diff --git a/.389-ds-base.metadata b/.389-ds-base.metadata
index 6d7d3f7..d09f29f 100644
--- a/.389-ds-base.metadata
+++ b/.389-ds-base.metadata
@@ -1 +1 @@
-77dee99c82e77c3c3c8579b443ebb68e63d51702 SOURCES/389-ds-base-1.3.7.5.tar.bz2
+930c13abb2fc444f1dbd0443ed72a5d5b14c48da SOURCES/389-ds-base-1.3.8.4.tar.bz2
diff --git a/.gitignore b/.gitignore
index 18dc925..740caa7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/389-ds-base-1.3.7.5.tar.bz2
+SOURCES/389-ds-base-1.3.8.4.tar.bz2
diff --git a/SOURCES/0000-Ticket-49305-Need-to-wrap-atomic-calls.patch b/SOURCES/0000-Ticket-49305-Need-to-wrap-atomic-calls.patch
deleted file mode 100644
index 2710342..0000000
--- a/SOURCES/0000-Ticket-49305-Need-to-wrap-atomic-calls.patch
+++ /dev/null
@@ -1,1514 +0,0 @@
-From f19dec383e24e2aaa40a6bdce2ca0e657ffc6e10 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Wed, 27 Sep 2017 09:26:14 -0400
-Subject: [PATCH] Ticket 49305 - Need to wrap atomic calls
-
-Bug Description: Some RHEL 7.5 platforms (ppc 32bit) still do not support
- all the gcc builtin atomics. This breaks the downstream
- builds.
-
-Fix Description: Use wrapper functions for the atomic's using #define's
- to detect if builtin atomics are supported, otherwise
- use the egneric nspr atomic functions.
-
-https://pagure.io/389-ds-base/issue/49305
-
-Reviewed by: tbordaz(Thanks!)
-
-(cherry picked from commit af723fd632d355642babeed1dbdb5a308c21fa79)
----
- ldap/servers/slapd/attrsyntax.c | 8 +-
- ldap/servers/slapd/back-ldbm/dblayer.c | 66 +++++-----
- ldap/servers/slapd/entry.c | 11 +-
- ldap/servers/slapd/libglobs.c | 161 ++++++++++++-----------
- ldap/servers/slapd/log.c | 9 +-
- ldap/servers/slapd/mapping_tree.c | 28 ++--
- ldap/servers/slapd/object.c | 8 +-
- ldap/servers/slapd/psearch.c | 7 +-
- ldap/servers/slapd/slapi-plugin.h | 52 ++++++++
- ldap/servers/slapd/slapi_counter.c | 100 ++++++++++++++
- ldap/servers/slapd/thread_data.c | 2 +-
- src/nunc-stans/ns/ns_thrpool.c | 17 ++-
- src/nunc-stans/test/test_nuncstans_stress_core.c | 42 +++++-
- 13 files changed, 361 insertions(+), 150 deletions(-)
-
-diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c
-index 03f05d9..a0a60c4 100644
---- a/ldap/servers/slapd/attrsyntax.c
-+++ b/ldap/servers/slapd/attrsyntax.c
-@@ -274,7 +274,7 @@ attr_syntax_get_by_oid_locking_optional(const char *oid, PRBool use_lock, PRUint
- }
- asi = (struct asyntaxinfo *)PL_HashTableLookup_const(ht, oid);
- if (asi) {
-- __atomic_add_fetch_8(&(asi->asi_refcnt), 1, __ATOMIC_RELEASE);
-+ slapi_atomic_incr(&(asi->asi_refcnt), __ATOMIC_RELEASE, ATOMIC_LONG);
- }
- if (use_lock) {
- AS_UNLOCK_READ(oid2asi_lock);
-@@ -371,7 +371,7 @@ attr_syntax_get_by_name_locking_optional(const char *name, PRBool use_lock, PRUi
- }
- asi = (struct asyntaxinfo *)PL_HashTableLookup_const(ht, name);
- if (NULL != asi) {
-- __atomic_add_fetch_8(&(asi->asi_refcnt), 1, __ATOMIC_RELEASE);
-+ slapi_atomic_incr(&(asi->asi_refcnt), __ATOMIC_RELEASE, ATOMIC_LONG);
- }
- if (use_lock) {
- AS_UNLOCK_READ(name2asi_lock);
-@@ -406,7 +406,7 @@ attr_syntax_return_locking_optional(struct asyntaxinfo *asi, PRBool use_lock)
- }
- if (NULL != asi) {
- PRBool delete_it = PR_FALSE;
-- if (0 == __atomic_sub_fetch_8(&(asi->asi_refcnt), 1, __ATOMIC_ACQ_REL)) {
-+ if (0 == slapi_atomic_decr(&(asi->asi_refcnt), __ATOMIC_ACQ_REL, ATOMIC_LONG)) {
- delete_it = asi->asi_marked_for_delete;
- }
-
-@@ -540,7 +540,7 @@ attr_syntax_delete_no_lock(struct asyntaxinfo *asi,
- PL_HashTableRemove(ht, asi->asi_aliases[i]);
- }
- }
-- if (__atomic_load_8(&(asi->asi_refcnt), __ATOMIC_ACQUIRE) > 0) {
-+ if (slapi_atomic_load(&(asi->asi_refcnt), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) {
- asi->asi_marked_for_delete = PR_TRUE;
- } else {
- /* This is ok, but the correct thing is to call delete first,
-diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
-index d43258d..c4c4959 100644
---- a/ldap/servers/slapd/back-ldbm/dblayer.c
-+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
-@@ -2860,16 +2860,16 @@ int
- dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flags)
- {
- /*
-- * We either already have a DB* handle in the attrinfo structure.
-- * in which case we simply return it to the caller, OR:
-- * we need to make one. We do this as follows:
-- * 1a) acquire the mutex that protects the handle list.
-- * 1b) check that the DB* is still null.
-- * 2) get the filename, and call libdb to open it
-- * 3) if successful, store the result in the attrinfo stucture
-- * 4) store the DB* in our own list so we can close it later.
-- * 5) release the mutex.
-- */
-+ * We either already have a DB* handle in the attrinfo structure.
-+ * in which case we simply return it to the caller, OR:
-+ * we need to make one. We do this as follows:
-+ * 1a) acquire the mutex that protects the handle list.
-+ * 1b) check that the DB* is still null.
-+ * 2) get the filename, and call libdb to open it
-+ * 3) if successful, store the result in the attrinfo stucture
-+ * 4) store the DB* in our own list so we can close it later.
-+ * 5) release the mutex.
-+ */
- ldbm_instance *inst = (ldbm_instance *)be->be_instance_info;
- int return_value = -1;
- DB *pDB = NULL;
-@@ -2878,9 +2878,9 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag
- *ppDB = NULL;
-
- /* it's like a semaphore -- when count > 0, any file handle that's in
-- * the attrinfo will remain valid from here on.
-- */
-- __atomic_add_fetch_8(&(a->ai_dblayer_count), 1, __ATOMIC_RELEASE);
-+ * the attrinfo will remain valid from here on.
-+ */
-+ slapi_atomic_incr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG);
-
- if (a->ai_dblayer && ((dblayer_handle *)(a->ai_dblayer))->dblayer_dbp) {
- /* This means that the pointer is valid, so we should return it. */
-@@ -2888,9 +2888,7 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag
- return 0;
- }
-
-- /* attrinfo handle is NULL, at least for now -- grab the mutex and try
-- * again.
-- */
-+ /* attrinfo handle is NULL, at least for now -- grab the mutex and try again. */
- PR_Lock(inst->inst_handle_list_mutex);
- if (a->ai_dblayer && ((dblayer_handle *)(a->ai_dblayer))->dblayer_dbp) {
- /* another thread set the handle while we were waiting on the lock */
-@@ -2900,8 +2898,8 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag
- }
-
- /* attrinfo handle is still blank, and we have the mutex: open the
-- * index file and stuff it in the attrinfo.
-- */
-+ * index file and stuff it in the attrinfo.
-+ */
- return_value = dblayer_open_file(be, attribute_name, open_flags,
- a, &pDB);
- if (0 == return_value) {
-@@ -2911,40 +2909,36 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag
-
- PR_ASSERT(NULL != pDB);
- /* Store the returned DB* in our own private list of
-- * open files */
-+ * open files */
- if (NULL == prev_handle) {
- /* List was empty */
- inst->inst_handle_tail = handle;
- inst->inst_handle_head = handle;
- } else {
-- /* Chain the handle onto the last structure in the
-- * list */
-+ /* Chain the handle onto the last structure in the list */
- inst->inst_handle_tail = handle;
- prev_handle->dblayer_handle_next = handle;
- }
-- /* Stash a pointer to our wrapper structure in the
-- * attrinfo structure */
-+ /* Stash a pointer to our wrapper structure in the attrinfo structure */
- handle->dblayer_dbp = pDB;
- /* And, most importantly, return something to the caller!*/
- *ppDB = pDB;
-- /* and save the hande in the attrinfo structure for
-- * next time */
-+ /* and save the hande in the attrinfo structure for next time */
- a->ai_dblayer = handle;
- /* don't need to update count -- we incr'd it already */
- handle->dblayer_handle_ai_backpointer = &(a->ai_dblayer);
- } else {
- /* Did not open it OK ! */
- /* Do nothing, because return value and fact that we didn't
-- * store a DB* in the attrinfo is enough
-- */
-+ * store a DB* in the attrinfo is enough */
- }
- PR_Unlock(inst->inst_handle_list_mutex);
-
- if (return_value != 0) {
- /* some sort of error -- we didn't open a handle at all.
-- * decrement the refcount back to where it was.
-- */
-- __atomic_sub_fetch_8(&(a->ai_dblayer_count), 1, __ATOMIC_RELEASE);
-+ * decrement the refcount back to where it was.
-+ */
-+ slapi_atomic_decr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG);
- }
-
- return return_value;
-@@ -2956,7 +2950,7 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag
- int
- dblayer_release_index_file(backend *be __attribute__((unused)), struct attrinfo *a, DB *pDB __attribute__((unused)))
- {
-- __atomic_sub_fetch_8(&(a->ai_dblayer_count), 1, __ATOMIC_RELEASE);
-+ slapi_atomic_decr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG);
- return 0;
- }
-
-@@ -3063,13 +3057,13 @@ dblayer_erase_index_file_ex(backend *be, struct attrinfo *a, PRBool use_lock, in
-
- dblayer_release_index_file(be, a, db);
-
-- while (__atomic_load_8(&(a->ai_dblayer_count), __ATOMIC_ACQUIRE) > 0) {
-+ while (slapi_atomic_load(&(a->ai_dblayer_count), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) {
- /* someone is using this index file */
- /* ASSUMPTION: you have already set the INDEX_OFFLINE flag, because
-- * you intend to mess with this index. therefore no new requests
-- * for this indexfile should happen, so the dblayer_count should
-- * NEVER increase.
-- */
-+ * you intend to mess with this index. therefore no new requests
-+ * for this indexfile should happen, so the dblayer_count should
-+ * NEVER increase.
-+ */
- PR_ASSERT(a->ai_indexmask & INDEX_OFFLINE);
- PR_Unlock(inst->inst_handle_list_mutex);
- DS_Sleep(DBLAYER_CACHE_DELAY);
-diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
-index 62d10c2..289a149 100644
---- a/ldap/servers/slapd/entry.c
-+++ b/ldap/servers/slapd/entry.c
-@@ -2244,18 +2244,19 @@ slapi_entry_attr_find(const Slapi_Entry *e, const char *type, Slapi_Attr **a)
-
- /* the following functions control virtual attribute cache invalidation */
-
--static uint32_t g_virtual_watermark = 0; /* good enough to init */
-+static int32_t g_virtual_watermark = 0; /* good enough to init */
-
- int
- slapi_entry_vattrcache_watermark_isvalid(const Slapi_Entry *e)
- {
-- return e->e_virtual_watermark == __atomic_load_4(&g_virtual_watermark, __ATOMIC_ACQUIRE);
-+ return e->e_virtual_watermark == slapi_atomic_load(&g_virtual_watermark, __ATOMIC_ACQUIRE, ATOMIC_INT);
-+
- }
-
- void
- slapi_entry_vattrcache_watermark_set(Slapi_Entry *e)
- {
-- e->e_virtual_watermark = __atomic_load_4(&g_virtual_watermark, __ATOMIC_ACQUIRE);
-+ e->e_virtual_watermark = slapi_atomic_load(&g_virtual_watermark, __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- void
-@@ -2268,8 +2269,8 @@ void
- slapi_entrycache_vattrcache_watermark_invalidate()
- {
- /* Make sure the value is never 0 */
-- if (__atomic_add_fetch_4(&g_virtual_watermark, 1, __ATOMIC_RELEASE) == 0) {
-- __atomic_add_fetch_4(&g_virtual_watermark, 1, __ATOMIC_RELEASE);
-+ if (slapi_atomic_incr(&g_virtual_watermark, __ATOMIC_RELEASE, ATOMIC_INT) == 0) {
-+ slapi_atomic_incr(&g_virtual_watermark, __ATOMIC_RELEASE, ATOMIC_INT);
- }
- }
-
-diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
-index 0eeb16a..4c54cf7 100644
---- a/ldap/servers/slapd/libglobs.c
-+++ b/ldap/servers/slapd/libglobs.c
-@@ -1335,19 +1335,19 @@ static uint64_t active_threads = 0;
- void
- g_incr_active_threadcnt(void)
- {
-- __atomic_add_fetch_8(&active_threads, 1, __ATOMIC_RELEASE);
-+ slapi_atomic_incr(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG);
- }
-
- void
- g_decr_active_threadcnt(void)
- {
-- __atomic_sub_fetch_8(&active_threads, 1, __ATOMIC_RELEASE);
-+ slapi_atomic_decr(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG);
- }
-
- uint64_t
- g_get_active_threadcnt(void)
- {
-- return __atomic_load_8(&active_threads, __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG);
- }
-
- /*
-@@ -1936,7 +1936,7 @@ config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf,
- size = NDN_DEFAULT_SIZE;
- }
- if (apply) {
-- __atomic_store_8(&(slapdFrontendConfig->ndn_cache_max_size), size, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->ndn_cache_max_size), &size, __ATOMIC_RELEASE, ATOMIC_LONG);
- }
-
- return retVal;
-@@ -3476,7 +3476,8 @@ int32_t
- config_get_dynamic_plugins(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->dynamic_plugins), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->dynamic_plugins), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+
- }
-
- int32_t
-@@ -3498,7 +3499,7 @@ int32_t
- config_get_cn_uses_dn_syntax_in_dns()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->cn_uses_dn_syntax_in_dns), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->cn_uses_dn_syntax_in_dns), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
-@@ -3543,7 +3544,7 @@ config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char *
- newval = LDAP_OFF;
- }
-
-- __atomic_store_4(configvalue, newval, __ATOMIC_RELEASE);
-+ slapi_atomic_store(configvalue, &newval, __ATOMIC_RELEASE, ATOMIC_INT);
-
- return retVal;
- }
-@@ -3915,7 +3916,7 @@ config_set_threadnumber(const char *attrname, char *value, char *errorbuf, int a
- retVal = LDAP_OPERATIONS_ERROR;
- }
- if (apply) {
-- __atomic_store_4(&(slapdFrontendConfig->threadnumber), threadnum, __ATOMIC_RELAXED);
-+ slapi_atomic_store(&(slapdFrontendConfig->threadnumber), &threadnum, __ATOMIC_RELAXED, ATOMIC_INT);
- }
- return retVal;
- }
-@@ -3944,7 +3945,7 @@ config_set_maxthreadsperconn(const char *attrname, char *value, char *errorbuf,
- }
-
- if (apply) {
-- __atomic_store_4(&(slapdFrontendConfig->maxthreadsperconn), maxthreadnum, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->maxthreadsperconn), &maxthreadnum, __ATOMIC_RELEASE, ATOMIC_INT);
- }
- return retVal;
- }
-@@ -4102,7 +4103,7 @@ config_set_ioblocktimeout(const char *attrname, char *value, char *errorbuf, int
- }
-
- if (apply) {
-- __atomic_store_4(&(slapdFrontendConfig->ioblocktimeout), nValue, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->ioblocktimeout), &nValue, __ATOMIC_RELEASE, ATOMIC_INT);
- }
- return retVal;
- }
-@@ -4606,21 +4607,22 @@ int32_t
- config_get_sasl_mapping_fallback()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->sasl_mapping_fallback), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->sasl_mapping_fallback), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+
- }
-
- int32_t
- config_get_disk_monitoring()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->disk_monitoring), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->disk_monitoring), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_disk_logging_critical()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->disk_logging_critical), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->disk_logging_critical), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int
-@@ -4667,14 +4669,14 @@ int32_t
- config_get_ldapi_switch()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->ldapi_switch), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->ldapi_switch), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_ldapi_bind_switch()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->ldapi_bind_switch), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->ldapi_bind_switch), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- char *
-@@ -4693,7 +4695,7 @@ int
- config_get_ldapi_map_entries()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->ldapi_map_entries), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->ldapi_map_entries), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- char *
-@@ -4763,7 +4765,8 @@ int32_t
- config_get_slapi_counters()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->slapi_counters), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->slapi_counters), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+
- }
-
- char *
-@@ -4945,7 +4948,7 @@ int32_t
- config_get_pw_change(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_change), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_change), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
-
-@@ -4953,7 +4956,7 @@ int32_t
- config_get_pw_history(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_history), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_history), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
-
-@@ -4961,21 +4964,21 @@ int32_t
- config_get_pw_must_change(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_must_change), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_must_change), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_allow_hashed_pw(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->allow_hashed_pw), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->allow_hashed_pw), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_pw_syntax(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_syntax), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_syntax), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
-
-@@ -5164,21 +5167,21 @@ int32_t
- config_get_pw_is_global_policy(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->pw_is_global_policy), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->pw_is_global_policy), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_pw_is_legacy_policy(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_is_legacy), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_is_legacy), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_pw_exp(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_exp), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_exp), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
-
-@@ -5186,14 +5189,14 @@ int32_t
- config_get_pw_unlock(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_unlock), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_unlock), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_pw_lockout()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_lockout), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_lockout), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int
-@@ -5213,112 +5216,112 @@ int32_t
- config_get_lastmod()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->lastmod), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->lastmod), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_enquote_sup_oc()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->enquote_sup_oc), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->enquote_sup_oc), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_nagle(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->nagle), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->nagle), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_accesscontrol(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->accesscontrol), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->accesscontrol), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_return_exact_case(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->return_exact_case), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->return_exact_case), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_result_tweak(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->result_tweak), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->result_tweak), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_moddn_aci(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->moddn_aci), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->moddn_aci), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_security(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->security), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->security), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- slapi_config_get_readonly(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->readonly), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->readonly), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_schemacheck(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->schemacheck), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->schemacheck), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_schemamod(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->schemamod), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->schemamod), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_syntaxcheck(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->syntaxcheck), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->syntaxcheck), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_syntaxlogging(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->syntaxlogging), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->syntaxlogging), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_dn_validate_strict(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->dn_validate_strict), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->dn_validate_strict), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_ds4_compatible_schema(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->ds4_compatible_schema), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->ds4_compatible_schema), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_schema_ignore_trailing_spaces(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->schema_ignore_trailing_spaces), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->schema_ignore_trailing_spaces), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- char *
-@@ -5402,7 +5405,7 @@ config_get_threadnumber(void)
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- int32_t retVal;
-
-- retVal = __atomic_load_4(&(slapdFrontendConfig->threadnumber), __ATOMIC_RELAXED);
-+ retVal = slapi_atomic_load(&(slapdFrontendConfig->threadnumber), __ATOMIC_RELAXED, ATOMIC_INT);
-
- if (retVal <= 0) {
- retVal = util_get_hardware_threads();
-@@ -5420,7 +5423,7 @@ int32_t
- config_get_maxthreadsperconn()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->maxthreadsperconn), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->maxthreadsperconn), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int
-@@ -5452,7 +5455,7 @@ int32_t
- config_get_ioblocktimeout()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->ioblocktimeout), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->ioblocktimeout), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int
-@@ -5769,21 +5772,21 @@ int32_t
- config_get_unauth_binds_switch(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->allow_unauth_binds), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->allow_unauth_binds), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_require_secure_binds(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->require_secure_binds), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->require_secure_binds), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_anon_access_switch(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->allow_anon_access), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->allow_anon_access), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int
-@@ -6025,7 +6028,8 @@ int32_t
- config_get_minssf_exclude_rootdse()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->minssf_exclude_rootdse), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->minssf_exclude_rootdse), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+
- }
-
- int
-@@ -6034,18 +6038,17 @@ config_set_max_filter_nest_level(const char *attrname, char *value, char *errorb
- int retVal = LDAP_SUCCESS;
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- char *endp;
-- long level;
-+ int32_t level;
-
- if (config_value_is_null(attrname, value, errorbuf, 0)) {
- return LDAP_OPERATIONS_ERROR;
- }
-
- errno = 0;
-- level = strtol(value, &endp, 10);
-+ level = (int32_t)strtol(value, &endp, 10);
- if (*endp != '\0' || errno == ERANGE) {
-- slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "(%s) value (%s) "
-- "is invalid\n",
-- attrname, value);
-+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
-+ "(%s) value (%s) is invalid\n", attrname, value);
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
- }
-@@ -6054,7 +6057,7 @@ config_set_max_filter_nest_level(const char *attrname, char *value, char *errorb
- return retVal;
- }
-
-- __atomic_store_4(&(slapdFrontendConfig->max_filter_nest_level), level, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->max_filter_nest_level), &level, __ATOMIC_RELEASE, ATOMIC_INT);
- return retVal;
- }
-
-@@ -6062,29 +6065,28 @@ int32_t
- config_get_max_filter_nest_level()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->max_filter_nest_level), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->max_filter_nest_level), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- uint64_t
- config_get_ndn_cache_size()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
--
-- return __atomic_load_8(&(slapdFrontendConfig->ndn_cache_max_size), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->ndn_cache_max_size), __ATOMIC_ACQUIRE, ATOMIC_LONG);
- }
-
- int32_t
- config_get_ndn_cache_enabled()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->ndn_cache_enabled), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->ndn_cache_enabled), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_return_orig_type_switch()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->return_orig_type), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->return_orig_type), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- char *
-@@ -6786,7 +6788,7 @@ int32_t
- config_get_force_sasl_external(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->force_sasl_external), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->force_sasl_external), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
-@@ -6808,7 +6810,7 @@ int32_t
- config_get_entryusn_global(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->entryusn_global), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->entryusn_global), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
-@@ -7046,21 +7048,21 @@ int32_t
- config_get_enable_turbo_mode(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->enable_turbo_mode), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->enable_turbo_mode), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_connection_nocanon(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->connection_nocanon), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->connection_nocanon), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_plugin_logging(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->plugin_logging), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->plugin_logging), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
-@@ -7073,21 +7075,21 @@ int32_t
- config_get_unhashed_pw_switch()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->unhashed_pw_switch), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->unhashed_pw_switch), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_ignore_time_skew(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->ignore_time_skew), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->ignore_time_skew), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
- config_get_global_backend_lock()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return __atomic_load_4(&(slapdFrontendConfig->global_backend_lock), __ATOMIC_ACQUIRE);
-+ return slapi_atomic_load(&(slapdFrontendConfig->global_backend_lock), __ATOMIC_ACQUIRE, ATOMIC_INT);
- }
-
- int32_t
-@@ -7163,8 +7165,9 @@ config_get_connection_buffer(void)
- int
- config_set_connection_buffer(const char *attrname, char *value, char *errorbuf, int apply)
- {
-- int retVal = LDAP_SUCCESS;
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-+ int retVal = LDAP_SUCCESS;
-+ int32_t val;
-
- if (config_value_is_null(attrname, value, errorbuf, 0)) {
- return LDAP_OPERATIONS_ERROR;
-@@ -7181,7 +7184,9 @@ config_set_connection_buffer(const char *attrname, char *value, char *errorbuf,
- return retVal;
- }
-
-- __atomic_store_4(&(slapdFrontendConfig->connection_buffer), atoi(value), __ATOMIC_RELEASE);
-+ val = atoi(value);
-+ slapi_atomic_store(&(slapdFrontendConfig->connection_buffer), &val, __ATOMIC_RELEASE, ATOMIC_INT);
-+
- return retVal;
- }
-
-@@ -7204,7 +7209,7 @@ config_set_listen_backlog_size(const char *attrname, char *value, char *errorbuf
- }
-
- if (apply) {
-- __atomic_store_4(&(slapdFrontendConfig->listen_backlog_size), size, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->listen_backlog_size), &size, __ATOMIC_RELEASE, ATOMIC_INT);
- }
- return LDAP_SUCCESS;
- }
-@@ -7617,7 +7622,7 @@ config_set_accesslog_enabled(int value)
- char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
- errorbuf[0] = '\0';
-
-- __atomic_store_4(&(slapdFrontendConfig->accesslog_logging_enabled), value, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->accesslog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT);
- if (value) {
- log_set_logging(CONFIG_ACCESSLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_ACCESS_LOG, errorbuf, CONFIG_APPLY);
- } else {
-@@ -7635,7 +7640,7 @@ config_set_auditlog_enabled(int value)
- char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
- errorbuf[0] = '\0';
-
-- __atomic_store_4(&(slapdFrontendConfig->auditlog_logging_enabled), value, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->auditlog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT);
- if (value) {
- log_set_logging(CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_AUDIT_LOG, errorbuf, CONFIG_APPLY);
- } else {
-@@ -7653,7 +7658,7 @@ config_set_auditfaillog_enabled(int value)
- char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
- errorbuf[0] = '\0';
-
-- __atomic_store_4(&(slapdFrontendConfig->auditfaillog_logging_enabled), value, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->auditfaillog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT);
- if (value) {
- log_set_logging(CONFIG_AUDITFAILLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_AUDITFAIL_LOG, errorbuf, CONFIG_APPLY);
- } else {
-@@ -7744,7 +7749,7 @@ config_set_malloc_mxfast(const char *attrname, char *value, char *errorbuf, int
- value, CONFIG_MALLOC_MXFAST, max);
- return LDAP_OPERATIONS_ERROR;
- }
-- __atomic_store_4(&(slapdFrontendConfig->malloc_mxfast), mxfast, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->malloc_mxfast), &mxfast, __ATOMIC_RELEASE, ATOMIC_INT);
-
- if ((mxfast >= 0) && (mxfast <= max)) {
- mallopt(M_MXFAST, mxfast);
-@@ -7784,7 +7789,7 @@ config_set_malloc_trim_threshold(const char *attrname, char *value, char *errorb
- return LDAP_OPERATIONS_ERROR;
- }
-
-- __atomic_store_4(&(slapdFrontendConfig->malloc_trim_threshold), trim_threshold, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->malloc_trim_threshold), &trim_threshold, __ATOMIC_RELEASE, ATOMIC_INT);
-
- if (trim_threshold >= -1) {
- mallopt(M_TRIM_THRESHOLD, trim_threshold);
-@@ -7831,7 +7836,7 @@ config_set_malloc_mmap_threshold(const char *attrname, char *value, char *errorb
- return LDAP_OPERATIONS_ERROR;
- }
-
-- __atomic_store_4(&(slapdFrontendConfig->malloc_mmap_threshold), mmap_threshold, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(slapdFrontendConfig->malloc_mmap_threshold), &mmap_threshold, __ATOMIC_RELEASE, ATOMIC_INT);
-
- if ((mmap_threshold >= 0) && (mmap_threshold <= max)) {
- mallopt(M_MMAP_THRESHOLD, mmap_threshold);
-diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
-index 41b5c99..4d44c87 100644
---- a/ldap/servers/slapd/log.c
-+++ b/ldap/servers/slapd/log.c
-@@ -4942,12 +4942,13 @@ static LogBufferInfo *
- log_create_buffer(size_t sz)
- {
- LogBufferInfo *lbi;
-+ uint64_t init_val = 0;
-
- lbi = (LogBufferInfo *)slapi_ch_malloc(sizeof(LogBufferInfo));
- lbi->top = (char *)slapi_ch_malloc(sz);
- lbi->current = lbi->top;
- lbi->maxsize = sz;
-- __atomic_store_8(&(lbi->refcount), 0, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(lbi->refcount), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG);
- return lbi;
- }
-
-@@ -5009,7 +5010,7 @@ log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_t size1, cha
- insert_point = lbi->current;
- lbi->current += size;
- /* Increment the copy refcount */
-- __atomic_add_fetch_8(&(lbi->refcount), 1, __ATOMIC_RELEASE);
-+ slapi_atomic_incr(&(lbi->refcount), __ATOMIC_RELEASE, ATOMIC_LONG);
- PR_Unlock(lbi->lock);
-
- /* Now we can copy without holding the lock */
-@@ -5017,7 +5018,7 @@ log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_t size1, cha
- memcpy(insert_point + size1, msg2, size2);
-
- /* Decrement the copy refcount */
-- __atomic_sub_fetch_8(&(lbi->refcount), 1, __ATOMIC_RELEASE);
-+ slapi_atomic_decr(&(lbi->refcount), __ATOMIC_RELEASE, ATOMIC_LONG);
-
- /* If we are asked to sync to disk immediately, do so */
- if (!slapdFrontendConfig->accesslogbuffering) {
-@@ -5037,7 +5038,7 @@ log_flush_buffer(LogBufferInfo *lbi, int type, int sync_now)
- if (type == SLAPD_ACCESS_LOG) {
-
- /* It is only safe to flush once any other threads which are copying are finished */
-- while (__atomic_load_8(&(lbi->refcount), __ATOMIC_ACQUIRE) > 0) {
-+ while (slapi_atomic_load(&(lbi->refcount), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) {
- /* It's ok to sleep for a while because we only flush every second or so */
- DS_Sleep(PR_MillisecondsToInterval(1));
- }
-diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
-index 651d70e..6621ceb 100644
---- a/ldap/servers/slapd/mapping_tree.c
-+++ b/ldap/servers/slapd/mapping_tree.c
-@@ -1647,7 +1647,7 @@ mapping_tree_init()
-
- /* we call this function from a single thread, so it should be ok */
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- /* shutdown has been detected */
- return 0;
- }
-@@ -1759,6 +1759,8 @@ mtn_free_node(mapping_tree_node **node)
- void
- mapping_tree_free()
- {
-+ int init_val = 1;
-+
- /* unregister dse callbacks */
- slapi_config_remove_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, MAPPING_TREE_BASE_DN, LDAP_SCOPE_BASE, "(objectclass=*)", mapping_tree_entry_modify_callback);
- slapi_config_remove_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, MAPPING_TREE_BASE_DN, LDAP_SCOPE_BASE, "(objectclass=*)", mapping_tree_entry_add_callback);
-@@ -1771,7 +1773,7 @@ mapping_tree_free()
- slapi_unregister_backend_state_change_all();
- /* recursively free tree nodes */
- mtn_free_node(&mapping_tree_root);
-- __atomic_store_4(&mapping_tree_freed, 1, __ATOMIC_RELAXED);
-+ slapi_atomic_store(&mapping_tree_freed, &init_val, __ATOMIC_RELAXED, ATOMIC_INT);
- }
-
- /* This function returns the first node to parse when a search is done
-@@ -2022,7 +2024,7 @@ slapi_dn_write_needs_referral(Slapi_DN *target_sdn, Slapi_Entry **referral)
- mapping_tree_node *target_node = NULL;
- int ret = 0;
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- /* shutdown detected */
- goto done;
- }
-@@ -2093,7 +2095,7 @@ slapi_mapping_tree_select(Slapi_PBlock *pb, Slapi_Backend **be, Slapi_Entry **re
- int fixup = 0;
-
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- /* shutdown detected */
- return LDAP_OPERATIONS_ERROR;
- }
-@@ -2198,7 +2200,7 @@ slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list, Slapi_E
- int flag_partial_result = 0;
- int op_type;
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- return LDAP_OPERATIONS_ERROR;
- }
-
-@@ -2358,7 +2360,7 @@ slapi_mapping_tree_select_and_check(Slapi_PBlock *pb, char *newdn, Slapi_Backend
- int ret;
- int need_unlock = 0;
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- return LDAP_OPERATIONS_ERROR;
- }
-
-@@ -2524,7 +2526,7 @@ mtn_get_be(mapping_tree_node *target_node, Slapi_PBlock *pb, Slapi_Backend **be,
- int flag_stop = 0;
- struct slapi_componentid *cid = NULL;
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- /* shut down detected */
- return LDAP_OPERATIONS_ERROR;
- }
-@@ -2712,7 +2714,7 @@ best_matching_child(mapping_tree_node *parent,
- mapping_tree_node *highest_match_node = NULL;
- mapping_tree_node *current;
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2739,7 +2741,7 @@ mtn_get_mapping_tree_node_by_entry(mapping_tree_node *node, const Slapi_DN *dn)
- {
- mapping_tree_node *found_node = NULL;
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2782,7 +2784,7 @@ slapi_get_mapping_tree_node_by_dn(const Slapi_DN *dn)
- mapping_tree_node *current_best_match = mapping_tree_root;
- mapping_tree_node *next_best_match = mapping_tree_root;
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2816,7 +2818,7 @@ get_mapping_tree_node_by_name(mapping_tree_node *node, char *be_name)
- int i;
- mapping_tree_node *found_node = NULL;
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2863,7 +2865,7 @@ slapi_get_mapping_tree_node_configdn(const Slapi_DN *root)
- {
- char *dn = NULL;
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2890,7 +2892,7 @@ slapi_get_mapping_tree_node_configsdn(const Slapi_DN *root)
- char *dn = NULL;
- Slapi_DN *sdn = NULL;
-
-- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) {
-+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
- /* shutdown detected */
- return NULL;
- }
-diff --git a/ldap/servers/slapd/object.c b/ldap/servers/slapd/object.c
-index 84845d3..6a1a9a5 100644
---- a/ldap/servers/slapd/object.c
-+++ b/ldap/servers/slapd/object.c
-@@ -43,10 +43,12 @@ Object *
- object_new(void *user_data, FNFree destructor)
- {
- Object *o;
-+ uint64_t init_val = 1;
-+
- o = (object *)slapi_ch_malloc(sizeof(object));
- o->destructor = destructor;
- o->data = user_data;
-- __atomic_store_8(&(o->refcnt), 1, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(o->refcnt), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG);
- return o;
- }
-
-@@ -60,7 +62,7 @@ void
- object_acquire(Object *o)
- {
- PR_ASSERT(NULL != o);
-- __atomic_add_fetch_8(&(o->refcnt), 1, __ATOMIC_RELEASE);
-+ slapi_atomic_incr(&(o->refcnt), __ATOMIC_RELEASE, ATOMIC_LONG);
- }
-
-
-@@ -75,7 +77,7 @@ object_release(Object *o)
- PRInt32 refcnt_after_release;
-
- PR_ASSERT(NULL != o);
-- refcnt_after_release = __atomic_sub_fetch_8(&(o->refcnt), 1, __ATOMIC_ACQ_REL);
-+ refcnt_after_release = slapi_atomic_decr(&(o->refcnt), __ATOMIC_ACQ_REL, ATOMIC_LONG);
- if (refcnt_after_release == 0) {
- /* Object can be destroyed */
- if (o->destructor)
-diff --git a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c
-index 0489122..70c530b 100644
---- a/ldap/servers/slapd/psearch.c
-+++ b/ldap/servers/slapd/psearch.c
-@@ -134,7 +134,7 @@ ps_stop_psearch_system()
- if (PS_IS_INITIALIZED()) {
- PSL_LOCK_WRITE();
- for (ps = psearch_list->pl_head; NULL != ps; ps = ps->ps_next) {
-- __atomic_add_fetch_8(&(ps->ps_complete), 1, __ATOMIC_RELEASE);
-+ slapi_atomic_incr(&(ps->ps_complete), __ATOMIC_RELEASE, ATOMIC_LONG);
- }
- PSL_UNLOCK_WRITE();
- ps_wakeup_all();
-@@ -285,7 +285,7 @@ ps_send_results(void *arg)
-
- PR_Lock(psearch_list->pl_cvarlock);
-
-- while ((conn_acq_flag == 0) && __atomic_load_8(&(ps->ps_complete), __ATOMIC_ACQUIRE) == 0) {
-+ while ((conn_acq_flag == 0) && slapi_atomic_load(&(ps->ps_complete), __ATOMIC_ACQUIRE, ATOMIC_LONG) == 0) {
- /* Check for an abandoned operation */
- if (pb_op == NULL || slapi_op_abandoned(ps->ps_pblock)) {
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
-@@ -427,6 +427,7 @@ static PSearch *
- psearch_alloc(void)
- {
- PSearch *ps;
-+ uint64_t init_val = 0;
-
- ps = (PSearch *)slapi_ch_calloc(1, sizeof(PSearch));
-
-@@ -437,7 +438,7 @@ psearch_alloc(void)
- slapi_ch_free((void **)&ps);
- return (NULL);
- }
-- __atomic_store_8(&(ps->ps_complete), 0, __ATOMIC_RELEASE);
-+ slapi_atomic_store(&(ps->ps_complete), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG);
- ps->ps_eq_head = ps->ps_eq_tail = (PSEQNode *)NULL;
- ps->ps_lasttime = (time_t)0L;
- ps->ps_next = NULL;
-diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
-index 3397c63..c434add 100644
---- a/ldap/servers/slapd/slapi-plugin.h
-+++ b/ldap/servers/slapd/slapi-plugin.h
-@@ -8202,6 +8202,58 @@ void slapi_operation_time_initiated(Slapi_Operation *o, struct timespec *initiat
- */
- #endif
-
-+/* See: https://gcc.gnu.org/ml/gcc/2016-11/txt6ZlA_JS27i.txt */
-+#define ATOMIC_GENERIC 0
-+#define ATOMIC_INT 4
-+#define ATOMIC_LONG 8
-+#define ATOMIC_INT128 16 /* Future */
-+
-+/**
-+ * Store an integral value atomicly
-+ *
-+ * \param ptr - integral pointer
-+ * \param val - pointer to integral value (use integral type int32_t with ATOMIC_INT, or uint64_t
-+ * with ATOMIC_LONG & ATOMIC_GENERIC)
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
-+ */
-+void slapi_atomic_store(void *ptr, void *val, int memorder, int type);
-+
-+/**
-+ * Get an integral value atomicly
-+ *
-+ * \param ptr - integral pointer
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
-+ * \return -
-+ */
-+uint64_t slapi_atomic_load(void *ptr, int memorder, int type);
-+
-+/**
-+ * Increment integral atomicly
-+ *
-+ * \param ptr - pointer to integral to increment
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
-+ * \return - new value of ptr
-+ */
-+uint64_t slapi_atomic_incr(void *ptr, int memorder, int type);
-+
-+/**
-+ * Decrement integral atomicly
-+ *
-+ * \param ptr - pointer to integral to decrement
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
-+ * \return - new value of ptr
-+ */
-+uint64_t slapi_atomic_decr(void *ptr, int memorder, int type);
-+
-+
- #ifdef __cplusplus
- }
- #endif
-diff --git a/ldap/servers/slapd/slapi_counter.c b/ldap/servers/slapd/slapi_counter.c
-index ba0091f..9e705b3 100644
---- a/ldap/servers/slapd/slapi_counter.c
-+++ b/ldap/servers/slapd/slapi_counter.c
-@@ -283,3 +283,103 @@ slapi_counter_get_value(Slapi_Counter *counter)
-
- return value;
- }
-+
-+
-+/*
-+ *
-+ * Atomic functions
-+ *
-+ * ptr - a pointer to an integral type variable: int, uint32_t, uint64_t, etc
-+ *
-+ * memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, or __ATOMIC_SEQ_CST
-+ *
-+ * See: https://gcc.gnu.org/onlinedocs/gcc-4.9.2/gcc/_005f_005fatomic-Builtins.html
-+ *
-+ * type_size - ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG, see slapi-plugin.h for more info
-+ *
-+ * Future:
-+ * If we need to support ATOMIC_INT128 (not available on 32bit systems):
-+ * __atomic_store_16((uint64_t *)&ptr, val, memorder);
-+ * __atomic_load_16((uint64_t *)&ptr, memorder);
-+ * __atomic_add_fetch_16((uint64_t *)&ptr, 1, memorder);
-+ * __atomic_sub_fetch_16((uint64_t *)&ptr, 1, memorder);
-+ */
-+
-+/*
-+ * "val" must be either int32_t or uint64_t
-+ */
-+void
-+slapi_atomic_store(void *ptr, void *val, int memorder, int type_size)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ if (type_size == ATOMIC_INT) {
-+ __atomic_store_4((int32_t *)ptr, *(int32_t *)val, memorder);
-+ } else if (type_size == ATOMIC_LONG) {
-+ __atomic_store_8((uint64_t *)ptr, *(uint64_t *)val, memorder);
-+ } else {
-+ /* ATOMIC_GENERIC or unknown size */
-+ __atomic_store((uint64_t *)&ptr, (uint64_t *)val, memorder);
-+ }
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ PR_AtomicSet(pr_ptr, *(PRInt32 *)val);
-+#endif
-+}
-+
-+uint64_t
-+slapi_atomic_load(void *ptr, int memorder, int type_size)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ uint64_t ret;
-+
-+ if (type_size == ATOMIC_INT) {
-+ return __atomic_load_4((int32_t *)ptr, memorder);
-+ } else if (type_size == ATOMIC_LONG) {
-+ return __atomic_load_8((uint64_t *)ptr, memorder);
-+ } else {
-+ /* ATOMIC_GENERIC or unknown size */
-+ __atomic_load((uint64_t *)ptr, &ret, memorder);
-+ return ret;
-+ }
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ return PR_AtomicAdd(pr_ptr, 0);
-+#endif
-+}
-+
-+uint64_t
-+slapi_atomic_incr(void *ptr, int memorder, int type_size)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ if (type_size == ATOMIC_INT) {
-+ return __atomic_add_fetch_4((int32_t *)ptr, 1, memorder);
-+ } else if (type_size == ATOMIC_LONG) {
-+ return __atomic_add_fetch_8((uint64_t *)ptr, 1, memorder);
-+ } else {
-+ /* ATOMIC_GENERIC or unknown size */
-+ return __atomic_add_fetch((uint64_t *)ptr, 1, memorder);
-+ }
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ return PR_AtomicIncrement(pr_ptr);
-+#endif
-+}
-+
-+uint64_t
-+slapi_atomic_decr(void *ptr, int memorder, int type_size)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ if (type_size == ATOMIC_INT) {
-+ return __atomic_sub_fetch_4((int32_t *)ptr, 1, memorder);
-+ } else if (type_size == ATOMIC_LONG) {
-+ return __atomic_sub_fetch_8((uint64_t *)ptr, 1, memorder);
-+ } else {
-+ /* ATOMIC_GENERIC or unknown size */
-+ return __atomic_sub_fetch((uint64_t *)ptr, 1, memorder);
-+ }
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ return PR_AtomicDecrement(pr_ptr);
-+#endif
-+}
-diff --git a/ldap/servers/slapd/thread_data.c b/ldap/servers/slapd/thread_data.c
-index 9964832..d473710 100644
---- a/ldap/servers/slapd/thread_data.c
-+++ b/ldap/servers/slapd/thread_data.c
-@@ -9,7 +9,7 @@
- /*
- * Thread Local Storage Functions
- */
--#include <slapi-plugin.h>
-+#include "slap.h"
- #include <prthread.h>
-
- void td_dn_destructor(void *priv);
-diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c
-index 7921cbc..2ad0bd7 100644
---- a/src/nunc-stans/ns/ns_thrpool.c
-+++ b/src/nunc-stans/ns/ns_thrpool.c
-@@ -169,7 +169,11 @@ int32_t
- ns_thrpool_is_shutdown(struct ns_thrpool_t *tp)
- {
- int32_t result = 0;
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_load(&(tp->shutdown), &result, __ATOMIC_ACQUIRE);
-+#else
-+ result = PR_AtomicAdd(&(tp->shutdown), 0);
-+#endif
- return result;
- }
-
-@@ -177,7 +181,11 @@ int32_t
- ns_thrpool_is_event_shutdown(struct ns_thrpool_t *tp)
- {
- int32_t result = 0;
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_load(&(tp->shutdown_event_loop), &result, __ATOMIC_ACQUIRE);
-+#else
-+ result = PR_AtomicAdd(&(tp->shutdown_event_loop), 0);
-+#endif
- return result;
- }
-
-@@ -1442,8 +1450,11 @@ ns_thrpool_destroy(struct ns_thrpool_t *tp)
- #endif
- if (tp) {
- /* Set the flag to shutdown the event loop. */
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&(tp->shutdown_event_loop), 1, __ATOMIC_RELEASE);
--
-+#else
-+ PR_AtomicIncrement(&(tp->shutdown_event_loop));
-+#endif
- /* Finish the event queue wakeup job. This has the
- * side effect of waking up the event loop thread, which
- * will cause it to exit since we set the event loop
-@@ -1532,7 +1543,11 @@ ns_thrpool_shutdown(struct ns_thrpool_t *tp)
-
- /* Set the shutdown flag. This will cause the worker
- * threads to exit after they finish all remaining work. */
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&(tp->shutdown), 1, __ATOMIC_RELEASE);
-+#else
-+ PR_AtomicIncrement(&(tp->shutdown));
-+#endif
-
- /* Send worker shutdown jobs into the queues. This allows
- * currently queued jobs to complete.
-diff --git a/src/nunc-stans/test/test_nuncstans_stress_core.c b/src/nunc-stans/test/test_nuncstans_stress_core.c
-index a678800..2fc4ef4 100644
---- a/src/nunc-stans/test/test_nuncstans_stress_core.c
-+++ b/src/nunc-stans/test/test_nuncstans_stress_core.c
-@@ -128,7 +128,11 @@ server_conn_write(struct ns_job_t *job)
- assert(connctx != NULL);
- if (NS_JOB_IS_TIMER(ns_job_get_output_type(job))) {
- do_logging(LOG_ERR, "conn_write: job [%p] timeout\n", job);
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&server_fail_count, 1, __ATOMIC_SEQ_CST);
-+#else
-+ PR_AtomicIncrement(&server_fail_count);
-+#endif
- conn_ctx_free(connctx);
- assert_int_equal(ns_job_done(job), 0);
- return;
-@@ -173,7 +177,11 @@ server_conn_read(struct ns_job_t *job)
- if (NS_JOB_IS_TIMER(ns_job_get_output_type(job))) {
- /* The event that triggered this call back is because we timed out waiting for IO */
- do_logging(LOG_ERR, "conn_read: job [%p] timed out\n", job);
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&server_fail_count, 1, __ATOMIC_SEQ_CST);
-+#else
-+ PR_AtomicIncrement(&server_fail_count);
-+#endif
- conn_ctx_free(connctx);
- assert_int_equal(ns_job_done(job), 0);
- return;
-@@ -204,7 +212,11 @@ server_conn_read(struct ns_job_t *job)
- return;
- } else {
- do_logging(LOG_ERR, "conn_read: read error for job [%p] %d: %s\n", job, PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT));
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&server_fail_count, 1, __ATOMIC_SEQ_CST);
-+#else
-+ PR_AtomicIncrement(&server_fail_count);
-+#endif
- conn_ctx_free(connctx);
- assert_int_equal(ns_job_done(job), 0);
- return;
-@@ -214,7 +226,11 @@ server_conn_read(struct ns_job_t *job)
- /* Didn't read anything */
- do_logging(LOG_DEBUG, "conn_read: job [%p] closed\n", job);
- /* Increment the success */
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&server_success_count, 1, __ATOMIC_SEQ_CST);
-+#else
-+ PR_AtomicIncrement(&server_success_count);
-+#endif
- conn_ctx_free(connctx);
- assert_int_equal(ns_job_done(job), 0);
- return;
-@@ -314,26 +330,41 @@ client_response_cb(struct ns_job_t *job)
- if (len < 0) {
- /* PRErrorCode prerr = PR_GetError(); */
- do_logging(LOG_ERR, "FAIL: connection error, no data \n");
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&client_fail_count, 1, __ATOMIC_SEQ_CST);
-+#else
-+ PR_AtomicIncrement(&client_fail_count);
-+#endif
- goto done;
- } else if (len == 0) {
- do_logging(LOG_ERR, "FAIL: connection closed, no data \n");
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&client_fail_count, 1, __ATOMIC_SEQ_CST);
-+#else
-+ PR_AtomicIncrement(&client_fail_count);
-+#endif
- goto done;
- } else {
- /* Be paranoid, force last byte null */
- buffer[buflen - 1] = '\0';
- if (strncmp("this is a test!\n", buffer, strlen("this is a test!\n")) != 0) {
- do_logging(LOG_ERR, "FAIL: connection incorrect response, no data \n");
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&client_fail_count, 1, __ATOMIC_SEQ_CST);
-+#else
-+ PR_AtomicIncrement(&client_fail_count);
-+#endif
- goto done;
- }
- }
-
- struct timespec ts;
- clock_gettime(CLOCK_MONOTONIC, &ts);
--
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&client_success_count, 1, __ATOMIC_SEQ_CST);
-+#else
-+ PR_AtomicIncrement(&client_success_count);
-+#endif
- do_logging(LOG_ERR, "PASS: %ld.%ld %d\n", ts.tv_sec, ts.tv_nsec, client_success_count);
-
- done:
-@@ -354,7 +385,11 @@ client_initiate_connection_cb(struct ns_job_t *job)
- char *err = NULL;
- PR_GetErrorText(err);
- do_logging(LOG_ERR, "FAIL: Socket failed, %d -> %s\n", PR_GetError(), err);
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&client_fail_count, 1, __ATOMIC_SEQ_CST);
-+#else
-+ PR_AtomicIncrement(&client_fail_count);
-+#endif
- goto done;
- }
-
-@@ -368,8 +403,11 @@ client_initiate_connection_cb(struct ns_job_t *job)
- PR_GetErrorText(err);
- do_logging(LOG_ERR, "FAIL: cannot connect, timeout %d -> %s \n", PR_GetError(), err);
- /* Atomic increment fail */
-+#ifdef ATOMIC_64BIT_OPERATIONS
- __atomic_add_fetch(&client_timeout_count, 1, __ATOMIC_SEQ_CST);
--
-+#else
-+ PR_AtomicIncrement(&client_timeout_count);
-+#endif
- if (sock != NULL) {
- PR_Close(sock);
- }
---
-2.9.5
-
diff --git a/SOURCES/0000-Ticket-49830-Import-fails-if-backend-name-is-default.patch b/SOURCES/0000-Ticket-49830-Import-fails-if-backend-name-is-default.patch
new file mode 100644
index 0000000..6f16723
--- /dev/null
+++ b/SOURCES/0000-Ticket-49830-Import-fails-if-backend-name-is-default.patch
@@ -0,0 +1,190 @@
+From da5a1bbb4e4352b8df10c84572441d47217b6c2c Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Fri, 6 Jul 2018 11:37:56 -0400
+Subject: [PATCH] Ticket 49830 - Import fails if backend name is "default"
+
+Bug Description: The server was previously reserving the backend
+ name "default". If you tried to import on a
+ backend with this name the import would skip all
+ child entries
+
+Fix Description: Change the default backend name to something
+ obscure, instead of "default".
+
+ Also improved lib389's dbgen to generate the
+ correct "dc" attribute value in the root node.
+
+https://pagure.io/389-ds-base/issue/49830
+
+Reviewed by: spichugi(Thanks!)
+
+(cherry picked from commit 8fa838a4ffd4d0c15ae51cb21f246bb1f2dea2a1)
+---
+ .../tests/suites/import/regression_test.py | 46 +++++++++++++++++++
+ ldap/servers/slapd/defbackend.c | 4 +-
+ ldap/servers/slapd/mapping_tree.c | 7 ++-
+ ldap/servers/slapd/slap.h | 3 ++
+ src/lib389/lib389/dbgen.py | 13 +++++-
+ 5 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/import/regression_test.py b/dirsrvtests/tests/suites/import/regression_test.py
+index ad51721a1..d83d00323 100644
+--- a/dirsrvtests/tests/suites/import/regression_test.py
++++ b/dirsrvtests/tests/suites/import/regression_test.py
+@@ -23,6 +23,52 @@ TEST_SUFFIX1 = "dc=importest1,dc=com"
+ TEST_BACKEND1 = "importest1"
+ TEST_SUFFIX2 = "dc=importest2,dc=com"
+ TEST_BACKEND2 = "importest2"
++TEST_DEFAULT_SUFFIX = "dc=default,dc=com"
++TEST_DEFAULT_NAME = "default"
++
++
++def test_import_be_default(topo):
++ """ Create a backend using the name "default". previously this name was
++ used int
++
++ :id: 8e507beb-e917-4330-8cac-1ff0eee10508
++ :feature: Import
++ :setup: Standalone instance
++ :steps:
++ 1. Create a test suffix using the be name of "default"
++ 2. Create an ldif for the "default" backend
++ 3. Import ldif
++ 4. Verify all entries were imported
++ :expectedresults:
++ 1. Success
++ 2. Success
++ 3. Success
++ 4. Success
++ """
++ log.info('Adding suffix:{} and backend: {}...'.format(TEST_DEFAULT_SUFFIX,
++ TEST_DEFAULT_NAME))
++ backends = Backends(topo.standalone)
++ backends.create(properties={BACKEND_SUFFIX: TEST_DEFAULT_SUFFIX,
++ BACKEND_NAME: TEST_DEFAULT_NAME})
++
++ log.info('Create LDIF file and import it...')
++ ldif_dir = topo.standalone.get_ldif_dir()
++ ldif_file = os.path.join(ldif_dir, 'default.ldif')
++ dbgen(topo.standalone, 5, ldif_file, TEST_DEFAULT_SUFFIX)
++
++ log.info('Stopping the server and running offline import...')
++ topo.standalone.stop()
++ assert topo.standalone.ldif2db(TEST_DEFAULT_NAME, None, None,
++ None, ldif_file)
++ topo.standalone.start()
++
++ log.info('Verifying entry count after import...')
++ entries = topo.standalone.search_s(TEST_DEFAULT_SUFFIX,
++ ldap.SCOPE_SUBTREE,
++ "(objectclass=*)")
++ assert len(entries) > 1
++
++ log.info('Test PASSED')
+
+
+ def test_del_suffix_import(topo):
+diff --git a/ldap/servers/slapd/defbackend.c b/ldap/servers/slapd/defbackend.c
+index aa709da87..b0465e297 100644
+--- a/ldap/servers/slapd/defbackend.c
++++ b/ldap/servers/slapd/defbackend.c
+@@ -23,8 +23,6 @@
+ /*
+ * ---------------- Macros ---------------------------------------------------
+ */
+-#define DEFBACKEND_TYPE "default"
+-
+ #define DEFBACKEND_OP_NOT_HANDLED 0
+ #define DEFBACKEND_OP_HANDLED 1
+
+@@ -65,7 +63,7 @@ defbackend_init(void)
+ /*
+ * create a new backend
+ */
+- defbackend_backend = slapi_be_new(DEFBACKEND_TYPE, DEFBACKEND_TYPE, 1 /* Private */, 0 /* Do Not Log Changes */);
++ defbackend_backend = slapi_be_new(DEFBACKEND_TYPE, DEFBACKEND_NAME, 1 /* Private */, 0 /* Do Not Log Changes */);
+ if ((rc = slapi_pblock_set(pb, SLAPI_BACKEND, defbackend_backend)) != 0) {
+ errmsg = "slapi_pblock_set SLAPI_BACKEND failed";
+ goto cleanup_and_return;
+diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
+index 472a2f6aa..834949a67 100644
+--- a/ldap/servers/slapd/mapping_tree.c
++++ b/ldap/servers/slapd/mapping_tree.c
+@@ -748,7 +748,7 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep)
+ be_names = (char **)slapi_ch_calloc(1, sizeof(char *));
+ be_states = (int *)slapi_ch_calloc(1, sizeof(int));
+
+- tmp_backend_name = (char *)slapi_ch_strdup("default"); /* "NULL_CONTAINER" */
++ tmp_backend_name = (char *)slapi_ch_strdup(DEFBACKEND_NAME); /* "NULL_CONTAINER" */
+ (be_names)[be_list_count] = tmp_backend_name;
+
+ /* set backend as started by default */
+@@ -2250,7 +2250,10 @@ slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list, Slapi_E
+ if (ret != LDAP_SUCCESS) {
+ /* flag we have problems at least on part of the tree */
+ flag_partial_result = 1;
+- } else if ((((!slapi_sdn_issuffix(sdn, slapi_mtn_get_dn(node)) && !slapi_sdn_issuffix(slapi_mtn_get_dn(node), sdn))) || ((node_list == mapping_tree_root) && node->mtn_private && (scope != LDAP_SCOPE_BASE))) && (!be || strncmp(be->be_name, "default", 8))) {
++ } else if ((((!slapi_sdn_issuffix(sdn, slapi_mtn_get_dn(node)) && !slapi_sdn_issuffix(slapi_mtn_get_dn(node), sdn))) ||
++ ((node_list == mapping_tree_root) && node->mtn_private && (scope != LDAP_SCOPE_BASE))) &&
++ (!be || strncmp(be->be_name, DEFBACKEND_NAME, 8)))
++ {
+ if (be && !be_isdeleted(be)) {
+ /* wrong backend or referall, ignore it */
+ slapi_log_err(SLAPI_LOG_ARGS, "slapi_mapping_tree_select_all",
+diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
+index 7378c2d2a..eb97cdcc4 100644
+--- a/ldap/servers/slapd/slap.h
++++ b/ldap/servers/slapd/slap.h
+@@ -45,6 +45,9 @@ static char ptokPBE[34] = "Internal (Software) Token ";
+ #define SLAPD_EXEMODE_DBVERIFY 12
+ #define SLAPD_EXEMODE_UPGRADEDNFORMAT 13
+
++#define DEFBACKEND_TYPE "default"
++#define DEFBACKEND_NAME "DirectoryServerDefaultBackend"
++
+ #define LDAP_SYSLOG
+ #include <syslog.h>
+ #define RLIM_TYPE int
+diff --git a/src/lib389/lib389/dbgen.py b/src/lib389/lib389/dbgen.py
+index a0cda9430..68455b480 100644
+--- a/src/lib389/lib389/dbgen.py
++++ b/src/lib389/lib389/dbgen.py
+@@ -113,8 +113,13 @@ usercertificate;binary:: MIIBvjCCASegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAnMQ8wDQYD
+ DBGEN_HEADER = """dn: {SUFFIX}
+ objectClass: top
+ objectClass: domain
++<<<<<<< HEAD
+ dc: example
+ aci: (target=ldap:///{SUFFIX})(targetattr=*)(version 3.0; acl "acl1"; allow(write) userdn = "ldap:///self";)
++=======
++dc: {RDN}
++aci: (target=ldap:///{SUFFIX})(targetattr=*)(version 3.0; acl "acl1"; allow(write) userdn = "ldap:///self";)
++>>>>>>> 8fa838a4f... Ticket 49830 - Import fails if backend name is "default"
+ aci: (target=ldap:///{SUFFIX})(targetattr=*)(version 3.0; acl "acl2"; allow(write) groupdn = "ldap:///cn=Directory Administrators, {SUFFIX}";)
+ aci: (target=ldap:///{SUFFIX})(targetattr=*)(version 3.0; acl "acl3"; allow(read, search, compare) userdn = "ldap:///anyone";)
+
+@@ -145,7 +150,7 @@ ou: Payroll
+
+ """
+
+-def dbgen(instance, number, ldif_file, suffix):
++def dbgen(instance, number, ldif_file, suffix, pseudol10n=False):
+ familyname_file = os.path.join(instance.ds_paths.data_dir, 'dirsrv/data/dbgen-FamilyNames')
+ givename_file = os.path.join(instance.ds_paths.data_dir, 'dirsrv/data/dbgen-GivenNames')
+ familynames = []
+@@ -156,7 +161,11 @@ def dbgen(instance, number, ldif_file, suffix):
+ givennames = [n.strip() for n in f]
+
+ with open(ldif_file, 'w') as output:
+- output.write(DBGEN_HEADER.format(SUFFIX=suffix))
++ rdn = suffix.split(",", 1)[0].split("=", 1)[1]
++ output.write(DBGEN_HEADER.format(SUFFIX=suffix, RDN=rdn))
++ for ou in DBGEN_OUS:
++ ou = pseudolocalize(ou) if pseudol10n else ou
++ output.write(DBGEN_OU_TEMPLATE.format(SUFFIX=suffix, OU=ou))
+ for i in range(0, number):
+ # Pick a random ou
+ ou = random.choice(DBGEN_OUS)
+--
+2.17.1
+
diff --git a/SOURCES/0001-Ticket-48818-For-a-replica-bindDNGroup-should-be-fet.patch b/SOURCES/0001-Ticket-48818-For-a-replica-bindDNGroup-should-be-fet.patch
new file mode 100644
index 0000000..4571372
--- /dev/null
+++ b/SOURCES/0001-Ticket-48818-For-a-replica-bindDNGroup-should-be-fet.patch
@@ -0,0 +1,51 @@
+From 0ea14f45cbc834e4791fdc393c5a2a042fd08101 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Tue, 10 Jul 2018 12:07:45 +0200
+Subject: [PATCH] Ticket 48818 - For a replica bindDNGroup, should be fetched
+ the first time it is used not when the replica is started
+
+Bug Description:
+ The fetching of the bindDNGroup is working as designed but this ticket is to make it more flexible
+
+ At startup, if the group does not contain the replica_mgr.
+ No replication session will succeed until bindDnGroupCheckInterval delay.
+ updatedn_group_last_check is the timestamp of the last fetch. At startup
+ updatedn_group_last_check is set to the current time. So the next fetch will happen not before
+ updatedn_group_last_check+bindDnGroupCheckInterval.
+
+ If the groupDn is changed after startup, no incoming replication can happen for the first
+ bindDnGroupCheckInterval seconds
+
+Fix Description:
+ The fix consist to unset updatedn_group_last_check so that the group will be fetch when the first
+ incoming replication session will happen.
+
+https://pagure.io/389-ds-base/issue/49818
+
+Reviewed by: Mark Reynolds, Simon Spichugi (thanks !!!)
+
+Platforms tested: F27
+
+Flag Day: no
+
+Doc impact: no
+---
+ ldap/servers/plugins/replication/repl5_replica.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
+index dee20875e..41cad3bf0 100644
+--- a/ldap/servers/plugins/replication/repl5_replica.c
++++ b/ldap/servers/plugins/replication/repl5_replica.c
+@@ -2026,7 +2026,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
+ /* get replication bind dn groups */
+ r->updatedn_groups = replica_updatedn_group_new(e);
+ r->groupdn_list = replica_groupdn_list_new(r->updatedn_groups);
+- r->updatedn_group_last_check = time(NULL);
++ r->updatedn_group_last_check = 0;
+ /* get groupdn check interval */
+ if ((val = slapi_entry_attr_get_charptr(e, attr_replicaBindDnGroupCheckInterval))) {
+ if (repl_config_valid_num(attr_replicaBindDnGroupCheckInterval, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) {
+--
+2.17.1
+
diff --git a/SOURCES/0001-Ticket-49305-Need-to-wrap-atomic-calls.patch b/SOURCES/0001-Ticket-49305-Need-to-wrap-atomic-calls.patch
deleted file mode 100644
index 93820e4..0000000
--- a/SOURCES/0001-Ticket-49305-Need-to-wrap-atomic-calls.patch
+++ /dev/null
@@ -1,1325 +0,0 @@
-From 76e8c99e00f776fdab6cf834923d19f911f06fb9 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 28 Sep 2017 10:38:20 -0400
-Subject: [PATCH] Ticket 49305 - Need to wrap atomic calls
-
-Bug Description: Some RHEL 7.5 platforms (ppc 32bit) still do not support
- all the gcc built-in atomics. This breaks the downstream
- builds.
-
-Fix Description: Use wrapper functions for the atomic's using #define's
- to detect if builtin atomics are supported, otherwise
- use the generic nspr atomic functions.
-
-https://pagure.io/389-ds-base/issue/49305
-
-Reviewed by: tbordaz, lkrispen, and wibrown(Thanks!!!)
-
-(cherry picked from commit 93a29584ddae52497b898b451c2c810244627acb)
----
- ldap/servers/slapd/attrsyntax.c | 8 +-
- ldap/servers/slapd/back-ldbm/dblayer.c | 8 +-
- ldap/servers/slapd/entry.c | 8 +-
- ldap/servers/slapd/libglobs.c | 154 ++++++++++++++++-----------------
- ldap/servers/slapd/log.c | 9 +-
- ldap/servers/slapd/mapping_tree.c | 28 +++---
- ldap/servers/slapd/object.c | 7 +-
- ldap/servers/slapd/psearch.c | 7 +-
- ldap/servers/slapd/slapi-plugin.h | 65 ++++++++++----
- ldap/servers/slapd/slapi_counter.c | 113 +++++++++++++-----------
- 10 files changed, 223 insertions(+), 184 deletions(-)
-
-diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c
-index a0a60c4..1a9efef 100644
---- a/ldap/servers/slapd/attrsyntax.c
-+++ b/ldap/servers/slapd/attrsyntax.c
-@@ -274,7 +274,7 @@ attr_syntax_get_by_oid_locking_optional(const char *oid, PRBool use_lock, PRUint
- }
- asi = (struct asyntaxinfo *)PL_HashTableLookup_const(ht, oid);
- if (asi) {
-- slapi_atomic_incr(&(asi->asi_refcnt), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_incr_64(&(asi->asi_refcnt), __ATOMIC_RELEASE);
- }
- if (use_lock) {
- AS_UNLOCK_READ(oid2asi_lock);
-@@ -371,7 +371,7 @@ attr_syntax_get_by_name_locking_optional(const char *name, PRBool use_lock, PRUi
- }
- asi = (struct asyntaxinfo *)PL_HashTableLookup_const(ht, name);
- if (NULL != asi) {
-- slapi_atomic_incr(&(asi->asi_refcnt), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_incr_64(&(asi->asi_refcnt), __ATOMIC_RELEASE);
- }
- if (use_lock) {
- AS_UNLOCK_READ(name2asi_lock);
-@@ -406,7 +406,7 @@ attr_syntax_return_locking_optional(struct asyntaxinfo *asi, PRBool use_lock)
- }
- if (NULL != asi) {
- PRBool delete_it = PR_FALSE;
-- if (0 == slapi_atomic_decr(&(asi->asi_refcnt), __ATOMIC_ACQ_REL, ATOMIC_LONG)) {
-+ if (0 == slapi_atomic_decr_64(&(asi->asi_refcnt), __ATOMIC_ACQ_REL)) {
- delete_it = asi->asi_marked_for_delete;
- }
-
-@@ -540,7 +540,7 @@ attr_syntax_delete_no_lock(struct asyntaxinfo *asi,
- PL_HashTableRemove(ht, asi->asi_aliases[i]);
- }
- }
-- if (slapi_atomic_load(&(asi->asi_refcnt), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) {
-+ if (slapi_atomic_load_64(&(asi->asi_refcnt), __ATOMIC_ACQUIRE) > 0) {
- asi->asi_marked_for_delete = PR_TRUE;
- } else {
- /* This is ok, but the correct thing is to call delete first,
-diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
-index c4c4959..9e557a2 100644
---- a/ldap/servers/slapd/back-ldbm/dblayer.c
-+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
-@@ -2880,7 +2880,7 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag
- /* it's like a semaphore -- when count > 0, any file handle that's in
- * the attrinfo will remain valid from here on.
- */
-- slapi_atomic_incr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_incr_64(&(a->ai_dblayer_count), __ATOMIC_RELEASE);
-
- if (a->ai_dblayer && ((dblayer_handle *)(a->ai_dblayer))->dblayer_dbp) {
- /* This means that the pointer is valid, so we should return it. */
-@@ -2938,7 +2938,7 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag
- /* some sort of error -- we didn't open a handle at all.
- * decrement the refcount back to where it was.
- */
-- slapi_atomic_decr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_decr_64(&(a->ai_dblayer_count), __ATOMIC_RELEASE);
- }
-
- return return_value;
-@@ -2950,7 +2950,7 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag
- int
- dblayer_release_index_file(backend *be __attribute__((unused)), struct attrinfo *a, DB *pDB __attribute__((unused)))
- {
-- slapi_atomic_decr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_decr_64(&(a->ai_dblayer_count), __ATOMIC_RELEASE);
- return 0;
- }
-
-@@ -3057,7 +3057,7 @@ dblayer_erase_index_file_ex(backend *be, struct attrinfo *a, PRBool use_lock, in
-
- dblayer_release_index_file(be, a, db);
-
-- while (slapi_atomic_load(&(a->ai_dblayer_count), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) {
-+ while (slapi_atomic_load_64(&(a->ai_dblayer_count), __ATOMIC_ACQUIRE) > 0) {
- /* someone is using this index file */
- /* ASSUMPTION: you have already set the INDEX_OFFLINE flag, because
- * you intend to mess with this index. therefore no new requests
-diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
-index 289a149..fbbc8fa 100644
---- a/ldap/servers/slapd/entry.c
-+++ b/ldap/servers/slapd/entry.c
-@@ -2249,14 +2249,14 @@ static int32_t g_virtual_watermark = 0; /* good enough to init */
- int
- slapi_entry_vattrcache_watermark_isvalid(const Slapi_Entry *e)
- {
-- return e->e_virtual_watermark == slapi_atomic_load(&g_virtual_watermark, __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return e->e_virtual_watermark == slapi_atomic_load_32(&g_virtual_watermark, __ATOMIC_ACQUIRE);
-
- }
-
- void
- slapi_entry_vattrcache_watermark_set(Slapi_Entry *e)
- {
-- e->e_virtual_watermark = slapi_atomic_load(&g_virtual_watermark, __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ e->e_virtual_watermark = slapi_atomic_load_32(&g_virtual_watermark, __ATOMIC_ACQUIRE);
- }
-
- void
-@@ -2269,8 +2269,8 @@ void
- slapi_entrycache_vattrcache_watermark_invalidate()
- {
- /* Make sure the value is never 0 */
-- if (slapi_atomic_incr(&g_virtual_watermark, __ATOMIC_RELEASE, ATOMIC_INT) == 0) {
-- slapi_atomic_incr(&g_virtual_watermark, __ATOMIC_RELEASE, ATOMIC_INT);
-+ if (slapi_atomic_incr_32(&g_virtual_watermark, __ATOMIC_RELEASE) == 0) {
-+ slapi_atomic_incr_32(&g_virtual_watermark, __ATOMIC_RELEASE);
- }
- }
-
-diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
-index 4c54cf7..1ba3000 100644
---- a/ldap/servers/slapd/libglobs.c
-+++ b/ldap/servers/slapd/libglobs.c
-@@ -1335,19 +1335,19 @@ static uint64_t active_threads = 0;
- void
- g_incr_active_threadcnt(void)
- {
-- slapi_atomic_incr(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_incr_64(&active_threads, __ATOMIC_RELEASE);
- }
-
- void
- g_decr_active_threadcnt(void)
- {
-- slapi_atomic_decr(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_decr_64(&active_threads, __ATOMIC_RELEASE);
- }
-
- uint64_t
- g_get_active_threadcnt(void)
- {
-- return slapi_atomic_load(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG);
-+ return slapi_atomic_load_64(&active_threads, __ATOMIC_RELEASE);
- }
-
- /*
-@@ -1936,7 +1936,7 @@ config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf,
- size = NDN_DEFAULT_SIZE;
- }
- if (apply) {
-- slapi_atomic_store(&(slapdFrontendConfig->ndn_cache_max_size), &size, __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_store_64(&(slapdFrontendConfig->ndn_cache_max_size), size, __ATOMIC_RELEASE);
- }
-
- return retVal;
-@@ -3476,7 +3476,7 @@ int32_t
- config_get_dynamic_plugins(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->dynamic_plugins), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->dynamic_plugins), __ATOMIC_ACQUIRE);
-
- }
-
-@@ -3499,7 +3499,7 @@ int32_t
- config_get_cn_uses_dn_syntax_in_dns()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->cn_uses_dn_syntax_in_dns), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->cn_uses_dn_syntax_in_dns), __ATOMIC_ACQUIRE);
- }
-
- int32_t
-@@ -3544,7 +3544,7 @@ config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char *
- newval = LDAP_OFF;
- }
-
-- slapi_atomic_store(configvalue, &newval, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(configvalue, newval, __ATOMIC_RELEASE);
-
- return retVal;
- }
-@@ -3916,7 +3916,7 @@ config_set_threadnumber(const char *attrname, char *value, char *errorbuf, int a
- retVal = LDAP_OPERATIONS_ERROR;
- }
- if (apply) {
-- slapi_atomic_store(&(slapdFrontendConfig->threadnumber), &threadnum, __ATOMIC_RELAXED, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->threadnumber), threadnum, __ATOMIC_RELAXED);
- }
- return retVal;
- }
-@@ -3925,7 +3925,7 @@ int
- config_set_maxthreadsperconn(const char *attrname, char *value, char *errorbuf, int apply)
- {
- int retVal = LDAP_SUCCESS;
-- long maxthreadnum = 0;
-+ int32_t maxthreadnum = 0;
- char *endp = NULL;
-
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-@@ -3935,7 +3935,7 @@ config_set_maxthreadsperconn(const char *attrname, char *value, char *errorbuf,
- }
-
- errno = 0;
-- maxthreadnum = strtol(value, &endp, 10);
-+ maxthreadnum = (int32_t)strtol(value, &endp, 10);
-
- if (*endp != '\0' || errno == ERANGE || maxthreadnum < 1 || maxthreadnum > 65535) {
- slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
-@@ -3945,7 +3945,7 @@ config_set_maxthreadsperconn(const char *attrname, char *value, char *errorbuf,
- }
-
- if (apply) {
-- slapi_atomic_store(&(slapdFrontendConfig->maxthreadsperconn), &maxthreadnum, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->maxthreadsperconn), maxthreadnum, __ATOMIC_RELEASE);
- }
- return retVal;
- }
-@@ -4083,7 +4083,7 @@ int
- config_set_ioblocktimeout(const char *attrname, char *value, char *errorbuf, int apply)
- {
- int retVal = LDAP_SUCCESS;
-- long nValue = 0;
-+ int32_t nValue = 0;
- char *endp = NULL;
-
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-@@ -4093,7 +4093,7 @@ config_set_ioblocktimeout(const char *attrname, char *value, char *errorbuf, int
- }
-
- errno = 0;
-- nValue = strtol(value, &endp, 10);
-+ nValue = (int32_t)strtol(value, &endp, 10);
-
- if (*endp != '\0' || errno == ERANGE || nValue < 0) {
- slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: invalid value \"%s\", I/O block timeout must range from 0 to %lld",
-@@ -4103,7 +4103,7 @@ config_set_ioblocktimeout(const char *attrname, char *value, char *errorbuf, int
- }
-
- if (apply) {
-- slapi_atomic_store(&(slapdFrontendConfig->ioblocktimeout), &nValue, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->ioblocktimeout), nValue, __ATOMIC_RELEASE);
- }
- return retVal;
- }
-@@ -4607,7 +4607,7 @@ int32_t
- config_get_sasl_mapping_fallback()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->sasl_mapping_fallback), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->sasl_mapping_fallback), __ATOMIC_ACQUIRE);
-
- }
-
-@@ -4615,14 +4615,14 @@ int32_t
- config_get_disk_monitoring()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->disk_monitoring), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->disk_monitoring), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_disk_logging_critical()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->disk_logging_critical), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->disk_logging_critical), __ATOMIC_ACQUIRE);
- }
-
- int
-@@ -4669,14 +4669,14 @@ int32_t
- config_get_ldapi_switch()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->ldapi_switch), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->ldapi_switch), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_ldapi_bind_switch()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->ldapi_bind_switch), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->ldapi_bind_switch), __ATOMIC_ACQUIRE);
- }
-
- char *
-@@ -4695,7 +4695,7 @@ int
- config_get_ldapi_map_entries()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->ldapi_map_entries), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->ldapi_map_entries), __ATOMIC_ACQUIRE);
- }
-
- char *
-@@ -4765,7 +4765,7 @@ int32_t
- config_get_slapi_counters()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->slapi_counters), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->slapi_counters), __ATOMIC_ACQUIRE);
-
- }
-
-@@ -4948,7 +4948,7 @@ int32_t
- config_get_pw_change(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_change), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_change), __ATOMIC_ACQUIRE);
- }
-
-
-@@ -4956,7 +4956,7 @@ int32_t
- config_get_pw_history(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_history), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_history), __ATOMIC_ACQUIRE);
- }
-
-
-@@ -4964,21 +4964,21 @@ int32_t
- config_get_pw_must_change(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_must_change), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_must_change), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_allow_hashed_pw(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->allow_hashed_pw), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->allow_hashed_pw), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_pw_syntax(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_syntax), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_syntax), __ATOMIC_ACQUIRE);
- }
-
-
-@@ -5167,21 +5167,21 @@ int32_t
- config_get_pw_is_global_policy(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->pw_is_global_policy), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_is_global_policy), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_pw_is_legacy_policy(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_is_legacy), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_is_legacy), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_pw_exp(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_exp), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_exp), __ATOMIC_ACQUIRE);
- }
-
-
-@@ -5189,14 +5189,14 @@ int32_t
- config_get_pw_unlock(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_unlock), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_unlock), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_pw_lockout()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_lockout), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_lockout), __ATOMIC_ACQUIRE);
- }
-
- int
-@@ -5216,112 +5216,112 @@ int32_t
- config_get_lastmod()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->lastmod), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->lastmod), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_enquote_sup_oc()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->enquote_sup_oc), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->enquote_sup_oc), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_nagle(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->nagle), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->nagle), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_accesscontrol(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->accesscontrol), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->accesscontrol), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_return_exact_case(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->return_exact_case), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->return_exact_case), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_result_tweak(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->result_tweak), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->result_tweak), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_moddn_aci(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->moddn_aci), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->moddn_aci), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_security(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->security), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->security), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- slapi_config_get_readonly(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->readonly), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->readonly), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_schemacheck(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->schemacheck), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->schemacheck), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_schemamod(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->schemamod), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->schemamod), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_syntaxcheck(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->syntaxcheck), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->syntaxcheck), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_syntaxlogging(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->syntaxlogging), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->syntaxlogging), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_dn_validate_strict(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->dn_validate_strict), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->dn_validate_strict), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_ds4_compatible_schema(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->ds4_compatible_schema), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->ds4_compatible_schema), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_schema_ignore_trailing_spaces(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->schema_ignore_trailing_spaces), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->schema_ignore_trailing_spaces), __ATOMIC_ACQUIRE);
- }
-
- char *
-@@ -5405,7 +5405,7 @@ config_get_threadnumber(void)
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- int32_t retVal;
-
-- retVal = slapi_atomic_load(&(slapdFrontendConfig->threadnumber), __ATOMIC_RELAXED, ATOMIC_INT);
-+ retVal = slapi_atomic_load_32(&(slapdFrontendConfig->threadnumber), __ATOMIC_RELAXED);
-
- if (retVal <= 0) {
- retVal = util_get_hardware_threads();
-@@ -5423,7 +5423,7 @@ int32_t
- config_get_maxthreadsperconn()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->maxthreadsperconn), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->maxthreadsperconn), __ATOMIC_ACQUIRE);
- }
-
- int
-@@ -5455,7 +5455,7 @@ int32_t
- config_get_ioblocktimeout()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->ioblocktimeout), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->ioblocktimeout), __ATOMIC_ACQUIRE);
- }
-
- int
-@@ -5772,21 +5772,21 @@ int32_t
- config_get_unauth_binds_switch(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->allow_unauth_binds), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->allow_unauth_binds), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_require_secure_binds(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->require_secure_binds), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->require_secure_binds), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_anon_access_switch(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->allow_anon_access), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->allow_anon_access), __ATOMIC_ACQUIRE);
- }
-
- int
-@@ -6028,7 +6028,7 @@ int32_t
- config_get_minssf_exclude_rootdse()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->minssf_exclude_rootdse), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->minssf_exclude_rootdse), __ATOMIC_ACQUIRE);
-
- }
-
-@@ -6057,7 +6057,7 @@ config_set_max_filter_nest_level(const char *attrname, char *value, char *errorb
- return retVal;
- }
-
-- slapi_atomic_store(&(slapdFrontendConfig->max_filter_nest_level), &level, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->max_filter_nest_level), level, __ATOMIC_RELEASE);
- return retVal;
- }
-
-@@ -6065,28 +6065,28 @@ int32_t
- config_get_max_filter_nest_level()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->max_filter_nest_level), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->max_filter_nest_level), __ATOMIC_ACQUIRE);
- }
-
- uint64_t
- config_get_ndn_cache_size()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->ndn_cache_max_size), __ATOMIC_ACQUIRE, ATOMIC_LONG);
-+ return slapi_atomic_load_64(&(slapdFrontendConfig->ndn_cache_max_size), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_ndn_cache_enabled()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->ndn_cache_enabled), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->ndn_cache_enabled), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_return_orig_type_switch()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->return_orig_type), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->return_orig_type), __ATOMIC_ACQUIRE);
- }
-
- char *
-@@ -6788,7 +6788,7 @@ int32_t
- config_get_force_sasl_external(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->force_sasl_external), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->force_sasl_external), __ATOMIC_ACQUIRE);
- }
-
- int32_t
-@@ -6810,7 +6810,7 @@ int32_t
- config_get_entryusn_global(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->entryusn_global), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->entryusn_global), __ATOMIC_ACQUIRE);
- }
-
- int32_t
-@@ -7048,21 +7048,21 @@ int32_t
- config_get_enable_turbo_mode(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->enable_turbo_mode), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->enable_turbo_mode), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_connection_nocanon(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->connection_nocanon), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->connection_nocanon), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_plugin_logging(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->plugin_logging), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->plugin_logging), __ATOMIC_ACQUIRE);
- }
-
- int32_t
-@@ -7075,21 +7075,21 @@ int32_t
- config_get_unhashed_pw_switch()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->unhashed_pw_switch), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->unhashed_pw_switch), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_ignore_time_skew(void)
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->ignore_time_skew), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->ignore_time_skew), __ATOMIC_ACQUIRE);
- }
-
- int32_t
- config_get_global_backend_lock()
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- return slapi_atomic_load(&(slapdFrontendConfig->global_backend_lock), __ATOMIC_ACQUIRE, ATOMIC_INT);
-+ return slapi_atomic_load_32(&(slapdFrontendConfig->global_backend_lock), __ATOMIC_ACQUIRE);
- }
-
- int32_t
-@@ -7185,7 +7185,7 @@ config_set_connection_buffer(const char *attrname, char *value, char *errorbuf,
- }
-
- val = atoi(value);
-- slapi_atomic_store(&(slapdFrontendConfig->connection_buffer), &val, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->connection_buffer), val, __ATOMIC_RELEASE);
-
- return retVal;
- }
-@@ -7209,7 +7209,7 @@ config_set_listen_backlog_size(const char *attrname, char *value, char *errorbuf
- }
-
- if (apply) {
-- slapi_atomic_store(&(slapdFrontendConfig->listen_backlog_size), &size, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->listen_backlog_size), size, __ATOMIC_RELEASE);
- }
- return LDAP_SUCCESS;
- }
-@@ -7622,7 +7622,7 @@ config_set_accesslog_enabled(int value)
- char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
- errorbuf[0] = '\0';
-
-- slapi_atomic_store(&(slapdFrontendConfig->accesslog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->accesslog_logging_enabled), value, __ATOMIC_RELEASE);
- if (value) {
- log_set_logging(CONFIG_ACCESSLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_ACCESS_LOG, errorbuf, CONFIG_APPLY);
- } else {
-@@ -7640,7 +7640,7 @@ config_set_auditlog_enabled(int value)
- char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
- errorbuf[0] = '\0';
-
-- slapi_atomic_store(&(slapdFrontendConfig->auditlog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->auditlog_logging_enabled), value, __ATOMIC_RELEASE);
- if (value) {
- log_set_logging(CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_AUDIT_LOG, errorbuf, CONFIG_APPLY);
- } else {
-@@ -7658,7 +7658,7 @@ config_set_auditfaillog_enabled(int value)
- char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
- errorbuf[0] = '\0';
-
-- slapi_atomic_store(&(slapdFrontendConfig->auditfaillog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->auditfaillog_logging_enabled), value, __ATOMIC_RELEASE);
- if (value) {
- log_set_logging(CONFIG_AUDITFAILLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_AUDITFAIL_LOG, errorbuf, CONFIG_APPLY);
- } else {
-@@ -7736,7 +7736,7 @@ config_set_malloc_mxfast(const char *attrname, char *value, char *errorbuf, int
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- int max = 80 * (sizeof(size_t) / 4);
-- int mxfast;
-+ int32_t mxfast;
- char *endp = NULL;
-
- if (config_value_is_null(attrname, value, errorbuf, 0)) {
-@@ -7749,7 +7749,7 @@ config_set_malloc_mxfast(const char *attrname, char *value, char *errorbuf, int
- value, CONFIG_MALLOC_MXFAST, max);
- return LDAP_OPERATIONS_ERROR;
- }
-- slapi_atomic_store(&(slapdFrontendConfig->malloc_mxfast), &mxfast, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->malloc_mxfast), mxfast, __ATOMIC_RELEASE);
-
- if ((mxfast >= 0) && (mxfast <= max)) {
- mallopt(M_MXFAST, mxfast);
-@@ -7775,7 +7775,7 @@ int
- config_set_malloc_trim_threshold(const char *attrname, char *value, char *errorbuf, int apply __attribute__((unused)))
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- int trim_threshold;
-+ int32_t trim_threshold;
- char *endp = NULL;
-
- if (config_value_is_null(attrname, value, errorbuf, 0)) {
-@@ -7789,7 +7789,7 @@ config_set_malloc_trim_threshold(const char *attrname, char *value, char *errorb
- return LDAP_OPERATIONS_ERROR;
- }
-
-- slapi_atomic_store(&(slapdFrontendConfig->malloc_trim_threshold), &trim_threshold, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->malloc_trim_threshold), trim_threshold, __ATOMIC_RELEASE);
-
- if (trim_threshold >= -1) {
- mallopt(M_TRIM_THRESHOLD, trim_threshold);
-@@ -7836,7 +7836,7 @@ config_set_malloc_mmap_threshold(const char *attrname, char *value, char *errorb
- return LDAP_OPERATIONS_ERROR;
- }
-
-- slapi_atomic_store(&(slapdFrontendConfig->malloc_mmap_threshold), &mmap_threshold, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->malloc_mmap_threshold), mmap_threshold, __ATOMIC_RELEASE);
-
- if ((mmap_threshold >= 0) && (mmap_threshold <= max)) {
- mallopt(M_MMAP_THRESHOLD, mmap_threshold);
-diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
-index 4d44c87..e16d89c 100644
---- a/ldap/servers/slapd/log.c
-+++ b/ldap/servers/slapd/log.c
-@@ -4942,13 +4942,12 @@ static LogBufferInfo *
- log_create_buffer(size_t sz)
- {
- LogBufferInfo *lbi;
-- uint64_t init_val = 0;
-
- lbi = (LogBufferInfo *)slapi_ch_malloc(sizeof(LogBufferInfo));
- lbi->top = (char *)slapi_ch_malloc(sz);
- lbi->current = lbi->top;
- lbi->maxsize = sz;
-- slapi_atomic_store(&(lbi->refcount), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_store_64(&(lbi->refcount), 0, __ATOMIC_RELEASE);
- return lbi;
- }
-
-@@ -5010,7 +5009,7 @@ log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_t size1, cha
- insert_point = lbi->current;
- lbi->current += size;
- /* Increment the copy refcount */
-- slapi_atomic_incr(&(lbi->refcount), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_incr_64(&(lbi->refcount), __ATOMIC_RELEASE);
- PR_Unlock(lbi->lock);
-
- /* Now we can copy without holding the lock */
-@@ -5018,7 +5017,7 @@ log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_t size1, cha
- memcpy(insert_point + size1, msg2, size2);
-
- /* Decrement the copy refcount */
-- slapi_atomic_decr(&(lbi->refcount), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_decr_64(&(lbi->refcount), __ATOMIC_RELEASE);
-
- /* If we are asked to sync to disk immediately, do so */
- if (!slapdFrontendConfig->accesslogbuffering) {
-@@ -5038,7 +5037,7 @@ log_flush_buffer(LogBufferInfo *lbi, int type, int sync_now)
- if (type == SLAPD_ACCESS_LOG) {
-
- /* It is only safe to flush once any other threads which are copying are finished */
-- while (slapi_atomic_load(&(lbi->refcount), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) {
-+ while (slapi_atomic_load_64(&(lbi->refcount), __ATOMIC_ACQUIRE) > 0) {
- /* It's ok to sleep for a while because we only flush every second or so */
- DS_Sleep(PR_MillisecondsToInterval(1));
- }
-diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
-index 6621ceb..8cc5318 100644
---- a/ldap/servers/slapd/mapping_tree.c
-+++ b/ldap/servers/slapd/mapping_tree.c
-@@ -1647,7 +1647,7 @@ mapping_tree_init()
-
- /* we call this function from a single thread, so it should be ok */
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown has been detected */
- return 0;
- }
-@@ -1759,8 +1759,6 @@ mtn_free_node(mapping_tree_node **node)
- void
- mapping_tree_free()
- {
-- int init_val = 1;
--
- /* unregister dse callbacks */
- slapi_config_remove_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, MAPPING_TREE_BASE_DN, LDAP_SCOPE_BASE, "(objectclass=*)", mapping_tree_entry_modify_callback);
- slapi_config_remove_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, MAPPING_TREE_BASE_DN, LDAP_SCOPE_BASE, "(objectclass=*)", mapping_tree_entry_add_callback);
-@@ -1773,7 +1771,7 @@ mapping_tree_free()
- slapi_unregister_backend_state_change_all();
- /* recursively free tree nodes */
- mtn_free_node(&mapping_tree_root);
-- slapi_atomic_store(&mapping_tree_freed, &init_val, __ATOMIC_RELAXED, ATOMIC_INT);
-+ slapi_atomic_store_32(&mapping_tree_freed, 1, __ATOMIC_RELAXED);
- }
-
- /* This function returns the first node to parse when a search is done
-@@ -2024,7 +2022,7 @@ slapi_dn_write_needs_referral(Slapi_DN *target_sdn, Slapi_Entry **referral)
- mapping_tree_node *target_node = NULL;
- int ret = 0;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- goto done;
- }
-@@ -2095,7 +2093,7 @@ slapi_mapping_tree_select(Slapi_PBlock *pb, Slapi_Backend **be, Slapi_Entry **re
- int fixup = 0;
-
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return LDAP_OPERATIONS_ERROR;
- }
-@@ -2200,7 +2198,7 @@ slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list, Slapi_E
- int flag_partial_result = 0;
- int op_type;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- return LDAP_OPERATIONS_ERROR;
- }
-
-@@ -2360,7 +2358,7 @@ slapi_mapping_tree_select_and_check(Slapi_PBlock *pb, char *newdn, Slapi_Backend
- int ret;
- int need_unlock = 0;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- return LDAP_OPERATIONS_ERROR;
- }
-
-@@ -2526,7 +2524,7 @@ mtn_get_be(mapping_tree_node *target_node, Slapi_PBlock *pb, Slapi_Backend **be,
- int flag_stop = 0;
- struct slapi_componentid *cid = NULL;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shut down detected */
- return LDAP_OPERATIONS_ERROR;
- }
-@@ -2714,7 +2712,7 @@ best_matching_child(mapping_tree_node *parent,
- mapping_tree_node *highest_match_node = NULL;
- mapping_tree_node *current;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2741,7 +2739,7 @@ mtn_get_mapping_tree_node_by_entry(mapping_tree_node *node, const Slapi_DN *dn)
- {
- mapping_tree_node *found_node = NULL;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2784,7 +2782,7 @@ slapi_get_mapping_tree_node_by_dn(const Slapi_DN *dn)
- mapping_tree_node *current_best_match = mapping_tree_root;
- mapping_tree_node *next_best_match = mapping_tree_root;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2818,7 +2816,7 @@ get_mapping_tree_node_by_name(mapping_tree_node *node, char *be_name)
- int i;
- mapping_tree_node *found_node = NULL;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2865,7 +2863,7 @@ slapi_get_mapping_tree_node_configdn(const Slapi_DN *root)
- {
- char *dn = NULL;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2892,7 +2890,7 @@ slapi_get_mapping_tree_node_configsdn(const Slapi_DN *root)
- char *dn = NULL;
- Slapi_DN *sdn = NULL;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-diff --git a/ldap/servers/slapd/object.c b/ldap/servers/slapd/object.c
-index 6a1a9a5..8e55a16 100644
---- a/ldap/servers/slapd/object.c
-+++ b/ldap/servers/slapd/object.c
-@@ -43,12 +43,11 @@ Object *
- object_new(void *user_data, FNFree destructor)
- {
- Object *o;
-- uint64_t init_val = 1;
-
- o = (object *)slapi_ch_malloc(sizeof(object));
- o->destructor = destructor;
- o->data = user_data;
-- slapi_atomic_store(&(o->refcnt), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_store_64(&(o->refcnt), 1, __ATOMIC_RELEASE);
- return o;
- }
-
-@@ -62,7 +61,7 @@ void
- object_acquire(Object *o)
- {
- PR_ASSERT(NULL != o);
-- slapi_atomic_incr(&(o->refcnt), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_incr_64(&(o->refcnt), __ATOMIC_RELEASE);
- }
-
-
-@@ -77,7 +76,7 @@ object_release(Object *o)
- PRInt32 refcnt_after_release;
-
- PR_ASSERT(NULL != o);
-- refcnt_after_release = slapi_atomic_decr(&(o->refcnt), __ATOMIC_ACQ_REL, ATOMIC_LONG);
-+ refcnt_after_release = slapi_atomic_decr_64(&(o->refcnt), __ATOMIC_ACQ_REL);
- if (refcnt_after_release == 0) {
- /* Object can be destroyed */
- if (o->destructor)
-diff --git a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c
-index 70c530b..e0dd2bf 100644
---- a/ldap/servers/slapd/psearch.c
-+++ b/ldap/servers/slapd/psearch.c
-@@ -134,7 +134,7 @@ ps_stop_psearch_system()
- if (PS_IS_INITIALIZED()) {
- PSL_LOCK_WRITE();
- for (ps = psearch_list->pl_head; NULL != ps; ps = ps->ps_next) {
-- slapi_atomic_incr(&(ps->ps_complete), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_incr_64(&(ps->ps_complete), __ATOMIC_RELEASE);
- }
- PSL_UNLOCK_WRITE();
- ps_wakeup_all();
-@@ -285,7 +285,7 @@ ps_send_results(void *arg)
-
- PR_Lock(psearch_list->pl_cvarlock);
-
-- while ((conn_acq_flag == 0) && slapi_atomic_load(&(ps->ps_complete), __ATOMIC_ACQUIRE, ATOMIC_LONG) == 0) {
-+ while ((conn_acq_flag == 0) && slapi_atomic_load_64(&(ps->ps_complete), __ATOMIC_ACQUIRE) == 0) {
- /* Check for an abandoned operation */
- if (pb_op == NULL || slapi_op_abandoned(ps->ps_pblock)) {
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
-@@ -427,7 +427,6 @@ static PSearch *
- psearch_alloc(void)
- {
- PSearch *ps;
-- uint64_t init_val = 0;
-
- ps = (PSearch *)slapi_ch_calloc(1, sizeof(PSearch));
-
-@@ -438,7 +437,7 @@ psearch_alloc(void)
- slapi_ch_free((void **)&ps);
- return (NULL);
- }
-- slapi_atomic_store(&(ps->ps_complete), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_store_64(&(ps->ps_complete), 0, __ATOMIC_RELEASE);
- ps->ps_eq_head = ps->ps_eq_tail = (PSEQNode *)NULL;
- ps->ps_lasttime = (time_t)0L;
- ps->ps_next = NULL;
-diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
-index c434add..4566202 100644
---- a/ldap/servers/slapd/slapi-plugin.h
-+++ b/ldap/servers/slapd/slapi-plugin.h
-@@ -8202,56 +8202,87 @@ void slapi_operation_time_initiated(Slapi_Operation *o, struct timespec *initiat
- */
- #endif
-
--/* See: https://gcc.gnu.org/ml/gcc/2016-11/txt6ZlA_JS27i.txt */
--#define ATOMIC_GENERIC 0
--#define ATOMIC_INT 4
--#define ATOMIC_LONG 8
--#define ATOMIC_INT128 16 /* Future */
-+/**
-+ * Store a 32bit integral value atomicly
-+ *
-+ * \param ptr - integral pointer
-+ * \param val - pointer to integral value (use integral type int32_t with ATOMIC_INT, or uint64_t
-+ * with ATOMIC_LONG & ATOMIC_GENERIC)
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ */
-+void slapi_atomic_store_32(int32_t *ptr, int32_t val, int memorder);
-
- /**
-- * Store an integral value atomicly
-+ * Store a 64bit integral value atomicly
- *
- * \param ptr - integral pointer
- * \param val - pointer to integral value (use integral type int32_t with ATOMIC_INT, or uint64_t
- * with ATOMIC_LONG & ATOMIC_GENERIC)
- * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
- * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-- * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
- */
--void slapi_atomic_store(void *ptr, void *val, int memorder, int type);
-+void slapi_atomic_store_64(uint64_t *ptr, uint64_t val, int memorder);
-
- /**
-- * Get an integral value atomicly
-+ * Get a 32bit integral value atomicly
- *
- * \param ptr - integral pointer
- * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
- * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-- * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
- * \return -
- */
--uint64_t slapi_atomic_load(void *ptr, int memorder, int type);
-+int32_t slapi_atomic_load_32(int32_t *ptr, int memorder);
-
- /**
-- * Increment integral atomicly
-+ * Get a 64bit integral value atomicly
-+ *
-+ * \param ptr - integral pointer
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ * \return ptr value
-+ */
-+uint64_t slapi_atomic_load_64(uint64_t *ptr, int memorder);
-+
-+/**
-+ * Increment a 32bit integral atomicly
- *
- * \param ptr - pointer to integral to increment
- * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
- * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-- * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
- * \return - new value of ptr
- */
--uint64_t slapi_atomic_incr(void *ptr, int memorder, int type);
-+int32_t slapi_atomic_incr_32(int32_t *ptr, int memorder);
-+
-+/**
-+ * Increment a 64bitintegral atomicly
-+ *
-+ * \param ptr - pointer to integral to increment
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ * \return - new value of ptr
-+ */
-+uint64_t slapi_atomic_incr_64(uint64_t *ptr, int memorder);
-+
-+/**
-+ * Decrement a 32bit integral atomicly
-+ *
-+ * \param ptr - pointer to integral to decrement
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ * \return - new value of ptr
-+ */
-+int32_t slapi_atomic_decr_32(int32_t *ptr, int memorder);
-
- /**
-- * Decrement integral atomicly
-+ * Decrement a 64bitintegral atomicly
- *
- * \param ptr - pointer to integral to decrement
- * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
- * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-- * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
- * \return - new value of ptr
- */
--uint64_t slapi_atomic_decr(void *ptr, int memorder, int type);
-+uint64_t slapi_atomic_decr_64(uint64_t *ptr, int memorder);
-
-
- #ifdef __cplusplus
-diff --git a/ldap/servers/slapd/slapi_counter.c b/ldap/servers/slapd/slapi_counter.c
-index 9e705b3..c5cae27 100644
---- a/ldap/servers/slapd/slapi_counter.c
-+++ b/ldap/servers/slapd/slapi_counter.c
-@@ -295,53 +295,41 @@ slapi_counter_get_value(Slapi_Counter *counter)
- * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, or __ATOMIC_SEQ_CST
- *
- * See: https://gcc.gnu.org/onlinedocs/gcc-4.9.2/gcc/_005f_005fatomic-Builtins.html
-- *
-- * type_size - ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG, see slapi-plugin.h for more info
-- *
-- * Future:
-- * If we need to support ATOMIC_INT128 (not available on 32bit systems):
-- * __atomic_store_16((uint64_t *)&ptr, val, memorder);
-- * __atomic_load_16((uint64_t *)&ptr, memorder);
-- * __atomic_add_fetch_16((uint64_t *)&ptr, 1, memorder);
-- * __atomic_sub_fetch_16((uint64_t *)&ptr, 1, memorder);
- */
-
- /*
-- * "val" must be either int32_t or uint64_t
-+ * atomic store functions (32bit and 64bit)
- */
- void
--slapi_atomic_store(void *ptr, void *val, int memorder, int type_size)
-+slapi_atomic_store_32(int32_t *ptr, int32_t val, int memorder)
- {
- #ifdef ATOMIC_64BIT_OPERATIONS
-- if (type_size == ATOMIC_INT) {
-- __atomic_store_4((int32_t *)ptr, *(int32_t *)val, memorder);
-- } else if (type_size == ATOMIC_LONG) {
-- __atomic_store_8((uint64_t *)ptr, *(uint64_t *)val, memorder);
-- } else {
-- /* ATOMIC_GENERIC or unknown size */
-- __atomic_store((uint64_t *)&ptr, (uint64_t *)val, memorder);
-- }
-+ __atomic_store_4(ptr, val, memorder);
- #else
- PRInt32 *pr_ptr = (PRInt32 *)ptr;
-- PR_AtomicSet(pr_ptr, *(PRInt32 *)val);
-+ PR_AtomicSet(pr_ptr, (PRInt32)val);
- #endif
- }
-
--uint64_t
--slapi_atomic_load(void *ptr, int memorder, int type_size)
-+void
-+slapi_atomic_store_64(uint64_t *ptr, uint64_t val, int memorder)
- {
- #ifdef ATOMIC_64BIT_OPERATIONS
-- uint64_t ret;
-+ __atomic_store_8(ptr, val, memorder);
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ PR_AtomicSet(pr_ptr, (PRInt32)val);
-+#endif
-+}
-
-- if (type_size == ATOMIC_INT) {
-- return __atomic_load_4((int32_t *)ptr, memorder);
-- } else if (type_size == ATOMIC_LONG) {
-- return __atomic_load_8((uint64_t *)ptr, memorder);
-- } else {
-- /* ATOMIC_GENERIC or unknown size */
-- __atomic_load((uint64_t *)ptr, &ret, memorder);
-- return ret;
-- }
-+/*
-+ * atomic load functions (32bit and 64bit)
-+ */
-+int32_t
-+slapi_atomic_load_32(int32_t *ptr, int memorder)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ return __atomic_load_4(ptr, memorder);
- #else
- PRInt32 *pr_ptr = (PRInt32 *)ptr;
- return PR_AtomicAdd(pr_ptr, 0);
-@@ -349,17 +337,24 @@ slapi_atomic_load(void *ptr, int memorder, int type_size)
- }
-
- uint64_t
--slapi_atomic_incr(void *ptr, int memorder, int type_size)
-+slapi_atomic_load_64(uint64_t *ptr, int memorder)
- {
- #ifdef ATOMIC_64BIT_OPERATIONS
-- if (type_size == ATOMIC_INT) {
-- return __atomic_add_fetch_4((int32_t *)ptr, 1, memorder);
-- } else if (type_size == ATOMIC_LONG) {
-- return __atomic_add_fetch_8((uint64_t *)ptr, 1, memorder);
-- } else {
-- /* ATOMIC_GENERIC or unknown size */
-- return __atomic_add_fetch((uint64_t *)ptr, 1, memorder);
-- }
-+ return __atomic_load_8(ptr, memorder);
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ return PR_AtomicAdd(pr_ptr, 0);
-+#endif
-+}
-+
-+/*
-+ * atomic increment functions (32bit and 64bit)
-+ */
-+int32_t
-+slapi_atomic_incr_32(int32_t *ptr, int memorder)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ return __atomic_add_fetch_4(ptr, 1, memorder);
- #else
- PRInt32 *pr_ptr = (PRInt32 *)ptr;
- return PR_AtomicIncrement(pr_ptr);
-@@ -367,17 +362,35 @@ slapi_atomic_incr(void *ptr, int memorder, int type_size)
- }
-
- uint64_t
--slapi_atomic_decr(void *ptr, int memorder, int type_size)
-+slapi_atomic_incr_64(uint64_t *ptr, int memorder)
- {
- #ifdef ATOMIC_64BIT_OPERATIONS
-- if (type_size == ATOMIC_INT) {
-- return __atomic_sub_fetch_4((int32_t *)ptr, 1, memorder);
-- } else if (type_size == ATOMIC_LONG) {
-- return __atomic_sub_fetch_8((uint64_t *)ptr, 1, memorder);
-- } else {
-- /* ATOMIC_GENERIC or unknown size */
-- return __atomic_sub_fetch((uint64_t *)ptr, 1, memorder);
-- }
-+ return __atomic_add_fetch_8(ptr, 1, memorder);
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ return PR_AtomicIncrement(pr_ptr);
-+#endif
-+}
-+
-+/*
-+ * atomic decrement functions (32bit and 64bit)
-+ */
-+int32_t
-+slapi_atomic_decr_32(int32_t *ptr, int memorder)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ return __atomic_sub_fetch_4(ptr, 1, memorder);
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ return PR_AtomicDecrement(pr_ptr);
-+#endif
-+}
-+
-+uint64_t
-+slapi_atomic_decr_64(uint64_t *ptr, int memorder)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ return __atomic_sub_fetch_8(ptr, 1, memorder);
- #else
- PRInt32 *pr_ptr = (PRInt32 *)ptr;
- return PR_AtomicDecrement(pr_ptr);
---
-2.9.5
-
diff --git a/SOURCES/0002-Ticket-49385-Fix-coverity-warnings.patch b/SOURCES/0002-Ticket-49385-Fix-coverity-warnings.patch
deleted file mode 100644
index 64e030f..0000000
--- a/SOURCES/0002-Ticket-49385-Fix-coverity-warnings.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-From 8308e20075adacfdf1827aaa3230e503207832bc Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Mon, 2 Oct 2017 09:33:29 -0400
-Subject: [PATCH] Ticket 49385 - Fix coverity warnings
-
-Description: This fixes coverity issues found from RHEL build of 1.3.7
-
-https://pagure.io/389-ds-base/issue/49385
-
-Reviewed by: lkrispenz(Thanks!)
