEBUG_BACKLDBM, -+ "Info: Entry id %lu has no descendants according to %s. " -+ "Index file created by this reindex will be empty.\n", -+ id, entryrdn_get_noancestorid()?"entryrdn":"ancestorid"); - *err = 0; /* not a problem */ - } else { - LDAPDebug(LDAP_DEBUG_ANY, --- -2.4.11 - 
diff --git a/SOURCES/0021-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch b/SOURCES/0021-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch
new file mode 100644
index 0000000..15f6cd2
--- /dev/null
+++ b/SOURCES/0021-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch
@@ -0,0 +1,110 @@ +From ea60248d99abb8fed9f7a2b1ab7325c5523b8562 Mon Sep 17 00:00:00 2001 +From: Ludwig Krispenz +Date: Mon, 3 Apr 2017 09:32:20 +0200 +Subject: [PATCH] fix for cve 2017-2668 - simple return text if suffix not + found + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1436575 + +Signed-off-by: Mark Reynolds +--- + ldap/servers/slapd/defbackend.c | 75 ++--------------------------------------- + 1 file changed, 2 insertions(+), 73 deletions(-) + +diff --git a/ldap/servers/slapd/defbackend.c b/ldap/servers/slapd/defbackend.c +index 6fd74a3..6cd2c04 100644 +--- a/ldap/servers/slapd/defbackend.c ++++ b/ldap/servers/slapd/defbackend.c +@@ -166,50 +166,7 @@ defbackend_abandon( Slapi_PBlock *pb ) + } + + +-#define DEFBE_NO_SUCH_SUFFIX "No such suffix" +-/* +- * Generate a "No such suffix" return text +- * Example: +- * cn=X,dc=bogus,dc=com ==> "No such suffix (dc=bogus,dc=com)" +- * if the last rdn starts with "dc=", print all last dc= rdn's. +- * cn=X,cn=bogus ==> "No such suffix (cn=bogus)" +- * otherwise, print the very last rdn. +- * cn=X,z=bogus ==> "No such suffix (x=bogus)" +- * it is true even if it is an invalid rdn. +- * cn=X,bogus ==> "No such suffix (bogus)" +- * another example of invalid rdn. +- */ +-static void +-_defbackend_gen_returntext(char *buffer, size_t buflen, char **dns) +-{ +- int dnidx; +- int sidx; +- struct suffix_repeat { +- char *suffix; +- int size; +- } candidates[] = { +- {"dc=", 3}, /* dc could be repeated. otherwise the last rdn is used. */ +- {NULL, 0} +- }; +- PR_snprintf(buffer, buflen, "%s (", DEFBE_NO_SUCH_SUFFIX); +- for (dnidx = 0; dns[dnidx]; dnidx++) ; /* finding the last */ +- dnidx--; /* last rdn */ +- for (sidx = 0; candidates[sidx].suffix; sidx++) { +- if (!PL_strncasecmp(dns[dnidx], candidates[sidx].suffix, candidates[sidx].size)) { +- while (!PL_strncasecmp(dns[--dnidx], candidates[sidx].suffix, candidates[sidx].size)) ; +- PL_strcat(buffer, dns[++dnidx]); /* the first "dn=", e.g. 
*/ +- for (++dnidx; dns[dnidx]; dnidx++) { +- PL_strcat(buffer, ","); +- PL_strcat(buffer, dns[dnidx]); +- } +- PL_strcat(buffer, ")"); +- return; /* finished the task */ +- } +- } +- PL_strcat(buffer, dns[dnidx]); +- PL_strcat(buffer, ")"); +- return; +-} ++#define DEFBE_NO_SUCH_SUFFIX "No suffix for bind dn found" + + static int + defbackend_bind( Slapi_PBlock *pb ) +@@ -231,36 +188,8 @@ defbackend_bind( Slapi_PBlock *pb ) + slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsAnonymousBinds); + rc = SLAPI_BIND_ANONYMOUS; + } else { +- Slapi_DN *sdn = NULL; +- char *suffix = NULL; +- char **dns = NULL; +- +- if (pb->pb_op) { +- sdn = operation_get_target_spec(pb->pb_op); +- if (sdn) { +- dns = slapi_ldap_explode_dn(slapi_sdn_get_dn(sdn), 0); +- if (dns) { +- size_t dnlen = slapi_sdn_get_ndn_len(sdn); +- size_t len = dnlen + sizeof(DEFBE_NO_SUCH_SUFFIX) + 4; +- suffix = slapi_ch_malloc(len); +- if (dnlen) { +- _defbackend_gen_returntext(suffix, len, dns); +- } else { +- PR_snprintf(suffix, len, "%s", DEFBE_NO_SUCH_SUFFIX); +- } +- } +- } +- } +- if (suffix) { +- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, suffix); +- } else { +- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, DEFBE_NO_SUCH_SUFFIX); +- } ++ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, DEFBE_NO_SUCH_SUFFIX); + send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL); +- if (dns) { +- slapi_ldap_value_free(dns); +- } +- slapi_ch_free_string(&suffix); + rc = SLAPI_BIND_FAIL; + } + +-- +2.9.3 + diff --git a/SOURCES/0022-Issue-47662-CLI-args-get-removed.patch b/SOURCES/0022-Issue-47662-CLI-args-get-removed.patch new file mode 100644 index 0000000..6bd0608 --- /dev/null +++ b/SOURCES/0022-Issue-47662-CLI-args-get-removed.patch 
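Review bot: The new `#define DEFBE_NO_SUCH_SUFFIX "No suffix for bind dn found"` in defbackend.c has no comment recording why the result text became a constant, and the commit message does not describe the flaw either. The removed `_defbackend_gen_returntext` assembled the text from the exploded bind DN, stepping backwards with `dns[--dnidx]` without a lower bound and appending with `PL_strcat` into a buffer sized from `slapi_sdn_get_ndn_len`; to keep that from returning I would add above the define `/* Fixed text on purpose: never derive this from the client-supplied bind DN (CVE-2017-2668). */`. The constant still tells an unauthenticated client that no suffix matched, which may differ from the reply for a wrong password under an existing suffix, so it is worth confirming that this distinction is acceptable. `defbackend_bind` starts and ends outside the hunk, and the patch adds no regression test for a bind DN that lies outside every suffix.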
@@ -0,0 +1,63 @@ +From 3937047eee31638df068b3294aa90ef603915676 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 10 Apr 2017 14:55:55 -0400 +Subject: [PATCH] Issue 47662 - CLI args get removed + +Bug Description. Regression from previous fix. The process to check unknown + CLI options blows away the built-in arg list "$@" + +Fix Description: Make a copy of $@, and use it as needed. + +https://pagure.io/389-ds-base/issue/47662 + +Reviewed by: nhosoi(Thanks!) +--- + ldap/admin/src/scripts/db2ldif.in | 3 ++- + ldap/admin/src/scripts/ldif2db.in | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/ldap/admin/src/scripts/db2ldif.in b/ldap/admin/src/scripts/db2ldif.in +index 85854b3..08f30e4 100755 +--- a/ldap/admin/src/scripts/db2ldif.in ++++ b/ldap/admin/src/scripts/db2ldif.in +@@ -130,6 +130,7 @@ do + esac + done + ++ARGS=$@ + shift $(($OPTIND - 1)) + if [ $1 ] + then +@@ -156,7 +157,7 @@ fi + servid=`normalize_server_id $initfile` + . $initfile + +-ldif_file=`make_ldiffile $@` ++ldif_file=`make_ldiffile $ARGS` + rn=$? + + echo "Exported ldif file: $ldif_file" +diff --git a/ldap/admin/src/scripts/ldif2db.in b/ldap/admin/src/scripts/ldif2db.in +index f968303..20c7d46 100755 +--- a/ldap/admin/src/scripts/ldif2db.in ++++ b/ldap/admin/src/scripts/ldif2db.in +@@ -87,6 +87,7 @@ then + exit 1 + fi + ++ARGS=$@ + shift $(($OPTIND - 1)) + if [ $1 ] + then +@@ -106,7 +107,7 @@ fi + + . $initfile + +-handleopts $@ ++handleopts $ARGS + quiet=$? + if [ $quiet -eq 0 ]; then + echo importing data ... +-- +2.9.3 + diff --git a/SOURCES/0022-Ticket-48882-server-can-hang-in-connection-list-proc.patch b/SOURCES/0022-Ticket-48882-server-can-hang-in-connection-list-proc.patch deleted file mode 100644 index 79a896d..0000000 --- a/SOURCES/0022-Ticket-48882-server-can-hang-in-connection-list-proc.patch +++ /dev/null 
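Review bot: `ARGS=$@` in db2ldif.in and ldif2db.in flattens the argument list into one string, and the unquoted `$ARGS` handed to `make_ldiffile` and `handleopts` is then re-split on whitespace and glob-expanded. An LDIF path or option value containing a space or `*` therefore reaches those functions as different words than the administrator typed. If these scripts run under bash, `ARGS=("$@")` with `make_ldiffile "${ARGS[@]}"` (and `handleopts "${ARGS[@]}"`) keeps each argument intact; under plain sh the call would have to use `"$@"` before the `shift`, provided it does not depend on `$initfile` being sourced first. The interpreter line is outside the hunks, so which of the two applies needs checking.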
@@ -1,115 +0,0 @@ -From f993a9b5a1ac95728baae201543cad5993a28da1 Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Mon, 1 Aug 2016 10:47:31 +0200 -Subject: [PATCH 22/29] Ticket 48882 - server can hang in connection list - processing - -Bug Description: if a thread holding the connection monitor - is stuck in polling and the client doesn't - respond, the main thread can be blocked on - this connection when iterating the connection - table. - -Fix Description: Implement a test and enter function for the connection - monitor, so the main thread will never wait for a - connection monitor already owned by an other thread - -https://fedorahosted.org/389/ticket/48882 - -Reviewed by: Noriko, Thanks - -(cherry picked from commit 7110db91e75f392f1c83643d9aa88895992d9c01) ---- - ldap/servers/slapd/daemon.c | 69 ++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 68 insertions(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c -index 81a54cf..23c30c3 100644 ---- a/ldap/servers/slapd/daemon.c -+++ b/ldap/servers/slapd/daemon.c -@@ -164,6 +164,67 @@ static void unfurl_banners(Connection_Table *ct,daemon_ports_t *ports, PRFileDes - static int write_pid_file(); - static int init_shutdown_detect(); - -+/* -+ * NSPR has different implementations for PRMonitor, depending -+ * on the availble threading model -+ * The PR_TestAndEnterMonitor is not available for pthreads -+ * so this is a implementation based on the code in -+ * prmon.c adapted to resemble the implementation in ptsynch.c -+ * -+ * The function needs access to the elements of the PRMonitor struct. -+ * Therfor the pthread variant of PRMonitor is copied here. 
-+ */ -+typedef struct MY_PRMonitor { -+ const char* name; -+ pthread_mutex_t lock; -+ pthread_t owner; -+ pthread_cond_t entryCV; -+ pthread_cond_t waitCV; -+ PRInt32 refCount; -+ PRUint32 entryCount; -+ PRIntn notifyTimes; -+} MY_PRMonitor; -+ -+static PRBool MY_TestAndEnterMonitor(MY_PRMonitor *mon) -+{ -+ pthread_t self = pthread_self(); -+ PRStatus rv; -+ PRBool rc = PR_FALSE; -+ -+ PR_ASSERT(mon != NULL); -+ rv = pthread_mutex_lock(&mon->lock); -+ if (rv != 0) { -+ slapi_log_error(SLAPI_LOG_FATAL ,"TestAndEnterMonitor", -+ "Failed to acquire monitor mutex, error (%d)\n", rv); -+ return rc; -+ } -+ if (mon->entryCount != 0) { -+ if (pthread_equal(mon->owner, self)) -+ goto done; -+ rv = pthread_mutex_unlock(&mon->lock); -+ if (rv != 0) { -+ slapi_log_error(SLAPI_LOG_FATAL ,"TestAndEnterMonitor", -+ "Failed to release monitor mutex, error (%d)\n", rv); -+ } -+ return PR_FALSE; -+ } -+ /* and now I have the monitor */ -+ PR_ASSERT(mon->notifyTimes == 0); -+ PR_ASSERT((mon->owner) == 0); -+ mon->owner = self; -+ -+done: -+ mon->entryCount += 1; -+ rv = pthread_mutex_unlock(&mon->lock); -+ if (rv == PR_SUCCESS) { -+ rc = PR_TRUE; -+ } else { -+ slapi_log_error(SLAPI_LOG_FATAL ,"TestAndEnterMonitor", -+ "Failed to release monitor mutex, error (%d)\n", rv); -+ rc = PR_FALSE; -+ } -+ return rc; -+} - /* Globals which are used to store the sockets between - * calls to daemon_pre_setuid_init() and the daemon thread - * creation. */ -@@ -1552,7 +1613,13 @@ setup_pr_read_pds(Connection_Table *ct, PRFileDesc **n_tcps, PRFileDesc **s_tcps - } - else - { -- PR_EnterMonitor(c->c_mutex); -+ /* we try to acquire the connection mutex, if it is already -+ * acquired by another thread, don't wait -+ */ -+ if (PR_FALSE == MY_TestAndEnterMonitor((MY_PRMonitor *)c->c_mutex)) { -+ c = next; -+ continue; -+ } - if (c->c_flags & CONN_FLAG_CLOSING) - { - /* A worker thread has marked that this connection --- -2.4.11 - 
diff --git a/SOURCES/0023-Issue-49210-Fix-regression-when-checking-is-password.patch b/SOURCES/0023-Issue-49210-Fix-regression-when-checking-is-password.patch
new file mode 100644
index 0000000..850d829
--- /dev/null
+++ b/SOURCES/0023-Issue-49210-Fix-regression-when-checking-is-password.patch
@@ -0,0 +1,141 @@ +From 5854fc41c6620567f0356e382baec4eda1e645b2 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 5 Apr 2017 11:05:28 -0400 +Subject: [PATCH] Issue 49210 - Fix regression when checking is password min + age should be checked + +Bug Description: If a plugin makes an internal modification of userpassword + the connection structure in the pblock is null, and it was + being dereferenced. + +Fix Description: These internal operations do not need to have the password + policy checks done. They are intended to be unrestricted. + So we only need to check password policy on client connections. + The fix frist hecks if the connection structy is present, + only then it continues. + + Revised test script to include the tool: ldappasswd + +https://pagure.io/389-ds-base/issue/49210 + +Reviewed by: firstyear(Thanks!) +--- + dirsrvtests/tests/tickets/ticket49039_test.py | 62 +++++++++++++++++++++++++++ + ldap/servers/slapd/modify.c | 2 +- + 2 files changed, 63 insertions(+), 1 deletion(-) + +diff --git a/dirsrvtests/tests/tickets/ticket49039_test.py b/dirsrvtests/tests/tickets/ticket49039_test.py +index e6d4c03..f0b224c 100644 +--- a/dirsrvtests/tests/tickets/ticket49039_test.py ++++ b/dirsrvtests/tests/tickets/ticket49039_test.py +@@ -2,6 +2,7 @@ import time + import ldap + import logging + import pytest ++import os + from lib389 import Entry + from lib389._constants import * + from lib389.properties import * +@@ -9,6 +10,7 @@ from lib389.tasks import * + from lib389.utils import * + from lib389.topologies import topology_st as topo + ++ + DEBUGGING = os.getenv("DEBUGGING", default=False) + if DEBUGGING: + logging.getLogger(__name__).setLevel(logging.DEBUG) +@@ -19,11 +21,39 @@ log = logging.getLogger(__name__) + USER_DN = 'uid=user,dc=example,dc=com' + + ++def ssl_init(topo): ++ """ Setup TLS ++ """ ++ topo.standalone.stop() ++ # Prepare SSL but don't enable it. 
++ for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'): ++ try: ++ os.remove("%s/%s" % (topo.standalone.confdir, f)) ++ except: ++ pass ++ assert(topo.standalone.nss_ssl.reinit() is True) ++ assert(topo.standalone.nss_ssl.create_rsa_ca() is True) ++ assert(topo.standalone.nss_ssl.create_rsa_key_and_cert() is True) ++ # Start again ++ topo.standalone.start() ++ topo.standalone.rsa.create() ++ topo.standalone.config.set('nsslapd-ssl-check-hostname', 'off') ++ topo.standalone.config.set('nsslapd-secureport', '%s' % ++ SECUREPORT_STANDALONE1) ++ topo.standalone.config.set('nsslapd-security', 'on') ++ topo.standalone.restart() ++ ++ log.info("SSL setup complete\n") ++ ++ + def test_ticket49039(topo): + """Test "password must change" verses "password min age". Min age should not + block password update if the password was reset. + """ + ++ # Setup SSL (for ldappasswd test) ++ ssl_init(topo) ++ + # Configure password policy + try: + topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on'), +@@ -68,6 +98,38 @@ def test_ticket49039(topo): + log.fatal('Failed to change password: error ' + e.message['desc']) + assert False + ++ ################################### ++ # Make sure ldappasswd also works ++ ################################### ++ ++ # Reset password as RootDN ++ try: ++ topo.standalone.simple_bind_s(DN_DM, PASSWORD) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind as rootdn: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ topo.standalone.modify_s(USER_DN, [(ldap.MOD_REPLACE, 'userpassword', PASSWORD)]) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind: error ' + e.message['desc']) ++ assert False ++ ++ time.sleep(1) ++ ++ # Run ldappasswd as the User. 
++ cmd = ('LDAPTLS_REQCERT=never LDAPTLS_CACERTDIR=' + topo.standalone.get_cert_dir() + ++ ' ldappasswd' + ' -h ' + topo.standalone.host + ' -Z -p 38901 -D ' + USER_DN + ++ ' -w password -a password -s password2 ' + USER_DN) ++ os.system(cmd) ++ time.sleep(1) ++ ++ try: ++ topo.standalone.simple_bind_s(USER_DN, "password2") ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind: error ' + e.message['desc']) ++ assert False ++ + log.info('Test Passed') + + +diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c +index 32defae..e23fe67 100644 +--- a/ldap/servers/slapd/modify.c ++++ b/ldap/servers/slapd/modify.c +@@ -1326,7 +1326,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old + + /* check if password is within password minimum age; + error result is sent directly from check_pw_minage */ +- if (!pb->pb_conn->c_needpw && ++ if (pb->pb_conn && !pb->pb_conn->c_needpw && + check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) + { + if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS)) +-- +2.9.3 + diff --git a/SOURCES/0023-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch b/SOURCES/0023-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch deleted file mode 100644 index 911a66b..0000000 --- a/SOURCES/0023-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch +++ /dev/null 
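Review bot: The new guard `pb->pb_conn && !pb->pb_conn->c_needpw && check_pw_minage(...)` in modify.c skips the minimum-age check for every operation that has no connection, rather than only avoiding the NULL dereference, and nothing in the code says so. The added ldappasswd test suggests that the password modify extended operation reaches `op_shared_allow_pw_change` without a connection; if so, a user-initiated change through that path would no longer be subject to passwordMinAge, which should be confirmed against the intended policy. I would add above the condition `/* pb_conn is NULL for internal operations, which deliberately bypass the min-age check */` and extend the test to assert that a second ldappasswd inside the minimum age is refused. The function body starts and ends outside the hunk.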
@@ -1,369 +0,0 @@ -From f0e03b5a51972a125fe78f448d1f68e288782d1e Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Thu, 21 Jul 2016 13:22:30 +1000 -Subject: [PATCH 23/29] Ticket bz1358565 - clear and unsalted password types - are vulnerable to timing attack - -Bug Description: Clear and unsalted password types were vulnerable to a timing -attack. This is due to the use of memcmp and strcmp in their comparison. - -Fix Description: Add a constant time memcmp function, that does not shortcircuit. -Change all password comparison to use the constant time check. For the clear -scheme, alter the way we do the check to prevent length disclosure timing -attacks. - -This resolves CVE-2016-5405 - -https://bugzilla.redhat.com/show_bug.cgi?id=1358565 - -https://access.redhat.com/security/cve/CVE-2016-5405 - -Author: wibrown - -Review by: nhosoi (Thanks!) - -(cherry picked from commit 9dcaa4a0c866d8696e0a2616ccf962af2833f0b8) ---- - dirsrvtests/tests/suites/password/pwd_algo_test.py | 143 +++++++++++++++++++++ - ldap/servers/plugins/pwdstorage/clear_pwd.c | 33 ++++- - ldap/servers/plugins/pwdstorage/crypt_pwd.c | 2 +- - ldap/servers/plugins/pwdstorage/md5_pwd.c | 2 +- - ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c | 1 + - ldap/servers/plugins/pwdstorage/sha_pwd.c | 15 ++- - ldap/servers/plugins/pwdstorage/smd5_pwd.c | 2 +- - ldap/servers/slapd/ch_malloc.c | 22 ++++ - ldap/servers/slapd/slapi-plugin.h | 16 +++ - 9 files changed, 226 insertions(+), 10 deletions(-) - create mode 100644 dirsrvtests/tests/suites/password/pwd_algo_test.py - -diff --git a/dirsrvtests/tests/suites/password/pwd_algo_test.py b/dirsrvtests/tests/suites/password/pwd_algo_test.py -new file mode 100644 -index 0000000..aa8cbf5 ---- /dev/null -+++ b/dirsrvtests/tests/suites/password/pwd_algo_test.py -@@ -0,0 +1,143 @@ -+import os -+import sys -+import time -+import ldap -+import logging -+import pytest -+from lib389 import DirSrv, Entry, tools, tasks -+from lib389.tools import DirSrvTools -+from 
lib389._constants import * -+from lib389.properties import * -+from lib389.tasks import * -+from lib389.utils import * -+ -+DEBUGGING = True -+USER_DN = 'uid=user,ou=People,%s' % DEFAULT_SUFFIX -+ -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+ -+ -+log = logging.getLogger(__name__) -+ -+ -+class TopologyStandalone(object): -+ """The DS Topology Class""" -+ def __init__(self, standalone): -+ """Init""" -+ standalone.open() -+ self.standalone = standalone -+ -+ -+@pytest.fixture(scope="module") -+def topology(request): -+ """Create DS Deployment""" -+ -+ # Creating standalone instance ... -+ if DEBUGGING: -+ standalone = DirSrv(verbose=True) -+ else: -+ standalone = DirSrv(verbose=False) -+ args_instance[SER_HOST] = HOST_STANDALONE -+ args_instance[SER_PORT] = PORT_STANDALONE -+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE -+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -+ args_standalone = args_instance.copy() -+ standalone.allocate(args_standalone) -+ instance_standalone = standalone.exists() -+ if instance_standalone: -+ standalone.delete() -+ standalone.create() -+ standalone.open() -+ -+ def fin(): -+ """If we are debugging just stop the instances, otherwise remove -+ them -+ """ -+ if DEBUGGING: -+ standalone.stop() -+ else: -+ standalone.delete() -+ -+ request.addfinalizer(fin) -+ -+ # Clear out the tmp dir -+ standalone.clearTmpDir(__file__) -+ -+ return TopologyStandalone(standalone) -+ -+def _test_bind(inst, password): -+ result = True -+ userconn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE)) -+ try: -+ userconn.simple_bind_s(USER_DN, password) -+ userconn.unbind_s() -+ except ldap.INVALID_CREDENTIALS: -+ result = False -+ return result -+ -+def _test_algo(inst, algo_name): -+ inst.config.set('passwordStorageScheme', algo_name) -+ -+ if DEBUGGING: -+ print('Testing %s', algo_name) -+ -+ # Create the user with a password -+ 
inst.add_s(Entry(( -+ USER_DN, { -+ 'objectClass': 'top account simplesecurityobject'.split(), -+ 'uid': 'user', -+ 'userpassword': 'Secret123' -+ }))) -+ -+ # Make sure when we read the userPassword field, it is the correct ALGO -+ pw_field = inst.search_s(USER_DN, ldap.SCOPE_BASE, '(objectClass=*)', ['userPassword'] )[0] -+ -+ if DEBUGGING: -+ print(pw_field.getValue('userPassword')) -+ -+ if algo_name != 'CLEAR': -+ assert(algo_name.lower() in pw_field.getValue('userPassword').lower()) -+ # Now make sure a bind works -+ assert(_test_bind(inst, 'Secret123')) -+ # Bind with a wrong shorter password, should fail -+ assert(not _test_bind(inst, 'Wrong')) -+ # Bind with a wrong longer password, should fail -+ assert(not _test_bind(inst, 'This is even more wrong')) -+ # Bind with a wrong exact length password. -+ assert(not _test_bind(inst, 'Alsowrong')) -+ # Bind with a subset password, should fail -+ assert(not _test_bind(inst, 'Secret')) -+ if algo_name != 'CRYPT': -+ # Bind with a subset password that is 1 char shorter, to detect off by 1 in clear -+ assert(not _test_bind(inst, 'Secret12')) -+ # Bind with a superset password, should fail -+ assert(not _test_bind(inst, 'Secret123456')) -+ # Delete the user -+ inst.delete_s(USER_DN) -+ # done! -+ -+def test_pwd_algo_test(topology): -+ """ -+ Assert that all of our password algorithms correctly PASS and FAIL varying -+ password conditions. -+ -+ """ -+ if DEBUGGING: -+ # Add debugging steps(if any)... 
-+ pass -+ -+ for algo in ('CLEAR', 'CRYPT', 'MD5', 'SHA', 'SHA256', 'SHA384', 'SHA512', 'SMD5', 'SSHA', 'SSHA256', 'SSHA384', 'SSHA512'): -+ _test_algo(topology.standalone, algo) -+ -+ log.info('Test PASSED') -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c -index 84dac2a..2afe16e 100644 ---- a/ldap/servers/plugins/pwdstorage/clear_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c -@@ -25,7 +25,38 @@ - int - clear_pw_cmp( const char *userpwd, const char *dbpwd ) - { -- return( strcmp( userpwd, dbpwd )); -+ int result = 0; -+ int len = 0; -+ int len_user = strlen(userpwd); -+ int len_dbp = strlen(dbpwd); -+ if ( len_user != len_dbp ) { -+ result = 1; -+ } -+ /* We have to do this comparison ANYWAY else we have a length timing attack. */ -+ if ( len_user >= len_dbp ) { -+ /* -+ * If they are the same length, result will be 0 here, and if we pass -+ * the check, we don't update result either. IE we pass. -+ * However, even if the first part of userpw matches dbpwd, but len !=, we -+ * have already failed anyawy. This prevents substring matching. -+ */ -+ if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) { -+ result = 1; -+ } -+ } else { -+ /* -+ * If we stretched the userPassword, we'll allow a new timing attack, where -+ * if we see a delay on a short pw, we know we are stretching. -+ * when the delay goes away, it means we've found the length. -+ * Instead, because we don't want to use the short pw for comp, we just compare -+ * dbpwd to itself. We have already got result == 1 if we are here, so we are -+ * just trying to take up time! -+ */ -+ if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) { -+ /* Do nothing, we have the if to fix a coverity check. 
*/ -+ } -+ } -+ return result; - } - - char * -diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -index 29355a2..93b54b2 100644 ---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -@@ -54,7 +54,7 @@ crypt_pw_cmp( const char *userpwd, const char *dbpwd ) - /* we use salt (first 2 chars) of encoded password in call to crypt() */ - cp = crypt( userpwd, dbpwd ); - if (cp) { -- rc= strcmp( dbpwd, cp); -+ rc= slapi_ct_memcmp( dbpwd, cp, strlen(dbpwd)); - } else { - rc = -1; - } -diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c -index 0bc8f3c..181661a 100644 ---- a/ldap/servers/plugins/pwdstorage/md5_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c -@@ -57,7 +57,7 @@ md5_pw_cmp( const char *userpwd, const char *dbpwd ) - bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item); - /* bver points to b2a_out upon success */ - if (bver) { -- rc = strcmp(bver,dbpwd); -+ rc = slapi_ct_memcmp(bver,dbpwd, strlen(dbpwd)); - } else { - slapi_log_error(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME, - "Could not base64 encode hashed value for password compare"); -diff --git a/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c b/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c -index 2fed61f..ae1f7b8 100644 ---- a/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/ns-mta-md5_pwd.c -@@ -84,6 +84,7 @@ ns_mta_md5_pw_cmp(const char * clear, const char *mangled) - - mta_hash[32] = mta_salt[32] = 0; - -+ /* This is salted, so we don't need to change it for constant time */ - return( strcmp(mta_hash,ns_mta_hash_alg(buffer,mta_salt,clear))); - } - -diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c -index 9594ac9..2e4973b 100644 ---- a/ldap/servers/plugins/pwdstorage/sha_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c -@@ -120,13 
+120,16 @@ sha_pw_cmp (const char *userpwd, const char *dbpwd, unsigned int shaLen ) - } - - /* the proof is in the comparison... */ -- result = ( hash_len >= shaLen ) ? -- ( memcmp( userhash, dbhash, shaLen ) ) : /* include salt */ -- ( memcmp( userhash, dbhash + OLD_SALT_LENGTH, -- hash_len - OLD_SALT_LENGTH ) ); /* exclude salt */ -+ if ( hash_len >= shaLen ) { -+ result = slapi_ct_memcmp( userhash, dbhash, shaLen ); -+ } else { -+ result = slapi_ct_memcmp( userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH ); -+ } - -- loser: -- if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( &dbhash ); -+loser: -+ if ( dbhash && dbhash != quick_dbhash ) { -+ slapi_ch_free_string( &dbhash ); -+ } - return result; - } - -diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c -index f4c92f1..79c2846 100644 ---- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c -@@ -80,7 +80,7 @@ smd5_pw_cmp( const char *userpwd, const char *dbpwd ) - PK11_DestroyContext(ctx, 1); - - /* Compare everything up to the salt. */ -- rc = memcmp( userhash, dbhash, MD5_LENGTH ); -+ rc = slapi_ct_memcmp( userhash, dbhash, MD5_LENGTH ); - - loser: - if ( dbhash && dbhash != quick_dbhash ) slapi_ch_free_string( (char **)&dbhash ); -diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c -index 10870df..a38268c 100644 ---- a/ldap/servers/slapd/ch_malloc.c -+++ b/ldap/servers/slapd/ch_malloc.c -@@ -365,3 +365,25 @@ slapi_ch_smprintf(const char *fmt, ...) - return p; - } - #endif -+ -+/* Constant time memcmp. Does not shortcircuit on failure! */ -+/* This relies on p1 and p2 both being size at least n! 
*/ -+int -+slapi_ct_memcmp( const void *p1, const void *p2, size_t n) -+{ -+ int result = 0; -+ const unsigned char *_p1 = (const unsigned char *)p1; -+ const unsigned char *_p2 = (const unsigned char *)p2; -+ -+ if (_p1 == NULL || _p2 == NULL) { -+ return 2; -+ } -+ -+ for (size_t i = 0; i < n; i++) { -+ if (_p1[i] ^ _p2[i]) { -+ result = 1; -+ } -+ } -+ return result; -+} -+ -diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h -index a7e544a..165fb05 100644 ---- a/ldap/servers/slapd/slapi-plugin.h -+++ b/ldap/servers/slapd/slapi-plugin.h -@@ -5825,6 +5825,22 @@ char * slapi_ch_smprintf(const char *fmt, ...) - #else - ; - #endif -+/** -+ * slapi_ct_memcmp is a constant time memory comparison function. This is for -+ * use with password hashes and other locations which could lead to a timing -+ * attack due to early shortcut returns. This function *does not* shortcircuit -+ * during the comparison, always checking every byte regardless if it has already -+ * found that the memory does not match. -+ * -+ * WARNING! p1 and p2 must both reference content that is at least of size 'n'. -+ * Else this function may over-run (And will certainly fail). -+ * -+ * \param p1 pointer to first value to check. -+ * \param p2 pointer to second value to check. -+ * \param n length in bytes of the content of p1 AND p2. -+ * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2. -+ */ -+int slapi_ct_memcmp( const void *p1, const void *p2, size_t n); - - /* - * syntax plugin routines --- -2.4.11 - diff --git a/SOURCES/0024-Ticket-48943-When-fine-grained-policy-is-applied-a-s.patch b/SOURCES/0024-Ticket-48943-When-fine-grained-policy-is-applied-a-s.patch deleted file mode 100644 index ddaf136..0000000 --- a/SOURCES/0024-Ticket-48943-When-fine-grained-policy-is-applied-a-s.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From c9561cbb81fe1504a5741df44dd8c1103134c065 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Sat, 30 Jul 2016 16:56:57 -0700 -Subject: [PATCH 24/29] Ticket #48943 - When fine-grained policy is applied, a - sub-tree has a priority over a user while changing password - -Description: If the user entry has a pwdpolicysubentry, the configuration -in the pwpolicy should be the strongest and respected. If the entry does -not have it, it retrieves the pwpolicy from the CoS Cache, which is the -current behaviour. - -https://fedorahosted.org/389/ticket/48943 - -Reviewed by wibrown@redhat.com (Thank you, William!!) - -(cherry picked from commit 802224f2846900c870a780fe7608782792806d85) ---- - ldap/servers/slapd/pw.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c -index 498afd4..6b865ec 100644 ---- a/ldap/servers/slapd/pw.c -+++ b/ldap/servers/slapd/pw.c -@@ -1777,9 +1777,17 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn) - attribute in the target entry itself. */ - } else { - if ( (e = get_entry( pb, dn )) != NULL ) { -- rc = slapi_vattr_values_get(e, "pwdpolicysubentry", &values, -- &type_name_disposition, &actual_type_name, -- SLAPI_VIRTUALATTRS_REQUEST_POINTERS, &attr_free_flags); -+ Slapi_Attr* attr = NULL; -+ rc = slapi_entry_attr_find(e, "pwdpolicysubentry", &attr); -+ if (attr && (0 == rc)) { -+ /* If the entry has pwdpolicysubentry, use the PwPolicy. */ -+ values = valueset_dup(&attr->a_present_values); -+ } else { -+ /* Otherwise, retrieve the policy from CoS Cache */ -+ rc = slapi_vattr_values_get(e, "pwdpolicysubentry", &values, -+ &type_name_disposition, &actual_type_name, -+ SLAPI_VIRTUALATTRS_REQUEST_POINTERS, &attr_free_flags); -+ } - if (rc) { - values = NULL; - } --- -2.4.11 - 
diff --git a/SOURCES/0024-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch b/SOURCES/0024-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch new file mode 100644 index 0000000..e10387c --- /dev/null +++ b/SOURCES/0024-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch @@ -0,0 +1,42 @@ +From 765520fa7bf49f2de542d619b0fce99e13e4d53a Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Tue, 4 Apr 2017 10:44:55 +0200 +Subject: [PATCH] Ticket 49209 - Hang due to omitted replica lock release + +Bug Description: + When an operation is canceled (failure), its csn is aborted + and removed from the pending list. + If at that time the pending list is empty or the csn is not found + in that list, the cancel callback forgots to release the replica lock + +Fix Description: + Release replica lock systematically, whether cnsplRemove fails or not + +https://pagure.io/389-ds-base/issue/49209 + +Reviewed by: Mark Reynolds (thanks Mark !!) + +Platforms tested: F23 + +Flag Day: no + +Doc impact: no +--- + ldap/servers/plugins/replication/repl5_replica.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c +index 7beef50..5718a98 100644 +--- a/ldap/servers/plugins/replication/repl5_replica.c ++++ b/ldap/servers/plugins/replication/repl5_replica.c +@@ -3662,6 +3662,7 @@ abort_csn_callback(const CSN *csn, void *data) + int rc = csnplRemove(r->min_csn_pl, csn); + if (rc) { + slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "abort_csn_callback - csnplRemove failed"); ++ replica_unlock(r->repl_lock); + return; + } + } +-- +2.9.3 + diff --git a/SOURCES/0025-Ticket-48943-Add-CI-Test-for-the-password-test-suite.patch b/SOURCES/0025-Ticket-48943-Add-CI-Test-for-the-password-test-suite.patch deleted file mode 100644 index 048a4f4..0000000 --- a/SOURCES/0025-Ticket-48943-Add-CI-Test-for-the-password-test-suite.patch +++ /dev/null 
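Review bot: The added `replica_unlock(r->repl_lock);` before `return;` in `abort_csn_callback` repairs this one exit but leaves the unlock repeated per return path, which is the pattern that produced the omitted release. A single exit would be safer: replace the early `return;` with `goto done;` and keep one `replica_unlock(r->repl_lock);` after a `done:` label at the end of the function. The failure log `"abort_csn_callback - csnplRemove failed"` also omits `rc`, which would help when diagnosing a recurrence. The rest of the function, including the matching lock call, is outside the hunk, so the label placement needs checking there.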
@@ -1,268 +0,0 @@ -From c8c5237c0dc6b5b1a0dc0b040bf2ca5058222141 Mon Sep 17 00:00:00 2001 -From: Simon Pichugin -Date: Thu, 28 Jul 2016 11:53:47 +0200 -Subject: [PATCH 25/29] Ticket 48943 - Add CI Test for the password test suite - -Description: Test that fine-grained pwdpolicy on the entry has a -priority over fine-grained pwdpolicy on the subtree the entry belongs -to. Use passwordChange attribute to verify that. - -https://fedorahosted.org/389/ticket/48943 - -Reviewed by: mreynolds (Thanks!) - -(cherry picked from commit a20538f482089615ceff1947a3e237a87f31a781) ---- - .../tests/suites/password/pwd_change_policytest.py | 240 +++++++++++++++++++++ - 1 file changed, 240 insertions(+) - create mode 100644 dirsrvtests/tests/suites/password/pwd_change_policytest.py - -diff --git a/dirsrvtests/tests/suites/password/pwd_change_policytest.py b/dirsrvtests/tests/suites/password/pwd_change_policytest.py -new file mode 100644 -index 0000000..1d48c65 ---- /dev/null -+++ b/dirsrvtests/tests/suites/password/pwd_change_policytest.py -@@ -0,0 +1,240 @@ -+import os -+import sys -+import time -+import subprocess -+import ldap -+import logging -+import pytest -+from lib389 import DirSrv, Entry, tools, tasks -+from lib389.tools import DirSrvTools -+from lib389._constants import * -+from lib389.properties import * -+from lib389.tasks import * -+from lib389.utils import * -+ -+DEBUGGING = False -+OU_PEOPLE = 'ou=people,{}'.format(DEFAULT_SUFFIX) -+TEST_USER_NAME = 'simplepaged_test' -+TEST_USER_DN = 'uid={},{}'.format(TEST_USER_NAME, OU_PEOPLE) -+TEST_USER_PWD = 'simplepaged_test' -+PW_POLICY_CONT_USER = 'cn="cn=nsPwPolicyEntry,uid=simplepaged_test,'\ -+ 'ou=people,dc=example,dc=com",'\ -+ 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com' -+PW_POLICY_CONT_PEOPLE = 'cn="cn=nsPwPolicyEntry,'\ -+ 'ou=people,dc=example,dc=com",'\ -+ 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com' -+ -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ 
logging.getLogger(__name__).setLevel(logging.INFO) -+ -+log = logging.getLogger(__name__) -+ -+ -+class TopologyStandalone(object): -+ """The DS Topology Class""" -+ def __init__(self, standalone): -+ """Init""" -+ standalone.open() -+ self.standalone = standalone -+ -+ -+@pytest.fixture(scope="module") -+def topology(request): -+ """Create DS Deployment""" -+ -+ # Creating standalone instance ... -+ if DEBUGGING: -+ standalone = DirSrv(verbose=True) -+ else: -+ standalone = DirSrv(verbose=False) -+ args_instance[SER_HOST] = HOST_STANDALONE -+ args_instance[SER_PORT] = PORT_STANDALONE -+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE -+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -+ args_standalone = args_instance.copy() -+ standalone.allocate(args_standalone) -+ instance_standalone = standalone.exists() -+ if instance_standalone: -+ standalone.delete() -+ standalone.create() -+ standalone.open() -+ -+ def fin(): -+ """If we are debugging just stop the instances, otherwise remove -+ them -+ """ -+ if DEBUGGING: -+ standalone.stop() -+ else: -+ standalone.delete() -+ -+ request.addfinalizer(fin) -+ -+ -+ return TopologyStandalone(standalone) -+ -+ -+@pytest.fixture(scope="module") -+def test_user(topology, request): -+ """User for binding operation""" -+ -+ log.info('Adding user {}'.format(TEST_USER_DN)) -+ try: -+ topology.standalone.add_s(Entry((TEST_USER_DN, { -+ 'objectclass': 'top person'.split(), -+ 'objectclass': 'organizationalPerson', -+ 'objectclass': 'inetorgperson', -+ 'cn': TEST_USER_NAME, -+ 'sn': TEST_USER_NAME, -+ 'userpassword': TEST_USER_PWD, -+ 'mail': '%s@redhat.com' % TEST_USER_NAME, -+ 'uid': TEST_USER_NAME -+ }))) -+ except ldap.LDAPError as e: -+ log.error('Failed to add user (%s): error (%s)' % (TEST_USER_DN, -+ e.message['desc'])) -+ raise e -+ -+ def fin(): -+ log.info('Deleting user {}'.format(TEST_USER_DN)) -+ topology.standalone.delete_s(TEST_USER_DN) -+ request.addfinalizer(fin) -+ -+ -+@pytest.fixture(scope="module") 
-+def password_policy(topology, test_user): -+ """Set up password policy for subtree and user""" -+ -+ log.info('Enable fine-grained policy') -+ try: -+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, -+ 'nsslapd-pwpolicy-local', -+ 'on')]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set fine-grained policy: error {}'.format( -+ e.message['desc'])) -+ raise e -+ -+ log.info('Create password policy for subtree {}'.format(OU_PEOPLE)) -+ try: -+ subprocess.call(['ns-newpwpolicy.pl', '-D', DN_DM, '-w', PASSWORD, -+ '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE, -+ '-S', OU_PEOPLE, '-Z', SERVERID_STANDALONE]) -+ except subprocess.CalledProcessError as e: -+ log.error('Failed to create pw policy policy for {}: error {}'.format( -+ OU_PEOPLE, e.message['desc'])) -+ raise e -+ -+ log.info('Add pwdpolicysubentry attribute to {}'.format(OU_PEOPLE)) -+ try: -+ topology.standalone.modify_s(OU_PEOPLE, [(ldap.MOD_REPLACE, -+ 'pwdpolicysubentry', -+ PW_POLICY_CONT_PEOPLE)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to pwdpolicysubentry pw policy '\ -+ 'policy for {}: error {}'.format(OU_PEOPLE, -+ e.message['desc'])) -+ raise e -+ -+ log.info('Create password policy for subtree {}'.format(TEST_USER_DN)) -+ try: -+ subprocess.call(['ns-newpwpolicy.pl', '-D', DN_DM, '-w', PASSWORD, -+ '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE, -+ '-U', TEST_USER_DN, '-Z', SERVERID_STANDALONE]) -+ except subprocess.CalledProcessError as e: -+ log.error('Failed to create pw policy policy for {}: error {}'.format( -+ TEST_USER_DN, e.message['desc'])) -+ raise e -+ -+ log.info('Add pwdpolicysubentry attribute to {}'.format(TEST_USER_DN)) -+ try: -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'pwdpolicysubentry', -+ PW_POLICY_CONT_USER)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to pwdpolicysubentry pw policy '\ -+ 'policy for {}: error {}'.format(TEST_USER_DN, -+ e.message['desc'])) -+ raise e -+ -+ 
-+@pytest.mark.parametrize('subtree_pwchange,user_pwchange,exception', -+ [('off', 'on', None), ('on', 'on', None), -+ ('on', 'off', ldap.UNWILLING_TO_PERFORM), -+ ('off', 'off', ldap.UNWILLING_TO_PERFORM)]) -+def test_change_pwd(topology, test_user, password_policy, -+ subtree_pwchange, user_pwchange, exception): -+ """Verify that 'passwordChange' attr works as expected -+ User should have a priority over a subtree. -+ -+ :Feature: Password policy -+ -+ :Setup: Standalone instance, test user, -+ password policy entries for a user and a subtree -+ -+ :Steps: 1. Set passwordChange on the user and the subtree -+ to various combinations -+ 2. Bind as test user -+ 3. Try to change password -+ -+ :Assert: Subtree/User passwordChange - result -+ off/on, on/on - success -+ on/off, off/off - UNWILLING_TO_PERFORM -+ """ -+ -+ log.info('Set passwordChange to "{}" - {}'.format(subtree_pwchange, -+ PW_POLICY_CONT_PEOPLE)) -+ try: -+ topology.standalone.modify_s(PW_POLICY_CONT_PEOPLE, [(ldap.MOD_REPLACE, -+ 'passwordChange', -+ subtree_pwchange)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set passwordChange '\ -+ 'policy for {}: error {}'.format(PW_POLICY_CONT_PEOPLE, -+ e.message['desc'])) -+ raise e -+ -+ -+ log.info('Set passwordChange to "{}" - {}'.format(user_pwchange, -+ PW_POLICY_CONT_USER)) -+ try: -+ topology.standalone.modify_s(PW_POLICY_CONT_USER, [(ldap.MOD_REPLACE, -+ 'passwordChange', -+ user_pwchange)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set passwordChange '\ -+ 'policy for {}: error {}'.format(PW_POLICY_CONT_USER, -+ e.message['desc'])) -+ raise e -+ -+ try: -+ log.info('Bind as user and modify userPassword') -+ topology.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PWD) -+ if exception: -+ with pytest.raises(exception): -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'userPassword', -+ 'new_pass')]) -+ else: -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'userPassword', -+ 
'new_pass')]) -+ except ldap.LDAPError as e: -+ log.error('Failed to change userpassword for {}: error {}'.format( -+ TEST_USER_DN, e.message['info'])) -+ raise e -+ finally: -+ log.info('Bind as DM') -+ topology.standalone.simple_bind_s(DN_DM, PASSWORD) -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'userPassword', -+ TEST_USER_PWD)]) -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) --- -2.4.11 - diff --git a/SOURCES/0025-Ticket-49184-Overflow-in-memberof.patch b/SOURCES/0025-Ticket-49184-Overflow-in-memberof.patch new file mode 100644 index 0000000..be478e0 --- /dev/null +++ b/SOURCES/0025-Ticket-49184-Overflow-in-memberof.patch 
@@ -0,0 +1,299 @@ +From 710b0a6aaf1c648bc8fd33d4ab5bcc859a0ed851 Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Thu, 13 Apr 2017 15:21:49 +0200 +Subject: [PATCH] Ticket 49184 - Overflow in memberof + +Bug Description: + The function memberof_call_foreach_dn can be used to retrieve ancestors of a + given entry. (ancestors are groups owning directly or indirectly a given entry). + + With the use of group cache in memberof, at the entrance of memberof_call_foreach_dn + there is an attempt to get the entry ancestors from the cache. + + Before doing so it needs to test if the cache is safe. In fact in case of + circular groups the use of the cache is disabled and lookup in the cache should not + happend. + + To know if the cache is safe it needs to access a flag (use_cache) in callback_data. + The callback_data structure is opaque at this level. So accessing it + while its structure is unknown is dangerous. + + The bug is that we may read an 'int' at an offset that overflow the actual structure. + This is just a test and should not trigger a crash. + +Fix Description: + Add a flag to call memberof_call_foreach_dn so that, that indicates if + it is valid to use the group cache. + +https://pagure.io/389-ds-base/issue/49184 + +Reviewed by: William Brown and Mark Reynolds (thanks to you !!) 
+ +Platforms tested: F23 + +Flag Day: no + +Doc impact: no +--- + dirsrvtests/tests/tickets/ticket49184_test.py | 146 ++++++++++++++++++++++++++ + ldap/servers/plugins/memberof/memberof.c | 38 ++++--- + 2 files changed, 167 insertions(+), 17 deletions(-) + create mode 100644 dirsrvtests/tests/tickets/ticket49184_test.py + +diff --git a/dirsrvtests/tests/tickets/ticket49184_test.py b/dirsrvtests/tests/tickets/ticket49184_test.py +new file mode 100644 +index 0000000..20edfde +--- /dev/null ++++ b/dirsrvtests/tests/tickets/ticket49184_test.py +@@ -0,0 +1,146 @@ ++import time ++import ldap ++import logging ++import pytest ++from lib389 import DirSrv, Entry, tools, tasks ++from lib389.tools import DirSrvTools ++from lib389._constants import * ++from lib389.properties import * ++from lib389.tasks import * ++from lib389.utils import * ++from lib389.topologies import topology_st as topo ++ ++DEBUGGING = os.getenv("DEBUGGING", default=False) ++GROUP_DN_1 = ("cn=group1," + DEFAULT_SUFFIX) ++GROUP_DN_2 = ("cn=group2," + DEFAULT_SUFFIX) ++SUPER_GRP1 = ("cn=super_grp1," + DEFAULT_SUFFIX) ++SUPER_GRP2 = ("cn=super_grp2," + DEFAULT_SUFFIX) ++SUPER_GRP3 = ("cn=super_grp3," + DEFAULT_SUFFIX) ++ ++if DEBUGGING: ++ logging.getLogger(__name__).setLevel(logging.DEBUG) ++else: ++ logging.getLogger(__name__).setLevel(logging.INFO) ++log = logging.getLogger(__name__) ++ ++def _add_group_with_members(topo, group_dn): ++ # Create group ++ try: ++ topo.standalone.add_s(Entry((group_dn, ++ {'objectclass': 'top groupofnames extensibleObject'.split(), ++ 'cn': 'group'}))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add group: error ' + e.message['desc']) ++ assert False ++ ++ # Add members to the group - set timeout ++ log.info('Adding members to the group...') ++ for idx in range(1, 5): ++ try: ++ MEMBER_VAL = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX)) ++ topo.standalone.modify_s(group_dn, ++ [(ldap.MOD_ADD, ++ 'member', ++ MEMBER_VAL)]) ++ except ldap.LDAPError as e: ++ 
log.fatal('Failed to update group: member (%s) - error: %s' % ++ (MEMBER_VAL, e.message['desc'])) ++ assert False ++ ++def _check_memberof(topo, member=None, memberof=True, group_dn=None): ++ # Check that members have memberof attribute on M1 ++ for idx in range(1, 5): ++ try: ++ USER_DN = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX)) ++ ent = topo.standalone.getEntry(USER_DN, ldap.SCOPE_BASE, "(objectclass=*)") ++ if presence_flag: ++ assert ent.hasAttr('memberof') and ent.getValue('memberof') == group_dn ++ else: ++ assert not ent.hasAttr('memberof') ++ except ldap.LDAPError as e: ++ log.fatal('Failed to retrieve user (%s): error %s' % (USER_DN, e.message['desc'])) ++ assert False ++ ++def _check_memberof(topo, member=None, memberof=True, group_dn=None): ++ ent = topo.standalone.getEntry(member, ldap.SCOPE_BASE, "(objectclass=*)") ++ if memberof: ++ assert group_dn ++ assert ent.hasAttr('memberof') and group_dn in ent.getValues('memberof') ++ else: ++ if ent.hasAttr('memberof'): ++ assert group_dn not in ent.getValues('memberof') ++ ++ ++def test_ticket49184(topo): ++ """Write your testcase here... ++ ++ Also, if you need any testcase initialization, ++ please, write additional fixture for that(include finalizer). 
++ """ ++ ++ topo.standalone.plugins.enable(name=PLUGIN_MEMBER_OF) ++ topo.standalone.restart(timeout=10) ++ ++ # ++ # create some users and a group ++ # ++ log.info('create users and group...') ++ for idx in range(1, 5): ++ try: ++ USER_DN = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX)) ++ topo.standalone.add_s(Entry((USER_DN, ++ {'objectclass': 'top extensibleObject'.split(), ++ 'uid': 'member%d' % (idx)}))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add user (%s): error %s' % (USER_DN, e.message['desc'])) ++ assert False ++ ++ # add all users in GROUP_DN_1 and checks each users is memberof GROUP_DN_1 ++ _add_group_with_members(topo, GROUP_DN_1) ++ for idx in range(1, 5): ++ USER_DN = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX)) ++ _check_memberof(topo, member=USER_DN, memberof=True, group_dn=GROUP_DN_1 ) ++ ++ # add all users in GROUP_DN_2 and checks each users is memberof GROUP_DN_2 ++ _add_group_with_members(topo, GROUP_DN_2) ++ for idx in range(1, 5): ++ USER_DN = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX)) ++ _check_memberof(topo, member=USER_DN, memberof=True, group_dn=GROUP_DN_2 ) ++ ++ # add the level 2, 3 and 4 group ++ for super_grp in (SUPER_GRP1, SUPER_GRP2, SUPER_GRP3): ++ topo.standalone.add_s(Entry((super_grp, ++ {'objectclass': 'top groupofnames extensibleObject'.split(), ++ 'cn': 'super_grp'}))) ++ topo.standalone.modify_s(SUPER_GRP1, ++ [(ldap.MOD_ADD, ++ 'member', ++ GROUP_DN_1), ++ (ldap.MOD_ADD, ++ 'member', ++ GROUP_DN_2)]) ++ topo.standalone.modify_s(SUPER_GRP2, ++ [(ldap.MOD_ADD, ++ 'member', ++ GROUP_DN_1), ++ (ldap.MOD_ADD, ++ 'member', ++ GROUP_DN_2)]) ++ return ++ topo.standalone.delete_s(GROUP_DN_2) ++ for idx in range(1, 5): ++ USER_DN = ("uid=member%d,%s" % (idx, DEFAULT_SUFFIX)) ++ _check_memberof(topo, member=USER_DN, memberof=True, group_dn=GROUP_DN_1 ) ++ _check_memberof(topo, member=USER_DN, memberof=False, group_dn=GROUP_DN_2 ) ++ ++ if DEBUGGING: ++ # Add debugging steps(if any)... 
++ pass ++ ++ ++if __name__ == '__main__': ++ # Run isolated ++ # -s for DEBUG mode ++ CURRENT_FILE = os.path.realpath(__file__) ++ pytest.main("-s %s" % CURRENT_FILE) ++ +diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c +index 81ef092..5cd2c01 100644 +--- a/ldap/servers/plugins/memberof/memberof.c ++++ b/ldap/servers/plugins/memberof/memberof.c +@@ -159,7 +159,7 @@ static int memberof_qsort_compare(const void *a, const void *b); + static void memberof_load_array(Slapi_Value **array, Slapi_Attr *attr); + static int memberof_del_dn_from_groups(Slapi_PBlock *pb, MemberOfConfig *config, Slapi_DN *sdn); + static int memberof_call_foreach_dn(Slapi_PBlock *pb, Slapi_DN *sdn, MemberOfConfig *config, +- char **types, plugin_search_entry_callback callback, void *callback_data, int *cached); ++ char **types, plugin_search_entry_callback callback, void *callback_data, int *cached, PRBool use_grp_cache); + static int memberof_is_direct_member(MemberOfConfig *config, Slapi_Value *groupdn, + Slapi_Value *memberdn); + static int memberof_is_grouping_attr(char *type, MemberOfConfig *config); +@@ -659,7 +659,7 @@ memberof_del_dn_from_groups(Slapi_PBlock *pb, MemberOfConfig *config, Slapi_DN * + + slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_del_dn_from_groups: Ancestors of %s\n", slapi_sdn_get_dn(sdn)); + rc = memberof_call_foreach_dn(pb, sdn, config, groupattrs, +- memberof_del_dn_type_callback, &data, &cached); ++ memberof_del_dn_type_callback, &data, &cached, PR_FALSE); + } + + return rc; +@@ -776,8 +776,8 @@ add_ancestors_cbdata(memberof_cached_value *ancestors, void *callback_data) + * could want type to be either "member" or "memberOf" depending on the case. 
+ */ + int +-memberof_call_foreach_dn(Slapi_PBlock *pb, Slapi_DN *sdn, +- MemberOfConfig *config, char **types, plugin_search_entry_callback callback, void *callback_data, int *cached) ++memberof_call_foreach_dn(Slapi_PBlock *pb __attribute__((unused)), Slapi_DN *sdn, ++ MemberOfConfig *config, char **types, plugin_search_entry_callback callback, void *callback_data, int *cached, PRBool use_grp_cache) + { + Slapi_PBlock *search_pb = NULL; + Slapi_DN *base_sdn = NULL; +@@ -792,9 +792,6 @@ memberof_call_foreach_dn(Slapi_PBlock *pb, Slapi_DN *sdn, + int free_it = 0; + int rc = 0; + int i = 0; +- memberof_cached_value *ht_grp = NULL; +- memberof_get_groups_data *data = (memberof_get_groups_data*) callback_data; +- const char *ndn = slapi_sdn_get_ndn(sdn); + + *cached = 0; + +@@ -802,17 +799,24 @@ memberof_call_foreach_dn(Slapi_PBlock *pb, Slapi_DN *sdn, + return (rc); + } + +- /* Here we will retrieve the ancestor of sdn. +- * The key access is the normalized sdn +- * This is done through recursive internal searches of parents +- * If the ancestors of sdn are already cached, just use +- * this value ++ /* This flags indicates memberof_call_foreach_dn is called to retrieve ancestors (groups). ++ * To improve performance, it can use a cache. (it will not in case of circular groups) ++ * When this flag is true it means no circular group are detected (so far) so we can use the cache + */ +- if (data && data->use_cache) { ++ if (use_grp_cache) { ++ /* Here we will retrieve the ancestor of sdn. 
++ * The key access is the normalized sdn ++ * This is done through recursive internal searches of parents ++ * If the ancestors of sdn are already cached, just use ++ * this value ++ */ ++ memberof_cached_value *ht_grp = NULL; ++ const char *ndn = slapi_sdn_get_ndn(sdn); ++ + ht_grp = ancestors_cache_lookup((const void *) ndn); + if (ht_grp) { + #if MEMBEROF_CACHE_DEBUG +- slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_call_foreach_dn: Ancestors of %s already cached (%x)\n", ndn, ht_grp); ++ slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_call_foreach_dn: Ancestors of %s already cached (%x)\n", ndn, ht_grp); + #endif + add_ancestors_cbdata(ht_grp, callback_data); + *cached = 1; +@@ -1106,7 +1110,7 @@ memberof_replace_dn_from_groups(Slapi_PBlock *pb, MemberOfConfig *config, + slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_replace_dn_from_groups: Ancestors of %s\n", slapi_sdn_get_dn(post_sdn)); + if((ret = memberof_call_foreach_dn(pb, pre_sdn, config, groupattrs, + memberof_replace_dn_type_callback, +- &data, &cached))) ++ &data, &cached, PR_FALSE))) + { + break; + } +@@ -2383,7 +2387,7 @@ memberof_get_groups_r(MemberOfConfig *config, Slapi_DN *member_sdn, + slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_get_groups_r: Ancestors of %s\n", slapi_sdn_get_dn(member_sdn)); + #endif + rc = memberof_call_foreach_dn(NULL, member_sdn, config, config->groupattrs, +- memberof_get_groups_callback, &member_data, &cached); ++ memberof_get_groups_callback, &member_data, &cached, member_data.use_cache); + + merge_ancestors(&member_ndn_val, &member_data, data); + if (!cached && member_data.use_cache) +@@ -2578,7 +2582,7 @@ memberof_test_membership(Slapi_PBlock *pb, MemberOfConfig *config, + int cached = 0; + + return memberof_call_foreach_dn(pb, group_sdn, config, attrs, +- memberof_test_membership_callback, config, &cached); ++ memberof_test_membership_callback, config, &cached, PR_FALSE); + } + 
+ /* +-- +2.9.3 + diff --git a/SOURCES/0026-Ticket-48936-Duplicate-collation-entries.patch b/SOURCES/0026-Ticket-48936-Duplicate-collation-entries.patch deleted file mode 100644 index c7bda39..0000000 --- a/SOURCES/0026-Ticket-48936-Duplicate-collation-entries.patch +++ /dev/null 
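Review bot: The regression test in `ticket49184_test.py` stops at a bare `return` right after the `modify_s` on `SUPER_GRP2`, so `delete_s(GROUP_DN_2)` and the `_check_memberof` assertions that follow never run, and the group-removal path this patch touches is presumably left unexercised. Remove that `return`, and delete the first `_check_memberof` definition, which is shadowed by the second one and references the undefined name `presence_flag`. On the C side, the cache-hit branch in `memberof_call_foreach_dn` still hands `callback_data` to `add_ancestors_cbdata` (its body is outside the hunk), so the new `use_grp_cache` argument is only safe while `PR_TRUE` is passed together with a `memberof_get_groups_data`, as `memberof_get_groups_r` does. A comment on the prototype such as `/* use_grp_cache: PR_TRUE only when callback_data points to a memberof_get_groups_data */` would keep a future caller from reintroducing the out-of-bounds read described in the ticket.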
@@ -1,66 +0,0 @@ -From f6f3f89e723d26cdad16e0d70d21e2361b9ac8bb Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Thu, 28 Jul 2016 22:23:20 -0700 -Subject: [PATCH 26/29] Ticket #48936 - Duplicate collation entries - -Description: In the fix for "Ticket #53 - Need to update supported locales", -some locales were not set country and variant codes correctly, which caused -the duplicate matchintRules. Also, ig-NG was mapped to a wrong locale. - -An example of the broken matchingRules. -Before the fix> - matchingRules: ( 2.16.840.1.113730.3.3.2.42.1 NAME 'caseIgnoreOrderingMatch-sk' DESC 'sk' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) - matchingRules: ( 2.16.840.1.113730.3.3.2.211.1 NAME 'caseIgnoreOrderingMatch-sk' DESC 'sk' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -After the fix> - matchingRules: ( 2.16.840.1.113730.3.3.2.42.1 NAME 'caseIgnoreOrderingMatch-sk' DESC 'sk' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) - matchingRules: ( 2.16.840.1.113730.3.3.2.211.1 NAME 'caseIgnoreOrderingMatch-sk-SK' DESC 'sk-SK' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) - -https://fedorahosted.org/389/ticket/48936 - -Reviewed by rmeggins@redhat.com (Thank you, Rich!!) 
- -(cherry picked from commit 3e3dff89c29afdf52a32e4d44f01bddedd60bcd3) ---- - ldap/schema/slapd-collations.conf | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/ldap/schema/slapd-collations.conf b/ldap/schema/slapd-collations.conf -index 9f653e4..31fa477 100644 ---- a/ldap/schema/slapd-collations.conf -+++ b/ldap/schema/slapd-collations.conf -@@ -88,7 +88,7 @@ collation as "" "" 1 3 2.16.840.1.113730.3.3.2.71.1 as - collation as IN "" 1 3 2.16.840.1.113730.3.3.2.72.1 as-IN - collation az "" "" 1 3 2.16.840.1.113730.3.3.2.73.1 az - collation az Latn "" 1 3 2.16.840.1.113730.3.3.2.74.1 az-Latn --collation az Latn_AZ "" 1 3 2.16.840.1.113730.3.3.2.75.1 az-Latn-AZ -+collation az Latn AZ 1 3 2.16.840.1.113730.3.3.2.75.1 az-Latn-AZ - collation bn "" "" 1 3 2.16.840.1.113730.3.3.2.76.1 bn - collation bn BD "" 1 3 2.16.840.1.113730.3.3.2.77.1 bn-BD - collation bn IN "" 1 3 2.16.840.1.113730.3.3.2.78.1 bn-IN -@@ -189,8 +189,8 @@ collation ha Latn NG 1 3 2.16.840.1.113730.3.3.2.172.1 ha-Latn-NG - collation he "" "" 1 3 2.16.840.1.113730.3.3.2.173.1 he he-IL - collation hi "" "" 1 3 2.16.840.1.113730.3.3.2.174.1 hi hi-IN - collation hy "" "" 1 3 2.16.840.1.113730.3.3.2.175.1 hy hy-AM --collation id "" "" 1 3 2.16.840.1.113730.3.3.2.176.1 id-ID --collation id ID "" 1 3 2.16.840.1.113730.3.3.2.177.1 ig-NG -+collation id "" "" 1 3 2.16.840.1.113730.3.3.2.176.1 id id-ID -+collation ig "" "" 1 3 2.16.840.1.113730.3.3.2.177.1 ig ig-NG - collation it IT "" 1 3 2.16.840.1.113730.3.3.2.178.1 it-IT - collation ka "" "" 1 3 2.16.840.1.113730.3.3.2.179.1 ka - collation ka GE "" 1 3 2.16.840.1.113730.3.3.2.180.1 ka-GE -@@ -224,9 +224,9 @@ collation ru MD "" 1 3 2.16.840.1.113730.3.3.2.207.1 ru-MD - collation ru RU "" 1 3 2.16.840.1.113730.3.3.2.208.1 ru-RU - collation ru UA "" 1 3 2.16.840.1.113730.3.3.2.209.1 ru-UA - collation si "" "" 1 3 2.16.840.1.113730.3.3.2.210.1 si si-LK --collation sk "" "" 1 3 2.16.840.1.113730.3.3.2.211.1 sk sk-SK --collation 
sl "" "" 1 3 2.16.840.1.113730.3.3.2.212.1 sl sl-SI --collation sq "" "" 1 3 2.16.840.1.113730.3.3.2.213.1 sq sq-AL -+collation sk SK "" 1 3 2.16.840.1.113730.3.3.2.211.1 sk-SK -+collation sl SI "" 1 3 2.16.840.1.113730.3.3.2.212.1 sl-SI -+collation sq AL "" 1 3 2.16.840.1.113730.3.3.2.213.1 sq-AL - collation sr Cyrl "" 1 3 2.16.840.1.113730.3.3.2.214.1 sr-Cyrl - collation sr Cyrl BA 1 3 2.16.840.1.113730.3.3.2.215.1 sr-Cyrl-BA - collation sr Cyrl ME 1 3 2.16.840.1.113730.3.3.2.216.1 sr-Cyrl-ME --- -2.4.11 - diff --git a/SOURCES/0026-Ticket-49196-Autotune-generates-crit-messages.patch b/SOURCES/0026-Ticket-49196-Autotune-generates-crit-messages.patch new file mode 100644 index 0000000..a2875dd --- /dev/null +++ b/SOURCES/0026-Ticket-49196-Autotune-generates-crit-messages.patch 
@@ -0,0 +1,42 @@ +From 8a0b4643e1119e994370089fd52721373e88bb51 Mon Sep 17 00:00:00 2001 +From: William Brown +Date: Wed, 29 Mar 2017 10:59:14 +1000 +Subject: [PATCH] Ticket 49196 - Autotune generates crit messages + +Bug Description: The cache sanity check generates critical messages. + +Fix Description: Make the sanity check generate warning messages. + +https://pagure.io/389-ds-base/issue/49196 + +Author: wibrown + +Review by: mreynolds (Thanks!) +--- + ldap/servers/slapd/back-ldbm/start.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/ldap/servers/slapd/back-ldbm/start.c b/ldap/servers/slapd/back-ldbm/start.c +index 759af8a..1ae9858 100644 +--- a/ldap/servers/slapd/back-ldbm/start.c ++++ b/ldap/servers/slapd/back-ldbm/start.c +@@ -265,12 +265,12 @@ ldbm_back_start_autotune(struct ldbminfo *li) { + issane = util_is_cachesize_sane(&total_cache_size); + if (!issane) { + /* Right, it's time to panic */ +- slapi_log_err(SLAPI_LOG_CRIT, "ldbm_back_start", "It is highly likely your memory configuration of all backends will EXCEED your systems memory.\n"); +- slapi_log_err(SLAPI_LOG_CRIT, "ldbm_back_start", "In a future release this WILL prevent server start up. You MUST alter your configuration.\n"); +- slapi_log_err(SLAPI_LOG_CRIT, "ldbm_back_start", "Total entry cache size: %lu B; dbcache size: %lu B; available memory size: %lu B; \n", ++ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "It is highly likely your memory configuration of all backends will EXCEED your systems memory.\n"); ++ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "In a future release this WILL prevent server start up. 
You MUST alter your configuration.\n"); ++ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "Total entry cache size: %lu B; dbcache size: %lu B; available memory size: %lu B; \n", + (PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, availpages * pagesize + ); +- slapi_log_err(SLAPI_LOG_CRIT, "ldbm_back_start", "%s\n", msg); ++ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "%s\n", msg); + /* WB 2016 - This should be UNCOMMENTED in a future release */ + /* return SLAPI_FAIL_GENERAL; */ + } +-- +2.9.3 + diff --git a/SOURCES/0027-Issue-49221-During-an-upgrade-the-provided-localhost.patch b/SOURCES/0027-Issue-49221-During-an-upgrade-the-provided-localhost.patch new file mode 100644 index 0000000..8eb11b7 --- /dev/null +++ b/SOURCES/0027-Issue-49221-During-an-upgrade-the-provided-localhost.patch 
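Review bot: The re-emitted size message in `ldbm_back_start_autotune` pairs `%lu` with two `(PRUint64)` casts and an uncast `availpages * pagesize`, which is a specifier/argument mismatch wherever `unsigned long` is narrower than 64 bits (the types of `availpages` and `pagesize` are declared outside the hunk). Since these lines are being rewritten anyway, casting all three arguments the same way and matching the specifier would remove it, e.g. `"... %llu B; dbcache size: %llu B; available memory size: %llu B; \n", (unsigned long long)total_cache_size, (unsigned long long)li->li_dbcachesize, (unsigned long long)(availpages * pagesize)`. The context comment `/* Right, it's time to panic */` no longer matches a `SLAPI_LOG_WARNING` severity and should be reworded. Log monitoring keyed on CRIT will also stop seeing this memory-overcommit condition, so the downgrade deserves a mention in the release notes.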
@@ -0,0 +1,36 @@
+From 4e66114109263fff6b13192e07be9bbd9e493fee Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 17 Apr 2017 17:06:19 -0400
+Subject: [PATCH 1/2] Issue 49221 - During an upgrade the provided localhost
+ name is ignored
+
+Description: If the FullMachine name, or localhost, is provided in an INF
+ it is ignored during the upgrade the value of nsslapd-localhost
+ from the current server is used instead. We should only override
+ the localhost value if it is missing.
+
+https://pagure.io/389-ds-base/issue/49221
+
+Reviewed by: nhosoi(Thanks!)
+---
+ ldap/admin/src/scripts/DSUpdate.pm.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/admin/src/scripts/DSUpdate.pm.in b/ldap/admin/src/scripts/DSUpdate.pm.in
+index e84a9a9..8b24b47 100644
+--- a/ldap/admin/src/scripts/DSUpdate.pm.in
++++ b/ldap/admin/src/scripts/DSUpdate.pm.in
+@@ -435,7 +435,9 @@ sub initInfFromInst {
+ my $servid = $inst;
+ $servid =~ s/slapd-//;
+
+- $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
++ if (!$inf->{General}->{FullMachineName}) {
++ $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
++ }
+ $inf->{General}->{SuiteSpotUserID} = $entry->getValue("nsslapd-localuser");
+ $inf->{slapd}->{ServerPort} = $entry->getValue("nsslapd-port");
+ $inf->{slapd}->{ldapifilepath} = $entry->getValue("nsslapd-ldapifilepath");
+--
+2.9.3
+
diff --git a/SOURCES/0027-Ticket-48450-Add-prestart-work-around-for-systemd-as.patch b/SOURCES/0027-Ticket-48450-Add-prestart-work-around-for-systemd-as.patch
deleted file mode 100644
index 7e2dfcf..0000000
--- a/SOURCES/0027-Ticket-48450-Add-prestart-work-around-for-systemd-as.patch
+++ /dev/null
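Review bot: The new guard in `initInfFromInst` has no comment explaining why `FullMachineName` alone keeps an INF-supplied value while `SuiteSpotUserID`, `ServerPort` and `ldapifilepath` on the following lines are still overwritten from the instance entry unconditionally. A line above the `if` such as `# keep a hostname given in the INF; fall back to nsslapd-localhost only when none was supplied` would record that the asymmetry is intended. The INF value now takes precedence over the server's own configuration, so it is worth confirming that whatever consumes `FullMachineName` later in the upgrade validates it; that code is outside the hunk, as are the start and end of this sub.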
@@ -1,111 +0,0 @@ -From 8afc979b47994c8bebae22868b86761590231e09 Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Fri, 29 Jul 2016 14:36:19 +1000 -Subject: [PATCH 27/29] Ticket 48450 - Add prestart work around for systemd ask - password - -Bug Description: Due to a lack of response to fix the systemd ask password -permissions, we must resolve this ourselves. Without this, we cannot utilise -the ask password feature at all. - -Fix Description: We add an execstartpre script, that parses dse.ldif for -the running server user. If found, we add the acl to ask-password directory -which will allow the server to start. We do this so that if each instance -has a unique user, they can all use ask pass correctly. - -https://fedorahosted.org/389/ticket/48450 - -Author: wibrown - -Review by: nhosoi (Thanks) - -(cherry picked from commit e6b48924adb753f47683f25fab6e2b8e5d3cf84c) ---- - Makefile.am | 3 ++- - wrappers/ds_systemd_ask_password_acl.in | 34 +++++++++++++++++++++++++++++++ - wrappers/systemd.template.asan.service.in | 1 + - wrappers/systemd.template.service.in | 1 + - 4 files changed, 38 insertions(+), 1 deletion(-) - create mode 100644 wrappers/ds_systemd_ask_password_acl.in - -diff --git a/Makefile.am b/Makefile.am -index ed3d462..3e1bf47 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -620,7 +620,8 @@ sbin_SCRIPTS = ldap/admin/src/scripts/setup-ds.pl \ - ldap/admin/src/scripts/dbmon.sh \ - ldap/admin/src/scripts/ds_selinux_enabled \ - ldap/admin/src/scripts/ds_selinux_port_query \ -- wrappers/ldap-agent -+ wrappers/ds_systemd_ask_password_acl \ -+ wrappers/ldap-agent - - bin_SCRIPTS = ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl \ - wrappers/dbscan \ -diff --git a/wrappers/ds_systemd_ask_password_acl.in b/wrappers/ds_systemd_ask_password_acl.in -new file mode 100644 -index 0000000..59bffc5 ---- /dev/null -+++ b/wrappers/ds_systemd_ask_password_acl.in -@@ -0,0 +1,34 @@ -+#!/bin/sh -+# BEGIN COPYRIGHT BLOCK -+# Copyright (C) 2016 Red Hat, Inc. 
-+# -+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. -+# END COPYRIGHT BLOCK -+ -+# Systemd has not fixed the issue at https://bugzilla.redhat.com/show_bug.cgi?id=1322167 -+# As a result, we need a way to fix the permissions as we start. -+# We have to reset these each time, as this folder is on a tmpfs. -+# If we don't do this, we can't prompt for the password! -+# If you want this script to go away, fix the bugzilla so we don't need it! -+ -+# Make sure we have the path to the dse.ldif -+if [ -z $1 ] -+then -+ echo "usage: ${0} /etc/dirsrv/slapd-/dse.ldif" -+ exit 1 -+fi -+ -+# Grep the user out -+ -+DS_USER=`grep 'nsslapd-localuser: ' $1 | awk '{print $2}'` -+ -+# Now apply the acl -+ -+if [ -d /var/run/systemd/ask-password ] -+then -+ setfacl -m u:${DS_USER}:rwx /var/run/systemd/ask-password -+fi -+ -diff --git a/wrappers/systemd.template.asan.service.in b/wrappers/systemd.template.asan.service.in -index dd361b4..5de91de 100644 ---- a/wrappers/systemd.template.asan.service.in -+++ b/wrappers/systemd.template.asan.service.in -@@ -25,6 +25,7 @@ PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid - # We can't symbolize here, as llvm symbolize crashes when it goes near systemd. - Environment='ASAN_OPTIONS="detect_leaks=1 symbolize=0 log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.asan detect_deadlocks=1"' - LimitCORE=infinity -+ExecStartPre=@sbindir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif - ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid - # if you need to set other directives e.g. 
LimitNOFILE=8192 - # set them in this file -diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in -index a045036..6f096b7 100644 ---- a/wrappers/systemd.template.service.in -+++ b/wrappers/systemd.template.service.in -@@ -22,6 +22,7 @@ Type=notify - EnvironmentFile=@initconfigdir@/@package_name@ - EnvironmentFile=@initconfigdir@/@package_name@-%i - PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid -+ExecStartPre=@sbindir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif - ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid - # if you need to set other directives e.g. LimitNOFILE=8192 - # set them in this file --- -2.4.11 - diff --git a/SOURCES/0028-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch b/SOURCES/0028-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch deleted file mode 100644 index bad5476..0000000 --- a/SOURCES/0028-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From 0f22cc8a2ab2a968b5ff0878b81bb5d39fa5a35e Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Tue, 26 Jul 2016 18:08:38 -0700 -Subject: [PATCH 28/29] Bug 1347760 - CVE-2016-4992 389-ds-base: Information - disclosure via repeated use of LDAP ADD operation, etc. - -Description: -1. When an account is inactivated, the error UNWILLING_TO_PERFORM with - the inactivated message should be returned only when the bind is - successful. -2. When SASL bind fails, instead of returning the cause of the failure - directly to the client, but logging it in the access log. - -https://bugzilla.redhat.com/show_bug.cgi?id=1347760 - -Reviewed by wibrown@redhat.com (Thank you, William!) - -(cherry picked from commit b8767d510d11c7cbfede24daaae3348b9f028f47) ---- - ldap/servers/slapd/bind.c | 49 ++++++++++++++++++++----------------------- - ldap/servers/slapd/saslbind.c | 4 ++-- - 2 files changed, 25 insertions(+), 28 deletions(-) - -diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c -index 702d4c2..c271577 100644 ---- a/ldap/servers/slapd/bind.c -+++ b/ldap/servers/slapd/bind.c -@@ -720,25 +720,6 @@ do_bind( Slapi_PBlock *pb ) - } - } - } -- -- /* -- * Is this account locked ? -- * could be locked through the account inactivation -- * or by the password policy -- * -- * rc=0: account not locked -- * rc=1: account locked, can not bind, result has been sent -- * rc!=0 and rc!=1: error. Result was not sent, lets be_bind -- * deal with it. -- * -- */ -- -- /* get the entry now, so that we can give it to slapi_check_account_lock and reslimit_update_from_dn */ -- if (! 
slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) { -- bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn)); -- rc = slapi_check_account_lock ( pb, bind_target_entry, pw_response_requested, 1, 1); -- } -- - slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database ); - set_db_default_result_handlers(pb); - if ( (rc != 1) && -@@ -777,6 +758,28 @@ do_bind( Slapi_PBlock *pb ) - - if ( rc == SLAPI_BIND_SUCCESS ) { - int myrc = 0; -+ /* -+ * The bind is successful. -+ * We can give it to slapi_check_account_lock and reslimit_update_from_dn. -+ */ -+ /* -+ * Is this account locked ? -+ * could be locked through the account inactivation -+ * or by the password policy -+ * -+ * rc=0: account not locked -+ * rc=1: account locked, can not bind, result has been sent -+ * rc!=0 and rc!=1: error. Result was not sent, lets be_bind -+ * deal with it. -+ * -+ */ -+ if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) { -+ bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn)); -+ rc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1); -+ if (1 == rc) { /* account is locked */ -+ goto account_locked; -+ } -+ } - if (!auto_bind) { - /* - * There could be a race that bind_target_entry was not added -@@ -787,13 +790,7 @@ do_bind( Slapi_PBlock *pb ) - if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA) && - !bind_target_entry) { - bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn)); -- if (bind_target_entry) { -- myrc = slapi_check_account_lock(pb, bind_target_entry, -- pw_response_requested, 1, 1); -- if (1 == myrc) { /* account is locked */ -- goto account_locked; -- } -- } else { -+ if (!bind_target_entry) { - slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "No such entry"); - send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL); - goto free_and_return; -diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c -index 37175f4..742987e 100644 ---- a/ldap/servers/slapd/saslbind.c -+++ 
b/ldap/servers/slapd/saslbind.c -@@ -1051,8 +1051,8 @@ sasl_check_result: - errstr = sasl_errdetail(sasl_conn); - - PR_ExitMonitor(pb->pb_conn->c_mutex); /* BIG LOCK */ -- send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, -- (char*)errstr, 0, NULL); -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, (void *)errstr); -+ send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL); - break; - } - --- -2.4.11 - diff --git a/SOURCES/0028-Ticket-48864-Add-cgroup-memory-limit-detection-to-38.patch b/SOURCES/0028-Ticket-48864-Add-cgroup-memory-limit-detection-to-38.patch new file mode 100644 index 0000000..1a6d37b --- /dev/null +++ b/SOURCES/0028-Ticket-48864-Add-cgroup-memory-limit-detection-to-38.patch 
@@ -0,0 +1,4106 @@ +From 57b6e5afb6265363ede667ad450e267f8a803b9e Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 19 Apr 2017 13:37:10 -0400 +Subject: [PATCH] Ticket 48864 - Add cgroup memory limit detection to 389-ds + +Bug Description: Previously our memory limits only check hardware + limits and shell resource limits. However, we may be in a container + like docker or lxc, and unable to detect these limits. This can lead + to crash conditions or worse, especially with autosizing + on import we may have conditions where the server may not + even be able to install. + +Fix Description: Add support for cgroup memory limit detection + so that we can properly determine our resource availability regardless + of lxc, docker, systemd or others. + +https://pagure.io/389-ds-base/issue/48864 + +Author: wibrown + +Review by: mreynolds (Thanks!) +--- + Makefile.am | 7 +- + ldap/servers/plugins/acl/acl.c | 18 +- + ldap/servers/plugins/acl/acl.h | 16 - + ldap/servers/plugins/acl/aclanom.c | 8 +- + ldap/servers/plugins/dna/dna.c | 50 ++- + ldap/servers/plugins/posix-winsync/posix-winsync.c | 4 +- + ldap/servers/plugins/replication/repl.h | 17 +- + .../plugins/replication/repl5_inc_protocol.c | 2 +- + ldap/servers/plugins/replication/repl5_init.c | 2 +- + ldap/servers/plugins/replication/repl5_plugins.c | 2 +- + ldap/servers/plugins/replication/repl5_replica.c | 8 +- + ldap/servers/plugins/replication/repl5_total.c | 4 +- + ldap/servers/plugins/replication/repl_connext.c | 20 +- + ldap/servers/plugins/replication/repl_extop.c | 26 +- + ldap/servers/plugins/sync/sync_persist.c | 6 +- + ldap/servers/plugins/syntaxes/validate_task.c | 6 +- + ldap/servers/plugins/usn/usn.c | 8 +- + ldap/servers/slapd/abandon.c | 8 +- + ldap/servers/slapd/add.c | 4 +- + ldap/servers/slapd/auth.c | 18 +- + ldap/servers/slapd/back-ldbm/back-ldbm.h | 23 +- + ldap/servers/slapd/back-ldbm/cache.c | 34 +- + ldap/servers/slapd/back-ldbm/dblayer.c | 72 ++-- + ldap/servers/slapd/back-ldbm/dblayer.h 
| 8 - + ldap/servers/slapd/back-ldbm/import-threads.c | 2 +- + ldap/servers/slapd/back-ldbm/import.c | 12 +- + ldap/servers/slapd/back-ldbm/ldbm_config.c | 32 +- + ldap/servers/slapd/back-ldbm/ldbm_delete.c | 4 +- + .../servers/slapd/back-ldbm/ldbm_instance_config.c | 20 +- + ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 4 +- + ldap/servers/slapd/back-ldbm/ldbm_search.c | 4 +- + ldap/servers/slapd/back-ldbm/misc.c | 2 +- + ldap/servers/slapd/back-ldbm/monitor.c | 10 +- + ldap/servers/slapd/back-ldbm/perfctrs.h | 2 +- + ldap/servers/slapd/back-ldbm/start.c | 113 +++---- + ldap/servers/slapd/bind.c | 8 +- + ldap/servers/slapd/compare.c | 2 +- + ldap/servers/slapd/connection.c | 72 ++-- + ldap/servers/slapd/conntable.c | 8 +- + ldap/servers/slapd/control.c | 2 +- + ldap/servers/slapd/daemon.c | 48 +-- + ldap/servers/slapd/delete.c | 2 +- + ldap/servers/slapd/entry.c | 2 +- + ldap/servers/slapd/extendop.c | 4 +- + ldap/servers/slapd/log.c | 10 +- + ldap/servers/slapd/modify.c | 12 +- + ldap/servers/slapd/modrdn.c | 6 +- + ldap/servers/slapd/monitor.c | 8 +- + ldap/servers/slapd/operation.c | 6 +- + ldap/servers/slapd/opshared.c | 4 +- + ldap/servers/slapd/pagedresults.c | 2 +- + ldap/servers/slapd/psearch.c | 10 +- + ldap/servers/slapd/result.c | 12 +- + ldap/servers/slapd/sasl_io.c | 52 +-- + ldap/servers/slapd/saslbind.c | 2 +- + ldap/servers/slapd/search.c | 2 +- + ldap/servers/slapd/slap.h | 9 +- + ldap/servers/slapd/slapi-plugin.h | 14 +- + ldap/servers/slapd/slapi-private.h | 38 ++- + ldap/servers/slapd/slapi_pal.c | 311 +++++++++++++++++ + ldap/servers/slapd/slapi_pal.h | 62 ++++ + ldap/servers/slapd/snmp_collator.c | 2 +- + ldap/servers/slapd/unbind.c | 6 +- + ldap/servers/slapd/util.c | 376 +-------------------- + test/libslapd/spal/meminfo.c | 54 +++ + test/libslapd/test.c | 2 + + test/test_slapd.h | 5 + + 67 files changed, 870 insertions(+), 859 deletions(-) + create mode 100644 ldap/servers/slapd/slapi_pal.c + create mode 100644 
ldap/servers/slapd/slapi_pal.h + create mode 100644 test/libslapd/spal/meminfo.c + +diff --git a/Makefile.am b/Makefile.am +index 485a460..429a345 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -481,6 +481,7 @@ dist_noinst_HEADERS = \ + ldap/servers/slapd/pw_verify.h \ + ldap/servers/slapd/secerrstrs.h \ + ldap/servers/slapd/slap.h \ ++ ldap/servers/slapd/slapi_pal.h \ + ldap/servers/slapd/slapi-plugin-compat4.h \ + ldap/servers/slapd/slapi-plugin.h \ + ldap/servers/slapd/slapi-private.h \ +@@ -850,6 +851,7 @@ pkgconfig_DATA = src/pkgconfig/dirsrv.pc \ + # header files + #------------------------ + serverinc_HEADERS = ldap/servers/plugins/replication/repl-session-plugin.h \ ++ ldap/servers/slapd/slapi_pal.h \ + ldap/servers/slapd/slapi-plugin.h \ + ldap/servers/plugins/replication/winsync-plugin.h \ + src/nunc-stans/include/nunc-stans.h \ +@@ -1219,6 +1221,7 @@ libslapd_la_SOURCES = ldap/servers/slapd/add.c \ + ldap/servers/slapd/value.c \ + ldap/servers/slapd/valueset.c \ + ldap/servers/slapd/vattr.c \ ++ ldap/servers/slapd/slapi_pal.c \ + $(libavl_a_SOURCES) + + libslapd_la_CPPFLAGS = $(AM_CPPFLAGS) $(DSPLUGIN_CPPFLAGS) $(SASL_INCLUDES) @db_inc@ $(SVRCORE_INCLUDES) @kerberos_inc@ @pcre_inc@ +@@ -2004,7 +2007,9 @@ test_slapd_SOURCES = test/main.c \ + test/libslapd/counters/atomic.c \ + test/libslapd/pblock/analytics.c \ + test/libslapd/pblock/v3_compat.c \ +- test/libslapd/operation/v3_compat.c ++ test/libslapd/operation/v3_compat.c \ ++ test/libslapd/spal/meminfo.c ++ + test_slapd_LDADD = libslapd.la + test_slapd_LDFLAGS = $(AM_CPPFLAGS) $(CMOCKA_LINKS) + ### WARNING: Slap.h needs cert.h, which requires the -I/lib/ldaputil!!! 
+diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c +index 48b8efc..561dd91 100644 +--- a/ldap/servers/plugins/acl/acl.c ++++ b/ldap/servers/plugins/acl/acl.c +@@ -276,7 +276,7 @@ acl_access_allowed( + + if ( !privateBackend && (be_readonly || slapi_config_get_readonly () )){ + slapi_log_err(loglevel, plugin_name, +- "acl_access_allowed - conn=%" NSPRIu64 " op=%d (main): Deny %s on entry(%s)" ++ "acl_access_allowed - conn=%" PRIu64 " op=%d (main): Deny %s on entry(%s)" + ": readonly backend\n", + o_connid, o_opid, + acl_access2str(access), +@@ -289,7 +289,7 @@ acl_access_allowed( + TNF_PROBE_0_DEBUG(acl_skipaccess_start,"ACL",""); + if ( acl_skip_access_check ( pb, e, access )) { + slapi_log_err(loglevel, plugin_name, +- "acl_access_allowed - conn=%" NSPRIu64 " op=%d (main): Allow %s on entry(%s)" ++ "acl_access_allowed - conn=%" PRIu64 " op=%d (main): Allow %s on entry(%s)" + ": root user\n", + o_connid, o_opid, + acl_access2str(access), +@@ -448,7 +448,7 @@ acl_access_allowed( + TNF_PROBE_0_DEBUG(acl_entry_first_touch_start,"ACL",""); + + slapi_log_err(loglevel, plugin_name, +- "acl_access_allowed - #### conn=%" NSPRIu64 " op=%d binddn=\"%s\"\n", ++ "acl_access_allowed - #### conn=%" PRIu64 " op=%d binddn=\"%s\"\n", + o_connid, o_opid, clientDn); + aclpb->aclpb_stat_total_entries++; + +@@ -776,7 +776,7 @@ print_access_control_summary( char *source, int ret_val, char *clientDn, + null_user); + if (strcasecmp(right, access_str_moddn) == 0) { + slapi_log_err(loglevel, plugin_name, "print_access_control_summary - " +- "conn=%" NSPRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) [from %s] to proxy (%s)" ++ "conn=%" PRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) [from %s] to proxy (%s)" + ": %s\n", + o_connid, o_opid, + source, +@@ -790,7 +790,7 @@ print_access_control_summary( char *source, int ret_val, char *clientDn, + + } else { + slapi_log_err(loglevel, plugin_name, +- "print_access_control_summary - conn=%" NSPRIu64 " op=%d (%s): %s %s 
on entry(%s).attr(%s) to proxy (%s)" ++ "print_access_control_summary - conn=%" PRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) to proxy (%s)" + ": %s\n", + o_connid, o_opid, + source, +@@ -805,7 +805,7 @@ print_access_control_summary( char *source, int ret_val, char *clientDn, + proxy_user = null_user; + if (strcasecmp(right, access_str_moddn) == 0) { + slapi_log_err(loglevel, plugin_name, +- "print_access_control_summary - conn=%" NSPRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) [from %s] to proxy (%s)" ++ "print_access_control_summary - conn=%" PRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) [from %s] to proxy (%s)" + ": %s\n", + o_connid, o_opid, + source, +@@ -819,7 +819,7 @@ print_access_control_summary( char *source, int ret_val, char *clientDn, + + } else { + slapi_log_err(loglevel, plugin_name, +- "print_access_control_summary - conn=%" NSPRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) to proxy (%s)" ++ "print_access_control_summary - conn=%" PRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) to proxy (%s)" + ": %s\n", + o_connid, o_opid, + source, +@@ -834,7 +834,7 @@ print_access_control_summary( char *source, int ret_val, char *clientDn, + } else { + if (strcasecmp(right, access_str_moddn) == 0) { + slapi_log_err(loglevel, plugin_name, +- "print_access_control_summary - conn=%" NSPRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) [from %s] to %s" ++ "print_access_control_summary - conn=%" PRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) [from %s] to %s" + ": %s\n", + o_connid, o_opid, + source, +@@ -848,7 +848,7 @@ print_access_control_summary( char *source, int ret_val, char *clientDn, + + } else { + slapi_log_err(loglevel, plugin_name, +- "print_access_control_summary - conn=%" NSPRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) to %s" ++ "print_access_control_summary - conn=%" PRIu64 " op=%d (%s): %s %s on entry(%s).attr(%s) to %s" + ": %s\n", + o_connid, o_opid, + source, +diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h 
+index 91f5071..8b3486c 100644 +--- a/ldap/servers/plugins/acl/acl.h ++++ b/ldap/servers/plugins/acl/acl.h +@@ -20,22 +20,6 @@ + #ifndef _ACL_H_ + #define _ACL_H_ + +-/* Required to get portable printf/scanf format macros */ +-#ifdef HAVE_INTTYPES_H +-#include +- +-/* NSPR uses the print macros a bit differently than ANSI C. We +- * need to use ll for a 64-bit integer, even when a long is 64-bit. +- */ +-#undef PRIu64 +-#define PRIu64 "llu" +-#undef PRI64 +-#define PRI64 "ll" +- +-#else +-#error Need to define portable format macros such as PRIu64 +-#endif /* HAVE_INTTYPES_H */ +- + #include + #include + #include +diff --git a/ldap/servers/plugins/acl/aclanom.c b/ldap/servers/plugins/acl/aclanom.c +index 5462d87..96d0d9f 100644 +--- a/ldap/servers/plugins/acl/aclanom.c ++++ b/ldap/servers/plugins/acl/aclanom.c +@@ -523,7 +523,7 @@ aclanom_match_profile (Slapi_PBlock *pb, struct acl_pblock *aclpb, Slapi_Entry * + aci_ndn = slapi_sdn_get_ndn (acl_anom_profile->anom_targetinfo[i].anom_target); + if (access & SLAPI_ACL_MODDN) { + slapi_log_err(loglevel, plugin_name, +- "aclanom_match_profile - conn=%" NSPRIu64 " op=%d: Allow access on entry(%s).attr(%s) (from %s) to anonymous: acidn=\"%s\"\n", ++ "aclanom_match_profile - conn=%" PRIu64 " op=%d: Allow access on entry(%s).attr(%s) (from %s) to anonymous: acidn=\"%s\"\n", + o_connid, o_opid, + ndn, + attr ? attr:"NULL", +@@ -532,7 +532,7 @@ aclanom_match_profile (Slapi_PBlock *pb, struct acl_pblock *aclpb, Slapi_Entry * + + } else { + slapi_log_err(loglevel, plugin_name, +- "aclanom_match_profile - conn=%" NSPRIu64 " op=%d: Allow access on entry(%s).attr(%s) to anonymous: acidn=\"%s\"\n", ++ "aclanom_match_profile - conn=%" PRIu64 " op=%d: Allow access on entry(%s).attr(%s) to anonymous: acidn=\"%s\"\n", + o_connid, o_opid, + ndn, + attr ? 
attr:"NULL", +@@ -541,13 +541,13 @@ aclanom_match_profile (Slapi_PBlock *pb, struct acl_pblock *aclpb, Slapi_Entry * + } else { + if (access & SLAPI_ACL_MODDN) { + slapi_log_err(loglevel, plugin_name, +- "aclanom_match_profile - conn=%" NSPRIu64 " op=%d: Deny access on entry(%s).attr(%s) (from %s) to anonymous\n", ++ "aclanom_match_profile - conn=%" PRIu64 " op=%d: Deny access on entry(%s).attr(%s) (from %s) to anonymous\n", + o_connid, o_opid, + ndn, attr ? attr:"NULL" , + aclpb->aclpb_moddn_source_sdn ? slapi_sdn_get_dn(aclpb->aclpb_moddn_source_sdn) : "NULL"); + } else { + slapi_log_err(loglevel, plugin_name, +- "aclanom_match_profile - conn=%" NSPRIu64 " op=%d: Deny access on entry(%s).attr(%s) to anonymous\n", ++ "aclanom_match_profile - conn=%" PRIu64 " op=%d: Deny access on entry(%s).attr(%s) to anonymous\n", + o_connid, o_opid, + ndn, attr ? attr:"NULL" ); + } +diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c +index 34011b9..a085941 100644 +--- a/ldap/servers/plugins/dna/dna.c ++++ b/ldap/servers/plugins/dna/dna.c +@@ -23,14 +23,6 @@ + #include "slapi-private.h" + #include "prclist.h" + +-/* Required to get portable printf/scanf format macros */ +-#ifdef HAVE_INTTYPES_H +-#include +- +-#else +-#error Need to define portable format macros such as PRIu64 +-#endif /* HAVE_INTTYPES_H */ +- + #include + + #define DNA_PLUGIN_SUBSYSTEM "dna-plugin" +@@ -997,7 +989,7 @@ dna_parse_config_entry(Slapi_PBlock *pb, Slapi_Entry * e, int apply) + } + + slapi_log_err(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, +- "dna_parse_config_entry - %s [%" NSPRIu64 "]\n", DNA_NEXTVAL, ++ "dna_parse_config_entry - %s [%" PRIu64 "]\n", DNA_NEXTVAL, + entry->nextval); + + value = slapi_entry_attr_get_charptr(e, DNA_PREFIX); +@@ -1026,7 +1018,7 @@ dna_parse_config_entry(Slapi_PBlock *pb, Slapi_Entry * e, int apply) + } + + slapi_log_err(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, +- "dna_parse_config_entry - %s [%" NSPRIu64 "]\n", DNA_INTERVAL, entry->interval); ++ 
"dna_parse_config_entry - %s [%" PRIu64 "]\n", DNA_INTERVAL, entry->interval); + #endif + + value = slapi_entry_attr_get_charptr(e, DNA_GENERATE); +@@ -1126,7 +1118,7 @@ dna_parse_config_entry(Slapi_PBlock *pb, Slapi_Entry * e, int apply) + } + + slapi_log_err(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, +- "dna_parse_config_entry - %s [%" NSPRIu64 "]\n", DNA_MAXVAL, ++ "dna_parse_config_entry - %s [%" PRIu64 "]\n", DNA_MAXVAL, + entry->maxval); + + /* get the global bind dn and password(if any) */ +@@ -1256,7 +1248,7 @@ dna_parse_config_entry(Slapi_PBlock *pb, Slapi_Entry * e, int apply) + } + + slapi_log_err(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, +- "dna_parse_config_entry - %s [%" NSPRIu64 "]\n", DNA_THRESHOLD, ++ "dna_parse_config_entry - %s [%" PRIu64 "]\n", DNA_THRESHOLD, + entry->threshold); + + value = slapi_entry_attr_get_charptr(e, DNA_RANGE_REQUEST_TIMEOUT); +@@ -1268,7 +1260,7 @@ dna_parse_config_entry(Slapi_PBlock *pb, Slapi_Entry * e, int apply) + } + + slapi_log_err(SLAPI_LOG_CONFIG, DNA_PLUGIN_SUBSYSTEM, +- "dna_parse_config_entry - %s [%" NSPRIu64 "]\n", DNA_RANGE_REQUEST_TIMEOUT, ++ "dna_parse_config_entry - %s [%" PRIu64 "]\n", DNA_RANGE_REQUEST_TIMEOUT, + entry->timeout); + + value = slapi_entry_attr_get_charptr(e, DNA_NEXT_RANGE); +@@ -2307,7 +2299,7 @@ dna_first_free_value(struct configEntry *config_entry, + return LDAP_OPERATIONS_ERROR; + } + +- filter = slapi_ch_smprintf("(&%s(&(%s>=%" NSPRIu64 ")(%s<=%" NSPRIu64 ")))", ++ filter = slapi_ch_smprintf("(&%s(&(%s>=%" PRIu64 ")(%s<=%" PRIu64 ")))", + config_entry->filter, + config_entry->types[0], tmpval, + config_entry->types[0], config_entry->maxval); +@@ -2497,7 +2489,7 @@ static int dna_get_next_value(struct configEntry *config_entry, + if ((config_entry->maxval == -1) || + (nextval <= (config_entry->maxval + config_entry->interval))) { + /* try to set the new next value in the config entry */ +- snprintf(next_value, sizeof(next_value),"%" NSPRIu64, nextval); ++ snprintf(next_value, 
sizeof(next_value),"%" PRIu64, nextval); + + /* set up our replace modify operation */ + replace_val[0] = next_value; +@@ -2524,7 +2516,7 @@ static int dna_get_next_value(struct configEntry *config_entry, + + if (LDAP_SUCCESS == ret) { + slapi_ch_free_string(next_value_ret); +- *next_value_ret = slapi_ch_smprintf("%" NSPRIu64, setval); ++ *next_value_ret = slapi_ch_smprintf("%" PRIu64, setval); + if (NULL == *next_value_ret) { + ret = LDAP_OPERATIONS_ERROR; + goto done; +@@ -2609,7 +2601,7 @@ dna_update_shared_config(struct configEntry *config_entry) + + /* We store the number of remaining assigned values + * in the shared config entry. */ +- snprintf(remaining_vals, sizeof(remaining_vals),"%" NSPRIu64, ++ snprintf(remaining_vals, sizeof(remaining_vals),"%" PRIu64, + config_entry->remaining); + + /* set up our replace modify operation */ +@@ -2709,7 +2701,7 @@ dna_update_next_range(struct configEntry *config_entry, + int ret = 0; + + /* Try to set the new next range in the config entry. 
*/ +- snprintf(nextrange_value, sizeof(nextrange_value), "%" NSPRIu64 "-%" NSPRIu64, ++ snprintf(nextrange_value, sizeof(nextrange_value), "%" PRIu64 "-%" PRIu64, + lower, upper); + + /* set up our replace modify operation */ +@@ -2778,8 +2770,8 @@ dna_activate_next_range(struct configEntry *config_entry) + int ret = 0; + + /* Setup the modify operation for the config entry */ +- snprintf(maxval_val, sizeof(maxval_val),"%" NSPRIu64, config_entry->next_range_upper); +- snprintf(nextval_val, sizeof(nextval_val),"%" NSPRIu64, config_entry->next_range_lower); ++ snprintf(maxval_val, sizeof(maxval_val),"%" PRIu64, config_entry->next_range_upper); ++ snprintf(nextval_val, sizeof(nextval_val),"%" PRIu64, config_entry->next_range_lower); + + maxval_vals[0] = maxval_val; + maxval_vals[1] = 0; +@@ -3319,7 +3311,7 @@ dna_create_valcheck_filter(struct configEntry *config_entry, PRUint64 value, cha + * - the string length of the filter in the config + * - the string length sum of all configured types + * - 23 bytes for each type (20 for the max string +- * representation of a NSPRIu64, 3 for "(=)" ++ * representation of a PRIu64, 3 for "(=)" + * - 3 bytes for the beginning and end of the filter - "(&" and ")" + * - 3 bytes to OR together multiple types (if present) - "(|" and ")" + * - the string length of the prefix (if one is configured) for each type +@@ -3556,8 +3548,8 @@ _dna_pre_op_add(Slapi_PBlock *pb, Slapi_Entry *e, char **errstr) + (config_entry->remaining <= config_entry->threshold)) { + slapi_log_err(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, + "_dna_pre_op_add - Passed threshold of %" +- NSPRIu64 " remaining values " +- "for range %s. (%" NSPRIu64 " values remain)\n", ++ PRIu64 " remaining values " ++ "for range %s. 
(%" PRIu64 " values remain)\n", + config_entry->threshold, config_entry->dn, + config_entry->remaining); + dna_fix_maxval(config_entry, 0); +@@ -3828,8 +3820,8 @@ _dna_pre_op_modify(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Mods *smods, char **e + (config_entry->remaining <= config_entry->threshold)) { + slapi_log_err(SLAPI_LOG_ERR, DNA_PLUGIN_SUBSYSTEM, + "_dna_pre_op_modify - Passed threshold of %" +- NSPRIu64 " remaining values " +- "for range %s. (%" NSPRIu64 " values remain)\n", ++ PRIu64 " remaining values " ++ "for range %s. (%" PRIu64 " values remain)\n", + config_entry->threshold, config_entry->dn, + config_entry->remaining); + dna_fix_maxval(config_entry, 0); +@@ -4411,8 +4403,8 @@ static int dna_extend_exop(Slapi_PBlock *pb) + char highstr[16]; + + /* Create the exop response */ +- snprintf(lowstr, sizeof(lowstr), "%" NSPRIu64, lower); +- snprintf(highstr, sizeof(highstr), "%" NSPRIu64, upper); ++ snprintf(lowstr, sizeof(lowstr), "%" PRIu64, lower); ++ snprintf(highstr, sizeof(highstr), "%" PRIu64, upper); + range_low.bv_val = lowstr; + range_low.bv_len = strlen(range_low.bv_val); + range_high.bv_val = highstr; +@@ -4445,7 +4437,7 @@ static int dna_extend_exop(Slapi_PBlock *pb) + ber_bvfree(respdata); + + slapi_log_err(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, +- "dna_extend_exop - Released range %" NSPRIu64 "-%" NSPRIu64 ".\n", ++ "dna_extend_exop - Released range %" PRIu64 "-%" PRIu64 ".\n", + lower, upper); + } + +@@ -4588,7 +4580,7 @@ dna_release_range(char *range_dn, PRUint64 *lower, PRUint64 *upper) + *lower = *upper - release + 1; + + /* try to set the new maxval in the config entry */ +- snprintf(max_value, sizeof(max_value),"%" NSPRIu64, (*lower - 1)); ++ snprintf(max_value, sizeof(max_value),"%" PRIu64, (*lower - 1)); + + /* set up our replace modify operation */ + replace_val[0] = max_value; +diff --git a/ldap/servers/plugins/posix-winsync/posix-winsync.c b/ldap/servers/plugins/posix-winsync/posix-winsync.c +index 63444e5..21e4ad0 100644 +--- 
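Review bot: In the `dna_extend_exop` hunk the two rewritten `snprintf` calls format a 64-bit value into `highstr[16]` (and into `lowstr`, declared just above the hunk and presumably the same size), but an unsigned 64-bit number can need 20 digits plus the terminator. `snprintf` will not overrun the buffer, yet a bound of 10^15 or more is silently cut short, and the extended-operation response then carries a wrong range because `bv_len` is taken with `strlen` afterwards. I would declare `char highstr[21];` (and the same for `lowstr`) and treat a return value `>= sizeof(highstr)` as an error; the comment in `dna_create_valcheck_filter` in this same patch already counts 20 characters for a PRIu64. The other `snprintf(..., "%" PRIu64, ...)` calls touched in dna.c (`dna_get_next_value`, `dna_update_shared_config`, `dna_update_next_range`, `dna_activate_next_range`, `dna_release_range`) write into buffers declared outside their hunks, so their sizes are worth checking the same way. The body of `dna_extend_exop` starts and ends outside this hunk.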
a/ldap/servers/plugins/posix-winsync/posix-winsync.c ++++ b/ldap/servers/plugins/posix-winsync/posix-winsync.c +@@ -270,7 +270,7 @@ sync_acct_disable(void *cbdata, /* the usual domain config data */ + if (update_entry) { + slapi_entry_attr_set_ulong(update_entry, "userAccountControl", adval); + slapi_log_err(SLAPI_LOG_PLUGIN, posix_winsync_plugin_name, +- "<-- sync_acct_disable - %s AD account [%s] - new value is [%" NSPRIu64 "]\n", ++ "<-- sync_acct_disable - %s AD account [%s] - new value is [%" PRIu64 "]\n", + (ds_is_enabled) ? "enabled" : "disabled", slapi_entry_get_dn_const(update_entry), adval); + } else { + /* iterate through the mods - if there is already a mod +@@ -326,7 +326,7 @@ sync_acct_disable(void *cbdata, /* the usual domain config data */ + mod_bval->bv_len = strlen(acctvalstr); + } + slapi_log_err(SLAPI_LOG_PLUGIN, posix_winsync_plugin_name, +- "<-- sync_acct_disable - %s AD account [%s] - new value is [%" NSPRIu64 "]\n", ++ "<-- sync_acct_disable - %s AD account [%s] - new value is [%" PRIu64 "]\n", + (ds_is_enabled) ? "enabled" : "disabled", slapi_entry_get_dn_const(ad_entry), adval); + } + } +diff --git a/ldap/servers/plugins/replication/repl.h b/ldap/servers/plugins/replication/repl.h +index 89ad481..9460ca9 100644 +--- a/ldap/servers/plugins/replication/repl.h ++++ b/ldap/servers/plugins/replication/repl.h +@@ -15,21 +15,8 @@ + #ifndef _REPL_H_ + #define _REPL_H_ + +-/* Required to get portable printf/scanf format macros */ +-#ifdef HAVE_INTTYPES_H +-#include +- +-/* NSPR uses the print macros a bit differently than ANSI C. We +- * need to use ll for a 64-bit integer, even when a long is 64-bit. +- */ +-#undef PRIu64 +-#define PRIu64 "llu" +-#undef PRI64 +-#define PRI64 "ll" +- +-#else +-#error Need to define portable format macros such as PRIu64 +-#endif /* HAVE_INTTYPES_H */ ++/* Provides our int types and platform specific requirements. 
*/ ++#include + + #include + #include +diff --git a/ldap/servers/plugins/replication/repl5_inc_protocol.c b/ldap/servers/plugins/replication/repl5_inc_protocol.c +index a5ae885..36c279e 100644 +--- a/ldap/servers/plugins/replication/repl5_inc_protocol.c ++++ b/ldap/servers/plugins/replication/repl5_inc_protocol.c +@@ -2104,7 +2104,7 @@ repl5_inc_stop(Private_Repl_Protocol *prp) + /* Isn't listening. Do something drastic. */ + return_value = -1; + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, +- "repl5_inc_stop - %s: Protocol does not stop after %" NSPRIu64 " seconds\n", ++ "repl5_inc_stop - %s: Protocol does not stop after %" PRIu64 " seconds\n", + agmt_get_long_name(prp->agmt), timeout); + } + else +diff --git a/ldap/servers/plugins/replication/repl5_init.c b/ldap/servers/plugins/replication/repl5_init.c +index 9549dcf..edffb84 100644 +--- a/ldap/servers/plugins/replication/repl5_init.c ++++ b/ldap/servers/plugins/replication/repl5_init.c +@@ -208,7 +208,7 @@ get_repl_session_id (Slapi_PBlock *pb, char *idstr, CSN **csn) + /* Avoid "Connection is NULL and hence cannot access SLAPI_CONN_ID" */ + if (opid) { + slapi_pblock_get (pb, SLAPI_CONN_ID, &connid); +- snprintf (idstr, REPL_SESSION_ID_SIZE, "conn=%" NSPRIu64 " op=%d", ++ snprintf (idstr, REPL_SESSION_ID_SIZE, "conn=%" PRIu64 " op=%d", + connid, opid); + } + +diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c +index 357c093..ebcc230 100644 +--- a/ldap/servers/plugins/replication/repl5_plugins.c ++++ b/ldap/servers/plugins/replication/repl5_plugins.c +@@ -1335,7 +1335,7 @@ process_postop (Slapi_PBlock *pb) + { + slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, + "process_postop - Failed to apply update (%s) error (%d). 
" +- "Aborting replication session(conn=%" NSPRIu64 " op=%d)\n", ++ "Aborting replication session(conn=%" PRIu64 " op=%d)\n", + csn_as_string(opcsn, PR_FALSE, csn_str), retval, + connid, opid); + /* +diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c +index 5718a98..a106f8b 100644 +--- a/ldap/servers/plugins/replication/repl5_replica.c ++++ b/ldap/servers/plugins/replication/repl5_replica.c +@@ -596,7 +596,7 @@ replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opi + + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "replica_get_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": " ++ "conn=%" PRIu64 " op=%d repl=\"%s\": " + "Replica in use locking_purl=%s\n", + connid, opid, + slapi_sdn_get_dn(r->repl_root), +@@ -620,7 +620,7 @@ replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opi + { + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "replica_get_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": Acquired replica\n", ++ "conn=%" PRIu64 " op=%d repl=\"%s\": Acquired replica\n", + connid, opid, + slapi_sdn_get_dn(r->repl_root)); + r->repl_state_flags |= REPLICA_IN_USE; +@@ -664,13 +664,13 @@ replica_relinquish_exclusive_access(Replica *r, PRUint64 connid, int opid) + { + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "replica_relinquish_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": " ++ "conn=%" PRIu64 " op=%d repl=\"%s\": " + "Replica not in use\n", + connid, opid, slapi_sdn_get_dn(r->repl_root)); + } else { + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "replica_relinquish_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": " ++ "conn=%" PRIu64 " op=%d repl=\"%s\": " + "Released replica held by locking_purl=%s\n", + connid, opid, + slapi_sdn_get_dn(r->repl_root), r->locking_purl); +diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c 
+index af570a8..064a099 100644 +--- a/ldap/servers/plugins/replication/repl5_total.c ++++ b/ldap/servers/plugins/replication/repl5_total.c +@@ -853,7 +853,7 @@ multimaster_extop_NSDS50ReplicationEntry(Slapi_PBlock *pb) + const char *dn = slapi_entry_get_dn_const(e); + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_NSDS50ReplicationEntry - " +- "Error %d: could not import entry dn %s for total update operation conn=%" NSPRIu64 " op=%d\n", ++ "Error %d: could not import entry dn %s for total update operation conn=%" PRIu64 " op=%d\n", + rc, dn, connid, opid); + rc = -1; + } +@@ -864,7 +864,7 @@ multimaster_extop_NSDS50ReplicationEntry(Slapi_PBlock *pb) + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_NSDS50ReplicationEntry - " + "Error %d: could not decode the total update extop " +- "for total update operation conn=%" NSPRIu64 " op=%d\n", ++ "for total update operation conn=%" PRIu64 " op=%d\n", + rc, connid, opid); + } + +diff --git a/ldap/servers/plugins/replication/repl_connext.c b/ldap/servers/plugins/replication/repl_connext.c +index 29dc2a7..ba0fa15 100644 +--- a/ldap/servers/plugins/replication/repl_connext.c ++++ b/ldap/servers/plugins/replication/repl_connext.c +@@ -84,7 +84,7 @@ void consumer_connection_extension_destructor (void *ext, void *object, void *pa + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "consumer_connection_extension_destructor - " + "Aborting total update in progress for replicated " +- "area %s connid=%" NSPRIu64 "\n", slapi_sdn_get_dn(repl_root_sdn), connid); ++ "area %s connid=%" PRIu64 "\n", slapi_sdn_get_dn(repl_root_sdn), connid); + slapi_stop_bulk_import(pb); + } + else +@@ -156,7 +156,7 @@ consumer_connection_extension_acquire_exclusive_access(void* conn, PRUint64 conn + ret = connext; + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "consumer_connection_extension_acquire_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d Acquired consumer connection extension\n", ++ "conn=%" 
PRIu64 " op=%d Acquired consumer connection extension\n", + connid, opid); + } + else if (opid == connext->in_use_opid) +@@ -164,14 +164,14 @@ consumer_connection_extension_acquire_exclusive_access(void* conn, PRUint64 conn + ret = connext; + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "consumer_connection_extension_acquire_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d Reacquired consumer connection extension\n", ++ "conn=%" PRIu64 " op=%d Reacquired consumer connection extension\n", + connid, opid); + } + else + { + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "consumer_connection_extension_acquire_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d Could not acquire consumer connection extension; it is in use by op=%d\n", ++ "conn=%" PRIu64 " op=%d Could not acquire consumer connection extension; it is in use by op=%d\n", + connid, opid, connext->in_use_opid); + } + +@@ -182,7 +182,7 @@ consumer_connection_extension_acquire_exclusive_access(void* conn, PRUint64 conn + { + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "consumer_connection_extension_acquire_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d Could not acquire consumer extension, it is NULL!\n", ++ "conn=%" PRIu64 " op=%d Could not acquire consumer extension, it is NULL!\n", + connid, opid); + } + +@@ -221,7 +221,7 @@ consumer_connection_extension_relinquish_exclusive_access(void* conn, PRUint64 c + { + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "consumer_connection_extension_relinquish_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d Consumer connection extension is not in use\n", ++ "conn=%" PRIu64 " op=%d Consumer connection extension is not in use\n", + connid, opid); + ret = 2; + } +@@ -230,7 +230,7 @@ consumer_connection_extension_relinquish_exclusive_access(void* conn, PRUint64 c + /* step 4, relinquish it (normal) */ + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "consumer_connection_extension_relinquish_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d 
Relinquishing consumer connection extension\n", ++ "conn=%" PRIu64 " op=%d Relinquishing consumer connection extension\n", + connid, opid); + connext->in_use_opid = -1; + ret = 1; +@@ -240,7 +240,7 @@ consumer_connection_extension_relinquish_exclusive_access(void* conn, PRUint64 c + /* step 4, relinquish it (forced) */ + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "consumer_connection_extension_relinquish_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d Forced to relinquish consumer connection extension held by op=%d\n", ++ "conn=%" PRIu64 " op=%d Forced to relinquish consumer connection extension held by op=%d\n", + connid, opid, connext->in_use_opid); + connext->in_use_opid = -1; + ret = 1; +@@ -249,7 +249,7 @@ consumer_connection_extension_relinquish_exclusive_access(void* conn, PRUint64 c + { + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "consumer_connection_extension_relinquish_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d Not relinquishing consumer connection extension, it is held by op=%d!\n", ++ "conn=%" PRIu64 " op=%d Not relinquishing consumer connection extension, it is held by op=%d!\n", + connid, opid, connext->in_use_opid); + } + +@@ -260,7 +260,7 @@ consumer_connection_extension_relinquish_exclusive_access(void* conn, PRUint64 c + { + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "consumer_connection_extension_relinquish_exclusive_access - " +- "conn=%" NSPRIu64 " op=%d Could not relinquish consumer extension, it is NULL!\n", ++ "conn=%" PRIu64 " op=%d Could not relinquish consumer extension, it is NULL!\n", + connid, opid); + } + +diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c +index 80580f9..412caec 100644 +--- a/ldap/servers/plugins/replication/repl_extop.c ++++ b/ldap/servers/plugins/replication/repl_extop.c +@@ -668,7 +668,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + connext->repl_protocol_version = REPL_PROTOCOL_50_INCREMENTAL; + 
slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": Begin incremental protocol\n", ++ "conn=%" PRIu64 " op=%d repl=\"%s\": Begin incremental protocol\n", + connid, opid, repl_root); + isInc = PR_TRUE; + } +@@ -695,7 +695,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + } + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": Begin total protocol\n", ++ "conn=%" PRIu64 " op=%d repl=\"%s\": Begin total protocol\n", + connid, opid, repl_root); + isInc = PR_FALSE; + } +@@ -705,7 +705,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + connext->repl_protocol_version = REPL_PROTOCOL_50_INCREMENTAL; + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": Begin 7.1 incremental protocol\n", ++ "conn=%" PRIu64 " op=%d repl=\"%s\": Begin 7.1 incremental protocol\n", + connid, opid, repl_root); + isInc = PR_TRUE; + } +@@ -718,7 +718,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + } + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": Begin 7.1 total protocol\n", ++ "conn=%" PRIu64 " op=%d repl=\"%s\": Begin 7.1 total protocol\n", + connid, opid, repl_root); + isInc = PR_FALSE; + } +@@ -741,7 +741,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + { + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d replica=\"%s\": " ++ "conn=%" PRIu64 " op=%d replica=\"%s\": " + "Replica is being configured: try again later\n", + connid, opid, repl_root); + response = NSDS50_REPL_REPLICA_BUSY; +@@ -814,7 +814,7 @@ 
multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + { + slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": " ++ "conn=%" PRIu64 " op=%d repl=\"%s\": " + "Excessive clock skew from supplier RUV\n", + connid, opid, repl_root); + response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW; +@@ -852,7 +852,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + if (check_replica_id_uniqueness(replica, supplier_ruv) != 0){ + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": " ++ "conn=%" PRIu64 " op=%d repl=\"%s\": " + "Replica has same replicaID %d as supplier\n", + connid, opid, repl_root, replica_get_rid(replica)); + response = NSDS50_REPL_REPLICAID_ERROR; +@@ -865,7 +865,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + * the session's conn id and op id to identify the the supplier. 
+ */ + /* junkrc = ruv_get_first_id_and_purl(supplier_ruv, &junkrid, &locking_purl); */ +- snprintf(locking_session, sizeof(locking_session), "conn=%" NSPRIu64 " id=%d", ++ snprintf(locking_session, sizeof(locking_session), "conn=%" PRIu64 " id=%d", + connid, opid); + locking_purl = &locking_session[0]; + if (replica_get_exclusive_access(replica, &isInc, connid, opid, +@@ -892,7 +892,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + int max = 480 * 5; + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": " ++ "conn=%" PRIu64 " op=%d repl=\"%s\": " + "374 - Starting sleep: connext->repl_protocol_version == %d\n", + connid, opid, repl_root, connext->repl_protocol_version); + +@@ -902,7 +902,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": " ++ "conn=%" PRIu64 " op=%d repl=\"%s\": " + "374 - Finished sleep: connext->repl_protocol_version == %d\n", + connid, opid, repl_root, connext->repl_protocol_version); + } +@@ -997,7 +997,7 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + response = NSDS50_REPL_INTERNAL_ERROR; + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": " ++ "conn=%" PRIu64 " op=%d repl=\"%s\": " + "Unexpected update protocol received: %d. " + "Expected incremental or total.\n", + connid, opid, repl_root, connext->repl_protocol_version); +@@ -1039,7 +1039,7 @@ send_response: + slapi_log_err (resp_log_level, + repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d replica=\"%s\": " ++ "conn=%" PRIu64 " op=%d replica=\"%s\": " + "Unable to acquire replica: error: %s%s\n", + connid, opid, + (replica ? 
slapi_sdn_get_dn(replica_get_root(replica)) : "unknown"), +@@ -1092,7 +1092,7 @@ send_response: + slapi_pblock_set(pb, SLAPI_EXT_OP_RET_VALUE, resp_bval); + slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, + "multimaster_extop_StartNSDS50ReplicationRequest - " +- "conn=%" NSPRIu64 " op=%d repl=\"%s\": " ++ "conn=%" PRIu64 " op=%d repl=\"%s\": " + "%s: response=%d rc=%d\n", + connid, opid, repl_root, + is90 ? "StartNSDS90ReplicationRequest" : +diff --git a/ldap/servers/plugins/sync/sync_persist.c b/ldap/servers/plugins/sync/sync_persist.c +index 667a529..bd856cb 100644 +--- a/ldap/servers/plugins/sync/sync_persist.c ++++ b/ldap/servers/plugins/sync/sync_persist.c +@@ -548,14 +548,14 @@ sync_send_results( void *arg ) + slapi_pblock_get(req->req_pblock, SLAPI_CONNECTION, &conn); + if (NULL == conn) { + slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM, +- "sync_send_results - conn=%" NSPRIu64 " op=%d Null connection - aborted\n", ++ "sync_send_results - conn=%" PRIu64 " op=%d Null connection - aborted\n", + connid, opid); + goto done; + } + conn_acq_flag = sync_acquire_connection (conn); + if (conn_acq_flag) { + slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM, +- "sync_send_results - conn=%" NSPRIu64 " op=%d Could not acquire the connection - aborted\n", ++ "sync_send_results - conn=%" PRIu64 " op=%d Could not acquire the connection - aborted\n", + connid, opid); + goto done; + } +@@ -566,7 +566,7 @@ sync_send_results( void *arg ) + /* Check for an abandoned operation */ + if ( op == NULL || slapi_is_operation_abandoned( op ) ) { + slapi_log_err(SLAPI_LOG_PLUGIN, SYNC_PLUGIN_SUBSYSTEM, +- "sync_send_results - conn=%" NSPRIu64 " op=%d Operation no longer active - terminating\n", ++ "sync_send_results - conn=%" PRIu64 " op=%d Operation no longer active - terminating\n", + connid, opid); + break; + } +diff --git a/ldap/servers/plugins/syntaxes/validate_task.c b/ldap/servers/plugins/syntaxes/validate_task.c +index eae2d2a..c051573 100644 +--- 
a/ldap/servers/plugins/syntaxes/validate_task.c ++++ b/ldap/servers/plugins/syntaxes/validate_task.c +@@ -201,12 +201,12 @@ syntax_validate_task_thread(void *arg) + slapi_pblock_destroy(search_pb); + + /* Log finished message. */ +- slapi_task_log_notice(task, "Syntax validate task complete. Found %" NSPRIu64 ++ slapi_task_log_notice(task, "Syntax validate task complete. Found %" PRIu64 + " invalid entries.\n", slapi_counter_get_value(td->invalid_entries)); +- slapi_task_log_status(task, "Syntax validate task complete. Found %" NSPRIu64 ++ slapi_task_log_status(task, "Syntax validate task complete. Found %" PRIu64 + " invalid entries.\n", slapi_counter_get_value(td->invalid_entries)); + slapi_log_err(SLAPI_LOG_ERR, SYNTAX_PLUGIN_SUBSYSTEM, "syntax_validate_task_thread - Complete." +- " Found %" NSPRIu64 " invalid entries.\n", ++ " Found %" PRIu64 " invalid entries.\n", + slapi_counter_get_value(td->invalid_entries)); + slapi_task_inc_progress(task); + +diff --git a/ldap/servers/plugins/usn/usn.c b/ldap/servers/plugins/usn/usn.c +index 5e67e0a..54ebc31 100644 +--- a/ldap/servers/plugins/usn/usn.c ++++ b/ldap/servers/plugins/usn/usn.c +@@ -320,7 +320,7 @@ _usn_add_next_usn(Slapi_Entry *e, Slapi_Backend *be) + "--> _usn_add_next_usn\n"); + + /* add next USN to the entry; "be" contains the usn counter */ +- usn_berval.bv_val = slapi_ch_smprintf("%" NSPRIu64, ++ usn_berval.bv_val = slapi_ch_smprintf("%" PRIu64, + slapi_counter_get_value(be->be_usn_counter)); + usn_berval.bv_len = strlen(usn_berval.bv_val); + slapi_entry_attr_find(e, SLAPI_ATTR_ENTRYUSN, &attr); +@@ -360,7 +360,7 @@ _usn_mod_next_usn(LDAPMod ***mods, Slapi_Backend *be) + + /* add next USN to the mods; "be" contains the usn counter */ + usn_berval.bv_val = counter_buf; +- snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRIu64, ++ snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" PRIu64, + slapi_counter_get_value(be->be_usn_counter)); + usn_berval.bv_len = strlen(usn_berval.bv_val); + bvals[0] = 
&usn_berval; +@@ -681,7 +681,7 @@ usn_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, + /* get a next USN counter from be_usn_counter; + * then minus 1 from it (except if be_usn_counter has value 0) */ + if (slapi_counter_get_value(be->be_usn_counter)) { +- snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRIu64, ++ snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" PRIu64, + slapi_counter_get_value(be->be_usn_counter)-1); + } else { + snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "-1"); +@@ -704,7 +704,7 @@ usn_rootdse_search(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, + /* get a next USN counter from be_usn_counter; + * then minus 1 from it (except if be_usn_counter has value 0) */ + if (slapi_counter_get_value(be->be_usn_counter)) { +- snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" NSPRIu64, ++ snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "%" PRIu64, + slapi_counter_get_value(be->be_usn_counter)-1); + } else { + snprintf(usn_berval.bv_val, USN_COUNTER_BUF_LEN, "-1"); +diff --git a/ldap/servers/slapd/abandon.c b/ldap/servers/slapd/abandon.c +index 18ff8ce..0485006 100644 +--- a/ldap/servers/slapd/abandon.c ++++ b/ldap/servers/slapd/abandon.c +@@ -119,19 +119,19 @@ do_abandon( Slapi_PBlock *pb ) + } + + if ( 0 == pagedresults_free_one_msgid_nolock(pb->pb_conn, id) ) { +- slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 ++ slapi_log_access( LDAP_DEBUG_STATS, "conn=%" PRIu64 + " op=%d ABANDON targetop=Simple Paged Results msgid=%d\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, id ); + } else if ( NULL == o ) { +- slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d ABANDON" ++ slapi_log_access( LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d ABANDON" + " targetop=NOTFOUND msgid=%d\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, id ); + } else if ( suppressed_by_plugin ) { +- slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d ABANDON" ++ slapi_log_access( LDAP_DEBUG_STATS, "conn=%" 
PRIu64 " op=%d ABANDON" + " targetop=SUPPRESSED-BY-PLUGIN msgid=%d\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, id ); + } else { +- slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d ABANDON" ++ slapi_log_access( LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d ABANDON" + " targetop=%d msgid=%d nentries=%d etime=%ld\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, o->o_opid, id, + o->o_results.r.r_search.nentries, current_time() - o->o_time ); +diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c +index 1b994a0..9c4001e 100644 +--- a/ldap/servers/slapd/add.c ++++ b/ldap/servers/slapd/add.c +@@ -168,7 +168,7 @@ do_add( Slapi_PBlock *pb ) + if (( rc = slapi_entry_add_values( e, normtype, vals )) + != LDAP_SUCCESS ) { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d ADD dn=\"%s\", add values for type %s failed\n", ++ "conn=%" PRIu64 " op=%d ADD dn=\"%s\", add values for type %s failed\n", + pb->pb_conn->c_connid, operation->o_opid, + slapi_entry_get_dn_const(e), normtype ); + send_ldap_result( pb, rc, NULL, NULL, 0, NULL ); +@@ -460,7 +460,7 @@ static void op_shared_add (Slapi_PBlock *pb) + + if ( !internal_op ) + { +- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d ADD dn=\"%s\"%s\n", ++ slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d ADD dn=\"%s\"%s\n", + pb->pb_conn->c_connid, + operation->o_opid, + slapi_entry_get_dn_const(e), +diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c +index c787dd4..da1b586 100644 +--- a/ldap/servers/slapd/auth.c ++++ b/ldap/servers/slapd/auth.c +@@ -366,7 +366,7 @@ handle_bad_certificate (void* clientData, PRFileDesc *prfd) + char* subject = subject_of (clientCert); + char* issuer = issuer_of (clientCert); + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " " SLAPI_COMPONENT_NAME_NSPR " error %i (%s); unauthenticated client %s; issuer %s\n", ++ "conn=%" PRIu64 " " SLAPI_COMPONENT_NAME_NSPR " error %i (%s); unauthenticated client %s; issuer %s\n", + 
conn->c_connid, errorCode, slapd_pr_strerror(errorCode), + subject ? escape_string( subject, sbuf ) : "NULL", + issuer ? escape_string( issuer, ibuf ) : "NULL" ); +@@ -402,7 +402,7 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) + if ( (slapd_ssl_getChannelInfo (prfd, &channelInfo, sizeof(channelInfo))) != SECSuccess ) { + PRErrorCode errorCode = PR_GetError(); + slapi_log_access (LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " SSL failed to obtain channel info; " ++ "conn=%" PRIu64 " SSL failed to obtain channel info; " + SLAPI_COMPONENT_NAME_NSPR " error %i (%s)\n", + conn->c_connid, errorCode, slapd_pr_strerror(errorCode)); + goto done; +@@ -411,7 +411,7 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) + != SECSuccess) { + PRErrorCode errorCode = PR_GetError(); + slapi_log_access (LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " SSL failed to obtain cipher info; " ++ "conn=%" PRIu64 " SSL failed to obtain cipher info; " + SLAPI_COMPONENT_NAME_NSPR " error %i (%s)\n", + conn->c_connid, errorCode, slapd_pr_strerror(errorCode)); + goto done; +@@ -432,14 +432,14 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) + + if (config_get_SSLclientAuth() == SLAPD_SSLCLIENTAUTH_OFF ) { + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion)); +- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n", ++ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" PRIu64 " %s %i-bit %s\n", + conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL" ); + goto done; + } + if (clientCert == NULL) { + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, sslversion, sizeof(sslversion)); +- slapi_log_access (LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " %s %i-bit %s\n", ++ slapi_log_access (LDAP_DEBUG_STATS, "conn=%" PRIu64 " %s %i-bit %s\n", + conn->c_connid, + sslversion, keySize, cipher ? 
cipher : "NULL" ); + } else { +@@ -448,7 +448,7 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, + sslversion, sizeof(sslversion)); + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " %s %i-bit %s; missing subject\n", ++ "conn=%" PRIu64 " %s %i-bit %s; missing subject\n", + conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL"); + goto done; +@@ -459,7 +459,7 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, + sslversion, sizeof(sslversion)); + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " %s %i-bit %s; client %s; issuer %s\n", ++ "conn=%" PRIu64 " %s %i-bit %s; client %s; issuer %s\n", + conn->c_connid, + sslversion, keySize, cipher ? cipher : "NULL", + subject ? escape_string( subject, sbuf ) : "NULL", +@@ -503,14 +503,14 @@ handle_handshake_done (PRFileDesc *prfd, void* clientData) + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, + sslversion, sizeof(sslversion)); + slapi_log_access (LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " %s client bound as %s\n", ++ "conn=%" PRIu64 " %s client bound as %s\n", + conn->c_connid, + sslversion, clientDN); + } else if (clientCert != NULL) { + (void) slapi_getSSLVersion_str(channelInfo.protocolVersion, + sslversion, sizeof(sslversion)); + slapi_log_access (LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " %s failed to map client " ++ "conn=%" PRIu64 " %s failed to map client " + "certificate to LDAP DN (%s)\n", + conn->c_connid, + sslversion, extraErrorMsg); +diff --git a/ldap/servers/slapd/back-ldbm/back-ldbm.h b/ldap/servers/slapd/back-ldbm/back-ldbm.h +index a5fc540..0bb15e3 100644 +--- a/ldap/servers/slapd/back-ldbm/back-ldbm.h ++++ b/ldap/servers/slapd/back-ldbm/back-ldbm.h +@@ -28,21 +28,8 @@ + #endif + #endif + +-/* Required to get portable printf/scanf format macros */ +-#ifdef HAVE_INTTYPES_H +-#include +- +-/* NSPR uses the print macros a 
bit differently than ANSI C. We +- * need to use ll for a 64-bit integer, even when a long is 64-bit. +- */ +-#undef PRIu64 +-#define PRIu64 "llu" +-#undef PRI64 +-#define PRI64 "ll" +- +-#else +-#error Need to define portable format macros such as PRIu64 +-#endif /* HAVE_INTTYPES_H */ ++/* Provides our int types and platform specific requirements. */ ++#include + + /* A bunch of random system headers taken from all the source files, no source file should #include + any system headers now */ +@@ -162,11 +149,11 @@ typedef unsigned short u_int16_t; + #define DBVERSION_FILENAME "DBVERSION" + /* 0 here means to let the autotuning reset the value on first run */ + /* cache can't get any smaller than this (in bytes) */ +-#define MINCACHESIZE (size_t)512000 +-#define DEFAULT_CACHE_SIZE (size_t)0 ++#define MINCACHESIZE (uint64_t)512000 ++#define DEFAULT_CACHE_SIZE (uint64_t)0 + #define DEFAULT_CACHE_SIZE_STR "0" + #define DEFAULT_CACHE_ENTRIES -1 /* no limit */ +-#define DEFAULT_DNCACHE_SIZE (size_t)16777216 ++#define DEFAULT_DNCACHE_SIZE (uint64_t)16777216 + #define DEFAULT_DNCACHE_SIZE_STR "16777216" + #define DEFAULT_DNCACHE_MAXCOUNT -1 /* no limit */ + #define DEFAULT_DBCACHE_SIZE 33554432 +diff --git a/ldap/servers/slapd/back-ldbm/cache.c b/ldap/servers/slapd/back-ldbm/cache.c +index ade2240..0f0cf3b 100644 +--- a/ldap/servers/slapd/back-ldbm/cache.c ++++ b/ldap/servers/slapd/back-ldbm/cache.c +@@ -649,7 +649,7 @@ void cache_set_max_size(struct cache *cache, size_t bytes, int type) + } + } + +-static void entrycache_set_max_size(struct cache *cache, size_t bytes) ++static void entrycache_set_max_size(struct cache *cache, uint64_t bytes) + { + struct backentry *eflush = NULL; + struct backentry *eflushtemp = NULL; +@@ -659,16 +659,17 @@ static void entrycache_set_max_size(struct cache *cache, size_t bytes) + * to happen. In that case, suppress this warning. 
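Review bot: Removing the `#undef PRIu64` / `#define PRIu64 "llu"` override changes what every `"%" PRIu64` in this tree expands to, and the comment deleted with it says NSPR's formatter needs `ll` for a 64-bit integer even when `long` is 64-bit. The import-threads.c hunk later in this patch passes `"%" PRIu64` to `PR_snprintf` for the USN counter, so if the NSPR in use reads a single `l` as a narrower type, the counter would be formatted incorrectly. I would confirm the behaviour on every supported NSPR version, or format the NSPR call sites with `"%llu"` and an explicit `(unsigned long long)` cast. Either way, a short comment here should record why the override is no longer needed.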
+ */ + if (bytes > 0) { +- slapi_log_err(SLAPI_LOG_WARNING, "entrycache_set_max_size", "Minimum cache size is %lu -- rounding up\n", MINCACHESIZE); ++ slapi_log_err(SLAPI_LOG_WARNING, "entrycache_set_max_size", "Minimum cache size is %"PRIu64" -- rounding up\n", MINCACHESIZE); + } + bytes = MINCACHESIZE; + } + cache_lock(cache); + cache->c_maxsize = bytes; +- LOG("entry cache size set to %lu\n", bytes); ++ LOG("entry cache size set to %"PRIu64"\n", bytes); + /* check for full cache, and clear out if necessary */ +- if (CACHE_FULL(cache)) ++ if (CACHE_FULL(cache)) { + eflush = entrycache_flush(cache); ++ } + while (eflush) + { + eflushtemp = BACK_LRU_NEXT(eflush, struct backentry *); +@@ -686,12 +687,11 @@ static void entrycache_set_max_size(struct cache *cache, size_t bytes) + /* This may already have been called by one of the functions in + * ldbm_instance_config + */ +- if (! util_is_cachesize_sane(&bytes)) { +- slapi_log_err(SLAPI_LOG_WARNING, +- "entrycache_set_max_size", "Possible CONFIGURATION ERROR -- cachesize " +- "(%lu) may be configured to use more than the available " +- "physical memory.\n", bytes); ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ if (util_is_cachesize_sane(mi, &bytes) != UTIL_CACHESIZE_VALID) { ++ slapi_log_err(SLAPI_LOG_WARNING, "entrycache_set_max_size", "Cachesize (%"PRIu64") may use more than the available physical memory.\n", bytes); + } ++ spal_meminfo_destroy(mi); + } + + void cache_set_max_entries(struct cache *cache, long entries) +@@ -1597,7 +1597,7 @@ dn_same_id(const void *bdn, const void *k) + } + + static void +-dncache_set_max_size(struct cache *cache, size_t bytes) ++dncache_set_max_size(struct cache *cache, uint64_t bytes) + { + struct backdn *dnflush = NULL; + struct backdn *dnflushtemp = NULL; +@@ -1609,12 +1609,12 @@ dncache_set_max_size(struct cache *cache, size_t bytes) + if (bytes < MINCACHESIZE) { + bytes = MINCACHESIZE; + slapi_log_err(SLAPI_LOG_WARNING, +- "dncache_set_max_size", "Minimum cache size is %lu 
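Review bot: `spal_meminfo_get()` is used in `entrycache_set_max_size` without a NULL check, while `check_and_set_import_cache` in this same patch treats a NULL return as a failure and returns early. Here the pointer goes straight into `util_is_cachesize_sane(mi, &bytes)` and `spal_meminfo_destroy(mi)`; whether either tolerates NULL is not visible in this patch. I would guard it, e.g. `if (mi != NULL && util_is_cachesize_sane(mi, &bytes) != UTIL_CACHESIZE_VALID) {`, and log once when memory information is unavailable. The same unguarded pattern appears in `dncache_set_max_size`, `dblayer_start` and `import_fifo_validate_capacity_or_expand`.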
-- rounding up\n", ++ "dncache_set_max_size", "Minimum cache size is %"PRIu64" -- rounding up\n", + MINCACHESIZE); + } + cache_lock(cache); + cache->c_maxsize = bytes; +- LOG("entry cache size set to %lu\n", bytes); ++ LOG("entry cache size set to %"PRIu64"\n", bytes); + /* check for full cache, and clear out if necessary */ + if (CACHE_FULL(cache)) { + dnflush = dncache_flush(cache); +@@ -1636,12 +1636,12 @@ dncache_set_max_size(struct cache *cache, size_t bytes) + /* This may already have been called by one of the functions in + * ldbm_instance_config + */ +- if (! util_is_cachesize_sane(&bytes)) { +- slapi_log_err(SLAPI_LOG_WARNING, +- "dncache_set_max_size", "Possible CONFIGURATION ERROR -- cachesize " +- "(%lu) may be configured to use more than the available " +- "physical memory.\n", bytes); ++ ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ if (util_is_cachesize_sane(mi, &bytes) != UTIL_CACHESIZE_VALID) { ++ slapi_log_err(SLAPI_LOG_WARNING, "dncache_set_max_size", "Cachesize (%"PRIu64") may use more than the available physical memory.\n", bytes); + } ++ spal_meminfo_destroy(mi); + } + + /* remove a dn from the cache */ +diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c +index 507a3cc..3c1fbb0 100644 +--- a/ldap/servers/slapd/back-ldbm/dblayer.c ++++ b/ldap/servers/slapd/back-ldbm/dblayer.c +@@ -1386,14 +1386,16 @@ dblayer_start(struct ldbminfo *li, int dbmode) + + /* Sanity check on cache size on platforms which allow us to figure out + * the available phys mem */ +- if (!util_is_cachesize_sane(&(priv->dblayer_cachesize))) { ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ if (!util_is_cachesize_sane(mi, &(priv->dblayer_cachesize))) { + /* Oops---looks like the admin misconfigured, let's warn them */ + slapi_log_err(SLAPI_LOG_WARNING,"dblayer_start", "Likely CONFIGURATION ERROR -" + "dbcachesize is configured to use more than the available " +- "physical memory, decreased to the largest available size (%lu 
bytes).\n", ++ "physical memory, decreased to the largest available size (%"PRIu64" bytes).\n", + priv->dblayer_cachesize); + li->li_dbcachesize = priv->dblayer_cachesize; + } ++ spal_meminfo_destroy(mi); + + /* fill in DB_ENV stuff from the common configuration */ + return_value = dblayer_make_env(&pEnv, li); +@@ -1690,9 +1692,6 @@ dblayer_start(struct ldbminfo *li, int dbmode) + * nsslapd-import-cache-autosize: 0 + * get the nsslapd-import-cachesize. + * Calculate the memory size left after allocating the import cache size. +- * If the size is less than the hard limit, it issues an error and quit. +- * If the size is greater than the hard limit and less than the soft limit, +- * it issues a warning, but continues the import task. + * + * Note: this function is called only if the import is executed as a stand + * alone command line (ldif2db). +@@ -1700,27 +1699,17 @@ dblayer_start(struct ldbminfo *li, int dbmode) + int + check_and_set_import_cache(struct ldbminfo *li) + { +- size_t import_pages = 0; +- size_t pagesize, pages, procpages, availpages; +- size_t soft_limit = 0; +- size_t hard_limit = 0; +- size_t page_delta = 0; ++ uint64_t import_cache = 0; + char s[64]; /* big enough to hold %ld */ ++ /* Get our platform memory values. 
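Review bot: The test `if (!util_is_cachesize_sane(mi, &(priv->dblayer_cachesize)))` still treats the return value as a boolean, but the other callers changed in this patch compare it against `UTIL_CACHESIZE_VALID`, `UTIL_CACHESIZE_REDUCED` and `UTIL_CACHESIZE_ERROR`. The enum's numeric values are not shown here; if `UTIL_CACHESIZE_VALID` is 0, this branch would log the "Likely CONFIGURATION ERROR" warning for a valid size and stay silent when the size was reduced or could not be checked. I would spell the condition out, `if (util_is_cachesize_sane(mi, &(priv->dblayer_cachesize)) != UTIL_CACHESIZE_VALID) {`, and handle `UTIL_CACHESIZE_ERROR` separately from the reduced case. `dblayer_start` begins and ends outside this hunk.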
*/ ++ slapi_pal_meminfo *mi = spal_meminfo_get(); + +- if (util_info_sys_pages(&pagesize, &pages, &procpages, &availpages) != 0 || 0 == pagesize || 0 == pages) { +- slapi_log_err(SLAPI_LOG_ERR, "check_and_set_import_cache", +- "Failed to get pagesize: %ld or pages: %ld\n", +- pagesize, pages); ++ if (mi == NULL) { ++ slapi_log_err(SLAPI_LOG_ERR, "check_and_set_import_cache", "Failed to get system memory infomation\n"); + return ENOENT; + } +- slapi_log_err(SLAPI_LOG_INFO, "check_and_set_import_cache", +- "pagesize: %ld, pages: %ld, procpages: %ld\n", +- pagesize, pages, procpages); ++ slapi_log_err(SLAPI_LOG_INFO, "check_and_set_import_cache", "pagesize: %"PRIu64", available bytes %"PRIu64", process usage %"PRIu64" \n", mi->pagesize_bytes, mi->system_available_bytes, mi->process_consumed_bytes); + +- /* Soft limit: pages equivalent to 1GB (defined in dblayer.h) */ +- soft_limit = (DBLAYER_IMPORTCACHESIZE_SL*1024) / (pagesize/1024); +- /* Hard limit: pages equivalent to 100MB (defined in dblayer.h) */ +- hard_limit = (DBLAYER_IMPORTCACHESIZE_HL*1024) / (pagesize/1024); + /* + * default behavior for ldif2db import cache, + * nsslapd-import-cache-autosize==-1, +@@ -1741,48 +1730,29 @@ check_and_set_import_cache(struct ldbminfo *li) + + if (li->li_import_cache_autosize == 0) { + /* user specified importCache */ +- import_pages = li->li_import_cachesize / pagesize; ++ import_cache = li->li_import_cachesize; + + } else { + /* autosizing importCache */ + /* ./125 instead of ./100 is for adjusting the BDB overhead. */ +-#ifdef LINUX +- /* On linux, availpages is correct so we should use it! 
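Review bot: `s` is declared here as `char s[64]` with a comment that still says `%ld`, and the next hunk of this function (`@@ -1741`) fills it with an unbounded `sprintf(s, "%"PRIu64, import_cache)`. 64 bytes is enough for a 64-bit decimal, but I would bound the write with `snprintf(s, sizeof(s), "%" PRIu64, import_cache);` and update the comment to match. In that same later hunk the failure path returns `ENOMEM` but logs at `SLAPI_LOG_INFO`; `SLAPI_LOG_ERR` would match the `mi == NULL` branch added here and make the aborted import visible in the error log. The new message in this hunk also misspells "information" as "infomation".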
*/ +- import_pages = (li->li_import_cache_autosize * availpages) / 125; +-#else +- import_pages = (li->li_import_cache_autosize * pages) / 125; +-#endif ++ import_cache = (li->li_import_cache_autosize * mi->system_available_bytes) / 125; + } + +- page_delta = pages - import_pages; +- if (page_delta < hard_limit) { +- slapi_log_err(SLAPI_LOG_ERR, +- "check_and_set_import_cache", "After allocating import cache %ldKB, " +- "the available memory is %ldKB, " +- "which is less than the hard limit %ldKB. " +- "Please decrease the import cache size and rerun import.\n", +- import_pages*(pagesize/1024), page_delta*(pagesize/1024), +- hard_limit*(pagesize/1024)); ++ if (util_is_cachesize_sane(mi, &import_cache) == UTIL_CACHESIZE_ERROR) { ++ ++ slapi_log_err(SLAPI_LOG_INFO, "check_and_set_import_cache", "Import failed to run: unable to validate system memory limits.\n"); ++ spal_meminfo_destroy(mi); + return ENOMEM; + } +- if (page_delta < soft_limit) { +- slapi_log_err(SLAPI_LOG_WARNING, +- "check_and_set_import_cache", "After allocating import cache %ldKB, " +- "the available memory is %ldKB, " +- "which is less than the soft limit %ldKB. 
" +- "You may want to decrease the import cache size and " +- "rerun import.\n", +- import_pages*(pagesize/1024), page_delta*(pagesize/1024), +- soft_limit*(pagesize/1024)); +- } + +- slapi_log_err(SLAPI_LOG_INFO, "check_and_set_import_cache", "Import allocates %ldKB import cache.\n", +- import_pages*(pagesize/1024)); +- if (li->li_import_cache_autosize > 0) { /* import cache autosizing */ ++ slapi_log_err(SLAPI_LOG_INFO, "check_and_set_import_cache", "Import allocates %"PRIu64"KB import cache.\n", import_cache / 1024); ++ if (li->li_import_cache_autosize > 0) { ++ /* import cache autosizing */ + /* set the calculated import cache size to the config */ +- sprintf(s, "%lu", (unsigned long)(import_pages * pagesize)); ++ sprintf(s, "%"PRIu64, import_cache); + ldbm_config_internal_set(li, CONFIG_IMPORT_CACHESIZE, s); + } ++ spal_meminfo_destroy(mi); + return 0; + } + +diff --git a/ldap/servers/slapd/back-ldbm/dblayer.h b/ldap/servers/slapd/back-ldbm/dblayer.h +index e4307fc..816c943 100644 +--- a/ldap/servers/slapd/back-ldbm/dblayer.h ++++ b/ldap/servers/slapd/back-ldbm/dblayer.h +@@ -68,14 +68,6 @@ + #define DB_REGION_NAME 25 /* DB: named regions, no backing file. */ + #endif + +-/* Used in check_and_set_import_cache */ +-/* After allocating the import cache, free memory must be left more than +- * the hard limit to run import. 
*/ +-/* If the free memory size left is greater than hard limit and less than +- * soft limit, the import utility issues a warning, but it runs */ +-#define DBLAYER_IMPORTCACHESIZE_HL 100 /* import cache hard limit 100MB */ +-#define DBLAYER_IMPORTCACHESIZE_SL 1024 /* import cache soft limit 1GB */ +- + struct dblayer_private_env { + DB_ENV *dblayer_DB_ENV; + Slapi_RWLock * dblayer_env_lock; +diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c +index 087103b..ab32e0a 100644 +--- a/ldap/servers/slapd/back-ldbm/import-threads.c ++++ b/ldap/servers/slapd/back-ldbm/import-threads.c +@@ -3979,7 +3979,7 @@ _get_import_entryusn(ImportJob *job, Slapi_Value **usn_value) + * Use the counter which stores the old DB's + * next entryusn. */ + PR_snprintf(counter_buf, sizeof(counter_buf), +- "%" NSPRIu64, slapi_counter_get_value(be->be_usn_counter)); ++ "%" PRIu64, slapi_counter_get_value(be->be_usn_counter)); + } else { + /* import_init value is digit. + * Initialize the entryusn values with the digit */ +diff --git a/ldap/servers/slapd/back-ldbm/import.c b/ldap/servers/slapd/back-ldbm/import.c +index d0cef1a..7161bac 100644 +--- a/ldap/servers/slapd/back-ldbm/import.c ++++ b/ldap/servers/slapd/back-ldbm/import.c +@@ -84,17 +84,19 @@ static int import_fifo_init(ImportJob *job) + int import_fifo_validate_capacity_or_expand(ImportJob *job, size_t entrysize) { + int result = 1; + /* We shoot for four times as much to start with. 
*/ +- size_t request = entrysize * 4; +- int sane = 0; ++ uint64_t request = entrysize * 4; ++ util_cachesize_result sane; + + if (entrysize > job->fifo.bsize) { + /* Check the amount of memory on the system */ +- sane = util_is_cachesize_sane(&request); +- if (!sane && entrysize <= request) { ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ sane = util_is_cachesize_sane(mi, &request); ++ spal_meminfo_destroy(mi); ++ if (sane == UTIL_CACHESIZE_REDUCED && entrysize <= request) { + /* Did the amount cachesize set still exceed entrysize? It'll do ... */ + job->fifo.bsize = request; + result = 0; +- } else if (!sane) { ++ } else if (sane != UTIL_CACHESIZE_VALID) { + /* Can't allocate! No!!! */ + result = 1; + } else { +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c +index dfe7a13..d5120d3 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c +@@ -403,8 +403,8 @@ static int ldbm_config_dbcachesize_set(void *arg, void *value, char *errorbuf, i + { + struct ldbminfo *li = (struct ldbminfo *) arg; + int retval = LDAP_SUCCESS; +- size_t val = (size_t)value; +- size_t delta = (size_t)value; ++ uint64_t val = (size_t)value; ++ uint64_t delta = (size_t)value; + + /* There is an error here. 
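Review bot: In `import_fifo_validate_capacity_or_expand`, `uint64_t request = entrysize * 4;` still multiplies in `size_t` and only widens the result, so where `size_t` is 32 bits a large `entrysize` wraps before the sanity check ever sees it. Writing it as `uint64_t request = (uint64_t)entrysize * 4;` keeps the whole calculation in 64 bits. The later `job->fifo.bsize = request;` narrows back to the type of `bsize`, which is not visible here, so that assignment probably wants a range check or a comment saying why it cannot truncate. The function body continues past the end of this hunk.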
We check the new val against our current mem-alloc + * Issue is that we already are using system pages, so while our value *might* +@@ -430,7 +430,13 @@ static int ldbm_config_dbcachesize_set(void *arg, void *value, char *errorbuf, i + val = DBDEFMINSIZ; + } else if (val > li->li_dbcachesize) { + delta = val - li->li_dbcachesize; +- if (!util_is_cachesize_sane(&delta)){ ++ ++ util_cachesize_result sane; ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ sane = util_is_cachesize_sane(mi, &delta); ++ spal_meminfo_destroy(mi); ++ ++ if (sane != UTIL_CACHESIZE_VALID){ + slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: nsslapd-dbcachesize value is too large."); + slapi_log_err(SLAPI_LOG_ERR, "ldbm_config_dbcachesize_set", + "nsslapd-dbcachesize value is too large.\n"); +@@ -1086,7 +1092,7 @@ static int ldbm_config_db_cache_set(void *arg, void *value, char *errorbuf, int + struct ldbminfo *li = (struct ldbminfo *) arg; + int retval = LDAP_SUCCESS; + int val = ((uintptr_t)value); +- size_t delta = 0; ++ uint64_t delta = 0; + + /* There is an error here. 
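Review bot: In `ldbm_config_dbcachesize_set` the result of `spal_meminfo_get()` is passed straight to `util_is_cachesize_sane()` without a NULL check, although `ldbm_back_start_autotune` in this same patch treats a NULL return as a failure. Whether `util_is_cachesize_sane()` tolerates a NULL `mi` is not visible on this page; if it does not, a failed memory query during a configuration change becomes a NULL dereference. I would add `if (mi == NULL)` ahead of the call and take the same rejection path as the "value is too large" case. The same unchecked pattern appears in `ldbm_config_db_cache_set`, `ldbm_config_import_cachesize_set`, `ldbm_instance_config_cachememsize_set`, `ldbm_instance_config_dncachememsize_set` and `import_fifo_validate_capacity_or_expand`; each of those functions starts and ends outside its hunk.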
We check the new val against our current mem-alloc + * Issue is that we already are using system pages, so while our value *might* +@@ -1101,7 +1107,13 @@ static int ldbm_config_db_cache_set(void *arg, void *value, char *errorbuf, int + if (apply) { + if (val > li->li_dblayer_private->dblayer_cache_config) { + delta = val - li->li_dblayer_private->dblayer_cache_config; +- if (!util_is_cachesize_sane(&delta)){ ++ util_cachesize_result sane; ++ ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ sane = util_is_cachesize_sane(mi, &delta); ++ spal_meminfo_destroy(mi); ++ ++ if (sane != UTIL_CACHESIZE_VALID){ + slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: db cachesize value is too large"); + slapi_log_err(SLAPI_LOG_ERR,"ldbm_config_db_cache_set", "db cachesize value is too large.\n"); + return LDAP_UNWILLING_TO_PERFORM; +@@ -1219,7 +1231,7 @@ static int ldbm_config_import_cachesize_set(void *arg, void *value, char *errorb + { + struct ldbminfo *li = (struct ldbminfo *)arg; + size_t val = (size_t)value; +- size_t delta = (size_t)value; ++ uint64_t delta = (size_t)value; + /* There is an error here. We check the new val against our current mem-alloc + * Issue is that we already are using system pages, so while our value *might* + * be valid, we may reject it here due to the current procs page usage. 
+@@ -1232,7 +1244,13 @@ static int ldbm_config_import_cachesize_set(void *arg, void *value, char *errorb + if (apply){ + if (val > li->li_import_cachesize) { + delta = val - li->li_import_cachesize; +- if (!util_is_cachesize_sane(&delta)){ ++ ++ util_cachesize_result sane; ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ sane = util_is_cachesize_sane(mi, &delta); ++ spal_meminfo_destroy(mi); ++ ++ if (sane != UTIL_CACHESIZE_VALID){ + slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: import cachesize value is too large."); + slapi_log_err(SLAPI_LOG_ERR,"ldbm_config_import_cachesize_set", + "Import cachesize value is too large.\n"); +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c +index 92d982e..0b0b37e 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c +@@ -107,7 +107,7 @@ ldbm_back_delete( Slapi_PBlock *pb ) + + if (pb->pb_conn) + { +- slapi_log_err(SLAPI_LOG_TRACE, "ldbm_back_delete", "Enter conn=%" NSPRIu64 " op=%d\n", ++ slapi_log_err(SLAPI_LOG_TRACE, "ldbm_back_delete", "Enter conn=%" PRIu64 " op=%d\n", + pb->pb_conn->c_connid, operation->o_opid); + } + +@@ -1493,7 +1493,7 @@ diskfull_return: + slapi_sdn_done(&parentsdn); + if (pb->pb_conn) + { +- slapi_log_err(SLAPI_LOG_TRACE, "ldbm_back_delete", "leave conn=%" NSPRIu64 " op=%d\n", ++ slapi_log_err(SLAPI_LOG_TRACE, "ldbm_back_delete", "leave conn=%" PRIu64 " op=%d\n", + pb->pb_conn->c_connid, operation->o_opid); + } + +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c +index e03954d..62cdbc3 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c +@@ -92,7 +92,7 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in + ldbm_instance *inst = (ldbm_instance *) arg; + int retval = LDAP_SUCCESS; + size_t val = (size_t) value; 
+- size_t delta = 0; ++ uint64_t delta = 0; + + /* Do whatever we can to make sure the data is ok. */ + /* There is an error here. We check the new val against our current mem-alloc +@@ -108,7 +108,13 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in + if (apply) { + if (val > inst->inst_cache.c_maxsize) { + delta = val - inst->inst_cache.c_maxsize; +- if (!util_is_cachesize_sane(&delta)){ ++ ++ util_cachesize_result sane; ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ sane = util_is_cachesize_sane(mi, &delta); ++ spal_meminfo_destroy(mi); ++ ++ if (sane != UTIL_CACHESIZE_VALID){ + slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: cachememsize value is too large."); + slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "cachememsize value is too large.\n"); + return LDAP_UNWILLING_TO_PERFORM; +@@ -134,7 +140,7 @@ ldbm_instance_config_dncachememsize_set(void *arg, void *value, char *errorbuf, + ldbm_instance *inst = (ldbm_instance *) arg; + int retval = LDAP_SUCCESS; + size_t val = (size_t)value; +- size_t delta = 0; ++ uint64_t delta = 0; + + /* Do whatever we can to make sure the data is ok. */ + /* There is an error here. 
We check the new val against our current mem-alloc +@@ -150,7 +156,13 @@ ldbm_instance_config_dncachememsize_set(void *arg, void *value, char *errorbuf, + if (apply) { + if (val > inst->inst_dncache.c_maxsize) { + delta = val - inst->inst_dncache.c_maxsize; +- if (!util_is_cachesize_sane(&delta)){ ++ ++ util_cachesize_result sane; ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ sane = util_is_cachesize_sane(mi, &delta); ++ spal_meminfo_destroy(mi); ++ ++ if (sane != UTIL_CACHESIZE_VALID){ + slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, + "Error: dncachememsize value is too large."); + slapi_log_err(SLAPI_LOG_ERR,"ldbm_instance_config_dncachememsize_set", +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c +index a78d850..533273b 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c +@@ -142,7 +142,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb ) + + if (pb->pb_conn) + { +- slapi_log_err(SLAPI_LOG_TRACE, "ldbm_back_modrdn", "enter conn=%" NSPRIu64 " op=%d\n", ++ slapi_log_err(SLAPI_LOG_TRACE, "ldbm_back_modrdn", "enter conn=%" PRIu64 " op=%d\n", + pb->pb_conn->c_connid, operation->o_opid); + } + +@@ -1539,7 +1539,7 @@ common_return: + if (pb->pb_conn) + { + slapi_log_err(SLAPI_LOG_TRACE, "ldbm_back_modrdn", +- "leave conn=%" NSPRIu64 " op=%d\n", ++ "leave conn=%" PRIu64 " op=%d\n", + pb->pb_conn->c_connid, operation->o_opid); + } + return retval; +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c +index a6c3b74..cfb0d6b 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c +@@ -407,7 +407,7 @@ ldbm_back_search( Slapi_PBlock *pb ) + slapi_pblock_get(pb, SLAPI_OPERATION_ID, &op_id); + + slapi_log_err(SLAPI_LOG_WARNING, +- "ldbm_back_search", "Sort control ignored for conn=%" NSPRIu64 " op=%d\n", ++ "ldbm_back_search", "Sort control ignored for conn=%" 
PRIu64 " op=%d\n", + conn_id, op_id); + } + } else { +@@ -442,7 +442,7 @@ ldbm_back_search( Slapi_PBlock *pb ) + slapi_pblock_get(pb, SLAPI_OPERATION_ID, &op_id); + + slapi_log_err(SLAPI_LOG_WARNING, +- "ldbm_back_search", "VLV control ignored for conn=%" NSPRIu64 " op=%d\n", ++ "ldbm_back_search", "VLV control ignored for conn=%" PRIu64 " op=%d\n", + conn_id, op_id); + } + +diff --git a/ldap/servers/slapd/back-ldbm/misc.c b/ldap/servers/slapd/back-ldbm/misc.c +index 5268087..7192b3a 100644 +--- a/ldap/servers/slapd/back-ldbm/misc.c ++++ b/ldap/servers/slapd/back-ldbm/misc.c +@@ -54,7 +54,7 @@ void ldbm_log_access_message(Slapi_PBlock *pblock,char *string) + return; + } + operation_id = operation->o_opid; +- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d %s\n", ++ slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d %s\n", + connection_id, operation_id, string); + } + +diff --git a/ldap/servers/slapd/back-ldbm/monitor.c b/ldap/servers/slapd/back-ldbm/monitor.c +index 757792b..c58b069 100644 +--- a/ldap/servers/slapd/back-ldbm/monitor.c ++++ b/ldap/servers/slapd/back-ldbm/monitor.c +@@ -101,9 +101,9 @@ int ldbm_back_monitor_instance_search(Slapi_PBlock *pb, Slapi_Entry *e, + /* fetch cache statistics */ + cache_get_stats(&(inst->inst_dncache), &hits, &tries, + &nentries, &maxentries, &size, &maxsize); +- sprintf(buf, "%" NSPRIu64, hits); ++ sprintf(buf, "%" PRIu64, hits); + MSET("dnCacheHits"); +- sprintf(buf, "%" NSPRIu64, tries); ++ sprintf(buf, "%" PRIu64, tries); + MSET("dnCacheTries"); + sprintf(buf, "%lu", (unsigned long)(100.0*(double)hits / (double)(tries > 0 ? 
tries : 1))); + MSET("dnCacheHitRatio"); +@@ -119,11 +119,11 @@ int ldbm_back_monitor_instance_search(Slapi_PBlock *pb, Slapi_Entry *e, + /* normalized dn cache stats */ + if(ndn_cache_started()){ + ndn_cache_get_stats(&hits, &tries, &size, &maxsize, &count); +- sprintf(buf, "%" NSPRIu64, tries); ++ sprintf(buf, "%" PRIu64, tries); + MSET("normalizedDnCacheTries"); +- sprintf(buf, "%" NSPRIu64, hits); ++ sprintf(buf, "%" PRIu64, hits); + MSET("normalizedDnCacheHits"); +- sprintf(buf, "%" NSPRIu64, (tries - hits)); ++ sprintf(buf, "%" PRIu64, (tries - hits)); + MSET("normalizedDnCacheMisses"); + sprintf(buf, "%lu", (unsigned long)(100.0*(double)hits / (double)(tries > 0 ? tries : 1))); + MSET("normalizedDnCacheHitRatio"); +diff --git a/ldap/servers/slapd/back-ldbm/perfctrs.h b/ldap/servers/slapd/back-ldbm/perfctrs.h +index 57be1d1..64c79e1 100644 +--- a/ldap/servers/slapd/back-ldbm/perfctrs.h ++++ b/ldap/servers/slapd/back-ldbm/perfctrs.h +@@ -11,7 +11,7 @@ + # include + #endif + +-#include ++#include + + /* Structure definition for performance data */ + /* This stuff goes in shared memory, so make sure the packing is consistent */ +diff --git a/ldap/servers/slapd/back-ldbm/start.c b/ldap/servers/slapd/back-ldbm/start.c +index 1ae9858..a207bd8 100644 +--- a/ldap/servers/slapd/back-ldbm/start.c ++++ b/ldap/servers/slapd/back-ldbm/start.c +@@ -32,34 +32,25 @@ ldbm_back_start_autotune(struct ldbminfo *li) { + Object *inst_obj = NULL; + ldbm_instance *inst = NULL; + /* size_t is a platform unsigned int, IE uint64_t */ +- size_t total_cache_size = 0; +- size_t pagesize = 0; +- size_t pages = 0; +- size_t procpages __attribute__((unused)) = 0; +- size_t availpages = 0; +- size_t cache_size_to_configure = 0; +- size_t zone_pages = 0; +- size_t db_pages = 0; +- size_t entry_pages = 0; +- size_t import_pages = 0; +- size_t zone_size = 0; +- size_t import_size = 0; +- size_t cache_size = 0; +- size_t db_size = 0; ++ uint64_t total_cache_size = 0; ++ uint64_t entry_size = 0; 
++ uint64_t zone_size = 0; ++ uint64_t import_size = 0; ++ uint64_t cache_size = 0; ++ uint64_t db_size = 0; + /* For clamping the autotune value to a 64Mb boundary */ +- size_t clamp_pages = 0; +- size_t clamp_div = 0; +- size_t clamp_mod = 0; ++ uint64_t clamp_div = 0; + /* Backend count */ +- size_t backend_count = 0; ++ uint64_t backend_count = 0; + + int_fast32_t autosize_percentage = 0; + int_fast32_t autosize_db_percentage_split = 0; + int_fast32_t import_percentage = 0; +- int32_t issane = 0; ++ util_cachesize_result issane; + char *msg = ""; /* This will be set by one of the two cache sizing paths below. */ + char size_to_str[32]; /* big enough to hold %ld */ + ++ + /* == Begin autotune == */ + + /* +@@ -120,42 +111,34 @@ ldbm_back_start_autotune(struct ldbminfo *li) { + return SLAPI_FAIL_GENERAL; + } + +- if (util_info_sys_pages(&pagesize, &pages, &procpages, &availpages) != 0) { ++ /* Get our platform memory values. */ ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ if (mi == NULL) { + slapi_log_err(SLAPI_LOG_CRIT, "ldbm_back_start", "Unable to determine system page limits\n"); + return SLAPI_FAIL_GENERAL; + } + +- if (pagesize == 0) { +- /* If this happens, we are in a very bad state indeed... */ +- slapi_log_err(SLAPI_LOG_CRIT, "ldbm_back_start", "Unable to determine system page size\n"); +- return SLAPI_FAIL_GENERAL; +- } +- + /* calculate the needed values */ +- zone_pages = (autosize_percentage * pages) / 100; +- zone_size = zone_pages * pagesize; ++ zone_size = (autosize_percentage * mi->system_total_bytes) / 100; + /* This is how much we "might" use, lets check it's sane. */ + /* In the case it is not, this will *reduce* the allocation */ +- issane = util_is_cachesize_sane(&zone_size); +- if (!issane) { ++ issane = util_is_cachesize_sane(mi, &zone_size); ++ if (issane == UTIL_CACHESIZE_REDUCED) { + slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "Your autosized cache values have been reduced. 
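Review bot: Two comments in the declaration block of `ldbm_back_start_autotune` no longer match the code. `/* size_t is a platform unsigned int, IE uint64_t */` now sits above variables that are declared `uint64_t` outright, and `/* big enough to hold %ld */` on `size_to_str[32]` describes a buffer that the later hunks fill with `PRIu64`. I would replace them with `/* all sizes are byte counts held as uint64_t */` and `/* holds a uint64_t in decimal (at most 20 digits) plus NUL */`. The function continues outside this hunk.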
Likely your nsslapd-cache-autosize percentage is too high.\n"); + slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "%s", msg); + } + /* It's valid, lets divide it up and set according to user prefs */ +- zone_pages = zone_size / pagesize; +- db_pages = (autosize_db_percentage_split * zone_pages) / 100; ++ db_size = (autosize_db_percentage_split * zone_size) / 100; + + /* Cap the DB size at 512MB, as this doesn't help perf much more (lkrispen's advice) */ +- if ((db_pages * pagesize) > (512 * MEGABYTE)) { +- db_pages = (512 * MEGABYTE) / pagesize; ++ if (db_size > (512 * MEGABYTE)) { ++ db_size = (512 * MEGABYTE); + } + + if (backend_count > 0 ) { + /* Number of entry cache pages per backend. */ +- entry_pages = (zone_pages - db_pages) / backend_count; ++ entry_size = (zone_size - db_size) / backend_count; + /* Now, clamp this value to a 64mb boundary. */ +- /* How many pages are in 64mb? */ +- clamp_pages = (64 * MEGABYTE) / pagesize; + /* Now divide the entry pages by this, and also mod. If mod != 0, we need + * to add 1 to the diveded number. This should give us: + * 510 * 1024 * 1024 == 510MB +@@ -166,17 +149,15 @@ ldbm_back_start_autotune(struct ldbminfo *li) { + * 130560 % 16384 = 15872 which is != 0 + * therfore 7 + 1, aka 8 * 16384 = 131072 pages = 536870912 bytes = 512MB. + */ +- clamp_div = entry_pages / clamp_pages; +- clamp_mod = entry_pages % clamp_pages; +- if (clamp_mod != 0) { +- /* If we want to clamp down, remove this line. This would change the above from 510mb -> 448mb. */ +- clamp_div += 1; +- entry_pages = clamp_div * clamp_pages; ++ if (entry_size % (64 * MEGABYTE) != 0) { ++ /* If we want to clamp down, remove the "+1". This would change the above from 510mb -> 448mb. 
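Review bot: After `issane = util_is_cachesize_sane(mi, &zone_size);` only `UTIL_CACHESIZE_REDUCED` is handled, so a `UTIL_CACHESIZE_ERROR` result falls through to the "It's valid" path and the cache split is computed from an unvalidated `zone_size`. The old `if (!issane)` at least logged every non-sane result. `check_and_set_import_cache` in this patch treats the error value as fatal, so I would add `else if (issane == UTIL_CACHESIZE_ERROR) { spal_meminfo_destroy(mi); return SLAPI_FAIL_GENERAL; }` here. The `import_size` check in the later `@@ -244,37 +224,36 @@` hunk has the same gap, and the function starts and ends outside this hunk.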
*/ ++ clamp_div = (entry_size / (64 * MEGABYTE)) + 1; ++ entry_size = clamp_div * (64 * MEGABYTE); + } + } + +- slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "found %luk physical memory\n", pages*(pagesize/1024)); +- slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "found %luk avaliable\n", zone_pages*(pagesize/1024)); ++ slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "found %luk physical memory\n", mi->system_total_bytes / 1024); ++ slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "found %luk avaliable\n", mi->system_available_bytes / 1024); + + /* We've now calculated the autotuning values. Do we need to apply it? + * we use the logic of "if size is 0, or autosize is > 0. This way three +@@ -191,13 +172,12 @@ ldbm_back_start_autotune(struct ldbminfo *li) { + + /* First, check the dbcache */ + if (li->li_dbcachesize == 0 || li->li_cache_autosize > 0) { +- slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "cache autosizing: db cache: %luk\n", db_pages*(pagesize/1024)); +- cache_size_to_configure = (unsigned long)(db_pages * pagesize); +- if (cache_size_to_configure < (500 * MEGABYTE)) { +- cache_size_to_configure = (unsigned long)((db_pages * pagesize) / 1.25); ++ slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "cache autosizing: db cache: %luk\n", db_size / 1024); ++ if (db_size < (500 * MEGABYTE)) { ++ db_size = db_size / 1.25; + } + /* Have to set this value through text. 
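Review bot: The two `found %luk ...` log calls at the end of this hunk still use `%lu`, although their arguments now come from `mi->system_total_bytes` and `mi->system_available_bytes`, which the rest of the patch formats with `PRIu64`. Where `unsigned long` is 32 bits that is a mismatched variadic argument. They should read `"found %" PRIu64 "k physical memory\n"` and `"found %" PRIu64 "k avaliable\n"`. The `db cache: %luk` message in the next hunk and the `entry cache (%lu total): %luk` message in the `@@ -220,7 +200,7 @@` hunk pass `uint64_t` values to `%lu` in the same way. The function starts and ends outside this hunk.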
*/ +- sprintf(size_to_str, "%lu", cache_size_to_configure); ++ sprintf(size_to_str, "%" PRIu64 , db_size); + ldbm_config_internal_set(li, CONFIG_DBCACHESIZE, size_to_str); + } + total_cache_size += li->li_dbcachesize; +@@ -205,7 +185,7 @@ ldbm_back_start_autotune(struct ldbminfo *li) { + /* For each backend */ + /* apply the appropriate cache size if 0 */ + if (backend_count > 0 ) { +- li->li_cache_autosize_ec = (unsigned long)entry_pages * pagesize; ++ li->li_cache_autosize_ec = entry_size; + } + + for (inst_obj = objset_first_obj(li->li_instance_set); inst_obj; +@@ -220,7 +200,7 @@ ldbm_back_start_autotune(struct ldbminfo *li) { + * it's highly unlikely. + */ + if (cache_size == 0 || cache_size == MINCACHESIZE || li->li_cache_autosize > 0) { +- slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "cache autosizing: %s entry cache (%lu total): %luk\n", inst->inst_name, backend_count, entry_pages*(pagesize/1024)); ++ slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "cache autosizing: %s entry cache (%lu total): %luk\n", inst->inst_name, backend_count, entry_size / 1024); + cache_set_max_entries(&(inst->inst_cache), -1); + cache_set_max_size(&(inst->inst_cache), li->li_cache_autosize_ec, CACHE_TYPE_ENTRY); + } +@@ -229,8 +209,8 @@ ldbm_back_start_autotune(struct ldbminfo *li) { + db_size = dblayer_get_id2entry_size(inst); + if (cache_size < db_size) { + slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", +- "%s: entry cache size %lu B is " +- "less than db size %lu B; " ++ "%s: entry cache size %"PRIu64" B is " ++ "less than db size %"PRIu64" B; " + "We recommend to increase the entry cache size " + "nsslapd-cachememsize.\n", + inst->inst_name, cache_size, db_size); +@@ -244,37 +224,36 @@ ldbm_back_start_autotune(struct ldbminfo *li) { + /* autosizing importCache */ + if (li->li_import_cache_autosize > 0) { + /* Use import percentage here, as it's been corrected for -1 behaviour */ +- import_pages = (import_percentage * pages) / 100; +- import_size = import_pages * 
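Review bot: `db_size = db_size / 1.25;` converts a `uint64_t` byte count to `double` and back, and it runs after the `cache autosizing: db cache` message, so the size written to `CONFIG_DBCACHESIZE` is not the size that was just logged. Integer arithmetic gives the same scaling without the conversions: `db_size = (db_size * 4) / 5;`, placed before the log call so the message reports the value that is actually configured. The function starts and ends outside this hunk.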
pagesize; +- issane = util_is_cachesize_sane(&import_size); +- if (!issane) { ++ import_size = (import_percentage * mi->system_total_bytes) / 100; ++ issane = util_is_cachesize_sane(mi, &import_size); ++ if (issane == UTIL_CACHESIZE_REDUCED) { + slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "Your autosized import cache values have been reduced. Likely your nsslapd-import-cache-autosize percentage is too high.\n"); + } + /* We just accept the reduced allocation here. */ +- import_pages = import_size / pagesize; +- slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "cache autosizing: import cache: %luk\n", +- import_pages*(pagesize/1024)); ++ slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "cache autosizing: import cache: %"PRIu64"k\n", import_size / 1024); + +- sprintf(size_to_str, "%lu", (unsigned long)(import_pages * pagesize)); ++ sprintf(size_to_str, "%"PRIu64, import_size); + ldbm_config_internal_set(li, CONFIG_IMPORT_CACHESIZE, size_to_str); + } + + /* Finally, lets check that the total result is sane. */ +- slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "total cache size: %lu B; \n", total_cache_size); ++ slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "total cache size: %"PRIu64" B; \n", total_cache_size); + +- issane = util_is_cachesize_sane(&total_cache_size); +- if (!issane) { ++ issane = util_is_cachesize_sane(mi, &total_cache_size); ++ if (issane != UTIL_CACHESIZE_VALID) { + /* Right, it's time to panic */ + slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "It is highly likely your memory configuration of all backends will EXCEED your systems memory.\n"); + slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "In a future release this WILL prevent server start up. 
You MUST alter your configuration.\n"); +- slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "Total entry cache size: %lu B; dbcache size: %lu B; available memory size: %lu B; \n", +- (PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, availpages * pagesize ++ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "Total entry cache size: %"PRIu64" B; dbcache size: %"PRIu64" B; available memory size: %"PRIu64" B; \n", ++ total_cache_size, (uint64_t)li->li_dbcachesize, mi->system_available_bytes + ); + slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_start", "%s\n", msg); + /* WB 2016 - This should be UNCOMMENTED in a future release */ + /* return SLAPI_FAIL_GENERAL; */ + } + ++ spal_meminfo_destroy(mi); ++ + /* == End autotune == */ + return 0; + } +diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c +index f83df7d..648a0f9 100644 +--- a/ldap/servers/slapd/bind.c ++++ b/ldap/servers/slapd/bind.c +@@ -853,25 +853,25 @@ log_bind_access ( + { + if (method == LDAP_AUTH_SASL && saslmech && msg) { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d BIND dn=\"%s\" " ++ "conn=%" PRIu64 " op=%d BIND dn=\"%s\" " + "method=sasl version=%d mech=%s, %s\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, dn, + version, saslmech, msg ); + } else if (method == LDAP_AUTH_SASL && saslmech) { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d BIND dn=\"%s\" " ++ "conn=%" PRIu64 " op=%d BIND dn=\"%s\" " + "method=sasl version=%d mech=%s\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, dn, + version, saslmech ); + } else if (msg) { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d BIND dn=\"%s\" " ++ "conn=%" PRIu64 " op=%d BIND dn=\"%s\" " + "method=%" BERTAG_T " version=%d, %s\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, dn, + method, version, msg ); + } else { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d BIND dn=\"%s\" " ++ "conn=%" PRIu64 " op=%d BIND dn=\"%s\" " + "method=%" BERTAG_T " 
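Review bot: `spal_meminfo_destroy(mi);` is reached only on the path that falls through to `return 0;`, so enabling the commented-out `return SLAPI_FAIL_GENERAL;` that the "WB 2016" note asks for would return without releasing `mi`. I would extend that note to `/* WB 2016 - when this is uncommented, call spal_meminfo_destroy(mi) before returning */`. Any returns between the `spal_meminfo_get()` call and this point that lie outside the visible hunks should be checked for the same leak. The function starts outside this hunk.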
version=%d\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, dn, + method, version ); +diff --git a/ldap/servers/slapd/compare.c b/ldap/servers/slapd/compare.c +index 07ded98..3c03053 100644 +--- a/ldap/servers/slapd/compare.c ++++ b/ldap/servers/slapd/compare.c +@@ -111,7 +111,7 @@ do_compare( Slapi_PBlock *pb ) + rawdn, ava.ava_type, 0 ); + + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d CMP dn=\"%s\" attr=\"%s\"\n", ++ "conn=%" PRIu64 " op=%d CMP dn=\"%s\" attr=\"%s\"\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, dn, ava.ava_type ); + + /* +diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c +index 7c83c66..359b59a 100644 +--- a/ldap/servers/slapd/connection.c ++++ b/ldap/servers/slapd/connection.c +@@ -411,7 +411,7 @@ connection_reset(Connection* conn, int ns, PRNetAddr * from, int fromLen, int is + + /* log useful stuff to our access log */ + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " fd=%d slot=%d %sconnection from %s to %s\n", ++ "conn=%" PRIu64 " fd=%d slot=%d %sconnection from %s to %s\n", + conn->c_connid, conn->c_sd, ns, pTmp, str_ip, str_destip ); + + /* initialize the remaining connection fields */ +@@ -511,7 +511,7 @@ connection_need_new_password(const Connection *conn, const Operation *op, Slapi_ + op->o_tag != LDAP_REQ_ABANDON && op->o_tag != LDAP_REQ_EXTENDED) + { + slapi_add_pwd_control ( pb, LDAP_CONTROL_PWEXPIRED, 0); +- slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d %s\n", ++ slapi_log_access( LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d %s\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, + "UNPROCESSED OPERATION - need new password" ); + send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, +@@ -562,7 +562,7 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb) + (op->o_tag != LDAP_REQ_EXTENDED) && (op->o_tag != LDAP_REQ_UNBIND) && + (op->o_tag != LDAP_REQ_ABANDON)) { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d UNPROCESSED 
OPERATION" ++ "conn=%" PRIu64 " op=%d UNPROCESSED OPERATION" + " - Insufficient SSF (local_ssf=%d sasl_ssf=%d ssl_ssf=%d)\n", + conn->c_connid, op->o_opid, conn->c_local_ssf, + conn->c_sasl_ssf, conn->c_ssl_ssf ); +@@ -591,7 +591,7 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb) + (op->o_tag != LDAP_REQ_ABANDON) && (op->o_tag != LDAP_REQ_SEARCH)))) + { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d UNPROCESSED OPERATION" ++ "conn=%" PRIu64 " op=%d UNPROCESSED OPERATION" + " - Anonymous access not allowed\n", + conn->c_connid, op->o_opid ); + +@@ -650,7 +650,7 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb) + int ret = setsockopt(conn->c_sd,IPPROTO_TCP,TCP_CORK,&i,sizeof(i)); + if (ret < 0) { + slapi_log_err(SLAPI_LOG_ERR, "connection_dispatch_operation", +- "Failed to set TCP_CORK on connection %" NSPRIu64 "\n",conn->c_connid); ++ "Failed to set TCP_CORK on connection %" PRIu64 "\n",conn->c_connid); + } + pop_cork = 1; + } +@@ -664,7 +664,7 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb) + int ret = setsockopt(conn->c_sd,IPPROTO_TCP,TCP_CORK,&i,sizeof(i)); + if (ret < 0) { + slapi_log_err(SLAPI_LOG_ERR, "connection_dispatch_operation", +- "Failed to clear TCP_CORK on connection %" NSPRIu64 "\n",conn->c_connid); ++ "Failed to clear TCP_CORK on connection %" PRIu64 "\n",conn->c_connid); + } + } + #endif +@@ -690,7 +690,7 @@ connection_dispatch_operation(Connection *conn, Operation *op, Slapi_PBlock *pb) + + default: + slapi_log_err(SLAPI_LOG_ERR, +- "connection_dispatch_operation", "Ignoring unknown LDAP request (conn=%" NSPRIu64 ", tag=0x%lx)\n", ++ "connection_dispatch_operation", "Ignoring unknown LDAP request (conn=%" PRIu64 ", tag=0x%lx)\n", + conn->c_connid, op->o_tag); + break; + } +@@ -702,7 +702,7 @@ int connection_release_nolock_ext (Connection *conn, int release_only) + if (conn->c_refcnt <= 0) + { + slapi_log_err(SLAPI_LOG_ERR, 
"connection_release_nolock_ext", +- "conn=%" NSPRIu64 " fd=%d Attempt to release connection that is not acquired\n", ++ "conn=%" PRIu64 " fd=%d Attempt to release connection that is not acquired\n", + conn->c_connid, conn->c_sd); + PR_ASSERT (PR_FALSE); + return -1; +@@ -734,7 +734,7 @@ int connection_acquire_nolock_ext (Connection *conn, int allow_when_closing) + { + /* This may happen while other threads are still working on this connection */ + slapi_log_err(SLAPI_LOG_ERR, "connection_acquire_nolock_ext", +- "conn=%" NSPRIu64 " fd=%d Attempt to acquire connection in the closing state\n", ++ "conn=%" PRIu64 " fd=%d Attempt to acquire connection in the closing state\n", + conn->c_connid, conn->c_sd); + return -1; + } +@@ -1070,7 +1070,7 @@ get_next_from_buffer( void *buffer, size_t buffer_size, ber_len_t *lenp, + syserr = errno; + /* Bad stuff happened, like the client sent us some junk */ + slapi_log_err(SLAPI_LOG_CONNS, "get_next_from_buffer", +- "ber_get_next failed for connection %" NSPRIu64 "\n", conn->c_connid); ++ "ber_get_next failed for connection %" PRIu64 "\n", conn->c_connid); + /* reset private buffer */ + conn->c_private->c_buffer_bytes = conn->c_private->c_buffer_offset = 0; + +@@ -1232,7 +1232,7 @@ int connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, i + /* Otherwise we loop, unless we exceeded the ioblock timeout */ + if (waits_done > ioblocktimeout_waits) { + slapi_log_err(SLAPI_LOG_CONNS,"connection_read_operation", +- "ioblocktimeout expired on connection %" NSPRIu64 "\n", conn->c_connid); ++ "ioblocktimeout expired on connection %" PRIu64 "\n", conn->c_connid); + disconnect_server_nomutex( conn, conn->c_connid, -1, + SLAPD_DISCONNECT_IO_TIMEOUT, 0 ); + ret = CONN_DONE; +@@ -1253,19 +1253,19 @@ int connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, i + err = PR_GetError(); + syserr = PR_GetOSError(); + slapi_log_err(SLAPI_LOG_ERR, "connection_read_operation", +- "PR_Poll for connection %" 
NSPRIu64 " returns %d (%s)\n", conn->c_connid, err, slapd_pr_strerror( err ) ); ++ "PR_Poll for connection %" PRIu64 " returns %d (%s)\n", conn->c_connid, err, slapd_pr_strerror( err ) ); + /* If this happens we should close the connection */ + disconnect_server_nomutex( conn, conn->c_connid, -1, err, syserr ); + ret = CONN_DONE; + goto done; + } + slapi_log_err(SLAPI_LOG_CONNS, +- "connection_read_operation", "connection %" NSPRIu64 " waited %d times for read to be ready\n", conn->c_connid, waits_done); ++ "connection_read_operation", "connection %" PRIu64 " waited %d times for read to be ready\n", conn->c_connid, waits_done); + } else { + /* Some other error, typically meaning bad stuff */ + syserr = PR_GetOSError(); + slapi_log_err(SLAPI_LOG_CONNS, "connection_read_operation", +- "PR_Recv for connection %" NSPRIu64 " returns %d (%s)\n", conn->c_connid, err, slapd_pr_strerror( err ) ); ++ "PR_Recv for connection %" PRIu64 " returns %d (%s)\n", conn->c_connid, err, slapd_pr_strerror( err ) ); + /* If this happens we should close the connection */ + disconnect_server_nomutex( conn, conn->c_connid, -1, err, syserr ); + ret = CONN_DONE; +@@ -1286,7 +1286,7 @@ int connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, i + } + } + slapi_log_err(SLAPI_LOG_CONNS, +- "connection_read_operation", "connection %" NSPRIu64 " read %d bytes\n", conn->c_connid, ret); ++ "connection_read_operation", "connection %" PRIu64 " read %d bytes\n", conn->c_connid, ret); + + new_operation = 0; + ret = CONN_FOUND_WORK_TO_DO; +@@ -1307,7 +1307,7 @@ int connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, i + * We received a non-LDAP message. Log and close connection. 
+ */ + slapi_log_err(SLAPI_LOG_ERR, +- "connection_read_operation", "conn=%" NSPRIu64 " received a non-LDAP message (tag 0x%lx, expected 0x%lx)\n", ++ "connection_read_operation", "conn=%" PRIu64 " received a non-LDAP message (tag 0x%lx, expected 0x%lx)\n", + conn->c_connid, *tag, LDAP_TAG_MESSAGE ); + disconnect_server_nomutex( conn, conn->c_connid, -1, + SLAPD_DISCONNECT_BAD_BER_TAG, EPROTO ); +@@ -1319,7 +1319,7 @@ int connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, i + != LDAP_TAG_MSGID ) { + /* log, close and send error */ + slapi_log_err(SLAPI_LOG_ERR, +- "connection_read_operation", "conn=%" NSPRIu64 " unable to read tag for incoming request\n", conn->c_connid); ++ "connection_read_operation", "conn=%" PRIu64 " unable to read tag for incoming request\n", conn->c_connid); + disconnect_server_nomutex( conn, conn->c_connid, -1, SLAPD_DISCONNECT_BAD_BER_TAG, EPROTO ); + ret = CONN_DONE; + goto done; +@@ -1337,7 +1337,7 @@ int connection_read_operation(Connection *conn, Operation *op, ber_tag_t *tag, i + case LDAP_TAG_LDAPDN: /* optional username, for CLDAP */ + /* log, close and send error */ + slapi_log_err(SLAPI_LOG_ERR, +- "connection_read_operation", "conn=%" NSPRIu64 " ber_peek_tag returns 0x%lx\n", conn->c_connid, *tag); ++ "connection_read_operation", "conn=%" PRIu64 " ber_peek_tag returns 0x%lx\n", conn->c_connid, *tag); + disconnect_server_nomutex( conn, conn->c_connid, -1, SLAPD_DISCONNECT_BER_PEEK, EPROTO ); + ret = CONN_DONE; + goto done; +@@ -1361,7 +1361,7 @@ void connection_make_readable(Connection *conn) + void connection_make_readable_nolock(Connection *conn) + { + conn->c_gettingber = 0; +- slapi_log_err(SLAPI_LOG_CONNS, "connection_make_readable_nolock", "making readable conn %" NSPRIu64 " fd=%d\n", ++ slapi_log_err(SLAPI_LOG_CONNS, "connection_make_readable_nolock", "making readable conn %" PRIu64 " fd=%d\n", + conn->c_connid, conn->c_sd); + if (!(conn->c_flags & CONN_FLAG_CLOSING)) { + /* if the connection is 
closing, try the close in connection_release_nolock */ +@@ -1388,7 +1388,7 @@ void connection_check_activity_level(Connection *conn) + /* update the last checked time */ + conn->c_private->previous_count_check_time = current_time(); + PR_ExitMonitor(conn->c_mutex); +- slapi_log_err(SLAPI_LOG_CONNS,"connection_check_activity_level", "conn %" NSPRIu64 " activity level = %d\n",conn->c_connid,delta_count); ++ slapi_log_err(SLAPI_LOG_CONNS,"connection_check_activity_level", "conn %" PRIu64 " activity level = %d\n",conn->c_connid,delta_count); + } + + typedef struct table_iterate_info_struct { +@@ -1450,7 +1450,7 @@ void connection_enter_leave_turbo(Connection *conn, int current_turbo_flag, int + double activet = 0.0; + connection_find_our_rank(conn,&connection_count, &our_rank); + slapi_log_err(SLAPI_LOG_CONNS,"connection_enter_leave_turbo", +- "conn %" NSPRIu64 " turbo rank = %d out of %d conns\n",conn->c_connid,our_rank,connection_count); ++ "conn %" PRIu64 " turbo rank = %d out of %d conns\n",conn->c_connid,our_rank,connection_count); + activet = (double)g_get_active_threadcnt(); + threshold_rank = (int)(activet * ((double)CONN_TURBO_PERCENTILE / 100.0)); + +@@ -1491,9 +1491,9 @@ void connection_enter_leave_turbo(Connection *conn, int current_turbo_flag, int + PR_ExitMonitor(conn->c_mutex); + if (current_mode != new_mode) { + if (current_mode) { +- slapi_log_err(SLAPI_LOG_CONNS,"connection_enter_leave_turbo", "conn %" NSPRIu64 " leaving turbo mode\n",conn->c_connid); ++ slapi_log_err(SLAPI_LOG_CONNS,"connection_enter_leave_turbo", "conn %" PRIu64 " leaving turbo mode\n",conn->c_connid); + } else { +- slapi_log_err(SLAPI_LOG_CONNS,"connection_enter_leave_turbo", "conn %" NSPRIu64 " entering turbo mode\n",conn->c_connid); ++ slapi_log_err(SLAPI_LOG_CONNS,"connection_enter_leave_turbo", "conn %" PRIu64 " entering turbo mode\n",conn->c_connid); + } + } + *new_turbo_flag = new_mode; +@@ -1617,12 +1617,12 @@ connection_threadmain() + ret = connection_read_operation(conn, 
op, &tag, &more_data); + if ((ret == CONN_DONE) || (ret == CONN_TIMEDOUT)) { + slapi_log_err(SLAPI_LOG_CONNS, "connection_threadmain", +- "conn %" NSPRIu64 " read not ready due to %d - thread_turbo_flag %d more_data %d " ++ "conn %" PRIu64 " read not ready due to %d - thread_turbo_flag %d more_data %d " + "ops_initiated %d refcnt %d flags %d\n", conn->c_connid, ret, thread_turbo_flag, more_data, + conn->c_opsinitiated, conn->c_refcnt, conn->c_flags); + } else if (ret == CONN_FOUND_WORK_TO_DO) { + slapi_log_err(SLAPI_LOG_CONNS, "connection_threadmain", +- "conn %" NSPRIu64 " read operation successfully - thread_turbo_flag %d more_data %d " ++ "conn %" PRIu64 " read operation successfully - thread_turbo_flag %d more_data %d " + "ops_initiated %d refcnt %d flags %d\n", conn->c_connid, thread_turbo_flag, more_data, + conn->c_opsinitiated, conn->c_refcnt, conn->c_flags); + } +@@ -1648,7 +1648,7 @@ connection_threadmain() + if (thread_turbo_flag && !WORK_Q_EMPTY) { + thread_turbo_flag = 0; + slapi_log_err(SLAPI_LOG_CONNS,"connection_threadmain", +- "conn %" NSPRIu64 " leaving turbo mode - pb_q is not empty %d\n", ++ "conn %" PRIu64 " leaving turbo mode - pb_q is not empty %d\n", + conn->c_connid,work_q_size); + } + #endif +@@ -1675,7 +1675,7 @@ connection_threadmain() + * connection_make_readable(conn); + */ + slapi_log_err(SLAPI_LOG_CONNS,"connection_threadmain", +- "conn %" NSPRIu64 " leaving turbo mode due to %d\n", ++ "conn %" PRIu64 " leaving turbo mode due to %d\n", + conn->c_connid,ret); + goto done; + case CONN_SHUTDOWN: +@@ -1732,7 +1732,7 @@ connection_threadmain() + */ + conn->c_idlesince = curtime; + connection_activity(conn, maxthreads); +- slapi_log_err(SLAPI_LOG_CONNS,"connection_threadmain", "conn %" NSPRIu64 " queued because more_data\n", ++ slapi_log_err(SLAPI_LOG_CONNS,"connection_threadmain", "conn %" PRIu64 " queued because more_data\n", + conn->c_connid); + } else { + /* keep count of how many times maxthreads has blocked an operation */ +@@ -1814,7 
+1814,7 @@ done: + /* If we're in turbo mode, we keep our reference to the connection alive */ + /* can't use the more_data var because connection could have changed in another thread */ + more_data = conn_buffered_data_avail_nolock(conn, &conn_closed) ? 1 : 0; +- slapi_log_err(SLAPI_LOG_CONNS,"connection_threadmain", "conn %" NSPRIu64 " check more_data %d thread_turbo_flag %d\n", ++ slapi_log_err(SLAPI_LOG_CONNS,"connection_threadmain", "conn %" PRIu64 " check more_data %d thread_turbo_flag %d\n", + conn->c_connid,more_data,thread_turbo_flag); + if (!more_data) { + if (!thread_turbo_flag) { +@@ -1863,7 +1863,7 @@ connection_activity(Connection *conn, int maxthreads) + + if (connection_acquire_nolock (conn) == -1) { + slapi_log_err(SLAPI_LOG_CONNS, +- "connection_activity", "Could not acquire lock in connection_activity as conn %" NSPRIu64 " closing fd=%d\n", ++ "connection_activity", "Could not acquire lock in connection_activity as conn %" PRIu64 " closing fd=%d\n", + conn->c_connid,conn->c_sd); + /* XXX how to handle this error? */ + /* MAB: 25 Jan 01: let's return on error and pray this won't leak */ +@@ -2046,7 +2046,7 @@ connection_remove_operation( Connection *conn, Operation *op ) + + if ( *tmp == NULL ) + { +- slapi_log_err(SLAPI_LOG_ERR, "connection_remove_operation", "Can't find op %d for conn %" NSPRIu64 "\n", ++ slapi_log_err(SLAPI_LOG_ERR, "connection_remove_operation", "Can't find op %d for conn %" PRIu64 "\n", + (int)op->o_msgid, conn->c_connid); + } + else +@@ -2187,13 +2187,13 @@ log_ber_too_big_error(const Connection *conn, ber_len_t ber_len, + } + if (0 == ber_len) { + slapi_log_err(SLAPI_LOG_ERR, "log_ber_too_big_error", +- "conn=%" NSPRIu64 " fd=%d Incoming BER Element was too long, max allowable" ++ "conn=%" PRIu64 " fd=%d Incoming BER Element was too long, max allowable" + " is %" BERLEN_T " bytes. 
Change the nsslapd-maxbersize attribute in" + " cn=config to increase.\n", + conn->c_connid, conn->c_sd, maxbersize ); + } else { + slapi_log_err(SLAPI_LOG_ERR, "log_ber_too_big_error", +- "conn=%" NSPRIu64 " fd=%d Incoming BER Element was %" BERLEN_T " bytes, max allowable" ++ "conn=%" PRIu64 " fd=%d Incoming BER Element was %" BERLEN_T " bytes, max allowable" + " is %" BERLEN_T " bytes. Change the nsslapd-maxbersize attribute in" + " cn=config to increase.\n", + conn->c_connid, conn->c_sd, ber_len, maxbersize ); +@@ -2224,7 +2224,7 @@ disconnect_server_nomutex_ext( Connection *conn, PRUint64 opconnid, int opid, PR + if ( ( conn->c_sd != SLAPD_INVALID_SOCKET && + conn->c_connid == opconnid ) && !(conn->c_flags & CONN_FLAG_CLOSING) ) + { +- slapi_log_err(SLAPI_LOG_CONNS, "disconnect_server_nomutex_ext", "Setting conn %" NSPRIu64 " fd=%d " ++ slapi_log_err(SLAPI_LOG_CONNS, "disconnect_server_nomutex_ext", "Setting conn %" PRIu64 " fd=%d " + "to be disconnected: reason %d\n", conn->c_connid, conn->c_sd, reason); + /* + * PR_Close must be called before anything else is done because +@@ -2248,13 +2248,13 @@ disconnect_server_nomutex_ext( Connection *conn, PRUint64 opconnid, int opid, PR + */ + if (error && (EPIPE != error) ) { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d fd=%d closed error %d (%s) - %s\n", ++ "conn=%" PRIu64 " op=%d fd=%d closed error %d (%s) - %s\n", + conn->c_connid, opid, conn->c_sd, error, + slapd_system_strerror(error), + slapd_pr_strerror(reason)); + } else { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d fd=%d closed - %s\n", ++ "conn=%" PRIu64 " op=%d fd=%d closed - %s\n", + conn->c_connid, opid, conn->c_sd, + slapd_pr_strerror(reason)); + } +diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c +index bcafa4e..30da055 100644 +--- a/ldap/servers/slapd/conntable.c ++++ b/ldap/servers/slapd/conntable.c +@@ -395,7 +395,7 @@ connection_table_as_entry(Connection_Table *ct, Slapi_Entry 
*e) + * 3 = The number of operations attempted that were blocked + * by max threads. + */ +- snprintf(maxthreadbuf, sizeof(maxthreadbuf), "%d:%"NSPRIu64":%"NSPRIu64"", ++ snprintf(maxthreadbuf, sizeof(maxthreadbuf), "%d:%"PRIu64":%"PRIu64"", + maxthreadstate, ct->c[i].c_maxthreadscount, + ct->c[i].c_maxthreadsblocked); + +@@ -431,17 +431,17 @@ connection_table_as_entry(Connection_Table *ct, Slapi_Entry *e) + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "currentconnections", vals ); + +- snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(num_conns)); ++ snprintf( buf, sizeof(buf), "%" PRIu64, slapi_counter_get_value(num_conns)); + val.bv_val = buf; + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "totalconnections", vals ); + +- snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(conns_in_maxthreads)); ++ snprintf( buf, sizeof(buf), "%" PRIu64, slapi_counter_get_value(conns_in_maxthreads)); + val.bv_val = buf; + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "currentconnectionsatmaxthreads", vals ); + +- snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(max_threads_count)); ++ snprintf( buf, sizeof(buf), "%" PRIu64, slapi_counter_get_value(max_threads_count)); + val.bv_val = buf; + val.bv_len = strlen( buf ); + attrlist_replace( &e->e_attrs, "maxthreadsperconnhits", vals ); +diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c +index 8f9e74e..52f2519 100644 +--- a/ldap/servers/slapd/control.c ++++ b/ldap/servers/slapd/control.c +@@ -335,7 +335,7 @@ get_ldapmessage_controls_ext( + slapi_pblock_set(pb, SLAPI_REQCONTROLS, NULL); + slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found); + slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found); +- slapi_log_err(SLAPI_LOG_CONNS, "get_ldapmessage_controls_ext", "Warning: conn=%" NSPRIu64 " op=%d contains an empty list of controls\n", ++ slapi_log_err(SLAPI_LOG_CONNS, "get_ldapmessage_controls_ext", "Warning: 
conn=%" PRIu64 " op=%d contains an empty list of controls\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid); + } else { + /* len, ber_len_t is uint, not int, cannot be != -1, may be better to remove this check. */ +diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c +index a4ea4c0..5f2471e 100644 +--- a/ldap/servers/slapd/daemon.c ++++ b/ldap/servers/slapd/daemon.c +@@ -616,7 +616,7 @@ disk_monitoring_thread(void *nothing) + */ + if(disk_space < 4096){ /* 4 k */ + slapi_log_err(SLAPI_LOG_ALERT, "disk_monitoring_thread", "Disk space is critically low on disk (%s), " +- "remaining space: %" NSPRIu64 " Kb. Signaling slapd for shutdown...\n", dirstr , (disk_space / 1024)); ++ "remaining space: %" PRIu64 " Kb. Signaling slapd for shutdown...\n", dirstr , (disk_space / 1024)); + g_set_shutdown( SLAPI_SHUTDOWN_EXIT ); + return; + } +@@ -626,7 +626,7 @@ disk_monitoring_thread(void *nothing) + */ + if(verbose_logging != 0 && verbose_logging != LDAP_DEBUG_ANY){ + slapi_log_err(SLAPI_LOG_ALERT, "disk_monitoring_thread", "Disk space is low on disk (%s), remaining space: " +- "%" NSPRIu64 " Kb, temporarily setting error loglevel to the default level(%d).\n", dirstr, ++ "%" PRIu64 " Kb, temporarily setting error loglevel to the default level(%d).\n", dirstr, + (disk_space / 1024), SLAPD_DEFAULT_ERRORLOG_LEVEL); + /* Setting the log level back to zero, actually sets the value to LDAP_DEBUG_ANY */ + config_set_errorlog_level(CONFIG_LOGLEVEL_ATTRIBUTE, +@@ -640,7 +640,7 @@ disk_monitoring_thread(void *nothing) + */ + if(!logs_disabled && !logging_critical){ + slapi_log_err(SLAPI_LOG_ALERT, "disk_monitoring_thread", "Disk space is too low on disk (%s), remaining " +- "space: %" NSPRIu64 " Kb, disabling access and audit logging.\n", dirstr, (disk_space / 1024)); ++ "space: %" PRIu64 " Kb, disabling access and audit logging.\n", dirstr, (disk_space / 1024)); + config_set_accesslog_enabled(LOGGING_OFF); + config_set_auditlog_enabled(LOGGING_OFF); + 
config_set_auditfaillog_enabled(LOGGING_OFF); +@@ -653,7 +653,7 @@ disk_monitoring_thread(void *nothing) + */ + if(!deleted_rotated_logs && !logging_critical){ + slapi_log_err(SLAPI_LOG_ALERT, "disk_monitoring_thread", "Disk space is too low on disk (%s), remaining " +- "space: %" NSPRIu64 " Kb, deleting rotated logs.\n", dirstr, (disk_space / 1024)); ++ "space: %" PRIu64 " Kb, deleting rotated logs.\n", dirstr, (disk_space / 1024)); + log__delete_rotated_logs(); + deleted_rotated_logs = 1; + continue; +@@ -663,7 +663,7 @@ disk_monitoring_thread(void *nothing) + */ + if(disk_space < previous_mark){ + slapi_log_err(SLAPI_LOG_ALERT, "disk_monitoring_thread", "Disk space is too low on disk (%s), remaining " +- "space: %" NSPRIu64 " Kb\n", dirstr, (disk_space / 1024)); ++ "space: %" PRIu64 " Kb\n", dirstr, (disk_space / 1024)); + } + /* + * +@@ -674,7 +674,7 @@ disk_monitoring_thread(void *nothing) + * + */ + if(disk_space < halfway){ +- slapi_log_err(SLAPI_LOG_ALERT, "disk_monitoring_thread", "Disk space on (%s) is too far below the threshold(%" NSPRIu64 " bytes). " ++ slapi_log_err(SLAPI_LOG_ALERT, "disk_monitoring_thread", "Disk space on (%s) is too far below the threshold(%" PRIu64 " bytes). " + "Waiting %d minutes for disk space to be cleaned up before shutting slapd down...\n", + dirstr, threshold, (grace_period / 60)); + time(&start); +@@ -697,7 +697,7 @@ disk_monitoring_thread(void *nothing) + * Excellent, we are back to acceptable levels, reset everything... + */ + slapi_log_err(SLAPI_LOG_INFO, "disk_monitoring_thread", "Available disk space is now " +- "acceptable (%" NSPRIu64 " bytes). Aborting shutdown, and restoring the log settings.\n", ++ "acceptable (%" PRIu64 " bytes). Aborting shutdown, and restoring the log settings.\n", + disk_space); + if(logs_disabled && using_accesslog){ + config_set_accesslog_enabled(LOGGING_ON); +@@ -721,7 +721,7 @@ disk_monitoring_thread(void *nothing) + * Disk space is critical, log an error, and shut it down now! 
+ */ + slapi_log_err(SLAPI_LOG_ALERT, "disk_monitoring_thread", "Disk space is critically low " +- "on disk (%s), remaining space: %" NSPRIu64 " Kb. Signaling slapd for shutdown...\n", ++ "on disk (%s), remaining space: %" PRIu64 " Kb. Signaling slapd for shutdown...\n", + dirstr, (disk_space / 1024)); + g_set_shutdown( SLAPI_SHUTDOWN_DISKFULL ); + return; +@@ -739,7 +739,7 @@ disk_monitoring_thread(void *nothing) + * If disk space was freed up we would of detected in the above while loop. So shut it down. + */ + slapi_log_err(SLAPI_LOG_ALERT, "disk_monitoring_thread", "Disk space is still too low " +- "(%" NSPRIu64 " Kb). Signaling slapd for shutdown...\n", (disk_space / 1024)); ++ "(%" PRIu64 " Kb). Signaling slapd for shutdown...\n", (disk_space / 1024)); + g_set_shutdown( SLAPI_SHUTDOWN_DISKFULL ); + + return; +@@ -1785,7 +1785,7 @@ handle_pr_read_ready(Connection_Table *ct, PRIntn num_poll) + * trying to acquire a closing connection + */ + slapi_log_err(SLAPI_LOG_ERR, +- "handle_pr_read_ready", "connection_activity: abandoning conn %" NSPRIu64 " as " ++ "handle_pr_read_ready", "connection_activity: abandoning conn %" PRIu64 " as " + "fd=%d is already closing\n", c->c_connid,c->c_sd); + /* The call disconnect_server should do nothing, + * as the connection c should be already set to CLOSING */ +@@ -1843,7 +1843,7 @@ ns_handle_closure(struct ns_job_t *job) + #else + /* This doesn't actually confirm it's in the event loop thread, but it's a start */ + if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) { +- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_closure", "Attempt to close outside of event loop thread %" NSPRIu64 " for fd=%d\n", ++ slapi_log_err(SLAPI_LOG_ERR, "ns_handle_closure", "Attempt to close outside of event loop thread %" PRIu64 " for fd=%d\n", + c->c_connid, c->c_sd); + return; + } +@@ -1883,7 +1883,7 @@ ns_connection_post_io_or_closing(Connection *conn) + PR_ASSERT((conn->c_ns_close_jobs == 0) || (conn->c_ns_close_jobs == 1)); + if (conn->c_ns_close_jobs) 
{ + slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "Already a close " +- "job in progress on conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd); ++ "job in progress on conn %" PRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd); + return; + } else { + /* just make sure we schedule the event to be closed in a timely manner */ +@@ -1898,10 +1898,10 @@ ns_connection_post_io_or_closing(Connection *conn) + #endif + if (job_result != PR_SUCCESS) { + slapi_log_err(SLAPI_LOG_WARNING, "ns_connection_post_io_or_closing", "post closure job " +- "for conn %" NSPRIu64 " for fd=%d failed to be added to event queue\n", conn->c_connid, conn->c_sd); ++ "for conn %" PRIu64 " for fd=%d failed to be added to event queue\n", conn->c_connid, conn->c_sd); + } else { + slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "post closure job " +- "for conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd); ++ "for conn %" PRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd); + } + + } +@@ -1938,10 +1938,10 @@ ns_connection_post_io_or_closing(Connection *conn) + #endif + if (job_result != PR_SUCCESS) { + slapi_log_err(SLAPI_LOG_WARNING, "ns_connection_post_io_or_closing", "post I/O job for " +- "conn %" NSPRIu64 " for fd=%d failed to be added to event queue\n", conn->c_connid, conn->c_sd); ++ "conn %" PRIu64 " for fd=%d failed to be added to event queue\n", conn->c_connid, conn->c_sd); + } else { + slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "post I/O job for " +- "conn %" NSPRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd); ++ "conn %" PRIu64 " for fd=%d\n", conn->c_connid, conn->c_sd); + } + } + #endif +@@ -1964,14 +1964,14 @@ ns_handle_pr_read_ready(struct ns_job_t *job) + #else + /* This doesn't actually confirm it's in the event loop thread, but it's a start */ + if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) { +- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_pr_read_ready", "Attempt to handle read ready outside of event 
loop thread %" NSPRIu64 " for fd=%d\n", ++ slapi_log_err(SLAPI_LOG_ERR, "ns_handle_pr_read_ready", "Attempt to handle read ready outside of event loop thread %" PRIu64 " for fd=%d\n", + c->c_connid, c->c_sd); + return; + } + #endif + + PR_EnterMonitor(c->c_mutex); +- slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "activity on conn %" NSPRIu64 " for fd=%d\n", ++ slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "activity on conn %" PRIu64 " for fd=%d\n", + c->c_connid, c->c_sd); + /* if we were called due to some i/o event, see what the state of the socket is */ + if (slapi_is_loglevel_set(SLAPI_LOG_CONNS) && !NS_JOB_IS_TIMER(ns_job_get_output_type(job)) && c && c->c_sd) { +@@ -1980,16 +1980,16 @@ ns_handle_pr_read_ready(struct ns_job_t *job) + ssize_t rc = recv(c->c_sd, buf, sizeof(buf), MSG_PEEK); + if (!rc) { + slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "socket is closed conn" +- " %" NSPRIu64 " for fd=%d\n", c->c_connid, c->c_sd); ++ " %" PRIu64 " for fd=%d\n", c->c_connid, c->c_sd); + } else if (rc > 0) { + slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "socket read data available" +- " for conn %" NSPRIu64 " for fd=%d\n", c->c_connid, c->c_sd); ++ " for conn %" PRIu64 " for fd=%d\n", c->c_connid, c->c_sd); + } else if ((errno == EAGAIN) || (errno == EWOULDBLOCK)) { + slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "socket has no data available" +- " conn %" NSPRIu64 " for fd=%d\n", c->c_connid, c->c_sd); ++ " conn %" PRIu64 " for fd=%d\n", c->c_connid, c->c_sd); + } else { + slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "socket has error [%d] " +- "conn %" NSPRIu64 " for fd=%d\n", errno, c->c_connid, c->c_sd); ++ "conn %" PRIu64 " for fd=%d\n", errno, c->c_connid, c->c_sd); + } + } + connection_release_nolock_ext(c, 1); /* release ref acquired when job was added */ +@@ -2013,7 +2013,7 @@ ns_handle_pr_read_ready(struct ns_job_t *job) + * trying to acquire a closing connection + */ + 
slapi_log_err(SLAPI_LOG_ERR, "ns_handle_pr_read_ready", "connection_activity: abandoning"
+- " conn %" NSPRIu64 " as fd=%d is already closing\n", c->c_connid, c->c_sd);
++ " conn %" PRIu64 " as fd=%d is already closing\n", c->c_connid, c->c_sd);
+ /* The call disconnect_server should do nothing,
+ * as the connection c should be already set to CLOSING */
+ disconnect_server_nomutex_ext(c, c->c_connid, -1,
+@@ -2021,7 +2021,7 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
+ 0 /* do not schedule closure, do it next */);
+ ns_handle_closure_nomutex(c);
+ } else {
+- slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "queued conn %" NSPRIu64 " for fd=%d\n",
++ slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "queued conn %" PRIu64 " for fd=%d\n",
+ c->c_connid, c->c_sd);
+ }
+ PR_ExitMonitor(c->c_mutex);
+diff --git a/ldap/servers/slapd/delete.c b/ldap/servers/slapd/delete.c
+index a16718a..e4e82a3 100644
+--- a/ldap/servers/slapd/delete.c
++++ b/ldap/servers/slapd/delete.c
+@@ -260,7 +260,7 @@ static void op_shared_delete (Slapi_PBlock *pb)
+
+ if (!internal_op )
+ {
+- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d DEL dn=\"%s\"%s\n",
++ slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d DEL dn=\"%s\"%s\n",
+ pb->pb_conn->c_connid,
+ pb->pb_op->o_opid,
+ slapi_sdn_get_dn(sdn),
+diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
+index abacc57..b56e3da 100644
+--- a/ldap/servers/slapd/entry.c
++++ b/ldap/servers/slapd/entry.c
+@@ -3095,7 +3095,7 @@ slapi_entry_attr_set_ulong( Slapi_Entry* e, const char *type, uint64_t l)
+ struct berval *bvals[2];
+ bvals[0] = &bv;
+ bvals[1] = NULL;
+- sprintf(value,"%" NSPRIu64, l);
++ sprintf(value,"%" PRIu64, l);
+ bv.bv_val = value;
+ bv.bv_len = strlen( value );
+ slapi_entry_attr_replace( e, type, bvals );
+diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
+index 7e41b8c..6a5d2e3 100644
+--- a/ldap/servers/slapd/extendop.c
++++
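Review bot: The `sprintf(value, ...)` call in the slapi_entry_attr_set_ulong hunk is unbounded, and its argument is a full `uint64_t`, so the output can be up to 20 digits plus the terminator. The declaration of `value` is above the hunk, so its size cannot be checked from here; if it was sized for a 32-bit unsigned long, large values overflow it. Assuming `value` is a local array, I would write `snprintf(value, sizeof(value), "%" PRIu64, l);` and make sure the array holds at least 21 bytes.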
b/ldap/servers/slapd/extendop.c
+@@ -247,14 +247,14 @@ do_extended( Slapi_PBlock *pb )
+ if ( NULL == ( name = extended_op_oid2string( extoid ))) {
+ slapi_log_err(SLAPI_LOG_ARGS, "do_extended", "oid (%s)\n", extoid);
+
+- slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d EXT oid=\"%s\"\n",
++ slapi_log_access( LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d EXT oid=\"%s\"\n",
+ pb->pb_conn->c_connid, pb->pb_op->o_opid, extoid );
+ } else {
+ slapi_log_err(SLAPI_LOG_ARGS, "do_extended", "oid (%s-%s)\n",
+ extoid, name);
+
+ slapi_log_access( LDAP_DEBUG_STATS,
+- "conn=%" NSPRIu64 " op=%d EXT oid=\"%s\" name=\"%s\"\n",
++ "conn=%" PRIu64 " op=%d EXT oid=\"%s\" name=\"%s\"\n",
+ pb->pb_conn->c_connid, pb->pb_op->o_opid, extoid, name );
+ }
+
+diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
+index afedd5b..a63c6a6 100644
+--- a/ldap/servers/slapd/log.c
++++ b/ldap/servers/slapd/log.c
+@@ -2769,7 +2769,7 @@ log__open_accesslogfile(int logfile_state, int locked)
+ while ( logp) {
+ log_convert_time (logp->l_ctime, tbuf, 1 /*short*/);
+ PR_snprintf(buffer, sizeof(buffer), "LOGINFO:%s%s.%s (%lu) (%"
+- NSPRI64 "d)\n", PREVLOGFILE, loginfo.log_access_file, tbuf,
++ PRId64 "d)\n", PREVLOGFILE, loginfo.log_access_file, tbuf,
+ logp->l_ctime, logp->l_size);
+ LOG_WRITE(fpinfo, buffer, strlen(buffer), 0);
+ logp = logp->l_next;
+@@ -2907,7 +2907,7 @@ log_rotate:
+ if (type == LOG_SIZE_EXCEEDED) {
+ slapi_log_err(SLAPI_LOG_TRACE, "log__needrotation",
+ "LOGINFO:End of Log because size exceeded(Max:%"
+- NSPRI64 "d bytes) (Is:%" NSPRI64 "d bytes)\n",
++ PRId64 "d bytes) (Is:%" PRId64 "d bytes)\n",
+ maxlogsize, f_size);
+ } else if ( type == LOG_EXPIRED) {
+ slapi_log_err(SLAPI_LOG_TRACE, "log__needrotation",
+@@ -4636,7 +4636,7 @@ log__open_errorlogfile(int logfile_state, int locked)
+ while (logp) {
+ log_convert_time (logp->l_ctime, tbuf, 1 /*short */);
+ PR_snprintf(buffer, sizeof(buffer), "LOGINFO:%s%s.%s (%lu) (%"
+- NSPRI64 "d)\n", PREVLOGFILE,
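Review bot: The replacement in log__open_accesslogfile keeps the literal `d` after the macro, so `"%" PRId64 "d)\n"` now expands to a complete conversion followed by a stray `d`, and each LOGINFO line is written as `(<size>d)`. NSPRI64 was used as a length modifier and needed the `d`; PRId64 already carries it, so the lines should read `PRId64 ")\n", PREVLOGFILE, loginfo.log_access_file, tbuf,` here and `PRId64 " bytes) (Is:%" PRId64 " bytes)\n",` in the log_rotate hunk. The same applies to the log__open_errorlogfile, log__open_auditlogfile and log__open_auditfaillogfile hunks that follow. Whatever reads these LOGINFO records back should be checked against the extra character, since a mis-parsed size would feed the rotation decisions. Separately, PR_snprintf is NSPR's own formatter and, as far as I recall, documents `%ld` as a 32-bit conversion, so it is worth confirming that PRId64 yields a 64-bit read of `logp->l_size` on LP64 builds.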
loginfo.log_error_file, tbuf,
++ PRId64 "d)\n", PREVLOGFILE, loginfo.log_error_file, tbuf,
+ logp->l_ctime, logp->l_size);
+ LOG_WRITE(fpinfo, buffer, strlen(buffer), 0);
+ logp = logp->l_next;
+@@ -4763,7 +4763,7 @@ log__open_auditlogfile(int logfile_state, int locked)
+ while ( logp) {
+ log_convert_time (logp->l_ctime, tbuf, 1 /*short */);
+ PR_snprintf(buffer, sizeof(buffer), "LOGINFO:%s%s.%s (%lu) (%"
+- NSPRI64 "d)\n", PREVLOGFILE, loginfo.log_audit_file, tbuf,
++ PRId64 "d)\n", PREVLOGFILE, loginfo.log_audit_file, tbuf,
+ logp->l_ctime, logp->l_size);
+ LOG_WRITE(fpinfo, buffer, strlen(buffer), 0);
+ logp = logp->l_next;
+@@ -4889,7 +4889,7 @@ log__open_auditfaillogfile(int logfile_state, int locked)
+ while ( logp) {
+ log_convert_time (logp->l_ctime, tbuf, 1 /*short */);
+ PR_snprintf(buffer, sizeof(buffer), "LOGINFO:%s%s.%s (%lu) (%"
+- NSPRI64 "d)\n", PREVLOGFILE, loginfo.log_auditfail_file, tbuf,
++ PRId64 "d)\n", PREVLOGFILE, loginfo.log_auditfail_file, tbuf,
+ logp->l_ctime, logp->l_size);
+ LOG_WRITE(fpinfo, buffer, strlen(buffer), 0);
+ logp = logp->l_next;
+diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
+index e23fe67..da66b44 100644
+--- a/ldap/servers/slapd/modify.c
++++ b/ldap/servers/slapd/modify.c
+@@ -680,7 +680,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
+
+ if ( !internal_op )
+ {
+- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s\n",
++ slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s\n",
+ pb->pb_conn->c_connid,
+ pb->pb_op->o_opid,
+ slapi_sdn_get_dn(sdn),
+@@ -1227,7 +1227,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old
+ {
+ if (operation_is_flag_set(operation,OP_FLAG_ACTION_LOG_ACCESS))
+ {
+- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"\n",
++ slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"\n",
+ pb->pb_conn->c_connid,
pb->pb_op->o_opid, + slapi_sdn_get_dn(&sdn)); + } +@@ -1267,7 +1267,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old + if (proxydn){ + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } +- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s\n", ++ slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, + slapi_sdn_get_dn(&sdn), proxystr ? proxystr : ""); + } +@@ -1312,7 +1312,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + +- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s, %s\n", ++ slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s, %s\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, + slapi_sdn_get_dn(&sdn), + proxystr ? proxystr : "", +@@ -1338,7 +1338,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old + + if ( !internal_op ) + { +- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s, %s\n", ++ slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s, %s\n", + pb->pb_conn->c_connid, + pb->pb_op->o_opid, + slapi_sdn_get_dn(&sdn), +@@ -1381,7 +1381,7 @@ static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old + + if ( !internal_op ) + { +- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d MOD dn=\"%s\"%s, %s\n", ++ slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s, %s\n", + pb->pb_conn->c_connid, + pb->pb_op->o_opid, + slapi_sdn_get_dn(&sdn), +diff --git a/ldap/servers/slapd/modrdn.c b/ldap/servers/slapd/modrdn.c +index 15f5210..69cca40 100644 +--- a/ldap/servers/slapd/modrdn.c ++++ b/ldap/servers/slapd/modrdn.c +@@ -463,7 +463,7 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args) + if ( !internal_op ) + { + 
slapi_log_access(LDAP_DEBUG_STATS,
+- "conn=%" NSPRIu64 " op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"%s\n",
++ "conn=%" PRIu64 " op=%d MODRDN dn=\"%s\" newrdn=\"%s\" newsuperior=\"%s\"%s\n",
+ pb->pb_conn->c_connid,
+ pb->pb_op->o_opid,
+ dn,
+@@ -497,7 +497,7 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
+ {
+ if ( !internal_op ) {
+ slapi_log_err(SLAPI_LOG_ARGS, "op_shared_rename",
+- "conn=%" NSPRIu64 " op=%d MODRDN invalid new RDN (\"%s\")\n",
++ "conn=%" PRIu64 " op=%d MODRDN invalid new RDN (\"%s\")\n",
+ pb->pb_conn->c_connid,
+ pb->pb_op->o_opid,
+ (NULL == newrdn) ? "(null)" : newrdn);
+@@ -531,7 +531,7 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
+ "Syntax check of newSuperior failed\n");
+ if (!internal_op) {
+ slapi_log_err(SLAPI_LOG_ARGS, "op_shared_rename",
+- "conn=%" NSPRIu64 " op=%d MODRDN invalid new superior (\"%s\")",
++ "conn=%" PRIu64 " op=%d MODRDN invalid new superior (\"%s\")",
+ pb->pb_conn->c_connid,
+ pb->pb_op->o_opid,
+ newsuperior ?
newsuperior : "(null)");
+diff --git a/ldap/servers/slapd/monitor.c b/ldap/servers/slapd/monitor.c
+index f1fb38f..8d1788f 100644
+--- a/ldap/servers/slapd/monitor.c
++++ b/ldap/servers/slapd/monitor.c
+@@ -60,19 +60,19 @@ monitor_info(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, int *ret
+
+ connection_table_as_entry(the_connection_table, e);
+
+- val.bv_len = snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(ops_initiated) );
++ val.bv_len = snprintf( buf, sizeof(buf), "%" PRIu64, slapi_counter_get_value(ops_initiated) );
+ val.bv_val = buf;
+ attrlist_replace( &e->e_attrs, "opsinitiated", vals );
+
+- val.bv_len = snprintf( buf, sizeof(buf), "%" NSPRIu64, slapi_counter_get_value(ops_completed) );
++ val.bv_len = snprintf( buf, sizeof(buf), "%" PRIu64, slapi_counter_get_value(ops_completed) );
+ val.bv_val = buf;
+ attrlist_replace( &e->e_attrs, "opscompleted", vals );
+
+- val.bv_len = snprintf ( buf, sizeof(buf), "%" NSPRIu64, g_get_num_entries_sent() );
++ val.bv_len = snprintf ( buf, sizeof(buf), "%" PRIu64, g_get_num_entries_sent() );
+ val.bv_val = buf;
+ attrlist_replace( &e->e_attrs, "entriessent", vals );
+
+- val.bv_len = snprintf ( buf, sizeof(buf), "%" NSPRIu64, g_get_num_bytes_sent() );
++ val.bv_len = snprintf ( buf, sizeof(buf), "%" PRIu64, g_get_num_bytes_sent() );
+ val.bv_val = buf;
+ attrlist_replace( &e->e_attrs, "bytessent", vals );
+
+diff --git a/ldap/servers/slapd/operation.c b/ldap/servers/slapd/operation.c
+index ccbc549..00fb9b8 100644
+--- a/ldap/servers/slapd/operation.c
++++ b/ldap/servers/slapd/operation.c
+@@ -580,7 +580,7 @@ int slapi_connection_acquire(Slapi_Connection *conn)
+ {
+ /* This may happen while other threads are still working on this connection */
+ slapi_log_err(SLAPI_LOG_ERR, "slapi_connection_acquire",
+- "conn=%" NSPRIu64 " fd=%d Attempt to acquire connection in the closing state\n",
++ "conn=%" PRIu64 " fd=%d Attempt to acquire connection in the closing state\n",
+ conn->c_connid,
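Review bot: The `invalid new superior` message in the last op_shared_rename hunk has no trailing `\n`, unlike the `invalid new RDN (\"%s\")\n` message in the hunk before it, so unless slapi_log_err appends one the next error-log record runs onto the same line. Since the line is being touched anyway, `"conn=%" PRIu64 " op=%d MODRDN invalid new superior (\"%s\")\n",` would keep one record per line, which matters for anything that parses or alerts on this log. Both messages also write the client-supplied RDN or superior DN as received; whether slapi_log_err escapes control characters is not visible from the hunk and is worth confirming.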
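Review bot: Each `val.bv_len = snprintf(...)` in the monitor_info hunk stores snprintf's return value as the value length, but that return is the length the output would have had, not what was written, and it is negative on error. `buf` is declared above the hunk; if it can ever be shorter than the 21 bytes a 64-bit counter needs, bv_len would exceed the bytes actually in buf and the attribute value would be read past the string. connection_table_as_entry in conntable.c formats similar counters and then sets `val.bv_len = strlen( buf );`, which is the safer pattern to use here as well.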
conn->c_sd); + rc = -1; + } +@@ -606,7 +606,7 @@ slapi_connection_remove_operation( Slapi_PBlock *pb, Slapi_Connection *conn, Sla + if ( *tmp == NULL ) { + if (op) { + slapi_log_err(SLAPI_LOG_ERR, "slapi_connection_remove_operation", +- "Can't find op %d for conn %" NSPRIu64 "\n", ++ "Can't find op %d for conn %" PRIu64 "\n", + (int)op->o_msgid, conn->c_connid); + } else { + slapi_log_err(SLAPI_LOG_ERR, "slapi_connection_remove_operation", +@@ -620,7 +620,7 @@ slapi_connection_remove_operation( Slapi_PBlock *pb, Slapi_Connection *conn, Sla + /* connection_release_nolock(conn); */ + if (conn->c_refcnt <= 0) { + slapi_log_err(SLAPI_LOG_ERR, "slapi_connection_remove_operation", +- "conn=%" NSPRIu64 " fd=%d Attempt to release connection that is not acquired\n", ++ "conn=%" PRIu64 " fd=%d Attempt to release connection that is not acquired\n", + conn->c_connid, conn->c_sd); + rc = -1; + } else { +diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c +index 3ce7970..4682a73 100644 +--- a/ldap/servers/slapd/opshared.c ++++ b/ldap/servers/slapd/opshared.c +@@ -289,7 +289,7 @@ op_shared_search (Slapi_PBlock *pb, int send_result) + { + char *fmtstr; + +-#define SLAPD_SEARCH_FMTSTR_BASE "conn=%" NSPRIu64 " op=%d SRCH base=\"%s\" scope=%d " ++#define SLAPD_SEARCH_FMTSTR_BASE "conn=%" PRIu64 " op=%d SRCH base=\"%s\" scope=%d " + #define SLAPD_SEARCH_FMTSTR_BASE_INT "conn=%s op=%d SRCH base=\"%s\" scope=%d " + #define SLAPD_SEARCH_FMTSTR_REMAINDER " attrs=%s%s%s\n" + +@@ -1744,7 +1744,7 @@ void op_shared_log_error_access (Slapi_PBlock *pb, const char *type, const char + proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn); + } + +- slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d %s dn=\"%s\"%s, %s\n", ++ slapi_log_access( LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d %s dn=\"%s\"%s, %s\n", + ( pb->pb_conn ? pb->pb_conn->c_connid : 0), + ( pb->pb_op ? 
pb->pb_op->o_opid : 0), + type, +diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c +index a30e2fa..e8c80e7 100644 +--- a/ldap/servers/slapd/pagedresults.c ++++ b/ldap/servers/slapd/pagedresults.c +@@ -310,7 +310,7 @@ pagedresults_free_one( Connection *conn, Operation *op, int index ) + PR_EnterMonitor(conn->c_mutex); + if (conn->c_pagedresults.prl_count <= 0) { + slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_free_one", +- "conn=%" NSPRIu64 " paged requests list count is %d\n", ++ "conn=%" PRIu64 " paged requests list count is %d\n", + conn->c_connid, conn->c_pagedresults.prl_count); + } else if (index < conn->c_pagedresults.prl_maxlen) { + PagedResults *prp = conn->c_pagedresults.prl_list + index; +diff --git a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c +index 793bea3..2d0badc 100644 +--- a/ldap/servers/slapd/psearch.c ++++ b/ldap/servers/slapd/psearch.c +@@ -283,7 +283,7 @@ ps_send_results( void *arg ) + + if (conn_acq_flag) { + slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results", +- "conn=%" NSPRIu64 " op=%d Could not acquire the connection - psearch aborted\n", ++ "conn=%" PRIu64 " op=%d Could not acquire the connection - psearch aborted\n", + ps->ps_pblock->pb_conn->c_connid, ps->ps_pblock->pb_op->o_opid); + } + +@@ -293,7 +293,7 @@ ps_send_results( void *arg ) + /* Check for an abandoned operation */ + if ( ps->ps_pblock->pb_op == NULL || slapi_op_abandoned( ps->ps_pblock ) ) { + slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results", +- "conn=%" NSPRIu64 " op=%d The operation has been abandoned\n", ++ "conn=%" PRIu64 " op=%d The operation has been abandoned\n", + ps->ps_pblock->pb_conn->c_connid, ps->ps_pblock->pb_op->o_opid); + break; + } +@@ -351,7 +351,7 @@ ps_send_results( void *arg ) + ectrls, attrs, attrsonly ); + if (rc) { + slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results", +- "conn=%" NSPRIu64 " op=%d Error %d sending entry %s with op status %d\n", ++ "conn=%" PRIu64 " op=%d Error %d sending entry %s with op 
status %d\n", + ps->ps_pblock->pb_conn->c_connid, ps->ps_pblock->pb_op->o_opid, + rc, slapi_entry_get_dn_const(ec), ps->ps_pblock->pb_op->o_status); + } +@@ -400,7 +400,7 @@ ps_send_results( void *arg ) + PR_EnterMonitor(conn->c_mutex); + + slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results", +- "conn=%" NSPRIu64 " op=%d Releasing the connection and operation\n", ++ "conn=%" PRIu64 " op=%d Releasing the connection and operation\n", + conn->c_connid, ps->ps_pblock->pb_op->o_opid); + /* Delete this op from the connection's list */ + connection_remove_operation_ext( ps->ps_pblock, conn, ps->ps_pblock->pb_op ); +@@ -535,7 +535,7 @@ ps_service_persistent_searches( Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t ch + } + + slapi_log_err(SLAPI_LOG_CONNS, "ps_service_persistent_searches", +- "conn=%" NSPRIu64 " op=%d entry %s with chgtype %d " ++ "conn=%" PRIu64 " op=%d entry %s with chgtype %d " + "matches the ps changetype %d\n", + ps->ps_pblock->pb_conn->c_connid, + ps->ps_pblock->pb_op->o_opid, +diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c +index 5c38bae..56257c3 100644 +--- a/ldap/servers/slapd/result.c ++++ b/ldap/servers/slapd/result.c +@@ -1980,7 +1980,7 @@ log_result( Slapi_PBlock *pb, Operation *op, int err, ber_tag_t tag, int nentrie + if ( !internal_op ) + { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d RESULT err=%d" ++ "conn=%" PRIu64 " op=%d RESULT err=%d" + " tag=%" BERTAG_T " nentries=%d etime=%s%s%s" + ", SASL bind in progress\n", + op->o_connid, +@@ -2012,7 +2012,7 @@ log_result( Slapi_PBlock *pb, Operation *op, int err, ber_tag_t tag, int nentrie + if ( !internal_op ) + { + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d RESULT err=%d" ++ "conn=%" PRIu64 " op=%d RESULT err=%d" + " tag=%" BERTAG_T " nentries=%d etime=%s%s%s" + " dn=\"%s\"\n", + op->o_connid, +@@ -2040,7 +2040,7 @@ log_result( Slapi_PBlock *pb, Operation *op, int err, ber_tag_t tag, int nentrie + if ( !internal_op ) + { + 
slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d RESULT err=%d" ++ "conn=%" PRIu64 " op=%d RESULT err=%d" + " tag=%" BERTAG_T " nentries=%d etime=%s%s%s" + " pr_idx=%d pr_cookie=%d\n", + op->o_connid, +@@ -2073,7 +2073,7 @@ log_result( Slapi_PBlock *pb, Operation *op, int err, ber_tag_t tag, int nentrie + ext_str = ""; + } + slapi_log_access( LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d RESULT err=%d" ++ "conn=%" PRIu64 " op=%d RESULT err=%d" + " tag=%" BERTAG_T " nentries=%d etime=%s%s%s%s\n", + op->o_connid, + op->o_opid, +@@ -2142,7 +2142,7 @@ log_entry( Operation *op, Slapi_Entry *e ) + + if ( !internal_op ) + { +- slapi_log_access( LDAP_DEBUG_STATS2, "conn=%" NSPRIu64 " op=%d ENTRY dn=\"%s\"\n", ++ slapi_log_access( LDAP_DEBUG_STATS2, "conn=%" PRIu64 " op=%d ENTRY dn=\"%s\"\n", + op->o_connid, op->o_opid, + slapi_entry_get_dn_const(e)); + } +@@ -2167,7 +2167,7 @@ log_referral( Operation *op ) + + if ( !internal_op ) + { +- slapi_log_access( LDAP_DEBUG_STATS2, "conn=%" NSPRIu64 " op=%d REFERRAL\n", ++ slapi_log_access( LDAP_DEBUG_STATS2, "conn=%" PRIu64 " op=%d REFERRAL\n", + op->o_connid, op->o_opid ); + } + else +diff --git a/ldap/servers/slapd/sasl_io.c b/ldap/servers/slapd/sasl_io.c +index 1337e1c..9458083 100644 +--- a/ldap/servers/slapd/sasl_io.c ++++ b/ldap/servers/slapd/sasl_io.c +@@ -198,17 +198,17 @@ sasl_io_start_packet(PRFileDesc *fd, PRIntn flags, PRIntervalTime timeout, PRInt + /* first we need the length bytes */ + ret = PR_Recv(fd->lower, buffer, amount, flags, timeout); + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", +- "Read sasl packet length returned %d on connection %" NSPRIu64 "\n", ++ "Read sasl packet length returned %d on connection %" PRIu64 "\n", + ret, c->c_connid); + if (ret <= 0) { + *err = PR_GetError(); + if (ret == 0) { + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", +- "Connection closed while reading sasl packet length on connection %" NSPRIu64 "\n", ++ "Connection closed while reading sasl 
packet length on connection %" PRIu64 "\n", + c->c_connid ); + } else { + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", +- "Error reading sasl packet length on connection %" NSPRIu64 " %d:%s\n", ++ "Error reading sasl packet length on connection %" PRIu64 " %d:%s\n", + c->c_connid, *err, slapd_pr_strerror(*err) ); + } + return ret; +@@ -226,7 +226,7 @@ sasl_io_start_packet(PRFileDesc *fd, PRIntn flags, PRIntervalTime timeout, PRInt + if (sp->encrypted_buffer_offset < sizeof(buffer)) { + slapi_log_err(SLAPI_LOG_CONNS, + "sasl_io_start_packet", "Read only %d bytes of sasl packet " +- "length on connection %" NSPRIu64 "\n", ret, c->c_connid ); ++ "length on connection %" PRIu64 "\n", ret, c->c_connid ); + #if defined(EWOULDBLOCK) + errno = EWOULDBLOCK; + #elif defined(EAGAIN) +@@ -251,7 +251,7 @@ sasl_io_start_packet(PRFileDesc *fd, PRIntn flags, PRIntervalTime timeout, PRInt + ber_len_t ber_len = 0; + ber_tag_t tag = 0; + +- slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", "conn=%" NSPRIu64 " fd=%d " ++ slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", "conn=%" PRIu64 " fd=%d " + "Sent an LDAP message that was not encrypted.\n", c->c_connid, + c->c_sd); + +@@ -265,7 +265,7 @@ sasl_io_start_packet(PRFileDesc *fd, PRIntn flags, PRIntervalTime timeout, PRInt + /* Is the ldap operation too large? */ + if(ber_len > maxbersize){ + slapi_log_err(SLAPI_LOG_ERR, "sasl_io_start_packet", +- "conn=%" NSPRIu64 " fd=%d Incoming BER Element was too long, max allowable " ++ "conn=%" PRIu64 " fd=%d Incoming BER Element was too long, max allowable " + "is %" BERLEN_T " bytes. 
Change the nsslapd-maxbersize attribute in " + "cn=config to increase.\n", + c->c_connid, c->c_sd, maxbersize ); +@@ -305,7 +305,7 @@ sasl_io_start_packet(PRFileDesc *fd, PRIntn flags, PRIntervalTime timeout, PRInt + } else if (ret > 0) { + slapi_log_err(SLAPI_LOG_CONNS, + "sasl_io_start_packet", +- "Continued: read sasl packet length returned %d on connection %" NSPRIu64 "\n", ++ "Continued: read sasl packet length returned %d on connection %" PRIu64 "\n", + ret, c->c_connid); + if((ret + sp->encrypted_buffer_offset) > sp->encrypted_buffer_size){ + sasl_io_resize_encrypted_buffer(sp, ret + sp->encrypted_buffer_offset); +@@ -316,7 +316,7 @@ sasl_io_start_packet(PRFileDesc *fd, PRIntn flags, PRIntervalTime timeout, PRInt + *err = PR_GetError(); + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", + "Error reading sasl packet length on connection " +- "%" NSPRIu64 " %d:%s\n", c->c_connid, *err, slapd_pr_strerror(*err) ); ++ "%" PRIu64 " %d:%s\n", c->c_connid, *err, slapd_pr_strerror(*err) ); + return ret; + } + } +@@ -360,7 +360,7 @@ sasl_io_start_packet(PRFileDesc *fd, PRIntn flags, PRIntervalTime timeout, PRInt + tag = *ber->ber_ptr++; + if (*ber->ber_ptr == LDAP_REQ_UNBIND){ + #endif +- slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", "conn=%" NSPRIu64 " fd=%d " ++ slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", "conn=%" PRIu64 " fd=%d " + "Received unencrypted UNBIND operation.\n", c->c_connid, + c->c_sd); + sp->encrypted_buffer_count = sp->encrypted_buffer_offset; +@@ -368,7 +368,7 @@ sasl_io_start_packet(PRFileDesc *fd, PRIntn flags, PRIntervalTime timeout, PRInt + ber_free(ber, 1); + return SASL_IO_BUFFER_NOT_ENCRYPTED; + } +- slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", "conn=%" NSPRIu64 " fd=%d " ++ slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", "conn=%" PRIu64 " fd=%d " + "Error: received an LDAP message (tag 0x%lx) that was not encrypted.\n", + #ifdef USE_OPENLDAP + c->c_connid, c->c_sd, (long unsigned int)tag); +@@ 
-380,7 +380,7 @@ sasl_io_start_packet(PRFileDesc *fd, PRIntn flags, PRIntervalTime timeout, PRInt + + done: + /* If we got here we have garbage, or a denied LDAP operation */ +- slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", "conn=%" NSPRIu64 " fd=%d " ++ slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", "conn=%" PRIu64 " fd=%d " + "Error: received an invalid message that was not encrypted.\n", + c->c_connid, c->c_sd); + +@@ -399,7 +399,7 @@ done: + packet_length += sizeof(uint32_t); + + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_start_packet", +- "read sasl packet length %ld on connection %" NSPRIu64 "\n", ++ "read sasl packet length %ld on connection %" PRIu64 "\n", + packet_length, c->c_connid ); + + /* Check if the packet length is larger than our max allowed. A +@@ -432,17 +432,17 @@ sasl_io_read_packet(PRFileDesc *fd, PRIntn flags, PRIntervalTime timeout, PRInt3 + size_t bytes_remaining_to_read = sp->encrypted_buffer_count - sp->encrypted_buffer_offset; + + slapi_log_err(SLAPI_LOG_CONNS, +- "sasl_io_read_packet", "Reading %lu bytes for connection %" NSPRIu64 "\n", ++ "sasl_io_read_packet", "Reading %lu bytes for connection %" PRIu64 "\n", + bytes_remaining_to_read, c->c_connid ); + ret = PR_Recv(fd->lower, sp->encrypted_buffer + sp->encrypted_buffer_offset, bytes_remaining_to_read, flags, timeout); + if (ret <= 0) { + *err = PR_GetError(); + if (ret == 0) { + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_read_packet", +- "Connection closed while reading sasl packet on connection %" NSPRIu64 "\n", c->c_connid ); ++ "Connection closed while reading sasl packet on connection %" PRIu64 "\n", c->c_connid ); + } else { + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_read_packet", +- "Error reading sasl packet on connection %" NSPRIu64 " %d:%s\n", ++ "Error reading sasl packet on connection %" PRIu64 " %d:%s\n", + c->c_connid, *err, slapd_pr_strerror(*err) ); + } + return ret; +@@ -464,10 +464,10 @@ sasl_io_recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, + 
/* Do we have decrypted data buffered from 'before' ? */ + bytes_in_buffer = sp->decrypted_buffer_count - sp->decrypted_buffer_offset; + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_recv", +- "Connection %" NSPRIu64 " len %d bytes_in_buffer %lu\n", ++ "Connection %" PRIu64 " len %d bytes_in_buffer %lu\n", + c->c_connid, len, bytes_in_buffer ); + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_recv", +- "Connection %" NSPRIu64 " len %d encrypted buffer count %lu\n", ++ "Connection %" PRIu64 " len %d encrypted buffer count %lu\n", + c->c_connid, len, sp->encrypted_buffer_count ); + if (0 == bytes_in_buffer) { + /* If there wasn't buffered decrypted data, we need to get some... */ +@@ -502,7 +502,7 @@ sasl_io_recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, + */ + if (!sasl_io_finished_packet(sp)) { + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_recv", +- "Connection %" NSPRIu64 " - not finished reading packet yet\n", c->c_connid); ++ "Connection %" PRIu64 " - not finished reading packet yet\n", c->c_connid); + #if defined(EWOULDBLOCK) + errno = EWOULDBLOCK; + #elif defined(EAGAIN) +@@ -516,7 +516,7 @@ sasl_io_recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, + const char *output_buffer = NULL; + unsigned int output_length = 0; + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_recv", +- "Finished reading packet for connection %" NSPRIu64 "\n", c->c_connid ); ++ "Finished reading packet for connection %" PRIu64 "\n", c->c_connid ); + /* Now decode it */ + ret = sasl_decode(c->c_sasl_conn,sp->encrypted_buffer,sp->encrypted_buffer_count,&output_buffer,&output_length); + /* even if decode fails, need re-initialize the encrypted_buffer */ +@@ -524,7 +524,7 @@ sasl_io_recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, + sp->encrypted_buffer_count = 0; + if (SASL_OK == ret) { + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_recv", +- "Decoded packet length %u for connection %" NSPRIu64 "\n", output_length, c->c_connid ); ++ "Decoded packet length %u for connection %" PRIu64 "\n", 
output_length, c->c_connid ); + if (output_length) { + sasl_io_resize_decrypted_buffer(sp,output_length); + memcpy(sp->decrypted_buffer,output_buffer,output_length); +@@ -534,7 +534,7 @@ sasl_io_recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, + } + } else { + slapi_log_err(SLAPI_LOG_ERR, "sasl_io_recv", +- "Failed to decode packet for connection %" NSPRIu64 "\n", c->c_connid ); ++ "Failed to decode packet for connection %" PRIu64 "\n", c->c_connid ); + PR_SetError(PR_IO_ERROR, 0); + return PR_FAILURE; + } +@@ -552,11 +552,11 @@ sasl_io_recv(PRFileDesc *fd, void *buf, PRInt32 len, PRIntn flags, + sp->decrypted_buffer_offset = 0; + sp->decrypted_buffer_count = 0; + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_recv", +- "All decrypted data returned for connection %" NSPRIu64 "\n", c->c_connid ); ++ "All decrypted data returned for connection %" PRIu64 "\n", c->c_connid ); + } else { + sp->decrypted_buffer_offset += bytes_to_return; + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_recv", +- "Returning %lu bytes to caller %lu bytes left to return for connection %" NSPRIu64 "\n", ++ "Returning %lu bytes to caller %lu bytes left to return for connection %" PRIu64 "\n", + bytes_to_return, sp->decrypted_buffer_count - sp->decrypted_buffer_offset, c->c_connid ); + } + ret = bytes_to_return; +@@ -772,11 +772,11 @@ sasl_io_enable(Connection *c, void *data /* UNUSED */) + rv = PR_PushIOLayer(c->c_prfd, PR_TOP_IO_LAYER, layer); + if (rv) { + slapi_log_err(SLAPI_LOG_ERR, "sasl_io_enable", +- "Error enabling sasl io on connection %" NSPRIu64 " %d:%s\n", ++ "Error enabling sasl io on connection %" PRIu64 " %d:%s\n", + c->c_connid, rv, slapd_pr_strerror(rv) ); + } else { + slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_enable", +- "Enabled sasl io on connection %" NSPRIu64 " \n", c->c_connid); ++ "Enabled sasl io on connection %" PRIu64 " \n", c->c_connid); + debug_print_layers(c->c_prfd); + } + } +@@ -794,7 +794,7 @@ sasl_io_cleanup(Connection *c, void *data /* UNUSED */) + int ret = 0; + 
+ slapi_log_err(SLAPI_LOG_CONNS, "sasl_io_cleanup", +- "Connection %" NSPRIu64 "\n", c->c_connid); ++ "Connection %" PRIu64 "\n", c->c_connid); + + ret = sasl_pop_IO_layer(c->c_prfd, 0 /* do not close */); + +diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c +index 9e5d1f0..2d6fb64 100644 +--- a/ldap/servers/slapd/saslbind.c ++++ b/ldap/servers/slapd/saslbind.c +@@ -929,7 +929,7 @@ void ids_sasl_check_bind(Slapi_PBlock *pb) + Slapi_Operation *operation; + slapi_pblock_get( pb, SLAPI_OPERATION, &operation); + slapi_log_err(SLAPI_LOG_CONNS, "ids_sasl_check_bind", +- "cleaning up sasl IO conn=%" NSPRIu64 " op=%d complete=%d continuing=%d\n", ++ "cleaning up sasl IO conn=%" PRIu64 " op=%d complete=%d continuing=%d\n", + pb->pb_conn->c_connid, operation->o_opid, + (pb->pb_conn->c_flags & CONN_FLAG_SASL_COMPLETE), continuing); + /* reset flag */ +diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c +index 670347e..ea8b479 100644 +--- a/ldap/servers/slapd/search.c ++++ b/ldap/servers/slapd/search.c +@@ -380,7 +380,7 @@ free_and_return:; + static void log_search_access (Slapi_PBlock *pb, const char *base, int scope, const char *fstr, const char *msg) + { + slapi_log_access(LDAP_DEBUG_STATS, +- "conn=%" NSPRIu64 " op=%d SRCH base=\"%s\" scope=%d filter=\"%s\", %s\n", ++ "conn=%" PRIu64 " op=%d SRCH base=\"%s\" scope=%d filter=\"%s\", %s\n", + pb->pb_conn->c_connid, pb->pb_op->o_opid, + base, scope, fstr, msg ? 
msg : "");
+
+diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
+index 5871bf0..abfad20 100644
+--- a/ldap/servers/slapd/slap.h
++++ b/ldap/servers/slapd/slap.h
+@@ -72,13 +72,8 @@ static char ptokPBE[34] = "Internal (Software) Token ";
+ #include
+ #include
+
+-/* Required to get portable printf/scanf format macros */
+-#ifdef HAVE_INTTYPES_H
+-#include
+-
+-#else
+-#error Need to define portable format macros such as PRIu64
+-#endif /* HAVE_INTTYPES_H */
++/* Provides our int types and platform specific requirements. */
++#include
+
+ #define LOG_INTERNAL_OP_CON_ID "Internal"
+ #define LOG_INTERNAL_OP_OP_ID -1
+diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
+index 725fa1c..ec8917d 100644
+--- a/ldap/servers/slapd/slapi-plugin.h
++++ b/ldap/servers/slapd/slapi-plugin.h
+@@ -27,6 +27,9 @@
+ extern "C" {
+ #endif
+
++/* Provides our int types and platform specific requirements. */
++#include
++
+ #include "prtypes.h"
+ #include "ldap.h"
+ #include "prprf.h"
+@@ -57,17 +60,6 @@ NSPR_API(PRUint32) PR_fprintf(struct PRFileDesc* fd, const char *fmt, ...)
+ ;
+ #endif
+
+-/* NSPR uses the print macros a bit differently than ANSI C. We
+- * need to use ll for a 64-bit integer, even when a long is 64-bit.
+- */
+-#if defined(HAVE_LONG_LONG) && PR_BYTES_PER_LONG == 8 && !defined(PR_ALTERNATE_INT64_TYPEDEF)
+-#define NSPRIu64 "lu"
+-#define NSPRI64 "l"
+-#else /* just assume long long is used */
+-#define NSPRIu64 "llu"
+-#define NSPRI64 "ll"
+-#endif
+-
+ /* OpenLDAP uses unsigned long for ber_tag_t and ber_len_t but mozldap uses unsigned int */
+ /* use this macro for printf statements for ber_tag_t and ber_len_t */
+ #if defined(USE_OPENLDAP)
+diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
+index dd180a7..0c76580 100644
+--- a/ldap/servers/slapd/slapi-private.h
++++ b/ldap/servers/slapd/slapi-private.h
+@@ -30,6 +30,9 @@ extern "C" {
+ */
+ #include "slapi-plugin-compat4.h"
+
++/* slapi platform abstraction functions. */
++#include
++
+ /* Define our internal logging macro */
+ #define slapi_log_err(level, subsystem, fmt, ...)
+ #ifdef LDAP_ERROR_LOGGING
+@@ -1363,26 +1366,33 @@ long long slapi_parse_duration_longlong(const char *value);
+ int slapi_is_duration_valid(const char *value);
+
+ /**
+- * Populate the pointers with the system memory information.
+- * At this time, Linux is the only "reliable" system for returning these values
+- *
+- * \param pagesize Will return the system page size in bytes.
+- * \param pages The total number of memory pages on the system. May include swap pages depending on OS.
+- * \param procpages Number of memory pages our current process is consuming. May not be accurate on all platforms as this could be the VMSize rather than the actual number of consumed pages.
+- * \param availpages Number of available pages of memory on the system. Not all operating systems set this correctly.
+- *
+- * \return 0 on success, non-zero on failure to determine memory sizings.
++ * Possible results of a cachesize check
+ */
+-int util_info_sys_pages(size_t *pagesize, size_t *pages, size_t *procpages, size_t *availpages);
+-
++typedef enum _util_cachesize_result {
++ /**
++ * The requested cachesize was valid and can be used.
++ */
++ UTIL_CACHESIZE_VALID = 0,
++ /**
++ * The requested cachesize may cause OOM and was reduced.
++ */
++ UTIL_CACHESIZE_REDUCED = 1,
++ /**
++ * An error occured resolving the cache size. You must stop processing.
++ */
++ UTIL_CACHESIZE_ERROR = 2,
++} util_cachesize_result;
+ /**
+- * Determine if the requested cachesize will exceed the system memory limits causing an out of memory condition
++ * Determine if the requested cachesize will exceed the system memory limits causing an out of memory condition. You must
++ * check the result before proceeding to correctly use the cache.
+ *
++ * \param mi. The system memory infomation. You should retrieve this with spal_meminfo_get(), and destroy it after use.
+ * \param cachesize. The requested allocation. If this value is greater than the memory available, this value will be REDUCED to be valid.
+ *
+- * \return 0 if the size is "sane". 1 if the value will cause OOM and has been REDUCED
++ * \return util_cachesize_result.
++ * \sa util_cachesize_result, spal_meminfo_get
+ */
+-int util_is_cachesize_sane(size_t *cachesize);
++util_cachesize_result util_is_cachesize_sane(slapi_pal_meminfo *mi, size_t *cachesize);
+
+ /**
+ * Retrieve the number of threads the server should run with based on this hardware.
+diff --git a/ldap/servers/slapd/slapi_pal.c b/ldap/servers/slapd/slapi_pal.c
+new file mode 100644
+index 0000000..91576ca
+--- /dev/null
++++ b/ldap/servers/slapd/slapi_pal.c
+@@ -0,0 +1,311 @@
++/** BEGIN COPYRIGHT BLOCK
++ * Copyright (C) 2017 Red Hat, Inc.
++ * All rights reserved.
++ *
++ * License: GPL (version 3 or any later version).
++ * See LICENSE for details.
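Review bot: The new `\param mi` text on `util_is_cachesize_sane` does not say what happens when `mi` is NULL, yet `spal_meminfo_get()` is documented in slapi_pal.h in this same commit as returning NULL on error, so every caller has to guess whether it must guard the call. The implementation is outside this hunk, so the comment should state the contract the function really has, for example `\param mi The system memory information from spal_meminfo_get(). Must not be NULL.` or a line saying that NULL yields `UTIL_CACHESIZE_ERROR`. Since the return type moves from a 0/1 `int` to a three-value enum, `\return` should also say that both `UTIL_CACHESIZE_REDUCED` and `UTIL_CACHESIZE_ERROR` are non-zero, so a plain truth test no longer tells them apart. The added comments carry two typos, `occured` and `infomation`.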
++ * END COPYRIGHT BLOCK **/
++
++/*
++ * Implementation of functions to abstract from platform
++ * specific issues.
++ */
++
++/* Provide ch_malloc etc. */
++#include
++/* Provide slapi_log_err macro wrapper */
++#include
++#include
++
++/* Assert macros */
++#include
++/* Access errno */
++#include
++
++/* For getpagesize */
++#include
++
++/* For rlimit */
++#include
++#include
++
++#ifdef OS_solaris
++#include
++#endif
++
++#if defined ( hpux )
++#include
++#endif
++
++static int_fast32_t
++_spal_rlimit_get(int resource, uint64_t *soft_limit, uint64_t *hard_limit) {
++ struct rlimit rl = {0};
++
++ if (getrlimit(resource, &rl) != 0) {
++ int errsrv = errno;
++ slapi_log_err(SLAPI_LOG_ERR, "_spal_rlimit_mem_get", "Failed to access system resource limits %d\n", errsrv);
++ return 1;
++ }
++
++ if (rl.rlim_cur != RLIM_INFINITY) {
++ *soft_limit = (uint64_t)rl.rlim_cur;
++ }
++ if (rl.rlim_max != RLIM_INFINITY) {
++ *hard_limit = (uint64_t)rl.rlim_max;
++ }
++
++ return 0;
++}
++
++
++#ifdef LINUX
++static int_fast32_t
++_spal_uint64_t_file_get(char *name, char *prefix, uint64_t *dest) {
++ FILE *f;
++ char s[40] = {0};
++ size_t prefix_len = 0;
++
++ if (prefix != NULL) {
++ prefix_len = strlen(prefix);
++ }
++
++ /* Make sure we can fit into our buffer */
++ assert((prefix_len + 20) < 39);
++
++ f = fopen(name, "r");
++ if (!f) { /* fopen failed */
++ int errsrv = errno;
++ slapi_log_err(SLAPI_LOG_ERR,"_spal_get_uint64_t_file", "Unable to open file \"%s\". errno=%d\n", name, errsrv);
++ return 1;
++ }
++
++ int_fast32_t retval = 0;
++ while (! feof(f)) {
++ if (!fgets(s, 39, f)) {
++ retval = 1;
++ break; /* error or eof */
++ }
++ if (feof(f)) {
++ retval = 1;
++ break;
++ }
++ if (prefix_len > 0 && strncmp(s, prefix, prefix_len) == 0) {
++ sscanf(s + prefix_len, "%"SCNu64, dest);
++ break;
++ } else if (prefix_len == 0) {
++ sscanf(s, "%"SCNu64, dest);
++ break;
++ }
++ }
++ fclose(f);
++ return retval;
++}
++
++
++
++slapi_pal_meminfo *
++spal_meminfo_get() {
++ slapi_pal_meminfo *mi = (slapi_pal_meminfo *)slapi_ch_calloc(1, sizeof(slapi_pal_meminfo));
++
++ mi->pagesize_bytes = getpagesize();
++
++ /*
++ * We have to compare values from a number of sources to ensure we have
++ * the correct result.
++ */
++
++ char f_proc_status[30] = {0};
++ sprintf(f_proc_status, "/proc/%d/status", getpid());
++ char *p_vmrss = "VmRSS:";
++ uint64_t vmrss = 0;
++
++ if (_spal_uint64_t_file_get(f_proc_status, p_vmrss, &vmrss)) {
++ slapi_log_err(SLAPI_LOG_ERR, "spal_meminfo_get", "Unable to retrieve vmrss\n");
++ }
++
++ /* vmrss is in kb, so convert to bytes */
++ vmrss = vmrss * 1024;
++
++ uint64_t rl_mem_soft = 0;
++ uint64_t rl_mem_hard = 0;
++ uint64_t rl_mem_soft_avail = 0;
++
++ if (_spal_rlimit_get(RLIMIT_AS, &rl_mem_soft, &rl_mem_hard)) {
++ slapi_log_err(SLAPI_LOG_ERR, "spal_meminfo_get", "Unable to retrieve memory rlimit\n");
++ }
++
++ if (rl_mem_soft != 0 && vmrss != 0 && rl_mem_soft > vmrss) {
++ rl_mem_soft_avail = rl_mem_soft - vmrss;
++ }
++
++ char *f_meminfo = "/proc/meminfo";
++ char *p_memtotal = "MemTotal:";
++ char *p_memavail = "MemAvailable:";
++
++ uint64_t memtotal = 0;
++ uint64_t memavail = 0;
++
++ if (_spal_uint64_t_file_get(f_meminfo, p_memtotal, &memtotal)) {
++ slapi_log_err(SLAPI_LOG_ERR, "spal_meminfo_get", "Unable to retrieve %s : %s\n", f_meminfo, p_memtotal);
++ }
++
++ if (_spal_uint64_t_file_get(f_meminfo, p_memavail, &memavail)) {
++ slapi_log_err(SLAPI_LOG_ERR, "spal_meminfo_get", "Unable to retrieve %s : %s\n", f_meminfo, p_memavail);
++ }
++
++ /* Both memtotal and memavail are in kb */
++ memtotal = memtotal * 1024;
++ memavail = memavail * 1024;
++
++ /* If it's possible, get our cgroup info */
++ uint64_t cg_mem_soft = 0;
++ uint64_t cg_mem_hard = 0;
++ uint64_t cg_mem_usage = 0;
++ uint64_t cg_mem_soft_avail = 0;
++
++ char *f_cg_soft = "/sys/fs/cgroup/memory/memory.soft_limit_in_bytes";
++ char *f_cg_hard = "/sys/fs/cgroup/memory/memory.limit_in_bytes";
++ char *f_cg_usage = "/sys/fs/cgroup/memory/memory.usage_in_bytes";
++
++ if (_spal_uint64_t_file_get(f_cg_soft, NULL, &cg_mem_soft)) {
++ slapi_log_err(SLAPI_LOG_WARNING, "spal_meminfo_get", "Unable to retrieve %s. There may be no cgroup support on this platform\n", f_cg_soft);
++ }
++
++ if (_spal_uint64_t_file_get(f_cg_hard, NULL, &cg_mem_hard)) {
++ slapi_log_err(SLAPI_LOG_WARNING, "spal_meminfo_get", "Unable to retrieve %s. There may be no cgroup support on this platform\n", f_cg_hard);
++ }
++
++ if (_spal_uint64_t_file_get(f_cg_usage, NULL, &cg_mem_usage)) {
++ slapi_log_err(SLAPI_LOG_WARNING, "spal_meminfo_get", "Unable to retrieve %s. There may be no cgroup support on this platform\n", f_cg_hard);
++ }
++
++ /*
++ * In some conditions, like docker, we only have a *hard* limit set.
++ * This obviously breaks our logic, so we need to make sure we correct this
++ */
++
++ if (cg_mem_hard != 0 && cg_mem_soft != 0 && cg_mem_hard < cg_mem_soft) {
++ /* Right, we only have a hard limit. Impose a 10% watermark. */
++ cg_mem_soft = cg_mem_hard * 0.9;
++ }
++
++ if (cg_mem_soft != 0 && cg_mem_usage != 0 && cg_mem_soft > cg_mem_usage) {
++ cg_mem_soft_avail = cg_mem_soft - cg_mem_usage;
++ }
++
++
++ /* Now, compare the values and make a choice to which is provided */
++
++ /* Process consumed memory */
++ mi->process_consumed_bytes = vmrss;
++ mi->process_consumed_pages = vmrss / mi->pagesize_bytes;
++
++ /* System Total memory */
++ /* If we have a memtotal, OR if no memtotal but rlimit */
++ if (rl_mem_hard != 0 &&
++ ((memtotal != 0 && rl_mem_hard < memtotal) || memtotal == 0) &&
++ ((cg_mem_hard != 0 && rl_mem_hard < cg_mem_hard) || cg_mem_hard == 0)
++ )
++ {
++ slapi_log_err(SLAPI_LOG_TRACE, "spal_meminfo_get", "system_total_bytes - using rlimit\n");
++ mi->system_total_bytes = rl_mem_hard;
++ mi->system_total_pages = rl_mem_hard / mi->pagesize_bytes;
++ } else if (cg_mem_hard != 0 && ((memtotal != 0 && cg_mem_hard < memtotal) || memtotal == 0)) {
++ slapi_log_err(SLAPI_LOG_TRACE, "spal_meminfo_get", "system_total_bytes - using cgroup\n");
++ mi->system_total_bytes = cg_mem_hard;
++ mi->system_total_pages = cg_mem_hard / mi->pagesize_bytes;
++ } else if (memtotal != 0) {
++ slapi_log_err(SLAPI_LOG_TRACE, "spal_meminfo_get", "system_total_bytes - using memtotal\n");
++ mi->system_total_bytes = memtotal;
++ mi->system_total_pages = memtotal / mi->pagesize_bytes;
++ } else {
++ slapi_log_err(SLAPI_LOG_CRIT, "spal_meminfo_get", "Unable to determine system total memory!\n");
++ spal_meminfo_destroy(mi);
++ return NULL;
++ }
++
++ /* System Available memory */
++
++ if (rl_mem_soft_avail != 0 &&
++ ((memavail != 0 && (rl_mem_soft_avail) < memavail) || memavail == 0) &&
++ ((cg_mem_soft_avail != 0 && rl_mem_soft_avail < cg_mem_soft_avail) || cg_mem_soft_avail == 0)
++ )
++ {
++ slapi_log_err(SLAPI_LOG_TRACE, "spal_meminfo_get", "system_available_bytes - using rlimit\n");
++ mi->system_available_bytes = rl_mem_soft_avail;
++ mi->system_available_pages = rl_mem_soft_avail / mi->pagesize_bytes;
++ } else if (cg_mem_soft_avail != 0 && ((memavail != 0 && (cg_mem_soft_avail) < memavail) || memavail == 0)) {
++ slapi_log_err(SLAPI_LOG_TRACE, "spal_meminfo_get", "system_available_bytes - using cgroup\n");
++ mi->system_available_bytes = cg_mem_soft_avail;
++ mi->system_available_pages = cg_mem_soft_avail / mi->pagesize_bytes;
++ } else if (memavail != 0) {
++ slapi_log_err(SLAPI_LOG_TRACE, "spal_meminfo_get", "system_available_bytes - using memavail\n");
++ mi->system_available_bytes = memavail;
++ mi->system_available_pages = memavail / mi->pagesize_bytes;
++ } else {
++ slapi_log_err(SLAPI_LOG_CRIT, "spal_meminfo_get", "Unable to determine system available memory!\n");
++ spal_meminfo_destroy(mi);
++ return NULL;
++ }
++
++ slapi_log_err(SLAPI_LOG_TRACE, "spal_meminfo_get", "{pagesize_bytes = %"PRIu64", system_total_pages = %"PRIu64", system_total_bytes = %"PRIu64", process_consumed_pages = %"PRIu64", process_consumed_bytes = %"PRIu64", system_available_pages = %"PRIu64", system_available_bytes = %"PRIu64"},\n",
++ mi->pagesize_bytes, mi->system_total_pages, mi->system_total_bytes, mi->process_consumed_pages, mi->process_consumed_bytes, mi->system_available_pages, mi->system_available_bytes);
++
++ return mi;
++}
++
++
++#endif
++
++#ifdef OS_solaris
++uint64_t
++_spal_solaris_resident_pages_get() {
++ uint64_t procpages = 0;
++ struct prpsinfo psi = {0};
++ char fn[40];
++ int fd;
++
++ sprintf(fn, "/proc/%d", getpid());
++ fd = open(fn, O_RDONLY);
++ if (fd >= 0) {
++ if (ioctl(fd, PIOCPSINFO, (void *)&psi) == 0) {
++ procpages = (uint64_t)psi.pr_size;
++ }
++ close(fd);
++ }
++ return procpages;
++}
++
++slapi_pal_meminfo *
++spal_meminfo_get() {
++ slapi_pal_meminfo *mi = (slapi_pal_meminfo *)slapi_ch_calloc(1, sizeof(slapi_pal_meminfo));
++
++ uint64_t rl_mem_soft = 0;
++ uint64_t rl_mem_hard = 0;
++
++ if (_spal_rlimit_get(RLIMIT_AS, &rl_mem_soft, &rl_mem_hard)) {
++ slapi_log_err(SLAPI_LOG_ERR, "spal_meminfo_get", "Unable to retrieve memory rlimit\n");
++ }
++
++ mi->pagesize_bytes = sysconf(_SC_PAGESIZE);
++ mi->system_total_pages = sysconf(_SC_PHYS_PAGES);
++ mi->system_total_bytes = mi->system_total_pages * mi->pagesize_bytes;
++ mi->system_available_bytes = rl_mem_soft;
++ if (rl_mem_soft != 0) {
++ mi->system_available_pages = rl_mem_soft / mi->pagesize_bytes;
++ }
++ mi->process_consumed_pages = _spal_solaris_resident_pages_get();
++ mi->process_consumed_bytes = mi->process_consumed_pages * mi->pagesize_bytes;
++
++ return mi;
++
++}
++#endif
++
++#ifdef HPUX
++#endif
++
++void
++spal_meminfo_destroy(slapi_pal_meminfo *mi) {
++ slapi_ch_free((void **)&mi);
++}
+diff --git a/ldap/servers/slapd/slapi_pal.h b/ldap/servers/slapd/slapi_pal.h
+new file mode 100644
+index 0000000..cb61d84
+--- /dev/null
++++ b/ldap/servers/slapd/slapi_pal.h
+@@ -0,0 +1,62 @@
++/** BEGIN COPYRIGHT BLOCK
++ * Copyright (C) 2017 Red Hat, Inc.
++ * All rights reserved.
++ *
++ * License: GPL (version 3 or any later version).
++ * See LICENSE for details.
++ * END COPYRIGHT BLOCK **/
++
++/*
++ * Header for the slapi platform abstraction layer.
++ *
++ * This implements a number of functions that help to provide vendor
++ * neutral requests. Candidates for this are memory, thread, disk size
++ * and other operations.
++ *
++ * Basically anywhere you see a "ifdef PLATFORM" is a candidate
++ * for this.
++ */
++
++#pragma once
++
++#include
++
++#ifdef HAVE_INTTYPES_H
++#include
++#else
++#error Need to define portable format macros such as PRIu64
++#endif /* HAVE_INTTYPES_H */
++
++/**
++ * Structure that contains our system memory information in bytes and pages.
++ *
++ */
++typedef struct _slapi_pal_meminfo {
++ uint64_t pagesize_bytes;
++ uint64_t system_total_pages;
++ uint64_t system_total_bytes;
++ uint64_t process_consumed_pages;
++ uint64_t process_consumed_bytes;
++ /* This value may be limited by cgroup or others.
*/ ++ uint64_t system_available_pages; ++ uint64_t system_available_bytes; ++} slapi_pal_meminfo; ++ ++/** ++ * Allocate and returne a populated memory info structure. This will be NULL ++ * on error, or contain a structure populated with platform information on ++ * success. You should free this with spal_meminfo_destroy. ++ * ++ * \return slapi_pal_meminfo * pointer to structure containing data, or NULL. ++ */ ++slapi_pal_meminfo * spal_meminfo_get(); ++ ++/** ++ * Destroy an allocated memory info structure. The caller is responsible for ++ * ensuring this is called. ++ * ++ * \param mi the allocated slapi_pal_meminfo structure from spal_meminfo_get(); ++ */ ++void spal_meminfo_destroy(slapi_pal_meminfo *mi); ++ ++ +diff --git a/ldap/servers/slapd/snmp_collator.c b/ldap/servers/slapd/snmp_collator.c +index b0c873d..21043d9 100644 +--- a/ldap/servers/slapd/snmp_collator.c ++++ b/ldap/servers/slapd/snmp_collator.c +@@ -711,7 +711,7 @@ static void + add_counter_to_value(Slapi_Entry *e, const char *type, PRUint64 countervalue) + { + char value[40]; +- snprintf(value,sizeof(value),"%" NSPRIu64, countervalue); ++ snprintf(value,sizeof(value),"%" PRIu64, countervalue); + slapi_entry_attr_set_charptr( e, type, value); + } + +diff --git a/ldap/servers/slapd/unbind.c b/ldap/servers/slapd/unbind.c +index fd44249..92dd905 100644 +--- a/ldap/servers/slapd/unbind.c ++++ b/ldap/servers/slapd/unbind.c +@@ -49,7 +49,7 @@ do_unbind( Slapi_PBlock *pb ) + * UnBindRequest ::= NULL + */ + if ( ber_get_null( ber ) == LBER_ERROR ) { +- slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d UNBIND," ++ slapi_log_access( LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d UNBIND," + " decoding error: UnBindRequest not null\n", + pb->pb_conn->c_connid, operation->o_opid ); + /* LDAPv3 does not allow a response to an unbind... so just return. 
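Review bot: The declaration `slapi_pal_meminfo * spal_meminfo_get();` in slapi_pal.h has an empty parameter list, which before C23 declares a function with unspecified arguments, so a call that passes stray arguments is not diagnosed. It should read `slapi_pal_meminfo *spal_meminfo_get(void);`, and the definitions in slapi_pal.c (`spal_meminfo_get() {`) would take the same `(void)`. The doc comment above it says the result is NULL on error; it would help to add that callers must test for NULL before reading any field, and to fix the typo "returne".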
*/ +@@ -64,7 +64,7 @@ do_unbind( Slapi_PBlock *pb ) + * MUST ignore the criticality field of controls + */ + if ( (err = get_ldapmessage_controls_ext( pb, ber, NULL, ignore_criticality )) != 0 ) { +- slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d UNBIND," ++ slapi_log_access( LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d UNBIND," + " error processing controls - error %d (%s)\n", + pb->pb_conn->c_connid, operation->o_opid, + err, ldap_err2string( err )); +@@ -79,7 +79,7 @@ do_unbind( Slapi_PBlock *pb ) + + /* ONREPL - plugins should be called and passed bind dn and, possibly, other data */ + +- slapi_log_access( LDAP_DEBUG_STATS, "conn=%" NSPRIu64 " op=%d UNBIND\n", ++ slapi_log_access( LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d UNBIND\n", + pb->pb_conn->c_connid, operation->o_opid ); + + /* pass the unbind to all backends */ +diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c +index 48fa3c4..012e83d 100644 +--- a/ldap/servers/slapd/util.c ++++ b/ldap/servers/slapd/util.c +@@ -40,20 +40,8 @@ + #define FILTER_BUF 128 /* initial buffer size for attr value */ + #define BUF_INCR 16 /* the amount to increase the FILTER_BUF once it fills up */ + +-/* Used by our util_info_sys_pages function +- * +- * platforms supported so far: +- * Solaris, Linux, Windows +- */ +-#ifdef OS_solaris +-#include +-#endif +-#ifdef LINUX +-#include +-#endif +-#if defined ( hpux ) +-#include +-#endif ++/* slapi-private contains the pal. */ ++#include + + static int special_filename(unsigned char c) + { +@@ -1471,361 +1459,25 @@ slapi_uniqueIDRdnSize(void) + return util_uniqueidlen; + } + +- +-/** +- * Get the virtual memory size as defined by system rlimits. +- * +- * \return size_t bytes available +- */ +-static size_t util_getvirtualmemsize(void) +-{ +- struct rlimit rl; +- /* the maximum size of a process's total available memory, in bytes */ +- if (getrlimit(RLIMIT_AS, &rl) != 0) { +- /* We received an error condition. 
There are a number of possible +- * reasons we have have gotten here, but most likely is EINVAL, where +- * rlim->rlim_cur was greater than rlim->rlim_max. +- * As a result, we should return a 0, to tell the system we can't alloc +- * memory. +- */ +- int errsrv = errno; +- slapi_log_err(SLAPI_LOG_ERR,"util_getvirtualmemsize", +- "getrlimit returned non-zero. errno=%u\n", errsrv); +- return 0; +- } +- return rl.rlim_cur; +-} +- +-/* pages = number of pages of physical ram on the machine (corrected for 32-bit build on 64-bit machine). +- * procpages = pages currently used by this process (or working set size, sometimes) +- * availpages = some notion of the number of pages 'free'. Typically this number is not useful. +- */ +-int util_info_sys_pages(size_t *pagesize, size_t *pages, size_t *procpages, size_t *availpages) +-{ +- if ((NULL == pagesize) || (NULL == pages) || (NULL == procpages) || (NULL == availpages)) { +- slapi_log_err(SLAPI_LOG_ERR, "util_info_sys_pages", +- "Null return variables are passed. Skip getting the system info.\n"); +- return 1; +- } +- *pagesize = 0; +- *pages = 0; +- *availpages = 0; +- *procpages = 0; +- +-#ifdef OS_solaris +- *pagesize = (int)sysconf(_SC_PAGESIZE); +- *pages = (int)sysconf(_SC_PHYS_PAGES); +- *availpages = util_getvirtualmemsize() / *pagesize; +- /* solaris has THE most annoying way to get this info */ +- { +- struct prpsinfo psi = {0}; +- char fn[40]; +- int fd; +- +- sprintf(fn, "/proc/%d", getpid()); +- fd = open(fn, O_RDONLY); +- if (fd >= 0) { +- if (ioctl(fd, PIOCPSINFO, (void *)&psi) == 0) { +- *procpages = psi.pr_size; +- } +- close(fd); +- } +- } +-#endif +- +-#ifdef LINUX +- { +- /* +- * On linux because of the way that the virtual memory system works, we +- * don't really need to think about other processes, or fighting them. +- * But that's not without quirks. +- * +- * We are given a virtual memory space, represented by vsize (man 5 proc) +- * This space is a "funny number". 
It's a best effort based system +- * where linux instead of telling us how much memory *actually* exists +- * for us to use, gives us a virtual memory allocation which is the +- * value of ram + swap.... sometimes. Depends on platform. +- * +- * But none of these pages even exist or belong to us on the real system +- * until will malloc them AND write a non-zero to them. +- * +- * The biggest issue with this is that vsize does NOT consider the +- * effect other processes have on the system. So a process can malloc +- * 2 Gig from the host, and our vsize doesn't reflect that until we +- * suddenly can't malloc anything. +- * +- * We can see exactly what we are using inside of the vmm by +- * looking at rss (man 5 proc). This shows us the current actual +- * allocation of memory we are using. This is a good thing. +- * +- * We obviously don't want to have any pages in swap, but sometimes we +- * can't help that: And there is also no guarantee that while we have +- * X bytes in vsize, that we can even allocate any of them. Plus, we +- * don't know if we are about to allocate to swap or not .... or get us +- * killed in a blaze of oom glory. +- * +- * So there are now two strategies avaliable in this function. +- * The first is to blindly accept what the VMM tells us about vsize +- * while we hope and pray that we don't get nailed because we used +- * too much. +- * +- * The other is a more conservative approach: We check vsize from +- * proc/pid/status, and we check /proc/meminfo for freemem +- * Which ever value is "lower" is the upper bound on pages we could +- * potentially allocate: generally, this will be MemAvailable. +- */ +- +- size_t freesize = 0; +- size_t rlimsize = 0; +- +- *pagesize = getpagesize(); +- +- /* Get the amount of freeram, rss */ +- +- FILE *f; +- char fn[40], s[80]; +- +- sprintf(fn, "/proc/%d/status", getpid()); +- f = fopen(fn, "r"); +- if (!f) { /* fopen failed */ +- /* We should probably make noise here! 
*/ +- int errsrv = errno; +- slapi_log_err(SLAPI_LOG_ERR,"util_info_sys_pages", "Unable to open file /proc/%d/status. errno=%u\n", getpid(), errsrv); +- return 1; +- } +- while (! feof(f)) { +- if (!fgets(s, 79, f)) { +- break; /* error or eof */ +- } +- if (feof(f)) { +- break; +- } +- /* VmRSS shows us what we are ACTUALLY using for proc pages +- * Rather than "funny" pages. +- */ +- if (strncmp(s, "VmRSS:", 6) == 0) { +- sscanf(s+6, "%lu", (long unsigned int *)procpages); +- } +- } +- fclose(f); +- +- FILE *fm; +- char *fmn = "/proc/meminfo"; +- fm = fopen(fmn, "r"); +- if (!fm) { +- int errsrv = errno; +- slapi_log_err(SLAPI_LOG_ERR,"util_info_sys_pages", "Unable to open file /proc/meminfo. errno=%u\n", errsrv); +- return 1; +- } +- while (! feof(fm)) { +- if (!fgets(s, 79, fm)) { +- break; /* error or eof */ +- } +- if (feof(fm)) { +- break; +- } +- if (strncmp(s, "MemTotal:", 9) == 0) { +- sscanf(s+9, "%lu", (long unsigned int *)pages); +- } +- if (strncmp(s, "MemAvailable:", 13) == 0) { +- sscanf(s+13, "%lu", (long unsigned int *)&freesize); +- } +- } +- fclose(fm); +- +- +- *pages /= (*pagesize / 1024); +- freesize /= (*pagesize / 1024); +- /* procpages is now in kb not pages... */ +- *procpages /= (*pagesize / 1024); +- +- rlimsize = util_getvirtualmemsize(); +- /* On a 64 bit system, this is uint64 max, but on 32 it's -1 */ +- /* Either way, we should be ignoring it at this point if it's infinite */ +- if (rlimsize != RLIM_INFINITY) { +- /* This is in bytes, make it pages */ +- rlimsize = rlimsize / *pagesize; +- } +- +- /* Pages is the total ram on the system. */ +- slapi_log_err(SLAPI_LOG_TRACE,"util_info_sys_pages", "pages=%lu, \n", +- (unsigned long) *pages); +- slapi_log_err(SLAPI_LOG_TRACE,"util_info_sys_pages", "using pages for pages \n"); +- +- /* Availpages is how much we *could* alloc. 
We should take the smallest: +- * - pages +- * - getrlimit (availpages) +- * - freesize +- */ +- if (rlimsize == RLIM_INFINITY) { +- slapi_log_err(SLAPI_LOG_TRACE,"util_info_sys_pages", "pages=%lu, getrlim=RLIM_INFINITY, freesize=%lu\n", +- (unsigned long)*pages, (unsigned long)freesize); +- } else { +- slapi_log_err(SLAPI_LOG_TRACE,"util_info_sys_pages", "pages=%lu, getrlim=%lu, freesize=%lu\n", +- (unsigned long)*pages, (unsigned long)*availpages, (unsigned long)freesize); +- } +- +- if (rlimsize != RLIM_INFINITY && rlimsize < freesize && rlimsize < *pages && rlimsize > 0) { +- slapi_log_err(SLAPI_LOG_TRACE,"util_info_sys_pages", "using getrlim for availpages \n"); +- *availpages = rlimsize; +- } else if (freesize < *pages && freesize > 0) { +- slapi_log_err(SLAPI_LOG_TRACE,"util_info_sys_pages", "using freesize for availpages \n"); +- *availpages = freesize; +- } else { +- slapi_log_err(SLAPI_LOG_TRACE,"util_info_sys_pages", "using pages for availpages \n"); +- *availpages = *pages; +- } +- +- } +-#endif /* linux */ +- +- +- +-#if defined ( hpux ) +- { +- struct pst_static pst; +- int rval = pstat_getstatic(&pst, sizeof(pst), (size_t)1, 0); +- if (rval < 0) { /* pstat_getstatic failed */ +- return 1; +- } +- *pagesize = pst.page_size; +- *pages = pst.physical_memory; +- *availpages = util_getvirtualmemsize() / *pagesize; +- if (procpages) +- { +-#define BURST (size_t)32 /* get BURST proc info at one time... */ +- struct pst_status psts[BURST]; +- int i, count; +- int idx = 0; /* index within the context */ +- int mypid = getpid(); +- +- *procpages = 0; +- /* loop until count == 0, will occur all have been returned */ +- while ((count = pstat_getproc(psts, sizeof(psts[0]), BURST, idx)) > 0) { +- /* got count (max of BURST) this time. 
process them */ +- for (i = 0; i < count; i++) { +- if (psts[i].pst_pid == mypid) +- { +- *procpages = (size_t)(psts[i].pst_dsize + psts[i].pst_tsize + psts[i].pst_ssize); +- break; +- } +- } +- if (i < count) +- break; +- +- /* +- * now go back and do it again, using the next index after +- * the current 'burst' +- */ +- idx = psts[count-1].pst_idx + 1; +- } +- } +- } +-#endif +- /* If this is a 32-bit build, it might be running on a 64-bit machine, +- * in which case, if the box has tons of ram, we can end up telling +- * the auto cache code to use more memory than the process can address. +- * so we cap the number returned here. +- */ +-#if defined(__LP64__) || defined (_LP64) +-#else +- { +-#define GIGABYTE (1024*1024*1024) +- size_t one_gig_pages = GIGABYTE / *pagesize; +- if (*pages > (2 * one_gig_pages) ) { +- slapi_log_err(SLAPI_LOG_TRACE,"util_info_sys_pages", +- "More than 2Gbytes physical memory detected. Since this is a 32-bit process, truncating memory size used for auto cache calculations to 2Gbytes\n"); +- *pages = (2 * one_gig_pages); +- } +- } +-#endif +- +- /* This is stupid. If you set %u to %zu to print a size_t, you get literal %zu in your logs +- * So do the filthy cast instead. 
+- */ +- slapi_log_err(SLAPI_LOG_TRACE,"util_info_sys_pages", "USING pages=%lu, procpages=%lu, availpages=%lu \n", +- (unsigned long)*pages, (unsigned long)*procpages, (unsigned long)*availpages); +- return 0; +- +-} +- +-int util_is_cachesize_sane(size_t *cachesize) ++util_cachesize_result ++util_is_cachesize_sane(slapi_pal_meminfo *mi, uint64_t *cachesize) + { +- size_t pages = 0; +- size_t pagesize = 0; +- size_t procpages = 0; +- size_t availpages = 0; +- +- size_t cachepages = 0; +- +- int issane = 1; +- +- if (util_info_sys_pages(&pagesize, &pages, &procpages, &availpages) != 0) { +- goto out; +- } +-#ifdef LINUX +- /* Linux we calculate availpages correctly, so USE IT */ +- if (!pagesize || !availpages) { +- goto out; +- } +-#else +- if (!pagesize || !pages) { +- goto out; ++ /* Check we have a valid meminfo struct */ ++ if (mi->system_available_bytes == 0) { ++ slapi_log_err(SLAPI_LOG_CRIT, "util_is_cachesize_sane", "Invalid system memory info, can not proceed."); ++ return UTIL_CACHESIZE_ERROR; + } +-#endif +- /* do nothing when we can't get the avail mem */ +- +- +- /* If the requested cache size is larger than the remaining physical memory +- * after the current working set size for this process has been subtracted, +- * then we say that's insane and try to correct. 
+- */ +- +- cachepages = *cachesize / pagesize; +- slapi_log_err(SLAPI_LOG_TRACE,"util_is_cachesize_sane", "cachesize=%lu / pagesize=%lu \n", +- (unsigned long)*cachesize,(unsigned long)pagesize); +- +-#ifdef LINUX +- /* Linux we calculate availpages correctly, so USE IT */ +- issane = (int)(cachepages <= availpages); +- slapi_log_err(SLAPI_LOG_TRACE,"util_is_cachesize_sane", "cachepages=%lu <= availpages=%lu\n", +- (unsigned long)cachepages,(unsigned long)availpages); + +- if (!issane) { ++ slapi_log_err(SLAPI_LOG_TRACE, "util_is_cachesize_sane", "Available bytes %"PRIu64", requested bytes %"PRIu64"\n", mi->system_available_bytes, *cachesize); ++ if (*cachesize > mi->system_available_bytes) { + /* Since we are ask for more than what's available, we give 3/4 of the remaining. + * the remaining system mem to the cachesize instead, and log a warning + */ +- *cachesize = (size_t)((availpages * 0.75 ) * pagesize); +- /* These are now trace warnings, because it was to confusing to log this *then* kill the request anyway. +- * Instead, we will let the caller worry about the notification, and we'll just use this in debugging and tracing. 
+- */ +- slapi_log_err(SLAPI_LOG_TRACE, "util_is_cachesize_sane", +- "Available pages %lu, requested pages %lu, pagesize %lu\n", (unsigned long)availpages, (unsigned long)cachepages, (unsigned long)pagesize); +- slapi_log_err(SLAPI_LOG_TRACE, "util_is_cachesize_sane", +- "WARNING adjusted cachesize to %lu\n", (unsigned long)*cachesize); +- } +-#else +- size_t freepages = 0; +- freepages = pages - procpages; +- slapi_log_err(SLAPI_LOG_TRACE,"util_is_cachesize_sane", "pages=%lu - procpages=%lu\n", +- (unsigned long)pages,(unsigned long)procpages); +- +- issane = (int)(cachepages <= freepages); +- slapi_log_err(SLAPI_LOG_TRACE,"util_is_cachesize_sane", "cachepages=%lu <= freepages=%lu\n", +- (unsigned long)cachepages,(unsigned long)freepages); +- +- if (!issane) { +- *cachesize = (size_t)((pages - procpages) * pagesize); +- slapi_log_err(SLAPI_LOG_WARNING, "util_is_cachesize_sane", "WARNING adjusted cachesize to %lu\n", +- (unsigned long )*cachesize); ++ *cachesize = (mi->system_available_bytes * 0.75); ++ slapi_log_err(SLAPI_LOG_TRACE, "util_is_cachesize_sane", "Adjusted cachesize to %"PRIu64"\n", *cachesize); ++ return UTIL_CACHESIZE_REDUCED; + } +-#endif +-out: +- if (!issane) { +- slapi_log_err(SLAPI_LOG_TRACE,"util_is_cachesize_sane", "WARNING: Cachesize not sane \n"); +- } +- +- return issane; ++ return UTIL_CACHESIZE_VALID; + } + + long +diff --git a/test/libslapd/spal/meminfo.c b/test/libslapd/spal/meminfo.c +new file mode 100644 +index 0000000..776141a +--- /dev/null ++++ b/test/libslapd/spal/meminfo.c +@@ -0,0 +1,54 @@ ++/** BEGIN COPYRIGHT BLOCK ++ * Copyright (C) 2017 Red Hat, Inc. ++ * All rights reserved. ++ * ++ * License: GPL (version 3 or any later version). ++ * See LICENSE for details. ++ * END COPYRIGHT BLOCK **/ ++ ++#include "../../test_slapd.h" ++ ++#include ++#include ++ ++/* ++ * Assert that our meminfo interface in slapi_pal works. 
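Review bot: The new `util_is_cachesize_sane` dereferences `mi` in its first check without testing it for NULL, although slapi_pal.h in this same patch documents that `spal_meminfo_get()` returns NULL on error and the implementation earlier in the patch does `return NULL` when it cannot determine total or available memory. The guard should be `if (mi == NULL || mi->system_available_bytes == 0) {` so that a failed probe yields `UTIL_CACHESIZE_ERROR` rather than a crash. The same unchecked use appears in the new tests in test/libslapd/spal/meminfo.c and in the callers shown further down the page (`dblayer_start`, `ldbm_instance_config_cachememsize_set`), which pass the result of `spal_meminfo_get()` straight in. The CRIT message in that branch also lacks the trailing `\n` that the other `slapi_log_err` calls in the hunk carry. Separately, `*cachesize = (mi->system_available_bytes * 0.75);` goes through `double`; `mi->system_available_bytes / 4 * 3` keeps the calculation in 64-bit integer arithmetic.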
++ */ ++ ++void ++test_libslapd_pal_meminfo(void **state __attribute__((unused))) { ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ assert_true(mi->pagesize_bytes > 0); ++ assert_true(mi->system_total_pages > 0); ++ assert_true(mi->system_total_bytes > 0); ++ assert_true(mi->process_consumed_pages > 0); ++ assert_true(mi->process_consumed_bytes > 0); ++ assert_true(mi->system_available_pages > 0); ++ assert_true(mi->system_available_bytes > 0); ++ spal_meminfo_destroy(mi); ++} ++ ++void ++test_libslapd_util_cachesane(void **state __attribute__((unused))) { ++ slapi_pal_meminfo *mi = spal_meminfo_get(); ++ uint64_t request = 0; ++ mi->system_available_bytes = 0; ++ assert_true(util_is_cachesize_sane(mi, &request) == UTIL_CACHESIZE_ERROR); ++ ++ // Set the values to known quantities ++ request = 50000; ++ mi->system_available_bytes = 99999; ++ assert_true(util_is_cachesize_sane(mi, &request) == UTIL_CACHESIZE_VALID); ++ ++ request = 99999; ++ assert_true(util_is_cachesize_sane(mi, &request) == UTIL_CACHESIZE_VALID); ++ ++ request = 100000; ++ assert_true(util_is_cachesize_sane(mi, &request) == UTIL_CACHESIZE_REDUCED); ++ assert_true(request <= 75000); ++ ++ spal_meminfo_destroy(mi); ++} ++ ++ ++ +diff --git a/test/libslapd/test.c b/test/libslapd/test.c +index 6e1171a..6fa7996 100644 +--- a/test/libslapd/test.c ++++ b/test/libslapd/test.c +@@ -26,6 +26,8 @@ run_libslapd_tests (void) { + cmocka_unit_test(test_libslapd_operation_v3c_target_spec), + cmocka_unit_test(test_libslapd_counters_atomic_usage), + cmocka_unit_test(test_libslapd_counters_atomic_overflow), ++ cmocka_unit_test(test_libslapd_pal_meminfo), ++ cmocka_unit_test(test_libslapd_util_cachesane), + }; + return cmocka_run_group_tests(tests, NULL, NULL); + } +diff --git a/test/test_slapd.h b/test/test_slapd.h +index b8f1aba..50de11b 100644 +--- a/test/test_slapd.h ++++ b/test/test_slapd.h +@@ -42,3 +42,8 @@ void test_libslapd_operation_v3c_target_spec(void **state); + void 
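Review bot: In `test_libslapd_util_cachesane` the reduced case is bounded only from above by `assert_true(request <= 75000);`, so a helper that reduced the request to 0 would still pass. Add a lower bound next to it, `assert_true(request > 0);`, so the test fails if the helper ever returns an unusable size; the follow-up patch on this page (Ticket 49204) describes caches ending up at 0, which is the case this would catch. A short comment above the `99999`/`100000` pair saying that it probes the boundary of `*cachesize > mi->system_available_bytes` would also make the chosen values self-explanatory.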
test_libslapd_counters_atomic_usage(void **state); + void test_libslapd_counters_atomic_overflow(void **state); + ++/* libslapd-pal-meminfo */ ++ ++void test_libslapd_pal_meminfo(void **state); ++void test_libslapd_util_cachesane(void **state); ++ +-- +2.9.3 + diff --git a/SOURCES/0029-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch b/SOURCES/0029-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch deleted file mode 100644 index d41f609..0000000 --- a/SOURCES/0029-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 114221f292d0f8609d98bdad59feb3d460639673 Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Thu, 4 Aug 2016 11:45:49 -0700 -Subject: [PATCH 29/29] Bug 1347760 - CVE-2016-4992 389-ds-base: Information - disclosure via repeated use of LDAP ADD operation, etc. - -Description: do not overwrite rc used to decide if bind was successful. -When the bind is through ldapi/autobind, an entry does not exist to be -checked with slapi_check_account_lock. In that case, a variable rc is -not supposed to be modified which confuses the following code path. - -Reviewed by nhosoi@redhat.com. - -(cherry picked from commit caa351ae0cc81cbf2309a43c5f74b359cda152d0) ---- - ldap/servers/slapd/bind.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c -index c271577..3054c1f 100644 ---- a/ldap/servers/slapd/bind.c -+++ b/ldap/servers/slapd/bind.c -@@ -775,10 +775,12 @@ do_bind( Slapi_PBlock *pb ) - */ - if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) { - bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn)); -- rc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1); -- if (1 == rc) { /* account is locked */ -+ myrc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1); -+ if (1 == myrc) { /* account is locked */ -+ rc = myrc; - goto account_locked; - } -+ myrc = 0; - } - if (!auto_bind) { - /* --- -2.4.11 - diff --git a/SOURCES/0029-Ticket-49204-Fix-lower-bounds-on-import-autosize-On-.patch b/SOURCES/0029-Ticket-49204-Fix-lower-bounds-on-import-autosize-On-.patch new file mode 100644 index 0000000..1e28e73 --- /dev/null +++ b/SOURCES/0029-Ticket-49204-Fix-lower-bounds-on-import-autosize-On-.patch 
@@ -0,0 +1,296 @@ +From 9be74e83539e204e9a56721da5c22bd9abf38195 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 19 Apr 2017 13:41:22 -0400 +Subject: [PATCH] Ticket 49204 - Fix lower bounds on import autosize + On small + VM, autotune breaks the access of the suffixes + + Bug Description: + ldif2db in some cases may set a cache of 0, which may y break imports. + + Under memory pressure, the amount of available memory at startup + can be so low that the configured cachememsize will be rejected + (unwilling to perform). + This should leave the cachememsize being "0" (default) + This conduct to be unable to access the suffix pages. + + Fix Description: + + * autosize set an incorrect percentage which was too high. + * we did not check the lower bound of the allocation + so we now set that we must have a minimum allocation. + * Set entrycache to a minimal value, even if it looks insane + * add a cap on reduction of caches, so we always allocate a few pages + at least, and prevent returning 0 to the caller. 
+ + https://pagure.io/389-ds-base/issue/49204 + + Author: wibrown, tbordaz + + Review by: tbordaz (Thanks mate, great work with this :) ) +--- + ldap/servers/slapd/back-ldbm/cache.c | 4 +-- + ldap/servers/slapd/back-ldbm/dblayer.c | 33 +++++++++++++--------- + ldap/servers/slapd/back-ldbm/dblayer.h | 12 ++++---- + ldap/servers/slapd/back-ldbm/ldbm_config.c | 4 +-- + .../servers/slapd/back-ldbm/ldbm_instance_config.c | 23 +++++++++++++-- + ldap/servers/slapd/slapi-private.h | 2 +- + ldap/servers/slapd/util.c | 20 +++++++++---- + 7 files changed, 65 insertions(+), 33 deletions(-) + +diff --git a/ldap/servers/slapd/back-ldbm/cache.c b/ldap/servers/slapd/back-ldbm/cache.c +index 0f0cf3b..c6638a2 100644 +--- a/ldap/servers/slapd/back-ldbm/cache.c ++++ b/ldap/servers/slapd/back-ldbm/cache.c +@@ -65,7 +65,7 @@ + + /* static functions */ + static void entrycache_clear_int(struct cache *cache); +-static void entrycache_set_max_size(struct cache *cache, size_t bytes); ++static void entrycache_set_max_size(struct cache *cache, uint64_t bytes); + static int entrycache_remove_int(struct cache *cache, struct backentry *e); + static void entrycache_return(struct cache *cache, struct backentry **bep); + static int entrycache_replace(struct cache *cache, struct backentry *olde, struct backentry *newe); +@@ -77,7 +77,7 @@ static void entry_lru_verify(struct cache *cache, struct backentry *e, int in); + + static int dn_same_id(const void *bdn, const void *k); + static void dncache_clear_int(struct cache *cache); +-static void dncache_set_max_size(struct cache *cache, size_t bytes); ++static void dncache_set_max_size(struct cache *cache, uint64_t bytes); + static int dncache_remove_int(struct cache *cache, struct backdn *dn); + static void dncache_return(struct cache *cache, struct backdn **bdn); + static int dncache_replace(struct cache *cache, struct backdn *olddn, struct backdn *newdn); +diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c 
+index 3c1fbb0..f834322 100644 +--- a/ldap/servers/slapd/back-ldbm/dblayer.c ++++ b/ldap/servers/slapd/back-ldbm/dblayer.c +@@ -1237,8 +1237,8 @@ no_diskspace(struct ldbminfo *li, int dbenv_flags) + struct statvfs db_buf; + int using_region_files = !(dbenv_flags & ( DB_PRIVATE | DB_SYSTEM_MEM)); + /* value of 10 == 10% == little more than the average overhead calculated for very large files on 64-bit system for bdb 4.7 */ +- PRUint64 expected_siz = li->li_dbcachesize + li->li_dbcachesize/10; /* dbcache + region files */ +- PRUint64 fsiz; ++ uint64_t expected_siz = li->li_dbcachesize + li->li_dbcachesize/10; /* dbcache + region files */ ++ uint64_t fsiz; + char *region_dir; + + if (statvfs(li->li_directory, &db_buf) < 0){ +@@ -1263,7 +1263,7 @@ no_diskspace(struct ldbminfo *li, int dbenv_flags) + li->li_dblayer_private->dblayer_dbhome_directory); + return 1; + } +- fsiz = ((PRUint64)dbhome_buf.f_bavail) * ((PRUint64)dbhome_buf.f_bsize); ++ fsiz = ((uint64_t)dbhome_buf.f_bavail) * ((uint64_t)dbhome_buf.f_bsize); + region_dir = li->li_dblayer_private->dblayer_dbhome_directory; + } else { + /* Shared/private memory. No need to check disk space, return success */ +@@ -1387,12 +1387,17 @@ dblayer_start(struct ldbminfo *li, int dbmode) + /* Sanity check on cache size on platforms which allow us to figure out + * the available phys mem */ + slapi_pal_meminfo *mi = spal_meminfo_get(); +- if (!util_is_cachesize_sane(mi, &(priv->dblayer_cachesize))) { ++ util_cachesize_result result = util_is_cachesize_sane(mi, &(priv->dblayer_cachesize)); ++ if (result == UTIL_CACHESIZE_ERROR) { ++ slapi_log_err(SLAPI_LOG_CRIT, "dblayer_start", "Unable to determine if cachesize was valid!!!"); ++ } else if (result == UTIL_CACHESIZE_REDUCED) { ++ /* In some cases we saw this go to 0, prevent this. 
*/ ++ if (priv->dblayer_cachesize < MINCACHESIZE) { ++ priv->dblayer_cachesize = MINCACHESIZE; ++ } + /* Oops---looks like the admin misconfigured, let's warn them */ +- slapi_log_err(SLAPI_LOG_WARNING,"dblayer_start", "Likely CONFIGURATION ERROR -" +- "dbcachesize is configured to use more than the available " +- "physical memory, decreased to the largest available size (%"PRIu64" bytes).\n", +- priv->dblayer_cachesize); ++ slapi_log_err(SLAPI_LOG_WARNING, "dblayer_start", "Likely CONFIGURATION ERROR - dbcachesize is configured to use more than the available " ++ "memory, decreased to (%"PRIu64" bytes).\n", priv->dblayer_cachesize); + li->li_dbcachesize = priv->dblayer_cachesize; + } + spal_meminfo_destroy(mi); +@@ -3816,7 +3821,7 @@ static const u_int32_t default_flags = DB_NEXT; + typedef struct txn_test_iter { + DB *db; + DBC *cur; +- size_t cnt; ++ uint64_t cnt; + const char *attr; + u_int32_t flags; + backend *be; +@@ -3938,10 +3943,10 @@ static int txn_test_threadmain(void *param) + Object *inst_obj; + int rc = 0; + txn_test_iter **ttilist = NULL; +- size_t tticnt = 0; ++ uint64_t tticnt = 0; + DB_TXN *txn = NULL; + txn_test_cfg cfg = {0}; +- size_t counter = 0; ++ uint64_t counter = 0; + char keybuf[8192]; + char databuf[8192]; + int dbattempts = 0; +@@ -4062,9 +4067,9 @@ retry_txn: + if (!rc) { + DBT key; + DBT data; +- size_t ii; +- size_t donecnt = 0; +- size_t cnt = 0; ++ uint64_t ii; ++ uint64_t donecnt = 0; ++ uint64_t cnt = 0; + + /* phase 1 - open a cursor to each db */ + if (cfg.verbose) { +diff --git a/ldap/servers/slapd/back-ldbm/dblayer.h b/ldap/servers/slapd/back-ldbm/dblayer.h +index 816c943..77b04fa 100644 +--- a/ldap/servers/slapd/back-ldbm/dblayer.h ++++ b/ldap/servers/slapd/back-ldbm/dblayer.h +@@ -90,8 +90,8 @@ struct dblayer_private + int dblayer_ncache; + int dblayer_previous_ncache; + int dblayer_tx_max; +- size_t dblayer_cachesize; +- size_t dblayer_previous_cachesize; /* Cache size when we last shut down-- ++ uint64_t 
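Review bot: In the `dblayer_start` hunk the `UTIL_CACHESIZE_ERROR` branch only logs and then falls through, so startup presumably continues with a `dblayer_cachesize` that was never validated, while the `MINCACHESIZE` floor is applied only inside the `UTIL_CACHESIZE_REDUCED` branch. If continuing is intended, say so in a comment on that branch, e.g. `/* memory probe failed: keep the configured size, unchecked */`; otherwise the error case needs its own fallback. The CRIT message `"Unable to determine if cachesize was valid!!!"` has no trailing `\n`, unlike the warning below it. The body of `dblayer_start` starts and ends outside the hunk, so whether a later check covers the error case cannot be seen from here.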
dblayer_cachesize; ++ uint64_t dblayer_previous_cachesize; /* Cache size when we last shut down-- + * used to determine if we delete + * the mpool */ + int dblayer_recovery_required; +@@ -102,15 +102,15 @@ struct dblayer_private + int dblayer_durable_transactions; + int dblayer_checkpoint_interval; + int dblayer_circular_logging; +- size_t dblayer_page_size; /* db page size if configured, ++ uint64_t dblayer_page_size; /* db page size if configured, + * otherwise default to DBLAYER_PAGESIZE */ +- size_t dblayer_index_page_size; /* db index page size if configured, ++ uint64_t dblayer_index_page_size; /* db index page size if configured, + * otherwise default to + * DBLAYER_INDEX_PAGESIZE */ + int dblayer_idl_divisor; /* divide page size by this to get IDL + * size */ +- size_t dblayer_logfile_size; /* How large can one logfile be ? */ +- size_t dblayer_logbuf_size; /* how large log buffer can be */ ++ uint64_t dblayer_logfile_size; /* How large can one logfile be ? */ ++ uint64_t dblayer_logbuf_size; /* how large log buffer can be */ + int dblayer_file_mode; /* pmode for files we create */ + int dblayer_verbose; /* Get libdb to exhale debugging info */ + int dblayer_debug; /* Will libdb emit debugging info into +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c +index d5120d3..401cd60 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c +@@ -1582,9 +1582,9 @@ static config_info ldbm_config[] = { + {CONFIG_DB_DEBUG_CHECKPOINTING, CONFIG_TYPE_ONOFF, "off", &ldbm_config_db_debug_checkpointing_get, &ldbm_config_db_debug_checkpointing_set, 0}, + {CONFIG_DB_HOME_DIRECTORY, CONFIG_TYPE_STRING, "", &ldbm_config_db_home_directory_get, &ldbm_config_db_home_directory_set, 0}, + {CONFIG_IMPORT_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "-1", &ldbm_config_import_cache_autosize_get, &ldbm_config_import_cache_autosize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE}, +- 
{CONFIG_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "0", &ldbm_config_cache_autosize_get, &ldbm_config_cache_autosize_set, 0}, ++ {CONFIG_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "10", &ldbm_config_cache_autosize_get, &ldbm_config_cache_autosize_set, 0}, + {CONFIG_CACHE_AUTOSIZE_SPLIT, CONFIG_TYPE_INT, "40", &ldbm_config_cache_autosize_split_get, &ldbm_config_cache_autosize_split_set, 0}, +- {CONFIG_IMPORT_CACHESIZE, CONFIG_TYPE_SIZE_T, "20000000", &ldbm_config_import_cachesize_get, &ldbm_config_import_cachesize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE}, ++ {CONFIG_IMPORT_CACHESIZE, CONFIG_TYPE_SIZE_T, "16777216", &ldbm_config_import_cachesize_get, &ldbm_config_import_cachesize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE}, + {CONFIG_IDL_SWITCH, CONFIG_TYPE_STRING, "new", &ldbm_config_idl_get_idl_new, &ldbm_config_idl_set_tune, CONFIG_FLAG_ALWAYS_SHOW}, + {CONFIG_IDL_UPDATE, CONFIG_TYPE_ONOFF, "on", &ldbm_config_idl_get_update, &ldbm_config_idl_set_update, 0}, + {CONFIG_BYPASS_FILTER_TEST, CONFIG_TYPE_STRING, "on", &ldbm_config_get_bypass_filter_test, &ldbm_config_set_bypass_filter_test, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE}, +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c +index 62cdbc3..36d830d 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c +@@ -93,6 +93,7 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in + int retval = LDAP_SUCCESS; + size_t val = (size_t) value; + uint64_t delta = 0; ++ uint64_t delta_original = 0; + + /* Do whatever we can to make sure the data is ok. */ + /* There is an error here. 
We check the new val against our current mem-alloc +@@ -108,18 +109,34 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in + if (apply) { + if (val > inst->inst_cache.c_maxsize) { + delta = val - inst->inst_cache.c_maxsize; ++ delta_original = delta; + + util_cachesize_result sane; + slapi_pal_meminfo *mi = spal_meminfo_get(); + sane = util_is_cachesize_sane(mi, &delta); + spal_meminfo_destroy(mi); + +- if (sane != UTIL_CACHESIZE_VALID){ +- slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: cachememsize value is too large."); +- slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "cachememsize value is too large.\n"); ++ if (sane == UTIL_CACHESIZE_ERROR){ ++ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: unable to determine system memory limits."); ++ slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "Enable to determine system memory limits.\n"); + return LDAP_UNWILLING_TO_PERFORM; ++ } else if (sane == UTIL_CACHESIZE_REDUCED) { ++ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_instance_config_cachememsize_set", "delta +%"PRIu64" of request %"PRIu64" reduced to %"PRIu64"\n", delta_original, val, delta); ++ /* ++ * This works as: value = 100 ++ * delta_original to inst, 20; ++ * delta reduced to 5: ++ * 100 - (20 - 5) == 85; ++ * so if you recalculated delta now (val - inst), it would be 5. 
++ */ ++ val = val - (delta_original - delta); + } + } ++ if (inst->inst_cache.c_maxsize < MINCACHESIZE || val < MINCACHESIZE) { ++ slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "force a minimal value %"PRIu64"\n", MINCACHESIZE); ++ /* This value will trigger an autotune next start up, but it should increase only */ ++ val = MINCACHESIZE; ++ } + cache_set_max_size(&(inst->inst_cache), val, CACHE_TYPE_ENTRY); + } + +diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h +index 0c76580..d9547d8 100644 +--- a/ldap/servers/slapd/slapi-private.h ++++ b/ldap/servers/slapd/slapi-private.h +@@ -1392,7 +1392,7 @@ typedef enum _util_cachesize_result { + * \return util_cachesize_result. + * \sa util_cachesize_result, spal_meminfo_get + */ +-util_cachesize_result util_is_cachesize_sane(slapi_pal_meminfo *mi, size_t *cachesize); ++util_cachesize_result util_is_cachesize_sane(slapi_pal_meminfo *mi, uint64_t *cachesize); + + /** + * Retrieve the number of threads the server should run with based on this hardware. +diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c +index 012e83d..4ff6d41 100644 +--- a/ldap/servers/slapd/util.c ++++ b/ldap/servers/slapd/util.c +@@ -1468,16 +1468,26 @@ util_is_cachesize_sane(slapi_pal_meminfo *mi, uint64_t *cachesize) + return UTIL_CACHESIZE_ERROR; + } + ++ util_cachesize_result result = UTIL_CACHESIZE_VALID; + slapi_log_err(SLAPI_LOG_TRACE, "util_is_cachesize_sane", "Available bytes %"PRIu64", requested bytes %"PRIu64"\n", mi->system_available_bytes, *cachesize); + if (*cachesize > mi->system_available_bytes) { +- /* Since we are ask for more than what's available, we give 3/4 of the remaining. ++ /* Since we are ask for more than what's available, we give 1/2 of the remaining. 
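Review bot: The new floor check in `ldbm_instance_config_cachememsize_set` tests `inst->inst_cache.c_maxsize < MINCACHESIZE || val < MINCACHESIZE`, so whenever the current cache is below the minimum, any requested value is replaced by `MINCACHESIZE`, even one that has just passed the memory check. If only the request is meant to be clamped, the condition would be `if (val < MINCACHESIZE)`. The override is logged at `SLAPI_LOG_ERR`, yet the code still goes on to `cache_set_max_size` and writes nothing to `errorbuf`, so the client is not told its value was replaced; the `UTIL_CACHESIZE_REDUCED` branch has the same gap. The added log string `"Enable to determine system memory limits.\n"` should read `Unable`. The function starts and ends outside this hunk.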
+ * the remaining system mem to the cachesize instead, and log a warning + */ +- *cachesize = (mi->system_available_bytes * 0.75); +- slapi_log_err(SLAPI_LOG_TRACE, "util_is_cachesize_sane", "Adjusted cachesize to %"PRIu64"\n", *cachesize); +- return UTIL_CACHESIZE_REDUCED; ++ uint64_t adjust_cachesize = (mi->system_available_bytes * 0.5); ++ if (adjust_cachesize > *cachesize) { ++ slapi_log_err(SLAPI_LOG_CRIT, "util_is_cachesize_sane", "Invalid adjusted cachesize is greater than request %"PRIu64, adjust_cachesize); ++ return UTIL_CACHESIZE_ERROR; ++ } ++ if (adjust_cachesize < (16 * mi->pagesize_bytes)) { ++ /* At minimum respond with 16 pages - that's 64k on x86_64 */ ++ adjust_cachesize = 16 * mi->pagesize_bytes; ++ } ++ *cachesize = adjust_cachesize; ++ slapi_log_err(SLAPI_LOG_TRACE, "util_is_cachesize_sane", "Adjusted cachesize down to %"PRIu64"\n", *cachesize); ++ result = UTIL_CACHESIZE_REDUCED; + } +- return UTIL_CACHESIZE_VALID; ++ return result; + } + + long +-- +2.9.3 + diff --git a/SOURCES/0030-Ticket-49231-fix-sasl-mech-handling.patch b/SOURCES/0030-Ticket-49231-fix-sasl-mech-handling.patch new file mode 100644 index 0000000..8d5d46f --- /dev/null +++ b/SOURCES/0030-Ticket-49231-fix-sasl-mech-handling.patch 
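Review bot: The 16-page floor is applied after the `adjust_cachesize > *cachesize` check, so when `system_available_bytes` is very small the value written back can exceed the request while the function still returns `UTIL_CACHESIZE_REDUCED`. The caller in ldbm_instance_config.c then computes `val - (delta_original - delta)` on unsigned values, which wraps if `delta` came back larger than `delta_original`. Applying the floor before the comparison, or capping afterwards with `if (adjust_cachesize > *cachesize) adjust_cachesize = *cachesize;`, keeps the result bounded by the request. Separately, `mi->system_available_bytes * 0.5` goes through `double`, whereas `mi->system_available_bytes / 2` stays in integer arithmetic. `util_is_cachesize_sane` starts outside the hunk.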
@@ -0,0 +1,328 @@ +From 88a0ce3c3f89244a77dfa618c8a5064bda30f376 Mon Sep 17 00:00:00 2001 +From: William Brown +Date: Wed, 26 Apr 2017 15:48:30 +1000 +Subject: [PATCH] Ticket 49231 - fix sasl mech handling + +Bug Description: In our sasl code we had two issues. One was that +we did not correctly apply the list of sasl allowed mechs to our +rootdse list in ids_sasl_listmech. The second was that on config +reset, we did not correctly set null to the value. + +Fix Description: Fix the handling of the mech lists to allow +reset, and allow the mech list to be updated properly. + +https://pagure.io/389-ds-base/issue/49231 + +Author: wibrown + +Review by: mreynolds (Thanks!) +--- + dirsrvtests/tests/suites/sasl/allowed_mechs.py | 43 ++++++++++++++++++ + ldap/servers/slapd/charray.c | 48 +++++++++++++++++--- + ldap/servers/slapd/libglobs.c | 62 ++++++++++++++++++++------ + ldap/servers/slapd/proto-slap.h | 1 + + ldap/servers/slapd/saslbind.c | 21 ++++++++- + ldap/servers/slapd/slap.h | 1 + + ldap/servers/slapd/slapi-private.h | 1 + + 7 files changed, 156 insertions(+), 21 deletions(-) + create mode 100644 dirsrvtests/tests/suites/sasl/allowed_mechs.py + +diff --git a/dirsrvtests/tests/suites/sasl/allowed_mechs.py b/dirsrvtests/tests/suites/sasl/allowed_mechs.py +new file mode 100644 +index 0000000..a3e385e +--- /dev/null ++++ b/dirsrvtests/tests/suites/sasl/allowed_mechs.py +@@ -0,0 +1,43 @@ ++# --- BEGIN COPYRIGHT BLOCK --- ++# Copyright (C) 2017 Red Hat, Inc. ++# All rights reserved. ++# ++# License: GPL (version 3 or any later version). ++# See LICENSE for details. ++# --- END COPYRIGHT BLOCK --- ++# ++ ++import pytest ++import ldap ++ ++import time ++ ++from lib389.topologies import topology_st ++ ++def test_sasl_allowed_mechs(topology_st): ++ standalone = topology_st.standalone ++ ++ # Get the supported mechs. 
This should contain PLAIN, GSSAPI, EXTERNAL at least ++ orig_mechs = standalone.rootdse.supported_sasl() ++ print(orig_mechs) ++ assert('GSSAPI' in orig_mechs) ++ assert('PLAIN' in orig_mechs) ++ assert('EXTERNAL' in orig_mechs) ++ ++ # Now edit the supported mechs. CHeck them again. ++ standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'EXTERNAL, PLAIN') ++ ++ limit_mechs = standalone.rootdse.supported_sasl() ++ print(limit_mechs) ++ assert('PLAIN' in limit_mechs) ++ assert('EXTERNAL' in limit_mechs) ++ assert('GSSAPI' not in limit_mechs) ++ ++ # Do a config reset ++ standalone.config.reset('nsslapd-allowed-sasl-mechanisms') ++ ++ # check the supported list is the same as our first check. ++ final_mechs = standalone.rootdse.supported_sasl() ++ print(final_mechs) ++ assert(set(final_mechs) == set(orig_mechs)) ++ +diff --git a/ldap/servers/slapd/charray.c b/ldap/servers/slapd/charray.c +index 5551dcc..6b89714 100644 +--- a/ldap/servers/slapd/charray.c ++++ b/ldap/servers/slapd/charray.c +@@ -348,8 +348,9 @@ slapi_str2charray_ext( char *str, char *brkstr, int allow_dups ) + } + } + +- if ( !dup_found ) ++ if ( !dup_found ) { + res[i++] = slapi_ch_strdup( s ); ++ } + } + res[i] = NULL; + +@@ -413,10 +414,11 @@ charray_subtract(char **a, char **b, char ***c) + char **bp, **cp, **tmp; + char **p; + +- if (c) ++ if (c) { + tmp = *c = cool_charray_dup(a); +- else ++ } else { + tmp = a; ++ } + + for (cp = tmp; cp && *cp; cp++) { + for (bp = b; bp && *bp; bp++) { +@@ -433,12 +435,48 @@ charray_subtract(char **a, char **b, char ***c) + for (p = cp+1; *p && *p == (char *)SUBTRACT_DEL; p++) + ; + *cp = *p; +- if (*p == NULL) ++ if (*p == NULL) { + break; +- else ++ } else { + *p = SUBTRACT_DEL; ++ } ++ } ++ } ++} ++ ++/* ++ * Provides the intersection of two arrays. ++ * IE if you have: ++ * (A, B, C) ++ * (B, D, E) ++ * result is (B,) ++ * a and b are NOT consumed in the process. 
++ */ ++char ** ++charray_intersection(char **a, char **b) { ++ char **result; ++ size_t rp = 0; ++ ++ if (a == NULL || b == NULL) { ++ return NULL; ++ } ++ ++ size_t a_len = 0; ++ /* Find how long A is. */ ++ for (; a[a_len] != NULL; a_len++); ++ ++ /* Allocate our result, it can't be bigger than A */ ++ result = (char **)slapi_ch_calloc(1, sizeof(char *) * (a_len + 1)); ++ ++ /* For each in A, see if it's in b */ ++ for (size_t i = 0; a[i] != NULL; i++) { ++ if (charray_get_index(b, a[i]) != -1) { ++ result[rp] = slapi_ch_strdup(a[i]); ++ rp++; + } + } ++ ++ return result; + } + + int +diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c +index 0e818a9..2fc9fbf 100644 +--- a/ldap/servers/slapd/libglobs.c ++++ b/ldap/servers/slapd/libglobs.c +@@ -7090,9 +7090,30 @@ config_set_entryusn_import_init( const char *attrname, char *value, + return retVal; + } + ++char ** ++config_get_allowed_sasl_mechs_array(void) ++{ ++ /* ++ * array of mechs. If is null, returns NULL thanks to ch_array_dup. ++ * Caller must free! ++ */ ++ char **retVal; ++ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); ++ ++ CFG_LOCK_READ(slapdFrontendConfig); ++ retVal = slapi_ch_array_dup(slapdFrontendConfig->allowed_sasl_mechs_array); ++ CFG_UNLOCK_READ(slapdFrontendConfig); ++ ++ return retVal; ++} ++ + char * +-config_get_allowed_sasl_mechs() ++config_get_allowed_sasl_mechs(void) + { ++ /* ++ * Space seperated list of allowed mechs ++ * if this is NULL, means *all* mechs are allowed! ++ */ + char *retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + +@@ -7113,22 +7134,35 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, + return LDAP_SUCCESS; + } + +- /* cyrus sasl doesn't like comma separated lists */ +- remove_commas(value); ++ /* During a reset, the value is "", so we have to handle this case. 
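Review bot: The header comment on `charray_intersection` says the inputs are not consumed but does not say who owns the result. It should state that the returned array and each string in it are newly allocated and must be freed by the caller. It should also state that `NULL` is returned when either input is `NULL`, and that an empty intersection yields a non-NULL array holding only the terminator. The allocation `slapi_ch_calloc(1, sizeof(char *) * (a_len + 1))` multiplies the size by hand; `slapi_ch_calloc(a_len + 1, sizeof(char *))` passes count and element size separately.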
*/ ++ if (strcmp(value, "") != 0) { ++ /* cyrus sasl doesn't like comma separated lists */ ++ remove_commas(value); ++ ++ if(invalid_sasl_mech(value)){ ++ slapi_log_err(SLAPI_LOG_ERR,"config_set_allowed_sasl_mechs", ++ "Invalid value/character for sasl mechanism (%s). Use ASCII " ++ "characters, upto 20 characters, that are upper-case letters, " ++ "digits, hyphens, or underscores\n", value); ++ return LDAP_UNWILLING_TO_PERFORM; ++ } + +- if(invalid_sasl_mech(value)){ +- slapi_log_err(SLAPI_LOG_ERR,"config_set_allowed_sasl_mechs", +- "Invalid value/character for sasl mechanism (%s). Use ASCII " +- "characters, upto 20 characters, that are upper-case letters, " +- "digits, hyphens, or underscores\n", value); +- return LDAP_UNWILLING_TO_PERFORM; ++ CFG_LOCK_WRITE(slapdFrontendConfig); ++ slapi_ch_free_string(&slapdFrontendConfig->allowed_sasl_mechs); ++ slapi_ch_array_free(slapdFrontendConfig->allowed_sasl_mechs_array); ++ slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value); ++ slapdFrontendConfig->allowed_sasl_mechs_array = slapi_str2charray_ext(value, " ", 0); ++ CFG_UNLOCK_WRITE(slapdFrontendConfig); ++ } else { ++ /* If this value is "", we need to set the list to *all* possible mechs */ ++ CFG_LOCK_WRITE(slapdFrontendConfig); ++ slapi_ch_free_string(&slapdFrontendConfig->allowed_sasl_mechs); ++ slapi_ch_array_free(slapdFrontendConfig->allowed_sasl_mechs_array); ++ slapdFrontendConfig->allowed_sasl_mechs = NULL; ++ slapdFrontendConfig->allowed_sasl_mechs_array = NULL; ++ CFG_UNLOCK_WRITE(slapdFrontendConfig); + } + +- CFG_LOCK_WRITE(slapdFrontendConfig); +- slapi_ch_free_string(&slapdFrontendConfig->allowed_sasl_mechs); +- slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value); +- CFG_UNLOCK_WRITE(slapdFrontendConfig); +- + return LDAP_SUCCESS; + } + +diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h +index fdb4bf0..9696ead 100644 +--- a/ldap/servers/slapd/proto-slap.h ++++ b/ldap/servers/slapd/proto-slap.h +@@ 
-553,6 +553,7 @@ size_t config_get_ndn_cache_size(void); + int config_get_ndn_cache_enabled(void); + int config_get_return_orig_type_switch(void); + char *config_get_allowed_sasl_mechs(void); ++char **config_get_allowed_sasl_mechs_array(void); + int config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int apply); + int config_get_schemamod(void); + int config_set_ignore_vattrs(const char *attrname, char *value, char *errorbuf, int apply); +diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c +index 2d6fb64..6e544e6 100644 +--- a/ldap/servers/slapd/saslbind.c ++++ b/ldap/servers/slapd/saslbind.c +@@ -744,7 +744,10 @@ void ids_sasl_server_new(Connection *conn) + */ + char **ids_sasl_listmech(Slapi_PBlock *pb) + { +- char **ret, **others; ++ char **ret; ++ char **config_ret; ++ char **sup_ret; ++ char **others; + const char *str; + char *dupstr; + sasl_conn_t *sasl_conn; +@@ -754,7 +757,7 @@ char **ids_sasl_listmech(Slapi_PBlock *pb) + PR_ASSERT(pb); + + /* hard-wired mechanisms and slapi plugin registered mechanisms */ +- ret = slapi_get_supported_saslmechanisms_copy(); ++ sup_ret = slapi_get_supported_saslmechanisms_copy(); + + if (pb->pb_conn == NULL) return ret; + +@@ -777,6 +780,20 @@ char **ids_sasl_listmech(Slapi_PBlock *pb) + } + PR_ExitMonitor(pb->pb_conn->c_mutex); + ++ /* Get the servers "allowed" list */ ++ config_ret = config_get_allowed_sasl_mechs_array(); ++ ++ /* Remove any content that isn't in the allowed list */ ++ if (config_ret != NULL) { ++ /* Get the set of supported mechs in the insection of the two */ ++ ret = charray_intersection(sup_ret, config_ret); ++ charray_free(sup_ret); ++ charray_free(config_ret); ++ } else { ++ /* The allowed list was empty, just take our supported list. 
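Review bot: `if (pb->pb_conn == NULL) return ret;` now returns an uninitialized pointer, because this hunk moves the `slapi_get_supported_saslmechanisms_copy()` result from `ret` to `sup_ret`. `ret` is not assigned until the intersection code in the following hunk. The early return should become `if (pb->pb_conn == NULL) return sup_ret;`, or `ret` should be initialised to `NULL` at its declaration and `sup_ret` freed on that path. The lines between the two saslbind.c hunks are not shown; if they still use `ret` (for example to merge the mechanisms reported by the SASL library), they would need to target `sup_ret` too, so those mechanisms also pass through the allowed-list intersection. `ids_sasl_listmech` continues outside the hunk.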
*/ ++ ret = sup_ret; ++ } ++ + slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_listmech", "<=\n"); + + return ret; +diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h +index abfad20..5e44cc8 100644 +--- a/ldap/servers/slapd/slap.h ++++ b/ldap/servers/slapd/slap.h +@@ -2577,6 +2577,7 @@ typedef struct _slapdFrontendConfig { + int pagedsizelimit; + char *default_naming_context; /* Default naming context (normalized) */ + char *allowed_sasl_mechs; /* comma/space separated list of allowed sasl mechs */ ++ char **allowed_sasl_mechs_array; /* Array of allow sasl mechs */ + int sasl_max_bufsize; /* The max receive buffer size for SASL */ + + /* disk monitoring */ +diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h +index d9547d8..3f732e8 100644 +--- a/ldap/servers/slapd/slapi-private.h ++++ b/ldap/servers/slapd/slapi-private.h +@@ -831,6 +831,7 @@ int charray_remove(char **a, const char *s, int freeit); + char ** cool_charray_dup( char **a ); + void cool_charray_free( char **array ); + void charray_subtract( char **a, char **b, char ***c ); ++char **charray_intersection(char **a, char **b); + int charray_get_index(char **array, char *s); + int charray_normdn_add(char ***chararray, char *dn, char *errstr); + +-- +2.9.3 + diff --git a/SOURCES/0030-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch b/SOURCES/0030-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch deleted file mode 100644 index 39bef22..0000000 --- a/SOURCES/0030-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 741e8534323f6b7eb5565f8ec09ab2731e52735b Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Thu, 4 Aug 2016 13:26:44 -0700 -Subject: [PATCH] Ticket bz1358565 - clear and unsalted password types are - vulnerable to timing attack - -Description: Build fails with the commit f0e03b5a51972a125fe78f448d1f68e288782d1e: - error: 'for' loop initial declarations are only allowed in C99 mode - for (size_t i = 0; i < n; i++) { - ^ -Moved "size_t i;" to the top of slapi_ct_memcmp. ---- - ldap/servers/slapd/ch_malloc.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c -index a38268c..705ea86 100644 ---- a/ldap/servers/slapd/ch_malloc.c -+++ b/ldap/servers/slapd/ch_malloc.c -@@ -374,12 +374,13 @@ slapi_ct_memcmp( const void *p1, const void *p2, size_t n) - int result = 0; - const unsigned char *_p1 = (const unsigned char *)p1; - const unsigned char *_p2 = (const unsigned char *)p2; -+ size_t i; - - if (_p1 == NULL || _p2 == NULL) { - return 2; - } - -- for (size_t i = 0; i < n; i++) { -+ for (i = 0; i < n; i++) { - if (_p1[i] ^ _p2[i]) { - result = 1; - } --- -2.4.11 - diff --git a/SOURCES/0031-Ticket-48450-Autotools-components-for-ds_systemd_ask.patch b/SOURCES/0031-Ticket-48450-Autotools-components-for-ds_systemd_ask.patch deleted file mode 100644 index df4c700..0000000 --- a/SOURCES/0031-Ticket-48450-Autotools-components-for-ds_systemd_ask.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 1d4ad57ad50a33b8a1ef2db7d592f2adb09c3083 Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Mon, 8 Aug 2016 13:56:02 +1000 -Subject: [PATCH 31/32] Ticket 48450 - Autotools components for - ds_systemd_ask_password_acl - -Bug Description: William forgot to add the Makefile.in to the commit. This was -found in the rpm build because it does not run autoreconf to regenerate the -Makefile.in, manifiesting as a missing file. - -Fix Description: Commit Makefile.in - -https://fedorahosted.org/389/ticket/48450 - -Author: wibrown - -Review by: nhosoi@redhat.com - -(cherry picked from commit c5e4ca4e1e0f1ab8be60df7453e6f0b126e6581c) ---- - Makefile.in | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/Makefile.in b/Makefile.in -index 8109469..6788fe1 100644 ---- a/Makefile.in -+++ b/Makefile.in -@@ -2044,7 +2044,8 @@ sbin_SCRIPTS = ldap/admin/src/scripts/setup-ds.pl \ - ldap/admin/src/scripts/dbmon.sh \ - ldap/admin/src/scripts/ds_selinux_enabled \ - ldap/admin/src/scripts/ds_selinux_port_query \ -- wrappers/ldap-agent -+ wrappers/ds_systemd_ask_password_acl \ -+ wrappers/ldap-agent - - bin_SCRIPTS = ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl \ - wrappers/dbscan \ -@@ -10359,7 +10360,7 @@ distdir: $(DISTFILES) - ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ - || chmod -R a+r "$(distdir)" - dist-gzip: distdir -- tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz -+ tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz - $(am__post_remove_distdir) - dist-bzip2: distdir - tardir=$(distdir) && $(am__tar) | BZIP2=$${BZIP2--9} bzip2 -c >$(distdir).tar.bz2 -@@ -10384,7 +10385,7 @@ dist-shar: distdir - @echo WARNING: "Support for shar distribution archives is" \ - "deprecated." 
>&2 - @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 -- shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz -+ shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz - $(am__post_remove_distdir) - - dist-zip: distdir -@@ -10402,7 +10403,7 @@ dist dist-all: - distcheck: dist - case '$(DIST_ARCHIVES)' in \ - *.tar.gz*) \ -- GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ -+ eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\ - *.tar.bz2*) \ - bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ - *.tar.lz*) \ -@@ -10412,7 +10413,7 @@ distcheck: dist - *.tar.Z*) \ - uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ - *.shar.gz*) \ -- GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ -+ eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\ - *.zip*) \ - unzip $(distdir).zip ;;\ - esac --- -2.4.11 - diff --git a/SOURCES/0031-Ticket-49230-slapi_register_plugin-creates-config-en.patch b/SOURCES/0031-Ticket-49230-slapi_register_plugin-creates-config-en.patch new file mode 100644 index 0000000..f8e5141 --- /dev/null +++ b/SOURCES/0031-Ticket-49230-slapi_register_plugin-creates-config-en.patch 
@@ -0,0 +1,50 @@ +From 91a162d66c2fe239c009f1ee16974d310b333e7e Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Fri, 21 Apr 2017 17:16:55 +0200 +Subject: [PATCH] Ticket 49230 - slapi_register_plugin creates config entry + where it should not + +Bug Description: + slapi-register-plugin systematically create an entry under + 'cn=plugins,cn=config' because it is not taking into account + the flag 'add_entry in 'plugin_setup'. + + This is potentially a regression introduced by + https://pagure.io/389-ds-base/issue/49066 (TBC) + +Fix Description: + Test 'add_entry' before adding the entry + + https://pagure.io/389-ds-base/issue/49230 + +Review by: Mark Reynolds, William Brown +--- + ldap/servers/slapd/plugin.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c +index ac8306f..a5e0724 100644 +--- a/ldap/servers/slapd/plugin.c ++++ b/ldap/servers/slapd/plugin.c +@@ -3132,11 +3132,13 @@ plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group, + add_plugin_entry_dn(dn_copy); + } + +- /* make a copy of the plugin entry for our own use because it will +- be freed later by the caller */ +- Slapi_Entry *e_copy = slapi_entry_dup(plugin_entry); +- /* new_plugin_entry(&plugin_entries, plugin_entry, plugin); */ +- new_plugin_entry(&dep_plugin_entries, e_copy, plugin); ++ if (add_entry) { ++ /* make a copy of the plugin entry for our own use because it will ++ be freed later by the caller */ ++ Slapi_Entry *e_copy = slapi_entry_dup(plugin_entry); ++ /* new_plugin_entry(&plugin_entries, plugin_entry, plugin); */ ++ new_plugin_entry(&dep_plugin_entries, e_copy, plugin); ++ } + + PLUGIN_CLEANUP: + if (status) { +-- +2.9.3 + diff --git a/SOURCES/0032-49227-ldapsearch-for-nsslapd-errorlog-level-re.patch b/SOURCES/0032-49227-ldapsearch-for-nsslapd-errorlog-level-re.patch new file mode 100644 index 0000000..d2fd071 --- /dev/null 
+++ b/SOURCES/0032-49227-ldapsearch-for-nsslapd-errorlog-level-re.patch 
@@ -0,0 +1,221 @@ +From e5f78f9f6a8cab7bfbd33e14912508183f9da283 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Thu, 20 Apr 2017 15:01:33 -0400 +Subject: [PATCH] Issue 49227 - ldapsearch for nsslapd-errorlog-level returns + incorrect values + +Bug Description: ldapsearch for the error log level returns the internal + bitmask value and not the value set in cn=config. + +Fix Description: When setting the error log level store the initial/untouched + value in the config entry first, then set the bitmasked + global log level variable. + +https://pagure.io/389-ds-base/issue/49227 + +Reviewed by: nhosoi(Thanks!) +--- + dirsrvtests/tests/tickets/ticket49227_test.py | 111 ++++++++++++++++++++++++++ + ldap/servers/slapd/configdse.c | 4 +- + ldap/servers/slapd/libglobs.c | 11 +-- + ldap/servers/slapd/slap.h | 3 +- + 4 files changed, 121 insertions(+), 8 deletions(-) + create mode 100644 dirsrvtests/tests/tickets/ticket49227_test.py + +diff --git a/dirsrvtests/tests/tickets/ticket49227_test.py b/dirsrvtests/tests/tickets/ticket49227_test.py +new file mode 100644 +index 0000000..86e0b9a +--- /dev/null ++++ b/dirsrvtests/tests/tickets/ticket49227_test.py +@@ -0,0 +1,111 @@ ++import os ++import time ++import ldap ++import logging ++import pytest ++from lib389._constants import * ++from lib389.properties import * ++from lib389.tasks import * ++from lib389.utils import * ++from lib389.topologies import topology_st as topo ++ ++DEBUGGING = os.getenv("DEBUGGING", default=False) ++if DEBUGGING: ++ logging.getLogger(__name__).setLevel(logging.DEBUG) ++else: ++ logging.getLogger(__name__).setLevel(logging.INFO) ++log = logging.getLogger(__name__) ++DEFAULT_LEVEL = "16384" ++ ++ ++def set_level(topo, level): ++ ''' Set the error log level ++ ''' ++ try: ++ topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', level)]) ++ time.sleep(1) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to set loglevel to %s - error: %s' % (level, str(e))) ++ assert 
False ++ ++ ++def get_level(topo): ++ ''' Set the error log level ++ ''' ++ try: ++ config = topo.standalone.search_s("cn=config", ldap.SCOPE_BASE, "objectclass=top") ++ time.sleep(1) ++ return config[0].getValue('nsslapd-errorlog-level') ++ except ldap.LDAPError as e: ++ log.fatal('Failed to get loglevel - error: %s' % (str(e))) ++ assert False ++ ++ ++def get_log_size(topo): ++ ''' Get the errors log size ++ ''' ++ statinfo = os.stat(topo.standalone.errlog) ++ return statinfo.st_size ++ ++ ++def test_ticket49227(topo): ++ """Set the error log to varying levels, and make sure a search for that value ++ reflects the expected value (not the bitmasked value. ++ """ ++ log_size = get_log_size(topo) ++ ++ # Check the default level ++ level = get_level(topo) ++ if level != DEFAULT_LEVEL: ++ log.fatal('Incorrect default logging level: %s' % (level)) ++ assert False ++ ++ # Set connection logging ++ set_level(topo, '8') ++ level = get_level(topo) ++ if level != '8': ++ log.fatal('Incorrect connection logging level: %s' % (level)) ++ assert False ++ ++ # Check the actual log ++ new_size = get_log_size(topo) ++ if new_size == log_size: ++ # Size should be different ++ log.fatal('Connection logging is not working') ++ assert False ++ ++ # Set default logging using zero ++ set_level(topo, '0') ++ log_size = get_log_size(topo) ++ level = get_level(topo) ++ if level != DEFAULT_LEVEL: ++ log.fatal('Incorrect default logging level: %s' % (level)) ++ assert False ++ ++ # Check the actual log ++ new_size = get_log_size(topo) ++ if new_size != log_size: ++ # Size should be the size ++ log.fatal('Connection logging is still on') ++ assert False ++ ++ # Set default logging using the default value ++ set_level(topo, DEFAULT_LEVEL) ++ level = get_level(topo) ++ if level != DEFAULT_LEVEL: ++ log.fatal('Incorrect default logging level: %s' % (level)) ++ assert False ++ ++ # Check the actual log ++ new_size = get_log_size(topo) ++ if new_size != log_size: ++ # Size should be the size ++ 
log.fatal('Connection logging is still on') ++ assert False ++ ++if __name__ == '__main__': ++ # Run isolated ++ # -s for DEBUG mode ++ CURRENT_FILE = os.path.realpath(__file__) ++ pytest.main("-s %s" % CURRENT_FILE) ++ +diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c +index 78162c9..08d1ace 100644 +--- a/ldap/servers/slapd/configdse.c ++++ b/ldap/servers/slapd/configdse.c +@@ -404,12 +404,12 @@ modify_config_dse(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, in + config_attr); + rc = LDAP_UNWILLING_TO_PERFORM; + } else if (ignore_attr_type(config_attr)) { +- slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse", ++ slapi_log_err(SLAPI_LOG_CONFIG, "modify_config_dse", + "Modification of attribute \"%s\" is not allowed, ignoring!\n", + config_attr); + } else if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { + if (apply_mods) { /* log warning once */ +- slapi_log_err(SLAPI_LOG_WARNING, "modify_config_dse", ++ slapi_log_err(SLAPI_LOG_CONFIG, "modify_config_dse", + "Adding configuration attribute \"%s\"\n", + config_attr); + } +diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c +index 2fc9fbf..bb51827 100644 +--- a/ldap/servers/slapd/libglobs.c ++++ b/ldap/servers/slapd/libglobs.c +@@ -308,7 +308,7 @@ static struct config_get_and_set { + {CONFIG_LOGLEVEL_ATTRIBUTE, config_set_errorlog_level, + NULL, 0, + (void**)&global_slapdFrontendConfig.errorloglevel, +- CONFIG_SPECIAL_ERRORLOGLEVEL, NULL, SLAPD_DEFAULT_ERRORLOG_LEVEL_STR}, ++ CONFIG_SPECIAL_ERRORLOGLEVEL, NULL, SLAPD_DEFAULT_FE_ERRORLOG_LEVEL_STR}, + {CONFIG_ERRORLOG_LOGGING_ENABLED_ATTRIBUTE, NULL, + log_set_logging, SLAPD_ERROR_LOG, + (void**)&global_slapdFrontendConfig.errorlog_logging_enabled, +@@ -1597,7 +1597,7 @@ FrontendConfig_init(void) { + cfg->errorlog_minfreespace = SLAPD_DEFAULT_LOG_MINFREESPACE; + cfg->errorlog_exptime = SLAPD_DEFAULT_LOG_EXPTIME; + cfg->errorlog_exptimeunit = slapi_ch_strdup(SLAPD_INIT_LOG_EXPTIMEUNIT); +- cfg->errorloglevel = 
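Review bot: Both `slapi_log_err` calls in the configdse.c hunk move from `SLAPI_LOG_WARNING` to `SLAPI_LOG_CONFIG`. That includes the message `Modification of attribute \"%s\" is not allowed, ignoring!`, which records a rejected change to the configuration entry. If config-level logging is not part of the default error-log mask (the hunk does not show this), an ignored attempt to modify a protected attribute will no longer appear in the errors log. Keeping the rejected-modification message at `SLAPI_LOG_WARNING` and demoting only the informational `Adding configuration attribute` line would preserve that audit signal. `modify_config_dse` starts and ends outside the hunk.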
SLAPD_DEFAULT_ERRORLOG_LEVEL; ++ cfg->errorloglevel = SLAPD_DEFAULT_FE_ERRORLOG_LEVEL; + + init_auditlog_logging_enabled = cfg->auditlog_logging_enabled = LDAP_OFF; + cfg->auditlog_mode = slapi_ch_strdup(SLAPD_INIT_LOG_MODE); +@@ -4474,9 +4474,10 @@ config_set_errorlog_level( const char *attrname, char *value, char *errorbuf, in + + if ( apply ) { + CFG_LOCK_WRITE(slapdFrontendConfig); +- level |= SLAPD_DEFAULT_ERRORLOG_LEVEL; /* Always apply the new default error levels for now */ +- slapd_ldap_debug = level; + slapdFrontendConfig->errorloglevel = level; ++ /* Set the internal value - apply the default error level */ ++ level |= SLAPD_DEFAULT_ERRORLOG_LEVEL; ++ slapd_ldap_debug = level; + CFG_UNLOCK_WRITE(slapdFrontendConfig); + } + return retVal; +@@ -5771,7 +5772,7 @@ config_get_errorlog_level(){ + retVal = slapdFrontendConfig->errorloglevel; + CFG_UNLOCK_READ(slapdFrontendConfig); + +- return retVal; ++ return retVal |= SLAPD_DEFAULT_ERRORLOG_LEVEL; + } + + /* return integer -- don't worry about locking similar to config_check_referral_mode +diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h +index 5e44cc8..04c9b79 100644 +--- a/ldap/servers/slapd/slap.h ++++ b/ldap/servers/slapd/slap.h +@@ -343,7 +343,8 @@ typedef void (*VFPV)(); /* takes undefined arguments */ + * LDAP_DEBUG_WARNING | LDAP_DEBUG_NOTICE | LDAP_DEBUG_INFO) + */ + #define SLAPD_DEFAULT_ERRORLOG_LEVEL 266354688 +-#define SLAPD_DEFAULT_ERRORLOG_LEVEL_STR "266354688" ++#define SLAPD_DEFAULT_FE_ERRORLOG_LEVEL 16384 /* frontend log level */ ++#define SLAPD_DEFAULT_FE_ERRORLOG_LEVEL_STR "16384" + #define SLAPD_DEFAULT_ACCESSLOG_LEVEL 256 + #define SLAPD_DEFAULT_ACCESSLOG_LEVEL_STR "256" + +-- +2.9.3 + diff --git a/SOURCES/0032-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch b/SOURCES/0032-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch deleted file mode 100644 index 8a84fdc..0000000 
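Review bot: `return retVal |= SLAPD_DEFAULT_ERRORLOG_LEVEL;` in `config_get_errorlog_level` uses a compound assignment to a local that is discarded immediately; `return retVal | SLAPD_DEFAULT_ERRORLOG_LEVEL;` says the same thing without the side effect. After this change the stored `errorloglevel` holds the value as configured and this getter returns the masked value. A one-line comment above the return, such as `/* callers get the effective level; the stored value is the configured one */`, would keep the two from being confused again. The function starts outside the hunk.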
--- a/SOURCES/0032-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch +++ /dev/null @@ -1,27 +0,0 @@ -From bf87f952dc7a07786ddb9e895a956505cd951cf3 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Mon, 8 Aug 2016 10:12:33 -0700 -Subject: [PATCH 32/32] Ticket bz1358565 - clear and unsalted password types - are vulnerable to timing attack - -Description: Fixing a compiler warning introduced by commit -f0e03b5a51972a125fe78f448d1f68e288782d1e. ---- - ldap/servers/plugins/pwdstorage/clear_pwd.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c -index 2afe16e..b9b362d 100644 ---- a/ldap/servers/plugins/pwdstorage/clear_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c -@@ -26,7 +26,6 @@ int - clear_pw_cmp( const char *userpwd, const char *dbpwd ) - { - int result = 0; -- int len = 0; - int len_user = strlen(userpwd); - int len_dbp = strlen(dbpwd); - if ( len_user != len_dbp ) { --- -2.4.11 - diff --git a/SOURCES/0033-Ticket-48950-Change-example-in-etc-sysconfig-dirsrv-.patch b/SOURCES/0033-Ticket-48950-Change-example-in-etc-sysconfig-dirsrv-.patch deleted file mode 100644 index 6862b7e..0000000 --- a/SOURCES/0033-Ticket-48950-Change-example-in-etc-sysconfig-dirsrv-.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From cb23f2f29464f9f800a4cf1f1e3d48e0c66358c7 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 11 Aug 2016 10:50:02 -0400 -Subject: [PATCH 33/35] Ticket 48950 - Change example in /etc/sysconfig/dirsrv - to use tcmalloc - -Description: Update the example to use tcmalloc instead of jemalloc. - -https://fedorahosted.org/389/ticket/48950 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit 06a4adb4ad42a2d7cee383d6e2ef69a7188251a2) ---- - ldap/admin/src/base-initconfig.in | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/ldap/admin/src/base-initconfig.in b/ldap/admin/src/base-initconfig.in -index e803a36..0481c3e 100644 ---- a/ldap/admin/src/base-initconfig.in -+++ b/ldap/admin/src/base-initconfig.in -@@ -43,8 +43,8 @@ - # if using systemd, omit the "; export VARNAME" at the end - #PID_TIME=600 ; export PID_TIME - --# jemalloc is a general purpose malloc implementation that emphasizes --# fragmentation avoidance and scalable concurrency support. jemalloc --# has been shown to have a significant positive impact on the Directory --# Server's process size/growth. --#LD_PRELOAD=@libdir@/@package_name@/libjemalloc.so.1 ; export LD_PRELOAD -+# The tcmalloc memory allocator has been shown to have a positive impact on -+# the Directory Server's virtual & resident memory size/growth. tcmalloc is -+# available on RHEL/Fedora in the gperftools package (this could be different -+# on other platforms). Here is an example of preloading tcmalloc: -+#LD_PRELOAD=@libdir@/libtcmalloc.so.4 ; export LD_PRELOAD --- -2.4.11 - diff --git a/SOURCES/0033-Ticket-48989-fix-perf-counters.patch b/SOURCES/0033-Ticket-48989-fix-perf-counters.patch new file mode 100644 index 0000000..fd75c88 --- /dev/null +++ b/SOURCES/0033-Ticket-48989-fix-perf-counters.patch 
@@ -0,0 +1,57 @@ +From a7b9a9ddbff47c2226e60e403374d5e451fac344 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 2 May 2017 13:48:33 -0400 +Subject: [PATCH] Ticket 48989 - fix perf counters + +Description: There was a copy & paste error where page_access_rate + was added, but it listed the wrong attribute name. However, + the page_access_rate formula doesn't make sense, nor are + there more page stats to use from Berklely DB. Because + of this I just removed page_access_rate. + +https://pagure.io/389-ds-base/issue/48989 + +Reviewed by: firstyear(Thanks!) + +(cherry picked from commit 18a77e957119bd9994833b7290747f99d73b3745) +--- + ldap/servers/slapd/back-ldbm/perfctrs.c | 3 --- + ldap/servers/slapd/back-ldbm/perfctrs.h | 1 - + 2 files changed, 4 deletions(-) + +diff --git a/ldap/servers/slapd/back-ldbm/perfctrs.c b/ldap/servers/slapd/back-ldbm/perfctrs.c +index 5929dea..9132097 100644 +--- a/ldap/servers/slapd/back-ldbm/perfctrs.c ++++ b/ldap/servers/slapd/back-ldbm/perfctrs.c +@@ -165,7 +165,6 @@ void perfctrs_update(perfctrs_private *priv, DB_ENV *db_env) + if (0 == ret) { + #define ONEG 1073741824 + perf->cache_size_bytes = mpstat->st_gbytes * ONEG + mpstat->st_bytes; +- perf->page_access_rate = mpstat->st_cache_hit + mpstat->st_cache_miss; + perf->cache_hit = mpstat->st_cache_hit; + perf->cache_try = mpstat->st_cache_hit + mpstat->st_cache_miss; + perf->page_create_rate = mpstat->st_page_create; +@@ -257,8 +256,6 @@ static SlapiLDBMPerfctrATMap perfctr_at_map[] = { + offsetof( performance_counters, log_write_rate ) }, + { SLAPI_LDBM_PERFCTR_AT_PREFIX "longest-chain-length", + offsetof( performance_counters, longest_chain_length ) }, +- { SLAPI_LDBM_PERFCTR_AT_PREFIX "objects-locked", +- offsetof( performance_counters, page_access_rate ) }, + { SLAPI_LDBM_PERFCTR_AT_PREFIX "page-create-rate", + offsetof( performance_counters, page_create_rate ) }, + { SLAPI_LDBM_PERFCTR_AT_PREFIX "page-read-rate", +diff --git a/ldap/servers/slapd/back-ldbm/perfctrs.h 
b/ldap/servers/slapd/back-ldbm/perfctrs.h +index 64c79e1..a6213ec 100644 +--- a/ldap/servers/slapd/back-ldbm/perfctrs.h ++++ b/ldap/servers/slapd/back-ldbm/perfctrs.h +@@ -32,7 +32,6 @@ struct _performance_counters { + uint64_t log_write_rate; + uint64_t log_bytes_since_checkpoint; + uint64_t cache_size_bytes; +- uint64_t page_access_rate; + uint64_t cache_hit; + uint64_t cache_try; + uint64_t page_create_rate; +-- +2.9.3 + diff --git a/SOURCES/0034-Ticket-48681-logconv.pl-fix-sasl-bind-stats.patch b/SOURCES/0034-Ticket-48681-logconv.pl-fix-sasl-bind-stats.patch new file mode 100644 index 0000000..9d63e57 --- /dev/null +++ b/SOURCES/0034-Ticket-48681-logconv.pl-fix-sasl-bind-stats.patch @@ -0,0 +1,41 @@ +From e9514af2fed9f882a8d11d509ffb99e49a304438 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 2 May 2017 16:49:59 -0400 +Subject: [PATCH] Ticket 48681 - logconv.pl - fix sasl/bind stats + +Description: Fixed the bind and sasl bind total counts, also adjusted the + v3 bind count to match the sasl bind. + +https://pagure.io/389-ds-base/issue/48681 + +Reviewed by: firstyear(Thanks!) + +(cherry picked from commit 770bf3a2341f1ea2e0778a6443b0f89ed77e73af) +--- + ldap/admin/src/logconv.pl | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl +index 96639f2..c30e175 100755 +--- a/ldap/admin/src/logconv.pl ++++ b/ldap/admin/src/logconv.pl +@@ -2533,6 +2533,7 @@ sub parseLineNormal + } + if (/ BIND / && /method=sasl/i){ + $saslBindCount++; ++ $bindCount++; + if ($_ =~ /mech=(.*)/i ){ + my $mech = $1; + $hashes->{saslmech}->{$mech}++; +@@ -2550,6 +2551,8 @@ sub parseLineNormal + if (/ RESULT err=14 tag=97 / && / SASL bind in progress/){ + # Drop the sasl bind count since this is step in the bind process + $saslBindCount--; ++ $bindCount--; ++ $v3BindCount--; + my ($conn, $op); + if ($_ =~ /conn= *([0-9A-Z]+) +op= *([0-9\-]+)/i){ + $conn = $1; +-- +2.9.3 + 
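Review bot: Dropping the `SLAPI_LDBM_PERFCTR_AT_PREFIX "objects-locked"` row from `perfctr_at_map` in perfctrs.c removes a published counter name, not only the mis-wired `page_access_rate` field behind it, and nothing in the patch records that for consumers. If monitoring or alerting reads that attribute (not visible here), it will silently disappear after the update; a line in the description or release notes would cover it. In perfctrs.h the member is taken out of the middle of `struct _performance_counters`, so every later member shifts; if the struct is ever shared between processes or builds (cannot be told from the hunk), a comment such as `/* page_access_rate removed (ticket 48989): layout changed */` would warn the next reader. Both `perfctrs_update` and the map continue outside the quoted context.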
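Review bot: The `$bindCount--` and `$v3BindCount--` added under `/ RESULT err=14 tag=97 /` run unconditionally, and the comment above them still explains only the SASL count. If the matching ` BIND ` line was never seen in this run (for example it sits in a rotated log that was not passed in; this is an assumption, since the rest of `parseLineNormal` is outside the hunk), the totals are under-counted and can go negative, which skews any bind statistics derived from the report. The `$v3BindCount` increment that this decrement is meant to cancel is not visible in the hunk either, so the pairing cannot be confirmed here. At minimum, extend the comment to `# SASL bind in progress: undo the BIND, v3 BIND and SASL counts taken for this intermediate step`.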
diff --git a/SOURCES/0034-Ticket-48954-replication-fails-because-anchorcsn-can.patch b/SOURCES/0034-Ticket-48954-replication-fails-because-anchorcsn-can.patch deleted file mode 100644 index 8cc9460..0000000 --- a/SOURCES/0034-Ticket-48954-replication-fails-because-anchorcsn-can.patch +++ /dev/null 
@@ -1,183 +0,0 @@ -From 1cd2d9b06b8bc006078ed26bb0d3cbe808681a86 Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Fri, 12 Aug 2016 14:06:21 +0200 -Subject: [PATCH 34/35] Ticket 48954 - replication fails because anchorcsn - cannot be found - -Bug Description: the anchorcsn is calculated based on supploier and consumer - ruv. If this csn is not found in the changelog - replication stops. - -Fix Description: Fix consists of two parts - 1. log start-iteration csn record for all replicas - after initialization - 2. If the csn still cannot be found - - log an error - - use the closest csn available by calling - cursor->c_get with DB_SET_RANGE instead of DB_SET - -https://fedorahosted.org/389/ticket/48954 - -Reviewed by: Noriko, Thierry. thanks - -(cherry picked from commit 0721856d5a203689c15ea66ffe6c94ce4d785bd7) ---- - ldap/servers/plugins/replication/cl5_clcache.c | 32 +++++++++++-- - ldap/servers/plugins/replication/repl5_replica.c | 58 ++++++++++++++++-------- - 2 files changed, 67 insertions(+), 23 deletions(-) - -diff --git a/ldap/servers/plugins/replication/cl5_clcache.c b/ldap/servers/plugins/replication/cl5_clcache.c -index 2d3bb28..74f0fec 100644 ---- a/ldap/servers/plugins/replication/cl5_clcache.c -+++ b/ldap/servers/plugins/replication/cl5_clcache.c -@@ -376,6 +376,7 @@ clcache_load_buffer_bulk ( CLC_Buffer *buf, int flag ) - DBC *cursor = NULL; - int rc = 0; - int tries = 0; -+ int use_flag = flag; - - #if 0 /* txn control seems not improving anything so turn it off */ - if ( *(_pool->pl_dbenv) ) { -@@ -400,20 +401,44 @@ clcache_load_buffer_bulk ( CLC_Buffer *buf, int flag ) - retry: - if ( 0 == ( rc = clcache_open_cursor ( txn, buf, &cursor )) ) { - -- if ( flag == DB_NEXT ) { -+ if ( use_flag == DB_NEXT ) { - /* For bulk read, position the cursor before read the next block */ - rc = cursor->c_get ( cursor, - & buf->buf_key, - & buf->buf_data, - DB_SET ); -+ if (rc == DB_NOTFOUND) { -+ /* the start position in the changelog is not found -+ * 1. 
log an error -+ * 2. try to find another starting position as close -+ * as possible -+ */ -+ slapi_log_error ( SLAPI_LOG_FATAL, "clcache_load_buffer_bulk", -+ "changelog record with csn (%s) not found for DB_NEXT\n", -+ (char *)buf->buf_key.data ); -+ rc = cursor->c_get ( cursor, & buf->buf_key, & buf->buf_data, -+ DB_SET_RANGE ); -+ /* this moves the cursor ahead of the tageted csn, -+ * so we achieved what was intended with DB_SET/DB_NEXT -+ * continute at this csn. -+ */ -+ use_flag = DB_CURRENT; -+ } - } - - /* - * Continue if the error is no-mem since we don't need to - * load in the key record anyway with DB_SET. - */ -- if ( 0 == rc || DB_BUFFER_SMALL == rc ) -- rc = clcache_cursor_get ( cursor, buf, flag ); -+ if ( 0 == rc || DB_BUFFER_SMALL == rc ) { -+ rc = clcache_cursor_get ( cursor, buf, use_flag ); -+ if ( rc == DB_NOTFOUND && use_flag == DB_SET) { -+ slapi_log_error ( SLAPI_LOG_FATAL, "clcache_load_buffer_bulk", -+ "changelog record with csn (%s) not found for DB_SET\n", -+ (char *)buf->buf_key.data ); -+ rc = clcache_cursor_get ( cursor, buf, DB_SET_RANGE ); -+ } -+ } - - } - -@@ -434,6 +459,7 @@ retry: - /* back off */ - interval = PR_MillisecondsToInterval(slapi_rand() % 100); - DS_Sleep(interval); -+ use_flag = flag; - goto retry; - } - if ((rc == DB_LOCK_DEADLOCK) && (tries >= MAX_TRIALS)) { -diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c -index b5d65ef..7360d97 100644 ---- a/ldap/servers/plugins/replication/repl5_replica.c -+++ b/ldap/servers/plugins/replication/repl5_replica.c -@@ -3794,41 +3794,59 @@ replica_remove_legacy_attr (const Slapi_DN *repl_root_sdn, const char *attr) - slapi_mods_done (&smods); - slapi_pblock_destroy (pb); - } -+typedef struct replinfo { -+ char *repl_gen; -+ char *repl_name; -+} replinfo; -+ -+static int -+replica_log_start_iteration(const ruv_enum_data *rid_data, void *data) -+{ -+ int rc = 0; -+ replinfo *r_info = (replinfo *)data; -+ 
slapi_operation_parameters op_params; -+ -+ if (rid_data->csn == NULL) return 0; -+ -+ memset (&op_params, 0, sizeof (op_params)); -+ op_params.operation_type = SLAPI_OPERATION_DELETE; -+ op_params.target_address.sdn = slapi_sdn_new_ndn_byval(START_ITERATION_ENTRY_DN); -+ op_params.target_address.uniqueid = START_ITERATION_ENTRY_UNIQUEID; -+ op_params.csn = csn_dup(rid_data->csn); -+ rc = cl5WriteOperation(r_info->repl_name, r_info->repl_gen, &op_params, PR_FALSE); -+ if (rc == CL5_SUCCESS) -+ rc = 0; -+ else -+ rc = -1; -+ -+ slapi_sdn_free(&op_params.target_address.sdn); -+ csn_free (&op_params.csn); -+ -+ return rc; -+} - - static int - replica_log_ruv_elements_nolock (const Replica *r) - { - int rc = 0; -- slapi_operation_parameters op_params; - RUV *ruv; - char *repl_gen; -- CSN *csn = NULL; -+ replinfo r_info; - - ruv = (RUV*) object_get_data (r->repl_ruv); - PR_ASSERT (ruv); - -- if ((ruv_get_min_csn(ruv, &csn) == RUV_SUCCESS) && csn) -- { - /* we log it as a delete operation to have the least number of fields - to set. the entry can be identified by a special target uniqueid and - special target dn */ -- memset (&op_params, 0, sizeof (op_params)); -- op_params.operation_type = SLAPI_OPERATION_DELETE; -- op_params.target_address.sdn = slapi_sdn_new_ndn_byval(START_ITERATION_ENTRY_DN); -- op_params.target_address.uniqueid = START_ITERATION_ENTRY_UNIQUEID; -- op_params.csn = csn; -- repl_gen = ruv_get_replica_generation (ruv); -- -- rc = cl5WriteOperation(r->repl_name, repl_gen, &op_params, PR_FALSE); -- if (rc == CL5_SUCCESS) -- rc = 0; -- else -- rc = -1; -+ repl_gen = ruv_get_replica_generation (ruv); - -- slapi_ch_free ((void**)&repl_gen); -- slapi_sdn_free(&op_params.target_address.sdn); -- csn_free (&csn); -- } -+ r_info.repl_name = r->repl_name; -+ r_info.repl_gen = repl_gen; -+ -+ rc = ruv_enumerate_elements(ruv, replica_log_start_iteration, &r_info); -+ -+ slapi_ch_free ((void**)&repl_gen); - - return rc; - } --- -2.4.11 - 
diff --git a/SOURCES/0035-Ticket-48956-ns-accountstatus.pl-showing-activated-u.patch b/SOURCES/0035-Ticket-48956-ns-accountstatus.pl-showing-activated-u.patch deleted file mode 100644 index 2a21292..0000000 --- a/SOURCES/0035-Ticket-48956-ns-accountstatus.pl-showing-activated-u.patch +++ /dev/null 
@@ -1,320 +0,0 @@ -From 3d1a6717b4b8c11dda68dd3d1a923acb2e6c5eeb Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Wed, 17 Aug 2016 16:46:47 +0200 -Subject: [PATCH 35/35] Ticket 48956 ns-accountstatus.pl showing "activated" - user even if it is inactivated - -Bug Description: - If the account policy DN is long (suffix is long), it is fold on several lines. - So when looking for it, the base DN is invalid and fail to retrieve it and the limit value. - -Fix Description: - Change the DSutil search to be in no fold - -https://fedorahosted.org/389/ticket/48956 - -Reviewed by: Noriko Hosoi (Thanks Noriko) - -Platforms tested: F23 - -Flag Day: no - -Doc impact: no - -(cherry picked from commit 3cce9f9188a38e1a5043c9659ecbc5955ddb0242) ---- - dirsrvtests/tests/tickets/ticket48956_test.py | 167 ++++++++++++++++++++++++++ - ldap/admin/src/scripts/DSUtil.pm.in | 34 +++--- - 2 files changed, 185 insertions(+), 16 deletions(-) - create mode 100644 dirsrvtests/tests/tickets/ticket48956_test.py - -diff --git a/dirsrvtests/tests/tickets/ticket48956_test.py b/dirsrvtests/tests/tickets/ticket48956_test.py -new file mode 100644 -index 0000000..291dd4e ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket48956_test.py -@@ -0,0 +1,167 @@ -+import os -+import sys -+import time -+import ldap -+import logging -+import pytest -+import subprocess -+from lib389 import DirSrv, Entry, tools, tasks -+from lib389.tools import DirSrvTools -+from lib389._constants import * -+from lib389.properties import * -+from lib389.tasks import * -+from lib389.utils import * -+ -+ -+DEBUGGING = False -+ -+RDN_LONG_SUFFIX = 'this' -+LONG_SUFFIX = "dc=%s,dc=is,dc=a,dc=very,dc=long,dc=suffix,dc=so,dc=long,dc=suffix,dc=extremely,dc=long,dc=suffix" % RDN_LONG_SUFFIX -+LONG_SUFFIX_BE = 'ticket48956' -+ -+ -+ACCT_POLICY_PLUGIN_DN = 'cn=%s,cn=plugins,cn=config' % PLUGIN_ACCT_POLICY -+ACCT_POLICY_CONFIG_DN = 'cn=config,%s' % ACCT_POLICY_PLUGIN_DN -+ -+ -+INACTIVITY_LIMIT = '9' -+SEARCHFILTER = '(objectclass=*)' 
-+ -+TEST_USER = 'ticket48956user' -+TEST_USER_PW = '%s' % TEST_USER -+ -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+ -+class TopologyStandalone(object): -+ """The DS Topology Class""" -+ def __init__(self, standalone): -+ """Init""" -+ standalone.open() -+ self.standalone = standalone -+ -+ -+@pytest.fixture(scope="module") -+def topology(request): -+ """Create DS Deployment""" -+ -+ # Creating standalone instance ... -+ if DEBUGGING: -+ standalone = DirSrv(verbose=True) -+ else: -+ standalone = DirSrv(verbose=False) -+ args_instance[SER_HOST] = HOST_STANDALONE -+ args_instance[SER_PORT] = PORT_STANDALONE -+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE -+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -+ args_standalone = args_instance.copy() -+ standalone.allocate(args_standalone) -+ instance_standalone = standalone.exists() -+ if instance_standalone: -+ standalone.delete() -+ standalone.create() -+ standalone.open() -+ -+ def fin(): -+ """If we are debugging just stop the instances, otherwise remove them -+ """ -+ if DEBUGGING: -+ standalone.stop() -+ else: -+ standalone.delete() -+ request.addfinalizer(fin) -+ -+ return TopologyStandalone(standalone) -+ -+def _check_status(topology, user, expected): -+ nsaccountstatus = '%s/sbin/ns-accountstatus.pl' % topology.standalone.prefix -+ proc = subprocess.Popen([nsaccountstatus, '-Z', 'standalone', '-D', DN_DM, '-w', PASSWORD, '-p', str(topology.standalone.port), '-I', user], stdout=subprocess.PIPE, stderr=subprocess.PIPE) -+ -+ found = False -+ while True: -+ l = proc.stdout.readline() -+ log.info("output: %s" % l) -+ if l == "": -+ break -+ if expected in l: -+ found = True -+ break -+ return found -+ -+def _check_inactivity(topology, mysuffix): -+ ACCT_POLICY_DN = 'cn=Account Inactivation Policy,%s' % mysuffix -+ log.info("\n######################### Adding Account Policy 
entry: %s ######################\n" % ACCT_POLICY_DN) -+ topology.standalone.add_s(Entry((ACCT_POLICY_DN, {'objectclass': "top ldapsubentry extensibleObject accountpolicy".split(), -+ 'accountInactivityLimit': INACTIVITY_LIMIT}))) -+ TEST_USER_DN = 'uid=%s,%s' % (TEST_USER, mysuffix) -+ log.info("\n######################### Adding Test User entry: %s ######################\n" % TEST_USER_DN) -+ topology.standalone.add_s(Entry((TEST_USER_DN, {'objectclass': "top person organizationalPerson inetOrgPerson".split(), -+ 'cn': TEST_USER, -+ 'sn': TEST_USER, -+ 'givenname': TEST_USER, -+ 'userPassword': TEST_USER_PW, -+ 'acctPolicySubentry': ACCT_POLICY_DN}))) -+ -+ # Setting the lastLoginTime -+ try: -+ topology.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PW) -+ except ldap.CONSTRAINT_VIOLATION as e: -+ log.error('CONSTRAINT VIOLATION ' + e.message['desc']) -+ topology.standalone.simple_bind_s(DN_DM, PASSWORD) -+ -+ -+ assert(_check_status(topology, TEST_USER_DN, '- activated')) -+ -+ time.sleep(int(INACTIVITY_LIMIT) + 5) -+ assert(_check_status(topology, TEST_USER_DN, '- inactivated (inactivity limit exceeded')) -+ -+def test_ticket48956(topology): -+ """Write your testcase here... -+ -+ Also, if you need any testcase initialization, -+ please, write additional fixture for that(include finalizer). 
-+ -+ """ -+ -+ topology.standalone.modify_s(ACCT_POLICY_PLUGIN_DN, [(ldap.MOD_REPLACE, 'nsslapd-pluginarg0', ACCT_POLICY_CONFIG_DN)]) -+ -+ topology.standalone.modify_s(ACCT_POLICY_CONFIG_DN, [(ldap.MOD_REPLACE, 'alwaysrecordlogin', 'yes'), -+ (ldap.MOD_REPLACE, 'stateattrname', 'lastLoginTime'), -+ (ldap.MOD_REPLACE, 'altstateattrname', 'createTimestamp'), -+ (ldap.MOD_REPLACE, 'specattrname', 'acctPolicySubentry'), -+ (ldap.MOD_REPLACE, 'limitattrname', 'accountInactivityLimit')]) -+ -+ # Enable the plugins -+ topology.standalone.plugins.enable(name=PLUGIN_ACCT_POLICY) -+ -+ topology.standalone.restart(timeout=10) -+ -+ # Check inactivity on standard suffix (short) -+ _check_inactivity(topology, SUFFIX) -+ -+ # Check inactivity on a long suffix -+ topology.standalone.backend.create(LONG_SUFFIX, {BACKEND_NAME: LONG_SUFFIX_BE}) -+ topology.standalone.mappingtree.create(LONG_SUFFIX, bename=LONG_SUFFIX_BE) -+ topology.standalone.add_s(Entry((LONG_SUFFIX, { -+ 'objectclass': "top domain".split(), -+ 'dc': RDN_LONG_SUFFIX}))) -+ _check_inactivity(topology, LONG_SUFFIX) -+ -+ -+ if DEBUGGING: -+ # Add debugging steps(if any)... -+ pass -+ -+ log.info('Test PASSED') -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in -index f53f0c0..756d6ea 100644 ---- a/ldap/admin/src/scripts/DSUtil.pm.in -+++ b/ldap/admin/src/scripts/DSUtil.pm.in -@@ -1201,8 +1201,10 @@ sub get_info { - my $toollib = `ldapsearch -V 2>&1`; - if ($toollib =~ /OpenLDAP/) { - $info{openldap} = "yes"; -+ $info{nofold} = "-o ldif-wrap=no"; - } else { - $info{openldap} = "no"; -+ $info{nofold} = "-T"; - } - - # -@@ -1537,10 +1539,10 @@ sub ldapsrch { - print "STARTTLS)\n"; - } - if($info{openldap} eq "yes"){ -- $search = "ldapsearch -x -LLL -ZZ -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw " . 
-+ $search = "ldapsearch -x -LLL -ZZ -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} " . - "$info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs}"; - } else { -- $search = "ldapsearch -ZZZ -P \"$info{certdir}\" -p $info{port} -h $info{host} -D \"$info{rootdn}\" " . -+ $search = "ldapsearch -ZZZ -P \"$info{certdir}\" -p $info{port} -h $info{host} -D \"$info{rootdn}\" $info{nofold} " . - "-w $myrootdnpw $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs}"; - } - } elsif (($info{security} eq "on" && $info{protocol} eq "") || ($info{security} eq "on" && $info{protocol} =~ m/LDAPS/i) ){ -@@ -1551,10 +1553,10 @@ sub ldapsrch { - print "LDAPS)\n"; - } - if($info{openldap} eq "yes"){ -- $search = "ldapsearch -x -LLL -H \"ldaps://$info{host}:$info{secure_port}\" -D \"$info{rootdn}\" " . -+ $search = "ldapsearch -x -LLL -H \"ldaps://$info{host}:$info{secure_port}\" -D \"$info{rootdn}\" $info{nofold} " . - "-w $myrootdnpw $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs}"; - } else { -- $search = "ldapsearch -Z -P \"$info{certdir}\" -p $info{secure_port} -h $info{host} -D \"$info{rootdn}\" " . -+ $search = "ldapsearch -Z -P \"$info{certdir}\" -p $info{secure_port} -h $info{host} -D \"$info{rootdn}\" $info{nofold} " . - "-w $myrootdnpw $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs}"; - } - } elsif (($info{openldap} eq "yes") && (($info{ldapi} eq "on" && $info{protocol} eq "") || ($info{ldapi} eq "on" && $info{protocol} =~ m/LDAPI/i)) ){ -@@ -1562,10 +1564,10 @@ sub ldapsrch { - # LDAPI - # - if ($< == 0 && $info{autobind} eq "on"){ -- $search = "ldapsearch -LLL -H \"$info{ldapiURL}\" -Y EXTERNAL " . -+ $search = "ldapsearch -LLL -H \"$info{ldapiURL}\" -Y EXTERNAL $info{nofold} " . 
- "$info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} 2>/dev/null"; - } else { -- $search = "ldapsearch -x -LLL -H \"$info{ldapiURL}\" -D \"$info{rootdn}\" -w $myrootdnpw " . -+ $search = "ldapsearch -x -LLL -H \"$info{ldapiURL}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} " . - "$info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs}"; - } - } else { -@@ -1576,10 +1578,10 @@ sub ldapsrch { - print "LDAP)\n"; - } - if($info{openldap} eq "yes"){ -- $search = "ldapsearch -x -LLL -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw " . -+ $search = "ldapsearch -x -LLL -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} " . - "$info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs}"; - } else { -- $search = "ldapsearch -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw " . -+ $search = "ldapsearch -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} " . 
- "$info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs}"; - } - } -@@ -1611,9 +1613,9 @@ sub ldapsrch_ext { - print "STARTTLS)\n"; - } - if($info{openldap} eq "yes"){ -- return `ldapsearch -x -LLL -ZZ -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; -+ return `ldapsearch -x -LLL -ZZ -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; - } else { -- return `ldapsearch -ZZZ -P $info{certdir} -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; -+ return `ldapsearch -ZZZ -P $info{certdir} -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; - } - } elsif (($info{security} eq "on" && $info{protocol} eq "") || ($info{security} eq "on" && $info{protocol} =~ m/LDAPS/i) ){ - # -@@ -1623,18 +1625,18 @@ sub ldapsrch_ext { - print "LDAPS)\n"; - } - if($info{openldap} eq "yes"){ -- return `ldapsearch -x -LLL -H ldaps://$info{host}:$info{secure_port} -D \"$info{rootdn}\" -w $myrootdnpw $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; -+ return `ldapsearch -x -LLL -H ldaps://$info{host}:$info{secure_port} -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; - } else { -- return `ldapsearch -Z -P $info{certdir} -p $info{secure_port} -D \"$info{rootdn}\" -w $myrootdnpw $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; -+ return `ldapsearch -Z -P $info{certdir} -p 
$info{secure_port} -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; - } - } elsif (($info{openldap} eq "yes") && (($info{ldapi} eq "on" && $info{protocol} eq "") || ($info{ldapi} eq "on" && $info{protocol} =~ m/LDAPI/i)) ){ - # - # LDAPI - # - if ($< == 0 && $info{autobind} eq "on"){ -- return `ldapsearch -LLL -H \"$info{ldapiURL}\" -Y EXTERNAL $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect} 2>/dev/null`; -+ return `ldapsearch -LLL -H \"$info{ldapiURL}\" -Y EXTERNAL $info{nofold} $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect} 2>/dev/null`; - } else { -- return `ldapsearch -x -LLL -H \"$info{ldapiURL}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; -+ return `ldapsearch -x -LLL -H \"$info{ldapiURL}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; - } - } else { - # -@@ -1644,9 +1646,9 @@ sub ldapsrch_ext { - print "LDAP)\n"; - } - if($info{openldap} eq "yes"){ -- return `ldapsearch -x -LLL -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; -+ return `ldapsearch -x -LLL -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; - } else { -- return `ldapsearch -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{srch_args} -b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; -+ return `ldapsearch -p $info{port} -h $info{host} -D \"$info{rootdn}\" -w $myrootdnpw $info{nofold} $info{srch_args} 
-b \"$info{base}\" -s $info{scope} \"$info{filter}\" $info{attrs} $info{redirect}`; - } - } - } --- -2.4.11 - diff --git a/SOURCES/0035-Ticket-49241-Update-man-page-and-usage-for-db2bak.pl.patch b/SOURCES/0035-Ticket-49241-Update-man-page-and-usage-for-db2bak.pl.patch new file mode 100644 index 0000000..6cd8932 --- /dev/null +++ b/SOURCES/0035-Ticket-49241-Update-man-page-and-usage-for-db2bak.pl.patch 
@@ -0,0 +1,51 @@ +From cdcc387f6f1287da1edda418d746e6c2c772e5bd Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Thu, 4 May 2017 15:44:51 -0400 +Subject: [PATCH] Ticket 49241 - Update man page and usage for db2bak.pl + +Description: The usage and man page should state thtthe backup directory + is actually a symlink to the the server's backup directory. + Otherwise it is misleading, and could eventaully lead to + diskspace issues. + +https://pagure.io/389-ds-base/issue/49241 + +Reviewed by: firstyear(Thanks!) + +(cherry picked from commit 0804c43991fa29ef7bd946b3e5a37844e2b87da4) +--- + ldap/admin/src/scripts/db2bak.pl.in | 4 ++-- + man/man8/db2bak.pl.8 | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ldap/admin/src/scripts/db2bak.pl.in b/ldap/admin/src/scripts/db2bak.pl.in +index c73caa1..73d4187 100644 +--- a/ldap/admin/src/scripts/db2bak.pl.in ++++ b/ldap/admin/src/scripts/db2bak.pl.in +@@ -33,8 +33,8 @@ sub usage { + print(STDERR " -w - - Prompt for Directory Manager's password\n"); + print(STDERR " -Z serverID - Server instance identifier\n"); + print(STDERR " -j filename - Read Directory Manager's password from file\n"); +- print(STDERR " -A backupdir - Backup directory (backupdir/ID-)\n"); +- print(STDERR " -a backupdir - Backup directory\n"); ++ print(STDERR " -A backupdir - Backup directory symlink(backupdir/ID-)\n"); ++ print(STDERR " -a backupdir - Backup directory symlink\n"); + print(STDERR " -t dbtype - Database type (default: ldbm database)\n"); + print(STDERR " -P protocol - STARTTLS, LDAPS, LDAPI, LDAP (default: uses most secure protocol available)\n"); + print(STDERR " -h - Display usage\n"); +diff --git a/man/man8/db2bak.pl.8 b/man/man8/db2bak.pl.8 +index a752885..c51ccae 100644 +--- a/man/man8/db2bak.pl.8 ++++ b/man/man8/db2bak.pl.8 +@@ -47,7 +47,7 @@ The name of the file that contains the root DN password. + The backend database type (default: ldbm database). 
+ .TP + .B \fB\-a\fR \fIbackupdir\fR +-The directory where the backup should be stored. ++The directory where the backup should be stored. This directory is a symbolic link to the actual backup files located under "nsslapd-bakdir" directory that is set in the "cn=config" entry. + .TP + .B \fB\-A\fR \fIbackupdir\fR + This is similar to \fB-a\fR, except that a sub-directory of \fIbackupdir\fR will be created for the backup, and the name of the sub-directory will be a timestamp of the form \fIserver-instance-date_time\fR. +-- +2.9.3 + diff --git a/SOURCES/0036-Ticket-48958-Audit-fail-log-doesn-t-work-if-audit-lo.patch b/SOURCES/0036-Ticket-48958-Audit-fail-log-doesn-t-work-if-audit-lo.patch deleted file mode 100644 index f48a0e5..0000000 --- a/SOURCES/0036-Ticket-48958-Audit-fail-log-doesn-t-work-if-audit-lo.patch +++ /dev/null 
@@ -1,212 +0,0 @@ -From 4525faed1a8cb985596c0617abc6ce32fb85b7c2 Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Fri, 19 Aug 2016 12:49:17 +1000 -Subject: [PATCH 36/45] Ticket 48958 - Audit fail log doesn't work if audit log - disabled. - -Bug Description: Due to a configuration interpretation issue, when audit was -not enabled, but auditfail was with no log defined, the fail log should write to -the audit log location on failed events, but audit events should not be written. -This did not work. - -Fix Description: This was because when we wrote to the audit file in the -abscence of the auditfail log, the audit enabled state was checked. This adds a -check to determine what the source event was from, and to check the correct log -enabled state during the event processing. - -https://fedorahosted.org/389/ticket/48958 - -Author: wibrown - -Review by: nhosoi (Thank you!) - -(cherry picked from commit 5fed8021a0487c092af6038d4a7dcce1ef3fab75) ---- - ldap/servers/slapd/auditlog.c | 15 +++++---- - ldap/servers/slapd/log.c | 71 ++++++++++++++++++++++++----------------- - ldap/servers/slapd/proto-slap.h | 4 +-- - 3 files changed, 53 insertions(+), 37 deletions(-) - -diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c -index 0f4cc94..ec7111b 100644 ---- a/ldap/servers/slapd/auditlog.c -+++ b/ldap/servers/slapd/auditlog.c -@@ -33,7 +33,7 @@ static int audit_hide_unhashed_pw = 1; - static int auditfail_hide_unhashed_pw = 1; - - /* Forward Declarations */ --static void write_audit_file(int logtype, int optype, const char *dn, void *change, int flag, time_t curtime, int rc ); -+static void write_audit_file(int logtype, int optype, const char *dn, void *change, int flag, time_t curtime, int rc, int sourcelog ); - - static const char *modrdn_changes[4]; - -@@ -98,7 +98,7 @@ write_audit_log_entry( Slapi_PBlock *pb ) - curtime = current_time(); - /* log the raw, unnormalized DN */ - dn = slapi_sdn_get_udn(sdn); -- write_audit_file(SLAPD_AUDIT_LOG, 
operation_get_type(op), dn, change, flag, curtime, LDAP_SUCCESS); -+ write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, LDAP_SUCCESS, SLAPD_AUDIT_LOG); - } - - void -@@ -169,10 +169,10 @@ write_auditfail_log_entry( Slapi_PBlock *pb ) - auditfail_config = config_get_auditfaillog(); - if (auditfail_config == NULL || strlen(auditfail_config) == 0) { - /* If no auditfail log write to audit log */ -- write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc); -+ write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc, SLAPD_AUDITFAIL_LOG); - } else { - /* If we have our own auditfail log path */ -- write_audit_file(SLAPD_AUDITFAIL_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc); -+ write_audit_file(SLAPD_AUDITFAIL_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc, SLAPD_AUDITFAIL_LOG); - } - slapi_ch_free_string(&auditfail_config); - } -@@ -181,6 +181,7 @@ write_auditfail_log_entry( Slapi_PBlock *pb ) - /* - * Function: write_audit_file - * Arguments: -+ * logtype - Destination where the message will go. - * optype - type of LDAP operation being logged - * dn - distinguished name of entry being changed - * change - pointer to the actual change operation -@@ -188,6 +189,7 @@ write_auditfail_log_entry( Slapi_PBlock *pb ) - * flag - only used by modrdn operations - value of deleteoldrdn flag - * curtime - the current time - * rc - The ldap result code. 
Used in conjunction with auditfail -+ * sourcelog - The source of the message (audit or auditfail) - * Returns: nothing - */ - static void -@@ -198,7 +200,8 @@ write_audit_file( - void *change, - int flag, - time_t curtime, -- int rc -+ int rc, -+ int sourcelog - ) - { - LDAPMod **mods; -@@ -359,7 +362,7 @@ write_audit_file( - switch (logtype) - { - case SLAPD_AUDIT_LOG: -- slapd_log_audit (l->ls_buf, l->ls_len); -+ slapd_log_audit (l->ls_buf, l->ls_len, sourcelog); - break; - case SLAPD_AUDITFAIL_LOG: - slapd_log_auditfail (l->ls_buf, l->ls_len); -diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c -index a16c395..ae8b5f8 100644 ---- a/ldap/servers/slapd/log.c -+++ b/ldap/servers/slapd/log.c -@@ -1962,14 +1962,26 @@ auditfail_log_openf( char *pathname, int locked) - - int - slapd_log_audit ( -- char *buffer, -- int buf_len) -+ char *buffer, -+ int buf_len, -+ int sourcelog) - { - /* We use this to route audit log entries to where they need to go */ - int retval = LDAP_SUCCESS; - int lbackend = loginfo.log_backend; /* We copy this to make these next checks atomic */ -+ -+ int state = 0; -+ if (sourcelog == SLAPD_AUDIT_LOG) { -+ state = loginfo.log_audit_state; -+ } else if (sourcelog == SLAPD_AUDITFAIL_LOG ) { -+ state = loginfo.log_auditfail_state; -+ } else { -+ /* How did we even get here! 
*/ -+ return 1; -+ } -+ - if (lbackend & LOGGING_BACKEND_INTERNAL) { -- retval = slapd_log_audit_internal(buffer, buf_len); -+ retval = slapd_log_audit_internal(buffer, buf_len, state); - } - - if (retval != LDAP_SUCCESS) { -@@ -1989,33 +2001,34 @@ slapd_log_audit ( - - int - slapd_log_audit_internal ( -- char *buffer, -- int buf_len) -+ char *buffer, -+ int buf_len, -+ int state) - { -- if ( (loginfo.log_audit_state & LOGGING_ENABLED) && (loginfo.log_audit_file != NULL) ){ -- LOG_AUDIT_LOCK_WRITE( ); -- if (log__needrotation(loginfo.log_audit_fdes, -- SLAPD_AUDIT_LOG) == LOG_ROTATE) { -- if (log__open_auditlogfile(LOGFILE_NEW, 1) != LOG_SUCCESS) { -- LDAPDebug(LDAP_DEBUG_ANY, -- "LOGINFO: Unable to open audit file:%s\n", -- loginfo.log_audit_file,0,0); -- LOG_AUDIT_UNLOCK_WRITE(); -- return 0; -- } -- while (loginfo.log_audit_rotationsyncclock <= loginfo.log_audit_ctime) { -- loginfo.log_audit_rotationsyncclock += PR_ABS(loginfo.log_audit_rotationtime_secs); -- } -- } -- if (loginfo.log_audit_state & LOGGING_NEED_TITLE) { -- log_write_title( loginfo.log_audit_fdes); -- loginfo.log_audit_state &= ~LOGGING_NEED_TITLE; -- } -- LOG_WRITE_NOW_NO_ERR(loginfo.log_audit_fdes, buffer, buf_len, 0); -- LOG_AUDIT_UNLOCK_WRITE(); -- return 0; -- } -- return 0; -+ if ( (state & LOGGING_ENABLED) && (loginfo.log_audit_file != NULL) ){ -+ LOG_AUDIT_LOCK_WRITE( ); -+ if (log__needrotation(loginfo.log_audit_fdes, -+ SLAPD_AUDIT_LOG) == LOG_ROTATE) { -+ if (log__open_auditlogfile(LOGFILE_NEW, 1) != LOG_SUCCESS) { -+ LDAPDebug(LDAP_DEBUG_ANY, -+ "LOGINFO: Unable to open audit file:%s\n", -+ loginfo.log_audit_file,0,0); -+ LOG_AUDIT_UNLOCK_WRITE(); -+ return 0; -+ } -+ while (loginfo.log_audit_rotationsyncclock <= loginfo.log_audit_ctime) { -+ loginfo.log_audit_rotationsyncclock += PR_ABS(loginfo.log_audit_rotationtime_secs); -+ } -+ } -+ if (state & LOGGING_NEED_TITLE) { -+ log_write_title( loginfo.log_audit_fdes); -+ state &= ~LOGGING_NEED_TITLE; -+ } -+ 
LOG_WRITE_NOW_NO_ERR(loginfo.log_audit_fdes, buffer, buf_len, 0); -+ LOG_AUDIT_UNLOCK_WRITE(); -+ return 0; -+ } -+ return 0; - } - /****************************************************************************** - * write in the audit fail log -diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h -index 6bc1065..1f37010 100644 ---- a/ldap/servers/slapd/proto-slap.h -+++ b/ldap/servers/slapd/proto-slap.h -@@ -766,8 +766,8 @@ int slapi_log_access( int level, char *fmt, ... ) - #else - ; - #endif --int slapd_log_audit(char *buffer, int buf_len); --int slapd_log_audit_internal(char *buffer, int buf_len); -+int slapd_log_audit(char *buffer, int buf_len, int sourcelog); -+int slapd_log_audit_internal(char *buffer, int buf_len, int state); - int slapd_log_auditfail(char *buffer, int buf_len); - int slapd_log_auditfail_internal(char *buffer, int buf_len); - void log_access_flush(); --- -2.4.11 - diff --git a/SOURCES/0036-Ticket-7662-db2index-not-properly-evalauating-argume.patch b/SOURCES/0036-Ticket-7662-db2index-not-properly-evalauating-argume.patch new file mode 100644 index 0000000..a088384 --- /dev/null +++ b/SOURCES/0036-Ticket-7662-db2index-not-properly-evalauating-argume.patch 
@@ -0,0 +1,72 @@
+From 0ac013079796cafb119379e40f24559187935851 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Wed, 3 May 2017 14:50:15 -0400
+Subject: [PATCH] Ticket 7662 - db2index not properly evalauating arguments
+
+Description: Fix a regression where the argument count gets adjusted
+ before it is checked for errors. The fix is to copy the
+ number before we shift the arguments, and use that copy
+ for the usage check.
+
+https://pagure.io/389-ds-base/issue/47662
+
+Reviewed by: firstyear(Thanks!)
+
+(cherry picked from commit 46011e24580fcee2f438506f91b9fc119306defc)
+---
+ ldap/admin/src/scripts/db2index.in | 11 ++++++-----
+ ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 2 +-
+ 2 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/ldap/admin/src/scripts/db2index.in b/ldap/admin/src/scripts/db2index.in
+index fec082e..04183d3 100755
+--- a/ldap/admin/src/scripts/db2index.in
++++ b/ldap/admin/src/scripts/db2index.in
+@@ -52,6 +52,7 @@ do
+ esac
+ done
+
++argnum=$#
+ shift $(($OPTIND - 1))
+ if [ $1 ]
+ then
+@@ -71,18 +72,18 @@ fi
+
+ idxall=0
+ print_usage=0
+-if [ -z $servid ] && [ $# -eq 0 ]; then
++if [ -z $servid ] && [ $argnum -eq 0 ]; then
+ idxall=1
+-elif [ "$servid" ] && [ $# -eq 2 ]; then
++elif [ "$servid" ] && [ $argnum -eq 2 ]; then
+ idxall=1
+ elif [ -z $benameopt ] && [ -z $includeSuffix ]; then
+ print_usage=1
+ fi
+-if [ -z $servid ] && [ $# -lt 2 ]; then
++if [ -z $servid ] && [ $argnum -lt 2 ]; then
+ print_usage=1
+-elif [ -n "$servid" ] && [ $# -lt 4 ]; then
++elif [ -n "$servid" ] && [ $argnum -lt 4 ]; then
+ print_usage=1
+-elif [ -n "$servid" ] && [ $# -eq 4 ]; then
++elif [ -n "$servid" ] && [ $argnum -eq 4 ]; then
+ idxall=1
+ fi
+
+diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+index f8fed7c..a0710f7 100644
+--- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
++++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+@@ -3225,7 +3225,7 @@ upgradedb_core(Slapi_PBlock *pb, ldbm_instance *inst)
+ run_from_cmdline = (task_flags & SLAPI_TASK_RUNNING_FROM_COMMANDLINE);
+
+ be = inst->inst_be;
+- slapi_log_err(SLAPI_LOG_ERR, "upgradedb_core",
++ slapi_log_err(SLAPI_LOG_INFO, "upgradedb_core",
+ "%s: Start upgradedb.\n", inst->inst_name);
+
+ if (!run_from_cmdline)
+--
+2.9.3
+
diff --git a/SOURCES/0037-Ticket-48960-Crash-in-import_wait_for_space_in_fifo.patch b/SOURCES/0037-Ticket-48960-Crash-in-import_wait_for_space_in_fifo.patch
deleted file mode 100644
index 07ea823..0000000
--- a/SOURCES/0037-Ticket-48960-Crash-in-import_wait_for_space_in_fifo.patch
+++ /dev/null
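Review bot: The rewritten usage checks in db2index.in still expand `$servid` unquoted in `[ -z $servid ] && [ $argnum -eq 0 ]` and `[ -z $servid ] && [ $argnum -lt 2 ]`, while the neighbouring branches already write `[ -n "$servid" ]`. A value containing whitespace or a glob character is split into several words there, and `[` then fails with a syntax error instead of reaching the usage message; the `[ $1 ]` test after the `shift` and the `$benameopt`/`$includeSuffix` tests have the same weakness. Since these lines are being edited anyway, I would write `if [ -z "$servid" ] && [ "$argnum" -eq 0 ]; then` and `if [ -z "$servid" ] && [ "$argnum" -lt 2 ]; then`. A one-line comment on `argnum=$#`, such as `# total argument count, options included, taken before shift`, would explain why it is later compared with 2 and 4.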
@@ -1,88 +0,0 @@ -From b20743a90c1eac752341d19a283e7d3ebf07ac10 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Fri, 19 Aug 2016 14:32:47 +0200 -Subject: [PATCH 37/45] Ticket 48960 Crash in import_wait_for_space_in_fifo(). - -Bug Description: - At online total import on a consumer, the total import startup - function allocates a fifo queue and monitor the overall import. - This queue contain the entries later received during import. - - When monitoring ends (import complete or error) it frees - the queue. - - Under error condition, there is a possibility that monitoring - ends while entries are still received (bulk_import_queue). - So there is a risk that the received entries will be added into - the queue at the same time the monitoring thread frees the queue - -Fix Description: - The thread storing the entries into the queue runs while - holding the job->wire_lock. - - To prevent the monitoring thread to frees the queue under - bulk_import_queue, make sure to acquire job->wire_lock - before calling import_free_job - -https://fedorahosted.org/389/ticket/48960 - -Reviewed by: Mark Reynolds (thanks Mark !) 
- -Platforms tested: F23 - -Flag Day: no - -Doc impact: no - -(cherry picked from commit 776d94214295cc95f9a906d4bb6268397a6bf091) ---- - ldap/servers/slapd/back-ldbm/import-threads.c | 5 +++++ - ldap/servers/slapd/back-ldbm/import.c | 15 ++++++++++++++- - 2 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c -index 1759478..c3fca2b 100644 ---- a/ldap/servers/slapd/back-ldbm/import-threads.c -+++ b/ldap/servers/slapd/back-ldbm/import-threads.c -@@ -3201,6 +3201,11 @@ static int bulk_import_queue(ImportJob *job, Slapi_Entry *entry) - return -1; - } - -+ /* The import is aborted, just ignore that entry */ -+ if(job->flags & FLAG_ABORT) { -+ return -1; -+ } -+ - PR_Lock(job->wire_lock); - /* Let's do this inside the lock !*/ - id = job->lead_ID + 1; -diff --git a/ldap/servers/slapd/back-ldbm/import.c b/ldap/servers/slapd/back-ldbm/import.c -index 9b6ae0d..78aefbf 100644 ---- a/ldap/servers/slapd/back-ldbm/import.c -+++ b/ldap/servers/slapd/back-ldbm/import.c -@@ -408,8 +408,21 @@ void import_free_job(ImportJob *job) - - ldbm_back_free_incl_excl(job->include_subtrees, job->exclude_subtrees); - charray_free(job->input_filenames); -- if (job->fifo.size) -+ if (job->fifo.size) { -+ /* bulk_import_queue is running, while holding the job lock. -+ * bulk_import_queue is using the fifo queue. -+ * To avoid freeing fifo queue under bulk_import_queue use -+ * job lock to synchronize -+ */ -+ if (job->wire_lock) -+ PR_Lock(job->wire_lock); -+ - import_fifo_destroy(job); -+ -+ if (job->wire_lock) -+ PR_Unlock(job->wire_lock); -+ } -+ - if (NULL != job->uuid_namespace) - slapi_ch_free((void **)&job->uuid_namespace); - if (job->wire_lock) --- -2.4.11 - diff --git a/SOURCES/0037-Ticket-49075-Adjust-logging-severity-levels.patch b/SOURCES/0037-Ticket-49075-Adjust-logging-severity-levels.patch new file mode 100644 index 0000000..8f0890d --- /dev/null 
+++ b/SOURCES/0037-Ticket-49075-Adjust-logging-severity-levels.patch 
@@ -0,0 +1,71 @@ +From d3771cf05358c0230c8c77d7f7dabe9219ea7c8c Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 3 May 2017 14:37:11 -0400 +Subject: [PATCH] Ticket 49075 - Adjust logging severity levels + +Description: There are places wherre we log a severity "ERR", + when in fact it is a benign message. + +https://pagure.io/389-ds-base/issue/49075 + +Reviewed by: firstyear(Thanks!) + +(cherry picked from commit 0762e393850f54ce8462c45321b3db084bd8a0e1) +--- + ldap/servers/slapd/back-ldbm/ldbm_instance_config.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c +index 36d830d..55f1887 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c +@@ -118,10 +118,12 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in + + if (sane == UTIL_CACHESIZE_ERROR){ + slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: unable to determine system memory limits."); +- slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "Enable to determine system memory limits.\n"); ++ slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", ++ "Enable to determine system memory limits.\n"); + return LDAP_UNWILLING_TO_PERFORM; + } else if (sane == UTIL_CACHESIZE_REDUCED) { +- slapi_log_err(SLAPI_LOG_WARNING, "ldbm_instance_config_cachememsize_set", "delta +%"PRIu64" of request %"PRIu64" reduced to %"PRIu64"\n", delta_original, val, delta); ++ slapi_log_err(SLAPI_LOG_WARNING, "ldbm_instance_config_cachememsize_set", ++ "delta +%"PRIu64" of request %"PRIu64" reduced to %"PRIu64"\n", delta_original, val, delta); + /* + * This works as: value = 100 + * delta_original to inst, 20; +@@ -133,7 +135,8 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in + } + } + if 
(inst->inst_cache.c_maxsize < MINCACHESIZE || val < MINCACHESIZE) { +- slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachememsize_set", "force a minimal value %"PRIu64"\n", MINCACHESIZE); ++ slapi_log_err(SLAPI_LOG_INFO, "ldbm_instance_config_cachememsize_set", ++ "force a minimal value %"PRIu64"\n", MINCACHESIZE); + /* This value will trigger an autotune next start up, but it should increase only */ + val = MINCACHESIZE; + } +@@ -1134,7 +1137,7 @@ ldbm_instance_post_delete_instance_entry_callback(Slapi_PBlock *pb, Slapi_Entry* + return SLAPI_DSE_CALLBACK_ERROR; + } + +- slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_post_delete_instance_entry_callback", ++ slapi_log_err(SLAPI_LOG_INFO, "ldbm_instance_post_delete_instance_entry_callback", + "Removing '%s'.\n", instance_name); + + cache_destroy_please(&inst->inst_cache, CACHE_TYPE_ENTRY); +@@ -1171,9 +1174,9 @@ ldbm_instance_post_delete_instance_entry_callback(Slapi_PBlock *pb, Slapi_Entry* + dbp = PR_smprintf("%s/%s", inst_dirp, direntry->name); + if (NULL == dbp) { + slapi_log_err(SLAPI_LOG_ERR, +- "ldbm_instance_post_delete_instance_entry_callback", +- "Failed to generate db path: %s/%s\n", +- inst_dirp, direntry->name); ++ "ldbm_instance_post_delete_instance_entry_callback", ++ "Failed to generate db path: %s/%s\n", ++ inst_dirp, direntry->name); + break; + } + +-- +2.9.3 + diff --git a/SOURCES/0038-Bugzilla-1368956-man-page-of-ns-accountstatus.pl-sho.patch b/SOURCES/0038-Bugzilla-1368956-man-page-of-ns-accountstatus.pl-sho.patch deleted file mode 100644 index fd34e7e..0000000 --- a/SOURCES/0038-Bugzilla-1368956-man-page-of-ns-accountstatus.pl-sho.patch +++ /dev/null 
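Review bot: The reflowed error log in `ldbm_instance_config_cachememsize_set` still reads `"Enable to determine system memory limits.\n"`, while the text written to `errorbuf` one line earlier says "unable to determine"; since the call is being touched, it should become `"Unable to determine system memory limits.\n"` so both messages can be searched with the same phrase. The message `"force a minimal value %"PRIu64"\n"` passes `MINCACHESIZE` to a `PRIu64` conversion, and the macro's definition is not visible in this hunk, so it is worth confirming that it has a 64-bit unsigned type or adding a `(uint64_t)` cast. That same message is lowered to `SLAPI_LOG_INFO` although it reports that an administrator-supplied value was overridden, which reads more like `SLAPI_LOG_WARNING`. The functions start and end outside the hunks.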
@@ -1,54 +0,0 @@ -From 0927945fa67133654ec8d8178ffcfe0c20103454 Mon Sep 17 00:00:00 2001 -From: kamlesh -Date: Mon, 22 Aug 2016 14:20:27 +0530 -Subject: [PATCH 38/45] Bugzilla: 1368956 man page of ns-accountstatus.pl shows - redundant entries for -p port option - - Bug Description: - Description of problem: - man page of ns-accountstatus.pl contain redundant entries for -p option - - -p port - Port number of the Directory Server. - - -p port - Port number of the Directory Server. - - -p port - Port number of the Directory Server. - - Fix Description: - Delete the redundant entrys - - Platforms tested: RHEL7.3 - - Flag Day: no - - Doc impact: yes - -Signed-off-by: kamlesh -(cherry picked from commit 370a70c431d5f235d4371e4cb080215ac4500b6c) ---- - man/man8/ns-accountstatus.pl.8 | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/man/man8/ns-accountstatus.pl.8 b/man/man8/ns-accountstatus.pl.8 -index be3a8e9..9ffc4d3 100644 ---- a/man/man8/ns-accountstatus.pl.8 -+++ b/man/man8/ns-accountstatus.pl.8 -@@ -57,12 +57,6 @@ Host name of the Directory Server. - .B \fB\-p\fR \fIport\fR - Port number of the Directory Server. - .TP --.B \fB\-p\fR \fIport\fR --Port number of the Directory Server. --.TP --.B \fB\-p\fR \fIport\fR --Port number of the Directory Server. --.TP - .B \fB\-b\fR \fIbasedn\fR - The suffix DN from which to search from. - .TP --- -2.4.11 - diff --git a/SOURCES/0038-Ticket-49231-Fix-backport-issue.patch b/SOURCES/0038-Ticket-49231-Fix-backport-issue.patch new file mode 100644 index 0000000..ba41c98 --- /dev/null +++ b/SOURCES/0038-Ticket-49231-Fix-backport-issue.patch 
@@ -0,0 +1,62 @@
+From e0d5f86c9410bd29c0e4636d3072b24228e60128 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Fri, 5 May 2017 14:58:13 -0400
+Subject: [PATCH] Ticket 49231 - Fix backport issue
+
+Description: The cherry-pick was incorrect, and caused a crash
+---
+ ldap/servers/slapd/saslbind.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
+index 6e544e6..8d23c52 100644
+--- a/ldap/servers/slapd/saslbind.c
++++ b/ldap/servers/slapd/saslbind.c
+@@ -759,26 +759,26 @@ char **ids_sasl_listmech(Slapi_PBlock *pb)
+ /* hard-wired mechanisms and slapi plugin registered mechanisms */
+ sup_ret = slapi_get_supported_saslmechanisms_copy();
+
+- if (pb->pb_conn == NULL) return ret;
++ /* If we have a connection, get the provided list from SASL */
++ if (pb->pb_conn != NULL) {
++ sasl_conn = (sasl_conn_t*)pb->pb_conn->c_sasl_conn;
+
+- sasl_conn = (sasl_conn_t*)pb->pb_conn->c_sasl_conn;
+- if (sasl_conn == NULL) return ret;
+-
+- /* sasl library mechanisms are connection dependent */
+- PR_EnterMonitor(pb->pb_conn->c_mutex);
+- if (sasl_listmech(sasl_conn,
+- NULL, /* username */
+- "", ",", "",
+- &str, NULL, NULL) == SASL_OK) {
+- slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_listmech", "sasl library mechs: %s\n", str);
+- /* merge into result set */
+- dupstr = slapi_ch_strdup(str);
+- others = slapi_str2charray_ext(dupstr, ",", 0 /* don't list duplicate mechanisms */);
+- charray_merge(&ret, others, 1);
+- charray_free(others);
+- slapi_ch_free((void**)&dupstr);
++ /* sasl library mechanisms are connection dependent */
++ PR_EnterMonitor(pb->pb_conn->c_mutex);
++ if (sasl_listmech(sasl_conn,
++ NULL, /* username */
++ "", ",", "",
++ &str, NULL, NULL) == SASL_OK) {
++ slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_listmech", "sasl library mechs: %s\n", str);
++ /* merge into result set */
++ dupstr = slapi_ch_strdup(str);
++ others = slapi_str2charray_ext(dupstr, ",", 0 /* don't list duplicate mechanisms */);
++ charray_merge(&ret, others, 1);
++ charray_free(others);
++ slapi_ch_free((void**)&dupstr);
++ }
++ PR_ExitMonitor(pb->pb_conn->c_mutex);
+ }
+- PR_ExitMonitor(pb->pb_conn->c_mutex);
+
+ /* Get the servers "allowed" list */
+ config_ret = config_get_allowed_sasl_mechs_array();
+--
+2.9.3
+
diff --git a/SOURCES/0039-Ticket-48964-cleanAllRUV-changelog-purging-incorrect.patch b/SOURCES/0039-Ticket-48964-cleanAllRUV-changelog-purging-incorrect.patch
deleted file mode 100644
index e45ee51..0000000
--- a/SOURCES/0039-Ticket-48964-cleanAllRUV-changelog-purging-incorrect.patch
+++ /dev/null
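Review bot: The new `if (pb->pb_conn != NULL)` block in `ids_sasl_listmech` drops the old `if (sasl_conn == NULL) return ret;` guard without a replacement, so `sasl_listmech()` is now called with whatever `c_sasl_conn` holds, including NULL, and the outcome depends on the SASL library rejecting a null handle. `c_sasl_conn` is also read before `PR_EnterMonitor(pb->pb_conn->c_mutex)`; if that monitor is what protects the field (not visible in this hunk), the read belongs inside it. I would move the assignment below `PR_EnterMonitor` and test the handle explicitly: `if (sasl_conn != NULL && sasl_listmech(sasl_conn, NULL, "", ",", "", &str, NULL, NULL) == SASL_OK) {`. The function starts and ends outside the hunk.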
@@ -1,330 +0,0 @@ -From e71e44e4393a803900ac79d26a91f96ad0068e59 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 23 Aug 2016 12:06:30 -0400 -Subject: [PATCH 39/45] Ticket 48964 - cleanAllRUV changelog purging - incorrectly processes all backends - -Bug Description: When the changelog was being purged of "cleaned" rids it was checking - all the backend changelogs, and not the one from which the - cleanAllRUV task originated from. This could corrupt a different - backend's changelog if both backends used the same RID. - -Fix Description: Purge the changelog associated with the backend that is specified in - the cleanAllRUV task. Also moved the "purging" to its own function, - and fixed a few compiler warnings. - -https://fedorahosted.org/389/ticket/48965 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit fda00435a7536c1ded72bb78a975f3370d09a3be) ---- - ldap/servers/plugins/replication/cl5_api.c | 162 +++++++++++++-------- - ldap/servers/plugins/replication/cl5_api.h | 2 +- - .../plugins/replication/repl5_replica_config.c | 2 +- - 3 files changed, 106 insertions(+), 60 deletions(-) - -diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c -index 3adaf86..6a09aea 100644 ---- a/ldap/servers/plugins/replication/cl5_api.c -+++ b/ldap/servers/plugins/replication/cl5_api.c -@@ -317,7 +317,7 @@ static int _cl5CheckMissingCSN (const CSN *minCsn, const RUV *supplierRUV, CL5DB - static int _cl5TrimInit (); - static void _cl5TrimCleanup (); - static int _cl5TrimMain (void *param); --static void _cl5DoTrimming (ReplicaId rid); -+static void _cl5DoTrimming (); - static void _cl5CompactDBs(); - static void _cl5PurgeRID(Object *obj, ReplicaId cleaned_rid); - static int _cl5PurgeGetFirstEntry (Object *obj, CL5Entry *entry, void **iterator, DB_TXN *txnid, int rid, DBT *key); -@@ -3447,43 +3447,37 @@ static int _cl5TrimMain (void *param) - return 0; - } - --/* We remove an entry if it has been replayed to all consumers 
and -- and the number of entries in the changelog is larger than maxEntries -- or age of the entry is larger than maxAge. -- Also we can't purge entries which correspond to max csns in the -- supplier's ruv. Here is a example where we can get into trouble: -- The server is setup with time based trimming and no consumer's -- At some point all the entries are trimmed from the changelog. -- At a later point a consumer is added and initialized online -- Then a change is made on the supplier. -- To update the consumer, the supplier would attempt to locate -- the last change sent to the consumer in the changelog and will -- fail because the change was removed. -- -+/* -+ * We remove an entry if it has been replayed to all consumers and the number -+ * of entries in the changelog is larger than maxEntries or age of the entry -+ * is larger than maxAge. Also we can't purge entries which correspond to max -+ * csns in the supplier's ruv. Here is a example where we can get into trouble: -+ * -+ * The server is setup with time based trimming and no consumer's -+ * At some point all the entries are trimmed from the changelog. -+ * At a later point a consumer is added and initialized online. -+ * Then a change is made on the supplier. -+ * To update the consumer, the supplier would attempt to locate the last -+ * change sent to the consumer in the changelog and will fail because the -+ * change was removed. - */ -- --static void _cl5DoTrimming (ReplicaId rid) -+static void _cl5DoTrimming () - { - Object *obj; - long numToTrim; - - PR_Lock (s_cl5Desc.dbTrim.lock); - -- /* ONREPL We trim file by file which means that some files will be -- trimmed more often than other. We might have to fix that by, for -- example, randomizing starting point */ -+ /* -+ * We are trimming all the changelogs. We trim file by file which -+ * means that some files will be trimmed more often than other. We -+ * might have to fix that by, for example, randomizing the starting -+ * point. 
-+ */ - obj = objset_first_obj (s_cl5Desc.dbFiles); -- while (obj && (_cl5CanTrim ((time_t)0, &numToTrim) || rid)) -+ while (obj && _cl5CanTrim ((time_t)0, &numToTrim)) - { -- if (rid){ -- /* -- * We are cleaning an invalid rid, and need to strip it -- * from the changelog. -- */ -- _cl5PurgeRID (obj, rid); -- } else { -- _cl5TrimFile (obj, &numToTrim); -- } -+ _cl5TrimFile (obj, &numToTrim); - obj = objset_next_obj (s_cl5Desc.dbFiles, obj); - } - -@@ -3495,6 +3489,43 @@ static void _cl5DoTrimming (ReplicaId rid) - return; - } - -+/* -+ * We are purging a changelog after a cleanAllRUV task. Find the specific -+ * changelog for the backend that is being cleaned, and purge all the records -+ * with the cleaned rid. -+ */ -+static void _cl5DoPurging (Replica *replica) -+{ -+ ReplicaId rid = replica_get_rid(replica); -+ const Slapi_DN *sdn = replica_get_root(replica); -+ const char *replName = replica_get_name(replica); -+ char *replGen = replica_get_generation(replica); -+ char *fileName; -+ Object *obj; -+ -+ PR_Lock (s_cl5Desc.dbTrim.lock); -+ fileName = _cl5MakeFileName (replName, replGen); -+ obj = objset_find(s_cl5Desc.dbFiles, _cl5CompareDBFile, fileName); -+ if (obj) { -+ /* We found our changelog, now purge it */ -+ _cl5PurgeRID (obj, rid); -+ object_release (obj); -+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, -+ "Purged rid (%d) from suffix (%s)\n", -+ rid, slapi_sdn_get_dn(sdn)); -+ } else { -+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, -+ "Purge rid (%d) failed to find changelog file (%s) for suffix (%s)\n", -+ rid, fileName, slapi_sdn_get_dn(sdn)); -+ } -+ PR_Unlock (s_cl5Desc.dbTrim.lock); -+ -+ slapi_ch_free_string(&replGen); -+ slapi_ch_free_string(&fileName); -+ -+ return; -+} -+ - /* clear free page files to reduce changelog */ - static void - _cl5CompactDBs() -@@ -4072,23 +4103,25 @@ static PRBool _cl5CanTrim (time_t time, long *numToTrim) - { - *numToTrim = 0; - -- if (s_cl5Desc.dbTrim.maxAge == 0 && s_cl5Desc.dbTrim.maxEntries 
== 0) -+ if (s_cl5Desc.dbTrim.maxAge == 0 && s_cl5Desc.dbTrim.maxEntries == 0) { - return PR_FALSE; -- -+ } - if (s_cl5Desc.dbTrim.maxAge == 0) - { - *numToTrim = cl5GetOperationCount (NULL) - s_cl5Desc.dbTrim.maxEntries; - return ( *numToTrim > 0 ); - } - -- if (s_cl5Desc.dbTrim.maxEntries > 0 && -- (*numToTrim = cl5GetOperationCount (NULL) - s_cl5Desc.dbTrim.maxEntries) > 0) -- return PR_TRUE; -+ if (s_cl5Desc.dbTrim.maxEntries > 0 && -+ (*numToTrim = cl5GetOperationCount (NULL) - s_cl5Desc.dbTrim.maxEntries) > 0) { -+ return PR_TRUE; -+ } - -- if (time) -+ if (time) { - return (current_time () - time > s_cl5Desc.dbTrim.maxAge); -- else -- return PR_TRUE; -+ } else { -+ return PR_TRUE; -+ } - } - - static int _cl5ReadRUV (const char *replGen, Object *obj, PRBool purge) -@@ -4101,7 +4134,6 @@ static int _cl5ReadRUV (const char *replGen, Object *obj, PRBool purge) - char *pos; - char *agmt_name; - -- - PR_ASSERT (replGen && obj); - - file = (CL5DBFile*)object_get_data (obj); -@@ -4109,13 +4141,12 @@ static int _cl5ReadRUV (const char *replGen, Object *obj, PRBool purge) - - agmt_name = get_thread_private_agmtname(); - -- if (purge) /* read purge vector entry */ -- key.data = _cl5GetHelperEntryKey (PURGE_RUV_TIME, csnStr); -- else /* read upper bound vector */ -- key.data = _cl5GetHelperEntryKey (MAX_RUV_TIME, csnStr); -- -+ if (purge) { /* read purge vector entry */ -+ key.data = _cl5GetHelperEntryKey (PURGE_RUV_TIME, csnStr); -+ } else { /* read upper bound vector */ -+ key.data = _cl5GetHelperEntryKey (MAX_RUV_TIME, csnStr); -+ } - key.size = CSN_STRSIZE; -- - data.flags = DB_DBT_MALLOC; - - rc = file->db->get(file->db, NULL/*txn*/, &key, &data, 0); -@@ -4125,13 +4156,13 @@ static int _cl5ReadRUV (const char *replGen, Object *obj, PRBool purge) - rc = _cl5ReadBervals (&vals, &pos, data.size); - slapi_ch_free (&(data.data)); - if (rc != CL5_SUCCESS) -- goto done; -+ goto done; - -- if (purge) -+ if (purge) { - rc = ruv_init_from_bervals(vals, &file->purgeRUV); -- 
else -+ } else { - rc = ruv_init_from_bervals(vals, &file->maxRUV); -- -+ } - if (rc != RUV_SUCCESS) - { - slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, -@@ -4139,7 +4170,7 @@ static int _cl5ReadRUV (const char *replGen, Object *obj, PRBool purge) - "RUV error %d\n", agmt_name, purge? "purge" : "upper bound", rc); - - rc = CL5_RUV_ERROR; -- goto done; -+ goto done; - } - - /* delete the entry; it is re-added when file -@@ -4151,7 +4182,7 @@ static int _cl5ReadRUV (const char *replGen, Object *obj, PRBool purge) - - case DB_NOTFOUND: /* RUV is lost - need to construct */ - rc = _cl5ConstructRUV (replGen, obj, purge); -- goto done; -+ goto done; - - default: slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, - "%s: _cl5ReadRUV: failed to get purge RUV; " -@@ -6946,12 +6977,14 @@ cl5CleanRUV(ReplicaId rid){ - slapi_rwlock_unlock (s_cl5Desc.stLock); - } - --void trigger_cl_purging(ReplicaId rid){ -+/* -+ * Create a thread to purge a changelog of cleaned RIDs -+ */ -+void trigger_cl_purging(Replica *replica){ - PRThread *trim_tid = NULL; - -- slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, "trigger_cl_purging: rid (%d)\n",(int)rid); - trim_tid = PR_CreateThread(PR_USER_THREAD, (VFP)(void*)trigger_cl_purging_thread, -- (void *)&rid, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, -+ (void *)replica, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, - PR_UNJOINABLE_THREAD, DEFAULT_THREAD_STACKSIZE); - if (NULL == trim_tid){ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, -@@ -6963,19 +6996,32 @@ void trigger_cl_purging(ReplicaId rid){ - } - } - -+/* -+ * Purge a changelog of entries that originated from a particular replica(rid) -+ */ - void - trigger_cl_purging_thread(void *arg){ -- ReplicaId rid = *(ReplicaId *)arg; -+ Replica *replica = (Replica *)arg; - -- /* make sure we have a change log, and we aren't closing it */ -- if(s_cl5Desc.dbState == CL5_STATE_CLOSED || s_cl5Desc.dbState == CL5_STATE_CLOSING){ -+ /* Make sure we have a change log, and we aren't closing it 
*/ -+ if (replica == NULL || -+ s_cl5Desc.dbState == CL5_STATE_CLOSED || -+ s_cl5Desc.dbState == CL5_STATE_CLOSING) { - return; - } -+ -+ /* Bump the changelog thread count */ - if (CL5_SUCCESS != _cl5AddThread()) { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, -- "trigger_cl_purging: failed to increment thread count " -+ "trigger_cl_purging: Abort - failed to increment thread count " - "NSPR error - %d\n", PR_GetError ()); -+ return; - } -- _cl5DoTrimming(rid); -+ -+ /* Purge the changelog */ -+ _cl5DoPurging(replica); - _cl5RemoveThread(); -+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, -+ "trigger_cl_purging: purged changelog for (%s) rid (%d)\n", -+ slapi_sdn_get_dn(replica_get_root(replica)), replica_get_rid(replica)); - } -diff --git a/ldap/servers/plugins/replication/cl5_api.h b/ldap/servers/plugins/replication/cl5_api.h -index 4c3b8e8..1a1c2f5 100644 ---- a/ldap/servers/plugins/replication/cl5_api.h -+++ b/ldap/servers/plugins/replication/cl5_api.h -@@ -467,6 +467,6 @@ int cl5WriteRUV(); - int cl5DeleteRUV(); - void cl5CleanRUV(ReplicaId rid); - void cl5NotifyCleanup(int rid); --void trigger_cl_purging(ReplicaId rid); -+void trigger_cl_purging(Replica *replica); - - #endif -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index 59d3374..011e4ca 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -1467,7 +1467,7 @@ replica_execute_cleanruv_task (Object *r, ReplicaId rid, char *returntext /* not - /* - * Now purge the changelog - */ -- trigger_cl_purging(rid); -+ trigger_cl_purging(replica); - - if (rc != RUV_SUCCESS){ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "cleanruv_task: task failed(%d)\n",rc); --- -2.4.11 - 
diff --git a/SOURCES/0039-Ticket-49231-Fix-backport-issue-part2.patch b/SOURCES/0039-Ticket-49231-Fix-backport-issue-part2.patch
new file mode 100644
index 0000000..e9411e1
--- /dev/null
+++ b/SOURCES/0039-Ticket-49231-Fix-backport-issue-part2.patch
@@ -0,0 +1,25 @@
+From fe06dee8f346a8d8ded338bb5080c4cd3b230eef Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Fri, 5 May 2017 18:33:36 -0400
+Subject: [PATCH] Ticket 49231 - Fix backport issue (part2)
+
+---
+ ldap/servers/slapd/saslbind.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
+index 8d23c52..75b83fe 100644
+--- a/ldap/servers/slapd/saslbind.c
++++ b/ldap/servers/slapd/saslbind.c
+@@ -773,7 +773,7 @@ char **ids_sasl_listmech(Slapi_PBlock *pb)
+ /* merge into result set */
+ dupstr = slapi_ch_strdup(str);
+ others = slapi_str2charray_ext(dupstr, ",", 0 /* don't list duplicate mechanisms */);
+- charray_merge(&ret, others, 1);
++ charray_merge(&sup_ret, others, 1);
+ charray_free(others);
+ slapi_ch_free((void**)&dupstr);
+ }
+--
+2.9.3
+
diff --git a/SOURCES/0040-Ticket-48681-logconv.pl-Fix-SASL-Bind-stats-and-rewo.patch b/SOURCES/0040-Ticket-48681-logconv.pl-Fix-SASL-Bind-stats-and-rewo.patch
new file mode 100644
index 0000000..7fae21f
--- /dev/null
+++ b/SOURCES/0040-Ticket-48681-logconv.pl-Fix-SASL-Bind-stats-and-rewo.patch
@@ -0,0 +1,130 @@ +From e78c098543bbf64b03d1f3df98aa26184c435737 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 19 May 2017 11:18:20 -0400 +Subject: [PATCH] Ticket 48681 - logconv.pl - Fix SASL Bind stats and rework + report format + +Description: We were previously counting ANONYMOUS sasl bind mechanisms + as anonymous binds. The report was also changed to make the + binds stats clearer. + +https://pagure.io/389-ds-base/issue/48681 + +Reviewed by: tbordaz(Thanks!) + +(cherry picked from commit f913252541c90ab7f3d62d74818c43ad01ff5c4e) +--- + ldap/admin/src/logconv.pl | 52 ++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 40 insertions(+), 12 deletions(-) + +diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl +index c30e175..4932db4 100755 +--- a/ldap/admin/src/logconv.pl ++++ b/ldap/admin/src/logconv.pl +@@ -1099,23 +1099,23 @@ print "Max BER Size Exceeded: $maxBerSizeCount\n"; + print "\n"; + print "Binds: $bindCount\n"; + print "Unbinds: $unbindCount\n"; ++print "------------------------------"; ++print "-" x length $bindCount; ++print "\n"; + print " - LDAP v2 Binds: $v2BindCount\n"; + print " - LDAP v3 Binds: $v3BindCount\n"; +-print " - AUTOBINDs: $autobindCount\n"; ++print " - AUTOBINDs(LDAPI): $autobindCount\n"; + print " - SSL Client Binds: $sslClientBindCount\n"; + print " - Failed SSL Client Binds: $sslClientFailedCount\n"; + print " - SASL Binds: $saslBindCount\n"; + if ($saslBindCount > 0){ + my $saslmech = $hashes->{saslmech}; + foreach my $saslb ( sort {$saslmech->{$b} <=> $saslmech->{$a} } (keys %{$saslmech}) ){ +- printf " %-4s - %s\n",$saslb, $saslmech->{$saslb}; ++ printf " - %-4s: %s\n",$saslb, $saslmech->{$saslb}; + } + } +- + print " - Directory Manager Binds: $rootDNBindCount\n"; + print " - Anonymous Binds: $anonymousBindCount\n"; +-my $otherBindCount = $bindCount -($rootDNBindCount + $anonymousBindCount); +-print " - Other Binds: $otherBindCount\n\n"; + + 
########################################################################## + # Verbose Logging Section # +@@ -1195,9 +1195,9 @@ if ($usage =~ /e/i || $verb eq "yes"){ + } + + #################################### +-# # ++# # + # Print Failed Logins # +-# # ++# # + #################################### + + if ($verb eq "yes" || $usage =~ /f/ ){ +@@ -2117,7 +2117,7 @@ sub parseLineNormal + ($connID) = $_ =~ /conn=(\d*)\s/; + handleConnClose($connID); + } +- if (m/ BIND/ && $_ =~ /dn=\"(.*)\" method=128/i ){ ++ if (m/ BIND / && $_ =~ /dn=\"(.*)\" method=128/i ){ + my $binddn = $1; + if($reportStats){ inc_stats('bind',$s_stats,$m_stats); } + $bindCount++; +@@ -2531,21 +2531,49 @@ sub parseLineNormal + } + } + } +- if (/ BIND / && /method=sasl/i){ ++ if (/ BIND / && $_ =~ /dn=\"(.*)\" method=sasl/i){ ++ my $binddn = $1; ++ my ($conn, $op); + $saslBindCount++; + $bindCount++; + if ($_ =~ /mech=(.*)/i ){ + my $mech = $1; + $hashes->{saslmech}->{$mech}++; +- my ($conn, $op); + if ($_ =~ /conn= *([0-9A-Z]+) +op= *([0-9\-]+)/i){ + $conn = $1; + $op = $2; + $hashes->{saslconnop}->{$conn-$op} = $mech; + } + } +- if (/ mech=ANONYMOUS/){ +- $anonymousBindCount++; ++ if ($binddn ne ""){ ++ if($binddn eq $rootDN){ $rootDNBindCount++; } ++ if($usage =~ /f/ || $usage =~ /u/ || $usage =~ /U/ || $usage =~ /b/ || $verb eq "yes"){ ++ $tmpp = $binddn; ++ $tmpp =~ tr/A-Z/a-z/; ++ $hashes->{bindlist}->{$tmpp}++; ++ $hashes->{bind_conn_op}->{"$serverRestartCount,$conn,$op"} = $tmpp; ++ } ++ } ++ } ++ if (/ RESULT err=/ && / tag=97 nentries=0 etime=/ && $_ =~ /dn=\"(.*)\"/i){ ++ # Check if this is a sasl bind, if see we need to add the RESULT's dn as a bind dn ++ my $binddn = $1; ++ my ($conn, $op); ++ if ($_ =~ /conn= *([0-9A-Z]+) +op= *([0-9\-]+)/i){ ++ $conn = $1; ++ $op = $2; ++ if ($hashes->{saslconnop}->{$conn-$op} ne ""){ ++ # This was a SASL BIND - record the dn ++ if ($binddn ne ""){ ++ if($binddn eq $rootDN){ $rootDNBindCount++; } ++ if($usage =~ /f/ || $usage =~ /u/ || $usage =~ /U/ 
|| $usage =~ /b/ || $verb eq "yes"){ ++ $tmpp = $binddn; ++ $tmpp =~ tr/A-Z/a-z/; ++ $hashes->{bindlist}->{$tmpp}++; ++ $hashes->{bind_conn_op}->{"$serverRestartCount,$conn,$op"} = $tmpp; ++ } ++ } ++ } + } + } + if (/ RESULT err=14 tag=97 / && / SASL bind in progress/){ +-- +2.9.4 + diff --git a/SOURCES/0040-Ticket-48969-nsslapd-auditfaillog-always-has-an-expl.patch b/SOURCES/0040-Ticket-48969-nsslapd-auditfaillog-always-has-an-expl.patch deleted file mode 100644 index 8205429..0000000 --- a/SOURCES/0040-Ticket-48969-nsslapd-auditfaillog-always-has-an-expl.patch +++ /dev/null 
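Review bot: The new RESULT handler in `parseLineNormal` looks up `$hashes->{saslconnop}->{$conn-$op}`, and `$conn-$op` is a numeric subtraction rather than a string key, so unrelated connection/operation pairs with the same difference (for example conn=5 op=2 and conn=4 op=1) share one slot and the DN of a non-SASL RESULT can be counted as a SASL bind DN. Use an interpolated key, with the restart counter as `bind_conn_op` already has, both where the mechanism is stored and in this lookup: `$hashes->{saslconnop}->{"$serverRestartCount,$conn,$op"} = $mech;` and `if (defined $hashes->{saslconnop}->{"$serverRestartCount,$conn,$op"}){`; any other reader of `saslconnop` outside this hunk would need the same key. In the SASL BIND block `$conn` and `$op` are only assigned when the line carries `mech=`, yet `bind_conn_op` is written with them afterwards, so the `conn=`/`op=` match should move out of the `mech=` branch. The subroutine starts and ends outside the hunk.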
@@ -1,72 +0,0 @@
-From 192deb3b1bf9e5f359e0468809cdd81df51af4a0 Mon Sep 17 00:00:00 2001
-From: Noriko Hosoi
-Date: Mon, 22 Aug 2016 22:24:51 -0700
-Subject: [PATCH 40/45] Ticket #48969 - nsslapd-auditfaillog always has an
- explicit path
-
-Bug Description:
-In the current implementation, nsslapd-auditfaillog is not set,
-by default. Internally, the value is NULL, which let audit fail
-log share the same audit log file with nsslapd-auditlog.
-
-Once, some path is set to nsslapd-auditfaillog, it is not allowed
-to delete or set NULL or empty to it. That is, there is no way to
-go back to the default behaviour.
-
-There is another issue for the default value. Since search for
-nsslapd-auditfaillog under cn=config does not return anything,
-it is hard to find out where the failed logs are written.
-
-Fix Description:
-To solve the 2 issues, this patch changes the default value to an
-explicit path /path/to/logdir/audit.
-
-https://fedorahosted.org/389/ticket/48969
-
-Reviewed by wibrown@redhat.com (Thank you, William!)
-
-(cherry picked from commit ef2c3c4cc6f966935dbe367dd0d882ae81de3cc4)
----
- ldap/ldif/template-dse.ldif.in | 1 +
- ldap/servers/slapd/auditlog.c | 6 ++++--
- 2 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
-index 46b416b..8258b70 100644
---- a/ldap/ldif/template-dse.ldif.in
-+++ b/ldap/ldif/template-dse.ldif.in
-@@ -53,6 +53,7 @@ nsslapd-auditlog-maxlogsize: 100
- nsslapd-auditlog-logrotationtime: 1
- nsslapd-auditlog-logrotationtimeunit: day
- nsslapd-auditlog-logging-enabled: off
-+nsslapd-auditfaillog: %log_dir%/audit
- nsslapd-auditfaillog-logging-enabled: off
- nsslapd-rootdn: %rootdn%
- nsslapd-rootpw: %ds_passwd%
-diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
-index ec7111b..85d136c 100644
---- a/ldap/servers/slapd/auditlog.c
-+++ b/ldap/servers/slapd/auditlog.c
-@@ -112,6 +112,7 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
- Operation *op;
- int pbrc = 0;
- char *auditfail_config = NULL;
-+ char *audit_config = NULL;
-
- /* if the audit log is not enabled, just skip all of
- this stuff */
-@@ -167,8 +168,9 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
- /* log the raw, unnormalized DN */
- dn = slapi_sdn_get_udn(sdn);
- auditfail_config = config_get_auditfaillog();
-- if (auditfail_config == NULL || strlen(auditfail_config) == 0) {
-- /* If no auditfail log write to audit log */
-+ audit_config = config_get_auditlog();
-+ if (auditfail_config == NULL || strlen(auditfail_config) == 0 || PL_strcasecmp(auditfail_config, audit_config) == 0) {
-+ /* If no auditfail log or "auditfaillog" == "auditlog", write to audit log */
- write_audit_file(SLAPD_AUDIT_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc, SLAPD_AUDITFAIL_LOG);
- } else {
- /* If we have our own auditfail log path */
---
-2.4.11
-
diff --git a/SOURCES/0041-Ticket-48967-passwordMinAge-attribute-doesn-t-limit-.patch b/SOURCES/0041-Ticket-48967-passwordMinAge-attribute-doesn-t-limit-.patch
deleted file mode 100644
index 3fed75f..0000000
--- a/SOURCES/0041-Ticket-48967-passwordMinAge-attribute-doesn-t-limit-.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 755a15ebafb8ae98cef681512d3ab3ef0470e11d Mon Sep 17 00:00:00 2001
-From: Noriko Hosoi
-Date: Tue, 23 Aug 2016 14:18:32 -0700
-Subject: [PATCH 41/45] Ticket #48967 - passwordMinAge attribute doesn't limit
- the minimum age of the password
-
-Description: There was a logic error in check_pw_minage. Password-
-MinAge was ignored by the error. This patch fixes the logic error.
-
-https://fedorahosted.org/389/ticket/48967
-
-Reviewed and tested by wibrown@redhat.com and spichugi@redhat.com.
-(Thank you, William and Simon!)
-
-(cherry picked from commit 790e723e4f30b3d245535ce7a9d5d00477878341)
----
- ldap/servers/slapd/pw.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
-index 6b865ec..7469b9e 100644
---- a/ldap/servers/slapd/pw.c
-+++ b/ldap/servers/slapd/pw.c
-@@ -729,7 +729,7 @@ check_pw_minage ( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals)
- pwpolicy = new_passwdPolicy(pb, dn);
- slapi_pblock_get ( pb, SLAPI_PWPOLICY, &pwresponse_req );
-
-- if (!pb->pb_op->o_isroot && !pwpolicy->pw_minage) {
-+ if (!pb->pb_op->o_isroot && pwpolicy->pw_minage) {
-
- Slapi_Entry *e;
- char *passwordAllowChangeTime;
---
-2.4.11
-
diff --git a/SOURCES/0041-Ticket-49157-ds-logpipe.py-crashes-for-non-existing-.patch b/SOURCES/0041-Ticket-49157-ds-logpipe.py-crashes-for-non-existing-.patch
new file mode 100644
index 0000000..b8004e0
--- /dev/null
+++ b/SOURCES/0041-Ticket-49157-ds-logpipe.py-crashes-for-non-existing-.patch
@@ -0,0 +1,83 @@
+From a842e43becb9312574071b1460bfa835bfecc47b Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 8 May 2017 14:12:53 -0400
+Subject: [PATCH] Ticket 49157 - ds-logpipe.py crashes for non-existing users
+
+Description: Remove all "raises", and gracefully exit with a message
+
+https://pagure.io/389-ds-base/issue/49157
+
+Reviewed by: firstyear(Thanks!)
+
+(cherry picked from commit 94ebab36770465a50e3f61590f0f1adec2cc9224)
+---
+ ldap/admin/src/scripts/ds-logpipe.py | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/ldap/admin/src/scripts/ds-logpipe.py b/ldap/admin/src/scripts/ds-logpipe.py
+index dc1856a..13712ea 100644
+--- a/ldap/admin/src/scripts/ds-logpipe.py
++++ b/ldap/admin/src/scripts/ds-logpipe.py
+@@ -146,7 +146,8 @@ def open_pipe(logfname):
+ if e.errno == errno.EINTR:
+ continue # open was interrupted, try again
+ else: # hard error
+- raise Exception("%s [%d]" % (e.strerror, e.errno))
++ print("%s [%d]" % (e.strerror, e.errno))
++ sys.exit(1)
+ return logf
+
+ def is_proc_alive(procpid):
+@@ -156,7 +157,8 @@ def is_proc_alive(procpid):
+ except IOError as e:
+ if e.errno != errno.ENOENT: # may not exist yet - that's ok
+ # otherwise, probably permissions or other badness
+- raise Exception("could not open file %s - %s [%d]" % (procfile, e.strerror, e.errno))
++ print("could not open file %s - %s [%d]" % (procfile, e.strerror, e.errno))
++ sys.exit(1)
+ # using /proc/pid failed, try kill
+ if not retval:
+ try:
+@@ -177,7 +179,8 @@ def get_pid_from_file(pidfile):
+ except IOError as e:
+ if e.errno != errno.ENOENT: # may not exist yet - that's ok
+ # otherwise, probably permissions or other badness
+- raise Exception("Could not read pid from file %s - %s [%d]" % (pidfile, e.strerror, e.errno))
++ print("Could not read pid from file %s - %s [%d]" % (pidfile, e.strerror, e.errno))
++ sys.exit(1)
+ if line:
+ procpid = int(line)
+ return procpid
+@@ -188,7 +191,8 @@ def write_pid_file(pidfile):
+ pfd.write("%d\n" % os.getpid())
+ pfd.close()
+ except IOError as e:
+- raise Exception("Could not write pid to file %s - %s [%d]" % (pidfile, e.strerror, e.errno))
++ print("Could not write pid to file %s - %s [%d]" % (pidfile, e.strerror, e.errno))
++ sys.exit(1)
+
+ def handle_script_pidfile(scriptpidfile):
+ scriptpid = get_pid_from_file(scriptpidfile)
+@@ -216,7 +220,8 @@ def read_and_process_line(logf, plgfuncs):
+ if e.errno == errno.EINTR:
+ continue # read was interrupted, try again
+ else: # hard error
+- raise Exception("%s [%d]" % (e.strerror, e.errno))
++ print("%s [%d]" % (e.strerror, e.errno))
++ sys.exit(1)
+ if line: # read something
+ for plgfunc in plgfuncs:
+ if not plgfunc(line):
+@@ -312,7 +317,8 @@ except OSError as e:
+ print("Failed to create log pipe: " + str(e))
+ sys.exit(1)
+ else:
+- raise Exception("%s [%d]" % (e.strerror, e.errno))
++ print("Failed to create log pipe - %s [error %d]" % (e.strerror, e.errno))
++ sys.ext(1)
+
+ if debug:
+ print("Listening to log pipe", logfname, "number of lines", maxlines)
+--
+2.9.4
+
diff --git a/SOURCES/0042-Ticket-48967-Add-CI-test-and-refactor-test-suite.patch b/SOURCES/0042-Ticket-48967-Add-CI-test-and-refactor-test-suite.patch
deleted file mode 100644
index 593e292..0000000
--- a/SOURCES/0042-Ticket-48967-Add-CI-test-and-refactor-test-suite.patch
+++ /dev/null
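Review bot: The last inner hunk of the ds-logpipe.py patch (`@@ -312,7 +317,8 @@ except OSError as e:`) adds `sys.ext(1)`, which is not an attribute of the `sys` module, so that `else:` branch would raise AttributeError instead of exiting with status 1. That is the opposite of the graceful exit the patch description promises, and the line should read `sys.exit(1)`. Every replacement in this patch also reports the error with `print()` on stdout; for a script that sits on a log pipe, writing the message with `sys.stderr.write(...)` would keep failures out of any captured output and visible to whoever supervises the process. The functions touched by the other inner hunks (`open_pipe`, `is_proc_alive`, `get_pid_from_file`, `write_pid_file`, `read_and_process_line`) begin and end outside what the patch shows, so callers that relied on catching the old `Exception` cannot be checked from here.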
@@ -1,933 +0,0 @@ -From 986930d491d64ce32b91ed70d452074f2963fc55 Mon Sep 17 00:00:00 2001 -From: Simon Pichugin -Date: Wed, 24 Aug 2016 10:08:29 +0200 -Subject: [PATCH 42/45] Ticket 48967 - Add CI test and refactor test suite - -Description: Add a test case to password policy test suite. -Refactor structure of password test suite so it would become more -logical. - -https://fedorahosted.org/389/ticket/48967 - -Reviewed by: nhosoi (Thank you, Noriko!) - -(cherry picked from commit 6abd5f49d8e32732a97794e68f642045f16f23e3) ---- - .../suites/password/pwdPolicy_attribute_test.py | 339 +++++++++++++++++++++ - .../tests/suites/password/pwdPolicy_syntax_test.py | 151 +++++++++ - .../tests/suites/password/pwdPolicy_test.py | 151 --------- - .../tests/suites/password/pwd_change_policytest.py | 240 --------------- - 4 files changed, 490 insertions(+), 391 deletions(-) - create mode 100644 dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py - create mode 100644 dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py - delete mode 100644 dirsrvtests/tests/suites/password/pwdPolicy_test.py - delete mode 100644 dirsrvtests/tests/suites/password/pwd_change_policytest.py - -diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py -new file mode 100644 -index 0000000..d3be7e2 ---- /dev/null -+++ b/dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py -@@ -0,0 +1,339 @@ -+import os -+import sys -+import time -+import subprocess -+import ldap -+import logging -+import pytest -+from lib389 import DirSrv, Entry, tools, tasks -+from lib389.tools import DirSrvTools -+from lib389._constants import * -+from lib389.properties import * -+from lib389.tasks import * -+from lib389.utils import * -+ -+DEBUGGING = False -+OU_PEOPLE = 'ou=people,{}'.format(DEFAULT_SUFFIX) -+TEST_USER_NAME = 'simplepaged_test' -+TEST_USER_DN = 'uid={},{}'.format(TEST_USER_NAME, OU_PEOPLE) -+TEST_USER_PWD = 
'simplepaged_test' -+PW_POLICY_CONT_USER = 'cn="cn=nsPwPolicyEntry,uid=simplepaged_test,'\ -+ 'ou=people,dc=example,dc=com",'\ -+ 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com' -+PW_POLICY_CONT_PEOPLE = 'cn="cn=nsPwPolicyEntry,'\ -+ 'ou=people,dc=example,dc=com",'\ -+ 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com' -+ -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+ -+log = logging.getLogger(__name__) -+ -+ -+class TopologyStandalone(object): -+ """The DS Topology Class""" -+ def __init__(self, standalone): -+ """Init""" -+ standalone.open() -+ self.standalone = standalone -+ -+ -+@pytest.fixture(scope="module") -+def topology(request): -+ """Create DS Deployment""" -+ -+ # Creating standalone instance ... -+ if DEBUGGING: -+ standalone = DirSrv(verbose=True) -+ else: -+ standalone = DirSrv(verbose=False) -+ args_instance[SER_HOST] = HOST_STANDALONE -+ args_instance[SER_PORT] = PORT_STANDALONE -+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE -+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -+ args_standalone = args_instance.copy() -+ standalone.allocate(args_standalone) -+ instance_standalone = standalone.exists() -+ if instance_standalone: -+ standalone.delete() -+ standalone.create() -+ standalone.open() -+ -+ def fin(): -+ """If we are debugging just stop the instances, otherwise remove -+ them -+ """ -+ if DEBUGGING: -+ standalone.stop() -+ else: -+ standalone.delete() -+ -+ request.addfinalizer(fin) -+ -+ -+ return TopologyStandalone(standalone) -+ -+ -+@pytest.fixture(scope="module") -+def test_user(topology, request): -+ """User for binding operation""" -+ -+ log.info('Adding user {}'.format(TEST_USER_DN)) -+ try: -+ topology.standalone.add_s(Entry((TEST_USER_DN, { -+ 'objectclass': 'top person'.split(), -+ 'objectclass': 'organizationalPerson', -+ 'objectclass': 'inetorgperson', -+ 'cn': TEST_USER_NAME, -+ 'sn': TEST_USER_NAME, -+ 'userpassword': 
TEST_USER_PWD, -+ 'mail': '%s@redhat.com' % TEST_USER_NAME, -+ 'uid': TEST_USER_NAME -+ }))) -+ except ldap.LDAPError as e: -+ log.error('Failed to add user (%s): error (%s)' % (TEST_USER_DN, -+ e.message['desc'])) -+ raise e -+ -+ def fin(): -+ log.info('Deleting user {}'.format(TEST_USER_DN)) -+ topology.standalone.delete_s(TEST_USER_DN) -+ request.addfinalizer(fin) -+ -+ -+@pytest.fixture(scope="module") -+def password_policy(topology, test_user): -+ """Set up password policy for subtree and user""" -+ -+ log.info('Enable fine-grained policy') -+ try: -+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, -+ 'nsslapd-pwpolicy-local', -+ 'on')]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set fine-grained policy: error {}'.format( -+ e.message['desc'])) -+ raise e -+ -+ log.info('Create password policy for subtree {}'.format(OU_PEOPLE)) -+ try: -+ subprocess.call(['ns-newpwpolicy.pl', '-D', DN_DM, '-w', PASSWORD, -+ '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE, -+ '-S', OU_PEOPLE, '-Z', SERVERID_STANDALONE]) -+ except subprocess.CalledProcessError as e: -+ log.error('Failed to create pw policy policy for {}: error {}'.format( -+ OU_PEOPLE, e.message['desc'])) -+ raise e -+ -+ log.info('Add pwdpolicysubentry attribute to {}'.format(OU_PEOPLE)) -+ try: -+ topology.standalone.modify_s(OU_PEOPLE, [(ldap.MOD_REPLACE, -+ 'pwdpolicysubentry', -+ PW_POLICY_CONT_PEOPLE)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to pwdpolicysubentry pw policy '\ -+ 'policy for {}: error {}'.format(OU_PEOPLE, -+ e.message['desc'])) -+ raise e -+ -+ log.info('Create password policy for subtree {}'.format(TEST_USER_DN)) -+ try: -+ subprocess.call(['ns-newpwpolicy.pl', '-D', DN_DM, '-w', PASSWORD, -+ '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE, -+ '-U', TEST_USER_DN, '-Z', SERVERID_STANDALONE]) -+ except subprocess.CalledProcessError as e: -+ log.error('Failed to create pw policy policy for {}: error {}'.format( -+ TEST_USER_DN, e.message['desc'])) -+ 
raise e -+ -+ log.info('Add pwdpolicysubentry attribute to {}'.format(TEST_USER_DN)) -+ try: -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'pwdpolicysubentry', -+ PW_POLICY_CONT_USER)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to pwdpolicysubentry pw policy '\ -+ 'policy for {}: error {}'.format(TEST_USER_DN, -+ e.message['desc'])) -+ raise e -+ -+ -+@pytest.mark.parametrize('subtree_pwchange,user_pwchange,exception', -+ [('on', 'off', ldap.UNWILLING_TO_PERFORM), -+ ('off', 'off', ldap.UNWILLING_TO_PERFORM), -+ ('off', 'on', None), ('on', 'on', None)]) -+def test_change_pwd(topology, test_user, password_policy, -+ subtree_pwchange, user_pwchange, exception): -+ """Verify that 'passwordChange' attr works as expected -+ User should have a priority over a subtree. -+ -+ :Feature: Password policy -+ -+ :Setup: Standalone instance, test user, -+ password policy entries for a user and a subtree -+ -+ :Steps: 1. Set passwordChange on the user and the subtree -+ to various combinations -+ 2. Bind as test user -+ 3. 
Try to change password -+ -+ :Assert: Subtree/User passwordChange - result -+ off/on, on/on - success -+ on/off, off/off - UNWILLING_TO_PERFORM -+ """ -+ -+ log.info('Set passwordChange to "{}" - {}'.format(subtree_pwchange, -+ PW_POLICY_CONT_PEOPLE)) -+ try: -+ topology.standalone.modify_s(PW_POLICY_CONT_PEOPLE, [(ldap.MOD_REPLACE, -+ 'passwordChange', -+ subtree_pwchange)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set passwordChange '\ -+ 'policy for {}: error {}'.format(PW_POLICY_CONT_PEOPLE, -+ e.message['desc'])) -+ raise e -+ -+ -+ log.info('Set passwordChange to "{}" - {}'.format(user_pwchange, -+ PW_POLICY_CONT_USER)) -+ try: -+ topology.standalone.modify_s(PW_POLICY_CONT_USER, [(ldap.MOD_REPLACE, -+ 'passwordChange', -+ user_pwchange)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set passwordChange '\ -+ 'policy for {}: error {}'.format(PW_POLICY_CONT_USER, -+ e.message['desc'])) -+ raise e -+ -+ try: -+ log.info('Bind as user and modify userPassword') -+ topology.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PWD) -+ if exception: -+ with pytest.raises(exception): -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'userPassword', -+ 'new_pass')]) -+ else: -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'userPassword', -+ 'new_pass')]) -+ except ldap.LDAPError as e: -+ log.error('Failed to change userpassword for {}: error {}'.format( -+ TEST_USER_DN, e.message['info'])) -+ raise e -+ finally: -+ log.info('Bind as DM') -+ topology.standalone.simple_bind_s(DN_DM, PASSWORD) -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'userPassword', -+ TEST_USER_PWD)]) -+ -+ -+def test_pwd_min_age(topology, test_user, password_policy): -+ """If we set passwordMinAge to some value, for example to 10, then it -+ should not allow the user to change the password within 10 seconds after -+ his previous change. 
-+ -+ :Feature: Password policy -+ -+ :Setup: Standalone instance, test user, -+ password policy entries for a user and a subtree -+ -+ :Steps: 1. Set passwordMinAge to 10 on the user pwpolicy entry -+ 2. Set passwordMinAge to 10 on the subtree pwpolicy entry -+ 3. Set passwordMinAge to 10 on the cn=config entry -+ 4. Bind as test user -+ 5. Try to change password two times in a row -+ 6. Wait 12 seconds -+ 7. Try to change password -+ -+ :Assert: User should be not allowed to change the password -+ right after previous change - CONSTRAINT_VIOLATION -+ User should be not allowed to change the password -+ after 12 seconds passed -+ """ -+ -+ num_seconds = '10' -+ -+ log.info('Set passwordminage to "{}" - {}'.format(num_seconds, PW_POLICY_CONT_PEOPLE)) -+ try: -+ topology.standalone.modify_s(PW_POLICY_CONT_PEOPLE, [(ldap.MOD_REPLACE, -+ 'passwordminage', -+ num_seconds)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set passwordminage '\ -+ 'policy for {}: error {}'.format(PW_POLICY_CONT_PEOPLE, -+ e.message['desc'])) -+ raise e -+ -+ log.info('Set passwordminage to "{}" - {}'.format(num_seconds, PW_POLICY_CONT_USER)) -+ try: -+ topology.standalone.modify_s(PW_POLICY_CONT_USER, [(ldap.MOD_REPLACE, -+ 'passwordminage', -+ num_seconds)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set passwordminage '\ -+ 'policy for {}: error {}'.format(PW_POLICY_CONT_USER, -+ e.message['desc'])) -+ raise e -+ -+ log.info('Set passwordminage to "{}" - {}'.format(num_seconds, DN_CONFIG)) -+ try: -+ topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, -+ 'passwordminage', -+ num_seconds)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set passwordminage '\ -+ 'policy for {}: error {}'.format(DN_CONFIG, -+ e.message['desc'])) -+ raise e -+ -+ try: -+ log.info('Bind as user and modify userPassword') -+ topology.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PWD) -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'userPassword', -+ 
'new_pass')]) -+ except ldap.LDAPError as e: -+ log.error('Failed to change userpassword for {}: error {}'.format( -+ TEST_USER_DN, e.message['info'])) -+ raise e -+ -+ -+ log.info('Bind as user and modify userPassword straight away after previous change') -+ topology.standalone.simple_bind_s(TEST_USER_DN, 'new_pass') -+ with pytest.raises(ldap.CONSTRAINT_VIOLATION): -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'userPassword', -+ 'new_new_pass')]) -+ -+ log.info('Wait {} second'.format(int(num_seconds) + 2)) -+ time.sleep(int(num_seconds) + 2) -+ -+ try: -+ log.info('Bind as user and modify userPassword') -+ topology.standalone.simple_bind_s(TEST_USER_DN, 'new_pass') -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'userPassword', -+ TEST_USER_PWD)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to change userpassword for {}: error {}'.format( -+ TEST_USER_DN, e.message['info'])) -+ raise e -+ finally: -+ log.info('Bind as DM') -+ topology.standalone.simple_bind_s(DN_DM, PASSWORD) -+ topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -+ 'userPassword', -+ TEST_USER_PWD)]) -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py -new file mode 100644 -index 0000000..653d033 ---- /dev/null -+++ b/dirsrvtests/tests/suites/password/pwdPolicy_syntax_test.py -@@ -0,0 +1,151 @@ -+# --- BEGIN COPYRIGHT BLOCK --- -+# Copyright (C) 2015 Red Hat, Inc. -+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. 
-+# --- END COPYRIGHT BLOCK --- -+# -+import os -+import sys -+import time -+import ldap -+import logging -+import pytest -+from lib389 import DirSrv, Entry, tools, tasks -+from lib389.tools import DirSrvTools -+from lib389._constants import * -+from lib389.properties import * -+from lib389.tasks import * -+ -+logging.getLogger(__name__).setLevel(logging.DEBUG) -+log = logging.getLogger(__name__) -+ -+from lib389.config import RSA, Encryption, Config -+ -+DEBUGGING = False -+ -+USER_DN = 'uid=user,ou=People,%s' % DEFAULT_SUFFIX -+ -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+ -+ -+log = logging.getLogger(__name__) -+ -+ -+class TopologyStandalone(object): -+ """The DS Topology Class""" -+ def __init__(self, standalone): -+ """Init""" -+ standalone.open() -+ self.standalone = standalone -+ -+ -+@pytest.fixture(scope="module") -+def topology(request): -+ """Create DS Deployment""" -+ -+ # Creating standalone instance ... -+ if DEBUGGING: -+ standalone = DirSrv(verbose=True) -+ else: -+ standalone = DirSrv(verbose=False) -+ args_instance[SER_HOST] = HOST_STANDALONE -+ args_instance[SER_PORT] = PORT_STANDALONE -+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE -+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -+ args_standalone = args_instance.copy() -+ standalone.allocate(args_standalone) -+ instance_standalone = standalone.exists() -+ if instance_standalone: -+ standalone.delete() -+ standalone.create() -+ standalone.open() -+ -+ # Deploy certs -+ # This is a trick. 
The nss db that ships with DS is broken -+ for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'): -+ try: -+ os.remove("%s/%s" % (topology.standalone.confdir, f )) -+ except: -+ pass -+ -+ assert(standalone.nss_ssl.reinit() is True) -+ assert(standalone.nss_ssl.create_rsa_ca() is True) -+ assert(standalone.nss_ssl.create_rsa_key_and_cert() is True) -+ -+ # Say that we accept the cert -+ # Connect again! -+ -+ # Enable the SSL options -+ standalone.rsa.create() -+ standalone.rsa.set('nsSSLPersonalitySSL', 'Server-Cert') -+ standalone.rsa.set('nsSSLToken', 'internal (software)') -+ standalone.rsa.set('nsSSLActivation', 'on') -+ -+ standalone.config.set('nsslapd-secureport', PORT_STANDALONE2) -+ standalone.config.set('nsslapd-security', 'on') -+ -+ standalone.restart() -+ -+ -+ def fin(): -+ """If we are debugging just stop the instances, otherwise remove -+ them -+ """ -+ if DEBUGGING: -+ standalone.stop() -+ else: -+ standalone.delete() -+ -+ request.addfinalizer(fin) -+ -+ # Clear out the tmp dir -+ standalone.clearTmpDir(__file__) -+ -+ return TopologyStandalone(standalone) -+ -+def _create_user(inst): -+ inst.add_s(Entry(( -+ USER_DN, { -+ 'objectClass': 'top account simplesecurityobject'.split(), -+ 'uid': 'user', -+ 'userpassword': 'password' -+ }))) -+ -+ -+def test_pwdPolicy_constraint(topology): -+ ''' -+ Password policy test: Ensure that on a password change, the policy is -+ enforced correctly. -+ ''' -+ -+ # Create a user -+ _create_user(topology.standalone) -+ # Set the password policy globally -+ topology.standalone.config.set('passwordMinLength', '10') -+ topology.standalone.config.set('passwordMinDigits', '2') -+ topology.standalone.config.set('passwordCheckSyntax', 'on') -+ topology.standalone.config.set('nsslapd-pwpolicy-local', 'off') -+ # Now open a new ldap connection with TLS -+ userconn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE)) -+ userconn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap. 
OPT_X_TLS_NEVER ) -+ userconn.start_tls_s() -+ userconn.simple_bind_s(USER_DN, 'password') -+ # This should have an exception! -+ try: -+ userconn.passwd_s(USER_DN, 'password', 'password1') -+ assert(False) -+ except ldap.CONSTRAINT_VIOLATION: -+ assert(True) -+ # Change the password to something invalid! -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_test.py -deleted file mode 100644 -index 653d033..0000000 ---- a/dirsrvtests/tests/suites/password/pwdPolicy_test.py -+++ /dev/null -@@ -1,151 +0,0 @@ --# --- BEGIN COPYRIGHT BLOCK --- --# Copyright (C) 2015 Red Hat, Inc. --# All rights reserved. --# --# License: GPL (version 3 or any later version). --# See LICENSE for details. --# --- END COPYRIGHT BLOCK --- --# --import os --import sys --import time --import ldap --import logging --import pytest --from lib389 import DirSrv, Entry, tools, tasks --from lib389.tools import DirSrvTools --from lib389._constants import * --from lib389.properties import * --from lib389.tasks import * -- --logging.getLogger(__name__).setLevel(logging.DEBUG) --log = logging.getLogger(__name__) -- --from lib389.config import RSA, Encryption, Config -- --DEBUGGING = False -- --USER_DN = 'uid=user,ou=People,%s' % DEFAULT_SUFFIX -- --if DEBUGGING: -- logging.getLogger(__name__).setLevel(logging.DEBUG) --else: -- logging.getLogger(__name__).setLevel(logging.INFO) -- -- --log = logging.getLogger(__name__) -- -- --class TopologyStandalone(object): -- """The DS Topology Class""" -- def __init__(self, standalone): -- """Init""" -- standalone.open() -- self.standalone = standalone -- -- --@pytest.fixture(scope="module") --def topology(request): -- """Create DS Deployment""" -- -- # Creating standalone instance ... 
-- if DEBUGGING: -- standalone = DirSrv(verbose=True) -- else: -- standalone = DirSrv(verbose=False) -- args_instance[SER_HOST] = HOST_STANDALONE -- args_instance[SER_PORT] = PORT_STANDALONE -- args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE -- args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -- args_standalone = args_instance.copy() -- standalone.allocate(args_standalone) -- instance_standalone = standalone.exists() -- if instance_standalone: -- standalone.delete() -- standalone.create() -- standalone.open() -- -- # Deploy certs -- # This is a trick. The nss db that ships with DS is broken -- for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'): -- try: -- os.remove("%s/%s" % (topology.standalone.confdir, f )) -- except: -- pass -- -- assert(standalone.nss_ssl.reinit() is True) -- assert(standalone.nss_ssl.create_rsa_ca() is True) -- assert(standalone.nss_ssl.create_rsa_key_and_cert() is True) -- -- # Say that we accept the cert -- # Connect again! 
-- -- # Enable the SSL options -- standalone.rsa.create() -- standalone.rsa.set('nsSSLPersonalitySSL', 'Server-Cert') -- standalone.rsa.set('nsSSLToken', 'internal (software)') -- standalone.rsa.set('nsSSLActivation', 'on') -- -- standalone.config.set('nsslapd-secureport', PORT_STANDALONE2) -- standalone.config.set('nsslapd-security', 'on') -- -- standalone.restart() -- -- -- def fin(): -- """If we are debugging just stop the instances, otherwise remove -- them -- """ -- if DEBUGGING: -- standalone.stop() -- else: -- standalone.delete() -- -- request.addfinalizer(fin) -- -- # Clear out the tmp dir -- standalone.clearTmpDir(__file__) -- -- return TopologyStandalone(standalone) -- --def _create_user(inst): -- inst.add_s(Entry(( -- USER_DN, { -- 'objectClass': 'top account simplesecurityobject'.split(), -- 'uid': 'user', -- 'userpassword': 'password' -- }))) -- -- --def test_pwdPolicy_constraint(topology): -- ''' -- Password policy test: Ensure that on a password change, the policy is -- enforced correctly. -- ''' -- -- # Create a user -- _create_user(topology.standalone) -- # Set the password policy globally -- topology.standalone.config.set('passwordMinLength', '10') -- topology.standalone.config.set('passwordMinDigits', '2') -- topology.standalone.config.set('passwordCheckSyntax', 'on') -- topology.standalone.config.set('nsslapd-pwpolicy-local', 'off') -- # Now open a new ldap connection with TLS -- userconn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE)) -- userconn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap. OPT_X_TLS_NEVER ) -- userconn.start_tls_s() -- userconn.simple_bind_s(USER_DN, 'password') -- # This should have an exception! -- try: -- userconn.passwd_s(USER_DN, 'password', 'password1') -- assert(False) -- except ldap.CONSTRAINT_VIOLATION: -- assert(True) -- # Change the password to something invalid! 
-- -- --if __name__ == '__main__': -- # Run isolated -- # -s for DEBUG mode -- CURRENT_FILE = os.path.realpath(__file__) -- pytest.main("-s %s" % CURRENT_FILE) -diff --git a/dirsrvtests/tests/suites/password/pwd_change_policytest.py b/dirsrvtests/tests/suites/password/pwd_change_policytest.py -deleted file mode 100644 -index 1d48c65..0000000 ---- a/dirsrvtests/tests/suites/password/pwd_change_policytest.py -+++ /dev/null -@@ -1,240 +0,0 @@ --import os --import sys --import time --import subprocess --import ldap --import logging --import pytest --from lib389 import DirSrv, Entry, tools, tasks --from lib389.tools import DirSrvTools --from lib389._constants import * --from lib389.properties import * --from lib389.tasks import * --from lib389.utils import * -- --DEBUGGING = False --OU_PEOPLE = 'ou=people,{}'.format(DEFAULT_SUFFIX) --TEST_USER_NAME = 'simplepaged_test' --TEST_USER_DN = 'uid={},{}'.format(TEST_USER_NAME, OU_PEOPLE) --TEST_USER_PWD = 'simplepaged_test' --PW_POLICY_CONT_USER = 'cn="cn=nsPwPolicyEntry,uid=simplepaged_test,'\ -- 'ou=people,dc=example,dc=com",'\ -- 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com' --PW_POLICY_CONT_PEOPLE = 'cn="cn=nsPwPolicyEntry,'\ -- 'ou=people,dc=example,dc=com",'\ -- 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com' -- --if DEBUGGING: -- logging.getLogger(__name__).setLevel(logging.DEBUG) --else: -- logging.getLogger(__name__).setLevel(logging.INFO) -- --log = logging.getLogger(__name__) -- -- --class TopologyStandalone(object): -- """The DS Topology Class""" -- def __init__(self, standalone): -- """Init""" -- standalone.open() -- self.standalone = standalone -- -- --@pytest.fixture(scope="module") --def topology(request): -- """Create DS Deployment""" -- -- # Creating standalone instance ... 
-- if DEBUGGING: -- standalone = DirSrv(verbose=True) -- else: -- standalone = DirSrv(verbose=False) -- args_instance[SER_HOST] = HOST_STANDALONE -- args_instance[SER_PORT] = PORT_STANDALONE -- args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE -- args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX -- args_standalone = args_instance.copy() -- standalone.allocate(args_standalone) -- instance_standalone = standalone.exists() -- if instance_standalone: -- standalone.delete() -- standalone.create() -- standalone.open() -- -- def fin(): -- """If we are debugging just stop the instances, otherwise remove -- them -- """ -- if DEBUGGING: -- standalone.stop() -- else: -- standalone.delete() -- -- request.addfinalizer(fin) -- -- -- return TopologyStandalone(standalone) -- -- --@pytest.fixture(scope="module") --def test_user(topology, request): -- """User for binding operation""" -- -- log.info('Adding user {}'.format(TEST_USER_DN)) -- try: -- topology.standalone.add_s(Entry((TEST_USER_DN, { -- 'objectclass': 'top person'.split(), -- 'objectclass': 'organizationalPerson', -- 'objectclass': 'inetorgperson', -- 'cn': TEST_USER_NAME, -- 'sn': TEST_USER_NAME, -- 'userpassword': TEST_USER_PWD, -- 'mail': '%s@redhat.com' % TEST_USER_NAME, -- 'uid': TEST_USER_NAME -- }))) -- except ldap.LDAPError as e: -- log.error('Failed to add user (%s): error (%s)' % (TEST_USER_DN, -- e.message['desc'])) -- raise e -- -- def fin(): -- log.info('Deleting user {}'.format(TEST_USER_DN)) -- topology.standalone.delete_s(TEST_USER_DN) -- request.addfinalizer(fin) -- -- --@pytest.fixture(scope="module") --def password_policy(topology, test_user): -- """Set up password policy for subtree and user""" -- -- log.info('Enable fine-grained policy') -- try: -- topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, -- 'nsslapd-pwpolicy-local', -- 'on')]) -- except ldap.LDAPError as e: -- log.error('Failed to set fine-grained policy: error {}'.format( -- e.message['desc'])) -- raise e -- -- 
log.info('Create password policy for subtree {}'.format(OU_PEOPLE)) -- try: -- subprocess.call(['ns-newpwpolicy.pl', '-D', DN_DM, '-w', PASSWORD, -- '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE, -- '-S', OU_PEOPLE, '-Z', SERVERID_STANDALONE]) -- except subprocess.CalledProcessError as e: -- log.error('Failed to create pw policy policy for {}: error {}'.format( -- OU_PEOPLE, e.message['desc'])) -- raise e -- -- log.info('Add pwdpolicysubentry attribute to {}'.format(OU_PEOPLE)) -- try: -- topology.standalone.modify_s(OU_PEOPLE, [(ldap.MOD_REPLACE, -- 'pwdpolicysubentry', -- PW_POLICY_CONT_PEOPLE)]) -- except ldap.LDAPError as e: -- log.error('Failed to pwdpolicysubentry pw policy '\ -- 'policy for {}: error {}'.format(OU_PEOPLE, -- e.message['desc'])) -- raise e -- -- log.info('Create password policy for subtree {}'.format(TEST_USER_DN)) -- try: -- subprocess.call(['ns-newpwpolicy.pl', '-D', DN_DM, '-w', PASSWORD, -- '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE, -- '-U', TEST_USER_DN, '-Z', SERVERID_STANDALONE]) -- except subprocess.CalledProcessError as e: -- log.error('Failed to create pw policy policy for {}: error {}'.format( -- TEST_USER_DN, e.message['desc'])) -- raise e -- -- log.info('Add pwdpolicysubentry attribute to {}'.format(TEST_USER_DN)) -- try: -- topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -- 'pwdpolicysubentry', -- PW_POLICY_CONT_USER)]) -- except ldap.LDAPError as e: -- log.error('Failed to pwdpolicysubentry pw policy '\ -- 'policy for {}: error {}'.format(TEST_USER_DN, -- e.message['desc'])) -- raise e -- -- --@pytest.mark.parametrize('subtree_pwchange,user_pwchange,exception', -- [('off', 'on', None), ('on', 'on', None), -- ('on', 'off', ldap.UNWILLING_TO_PERFORM), -- ('off', 'off', ldap.UNWILLING_TO_PERFORM)]) --def test_change_pwd(topology, test_user, password_policy, -- subtree_pwchange, user_pwchange, exception): -- """Verify that 'passwordChange' attr works as expected -- User should have a priority over a 
subtree. -- -- :Feature: Password policy -- -- :Setup: Standalone instance, test user, -- password policy entries for a user and a subtree -- -- :Steps: 1. Set passwordChange on the user and the subtree -- to various combinations -- 2. Bind as test user -- 3. Try to change password -- -- :Assert: Subtree/User passwordChange - result -- off/on, on/on - success -- on/off, off/off - UNWILLING_TO_PERFORM -- """ -- -- log.info('Set passwordChange to "{}" - {}'.format(subtree_pwchange, -- PW_POLICY_CONT_PEOPLE)) -- try: -- topology.standalone.modify_s(PW_POLICY_CONT_PEOPLE, [(ldap.MOD_REPLACE, -- 'passwordChange', -- subtree_pwchange)]) -- except ldap.LDAPError as e: -- log.error('Failed to set passwordChange '\ -- 'policy for {}: error {}'.format(PW_POLICY_CONT_PEOPLE, -- e.message['desc'])) -- raise e -- -- -- log.info('Set passwordChange to "{}" - {}'.format(user_pwchange, -- PW_POLICY_CONT_USER)) -- try: -- topology.standalone.modify_s(PW_POLICY_CONT_USER, [(ldap.MOD_REPLACE, -- 'passwordChange', -- user_pwchange)]) -- except ldap.LDAPError as e: -- log.error('Failed to set passwordChange '\ -- 'policy for {}: error {}'.format(PW_POLICY_CONT_USER, -- e.message['desc'])) -- raise e -- -- try: -- log.info('Bind as user and modify userPassword') -- topology.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PWD) -- if exception: -- with pytest.raises(exception): -- topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -- 'userPassword', -- 'new_pass')]) -- else: -- topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -- 'userPassword', -- 'new_pass')]) -- except ldap.LDAPError as e: -- log.error('Failed to change userpassword for {}: error {}'.format( -- TEST_USER_DN, e.message['info'])) -- raise e -- finally: -- log.info('Bind as DM') -- topology.standalone.simple_bind_s(DN_DM, PASSWORD) -- topology.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_REPLACE, -- 'userPassword', -- TEST_USER_PWD)]) -- -- --if __name__ == '__main__': -- # Run isolated -- # -s 
for DEBUG mode
-- CURRENT_FILE = os.path.realpath(__file__)
-- pytest.main("-s %s" % CURRENT_FILE)
---
-2.4.11
-
diff --git a/SOURCES/0042-Ticket-49249-cos_cache-is-erroneously-logging-schema.patch b/SOURCES/0042-Ticket-49249-cos_cache-is-erroneously-logging-schema.patch
new file mode 100644
index 0000000..66faff3
--- /dev/null
+++ b/SOURCES/0042-Ticket-49249-cos_cache-is-erroneously-logging-schema.patch
@@ -0,0 +1,202 @@ +From 834b5f7355d4233c4b9d6931ba6ec8482413bca8 Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Thu, 11 May 2017 09:21:38 +0200 +Subject: [PATCH] Ticket 49249 - cos_cache is erroneously logging schema + checking failure + +Bug Description: + cos is generating virtual attributes in several steps. + One of the first step is to check that the generated attribute will + conform the schema. + Then additional checks (override/merge and cos scope) are performed. + If the entry does not conform the schema, it skips the additional checks. + In such case it logs a message stating that the virtual attribute does not + apply. + During slapi-log-err refactoring (https://pagure.io/389-ds-base/issue/48978) + the logging level, in case of schema violation, was move from SLAPI_LOG_PLUGIN + to SLAPI_LOG_ERR. + + This change is incorrect because the potential failure to schema check is + normal and does not imply the cos would apply to the entry (for example if + the entry was not in the scope, the cos would also be skipped). 
+ +Fix Description: + Move back the logging level from SLAPI_LOG_ERR to SLAPI_LOG_PLUGIN + +https://pagure.io/389-ds-base/issue/49249 + +Reviewed by: Mark Reynolds + +Platforms tested: F23 + +Flag Day: no + +Doc impact: no +--- + dirsrvtests/tests/tickets/ticket49249_test.py | 140 ++++++++++++++++++++++++++ + ldap/servers/plugins/cos/cos_cache.c | 2 +- + 2 files changed, 141 insertions(+), 1 deletion(-) + create mode 100644 dirsrvtests/tests/tickets/ticket49249_test.py + +diff --git a/dirsrvtests/tests/tickets/ticket49249_test.py b/dirsrvtests/tests/tickets/ticket49249_test.py +new file mode 100644 +index 0000000..1dfd07e +--- /dev/null ++++ b/dirsrvtests/tests/tickets/ticket49249_test.py +@@ -0,0 +1,140 @@ ++import time ++import ldap ++import logging ++import pytest ++from lib389 import DirSrv, Entry, tools, tasks ++from lib389.tools import DirSrvTools ++from lib389._constants import * ++from lib389.properties import * ++from lib389.tasks import * ++from lib389.utils import * ++from lib389.topologies import topology_st as topo ++ ++DEBUGGING = os.getenv("DEBUGGING", default=False) ++if DEBUGGING: ++ logging.getLogger(__name__).setLevel(logging.DEBUG) ++else: ++ logging.getLogger(__name__).setLevel(logging.INFO) ++log = logging.getLogger(__name__) ++ ++COS_BRANCH = 'ou=cos_scope,' + DEFAULT_SUFFIX ++COS_DEF = 'cn=cos_definition,' + COS_BRANCH ++COS_TEMPLATE = 'cn=cos_template,' + COS_BRANCH ++INVALID_USER_WITH_COS = 'cn=cos_user_no_mail,' + COS_BRANCH ++VALID_USER_WITH_COS = 'cn=cos_user_with_mail,' + COS_BRANCH ++ ++NO_COS_BRANCH = 'ou=no_cos_scope,' + DEFAULT_SUFFIX ++INVALID_USER_WITHOUT_COS = 'cn=no_cos_user_no_mail,' + NO_COS_BRANCH ++VALID_USER_WITHOUT_COS = 'cn=no_cos_user_with_mail,' + NO_COS_BRANCH ++ ++def test_ticket49249(topo): ++ """Write your testcase here... ++ ++ Also, if you need any testcase initialization, ++ please, write additional fixture for that(include finalizer). 
++ """ ++ # Add the branches ++ try: ++ topo.standalone.add_s(Entry((COS_BRANCH, { ++ 'objectclass': 'top extensibleObject'.split(), ++ 'ou': 'cos_scope' ++ }))) ++ except ldap.LDAPError as e: ++ log.error('Failed to add cos_scope: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ topo.standalone.add_s(Entry((NO_COS_BRANCH, { ++ 'objectclass': 'top extensibleObject'.split(), ++ 'ou': 'no_cos_scope' ++ }))) ++ except ldap.LDAPError as e: ++ log.error('Failed to add no_cos_scope: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ topo.standalone.add_s(Entry((COS_TEMPLATE, { ++ 'objectclass': 'top ldapsubentry costemplate extensibleObject'.split(), ++ 'cn': 'cos_template', ++ 'cosPriority': '1', ++ 'cn': 'cn=nsPwTemplateEntry,ou=level1,dc=example,dc=com', ++ 'mailAlternateAddress': 'hello@world' ++ }))) ++ except ldap.LDAPError as e: ++ log.error('Failed to add cos_template: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ topo.standalone.add_s(Entry((COS_DEF, { ++ 'objectclass': 'top ldapsubentry cosSuperDefinition cosPointerDefinition'.split(), ++ 'cn': 'cos_definition', ++ 'costemplatedn': COS_TEMPLATE, ++ 'cosAttribute': 'mailAlternateAddress default' ++ }))) ++ except ldap.LDAPError as e: ++ log.error('Failed to add cos_definition: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ # This entry is not allowed to have mailAlternateAddress ++ topo.standalone.add_s(Entry((INVALID_USER_WITH_COS, { ++ 'objectclass': 'top person'.split(), ++ 'cn': 'cos_user_no_mail', ++ 'sn': 'cos_user_no_mail' ++ }))) ++ except ldap.LDAPError as e: ++ log.error('Failed to add cos_user_no_mail: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ # This entry is allowed to have mailAlternateAddress ++ topo.standalone.add_s(Entry((VALID_USER_WITH_COS, { ++ 'objectclass': 'top mailGroup'.split(), ++ 'cn': 'cos_user_with_mail' ++ }))) ++ except ldap.LDAPError as e: ++ log.error('Failed to add cos_user_no_mail: error ' + e.message['desc']) ++ assert 
False ++ ++ try: ++ # This entry is not allowed to have mailAlternateAddress ++ topo.standalone.add_s(Entry((INVALID_USER_WITHOUT_COS, { ++ 'objectclass': 'top person'.split(), ++ 'cn': 'no_cos_user_no_mail', ++ 'sn': 'no_cos_user_no_mail' ++ }))) ++ except ldap.LDAPError as e: ++ log.error('Failed to add no_cos_user_no_mail: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ # This entry is allowed to have mailAlternateAddress ++ topo.standalone.add_s(Entry((VALID_USER_WITHOUT_COS, { ++ 'objectclass': 'top mailGroup'.split(), ++ 'cn': 'no_cos_user_with_mail' ++ }))) ++ except ldap.LDAPError as e: ++ log.error('Failed to add no_cos_user_with_mail: error ' + e.message['desc']) ++ assert False ++ ++ try: ++ entries = topo.standalone.search_s(SUFFIX, ldap.SCOPE_SUBTREE, '(mailAlternateAddress=*)') ++ assert len(entries) == 1 ++ assert entries[0].hasValue('mailAlternateAddress', 'hello@world') ++ except ldap.LDAPError as e: ++ log.fatal('Unable to retrieve cos_user_with_mail (only entry with mailAlternateAddress) : error %s' % (USER1_DN, e.message['desc'])) ++ assert False ++ ++ assert not topo.standalone.ds_error_log.match(".*cos attribute mailAlternateAddress failed schema.*") ++ ++ if DEBUGGING: ++ # Add debugging steps(if any)... 
++ pass ++ ++ ++if __name__ == '__main__': ++ # Run isolated ++ # -s for DEBUG mode ++ CURRENT_FILE = os.path.realpath(__file__) ++ pytest.main("-s %s" % CURRENT_FILE) ++ +diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c +index 8942254..66c6c7f 100644 +--- a/ldap/servers/plugins/cos/cos_cache.c ++++ b/ldap/servers/plugins/cos/cos_cache.c +@@ -2362,7 +2362,7 @@ static int cos_cache_query_attr(cos_cache *ptheCache, vattr_context *context, + + if(!cos_cache_schema_check(pCache, attr_index, pObjclasses)) + { +- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_query_attr - cos attribute %s failed schema check on dn: %s\n",type,pDn); ++ slapi_log_err(SLAPI_LOG_PLUGIN, COS_PLUGIN_SUBSYSTEM, "cos_cache_query_attr - cos attribute %s failed schema check on dn: %s\n",type,pDn); + goto bail; + } + } +-- +2.9.4 + diff --git a/SOURCES/0043-Ticket-48950-Add-systemd-warning-to-the-LD_PRELOAD-e.patch b/SOURCES/0043-Ticket-48950-Add-systemd-warning-to-the-LD_PRELOAD-e.patch deleted file mode 100644 index be4eeee..0000000 --- a/SOURCES/0043-Ticket-48950-Add-systemd-warning-to-the-LD_PRELOAD-e.patch +++ /dev/null 
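Review bot: The `log.fatal(...)` call in the last `except ldap.LDAPError` block of `test_ticket49249` formats a string holding a single `%s` with the two-element tuple `(USER1_DN, e.message['desc'])`, so a failed search would raise `TypeError` from the handler instead of logging the LDAP error. `USER1_DN` is also not defined in the visible test file and may only resolve through one of the star imports. Dropping the stray name fixes both: `log.fatal('Unable to retrieve cos_user_with_mail (only entry with mailAlternateAddress) : error %s' % e.message['desc'])`. Separately, the `COS_TEMPLATE` entry dict lists `'cn'` twice, so only the second value is sent, and the `VALID_USER_WITH_COS` failure message names `cos_user_no_mail`. Both look like copy-paste leftovers that would point a failing run at the wrong entry.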
@@ -1,105 +0,0 @@ -From 8bfade183d98992172425642edbfcf5952a74319 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 25 Aug 2016 13:39:25 -0400 -Subject: [PATCH 43/45] Ticket 48950 - Add systemd warning to the LD_PRELOAD - example in /etc/sysconfig/dirsrv - -Description: systemd warning about omitting the PORT was missing from the - LD_PRELOAD example. - - Also fixed up file format/layout.. - -https://fedorahosted.org/389/ticket/48950 - -Reviewed by: nhosoi, amsharma, lkrispen (Thanks!!!) - -(cherry picked from commit 1e44c1f321d03dcb30615bcacfc5c099612b1c66) ---- - ldap/admin/src/base-initconfig.in | 67 +++++++++++++++++++-------------------- - 1 file changed, 33 insertions(+), 34 deletions(-) - -diff --git a/ldap/admin/src/base-initconfig.in b/ldap/admin/src/base-initconfig.in -index 0481c3e..8507296 100644 ---- a/ldap/admin/src/base-initconfig.in -+++ b/ldap/admin/src/base-initconfig.in -@@ -7,44 +7,43 @@ - - @preamble@ - --# In order to make more file descriptors available --# to the directory server, first make sure the system --# hard limits are raised, then use ulimit - uncomment --# out the following line and change the value to the --# desired value --# ulimit -n 8192 --# note - if using systemd, ulimit won't work - you must edit --# the systemd unit file for directory server to add the --# LimitNOFILE option - see man systemd.exec for more info -- --# A per instance keytab does not make much sense for servers. --# Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN, there --# is nothing that can make a client understand how to get a per-instance ticket. --# Therefore by default a keytab should be considered a per server option. -- --# Also this file is sourced for all instances, so again all --# instances would ultimately get the same keytab. 
-- -+# In order to make more file descriptors available to the directory server, -+# first make sure the system hard limits are raised, then use ulimit - -+# uncomment out the following line and change the value to the desired value -+#ulimit -n 8192 -+# note - if using systemd, ulimit won't work - you must edit the systemd unit -+# file for directory server to add the LimitNOFILE option - see "man -+# systemd.exec" for more info -+ -+# A per instance keytab does not make much sense for servers. Kerberos clients -+# use the machine FQDN to obtain a ticket like ldap/FQDN, there is nothing that -+# can make a client understand how to get a per-instance ticket. Therefore by -+# default a keytab should be considered a per server option. -+# -+# Also this file is sourced for all instances, so again all instances would -+# ultimately get the same keytab. -+# - # Finally a keytab is normally named either krb5.keytab or .keytab -- --# In order to use SASL/GSSAPI (Kerberos) the directory --# server needs to know where to find its keytab --# file - uncomment the following line and set --# the path and filename appropriately --# if using systemd, omit the "; export VARNAME" at the end --# KRB5_KTNAME=@instconfigdir@/myname.keytab ; export KRB5_KTNAME -- --# how many seconds to wait for the startpid file to show --# up before we assume there is a problem and fail to start --# if using systemd, omit the "; export VARNAME" at the end -+# -+# In order to use SASL/GSSAPI (Kerberos) the directory server needs to know -+# where to find its keytab file - uncomment the following line and set the -+# path and filename appropriately. -+# If using systemd, omit the "; export VARNAME" at the end. -+#KRB5_KTNAME=@instconfigdir@/myname.keytab ; export KRB5_KTNAME -+ -+# How many seconds to wait for the startpid file to show up before we assume -+# there is a problem and fail to start. -+# If using systemd, omit the "; export STARTPID_TIME" at the end. 
- #STARTPID_TIME=10 ; export STARTPID_TIME --# how many seconds to wait for the pid file to show --# up before we assume there is a problem and fail to start --# if using systemd, omit the "; export VARNAME" at the end -+ -+# How many seconds to wait for the pid file to show up before we assume there -+# is a problem and fail to start. -+# If using systemd, omit the "; export PID_TIME" at the end. - #PID_TIME=600 ; export PID_TIME - - # The tcmalloc memory allocator has been shown to have a positive impact on - # the Directory Server's virtual & resident memory size/growth. tcmalloc is --# available on RHEL/Fedora in the gperftools package (this could be different --# on other platforms). Here is an example of preloading tcmalloc: -+# available on RHEL/Fedora in the gperftools-libs package (this could be -+# different on other platforms). -+# If using systemd, omit the "; export LD_PRELOAD" at the end. - #LD_PRELOAD=@libdir@/libtcmalloc.so.4 ; export LD_PRELOAD --- -2.4.11 - diff --git a/SOURCES/0043-Ticket-49238-AddressSanitizer-heap-use-after-free-in.patch b/SOURCES/0043-Ticket-49238-AddressSanitizer-heap-use-after-free-in.patch new file mode 100644 index 0000000..5e1b21b --- /dev/null +++ b/SOURCES/0043-Ticket-49238-AddressSanitizer-heap-use-after-free-in.patch 
@@ -0,0 +1,243 @@ +From 4182dd8bbff22f9e0e45b763a4619c0bc8dcb153 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 9 May 2017 12:31:58 -0400 +Subject: [PATCH] Ticket 49238 - AddressSanitizer: heap-use-after-free in + libreplication + +Bug Description: + The bug is detected in csn pending list component, when + accessing a csn that has already been freed. + + The bug is mostly detectable under ASAN because under normal run + the read access to the csn would only crash if the csn was in + an unmapped page (that is quite difficult to acheive). + + The bug was observed under the following conditions: + - very slow machine + - all instances running on the same machine + + The patch address 2 issues + + Issue - 1 + Under specfic circumstance (failure, like "db_deadlock" during changelog update), + the csn was freed but still present in the pending list (fix-1). + + Issue - 2 + Further investigations, showed an other corner case where a + replica could be updated by several suppliers in parallel. + In such scenario, an update (on one thread-2) with a higher csn (let csn-2) + may be applied before an update (on another thread-1) with a smaller + csn (let csn-1). + csn-2 is freed when thread-2 complete but the csn-2 will remain + in the pending list until csn-1 is commited. + so followup of pending list may access a csn that was freed + +Fix Description: + Issue - 1 + The fix in repl5_plugins.c, frees the csn (thread private area) + at the condition pending list was roll up for that csn (ruv update). + + Issue - 2 + The fix is in two parts: + If a supplier tries to acquire a replica while it is + already owner of it, the replica is granted. + + If a supplier owns a replica and is asking again for it, + but this time the replica is not granted, the replica is release and + the supplier disconnected. + +https://pagure.io/389-ds-base/issue/49238 + +Reviewed by: Mark Reynolds, Ludwig Krispenz, William Brown (thanks to you all !!) 
+ +Platforms tested: 7.4 + +Flag Day: no + +Doc impact: no +--- + ldap/servers/plugins/replication/repl5.h | 1 + + ldap/servers/plugins/replication/repl5_plugins.c | 7 +++- + ldap/servers/plugins/replication/repl5_replica.c | 49 +++++++++++++++++++----- + ldap/servers/plugins/replication/repl_extop.c | 42 ++++++++++++++++++-- + 4 files changed, 86 insertions(+), 13 deletions(-) + +diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h +index c3bd10c..1d8989c 100644 +--- a/ldap/servers/plugins/replication/repl5.h ++++ b/ldap/servers/plugins/replication/repl5.h +@@ -549,6 +549,7 @@ void replica_relinquish_exclusive_access(Replica *r, PRUint64 connid, int opid); + PRBool replica_get_tombstone_reap_active(const Replica *r); + const Slapi_DN *replica_get_root(const Replica *r); + const char *replica_get_name(const Replica *r); ++uint64_t replica_get_locking_conn(const Replica *r); + ReplicaId replica_get_rid (const Replica *r); + void replica_set_rid (Replica *r, ReplicaId rid); + PRBool replica_is_initialized (const Replica *r); +diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c +index ebcc230..9ef06af 100644 +--- a/ldap/servers/plugins/replication/repl5_plugins.c ++++ b/ldap/servers/plugins/replication/repl5_plugins.c +@@ -1224,7 +1224,12 @@ common_return: + opcsn = operation_get_csn(op); + prim_csn = get_thread_primary_csn(); + if (csn_is_equal(opcsn, prim_csn)) { +- set_thread_primary_csn(NULL); ++ if (return_value == 0) { ++ /* the primary csn was succesfully committed ++ * unset it in the thread local data ++ */ ++ set_thread_primary_csn(NULL); ++ } + } + if (repl_obj) { + object_release (repl_obj); +diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c +index a106f8b..1bdc138 100644 +--- a/ldap/servers/plugins/replication/repl5_replica.c ++++ b/ldap/servers/plugins/replication/repl5_replica.c +@@ -64,6 
+64,7 @@ struct replica { + PRBool state_update_inprogress; /* replica state is being updated */ + PRLock *agmt_lock; /* protects agreement creation, start and stop */ + char *locking_purl; /* supplier who has exclusive access */ ++ uint64_t locking_conn; /* The supplier's connection id */ + Slapi_Counter *protocol_timeout;/* protocol shutdown timeout */ + Slapi_Counter *backoff_min; /* backoff retry minimum */ + Slapi_Counter *backoff_max; /* backoff retry maximum */ +@@ -602,19 +603,32 @@ replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opi + slapi_sdn_get_dn(r->repl_root), + r->locking_purl ? r->locking_purl : "unknown"); + rval = PR_FALSE; ++ if (!(r->repl_state_flags & REPLICA_TOTAL_IN_PROGRESS)) { ++ /* inc update */ ++ if (r->locking_purl && r->locking_conn == connid) { ++ /* This is the same supplier connection, reset the replica ++ * purl, and return success */ ++ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, ++ "replica_get_exclusive_access - " ++ "This is a second acquire attempt from the same replica connection " ++ " - return success instead of busy\n"); ++ slapi_ch_free_string(&r->locking_purl); ++ r->locking_purl = slapi_ch_strdup(locking_purl); ++ rval = PR_TRUE; ++ goto done; ++ } ++ if (replica_get_release_timeout(r)) { ++ /* ++ * Abort the current session so other replicas can acquire ++ * this server. ++ */ ++ r->abort_session = ABORT_SESSION; ++ } ++ } + if (current_purl) + { + *current_purl = slapi_ch_strdup(r->locking_purl); + } +- if (!(r->repl_state_flags & REPLICA_TOTAL_IN_PROGRESS) && +- replica_get_release_timeout(r)) +- { +- /* +- * We are not doing a total update, so abort the current session +- * so other replicas can acquire this server. 
+- */ +- r->abort_session = ABORT_SESSION; +- } + } + else + { +@@ -642,7 +656,9 @@ replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opi + } + slapi_ch_free_string(&r->locking_purl); + r->locking_purl = slapi_ch_strdup(locking_purl); ++ r->locking_conn = connid; + } ++done: + replica_unlock(r->repl_lock); + return rval; + } +@@ -720,6 +736,18 @@ replica_get_name(const Replica *r) /* ONREPL - should we return copy instead? */ + return(r->repl_name); + } + ++/* ++ * Returns locking_conn of this replica ++ */ ++uint64_t ++replica_get_locking_conn(const Replica *r) ++{ ++ uint64_t connid; ++ replica_lock(r->repl_lock); ++ connid = r->locking_conn; ++ replica_unlock(r->repl_lock); ++ return connid; ++} + /* + * Returns replicaid of this replica + */ +@@ -2251,6 +2279,9 @@ _replica_init_from_config (Replica *r, Slapi_Entry *e, char *errortext) + } + + r->tombstone_reap_stop = r->tombstone_reap_active = PR_FALSE; ++ ++ /* No supplier holding the replica */ ++ r->locking_conn = ULONG_MAX; + + return (_replica_check_validity (r)); + } +diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c +index 412caec..a39d918 100644 +--- a/ldap/servers/plugins/replication/repl_extop.c ++++ b/ldap/servers/plugins/replication/repl_extop.c +@@ -1138,9 +1138,45 @@ send_response: + */ + if (NULL != connext && NULL != connext->replica_acquired) + { +- Object *r_obj = (Object*)connext->replica_acquired; +- replica_relinquish_exclusive_access((Replica*)object_get_data (r_obj), +- connid, opid); ++ Replica *r = (Replica*)object_get_data ((Object*)connext->replica_acquired); ++ uint64_t r_locking_conn; ++ ++ /* At this point the supplier runs a Replica Agreement for ++ * the specific replica connext->replica_acquired. ++ * The RA does not know it holds the replica (because it is ++ * sending this request). 
++ * The situation is confused ++ */ ++ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "multimaster_extop_StartNSDS50ReplicationRequest - " ++ "already acquired replica: replica not ready (%d) (replica=%s)\n", response, replica_get_name(r) ? replica_get_name(r) : "no name"); ++ ++ /* ++ * On consumer side, we release the exclusive access at the ++ * condition this is this RA that holds the replica ++ */ ++ if (r) { ++ ++ r_locking_conn = replica_get_locking_conn(r); ++ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "multimaster_extop_StartNSDS50ReplicationRequest - " ++ "already acquired replica: locking_conn=%d, current connid=%d\n", (int) r_locking_conn, (int) connid); ++ ++ if ((r_locking_conn != ULONG_MAX) && (r_locking_conn == connid)) { ++ replica_relinquish_exclusive_access(r, connid, opid); ++ object_release((Object*) connext->replica_acquired); ++ connext->replica_acquired = NULL; ++ } ++ } ++ /* ++ * On consumer side we should not keep a incoming connection ++ * with replica_acquired set although the supplier is not aware of ++ * ++ * On the supplier, we need to close the connection so ++ * that the RA will restart a new session in a clear state ++ */ ++ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "multimaster_extop_StartNSDS50ReplicationRequest - " ++ "already acquired replica: disconnect conn=%d\n", connid); ++ slapi_disconnect_server(conn); ++ + } + /* Remove any flags that would indicate repl session in progress */ + if (NULL != connext) +-- +2.9.4 + diff --git a/SOURCES/0044-Ticket-48957-set-proper-update-status-to-replication.patch b/SOURCES/0044-Ticket-48957-set-proper-update-status-to-replication.patch deleted file mode 100644 index 6605130..0000000 --- a/SOURCES/0044-Ticket-48957-set-proper-update-status-to-replication.patch +++ /dev/null 
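Review bot: In the repl_extop.c hunk, the new `slapi_log_err` call evaluates `replica_get_name(r)` before the `if (r)` guard that follows it, and the repl5_replica.c context shows `replica_get_name` returning `r->repl_name` unchecked, so a NULL from `object_get_data` would be dereferenced in the handler for a supplier's replication-start request. Resolve the name under the guard instead, e.g. `const char *r_name = r ? replica_get_name(r) : NULL;`, and log `r_name ? r_name : "no name"`. The last added log line passes `connid` to `%d` uncast, although the same variable goes to `replica_relinquish_exclusive_access`, whose prototype takes a `PRUint64`; a 64-bit conversion such as `"conn=%" PRIu64 "\n", (uint64_t)connid` (assuming `<inttypes.h>` is available to this file) would also replace the truncating `(int)` casts in the line above it. `locking_conn` is a `uint64_t`, but its "no holder" sentinel is `ULONG_MAX`, which is only 32 bits wide on ILP32 builds, so `UINT64_MAX` would match the field. The enclosing function starts before and continues past this hunk.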
@@ -1,582 +0,0 @@ -From e48616639e254b698edaa778d41597094243ced5 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Fri, 26 Aug 2016 15:04:02 -0400 -Subject: [PATCH 44/45] Ticket 48957 - set proper update status to replication - agreement in case of failure - -Bug Description: If a replication agreement fails to send updates it always returns - a generic error message even though there are many ways it could be - failing. - -Fix Description: Set a proper error message when we fail to update a replica. Also made - all the messages consistent in format, and added new response strings - for known errors. - - Also fixed some minor compiler warnings. - -https://fedorahosted.org/389/ticket/48957 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit cdf4fb4ea6f26b4198d2d6b146ca51dcd51a31ef) ---- - ldap/servers/plugins/replication/repl5.h | 15 +++-- - ldap/servers/plugins/replication/repl5_agmt.c | 26 ++++---- - .../plugins/replication/repl5_inc_protocol.c | 70 ++++++++++++++-------- - .../plugins/replication/repl5_protocol_util.c | 65 ++++++++++++++++++-- - .../plugins/replication/repl5_replica_config.c | 4 +- - ldap/servers/plugins/replication/repl5_total.c | 5 +- - 6 files changed, 132 insertions(+), 53 deletions(-) - -diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h -index 6f6c81a..13a38fd 100644 ---- a/ldap/servers/plugins/replication/repl5.h -+++ b/ldap/servers/plugins/replication/repl5.h -@@ -91,11 +91,16 @@ - #define NSDS50_REPL_BELOW_PURGEPOINT 0x07 /* Supplier provided a CSN below the consumer's purge point */ - #define NSDS50_REPL_INTERNAL_ERROR 0x08 /* Something bad happened on consumer */ - #define NSDS50_REPL_REPLICA_RELEASE_SUCCEEDED 0x09 /* Replica released successfully */ --#define NSDS50_REPL_LEGACY_CONSUMER 0x0A /* replica is a legacy consumer */ --#define NSDS50_REPL_REPLICAID_ERROR 0x0B /* replicaID doesn't seem to be unique */ --#define NSDS50_REPL_DISABLED 0x0C /* replica suffix is disabled */ 
--#define NSDS50_REPL_UPTODATE 0x0D /* replica is uptodate */ --#define NSDS50_REPL_BACKOFF 0x0E /* replica wants master to go into backoff mode */ -+#define NSDS50_REPL_LEGACY_CONSUMER 0x0A /* replica is a legacy consumer */ -+#define NSDS50_REPL_REPLICAID_ERROR 0x0B /* replicaID doesn't seem to be unique */ -+#define NSDS50_REPL_DISABLED 0x0C /* replica suffix is disabled */ -+#define NSDS50_REPL_UPTODATE 0x0D /* replica is uptodate */ -+#define NSDS50_REPL_BACKOFF 0x0E /* replica wants master to go into backoff mode */ -+#define NSDS50_REPL_CL_ERROR 0x0F /* Problem reading changelog */ -+#define NSDS50_REPL_CONN_ERROR 0x10 /* Problem with replication connection*/ -+#define NSDS50_REPL_CONN_TIMEOUT 0x11 /* Connection timeout */ -+#define NSDS50_REPL_TRANSIENT_ERROR 0x12 /* Transient error */ -+#define NSDS50_REPL_RUV_ERROR 0x13 /* Problem with the RUV */ - #define NSDS50_REPL_REPLICA_NO_RESPONSE 0xff /* No response received */ - - /* Protocol status */ -diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c -index 76d26a1..52cc8b6 100644 ---- a/ldap/servers/plugins/replication/repl5_agmt.c -+++ b/ldap/servers/plugins/replication/repl5_agmt.c -@@ -2460,9 +2460,9 @@ agmt_set_last_update_status (Repl_Agmt *ra, int ldaprc, int replrc, const char * - replmsg = NULL; - } - } -- PR_snprintf(ra->last_update_status, STATUS_LEN, "%d %s%sLDAP error: %s%s%s", -+ PR_snprintf(ra->last_update_status, STATUS_LEN, "Error (%d) %s%s - LDAP error: %s%s%s%s", - ldaprc, message?message:"",message?"":" - ", -- slapi_err2string(ldaprc), replmsg ? " - " : "", replmsg ? replmsg : ""); -+ slapi_err2string(ldaprc), replmsg ? " (" : "", replmsg ? replmsg : "", replmsg ? 
")" : ""); - } - /* ldaprc == LDAP_SUCCESS */ - else if (replrc != 0) -@@ -2470,16 +2470,15 @@ agmt_set_last_update_status (Repl_Agmt *ra, int ldaprc, int replrc, const char * - if (replrc == NSDS50_REPL_REPLICA_BUSY) - { - PR_snprintf(ra->last_update_status, STATUS_LEN, -- "%d Can't acquire busy replica", replrc ); -+ "Error (%d) Can't acquire busy replica", replrc ); - } - else if (replrc == NSDS50_REPL_REPLICA_RELEASE_SUCCEEDED) - { -- PR_snprintf(ra->last_update_status, STATUS_LEN, "%d %s", -- ldaprc, "Replication session successful"); -+ PR_snprintf(ra->last_update_status, STATUS_LEN, "Error (0) Replication session successful"); - } - else if (replrc == NSDS50_REPL_DISABLED) - { -- PR_snprintf(ra->last_update_status, STATUS_LEN, "%d Incremental update aborted: " -+ PR_snprintf(ra->last_update_status, STATUS_LEN, "Error (%d) Incremental update aborted: " - "Replication agreement for %s\n can not be updated while the replica is disabled.\n" - "(If the suffix is disabled you must enable it then restart the server for replication to take place).", - replrc, ra->long_name ? ra->long_name : "a replica"); -@@ -2493,20 +2492,18 @@ agmt_set_last_update_status (Repl_Agmt *ra, int ldaprc, int replrc, const char * - else - { - PR_snprintf(ra->last_update_status, STATUS_LEN, -- "%d Replication error acquiring replica: %s%s%s", -- replrc, protocol_response2string(replrc), -- message?" - ":"",message?message:""); -+ "Error (%d) Replication error acquiring replica: %s%s(%s)", -+ replrc, message?message:"", message?" 
":"", protocol_response2string(replrc)); - } - } - else if (message != NULL) /* replrc == NSDS50_REPL_REPLICA_READY == 0 */ - { -- PR_snprintf(ra->last_update_status, STATUS_LEN, -- "%d Replica acquired successfully: %s", -- ldaprc, message); -+ PR_snprintf(ra->last_update_status, STATUS_LEN, -+ "Error (0) Replica acquired successfully: %s", message); - } - else - { /* agmt_set_last_update_status(0,0,NULL) to reset agmt */ -- PR_snprintf(ra->last_update_status, STATUS_LEN, "%d", ldaprc); -+ ra->last_update_status[0] = '\0'; - } - } - } -@@ -2737,7 +2734,8 @@ get_agmt_status(Slapi_PBlock *pb, Slapi_Entry* e, Slapi_Entry* entryAfter, - slapi_entry_add_string(e, "nsds5replicaChangesSentSinceStartup", changecount_string); - if (ra->last_update_status[0] == '\0') - { -- slapi_entry_add_string(e, "nsds5replicaLastUpdateStatus", "0 No replication sessions started since server startup"); -+ slapi_entry_add_string(e, "nsds5replicaLastUpdateStatus", -+ "Error (0) No replication sessions started since server startup"); - } - else - { -diff --git a/ldap/servers/plugins/replication/repl5_inc_protocol.c b/ldap/servers/plugins/replication/repl5_inc_protocol.c -index 27bac5d..d1de6c5 100644 ---- a/ldap/servers/plugins/replication/repl5_inc_protocol.c -+++ b/ldap/servers/plugins/replication/repl5_inc_protocol.c -@@ -671,7 +671,6 @@ repl5_inc_run(Private_Repl_Protocol *prp) - int wait_change_timer_set = 0; - int current_state = STATE_START; - int next_state = STATE_START; -- int optype, ldaprc; - int done; - int e1; - -@@ -838,14 +837,6 @@ repl5_inc_run(Private_Repl_Protocol *prp) - } else if (rc == ACQUIRE_FATAL_ERROR){ - next_state = STATE_STOP_FATAL_ERROR; - } -- -- if (rc != ACQUIRE_SUCCESS){ -- int optype, ldaprc; -- conn_get_error(prp->conn, &optype, &ldaprc); -- agmt_set_last_update_status(prp->agmt, ldaprc, -- prp->last_acquire_response_code, "Unable to acquire replica"); -- } -- - object_release(prp->replica_object); - break; - -@@ -934,10 +925,6 @@ 
repl5_inc_run(Private_Repl_Protocol *prp) - } else if (rc == ACQUIRE_FATAL_ERROR){ - next_state = STATE_STOP_FATAL_ERROR; - } -- if (rc != ACQUIRE_SUCCESS){ -- conn_get_error(prp->conn, &optype, &ldaprc); -- agmt_set_last_update_status(prp->agmt, ldaprc, prp->last_acquire_response_code, "Unable to acquire replica"); -- } - /* - * We either need to step the backoff timer, or - * destroy it if we don't need it anymore -@@ -1037,7 +1024,8 @@ repl5_inc_run(Private_Repl_Protocol *prp) - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Replica has no update vector. It has never been initialized.\n", - agmt_get_long_name(prp->agmt)); -- agmt_set_last_update_status(prp->agmt, 0, rc, "Replica is not initialized"); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_RUV_ERROR, -+ "Replica is not initialized"); - next_state = STATE_BACKOFF_START; - break; - case EXAMINE_RUV_GENERATION_MISMATCH: -@@ -1045,8 +1033,9 @@ repl5_inc_run(Private_Repl_Protocol *prp) - "%s: The remote replica has a different database generation ID than " - "the local database. You may have to reinitialize the remote replica, " - "or the local replica.\n", agmt_get_long_name(prp->agmt)); -- agmt_set_last_update_status(prp->agmt, 0, rc, "Replica has different database " -- "generation ID, remote replica may need to be initialized"); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_RUV_ERROR, -+ "Replica has different database generation ID, remote " -+ "replica may need to be initialized"); - next_state = STATE_BACKOFF_START; - break; - case EXAMINE_RUV_REPLICA_TOO_OLD: -@@ -1054,7 +1043,8 @@ repl5_inc_run(Private_Repl_Protocol *prp) - "%s: Replica update vector is too out of date to bring " - "into sync using the incremental protocol. 
The replica " - "must be reinitialized.\n", agmt_get_long_name(prp->agmt)); -- agmt_set_last_update_status(prp->agmt, 0, rc, "Replica needs to be reinitialized"); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_RUV_ERROR, -+ "Replica needs to be reinitialized"); - next_state = STATE_BACKOFF_START; - break; - case EXAMINE_RUV_OK: -@@ -1069,11 +1059,15 @@ repl5_inc_run(Private_Repl_Protocol *prp) - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Incremental protocol: fatal error - too much time skew between replicas!\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_EXCESSIVE_CLOCK_SKEW, -+ "fatal error - too much time skew between replicas"); - next_state = STATE_STOP_FATAL_ERROR; - } else if (rc != 0) /* internal error */ { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Incremental protocol: fatal internal error updating the CSN generator!\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_INTERNAL_ERROR, -+ "fatal internal error updating the CSN generator"); - next_state = STATE_STOP_FATAL_ERROR; - } else { - /* -@@ -1097,7 +1091,8 @@ repl5_inc_run(Private_Repl_Protocol *prp) - next_state = STATE_BACKOFF_START; - } else if (rc == UPDATE_TRANSIENT_ERROR){ - dev_debug("repl5_inc_run(STATE_SENDING_UPDATES) -> send_updates = UPDATE_TRANSIENT_ERROR -> STATE_BACKOFF_START"); -- agmt_set_last_update_status(prp->agmt, 0, rc, "Incremental update transient error. Backing off, will retry update later."); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_TRANSIENT_ERROR, -+ "Incremental update transient error. 
Backing off, will retry update later."); - next_state = STATE_BACKOFF_START; - } else if (rc == UPDATE_FATAL_ERROR){ - dev_debug("repl5_inc_run(STATE_SENDING_UPDATES) -> send_updates = UPDATE_FATAL_ERROR -> STATE_STOP_FATAL_ERROR"); -@@ -1114,11 +1109,13 @@ repl5_inc_run(Private_Repl_Protocol *prp) - conn_disconnect (prp->conn); - } else if (rc == UPDATE_CONNECTION_LOST){ - dev_debug("repl5_inc_run(STATE_SENDING_UPDATES) -> send_updates = UPDATE_CONNECTION_LOST -> STATE_BACKOFF_START"); -- agmt_set_last_update_status(prp->agmt, 0, rc, "Incremental update connection error. Backing off, will retry update later."); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CONN_ERROR, -+ "Incremental update connection error. Backing off, will retry update later."); - next_state = STATE_BACKOFF_START; - } else if (rc == UPDATE_TIMEOUT){ - dev_debug("repl5_inc_run(STATE_SENDING_UPDATES) -> send_updates = UPDATE_TIMEOUT -> STATE_BACKOFF_START"); -- agmt_set_last_update_status(prp->agmt, 0, rc, "Incremental update timeout error. Backing off, will retry update later."); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CONN_TIMEOUT, -+ "Incremental update timeout error. Backing off, will retry update later."); - next_state = STATE_BACKOFF_START; - } - /* Set the updates times based off the result of send_updates() */ -@@ -1173,8 +1170,6 @@ repl5_inc_run(Private_Repl_Protocol *prp) - /* - * We encountered some sort of a fatal error. Suspend. 
- */ -- /* XXXggood update state in replica */ -- agmt_set_last_update_status(prp->agmt, -1, 0, "Incremental update has failed and requires administrator action"); - dev_debug("repl5_inc_run(STATE_STOP_FATAL_ERROR)"); - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Incremental update failed and requires administrator action\n", -@@ -1630,30 +1625,40 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Invalid parameter passed to cl5CreateReplayIterator\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "Invalid parameter passed to cl5CreateReplayIterator"); - return_value = UPDATE_FATAL_ERROR; - break; - case CL5_BAD_FORMAT: /* db data has unexpected format */ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Unexpected format encountered in changelog database\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "Unexpected format encountered in changelog database"); - return_value = UPDATE_FATAL_ERROR; - break; - case CL5_BAD_STATE: /* changelog is in an incorrect state for attempted operation */ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Changelog database was in an incorrect state\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "Changelog database was in an incorrect state"); - return_value = UPDATE_FATAL_ERROR; - break; - case CL5_BAD_DBVERSION: /* changelog has invalid dbversion */ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Incorrect dbversion found in changelog database\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "Incorrect dbversion found in changelog database"); - return_value = UPDATE_FATAL_ERROR; - break; - case CL5_DB_ERROR: /* database error */ - 
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: A changelog database error was encountered\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "Changelog database error was encountered"); - return_value = UPDATE_FATAL_ERROR; - break; - case CL5_NOTFOUND: /* we have no changes to send */ -@@ -1666,6 +1671,8 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Memory allocation error occurred\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "changelog memory allocation error occurred"); - return_value = UPDATE_FATAL_ERROR; - break; - case CL5_SYSTEM_ERROR: /* NSPR error occurred: use PR_GetError for further info */ -@@ -1694,15 +1701,20 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu - break; - case CL5_PURGED_DATA: /* requested data has been purged */ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, -- "%s: Data required to update replica has been purged. " -+ "%s: Data required to update replica has been purged from the changelog. " - "The replica must be reinitialized.\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "Data required to update replica has been purged from the changelog. 
" -+ "The replica must be reinitialized."); - return_value = UPDATE_FATAL_ERROR; - break; - case CL5_MISSING_DATA: /* data should be in the changelog, but is missing */ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Missing data encountered\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "Changelog data is missing"); - return_value = UPDATE_FATAL_ERROR; - break; - case CL5_UNKNOWN_ERROR: /* unclassified error */ -@@ -1738,8 +1750,9 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu - rc = repl5_inc_create_async_result_thread(rd); - if (rc) { - slapi_log_error (SLAPI_LOG_FATAL, repl_plugin_name, "%s: repl5_inc_run: " -- "repl5_tot_create_async_result_thread failed; error - %d\n", -+ "repl5_inc_create_async_result_thread failed; error - %d\n", - agmt_get_long_name(prp->agmt), rc); -+ agmt_set_last_update_status(prp->agmt, 0, rc, "Failed to create result thread"); - return_value = UPDATE_FATAL_ERROR; - } - } -@@ -1898,6 +1911,8 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Invalid parameter passed to cl5GetNextOperationToReplay\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "Invalid parameter passed to cl5GetNextOperationToReplay"); - return_value = UPDATE_FATAL_ERROR; - finished = 1; - break; -@@ -1912,6 +1927,8 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: A database error occurred (cl5GetNextOperationToReplay)\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "Database error occurred while getting the next operation to replay"); - return_value = UPDATE_FATAL_ERROR; - finished = 1; - break; -@@ -1922,8 +1939,10 @@ send_updates(Private_Repl_Protocol 
*prp, RUV *remote_update_vector, PRUint32 *nu - break; - case CL5_MEMORY_ERROR: - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, -- "%s: A memory allocation error occurred (cl5GetNextOperationToRepla)\n", -+ "%s: A memory allocation error occurred (cl5GetNextOperationToReplay)\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -+ "Memory allocation error occurred (cl5GetNextOperationToReplay)"); - return_value = UPDATE_FATAL_ERROR; - break; - case CL5_IGNORE_OP: -@@ -1985,6 +2004,7 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu - if (!replarea_sdn) { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "send_updates: Unknown replication area due to agreement not found."); -+ agmt_set_last_update_status(prp->agmt, 0, -1, "Agreement is corrupted: missing suffix"); - return_value = UPDATE_FATAL_ERROR; - } else { - replica_subentry_update(replarea_sdn, rid); -diff --git a/ldap/servers/plugins/replication/repl5_protocol_util.c b/ldap/servers/plugins/replication/repl5_protocol_util.c -index ce27a8a..ce6281a 100644 ---- a/ldap/servers/plugins/replication/repl5_protocol_util.c -+++ b/ldap/servers/plugins/replication/repl5_protocol_util.c -@@ -140,10 +140,18 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - crc = conn_connect(conn); - if (CONN_OPERATION_FAILED == crc) - { -+ int operation, error; -+ conn_get_error(conn, &operation, &error); -+ agmt_set_last_update_status(prp->agmt, error, NSDS50_REPL_CONN_ERROR, -+ "Problem connecting to replica"); - return_value = ACQUIRE_TRANSIENT_ERROR; - } - else if (CONN_SSL_NOT_ENABLED == crc) - { -+ int operation, error; -+ conn_get_error(conn, &operation, &error); -+ agmt_set_last_update_status(prp->agmt, error, NSDS50_REPL_CONN_ERROR, -+ "Problem connecting to replica (SSL not enabled)"); - return_value = ACQUIRE_FATAL_ERROR; - } - else -@@ -295,6 +303,9 @@ acquire_replica(Private_Repl_Protocol *prp, char 
*prot_oid, RUV **ruv) - "an internal error occurred on the remote replica. " - "Replication is aborting.\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, extop_result, -+ "Failed to acquire replica: " -+ "Internal error occurred on the remote replica"); - return_value = ACQUIRE_FATAL_ERROR; - break; - case NSDS50_REPL_PERMISSION_DENIED: -@@ -307,6 +318,11 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "supply replication updates to the replica. " - "Will retry later.\n", - agmt_get_long_name(prp->agmt), repl_binddn); -+ agmt_set_last_update_status(prp->agmt, 0, extop_result, -+ "Unable to acquire replica: permission denied. " -+ "The bind dn does not have permission to " -+ "supply replication updates to the replica. " -+ "Will retry later."); - slapi_ch_free((void **)&repl_binddn); - return_value = ACQUIRE_TRANSIENT_ERROR; - break; -@@ -321,6 +337,10 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "Replication is aborting.\n", - agmt_get_long_name(prp->agmt), - slapi_sdn_get_dn(repl_root)); -+ agmt_set_last_update_status(prp->agmt, 0, extop_result, -+ "Unable to acquire replica: there is no " -+ "replicated area on the consumer server. " -+ "Replication is aborting."); - slapi_sdn_free(&repl_root); - return_value = ACQUIRE_FATAL_ERROR; - break; -@@ -342,6 +362,11 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "startReplicationRequest extended operation sent by the " - "supplier. Replication is aborting.\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, extop_result, -+ "Unable to acquire replica: " -+ "the consumer was unable to decode the " -+ "startReplicationRequest extended operation sent " -+ "by the supplier. 
Replication is aborting."); - return_value = ACQUIRE_FATAL_ERROR; - break; - case NSDS50_REPL_REPLICA_BUSY: -@@ -365,6 +390,10 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "by another supplier. Will try later\n", - agmt_get_long_name(prp->agmt)); - } -+ agmt_set_last_update_status(prp->agmt, 0, extop_result, -+ "Unable to acquire replica: " -+ "the replica is currently being updated by another " -+ "supplier."); - return_value = ACQUIRE_REPLICA_BUSY; - break; - case NSDS50_REPL_LEGACY_CONSUMER: -@@ -373,6 +402,9 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "%s: Unable to acquire replica: the replica " - "is supplied by a legacy supplier. " - "Replication is aborting.\n", agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, extop_result, -+ "Unable to acquire replica: the replica is supplied " -+ "by a legacy supplier. Replication is aborting."); - return_value = ACQUIRE_FATAL_ERROR; - break; - case NSDS50_REPL_REPLICAID_ERROR: -@@ -382,6 +414,9 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "has the same Replica ID as this one. " - "Replication is aborting.\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, 0, -+ "Unable to aquire replica: the replica has the same " -+ "Replica ID as this one. Replication is aborting."); - return_value = ACQUIRE_FATAL_ERROR; - break; - case NSDS50_REPL_BACKOFF: -@@ -392,6 +427,9 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "the replica instructed us to go into " - "backoff mode. Will retry later.\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, extop_result, -+ "Unable to acquire replica: the replica instructed " -+ "us to go into backoff mode. 
Will retry later."); - return_value = ACQUIRE_TRANSIENT_ERROR; - break; - case NSDS50_REPL_REPLICA_READY: -@@ -450,6 +488,8 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - return_value = ACQUIRE_SUCCESS; - break; - default: -+ agmt_set_last_update_status(prp->agmt, 0, extop_result, -+ "Unable to acquire replica"); - return_value = ACQUIRE_FATAL_ERROR; - } - } -@@ -461,6 +501,10 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "startReplication extended operation. " - "Replication is aborting.\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_DECODING_ERROR, -+ "Unable to parse the response to the " -+ "startReplication extended operation. " -+ "Replication is aborting."); - prp->last_acquire_response_code = NSDS50_REPL_INTERNAL_ERROR; - return_value = ACQUIRE_FATAL_ERROR; - } -@@ -477,6 +521,9 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "extended operation to consumer (%s). Will retry later.\n", - agmt_get_long_name(prp->agmt), - error ? ldap_err2string(error) : "unknown error"); -+ agmt_set_last_update_status(prp->agmt, error, NSDS50_REPL_CONN_ERROR, -+ "Unable to receive the response for a startReplication " -+ "extended operation to consumer. Will retry later."); - } - } - else -@@ -486,6 +533,9 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "%s: Unable to obtain current CSN. " - "Replication is aborting.\n", - agmt_get_long_name(prp->agmt)); -+ agmt_set_last_update_status(prp->agmt, 0, 0, -+ "Unable to obtain current CSN. 
" -+ "Replication is aborting."); - return_value = ACQUIRE_FATAL_ERROR; - } - } -@@ -535,8 +585,8 @@ release_replica(Private_Repl_Protocol *prp) - PR_ASSERT(NULL != prp); - PR_ASSERT(NULL != prp->conn); - -- if (!prp->replica_acquired) -- return; -+ if (!prp->replica_acquired) -+ return; - - replarea_sdn = agmt_get_replarea(prp->agmt); - payload = NSDS50EndReplicationRequest_new((char *)slapi_sdn_get_dn(replarea_sdn)); /* XXXggood had to cast away const */ -@@ -650,9 +700,14 @@ protocol_response2string (int response) - case NSDS50_REPL_BELOW_PURGEPOINT: return "csn below purge point"; - case NSDS50_REPL_INTERNAL_ERROR: return "internal error"; - case NSDS50_REPL_REPLICA_RELEASE_SUCCEEDED: return "replica released"; -- case NSDS50_REPL_LEGACY_CONSUMER: return "replica is a legacy consumer"; -- case NSDS50_REPL_REPLICAID_ERROR: return "duplicate replica ID detected"; -- case NSDS50_REPL_UPTODATE: return "no change to send"; -+ case NSDS50_REPL_LEGACY_CONSUMER: return "replica is a legacy consumer"; -+ case NSDS50_REPL_REPLICAID_ERROR: return "duplicate replica ID detected"; -+ case NSDS50_REPL_UPTODATE: return "no change to send"; -+ case NSDS50_REPL_CL_ERROR: return "changelog error"; -+ case NSDS50_REPL_CONN_ERROR: return "connection error"; -+ case NSDS50_REPL_CONN_TIMEOUT: return "connection timeout"; -+ case NSDS50_REPL_TRANSIENT_ERROR: return "transient error"; -+ case NSDS50_REPL_RUV_ERROR: return "RUV error"; - default: return "unknown error"; - } - } -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index 011e4ca..59e5298 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -639,8 +639,8 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* - } - - done: -- if (mtnode_ext->replica) -- object_release (mtnode_ext->replica); -+ if (mtnode_ext->replica) -+ object_release 
(mtnode_ext->replica); - - /* slapi_ch_free accepts NULL pointer */ - slapi_ch_free_string(&replica_root); -diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c -index 0512dfa..dcb7af5 100644 ---- a/ldap/servers/plugins/replication/repl5_total.c -+++ b/ldap/servers/plugins/replication/repl5_total.c -@@ -533,8 +533,9 @@ my_ber_scanf_value(BerElement *ber, Slapi_Value **value, PRBool *deleted) - goto loser; - } - -- if (attrval) -- ber_bvfree(attrval); -+ if (attrval) -+ ber_bvfree(attrval); -+ - return 0; - - loser: --- -2.4.11 - diff --git a/SOURCES/0044-Ticket-49246-ns-slapd-crashes-in-role-cache-creation.patch b/SOURCES/0044-Ticket-49246-ns-slapd-crashes-in-role-cache-creation.patch new file mode 100644 index 0000000..5aafc3d --- /dev/null +++ b/SOURCES/0044-Ticket-49246-ns-slapd-crashes-in-role-cache-creation.patch 
@@ -0,0 +1,171 @@
+From 18491418e661b5dc1b9ca4c6bb4adb85bfb0bf0d Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Tue, 9 May 2017 16:31:52 -0400
+Subject: [PATCH] Ticket 49246 - ns-slapd crashes in role cache creation
+
+Bug Description: Using a nested filter for a filtered role can
+ cause a crash. This was due to the way the filter
+ was being checked by the roles plugin.
+
+Fix Description: Properly resurse over a filter.
+
+https://pagure.io/389-ds-base/issue/49246
+
+Reviewed by: firstyear & tbordaz(Thanks!!)
+
+(cherry picked from commit 54e4fca35899550e0c25b25e7f7c756302d258ce)
+---
+ dirsrvtests/tests/tickets/ticket49122_test.py | 61 ++++++++++++++++++---------
+ ldap/servers/plugins/roles/roles_cache.c | 34 +++++++++++----
+ 2 files changed, 66 insertions(+), 29 deletions(-)
+
+diff --git a/dirsrvtests/tests/tickets/ticket49122_test.py b/dirsrvtests/tests/tickets/ticket49122_test.py
+index ff1e8d1..0945122 100644
+--- a/dirsrvtests/tests/tickets/ticket49122_test.py
++++ b/dirsrvtests/tests/tickets/ticket49122_test.py
+@@ -2,8 +2,7 @@ import time
+ import ldap
+ import logging
+ import pytest
+-from lib389 import DirSrv, Entry, tools, tasks
+-from lib389.tools import DirSrvTools
++from lib389 import Entry
+ from lib389._constants import *
+ from lib389.properties import *
+ from lib389.tasks import *
+@@ -19,6 +18,15 @@ log = logging.getLogger(__name__)
+
+ USER_DN = 'uid=user,' + DEFAULT_SUFFIX
+ ROLE_DN = 'cn=Filtered_Role_That_Includes_Empty_Role,' + DEFAULT_SUFFIX
++filters = ['nsrole=cn=empty,dc=example,dc=com',
++ '(nsrole=cn=empty,dc=example,dc=com)',
++ '(&(nsrole=cn=empty,dc=example,dc=com))',
++ '(!(nsrole=cn=empty,dc=example,dc=com))',
++ '(&(|(objectclass=person)(sn=app*))(userpassword=*))',
++ '(&(|(objectclass=person)(nsrole=cn=empty,dc=example,dc=com))(userpassword=*))',
++ '(&(|(nsrole=cn=empty,dc=example,dc=com)(sn=app*))(userpassword=*))',
++ '(&(|(objectclass=person)(sn=app*))(nsrole=cn=empty,dc=example,dc=com))',
++ '(&(|(&(cn=*)(objectclass=person)(nsrole=cn=empty,dc=example,dc=com)))(uid=*))']
+
+
+ def test_ticket49122(topo):
+@@ -29,18 +37,6 @@ def test_ticket49122(topo):
+ topo.standalone.plugins.enable(name=PLUGIN_ROLES)
+ topo.standalone.restart()
+
+- # Add invalid role
+- try:
+- topo.standalone.add_s(Entry((
+- ROLE_DN, {'objectclass': ['top', 'ldapsubentry', 'nsroledefinition',
+- 'nscomplexroledefinition', 'nsfilteredroledefinition'],
+- 'cn': 'Filtered_Role_That_Includes_Empty_Role',
+- 'nsRoleFilter': '(!(nsrole=cn=This_Is_An_Empty_Managed_NsRoleDefinition,dc=example,dc=com))',
+- 'description': 'A filtered role with filter that will crash the server'})))
+- except ldap.LDAPError as e:
+- topo.standalone.log.fatal('Failed to add filtered role: error ' + e.message['desc'])
+- assert False
+-
+ # Add test user
+ try:
+ topo.standalone.add_s(Entry((
+@@ -51,16 +47,39 @@ def test_ticket49122(topo):
+ assert False
+
+ if DEBUGGING:
+- # Add debugging steps(if any)...
+ print("Attach gdb")
+ time.sleep(20)
+
+- # Search for the role
+- try:
+- topo.standalone.search_s(USER_DN, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nsrole'])
+- except ldap.LDAPError as e:
+- topo.standalone.log.fatal('Search failed: error ' + str(e))
+- assert False
++ # Loop over filters
++ for role_filter in filters:
++ log.info('Testing filter: ' + role_filter)
++
++ # Add invalid role
++ try:
++ topo.standalone.add_s(Entry((
++ ROLE_DN, {'objectclass': ['top', 'ldapsubentry', 'nsroledefinition',
++ 'nscomplexroledefinition', 'nsfilteredroledefinition'],
++ 'cn': 'Filtered_Role_That_Includes_Empty_Role',
++ 'nsRoleFilter': role_filter,
++ 'description': 'A filtered role with filter that will crash the server'})))
++ except ldap.LDAPError as e:
++ topo.standalone.log.fatal('Failed to add filtered role: error ' + e.message['desc'])
++ assert False
++
++ # Search for the role
++ try:
++ topo.standalone.search_s(USER_DN, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nsrole'])
++ except ldap.LDAPError as e:
++ topo.standalone.log.fatal('Search failed: error ' + str(e))
++ assert False
++
++ # Cleanup
++ try:
++ topo.standalone.delete_s(ROLE_DN)
++ except ldap.LDAPError as e:
++ topo.standalone.log.fatal('delete failed: error ' + str(e))
++ assert False
++ time.sleep(1)
+
+ topo.standalone.log.info('Test Passed')
+
+diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
+index 4f27c4c..3697eaa 100644
+--- a/ldap/servers/plugins/roles/roles_cache.c
++++ b/ldap/servers/plugins/roles/roles_cache.c
+@@ -1073,20 +1073,38 @@ static int roles_cache_create_role_under(roles_cache_def** roles_cache_suffix, S
+ }
+
+ /*
+- * Check that we are not using nsrole in the filter
++ * Check that we are not using nsrole in the filter, recurse over all the
++ * nested filters.
+ */
+ static int roles_check_filter(Slapi_Filter *filter_list)
+ {
+ Slapi_Filter *f;
+ char *type = NULL;
+
+- for ( f = slapi_filter_list_first( filter_list );
+- f != NULL;
+- f = slapi_filter_list_next( filter_list, f ) )
+- {
+- slapi_filter_get_attribute_type(f, &type);
+- if (strcasecmp(type, NSROLEATTR) == 0){
+- return -1;
++ f = slapi_filter_list_first( filter_list );
++ if (f == NULL){
++ /* Single filter */
++ if (slapi_filter_get_attribute_type(filter_list, &type) == 0){
++ if (strcasecmp(type, NSROLEATTR) == 0){
++ return -1;
++ }
++ }
++ }
++ for ( ; f != NULL; f = slapi_filter_list_next(filter_list, f) ){
++ /* Complex filter */
++ if (slapi_filter_list_first(f)) {
++ /* Another filter list - recurse */
++ if (roles_check_filter(f) == -1){
++ /* Done, break out */
++ return -1;
++ }
++ } else {
++ /* Not a filter list, so check the type */
++ if (slapi_filter_get_attribute_type(f, &type) == 0){
++ if (strcasecmp(type, NSROLEATTR) == 0){
++ return -1;
++ }
++ }
+ }
+ }
+
+--
+2.9.4
+
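Review bot: In the new `roles_check_filter` (roles_cache.c part of this patch), the leaf test — `slapi_filter_get_attribute_type` followed by `strcasecmp(type, NSROLEATTR)` — is written twice: once in the single-filter case before the loop and again in the loop's `else` branch. Because the function already handles a non-list filter when `slapi_filter_list_first` returns NULL, the loop body can be reduced to `if (roles_check_filter(f) == -1) return -1;`, leaving one copy of the check to maintain. The recursion depth now follows the nesting of the stored nsRoleFilter value; presumably the filter parser caps nesting before this function runs, but that is not visible here, so the header comment should state the assumption, e.g. `* Recursion depth is bounded by the filter parser's nesting limit.` The function's closing lines are outside the hunk.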
diff --git a/SOURCES/0045-Ticket-48972-remove-old-pwp-code-that-adds-removes-A.patch b/SOURCES/0045-Ticket-48972-remove-old-pwp-code-that-adds-removes-A.patch
deleted file mode 100644
index 094033c..0000000
--- a/SOURCES/0045-Ticket-48972-remove-old-pwp-code-that-adds-removes-A.patch
+++ /dev/null
@@ -1,227 +0,0 @@ -From 1c4faa3c235c42abde1d7fe93cb43429772b65a6 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Fri, 26 Aug 2016 18:51:42 -0400 -Subject: [PATCH 45/45] Ticket 48972 - remove old pwp code that adds/removes - ACIs - -Bug Description: Old legacy code is still present in the DS that used - to enforce the password policy "user may change password" - using ACIs. This old code would re-add the ACI for - selfwrite on userpassword at server startup. - -Fix Description: The current password policy does not depend on these access - access control rules to enforce if a user can change their - password or not. - -https://fedorahosted.org/389/ticket/48972 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit 32881be120f14b952de67a0d533ad94ba0956093) ---- - ldap/servers/slapd/add.c | 15 -------- - ldap/servers/slapd/libglobs.c | 14 ------- - ldap/servers/slapd/proto-slap.h | 3 -- - ldap/servers/slapd/pw.c | 81 ----------------------------------------- - ldap/servers/slapd/pw_mgmt.c | 9 +---- - 5 files changed, 1 insertion(+), 121 deletions(-) - -diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c -index 629017e..708d3e7 100644 ---- a/ldap/servers/slapd/add.c -+++ b/ldap/servers/slapd/add.c -@@ -643,21 +643,6 @@ static void op_shared_add (Slapi_PBlock *pb) - } - - slapi_pblock_set(pb, SLAPI_BACKEND, be); -- /* we set local password policy ACI for non-replicated operations only */ -- if (!repl_op && -- !operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP) && -- !operation_is_flag_set(operation, OP_FLAG_LEGACY_REPLICATION_DN) && -- !slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA) && -- !slapi_be_private(be) && -- slapi_be_issuffix (be, slapi_entry_get_sdn_const(e))) -- { -- /* this is a suffix. 
update the pw aci */ -- slapdFrontendConfig_t *slapdFrontendConfig; -- slapdFrontendConfig = getFrontendConfig(); -- pw_add_allowchange_aci(e, !slapdFrontendConfig->pw_policy.pw_change && -- !slapdFrontendConfig->pw_policy.pw_must_change); -- } -- - - if (!repl_op) - { -diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c -index a630c6c..faf521b 100644 ---- a/ldap/servers/slapd/libglobs.c -+++ b/ldap/servers/slapd/libglobs.c -@@ -2601,13 +2601,6 @@ config_set_pw_change( const char *attrname, char *value, char *errorbuf, int app - errorbuf, - apply); - -- if (retVal == LDAP_SUCCESS) { -- /* LP: Update ACI to reflect the value ! */ -- if (apply) -- pw_mod_allowchange_aci(!slapdFrontendConfig->pw_policy.pw_change && -- !slapdFrontendConfig->pw_policy.pw_must_change); -- } -- - return retVal; - } - -@@ -2638,13 +2631,6 @@ config_set_pw_must_change( const char *attrname, char *value, char *errorbuf, in - errorbuf, - apply); - -- if (retVal == LDAP_SUCCESS) { -- /* LP: Update ACI to reflect the value ! 
*/ -- if (apply) -- pw_mod_allowchange_aci(!slapdFrontendConfig->pw_policy.pw_change && -- !slapdFrontendConfig->pw_policy.pw_must_change); -- } -- - return retVal; - } - -diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h -index 1f37010..712642f 100644 ---- a/ldap/servers/slapd/proto-slap.h -+++ b/ldap/servers/slapd/proto-slap.h -@@ -951,9 +951,6 @@ void get_old_pw( Slapi_PBlock *pb, const Slapi_DN *sdn, char **old_pw); - int check_account_lock( Slapi_PBlock *pb, Slapi_Entry * bind_target_entry, int pwresponse_req, int account_inactivation_only /*no wire/no pw policy*/); - int check_pw_minage( Slapi_PBlock *pb, const Slapi_DN *sdn, struct berval **vals) ; - void add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e ); --void mod_allowchange_aci(char *val); --void pw_mod_allowchange_aci(int pw_prohibit_change); --void pw_add_allowchange_aci(Slapi_Entry *e, int pw_prohibit_change); - - int add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e); - -diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c -index 7469b9e..3f2cdb0 100644 ---- a/ldap/servers/slapd/pw.c -+++ b/ldap/servers/slapd/pw.c -@@ -1337,69 +1337,6 @@ slapi_add_pwd_control ( Slapi_PBlock *pb, char *arg, long time) { - } - - void --pw_mod_allowchange_aci(int pw_prohibit_change) --{ -- const Slapi_DN *base; -- char *values_mod[2]; -- LDAPMod mod; -- LDAPMod *mods[2]; -- Slapi_Backend *be; -- char *cookie = NULL; -- -- mods[0] = &mod; -- mods[1] = NULL; -- mod.mod_type = "aci"; -- mod.mod_values = values_mod; -- -- if (pw_prohibit_change) { -- mod.mod_op = LDAP_MOD_ADD; -- } -- else -- { -- /* Allow change password by default */ -- /* remove the aci if it is there. it is ok to fail */ -- mod.mod_op = LDAP_MOD_DELETE; -- } -- -- be = slapi_get_first_backend (&cookie); -- /* Foreach backend... 
*/ -- while (be) -- { -- /* Don't add aci on a chaining backend holding remote entries */ -- if((!be->be_private) && (!slapi_be_is_flag_set(be,SLAPI_BE_FLAG_REMOTE_DATA))) -- { -- /* There's only One suffix per DB now. No need to loop */ -- base = slapi_be_getsuffix(be, 0); -- if (base != NULL) -- { -- Slapi_PBlock pb; -- int rc; -- -- pblock_init (&pb); -- values_mod[0] = DENY_PW_CHANGE_ACI; -- values_mod[1] = NULL; -- slapi_modify_internal_set_pb_ext(&pb, base, mods, NULL, NULL, -- pw_get_componentID(), 0); -- slapi_modify_internal_pb(&pb); -- slapi_pblock_get(&pb, SLAPI_PLUGIN_INTOP_RESULT, &rc); -- if (rc == LDAP_SUCCESS){ -- /* -- ** Since we modified the acl -- ** successfully, let's update the -- ** in-memory acl list -- */ -- slapi_pblock_set(&pb, SLAPI_TARGET_SDN, (void *)base); -- plugin_call_acl_mods_update (&pb, LDAP_REQ_MODIFY ); -- } -- pblock_done(&pb); -- } -- } -- be = slapi_get_next_backend (cookie); -- } -- slapi_ch_free((void **) &cookie); --} -- --void - add_password_attrs( Slapi_PBlock *pb, Operation *op, Slapi_Entry *e ) - { - struct berval bv; -@@ -1583,24 +1520,6 @@ check_trivial_words (Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char - return ( 0 ); - } - -- --void --pw_add_allowchange_aci(Slapi_Entry *e, int pw_prohibit_change) { -- char *aci_pw = NULL; -- const char *aciattr = "aci"; -- -- aci_pw = slapi_ch_strdup(DENY_PW_CHANGE_ACI); -- -- if (pw_prohibit_change) { -- /* Add ACI */ -- slapi_entry_add_string(e, aciattr, aci_pw); -- } else { -- /* Remove ACI */ -- slapi_entry_delete_string(e, aciattr, aci_pw); -- } -- slapi_ch_free((void **) &aci_pw); --} -- - int - pw_is_pwp_admin(Slapi_PBlock *pb, passwdPolicy *pwp){ - Slapi_DN *bind_sdn = NULL; -diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c -index 5470556..7252c08 100644 ---- a/ldap/servers/slapd/pw_mgmt.c -+++ b/ldap/servers/slapd/pw_mgmt.c -@@ -256,13 +256,8 @@ skip: - void - pw_init ( void ) - { -- slapdFrontendConfig_t *slapdFrontendConfig; -- - 
pw_set_componentID(generate_componentid(NULL, COMPONENT_PWPOLICY)); -- -- slapdFrontendConfig = getFrontendConfig(); -- pw_mod_allowchange_aci (!slapdFrontendConfig->pw_policy.pw_change && -- !slapdFrontendConfig->pw_policy.pw_must_change); -+ - #if defined(USE_OLD_UNHASHED) - slapi_add_internal_attr_syntax( PSEUDO_ATTR_UNHASHEDUSERPASSWORD, - PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID, -@@ -273,5 +268,3 @@ pw_init ( void ) - SLAPI_ATTR_FLAG_NOEXPOSE); - #endif - } -- -- --- -2.4.11 - diff --git a/SOURCES/0045-Ticket-49258-Allow-nsslapd-cache-autosize-to-be-modi.patch b/SOURCES/0045-Ticket-49258-Allow-nsslapd-cache-autosize-to-be-modi.patch new file mode 100644 index 0000000..07892e9 --- /dev/null +++ b/SOURCES/0045-Ticket-49258-Allow-nsslapd-cache-autosize-to-be-modi.patch 
@@ -0,0 +1,84 @@
+From e0cb3e9ff5337cfc4ecaa6fa5efa189b7bc16246 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 15 May 2017 11:14:43 -0400
+Subject: [PATCH 05/10] Ticket 49258 - Allow nsslapd-cache-autosize to be
+ modified while the server is running
+
+Bug Description: Previously you're not allowed to set nsslapd-cache-autosize, and
+ nsslapd-cache-autosize-set while the server was running. The only
+ way to set it was to edit the dse.ldif
+
+Fix Description: Allow it to be set while the server is running. Also added value
+ validation for these settigs
+
+https://pagure.io/389-ds-base/issue/49258
+
+Reviewed by: tbordaz(Thanks!)
+
+(cherry picked from commit 2d07ca48f9c1232fc544361b5103d353e4791a72)
+---
+ ldap/servers/slapd/back-ldbm/ldbm_config.c | 34 ++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
+index 401cd60..f7edd9e 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
++++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
+@@ -1197,8 +1197,19 @@ static int ldbm_config_cache_autosize_set(void *arg, void *value, char *errorbuf
+ {
+ struct ldbminfo *li = (struct ldbminfo *)arg;
+
+- if (apply)
+- li->li_cache_autosize = (int)((uintptr_t)value);
++ if (apply) {
++ int val = (int)((uintptr_t)value);
++ if (val < 0 || val > 100) {
++ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
++ "Error: Invalid value for %s (%d). The value must be between \"0\" and \"100\"\n",
++ CONFIG_CACHE_AUTOSIZE, val);
++ slapi_log_err(SLAPI_LOG_ERR, "ldbm_config_cache_autosize_set",
++ "Invalid value for %s (%d). The value must be between \"0\" and \"100\"\n",
++ CONFIG_CACHE_AUTOSIZE, val);
++ return LDAP_UNWILLING_TO_PERFORM;
++ }
++ li->li_cache_autosize = val;
++ }
+ return LDAP_SUCCESS;
+ }
+
+@@ -1214,8 +1225,19 @@ static int ldbm_config_cache_autosize_split_set(void *arg, void *value, char *er
+ {
+ struct ldbminfo *li = (struct ldbminfo *)arg;
+
+- if (apply)
+- li->li_cache_autosize_split = (int)((uintptr_t)value);
++ if (apply) {
++ int val = (int)((uintptr_t)value);
++ if (val < 0 || val > 100) {
++ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
++ "Error: Invalid value for %s (%d). The value must be between \"0\" and \"100\"\n",
++ CONFIG_CACHE_AUTOSIZE_SPLIT, val);
++ slapi_log_err(SLAPI_LOG_ERR, "ldbm_config_cache_autosize_split_set",
++ "Invalid value for %s (%d). The value must be between \"0\" and \"100\"\n",
++ CONFIG_CACHE_AUTOSIZE_SPLIT, val);
++ return LDAP_UNWILLING_TO_PERFORM;
++ }
++ li->li_cache_autosize_split = val;
++ }
+ return LDAP_SUCCESS;
+ }
+
+@@ -1582,8 +1604,8 @@ static config_info ldbm_config[] = {
+ {CONFIG_DB_DEBUG_CHECKPOINTING, CONFIG_TYPE_ONOFF, "off", &ldbm_config_db_debug_checkpointing_get, &ldbm_config_db_debug_checkpointing_set, 0},
+ {CONFIG_DB_HOME_DIRECTORY, CONFIG_TYPE_STRING, "", &ldbm_config_db_home_directory_get, &ldbm_config_db_home_directory_set, 0},
+ {CONFIG_IMPORT_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "-1", &ldbm_config_import_cache_autosize_get, &ldbm_config_import_cache_autosize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
+- {CONFIG_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "10", &ldbm_config_cache_autosize_get, &ldbm_config_cache_autosize_set, 0},
+- {CONFIG_CACHE_AUTOSIZE_SPLIT, CONFIG_TYPE_INT, "40", &ldbm_config_cache_autosize_split_get, &ldbm_config_cache_autosize_split_set, 0},
++ {CONFIG_CACHE_AUTOSIZE, CONFIG_TYPE_INT, "10", &ldbm_config_cache_autosize_get, &ldbm_config_cache_autosize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
++ {CONFIG_CACHE_AUTOSIZE_SPLIT, CONFIG_TYPE_INT, "40", &ldbm_config_cache_autosize_split_get, &ldbm_config_cache_autosize_split_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
+ {CONFIG_IMPORT_CACHESIZE, CONFIG_TYPE_SIZE_T, "16777216", &ldbm_config_import_cachesize_get, &ldbm_config_import_cachesize_set, CONFIG_FLAG_ALWAYS_SHOW|CONFIG_FLAG_ALLOW_RUNNING_CHANGE},
+ {CONFIG_IDL_SWITCH, CONFIG_TYPE_STRING, "new", &ldbm_config_idl_get_idl_new, &ldbm_config_idl_set_tune, CONFIG_FLAG_ALWAYS_SHOW},
+ {CONFIG_IDL_UPDATE, CONFIG_TYPE_ONOFF, "on", &ldbm_config_idl_get_update, &ldbm_config_idl_set_update, 0},
+--
+2.9.4
+
diff --git a/SOURCES/0046-Ticket-48970-Serverside-sorting-crashes-the-server.patch b/SOURCES/0046-Ticket-48970-Serverside-sorting-crashes-the-server.patch
deleted file mode 100644
index d710373..0000000
--- a/SOURCES/0046-Ticket-48970-Serverside-sorting-crashes-the-server.patch
+++ /dev/null
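Review bot: The new range check in `ldbm_config_cache_autosize_set` runs only inside `if (apply)`, so a call with `apply` false still returns `LDAP_SUCCESS` for any value; `ldbm_config_cache_autosize_split_set` in the next hunk has the same shape. If the config code makes a non-apply pass to vet a modify before committing it (not visible here), an out-of-range value passes that pass and is refused only at apply time, which matters more now that both attributes carry `CONFIG_FLAG_ALLOW_RUNNING_CHANGE`. I would hoist `int val = (int)((uintptr_t)value);` and the `if (val < 0 || val > 100)` block above the `apply` test and keep only `li->li_cache_autosize = val;` under it. The cast also narrows a pointer-sized value to `int` before the check, so it is worth confirming the caller never hands in a value that wraps into 0..100.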
@@ -1,192 +0,0 @@ -From d8399105d3b9ca281522624fdd471360b8ea59f6 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 30 Aug 2016 10:32:45 -0400 -Subject: [PATCH 46/47] Ticket 48970 - Serverside sorting crashes the server - -Bug Description: When using a matching rule and server side sorting - the server does a double-free on the matching rule - keys which crashes the server. - -Fix Description: Set the pblock pointer to NULL after the keys are - freed. This prevents the double free. - - Also fixed some complier warnings/indentation. - -Valgrind: passed - -https://fedorahosted.org/389/ticket/48970 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit 43997fa8782ca93e20595ae10e303d85e5b765f4) ---- - ldap/servers/plugins/collation/collate.c | 14 ++++---- - ldap/servers/plugins/collation/orfilter.c | 55 ++++++++++++++++++------------- - ldap/servers/slapd/back-ldbm/sort.c | 12 +++---- - 3 files changed, 43 insertions(+), 38 deletions(-) - -diff --git a/ldap/servers/plugins/collation/collate.c b/ldap/servers/plugins/collation/collate.c -index 0480280..483a132 100644 ---- a/ldap/servers/plugins/collation/collate.c -+++ b/ldap/servers/plugins/collation/collate.c -@@ -347,23 +347,23 @@ collation_index (indexer_t* ix, struct berval** bvec, struct berval** prefixes) - return keys; - } - -+/* The destructor function for a collation-based indexer. */ - static void - collation_indexer_destroy (indexer_t* ix) -- /* The destructor function for a collation-based indexer. 
*/ - { - collation_indexer_t* etc = (collation_indexer_t*) ix->ix_etc; - if (etc->converter) { -- ucnv_close(etc->converter); -- etc->converter = NULL; -+ ucnv_close(etc->converter); -+ etc->converter = NULL; - } - - if (etc->collator) { -- ucol_close(etc->collator); -- etc->collator = NULL; -+ ucol_close(etc->collator); -+ etc->collator = NULL; - } - if (etc->ix_keys != NULL) { -- ber_bvecfree (etc->ix_keys); -- etc->ix_keys = NULL; -+ ber_bvecfree (etc->ix_keys); -+ etc->ix_keys = NULL; - } - slapi_ch_free((void**)&ix->ix_etc); - ix->ix_etc = NULL; /* just for hygiene */ -diff --git a/ldap/servers/plugins/collation/orfilter.c b/ldap/servers/plugins/collation/orfilter.c -index 8dc4246..084fdf6 100644 ---- a/ldap/servers/plugins/collation/orfilter.c -+++ b/ldap/servers/plugins/collation/orfilter.c -@@ -34,7 +34,7 @@ static void - indexer_free (indexer_t* ix) - { - if (ix->ix_destroy != NULL) { -- ix->ix_destroy (ix); -+ ix->ix_destroy (ix); - } - slapi_ch_free((void**)&ix); - } -@@ -221,23 +221,28 @@ op_filter_match (or_filter_t* or, struct berval** vals) - auto indexer_t* ix = or->or_indexer; - auto struct berval** v = ix->ix_index (ix, vals, NULL); - if (v != NULL) for (; *v; ++v) { -- auto struct berval** k = or->or_match_keys; -- if (k != NULL) for (; *k; ++k) { -- switch (or->or_op) { -- case SLAPI_OP_LESS: -- if (slapi_berval_cmp (*v, *k) < 0) return 0; break; -- case SLAPI_OP_LESS_OR_EQUAL: -- if (slapi_berval_cmp (*v, *k) <= 0) return 0; break; -- case SLAPI_OP_EQUAL: -- if (SLAPI_BERVAL_EQ (*v, *k)) return 0; break; -- case SLAPI_OP_GREATER_OR_EQUAL: -- if (slapi_berval_cmp (*v, *k) >= 0) return 0; break; -- case SLAPI_OP_GREATER: -- if (slapi_berval_cmp (*v, *k) > 0) return 0; break; -- default: -- break; -- } -- } -+ auto struct berval** k = or->or_match_keys; -+ if (k != NULL) for (; *k; ++k) { -+ switch (or->or_op) { -+ case SLAPI_OP_LESS: -+ if (slapi_berval_cmp (*v, *k) < 0) return 0; -+ break; -+ case SLAPI_OP_LESS_OR_EQUAL: -+ if (slapi_berval_cmp 
(*v, *k) <= 0) return 0; -+ break; -+ case SLAPI_OP_EQUAL: -+ if (SLAPI_BERVAL_EQ (*v, *k)) return 0; -+ break; -+ case SLAPI_OP_GREATER_OR_EQUAL: -+ if (slapi_berval_cmp (*v, *k) >= 0) return 0; -+ break; -+ case SLAPI_OP_GREATER: -+ if (slapi_berval_cmp (*v, *k) > 0) return 0; -+ break; -+ default: -+ break; -+ } -+ } - } - return -1; - } -@@ -570,7 +575,9 @@ op_indexer_destroy (Slapi_PBlock* pb) - auto indexer_t* ix = op_indexer_get (pb); - LDAPDebug (LDAP_DEBUG_FILTER, "op_indexer_destroy(%p)\n", (void*)ix, 0, 0); - if (ix != NULL) { -- indexer_free (ix); -+ indexer_free (ix); -+ /* The keys were freed, but we need to reset the pblock pointer */ -+ slapi_pblock_set(pb, SLAPI_PLUGIN_MR_KEYS, NULL); - } - return 0; - } -@@ -623,10 +630,10 @@ typedef struct ss_indexer_t { - static void - ss_indexer_free (ss_indexer_t* ss) - { -- slapi_ch_free((void**)&ss->ss_oid); -+ slapi_ch_free_string(&ss->ss_oid); - if (ss->ss_indexer != NULL) { -- indexer_free (ss->ss_indexer); -- ss->ss_indexer = NULL; -+ indexer_free (ss->ss_indexer); -+ ss->ss_indexer = NULL; - } - slapi_ch_free((void**)&ss); - } -@@ -647,7 +654,9 @@ ss_indexer_destroy (Slapi_PBlock* pb) - auto ss_indexer_t* ss = ss_indexer_get (pb); - LDAPDebug (LDAP_DEBUG_FILTER, "ss_indexer_destroy(%p)\n", (void*)ss, 0, 0); - if (ss) { -- ss_indexer_free (ss); -+ ss_indexer_free(ss); -+ /* The keys were freed, but we need to reset the pblock pointer */ -+ slapi_pblock_set(pb, SLAPI_PLUGIN_MR_KEYS, NULL); - } - } - -diff --git a/ldap/servers/slapd/back-ldbm/sort.c b/ldap/servers/slapd/back-ldbm/sort.c -index 69fe659..46f2dbd 100644 ---- a/ldap/servers/slapd/back-ldbm/sort.c -+++ b/ldap/servers/slapd/back-ldbm/sort.c -@@ -32,15 +32,11 @@ static int print_out_sort_spec(char* buffer,sort_spec *s,int *size); - - static void sort_spec_thing_free(sort_spec_thing *s) - { -- if (NULL != s->type) { -- slapi_ch_free((void **)&s->type); -- } -- if (NULL != s->matchrule) { -- slapi_ch_free( (void**)&s->matchrule); -- } -+ 
slapi_ch_free_string(&s->type); -+ slapi_ch_free_string(&s->matchrule); - if (NULL != s->mr_pb) { - destroy_matchrule_indexer(s->mr_pb); -- slapi_pblock_destroy (s->mr_pb); -+ slapi_pblock_destroy (s->mr_pb); - } - attr_done(&s->sattr); - slapi_ch_free( (void**)&s); -@@ -116,7 +112,7 @@ void sort_log_access(Slapi_PBlock *pb,sort_spec_thing *s,IDList *candidates) - /* Now output it */ - ldbm_log_access_message(pb,buffer); - if (buffer != stack_buffer) { -- slapi_ch_free( (void**)&buffer); -+ slapi_ch_free_string(&buffer); - } - } - --- -2.4.11 - diff --git a/SOURCES/0046-Ticket-49261-Fix-script-usage-and-man-pages.patch b/SOURCES/0046-Ticket-49261-Fix-script-usage-and-man-pages.patch new file mode 100644 index 0000000..71857d0 --- /dev/null +++ b/SOURCES/0046-Ticket-49261-Fix-script-usage-and-man-pages.patch 
@@ -0,0 +1,156 @@ +From c0a50f26aa52bda451c5b5bce7fa2c7c2eb90fe6 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 17 May 2017 16:24:50 -0400 +Subject: [PATCH] Ticket 49261 - Fix script usage and man pages + +Description: We incorrectly said db2bak.pl and db2ldif.pl took a "-v" option, + but they did not. Plus the usage for some of the shell scripts + did not display "-v" option in the usage + +https://pagure.io/389-ds-base/issue/49261 + +Reviewed by: tbordaz(Thanks!) +--- + ldap/admin/src/scripts/db2bak.in | 3 ++- + ldap/admin/src/scripts/db2bak.pl.in | 2 +- + ldap/admin/src/scripts/db2index.in | 3 ++- + ldap/admin/src/scripts/db2ldif.in | 3 ++- + ldap/admin/src/scripts/db2ldif.pl.in | 2 +- + ldap/admin/src/scripts/vlvindex.in | 3 ++- + man/man8/vlvindex.8 | 6 +++++- + 7 files changed, 15 insertions(+), 7 deletions(-) + +diff --git a/ldap/admin/src/scripts/db2bak.in b/ldap/admin/src/scripts/db2bak.in +index e773b28..a13d2e2 100755 +--- a/ldap/admin/src/scripts/db2bak.in ++++ b/ldap/admin/src/scripts/db2bak.in +@@ -13,11 +13,12 @@ export SHLIB_PATH + + usage() + { +- echo "Usage: db2bak [archivedir] [-Z serverID] [-q] [-h]" ++ echo "Usage: db2bak [archivedir] [-Z serverID] [-q] [-v] [-h]" + echo "Options:" + echo " archivedir - Directory where the backup should be stored" + echo " -Z serverID - Server instance identifier" + echo " -q - Quiet mode - suppresses output" ++ echo " -v - Display version" + echo " -h - Display usage" + } + +diff --git a/ldap/admin/src/scripts/db2bak.pl.in b/ldap/admin/src/scripts/db2bak.pl.in +index 73d4187..335285e 100644 +--- a/ldap/admin/src/scripts/db2bak.pl.in ++++ b/ldap/admin/src/scripts/db2bak.pl.in +@@ -25,7 +25,7 @@ $dbtype = "ldbm database"; + $i = 0; + + sub usage { +- print(STDERR "Usage: db2bak.pl [-v] [-Z serverID] [-D rootdn] { -w password | -w - | -j filename } [-a backupdir]\n"); ++ print(STDERR "Usage: db2bak.pl [-Z serverID] [-D rootdn] { -w password | -w - | -j filename } [-a backupdir]\n"); + print(STDERR " 
[-t dbtype] [-P protocol] [-h]\n"); + print(STDERR "Options:\n"); + print(STDERR " -D rootdn - Directory Manager\n"); +diff --git a/ldap/admin/src/scripts/db2index.in b/ldap/admin/src/scripts/db2index.in +index 04183d3..3fc4c2c 100755 +--- a/ldap/admin/src/scripts/db2index.in ++++ b/ldap/admin/src/scripts/db2index.in +@@ -14,7 +14,7 @@ export SHLIB_PATH + usage () + { + echo "Usage: db2index [-Z serverID] [-n backend | {-s includesuffix}* -t attribute[:indextypes[:matchingrules]]" +- echo " -T vlvTag] [-h]" ++ echo " -T vlvTag] [-v] [-h]" + echo "Options:" + echo " -Z serverID - Server instance identifier" + echo " -n backend - Backend database name. Example: userRoot" +@@ -26,6 +26,7 @@ usage () + echo " - matchingrules: comma separated matrules" + echo " Example: -t foo:eq,pres" + echo " -T vlvTag - VLV index name" ++ echo " -v - Display version" + echo " -h - Display usage" + } + +diff --git a/ldap/admin/src/scripts/db2ldif.in b/ldap/admin/src/scripts/db2ldif.in +index 08f30e4..95d2754 100755 +--- a/ldap/admin/src/scripts/db2ldif.in ++++ b/ldap/admin/src/scripts/db2ldif.in +@@ -16,7 +16,7 @@ cwd=`pwd` + usage() + { + echo "Usage: db2ldif [-Z serverID] {-n backend_instance}* | {-s includesuffix}* [{-x excludesuffix}*] [-a outputfile]" +- echo " [-E] [-r] [-u] [-U] [-m] [-1] [-q] [-h]" ++ echo " [-E] [-r] [-u] [-U] [-m] [-1] [-q] [-v] [-h]" + echo "Note: either \"-n backend\" or \"-s includesuffix\" is required." 
+ echo "Options:" + echo " -Z serverID - Server instance identifier" +@@ -31,6 +31,7 @@ usage() + echo " -m - Do not base64 encode values" + echo " -1 - Do not include version text" + echo " -q - Quiet mode - suppresses output" ++ echo " -v - Display version" + echo " -h - Display usage" + } + +diff --git a/ldap/admin/src/scripts/db2ldif.pl.in b/ldap/admin/src/scripts/db2ldif.pl.in +index 179d236..0d220f0 100644 +--- a/ldap/admin/src/scripts/db2ldif.pl.in ++++ b/ldap/admin/src/scripts/db2ldif.pl.in +@@ -38,7 +38,7 @@ $decrypt_on_export = 0; + $cwd = cwd(); + + sub usage { +- print(STDERR "Usage: db2ldif.pl [-v] [-Z serverID] [-D rootdn] { -w password | -w - | -j pwfilename }\n"); ++ print(STDERR "Usage: db2ldif.pl [-Z serverID] [-D rootdn] { -w password | -w - | -j pwfilename }\n"); + print(STDERR " [-P protocol] {-n backendname}* | {-s include}* [{-x exclude}*] [-h]\n"); + print(STDERR " [-a filename] [-m] [-M] [-r] [-u] [-C] [-N] [-U] [-E] [-1] [-a filename]\n"); + print(STDERR "Options:\n"); +diff --git a/ldap/admin/src/scripts/vlvindex.in b/ldap/admin/src/scripts/vlvindex.in +index ba2a2b3..6820de4 100755 +--- a/ldap/admin/src/scripts/vlvindex.in ++++ b/ldap/admin/src/scripts/vlvindex.in +@@ -13,7 +13,7 @@ export SHLIB_PATH + + usage () + { +- echo "Usage: vlvindex [-Z serverID] -n backendname | {-s includesuffix}* -T vlvTag [-d debuglevel] [-h]" ++ echo "Usage: vlvindex [-Z serverID] -n backendname | {-s includesuffix}* -T vlvTag [-d debuglevel] [-v] [-h]" + echo "Note: either \"-n backend\" or \"-s includesuffix\" are required." 
+ echo "Options:" + echo " -Z serverID - Server instance identifier" +@@ -21,6 +21,7 @@ usage () + echo " -s includessuffix - Suffix to index" + echo " -T vlvTag - VLV index name" + echo " -d debuglevel - Debugging level" ++ echo " -v - Display version" + echo " -h - Display usage" + } + +diff --git a/man/man8/vlvindex.8 b/man/man8/vlvindex.8 +index f3e1748..4d9497a 100644 +--- a/man/man8/vlvindex.8 ++++ b/man/man8/vlvindex.8 +@@ -18,7 +18,7 @@ + .SH NAME + vlvindex - Directory Server script for VLV indexing + .SH SYNOPSIS +-vlvindex [\-Z serverID] \-n backendname | {\-s includesuffix}* \-T vlvTag [\-d debuglevel] [\-h] ++vlvindex [\-Z serverID] \-n backendname | {\-s includesuffix}* \-T vlvTag [\-d debuglevel] [\-v] [\-h] + .SH DESCRIPTION + Creates virtual list view (VLV) indexes, known in the Directory Server Console as browsing indexes. VLV indexes introduce flexibility in the way search results are viewed. VLV index configuration must already exist prior to running this script. The Directory Server must be stopped before running this script. + .SH OPTIONS +@@ -40,6 +40,10 @@ This is the name of the vlv index entry under cn=config. + .B \fB\-d\fR \fIDebug Level\fR + Settings the debugging level. + .TP ++.B \fB\-v\fR ++.br ++Display the version. ++.TP + .B \fB\-h\fR + .br + Display the usage. +-- +2.9.4 + diff --git a/SOURCES/0047-Ticket-48864-Fix-FreeIPA-build.patch b/SOURCES/0047-Ticket-48864-Fix-FreeIPA-build.patch new file mode 100644 index 0000000..011e441 --- /dev/null +++ b/SOURCES/0047-Ticket-48864-Fix-FreeIPA-build.patch 
@@ -0,0 +1,46 @@
+From f007ba9e5ac0bbeee1c1d6b4e292b293629a838c Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov
+Date: Wed, 17 May 2017 22:03:54 +0200
+Subject: [PATCH] Issue 48864 - Fix FreeIPA build
+
+Bug Description:
+FreeIPA build fails because of incorrect include files
+
+https://pagure.io/389-ds-base/issue/48864
+
+Reviewed by: mreynolds (Thanks!)
+---
+ ldap/servers/slapd/slapi-plugin.h | 2 +-
+ ldap/servers/slapd/slapi_pal.h | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
+index ec8917d..4084945 100644
+--- a/ldap/servers/slapd/slapi-plugin.h
++++ b/ldap/servers/slapd/slapi-plugin.h
+@@ -28,7 +28,7 @@ extern "C" {
+ #endif
+
+ /* Provides our int types and platform specific requirements. */
+-#include
++#include "slapi_pal.h"
+
+ #include "prtypes.h"
+ #include "ldap.h"
+diff --git a/ldap/servers/slapd/slapi_pal.h b/ldap/servers/slapd/slapi_pal.h
+index cb61d84..307679d 100644
+--- a/ldap/servers/slapd/slapi_pal.h
++++ b/ldap/servers/slapd/slapi_pal.h
+@@ -19,7 +19,9 @@
+
+ #pragma once
+
++#ifdef HAVE_CONFIG_H
+ #include
++#endif
+
+ #ifdef HAVE_INTTYPES_H
+ #include
+--
+2.9.4
+
diff --git a/SOURCES/0047-Ticket-48975-Disabling-CLEAR-password-storage-scheme.patch b/SOURCES/0047-Ticket-48975-Disabling-CLEAR-password-storage-scheme.patch
deleted file mode 100644
index 1ad2767..0000000
--- a/SOURCES/0047-Ticket-48975-Disabling-CLEAR-password-storage-scheme.patch
+++ /dev/null
@@ -1,85 +0,0 @@ -From eaf8b3b97e22bf06152d42b90940212e7acc8e00 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 30 Aug 2016 14:25:15 -0400 -Subject: [PATCH 47/47] Ticket 48975- Disabling CLEAR password storage scheme - will crash server when setting a password - -Bug Description: If the CLEAR password storage scheme plugin is disabled, and a - userpassword is set, the server crashes. This is because we - expect this plugin to be enabled when working with the unhashed - password. - -Fix Description: Always check if the password scheme, returned by pw_val2scheme(), - is NULL before dereferencing it. If it is NULL treat it as a - clear text password. - -Valgrind: Passed - -https://fedorahosted.org/389/ticket/48975 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit 52230585a1191bf1e747780b592f291d652e26dd) ---- - ldap/servers/slapd/modify.c | 8 ++++---- - ldap/servers/slapd/pw.c | 4 ++-- - 2 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c -index 4a5faa0..72f2db4 100644 ---- a/ldap/servers/slapd/modify.c -+++ b/ldap/servers/slapd/modify.c -@@ -827,7 +827,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw) - for ( i = 0; pw_mod->mod_bvalues != NULL && pw_mod->mod_bvalues[i] != NULL; i++ ) { - password = slapi_ch_strdup(pw_mod->mod_bvalues[i]->bv_val); - pwsp = pw_val2scheme( password, &valpwd, 1 ); -- if(strcmp(pwsp->pws_name, "CLEAR") == 0){ -+ if(pwsp == NULL || strcmp(pwsp->pws_name, "CLEAR") == 0){ - /* - * CLEAR password - * -@@ -851,7 +851,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw) - const char *userpwd = slapi_value_get_string(present_values[ii]); - - pass_scheme = pw_val2scheme( (char *)userpwd, &pval, 1 ); -- if(strcmp(pass_scheme->pws_name,"CLEAR")){ -+ if(pass_scheme && strcmp(pass_scheme->pws_name,"CLEAR")){ - /* its encoded, so compare it */ - if((*(pass_scheme->pws_cmp))( valpwd, pval ) == 0 ){ - 
/* -@@ -912,7 +912,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw) - * provided by the client. - */ - unhashed_pwsp = pw_val2scheme( (char *)unhashed_pwd, NULL, 1 ); -- if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){ -+ if(unhashed_pwsp == NULL || strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){ - if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){ - /* match, add the delete mod for this particular unhashed userpassword */ - if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) { -@@ -1156,7 +1156,7 @@ valuearray_init_bervalarray_unhashed_only(struct berval **bvals, Slapi_Value *** - *cvals = (Slapi_Value **) slapi_ch_malloc((n + 1) * sizeof(Slapi_Value *)); - for(i=0,p=0;ibv_val, NULL, 1 ); -- if(strcmp(pwsp->pws_name, "CLEAR") == 0){ -+ if(pwsp == NULL || strcmp(pwsp->pws_name, "CLEAR") == 0){ - (*cvals)[p++] = slapi_value_new_berval(bvals[i]); - } - free_pw_scheme( pwsp ); -diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c -index 3f2cdb0..6f02f90 100644 ---- a/ldap/servers/slapd/pw.c -+++ b/ldap/servers/slapd/pw.c -@@ -234,8 +234,8 @@ void free_pw_scheme(struct pw_scheme *pwsp) - { - if ( pwsp != NULL ) - { -- slapi_ch_free( (void**)&pwsp->pws_name ); -- slapi_ch_free( (void**)&pwsp ); -+ slapi_ch_free_string(&pwsp->pws_name); -+ slapi_ch_free((void**)&pwsp); - } - } - --- -2.4.11 - diff --git a/SOURCES/0048-Ticket-48957-Update-repl-monitor-to-handle-new-statu.patch b/SOURCES/0048-Ticket-48957-Update-repl-monitor-to-handle-new-statu.patch deleted file mode 100644 index a9753ed..0000000 --- a/SOURCES/0048-Ticket-48957-Update-repl-monitor-to-handle-new-statu.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-From 1eebfaff67aa6af7821fcc861fcdf3ef7fc9d25a Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Thu, 1 Sep 2016 12:54:08 -0400
-Subject: [PATCH 48/49] Ticket 48957 - Update repl-monitor to handle new status
- messages
-
-Bug Description: The replication agreement status messages have changed,
- and the repl-monitor script was not updated to reflect
- these changes. This lead to the html report incorrectly
- color coding a successfull status.
-
-Fix Description: Update the script to ignore "Error (0)"
-
-https://fedorahosted.org/389/ticket/48957
-
-Reviewed by: mreynolds (one line commit rule)
-
-(cherry picked from commit 32ee33b2222a9bbc0657ceb912ca3fa74ee27dcc)
-(cherry picked from commit cf5683ae112528597af70a4e06cfb51e8e0c3c74)
----
- ldap/admin/src/scripts/repl-monitor.pl.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/admin/src/scripts/repl-monitor.pl.in b/ldap/admin/src/scripts/repl-monitor.pl.in
-index aa7ab1e..a3efa8e 100755
---- a/ldap/admin/src/scripts/repl-monitor.pl.in
-+++ b/ldap/admin/src/scripts/repl-monitor.pl.in
-@@ -877,7 +877,7 @@ sub print_consumers
- }
- my $redfontstart = "";
- my $redfontend = "";
-- if ($status =~ /error/i) {
-+ if ($status !~ /Error \(0\)/i) {
- $redfontstart = "";
- $redfontend = "";
- }
---
-2.4.11
-
diff --git a/SOURCES/0048-Ticket-49157-fix-error-in-ds-logpipe.py.patch b/SOURCES/0048-Ticket-49157-fix-error-in-ds-logpipe.py.patch
new file mode 100644
index 0000000..c1017a7
--- /dev/null
+++ b/SOURCES/0048-Ticket-49157-fix-error-in-ds-logpipe.py.patch
@@ -0,0 +1,32 @@
+From 33dc0b3fc6de5d7a400d24a69098ec1b23917e44 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 22 May 2017 12:25:42 -0400
+Subject: [PATCH] Ticket 49157 - fix error in ds-logpipe.py
+
+Description: Fix typo in ds-logpipe.py
+
+https://pagure.io/389-ds-base/issue/49157
+
+Reviewed by: mreynolds(one line commit rule)
+
+(cherry picked from commit 15f5f6ac42768ae0cd2040cc4169abde8187bcdf)
+---
+ ldap/admin/src/scripts/ds-logpipe.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/admin/src/scripts/ds-logpipe.py b/ldap/admin/src/scripts/ds-logpipe.py
+index 13712ea..f29a9ff 100644
+--- a/ldap/admin/src/scripts/ds-logpipe.py
++++ b/ldap/admin/src/scripts/ds-logpipe.py
+@@ -318,7 +318,7 @@ except OSError as e:
+ sys.exit(1)
+ else:
+ print("Failed to create log pipe - %s [error %d]" % (e.strerror, e.errno))
+- sys.ext(1)
++ sys.exit(1)
+
+ if debug:
+ print("Listening to log pipe", logfname, "number of lines", maxlines)
+--
+2.9.4
+
diff --git a/SOURCES/0049-Ticket-48969-nsslapd-auditfaillog-always-has-an-expl.patch b/SOURCES/0049-Ticket-48969-nsslapd-auditfaillog-always-has-an-expl.patch
deleted file mode 100644
index b86c3f8..0000000
--- a/SOURCES/0049-Ticket-48969-nsslapd-auditfaillog-always-has-an-expl.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 009e862b170b9a9037852952640558c03ecda481 Mon Sep 17 00:00:00 2001
-From: Noriko Hosoi
-Date: Thu, 1 Sep 2016 11:34:53 -0700
-Subject: [PATCH 49/49] Ticket #48969 - nsslapd-auditfaillog always has an
- explicit path
-
-Description: commit ef2c3c4cc6f966935dbe367dd0d882ae81de3cc4
-introduced a RESOURCE_LEAK.
- auditlog.c:180: leaked_storage: Variable "audit_config" going
- out of scope leaks the storage it points to.
-
-Reviewed by nhosoi (one line commit rule)
-
-(cherry picked from commit 95d820901e7264490bae02b8ca943d09a344d7ac)
-(cherry picked from commit b0fc82233a5ea929c5fad835f9e825a8f0b97968)
-(cherry picked from commit fc1310e352e124d66d58d0a3e86d45c5573cbfb2)
----
- ldap/servers/slapd/auditlog.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
-index 85d136c..74d1b46 100644
---- a/ldap/servers/slapd/auditlog.c
-+++ b/ldap/servers/slapd/auditlog.c
-@@ -177,6 +177,7 @@ write_auditfail_log_entry( Slapi_PBlock *pb )
- write_audit_file(SLAPD_AUDITFAIL_LOG, operation_get_type(op), dn, change, flag, curtime, pbrc, SLAPD_AUDITFAIL_LOG);
- }
- slapi_ch_free_string(&auditfail_config);
-+ slapi_ch_free_string(&audit_config);
- }
-
-
---
-2.4.11
-
diff --git a/SOURCES/0049-Ticket-49267-autosize-split-of-0-results-in-dbcache-.patch b/SOURCES/0049-Ticket-49267-autosize-split-of-0-results-in-dbcache-.patch
new file mode 100644
index 0000000..7c58465
--- /dev/null
+++ b/SOURCES/0049-Ticket-49267-autosize-split-of-0-results-in-dbcache-.patch
@@ -0,0 +1,62 @@
+From e52c519a8553dd8abee5740714054ebbdd59e51a Mon Sep 17 00:00:00 2001
+From: William Brown
+Date: Tue, 23 May 2017 11:03:24 +1000
+Subject: [PATCH] Ticket 49267 - autosize split of 0 results in dbcache of 0
+
+Bug Description: autosize split of 0 results in a dbcache of 0. This was
+due to a missing bounds check on the value for 0. In theory this could
+still be problematic if the value was say 1% ... But hopefully we don't
+see that :)
+
+Fix Description: Add the bounds check.
+
+https://pagure.io/389-ds-base/issue/49267
+
+Author: wibrown
+
+Review by: mreynolds (Thanks!)
+
+(cherry picked from commit 22d4865ea20acb6e6c11aed10d09241b09bb711c)
+---
+ ldap/servers/slapd/back-ldbm/start.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/start.c b/ldap/servers/slapd/back-ldbm/start.c
+index a207bd8..1834a19 100644
+--- a/ldap/servers/slapd/back-ldbm/start.c
++++ b/ldap/servers/slapd/back-ldbm/start.c
+@@ -101,7 +101,11 @@ ldbm_back_start_autotune(struct ldbminfo *li) {
+ /* This doesn't control the availability of the feature, so we can take the
+ * default from ldbm_config.c
+ */
+- autosize_db_percentage_split = li->li_cache_autosize_split;
++ if (li->li_cache_autosize_split == 0) {
++ autosize_db_percentage_split = 40;
++ } else {
++ autosize_db_percentage_split = li->li_cache_autosize_split;
++ }
+
+
+ /* Check the values are sane. */
+@@ -131,10 +135,18 @@ ldbm_back_start_autotune(struct ldbminfo *li) {
+ db_size = (autosize_db_percentage_split * zone_size) / 100;
+
+ /* Cap the DB size at 512MB, as this doesn't help perf much more (lkrispen's advice) */
++ /* NOTE: Do we need a minimum DB size? */
+ if (db_size > (512 * MEGABYTE)) {
+ db_size = (512 * MEGABYTE);
+ }
+
++ /* NOTE: Because of how we workout entry_size, even if
++ * have autosize split to say ... 90% for dbcache, because
++ * we cap db_size, we use zone_size - db_size, meaning that entry
++ * cache still gets the remaining memory *even* though we didn't use it all.
++ * If we didn't do this, entry_cache would only get 10% of of the avail, even
++ * if db_size was caped at say 5% down from 90.
++ */
+ if (backend_count > 0 ) {
+ /* Number of entry cache pages per backend. */
+ entry_size = (zone_size - db_size) / backend_count;
+--
+2.9.4
+
diff --git a/SOURCES/0050-Bug-1321124-use-a-consumer-maxcsn-only-as-anchor-if-.patch b/SOURCES/0050-Bug-1321124-use-a-consumer-maxcsn-only-as-anchor-if-.patch
deleted file mode 100644
index ba1d19b..0000000
--- a/SOURCES/0050-Bug-1321124-use-a-consumer-maxcsn-only-as-anchor-if-.patch
+++ /dev/null
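Review bot: The fallback `autosize_db_percentage_split = 40;` in `ldbm_back_start_autotune` hard-codes a number that the comment directly above says is taken from ldbm_config.c, so the two defaults can drift apart; a shared named constant would keep them in step. A short comment on the new branch, for example `/* a split of 0 would size the dbcache to 0; fall back to the default */`, would also tell an administrator why a configured 0 is silently replaced. Only 0 is handled: a small non-zero split still yields a very small `db_size`, which the added `/* NOTE: Do we need a minimum DB size? */` leaves open, so a lower bound next to the existing 512MB cap is worth settling rather than leaving as a question in the code. The function body starts and ends outside both hunks, so the later sanity checks on these values are not visible here.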
@@ -1,52 +0,0 @@ -From 34ef42f8f839a7c7f40366ae2516aa2692582672 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Thu, 8 Sep 2016 11:38:15 +0200 -Subject: [PATCH] Bug 1321124 - use a consumer maxcsn only as anchor if - supplier is more advanced - -(cherry picked from commit f4301f6be6bbff3c7bb0180a38f6dfd7e31b8558) ---- - ldap/servers/plugins/replication/cl5_clcache.c | 20 +++++++++----------- - 1 file changed, 9 insertions(+), 11 deletions(-) - -diff --git a/ldap/servers/plugins/replication/cl5_clcache.c b/ldap/servers/plugins/replication/cl5_clcache.c -index 74f0fec..ca8b841 100644 ---- a/ldap/servers/plugins/replication/cl5_clcache.c -+++ b/ldap/servers/plugins/replication/cl5_clcache.c -@@ -717,24 +717,22 @@ clcache_adjust_anchorcsn ( CLC_Buffer *buf, int *flag ) - curr, conmaxcsn); - } - -- if (csn_compare (cscb->local_maxcsn, cscb->prev_local_maxcsn) == 0 || -- csn_compare (cscb->prev_local_maxcsn, buf->buf_current_csn) > 0 ) { -- if (csn_compare (cscb->local_maxcsn, cscb->consumer_maxcsn) > 0 ) { -+ if (csn_compare(cscb->local_maxcsn, cscb->consumer_maxcsn) > 0) { -+ /* We have something to send for this RID */ -+ -+ if (csn_compare(cscb->local_maxcsn, cscb->prev_local_maxcsn) == 0 || -+ csn_compare(cscb->prev_local_maxcsn, buf->buf_current_csn) > 0) { -+ /* No new changes or it remains, in the buffer, updates to send */ - rid_anchor = buf->buf_current_csn; -- } -- } else { -- /* prev local max csn < csnBuffer AND different from local maxcsn */ -- if (cscb->prev_local_maxcsn == NULL) { -+ } else { -+ /* prev local max csn < csnBuffer AND different from local maxcsn */ - if (cscb->consumer_maxcsn == NULL) { - /* the consumer hasn't seen changes for this RID */ - rid_anchor = cscb->local_mincsn; - rid_flag = DB_SET; -- } else if ( csn_compare (cscb->local_maxcsn, cscb->consumer_maxcsn) > 0 ) { -+ } else { - rid_anchor = cscb->consumer_maxcsn; - } -- } else { -- /* csnPrevMaxSup > 0 */ -- rid_anchor = cscb->consumer_maxcsn; - } - } - --- -2.4.11 - 
diff --git a/SOURCES/0050-Ticket-49231-force-EXTERNAL-always.patch b/SOURCES/0050-Ticket-49231-force-EXTERNAL-always.patch
new file mode 100644
index 0000000..685f9ba
--- /dev/null
+++ b/SOURCES/0050-Ticket-49231-force-EXTERNAL-always.patch
@@ -0,0 +1,114 @@ +From d2648bbddbf087c4e3803a89cb67541a50682eae Mon Sep 17 00:00:00 2001 +From: William Brown +Date: Mon, 15 May 2017 09:04:45 +1000 +Subject: [PATCH] Ticket 49231 - force EXTERNAL always + +Bug Description: Because of how our sasl code works, EXTERNAL bypasses +a number of checks so is always available. + +Fix Description: Force EXTERNAL to the present mech list, regardless +of the whitelist. + +https://pagure.io/389-ds-base/issue/49231 + +Author: wibrown + +Review by: mreynosd (Thanks!) + +(cherry picked from commit e6e0db35842fc6612134cff5a08c4968230d1b2f) +--- + dirsrvtests/tests/suites/sasl/allowed_mechs.py | 13 +++++++++++-- + ldap/servers/slapd/charray.c | 14 ++++++++++++++ + ldap/servers/slapd/saslbind.c | 9 +++++++++ + ldap/servers/slapd/slapi-private.h | 2 ++ + 4 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/dirsrvtests/tests/suites/sasl/allowed_mechs.py b/dirsrvtests/tests/suites/sasl/allowed_mechs.py +index a3e385e..7958db4 100644 +--- a/dirsrvtests/tests/suites/sasl/allowed_mechs.py ++++ b/dirsrvtests/tests/suites/sasl/allowed_mechs.py +@@ -25,12 +25,21 @@ def test_sasl_allowed_mechs(topology_st): + assert('EXTERNAL' in orig_mechs) + + # Now edit the supported mechs. CHeck them again. +- standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'EXTERNAL, PLAIN') ++ standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'PLAIN') + + limit_mechs = standalone.rootdse.supported_sasl() +- print(limit_mechs) + assert('PLAIN' in limit_mechs) ++ # Should always be in the allowed list, even if not set. + assert('EXTERNAL' in limit_mechs) ++ # Should not be there! ++ assert('GSSAPI' not in limit_mechs) ++ ++ standalone.config.set('nsslapd-allowed-sasl-mechanisms', 'PLAIN, EXTERNAL') ++ ++ limit_mechs = standalone.rootdse.supported_sasl() ++ assert('PLAIN' in limit_mechs) ++ assert('EXTERNAL' in limit_mechs) ++ # Should not be there! 
+ assert('GSSAPI' not in limit_mechs) + + # Do a config reset +diff --git a/ldap/servers/slapd/charray.c b/ldap/servers/slapd/charray.c +index 6b89714..9056f16 100644 +--- a/ldap/servers/slapd/charray.c ++++ b/ldap/servers/slapd/charray.c +@@ -272,6 +272,20 @@ charray_utf8_inlist( + return( 0 ); + } + ++/* ++ * Assert that some str s is in the charray, or add it. ++ */ ++void ++charray_assert_present(char ***a, char *s) ++{ ++ int result = charray_utf8_inlist(*a, s); ++ /* Not in the list */ ++ if (result == 0) { ++ char *sdup = slapi_ch_strdup(s); ++ slapi_ch_array_add_ext(a, sdup); ++ } ++} ++ + int slapi_ch_array_utf8_inlist(char **a, char *s) + { + return charray_utf8_inlist(a,s); +diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c +index 75b83fe..dd0c4fb 100644 +--- a/ldap/servers/slapd/saslbind.c ++++ b/ldap/servers/slapd/saslbind.c +@@ -794,6 +794,15 @@ char **ids_sasl_listmech(Slapi_PBlock *pb) + ret = sup_ret; + } + ++ /* ++ * https://pagure.io/389-ds-base/issue/49231 ++ * Because of the way that SASL mechs are managed in bind.c and saslbind.c ++ * even if EXTERNAL was *not* in the list of allowed mechs, it was allowed ++ * in the bind process because it bypasses lots of our checking. As a result ++ * we have to always present it. 
++ */ ++ charray_assert_present(&ret, "EXTERNAL"); ++ + slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_listmech", "<=\n"); + + return ret; +diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h +index 3f732e8..0836d66 100644 +--- a/ldap/servers/slapd/slapi-private.h ++++ b/ldap/servers/slapd/slapi-private.h +@@ -834,6 +834,8 @@ void charray_subtract( char **a, char **b, char ***c ); + char **charray_intersection(char **a, char **b); + int charray_get_index(char **array, char *s); + int charray_normdn_add(char ***chararray, char *dn, char *errstr); ++void charray_assert_present(char ***a, char *s); ++ + + /****************************************************************************** + * value array routines. +-- +2.9.4 + diff --git a/SOURCES/0051-Ticket-48538-Failed-to-delete-old-semaphore.patch b/SOURCES/0051-Ticket-48538-Failed-to-delete-old-semaphore.patch new file mode 100644 index 0000000..4d2d345 --- /dev/null +++ b/SOURCES/0051-Ticket-48538-Failed-to-delete-old-semaphore.patch 
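Review bot: `charray_assert_present` in charray.c asserts nothing: it appends a `slapi_ch_strdup` copy of `s` when the string is missing, so the name reads like a check that can fail, and the ownership of `s` is undocumented. I would spell the contract out on the helper, for example `/* Ensure s is in the charray: appends a slapi_ch_strdup() copy when absent; the caller keeps ownership of s. */`. In saslbind.c the new call means `nsslapd-allowed-sasl-mechanisms` cannot remove EXTERNAL from the advertised list. That matches the bind behaviour described in the added comment, but it leaves the setting unable to disable the mechanism, which deserves a line in the attribute's documentation. Whether `ret` can be NULL when the call is reached is not visible, since `ids_sasl_listmech` starts and ends outside the hunk, so confirm that `charray_utf8_inlist` tolerates a NULL array.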
@@ -0,0 +1,58 @@ +From bbc63ef4dab6c275b1d8b8fe6439483309781401 Mon Sep 17 00:00:00 2001 +From: William Brown +Date: Fri, 12 May 2017 10:09:32 +1000 +Subject: [PATCH] Ticket 48538 - Failed to delete old semaphore + +Bug Description: I misunderstood the sem_unlink call, and logged +the wrong filepath. + +Fix Description: Fix the file path of the semaphore. + +https://pagure.io/389-ds-base/issue/48538 + +Author: wibrown + +Review by: mreynolds (Thanks!) + +(cherry picked from commit b81c8ba38c29e15e13b0dd0bf6f5d3c773d31b20) +--- + ldap/servers/slapd/snmp_collator.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/ldap/servers/slapd/snmp_collator.c b/ldap/servers/slapd/snmp_collator.c +index 21043d9..2deab91 100644 +--- a/ldap/servers/slapd/snmp_collator.c ++++ b/ldap/servers/slapd/snmp_collator.c +@@ -458,23 +458,23 @@ snmp_collator_create_semaphore(void) + * around. Recreate it since we don't know what state it is in. */ + if (sem_unlink(stats_sem_name) != 0) { + slapi_log_err(SLAPI_LOG_EMERG, "snmp_collator_create_semaphore", +- "Failed to delete old semaphore for stats file (%s). " +- "Error %d (%s).\n", stats_sem_name, errno, slapd_system_strerror(errno) ); ++ "Failed to delete old semaphore for stats file (/dev/shm/sem.%s). " ++ "Error %d (%s).\n", stats_sem_name + 1, errno, slapd_system_strerror(errno) ); + exit(1); + } + + if ((stats_sem = sem_open(stats_sem_name, O_CREAT | O_EXCL, SLAPD_DEFAULT_FILE_MODE, 1)) == SEM_FAILED) { + /* No dice */ + slapi_log_err(SLAPI_LOG_EMERG, "snmp_collator_create_semaphore", +- "Failed to create semaphore for stats file (%s). Error %d (%s).\n", +- stats_sem_name, errno, slapd_system_strerror(errno) ); ++ "Failed to create semaphore for stats file (/dev/shm/sem.%s). Error %d (%s).\n", ++ stats_sem_name + 1, errno, slapd_system_strerror(errno) ); + exit(1); + } + } else { + /* Some other problem occurred creating the semaphore. 
*/ + slapi_log_err(SLAPI_LOG_EMERG, "snmp_collator_create_semaphore", +- "Failed to create semaphore for stats file (%s). Error %d.(%s)\n", +- stats_sem_name, errno, slapd_system_strerror(errno) ); ++ "Failed to create semaphore for stats file (/dev/shm/sem.%s). Error %d.(%s)\n", ++ stats_sem_name + 1, errno, slapd_system_strerror(errno) ); + exit(1); + } + } +-- +2.9.4 + diff --git a/SOURCES/0051-Ticket-48992-Total-init-may-fail-if-the-pushed-schem.patch b/SOURCES/0051-Ticket-48992-Total-init-may-fail-if-the-pushed-schem.patch deleted file mode 100644 index a1762b6..0000000 --- a/SOURCES/0051-Ticket-48992-Total-init-may-fail-if-the-pushed-schem.patch +++ /dev/null 
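Review bot: The three rewritten messages in `snmp_collator_create_semaphore` hard-code `/dev/shm/sem.` and print `stats_sem_name + 1`, which is only right if the name always begins with a single `/` and the platform keeps POSIX semaphores under /dev/shm. Neither assumption is checked in the hunk, and `stats_sem_name` is built outside it, so a comment next to the first message should state it, e.g. `/* stats_sem_name starts with '/'; skip it to show the file created under /dev/shm */`. Printing the name actually passed to `sem_unlink`/`sem_open` alongside the derived path would keep the log accurate on other layouts. The function starts and ends outside the hunk.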
@@ -1,83 +0,0 @@ -From 8e9222ed1edb8f5f234fa2451d17e4f8ac726998 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Thu, 22 Sep 2016 20:48:13 +0200 -Subject: [PATCH 51/55] Ticket 48992: Total init may fail if the pushed schema - is rejected - -Bug Description: - In the early phase of total update (or incremental update), the supplier may send its schema. - A supplier will send its schema to the consumer at the condition its nsSchemaCSN is greater than - the consumer nsSchemaCSN. - If it is the case, a 1.2.11 supplier will systematically send its schema, while a 1.3 supplier will - check that its schema is a superset of the consumer schema before sending it. - If a 1.2.11 supplier sends its schema and that schema is a subset of consumer one, then - the >1.3 consumer will detect it is a subset and reject the update. - In that case the >1.3 consumer rejects a replicated update. - - On the consumer side, with the fix https://fedorahosted.org/389/ticket/47788, if a - replication operation fails, it may trigger the closure of the replication connection. - The fix decides, based on the type of failure, if the failure can be ignored (leave the connection - opened) or is fatal (close the connection). - This is detected, on the consumer side, in multimaster_postop_*->process_postop->ignore_error_and_keep_going. - - In the current version, if a replicated update of the schema fails it return LDAP_UNWILLING_TO_PERFORM. - This is a fatal error regarding ignore_error_and_keep_going that then close the connection - and interrupt the total/incremental update. - - Note this bug can be transient as, the schema learning mechanism (on consumer) may learn from - the received schema (even if it is rejected) and update its local schema that increase - nsSchemaCSN. 
If this occur, a later replication session finding a greater nsSchemaCSN on the - consumer side will not push the schema - -Fix Description: - When the update of the schema is rejected make it not fatal, switching the returned - code from LDAP_UNWILLING_TO_PERFORM to LDAP_CONSTRAINT_VIOLATION - -https://fedorahosted.org/389/ticket/48992 - -Reviewed by: Noriko Hosoi, Ludwig Krispenz (thanks to you !) - -Platforms tested: 7.3 - -Flag Day: no - -Doc impact: no - -(cherry picked from commit e2bc8fd60bf232cd4c1bc9a6860b7bd570a9dff1) ---- - ldap/servers/slapd/schema.c | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c -index 7689aa9..4b8910d 100644 ---- a/ldap/servers/slapd/schema.c -+++ b/ldap/servers/slapd/schema.c -@@ -2120,7 +2120,24 @@ modify_schema_dse (Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry *entr - slapi_log_error(SLAPI_LOG_FATAL, "schema", - "[C] Local %s must not be overwritten (set replication log for additional info)\n", - attr_name); -- *returncode = LDAP_UNWILLING_TO_PERFORM; -+ /* -+ * If the update (replicated) of the schema is rejected then -+ * process_postop->ignore_error_and_keep_going will decide if -+ * this failure is fatal or can be ignored. -+ * LDAP_UNWILLING_TO_PERFORM is considered as fatal error --> close the connection -+ * -+ * A 6.x supplier may send a subset schema and trigger this error, that -+ * will break the replication session. -+ * -+ * With new "learning" mechanism this is not that important if the -+ * update of the schema is successful or not. Just be permissive -+ * ignoring that failure to let the full replication session going on -+ * So return LDAP_CONSTRAINT_VIOLATION (in place of LDAP_UNWILLING_TO_PERFORM) -+ * is pick up as best choice of non fatal returncode. -+ * (others better choices UNWILLING_TO_PERFORM, OPERATION_ERROR or ldap_error -+ * are unfortunately all fatal). 
-+ */ -+ *returncode = LDAP_CONSTRAINT_VIOLATION; - return (SLAPI_DSE_CALLBACK_ERROR); - } - } --- -2.4.11 - diff --git a/SOURCES/0052-Ticket-48909-Replication-stops-working-in-FIPS-mode.patch b/SOURCES/0052-Ticket-48909-Replication-stops-working-in-FIPS-mode.patch deleted file mode 100644 index a39326b..0000000 --- a/SOURCES/0052-Ticket-48909-Replication-stops-working-in-FIPS-mode.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From 4a45817827bd657e94ff483d35f572b0c0c33a17 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Fri, 14 Oct 2016 16:17:46 -0400 -Subject: [PATCH 52/55] Ticket 48909 - Replication stops working in FIPS mode - -Bug Description: When FIPS mode is enabled on the security database, the - token name is changed. This prevents the server from - reverse decoding the replication manager's password. Which - prevents replication sessions from getting established. - -Fix Description: Instead of getting the key slot from the harded coded token - name, call slapd_pk11_getInternalKeySlot() which gets the - current slot. - -https://fedorahosted.org/389/ticket/48909 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit 61c72f966bda17993f483e8f79d97dff20b7cc93) -(cherry picked from commit 9982033b7cd888bd30400001e10158a9bbf9b863) ---- - ldap/servers/plugins/rever/pbe.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/ldap/servers/plugins/rever/pbe.c b/ldap/servers/plugins/rever/pbe.c -index 0588c73..4034ac5 100644 ---- a/ldap/servers/plugins/rever/pbe.c -+++ b/ldap/servers/plugins/rever/pbe.c -@@ -69,7 +69,7 @@ struct pk11ContextStore - - static int encode_path(char *inPlain, char **outCipher, char *path, int mech); - static int decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid); --static SVRCOREError genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *algid); -+static SVRCOREError genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *algid); - static SVRCOREError cryptPassword(struct pk11ContextStore *store, char * clear, unsigned char **out); - static SVRCOREError decryptPassword(struct pk11ContextStore *store, unsigned char *cipher, char **out, int len); - static void freePBE(struct pk11ContextStore *store); -@@ -102,7 +102,7 @@ encode_path(char *inPlain, char **outCipher, char *path, int mech) - *outCipher 
= NULL; - err = 1; - -- if ( genKey(&context, tokPBE, path, mech, arena, NULL) == SVRCORE_Success ){ -+ if ( genKey(&context, path, mech, arena, NULL) == SVRCORE_Success ){ - /* Try an encryption */ - if ( cryptPassword(context, inPlain, &cipher) == SVRCORE_Success ){ - base = BTOA_DataToAscii(cipher, context->length); -@@ -160,7 +160,7 @@ decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid) - *outPlain = NULL; - err = 1; - -- if ( genKey(&context, tokPBE, path, mech, arena, algid) == SVRCORE_Success ){ -+ if ( genKey(&context, path, mech, arena, algid) == SVRCORE_Success ){ - /* it seems that there is memory leak in that function: bug 400170 */ - base = ATOB_AsciiToData(inCipher, (unsigned int*)&len); - if ( base != NULL ){ -@@ -196,7 +196,7 @@ freePBE(struct pk11ContextStore *store) - } - - static SVRCOREError --genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *alg) -+genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *alg) - { - SVRCOREError err = SVRCORE_Success; - struct pk11ContextStore *store = NULL; -@@ -223,8 +223,7 @@ genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, P - } - *out = store; - -- /* Use the tokenName to find a PKCS11 slot */ -- store->slot = slapd_pk11_findSlotByName((char *)token); -+ store->slot = slapd_pk11_getInternalKeySlot(); - if (store->slot == NULL){ - err = SVRCORE_NoSuchToken_Error; - goto done; --- -2.4.11 - diff --git a/SOURCES/0052-Ticket-49257-Reject-nsslapd-cachememsize-nsslapd-cac.patch b/SOURCES/0052-Ticket-49257-Reject-nsslapd-cachememsize-nsslapd-cac.patch new file mode 100644 index 0000000..b75d574 --- /dev/null +++ b/SOURCES/0052-Ticket-49257-Reject-nsslapd-cachememsize-nsslapd-cac.patch 
@@ -0,0 +1,131 @@ +From 0f04c8e7c1219940baf0ae9c1bcb2464ddf079df Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 16 May 2017 13:19:43 -0400 +Subject: [PATCH] Ticket 49257 - Reject nsslapd-cachememsize & + nsslapd-cachesize when nsslapd-cache-autosize is set + +Description: We need to also reject entry cache changes when cache autosizing is being used. + + I also found out that we were not registering the ldbm instance callbacks at startup. + So all those functions were only used when creating an instance, and not after it was + started. + +https://pagure.io/389-ds-base/issue/49257 + +Reviewed by: tbordaz(Thanks!) +--- + ldap/servers/slapd/back-ldbm/instance.c | 19 +++++++++---- + .../servers/slapd/back-ldbm/ldbm_instance_config.c | 32 ++++++++++++++++++++-- + ldap/servers/slapd/back-ldbm/start.c | 2 +- + 3 files changed, 44 insertions(+), 9 deletions(-) + +diff --git a/ldap/servers/slapd/back-ldbm/instance.c b/ldap/servers/slapd/back-ldbm/instance.c +index f79d048..8b38644 100644 +--- a/ldap/servers/slapd/back-ldbm/instance.c ++++ b/ldap/servers/slapd/back-ldbm/instance.c +@@ -302,12 +302,19 @@ ldbm_instance_startall(struct ldbminfo *li) + inst = (ldbm_instance *) object_get_data(inst_obj); + ldbm_instance_set_flags(inst); + rc1 = ldbm_instance_start(inst->inst_be); +- if (rc1 != 0) { +- rc = rc1; +- } else { +- vlv_init(inst); +- slapi_mtn_be_started(inst->inst_be); +- } ++ if (rc1 != 0) { ++ rc = rc1; ++ } else { ++ if(ldbm_instance_config_load_dse_info(inst) != 0){ ++ slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_startall", ++ "Loading database instance configuration failed for (%s)\n", ++ inst->inst_name); ++ rc = -1; ++ } else { ++ vlv_init(inst); ++ slapi_mtn_be_started(inst->inst_be); ++ } ++ } + inst_obj = objset_next_obj(li->li_instance_set, inst_obj); + } + +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c +index 55f1887..49a6cac 100644 +--- 
a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c +@@ -72,6 +72,18 @@ ldbm_instance_config_cachesize_set(void *arg, void *value, char *errorbuf, int p + /* Do whatever we can to make sure the data is ok. */ + + if (apply) { ++ if (CONFIG_PHASE_RUNNING == phase) { ++ if (val > 0 && inst->inst_li->li_cache_autosize) { ++ /* We are auto-tuning the cache, so this change would be overwritten - return an error */ ++ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, ++ "Error: \"nsslapd-cachesize\" can not be updated while \"nsslapd-cache-autosize\" is set " ++ "in \"cn=config,cn=ldbm database,cn=plugins,cn=config\"."); ++ slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_config_cachesize_set", ++ "\"nsslapd-cachesize\" can not be set while \"nsslapd-cache-autosize\" is set " ++ "in \"cn=config,cn=ldbm database,cn=plugins,cn=config\".\n"); ++ return LDAP_UNWILLING_TO_PERFORM; ++ } ++ } + cache_set_max_entries(&(inst->inst_cache), val); + } + +@@ -87,7 +99,11 @@ ldbm_instance_config_cachememsize_get(void *arg) + } + + static int +-ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, int phase, int apply) ++ldbm_instance_config_cachememsize_set(void *arg, ++ void *value, ++ char *errorbuf, ++ int phase, ++ int apply) + { + ldbm_instance *inst = (ldbm_instance *) arg; + int retval = LDAP_SUCCESS; +@@ -107,6 +123,18 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in + */ + + if (apply) { ++ if (CONFIG_PHASE_RUNNING == phase) { ++ if (val > 0 && inst->inst_li->li_cache_autosize) { ++ /* We are auto-tuning the cache, so this change would be overwritten - return an error */ ++ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, ++ "Error: \"nsslapd-cachememsize\" can not be updated while \"nsslapd-cache-autosize\" is set " ++ "in \"cn=config,cn=ldbm database,cn=plugins,cn=config\"."); ++ slapi_log_err(SLAPI_LOG_ERR, 
"ldbm_instance_config_cachememsize_set", ++ "\"nsslapd-cachememsize\" can not be set while \"nsslapd-cache-autosize\" is set " ++ "in \"cn=config,cn=ldbm database,cn=plugins,cn=config\".\n"); ++ return LDAP_UNWILLING_TO_PERFORM; ++ } ++ } + if (val > inst->inst_cache.c_maxsize) { + delta = val - inst->inst_cache.c_maxsize; + delta_original = delta; +@@ -825,7 +853,7 @@ ldbm_instance_modify_config_entry_callback(Slapi_PBlock *pb, Slapi_Entry* entryB + continue; + } + +- /* This assumes there is only one bval for this mod. */ ++ /* This assumes there is only one bval for this mod. */ + if (mods[i]->mod_bvalues == NULL) { + /* This avoids the null pointer deref. + * In ldbm_config.c ldbm_config_set, it checks for the NULL. +diff --git a/ldap/servers/slapd/back-ldbm/start.c b/ldap/servers/slapd/back-ldbm/start.c +index 1834a19..d4e8bb8 100644 +--- a/ldap/servers/slapd/back-ldbm/start.c ++++ b/ldap/servers/slapd/back-ldbm/start.c +@@ -169,7 +169,7 @@ ldbm_back_start_autotune(struct ldbminfo *li) { + } + + slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "found %luk physical memory\n", mi->system_total_bytes / 1024); +- slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "found %luk avaliable\n", mi->system_available_bytes / 1024); ++ slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_back_start", "found %luk available\n", mi->system_available_bytes / 1024); + + /* We've now calculated the autotuning values. Do we need to apply it? + * we use the logic of "if size is 0, or autosize is > 0. This way three +-- +2.9.4 + diff --git a/SOURCES/0053-Ticket-49014-ns-accountstatus.pl-shows-wrong-status-.patch b/SOURCES/0053-Ticket-49014-ns-accountstatus.pl-shows-wrong-status-.patch deleted file mode 100644 index 3e04e53..0000000 --- a/SOURCES/0053-Ticket-49014-ns-accountstatus.pl-shows-wrong-status-.patch +++ /dev/null 
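Review bot: In the instance.c hunk, when `ldbm_instance_config_load_dse_info(inst)` fails the instance has already been started by `ldbm_instance_start`, yet `vlv_init` and `slapi_mtn_be_started` are skipped and the loop moves on to the next instance with `rc = -1`. That leaves a started backend that was never announced, and whether the caller of `ldbm_instance_startall` shuts instances down on a non-zero return is not visible here. Either stop the instance on this path or add a comment saying why it is safe to leave it running, e.g. `/* instance stays started; caller aborts startup on rc != 0 */` if that is the case. Separately, both setters in ldbm_instance_config.c place the autosize rejection under `if (apply)`, so a call with `apply == 0` would not report the conflict; confirm that is intended.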
@@ -1,62 +0,0 @@ -From 1087a64b461358888ac50d47fde7f9be71449481 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 20 Oct 2016 12:38:49 -0400 -Subject: [PATCH 53/55] Ticket 49014 - ns-accountstatus.pl shows wrong status - for accounts inactivated by Account policy plugin - -Bug Description: ns-accountstatus.pl shows wrong status for accounts inactivated - by inactivity. If there is no acct policy subentry the wrong - basedn was used to get the inactivity limit. This prevented the - script from detecting if an account was inactivated due to inactivity. - -Fix Description: If there is no subentry, then use the existing config entry - to get the inactivity limit. - -https://fedorahosted.org/389/ticket/49014 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit 2e494bc7e5e73f97e8a425b22706418ff8879336) -(cherry picked from commit 1c6b1c99b576e7b9ffdc217d20737e216ec40a24) ---- - ldap/admin/src/scripts/ns-accountstatus.pl.in | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/ldap/admin/src/scripts/ns-accountstatus.pl.in b/ldap/admin/src/scripts/ns-accountstatus.pl.in -index 37fc7fa..a20d2df 100644 ---- a/ldap/admin/src/scripts/ns-accountstatus.pl.in -+++ b/ldap/admin/src/scripts/ns-accountstatus.pl.in -@@ -474,7 +474,7 @@ sub getAcctPolicy - close(LDAP1); - - # -- # Now, get the DN for the cos template from the entry -+ # Now, get the DN for the account policy subEntry from the entry (if available) - # - $srch{base} = $entry; - $srch{filter} = "(objectclass=*)"; -@@ -486,14 +486,19 @@ sub getAcctPolicy - s/\n //g; - if (/^$cosspecattr: (.*)/i){ - $templateDN = $1; -+ break; - } - } - close(LDAP1); - - # -- # Get the inactivity limit from the template] -+ # Get the inactivity limit - # -- $srch{base} = $templateDN; -+ $srch{base} = $configentry; -+ if ($templateDN){ -+ # Use subEntry DN -+ $srch{base} = $templateDN; -+ } - $srch{filter} = "($limitattr=*)"; - $srch{scope} = "base"; - $srch{attrs} = "$limitattr"; --- -2.4.11 - 
diff --git a/SOURCES/0053-Ticket-49257-Reject-dbcachesize-updates-while-auto-c.patch b/SOURCES/0053-Ticket-49257-Reject-dbcachesize-updates-while-auto-c.patch
new file mode 100644
index 0000000..de2e652
--- /dev/null
+++ b/SOURCES/0053-Ticket-49257-Reject-dbcachesize-updates-while-auto-c.patch
@@ -0,0 +1,53 @@ +From 550d30d3aa27cd69057604e1ee7d5ca43711d718 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 15 May 2017 13:30:22 -0400 +Subject: [PATCH] Ticket 49257 - Reject dbcachesize updates while auto cache + sizing is enabled + +Description: We should reject updates to nsslapd-dbcachesize while auto cache sizing + is in effect. This is because at startup we would overwrite the + manually set dbcache size anyway. It would never take effect, so it + should be rejected. + +https://pagure.io/389-ds-base/issue/49257 + +Reviewed by: tbordaz & firstyear(Thanks!!) +--- + ldap/servers/slapd/back-ldbm/ldbm_config.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c +index f7edd9e..6c1dda0 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c +@@ -420,7 +420,7 @@ static int ldbm_config_dbcachesize_set(void *arg, void *value, char *errorbuf, i + /* Stop the user configuring a stupidly small cache */ + /* min: 8KB (page size) * def thrd cnts (threadnumber==20). */ + #define DBDEFMINSIZ 500000 +- /* We allow a value of 0, because the autotuting in start.c will ++ /* We allow a value of 0, because the autotuning in start.c will + * register that, and trigger the recalculation of the dbcachesize as + * needed on the next start up. 
+ */ +@@ -443,7 +443,18 @@ static int ldbm_config_dbcachesize_set(void *arg, void *value, char *errorbuf, i + return LDAP_UNWILLING_TO_PERFORM; + } + } ++ + if (CONFIG_PHASE_RUNNING == phase) { ++ if (val > 0 && li->li_cache_autosize) { ++ /* We are auto-tuning the cache, so this change would be overwritten - return an error */ ++ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, ++ "Error: \"nsslapd-dbcachesize\" can not be updated while \"nsslapd-cache-autosize\" is set " ++ "in \"cn=config,cn=ldbm database,cn=plugins,cn=config\"."); ++ slapi_log_err(SLAPI_LOG_ERR, "ldbm_config_dbcachesize_set", ++ "\"nsslapd-dbcachesize\" can not be set while \"nsslapd-cache-autosize\" is set " ++ "in \"cn=config,cn=ldbm database,cn=plugins,cn=config\".\n"); ++ return LDAP_UNWILLING_TO_PERFORM; ++ } + li->li_new_dbcachesize = val; + if (val == 0) { + slapi_log_err(SLAPI_LOG_NOTICE, "ldbm_config_dbcachesize_set", "cache size reset to 0, will be autosized on next startup.\n"); +-- +2.9.4 + diff --git a/SOURCES/0054-Ticket-49009-args-debug-logging-must-be-more-restric.patch b/SOURCES/0054-Ticket-49009-args-debug-logging-must-be-more-restric.patch deleted file mode 100644 index 5774107..0000000 --- a/SOURCES/0054-Ticket-49009-args-debug-logging-must-be-more-restric.patch +++ /dev/null 
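Review bot: The rejection block added to `ldbm_config_dbcachesize_set` is the third copy of the same message pair: patch 0052 adds it to `ldbm_instance_config_cachesize_set` and `ldbm_instance_config_cachememsize_set` with only the attribute name changed. One shared helper that takes the attribute name would keep the wording and the hard-coded `cn=config,cn=ldbm database,cn=plugins,cn=config` DN in one place; it needs a prototype in a header that both files include, and the helper name below is only a suggestion. It would also help to say in a comment that `val == 0` is still accepted because it requests autosizing on the next startup. The function's body continues outside the hunk.

```c
/* Report that attr_name cannot be changed while nsslapd-cache-autosize is set. */
void
ldbm_config_report_autosize_conflict(const char *fn, const char *attr_name, char *errorbuf)
{
    slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
        "Error: \"%s\" can not be updated while \"nsslapd-cache-autosize\" is set "
        "in \"cn=config,cn=ldbm database,cn=plugins,cn=config\".", attr_name);
    slapi_log_err(SLAPI_LOG_ERR, fn,
        "\"%s\" can not be set while \"nsslapd-cache-autosize\" is set "
        "in \"cn=config,cn=ldbm database,cn=plugins,cn=config\".\n", attr_name);
}

/* … unchanged: value parsing and minimum-size check … */
    if (CONFIG_PHASE_RUNNING == phase) {
        /* val == 0 stays allowed: it asks for autosizing on the next startup */
        if (val > 0 && li->li_cache_autosize) {
            ldbm_config_report_autosize_conflict("ldbm_config_dbcachesize_set",
                                                 "nsslapd-dbcachesize", errorbuf);
            return LDAP_UNWILLING_TO_PERFORM;
        }
/* … unchanged: li_new_dbcachesize assignment and notice log … */
```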
@@ -1,47 +0,0 @@ -From b2abc3558e531356385ff996512c742f65048fa7 Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Fri, 14 Oct 2016 13:50:18 +0200 -Subject: [PATCH 54/55] Ticket 49009 - args debug logging must be more - restrictive - -Bug Description: turning on args debugging logs all attribute value, including #unhashed# - -Fix Description: filter unhashed attrs - -https://fedorahosted.org/389/ticket/49009 - -Reviewed by: ? - -(cherry picked from commit 39870194a094ca8ebe3e8c7dea9090c2360307cf) ---- - ldap/servers/slapd/entry.c | 1 + - ldap/servers/slapd/entrywsi.c | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c -index d38f970..0cd3b60 100644 ---- a/ldap/servers/slapd/entry.c -+++ b/ldap/servers/slapd/entry.c -@@ -3659,6 +3659,7 @@ entry_apply_mod( Slapi_Entry *e, const LDAPMod *mod ) - if((strcasecmp(mod->mod_type,"objectclass") == 0) - && (strncasecmp((const char *)mod->mod_bvalues[i]->bv_val,"ldapsubentry",mod->mod_bvalues[i]->bv_len) == 0)) - sawsubentry=PR_TRUE; -+ if (0==strcasecmp(PSEUDO_ATTR_UNHASHEDUSERPASSWORD,mod->mod_type)) continue; - LDAPDebug( LDAP_DEBUG_ARGS, " %s: %s\n", mod->mod_type, mod->mod_bvalues[i]->bv_val, 0 ); - } - bvcnt = i; -diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c -index a8f8455..1a4c6aa 100644 ---- a/ldap/servers/slapd/entrywsi.c -+++ b/ldap/servers/slapd/entrywsi.c -@@ -920,6 +920,7 @@ entry_apply_mod_wsi(Slapi_Entry *e, const LDAPMod *mod, const CSN *csn, int urp) - for ( i = 0; - mod->mod_bvalues != NULL && mod->mod_bvalues[i] != NULL; - i++ ) { -+ if (0==strcasecmp(PSEUDO_ATTR_UNHASHEDUSERPASSWORD,mod->mod_type)) continue; - LDAPDebug( LDAP_DEBUG_ARGS, " %s: %s\n", - mod->mod_type, mod->mod_bvalues[i]->bv_val, 0 ); - } --- -2.4.11 - diff --git a/SOURCES/0054-Ticket-49184-adjust-logging-level-in-MO-plugin.patch b/SOURCES/0054-Ticket-49184-adjust-logging-level-in-MO-plugin.patch new file mode 100644 index 0000000..7e34e4b 
--- /dev/null +++ b/SOURCES/0054-Ticket-49184-adjust-logging-level-in-MO-plugin.patch @@ -0,0 +1,30 @@ +From db98cb29158741cc960f1e1a2df3d4214f5bd36e Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 6 Jun 2017 10:50:19 -0400 +Subject: [PATCH] Ticket 49184 - adjust logging level in MO plugin + +Description: Change logging level for benign message + +https://pagure.io/389-ds-base/issue/49184 + +Reviewed by: mreynolds(one line commit ruile) +--- + ldap/servers/plugins/memberof/memberof.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c +index 5cd2c01..9bbe13c 100644 +--- a/ldap/servers/plugins/memberof/memberof.c ++++ b/ldap/servers/plugins/memberof/memberof.c +@@ -3396,7 +3396,7 @@ int memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data) + /* This is quite unexpected, after a call to memberof_get_groups + * ndn ancestors should be in the cache + */ +- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: Weird, %s is not in the cache\n", ndn); ++ slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: Weird, %s is not in the cache\n", ndn); + } + } + } +-- +2.9.4 + diff --git a/SOURCES/0055-Ticket-48328-Add-missing-dependency.patch b/SOURCES/0055-Ticket-48328-Add-missing-dependency.patch deleted file mode 100644 index 2259a09..0000000 --- a/SOURCES/0055-Ticket-48328-Add-missing-dependency.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From b096ca5e299599081da15554df51b2a06db57a89 Mon Sep 17 00:00:00 2001 -From: Viktor Ashirov -Date: Tue, 18 Oct 2016 10:31:16 +0200 -Subject: [PATCH 55/55] Ticket 48328 - Add missing dependency - -Bug Description: -`host` utility is used in setup process to determine CNAME, but -389-ds-base rpm package doesn't depend on bind-utils, which contains it. - -Fix Description: -Add missing dependency for bind-utils. - -https://fedorahosted.org/389/ticket/48328 - -Reviewed by: nhosoi@redhat.com (Thanks!) - -(cherry picked from commit 68a76403a6b240ad95d7f9457e01486f128ac4e9) -(cherry picked from commit ed829078c9dc7b8a940119298f3e12a37034ecf4) ---- - rpm/389-ds-base.spec.in | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in -index 0924cb5..404152d 100644 ---- a/rpm/389-ds-base.spec.in -+++ b/rpm/389-ds-base.spec.in -@@ -123,6 +123,9 @@ Requires(post): systemd-units - Requires(preun): systemd-units - Requires(postun): systemd-units - -+# for setup-ds.pl -+Requires: bind-utils -+ - # for setup-ds.pl to support ipv6 - %if %{use_Socket6} - Requires: perl-Socket6 --- -2.4.11 - diff --git a/SOURCES/0055-Ticket-49241-add-symblic-link-location-to-db2bak.pl-.patch b/SOURCES/0055-Ticket-49241-add-symblic-link-location-to-db2bak.pl-.patch new file mode 100644 index 0000000..f5db74e --- /dev/null +++ b/SOURCES/0055-Ticket-49241-add-symblic-link-location-to-db2bak.pl-.patch 
@@ -0,0 +1,38 @@ +From 6935bd0821395051c0483b0ee393d2d4567f6f0c Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 24 May 2017 12:15:20 -0400 +Subject: [PATCH] Ticket 49241 - add symblic link location to db2bak.pl output + +Description: If a symbolic link is used for the script's backup + location then add info to the output. + +https://pagure.io/389-ds-base/issue/49241 + +Reviewed by: firstyear(Thanks!) + +(cherry picked from commit 95a7f23262076d90fdc8a9ec76e131e9e4c09bcc) +--- + ldap/admin/src/scripts/db2bak.pl.in | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/ldap/admin/src/scripts/db2bak.pl.in b/ldap/admin/src/scripts/db2bak.pl.in +index 335285e..352a01e 100644 +--- a/ldap/admin/src/scripts/db2bak.pl.in ++++ b/ldap/admin/src/scripts/db2bak.pl.in +@@ -105,7 +105,12 @@ if ($archivedir eq "") { + } else { + $symname = $archivedir; + } +- print("Back up directory: $archivedir\n"); ++ if ($symname eq "") { ++ print("Back up directory: $archivedir\n"); ++ } else { ++ print("Back up directory: $archivedir -> $mybakdir/$archivebase\n"); ++ } ++ + # If an archive dir is specified, create it as a symlink pointing + # to the default backup dir not to violate the selinux policy. + $archivedir = "${mybakdir}/${archivebase}"; +-- +2.9.4 + diff --git a/SOURCES/0056-Ticket-48133-v2-Non-tombstone-entry-which-dn-startin.patch b/SOURCES/0056-Ticket-48133-v2-Non-tombstone-entry-which-dn-startin.patch deleted file mode 100644 index 413632c..0000000 --- a/SOURCES/0056-Ticket-48133-v2-Non-tombstone-entry-which-dn-startin.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 9ba44d457cbe182a9b166bff57da0f51ff2cc75c Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Fri, 21 Oct 2016 13:20:42 +0200 -Subject: [PATCH 56/57] Ticket 48133 v2 Non tombstone entry which dn starting - with "nsuniqueid=...," cannot be delete - -Bug Description: trying to delete a non tombstone entry fails when the generated tombstone is - added to the cache - -Fix Description: create a tombstone dn without exceptions - this is an addition to the original fix for this ticket - -https://fedorahosted.org/389/ticket/48133 - -Reviewed by: Noriko, Mark - thanks - -(cherry picked from commit f5f24729388c309210c8741e0da39428b024e4a5) ---- - ldap/servers/slapd/back-ldbm/ldbm_delete.c | 10 ++-------- - 1 file changed, 2 insertions(+), 8 deletions(-) - -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c -index f801e01..e3abb05 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c -@@ -585,14 +585,8 @@ ldbm_back_delete( Slapi_PBlock *pb ) - retval = -1; - goto error_return; - } -- if ((0 == PL_strncmp(edn + sizeof(SLAPI_ATTR_UNIQUEID), childuniqueid, strlen(childuniqueid))) && -- (*(edn + SLAPI_ATTR_UNIQUEID_LENGTH + slapi_uniqueIDSize() + 1/*=*/) == ',')) { -- /* The DN already starts with "nsuniqueid=...," */ -- tombstone_dn = slapi_ch_strdup(edn); -- } else { -- tombstone_dn = compute_entry_tombstone_dn(edn, childuniqueid); -- } -- -+ /* always create the special tombstone dn, even if it already starts with nsuniqueid */ -+ tombstone_dn = compute_entry_tombstone_dn(edn, childuniqueid); - slapi_sdn_set_ndn_byval(&nscpEntrySDN, slapi_sdn_get_ndn(slapi_entry_get_sdn(e->ep_entry))); - - /* Copy the entry unique_id for URP conflict checking */ --- -2.4.11 - diff --git a/SOURCES/0057-Ticket-49020-do-not-treat-missing-csn-as-fatal.patch b/SOURCES/0057-Ticket-49020-do-not-treat-missing-csn-as-fatal.patch deleted file mode 100644 index 09f7500..0000000 
--- a/SOURCES/0057-Ticket-49020-do-not-treat-missing-csn-as-fatal.patch
+++ /dev/null
@@ -1,470 +0,0 @@ -From b2cda86aeddd85ecb712d047824e6d25da9222a7 Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Mon, 5 Dec 2016 09:59:38 +0100 -Subject: [PATCH 57/57] Ticket 49020 - do not treat missing csn as fatal - - This patch removes the automatic choice of an alternative csn when - the calculated anchor csn is not found. - - In that case it does no longer go to fatal state but will retry later. - - It also adds a configuration parameter to thr replication agreement to - allow to pick a "next best" anchorcsn if the original is not found to - keep replicatio going. - - Reviewed by: Noriko, William - -(cherry picked from commit a2dee8fe6faa9fef5824d7852887b21f1158284a) ---- - ldap/schema/01core389.ldif | 3 +- - ldap/servers/plugins/replication/cl5_api.c | 16 ++- - ldap/servers/plugins/replication/cl5_clcache.c | 43 ++++---- - ldap/servers/plugins/replication/cl5_clcache.h | 2 +- - ldap/servers/plugins/replication/repl5.h | 4 + - ldap/servers/plugins/replication/repl5_agmt.c | 114 +++++++++++++++++++++ - ldap/servers/plugins/replication/repl5_agmtlist.c | 13 +++ - .../plugins/replication/repl5_inc_protocol.c | 12 ++- - ldap/servers/plugins/replication/repl_globals.c | 1 + - 9 files changed, 171 insertions(+), 37 deletions(-) - -diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif -index ab07a0b..dfa4729 100644 ---- a/ldap/schema/01core389.ldif -+++ b/ldap/schema/01core389.ldif -@@ -298,6 +298,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2330 NAME 'nsslapd-logging-backend' DESC - attributeTypes: ( 2.16.840.1.113730.3.1.2331 NAME 'nsslapd-logging-hr-timestamps-enabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2333 NAME 
'nsds5ReplicaReleaseTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) -+attributeTypes: ( 2.16.840.1.113730.3.1.2335 NAME 'nsds5ReplicaIgnoreMissingChange' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) - # - # objectclasses - # -@@ -309,7 +310,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.110 NAME 'nsMappingTree' DESC 'Netscape d - objectClasses: ( 2.16.840.1.113730.3.2.104 NAME 'nsContainer' DESC 'Netscape defined objectclass' SUP top MUST ( CN ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Netscape defined objectclass' SUP top MUST ( nsDS5ReplicaRoot $ nsDS5ReplicaId ) MAY (cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5ReplicaAutoReferral $ nsds5ReplicaPurgeDelay $ nsds5ReplicaTombstonePurgeInterval $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax $ nsds5ReplicaReleaseTimeout ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.113 NAME 'nsTombstone' DESC 'Netscape defined objectclass' SUP top MAY ( nstombstonecsn $ nsParentUniqueId $ nscpEntryDN ) X-ORIGIN 'Netscape Directory Server' ) --objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ 
nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause $ nsDS5ReplicaWaitForAsyncResults ) X-ORIGIN 'Netscape Directory Server' ) -+objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause $ nsDS5ReplicaWaitForAsyncResults $ nsds5ReplicaIgnoreMissingChange) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ 
nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' ) -diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c -index 6a09aea..f8b2cea 100644 ---- a/ldap/servers/plugins/replication/cl5_api.c -+++ b/ldap/servers/plugins/replication/cl5_api.c -@@ -310,7 +310,7 @@ static int _cl5WriteBervals (struct berval **bv, char** buff, u_int32_t *size); - static PRBool _cl5ValidReplayIterator (const CL5ReplayIterator *iterator); - #endif - static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consumerRuv, -- Object *replica, Object *fileObject, CL5ReplayIterator **iterator); -+ Object *replica, Object *fileObject, CL5ReplayIterator **iterator, int *continue_on_missing); - static int _cl5CheckMissingCSN (const CSN *minCsn, const RUV *supplierRUV, CL5DBFile *file); - - /* changelog trimming */ -@@ -1536,7 +1536,7 @@ int cl5CreateReplayIteratorEx (Private_Repl_Protocol *prp, const RUV *consumerRu - /* iterate through the ruv in csn order to find first master for which - we can replay changes */ - -- rc = _cl5PositionCursorForReplay (consumerRID, consumerRuv, replica, obj, iterator); -+ rc = _cl5PositionCursorForReplay (consumerRID, consumerRuv, replica, obj, iterator, NULL); - } - else - { -@@ -1597,7 +1597,13 @@ int cl5CreateReplayIterator (Private_Repl_Protocol *prp, const RUV *consumerRuv, - /* iterate through the ruv in csn order to find first master for which - we can replay changes */ - ReplicaId consumerRID = agmt_get_consumer_rid ( prp->agmt, prp->conn ); -- rc = _cl5PositionCursorForReplay (consumerRID, consumerRuv, replica, obj, iterator); -+ int 
continue_on_missing = agmt_get_ignoremissing ( prp->agmt); -+ int save_cont_miss = continue_on_missing; -+ rc = _cl5PositionCursorForReplay (consumerRID, consumerRuv, replica, obj, iterator, &continue_on_missing); -+ if (save_cont_miss == 1 && continue_on_missing ==0) { -+ /* the option to continue once on a missing csn was used, rest */ -+ agmt_set_ignoremissing ( prp->agmt, 0); -+ } - } - else - { -@@ -5516,7 +5522,7 @@ struct replica_hash_entry - - - static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consumerRuv, -- Object *replica, Object *fileObj, CL5ReplayIterator **iterator) -+ Object *replica, Object *fileObj, CL5ReplayIterator **iterator, int *continue_on_missing) - { - CLC_Buffer *clcache = NULL; - CL5DBFile *file; -@@ -5560,7 +5566,7 @@ static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consum - rc = clcache_get_buffer ( &clcache, file->db, consumerRID, consumerRuv, supplierRuv ); - if ( rc != 0 ) goto done; - -- rc = clcache_load_buffer (clcache, &startCSN); -+ rc = clcache_load_buffer (clcache, &startCSN, continue_on_missing); - - if (rc == 0) { - haveChanges = PR_TRUE; -diff --git a/ldap/servers/plugins/replication/cl5_clcache.c b/ldap/servers/plugins/replication/cl5_clcache.c -index ca8b841..47789f4 100644 ---- a/ldap/servers/plugins/replication/cl5_clcache.c -+++ b/ldap/servers/plugins/replication/cl5_clcache.c -@@ -324,7 +324,7 @@ clcache_return_buffer ( CLC_Buffer **buf ) - * historic reason. 
- */ - int --clcache_load_buffer ( CLC_Buffer *buf, CSN **anchorCSN ) -+clcache_load_buffer ( CLC_Buffer *buf, CSN **anchorCSN, int *continue_on_miss ) - { - int rc = 0; - int flag = DB_NEXT; -@@ -345,6 +345,22 @@ clcache_load_buffer ( CLC_Buffer *buf, CSN **anchorCSN ) - if (anchorCSN) *anchorCSN = buf->buf_current_csn; - rc = clcache_load_buffer_bulk ( buf, flag ); - -+ if (rc == DB_NOTFOUND && continue_on_miss && *continue_on_miss) { -+ /* make replication going using next best startcsn */ -+ slapi_log_error(SLAPI_LOG_FATAL, buf->buf_agmt_name, -+ "clcache_load_buffer - Can't load changelog buffer starting at CSN %s with flag(%s). " -+ "Trying to use an alterantive start CSN.\n", -+ (char*)buf->buf_key.data, -+ flag==DB_NEXT?"DB_NEXT":"DB_SET" ); -+ rc = clcache_load_buffer_bulk ( buf, DB_SET_RANGE ); -+ if (rc == 0) { -+ slapi_log_error(SLAPI_LOG_FATAL, buf->buf_agmt_name, -+ "clcache_load_buffer - Using alternative start iteration csn: %s \n", -+ (char*)buf->buf_key.data); -+ } -+ /* the use of alternative start csns can be limited, record its usage */ -+ (*continue_on_miss)--; -+ } - /* Reset some flag variables */ - if ( rc == 0 ) { - int i; -@@ -407,23 +423,6 @@ retry: - & buf->buf_key, - & buf->buf_data, - DB_SET ); -- if (rc == DB_NOTFOUND) { -- /* the start position in the changelog is not found -- * 1. log an error -- * 2. try to find another starting position as close -- * as possible -- */ -- slapi_log_error ( SLAPI_LOG_FATAL, "clcache_load_buffer_bulk", -- "changelog record with csn (%s) not found for DB_NEXT\n", -- (char *)buf->buf_key.data ); -- rc = cursor->c_get ( cursor, & buf->buf_key, & buf->buf_data, -- DB_SET_RANGE ); -- /* this moves the cursor ahead of the tageted csn, -- * so we achieved what was intended with DB_SET/DB_NEXT -- * continute at this csn. 
-- */ -- use_flag = DB_CURRENT; -- } - } - - /* -@@ -432,12 +431,6 @@ retry: - */ - if ( 0 == rc || DB_BUFFER_SMALL == rc ) { - rc = clcache_cursor_get ( cursor, buf, use_flag ); -- if ( rc == DB_NOTFOUND && use_flag == DB_SET) { -- slapi_log_error ( SLAPI_LOG_FATAL, "clcache_load_buffer_bulk", -- "changelog record with csn (%s) not found for DB_SET\n", -- (char *)buf->buf_key.data ); -- rc = clcache_cursor_get ( cursor, buf, DB_SET_RANGE ); -- } - } - - } -@@ -511,7 +504,7 @@ clcache_get_next_change ( CLC_Buffer *buf, void **key, size_t *keylen, void **da - * We're done with the current buffer. Now load the next chunk. - */ - if ( NULL == *key && CLC_STATE_READY == buf->buf_state ) { -- rc = clcache_load_buffer ( buf, NULL ); -+ rc = clcache_load_buffer ( buf, NULL, NULL ); - if ( 0 == rc && buf->buf_record_ptr ) { - DB_MULTIPLE_KEY_NEXT ( buf->buf_record_ptr, &buf->buf_data, - *key, *keylen, *data, *datalen ); -diff --git a/ldap/servers/plugins/replication/cl5_clcache.h b/ldap/servers/plugins/replication/cl5_clcache.h -index 75b2817..6809542 100644 ---- a/ldap/servers/plugins/replication/cl5_clcache.h -+++ b/ldap/servers/plugins/replication/cl5_clcache.h -@@ -23,7 +23,7 @@ typedef struct clc_buffer CLC_Buffer; - int clcache_init ( DB_ENV **dbenv ); - void clcache_set_config (); - int clcache_get_buffer ( CLC_Buffer **buf, DB *db, ReplicaId consumer_rid, const RUV *consumer_ruv, const RUV *local_ruv ); --int clcache_load_buffer ( CLC_Buffer *buf, CSN **anchorCSN ); -+int clcache_load_buffer ( CLC_Buffer *buf, CSN **anchorCSN, int *continue_on_miss ); - void clcache_return_buffer ( CLC_Buffer **buf ); - int clcache_get_next_change ( CLC_Buffer *buf, void **key, size_t *keylen, void **data, size_t *datalen, CSN **csn ); - void clcache_destroy (); -diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h -index 13a38fd..6582876 100644 ---- a/ldap/servers/plugins/replication/repl5.h -+++ 
b/ldap/servers/plugins/replication/repl5.h -@@ -154,6 +154,7 @@ extern const char *type_replicaReleaseTimeout; - extern const char *type_replicaBackoffMin; - extern const char *type_replicaBackoffMax; - extern const char *type_replicaPrecisePurge; -+extern const char *type_replicaIgnoreMissingChange; - - /* Attribute names for windows replication agreements */ - extern const char *type_nsds7WindowsReplicaArea; -@@ -317,6 +318,7 @@ long agmt_get_busywaittime(const Repl_Agmt *ra); - long agmt_get_pausetime(const Repl_Agmt *ra); - long agmt_get_flowcontrolwindow(const Repl_Agmt *ra); - long agmt_get_flowcontrolpause(const Repl_Agmt *ra); -+long agmt_get_ignoremissing(const Repl_Agmt *ra); - int agmt_start(Repl_Agmt *ra); - int windows_agmt_start(Repl_Agmt *ra); - int agmt_stop(Repl_Agmt *ra); -@@ -339,6 +341,7 @@ int agmt_set_schedule_from_entry( Repl_Agmt *ra, const Slapi_Entry *e ); - int agmt_set_timeout_from_entry( Repl_Agmt *ra, const Slapi_Entry *e ); - int agmt_set_flowcontrolwindow_from_entry(Repl_Agmt *ra, const Slapi_Entry *e); - int agmt_set_flowcontrolpause_from_entry(Repl_Agmt *ra, const Slapi_Entry *e); -+int agmt_set_ignoremissing_from_entry(Repl_Agmt *ra, const Slapi_Entry *e); - int agmt_set_busywaittime_from_entry( Repl_Agmt *ra, const Slapi_Entry *e ); - int agmt_set_pausetime_from_entry( Repl_Agmt *ra, const Slapi_Entry *e ); - int agmt_set_credentials_from_entry( Repl_Agmt *ra, const Slapi_Entry *e ); -@@ -385,6 +388,7 @@ int agmt_set_enabled_from_entry(Repl_Agmt *ra, Slapi_Entry *e, char *returntext) - char **agmt_get_attrs_to_strip(Repl_Agmt *ra); - int agmt_set_attrs_to_strip(Repl_Agmt *ra, Slapi_Entry *e); - int agmt_set_timeout(Repl_Agmt *ra, long timeout); -+int agmt_set_ignoremissing(Repl_Agmt *ra, long ignoremissing); - void agmt_update_done(Repl_Agmt *ra, int is_total); - PRUint64 agmt_get_protocol_timeout(Repl_Agmt *agmt); - void agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout); -diff --git 
a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c -index 52cc8b6..b089f97 100644 ---- a/ldap/servers/plugins/replication/repl5_agmt.c -+++ b/ldap/servers/plugins/replication/repl5_agmt.c -@@ -124,6 +124,7 @@ typedef struct repl5agmt { - long flowControlPause; /* When nb of not acknowledged entries overpass totalUpdateWindow - * This is the duration (in msec) that the RA will pause before sending the next entry - */ -+ long ignoreMissingChange; /* if set replication will try to continue even if change cannot be found in changelog */ - Slapi_RWLock *attr_lock; /* RW lock for all the stripped attrs */ - int WaitForAsyncResults; /* Pass to DS_Sleep(PR_MillisecondsToInterval(WaitForAsyncResults)) - * in repl5_inc_waitfor_async_results */ -@@ -137,6 +138,7 @@ static int get_agmt_status(Slapi_PBlock *pb, Slapi_Entry* e, - static int agmt_set_bind_method_no_lock(Repl_Agmt *ra, const Slapi_Entry *e); - static int agmt_set_transportinfo_no_lock(Repl_Agmt *ra, const Slapi_Entry *e); - static ReplicaId agmt_maxcsn_get_rid(char *maxcsn); -+static void agmt_replica_reset_ignoremissing (const Repl_Agmt *agmt); - - /* - Schema for replication agreement: -@@ -349,6 +351,21 @@ agmt_new_from_entry(Slapi_Entry *e) - } - } - -+ /* continue on missing change ? 
*/ -+ ra->ignoreMissingChange = 0; -+ tmpstr = slapi_entry_attr_get_charptr(e, type_replicaIgnoreMissingChange); -+ if (NULL != tmpstr) -+ { -+ if (strcasecmp(tmpstr,"off") == 0 || strcasecmp(tmpstr,"never") == 0) { -+ ra->ignoreMissingChange = 0; -+ } else if (strcasecmp(tmpstr,"on") == 0 || strcasecmp(tmpstr,"once") == 0) { -+ ra->ignoreMissingChange = 1; -+ } else if (strcasecmp(tmpstr,"always") == 0) { -+ ra->ignoreMissingChange = -1; -+ } -+ slapi_ch_free_string(&tmpstr); -+ } -+ - /* DN of entry at root of replicated area */ - tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaRoot); - if (NULL != tmpstr) -@@ -1131,6 +1148,16 @@ agmt_get_flowcontrolpause(const Repl_Agmt *ra) - PR_Unlock(ra->lock); - return return_value; - } -+long -+agmt_get_ignoremissing(const Repl_Agmt *ra) -+{ -+ long return_value; -+ PR_ASSERT(NULL != ra); -+ PR_Lock(ra->lock); -+ return_value = ra->ignoreMissingChange; -+ PR_Unlock(ra->lock); -+ return return_value; -+} - /* - * Warning - reference to the long name of the agreement is returned. 
- * The long name of an agreement is the DN of the agreement entry, -@@ -1996,6 +2023,48 @@ agmt_set_flowcontrolpause_from_entry(Repl_Agmt *ra, const Slapi_Entry *e) - } - return return_value; - } -+/* add comment here */ -+int -+agmt_set_ignoremissing_from_entry(Repl_Agmt *ra, const Slapi_Entry *e) -+{ -+ Slapi_Attr *sattr = NULL; -+ int return_value = -1; -+ -+ PR_ASSERT(NULL != ra); -+ PR_Lock(ra->lock); -+ if (ra->stop_in_progress) -+ { -+ PR_Unlock(ra->lock); -+ return return_value; -+ } -+ -+ slapi_entry_attr_find(e, type_replicaIgnoreMissingChange, &sattr); -+ if (NULL != sattr) -+ { -+ Slapi_Value *sval = NULL; -+ slapi_attr_first_value(sattr, &sval); -+ if (NULL != sval) -+ { -+ const char *tmpval = slapi_value_get_string(sval); -+ if (strcasecmp(tmpval,"off") == 0 || strcasecmp(tmpval,"never") == 0) { -+ ra->ignoreMissingChange = 0; -+ return_value = 0; -+ } else if (strcasecmp(tmpval,"on") == 0 || strcasecmp(tmpval,"once") == 0) { -+ ra->ignoreMissingChange = 1; -+ return_value = 0; -+ } else if (strcasecmp(tmpval,"always") == 0) { -+ ra->ignoreMissingChange = -1; -+ return_value = 0; -+ } -+ } -+ } -+ PR_Unlock(ra->lock); -+ if (return_value == 0) -+ { -+ prot_notify_agmt_changed(ra->protocol, ra->long_name); -+ } -+ return return_value; -+} - - int - agmt_set_timeout(Repl_Agmt *ra, long timeout) -@@ -2036,6 +2105,20 @@ agmt_set_flowcontrolpause(Repl_Agmt *ra, long pause) - - return 0; - } -+int -+agmt_set_ignoremissing(Repl_Agmt *ra, long ignoremissing) -+{ -+ PR_Lock(ra->lock); -+ if (ra->stop_in_progress){ -+ PR_Unlock(ra->lock); -+ return -1; -+ } -+ ra->ignoreMissingChange = ignoremissing; -+ PR_Unlock(ra->lock); -+ /* if reset to 0 update the entry */ -+ agmt_replica_reset_ignoremissing(ra); -+ return 0; -+} - - /* - * Set or reset the busywaittime -@@ -2272,6 +2355,37 @@ agmt_replica_init_done (const Repl_Agmt *agmt) - slapi_pblock_destroy (pb); - } - -+ -+/* delete nsds5replicaIgnoreMissingChange attribute */ -+static void 
-+agmt_replica_reset_ignoremissing (const Repl_Agmt *agmt) -+{ -+ int rc; -+ Slapi_PBlock *pb = slapi_pblock_new (); -+ LDAPMod *mods [2]; -+ LDAPMod mod; -+ -+ mods[0] = &mod; -+ mods[1] = NULL; -+ mod.mod_op = LDAP_MOD_DELETE | LDAP_MOD_BVALUES; -+ mod.mod_type = (char*)type_replicaIgnoreMissingChange; -+ mod.mod_bvalues = NULL; -+ -+ slapi_modify_internal_set_pb_ext(pb, agmt->dn, mods, NULL/* controls */, -+ NULL/* uniqueid */, repl_get_plugin_identity (PLUGIN_MULTIMASTER_REPLICATION), 0/* flags */); -+ slapi_modify_internal_pb (pb); -+ -+ slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc); -+ if (rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_ATTRIBUTE) -+ { -+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmt_replica_ignoremissing: " -+ "failed to remove (%s) attribute from (%s) entry; LDAP error - %d\n", -+ type_replicaIgnoreMissingChange, slapi_sdn_get_ndn (agmt->dn), rc); -+ } -+ -+ slapi_pblock_destroy (pb); -+} -+ - /* Agreement object is acquired on behalf of the caller. - The caller is responsible for releasing the object - when it is no longer used */ -diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c -index f50862f..2e6a7de 100644 ---- a/ldap/servers/plugins/replication/repl5_agmtlist.c -+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c -@@ -399,6 +399,19 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry - } - } - else if (slapi_attr_types_equivalent(mods[i]->mod_type, -+ type_replicaIgnoreMissingChange)) -+ { -+ /* New replica timeout */ -+ if (agmt_set_ignoremissing_from_entry(agmt, e) != 0) -+ { -+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback - " -+ "Failed to update the ignorMissingChange attribute for agreement %s\n", -+ agmt_get_long_name(agmt)); -+ *returncode = LDAP_OPERATIONS_ERROR; -+ rc = SLAPI_DSE_CALLBACK_ERROR; -+ } -+ } -+ else if (slapi_attr_types_equivalent(mods[i]->mod_type, - 
type_nsds5ReplicaBusyWaitTime)) - { - /* New replica busywaittime */ -diff --git a/ldap/servers/plugins/replication/repl5_inc_protocol.c b/ldap/servers/plugins/replication/repl5_inc_protocol.c -index d1de6c5..5ab865a 100644 ---- a/ldap/servers/plugins/replication/repl5_inc_protocol.c -+++ b/ldap/servers/plugins/replication/repl5_inc_protocol.c -@@ -1706,16 +1706,18 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu - agmt_get_long_name(prp->agmt)); - agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, - "Data required to update replica has been purged from the changelog. " -- "The replica must be reinitialized."); -- return_value = UPDATE_FATAL_ERROR; -+ "If the error persists the replica must be reinitialized."); -+ return_value = UPDATE_TRANSIENT_ERROR; - break; - case CL5_MISSING_DATA: /* data should be in the changelog, but is missing */ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, -- "%s: Missing data encountered\n", -+ "send_updates - %s: Missing data encountered. " -+ "If the error persists the replica must be reinitialized.\n", - agmt_get_long_name(prp->agmt)); - agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_CL_ERROR, -- "Changelog data is missing"); -- return_value = UPDATE_FATAL_ERROR; -+ "Changelog data is missing. 
" -+ "If the error persists the replica must be reinitialized."); -+ return_value = UPDATE_TRANSIENT_ERROR; - break; - case CL5_UNKNOWN_ERROR: /* unclassified error */ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, -diff --git a/ldap/servers/plugins/replication/repl_globals.c b/ldap/servers/plugins/replication/repl_globals.c -index 8b891fb..ab85e7f 100644 ---- a/ldap/servers/plugins/replication/repl_globals.c -+++ b/ldap/servers/plugins/replication/repl_globals.c -@@ -114,6 +114,7 @@ const char *type_nsds5ReplicaStripAttrs = "nsds5ReplicaStripAttrs"; - const char* type_nsds5ReplicaFlowControlWindow = "nsds5ReplicaFlowControlWindow"; - const char* type_nsds5ReplicaFlowControlPause = "nsds5ReplicaFlowControlPause"; - const char *type_nsds5WaitForAsyncResults = "nsds5ReplicaWaitForAsyncResults"; -+const char* type_replicaIgnoreMissingChange = "nsds5ReplicaIgnoreMissingChange"; - - /* windows sync specific attributes */ - const char *type_nsds7WindowsReplicaArea = "nsds7WindowsReplicaSubtree"; --- -2.4.11 - diff --git a/SOURCES/0058-Ticket-48964-cleanallruv-changelog-purging-removes-w.patch b/SOURCES/0058-Ticket-48964-cleanallruv-changelog-purging-removes-w.patch deleted file mode 100644 index f6b2874..0000000 --- a/SOURCES/0058-Ticket-48964-cleanallruv-changelog-purging-removes-w.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -From abd1c1d0e098dfd071ab12dad075870d88495783 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 22 Dec 2016 14:38:27 -0500 -Subject: [PATCH] Ticket 48964 - cleanallruv changelog purging removes wrong - rid - -Bug Description: A regression from the previous patch uses the local replica - object to locate the correct changelog file, but the rid to - be clean is not the same rid from the replica object. So the - local replica object's rid is used accidentally to purge the - change log. - -Fix Description: Instead if passing the replica object to the changelog purging - code, create a new purge_data struct to hold all the neccessary - data to purge the correct changelog file and the cleaned rid. - -https://fedorahosted.org/389/ticket/48964 - -Reviewed by: nhosoi(Thanks!) - -(cherry picked from commit a38d76d27970b5b6facf2ffbd1bce9d6979e6297) -(cherry picked from commit 4053587d5dfb9c4b4e5cd966cabb1adc624511d6) ---- - ldap/servers/plugins/replication/cl5_api.c | 54 +++++++++++++--------- - ldap/servers/plugins/replication/cl5_api.h | 2 +- - ldap/servers/plugins/replication/repl5.h | 8 ++++ - .../plugins/replication/repl5_replica_config.c | 12 ++++- - 4 files changed, 50 insertions(+), 26 deletions(-) - -diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c -index f8b2cea..66c2677 100644 ---- a/ldap/servers/plugins/replication/cl5_api.c -+++ b/ldap/servers/plugins/replication/cl5_api.c -@@ -3500,12 +3500,12 @@ static void _cl5DoTrimming () - * changelog for the backend that is being cleaned, and purge all the records - * with the cleaned rid. 
- */ --static void _cl5DoPurging (Replica *replica) -+static void _cl5DoPurging (cleanruv_purge_data *purge_data) - { -- ReplicaId rid = replica_get_rid(replica); -- const Slapi_DN *sdn = replica_get_root(replica); -- const char *replName = replica_get_name(replica); -- char *replGen = replica_get_generation(replica); -+ ReplicaId rid = purge_data->cleaned_rid; -+ const Slapi_DN *suffix_sdn = purge_data->suffix_sdn; -+ const char *replName = purge_data->replName; -+ char *replGen = purge_data->replGen; - char *fileName; - Object *obj; - -@@ -3517,18 +3517,15 @@ static void _cl5DoPurging (Replica *replica) - _cl5PurgeRID (obj, rid); - object_release (obj); - slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, -- "Purged rid (%d) from suffix (%s)\n", -- rid, slapi_sdn_get_dn(sdn)); -+ "_cl5DoPurging - Purged rid (%d) from suffix (%s)\n", -+ rid, slapi_sdn_get_dn(suffix_sdn)); - } else { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, -- "Purge rid (%d) failed to find changelog file (%s) for suffix (%s)\n", -- rid, fileName, slapi_sdn_get_dn(sdn)); -+ "_cl5DoPurging - Purge rid (%d) failed to find changelog file (%s) for suffix (%s)\n", -+ rid, fileName, slapi_sdn_get_dn(suffix_sdn)); - } - PR_Unlock (s_cl5Desc.dbTrim.lock); - -- slapi_ch_free_string(&replGen); -- slapi_ch_free_string(&fileName); -- - return; - } - -@@ -6983,19 +6980,27 @@ cl5CleanRUV(ReplicaId rid){ - slapi_rwlock_unlock (s_cl5Desc.stLock); - } - -+static void free_purge_data(cleanruv_purge_data *purge_data) -+{ -+ slapi_ch_free_string(&purge_data->replGen); -+ slapi_ch_free_string(&purge_data->replName); -+ slapi_ch_free((void **)&purge_data); -+} -+ - /* - * Create a thread to purge a changelog of cleaned RIDs - */ --void trigger_cl_purging(Replica *replica){ -+void trigger_cl_purging(cleanruv_purge_data *purge_data){ - PRThread *trim_tid = NULL; - - trim_tid = PR_CreateThread(PR_USER_THREAD, (VFP)(void*)trigger_cl_purging_thread, -- (void *)replica, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, 
-+ (void *)purge_data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, - PR_UNJOINABLE_THREAD, DEFAULT_THREAD_STACKSIZE); - if (NULL == trim_tid){ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, -- "trigger_cl_purging: failed to create trimming " -+ "trigger_cl_purging: failed to create cl trimming " - "thread; NSPR error - %d\n", PR_GetError ()); -+ free_purge_data(purge_data); - } else { - /* need a little time for the thread to get started */ - DS_Sleep(PR_SecondsToInterval(1)); -@@ -7007,13 +7012,12 @@ void trigger_cl_purging(Replica *replica){ - */ - void - trigger_cl_purging_thread(void *arg){ -- Replica *replica = (Replica *)arg; -+ cleanruv_purge_data *purge_data = (cleanruv_purge_data *)arg; - - /* Make sure we have a change log, and we aren't closing it */ -- if (replica == NULL || -- s_cl5Desc.dbState == CL5_STATE_CLOSED || -+ if (s_cl5Desc.dbState == CL5_STATE_CLOSED || - s_cl5Desc.dbState == CL5_STATE_CLOSING) { -- return; -+ goto free_and_return; - } - - /* Bump the changelog thread count */ -@@ -7021,13 +7025,17 @@ trigger_cl_purging_thread(void *arg){ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, - "trigger_cl_purging: Abort - failed to increment thread count " - "NSPR error - %d\n", PR_GetError ()); -- return; -+ goto free_and_return; - } - - /* Purge the changelog */ -- _cl5DoPurging(replica); -+ _cl5DoPurging(purge_data); - _cl5RemoveThread(); -+ - slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, -- "trigger_cl_purging: purged changelog for (%s) rid (%d)\n", -- slapi_sdn_get_dn(replica_get_root(replica)), replica_get_rid(replica)); -+ "trigger_cl_purging_thread - purged changelog for (%s) rid (%d)\n", -+ slapi_sdn_get_dn(purge_data->suffix_sdn), purge_data->cleaned_rid); -+ -+free_and_return: -+ free_purge_data(purge_data); - } -diff --git a/ldap/servers/plugins/replication/cl5_api.h b/ldap/servers/plugins/replication/cl5_api.h -index 1a1c2f5..e33601d 100644 ---- a/ldap/servers/plugins/replication/cl5_api.h -+++ 
b/ldap/servers/plugins/replication/cl5_api.h -@@ -467,6 +467,6 @@ int cl5WriteRUV(); - int cl5DeleteRUV(); - void cl5CleanRUV(ReplicaId rid); - void cl5NotifyCleanup(int rid); --void trigger_cl_purging(Replica *replica); -+void trigger_cl_purging(cleanruv_purge_data *purge_data); - - #endif -diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h -index 6582876..4ab2355 100644 ---- a/ldap/servers/plugins/replication/repl5.h -+++ b/ldap/servers/plugins/replication/repl5.h -@@ -704,6 +704,14 @@ typedef struct _cleanruv_data - char *force; - } cleanruv_data; - -+typedef struct _cleanruv_purge_data -+{ -+ int cleaned_rid; -+ const Slapi_DN *suffix_sdn; -+ char *replName; -+ char *replGen; -+} cleanruv_purge_data; -+ - /* replutil.c */ - LDAPControl* create_managedsait_control (); - LDAPControl* create_backend_control(Slapi_DN *sdn); -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index 59e5298..d78d982 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -1434,6 +1434,7 @@ replica_execute_cleanruv_task (Object *r, ReplicaId rid, char *returntext /* not - Object *RUVObj; - RUV *local_ruv = NULL; - Replica *replica = (Replica*)object_get_data (r); -+ cleanruv_purge_data *purge_data; - int rc = 0; - PR_ASSERT (replica); - -@@ -1465,9 +1466,16 @@ replica_execute_cleanruv_task (Object *r, ReplicaId rid, char *returntext /* not - cl5CleanRUV(rid); - - /* -- * Now purge the changelog -+ * Now purge the changelog. 
The purging thread will free the purge_data - */ -- trigger_cl_purging(replica); -+ if (replica){ -+ purge_data = (cleanruv_purge_data*)slapi_ch_calloc(1, sizeof(cleanruv_purge_data)); -+ purge_data->cleaned_rid = rid; -+ purge_data->suffix_sdn = replica_get_root(replica); -+ purge_data->replName = (char *)replica_get_name(replica); -+ purge_data->replGen = replica_get_generation(replica); -+ trigger_cl_purging(purge_data); -+ } - - if (rc != RUV_SUCCESS){ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "cleanruv_task: task failed(%d)\n",rc); --- -2.7.4 - diff --git a/SOURCES/0059-Ticket-48964-should-not-free-repl-name-after-purging.patch b/SOURCES/0059-Ticket-48964-should-not-free-repl-name-after-purging.patch deleted file mode 100644 index 092004a..0000000 --- a/SOURCES/0059-Ticket-48964-should-not-free-repl-name-after-purging.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From dd5fdbfea9fdd0ac6624faf6b6aa84c5861d824a Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 4 Jan 2017 09:41:38 -0500 -Subject: [PATCH 59/60] Ticket 48964 - should not free repl name after purging - changelog - -Bug Description: The previous commit for this ticket incorrectly - freed a replica struct const char. There was also - a minor converity issue. - -Fix Description: Do not free the repl_name after purging, and do - not check if "replica" is NULL when creating the - purge data. - -https://fedorahosted.org/389/ticket/48964 - -Reviewed by: tbordaz(Thanks!) - -(cherry picked from commit 017469a1a055da03fc3fb4b34a7732611b7bd2b0) -(cherry picked from commit 0929992503e143aaaa3cbfcafc4de170217ae0bc) ---- - ldap/servers/plugins/replication/cl5_api.c | 1 - - ldap/servers/plugins/replication/repl5_replica_config.c | 14 ++++++-------- - 2 files changed, 6 insertions(+), 9 deletions(-) - -diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c -index 66c2677..e72633a 100644 ---- a/ldap/servers/plugins/replication/cl5_api.c -+++ b/ldap/servers/plugins/replication/cl5_api.c -@@ -6983,7 +6983,6 @@ cl5CleanRUV(ReplicaId rid){ - static void free_purge_data(cleanruv_purge_data *purge_data) - { - slapi_ch_free_string(&purge_data->replGen); -- slapi_ch_free_string(&purge_data->replName); - slapi_ch_free((void **)&purge_data); - } - -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index d78d982..d10443d 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -1468,14 +1468,12 @@ replica_execute_cleanruv_task (Object *r, ReplicaId rid, char *returntext /* not - /* - * Now purge the changelog. 
The purging thread will free the purge_data - */ -- if (replica){ -- purge_data = (cleanruv_purge_data*)slapi_ch_calloc(1, sizeof(cleanruv_purge_data)); -- purge_data->cleaned_rid = rid; -- purge_data->suffix_sdn = replica_get_root(replica); -- purge_data->replName = (char *)replica_get_name(replica); -- purge_data->replGen = replica_get_generation(replica); -- trigger_cl_purging(purge_data); -- } -+ purge_data = (cleanruv_purge_data*)slapi_ch_calloc(1, sizeof(cleanruv_purge_data)); -+ purge_data->cleaned_rid = rid; -+ purge_data->suffix_sdn = replica_get_root(replica); -+ purge_data->replName = (char *)replica_get_name(replica); -+ purge_data->replGen = replica_get_generation(replica); -+ trigger_cl_purging(purge_data); - - if (rc != RUV_SUCCESS){ - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "cleanruv_task: task failed(%d)\n",rc); --- -2.9.3 - diff --git a/SOURCES/0060-Ticket-49074-incompatible-nsEncryptionConfig-object-.patch b/SOURCES/0060-Ticket-49074-incompatible-nsEncryptionConfig-object-.patch deleted file mode 100644 index 88b156a..0000000 --- a/SOURCES/0060-Ticket-49074-incompatible-nsEncryptionConfig-object-.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From fa0f215525e9bdfebdb0f84ab8e03b23dcb8197e Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Wed, 21 Dec 2016 16:31:48 +0100 -Subject: [PATCH 60/60] Ticket 49074 - incompatible nsEncryptionConfig object - definition prevents RHEL 7->6 schema replication - -Bug Description: - nsEncryptionConfig schema definition diverge since 1.3.x and 1.2.11.15-83. - Schema learning mechanism does not merge definition so the schema can not be pushed RHEL7->6. - This triggers schema violation errors - -Fix Description: - Defines nsTLS10, nsTLS11 and nsTLS12 attributetypes and add them to the allowed - attributes list of nsEncryptionConfig - -https://fedorahosted.org/389/ticket/49074 - -Reviewed by: Noriko Hosoi (thanks!!) - -Platforms tested: RHEL7.3 vs RHEL6.8 and RHEL6.9 - -Flag Day: no - -Doc impact: no - -(cherry picked from commit 64a425e4ea868bc1f08145490a7c8c9cf5c91581) -(cherry picked from commit 238d3c74a6a289f4af2b6fdb66173df7840ff981) ---- - ldap/schema/01core389.ldif | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif -index dfa4729..5e5f69f 100644 ---- a/ldap/schema/01core389.ldif -+++ b/ldap/schema/01core389.ldif -@@ -91,6 +91,9 @@ attributeTypes: ( nsKeyfile-oid NAME 'nsKeyfile' DESC 'Netscape defined attribut - attributeTypes: ( nsSSL2-oid NAME 'nsSSL2' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( nsSSL3-oid NAME 'nsSSL3' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( nsTLS1-oid NAME 'nsTLS1' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsTLS10-oid NAME 'nsTLS10' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsTLS11-oid NAME 'nsTLS11' DESC 'Netscape defined attribute type' SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsTLS12-oid NAME 'nsTLS12' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( sslVersionMin-oid NAME 'sslVersionMin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( sslVersionMax-oid NAME 'sslVersionMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( nsSSLClientAuth-oid NAME 'nsSSLClientAuth' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -@@ -314,7 +317,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC - objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' ) --objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher $ CACertExtractFile $ allowWeakDHParam ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined 
objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsTLS10 $ nsTLS11 $ nsTLS12 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher $ CACertExtractFile $ allowWeakDHParam ) X-ORIGIN 'Netscape' ) - objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation $ ServerKeyExtractFile $ ServerCertExtractFile ) X-ORIGIN 'Netscape' ) - objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' ) - objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' ) --- -2.9.3 - diff --git a/SOURCES/0061-Ticket-49080-shadowExpire-should-not-be-a-calculated.patch b/SOURCES/0061-Ticket-49080-shadowExpire-should-not-be-a-calculated.patch deleted file mode 100644 index c2a40e3..0000000 --- a/SOURCES/0061-Ticket-49080-shadowExpire-should-not-be-a-calculated.patch +++ /dev/null 
@@ -1,100 +0,0 @@ -From 50b73af8729b6753c71ba6206632561b5974523d Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Wed, 11 Jan 2017 14:14:40 -0800 -Subject: [PATCH 61/67] Ticket #49080 - shadowExpire should not be a calculated - value - -Description: Reverting the changes made on shadowExpire in the ticket 548. - -Thanks to Gordon Messmer (gordon.messmer@gmail.com) for providing the original patch. - -Reviewed by William Brown (Thanks!!). - -(cherry picked from commit 14eb192b0f99ae3d811fd8a5bb40713bc85ea533) -(cherry picked from commit 2ca12fc5b79dbbb8889eba6da7b4ce59cd6cb86d) ---- - ldap/servers/slapd/pw.c | 29 +++++------------------------ - 1 file changed, 5 insertions(+), 24 deletions(-) - -diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c -index 6f02f90..ce1ca2a 100644 ---- a/ldap/servers/slapd/pw.c -+++ b/ldap/servers/slapd/pw.c -@@ -2803,7 +2803,6 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e) - const char *dn = NULL; - passwdPolicy *pwpolicy = NULL; - long long shadowval = 0; -- long long exptime = 0; - Slapi_Mods *smods = NULL; - LDAPMod **mods; - long long sval; -@@ -2811,7 +2810,6 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e) - char *shmin = NULL; - char *shmax = NULL; - char *shwarn = NULL; -- char *shexp = NULL; - int rc = 0; - - if (!e || !*e) { -@@ -2861,7 +2859,6 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e) - /* shadowMax - the maximum number of days for which the user password remains valid. */ - if (pwpolicy->pw_maxage > 0) { - shadowval = pwpolicy->pw_maxage / _SEC_PER_DAY; -- exptime = time_plus_sec(current_time(), pwpolicy->pw_maxage); - if (shadowval > _MAX_SHADOW) { - shadowval = _MAX_SHADOW; - } -@@ -2903,22 +2900,6 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e) - shwarn = slapi_ch_smprintf("%lld", shadowval); - } - -- /* shadowExpire - the date on which the user login will be disabled. 
*/ -- if (exptime) { -- shexp = slapi_entry_attr_get_charptr(*e, "shadowExpire"); -- exptime /= _SEC_PER_DAY; -- if (shexp) { -- sval = strtoll(shexp, NULL, 0); -- if (sval != exptime) { -- slapi_ch_free_string(&shexp); -- shexp = slapi_ch_smprintf("%lld", exptime); -- mod_num++; -- } -- } else { -- mod_num++; -- shexp = slapi_ch_smprintf("%lld", exptime); -- } -- } - smods = slapi_mods_new(); - slapi_mods_init(smods, mod_num); - if (shmin) { -@@ -2933,10 +2914,6 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e) - slapi_mods_add(smods, LDAP_MOD_REPLACE, "shadowWarning", strlen(shwarn), shwarn); - slapi_ch_free_string(&shwarn); - } -- if (shexp) { -- slapi_mods_add(smods, LDAP_MOD_REPLACE, "shadowExpire", strlen(shexp), shexp); -- slapi_ch_free_string(&shexp); -- } - /* Apply the mods to create the resulting entry. */ - mods = slapi_mods_get_ldapmods_byref(smods); - if (mods) { -@@ -2947,11 +2924,15 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e) - } - slapi_mods_free(&smods); - --#if 0 /* These 2 attributes are no need (or not able) to auto-fill. */ -+#if 0 /* These 3 attributes are no need (or not able) to auto-fill. */ - /* - * shadowInactive - the number of days of inactivity allowed for the user. - * Password Policy does not have the corresponding parameter. - * -+ * shadowExpire - the number of days since Jan 1, 1970 after which the -+ * account, not the password, will expire. This is not affected by the -+ * Password Policy. -+ * - * shadowFlag - not currently in use. - */ - #endif --- -2.9.3 - diff --git a/SOURCES/0062-Ticket-49082-Fix-password-expiration-related-shadow-.patch b/SOURCES/0062-Ticket-49082-Fix-password-expiration-related-shadow-.patch deleted file mode 100644 index c00b4d3..0000000 --- a/SOURCES/0062-Ticket-49082-Fix-password-expiration-related-shadow-.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From 96ad7ec4fa84dd32439e3473c0128612dd5f9d49 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Wed, 11 Jan 2017 15:04:42 -0800 -Subject: [PATCH 62/67] Ticket #49082 - Fix password expiration related shadow - attributes - -The original patch was provided by Gordon Messmer (gordon.messmer@gmail.com) -with the description: - Bug description: - Shadow attributes (in /etc/shadow and in LDAP) are typically unset when no - policy is in place. 389-ds will incorrectly return values (possibly set to 0) - when there is no policy. - - Fix description: - Only auto-fill shadow attributes when a password policy is available. These - are empty when no policy is in place. - - Don't auto-fill expiration related shadow attributes if passwords never expire. - -Reviewed by William Brown (Thanks!!). - -(cherry picked from commit 5bcd966b73708f6b558f01e6b11a7a11e8d3b126) -(cherry picked from commit faae0fa5a4a6b3d590c1a9e068d9436965cc49c9) ---- - ldap/servers/slapd/pw.c | 74 +++++++++++++++++++++++++------------------------ - 1 file changed, 38 insertions(+), 36 deletions(-) - -diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c -index ce1ca2a..30a2cb9 100644 ---- a/ldap/servers/slapd/pw.c -+++ b/ldap/servers/slapd/pw.c -@@ -2802,7 +2802,7 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e) - { - const char *dn = NULL; - passwdPolicy *pwpolicy = NULL; -- long long shadowval = 0; -+ long long shadowval = -1; - Slapi_Mods *smods = NULL; - LDAPMod **mods; - long long sval; -@@ -2840,64 +2840,66 @@ add_shadow_ext_password_attrs(Slapi_PBlock *pb, Slapi_Entry **e) - if (shadowval > _MAX_SHADOW) { - shadowval = _MAX_SHADOW; - } -- } else { -- shadowval = 0; - } -- shmin = slapi_entry_attr_get_charptr(*e, "shadowMin"); -- if (shmin) { -- sval = strtoll(shmin, NULL, 0); -- if (sval != shadowval) { -- slapi_ch_free_string(&shmin); -- shmin = slapi_ch_smprintf("%lld", shadowval); -+ if (shadowval > 0) { -+ shmin = slapi_entry_attr_get_charptr(*e, 
"shadowMin"); -+ if (shmin) { -+ sval = strtoll(shmin, NULL, 0); -+ if (sval != shadowval) { -+ slapi_ch_free_string(&shmin); -+ shmin = slapi_ch_smprintf("%lld", shadowval); -+ mod_num++; -+ } -+ } else { - mod_num++; -+ shmin = slapi_ch_smprintf("%lld", shadowval); - } -- } else { -- mod_num++; -- shmin = slapi_ch_smprintf("%lld", shadowval); - } - - /* shadowMax - the maximum number of days for which the user password remains valid. */ -- if (pwpolicy->pw_maxage > 0) { -+ shadowval = -1; -+ if (pwpolicy->pw_exp == 1 && pwpolicy->pw_maxage > 0) { - shadowval = pwpolicy->pw_maxage / _SEC_PER_DAY; - if (shadowval > _MAX_SHADOW) { - shadowval = _MAX_SHADOW; - } -- } else { -- shadowval = _MAX_SHADOW; - } -- shmax = slapi_entry_attr_get_charptr(*e, "shadowMax"); -- if (shmax) { -- sval = strtoll(shmax, NULL, 0); -- if (sval != shadowval) { -- slapi_ch_free_string(&shmax); -- shmax = slapi_ch_smprintf("%lld", shadowval); -+ if (shadowval > 0) { -+ shmax = slapi_entry_attr_get_charptr(*e, "shadowMax"); -+ if (shmax) { -+ sval = strtoll(shmax, NULL, 0); -+ if (sval != shadowval) { -+ slapi_ch_free_string(&shmax); -+ shmax = slapi_ch_smprintf("%lld", shadowval); -+ mod_num++; -+ } -+ } else { - mod_num++; -+ shmax = slapi_ch_smprintf("%lld", shadowval); - } -- } else { -- mod_num++; -- shmax = slapi_ch_smprintf("%lld", shadowval); - } - - /* shadowWarning - the number of days of advance warning given to the user before the user password expires. 
*/ -- if (pwpolicy->pw_warning > 0) { -+ shadowval = -1; -+ if (pwpolicy->pw_exp == 1 && pwpolicy->pw_warning > 0) { - shadowval = pwpolicy->pw_warning / _SEC_PER_DAY; - if (shadowval > _MAX_SHADOW) { - shadowval = _MAX_SHADOW; - } -- } else { -- shadowval = 0; - } -- shwarn = slapi_entry_attr_get_charptr(*e, "shadowWarning"); -- if (shwarn) { -- sval = strtoll(shwarn, NULL, 0); -- if (sval != shadowval) { -- slapi_ch_free_string(&shwarn); -- shwarn = slapi_ch_smprintf("%lld", shadowval); -+ if (shadowval > 0) { -+ shwarn = slapi_entry_attr_get_charptr(*e, "shadowWarning"); -+ if (shwarn) { -+ sval = strtoll(shwarn, NULL, 0); -+ if (sval != shadowval) { -+ slapi_ch_free_string(&shwarn); -+ shwarn = slapi_ch_smprintf("%lld", shadowval); -+ mod_num++; -+ } -+ } else { - mod_num++; -+ shwarn = slapi_ch_smprintf("%lld", shadowval); - } -- } else { -- mod_num++; -- shwarn = slapi_ch_smprintf("%lld", shadowval); - } - - smods = slapi_mods_new(); --- -2.9.3 - diff --git a/SOURCES/0063-Ticket-49082-Adjusted-the-CI-test-case-to-the-fix.patch b/SOURCES/0063-Ticket-49082-Adjusted-the-CI-test-case-to-the-fix.patch deleted file mode 100644 index 97fb5d1..0000000 --- a/SOURCES/0063-Ticket-49082-Adjusted-the-CI-test-case-to-the-fix.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From ee9b5c5dc3f4382ee73abefb9d2e3c275e62d6c8 Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Wed, 11 Jan 2017 15:14:07 -0800 -Subject: [PATCH 63/67] Ticket #49082 - Adjusted the CI test case to the fix. - -Description: Fix password expiration related shadow attributes -(cherry picked from commit 5a6a5a18d0458bd147af57a06158245f329ddba3) -(cherry picked from commit b9e565df5d304ba9fb516b987ad62480590a5845) ---- - dirsrvtests/tests/tickets/ticket548_test.py | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/dirsrvtests/tests/tickets/ticket548_test.py b/dirsrvtests/tests/tickets/ticket548_test.py -index d29fa53..dea7c3c 100644 ---- a/dirsrvtests/tests/tickets/ticket548_test.py -+++ b/dirsrvtests/tests/tickets/ticket548_test.py -@@ -98,6 +98,13 @@ def set_global_pwpolicy(topology, min_=1, max_=10, warn=3): - log.error('Failed to set passwordMinAge: error ' + e.message['desc']) - assert False - -+ log.info(" Set global password Expiration -- on\n") -+ try: -+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordExp', 'on')]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set passwordExp: error ' + e.message['desc']) -+ assert False -+ - log.info(" Set global password Max Age -- %s days\n" % max_) - try: - topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMaxAge', '%s' % max_secs)]) --- -2.9.3 - diff --git a/SOURCES/0064-Ticket-49008-backport-1.3.5-aborted-operation-can-le.patch b/SOURCES/0064-Ticket-49008-backport-1.3.5-aborted-operation-can-le.patch deleted file mode 100644 index 32d1bbb..0000000 --- a/SOURCES/0064-Ticket-49008-backport-1.3.5-aborted-operation-can-le.patch +++ /dev/null 
@@ -1,631 +0,0 @@ -From d1477e4a03d85aec79b497db4531d9e484029139 Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Tue, 24 Jan 2017 15:07:19 +0100 -Subject: [PATCH 64/67] Ticket 49008 backport 1.3.5 : aborted operation can - leave RUV in incorrect state - - Bug description: - If a plugin operation succeeded, but the operation itself fails and is aborted the RUV is in an incorrect state (rolled up to the succesful plugin op) - - Fix Decription: - Introduce a "primary_csn", this is the csn of the main operation, either a client operation or a replicated operation. - csns generated by internal operations, eg by plugins are secondary csn. - - Maintain the primary csn in thread local data, like it is used for the agreement name (or txn stack): prim_csn. - - Extend the data structure of the pending list to keep prim_csn for each inserted csn - - If a csn is created or received check prim_csn: if it exists use it, if it doesn't exist set it - - when inserting a csn to the pending list pass the prim_csn - - when cancelling a csn, if it is the prim_csn also cancell all secondary csns - - when committing a csn, - - if it is not the primary csn, do nothing - - if it is the prim_csn trigger the pending list rollup, stop at the first not committed csn - - if the RID of the prim_csn is not the local RID also rollup the pending list for the local RID. 
- - Reviewed by: Thierry, Thanks - -(cherry picked from commit 79a3deafe943a3ce5c31c50272939146d17bd7ac) ---- - ldap/servers/plugins/replication/csnpl.c | 75 +++++++++++++++++++++--- - ldap/servers/plugins/replication/csnpl.h | 5 +- - ldap/servers/plugins/replication/repl5.h | 2 + - ldap/servers/plugins/replication/repl5_init.c | 22 +++++++ - ldap/servers/plugins/replication/repl5_plugins.c | 40 ++++++++----- - ldap/servers/plugins/replication/repl5_replica.c | 6 +- - ldap/servers/plugins/replication/repl5_ruv.c | 74 +++++++++++++++++------ - ldap/servers/plugins/replication/repl5_ruv.h | 4 +- - ldap/servers/slapd/csn.c | 15 +++++ - ldap/servers/slapd/slapi-private.h | 2 + - 10 files changed, 195 insertions(+), 50 deletions(-) - -diff --git a/ldap/servers/plugins/replication/csnpl.c b/ldap/servers/plugins/replication/csnpl.c -index acd38d0..db1ae13 100644 ---- a/ldap/servers/plugins/replication/csnpl.c -+++ b/ldap/servers/plugins/replication/csnpl.c -@@ -24,8 +24,9 @@ struct csnpl - - typedef struct _csnpldata - { -- PRBool committed; /* True if CSN committed */ -- CSN *csn; /* The actual CSN */ -+ PRBool committed; /* True if CSN committed */ -+ CSN *csn; /* The actual CSN */ -+ const CSN *prim_csn; /* The primary CSN of an operation consising of multiple sub ops*/ - } csnpldata; - - /* forward declarations */ -@@ -103,7 +104,7 @@ void csnplFree (CSNPL **csnpl) - * 1 if the csn has already been seen - * -1 for any other kind of errors - */ --int csnplInsert (CSNPL *csnpl, const CSN *csn) -+int csnplInsert (CSNPL *csnpl, const CSN *csn, const CSN *prim_csn) - { - int rc; - csnpldata *csnplnode; -@@ -131,6 +132,7 @@ int csnplInsert (CSNPL *csnpl, const CSN *csn) - csnplnode = (csnpldata *)slapi_ch_malloc(sizeof(csnpldata)); - csnplnode->committed = PR_FALSE; - csnplnode->csn = csn_dup(csn); -+ csnplnode->prim_csn = prim_csn; - csn_as_string(csn, PR_FALSE, csn_str); - rc = llistInsertTail (csnpl->csnList, csn_str, csnplnode); - -@@ -186,6 +188,57 @@ int csnplRemove 
(CSNPL *csnpl, const CSN *csn) - return 0; - } - -+int csnplRemoveAll (CSNPL *csnpl, const CSN *csn) -+{ -+ csnpldata *data; -+ void *iterator; -+ -+ slapi_rwlock_wrlock (csnpl->csnLock); -+ data = (csnpldata *)llistGetFirst(csnpl->csnList, &iterator); -+ while (NULL != data) -+ { -+ if (csn_is_equal(data->csn, csn) || -+ csn_is_equal(data->prim_csn, csn)) { -+ csnpldata_free(&data); -+ data = (csnpldata *)llistRemoveCurrentAndGetNext(csnpl->csnList, &iterator); -+ } else { -+ data = (csnpldata *)llistGetNext (csnpl->csnList, &iterator); -+ } -+ } -+#ifdef DEBUG -+ _csnplDumpContentNoLock(csnpl, "csnplRemoveAll"); -+#endif -+ slapi_rwlock_unlock (csnpl->csnLock); -+ return 0; -+} -+ -+ -+int csnplCommitAll (CSNPL *csnpl, const CSN *csn) -+{ -+ csnpldata *data; -+ void *iterator; -+ char csn_str[CSN_STRSIZE]; -+ -+ csn_as_string(csn, PR_FALSE, csn_str); -+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, -+ "csnplCommitALL: committing all csns for csn %s\n", csn_str); -+ slapi_rwlock_wrlock (csnpl->csnLock); -+ data = (csnpldata *)llistGetFirst(csnpl->csnList, &iterator); -+ while (NULL != data) -+ { -+ csn_as_string(data->csn, PR_FALSE, csn_str); -+ slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, -+ "csnplCommitALL: processing data csn %s\n", csn_str); -+ if (csn_is_equal(data->csn, csn) || -+ csn_is_equal(data->prim_csn, csn)) { -+ data->committed = PR_TRUE; -+ } -+ data = (csnpldata *)llistGetNext (csnpl->csnList, &iterator); -+ } -+ slapi_rwlock_unlock (csnpl->csnLock); -+ return 0; -+} -+ - int csnplCommit (CSNPL *csnpl, const CSN *csn) - { - csnpldata *data; -@@ -276,13 +329,12 @@ csnplRollUp(CSNPL *csnpl, CSN **first_commited) - *first_commited = NULL; - } - data = (csnpldata *)llistGetFirst(csnpl->csnList, &iterator); -- while (NULL != data) -+ while (NULL != data && data->committed) - { - if (NULL != largest_committed_csn && freeit) - { - csn_free(&largest_committed_csn); - } -- if (data->committed) { - freeit = PR_TRUE; - largest_committed_csn = data->csn; 
/* Save it */ - if (first_commited && (*first_commited == NULL)) { -@@ -294,9 +346,6 @@ csnplRollUp(CSNPL *csnpl, CSN **first_commited) - data->csn = NULL; - csnpldata_free(&data); - data = (csnpldata *)llistRemoveCurrentAndGetNext(csnpl->csnList, &iterator); -- } else { -- data = (csnpldata *)llistGetNext (csnpl->csnList, &iterator); -- } - } - - #ifdef DEBUG -@@ -326,6 +375,7 @@ static void _csnplDumpContentNoLock(CSNPL *csnpl, const char *caller) - csnpldata *data; - void *iterator; - char csn_str[CSN_STRSIZE]; -+ char primcsn_str[CSN_STRSIZE]; - - data = (csnpldata *)llistGetFirst(csnpl->csnList, &iterator); - if (data) { -@@ -334,11 +384,18 @@ static void _csnplDumpContentNoLock(CSNPL *csnpl, const char *caller) - } - while (data) - { -- slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "%s, %s\n", -+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "%s,(prim %s), %s\n", - csn_as_string(data->csn, PR_FALSE, csn_str), -+ data->prim_csn ? csn_as_string(data->prim_csn, PR_FALSE, primcsn_str) : " ", - data->committed ? 
"committed" : "not committed"); - data = (csnpldata *)llistGetNext (csnpl->csnList, &iterator); - } - } - #endif - -+/* wrapper around csn_free, to satisfy NSPR thread context API */ -+void -+csnplFreeCSN (void *arg) -+{ -+ csn_free((CSN **)&arg); -+} -diff --git a/ldap/servers/plugins/replication/csnpl.h b/ldap/servers/plugins/replication/csnpl.h -index 32e3ff7..f5c28f5 100644 ---- a/ldap/servers/plugins/replication/csnpl.h -+++ b/ldap/servers/plugins/replication/csnpl.h -@@ -22,10 +22,13 @@ typedef struct csnpl CSNPL; - - CSNPL* csnplNew (); - void csnplFree (CSNPL **csnpl); --int csnplInsert (CSNPL *csnpl, const CSN *csn); -+int csnplInsert (CSNPL *csnpl, const CSN *csn, const CSN *prim_csn); - int csnplRemove (CSNPL *csnpl, const CSN *csn); -+int csnplRemoveAll (CSNPL *csnpl, const CSN *csn); -+int csnplCommitAll (CSNPL *csnpl, const CSN *csn); - CSN* csnplGetMinCSN (CSNPL *csnpl, PRBool *committed); - int csnplCommit (CSNPL *csnpl, const CSN *csn); - CSN *csnplRollUp(CSNPL *csnpl, CSN ** first); - void csnplDumpContent(CSNPL *csnpl, const char *caller); -+ - #endif -diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h -index 4ab2355..27ad416 100644 ---- a/ldap/servers/plugins/replication/repl5.h -+++ b/ldap/servers/plugins/replication/repl5.h -@@ -232,6 +232,8 @@ int multimaster_be_betxnpostop_modify (Slapi_PBlock *pb); - extern int repl5_is_betxn; - char* get_thread_private_agmtname (); - void set_thread_private_agmtname (const char *agmtname); -+void set_thread_primary_csn (const CSN *prim_csn); -+CSN* get_thread_primary_csn(void); - void* get_thread_private_cache (); - void set_thread_private_cache (void *buf); - char* get_repl_session_id (Slapi_PBlock *pb, char *id, CSN **opcsn); -diff --git a/ldap/servers/plugins/replication/repl5_init.c b/ldap/servers/plugins/replication/repl5_init.c -index 0304ed5..1570655 100644 ---- a/ldap/servers/plugins/replication/repl5_init.c -+++ 
b/ldap/servers/plugins/replication/repl5_init.c -@@ -136,6 +136,7 @@ static int multimaster_started_flag = 0; - /* Thread private data and interface */ - static PRUintn thread_private_agmtname; /* thread private index for logging*/ - static PRUintn thread_private_cache; -+static PRUintn thread_primary_csn; - - char* - get_thread_private_agmtname() -@@ -153,6 +154,26 @@ set_thread_private_agmtname(const char *agmtname) - PR_SetThreadPrivate(thread_private_agmtname, (void *)agmtname); - } - -+CSN* -+get_thread_primary_csn(void) -+{ -+ CSN *prim_csn = NULL; -+ if (thread_primary_csn) -+ prim_csn = (CSN *)PR_GetThreadPrivate(thread_primary_csn); -+ return prim_csn; -+} -+void -+set_thread_primary_csn(const CSN *prim_csn) -+{ -+ if (thread_primary_csn) { -+ if (prim_csn) { -+ PR_SetThreadPrivate(thread_primary_csn, (void *)csn_dup(prim_csn)); -+ } else { -+ PR_SetThreadPrivate(thread_primary_csn, NULL); -+ } -+ } -+} -+ - void* - get_thread_private_cache () - { -@@ -721,6 +742,7 @@ multimaster_start( Slapi_PBlock *pb ) - /* Initialize thread private data for logging. 
Ignore if fails */ - PR_NewThreadPrivateIndex (&thread_private_agmtname, NULL); - PR_NewThreadPrivateIndex (&thread_private_cache, NULL); -+ PR_NewThreadPrivateIndex (&thread_primary_csn, csnplFreeCSN); - - /* Decode the command line args to see if we're dumping to LDIF */ - is_ldif_dump = check_for_ldif_dump(pb); -diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c -index b331c81..84624e9 100644 ---- a/ldap/servers/plugins/replication/repl5_plugins.c -+++ b/ldap/servers/plugins/replication/repl5_plugins.c -@@ -1033,9 +1033,11 @@ static int - write_changelog_and_ruv (Slapi_PBlock *pb) - { - Slapi_Operation *op = NULL; -+ CSN *opcsn; -+ CSN *prim_csn; - int rc; - slapi_operation_parameters *op_params = NULL; -- Object *repl_obj; -+ Object *repl_obj = NULL; - int return_value = SLAPI_PLUGIN_SUCCESS; - Replica *r; - Slapi_Backend *be; -@@ -1063,17 +1065,17 @@ write_changelog_and_ruv (Slapi_PBlock *pb) - { - return return_value; - } -+ /* we only log changes for operations applied to a replica */ -+ repl_obj = replica_get_replica_for_op (pb); -+ if (repl_obj == NULL) -+ return return_value; - - slapi_pblock_get(pb, SLAPI_RESULT_CODE, &rc); - if (rc) { /* op failed - just return */ -- return return_value; -+ cancel_opcsn(pb); -+ goto common_return; - } - -- /* we only log changes for operations applied to a replica */ -- repl_obj = replica_get_replica_for_op (pb); -- if (repl_obj == NULL) -- return return_value; -- - r = (Replica*)object_get_data (repl_obj); - PR_ASSERT (r); - -@@ -1108,7 +1110,7 @@ write_changelog_and_ruv (Slapi_PBlock *pb) - - slapi_pblock_get (pb, SLAPI_OPERATION_PARAMETERS, &op_params); - if (NULL == op_params) { -- return return_value; -+ goto common_return; - } - - /* need to set uniqueid operation parameter */ -@@ -1127,19 +1129,18 @@ write_changelog_and_ruv (Slapi_PBlock *pb) - slapi_pblock_get (pb, SLAPI_ENTRY_PRE_OP, &e); - } - if (NULL == e) { -- return return_value; -+ goto 
common_return; - } - uniqueid = slapi_entry_get_uniqueid (e); - if (NULL == uniqueid) { -- return return_value; -+ goto common_return; - } - op_params->target_address.uniqueid = slapi_ch_strdup (uniqueid); - } - - if( op_params->csn && is_cleaned_rid(csn_get_replicaid(op_params->csn))){ - /* this RID has been cleaned */ -- object_release (repl_obj); -- return return_value; -+ goto common_return; - } - - /* we might have stripped all the mods - in that case we do not -@@ -1152,7 +1153,7 @@ write_changelog_and_ruv (Slapi_PBlock *pb) - { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "write_changelog_and_ruv: Skipped due to DISKFULL\n"); -- return return_value; -+ goto common_return; - } - slapi_pblock_get(pb, SLAPI_TXN, &txn); - rc = cl5WriteOperationTxn(repl_name, repl_gen, op_params, -@@ -1188,7 +1189,6 @@ write_changelog_and_ruv (Slapi_PBlock *pb) - */ - if (0 == return_value) { - char csn_str[CSN_STRSIZE] = {'\0'}; -- CSN *opcsn; - int rc; - const char *dn = op_params ? REPL_GET_DN(&op_params->target_address) : "unknown"; - Slapi_DN *sdn = op_params ? 
(&op_params->target_address)->sdn : NULL; -@@ -1220,7 +1220,15 @@ write_changelog_and_ruv (Slapi_PBlock *pb) - } - } - -- object_release (repl_obj); -+common_return: -+ opcsn = operation_get_csn(op); -+ prim_csn = get_thread_primary_csn(); -+ if (csn_is_equal(opcsn, prim_csn)) { -+ set_thread_primary_csn(NULL); -+ } -+ if (repl_obj) { -+ object_release (repl_obj); -+ } - return return_value; - } - -@@ -1417,7 +1425,7 @@ cancel_opcsn (Slapi_PBlock *pb) - - ruv_obj = replica_get_ruv (r); - PR_ASSERT (ruv_obj); -- ruv_cancel_csn_inprogress ((RUV*)object_get_data (ruv_obj), opcsn); -+ ruv_cancel_csn_inprogress ((RUV*)object_get_data (ruv_obj), opcsn, replica_get_rid(r)); - object_release (ruv_obj); - } - -diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c -index 7360d97..602653a 100644 ---- a/ldap/servers/plugins/replication/repl5_replica.c -+++ b/ldap/servers/plugins/replication/repl5_replica.c -@@ -903,7 +903,7 @@ replica_update_ruv(Replica *r, const CSN *updated_csn, const char *replica_purl) - } - } - /* Update max csn for local and remote replicas */ -- rc = ruv_update_ruv (ruv, updated_csn, replica_purl, rid == r->repl_rid); -+ rc = ruv_update_ruv (ruv, updated_csn, replica_purl, r->repl_rid); - if (RUV_COVERS_CSN == rc) - { - slapi_log_error(SLAPI_LOG_REPL, -@@ -3626,7 +3626,7 @@ assign_csn_callback(const CSN *csn, void *data) - - if (NULL != r->min_csn_pl) - { -- if (csnplInsert(r->min_csn_pl, csn) != 0) -+ if (csnplInsert(r->min_csn_pl, csn, NULL) != 0) - { - char csn_str[CSN_STRSIZE]; /* For logging only */ - /* Ack, we can't keep track of min csn. Punt. 
*/ -@@ -3674,7 +3674,7 @@ abort_csn_callback(const CSN *csn, void *data) - } - } - -- ruv_cancel_csn_inprogress (ruv, csn); -+ ruv_cancel_csn_inprogress (ruv, csn, replica_get_rid(r)); - replica_unlock(r->repl_lock); - - object_release (ruv_obj); -diff --git a/ldap/servers/plugins/replication/repl5_ruv.c b/ldap/servers/plugins/replication/repl5_ruv.c -index 5d6e1c3..c2d3bb4 100644 ---- a/ldap/servers/plugins/replication/repl5_ruv.c -+++ b/ldap/servers/plugins/replication/repl5_ruv.c -@@ -77,6 +77,7 @@ static char *get_replgen_from_berval(const struct berval *bval); - static const char * const prefix_replicageneration = "{replicageneration}"; - static const char * const prefix_ruvcsn = "{replica "; /* intentionally missing '}' */ - -+static int ruv_update_ruv_element (RUV *ruv, RUVElement *replica, const CSN *csn, const char *replica_purl, PRBool isLocal); - - /* API implementation */ - -@@ -1602,6 +1603,7 @@ int ruv_add_csn_inprogress (RUV *ruv, const CSN *csn) - char csn_str[CSN_STRSIZE]; - int rc = RUV_SUCCESS; - int rid = csn_get_replicaid (csn); -+ CSN *prim_csn; - - PR_ASSERT (ruv && csn); - -@@ -1639,8 +1641,12 @@ int ruv_add_csn_inprogress (RUV *ruv, const CSN *csn) - rc = RUV_COVERS_CSN; - goto done; - } -- -- rc = csnplInsert (replica->csnpl, csn); -+ prim_csn = get_thread_primary_csn(); -+ if (prim_csn == NULL) { -+ set_thread_primary_csn(csn); -+ prim_csn = get_thread_primary_csn(); -+ } -+ rc = csnplInsert (replica->csnpl, csn, prim_csn); - if (rc == 1) /* we already seen this csn */ - { - if (slapi_is_loglevel_set(SLAPI_LOG_REPL)) { -@@ -1648,6 +1654,7 @@ int ruv_add_csn_inprogress (RUV *ruv, const CSN *csn) - "the csn %s has already be seen - ignoring\n", - csn_as_string (csn, PR_FALSE, csn_str)); - } -+ set_thread_primary_csn(NULL); - rc = RUV_COVERS_CSN; - } - else if(rc != 0) -@@ -1672,24 +1679,36 @@ done: - return rc; - } - --int ruv_cancel_csn_inprogress (RUV *ruv, const CSN *csn) -+int ruv_cancel_csn_inprogress (RUV *ruv, const CSN *csn, 
ReplicaId local_rid) - { - RUVElement* replica; - int rc = RUV_SUCCESS; -+ CSN *prim_csn = NULL; -+ - - PR_ASSERT (ruv && csn); - -+ prim_csn = get_thread_primary_csn(); - /* locate ruvElement */ - slapi_rwlock_wrlock (ruv->lock); - replica = ruvGetReplica (ruv, csn_get_replicaid (csn)); -- if (replica == NULL) -- { -+ if (replica == NULL) { - /* ONREPL - log error */ -- rc = RUV_NOTFOUND; -- goto done; -- } -- -- rc = csnplRemove (replica->csnpl, csn); -+ rc = RUV_NOTFOUND; -+ goto done; -+ } -+ if (csn_is_equal(csn, prim_csn)) { -+ /* the prim csn is cancelled, lets remove all dependent csns */ -+ ReplicaId prim_rid = csn_get_replicaid (csn); -+ replica = ruvGetReplica (ruv, prim_rid); -+ rc = csnplRemoveAll (replica->csnpl, prim_csn); -+ if (prim_rid != local_rid) { -+ replica = ruvGetReplica (ruv, local_rid); -+ rc = csnplRemoveAll (replica->csnpl, prim_csn); -+ } -+ } else { -+ rc = csnplRemove (replica->csnpl, csn); -+ } - if (rc != 0) - rc = RUV_NOTFOUND; - else -@@ -1700,19 +1719,37 @@ done: - return rc; - } - --int ruv_update_ruv (RUV *ruv, const CSN *csn, const char *replica_purl, PRBool isLocal) -+int ruv_update_ruv (RUV *ruv, const CSN *csn, const char *replica_purl, ReplicaId local_rid) -+{ -+ int rc=RUV_SUCCESS; -+ RUVElement *replica; -+ ReplicaId prim_rid; -+ -+ CSN *prim_csn = get_thread_primary_csn(); -+ -+ if (! 
csn_is_equal(csn, prim_csn)) { -+ /* not a primary csn, nothing to do */ -+ return rc; -+ } -+ slapi_rwlock_wrlock (ruv->lock); -+ prim_rid = csn_get_replicaid (csn); -+ replica = ruvGetReplica (ruv, local_rid); -+ rc = ruv_update_ruv_element(ruv, replica, csn, replica_purl, PR_TRUE); -+ if ( rc || local_rid == prim_rid) goto done; -+ replica = ruvGetReplica (ruv, prim_rid); -+ rc = ruv_update_ruv_element(ruv, replica, csn, replica_purl, PR_FALSE); -+done: -+ slapi_rwlock_unlock (ruv->lock); -+ return rc; -+} -+static int -+ruv_update_ruv_element (RUV *ruv, RUVElement *replica, const CSN *csn, const char *replica_purl, PRBool isLocal) - { - int rc=RUV_SUCCESS; - char csn_str[CSN_STRSIZE]; - CSN *max_csn; - CSN *first_csn = NULL; -- RUVElement *replica; - -- PR_ASSERT (ruv && csn); -- -- slapi_rwlock_wrlock (ruv->lock); -- -- replica = ruvGetReplica (ruv, csn_get_replicaid (csn)); - if (replica == NULL) - { - /* we should have a ruv element at this point because it would have -@@ -1722,7 +1759,7 @@ int ruv_update_ruv (RUV *ruv, const CSN *csn, const char *replica_purl, PRBool i - goto done; - } - -- if (csnplCommit(replica->csnpl, csn) != 0) -+ if (csnplCommitAll(replica->csnpl, csn) != 0) - { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "ruv_update_ruv: cannot commit csn %s\n", - csn_as_string(csn, PR_FALSE, csn_str)); -@@ -1763,7 +1800,6 @@ int ruv_update_ruv (RUV *ruv, const CSN *csn, const char *replica_purl, PRBool i - } - - done: -- slapi_rwlock_unlock (ruv->lock); - - return rc; - } -diff --git a/ldap/servers/plugins/replication/repl5_ruv.h b/ldap/servers/plugins/replication/repl5_ruv.h -index e9eff5a..c8960fd 100644 ---- a/ldap/servers/plugins/replication/repl5_ruv.h -+++ b/ldap/servers/plugins/replication/repl5_ruv.h -@@ -109,8 +109,8 @@ PRInt32 ruv_replica_count (const RUV *ruv); - char **ruv_get_referrals(const RUV *ruv); - void ruv_dump(const RUV *ruv, char *ruv_name, PRFileDesc *prFile); - int ruv_add_csn_inprogress (RUV *ruv, const CSN *csn); 
--int ruv_cancel_csn_inprogress (RUV *ruv, const CSN *csn); --int ruv_update_ruv (RUV *ruv, const CSN *csn, const char *replica_purl, PRBool isLocal); -+int ruv_cancel_csn_inprogress (RUV *ruv, const CSN *csn, ReplicaId rid); -+int ruv_update_ruv (RUV *ruv, const CSN *csn, const char *replica_purl, ReplicaId local_rid); - int ruv_move_local_supplier_to_first(RUV *ruv, ReplicaId rid); - int ruv_get_first_id_and_purl(RUV *ruv, ReplicaId *rid, char **replica_purl ); - int ruv_local_contains_supplier(RUV *ruv, ReplicaId rid); -diff --git a/ldap/servers/slapd/csn.c b/ldap/servers/slapd/csn.c -index a3f4815..175f82a 100644 ---- a/ldap/servers/slapd/csn.c -+++ b/ldap/servers/slapd/csn.c -@@ -268,6 +268,21 @@ csn_as_attr_option_string(CSNType t,const CSN *csn,char *ss) - return s; - } - -+int -+csn_is_equal(const CSN *csn1, const CSN *csn2) -+{ -+ int retval = 0; -+ if ((csn1 == NULL && csn2 == NULL) || -+ (csn1 && csn2 && -+ csn1->tstamp == csn2->tstamp && -+ csn1->seqnum == csn2->seqnum && -+ csn1->rid == csn2->rid && -+ csn1->subseqnum == csn2->subseqnum)) { -+ retval = 1; -+ } -+ return retval; -+} -+ - int - csn_compare_ext(const CSN *csn1, const CSN *csn2, unsigned int flags) - { -diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h -index 52d1c4a..e909e9c 100644 ---- a/ldap/servers/slapd/slapi-private.h -+++ b/ldap/servers/slapd/slapi-private.h -@@ -166,6 +166,7 @@ time_t csn_get_time(const CSN *csn); - PRUint16 csn_get_seqnum(const CSN *csn); - PRUint16 csn_get_subseqnum(const CSN *csn); - char *csn_as_string(const CSN *csn, PRBool replicaIdOrder, char *ss); /* WARNING: ss must be CSN_STRSIZE bytes, or NULL. 
*/ -+int csn_is_equal(const CSN *csn1, const CSN *csn2); - int csn_compare(const CSN *csn1, const CSN *csn2); - int csn_compare_ext(const CSN *csn1, const CSN *csn2, unsigned int flags); - #define CSN_COMPARE_SKIP_SUBSEQ 0x1 -@@ -181,6 +182,7 @@ const CSN *csn_max(const CSN *csn1,const CSN *csn2); - a csn from the set.*/ - int csn_increment_subsequence (CSN *csn); - -+void csnplFreeCSN (void *arg); - /* - * csnset.c - */ --- -2.9.3 - diff --git a/SOURCES/0065-Ticket-49008-backport-1.3.5-aborted-operation-can-le.patch b/SOURCES/0065-Ticket-49008-backport-1.3.5-aborted-operation-can-le.patch deleted file mode 100644 index b0782d4..0000000 --- a/SOURCES/0065-Ticket-49008-backport-1.3.5-aborted-operation-can-le.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-From 0085cfb4c4ff6722898e97704a67dcdfcba53388 Mon Sep 17 00:00:00 2001
-From: Noriko Hosoi
-Date: Wed, 25 Jan 2017 13:39:08 -0800
-Subject: [PATCH 65/67] Ticket 49008 backport 1.3.5 : aborted operation can
- leave RUV in incorrect state
-
-Description: Fixed 2 backport errors in commit 79a3deafe943a3ce5c31c50272939146d17bd7ac.
-(cherry picked from commit 3fa6596bdc677cdb3fb65b7baf6fd567485c91a7)
----
- ldap/servers/plugins/replication/csnpl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/csnpl.c b/ldap/servers/plugins/replication/csnpl.c
-index db1ae13..a696fc1 100644
---- a/ldap/servers/plugins/replication/csnpl.c
-+++ b/ldap/servers/plugins/replication/csnpl.c
-@@ -220,14 +220,14 @@ int csnplCommitAll (CSNPL *csnpl, const CSN *csn)
- char csn_str[CSN_STRSIZE];
-
- csn_as_string(csn, PR_FALSE, csn_str);
-- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
-+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
- "csnplCommitALL: committing all csns for csn %s\n", csn_str);
- slapi_rwlock_wrlock (csnpl->csnLock);
- data = (csnpldata *)llistGetFirst(csnpl->csnList, &iterator);
- while (NULL != data)
- {
- csn_as_string(data->csn, PR_FALSE, csn_str);
-- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
-+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
- "csnplCommitALL: processing data csn %s\n", csn_str);
- if (csn_is_equal(data->csn, csn) ||
- csn_is_equal(data->prim_csn, csn)) {
---
-2.9.3
-
diff --git a/SOURCES/0066-Ticket-49079-deadlock-on-cos-cache-rebuild.patch b/SOURCES/0066-Ticket-49079-deadlock-on-cos-cache-rebuild.patch
deleted file mode 100644
index af757e4..0000000
--- a/SOURCES/0066-Ticket-49079-deadlock-on-cos-cache-rebuild.patch
+++ /dev/null
@@ -1,207 +0,0 @@
-From 5391c666e58af5841eab88c98505f99c8ed20d6b Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz
-Date: Tue, 10 Jan 2017 14:32:53 +0100
-Subject: [PATCH 66/67] Ticket 49079: deadlock on cos cache rebuild
-
-Bug Description:
- To rebuild the cache cos_cache_creation the thread gets cos definitions from backend.
- It means change_lock is held then cos_cache_creation will acquire some backend pages.
-
- A deadlock can happen if cos_post_op is called while backend is locked.
- For example if a bepreop (urp) does an internal update on a cos definition.
- Then the thread holds backend pages, that will be needed by cos_cache_creation,
- and will acquire change_lock for notification of the cos_cache thread
-
-Fix Description:
-
- Let cos cache rebuild thread run without holding change_lock.
- The lock prevents parallel run but a flag can do the same.
-
-https://fedorahosted.org/389/ticket/49079
-
-Reviewed by: William Brown and Ludwig Krispenz (thanks to you both !!)
-
-Platforms tested: F23
-
-Flag Day: no
-
-Doc impact: no
-
-(cherry picked from commit ac44337bd97fe63071e7d83e9dcd788f2af1feab)
-(cherry picked from commit 3ac12cb94a8873b0fa4ddb12f924cc58bd9c9872)
----
- ldap/servers/plugins/cos/cos_cache.c | 73 ++++++++++++++++++++++++++++++------
- 1 file changed, 61 insertions(+), 12 deletions(-)
-
-diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
-index 8a32630..87b4ba5 100644
---- a/ldap/servers/plugins/cos/cos_cache.c
-+++ b/ldap/servers/plugins/cos/cos_cache.c
-@@ -111,7 +111,9 @@ void * cos_get_plugin_identity();
- /* the global plugin handle */
- static volatile vattr_sp_handle *vattr_handle = NULL;
-
-+/* both variables are protected by change_lock */
- static int cos_cache_notify_flag = 0;
-+static PRBool cos_cache_at_work = PR_FALSE;
-
- /* service definition cache structs */
-
-@@ -199,7 +201,8 @@ typedef struct _cos_cache cosCache;
- static cosCache *pCache; /* always the current global cache, only use getref to get */
-
- /* the place to start if you want a new cache */
--static int cos_cache_create();
-+static int cos_cache_create_unlock(void);
-+static int cos_cache_creation_lock(void);
-
- /* cache index related functions */
- static int cos_cache_index_all(cosCache *pCache);
-@@ -386,7 +389,7 @@ static void cos_cache_wait_on_change(void *arg)
- pCache = 0;
-
- /* create initial cache */
-- cos_cache_create();
-+ cos_cache_creation_lock();
-
- slapi_lock_mutex(start_lock);
- started = 1;
-@@ -419,7 +422,7 @@ static void cos_cache_wait_on_change(void *arg)
- * before we go running off doing lots of stuff lets check if we should stop
- */
- if(keeprunning) {
-- cos_cache_create();
-+ cos_cache_creation_lock();
- }
- cos_cache_notify_flag = 0; /* Dealt with it */
- }/* while */
-@@ -431,22 +434,25 @@ static void cos_cache_wait_on_change(void *arg)
- LDAPDebug( LDAP_DEBUG_TRACE, "<-- cos_cache_wait_on_change thread exit\n",0,0,0);
- }
-
-+
- /*
-- cos_cache_create
-+ cos_cache_create_unlock
- ---------------------
- Walks the definitions in the DIT and creates the cache.
- Once created, it swaps the new cache for the old one,
- releasing its refcount to the old cache and allowing it
- to be destroyed.
-+
-+ called while change_lock is NOT held
- */
--static int cos_cache_create()
-+static int cos_cache_create_unlock(void)
- {
- int ret = -1;
- cosCache *pNewCache;
- static int firstTime = 1;
- int cache_built = 0;
-
-- LDAPDebug( LDAP_DEBUG_TRACE, "--> cos_cache_create\n",0,0,0);
-+ LDAPDebug( LDAP_DEBUG_TRACE, "--> cos_cache_create_unlock\n",0,0,0);
-
- pNewCache = (cosCache*)slapi_ch_malloc(sizeof(cosCache));
- if(pNewCache)
-@@ -509,21 +515,21 @@ static int cos_cache_create()
- {
- /* we should not go on without proper schema checking */
- cos_cache_release(pNewCache);
-- LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_create: failed to cache the schema\n",0,0,0);
-+ LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_create_unlock: failed to cache the schema\n",0,0,0);
- }
- }
- else
- {
- /* currently we cannot go on without the indexes */
- cos_cache_release(pNewCache);
-- LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_create: failed to index cache\n",0,0,0);
-+ LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_create_unlock: failed to index cache\n",0,0,0);
- }
- }
- else
- {
- if(firstTime)
- {
-- LDAPDebug( LDAP_DEBUG_PLUGIN, "cos_cache_create: cos disabled\n",0,0,0);
-+ LDAPDebug( LDAP_DEBUG_PLUGIN, "cos_cache_create_unlock: cos disabled\n",0,0,0);
- firstTime = 0;
- }
-
-@@ -531,7 +537,7 @@ static int cos_cache_create()
- }
- }
- else
-- LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_create: memory allocation failure\n",0,0,0);
-+ LDAPDebug( LDAP_DEBUG_ANY, "cos_cache_create_unlock: memory allocation failure\n",0,0,0);
-
-
- /* make sure we have a new cache */
-@@ -563,10 +569,53 @@ static int cos_cache_create()
-
- }
-
-- LDAPDebug( LDAP_DEBUG_TRACE, "<-- cos_cache_create\n",0,0,0);
-+ LDAPDebug( LDAP_DEBUG_TRACE, "<-- cos_cache_create_unlock\n",0,0,0);
- return ret;
- }
-
-+/* cos_cache_creation_lock is called with change_lock being hold:
-+ * slapi_lock_mutex(change_lock)
-+ *
-+ * To rebuild the cache cos_cache_creation gets cos definitions from backend, that
-+ * means change_lock is held then cos_cache_creation will acquire some backend pages.
-+ *
-+ * A deadlock can happen if cos_post_op is called while backend is locked.
-+ * For example if a bepreop (urp) does an internal update on a cos definition,
-+ * the thread holds backend pages that will be needed by cos_cache_creation.
-+ *
-+ * A solution is to use a flag 'cos_cache_at_work' protected by change_lock,
-+ * release change_lock, recreate the cos_cache, acquire change_lock reset the flag.
-+ *
-+ * returned value: result of cos_cache_create_unlock
-+ *
-+ */
-+static int cos_cache_creation_lock(void)
-+{
-+ int ret = -1;
-+ int max_tries = 10;
-+
-+ for (; max_tries != 0; max_tries--) {
-+ /* if the cos_cache is already under work (cos_cache_create_unlock)
-+ * wait 1 second
-+ */
-+ if (cos_cache_at_work) {
-+ slapi_log_error(SLAPI_LOG_FATAL, COS_PLUGIN_SUBSYSTEM, "--> cos_cache_creation_lock already rebuilding cos_cache... retry\n");
-+ DS_Sleep (PR_MillisecondsToInterval(1000));
-+ continue;
-+ }
-+ cos_cache_at_work = PR_TRUE;
-+ slapi_unlock_mutex(change_lock);
-+ ret = cos_cache_create_unlock();
-+ slapi_lock_mutex(change_lock);
-+ cos_cache_at_work = PR_FALSE;
-+ break;
-+ }
-+ if (!max_tries) {
-+ slapi_log_error(SLAPI_LOG_FATAL, COS_PLUGIN_SUBSYSTEM, "--> cos_cache_creation_lock rebuilt was to long, skip this rebuild\n");
-+ }
-+
-+ return ret;
-+}
-
- /*
- cos_cache_build_definition_list
-@@ -1639,7 +1688,7 @@ int cos_cache_getref(cos_cache **pptheCache)
- slapi_lock_mutex(change_lock);
- if(pCache == NULL)
- {
-- if(cos_cache_create())
-+ if(cos_cache_creation_lock())
- {
- /* there was a problem or no COS definitions were found */
- LDAPDebug( LDAP_DEBUG_PLUGIN, "cos_cache_getref: no cos cache created\n",0,0,0);
---
-2.9.3
-
diff --git a/SOURCES/0067-Ticket-49016-un-register-migration-remove-may-fail-i.patch b/SOURCES/0067-Ticket-49016-un-register-migration-remove-may-fail-i.patch
deleted file mode 100644
index b2fa67d..0000000
--- a/SOURCES/0067-Ticket-49016-un-register-migration-remove-may-fail-i.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 451838933f9989d1ff9c46dbb3cae7619166a4d8 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz
-Date: Fri, 21 Oct 2016 16:28:59 +0200
-Subject: [PATCH 67/67] Ticket 49016 - (un)register/migration/remove may fail
- if there is no suffix on 'userRoot' backend
-
-Bug Description:
- If an instance has no suffix on 'userRoot' backend, then the info structure
- may contain empty 'Suffix'.
- In fact if the last backend has no suffix (like cn=config), it overwite all
- previsously found value.
- This affect register (and possibly unregister/migrate/remove)
-
-Fix Description:
- Before overwriting the 'Suffix' value, check that the found backend contains
- 'nsslapd-suffix'.
-
-https://fedorahosted.org/389/ticket/49016
-
-Reviewed by: Noriko Hosoi (Thank you Noriko)
-
-Platforms tested: RHEL 7.2
-
-Flag Day: no
-
-Doc impact: no
-
-(cherry picked from commit 1bafab5ae1e894ae3680679e03e457b9ace7e7d2)
----
- ldap/admin/src/scripts/DSUtil.pm.in | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
-index 756d6ea..eac59a3 100644
---- a/ldap/admin/src/scripts/DSUtil.pm.in
-+++ b/ldap/admin/src/scripts/DSUtil.pm.in
-@@ -975,7 +975,9 @@ sub createInfFromConfig {
- }
- # use the userRoot suffix if available
- while ($ent) {
-- $suffix = $ent->getValues('nsslapd-suffix');
-+ if ($ent->getValues('nsslapd-suffix')) {
-+ $suffix = $ent->getValues('nsslapd-suffix');
-+ }
- last if ($ent->hasValue('cn', 'userRoot', 1));
- $ent = $conn->nextEntry();
- }
---
-2.9.3
-
diff --git a/SOURCES/0068-Ticket-49016-un-register-migration-remove-may-fail-i.patch b/SOURCES/0068-Ticket-49016-un-register-migration-remove-may-fail-i.patch
deleted file mode 100644
index ba32e9c..0000000
--- a/SOURCES/0068-Ticket-49016-un-register-migration-remove-may-fail-i.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 99a0def5c6b9910616d95ee7cd15ecad5b406951 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz
-Date: Mon, 30 Jan 2017 17:38:01 +0100
-Subject: [PATCH] Ticket 49016 - (un)register/migration/remove may fail if
- there is no suffix on 'userRoot' backend
-
-Bug Description:
- Previous fix was incomplete in case none of the backend entries have
- 'nsslapd-suffix' value
-
-Fix Description:
-
- Just return if $suffix keep unmodified
-
-https://fedorahosted.org/389/ticket/49016
-
-Reviewed by: nhosoi
-
-Platforms tested: F23, F25
-
-Flag Day: no
-
-Doc impact: no
-
-(cherry picked from commit bd5fdfc8f4a560eae99672b712235c1260ee42b0)
-(cherry picked from commit 1abb0ffb2930d019f58d5dac1937ddbb56c9287f)
----
- ldap/admin/src/scripts/DSUtil.pm.in | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
-index eac59a3..c8eb14d 100644
---- a/ldap/admin/src/scripts/DSUtil.pm.in
-+++ b/ldap/admin/src/scripts/DSUtil.pm.in
-@@ -965,7 +965,7 @@ sub createInfFromConfig {
- $inf->{slapd}->{ServerPort} = $ent->getValues('nsslapd-port');
- $inf->{slapd}->{ServerIdentifier} = $id;
-
-- my $suffix;
-+ my $suffix = "";
- $ent = $conn->search("cn=ldbm database,cn=plugins,cn=config",
- "one", "(objectclass=*)");
- if (!$ent) {
-@@ -981,6 +981,12 @@ sub createInfFromConfig {
- last if ($ent->hasValue('cn', 'userRoot', 1));
- $ent = $conn->nextEntry();
- }
-+ if ( "" eq "$suffix" )
-+ {
-+ push @{$errs}, "error_opening_dseldif", $fname, $!;
-+ $conn->close();
-+ return 0;
-+ }
-
- # we also need the instance dir
- $ent = $conn->search("cn=config", "base", "(objectclass=*)");
---
-2.9.3
-
diff --git a/SOURCES/0069-fix-for-reg-in-49008-check-if-ruv-element-exists.patch b/SOURCES/0069-fix-for-reg-in-49008-check-if-ruv-element-exists.patch
deleted file mode 100644
index e85d043..0000000
--- a/SOURCES/0069-fix-for-reg-in-49008-check-if-ruv-element-exists.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 7a5d77d8a65d65ed7c5fa94abf952669993f45c2 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz
-Date: Tue, 7 Feb 2017 17:02:00 +0100
-Subject: [PATCH] fix for reg in 49008, check if ruv element exists
-
-(cherry picked from commit 23d98baa8aadab80691680ba065563ad1e35591c)
----
- ldap/servers/plugins/replication/repl5_ruv.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_ruv.c b/ldap/servers/plugins/replication/repl5_ruv.c
-index c2d3bb4..5086313 100644
---- a/ldap/servers/plugins/replication/repl5_ruv.c
-+++ b/ldap/servers/plugins/replication/repl5_ruv.c
-@@ -1703,8 +1703,14 @@ int ruv_cancel_csn_inprogress (RUV *ruv, const CSN *csn, ReplicaId local_rid)
- replica = ruvGetReplica (ruv, prim_rid);
- rc = csnplRemoveAll (replica->csnpl, prim_csn);
- if (prim_rid != local_rid) {
-- replica = ruvGetReplica (ruv, local_rid);
-- rc = csnplRemoveAll (replica->csnpl, prim_csn);
-+ if( local_rid != READ_ONLY_REPLICA_ID) {
-+ replica = ruvGetReplica (ruv, local_rid);
-+ if (replica) {
-+ rc = csnplRemoveAll (replica->csnpl, prim_csn);
-+ } else {
-+ rc = RUV_NOTFOUND;
-+ }
-+ }
- }
- } else {
- rc = csnplRemove (replica->csnpl, csn);
---
-2.7.4
-
diff --git a/SOURCES/0070-Ticket-49121-ns-slapd-crashes-in-ldif_sput-due-to-th.patch b/SOURCES/0070-Ticket-49121-ns-slapd-crashes-in-ldif_sput-due-to-th.patch
deleted file mode 100644
index c95e8a0..0000000
--- a/SOURCES/0070-Ticket-49121-ns-slapd-crashes-in-ldif_sput-due-to-th.patch
+++ /dev/null
@@ -1,351 +0,0 @@ -From f03bfc51387fcfe15122ee994626738f71b1935c Mon Sep 17 00:00:00 2001 -From: Noriko Hosoi -Date: Sun, 12 Feb 2017 17:26:46 -0800 -Subject: [PATCH 70/71] Ticket #49121 - ns-slapd crashes in ldif_sput due to - the output buf size is less than the real size. - -Description: There were missing pieces in the entry size calculation -when an attribute had no a_present_values nor a_deleted_values. -1) There was no chance to add the size of the attribute type name since - preceding entry2str_internal_size_valueset did not add any size if - the value was empty. The type name size is now explicitly added. -2) a_deletioncsn is added in entry2str_internal_put_attrlist by calling - valueset_add_string with empty value. The size was not included in - the allocated memory to store the entire entry as a string. Now the - size is added. - -Adding CI test ticket49121_test.py. - -https://pagure.io/389-ds-base/issue/49121 - -Reviewed by wibrown@redhat.com (Thank you, William!!) - -(cherry picked from commit 543fe89edb0a6410a740a4fff738cace7bc57078) ---- - dirsrvtests/tests/data/ticket49121/utf8str.txt | 1 + - dirsrvtests/tests/tickets/ticket49121_test.py | 211 +++++++++++++++++++++++++ - ldap/servers/slapd/entry.c | 55 ++++--- - 3 files changed, 244 insertions(+), 23 deletions(-) - create mode 100644 dirsrvtests/tests/data/ticket49121/utf8str.txt - create mode 100644 dirsrvtests/tests/tickets/ticket49121_test.py - -diff --git a/dirsrvtests/tests/data/ticket49121/utf8str.txt b/dirsrvtests/tests/data/ticket49121/utf8str.txt -new file mode 100644 -index 0000000..0005c4e ---- /dev/null -+++ b/dirsrvtests/tests/data/ticket49121/utf8str.txt -@@ -0,0 +1 @@ -+あいうえお -diff --git a/dirsrvtests/tests/tickets/ticket49121_test.py b/dirsrvtests/tests/tickets/ticket49121_test.py -new file mode 100644 -index 0000000..6450297 ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket49121_test.py -@@ -0,0 +1,211 @@ -+# --- BEGIN COPYRIGHT BLOCK --- -+# Copyright (C) 2017 Red Hat, Inc. 
-+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. -+# --- END COPYRIGHT BLOCK --- -+# -+import pytest -+import sys -+import codecs -+from lib389.tasks import * -+from lib389.utils import * -+from lib389.topologies import topology_m2 -+ -+DEBUGGING = os.getenv('DEBUGGING', False) -+ -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+ -+def test_ticket49121(topology_m2): -+ """ -+ Creating some users. -+ Deleting quite a number of attributes which may or may not be in the entry. -+ The attribute type names are to be long. -+ Under the conditions, it did not estimate the size of string format entry -+ shorter than the real size and caused the Invalid write / server crash. -+ """ -+ reload(sys) -+ sys.setdefaultencoding('utf-8') -+ log.info('DefaultEncoding: %s' % sys.getdefaultencoding()) -+ -+ utf8file = os.path.join(topology_m2.ms["master1"].getDir(__file__, DATA_DIR), "ticket49121/utf8str.txt") -+ utf8obj = codecs.open(utf8file, 'r', 'utf-8') -+ utf8strorig = utf8obj.readline() -+ utf8str = utf8strorig.encode('utf-8').rstrip('\n') -+ utf8obj.close() -+ assert(utf8str) -+ -+ # Get the sbin directory so we know where to replace 'ns-slapd' -+ sbin_dir = topology_m2.ms["master1"].get_sbin_dir() -+ log.info('sbin_dir: %s' % sbin_dir) -+ -+ # stop M1 to do the next updates -+ topology_m2.ms["master1"].stop(30) -+ topology_m2.ms["master2"].stop(30) -+ -+ # wait for the servers shutdown -+ time.sleep(5) -+ -+ # Enable valgrind -+ if not topology_m2.ms["master1"].has_asan(): -+ valgrind_enable(sbin_dir) -+ -+ # start M1 to do the next updates -+ topology_m2.ms["master1"].start() -+ topology_m2.ms["master2"].start() -+ -+ for idx in range(1, 10): -+ try: -+ USER_DN = 'CN=user%d,ou=People,%s' % (idx, DEFAULT_SUFFIX) -+ log.info('adding user %s...' 
% (USER_DN)) -+ topology_m2.ms["master1"].add_s(Entry((USER_DN, -+ {'objectclass': 'top person extensibleObject'.split(' '), -+ 'cn': 'user%d' % idx, -+ 'sn': 'SN%d-%s' % (idx, utf8str)}))) -+ except ldap.LDAPError as e: -+ log.fatal('Failed to add user (%s): error %s' % (USER_DN, e.message['desc'])) -+ assert False -+ -+ for i in range(1, 3): -+ time.sleep(3) -+ for idx in range(1, 10): -+ try: -+ USER_DN = 'CN=user%d,ou=People,%s' % (idx, DEFAULT_SUFFIX) -+ log.info('[%d] modify user %s - replacing attrs...' % (i, USER_DN)) -+ topology_m2.ms["master1"].modify_s( -+ USER_DN, [(ldap.MOD_REPLACE, 'cn', 'user%d' % idx), -+ (ldap.MOD_REPLACE, 'ABCDEFGH_ID', ['239001ad-06dd-e011-80fa-c00000ad5174', -+ '240f0878-c552-e411-b0f3-000006040037']), -+ (ldap.MOD_REPLACE, 'attr1', 'NEW_ATTR'), -+ (ldap.MOD_REPLACE, 'attr20000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr30000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr40000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr50000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr600000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr7000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr8000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr900000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr1000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr110000000000000', None), -+ (ldap.MOD_REPLACE, 'attr120000000000000', None), -+ (ldap.MOD_REPLACE, 'attr130000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr140000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr150000000000000000000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr1600000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr17000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr18000000000000000000000000000000000', 
None), -+ (ldap.MOD_REPLACE, 'attr1900000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr2000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr210000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr220000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr230000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr240000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr25000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr260000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr270000000000000000000000000000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr280000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr29000000000000000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr3000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr310000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr320000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr330000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr340000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr350000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr360000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr370000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr380000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr390000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr4000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr410000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr420000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr430000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 
'attr440000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr4500000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr460000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr470000000000000000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr480000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr49000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr5000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr510000000000000', None), -+ (ldap.MOD_REPLACE, 'attr520000000000000', None), -+ (ldap.MOD_REPLACE, 'attr530000000000000', None), -+ (ldap.MOD_REPLACE, 'attr540000000000000', None), -+ (ldap.MOD_REPLACE, 'attr550000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr5600000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr57000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr58000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr5900000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr6000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr6100000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr6200000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr6300000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr6400000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr65000000000000000000000000000000000000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr6600000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr6700000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr6800000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr690000000000000000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr7000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 
'attr71000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr72000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr73000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr74000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr750000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr7600000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr77000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr78000000000000000000000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr79000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr800000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr81000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr82000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr83000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr84000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr85000000000000000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr8600000000000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr87000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr88000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr89000000000000000000000000000000000', None), -+ (ldap.MOD_REPLACE, 'attr9000000000000000000000000000000000000000000000000000', None)]) -+ except ldap.LDAPError as e: -+ log.fatal('Failed to modify user - deleting attrs (%s): error %s' % (USER_DN, e.message['desc'])) -+ -+ if not topology_m2.ms["master1"].has_asan(): -+ results_file = valgrind_get_results_file(topology_m2.ms["master1"]) -+ -+ # Stop master2 -+ topology_m2.ms["master1"].stop(30) -+ topology_m2.ms["master2"].stop(30) -+ -+ # Check for leak -+ if not topology_m2.ms["master1"].has_asan(): -+ # Check for invalid read/write -+ if valgrind_check_file(results_file, 
VALGRIND_INVALID_STR):
-+ log.info('Valgrind reported invalid!')
-+ assert False
-+ else:
-+ log.info('Valgrind is happy!')
-+
-+ # Disable valgrind
-+ if not topology_m2.ms["master1"].has_asan():
-+ valgrind_disable(sbin_dir)
-+
-+ # start M1 to do the next updates
-+ topology_m2.ms["master1"].start()
-+ topology_m2.ms["master2"].start()
-+
-+ log.info('Testcase PASSED')
-+ if DEBUGGING:
-+ # Add debugging steps(if any)...
-+ pass
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
-index 0cd3b60..ed99a38 100644
---- a/ldap/servers/slapd/entry.c
-+++ b/ldap/servers/slapd/entry.c
-@@ -1472,7 +1472,8 @@ bail:
- }
-
- static size_t
--entry2str_internal_size_valueset( const char *attrtype, const Slapi_ValueSet *vs, int entry2str_ctrl, int attribute_state, int value_state )
-+entry2str_internal_size_valueset( const Slapi_Attr *a, const char *attrtype, const Slapi_ValueSet *vs,
-+ int entry2str_ctrl, int attribute_state, int value_state )
- {
- size_t elen= 0;
- if(!valueset_isempty(vs))
-@@ -1485,6 +1486,12 @@ entry2str_internal_size_valueset( const char *attrtype, const Slapi_ValueSet *vs
- attribute_state, value_state );
- }
- }
-+ if(entry2str_ctrl & SLAPI_DUMP_STATEINFO) {
-+ /* ";adcsn-" + a->a_deletioncsn */
-+ if ( a && a->a_deletioncsn ) {
-+ elen += 1 + LDIF_CSNPREFIX_MAXLENGTH + CSN_STRSIZE;
-+ }
-+ }
- return elen;
- }
-
-@@ -1501,30 +1508,34 @@ entry2str_internal_size_attrlist( const Slapi_Attr *attrlist, int entry2str_ctrl
- continue;
-
- /* Count the space required for the present and deleted values */
-- elen+= entry2str_internal_size_valueset(a->a_type, &a->a_present_values,
-- entry2str_ctrl, attribute_state,
-- VALUE_PRESENT);
-- if(entry2str_ctrl & SLAPI_DUMP_STATEINFO)
-- {
-- elen+= entry2str_internal_size_valueset(a->a_type, &a->a_deleted_values,
-- entry2str_ctrl, attribute_state,
-- VALUE_DELETED);
-- /* ";adcsn-" + a->a_deletioncsn */
-- if ( a->a_deletioncsn )
-- {
-- elen += 1 + LDIF_CSNPREFIX_MAXLENGTH + CSN_STRSIZE;
-- }
-- if ( valueset_isempty(&a->a_deleted_values)) {
-+ elen += entry2str_internal_size_valueset(a, a->a_type, &a->a_present_values,
-+ entry2str_ctrl, attribute_state, VALUE_PRESENT);
-+ if (entry2str_ctrl & SLAPI_DUMP_STATEINFO) {
-+ elen += entry2str_internal_size_valueset(a, a->a_type, &a->a_deleted_values,
-+ entry2str_ctrl, attribute_state, VALUE_DELETED);
-+ if (valueset_isempty(&a->a_deleted_values) && valueset_isempty(&a->a_present_values)) {
- /* this means the entry is deleted and has no more attributes,
- * when writing the attr to disk we would loose the AD-csn.
-- * Add an empty value to the set of deleted values. This will
-- * never be seen by any client. It will never be moved to the
-+ * Add an empty value to the set of deleted values. This will
-+ * never be seen by any client. It will never be moved to the
- * present values and is only used to preserve the AD-csn
- * We need to add the size for that.
- */
- elen += 1 + LDIF_CSNPREFIX_MAXLENGTH + CSN_STRSIZE;
-- /* need also space for ";deletedattribute;deleted" */
-- elen += DELETED_ATTR_STRSIZE + DELETED_VALUE_STRSIZE;
-+ /* need also space for ";deletedattribute;deleted" */
-+ elen += DELETED_ATTR_STRSIZE + DELETED_VALUE_STRSIZE;
-+ /*
-+ * If a_deleted_values is empty && if a_deletioncsn is NULL,
-+ * a_deletioncsn is initialized via valueset_add_string.
-+ * The size needs to be added.
-+ */
-+ /* ";adcsn-" + a->a_deletioncsn */
-+ elen += 1 + LDIF_CSNPREFIX_MAXLENGTH + CSN_STRSIZE;
-+ /*
-+ * When both a_present_values & a_deleted_values are empty,
-+ * the type size is not added.
-+ */
-+ elen += PL_strlen(a->a_type);
- }
- }
- }
-@@ -1811,10 +1822,8 @@ entry2str_internal_ext( Slapi_Entry *e, int *len, int entry2str_ctrl)
- if (NULL != slapi_entry_get_rdn_const(e))
- {
- slapi_value_set_string(&rdnvalue, slapi_entry_get_rdn_const(e));
-- elen += entry2str_internal_size_value("rdn", &rdnvalue,
-- entry2str_ctrl,
-- ATTRIBUTE_PRESENT,
-- VALUE_PRESENT);
-+ elen += entry2str_internal_size_value("rdn", &rdnvalue, entry2str_ctrl,
-+ ATTRIBUTE_PRESENT, VALUE_PRESENT);
- }
-
- /* Count the space required for the present attributes */
---
-2.7.4
-
diff --git a/SOURCES/0071-Issue-49122-Filtered-nsrole-that-uses-nsrole-crashes.patch b/SOURCES/0071-Issue-49122-Filtered-nsrole-that-uses-nsrole-crashes.patch
deleted file mode 100644
index 69ec148..0000000
--- a/SOURCES/0071-Issue-49122-Filtered-nsrole-that-uses-nsrole-crashes.patch
+++ /dev/null
@@ -1,465 +0,0 @@
-From a8b10d7a4f1cad499fa1ba245dd73ca7beac4589 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 27 Feb 2017 07:59:30 -0500
-Subject: [PATCH 71/71] Issue 49122 - Filtered nsrole that uses nsrole crashes
- the server
-
-Bug Description: When evaluating a filter role that uses "nsrole" in the filter
- crashes the server due infinite loop that leads to a stack
- overflow.
-
-Fix Description: Virtual attributes are not allowed to be used in role filters.
- We were already checking for COS attributes, but not nsrole.
-
- Also did some minor code cleanup
-
-https://pagure.io/389-ds-base/issue/49122
-
-Reviewed by: nhosoi(Thanks!)
-
-(cherry picked from commit a95889def41d3869692d7259a9213b1f9238f3c8)
-(cherry picked from commit d589950cdd8ac9a0756b67cfe4ae3a33da094065)
----
- dirsrvtests/tests/tickets/ticket49122_test.py | 73 ++++++++
- ldap/servers/plugins/roles/roles_cache.c | 235 +++++++++++++++-----------
- 2 files changed, 205 insertions(+), 103 deletions(-)
- create mode 100644 dirsrvtests/tests/tickets/ticket49122_test.py
-
-diff --git a/dirsrvtests/tests/tickets/ticket49122_test.py b/dirsrvtests/tests/tickets/ticket49122_test.py
-new file mode 100644
-index 0000000..bd553f2
---- /dev/null
-+++ b/dirsrvtests/tests/tickets/ticket49122_test.py
-@@ -0,0 +1,73 @@
-+import time
-+import ldap
-+import logging
-+import pytest
-+from lib389 import DirSrv, Entry, tools, tasks
-+from lib389.tools import DirSrvTools
-+from lib389._constants import *
-+from lib389.properties import *
-+from lib389.tasks import *
-+from lib389.utils import *
-+from lib389.topologies import topology_st as topo
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+USER_DN = 'uid=user,' + DEFAULT_SUFFIX
-+ROLE_DN = 'cn=Filtered_Role_That_Includes_Empty_Role,' + DEFAULT_SUFFIX
-+
-+
-+def test_ticket49122(topo):
-+ """Search for non-existant role and make sure the server does not crash
-+ """
-+
-+ # Enable roles plugin
-+ topo.standalone.plugins.enable(name=PLUGIN_ROLES)
-+ topo.standalone.restart()
-+
-+ # Add invalid role
-+ try:
-+ topo.standalone.add_s(Entry((
-+ ROLE_DN, {'objectclass': ['top', 'ldapsubentry', 'nsroledefinition',
-+ 'nscomplexroledefinition', 'nsfilteredroledefinition'],
-+ 'cn': 'Filtered_Role_That_Includes_Empty_Role',
-+ 'nsRoleFilter': '(!(nsrole=cn=This_Is_An_Empty_Managed_NsRoleDefinition,dc=example,dc=com))',
-+ 'description': 'A filtered role with filter that will crash the server'})))
-+ except ldap.LDAPError as e:
-+ topo.standalone.log.fatal('Failed to add filtered role: error ' + e.message['desc'])
-+ assert False
-+
-+ # Add test user
-+ try:
-+ topo.standalone.add_s(Entry((
-+ USER_DN, {'objectclass': "top extensibleObject".split(),
-+ 'uid': 'user'})))
-+ except ldap.LDAPError as e:
-+ topo.standalone.log.fatal('Failed to add test user: error ' + str(e))
-+ assert False
-+
-+ if DEBUGGING:
-+ # Add debugging steps(if any)...
-+ print "Attach gdb"
-+ time.sleep(20)
-+
-+ # Search for the role
-+ try:
-+ topo.standalone.search_s(USER_DN, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nsrole'])
-+ except ldap.LDAPError as e:
-+ topo.standalone.log.fatal('Search failed: error ' + str(e))
-+ assert False
-+
-+ topo.standalone.log.info('Test Passed')
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-+
-diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
-index 147d113..66c8553 100644
---- a/ldap/servers/plugins/roles/roles_cache.c
-+++ b/ldap/servers/plugins/roles/roles_cache.c
-@@ -1073,6 +1073,26 @@ static int roles_cache_create_role_under(roles_cache_def** roles_cache_suffix, S
- return(rc);
- }
-
-+/*
-+ * Check that we are not using nsrole in the filter
-+ */
-+static int roles_check_filter(Slapi_Filter *filter_list)
-+{
-+ Slapi_Filter *f;
-+ char *type = NULL;
-+
-+ for ( f = slapi_filter_list_first( filter_list );
-+ f != NULL;
-+ f = slapi_filter_list_next( filter_list, f ) )
-+ {
-+ slapi_filter_get_attribute_type(f, &type);
-+ if (strcasecmp(type, NSROLEATTR) == 0){
-+ return -1;
-+ }
-+ }
-+
-+ return 0;
-+}
-
- /* roles_cache_create_object_from_entry
- ------------------------------------
-@@ -1088,17 +1108,17 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
- int rc = 0;
- int type = 0;
- role_object *this_role = NULL;
-- char *rolescopeDN = NULL;
-+ char *rolescopeDN = NULL;
-
- slapi_log_error(SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM,
- "--> roles_cache_create_object_from_entry\n");
-
-- *result = NULL;
-+ *result = NULL;
-
-- /* Do not allow circular dependencies */
-- if ( hint > MAX_NESTED_ROLES )
-+ /* Do not allow circular dependencies */
-+ if ( hint > MAX_NESTED_ROLES )
- {
-- char *ndn = NULL;
-+ char *ndn = NULL;
-
- ndn = slapi_entry_get_ndn( role_entry );
- slapi_log_error(
-@@ -1111,85 +1131,83 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
- return (0);
- }
-
-- /* Create the role cache definition */
-- this_role = (role_object*)slapi_ch_calloc(1, sizeof(role_object));
-- if (this_role == NULL )
-+ /* Create the role cache definition */
-+ this_role = (role_object*)slapi_ch_calloc(1, sizeof(role_object));
-+ if (this_role == NULL )
- {
-- return ENOMEM;
-- }
-+ return ENOMEM;
-+ }
-
-- /* Check the entry is OK */
-- /* Determine role type and assign to structure */
-- /* We determine the role type by reading the objectclass */
-+ /* Check the entry is OK */
-+ /* Determine role type and assign to structure */
-+ /* We determine the role type by reading the objectclass */
- if ( roles_cache_is_role_entry(role_entry) == 0 )
- {
-- /* Bad type */
-- slapi_ch_free((void**)&this_role);
-- return SLAPI_ROLE_DEFINITION_ERROR;
-- }
-+ /* Bad type */
-+ slapi_ch_free((void**)&this_role);
-+ return SLAPI_ROLE_DEFINITION_ERROR;
-+ }
-
-- type = roles_cache_determine_class(role_entry);
-+ type = roles_cache_determine_class(role_entry);
-
-- if (type != 0)
-+ if (type != 0)
- {
-- this_role->type = type;
-- }
-+ this_role->type = type;
-+ }
- else
- {
-- /* Bad type */
-- slapi_ch_free((void**)&this_role);
-- return SLAPI_ROLE_DEFINITION_ERROR;
-- }
-+ /* Bad type */
-+ slapi_ch_free((void**)&this_role);
-+ return SLAPI_ROLE_DEFINITION_ERROR;
-+ }
-
- this_role->dn = slapi_sdn_new();
- slapi_sdn_copy(slapi_entry_get_sdn(role_entry),this_role->dn);
--
-- rolescopeDN = slapi_entry_attr_get_charptr(role_entry, ROLE_SCOPE_DN);
-- if (rolescopeDN) {
-- Slapi_DN *rolescopeSDN;
-- Slapi_DN *top_rolescopeSDN, *top_this_roleSDN;
--
-- /* Before accepting to use this scope, first check if it belongs to the same suffix */
-- rolescopeSDN = slapi_sdn_new_dn_byref(rolescopeDN);
-- if ((strlen((char *) slapi_sdn_get_ndn(rolescopeSDN)) > 0) &&
-- (slapi_dn_syntax_check(NULL, (char *) slapi_sdn_get_ndn(rolescopeSDN), 1) == 0)) {
-- top_rolescopeSDN = roles_cache_get_top_suffix(rolescopeSDN);
-- top_this_roleSDN = roles_cache_get_top_suffix(this_role->dn);
-- if (slapi_sdn_compare(top_rolescopeSDN, top_this_roleSDN) == 0) {
-- /* rolescopeDN belongs to the same suffix as the role, we can use this scope */
-- this_role->rolescopedn = rolescopeSDN;
-- } else {
-- slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
-- "%s: invalid %s - %s not in the same suffix. Scope skipped.\n",
-- (char*) slapi_sdn_get_dn(this_role->dn),
-- ROLE_SCOPE_DN,
-- rolescopeDN);
-- slapi_sdn_free(&rolescopeSDN);
-- }
-- slapi_sdn_free(&top_rolescopeSDN);
-- slapi_sdn_free(&top_this_roleSDN);
-- } else {
-- /* this is an invalid DN, just ignore this parameter*/
-- slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
-- "%s: invalid %s - %s not a valid DN. Scope skipped.\n",
-- (char*) slapi_sdn_get_dn(this_role->dn),
-- ROLE_SCOPE_DN,
-- rolescopeDN);
-- slapi_sdn_free(&rolescopeSDN);
-- }
-- }
-+
-+ rolescopeDN = slapi_entry_attr_get_charptr(role_entry, ROLE_SCOPE_DN);
-+ if (rolescopeDN) {
-+ Slapi_DN *rolescopeSDN;
-+ Slapi_DN *top_rolescopeSDN, *top_this_roleSDN;
-+
-+ /* Before accepting to use this scope, first check if it belongs to the same suffix */
-+ rolescopeSDN = slapi_sdn_new_dn_byref(rolescopeDN);
-+ if ((strlen((char *) slapi_sdn_get_ndn(rolescopeSDN)) > 0) &&
-+ (slapi_dn_syntax_check(NULL, (char *) slapi_sdn_get_ndn(rolescopeSDN), 1) == 0)) {
-+ top_rolescopeSDN = roles_cache_get_top_suffix(rolescopeSDN);
-+ top_this_roleSDN = roles_cache_get_top_suffix(this_role->dn);
-+ if (slapi_sdn_compare(top_rolescopeSDN, top_this_roleSDN) == 0) {
-+ /* rolescopeDN belongs to the same suffix as the role, we can use this scope */
-+ this_role->rolescopedn = rolescopeSDN;
-+ } else {
-+ slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
-+ "roles_cache_create_object_from_entry - %s: invalid %s - %s not in the same suffix. Scope skipped.\n",
-+ (char*) slapi_sdn_get_dn(this_role->dn),
-+ ROLE_SCOPE_DN,
-+ rolescopeDN);
-+ slapi_sdn_free(&rolescopeSDN);
-+ }
-+ slapi_sdn_free(&top_rolescopeSDN);
-+ slapi_sdn_free(&top_this_roleSDN);
-+ } else {
-+ /* this is an invalid DN, just ignore this parameter*/
-+ slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
-+ "roles_cache_create_object_from_entry - %s: invalid %s - %s not a valid DN. Scope skipped.\n",
-+ (char*) slapi_sdn_get_dn(this_role->dn),
-+ ROLE_SCOPE_DN,
-+ rolescopeDN);
-+ slapi_sdn_free(&rolescopeSDN);
-+ }
-+ }
-
-- /* Depending upon role type, pull out the remaining information we need */
-+ /* Depending upon role type, pull out the remaining information we need */
- switch (this_role->type)
- {
- case ROLE_TYPE_MANAGED:
--
- /* Nothing further needed */
- break;
-
- case ROLE_TYPE_FILTERED:
- {
--
- Slapi_Filter *filter = NULL;
- char *filter_attr_value = NULL;
- Slapi_PBlock *pb = NULL;
-@@ -1203,6 +1221,7 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
- slapi_ch_free((void**)&this_role);
- return SLAPI_ROLE_ERROR_NO_FILTER_SPECIFIED;
- }
-+
- /* search (&(objectclass=costemplate)(filter_attr_value))*/
- /* if found, reject it (returning SLAPI_ROLE_ERROR_FILTER_BAD) */
- pb = slapi_pblock_new();
-@@ -1211,33 +1230,33 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
- Slapi_Entry **cosentries = NULL;
- char *costmpl_filter = NULL;
- if ((*filter_attr_value == '(') &&
-- (*(filter_attr_value+strlen(filter_attr_value)-1) == ')')) {
-+ (*(filter_attr_value+strlen(filter_attr_value)-1) == ')')) {
- costmpl_filter =
-- slapi_ch_smprintf("(&(objectclass=costemplate)%s)",
-- filter_attr_value);
-+ slapi_ch_smprintf("(&(objectclass=costemplate)%s)",
-+ filter_attr_value);
- } else {
- costmpl_filter =
-- slapi_ch_smprintf("(&(objectclass=costemplate)(%s))",
-- filter_attr_value);
-+ slapi_ch_smprintf("(&(objectclass=costemplate)(%s))",
-+ filter_attr_value);
- }
- slapi_search_internal_set_pb(pb, parent, LDAP_SCOPE_SUBTREE,
-- costmpl_filter, NULL, 0, NULL,
-- NULL, roles_get_plugin_identity(),
-- 0);
-+ costmpl_filter, NULL, 0, NULL,
-+ NULL, roles_get_plugin_identity(),
-+ 0);
- slapi_search_internal_pb(pb);
- slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES,
-- &cosentries);
-+ &cosentries);
- slapi_ch_free_string(&costmpl_filter);
- slapi_ch_free_string(&parent);
- if (cosentries && *cosentries) {
- slapi_free_search_results_internal(pb);
- slapi_pblock_destroy(pb);
- slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
-- "%s: not allowed to refer virtual attribute "
-- "in the value of %s %s. The %s is disabled.\n",
-- (char*)slapi_sdn_get_ndn(this_role->dn),
-- ROLE_FILTER_ATTR_NAME, filter_attr_value,
-- ROLE_FILTER_ATTR_NAME);
-+ "roles_cache_create_object_from_entry - %s: not allowed to refer virtual attribute "
-+ "in the value of %s %s. The %s is disabled.\n",
-+ (char*)slapi_sdn_get_ndn(this_role->dn),
-+ ROLE_FILTER_ATTR_NAME, filter_attr_value,
-+ ROLE_FILTER_ATTR_NAME);
- slapi_ch_free_string(&filter_attr_value);
- slapi_ch_free((void**)&this_role);
- return SLAPI_ROLE_ERROR_FILTER_BAD;
-@@ -1248,16 +1267,27 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
-
- /* Turn it into a slapi filter object */
- filter = slapi_str2filter(filter_attr_value);
-- slapi_ch_free_string(&filter_attr_value);
--
-- if ( filter == NULL )
-+ if ( filter == NULL )
- {
- /* An error has occured */
- slapi_ch_free((void**)&this_role);
-+ slapi_ch_free_string(&filter_attr_value);
-+ return SLAPI_ROLE_ERROR_FILTER_BAD;
-+ }
-+ if (roles_check_filter(filter)) {
-+ slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
-+ "roles_cache_create_object_from_entry - \"%s\": not allowed to use \"nsrole\" "
-+ "in the role filter \"%s\". %s is disabled.\n",
-+ (char*)slapi_sdn_get_ndn(this_role->dn),
-+ filter_attr_value,
-+ ROLE_FILTER_ATTR_NAME);
-+ slapi_ch_free((void**)&this_role);
-+ slapi_ch_free_string(&filter_attr_value);
- return SLAPI_ROLE_ERROR_FILTER_BAD;
- }
- /* Store on the object */
- this_role->filter = filter;
-+ slapi_ch_free_string(&filter_attr_value);
-
- break;
- }
-@@ -1276,50 +1306,49 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
- int i = 0;
- char *string = NULL;
- Slapi_DN nested_role_dn;
-- role_object_nested *nested_role_object = NULL;
-+ role_object_nested *nested_role_object = NULL;
-
-- for ( i = 0; va[i] != NULL; i++ )
-+ for ( i = 0; va[i] != NULL; i++ )
- {
-- string = (char*)slapi_value_get_string(va[i]);
-+ string = (char*)slapi_value_get_string(va[i]);
-
-- /* Make a DN from the string */
-- slapi_sdn_init_dn_byref(&nested_role_dn,string);
-+ /* Make a DN from the string */
-+ slapi_sdn_init_dn_byref(&nested_role_dn,string);
-
- slapi_log_error(SLAPI_LOG_PLUGIN,
- ROLES_PLUGIN_SUBSYSTEM, "roles_cache_create_object_from_entry: dn %s, nested %s\n",
- (char*)slapi_sdn_get_ndn(this_role->dn),string);
-
-- /* Make a role object nested from the DN */
-- rc = roles_cache_object_nested_from_dn(&nested_role_dn,&nested_role_object);
-+ /* Make a role object nested from the DN */
-+ rc = roles_cache_object_nested_from_dn(&nested_role_dn,&nested_role_object);
-
-- /* Insert it into the nested list */
-- if ( (rc == 0) && nested_role_object)
-+ /* Insert it into the nested list */
-+ if ( (rc == 0) && nested_role_object)
- {
- /* Add to the tree where avl_data is a role_object_nested struct */
-- rc = roles_cache_insert_object_nested(&(this_role->avl_tree),nested_role_object);
-- }
-- slapi_sdn_done(&nested_role_dn);
-- }
-- }
--
-+ rc = roles_cache_insert_object_nested(&(this_role->avl_tree),nested_role_object);
-+ }
-+ slapi_sdn_done(&nested_role_dn);
-+ }
-+ }
-+
- break;
- }
-
- default:
-- slapi_log_error(SLAPI_LOG_FATAL,
-- ROLES_PLUGIN_SUBSYSTEM, "wrong role type\n");
-+ slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
-+ "roles_cache_create_object_from_entry - wrong role type\n");
- }
-
-- if ( rc == 0 )
-+ if ( rc == 0 )
- {
-- *result = this_role;
-- }
-+ *result = this_role;
-+ }
-
- slapi_log_error(SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM,
-- "<-- roles_cache_create_object_from_entry\n");
--
-+ "<-- roles_cache_create_object_from_entry\n");
-
-- return rc;
-+ return rc;
- }
-
- /* roles_cache_determine_class:
---
-2.7.4
-
diff --git a/SOURCES/0072-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch b/SOURCES/0072-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch
deleted file mode 100644
index 74a3355..0000000
--- a/SOURCES/0072-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 4239f2f010e6f8126348f4cd19e2b34d371965b5 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz
-Date: Mon, 3 Apr 2017 09:32:20 +0200
-Subject: [PATCH] fix for cve 2017-2668 - simple return text if suffix not
- found
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1436575
-
-Signed-off-by: Mark Reynolds
----
- ldap/servers/slapd/defbackend.c | 75 ++---------------------------------------
- 1 file changed, 2 insertions(+), 73 deletions(-)
-
-diff --git a/ldap/servers/slapd/defbackend.c b/ldap/servers/slapd/defbackend.c
-index da4a701..105fea9 100644
---- a/ldap/servers/slapd/defbackend.c
-+++ b/ldap/servers/slapd/defbackend.c
-@@ -171,50 +171,7 @@ defbackend_abandon( Slapi_PBlock *pb )
- }
-
-
--#define DEFBE_NO_SUCH_SUFFIX "No such suffix"
--/*
-- * Generate a "No such suffix" return text
-- * Example:
-- * cn=X,dc=bogus,dc=com ==> "No such suffix (dc=bogus,dc=com)"
-- * if the last rdn starts with "dc=", print all last dc= rdn's.
-- * cn=X,cn=bogus ==> "No such suffix (cn=bogus)"
-- * otherwise, print the very last rdn.
-- * cn=X,z=bogus ==> "No such suffix (x=bogus)"
-- * it is true even if it is an invalid rdn.
-- * cn=X,bogus ==> "No such suffix (bogus)"
-- * another example of invalid rdn.
-- */
--static void
--_defbackend_gen_returntext(char *buffer, size_t buflen, char **dns)
--{
-- int dnidx;
-- int sidx;
-- struct suffix_repeat {
-- char *suffix;
-- int size;
-- } candidates[] = {
-- {"dc=", 3}, /* dc could be repeated. otherwise the last rdn is used. */
-- {NULL, 0}
-- };
-- PR_snprintf(buffer, buflen, "%s (", DEFBE_NO_SUCH_SUFFIX);
-- for (dnidx = 0; dns[dnidx]; dnidx++) ; /* finding the last */
-- dnidx--; /* last rdn */
-- for (sidx = 0; candidates[sidx].suffix; sidx++) {
-- if (!PL_strncasecmp(dns[dnidx], candidates[sidx].suffix, candidates[sidx].size)) {
-- while (!PL_strncasecmp(dns[--dnidx], candidates[sidx].suffix, candidates[sidx].size)) ;
-- PL_strcat(buffer, dns[++dnidx]); /* the first "dn=", e.g. */
-- for (++dnidx; dns[dnidx]; dnidx++) {
-- PL_strcat(buffer, ",");
-- PL_strcat(buffer, dns[dnidx]);
-- }
-- PL_strcat(buffer, ")");
-- return; /* finished the task */
-- }
-- }
-- PL_strcat(buffer, dns[dnidx]);
-- PL_strcat(buffer, ")");
-- return;
--}
-+#define DEFBE_NO_SUCH_SUFFIX "No suffix for bind dn found"
-
- static int
- defbackend_bind( Slapi_PBlock *pb )
-@@ -236,36 +193,8 @@ defbackend_bind( Slapi_PBlock *pb )
- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsAnonymousBinds);
- rc = SLAPI_BIND_ANONYMOUS;
- } else {
-- Slapi_DN *sdn = NULL;
-- char *suffix = NULL;
-- char **dns = NULL;
--
-- if (pb->pb_op) {
-- sdn = operation_get_target_spec(pb->pb_op);
-- if (sdn) {
-- dns = slapi_ldap_explode_dn(slapi_sdn_get_dn(sdn), 0);
-- if (dns) {
-- size_t dnlen = slapi_sdn_get_ndn_len(sdn);
-- size_t len = dnlen + sizeof(DEFBE_NO_SUCH_SUFFIX) + 4;
-- suffix = slapi_ch_malloc(len);
-- if (dnlen) {
-- _defbackend_gen_returntext(suffix, len, dns);
-- } else {
-- PR_snprintf(suffix, len, "%s", DEFBE_NO_SUCH_SUFFIX);
-- }
-- }
-- }
-- }
-- if (suffix) {
-- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, suffix);
-- } else {
-- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, DEFBE_NO_SUCH_SUFFIX);
-- }
-+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, DEFBE_NO_SUCH_SUFFIX);
- send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL);
-- if (dns) {
-- slapi_ldap_value_free(dns);
-- }
-- slapi_ch_free_string(&suffix);
- rc = SLAPI_BIND_FAIL;
- }
-
---
-2.9.3
-
diff --git a/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch b/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
deleted file mode 100644
index 9543a1b..0000000
--- a/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 49ca93665ac6c2faf6077d6a8dc33cbea6bd0fc9 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz
-Date: Tue, 4 Apr 2017 10:44:55 +0200
-Subject: [PATCH] Ticket 49209 - Hang due to omitted replica lock release
-
-Bug Description:
- When an operation is canceled (failure), its csn is aborted
- and removed from the pending list.
- If at that time the pending list is empty or the csn is not found
- in that list, the cancel callback forgots to release the replica lock
-
-Fix Description:
- Release replica lock systematically, whether cnsplRemove fails or not
-
-https://pagure.io/389-ds-base/issue/49209
-
-Reviewed by: Mark Reynolds (thanks Mark !!)
-
-Platforms tested: F23
-
-Flag Day: no
-
-Doc impact: no
-
-(cherry picked from commit 7dc991b16b97bacb69ddb334358e27e1220ca27b)
-(cherry picked from commit 071cadabb035fbca354a233adbeba82616be3d19)
----
- ldap/servers/plugins/replication/repl5_replica.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index 602653a..9b3cec5 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -3669,7 +3669,9 @@ abort_csn_callback(const CSN *csn, void *data)
- {
- int rc = csnplRemove(r->min_csn_pl, csn);
- if (rc) {
-- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "csnplRemove failed");
-+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
-+ "abort_csn_callback - csnplRemove failed");
-+ replica_unlock(r->repl_lock);
- return;
- }
- }
---
-2.9.3
-
diff --git a/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch b/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch
deleted file mode 100644
index e3a6454..0000000
--- a/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From fea1b0b59b8c3a2bfdb294b274b6572d42075a00 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 17 Apr 2017 17:06:19 -0400
-Subject: [PATCH] Issue 49221 - During an upgrade the provided localhost name
- is ignored
-
-Description: If the FullMachine name, or localhost, is provided in an INF
- it is ignored during the upgrade the value of nsslapd-localhost
- from the current server is used instead. We should only override
- the localhost value if it is missing.
-
-https://pagure.io/389-ds-base/issue/49221
-
-Reviewed by: nhosoi(Thanks!)
-
-(cherry picked from commit 8979cc699a7bd0459a9285f66dca472e8108b1ad)
----
- ldap/admin/src/scripts/DSUpdate.pm.in | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/admin/src/scripts/DSUpdate.pm.in b/ldap/admin/src/scripts/DSUpdate.pm.in
-index e84a9a9..8b24b47 100644
---- a/ldap/admin/src/scripts/DSUpdate.pm.in
-+++ b/ldap/admin/src/scripts/DSUpdate.pm.in
-@@ -435,7 +435,9 @@ sub initInfFromInst {
- my $servid = $inst;
- $servid =~ s/slapd-//;
-
-- $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
-+ if (!$inf->{General}->{FullMachineName}) {
-+ $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
-+ }
- $inf->{General}->{SuiteSpotUserID} = $entry->getValue("nsslapd-localuser");
- $inf->{slapd}->{ServerPort} = $entry->getValue("nsslapd-port");
- $inf->{slapd}->{ldapifilepath} = $entry->getValue("nsslapd-ldapifilepath");
---
-2.9.3
-
diff --git a/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch b/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
deleted file mode 100644
index b7cb112..0000000
--- a/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From c101544797e0b563bc0955934a74a4dc25a5b467 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Wed, 22 Mar 2017 10:18:13 -0400
-Subject: [PATCH] Issue 49188 - retrocl can crash server at shutdown
-
-Description: We do not calloc enough elements when processing nsslapd-attribute
- from the retrocl plugin configuration. This causes invalid memory
- to be freed at shutdown(via slapi_ch_array_free).
-
-https://pagure.io/389-ds-base/issue/49188
-
-Reviewed by: mreynolds(one line commit rule)
-
-(cherry picked from commit b2f76abe10bfbe621308410a1e7f41287cf2ff9e)
----
- ldap/servers/plugins/retrocl/retrocl.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
-index 0b336d5..6167e88 100644
---- a/ldap/servers/plugins/retrocl/retrocl.c
-+++ b/ldap/servers/plugins/retrocl/retrocl.c
-@@ -468,8 +468,8 @@ static int retrocl_start (Slapi_PBlock *pb)
-
- retrocl_nattributes = n;
-
-- retrocl_attributes = (char **)slapi_ch_calloc(n, sizeof(char *));
-- retrocl_aliases = (char **)slapi_ch_calloc(n, sizeof(char *));
-+ retrocl_attributes = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
-+ retrocl_aliases = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
-
- slapi_log_error(SLAPI_LOG_PLUGIN, RETROCL_PLUGIN_NAME, "Attributes:\n");
-
---
-2.9.3
-
diff --git a/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch b/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
deleted file mode 100644
index 0805c10..0000000
--- a/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
+++ /dev/null
@@ -1,159 +0,0 @@ -From 9f1d12e3de174964b02e6507494fe3de1aca1766 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Mon, 20 Mar 2017 15:08:45 -0400 -Subject: [PATCH] Issue 49095 - targetattr wildcard evaluation is incorrectly - case sensitive - -Description: When processing an aci that uses a wildcard targetattr, the - comparision should be done using case insensitive functions. - -https://pagure.io/389-ds-base/issue/49095 - -Reviewed by: firstyear(Thanks!) - -(cherry picked from commit fdf78dca6c34b32522443c82ddd4c3c7ef04da80) ---- - dirsrvtests/tests/tickets/ticket49095_test.py | 85 +++++++++++++++++++++++++++ - ldap/servers/plugins/acl/acl.c | 10 ++-- - 2 files changed, 90 insertions(+), 5 deletions(-) - create mode 100644 dirsrvtests/tests/tickets/ticket49095_test.py - -diff --git a/dirsrvtests/tests/tickets/ticket49095_test.py b/dirsrvtests/tests/tickets/ticket49095_test.py -new file mode 100644 -index 0000000..04f92b2 ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket49095_test.py -@@ -0,0 +1,85 @@ -+import time -+import ldap -+import logging -+import pytest -+from lib389 import DirSrv, Entry, tools, tasks -+from lib389.tools import DirSrvTools -+from lib389._constants import * -+from lib389.properties import * -+from lib389.tasks import * -+from lib389.utils import * -+from lib389.topologies import topology_st as topo -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+USER_DN = 'uid=testuser,dc=example,dc=com' -+acis = ['(targetattr != "tele*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)', -+ '(targetattr != "TELE*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)', -+ '(targetattr != "telephonenum*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)', -+ 
'(targetattr != "TELEPHONENUM*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)'] -+ -+ -+def test_ticket49095(topo): -+ """Check that target attrbiutes with wildcards are case insensitive -+ """ -+ -+ # Add an entry -+ try: -+ topo.standalone.add_s(Entry((USER_DN, { -+ 'objectclass': 'top extensibleObject'.split(), -+ 'uid': 'testuser', -+ 'telephonenumber': '555-555-5555' -+ }))) -+ except ldap.LDAPError as e: -+ log.fatal('Failed to add test user: ' + e.message['desc']) -+ assert False -+ -+ for aci in acis: -+ # Add ACI -+ try: -+ topo.standalone.modify_s(DEFAULT_SUFFIX, -+ [(ldap.MOD_REPLACE, 'aci', aci)]) -+ -+ except ldap.LDAPError as e: -+ log.fatal('Failed to set aci: ' + aci + ': ' + e.message['desc']) -+ assert False -+ -+ # Set Anonymous Bind to test aci -+ try: -+ topo.standalone.simple_bind_s("", "") -+ except ldap.LDAPError as e: -+ log.fatal('Failed to bind anonymously: ' + e.message['desc']) -+ assert False -+ -+ # Search for entry - should not get any results -+ try: -+ entry = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE, -+ 'telephonenumber=*') -+ if entry: -+ log.fatal('The entry was incorrectly returned') -+ assert False -+ except ldap.LDAPError as e: -+ log.fatal('Failed to search anonymously: ' + e.message['desc']) -+ assert False -+ -+ # Set root DN Bind so we can update aci's -+ try: -+ topo.standalone.simple_bind_s(DN_DM, PASSWORD) -+ except ldap.LDAPError as e: -+ log.fatal('Failed to bind anonymously: ' + e.message['desc']) -+ assert False -+ -+ log.info("Test Passed") -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c -index ba6b774..1caa88a 100644 ---- a/ldap/servers/plugins/acl/acl.c -+++ b/ldap/servers/plugins/acl/acl.c -@@ -3407,19 +3407,19 @@ acl_match_substring ( Slapi_Filter *f, char *str, 
int exact_match) - } - - /* this assumes that str and the filter components are already -- * normalized. If not, it shoul be done -+ * normalized. If not, it should be done - */ - if ( initial != NULL) { - len = strlen(initial); - if (exact_match) { -- int rc = strncmp(p, initial, len); -+ int rc = strncasecmp(p, initial, len); - if (rc) { - return ACL_FALSE; - } else { - p += len; - } - } else { -- p = strstr(p, initial); -+ p = strcasestr(p, initial); - if (p) { - p += len; - } else { -@@ -3430,7 +3430,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match) - - if ( any != NULL) { - for (i = 0; any && any[i] != NULL; i++) { -- p = strstr(p, any[i]); -+ p = strcasestr(p, any[i]); - if (p) { - p += strlen(any[i]); - } else { -@@ -3444,7 +3444,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match) - len = strlen(final); - tlen = strlen(p); - if (len > tlen) return ACL_FALSE; -- if (strcmp(p+tlen-len, final)) return ACL_FALSE; -+ if (strcasecmp(p+tlen-len, final)) return ACL_FALSE; - } - - return ACL_TRUE; --- -2.9.3 - diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec index d73444d..f8c6789 100644 --- a/SPECS/389-ds-base.spec +++ b/SPECS/389-ds-base.spec @@ -11,15 +11,13 @@ %global use_db4 0 # If perl-Socket-2.000 or newer is available, set 0 to use_Socket6. %global use_Socket6 0 -# nunc-stans only builds on x86_64 for now -%ifarch x86_64 -# To build without nunc-stans, set use_nunc_stans to 0. %global use_nunc_stans 1 -%else -%global use_nunc_stans 0 -%endif -%global nunc_stans_ver 0.1.8 +%if %{_arch} != "s390x" && %{_arch} != "s390" +%global use_tcmalloc 1 +%else +%global use_tcmalloc 0 +%endif # fedora 15 and later uses tmpfiles.d # otherwise, comment this out 
@@ -33,16 +31,15 @@ Summary: 389 Directory Server (base) Name: 389-ds-base -Version: 1.3.5.10 -Release: %{?relprefix}21%{?prerel}%{?dist} +Version: 1.3.6.1 +Release: %{?relprefix}16%{?prerel}%{?dist} License: GPLv3+ URL: https://www.port389.org/ Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Obsoletes: %{name}-selinux Conflicts: selinux-policy-base < 3.9.8 Requires: %{name}-libs = %{version}-%{release} -Provides: ldif2ldbm +Provides: ldif2ldbm >= 0 BuildRequires: nspr-devel BuildRequires: nss-devel @@ -75,12 +72,26 @@ BuildRequires: tcp_wrappers BuildRequires: pam-devel BuildRequires: systemd-units BuildRequires: systemd-devel +# Needed to support regeneration of the autotool artifacts. +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +%if %{use_nunc_stans} +BuildRequires: libevent-devel +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +%endif +# For tests! +#BuildRequires: libcmocka-devel +BuildRequires: doxygen # this is needed for using semanage from our setup scripts Requires: policycoreutils-python Requires: /usr/sbin/semanage Requires: libsemanage-python +Requires: selinux-policy >= 3.13.1-137 + # the following are needed for some of our scripts %if %{use_openldap} Requires: openldap-clients @@ -98,6 +109,7 @@ Requires: nss-tools # they are required to support the mandatory LDAP SASL mechs Requires: cyrus-sasl-gssapi Requires: cyrus-sasl-md5 +Requires: cyrus-sasl-plain # this is needed for verify-db.pl %if %{use_db4} 
@@ -127,91 +139,75 @@ Requires: perl-NetAddr-IP Requires: systemd-libs Requires: svrcore >= 4.1.2 -# upgrade path from monolithic %{name} (including -libs & -devel) to %{name} + %{name}-snmp +# upgrade path from monolithic % {name} (including -libs & -devel) to % {name} + % {name}-snmp Obsoletes: %{name} <= 1.3.5.4 -Source0: https://port389.org/binaries/%{name}-%{version}%{?prerel}.tar.bz2 +%if %{use_tcmalloc} +BuildRequires: gperftools-devel +Requires: gperftools-libs +%endif + +Source0: http://www.port389.org/binaries/%{name}-%{version}%{?prerel}.tar.bz2 # 389-ds-git.sh should be used to generate the source tarball from git Source1: %{name}-git.sh Source2: %{name}-devel.README -Source3: https://git.fedorahosted.org/cgit/nunc-stans.git/snapshot/nunc-stans-%{nunc_stans_ver}.tar.bz2 -Patch0: 0000-Ticket-48743-If-a-cipher-is-disabled-do-not-attempt-.patch -Patch1: 0001-Ticket-48755-moving-an-entry-could-make-the-online-i.patch -Patch2: 0002-Ticket-48914-db2bak.pl-task-enters-infinitive-loop-w.patch -Patch3: 0003-Ticket-48918-Upgrade-to-389-ds-base-1.3.5.5-doesn-t-.patch -Patch4: 0004-Ticket-48916-DNA-Threshold-set-to-0-causes-SIGFPE.patch -Patch5: 0005-Ticket-48144-Add-usr-sbin-status-dirsrv-script-to-ge.patch -Patch6: 0006-Ticket-48767-flow-control-in-replication-also-blocks.patch -Patch7: 0007-Ticket-48922-Fix-crash-when-deleting-backend-while-i.patch -Patch8: 0008-Ticket-48924-Fixup-tombstone-task-needs-to-set-prope.patch -Patch9: 0009-Ticket-48919-Compiler-warnings-while-building-389-ds.patch -Patch10: 0010-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch -Patch11: 0011-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch -Patch12: 0012-Bug-1347760-CI-test-test-case-for-bug-1347760.patch -Patch13: 0013-Ticket-48925-slapd-crash-with-SIGILL-Dsktune-should-.patch -Patch14: 0014-Ticket-48925-slapd-crash-with-SIGILL-Dsktune-should-.patch -Patch15: 0015-Ticket-48919-Compiler-warnings-while-building-389-ds.patch -Patch16: 
0016-Ticket-48919-Compiler-warnings-while-building-389-ds.patch -Patch17: 0017-Ticket-48928-log-of-page-result-cookie-should-log-em.patch -Patch18: 0018-Ticket-48939-nsslapd-workingdir-is-empty-when-ns-sla.patch -Patch19: 0019-Ticket-48939-nsslapd-workingdir-is-empty-when-ns-sla.patch -Patch20: 0020-Ticket-48934-remove-ds.pl-deletes-an-instance-even-i.patch -Patch21: 0021-Ticket-48940-DS-logs-have-warning-ancestorid-not-ind.patch -Patch22: 0022-Ticket-48882-server-can-hang-in-connection-list-proc.patch -Patch23: 0023-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch -Patch24: 0024-Ticket-48943-When-fine-grained-policy-is-applied-a-s.patch -Patch25: 0025-Ticket-48943-Add-CI-Test-for-the-password-test-suite.patch -Patch26: 0026-Ticket-48936-Duplicate-collation-entries.patch -Patch27: 0027-Ticket-48450-Add-prestart-work-around-for-systemd-as.patch -Patch28: 0028-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch -Patch29: 0029-Bug-1347760-CVE-2016-4992-389-ds-base-Information-di.patch -Patch30: 0030-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch -Patch31: 0031-Ticket-48450-Autotools-components-for-ds_systemd_ask.patch -Patch32: 0032-Ticket-bz1358565-clear-and-unsalted-password-types-a.patch -Patch33: 0033-Ticket-48950-Change-example-in-etc-sysconfig-dirsrv-.patch -Patch34: 0034-Ticket-48954-replication-fails-because-anchorcsn-can.patch -Patch35: 0035-Ticket-48956-ns-accountstatus.pl-showing-activated-u.patch -Patch36: 0036-Ticket-48958-Audit-fail-log-doesn-t-work-if-audit-lo.patch -Patch37: 0037-Ticket-48960-Crash-in-import_wait_for_space_in_fifo.patch -Patch38: 0038-Bugzilla-1368956-man-page-of-ns-accountstatus.pl-sho.patch -Patch39: 0039-Ticket-48964-cleanAllRUV-changelog-purging-incorrect.patch -Patch40: 0040-Ticket-48969-nsslapd-auditfaillog-always-has-an-expl.patch -Patch41: 0041-Ticket-48967-passwordMinAge-attribute-doesn-t-limit-.patch -Patch42: 0042-Ticket-48967-Add-CI-test-and-refactor-test-suite.patch -Patch43: 
0043-Ticket-48950-Add-systemd-warning-to-the-LD_PRELOAD-e.patch -Patch44: 0044-Ticket-48957-set-proper-update-status-to-replication.patch -Patch45: 0045-Ticket-48972-remove-old-pwp-code-that-adds-removes-A.patch -Patch46: 0046-Ticket-48970-Serverside-sorting-crashes-the-server.patch -Patch47: 0047-Ticket-48975-Disabling-CLEAR-password-storage-scheme.patch -Patch48: 0048-Ticket-48957-Update-repl-monitor-to-handle-new-statu.patch -Patch49: 0049-Ticket-48969-nsslapd-auditfaillog-always-has-an-expl.patch -Patch50: 0050-Bug-1321124-use-a-consumer-maxcsn-only-as-anchor-if-.patch -Patch51: 0051-Ticket-48992-Total-init-may-fail-if-the-pushed-schem.patch -Patch52: 0052-Ticket-48909-Replication-stops-working-in-FIPS-mode.patch -Patch53: 0053-Ticket-49014-ns-accountstatus.pl-shows-wrong-status-.patch -Patch54: 0054-Ticket-49009-args-debug-logging-must-be-more-restric.patch -Patch55: 0055-Ticket-48328-Add-missing-dependency.patch -Patch56: 0056-Ticket-48133-v2-Non-tombstone-entry-which-dn-startin.patch -Patch57: 0057-Ticket-49020-do-not-treat-missing-csn-as-fatal.patch -Patch58: 0058-Ticket-48964-cleanallruv-changelog-purging-removes-w.patch -Patch59: 0059-Ticket-48964-should-not-free-repl-name-after-purging.patch -Patch60: 0060-Ticket-49074-incompatible-nsEncryptionConfig-object-.patch -Patch61: 0061-Ticket-49080-shadowExpire-should-not-be-a-calculated.patch -Patch62: 0062-Ticket-49082-Fix-password-expiration-related-shadow-.patch -Patch63: 0063-Ticket-49082-Adjusted-the-CI-test-case-to-the-fix.patch -Patch64: 0064-Ticket-49008-backport-1.3.5-aborted-operation-can-le.patch -Patch65: 0065-Ticket-49008-backport-1.3.5-aborted-operation-can-le.patch -Patch66: 0066-Ticket-49079-deadlock-on-cos-cache-rebuild.patch -Patch67: 0067-Ticket-49016-un-register-migration-remove-may-fail-i.patch -Patch68: 0068-Ticket-49016-un-register-migration-remove-may-fail-i.patch -Patch69: 0069-fix-for-reg-in-49008-check-if-ruv-element-exists.patch -Patch70: 
0070-Ticket-49121-ns-slapd-crashes-in-ldif_sput-due-to-th.patch -Patch71: 0071-Issue-49122-Filtered-nsrole-that-uses-nsrole-crashes.patch -Patch72: 0072-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch -Patch73: 0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch -Patch74: 0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch -Patch75: 0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch -Patch76: 0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch +Patch0: 0000-Ticket-49164-Change-NS-to-acq-rel-semantics-for-atom.patch +Patch1: 0001-Issue-49170-sync-plugin-thread-count-not-handled-cor.patch +Patch2: 0002-Ticket-49165-pw_verify-did-not-handle-external-auth.patch +Patch3: 0003-Issue-49169-Fix-covscan-errors.patch +Patch4: 0004-Ticket-49171-Nunc-Stans-incorrectly-reports-a-timeou.patch +Patch5: 0005-Issue-49169-Fix-covscan-errors-regression.patch +Patch6: 0006-Issue-49062-Reset-agmt-update-staus-and-total-init +Patch7: 0007-Issue-49065-dbmon.sh-fails-if-you-have-nsslapd-requi.patch +Patch8: 0008-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch +Patch9: 0009-Issue-49157-ds-logpipe.py-crashes-for-non-existing-u.patch +Patch10: 0010-Fix-double-free-in-_cl5NewDBFile-error-path.patch +Patch11: 0011-Issue-49188-retrocl-can-crash-server-at-shutdown.patch +Patch12: 0012-Ticket-49177-rpm-would-not-create-valid-pkgconfig-fi.patch +Patch13: 0013-Ticket-49076-To-debug-DB_DEADLOCK-condition-allow-to.patch +Patch14: 0014-Issue-49192-Deleting-suffix-can-hang-server.patch +Patch15: 0015-Ticket-49174-nunc-stans-can-not-use-negative-timeout.patch +Patch16: 0016-Issue-48989-Integer-overflow.patch +Patch17: 0017-Issue-49035-dbmon.sh-shows-pages-in-use-that-exceeds.patch +Patch18: 0018-Issue-49177-Fix-pkg-config-file.patch +Patch19: 0019-Issue-49205-Fix-logconv.pl-man-page.patch +Patch20: 0020-Issue-49039-password-min-age-should-be-ignored-if-pa.patch +Patch21: 0021-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch 
+Patch22: 0022-Issue-47662-CLI-args-get-removed.patch +Patch23: 0023-Issue-49210-Fix-regression-when-checking-is-password.patch +Patch24: 0024-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch +Patch25: 0025-Ticket-49184-Overflow-in-memberof.patch +Patch26: 0026-Ticket-49196-Autotune-generates-crit-messages.patch +Patch27: 0027-Issue-49221-During-an-upgrade-the-provided-localhost.patch +Patch28: 0028-Ticket-48864-Add-cgroup-memory-limit-detection-to-38.patch +Patch29: 0029-Ticket-49204-Fix-lower-bounds-on-import-autosize-On-.patch +Patch30: 0030-Ticket-49231-fix-sasl-mech-handling.patch +Patch31: 0031-Ticket-49230-slapi_register_plugin-creates-config-en.patch +Patch32: 0032-49227-ldapsearch-for-nsslapd-errorlog-level-re.patch +Patch33: 0033-Ticket-48989-fix-perf-counters.patch +Patch34: 0034-Ticket-48681-logconv.pl-fix-sasl-bind-stats.patch +Patch35: 0035-Ticket-49241-Update-man-page-and-usage-for-db2bak.pl.patch +Patch36: 0036-Ticket-7662-db2index-not-properly-evalauating-argume.patch +Patch37: 0037-Ticket-49075-Adjust-logging-severity-levels.patch +Patch38: 0038-Ticket-49231-Fix-backport-issue.patch +Patch39: 0039-Ticket-49231-Fix-backport-issue-part2.patch +Patch40: 0040-Ticket-48681-logconv.pl-Fix-SASL-Bind-stats-and-rewo.patch +Patch41: 0041-Ticket-49157-ds-logpipe.py-crashes-for-non-existing-.patch +Patch42: 0042-Ticket-49249-cos_cache-is-erroneously-logging-schema.patch +Patch43: 0043-Ticket-49238-AddressSanitizer-heap-use-after-free-in.patch +Patch44: 0044-Ticket-49246-ns-slapd-crashes-in-role-cache-creation.patch +Patch45: 0045-Ticket-49258-Allow-nsslapd-cache-autosize-to-be-modi.patch +Patch46: 0046-Ticket-49261-Fix-script-usage-and-man-pages.patch +Patch47: 0047-Ticket-48864-Fix-FreeIPA-build.patch +Patch48: 0048-Ticket-49157-fix-error-in-ds-logpipe.py.patch +Patch49: 0049-Ticket-49267-autosize-split-of-0-results-in-dbcache-.patch +Patch50: 0050-Ticket-49231-force-EXTERNAL-always.patch +Patch51: 
0051-Ticket-48538-Failed-to-delete-old-semaphore.patch +Patch52: 0052-Ticket-49257-Reject-nsslapd-cachememsize-nsslapd-cac.patch +Patch53: 0053-Ticket-49257-Reject-dbcachesize-updates-while-auto-c.patch +Patch54: 0054-Ticket-49184-adjust-logging-level-in-MO-plugin.patch +Patch55: 0055-Ticket-49241-add-symblic-link-location-to-db2bak.pl-.patch + %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -275,9 +271,8 @@ Development Libraries and headers for the 389 Directory Server base package. Summary: SNMP Agent for 389 Directory Server Group: System Environment/Daemons Requires: %{name} = %{version}-%{release} - # upgrade path from monolithic %{name} (including -libs & -devel) to %{name} + %{name}-snmp -Obsoletes: %{name} <= 1.3.5.4 +Obsoletes: %{name} <= 1.3.6.0 %description snmp SNMP Agent for the 389 Directory Server base package. @@ -293,9 +288,6 @@ The lib389 CI tests that can be run against the Directory Server. %prep %setup -q -n %{name}-%{version}%{?prerel} -%if %{use_nunc_stans} -%setup -q -n %{name}-%{version}%{?prerel} -T -D -b 3 -%endif cp %{SOURCE2} README.devel %patch0 -p1 %patch1 -p1 @@ -353,39 +345,8 @@ cp %{SOURCE2} README.devel %patch53 -p1 %patch54 -p1 %patch55 -p1 -%patch56 -p1 -%patch57 -p1 -%patch58 -p1 -%patch59 -p1 -%patch60 -p1 -%patch61 -p1 -%patch62 -p1 -%patch63 -p1 -%patch64 -p1 -%patch65 -p1 -%patch66 -p1 -%patch67 -p1 -%patch68 -p1 -%patch69 -p1 -%patch70 -p1 -%patch71 -p1 -%patch72 -p1 -%patch73 -p1 -%patch74 -p1 -%patch75 -p1 -%patch76 -p1 %build -%if %{use_nunc_stans} -pushd ../nunc-stans-%{nunc_stans_ver} -%configure --with-fhs --libdir=%{_libdir}/%{pkgname} -make %{?_smp_mflags} -mkdir -p lib -cp .libs/libnunc-stans.so.0.0.0 lib/libnunc-stans.so -mkdir -p include/nunc-stans -cp nunc-stans.h include/nunc-stans/nunc-stans.h -popd -%endif %if %{use_openldap} OPENLDAP_FLAG="--with-openldap" 
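Review bot: `Source0` now uses `http://www.port389.org/binaries/...` where the removed line used `https://`, so anything that downloads the tarball from the spec URL receives it over an unauthenticated channel and its integrity rests only on the checksum recorded in `.389-ds-base.metadata`. The `URL:` tag in this same spec already points at `https://www.port389.org/`, so unless that host does not serve the binaries over TLS the line should read `Source0: https://www.port389.org/binaries/%{name}-%{version}%{?prerel}.tar.bz2`. Separately, `Patch6` is the only entry in the new list without a `.patch` suffix; the file under SOURCES is not visible in this hunk, so it is worth confirming that the name matches.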
@@ -394,14 +355,21 @@ OPENLDAP_FLAG="--with-openldap" # hack hack hack https://bugzilla.redhat.com/show_bug.cgi?id=833529 NSSARGS="--with-svrcore-inc=%{_includedir} --with-svrcore-lib=%{_libdir} --with-nss-lib=%{_libdir} --with-nss-inc=%{_includedir}/nss3" %if %{use_nunc_stans} -NUNC_STANS_FLAGS="--enable-nunc-stans --with-nunc-stans=../nunc-stans-%{nunc_stans_ver}" +NUNC_STANS_FLAGS="--enable-nunc-stans" +%endif +%if %{use_tcmalloc} +TCMALLOC_FLAGS="--enable-tcmalloc" %endif + +# Rebuild the autotool artifacts now. +autoreconf -fiv + %configure --enable-autobind --with-selinux $OPENLDAP_FLAG $TMPFILES_FLAG \ --with-systemdsystemunitdir=%{_unitdir} \ --with-systemdsystemconfdir=%{_sysconfdir}/systemd/system \ --with-perldir=/usr/bin \ --with-systemdgroupname=%{groupname} $NSSARGS $NUNC_STANS_FLAGS \ - --with-systemd + --with-systemd $TCMALLOC_FLAGS # Generate symbolic info for debuggers export XCFLAGS=$RPM_OPT_FLAGS @@ -414,18 +382,13 @@ make %{?_smp_mflags} %install -%if %{use_nunc_stans} -pushd ../nunc-stans-%{nunc_stans_ver} -make DESTDIR="$RPM_BUILD_ROOT" install -rm -rf $RPM_BUILD_ROOT%{_includedir} $RPM_BUILD_ROOT%{_datadir} \ - $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/pkgconfig -popd -%else rm -rf $RPM_BUILD_ROOT -%endif make DESTDIR="$RPM_BUILD_ROOT" install +# Copy in our docs from doxygen. +cp -r %{_builddir}/%{name}-%{version}%{?prerel}/man/man3 $RPM_BUILD_ROOT/%{_mandir}/man3 + mkdir -p $RPM_BUILD_ROOT/var/log/%{pkgname} mkdir -p $RPM_BUILD_ROOT/var/lib/%{pkgname} mkdir -p $RPM_BUILD_ROOT/var/lock/%{pkgname} 
@@ -436,9 +399,10 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/%{groupname}.wants #remove libtool archives and static libs find %{buildroot} -type f -name "*.la" -delete find %{buildroot} -type f -name "*.a" -delete - -# make sure perl scripts have a proper shebang -sed -i -e 's|#{{PERL-EXEC}}|#!/usr/bin/perl|' $RPM_BUILD_ROOT%{_datadir}/%{pkgname}/script-templates/template-*.pl +#rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/*.a +#rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/*.la +#rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/plugins/*.a +#rm -f $RPM_BUILD_ROOT%{_libdir}/%{pkgname}/plugins/*.la # Why are we not making this a proper python package? pushd ../%{name}-%{version}%{?prerel} @@ -448,6 +412,9 @@ find $RPM_BUILD_ROOT/%{_sysconfdir}/%{pkgname}/dirsrvtests -type f -name '*.pyo' find $RPM_BUILD_ROOT/%{_sysconfdir}/%{pkgname}/dirsrvtests -type d -name '__pycache__' -delete popd +# make sure perl scripts have a proper shebang +sed -i -e 's|#{{PERL-EXEC}}|#!/usr/bin/perl|' $RPM_BUILD_ROOT%{_datadir}/%{pkgname}/script-templates/template-*.pl + %clean rm -rf $RPM_BUILD_ROOT 
@@ -466,30 +433,30 @@ if [ -n "$DEBUGPOSTTRANS" ] ; then output2=${DEBUGPOSTTRANS}.upgrade fi -has_dirsrv=`/usr/bin/egrep -i "^dirsrv\>" /etc/passwd` || : -if [ "$has_dirsrv" = "" ]; then - dirsrv_uid=389 - while [ "`getent passwd | awk -F: '{print $3}' | grep $dirsrv_uid`" != "" ]; do - dirsrv_uid=`expr $dirsrv_uid + 1` - done - echo "User dirsrv does not exist, create it with uid %dirsrv_uid." >> $output 2>&1 || : - /usr/sbin/useradd -c "389-ds-base" -u $dirsrv_uid \ - -s /sbin/nologin -r -d /usr/share/dirsrv dirsrv 2> /dev/null || : -fi -has_dirsrv=`/usr/bin/egrep -i "^dirsrv\>" /etc/group` || : -if [ "$has_dirsrv" = "" ]; then - dirsrv_gid=389 - while [ "`getent group | grep $dirsrv_gid`" != "" ]; do - dirsrv_gid=`expr $dirsrv_gid + 1` - done - echo "Group dirsrv does not exist, create it with uid %dirsrv_gid." >> $output 2>&1 || : - /usr/sbin/groupadd -g $dirsrv_gid -r dirsrv 2> /dev/null || : +# Soft static allocation for UID and GID +USERNAME="dirsrv" +ALLOCATED_UID=389 +GROUPNAME="dirsrv" +ALLOCATED_GID=389 +HOMEDIR="/usr/share/dirsrv" + +getent group $GROUPNAME >/dev/null || /usr/sbin/groupadd -f -g $ALLOCATED_GID -r $GROUPNAME +if ! getent passwd $USERNAME >/dev/null ; then + if ! getent passwd $ALLOCATED_UID >/dev/null ; then + /usr/sbin/useradd -r -u $ALLOCATED_UID -g $GROUPNAME -d $HOMEDIR -s /sbin/nologin -c "user for 389-ds-base" $USERNAME + else + /usr/sbin/useradd -r -g $GROUPNAME -d $HOMEDIR -s /sbin/nologin -c "user for 389-ds-base" $USERNAME + fi fi -echo looking for services in %{_sysconfdir}/systemd/system/%{groupname}.wants/* >> $output 2>&1 || : -for service in %{_sysconfdir}/systemd/system/%{groupname}.wants/* ; do - if [ ! 
-f "$service" ] ; then continue ; fi # in case nothing matches - inst=`echo $service | sed -e 's,%{_sysconfdir}/systemd/system/%{groupname}.wants/,,'` +echo looking for instances in %{_sysconfdir}/%{pkgname} > $output 2>&1 || : +instbase="%{_sysconfdir}/%{pkgname}" +for dir in $instbase/slapd-* ; do + echo dir = $dir >> $output 2>&1 || : + if [ ! -d "$dir" ] ; then continue ; fi + case "$dir" in *.removed) continue ;; esac + basename=`basename $dir` + inst="%{pkgname}@`echo $basename | sed -e 's/slapd-//g'`" echo found instance $inst - getting status >> $output 2>&1 || : if /bin/systemctl -q is-active $inst ; then echo instance $inst is running >> $output 2>&1 || : @@ -576,6 +543,7 @@ fi %{_mandir}/man8/* %exclude %{_sbindir}/ldap-agent* %exclude %{_mandir}/man1/ldap-agent.1.gz +%exclude %{_unitdir}/%{pkgname}-snmp.service %files devel %defattr(-,root,root,-) @@ -583,8 +551,10 @@ fi %{_includedir}/%{pkgname} %{_libdir}/%{pkgname}/libslapd.so %{_libdir}/%{pkgname}/libns-dshttpd.so +%{_mandir}/man3/* %if %{use_nunc_stans} %{_libdir}/%{pkgname}/libnunc-stans.so +%{_libdir}/%{pkgname}/libsds.so %endif %{_libdir}/pkgconfig/* @@ -593,9 +563,10 @@ fi %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel %dir %{_libdir}/%{pkgname} %{_libdir}/%{pkgname}/libslapd.so.* -%{_libdir}/%{pkgname}/libns-dshttpd.so.* +%{_libdir}/%{pkgname}/libns-dshttpd-*.so %if %{use_nunc_stans} %{_libdir}/%{pkgname}/libnunc-stans.so.* +%{_libdir}/%{pkgname}/libsds.so.* %endif %files snmp @@ -604,6 +575,7 @@ fi %config(noreplace)%{_sysconfdir}/%{pkgname}/config/ldap-agent.conf %{_sbindir}/ldap-agent* %{_mandir}/man1/ldap-agent.1.gz +%{_unitdir}/%{pkgname}-snmp.service %files tests %defattr(-,root,root,-) 
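Review bot: The instance name is derived with `sed -e 's/slapd-//g'`, which is unanchored and global, so a directory such as `slapd-foo-slapd-bar` (constructed example) becomes `foo-bar` and the following `systemctl -q is-active $inst` queries a unit that does not belong to that instance. Only the leading prefix should be stripped, for example `inst="%{pkgname}@${basename#slapd-}"` or `sed -e 's/^slapd-//'`. `$dir` is also passed unquoted to `basename`, while the `-d` test just above quotes it; quoting it as `"$dir"` keeps the two consistent. The scriptlet containing this loop starts before the hunk and continues after it.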
@@ -611,50 +583,110 @@ fi %{_sysconfdir}/%{pkgname}/dirsrvtests %changelog -* Mon Apr 24 2017 Mark Reynolds - 1.3.5.10-21 -- Bump verison to 1.3.5.10-21 -- Resolves: Bug 1440654 - Possible deadlock while installing an ipa replica -- Resolves: Bug 1445178 - Silent install localhost issue -- Resolves: Bug 1445177 - retrocl crash at shutdown -- Resolves: Bug 1445176 - case sensitivity in acl - -* Mon Apr 3 2017 Mark Reynolds - 1.3.5.10-20 -- Bump version to 1.3.5.10-20 -- Resolves: bug 1437005 - CVE-2017-2668 389-ds-base: Remote crash via crafted LDAP messages - -* Fri Mar 3 2017 Mark Reynolds - 1.3.5.10-19 -- Release 1.3.5.10-19 -- Resolves: bug 1429495 - ns-slapd dies under heavy load -- Resolves: bug 1429498 - A filtered nsrole that specifies an empty nsrole in its nsRoleFilter will result in a segfault - -* Thu Feb 16 2017 Mark Reynolds - 1.3.5.10-18 -- Release 1.3.5.10-18 -- Resolves: bug 1387340 - Aborted operation can leave RUV in incorrect state - -* Tue Jan 31 2017 Noriko Hosoi - 1.3.5.10-17 -- Release 1.3.5.10-17 -- Resolves: bug 1414677 - (un)register/migration/remove may fail if there is no suffix (DS 49016) - -* Wed Jan 25 2017 Noriko Hosoi - 1.3.5.10-16 -- Release 1.3.5.10-16 -- Resolves: bug 1414677 - (un)register/migration/remove may fail if there is no suffix (DS 49016) -- Resolves: bug 1414678 - deadlock on cos cache rebuild (DS 49079) -- Resolves: bug 1414679 - Release 1.3.5 may allow expired accounts access to systems (DS 49080, DS 49082) -- Resolves: bug 1416368 - Aborted operation can leave RUV in incorrect state (DS 49008) - -* Wed Jan 4 2017 Noriko Hosoi - 1.3.5.10-15 -- Release 1.3.5.10-15 -- Resolves: bug 1402325 - do not treat missing csn as fatal (DS 48964) -- Resolves: bug 1410080 - incompatible nsEncryptionConfig object definition prevents RHEL 7->6 schema replication (DS 49074) - -* Fri Dec 23 2016 Noriko Hosoi - 1.3.5.10-14 -- Release 1.3.5.10-14 -- Resolves: bug 1402325 - do not treat missing csn as fatal (DS 48964) - -* Mon Dec 12 
2016 Noriko Hosoi - 1.3.5.10-13 -- Release 1.3.5.10-13 -- Resolves: bug 1402030 - Non tombstone entry which dn starting with "nsuniqueid=...," cannot be deleted (DS 48133) -- Resolves: bug 1402325 - do not treat missing csn as fatal (DS 49020) +* Tue Jun 6 2017 Mark Reynolds - 1.3.6.1-16 +- Bump version to 1.3.6.1-16 +- Resolves: Bug 1444938 - nsslapd-allowed-sasl-mechanisms doesn't reset to default values without a restart +- Resolves: Bug 1447015 - Adjust db2bak.pl help and man page to reflect changes introduced to the script +- Resolves: Bug 1450896 - Manual resetting of nsslapd-dbcachesize using ldapmodify +- Resolves: Bug 1454921 - Fixup memberof task throws error "memberof_fix_memberof_callback: Weird +- Resolves: Bug 1456774 - ipa-replica server fails to upgrade + +* Tue May 23 2017 Mark Reynolds - 1.3.6.1-15 +- Bump version to 1.3.6.1-15 +- Resolves: Bug 1429770 - ds-logpipe.py crashes for non-existing users +- Resolves: Bug 1444938 - nsslapd-allowed-sasl-mechanisms doesn't reset to default values without a restart +- Resolves: Bug 1450896 - Manual resetting of nsslapd-dbcachesize using ldapmodify +- Resolves: Bug 1357682 - RHDS fails to start with message: "Failed to delete old semaphore for stats file" +- Resolves: Bug 1452739 - Zero value of nsslapd-cache-autosize-split makes dbcache to be equal 0 + +* Fri May 19 2017 Mark Reynolds - 1.3.6.1-14 +- Bump version to 1.3.6.1-14 +- Resolves: Bug 1450910 - Modifying "nsslapd-cache-autosize" parameter using ldapmodify command is failing. 
+- Resolves: Bug 1450893 - When nsslapd-cache-autosize is not set in dse.ldif, ldapsearch does not show the default value +- Resolves: Bug 1449098 - ns-slapd crashes in role cache creation +- Resolves: Bug 1441522 - AddressSanitizer: heap-use-after-free in libreplication-plugin.so +- Resolves: Bug 1437492 - "ERR - cos-plugin - cos_cache_query_attr - cos attribute krbPwdPolicyReference failed schema check" in error log +- Resolves: Bug 1429770 - ds-logpipe.py crashes for non-existing users +- Resolves: Bug 1451657 - -v option is not working for db2ldif.pl + +* Fri May 5 2017 Mark Reynolds - 1.3.6.1-13 +- Bump version to 1.3.6.1-13 +- Resolves: Bug 1444938 - Fix backport issue from build 1.3.6.1-10 (part 2) + +* Fri May 5 2017 Mark Reynolds - 1.3.6.1-12 +- Bump version to 1.3.6.1-12 +- Resolves: Bug 1444938 - Fix backport issue from build 1.3.6.1-10 + +* Fri May 5 2017 Mark Reynolds - 1.3.6.1-11 +- Bump version to 1.3.6.1-11 +- Resolves: Bug 1410207 - Utility command had better use INFO log level for the output +- Resolves: Bug 1049190 - Better input argument validation and error messages for db2index and db2index.pl + +* Fri May 5 2017 Mark Reynolds - 1.3.6.1-10 +- Bump version to 1.3.6.1-10 +- Resolves: Bug 1444938 - nsslapd-allowed-sasl-mechanisms doesn't reset to default val +- Resolves: Bug 1111400 - logconv.pl lists sasl binds with no dn as anonymous +- Resolves: Bug 1377452 - Integer overflow in performance counters +- Resolves: Bug 1441790 - ldapserch for nsslapd-errorlog-level returns incorrect values +- Resolves: Bug 1444431 - ERR - symload_report_error - Netscape Portable Runtime error -5975 +- Resolves: Bug 1447015 - Adjust db2bak.pl help and man page to reflect changes introduced to the script + +* Wed Apr 19 2017 Mark Reynolds - 1.3.6.1-9 +- Bump version to 1.3.6.1-9 +- Resolves: Bug 1442880 - setup-ds-admin.pl -u with nsslapd-localhost changed +- Resolves: Bug 1443682 - util_info_sys_pages should be able to detect memory restrictions in a cgroup + +* 
Wed Apr 19 2017 Mark Reynolds - 1.3.6.1-8 +- Bump version to 1.3.6.1-8 +- Resolves: Bug 1432016 - Possible deadlock while installing an ipa replica +- Resolves: Bug 1438029 - Overflow in memberof + +* Tue Apr 11 2017 Mark Reynolds - 1.3.6.1-7 +- Bump version to 1.3.6.1-7 +- Resolves: bug 1394899 - RHDS should ignore passwordMinAge if "password must reset" is set(fix crash regression) +- Resolves: bug 1381326 - dirsrv-snmp.service is provided by 389-ds-base instead of 389-ds-base-snmp +- Resolves: bug 1049190 - Better input argument validation and error messages for db2index and db2index.pl. + +* Mon Apr 3 2017 Mark Reynolds - 1.3.6.1-6 +- Bump version to 1.3.6.1-6 +- Resolves: bug 1437006 - EMBARGOED CVE-2017-2668 389-ds-base: Remote crash via crafted LDAP messages +- Resolves: bug 1341689 - dbmon.sh / cn=monitor] nsslapd-db-pages-in-use is increasing +- Resolves: bug 1394899 - RHDS should ignore passwordMinAge if "password must reset" is set +- Resolves: bug 1397288 - typo in logconv.pl man page +- Resolves: bug 1436994 - incorrect pathes in pkg-config files +- Resolves: bug 1396448 - Add a hard dependency for >=selinux-policy-3.13.1-75 + +* Tue Mar 28 2017 Mark Reynolds - 1.3.6.1-5 +- Bump version to 1.3.6.1-5 +- Resolves: bug 1377452 - Integer overflow in counters and monitor +- Resolves: bug 1425907 - Harden password storage scheme +- Resolves: bug 1431207 - ns-slapd killed by SIGABRT + +* Mon Mar 27 2017 Mark Reynolds - 1.3.6.1-4 +- Bump version to 1.3.6.1-4 +- Resolves: bug 1379424 - Reset-agmt-update-staus-and-total-init +- Resolves: bug 1394000 - dbmon.sh-fails-if-you-have-nsslapd-requi.patch +- Resolves: bug 1417344 - targetattr-wildcard-evaluation-is-incorr.patch +- Resolves: bug 1429770 - ds-logpipe.py-crashes-for-non-existing-u.patch +- Resolves: bug 1433697 - Fix-double-free-in-_cl5NewDBFile-error-path.patch +- Resolves: bug 1433996 - retrocl-can-crash-server-at-shutdown.patch +- Resolves: bug 1434967 - rpm-would-not-create-valid-pkgconfig-fi.patch +- 
Resolves: bug 1417338 - To-debug-DB_DEADLOCK-condition-allow-to.patch +- Resolves: bug 1433850 - Deleting-suffix-can-hang-server.patch + +* Tue Mar 14 2017 Mark Reynolds - 1.3.6.1-3 +- Bump version to 1.3.6.1-3 +- Fix spec file to include the tests + +* Tue Mar 14 2017 Mark Reynolds - 1.3.6.1-2 +- Bump version to 1.3.6.1-2 +- Resolves: bug 1431877 - 389-1.3.6.1-1.el7 covscan errors +- Resolves: bug 1432206 - content sync plugin can hang server shutdown +- Resolves: bug 1432149 - sasl external binds fail in 1.3.6.1 + +* Wed Mar 8 2017 Mark Reynolds - 1.3.6.1-1 +- Bump version to 1.3.6.1-1 +- Resolves: bug 1388567 - Rebase 389-ds-base to 1.3.6 in RHEL-7.4 * Mon Oct 31 2016 Noriko Hosoi - 1.3.5.10-12 - Release 1.3.5.10-12