From 95b5560efbdb1847489d40ab6c32f24aa1038f38 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Dec 06 2016 15:40:28 +0000
Subject: import 389-ds-base-1.3.5.10-12.el7_3
---
diff --git a/SOURCES/0051-Ticket-48992-Total-init-may-fail-if-the-pushed-schem.patch b/SOURCES/0051-Ticket-48992-Total-init-may-fail-if-the-pushed-schem.patch
new file mode 100644
index 0000000..a1762b6
--- /dev/null
+++ b/SOURCES/0051-Ticket-48992-Total-init-may-fail-if-the-pushed-schem.patch
@@ -0,0 +1,83 @@
+From 8e9222ed1edb8f5f234fa2451d17e4f8ac726998 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz
+Date: Thu, 22 Sep 2016 20:48:13 +0200
+Subject: [PATCH 51/55] Ticket 48992: Total init may fail if the pushed schema
+ is rejected
+
+Bug Description:
+ In the early phase of total update (or incremental update), the supplier may send its schema.
+ A supplier will send its schema to the consumer at the condition its nsSchemaCSN is greater than
+ the consumer nsSchemaCSN.
+ If it is the case, a 1.2.11 supplier will systematically send its schema, while a 1.3 supplier will
+ check that its schema is a superset of the consumer schema before sending it.
+ If a 1.2.11 supplier sends its schema and that schema is a subset of consumer one, then
+ the >1.3 consumer will detect it is a subset and reject the update.
+ In that case the >1.3 consumer rejects a replicated update.
+
+ On the consumer side, with the fix https://fedorahosted.org/389/ticket/47788, if a
+ replication operation fails, it may trigger the closure of the replication connection.
+ The fix decides, based on the type of failure, if the failure can be ignored (leave the connection
+ opened) or is fatal (close the connection).
+ This is detected, on the consumer side, in multimaster_postop_*->process_postop->ignore_error_and_keep_going.
+
+ In the current version, if a replicated update of the schema fails it return LDAP_UNWILLING_TO_PERFORM.
+ This is a fatal error regarding ignore_error_and_keep_going that then close the connection
+ and interrupt the total/incremental update.
+
+ Note this bug can be transient as, the schema learning mechanism (on consumer) may learn from
+ the received schema (even if it is rejected) and update its local schema that increase
+ nsSchemaCSN.
If this occur, a later replication session finding a greater nsSchemaCSN on the
+ consumer side will not push the schema
+
+Fix Description:
+ When the update of the schema is rejected make it not fatal, switching the returned
+ code from LDAP_UNWILLING_TO_PERFORM to LDAP_CONSTRAINT_VIOLATION
+
+https://fedorahosted.org/389/ticket/48992
+
+Reviewed by: Noriko Hosoi, Ludwig Krispenz (thanks to you !)
+
+Platforms tested: 7.3
+
+Flag Day: no
+
+Doc impact: no
+
+(cherry picked from commit e2bc8fd60bf232cd4c1bc9a6860b7bd570a9dff1)
+---
+ ldap/servers/slapd/schema.c | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
+index 7689aa9..4b8910d 100644
+--- a/ldap/servers/slapd/schema.c
++++ b/ldap/servers/slapd/schema.c
+@@ -2120,7 +2120,24 @@ modify_schema_dse (Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry *entr
+ slapi_log_error(SLAPI_LOG_FATAL, "schema",
+ "[C] Local %s must not be overwritten (set replication log for additional info)\n",
+ attr_name);
+- *returncode = LDAP_UNWILLING_TO_PERFORM;
++ /*
++ * If the update (replicated) of the schema is rejected then
++ * process_postop->ignore_error_and_keep_going will decide if
++ * this failure is fatal or can be ignored.
++ * LDAP_UNWILLING_TO_PERFORM is considered as fatal error --> close the connection
++ *
++ * A 6.x supplier may send a subset schema and trigger this error, that
++ * will break the replication session.
++ *
++ * With new "learning" mechanism this is not that important if the
++ * update of the schema is successful or not. Just be permissive
++ * ignoring that failure to let the full replication session going on
++ * So return LDAP_CONSTRAINT_VIOLATION (in place of LDAP_UNWILLING_TO_PERFORM)
++ * is pick up as best choice of non fatal returncode.
++ * (others better choices UNWILLING_TO_PERFORM, OPERATION_ERROR or ldap_error
++ * are unfortunately all fatal).
++ */
++ *returncode = LDAP_CONSTRAINT_VIOLATION;
+ return (SLAPI_DSE_CALLBACK_ERROR);
+ }
+ }
+--
+2.4.11
+
diff --git a/SOURCES/0052-Ticket-48909-Replication-stops-working-in-FIPS-mode.patch b/SOURCES/0052-Ticket-48909-Replication-stops-working-in-FIPS-mode.patch
new file mode 100644
index 0000000..a39326b
--- /dev/null
+++ b/SOURCES/0052-Ticket-48909-Replication-stops-working-in-FIPS-mode.patch
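Review bot: The new comment says `A 6.x supplier may send a subset schema` while the commit message attributes the subset-schema push to a 1.2.11 supplier; change it to `A 1.2.11 supplier may send a subset schema and trigger this error, that` so the comment and the rationale agree. More substantively, the fix encodes the fatal/non-fatal decision by picking whichever LDAP result code ignore_error_and_keep_going happens to tolerate, so a later change to that classification silently turns this path back into a connection-closing one; a dedicated case in ignore_error_and_keep_going for a rejected cn=schema replace would make the policy explicit instead of implicit in the return value. Because the session now continues with the consumer's schema unchanged, the SLAPI_LOG_FATAL line above is the only trace that supplier and consumer schema have diverged, which the comment should state plainly. It is not visible from the hunk whether this branch is reached only for replicated operations; if a local client modifying cn=schema can also hit it, that client now receives constraintViolation instead of unwillingToPerform, which callers may key on. modify_schema_dse starts and ends outside the hunk.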
@@ -0,0 +1,77 @@
+From 4a45817827bd657e94ff483d35f572b0c0c33a17 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Fri, 14 Oct 2016 16:17:46 -0400
+Subject: [PATCH 52/55] Ticket 48909 - Replication stops working in FIPS mode
+
+Bug Description: When FIPS mode is enabled on the security database, the
+ token name is changed. This prevents the server from
+ reverse decoding the replication manager's password. Which
+ prevents replication sessions from getting established.
+
+Fix Description: Instead of getting the key slot from the harded coded token
+ name, call slapd_pk11_getInternalKeySlot() which gets the
+ current slot.
+
+https://fedorahosted.org/389/ticket/48909
+
+Reviewed by: nhosoi(Thanks!)
+
+(cherry picked from commit 61c72f966bda17993f483e8f79d97dff20b7cc93)
+(cherry picked from commit 9982033b7cd888bd30400001e10158a9bbf9b863)
+---
+ ldap/servers/plugins/rever/pbe.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/ldap/servers/plugins/rever/pbe.c b/ldap/servers/plugins/rever/pbe.c
+index 0588c73..4034ac5 100644
+--- a/ldap/servers/plugins/rever/pbe.c
++++ b/ldap/servers/plugins/rever/pbe.c
+@@ -69,7 +69,7 @@ struct pk11ContextStore
+ 
+ static int encode_path(char *inPlain, char **outCipher, char *path, int mech);
+ static int decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid);
+-static SVRCOREError genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *algid);
++static SVRCOREError genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *algid);
+ static SVRCOREError cryptPassword(struct pk11ContextStore *store, char * clear, unsigned char **out);
+ static SVRCOREError decryptPassword(struct pk11ContextStore *store, unsigned char *cipher, char **out, int len);
+ static void freePBE(struct pk11ContextStore *store);
+@@ -102,7 +102,7 @@ encode_path(char *inPlain, char **outCipher, char *path, int mech)
+ *outCipher 
= NULL;
+ err = 1;
+
+- if ( genKey(&context, tokPBE, path, mech, arena, NULL) == SVRCORE_Success ){
++ if ( genKey(&context, path, mech, arena, NULL) == SVRCORE_Success ){
+ /* Try an encryption */
+ if ( cryptPassword(context, inPlain, &cipher) == SVRCORE_Success ){
+ base = BTOA_DataToAscii(cipher, context->length);
+@@ -160,7 +160,7 @@ decode_path(char *inCipher, char **outPlain, char *path, int mech, char *algid)
+ *outPlain = NULL;
+ err = 1;
+
+- if ( genKey(&context, tokPBE, path, mech, arena, algid) == SVRCORE_Success ){
++ if ( genKey(&context, path, mech, arena, algid) == SVRCORE_Success ){
+ /* it seems that there is memory leak in that function: bug 400170 */
+ base = ATOB_AsciiToData(inCipher, (unsigned int*)&len);
+ if ( base != NULL ){
+@@ -196,7 +196,7 @@ freePBE(struct pk11ContextStore *store)
+ }
+
+ static SVRCOREError
+-genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, PRArenaPool *arena, char *alg)
++genKey(struct pk11ContextStore **out, char *path, int mech, PRArenaPool *arena, char *alg)
+ {
+ SVRCOREError err = SVRCORE_Success;
+ struct pk11ContextStore *store = NULL;
+@@ -223,8 +223,7 @@ genKey(struct pk11ContextStore **out, const char *token, char *path, int mech, P
+ }
+ *out = store;
+
+- /* Use the tokenName to find a PKCS11 slot */
+- store->slot = slapd_pk11_findSlotByName((char *)token);
++ store->slot = slapd_pk11_getInternalKeySlot();
+ if (store->slot == NULL){
+ err = SVRCORE_NoSuchToken_Error;
+ goto done;
+--
+2.4.11
+
diff --git a/SOURCES/0053-Ticket-49014-ns-accountstatus.pl-shows-wrong-status-.patch b/SOURCES/0053-Ticket-49014-ns-accountstatus.pl-shows-wrong-status-.patch
new file mode 100644
index 0000000..3e04e53
--- /dev/null
+++ b/SOURCES/0053-Ticket-49014-ns-accountstatus.pl-shows-wrong-status-.patch
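Review bot: The removed `/* Use the tokenName to find a PKCS11 slot */` is not replaced, and this line is where the key used to reversibly protect the replication manager's credential gets bound to a PKCS#11 slot, so `store->slot = slapd_pk11_getInternalKeySlot();` deserves a comment such as `/* internal key slot: the FIPS slot when FIPS is on, so ciphertexts decode under either mode; reference dropped in freePBE */` — the second half is an assumption to confirm, because freePBE's body is outside the hunk and if slapd_pk11_getInternalKeySlot wraps PK11_GetInternalKeySlot the returned reference has to be released with PK11_FreeSlot just as the old findSlotByName result did. With the `token` parameter gone, `tokPBE` is no longer referenced by encode_path or decode_path in the lines shown; if it is a file-scope constant it is now dead and should be removed rather than left hinting at a token name that is no longer honoured. The commit message promises that passwords encoded before FIPS was enabled still decode afterwards, but nothing in decode_path records that expectation; a one-line comment there would tell the next maintainer why the slot is looked up this way. genKey's body continues outside the hunk.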
@@ -0,0 +1,62 @@
+From 1087a64b461358888ac50d47fde7f9be71449481 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Thu, 20 Oct 2016 12:38:49 -0400
+Subject: [PATCH 53/55] Ticket 49014 - ns-accountstatus.pl shows wrong status
+ for accounts inactivated by Account policy plugin
+
+Bug Description: ns-accountstatus.pl shows wrong status for accounts inactivated
+ by inactivity. If there is no acct policy subentry the wrong
+ basedn was used to get the inactivity limit. This prevented the
+ script from detecting if an account was inactivated due to inactivity.
+
+Fix Description: If there is no subentry, then use the existing config entry
+ to get the inactivity limit.
+
+https://fedorahosted.org/389/ticket/49014
+
+Reviewed by: nhosoi(Thanks!)
+
+(cherry picked from commit 2e494bc7e5e73f97e8a425b22706418ff8879336)
+(cherry picked from commit 1c6b1c99b576e7b9ffdc217d20737e216ec40a24)
+---
+ ldap/admin/src/scripts/ns-accountstatus.pl.in | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/ldap/admin/src/scripts/ns-accountstatus.pl.in b/ldap/admin/src/scripts/ns-accountstatus.pl.in
+index 37fc7fa..a20d2df 100644
+--- a/ldap/admin/src/scripts/ns-accountstatus.pl.in
++++ b/ldap/admin/src/scripts/ns-accountstatus.pl.in
+@@ -474,7 +474,7 @@ sub getAcctPolicy
+ close(LDAP1);
+
+ #
+- # Now, get the DN for the cos template from the entry
++ # Now, get the DN for the account policy subEntry from the entry (if available)
+ #
+ $srch{base} = $entry;
+ $srch{filter} = "(objectclass=*)";
+@@ -486,14 +486,19 @@ sub getAcctPolicy
+ s/\n //g;
+ if (/^$cosspecattr: (.*)/i){
+ $templateDN = $1;
++ break;
+ }
+ }
+ close(LDAP1);
+
+ #
+- # Get the inactivity limit from the template]
++ # Get the inactivity limit
+ #
+- $srch{base} = $templateDN;
++ $srch{base} = $configentry;
++ if ($templateDN){
++ # Use subEntry DN
++ $srch{base} = $templateDN;
++ }
+ $srch{filter} = "($limitattr=*)";
+ $srch{scope} = "base";
+ $srch{attrs} = "$limitattr";
+--
+2.4.11
+
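Review bot: `break;` is not a loop-control statement in Perl — the keyword that leaves a `while` loop is `last;` — so the added line does not do what it intends: under `use strict` it is a compile-time bareword error (or, with `use feature 'switch'`, a runtime "Can't break outside a given block"), and without strict it is a silent no-op call, in which case the loop keeps reading and the last matching `$cosspecattr` line rather than the first ends up in `$templateDN`. Replace it with `last;`. The `while` loop this sits in starts outside the hunk, and whether the script runs under `use strict` is not visible here. The `$configentry` fallback is sound, but if `$templateDN` is declared outside getAcctPolicy it should be reset before the loop so a value left over from an earlier call cannot select the wrong search base.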
diff --git a/SOURCES/0054-Ticket-49009-args-debug-logging-must-be-more-restric.patch b/SOURCES/0054-Ticket-49009-args-debug-logging-must-be-more-restric.patch
new file mode 100644
index 0000000..5774107
--- /dev/null
+++ b/SOURCES/0054-Ticket-49009-args-debug-logging-must-be-more-restric.patch
@@ -0,0 +1,47 @@
+From b2abc3558e531356385ff996512c742f65048fa7 Mon Sep 17 00:00:00 2001
+From: Ludwig Krispenz
+Date: Fri, 14 Oct 2016 13:50:18 +0200
+Subject: [PATCH 54/55] Ticket 49009 - args debug logging must be more
+ restrictive
+
+Bug Description: turning on args debugging logs all attribute value, including #unhashed#
+
+Fix Description: filter unhashed attrs
+
+https://fedorahosted.org/389/ticket/49009
+
+Reviewed by: ?
+
+(cherry picked from commit 39870194a094ca8ebe3e8c7dea9090c2360307cf)
+---
+ ldap/servers/slapd/entry.c | 1 +
+ ldap/servers/slapd/entrywsi.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
+index d38f970..0cd3b60 100644
+--- a/ldap/servers/slapd/entry.c
++++ b/ldap/servers/slapd/entry.c
+@@ -3659,6 +3659,7 @@ entry_apply_mod( Slapi_Entry *e, const LDAPMod *mod )
+ if((strcasecmp(mod->mod_type,"objectclass") == 0)
+ && (strncasecmp((const char *)mod->mod_bvalues[i]->bv_val,"ldapsubentry",mod->mod_bvalues[i]->bv_len) == 0))
+ sawsubentry=PR_TRUE;
++ if (0==strcasecmp(PSEUDO_ATTR_UNHASHEDUSERPASSWORD,mod->mod_type)) continue;
+ LDAPDebug( LDAP_DEBUG_ARGS, " %s: %s\n", mod->mod_type, mod->mod_bvalues[i]->bv_val, 0 );
+ }
+ bvcnt = i;
+diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c
+index a8f8455..1a4c6aa 100644
+--- a/ldap/servers/slapd/entrywsi.c
++++ b/ldap/servers/slapd/entrywsi.c
+@@ -920,6 +920,7 @@ entry_apply_mod_wsi(Slapi_Entry *e, const LDAPMod *mod, const CSN *csn, int urp)
+ for ( i = 0;
+ mod->mod_bvalues != NULL && mod->mod_bvalues[i] != NULL;
+ i++ ) {
++ if (0==strcasecmp(PSEUDO_ATTR_UNHASHEDUSERPASSWORD,mod->mod_type)) continue;
+ LDAPDebug( LDAP_DEBUG_ARGS, " %s: %s\n",
+ mod->mod_type, mod->mod_bvalues[i]->bv_val, 0 );
+ }
+--
+2.4.11
+
diff --git a/SOURCES/0055-Ticket-48328-Add-missing-dependency.patch b/SOURCES/0055-Ticket-48328-Add-missing-dependency.patch
new file mode 100644
index 0000000..2259a09
--- /dev/null
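Review bot: The filter suppresses only the `#unhashed#` pseudo-attribute, so the same LDAPDebug line still prints any other credential that arrives in a modify — `userPassword` values that reach entry_apply_mod unhashed (this spec still carries Patch47 about the CLEAR storage scheme, so presumably that case is real while the scheme is enabled) and whatever replication or bind credential attributes the server stores, which are not visible from this hunk and should be checked against the attribute list. The two hunks duplicate the literal comparison; a single `static int is_sensitive_attr(const char *type)` helper, or an existing slapi predicate if one exists, would keep entry.c and entrywsi.c in sync as the list grows. The strcasecmp is also evaluated once per value inside each loop although `mod->mod_type` is loop-invariant; hoisting it to `int skip_debug = (0 == strcasecmp(PSEUDO_ATTR_UNHASHEDUSERPASSWORD, mod->mod_type));` before the loop and guarding the LDAPDebug with `if (!skip_debug)` is cheaper and reads better than a `continue` placed after the objectclass bookkeeping. Both loops start outside the hunk.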
+++ b/SOURCES/0055-Ticket-48328-Add-missing-dependency.patch
@@ -0,0 +1,39 @@
+From b096ca5e299599081da15554df51b2a06db57a89 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov
+Date: Tue, 18 Oct 2016 10:31:16 +0200
+Subject: [PATCH 55/55] Ticket 48328 - Add missing dependency
+
+Bug Description:
+`host` utility is used in setup process to determine CNAME, but
+389-ds-base rpm package doesn't depend on bind-utils, which contains it.
+
+Fix Description:
+Add missing dependency for bind-utils.
+
+https://fedorahosted.org/389/ticket/48328
+
+Reviewed by: nhosoi@redhat.com (Thanks!)
+
+(cherry picked from commit 68a76403a6b240ad95d7f9457e01486f128ac4e9)
+(cherry picked from commit ed829078c9dc7b8a940119298f3e12a37034ecf4)
+---
+ rpm/389-ds-base.spec.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
+index 0924cb5..404152d 100644
+--- a/rpm/389-ds-base.spec.in
++++ b/rpm/389-ds-base.spec.in
+@@ -123,6 +123,9 @@ Requires(post): systemd-units
+ Requires(preun): systemd-units
+ Requires(postun): systemd-units
+ 
++# for setup-ds.pl
++Requires: bind-utils
++
+ # for setup-ds.pl to support ipv6
+ %if %{use_Socket6}
+ Requires: perl-Socket6
+--
+2.4.11
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index e700853..db66f3e 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -34,7 +34,7 @@ Summary: 389 Directory Server (base)
 Name: 389-ds-base
 Version: 1.3.5.10
-Release: %{?relprefix}11%{?prerel}%{?dist}
+Release: %{?relprefix}12%{?prerel}%{?dist}
 License: GPLv3+
 URL: https://port389.org/
 Group: System Environment/Daemons
@@ -114,6 +114,9 @@ Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
 
+# for setup-ds.pl
+Requires: bind-utils
+
 # for setup-ds.pl to support ipv6
 %if %{use_Socket6}
 Requires: perl-Socket6
@@ -183,6 +186,11 @@ Patch47: 0047-Ticket-48975-Disabling-CLEAR-password-storage-scheme.patc
 Patch48: 0048-Ticket-48957-Update-repl-monitor-to-handle-new-statu.patch
 Patch49: 0049-Ticket-48969-nsslapd-auditfaillog-always-has-an-expl.patch
 Patch50: 0050-Bug-1321124-use-a-consumer-maxcsn-only-as-anchor-if-.patch
+Patch51: 0051-Ticket-48992-Total-init-may-fail-if-the-pushed-schem.patch
+Patch52: 0052-Ticket-48909-Replication-stops-working-in-FIPS-mode.patch
+Patch53: 0053-Ticket-49014-ns-accountstatus.pl-shows-wrong-status-.patch
+Patch54: 0054-Ticket-49009-args-debug-logging-must-be-more-restric.patch
+Patch55: 0055-Ticket-48328-Add-missing-dependency.patch
 
 %description
 389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -319,6 +327,11 @@ cp %{SOURCE2} README.devel
 %patch48 -p1
 %patch49 -p1
 %patch50 -p1
+%patch51 -p1
+%patch52 -p1
+%patch53 -p1
+%patch54 -p1
+%patch55 -p1
 
 %build
 %if %{use_nunc_stans}
@@ -556,6 +569,14 @@ fi
 %{_sysconfdir}/%{pkgname}/dirsrvtests
 
 %changelog
+* Mon Oct 31 2016 Noriko Hosoi - 1.3.5.10-12
+- Release 1.3.5.10-12
+- Resolves: bug 1384785 - Replica install fails with old IPA master sometimes during replication process (DS 48992)
+- Resolves: bug 1388501 - 389-ds-base is missing runtime dependency - bind-utils (DS 48328)
+- Resolves: bug 1388581 - Replication stops working only when fips mode is set to true (DS 48909)
+- Resolves: bug 1390342 - ns-accountstatus.pl shows wrong status for accounts inactivated by Account policy plugin (DS 49014)
+- Resolves: bug 1390343 - trace args debug logging must be more restrictive (DS 49009)
+
 * Tue Sep 13 2016 Noriko Hosoi - 1.3.5.10-11
 - Release 1.3.5.10-11
 - Resolves: bug 1321124 - Replication changelog can incorrectly skip over updates