-
-(cherry picked from commit 805e8f4d3016eb9c7906c1416482047a234d51ba)
----
- ldap/servers/plugins/http/http_impl.c | 1 +
- ldap/servers/plugins/replication/urp.c | 10 ++++++----
- ldap/servers/plugins/syntaxes/string.c | 1 +
- ldap/servers/slapd/back-ldbm/dbversion.c | 2 +-
- ldap/servers/slapd/back-ldbm/index.c | 1 +
- ldap/servers/slapd/conntable.c | 2 +-
- ldap/servers/slapd/modify.c | 1 +
- ldap/servers/slapd/plugin.c | 3 ++-
- ldap/servers/slapd/referral.c | 18 +++++++++---------
- ldap/servers/slapd/task.c | 8 ++++++--
- ldap/servers/snmp/main.c | 13 +++++++++++--
- 11 files changed, 40 insertions(+), 20 deletions(-)
-
-diff --git a/ldap/servers/plugins/http/http_impl.c b/ldap/servers/plugins/http/http_impl.c
-index d8bbe38..350c839 100644
---- a/ldap/servers/plugins/http/http_impl.c
-+++ b/ldap/servers/plugins/http/http_impl.c
-@@ -601,6 +601,7 @@ sendPostReq(PRFileDesc *fd, const char *path, httpheader **httpheaderArray, char
- if (path) {
- path_len = strlen(path);
- } else {
-+ path = "";
- path_len = 0;
- }
-
-diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c
-index 3d63c64..9534c03 100644
---- a/ldap/servers/plugins/replication/urp.c
-+++ b/ldap/servers/plugins/replication/urp.c
-@@ -856,7 +856,7 @@ urp_post_delete_operation(Slapi_PBlock *pb)
- static int
- urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
- {
-- Slapi_PBlock *add_pb = slapi_pblock_new();
-+ Slapi_PBlock *add_pb;
- Slapi_Entry *cenotaph = NULL;
- Slapi_Entry *pre_entry = NULL;
- int ret = 0;
-@@ -886,6 +886,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
- slapi_rdn_remove_attr (rdn, SLAPI_ATTR_UNIQUEID );
- slapi_rdn_add(rdn, "cenotaphID", uniqueid);
- newdn = slapi_ch_smprintf("%s,%s", slapi_rdn_get_rdn(rdn), parentdn);
-+ slapi_rdn_free(&rdn);
- slapi_ch_free_string(&parentdn);
- /* slapi_sdn_free(&pre_sdn); */
-
-@@ -902,6 +903,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
-
- slapi_log_err(SLAPI_LOG_REPL, sessionid,
- "urp_fixup_add_cenotaph - addinng cenotaph: %s \n", newdn);
-+ add_pb = slapi_pblock_new();
- slapi_pblock_init(add_pb);
-
- slapi_add_entry_internal_set_pb(add_pb,
-@@ -1661,8 +1663,8 @@ urp_conflict_to_glue (char *sessionid, const Slapi_Entry *entry, Slapi_DN *paren
- "urp_conflict_to_glue failed(%d) - %s --> %s\n", op_result, basedn, newrdn);
- rc = 1;
- }
-- slapi_ch_free ( (void**)&newrdn );
- }
-+ slapi_rdn_free(&parentrdn);
- return rc;
- }
- /*
-@@ -2166,11 +2168,11 @@ mod_objectclass_attr(const char *uniqueid, const Slapi_DN *entrysdn, const Slapi
- {
- Slapi_Mods smods;
- int op_result;
-- char csnstr[CSN_STRSIZE+1];
-+ char csnstr[CSN_STRSIZE+1] = {0};
-
- slapi_mods_init(&smods, 3);
- slapi_mods_add(&smods, LDAP_MOD_ADD, "objectclass", strlen("ldapsubentry"),"ldapsubentry");
-- slapi_mods_add(&smods, LDAP_MOD_REPLACE, "conflictcsn", strlen(csnstr),csn_as_string(opcsn, PR_FALSE, csnstr));
-+ slapi_mods_add(&smods, LDAP_MOD_REPLACE, "conflictcsn", CSN_STRSIZE, csn_as_string(opcsn, PR_FALSE, csnstr));
- op_result = urp_fixup_modify_entry(uniqueid, entrysdn, opcsn, &smods, 0);
- slapi_mods_done(&smods);
- if (op_result == LDAP_TYPE_OR_VALUE_EXISTS) {
-diff --git a/ldap/servers/plugins/syntaxes/string.c b/ldap/servers/plugins/syntaxes/string.c
-index f50dc13..e05ca7f 100644
---- a/ldap/servers/plugins/syntaxes/string.c
-+++ b/ldap/servers/plugins/syntaxes/string.c
-@@ -391,6 +391,7 @@ bailout:
- if (free_re) {
- slapi_re_free(re);
- }
-+ slapi_ch_free_string(&alt);
- slapi_ch_free((void **)&tmpbuf); /* NULL is fine */
- slapi_ch_free((void **)&bigpat); /* NULL is fine */
-
-diff --git a/ldap/servers/slapd/back-ldbm/dbversion.c b/ldap/servers/slapd/back-ldbm/dbversion.c
-index 01f86f4..5a77abd 100644
---- a/ldap/servers/slapd/back-ldbm/dbversion.c
-+++ b/ldap/servers/slapd/back-ldbm/dbversion.c
-@@ -159,7 +159,7 @@ dbversion_read(struct ldbminfo *li, const char *directory, char **ldbmversion, c
- }
- (void)PR_Close(prfd);
-
-- if (*dataversion == NULL) {
-+ if (dataversion == NULL || *dataversion == NULL) {
- slapi_log_err(SLAPI_LOG_DEBUG, "dbversion_read", "dataversion not present in \"%s\"\n", filename);
- }
- if (*ldbmversion == NULL) {
-diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
-index 798480e..58b11ed 100644
---- a/ldap/servers/slapd/back-ldbm/index.c
-+++ b/ldap/servers/slapd/back-ldbm/index.c
-@@ -1063,6 +1063,7 @@ index_read_ext_allids(
- /* The database might not exist. We have to assume it means empty set */
- slapi_log_err(SLAPI_LOG_TRACE, "index_read_ext_allids", "Failed to access idl index for %s\n", basetype);
- slapi_log_err(SLAPI_LOG_TRACE, "index_read_ext_allids", "Assuming %s has no index values\n", basetype);
-+ idl_free(&idl);
- idl = idl_alloc(0);
- break;
- } else {
-diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c
-index c04ca0f..7c57b47 100644
---- a/ldap/servers/slapd/conntable.c
-+++ b/ldap/servers/slapd/conntable.c
-@@ -347,7 +347,7 @@ connection_table_as_entry(Connection_Table *ct, Slapi_Entry *e)
-
- PR_EnterMonitor(ct->c[i].c_mutex);
- if (ct->c[i].c_sd != SLAPD_INVALID_SOCKET) {
-- char buf2[20];
-+ char buf2[SLAPI_TIMESTAMP_BUFSIZE+1];
- size_t lendn = ct->c[i].c_dn ? strlen(ct->c[i].c_dn) : 6; /* "NULLDN" */
- size_t lenip = ct->c[i].c_ipaddr ? strlen(ct->c[i].c_ipaddr) : 0;
- size_t lenconn = 1;
-diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index 4b5a676..6309975 100644
---- a/ldap/servers/slapd/modify.c
-+++ b/ldap/servers/slapd/modify.c
-@@ -923,6 +923,7 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
- if (pw_encodevals_ext(pb, sdn, va)) {
- slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
- send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
-+ valuearray_free(&va);
- goto free_and_return;
- }
-
-diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
-index f47ff9b..e02133a 100644
---- a/ldap/servers/slapd/plugin.c
-+++ b/ldap/servers/slapd/plugin.c
-@@ -4242,7 +4242,7 @@ bail:
- int
- slapi_set_plugin_default_config(const char *type, Slapi_Value *value)
- {
-- Slapi_PBlock *pb = slapi_pblock_new();
-+ Slapi_PBlock *pb;
- Slapi_Entry **entries = NULL;
- int rc = LDAP_SUCCESS;
- char **search_attrs = NULL; /* used by search */
-@@ -4251,6 +4251,7 @@ slapi_set_plugin_default_config(const char *type, Slapi_Value *value)
- return rc;
- }
-
-+ pb = slapi_pblock_new();
- charray_add(&search_attrs, slapi_ch_strdup(type));
-
- /* cn=plugin default config,cn=config */
-diff --git a/ldap/servers/slapd/referral.c b/ldap/servers/slapd/referral.c
-index c5d9ffc..5935820 100644
---- a/ldap/servers/slapd/referral.c
-+++ b/ldap/servers/slapd/referral.c
-@@ -153,7 +153,7 @@ referrals_free(void)
- struct berval **
- ref_adjust(Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn, int is_reference)
- {
-- int i, len, scope;
-+ int i, len, scope = 0;
- Slapi_DN *sdn = NULL;
- char *p, *opdn_norm;
- struct berval **urlscopy;
-@@ -195,9 +195,9 @@ ref_adjust(Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn, int i
-
- for (i = 0; urls[i] != NULL; ++i) {
- /*
-- * duplicate the URL, stripping off the label if there is one and
-- * leaving extra room for "??base" in case we need to append that.
-- */
-+ * duplicate the URL, stripping off the label if there is one and
-+ * leaving extra room for "??base" in case we need to append that.
-+ */
- urlscopy[i] = (struct berval *)slapi_ch_malloc(
- sizeof(struct berval));
- if ((p = strchr(urls[i]->bv_val, ' ')) == NULL) {
-@@ -210,16 +210,16 @@ ref_adjust(Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn, int i
- urlscopy[i]->bv_val[len] = '\0';
-
- /*
-- * adjust the baseDN as needed and set the length
-- */
-+ * adjust the baseDN as needed and set the length
-+ */
- adjust_referral_basedn(&urlscopy[i]->bv_val, refsdn,
- opdn_norm, is_reference);
- urlscopy[i]->bv_len = strlen(urlscopy[i]->bv_val);
-
- /*
-- * if we are dealing with a continuation reference that resulted
-- * from a one-level search, add a scope of base to the URL.
-- */
-+ * if we are dealing with a continuation reference that resulted
-+ * from a one-level search, add a scope of base to the URL.
-+ */
- if (is_reference && operation_get_type(op) == SLAPI_OPERATION_SEARCH &&
- scope == LDAP_SCOPE_ONELEVEL) {
- strcat(urlscopy[i]->bv_val, "??base");
-diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
-index f3d02d9..53a0af5 100644
---- a/ldap/servers/slapd/task.c
-+++ b/ldap/servers/slapd/task.c
-@@ -278,6 +278,10 @@ slapi_task_log_notice(Slapi_Task *task, char *format, ...)
- char buffer[LOG_BUFFER];
- size_t len;
-
-+ if (task == NULL) {
-+ return;
-+ }
-+
- va_start(ap, format);
- PR_vsnprintf(buffer, LOG_BUFFER, format, ap);
- va_end(ap);
-@@ -1089,11 +1093,11 @@ task_export_thread(void *arg)
- slapi_pblock_get(pb, SLAPI_BACKEND_TASK, &task);
-
- g_incr_active_threadcnt();
-- for (count = 0, inp = instance_names; *inp; inp++, count++)
-+ for (count = 0, inp = instance_names; inp && *inp; inp++, count++)
- ;
- slapi_task_begin(task, count);
-
-- for (inp = instance_names; *inp; inp++) {
-+ for (inp = instance_names; inp && *inp; inp++) {
- int release_me = 0;
- /* lookup the backend */
- be = slapi_be_select_by_instance_name((const char *)*inp);
-diff --git a/ldap/servers/snmp/main.c b/ldap/servers/snmp/main.c
-index 8477831..5bd318d 100644
---- a/ldap/servers/snmp/main.c
-+++ b/ldap/servers/snmp/main.c
-@@ -21,6 +21,7 @@
- #include "ldap.h"
- #include "ldif.h"
- #include <ctype.h>
-+#include <errno.h>
-
- static char *agentx_master = NULL;
- static char *agent_logdir = NULL;
-@@ -54,9 +55,17 @@ main(int argc, char *argv[])
- {
- char *s = getenv("DEBUG_SLEEP");
- if ((s != NULL) && isdigit(*s)) {
-- int secs = atoi(s);
-+ char *endp = NULL;
-+ long secs;
-+ errno = 0;
-+
- printf("%s pid is %d\n", argv[0], getpid());
-- sleep(secs);
-+ secs = strtol(s, &endp, 10);
-+ if (*endp != '\0' || errno == ERANGE) {
-+ sleep(10);
-+ } else {
-+ sleep(secs);
-+ }
- }
- }
-
---
-2.9.5
-
diff --git a/SOURCES/0002-Ticket-49546-Fix-issues-with-MIB-file.patch b/SOURCES/0002-Ticket-49546-Fix-issues-with-MIB-file.patch
new file mode 100644
index 0000000..620cd85
--- /dev/null
+++ b/SOURCES/0002-Ticket-49546-Fix-issues-with-MIB-file.patch
@@ -0,0 +1,178 @@
+From 9f1bbff43c3e6ec01e60d35082b21b83a8795dc2 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 12 Jul 2018 10:48:11 -0400
+Subject: [PATCH] Ticket 49546 - Fix issues with MIB file
+
+Description: Change dsMaxThreadsHit to dsMaxThreadsHits, and set the
+ proper object type for dsIntIndex
+
+https://pagure.io/389-ds-base/issue/49546
+
+Reviewed by: spichugi & firstyear(Thanks!!)
+
+(cherry picked from commit 6d4caac04be4223971de54d292db82734f6d6a44)
+---
+ ldap/servers/slapd/agtmmap.c | 2 +-
+ ldap/servers/slapd/agtmmap.h | 2 +-
+ ldap/servers/slapd/connection.c | 2 +-
+ ldap/servers/slapd/slap.h | 2 +-
+ ldap/servers/slapd/snmp_collator.c | 6 +++---
+ ldap/servers/snmp/ldap-agent.c | 4 ++--
+ ldap/servers/snmp/ldap-agent.h | 2 +-
+ ldap/servers/snmp/redhat-directory.mib | 8 ++++----
+ 8 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/ldap/servers/slapd/agtmmap.c b/ldap/servers/slapd/agtmmap.c
+index fbc730db6..352ccefda 100644
+--- a/ldap/servers/slapd/agtmmap.c
++++ b/ldap/servers/slapd/agtmmap.c
+@@ -298,7 +298,7 @@ agt_mread_stats(int hdl, struct hdr_stats_t *pHdrInfo, struct ops_stats_t *pDsOp
+ pDsOpsTbl->dsErrors = pfile_stats->ops_stats.dsErrors;
+ pDsOpsTbl->dsConnections = pfile_stats->ops_stats.dsConnections;
+ pDsOpsTbl->dsConnectionsInMaxThreads = pfile_stats->ops_stats.dsConnectionsInMaxThreads;
+- pDsOpsTbl->dsMaxThreadsHit = pfile_stats->ops_stats.dsMaxThreadsHit;
++ pDsOpsTbl->dsMaxThreadsHits = pfile_stats->ops_stats.dsMaxThreadsHits;
+ }
+
+ if (pDsEntTbl != NULL) {
+diff --git a/ldap/servers/slapd/agtmmap.h b/ldap/servers/slapd/agtmmap.h
+index 2397dad3c..fb27ab2c4 100644
+--- a/ldap/servers/slapd/agtmmap.h
++++ b/ldap/servers/slapd/agtmmap.h
+@@ -102,7 +102,7 @@ struct ops_stats_t
+ uint64_t dsErrors;
+ uint64_t dsConnections; /* Number of currently connected clients */
+ uint64_t dsConnectionSeq; /* Monotonically increasing number bumped on each new conn est */
+- uint64_t dsMaxThreadsHit; /* Number of times a connection hit max threads */
++ uint64_t dsMaxThreadsHits; /* Number of times a connection hit max threads */
+ uint64_t dsConnectionsInMaxThreads; /* current number of connections that are in max threads */
+ uint64_t dsBytesRecv; /* Count of bytes read from clients */
+ uint64_t dsBytesSent; /* Count of bytes sent to clients */
+diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
+index 1dbb49f06..188383b97 100644
+--- a/ldap/servers/slapd/connection.c
++++ b/ldap/servers/slapd/connection.c
+@@ -1911,7 +1911,7 @@ connection_activity(Connection *conn, int maxthreads)
+ slapi_counter_increment(max_threads_count);
+ slapi_counter_increment(conns_in_maxthreads);
+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsConnectionsInMaxThreads);
+- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHit);
++ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHits);
+ }
+ op_stack_obj = connection_get_operation();
+ connection_add_operation(conn, op_stack_obj->op);
+diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
+index eb97cdcc4..a02792648 100644
+--- a/ldap/servers/slapd/slap.h
++++ b/ldap/servers/slapd/slap.h
+@@ -1889,7 +1889,7 @@ struct snmp_ops_tbl_t
+ Slapi_Counter *dsBytesSent; /* Count of bytes sent to clients */
+ Slapi_Counter *dsEntriesReturned;
+ Slapi_Counter *dsReferralsReturned;
+- Slapi_Counter *dsMaxThreadsHit;
++ Slapi_Counter *dsMaxThreadsHits;
+ Slapi_Counter *dsConnectionsInMaxThreads;
+ };
+
+diff --git a/ldap/servers/slapd/snmp_collator.c b/ldap/servers/slapd/snmp_collator.c
+index d56379466..1da7ccbb2 100644
+--- a/ldap/servers/slapd/snmp_collator.c
++++ b/ldap/servers/slapd/snmp_collator.c
+@@ -122,7 +122,7 @@ snmp_collator_init(void)
+ g_get_global_snmp_vars()->ops_tbl.dsEntriesReturned = slapi_counter_new();
+ g_get_global_snmp_vars()->ops_tbl.dsReferralsReturned = slapi_counter_new();
+ g_get_global_snmp_vars()->ops_tbl.dsConnectionsInMaxThreads = slapi_counter_new();
+- g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHit = slapi_counter_new();
++ g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHits = slapi_counter_new();
+ g_get_global_snmp_vars()->entries_tbl.dsMasterEntries = slapi_counter_new();
+ g_get_global_snmp_vars()->entries_tbl.dsCopyEntries = slapi_counter_new();
+ g_get_global_snmp_vars()->entries_tbl.dsCacheEntries = slapi_counter_new();
+@@ -592,7 +592,7 @@ snmp_update_ops_table(void)
+ stats->ops_stats.dsConnections = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnections);
+ stats->ops_stats.dsConnectionSeq = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnectionSeq);
+ stats->ops_stats.dsConnectionsInMaxThreads = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnectionsInMaxThreads);
+- stats->ops_stats.dsMaxThreadsHit = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHit);
++ stats->ops_stats.dsMaxThreadsHits = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHits);
+ stats->ops_stats.dsBytesRecv = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsBytesRecv);
+ stats->ops_stats.dsBytesSent = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsBytesSent);
+ stats->ops_stats.dsEntriesReturned = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsEntriesReturned);
+@@ -738,7 +738,7 @@ snmp_as_entry(Slapi_Entry *e)
+ add_counter_to_value(e, "Connections", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnections));
+ add_counter_to_value(e, "ConnectionSeq", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnectionSeq));
+ add_counter_to_value(e, "ConnectionsInMaxThreads", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnectionsInMaxThreads));
+- add_counter_to_value(e, "ConnectionsMaxThreadsCount", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHit));
++ add_counter_to_value(e, "ConnectionsMaxThreadsCount", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHits));
+ add_counter_to_value(e, "BytesRecv", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsBytesRecv));
+ add_counter_to_value(e, "BytesSent", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsBytesSent));
+ add_counter_to_value(e, "EntriesReturned", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsEntriesReturned));
+diff --git a/ldap/servers/snmp/ldap-agent.c b/ldap/servers/snmp/ldap-agent.c
+index 4393a8956..bd9b8dd9b 100644
+--- a/ldap/servers/snmp/ldap-agent.c
++++ b/ldap/servers/snmp/ldap-agent.c
+@@ -496,8 +496,8 @@ dsOpsTable_get_value(netsnmp_request_info *request,
+ the_stat = &context->ops_tbl.dsConnectionsInMaxThreads;
+ break;
+
+- case COLUMN_DSMAXTHREADSHIT:
+- the_stat = &context->ops_tbl.dsMaxThreadsHit;
++ case COLUMN_DSMAXTHREADSHITS:
++ the_stat = &context->ops_tbl.dsMaxThreadsHits;
+ break;
+
+ default: /* We shouldn't get here */
+diff --git a/ldap/servers/snmp/ldap-agent.h b/ldap/servers/snmp/ldap-agent.h
+index 935d3a611..c98e467dd 100644
+--- a/ldap/servers/snmp/ldap-agent.h
++++ b/ldap/servers/snmp/ldap-agent.h
+@@ -161,7 +161,7 @@ extern size_t snmptrap_oid_len;
+ #define COLUMN_DSERRORS 20
+ #define COLUMN_DSCONNECTIONS 21
+ #define COLUMN_DSCONNECTIONSINMAXTHREADS 22
+-#define COLUMN_DSMAXTHREADSHIT 23
++#define COLUMN_DSMAXTHREADSHITS 23
+ #define dsOpsTable_COL_MIN 1
+ #define dsOpsTable_COL_MAX 23
+
+diff --git a/ldap/servers/snmp/redhat-directory.mib b/ldap/servers/snmp/redhat-directory.mib
+index c8608972e..579be8ee4 100644
+--- a/ldap/servers/snmp/redhat-directory.mib
++++ b/ldap/servers/snmp/redhat-directory.mib
+@@ -87,7 +87,7 @@ RHDS-MIB DEFINITIONS ::= BEGIN
+ dsErrors,
+ dsConnections,
+ dsConnectionsInMaxThreads,
+- dsMaxThreadsHit,
++ dsMaxThreadsHits,
+ dsMasterEntries,
+ dsCopyEntries,
+ dsCacheEntries,
+@@ -190,7 +190,7 @@ RHDS-MIB DEFINITIONS ::= BEGIN
+ Counter64,
+ dsConnectionsInMaxThreads
+ Counter64,
+- dsMaxThreadsHit
++ dsMaxThreadsHits
+ Counter64
+
+ }
+@@ -472,7 +472,7 @@ RHDS-MIB DEFINITIONS ::= BEGIN
+ "Redhat defined 1.2."
+ ::= { dsOpsEntry 22 }
+
+- dsMaxThreadsHit OBJECT-TYPE
++ dsMaxThreadsHits OBJECT-TYPE
+ SYNTAX Counter64
+ MAX-ACCESS read-only
+ STATUS current
+@@ -596,7 +596,7 @@ RHDS-MIB DEFINITIONS ::= BEGIN
+
+ DsIntEntry ::= SEQUENCE {
+ dsIntIndex
+- INTEGER,
++ Integer32,
+ dsName
+ DistinguishedName,
+ dsTimeOfCreation
+--
+2.17.1
+
diff --git a/SOURCES/0003-Ticket-49180-errors-log-filled-with-attrlist_replace.patch b/SOURCES/0003-Ticket-49180-errors-log-filled-with-attrlist_replace.patch
deleted file mode 100644
index 2be7aa7..0000000
--- a/SOURCES/0003-Ticket-49180-errors-log-filled-with-attrlist_replace.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 62fbb3423b26426e735e134134ab710945514ca6 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Tue, 26 Sep 2017 15:51:41 +0200
-Subject: [PATCH] Ticket: 49180 - errors log filled with attrlist_replace -
- attr_replace
-
-Bug: If a RUV contains the same URL with different replica IDs the created referrals contain duplicates
-
-Fix: check duplicate referrals
-
-Reviewed by: Mark, thanks
----
- ldap/servers/plugins/replication/repl5_ruv.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_ruv.c b/ldap/servers/plugins/replication/repl5_ruv.c
-index 40dc0928b..7bfdc3425 100644
---- a/ldap/servers/plugins/replication/repl5_ruv.c
-+++ b/ldap/servers/plugins/replication/repl5_ruv.c
-@@ -1386,7 +1386,17 @@ ruv_replica_count(const RUV *ruv)
- * Extract all the referral URL's from the RUV (but self URL),
- * returning them in an array of strings, that
- * the caller must free.
-+ * We also check and remove duplicates (caused by unclean RUVs)
- */
-+static int
-+ruv_referral_exists(unsigned char *purl, char **refs, int count)
-+{
-+ for (size_t j=0; j<count; j++) {
-+ if (0 == slapi_utf8casecmp(purl, (unsigned char *)refs[j]))
-+ return 1;
-+ }
-+ return 0;
-+}
- char **
- ruv_get_referrals(const RUV *ruv)
- {
-@@ -1407,7 +1417,8 @@ ruv_get_referrals(const RUV *ruv)
- /* Add URL into referrals if doesn't match self URL */
- if ((replica->replica_purl != NULL) &&
- (slapi_utf8casecmp((unsigned char *)replica->replica_purl,
-- (unsigned char *)mypurl) != 0)) {
-+ (unsigned char *)mypurl) != 0) &&
-+ !ruv_referral_exists((unsigned char *)replica->replica_purl, r, i)) {
- r[i] = slapi_ch_strdup(replica->replica_purl);
- i++;
- }
---
-2.13.6
-
diff --git a/SOURCES/0003-Ticket-49840-ds-replcheck-command-returns-traceback-.patch b/SOURCES/0003-Ticket-49840-ds-replcheck-command-returns-traceback-.patch
new file mode 100644
index 0000000..d163168
--- /dev/null
+++ b/SOURCES/0003-Ticket-49840-ds-replcheck-command-returns-traceback-.patch
@@ -0,0 +1,149 @@
+From 6361810037bc32c22e3e00a16bc53b34d0b0d610 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 9 Jul 2018 15:50:09 -0400
+Subject: [PATCH] Ticket 49840 - ds-replcheck command returns traceback errors
+ against ldif files having garbage content when run in offline mode
+
+Description: Added a basic check to see if the LDIF files are actually
+ LDIF files. Also added checks that the database RUV are
+ present as well.
+
+https://pagure.io/389-ds-base/issue/49840
+
+Reviewed by: spichugi(Thanks!)
+
+(cherry picked from commit 60cb52040704686d9541a2e2eb2765d86cb10af2)
+---
+ ldap/admin/src/scripts/ds-replcheck | 53 +++++++++++++++++++++++------
+ 1 file changed, 43 insertions(+), 10 deletions(-)
+
+diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck
+index 62f911034..5c195f983 100755
+--- a/ldap/admin/src/scripts/ds-replcheck
++++ b/ldap/admin/src/scripts/ds-replcheck
+@@ -10,18 +10,19 @@
+ #
+
+ import os
++import sys
+ import re
+ import time
+ import ldap
+ import ldapurl
+ import argparse
+ import getpass
+-
++from ldif import LDIFRecordList
+ from ldap.ldapobject import SimpleLDAPObject
+ from ldap.cidict import cidict
+ from ldap.controls import SimplePagedResultsControl
+
+-VERSION = "1.3"
++VERSION = "1.4"
+ RUV_FILTER = '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
+ LDAP = 'ldap'
+ LDAPS = 'ldaps'
+@@ -386,14 +387,17 @@ def ldif_search(LDIF, dn):
+ return result
+
+
+-def get_dns(LDIF, opts):
++def get_dns(LDIF, filename, opts):
+ ''' Get all the DN's from an LDIF file
+ '''
+ dns = []
+ found = False
++ found_ruv = False
++ LDIF.seek(0)
+ for line in LDIF:
+ if line.startswith('dn: ') and line[4:].startswith('nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff'):
+ opts['ruv_dn'] = line[4:].lower().strip()
++ found_ruv = True
+ elif line.startswith('dn: '):
+ found = True
+ dn = line[4:].lower().strip()
+@@ -407,6 +411,14 @@ def get_dns(LDIF, opts):
+ found = False
+ dns.append(dn)
+
++ if not found_ruv:
++ print('Failed to find the database RUV in the LDIF file: ' + filename + ', the LDIF ' +
++ 'file must contain replication state information.')
++ dns = None
++ else:
++ # All good, reset cursor
++ LDIF.seek(0)
++
+ return dns
+
+
+@@ -415,6 +427,7 @@ def get_ldif_ruv(LDIF, opts):
+ '''
+ LDIF.seek(0)
+ result = ldif_search(LDIF, opts['ruv_dn'])
++ LDIF.seek(0) # Reset cursor
+ return result['entry'].data['nsds50ruv']
+
+
+@@ -549,6 +562,7 @@ def do_offline_report(opts, output_file=None):
+ rconflicts = []
+ rtombstones = 0
+ mtombstones = 0
++ idx = 0
+
+ # Open LDIF files
+ try:
+@@ -561,12 +575,36 @@ def do_offline_report(opts, output_file=None):
+ RLDIF = open(opts['rldif'], "r")
+ except Exception as e:
+ print('Failed to open Replica LDIF: ' + str(e))
++ MLDIF.close()
++ return None
++
++ # Verify LDIF Files
++ try:
++ print("Validating Master ldif file ({})...".format(opts['mldif']))
++ LDIFRecordList(MLDIF).parse()
++ except ValueError:
++ print('Master LDIF file in invalid, aborting...')
++ MLDIF.close()
++ RLDIF.close()
++ return None
++ try:
++ print("Validating Replica ldif file ({})...".format(opts['rldif']))
++ LDIFRecordList(RLDIF).parse()
++ except ValueError:
++ print('Replica LDIF file is invalid, aborting...')
++ MLDIF.close()
++ RLDIF.close()
+ return None
+
+ # Get all the dn's, and entry counts
+ print ("Gathering all the DN's...")
+- master_dns = get_dns(MLDIF, opts)
+- replica_dns = get_dns(RLDIF, opts)
++ master_dns = get_dns(MLDIF, opts['mldif'], opts)
++ replica_dns = get_dns(RLDIF, opts['rldif'], opts)
++ if master_dns is None or replica_dns is None:
++ print("Aborting scan...")
++ MLDIF.close()
++ RLDIF.close()
++ sys.exit(1)
+ m_count = len(master_dns)
+ r_count = len(replica_dns)
+
+@@ -575,11 +613,6 @@ def do_offline_report(opts, output_file=None):
+ opts['master_ruv'] = get_ldif_ruv(MLDIF, opts)
+ opts['replica_ruv'] = get_ldif_ruv(RLDIF, opts)
+
+- # Reset the cursors
+- idx = 0
+- MLDIF.seek(idx)
+- RLDIF.seek(idx)
+-
+ """ Compare the master entries with the replica's. Take our list of dn's from
+ the master ldif and get that entry( dn) from the master and replica ldif. In
+ this phase we keep keep track of conflict/tombstone counts, and we check for
+--
+2.17.1
+
diff --git a/SOURCES/0004-Ticket-49388-repl-monitor-matches-null-string-many-t.patch b/SOURCES/0004-Ticket-49388-repl-monitor-matches-null-string-many-t.patch
deleted file mode 100644
index 2af9083..0000000
--- a/SOURCES/0004-Ticket-49388-repl-monitor-matches-null-string-many-t.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 80631ee86fa951f18ed25f61ca72734931eb5387 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Mon, 2 Oct 2017 16:19:47 -0400
-Subject: [PATCH] Ticket 49388 - repl-monitor - matches null string many times
- in regex
-
-Bug Description: When using a wildcard(*) for the hostname, some of the
- regex's for parsing the various configurations throws
- out warnings.
-
-Fix Description: When a wildcard is detected reset the hostnode variable
- to nothing.
-
-https://pagure.io/389-ds-base/issue/49388
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit 4b41a02484db645a593b9d6ac6c4e062dd374395)
----
- ldap/admin/src/scripts/repl-monitor.pl.in | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/ldap/admin/src/scripts/repl-monitor.pl.in b/ldap/admin/src/scripts/repl-monitor.pl.in
-index a3efa8e6e..97c1462a5 100755
---- a/ldap/admin/src/scripts/repl-monitor.pl.in
-+++ b/ldap/admin/src/scripts/repl-monitor.pl.in
-@@ -1053,6 +1053,10 @@ sub add_server
- # Remove the domain name from the host name
- my ($hostnode) = $host;
- $hostnode = $1 if $host =~ /^(.+?)\./;
-+ if ($hostnode eq "*") {
-+ # handle wild card correctly for regex
-+ $hostnode = "";
-+ }
-
- # new host:port
- if (!$binddn || $binddn eq "" || $binddn eq "*" ||
---
-2.13.6
-
diff --git a/SOURCES/0004-Ticket-49893-disable-nunc-stans-by-default.patch b/SOURCES/0004-Ticket-49893-disable-nunc-stans-by-default.patch
new file mode 100644
index 0000000..4044649
--- /dev/null
+++ b/SOURCES/0004-Ticket-49893-disable-nunc-stans-by-default.patch
@@ -0,0 +1,32 @@
+From 83949e7e4f3370f48ea5c5fabdb9af04e3d11c75 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 8 Aug 2018 17:19:27 -0400
+Subject: [PATCH] Ticket 49893 - disable nunc-stans by default
+
+Description: Until nunc-stans is stablized we need to disable it
+
+https://pagure.io/389-ds-base/issue/49893
+
+Reviewed by: ?
+
+(cherry picked from commit 2f2d3b1d7e7d847de1bb9ddf2f63e71dbc90f710)
+---
+ ldap/servers/slapd/libglobs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
+index 12f6ec396..56b67b79b 100644
+--- a/ldap/servers/slapd/libglobs.c
++++ b/ldap/servers/slapd/libglobs.c
+@@ -1683,7 +1683,7 @@ FrontendConfig_init(void)
+ cfg->maxbersize = SLAPD_DEFAULT_MAXBERSIZE;
+ cfg->logging_backend = slapi_ch_strdup(SLAPD_INIT_LOGGING_BACKEND_INTERNAL);
+ cfg->rootdn = slapi_ch_strdup(SLAPD_DEFAULT_DIRECTORY_MANAGER);
+- init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_ON;
++ init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_OFF;
+ #if defined(LINUX)
+ init_malloc_mxfast = cfg->malloc_mxfast = DEFAULT_MALLOC_UNSET;
+ init_malloc_trim_threshold = cfg->malloc_trim_threshold = DEFAULT_MALLOC_UNSET;
+--
+2.17.1
+
diff --git a/SOURCES/0005-Ticket-49389-unable-to-retrieve-specific-cosAttribut.patch b/SOURCES/0005-Ticket-49389-unable-to-retrieve-specific-cosAttribut.patch
deleted file mode 100644
index bdd9627..0000000
--- a/SOURCES/0005-Ticket-49389-unable-to-retrieve-specific-cosAttribut.patch
+++ /dev/null
@@ -1,257 +0,0 @@
-From bb2d74ebe9d725b47e35893a2d8c8bd713d6dd4b Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Tue, 3 Oct 2017 17:22:37 -0400
-Subject: [PATCH] Ticket 49389 - unable to retrieve specific cosAttribute when
- subtree password policy is configured
-
-Bug Description: If indirect cos is being used and a subtree password
- policy is added, th orignal COS attributes aren't always
- returned. The issue is that when the subtree password
- policy attribute was encountered during the virtual
- attribute processing it set a flag that said the attribute
- was operational (which is correct for the password policy
- attr: pwdpolicysubentry).
-
- However, this flag was accidentally carried over to the
- following virtual attributes that were being processed.
- Which caused those attributes to be seen as operational
- which is why it was no longer being returned to the client.
-
-Fix Description: Reset the prop flags before processing the next COS attribute
-
-https://pagure.io/389-ds-base/issue/49389
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit 0953e6011368bc29300990e9493ac13e5aba9586)
----
- dirsrvtests/tests/suites/cos/__init__.py | 0
- dirsrvtests/tests/suites/cos/indirect_cos_test.py | 191 ++++++++++++++++++++++
- ldap/servers/plugins/cos/cos_cache.c | 2 +-
- 3 files changed, 192 insertions(+), 1 deletion(-)
- create mode 100644 dirsrvtests/tests/suites/cos/__init__.py
- create mode 100644 dirsrvtests/tests/suites/cos/indirect_cos_test.py
-
-diff --git a/dirsrvtests/tests/suites/cos/__init__.py b/dirsrvtests/tests/suites/cos/__init__.py
-new file mode 100644
-index 000000000..e69de29bb
-diff --git a/dirsrvtests/tests/suites/cos/indirect_cos_test.py b/dirsrvtests/tests/suites/cos/indirect_cos_test.py
-new file mode 100644
-index 000000000..1aac6b8ed
---- /dev/null
-+++ b/dirsrvtests/tests/suites/cos/indirect_cos_test.py
-@@ -0,0 +1,191 @@
-+import logging
-+import pytest
-+import os
-+import ldap
-+import time
-+import subprocess
-+
-+from lib389 import Entry
-+from lib389.idm.user import UserAccounts
-+from lib389.topologies import topology_st as topo
-+from lib389._constants import (DEFAULT_SUFFIX, DN_DM, PASSWORD, HOST_STANDALONE,
-+ SERVERID_STANDALONE, PORT_STANDALONE)
-+
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+TEST_USER_DN = "uid=test_user,ou=people,dc=example,dc=com"
-+OU_PEOPLE = 'ou=people,{}'.format(DEFAULT_SUFFIX)
-+
-+PW_POLICY_CONT_PEOPLE = 'cn="cn=nsPwPolicyEntry,' \
-+ 'ou=people,dc=example,dc=com",' \
-+ 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com'
-+
-+PW_POLICY_CONT_PEOPLE2 = 'cn="cn=nsPwPolicyEntry,' \
-+ 'dc=example,dc=com",' \
-+ 'cn=nsPwPolicyContainerdc=example,dc=com'
-+
-+
-+def check_user(inst):
-+ """Search the test user and make sure it has the execpted attrs
-+ """
-+ try:
-+ entries = inst.search_s('dc=example,dc=com', ldap.SCOPE_SUBTREE, "uid=test_user")
-+ log.debug('user: \n' + str(entries[0]))
-+ assert entries[0].hasAttr('ou'), "Entry is missing ou cos attribute"
-+ assert entries[0].hasAttr('x-department'), "Entry is missing description cos attribute"
-+ assert entries[0].hasAttr('x-en-ou'), "Entry is missing givenname cos attribute"
-+ except ldap.LDAPError as e:
-+ log.fatal('Failed to search for user: ' + str(e))
-+ raise e
-+
-+
-+def setup_subtree_policy(topo):
-+ """Set up subtree password policy
-+ """
-+ try:
-+ topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE,
-+ 'nsslapd-pwpolicy-local',
-+ 'on')])
-+ except ldap.LDAPError as e:
-+ log.error('Failed to set fine-grained policy: error {}'.format(
-+ e.message['desc']))
-+ raise e
-+
-+ log.info('Create password policy for subtree {}'.format(OU_PEOPLE))
-+ try:
-+ subprocess.call(['%s/ns-newpwpolicy.pl' % topo.standalone.get_sbin_dir(),
-+ '-D', DN_DM, '-w', PASSWORD,
-+ '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE,
-+ '-S', DEFAULT_SUFFIX, '-Z', SERVERID_STANDALONE])
-+ except subprocess.CalledProcessError as e:
-+ log.error('Failed to create pw policy policy for {}: error {}'.format(
-+ OU_PEOPLE, e.message['desc']))
-+ raise e
-+
-+ log.info('Add pwdpolicysubentry attribute to {}'.format(OU_PEOPLE))
-+ try:
-+ topo.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_REPLACE,
-+ 'pwdpolicysubentry',
-+ PW_POLICY_CONT_PEOPLE2)])
-+ except ldap.LDAPError as e:
-+ log.error('Failed to pwdpolicysubentry pw policy '
-+ 'policy for {}: error {}'.format(OU_PEOPLE, e.message['desc']))
-+ raise e
-+ time.sleep(1)
-+
-+
-+def setup_indirect_cos(topo):
-+ """Setup indirect COS definition and template
-+ """
-+ cosDef = Entry(('cn=cosDefinition,dc=example,dc=com',
-+ {'objectclass': ['top', 'ldapsubentry',
-+ 'cossuperdefinition',
-+ 'cosIndirectDefinition'],
-+ 'cosAttribute': ['ou merge-schemes',
-+ 'x-department merge-schemes',
-+ 'x-en-ou merge-schemes'],
-+ 'cosIndirectSpecifier': 'seeAlso',
-+ 'cn': 'cosDefinition'}))
-+
-+ cosTemplate = Entry(('cn=cosTemplate,dc=example,dc=com',
-+ {'objectclass': ['top',
-+ 'extensibleObject',
-+ 'cosTemplate'],
-+ 'ou': 'My COS Org',
-+ 'x-department': 'My COS x-department',
-+ 'x-en-ou': 'my COS x-en-ou',
-+ 'cn': 'cosTemplate'}))
-+ try:
-+ topo.standalone.add_s(cosDef)
-+ topo.standalone.add_s(cosTemplate)
-+ except ldap.LDAPError as e:
-+ log.fatal('Failed to add cos: error ' + str(e))
-+ raise e
-+ time.sleep(1)
-+
-+
-+@pytest.fixture(scope="module")
-+def setup(topo, request):
-+ """Add schema, and test user
-+ """
-+ log.info('Add custom schema...')
-+ try:
-+ ATTR_1 = ("( 1.3.6.1.4.1.409.389.2.189 NAME 'x-department' " +
-+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )")
-+ ATTR_2 = ("( 1.3.6.1.4.1.409.389.2.187 NAME 'x-en-ou' " +
-+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )")
-+ OC = ("( xPerson-oid NAME 'xPerson' DESC '' SUP person STRUCTURAL MAY " +
-+ "( x-department $ x-en-ou ) X-ORIGIN 'user defined' )")
-+ topo.standalone.modify_s("cn=schema", [(ldap.MOD_ADD, 'attributeTypes', ATTR_1),
-+ (ldap.MOD_ADD, 'attributeTypes', ATTR_2),
-+ (ldap.MOD_ADD, 'objectClasses', OC)])
-+ except ldap.LDAPError as e:
-+ log.fatal('Failed to add custom schema')
-+ raise e
-+ time.sleep(1)
-+
-+ log.info('Add test user...')
-+ users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
-+
-+ user_properties = {
-+ 'uid': 'test_user',
-+ 'cn': 'test user',
-+ 'sn': 'user',
-+ 'uidNumber': '1000',
-+ 'gidNumber': '2000',
-+ 'homeDirectory': '/home/test_user',
-+ 'seeAlso': 'cn=cosTemplate,dc=example,dc=com'
-+ }
-+ users.create(properties=user_properties)
-+ try:
-+ topo.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_ADD,
-+ 'objectclass',
-+ 'xPerson')])
-+ except ldap.LDAPError as e:
-+ log.fatal('Failed to add objectclass to user')
-+ raise e
-+
-+ # Setup COS
-+ log.info("Setup indirect COS...")
-+ setup_indirect_cos(topo)
-+
-+
-+def test_indirect_cos(topo, setup):
-+ """Test indirect cos
-+
-+ :id: 890d5929-7d52-4a56-956e-129611b4649a
-+ :setup: standalone
-+ :steps:
-+ 1. Test cos is working for test user
-+ 2. Add subtree password policy
-+ 3. Test cos is working for test user
-+ :expectedresults:
-+ 1. User has expected cos attrs
-+ 2. Substree password policy setup is successful
-+ 3 User still has expected cos attrs
-+ """
-+
-+ # Step 1 - Search user and see if the COS attrs are included
-+ log.info('Checking user...')
-+ check_user(topo.standalone)
-+
-+ # Step 2 - Add subtree password policy (Second COS - operational attribute)
-+ setup_subtree_policy(topo)
-+
-+ # Step 3 - Check user again now hat we have a mix of vattrs
-+ log.info('Checking user...')
-+ check_user(topo.standalone)
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-+
-diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
-index c7897ba05..9ae15db15 100644
---- a/ldap/servers/plugins/cos/cos_cache.c
-+++ b/ldap/servers/plugins/cos/cos_cache.c
-@@ -2094,7 +2094,6 @@ cos_cache_vattr_types(vattr_sp_handle *handle __attribute__((unused)),
- int index = 0;
- cosCache *pCache;
- char *lastattr = "thisisfakeforcos";
-- int props = 0;
-
- slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "--> cos_cache_vattr_types\n");
-
-@@ -2105,6 +2104,7 @@ cos_cache_vattr_types(vattr_sp_handle *handle __attribute__((unused)),
- }
-
- while (index < pCache->attrCount) {
-+ int props = 0;
- if (slapi_utf8casecmp(
- (unsigned char *)pCache->ppAttrIndex[index]->pAttrName,
- (unsigned char *)lastattr)) {
---
-2.13.6
-
diff --git a/SOURCES/0005-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch b/SOURCES/0005-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch
new file mode 100644
index 0000000..6a1d09a
--- /dev/null
+++ b/SOURCES/0005-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch
@@ -0,0 +1,137 @@
+From a21ba4722268349b9c63000145e5d119e1fddd60 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 9 Aug 2018 15:27:59 -0400
+Subject: [PATCH] Ticket 49890 : ldapsearch with server side sort crashes the
+ ldap server
+
+Bug Description:
+ Server side sort with a specified matching rule trigger a crash
+
+Fix Description:
+ Check if the we are able to index the provided value.
+ If we are not then slapd_qsort returns an error (LDAP_OPERATION_ERROR)
+
+https://pagure.io/389-ds-base/issue/49890
+
+Reviewed by: mreynolds
+
+Platforms tested: F27
+
+Flag Day: no
+
+Doc impact: no
+
+(cherry picked from commit c989e18f7a3da060b16d39919b920b6b2a19a0ac)
+---
+ dirsrvtests/tests/suites/syntax/mr_test.py | 59 ++++++++++++++++++++++
+ ldap/servers/slapd/back-ldbm/sort.c | 14 +++++
+ 2 files changed, 73 insertions(+)
+ create mode 100644 dirsrvtests/tests/suites/syntax/mr_test.py
+
+diff --git a/dirsrvtests/tests/suites/syntax/mr_test.py b/dirsrvtests/tests/suites/syntax/mr_test.py
+new file mode 100644
+index 000000000..57061222a
+--- /dev/null
++++ b/dirsrvtests/tests/suites/syntax/mr_test.py
+@@ -0,0 +1,59 @@
++import logging
++import pytest
++import os
++import ldap
++from lib389.dbgen import dbgen
++from lib389._constants import *
++from lib389.topologies import topology_st as topo
++from lib389._controls import SSSRequestControl
++
++DEBUGGING = os.getenv("DEBUGGING", default=False)
++if DEBUGGING:
++ logging.getLogger(__name__).setLevel(logging.DEBUG)
++else:
++ logging.getLogger(__name__).setLevel(logging.INFO)
++log = logging.getLogger(__name__)
++
++
++def test_sss_mr(topo):
++ """Test matching rule/server side sort does not crash DS
++
++ :id: 48c73d76-1694-420f-ab55-187135f2d260
++ :setup: Standalone Instance
++ :steps:
++ 1. Add sample entries to the database
++ 2. Perform search using server side control (uid:2.5.13.3)
++ :expectedresults:
++ 1. Success
++ 2. Success
++ """
++
++ log.info("Creating LDIF...")
++ ldif_dir = topo.standalone.get_ldif_dir()
++ ldif_file = os.path.join(ldif_dir, 'mr-crash.ldif')
++ dbgen(topo.standalone, 5, ldif_file, DEFAULT_SUFFIX)
++
++ log.info("Importing LDIF...")
++ topo.standalone.stop()
++ assert topo.standalone.ldif2db(DEFAULT_BENAME, None, None, None, ldif_file)
++ topo.standalone.start()
++
++ log.info('Search using server side sorting using undefined mr in the attr...')
++ sort_ctrl = SSSRequestControl(True, ['uid:2.5.13.3'])
++ controls = [sort_ctrl]
++ msg_id = topo.standalone.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
++ "objectclass=*", serverctrls=controls)
++ try:
++ rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(msg_id)
++ except ldap.OPERATIONS_ERROR:
++ pass
++
++ log.info("Test PASSED")
++
++
++if __name__ == '__main__':
++ # Run isolated
++ # -s for DEBUG mode
++ CURRENT_FILE = os.path.realpath(__file__)
++ pytest.main(["-s", CURRENT_FILE])
++
+diff --git a/ldap/servers/slapd/back-ldbm/sort.c b/ldap/servers/slapd/back-ldbm/sort.c
+index 5b84d87f3..70ac60803 100644
+--- a/ldap/servers/slapd/back-ldbm/sort.c
++++ b/ldap/servers/slapd/back-ldbm/sort.c
+@@ -546,6 +546,16 @@ compare_entries_sv(ID *id_a, ID *id_b, sort_spec *s, baggage_carrier *bc, int *e
+ /* Now copy it, so the second call doesn't crap on it */
+ value_a = slapi_ch_bvecdup(temp_value); /* Really, we'd prefer to not call the chXXX variant...*/
+ matchrule_values_to_keys(this_one->mr_pb, actual_value_b, &value_b);
++
++ if ((actual_value_a && !value_a) ||
++ (actual_value_b && !value_b)) {
++ ber_bvecfree(actual_value_a);
++ ber_bvecfree(actual_value_b);
++ CACHE_RETURN(&inst->inst_cache, &a);
++ CACHE_RETURN(&inst->inst_cache, &b);
++ *error = 1;
++ return 0;
++ }
+ if (actual_value_a)
+ ber_bvecfree(actual_value_a);
+ if (actual_value_b)
+@@ -717,6 +727,8 @@ recurse:
+ A[i] >= A[lo] for higuy <= i <= hi */
+
+ do {
++ if (error)
++ return LDAP_OPERATIONS_ERROR;
+ loguy++;
+ } while (loguy <= hi && compare_entries_sv(loguy, lo, s, bc, &error) <= 0);
+
+@@ -724,6 +736,8 @@ recurse:
+ either loguy > hi or A[loguy] > A[lo] */
+
+ do {
++ if (error)
++ return LDAP_OPERATIONS_ERROR;
+ higuy--;
+ } while (higuy > lo && compare_entries_sv(higuy, lo, s, bc, &error) >= 0);
+
+--
+2.17.1
+
diff --git a/SOURCES/0006-Bug-1614820-Crash-in-vslapd_log_emergency_error.patch b/SOURCES/0006-Bug-1614820-Crash-in-vslapd_log_emergency_error.patch
new file mode 100644
index 0000000..b49777d
--- /dev/null
+++ b/SOURCES/0006-Bug-1614820-Crash-in-vslapd_log_emergency_error.patch
@@ -0,0 +1,85 @@
+From 59071a77774c530f0ab570dda27e23a021d23972 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 23 Aug 2018 10:09:58 -0400
+Subject: [PATCH] Bug 1614820 - Crash in vslapd_log_emergency_error
+
+Description: We were not locking the error log fd before closing and reopening
+ the log file. This could cause a crash when multiple threads are
+ trying to log tothe errors log.
+---
+ ldap/servers/slapd/log.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
+index 2e4ee03a8..7dd71541b 100644
+--- a/ldap/servers/slapd/log.c
++++ b/ldap/servers/slapd/log.c
+@@ -2231,11 +2231,11 @@ vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked)
+ if (logging_hr_timestamps_enabled == 1) {
+ struct timespec tsnow;
+ if (clock_gettime(CLOCK_REALTIME, &tsnow) != 0) {
+- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to determine system time for message :: %s", msg);
++ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to determine system time for message :: %s\n", msg);
+ return;
+ }
+ if (format_localTime_hr_log(tsnow.tv_sec, tsnow.tv_nsec, sizeof(tbuf), tbuf, &size) != 0) {
+- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s", msg);
++ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s\n", msg);
+ return;
+ }
+ } else {
+@@ -2243,14 +2243,14 @@ vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked)
+ time_t tnl;
+ tnl = slapi_current_utc_time();
+ if (format_localTime_log(tnl, sizeof(tbuf), tbuf, &size) != 0) {
+- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s", msg);
++ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s\n", msg);
+ return;
+ }
+ #ifdef HAVE_CLOCK_GETTIME
+ }
+ #endif
+
+- PR_snprintf(buffer, sizeof(buffer), "%s - EMERG - %s", tbuf, msg);
++ PR_snprintf(buffer, sizeof(buffer), "%s - EMERG - %s\n", tbuf, msg);
+ size = strlen(buffer);
+
+ if (!locked) {
+@@ -2531,7 +2531,7 @@ vslapd_log_access(char *fmt, va_list ap)
+
+ if (SLAPI_LOG_BUFSIZ - blen < vlen) {
+ /* We won't be able to fit the message in! Uh-oh! */
+- /* Should we actually just do the snprintf, and warn that message was trunced? */
++ /* Should we actually just do the snprintf, and warn that message was truncated? */
+ log__error_emergency("Insufficent buffer capacity to fit timestamp and message!", 1, 0);
+ return -1;
+ }
+@@ -4486,6 +4486,13 @@ log__error_emergency(const char *errstr, int reopen, int locked)
+ if (!reopen) {
+ return;
+ }
++ if (!locked) {
++ /*
++ * Take the lock because we are closing and reopening the error log (fd),
++ * and we don't want any other threads trying to use this fd
++ */
++ LOG_ERROR_LOCK_WRITE();
++ }
+ if (NULL != loginfo.log_error_fdes) {
+ LOG_CLOSE(loginfo.log_error_fdes);
+ }
+@@ -4494,7 +4501,10 @@ log__error_emergency(const char *errstr, int reopen, int locked)
+ PRErrorCode prerr = PR_GetError();
+ syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr));
+ } else {
+- vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked);
++ vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, 1 /* locked */);
++ }
++ if (!locked) {
++ LOG_ERROR_UNLOCK_WRITE();
+ }
+ return;
+ }
+--
+2.17.1
+
diff --git a/SOURCES/0006-Ticket-49320-Activating-already-active-role-returns-.patch b/SOURCES/0006-Ticket-49320-Activating-already-active-role-returns-.patch
deleted file mode 100644
index c169905..0000000
--- a/SOURCES/0006-Ticket-49320-Activating-already-active-role-returns-.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From 50d62b6d5ea69e5cad6359dbd1dccb09fcfa1a6b Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Tue, 3 Oct 2017 09:51:53 -0400
-Subject: [PATCH] Ticket 49320 - Activating already active role returns error
- 16
-
-Bug Description: ns-activate.pl returns error 16 when trying to activate an
- already active role.
-
-Fix Description: Check for error 16 (no such attr), and return error 100.
- Also added a "redirect"otion to the ldapmod function to
- hide any errors printed to STDERR, so that the script can
- display its own error message.
-
-https://pagure.io/389-ds-base/issue/49320
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit 406084847f29aa44ffd81de746770aeff6b67c61)
----
- ldap/admin/src/scripts/DSUtil.pm.in | 18 +++++++++++-------
- ldap/admin/src/scripts/ns-activate.pl.in | 9 ++++++++-
- 2 files changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
-index 805a9b91d..791464d0a 100644
---- a/ldap/admin/src/scripts/DSUtil.pm.in
-+++ b/ldap/admin/src/scripts/DSUtil.pm.in
-@@ -1447,6 +1447,10 @@ sub ldapmod {
- close (FILE);
- }
-
-+ if ($info{redirect} eq ""){
-+ $info{redirect} = "> /dev/null";
-+ }
-+
- #
- # Check the protocol, and reset it if it's invalid
- #
-@@ -1470,9 +1474,9 @@ sub ldapmod {
- print "STARTTLS)\n";
- }
- if($info{openldap} eq "yes"){
-- system "ldapmodify -x -ZZ -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
-+ system "ldapmodify -x -ZZ -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
- } else {
-- system "ldapmodify -ZZZ -P \"$info{certdir}\" -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
-+ system "ldapmodify -ZZZ -P \"$info{certdir}\" -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
- }
- } elsif (($info{security} eq "on" && $info{protocol} eq "") || ($info{security} eq "on" && $info{protocol} =~ m/LDAPS/i) ){
- #
-@@ -1482,9 +1486,9 @@ sub ldapmod {
- print "LDAPS)\n";
- }
- if($info{openldap} eq "yes"){
-- system "ldapmodify -x -H \"ldaps://$info{host}:$info{secure_port}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
-+ system "ldapmodify -x -H \"ldaps://$info{host}:$info{secure_port}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
- } else {
-- system "ldapmodify -Z -P \"$info{certdir}\" -p $info{secure_port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
-+ system "ldapmodify -Z -P \"$info{certdir}\" -p $info{secure_port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
- }
- } elsif (($info{openldap} eq "yes") && (($info{ldapi} eq "on" && $info{protocol} eq "") || ($info{ldapi} eq "on" && $info{protocol} =~ m/LDAPI/i)) ){
- #
-@@ -1499,7 +1503,7 @@ sub ldapmod {
- if($protocol_error eq "yes"){
- print "LDAPI)\n";
- }
-- system "ldapmodify -x -H \"$info{ldapiURL}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
-+ system "ldapmodify -x -H \"$info{ldapiURL}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
- }
- } else {
- #
-@@ -1509,9 +1513,9 @@ sub ldapmod {
- print "LDAP)\n";
- }
- if($info{openldap} eq "yes"){
-- system "ldapmodify -x -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
-+ system "ldapmodify -x -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
- } else {
-- system "ldapmodify -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null";
-+ system "ldapmodify -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}";
- }
- }
- unlink ($file);
-diff --git a/ldap/admin/src/scripts/ns-activate.pl.in b/ldap/admin/src/scripts/ns-activate.pl.in
-index 5922c9aab..bec19c8e7 100644
---- a/ldap/admin/src/scripts/ns-activate.pl.in
-+++ b/ldap/admin/src/scripts/ns-activate.pl.in
-@@ -731,11 +731,18 @@ if ( $single == 1 ){
- }
-
- $info{args} = "-c";
-+$info{redirect} = "> /dev/null 2>&1";
- DSUtil::ldapmod($record, %info);
- if( $? != 0 ){
- debug("delete, $entry\n");
- $retCode=$?>>8;
-- exit $retCode;
-+ if ($retCode == "16") { # Error 16 (no such attr) - already activated
-+ out("$entry already $state.\n");
-+ exit 100;
-+ } else {
-+ out("Failed to activate $entry, error $retCode\n");
-+ exit $retCode;
-+ }
- }
-
- out("$entry $state.\n");
---
-2.13.6
-
diff --git a/SOURCES/0007-Ticket-48235-Remove-memberOf-global-lock.patch b/SOURCES/0007-Ticket-48235-Remove-memberOf-global-lock.patch
deleted file mode 100644
index 42b3757..0000000
--- a/SOURCES/0007-Ticket-48235-Remove-memberOf-global-lock.patch
+++ /dev/null
@@ -1,914 +0,0 @@
-From cbe71d7e4901232eaa423b9dc55dba9401c05bec Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 13 Oct 2017 07:09:08 -0400
-Subject: [PATCH] Ticket 48235 - Remove memberOf global lock
-
-Bug Description: The memberOf global lock no longer servers a purpose since
- the plugin is BETXN. This was causing potential deadlocks
- when multiple backends are used.
-
-Fix Description: Remove the lock, and rework the fixup/ancestors caches/hashtables.
- Instead of reusing a single cache, we create a fresh cache
- when we copy the plugin config (which only happens at the start
- of an operation). Then we destroy the caches when we free
- the config.
-
-https://pagure.io/389-ds-base/issue/48235
-
-Reviewed by: firstyear & tbordaz(Thanks!!)
-
-(cherry picked from commit 184b8a164f4ed456c72d58038aa9a0d512be61fa)
----
- ldap/servers/plugins/memberof/memberof.c | 326 +++---------------------
- ldap/servers/plugins/memberof/memberof.h | 17 ++
- ldap/servers/plugins/memberof/memberof_config.c | 166 +++++++++++-
- 3 files changed, 210 insertions(+), 299 deletions(-)
-
-diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
-index a0f997ddf..a23c52abe 100644
---- a/ldap/servers/plugins/memberof/memberof.c
-+++ b/ldap/servers/plugins/memberof/memberof.c
-@@ -48,14 +48,11 @@ static Slapi_PluginDesc pdesc = {"memberof", VENDOR,
- static void *_PluginID = NULL;
- static Slapi_DN *_ConfigAreaDN = NULL;
- static Slapi_RWLock *config_rwlock = NULL;
--static Slapi_DN *_pluginDN = NULL;
--static PRMonitor *memberof_operation_lock = 0;
-+static Slapi_DN* _pluginDN = NULL;
- MemberOfConfig *qsortConfig = 0;
- static int usetxn = 0;
- static int premodfn = 0;
--#define MEMBEROF_HASHTABLE_SIZE 1000
--static PLHashTable *fixup_entry_hashtable = NULL; /* global hash table protected by memberof_lock (memberof_operation_lock) */
--static PLHashTable *group_ancestors_hashtable = NULL; /* global hash table protected by memberof_lock (memberof_operation_lock) */
-+
-
- typedef struct _memberofstringll
- {
-@@ -73,18 +70,6 @@ typedef struct _memberof_get_groups_data
- PRBool use_cache;
- } memberof_get_groups_data;
-
--/* The key to access the hash table is the normalized DN
-- * The normalized DN is stored in the value because:
-- * - It is used in slapi_valueset_find
-- * - It is used to fill the memberof_get_groups_data.group_norm_vals
-- */
--typedef struct _memberof_cached_value
--{
-- char *key;
-- char *group_dn_val;
-- char *group_ndn_val;
-- int valid;
--} memberof_cached_value;
- struct cache_stat
- {
- int total_lookup;
-@@ -164,14 +149,9 @@ static int memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data);
- static int memberof_entry_in_scope(MemberOfConfig *config, Slapi_DN *sdn);
- static int memberof_add_objectclass(char *auto_add_oc, const char *dn);
- static int memberof_add_memberof_attr(LDAPMod **mods, const char *dn, char *add_oc);
--static PLHashTable *hashtable_new();
--static void fixup_hashtable_empty(char *msg);
--static PLHashTable *hashtable_new();
--static void ancestor_hashtable_empty(char *msg);
--static void ancestor_hashtable_entry_free(memberof_cached_value *entry);
--static memberof_cached_value *ancestors_cache_lookup(const char *ndn);
--static PRBool ancestors_cache_remove(const char *ndn);
--static PLHashEntry *ancestors_cache_add(const void *key, void *value);
-+static memberof_cached_value *ancestors_cache_lookup(MemberOfConfig *config, const char *ndn);
-+static PRBool ancestors_cache_remove(MemberOfConfig *config, const char *ndn);
-+static PLHashEntry *ancestors_cache_add(MemberOfConfig *config, const void *key, void *value);
-
- /*** implementation ***/
-
-@@ -344,11 +324,6 @@ memberof_postop_start(Slapi_PBlock *pb)
- slapi_log_err(SLAPI_LOG_TRACE, MEMBEROF_PLUGIN_SUBSYSTEM,
- "--> memberof_postop_start\n");
-
-- memberof_operation_lock = PR_NewMonitor();
-- if (0 == memberof_operation_lock) {
-- rc = -1;
-- goto bail;
-- }
- if (config_rwlock == NULL) {
- if ((config_rwlock = slapi_new_rwlock()) == NULL) {
- rc = -1;
-@@ -356,9 +331,6 @@ memberof_postop_start(Slapi_PBlock *pb)
- }
- }
-
-- fixup_entry_hashtable = hashtable_new();
-- group_ancestors_hashtable = hashtable_new();
--
- /* Set the alternate config area if one is defined. */
- slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_AREA, &config_area);
- if (config_area) {
-@@ -413,13 +385,13 @@ memberof_postop_start(Slapi_PBlock *pb)
- goto bail;
- }
-
--/*
-+ /*
- * TODO: start up operation actor thread
- * need to get to a point where server failure
-- * or shutdown doesn't hose our operations
-- * so we should create a task entry that contains
-+ * or shutdown doesn't hose our operations
-+ * so we should create a task entry that contains
- * all required information to complete the operation
-- * then the tasks can be restarted safely if
-+ * then the tasks can be restarted safely if
- * interrupted
- */
-
-@@ -451,18 +423,7 @@ memberof_postop_close(Slapi_PBlock *pb __attribute__((unused)))
- slapi_sdn_free(&_pluginDN);
- slapi_destroy_rwlock(config_rwlock);
- config_rwlock = NULL;
-- PR_DestroyMonitor(memberof_operation_lock);
-- memberof_operation_lock = NULL;
--
-- if (fixup_entry_hashtable) {
-- fixup_hashtable_empty("memberof_postop_close empty fixup_entry_hastable");
-- PL_HashTableDestroy(fixup_entry_hashtable);
-- }
-
-- if (group_ancestors_hashtable) {
-- ancestor_hashtable_empty("memberof_postop_close empty group_ancestors_hashtable");
-- PL_HashTableDestroy(group_ancestors_hashtable);
-- }
- slapi_log_err(SLAPI_LOG_TRACE, MEMBEROF_PLUGIN_SUBSYSTEM,
- "<-- memberof_postop_close\n");
- return 0;
-@@ -524,7 +485,7 @@ memberof_postop_del(Slapi_PBlock *pb)
- {
- int ret = SLAPI_PLUGIN_SUCCESS;
- MemberOfConfig *mainConfig = NULL;
-- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
-+ MemberOfConfig configCopy = {0};
- Slapi_DN *sdn;
- void *caller_id = NULL;
-
-@@ -553,9 +514,6 @@ memberof_postop_del(Slapi_PBlock *pb)
- memberof_copy_config(&configCopy, memberof_get_config());
- memberof_unlock_config();
-
-- /* get the memberOf operation lock */
-- memberof_lock();
--
- /* remove this DN from the
- * membership lists of groups
- */
-@@ -563,7 +521,6 @@ memberof_postop_del(Slapi_PBlock *pb)
- slapi_log_err(SLAPI_LOG_ERR, MEMBEROF_PLUGIN_SUBSYSTEM,
- "memberof_postop_del - Error deleting dn (%s) from group. Error (%d)\n",
- slapi_sdn_get_dn(sdn), ret);
-- memberof_unlock();
- goto bail;
- }
-
-@@ -583,7 +540,6 @@ memberof_postop_del(Slapi_PBlock *pb)
- }
- }
- }
-- memberof_unlock();
- bail:
- memberof_free_config(&configCopy);
- }
-@@ -776,7 +732,7 @@ memberof_call_foreach_dn(Slapi_PBlock *pb __attribute__((unused)), Slapi_DN *sdn
- memberof_cached_value *ht_grp = NULL;
- const char *ndn = slapi_sdn_get_ndn(sdn);
-
-- ht_grp = ancestors_cache_lookup((const void *)ndn);
-+ ht_grp = ancestors_cache_lookup(config, (const void *)ndn);
- if (ht_grp) {
- #if MEMBEROF_CACHE_DEBUG
- slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_call_foreach_dn: Ancestors of %s already cached (%x)\n", ndn, ht_grp);
-@@ -918,7 +874,7 @@ memberof_postop_modrdn(Slapi_PBlock *pb)
-
- if (memberof_oktodo(pb)) {
- MemberOfConfig *mainConfig = 0;
-- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
-+ MemberOfConfig configCopy = {0};
- struct slapi_entry *pre_e = NULL;
- struct slapi_entry *post_e = NULL;
- Slapi_DN *pre_sdn = 0;
-@@ -944,8 +900,6 @@ memberof_postop_modrdn(Slapi_PBlock *pb)
- goto bail;
- }
-
-- memberof_lock();
--
- /* update any downstream members */
- if (pre_sdn && post_sdn && configCopy.group_filter &&
- 0 == slapi_filter_test_simple(post_e, configCopy.group_filter)) {
-@@ -1010,7 +964,6 @@ memberof_postop_modrdn(Slapi_PBlock *pb)
- }
- }
- }
-- memberof_unlock();
- bail:
- memberof_free_config(&configCopy);
- }
-@@ -1166,7 +1119,7 @@ memberof_postop_modify(Slapi_PBlock *pb)
- if (memberof_oktodo(pb)) {
- int config_copied = 0;
- MemberOfConfig *mainConfig = 0;
-- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
-+ MemberOfConfig configCopy = {0};
-
- /* get the mod set */
- slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
-@@ -1209,8 +1162,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
- if (interested) {
- int op = slapi_mod_get_operation(smod);
-
-- memberof_lock();
--
- /* the modify op decides the function */
- switch (op & ~LDAP_MOD_BVALUES) {
- case LDAP_MOD_ADD: {
-@@ -1221,7 +1172,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
- "Error (%d)\n",
- slapi_sdn_get_dn(sdn), ret);
- slapi_mod_done(next_mod);
-- memberof_unlock();
- goto bail;
- }
- break;
-@@ -1239,7 +1189,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
- "Error (%d)\n",
- slapi_sdn_get_dn(sdn), ret);
- slapi_mod_done(next_mod);
-- memberof_unlock();
- goto bail;
- }
- } else {
-@@ -1250,7 +1199,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
- "Error (%d)\n",
- slapi_sdn_get_dn(sdn), ret);
- slapi_mod_done(next_mod);
-- memberof_unlock();
- goto bail;
- }
- }
-@@ -1265,7 +1213,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
- "Error (%d)\n",
- slapi_sdn_get_dn(sdn), ret);
- slapi_mod_done(next_mod);
-- memberof_unlock();
- goto bail;
- }
- break;
-@@ -1280,8 +1227,6 @@ memberof_postop_modify(Slapi_PBlock *pb)
- break;
- }
- }
--
-- memberof_unlock();
- }
-
- slapi_mod_done(next_mod);
-@@ -1336,7 +1281,7 @@ memberof_postop_add(Slapi_PBlock *pb)
-
- if (memberof_oktodo(pb) && (sdn = memberof_getsdn(pb))) {
- struct slapi_entry *e = NULL;
-- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
-+ MemberOfConfig configCopy = {0};
- MemberOfConfig *mainConfig;
- slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &e);
-
-@@ -1361,8 +1306,6 @@ memberof_postop_add(Slapi_PBlock *pb)
- int i = 0;
- Slapi_Attr *attr = 0;
-
-- memberof_lock();
--
- for (i = 0; configCopy.groupattrs && configCopy.groupattrs[i]; i++) {
- if (0 == slapi_entry_attr_find(e, configCopy.groupattrs[i], &attr)) {
- if ((ret = memberof_add_attr_list(pb, &configCopy, sdn, attr))) {
-@@ -1373,8 +1316,6 @@ memberof_postop_add(Slapi_PBlock *pb)
- }
- }
- }
--
-- memberof_unlock();
- memberof_free_config(&configCopy);
- }
- }
-@@ -2094,7 +2035,7 @@ dump_cache_entry(memberof_cached_value *double_check, const char *msg)
- * the firsts elements of the array has 'valid=1' and the dn/ndn of group it belong to
- */
- static void
--cache_ancestors(Slapi_Value **member_ndn_val, memberof_get_groups_data *groups)
-+cache_ancestors(MemberOfConfig *config, Slapi_Value **member_ndn_val, memberof_get_groups_data *groups)
- {
- Slapi_ValueSet *groupvals = *((memberof_get_groups_data *)groups)->groupvals;
- Slapi_Value *sval;
-@@ -2191,14 +2132,14 @@ cache_ancestors(Slapi_Value **member_ndn_val, memberof_get_groups_data *groups)
- #if MEMBEROF_CACHE_DEBUG
- dump_cache_entry(cache_entry, key);
- #endif
-- if (ancestors_cache_add((const void *)key_copy, (void *)cache_entry) == NULL) {
-- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache_ancestors: Failed to cache ancestor of %s\n", key);
-+ if (ancestors_cache_add(config, (const void*) key_copy, (void *) cache_entry) == NULL) {
-+ slapi_log_err( SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache_ancestors: Failed to cache ancestor of %s\n", key);
- ancestor_hashtable_entry_free(cache_entry);
-- slapi_ch_free((void **)&cache_entry);
-+ slapi_ch_free ((void**)&cache_entry);
- return;
- }
- #if MEMBEROF_CACHE_DEBUG
-- if (double_check = ancestors_cache_lookup((const void *)key)) {
-+ if (double_check = ancestors_cache_lookup(config, (const void*) key)) {
- dump_cache_entry(double_check, "read back");
- }
- #endif
-@@ -2283,8 +2224,7 @@ memberof_get_groups_r(MemberOfConfig *config, Slapi_DN *member_sdn, memberof_get
-
- merge_ancestors(&member_ndn_val, &member_data, data);
- if (!cached && member_data.use_cache)
-- cache_ancestors(&member_ndn_val, &member_data);
--
-+ cache_ancestors(config, &member_ndn_val, &member_data);
-
- slapi_value_free(&member_ndn_val);
- slapi_valueset_free(groupvals);
-@@ -2825,49 +2765,10 @@ memberof_qsort_compare(const void *a, const void *b)
- val1, val2);
- }
-
--/* betxn: This locking mechanism is necessary to guarantee the memberof
-- * consistency */
--void
--memberof_lock()
--{
-- if (usetxn) {
-- PR_EnterMonitor(memberof_operation_lock);
-- }
-- if (fixup_entry_hashtable) {
-- fixup_hashtable_empty("memberof_lock");
-- }
-- if (group_ancestors_hashtable) {
-- ancestor_hashtable_empty("memberof_lock empty group_ancestors_hashtable");
-- memset(&cache_stat, 0, sizeof(cache_stat));
-- }
--}
--
--void
--memberof_unlock()
--{
-- if (group_ancestors_hashtable) {
-- ancestor_hashtable_empty("memberof_unlock empty group_ancestors_hashtable");
--#if MEMBEROF_CACHE_DEBUG
-- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache statistics: total lookup %d (success %d), add %d, remove %d, enum %d\n",
-- cache_stat.total_lookup, cache_stat.successfull_lookup,
-- cache_stat.total_add, cache_stat.total_remove, cache_stat.total_enumerate);
-- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache statistics duration: lookup %ld, add %ld, remove %ld, enum %ld\n",
-- cache_stat.cumul_duration_lookup, cache_stat.cumul_duration_add,
-- cache_stat.cumul_duration_remove, cache_stat.cumul_duration_enumerate);
--#endif
-- }
-- if (fixup_entry_hashtable) {
-- fixup_hashtable_empty("memberof_lock");
-- }
-- if (usetxn) {
-- PR_ExitMonitor(memberof_operation_lock);
-- }
--}
--
- void
- memberof_fixup_task_thread(void *arg)
- {
-- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
-+ MemberOfConfig configCopy = {0};
- Slapi_Task *task = (Slapi_Task *)arg;
- task_data *td = NULL;
- int rc = 0;
-@@ -2933,9 +2834,6 @@ memberof_fixup_task_thread(void *arg)
- /* do real work */
- rc = memberof_fix_memberof(&configCopy, task, td);
-
-- /* release the memberOf operation lock */
-- memberof_unlock();
--
- done:
- if (usetxn && fixup_pb) {
- if (rc) { /* failed */
-@@ -3100,7 +2998,7 @@ memberof_fix_memberof(MemberOfConfig *config, Slapi_Task *task, task_data *td)
- }
-
- static memberof_cached_value *
--ancestors_cache_lookup(const char *ndn)
-+ancestors_cache_lookup(MemberOfConfig *config, const char *ndn)
- {
- memberof_cached_value *e;
- #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
-@@ -3118,7 +3016,7 @@ ancestors_cache_lookup(const char *ndn)
- }
- #endif
-
-- e = (memberof_cached_value *)PL_HashTableLookupConst(group_ancestors_hashtable, (const void *)ndn);
-+ e = (memberof_cached_value *) PL_HashTableLookupConst(config->ancestors_cache, (const void *) ndn);
-
- #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
- if (start) {
-@@ -3133,7 +3031,7 @@ ancestors_cache_lookup(const char *ndn)
- return e;
- }
- static PRBool
--ancestors_cache_remove(const char *ndn)
-+ancestors_cache_remove(MemberOfConfig *config, const char *ndn)
- {
- PRBool rc;
- #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
-@@ -3151,7 +3049,8 @@ ancestors_cache_remove(const char *ndn)
- }
- #endif
-
-- rc = PL_HashTableRemove(group_ancestors_hashtable, (const void *)ndn);
-+
-+ rc = PL_HashTableRemove(config->ancestors_cache, (const void *)ndn);
-
- #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
- if (start) {
-@@ -3164,7 +3063,7 @@ ancestors_cache_remove(const char *ndn)
- }
-
- static PLHashEntry *
--ancestors_cache_add(const void *key, void *value)
-+ancestors_cache_add(MemberOfConfig *config, const void *key, void *value)
- {
- PLHashEntry *e;
- #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
-@@ -3181,7 +3080,7 @@ ancestors_cache_add(const void *key, void *value)
- }
- #endif
-
-- e = PL_HashTableAdd(group_ancestors_hashtable, key, value);
-+ e = PL_HashTableAdd(config->ancestors_cache, key, value);
-
- #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
- if (start) {
-@@ -3211,7 +3110,6 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data)
- const char *ndn;
- char *dn_copy;
-
--
- /*
- * If the server is ordered to shutdown, stop the fixup and return an error.
- */
-@@ -3222,7 +3120,7 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data)
-
- /* Check if the entry has not already been fixed */
- ndn = slapi_sdn_get_ndn(sdn);
-- if (ndn && fixup_entry_hashtable && PL_HashTableLookupConst(fixup_entry_hashtable, (void *)ndn)) {
-+ if (ndn && config->fixup_cache && PL_HashTableLookupConst(config->fixup_cache, (void *)ndn)) {
- slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: Entry %s already fixed up\n", ndn);
- goto bail;
- }
-@@ -3240,12 +3138,13 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data)
- * so free this memory
- */
- ndn = slapi_sdn_get_ndn(sdn);
-+
- #if MEMBEROF_CACHE_DEBUG
- slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: This is NOT a group %s\n", ndn);
- #endif
-- ht_grp = ancestors_cache_lookup((const void *)ndn);
-+ ht_grp = ancestors_cache_lookup(config, (const void *)ndn);
- if (ht_grp) {
-- if (ancestors_cache_remove((const void *)ndn)) {
-+ if (ancestors_cache_remove(config, (const void *)ndn)) {
- slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: free cached values for %s\n", ndn);
- ancestor_hashtable_entry_free(ht_grp);
- slapi_ch_free((void **)&ht_grp);
-@@ -3297,11 +3196,11 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data)
- slapi_valueset_free(groups);
-
- /* records that this entry has been fixed up */
-- if (fixup_entry_hashtable) {
-+ if (config->fixup_cache) {
- dn_copy = slapi_ch_strdup(ndn);
-- if (PL_HashTableAdd(fixup_entry_hashtable, dn_copy, dn_copy) == NULL) {
-+ if (PL_HashTableAdd(config->fixup_cache, dn_copy, dn_copy) == NULL) {
- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: "
-- "failed to add dn (%s) in the fixup hashtable; NSPR error - %d\n",
-+ "failed to add dn (%s) in the fixup hashtable; NSPR error - %d\n",
- dn_copy, PR_GetError());
- slapi_ch_free((void **)&dn_copy);
- /* let consider this as not a fatal error, it just skip an optimization */
-@@ -3397,157 +3296,8 @@ memberof_add_objectclass(char *auto_add_oc, const char *dn)
- return rc;
- }
-
--static PRIntn
--memberof_hash_compare_keys(const void *v1, const void *v2)
--{
-- PRIntn rc;
-- if (0 == strcasecmp((const char *)v1, (const char *)v2)) {
-- rc = 1;
-- } else {
-- rc = 0;
-- }
-- return rc;
--}
--
--static PRIntn
--memberof_hash_compare_values(const void *v1, const void *v2)
--{
-- PRIntn rc;
-- if ((char *)v1 == (char *)v2) {
-- rc = 1;
-- } else {
-- rc = 0;
-- }
-- return rc;
--}
--
--/*
-- * Hashing function using Bernstein's method
-- */
--static PLHashNumber
--memberof_hash_fn(const void *key)
--{
-- PLHashNumber hash = 5381;
-- unsigned char *x = (unsigned char *)key;
-- int c;
--
-- while ((c = *x++)) {
-- hash = ((hash << 5) + hash) ^ c;
-- }
-- return hash;
--}
--
--/* allocates the plugin hashtable
-- * This hash table is used by operation and is protected from
-- * concurrent operations with the memberof_lock (if not usetxn, memberof_lock
-- * is not implemented and the hash table will be not used.
-- *
-- * The hash table contains all the DN of the entries for which the memberof
-- * attribute has been computed/updated during the current operation
-- *
-- * hash table should be empty at the beginning and end of the plugin callback
-- */
--static PLHashTable *
--hashtable_new()
--{
-- if (!usetxn) {
-- return NULL;
-- }
--
-- return PL_NewHashTable(MEMBEROF_HASHTABLE_SIZE,
-- memberof_hash_fn,
-- memberof_hash_compare_keys,
-- memberof_hash_compare_values, NULL, NULL);
--}
--/* this function called for each hash node during hash destruction */
--static PRIntn
--fixup_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused)))
--{
-- char *dn_copy;
--
-- if (he == NULL) {
-- return HT_ENUMERATE_NEXT;
-- }
-- dn_copy = (char *)he->value;
-- slapi_ch_free_string(&dn_copy);
--
-- return HT_ENUMERATE_REMOVE;
--}
--
--static void
--fixup_hashtable_empty(char *msg)
--{
-- if (fixup_entry_hashtable) {
-- PL_HashTableEnumerateEntries(fixup_entry_hashtable, fixup_hashtable_remove, msg);
-- }
--}
--
--
--/* allocates the plugin hashtable
-- * This hash table is used by operation and is protected from
-- * concurrent operations with the memberof_lock (if not usetxn, memberof_lock
-- * is not implemented and the hash table will be not used.
-- *
-- * The hash table contains all the DN of the entries for which the memberof
-- * attribute has been computed/updated during the current operation
-- *
-- * hash table should be empty at the beginning and end of the plugin callback
-- */
--
--static void
--ancestor_hashtable_entry_free(memberof_cached_value *entry)
--{
-- int i;
-- for (i = 0; entry[i].valid; i++) {
-- slapi_ch_free((void **)&entry[i].group_dn_val);
-- slapi_ch_free((void **)&entry[i].group_ndn_val);
-- }
-- /* Here we are at the ending element containing the key */
-- slapi_ch_free((void **)&entry[i].key);
--}
--/* this function called for each hash node during hash destruction */
--static PRIntn
--ancestor_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused)))
--{
-- memberof_cached_value *group_ancestor_array;
--
-- if (he == NULL) {
-- return HT_ENUMERATE_NEXT;
-- }
--
--
-- group_ancestor_array = (memberof_cached_value *)he->value;
-- ancestor_hashtable_entry_free(group_ancestor_array);
-- slapi_ch_free((void **)&group_ancestor_array);
--
-- return HT_ENUMERATE_REMOVE;
--}
--
--static void
--ancestor_hashtable_empty(char *msg)
-+int
-+memberof_use_txn()
- {
--#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
-- long int start;
-- struct timespec tsnow;
--#endif
--
-- if (group_ancestors_hashtable) {
-- cache_stat.total_enumerate++;
--#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
-- if (clock_gettime(CLOCK_REALTIME, &tsnow) != 0) {
-- start = 0;
-- } else {
-- start = tsnow.tv_nsec;
-- }
--#endif
-- PL_HashTableEnumerateEntries(group_ancestors_hashtable, ancestor_hashtable_remove, msg);
--
--#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME)
-- if (start) {
-- if (clock_gettime(CLOCK_REALTIME, &tsnow) == 0) {
-- cache_stat.cumul_duration_enumerate += (tsnow.tv_nsec - start);
-- }
-- }
--#endif
-- }
-+ return usetxn;
- }
-diff --git a/ldap/servers/plugins/memberof/memberof.h b/ldap/servers/plugins/memberof/memberof.h
-index 4833ce221..ba64e9dfa 100644
---- a/ldap/servers/plugins/memberof/memberof.h
-+++ b/ldap/servers/plugins/memberof/memberof.h
-@@ -64,8 +64,22 @@ typedef struct memberofconfig
- int skip_nested;
- int fixup_task;
- char *auto_add_oc;
-+ PLHashTable *ancestors_cache;
-+ PLHashTable *fixup_cache;
- } MemberOfConfig;
-
-+/* The key to access the hash table is the normalized DN
-+ * The normalized DN is stored in the value because:
-+ * - It is used in slapi_valueset_find
-+ * - It is used to fill the memberof_get_groups_data.group_norm_vals
-+ */
-+typedef struct _memberof_cached_value
-+{
-+ char *key;
-+ char *group_dn_val;
-+ char *group_ndn_val;
-+ int valid;
-+} memberof_cached_value;
-
- /*
- * functions
-@@ -89,5 +103,8 @@ int memberof_apply_config(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entr
- void *memberof_get_plugin_id(void);
- void memberof_release_config(void);
- PRUint64 get_plugin_started(void);
-+void ancestor_hashtable_entry_free(memberof_cached_value *entry);
-+PLHashTable *hashtable_new();
-+int memberof_use_txn();
-
- #endif /* _MEMBEROF_H_ */
-diff --git a/ldap/servers/plugins/memberof/memberof_config.c b/ldap/servers/plugins/memberof/memberof_config.c
-index c5ca4b137..3f22d95d6 100644
---- a/ldap/servers/plugins/memberof/memberof_config.c
-+++ b/ldap/servers/plugins/memberof/memberof_config.c
-@@ -14,12 +14,12 @@
- * memberof_config.c - configuration-related code for memberOf plug-in
- *
- */
--
-+#include "plhash.h"
- #include <plstr.h>
--
- #include "memberof.h"
-
- #define MEMBEROF_CONFIG_FILTER "(objectclass=*)"
-+#define MEMBEROF_HASHTABLE_SIZE 1000
-
- /*
- * The configuration attributes are contained in the plugin entry e.g.
-@@ -34,14 +34,16 @@
- /*
- * function prototypes
- */
--static int memberof_validate_config(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry *e, int *returncode, char *returntext, void *arg);
--static int
--memberof_search(Slapi_PBlock *pb __attribute__((unused)),
-- Slapi_Entry *entryBefore __attribute__((unused)),
-- Slapi_Entry *e __attribute__((unused)),
-- int *returncode __attribute__((unused)),
-- char *returntext __attribute__((unused)),
-- void *arg __attribute__((unused)))
-+static void fixup_hashtable_empty( MemberOfConfig *config, char *msg);
-+static void ancestor_hashtable_empty(MemberOfConfig *config, char *msg);
-+static int memberof_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e,
-+ int *returncode, char *returntext, void *arg);
-+static int memberof_search (Slapi_PBlock *pb __attribute__((unused)),
-+ Slapi_Entry* entryBefore __attribute__((unused)),
-+ Slapi_Entry* e __attribute__((unused)),
-+ int *returncode __attribute__((unused)),
-+ char *returntext __attribute__((unused)),
-+ void *arg __attribute__((unused)))
- {
- return SLAPI_DSE_CALLBACK_OK;
- }
-@@ -52,7 +54,7 @@ memberof_search(Slapi_PBlock *pb __attribute__((unused)),
- /* This is the main configuration which is updated from dse.ldif. The
- * config will be copied when it is used by the plug-in to prevent it
- * being changed out from under a running memberOf operation. */
--static MemberOfConfig theConfig = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
-+static MemberOfConfig theConfig = {0};
- static Slapi_RWLock *memberof_config_lock = 0;
- static int inited = 0;
-
-@@ -693,6 +695,13 @@ void
- memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src)
- {
- if (dest && src) {
-+
-+ /* Allocate our caches here since we only copy the config at the start of an op */
-+ if (memberof_use_txn() == 1){
-+ dest->ancestors_cache = hashtable_new();
-+ dest->fixup_cache = hashtable_new();
-+ }
-+
- /* Check if the copy is already up to date */
- if (src->groupattrs) {
- int i = 0, j = 0;
-@@ -787,6 +796,14 @@ memberof_free_config(MemberOfConfig *config)
- slapi_ch_free_string(&config->memberof_attr);
- memberof_free_scope(&(config->entryScopes), &config->entryScopeCount);
- memberof_free_scope(&(config->entryScopeExcludeSubtrees), &config->entryExcludeScopeCount);
-+ if (config->fixup_cache) {
-+ fixup_hashtable_empty(config, "memberof_free_config empty fixup_entry_hastable");
-+ PL_HashTableDestroy(config->fixup_cache);
-+ }
-+ if (config->ancestors_cache) {
-+ ancestor_hashtable_empty(config, "memberof_free_config empty group_ancestors_hashtable");
-+ PL_HashTableDestroy(config->ancestors_cache);
-+ }
- }
- }
-
-@@ -982,3 +999,130 @@ bail:
-
- return ret;
- }
-+
-+
-+static PRIntn memberof_hash_compare_keys(const void *v1, const void *v2)
-+{
-+ PRIntn rc;
-+ if (0 == strcasecmp((const char *) v1, (const char *) v2)) {
-+ rc = 1;
-+ } else {
-+ rc = 0;
-+ }
-+ return rc;
-+}
-+
-+static PRIntn memberof_hash_compare_values(const void *v1, const void *v2)
-+{
-+ PRIntn rc;
-+ if ((char *) v1 == (char *) v2) {
-+ rc = 1;
-+ } else {
-+ rc = 0;
-+ }
-+ return rc;
-+}
-+
-+/*
-+ * Hashing function using Bernstein's method
-+ */
-+static PLHashNumber memberof_hash_fn(const void *key)
-+{
-+ PLHashNumber hash = 5381;
-+ unsigned char *x = (unsigned char *)key;
-+ int c;
-+
-+ while ((c = *x++)){
-+ hash = ((hash << 5) + hash) ^ c;
-+ }
-+ return hash;
-+}
-+
-+/* allocates the plugin hashtable
-+ * This hash table is used by operation and is protected from
-+ * concurrent operations with the memberof_lock (if not usetxn, memberof_lock
-+ * is not implemented and the hash table will be not used.
-+ *
-+ * The hash table contains all the DN of the entries for which the memberof
-+ * attribute has been computed/updated during the current operation
-+ *
-+ * hash table should be empty at the beginning and end of the plugin callback
-+ */
-+PLHashTable *hashtable_new(int usetxn)
-+{
-+ if (!usetxn) {
-+ return NULL;
-+ }
-+
-+ return PL_NewHashTable(MEMBEROF_HASHTABLE_SIZE,
-+ memberof_hash_fn,
-+ memberof_hash_compare_keys,
-+ memberof_hash_compare_values, NULL, NULL);
-+}
-+
-+/* this function called for each hash node during hash destruction */
-+static PRIntn fixup_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused)))
-+{
-+ char *dn_copy;
-+
-+ if (he == NULL) {
-+ return HT_ENUMERATE_NEXT;
-+ }
-+ dn_copy = (char*) he->value;
-+ slapi_ch_free_string(&dn_copy);
-+
-+ return HT_ENUMERATE_REMOVE;
-+}
-+
-+static void fixup_hashtable_empty(MemberOfConfig *config, char *msg)
-+{
-+ if (config->fixup_cache) {
-+ PL_HashTableEnumerateEntries(config->fixup_cache, fixup_hashtable_remove, msg);
-+ }
-+}
-+
-+
-+/* allocates the plugin hashtable
-+ * This hash table is used by operation and is protected from
-+ * concurrent operations with the memberof_lock (if not usetxn, memberof_lock
-+ * is not implemented and the hash table will be not used.
-+ *
-+ * The hash table contains all the DN of the entries for which the memberof
-+ * attribute has been computed/updated during the current operation
-+ *
-+ * hash table should be empty at the beginning and end of the plugin callback
-+ */
-+
-+void ancestor_hashtable_entry_free(memberof_cached_value *entry)
-+{
-+ int i;
-+
-+ for (i = 0; entry[i].valid; i++) {
-+ slapi_ch_free((void **) &entry[i].group_dn_val);
-+ slapi_ch_free((void **) &entry[i].group_ndn_val);
-+ }
-+ /* Here we are at the ending element containing the key */
-+ slapi_ch_free((void**) &entry[i].key);
-+}
-+
-+/* this function called for each hash node during hash destruction */
-+static PRIntn ancestor_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused)))
-+{
-+ memberof_cached_value *group_ancestor_array;
-+
-+ if (he == NULL) {
-+ return HT_ENUMERATE_NEXT;
-+ }
-+ group_ancestor_array = (memberof_cached_value *) he->value;
-+ ancestor_hashtable_entry_free(group_ancestor_array);
-+ slapi_ch_free((void **)&group_ancestor_array);
-+
-+ return HT_ENUMERATE_REMOVE;
-+}
-+
-+static void ancestor_hashtable_empty(MemberOfConfig *config, char *msg)
-+{
-+ if (config->ancestors_cache) {
-+ PL_HashTableEnumerateEntries(config->ancestors_cache, ancestor_hashtable_remove, msg);
-+ }
-+}
---
-2.13.6
-
diff --git a/SOURCES/0007-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch b/SOURCES/0007-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch
new file mode 100644
index 0000000..68427ae
--- /dev/null
+++ b/SOURCES/0007-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch
@@ -0,0 +1,39 @@
+From de03e7456108de3f3d28c6a5d33926525b70557f Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 30 Aug 2018 14:28:10 -0400
+Subject: [PATCH] Ticket 49932 - Crash in delete_passwdPolicy when persistent
+ search connections are terminated unexpectedly
+
+Bug Description: We clone a pblock in a psearch search, and under certain
+ error conditions this pblock is freed, but it frees the
+ password policy struct which can lead to a double free
+ when the original pblock is destroyed.
+
+Fix Description: During the cloning, set the pwppolicy struct to NULL
+ so the clone allocates its own policy if needed
+
+https://pagure.io/389-ds-base/issue/49932
+
+Reviewed by: ?
+
+(cherry picked from commit 78fc627accacfa4061ce48977e22301f81ea8d73)
+---
+ ldap/servers/slapd/pblock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
+index 4514c3ce6..bc18a7b18 100644
+--- a/ldap/servers/slapd/pblock.c
++++ b/ldap/servers/slapd/pblock.c
+@@ -322,6 +322,8 @@ slapi_pblock_clone(Slapi_PBlock *pb)
+ if (pb->pb_intop != NULL) {
+ _pblock_assert_pb_intop(new_pb);
+ *(new_pb->pb_intop) = *(pb->pb_intop);
++ /* set pwdpolicy to NULL so this clone allocates its own policy */
++ new_pb->pb_intop->pwdpolicy = NULL;
+ }
+ if (pb->pb_intplugin != NULL) {
+ _pblock_assert_pb_intplugin(new_pb);
+--
+2.17.1
+
diff --git a/SOURCES/0008-Bug-1624004-potential-denial-of-service-attack.patch b/SOURCES/0008-Bug-1624004-potential-denial-of-service-attack.patch
new file mode 100644
index 0000000..aafb6eb
--- /dev/null
+++ b/SOURCES/0008-Bug-1624004-potential-denial-of-service-attack.patch
@@ -0,0 +1,99 @@
+From ab7848a4a30d79c7433a1689ba1ea18897b73453 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Tue, 18 Sep 2018 16:39:26 -0400
+Subject: [PATCH] Bug 1624004 - potential denial of service attack
+
+Bug: a search request passing 8MB of NULL bytes as search attributes will
+ keep one thread busy for a long time.
+ The reason is that the attr array is copied/normalized to the searchattrs in
+ the search operation and does this using charray_add() which iterates thru
+ the array to determine the size of the array and then allocate one element more.
+ so this means we iterat 8 million times an array with a then average size of
+ 4 million elements.
+
+Fix: We already have traversed the array once and know the size, so we can allocate
+ the needed size once and only copy the element.
+ In addition we check for the kind of degenerated attributes "" as used in this
+ test scenario.
+ So the fix will reject invalid attr liste and improve performance for valid ones
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1624004
+---
+ ldap/servers/slapd/search.c | 16 ++++++++++++++--
+ ldap/servers/slapd/unbind.c | 4 ++--
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
+index 731c6519e..dc26fc4d2 100644
+--- a/ldap/servers/slapd/search.c
++++ b/ldap/servers/slapd/search.c
+@@ -209,6 +209,7 @@ do_search(Slapi_PBlock *pb)
+ if (attrs != NULL) {
+ char *normaci = slapi_attr_syntax_normalize("aci");
+ int replace_aci = 0;
++ int attr_count = 0;
+ if (!normaci) {
+ normaci = slapi_ch_strdup("aci");
+ } else if (strcasecmp(normaci, "aci")) {
+@@ -218,9 +219,19 @@ do_search(Slapi_PBlock *pb)
+ /*
+ * . store gerattrs if any
+ * . add "aci" once if "*" is given
++ * . check that attrs are not degenerated
+ */
+ for (i = 0; attrs[i] != NULL; i++) {
+ char *p = NULL;
++ attr_count++;
++
++ if ( attrs[i][0] == '\0') {
++ log_search_access(pb, base, scope, fstr, "invalid attribute request");
++ send_ldap_result(pb, LDAP_PROTOCOL_ERROR, NULL, NULL, 0, NULL);
++ slapi_ch_free_string(&normaci);
++ goto free_and_return;
++ }
++
+ /* check if @<objectclass> is included */
+ p = strchr(attrs[i], '@');
+ if (p) {
+@@ -244,6 +255,7 @@ do_search(Slapi_PBlock *pb)
+ } else if (strcmp(attrs[i], LDAP_ALL_USER_ATTRS /* '*' */) == 0) {
+ if (!charray_inlist(attrs, normaci)) {
+ charray_add(&attrs, slapi_ch_strdup(normaci));
++ attr_count++;
+ }
+ } else if (replace_aci && (strcasecmp(attrs[i], "aci") == 0)) {
+ slapi_ch_free_string(&attrs[i]);
+@@ -263,13 +275,13 @@ do_search(Slapi_PBlock *pb)
+ }
+ } else {
+ /* return the chopped type, e.g., "sn" */
+- operation->o_searchattrs = NULL;
++ operation->o_searchattrs = (char **)slapi_ch_calloc(sizeof(char *), attr_count+1);
+ for (i = 0; attrs[i] != NULL; i++) {
+ char *type;
+ type = slapi_attr_syntax_normalize_ext(attrs[i],
+ ATTR_SYNTAX_NORM_ORIG_ATTR);
+ /* attrs[i] is consumed */
+- charray_add(&operation->o_searchattrs, attrs[i]);
++ operation->o_searchattrs[i] = attrs[i];
+ attrs[i] = type;
+ }
+ }
+diff --git a/ldap/servers/slapd/unbind.c b/ldap/servers/slapd/unbind.c
+index 90f7b1546..686e27a8e 100644
+--- a/ldap/servers/slapd/unbind.c
++++ b/ldap/servers/slapd/unbind.c
+@@ -87,8 +87,8 @@ do_unbind(Slapi_PBlock *pb)
+ /* pass the unbind to all backends */
+ be_unbindall(pb_conn, operation);
+
++free_and_return:;
++
+ /* close the connection to the client */
+ disconnect_server(pb_conn, operation->o_connid, operation->o_opid, SLAPD_DISCONNECT_UNBIND, 0);
+-
+-free_and_return:;
+ }
+--
+2.17.1
+
diff --git a/SOURCES/0008-Ticket-48235-remove-memberof-lock-cherry-pick-error.patch b/SOURCES/0008-Ticket-48235-remove-memberof-lock-cherry-pick-error.patch
deleted file mode 100644
index 67d6c96..0000000
--- a/SOURCES/0008-Ticket-48235-remove-memberof-lock-cherry-pick-error.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 23a82820bce65653f96450fcc410706fa555fbfd Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Mon, 16 Oct 2017 10:44:29 -0400
-Subject: [PATCH] Ticket 48235 - remove memberof lock (cherry-pick error)
-
-Description: Fix cherry-pick error
-
-https://pagure.io/389-ds-base/issue/48235
-
-Reviewed by: mreynolds(one line commit rule)
-
-(cherry picked from commit 3eb443b0ee11f3cf642ebfbcd135868a72ce39da)
----
- ldap/servers/plugins/memberof/memberof.c | 3 ---
- ldap/servers/plugins/memberof/memberof.h | 2 --
- 2 files changed, 5 deletions(-)
-
-diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
-index a23c52abe..bae242c81 100644
---- a/ldap/servers/plugins/memberof/memberof.c
-+++ b/ldap/servers/plugins/memberof/memberof.c
-@@ -2828,9 +2828,6 @@ memberof_fixup_task_thread(void *arg)
- }
- }
-
-- /* get the memberOf operation lock */
-- memberof_lock();
--
- /* do real work */
- rc = memberof_fix_memberof(&configCopy, task, td);
-
-diff --git a/ldap/servers/plugins/memberof/memberof.h b/ldap/servers/plugins/memberof/memberof.h
-index ba64e9dfa..cf028453c 100644
---- a/ldap/servers/plugins/memberof/memberof.h
-+++ b/ldap/servers/plugins/memberof/memberof.h
-@@ -88,8 +88,6 @@ int memberof_config(Slapi_Entry *config_e, Slapi_PBlock *pb);
- void memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src);
- void memberof_free_config(MemberOfConfig *config);
- MemberOfConfig *memberof_get_config(void);
--void memberof_lock(void);
--void memberof_unlock(void);
- void memberof_rlock_config(void);
- void memberof_wlock_config(void);
- void memberof_unlock_config(void);
---
-2.13.6
-
diff --git a/SOURCES/0009-Bug-1624004-fix-regression-in-empty-attribute-list.patch b/SOURCES/0009-Bug-1624004-fix-regression-in-empty-attribute-list.patch
new file mode 100644
index 0000000..49fe251
--- /dev/null
+++ b/SOURCES/0009-Bug-1624004-fix-regression-in-empty-attribute-list.patch
@@ -0,0 +1,43 @@
+From 55e961338810d89a6f45f31f27b3fd609535b1da Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 19 Sep 2018 09:26:59 -0400
+Subject: [PATCH] Bug 1624004 - fix regression in empty attribute list
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1624004
+---
+ ldap/servers/slapd/search.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
+index dc26fc4d2..7e253f535 100644
+--- a/ldap/servers/slapd/search.c
++++ b/ldap/servers/slapd/search.c
+@@ -210,6 +210,7 @@ do_search(Slapi_PBlock *pb)
+ char *normaci = slapi_attr_syntax_normalize("aci");
+ int replace_aci = 0;
+ int attr_count = 0;
++ int empty_attrs = 0;
+ if (!normaci) {
+ normaci = slapi_ch_strdup("aci");
+ } else if (strcasecmp(normaci, "aci")) {
+@@ -226,10 +227,13 @@ do_search(Slapi_PBlock *pb)
+ attr_count++;
+
+ if ( attrs[i][0] == '\0') {
+- log_search_access(pb, base, scope, fstr, "invalid attribute request");
+- send_ldap_result(pb, LDAP_PROTOCOL_ERROR, NULL, NULL, 0, NULL);
+- slapi_ch_free_string(&normaci);
+- goto free_and_return;
++ empty_attrs++;
++ if (empty_attrs > 1) {
++ log_search_access(pb, base, scope, fstr, "invalid attribute request");
++ send_ldap_result(pb, LDAP_PROTOCOL_ERROR, NULL, NULL, 0, NULL);
++ slapi_ch_free_string(&normaci);
++ goto free_and_return;
++ }
+ }
+
+ /* check if @<objectclass> is included */
+--
+2.17.1
+
diff --git a/SOURCES/0009-Ticket-49394-slapi_pblock_get-may-leave-unchanged-th.patch b/SOURCES/0009-Ticket-49394-slapi_pblock_get-may-leave-unchanged-th.patch
deleted file mode 100644
index e2b42d7..0000000
--- a/SOURCES/0009-Ticket-49394-slapi_pblock_get-may-leave-unchanged-th.patch
+++ /dev/null
@@ -1,703 +0,0 @@
-From 0b58d1a62679c3961bc41e03591c4277fb9f183e Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Thu, 5 Oct 2017 12:50:50 +0200
-Subject: [PATCH] Ticket 49394 - slapi_pblock_get may leave unchanged the
- provided variable
-
-Bug Description:
- Since 1.3.6.4 the pblock struct is a split in sub-structs
- (https://pagure.io/389-ds-base/issue/49097)
-
- Before, it was a quite flat calloc struct and any slapi-pblock-get
- retrieved the field (NULL if not previously slapi_pblock_set) and
- assigned the provided variable.
-
- Now, the sub-struct are allocated on demand (slapi_pblock_set).
- If a substruct that contains the requested field is not allocated the
- provided variable is unchanged.
-
- This is a change of behavior, because a uninitialized local variable can
- get random value (stack) if the lookup field/struct has not been set.
-
-Fix Description:
- Update slapi_pblock_set so that it systematically sets the
- provided variable when those substructs are NULL
- pb_mr
- pb_dse
- pb_task
- pb_misc
- pb_intop
- pb_intplugin
- pb_deprecated
-
-https://pagure.io/389-ds-base/issue/49394
-
-Reviewed by: Mark Reynolds, William Brown
-
-Platforms tested: F23
-
-Flag Day: no
-
-Doc impact: no
----
- ldap/servers/slapd/pblock.c | 166 +++++++++++++++++++++++++++++++++++++++++++-
- 1 file changed, 165 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
-index 077684d23..8f87de5b5 100644
---- a/ldap/servers/slapd/pblock.c
-+++ b/ldap/servers/slapd/pblock.c
-@@ -379,6 +379,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_BACKEND_COUNT:
- if (pblock->pb_misc != NULL) {
- (*(int *)value) = pblock->pb_misc->pb_backend_count;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_BE_TYPE:
-@@ -616,6 +618,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_REQUESTOR_ISROOT:
- if (pblock->pb_intop != NULL) {
- (*(int *)value) = pblock->pb_intop->pb_requestor_isroot;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_SKIP_MODIFIED_ATTRS:
-@@ -657,6 +661,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_DESTROY_CONTENT:
- if (pblock->pb_deprecated != NULL) {
- (*(int *)value) = pblock->pb_deprecated->pb_destroy_content;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
-
-@@ -685,16 +691,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_PLUGIN_OPRETURN:
- if (pblock->pb_intop != NULL) {
- (*(int *)value) = pblock->pb_intop->pb_opreturn;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_PLUGIN_OBJECT:
- if (pblock->pb_intplugin != NULL) {
- (*(void **)value) = pblock->pb_intplugin->pb_object;
-+ } else {
-+ (*(void **)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_DESTROY_FN:
- if (pblock->pb_intplugin != NULL) {
- (*(IFP *)value) = pblock->pb_intplugin->pb_destroy_fn;
-+ } else {
-+ (*(IFP *)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_DESCRIPTION:
-@@ -703,11 +715,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_PLUGIN_IDENTITY:
- if (pblock->pb_intplugin != NULL) {
- (*(void **)value) = pblock->pb_intplugin->pb_plugin_identity;
-+ } else {
-+ (*(void **)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_CONFIG_AREA:
- if (pblock->pb_intplugin != NULL) {
- (*(char **)value) = pblock->pb_intplugin->pb_plugin_config_area;
-+ } else {
-+ (*(char **)value) = 0;
- }
- break;
- case SLAPI_PLUGIN_CONFIG_DN:
-@@ -718,16 +734,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_PLUGIN_INTOP_RESULT:
- if (pblock->pb_intop != NULL) {
- (*(int *)value) = pblock->pb_intop->pb_internal_op_result;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES:
- if (pblock->pb_intop != NULL) {
- (*(Slapi_Entry ***)value) = pblock->pb_intop->pb_plugin_internal_search_op_entries;
-+ } else {
-+ (*(Slapi_Entry ***)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_INTOP_SEARCH_REFERRALS:
- if (pblock->pb_intop != NULL) {
- (*(char ***)value) = pblock->pb_intop->pb_plugin_internal_search_op_referrals;
-+ } else {
-+ (*(char ***)value) = NULL;
- }
- break;
-
-@@ -1167,11 +1189,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_ENTRY_PRE_OP:
- if (pblock->pb_intop != NULL) {
- (*(Slapi_Entry **)value) = pblock->pb_intop->pb_pre_op_entry;
-+ } else {
-+ (*(Slapi_Entry **)value) = NULL;
- }
- break;
- case SLAPI_ENTRY_POST_OP:
- if (pblock->pb_intop != NULL) {
- (*(Slapi_Entry **)value) = pblock->pb_intop->pb_post_op_entry;
-+ } else {
-+ (*(Slapi_Entry **)value) = NULL;
- }
- break;
-
-@@ -1419,12 +1445,16 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_CONTROLS_ARG: /* used to pass control argument before operation is created */
- if (pblock->pb_intop != NULL) {
- (*(LDAPControl ***)value) = pblock->pb_intop->pb_ctrls_arg;
-+ } else {
-+ (*(LDAPControl ***)value) = NULL;
- }
- break;
- /* notes to be added to the access log RESULT line for this op. */
- case SLAPI_OPERATION_NOTES:
- if (pblock->pb_intop != NULL) {
- (*(unsigned int *)value) = pblock->pb_intop->pb_operation_notes;
-+ } else {
-+ (*(unsigned int *)value) = 0;
- }
- break;
-
-@@ -1486,6 +1516,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_SYNTAX_SUBSTRLENS: /* aka SLAPI_MR_SUBSTRLENS */
- if (pblock->pb_intplugin != NULL) {
- (*(int **)value) = pblock->pb_intplugin->pb_substrlens;
-+ } else {
-+ (*(int **)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_SYNTAX_VALIDATE:
-@@ -1505,11 +1537,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_MANAGEDSAIT:
- if (pblock->pb_intop != NULL) {
- (*(int *)value) = pblock->pb_intop->pb_managedsait;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_PWPOLICY:
- if (pblock->pb_intop != NULL) {
- (*(int *)value) = pblock->pb_intop->pb_pwpolicy_ctrl;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
-
-@@ -1522,11 +1558,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_ADD_EXISTING_DN_ENTRY:
- if (pblock->pb_intop != NULL) {
- (*(Slapi_Entry **)value) = pblock->pb_intop->pb_existing_dn_entry;
-+ } else {
-+ (*(Slapi_Entry **)value) = NULL;
- }
- break;
- case SLAPI_ADD_EXISTING_UNIQUEID_ENTRY:
- if (pblock->pb_intop != NULL) {
- (*(Slapi_Entry **)value) = pblock->pb_intop->pb_existing_uniqueid_entry;
-+ } else {
-+ (*(Slapi_Entry **)value) = NULL;
- }
- break;
- case SLAPI_ADD_PARENT_ENTRY:
-@@ -1537,6 +1577,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_ADD_PARENT_UNIQUEID:
- if (pblock->pb_op != NULL) {
- (*(char **)value) = pblock->pb_op->o_params.p.p_add.parentuniqueid;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
-@@ -1624,16 +1666,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_MODRDN_PARENT_ENTRY:
- if (pblock->pb_intop != NULL) {
- (*(Slapi_Entry **)value) = pblock->pb_intop->pb_parent_entry;
-+ } else {
-+ (*(Slapi_Entry **)value) = NULL;
- }
- break;
- case SLAPI_MODRDN_NEWPARENT_ENTRY:
- if (pblock->pb_intop != NULL) {
- (*(Slapi_Entry **)value) = pblock->pb_intop->pb_newparent_entry;
-+ } else {
-+ (*(Slapi_Entry **)value) = NULL;
- }
- break;
- case SLAPI_MODRDN_TARGET_ENTRY:
- if (pblock->pb_intop != NULL) {
- (*(Slapi_Entry **)value) = pblock->pb_intop->pb_target_entry;
-+ } else {
-+ (*(Slapi_Entry **)value) = NULL;
- }
- break;
- case SLAPI_MODRDN_NEWSUPERIOR_ADDRESS:
-@@ -1740,26 +1788,36 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_PLUGIN_MR_FILTER_MATCH_FN:
- if (pblock->pb_mr != NULL) {
- (*(mrFilterMatchFn *)value) = pblock->pb_mr->filter_match_fn;
-+ } else {
-+ (*(mrFilterMatchFn *)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_MR_FILTER_INDEX_FN:
- if (pblock->pb_mr != NULL) {
- (*(IFP *)value) = pblock->pb_mr->filter_index_fn;
-+ } else {
-+ (*(IFP *)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_MR_FILTER_RESET_FN:
- if (pblock->pb_mr != NULL) {
- (*(IFP *)value) = pblock->pb_mr->filter_reset_fn;
-+ } else {
-+ (*(IFP *)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_MR_INDEX_FN:
- if (pblock->pb_mr != NULL) {
- (*(IFP *)value) = pblock->pb_mr->index_fn;
-+ } else {
-+ (*(IFP *)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_MR_INDEX_SV_FN:
- if (pblock->pb_mr != NULL) {
- (*(IFP *)value) = pblock->pb_mr->index_sv_fn;
-+ } else {
-+ (*(IFP *)value) = NULL;
- }
- break;
-
-@@ -1767,41 +1825,57 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_PLUGIN_MR_OID:
- if (pblock->pb_mr != NULL) {
- (*(char **)value) = pblock->pb_mr->oid;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_MR_TYPE:
- if (pblock->pb_mr != NULL) {
- (*(char **)value) = pblock->pb_mr->type;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_MR_VALUE:
- if (pblock->pb_mr != NULL) {
- (*(struct berval **)value) = pblock->pb_mr->value;
-+ } else {
-+ (*(struct berval **)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_MR_VALUES:
- if (pblock->pb_mr != NULL) {
- (*(struct berval ***)value) = pblock->pb_mr->values;
-+ } else {
-+ (*(struct berval ***)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_MR_KEYS:
- if (pblock->pb_mr != NULL) {
- (*(struct berval ***)value) = pblock->pb_mr->keys;
-+ } else {
-+ (*(struct berval ***)value) = NULL;
- }
- break;
- case SLAPI_PLUGIN_MR_FILTER_REUSABLE:
- if (pblock->pb_mr != NULL) {
- (*(unsigned int *)value) = pblock->pb_mr->filter_reusable;
-+ } else {
-+ (*(unsigned int *)value) = 0;
- }
- break;
- case SLAPI_PLUGIN_MR_QUERY_OPERATOR:
- if (pblock->pb_mr != NULL) {
- (*(int *)value) = pblock->pb_mr->query_operator;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_PLUGIN_MR_USAGE:
- if (pblock->pb_mr != NULL) {
- (*(unsigned int *)value) = pblock->pb_mr->usage;
-+ } else {
-+ (*(unsigned int *)value) = 0;
- }
- break;
-
-@@ -1865,16 +1939,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_SEQ_TYPE:
- if (pblock->pb_task != NULL) {
- (*(int *)value) = pblock->pb_task->seq_type;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_SEQ_ATTRNAME:
- if (pblock->pb_task != NULL) {
- (*(char **)value) = pblock->pb_task->seq_attrname;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
- case SLAPI_SEQ_VAL:
- if (pblock->pb_task != NULL) {
- (*(char **)value) = pblock->pb_task->seq_val;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
-@@ -1882,47 +1962,65 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_LDIF2DB_FILE:
- if (pblock->pb_task != NULL) {
- (*(char ***)value) = pblock->pb_task->ldif_files;
-+ } else {
-+ (*(char ***)value) = NULL;
- }
- break;
- case SLAPI_LDIF2DB_REMOVEDUPVALS:
- if (pblock->pb_task != NULL) {
- (*(int *)value) = pblock->pb_task->removedupvals;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_DB2INDEX_ATTRS:
- if (pblock->pb_task != NULL) {
- (*(char ***)value) = pblock->pb_task->db2index_attrs;
-+ } else {
-+ (*(char ***)value) = NULL;
- }
- break;
- case SLAPI_LDIF2DB_NOATTRINDEXES:
- if (pblock->pb_task != NULL) {
- (*(int *)value) = pblock->pb_task->ldif2db_noattrindexes;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_LDIF2DB_INCLUDE:
- if (pblock->pb_task != NULL) {
- (*(char ***)value) = pblock->pb_task->ldif_include;
-+ } else {
-+ (*(char ***)value) = NULL;
- }
- break;
- case SLAPI_LDIF2DB_EXCLUDE:
- if (pblock->pb_task != NULL) {
- (*(char ***)value) = pblock->pb_task->ldif_exclude;
-+ } else {
-+ (*(char ***)value) = NULL;
- }
- break;
- case SLAPI_LDIF2DB_GENERATE_UNIQUEID:
- if (pblock->pb_task != NULL) {
- (*(int *)value) = pblock->pb_task->ldif_generate_uniqueid;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_LDIF2DB_ENCRYPT:
- case SLAPI_DB2LDIF_DECRYPT:
- if (pblock->pb_task != NULL) {
- (*(int *)value) = pblock->pb_task->ldif_encrypt;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_LDIF2DB_NAMESPACEID:
- if (pblock->pb_task != NULL) {
- (*(char **)value) = pblock->pb_task->ldif_namespaceid;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
-@@ -1930,16 +2028,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_DB2LDIF_PRINTKEY:
- if (pblock->pb_task != NULL) {
- (*(int *)value) = pblock->pb_task->ldif_printkey;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_DB2LDIF_DUMP_UNIQUEID:
- if (pblock->pb_task != NULL) {
- (*(int *)value) = pblock->pb_task->ldif_dump_uniqueid;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_DB2LDIF_FILE:
- if (pblock->pb_task != NULL) {
- (*(char **)value) = pblock->pb_task->ldif_file;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
-@@ -1947,37 +2051,51 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_BACKEND_INSTANCE_NAME:
- if (pblock->pb_task != NULL) {
- (*(char **)value) = pblock->pb_task->instance_name;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
- case SLAPI_BACKEND_TASK:
- if (pblock->pb_task != NULL) {
- (*(Slapi_Task **)value) = pblock->pb_task->task;
-+ } else {
-+ (*(Slapi_Task **)value) = NULL;
- }
- break;
- case SLAPI_TASK_FLAGS:
- if (pblock->pb_task != NULL) {
- (*(int *)value) = pblock->pb_task->task_flags;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_DB2LDIF_SERVER_RUNNING:
- if (pblock->pb_task != NULL) {
- (*(int *)value) = pblock->pb_task->server_running;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_BULK_IMPORT_ENTRY:
- if (pblock->pb_task != NULL) {
- (*(Slapi_Entry **)value) = pblock->pb_task->import_entry;
-+ } else {
-+ (*(Slapi_Entry **)value) = NULL;
- }
- break;
- case SLAPI_BULK_IMPORT_STATE:
- if (pblock->pb_task != NULL) {
- (*(int *)value) = pblock->pb_task->import_state;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- /* dbverify */
- case SLAPI_DBVERIFY_DBDIR:
- if (pblock->pb_task != NULL) {
- (*(char **)value) = pblock->pb_task->dbverify_dbdir;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
-@@ -1993,11 +2111,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_TXN:
- if (pblock->pb_intop != NULL) {
- (*(void **)value) = pblock->pb_intop->pb_txn;
-+ } else {
-+ (*(void **)value) = NULL;
- }
- break;
- case SLAPI_TXN_RUV_MODS_FN:
- if (pblock->pb_intop != NULL) {
- (*(IFP *)value) = pblock->pb_intop->pb_txn_ruv_mods_fn;
-+ } else {
-+ (*(IFP *)value) = NULL;
- }
- break;
-
-@@ -2052,6 +2174,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_PB_RESULT_TEXT:
- if (pblock->pb_intop != NULL) {
- *((char **)value) = pblock->pb_intop->pb_result_text;
-+ } else {
-+ *((char **)value) = NULL;
- }
- break;
-
-@@ -2059,6 +2183,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_DBSIZE:
- if (pblock->pb_misc != NULL) {
- (*(unsigned int *)value) = pblock->pb_misc->pb_dbsize;
-+ } else {
-+ (*(unsigned int *)value) = 0;
- }
- break;
-
-@@ -2153,11 +2279,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_ARGC:
- if (pblock->pb_misc != NULL) {
- (*(int *)value) = pblock->pb_misc->pb_slapd_argc;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
- case SLAPI_ARGV:
- if (pblock->pb_misc != NULL) {
- (*(char ***)value) = pblock->pb_misc->pb_slapd_argv;
-+ } else {
-+ (*(char ***)value) = NULL;
- }
- break;
-
-@@ -2165,6 +2295,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_CONFIG_DIRECTORY:
- if (pblock->pb_intplugin != NULL) {
- (*(char **)value) = pblock->pb_intplugin->pb_slapd_configdir;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
-@@ -2175,12 +2307,16 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_PLUGIN_PWD_STORAGE_SCHEME_USER_PWD:
- if (pblock->pb_deprecated != NULL) {
- (*(char **)value) = pblock->pb_deprecated->pb_pwd_storage_scheme_user_passwd;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
- case SLAPI_PLUGIN_PWD_STORAGE_SCHEME_DB_PWD:
- if (pblock->pb_deprecated != NULL) {
- (*(char **)value) = pblock->pb_deprecated->pb_pwd_storage_scheme_db_passwd;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
-@@ -2208,6 +2344,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_PLUGIN_ENABLED:
- if (pblock->pb_intplugin != NULL) {
- *((int *)value) = pblock->pb_intplugin->pb_plugin_enabled;
-+ } else {
-+ *((int *)value) = 0;
- }
- break;
-
-@@ -2215,6 +2353,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_DSE_DONT_WRITE_WHEN_ADDING:
- if (pblock->pb_dse != NULL) {
- (*(int *)value) = pblock->pb_dse->dont_add_write;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
-
-@@ -2222,6 +2362,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_DSE_MERGE_WHEN_ADDING:
- if (pblock->pb_dse != NULL) {
- (*(int *)value) = pblock->pb_dse->add_merge;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
-
-@@ -2229,6 +2371,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_DSE_DONT_CHECK_DUPS:
- if (pblock->pb_dse != NULL) {
- (*(int *)value) = pblock->pb_dse->dont_check_dups;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
-
-@@ -2236,6 +2380,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_DSE_REAPPLY_MODS:
- if (pblock->pb_dse != NULL) {
- (*(int *)value) = pblock->pb_dse->reapply_mods;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
-
-@@ -2243,6 +2389,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_DSE_IS_PRIMARY_FILE:
- if (pblock->pb_dse != NULL) {
- (*(int *)value) = pblock->pb_dse->is_primary_file;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
-
-@@ -2250,42 +2398,56 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_SCHEMA_FLAGS:
- if (pblock->pb_dse != NULL) {
- (*(int *)value) = pblock->pb_dse->schema_flags;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
-
- case SLAPI_URP_NAMING_COLLISION_DN:
- if (pblock->pb_intop != NULL) {
- (*(char **)value) = pblock->pb_intop->pb_urp_naming_collision_dn;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
- case SLAPI_URP_TOMBSTONE_UNIQUEID:
- if (pblock->pb_intop != NULL) {
- (*(char **)value) = pblock->pb_intop->pb_urp_tombstone_uniqueid;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
- case SLAPI_URP_TOMBSTONE_CONFLICT_DN:
- if (pblock->pb_intop != NULL) {
-- (*(char **)value) = pblock->pb_intop->pb_urp_tombstone_conflict_dn;
-+ (*(char **)value) = pblock->pb_intop->pb_urp_tombstone_conflict_dn;
-+ } else {
-+ (*(char **)value) = NULL;
- }
- break;
-
- case SLAPI_SEARCH_CTRLS:
- if (pblock->pb_intop != NULL) {
- (*(LDAPControl ***)value) = pblock->pb_intop->pb_search_ctrls;
-+ } else {
-+ (*(LDAPControl ***)value) = NULL;
- }
- break;
-
- case SLAPI_PLUGIN_SYNTAX_FILTER_NORMALIZED:
- if (pblock->pb_intplugin != NULL) {
- (*(int *)value) = pblock->pb_intplugin->pb_syntax_filter_normalized;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
-
- case SLAPI_PLUGIN_SYNTAX_FILTER_DATA:
- if (pblock->pb_intplugin != NULL) {
- (*(void **)value) = pblock->pb_intplugin->pb_syntax_filter_data;
-+ } else {
-+ (*(void **)value) = NULL;
- }
- break;
-
-@@ -2311,6 +2473,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- case SLAPI_ACI_TARGET_CHECK:
- if (pblock->pb_misc != NULL) {
- (*(int *)value) = pblock->pb_misc->pb_aci_target_check;
-+ } else {
-+ (*(int *)value) = 0;
- }
- break;
-
---
-2.13.6
-
diff --git a/SOURCES/0010-Ticket-49402-Adding-a-database-entry-with-the-same-d.patch b/SOURCES/0010-Ticket-49402-Adding-a-database-entry-with-the-same-d.patch
deleted file mode 100644
index de029d8..0000000
--- a/SOURCES/0010-Ticket-49402-Adding-a-database-entry-with-the-same-d.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 697e01b0ca2d028f0d2cabc47ab2335de93b0491 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Mon, 16 Oct 2017 12:52:46 -0400
-Subject: [PATCH] Ticket 49402 - Adding a database entry with the same database
- name that was deleted hangs server at shutdown
-
-Bug Description: At shutdown, after a backend was deleted, which also had a import
- task run, the server hangs at shutdown. The issue is that the
- import task destructor used the ldbm inst struct to see if it was
- busy, but the inst was freed and the destructor was checking invalid
- memory which caused a false positive on the "busy" check.
-
-Fix Description: Do not check if the instance is busy to tell if it's okay to remove
- the task, instead just check the task's state.
-
-https://pagure.io/389-ds-base/issue/49402
-
-Reviewed by: lkrispen(Thanks!)
-
-(cherry picked from commit bc6dbf15c160ac7e6c553133b2b936a981cfb7b6)
----
- ldap/servers/slapd/back-ldbm/import.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/back-ldbm/import.c b/ldap/servers/slapd/back-ldbm/import.c
-index e8f4a5615..42e2696d3 100644
---- a/ldap/servers/slapd/back-ldbm/import.c
-+++ b/ldap/servers/slapd/back-ldbm/import.c
-@@ -244,7 +244,7 @@ import_task_destroy(Slapi_Task *task)
- return;
- }
-
-- while (is_instance_busy(job->inst)) {
-+ while (task->task_state == SLAPI_TASK_RUNNING) {
- /* wait for the job to finish before freeing it */
- DS_Sleep(PR_SecondsToInterval(1));
- }
---
-2.13.6
-
diff --git a/SOURCES/0011-Ticket-49064-RFE-allow-to-enable-MemberOf-plugin-in-.patch b/SOURCES/0011-Ticket-49064-RFE-allow-to-enable-MemberOf-plugin-in-.patch
deleted file mode 100644
index 914e1d0..0000000
--- a/SOURCES/0011-Ticket-49064-RFE-allow-to-enable-MemberOf-plugin-in-.patch
+++ /dev/null
@@ -1,332 +0,0 @@
-From 4af03a6a2a59684950d887d42c6e9d8b027d71f5 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Mon, 16 Oct 2017 11:21:51 +0200
-Subject: [PATCH] Ticket 49064 - RFE allow to enable MemberOf plugin in
- dedicated consumer
-
-Bug Description:
- memberof triggers some internal updates to add/del 'memberof' values.
- on a readonly consumer, those updates selects a REFERRAL_ON_UPDATE backend
- and that is not followed by internal updates.
- At the end of the day, the update is rejected and if memberof plugin is enabled
- replication will stuck on that rejected update
-
-Fix Description:
- internal updates from memberof need to bypassing referrals.
- So they flag internal updates SLAPI_OP_FLAG_BYPASS_REFERRALS, so that mtn_get_be
- (mapping tree selection) will not return the referrals.
-
-https://pagure.io/389-ds-base/issue/49064
-
-Reviewed by: Ludwig Krispenz, William Brown (thanks a LOT !)
-
-Platforms tested: F23 (all tickets + basic suite)
-
-Flag Day: no
-
-Doc impact: no
----
- dirsrvtests/tests/tickets/ticket49064_test.py | 259 ++++++++++++++++++++++++++
- ldap/servers/plugins/memberof/memberof.c | 6 +-
- 2 files changed, 262 insertions(+), 3 deletions(-)
- create mode 100644 dirsrvtests/tests/tickets/ticket49064_test.py
-
-diff --git a/dirsrvtests/tests/tickets/ticket49064_test.py b/dirsrvtests/tests/tickets/ticket49064_test.py
-new file mode 100644
-index 000000000..b4b6de4b9
---- /dev/null
-+++ b/dirsrvtests/tests/tickets/ticket49064_test.py
-@@ -0,0 +1,259 @@
-+import logging
-+import pytest
-+import os
-+import time
-+import ldap
-+import subprocess
-+from lib389.utils import ds_is_older
-+from lib389.topologies import topology_m1h1c1 as topo
-+from lib389._constants import *
-+from lib389 import Entry
-+
-+# Skip on older versions
-+pytestmark = pytest.mark.skipif(ds_is_older('1.3.7'), reason="Not implemented")
-+
-+USER_CN='user_'
-+GROUP_CN='group_'
-+FIXUP_FILTER = '(objectClass=*)'
-+FIXUP_CMD = 'fixup-memberof.pl'
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+def memberof_fixup_task(server):
-+ sbin_dir = server.get_sbin_dir()
-+ memof_task = os.path.join(sbin_dir, FIXUP_CMD)
-+ try:
-+ output = subprocess.check_output(
-+ [memof_task, '-D', DN_DM, '-w', PASSWORD, '-b', SUFFIX, '-Z', SERVERID_CONSUMER_1, '-f', FIXUP_FILTER])
-+ except subprocess.CalledProcessError as err:
-+ output = err.output
-+ log.info('output: {}'.format(output))
-+ expected = "Successfully added task entry"
-+ assert expected in output
-+
-+def config_memberof(server):
-+
-+ server.plugins.enable(name=PLUGIN_MEMBER_OF)
-+ MEMBEROF_PLUGIN_DN = ('cn=' + PLUGIN_MEMBER_OF + ',cn=plugins,cn=config')
-+ server.modify_s(MEMBEROF_PLUGIN_DN, [(ldap.MOD_REPLACE,
-+ 'memberOfAllBackends',
-+ 'on'),
-+ (ldap.MOD_REPLACE, 'memberOfAutoAddOC', 'nsMemberOf')])
-+ # Configure fractional to prevent total init to send memberof
-+ ents = server.agreement.list(suffix=DEFAULT_SUFFIX)
-+ for ent in ents:
-+ log.info('update %s to add nsDS5ReplicatedAttributeListTotal' % ent.dn)
-+ server.modify_s(ent.dn,
-+ [(ldap.MOD_REPLACE,
-+ 'nsDS5ReplicatedAttributeListTotal',
-+ '(objectclass=*) $ EXCLUDE '),
-+ (ldap.MOD_REPLACE,
-+ 'nsDS5ReplicatedAttributeList',
-+ '(objectclass=*) $ EXCLUDE memberOf')])
-+
-+
-+def send_updates_now(server):
-+
-+ ents = server.agreement.list(suffix=DEFAULT_SUFFIX)
-+ for ent in ents:
-+ server.agreement.pause(ent.dn)
-+ server.agreement.resume(ent.dn)
-+
-+def add_user(server, no, desc='dummy', sleep=True):
-+ cn = '%s%d' % (USER_CN, no)
-+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX)
-+ log.fatal('Adding user (%s): ' % dn)
-+ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'inetuser'],
-+ 'sn': ['_%s' % cn],
-+ 'description': [desc]})))
-+ if sleep:
-+ time.sleep(2)
-+
-+def add_group(server, nr, sleep=True):
-+ cn = '%s%d' % (GROUP_CN, nr)
-+ dn = 'cn=%s,ou=groups,%s' % (cn, SUFFIX)
-+ server.add_s(Entry((dn, {'objectclass': ['top', 'groupofnames'],
-+ 'description': 'group %d' % nr})))
-+ if sleep:
-+ time.sleep(2)
-+
-+def update_member(server, member_dn, group_dn, op, sleep=True):
-+ mod = [(op, 'member', member_dn)]
-+ server.modify_s(group_dn, mod)
-+ if sleep:
-+ time.sleep(2)
-+
-+def _find_memberof(server, member_dn, group_dn, find_result=True):
-+ ent = server.getEntry(member_dn, ldap.SCOPE_BASE, "(objectclass=*)", ['memberof'])
-+ found = False
-+ if ent.hasAttr('memberof'):
-+
-+ for val in ent.getValues('memberof'):
-+ server.log.info("!!!!!!! %s: memberof->%s" % (member_dn, val))
-+ server.log.info("!!!!!!! %s" % (val))
-+ server.log.info("!!!!!!! %s" % (group_dn))
-+ if val.lower() == group_dn.lower():
-+ found = True
-+ break
-+
-+ if find_result:
-+ assert (found)
-+ else:
-+ assert (not found)
-+
-+
-+def test_ticket49064(topo):
-+ """Specify a test case purpose or name here
-+
-+ :id: 60c11636-55a1-4704-9e09-2c6bcc828de4
-+ :setup: 1 Master - 1 Hub - 1 Consumer
-+ :steps:
-+ 1. Configure replication to EXCLUDE memberof
-+ 2. Enable memberof plugin
-+ 3. Create users/groups
-+ 4. make user_1 member of group_1
-+ 5. Checks that user_1 is memberof group_1 on M,H,C
-+ 6. make group_1 member of group_2 (nest group)
-+ 7. Checks that user_1 is memberof group_1 and group_2 on M,H,C
-+ 8. Check group_1 is memberof group_2 on M,H,C
-+ 9. remove group_1 from group_2
-+ 10. Check group_1 and user_1 are NOT memberof group_2 on M,H,C
-+ 11. remove user_1 from group_1
-+ 12. Check user_1 is NOT memberof group_1 and group_2 on M,H,C
-+ 13. Disable memberof on C1
-+ 14. make user_1 member of group_1
-+ 15. Checks that user is memberof group_1 on M,H but not on C
-+ 16. Enable memberof on C1
-+ 17. Checks that user is memberof group_1 on M,H but not on C
-+ 18. Run memberof fixup task
-+ 19. Checks that user is memberof group_1 on M,H,C
-+
-+
-+ :expectedresults:
-+ no assert for membership check
-+ """
-+
-+
-+ M1 = topo.ms["master1"]
-+ H1 = topo.hs["hub1"]
-+ C1 = topo.cs["consumer1"]
-+
-+ # Step 1 & 2
-+ M1.config.enable_log('audit')
-+ config_memberof(M1)
-+ M1.restart()
-+
-+ H1.config.enable_log('audit')
-+ config_memberof(H1)
-+ H1.restart()
-+
-+ C1.config.enable_log('audit')
-+ config_memberof(C1)
-+ C1.restart()
-+
-+ # Step 3
-+ for i in range(10):
-+ add_user(M1, i, desc='add on m1')
-+ for i in range(3):
-+ add_group(M1, i)
-+
-+ # Step 4
-+ member_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX)
-+ group_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX)
-+ update_member(M1, member_dn, group_dn, ldap.MOD_ADD, sleep=True)
-+
-+ # Step 5
-+ for i in [M1, H1, C1]:
-+ _find_memberof(i, member_dn, group_dn, find_result=True)
-+
-+
-+ # Step 6
-+ user_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX)
-+ grp1_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX)
-+ grp2_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 2, SUFFIX)
-+ update_member(M1, grp1_dn, grp2_dn, ldap.MOD_ADD, sleep=True)
-+
-+ # Step 7
-+ for i in [grp1_dn, grp2_dn]:
-+ for inst in [M1, H1, C1]:
-+ _find_memberof(inst, user_dn, i, find_result=True)
-+
-+ # Step 8
-+ for i in [M1, H1, C1]:
-+ _find_memberof(i, grp1_dn, grp2_dn, find_result=True)
-+
-+ # Step 9
-+ user_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX)
-+ grp1_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX)
-+ grp2_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 2, SUFFIX)
-+ update_member(M1, grp1_dn, grp2_dn, ldap.MOD_DELETE, sleep=True)
-+
-+ # Step 10
-+ for inst in [M1, H1, C1]:
-+ for i in [grp1_dn, user_dn]:
-+ _find_memberof(inst, i, grp2_dn, find_result=False)
-+
-+ # Step 11
-+ member_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX)
-+ group_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX)
-+ update_member(M1, member_dn, group_dn, ldap.MOD_DELETE, sleep=True)
-+
-+ # Step 12
-+ for inst in [M1, H1, C1]:
-+ for grp in [grp1_dn, grp2_dn]:
-+ _find_memberof(inst, member_dn, grp, find_result=False)
-+
-+ # Step 13
-+ C1.plugins.disable(name=PLUGIN_MEMBER_OF)
-+ C1.restart()
-+
-+ # Step 14
-+ member_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX)
-+ group_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX)
-+ update_member(M1, member_dn, group_dn, ldap.MOD_ADD, sleep=True)
-+
-+ # Step 15
-+ for i in [M1, H1]:
-+ _find_memberof(i, member_dn, group_dn, find_result=True)
-+ _find_memberof(C1, member_dn, group_dn, find_result=False)
-+
-+ # Step 16
-+ C1.plugins.enable(name=PLUGIN_MEMBER_OF)
-+ C1.restart()
-+
-+ # Step 17
-+ for i in [M1, H1]:
-+ _find_memberof(i, member_dn, group_dn, find_result=True)
-+ _find_memberof(C1, member_dn, group_dn, find_result=False)
-+
-+ # Step 18
-+ memberof_fixup_task(C1)
-+ time.sleep(5)
-+
-+ # Step 19
-+ for i in [M1, H1, C1]:
-+ _find_memberof(i, member_dn, group_dn, find_result=True)
-+
-+ # If you need any test suite initialization,
-+ # please, write additional fixture for that (including finalizer).
-+ # Topology for suites are predefined in lib389/topologies.py.
-+
-+ # If you need host, port or any other data about instance,
-+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid)
-+
-+ if DEBUGGING:
-+ # Add debugging steps(if any)...
-+ pass
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-+
-diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
-index bae242c81..44b52edbb 100644
---- a/ldap/servers/plugins/memberof/memberof.c
-+++ b/ldap/servers/plugins/memberof/memberof.c
-@@ -609,7 +609,7 @@ memberof_del_dn_type_callback(Slapi_Entry *e, void *callback_data)
- slapi_modify_internal_set_pb_ext(
- mod_pb, slapi_entry_get_sdn(e),
- mods, 0, 0,
-- memberof_get_plugin_id(), 0);
-+ memberof_get_plugin_id(), SLAPI_OP_FLAG_BYPASS_REFERRALS);
-
- slapi_modify_internal_pb(mod_pb);
-
-@@ -3224,7 +3224,7 @@ memberof_add_memberof_attr(LDAPMod **mods, const char *dn, char *add_oc)
- mod_pb = slapi_pblock_new();
- slapi_modify_internal_set_pb(
- mod_pb, dn, mods, 0, 0,
-- memberof_get_plugin_id(), 0);
-+ memberof_get_plugin_id(), SLAPI_OP_FLAG_BYPASS_REFERRALS);
- slapi_modify_internal_pb(mod_pb);
-
- slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
-@@ -3279,7 +3279,7 @@ memberof_add_objectclass(char *auto_add_oc, const char *dn)
-
- slapi_modify_internal_set_pb(
- mod_pb, dn, mods, 0, 0,
-- memberof_get_plugin_id(), 0);
-+ memberof_get_plugin_id(), SLAPI_OP_FLAG_BYPASS_REFERRALS);
- slapi_modify_internal_pb(mod_pb);
-
- slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
---
-2.13.6
-
diff --git a/SOURCES/0012-Ticket-49378-server-init-fails.patch b/SOURCES/0012-Ticket-49378-server-init-fails.patch
deleted file mode 100644
index 80c658b..0000000
--- a/SOURCES/0012-Ticket-49378-server-init-fails.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 82e092e9debce16f048b4fe0f38265bc8d80f63d Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Thu, 28 Sep 2017 09:11:00 +1000
-Subject: [PATCH] Ticket 49378 server init fails
-
-Bug Description: We used our own target for DS installation, but
-we should just use multi-user like anything else.
-
-Fix Description: Change service template to multi-user. This should
-be a seamless upgrade to most consumers.
-
-https://pagure.io/389-ds-base/issue/49378
-
-Author: wibrown
-
-Review by: mreynolds (Thanks!)
-
-(cherry picked from commit e9ad5f5aca64f65fa2c9b2dc5132b0dacf131c99)
----
- wrappers/systemd.template.asan.service.in | 2 +-
- wrappers/systemd.template.service.in | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/wrappers/systemd.template.asan.service.in b/wrappers/systemd.template.asan.service.in
-index 1fe321ccb..52681f632 100644
---- a/wrappers/systemd.template.asan.service.in
-+++ b/wrappers/systemd.template.asan.service.in
-@@ -36,5 +36,5 @@ ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/
- .include @initconfigdir@/@package_name@.systemd
-
- [Install]
--WantedBy=dirsrv.target
-+WantedBy=multi-user.target
-
-diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in
-index 30b9e4b78..0d88900b6 100644
---- a/wrappers/systemd.template.service.in
-+++ b/wrappers/systemd.template.service.in
-@@ -40,5 +40,5 @@ ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/
- .include @initconfigdir@/@package_name@.systemd
-
- [Install]
--WantedBy=dirsrv.target
-+WantedBy=multi-user.target
-
---
-2.13.6
-
diff --git a/SOURCES/0013-Ticket-49392-memavailable-not-available.patch b/SOURCES/0013-Ticket-49392-memavailable-not-available.patch
deleted file mode 100644
index fabb740..0000000
--- a/SOURCES/0013-Ticket-49392-memavailable-not-available.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 9369164f45ba19519158286590aaefae1c64ef05 Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Thu, 5 Oct 2017 09:54:48 +1000
-Subject: [PATCH] Ticket 49392 - memavailable not available
-
-Bug Description: On certain linux platforms memAvailable is
-not actually available! This means that the value was 0, so
-cgroup max was read instead, setting the system ram to:
-
-9223372036854771712
-
-That's a bit excessive, and can cause memory allocations to fail.
-
-Fix Description: If memavail can't be found, fall back to
-memtotal instead.
-
-https://pagure.io/389-ds-base/issue/49392
-
-Author: wibrown
-
-Review by: mreynolds (Thanks!)
----
- ldap/servers/slapd/slapi_pal.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/slapi_pal.c b/ldap/servers/slapd/slapi_pal.c
-index 38c178cfa..600d03d4d 100644
---- a/ldap/servers/slapd/slapi_pal.c
-+++ b/ldap/servers/slapd/slapi_pal.c
-@@ -155,7 +155,16 @@ spal_meminfo_get()
-
- /* Both memtotal and memavail are in kb */
- memtotal = memtotal * 1024;
-- memavail = memavail * 1024;
-+
-+ /*
-+ * Oracle Enterprise Linux doesn't provide a valid memavail value, so fall
-+ * back to 80% of memtotal.
-+ */
-+ if (memavail == 0) {
-+ memavail = memtotal * 0.8;
-+ } else {
-+ memavail = memavail * 1024;
-+ }
-
- /* If it's possible, get our cgroup info */
- uint64_t cg_mem_soft = 0;
---
-2.13.6
-
diff --git a/SOURCES/0014-Ticket-48006-Missing-warning-for-invalid-replica-bac.patch b/SOURCES/0014-Ticket-48006-Missing-warning-for-invalid-replica-bac.patch
deleted file mode 100644
index c7e308a..0000000
--- a/SOURCES/0014-Ticket-48006-Missing-warning-for-invalid-replica-bac.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From 73c72aba0ab31f9d16cdfd8879e9da5f3fb985e0 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Tue, 17 Oct 2017 12:39:18 -0400
-Subject: [PATCH] Ticket 48006 - Missing warning for invalid replica backoff
- configuration
-
-Description: Add warning if you try to set a min backoff time that is
- greater than the configured maximum, or the max time that
- is less than the minimum.
-
- Also fixed compiler warning in ldbm_config.c
-
-https://pagure.io/389-ds-base/issue/48006
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit e123acb6987c75f6d7282b32c4f279b976eb6f5e)
----
- .../plugins/replication/repl5_replica_config.c | 24 ++++++++++++++++++++--
- ldap/servers/slapd/back-ldbm/ldbm_config.c | 2 +-
- 2 files changed, 23 insertions(+), 3 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index f28044c19..22d766143 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -465,7 +465,8 @@ replica_config_modify(Slapi_PBlock *pb,
- }
- } else if (strcasecmp(config_attr, type_replicaBackoffMin) == 0) {
- if (apply_mods) {
-- PRUint64 val = atoll(config_attr_value);
-+ uint64_t val = atoll(config_attr_value);
-+ uint64_t max;
-
- if (val <= 0) {
- *returncode = LDAP_UNWILLING_TO_PERFORM;
-@@ -475,11 +476,21 @@ replica_config_modify(Slapi_PBlock *pb,
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
- break;
- }
-+ max = replica_get_backoff_max(r);
-+ if (val > max){
-+ *returncode = LDAP_UNWILLING_TO_PERFORM;
-+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-+ "Attribute %s value (%s) is invalid, must be a number less than the max backoff time (%d).\n",
-+ config_attr, config_attr_value, (int)max);
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-+ break;
-+ }
- replica_set_backoff_min(r, val);
- }
- } else if (strcasecmp(config_attr, type_replicaBackoffMax) == 0) {
- if (apply_mods) {
-- PRUint64 val = atoll(config_attr_value);
-+ uint64_t val = atoll(config_attr_value);
-+ uint64_t min;
-
- if (val <= 0) {
- *returncode = LDAP_UNWILLING_TO_PERFORM;
-@@ -490,6 +501,15 @@ replica_config_modify(Slapi_PBlock *pb,
- errortext);
- break;
- }
-+ min = replica_get_backoff_min(r);
-+ if (val < min) {
-+ *returncode = LDAP_UNWILLING_TO_PERFORM;
-+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-+ "Attribute %s value (%s) is invalid, must be a number more than the min backoff time (%d).\n",
-+ config_attr, config_attr_value, (int)min);
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-+ break;
-+ }
- replica_set_backoff_max(r, val);
- }
- } else if (strcasecmp(config_attr, type_replicaPrecisePurge) == 0) {
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
-index 2ef4652ce..feb993366 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
-@@ -388,7 +388,7 @@ ldbm_config_directory_set(void *arg, void *value, char *errorbuf, int phase, int
- goto done;
- }
- slapi_pblock_destroy(search_pb);
-- if (NULL == s || '\0' == s || 0 == PL_strcmp(s, "(null)")) {
-+ if (NULL == s || '\0' == *s || 0 == PL_strcmp(s, "(null)")) {
- slapi_log_err(SLAPI_LOG_ERR,
- "ldbm_config_directory_set", "db directory is not set; check %s in the db config: %s\n",
- CONFIG_DIRECTORY, CONFIG_LDBM_DN);
---
-2.13.6
-
diff --git a/SOURCES/0015-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch b/SOURCES/0015-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch
deleted file mode 100644
index 26780eb..0000000
--- a/SOURCES/0015-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 4569da8f2c55d54a34f31312ee5756c70a7f463c Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 19 Oct 2017 17:33:10 -0400
-Subject: [PATCH] Ticket 49408 - Server allows to set any nsds5replicaid in the
- existing replica entry
-
-Description: There was no value validation for replica ID. Now there is.
-
-https://pagure.io/389-ds-base/issue/49408
-
-Reviewed by: tbordaz(Thanks!)
-
-(cherry picked from commit 296f0abb78b7ec82580d039d9c505506f6ce07be)
----
- ldap/servers/plugins/replication/repl5_replica_config.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index 22d766143..7477a292c 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -411,6 +411,18 @@ replica_config_modify(Slapi_PBlock *pb,
- slapi_ch_free_string(&new_repl_type);
- new_repl_type = slapi_ch_strdup(config_attr_value);
- } else if (strcasecmp(config_attr, attr_replicaId) == 0) {
-+ char *endp = NULL;
-+ int64_t rid = 0;
-+ errno = 0;
-+ rid = strtoll(config_attr_value, &endp, 10);
-+ if (*endp != '\0' || rid > 65535 || rid < 1 || errno == ERANGE) {
-+ *returncode = LDAP_UNWILLING_TO_PERFORM;
-+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-+ "Attribute %s value (%s) is invalid, must be a number between 1 and 65535.\n",
-+ config_attr, config_attr_value);
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-+ break;
-+ }
- slapi_ch_free_string(&new_repl_id);
- new_repl_id = slapi_ch_strdup(config_attr_value);
- } else if (strcasecmp(config_attr, attr_flags) == 0) {
---
-2.13.6
-
diff --git a/SOURCES/0016-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch b/SOURCES/0016-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch
deleted file mode 100644
index c66717f..0000000
--- a/SOURCES/0016-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 70d236dedadc030fd2b450d7607b395b50523538 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 19 Oct 2017 17:02:20 -0400
-Subject: [PATCH] Ticket 49407 - status-dirsrv shows ellipsed lines
-
-Bug Description: To show the full output you have to pass "-l" to systemctl,
- but there is no way to use this option with the current design.
-
-Fix Description: Just show the full lines by default, as adding options can break
- the script's current usage.
-
-https://pagure.io/389-ds-base/issue/49407
-
-Reviewed by: tbordaz(Thanks!)
-
-(cherry picked from commit 45d2fd4b50227687ad042a0e17d8dcd9e4cd3023)
----
- ldap/admin/src/scripts/status-dirsrv.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ldap/admin/src/scripts/status-dirsrv.in b/ldap/admin/src/scripts/status-dirsrv.in
-index 90428990b..8e492c115 100755
---- a/ldap/admin/src/scripts/status-dirsrv.in
-+++ b/ldap/admin/src/scripts/status-dirsrv.in
-@@ -37,7 +37,7 @@ status_instance() {
- # Use systemctl if available.
- #
- if [ -d "@systemdsystemunitdir@" ] && [ $(id -u) -eq 0 ];then
-- @bindir@/systemctl status @package_name@@$SERV_ID.service
-+ @bindir@/systemctl status @package_name@@$SERV_ID.service -l
- rv=$?
- if [ $rv -ne 0 ]; then
- return 1
-@@ -65,7 +65,7 @@ found=0
- if [ $# -eq 0 ]; then
- # We're reporting the status of all instances.
- ret=0
-- @bindir@/systemctl status @package_name@.target
-+ @bindir@/systemctl status @package_name@.target -l
- initfiles=`get_initconfig_files $initconfig_dir` || { echo No instances found in $initconfig_dir ; exit 1 ; }
- for i in $initfiles; do
- inst=`normalize_server_id $i`
---
-2.13.6
-
diff --git a/SOURCES/0017-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch b/SOURCES/0017-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch
deleted file mode 100644
index bf19308..0000000
--- a/SOURCES/0017-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From b7cca69de5f6cda32bc38504a7aa7e5bc786bbe6 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 19 Oct 2017 14:44:38 -0400
-Subject: [PATCH] Ticket 48681 - Use of uninitialized value in string ne at
- /usr/bin/logconv.pl line 2565, <$LOGFH> line 4
-
-Bug description: The original fix for 48681 added a regression in regards to perl
- warning everytime you ran the script. That was due to a new hash
- for sasl binds that was not initialized.
-
-Fix Description: Check is the saslbind hash "exists" before checking its value.
-
-https://pagure.io/389-ds-base/issue/48681
-
-Reviewed by: mreynolds (one line fix)
-
-(cherry picked from commit e46749b77d95ad8fedf07d38890573b2862badf7)
----
- ldap/admin/src/logconv.pl | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
-index 4932db42e..473c71f21 100755
---- a/ldap/admin/src/logconv.pl
-+++ b/ldap/admin/src/logconv.pl
-@@ -2562,7 +2562,7 @@ sub parseLineNormal
- if ($_ =~ /conn= *([0-9A-Z]+) +op= *([0-9\-]+)/i){
- $conn = $1;
- $op = $2;
-- if ($hashes->{saslconnop}->{$conn-$op} ne ""){
-+ if (exists $hashes->{saslconnop}->{$conn-$op} && $hashes->{saslconnop}->{$conn-$op} ne ""){
- # This was a SASL BIND - record the dn
- if ($binddn ne ""){
- if($binddn eq $rootDN){ $rootDNBindCount++; }
---
-2.13.6
-
diff --git a/SOURCES/0018-Ticket-49374-server-fails-to-start-because-maxdisksi.patch b/SOURCES/0018-Ticket-49374-server-fails-to-start-because-maxdisksi.patch
deleted file mode 100644
index 61ab747..0000000
--- a/SOURCES/0018-Ticket-49374-server-fails-to-start-because-maxdisksi.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From 4ecec8dac601b77a25ebc390f138aad1ee48d805 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 19 Oct 2017 12:20:48 -0400
-Subject: [PATCH] Ticket 49374 - server fails to start because maxdisksize is
- recognized incorrectly
-
-Bug Description: When directly editting dse.ldif, the server had a check
- when setting the log maxdiskspace vs maxlogsize. If the
- maxlogsize is processed first and it is higher than the
- default maxdisksspace then it throw an error and the server
- fails to start.
-
- If you attempt this same operation using ldapmodify it
- works as "live" updates check all the mods first, so the
- order of the attributes does not matter.
-
-Fix description: Remove the size checks from the attribute set function.
- It is technically redundant since it is correctly checked
- by the configdse code.
-
-https://pagure.io/389-ds-base/issue/49374
-
-Reviewed by: tbordaz(Thanks!)
-
-(cherry picked from commit 63a0a59c9b09af08151831209ee6711b4363aee2)
----
- ldap/servers/slapd/log.c | 60 ++++++++++++------------------------------------
- 1 file changed, 15 insertions(+), 45 deletions(-)
-
-diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
-index e16d89cc5..998efaef3 100644
---- a/ldap/servers/slapd/log.c
-+++ b/ldap/servers/slapd/log.c
-@@ -960,7 +960,6 @@ int
- log_set_logsize(const char *attrname, char *logsize_str, int logtype, char *returntext, int apply)
- {
- int rv = LDAP_SUCCESS;
-- PRInt64 mdiskspace = 0; /* in bytes */
- PRInt64 max_logsize; /* in bytes */
- int logsize; /* in megabytes */
- slapdFrontendConfig_t *fe_cfg = getFrontendConfig();
-@@ -979,72 +978,43 @@ log_set_logsize(const char *attrname, char *logsize_str, int logtype, char *retu
-
- switch (logtype) {
- case SLAPD_ACCESS_LOG:
-- LOG_ACCESS_LOCK_WRITE();
-- mdiskspace = loginfo.log_access_maxdiskspace;
-- break;
-- case SLAPD_ERROR_LOG:
-- LOG_ERROR_LOCK_WRITE();
-- mdiskspace = loginfo.log_error_maxdiskspace;
-- break;
-- case SLAPD_AUDIT_LOG:
-- LOG_AUDIT_LOCK_WRITE();
-- mdiskspace = loginfo.log_audit_maxdiskspace;
-- break;
-- case SLAPD_AUDITFAIL_LOG:
-- LOG_AUDITFAIL_LOCK_WRITE();
-- mdiskspace = loginfo.log_auditfail_maxdiskspace;
-- break;
-- default:
-- PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
-- "%s: invalid logtype %d", attrname, logtype);
-- rv = LDAP_OPERATIONS_ERROR;
-- }
--
-- if ((max_logsize > mdiskspace) && (mdiskspace != -1)) {
-- rv = 2;
-- }
--
-- switch (logtype) {
-- case SLAPD_ACCESS_LOG:
-- if (!rv && apply) {
-+ if (apply) {
-+ LOG_ACCESS_LOCK_WRITE();
- loginfo.log_access_maxlogsize = max_logsize;
- fe_cfg->accesslog_maxlogsize = logsize;
-+ LOG_ACCESS_UNLOCK_WRITE();
- }
-- LOG_ACCESS_UNLOCK_WRITE();
- break;
- case SLAPD_ERROR_LOG:
-- if (!rv && apply) {
-+ if (apply) {
-+ LOG_ERROR_LOCK_WRITE();
- loginfo.log_error_maxlogsize = max_logsize;
- fe_cfg->errorlog_maxlogsize = logsize;
-+ LOG_ERROR_UNLOCK_WRITE();
- }
-- LOG_ERROR_UNLOCK_WRITE();
- break;
- case SLAPD_AUDIT_LOG:
-- if (!rv && apply) {
-+ if (apply) {
-+ LOG_AUDIT_LOCK_WRITE();
- loginfo.log_audit_maxlogsize = max_logsize;
- fe_cfg->auditlog_maxlogsize = logsize;
-+ LOG_AUDIT_UNLOCK_WRITE();
- }
-- LOG_AUDIT_UNLOCK_WRITE();
- break;
- case SLAPD_AUDITFAIL_LOG:
-- if (!rv && apply) {
-+ if (apply) {
-+ LOG_AUDITFAIL_LOCK_WRITE();
- loginfo.log_auditfail_maxlogsize = max_logsize;
- fe_cfg->auditfaillog_maxlogsize = logsize;
-+ LOG_AUDITFAIL_UNLOCK_WRITE();
- }
-- LOG_AUDITFAIL_UNLOCK_WRITE();
- break;
- default:
-- rv = 1;
-- }
-- /* logsize is in MB */
-- if (rv == 2) {
-- slapi_log_err(SLAPI_LOG_ERR, "log_set_logsize",
-- "Invalid value for Maximum log size:"
-- "Maxlogsize:%d (MB) exceeds Maxdisksize:%ld (MB)\n",
-- logsize, (long int)(mdiskspace / LOG_MB_IN_BYTES));
--
-+ PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE,
-+ "%s: invalid logtype %d", attrname, logtype);
- rv = LDAP_OPERATIONS_ERROR;
- }
-+
- return rv;
- }
-
---
-2.13.6
-
diff --git a/SOURCES/0019-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch b/SOURCES/0019-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch
deleted file mode 100644
index d92ffd6..0000000
--- a/SOURCES/0019-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From ef4ac2d45c9ea99fbb1ae6cee97745161f193bf9 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Wed, 25 Oct 2017 10:53:28 -0400
-Subject: [PATCH] Ticket 48681 - Use of uninitialized value in string ne at
- /usr/bin/logconv.pl
-
-Bug Description: ldapi connections were not properly porcessed by the
- connection parsing code which lead to uninitialized errors.
-
-Fix Description: Modify the connection IP address regex's to include "local"
-
-https://pagure.io/389-ds-base/issue/48681
-
-Reviewd by: mreynolds (one line commit rule)
-
-(cherry picked from commit 6098e7b927b64ba300567e71ea611140c47676a1)
----
- ldap/admin/src/logconv.pl | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
-index 473c71f21..e36386e11 100755
---- a/ldap/admin/src/logconv.pl
-+++ b/ldap/admin/src/logconv.pl
-@@ -809,9 +809,9 @@ if ($totalTimeInNsecs == 0){
- print "Restarts: $serverRestartCount\n";
-
- if(%cipher){
-- print " Secure Protocol Versions:\n";
-+ print "Secure Protocol Versions:\n";
- foreach my $key (sort { $b cmp $a } keys %cipher) {
-- print " - $key - $cipher{$key}\n";
-+ print " - $key ($cipher{$key} connections)\n";
- }
- print "\n";
- }
-@@ -1754,7 +1754,7 @@ parseLineBind {
- ($end) = $endTime =~ /\D*(\S*)/;
- }
- }
-- if ($_ =~ /connection from *([0-9A-Fa-f\.\:]+)/i ) {
-+ if ($_ =~ /connection from *([0-9A-Za-z\.\:]+)/i ) {
- my $skip = "yes";
- for (my $excl =0; $excl < $#excludeIP; $excl++){
- if ($excludeIP[$excl] eq $1){
-@@ -2085,7 +2085,7 @@ sub parseLineNormal
- }
- if (m/ connection from/){
- my $ip;
-- if ($_ =~ /connection from *([0-9A-Fa-f\.\:]+)/i ){
-+ if ($_ =~ /connection from *([0-9A-Za-z\.\:]+)/i ){
- $ip = $1;
- for (my $xxx =0; $xxx < $#excludeIP; $xxx++){
- if ($excludeIP[$xxx] eq $ip){$exc = "yes";}
-@@ -2253,7 +2253,7 @@ sub parseLineNormal
- }
- if ($usage =~ /g/ || $usage =~ /c/ || $usage =~ /i/ || $usage =~ /f/ || $usage =~ /u/ || $usage =~ /U/ || $verb eq "yes"){
- $exc = "no";
-- if ($_ =~ /connection from *([0-9A-fa-f\.\:]+)/i ) {
-+ if ($_ =~ /connection from *([0-9A-Za-z\.\:]+)/i ) {
- for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){
- if ($1 eq $excludeIP[$xxx]){
- $exc = "yes";
---
-2.13.6
-
diff --git a/SOURCES/0020-Ticket-49401-improve-valueset-sorted-performance-on-.patch b/SOURCES/0020-Ticket-49401-improve-valueset-sorted-performance-on-.patch
deleted file mode 100644
index 657dfe6..0000000
--- a/SOURCES/0020-Ticket-49401-improve-valueset-sorted-performance-on-.patch
+++ /dev/null
@@ -1,250 +0,0 @@
-From a59b2f4129565dbfa1b63899dd550e9c22b02923 Mon Sep 17 00:00:00 2001
-From: Mohammad Nweider <nweiderm@amazon.com>
-Date: Wed, 18 Oct 2017 13:02:15 +0000
-Subject: [PATCH] Ticket 49401 - improve valueset sorted performance on delete
-
-Bug Description: valueset sorted maintains a list of syntax sorted
-references to the attributes of the entry. During addition these are
-modified and added properly, so they stay sorted.
-
-However, in the past to maintain the sorted property, during a delete
-we would need to remove the vs->sorted array, and recreate it via qsort,
-
-While this was an improvement from past (where we would removed
-vs->sorted during an attr delete), it still has performance implications
-on very very large datasets, IE 50,000 member groups with
-addition/deletion, large entry caches and replication.
-
-Fix Description: Implement a new algorithm that is able to maintain
-existing sort data in a near linear time.
-
-https://pagure.io/389-ds-base/issue/49401
-
-Author: nweiderm, wibrown
-
-Review by: wibrown, lkrispen, tbordaz (Thanks nweiderm!)
-
-(cherry picked from commit a43a8efc7907116146b505ac40f18fac71f474b0)
----
- ldap/servers/slapd/valueset.c | 171 +++++++++++++++++++++++++-----------------
- 1 file changed, 103 insertions(+), 68 deletions(-)
-
-diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
-index d2c67d2fb..1c1bc150a 100644
---- a/ldap/servers/slapd/valueset.c
-+++ b/ldap/servers/slapd/valueset.c
-@@ -677,100 +677,136 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
- size_t i = 0;
- size_t j = 0;
- int nextValue = 0;
-+ int nv = 0;
- int numValues = 0;
-+ Slapi_Value **va2 = NULL;
-+ int *sorted2 = NULL;
-
- /* Loop over all the values freeing the old ones. */
-- for (i = 0; i < vs->num; i++) {
-+ for(i = 0; i < vs->num; i++)
-+ {
- /* If we have the sorted array, find the va array ref by it. */
- if (vs->sorted) {
- j = vs->sorted[i];
- } else {
- j = i;
- }
-- csnset_purge(&(vs->va[j]->v_csnset), csn);
-- if (vs->va[j]->v_csnset == NULL) {
-- slapi_value_free(&vs->va[j]);
-- vs->va[j] = NULL;
-- } else if (vs->va[j] != NULL) {
-- /* This value survived, we should count it. */
-- numValues++;
-+ if (vs->va[j]) {
-+ csnset_purge(&(vs->va[j]->v_csnset),csn);
-+ if (vs->va[j]->v_csnset == NULL) {
-+ slapi_value_free(&vs->va[j]);
-+ /* Set the removed value to NULL so we know later to skip it */
-+ vs->va[j] = NULL;
-+ if (vs->sorted) {
-+ /* Mark the value in sorted for removal */
-+ vs->sorted[i] = -1;
-+ }
-+ } else {
-+ /* This value survived, we should count it. */
-+ numValues++;
-+ }
- }
- }
-
-- /* Now compact the value/sorted list. */
-+ /* Compact vs->va and vs->sorted only when there're
-+ * remaining values ie: numValues is greater than 0 */
- /*
-- * Because we want to preserve the sorted array, this is complicated.
-+ * Algorithm explination: We start with a pair of arrays - the attrs, and the sorted array that provides
-+ * a lookup into it:
-+ *
-+ * va: [d e a c b] sorted: [2 4 3 0 1]
-+ *
-+ * When we remove the element b, we NULL it, and we have to mark the place where it "was" as a -1 to
-+ * flag it's removal.
-+ *
-+ * va: [d e a c NULL] sorted: [2 -1 3 0 1]
-+ *
-+ * Now a second va is created with the reduced allocation,
-+ *
-+ * va2: [ X X X X ] ....
-+ *
-+ * Now we loop over sorted, skipping -1 that we find. In a new counter we create new sorted
-+ * references, and move the values compacting them in the process.
-+ * va: [d e a c NULL]
-+ * va2: [a x x x]
-+ * sorted: [_0 -1 3 0 1]
-+ *
-+ * Looping a few more times would yield:
- *
-- * We have an array of values:
-- * [ b, a, c, NULL, e, NULL, NULL, d]
-- * And an array of indicies that are sorted.
-- * [ 1, 0, 2, 7, 4, 3, 5, 6 ]
-- * Were we to iterate over the sorted array, we get refs to the values in
-- * some order.
-- * The issue is now we must *remove* from both the values *and* the sorted.
-+ * va2: [a c x x]
-+ * sorted: [_0 _1 3 0 1]
- *
-- * Previously, we just discarded this, because too hard. Now we try to keep
-- * it. The issue is that this is surprisingly hard to actually keep in
-- * sync.
-+ * va2: [a c d x]
-+ * sorted: [_0 _1 _2 0 1]
- *
-- * We can't just blindly move the values down: That breaks the sorted array
-- * and we would need to iterate over the sorted array multiple times to
-- * achieve this.
-+ * va2: [a c d e]
-+ * sorted: [_0 _1 _2 _3 1]
-+ *
-+ * Not only does this sort va, but with sorted, we have a faster lookup, and it will benefit cache
-+ * lookup.
- *
-- * It's actually going to be easier to just ditch the sorted, compact vs
-- * and then qsort the array.
- */
-+ if (numValues > 0) {
-+ if(vs->sorted) {
-+ /* Let's allocate va2 and sorted2 */
-+ va2 = (Slapi_Value **) slapi_ch_malloc( (numValues + 1) * sizeof(Slapi_Value *));
-+ sorted2 = (int *) slapi_ch_malloc( (numValues + 1)* sizeof(int));
-+ }
-
-- j = 0;
-- while (nextValue < numValues && j < vs->num) {
-- /* nextValue is what we are looking at now
-- * j tracks along the array getting next elements.
-- *
-- * [ b, a, c, NULL, e, NULL, NULL, d]
-- * ^nv ^j
-- * [ b, a, c, e, NULL, NULL, NULL, d]
-- * ^nv ^j
-- * [ b, a, c, e, NULL, NULL, NULL, d]
-- * ^nv ^j
-- * [ b, a, c, e, NULL, NULL, NULL, d]
-- * ^nv ^j
-- * [ b, a, c, e, NULL, NULL, NULL, d]
-- * ^nv ^j
-- * [ b, a, c, e, d, NULL, NULL, NULL]
-- * ^nv ^j
-- */
-- if (vs->va[nextValue] == NULL) {
-- /* Advance j till we find something */
-- while (vs->va[j] == NULL) {
-- j++;
-+ /* I is the index for the *new* va2 array */
-+ for(i=0; i<vs->num; i++) {
-+ if (vs->sorted) {
-+ /* Skip any removed values from the index */
-+ while((nv < vs->num) && (-1 == vs->sorted[nv])) {
-+ nv++;
-+ }
-+ /* We have a remaining value, add it to the va */
-+ if(nv < vs->num) {
-+ va2[i] = vs->va[vs->sorted[nv]];
-+ sorted2[i] = i;
-+ nv++;
-+ }
-+ } else {
-+ while((nextValue < vs->num) && (NULL == vs->va[nextValue])) {
-+ nextValue++;
-+ }
-+
-+ if(nextValue < vs->num) {
-+ vs->va[i] = vs->va[nextValue];
-+ nextValue++;
-+ } else {
-+ break;
-+ }
- }
-- /* We have something! */
-- vs->va[nextValue] = vs->va[j];
-- vs->va[j] = NULL;
- }
-- nextValue++;
-- }
-- /* Fix up the number of values */
-- vs->num = numValues;
-- /* Should we re-alloc values to be smaller? */
-- /* Other parts of DS are lazy. Lets clean our list */
-- for (j = vs->num; j < vs->max; j++) {
-- vs->va[j] = NULL;
-- }
-
-- /* All the values were deleted, we can discard the whole array. */
-- if (vs->num == 0) {
- if (vs->sorted) {
-+ /* Finally replace the valuearray and adjust num, max */
-+ slapi_ch_free((void **)&vs->va);
- slapi_ch_free((void **)&vs->sorted);
-+ vs->va = va2;
-+ vs->sorted = sorted2;
-+ vs->num = numValues;
-+ vs->max = vs->num + 1;
-+ } else {
-+ vs->num = numValues;
- }
-- slapi_ch_free((void **)&vs->va);
-- vs->va = NULL;
-- vs->max = 0;
-- } else if (vs->sorted != NULL) {
-- /* We still have values! rebuild the sorted array */
-- valueset_array_to_sorted(a, vs);
-+
-+ for (j = vs->num; j < vs->max; j++) {
-+ vs->va[j] = NULL;
-+ if (vs->sorted) {
-+ vs->sorted[j] = -1;
-+ }
-+ }
-+ } else {
-+ slapi_valueset_done(vs);
- }
-
-+ /* We still have values but not sorted array! rebuild it */
-+ if(vs->num > VALUESET_ARRAY_SORT_THRESHOLD && vs->sorted == NULL) {
-+ vs->sorted = (int *) slapi_ch_malloc( vs->max* sizeof(int));
-+ valueset_array_to_sorted(a, vs);
-+ }
- #ifdef DEBUG
- PR_ASSERT(vs->num == 0 || (vs->num > 0 && vs->va[0] != NULL));
- size_t index = 0;
-@@ -781,7 +817,6 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
- PR_ASSERT(vs->va[index] == NULL);
- }
- #endif
--
- /* return the number of remaining values */
- return numValues;
- }
---
-2.13.6
-
diff --git a/SOURCES/0021-Ticket-49401-Fix-compiler-incompatible-pointer-types.patch b/SOURCES/0021-Ticket-49401-Fix-compiler-incompatible-pointer-types.patch
deleted file mode 100644
index 8438d01..0000000
--- a/SOURCES/0021-Ticket-49401-Fix-compiler-incompatible-pointer-types.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 308691e03cc6312bde3409b346df3156d34db0fe Mon Sep 17 00:00:00 2001
-From: Mohammad Nweider <nweiderm@amazon.com>
-Date: Wed, 25 Oct 2017 16:26:54 +0000
-Subject: [PATCH] Ticket 49401 - Fix compiler incompatible-pointer-types
- warnings
-
-Bug Description: vs->sorted was integer pointer in older versions,
- but now it's size_t pointer, this is causing compiler warnings
- during the build
-
-Fix Description: use size_t pointers instead of integer pointers for vs->sorted and sorted2
-
-Review By: mreynolds
-
-Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
-(cherry picked from commit 52ba2aba49935989152010aee0d40b01d7a78432)
----
- ldap/servers/slapd/valueset.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
-index 1c1bc150a..dc0360738 100644
---- a/ldap/servers/slapd/valueset.c
-+++ b/ldap/servers/slapd/valueset.c
-@@ -680,7 +680,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
- int nv = 0;
- int numValues = 0;
- Slapi_Value **va2 = NULL;
-- int *sorted2 = NULL;
-+ size_t *sorted2 = NULL;
-
- /* Loop over all the values freeing the old ones. */
- for(i = 0; i < vs->num; i++)
-@@ -750,7 +750,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
- if(vs->sorted) {
- /* Let's allocate va2 and sorted2 */
- va2 = (Slapi_Value **) slapi_ch_malloc( (numValues + 1) * sizeof(Slapi_Value *));
-- sorted2 = (int *) slapi_ch_malloc( (numValues + 1)* sizeof(int));
-+ sorted2 = (size_t *) slapi_ch_malloc( (numValues + 1)* sizeof(size_t));
- }
-
- /* I is the index for the *new* va2 array */
-@@ -804,7 +804,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn)
-
- /* We still have values but not sorted array! rebuild it */
- if(vs->num > VALUESET_ARRAY_SORT_THRESHOLD && vs->sorted == NULL) {
-- vs->sorted = (int *) slapi_ch_malloc( vs->max* sizeof(int));
-+ vs->sorted = (size_t *) slapi_ch_malloc( vs->max* sizeof(size_t));
- valueset_array_to_sorted(a, vs);
- }
- #ifdef DEBUG
---
-2.13.6
-
diff --git a/SOURCES/0022-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch b/SOURCES/0022-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch
deleted file mode 100644
index 8e2be67..0000000
--- a/SOURCES/0022-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From dba89dd23d2d62686de192e0986eba65270a62c7 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 26 Oct 2017 10:03:39 -0400
-Subject: [PATCH] Ticket 48894 - harden valueset_array_to_sorted_quick valueset
- access
-
-Description: It's possible during the sorting of a valueset to access an
- array element past the allocated size, and also go below the index 0.
-
-https://pagure.io/389-ds-base/issue/48894
-
-Reviewed by: nweiderm (Thanks!)
-
-(cherry picked from commit 2086d052e338ddcbcf6bd3222617991641573a12)
----
- ldap/servers/slapd/valueset.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
-index dc0360738..14ebc48e6 100644
---- a/ldap/servers/slapd/valueset.c
-+++ b/ldap/servers/slapd/valueset.c
-@@ -1019,11 +1019,11 @@ valueset_array_to_sorted_quick(const Slapi_Attr *a, Slapi_ValueSet *vs, size_t l
- while (1) {
- do {
- i++;
-- } while (valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
-+ } while (i < vs->max && valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0);
-
- do {
- j--;
-- } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0);
-+ } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0 && j > 0);
-
- if (i >= j) {
- break;
---
-2.13.6
-
diff --git a/SOURCES/0023-Ticket-49424-Resolve-csiphash-alignment-issues.patch b/SOURCES/0023-Ticket-49424-Resolve-csiphash-alignment-issues.patch
deleted file mode 100644
index 5dde249..0000000
--- a/SOURCES/0023-Ticket-49424-Resolve-csiphash-alignment-issues.patch
+++ /dev/null
@@ -1,176 +0,0 @@
-From 5909e20899334816f36cac0e47105e56df52ad3c Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Mon, 30 Oct 2017 12:01:34 +1000
-Subject: [PATCH] Ticket 49424 - Resolve csiphash alignment issues
-
-Bug Description: On some platforms, uint64_t is not the same size
-as a void * - as well, if the input is not aligned correctly, then
-a number of nasty crashes can result
-
-Fix Description: Instead of relying on alignment to be correct,
-we should memcpy the data to inputs instead.
-
-https://pagure.io/389-ds-base/issue/49424
-
-Author: wibrown
-
-Review by: lslebodn, cgrzemba, vashirov, mreynolds (Thanks!)
-
-(cherry picked from commit 751446440f5269a246e6e652a64e63aa5933734a)
----
- src/libsds/external/csiphash/csiphash.c | 52 +++++++++++++++++++--------------
- src/libsds/test/test_sds_csiphash.c | 43 +++++++++++++++++++++------
- 2 files changed, 64 insertions(+), 31 deletions(-)
-
-diff --git a/src/libsds/external/csiphash/csiphash.c b/src/libsds/external/csiphash/csiphash.c
-index 0089c82f7..2351db6cf 100644
---- a/src/libsds/external/csiphash/csiphash.c
-+++ b/src/libsds/external/csiphash/csiphash.c
-@@ -32,6 +32,9 @@
- #include <inttypes.h>
- #include <stddef.h> /* for size_t */
-
-+#include <stdlib.h> /* calloc,free */
-+#include <string.h> /* memcpy */
-+
- #include <config.h>
-
- #if defined(HAVE_SYS_ENDIAN_H)
-@@ -75,11 +78,24 @@
- uint64_t
- sds_siphash13(const void *src, size_t src_sz, const char key[16])
- {
-- const uint64_t *_key = (uint64_t *)key;
-+ uint64_t _key[2] = {0};
-+ memcpy(_key, key, 16);
- uint64_t k0 = _le64toh(_key[0]);
- uint64_t k1 = _le64toh(_key[1]);
- uint64_t b = (uint64_t)src_sz << 56;
-- const uint64_t *in = (uint64_t *)src;
-+
-+ size_t input_sz = (src_sz / sizeof(uint64_t)) + 1;
-+
-+ /* Account for non-uint64_t alligned input */
-+ /* Could make this stack allocation */
-+ uint64_t *in = calloc(1, input_sz * sizeof(uint64_t));
-+ /*
-+ * Because all crypto code sucks, they modify *in
-+ * during operation, so we stash a copy of the ptr here.
-+ * alternately, we could use stack allocated array, but gcc
-+ * will complain about the vla being unbounded.
-+ */
-+ uint64_t *in_ptr = memcpy(in, src, src_sz);
-
- uint64_t v0 = k0 ^ 0x736f6d6570736575ULL;
- uint64_t v1 = k1 ^ 0x646f72616e646f6dULL;
-@@ -96,27 +112,15 @@ sds_siphash13(const void *src, size_t src_sz, const char key[16])
- v0 ^= mi;
- }
-
-+ /*
-+ * Because we allocate in as size + 1, we can over-read 0
-+ * for this buffer to be padded correctly. in here is a pointer to the
-+ * excess data because the while loop above increments the in pointer
-+ * to point to the excess once src_sz drops < 8.
-+ */
- uint64_t t = 0;
-- uint8_t *pt = (uint8_t *)&t;
-- uint8_t *m = (uint8_t *)in;
--
-- switch (src_sz) {
-- case 7:
-- pt[6] = m[6]; /* FALLTHRU */
-- case 6:
-- pt[5] = m[5]; /* FALLTHRU */
-- case 5:
-- pt[4] = m[4]; /* FALLTHRU */
-- case 4:
-- *((uint32_t *)&pt[0]) = *((uint32_t *)&m[0]);
-- break;
-- case 3:
-- pt[2] = m[2]; /* FALLTHRU */
-- case 2:
-- pt[1] = m[1]; /* FALLTHRU */
-- case 1:
-- pt[0] = m[0]; /* FALLTHRU */
-- }
-+ memcpy(&t, in, sizeof(uint64_t));
-+
- b |= _le64toh(t);
-
- v3 ^= b;
-@@ -126,5 +130,9 @@ sds_siphash13(const void *src, size_t src_sz, const char key[16])
- v2 ^= 0xff;
- // dround
- dROUND(v0, v1, v2, v3);
-+
-+ free(in_ptr);
-+
- return (v0 ^ v1) ^ (v2 ^ v3);
- }
-+
-diff --git a/src/libsds/test/test_sds_csiphash.c b/src/libsds/test/test_sds_csiphash.c
-index cdb6b7f46..cc9a6b2b5 100644
---- a/src/libsds/test/test_sds_csiphash.c
-+++ b/src/libsds/test/test_sds_csiphash.c
-@@ -25,23 +25,48 @@
- static void
- test_siphash(void **state __attribute__((unused)))
- {
--
-- //
- uint64_t value = 0;
- uint64_t hashout = 0;
- char key[16] = {0};
-
-- uint64_t test_a = 15794382300316794652U;
-- uint64_t test_b = 13042610424265326907U;
-+ uint64_t test_simple = 15794382300316794652U;
-
-- // Initial simple test
-+ /* Initial simple test */
- value = htole64(5);
- hashout = sds_siphash13(&value, sizeof(uint64_t), key);
-- assert_true(hashout == test_a);
-+ assert_int_equal(hashout, test_simple);
-+
-+ /* Test a range of input sizes to check endianness behaviour */
-+
-+ hashout = sds_siphash13("a", 1, key);
-+ assert_int_equal(hashout, 0x407448d2b89b1813U);
-+
-+ hashout = sds_siphash13("aa", 2, key);
-+ assert_int_equal(hashout, 0x7910e0436ed8d1deU);
-+
-+ hashout = sds_siphash13("aaa", 3, key);
-+ assert_int_equal(hashout, 0xf752893a6c769652U);
-+
-+ hashout = sds_siphash13("aaaa", 4, key);
-+ assert_int_equal(hashout, 0x8b02350718d87164U);
-+
-+ hashout = sds_siphash13("aaaaa", 5, key);
-+ assert_int_equal(hashout, 0x92a991474c7eef2U);
-+
-+ hashout = sds_siphash13("aaaaaa", 6, key);
-+ assert_int_equal(hashout, 0xf0ab815a640277ccU);
-+
-+ hashout = sds_siphash13("aaaaaaa", 7, key);
-+ assert_int_equal(hashout, 0x33f3c6d7dbc82c0dU);
-+
-+ hashout = sds_siphash13("aaaaaaaa", 8, key);
-+ assert_int_equal(hashout, 0xc501b12e18428c92U);
-+
-+ hashout = sds_siphash13("aaaaaaaabbbb", 12, key);
-+ assert_int_equal(hashout, 0xcddca673069ade64U);
-
-- char *test = "abc";
-- hashout = sds_siphash13(test, 4, key);
-- assert_true(hashout == test_b);
-+ hashout = sds_siphash13("aaaaaaaabbbbbbbb", 16, key);
-+ assert_int_equal(hashout, 0xdc54f0bfc0e1deb0U);
- }
-
- int
---
-2.13.6
-
diff --git a/SOURCES/0024-Ticket-49436-double-free-in-COS-in-some-conditions.patch b/SOURCES/0024-Ticket-49436-double-free-in-COS-in-some-conditions.patch
deleted file mode 100644
index 4309a5f..0000000
--- a/SOURCES/0024-Ticket-49436-double-free-in-COS-in-some-conditions.patch
+++ /dev/null
@@ -1,258 +0,0 @@
-From dcf75750dff23e848cde2ae63a0778b123de6dd7 Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Thu, 2 Nov 2017 13:32:41 +1000
-Subject: [PATCH] Ticket 49436 - double free in COS in some conditions
-
-Bug Description: virtualattrs and COS have some serious memory
-ownership issues. What was happening is that COS with multiple
-attributes using the same sp_handle would cause a structure
-to be registered twice. During shutdown we would then trigger
-a double free in the process.
-
-Fix Description: Change the behaviour of sp_handles to use a
-handle *per* attribute we register to guarantee the assocation
-between them.
-
-https://pagure.io/389-ds-base/issue/49436
-
-Author: wibrown
-
-Review by: mreynolds, vashirov (Thanks!)
-
-(cherry pick from commit ee4428a3f5d2d8e37a7107c7dce9d622fc17d41c)
----
- dirsrvtests/tests/suites/cos/indirect_cos_test.py | 43 +++++++----------------
- ldap/servers/plugins/cos/cos_cache.c | 32 +++++++++--------
- ldap/servers/plugins/roles/roles_cache.c | 8 ++---
- ldap/servers/slapd/vattr.c | 28 +++++++++------
- 4 files changed, 51 insertions(+), 60 deletions(-)
-
-diff --git a/dirsrvtests/tests/suites/cos/indirect_cos_test.py b/dirsrvtests/tests/suites/cos/indirect_cos_test.py
-index 1aac6b8ed..452edcdf8 100644
---- a/dirsrvtests/tests/suites/cos/indirect_cos_test.py
-+++ b/dirsrvtests/tests/suites/cos/indirect_cos_test.py
-@@ -7,6 +7,7 @@ import subprocess
-
- from lib389 import Entry
- from lib389.idm.user import UserAccounts
-+from lib389.idm.domain import Domain
- from lib389.topologies import topology_st as topo
- from lib389._constants import (DEFAULT_SUFFIX, DN_DM, PASSWORD, HOST_STANDALONE,
- SERVERID_STANDALONE, PORT_STANDALONE)
-@@ -48,14 +49,8 @@ def check_user(inst):
- def setup_subtree_policy(topo):
- """Set up subtree password policy
- """
-- try:
-- topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE,
-- 'nsslapd-pwpolicy-local',
-- 'on')])
-- except ldap.LDAPError as e:
-- log.error('Failed to set fine-grained policy: error {}'.format(
-- e.message['desc']))
-- raise e
-+
-+ topo.standalone.config.set('nsslapd-pwpolicy-local', 'on')
-
- log.info('Create password policy for subtree {}'.format(OU_PEOPLE))
- try:
-@@ -68,15 +63,9 @@ def setup_subtree_policy(topo):
- OU_PEOPLE, e.message['desc']))
- raise e
-
-- log.info('Add pwdpolicysubentry attribute to {}'.format(OU_PEOPLE))
-- try:
-- topo.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_REPLACE,
-- 'pwdpolicysubentry',
-- PW_POLICY_CONT_PEOPLE2)])
-- except ldap.LDAPError as e:
-- log.error('Failed to pwdpolicysubentry pw policy '
-- 'policy for {}: error {}'.format(OU_PEOPLE, e.message['desc']))
-- raise e
-+ domain = Domain(topo.standalone, DEFAULT_SUFFIX)
-+ domain.replace('pwdpolicysubentry', PW_POLICY_CONT_PEOPLE2)
-+
- time.sleep(1)
-
-
-@@ -116,12 +105,9 @@ def setup(topo, request):
- """
- log.info('Add custom schema...')
- try:
-- ATTR_1 = ("( 1.3.6.1.4.1.409.389.2.189 NAME 'x-department' " +
-- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )")
-- ATTR_2 = ("( 1.3.6.1.4.1.409.389.2.187 NAME 'x-en-ou' " +
-- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )")
-- OC = ("( xPerson-oid NAME 'xPerson' DESC '' SUP person STRUCTURAL MAY " +
-- "( x-department $ x-en-ou ) X-ORIGIN 'user defined' )")
-+ ATTR_1 = (b"( 1.3.6.1.4.1.409.389.2.189 NAME 'x-department' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )")
-+ ATTR_2 = (b"( 1.3.6.1.4.1.409.389.2.187 NAME 'x-en-ou' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )")
-+ OC = (b"( xPerson-oid NAME 'xPerson' DESC '' SUP person STRUCTURAL MAY ( x-department $ x-en-ou ) X-ORIGIN 'user defined' )")
- topo.standalone.modify_s("cn=schema", [(ldap.MOD_ADD, 'attributeTypes', ATTR_1),
- (ldap.MOD_ADD, 'attributeTypes', ATTR_2),
- (ldap.MOD_ADD, 'objectClasses', OC)])
-@@ -142,14 +128,9 @@ def setup(topo, request):
- 'homeDirectory': '/home/test_user',
- 'seeAlso': 'cn=cosTemplate,dc=example,dc=com'
- }
-- users.create(properties=user_properties)
-- try:
-- topo.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_ADD,
-- 'objectclass',
-- 'xPerson')])
-- except ldap.LDAPError as e:
-- log.fatal('Failed to add objectclass to user')
-- raise e
-+ user = users.create(properties=user_properties)
-+
-+ user.add('objectClass', 'xPerson')
-
- # Setup COS
- log.info("Setup indirect COS...")
-diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
-index 9ae15db15..662dace35 100644
---- a/ldap/servers/plugins/cos/cos_cache.c
-+++ b/ldap/servers/plugins/cos/cos_cache.c
-@@ -109,9 +109,6 @@ void *cos_get_plugin_identity(void);
- #define COSTYPE_INDIRECT 3
- #define COS_DEF_ERROR_NO_TEMPLATES -2
-
--/* the global plugin handle */
--static volatile vattr_sp_handle *vattr_handle = NULL;
--
- /* both variables are protected by change_lock */
- static int cos_cache_notify_flag = 0;
- static PRBool cos_cache_at_work = PR_FALSE;
-@@ -323,16 +320,6 @@ cos_cache_init(void)
- views_api = 0;
- }
-
-- if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
-- cos_cache_vattr_get,
-- cos_cache_vattr_compare,
-- cos_cache_vattr_types) != 0) {
-- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM,
-- "cos_cache_init - Cannot register as service provider\n");
-- ret = -1;
-- goto out;
-- }
--
- if (PR_CreateThread(PR_USER_THREAD,
- cos_cache_wait_on_change,
- NULL,
-@@ -860,8 +847,23 @@ cos_dn_defs_cb(Slapi_Entry *e, void *callback_data)
- dnVals[valIndex]->bv_val);
- }
-
-- slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle,
-- dnVals[valIndex]->bv_val, NULL, NULL);
-+ /*
-+ * Each SP_handle is associated to one and only one vattr.
-+ * We could consider making this a single function rather
-+ * than the double-call.
-+ */
-+
-+ vattr_sp_handle *vattr_handle = NULL;
-+
-+ if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
-+ cos_cache_vattr_get,
-+ cos_cache_vattr_compare,
-+ cos_cache_vattr_types) != 0) {
-+ slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider for %s\n", dnVals[valIndex]->bv_val);
-+ } else {
-+ slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL);
-+ }
-+
- } /* if(attrType is cosAttribute) */
-
- /*
-diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
-index 59f5a6081..1e5865af8 100644
---- a/ldap/servers/plugins/roles/roles_cache.c
-+++ b/ldap/servers/plugins/roles/roles_cache.c
-@@ -47,9 +47,6 @@ static char *allUserAttributes[] = {
- /* views scoping */
- static void **views_api;
-
--/* Service provider handler */
--static vattr_sp_handle *vattr_handle = NULL;
--
- /* List of nested roles */
- typedef struct _role_object_nested
- {
-@@ -224,6 +221,10 @@ roles_cache_init()
- so that we update the corresponding cache */
- slapi_register_backend_state_change(NULL, roles_cache_trigger_update_suffix);
-
-+ /* Service provider handler - only used once! and freed by vattr! */
-+ vattr_sp_handle *vattr_handle = NULL;
-+
-+
- if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
- roles_sp_get_value,
- roles_sp_compare_value,
-@@ -622,7 +623,6 @@ roles_cache_stop()
- current_role = next_role;
- }
- slapi_rwlock_unlock(global_lock);
-- slapi_ch_free((void **)&vattr_handle);
- roles_list = NULL;
-
- slapi_log_err(SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "<-- roles_cache_stop\n");
-diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
-index 82deb41fe..432946c79 100644
---- a/ldap/servers/slapd/vattr.c
-+++ b/ldap/servers/slapd/vattr.c
-@@ -1864,7 +1864,12 @@ vattr_map_create(void)
- void
- vattr_map_entry_free(vattr_map_entry *vae)
- {
-- slapi_ch_free((void **)&(vae->sp_list));
-+ vattr_sp_handle *list_entry = vae->sp_list;
-+ while (list_entry != NULL) {
-+ vattr_sp_handle *next_entry = list_entry->next;
-+ slapi_ch_free((void **)&list_entry);
-+ list_entry = next_entry;
-+ }
- slapi_ch_free_string(&(vae->type_name));
- slapi_ch_free((void **)&vae);
- }
-@@ -2143,16 +2148,9 @@ slapi_vattr_schema_check_type(Slapi_Entry *e, char *type)
- vattr_map_entry *
- vattr_map_entry_new(char *type_name, vattr_sp_handle *sph, void *hint)
- {
-- vattr_map_entry *result = NULL;
-- vattr_sp_handle *sp_copy = NULL;
--
-- sp_copy = (vattr_sp_handle *)slapi_ch_calloc(1, sizeof(vattr_sp_handle));
-- sp_copy->sp = sph->sp;
-- sp_copy->hint = hint;
--
-- result = (vattr_map_entry *)slapi_ch_calloc(1, sizeof(vattr_map_entry));
-+ vattr_map_entry *result = (vattr_map_entry *)slapi_ch_calloc(1, sizeof(vattr_map_entry));
- result->type_name = slapi_ch_strdup(type_name);
-- result->sp_list = sp_copy;
-+ result->sp_list = sph;
-
- /* go get schema */
- result->objectclasses = vattr_map_entry_build_schema(type_name);
-@@ -2273,6 +2271,16 @@ we'd need to hold a lock on the read path, which we don't want to do.
- So any SP which relinquishes its need to handle a type needs to continue
- to handle the calls on it, but return nothing */
- /* DBDB need to sort out memory ownership here, it's not quite right */
-+/*
-+ * This function was inconsistent. We would allocated and "kind of",
-+ * copy the sp_handle here for the vattr_map_entry_new path. But we
-+ * would "take ownership" for the existing entry and the list addition
-+ * path. Instead now, EVERY sp_handle we take, we take ownership of
-+ * and the CALLER must allocate a new one each time.
-+ *
-+ * Better idea, is that regattr should just take the fn pointers
-+ * and callers never *see* the sp_handle structure at all.
-+ */
-
- int
- vattr_map_sp_insert(char *type_to_add, vattr_sp_handle *sp, void *hint)
---
-2.13.6
-
diff --git a/SOURCES/0025-Ticket-48393-Improve-replication-config-validation.patch b/SOURCES/0025-Ticket-48393-Improve-replication-config-validation.patch
deleted file mode 100644
index 748eb78..0000000
--- a/SOURCES/0025-Ticket-48393-Improve-replication-config-validation.patch
+++ /dev/null
@@ -1,1719 +0,0 @@
-From c1ac23d7f5f6f14d75bd02cfd55818e2558f7cb9 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 3 Nov 2017 09:30:01 -0400
-Subject: [PATCH] Ticket 48393 - Improve replication config validation
-
-Bug Description: There was inconsistent behavior when modifying and adding replication
- configurations and agreements. There were also a few places where
- unsigned ints were used for values which made checking for negative
- values impossible.
-
-Fix Description: Added a new function to properly check "number" attribute values.
- Also forced failure on the actual update if an invalid value was used
- (previously we would log an error and use some default value). Also
- made all the int types consistent.
-
-https://pagure.io/389-ds-base/issue/48393
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit f6b0e1841059460d6d0071cc771e3fbe834af393)
----
- .../suites/replication/replica_config_test.py | 397 +++++++++++++++++++++
- ldap/schema/01core389.ldif | 3 +-
- ldap/servers/plugins/replication/repl5.h | 54 +--
- ldap/servers/plugins/replication/repl5_agmt.c | 173 +++++----
- ldap/servers/plugins/replication/repl5_replica.c | 280 +++++++++------
- .../plugins/replication/repl5_replica_config.c | 158 ++++----
- ldap/servers/plugins/replication/replutil.c | 26 ++
- 7 files changed, 792 insertions(+), 299 deletions(-)
- create mode 100644 dirsrvtests/tests/suites/replication/replica_config_test.py
-
-diff --git a/dirsrvtests/tests/suites/replication/replica_config_test.py b/dirsrvtests/tests/suites/replication/replica_config_test.py
-new file mode 100644
-index 000000000..50ea2ece9
---- /dev/null
-+++ b/dirsrvtests/tests/suites/replication/replica_config_test.py
-@@ -0,0 +1,397 @@
-+import logging
-+import pytest
-+import copy
-+import os
-+import ldap
-+from lib389._constants import *
-+from lib389 import Entry
-+from lib389.topologies import topology_st as topo
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+REPLICA_DN = 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'
-+AGMT_DN = 'cn=test_agreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config'
-+notnum = 'invalid'
-+too_big = '9223372036854775807'
-+overflow = '9999999999999999999999999999999999999999999999999999999999999999999'
-+
-+replica_dict = {'objectclass': 'top nsDS5Replica'.split(),
-+ 'nsDS5ReplicaRoot': 'dc=example,dc=com',
-+ 'nsDS5ReplicaType': '3',
-+ 'nsDS5Flags': '1',
-+ 'nsDS5ReplicaId': '65535',
-+ 'nsds5ReplicaPurgeDelay': '604800',
-+ 'nsDS5ReplicaBindDN': 'cn=u',
-+ 'cn': 'replica'}
-+
-+agmt_dict = {'objectClass': 'top nsDS5ReplicationAgreement'.split(),
-+ 'cn': 'test_agreement',
-+ 'nsDS5ReplicaRoot': 'dc=example,dc=com',
-+ 'nsDS5ReplicaHost': 'localhost.localdomain',
-+ 'nsDS5ReplicaPort': '5555',
-+ 'nsDS5ReplicaBindDN': 'uid=tester',
-+ 'nsds5ReplicaCredentials': 'password',
-+ 'nsDS5ReplicaTransportInfo': 'LDAP',
-+ 'nsDS5ReplicaBindMethod': 'SIMPLE'}
-+
-+
-+repl_add_attrs = [('nsDS5ReplicaType', '-1', '4', overflow, notnum, '1'),
-+ ('nsDS5Flags', '-1', '2', overflow, notnum, '1'),
-+ ('nsDS5ReplicaId', '0', '65536', overflow, notnum, '1'),
-+ ('nsds5ReplicaPurgeDelay', '-2', too_big, overflow, notnum, '1'),
-+ ('nsDS5ReplicaBindDnGroupCheckInterval', '-2', too_big, overflow, notnum, '1'),
-+ ('nsds5ReplicaTombstonePurgeInterval', '-2', too_big, overflow, notnum, '1'),
-+ ('nsds5ReplicaProtocolTimeout', '-1', too_big, overflow, notnum, '1'),
-+ ('nsds5ReplicaReleaseTimeout', '-1', too_big, overflow, notnum, '1'),
-+ ('nsds5ReplicaBackoffMin', '0', too_big, overflow, notnum, '3'),
-+ ('nsds5ReplicaBackoffMax', '0', too_big, overflow, notnum, '6')]
-+
-+repl_mod_attrs = [('nsDS5Flags', '-1', '2', overflow, notnum, '1'),
-+ ('nsds5ReplicaPurgeDelay', '-2', too_big, overflow, notnum, '1'),
-+ ('nsDS5ReplicaBindDnGroupCheckInterval', '-2', too_big, overflow, notnum, '1'),
-+ ('nsds5ReplicaTombstonePurgeInterval', '-2', too_big, overflow, notnum, '1'),
-+ ('nsds5ReplicaProtocolTimeout', '-1', too_big, overflow, notnum, '1'),
-+ ('nsds5ReplicaReleaseTimeout', '-1', too_big, overflow, notnum, '1'),
-+ ('nsds5ReplicaBackoffMin', '0', too_big, overflow, notnum, '3'),
-+ ('nsds5ReplicaBackoffMax', '0', too_big, overflow, notnum, '6')]
-+
-+agmt_attrs = [('nsds5ReplicaPort', '0', '65536', overflow, notnum, '389'),
-+ ('nsds5ReplicaTimeout', '-1', too_big, overflow, notnum, '6'),
-+ ('nsds5ReplicaBusyWaitTime', '-1', too_big, overflow, notnum, '6'),
-+ ('nsds5ReplicaSessionPauseTime', '-1', too_big, overflow, notnum, '6'),
-+ ('nsds5ReplicaFlowControlWindow', '-1', too_big, overflow, notnum, '6'),
-+ ('nsds5ReplicaFlowControlPause', '-1', too_big, overflow, notnum, '6'),
-+ ('nsds5ReplicaProtocolTimeout', '-1', too_big, overflow, notnum, '6')]
-+
-+
-+def replica_setup(topo):
-+ """Add a valid replica config entry to modify
-+ """
-+ try:
-+ topo.standalone.delete_s(REPLICA_DN)
-+ except:
-+ pass
-+
-+ try:
-+ topo.standalone.add_s(Entry((REPLICA_DN, replica_dict)))
-+ except ldap.LDAPError as e:
-+ log.fatal("Failed to add replica entry: " + str(e))
-+ assert False
-+
-+
-+def replica_reset(topo):
-+ try:
-+ topo.standalone.delete_s(REPLICA_DN)
-+ except:
-+ pass
-+
-+
-+def agmt_setup(topo):
-+ """Add a valid replica config entry to modify
-+ """
-+ try:
-+ topo.standalone.delete_s(AGMT_DN)
-+ except:
-+ pass
-+
-+ try:
-+ topo.standalone.add_s(Entry((AGMT_DN, agmt_dict)))
-+ except ldap.LDAPError as e:
-+ log.fatal("Failed to add agreement entry: " + str(e))
-+ assert False
-+
-+
-+def agmt_reset(topo):
-+ try:
-+ topo.standalone.delete_s(AGMT_DN)
-+ except:
-+ pass
-+
-+
-+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", repl_add_attrs)
-+def test_replica_num_add(topo, attr, too_small, too_big, overflow, notnum, valid):
-+ """Test all the number values you can set for a replica config entry
-+
-+ :id: a8b47d4a-a089-4d70-8070-e6181209bf92
-+ :setup: standalone instance
-+ :steps:
-+ 1. Use a value that is too small
-+ 2. Use a value that is too big
-+ 3. Use a value that overflows the int
-+ 4. Use a value with character value (not a number)
-+ 5. Use a valid value
-+ :expectedresults:
-+ 1. Add is rejected
-+ 2. Add is rejected
-+ 3. Add is rejected
-+ 4. Add is rejected
-+ 5. Add is allowed
-+ """
-+
-+ replica_reset(topo)
-+
-+ # Test too small
-+ my_replica = copy.deepcopy(replica_dict)
-+ my_replica[attr] = too_small
-+ try:
-+ topo.standalone.add_s(Entry((REPLICA_DN, my_replica)))
-+ log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, too_small))
-+ assert False
-+ except ldap.LDAPError as e:
-+ log.info("Correctly failed to add replica entry with {}:{} error: {}".format(attr, too_small, str(e)))
-+
-+ # Test too big
-+ my_replica = copy.deepcopy(replica_dict)
-+ my_replica[attr] = too_big
-+ try:
-+ topo.standalone.add_s(Entry((REPLICA_DN, my_replica)))
-+ log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, too_big))
-+ assert False
-+ except ldap.LDAPError as e:
-+ log.info("Correctly failed to add replica entry with {}:{} error: {}".format(attr, too_big, str(e)))
-+
-+ # Test overflow
-+ my_replica = copy.deepcopy(replica_dict)
-+ my_replica[attr] = overflow
-+ try:
-+ topo.standalone.add_s(Entry((REPLICA_DN, my_replica)))
-+ log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, overflow))
-+ assert False
-+ except ldap.LDAPError as e:
-+ log.info("Correctly failed to add replica entry with {}:{} error: {}".format(attr, overflow, str(e)))
-+
-+ # test not a number
-+ my_replica = copy.deepcopy(replica_dict)
-+ my_replica[attr] = notnum
-+ try:
-+ topo.standalone.add_s(Entry((REPLICA_DN, my_replica)))
-+ log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, notnum))
-+ assert False
-+ except ldap.LDAPError as e:
-+ log.info("Correctly failed to add replica entry with {}:{} error: {}".format(attr, notnum, str(e)))
-+
-+ # Test valid value
-+ my_replica = copy.deepcopy(replica_dict)
-+ my_replica[attr] = valid
-+ try:
-+ topo.standalone.add_s(Entry((REPLICA_DN, my_replica)))
-+ log.info("Correctly allowed to add replica entry with {}: {}".format(attr, valid))
-+ except ldap.LDAPError as e:
-+ log.fatal("Incorrectly failed to add replica entry with {}: {} error: {}".format(attr, valid, str(e)))
-+ assert False
-+
-+
-+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", repl_mod_attrs)
-+def test_replica_num_modify(topo, attr, too_small, too_big, overflow, notnum, valid):
-+ """Test all the number values you can set for a replica config entry
-+
-+ :id: a8b47d4a-a089-4d70-8070-e6181209bf93
-+ :setup: standalone instance
-+ :steps:
-+ 1. Replace a value that is too small
-+ 2. Repalce a value that is too big
-+ 3. Replace a value that overflows the int
-+ 4. Replace a value with character value (not a number)
-+ 5. Replace a vlue with a valid value
-+ :expectedresults:
-+ 1. Value is rejected
-+ 2. Value is rejected
-+ 3. Value is rejected
-+ 4. Value is rejected
-+ 5. Value is allowed
-+ """
-+
-+ # Value too small
-+ replica_setup(topo)
-+ try:
-+ topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, too_small)])
-+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_small))
-+ assert False
-+ except:
-+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_small))
-+
-+ # Value too big
-+ replica_setup(topo)
-+ try:
-+ topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, too_big)])
-+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_big))
-+ assert False
-+ except:
-+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_big))
-+
-+ # Value overflow
-+ replica_setup(topo)
-+ try:
-+ topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, overflow)])
-+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, overflow))
-+ assert False
-+ except:
-+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, overflow))
-+
-+ # Value not a number
-+ replica_setup(topo)
-+ try:
-+ topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, notnum)])
-+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, notnum))
-+ assert False
-+ except:
-+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, notnum))
-+
-+ # Value is valid
-+ replica_setup(topo)
-+ try:
-+ topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, valid)])
-+ log.info('Correctly added valid agreement attribute value: {}:{}'.format(attr, valid))
-+ except ldap.LDAPError as e:
-+ log.fatal('Valid value for {}:{} was incorrectly rejected. Error {}'.format(attr, valid, str(e)))
-+ assert False
-+
-+
-+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", agmt_attrs)
-+def test_agmt_num_add(topo, attr, too_small, too_big, overflow, notnum, valid):
-+ """Test all the number values you can set for a replica config entry
-+
-+ :id: a8b47d4a-a089-4d70-8070-e6181209bf94
-+ :setup: standalone instance
-+ :steps:
-+ 1. Use a value that is too small
-+ 2. Use a value that is too big
-+ 3. Use a value that overflows the int
-+ 4. Use a value with character value (not a number)
-+ 5. Use a valid value
-+ :expectedresults:
-+ 1. Add is rejected
-+ 2. Add is rejected
-+ 3. Add is rejected
-+ 4. Add is rejected
-+ 5. Add is allowed
-+ """
-+ agmt_reset(topo)
-+
-+ # Test too small
-+ my_agmt = copy.deepcopy(agmt_dict)
-+ my_agmt[attr] = too_small
-+ try:
-+ topo.standalone.add_s(Entry((AGMT_DN, my_agmt)))
-+ log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, too_small))
-+ assert False
-+ except ldap.LDAPError as e:
-+ log.info("Correctly failed to add agreement entry with {}:{} error: {}".format(attr, too_small, str(e)))
-+
-+ # Test too big
-+ my_agmt = copy.deepcopy(agmt_dict)
-+ my_agmt[attr] = too_big
-+ try:
-+ topo.standalone.add_s(Entry((AGMT_DN, my_agmt)))
-+ log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, too_big))
-+ assert False
-+ except ldap.LDAPError as e:
-+ log.info("Correctly failed to add agreement entry with {}:{} error: {}".format(attr, too_big, str(e)))
-+
-+ # Test overflow
-+ my_agmt = copy.deepcopy(agmt_dict)
-+ my_agmt[attr] = overflow
-+ try:
-+ topo.standalone.add_s(Entry((AGMT_DN, my_agmt)))
-+ log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, overflow))
-+ assert False
-+ except ldap.LDAPError as e:
-+ log.info("Correctly failed to add agreement entry with {}:{} error: {}".format(attr, overflow, str(e)))
-+
-+ # test not a number
-+ my_agmt = copy.deepcopy(agmt_dict)
-+ my_agmt[attr] = notnum
-+ try:
-+ topo.standalone.add_s(Entry((AGMT_DN, my_agmt)))
-+ log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, notnum))
-+ assert False
-+ except ldap.LDAPError as e:
-+ log.info("Correctly failed to add agreement entry with {}:{} error: {}".format(attr, notnum, str(e)))
-+
-+ # Test valid value
-+ my_agmt = copy.deepcopy(agmt_dict)
-+ my_agmt[attr] = valid
-+ try:
-+ topo.standalone.add_s(Entry((AGMT_DN, my_agmt)))
-+ log.info("Correctly allowed to add agreement entry with {}: {}".format(attr, valid))
-+ except ldap.LDAPError as e:
-+ log.fatal("Incorrectly failed to add agreement entry with {}: {} error: {}".format(attr, valid, str(e)))
-+ assert False
-+
-+
-+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", agmt_attrs)
-+def test_agmt_num_modify(topo, attr, too_small, too_big, overflow, notnum, valid):
-+ """Test all the number values you can set for a replica config entry
-+
-+ :id: a8b47d4a-a089-4d70-8070-e6181209bf95
-+ :setup: standalone instance
-+ :steps:
-+ 1. Replace a value that is too small
-+ 2. Replace a value that is too big
-+ 3. Replace a value that overflows the int
-+ 4. Replace a value with character value (not a number)
-+ 5. Replace a vlue with a valid value
-+ :expectedresults:
-+ 1. Value is rejected
-+ 2. Value is rejected
-+ 3. Value is rejected
-+ 4. Value is rejected
-+ 5. Value is allowed
-+ """
-+
-+ # Value too small
-+ agmt_setup(topo)
-+ try:
-+ topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, too_small)])
-+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_small))
-+ assert False
-+ except:
-+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_small))
-+
-+ # Value too big
-+ agmt_setup(topo)
-+ try:
-+ topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, too_big)])
-+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_big))
-+ assert False
-+ except:
-+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_big))
-+
-+ # Value overflow
-+ agmt_setup(topo)
-+ try:
-+ topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, overflow)])
-+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, overflow))
-+ assert False
-+ except:
-+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, overflow))
-+
-+ # Value not a number
-+ agmt_setup(topo)
-+ try:
-+ topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, notnum)])
-+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, notnum))
-+ assert False
-+ except:
-+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, notnum))
-+
-+ # Value is valid
-+ agmt_setup(topo)
-+ try:
-+ topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, valid)])
-+ except ldap.LDAPError as e:
-+ log.fatal('Valid value for {}:{} was incorrectly rejected. Error {}'.format(attr, valid, str(e)))
-+ assert False
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-+
-diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
-index 246495214..ab124c86c 100644
---- a/ldap/schema/01core389.ldif
-+++ b/ldap/schema/01core389.ldif
-@@ -303,6 +303,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2331 NAME 'nsslapd-logging-hr-timestamps
- attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
- attributeTypes: ( 2.16.840.1.113730.3.1.2333 NAME 'nsds5ReplicaReleaseTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
- attributeTypes: ( 2.16.840.1.113730.3.1.2335 NAME 'nsds5ReplicaIgnoreMissingChange' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-+attributeTypes: ( 2.16.840.1.113730.3.1.2336 NAME 'nsDS5ReplicaBindDnGroupCheckInterval' DESC 'Replication configuration setting for controlling the bind dn group check interval' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
- #
- # objectclasses
- #
-@@ -312,7 +313,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.44 NAME 'nsIndex' DESC 'Netscape defined
- objectClasses: ( 2.16.840.1.113730.3.2.109 NAME 'nsBackendInstance' DESC 'Netscape defined objectclass' SUP top MUST ( CN ) X-ORIGIN 'Netscape Directory Server' )
- objectClasses: ( 2.16.840.1.113730.3.2.110 NAME 'nsMappingTree' DESC 'Netscape defined objectclass' SUP top MUST ( CN ) X-ORIGIN 'Netscape Directory Server' )
- objectClasses: ( 2.16.840.1.113730.3.2.104 NAME 'nsContainer' DESC 'Netscape defined objectclass' SUP top MUST ( CN ) X-ORIGIN 'Netscape Directory Server' )
--objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Netscape defined objectclass' SUP top MUST ( nsDS5ReplicaRoot $ nsDS5ReplicaId ) MAY (cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5ReplicaAutoReferral $ nsds5ReplicaPurgeDelay $ nsds5ReplicaTombstonePurgeInterval $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax $ nsds5ReplicaReleaseTimeout ) X-ORIGIN 'Netscape Directory Server' )
-+objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Replication configuration objectclass' SUP top MUST ( nsDS5ReplicaRoot $ nsDS5ReplicaId ) MAY (cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5ReplicaAutoReferral $ nsds5ReplicaPurgeDelay $ nsds5ReplicaTombstonePurgeInterval $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax $ nsds5ReplicaReleaseTimeout $ nsDS5ReplicaBindDnGroupCheckInterval ) X-ORIGIN 'Netscape Directory Server' )
- objectClasses: ( 2.16.840.1.113730.3.2.113 NAME 'nsTombstone' DESC 'Netscape defined objectclass' SUP top MAY ( nstombstonecsn $ nsParentUniqueId $ nscpEntryDN ) X-ORIGIN 'Netscape Directory Server' )
- objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause $ nsDS5ReplicaWaitForAsyncResults $ nsds5ReplicaIgnoreMissingChange) X-ORIGIN 'Netscape Directory Server' )
- objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
-diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
-index 3bd878d4d..c6e79b7e2 100644
---- a/ldap/servers/plugins/replication/repl5.h
-+++ b/ldap/servers/plugins/replication/repl5.h
-@@ -330,8 +330,8 @@ void replsupplier_configure(Repl_Supplier *rs, Slapi_PBlock *pb);
- void replsupplier_start(Repl_Supplier *rs);
- void replsupplier_stop(Repl_Supplier *rs);
- void replsupplier_destroy(Repl_Supplier **rs);
--void replsupplier_notify(Repl_Supplier *rs, PRUint32 eventmask);
--PRUint32 replsupplier_get_status(Repl_Supplier *rs);
-+void replsupplier_notify(Repl_Supplier *rs, uint32_t eventmask);
-+uint32_t replsupplier_get_status(Repl_Supplier *rs);
-
- /* In repl5_plugins.c */
- int multimaster_set_local_purl(void);
-@@ -383,7 +383,7 @@ int agmt_stop(Repl_Agmt *ra);
- int agmt_replicate_now(Repl_Agmt *ra);
- char *agmt_get_hostname(const Repl_Agmt *ra);
- int agmt_get_port(const Repl_Agmt *ra);
--PRUint32 agmt_get_transport_flags(const Repl_Agmt *ra);
-+uint32_t agmt_get_transport_flags(const Repl_Agmt *ra);
- char *agmt_get_binddn(const Repl_Agmt *ra);
- struct berval *agmt_get_credentials(const Repl_Agmt *ra);
- int agmt_get_bindmethod(const Repl_Agmt *ra);
-@@ -448,8 +448,8 @@ int agmt_set_attrs_to_strip(Repl_Agmt *ra, Slapi_Entry *e);
- int agmt_set_timeout(Repl_Agmt *ra, long timeout);
- int agmt_set_ignoremissing(Repl_Agmt *ra, long ignoremissing);
- void agmt_update_done(Repl_Agmt *ra, int is_total);
--PRUint64 agmt_get_protocol_timeout(Repl_Agmt *agmt);
--void agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout);
-+uint64_t agmt_get_protocol_timeout(Repl_Agmt *agmt);
-+void agmt_set_protocol_timeout(Repl_Agmt *agmt, uint64_t timeout);
- void agmt_update_maxcsn(Replica *r, Slapi_DN *sdn, int op, LDAPMod **mods, CSN *csn);
- void add_agmt_maxcsns(Slapi_Entry *e, Replica *r);
- void agmt_remove_maxcsn(Repl_Agmt *ra);
-@@ -532,8 +532,8 @@ void *consumer_connection_extension_constructor(void *object, void *parent);
- void consumer_connection_extension_destructor(void *ext, void *object, void *parent);
-
- /* extension helpers for managing exclusive access */
--consumer_connection_extension *consumer_connection_extension_acquire_exclusive_access(void *conn, PRUint64 connid, int opid);
--int consumer_connection_extension_relinquish_exclusive_access(void *conn, PRUint64 connid, int opid, PRBool force);
-+consumer_connection_extension *consumer_connection_extension_acquire_exclusive_access(void *conn, uint64_t connid, int opid);
-+int consumer_connection_extension_relinquish_exclusive_access(void *conn, uint64_t connid, int opid, PRBool force);
-
- /* mapping tree extension - stores replica object */
- typedef struct multimaster_mtnode_extension
-@@ -666,8 +666,8 @@ Replica *replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_o
- void replica_destroy(void **arg);
- int replica_subentry_update(Slapi_DN *repl_root, ReplicaId rid);
- int replica_subentry_check(Slapi_DN *repl_root, ReplicaId rid);
--PRBool replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opid, const char *locking_purl, char **current_purl);
--void replica_relinquish_exclusive_access(Replica *r, PRUint64 connid, int opid);
-+PRBool replica_get_exclusive_access(Replica *r, PRBool *isInc, uint64_t connid, int opid, const char *locking_purl, char **current_purl);
-+void replica_relinquish_exclusive_access(Replica *r, uint64_t connid, int opid);
- PRBool replica_get_tombstone_reap_active(const Replica *r);
- const Slapi_DN *replica_get_root(const Replica *r);
- const char *replica_get_name(const Replica *r);
-@@ -685,11 +685,13 @@ PRBool replica_is_updatedn(Replica *r, const Slapi_DN *sdn);
- void replica_set_updatedn(Replica *r, const Slapi_ValueSet *vs, int mod_op);
- void replica_set_groupdn(Replica *r, const Slapi_ValueSet *vs, int mod_op);
- char *replica_get_generation(const Replica *r);
-+
- /* currently supported flags */
- #define REPLICA_LOG_CHANGES 0x1 /* enable change logging */
--PRBool replica_is_flag_set(const Replica *r, PRUint32 flag);
--void replica_set_flag(Replica *r, PRUint32 flag, PRBool clear);
--void replica_replace_flags(Replica *r, PRUint32 flags);
-+
-+PRBool replica_is_flag_set(const Replica *r, uint32_t flag);
-+void replica_set_flag(Replica *r, uint32_t flag, PRBool clear);
-+void replica_replace_flags(Replica *r, uint32_t flags);
- void replica_dump(Replica *r);
- void replica_set_enabled(Replica *r, PRBool enable);
- Object *replica_get_replica_from_dn(const Slapi_DN *dn);
-@@ -720,7 +722,7 @@ int replica_delete_by_dn(const char *dn);
- int replica_is_being_configured(const char *dn);
- void consumer5_set_mapping_tree_state_for_replica(const Replica *r, RUV *supplierRuv);
- Object *replica_get_for_backend(const char *be_name);
--void replica_set_purge_delay(Replica *r, PRUint32 purge_delay);
-+void replica_set_purge_delay(Replica *r, uint32_t purge_delay);
- void replica_set_tombstone_reap_interval(Replica *r, long interval);
- void replica_update_ruv_consumer(Replica *r, RUV *supplier_ruv);
- void replica_set_ruv_dirty(Replica *r);
-@@ -730,20 +732,20 @@ char *replica_get_dn(Replica *r);
- void replica_check_for_tasks(Replica *r, Slapi_Entry *e);
- void replica_update_state(time_t when, void *arg);
- void replica_reset_csn_pl(Replica *r);
--PRUint64 replica_get_protocol_timeout(Replica *r);
--void replica_set_protocol_timeout(Replica *r, PRUint64 timeout);
--PRUint64 replica_get_release_timeout(Replica *r);
--void replica_set_release_timeout(Replica *r, PRUint64 timeout);
-+uint64_t replica_get_protocol_timeout(Replica *r);
-+void replica_set_protocol_timeout(Replica *r, uint64_t timeout);
-+uint64_t replica_get_release_timeout(Replica *r);
-+void replica_set_release_timeout(Replica *r, uint64_t timeout);
- void replica_set_groupdn_checkinterval(Replica *r, int timeout);
--PRUint64 replica_get_backoff_min(Replica *r);
--PRUint64 replica_get_backoff_max(Replica *r);
--void replica_set_backoff_min(Replica *r, PRUint64 min);
--void replica_set_backoff_max(Replica *r, PRUint64 max);
-+uint64_t replica_get_backoff_min(Replica *r);
-+uint64_t replica_get_backoff_max(Replica *r);
-+void replica_set_backoff_min(Replica *r, uint64_t min);
-+void replica_set_backoff_max(Replica *r, uint64_t max);
- int replica_get_agmt_count(Replica *r);
- void replica_incr_agmt_count(Replica *r);
- void replica_decr_agmt_count(Replica *r);
--PRUint64 replica_get_precise_purging(Replica *r);
--void replica_set_precise_purging(Replica *r, PRUint64 on_off);
-+uint64_t replica_get_precise_purging(Replica *r);
-+void replica_set_precise_purging(Replica *r, uint64_t on_off);
- PRBool ignore_error_and_keep_going(int error);
- void replica_check_release_timeout(Replica *r, Slapi_PBlock *pb);
- void replica_lock_replica(Replica *r);
-@@ -764,8 +766,8 @@ void replica_unlock_replica(Replica *r);
- is active, RECV should back off. And vice versa. But SEND can coexist. */
- #define REPLICA_TOTAL_EXCL_RECV 32 /* ditto */
-
--PRBool replica_is_state_flag_set(Replica *r, PRInt32 flag);
--void replica_set_state_flag(Replica *r, PRUint32 flag, PRBool clear);
-+PRBool replica_is_state_flag_set(Replica *r, int32_t flag);
-+void replica_set_state_flag(Replica *r, uint32_t flag, PRBool clear);
- void replica_set_tombstone_reap_stop(Replica *r, PRBool val);
- void replica_enable_replication(Replica *r);
- void replica_disable_replication(Replica *r, Object *r_obj);
-@@ -836,6 +838,8 @@ LDAPControl *create_managedsait_control(void);
- LDAPControl *create_backend_control(Slapi_DN *sdn);
- void repl_set_mtn_state_and_referrals(const Slapi_DN *sdn, const char *mtn_state, const RUV *ruv, char **ruv_referrals, char **other_referrals);
- void repl_set_repl_plugin_path(const char *path);
-+int repl_config_valid_num(const char *config_attr, char *config_attr_value, int64_t min, int64_t max,
-+ int *returncode, char *errortext, int64_t *retval);
-
- /* repl5_updatedn_list.c */
- typedef void *ReplicaUpdateDNList;
-diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
-index e2ab320e4..78fb91ae6 100644
---- a/ldap/servers/plugins/replication/repl5_agmt.c
-+++ b/ldap/servers/plugins/replication/repl5_agmt.c
-@@ -65,31 +65,31 @@
- struct changecounter
- {
- ReplicaId rid;
-- PRUint32 num_replayed;
-- PRUint32 num_skipped;
-+ uint32_t num_replayed;
-+ uint32_t num_skipped;
- };
-
- typedef struct repl5agmt
- {
- char *hostname; /* remote hostname */
-- int port; /* port of remote server */
-- PRUint32 transport_flags; /* SSL, TLS, etc. */
-+ int64_t port; /* port of remote server */
-+ uint32_t transport_flags; /* SSL, TLS, etc. */
- char *binddn; /* DN to bind as */
- struct berval *creds; /* Password, or certificate */
-- int bindmethod; /* Bind method - simple, SSL */
-+ int64_t bindmethod; /* Bind method - simple, SSL */
- Slapi_DN *replarea; /* DN of replicated area */
- char **frac_attrs; /* list of fractional attributes to be replicated */
- char **frac_attrs_total; /* list of fractional attributes to be replicated for total update protocol */
- PRBool frac_attr_total_defined; /* TRUE if frac_attrs_total is defined */
- Schedule *schedule; /* Scheduling information */
-- int auto_initialize; /* 1 = automatically re-initialize replica */
-+ int64_t auto_initialize; /* 1 = automatically re-initialize replica */
- const Slapi_DN *dn; /* DN of replication agreement entry */
- const Slapi_RDN *rdn; /* RDN of replication agreement entry */
- char *long_name; /* Long name (rdn + host, port) of entry, for logging */
- Repl_Protocol *protocol; /* Protocol object - manages protocol */
- struct changecounter **changecounters; /* changes sent/skipped since server start up */
-- int num_changecounters;
-- int max_changecounters;
-+ int64_t num_changecounters;
-+ int64_t max_changecounters;
- time_t last_update_start_time; /* Local start time of last update session */
- time_t last_update_end_time; /* Local end time of last update session */
- char last_update_status[STATUS_LEN]; /* Status of last update. Format = numeric code <space> textual description */
-@@ -102,35 +102,35 @@ typedef struct repl5agmt
- Object *consumerRUV; /* last RUV received from the consumer - used for changelog purging */
- CSN *consumerSchemaCSN; /* last schema CSN received from the consumer */
- ReplicaId consumerRID; /* indicates if the consumer is the originator of a CSN */
-- int tmpConsumerRID; /* Indicates the consumer rid was set from the agmt maxcsn - it should be refreshed */
-- long timeout; /* timeout (in seconds) for outbound LDAP connections to remote server */
-+ int64_t tmpConsumerRID; /* Indicates the consumer rid was set from the agmt maxcsn - it should be refreshed */
-+ int64_t timeout; /* timeout (in seconds) for outbound LDAP connections to remote server */
- PRBool stop_in_progress; /* set by agmt_stop when shutting down */
-- long busywaittime; /* time in seconds to wait after getting a REPLICA BUSY from the consumer -
-- to allow another supplier to finish sending its updates -
-- if set to 0, this means to use the default value if we get a busy
-- signal from the consumer */
-- long pausetime; /* time in seconds to pause after sending updates -
-- to allow another supplier to send its updates -
-- should be greater than busywaittime -
-- if set to 0, this means do not pause */
-+ int64_t busywaittime; /* time in seconds to wait after getting a REPLICA BUSY from the consumer -
-+ * to allow another supplier to finish sending its updates -
-+ * if set to 0, this means to use the default value if we get a busy
-+ * signal from the consumer
-+ */
-+ int64_t pausetime; /* time in seconds to pause after sending updates -
-+ * to allow another supplier to send its updates -
-+ * should be greater than busywaittime -
-+ * if set to 0, this means do not pause
-+ */
- void *priv; /* private data, used for windows-specific agreement data
-- for sync agreements or for replication session plug-in
-- private data for normal replication agreements */
-+ * for sync agreements or for replication session plug-in
-+ * private data for normal replication agreements
-+ */
- char **attrs_to_strip; /* for fractional replication, if a "mod" is empty, strip out these attributes:
-- * modifiersname, modifytimestamp, internalModifiersname, internalModifyTimestamp, etc */
-- int agreement_type;
-+ * modifiersname, modifytimestamp, internalModifiersname, internalModifyTimestamp, etc */
-+ int64_t agreement_type;
- Slapi_Counter *protocol_timeout;
-- char *maxcsn; /* agmt max csn */
-- long flowControlWindow; /* This is the maximum number of entries
-- * sent without acknowledgment
-- */
-- long flowControlPause; /* When nb of not acknowledged entries overpass totalUpdateWindow
-- * This is the duration (in msec) that the RA will pause before sending the next entry
-- */
-- long ignoreMissingChange; /* if set replication will try to continue even if change cannot be found in changelog */
-- Slapi_RWLock *attr_lock; /* RW lock for all the stripped attrs */
-- int WaitForAsyncResults; /* Pass to DS_Sleep(PR_MillisecondsToInterval(WaitForAsyncResults))
-- * in repl5_inc_waitfor_async_results */
-+ char *maxcsn; /* agmt max csn */
-+ int64_t flowControlWindow; /* This is the maximum number of entries sent without acknowledgment */
-+ int64_t flowControlPause; /* When nb of not acknowledged entries overpass totalUpdateWindow
-+ * This is the duration (in msec) that the RA will pause before sending the next entry */
-+ int64_t ignoreMissingChange; /* if set replication will try to continue even if change cannot be found in changelog */
-+ Slapi_RWLock *attr_lock; /* RW lock for all the stripped attrs */
-+ int64_t WaitForAsyncResults; /* Pass to DS_Sleep(PR_MillisecondsToInterval(WaitForAsyncResults))
-+ * in repl5_inc_waitfor_async_results */
- } repl5agmt;
-
- /* Forward declarations */
-@@ -182,7 +182,7 @@ agmt_is_valid(Repl_Agmt *ra)
- }
- if (ra->port <= 0) {
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "agmt_is_valid - Replication agreement \"%s\" "
-- "is malformed: invalid port number %d.\n",
-+ "is malformed: invalid port number %ld.\n",
- slapi_sdn_get_dn(ra->dn), ra->port);
- return_value = 0;
- }
-@@ -241,10 +241,14 @@ agmt_new_from_entry(Slapi_Entry *e)
- {
- Repl_Agmt *ra;
- Slapi_Attr *sattr;
-+ char errormsg[SLAPI_DSE_RETURNTEXT_SIZE];
- char *tmpstr;
- char **denied_attrs = NULL;
- char *auto_initialize = NULL;
- char *val_nsds5BeginReplicaRefresh = "start";
-+ char *val = NULL;
-+ int64_t ptimeout = 0;
-+ int rc = 0;
-
- ra = (Repl_Agmt *)slapi_ch_calloc(1, sizeof(repl5agmt));
- if ((ra->lock = PR_NewLock()) == NULL) {
-@@ -283,8 +287,17 @@ agmt_new_from_entry(Slapi_Entry *e)
-
- /* Host name of remote replica */
- ra->hostname = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaHost);
-+
- /* Port number for remote replica instance */
-- ra->port = slapi_entry_attr_get_int(e, type_nsds5ReplicaPort);
-+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaPort))){
-+ int64_t port;
-+ if (repl_config_valid_num(type_nsds5ReplicaPort, val, 1, 65535, &rc, errormsg, &port) != 0) {
-+ goto loser;
-+ }
-+ slapi_ch_free_string(&val);
-+ ra->port = port;
-+ }
-+
- /* SSL, TLS, or other transport stuff */
- ra->transport_flags = 0;
- (void)agmt_set_transportinfo_no_lock(ra, e);
-@@ -313,29 +326,35 @@ agmt_new_from_entry(Slapi_Entry *e)
-
- /* timeout. */
- ra->timeout = DEFAULT_TIMEOUT;
-- if (slapi_entry_attr_find(e, type_nsds5ReplicaTimeout, &sattr) == 0) {
-- Slapi_Value *sval;
-- if (slapi_attr_first_value(sattr, &sval) == 0) {
-- ra->timeout = slapi_value_get_long(sval);
-+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaTimeout))){
-+ int64_t timeout;
-+ if (repl_config_valid_num(type_nsds5ReplicaTimeout, val, 0, INT_MAX, &rc, errormsg, &timeout) != 0) {
-+ goto loser;
- }
-+ slapi_ch_free_string(&val);
-+ ra->timeout = timeout;
- }
-
- /* flow control update window. */
- ra->flowControlWindow = DEFAULT_FLOWCONTROL_WINDOW;
-- if (slapi_entry_attr_find(e, type_nsds5ReplicaFlowControlWindow, &sattr) == 0) {
-- Slapi_Value *sval;
-- if (slapi_attr_first_value(sattr, &sval) == 0) {
-- ra->flowControlWindow = slapi_value_get_long(sval);
-+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaFlowControlWindow))){
-+ int64_t flow;
-+ if (repl_config_valid_num(type_nsds5ReplicaTimeout, val, 0, INT_MAX, &rc, errormsg, &flow) != 0) {
-+ goto loser;
- }
-+ slapi_ch_free_string(&val);
-+ ra->flowControlWindow = flow;
- }
-
- /* flow control update pause. */
- ra->flowControlPause = DEFAULT_FLOWCONTROL_PAUSE;
-- if (slapi_entry_attr_find(e, type_nsds5ReplicaFlowControlPause, &sattr) == 0) {
-- Slapi_Value *sval;
-- if (slapi_attr_first_value(sattr, &sval) == 0) {
-- ra->flowControlPause = slapi_value_get_long(sval);
-+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaFlowControlPause))){
-+ int64_t pause;
-+ if (repl_config_valid_num(type_nsds5ReplicaFlowControlPause, val, 0, INT_MAX, &rc, errormsg, &pause) != 0) {
-+ goto loser;
- }
-+ slapi_ch_free_string(&val);
-+ ra->flowControlPause = pause;
- }
-
- /* continue on missing change ? */
-@@ -357,7 +376,6 @@ agmt_new_from_entry(Slapi_Entry *e)
- if (NULL != tmpstr) {
- Object *repl_obj;
- Replica *replica;
-- PRUint64 ptimeout = 0;
-
- ra->replarea = slapi_sdn_new_dn_passin(tmpstr);
-
-@@ -367,14 +385,18 @@ agmt_new_from_entry(Slapi_Entry *e)
- replica_incr_agmt_count(replica);
- }
- }
-+ }
-
-- /* If this agmt has its own timeout, grab it, otherwise use the replica's protocol timeout */
-- ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
-- if (ptimeout) {
-- slapi_counter_set_value(ra->protocol_timeout, ptimeout);
-+ /* If this agmt has its own timeout, grab it, otherwise use the replica's protocol timeout */
-+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaProtocolTimeout))){
-+ if (repl_config_valid_num(type_replicaProtocolTimeout, val, 0, INT_MAX, &rc, errormsg, &ptimeout) != 0) {
-+ goto loser;
- }
-+ slapi_ch_free_string(&val);
-+ slapi_counter_set_value(ra->protocol_timeout, ptimeout);
- }
-
-+
- /* Replica enabled */
- tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaEnabled);
- if (NULL != tmpstr) {
-@@ -384,9 +406,8 @@ agmt_new_from_entry(Slapi_Entry *e)
- ra->is_enabled = PR_TRUE;
- } else {
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "agmt_new_from_entry - "
-- "Warning invalid value for nsds5ReplicaEnabled (%s), value must be \"on\" or \"off\". "
-- "Ignoring this repl agreement.\n",
-- tmpstr);
-+ "Warning invalid value for nsds5ReplicaEnabled (%s), value must be \"on\" or \"off\". "
-+ "Ignoring this repl agreement.\n", tmpstr);
- slapi_ch_free_string(&tmpstr);
- goto loser;
- }
-@@ -402,11 +423,24 @@ agmt_new_from_entry(Slapi_Entry *e)
- }
-
- /* busy wait time - time to wait after getting REPLICA BUSY from consumer */
-- ra->busywaittime = slapi_entry_attr_get_long(e, type_nsds5ReplicaBusyWaitTime);
-+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBusyWaitTime))){
-+ int64_t busytime = 0;
-+ if (repl_config_valid_num(type_nsds5ReplicaBusyWaitTime, val, 0, INT_MAX, &rc, errormsg, &busytime) != 0) {
-+ goto loser;
-+ }
-+ slapi_ch_free_string(&val);
-+ ra->busywaittime = busytime;
-+ }
-
- /* pause time - time to pause after a session has ended */
-- ra->pausetime = slapi_entry_attr_get_long(e, type_nsds5ReplicaSessionPauseTime);
--
-+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaSessionPauseTime))){
-+ int64_t pausetime = 0;
-+ if (repl_config_valid_num(type_nsds5ReplicaSessionPauseTime, val, 0, INT_MAX, &rc, errormsg, &pausetime) != 0) {
-+ goto loser;
-+ }
-+ slapi_ch_free_string(&val);
-+ ra->pausetime = pausetime;
-+ }
- /* consumer's RUV */
- if (slapi_entry_attr_find(e, type_ruvElement, &sattr) == 0) {
- RUV *ruv;
-@@ -434,7 +468,7 @@ agmt_new_from_entry(Slapi_Entry *e)
- if (dot) {
- *dot = '\0';
- }
-- ra->long_name = slapi_ch_smprintf("agmt=\"%s\" (%s:%d)", agmtname, hostname, ra->port);
-+ ra->long_name = slapi_ch_smprintf("agmt=\"%s\" (%s:%ld)", agmtname, hostname, ra->port);
- }
-
- /* DBDB: review this code */
-@@ -534,6 +568,9 @@ agmt_new_from_entry(Slapi_Entry *e)
-
- return ra;
- loser:
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,
-+ "agmt_new_from_entry - Failed to parse agreement, skipping.\n");
-+ slapi_ch_free_string(&val);
- agmt_delete((void **)&ra);
- return NULL;
- }
-@@ -754,10 +791,10 @@ agmt_start(Repl_Agmt *ra)
- char buf[BUFSIZ];
- char unavail_buf[BUFSIZ];
-
-- PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%d;", slapi_sdn_get_dn(repl_sdn),
-+ PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%ld;", slapi_sdn_get_dn(repl_sdn),
- slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)),
- ra->hostname, ra->port);
-- PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%d;unavailable", slapi_sdn_get_dn(repl_sdn),
-+ PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%ld;unavailable", slapi_sdn_get_dn(repl_sdn),
- slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)),
- ra->hostname, ra->port);
- if (strstr(maxcsns[i], buf) || strstr(maxcsns[i], unavail_buf)) {
-@@ -901,7 +938,7 @@ agmt_get_port(const Repl_Agmt *ra)
- /*
- * Return the transport flags for this agreement.
- */
--PRUint32
-+uint32_t
- agmt_get_transport_flags(const Repl_Agmt *ra)
- {
- unsigned int return_value;
-@@ -2919,7 +2956,7 @@ agmt_update_done(Repl_Agmt *agmt, int is_total)
- }
- }
-
--PRUint64
-+uint64_t
- agmt_get_protocol_timeout(Repl_Agmt *agmt)
- {
- if (agmt) {
-@@ -2930,7 +2967,7 @@ agmt_get_protocol_timeout(Repl_Agmt *agmt)
- }
-
- void
--agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout)
-+agmt_set_protocol_timeout(Repl_Agmt *agmt, uint64_t timeout)
- {
- if (agmt) {
- slapi_counter_set_value(agmt->protocol_timeout, timeout);
-@@ -2992,11 +3029,11 @@ agmt_update_maxcsn(Replica *r, Slapi_DN *sdn, int op, LDAPMod **mods, CSN *csn)
- * temporarily mark it as "unavailable".
- */
- slapi_ch_free_string(&agmt->maxcsn);
-- agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%d;unavailable", slapi_sdn_get_dn(agmt->replarea),
-+ agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%ld;unavailable", slapi_sdn_get_dn(agmt->replarea),
- slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(agmt->rdn)), agmt->hostname, agmt->port);
- } else if (rid == oprid) {
- slapi_ch_free_string(&agmt->maxcsn);
-- agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%d;%d;%s", slapi_sdn_get_dn(agmt->replarea),
-+ agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%ld;%d;%s", slapi_sdn_get_dn(agmt->replarea),
- slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(agmt->rdn)), agmt->hostname,
- agmt->port, agmt->consumerRID, maxcsn);
- }
-@@ -3190,10 +3227,10 @@ agmt_remove_maxcsn(Repl_Agmt *ra)
- char unavail_buf[BUFSIZ];
- struct berval val;
-
-- PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%d;", slapi_sdn_get_dn(ra->replarea),
-+ PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%ld;", slapi_sdn_get_dn(ra->replarea),
- slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)),
- ra->hostname, ra->port);
-- PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%d;unavailable",
-+ PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%ld;unavailable",
- slapi_sdn_get_dn(ra->replarea),
- slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)),
- ra->hostname, ra->port);
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index 92f847f24..e5296bf1c 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -33,42 +33,40 @@ struct replica
- Slapi_DN *repl_root; /* top of the replicated are */
- char *repl_name; /* unique replica name */
- PRBool new_name; /* new name was generated - need to be saved */
-- ReplicaUpdateDNList updatedn_list; /* list of dns with which a supplier should bind
-- to update this replica */
-- Slapi_ValueSet *updatedn_groups; /* set of groups whose memebers are
-- * allowed to update replica */
-+ ReplicaUpdateDNList updatedn_list; /* list of dns with which a supplier should bind to update this replica */
-+ Slapi_ValueSet *updatedn_groups; /* set of groups whose memebers are allowed to update replica */
- ReplicaUpdateDNList groupdn_list; /* exploded listof dns from update group */
-- PRUint32 updatedn_group_last_check;
-- int updatedn_group_check_interval;
-- ReplicaType repl_type; /* is this replica read-only ? */
-- ReplicaId repl_rid; /* replicaID */
-- Object *repl_ruv; /* replica update vector */
-- PRBool repl_ruv_dirty; /* Dirty flag for ruv */
-- CSNPL *min_csn_pl; /* Pending list for minimal CSN */
-- void *csn_pl_reg_id; /* registration assignment for csn callbacks */
-- unsigned long repl_state_flags; /* state flags */
-- PRUint32 repl_flags; /* persistent, externally visible flags */
-- PRMonitor *repl_lock; /* protects entire structure */
-- Slapi_Eq_Context repl_eqcxt_rs; /* context to cancel event that saves ruv */
-- Slapi_Eq_Context repl_eqcxt_tr; /* context to cancel event that reaps tombstones */
-- Object *repl_csngen; /* CSN generator for this replica */
-- PRBool repl_csn_assigned; /* Flag set when new csn is assigned. */
-- PRUint32 repl_purge_delay; /* When purgeable, CSNs are held on to for this many extra seconds */
-- PRBool tombstone_reap_stop; /* TRUE when the tombstone reaper should stop */
-- PRBool tombstone_reap_active; /* TRUE when the tombstone reaper is running */
-- long tombstone_reap_interval; /* Time in seconds between tombstone reaping */
-- Slapi_ValueSet *repl_referral; /* A list of administrator provided referral URLs */
-- PRBool state_update_inprogress; /* replica state is being updated */
-- PRLock *agmt_lock; /* protects agreement creation, start and stop */
-- char *locking_purl; /* supplier who has exclusive access */
-- uint64_t locking_conn; /* The supplier's connection id */
-- Slapi_Counter *protocol_timeout; /* protocol shutdown timeout */
-- Slapi_Counter *backoff_min; /* backoff retry minimum */
-- Slapi_Counter *backoff_max; /* backoff retry maximum */
-- Slapi_Counter *precise_purging; /* Enable precise tombstone purging */
-- PRUint64 agmt_count; /* Number of agmts */
-- Slapi_Counter *release_timeout; /* The amount of time to wait before releasing active replica */
-- PRUint64 abort_session; /* Abort the current replica session */
-+ uint32_t updatedn_group_last_check; /* the time of the last group check */
-+ int64_t updatedn_group_check_interval; /* the group check interval */
-+ ReplicaType repl_type; /* is this replica read-only ? */
-+ ReplicaId repl_rid; /* replicaID */
-+ Object *repl_ruv; /* replica update vector */
-+ PRBool repl_ruv_dirty; /* Dirty flag for ruv */
-+ CSNPL *min_csn_pl; /* Pending list for minimal CSN */
-+ void *csn_pl_reg_id; /* registration assignment for csn callbacks */
-+ unsigned long repl_state_flags; /* state flags */
-+ uint32_t repl_flags; /* persistent, externally visible flags */
-+ PRMonitor *repl_lock; /* protects entire structure */
-+ Slapi_Eq_Context repl_eqcxt_rs; /* context to cancel event that saves ruv */
-+ Slapi_Eq_Context repl_eqcxt_tr; /* context to cancel event that reaps tombstones */
-+ Object *repl_csngen; /* CSN generator for this replica */
-+ PRBool repl_csn_assigned; /* Flag set when new csn is assigned. */
-+ int64_t repl_purge_delay; /* When purgeable, CSNs are held on to for this many extra seconds */
-+ PRBool tombstone_reap_stop; /* TRUE when the tombstone reaper should stop */
-+ PRBool tombstone_reap_active; /* TRUE when the tombstone reaper is running */
-+ int64_t tombstone_reap_interval; /* Time in seconds between tombstone reaping */
-+ Slapi_ValueSet *repl_referral; /* A list of administrator provided referral URLs */
-+ PRBool state_update_inprogress; /* replica state is being updated */
-+ PRLock *agmt_lock; /* protects agreement creation, start and stop */
-+ char *locking_purl; /* supplier who has exclusive access */
-+ uint64_t locking_conn; /* The supplier's connection id */
-+ Slapi_Counter *protocol_timeout; /* protocol shutdown timeout */
-+ Slapi_Counter *backoff_min; /* backoff retry minimum */
-+ Slapi_Counter *backoff_max; /* backoff retry maximum */
-+ Slapi_Counter *precise_purging; /* Enable precise tombstone purging */
-+ uint64_t agmt_count; /* Number of agmts */
-+ Slapi_Counter *release_timeout; /* The amount of time to wait before releasing active replica */
-+ uint64_t abort_session; /* Abort the current replica session */
- };
-
-
-@@ -532,7 +530,7 @@ replica_subentry_update(Slapi_DN *repl_root, ReplicaId rid)
- * current_purl is the supplier who already has access, if any
- */
- PRBool
--replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opid, const char *locking_purl, char **current_purl)
-+replica_get_exclusive_access(Replica *r, PRBool *isInc, uint64_t connid, int opid, const char *locking_purl, char **current_purl)
- {
- PRBool rval = PR_TRUE;
-
-@@ -608,7 +606,7 @@ done:
- * Relinquish exclusive access to the replica
- */
- void
--replica_relinquish_exclusive_access(Replica *r, PRUint64 connid, int opid)
-+replica_relinquish_exclusive_access(Replica *r, uint64_t connid, int opid)
- {
- PRBool isInc;
-
-@@ -915,7 +913,7 @@ replica_get_type(const Replica *r)
- return r->repl_type;
- }
-
--PRUint64
-+uint64_t
- replica_get_protocol_timeout(Replica *r)
- {
- if (r) {
-@@ -925,7 +923,7 @@ replica_get_protocol_timeout(Replica *r)
- }
- }
-
--PRUint64
-+uint64_t
- replica_get_release_timeout(Replica *r)
- {
- if (r) {
-@@ -936,7 +934,7 @@ replica_get_release_timeout(Replica *r)
- }
-
- void
--replica_set_release_timeout(Replica *r, PRUint64 limit)
-+replica_set_release_timeout(Replica *r, uint64_t limit)
- {
- if (r) {
- slapi_counter_set_value(r->release_timeout, limit);
-@@ -944,7 +942,7 @@ replica_set_release_timeout(Replica *r, PRUint64 limit)
- }
-
- void
--replica_set_protocol_timeout(Replica *r, PRUint64 timeout)
-+replica_set_protocol_timeout(Replica *r, uint64_t timeout)
- {
- if (r) {
- slapi_counter_set_value(r->protocol_timeout, timeout);
-@@ -1182,7 +1180,7 @@ replica_get_generation(const Replica *r)
- }
-
- PRBool
--replica_is_flag_set(const Replica *r, PRUint32 flag)
-+replica_is_flag_set(const Replica *r, uint32_t flag)
- {
- if (r)
- return (r->repl_flags & flag);
-@@ -1191,7 +1189,7 @@ replica_is_flag_set(const Replica *r, PRUint32 flag)
- }
-
- void
--replica_set_flag(Replica *r, PRUint32 flag, PRBool clear)
-+replica_set_flag(Replica *r, uint32_t flag, PRBool clear)
- {
- if (r == NULL)
- return;
-@@ -1208,7 +1206,7 @@ replica_set_flag(Replica *r, PRUint32 flag, PRBool clear)
- }
-
- void
--replica_replace_flags(Replica *r, PRUint32 flags)
-+replica_replace_flags(Replica *r, uint32_t flags)
- {
- if (r) {
- replica_lock(r->repl_lock);
-@@ -1829,17 +1827,18 @@ _replica_check_validity(const Replica *r)
- static int
- _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
- {
-- Slapi_Attr *a = NULL;
- Slapi_Attr *attr;
- CSNGen *gen;
- char *precise_purging = NULL;
- char buf[SLAPI_DSE_RETURNTEXT_SIZE];
- char *errormsg = errortext ? errortext : buf;
- char *val;
-- int backoff_min;
-- int backoff_max;
-- int ptimeout = 0;
-- int release_timeout = 0;
-+ int64_t backoff_min;
-+ int64_t backoff_max;
-+ int64_t ptimeout = 0;
-+ int64_t release_timeout = 0;
-+ int64_t interval = 0;
-+ int64_t rtype = 0;
- int rc;
-
- PR_ASSERT(r && e);
-@@ -1847,7 +1846,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
- /* get replica root */
- val = slapi_entry_attr_get_charptr(e, attr_replicaRoot);
- if (val == NULL) {
-- PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, "Failed to retrieve %s attribute from (%s)\n",
-+ PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, "Failed to retrieve %s attribute from (%s)",
- attr_replicaRoot,
- (char *)slapi_entry_get_dn((Slapi_Entry *)e));
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - %s\n",
-@@ -1858,66 +1857,94 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
- r->repl_root = slapi_sdn_new_dn_passin(val);
-
- /* get replica type */
-- val = slapi_entry_attr_get_charptr(e, attr_replicaType);
-- if (val) {
-- r->repl_type = atoi(val);
-- slapi_ch_free((void **)&val);
-+ if (slapi_entry_attr_exists(e, attr_replicaType)) {
-+ if ((val = slapi_entry_attr_get_charptr(e, attr_replicaType))) {
-+ if (repl_config_valid_num(attr_replicaType, val, 0, REPLICA_TYPE_UPDATABLE, &rc, errormsg, &rtype) != 0) {
-+ slapi_ch_free_string(&val);
-+ return -1;
-+ }
-+ r->repl_type = rtype;
-+ slapi_ch_free_string(&val);
-+ } else {
-+ r->repl_type = REPLICA_TYPE_READONLY;
-+ }
- } else {
- r->repl_type = REPLICA_TYPE_READONLY;
- }
-
-- /* grab and validate the backoff retry settings */
-+ /* grab and validate the backoff min retry settings */
- if (slapi_entry_attr_exists(e, type_replicaBackoffMin)) {
-- backoff_min = slapi_entry_attr_get_int(e, type_replicaBackoffMin);
-- if (backoff_min <= 0) {
-- slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - "
-- "Invalid value for %s: %d Using default value (%d)\n",
-- type_replicaBackoffMin, backoff_min, PROTOCOL_BACKOFF_MINIMUM);
-+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaBackoffMin))) {
-+ if (repl_config_valid_num(type_replicaBackoffMin, val, 1, INT_MAX, &rc, errormsg, &backoff_min) != 0) {
-+ slapi_ch_free_string(&val);
-+ return -1;
-+ }
-+ slapi_ch_free_string(&val);
-+ } else {
- backoff_min = PROTOCOL_BACKOFF_MINIMUM;
- }
- } else {
- backoff_min = PROTOCOL_BACKOFF_MINIMUM;
- }
-
-+ /* grab and validate the backoff max retry settings */
- if (slapi_entry_attr_exists(e, type_replicaBackoffMax)) {
-- backoff_max = slapi_entry_attr_get_int(e, type_replicaBackoffMax);
-- if (backoff_max <= 0) {
-- slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - "
-- "Invalid value for %s: %d Using default value (%d)\n",
-- type_replicaBackoffMax, backoff_max, PROTOCOL_BACKOFF_MAXIMUM);
-+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaBackoffMax))) {
-+ if (repl_config_valid_num(type_replicaBackoffMax, val, 1, INT_MAX, &rc, errormsg, &backoff_max) != 0) {
-+ slapi_ch_free_string(&val);
-+ return -1;
-+ }
-+ slapi_ch_free_string(&val);
-+ } else {
- backoff_max = PROTOCOL_BACKOFF_MAXIMUM;
- }
- } else {
- backoff_max = PROTOCOL_BACKOFF_MAXIMUM;
- }
-
-+ /* Verify backoff min and max work together */
- if (backoff_min > backoff_max) {
-- /* Ok these values are invalid, reset back the defaults */
-- slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - "
-- "Backoff minimum (%d) can not be greater than "
-- "the backoff maximum (%d). Using default values: min (%d) max (%d)\n",
-- backoff_min, backoff_max, PROTOCOL_BACKOFF_MINIMUM, PROTOCOL_BACKOFF_MAXIMUM);
-- slapi_counter_set_value(r->backoff_min, PROTOCOL_BACKOFF_MINIMUM);
-- slapi_counter_set_value(r->backoff_max, PROTOCOL_BACKOFF_MAXIMUM);
-+ PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE,
-+ "Backoff minimum (%ld) can not be greater than the backoff maximum (%ld).",
-+ backoff_min, backoff_max);
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - "
-+ "%s\n", errormsg);
-+ return -1;
- } else {
- slapi_counter_set_value(r->backoff_min, backoff_min);
- slapi_counter_set_value(r->backoff_max, backoff_max);
- }
-
- /* get the protocol timeout */
-- ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
-- if (ptimeout <= 0) {
-- slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT);
-+ if (slapi_entry_attr_exists(e, type_replicaProtocolTimeout)) {
-+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaProtocolTimeout))) {
-+ if (repl_config_valid_num(type_replicaProtocolTimeout, val, 0, INT_MAX, &rc, errormsg, &ptimeout) != 0) {
-+ slapi_ch_free_string(&val);
-+ return -1;
-+ }
-+ slapi_ch_free_string(&val);
-+ slapi_counter_set_value(r->protocol_timeout, ptimeout);
-+ } else {
-+ slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT);
-+ }
- } else {
-- slapi_counter_set_value(r->protocol_timeout, ptimeout);
-+ slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT);
- }
-
- /* Get the release timeout */
-- release_timeout = slapi_entry_attr_get_int(e, type_replicaReleaseTimeout);
-- if (release_timeout <= 0) {
-- slapi_counter_set_value(r->release_timeout, 0);
-+ if (slapi_entry_attr_exists(e, type_replicaReleaseTimeout)) {
-+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaReleaseTimeout))) {
-+ if (repl_config_valid_num(type_replicaReleaseTimeout, val, 0, INT_MAX, &rc, errortext, &release_timeout) != 0) {
-+ slapi_ch_free_string(&val);
-+ return -1;
-+ }
-+ slapi_counter_set_value(r->release_timeout, release_timeout);
-+ slapi_ch_free_string(&val);
-+ } else {
-+ slapi_counter_set_value(r->release_timeout, 0);
-+ }
- } else {
-- slapi_counter_set_value(r->release_timeout, release_timeout);
-+ slapi_counter_set_value(r->release_timeout, 0);
- }
-
- /* check for precise tombstone purging */
-@@ -1929,10 +1956,11 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
- slapi_counter_set_value(r->precise_purging, 0);
- } else {
- /* Invalid value */
-- slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - "
-- "Invalid value for %s: %s Using default value (off)\n",
-- type_replicaPrecisePurge, precise_purging);
-- slapi_counter_set_value(r->precise_purging, 0);
-+ PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, "Invalid value for %s: %s",
-+ type_replicaPrecisePurge, precise_purging);
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - "
-+ "%s\n", errormsg);
-+ return -1;
- }
- slapi_ch_free_string(&precise_purging);
- } else {
-@@ -1940,7 +1968,19 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
- }
-
- /* get replica flags */
-- r->repl_flags = slapi_entry_attr_get_ulong(e, attr_flags);
-+ if (slapi_entry_attr_exists(e, attr_flags)) {
-+ int64_t rflags;
-+ if((val = slapi_entry_attr_get_charptr(e, attr_flags))) {
-+ if (repl_config_valid_num(attr_flags, val, 0, 1, &rc, errortext, &rflags) != 0) {
-+ return -1;
-+ }
-+ r->repl_flags = (uint32_t)rflags;
-+ } else {
-+ r->repl_flags = 0;
-+ }
-+ } else {
-+ r->repl_flags = 0;
-+ }
-
- /*
- * Get replicaid
-@@ -1955,20 +1995,13 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
- else if (r->repl_type == REPLICA_TYPE_UPDATABLE ||
- r->repl_type == REPLICA_TYPE_PRIMARY) {
- if ((val = slapi_entry_attr_get_charptr(e, attr_replicaId))) {
-- int temprid = atoi(val);
-- slapi_ch_free((void **)&val);
-- if (temprid <= 0 || temprid >= READ_ONLY_REPLICA_ID) {
-- PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE,
-- "Attribute %s must have a value greater than 0 "
-- "and less than %d: entry %s",
-- attr_replicaId, READ_ONLY_REPLICA_ID,
-- (char *)slapi_entry_get_dn((Slapi_Entry *)e));
-- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,
-- "_replica_init_from_config - %s\n", errormsg);
-+ int64_t rid;
-+ if (repl_config_valid_num(attr_replicaId, val, 1, 65535, &rc, errormsg, &rid) != 0) {
-+ slapi_ch_free_string(&val);
- return -1;
-- } else {
-- r->repl_rid = (ReplicaId)temprid;
- }
-+ r->repl_rid = (ReplicaId)rid;
-+ slapi_ch_free_string(&val);
- } else {
- PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE,
- "Failed to retrieve required %s attribute from %s",
-@@ -2003,10 +2036,13 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
- r->groupdn_list = replica_groupdn_list_new(r->updatedn_groups);
- r->updatedn_group_last_check = time(NULL);
- /* get groupdn check interval */
-- val = slapi_entry_attr_get_charptr(e, attr_replicaBindDnGroupCheckInterval);
-- if (val) {
-- r->updatedn_group_check_interval = atoi(val);
-- slapi_ch_free((void **)&val);
-+ if ((val = slapi_entry_attr_get_charptr(e, attr_replicaBindDnGroupCheckInterval))) {
-+ if (repl_config_valid_num(attr_replicaBindDnGroupCheckInterval, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) {
-+ slapi_ch_free_string(&val);
-+ return -1;
-+ }
-+ r->updatedn_group_check_interval = interval;
-+ slapi_ch_free_string(&val);
- } else {
- r->updatedn_group_check_interval = -1;
- }
-@@ -2041,18 +2077,26 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
- * since we don't know about LCUP replicas, and they can just
- * turn up whenever they want to.
- */
-- if (slapi_entry_attr_find(e, type_replicaPurgeDelay, &a) == -1) {
-- /* No purge delay provided, so use default */
-- r->repl_purge_delay = 60 * 60 * 24 * 7; /* One week, in seconds */
-+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaPurgeDelay))) {
-+ if (repl_config_valid_num(type_replicaPurgeDelay, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) {
-+ slapi_ch_free_string(&val);
-+ return -1;
-+ }
-+ r->repl_purge_delay = interval;
-+ slapi_ch_free_string(&val);
- } else {
-- r->repl_purge_delay = slapi_entry_attr_get_uint(e, type_replicaPurgeDelay);
-+ r->repl_purge_delay = 60 * 60 * 24 * 7; /* One week, in seconds */
- }
-
-- if (slapi_entry_attr_find(e, type_replicaTombstonePurgeInterval, &a) == -1) {
-- /* No reap interval provided, so use default */
-- r->tombstone_reap_interval = 3600 * 24; /* One day */
-+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaTombstonePurgeInterval))) {
-+ if (repl_config_valid_num(type_replicaTombstonePurgeInterval, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) {
-+ slapi_ch_free_string(&val);
-+ return -1;
-+ }
-+ r->tombstone_reap_interval = interval;
-+ slapi_ch_free_string(&val);
- } else {
-- r->tombstone_reap_interval = slapi_entry_attr_get_int(e, type_replicaTombstonePurgeInterval);
-+ r->tombstone_reap_interval = 3600 * 24; /* One week, in seconds */
- }
-
- r->tombstone_reap_stop = r->tombstone_reap_active = PR_FALSE;
-@@ -3534,7 +3578,7 @@ replica_log_ruv_elements_nolock(const Replica *r)
- }
-
- void
--replica_set_purge_delay(Replica *r, PRUint32 purge_delay)
-+replica_set_purge_delay(Replica *r, uint32_t purge_delay)
- {
- PR_ASSERT(r);
- replica_lock(r->repl_lock);
-@@ -3710,7 +3754,7 @@ replica_set_ruv_dirty(Replica *r)
- }
-
- PRBool
--replica_is_state_flag_set(Replica *r, PRInt32 flag)
-+replica_is_state_flag_set(Replica *r, int32_t flag)
- {
- PR_ASSERT(r);
- if (r)
-@@ -3720,7 +3764,7 @@ replica_is_state_flag_set(Replica *r, PRInt32 flag)
- }
-
- void
--replica_set_state_flag(Replica *r, PRUint32 flag, PRBool clear)
-+replica_set_state_flag(Replica *r, uint32_t flag, PRBool clear)
- {
- if (r == NULL)
- return;
-@@ -3994,7 +4038,7 @@ replica_get_attr(Slapi_PBlock *pb, const char *type, void *value)
- return rc;
- }
-
--PRUint64
-+uint64_t
- replica_get_backoff_min(Replica *r)
- {
- if (r) {
-@@ -4004,7 +4048,7 @@ replica_get_backoff_min(Replica *r)
- }
- }
-
--PRUint64
-+uint64_t
- replica_get_backoff_max(Replica *r)
- {
- if (r) {
-@@ -4015,7 +4059,7 @@ replica_get_backoff_max(Replica *r)
- }
-
- void
--replica_set_backoff_min(Replica *r, PRUint64 min)
-+replica_set_backoff_min(Replica *r, uint64_t min)
- {
- if (r) {
- slapi_counter_set_value(r->backoff_min, min);
-@@ -4023,7 +4067,7 @@ replica_set_backoff_min(Replica *r, PRUint64 min)
- }
-
- void
--replica_set_backoff_max(Replica *r, PRUint64 max)
-+replica_set_backoff_max(Replica *r, uint64_t max)
- {
- if (r) {
- slapi_counter_set_value(r->backoff_max, max);
-@@ -4031,14 +4075,14 @@ replica_set_backoff_max(Replica *r, PRUint64 max)
- }
-
- void
--replica_set_precise_purging(Replica *r, PRUint64 on_off)
-+replica_set_precise_purging(Replica *r, uint64_t on_off)
- {
- if (r) {
- slapi_counter_set_value(r->precise_purging, on_off);
- }
- }
-
--PRUint64
-+uint64_t
- replica_get_precise_purging(Replica *r)
- {
- if (r) {
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index 7477a292c..9c3c75458 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -405,28 +405,35 @@ replica_config_modify(Slapi_PBlock *pb,
- } else if (strcasecmp(config_attr, attr_replicaBindDnGroup) == 0) {
- *returncode = replica_config_change_updatedngroup(r, mods[i], errortext, apply_mods);
- } else if (strcasecmp(config_attr, attr_replicaBindDnGroupCheckInterval) == 0) {
-- int interval = atoi(config_attr_value);
-- replica_set_groupdn_checkinterval(r, interval);
-+ int64_t interval = 0;
-+ if (repl_config_valid_num(config_attr, config_attr_value, -1, INT_MAX, returncode, errortext, &interval) == 0) {
-+ replica_set_groupdn_checkinterval(r, interval);
-+ } else {
-+ break;
-+ }
- } else if (strcasecmp(config_attr, attr_replicaType) == 0) {
-+ int64_t rtype;
- slapi_ch_free_string(&new_repl_type);
-- new_repl_type = slapi_ch_strdup(config_attr_value);
-+ if (repl_config_valid_num(config_attr, config_attr_value, 1, 3, returncode, errortext, &rtype) == 0) {
-+ new_repl_type = slapi_ch_strdup(config_attr_value);
-+ } else {
-+ break;
-+ }
- } else if (strcasecmp(config_attr, attr_replicaId) == 0) {
-- char *endp = NULL;
- int64_t rid = 0;
-- errno = 0;
-- rid = strtoll(config_attr_value, &endp, 10);
-- if (*endp != '\0' || rid > 65535 || rid < 1 || errno == ERANGE) {
-- *returncode = LDAP_UNWILLING_TO_PERFORM;
-- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-- "Attribute %s value (%s) is invalid, must be a number between 1 and 65535.\n",
-- config_attr, config_attr_value);
-- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-+ if (repl_config_valid_num(config_attr, config_attr_value, 1, 65535, returncode, errortext, &rid) == 0) {
-+ slapi_ch_free_string(&new_repl_id);
-+ new_repl_id = slapi_ch_strdup(config_attr_value);
-+ } else {
- break;
- }
-- slapi_ch_free_string(&new_repl_id);
-- new_repl_id = slapi_ch_strdup(config_attr_value);
- } else if (strcasecmp(config_attr, attr_flags) == 0) {
-- *returncode = replica_config_change_flags(r, config_attr_value, errortext, apply_mods);
-+ int64_t rflags = 0;
-+ if (repl_config_valid_num(config_attr, config_attr_value, 0, 1, returncode, errortext, &rflags) == 0) {
-+ *returncode = replica_config_change_flags(r, config_attr_value, errortext, apply_mods);
-+ } else {
-+ break;
-+ }
- } else if (strcasecmp(config_attr, TASK_ATTR) == 0) {
- *returncode = replica_execute_task(mtnode_ext->replica, config_attr_value, errortext, apply_mods);
- } else if (strcasecmp(config_attr, attr_replicaReferral) == 0) {
-@@ -442,18 +449,21 @@ replica_config_modify(Slapi_PBlock *pb,
- }
- } else if (strcasecmp(config_attr, type_replicaPurgeDelay) == 0) {
- if (apply_mods && config_attr_value[0]) {
-- PRUint32 delay;
-- if (isdigit(config_attr_value[0])) {
-- delay = (unsigned int)atoi(config_attr_value);
-+ int64_t delay = 0;
-+ if (repl_config_valid_num(config_attr, config_attr_value, -1, INT_MAX, returncode, errortext, &delay) == 0) {
- replica_set_purge_delay(r, delay);
-- } else
-- *returncode = LDAP_OPERATIONS_ERROR;
-+ } else {
-+ break;
-+ }
- }
- } else if (strcasecmp(config_attr, type_replicaTombstonePurgeInterval) == 0) {
- if (apply_mods && config_attr_value[0]) {
-- long interval;
-- interval = atol(config_attr_value);
-- replica_set_tombstone_reap_interval(r, interval);
-+ int64_t interval;
-+ if (repl_config_valid_num(config_attr, config_attr_value, -1, INT_MAX, returncode, errortext, &interval) == 0) {
-+ replica_set_tombstone_reap_interval(r, interval);
-+ } else {
-+ break;
-+ }
- }
- }
- /* ignore modifiers attributes added by the server */
-@@ -461,73 +471,55 @@ replica_config_modify(Slapi_PBlock *pb,
- *returncode = LDAP_SUCCESS;
- } else if (strcasecmp(config_attr, type_replicaProtocolTimeout) == 0) {
- if (apply_mods) {
-- PRUint64 ptimeout = 0;
--
-- ptimeout = atoll(config_attr_value);
--
-- if (ptimeout <= 0) {
-- *returncode = LDAP_UNWILLING_TO_PERFORM;
-- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-- "Attribute %s value (%s) is invalid, must be a number greater than zero.\n",
-- config_attr, config_attr_value);
-- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-+ int64_t ptimeout = 0;
-+ if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &ptimeout) == 0) {
-+ replica_set_protocol_timeout(r, ptimeout);
-+ } else {
- break;
- }
-- replica_set_protocol_timeout(r, ptimeout);
- }
- } else if (strcasecmp(config_attr, type_replicaBackoffMin) == 0) {
- if (apply_mods) {
-- uint64_t val = atoll(config_attr_value);
-- uint64_t max;
--
-- if (val <= 0) {
-- *returncode = LDAP_UNWILLING_TO_PERFORM;
-- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-- "Attribute %s value (%s) is invalid, must be a number greater than zero.\n",
-- config_attr, config_attr_value);
-- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-- break;
-- }
-- max = replica_get_backoff_max(r);
-- if (val > max){
-- *returncode = LDAP_UNWILLING_TO_PERFORM;
-- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-- "Attribute %s value (%s) is invalid, must be a number less than the max backoff time (%d).\n",
-- config_attr, config_attr_value, (int)max);
-- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-+ int64_t val = 0;
-+ int64_t max;
-+ if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &val) == 0) {
-+ max = replica_get_backoff_max(r);
-+ if (val > max){
-+ *returncode = LDAP_UNWILLING_TO_PERFORM;
-+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-+ "Attribute %s value (%s) is invalid, must be a number less than the max backoff time (%d).\n",
-+ config_attr, config_attr_value, (int)max);
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-+ break;
-+ }
-+ replica_set_backoff_min(r, val);
-+ } else {
- break;
- }
-- replica_set_backoff_min(r, val);
- }
- } else if (strcasecmp(config_attr, type_replicaBackoffMax) == 0) {
- if (apply_mods) {
-- uint64_t val = atoll(config_attr_value);
-- uint64_t min;
--
-- if (val <= 0) {
-- *returncode = LDAP_UNWILLING_TO_PERFORM;
-- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-- "Attribute %s value (%s) is invalid, must be a number greater than zero.\n",
-- config_attr, config_attr_value);
-- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n",
-- errortext);
-- break;
-- }
-- min = replica_get_backoff_min(r);
-- if (val < min) {
-- *returncode = LDAP_UNWILLING_TO_PERFORM;
-- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-- "Attribute %s value (%s) is invalid, must be a number more than the min backoff time (%d).\n",
-- config_attr, config_attr_value, (int)min);
-- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-+ int64_t val = 0;
-+ int64_t min;
-+ if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &val) == 0) {
-+ min = replica_get_backoff_min(r);
-+ if (val < min) {
-+ *returncode = LDAP_UNWILLING_TO_PERFORM;
-+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-+ "Attribute %s value (%s) is invalid, must be a number more than the min backoff time (%d).\n",
-+ config_attr, config_attr_value, (int)min);
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-+ break;
-+ }
-+ replica_set_backoff_max(r, val);
-+ } else {
- break;
- }
-- replica_set_backoff_max(r, val);
- }
- } else if (strcasecmp(config_attr, type_replicaPrecisePurge) == 0) {
- if (apply_mods) {
- if (config_attr_value[0]) {
-- PRUint64 on_off = 0;
-+ uint64_t on_off = 0;
-
- if (strcasecmp(config_attr_value, "on") == 0) {
- on_off = 1;
-@@ -550,19 +542,11 @@ replica_config_modify(Slapi_PBlock *pb,
- }
- } else if (strcasecmp(config_attr, type_replicaReleaseTimeout) == 0) {
- if (apply_mods) {
-- long val = atol(config_attr_value);
--
-- if (val < 0) {
-- *returncode = LDAP_UNWILLING_TO_PERFORM;
-- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-- "Attribute %s value (%s) is invalid, must be a number zero or greater.\n",
-- config_attr, config_attr_value);
-- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,
-- "replica_config_modify - %s\n", errortext);
-- break;
-- } else {
-- /* Set the timeout */
-+ int64_t val;
-+ if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &val) == 0) {
- replica_set_release_timeout(r, val);
-+ } else {
-+ break;
- }
- }
- } else {
-@@ -1011,7 +995,7 @@ replica_config_change_flags(Replica *r, const char *new_flags, char *returntext
- PR_ASSERT(r);
-
- if (apply_mods) {
-- PRUint32 flags;
-+ uint32_t flags;
-
- flags = atol(new_flags);
-
-diff --git a/ldap/servers/plugins/replication/replutil.c b/ldap/servers/plugins/replication/replutil.c
-index 1b0446788..7cc132362 100644
---- a/ldap/servers/plugins/replication/replutil.c
-+++ b/ldap/servers/plugins/replication/replutil.c
-@@ -1061,3 +1061,29 @@ repl_set_repl_plugin_path(const char *path)
- {
- replpluginpath = slapi_ch_strdup(path);
- }
-+
-+int
-+repl_config_valid_num(const char *config_attr, char *config_attr_value, int64_t min, int64_t max,
-+ int *returncode, char *errortext, int64_t *retval)
-+{
-+ int rc = 0;
-+ char *endp = NULL;
-+ int64_t val;
-+ errno = 0;
-+
-+ val = strtol(config_attr_value, &endp, 10);
-+ if (*endp != '\0' || val < min || val > max || errno == ERANGE) {
-+ *returncode = LDAP_UNWILLING_TO_PERFORM;
-+ if (errortext){
-+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-+ "Attribute %s value (%s) is invalid, must be a number between %ld and %ld.",
-+ config_attr, config_attr_value, min, max);
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "repl_config_valid_num - %s\n",
-+ errortext);
-+ }
-+ rc = -1;
-+ } else {
-+ *retval = val;
-+ }
-+ return rc;
-+}
---
-2.13.6
-
diff --git a/SOURCES/0026-Ticket-49439-cleanallruv-is-not-logging-information.patch b/SOURCES/0026-Ticket-49439-cleanallruv-is-not-logging-information.patch
deleted file mode 100644
index 5a52e68..0000000
--- a/SOURCES/0026-Ticket-49439-cleanallruv-is-not-logging-information.patch
+++ /dev/null
@@ -1,169 +0,0 @@
-From 403c5b61efb5aca3cbea31170d13dfba190ef355 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 2 Nov 2017 12:55:11 -0400
-Subject: [PATCH] Ticket 49439 - cleanallruv is not logging information
-
-Bug Description: During the logging refector effro from ticket 48978
- a mistake was made and cleanruv_log() was using
- LOG_NOTICE (which is not a true log level), it was
- supposed to be SLAPI_LOG_NOTICE.
-
- We also use DEBUG defines to contorl the logging for
- debug builds
-
-Fix Description: Remove the LDAP_DEBUG defines in cleanruv_log, and set
- the correct logging severity level.
-
-https://pagure.io/389-ds-base/issue/49439
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit e1f866a5e3ccce8e061e361c0e3dd11175a8acf2)
----
- .../plugins/replication/repl5_replica_config.c | 30 ++++++++++------------
- 1 file changed, 14 insertions(+), 16 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index 9c3c75458..9c8d6adbb 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -1783,7 +1783,7 @@ replica_cleanallruv_thread(void *arg)
- /*
- * need to sleep between passes
- */
-- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Not all replicas have received the "
-+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Not all replicas have received the "
- "cleanallruv extended op, retrying in %d seconds",
- interval);
- if (!slapi_is_shutting_down()) {
-@@ -1825,7 +1825,7 @@ replica_cleanallruv_thread(void *arg)
- found_dirty_rid = 0;
- } else {
- found_dirty_rid = 1;
-- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Replica is not cleaned yet (%s)",
-+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Replica is not cleaned yet (%s)",
- agmt_get_long_name(agmt));
- break;
- }
-@@ -1843,7 +1843,7 @@ replica_cleanallruv_thread(void *arg)
- * Need to sleep between passes unless we are shutting down
- */
- if (!slapi_is_shutting_down()) {
-- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Replicas have not been cleaned yet, "
-+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Replicas have not been cleaned yet, "
- "retrying in %d seconds",
- interval);
- PR_Lock(notify_lock);
-@@ -1883,10 +1883,10 @@ done:
- * Shutdown or abort
- */
- if (!is_task_aborted(data->rid) || slapi_is_shutting_down()) {
-- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE,
-+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
- "Server shutting down. Process will resume at server startup");
- } else {
-- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Task aborted for rid(%d).", data->rid);
-+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Task aborted for rid(%d).", data->rid);
- delete_cleaned_rid_config(data);
- remove_cleaned_rid(data->rid);
- }
-@@ -2053,7 +2053,7 @@ check_replicas_are_done_cleaning(cleanruv_data *data)
- break;
- }
-
-- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE,
-+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
- "Not all replicas finished cleaning, retrying in %d seconds",
- interval);
- if (!slapi_is_shutting_down()) {
-@@ -2163,7 +2163,7 @@ check_replicas_are_done_aborting(cleanruv_data *data)
- if (not_all_aborted == 0) {
- break;
- }
-- cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, LOG_NOTICE,
-+ cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
- "Not all replicas finished aborting, retrying in %d seconds", interval);
- if (!slapi_is_shutting_down()) {
- PR_Lock(notify_lock);
-@@ -2210,7 +2210,7 @@ check_agmts_are_caught_up(cleanruv_data *data, char *maxcsn)
- not_all_caughtup = 0;
- } else {
- not_all_caughtup = 1;
-- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE,
-+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
- "Replica not caught up (%s)", agmt_get_long_name(agmt));
- break;
- }
-@@ -2220,7 +2220,7 @@ check_agmts_are_caught_up(cleanruv_data *data, char *maxcsn)
- if (not_all_caughtup == 0 || is_task_aborted(data->rid)) {
- break;
- }
-- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE,
-+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
- "Not all replicas caught up, retrying in %d seconds", interval);
- if (!slapi_is_shutting_down()) {
- PR_Lock(notify_lock);
-@@ -2270,7 +2270,7 @@ check_agmts_are_alive(Replica *replica, ReplicaId rid, Slapi_Task *task)
- not_all_alive = 0;
- } else {
- not_all_alive = 1;
-- cleanruv_log(task, rid, CLEANALLRUV_ID, LOG_NOTICE, "Replica not online (%s)",
-+ cleanruv_log(task, rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Replica not online (%s)",
- agmt_get_long_name(agmt));
- break;
- }
-@@ -2280,7 +2280,7 @@ check_agmts_are_alive(Replica *replica, ReplicaId rid, Slapi_Task *task)
- if (not_all_alive == 0 || is_task_aborted(rid)) {
- break;
- }
-- cleanruv_log(task, rid, CLEANALLRUV_ID, LOG_NOTICE, "Not all replicas online, retrying in %d seconds...",
-+ cleanruv_log(task, rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Not all replicas online, retrying in %d seconds...",
- interval);
-
- if (!slapi_is_shutting_down()) {
-@@ -3063,7 +3063,7 @@ replica_abort_task_thread(void *arg)
- * Need to sleep between passes. unless we are shutting down
- */
- if (!slapi_is_shutting_down()) {
-- cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, LOG_NOTICE, "Retrying in %d seconds", interval);
-+ cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Retrying in %d seconds", interval);
- PR_Lock(notify_lock);
- PR_WaitCondVar(notify_cvar, PR_SecondsToInterval(interval));
- PR_Unlock(notify_lock);
-@@ -3184,7 +3184,7 @@ replica_cleanallruv_send_extop(Repl_Agmt *ra, cleanruv_data *clean_data, int che
- /* extop was accepted */
- rc = 0;
- } else {
-- cleanruv_log(clean_data->task, clean_data->rid, CLEANALLRUV_ID, LOG_NOTICE,
-+ cleanruv_log(clean_data->task, clean_data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
- "Replica %s does not support the CLEANALLRUV task. "
- "Sending replica CLEANRUV task...",
- slapi_sdn_get_dn(agmt_get_dn_byref(ra)));
-@@ -3352,7 +3352,7 @@ replica_cleanallruv_check_maxcsn(Repl_Agmt *agmt, char *basedn, char *rid_text,
- csn_init_by_string(repl_max, remote_maxcsn);
- if (csn_compare(repl_max, max) < 0) {
- /* we are not caught up yet, free, and return */
-- cleanruv_log(task, atoi(rid_text), CLEANALLRUV_ID, LOG_NOTICE,
-+ cleanruv_log(task, atoi(rid_text), CLEANALLRUV_ID, SLAPI_LOG_NOTICE,
- "Replica maxcsn (%s) is not caught up with deleted replica's maxcsn(%s)",
- remote_maxcsn, maxcsn);
- rc = -1;
-@@ -3525,7 +3525,6 @@ stop_ruv_cleaning()
- void
- cleanruv_log(Slapi_Task *task, int rid, char *task_type, int sev_level, char *fmt, ...)
- {
--#ifdef LDAP_DEBUG
- va_list ap1;
- va_list ap2;
- va_list ap3;
-@@ -3550,7 +3549,6 @@ cleanruv_log(Slapi_Task *task, int rid, char *task_type, int sev_level, char *fm
- va_end(ap2);
- va_end(ap3);
- va_end(ap4);
--#endif
- }
-
- char *
---
-2.13.6
-
diff --git a/SOURCES/0027-Ticket-48393-fix-copy-and-paste-error.patch b/SOURCES/0027-Ticket-48393-fix-copy-and-paste-error.patch
deleted file mode 100644
index d59c217..0000000
--- a/SOURCES/0027-Ticket-48393-fix-copy-and-paste-error.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 3d045a240bb32b66e15401bf89eff5b980420b24 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 3 Nov 2017 12:18:26 -0400
-Subject: [PATCH] Ticket 48393 - fix copy and paste error
-
-Description: Copy and paste error when validating repl agmt
-
-https://pagure.io/389-ds-base/issue/48393
-
-Reviewed by: mreynolds(one line commit rule)
-
-(cherry picked from commit 431647039c5e6d860d8866542050d456f69bb600)
----
- ldap/servers/plugins/replication/repl5_agmt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
-index 78fb91ae6..ee396c8ef 100644
---- a/ldap/servers/plugins/replication/repl5_agmt.c
-+++ b/ldap/servers/plugins/replication/repl5_agmt.c
-@@ -339,7 +339,7 @@ agmt_new_from_entry(Slapi_Entry *e)
- ra->flowControlWindow = DEFAULT_FLOWCONTROL_WINDOW;
- if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaFlowControlWindow))){
- int64_t flow;
-- if (repl_config_valid_num(type_nsds5ReplicaTimeout, val, 0, INT_MAX, &rc, errormsg, &flow) != 0) {
-+ if (repl_config_valid_num(type_nsds5ReplicaFlowControlWindow, val, 0, INT_MAX, &rc, errormsg, &flow) != 0) {
- goto loser;
- }
- slapi_ch_free_string(&val);
---
-2.13.6
-
diff --git a/SOURCES/0028-Ticket-49038-remove-legacy-replication-change-cleanu.patch b/SOURCES/0028-Ticket-49038-remove-legacy-replication-change-cleanu.patch
deleted file mode 100644
index dd889f9..0000000
--- a/SOURCES/0028-Ticket-49038-remove-legacy-replication-change-cleanu.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 2b5b09a7a871d626bb45888f948126732d0893f3 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Wed, 4 Oct 2017 12:55:30 -0400
-Subject: [PATCH] Ticket 49038 - remove legacy replication - change cleanup
- script precedence
-
-Description: Bump the cleanup scripts precendance so it happens after the
- main plugin upgrade scripts are called.
-
-https://pagure.io/389-ds-base/issue/49038
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit 1fe2c761103c36090ab67df0271dfdb3012037fb)
----
- Makefile.am | 2 +-
- ...{50removeLegacyReplication.ldif => 60removeLegacyReplication.ldif} | 0
- rpm/389-ds-base.spec.in | 4 ++--
- 3 files changed, 3 insertions(+), 3 deletions(-)
- rename ldap/admin/src/scripts/{50removeLegacyReplication.ldif => 60removeLegacyReplication.ldif} (100%)
-
-diff --git a/Makefile.am b/Makefile.am
-index 09a6bc296..8834a7819 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -942,7 +942,7 @@ update_DATA = ldap/admin/src/scripts/exampleupdate.pl \
- ldap/admin/src/scripts/50telexnumbersyntaxplugin.ldif \
- ldap/admin/src/scripts/50guidesyntaxplugin.ldif \
- ldap/admin/src/scripts/50targetuniqueid.ldif \
-- ldap/admin/src/scripts/50removeLegacyReplication.ldif \
-+ ldap/admin/src/scripts/60removeLegacyReplication.ldif \
- ldap/admin/src/scripts/50linkedattrsplugin.ldif \
- ldap/admin/src/scripts/50usnplugin.ldif \
- ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif \
-diff --git a/ldap/admin/src/scripts/50removeLegacyReplication.ldif b/ldap/admin/src/scripts/60removeLegacyReplication.ldif
-similarity index 100%
-rename from ldap/admin/src/scripts/50removeLegacyReplication.ldif
-rename to ldap/admin/src/scripts/60removeLegacyReplication.ldif
-diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
-index 1e5c2cfd3..30a1d7d9a 100644
---- a/rpm/389-ds-base.spec.in
-+++ b/rpm/389-ds-base.spec.in
-@@ -395,9 +395,9 @@ echo remove pid files . . . >> $output 2>&1 || :
- echo upgrading instances . . . >> $output 2>&1 || :
- DEBUGPOSTSETUPOPT=`/usr/bin/echo $DEBUGPOSTSETUP | /usr/bin/sed -e "s/[^d]//g"`
- if [ -n "$DEBUGPOSTSETUPOPT" ] ; then
-- %{_sbindir}/setup-ds.pl -l $output2 -$DEBUGPOSTSETUPOPT -u -s General.UpdateMode=offline >> $output 2>&1 || :
-+ %{_sbindir}/setup-ds.pl -$DEBUGPOSTSETUPOPT -u -s General.UpdateMode=offline >> $output 2>&1 || :
- else
-- %{_sbindir}/setup-ds.pl -l $output2 -u -s General.UpdateMode=offline >> $output 2>&1 || :
-+ %{_sbindir}/setup-ds.pl -u -s General.UpdateMode=offline >> $output 2>&1 || :
- fi
-
- # restart instances that require it
---
-2.13.6
-
diff --git a/SOURCES/0029-Ticket-49454-SSL-Client-Authentication-breaks-in-FIP.patch b/SOURCES/0029-Ticket-49454-SSL-Client-Authentication-breaks-in-FIP.patch
deleted file mode 100644
index c46e333..0000000
--- a/SOURCES/0029-Ticket-49454-SSL-Client-Authentication-breaks-in-FIP.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From b1dfe53aaf7cb0260286423b9abf7d71f8edd421 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Wed, 15 Nov 2017 13:27:58 -0500
-Subject: [PATCH] Ticket 49454 - SSL Client Authentication breaks in FIPS mode
-
-Bug Description: Replication using SSL Client Auth breaks when FIPS
- is enabled. This is because FIPS mode changes the
- internal certificate token name.
-
-Fix Description: If FIPS is enabled grab the token name from the internal
- slot instead of using the default hardcoded internal
- token name.
-
-https://pagure.io/389-ds-base/issue/49454
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit 6e794a8eff213d49c933f781006e234984160db2)
----
- ldap/servers/slapd/proto-slap.h | 1 +
- ldap/servers/slapd/security_wrappers.c | 6 ++++++
- ldap/servers/slapd/ssl.c | 24 +++++++++++++++++-------
- 3 files changed, 24 insertions(+), 7 deletions(-)
-
-diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
-index 4a30def8b..3b7ab53b2 100644
---- a/ldap/servers/slapd/proto-slap.h
-+++ b/ldap/servers/slapd/proto-slap.h
-@@ -1130,6 +1130,7 @@ PRBool slapd_pk11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
- PK11SymKey *slapd_pk11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags, PRBool isPerm);
- PK11SymKey *slapd_pk11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx);
- CK_MECHANISM_TYPE slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECItem *pwitem);
-+char *slapd_PK11_GetTokenName(PK11SlotInfo *slot);
-
- /*
- * start_tls_extop.c
-diff --git a/ldap/servers/slapd/security_wrappers.c b/ldap/servers/slapd/security_wrappers.c
-index bec28d2f3..41fe03608 100644
---- a/ldap/servers/slapd/security_wrappers.c
-+++ b/ldap/servers/slapd/security_wrappers.c
-@@ -401,3 +401,9 @@ slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECIte
- {
- return PK11_GetPBECryptoMechanism(algid, params, pwitem);
- }
-+
-+char *
-+slapd_PK11_GetTokenName(PK11SlotInfo *slot)
-+{
-+ return PK11_GetTokenName(slot);
-+}
-diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
-index efe32d5d0..52ac7ea9f 100644
---- a/ldap/servers/slapd/ssl.c
-+++ b/ldap/servers/slapd/ssl.c
-@@ -2365,13 +2365,23 @@ slapd_SSL_client_auth(LDAP *ld)
- ssltoken = slapi_entry_attr_get_charptr(entry, "nsssltoken");
- if (ssltoken && personality) {
- if (!PL_strcasecmp(ssltoken, "internal") ||
-- !PL_strcasecmp(ssltoken, "internal (software)")) {
--
-- /* Translate config internal name to more
-- * readable form. Certificate name is just
-- * the personality for internal tokens.
-- */
-- token = slapi_ch_strdup(internalTokenName);
-+ !PL_strcasecmp(ssltoken, "internal (software)"))
-+ {
-+ if ( slapd_pk11_isFIPS() ) {
-+ /*
-+ * FIPS mode changes the internal token name, so we need to
-+ * grab the new token name from the internal slot.
-+ */
-+ PK11SlotInfo *slot = slapd_pk11_getInternalSlot();
-+ token = slapi_ch_strdup(slapd_PK11_GetTokenName(slot));
-+ PK11_FreeSlot(slot);
-+ } else {
-+ /*
-+ * Translate config internal name to more readable form.
-+ * Certificate name is just the personality for internal tokens.
-+ */
-+ token = slapi_ch_strdup(internalTokenName);
-+ }
- #if defined(USE_OPENLDAP)
- /* openldap needs tokenname:certnick */
- PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
---
-2.13.6
-
diff --git a/SOURCES/0030-Ticket-49435-Fix-NS-race-condition-on-loaded-test-sy.patch b/SOURCES/0030-Ticket-49435-Fix-NS-race-condition-on-loaded-test-sy.patch
deleted file mode 100644
index 771963c..0000000
--- a/SOURCES/0030-Ticket-49435-Fix-NS-race-condition-on-loaded-test-sy.patch
+++ /dev/null
@@ -1,1029 +0,0 @@
-From 04605da5c813ffc818d874ae0a14790c166d792d Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Mon, 6 Nov 2017 08:56:01 +1000
-Subject: [PATCH] Ticket 49435 - Fix NS race condition on loaded test systems
-
-Bug Description: During a test run, on a heavily loaded systems
-some events would time out before they could occur correctly.
-
-Fix Description: Change the structure of events to mitigate
-a deref performance hit, and add a ns_job_wait conditional
-that allows blocking on a job to complete so that tests do not
-require time based checks.
-
-https://pagure.io/389-ds-base/issue/49435
-
-Author: wibrown
-
-Review by: mreynolds (Thanks!)
----
- src/nunc-stans/include/nunc-stans.h | 12 +++
- src/nunc-stans/ns/ns_event_fw.h | 3 +-
- src/nunc-stans/ns/ns_thrpool.c | 175 +++++++++++++++++++++--------------
- src/nunc-stans/test/test_nuncstans.c | 156 ++++++++++++++++++-------------
- 4 files changed, 209 insertions(+), 137 deletions(-)
-
-diff --git a/src/nunc-stans/include/nunc-stans.h b/src/nunc-stans/include/nunc-stans.h
-index 386a8d283..192e38ec3 100644
---- a/src/nunc-stans/include/nunc-stans.h
-+++ b/src/nunc-stans/include/nunc-stans.h
-@@ -77,6 +77,10 @@ typedef enum _ns_result_t {
- * This occurs when a lower level OS issue occurs, generally thread related.
- */
- NS_THREAD_FAILURE = 5,
-+ /**
-+ * The job is being deleted
-+ */
-+ NS_DELETING = 6,
- } ns_result_t;
-
- /**
-@@ -837,6 +841,14 @@ ns_job_type_t ns_job_get_output_type(struct ns_job_t *job);
- ns_result_t ns_job_set_done_cb(struct ns_job_t *job, ns_job_func_t func);
-
- /**
-+ * Block until a job is completed. This returns the next state of the job as as a return.
-+ *
-+ * \param job The job to set the callback for.
-+ * \retval ns_job_state_t The next state the job will move to. IE, WAITING, DELETED, ARMED.
-+ */
-+ns_result_t ns_job_wait(struct ns_job_t *job);
-+
-+/**
- * Creates a new thread pool
- *
- * Must be called with a struct ns_thrpool_config that has been
-diff --git a/src/nunc-stans/ns/ns_event_fw.h b/src/nunc-stans/ns/ns_event_fw.h
-index 436b28269..88997b24d 100644
---- a/src/nunc-stans/ns/ns_event_fw.h
-+++ b/src/nunc-stans/ns/ns_event_fw.h
-@@ -80,7 +80,8 @@ typedef enum _ns_job_state {
- interface between the app/thread pool/event framework */
- typedef struct ns_job_t
- {
-- pthread_mutex_t *monitor;
-+ pthread_mutex_t monitor;
-+ pthread_cond_t notify;
- struct ns_thrpool_t *tp;
- ns_job_func_t func;
- struct ns_job_data_t *data;
-diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c
-index 2ad0bd799..1d8bb03f1 100644
---- a/src/nunc-stans/ns/ns_thrpool.c
-+++ b/src/nunc-stans/ns/ns_thrpool.c
-@@ -214,7 +214,7 @@ job_queue_cleanup(void *arg)
- static void
- internal_ns_job_done(ns_job_t *job)
- {
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "internal_ns_job_done %x state %d moving to NS_JOB_DELETED\n", job, job->state);
- #endif
-@@ -239,9 +239,9 @@ internal_ns_job_done(ns_job_t *job)
- job->done_cb(job);
- }
-
-- pthread_mutex_unlock(job->monitor);
-- pthread_mutex_destroy(job->monitor);
-- ns_free(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
-+ pthread_mutex_destroy(&(job->monitor));
-+ pthread_cond_destroy(&(job->notify));
-
- ns_free(job);
- }
-@@ -250,7 +250,7 @@ internal_ns_job_done(ns_job_t *job)
- static void
- internal_ns_job_rearm(ns_job_t *job)
- {
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- PR_ASSERT(job->state == NS_JOB_NEEDS_ARM);
- /* Don't think I need to check persistence here, it could be the first arm ... */
- #ifdef DEBUG
-@@ -267,7 +267,7 @@ internal_ns_job_rearm(ns_job_t *job)
- /* Prevents an un-necessary queue / dequeue to the event_q */
- work_q_notify(job);
- }
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- }
-
- static void
-@@ -281,7 +281,7 @@ work_job_execute(ns_job_t *job)
- * DELETED! Crashes abound, you have been warned ...
- */
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "work_job_execute %x state %d moving to NS_JOB_RUNNING\n", job, job->state);
- #endif
-@@ -303,7 +303,12 @@ work_job_execute(ns_job_t *job)
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "work_job_execute %x state %d job func complete, sending to job_done...\n", job, job->state);
- #endif
-- pthread_mutex_unlock(job->monitor);
-+ /*
-+ * Let waiters know we are done, they'll pick up once
-+ * we unlock.
-+ */
-+ pthread_cond_signal(&(job->notify));
-+ pthread_mutex_unlock(&(job->monitor));
- internal_ns_job_done(job);
- /* MUST NOT ACCESS JOB AGAIN.*/
- } else if (job->state == NS_JOB_NEEDS_ARM) {
-@@ -311,7 +316,8 @@ work_job_execute(ns_job_t *job)
- ns_log(LOG_DEBUG, "work_job_execute %x state %d job func complete, sending to rearm...\n", job, job->state);
- #endif
- /* Rearm the job! */
-- pthread_mutex_unlock(job->monitor);
-+ /* We *don't* notify here because we ARE NOT done! */
-+ pthread_mutex_unlock(&(job->monitor));
- internal_ns_job_rearm(job);
- } else {
- #ifdef DEBUG
-@@ -321,7 +327,12 @@ work_job_execute(ns_job_t *job)
- PR_ASSERT(!NS_JOB_IS_PERSIST(job->job_type));
- /* We are now idle, set waiting. */
- job->state = NS_JOB_WAITING;
-- pthread_mutex_unlock(job->monitor);
-+ /*
-+ * Let waiters know we are done, they'll pick up once
-+ * we unlock.
-+ */
-+ pthread_cond_signal(&(job->notify));
-+ pthread_mutex_unlock(&(job->monitor));
- }
- /* MUST NOT ACCESS JOB AGAIN */
- }
-@@ -338,7 +349,7 @@ static void
- work_q_notify(ns_job_t *job)
- {
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "work_q_notify %x state %d\n", job, job->state);
- #endif
-@@ -346,12 +357,12 @@ work_q_notify(ns_job_t *job)
- if (job->state != NS_JOB_ARMED) {
- /* Maybe we should return some error here? */
- ns_log(LOG_ERR, "work_q_notify %x state %d is not ARMED, cannot queue!\n", job, job->state);
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return;
- }
- /* MUST NOT ACCESS job after enqueue. So we stash tp.*/
- ns_thrpool_t *ltp = job->tp;
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- sds_lqueue_enqueue(ltp->work_q, (void *)job);
- pthread_mutex_lock(&(ltp->work_q_lock));
- pthread_cond_signal(&(ltp->work_q_cv));
-@@ -411,13 +422,13 @@ static void
- update_event(ns_job_t *job)
- {
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "update_event %x state %d\n", job, job->state);
- #endif
- PR_ASSERT(job->state == NS_JOB_NEEDS_DELETE || job->state == NS_JOB_ARMED);
- if (job->state == NS_JOB_NEEDS_DELETE) {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- internal_ns_job_done(job);
- return;
- } else if (NS_JOB_IS_IO(job->job_type) || job->ns_event_fw_fd) {
-@@ -426,7 +437,7 @@ update_event(ns_job_t *job)
- } else {
- job->tp->ns_event_fw->ns_event_fw_mod_io(job->tp->ns_event_fw_ctx, job);
- }
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- /* We need these returns to prevent a race on the next else if condition when we release job->monitor */
- return;
- } else if (NS_JOB_IS_TIMER(job->job_type) || job->ns_event_fw_time) {
-@@ -435,7 +446,7 @@ update_event(ns_job_t *job)
- } else {
- job->tp->ns_event_fw->ns_event_fw_mod_timer(job->tp->ns_event_fw_ctx, job);
- }
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return;
- } else if (NS_JOB_IS_SIGNAL(job->job_type) || job->ns_event_fw_sig) {
- if (!job->ns_event_fw_sig) {
-@@ -443,15 +454,15 @@ update_event(ns_job_t *job)
- } else {
- job->tp->ns_event_fw->ns_event_fw_mod_signal(job->tp->ns_event_fw_ctx, job);
- }
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return;
- } else {
- /* It's a "run now" job. */
- if (NS_JOB_IS_THREAD(job->job_type)) {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- work_q_notify(job);
- } else {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- event_q_notify(job);
- }
- }
-@@ -602,14 +613,14 @@ event_cb(ns_job_t *job)
- */
-
- /* There is no guarantee this won't be called once we start to enter the shutdown, especially with timers .... */
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
-
- PR_ASSERT(job->state == NS_JOB_ARMED || job->state == NS_JOB_NEEDS_DELETE);
- if (job->state == NS_JOB_ARMED && NS_JOB_IS_THREAD(job->job_type)) {
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "event_cb %x state %d threaded, send to work_q\n", job, job->state);
- #endif
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- work_q_notify(job);
- } else if (job->state == NS_JOB_NEEDS_DELETE) {
- #ifdef DEBUG
-@@ -620,14 +631,14 @@ event_cb(ns_job_t *job)
- * It's here because it's been QUEUED for deletion and *may* be coming
- * from the thrpool destroy thread!
- */
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
-
- } else {
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "event_cb %x state %d non-threaded, execute right meow\n", job, job->state);
- #endif
- /* Not threaded, execute now! */
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- work_job_execute(job);
- /* MUST NOT ACCESS JOB FROM THIS POINT */
- }
-@@ -682,12 +693,12 @@ static ns_job_t *
- new_ns_job(ns_thrpool_t *tp, PRFileDesc *fd, ns_job_type_t job_type, ns_job_func_t func, struct ns_job_data_t *data)
- {
- ns_job_t *job = ns_calloc(1, sizeof(ns_job_t));
-- job->monitor = ns_calloc(1, sizeof(pthread_mutex_t));
-
- pthread_mutexattr_t *monitor_attr = ns_calloc(1, sizeof(pthread_mutexattr_t));
- pthread_mutexattr_init(monitor_attr);
- pthread_mutexattr_settype(monitor_attr, PTHREAD_MUTEX_RECURSIVE);
-- assert(pthread_mutex_init(job->monitor, monitor_attr) == 0);
-+ assert(pthread_mutex_init(&(job->monitor), monitor_attr) == 0);
-+ assert(pthread_cond_init(&(job->notify), NULL) == 0);
- ns_free(monitor_attr);
-
- job->tp = tp;
-@@ -746,14 +757,14 @@ ns_job_done(ns_job_t *job)
- /* Get the shutdown state ONCE at the start, atomically */
- int32_t shutdown_state = ns_thrpool_is_shutdown(job->tp);
-
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
-
- if (job->state == NS_JOB_NEEDS_DELETE || job->state == NS_JOB_DELETED) {
- /* Just return if the job has been marked for deletion */
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "ns_job_done %x tp shutdown -> %x state %d return early\n", job, shutdown_state, job->state);
- #endif
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NS_SUCCESS;
- }
-
-@@ -762,7 +773,7 @@ ns_job_done(ns_job_t *job)
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "ns_job_done %x tp shutdown -> false state %d failed to mark as done\n", job, job->state);
- #endif
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NS_INVALID_STATE;
- }
-
-@@ -773,13 +784,13 @@ ns_job_done(ns_job_t *job)
- ns_log(LOG_DEBUG, "ns_job_done %x tp shutdown -> false state %d setting to async NS_JOB_NEEDS_DELETE\n", job, job->state);
- #endif
- job->state = NS_JOB_NEEDS_DELETE;
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- } else if (!shutdown_state) {
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "ns_job_done %x tp shutdown -> false state %d setting NS_JOB_NEEDS_DELETE and queuing\n", job, job->state);
- #endif
- job->state = NS_JOB_NEEDS_DELETE;
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- event_q_notify(job);
- } else {
- #ifdef DEBUG
-@@ -787,7 +798,7 @@ ns_job_done(ns_job_t *job)
- #endif
- job->state = NS_JOB_NEEDS_DELETE;
- /* We are shutting down, just remove it! */
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- internal_ns_job_done(job);
- }
- return NS_SUCCESS;
-@@ -849,12 +860,12 @@ ns_add_io_job(ns_thrpool_t *tp, PRFileDesc *fd, ns_job_type_t job_type, ns_job_f
- return NS_ALLOCATION_FAILURE;
- }
-
-- pthread_mutex_lock(_job->monitor);
-+ pthread_mutex_lock(&(_job->monitor));
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "ns_add_io_job state %d moving to NS_JOB_ARMED\n", (_job)->state);
- #endif
- _job->state = NS_JOB_NEEDS_ARM;
-- pthread_mutex_unlock(_job->monitor);
-+ pthread_mutex_unlock(&(_job->monitor));
- internal_ns_job_rearm(_job);
-
- /* fill in a pointer to the job for the caller if requested */
-@@ -889,12 +900,12 @@ ns_add_timeout_job(ns_thrpool_t *tp, struct timeval *tv, ns_job_type_t job_type,
- return NS_ALLOCATION_FAILURE;
- }
-
-- pthread_mutex_lock(_job->monitor);
-+ pthread_mutex_lock(&(_job->monitor));
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "ns_add_timeout_job state %d moving to NS_JOB_ARMED\n", (_job)->state);
- #endif
- _job->state = NS_JOB_NEEDS_ARM;
-- pthread_mutex_unlock(_job->monitor);
-+ pthread_mutex_unlock(&(_job->monitor));
- internal_ns_job_rearm(_job);
-
- /* fill in a pointer to the job for the caller if requested */
-@@ -944,14 +955,14 @@ ns_add_io_timeout_job(ns_thrpool_t *tp, PRFileDesc *fd, struct timeval *tv, ns_j
- if (!_job) {
- return NS_ALLOCATION_FAILURE;
- }
-- pthread_mutex_lock(_job->monitor);
-+ pthread_mutex_lock(&(_job->monitor));
- _job->tv = *tv;
-
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "ns_add_io_timeout_job state %d moving to NS_JOB_ARMED\n", (_job)->state);
- #endif
- _job->state = NS_JOB_NEEDS_ARM;
-- pthread_mutex_unlock(_job->monitor);
-+ pthread_mutex_unlock(&(_job->monitor));
- internal_ns_job_rearm(_job);
-
- /* fill in a pointer to the job for the caller if requested */
-@@ -982,12 +993,12 @@ ns_add_signal_job(ns_thrpool_t *tp, int32_t signum, ns_job_type_t job_type, ns_j
- return NS_ALLOCATION_FAILURE;
- }
-
-- pthread_mutex_lock(_job->monitor);
-+ pthread_mutex_lock(&(_job->monitor));
- #ifdef DEBUG
- ns_log(LOG_DEBUG, "ns_add_signal_job state %d moving to NS_JOB_ARMED\n", (_job)->state);
- #endif
- _job->state = NS_JOB_NEEDS_ARM;
-- pthread_mutex_unlock(_job->monitor);
-+ pthread_mutex_unlock(&(_job->monitor));
- internal_ns_job_rearm(_job);
-
- /* fill in a pointer to the job for the caller if requested */
-@@ -1038,9 +1049,9 @@ ns_add_shutdown_job(ns_thrpool_t *tp)
- if (!_job) {
- return NS_ALLOCATION_FAILURE;
- }
-- pthread_mutex_lock(_job->monitor);
-+ pthread_mutex_lock(&(_job->monitor));
- _job->state = NS_JOB_NEEDS_ARM;
-- pthread_mutex_unlock(_job->monitor);
-+ pthread_mutex_unlock(&(_job->monitor));
- internal_ns_job_rearm(_job);
- return NS_SUCCESS;
- }
-@@ -1061,13 +1072,13 @@ void *
- ns_job_get_data(ns_job_t *job)
- {
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- PR_ASSERT(job->state != NS_JOB_DELETED);
- if (job->state != NS_JOB_DELETED) {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return job->data;
- } else {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NULL;
- }
- }
-@@ -1076,14 +1087,14 @@ ns_result_t
- ns_job_set_data(ns_job_t *job, void *data)
- {
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- PR_ASSERT(job->state == NS_JOB_WAITING || job->state == NS_JOB_RUNNING);
- if (job->state == NS_JOB_WAITING || job->state == NS_JOB_RUNNING) {
- job->data = data;
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NS_SUCCESS;
- } else {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NS_INVALID_STATE;
- }
- }
-@@ -1092,13 +1103,13 @@ ns_thrpool_t *
- ns_job_get_tp(ns_job_t *job)
- {
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- PR_ASSERT(job->state != NS_JOB_DELETED);
- if (job->state != NS_JOB_DELETED) {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return job->tp;
- } else {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NULL;
- }
- }
-@@ -1107,13 +1118,13 @@ ns_job_type_t
- ns_job_get_output_type(ns_job_t *job)
- {
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- PR_ASSERT(job->state == NS_JOB_RUNNING);
- if (job->state == NS_JOB_RUNNING) {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return job->output_job_type;
- } else {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return 0;
- }
- }
-@@ -1122,13 +1133,13 @@ ns_job_type_t
- ns_job_get_type(ns_job_t *job)
- {
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- PR_ASSERT(job->state != NS_JOB_DELETED);
- if (job->state != NS_JOB_DELETED) {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return job->job_type;
- } else {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return 0;
- }
- }
-@@ -1137,13 +1148,13 @@ PRFileDesc *
- ns_job_get_fd(ns_job_t *job)
- {
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- PR_ASSERT(job->state != NS_JOB_DELETED);
- if (job->state != NS_JOB_DELETED) {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return job->fd;
- } else {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NULL;
- }
- }
-@@ -1152,18 +1163,40 @@ ns_result_t
- ns_job_set_done_cb(struct ns_job_t *job, ns_job_func_t func)
- {
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- PR_ASSERT(job->state == NS_JOB_WAITING || job->state == NS_JOB_RUNNING);
- if (job->state == NS_JOB_WAITING || job->state == NS_JOB_RUNNING) {
- job->done_cb = func;
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NS_SUCCESS;
- } else {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NS_INVALID_STATE;
- }
- }
-
-+ns_result_t
-+ns_job_wait(struct ns_job_t *job) {
-+ PR_ASSERT(job);
-+ pthread_mutex_lock(&(job->monitor));
-+ if (job->state == NS_JOB_WAITING) {
-+ /* It's done */
-+ pthread_mutex_unlock(&(job->monitor));
-+ return NS_SUCCESS;
-+ } else {
-+ pthread_cond_wait(&(job->notify), &(job->monitor));
-+ ns_job_state_t result = job->state;
-+ pthread_mutex_unlock(&(job->monitor));
-+ if (result == NS_JOB_WAITING) {
-+ return NS_SUCCESS;
-+ } else if (result == NS_JOB_NEEDS_DELETE) {
-+ return NS_DELETING;
-+ } else {
-+ PR_ASSERT(1 == 0);
-+ return NS_INVALID_STATE;
-+ }
-+ }
-+}
-
- /*
- * This is a convenience function - use if you need to re-arm the same event
-@@ -1173,7 +1206,7 @@ ns_result_t
- ns_job_rearm(ns_job_t *job)
- {
- PR_ASSERT(job);
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
- PR_ASSERT(job->state == NS_JOB_WAITING || job->state == NS_JOB_RUNNING);
-
- if (ns_thrpool_is_shutdown(job->tp)) {
-@@ -1186,7 +1219,7 @@ ns_job_rearm(ns_job_t *job)
- #endif
- job->state = NS_JOB_NEEDS_ARM;
- internal_ns_job_rearm(job);
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NS_SUCCESS;
- } else if (!NS_JOB_IS_PERSIST(job->job_type) && job->state == NS_JOB_RUNNING) {
- /* For this to be called, and NS_JOB_RUNNING, we *must* be the callback thread! */
-@@ -1195,10 +1228,10 @@ ns_job_rearm(ns_job_t *job)
- ns_log(LOG_DEBUG, "ns_rearm_job %x state %d setting NS_JOB_NEEDS_ARM\n", job, job->state);
- #endif
- job->state = NS_JOB_NEEDS_ARM;
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NS_SUCCESS;
- } else {
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- return NS_INVALID_STATE;
- }
- /* Unreachable code .... */
-@@ -1254,7 +1287,7 @@ setup_event_q_wakeup(ns_thrpool_t *tp)
- NS_JOB_READ | NS_JOB_PERSIST | NS_JOB_PRESERVE_FD,
- wakeup_cb, NULL);
-
-- pthread_mutex_lock(job->monitor);
-+ pthread_mutex_lock(&(job->monitor));
-
- /* The event_queue wakeup is ready, arm it. */
- #ifdef DEBUG
-@@ -1267,7 +1300,7 @@ setup_event_q_wakeup(ns_thrpool_t *tp)
-
- /* Stash the wakeup job in tp so we can release it later. */
- tp->event_q_wakeup_job = job;
-- pthread_mutex_unlock(job->monitor);
-+ pthread_mutex_unlock(&(job->monitor));
- }
-
- /* Initialize the thrpool config */
-@@ -1463,7 +1496,7 @@ ns_thrpool_destroy(struct ns_thrpool_t *tp)
- * and use it to wake up the event loop.
- */
-
-- pthread_mutex_lock(tp->event_q_wakeup_job->monitor);
-+ pthread_mutex_lock(&(tp->event_q_wakeup_job->monitor));
-
- // tp->event_q_wakeup_job->job_type |= NS_JOB_THREAD;
- /* This triggers the job to "run", which will cause a shutdown cascade */
-@@ -1471,7 +1504,7 @@ ns_thrpool_destroy(struct ns_thrpool_t *tp)
- ns_log(LOG_DEBUG, "ns_thrpool_destroy %x state %d moving to NS_JOB_NEEDS_DELETE\n", tp->event_q_wakeup_job, tp->event_q_wakeup_job->state);
- #endif
- tp->event_q_wakeup_job->state = NS_JOB_NEEDS_DELETE;
-- pthread_mutex_unlock(tp->event_q_wakeup_job->monitor);
-+ pthread_mutex_unlock(&(tp->event_q_wakeup_job->monitor));
- /* Has to be event_q_notify, not internal_job_done */
- event_q_notify(tp->event_q_wakeup_job);
-
-diff --git a/src/nunc-stans/test/test_nuncstans.c b/src/nunc-stans/test/test_nuncstans.c
-index 629377a89..afe3c02fc 100644
---- a/src/nunc-stans/test/test_nuncstans.c
-+++ b/src/nunc-stans/test/test_nuncstans.c
-@@ -55,14 +55,21 @@
- /* We need the internal headers for state checks */
- #include "../ns/ns_event_fw.h"
-
-+#include <assert.h>
-+
-+#include <time.h>
-+
- #ifdef HAVE_STDLIB_H
- #include <stdlib.h>
- #endif
-
-
- static int cb_check = 0;
--static PRLock *cb_lock = NULL;
--static PRCondVar *cb_cond = NULL;
-+
-+static pthread_mutex_t cb_lock;
-+static pthread_cond_t cb_cond;
-+// static PRLock *cb_lock = NULL;
-+// static PRCondVar *cb_cond = NULL;
-
- void
- ns_test_logger(int priority __attribute__((unused)), const char *fmt, va_list varg)
-@@ -71,6 +78,19 @@ ns_test_logger(int priority __attribute__((unused)), const char *fmt, va_list va
- vprintf(fmt, varg);
- }
-
-+static int
-+cond_wait_rel(pthread_cond_t *restrict cond, pthread_mutex_t *restrict mutex, const struct timespec *restrict reltime) {
-+ struct timespec now;
-+ struct timespec abswait;
-+
-+ clock_gettime(CLOCK_REALTIME, &now);
-+
-+ abswait.tv_sec = now.tv_sec + reltime->tv_sec;
-+ abswait.tv_nsec = now.tv_nsec + reltime->tv_nsec;
-+
-+ return pthread_cond_timedwait(cond, mutex, &abswait);
-+}
-+
- /* All our other tests will use this in some form. */
- static int
- ns_test_setup(void **state)
-@@ -81,8 +101,8 @@ ns_test_setup(void **state)
- /* Reset the callback check */
- cb_check = 0;
- /* Create the cond var the CB check will use. */
-- cb_lock = PR_NewLock();
-- cb_cond = PR_NewCondVar(cb_lock);
-+ assert(pthread_mutex_init(&cb_lock, NULL) == 0);
-+ assert(pthread_cond_init(&cb_cond, NULL) == 0);
-
- ns_thrpool_config_init(&ns_config);
-
-@@ -105,8 +125,8 @@ ns_test_teardown(void **state)
-
- ns_thrpool_destroy(tp);
-
-- PR_DestroyCondVar(cb_cond);
-- PR_DestroyLock(cb_lock);
-+ pthread_cond_destroy(&cb_cond);
-+ pthread_mutex_destroy(&cb_lock);
-
- return 0;
- }
-@@ -114,24 +134,23 @@ ns_test_teardown(void **state)
- static void
- ns_init_test_job_cb(struct ns_job_t *job __attribute__((unused)))
- {
-+ pthread_mutex_lock(&cb_lock);
- cb_check += 1;
-- PR_Lock(cb_lock);
-- PR_NotifyCondVar(cb_cond);
-- PR_Unlock(cb_lock);
-+ pthread_cond_signal(&cb_cond);
-+ pthread_mutex_unlock(&cb_lock);
- }
-
- static void
- ns_init_disarm_job_cb(struct ns_job_t *job)
- {
- if (ns_job_done(job) == NS_SUCCESS) {
-+ pthread_mutex_lock(&cb_lock);
- cb_check = 1;
-+ pthread_cond_signal(&cb_cond);
-+ pthread_mutex_unlock(&cb_lock);
- } else {
- assert_int_equal(1, 0);
- }
-- PR_Lock(cb_lock);
-- PR_NotifyCondVar(cb_cond);
-- /* Disarm ourselves */
-- PR_Unlock(cb_lock);
- }
-
- static void
-@@ -146,20 +165,20 @@ ns_init_test(void **state)
- {
- struct ns_thrpool_t *tp = *state;
- struct ns_job_t *job = NULL;
-+ struct timespec timeout = {1, 0};
-
-- PR_Lock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
- assert_int_equal(
- ns_add_job(tp, NS_JOB_NONE | NS_JOB_THREAD, ns_init_test_job_cb, NULL, &job),
- 0);
-
-- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1));
-- PR_Unlock(cb_lock);
-+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0);
-+ pthread_mutex_unlock(&cb_lock);
-
- assert_int_equal(cb_check, 1);
-
- /* Once the job is done, it's not in the event queue, and it's complete */
-- /* We have to stall momentarily to let the work_job_execute release the job to us */
-- PR_Sleep(PR_SecondsToInterval(1));
-+ assert(ns_job_wait(job) == NS_SUCCESS);
- assert_int_equal(ns_job_done(job), NS_SUCCESS);
- }
-
-@@ -169,19 +188,20 @@ ns_set_data_test(void **state)
- /* Add a job with data */
- struct ns_thrpool_t *tp = *state;
- struct ns_job_t *job = NULL;
-+ struct timespec timeout = {1, 0};
-
- char *data = malloc(6);
-
- strcpy(data, "first");
-
-- PR_Lock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
- assert_int_equal(
- ns_add_job(tp, NS_JOB_NONE | NS_JOB_THREAD, ns_init_test_job_cb, data, &job),
- NS_SUCCESS);
-
- /* Let the job run */
-- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1));
-- PR_Unlock(cb_lock);
-+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0);
-+ pthread_mutex_unlock(&cb_lock);
-
- /* Check that the data is correct */
- char *retrieved = (char *)ns_job_get_data(job);
-@@ -193,16 +213,14 @@ ns_set_data_test(void **state)
- data = malloc(7);
- strcpy(data, "second");
-
-- while (job->state != NS_JOB_WAITING) {
-- PR_Sleep(PR_MillisecondsToInterval(50));
-- }
-+ assert(ns_job_wait(job) == NS_SUCCESS);
- ns_job_set_data(job, data);
-
- /* Rearm, and let it run again. */
-- PR_Lock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
- ns_job_rearm(job);
-- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1));
-- PR_Unlock(cb_lock);
-+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0);
-+ pthread_mutex_unlock(&cb_lock);
-
- /* Make sure it's now what we expect */
- retrieved = (char *)ns_job_get_data(job);
-@@ -218,9 +236,7 @@ ns_set_data_test(void **state)
- * waiting. we might need a load barrier here ...
- */
-
-- while (job->state != NS_JOB_WAITING) {
-- PR_Sleep(PR_MillisecondsToInterval(50));
-- }
-+ assert(ns_job_wait(job) == NS_SUCCESS);
-
- assert_int_equal(ns_job_done(job), NS_SUCCESS);
- }
-@@ -230,8 +246,9 @@ ns_job_done_cb_test(void **state)
- {
- struct ns_thrpool_t *tp = *state;
- struct ns_job_t *job = NULL;
-+ struct timespec timeout = {1, 0};
-
-- PR_Lock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
- assert_int_equal(
- ns_create_job(tp, NS_JOB_NONE | NS_JOB_THREAD, ns_init_do_nothing_cb, &job),
- NS_SUCCESS);
-@@ -240,8 +257,8 @@ ns_job_done_cb_test(void **state)
- /* Remove it */
- assert_int_equal(ns_job_done(job), NS_SUCCESS);
-
-- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1));
-- PR_Unlock(cb_lock);
-+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0);
-+ pthread_mutex_unlock(&cb_lock);
-
- assert_int_equal(cb_check, 1);
- }
-@@ -250,16 +267,15 @@ static void
- ns_init_rearm_job_cb(struct ns_job_t *job)
- {
- if (ns_job_rearm(job) != NS_SUCCESS) {
-+ pthread_mutex_lock(&cb_lock);
- cb_check = 1;
- /* we failed to re-arm as expected, let's go away ... */
- assert_int_equal(ns_job_done(job), NS_SUCCESS);
-+ pthread_cond_signal(&cb_cond);
-+ pthread_mutex_unlock(&cb_lock);
- } else {
- assert_int_equal(1, 0);
- }
-- PR_Lock(cb_lock);
-- PR_NotifyCondVar(cb_cond);
-- /* Disarm ourselves */
-- PR_Unlock(cb_lock);
- }
-
- static void
-@@ -268,8 +284,9 @@ ns_job_persist_rearm_ignore_test(void **state)
- /* Test that rearm ignores the persistent job. */
- struct ns_thrpool_t *tp = *state;
- struct ns_job_t *job = NULL;
-+ struct timespec timeout = {1, 0};
-
-- PR_Lock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
- assert_int_equal(
- ns_create_job(tp, NS_JOB_NONE | NS_JOB_THREAD | NS_JOB_PERSIST, ns_init_rearm_job_cb, &job),
- NS_SUCCESS);
-@@ -281,8 +298,8 @@ ns_job_persist_rearm_ignore_test(void **state)
- * should see only 1 in the cb_check.
- */
-
-- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1));
-- PR_Unlock(cb_lock);
-+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0);
-+ pthread_mutex_unlock(&cb_lock);
-
- /* If we fail to rearm, this is set to 1 Which is what we want. */
- assert_int_equal(cb_check, 1);
-@@ -294,6 +311,7 @@ ns_job_persist_disarm_test(void **state)
- /* Make a persistent job */
- struct ns_thrpool_t *tp = *state;
- struct ns_job_t *job = NULL;
-+ struct timespec timeout = {2, 0};
-
- assert_int_equal(
- ns_create_job(tp, NS_JOB_NONE | NS_JOB_PERSIST, ns_init_disarm_job_cb, &job),
-@@ -302,9 +320,9 @@ ns_job_persist_disarm_test(void **state)
- assert_int_equal(ns_job_rearm(job), NS_SUCCESS);
-
- /* In the callback it should disarm */
-- PR_Lock(cb_lock);
-- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1));
-- PR_Unlock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
-+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0);
-+ pthread_mutex_unlock(&cb_lock);
- /* Make sure it did */
- assert_int_equal(cb_check, 1);
- }
-@@ -329,14 +347,13 @@ ns_job_persist_disarm_test(void **state)
- static void
- ns_init_race_done_job_cb(struct ns_job_t *job)
- {
-- cb_check += 1;
- ns_job_done(job);
- /* We need to sleep to let the job race happen */
- PR_Sleep(PR_SecondsToInterval(2));
-- PR_Lock(cb_lock);
-- PR_NotifyCondVar(cb_cond);
-- /* Disarm ourselves */
-- PR_Unlock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
-+ cb_check += 1;
-+ pthread_cond_signal(&cb_cond);
-+ pthread_mutex_unlock(&cb_lock);
- }
-
- static void
-@@ -344,14 +361,15 @@ ns_job_race_done_test(void **state)
- {
- struct ns_thrpool_t *tp = *state;
- struct ns_job_t *job = NULL;
-+ struct timespec timeout = {5, 0};
-
-- PR_Lock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
- assert_int_equal(
- ns_add_job(tp, NS_JOB_NONE | NS_JOB_THREAD, ns_init_race_done_job_cb, NULL, &job),
- NS_SUCCESS);
-
-- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(5));
-- PR_Unlock(cb_lock);
-+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0);
-+ pthread_mutex_unlock(&cb_lock);
-
- assert_int_equal(cb_check, 1);
- }
-@@ -365,8 +383,9 @@ ns_job_signal_cb_test(void **state)
- {
- struct ns_thrpool_t *tp = *state;
- struct ns_job_t *job = NULL;
-+ struct timespec timeout = {1, 0};
-
-- PR_Lock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
- assert_int_equal(
- ns_add_signal_job(tp, SIGUSR1, NS_JOB_SIGNAL, ns_init_test_job_cb, NULL, &job),
- NS_SUCCESS);
-@@ -376,8 +395,8 @@ ns_job_signal_cb_test(void **state)
- /* Send the signal ... */
- raise(SIGUSR1);
-
-- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1));
-- PR_Unlock(cb_lock);
-+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0);
-+ pthread_mutex_unlock(&cb_lock);
-
- assert_int_equal(cb_check, 1);
-
-@@ -408,12 +427,11 @@ ns_job_neg_timeout_test(void **state)
- static void
- ns_timer_job_cb(struct ns_job_t *job)
- {
-- cb_check += 1;
- ns_job_done(job);
-- PR_Lock(cb_lock);
-- PR_NotifyCondVar(cb_cond);
-- /* Disarm ourselves */
-- PR_Unlock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
-+ cb_check += 1;
-+ pthread_cond_signal(&cb_cond);
-+ pthread_mutex_unlock(&cb_lock);
- }
-
- static void
-@@ -421,16 +439,19 @@ ns_job_timer_test(void **state)
- {
- struct ns_thrpool_t *tp = *state;
- struct ns_job_t *job = NULL;
-- struct timeval tv = {2, 0};
-+ struct timeval tv = {3, 0};
-+ struct timespec timeout = {2, 0};
-
-- PR_Lock(cb_lock);
-+ pthread_mutex_lock(&cb_lock);
- assert_true(ns_add_timeout_job(tp, &tv, NS_JOB_THREAD, ns_timer_job_cb, NULL, &job) == NS_SUCCESS);
-
-- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1));
-+ cond_wait_rel(&cb_cond, &cb_lock, &timeout);
-+ // pthread_mutex_unlock(&cb_lock);
- assert_int_equal(cb_check, 0);
-
-- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(2));
-- PR_Unlock(cb_lock);
-+ // pthread_mutex_lock(&cb_lock);
-+ cond_wait_rel(&cb_cond, &cb_lock, &timeout);
-+ pthread_mutex_unlock(&cb_lock);
- assert_int_equal(cb_check, 1);
- }
-
-@@ -441,7 +462,9 @@ ns_job_timer_test(void **state)
- static void
- ns_timer_persist_job_cb(struct ns_job_t *job)
- {
-+ pthread_mutex_lock(&cb_lock);
- cb_check += 1;
-+ pthread_mutex_unlock(&cb_lock);
- if (cb_check < 10) {
- ns_job_rearm(job);
- } else {
-@@ -456,16 +479,19 @@ ns_job_timer_persist_test(void **state)
- struct ns_job_t *job = NULL;
- struct timeval tv = {1, 0};
-
-- PR_Lock(cb_lock);
- assert_true(ns_add_timeout_job(tp, &tv, NS_JOB_THREAD, ns_timer_persist_job_cb, NULL, &job) == NS_SUCCESS);
-
- PR_Sleep(PR_SecondsToInterval(5));
-
-+ pthread_mutex_lock(&cb_lock);
- assert_true(cb_check <= 6);
-+ pthread_mutex_unlock(&cb_lock);
-
- PR_Sleep(PR_SecondsToInterval(6));
-
-+ pthread_mutex_lock(&cb_lock);
- assert_int_equal(cb_check, 10);
-+ pthread_mutex_unlock(&cb_lock);
- }
-
- int
---
-2.13.6
-
diff --git a/SOURCES/0031-Ticket-49410-opened-connection-can-remain-no-longer-.patch b/SOURCES/0031-Ticket-49410-opened-connection-can-remain-no-longer-.patch
deleted file mode 100644
index b62e8b8..0000000
--- a/SOURCES/0031-Ticket-49410-opened-connection-can-remain-no-longer-.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 11cea14acfc11d0328013b61a3e1396e97dfe577 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Tue, 14 Nov 2017 16:29:03 +0100
-Subject: [PATCH] Ticket 49410 - opened connection can remain no longer poll,
- like hanging
-
-Bug Description:
- Some opened connection are no longer poll.
- Those connections has 'gettingber' toggle set although there is
- no more worker thread reading it.
- The reason they have gettingber set is that the last
- operation had 'persistent search' flag. With such flag
- gettingber is not reset.
- persistent flag is set even when no persistent search/sync_repl
- was received on the connection.
- The problem is that the flag is tested on the wrong operation.
- The tested operation can be
- - the first operation when the connection entered in turbo mode
- - the previous operation if several ops PDUs were read on the network
- - accessing random memory
-
- In theory testing the flag can lead to sigsev even
- if it never crash
-
-Fix Description:
- The fix is to use the operation that is in the pblock
- In such case pb_op is no longer used, so we can get rid of it.
- In addition make pb_conn a local variable where it is used
-
-https://pagure.io/389-ds-base/issue/49410
-
-Reviewed by: Ludwig Krispenz, Mark Reynolds
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
----
- ldap/servers/slapd/connection.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index 24a7a1c05..3f19b9765 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1498,8 +1498,6 @@ connection_threadmain()
- int maxthreads = 0;
- int enable_nunc_stans = 0;
- long bypasspollcnt = 0;
-- Connection *pb_conn = NULL;
-- Operation *pb_op = NULL;
-
- enable_nunc_stans = config_get_enable_nunc_stans();
- #if defined(hpux)
-@@ -1520,6 +1518,8 @@ connection_threadmain()
- }
-
- if (!thread_turbo_flag && !more_data) {
-+ Connection *pb_conn = NULL;
-+
- /* If more data is left from the previous connection_read_operation,
- we should finish the op now. Client might be thinking it's
- done sending the request and wait for the response forever.
-@@ -1530,7 +1530,6 @@ connection_threadmain()
- * Connection wait for new work provides the conn and op for us.
- */
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-
- switch (ret) {
- case CONN_NOWORK:
-@@ -1786,7 +1785,7 @@ connection_threadmain()
- /* total number of ops for the server */
- slapi_counter_increment(ops_completed);
- /* If this op isn't a persistent search, remove it */
-- if (pb_op->o_flags & OP_FLAG_PS) {
-+ if (op->o_flags & OP_FLAG_PS) {
- PR_EnterMonitor(conn->c_mutex);
- connection_release_nolock(conn); /* psearch acquires ref to conn - release this one now */
- PR_ExitMonitor(conn->c_mutex);
---
-2.13.6
-
diff --git a/SOURCES/0032-Ticket-49443-scope-one-searches-in-1.3.7-give-incorr.patch b/SOURCES/0032-Ticket-49443-scope-one-searches-in-1.3.7-give-incorr.patch
deleted file mode 100644
index b90b8b2..0000000
--- a/SOURCES/0032-Ticket-49443-scope-one-searches-in-1.3.7-give-incorr.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 5f38be985bc98969b0fdaa6ece8f84b11bdddc2f Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Thu, 9 Nov 2017 10:20:44 +0100
-Subject: [PATCH] Ticket 49443 - scope one searches in 1.3.7 give incorrect
- results
-
-Bug: if a onelevel search is done for an unidexed attribute, the filter test is skipped
- and all children of the search base are returned
-
-Fix: enforce filter test if allids
-
-Reviewed by: Mark, thanks
----
- ldap/servers/slapd/back-ldbm/idl_set.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ldap/servers/slapd/back-ldbm/idl_set.c b/ldap/servers/slapd/back-ldbm/idl_set.c
-index ba39ff03f..b68e7ab76 100644
---- a/ldap/servers/slapd/back-ldbm/idl_set.c
-+++ b/ldap/servers/slapd/back-ldbm/idl_set.c
-@@ -349,6 +349,11 @@ idl_set_intersect(IDListSet *idl_set, backend *be)
- {
- IDList *result_list = NULL;
-
-+ if (idl_set->allids) {
-+ /* if any component was allids we have to apply the filtertest */
-+ slapi_be_set_flag(be, SLAPI_BE_FLAG_DONT_BYPASS_FILTERTEST);
-+ }
-+
- if (idl_set->allids != 0 && idl_set->count == 0) {
- /*
- * We only have allids, so must be allids.
---
-2.13.6
-
diff --git a/SOURCES/0033-Ticket-49441-Import-crashes-with-large-indexed-binar.patch b/SOURCES/0033-Ticket-49441-Import-crashes-with-large-indexed-binar.patch
deleted file mode 100644
index d304225..0000000
--- a/SOURCES/0033-Ticket-49441-Import-crashes-with-large-indexed-binar.patch
+++ /dev/null
@@ -1,1048 +0,0 @@
-From 737a34433df469e0e2de9e70e3960eb253448109 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Mon, 6 Nov 2017 21:58:52 -0500
-Subject: [PATCH] Ticket 49441 - Import crashes with large indexed binary
- attributes
-
-Bug Description: Importing an ldif file that contains entries with large
- binary attributes that are indexed crashes the server.
- The crash occurs when "encoding" the binary value to a
- string for debug logging, where we "underflow" the buffer
- space index which then allows the string buffer to overflow.
-
-Fix Description: While filling the string buffer with the encoded binary
- value we need to make sure if the buffer space is greater
- than zero before decrementing it.
-
- Also check if trace logging is being used before we actually
- call the logging function which calls the "encoded" function
- first. This way we avoid this costly "encoding" on every
- index call we make.
-
-https://pagure.io/389-ds-base/issue/49441
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit b4497c4f28501b188797e12909983853642af967)
----
- dirsrvtests/tests/data/ticket49441/binary.ldif | 858 +++++++++++++++++++++++++
- dirsrvtests/tests/tickets/ticket49441_test.py | 74 +++
- ldap/servers/slapd/back-ldbm/index.c | 21 +-
- 3 files changed, 943 insertions(+), 10 deletions(-)
- create mode 100644 dirsrvtests/tests/data/ticket49441/binary.ldif
- create mode 100644 dirsrvtests/tests/tickets/ticket49441_test.py
-
-diff --git a/dirsrvtests/tests/data/ticket49441/binary.ldif b/dirsrvtests/tests/data/ticket49441/binary.ldif
-new file mode 100644
-index 000000000..bdebaf817
---- /dev/null
-+++ b/dirsrvtests/tests/data/ticket49441/binary.ldif
-@@ -0,0 +1,858 @@
-+version: 1
-+
-+# entry-id: 1
-+dn: dc=example,dc=com
-+objectClass: domain
-+objectClass: top
-+dc: example
-+nsUniqueId: f49ca102-c2ee11e7-9170b029-e68fda34
-+creatorsName:
-+modifiersName:
-+createTimestamp: 20171106123544Z
-+modifyTimestamp: 20171106123544Z
-+
-+# entry-id: 2
-+dn: ou=binary,dc=example,dc=com
-+certificateRevocationList;binary:: MIITbjCCElYCAQEwDQYJKoZIhvcNAQEFBQAwVzELMAk
-+ GA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9y
-+ aXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQRcNMTcxMDE2MTUxNjAyWhcNMTcxMDE5MTUxNjAyWjCCE
-+ ZcwIwIEV4cj0hcNMTYxMTMwMDAyNDA0WjAMMAoGA1UdFQQDCgEAMCMCBFeHI9EXDTE2MTEzMDAwMj
-+ gwNVowDDAKBgNVHRUEAwoBADAjAgRXhyPPFw0xNjExMzAwMDIxNDJaMAwwCgYDVR0VBAMKAQAwIwI
-+ EV4cjzhcNMTYxMTMwMDAzMTE0WjAMMAoGA1UdFQQDCgEAMCMCBFeHI2gXDTE2MTEyOTE1MTM0M1ow
-+ DDAKBgNVHRUEAwoBADA9AgRXhwCzFw0xNjExMDIyMjQ0NThaMCYwCgYDVR0VBAMKAQEwGAYDVR0YB
-+ BEYDzIwMTYwOTA3MDEzODU1WjAjAgRXhvE4Fw0xNjA4MDExNDA5MTFaMAwwCgYDVR0VBAMKAQAwIw
-+ IEV4bxNxcNMTYwODAxMTQwODU4WjAMMAoGA1UdFQQDCgEAMCMCBEkD2YYXDTE2MDcwNTE1NTg0NVo
-+ wDDAKBgNVHRUEAwoBADAjAgRJA9mFFw0xNjA3MDUxNTU1MTlaMAwwCgYDVR0VBAMKAQAwIwIESQPT
-+ cRcNMTYxMTMwMDAyODA1WjAMMAoGA1UdFQQDCgEAMCMCBEkD03AXDTE2MTEzMDAwMjgwNVowDDAKB
-+ gNVHRUEAwoBADAjAgRJA9NuFw0xNjA2MjAxNjQ4NTlaMAwwCgYDVR0VBAMKAQAwIwIESQPSOBcNMT
-+ YwNjE3MTU1OTM4WjAMMAoGA1UdFQQDCgEAMCMCBEkD0jcXDTE2MTEzMDAwMzExNFowDDAKBgNVHRU
-+ EAwoBADAjAgRJA9I0Fw0xNjA2MjAxNzAyMDJaMAwwCgYDVR0VBAMKAQAwIwIESQPSMxcNMTYwNjIw
-+ MTcwMjAyWjAMMAoGA1UdFQQDCgEAMCMCBEkD0jEXDTE2MDYxNzE1NDgwMlowDDAKBgNVHRUEAwoBA
-+ DAjAgRJA9IwFw0xNjExMzAwMDMxMTRaMAwwCgYDVR0VBAMKAQAwIwIESQPSLhcNMTYwNjE3MTU0MD
-+ A2WjAMMAoGA1UdFQQDCgEAMCMCBEkD0VIXDTE2MTEzMDAwMzExNFowDDAKBgNVHRUEAwoBADAjAgR
-+ JA9FRFw0xNjExMzAwMDMxMTRaMAwwCgYDVR0VBAMKAQAwIwIESQPRTxcNMTYwNjE1MTkyMDU4WjAM
-+ MAoGA1UdFQQDCgEAMCMCBEkD0U4XDTE2MDYxNTE5MjYyMlowDDAKBgNVHRUEAwoBADAjAgRJA9FLF
-+ w0xNjA2MTUxODQ5MzZaMAwwCgYDVR0VBAMKAQAwIwIESQPRShcNMTYwNjE1MTQzNDU1WjAMMAoGA1
-+ UdFQQDCgEAMCMCBEkD0UkXDTE2MDYxNTE0MzEyMlowDDAKBgNVHRUEAwoBADAjAgRJA9FIFw0xNjA
-+ 2MTUxNDMwMTdaMAwwCgYDVR0VBAMKAQAwIwIESQPQexcNMTYwNjE1MTkyNjIyWjAMMAoGA1UdFQQD
-+ CgEAMCMCBEkD0HoXDTE2MDYxNTE5MjYyMlowDDAKBgNVHRUEAwoBADAjAgRJA9B4Fw0xNjA2MTQxM
-+ TQ3MzlaMAwwCgYDVR0VBAMKAQAwIwIESQPQdxcNMTYwNjE1MTkyNTU5WjAMMAoGA1UdFQQDCgEAMC
-+ MCBEkD0HYXDTE2MDYxNTE5MjU1OVowDDAKBgNVHRUEAwoBADAjAgRJA9B0Fw0xNjA2MTQxMTQzMzh
-+ aMAwwCgYDVR0VBAMKAQAwIwIESQPQcxcNMTYwNjE0MTE0MDU4WjAMMAoGA1UdFQQDCgEAMCMCBEkD
-+ 0HIXDTE2MDYxNTE5MjU0NlowDDAKBgNVHRUEAwoBADAjAgRJA9BwFw0xNjA2MTQxMTE3NDlaMAwwC
-+ gYDVR0VBAMKAQAwIwIESQPLhhcNMTYwNjAxMjI1NTA1WjAMMAoGA1UdFQQDCgEAMCMCBEkDyRgXDT
-+ E2MDUyNjIxNDQwOFowDDAKBgNVHRUEAwoBADAjAgRJA8kXFw0xNjA1MjYyMTQzMjdaMAwwCgYDVR0
-+ VBAMKAQAwIwIESQPIsRcNMTYwNTI2MTUxOTMwWjAMMAoGA1UdFQQDCgEAMCMCBEkDmmEXDTE2MDYx
-+ NTE5MjU0NlowDDAKBgNVHRUEAwoBADAjAgRJA5pgFw0xNjA2MTUxOTI1NDZaMAwwCgYDVR0VBAMKA
-+ QAwIwIESQOZ9RcNMTYwNjE1MTkyNDQzWjAMMAoGA1UdFQQDCgEFMCMCBEkDmfQXDTE2MDYxNTE5Mj
-+ Q0M1owDDAKBgNVHRUEAwoBBTAjAgRJA5nyFw0xNjAyMDExOTM0MTlaMAwwCgYDVR0VBAMKAQAwIwI
-+ ESQOXgBcNMTYwMTI2MTUwNTE5WjAMMAoGA1UdFQQDCgEAMCMCBEkDh0oXDTE1MTIxNzE3MzE0NVow
-+ DDAKBgNVHRUEAwoBAzAjAgRJA3ZBFw0xNjAyMDIxNDM3MTZaMAwwCgYDVR0VBAMKAQMwIwIESQN2Q
-+ BcNMTYwMjAyMTQzNzAzWjAMMAoGA1UdFQQDCgEDMCMCBEkDXsUXDTE1MTIwODIwMTM0OVowDDAKBg
-+ NVHRUEAwoBAzAjAgRJA17EFw0xNTEyMDgyMDEzNDlaMAwwCgYDVR0VBAMKAQMwIwIESQNewxcNMTU
-+ xMjA4MjAxMzUwWjAMMAoGA1UdFQQDCgEDMCMCBEkDWrkXDTE1MTIwODIwMTM1MFowDDAKBgNVHRUE
-+ AwoBAzAjAgRJA1q4Fw0xNTEyMDgyMDEzNTBaMAwwCgYDVR0VBAMKAQMwIwIESQNatxcNMTUxMjA4M
-+ jAxMzUwWjAMMAoGA1UdFQQDCgEDMCMCBEkDNjMXDTE2MDcwNTIwMDcxMlowDDAKBgNVHRUEAwoBBT
-+ AjAgRJAwpwFw0xNjA2MTUxOTQwMDNaMAwwCgYDVR0VBAMKAQAwIwIESQMKbxcNMTYwNjE1MTk0MDA
-+ zWjAMMAoGA1UdFQQDCgEAMCMCBEkC2Z0XDTE0MTAyMDE2NDgzN1owDDAKBgNVHRUEAwoBBTAjAgRJ
-+ AthhFw0xNDEwMjAxNjQ4MzdaMAwwCgYDVR0VBAMKAQUwIwIESQLX7RcNMTQxMTEyMjAyNjA1WjAMM
-+ AoGA1UdFQQDCgEFMCMCBEkC1+sXDTE0MTAyNzE1NTI1OVowDDAKBgNVHRUEAwoBAzAjAgRJAn2hFw
-+ 0xNDAzMTMxNjUwMjZaMAwwCgYDVR0VBAMKAQAwIwIESQJ9MxcNMTQwMzEyMTUxODI5WjAMMAoGA1U
-+ dFQQDCgEAMCMCBEkCfTEXDTE0MDMxMjExMzMzNVowDDAKBgNVHRUEAwoBADAjAgRJAn0wFw0xNDAz
-+ MTIxMjE4MjFaMAwwCgYDVR0VBAMKAQAwIwIESQJ8YxcNMTQwMzEyMTEyNzEwWjAMMAoGA1UdFQQDC
-+ gEAMCMCBEkCfGEXDTE0MDMxMDE0NTYxNlowDDAKBgNVHRUEAwoBADAjAgRJAnxgFw0xNDAzMTAxNT
-+ A4MTVaMAwwCgYDVR0VBAMKAQAwIwIESQJ8XhcNMTQwMzEwMTIzMDM3WjAMMAoGA1UdFQQDCgEAMCM
-+ CBEkCfF0XDTE0MDMxMDE0NTMyMlowDDAKBgNVHRUEAwoBADAjAgRJAnxbFw0xNDAzMTAxMDQ5NDBa
-+ MAwwCgYDVR0VBAMKAQAwIwIESQJ8WhcNMTQwMzEwMTIwOTM2WjAMMAoGA1UdFQQDCgEAMCMCBEkCe
-+ ywXDTE0MDMwNzEwMzcxM1owDDAKBgNVHRUEAwoBADAjAgRJAnsrFw0xNDAzMTAxMDQ3MTdaMAwwCg
-+ YDVR0VBAMKAQAwIwIESQJ6xRcNMTQwMzA2MTEwMDM3WjAMMAoGA1UdFQQDCgEAMCMCBEkCesQXDTE
-+ 0MDMwNzEwMzMyNVowDDAKBgNVHRUEAwoBADAjAgRJAm7jFw0xNDAyMDQyMTMwMjFaMAwwCgYDVR0V
-+ BAMKAQAwIwIESQJrWhcNMTQwMTI3MTIyMTI0WjAMMAoGA1UdFQQDCgEAMCMCBEkCa1kXDTE0MDMwN
-+ jEwNTY0OFowDDAKBgNVHRUEAwoBADAjAgRJAmjyFw0xNDAxMjExMDEyMTlaMAwwCgYDVR0VBAMKAQ
-+ AwIwIESQJiPRcNMTQwMTAyMTYwMjIxWjAMMAoGA1UdFQQDCgEAMCMCBEkCXFgXDTEzMTIxODE3NTI
-+ wNVowDDAKBgNVHRUEAwoBADAjAgRJAlW1Fw0xMzEyMDIxNTAzNTVaMAwwCgYDVR0VBAMKAQAwIwIE
-+ SQJVshcNMTMxMjAyMTQ1NTM2WjAMMAoGA1UdFQQDCgEAMCMCBEkCVbEXDTEzMTIwMjE0NTk1OVowD
-+ DAKBgNVHRUEAwoBADAjAgRJAlWvFw0xMzEyMDIxNDE3MzBaMAwwCgYDVR0VBAMKAQAwIwIESQJVrh
-+ cNMTMxMjAyMTQ0OTMxWjAMMAoGA1UdFQQDCgEAMCMCBEkCVawXDTEzMTIwMjEzMTA1OFowDDAKBgN
-+ VHRUEAwoBADAjAgRJAlWrFw0xMzEyMDIxNDEyMTVaMAwwCgYDVR0VBAMKAQAwIwIESQJONRcNMTMx
-+ MTEyMjExMzI0WjAMMAoGA1UdFQQDCgEAMCMCBEkCJrkXDTEzMDkxMDA2NDUyNFowDDAKBgNVHRUEA
-+ woBADAjAgRJAhmPFw0xMzA4MjExMDM0MTFaMAwwCgYDVR0VBAMKAQAwIwIESQIVrBcNMTMwODEyMT
-+ g1NTU1WjAMMAoGA1UdFQQDCgEAMCMCBEkCFasXDTEzMTIxODE3MDQ0MlowDDAKBgNVHRUEAwoBADA
-+ jAgRJAhAoFw0xMzA3MjkxNjAwMzVaMAwwCgYDVR0VBAMKAQAwIwIESQIQJxcNMTQwMTAyMTU1MDUy
-+ WjAMMAoGA1UdFQQDCgEAMCMCBEkCCh8XDTEzMDcxNTA3MzY1NlowDDAKBgNVHRUEAwoBADAjAgRJA
-+ gexFw0xMzA3MDgxNTU5MTRaMAwwCgYDVR0VBAMKAQAwIwIESQH73BcNMTMwNzI5MTU1NTAzWjAMMA
-+ oGA1UdFQQDCgEAMCMCBEkB5EcXDTEzMDUyOTE0MDUyNVowDDAKBgNVHRUEAwoBADAjAgRJAcDtFw0
-+ xMzA1MTAyMDExNTBaMAwwCgYDVR0VBAMKAQAwIwIESQGmXBcNMTMwNDEwMDkyMTI2WjAMMAoGA1Ud
-+ FQQDCgEAMCMCBEkBnj0XDTEzMDMyNTE4MTc0MFowDDAKBgNVHRUEAwoBADAjAgRJAYMOFw0xMzAyM
-+ TExMTEwNDdaMAwwCgYDVR0VBAMKAQAwIwIESQF4PRcNMTMwODEyMTg0ODE2WjAMMAoGA1UdFQQDCg
-+ EAMCMCBEkBcwcXDTEzMDEwMzE2NTgyMFowDDAKBgNVHRUEAwoBADAjAgRJAXMEFw0xMzAxMDMxMDA
-+ yMjRaMAwwCgYDVR0VBAMKAQAwIwIESQFuRxcNMTMxMDA3MTMwMjM1WjAMMAoGA1UdFQQDCgEFMCMC
-+ BEkBaLsXDTEzMDQxMDA5MTY1NVowDDAKBgNVHRUEAwoBADAjAgRJAWaQFw0xMjExMjkxNjAxMzJaM
-+ AwwCgYDVR0VBAMKAQAwIwIESQFmhBcNMTIxMTI5MTE1NTIyWjAMMAoGA1UdFQQDCgEAMCMCBEkBZo
-+ MXDTEyMTEyOTE1MjYwNVowDDAKBgNVHRUEAwoBADAjAgRJAWaBFw0xMjExMjkxMTAzNTJaMAwwCgY
-+ DVR0VBAMKAQAwIwIESQFmgBcNMTIxMTI5MTE1MTU4WjAMMAoGA1UdFQQDCgEAMCMCBEkBYT8XDTEy
-+ MTExNTA5NTI1OVowDDAKBgNVHRUEAwoBADAjAgRJAWCrFw0xMjExMTQxNDM2NDVaMAwwCgYDVR0VB
-+ AMKAQAwIwIESQFgqhcNMTIxMTE1MDk0ODI1WjAMMAoGA1UdFQQDCgEAMCMCBEkBXT4XDTEzMTIwMj
-+ EzMDcwMVowDDAKBgNVHRUEAwoBADAjAgRJAVvbFw0xMjExMjkxMTAwMzFaMAwwCgYDVR0VBAMKAQC
-+ gMDAuMAsGA1UdFAQEAgIo8DAfBgNVHSMEGDAWgBT0Fi4Bu6uQGaQoQg2dwB+crxCGKzANBgkqhkiG
-+ 9w0BAQUFAAOCAQEATe14zpsSjrGcW4yNZrdGtsupuJge+DQV+h1ZwBEQtsmOmMvbSdMsu+vMvTzHQ
-+ KWJq56picjixY6v4vPqhRRZWP8evOc0NuoxpiUhgez3CKFQoJ2bdeaS/WCfqss3Sa4FZTUzkVWZde
-+ moDH8CcHt5in3H7SwF5i9/rKB/bLuTjQg+LRKh2E9+FAkJn1S/ZRh1Vjd/KuRFOXD6odjV54oTWE0
-+ 6PcHBdwip62ridLdQopt3+e1UgwKBNJAmBD6uMN1tPmenUYWxh4xI7Ft4HQR58TdIiTZmfQHmEkjl
-+ dBNEAoUK1hvRy6E2mSdRq9Yex8f+rGdxI1+++6lHaN1+M8jQ4g==
-+userCertificate;binary:: MIKE/jCCg+YCAQEwX6FdMFukWTBXMQswCQYDVQQGEwJVUzEQMA4GA
-+ 1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECx
-+ MJRENvbVN1YkNBMGegZTBjMFukWTBXMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCA
-+ GA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBAgRIwMPg
-+ MA0GCSqGSIb3DQEBBQUAAgRXh6kjMCIYDzIwMTcxMDE1MjI0NjEzWhgPMjAxNzExMTQyMjQ2MTNaM
-+ IKCuTCCEQoGCSqGSIb2fQdEADGCEPswghD3gAEEMIIQ8DBvMFcxCzAJBgNVBAYTAlVTMRAwDgYDVQ
-+ QKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwl
-+ EQ29tU3ViQ0EWFENBIERvbWFpbiBTZWFyY2hiYXNlME4wPzEVMBMGCgmSJomT8ixkARkWBWxvY2Fs
-+ MRQwEgYKCZImiZPyLGQBGRYEVGVzdDEQMA4GA1UECxMHRGV2aWNlcxYLQ0xTIERldmljZXMwgYswa
-+ DEVMBMGCgmSJomT8ixkARkWBWxvY2FsMRQwEgYKCZImiZPyLGQBGRYEVGVzdDETMBEGA1UECxMKVG
-+ VzdCBVc2VyczEkMCIGA1UECxMbU1NPIEFkbWluaXN0cmF0aW9uIEFjY291bnRzFh9DTFMgU1NPIEF
-+ kbWluaXN0cmF0aW9uIEFjY291bnRzMFQwQjEVMBMGCgmSJomT8ixkARkWBWxvY2FsMRQwEgYKCZIm
-+ iZPyLGQBGRYEVGVzdDETMBEGA1UECxMKVGVzdCBVc2VycxYOQ0xTIFRlc3QgVXNlcnMwfDBfMRUwE
-+ wYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRUZXN0MRswGQYDVQQLExJEb21haW
-+ 4gQ29udHJvbGxlcnMxEzARBgNVBAsTCkdCIFNlcnZlcnMWGUNMUyBHQiBEb21haW4gQ29udHJvbGx
-+ lcnMwfDBfMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgR0ZXN0MRswGQYD
-+ VQQLExJEb21haW4gQ29udHJvbGxlcnMxEzARBgNVBAsTClVTIFNlcnZlcnMWGUNMUyBVUyBEb21ha
-+ W4gQ29udHJvbGxlcnMwgaIwgY4xFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgmSJomT8ixkAR
-+ kWBFRlc3QxFDASBgNVBAsTC1Rlc3QtT2ZmaWNlMRAwDgYDVQQLEwdTZXJ2ZXJzMRMwEQYDVQQLEwp
-+ HQiBTZXJ2ZXJzMRQwEgYDVQQLEwtBcHBsaWNhdGlvbjEMMAoGA1UECxMDV0VCFg9DTFMgR0IgV2Vi
-+ IEFwcHMwgbUwgaExFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgmSJomT8ixkARkWBFRlc3QxF
-+ DASBgNVBAsTC1Rlc3QtT2ZmaWNlMRAwDgYDVQQLEwdTZXJ2ZXJzMRMwEQYDVQQLEwpHQiBTZXJ2ZX
-+ JzMRQwEgYDVQQLEwtBcHBsaWNhdGlvbjEMMAoGA1UECxMDV0VCMREwDwYDVQQLEwhJbnRyYW5ldBY
-+ PQ0xTIEdCIEludHJhbmV0MIG1MIGhMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/Is
-+ ZAEZFgRUZXN0MRQwEgYDVQQLEwtUZXN0LU9mZmljZTEQMA4GA1UECxMHU2VydmVyczETMBEGA1UEC
-+ xMKVVMgU2VydmVyczEUMBIGA1UECxMLQXBwbGljYXRpb24xDDAKBgNVBAsTA1dFQjERMA8GA1UECx
-+ MISW50cmFuZXQWD0NMUyBVUyBJbnRyYW5ldDA8MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnR
-+ ydXN0MRAwDgYDVQQLEwdEeW5Db3JwFgdEeW5Db3JwMEowODELMAkGA1UEBhMCVVMxEDAOBgNVBAoT
-+ B0VudHJ1c3QxFzAVBgNVBAsTDkFkbWluaXN0cmF0b3JzFg5BZG1pbmlzdHJhdG9yczBKMDgxCzAJB
-+ gNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MRcwFQYDVQQLEw5HZW5lcmFsIE1vdG9ycxYOR2VuZX
-+ JhbCBNb3RvcnMwczBZMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEXMBUGA1UECxMOR2V
-+ uZXJhbCBNb3RvcnMxHzAdBgNVBAsTFkdNIFVzZXIgQWRtaW5pc3RyYXRvcnMWFkdNIFVzZXIgQWRt
-+ aW5pc3RyYXRvcnMwXzBPMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEXMBUGA1UECxMOR
-+ 2VuZXJhbCBNb3RvcnMxFTATBgNVBAsTDEdNIEVuZCBVc2VycxYMR00gRW5kIFVzZXJzMFYwQzEVMB
-+ MGCgmSJomT8ixkARkWBWxvY2FsMRQwEgYKCZImiZPyLGQBGRYEVGVzdDEUMBIGA1UECxMLV2ViIFN
-+ lcnZlcnMWD0NMUyBXZWIgU2VydmVyczBeMEcxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgmS
-+ JomT8ixkARkWBFRlc3QxGDAWBgNVBAsTD0NNUyBBZG1pbiBVc2VycxYTQ0xTIENNUyBBZG1pbiBVc
-+ 2VyczBeMEcxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgmSJomT8ixkARkWBFRlc3QxGDAWBg
-+ NVBAsTD1BLSSBBZG1pbiBVc2VycxYTQ0xTIFBLSSBBZG1pbiBVc2VyczBLMD8xCzAJBgNVBAYTAnV
-+ zMRAwDgYDVQQKEwdlbnRydXN0MQ8wDQYDVQQLEwZtb2JpbGUxDTALBgNVBAsTBGRlbW8WCERlbW8g
-+ TURNMEgwMzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxEjAQBgNVBAsTCUVtcGxveWVlc
-+ xYRRW50cnVzdCBFbXBsb3llZXMwWzBQMRUwEwYKCZImiZPyLGQBGRYFTG9jYWwxFDASBgoJkiaJk/
-+ IsZAEZFgRUZXN0MRMwEQYDVQQLEwpUZXN0IFVzZXJzMQwwCgYDVQQHEwNERVYWB0NMUyBERVYwJDA
-+ cMQswCQYDVQQGEwJ1czENMAsGA1UEChMETklTVBYETklTVDB2MGcxCzAJBgNVBAYTAlVTMRAwDgYD
-+ VQQKEwdFbnRydXN0MRkwFwYDVQQLExBNYW5hZ2VkIFNlcnZpY2VzMRkwFwYDVQQLExBEZW1vIENvb
-+ VByaXYgU3ViMRAwDgYDVQQLEwdEZXZpY2VzFgtNU08gRGV2aWNlczCBhDBuMQswCQYDVQQGEwJVUz
-+ EQMA4GA1UEChMHRW50cnVzdDEZMBcGA1UECxMQTWFuYWdlZCBTZXJ2aWNlczEZMBcGA1UECxMQRGV
-+ tbyBDb21Qcml2IFN1YjEXMBUGA1UECxMOQWRtaW5pc3RyYXRvcnMWEk1TTyBBZG1pbmlzdHJhdG9y
-+ czB6MGkxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MRkwFwYDVQQLExBNYW5hZ2VkIFNlc
-+ nZpY2VzMRkwFwYDVQQLExBEZW1vIENvbVByaXYgU3ViMRIwEAYDVQQLEwlFbXBsb3llZXMWDU1TTy
-+ BFbXBsb3llZXMwRDAxMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHR290U3ZlbjEQMA4GA1UECxMHRGV
-+ 2aWNlcxYPR290U3ZlbiBEZXZpY2VzMIGEMFoxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0
-+ MSAwHgYDVQQLExdFbnRydXN0IFNhbGVzIEVuZ2luZWVyczEXMBUGA1UECxMOQWRtaW5pc3RyYXRvc
-+ nMWJkVudHJ1c3QgU2FsZXMgRW5naW5lZXJzIEFkbWluaXN0cmF0b3JzMHYwUzELMAkGA1UEBhMCVV
-+ MxEDAOBgNVBAoTB0VudHJ1c3QxIDAeBgNVBAsTF0VudHJ1c3QgU2FsZXMgRW5naW5lZXJzMRAwDgY
-+ DVQQLEwdEZXZpY2VzFh9FbnRydXN0IFNhbGVzIEVuZ2luZWVycyBEZXZpY2VzMHIwUTELMAkGA1UE
-+ BhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIDAeBgNVBAsTF0VudHJ1c3QgU2FsZXMgRW5naW5lZXJzM
-+ Q4wDAYDVQQLEwVDYXJkcxYdRW50cnVzdCBTYWxlcyBFbmdpbmVlcnMgQ2FyZHMwdDBSMQswCQYDVQ
-+ QGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEgMB4GA1UECxMXRW50cnVzdCBTYWxlcyBFbmdpbmVlcnM
-+ xDzANBgNVBAsTBlBlb3BsZRYeRW50cnVzdCBTYWxlcyBFbmdpbmVlcnMgUGVvcGxlMIGKMF0xCzAJ
-+ BgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSMwIQYDVQQLExpFbnRydXN0IFByb2R1Y3QgTWFuY
-+ WdlbWVudDEXMBUGA1UECxMOQWRtaW5pc3RyYXRvcnMWKUVudHJ1c3QgUHJvZHVjdCBNYW5hZ2VtZW
-+ 50IEFkbWluaXN0cmF0b3JzMHwwVjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIzAhBgN
-+ VBAsTGkVudHJ1c3QgUHJvZHVjdCBNYW5hZ2VtZW50MRAwDgYDVQQLEwdEZXZpY2VzFiJFbnRydXN0
-+ IFByb2R1Y3QgTWFuYWdlbWVudCBEZXZpY2VzMHgwVDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0Vud
-+ HJ1c3QxIzAhBgNVBAsTGkVudHJ1c3QgUHJvZHVjdCBNYW5hZ2VtZW50MQ4wDAYDVQQLEwVDYXJkcx
-+ YgRW50cnVzdCBQcm9kdWN0IE1hbmFnZW1lbnQgQ2FyZHMwejBVMQswCQYDVQQGEwJVUzEQMA4GA1U
-+ EChMHRW50cnVzdDEjMCEGA1UECxMaRW50cnVzdCBQcm9kdWN0IE1hbmFnZW1lbnQxDzANBgNVBAsT
-+ BlBlb3BsZRYhRW50cnVzdCBQcm9kdWN0IE1hbmFnZW1lbnQgUGVvcGxlMCQwHDELMAkGA1UEBhMCT
-+ loxDTALBgNVBAoTBExJTloWBExJTlowTDA1MQswCQYDVQQGEwJOWjENMAsGA1UEChMETElOWjEXMB
-+ UGA1UECxMOQWRtaW5pc3RyYXRvcnMWE0xJTlogQWRtaW5pc3RyYXRvcnMwPjAuMQswCQYDVQQGEwJ
-+ OWjENMAsGA1UEChMETElOWjEQMA4GA1UECxMHRGV2aWNlcxYMTElOWiBEZXZpY2VzMDwwLTELMAkG
-+ A1UEBhMCTloxDTALBgNVBAoTBExJTloxDzANBgNVBAsTBlBlb3BsZRYLTElOWiBQZW9wbGUwVDA0M
-+ QswCQYDVQQGEwJVUzElMCMGA1UEChMcTWFnZWxsYW4gSGVhbHRoIFNlcnZpY2VzIEluYxYcTWFnZW
-+ xsYW4gSGVhbHRoIFNlcnZpY2VzIEluYzBnMFExFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgm
-+ SJomT8ixkARkWBHRlc3QxEzARBgNVBAsTClRlc3QgVXNlcnMxDTALBgNVBAcTBFRlc3QWEkNMUyBU
-+ ZXN0IFVzZXIgVGVzdDBEMDoxCzAJBgNVBAYTAnVzMSswKQYDVQQKEyJGZWRlcmFsIEhvbWUgTG9hb
-+ iBCYW5rIG9mIE5ldyBZb3JrFgZGSExCTlkwWjBKMQswCQYDVQQGEwJ1czErMCkGA1UEChMiRmVkZX
-+ JhbCBIb21lIExvYW4gQmFuayBvZiBOZXcgWW9yazEOMAwGA1UECxMFMUxpbmsWDEZITEJOWSAxTGl
-+ uazBcMEsxCzAJBgNVBAYTAnVzMSswKQYDVQQKEyJGZWRlcmFsIEhvbWUgTG9hbiBCYW5rIG9mIE5l
-+ dyBZb3JrMQ8wDQYDVQQLEwZBZG1pbnMWDUZITEJOWSBBZG1pbnMwSAYJKoZIhvZ9B0QQMTswOTAQA
-+ gEAAgEAAgEIAgEPAwIDeDAQAgEAAgEAAgEIAgEKAwIAeTAQAgEAAgEAAgEIAgEKAwIAeQMBADBxBg
-+ kqhkiG9n0HTUAxZAxiQUVTLUNCQy0xMjgsIEFFUy1DQkMtMjU2LCBBRVMtR0NNLTEyOCwgQUVTLUd
-+ DTS0yNTYsIFRSSVBMRURFUy1DQkMtMTkyLCBDQVNUNS1DQkMtODAsIENBU1Q1LUNCQy0xMjgwdgYJ
-+ KoZIhvZ9B01BMWkMZ0VDRFNBLVJFQ09NTUVOREVELCBSU0FQU1MtUkVDT01NRU5ERUQsIFJTQS1SR
-+ UNPTU1FTkRFRCwgRFNBLVJFQ09NTUVOREVELCBFQ0RTQS1TSEExLCBSU0EtU0hBMSwgRFNBLVNIQT
-+ EwFwYJKoZIhvZ9B00QMQoECFJTQS0yMDQ4MIIWSQYJKoZIhvZ9B00AMYIWOjCCFjYwgYACAQAwADB
-+ 5MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBB
-+ dXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSAwHgYDVQQDExdTZWN1cml0eSBPZmZpY2VyI
-+ FBvbGljeTB9AgEBMAAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGU
-+ NlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUQWR
-+ taW5pc3RyYXRvciBQb2xpY3kweAIBAjAAMHExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0
-+ MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExG
-+ DAWBgNVBAMTD0VuZCBVc2VyIFBvbGljeTB9AgEDMAAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0
-+ VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21
-+ TdWJDQTEdMBsGA1UEAxMUQWRtaW5pc3RyYXRvciBQb2xpY3kwfQIBBDAAMHYxCzAJBgNVBAYTAlVT
-+ MRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwE
-+ AYDVQQLEwlEQ29tU3ViQ0ExHTAbBgNVBAMTFEFkbWluaXN0cmF0b3IgUG9saWN5MHMCAQUwADBsMQ
-+ swCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXR
-+ ob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRMwEQYDVQQDEwpBU0ggUG9saWN5MH0CAQYwADB2
-+ MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBd
-+ XRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbG
-+ ljeTB9AgEHMAAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnR
-+ pZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUQWRtaW5p
-+ c3RyYXRvciBQb2xpY3kwfAIBCDAAMHUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwI
-+ AYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHDAaBg
-+ NVBAMTE1NlcnZlciBMb2dpbiBQb2xpY3kwfAIBCTAAMHUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwd
-+ FbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29t
-+ U3ViQ0ExHDAaBgNVBAMTE1NlcnZlciBMb2dpbiBQb2xpY3kwfQIBCjAAMHYxCzAJBgNVBAYTAlVTM
-+ RAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEA
-+ YDVQQLEwlEQ29tU3ViQ0ExHTAbBgNVBAMTFEFkbWluaXN0cmF0b3IgUG9saWN5MIGAAgEMMAAweTE
-+ LMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0
-+ aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEgMB4GA1UEAxMXQ0xTIFNlcnZlciBMb2dpbiBQb
-+ 2xpY3kwgYACAQ0wADB5MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2
-+ VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSAwHgYDVQQDExdTZWN
-+ 1cml0eSBPZmZpY2VyIFBvbGljeTCBgAIBDjAAMHkxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRy
-+ dXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ
-+ 0ExIDAeBgNVBAMTF1NlY3VyaXR5IE9mZmljZXIgUG9saWN5MH0CAQ8wADB2MQswCQYDVQQGEwJVUz
-+ EQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBA
-+ GA1UECxMJRENvbVN1YkNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbGljeTB9AgERMAAwdjEL
-+ MAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0a
-+ G9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUQWRtaW5pc3RyYXRvciBQb2xpY3
-+ kwfAIBCzAAMHUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZ
-+ pY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHDAaBgNVBAMTE0NMUyBFbmQg
-+ VXNlciBQb2xpY3kwfQIBEjAAMHYxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDV
-+ QQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHTAbBgNVBA
-+ MTFEFkbWluaXN0cmF0b3IgUG9saWN5MH0CARMwADB2MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW5
-+ 0cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1
-+ YkNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbGljeTCBgAIBFDAAMHkxCzAJBgNVBAYTAlVTM
-+ RAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEA
-+ YDVQQLEwlEQ29tU3ViQ0ExIDAeBgNVBAMTF0R5bkNvcnAgRW5kIFVzZXIgUG9saWN5MH8CASAwADB
-+ 4MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBB
-+ dXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMR8wHQYDVQQDExZDU1JFUyBSZXF1ZXN0b3IgU
-+ G9saWN5MHkCASEwADByMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2
-+ VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRkwFwYDVQQDExBNRE1
-+ XUyBYQVAgUG9saWN5MEkCASIwADBCMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEhMB8G
-+ A1UEAxMYU09BUCBBZG1pbiBFeHBvcnQgUG9saWN5MIGDAgEjMAAwfDELMAkGA1UEBhMCVVMxEDAOB
-+ gNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBA
-+ sTCURDb21TdWJDQTEjMCEGA1UEAxMaRXhwb3J0YWJsZSBFbmQgVXNlciBQb2xpY3kweAIBJDAAMHE
-+ xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1
-+ dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExGDAWBgNVBAMTD0VuZCBVc2VyIFBvbGljeTB9A
-+ gElMAAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYX
-+ Rpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUQWRtaW5pc3RyYXR
-+ vciBQb2xpY3kwfQIBJjAAMHYxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQL
-+ ExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHTAbBgNVBAMTF
-+ E1vYmlsZSBEZXZpY2UgUG9saWN5MHwCAScwADB1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cn
-+ VzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkN
-+ BMRwwGgYDVQQDExNTZXJ2ZXIgTG9naW4gUG9saWN5MH0CASgwADB2MQswCQYDVQQGEwJVUzEQMA4G
-+ A1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UEC
-+ xMJRENvbVN1YkNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbGljeTCBgQIBKTAAMHoxCzAJBg
-+ NVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml
-+ 0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExITAfBgNVBAMTGFNQT0MgU2VydmVyIExvZ2luIFBvbGlj
-+ eTCBggIBKjAAMHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0a
-+ WZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExIjAgBgNVBAMTGVNQT0MgQW
-+ RtaW5pc3RyYXRvciBQb2xpY3kwfAIBKzAAMHUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN
-+ 0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0Ex
-+ HDAaBgNVBAMTE1NlcnZlciBMb2dpbiBQb2xpY3kwgZECASwwADCBiTELMAkGA1UEBhMCVVMxEDAOB
-+ gNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBA
-+ sTCURDb21TdWJDQTEwMC4GA1UEAxMnTWFzdGVyIExpc3QgU2lnbmVyIEFkbWluaXN0cmF0b3IgUG9
-+ saWN5MH0CAS0wADB2MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2Vy
-+ dGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMR0wGwYDVQQDExRBZG1pb
-+ mlzdHJhdG9yIFBvbGljeTB4AgEuMAAwcTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIj
-+ AgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEYMBY
-+ GA1UEAxMPRW5kIFVzZXIgUG9saWN5MH0CAS8wADB2MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50
-+ cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1Y
-+ kNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbGljeTB4AgExMAAwcTELMAkGA1UEBhMCVVMxED
-+ AOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgN
-+ VBAsTCURDb21TdWJDQTEYMBYGA1UEAxMPRW5kIFVzZXIgUG9saWN5MH0CATIwADB2MQswCQYDVQQG
-+ EwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllc
-+ zESMBAGA1UECxMJRENvbVN1YkNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbGljeTB8AgEwMA
-+ AwdTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24
-+ gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEcMBoGA1UEAxMTU2VydmVyIExvZ2luIFBv
-+ bGljeTB9AgEzMAAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlc
-+ nRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUQWRtaW
-+ 5pc3RyYXRvciBQb2xpY3kwfQIBNTAAMHYxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSI
-+ wIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHTAb
-+ BgNVBAMTFENhcmQgRW5kIFVzZXIgUG9saWN5MHgCATQwADBxMQswCQYDVQQGEwJVUzEQMA4GA1UEC
-+ hMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRE
-+ NvbVN1YkNBMRgwFgYDVQQDEw9FbmQgVXNlciBQb2xpY3kwfAIBNjAAMHUxCzAJBgNVBAYTAlVTMRA
-+ wDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYD
-+ VQQLEwlEQ29tU3ViQ0ExHDAaBgNVBAMTE01ETSBFbmQgVXNlciBQb2xpY3kwfAIBNzAAMHUxCzAJB
-+ gNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcm
-+ l0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHDAaBgNVBAMTE1NlcnZlciBMb2dpbiBQb2xpY3kwgYU
-+ CATgwADB+MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNh
-+ dGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSUwIwYDVQQDExxNU08gVU1TIEFkb
-+ WluaXN0cmF0b3IgUG9saWN5MIJZ7wYKKoZIhvZ9B00uADGCWd8wglnbMDEwFwwSY3NjX3BpdjFrX2
-+ NhcmRhdXRoAgEnMBYwFDASDA1QaXYxS0NhcmRBdXRoAgFDMEwwEwwOY3NjX3Bpdm1peGVkXzMCASg
-+ wNTAQMA4MCVBpdjFLQXV0aAIBRDAPMA0MCFBpdjJLRW5jAgFFMBAwDgwJUGl2MktTaWduAgFGMIG4
-+ MBAMC2VudF9hZF9jbHMxAgE3MIGjMIGgMA4MCUR1YWxVc2FnZQIBXDCBjTELMAkGA1UEBhMCVVMxE
-+ DAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBg
-+ NVBAsTCURDb21TdWJDQTE0MDIGA1UEAxMrQ0xTIDF5ciBEb21haW4gQ29udHJvbGxlciBEdWFsIFV
-+ zYWdlIFBvbGljeTCBuDAQDAtlbnRfYWRfY2xzMgIBODCBozCBoDAODAlEdWFsVXNhZ2UCAV0wgY0x
-+ CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1d
-+ Ghvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExNDAyBgNVBAMTK0NMUyAyeXIgRG9tYWluIENvbn
-+ Ryb2xsZXIgRHVhbCBVc2FnZSBQb2xpY3kwdTARDAxlbnRfYWRfY2xzMm0CAVIwTjAjMBAMCkVuY3J
-+ 5cHRpb24CAgCQog8MCkVuY3J5cHRpb24CAQEwJzASDAxWZXJpZmljYXRpb24CAgCRohEMDFZlcmlm
-+ aWNhdGlvbgIBAqIQDAtlbnRfZGVmYXVsdAIBAzCBvjASDA1lbnRfYWRfY2xzMm1hAgFUMIGnMIGkM
-+ A8MCUR1YWxVc2FnZQICAJQwgZAxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQ
-+ QLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExNzA1BgNVBAM
-+ TLkNMUyAybW9udGggRG9tYWluIENvbnRyb2xsZXIgRHVhbCBVc2FnZSBQb2xpY3kwgbAwDgwJZW50
-+ X2FkX2RjAgF4MIGdMIGaMBAMCkR1YWwgVXNhZ2UCAgDSMIGFMQswCQYDVQQGEwJVUzEQMA4GA1UEC
-+ hMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRE
-+ NvbVN1YkNBMSwwKgYDVQQDEyNFbnRlcnByaXNlIERvbWFpbiBDb250cm9sbGVyIFBvbGljeTBHMBk
-+ ME2VudF9hZG1zcnZjc191bXNfZWECAgCLMCowEjAQDApFbmNyeXB0aW9uAgIA9DAUMBIMDFZlcmlm
-+ aWNhdGlvbgICAPUwRTAZDBRlbnRfYWRtc3J2Y3NfdXNlcnJlZwIBEjAoMBEwDwwKRW5jcnlwdGlvb
-+ gIBHjATMBEMDFZlcmlmaWNhdGlvbgIBHzCBzzAZDBRlbnRfYWRtc3J2Y3NfdXNybWdtdAIBETCBsT
-+ ARMA8MCkVuY3J5cHRpb24CARwwgZswEQwMVmVyaWZpY2F0aW9uAgEdMIGFMQswCQYDVQQGEwJVUzE
-+ QMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAG
-+ A1UECxMJRENvbVN1YkNBMSwwKgYDVQQDEyNUcnVlUGFzcyBTZXJ2ZXIgVmVyaWZpY2F0aW9uIFBvb
-+ GljeTA6MA4MCWVudF9iYXNpYwIBJjAoMBEwDwwKRW5jcnlwdGlvbgIBQTATMBEMDFZlcmlmaWNhdG
-+ lvbgIBQjCCATkwDQwIZW50X2NsczECAS8wggEmMIGOMA8MCkVuY3J5cHRpb24CAVIwezELMAkGA1U
-+ EBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRp
-+ ZXMxEjAQBgNVBAsTCURDb21TdWJDQTEiMCAGA1UEAxMZQ0xTIDF5ciBFbmNyeXB0aW9uIFBvbGlje
-+ TCBkjARDAxWZXJpZmljYXRpb24CAVMwfTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIj
-+ AgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEkMCI
-+ GA1UEAxMbQ0xTIDF5ciBWZXJpZmljYXRpb24gUG9saWN5MIIBOTANDAhlbnRfY2xzMgIBMDCCASYw
-+ gY4wDwwKRW5jcnlwdGlvbgIBVDB7MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA
-+ 1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSIwIAYDVQ
-+ QDExlDTFMgMnlyIEVuY3J5cHRpb24gUG9saWN5MIGSMBEMDFZlcmlmaWNhdGlvbgIBVTB9MQswCQY
-+ DVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp
-+ dGllczESMBAGA1UECxMJRENvbVN1YkNBMSQwIgYDVQQDExtDTFMgMnlyIFZlcmlmaWNhdGlvbiBQb
-+ 2xpY3kwQDASDA1lbnRfY2xzX2FkbWluAgFXMCowEjAQDApFbmNyeXB0aW9uAgIAmDAUMBIMDFZlcm
-+ lmaWNhdGlvbgICAJkwggFPMBMMDmVudF9jbHNfYWRtaW4yAgFWMIIBNjCBljAQDApFbmNyeXB0aW9
-+ uAgIAljCBgTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmlj
-+ YXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEoMCYGA1UEAxMfQ0xTIEFkbWluI
-+ DJ5ciBFbmNyeXB0aW9uIFBvbGljeTCBmjASDAxWZXJpZmljYXRpb24CAgCXMIGDMQswCQYDVQQGEw
-+ JVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczE
-+ SMBAGA1UECxMJRENvbVN1YkNBMSowKAYDVQQDEyFDTFMgQWRtaW4gMnlyIFZlcmlmaWNhdGlvbiBQ
-+ b2xpY3kwgbgwFwwSZW50X2Ntc2NsaWVudF9jbHMxAgExMIGcMIGZMA8MCkR1YWwgVXNhZ2UCAVYwg
-+ YUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIE
-+ F1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExLDAqBgNVBAMTI0NMUyAxeXIgQUkgQ2xpZW5
-+ 0IER1YWwgVXNhZ2UgUG9saWN5MIG/MBkMFGVudF9jbXNjbGllbnRfY2xzMV9mAgEzMIGhMIGeMA8M
-+ CkR1YWwgVXNhZ2UCAVgwgYoxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLE
-+ xlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExMTAvBgNVBAMTKE
-+ NMUyAxeXIgQUkgQ2xpZW50IEZpbGUgRHVhbCBVc2FnZSBQb2xpY3kwgbgwFwwSZW50X2Ntc2NsaWV
-+ udF9jbHMyAgEyMIGcMIGZMA8MCkR1YWwgVXNhZ2UCAVcwgYUxCzAJBgNVBAYTAlVTMRAwDgYDVQQK
-+ EwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ
-+ 29tU3ViQ0ExLDAqBgNVBAMTI0NMUyAyeXIgQUkgQ2xpZW50IER1YWwgVXNhZ2UgUG9saWN5MIG/MB
-+ kMFGVudF9jbXNjbGllbnRfY2xzMl9mAgE0MIGhMIGeMA8MCkR1YWwgVXNhZ2UCAVkwgYoxCzAJBgN
-+ VBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
-+ aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExMTAvBgNVBAMTKENMUyAyeXIgQUkgQ2xpZW50IEZpbGUgR
-+ HVhbCBVc2FnZSBQb2xpY3kwLjAXDBJlbnRfY21zY2xpZW50X3NrZHUCASowEzARMA8MCkR1YWwgVX
-+ NhZ2UCAUkwMDAZDBRlbnRfY21zY2xpZW50X3NrZHVfZgIBKzATMBEwDwwKRHVhbCBVc2FnZQIBSjC
-+ BuDAXDBJlbnRfY21zc2VydmVyX2NsczECATUwgZwwgZkwDwwKRHVhbCBVc2FnZQIBWjCBhTELMAkG
-+ A1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9ya
-+ XRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEsMCoGA1UEAxMjQ0xTIDF5ciBBSSBTZXJ2ZXIgRHVhbC
-+ BVc2FnZSBQb2xpY3kwgbgwFwwSZW50X2Ntc3NlcnZlcl9jbHMyAgE2MIGcMIGZMA8MCkR1YWwgVXN
-+ hZ2UCAVswgYUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZp
-+ Y2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExLDAqBgNVBAMTI0NMUyAyeXIgQ
-+ UkgU2VydmVyIER1YWwgVXNhZ2UgUG9saWN5MC4wFwwSZW50X2Ntc3NlcnZlcl9za2R1AgEsMBMwET
-+ APDApEdWFsIFVzYWdlAgFLMEYwGAwSZW50X2NzcmVzX2FwcHJvdmVyAgIAjDAqMBIwEAwKRW5jcnl
-+ wdGlvbgICAPYwFDASDAxWZXJpZmljYXRpb24CAgD3MEYwGAwTZW50X2NzcmVzX3JlcXVlc3RvcgIB
-+ bzAqMBIwEAwKRW5jcnlwdGlvbgICAMUwFDASDAxWZXJpZmljYXRpb24CAgDGMDwwEAwLZW50X2RlZ
-+ mF1bHQCAQMwKDARMA8MCkVuY3J5cHRpb24CAQEwEzARDAxWZXJpZmljYXRpb24CAQIwggE8MBAMC2
-+ VudF9kZXNrdG9wAgEHMIIBJjCBjjAPDApFbmNyeXB0aW9uAgEJMHsxCzAJBgNVBAYTAlVTMRAwDgY
-+ DVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQL
-+ EwlEQ29tU3ViQ0ExIjAgBgNVBAMTGVNhZmVOZXQgRW5jcnlwdGlvbiBQb2xpY3kwgZIwEQwMVmVya
-+ WZpY2F0aW9uAgEKMH0xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZX
-+ J0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExJDAiBgNVBAMTG1NhZmV
-+ OZXQgVmVyaWZpY2F0aW9uIFBvbGljeTCBpDAVDBBlbnRfZHVfYmFzaWNfZWt1AgFtMIGKMIGHMBAM
-+ CkR1YWwgVXNhZ2UCAgDCMHMxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLE
-+ xlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExGjAYBgNVBAMTEU
-+ R1YWwgVXNhZ2UgUG9saWN5MEMwFQwQZW50X2VhY2NhdHRhY2hlZAIBaDAqMBIwEAwKRW5jcnlwdGl
-+ vbgICALgwFDASDAxWZXJpZmljYXRpb24CAgC5MD0wDwwKZW50X2VhY2NvbgIBajAqMBIwEAwKRW5j
-+ cnlwdGlvbgICALwwFDASDAxWZXJpZmljYXRpb24CAgC9MEUwFwwSZW50X2VhY2NzdGFuZGFsb25lA
-+ gFpMCowEjAQDApFbmNyeXB0aW9uAgIAujAUMBIMDFZlcmlmaWNhdGlvbgICALswggGiMAwMB2VudF
-+ 9lZnMCARUwggGQMHgwCAwDRUZTAgEnMGwxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSI
-+ wIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExEzAR
-+ BgNVBAMTCkVGUyBQb2xpY3kwgYYwDwwKRW5jcnlwdGlvbgIBJTBzMQswCQYDVQQGEwJVUzEQMA4GA
-+ 1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECx
-+ MJRENvbVN1YkNBMRowGAYDVQQDExFFbmNyeXB0aW9uIFBvbGljeTCBijARDAxWZXJpZmljYXRpb24
-+ CASYwdTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRp
-+ b24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEcMBoGA1UEAxMTVmVyaWZpY2F0aW9uI
-+ FBvbGljeTBEMBgME2VudF9lc3Zwbl9jb21tZWRvaWQCASUwKDARMA8MCkVuY3J5cHRpb24CAT8wEz
-+ ARDAxWZXJpZmljYXRpb24CAUAwggE7MA8MCmVudF9ldG9rZW4CAWwwggEmMIGOMBAMCkVuY3J5cHR
-+ pb24CAgDAMHoxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZp
-+ Y2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExITAfBgNVBAMTGGVUb2tlbiBFb
-+ mNyeXB0aW9uIFBvbGljeTCBkjASDAxWZXJpZmljYXRpb24CAgDBMHwxCzAJBgNVBAYTAlVTMRAwDg
-+ YDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQ
-+ LEwlEQ29tU3ViQ0ExIzAhBgNVBAMTGmVUb2tlbiBWZXJpZmljYXRpb24gUG9saWN5MIIBOTAPDApl
-+ bnRfZXhwb3J0AgEGMIIBJDCBjTAPDApFbmNyeXB0aW9uAgEHMHoxCzAJBgNVBAYTAlVTMRAwDgYDV
-+ QQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEw
-+ lEQ29tU3ViQ0ExITAfBgNVBAMUGEVuY3J5cHRpb24gUG9saWN5X0V4cG9ydDCBkTARDAxWZXJpZml
-+ jYXRpb24CAQgwfDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRp
-+ ZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEjMCEGA1UEAxQaVmVyaWZpY
-+ 2F0aW9uIFBvbGljeV9FeHBvcnQwggE9MBQMD2VudF9nZW1hbHRvX2NzcAIBXjCCASMwgYowEAwKRW
-+ 5jcnlwdGlvbgICAKswdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUN
-+ lcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUR00g
-+ RW5jcnlwdGlvbiBQb2xpY3kwgZMwEgwMVmVyaWZpY2F0aW9uAgIArDB9MQswCQYDVQQGEwJVUzEQM
-+ A4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1
-+ UECxMJRENvbVN1YkNBMSQwIgYDVQQDExtHZW1hbHRvIFZlcmlmaWNhdGlvbiBQb2xpY3kwgb8wFgw
-+ RZW50X2lpc19za2R1X2NsczECATkwgaQwgaEwDwwKRHVhbCBVc2FnZQIBXjCBjTELMAkGA1UEBhMC
-+ VVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxE
-+ jAQBgNVBAsTCURDb21TdWJDQTE0MDIGA1UEAxMrQ0xTIDF5ciBJSVMgRHVhbCBVc2FnZSBObyBLZX
-+ kgQmFja3VwIFBvbGljeTCBvzAWDBFlbnRfaWlzX3NrZHVfY2xzMgIBOjCBpDCBoTAPDApEdWFsIFV
-+ zYWdlAgFfMIGNMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlm
-+ aWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMTQwMgYDVQQDEytDTFMgMnlyI
-+ ElJUyBEdWFsIFVzYWdlIE5vIEtleSBCYWNrdXAgUG9saWN5MHswFwwSZW50X2lpc19za2R1X2Nscz
-+ JtAgFTME4wIzAQDApFbmNyeXB0aW9uAgIAkqIPDApFbmNyeXB0aW9uAgEBMCcwEgwMVmVyaWZpY2F
-+ 0aW9uAgIAk6IRDAxWZXJpZmljYXRpb24CAQKiEAwLZW50X2RlZmF1bHQCAQMwgcUwGAwTZW50X2lp
-+ c19za2R1X2NsczJtYQIBVTCBqDCBpTAQDApEdWFsIFVzYWdlAgIAlTCBkDELMAkGA1UEBhMCVVMxE
-+ DAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBg
-+ NVBAsTCURDb21TdWJDQTE3MDUGA1UEAxMuQ0xTIDJtb250aCBJSVMgRHVhbCBVc2FnZSBObyBLZXk
-+ gQmFja3VwIFBvbGljeTCBpzAQDAtlbnRfbWFjaGluZQIBeTCBkjCBjzAQDApEdWFsIFVzYWdlAgIA
-+ 0zB7MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvb
-+ iBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSIwIAYDVQQDExlFbnRlcnByaXNlIE1hY2
-+ hpbmUgUG9saWN5MEAwEgwNZW50X21kbXdzX2NsaQIBcDAqMBIwEAwKRW5jcnlwdGlvbgICAMcwFDA
-+ SDAxWZXJpZmljYXRpb24CAgDIMEIwFAwPZW50X21saXN0X2FkbWluAgF/MCowEjAQDApFbmNyeXB0
-+ aW9uAgIA3jAUMBIMDFZlcmlmaWNhdGlvbgICAN8wggE5MBUMEGVudF9tbGlzdF9zaWduZXICAX4wg
-+ gEeMIGHMBAMCkVuY3J5cHRpb24CAgDcMHMxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MS
-+ IwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExGjA
-+ YBgNVBAMTEUVuY3J5cHRpb24gUG9saWN5MIGRMBIMDFZlcmlmaWNhdGlvbgICAN0wezELMAkGA1UE
-+ BhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZ
-+ XMxEjAQBgNVBAsTCURDb21TdWJDQTEiMCAGA1UEAxMZTWFzdGVyIExpc3QgU2lnbmVyIFBvbGljeT
-+ CCAeQwGAwTZW50X21zX3NjX2NhcGlfY2xzMQIBLTCCAcYwgZ0wDwwKRHVhbCBVc2FnZQIBTDCBiTE
-+ LMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0
-+ aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEwMC4GA1UEAxMnQ0xTIDF5ciBEdWFsIFVzYWdlI
-+ E5vIEtleSBCYWNrdXAgUG9saWN5MIGOMA8MCkVuY3J5cHRpb24CAU4wezELMAkGA1UEBhMCVVMxED
-+ AOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgN
-+ VBAsTCURDb21TdWJDQTEiMCAGA1UEAxMZQ0xTIDF5ciBFbmNyeXB0aW9uIFBvbGljeTCBkjARDAxW
-+ ZXJpZmljYXRpb24CAU0wfTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTG
-+ UNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEkMCIGA1UEAxMbQ0
-+ xTIDF5ciBWZXJpZmljYXRpb24gUG9saWN5MIIB5DAYDBNlbnRfbXNfc2NfY2FwaV9jbHMyAgEuMII
-+ BxjCBnTAPDApEdWFsIFVzYWdlAgFPMIGJMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEi
-+ MCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMTAwL
-+ gYDVQQDEydDTFMgMnlyIER1YWwgVXNhZ2UgTm8gS2V5IEJhY2t1cCBQb2xpY3kwgY4wDwwKRW5jcn
-+ lwdGlvbgIBUTB7MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGl
-+ maWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSIwIAYDVQQDExlDTFMgMnly
-+ IEVuY3J5cHRpb24gUG9saWN5MIGSMBEMDFZlcmlmaWNhdGlvbgIBUDB9MQswCQYDVQQGEwJVUzEQM
-+ A4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1
-+ UECxMJRENvbVN1YkNBMSQwIgYDVQQDExtDTFMgMnlyIFZlcmlmaWNhdGlvbiBQb2xpY3kwggHyMBk
-+ MFGVudF9tc19zY19jYXBpX2NsczJtAgFRMIIB0zCBoTAQDApEdWFsIFVzYWdlAgIAjTCBjDELMAkG
-+ A1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9ya
-+ XRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEzMDEGA1UEAxMqQ0xTIDJtb250aCBEdWFsIFVzYWdlIE
-+ 5vIEtleSBCYWNrdXAgUG9saWN5MIGSMBAMCkVuY3J5cHRpb24CAgCPMH4xCzAJBgNVBAYTAlVTMRA
-+ wDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYD
-+ VQQLEwlEQ29tU3ViQ0ExJTAjBgNVBAMTHENMUyAybW9udGggRW5jcnlwdGlvbiBQb2xpY3kwgZcwE
-+ gwMVmVyaWZpY2F0aW9uAgIAjjCBgDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBg
-+ NVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEnMCUGA1U
-+ EAxMeQ0xTIDJtb250aCBWZXJpZmljYXRpb24gUG9saWN5MIIB5zAYDBNlbnRfbXNfc2NfY2FwaV9j
-+ bHM0AgFPMIIByTCBnjAQDApEdWFsIFVzYWdlAgIAhzCBiTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB
-+ 0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb2
-+ 1TdWJDQTEwMC4GA1UEAxMnQ0xTIDR5ciBEdWFsIFVzYWdlIE5vIEtleSBCYWNrdXAgUG9saWN5MIG
-+ PMBAMCkVuY3J5cHRpb24CAgCJMHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYD
-+ VQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExIjAgBgNVB
-+ AMTGUNMUyA0eXIgRW5jcnlwdGlvbiBQb2xpY3kwgZMwEgwMVmVyaWZpY2F0aW9uAgIAiDB9MQswCQ
-+ YDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3J
-+ pdGllczESMBAGA1UECxMJRENvbVN1YkNBMSQwIgYDVQQDExtDTFMgNHlyIFZlcmlmaWNhdGlvbiBQ
-+ b2xpY3kwggHnMBgME2VudF9tc19zY19jYXBpX2NsczUCAVAwggHJMIGeMBAMCkR1YWwgVXNhZ2UCA
-+ gCKMIGJMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdG
-+ lvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMTAwLgYDVQQDEydDTFMgNXlyIER1YWw
-+ gVXNhZ2UgTm8gS2V5IEJhY2t1cCBQb2xpY3kwgY8wEAwKRW5jcnlwdGlvbgICAIwwezELMAkGA1UE
-+ BhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZ
-+ XMxEjAQBgNVBAsTCURDb21TdWJDQTEiMCAGA1UEAxMZQ0xTIDV5ciBFbmNyeXB0aW9uIFBvbGljeT
-+ CBkzASDAxWZXJpZmljYXRpb24CAgCLMH0xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSI
-+ wIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExJDAi
-+ BgNVBAMTG0NMUyA1eXIgVmVyaWZpY2F0aW9uIFBvbGljeTCCAfgwGAwTZW50X21zX3NjX2NsczRfM
-+ TAyNAIBXDCCAdowgaMwEAwKRHVhbCBVc2FnZQICAKUwgY4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEw
-+ dFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29
-+ tU3ViQ0ExNTAzBgNVBAMTLENMUyAxMDI0IDR5ciBEdWFsIFVzYWdlIE5vIEtleSBCYWNrdXAgUG9s
-+ aWN5MIGVMBAMCkVuY3J5cHRpb24CAgCnMIGAMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzd
-+ DEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMS
-+ cwJQYDVQQDEx5DTFMgMTAyNCA0eXIgRW5jcnlwdGlvbiBQb2xpY3kwgZkwEgwMVmVyaWZpY2F0aW9
-+ uAgIApjCBgjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmlj
-+ YXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEpMCcGA1UEAxMgQ0xTIDEwMjQgN
-+ HlyIFZlcmlmaWNhdGlvbiBQb2xpY3kwggH4MBgME2VudF9tc19zY19jbHM0XzIwNDgCAVowggHaMI
-+ GjMBAMCkR1YWwgVXNhZ2UCAgCfMIGOMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCA
-+ GA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMTUwMwYD
-+ VQQDEyxDTFMgMjA0OCA0eXIgRHVhbCBVc2FnZSBObyBLZXkgQmFja3VwIFBvbGljeTCBlTAQDApFb
-+ mNyeXB0aW9uAgIAoTCBgDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGU
-+ NlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEnMCUGA1UEAxMeQ0x
-+ TIDIwNDggNHlyIEVuY3J5cHRpb24gUG9saWN5MIGZMBIMDFZlcmlmaWNhdGlvbgICAKAwgYIxCzAJ
-+ BgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvc
-+ ml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExKTAnBgNVBAMTIENMUyAyMDQ4IDR5ciBWZXJpZmljYX
-+ Rpb24gUG9saWN5MIIB+DAYDBNlbnRfbXNfc2NfY2xzNV8xMDI0AgFdMIIB2jCBozAQDApEdWFsIFV
-+ zYWdlAgIAqDCBjjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRp
-+ ZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTE1MDMGA1UEAxMsQ0xTIDEwM
-+ jQgNXlyIER1YWwgVXNhZ2UgTm8gS2V5IEJhY2t1cCBQb2xpY3kwgZUwEAwKRW5jcnlwdGlvbgICAK
-+ owgYAxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9
-+ uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExJzAlBgNVBAMTHkNMUyAxMDI0IDV5ciBF
-+ bmNyeXB0aW9uIFBvbGljeTCBmTASDAxWZXJpZmljYXRpb24CAgCpMIGCMQswCQYDVQQGEwJVUzEQM
-+ A4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1
-+ UECxMJRENvbVN1YkNBMSkwJwYDVQQDEyBDTFMgMTAyNCA1eXIgVmVyaWZpY2F0aW9uIFBvbGljeTC
-+ CAfgwGAwTZW50X21zX3NjX2NsczVfMjA0OAIBWzCCAdowgaMwEAwKRHVhbCBVc2FnZQICAKIwgY4x
-+ CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1d
-+ Ghvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExNTAzBgNVBAMTLENMUyAyMDQ4IDV5ciBEdWFsIF
-+ VzYWdlIE5vIEtleSBCYWNrdXAgUG9saWN5MIGVMBAMCkVuY3J5cHRpb24CAgCkMIGAMQswCQYDVQQ
-+ GEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGll
-+ czESMBAGA1UECxMJRENvbVN1YkNBMScwJQYDVQQDEx5DTFMgMjA0OCA1eXIgRW5jcnlwdGlvbiBQb
-+ 2xpY3kwgZkwEgwMVmVyaWZpY2F0aW9uAgIAozCBgjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudH
-+ J1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJ
-+ DQTEpMCcGA1UEAxMgQ0xTIDIwNDggNXlyIFZlcmlmaWNhdGlvbiBQb2xpY3kwggHpMBcMEmVudF9t
-+ c19zY19jbHNfMjA0OAIBWDCCAcwwgZ8wEAwKRHVhbCBVc2FnZQICAJowgYoxCzAJBgNVBAYTAlVTM
-+ RAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEA
-+ YDVQQLEwlEQ29tU3ViQ0ExMTAvBgNVBAMTKENMUyAyMDQ4IER1YWwgVXNhZ2UgTm8gS2V5IEJhY2t
-+ 1cCBQb2xpY3kwgZAwEAwKRW5jcnlwdGlvbgICAJwwfDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0Vu
-+ dHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21Td
-+ WJDQTEjMCEGA1UEAxMaQ0xTIDIwNDggRW5jcnlwdGlvbiBQb2xpY3kwgZQwEgwMVmVyaWZpY2F0aW
-+ 9uAgIAmzB+MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWN
-+ hdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSUwIwYDVQQDExxDTFMgMjA0OCBW
-+ ZXJpZmljYXRpb24gUG9saWN5MIG1MBgME2VudF9tc19zbXJ0Y3JkX2NhcGkCAQ8wgZgwgZUwDwwKR
-+ HVhbCBVc2FnZQIBGTCBgTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGU
-+ NlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEoMCYGA1UEAxMfRHV
-+ hbCBVc2FnZSBObyBLZXkgQmFja3VwIFBvbGljeTCCAakwEAwKZW50X21zY2FwaQICAIEwggGTMHkw
-+ CQwDRUZTAgIA4zBsMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2Vyd
-+ GlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRMwEQYDVQQDEwpFRlMgUG
-+ 9saWN5MIGHMBAMCkVuY3J5cHRpb24CAgDhMHMxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN
-+ 0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0Ex
-+ GjAYBgNVBAMTEUVuY3J5cHRpb24gUG9saWN5MIGLMBIMDFZlcmlmaWNhdGlvbgICAOIwdTELMAkGA
-+ 1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaX
-+ RpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEcMBoGA1UEAxMTVmVyaWZpY2F0aW9uIFBvbGljeTBDMBc
-+ MEmVudF9tc2Z0X3NtYXJ0Y2FyZAIBDjAoMBEwDwwKRW5jcnlwdGlvbgIBFzATMBEMDFZlcmlmaWNh
-+ dGlvbgIBGDA/MBMMDmVudF9tc2dzY2FubmVyAgENMCgwETAPDApFbmNyeXB0aW9uAgEVMBMwEQwMV
-+ mVyaWZpY2F0aW9uAgEWMD4wEgwNZW50X21zZ3NlcnZlcgIBDDAoMBEwDwwKRW5jcnlwdGlvbgIBEz
-+ ATMBEMDFZlcmlmaWNhdGlvbgIBFDBAMBIMDGVudF9tc29hZG1pbgICAIkwKjASMBAMCkVuY3J5cHR
-+ pb24CAgDxMBQwEgwMVmVyaWZpY2F0aW9uAgIA8DCCATkwFQwQZW50X21zdHdva2V5cGFpcgIBWTCC
-+ AR4wgYowEAwKRW5jcnlwdGlvbgICAJ0wdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxI
-+ jAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMB
-+ sGA1UEAxMUR00gRW5jcnlwdGlvbiBQb2xpY3kwgY4wEgwMVmVyaWZpY2F0aW9uAgIAnjB4MQswCQY
-+ DVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp
-+ dGllczESMBAGA1UECxMJRENvbVN1YkNBMR8wHQYDVQQDExZHTSBWZXJpZmljYXRpb24gUG9saWN5M
-+ IIBvjARDAxlbnRfbm9ucmVwdWQCARQwggGnMIGGMA8MCkVuY3J5cHRpb24CASIwczELMAkGA1UEBh
-+ MCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXM
-+ xEjAQBgNVBAsTCURDb21TdWJDQTEaMBgGA1UEAxMRRW5jcnlwdGlvbiBQb2xpY3kwgY4wEwwOTm9u
-+ cmVwdWRpYXRpb24CASQwdzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTG
-+ UNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEeMBwGA1UEAxMVTm
-+ 9ucmVwdWRpYXRpb24gUG9saWN5MIGKMBEMDFZlcmlmaWNhdGlvbgIBIzB1MQswCQYDVQQGEwJVUzE
-+ QMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAG
-+ A1UECxMJRENvbVN1YkNBMRwwGgYDVQQDExNWZXJpZmljYXRpb24gUG9saWN5MIICQDAZDBRlbnRfb
-+ m9ucmVwdWRfYW5kX2VmcwIBFzCCAiEweDAIDANFRlMCAS0wbDELMAkGA1UEBhMCVVMxEDAOBgNVBA
-+ oTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCUR
-+ Db21TdWJDQTETMBEGA1UEAxMKRUZTIFBvbGljeTCBhjAPDApFbmNyeXB0aW9uAgEqMHMxCzAJBgNV
-+ BAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0a
-+ WVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExGjAYBgNVBAMTEUVuY3J5cHRpb24gUG9saWN5MIGOMBMMDk
-+ 5vbnJlcHVkaWF0aW9uAgEsMHcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQ
-+ LExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHjAcBgNVBAMT
-+ FU5vbnJlcHVkaWF0aW9uIFBvbGljeTCBijARDAxWZXJpZmljYXRpb24CASswdTELMAkGA1UEBhMCV
-+ VMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEj
-+ AQBgNVBAsTCURDb21TdWJDQTEcMBoGA1UEAxMTVmVyaWZpY2F0aW9uIFBvbGljeTA5MA0MCGVudF9
-+ vY3NwAgEpMCgwETAPDApFbmNyeXB0aW9uAgFHMBMwEQwMVmVyaWZpY2F0aW9uAgFIMD0wEQwMZW50
-+ X3Byb2ZzcnZyAgEFMCgwETAPDApFbmNyeXB0aW9uAgEFMBMwEQwMVmVyaWZpY2F0aW9uAgEGMDgwD
-+ AwHZW50X3JkcAIBQDAoMBEwDwwKRW5jcnlwdGlvbgIBaTATMBEMDFZlcmlmaWNhdGlvbgIBajCBqj
-+ ASDA1lbnRfc2lnbl9uaXN0AgFyMIGTMIGQMBIMDFZlcmlmaWNhdGlvbgICAMowejELMAkGA1UEBhM
-+ CVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMx
-+ EjAQBgNVBAsTCURDb21TdWJDQTEhMB8GA1UEAxMYTklTVCBWZXJpZmljYXRpb24gUG9saWN5MIGkM
-+ BYMEWVudF9za3BfZHVhbHVzYWdlAgEYMIGJMIGGMA8MCkR1YWwgVXNhZ2UCAS4wczELMAkGA1UEBh
-+ MCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXM
-+ xEjAQBgNVBAsTCURDb21TdWJDQTEaMBgGA1UEAxMRRHVhbCBVc2FnZSBQb2xpY3kwLTATDA1lbnRf
-+ c2twbm9ucmVwAgIAgDAWMBQwEgwMVmVyaWZpY2F0aW9uAgIA4DAwMBgMEmVudF9za3Bub25yZXBfY
-+ XV0aAICAIYwFDASMBAMCkR1YWwgVXNhZ2UCAgDrMEEwEwwOZW50X3Nwb2NfYWRtaW4CAXwwKjASMB
-+ AMCkVuY3J5cHRpb24CAgDYMBQwEgwMVmVyaWZpY2F0aW9uAgIA2TBCMBQMD2VudF9zcG9jX2NsaWV
-+ udAIBejAqMBIwEAwKRW5jcnlwdGlvbgICANQwFDASDAxWZXJpZmljYXRpb24CAgDVMD4wEAwLZW50
-+ X3Nwb2NfZHYCAX0wKjASMBAMCkVuY3J5cHRpb24CAgDaMBQwEgwMVmVyaWZpY2F0aW9uAgIA2zBCM
-+ BQMD2VudF9zcG9jX3NlcnZlcgIBezAqMBIwEAwKRW5jcnlwdGlvbgICANYwFDASDAxWZXJpZmljYX
-+ Rpb24CAgDXMIG+MBMMDWVudF9zc2xfYmFzaWMCAgCIMIGmMBIwEAwKRW5jcnlwdGlvbgICAO8wgY8
-+ wEgwMVmVyaWZpY2F0aW9uAgIA7jB5MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAG
-+ A1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSAwHgYDV
-+ QQDFBdWZXJpZmljYXRpb25fcDEwIFBvbGljeTB7MBIMDGVudF9zc2xfY2VydAICAIcwUDAkMBAMCk
-+ VuY3J5cHRpb24CAgDsohAMCkVuY3J5cHRpb24CAgDvMCgwEgwMVmVyaWZpY2F0aW9uAgIA7aISDAx
-+ WZXJpZmljYXRpb24CAgDuohMMDWVudF9zc2xfYmFzaWMCAgCIMIIBKDAXDBJlbnRfc3RhbmRhbG9u
-+ ZV9lZnMCARYwggELMIGLMBAMC0NNUCBTaWduaW5nAgEpMHcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKE
-+ wdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ2
-+ 9tU3ViQ0ExHjAcBgNVBAMTFU1TIENNUCBTaWduaW5nIFBvbGljeTB7MAgMA0VGUwIBKDBvMQswCQY
-+ DVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp
-+ dGllczESMBAGA1UECxMJRENvbVN1YkNBMRYwFAYDVQQDEw1NUyBFRlMgUG9saWN5MD4wEgwNZW50X
-+ 3RpbWVzdGFtcAIBBDAoMBEwDwwKRW5jcnlwdGlvbgIBAzATMBEMDFZlcmlmaWNhdGlvbgIBBDBDMB
-+ UMEGVudF90aW1lc3RhbXBpbmcCAXcwKjASMBAMCkVuY3J5cHRpb24CAgDQMBQwEgwMVmVyaWZpY2F
-+ 0aW9uAgIA0TCBxzARDAxlbnRfdHJ1ZXBhc3MCAQgwgbEwETAPDApFbmNyeXB0aW9uAgELMIGbMBEM
-+ DFZlcmlmaWNhdGlvbgIBDDCBhTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVB
-+ AsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEsMCoGA1UEAx
-+ MjVHJ1ZVBhc3MgU2VydmVyIFZlcmlmaWNhdGlvbiBQb2xpY3kwgc0wFwwSZW50X3RydWVwYXNzX21
-+ 1bHRpAgEJMIGxMBEwDwwKRW5jcnlwdGlvbgIBDTCBmzARDAxWZXJpZmljYXRpb24CAQ4wgYUxCzAJ
-+ BgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvc
-+ ml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExLDAqBgNVBAMTI1RydWVQYXNzIFNlcnZlciBWZXJpZm
-+ ljYXRpb24gUG9saWN5MIIBLzATDA5lbnRfdHdva2V5cGFpcgIBEzCCARYwgYYwDwwKRW5jcnlwdGl
-+ vbgIBIDBzMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNh
-+ dGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRowGAYDVQQDExFFbmNyeXB0aW9uI
-+ FBvbGljeTCBijARDAxWZXJpZmljYXRpb24CASEwdTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudH
-+ J1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJ
-+ DQTEcMBoGA1UEAxMTVmVyaWZpY2F0aW9uIFBvbGljeTCCAUMwFwwSZW50X3R3b2tleXBhaXJfcDEw
-+ AgEkMIIBJjCBjjATDA5FbmNyeXB0aW9uX3AxMAIBPTB3MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHR
-+ W50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbV
-+ N1YkNBMR4wHAYDVQQDFBVFbmNyeXB0aW9uX3AxMCBQb2xpY3kwgZIwFQwQVmVyaWZpY2F0aW9uX3A
-+ xMAIBPjB5MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNh
-+ dGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSAwHgYDVQQDFBdWZXJpZmljYXRpb
-+ 25fcDEwIFBvbGljeTBBMBMMDWVudF91bXNfYWRtaW4CAgCKMCowEjAQDApFbmNyeXB0aW9uAgIA8j
-+ AUMBIMDFZlcmlmaWNhdGlvbgICAPMwOzAPDAplbnRfeGFwc3J2AgEQMCgwETAPDApFbmNyeXB0aW9
-+ uAgEaMBMwEQwMVmVyaWZpY2F0aW9uAgEbMIGuMBUMEGVwYXNzX2RvY19zaWduZXICAWQwgZQwgZEw
-+ FQwPRG9jdW1lbnQgU2lnbmVyAgIAtzB4MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiM
-+ CAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMR8wHQ
-+ YDVQQDExZEb2N1bWVudCBTaWduZXIgUG9saWN5MIGzMBoMFGVwYXNzX2RvY19zaWduZXJfZHRsAgI
-+ AhDCBlDCBkTAVDA9Eb2N1bWVudCBTaWduZXICAgDoMHgxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdF
-+ bnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU
-+ 3ViQ0ExHzAdBgNVBAMTFkRvY3VtZW50IFNpZ25lciBQb2xpY3kwgbYwFwwSZXBhc3NfbWxpc3Rfc2
-+ lnbmVyAgFjMIGaMIGXMBgMEk1hc3RlciBMaXN0IFNpZ25lcgICALYwezELMAkGA1UEBhMCVVMxEDA
-+ OBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNV
-+ BAsTCURDb21TdWJDQTEiMCAGA1UEAxMZTWFzdGVyIExpc3QgU2lnbmVyIFBvbGljeTAqMBIMDW1vY
-+ mlsZV9kZXZpY2UCAXEwFDASMBAMCkR1YWwgVXNhZ2UCAgDJMIG4MBYMEW1vYmlsZV9kZXZpY2VfMW
-+ twAgF2MIGdMIGaMBIMDFZlcmlmaWNhdGlvbgICAM8wgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwd
-+ FbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29t
-+ U3ViQ0ExKjAoBgNVBAMTIU1vYmlsZSBEZXZpY2UgVmVyaWZpY2F0aW9uIFBvbGljeTCCAVowEAwKb
-+ XNfdGhyZWV5cgICAIUwggFEMIGdMBAMCkVuY3J5cHRpb24CAgDpMIGIMQswCQYDVQQGEwJVUzEQMA
-+ 4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1U
-+ ECxMJRENvbVN1YkNBMS8wLQYDVQQDEyZNaWNyb1NvZnQgVGhyZWUgWWVhciBFbmNyeXB0aW9uIFBv
-+ bGljeTCBoTASDAxWZXJpZmljYXRpb24CAgDqMIGKMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50c
-+ nVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1Yk
-+ NBMTEwLwYDVQQDEyhNaWNyb1NvZnQgVGhyZWUgWWVhciBWZXJpZmljYXRpb24gUG9saWN5MD4wEgw
-+ NbXNfdnBuX3NlcnZlcgIBIDAoMBEwDwwKRW5jcnlwdGlvbgIBODATMBEMDFZlcmlmaWNhdGlvbgIB
-+ OTCBmDAPDApzc2xfZGV2aWNlAgFzMIGEMIGBMAkMA3NzbAICAMswdDELMAkGA1UEBhMCVVMxEDAOB
-+ gNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBA
-+ sTCURDb21TdWJDQTEbMBkGA1UEAxMSU1NMIEludGVyb3AgUG9saWN5MIIBQDAXDBJzc2xfZGV2aWN
-+ lX2ludGVyb3ACAXQwggEjMIGQMAoMBHNzbDECAgDMMIGBMQswCQYDVQQGEwJVUzEQMA4GA1UEChMH
-+ RW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvb
-+ VN1YkNBMSgwJgYDVQQDEx9TU0wgSW50ZXJvcCBWZXJpZmljYXRpb24gUG9saWN5MIGNMAoMBHNzbD
-+ ICAgDNMH8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F
-+ 0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExJjAkBgNVBAMTHVNTTCBJbnRlcm9w
-+ IEVuY3J5cHRpb24gUG9saWN5MEMwFwwSdnBuX2NsaWVudF9tYWNoaW5lAgEhMCgwETAPDApFbmNye
-+ XB0aW9uAgE6MBMwEQwMVmVyaWZpY2F0aW9uAgE7MIGiMBQMD3Zwbl9jbGllbnRfdXNlcgIBGTCBiT
-+ CBhjAPDApEdWFsIFVzYWdlAgEvMHMxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAY
-+ DVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExGjAYBgNV
-+ BAMTEUR1YWwgVXNhZ2UgUG9saWN5MDgwDAwHdnBuX2RpcgIBCjAoMBEwDwwKRW5jcnlwdGlvbgIBD
-+ zATMBEMDFZlcmlmaWNhdGlvbgIBEDA6MA4MCXZwbl9ub2RpcgIBCzAoMBEwDwwKRW5jcnlwdGlvbg
-+ IBETATMBEMDFZlcmlmaWNhdGlvbgIBEjA6MA4MCXdlYl9hZF9kYwIBHzAoMBEwDwwKRW5jcnlwdGl
-+ vbgIBNjATMBEMDFZlcmlmaWNhdGlvbgIBNzA/MBMMDndlYl9hZF9kY19jbHMxAgFDMCgwETAPDApF
-+ bmNyeXB0aW9uAgFvMBMwEQwMVmVyaWZpY2F0aW9uAgFwMD8wEwwOd2ViX2FkX2RjX2NsczICAUQwK
-+ DARMA8MCkVuY3J5cHRpb24CAXEwEzARDAxWZXJpZmljYXRpb24CAXIwggE+MBAMC3dlYl9hZF9zdn
-+ IyAgFhMIIBKDCBjzAQDApFbmNyeXB0aW9uAgIAsTB7MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW5
-+ 0cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1
-+ YkNBMSIwIAYDVQQDExlDTFMgMnlyIEVuY3J5cHRpb24gUG9saWN5MIGTMBIMDFZlcmlmaWNhdGlvb
-+ gICALIwfTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYX
-+ Rpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEkMCIGA1UEAxMbQ0xTIDJ5ciBWZXJ
-+ pZmljYXRpb24gUG9saWN5MIIBLjAQDAt3ZWJfYWRfc3ZyMwIBYjCCARgwgYcwEAwKRW5jcnlwdGlv
-+ bgICALMwczELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljY
-+ XRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEaMBgGA1UEAxMRRW5jcnlwdGlvbi
-+ BQb2xpY3kwgYswEgwMVmVyaWZpY2F0aW9uAgIAtDB1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW5
-+ 0cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1
-+ YkNBMRwwGgYDVQQDExNWZXJpZmljYXRpb24gUG9saWN5MD8wEwwOd2ViX2FpX2Ntc19jbGkCAT4wK
-+ DARMA8MCkVuY3J5cHRpb24CAWUwEzARDAxWZXJpZmljYXRpb24CAWYwPjASDA13ZWJfYWlfY21zX2
-+ RzAgE/MCgwETAPDApFbmNyeXB0aW9uAgFnMBMwEQwMVmVyaWZpY2F0aW9uAgFoMD8wEwwOd2ViX2F
-+ pX2Ntc19zdnICAT0wKDARMA8MCkVuY3J5cHRpb24CAWMwEzARDAxWZXJpZmljYXRpb24CAWQwPDAO
-+ DAl3ZWJfYmFzaWMCAWswKjASMBAMCkVuY3J5cHRpb24CAgC+MBQwEgwMVmVyaWZpY2F0aW9uAgIAv
-+ zBCMBQMDndlYl9jbGlzdnJfZXhwAgIAgjAqMBIwEAwKRW5jcnlwdGlvbgICAOQwFDASDAxWZXJpZm
-+ ljYXRpb24CAgDlMDkwDQwId2ViX2NsczECAUUwKDARMA8MCkVuY3J5cHRpb24CAXMwEzARDAxWZXJ
-+ pZmljYXRpb24CAXQwOTANDAh3ZWJfY2xzMgIBRjAoMBEwDwwKRW5jcnlwdGlvbgIBdTATMBEMDFZl
-+ cmlmaWNhdGlvbgIBdjA+MBIMDXdlYl9jbXNjbGllbnQCAUEwKDARMA8MCkVuY3J5cHRpb24CAWswE
-+ zARDAxWZXJpZmljYXRpb24CAWwwRDAXDBJ3ZWJfY21zY2xpZW50X2NsczECAUswKTARMA8MCkVuY3
-+ J5cHRpb24CAX8wFDASDAxWZXJpZmljYXRpb24CAgCAMEUwFwwSd2ViX2Ntc2NsaWVudF9jbHMyAgF
-+ MMCowEjAQDApFbmNyeXB0aW9uAgIAgTAUMBIMDFZlcmlmaWNhdGlvbgICAIIwPjASDA13ZWJfY21z
-+ c2VydmVyAgFCMCgwETAPDApFbmNyeXB0aW9uAgFtMBMwEQwMVmVyaWZpY2F0aW9uAgFuMEUwFwwSd
-+ 2ViX2Ntc3NlcnZlcl9jbHMxAgFNMCowEjAQDApFbmNyeXB0aW9uAgIAgzAUMBIMDFZlcmlmaWNhdG
-+ lvbgICAIQwRTAXDBJ3ZWJfY21zc2VydmVyX2NsczICAU4wKjASMBAMCkVuY3J5cHRpb24CAgCFMBQ
-+ wEgwMVmVyaWZpY2F0aW9uAgIAhjA9MBEMDHdlYl9jb2Rlc2lnbgIBHjAoMBEwDwwKRW5jcnlwdGlv
-+ bgIBNDATMBEMDFZlcmlmaWNhdGlvbgIBNTBCMBYMEXdlYl9jb2Rlc2lnbl9jbHMxAgFJMCgwETAPD
-+ ApFbmNyeXB0aW9uAgF7MBMwEQwMVmVyaWZpY2F0aW9uAgF8MEIwFgwRd2ViX2NvZGVzaWduX2Nscz
-+ ICAUowKDARMA8MCkVuY3J5cHRpb24CAX0wEzARDAxWZXJpZmljYXRpb24CAX4wggEsMBAMC3dlYl9
-+ kZWZhdWx0AgEcMIIBFjCBhjAPDApFbmNyeXB0aW9uAgEwMHMxCzAJBgNVBAYTAlVTMRAwDgYDVQQK
-+ EwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ
-+ 29tU3ViQ0ExGjAYBgNVBAMTEUVuY3J5cHRpb24gUG9saWN5MIGKMBEMDFZlcmlmaWNhdGlvbgIBMT
-+ B1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiB
-+ BdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRwwGgYDVQQDExNWZXJpZmljYXRpb24gUG9s
-+ aWN5MCwwEwwOd2ViX29uZWtleXBhaXICATwwFTATMBEMDFZlcmlmaWNhdGlvbgIBYjA7MA8MCndlY
-+ l9zZXJ2ZXICAR0wKDARMA8MCkVuY3J5cHRpb24CATIwEzARDAxWZXJpZmljYXRpb24CATMwKjAQDA
-+ t3ZWJfc2VydmVyMgIBdTAWMBQwEgwMVmVyaWZpY2F0aW9uAgIAzjBEMBYMEHdlYl9zZXJ2ZXJfYmF
-+ zaWMCAgCDMCowEjAQDApFbmNyeXB0aW9uAgIA5jAUMBIMDFZlcmlmaWNhdGlvbgICAOcwQDAUDA93
-+ ZWJfc2VydmVyX2NsczECAUcwKDARMA8MCkVuY3J5cHRpb24CAXcwEzARDAxWZXJpZmljYXRpb24CA
-+ XgwggFAMBQMD3dlYl9zZXJ2ZXJfY2xzMgIBSDCCASYwgY4wDwwKRW5jcnlwdGlvbgIBeTB7MQswCQ
-+ YDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3J
-+ pdGllczESMBAGA1UECxMJRENvbVN1YkNBMSIwIAYDVQQDExlDTFMgMnlyIEVuY3J5cHRpb24gUG9s
-+ aWN5MIGSMBEMDFZlcmlmaWNhdGlvbgIBejB9MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzd
-+ DEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMS
-+ QwIgYDVQQDExtDTFMgMnlyIFZlcmlmaWNhdGlvbiBQb2xpY3kwggEyMBQMD3dlYl9zZXJ2ZXJfY2x
-+ zMwIBYDCCARgwgYcwEAwKRW5jcnlwdGlvbgICAK8wczELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0Vu
-+ dHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21Td
-+ WJDQTEaMBgGA1UEAxMRRW5jcnlwdGlvbiBQb2xpY3kwgYswEgwMVmVyaWZpY2F0aW9uAgIAsDB1MQ
-+ swCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXR
-+ ob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRwwGgYDVQQDExNWZXJpZmljYXRpb24gUG9saWN5
-+ MIIBQjAUDA93ZWJfc2VydmVyX2NsczQCAV8wggEoMIGPMBAMCkVuY3J5cHRpb24CAgCtMHsxCzAJB
-+ gNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcm
-+ l0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExIjAgBgNVBAMTGUNMUyA0eXIgRW5jcnlwdGlvbiBQb2x
-+ pY3kwgZMwEgwMVmVyaWZpY2F0aW9uAgIArjB9MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVz
-+ dDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBM
-+ SQwIgYDVQQDExtDTFMgNHlyIFZlcmlmaWNhdGlvbiBQb2xpY3kwRjAYDBN3ZWJfc2VydmVyX2V4cG
-+ VyaWFuAgFuMCowEjAQDApFbmNyeXB0aW9uAgIAwzAUMBIMDFZlcmlmaWNhdGlvbgICAMQwQDAUDA9
-+ 3ZWJfc2VydmVyX2hpZ2gCATswKDARMA8MCkVuY3J5cHRpb24CAWAwEzARDAxWZXJpZmljYXRpb24C
-+ AWEwGwYJKoZIhvZ9B000MQ4wDAYKKoZIhvZ9B001ATAhMB8GA1UdIwQYMBaAFDy++9gIa1JL8T+Oh
-+ 9HW5F160lV9MA0GCSqGSIb3DQEBBQUAA4IBAQBelvaP82tFhjcHOTSDP97QLcqo2yE9RjjLtC/In8
-+ u/Zi/8y6jR9GRE11U6GbF+5+EJ5pckTMJ8Oorn3ZVOl4dKyzTN9m2rLjdUXNWd/th8Ja1RD/9hpMD
-+ o5HUUYJEoOQxufTZnWfEZ2AISB7rXLCFZpdHGvc3H2ORtkhV+SuTmLpNkN1Zsbv8TXNi4szuX5sbA
-+ y/mX7G8q0Twbb+GGpZjlKV226xc2Ejy3uYGrUK0kEr6u/ONTK1844vsuZPkcJOMcj7/c4o8oKKVMT
-+ Fyafl1swsxHWn6MTh6WqI5k2LBcyEZSptDcG1brE7BU1JAOE9F7nkaoOOWefJs3n7B8piLg
-+crossCertificatePair;binary:: MIIGUqCCBk4wggZKMIIFMqADAgECAgRIwMPgMA0GCSqGSIb3
-+ DQEBBQUAMFgxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY
-+ 2F0aW9uIEF1dGhvcml0aWVzMRMwEQYDVQQLEwpEQ29tUm9vdENBMB4XDTEwMDQyMDE0NDQwNloXDT
-+ MwMDMyMDE1MTQwNlowVzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUN
-+ lcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTCCASIwDQYJKoZIhvcN
-+ AQEBBQADggEPADCCAQoCggEBAOMj486WAJ+GC3aOTn7g1p3+tzHJ8YUAoLW0y4WC6eleA+Yq9M+FP
-+ Xlo+E6AMak4+HENfQMBa5bUgqJMGL20ZOktm0jpMtGtbS/J6Y9TrujpysVnO4SZwuWJOlwV+DLfgH
-+ JYFcE/oeVej/TcoQw+zV0RkeDVA4npgOw5FWKzPlnKANF8KN598KK92jx+p60egFYyIY04MknO/cH
-+ APZXT7tVIp1ljyHyNwMPWiwYdyVdR7IkrFQrb55lHEj4/KdHoLISe4/sQB1Yw6S9fz+A7HhF3BBkb
-+ tNJk+jfjDL2/hNq0VP9b9zURJKSGEUTBaoAbvcWw7p7v2t7VOTB5Wb496SECAwEAAaOCAxswggMXM
-+ A4GA1UdDwEB/wQEAwIBBjA8BgNVHSAENTAzMA8GDWCGSAGG+muBSAMKAgEwDwYNYIZIAYb6a4FIAw
-+ oCAjAPBg1ghkgBhvprgUgDCgIDMA8GA1UdEwEB/wQFMAMBAf8wggEBBggrBgEFBQcBAQSB9DCB8TC
-+ BnQYIKwYBBQUHMAKGgZBsZGFwOi8vZGNvbWRpcjEubWFuYWdlZC5lbnRydXN0LmNvbS9vdT1EQ29t
-+ Um9vdENBLG91PUNlcnRpZmljYXRpb24lMjBBdXRob3JpdGllcyxvPUVudHJ1c3QsYz1VUz9jQUNlc
-+ nRpZmljYXRlO2JpbmFyeSxjcm9zc0NlcnRpZmljYXRlUGFpcjtiaW5hcnkwTwYIKwYBBQUHMAKGQ2
-+ h0dHA6Ly9kY29td2ViMS5tYW5hZ2VkLmVudHJ1c3QuY29tL0FJQS9DZXJ0c0lzc3VlZFRvRENvbVJ
-+ vb3RDQS5wN2MwggFUBgNVHR8EggFLMIIBRzCB06CB0KCBzYY4aHR0cDovL2Rjb213ZWIxLm1hbmFn
-+ ZWQuZW50cnVzdC5jb20vQ1JMcy9EQ29tUm9vdENBMS5jcmyGgZBsZGFwOi8vZGNvbWRpcjEubWFuY
-+ WdlZC5lbnRydXN0LmNvbS9jbj1XaW5Db21iaW5lZDEsb3U9RENvbVJvb3RDQSxvdT1DZXJ0aWZpY2
-+ F0aW9uJTIwQXV0aG9yaXRpZXMsbz1FbnRydXN0LGM9VVM/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGl
-+ zdDtiaW5hcnkwb6BtoGukaTBnMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UE
-+ CxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczETMBEGA1UECxMKRENvbVJvb3RDQTENMAsGA1UEA
-+ xMEQ1JMMTAfBgNVHSMEGDAWgBRFx/xyHQhRD4vvL4V0iTRGDDP/JTAdBgNVHQ4EFgQUPL772AhrUk
-+ vxP46H0dbkXXrSVX0wGQYJKoZIhvZ9B0EABAwwChsEVjcuMQMCAIEwDQYJKoZIhvcNAQEFBQADggE
-+ BAJQrdloQCgTe0ahJyTU/fsKLzYXVGJOwnrwyof/+7emUfZS/OhKYuCfQ9w/wWLhT5SUzm9GDlUfk
-+ YUfpL+/5joymDJO8/thcEq/k2PJepSFf7IMY8635kNz27kI9fA8JQGn7nEI8WBjX26qs7Ho7QKVkv
-+ 6YEDuGeJwBLTGyNerDEf5n+DdMvrDmVAOs62T8uTZDb9gn/uIEGv3vaR+rs3KxvDhEr/2OFJtDWHw
-+ PdHFOrr1pNkNWqdStwoE2/fxUfccQhLn+H5GgKLD7YT74uUCi+VFP1juV3F7jUlytgtMnnbqRIbDn
-+ 4bMPn2HOmxdQ20amsdKX4bfosqFMepfSxWRQ=
-+crossCertificatePair;binary:: MIIGQaCCBj0wggY5MIIFIaADAgECAgRIwJY0MA0GCSqGSIb3
-+ DQEBBQUAMFgxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY
-+ 2F0aW9uIEF1dGhvcml0aWVzMRMwEQYDVQQLEwpEQ29tUm9vdENBMB4XDTA4MDkwNTE4MDQxMVoXDT
-+ E4MDkwNTAyMTMzN1owVzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUN
-+ lcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTCCASIwDQYJKoZIhvcN
-+ AQEBBQADggEPADCCAQoCggEBAL+MSY0GXRSMIIm5l+bMpXvk8rlG/Rjqaw0TNZ2w+KsG6ktNWXDll
-+ A1i1l0Fvx2qj4O/z5bNfgmUmJZFamyWOS6TkwX2C+2DspI7P3a+gVTVu+7VJkevo3Hye2Pd6bAf/+
-+ bfV2IhSyAOe0wW0sANyQrIjzsU1r6YBjpcT1E5QZdnzSrEYRoBhJGXf8/v+Zu21AqOZ9EpagpvmsZ
-+ 4UI8ORFg2PV0UOmnwNkMVO21JH1sUGYfKP9JAoO8vTzgwYbDN1w5DMC7SqWBl00OF6pGGaglJ5D16
-+ OcopR8aZVePxj+dW+MADgEufai5CqhUKZ6CA1pa+P6c1lPcFEGgz9AQS420CAwEAAaOCAwowggMGM
-+ A4GA1UdDwEB/wQEAwIBBjA8BgNVHSAENTAzMA8GDWCGSAGG+muBSAMKAgEwDwYNYIZIAYb6a4FIAw
-+ oCAjAPBg1ghkgBhvprgUgDCgIDMA8GA1UdEwEB/wQFMAMBAf8wggEBBggrBgEFBQcBAQSB9DCB8TC
-+ BnQYIKwYBBQUHMAKGgZBsZGFwOi8vZGNvbWRpcjEubWFuYWdlZC5lbnRydXN0LmNvbS9vdT1EQ29t
-+ Um9vdENBLG91PUNlcnRpZmljYXRpb24lMjBBdXRob3JpdGllcyxvPUVudHJ1c3QsYz1VUz9jQUNlc
-+ nRpZmljYXRlO2JpbmFyeSxjcm9zc0NlcnRpZmljYXRlUGFpcjtiaW5hcnkwTwYIKwYBBQUHMAKGQ2
-+ h0dHA6Ly9kY29td2ViMS5tYW5hZ2VkLmVudHJ1c3QuY29tL0FJQS9DZXJ0c0lzc3VlZFRvRENvbVJ
-+ vb3RDQS5wN2MwggFDBgNVHR8EggE6MIIBNjCBwqCBv6CBvIaBgGxkYXA6Ly9kY29tZGlyMS5tYW5h
-+ Z2VkLmVudHJ1c3QuY29tL291PURDb21Sb290Q0Esb3U9Q2VydGlmaWNhdGlvbiUyMEF1dGhvcml0a
-+ WVzLG89RW50cnVzdCxjPVVTP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5hjdodHRwOi
-+ 8vZGNvbXdlYjEubWFuYWdlZC5lbnRydXN0LmNvbS9DUkxzL0RDb21Sb290Q0EuY3JsMG+gbaBrpGk
-+ wZzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24g
-+ QXV0aG9yaXRpZXMxEzARBgNVBAsTCkRDb21Sb290Q0ExDTALBgNVBAMTBENSTDEwHwYDVR0jBBgwF
-+ oAUh1mBY1JFXsCw39HI6bl1OBAu3tkwHQYDVR0OBBYEFPQWLgG7q5AZpChCDZ3AH5yvEIYrMBkGCS
-+ qGSIb2fQdBAAQMMAobBFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4IBAQCrafi2DFqdhpXtzeJpUgZ
-+ glNOwZUBOp5thJUH7+yMcgl5Ka4JIqqNpw3ZbFPFT9Ni4IzDmJYyPgqHmgRubxFWpAHdP8SjEK7pl
-+ 6DwDmbCAWBiq7SmSfqt502FUUyiTcZsCLi6GqE4fetej41t3NaGidqyVQXPJ26Ti2jNT4NzRnADi6
-+ vOzMzxMSkWH1OaHoGLtTVpIjkbJZygnSmof4+gs4M1fmH4FVTcWV6t8zbTwkH4RTYSHVX04aM4ZBp
-+ nhMq6sk9uNL+qndpWkO7u7zr6K527kl6/t1Xr9/vnzD0ACVk/gluI7MvCUIzP55o01Rp90ZCMIMak
-+ u0qrESgh0GXln
-+cACertificate;binary:: MIIGSjCCBTKgAwIBAgIESMDD4DANBgkqhkiG9w0BAQUFADBYMQswCQY
-+ DVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp
-+ dGllczETMBEGA1UECxMKRENvbVJvb3RDQTAeFw0xMDA0MjAxNDQ0MDZaFw0zMDAzMjAxNTE0MDZaM
-+ FcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIE
-+ F1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggE
-+ KAoIBAQDjI+POlgCfhgt2jk5+4Nad/rcxyfGFAKC1tMuFgunpXgPmKvTPhT15aPhOgDGpOPhxDX0D
-+ AWuW1IKiTBi9tGTpLZtI6TLRrW0vyemPU67o6crFZzuEmcLliTpcFfgy34ByWBXBP6HlXo/03KEMP
-+ s1dEZHg1QOJ6YDsORVisz5ZygDRfCjeffCivdo8fqetHoBWMiGNODJJzv3BwD2V0+7VSKdZY8h8jc
-+ DD1osGHclXUeyJKxUK2+eZRxI+PynR6CyEnuP7EAdWMOkvX8/gOx4RdwQZG7TSZPo34wy9v4TatFT
-+ /W/c1ESSkhhFEwWqAG73FsO6e79re1TkweVm+PekhAgMBAAGjggMbMIIDFzAOBgNVHQ8BAf8EBAMC
-+ AQYwPAYDVR0gBDUwMzAPBg1ghkgBhvprgUgDCgIBMA8GDWCGSAGG+muBSAMKAgIwDwYNYIZIAYb6a
-+ 4FIAwoCAzAPBgNVHRMBAf8EBTADAQH/MIIBAQYIKwYBBQUHAQEEgfQwgfEwgZ0GCCsGAQUFBzACho
-+ GQbGRhcDovL2Rjb21kaXIxLm1hbmFnZWQuZW50cnVzdC5jb20vb3U9RENvbVJvb3RDQSxvdT1DZXJ
-+ 0aWZpY2F0aW9uJTIwQXV0aG9yaXRpZXMsbz1FbnRydXN0LGM9VVM/Y0FDZXJ0aWZpY2F0ZTtiaW5h
-+ cnksY3Jvc3NDZXJ0aWZpY2F0ZVBhaXI7YmluYXJ5ME8GCCsGAQUFBzAChkNodHRwOi8vZGNvbXdlY
-+ jEubWFuYWdlZC5lbnRydXN0LmNvbS9BSUEvQ2VydHNJc3N1ZWRUb0RDb21Sb290Q0EucDdjMIIBVA
-+ YDVR0fBIIBSzCCAUcwgdOggdCggc2GOGh0dHA6Ly9kY29td2ViMS5tYW5hZ2VkLmVudHJ1c3QuY29
-+ tL0NSTHMvRENvbVJvb3RDQTEuY3JshoGQbGRhcDovL2Rjb21kaXIxLm1hbmFnZWQuZW50cnVzdC5j
-+ b20vY249V2luQ29tYmluZWQxLG91PURDb21Sb290Q0Esb3U9Q2VydGlmaWNhdGlvbiUyMEF1dGhvc
-+ ml0aWVzLG89RW50cnVzdCxjPVVTP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5MG+gba
-+ BrpGkwZzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXR
-+ pb24gQXV0aG9yaXRpZXMxEzARBgNVBAsTCkRDb21Sb290Q0ExDTALBgNVBAMTBENSTDEwHwYDVR0j
-+ BBgwFoAURcf8ch0IUQ+L7y+FdIk0Rgwz/yUwHQYDVR0OBBYEFDy++9gIa1JL8T+Oh9HW5F160lV9M
-+ BkGCSqGSIb2fQdBAAQMMAobBFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4IBAQCUK3ZaEAoE3tGoSc
-+ k1P37Ci82F1RiTsJ68MqH//u3plH2UvzoSmLgn0PcP8Fi4U+UlM5vRg5VH5GFH6S/v+Y6MpgyTvP7
-+ YXBKv5NjyXqUhX+yDGPOt+ZDc9u5CPXwPCUBp+5xCPFgY19uqrOx6O0ClZL+mBA7hnicAS0xsjXqw
-+ xH+Z/g3TL6w5lQDrOtk/Lk2Q2/YJ/7iBBr972kfq7Nysbw4RK/9jhSbQ1h8D3RxTq69aTZDVqnUrc
-+ KBNv38VH3HEIS5/h+RoCiw+2E++LlAovlRT9Y7ldxe41JcrYLTJ526kSGw5+GzD59hzpsXUNtGprH
-+ Sl+G36LKhTHqX0sVkU
-+cACertificate;binary:: MIIGOTCCBSGgAwIBAgIESMCWNDANBgkqhkiG9w0BAQUFADBYMQswCQY
-+ DVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp
-+ dGllczETMBEGA1UECxMKRENvbVJvb3RDQTAeFw0wODA5MDUxODA0MTFaFw0xODA5MDUwMjEzMzdaM
-+ FcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIE
-+ F1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggE
-+ KAoIBAQC/jEmNBl0UjCCJuZfmzKV75PK5Rv0Y6msNEzWdsPirBupLTVlw5ZQNYtZdBb8dqo+Dv8+W
-+ zX4JlJiWRWpsljkuk5MF9gvtg7KSOz92voFU1bvu1SZHr6Nx8ntj3emwH//m31diIUsgDntMFtLAD
-+ ckKyI87FNa+mAY6XE9ROUGXZ80qxGEaAYSRl3/P7/mbttQKjmfRKWoKb5rGeFCPDkRYNj1dFDpp8D
-+ ZDFTttSR9bFBmHyj/SQKDvL084MGGwzdcOQzAu0qlgZdNDheqRhmoJSeQ9ejnKKUfGmVXj8Y/nVvj
-+ AA4BLn2ouQqoVCmeggNaWvj+nNZT3BRBoM/QEEuNtAgMBAAGjggMKMIIDBjAOBgNVHQ8BAf8EBAMC
-+ AQYwPAYDVR0gBDUwMzAPBg1ghkgBhvprgUgDCgIBMA8GDWCGSAGG+muBSAMKAgIwDwYNYIZIAYb6a
-+ 4FIAwoCAzAPBgNVHRMBAf8EBTADAQH/MIIBAQYIKwYBBQUHAQEEgfQwgfEwgZ0GCCsGAQUFBzACho
-+ GQbGRhcDovL2Rjb21kaXIxLm1hbmFnZWQuZW50cnVzdC5jb20vb3U9RENvbVJvb3RDQSxvdT1DZXJ
-+ 0aWZpY2F0aW9uJTIwQXV0aG9yaXRpZXMsbz1FbnRydXN0LGM9VVM/Y0FDZXJ0aWZpY2F0ZTtiaW5h
-+ cnksY3Jvc3NDZXJ0aWZpY2F0ZVBhaXI7YmluYXJ5ME8GCCsGAQUFBzAChkNodHRwOi8vZGNvbXdlY
-+ jEubWFuYWdlZC5lbnRydXN0LmNvbS9BSUEvQ2VydHNJc3N1ZWRUb0RDb21Sb290Q0EucDdjMIIBQw
-+ YDVR0fBIIBOjCCATYwgcKggb+ggbyGgYBsZGFwOi8vZGNvbWRpcjEubWFuYWdlZC5lbnRydXN0LmN
-+ vbS9vdT1EQ29tUm9vdENBLG91PUNlcnRpZmljYXRpb24lMjBBdXRob3JpdGllcyxvPUVudHJ1c3Qs
-+ Yz1VUz9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0O2JpbmFyeYY3aHR0cDovL2Rjb213ZWIxLm1hb
-+ mFnZWQuZW50cnVzdC5jb20vQ1JMcy9EQ29tUm9vdENBLmNybDBvoG2ga6RpMGcxCzAJBgNVBAYTAl
-+ VTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRM
-+ wEQYDVQQLEwpEQ29tUm9vdENBMQ0wCwYDVQQDEwRDUkwxMB8GA1UdIwQYMBaAFIdZgWNSRV7AsN/R
-+ yOm5dTgQLt7ZMB0GA1UdDgQWBBT0Fi4Bu6uQGaQoQg2dwB+crxCGKzAZBgkqhkiG9n0HQQAEDDAKG
-+ wRWNy4xAwIAgTANBgkqhkiG9w0BAQUFAAOCAQEAq2n4tgxanYaV7c3iaVIGYJTTsGVATqebYSVB+/
-+ sjHIJeSmuCSKqjacN2WxTxU/TYuCMw5iWMj4Kh5oEbm8RVqQB3T/EoxCu6Zeg8A5mwgFgYqu0pkn6
-+ redNhVFMok3GbAi4uhqhOH3rXo+NbdzWhonaslUFzyduk4tozU+Dc0ZwA4urzszM8TEpFh9Tmh6Bi
-+ 7U1aSI5GyWcoJ0pqH+PoLODNX5h+BVU3FlerfM208JB+EU2Eh1V9OGjOGQaZ4TKurJPbjS/qp3aVp
-+ Du7u86+iudu5Jev7dV6/f758w9AAlZP4JbiOzLwlCMz+eaNNUafdGQjCDGpLtKqxEoIdBl5Zw==
-+objectClass: organizationalUnit
-+objectClass: top
-+objectClass: extensibleobject
-+ou: binary
-+nsUniqueId: f49ca103-c2ee11e7-9170b029-e68fda34
-+creatorsName:
-+modifiersName:
-+createTimestamp: 20171106123544Z
-+modifyTimestamp: 20171106123544Z
-+
-+# entry-id: 3
-+dn: cn=test,ou=binary,dc=example,dc=com
-+userCertificate:: MIIGfzCCBWcCAQEwgYOhgYAwfqR8MHoxCzAJBgNVBAYTAlVTMRAwDgYDVQQK
-+ EwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ
-+ 29tU3ViQ0ExITAfBgNVBAMTGFNQT0MgU2VydmVyIExvZ2luIFBvbGljeTBnoGUwYzBbpFkwVzELMA
-+ kGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9
-+ yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQQIESMDD4DANBgkqhkiG9w0BAQUFAAIEV4eo1TAiGA8y
-+ MDE3MTAxNTIyNDYwOVoYDzIwMTcxMTE0MjI0NjA5WjCCBBUwHwYJKoZIhvZ9B00BMRIwEAIBAAIBC
-+ AIBCAIBCgMCAGkwFAYJKoZIhvZ9B00DMQcwBQwDQUxMMBEGCSqGSIb2fQdNBTEEAwID2DAPBgkqhk
-+ iG9n0HTQYxAgwAMBcGCSqGSIb2fQdNCTEKDAhSU0EtMjA0ODApBgkqhkiG9n0HTQ4xHDAaDAlwcml
-+ udGFibGUMB3RlbGV0ZXgMBHV0ZjgwEQYJKoZIhvZ9B00PMQQDAgeAMBEGCSqGSIb2fQdNFTEEAwIH
-+ gDAQBgkqhkiG9n0HTRYxAwMBADAQBgkqhkiG9n0HTQgxAwMBADAQBgkqhkiG9n0HTSwxAwMBADAPB
-+ gkqhkiG9n0HTQsxAjAAMBAGCSqGSIb2fQdNDDEDAwEAMBAGCSqGSIb2fQdNDTEDAgEeMA8GCSqGSI
-+ b2fQdNEzECDAAwEAYJKoZIhvZ9B00XMQMBAQAwEQYJKoZIhvZ9B00YMQQCAgfQMBAGCSqGSIb2fQd
-+ NHzEDAQEAMBAGCSqGSIb2fQdNJjEDAwEAMBAGCSqGSIb2fQdNGTEDAgECMBAGCSqGSIb2fQdNGzED
-+ AQEAMBAGCSqGSIb2fQdNKTEDAQEAMBAGCSqGSIb2fQdNHDEDAgEAMBAGCSqGSIb2fQdNHTEDAgEBM
-+ BAGCSqGSIb2fQdNIDEDAwEAMBEGCSqGSIb2fQdNITEEAwIE8DAPBgkqhkiG9n0HTSMxAgwAMA8GCS
-+ qGSIb2fQdNJDECDAAwJAYJKoZIhvZ9B00lMRcwFQwJRGlyZWN0b3J5DANFQUIMA0dBTDAQBgkqhki
-+ G9n0HTSsxAwMBADAPBgkqhkiG9n0HTTYxAgwAMBEGCSqGSIb2fQdNMzEEAwIHgDAPBgkqhkiG9n0H
-+ TScxAgwAMBAGCSqGSIb2fQdNETEDAgECMBAGCSqGSIb2fQdNKDEDAgFkMBEGCiqGSIb2fQdNLQExA
-+ wIBAzBEBgoqhkiG9n0HTS0CMTYwNAwMZW50ZWxsaWdlbmNlDAZkaXJlY3QMCHpmLWxvY2FsDAp6Zi
-+ 1yb2FtaW5nDAZ6Zi1tc2YwFwYKKoZIhvZ9B00tAzEJDAdleGVjdXRlMBAGCSqGSIb2fQdNMTEDAQE
-+ AMBAGCSqGSIb2fQdNMjEDAQEAMBAGCSqGSIb2fQdNOTEDAQH/MA8GCSqGSIb2fQdNLzECDAAwEAYJ
-+ KoZIhvZ9B004MQMBAQAwEwYJKoZIhvZ9B003MQYMBENBU1QwEAYJKoZIhvZ9B007MQMBAQAwFgYJK
-+ oZIhvZ9B009MQkMB0VudHJ1c3QwEAYJKoZIhvZ9B00+MQMBAQAwEAYJKoZIhvZ9B00/MQMBAQAwFw
-+ YJKoZIhvZ9B00KMQoMCFJTQS0yMDQ4MBAGCSqGSIb2fQdNQzEDAQEAMCEwHwYDVR0jBBgwFoAUPL7
-+ 72AhrUkvxP46H0dbkXXrSVX0wDQYJKoZIhvcNAQEFBQADggEBADrezRWX0fuPC415BUa3tafMLaVO
-+ 24v3CP+qYud4Z6IKI7jNtt2pcneaYjQ7iaxypE3N7Wwlim6Ak4yuwwJ9SrKOSe7YPiFOuugvNy2fk
-+ +f2h3bFkLm40bkjPPH8bih4sLyU8RcN2cAJLxHINwXO3ALKBo3IdxrfcoKquO7g+R4+ZPvmS/95J9
-+ aQ08FZKpkv+ORPRZySkr0zMUARdBBguklHqFeczn5tQnmJcsfVlP4DC7IPqw2xM8l3b+iAH5pyqgb
-+ o/Lk11VWkD11s3K8/Bf40eH23upDOwmYBAszHdXU4+5HNZ/An6xfVEjr/+KxUAEVD5TGQMVJY6SCS
-+ zN3ONRc=
-+objectClass: top
-+objectClass: extensibleobject
-+cn: test
-+nsUniqueId: f49ca104-c2ee11e7-9170b029-e68fda34
-+creatorsName:
-+modifiersName:
-+createTimestamp: 20171106123544Z
-+modifyTimestamp: 20171106123544Z
-+
-diff --git a/dirsrvtests/tests/tickets/ticket49441_test.py b/dirsrvtests/tests/tickets/ticket49441_test.py
-new file mode 100644
-index 000000000..e50ebc128
---- /dev/null
-+++ b/dirsrvtests/tests/tickets/ticket49441_test.py
-@@ -0,0 +1,74 @@
-+import logging
-+import pytest
-+import os
-+import ldap
-+from lib389._constants import *
-+from lib389.topologies import topology_st as topo
-+from lib389.utils import *
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+
-+def test_ticket49441(topo):
-+ """Import ldif with large indexed binary attributes, the server should not
-+ crash
-+
-+ :id: 4e5df145-cbd1-4955-8f77-6a7eaa14beba
-+ :setup: standalone topology
-+ :steps:
-+ 1. Add indexes for binary attributes
-+ 2. Perform online import
-+ 3. Verify server is still running
-+ :expectedresults:
-+ 1. Indexes are successfully added
-+ 2. Import succeeds
-+ 3. Server is still running
-+ """
-+
-+ log.info('Position ldif files, and add indexes...')
-+ ldif_dir = topo.standalone.get_ldif_dir() + "binary.ldif"
-+ ldif_file = (topo.standalone.getDir(__file__, DATA_DIR) +
-+ "ticket49441/binary.ldif")
-+ shutil.copyfile(ldif_file, ldif_dir)
-+ args = {INDEX_TYPE: ['eq', 'pres']}
-+ for attr in ('usercertificate', 'authorityrevocationlist',
-+ 'certificaterevocationlist', 'crosscertificatepair',
-+ 'cacertificate'):
-+ try:
-+ topo.standalone.index.create(suffix=DEFAULT_SUFFIX,
-+ be_name='userroot',
-+ attr=attr, args=args)
-+ except ldap.LDAPError as e:
-+ log.fatal("Failed to add index '{}' error: {}".format(attr, str(e)))
-+ raise e
-+
-+ log.info('Import LDIF with large indexed binary attributes...')
-+ try:
-+ topo.standalone.tasks.importLDIF(suffix=DEFAULT_SUFFIX,
-+ input_file=ldif_dir,
-+ args={TASK_WAIT: True})
-+ except:
-+ log.fatal('Import failed!')
-+ assert False
-+
-+ log.info('Verify server is still running...')
-+ try:
-+ topo.standalone.search_s("", ldap.SCOPE_BASE, "objectclass=*")
-+ except ldap.LDAPError as e:
-+ log.fatal('Server is not alive: ' + str(e))
-+ assert False
-+
-+ log.info('Test PASSED')
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-+
-diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
-index 58b11ed99..a565db87b 100644
---- a/ldap/servers/slapd/back-ldbm/index.c
-+++ b/ldap/servers/slapd/back-ldbm/index.c
-@@ -827,8 +827,10 @@ encode(const struct berval *data, char buf[BUFSIZ])
- bufSpace -= (s - first);
- }
- do {
-- *bufNext++ = '\\';
-- --bufSpace;
-+ if (bufSpace) {
-+ *bufNext++ = '\\';
-+ --bufSpace;
-+ }
- if (bufSpace < 2) {
- memcpy(bufNext, "..", 2);
- bufNext += 2;
-@@ -926,8 +928,10 @@ index_read_ext_allids(
- slapi_log_err(SLAPI_LOG_ERR, "index_read_ext_allids", "NULL prefix\n");
- return NULL;
- }
-- slapi_log_err(SLAPI_LOG_TRACE, "index_read_ext_allids", "=> ( \"%s\" %s \"%s\" )\n",
-- type, prefix, encode(val, buf));
-+ if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
-+ slapi_log_err(SLAPI_LOG_TRACE, "index_read_ext_allids", "=> ( \"%s\" %s \"%s\" )\n",
-+ type, prefix, encode(val, buf));
-+ }
-
- basetype = typebuf;
- if ((basetmp = slapi_attr_basetype(type, typebuf, sizeof(typebuf))) != NULL) {
-@@ -1773,8 +1777,7 @@ addordel_values(
- */
- key.flags = DB_DBT_USERMEM;
- key.ulen = tmpbuflen;
--#ifdef LDAP_ERROR_LOGGING
-- /* XXX if ( slapd_ldap_debug & LDAP_DEBUG_TRACE ) XXX */
-+ if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
- {
- char encbuf[BUFSIZ];
-
-@@ -1782,7 +1785,6 @@ addordel_values(
- (flags & BE_INDEX_ADD) ? "add" : "del",
- encoded (&key, encbuf));
- }
--#endif
-
- if (NULL != txn) {
- db_txn = txn->back_txn_txn;
-@@ -1939,8 +1941,8 @@ addordel_values_sv(
- */
- key.flags = DB_DBT_USERMEM;
- key.ulen = tmpbuflen;
--#ifdef LDAP_ERROR_LOGGING
-- /* XXX if ( slapd_ldap_debug & LDAP_DEBUG_TRACE ) XXX */
-+
-+ if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
- {
- char encbuf[BUFSIZ];
-
-@@ -1948,7 +1950,6 @@ addordel_values_sv(
- (flags & BE_INDEX_ADD) ? "add" : "del",
- encoded(&key, encbuf));
- }
--#endif
-
- if (NULL != txn) {
- db_txn = txn->back_txn_txn;
---
-2.13.6
-
diff --git a/SOURCES/0034-Ticket-49441-Import-crashes-oneline-fix.patch b/SOURCES/0034-Ticket-49441-Import-crashes-oneline-fix.patch
deleted file mode 100644
index d9b84d3..0000000
--- a/SOURCES/0034-Ticket-49441-Import-crashes-oneline-fix.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 2c868707b3ae1a4255ea33610b177f8a98f4a3f3 Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Tue, 7 Nov 2017 17:09:18 +1000
-Subject: [PATCH] Ticket 49441 - Import crashes - oneline fix
-
-Bug Description: index.c fails to compile.
-
-Fix Description: Excess braces due to copy paste issue.
-
-https://pagure.io/389-ds-base/issue/49441
-
-Author: wibrown
-
-Review by: oneline rule
-
-(cherry picked from commit be4d7e5a82c1616317fa52968d2814e3f922254c)
----
- ldap/servers/slapd/back-ldbm/index.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
-index a565db87b..587f4d991 100644
---- a/ldap/servers/slapd/back-ldbm/index.c
-+++ b/ldap/servers/slapd/back-ldbm/index.c
-@@ -1778,7 +1778,6 @@ addordel_values(
- key.flags = DB_DBT_USERMEM;
- key.ulen = tmpbuflen;
- if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
-- {
- char encbuf[BUFSIZ];
-
- slapi_log_err(SLAPI_LOG_TRACE, "addordel_values", "%s_value(\"%s\")\n",
-@@ -1943,7 +1942,6 @@ addordel_values_sv(
- key.ulen = tmpbuflen;
-
- if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
-- {
- char encbuf[BUFSIZ];
-
- slapi_log_err(SLAPI_LOG_TRACE, "addordel_values_sv", "%s_value(\"%s\")\n",
---
-2.13.6
-
diff --git a/SOURCES/0035-Ticket-49377-Incoming-BER-too-large-with-TLS-on-plai.patch b/SOURCES/0035-Ticket-49377-Incoming-BER-too-large-with-TLS-on-plai.patch
deleted file mode 100644
index 6d7c5f4..0000000
--- a/SOURCES/0035-Ticket-49377-Incoming-BER-too-large-with-TLS-on-plai.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 40811ab7571ddf0a6905b3b019229bdb555bd04d Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Tue, 7 Nov 2017 12:42:11 +1000
-Subject: [PATCH] Ticket 49377 - Incoming BER too large with TLS on plain port
-
-Bug Description: When doing TLS to a plain port, a message of
-"ber element 3 bytes too large for max ber" when max ber > 3.
-
-Fix Description: When ber_len < maxber, report that the request
-may be misformed instead of "oversize" instead. This can lead
-to a better diagnosis.
-
-https://pagure.io/389-ds-base/issue/49377
-
-Author: wibrown
-
-Review by: mreynolds (thanks!)
-
-Cherry picked from commit b3629af054760d9421a41d63b8b8ed513bb6944d
----
- ldap/servers/slapd/connection.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index 3f19b9765..8ef115691 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -2176,6 +2176,13 @@ log_ber_too_big_error(const Connection *conn, ber_len_t ber_len, ber_len_t maxbe
- " is %" BERLEN_T " bytes. Change the nsslapd-maxbersize attribute in"
- " cn=config to increase.\n",
- conn->c_connid, conn->c_sd, maxbersize);
-+ } else if (ber_len < maxbersize) {
-+ /* This means the request was misformed, not too large. */
-+ slapi_log_err(SLAPI_LOG_ERR, "log_ber_too_big_error",
-+ "conn=%" PRIu64 " fd=%d Incoming BER Element may be misformed. "
-+ "This may indicate an attempt to use TLS on a plaintext port, "
-+ "IE ldaps://localhost:389. Check your client LDAP_URI settings.\n",
-+ conn->c_connid, conn->c_sd);
- } else {
- slapi_log_err(SLAPI_LOG_ERR, "log_ber_too_big_error",
- "conn=%" PRIu64 " fd=%d Incoming BER Element was %" BERLEN_T " bytes, max allowable"
---
-2.13.6
-
diff --git a/SOURCES/0036-Ticket-48118-At-startup-changelog-can-be-erronously-.patch b/SOURCES/0036-Ticket-48118-At-startup-changelog-can-be-erronously-.patch
deleted file mode 100644
index 1aa02b6..0000000
--- a/SOURCES/0036-Ticket-48118-At-startup-changelog-can-be-erronously-.patch
+++ /dev/null
@@ -1,244 +0,0 @@
-From 127e0d954eb7741c4afdc0305f7970b7ea164e8d Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Thu, 9 Nov 2017 11:28:34 +0100
-Subject: [PATCH] Ticket 48118 - At startup, changelog can be erronously
- rebuilt after a normal shutdown
-
- Problem: There are two problems that can lead to inconsistent database and changelog maxruv:
- 1] the database ruv is written periodically in th ehouskeeping thread and at shutdown. It
- relies on teh ruv_dirty flag, but due to a race condition this can be reset befor writing
- the ruv
- 2] the changelog max ruv is updated whenever an operation is commutted, but in case of internal
- operations inside the txn for a client operation, if the operation is aborted the cl maxruv
- is not reset. Since it is only written at shutdown this normally is no problem, but if the
- aborted operation is the last before shutdown or is aborted by shutdown the cl ruv is incorrect
-
- Fix: the fix is in two parts:
- 1] remove the use of the dirty flag, ensure that the ruv is always written. The overhead for writing
- a database ruv that has not changed is minimal
- 2] when writing the changelog maxruv check if the macsns it contains are really present in the
- changelog. If not the maxruv is not written, it will be reconstructed at the next startup
-
- Reviewed by: William,Thierry - Thanks
----
- ldap/servers/plugins/replication/cl5_api.c | 39 ++++++++++++++++++++++
- ldap/servers/plugins/replication/repl5.h | 1 -
- ldap/servers/plugins/replication/repl5_replica.c | 32 +-----------------
- .../plugins/replication/repl5_replica_config.c | 2 --
- 4 files changed, 40 insertions(+), 34 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
-index ec648c014..55032dfb0 100644
---- a/ldap/servers/plugins/replication/cl5_api.c
-+++ b/ldap/servers/plugins/replication/cl5_api.c
-@@ -250,6 +250,8 @@ static void _cl5ReadBerval(struct berval *bv, char **buff);
- static void _cl5WriteBerval(struct berval *bv, char **buff);
- static int _cl5ReadBervals(struct berval ***bv, char **buff, unsigned int size);
- static int _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size);
-+static int64_t _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv);
-+static int64_t _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg);
-
- /* replay iteration */
- #ifdef FOR_DEBUGGING
-@@ -2716,6 +2718,36 @@ _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size)
- return CL5_SUCCESS;
- }
-
-+static int64_t
-+_cl5CheckCSNinCL(const ruv_enum_data *element, void *arg)
-+{
-+ CL5DBFile *file = (CL5DBFile *)arg;
-+ int rc = 0;
-+
-+ DBT key = {0}, data = {0};
-+ char csnStr[CSN_STRSIZE];
-+
-+ /* construct the key */
-+ key.data = csn_as_string(element->csn, PR_FALSE, csnStr);
-+ key.size = CSN_STRSIZE;
-+
-+ data.flags = DB_DBT_MALLOC;
-+
-+ rc = file->db->get(file->db, NULL /*txn*/, &key, &data, 0);
-+
-+ slapi_ch_free(&(data.data));
-+ return rc;
-+}
-+
-+static int64_t
-+_cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv)
-+{
-+ int rc = 0;
-+
-+ rc = ruv_enumerate_elements(maxruv, _cl5CheckCSNinCL, (void *)file);
-+
-+ return rc;
-+}
- /* upgrade from db33 to db41
- * 1. Run recovery on the database environment using the DB_ENV->open method
- * 2. Remove any Berkeley DB environment using the DB_ENV->remove method
-@@ -4010,6 +4042,13 @@ _cl5WriteRUV(CL5DBFile *file, PRBool purge)
- rc = ruv_to_bervals(file->maxRUV, &vals);
- }
-
-+ if (!purge && _cl5CheckMaxRUV(file, file->maxRUV)) {
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name_cl,
-+ "_cl5WriteRUV - changelog maxRUV not found in changelog for file %s\n",
-+ file->name);
-+ return CL5_DB_ERROR;
-+ }
-+
- key.size = CSN_STRSIZE;
-
- rc = _cl5WriteBervals(vals, &buff, &data.size);
-diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
-index c6e79b7e2..4e206a0fc 100644
---- a/ldap/servers/plugins/replication/repl5.h
-+++ b/ldap/servers/plugins/replication/repl5.h
-@@ -725,7 +725,6 @@ Object *replica_get_for_backend(const char *be_name);
- void replica_set_purge_delay(Replica *r, uint32_t purge_delay);
- void replica_set_tombstone_reap_interval(Replica *r, long interval);
- void replica_update_ruv_consumer(Replica *r, RUV *supplier_ruv);
--void replica_set_ruv_dirty(Replica *r);
- Slapi_Entry *get_in_memory_ruv(Slapi_DN *suffix_sdn);
- int replica_write_ruv(Replica *r);
- char *replica_get_dn(Replica *r);
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index e5296bf1c..77f4f18e4 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -41,7 +41,6 @@ struct replica
- ReplicaType repl_type; /* is this replica read-only ? */
- ReplicaId repl_rid; /* replicaID */
- Object *repl_ruv; /* replica update vector */
-- PRBool repl_ruv_dirty; /* Dirty flag for ruv */
- CSNPL *min_csn_pl; /* Pending list for minimal CSN */
- void *csn_pl_reg_id; /* registration assignment for csn callbacks */
- unsigned long repl_state_flags; /* state flags */
-@@ -788,7 +787,6 @@ replica_set_ruv(Replica *r, RUV *ruv)
- }
-
- r->repl_ruv = object_new((void *)ruv, (FNFree)ruv_destroy);
-- r->repl_ruv_dirty = PR_TRUE;
-
- replica_unlock(r->repl_lock);
- }
-@@ -860,9 +858,6 @@ replica_update_ruv(Replica *r, const CSN *updated_csn, const char *replica_purl)
- "to update RUV for replica %s, csn = %s\n",
- slapi_sdn_get_dn(r->repl_root),
- csn_as_string(updated_csn, PR_FALSE, csn_str));
-- } else {
-- /* RUV updated - mark as dirty */
-- r->repl_ruv_dirty = PR_TRUE;
- }
- } else {
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,
-@@ -1347,8 +1342,6 @@ replica_dump(Replica *r)
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\tupdate dn: %s\n",
- updatedn_list ? updatedn_list : "not configured");
- slapi_ch_free_string(&updatedn_list);
-- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\truv: %s configured and is %sdirty\n",
-- r->repl_ruv ? "" : "not", r->repl_ruv_dirty ? "" : "not ");
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\tCSN generator: %s configured\n",
- r->repl_csngen ? "" : "not");
- /* JCMREPL - Dump Referrals */
-@@ -1675,7 +1668,6 @@ replica_check_for_data_reload(Replica *r, void *arg __attribute__((unused)))
-
- ruv_force_csn_update_from_ruv(upper_bound_ruv, r_ruv,
- "Force update of database RUV (from CL RUV) -> ", SLAPI_LOG_NOTICE);
-- replica_set_ruv_dirty(r);
- }
-
- } else {
-@@ -2778,11 +2770,6 @@ replica_write_ruv(Replica *r)
-
- replica_lock(r->repl_lock);
-
-- if (!r->repl_ruv_dirty) {
-- replica_unlock(r->repl_lock);
-- return rc;
-- }
--
- PR_ASSERT(r->repl_ruv);
-
- ruv_to_smod((RUV *)object_get_data(r->repl_ruv), &smod);
-@@ -2817,14 +2804,10 @@ replica_write_ruv(Replica *r)
- /* ruv does not exist - create one */
- replica_lock(r->repl_lock);
-
-- if (rc == LDAP_SUCCESS) {
-- r->repl_ruv_dirty = PR_FALSE;
-- } else if (rc == LDAP_NO_SUCH_OBJECT) {
-+ if (rc == LDAP_NO_SUCH_OBJECT) {
- /* this includes an internal operation - but since this only happens
- during server startup - its ok that we have lock around it */
- rc = _replica_configure_ruv(r, PR_TRUE);
-- if (rc == 0)
-- r->repl_ruv_dirty = PR_FALSE;
- } else /* error */
- {
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
-@@ -3325,7 +3308,6 @@ replica_create_ruv_tombstone(Replica *r)
-
- if (ruv_init_new(csnstr, r->repl_rid, purl, &ruv) == RUV_SUCCESS) {
- r->repl_ruv = object_new((void *)ruv, (FNFree)ruv_destroy);
-- r->repl_ruv_dirty = PR_TRUE;
- return_value = LDAP_SUCCESS;
- } else {
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_create_ruv_tombstone - "
-@@ -3365,8 +3347,6 @@ replica_create_ruv_tombstone(Replica *r)
- slapi_add_internal_pb(pb);
- e = NULL; /* add consumes e, upon success or failure */
- slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &return_value);
-- if (return_value == LDAP_SUCCESS)
-- r->repl_ruv_dirty = PR_FALSE;
-
- done:
- slapi_entry_free(e);
-@@ -3630,7 +3610,6 @@ replica_strip_cleaned_rids(Replica *r)
- ruv_get_cleaned_rids(ruv, rid);
- while (rid[i] != 0) {
- ruv_delete_replica(ruv, rid[i]);
-- replica_set_ruv_dirty(r);
- if (replica_write_ruv(r)) {
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
- "replica_strip_cleaned_rids - Failed to write RUV\n");
-@@ -3744,15 +3723,6 @@ replica_update_ruv_consumer(Replica *r, RUV *supplier_ruv)
- }
- }
-
--void
--replica_set_ruv_dirty(Replica *r)
--{
-- PR_ASSERT(r);
-- replica_lock(r->repl_lock);
-- r->repl_ruv_dirty = PR_TRUE;
-- replica_unlock(r->repl_lock);
--}
--
- PRBool
- replica_is_state_flag_set(Replica *r, int32_t flag)
- {
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index 9c8d6adbb..e025f34d8 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -937,7 +937,6 @@ replica_config_change_type_and_id(Replica *r, const char *new_type, const char *
- replica_reset_csn_pl(r);
- }
- ruv_delete_replica(ruv, oldrid);
-- replica_set_ruv_dirty(r);
- cl5CleanRUV(oldrid);
- replica_set_csn_assigned(r);
- }
-@@ -1323,7 +1322,6 @@ replica_execute_cleanruv_task(Object *r, ReplicaId rid, char *returntext __attri
- return LDAP_UNWILLING_TO_PERFORM;
- }
- rc = ruv_delete_replica(local_ruv, rid);
-- replica_set_ruv_dirty(replica);
- if (replica_write_ruv(replica)) {
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "cleanAllRUV_task - Could not write RUV\n");
- }
---
-2.13.6
-
diff --git a/SOURCES/0037-Ticket-48118-fix-compiler-warning-for-incorrect-retu.patch b/SOURCES/0037-Ticket-48118-fix-compiler-warning-for-incorrect-retu.patch
deleted file mode 100644
index f592cba..0000000
--- a/SOURCES/0037-Ticket-48118-fix-compiler-warning-for-incorrect-retu.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From fd06b282ffd06a5b3807c0396bff442f0c7568b1 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Wed, 15 Nov 2017 13:17:00 +0100
-Subject: [PATCH] Ticket 48118 - fix compiler warning for incorrect return type
-
----
- ldap/servers/plugins/replication/cl5_api.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
-index 55032dfb0..721013abf 100644
---- a/ldap/servers/plugins/replication/cl5_api.c
-+++ b/ldap/servers/plugins/replication/cl5_api.c
-@@ -250,8 +250,8 @@ static void _cl5ReadBerval(struct berval *bv, char **buff);
- static void _cl5WriteBerval(struct berval *bv, char **buff);
- static int _cl5ReadBervals(struct berval ***bv, char **buff, unsigned int size);
- static int _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size);
--static int64_t _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv);
--static int64_t _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg);
-+static int32_t _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv);
-+static int32_t _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg);
-
- /* replay iteration */
- #ifdef FOR_DEBUGGING
-@@ -2718,7 +2718,7 @@ _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size)
- return CL5_SUCCESS;
- }
-
--static int64_t
-+static int32_t
- _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg)
- {
- CL5DBFile *file = (CL5DBFile *)arg;
-@@ -2739,7 +2739,7 @@ _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg)
- return rc;
- }
-
--static int64_t
-+static int32_t
- _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv)
- {
- int rc = 0;
---
-2.13.6
-
diff --git a/SOURCES/0038-Ticket-49298-Correct-error-codes-with-config-restore.patch b/SOURCES/0038-Ticket-49298-Correct-error-codes-with-config-restore.patch
deleted file mode 100644
index 5e0db58..0000000
--- a/SOURCES/0038-Ticket-49298-Correct-error-codes-with-config-restore.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From e3dea0043973faf42f7756d840bc55aa8f143eb1 Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Wed, 15 Nov 2017 13:44:02 +1000
-Subject: [PATCH] Ticket 49298 - Correct error codes with config restore.
-
-Bug Description: The piece of code uses 0 as an error - not 1,
-and in some cases did not even check the codes or use the
-correct logic.
-
-Fix Description: Cleanup dse_check_file to better check the
-content of files and communicate issues to the admin. Correct
-slapd_bootstrap_config to correctly handle the cases of removal
-and restore.
-
-https://pagure.io/389-ds-base/issue/49298
-
-Author: wibrown
-
-Review by: mreynoolds & spichugi
-
-Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
-(cherry picked from commit 75e55e26579955adf058e8adcba9a28779583b7b)
----
- .../suites/config/removed_config_49298_test.py | 81 ++++++++++++++++++++++
- ldap/servers/slapd/config.c | 15 ++--
- ldap/servers/slapd/dse.c | 42 ++++++++---
- 3 files changed, 119 insertions(+), 19 deletions(-)
- create mode 100644 dirsrvtests/tests/suites/config/removed_config_49298_test.py
-
-diff --git a/dirsrvtests/tests/suites/config/removed_config_49298_test.py b/dirsrvtests/tests/suites/config/removed_config_49298_test.py
-new file mode 100644
-index 000000000..e65236924
---- /dev/null
-+++ b/dirsrvtests/tests/suites/config/removed_config_49298_test.py
-@@ -0,0 +1,81 @@
-+# --- BEGIN COPYRIGHT BLOCK ---
-+# Copyright (C) 2017 Red Hat, Inc.
-+# All rights reserved.
-+#
-+# License: GPL (version 3 or any later version).
-+# See LICENSE for details.
-+# --- END COPYRIGHT BLOCK ---
-+#
-+import pytest
-+import os
-+import logging
-+import subprocess
-+
-+from lib389.topologies import topology_st as topo
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+def test_restore_config(topo):
-+ """
-+ Check that if a dse.ldif and backup are removed, that the server still starts.
-+
-+ :id: e1c38fa7-30bc-46f2-a934-f8336f387581
-+ :setup: Standalone instance
-+ :steps:
-+ 1. Stop the instance
-+ 2. Delete 'dse.ldif'
-+ 3. Start the instance
-+ :expectedresults:
-+ 1. Steps 1 and 2 succeed.
-+ 2. Server will succeed to start with restored cfg.
-+ """
-+ topo.standalone.stop()
-+
-+ dse_path = topo.standalone.get_config_dir()
-+
-+ log.info(dse_path)
-+
-+ for i in ('dse.ldif', 'dse.ldif.startOK'):
-+ p = os.path.join(dse_path, i)
-+ os.remove(p)
-+
-+ # This will pass.
-+ topo.standalone.start()
-+
-+def test_removed_config(topo):
-+ """
-+ Check that if a dse.ldif and backup are removed, that the server
-+ exits better than "segfault".
-+
-+ :id: b45272d1-c197-473e-872f-07257fcb2ec0
-+ :setup: Standalone instance
-+ :steps:
-+ 1. Stop the instance
-+ 2. Delete 'dse.ldif', 'dse.ldif.bak', 'dse.ldif.startOK'
-+ 3. Start the instance
-+ :expectedresults:
-+ 1. Steps 1 and 2 succeed.
-+ 2. Server will fail to start, but will not crash.
-+ """
-+ topo.standalone.stop()
-+
-+ dse_path = topo.standalone.get_config_dir()
-+
-+ log.info(dse_path)
-+
-+ for i in ('dse.ldif', 'dse.ldif.bak', 'dse.ldif.startOK'):
-+ p = os.path.join(dse_path, i)
-+ os.remove(p)
-+
-+ # We actually can't check the log output, because it can't read dse.ldif,
-+ # don't know where to write it yet! All we want is the server fail to
-+ # start here, rather than infinite run + segfault.
-+ with pytest.raises(subprocess.CalledProcessError):
-+ topo.standalone.start()
-+
-+
-diff --git a/ldap/servers/slapd/config.c b/ldap/servers/slapd/config.c
-index afe07df84..c8d57e747 100644
---- a/ldap/servers/slapd/config.c
-+++ b/ldap/servers/slapd/config.c
-@@ -121,14 +121,13 @@ slapd_bootstrap_config(const char *configdir)
- "Passed null config directory\n");
- return rc; /* Fail */
- }
-- PR_snprintf(configfile, sizeof(configfile), "%s/%s", configdir,
-- CONFIG_FILENAME);
-- PR_snprintf(tmpfile, sizeof(tmpfile), "%s/%s.tmp", configdir,
-- CONFIG_FILENAME);
-- if ((rc = dse_check_file(configfile, tmpfile)) == 0) {
-- PR_snprintf(tmpfile, sizeof(tmpfile), "%s/%s.bak", configdir,
-- CONFIG_FILENAME);
-- rc = dse_check_file(configfile, tmpfile);
-+ PR_snprintf(configfile, sizeof(configfile), "%s/%s", configdir, CONFIG_FILENAME);
-+ PR_snprintf(tmpfile, sizeof(tmpfile), "%s/%s.bak", configdir, CONFIG_FILENAME);
-+ rc = dse_check_file(configfile, tmpfile);
-+ if (rc == 0) {
-+ /* EVERYTHING IS GOING WRONG, ARRGHHHHHH */
-+ slapi_log_err(SLAPI_LOG_ERR, "slapd_bootstrap_config", "No valid configurations can be accessed! You must restore %s from backup!\n", configfile);
-+ return 0;
- }
-
- if ((rc = PR_GetFileInfo64(configfile, &prfinfo)) != PR_SUCCESS) {
-diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
-index 420248c24..653009f53 100644
---- a/ldap/servers/slapd/dse.c
-+++ b/ldap/servers/slapd/dse.c
-@@ -609,29 +609,49 @@ dse_check_file(char *filename, char *backupname)
-
- if (PR_GetFileInfo64(filename, &prfinfo) == PR_SUCCESS) {
- if (prfinfo.size > 0) {
-- return (1);
-+ /* File exists and has content. */
-+ return 1;
- } else {
-+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-+ "The config %s has zero length. Attempting restore ... \n", filename, rc);
- rc = PR_Delete(filename);
- }
-+ } else {
-+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-+ "The config %s can not be accessed. Attempting restore ... (reason: %d)\n", filename, rc);
- }
-
- if (backupname) {
-+
-+ if (PR_GetFileInfo64(backupname, &prfinfo) != PR_SUCCESS) {
-+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-+ "The backup %s can not be accessed. Check it exists and permissions.\n", backupname);
-+ return 0;
-+ }
-+
-+ if (prfinfo.size <= 0) {
-+ slapi_log_err(SLAPI_LOG_ERR, "dse_check_file",
-+ "The backup file %s has zero length, refusing to restore it.\n", backupname);
-+ return 0;
-+ }
-+
- rc = PR_Rename(backupname, filename);
-- } else {
-- return (0);
-- }
-+ if (rc != PR_SUCCESS) {
-+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-+ "The configuration file %s was NOT able to be restored from %s, error %d\n", filename, backupname, rc);
-+ return 0;
-+ }
-
-- if (PR_GetFileInfo64(filename, &prfinfo) == PR_SUCCESS && prfinfo.size > 0) {
- slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-- "The configuration file %s was restored from backup %s\n", filename, backupname);
-- return (1);
-+ "The configuration file %s was restored from backup %s\n", filename, backupname);
-+ return 1;
-+
- } else {
-- slapi_log_err(SLAPI_LOG_ERR, "dse_check_file",
-- "The configuration file %s was not restored from backup %s, error %d\n",
-- filename, backupname, rc);
-- return (0);
-+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file", "No backup filename provided.\n");
-+ return 0;
- }
- }
-+
- static int
- dse_read_one_file(struct dse *pdse, const char *filename, Slapi_PBlock *pb, int primary_file)
- {
---
-2.13.6
-
diff --git a/SOURCES/0039-Ticket-49474-sasl-allow-mechs-does-not-operate-corre.patch b/SOURCES/0039-Ticket-49474-sasl-allow-mechs-does-not-operate-corre.patch
deleted file mode 100644
index 7ba646d..0000000
--- a/SOURCES/0039-Ticket-49474-sasl-allow-mechs-does-not-operate-corre.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From bfaf5b56bb1a416c5e058a9925642098c87e0330 Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Thu, 30 Nov 2017 14:06:59 +0100
-Subject: [PATCH] Ticket 49474 - sasl allow mechs does not operate correctly
-
-Bug Description: In a fix to sasl allowed mechs, the logic
-was not properly configured.
-
-Fix Description: Alter the ids_sasl_supported_mech to be
-clearer and simpler in it's design.
-
-https://pagure.io/389-ds-base/issue/49474
-
-Author: wibrown
-
-Review by: tbordaz (Thank you!)
-
-Cherry picked from f75cfbce07b79272a7f1a2e387dc232d45c169f5
----
- ldap/servers/slapd/saslbind.c | 49 ++++++++-----------------------------------
- 1 file changed, 9 insertions(+), 40 deletions(-)
-
-diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
-index 6734c32a7..67da97148 100644
---- a/ldap/servers/slapd/saslbind.c
-+++ b/ldap/servers/slapd/saslbind.c
-@@ -835,52 +835,21 @@ ids_sasl_listmech(Slapi_PBlock *pb)
- static int
- ids_sasl_mech_supported(Slapi_PBlock *pb, const char *mech)
- {
-- int i, ret = 0;
-- char **mechs;
-- char **allowed_mechs = NULL;
-- char *dupstr;
-- const char *str;
-- int sasl_result = 0;
-- Connection *pb_conn = NULL;
--
-- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-- sasl_conn_t *sasl_conn = (sasl_conn_t *)pb_conn->c_sasl_conn;
- slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_mech_supported", "=>\n");
-
-- /* sasl_listmech is not thread-safe - caller must lock pb_conn */
-- sasl_result = sasl_listmech(sasl_conn,
-- NULL, /* username */
-- "", ",", "",
-- &str, NULL, NULL);
-- if (sasl_result != SASL_OK) {
-- return 0;
-- }
--
-- dupstr = slapi_ch_strdup(str);
-- mechs = slapi_str2charray(dupstr, ",");
-- allowed_mechs = config_get_allowed_sasl_mechs_array();
-+ char **allowed_mechs = ids_sasl_listmech(pb);
-
-- for (i = 0; mechs[i] != NULL; i++) {
-- if (strcasecmp(mech, mechs[i]) == 0) {
-- if (allowed_mechs) {
-- if (charray_inlist(allowed_mechs, (char *)mech) == 0) {
-- ret = 1;
-- }
-- break;
-- } else {
-- ret = 1;
-- break;
-- }
-- }
-+ /* 0 indicates "now allowed" */
-+ int allowed_mech_present = 0;
-+ if (allowed_mechs != NULL) {
-+ /* Returns 1 if present and allowed. */
-+ allowed_mech_present = charray_inlist(allowed_mechs, (char *)mech);
-+ charray_free(allowed_mechs);
- }
-
-- charray_free(allowed_mechs);
-- charray_free(mechs);
-- slapi_ch_free((void **)&dupstr);
--
- slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_mech_supported", "<=\n");
-
-- return ret;
-+ return allowed_mech_present;
- }
-
- /*
-@@ -944,7 +913,7 @@ ids_sasl_check_bind(Slapi_PBlock *pb)
- * different error code to SASL_NOMECH. Must be called
- * while holding the pb_conn lock
- */
-- if (!ids_sasl_mech_supported(pb, mech)) {
-+ if (ids_sasl_mech_supported(pb, mech) == 0) {
- rc = SASL_NOMECH;
- goto sasl_check_result;
- }
---
-2.13.6
-
diff --git a/SOURCES/0040-Ticket-49470-overflow-in-pblock_get.patch b/SOURCES/0040-Ticket-49470-overflow-in-pblock_get.patch
deleted file mode 100644
index 6c9225b..0000000
--- a/SOURCES/0040-Ticket-49470-overflow-in-pblock_get.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 30fa0e4c993d4a91a90327329b50f02e637fe049 Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Tue, 28 Nov 2017 15:31:25 +0100
-Subject: [PATCH] Ticket 49470 - overflow in pblock_get
-
-Bug Description: While getting the connection id we used an int
-not a uint64_t
-
-Fix Description: Make the stack size uint64_t instead.
-
-https://pagure.io/389-ds-base/issue/49470
-
-Author: wibrown
-
-Review by: tbordaz
----
- ldap/servers/slapd/modify.c | 5 +++--
- ldap/servers/slapd/pblock.c | 4 ++--
- ldap/servers/slapd/slap.h | 2 +-
- 3 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index 6309975ae..0dcac646b 100644
---- a/ldap/servers/slapd/modify.c
-+++ b/ldap/servers/slapd/modify.c
-@@ -281,11 +281,12 @@ do_modify(Slapi_PBlock *pb)
-
- if (ignored_some_mods && (0 == smods.num_elements)) {
- if (pb_conn->c_isreplication_session) {
-- int connid, opid;
-+ uint64_t connid;
-+ int32_t opid;
- slapi_pblock_get(pb, SLAPI_CONN_ID, &connid);
- slapi_pblock_get(pb, SLAPI_OPERATION_ID, &opid);
- slapi_log_err(SLAPI_LOG_ERR, "do_modify",
-- "Rejecting replicated password policy operation(conn=%d op=%d) for "
-+ "Rejecting replicated password policy operation(conn=%"PRIu64" op=%d) for "
- "entry %s. To allow these changes to be accepted, set passwordIsGlobalPolicy to 'on' in "
- "cn=config.\n",
- connid, opid, rawdn);
-diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
-index 8f87de5b5..4514c3ce6 100644
---- a/ldap/servers/slapd/pblock.c
-+++ b/ldap/servers/slapd/pblock.c
-@@ -412,7 +412,7 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value)
- "slapi_pblock_get", "Connection is NULL and hence cannot access SLAPI_CONN_ID \n");
- return (-1);
- }
-- (*(PRUint64 *)value) = pblock->pb_conn->c_connid;
-+ (*(uint64_t *)value) = pblock->pb_conn->c_connid;
- break;
- case SLAPI_CONN_DN:
- /*
-@@ -2538,7 +2538,7 @@ slapi_pblock_set(Slapi_PBlock *pblock, int arg, void *value)
- "slapi_pblock_set", "Connection is NULL and hence cannot access SLAPI_CONN_ID \n");
- return (-1);
- }
-- pblock->pb_conn->c_connid = *((PRUint64 *)value);
-+ pblock->pb_conn->c_connid = *((uint64_t *)value);
- break;
- case SLAPI_CONN_DN:
- /*
-diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
-index 44632580a..830944f72 100644
---- a/ldap/servers/slapd/slap.h
-+++ b/ldap/servers/slapd/slap.h
-@@ -1604,7 +1604,7 @@ typedef struct conn
- int c_gettingber; /* in the middle of ber_get_next */
- BerElement *c_currentber; /* ber we're getting */
- time_t c_starttime; /* when the connection was opened */
-- PRUint64 c_connid; /* id of this connection for stats*/
-+ uint64_t c_connid; /* id of this connection for stats*/
- PRUint64 c_maxthreadscount; /* # of times a conn hit max threads */
- PRUint64 c_maxthreadsblocked; /* # of operations blocked by maxthreads */
- int c_opsinitiated; /* # ops initiated/next op id */
---
-2.13.6
-
diff --git a/SOURCES/0041-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch b/SOURCES/0041-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch
deleted file mode 100644
index 14a79cd..0000000
--- a/SOURCES/0041-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch
+++ /dev/null
@@ -1,161 +0,0 @@
-From 25844922007eea26f78d18171e51be3aa7b5e949 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Wed, 6 Dec 2017 15:14:57 +0100
-Subject: [PATCH] Ticket 49471 - heap-buffer-overflow in ss_unescape
-
-Bug Description:
- Two problems here
- - when searching for wildcard and escape char, ss_unescape assumes the string
- is at least 3 chars longs. So memcmp can overflow a shorter string
- - while splitting a string into substring pattern, it loops over
- wildcard and can overpass the string end
-
-Fix Description:
- For the first problem, it checks the string size is long enough to memcmp
- a wildcard or an escape
- For the second it exits from the loop as soon as the end of the string is reached
-
-https://pagure.io/389-ds-base/issue/49471
-
-Reviewed by: William Brown
-
-Platforms tested: F23
-
-Flag Day: no
-
-Doc impact: no
-
-(cherry picked from commit 5991388ce75fba8885579b769711d57acfd43cd3)
----
- dirsrvtests/tests/tickets/ticket49471_test.py | 79 +++++++++++++++++++++++++++
- ldap/servers/plugins/collation/orfilter.c | 14 +++--
- 2 files changed, 87 insertions(+), 6 deletions(-)
- create mode 100644 dirsrvtests/tests/tickets/ticket49471_test.py
-
-diff --git a/dirsrvtests/tests/tickets/ticket49471_test.py b/dirsrvtests/tests/tickets/ticket49471_test.py
-new file mode 100644
-index 000000000..0456a5182
---- /dev/null
-+++ b/dirsrvtests/tests/tickets/ticket49471_test.py
-@@ -0,0 +1,79 @@
-+import logging
-+import pytest
-+import os
-+import time
-+import ldap
-+from lib389._constants import *
-+from lib389.topologies import topology_st as topo
-+from lib389 import Entry
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+
-+USER_CN='user_'
-+def _user_get_dn(no):
-+ cn = '%s%d' % (USER_CN, no)
-+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX)
-+ return (cn, dn)
-+
-+def add_user(server, no, desc='dummy', sleep=True):
-+ (cn, dn) = _user_get_dn(no)
-+ log.fatal('Adding user (%s): ' % dn)
-+ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'inetuser', 'userSecurityInformation'],
-+ 'cn': [cn],
-+ 'description': [desc],
-+ 'sn': [cn],
-+ 'description': ['add on that host']})))
-+ if sleep:
-+ time.sleep(2)
-+
-+def test_ticket49471(topo):
-+ """Specify a test case purpose or name here
-+
-+ :id: 457ab172-9455-4eb2-89a0-150e3de5993f
-+ :setup: Fill in set up configuration here
-+ :steps:
-+ 1. Fill in test case steps here
-+ 2. And indent them like this (RST format requirement)
-+ :expectedresults:
-+ 1. Fill in the result that is expected
-+ 2. For each test step
-+ """
-+
-+ # If you need any test suite initialization,
-+ # please, write additional fixture for that (including finalizer).
-+ # Topology for suites are predefined in lib389/topologies.py.
-+
-+ # If you need host, port or any other data about instance,
-+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid)
-+
-+ S1 = topo.standalone
-+ add_user(S1, 1)
-+
-+ Filter = "(description:2.16.840.1.113730.3.3.2.1.1.6:=\*on\*)"
-+ ents = S1.search_s(SUFFIX, ldap.SCOPE_SUBTREE, Filter)
-+ assert len(ents) == 1
-+
-+ #
-+ # The following is for the test 49491
-+ # skipped here else it crashes in ASAN
-+ #Filter = "(description:2.16.840.1.113730.3.3.2.1.1.6:=\*host)"
-+ #ents = S1.search_s(SUFFIX, ldap.SCOPE_SUBTREE, Filter)
-+ #assert len(ents) == 1
-+
-+ if DEBUGGING:
-+ # Add debugging steps(if any)...
-+ pass
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-+
-diff --git a/ldap/servers/plugins/collation/orfilter.c b/ldap/servers/plugins/collation/orfilter.c
-index 5a2d8a0ab..a98d90219 100644
---- a/ldap/servers/plugins/collation/orfilter.c
-+++ b/ldap/servers/plugins/collation/orfilter.c
-@@ -313,12 +313,12 @@ ss_unescape(struct berval *val)
- char *t = s;
- char *limit = s + val->bv_len;
- while (s < limit) {
-- if (!memcmp(s, "\\2a", 3) ||
-- !memcmp(s, "\\2A", 3)) {
-+ if (((limit - s) >= 3) &&
-+ (!memcmp(s, "\\2a", 3) || !memcmp(s, "\\2A", 3))) {
- *t++ = WILDCARD;
- s += 3;
-- } else if (!memcmp(s, "\\5c", 3) ||
-- !memcmp(s, "\\5C", 3)) {
-+ } else if ((limit - s) >= 3 &&
-+ (!memcmp(s, "\\5c", 3) || !memcmp(s, "\\5C", 3))) {
- *t++ = '\\';
- s += 3;
- } else {
-@@ -409,13 +409,15 @@ ss_filter_values(struct berval *pattern, int *query_op)
- switch (*p) {
- case WILDCARD:
- result[n++] = ss_filter_value(s, p - s, &val);
-- while (++p != plimit && *p == WILDCARD)
-- ;
-+ while (p != plimit && *p == WILDCARD) p++;
- s = p;
- break;
- default:
- break;
- }
-+ if (p >= plimit) {
-+ break;
-+ }
- }
- if (p != s || s == plimit) {
- result[n++] = ss_filter_value(s, p - s, &val);
---
-2.13.6
-
diff --git a/SOURCES/0042-Ticket-49298-fix-complier-warn.patch b/SOURCES/0042-Ticket-49298-fix-complier-warn.patch
deleted file mode 100644
index 8cc97dc..0000000
--- a/SOURCES/0042-Ticket-49298-fix-complier-warn.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 189c3ce4d5b5c9341a60d4056dad26133d9607ca Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Fri, 17 Nov 2017 11:43:36 +1000
-Subject: [PATCH] Ticket 49298 - fix complier warn
-
-Bug Description: Extra argument to error log in dse.c
-
-Fix Description: Remove extra argument.
-
-https://pagure.io/389-ds-base/issue/49298
-
-Author: wibrown
-
-Review by: oneline rule.
----
- ldap/servers/slapd/dse.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
-index 653009f53..662e91aa7 100644
---- a/ldap/servers/slapd/dse.c
-+++ b/ldap/servers/slapd/dse.c
-@@ -613,7 +613,7 @@ dse_check_file(char *filename, char *backupname)
- return 1;
- } else {
- slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-- "The config %s has zero length. Attempting restore ... \n", filename, rc);
-+ "The config %s has zero length. Attempting restore ... \n", filename);
- rc = PR_Delete(filename);
- }
- } else {
---
-2.13.6
-
diff --git a/SOURCES/0043-Ticket-49495-Fix-memory-management-is-vattr.patch b/SOURCES/0043-Ticket-49495-Fix-memory-management-is-vattr.patch
deleted file mode 100644
index 670891a..0000000
--- a/SOURCES/0043-Ticket-49495-Fix-memory-management-is-vattr.patch
+++ /dev/null
@@ -1,153 +0,0 @@
-From 2c56e7dc08a41fc1dfa6a79213e93686f553847c Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Mon, 11 Dec 2017 15:48:24 +0100
-Subject: [PATCH] Ticket 49495 - Fix memory management is vattr.
-
-Bug Description: During the fix for
-https://pagure.io/389-ds-base/issue/49436 a issue was exposed
-in how registration of attributes to cos work. With the change
-to handle -> attr link, this exposed that cos treats each attribute
-and template pair as a new type for the handle. As aresult, this
-caused the sp_list to create a long linked list of M*N entries
-for each attr - template value. Obviously, this is extremely
-slow to traverse during a search!
-
-Fix Description: Undo part of the SLL next change and convert
-to reference counting. The issue remains that there is a defect
-in how cos handles attribute registration, but this can not be
-resolved without a significant rearchitecture of the code
-related to virtual attributes.
-
-https://pagure.io/389-ds-base/issue/49495
-
-Author: wibrown
-
-Review by: tbordaz, lkrispen (Thanks!)
----
- ldap/servers/plugins/cos/cos_cache.c | 28 +++++++++++-----------------
- ldap/servers/slapd/vattr.c | 23 +++++++++++++++++++++--
- 2 files changed, 32 insertions(+), 19 deletions(-)
-
-diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
-index 662dace35..3b3c05783 100644
---- a/ldap/servers/plugins/cos/cos_cache.c
-+++ b/ldap/servers/plugins/cos/cos_cache.c
-@@ -275,7 +275,7 @@ static Slapi_Mutex *start_lock;
- static Slapi_Mutex *stop_lock;
- static Slapi_CondVar *something_changed = NULL;
- static Slapi_CondVar *start_cond = NULL;
--
-+static vattr_sp_handle *vattr_handle = NULL;
-
- /*
- cos_cache_init
-@@ -314,6 +314,15 @@ cos_cache_init(void)
- goto out;
- }
-
-+ if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
-+ cos_cache_vattr_get,
-+ cos_cache_vattr_compare,
-+ cos_cache_vattr_types) != 0) {
-+ slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider\n");
-+ ret = -1;
-+ goto out;
-+ }
-+
- /* grab the views interface */
- if (slapi_apib_get_interface(Views_v1_0_GUID, &views_api)) {
- /* lets be tolerant if views is disabled */
-@@ -847,22 +856,7 @@ cos_dn_defs_cb(Slapi_Entry *e, void *callback_data)
- dnVals[valIndex]->bv_val);
- }
-
-- /*
-- * Each SP_handle is associated to one and only one vattr.
-- * We could consider making this a single function rather
-- * than the double-call.
-- */
--
-- vattr_sp_handle *vattr_handle = NULL;
--
-- if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle,
-- cos_cache_vattr_get,
-- cos_cache_vattr_compare,
-- cos_cache_vattr_types) != 0) {
-- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider for %s\n", dnVals[valIndex]->bv_val);
-- } else {
-- slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL);
-- }
-+ slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL);
-
- } /* if(attrType is cosAttribute) */
-
-diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
-index 432946c79..13e527188 100644
---- a/ldap/servers/slapd/vattr.c
-+++ b/ldap/servers/slapd/vattr.c
-@@ -1544,6 +1544,7 @@ struct _vattr_sp_handle
- vattr_sp *sp;
- struct _vattr_sp_handle *next; /* So we can link them together in the map */
- void *hint; /* Hint to the SP */
-+ uint64_t rc;
- };
-
- /* Calls made by Service Providers */
-@@ -1770,7 +1771,7 @@ is a separate thing in the insterests of stability.
-
- */
-
--#define VARRT_MAP_HASHTABLE_SIZE 10
-+#define VARRT_MAP_HASHTABLE_SIZE 32
-
- /* Attribute map oject */
- /* Needs to contain: a linked list of pointers to provider handles handles,
-@@ -1867,7 +1868,10 @@ vattr_map_entry_free(vattr_map_entry *vae)
- vattr_sp_handle *list_entry = vae->sp_list;
- while (list_entry != NULL) {
- vattr_sp_handle *next_entry = list_entry->next;
-- slapi_ch_free((void **)&list_entry);
-+ if (slapi_atomic_decr_64(&(list_entry->rc), __ATOMIC_RELAXED) == 0) {
-+ /* Only free on RC 0 */
-+ slapi_ch_free((void **)&list_entry);
-+ }
- list_entry = next_entry;
- }
- slapi_ch_free_string(&(vae->type_name));
-@@ -2280,6 +2284,17 @@ to handle the calls on it, but return nothing */
- *
- * Better idea, is that regattr should just take the fn pointers
- * and callers never *see* the sp_handle structure at all.
-+ *
-+ * This leaves us with some quirks today. First: if you have plugin A
-+ * and B, A registers attr 1 and B 1 and 2, it's possible that if you
-+ * register A1 first, then B1, you have B->A in next. Then when you
-+ * register B2, because we take 0==result from map_lookup, we add sp
-+ * "as is" to the map. This means that B2 now has the same next to A1
-+ * handle. This won't add a bug, because A1 won't be able to service the
-+ * attr, but it could cause some head scratching ...
-+ *
-+ * Again, to fix this, the whole vattr external interface needs a
-+ * redesign ... :(
- */
-
- int
-@@ -2304,11 +2319,15 @@ vattr_map_sp_insert(char *type_to_add, vattr_sp_handle *sp, void *hint)
- if (found) {
- return 0;
- }
-+ /* Increase the ref count of the sphandle */
-+ slapi_atomic_incr_64(&(sp->rc), __ATOMIC_RELAXED);
- /* We insert the SP handle into the linked list at the head */
- sp->next = map_entry->sp_list;
- map_entry->sp_list = sp;
- } else {
- /* If not, add it */
-+ /* Claim a reference on the sp ... */
-+ slapi_atomic_incr_64(&(sp->rc), __ATOMIC_RELAXED);
- map_entry = vattr_map_entry_new(type_to_add, sp, hint);
- if (NULL == map_entry) {
- return ENOMEM;
---
-2.13.6
-
diff --git a/SOURCES/0044-Ticket-48184-close-connections-at-shutdown-cleanly.patch b/SOURCES/0044-Ticket-48184-close-connections-at-shutdown-cleanly.patch
deleted file mode 100644
index 7d58838..0000000
--- a/SOURCES/0044-Ticket-48184-close-connections-at-shutdown-cleanly.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-From 0c1fbfaf77d6f7b2a6628deaf309bbe1c3e7a8e8 Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Tue, 28 Nov 2017 13:39:19 +0100
-Subject: [PATCH] Ticket 48184 - close connections at shutdown cleanly.
-
-Bug Description: During shutdown we would not close connections.
-In the past this may have just been an annoyance, but now with the way
-nunc-stans works, io events can still trigger on open xeisting connectinos
-during shutdown.
-
-Fix Description: Close connections during shutdown rather than
-leaving them alive.
-
-https://pagure.io/389-ds-base/issue/48184
-
-Author: wibrown
-
-Review by: lkrispen, vashirov (Thank you!)
----
- ldap/servers/slapd/conntable.c | 13 +++++++
- ldap/servers/slapd/daemon.c | 77 ++++++++++++++++++++++++++----------------
- ldap/servers/slapd/fe.h | 1 +
- ldap/servers/slapd/slap.h | 1 +
- 4 files changed, 63 insertions(+), 29 deletions(-)
-
-diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c
-index 7c57b47cd..f2f763dfa 100644
---- a/ldap/servers/slapd/conntable.c
-+++ b/ldap/servers/slapd/conntable.c
-@@ -91,6 +91,19 @@ connection_table_abandon_all_operations(Connection_Table *ct)
- }
- }
-
-+void
-+connection_table_disconnect_all(Connection_Table *ct)
-+{
-+ for (size_t i = 0; i < ct->size; i++) {
-+ if (ct->c[i].c_mutex) {
-+ Connection *c = &(ct->c[i]);
-+ PR_EnterMonitor(c->c_mutex);
-+ disconnect_server_nomutex(c, c->c_connid, -1, SLAPD_DISCONNECT_ABORT, ECANCELED);
-+ PR_ExitMonitor(c->c_mutex);
-+ }
-+ }
-+}
-+
- /* Given a file descriptor for a socket, this function will return
- * a slot in the connection table to use.
- *
-diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
-index 4e0466ab3..c245a4d4e 100644
---- a/ldap/servers/slapd/daemon.c
-+++ b/ldap/servers/slapd/daemon.c
-@@ -1176,6 +1176,30 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp)
- housekeeping_stop(); /* Run this after op_thread_cleanup() logged sth */
- disk_monitoring_stop();
-
-+ /*
-+ * Now that they are abandonded, we need to mark them as done.
-+ * In NS while it's safe to allow excess jobs to be cleaned by
-+ * by the walk and ns_job_done of remaining queued events, the
-+ * issue is that if we allow something to live past this point
-+ * the CT is freed from underneath, and bad things happen (tm).
-+ *
-+ * NOTE: We do this after we stop psearch, because there could
-+ * be a race between flagging the psearch done, and users still
-+ * try to send on the connection. Similar with op_threads.
-+ */
-+ connection_table_disconnect_all(the_connection_table);
-+
-+ /*
-+ * WARNING: Normally we should close the tp in main
-+ * but because of issues in the current connection design
-+ * we need to close it here to guarantee events won't fire!
-+ *
-+ * All the connection close jobs "should" complete before
-+ * shutdown at least.
-+ */
-+ ns_thrpool_shutdown(tp);
-+ ns_thrpool_wait(tp);
-+
- threads = g_get_active_threadcnt();
- if (threads > 0) {
- slapi_log_err(SLAPI_LOG_INFO, "slapd_daemon",
-@@ -1628,23 +1652,18 @@ ns_handle_closure(struct ns_job_t *job)
- Connection *c = (Connection *)ns_job_get_data(job);
- int do_yield = 0;
-
--/* this function must be called from the event loop thread */
--#ifdef DEBUG
-- PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job)));
--#else
-- /* This doesn't actually confirm it's in the event loop thread, but it's a start */
-- if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) {
-- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_closure", "Attempt to close outside of event loop thread %" PRIu64 " for fd=%d\n",
-- c->c_connid, c->c_sd);
-- return;
-- }
--#endif
- PR_EnterMonitor(c->c_mutex);
-+ /* Assert we really have the right job state. */
-+ PR_ASSERT(job == c->c_job);
-+
- connection_release_nolock_ext(c, 1); /* release ref acquired for event framework */
- PR_ASSERT(c->c_ns_close_jobs == 1); /* should be exactly 1 active close job - this one */
- c->c_ns_close_jobs--; /* this job is processing closure */
-+ /* Because handle closure will add a new job, we need to detach our current one. */
-+ c->c_job = NULL;
- do_yield = ns_handle_closure_nomutex(c);
- PR_ExitMonitor(c->c_mutex);
-+ /* Remove this task now. */
- ns_job_done(job);
- if (do_yield) {
- /* closure not done - another reference still outstanding */
-@@ -1667,6 +1686,14 @@ ns_connection_post_io_or_closing(Connection *conn)
- return;
- }
-
-+ /*
-+ * Cancel any existing ns jobs we have registered.
-+ */
-+ if (conn->c_job != NULL) {
-+ ns_job_done(conn->c_job);
-+ conn->c_job = NULL;
-+ }
-+
- if (CONN_NEEDS_CLOSING(conn)) {
- /* there should only ever be 0 or 1 active closure jobs */
- PR_ASSERT((conn->c_ns_close_jobs == 0) || (conn->c_ns_close_jobs == 1));
-@@ -1676,13 +1703,10 @@ ns_connection_post_io_or_closing(Connection *conn)
- conn->c_connid, conn->c_sd);
- return;
- } else {
-- /* just make sure we schedule the event to be closed in a timely manner */
-- tv.tv_sec = 0;
-- tv.tv_usec = slapd_wakeup_timer * 1000;
- conn->c_ns_close_jobs++; /* now 1 active closure job */
- connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */
-- ns_result_t job_result = ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER,
-- ns_handle_closure, conn, NULL);
-+ /* Close the job asynchronously. Why? */
-+ ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handle_closure, conn, &(conn->c_job));
- if (job_result != NS_SUCCESS) {
- if (job_result == NS_SHUTDOWN) {
- slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post closure job "
-@@ -1726,7 +1750,7 @@ ns_connection_post_io_or_closing(Connection *conn)
- #endif
- ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv,
- NS_JOB_READ | NS_JOB_PRESERVE_FD,
-- ns_handle_pr_read_ready, conn, NULL);
-+ ns_handle_pr_read_ready, conn, &(conn->c_job));
- if (job_result != NS_SUCCESS) {
- if (job_result == NS_SHUTDOWN) {
- slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post I/O job for "
-@@ -1755,19 +1779,13 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
- int maxthreads = config_get_maxthreadsperconn();
- Connection *c = (Connection *)ns_job_get_data(job);
-
--/* this function must be called from the event loop thread */
--#ifdef DEBUG
-- PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job)));
--#else
-- /* This doesn't actually confirm it's in the event loop thread, but it's a start */
-- if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) {
-- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_pr_read_ready", "Attempt to handle read ready outside of event loop thread %" PRIu64 " for fd=%d\n",
-- c->c_connid, c->c_sd);
-- return;
-- }
--#endif
--
- PR_EnterMonitor(c->c_mutex);
-+ /* Assert we really have the right job state. */
-+ PR_ASSERT(job == c->c_job);
-+
-+ /* On all code paths we remove the job, so set it null now */
-+ c->c_job = NULL;
-+
- slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "activity on conn %" PRIu64 " for fd=%d\n",
- c->c_connid, c->c_sd);
- /* if we were called due to some i/o event, see what the state of the socket is */
-@@ -1826,6 +1844,7 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
- slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "queued conn %" PRIu64 " for fd=%d\n",
- c->c_connid, c->c_sd);
- }
-+ /* Since we call done on the job, we need to remove it here. */
- PR_ExitMonitor(c->c_mutex);
- ns_job_done(job);
- return;
-diff --git a/ldap/servers/slapd/fe.h b/ldap/servers/slapd/fe.h
-index 4d25a9fb8..f47bb6145 100644
---- a/ldap/servers/slapd/fe.h
-+++ b/ldap/servers/slapd/fe.h
-@@ -100,6 +100,7 @@ extern Connection_Table *the_connection_table; /* JCM - Exported from globals.c
- Connection_Table *connection_table_new(int table_size);
- void connection_table_free(Connection_Table *ct);
- void connection_table_abandon_all_operations(Connection_Table *ct);
-+void connection_table_disconnect_all(Connection_Table *ct);
- Connection *connection_table_get_connection(Connection_Table *ct, int sd);
- int connection_table_move_connection_out_of_active_list(Connection_Table *ct, Connection *c);
- void connection_table_move_connection_on_to_active_list(Connection_Table *ct, Connection *c);
-diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
-index 830944f72..08754d8fb 100644
---- a/ldap/servers/slapd/slap.h
-+++ b/ldap/servers/slapd/slap.h
-@@ -1644,6 +1644,7 @@ typedef struct conn
- void *c_io_layer_cb_data; /* callback data */
- struct connection_table *c_ct; /* connection table that this connection belongs to */
- ns_thrpool_t *c_tp; /* thread pool for this connection */
-+ struct ns_job_t *c_job; /* If it exists, the current ns_job_t */
- int c_ns_close_jobs; /* number of current close jobs */
- char *c_ipaddr; /* ip address str - used by monitor */
- } Connection;
---
-2.13.6
-
diff --git a/SOURCES/0045-Ticket-49509-Indexing-of-internationalized-matching-.patch b/SOURCES/0045-Ticket-49509-Indexing-of-internationalized-matching-.patch
deleted file mode 100644
index ec43a14..0000000
--- a/SOURCES/0045-Ticket-49509-Indexing-of-internationalized-matching-.patch
+++ /dev/null
@@ -1,239 +0,0 @@
-From 8d79d7c81157e77f4da595a723a6ed10a8e9789b Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Thu, 11 Jan 2018 18:52:43 +0100
-Subject: [PATCH] Ticket 49509 - Indexing of internationalized matching rules
- is failing
-
-Bug Description:
- Indexing of the internationalized matching rules tests if a
- matching rule indexer handle or not a given OID.
- A side effect of https://pagure.io/389-ds-base/issue/49097 is that
- the returned indexing callbacks are lost.
- Indeed, the indexing callbacks (and potentially others fields) were
- stored in the temporary pblock that was memcpy to the provided
- pblock in case of success
-
-Fix Description:
- The fix basically restores the previous behavior but do not
- memcpy pblock. It read/store the pblock fields that are
- inputs/outputs of slapi_mr_indexer_create.
-
-https://pagure.io/389-ds-base/issue/49509
-
-Reviewed by: Ludwig Krispenz
-
-Platforms tested: F23
-
-Flag Day: no
-
-Doc impact: no
----
- ldap/servers/slapd/plugin_mr.c | 148 ++++++++++++++++++++++++++++-------------
- 1 file changed, 103 insertions(+), 45 deletions(-)
-
-diff --git a/ldap/servers/slapd/plugin_mr.c b/ldap/servers/slapd/plugin_mr.c
-index bd2baff6c..ca4fe00e1 100644
---- a/ldap/servers/slapd/plugin_mr.c
-+++ b/ldap/servers/slapd/plugin_mr.c
-@@ -143,6 +143,82 @@ plugin_mr_bind(char *oid, struct slapdplugin *plugin)
- slapi_log_err(SLAPI_LOG_FILTER, "plugin_mr_bind", "<=\n");
- }
-
-+void
-+mr_indexer_init_pb(Slapi_PBlock* src_pb, Slapi_PBlock* dst_pb)
-+{
-+ char* oid;
-+ char *type;
-+ uint32_t usage;
-+ void *object;
-+ IFP destroyFn;
-+ IFP indexFn, indexSvFn;
-+
-+ /* matching rule plugin arguments */
-+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_OID, &oid);
-+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_TYPE, &type);
-+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_USAGE, &usage);
-+
-+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_OID, oid);
-+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_TYPE, type);
-+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_USAGE, &usage);
-+
-+ /* matching rule plugin functions */
-+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn);
-+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn);
-+
-+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_INDEX_FN, indexFn);
-+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, indexSvFn);
-+
-+ /* common */
-+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_OBJECT, &object);
-+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_DESTROY_FN, &destroyFn);
-+
-+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_OBJECT, object);
-+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_DESTROY_FN, destroyFn);
-+
-+
-+}
-+
-+/*
-+ * Retrieves the matching rule plugin able to index/sort the provided OID/type
-+ *
-+ * The Matching rules able to index/sort a given OID are stored in a global list: global_mr_oids
-+ *
-+ * The retrieval is done in 3 phases:
-+ * - It first searches (in global_mr_oids) for the already bound OID->MR
-+ * - Else, look first in old style MR plugin
-+ * for each registered 'syntax' and 'matchingrule' plugins having a
-+ * SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, it binds (plugin_mr_bind) the first
-+ * plugin that support the OID
-+ * - Else, look in new style MR plugin
-+ * for each registered 'syntax' and 'matchingrule' plugins, it binds (plugin_mr_bind) the first
-+ * plugin that contains OID in its plg_mr_names
-+ *
-+ * Inputs:
-+ * SLAPI_PLUGIN_MR_OID
-+ * should contain the OID of the matching rule that you want used for indexing or sorting.
-+ * SLAPI_PLUGIN_MR_TYPE
-+ * should contain the attribute type that you want used for indexing or sorting.
-+ * SLAPI_PLUGIN_MR_USAGE
-+ * should specify if the indexer will be used for indexing (SLAPI_PLUGIN_MR_USAGE_INDEX)
-+ * or for sorting (SLAPI_PLUGIN_MR_USAGE_SORT)
-+ *
-+ *
-+ * Output:
-+ *
-+ * SLAPI_PLUGIN_MR_OID
-+ * contain the OFFICIAL OID of the matching rule that you want used for indexing or sorting.
-+ * SLAPI_PLUGIN_MR_INDEX_FN
-+ * specifies the indexer function responsible for indexing or sorting of struct berval **
-+ * SLAPI_PLUGIN_MR_INDEX_SV_FN
-+ * specifies the indexer function responsible for indexing or sorting of Slapi_Value **
-+ * SLAPI_PLUGIN_OBJECT
-+ * contain any information that you want passed to the indexer function.
-+ * SLAPI_PLUGIN_DESTROY_FN
-+ * specifies the function responsible for freeing any memory allocated by this indexer factory function.
-+ * For example, memory allocated for a structure that you pass to the indexer function using SLAPI_PLUGIN_OBJECT.
-+ *
-+ */
- int /* an LDAP error code, hopefully LDAP_SUCCESS */
- slapi_mr_indexer_create(Slapi_PBlock *opb)
- {
-@@ -152,28 +228,33 @@ int /* an LDAP error code, hopefully LDAP_SUCCESS */
- IFP createFn = NULL;
- struct slapdplugin *mrp = plugin_mr_find_registered(oid);
- if (mrp != NULL) {
-+ /* Great the matching OID -> MR plugin was already found, just reuse it */
- if (!(rc = slapi_pblock_set(opb, SLAPI_PLUGIN, mrp)) &&
- !(rc = slapi_pblock_get(opb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, &createFn)) &&
- createFn != NULL) {
- rc = createFn(opb);
- }
- } else {
-- /* call each plugin, until one is able to handle this request. */
-+ /* We need to find in the MR plugins list, the MR plugin that will be able to handle OID
-+ *
-+ * It can be "old style" MR plugin (i.e. collation) that define indexer
-+ *
-+ * It can be "now style" MR plugin that contain OID string in 'plg_mr_names'
-+ * (ie. ces, cis, bin...) where plg_mr_names is defined in 'mr_plugin_table' in each file
-+ * ces.c, cis.c...
-+ * New style MR plugin have NULL indexer create function but rather use a default indexer
-+ */
-+
-+ /* Look for a old syntax-style mr plugin
-+ * call each plugin, until one is able to handle this request.
-+ */
- rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION;
-- // We need to get the type and usage from the caller.
-- char *type;
-- uint32_t usage;
-- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_TYPE, &type);
-- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_USAGE, &usage);
-+
- for (mrp = get_plugin_list(PLUGIN_LIST_MATCHINGRULE); mrp != NULL; mrp = mrp->plg_next) {
-
- Slapi_PBlock *pb = slapi_pblock_new();
-+ mr_indexer_init_pb(opb, pb);
- slapi_pblock_set(pb, SLAPI_PLUGIN, mrp);
-- /* From filtercmp.c and matchrule.c, these are the values we need to set. into pb */
-- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_OID, oid);
-- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_TYPE, type);
-- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_USAGE, &usage);
--
- /* This is associated with the pb_plugin struct, so it comes with mrp */
- if (slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, &createFn)) {
- /* plugin not a matchingrule type */
-@@ -185,14 +266,11 @@ int /* an LDAP error code, hopefully LDAP_SUCCESS */
- IFP indexFn = NULL;
- IFP indexSvFn = NULL;
- /* These however, are in the pblock direct, so we need to copy them. */
-- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn);
-- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn);
-- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_FN, indexFn);
-- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, indexSvFn);
-+ slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn);
-+ slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn);
- if (indexFn || indexSvFn) {
- /* Success: this plugin can handle it. */
-- /* call create on the opb? */
-- createFn(opb);
-+ mr_indexer_init_pb(pb, opb);
- plugin_mr_bind(oid, mrp); /* for future reference */
- rc = 0; /* success */
- slapi_pblock_destroy(pb);
-@@ -205,37 +283,12 @@ int /* an LDAP error code, hopefully LDAP_SUCCESS */
- /* look for a new syntax-style mr plugin */
- struct slapdplugin *pi = plugin_mr_find(oid);
- if (pi) {
-- Slapi_PBlock *pb = slapi_pblock_new();
-- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_OID, oid);
-- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_TYPE, type);
-- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_USAGE, &usage);
-- slapi_pblock_set(pb, SLAPI_PLUGIN, pi);
-- rc = default_mr_indexer_create(pb);
-+ slapi_pblock_set(opb, SLAPI_PLUGIN, pi);
-+ rc = default_mr_indexer_create(opb);
- if (!rc) {
-- /* On success, copy the needed values in. These are added by default_mr_indexer_create */
-- void *pb_object = NULL;
-- IFP destroy_fn = NULL;
-- IFP index_fn = NULL;
-- IFP index_sv_fn = NULL;
--
-- slapi_pblock_get(pb, SLAPI_PLUGIN_OBJECT, &pb_object);
-- slapi_pblock_get(pb, SLAPI_PLUGIN_DESTROY_FN, &destroy_fn);
-- slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_FN, &index_fn);
-- slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &index_sv_fn);
--
-- /* SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, and SLAPI_PLUGIN_MR_FILTER_CREATE_FN, are part of pb_plugin */
-- slapi_pblock_set(opb, SLAPI_PLUGIN, pi);
-- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_OID, oid);
-- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_TYPE, type);
-- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_USAGE, &usage);
-- slapi_pblock_set(opb, SLAPI_PLUGIN_OBJECT, pb_object);
-- slapi_pblock_set(opb, SLAPI_PLUGIN_DESTROY_FN, destroy_fn);
-- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_INDEX_FN, index_fn);
-- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_INDEX_SV_FN, index_sv_fn);
--
- plugin_mr_bind(oid, pi); /* for future reference */
- }
-- slapi_pblock_destroy(pb);
-+ slapi_pblock_set(opb, SLAPI_PLUGIN, NULL);
- }
- }
- }
-@@ -706,6 +759,11 @@ default_mr_indexer_create(Slapi_PBlock *pb)
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_FN, mr_wrap_mr_index_fn);
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, mr_wrap_mr_index_sv_fn);
- slapi_pblock_set(pb, SLAPI_PLUGIN_DESTROY_FN, default_mr_indexer_destroy);
-+
-+ /* Note the two following setting are in the slapdplugin struct SLAPI_PLUGIN
-+ * so they are not really output of the function but will just
-+ * be stored in the bound (OID <--> plugin) list (plugin_mr_find_registered/plugin_mr_bind)
-+ */
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, default_mr_indexer_create);
- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_FILTER_CREATE_FN, default_mr_filter_create);
- rc = 0;
---
-2.13.6
-
diff --git a/SOURCES/0046-Ticket-49493-heap-use-after-free-in-csn_as_string.patch b/SOURCES/0046-Ticket-49493-heap-use-after-free-in-csn_as_string.patch
deleted file mode 100644
index 84d1d21..0000000
--- a/SOURCES/0046-Ticket-49493-heap-use-after-free-in-csn_as_string.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From a7a0db402b32dcec7fc93bcbef42174163ae9c12 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Tue, 12 Dec 2017 12:46:37 +0100
-Subject: [PATCH] Ticket 49493 - heap use after free in csn_as_string
-
-Bug: If write_changlog_and_ruv failed teh csn pending list was not properly
- cleand and references to the prim csn were kept, but the prim csn was reset
-
-Fix: check the return code for the mmr postop plugin and aset error codes properly
- that will triger cancel_opcsn
-
-Reviewed by: Thierry, thanks
-Tested by: Viktor, thanks
----
- ldap/servers/slapd/back-ldbm/ldbm_add.c | 22 +---------------------
- ldap/servers/slapd/back-ldbm/ldbm_delete.c | 4 ++++
- ldap/servers/slapd/back-ldbm/ldbm_modify.c | 4 ++++
- ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 4 ++++
- ldap/servers/slapd/back-ldbm/misc.c | 18 ++++++++++++++++++
- ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 1 +
- 6 files changed, 32 insertions(+), 21 deletions(-)
-
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
-index b7e17ad50..f29945a7e 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
-@@ -22,7 +22,6 @@ extern char *hassubordinates;
-
- static void delete_update_entrydn_operational_attributes(struct backentry *ep);
-
--static int set_error(Slapi_PBlock *pb, int retval, int ldap_result_code, char **ldap_result_message);
- #define ADD_SET_ERROR(rc, error, count) \
- { \
- (rc) = (error); \
-@@ -1201,7 +1200,7 @@ ldbm_back_add(Slapi_PBlock *pb)
-
- retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_ADD_FN);
- if (retval) {
-- set_error(pb, retval, ldap_result_code, &ldap_result_message);
-+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message);
- goto error_return;
- }
-
-@@ -1471,22 +1470,3 @@ delete_update_entrydn_operational_attributes(struct backentry *ep)
- slapi_entry_attr_delete(ep->ep_entry, LDBM_ENTRYDN_STR);
- }
-
--static int
--set_error(Slapi_PBlock *pb, int retval, int ldap_result_code, char **ldap_result_message)
--{
-- int opreturn = 0;
-- if (!ldap_result_code) {
-- slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code);
-- }
-- if (!ldap_result_code) {
-- ldap_result_code = LDAP_OPERATIONS_ERROR;
-- slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ldap_result_code);
-- }
-- slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn);
-- if (!opreturn) {
-- slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
-- }
-- slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
--
-- return opreturn;
--}
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
-index db463c18c..be0db1bd0 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
-@@ -1276,6 +1276,10 @@ replace_entry:
- }
-
- retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN);
-+ if (retval) {
-+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message);
-+ goto error_return;
-+ }
-
- commit_return:
- /* Release SERIAL LOCK */
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
-index 7ee796fd2..cc4319e5f 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
-@@ -867,6 +867,10 @@ ldbm_back_modify(Slapi_PBlock *pb)
- goto error_return;
- }
- retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN);
-+ if (retval) {
-+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message);
-+ goto error_return;
-+ }
-
- /* Release SERIAL LOCK */
- retval = dblayer_txn_commit(be, &txn);
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
-index 2c0cb074e..93fb77dc9 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
-@@ -1211,6 +1211,10 @@ ldbm_back_modrdn(Slapi_PBlock *pb)
- goto error_return;
- }
- retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN);
-+ if (retval) {
-+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message);
-+ goto error_return;
-+ }
-
- /* Release SERIAL LOCK */
- retval = dblayer_txn_commit(be, &txn);
-diff --git a/ldap/servers/slapd/back-ldbm/misc.c b/ldap/servers/slapd/back-ldbm/misc.c
-index df1afdfb1..c52e58a4a 100644
---- a/ldap/servers/slapd/back-ldbm/misc.c
-+++ b/ldap/servers/slapd/back-ldbm/misc.c
-@@ -16,6 +16,24 @@
-
- #include "back-ldbm.h"
-
-+void
-+ldbm_set_error(Slapi_PBlock *pb, int retval, int *ldap_result_code, char **ldap_result_message)
-+{
-+ int opreturn = 0;
-+ if (!(*ldap_result_code)) {
-+ slapi_pblock_get(pb, SLAPI_RESULT_CODE, ldap_result_code);
-+ }
-+ if (!(*ldap_result_code)) {
-+ *ldap_result_code = LDAP_OPERATIONS_ERROR;
-+ slapi_pblock_set(pb, SLAPI_RESULT_CODE, ldap_result_code);
-+ }
-+ slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn);
-+ if (!opreturn) {
-+ slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, *ldap_result_code ? ldap_result_code : &retval);
-+ }
-+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, ldap_result_message);
-+}
-+
- /* Takes a return code supposed to be errno or from lidb
- which we don't expect to see and prints a handy log message */
- void
-diff --git a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
-index 0cee3df62..da3eef18b 100644
---- a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
-+++ b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
-@@ -379,6 +379,7 @@ int ldbm_txn_ruv_modify_context(Slapi_PBlock *pb, modify_context *mc);
- int get_value_from_string(const char *string, char *type, char **value);
- int get_values_from_string(const char *string, char *type, char ***valuearray);
- void normalize_dir(char *dir);
-+void ldbm_set_error(Slapi_PBlock *pb, int retval, int *ldap_result_code, char **ldap_result_message);
-
- /*
- * nextid.c
---
-2.13.6
-
diff --git a/SOURCES/0047-Ticket-49524-Password-policy-minimum-token-length-fa.patch b/SOURCES/0047-Ticket-49524-Password-policy-minimum-token-length-fa.patch
deleted file mode 100644
index ee2f366..0000000
--- a/SOURCES/0047-Ticket-49524-Password-policy-minimum-token-length-fa.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From a85f64d2c4fa2718748a205d4ae0ebab47513199 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Mon, 8 Jan 2018 11:34:02 -0500
-Subject: [PATCH] Ticket 49524 - Password policy: minimum token length fails
- when the token length is equal to attribute length
-
-Bug Description: The token checking breaks when the password is the
- exact value of the entry attribute.
-
-Fix Description: Remove the "equal" part of the string comparisons.
-
-https://pagure.io/389-ds-base/issue/49524
-
-Reviewed by: firstyear & spichugi(Thanks!!)
-
-(cherry picked from commit 790be09fc434d394239bf2486d01f212b36cf0e3)
----
- .../tests/suites/password/pwdPolicy_token_test.py | 75 ++++++++++++++++++++++
- ldap/servers/slapd/pw.c | 2 +-
- ldap/servers/slapd/utf8.c | 2 +-
- 3 files changed, 77 insertions(+), 2 deletions(-)
- create mode 100644 dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
-
-diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
-new file mode 100644
-index 000000000..7a4de9c85
---- /dev/null
-+++ b/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py
-@@ -0,0 +1,75 @@
-+import logging
-+import pytest
-+import os
-+import time
-+import ldap
-+from lib389._constants import *
-+from lib389.idm.user import UserAccounts
-+from lib389.topologies import topology_st as topo
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+USER_DN = 'uid=Test_user1,ou=People,dc=example,dc=com'
-+TOKEN = 'test_user1'
-+
-+user_properties = {
-+ 'uid': 'Test_user1',
-+ 'cn': 'test_user1',
-+ 'sn': 'test_user1',
-+ 'uidNumber': '1001',
-+ 'gidNumber': '2001',
-+ 'userpassword': PASSWORD,
-+ 'description': 'userdesc',
-+ 'homeDirectory': '/home/{}'.format('test_user')}
-+
-+
-+def pwd_setup(topo):
-+ topo.standalone.config.replace_many(('passwordCheckSyntax', 'on'),
-+ ('passwordMinLength', '4'),
-+ ('passwordMinCategories', '1'))
-+ users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
-+ return users.create(properties=user_properties)
-+
-+
-+def test_token_lengths(topo):
-+ """Test that password token length is enforced for various lengths including
-+ the same length as the attribute being checked by the policy.
-+
-+ :id: dae9d916-2a03-4707-b454-9e901d295b13
-+ :setup: Standalone instance
-+ :steps:
-+ 1. Test token length rejects password of the same length as rdn value
-+ :expectedresults:
-+ 1. Passwords are rejected
-+ """
-+ user = pwd_setup(topo)
-+ for length in ['4', '6', '10']:
-+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
-+ topo.standalone.config.set('passwordMinTokenLength', length)
-+ topo.standalone.simple_bind_s(USER_DN, PASSWORD)
-+ time.sleep(1)
-+
-+ try:
-+ passwd = TOKEN[:int(length)]
-+ log.info("Testing password len {} token ({})".format(length, passwd))
-+ user.replace('userpassword', passwd)
-+ log.fatal('Password incorrectly allowed!')
-+ assert False
-+ except ldap.CONSTRAINT_VIOLATION as e:
-+ log.info('Password correctly rejected: ' + str(e))
-+ except ldap.LDAPError as e:
-+ log.fatal('Unexpected failure ' + str(e))
-+ assert False
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-+
-diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
-index e625962e8..0cf795b41 100644
---- a/ldap/servers/slapd/pw.c
-+++ b/ldap/servers/slapd/pw.c
-@@ -1465,7 +1465,7 @@ check_trivial_words(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char *
- sp = slapi_ch_strdup(slapi_value_get_string(valp));
- ep = sp + strlen(sp);
- ep = ldap_utf8prevn(sp, ep, toklen);
-- if (!ep || (sp >= ep)) {
-+ if (!ep || (sp > ep)) {
- slapi_ch_free_string(&sp);
- continue;
- }
-diff --git a/ldap/servers/slapd/utf8.c b/ldap/servers/slapd/utf8.c
-index b0667c636..4538625b3 100644
---- a/ldap/servers/slapd/utf8.c
-+++ b/ldap/servers/slapd/utf8.c
-@@ -152,7 +152,7 @@ ldap_utf8prevn(char *s, char *from, int n)
- }
- for (; n > 0; --n) {
- prev = ldap_utf8prev(prev);
-- if ((prev <= s) && (n > 0)) {
-+ if ((n > 0) && (prev < s)) {
- return NULL;
- }
- }
---
-2.13.6
-
diff --git a/SOURCES/0048-Ticket-49446-cleanallruv-should-ignore-cleaned-repli.patch b/SOURCES/0048-Ticket-49446-cleanallruv-should-ignore-cleaned-repli.patch
deleted file mode 100644
index e77d26e..0000000
--- a/SOURCES/0048-Ticket-49446-cleanallruv-should-ignore-cleaned-repli.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 7fa2f146c80ed64217bb0c1022c99bd1948cdc7c Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Thu, 11 Jan 2018 15:56:21 +0100
-Subject: [PATCH] Ticket 49446 - cleanallruv should ignore cleaned replica Id
- in processing changelog if in force mode
-
-Bug: If the startcsn is calculated based on a cleaned rid, it could be missing from the changelog.
-
-Fix: In force mode we do not care that the topology gets in sync for the cleaned RID, so we can ignore it
- in an earlier stage, instead of setting it to precleane only.
-
-Reviewed by: Thierry, thanks
----
- ldap/servers/plugins/replication/repl5_replica_config.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index e025f34d8..005528a41 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -1688,9 +1688,15 @@ replica_cleanallruv_thread(void *arg)
- }
- /*
- * Presetting the rid prevents duplicate thread creation, but allows the db and changelog to still
-- * process updates from the rid. set_cleaned_rid() blocks updates, so we don't want to do that... yet.
-+ * process updates from the rid.
-+ * set_cleaned_rid() blocks updates, so we don't want to do that... yet unless we are in force mode.
-+ * If we are forcing a clean independent of state of other servers for this RID we can set_cleaned_rid()
- */
-- preset_cleaned_rid(data->rid);
-+ if (data->force) {
-+ set_cleaned_rid(data->rid);
-+ } else {
-+ preset_cleaned_rid(data->rid);
-+ }
- rid_text = slapi_ch_smprintf("%d", data->rid);
- csn_as_string(data->maxcsn, PR_FALSE, csnstr);
- /*
---
-2.13.6
-
diff --git a/SOURCES/0049-Ticket-49413-Changelog-trimming-ignores-disabled-rep.patch b/SOURCES/0049-Ticket-49413-Changelog-trimming-ignores-disabled-rep.patch
deleted file mode 100644
index bbf059c..0000000
--- a/SOURCES/0049-Ticket-49413-Changelog-trimming-ignores-disabled-rep.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 7cb2e56db2da439c90bbfd35f132a85708942490 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Tue, 14 Nov 2017 11:25:18 +0100
-Subject: [PATCH] Ticket 49413 - Changelog trimming ignores disabled
- replica-agreement
-
-Bug: if a replication agreement is disabled it is not taken into account when
- changelog trimming determines where to stop.
- If the agreement is reenabled later replication can fail
-
-Fix: do not ignore disabled agreements in changelog trimming
-
-Reviewed by: Thierry, thanks
----
- ldap/servers/plugins/replication/cl5_api.c | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
-index 721013abf..dc2857910 100644
---- a/ldap/servers/plugins/replication/cl5_api.c
-+++ b/ldap/servers/plugins/replication/cl5_api.c
-@@ -4283,12 +4283,10 @@ _cl5GetRUV2Purge2(Object *fileObj, RUV **ruv)
- while (agmtObj) {
- agmt = (Repl_Agmt *)object_get_data(agmtObj);
- PR_ASSERT(agmt);
--
-- if (!agmt_is_enabled(agmt)) {
-- agmtObj = agmtlist_get_next_agreement_for_replica(r, agmtObj);
-- continue;
-- }
--
-+ /* we need to handle all agreements, also if they are not enabled
-+ * if they will be later enabled and changes are trimmed
-+ * replication can fail
-+ */
- consRUVObj = agmt_get_consumer_ruv(agmt);
- if (consRUVObj) {
- consRUV = (RUV *)object_get_data(consRUVObj);
---
-2.13.6
-
diff --git a/SOURCES/0050-Ticket-49278-GetEffectiveRights-gives-false-negative.patch b/SOURCES/0050-Ticket-49278-GetEffectiveRights-gives-false-negative.patch
deleted file mode 100644
index f43d383..0000000
--- a/SOURCES/0050-Ticket-49278-GetEffectiveRights-gives-false-negative.patch
+++ /dev/null
@@ -1,330 +0,0 @@
-From 6e00c3bac13811bc6d94b810b17a59f9428c29f6 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Thu, 11 Jan 2018 15:17:56 +0100
-Subject: [PATCH] Ticket 49278 - GetEffectiveRights gives false-negative
-
- Bug: If geteffective rights was issued for an non existing entry the
- mechanism to genrate a template entry no longer worked and no results were
- returned.
- Fix: Improve the handling in itreating the result set, so that template entries (if
- requested) are genereated and are not applied to existing entries.
- Also some code cleanup in iterate()
- Reviewed by: Thierry, thanks
----
- ldap/servers/slapd/opshared.c | 239 ++++++++++++++++++++----------------------
- 1 file changed, 114 insertions(+), 125 deletions(-)
-
-diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
-index 24157120e..46dcf6fba 100644
---- a/ldap/servers/slapd/opshared.c
-+++ b/ldap/servers/slapd/opshared.c
-@@ -33,6 +33,7 @@ static char *pwpolicy_lock_attrs_all[] = {"passwordRetryCount",
- static void compute_limits(Slapi_PBlock *pb);
- static int send_results_ext(Slapi_PBlock *pb, int send_result, int *nentries, int pagesize, unsigned int *pr_stat);
- static int process_entry(Slapi_PBlock *pb, Slapi_Entry *e, int send_result);
-+static void send_entry(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Operation *operation, char **attrs, int attrsonly, int *pnentries);
-
- int
- op_shared_is_allowed_attr(const char *attr_name, int replicated_op)
-@@ -1040,6 +1041,31 @@ process_entry(Slapi_PBlock *pb, Slapi_Entry *e, int send_result)
-
- return 0;
- }
-+static void
-+send_entry(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Operation *operation, char **attrs, int attrsonly, int *pnentries)
-+{
-+ /*
-+ * It's a regular entry, or it's a referral and
-+ * managedsait control is on. In either case, send
-+ * the entry.
-+ */
-+ switch (send_ldap_search_entry(pb, e, NULL, attrs, attrsonly)) {
-+ case 0: /* entry sent ok */
-+ (*pnentries)++;
-+ slapi_pblock_set(pb, SLAPI_NENTRIES, pnentries);
-+ break;
-+ case 1: /* entry not sent */
-+ break;
-+ case -1: /* connection closed */
-+ /*
-+ * mark the operation as abandoned so the backend
-+ * next entry function gets called again and has
-+ * a chance to clean things up.
-+ */
-+ operation->o_status = SLAPI_OP_STATUS_ABANDONED;
-+ break;
-+ }
-+}
-
- #if 0
- /* Loops through search entries and sends them to the client.
-@@ -1214,7 +1240,7 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in
- *pnentries = 0;
-
- while (!done) {
-- Slapi_Entry *gerentry = NULL;
-+ Slapi_Entry *ger_template_entry = NULL;
- Slapi_Operation *operation;
-
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
-@@ -1236,57 +1262,57 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in
- slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &e);
-
- /* Check for possible get_effective_rights control */
-- if (e) {
-- if (operation->o_flags & OP_FLAG_GET_EFFECTIVE_RIGHTS) {
-- char *errbuf = NULL;
-+ if (operation->o_flags & OP_FLAG_GET_EFFECTIVE_RIGHTS) {
-+ char *errbuf = NULL;
-+
-+ if (PAGEDRESULTS_PAGE_END == pr_stat) {
-+ /*
-+ * read ahead -- there is at least more entry.
-+ * undo it and return the PAGE_END
-+ */
-+ be->be_prev_search_results(pb);
-+ done = 1;
-+ continue;
-+ }
-+ if ( e == NULL ) {
- char **gerattrs = NULL;
- char **gerattrsdup = NULL;
- char **gap = NULL;
- char *gapnext = NULL;
--
-- if (PAGEDRESULTS_PAGE_END == pr_stat) {
-- /*
-- * read ahead -- there is at least more entry.
-- * undo it and return the PAGE_END
-+ /* we have no more entries
-+ * but we might create a template entry for GER
-+ * so we need to continue, but make sure to stop
-+ * after handling the template entry.
-+ * the template entry is a temporary entry returned by the acl
-+ * plugin in the pblock and will be freed
- */
-- be->be_prev_search_results(pb);
-- done = 1;
-- continue;
-- }
-+ done = 1;
-+ pr_stat = PAGEDRESULTS_SEARCH_END;
-
- slapi_pblock_get(pb, SLAPI_SEARCH_GERATTRS, &gerattrs);
- gerattrsdup = cool_charray_dup(gerattrs);
- gap = gerattrsdup;
-- do {
-+ while (gap && *gap) {
- gapnext = NULL;
-- if (gap) {
-- if (*gap && *(gap + 1)) {
-- gapnext = *(gap + 1);
-- *(gap + 1) = NULL;
-- }
-- slapi_pblock_set(pb, SLAPI_SEARCH_GERATTRS, gap);
-- rc = plugin_call_acl_plugin(pb, e, attrs, NULL,
-- SLAPI_ACL_ALL, ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS,
-- &errbuf);
-- if (NULL != gapnext) {
-- *(gap + 1) = gapnext;
-- }
-- } else if (NULL != e) {
-- rc = plugin_call_acl_plugin(pb, e, attrs, NULL,
-- SLAPI_ACL_ALL, ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS,
-- &errbuf);
-+ if (*(gap + 1)) {
-+ gapnext = *(gap + 1);
-+ *(gap + 1) = NULL;
-+ }
-+ slapi_pblock_set(pb, SLAPI_SEARCH_GERATTRS, gap);
-+ rc = plugin_call_acl_plugin(pb, e, attrs, NULL,
-+ SLAPI_ACL_ALL, ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS,
-+ &errbuf);
-+ if (NULL != gapnext) {
-+ *(gap + 1) = gapnext;
- }
-+ gap++;
-+ /* get the template entry, if any */
-+ slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &e);
- if (NULL == e) {
-- /* get the template entry, if any */
-- slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &e);
-- if (NULL == e) {
-- /* everything is ok - don't send the result */
-- pr_stat = PAGEDRESULTS_SEARCH_END;
-- done = 1;
-- continue;
-- }
-- gerentry = e;
-+ /* everything is ok - don't send the result */
-+ continue;
- }
-+ ger_template_entry = e;
- if (rc != LDAP_SUCCESS) {
- /* Send error result and
- abort op if the control is critical */
-@@ -1294,65 +1320,53 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in
- "Failed to get effective rights for entry (%s), rc=%d\n",
- slapi_entry_get_dn_const(e), rc);
- send_ldap_result(pb, rc, NULL, errbuf, 0, NULL);
-- slapi_ch_free((void **)&errbuf);
-- if (gerentry) {
-- slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, NULL);
-- slapi_entry_free(gerentry);
-- gerentry = e = NULL;
-- }
-- pr_stat = PAGEDRESULTS_SEARCH_END;
- rval = -1;
-- done = 1;
-- continue;
-- }
-- slapi_ch_free((void **)&errbuf);
-- if (process_entry(pb, e, send_result)) {
-- /* shouldn't send this entry */
-- if (gerentry) {
-- slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, NULL);
-- slapi_entry_free(gerentry);
-- gerentry = e = NULL;
-+ } else {
-+ if (!process_entry(pb, e, send_result)) {
-+ /* should send this entry now*/
-+ send_entry(pb, e, operation, attrs, attrsonly, pnentries);
- }
-- continue;
- }
-
-- /*
-- * It's a regular entry, or it's a referral and
-- * managedsait control is on. In either case, send
-- * the entry.
-- */
-- switch (send_ldap_search_entry(pb, e, NULL, attrs, attrsonly)) {
-- case 0: /* entry sent ok */
-- (*pnentries)++;
-- slapi_pblock_set(pb, SLAPI_NENTRIES, pnentries);
-- break;
-- case 1: /* entry not sent */
-- break;
-- case -1: /* connection closed */
-- /*
-- * mark the operation as abandoned so the backend
-- * next entry function gets called again and has
-- * a chance to clean things up.
-- */
-- operation->o_status = SLAPI_OP_STATUS_ABANDONED;
-- break;
-- }
-- if (gerentry) {
-+ slapi_ch_free((void **)&errbuf);
-+ if (ger_template_entry) {
- slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, NULL);
-- slapi_entry_free(gerentry);
-- gerentry = e = NULL;
-+ slapi_entry_free(ger_template_entry);
-+ ger_template_entry = e = NULL;
- }
-- } while (gap && ++gap && *gap);
-+ } /* while ger template */
- slapi_pblock_set(pb, SLAPI_SEARCH_GERATTRS, gerattrs);
- cool_charray_free(gerattrsdup);
-- if (pagesize == *pnentries) {
-- /* PAGED RESULTS: reached the pagesize */
-- /* We don't set "done = 1" here.
-- * We read ahead next entry to check whether there is
-- * more entries to return or not. */
-- pr_stat = PAGEDRESULTS_PAGE_END;
-+ } else {
-+ /* we are processing geteffective rights for an existing entry */
-+ rc = plugin_call_acl_plugin(pb, e, attrs, NULL,
-+ SLAPI_ACL_ALL, ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS,
-+ &errbuf);
-+ if (rc != LDAP_SUCCESS) {
-+ /* Send error result and
-+ abort op if the control is critical */
-+ slapi_log_err(SLAPI_LOG_ERR, "iterate",
-+ "Failed to get effective rights for entry (%s), rc=%d\n",
-+ slapi_entry_get_dn_const(e), rc);
-+ send_ldap_result(pb, rc, NULL, errbuf, 0, NULL);
-+ rval = -1;
-+ } else {
-+ if (!process_entry(pb, e, send_result)) {
-+ /* should send this entry now*/
-+ send_entry(pb, e, operation, attrs, attrsonly, pnentries);
-+ if (pagesize == *pnentries) {
-+ /* PAGED RESULTS: reached the pagesize */
-+ /* We don't set "done = 1" here.
-+ * We read ahead next entry to check whether there is
-+ * more entries to return or not. */
-+ pr_stat = PAGEDRESULTS_PAGE_END;
-+ }
-+ }
- }
-- } else { /* not GET_EFFECTIVE_RIGHTS */
-+ slapi_ch_free((void **)&errbuf);
-+ }
-+ /* not GET_EFFECTIVE_RIGHTS */
-+ } else if (e) {
- if (PAGEDRESULTS_PAGE_END == pr_stat) {
- /*
- * read ahead -- there is at least more entry.
-@@ -1364,46 +1378,21 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in
- }
- /* Adding shadow password attrs. */
- add_shadow_ext_password_attrs(pb, &e);
-- if (process_entry(pb, e, send_result)) {
-- /* shouldn't send this entry */
-- struct slapi_entry *pb_pw_entry = slapi_pblock_get_pw_entry(pb);
-- slapi_entry_free(pb_pw_entry);
-- slapi_pblock_set_pw_entry(pb, NULL);
-- continue;
-- }
--
-- /*
-- * It's a regular entry, or it's a referral and
-- * managedsait control is on. In either case, send
-- * the entry.
-- */
-- switch (send_ldap_search_entry(pb, e, NULL, attrs, attrsonly)) {
-- case 0: /* entry sent ok */
-- (*pnentries)++;
-- slapi_pblock_set(pb, SLAPI_NENTRIES, pnentries);
-- break;
-- case 1: /* entry not sent */
-- break;
-- case -1: /* connection closed */
-- /*
-- * mark the operation as abandoned so the backend
-- * next entry function gets called again and has
-- * a chance to clean things up.
-- */
-- operation->o_status = SLAPI_OP_STATUS_ABANDONED;
-- break;
-+ if (!process_entry(pb, e, send_result)) {
-+ /*this entry was not sent, do it now*/
-+ send_entry(pb, e, operation, attrs, attrsonly, pnentries);
-+ if (pagesize == *pnentries) {
-+ /* PAGED RESULTS: reached the pagesize */
-+ /* We don't set "done = 1" here.
-+ * We read ahead next entry to check whether there is
-+ * more entries to return or not. */
-+ pr_stat = PAGEDRESULTS_PAGE_END;
-+ }
- }
-+ /* cleanup pw entry . sent or not */
- struct slapi_entry *pb_pw_entry = slapi_pblock_get_pw_entry(pb);
- slapi_entry_free(pb_pw_entry);
- slapi_pblock_set_pw_entry(pb, NULL);
-- if (pagesize == *pnentries) {
-- /* PAGED RESULTS: reached the pagesize */
-- /* We don't set "done = 1" here.
-- * We read ahead next entry to check whether there is
-- * more entries to return or not. */
-- pr_stat = PAGEDRESULTS_PAGE_END;
-- }
-- }
- } else {
- /* no more entries */
- done = 1;
---
-2.13.6
-
diff --git a/SOURCES/0051-Ticket-49531-coverity-issues-fix-memory-leaks.patch b/SOURCES/0051-Ticket-49531-coverity-issues-fix-memory-leaks.patch
deleted file mode 100644
index b264ff5..0000000
--- a/SOURCES/0051-Ticket-49531-coverity-issues-fix-memory-leaks.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 7acfb18228322ab2e331720bd7fe083da04625a2 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 12 Jan 2018 09:50:34 -0500
-Subject: [PATCH] Ticket 49531 - coverity issues - fix memory leaks
-
-Description: There were two false positives around pwpolicy struct
- being leaked, but it is freed when the pblock is
- destroyed. The other two leaks were real, but they
- only occurred during error conditions.
-
-https://pagure.io/389-ds-base/issue/49531
-
-Reviewed by: lkrispen (Thanks!)
-
-(cherry picked from commit 700d7422e6309d2d405961abbb805fbfe852e53c)
----
- ldap/servers/plugins/replication/cl5_api.c | 1 +
- ldap/servers/plugins/replication/urp.c | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
-index dc2857910..89ae9956c 100644
---- a/ldap/servers/plugins/replication/cl5_api.c
-+++ b/ldap/servers/plugins/replication/cl5_api.c
-@@ -4046,6 +4046,7 @@ _cl5WriteRUV(CL5DBFile *file, PRBool purge)
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name_cl,
- "_cl5WriteRUV - changelog maxRUV not found in changelog for file %s\n",
- file->name);
-+ ber_bvecfree(vals);
- return CL5_DB_ERROR;
- }
-
-diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c
-index 9534c0322..d4556d7fd 100644
---- a/ldap/servers/plugins/replication/urp.c
-+++ b/ldap/servers/plugins/replication/urp.c
-@@ -861,7 +861,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
- Slapi_Entry *pre_entry = NULL;
- int ret = 0;
- Slapi_DN *pre_sdn = NULL;
-- Slapi_RDN *rdn = slapi_rdn_new();
-+ Slapi_RDN *rdn = NULL;
- char *parentdn = NULL;
- char *newdn;
- const char *entrydn;
-@@ -882,6 +882,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
- entrydn = slapi_entry_get_ndn (pre_entry);*/
- uniqueid = slapi_entry_get_uniqueid (pre_entry);
- parentdn = slapi_dn_parent(entrydn);
-+ rdn = slapi_rdn_new();
- slapi_sdn_get_rdn(pre_sdn, rdn);
- slapi_rdn_remove_attr (rdn, SLAPI_ATTR_UNIQUEID );
- slapi_rdn_add(rdn, "cenotaphID", uniqueid);
---
-2.13.6
-
diff --git a/SOURCES/0052-Ticket-49529-Fix-Coverity-warnings-invalid-deference.patch b/SOURCES/0052-Ticket-49529-Fix-Coverity-warnings-invalid-deference.patch
deleted file mode 100644
index 1d91b81..0000000
--- a/SOURCES/0052-Ticket-49529-Fix-Coverity-warnings-invalid-deference.patch
+++ /dev/null
@@ -1,503 +0,0 @@
-From 0b5cbcf45f3fb4b03a1f762c5704183787d30696 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 12 Jan 2018 08:38:22 -0500
-Subject: [PATCH] Ticket 49529 - Fix Coverity warnings: invalid deferences
-
-Description: So many of the warnings were false positives, but
- I "fixed" 90% of them anyway for these two reasons:
-
- One, it's possible that a future change could actually
- result in a NULL pointer being referenced.
-
- Two, it would be nice to stop these coverity warnings
- so we can focus on real warnings. Auto waivers also
- don't always work as the surrounding code changes.
-
-https://pagure.io/389-ds-base/issue/49529
-
-Reviewed by: firstyear (Thanks!)
-
-(cherry picked from commit 7e27face5ef021d883a44d70bb3e9732b115016f)
----
- ldap/servers/slapd/abandon.c | 10 ++++++++--
- ldap/servers/slapd/add.c | 18 +++++++++++++++---
- ldap/servers/slapd/bind.c | 20 +++++++++++++++-----
- ldap/servers/slapd/compare.c | 17 +++++++++++++----
- ldap/servers/slapd/connection.c | 19 +++++++++++++------
- ldap/servers/slapd/delete.c | 4 ++--
- ldap/servers/slapd/dn.c | 7 +++++++
- ldap/servers/slapd/entry.c | 10 +++++++++-
- ldap/servers/slapd/extendop.c | 7 +++++++
- ldap/servers/slapd/filter.c | 6 +++++-
- ldap/servers/slapd/modify.c | 18 ++++++++++++++++--
- ldap/servers/slapd/passwd_extop.c | 4 ++++
- ldap/servers/slapd/psearch.c | 13 +++++++++----
- ldap/servers/slapd/result.c | 14 +++++++++++++-
- ldap/servers/slapd/search.c | 5 ++++-
- ldap/servers/slapd/task.c | 5 +++++
- 16 files changed, 145 insertions(+), 32 deletions(-)
-
-diff --git a/ldap/servers/slapd/abandon.c b/ldap/servers/slapd/abandon.c
-index 5c30c972d..e2237e5fc 100644
---- a/ldap/servers/slapd/abandon.c
-+++ b/ldap/servers/slapd/abandon.c
-@@ -42,10 +42,16 @@ do_abandon(Slapi_PBlock *pb)
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-
-- BerElement *ber = pb_op->o_ber;
--
- slapi_log_err(SLAPI_LOG_TRACE, "do_abandon", "->\n");
-
-+ if (pb_op == NULL || pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "do_abandon", "NULL param: pb_conn (0x%p) pb_op (0x%p)\n",
-+ pb_conn, pb_op);
-+ return;
-+ }
-+
-+ BerElement *ber = pb_op->o_ber;
-+
- /*
- * Parse the abandon request. It looks like this:
- *
-diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
-index 0a4a5d7b2..8f2fdeac8 100644
---- a/ldap/servers/slapd/add.c
-+++ b/ldap/servers/slapd/add.c
-@@ -66,6 +66,14 @@ do_add(Slapi_PBlock *pb)
-
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
-+
-+
-+ if (operation == NULL || pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "do_add", "NULL param: pb_conn (0x%p) pb_op (0x%p)\n",
-+ pb_conn, operation);
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "param error", 0, NULL);
-+ return;
-+ }
- ber = operation->o_ber;
-
- /* count the add request */
-@@ -450,8 +458,8 @@ op_shared_add(Slapi_PBlock *pb)
-
- if (!internal_op) {
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d ADD dn=\"%s\"%s\n",
-- pb_conn->c_connid,
-- operation->o_opid,
-+ pb_conn ? pb_conn->c_connid : -1,
-+ operation ? operation->o_opid: -1,
- slapi_entry_get_dn_const(e),
- proxystr ? proxystr : "");
- } else {
-@@ -865,7 +873,11 @@ handle_fast_add(Slapi_PBlock *pb, Slapi_Entry *entry)
- int ret;
-
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
--
-+ if (pb_conn == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "handle_fast_add", "NULL param: pb_conn (0x%p)\n", pb_conn);
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "param error", 0, NULL);
-+ return;
-+ }
- be = pb_conn->c_bi_backend;
-
- if ((be == NULL) || (be->be_wire_import == NULL)) {
-diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
-index 4a8e4deaf..a34a21a77 100644
---- a/ldap/servers/slapd/bind.c
-+++ b/ldap/servers/slapd/bind.c
-@@ -54,11 +54,7 @@ do_bind(Slapi_PBlock *pb)
- {
- Operation *pb_op = NULL;
- Connection *pb_conn = NULL;
--
-- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
--
-- BerElement *ber = pb_op->o_ber;
-+ BerElement *ber;
- int err, isroot;
- ber_tag_t method = LBER_DEFAULT;
- ber_int_t version = -1;
-@@ -83,6 +79,16 @@ do_bind(Slapi_PBlock *pb)
-
- slapi_log_err(SLAPI_LOG_TRACE, "do_bind", "=>\n");
-
-+ slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-+ slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (pb_op == NULL || pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "do_bind", "NULL param: pb_conn (0x%p) pb_op (0x%p)\n",
-+ pb_conn, pb_op);
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL);
-+ goto free_and_return;
-+ }
-+ ber = pb_op->o_ber;
-+
- /*
- * Parse the bind request. It looks like this:
- *
-@@ -856,6 +862,10 @@ log_bind_access(
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-
-+ if (pb_op == NULL || pb_conn == NULL) {
-+ return;
-+ }
-+
- if (method == LDAP_AUTH_SASL && saslmech && msg) {
- slapi_log_access(LDAP_DEBUG_STATS,
- "conn=%" PRIu64 " op=%d BIND dn=\"%s\" "
-diff --git a/ldap/servers/slapd/compare.c b/ldap/servers/slapd/compare.c
-index 9bc6b693a..2626d91d0 100644
---- a/ldap/servers/slapd/compare.c
-+++ b/ldap/servers/slapd/compare.c
-@@ -35,10 +35,7 @@ do_compare(Slapi_PBlock *pb)
- {
- Operation *pb_op = NULL;
- Connection *pb_conn = NULL;
-- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
--
-- BerElement *ber = pb_op->o_ber;
-+ BerElement *ber;
- char *rawdn = NULL;
- const char *dn = NULL;
- struct ava ava = {0};
-@@ -50,6 +47,18 @@ do_compare(Slapi_PBlock *pb)
-
- slapi_log_err(SLAPI_LOG_TRACE, "do_compare", "=>\n");
-
-+ slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-+ slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+
-+ if (pb_op == NULL || pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "do_compare", "NULL param: pb_conn (0x%p) pb_op (0x%p)\n",
-+ pb_conn, pb_op);
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL);
-+ goto free_and_return;
-+ }
-+
-+ ber = pb_op->o_ber;
-+
- /* count the compare request */
- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsCompareOps);
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index 8ef115691..fa24ec040 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1518,7 +1518,7 @@ connection_threadmain()
- }
-
- if (!thread_turbo_flag && !more_data) {
-- Connection *pb_conn = NULL;
-+ Connection *pb_conn = NULL;
-
- /* If more data is left from the previous connection_read_operation,
- we should finish the op now. Client might be thinking it's
-@@ -1530,6 +1530,13 @@ connection_threadmain()
- * Connection wait for new work provides the conn and op for us.
- */
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain",
-+ "pb_conn is NULL\n");
-+ slapi_pblock_destroy(pb);
-+ g_decr_active_threadcnt();
-+ return;
-+ }
-
- switch (ret) {
- case CONN_NOWORK:
-@@ -1702,11 +1709,11 @@ connection_threadmain()
- * so need locking from here on */
- signal_listner();
- /* with nunc-stans, I see an enormous amount of time spent in the poll() in
-- * connection_read_operation() when the below code is enabled - not sure why
-- * nunc-stans makes such a huge difference - for now, just disable this code
-- * when using nunc-stans - it is supposed to be an optimization but turns out
-- * to not be the opposite with nunc-stans
-- */
-+ * connection_read_operation() when the below code is enabled - not sure why
-+ * nunc-stans makes such a huge difference - for now, just disable this code
-+ * when using nunc-stans - it is supposed to be an optimization but turns out
-+ * to not be the opposite with nunc-stans
-+ */
- } else if (!enable_nunc_stans) { /* more data in conn - just put back on work_q - bypass poll */
- bypasspollcnt++;
- PR_EnterMonitor(conn->c_mutex);
-diff --git a/ldap/servers/slapd/delete.c b/ldap/servers/slapd/delete.c
-index ba238b18f..49cdab138 100644
---- a/ldap/servers/slapd/delete.c
-+++ b/ldap/servers/slapd/delete.c
-@@ -262,8 +262,8 @@ op_shared_delete(Slapi_PBlock *pb)
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d DEL dn=\"%s\"%s\n",
-- pb_conn->c_connid,
-- pb_op->o_opid,
-+ pb_conn ? pb_conn->c_connid : -1,
-+ pb_op ? pb_op->o_opid : -1,
- slapi_sdn_get_dn(sdn),
- proxystr ? proxystr : "");
- } else {
-diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
-index afca37214..abc155533 100644
---- a/ldap/servers/slapd/dn.c
-+++ b/ldap/servers/slapd/dn.c
-@@ -2477,6 +2477,13 @@ slapi_sdn_copy(const Slapi_DN *from, Slapi_DN *to)
- {
- SDN_DUMP(from, "slapi_sdn_copy from");
- SDN_DUMP(to, "slapi_sdn_copy to");
-+
-+ if (to == NULL || from == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "slapi_sdn_copy",
-+ "NULL param: from (0x%p) to (0x%p)\n", from, to);
-+ return;
-+ }
-+
- slapi_sdn_done(to);
- if (from->udn) {
- to->flag = slapi_setbit_uchar(to->flag, FLAG_UDN);
-diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
-index fbbc8faa0..32828b4e2 100644
---- a/ldap/servers/slapd/entry.c
-+++ b/ldap/servers/slapd/entry.c
-@@ -1998,6 +1998,10 @@ slapi_entry_dup(const Slapi_Entry *e)
- struct attrs_in_extension *aiep;
-
- PR_ASSERT(NULL != e);
-+ if (e == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "slapi_entry_dup", "entry is NULL\n");
-+ return NULL;
-+ }
-
- ec = slapi_entry_alloc();
-
-@@ -3660,7 +3664,11 @@ delete_values_sv_internal(
- Slapi_Attr *a;
- int retVal = LDAP_SUCCESS;
-
--/*
-+ if (e == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "delete_values_sv_internal", "entry is NULL\n");
-+ return LDAP_OPERATIONS_ERROR;
-+ }
-+ /*
- * If type is in the protected_attrs_all list, we could ignore the failure,
- * as the attribute could only exist in the entry in the memory when the
- * add/mod operation is done, while the retried entry from the db does not
-diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
-index 1594a8c9c..815949be6 100644
---- a/ldap/servers/slapd/extendop.c
-+++ b/ldap/servers/slapd/extendop.c
-@@ -219,6 +219,13 @@ do_extended(Slapi_PBlock *pb)
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-
-+ if (pb_conn == NULL || pb_op == NULL) {
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "param error", 0, NULL);
-+ slapi_log_err(SLAPI_LOG_ERR, "do_extended",
-+ "NULL param error: conn (0x%p) op (0x%p)\n", pb_conn, pb_op);
-+ goto free_and_return;
-+ }
-+
- /*
- * Parse the extended request. It looks like this:
- *
-diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
-index fe3525f34..ef975e679 100644
---- a/ldap/servers/slapd/filter.c
-+++ b/ldap/servers/slapd/filter.c
-@@ -292,7 +292,11 @@ get_filter_internal(Connection *conn, BerElement *ber, struct slapi_filter **fil
-
- case LDAP_FILTER_EXTENDED:
- slapi_log_err(SLAPI_LOG_FILTER, "get_filter_internal", "EXTENDED\n");
-- if (conn->c_ldapversion < 3) {
-+ if (conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "get_filter_internal",
-+ "NULL param: conn (0x%p)\n", conn);
-+ err = LDAP_OPERATIONS_ERROR;
-+ } else if (conn->c_ldapversion < 3) {
- slapi_log_err(SLAPI_LOG_ERR, "get_filter_internal",
- "Extensible filter received from v2 client\n");
- err = LDAP_PROTOCOL_ERROR;
-diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index 0dcac646b..10d263159 100644
---- a/ldap/servers/slapd/modify.c
-+++ b/ldap/servers/slapd/modify.c
-@@ -122,9 +122,16 @@ do_modify(Slapi_PBlock *pb)
- slapi_log_err(SLAPI_LOG_TRACE, "do_modify", "=>\n");
-
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
-- ber = operation->o_ber;
--
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (operation == NULL) {
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR,
-+ NULL, "operation is NULL parameter", 0, NULL);
-+ slapi_log_err(SLAPI_LOG_ERR, "do_modify",
-+ "NULL param: pb_conn (0x%p) operation (0x%p)\n", pb_conn, operation);
-+ return;
-+ }
-+
-+ ber = operation->o_ber;
-
- /* count the modify request */
- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsModifyEntryOps);
-@@ -1165,6 +1172,13 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- internal_op = operation_is_flag_set(operation, OP_FLAG_INTERNAL);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-
-+ if (pb_conn == NULL || operation == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "op_shared_allow_pw_change",
-+ "NULL param error: conn (0x%p) op (0x%p)\n", pb_conn, operation);
-+ rc = -1;
-+ goto done;
-+ }
-+
- slapi_sdn_init_dn_byref(&sdn, dn);
- pwpolicy = new_passwdPolicy(pb, (char *)slapi_sdn_get_ndn(&sdn));
-
-diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
-index 54a9a6716..40145af2e 100644
---- a/ldap/servers/slapd/passwd_extop.c
-+++ b/ldap/servers/slapd/passwd_extop.c
-@@ -486,6 +486,10 @@ passwd_modify_extop(Slapi_PBlock *pb)
- /* Allow password modify only for SSL/TLS established connections and
- * connections using SASL privacy layers */
- slapi_pblock_get(pb, SLAPI_CONNECTION, &conn);
-+ if (conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "passwd_modify_extop", "conn is NULL");
-+ goto free_and_return;
-+ }
- if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
- errMesg = "Could not get SASL SSF from connection\n";
- rc = LDAP_OPERATIONS_ERROR;
-diff --git a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c
-index e0dd2bf89..1bf062954 100644
---- a/ldap/servers/slapd/psearch.c
-+++ b/ldap/servers/slapd/psearch.c
-@@ -271,6 +271,11 @@ ps_send_results(void *arg)
- slapi_pblock_get(ps->ps_pblock, SLAPI_CONNECTION, &pb_conn);
- slapi_pblock_get(ps->ps_pblock, SLAPI_OPERATION, &pb_op);
-
-+ if (pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "ps_send_results", "pb_conn is NULL\n");
-+ return;
-+ }
-+
- /* need to acquire a reference to this connection so that it will not
- be released or cleaned up out from under us */
- PR_EnterMonitor(pb_conn->c_mutex);
-@@ -280,7 +285,7 @@ ps_send_results(void *arg)
- if (conn_acq_flag) {
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
- "conn=%" PRIu64 " op=%d Could not acquire the connection - psearch aborted\n",
-- pb_conn->c_connid, pb_op->o_opid);
-+ pb_conn->c_connid, pb_op ? pb_op->o_opid : -1);
- }
-
- PR_Lock(psearch_list->pl_cvarlock);
-@@ -290,7 +295,7 @@ ps_send_results(void *arg)
- if (pb_op == NULL || slapi_op_abandoned(ps->ps_pblock)) {
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
- "conn=%" PRIu64 " op=%d The operation has been abandoned\n",
-- pb_conn->c_connid, pb_op->o_opid);
-+ pb_conn->c_connid, pb_op ? pb_op->o_opid : -1);
- break;
- }
- if (NULL == ps->ps_eq_head) {
-@@ -532,7 +537,7 @@ ps_service_persistent_searches(Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t chg
- slapi_log_err(SLAPI_LOG_CONNS, "ps_service_persistent_searches",
- "conn=%" PRIu64 " op=%d entry %s with chgtype %d "
- "matches the ps changetype %d\n",
-- pb_conn->c_connid,
-+ pb_conn ? pb_conn->c_connid : -1,
- pb_op->o_opid,
- edn, chgtype, ps->ps_changetypes);
-
-@@ -609,7 +614,7 @@ ps_service_persistent_searches(Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t chg
- /* Turn 'em loose */
- ps_wakeup_all();
- slapi_log_err(SLAPI_LOG_TRACE, "ps_service_persistent_searches", "Enqueued entry "
-- "\"%s\" on %d persistent search lists\n",
-+ "\"%s\" on %d persistent search lists\n",
- slapi_entry_get_dn_const(e), matched);
- } else {
- slapi_log_err(SLAPI_LOG_TRACE, "ps_service_persistent_searches",
-diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
-index 2302ae96b..ce394d948 100644
---- a/ldap/servers/slapd/result.c
-+++ b/ldap/servers/slapd/result.c
-@@ -396,7 +396,7 @@ send_ldap_result_ext(
- break;
-
- case LDAP_REFERRAL:
-- if (conn->c_ldapversion > LDAP_VERSION2) {
-+ if (conn && conn->c_ldapversion > LDAP_VERSION2) {
- tag = LDAP_TAG_REFERRAL;
- break;
- }
-@@ -645,6 +645,11 @@ process_read_entry_controls(Slapi_PBlock *pb, char *oid)
- BerElement *req_ber = NULL;
- Operation *op = NULL;
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
-+ if (op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "process_read_entry_controls", "op is NULL\n");
-+ rc = -1;
-+ goto done;
-+ }
-
- if (strcmp(oid, LDAP_CONTROL_PRE_READ_ENTRY) == 0) {
- /* first verify this is the correct operation for a pre-read entry control */
-@@ -2145,6 +2150,13 @@ encode_read_entry(Slapi_PBlock *pb, Slapi_Entry *e, char **attrs, int alluseratt
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &conn);
-
-+ if (conn == NULL || op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "encode_read_entry",
-+ "NULL param error: conn (0x%p) op (0x%p)\n", conn, op);
-+ rc = -1;
-+ goto cleanup;
-+ }
-+
- /* Start the ber encoding with the DN */
- rc = ber_printf(ber, "t{s{", LDAP_RES_SEARCH_ENTRY, slapi_entry_get_dn_const(e));
- if (rc == -1) {
-diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
-index 5e3413245..731c6519e 100644
---- a/ldap/servers/slapd/search.c
-+++ b/ldap/servers/slapd/search.c
-@@ -125,7 +125,10 @@ do_search(Slapi_PBlock *pb)
- goto free_and_return;
- }
-
-- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn) != 0 || pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "do_search", "pb_conn is NULL\n");
-+ goto free_and_return;
-+ }
-
- /*
- * If nsslapd-minssf-exclude-rootdse is on, the minssf check has been
-diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
-index 53a0af52d..002083c04 100644
---- a/ldap/servers/slapd/task.c
-+++ b/ldap/servers/slapd/task.c
-@@ -199,6 +199,11 @@ slapi_task_log_status(Slapi_Task *task, char *format, ...)
- {
- va_list ap;
-
-+ if (task == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "slapi_task_log_status",
-+ "Slapi_Task is NULL, can not log status\n");
-+ return;
-+ }
- if (!task->task_status)
- task->task_status = (char *)slapi_ch_malloc(10 * LOG_BUFFER);
- if (!task->task_status)
---
-2.13.6
-
diff --git a/SOURCES/0053-Ticket-49463-After-cleanALLruv-there-is-a-flow-of-ke.patch b/SOURCES/0053-Ticket-49463-After-cleanALLruv-there-is-a-flow-of-ke.patch
deleted file mode 100644
index c0f08f7..0000000
--- a/SOURCES/0053-Ticket-49463-After-cleanALLruv-there-is-a-flow-of-ke.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-From 0ac68e15a9a4048d3c1ad4519000996cd65fdefb Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Fri, 1 Dec 2017 16:23:11 +0100
-Subject: [PATCH] Ticket 49463 - After cleanALLruv, there is a flow of keep
- alive DEL
-
-Bug Description:
- When cleanAllRuv is launched, it spawn cleanAllRuv on all replicas.
- Each replica will clean its changelog and database RUV AND in addition
- will DEL the keep alive entry of the target ReplicaID.
- So for the same entry (keep alive) there will be as many DEL as there are replicas
-
- This flow of DEL is useless as only one DEL is enough.
- In addition because of https://pagure.io/389-ds-base/issue/49466, replication may
- loop on each of those DELs.
-
-Fix Description:
- The fix is only to prevent the flow of DEL.
- It adds a flag ('original_task') in the task payload.
- The server receiving the task (replica_execute_cleanall_ruv_task) flags the
- task as 'original_task'.
- In the opposite, the propagated cleanAllRuv (multimaster_extop_cleanruv) does
- not flag the task as 'original_task'
- Only original task does the DEL of the keep alive entry.
- Note the propageted payload (extop) is not changed. In a mixed version
- environment "old" servers will DEL the keep alive and flow can still happen
-
-https://pagure.io/389-ds-base/issue/49466
-
-Reviewed by: Ludwig Krispenz
-
-Platforms tested: F23
-
-Flag Day: no
-
-Doc impact: no
----
- ldap/servers/plugins/replication/repl5.h | 49 ++++++++++++----------
- ldap/servers/plugins/replication/repl5_replica.c | 21 ++++++++++
- .../plugins/replication/repl5_replica_config.c | 32 +++++++++++---
- ldap/servers/plugins/replication/repl_extop.c | 2 +
- 4 files changed, 76 insertions(+), 28 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
-index 4e206a0fc..e08fec752 100644
---- a/ldap/servers/plugins/replication/repl5.h
-+++ b/ldap/servers/plugins/replication/repl5.h
-@@ -783,12 +783,37 @@ void multimaster_mtnode_construct_replicas(void);
-
- void multimaster_be_state_change(void *handle, char *be_name, int old_be_state, int new_be_state);
-
-+#define CLEANRIDSIZ 64 /* maximum number for concurrent CLEANALLRUV tasks */
-+
-+typedef struct _cleanruv_data
-+{
-+ Object *repl_obj;
-+ Replica *replica;
-+ ReplicaId rid;
-+ Slapi_Task *task;
-+ struct berval *payload;
-+ CSN *maxcsn;
-+ char *repl_root;
-+ Slapi_DN *sdn;
-+ char *certify;
-+ char *force;
-+ PRBool original_task;
-+} cleanruv_data;
-+
-+typedef struct _cleanruv_purge_data
-+{
-+ int cleaned_rid;
-+ const Slapi_DN *suffix_sdn;
-+ char *replName;
-+ char *replGen;
-+} cleanruv_purge_data;
-+
- /* In repl5_replica_config.c */
- int replica_config_init(void);
- void replica_config_destroy(void);
- int get_replica_type(Replica *r);
- int replica_execute_cleanruv_task_ext(Object *r, ReplicaId rid);
--void add_cleaned_rid(ReplicaId rid, Replica *r, char *maxcsn, char *forcing);
-+void add_cleaned_rid(cleanruv_data *data, char *maxcsn);
- int is_cleaned_rid(ReplicaId rid);
- int replica_cleanall_ruv_abort(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter, int *returncode, char *returntext, void *arg);
- void replica_cleanallruv_thread_ext(void *arg);
-@@ -808,29 +833,7 @@ void set_cleaned_rid(ReplicaId rid);
- void cleanruv_log(Slapi_Task *task, int rid, char *task_type, int sev_level, char *fmt, ...);
- char *replica_cleanallruv_get_local_maxcsn(ReplicaId rid, char *base_dn);
-
--#define CLEANRIDSIZ 64 /* maximum number for concurrent CLEANALLRUV tasks */
-
--typedef struct _cleanruv_data
--{
-- Object *repl_obj;
-- Replica *replica;
-- ReplicaId rid;
-- Slapi_Task *task;
-- struct berval *payload;
-- CSN *maxcsn;
-- char *repl_root;
-- Slapi_DN *sdn;
-- char *certify;
-- char *force;
--} cleanruv_data;
--
--typedef struct _cleanruv_purge_data
--{
-- int cleaned_rid;
-- const Slapi_DN *suffix_sdn;
-- char *replName;
-- char *replGen;
--} cleanruv_purge_data;
-
- /* replutil.c */
- LDAPControl *create_managedsait_control(void);
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index 77f4f18e4..e75807a62 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -2120,6 +2120,7 @@ replica_check_for_tasks(Replica *r, Slapi_Entry *e)
- char csnstr[CSN_STRSIZE];
- char *token = NULL;
- char *forcing;
-+ PRBool original_task;
- char *csnpart;
- char *ridstr;
- char *iter = NULL;
-@@ -2151,8 +2152,15 @@ replica_check_for_tasks(Replica *r, Slapi_Entry *e)
- csn_init_by_string(maxcsn, csnpart);
- csn_as_string(maxcsn, PR_FALSE, csnstr);
- forcing = ldap_utf8strtok_r(iter, ":", &iter);
-+ original_task = PR_TRUE;
- if (forcing == NULL) {
- forcing = "no";
-+ } else if (!strcasecmp(forcing, "yes") || !strcasecmp(forcing, "no")) {
-+ /* forcing was correctly set, lets try to read the original task flag */
-+ token = ldap_utf8strtok_r(iter, ":", &iter);
-+ if (token && !atoi(token)) {
-+ original_task = PR_FALSE;
-+ }
- }
-
- slapi_log_err(SLAPI_LOG_NOTICE, repl_plugin_name, "CleanAllRUV Task - cleanAllRUV task found, "
-@@ -2190,6 +2198,13 @@ replica_check_for_tasks(Replica *r, Slapi_Entry *e)
- data->force = slapi_ch_strdup(forcing);
- data->repl_root = NULL;
-
-+ /* This is a corner case, a cleanAllRuv task was interrupted by a shutdown or a crash
-+ * We retrieved from type_replicaCleanRUV if the cleanAllRuv request
-+ * was received from a direct task ADD or if was received via
-+ * the cleanAllRuv extop.
-+ */
-+ data->original_task = original_task;
-+
- thread = PR_CreateThread(PR_USER_THREAD, replica_cleanallruv_thread_ext,
- (void *)data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
- PR_UNJOINABLE_THREAD, SLAPD_DEFAULT_THREAD_STACKSIZE);
-@@ -2284,6 +2299,12 @@ replica_check_for_tasks(Replica *r, Slapi_Entry *e)
- data->sdn = slapi_sdn_dup(r->repl_root);
- data->certify = slapi_ch_strdup(certify);
-
-+ /* This is a corner case, a cleanAllRuv task was interrupted by a shutdown or a crash
-+ * Let's assum this replica was the original receiver of the task.
-+ * This flag has no impact on Abort cleanAllRuv
-+ */
-+ data->original_task = PR_TRUE;
-+
- thread = PR_CreateThread(PR_USER_THREAD, replica_abort_task_thread,
- (void *)data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
- PR_UNJOINABLE_THREAD, SLAPD_DEFAULT_THREAD_STACKSIZE);
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index 005528a41..95b933bb8 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -1573,6 +1573,11 @@ replica_execute_cleanall_ruv_task(Object *r, ReplicaId rid, Slapi_Task *task, co
- data->repl_root = slapi_ch_strdup(basedn);
- data->force = slapi_ch_strdup(force_cleaning);
-
-+ /* It is either a consequence of a direct ADD cleanAllRuv task
-+ * or modify of the replica to add nsds5task: cleanAllRuv
-+ */
-+ data->original_task = PR_TRUE;
-+
- thread = PR_CreateThread(PR_USER_THREAD, replica_cleanallruv_thread,
- (void *)data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
- PR_UNJOINABLE_THREAD, SLAPD_DEFAULT_THREAD_STACKSIZE);
-@@ -1702,7 +1707,7 @@ replica_cleanallruv_thread(void *arg)
- /*
- * Add the cleanallruv task to the repl config - so we can handle restarts
- */
-- add_cleaned_rid(data->rid, data->replica, csnstr, data->force); /* marks config that we started cleaning a rid */
-+ add_cleaned_rid(data, csnstr); /* marks config that we started cleaning a rid */
- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Cleaning rid (%d)...", data->rid);
- /*
- * First, wait for the maxcsn to be covered
-@@ -1878,7 +1883,13 @@ done:
- */
- delete_cleaned_rid_config(data);
- check_replicas_are_done_cleaning(data);
-- remove_keep_alive_entry(data->task, data->rid, data->repl_root);
-+ if (data->original_task) {
-+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Original task deletes Keep alive entry (%d).", data->rid);
-+ remove_keep_alive_entry(data->task, data->rid, data->repl_root);
-+ } else {
-+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Propagated task does not delete Keep alive entry (%d).", data->rid);
-+ }
-+
- clean_agmts(data);
- remove_cleaned_rid(data->rid);
- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Successfully cleaned rid(%d).", data->rid);
-@@ -2029,7 +2040,7 @@ check_replicas_are_done_cleaning(cleanruv_data *data)
- "Waiting for all the replicas to finish cleaning...");
-
- csn_as_string(data->maxcsn, PR_FALSE, csnstr);
-- filter = PR_smprintf("(%s=%d:%s:%s)", type_replicaCleanRUV, (int)data->rid, csnstr, data->force);
-+ filter = PR_smprintf("(%s=%d:%s:%s:%d)", type_replicaCleanRUV, (int)data->rid, csnstr, data->force, data->original_task ? 1 : 0);
- while (not_all_cleaned && !is_task_aborted(data->rid) && !slapi_is_shutting_down()) {
- agmt_obj = agmtlist_get_first_agreement_for_replica(data->replica);
- if (agmt_obj == NULL) {
-@@ -2502,7 +2513,7 @@ set_cleaned_rid(ReplicaId rid)
- * Add the rid and maxcsn to the repl config (so we can resume after a server restart)
- */
- void
--add_cleaned_rid(ReplicaId rid, Replica *r, char *maxcsn, char *forcing)
-+add_cleaned_rid(cleanruv_data *cleanruv_data, char *maxcsn)
- {
- Slapi_PBlock *pb;
- struct berval *vals[2];
-@@ -2512,6 +2523,16 @@ add_cleaned_rid(ReplicaId rid, Replica *r, char *maxcsn, char *forcing)
- char data[CSN_STRSIZE + 10];
- char *dn;
- int rc;
-+ ReplicaId rid;
-+ Replica *r;
-+ char *forcing;
-+
-+ if (data == NULL) {
-+ return;
-+ }
-+ rid = cleanruv_data->rid;
-+ r = cleanruv_data->replica;
-+ forcing = cleanruv_data->force;
-
- if (r == NULL || maxcsn == NULL) {
- return;
-@@ -2519,7 +2540,7 @@ add_cleaned_rid(ReplicaId rid, Replica *r, char *maxcsn, char *forcing)
- /*
- * Write the rid & maxcsn to the config entry
- */
-- val.bv_len = PR_snprintf(data, sizeof(data), "%d:%s:%s", rid, maxcsn, forcing);
-+ val.bv_len = PR_snprintf(data, sizeof(data), "%d:%s:%s:%d", rid, maxcsn, forcing, cleanruv_data->original_task ? 1 : 0);
- dn = replica_get_dn(r);
- pb = slapi_pblock_new();
- mod.mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES;
-@@ -2961,6 +2982,7 @@ replica_cleanall_ruv_abort(Slapi_PBlock *pb __attribute__((unused)),
- data->repl_root = slapi_ch_strdup(base_dn);
- data->sdn = NULL;
- data->certify = slapi_ch_strdup(certify_all);
-+ data->original_task = PR_TRUE;
-
- thread = PR_CreateThread(PR_USER_THREAD, replica_abort_task_thread,
- (void *)data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
-diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c
-index c49c6bd8d..68e2544b4 100644
---- a/ldap/servers/plugins/replication/repl_extop.c
-+++ b/ldap/servers/plugins/replication/repl_extop.c
-@@ -1412,6 +1412,7 @@ multimaster_extop_abort_cleanruv(Slapi_PBlock *pb)
- data->rid = rid;
- data->repl_root = slapi_ch_strdup(repl_root);
- data->certify = slapi_ch_strdup(certify_all);
-+ data->original_task = PR_FALSE;
- /*
- * Set the aborted rid and stop the cleaning
- */
-@@ -1555,6 +1556,7 @@ multimaster_extop_cleanruv(Slapi_PBlock *pb)
- data->payload = slapi_ch_bvdup(extop_payload);
- data->force = slapi_ch_strdup(force);
- data->repl_root = slapi_ch_strdup(repl_root);
-+ data->original_task = PR_FALSE;
-
- thread = PR_CreateThread(PR_USER_THREAD, replica_cleanallruv_thread_ext,
- (void *)data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD,
---
-2.13.6
-
diff --git a/SOURCES/0054-Ticket-49532-coverity-issues-fix-compiler-warnings-c.patch b/SOURCES/0054-Ticket-49532-coverity-issues-fix-compiler-warnings-c.patch
deleted file mode 100644
index 278a45e..0000000
--- a/SOURCES/0054-Ticket-49532-coverity-issues-fix-compiler-warnings-c.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From cfa194289ee0c9d26d5775f0b67cf9b481bf357f Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 12 Jan 2018 10:37:18 -0500
-Subject: [PATCH] Ticket 49532 - coverity issues - fix compiler warnings &
- clang issues
-
-Description: Fixed all the warnings
-
-https://pagure.io/389-ds-base/issue/49532
-
-Reviewed by: tbordaz(Thanks!)
-
-(cherry picked from commit 05907ae05c8a88a64b86747879c002d55d356673)
----
- ldap/servers/slapd/back-ldbm/idl_set.c | 4 ++--
- ldap/servers/slapd/control.c | 2 +-
- src/nunc-stans/ns/ns_thrpool.c | 7 ++++++-
- 3 files changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/ldap/servers/slapd/back-ldbm/idl_set.c b/ldap/servers/slapd/back-ldbm/idl_set.c
-index b68e7ab76..f9a900f1f 100644
---- a/ldap/servers/slapd/back-ldbm/idl_set.c
-+++ b/ldap/servers/slapd/back-ldbm/idl_set.c
-@@ -270,7 +270,7 @@ idl_set_union(IDListSet *idl_set, backend *be)
- * Allocate a new set based on the size of our sets.
- */
- IDList *result_list = idl_alloc(idl_set->total_size);
-- IDList *idl = idl_set->head;
-+ IDList *idl = NULL;
- IDList *idl_del = NULL;
- IDList *prev_idl = NULL;
- NIDS last_min = 0;
-@@ -398,7 +398,7 @@ idl_set_intersect(IDListSet *idl_set, backend *be)
- * we don't care if we have allids here, because we'll ignore it anyway.
- */
- result_list = idl_alloc(idl_set->minimum->b_nids);
-- IDList *idl = idl_set->head;
-+ IDList *idl = NULL;
-
- /* The previous value we inserted. */
- NIDS last_min = 0;
-diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c
-index 91d8abb95..366ec7897 100644
---- a/ldap/servers/slapd/control.c
-+++ b/ldap/servers/slapd/control.c
-@@ -337,7 +337,7 @@ get_ldapmessage_controls_ext(
- slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found);
- slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found);
- slapi_log_err(SLAPI_LOG_CONNS, "get_ldapmessage_controls_ext", "Warning: conn=%" PRIu64 " op=%d contains an empty list of controls\n",
-- pb_conn->c_connid, pb_op->o_opid);
-+ pb_conn ? pb_conn->c_connid : -1, pb_op ? pb_op->o_opid : -1);
- } else {
- /* len, ber_len_t is uint, not int, cannot be != -1, may be better to remove this check. */
- if ((tag != LBER_END_OF_SEQORSET) && (len != -1)) {
-diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c
-index 1d8bb03f1..d95b0c38b 100644
---- a/src/nunc-stans/ns/ns_thrpool.c
-+++ b/src/nunc-stans/ns/ns_thrpool.c
-@@ -1587,7 +1587,12 @@ ns_thrpool_shutdown(struct ns_thrpool_t *tp)
- */
- for (size_t i = 0; i < tp->thread_count; i++) {
- ns_result_t result = ns_add_shutdown_job(tp);
-- PR_ASSERT(result == NS_SUCCESS);
-+ if (result != NS_SUCCESS) {
-+#ifdef DEBUG
-+ ns_log(LOG_DEBUG, "ns_thrpool_shutdown - Failed to add shutdown job: error (%d)\n", result);
-+#endif
-+ PR_ASSERT(0);
-+ }
- }
- /* Make sure all threads are woken up to their shutdown jobs. */
- pthread_mutex_lock(&(tp->work_q_lock));
---
-2.13.6
-
diff --git a/SOURCES/0055-Ticket-49523-memberof-schema-violation-error-message.patch b/SOURCES/0055-Ticket-49523-memberof-schema-violation-error-message.patch
deleted file mode 100644
index d55ffac..0000000
--- a/SOURCES/0055-Ticket-49523-memberof-schema-violation-error-message.patch
+++ /dev/null
@@ -1,225 +0,0 @@
-From 60198729ba59f673aae2ae1db1d9668b674ad429 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Fri, 5 Jan 2018 15:31:44 +0100
-Subject: [PATCH] Ticket 49523 - memberof: schema violation error message is
- confusing as memberof will likely repair target entry
-
-Bug Description:
- When memberof is enabled it adds 'memberof' attribute to members entries.
- If a member entry has not the appropriate objectclass to support 'memberof' attribute an ERR is logged.
-
- ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed
-
- This is confusing because memberof will catch this violation and may try to repair it.
- So although this message is alarming, the target entry may finally have the 'memberof' attribute.
-
- This is especially confusing since https://pagure.io/389-ds-base/issue/48985 where the repair operation
- is done by default (if schema is violated)
-
- We can not (and should not) eliminate the schema violation message.
- But memberof should log a additional warning (beside the schema violation msg) stating it repaired the violation.
-
-Fix Description:
-
- Add a warning message upon repair operation
- ERR - oc_check_allowed_sv - Entry "<entry_dn>" -- attribute "memberOf" not allowed
- WARN - memberof-plugin - Entry <entry_dn> - schema violation caught - repair operation succeeded
-
-https://pagure.io/389-ds-base/issue/49523
-
-Reviewed by: Mark Reynolds
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
----
- dirsrvtests/tests/tickets/ticket49523_test.py | 154 ++++++++++++++++++++++++++
- ldap/servers/plugins/memberof/memberof.c | 8 +-
- 2 files changed, 161 insertions(+), 1 deletion(-)
- create mode 100644 dirsrvtests/tests/tickets/ticket49523_test.py
-
-diff --git a/dirsrvtests/tests/tickets/ticket49523_test.py b/dirsrvtests/tests/tickets/ticket49523_test.py
-new file mode 100644
-index 000000000..c3296ef07
---- /dev/null
-+++ b/dirsrvtests/tests/tickets/ticket49523_test.py
-@@ -0,0 +1,154 @@
-+import logging
-+import pytest
-+import os
-+import ldap
-+import time
-+import re
-+from lib389.plugins import MemberOfPlugin
-+from lib389._constants import *
-+from lib389.topologies import topology_st as topo
-+from lib389 import Entry
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+
-+USER_CN='user_'
-+GROUP_CN='group_'
-+def _user_get_dn(no):
-+ cn = '%s%d' % (USER_CN, no)
-+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX)
-+ return (cn, dn)
-+
-+def add_user(server, no, desc='dummy', sleep=True):
-+ (cn, dn) = _user_get_dn(no)
-+ log.fatal('Adding user (%s): ' % dn)
-+ server.add_s(Entry((dn, {'objectclass': ['top', 'person'],
-+ 'cn': [cn],
-+ 'description': [desc],
-+ 'sn': [cn],
-+ 'description': ['add on that host']})))
-+ if sleep:
-+ time.sleep(2)
-+
-+def add_group(server, nr, sleep=True):
-+ cn = '%s%d' % (GROUP_CN, nr)
-+ dn = 'cn=%s,ou=groups,%s' % (cn, SUFFIX)
-+ server.add_s(Entry((dn, {'objectclass': ['top', 'groupofnames'],
-+ 'description': 'group %d' % nr})))
-+ if sleep:
-+ time.sleep(2)
-+
-+def update_member(server, member_dn, group_dn, op, sleep=True):
-+ mod = [(op, 'member', member_dn)]
-+ server.modify_s(group_dn, mod)
-+ if sleep:
-+ time.sleep(2)
-+
-+def _find_memberof(server, member_dn, group_dn, find_result=True):
-+ ent = server.getEntry(member_dn, ldap.SCOPE_BASE, "(objectclass=*)", ['memberof'])
-+ found = False
-+ if ent.hasAttr('memberof'):
-+
-+ for val in ent.getValues('memberof'):
-+ server.log.info("!!!!!!! %s: memberof->%s" % (member_dn, val))
-+ server.log.info("!!!!!!! %s" % (val))
-+ server.log.info("!!!!!!! %s" % (group_dn))
-+ if val.lower() == group_dn.lower():
-+ found = True
-+ break
-+
-+ if find_result:
-+ assert (found)
-+ else:
-+ assert (not found)
-+
-+def pattern_accesslog(server, log_pattern):
-+ file_obj = open(server.accesslog, "r")
-+
-+ found = False
-+ # Use a while true iteration because 'for line in file: hit a
-+ while True:
-+ line = file_obj.readline()
-+ found = log_pattern.search(line)
-+ if ((line == '') or (found)):
-+ break
-+
-+ return found
-+
-+def pattern_errorlog(server, log_pattern):
-+ file_obj = open(server.errlog, "r")
-+
-+ found = None
-+ # Use a while true iteration because 'for line in file: hit a
-+ while True:
-+ line = file_obj.readline()
-+ found = log_pattern.search(line)
-+ server.log.fatal("%s --> %s" % (line, found))
-+ if ((line == '') or (found)):
-+ break
-+
-+ return found
-+
-+def test_ticket49523(topo):
-+ """Specify a test case purpose or name here
-+
-+ :id: e2af0aaa-447e-4e85-a5ce-57ae66260d0b
-+ :setup: Fill in set up configuration here
-+ :steps:
-+ 1. Fill in test case steps here
-+ 2. And indent them like this (RST format requirement)
-+ :expectedresults:
-+ 1. Fill in the result that is expected
-+ 2. For each test step
-+ """
-+
-+ # If you need any test suite initialization,
-+ # please, write additional fixture for that (including finalizer).
-+ # Topology for suites are predefined in lib389/topologies.py.
-+
-+ # If you need host, port or any other data about instance,
-+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid)
-+ inst = topo.standalone
-+ memberof = MemberOfPlugin(inst)
-+ memberof.enable()
-+ memberof.set_autoaddoc('nsMemberOf')
-+ inst.restart()
-+
-+ # Step 2
-+ for i in range(10):
-+ add_user(inst, i, desc='add user')
-+
-+ add_group(inst, 1)
-+
-+ group_parent_dn = 'ou=groups,%s' % (SUFFIX)
-+ group_rdn = 'cn=%s%d' % (GROUP_CN, 1)
-+ group_dn = '%s,%s' % (group_rdn, group_parent_dn)
-+ (member_cn, member_dn) = _user_get_dn(1)
-+ update_member(inst, member_dn, group_dn, ldap.MOD_ADD, sleep=False)
-+
-+ _find_memberof(inst, member_dn, group_dn, find_result=True)
-+
-+ pattern = ".*oc_check_allowed_sv - Entry.*cn=%s.* -- attribute.*not allowed.*" % member_cn
-+ log.fatal("pattern = %s" % pattern)
-+ regex = re.compile(pattern)
-+ assert pattern_errorlog(inst, regex)
-+
-+ regex = re.compile(".*schema violation caught - repair operation.*")
-+ assert pattern_errorlog(inst, regex)
-+
-+ if DEBUGGING:
-+ # Add debugging steps(if any)...
-+ pass
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-+
-diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
-index 44b52edbb..fcfa7817d 100644
---- a/ldap/servers/plugins/memberof/memberof.c
-+++ b/ldap/servers/plugins/memberof/memberof.c
-@@ -3236,8 +3236,14 @@ memberof_add_memberof_attr(LDAPMod **mods, const char *dn, char *add_oc)
- */
- break;
- }
-- if (memberof_add_objectclass(add_oc, dn)) {
-+ rc = memberof_add_objectclass(add_oc, dn);
-+ slapi_log_err(SLAPI_LOG_WARNING, MEMBEROF_PLUGIN_SUBSYSTEM,
-+ "Entry %s - schema violation caught - repair operation %s\n",
-+ dn ? dn : "unknown",
-+ rc ? "failed" : "succeeded");
-+ if (rc) {
- /* Failed to add objectclass */
-+ rc = LDAP_OBJECT_CLASS_VIOLATION;
- break;
- }
- added_oc = 1;
---
-2.13.6
-
diff --git a/SOURCES/0056-Ticket-49534-Fix-coverity-issues-and-regression.patch b/SOURCES/0056-Ticket-49534-Fix-coverity-issues-and-regression.patch
deleted file mode 100644
index a465a4d..0000000
--- a/SOURCES/0056-Ticket-49534-Fix-coverity-issues-and-regression.patch
+++ /dev/null
@@ -1,1495 +0,0 @@
-From 961a1d68274453a9a0e79acdd4a3d6e3da146722 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Tue, 16 Jan 2018 10:14:34 -0500
-Subject: [PATCH] Ticket 49534 - Fix coverity issues and regression
-
-Description: Fix regression introdcued in the previous coverity patch.
-
- Also fixed many other coverity issues.
-
-https://pagure.io/389-ds-base/issue/49534
-
-Reviewed by: wibrown, tbordaz, lkrispen(Thanks!)
-
-(cherry picked from commit 7658232cc427a5c46e94989eec9195f0392ee540)
----
- ldap/servers/plugins/acl/acl.c | 6 ++++
- ldap/servers/plugins/acl/acllas.c | 13 +++++--
- ldap/servers/plugins/automember/automember.c | 6 ++++
- ldap/servers/plugins/cos/cos_cache.c | 16 +++++++--
- ldap/servers/plugins/memberof/memberof_config.c | 8 ++---
- ldap/servers/plugins/replication/cl5_clcache.c | 9 +++--
- .../plugins/replication/repl5_replica_config.c | 3 --
- ldap/servers/plugins/rootdn_access/rootdn_access.c | 7 +++-
- ldap/servers/plugins/uiduniq/7bit.c | 18 +++++-----
- ldap/servers/plugins/views/views.c | 3 ++
- ldap/servers/slapd/auth.c | 3 +-
- ldap/servers/slapd/back-ldbm/dblayer.c | 5 ++-
- ldap/servers/slapd/back-ldbm/filterindex.c | 2 +-
- ldap/servers/slapd/back-ldbm/import-threads.c | 10 +++---
- ldap/servers/slapd/back-ldbm/index.c | 3 +-
- ldap/servers/slapd/back-ldbm/instance.c | 4 +++
- ldap/servers/slapd/back-ldbm/ldbm_add.c | 18 +++++++---
- .../slapd/back-ldbm/ldbm_attrcrypt_config.c | 7 ++--
- .../servers/slapd/back-ldbm/ldbm_instance_config.c | 2 +-
- ldap/servers/slapd/back-ldbm/ldbm_search.c | 4 +--
- ldap/servers/slapd/back-ldbm/vlv.c | 2 +-
- ldap/servers/slapd/back-ldbm/vlv_srch.c | 2 +-
- ldap/servers/slapd/backend.c | 2 +-
- ldap/servers/slapd/compare.c | 7 ++--
- ldap/servers/slapd/connection.c | 40 ++++++++++++----------
- ldap/servers/slapd/control.c | 6 ++++
- ldap/servers/slapd/dse.c | 5 +--
- ldap/servers/slapd/eventq.c | 2 +-
- ldap/servers/slapd/extendop.c | 10 +++---
- ldap/servers/slapd/filter.c | 12 ++++---
- ldap/servers/slapd/index_subsystem.c | 2 +-
- ldap/servers/slapd/main.c | 19 ++++++++--
- ldap/servers/slapd/mapping_tree.c | 2 +-
- ldap/servers/slapd/modify.c | 39 ++++++++++-----------
- ldap/servers/slapd/opshared.c | 7 ++++
- ldap/servers/slapd/passwd_extop.c | 4 +++
- ldap/servers/slapd/plugin.c | 8 +++--
- ldap/servers/slapd/plugin_internal_op.c | 1 +
- ldap/servers/slapd/psearch.c | 6 ++--
- ldap/servers/slapd/pw.c | 3 +-
- ldap/servers/slapd/pw_mgmt.c | 30 ++++++++++------
- ldap/servers/slapd/result.c | 2 +-
- ldap/servers/slapd/saslbind.c | 5 +++
- ldap/servers/slapd/task.c | 5 +--
- ldap/servers/slapd/util.c | 12 ++++---
- ldap/servers/slapd/valueset.c | 10 ++++--
- ldap/servers/slapd/vattr.c | 20 ++++++++---
- ldap/servers/snmp/main.c | 19 ++++++----
- 48 files changed, 276 insertions(+), 153 deletions(-)
-
-diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
-index f10c9f6b5..bc154c78f 100644
---- a/ldap/servers/plugins/acl/acl.c
-+++ b/ldap/servers/plugins/acl/acl.c
-@@ -437,6 +437,12 @@ acl_access_allowed(
- * pointers to them--we must always start afresh (see psearch.c).
- */
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
-+ if (op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, plugin_name,
-+ "acl_access_allowed - NULL op\n");
-+ ret_val = LDAP_OPERATIONS_ERROR;
-+ goto cleanup_and_ret;
-+ }
- if (operation_is_flag_set(op, OP_FLAG_PS) ||
- (aclpb->aclpb_curr_entry_sdn == NULL) ||
- (slapi_sdn_compare(aclpb->aclpb_curr_entry_sdn, e_sdn) != 0) ||
-diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
-index b9bea205c..3950fd405 100644
---- a/ldap/servers/plugins/acl/acllas.c
-+++ b/ldap/servers/plugins/acl/acllas.c
-@@ -4260,7 +4260,7 @@ acllas_replace_attr_macro(char *rule, lasInfo *lasinfo)
- /*
- * working_rule is the first member of working_list.
- * str points to the next $attr.attrName in working_rule.
-- * each member of working_list needs to have each occurence of
-+ * each member of working_list needs to have each occurrence of
- * $attr.atrName replaced with the value of attrName in e.
- * If attrName is multi valued then this generates another
- * list which replaces the old one.
-@@ -4273,8 +4273,7 @@ acllas_replace_attr_macro(char *rule, lasInfo *lasinfo)
- str = strstr(macro_str, ".");
- if (!str) {
- slapi_log_err(SLAPI_LOG_ERR, plugin_name,
-- "acllas_replace_attr_macro - Invalid macro \"%s\".",
-- macro_str);
-+ "acllas_replace_attr_macro - Invalid macro \"%s\".", macro_str);
- slapi_ch_free_string(¯o_str);
- charray_free(working_list);
- return NULL;
-@@ -4282,10 +4281,18 @@ acllas_replace_attr_macro(char *rule, lasInfo *lasinfo)
-
- str++; /* skip the . */
- l = acl_strstr(&str[0], ")");
-+ if (l == -1){
-+ slapi_log_err(SLAPI_LOG_ERR, plugin_name,
-+ "acllas_replace_attr_macro - Invalid macro str \"%s\".", str);
-+ slapi_ch_free_string(¯o_str);
-+ charray_free(working_list);
-+ return NULL;
-+ }
- macro_attr_name = slapi_ch_malloc(l + 1);
- strncpy(macro_attr_name, &str[0], l);
- macro_attr_name[l] = '\0';
-
-+
- slapi_entry_attr_find(e, macro_attr_name, &attr);
- if (NULL == attr) {
-
-diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
-index 4c008e1f2..cbd25915a 100644
---- a/ldap/servers/plugins/automember/automember.c
-+++ b/ldap/servers/plugins/automember/automember.c
-@@ -1047,6 +1047,7 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e)
- /* Order rules by target group DN */
- if (slapi_sdn_compare(rule->target_group_dn, curr_rule->target_group_dn) < 0) {
- PR_INSERT_BEFORE(&(rule->list), list);
-+ rule = NULL;
- break;
- }
-
-@@ -1055,9 +1056,11 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e)
- /* If we hit the end of the list, add to the tail. */
- if ((PRCList *)config->inclusive_rules == list) {
- PR_INSERT_BEFORE(&(rule->list), list);
-+ rule = NULL;
- break;
- }
- }
-+ automember_free_regex_rule(rule);
- } else {
- /* Add to head of list */
- PR_INSERT_LINK(&(rule->list), (PRCList *)config->inclusive_rules);
-@@ -1101,6 +1104,7 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e)
- /* Order rules by target group DN */
- if (slapi_sdn_compare(rule->target_group_dn, curr_rule->target_group_dn) < 0) {
- PR_INSERT_BEFORE(&(rule->list), list);
-+ rule = NULL;
- break;
- }
-
-@@ -1109,6 +1113,7 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e)
- /* If we hit the end of the list, add to the tail. */
- if ((PRCList *)config->exclusive_rules == list) {
- PR_INSERT_BEFORE(&(rule->list), list);
-+ rule = NULL;
- break;
- }
- }
-@@ -1116,6 +1121,7 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e)
- /* Add to head of list */
- PR_INSERT_LINK(&(rule->list), (PRCList *)config->exclusive_rules);
- }
-+ automember_free_regex_rule(rule);
- } else {
- slapi_log_err(SLAPI_LOG_ERR, AUTOMEMBER_PLUGIN_SUBSYSTEM,
- "automember_parse_regex_entry - Skipping invalid exclusive "
-diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
-index 3b3c05783..5e0cf1725 100644
---- a/ldap/servers/plugins/cos/cos_cache.c
-+++ b/ldap/servers/plugins/cos/cos_cache.c
-@@ -874,7 +874,7 @@ cos_dn_defs_cb(Slapi_Entry *e, void *callback_data)
-
- if (pCosAttribute && (!pCosTargetTree || !pCosTemplateDn)) {
- /* get the parent of the definition */
-- char *orig = slapi_dn_parent(pDn->val);
-+ char *orig = pDn ? slapi_dn_parent(pDn->val) : NULL;
- char *parent = NULL;
- if (orig) {
- parent = slapi_create_dn_string("%s", orig);
-@@ -900,7 +900,7 @@ cos_dn_defs_cb(Slapi_Entry *e, void *callback_data)
- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM,
- "cos_dn_defs_cb - "
- "Failed to get parent dn of cos definition %s.\n",
-- pDn->val);
-+ pDn ? pDn->val : "<NONE>");
- if (!pCosTemplateDn) {
- if (!pCosTargetTree) {
- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_dn_defs_cb - cosTargetTree and cosTemplateDn are not set.\n");
-@@ -1843,6 +1843,13 @@ cos_cache_add_tmpl(cosTemplates **pTemplates, cosAttrValue *dn, cosAttrValue *ob
-
- slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "--> cos_cache_add_tmpl\n");
-
-+ if (dn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM,
-+ "cos_cache_add_tmpl - param cosAttrValue dn is NULL\n");
-+ ret = -1;
-+ goto done;
-+ }
-+
- /* create the attribute */
- theTemp = (cosTemplates *)slapi_ch_malloc(sizeof(cosTemplates));
- if (theTemp) {
-@@ -1851,7 +1858,9 @@ cos_cache_add_tmpl(cosTemplates **pTemplates, cosAttrValue *dn, cosAttrValue *ob
- int index = 0;
- int template_default = 0;
- char *ptr = NULL;
-- char *normed = slapi_create_dn_string("%s", dn->val);
-+ char *normed = NULL;
-+
-+ normed = slapi_create_dn_string("%s", dn->val);
- if (normed) {
- slapi_ch_free_string(&dn->val);
- dn->val = normed;
-@@ -1964,6 +1973,7 @@ cos_cache_add_tmpl(cosTemplates **pTemplates, cosAttrValue *dn, cosAttrValue *ob
- ret = -1;
- }
-
-+done:
- slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "<-- cos_cache_add_tmpl\n");
- return ret;
- }
-diff --git a/ldap/servers/plugins/memberof/memberof_config.c b/ldap/servers/plugins/memberof/memberof_config.c
-index 3f22d95d6..8a27f5250 100644
---- a/ldap/servers/plugins/memberof/memberof_config.c
-+++ b/ldap/servers/plugins/memberof/memberof_config.c
-@@ -550,7 +550,7 @@ memberof_apply_config(Slapi_PBlock *pb __attribute__((unused)),
- }
-
- /* Build the new list */
-- for (i = 0; theConfig.groupattrs[i]; i++) {
-+ for (i = 0; theConfig.groupattrs && theConfig.groupattrs[i]; i++) {
- theConfig.group_slapiattrs[i] = slapi_attr_new();
- slapi_attr_init(theConfig.group_slapiattrs[i], theConfig.groupattrs[i]);
- }
-@@ -572,7 +572,7 @@ memberof_apply_config(Slapi_PBlock *pb __attribute__((unused)),
- bytes_out = snprintf(filter_str, filter_str_len - bytes_out, "(|");
-
- /* Add filter section for each groupattr. */
-- for (i = 0; theConfig.groupattrs[i]; i++) {
-+ for (i = 0; theConfig.groupattrs && theConfig.groupattrs[i]; i++) {
- bytes_out += snprintf(filter_str + bytes_out, filter_str_len - bytes_out, "(%s=*)", theConfig.groupattrs[i]);
- }
-
-@@ -721,7 +721,7 @@ memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src)
- }
-
- /* Count how many values we have in the source list. */
-- for (j = 0; src->group_slapiattrs[j]; j++) {
-+ for (j = 0; src->group_slapiattrs && src->group_slapiattrs[j]; j++) {
- /* Do nothing. */
- }
-
-@@ -731,7 +731,7 @@ memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src)
- }
-
- /* Copy the attributes. */
-- for (i = 0; src->group_slapiattrs[i]; i++) {
-+ for (i = 0; src->group_slapiattrs && src->group_slapiattrs[i]; i++) {
- dest->group_slapiattrs[i] = slapi_attr_dup(src->group_slapiattrs[i]);
- }
-
-diff --git a/ldap/servers/plugins/replication/cl5_clcache.c b/ldap/servers/plugins/replication/cl5_clcache.c
-index 40985b9a7..a8477a83a 100644
---- a/ldap/servers/plugins/replication/cl5_clcache.c
-+++ b/ldap/servers/plugins/replication/cl5_clcache.c
-@@ -676,7 +676,7 @@ clcache_initial_anchorcsn(CLC_Buffer *buf, int *flag)
- buf->buf_state = CLC_STATE_DONE;
- } else {
- csn_init_by_csn(buf->buf_current_csn, anchorcsn);
-- csn_as_string(buf->buf_current_csn, 0, (char *)buf->buf_key.data);
-+ buf->buf_key.data = csn_as_string(buf->buf_current_csn, 0, (char *)buf->buf_key.data);
- slapi_log_err(SLAPI_LOG_REPL, "clcache_initial_anchorcsn",
- "anchor is now: %s\n", (char *)buf->buf_key.data);
- }
-@@ -746,10 +746,9 @@ clcache_adjust_anchorcsn(CLC_Buffer *buf, int *flag)
- buf->buf_state = CLC_STATE_DONE;
- } else {
- csn_init_by_csn(buf->buf_current_csn, anchorcsn);
-- csn_as_string(buf->buf_current_csn, 0, (char *)buf->buf_key.data);
-- slapi_log_err(SLAPI_LOG_REPL, buf->buf_agmt_name, "clcache_adjust_anchorcsn - "
-- "anchor is now: %s\n",
-- (char *)buf->buf_key.data);
-+ buf->buf_key.data = csn_as_string(buf->buf_current_csn, 0, (char *)buf->buf_key.data);
-+ slapi_log_err(SLAPI_LOG_REPL, buf->buf_agmt_name,
-+ "clcache_adjust_anchorcsn - anchor is now: %s\n", (char *)buf->buf_key.data);
- }
-
- return buf->buf_state;
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index 95b933bb8..bda333362 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -2527,9 +2527,6 @@ add_cleaned_rid(cleanruv_data *cleanruv_data, char *maxcsn)
- Replica *r;
- char *forcing;
-
-- if (data == NULL) {
-- return;
-- }
- rid = cleanruv_data->rid;
- r = cleanruv_data->replica;
- forcing = cleanruv_data->force;
-diff --git a/ldap/servers/plugins/rootdn_access/rootdn_access.c b/ldap/servers/plugins/rootdn_access/rootdn_access.c
-index b4db1202a..1cb999792 100644
---- a/ldap/servers/plugins/rootdn_access/rootdn_access.c
-+++ b/ldap/servers/plugins/rootdn_access/rootdn_access.c
-@@ -459,7 +459,7 @@ rootdn_check_access(Slapi_PBlock *pb)
- PRNetAddr *client_addr = NULL;
- PRHostEnt *host_entry = NULL;
- time_t curr_time;
-- struct tm *timeinfo;
-+ struct tm *timeinfo = NULL;
- char *dnsName = NULL;
- int isRoot = 0;
- int rc = SLAPI_PLUGIN_SUCCESS;
-@@ -478,6 +478,11 @@ rootdn_check_access(Slapi_PBlock *pb)
- if (open_time || daysAllowed) {
- curr_time = slapi_current_utc_time();
- timeinfo = localtime(&curr_time);
-+ if (timeinfo == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM,
-+ "rootdn_check_access - Failed to get localtime\n");
-+ return -1;
-+ }
- }
- /*
- * First check TOD restrictions, continue through if we are in the open "window"
-diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c
-index b23e652cf..60fcbab93 100644
---- a/ldap/servers/plugins/uiduniq/7bit.c
-+++ b/ldap/servers/plugins/uiduniq/7bit.c
-@@ -715,18 +715,18 @@ preop_modrdn(Slapi_PBlock *pb)
- int
- NS7bitAttr_Init(Slapi_PBlock *pb)
- {
-- int err = 0;
-+ int32_t err = 0;
- Slapi_Entry *plugin_entry = NULL;
- char *plugin_type = NULL;
-- int preadd = SLAPI_PLUGIN_PRE_ADD_FN;
-- int premod = SLAPI_PLUGIN_PRE_MODIFY_FN;
-- int premdn = SLAPI_PLUGIN_PRE_MODRDN_FN;
-+ int32_t preadd = SLAPI_PLUGIN_PRE_ADD_FN;
-+ int32_t premod = SLAPI_PLUGIN_PRE_MODIFY_FN;
-+ int32_t premdn = SLAPI_PLUGIN_PRE_MODRDN_FN;
-
- BEGIN
-- int attr_count = 0;
-- int argc;
-- char **argv;
-- int valid_suffix = 0;
-+ int32_t attr_count = 0;
-+ int32_t argc = 0;
-+ char **argv = NULL;
-+ int32_t valid_suffix = 0;
-
- /* Declare plugin version */
- err = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION,
-@@ -752,7 +752,7 @@ NS7bitAttr_Init(Slapi_PBlock *pb)
- break;
-
- err = slapi_pblock_get(pb, SLAPI_PLUGIN_ARGV, &argv);
-- if (err)
-+ if (err || argv == NULL)
- break;
-
- for (attr_count = 0; argv && argv[attr_count]; attr_count++) {
-diff --git a/ldap/servers/plugins/views/views.c b/ldap/servers/plugins/views/views.c
-index 6ba3e290d..6f784f599 100644
---- a/ldap/servers/plugins/views/views.c
-+++ b/ldap/servers/plugins/views/views.c
-@@ -558,6 +558,9 @@ views_cache_index(void)
- /* copy over the views */
- for (i = 0; i < theCache.view_count; i++) {
- theCache.ppViewIndex[i] = theView;
-+ if (theView == NULL){
-+ break;
-+ }
- theView = theView->list.pNext;
- }
-
-diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c
-index b8e171b27..a2050b990 100644
---- a/ldap/servers/slapd/auth.c
-+++ b/ldap/servers/slapd/auth.c
-@@ -463,7 +463,8 @@ handle_handshake_done(PRFileDesc *prfd, void *clientData)
- slapi_log_access(LDAP_DEBUG_STATS,
- "conn=%" PRIu64 " %s %i-bit %s; client %s; issuer %s\n",
- conn->c_connid,
-- sslversion, keySize, cipher ? cipher : "NULL",
-+ sslversion, keySize,
-+ cipher ? cipher : "NULL",
- subject ? escape_string(subject, sbuf) : "NULL",
- issuer ? escape_string(issuer, ibuf) : "NULL");
- if (issuer)
-diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c
-index 9e557a24a..5d870e364 100644
---- a/ldap/servers/slapd/back-ldbm/dblayer.c
-+++ b/ldap/servers/slapd/back-ldbm/dblayer.c
-@@ -3007,7 +3007,7 @@ dblayer_erase_index_file_ex(backend *be, struct attrinfo *a, PRBool use_lock, in
- struct dblayer_private_env *pEnv = NULL;
- ldbm_instance *inst = NULL;
- dblayer_handle *handle = NULL;
-- char dbName[MAXPATHLEN];
-+ char dbName[MAXPATHLEN] = {0};
- char *dbNamep;
- char *p;
- int dbbasenamelen, dbnamelen;
-@@ -3098,8 +3098,7 @@ dblayer_erase_index_file_ex(backend *be, struct attrinfo *a, PRBool use_lock, in
- dbNamep = (char *)slapi_ch_realloc(dbNamep, dbnamelen);
- }
- p = dbNamep + dbbasenamelen;
-- sprintf(p, "%c%s%s",
-- get_sep(dbNamep), a->ai_type, LDBM_FILENAME_SUFFIX);
-+ sprintf(p, "%c%s%s", get_sep(dbNamep), a->ai_type, LDBM_FILENAME_SUFFIX);
- rc = dblayer_db_remove_ex(pEnv, dbNamep, 0, 0);
- a->ai_dblayer = NULL;
- if (dbNamep != dbName)
-diff --git a/ldap/servers/slapd/back-ldbm/filterindex.c b/ldap/servers/slapd/back-ldbm/filterindex.c
-index fd079077c..e8c3c2008 100644
---- a/ldap/servers/slapd/back-ldbm/filterindex.c
-+++ b/ldap/servers/slapd/back-ldbm/filterindex.c
-@@ -563,7 +563,7 @@ range_candidates(
-
- /* Check if it is for bulk import. */
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
-- if (entryrdn_get_switch() && operation_is_flag_set(op, OP_FLAG_INTERNAL) &&
-+ if (entryrdn_get_switch() && op && operation_is_flag_set(op, OP_FLAG_INTERNAL) &&
- operation_is_flag_set(op, OP_FLAG_BULK_IMPORT)) {
- /* parentid is treated specially that is needed for the bulk import. (See #48755) */
- operator= SLAPI_OP_RANGE_NO_IDL_SORT | SLAPI_OP_RANGE_NO_ALLIDS;
-diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
-index b8cd9aaa0..0419865c9 100644
---- a/ldap/servers/slapd/back-ldbm/import-threads.c
-+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
-@@ -1664,8 +1664,7 @@ upgradedn_producer(void *param)
- slapi_ch_free_string(&rdn);
- }
- } else {
-- e =
-- slapi_str2entry(data.data, SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT);
-+ e = slapi_str2entry(data.data, SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT);
- rdn = slapi_ch_strdup(slapi_entry_get_rdn_const(e));
- if (NULL == rdn) {
- Slapi_RDN srdn;
-@@ -1683,6 +1682,7 @@ upgradedn_producer(void *param)
- slapi_log_err(SLAPI_LOG_WARNING, "upgradedn_producer",
- "%s: Skipping badly formatted entry (id %lu)\n",
- inst->inst_name, (u_long)temp_id);
-+ slapi_ch_free_string(&rdn);
- continue;
- }
-
-@@ -2183,6 +2183,7 @@ done:
- free_IDarray(&dn_norm_sp_conflicts);
- slapi_ch_free_string(&ecopy);
- slapi_ch_free(&(data.data));
-+ slapi_ch_free_string(&rdn);
- if (job->upgradefd) {
- fclose(job->upgradefd);
- }
-@@ -3783,7 +3784,7 @@ out:
- slapi_ch_free_string(&search_scope);
-
-
-- if (fd > 0) {
-+ if (fd >= 0) {
- close(fd);
- }
-
-@@ -3949,8 +3950,7 @@ import_get_and_add_parent_rdns(ImportWorkerInfo *info,
- rc = slapi_rdn_add_srdn_to_all_rdns(srdn, &mysrdn);
- if (rc) {
- slapi_log_err(SLAPI_LOG_ERR, "import_get_and_add_parent_rdns",
-- "Failed to merge Slapi_RDN %s to RDN\n",
-- slapi_sdn_get_dn(bdn->dn_sdn));
-+ "Failed to merge Slapi_RDN to RDN\n");
- }
- bail:
- slapi_ch_free(&data.data);
-diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
-index 587f4d991..7e1cdd0db 100644
---- a/ldap/servers/slapd/back-ldbm/index.c
-+++ b/ldap/servers/slapd/back-ldbm/index.c
-@@ -749,7 +749,7 @@ index_add_mods(
- mods[i]->mod_type,
- &curr_attr);
- if (curr_attr) {
-- for (j = 0; mods_valueArray[j] != NULL; j++) {
-+ for (j = 0; mods_valueArray && mods_valueArray[j] != NULL; j++) {
- if (!slapi_valueset_find(curr_attr, all_vals, mods_valueArray[j])) {
- /*
- * If the mod del value is not found in all_vals
-@@ -1054,6 +1054,7 @@ index_read_ext_allids(
- for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) {
- *err = NEW_IDL_DEFAULT;
- PRIntervalTime interval;
-+ idl_free(&idl);
- idl = idl_fetch_ext(be, db, &key, db_txn, ai, err, allidslimit);
- if (*err == DB_LOCK_DEADLOCK) {
- ldbm_nasty("index_read_ext_allids", "index read retrying transaction", 1045, *err);
-diff --git a/ldap/servers/slapd/back-ldbm/instance.c b/ldap/servers/slapd/back-ldbm/instance.c
-index d4715ab9c..7f9f423a5 100644
---- a/ldap/servers/slapd/back-ldbm/instance.c
-+++ b/ldap/servers/slapd/back-ldbm/instance.c
-@@ -352,6 +352,10 @@ ldbm_instance_find_by_name(struct ldbminfo *li, char *name)
- Object *inst_obj;
- ldbm_instance *inst;
-
-+ if (name == NULL) {
-+ return NULL;
-+ }
-+
- inst_obj = objset_first_obj(li->li_instance_set);
- while (inst_obj != NULL) {
- inst = (ldbm_instance *)object_get_data(inst_obj);
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
-index f29945a7e..c93d44a65 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
-@@ -60,7 +60,7 @@ ldbm_back_add(Slapi_PBlock *pb)
- ID pid;
- int isroot;
- char *errbuf = NULL;
-- back_txn txn;
-+ back_txn txn = {0};
- back_txnid parent_txn;
- int retval = -1;
- char *msg;
-@@ -96,6 +96,7 @@ ldbm_back_add(Slapi_PBlock *pb)
- PRUint64 conn_id;
- int op_id;
- int result_sent = 0;
-+
- if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) {
- conn_id = 0; /* connection is NULL */
- }
-@@ -109,6 +110,11 @@ ldbm_back_add(Slapi_PBlock *pb)
- slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_replicated_operation);
- slapi_pblock_get(pb, SLAPI_BACKEND, &be);
-
-+ if (operation == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_add", "NULL operation\n");
-+ return LDAP_OPERATIONS_ERROR;
-+ }
-+
- is_resurect_operation = operation_is_flag_set(operation, OP_FLAG_RESURECT_ENTRY);
- is_tombstone_operation = operation_is_flag_set(operation, OP_FLAG_TOMBSTONE_ENTRY);
- is_fixup_operation = operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP);
-@@ -126,6 +132,11 @@ ldbm_back_add(Slapi_PBlock *pb)
- goto error_return;
- }
-
-+ if (e == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_add", "entry is NULL.\n");
-+ goto error_return;
-+ }
-+
- /* sdn & parentsdn need to be initialized before "goto *_return" */
- slapi_sdn_init(&parentsdn);
-
-@@ -169,9 +180,8 @@ ldbm_back_add(Slapi_PBlock *pb)
- * before we make our last abandon check to avoid race conditions in
- * the code that processes abandon operations.
- */
-- if (operation) {
-- operation->o_status = SLAPI_OP_STATUS_WILL_COMPLETE;
-- }
-+ operation->o_status = SLAPI_OP_STATUS_WILL_COMPLETE;
-+
- if (slapi_op_abandoned(pb)) {
- ldap_result_code = -1; /* needs to distinguish from "success" */
- goto error_return;
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c
-index e792c26cf..9ecb09903 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c
-@@ -124,8 +124,8 @@ ldbm_instance_attrcrypt_config_add_callback(Slapi_PBlock *pb __attribute__((unus
- {
- ldbm_instance *inst = (ldbm_instance *)arg;
- char *attribute_name = NULL;
-- int cipher = 0;
-- int ret = 0;
-+ int32_t cipher = 0;
-+ int32_t ret = SLAPI_DSE_CALLBACK_OK;
-
- returntext[0] = '\0';
-
-@@ -146,7 +146,6 @@ ldbm_instance_attrcrypt_config_add_callback(Slapi_PBlock *pb __attribute__((unus
- *returncode = LDAP_UNWILLING_TO_PERFORM;
- ret = SLAPI_DSE_CALLBACK_ERROR;
- } else {
--
- ainfo_get(inst->inst_be, attribute_name, &ai);
- /* If we couldn't find a non-default attrinfo, then that means
- * that no indexing or encryption has yet been defined for this attribute
-@@ -172,9 +171,7 @@ ldbm_instance_attrcrypt_config_add_callback(Slapi_PBlock *pb __attribute__((unus
- *returncode = LDAP_UNWILLING_TO_PERFORM;
- ret = SLAPI_DSE_CALLBACK_ERROR;
- }
-- ret = SLAPI_DSE_CALLBACK_OK;
- }
--
- } else {
- ret = SLAPI_DSE_CALLBACK_ERROR;
- }
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
-index c2e49d5ab..eb2603897 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
-@@ -1307,7 +1307,7 @@ ldbm_instance_delete_instance_entry_callback(Slapi_PBlock *pb __attribute__((unu
- char *returntext,
- void *arg)
- {
-- char *instance_name;
-+ char *instance_name = NULL;
- struct ldbminfo *li = (struct ldbminfo *)arg;
- struct ldbm_instance *inst = NULL;
-
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
-index 02a21bf92..8f3111813 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
-@@ -1157,7 +1157,7 @@ subtree_candidates(
- slapi_pblock_get(pb, SLAPI_REQUESTOR_ISROOT, &isroot);
- /* Check if it is for bulk import. */
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
-- if (entryrdn_get_switch() && operation_is_flag_set(op, OP_FLAG_INTERNAL) &&
-+ if (op && entryrdn_get_switch() && operation_is_flag_set(op, OP_FLAG_INTERNAL) &&
- operation_is_flag_set(op, OP_FLAG_BULK_IMPORT)) {
- is_bulk_import = PR_TRUE;
- }
-@@ -1168,7 +1168,7 @@ subtree_candidates(
- * since tombstone entries are not indexed in the ancestorid index.
- * Note: they are indexed in the entryrdn index.
- */
-- if (candidates != NULL && (idl_length(candidates) > FILTER_TEST_THRESHOLD)) {
-+ if (candidates != NULL && (idl_length(candidates) > FILTER_TEST_THRESHOLD) && e) {
- IDList *tmp = candidates, *descendants = NULL;
- back_txn txn = {NULL};
-
-diff --git a/ldap/servers/slapd/back-ldbm/vlv.c b/ldap/servers/slapd/back-ldbm/vlv.c
-index 9a1a1c63e..23825c2d5 100644
---- a/ldap/servers/slapd/back-ldbm/vlv.c
-+++ b/ldap/servers/slapd/back-ldbm/vlv.c
-@@ -1518,7 +1518,7 @@ vlv_trim_candidates_byvalue(backend *be, const IDList *candidates, const sort_sp
- {
- PRUint32 si = 0; /* The Selected Index */
- PRUint32 low = 0;
-- PRUint32 high = candidates->b_nids - 1;
-+ PRUint32 high = 0;
- PRUint32 current = 0;
- ID id = NOID;
- int found = 0;
-diff --git a/ldap/servers/slapd/back-ldbm/vlv_srch.c b/ldap/servers/slapd/back-ldbm/vlv_srch.c
-index e9780b590..c4c0875ad 100644
---- a/ldap/servers/slapd/back-ldbm/vlv_srch.c
-+++ b/ldap/servers/slapd/back-ldbm/vlv_srch.c
-@@ -168,7 +168,7 @@ vlvSearch_init(struct vlvSearch *p, Slapi_PBlock *pb, const Slapi_Entry *e, ldbm
-
- /* switch context back to the DSE backend */
- slapi_pblock_set(pb, SLAPI_BACKEND, oldbe);
-- slapi_pblock_set(pb, SLAPI_PLUGIN, oldbe->be_database);
-+ slapi_pblock_set(pb, SLAPI_PLUGIN, oldbe ? oldbe->be_database: NULL);
- }
-
- /* make (&(parentid=idofbase)(|(originalfilter)(objectclass=referral))) */
-diff --git a/ldap/servers/slapd/backend.c b/ldap/servers/slapd/backend.c
-index fb3eb77a3..78c00a5a8 100644
---- a/ldap/servers/slapd/backend.c
-+++ b/ldap/servers/slapd/backend.c
-@@ -171,7 +171,7 @@ slapi_be_issuffix(const Slapi_Backend *be, const Slapi_DN *suffix)
- struct suffixlist *list;
- int r = 0;
- /* this backend is no longer valid */
-- if (be->be_state != BE_STATE_DELETED) {
-+ if (be && be->be_state != BE_STATE_DELETED) {
- int i = 0, count;
-
- count = slapi_counter_get_value(be->be_suffixcounter);
-diff --git a/ldap/servers/slapd/compare.c b/ldap/servers/slapd/compare.c
-index 2626d91d0..88a6c3599 100644
---- a/ldap/servers/slapd/compare.c
-+++ b/ldap/servers/slapd/compare.c
-@@ -47,9 +47,11 @@ do_compare(Slapi_PBlock *pb)
-
- slapi_log_err(SLAPI_LOG_TRACE, "do_compare", "=>\n");
-
-+ /* have to init this here so we can "done" it below if we short circuit */
-+ slapi_sdn_init(&sdn);
-+
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
--
- if (pb_op == NULL || pb_conn == NULL) {
- slapi_log_err(SLAPI_LOG_ERR, "do_compare", "NULL param: pb_conn (0x%p) pb_op (0x%p)\n",
- pb_conn, pb_op);
-@@ -62,9 +64,6 @@ do_compare(Slapi_PBlock *pb)
- /* count the compare request */
- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsCompareOps);
-
-- /* have to init this here so we can "done" it below if we short circuit */
-- slapi_sdn_init(&sdn);
--
- /*
- * Parse the compare request. It looks like this:
- *
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index fa24ec040..5d2b64ed2 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1526,18 +1526,6 @@ connection_threadmain()
- [blackflag 624234] */
- ret = connection_wait_for_new_work(pb, interval);
-
-- /*
-- * Connection wait for new work provides the conn and op for us.
-- */
-- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-- if (pb_conn == NULL) {
-- slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain",
-- "pb_conn is NULL\n");
-- slapi_pblock_destroy(pb);
-- g_decr_active_threadcnt();
-- return;
-- }
--
- switch (ret) {
- case CONN_NOWORK:
- PR_ASSERT(interval != PR_INTERVAL_NO_TIMEOUT); /* this should never happen with PR_INTERVAL_NO_TIMEOUT */
-@@ -1550,15 +1538,22 @@ connection_threadmain()
- return;
- case CONN_FOUND_WORK_TO_DO:
- /* note - don't need to lock here - connection should only
-- be used by this thread - since c_gettingber is set to 1
-- in connection_activity when the conn is added to the
-- work queue, setup_pr_read_pds won't add the connection prfd
-- to the poll list */
-+ be used by this thread - since c_gettingber is set to 1
-+ in connection_activity when the conn is added to the
-+ work queue, setup_pr_read_pds won't add the connection prfd
-+ to the poll list */
-+ slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain", "pb_conn is NULL\n");
-+ slapi_pblock_destroy(pb);
-+ g_decr_active_threadcnt();
-+ return;
-+ }
- if (pb_conn->c_opscompleted == 0) {
- /*
-- * We have a new connection, set the anonymous reslimit idletimeout
-- * if applicable.
-- */
-+ * We have a new connection, set the anonymous reslimit idletimeout
-+ * if applicable.
-+ */
- char *anon_dn = config_get_anon_limits_dn();
- int idletimeout;
- /* If an anonymous limits dn is set, use it to set the limits. */
-@@ -1578,6 +1573,7 @@ connection_threadmain()
- slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain",
- "Could not add/remove IO layers from connection\n");
- }
-+ break;
- default:
- break;
- }
-@@ -1604,6 +1600,12 @@ connection_threadmain()
- /* Once we're here we have a pb */
- slapi_pblock_get(pb, SLAPI_CONNECTION, &conn);
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
-+ if (conn == NULL || op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain", "NULL param: conn (0x%p) op (0x%p)\n", conn, op);
-+ slapi_pblock_destroy(pb);
-+ g_decr_active_threadcnt();
-+ return;
-+ }
- maxthreads = config_get_maxthreadsperconn();
- more_data = 0;
- ret = connection_read_operation(conn, op, &tag, &more_data);
-diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c
-index 366ec7897..4fd8473be 100644
---- a/ldap/servers/slapd/control.c
-+++ b/ldap/servers/slapd/control.c
-@@ -304,6 +304,12 @@ get_ldapmessage_controls_ext(
-
- Operation *pb_op = NULL;
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-+ if (pb_op == NULL) {
-+ rc = LDAP_OPERATIONS_ERROR;
-+ slapi_log_err(SLAPI_LOG_ERR, "get_ldapmessage_controls_ext", "NULL pb_op\n");
-+ slapi_rwlock_unlock(supported_controls_lock);
-+ goto free_and_return;
-+ }
-
- if (supported_controls == NULL ||
- supported_controls[i] == NULL ||
-diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
-index 662e91aa7..932912c17 100644
---- a/ldap/servers/slapd/dse.c
-+++ b/ldap/servers/slapd/dse.c
-@@ -1727,8 +1727,9 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
- }
-
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-- internal_op = operation_is_flag_set(pb_op, OP_FLAG_INTERNAL);
--
-+ if (pb_op){
-+ internal_op = operation_is_flag_set(pb_op, OP_FLAG_INTERNAL);
-+ }
- /* Find the entry we are about to modify. */
- ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
- if (ec == NULL) {
-diff --git a/ldap/servers/slapd/eventq.c b/ldap/servers/slapd/eventq.c
-index 8fccf38a8..a491acd0a 100644
---- a/ldap/servers/slapd/eventq.c
-+++ b/ldap/servers/slapd/eventq.c
-@@ -462,7 +462,7 @@ slapi_eq_get_arg(Slapi_Eq_Context ctx)
- slapi_eq_context **p;
-
- PR_ASSERT(eq_initialized);
-- if (!eq_stopped) {
-+ if (eq && !eq_stopped) {
- PR_Lock(eq->eq_lock);
- p = &(eq->eq_queue);
- while (p && *p != NULL) {
-diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
-index 815949be6..98595bcaa 100644
---- a/ldap/servers/slapd/extendop.c
-+++ b/ldap/servers/slapd/extendop.c
-@@ -135,10 +135,12 @@ extop_handle_import_start(Slapi_PBlock *pb, char *extoid __attribute__((unused))
- * connection block & mark this connection as belonging to a bulk import
- */
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-- PR_EnterMonitor(pb_conn->c_mutex);
-- pb_conn->c_flags |= CONN_FLAG_IMPORT;
-- pb_conn->c_bi_backend = be;
-- PR_ExitMonitor(pb_conn->c_mutex);
-+ if (pb_conn) {
-+ PR_EnterMonitor(pb_conn->c_mutex);
-+ pb_conn->c_flags |= CONN_FLAG_IMPORT;
-+ pb_conn->c_bi_backend = be;
-+ PR_ExitMonitor(pb_conn->c_mutex);
-+ }
-
- slapi_pblock_set(pb, SLAPI_EXT_OP_RET_OID, EXTOP_BULK_IMPORT_START_OID);
- bv.bv_val = NULL;
-diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
-index ef975e679..2ac3d2cd8 100644
---- a/ldap/servers/slapd/filter.c
-+++ b/ldap/servers/slapd/filter.c
-@@ -686,11 +686,13 @@ slapi_filter_dup(Slapi_Filter *f)
- outl = &out->f_list;
- for (fl = f->f_list; fl != NULL; fl = fl->f_next) {
- (*outl) = slapi_filter_dup(fl);
-- (*outl)->f_next = 0;
-- if (lastout)
-- lastout->f_next = *outl;
-- lastout = *outl;
-- outl = &((*outl)->f_next);
-+ if (*outl){
-+ (*outl)->f_next = 0;
-+ if (lastout)
-+ lastout->f_next = *outl;
-+ lastout = *outl;
-+ outl = &((*outl)->f_next);
-+ }
- }
- break;
-
-diff --git a/ldap/servers/slapd/index_subsystem.c b/ldap/servers/slapd/index_subsystem.c
-index 47ca90047..97cb7b489 100644
---- a/ldap/servers/slapd/index_subsystem.c
-+++ b/ldap/servers/slapd/index_subsystem.c
-@@ -1179,7 +1179,7 @@ index_subsys_assign_decoder(Slapi_Filter *f)
- * have the same associated attributes configuration for now
- * though they may have different namespaces
- */
-- if (index_subsys_index_matches_index(f->assigned_decoder, index)) {
-+ if (index_subsys_index_matches_index(f->assigned_decoder, index) && last) {
- /* add to end */
- last->list.pNext = index_subsys_index_shallow_dup(index);
- last = last->list.pNext;
-diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
-index ddaceffea..e1493bb80 100644
---- a/ldap/servers/slapd/main.c
-+++ b/ldap/servers/slapd/main.c
-@@ -683,13 +683,26 @@ main(int argc, char **argv)
- {
- char *s = getenv("DEBUG_SLEEP");
- if ((s != NULL) && isdigit(*s)) {
-- int secs = atoi(s);
-- printf("slapd pid is %d\n", getpid());
-+ char *endp = NULL;
-+ int64_t secs;
-+ errno = 0;
-+
-+ secs = strtol(s, &endp, 10);
-+ if ( endp == s ||
-+ *endp != '\0' ||
-+ ((secs == LONG_MIN || secs == LONG_MAX) && errno == ERANGE) ||
-+ secs < 1 )
-+ {
-+ /* Invalid value, default to 30 seconds */
-+ secs = 30;
-+ } else if (secs > 3600) {
-+ secs = 3600;
-+ }
-+ printf("slapd pid is %d - sleeping for %ld\n", getpid(), secs);
- sleep(secs);
- }
- }
-
--
- /* used to set configfile to the default config file name here */
- if ((mcfg.myname = strrchr(argv[0], '/')) == NULL) {
- mcfg.myname = slapi_ch_strdup(argv[0]);
-diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
-index 8cc531834..472a2f6aa 100644
---- a/ldap/servers/slapd/mapping_tree.c
-+++ b/ldap/servers/slapd/mapping_tree.c
-@@ -2629,7 +2629,7 @@ mtn_get_be(mapping_tree_node *target_node, Slapi_PBlock *pb, Slapi_Backend **be,
- (target_node->mtn_be_states[*index] == SLAPI_BE_STATE_OFFLINE)) {
- slapi_log_err(SLAPI_LOG_TRACE, "mtn_get_be",
- "Operation attempted on backend in OFFLINE state : %s\n",
-- target_node->mtn_backend_names[*index]);
-+ target_node->mtn_backend_names ? target_node->mtn_backend_names[*index] : "Unknown backend");
- result = LDAP_OPERATIONS_ERROR;
- *be = defbackend_get_backend();
- }
-diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index 10d263159..f2f6d1783 100644
---- a/ldap/servers/slapd/modify.c
-+++ b/ldap/servers/slapd/modify.c
-@@ -123,7 +123,7 @@ do_modify(Slapi_PBlock *pb)
-
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-- if (operation == NULL) {
-+ if (operation == NULL || pb_conn == NULL) {
- send_ldap_result(pb, LDAP_OPERATIONS_ERROR,
- NULL, "operation is NULL parameter", 0, NULL);
- slapi_log_err(SLAPI_LOG_ERR, "do_modify",
-@@ -1156,6 +1156,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- char *proxydn = NULL;
- char *proxystr = NULL;
- char *errtext = NULL;
-+ int32_t needpw = 0;
-
- slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
- if (repl_op) {
-@@ -1169,24 +1170,23 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- slapi_pblock_get(pb, SLAPI_REQUESTOR_ISROOT, &isroot);
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
- slapi_pblock_get(pb, SLAPI_PWPOLICY, &pwresponse_req);
-- internal_op = operation_is_flag_set(operation, OP_FLAG_INTERNAL);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ slapi_sdn_init_dn_byref(&sdn, dn);
-
-- if (pb_conn == NULL || operation == NULL) {
-- slapi_log_err(SLAPI_LOG_ERR, "op_shared_allow_pw_change",
-- "NULL param error: conn (0x%p) op (0x%p)\n", pb_conn, operation);
-+ if (operation == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "op_shared_allow_pw_change", "NULL operation\n");
- rc = -1;
- goto done;
- }
--
-- slapi_sdn_init_dn_byref(&sdn, dn);
-- pwpolicy = new_passwdPolicy(pb, (char *)slapi_sdn_get_ndn(&sdn));
-+ if (pb_conn) {
-+ needpw = pb_conn->c_needpw;
-+ }
-
- /* get the proxy auth dn if the proxy auth control is present */
- if ((proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext)) != LDAP_SUCCESS) {
- if (operation_is_flag_set(operation, OP_FLAG_ACTION_LOG_ACCESS)) {
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"\n",
-- pb_conn->c_connid, operation->o_opid,
-+ pb_conn ? pb_conn->c_connid: -1, operation->o_opid,
- slapi_sdn_get_dn(&sdn));
- }
-
-@@ -1195,6 +1195,9 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- goto done;
- }
-
-+ pwpolicy = new_passwdPolicy(pb, (char *)slapi_sdn_get_ndn(&sdn));
-+ internal_op = operation_is_flag_set(operation, OP_FLAG_INTERNAL);
-+
- /* internal operation has root permissions for subtrees it is allowed to access */
- if (!internal_op) {
- /* slapi_acl_check_mods needs an array of LDAPMods, but
-@@ -1225,7 +1228,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn);
- }
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s\n",
-- pb_conn->c_connid, operation->o_opid,
-+ pb_conn ? pb_conn->c_connid : -1, operation->o_opid,
- slapi_sdn_get_dn(&sdn), proxystr ? proxystr : "");
- }
-
-@@ -1254,7 +1257,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
-
- /* Check if password policy allows users to change their passwords.*/
- if (!operation->o_isroot && slapi_sdn_compare(&sdn, &operation->o_sdn) == 0 &&
-- !pb_conn->c_needpw && !pwpolicy->pw_change) {
-+ !needpw && !pwpolicy->pw_change) {
- if (pwresponse_req == 1) {
- slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDMODNOTALLOWED);
- }
-@@ -1267,7 +1270,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- }
-
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s, %s\n",
-- pb_conn->c_connid, operation->o_opid,
-+ pb_conn ? pb_conn->c_connid : -1, operation->o_opid,
- slapi_sdn_get_dn(&sdn),
- proxystr ? proxystr : "",
- "user is not allowed to change password");
-@@ -1280,8 +1283,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
-
- /* check if password is within password minimum age;
- error result is sent directly from check_pw_minage */
-- if (pb_conn && !pb_conn->c_needpw &&
-- check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) {
-+ if (!needpw && check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) {
- if (operation_is_flag_set(operation, OP_FLAG_ACTION_LOG_ACCESS)) {
- if (proxydn) {
- proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn);
-@@ -1289,7 +1291,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
-
- if (!internal_op) {
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s, %s\n",
-- pb_conn->c_connid,
-+ pb_conn ? pb_conn->c_connid : -1,
- operation->o_opid,
- slapi_sdn_get_dn(&sdn),
- proxystr ? proxystr : "",
-@@ -1303,17 +1305,14 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- "within password minimum age");
- }
- }
--
- rc = -1;
- goto done;
- }
-
--
- /* check password syntax; remember the old password;
- error sent directly from check_pw_syntax function */
- valuearray_init_bervalarray(mod->mod_bvalues, &values);
-- switch (check_pw_syntax_ext(pb, &sdn, values, old_pw, NULL,
-- mod->mod_op, smods)) {
-+ switch (check_pw_syntax_ext(pb, &sdn, values, old_pw, NULL, mod->mod_op, smods)) {
- case 0: /* success */
- rc = 1;
- break;
-@@ -1326,7 +1325,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
-
- if (!internal_op) {
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s, %s\n",
-- pb_conn->c_connid,
-+ pb_conn ? pb_conn->c_connid : -1,
- operation->o_opid,
- slapi_sdn_get_dn(&sdn),
- proxystr ? proxystr : "",
-diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
-index 46dcf6fba..50b7ae8f6 100644
---- a/ldap/servers/slapd/opshared.c
-+++ b/ldap/servers/slapd/opshared.c
-@@ -276,6 +276,13 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
- slapi_pblock_get(pb, SLAPI_SEARCH_STRFILTER, &fstr);
- slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &attrs);
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
-+ if (operation == NULL) {
-+ op_shared_log_error_access(pb, "SRCH", base, "NULL operation");
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "NULL operation", 0, NULL);
-+ rc = -1;
-+ goto free_and_return_nolock;
-+ }
-+
- internal_op = operation_is_flag_set(operation, OP_FLAG_INTERNAL);
- flag_psearch = operation_is_flag_set(operation, OP_FLAG_PS);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
-index 40145af2e..5f21f2f71 100644
---- a/ldap/servers/slapd/passwd_extop.c
-+++ b/ldap/servers/slapd/passwd_extop.c
-@@ -727,6 +727,10 @@ parse_req_done:
- */
- Operation *pb_op = NULL;
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-+ if (pb_op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "passwd_modify_extop", "pb_op is NULL");
-+ goto free_and_return;
-+ }
-
- operation_set_target_spec(pb_op, slapi_entry_get_sdn(targetEntry));
- slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &pb_op->o_isroot);
-diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
-index e02133abc..2db3c7fcd 100644
---- a/ldap/servers/slapd/plugin.c
-+++ b/ldap/servers/slapd/plugin.c
-@@ -3625,9 +3625,11 @@ plugin_invoke_plugin_pb(struct slapdplugin *plugin, int operation, Slapi_PBlock
- return PR_TRUE;
-
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
--
--
-- PR_ASSERT(pb_op);
-+ if (pb_op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "plugin_invoke_plugin_pb", "pb_op is NULL");
-+ PR_ASSERT(0);
-+ return PR_FALSE;
-+ }
-
- target_spec = operation_get_target_spec(pb_op);
-
-diff --git a/ldap/servers/slapd/plugin_internal_op.c b/ldap/servers/slapd/plugin_internal_op.c
-index 52b8df8c3..f6bbafb92 100644
---- a/ldap/servers/slapd/plugin_internal_op.c
-+++ b/ldap/servers/slapd/plugin_internal_op.c
-@@ -527,6 +527,7 @@ internal_plugin_search_entry_callback(Slapi_Entry *e, void *callback_data)
- this_entry = (Entry_Node *)slapi_ch_calloc(1, sizeof(Entry_Node));
-
- if ((this_entry->data = slapi_entry_dup(e)) == NULL) {
-+ slapi_ch_free((void**)&this_entry);
- return (0);
- }
-
-diff --git a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c
-index 1bf062954..8ad268a85 100644
---- a/ldap/servers/slapd/psearch.c
-+++ b/ldap/servers/slapd/psearch.c
-@@ -353,8 +353,8 @@ ps_send_results(void *arg)
- if (rc) {
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
- "conn=%" PRIu64 " op=%d Error %d sending entry %s with op status %d\n",
-- pb_conn->c_connid, pb_op->o_opid,
-- rc, slapi_entry_get_dn_const(ec), pb_op->o_status);
-+ pb_conn->c_connid, pb_op ? pb_op->o_opid: -1,
-+ rc, slapi_entry_get_dn_const(ec), pb_op ? pb_op->o_status : -1);
- }
- }
-
-@@ -401,7 +401,7 @@ ps_send_results(void *arg)
-
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
- "conn=%" PRIu64 " op=%d Releasing the connection and operation\n",
-- conn->c_connid, pb_op->o_opid);
-+ conn->c_connid, pb_op ? pb_op->o_opid : -1);
- /* Delete this op from the connection's list */
- connection_remove_operation_ext(ps->ps_pblock, conn, pb_op);
-
-diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
-index 0cf795b41..53464c64a 100644
---- a/ldap/servers/slapd/pw.c
-+++ b/ldap/servers/slapd/pw.c
-@@ -1741,7 +1741,6 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- pwdpolicy->pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
- pwdpolicy->pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
- pwdpolicy->pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
-- pwdpolicy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
- pwdpolicy->pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
- pwdpolicy->pw_minage = SLAPD_DEFAULT_PW_MINAGE;
- pwdpolicy->pw_warning = SLAPD_DEFAULT_PW_WARNING;
-@@ -2229,7 +2228,7 @@ slapi_check_account_lock(Slapi_PBlock *pb, Slapi_Entry *bind_target_entry, int p
- /*
- * Check if the password policy has to be checked or not
- */
-- if (!check_password_policy || pwpolicy->pw_lockout == 0) {
-+ if (!check_password_policy || !pwpolicy || pwpolicy->pw_lockout == 0) {
- goto notlocked;
- }
-
-diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
-index 50bcbde99..602868470 100644
---- a/ldap/servers/slapd/pw_mgmt.c
-+++ b/ldap/servers/slapd/pw_mgmt.c
-@@ -44,6 +44,7 @@ need_new_pw(Slapi_PBlock *pb, Slapi_Entry *e, int pwresponse_req)
- char graceUserTime[16] = {0};
- Connection *pb_conn = NULL;
- long t;
-+ int needpw = 0;
-
- if (NULL == e) {
- return (-1);
-@@ -91,6 +92,9 @@ need_new_pw(Slapi_PBlock *pb, Slapi_Entry *e, int pwresponse_req)
- slapi_ch_free_string(&passwordExpirationTime);
-
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (pb_conn) {
-+ needpw = pb_conn->c_needpw;
-+ }
-
- /* Check if password has been reset */
- if (pw_exp_date == NO_TIME) {
-@@ -99,7 +103,11 @@ need_new_pw(Slapi_PBlock *pb, Slapi_Entry *e, int pwresponse_req)
- if (pwpolicy->pw_must_change) {
- /* set c_needpw for this connection to be true. this client
- now can only change its own password */
-- pb_conn->c_needpw = 1;
-+ if (pb_conn){
-+ pb_conn->c_needpw = needpw = 1;
-+ } else {
-+ needpw = 1;
-+ }
- t = 0;
- /* We need to include "changeafterreset" error in
- * passwordpolicy response control. So, we will not be
-@@ -121,7 +129,7 @@ skip:
- /* if password never expires, don't need to go on; return 0 */
- if (pwpolicy->pw_exp == 0) {
- /* check for "changeafterreset" condition */
-- if (pb_conn->c_needpw == 1) {
-+ if (needpw == 1) {
- if (pwresponse_req) {
- slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_CHGAFTERRESET);
- }
-@@ -150,7 +158,7 @@ skip:
- slapi_mods_done(&smods);
- if (pwresponse_req) {
- /* check for "changeafterreset" condition */
-- if (pb_conn->c_needpw == 1) {
-+ if (needpw == 1) {
- slapi_pwpolicy_make_response_control(pb, -1,
- ((pwpolicy->pw_gracelimit) - pwdGraceUserTime),
- LDAP_PWPOLICY_CHGAFTERRESET);
-@@ -182,9 +190,11 @@ skip:
- if (pb_conn && (LDAP_VERSION2 == pb_conn->c_ldapversion)) {
- Operation *pb_op = NULL;
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-- /* We close the connection only with LDAPv2 connections */
-- disconnect_server(pb_conn, pb_op->o_connid,
-- pb_op->o_opid, SLAPD_DISCONNECT_UNBIND, 0);
-+ if (pb_op) {
-+ /* We close the connection only with LDAPv2 connections */
-+ disconnect_server(pb_conn, pb_op->o_connid,
-+ pb_op->o_opid, SLAPD_DISCONNECT_UNBIND, 0);
-+ }
- }
- /* Apply current modifications */
- pw_apply_mods(sdn, &smods);
-@@ -207,7 +217,7 @@ skip:
- /* reset the expiration time to current + warning time
- * and set passwordExpWarned to true
- */
-- if (pb_conn->c_needpw != 1) {
-+ if (needpw != 1) {
- pw_exp_date = time_plus_sec(cur_time, pwpolicy->pw_warning);
- }
-
-@@ -227,14 +237,14 @@ skip:
- slapi_mods_done(&smods);
- if (pwresponse_req) {
- /* check for "changeafterreset" condition */
-- if (pb_conn->c_needpw == 1) {
-+ if (needpw == 1) {
- slapi_pwpolicy_make_response_control(pb, t, -1, LDAP_PWPOLICY_CHGAFTERRESET);
- } else {
- slapi_pwpolicy_make_response_control(pb, t, -1, -1);
- }
- }
-
-- if (pb_conn->c_needpw == 1) {
-+ if (needpw == 1) {
- slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
- } else {
- slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRING, t);
-@@ -250,7 +260,7 @@ skip:
- pw_apply_mods(sdn, &smods);
- slapi_mods_done(&smods);
- /* Leftover from "changeafterreset" condition */
-- if (pb_conn->c_needpw == 1) {
-+ if (needpw == 1) {
- slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
- }
- /* passes checking, return 0 */
-diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
-index ce394d948..6892ccfdc 100644
---- a/ldap/servers/slapd/result.c
-+++ b/ldap/servers/slapd/result.c
-@@ -1340,7 +1340,7 @@ send_specific_attrs(Slapi_Entry *e, char **attrs, Slapi_Operation *op, Slapi_PBl
- attrs = attrs_ext;
- }
-
-- for (i = 0; attrs && attrs[i] != NULL; i++) {
-+ for (i = 0; my_searchattrs && attrs && attrs[i] != NULL; i++) {
- char *current_type_name = attrs[i];
- Slapi_ValueSet **values = NULL;
- int attr_free_flags = 0;
-diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
-index 67da97148..0907c623f 100644
---- a/ldap/servers/slapd/saslbind.c
-+++ b/ldap/servers/slapd/saslbind.c
-@@ -884,6 +884,11 @@ ids_sasl_check_bind(Slapi_PBlock *pb)
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- PR_ASSERT(pb_conn);
-
-+ if (pb_conn == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "ids_sasl_check_bind", "pb_conn is NULL\n");
-+ return;
-+ }
-+
- PR_EnterMonitor(pb_conn->c_mutex); /* BIG LOCK */
- continuing = pb_conn->c_flags & CONN_FLAG_SASL_CONTINUE;
- pb_conn->c_flags &= ~CONN_FLAG_SASL_CONTINUE; /* reset flag */
-diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
-index 002083c04..4bd8895ff 100644
---- a/ldap/servers/slapd/task.c
-+++ b/ldap/servers/slapd/task.c
-@@ -2335,8 +2335,9 @@ task_fixup_tombstone_thread(void *arg)
- Slapi_Task *task = task_data->task;
- char **base = task_data->base;
- char *filter = NULL;
-- int fixup_count = 0;
-- int rc, i, j;
-+ int32_t fixup_count = 0;
-+ int32_t rc = 0;
-+ int32_t i, j;
-
- if (!task) {
- return; /* no task */
-diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
-index a0f3268da..a72de9b07 100644
---- a/ldap/servers/slapd/util.c
-+++ b/ldap/servers/slapd/util.c
-@@ -746,8 +746,9 @@ normalize_mods2bvals(const LDAPMod **mods)
- struct berval **mbvp = NULL;
-
- for (mbvp = mods[w]->mod_bvalues,
-- normmbvp = normalized_mods[w]->mod_bvalues;
-- mbvp && *mbvp; mbvp++, normmbvp++) {
-+ normmbvp = normalized_mods[w]->mod_bvalues;
-+ normmbvp && mbvp && *mbvp; mbvp++, normmbvp++)
-+ {
- if (is_dn_syntax) {
- Slapi_DN *sdn = slapi_sdn_new_dn_byref((*mbvp)->bv_val);
- if (slapi_sdn_get_dn(sdn)) {
-@@ -769,8 +770,9 @@ normalize_mods2bvals(const LDAPMod **mods)
- char **mvp = NULL;
-
- for (mvp = mods[w]->mod_values,
-- normmbvp = normalized_mods[w]->mod_bvalues;
-- mvp && *mvp; mvp++, normmbvp++) {
-+ normmbvp = normalized_mods[w]->mod_bvalues;
-+ normmbvp && mvp && *mvp; mvp++, normmbvp++)
-+ {
- vlen = strlen(*mvp);
-
- *normmbvp =
-@@ -801,7 +803,7 @@ normalize_mods2bvals(const LDAPMod **mods)
- PR_ASSERT(normmbvp - normalized_mods[w]->mod_bvalues <= num_values);
-
- /* don't forget to null terminate it */
-- if (num_values > 0) {
-+ if (num_values > 0 && normmbvp) {
- *normmbvp = NULL;
- }
- }
-diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
-index 14ebc48e6..2af3ee18d 100644
---- a/ldap/servers/slapd/valueset.c
-+++ b/ldap/servers/slapd/valueset.c
-@@ -121,7 +121,9 @@ valuearray_add_valuearray_fast(Slapi_Value ***vals,
- j++;
- }
- }
-- (*vals)[nvals + j] = NULL;
-+ if (*vals) {
-+ (*vals)[nvals + j] = NULL;
-+ }
- }
-
- void
-@@ -1138,7 +1140,7 @@ slapi_valueset_add_attr_valuearray_ext(const Slapi_Attr *a, Slapi_ValueSet *vs,
- }
-
- for (size_t i = 0; i < naddvals; i++) {
-- if (addvals[i] != NULL) {
-+ if (addvals[i] != NULL && vs->va) {
- if (passin) {
- /* We consume the values */
- (vs->va)[vs->num] = addvals[i];
-@@ -1166,7 +1168,9 @@ slapi_valueset_add_attr_valuearray_ext(const Slapi_Attr *a, Slapi_ValueSet *vs,
- }
- }
- }
-- (vs->va)[vs->num] = NULL;
-+ if (vs->va){
-+ (vs->va)[vs->num] = NULL;
-+ }
-
- PR_ASSERT((vs->sorted == NULL) || (vs->num < VALUESET_ARRAY_SORT_THRESHOLD) || ((vs->num >= VALUESET_ARRAY_SORT_THRESHOLD) && (vs->sorted[0] < vs->num)));
- return (rc);
-diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c
-index 13e527188..f7c473ab1 100644
---- a/ldap/servers/slapd/vattr.c
-+++ b/ldap/servers/slapd/vattr.c
-@@ -316,13 +316,19 @@ vattr_context_check(vattr_context *c)
- static void
- vattr_context_mark(vattr_context *c)
- {
-- c->vattr_context_loop_count += 1;
-+ if (c) {
-+ c->vattr_context_loop_count += 1;
-+ }
- }
-
- static int
- vattr_context_unmark(vattr_context *c)
- {
-- return (c->vattr_context_loop_count -= 1);
-+ if (c) {
-+ return (c->vattr_context_loop_count -= 1);
-+ } else {
-+ return 0;
-+ }
- }
-
- /* modify the context structure on exit from a vattr sp function */
-@@ -385,13 +391,19 @@ vattr_context_grok(vattr_context **c)
- static void
- vattr_context_set_loop_msg_displayed(vattr_context **c)
- {
-- (*c)->error_displayed = 1;
-+ if (c && *c){
-+ (*c)->error_displayed = 1;
-+ }
- }
-
- static int
- vattr_context_is_loop_msg_displayed(vattr_context **c)
- {
-- return (*c)->error_displayed;
-+ if (c && *c){
-+ return (*c)->error_displayed;
-+ } else {
-+ return 0;
-+ }
- }
-
- /*
-diff --git a/ldap/servers/snmp/main.c b/ldap/servers/snmp/main.c
-index 5bd318df4..95cc26148 100644
---- a/ldap/servers/snmp/main.c
-+++ b/ldap/servers/snmp/main.c
-@@ -21,6 +21,7 @@
- #include "ldap.h"
- #include "ldif.h"
- #include <ctype.h>
-+#include <limits.h>
- #include <errno.h>
-
- static char *agentx_master = NULL;
-@@ -56,16 +57,22 @@ main(int argc, char *argv[])
- char *s = getenv("DEBUG_SLEEP");
- if ((s != NULL) && isdigit(*s)) {
- char *endp = NULL;
-- long secs;
-+ int64_t secs;
- errno = 0;
-
-- printf("%s pid is %d\n", argv[0], getpid());
- secs = strtol(s, &endp, 10);
-- if (*endp != '\0' || errno == ERANGE) {
-- sleep(10);
-- } else {
-- sleep(secs);
-+ if ( endp == s ||
-+ *endp != '\0' ||
-+ ((secs == LONG_MIN || secs == LONG_MAX) && errno == ERANGE) ||
-+ secs < 1 )
-+ {
-+ /* Invalid value, default to 30 seconds */
-+ secs = 30;
-+ } else if (secs > 3600) {
-+ secs = 3600;
- }
-+ printf("%s pid is %d - sleeping for %ld\n", argv[0], getpid(), secs);
-+ sleep(secs);
- }
- }
-
---
-2.13.6
-
diff --git a/SOURCES/0057-Ticket-49370-Add-all-the-password-policy-defaults-to.patch b/SOURCES/0057-Ticket-49370-Add-all-the-password-policy-defaults-to.patch
deleted file mode 100644
index 239c6cb..0000000
--- a/SOURCES/0057-Ticket-49370-Add-all-the-password-policy-defaults-to.patch
+++ /dev/null
@@ -1,288 +0,0 @@
-From 86efa0314c59550f0660c8d143a52a57b1dffb96 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 18 Jan 2018 09:56:17 -0500
-Subject: [PATCH] Ticket 49370 - Add all the password policy defaults to a new
- local policy
-
-Bug Description: When processing a local password policy we were not pulling
- in the defaults for the "on/off" settings. This patch
- addresses that.
-
-Fix Description: Create common default init functions for all password policies
-
-https://pagure.io/389-ds-base/issue/49370
-
-Reviewed by: tbordaz, wibrown, and spichugi (Thanks!!!)
-
-(cherry picked from commit c8b388bf9f5269e1e1dc8c7c70ec8e58e825204a)
----
- .../tests/suites/password/regression_test.py | 58 +++++++++++++--
- ldap/servers/slapd/libglobs.c | 84 ++++++++++++++--------
- ldap/servers/slapd/pw.c | 29 ++------
- ldap/servers/slapd/slap.h | 2 +
- 4 files changed, 113 insertions(+), 60 deletions(-)
-
-diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
-index f6ee16773..800294057 100644
---- a/dirsrvtests/tests/suites/password/regression_test.py
-+++ b/dirsrvtests/tests/suites/password/regression_test.py
-@@ -6,9 +6,10 @@
- # --- END COPYRIGHT BLOCK ---
- #
- import pytest
--from lib389._constants import SUFFIX, PASSWORD
-+import time
-+from lib389._constants import SUFFIX, PASSWORD, DN_DM
- from lib389.idm.user import UserAccounts
--from lib389.utils import ldap, os, logging
-+from lib389.utils import ldap, os, logging, ensure_bytes
- from lib389.topologies import topology_st as topo
-
- DEBUGGING = os.getenv("DEBUGGING", default=False)
-@@ -20,6 +21,7 @@ log = logging.getLogger(__name__)
-
- user_data = {'cn': 'CNpwtest1', 'sn': 'SNpwtest1', 'uid': 'UIDpwtest1', 'mail': 'MAILpwtest1@redhat.com',
- 'givenname': 'GNpwtest1'}
-+
- TEST_PASSWORDS = list(user_data.values())
- # Add substring/token values of "CNpwtest1"
- TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
-@@ -37,13 +39,20 @@ def passw_policy(topo, request):
- """Configure password policy with PasswordCheckSyntax attribute set to on"""
-
- log.info('Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to on')
-+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
- topo.standalone.config.set('PasswordExp', 'on')
- topo.standalone.config.set('PasswordCheckSyntax', 'off')
- topo.standalone.config.set('nsslapd-pwpolicy-local', 'on')
-
- subtree = 'ou=people,{}'.format(SUFFIX)
- log.info('Configure subtree password policy for {}'.format(subtree))
-- topo.standalone.subtreePwdPolicy(subtree, {'passwordchange': 'on', 'passwordCheckSyntax': 'on'})
-+ topo.standalone.subtreePwdPolicy(subtree, {'passwordchange': ensure_bytes('on'),
-+ 'passwordCheckSyntax': ensure_bytes('on'),
-+ 'passwordLockout': ensure_bytes('on'),
-+ 'passwordResetFailureCount': ensure_bytes('3'),
-+ 'passwordLockoutDuration': ensure_bytes('3'),
-+ 'passwordMaxFailure': ensure_bytes('2')})
-+ time.sleep(1)
-
- def fin():
- log.info('Reset pwpolicy configuration settings')
-@@ -76,6 +85,47 @@ def test_user(topo, request):
- return tuser
-
-
-+def test_pwp_local_unlock(topo, passw_policy, test_user):
-+ """Test subtree policies use the same global default for passwordUnlock
-+
-+ :id: 741a8417-5f65-4012-b9ed-87987ce3ca1b
-+ :setup: Standalone instance
-+ :steps:
-+ 1. Test user can bind
-+ 2. Bind with bad passwords to lockout account, and verify account is locked
-+ 3. Wait for lockout interval, and bind with valid password
-+ :expectedresults:
-+ 1. Bind successful
-+ 2. Entry is locked
-+ 3. Entry can bind with correct password
-+ """
-+
-+ log.info("Verify user can bind...")
-+ test_user.bind(PASSWORD)
-+
-+ log.info('Test passwordUnlock default - user should be able to reset password after lockout')
-+ for i in range(0,2):
-+ try:
-+ test_user.bind("bad-password")
-+ except ldap.INVALID_CREDENTIALS:
-+ # expected
-+ pass
-+ except ldap.LDAPError as e:
-+ log.fatal("Got unexpected failure: " + atr(e))
-+ raise e
-+
-+
-+ log.info('Verify account is locked')
-+ with pytest.raises(ldap.CONSTRAINT_VIOLATION):
-+ test_user.bind(PASSWORD)
-+
-+ log.info('Wait for lockout duration...')
-+ time.sleep(4)
-+
-+ log.info('Check if user can now bind with correct password')
-+ test_user.bind(PASSWORD)
-+
-+
- @pytest.mark.bz1465600
- @pytest.mark.parametrize("user_pasw", TEST_PASSWORDS)
- def test_trivial_passw_check(topo, passw_policy, test_user, user_pasw):
-@@ -143,4 +193,4 @@ if __name__ == '__main__':
- # Run isolated
- # -s for DEBUG mode
- CURRENT_FILE = os.path.realpath(__file__)
-- pytest.main("-s {}".format(CURRENT_FILE))
-+ pytest.main(["-s", CURRENT_FILE])
-diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
-index 1ba30002f..c1a765aca 100644
---- a/ldap/servers/slapd/libglobs.c
-+++ b/ldap/servers/slapd/libglobs.c
-@@ -1401,6 +1401,56 @@ getFrontendConfig(void)
- */
-
- void
-+pwpolicy_init_defaults (passwdPolicy *pw_policy)
-+{
-+ pw_policy->pw_change = LDAP_ON;
-+ pw_policy->pw_must_change = LDAP_OFF;
-+ pw_policy->pw_syntax = LDAP_OFF;
-+ pw_policy->pw_exp = LDAP_OFF;
-+ pw_policy->pw_send_expiring = LDAP_OFF;
-+ pw_policy->pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
-+ pw_policy->pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
-+ pw_policy->pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
-+ pw_policy->pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
-+ pw_policy->pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
-+ pw_policy->pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
-+ pw_policy->pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
-+ pw_policy->pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
-+ pw_policy->pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
-+ pw_policy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
-+ pw_policy->pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
-+ pw_policy->pw_minage = SLAPD_DEFAULT_PW_MINAGE;
-+ pw_policy->pw_warning = SLAPD_DEFAULT_PW_WARNING;
-+ pw_policy->pw_history = LDAP_OFF;
-+ pw_policy->pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
-+ pw_policy->pw_lockout = LDAP_OFF;
-+ pw_policy->pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
-+ pw_policy->pw_unlock = LDAP_ON;
-+ pw_policy->pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
-+ pw_policy->pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
-+ pw_policy->pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
-+ pw_policy->pw_admin = NULL;
-+ pw_policy->pw_admin_user = NULL;
-+ pw_policy->pw_is_legacy = LDAP_ON;
-+ pw_policy->pw_track_update_time = LDAP_OFF;
-+}
-+
-+static void
-+pwpolicy_fe_init_onoff(passwdPolicy *pw_policy)
-+{
-+ init_pw_change = pw_policy->pw_change;
-+ init_pw_must_change = pw_policy->pw_must_change;
-+ init_pw_syntax = pw_policy->pw_syntax;
-+ init_pw_exp = pw_policy->pw_exp;
-+ init_pw_send_expiring = pw_policy->pw_send_expiring;
-+ init_pw_history = pw_policy->pw_history;
-+ init_pw_lockout = pw_policy->pw_lockout;
-+ init_pw_unlock = pw_policy->pw_unlock;
-+ init_pw_is_legacy = pw_policy->pw_is_legacy;
-+ init_pw_track_update_time = pw_policy->pw_track_update_time;
-+}
-+
-+void
- FrontendConfig_init(void)
- {
- slapdFrontendConfig_t *cfg = getFrontendConfig();
-@@ -1511,41 +1561,13 @@ FrontendConfig_init(void)
- * let clients abide by the LDAP standards and send us a SASL/EXTERNAL bind
- * if that's what they want to do */
- init_force_sasl_external = cfg->force_sasl_external = LDAP_OFF;
--
- init_readonly = cfg->readonly = LDAP_OFF;
-+
-+ pwpolicy_init_defaults(&cfg->pw_policy);
-+ pwpolicy_fe_init_onoff(&cfg->pw_policy);
- init_pwpolicy_local = cfg->pwpolicy_local = LDAP_OFF;
- init_pwpolicy_inherit_global = cfg->pwpolicy_inherit_global = LDAP_OFF;
-- init_pw_change = cfg->pw_policy.pw_change = LDAP_ON;
-- init_pw_must_change = cfg->pw_policy.pw_must_change = LDAP_OFF;
- init_allow_hashed_pw = cfg->allow_hashed_pw = LDAP_OFF;
-- init_pw_syntax = cfg->pw_policy.pw_syntax = LDAP_OFF;
-- init_pw_exp = cfg->pw_policy.pw_exp = LDAP_OFF;
-- init_pw_send_expiring = cfg->pw_policy.pw_send_expiring = LDAP_OFF;
-- cfg->pw_policy.pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
-- cfg->pw_policy.pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
-- cfg->pw_policy.pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
-- cfg->pw_policy.pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
-- cfg->pw_policy.pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
-- cfg->pw_policy.pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
-- cfg->pw_policy.pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
-- cfg->pw_policy.pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
-- cfg->pw_policy.pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
-- cfg->pw_policy.pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
-- cfg->pw_policy.pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
-- cfg->pw_policy.pw_minage = SLAPD_DEFAULT_PW_MINAGE;
-- cfg->pw_policy.pw_warning = SLAPD_DEFAULT_PW_WARNING;
-- init_pw_history = cfg->pw_policy.pw_history = LDAP_OFF;
-- cfg->pw_policy.pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
-- init_pw_lockout = cfg->pw_policy.pw_lockout = LDAP_OFF;
-- cfg->pw_policy.pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
-- init_pw_unlock = cfg->pw_policy.pw_unlock = LDAP_ON;
-- cfg->pw_policy.pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
-- cfg->pw_policy.pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
-- cfg->pw_policy.pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
-- cfg->pw_policy.pw_admin = NULL;
-- cfg->pw_policy.pw_admin_user = NULL;
-- init_pw_is_legacy = cfg->pw_policy.pw_is_legacy = LDAP_ON;
-- init_pw_track_update_time = cfg->pw_policy.pw_track_update_time = LDAP_OFF;
- init_pw_is_global_policy = cfg->pw_is_global_policy = LDAP_OFF;
-
- init_accesslog_logging_enabled = cfg->accesslog_logging_enabled = LDAP_ON;
-diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
-index 53464c64a..3a545e12e 100644
---- a/ldap/servers/slapd/pw.c
-+++ b/ldap/servers/slapd/pw.c
-@@ -1730,32 +1730,11 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- goto done;
- }
-
-- /* Set the default values */
-- pwdpolicy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
-- pwdpolicy->pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
-- pwdpolicy->pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
-- pwdpolicy->pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
-- pwdpolicy->pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
-- pwdpolicy->pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
-- pwdpolicy->pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
-- pwdpolicy->pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
-- pwdpolicy->pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
-- pwdpolicy->pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
-- pwdpolicy->pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
-- pwdpolicy->pw_minage = SLAPD_DEFAULT_PW_MINAGE;
-- pwdpolicy->pw_warning = SLAPD_DEFAULT_PW_WARNING;
-- pwdpolicy->pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
-- pwdpolicy->pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
-- pwdpolicy->pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
-- pwdpolicy->pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
-- pwdpolicy->pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
--
-- /* set the default passwordLegacyPolicy setting */
-- pwdpolicy->pw_is_legacy = 1;
--
-- /* set passwordTrackUpdateTime */
-- pwdpolicy->pw_track_update_time = slapdFrontendConfig->pw_policy.pw_track_update_time;
-+ /* Set the default values (from libglobs.c) */
-+ pwpolicy_init_defaults(pwdpolicy);
-+ pwdpolicy->pw_storagescheme = slapdFrontendConfig->pw_storagescheme;
-
-+ /* Set the defined values now */
- for (slapi_entry_first_attr(pw_entry, &attr); attr;
- slapi_entry_next_attr(pw_entry, attr, &attr)) {
- slapi_attr_get_type(attr, &attr_name);
-diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
-index 08754d8fb..f6fc374a4 100644
---- a/ldap/servers/slapd/slap.h
-+++ b/ldap/servers/slapd/slap.h
-@@ -1773,6 +1773,8 @@ typedef struct passwordpolicyarray
- Slapi_DN **pw_admin_user;
- } passwdPolicy;
-
-+void pwpolicy_init_defaults (passwdPolicy *pw_policy);
-+
- Slapi_PBlock *slapi_pblock_clone(Slapi_PBlock *pb); /* deprecated */
-
- passwdPolicy *slapi_pblock_get_pwdpolicy(Slapi_PBlock *pb);
---
-2.13.6
-
diff --git a/SOURCES/0058-Ticket-49541-repl-config-should-not-allow-rid-65535-.patch b/SOURCES/0058-Ticket-49541-repl-config-should-not-allow-rid-65535-.patch
deleted file mode 100644
index 63a6136..0000000
--- a/SOURCES/0058-Ticket-49541-repl-config-should-not-allow-rid-65535-.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 38ca528af83f1874a79ad6744215bd4af1404414 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 18 Jan 2018 13:17:08 -0500
-Subject: [PATCH] Ticket 49541 - repl config should not allow rid 65535 for
- masters
-
-Description: Reject adding a replica config entry with a rid of 65535 or higher,
- and prevent setting master's rid to 65535 or higher.
-
-https://pagure.io/389-ds-base/issue/49541
-
-Reviewed by: mreynolds(one line commit rule)
-
-(cherry picked from commit ebb00a4180693225cf3c2f4aced54dc33141fa77)
----
- dirsrvtests/tests/suites/replication/replica_config_test.py | 9 +++++----
- ldap/servers/plugins/replication/repl5_replica.c | 2 +-
- 2 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/dirsrvtests/tests/suites/replication/replica_config_test.py b/dirsrvtests/tests/suites/replication/replica_config_test.py
-index 50ea2ece9..143a12479 100644
---- a/dirsrvtests/tests/suites/replication/replica_config_test.py
-+++ b/dirsrvtests/tests/suites/replication/replica_config_test.py
-@@ -24,7 +24,7 @@ replica_dict = {'objectclass': 'top nsDS5Replica'.split(),
- 'nsDS5ReplicaRoot': 'dc=example,dc=com',
- 'nsDS5ReplicaType': '3',
- 'nsDS5Flags': '1',
-- 'nsDS5ReplicaId': '65535',
-+ 'nsDS5ReplicaId': '65534',
- 'nsds5ReplicaPurgeDelay': '604800',
- 'nsDS5ReplicaBindDN': 'cn=u',
- 'cn': 'replica'}
-@@ -42,7 +42,7 @@ agmt_dict = {'objectClass': 'top nsDS5ReplicationAgreement'.split(),
-
- repl_add_attrs = [('nsDS5ReplicaType', '-1', '4', overflow, notnum, '1'),
- ('nsDS5Flags', '-1', '2', overflow, notnum, '1'),
-- ('nsDS5ReplicaId', '0', '65536', overflow, notnum, '1'),
-+ ('nsDS5ReplicaId', '0', '65535', overflow, notnum, '1'),
- ('nsds5ReplicaPurgeDelay', '-2', too_big, overflow, notnum, '1'),
- ('nsDS5ReplicaBindDnGroupCheckInterval', '-2', too_big, overflow, notnum, '1'),
- ('nsds5ReplicaTombstonePurgeInterval', '-2', too_big, overflow, notnum, '1'),
-@@ -60,7 +60,8 @@ repl_mod_attrs = [('nsDS5Flags', '-1', '2', overflow, notnum, '1'),
- ('nsds5ReplicaBackoffMin', '0', too_big, overflow, notnum, '3'),
- ('nsds5ReplicaBackoffMax', '0', too_big, overflow, notnum, '6')]
-
--agmt_attrs = [('nsds5ReplicaPort', '0', '65536', overflow, notnum, '389'),
-+agmt_attrs = [
-+ ('nsds5ReplicaPort', '0', '65535', overflow, notnum, '389'),
- ('nsds5ReplicaTimeout', '-1', too_big, overflow, notnum, '6'),
- ('nsds5ReplicaBusyWaitTime', '-1', too_big, overflow, notnum, '6'),
- ('nsds5ReplicaSessionPauseTime', '-1', too_big, overflow, notnum, '6'),
-@@ -393,5 +394,5 @@ if __name__ == '__main__':
- # Run isolated
- # -s for DEBUG mode
- CURRENT_FILE = os.path.realpath(__file__)
-- pytest.main("-s %s" % CURRENT_FILE)
-+ pytest.main(["-s", CURRENT_FILE])
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index e75807a62..bdb8a5167 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -1988,7 +1988,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
- r->repl_type == REPLICA_TYPE_PRIMARY) {
- if ((val = slapi_entry_attr_get_charptr(e, attr_replicaId))) {
- int64_t rid;
-- if (repl_config_valid_num(attr_replicaId, val, 1, 65535, &rc, errormsg, &rid) != 0) {
-+ if (repl_config_valid_num(attr_replicaId, val, 1, 65534, &rc, errormsg, &rid) != 0) {
- slapi_ch_free_string(&val);
- return -1;
- }
---
-2.13.6
-
diff --git a/SOURCES/0059-CVE-2017-15134-crash-in-slapi_filter_sprintf.patch b/SOURCES/0059-CVE-2017-15134-crash-in-slapi_filter_sprintf.patch
deleted file mode 100644
index 8d43a80..0000000
--- a/SOURCES/0059-CVE-2017-15134-crash-in-slapi_filter_sprintf.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From cb008bcace2510f157ccec2df4e5ff254513b7c4 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Mon, 15 Jan 2018 10:24:41 +0100
-Subject: [PATCH] CVE 2017-15134 - crash in slapi_filter_sprintf
-
-Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
----
- ldap/servers/slapd/util.c | 36 +++++++++++++++++++++++++++++++-----
- 1 file changed, 31 insertions(+), 5 deletions(-)
-
-diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
-index a72de9b07..ddb2cc899 100644
---- a/ldap/servers/slapd/util.c
-+++ b/ldap/servers/slapd/util.c
-@@ -238,9 +238,10 @@ escape_string_for_filename(const char *str, char buf[BUFSIZ])
- struct filter_ctx
- {
- char *buf;
-- char attr[ATTRSIZE];
-+ char *attr;
- int attr_position;
- int attr_found;
-+ size_t attr_size;
- int buf_size;
- int buf_len;
- int next_arg_needs_esc_norm;
-@@ -279,7 +280,7 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
- * Start collecting the attribute name so we can use the correct
- * syntax normalization func.
- */
-- if (ctx->attr_found == 0 && ctx->attr_position < (ATTRSIZE - 1)) {
-+ if (ctx->attr_found == 0 && ctx->attr_position < (ctx->attr_size - 1)) {
- if (ctx->attr[0] == '\0') {
- if (strstr(val, "=")) {
- /* we have an attr we need to record */
-@@ -293,6 +294,14 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
- * attr with val. The next pass should be '=', otherwise we will
- * reset it.
- */
-+ if (slen > ctx->attr_size) {
-+ if (ctx->attr_size == ATTRSIZE) {
-+ ctx->attr = slapi_ch_calloc(sizeof(char), slen+1);
-+ } else {
-+ ctx->attr = slapi_ch_realloc(ctx->attr, sizeof(char) * (slen+1));
-+ }
-+ ctx->attr_size = slen+1;
-+ }
- memcpy(ctx->attr, val, slen);
- ctx->attr_position = slen;
- }
-@@ -302,9 +311,20 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
- } else {
- if (special_attr_char(val[0])) {
- /* this is not an attribute, we should not be collecting this, reset everything */
-- memset(ctx->attr, '\0', ATTRSIZE);
-+ memset(ctx->attr, '\0', ctx->attr_size);
- ctx->attr_position = 0;
- } else {
-+ /* we can be adding char by char and overrun allocated size */
-+ if (ctx->attr_position >= ctx->attr_size) {
-+ if (ctx->attr_size == ATTRSIZE) {
-+ char *ctxattr = slapi_ch_calloc(sizeof(char), ctx->attr_size + ATTRSIZE);
-+ memcpy(ctxattr, ctx->attr, ctx->attr_size);
-+ ctx->attr = ctxattr;
-+ } else {
-+ ctx->attr = slapi_ch_realloc(ctx->attr, sizeof(char) * (ctx->attr_size + ATTRSIZE));
-+ }
-+ ctx->attr_size = ctx->attr_size + ATTRSIZE;
-+ }
- memcpy(ctx->attr + ctx->attr_position, val, 1);
- ctx->attr_position++;
- }
-@@ -377,7 +397,7 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
- ctx->next_arg_needs_esc_norm = 0;
- ctx->attr_found = 0;
- ctx->attr_position = 0;
-- memset(ctx->attr, '\0', ATTRSIZE);
-+ memset(ctx->attr, '\0', ctx->attr_size);
- slapi_ch_free_string(&buf);
-
- return filter_len;
-@@ -416,12 +436,14 @@ slapi_filter_sprintf(const char *fmt, ...)
- {
- struct filter_ctx ctx = {0};
- va_list args;
-+ char attr_static[ATTRSIZE] = {0};
- char *buf;
- int rc;
-
- buf = slapi_ch_calloc(sizeof(char), FILTER_BUF + 1);
- ctx.buf = buf;
-- memset(ctx.attr, '\0', ATTRSIZE);
-+ ctx.attr = attr_static;
-+ ctx.attr_size = ATTRSIZE;
- ctx.attr_position = 0;
- ctx.attr_found = 0;
- ctx.buf_len = FILTER_BUF;
-@@ -438,6 +460,10 @@ slapi_filter_sprintf(const char *fmt, ...)
- }
- va_end(args);
-
-+ if (ctx.attr_size > ATTRSIZE) {
-+ slapi_ch_free_string(&ctx.attr);
-+ }
-+
- return ctx.buf;
- }
-
---
-2.13.6
-
diff --git a/SOURCES/0060-Ticket-49534-Fix-coverity-regression.patch b/SOURCES/0060-Ticket-49534-Fix-coverity-regression.patch
deleted file mode 100644
index b5adec3..0000000
--- a/SOURCES/0060-Ticket-49534-Fix-coverity-regression.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 3c605035eff49e603c8e4a4c0886499913924529 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Wed, 24 Jan 2018 14:24:08 -0500
-Subject: [PATCH] Ticket 49534 - Fix coverity regression
-
-Description: In automembers plugin a free was in the wrong spot
- which later led to a double free for the "rule".
-
-https://pagure.io/389-ds-base/issue/49534
-
-Reviewed by: mreynolds (one line commit rule)
-
-(cherry picked from commit b3768e602fdfc2ea1fc645b17ad61c8592ab87fa)
----
- ldap/servers/plugins/automember/automember.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
-index cbd25915a..c91aa4e8e 100644
---- a/ldap/servers/plugins/automember/automember.c
-+++ b/ldap/servers/plugins/automember/automember.c
-@@ -1117,11 +1117,11 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e)
- break;
- }
- }
-+ automember_free_regex_rule(rule);
- } else {
- /* Add to head of list */
- PR_INSERT_LINK(&(rule->list), (PRCList *)config->exclusive_rules);
- }
-- automember_free_regex_rule(rule);
- } else {
- slapi_log_err(SLAPI_LOG_ERR, AUTOMEMBER_PLUGIN_SUBSYSTEM,
- "automember_parse_regex_entry - Skipping invalid exclusive "
---
-2.13.6
-
diff --git a/SOURCES/0061-Ticket-49541-Replica-ID-config-validation-fix.patch b/SOURCES/0061-Ticket-49541-Replica-ID-config-validation-fix.patch
deleted file mode 100644
index 5520757..0000000
--- a/SOURCES/0061-Ticket-49541-Replica-ID-config-validation-fix.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From d39be97021f273548957a9f26ca35d5faab20318 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Mon, 29 Jan 2018 21:13:16 -0500
-Subject: [PATCH] Ticket 49541 - Replica ID config validation fix
-
-Description: Is is possible to set the replica ID to 65535 with a modify
- operation, which is reserved for hubs/consumers.
-
-https://pagure.io/389-ds-base/issue/49541
-
-Reviewed by: mreynolds (one line commit rule)
----
- ldap/servers/plugins/replication/repl5_replica_config.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index bda333362..ea430d9a4 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -421,7 +421,7 @@ replica_config_modify(Slapi_PBlock *pb,
- }
- } else if (strcasecmp(config_attr, attr_replicaId) == 0) {
- int64_t rid = 0;
-- if (repl_config_valid_num(config_attr, config_attr_value, 1, 65535, returncode, errortext, &rid) == 0) {
-+ if (repl_config_valid_num(config_attr, config_attr_value, 1, 65534, returncode, errortext, &rid) == 0) {
- slapi_ch_free_string(&new_repl_id);
- new_repl_id = slapi_ch_strdup(config_attr_value);
- } else {
---
-2.13.6
-
diff --git a/SOURCES/0062-Ticket-49370-Crash-when-using-a-global-and-local-pw.patch b/SOURCES/0062-Ticket-49370-Crash-when-using-a-global-and-local-pw.patch
deleted file mode 100644
index 19077f9..0000000
--- a/SOURCES/0062-Ticket-49370-Crash-when-using-a-global-and-local-pw.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 3bdd7b5cccd2993c5ae5b9d893be15c71373aaf8 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Mon, 29 Jan 2018 11:53:33 -0500
-Subject: [PATCH] Ticket 49370 - Crash when using a global and local pw
- policies
-
-Description: This a regression from the previous patch. We were
- accidently using a reference to the global pw policy
- password storage scheme, which was getting freed after
- pblock was done from an operation. The next operation
- then used(and double freed) this memory on the next
- operation.
-
-https://pagure.io/389-ds-base/issue/49370
-
-Reviewed by: tbordaz (Thanks!)
-
-(cherry picked from commit d86e0f9634e694feb378ee335d29b2e89fd27e2c)
----
- ldap/servers/slapd/pw.c | 32 +++++++++++++++++---------------
- 1 file changed, 17 insertions(+), 15 deletions(-)
-
-diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
-index 3a545e12e..451be364d 100644
---- a/ldap/servers/slapd/pw.c
-+++ b/ldap/servers/slapd/pw.c
-@@ -209,7 +209,7 @@ pw_name2scheme(char *name)
- struct pw_scheme *pwsp;
- struct slapdplugin *p;
-
-- if ((p = plugin_get_pwd_storage_scheme(name, strlen(name), PLUGIN_LIST_PWD_STORAGE_SCHEME)) != NULL) {
-+ if (name != NULL && (p = plugin_get_pwd_storage_scheme(name, strlen(name), PLUGIN_LIST_PWD_STORAGE_SCHEME)) != NULL) {
- pwsp = (struct pw_scheme *)slapi_ch_malloc(sizeof(struct pw_scheme));
- if (pwsp != NULL) {
- typedef int (*CMPFP)(char *, char *);
-@@ -1612,18 +1612,18 @@ pw_get_admin_users(passwdPolicy *pwp)
- passwdPolicy *
- new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- {
-+ slapdFrontendConfig_t *slapdFrontendConfig = NULL;
- Slapi_ValueSet *values = NULL;
-+ Slapi_Value **sval = NULL;
- Slapi_Entry *e = NULL, *pw_entry = NULL;
-- int type_name_disposition = 0;
-+ passwdPolicy *pwdpolicy = NULL;
-+ Slapi_Attr *attr = NULL;
-+ char *pwscheme_name = NULL;
-+ char *attr_name = NULL;
- char *actual_type_name = NULL;
-+ int type_name_disposition = 0;
- int attr_free_flags = 0;
- int rc = 0;
-- passwdPolicy *pwdpolicy = NULL;
-- struct pw_scheme *pwdscheme = NULL;
-- Slapi_Attr *attr;
-- char *attr_name;
-- Slapi_Value **sval;
-- slapdFrontendConfig_t *slapdFrontendConfig;
- int optype = -1;
-
- /* If we already allocated a pw policy, return it */
-@@ -1717,9 +1717,7 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- pw_entry = get_entry(pb, bvp->bv_val);
- }
- }
--
- slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
--
- slapi_entry_free(e);
-
- if (pw_entry == NULL) {
-@@ -1732,7 +1730,11 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
-
- /* Set the default values (from libglobs.c) */
- pwpolicy_init_defaults(pwdpolicy);
-- pwdpolicy->pw_storagescheme = slapdFrontendConfig->pw_storagescheme;
-+
-+ /* Set the current storage scheme */
-+ pwscheme_name = config_get_pw_storagescheme();
-+ pwdpolicy->pw_storagescheme = pw_name2scheme(pwscheme_name);
-+ slapi_ch_free_string(&pwscheme_name);
-
- /* Set the defined values now */
- for (slapi_entry_first_attr(pw_entry, &attr); attr;
-@@ -1865,6 +1867,7 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- }
- } else if (!strcasecmp(attr_name, "passwordstoragescheme")) {
- if ((sval = attr_get_present_values(attr))) {
-+ free_pw_scheme(pwdpolicy->pw_storagescheme);
- pwdpolicy->pw_storagescheme =
- pw_name2scheme((char *)slapi_value_get_string(*sval));
- }
-@@ -1924,10 +1927,9 @@ done:
- * structure from slapdFrontendconfig
- */
- *pwdpolicy = slapdFrontendConfig->pw_policy;
-- pwdscheme = (struct pw_scheme *)slapi_ch_calloc(1, sizeof(struct pw_scheme));
-- *pwdscheme = *slapdFrontendConfig->pw_storagescheme;
-- pwdscheme->pws_name = strdup(slapdFrontendConfig->pw_storagescheme->pws_name);
-- pwdpolicy->pw_storagescheme = pwdscheme;
-+ pwscheme_name = config_get_pw_storagescheme();
-+ pwdpolicy->pw_storagescheme = pw_name2scheme(pwscheme_name);
-+ slapi_ch_free_string(&pwscheme_name);
- pwdpolicy->pw_admin = slapi_sdn_dup(slapdFrontendConfig->pw_policy.pw_admin);
- pw_get_admin_users(pwdpolicy);
- if (pb) {
---
-2.13.6
-
diff --git a/SOURCES/0063-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch b/SOURCES/0063-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch
deleted file mode 100644
index b79ed65..0000000
--- a/SOURCES/0063-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch
+++ /dev/null
@@ -1,320 +0,0 @@
-From 656b141630c5f37a953a75ff05d3a1a30b14eef1 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 1 Feb 2018 14:28:24 -0500
-Subject: [PATCH] Ticket 49557 - Add config option for checking CRL on outbound
- SSL Connections
-
-Bug Description: There are cases where a CRL is not available during an outbound
- replication connection. This is seen as an error by openldap,
- and the connection fails.
-
-Fix Description: Add on/off option for checking the CRL. The default is not to
- check the CRL.
-
-https://pagure.io/389-ds-base/issue/49557
-
-Reviewed by: wibrown, Ludwig Krispenz, Thierry Bordaz
----
- dirsrvtests/tests/suites/{ssl => tls}/__init__.py | 0
- dirsrvtests/tests/suites/tls/tls_check_crl_test.py | 52 +++++++++++++++++
- ldap/schema/01core389.ldif | 1 +
- ldap/servers/slapd/ldaputil.c | 9 ++-
- ldap/servers/slapd/libglobs.c | 66 +++++++++++++++++++++-
- ldap/servers/slapd/proto-slap.h | 2 +
- ldap/servers/slapd/slap.h | 10 +++-
- 7 files changed, 135 insertions(+), 5 deletions(-)
- rename dirsrvtests/tests/suites/{ssl => tls}/__init__.py (100%)
- create mode 100644 dirsrvtests/tests/suites/tls/tls_check_crl_test.py
-
-diff --git a/dirsrvtests/tests/suites/ssl/__init__.py b/dirsrvtests/tests/suites/tls/__init__.py
-similarity index 100%
-rename from dirsrvtests/tests/suites/ssl/__init__.py
-rename to dirsrvtests/tests/suites/tls/__init__.py
-diff --git a/dirsrvtests/tests/suites/tls/tls_check_crl_test.py b/dirsrvtests/tests/suites/tls/tls_check_crl_test.py
-new file mode 100644
-index 000000000..8b4d07f94
---- /dev/null
-+++ b/dirsrvtests/tests/suites/tls/tls_check_crl_test.py
-@@ -0,0 +1,52 @@
-+# --- BEGIN COPYRIGHT BLOCK ---
-+# Copyright (C) 2018 Red Hat, Inc.
-+# All rights reserved.
-+#
-+# License: GPL (version 3 or any later version).
-+# See LICENSE for details.
-+# --- END COPYRIGHT BLOCK ---
-+#
-+
-+
-+import pytest
-+import ldap
-+from lib389.topologies import topology_st
-+
-+def test_tls_check_crl(topology_st):
-+ """Test that TLS check_crl configurations work as expected.
-+
-+ :id:
-+ :steps:
-+ 1. Enable TLS
-+ 2. Set invalid value
-+ 3. Set valid values
-+ 4. Check config reset
-+ :expectedresults:
-+ 1. TlS is setup
-+ 2. The invalid value is rejected
-+ 3. The valid values are used
-+ 4. The value can be reset
-+ """
-+ standalone = topology_st.standalone
-+ # Enable TLS
-+ standalone.enable_tls()
-+ # Check all the valid values.
-+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
-+ with pytest.raises(ldap.OPERATIONS_ERROR):
-+ standalone.config.set('nsslapd-tls-check-crl', 'tnhoeutnoeutn')
-+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
-+
-+ standalone.config.set('nsslapd-tls-check-crl', 'peer')
-+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'peer')
-+
-+ standalone.config.set('nsslapd-tls-check-crl', 'none')
-+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
-+
-+ standalone.config.set('nsslapd-tls-check-crl', 'all')
-+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'all')
-+
-+ standalone.config.remove_all('nsslapd-tls-check-crl')
-+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none')
-+
-+
-+
-diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
-index ab124c86c..c7f9fef2b 100644
---- a/ldap/schema/01core389.ldif
-+++ b/ldap/schema/01core389.ldif
-@@ -304,6 +304,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netsc
- attributeTypes: ( 2.16.840.1.113730.3.1.2333 NAME 'nsds5ReplicaReleaseTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
- attributeTypes: ( 2.16.840.1.113730.3.1.2335 NAME 'nsds5ReplicaIgnoreMissingChange' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
- attributeTypes: ( 2.16.840.1.113730.3.1.2336 NAME 'nsDS5ReplicaBindDnGroupCheckInterval' DESC 'Replication configuration setting for controlling the bind dn group check interval' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-+attributeTypes: ( 2.16.840.1.113730.3.1.2344 NAME 'nsslapd-tls-check-crl' DESC 'Check CRL when opening outbound TLS connections. Valid options are none, peer, all.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
- #
- # objectclasses
- #
-diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
-index fa9d276a3..2fc2f0615 100644
---- a/ldap/servers/slapd/ldaputil.c
-+++ b/ldap/servers/slapd/ldaputil.c
-@@ -570,6 +570,7 @@ slapi_ldif_parse_line(
- }
-
- #if defined(USE_OPENLDAP)
-+
- static int
- setup_ol_tls_conn(LDAP *ld, int clientauth)
- {
-@@ -602,7 +603,13 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
- }
- }
- if (slapi_client_uses_openssl(ld)) {
-- const int crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
-+ int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
-+ tls_check_crl_t tls_check_state = config_get_tls_check_crl();
-+ if (tls_check_state == TLS_CHECK_PEER) {
-+ crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
-+ } else if (tls_check_state == TLS_CHECK_ALL) {
-+ crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
-+ }
- /* Sets the CRL evaluation strategy. */
- rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
- if (rc) {
-diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
-index c1a765aca..eb6552af1 100644
---- a/ldap/servers/slapd/libglobs.c
-+++ b/ldap/servers/slapd/libglobs.c
-@@ -157,7 +157,8 @@ typedef enum {
- CONFIG_STRING_OR_EMPTY, /* use an empty string */
- CONFIG_SPECIAL_ANON_ACCESS_SWITCH, /* maps strings to an enumeration */
- CONFIG_SPECIAL_VALIDATE_CERT_SWITCH, /* maps strings to an enumeration */
-- CONFIG_SPECIAL_UNHASHED_PW_SWITCH /* unhashed pw: on/off/nolog */
-+ CONFIG_SPECIAL_UNHASHED_PW_SWITCH, /* unhashed pw: on/off/nolog */
-+ CONFIG_SPECIAL_TLS_CHECK_CRL, /* maps enum tls_check_crl_t to char * */
- } ConfigVarType;
-
- static int32_t config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char *errorbuf, int apply);
-@@ -1173,7 +1174,15 @@ static struct config_get_and_set
- {CONFIG_LOGGING_BACKEND, NULL,
- log_set_backend, 0,
- (void **)&global_slapdFrontendConfig.logging_backend,
-- CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL}};
-+ CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL},
-+ {CONFIG_TLS_CHECK_CRL_ATTRIBUTE, config_set_tls_check_crl,
-+ NULL, 0,
-+ (void **)&global_slapdFrontendConfig.tls_check_crl,
-+ CONFIG_SPECIAL_TLS_CHECK_CRL, (ConfigGetFunc)config_get_tls_check_crl,
-+ "none" /* Allow reset to this value */}
-+
-+ /* End config */
-+ };
-
- /*
- * hashNocaseString - used for case insensitive hash lookups
-@@ -1506,7 +1515,6 @@ FrontendConfig_init(void)
- cfg->maxdescriptors = SLAPD_DEFAULT_MAXDESCRIPTORS;
- cfg->groupevalnestlevel = SLAPD_DEFAULT_GROUPEVALNESTLEVEL;
- cfg->snmp_index = SLAPD_DEFAULT_SNMP_INDEX;
--
- cfg->SSLclientAuth = SLAPD_DEFAULT_SSLCLIENTAUTH;
-
- #ifdef USE_SYSCONF
-@@ -1524,6 +1532,7 @@ FrontendConfig_init(void)
- #endif
- init_security = cfg->security = LDAP_OFF;
- init_ssl_check_hostname = cfg->ssl_check_hostname = LDAP_ON;
-+ cfg->tls_check_crl = TLS_CHECK_NONE;
- init_return_exact_case = cfg->return_exact_case = LDAP_ON;
- init_result_tweak = cfg->result_tweak = LDAP_OFF;
- init_attrname_exceptions = cfg->attrname_exceptions = LDAP_OFF;
-@@ -2042,6 +2051,7 @@ config_set_port(const char *attrname, char *port, char *errorbuf, int apply)
- return retVal;
- }
-
-+
- int
- config_set_secureport(const char *attrname, char *port, char *errorbuf, int apply)
- {
-@@ -2073,6 +2083,33 @@ config_set_secureport(const char *attrname, char *port, char *errorbuf, int appl
- }
-
-
-+int32_t
-+config_set_tls_check_crl(const char *attrname, char *value, char *errorbuf, int apply)
-+{
-+ int32_t retVal = LDAP_SUCCESS;
-+ /* Default */
-+ tls_check_crl_t state = TLS_CHECK_NONE;
-+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-+
-+ if (strcasecmp(value, "none") == 0) {
-+ state = TLS_CHECK_NONE;
-+ } else if (strcasecmp(value, "peer") == 0) {
-+ state = TLS_CHECK_PEER;
-+ } else if (strcasecmp(value, "all") == 0) {
-+ state = TLS_CHECK_ALL;
-+ } else {
-+ retVal = LDAP_OPERATIONS_ERROR;
-+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: unsupported value: %s", attrname, value);
-+ }
-+
-+ if (retVal == LDAP_SUCCESS && apply) {
-+ slapi_atomic_store_32((int32_t *)&(slapdFrontendConfig->tls_check_crl), state, __ATOMIC_RELEASE);
-+ }
-+
-+ return retVal;
-+}
-+
-+
- int
- config_set_SSLclientAuth(const char *attrname, char *value, char *errorbuf, int apply)
- {
-@@ -4591,6 +4628,12 @@ config_set_versionstring(const char *attrname __attribute__((unused)), char *ver
-
- #define config_copy_strval(s) s ? slapi_ch_strdup(s) : NULL;
-
-+tls_check_crl_t
-+config_get_tls_check_crl() {
-+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-+ return (tls_check_crl_t)slapi_atomic_load_32((int32_t *)&(slapdFrontendConfig->tls_check_crl), __ATOMIC_ACQUIRE);
-+}
-+
- int
- config_get_port()
- {
-@@ -7439,6 +7482,23 @@ config_set_value(
- slapi_entry_attr_set_int(e, cgas->attr_name, ival);
- break;
-
-+ case CONFIG_SPECIAL_TLS_CHECK_CRL:
-+ if (!value) {
-+ slapi_entry_attr_set_charptr(e, cgas->attr_name, (char *)cgas->initvalue);
-+ break;
-+ }
-+ tls_check_crl_t state = *(tls_check_crl_t *)value;
-+
-+ if (state == TLS_CHECK_ALL) {
-+ sval = "all";
-+ } else if (state == TLS_CHECK_PEER) {
-+ sval = "peer";
-+ } else {
-+ sval = "none";
-+ }
-+ slapi_entry_attr_set_charptr(e, cgas->attr_name, sval);
-+ break;
-+
- case CONFIG_SPECIAL_SSLCLIENTAUTH:
- if (!value) {
- slapi_entry_attr_set_charptr(e, cgas->attr_name, "off");
-diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
-index 3b7ab53b2..b13334ad1 100644
---- a/ldap/servers/slapd/proto-slap.h
-+++ b/ldap/servers/slapd/proto-slap.h
-@@ -236,6 +236,7 @@ int config_set_port(const char *attrname, char *port, char *errorbuf, int apply)
- int config_set_secureport(const char *attrname, char *port, char *errorbuf, int apply);
- int config_set_SSLclientAuth(const char *attrname, char *value, char *errorbuf, int apply);
- int config_set_ssl_check_hostname(const char *attrname, char *value, char *errorbuf, int apply);
-+int32_t config_set_tls_check_crl(const char *attrname, char *value, char *errorbuf, int apply);
- int config_set_SSL3ciphers(const char *attrname, char *value, char *errorbuf, int apply);
- int config_set_localhost(const char *attrname, char *value, char *errorbuf, int apply);
- int config_set_listenhost(const char *attrname, char *value, char *errorbuf, int apply);
-@@ -397,6 +398,7 @@ void log_disable_hr_timestamps(void);
-
- int config_get_SSLclientAuth(void);
- int config_get_ssl_check_hostname(void);
-+tls_check_crl_t config_get_tls_check_crl(void);
- char *config_get_SSL3ciphers(void);
- char *config_get_localhost(void);
- char *config_get_listenhost(void);
-diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
-index 216d94afd..443d90094 100644
---- a/ldap/servers/slapd/slap.h
-+++ b/ldap/servers/slapd/slap.h
-@@ -443,6 +443,13 @@ typedef void (*VFPV)(); /* takes undefined arguments */
- typedef int32_t slapi_onoff_t;
- typedef int32_t slapi_int_t;
-
-+typedef enum _tls_check_crl_t {
-+ TLS_CHECK_NONE = 0,
-+ TLS_CHECK_PEER = 1,
-+ TLS_CHECK_ALL = 2,
-+} tls_check_crl_t;
-+
-+
- struct subfilt
- {
- char *sf_type;
-@@ -2151,6 +2158,7 @@ typedef struct _slapdEntryPoints
- #define CONFIG_RUNDIR_ATTRIBUTE "nsslapd-rundir"
- #define CONFIG_SSLCLIENTAUTH_ATTRIBUTE "nsslapd-SSLclientAuth"
- #define CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE "nsslapd-ssl-check-hostname"
-+#define CONFIG_TLS_CHECK_CRL_ATTRIBUTE "nsslapd-tls-check-crl"
- #define CONFIG_HASH_FILTERS_ATTRIBUTE "nsslapd-hash-filters"
- #define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout"
- #define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external"
-@@ -2263,6 +2271,7 @@ typedef struct _slapdFrontendConfig
- slapi_onoff_t security;
- int SSLclientAuth;
- slapi_onoff_t ssl_check_hostname;
-+ tls_check_crl_t tls_check_crl;
- int validate_cert;
- int sizelimit;
- int SNMPenabled;
-@@ -2294,7 +2303,6 @@ typedef struct _slapdFrontendConfig
- slapi_onoff_t plugin_track;
- slapi_onoff_t moddn_aci;
- struct pw_scheme *pw_storagescheme;
--
- slapi_onoff_t pwpolicy_local;
- slapi_onoff_t pw_is_global_policy;
- slapi_onoff_t pwpolicy_inherit_global;
---
-2.13.6
-
diff --git a/SOURCES/0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch b/SOURCES/0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch
deleted file mode 100644
index d4eeeeb..0000000
--- a/SOURCES/0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From 10ec64288dcc25fd855bc05601bc4794ecea2003 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Tue, 6 Feb 2018 19:49:22 +0100
-Subject: [PATCH] Ticket 49560 - nsslapd-extract-pemfiles should be enabled by
- default as openldap is moving to openssl
-
-Bug Description:
- Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL),
- the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE,
- need to specify path to PEM files.
-
- Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx
-
- Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'.
-
- The default value is 'off', that prevent secure outgoing connection.
-
-Fix Description:
-
- Enable nsslapd-extract-pemfiles by default
- Then when establishing an outgoing connection, if it is not using NSS crypto layer
- and the pem files have been extracted then use the PEM files
-
-https://pagure.io/389-ds-base/issue/49560
-
-Reviewed by: mreynolds & mhonek
-
-Platforms tested: RHEL 7.5
-
-Flag Day: no
-
-Doc impact: no
-
-Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
-(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6)
----
- ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++----------------
- ldap/servers/slapd/libglobs.c | 2 +-
- ldap/servers/slapd/ssl.c | 2 +-
- 3 files changed, 18 insertions(+), 18 deletions(-)
-
-diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
-index 2fc2f0615..fcf22e632 100644
---- a/ldap/servers/slapd/ldaputil.c
-+++ b/ldap/servers/slapd/ldaputil.c
-@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
- slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
- "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
- }
-- if (slapi_client_uses_non_nss(ld)) {
-+ if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) {
- cacert = slapi_get_cacertfile();
- if (cacert) {
- /* CA Cert PEM file exists. Set the path to openldap option. */
-@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
- cacert, rc, ldap_err2string(rc));
- }
- }
-- if (slapi_client_uses_openssl(ld)) {
-- int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
-- tls_check_crl_t tls_check_state = config_get_tls_check_crl();
-- if (tls_check_state == TLS_CHECK_PEER) {
-- crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
-- } else if (tls_check_state == TLS_CHECK_ALL) {
-- crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
-- }
-- /* Sets the CRL evaluation strategy. */
-- rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
-- if (rc) {
-- slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
-- "Could not set CRLCHECK [%d]: %d:%s\n",
-- crlcheck, rc, ldap_err2string(rc));
-- }
-+ }
-+ if (slapi_client_uses_openssl(ld)) {
-+ int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE;
-+ tls_check_crl_t tls_check_state = config_get_tls_check_crl();
-+ if (tls_check_state == TLS_CHECK_PEER) {
-+ crlcheck = LDAP_OPT_X_TLS_CRL_PEER;
-+ } else if (tls_check_state == TLS_CHECK_ALL) {
-+ crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
-+ }
-+ /* Sets the CRL evaluation strategy. */
-+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
-+ if (rc) {
-+ slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn",
-+ "Could not set CRLCHECK [%d]: %d:%s\n",
-+ crlcheck, rc, ldap_err2string(rc));
- }
- }
- /* tell it where our cert db/file is */
-diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
-index eb6552af1..3bd5c1826 100644
---- a/ldap/servers/slapd/libglobs.c
-+++ b/ldap/servers/slapd/libglobs.c
-@@ -1688,7 +1688,7 @@ FrontendConfig_init(void)
- init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET;
- #endif
-
-- init_extract_pem = cfg->extract_pem = LDAP_OFF;
-+ init_extract_pem = cfg->extract_pem = LDAP_ON;
-
- /* Done, unlock! */
- CFG_UNLOCK_WRITE(cfg);
-diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
-index 52ac7ea9f..36b09fd16 100644
---- a/ldap/servers/slapd/ssl.c
-+++ b/ldap/servers/slapd/ssl.c
-@@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld)
- errorCode, slapd_pr_strerror(errorCode));
- } else {
- #if defined(USE_OPENLDAP)
-- if (slapi_client_uses_non_nss(ld)) {
-+ if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) {
- char *certdir = config_get_certdir();
- char *keyfile = NULL;
- char *certfile = NULL;
---
-2.13.6
-
diff --git a/SOURCES/0065-Ticket-bz1525628-invalid-password-migration-causes-u.patch b/SOURCES/0065-Ticket-bz1525628-invalid-password-migration-causes-u.patch
deleted file mode 100644
index 981ce22..0000000
--- a/SOURCES/0065-Ticket-bz1525628-invalid-password-migration-causes-u.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-From 40fcaabfaa2c865471cc5fb1fab04106bc3ec611 Mon Sep 17 00:00:00 2001
-From: William Brown <firstyear@redhat.com>
-Date: Thu, 18 Jan 2018 11:27:58 +1000
-Subject: [PATCH] Ticket bz1525628 - invalid password migration causes unauth
- bind
-
-Bug Description: Slapi_ct_memcmp expects both inputs to be
-at LEAST size n. If they are not, we only compared UP to n.
-
-Invalid migrations of passwords (IE {CRYPT}XX) would create
-a pw which is just salt and no hash. ct_memcmp would then
-only verify the salt bits and would allow the authentication.
-
-This relies on an administrative mistake both of allowing
-password migration (nsslapd-allow-hashed-passwords) and then
-subsequently migrating an INVALID password to the server.
-
-Fix Description: slapi_ct_memcmp now access n1, n2 size
-and will FAIL if they are not the same, but will still compare
-n bytes, where n is the "longest" memory, to the first byte
-of the other to prevent length disclosure of the shorter
-value (generally the mis-migrated password)
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1525628
-
-Author: wibrown
-
-Review by: ???
-
-Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
----
- .../bz1525628_ct_memcmp_invalid_hash_test.py | 56 ++++++++++++++++++++++
- ldap/servers/plugins/pwdstorage/clear_pwd.c | 4 +-
- ldap/servers/plugins/pwdstorage/crypt_pwd.c | 4 +-
- ldap/servers/plugins/pwdstorage/md5_pwd.c | 4 +-
- ldap/servers/plugins/pwdstorage/sha_pwd.c | 16 +++++--
- ldap/servers/plugins/pwdstorage/smd5_pwd.c | 2 +-
- ldap/servers/slapd/ch_malloc.c | 36 ++++++++++++--
- ldap/servers/slapd/slapi-plugin.h | 2 +-
- 8 files changed, 108 insertions(+), 16 deletions(-)
- create mode 100644 dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
-
-diff --git a/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
-new file mode 100644
-index 000000000..2f38384a1
---- /dev/null
-+++ b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py
-@@ -0,0 +1,56 @@
-+# --- BEGIN COPYRIGHT BLOCK ---
-+# Copyright (C) 2018 Red Hat, Inc.
-+# All rights reserved.
-+#
-+# License: GPL (version 3 or any later version).
-+# See LICENSE for details.
-+# --- END COPYRIGHT BLOCK ---
-+#
-+
-+import ldap
-+import pytest
-+import logging
-+from lib389.topologies import topology_st
-+from lib389._constants import PASSWORD, DEFAULT_SUFFIX
-+
-+from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES
-+
-+logging.getLogger(__name__).setLevel(logging.DEBUG)
-+log = logging.getLogger(__name__)
-+
-+def test_invalid_hash_fails(topology_st):
-+ """When given a malformed hash from userpassword migration
-+ slapi_ct_memcmp would check only to the length of the shorter
-+ field. This affects some values where it would ONLY verify
-+ the salt is valid, and thus would allow any password to bind.
-+
-+ :id: 8131c029-7147-47db-8d03-ec5db2a01cfb
-+ :setup: Standalone Instance
-+ :steps:
-+ 1. Create a user
-+ 2. Add an invalid password hash (truncated)
-+ 3. Attempt to bind
-+ :expectedresults:
-+ 1. User is added
-+ 2. Invalid pw hash is added
-+ 3. Bind fails
-+ """
-+ log.info("Running invalid hash test")
-+
-+ # Allow setting raw password hashes for migration.
-+ topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on')
-+
-+ users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
-+ user = users.create(properties=TEST_USER_PROPERTIES)
-+ user.set('userPassword', '{CRYPT}XX')
-+
-+ # Attempt to bind. This should fail.
-+ with pytest.raises(ldap.INVALID_CREDENTIALS):
-+ user.bind(PASSWORD)
-+ with pytest.raises(ldap.INVALID_CREDENTIALS):
-+ user.bind('XX')
-+ with pytest.raises(ldap.INVALID_CREDENTIALS):
-+ user.bind('{CRYPT}XX')
-+
-+ log.info("PASSED")
-+
-diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c
-index f5e6f9d4c..3d340752d 100644
---- a/ldap/servers/plugins/pwdstorage/clear_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c
-@@ -39,7 +39,7 @@ clear_pw_cmp(const char *userpwd, const char *dbpwd)
- * However, even if the first part of userpw matches dbpwd, but len !=, we
- * have already failed anyawy. This prevents substring matching.
- */
-- if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) {
-+ if (slapi_ct_memcmp(userpwd, dbpwd, len_user, len_dbp) != 0) {
- result = 1;
- }
- } else {
-@@ -51,7 +51,7 @@ clear_pw_cmp(const char *userpwd, const char *dbpwd)
- * dbpwd to itself. We have already got result == 1 if we are here, so we are
- * just trying to take up time!
- */
-- if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) {
-+ if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp, len_dbp)) {
- /* Do nothing, we have the if to fix a coverity check. */
- }
- }
-diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-index 3bd226581..0dccd1b51 100644
---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-@@ -65,13 +65,13 @@ crypt_close(Slapi_PBlock *pb __attribute__((unused)))
- int
- crypt_pw_cmp(const char *userpwd, const char *dbpwd)
- {
-- int rc;
-+ int32_t rc;
- char *cp;
- PR_Lock(cryptlock);
- /* we use salt (first 2 chars) of encoded password in call to crypt() */
- cp = crypt(userpwd, dbpwd);
- if (cp) {
-- rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd));
-+ rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd), strlen(cp));
- } else {
- rc = -1;
- }
-diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c
-index 1e2cf58e7..2c2aacaa6 100644
---- a/ldap/servers/plugins/pwdstorage/md5_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c
-@@ -30,7 +30,7 @@
- int
- md5_pw_cmp(const char *userpwd, const char *dbpwd)
- {
-- int rc = -1;
-+ int32_t rc = -1;
- char *bver;
- PK11Context *ctx = NULL;
- unsigned int outLen;
-@@ -57,7 +57,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd)
- bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item);
- /* bver points to b2a_out upon success */
- if (bver) {
-- rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd));
-+ rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd), strlen(bver));
- } else {
- slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME,
- "Could not base64 encode hashed value for password compare");
-diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c
-index 1fbe0bc82..381b31d7c 100644
---- a/ldap/servers/plugins/pwdstorage/sha_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c
-@@ -49,7 +49,7 @@ sha_pw_cmp(const char *userpwd, const char *dbpwd, unsigned int shaLen)
- char userhash[MAX_SHA_HASH_SIZE];
- char quick_dbhash[MAX_SHA_HASH_SIZE + SHA_SALT_LENGTH + 3];
- char *dbhash = quick_dbhash;
-- struct berval salt;
-+ struct berval salt = {0};
- PRUint32 hash_len;
- unsigned int secOID;
- char *schemeName;
-@@ -122,9 +122,19 @@ sha_pw_cmp(const char *userpwd, const char *dbpwd, unsigned int shaLen)
-
- /* the proof is in the comparison... */
- if (hash_len >= shaLen) {
-- result = slapi_ct_memcmp(userhash, dbhash, shaLen);
-+ /*
-+ * This say "if the hash has a salt IE >, OR if they are equal, check the hash component ONLY.
-+ * This is why we repeat shaLen twice, even though it seems odd. If you have a dbhast of ssha
-+ * it's len is 28, and the userpw is 20, but 0 - 20 is the sha, and 21-28 is the salt, which
-+ * has already been processed into userhash.
-+ * The case where dbpwd is truncated is handled above in "invalid base64" arm.
-+ */
-+ result = slapi_ct_memcmp(userhash, dbhash, shaLen, shaLen);
- } else {
-- result = slapi_ct_memcmp(userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH);
-+ /* This case is for if the salt is at the START, which only applies to DS40B1 case.
-+ * May never be a valid check...
-+ */
-+ result = slapi_ct_memcmp(userhash, dbhash + OLD_SALT_LENGTH, shaLen, hash_len - OLD_SALT_LENGTH);
- }
-
- loser:
-diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
-index a83ac6fa4..cbfc74ff3 100644
---- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c
-@@ -82,7 +82,7 @@ smd5_pw_cmp(const char *userpwd, const char *dbpwd)
- PK11_DestroyContext(ctx, 1);
-
- /* Compare everything up to the salt. */
-- rc = slapi_ct_memcmp(userhash, dbhash, MD5_LENGTH);
-+ rc = slapi_ct_memcmp(userhash, dbhash, MD5_LENGTH, MD5_LENGTH);
-
- loser:
- if (dbhash && dbhash != quick_dbhash)
-diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c
-index ef436b3e8..90a2b2c1a 100644
---- a/ldap/servers/slapd/ch_malloc.c
-+++ b/ldap/servers/slapd/ch_malloc.c
-@@ -336,8 +336,8 @@ slapi_ch_smprintf(const char *fmt, ...)
-
- /* Constant time memcmp. Does not shortcircuit on failure! */
- /* This relies on p1 and p2 both being size at least n! */
--int
--slapi_ct_memcmp(const void *p1, const void *p2, size_t n)
-+int32_t
-+slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2)
- {
- int result = 0;
- const unsigned char *_p1 = (const unsigned char *)p1;
-@@ -347,9 +347,35 @@ slapi_ct_memcmp(const void *p1, const void *p2, size_t n)
- return 2;
- }
-
-- for (size_t i = 0; i < n; i++) {
-- if (_p1[i] ^ _p2[i]) {
-- result = 1;
-+ if (n1 == n2) {
-+ for (size_t i = 0; i < n1; i++) {
-+ if (_p1[i] ^ _p2[i]) {
-+ result = 1;
-+ }
-+ }
-+ } else {
-+ const unsigned char *_pa;
-+ const unsigned char *_pb;
-+ size_t nl;
-+ if (n2 > n1) {
-+ _pa = _p2;
-+ _pb = _p2;
-+ nl = n2;
-+ } else {
-+ _pa = _p1;
-+ _pb = _p1;
-+ nl = n1;
-+ }
-+ /* We already fail as n1 != n2 */
-+ result = 3;
-+ for (size_t i = 0; i < nl; i++) {
-+ if (_pa[i] ^ _pb[i]) {
-+ /*
-+ * If we don't mutate result here, dead code elimination
-+ * we remove for loop.
-+ */
-+ result = 4;
-+ }
- }
- }
- return result;
-diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
-index 4566202d3..95cdcc0da 100644
---- a/ldap/servers/slapd/slapi-plugin.h
-+++ b/ldap/servers/slapd/slapi-plugin.h
-@@ -5862,7 +5862,7 @@ char *slapi_ch_smprintf(const char *fmt, ...)
- * \param n length in bytes of the content of p1 AND p2.
- * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2.
- */
--int slapi_ct_memcmp(const void *p1, const void *p2, size_t n);
-+int32_t slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2);
-
- /*
- * syntax plugin routines
---
-2.13.6
-
diff --git a/SOURCES/0066-Ticket-49545-final-substring-extended-filter-search-.patch b/SOURCES/0066-Ticket-49545-final-substring-extended-filter-search-.patch
deleted file mode 100644
index 6aea31b..0000000
--- a/SOURCES/0066-Ticket-49545-final-substring-extended-filter-search-.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 183517787fe86c1bc2359ad807318b8bca573d17 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Fri, 19 Jan 2018 16:34:36 +0100
-Subject: [PATCH] Ticket 49545 - final substring extended filter search returns
- invalid result
-
-Bug Description:
- During a search (using extended filter with final substring), the server
- checks the filter before returning the matching entries.
- When checking the attribute value against the filter, it
- uses the wrong value.
-
-Fix Description:
- Make suree it uses the right portion of the attribute value, in order
- to generate the keys to compare.
-
-https://pagure.io/389-ds-base/issue/49545
-
-Reviewed by: Ludwig Krispenz
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
-
-Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
----
- ldap/servers/plugins/collation/orfilter.c | 20 ++++++++++++++++++--
- 1 file changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/ldap/servers/plugins/collation/orfilter.c b/ldap/servers/plugins/collation/orfilter.c
-index a98d90219..672ee7b19 100644
---- a/ldap/servers/plugins/collation/orfilter.c
-+++ b/ldap/servers/plugins/collation/orfilter.c
-@@ -182,17 +182,33 @@ ss_filter_match(or_filter_t * or, struct berval **vals)
- } else { /* final */
- auto size_t attempts = MAX_CHAR_COMBINING;
- auto char *limit = v.bv_val;
-+ auto char *end;
- auto struct berval **vkeys;
- auto struct berval *vals[2];
- auto struct berval key;
-+
- rc = -1;
- vals[0] = &v;
- vals[1] = NULL;
- key.bv_val = (*k)->bv_val;
- key.bv_len = (*k)->bv_len - 1;
-- v.bv_val = (*vals)->bv_val + (*vals)->bv_len;
-+ /* In the following lines it will loop to find
-+ * if the end of the attribute value matches the 'final' of the filter
-+ * Short summary:
-+ * vals contains the attribute value :for example "hello world"
-+ * key contain the key generated from the indexing of final part of the filter.
-+ * for example filter=(<attribut>=*ld), so key contains the indexing("ld").
-+ *
-+ * The loop will iterate over the attribute value (vals) from the end of string
-+ * to the begining. So it will try to index('d'), index('ld'), index('rld'), index('orld')...
-+ *
-+ * At each iteration if the key generated from indexing the portion of vals, matches
-+ * the key generate from the final part of the filter, then the loop stops => we are done
-+ */
-+ end = v.bv_val + v.bv_len - 1;
-+ v.bv_val = end;
- while (1) {
-- v.bv_len = (*vals)->bv_len - (v.bv_val - (*vals)->bv_val);
-+ v.bv_len = end - v.bv_val + 1;
- vkeys = ix->ix_index(ix, vals, NULL);
- if (vkeys && vkeys[0]) {
- auto const struct berval *vkey = vkeys[0];
---
-2.13.6
-
diff --git a/SOURCES/0067-Ticket-49551-v3-correct-handling-of-numsubordinates-.patch b/SOURCES/0067-Ticket-49551-v3-correct-handling-of-numsubordinates-.patch
deleted file mode 100644
index 8c41a91..0000000
--- a/SOURCES/0067-Ticket-49551-v3-correct-handling-of-numsubordinates-.patch
+++ /dev/null
@@ -1,296 +0,0 @@
-From 233b64f26df76aa50f4b37aaf6b3804d208fdc1b Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Mon, 12 Feb 2018 09:24:25 +0100
-Subject: [PATCH] Ticket 49551 - v3 - correct handling of numsubordinates for
- cenotaphs and tombstone delete
-
- Bug: The ticket exposed several problems with tombstone handling.
- - tombstone entries of conflicts were not purged in tombstone purging
- - cenotaphs are tombstone, but the subordinate count was not managed properly
- - direct delete of tombstones failed with err=1
- - delete of entry with only conflict children failed correctly, but gave no hint why
-
- Fix: update the correct numsobordinates attribut for cenotaphs
- set proper flag in directly deleting a tombstone
- change search filter for tombstone purging to include ldapsubentries
- check for conflict children if a delete is rejected and add a message to the response
-
- Reviewed by; Thierry, William - thanks
----
- ldap/servers/plugins/replication/repl5_replica.c | 14 +++++++++--
- ldap/servers/plugins/replication/urp.c | 8 +++---
- ldap/servers/slapd/back-ldbm/ldbm_add.c | 8 +++---
- ldap/servers/slapd/back-ldbm/ldbm_delete.c | 14 ++++++++---
- ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c | 3 ++-
- ldap/servers/slapd/back-ldbm/parents.c | 12 ++++++---
- ldap/servers/slapd/entry.c | 31 ++++++++++++++++++++++++
- ldap/servers/slapd/slapi-plugin.h | 2 ++
- ldap/servers/slapd/slapi-private.h | 1 +
- ldap/servers/slapd/task.c | 4 +--
- 10 files changed, 78 insertions(+), 19 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index bdb8a5167..628fb9ceb 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -3017,6 +3017,16 @@ process_reap_entry(Slapi_Entry *entry, void *cb_data)
- search in the future, see _replica_reap_tombstones below and add more to the
- attrs array */
- deletion_csn = entry_get_deletion_csn(entry);
-+ if (deletion_csn == NULL) {
-+ /* this might be a tombstone which was directly added, eg a cenotaph
-+ * check if a tombstonecsn exist and use it
-+ */
-+ char *tombstonecsn = slapi_entry_attr_get_charptr(entry, SLAPI_ATTR_TOMBSTONE_CSN);
-+ if (tombstonecsn) {
-+ deletion_csn = csn_new_by_string(tombstonecsn);
-+ slapi_ch_free_string(&tombstonecsn);
-+ }
-+ }
-
- if ((NULL == deletion_csn || csn_compare(deletion_csn, purge_csn) < 0) &&
- (!is_ruv_tombstone_entry(entry))) {
-@@ -3116,11 +3126,11 @@ _replica_reap_tombstones(void *arg)
- */
- csn_as_string(purge_csn, PR_FALSE, deletion_csn_str);
- PR_snprintf(tombstone_filter, 128,
-- "(&(%s<=%s)(objectclass=nsTombstone))", SLAPI_ATTR_TOMBSTONE_CSN,
-+ "(&(%s<=%s)(objectclass=nsTombstone)(|(objectclass=*)(objectclass=ldapsubentry)))", SLAPI_ATTR_TOMBSTONE_CSN,
- csn_as_string(purge_csn, PR_FALSE, deletion_csn_str));
- } else {
- /* Use the old inefficient filter */
-- PR_snprintf(tombstone_filter, 128, "(objectclass=nsTombstone)");
-+ PR_snprintf(tombstone_filter, 128, "(&(objectclass=nsTombstone)(|(objectclass=*)(objectclass=ldapsubentry)))");
- }
-
- /* we just need the objectclass - for the deletion csn
-diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c
-index d4556d7fd..11c5da7cf 100644
---- a/ldap/servers/plugins/replication/urp.c
-+++ b/ldap/servers/plugins/replication/urp.c
-@@ -911,7 +911,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
- cenotaph,
- NULL,
- repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION),
-- OP_FLAG_REPL_FIXUP|OP_FLAG_NOOP);
-+ OP_FLAG_REPL_FIXUP|OP_FLAG_NOOP|OP_FLAG_CENOTAPH_ENTRY);
- slapi_add_internal_pb(add_pb);
- slapi_pblock_get(add_pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
-
-@@ -1922,7 +1922,7 @@ done:
- newpb = NULL;
-
- slapi_log_err(SLAPI_LOG_REPL, sessionid,
-- "urp_get_min_naming_conflict_entry - Found %d entries\n", i);
-+ "urp_get_min_naming_conflict_entry - Found %d entries\n", min_csn?1:0);
-
- return min_naming_conflict_entry;
- }
-@@ -2172,8 +2172,8 @@ mod_objectclass_attr(const char *uniqueid, const Slapi_DN *entrysdn, const Slapi
- char csnstr[CSN_STRSIZE+1] = {0};
-
- slapi_mods_init(&smods, 3);
-- slapi_mods_add(&smods, LDAP_MOD_ADD, "objectclass", strlen("ldapsubentry"),"ldapsubentry");
-- slapi_mods_add(&smods, LDAP_MOD_REPLACE, "conflictcsn", CSN_STRSIZE, csn_as_string(opcsn, PR_FALSE, csnstr));
-+ slapi_mods_add_string(&smods, LDAP_MOD_ADD, "objectclass", "ldapsubentry");
-+ slapi_mods_add_string(&smods, LDAP_MOD_REPLACE, "conflictcsn", csn_as_string(opcsn, PR_FALSE, csnstr));
- op_result = urp_fixup_modify_entry(uniqueid, entrysdn, opcsn, &smods, 0);
- slapi_mods_done(&smods);
- if (op_result == LDAP_TYPE_OR_VALUE_EXISTS) {
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
-index c93d44a65..f0a3262ec 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
-@@ -81,6 +81,7 @@ ldbm_back_add(Slapi_PBlock *pb)
- Slapi_Operation *operation;
- int is_replicated_operation = 0;
- int is_resurect_operation = 0;
-+ int is_cenotaph_operation = 0;
- int is_tombstone_operation = 0;
- int is_fixup_operation = 0;
- int is_remove_from_cache = 0;
-@@ -116,6 +117,7 @@ ldbm_back_add(Slapi_PBlock *pb)
- }
-
- is_resurect_operation = operation_is_flag_set(operation, OP_FLAG_RESURECT_ENTRY);
-+ is_cenotaph_operation = operation_is_flag_set(operation, OP_FLAG_CENOTAPH_ENTRY);
- is_tombstone_operation = operation_is_flag_set(operation, OP_FLAG_TOMBSTONE_ENTRY);
- is_fixup_operation = operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP);
- is_ruv = operation_is_flag_set(operation, OP_FLAG_REPL_RUV);
-@@ -846,9 +848,9 @@ ldbm_back_add(Slapi_PBlock *pb)
- the in-memory state of the parent to reflect the new child (update
- subordinate count specifically */
- if (parententry) {
-- retval = parent_update_on_childchange(&parent_modify_c,
-- is_resurect_operation ? PARENTUPDATE_RESURECT : PARENTUPDATE_ADD,
-- NULL);
-+ int op = is_resurect_operation ? PARENTUPDATE_RESURECT : PARENTUPDATE_ADD;
-+ if (is_cenotaph_operation ) op |= PARENTUPDATE_CREATE_TOMBSTONE;
-+ retval = parent_update_on_childchange(&parent_modify_c, op, NULL);
- slapi_log_err(SLAPI_LOG_BACKLDBM, "ldbm_back_add",
- "conn=%lu op=%d parent_update_on_childchange: old_entry=0x%p, new_entry=0x%p, rc=%d\n",
- conn_id, op_id, parent_modify_c.old_entry, parent_modify_c.new_entry, retval);
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
-index be0db1bd0..bc0a3654e 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
-@@ -291,9 +291,16 @@ replace_entry:
- retval = slapi_entry_has_children(e->ep_entry);
- if (retval && !is_replicated_operation) {
- ldap_result_code= LDAP_NOT_ALLOWED_ON_NONLEAF;
-- slapi_log_err(SLAPI_LOG_BACKLDBM, "ldbm_back_delete",
-- "conn=%lu op=%d Deleting entry %s has %d children.\n",
-- conn_id, op_id, slapi_entry_get_dn(e->ep_entry), retval);
-+ if (slapi_entry_has_conflict_children(e->ep_entry, (void *)li->li_identity) > 0) {
-+ ldap_result_message = "Entry has replication conflicts as children";
-+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_delete",
-+ "conn=%lu op=%d Deleting entry %s has replication conflicts as children.\n",
-+ conn_id, op_id, slapi_entry_get_dn(e->ep_entry));
-+ } else {
-+ slapi_log_err(SLAPI_LOG_BACKLDBM, "ldbm_back_delete",
-+ "conn=%lu op=%d Deleting entry %s has %d children.\n",
-+ conn_id, op_id, slapi_entry_get_dn(e->ep_entry), retval);
-+ }
- retval = -1;
- goto error_return;
- }
-@@ -431,6 +438,7 @@ replace_entry:
- slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_delete",
- "Attempt to Tombstone again a tombstone entry %s\n", dn);
- delete_tombstone_entry = 1;
-+ operation_set_flag(operation, OP_FLAG_TOMBSTONE_ENTRY);
- }
- }
-
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
-index b41a2d241..5797dd779 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
-@@ -2824,7 +2824,8 @@ _entryrdn_delete_key(backend *be,
- break;
- }
- childelem = (rdn_elem *)dataret.data;
-- if (!slapi_is_special_rdn(childelem->rdn_elem_nrdn_rdn, RDN_IS_TOMBSTONE)) {
-+ if (!slapi_is_special_rdn(childelem->rdn_elem_nrdn_rdn, RDN_IS_TOMBSTONE) &&
-+ !strcasestr(childelem->rdn_elem_nrdn_rdn, "cenotaphid")) {
- /* there's at least one live child */
- slapi_log_err(SLAPI_LOG_ERR, "_entryrdn_delete_key",
- "Failed to remove %s; has a child %s\n", nrdn,
-diff --git a/ldap/servers/slapd/back-ldbm/parents.c b/ldap/servers/slapd/back-ldbm/parents.c
-index 79e66451e..1afc795c0 100644
---- a/ldap/servers/slapd/back-ldbm/parents.c
-+++ b/ldap/servers/slapd/back-ldbm/parents.c
-@@ -89,7 +89,11 @@ parent_update_on_childchange(modify_context *mc, int op, size_t *new_sub_count)
- }
- }
-
-- if (PARENTUPDATE_DELETE_TOMBSTONE != repl_op) {
-+ if ((PARENTUPDATE_ADD == op) && (PARENTUPDATE_CREATE_TOMBSTONE == repl_op)) {
-+ /* we are directly adding a tombstone entry, only need to
-+ * update the tombstone subordinates
-+ */
-+ } else if (PARENTUPDATE_DELETE_TOMBSTONE != repl_op) {
- /* are we adding ? */
- if (((PARENTUPDATE_ADD == op) || (PARENTUPDATE_RESURECT == op)) && !already_present) {
- /* If so, and the parent entry does not already have a subcount
-@@ -136,10 +140,10 @@ parent_update_on_childchange(modify_context *mc, int op, size_t *new_sub_count)
- }
- }
-
-- /* tombstoneNumSubordinates is needed only when this is repl op
-- * and a child is being deleted */
-+ /* tombstoneNumSubordinates has to be updated if a tombstone child has been
-+ * deleted or a tombstone has been directly added (cenotaph) */
- current_sub_count = LDAP_MAXINT;
-- if ((repl_op && (PARENTUPDATE_DEL == op)) || (PARENTUPDATE_RESURECT == op)) {
-+ if (repl_op) {
- ret = slapi_entry_attr_find(mc->old_entry->ep_entry,
- tombstone_numsubordinates, &read_attr);
- if (0 == ret) {
-diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
-index 32828b4e2..b85e9f5b0 100644
---- a/ldap/servers/slapd/entry.c
-+++ b/ldap/servers/slapd/entry.c
-@@ -3238,6 +3238,37 @@ slapi_entry_has_children(const Slapi_Entry *entry)
- return slapi_entry_has_children_ext(entry, 0);
- }
-
-+int
-+slapi_entry_has_conflict_children(const Slapi_Entry *entry, void *plg_id)
-+{
-+ Slapi_PBlock *search_pb = NULL;
-+ Slapi_Entry **entries;
-+ int rc = 0;
-+
-+ search_pb = slapi_pblock_new();
-+ slapi_search_internal_set_pb(search_pb, slapi_entry_get_dn_const(entry),
-+ LDAP_SCOPE_ONELEVEL,
-+ "(&(objectclass=ldapsubentry)(nsds5ReplConflict=namingConflict*))",
-+ NULL, 0, NULL, NULL, plg_id, 0);
-+ slapi_search_internal_pb(search_pb);
-+ slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
-+ if (rc) {
-+ rc = -1;
-+ } else {
-+ slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
-+ if (entries && entries[0]) {
-+ /* we found at least one conflict entry */
-+ rc = 1;
-+ } else {
-+ rc = 0;
-+ }
-+ slapi_free_search_results_internal(search_pb);
-+ }
-+ slapi_pblock_destroy(search_pb);
-+
-+ return rc;
-+}
-+
- /*
- * Renames an entry to simulate a MODRDN operation
- */
-diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
-index 95cdcc0da..6978e258f 100644
---- a/ldap/servers/slapd/slapi-plugin.h
-+++ b/ldap/servers/slapd/slapi-plugin.h
-@@ -2000,6 +2000,8 @@ int slapi_entry_has_children(const Slapi_Entry *e);
- */
- int slapi_entry_has_children_ext(const Slapi_Entry *e, int include_tombstone);
-
-+int slapi_entry_has_conflict_children(const Slapi_Entry *e, void *plg_id);
-+
- /**
- * This function determines if an entry is the root DSE.
- *
-diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
-index 548d5cabb..b08c0d7ce 100644
---- a/ldap/servers/slapd/slapi-private.h
-+++ b/ldap/servers/slapd/slapi-private.h
-@@ -403,6 +403,7 @@ char *slapi_filter_to_string_internal(const struct slapi_filter *f, char *buf, s
- #define OP_FLAG_NEVER_CHAIN SLAPI_OP_FLAG_NEVER_CHAIN /* 0x000800 */
- #define OP_FLAG_TOMBSTONE_ENTRY SLAPI_OP_FLAG_TOMBSTONE_ENTRY /* 0x001000 */
- #define OP_FLAG_RESURECT_ENTRY 0x002000
-+#define OP_FLAG_CENOTAPH_ENTRY 0x004000
- #define OP_FLAG_ACTION_NOLOG 0x008000 /* Do not log the entry in \
- * audit log or change log \
- */
-diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
-index 4bd8895ff..3f9d5d995 100644
---- a/ldap/servers/slapd/task.c
-+++ b/ldap/servers/slapd/task.c
-@@ -2352,10 +2352,10 @@ task_fixup_tombstone_thread(void *arg)
-
- if (task_data->stripcsn) {
- /* find tombstones with nsTombstoneCSN */
-- filter = "(&(nstombstonecsn=*)(objectclass=nsTombstone))";
-+ filter = "(&(nstombstonecsn=*)(objectclass=nsTombstone)(|(objectclass=*)(objectclass=ldapsubentry)))";
- } else {
- /* find tombstones missing nsTombstoneCSN */
-- filter = "(&(!(nstombstonecsn=*))(objectclass=nsTombstone))";
-+ filter = "(&(!(nstombstonecsn=*))(objectclass=nsTombstone)(|(objectclass=*)(objectclass=ldapsubentry)))";
- }
-
- /* Okay check the specified backends only */
---
-2.13.6
-
diff --git a/SOURCES/0068-Ticket-49551-fix-memory-leak-found-by-coverity.patch b/SOURCES/0068-Ticket-49551-fix-memory-leak-found-by-coverity.patch
deleted file mode 100644
index efa2ee4..0000000
--- a/SOURCES/0068-Ticket-49551-fix-memory-leak-found-by-coverity.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From a88eea7e06a8e0a7367b2d266f9db37f6d5bbb4a Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Mon, 12 Feb 2018 16:27:03 +0100
-Subject: [PATCH] Ticket 49551 - fix memory leak found by coverity
-
----
- ldap/servers/plugins/replication/repl5_replica.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index 628fb9ceb..e3ddd783d 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -3002,6 +3002,7 @@ process_reap_entry(Slapi_Entry *entry, void *cb_data)
- if the value is set in the replica, we will know about it immediately */
- PRBool *tombstone_reap_stop = ((reap_callback_data *)cb_data)->tombstone_reap_stop;
- const CSN *deletion_csn = NULL;
-+ int deletion_csn_free = 0;
- int rc = -1;
-
- /* abort reaping if we've been told to stop or we're shutting down */
-@@ -3024,6 +3025,7 @@ process_reap_entry(Slapi_Entry *entry, void *cb_data)
- char *tombstonecsn = slapi_entry_attr_get_charptr(entry, SLAPI_ATTR_TOMBSTONE_CSN);
- if (tombstonecsn) {
- deletion_csn = csn_new_by_string(tombstonecsn);
-+ deletion_csn_free = 1;
- slapi_ch_free_string(&tombstonecsn);
- }
- }
-@@ -3056,6 +3058,9 @@ process_reap_entry(Slapi_Entry *entry, void *cb_data)
- /* Don't update the count for the database tombstone entry */
- (*num_entriesp)++;
- }
-+ if (deletion_csn_free) {
-+ csn_free(&deletion_csn);
-+ }
-
- return 0;
- }
---
-2.13.6
-
diff --git a/SOURCES/0069-Ticket-48184-revert-previous-patch-around-nunc-stans.patch b/SOURCES/0069-Ticket-48184-revert-previous-patch-around-nunc-stans.patch
deleted file mode 100644
index a87c42e..0000000
--- a/SOURCES/0069-Ticket-48184-revert-previous-patch-around-nunc-stans.patch
+++ /dev/null
@@ -1,204 +0,0 @@
-From 7d5ae77d840afda65020237f87a4535f09f0b462 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 29 Mar 2018 13:24:47 -0400
-Subject: [PATCH] Ticket 48184 - revert previous patch around unuc-stans
- shutdown crash
-
-https://pagure.io/389-ds-base/issue/48184
----
- ldap/servers/slapd/conntable.c | 13 --------
- ldap/servers/slapd/daemon.c | 76 +++++++++++++++++-------------------------
- ldap/servers/slapd/fe.h | 1 -
- ldap/servers/slapd/slap.h | 1 -
- 4 files changed, 30 insertions(+), 61 deletions(-)
-
-diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c
-index f2f763dfa..7c57b47cd 100644
---- a/ldap/servers/slapd/conntable.c
-+++ b/ldap/servers/slapd/conntable.c
-@@ -91,19 +91,6 @@ connection_table_abandon_all_operations(Connection_Table *ct)
- }
- }
-
--void
--connection_table_disconnect_all(Connection_Table *ct)
--{
-- for (size_t i = 0; i < ct->size; i++) {
-- if (ct->c[i].c_mutex) {
-- Connection *c = &(ct->c[i]);
-- PR_EnterMonitor(c->c_mutex);
-- disconnect_server_nomutex(c, c->c_connid, -1, SLAPD_DISCONNECT_ABORT, ECANCELED);
-- PR_ExitMonitor(c->c_mutex);
-- }
-- }
--}
--
- /* Given a file descriptor for a socket, this function will return
- * a slot in the connection table to use.
- *
-diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
-index c245a4d4e..fcc461a90 100644
---- a/ldap/servers/slapd/daemon.c
-+++ b/ldap/servers/slapd/daemon.c
-@@ -1176,30 +1176,6 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp)
- housekeeping_stop(); /* Run this after op_thread_cleanup() logged sth */
- disk_monitoring_stop();
-
-- /*
-- * Now that they are abandonded, we need to mark them as done.
-- * In NS while it's safe to allow excess jobs to be cleaned by
-- * by the walk and ns_job_done of remaining queued events, the
-- * issue is that if we allow something to live past this point
-- * the CT is freed from underneath, and bad things happen (tm).
-- *
-- * NOTE: We do this after we stop psearch, because there could
-- * be a race between flagging the psearch done, and users still
-- * try to send on the connection. Similar with op_threads.
-- */
-- connection_table_disconnect_all(the_connection_table);
--
-- /*
-- * WARNING: Normally we should close the tp in main
-- * but because of issues in the current connection design
-- * we need to close it here to guarantee events won't fire!
-- *
-- * All the connection close jobs "should" complete before
-- * shutdown at least.
-- */
-- ns_thrpool_shutdown(tp);
-- ns_thrpool_wait(tp);
--
- threads = g_get_active_threadcnt();
- if (threads > 0) {
- slapi_log_err(SLAPI_LOG_INFO, "slapd_daemon",
-@@ -1652,18 +1628,25 @@ ns_handle_closure(struct ns_job_t *job)
- Connection *c = (Connection *)ns_job_get_data(job);
- int do_yield = 0;
-
-+/* this function must be called from the event loop thread */
-+#ifdef DEBUG
-+ PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job)));
-+#else
-+ /* This doesn't actually confirm it's in the event loop thread, but it's a start */
-+ if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) {
-+ slapi_log_err(SLAPI_LOG_ERR, "ns_handle_closure", "Attempt to close outside of event loop thread %" PRIu64 " for fd=%d\n",
-+ c->c_connid, c->c_sd);
-+ return;
-+ }
-+#endif
-+
- PR_EnterMonitor(c->c_mutex);
-- /* Assert we really have the right job state. */
-- PR_ASSERT(job == c->c_job);
-
- connection_release_nolock_ext(c, 1); /* release ref acquired for event framework */
- PR_ASSERT(c->c_ns_close_jobs == 1); /* should be exactly 1 active close job - this one */
- c->c_ns_close_jobs--; /* this job is processing closure */
-- /* Because handle closure will add a new job, we need to detach our current one. */
-- c->c_job = NULL;
- do_yield = ns_handle_closure_nomutex(c);
- PR_ExitMonitor(c->c_mutex);
-- /* Remove this task now. */
- ns_job_done(job);
- if (do_yield) {
- /* closure not done - another reference still outstanding */
-@@ -1686,14 +1669,6 @@ ns_connection_post_io_or_closing(Connection *conn)
- return;
- }
-
-- /*
-- * Cancel any existing ns jobs we have registered.
-- */
-- if (conn->c_job != NULL) {
-- ns_job_done(conn->c_job);
-- conn->c_job = NULL;
-- }
--
- if (CONN_NEEDS_CLOSING(conn)) {
- /* there should only ever be 0 or 1 active closure jobs */
- PR_ASSERT((conn->c_ns_close_jobs == 0) || (conn->c_ns_close_jobs == 1));
-@@ -1703,10 +1678,13 @@ ns_connection_post_io_or_closing(Connection *conn)
- conn->c_connid, conn->c_sd);
- return;
- } else {
-+ /* just make sure we schedule the event to be closed in a timely manner */
-+ tv.tv_sec = 0;
-+ tv.tv_usec = slapd_wakeup_timer * 1000;
- conn->c_ns_close_jobs++; /* now 1 active closure job */
- connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */
-- /* Close the job asynchronously. Why? */
-- ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handle_closure, conn, &(conn->c_job));
-+ ns_result_t job_result = ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER,
-+ ns_handle_closure, conn, NULL);
- if (job_result != NS_SUCCESS) {
- if (job_result == NS_SHUTDOWN) {
- slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post closure job "
-@@ -1750,7 +1728,7 @@ ns_connection_post_io_or_closing(Connection *conn)
- #endif
- ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv,
- NS_JOB_READ | NS_JOB_PRESERVE_FD,
-- ns_handle_pr_read_ready, conn, &(conn->c_job));
-+ ns_handle_pr_read_ready, conn, NULL);
- if (job_result != NS_SUCCESS) {
- if (job_result == NS_SHUTDOWN) {
- slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post I/O job for "
-@@ -1779,12 +1757,19 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
- int maxthreads = config_get_maxthreadsperconn();
- Connection *c = (Connection *)ns_job_get_data(job);
-
-- PR_EnterMonitor(c->c_mutex);
-- /* Assert we really have the right job state. */
-- PR_ASSERT(job == c->c_job);
-+/* this function must be called from the event loop thread */
-+#ifdef DEBUG
-+ PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job)));
-+#else
-+ /* This doesn't actually confirm it's in the event loop thread, but it's a start */
-+ if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) {
-+ slapi_log_err(SLAPI_LOG_ERR, "ns_handle_pr_read_ready", "Attempt to handle read ready outside of event loop thread %" PRIu64 " for fd=%d\n",
-+ c->c_connid, c->c_sd);
-+ return;
-+ }
-+#endif
-
-- /* On all code paths we remove the job, so set it null now */
-- c->c_job = NULL;
-+ PR_EnterMonitor(c->c_mutex);
-
- slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "activity on conn %" PRIu64 " for fd=%d\n",
- c->c_connid, c->c_sd);
-@@ -1844,7 +1829,6 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
- slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "queued conn %" PRIu64 " for fd=%d\n",
- c->c_connid, c->c_sd);
- }
-- /* Since we call done on the job, we need to remove it here. */
- PR_ExitMonitor(c->c_mutex);
- ns_job_done(job);
- return;
-diff --git a/ldap/servers/slapd/fe.h b/ldap/servers/slapd/fe.h
-index f47bb6145..4d25a9fb8 100644
---- a/ldap/servers/slapd/fe.h
-+++ b/ldap/servers/slapd/fe.h
-@@ -100,7 +100,6 @@ extern Connection_Table *the_connection_table; /* JCM - Exported from globals.c
- Connection_Table *connection_table_new(int table_size);
- void connection_table_free(Connection_Table *ct);
- void connection_table_abandon_all_operations(Connection_Table *ct);
--void connection_table_disconnect_all(Connection_Table *ct);
- Connection *connection_table_get_connection(Connection_Table *ct, int sd);
- int connection_table_move_connection_out_of_active_list(Connection_Table *ct, Connection *c);
- void connection_table_move_connection_on_to_active_list(Connection_Table *ct, Connection *c);
-diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
-index 443d90094..9b10aa19e 100644
---- a/ldap/servers/slapd/slap.h
-+++ b/ldap/servers/slapd/slap.h
-@@ -1651,7 +1651,6 @@ typedef struct conn
- void *c_io_layer_cb_data; /* callback data */
- struct connection_table *c_ct; /* connection table that this connection belongs to */
- ns_thrpool_t *c_tp; /* thread pool for this connection */
-- struct ns_job_t *c_job; /* If it exists, the current ns_job_t */
- int c_ns_close_jobs; /* number of current close jobs */
- char *c_ipaddr; /* ip address str - used by monitor */
- } Connection;
---
-2.13.6
-
diff --git a/SOURCES/0070-Ticket-49619-adjustment-of-csn_generator-can-fail-so.patch b/SOURCES/0070-Ticket-49619-adjustment-of-csn_generator-can-fail-so.patch
deleted file mode 100644
index 7fc3da9..0000000
--- a/SOURCES/0070-Ticket-49619-adjustment-of-csn_generator-can-fail-so.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From d606691d341dfffee0b02fc55fb29f74f975e775 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Wed, 21 Mar 2018 18:26:16 +0100
-Subject: [PATCH] Ticket 49619 - adjustment of csn_generator can fail so next
- generated csn can be equal to the most recent one received
-
-Bug Description:
- On consumer side csn_generator ajustment occurs (let CSN = highest known csn)
-
- when a replication session starts
- when a csn is generated locally and than csn is <= CSN
-
- During adjustment, in the case
-
- there is no remote/local offset (time change)
- the current_time on the consumer is identical to CSN
-
- Then next locally generated csn will only differ with seqnum
-
- The seqnum of the csn_generator is increased only if CSN.seqnum is larger
- than the csn_generator one.
- In case of egality, it remains unchanged.
-
- The consequence is that the next locally generated csn will be identical to CSN (except for the RID).
- So even after csn_generator adjustment, csn_generator may create csn that are not larger than the CSN
-
-Fix Description:
- compare the new generated timestamp (time+offsets) with adjustment one.
- If the new is greater or EQUAL, make sure the local seqnum is ahead the remote one
-
-https://pagure.io/389-ds-base/issue/49619
-
-Reviewed by: Mark Reynolds
-
-Platforms tested: F27
-
-Flag Day: no
-
-Doc impact: no
----
- ldap/servers/slapd/csngen.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/csngen.c b/ldap/servers/slapd/csngen.c
-index 287ea847e..4ac45acf0 100644
---- a/ldap/servers/slapd/csngen.c
-+++ b/ldap/servers/slapd/csngen.c
-@@ -331,7 +331,7 @@ csngen_adjust_time(CSNGen *gen, const CSN *csn)
- /* let's revisit the seq num - if the new time is > the old
- tiem, we should reset the seq number to remote + 1 if
- this won't cause a wrap around */
-- if (new_time > cur_time) {
-+ if (new_time >= cur_time) {
- /* just set seq_num regardless of whether the current one
- is < or > than the remote one - the goal of this function
- is to make sure we generate CSNs > the remote CSN - if
---
-2.13.6
-
diff --git a/SOURCES/0071-Ticket-49161-memberof-fails-if-group-is-moved-into-s.patch b/SOURCES/0071-Ticket-49161-memberof-fails-if-group-is-moved-into-s.patch
deleted file mode 100644
index 411720a..0000000
--- a/SOURCES/0071-Ticket-49161-memberof-fails-if-group-is-moved-into-s.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 293361f34d935080c1d8d0e73b4355b48faebe2a Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Tue, 27 Feb 2018 13:56:14 +0100
-Subject: [PATCH] Ticket 49161 - memberof fails if group is moved into scope
-
-if the DEL part of the replace of memberof fails because it does not exist
-just add the new memberof values
-
-Reviwed by: Mark, thanks
----
- ldap/servers/plugins/memberof/memberof.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
-index fcfa7817d..2f46167dc 100644
---- a/ldap/servers/plugins/memberof/memberof.c
-+++ b/ldap/servers/plugins/memberof/memberof.c
-@@ -1710,6 +1710,13 @@ memberof_modop_one_replace_r(Slapi_PBlock *pb, MemberOfConfig *config, int mod_o
- replace_mod.mod_values = replace_val;
- }
- rc = memberof_add_memberof_attr(mods, op_to, config->auto_add_oc);
-+ if (rc == LDAP_NO_SUCH_ATTRIBUTE) {
-+ /* the memberof values to be replaced do not exist
-+ * just add the new values */
-+ mods[0] = mods[1];
-+ mods[1] = NULL;
-+ rc = memberof_add_memberof_attr(mods, op_to, config->auto_add_oc);
-+ }
- }
- }
-
---
-2.13.6
-
diff --git a/SOURCES/0072-Ticket-49296-Fix-race-condition-in-connection-code-w.patch b/SOURCES/0072-Ticket-49296-Fix-race-condition-in-connection-code-w.patch
deleted file mode 100644
index e920975..0000000
--- a/SOURCES/0072-Ticket-49296-Fix-race-condition-in-connection-code-w.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From dd12327d1523f3ff9d6ae8b44b640fb9d0d2d53b Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Mon, 19 Feb 2018 10:44:36 -0500
-Subject: [PATCH] Ticket 49296 - Fix race condition in connection code with
- anonymous limits
-
-Bug Description: When a connection first comes in we set the anonymous
- resource limits (if set) before we do anything else. The
- way we check if the connection is "new" was flawed. It
- assumed the connection was new if no operations were
- completed yet, but there was a small window between sending
- the result and setting that the operation completed in the
- connection struct.
-
- So on a connection that binds and then does a search, when
- the server sends the bind result the client sends the search,
- but the search op/activity can be picked up before we set
- c_opscompleted. This opens a window where the code thinks
- the search op is the first op(new connection), and it incorrectly
- sets the anonymous limits for the bind dn.
-
-Fix description: Do not use c_opscompleted to determine if a connection is new,
- instead use a new flag to set the connection "initialized",
- which prevents the race condition.
-
-https://pagure.io/389-ds-base/issue/49296
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit 0d5214d08e6b5b39fb9d5ef5cf3d8834574954f1)
----
- ldap/servers/slapd/connection.c | 12 +++++++++++-
- ldap/servers/slapd/slap.h | 7 +++----
- 2 files changed, 14 insertions(+), 5 deletions(-)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index 5d2b64ed2..5ca32a333 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -217,6 +217,7 @@ connection_cleanup(Connection *conn)
- conn->c_connid = 0;
- conn->c_opsinitiated = 0;
- conn->c_opscompleted = 0;
-+ conn->c_anonlimits_set = 0;
- conn->c_threadnumber = 0;
- conn->c_refcnt = 0;
- conn->c_idlesince = 0;
-@@ -1549,7 +1550,9 @@ connection_threadmain()
- g_decr_active_threadcnt();
- return;
- }
-- if (pb_conn->c_opscompleted == 0) {
-+
-+ PR_EnterMonitor(pb_conn->c_mutex);
-+ if (pb_conn->c_anonlimits_set == 0) {
- /*
- * We have a new connection, set the anonymous reslimit idletimeout
- * if applicable.
-@@ -1568,7 +1571,14 @@ connection_threadmain()
- }
- }
- slapi_ch_free_string(&anon_dn);
-+ /*
-+ * Set connection as initialized to avoid setting anonymous limits
-+ * multiple times on the same connection
-+ */
-+ pb_conn->c_anonlimits_set = 1;
- }
-+ PR_ExitMonitor(pb_conn->c_mutex);
-+
- if (connection_call_io_layer_callbacks(pb_conn)) {
- slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain",
- "Could not add/remove IO layers from connection\n");
-diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
-index 9b10aa19e..03355f5fe 100644
---- a/ldap/servers/slapd/slap.h
-+++ b/ldap/servers/slapd/slap.h
-@@ -1616,6 +1616,7 @@ typedef struct conn
- PRUint64 c_maxthreadsblocked; /* # of operations blocked by maxthreads */
- int c_opsinitiated; /* # ops initiated/next op id */
- PRInt32 c_opscompleted; /* # ops completed */
-+ uint64_t c_anonlimits_set; /* default anon limits are set */
- PRInt32 c_threadnumber; /* # threads used in this conn */
- int c_refcnt; /* # ops refering to this conn */
- PRMonitor *c_mutex; /* protect each conn structure; need to be re-entrant */
-@@ -1623,10 +1624,8 @@ typedef struct conn
- time_t c_idlesince; /* last time of activity on conn */
- int c_idletimeout; /* local copy of idletimeout */
- int c_idletimeout_handle; /* the resource limits handle */
-- Conn_private *c_private; /* data which is not shared outside*/
-- /* connection.c */
-- int c_flags; /* Misc flags used only for SSL */
-- /* status currently */
-+ Conn_private *c_private; /* data which is not shared outside connection.c */
-+ int c_flags; /* Misc flags used only for SSL status currently */
- int c_needpw; /* need new password */
- CERTCertificate *c_client_cert; /* Client's Cert */
- PRFileDesc *c_prfd; /* NSPR 2.1 FileDesc */
---
-2.13.6
-
diff --git a/SOURCES/0073-Ticket-49540-Indexing-task-is-reported-finished-too-.patch b/SOURCES/0073-Ticket-49540-Indexing-task-is-reported-finished-too-.patch
deleted file mode 100644
index b811f38..0000000
--- a/SOURCES/0073-Ticket-49540-Indexing-task-is-reported-finished-too-.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-From 3dac3503087b6bae9e6e3d63a8214e8be65a145b Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Fri, 19 Jan 2018 17:50:59 +0100
-Subject: [PATCH 05/10] Ticket 49540 - Indexing task is reported finished too
- early regarding the backend status
-
-Bug Description:
- If a task complete successfully, its status is updated before the backend
- can receive update.
-
-Fix Description:
- postpone the task status update after backend is reenabled
-
-https://pagure.io/389-ds-base/issue/49540
-
-Reviewed by: Ludwig Krispenz
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
----
- dirsrvtests/tests/tickets/ticket49540_test.py | 135 ++++++++++++++++++++++++++
- ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 16 +--
- 2 files changed, 145 insertions(+), 6 deletions(-)
- create mode 100644 dirsrvtests/tests/tickets/ticket49540_test.py
-
-diff --git a/dirsrvtests/tests/tickets/ticket49540_test.py b/dirsrvtests/tests/tickets/ticket49540_test.py
-new file mode 100644
-index 000000000..1fbfde2c5
---- /dev/null
-+++ b/dirsrvtests/tests/tickets/ticket49540_test.py
-@@ -0,0 +1,135 @@
-+import logging
-+import pytest
-+import os
-+import ldap
-+import time
-+import re
-+from lib389._constants import *
-+from lib389.tasks import *
-+from lib389.topologies import topology_st as topo
-+from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES
-+from lib389 import Entry
-+
-+
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+HOMEDIRECTORY_INDEX = 'cn=homeDirectory,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
-+HOMEDIRECTORY_CN = "homedirectory"
-+MATCHINGRULE = 'nsMatchingRule'
-+USER_CN = 'user_'
-+
-+def create_index_entry(topo):
-+ log.info("\n\nindex homeDirectory")
-+ try:
-+ ent = topo.getEntry(HOMEDIRECTORY_INDEX, ldap.SCOPE_BASE)
-+ except ldap.NO_SUCH_OBJECT:
-+ topo.add_s(Entry((HOMEDIRECTORY_INDEX, {
-+ 'objectclass': "top nsIndex".split(),
-+ 'cn': HOMEDIRECTORY_CN,
-+ 'nsSystemIndex': 'false',
-+ MATCHINGRULE: ['caseIgnoreIA5Match', 'caseExactIA5Match' ],
-+ 'nsIndexType': ['eq', 'sub', 'pres']})))
-+
-+
-+def provision_users(topo):
-+ test_users = []
-+ homeValue = b'x' * (32 * 1024) # just to slow down indexing
-+ for i in range(100):
-+ CN = '%s%d' % (USER_CN, i)
-+ users = UserAccounts(topo, SUFFIX)
-+ user_props = TEST_USER_PROPERTIES.copy()
-+ user_props.update({'uid': CN, 'cn': CN, 'sn': '_%s' % CN, HOMEDIRECTORY_CN: homeValue})
-+ testuser = users.create(properties=user_props)
-+ test_users.append(testuser)
-+ return test_users
-+
-+def start_start_status(server):
-+ args = {TASK_WAIT: False}
-+ indexTask = Tasks(server)
-+ indexTask.reindex(suffix=SUFFIX, attrname='homeDirectory', args=args)
-+ return indexTask
-+
-+def check_task_status(server, indexTask, test_entry):
-+ finish_pattern = re.compile(".*Finished indexing.*")
-+ mod = [(ldap.MOD_REPLACE, 'sn', b'foo')]
-+ for i in range(10):
-+ log.info("check_task_status =========> %d th loop" % i)
-+ try:
-+ ent = server.getEntry(indexTask.dn, ldap.SCOPE_BASE)
-+ if ent.hasAttr('nsTaskStatus'):
-+ value = str(ent.getValue('nsTaskStatus'))
-+ finish = finish_pattern.search(value)
-+ log.info("%s ---> %s" % (indexTask.dn, value))
-+ else:
-+ finish = None
-+ log.info("%s ---> NO STATUS" % (indexTask.dn))
-+
-+ if not finish:
-+ # This is not yet finished try an update
-+ try:
-+ server.modify_s(test_entry, mod)
-+
-+ # weird, may be indexing just complete
-+ ent = server.getEntry(indexTask.dn, ldap.SCOPE_BASE, ['nsTaskStatus'])
-+ assert (ent.hasAttr('nsTaskStatus') and regex.search(ent.getValue('nsTaskStatus')))
-+ log.info("Okay, it just finished so the MOD was successful")
-+ except ldap.UNWILLING_TO_PERFORM:
-+ log.info("=========> Great it was expected in the middle of index")
-+ else:
-+ # The update should be successful
-+ server.modify_s(test_entry, mod)
-+
-+ except ldap.NO_SUCH_OBJECT:
-+ log.info("%s: no found" % (indexTask.dn))
-+
-+ time.sleep(1)
-+
-+def test_ticket49540(topo):
-+ """Specify a test case purpose or name here
-+
-+ :id: 1df16d5a-1b92-46b7-8435-876b87545748
-+ :setup: Standalone Instance
-+ :steps:
-+ 1. Create homeDirectory index (especially with substring)
-+ 2. Creates 100 users with large homeDirectory value => long to index
-+ 3. Start an indexing task WITHOUT waiting for its completion
-+ 4. Monitor that until task.status = 'Finish', any update -> UNWILLING to perform
-+ :expectedresults:
-+ 1. Index configuration succeeds
-+ 2. users entry are successfully created
-+ 3. Indexing task is started
-+ 4. If the task.status does not contain 'Finished indexing', any update should return UNWILLING_TO_PERFORM
-+ When it contains 'Finished indexing', updates should be successful
-+ """
-+
-+ server = topo.standalone
-+ create_index_entry(server)
-+ test_users = provision_users(server)
-+
-+ indexTask = start_start_status(server)
-+ check_task_status(server, indexTask, test_users[0].dn)
-+
-+ # If you need any test suite initialization,
-+ # please, write additional fixture for that (including finalizer).
-+ # Topology for suites are predefined in lib389/topologies.py.
-+
-+ # If you need host, port or any other data about instance,
-+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid)
-+
-+ if DEBUGGING:
-+ # Add debugging steps(if any)...
-+ pass
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main(["-s", CURRENT_FILE])
-+
-diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
-index 4347c1721..16b87ee6b 100644
---- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
-+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
-@@ -2562,12 +2562,7 @@ ldbm_back_ldbm2index(Slapi_PBlock *pb)
- vlvIndex_go_online(pvlv[vlvidx], be);
- }
-
-- if (task) {
-- slapi_task_log_status(task, "%s: Finished indexing.",
-- inst->inst_name);
-- slapi_task_log_notice(task, "%s: Finished indexing.",
-- inst->inst_name);
-- }
-+ /* if it was a task, its status will be updated later after backend is ready for update */
- slapi_log_err(SLAPI_LOG_INFO, "ldbm_back_ldbm2index", "%s: Finished indexing.\n",
- inst->inst_name);
- return_value = 0; /* success */
-@@ -2591,6 +2586,15 @@ err_min:
- dblayer_release_id2entry(be, db); /* nope */
- instance_set_not_busy(inst);
-
-+ if (return_value == 0) {
-+ if (task) {
-+ slapi_task_log_status(task, "%s: Finished indexing.",
-+ inst->inst_name);
-+ slapi_task_log_notice(task, "%s: Finished indexing.",
-+ inst->inst_name);
-+ }
-+ }
-+
- if (run_from_cmdline) {
- dblayer_instance_close(be);
- if (0 != dblayer_close(li, DBLAYER_INDEX_MODE)) {
---
-2.13.6
-
diff --git a/SOURCES/0074-Ticket-49566-ds-replcheck-needs-to-work-with-hidden-.patch b/SOURCES/0074-Ticket-49566-ds-replcheck-needs-to-work-with-hidden-.patch
deleted file mode 100644
index d311158..0000000
--- a/SOURCES/0074-Ticket-49566-ds-replcheck-needs-to-work-with-hidden-.patch
+++ /dev/null
@@ -1,157 +0,0 @@
-From 22cf575ae7aea204c3e3974c645725a25f4e09e6 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Wed, 14 Feb 2018 20:25:34 -0500
-Subject: [PATCH] Ticket 49566 - ds-replcheck needs to work with hidden
- conflict entries
-
-Description: Conflict entries are now hidden and the tool needs to account
- for it. The filter needs to include "objectclass=ldapsubentry"
-
- Added option to prompt for password, and cleaned up man page.
-
-https://pagure.io/389-ds-base/issue/49566
-
-Reviewed by: spichugi(Thanks!)
-
-(cherry picked from commit 9e2009ae7105dda5493d4d60b20f15ffb369ab26)
----
- ldap/admin/src/scripts/ds-replcheck | 23 ++++++++++++++++-------
- man/man1/ds-replcheck.1 | 14 +++++++++++---
- 2 files changed, 27 insertions(+), 10 deletions(-)
-
-diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck
-index 0b7e70ee8..45c4670a3 100755
---- a/ldap/admin/src/scripts/ds-replcheck
-+++ b/ldap/admin/src/scripts/ds-replcheck
-@@ -14,6 +14,7 @@ import time
- import ldap
- import ldapurl
- import argparse
-+import getpass
-
- from ldap.ldapobject import SimpleLDAPObject
- from ldap.cidict import cidict
-@@ -878,14 +879,16 @@ def do_online_report(opts, output_file=None):
- controls = [paged_ctrl]
- req_pr_ctrl = controls[0]
- try:
-- master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, "objectclass=*",
-+ master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE,
-+ "(|(objectclass=*)(objectclass=ldapsubentry))",
- ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'],
- serverctrls=controls)
- except ldap.LDAPError as e:
- print("Error: Failed to get Master entries: %s", str(e))
- exit(1)
- try:
-- replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, "objectclass=*",
-+ replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE,
-+ "(|(objectclass=*)(objectclass=ldapsubentry))",
- ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'],
- serverctrls=controls)
- except ldap.LDAPError as e:
-@@ -928,7 +931,8 @@ def do_online_report(opts, output_file=None):
- if m_pctrls[0].cookie:
- # Copy cookie from response control to request control
- req_pr_ctrl.cookie = m_pctrls[0].cookie
-- master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, "objectclass=*",
-+ master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE,
-+ "(|(objectclass=*)(objectclass=ldapsubentry))",
- ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], serverctrls=controls)
- else:
- m_done = True # No more pages available
-@@ -947,7 +951,8 @@ def do_online_report(opts, output_file=None):
- if r_pctrls[0].cookie:
- # Copy cookie from response control to request control
- req_pr_ctrl.cookie = r_pctrls[0].cookie
-- replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, "objectclass=*",
-+ replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE,
-+ "(|(objectclass=*)(objectclass=ldapsubentry))",
- ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], serverctrls=controls)
- else:
- r_done = True # No more pages available
-@@ -976,8 +981,9 @@ def main():
- parser = argparse.ArgumentParser(description=desc)
- parser.add_argument('-v', '--verbose', help='Verbose output', action='store_true', default=False, dest='verbose')
- parser.add_argument('-o', '--outfile', help='The output file', dest='file', default=None)
-- parser.add_argument('-D', '--binddn', help='The Bind DN', dest='binddn', default="")
-- parser.add_argument('-w', '--bindpw', help='The Bind password', dest='bindpw', default="")
-+ parser.add_argument('-D', '--binddn', help='The Bind DN', dest='binddn', default=None)
-+ parser.add_argument('-w', '--bindpw', help='The Bind password', dest='bindpw', default=None)
-+ parser.add_argument('-W', '--prompt', help='Prompt for the bind password', action='store_true', dest='prompt', default=False)
- parser.add_argument('-m', '--master_url', help='The LDAP URL for the Master server (REQUIRED)',
- dest='murl', default=None)
- parser.add_argument('-r', '--replica_url', help='The LDAP URL for the Replica server (REQUIRED)',
-@@ -1012,7 +1018,7 @@ def main():
- elif (args.mldif is None and
- (args.suffix is None or
- args.binddn is None or
-- args.bindpw is None or
-+ (args.bindpw is None and args.prompt is False) or
- args.murl is None or
- args.rurl is None)):
- print("\n-------> Missing required options for online mode!\n")
-@@ -1098,6 +1104,9 @@ def main():
- print("Can't open file: " + args.file)
- exit(1)
-
-+ if args.prompt:
-+ opts['bindpw'] = getpass.getpass('Enter password:')
-+
- if opts['mldif'] is not None and opts['rldif'] is not None:
- print ("Performing offline report...")
- do_offline_report(opts, OUTPUT_FILE)
-diff --git a/man/man1/ds-replcheck.1 b/man/man1/ds-replcheck.1
-index 21b4802a5..3f14e11c8 100644
---- a/man/man1/ds-replcheck.1
-+++ b/man/man1/ds-replcheck.1
-@@ -2,7 +2,7 @@
- .\" First parameter, NAME, should be all caps
- .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
- .\" other parameters are allowed: see man(7), man(1)
--.TH DS-REPLCHECK 1 "May 2, 2017"
-+.TH DS-REPLCHECK 1 "Feb 14, 2018"
- .\" Please adjust this date whenever revising the manpage.
- .\"
- .\" Some roff macros, for reference:
-@@ -19,7 +19,7 @@
- ds-replcheck - Performs replication synchronization report between two replicas
-
- .SH SYNOPSIS
--ds-replcheck [-h] [-o FILE] [-D BINDDN] [-w BINDPW] [-m MURL]
-+ds-replcheck [-h] [-o FILE] [-D BINDDN] [[-w BINDPW] [-W]] [-m MURL]
- [-r RURL] [-b SUFFIX] [-l LAG] [-Z CERTDIR]
- [-i IGNORE] [-p PAGESIZE] [-M MLDIF] [-R RLDIF]
-
-@@ -41,6 +41,10 @@ The Directory Manager DN, or root DN.a (online mode)
- .B \fB\-w\fR \fIPASSWORD\fR
- The Directory Manager password (online mode)
- .TP
-+.B \fB\-W\fR
-+.br
-+Prompt for the Directory Manager password (online mode)
-+.TP
- .B \fB\-m\fR \fILDAP_URL\fR
- The LDAP Url for the first replica (online mode)
- .TP
-@@ -59,6 +63,10 @@ The directory containing a certificate database for StartTLS/SSL connections. (
- .B \fB\-i\fR \fIIGNORE LIST\fR
- Comma separated list of attributes to ignore in the report (online & offline)
- .TP
-+.B \fB\-c\fR
-+.br
-+Display verbose conflict entry information
-+.TP
- .B \fB\-M\fR \fILDIF FILE\fR
- The LDIF file for the first replica (offline mode)
- .TP
-@@ -81,5 +89,5 @@ ds-replcheck was written by the 389 Project.
- .SH "REPORTING BUGS"
- Report bugs to https://pagure.io/389-ds-base/new_issue
- .SH COPYRIGHT
--Copyright \(co 2017 Red Hat, Inc.
-+Copyright \(co 2018 Red Hat, Inc.
-
---
-2.13.6
-
diff --git a/SOURCES/0075-Ticket-49460-replica_write_ruv-log-a-failure-even-wh.patch b/SOURCES/0075-Ticket-49460-replica_write_ruv-log-a-failure-even-wh.patch
deleted file mode 100644
index 9120697..0000000
--- a/SOURCES/0075-Ticket-49460-replica_write_ruv-log-a-failure-even-wh.patch
+++ /dev/null
@@ -1,169 +0,0 @@
-From a0c4a8d69735cb37e5b52b195ec632ce6d1f028f Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Tue, 21 Nov 2017 17:23:29 +0100
-Subject: [PATCH] Ticket 49460 - replica_write_ruv log a failure even when it
- succeeds
-
-Bug Description:
- Minor issue
- If the update of the DB RUV returns a success LDAP_SUCCESS (internal modify),
- it however logs an error as if it failed
-
- side effect of https://pagure.io/389-ds-base/issue/48118
-
-Fix Description:
- Log a message only on failure
-
-https://pagure.io/389-ds-base/issue/49460
-
-Reviewed by: Ludwig Krispenz, William Brown
-
-Platforms tested: F23
-
-Flag Day: no
-
-Doc impact: no
----
- dirsrvtests/tests/tickets/ticket49460_test.py | 115 +++++++++++++++++++++++
- ldap/servers/plugins/replication/repl5_replica.c | 3 +-
- 2 files changed, 116 insertions(+), 2 deletions(-)
- create mode 100644 dirsrvtests/tests/tickets/ticket49460_test.py
-
-diff --git a/dirsrvtests/tests/tickets/ticket49460_test.py b/dirsrvtests/tests/tickets/ticket49460_test.py
-new file mode 100644
-index 000000000..296b3c9aa
---- /dev/null
-+++ b/dirsrvtests/tests/tickets/ticket49460_test.py
-@@ -0,0 +1,115 @@
-+import time
-+import ldap
-+import logging
-+import pytest
-+import os
-+import re
-+from lib389._constants import *
-+from lib389.config import Config
-+from lib389 import DirSrv, Entry
-+from lib389.topologies import topology_m3 as topo
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+USER_CN="user"
-+
-+def add_user(server, no, desc='dummy', sleep=True):
-+ cn = '%s%d' % (USER_CN, no)
-+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX)
-+ log.fatal('Adding user (%s): ' % dn)
-+ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'inetuser', 'userSecurityInformation'],
-+ 'sn': ['_%s' % cn],
-+ 'description': [desc]})))
-+ time.sleep(1)
-+
-+def check_user(server, no, timeout=10):
-+
-+ cn = '%s%d' % (USER_CN, no)
-+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX)
-+ found = False
-+ cpt = 0
-+ while cpt < timeout:
-+ try:
-+ server.getEntry(dn, ldap.SCOPE_BASE, "(objectclass=*)")
-+ found = True
-+ break
-+ except ldap.NO_SUCH_OBJECT:
-+ time.sleep(1)
-+ cpt += 1
-+ return found
-+
-+def pattern_errorlog(server, log_pattern):
-+ file_obj = open(server.errlog, "r")
-+
-+ found = None
-+ # Use a while true iteration because 'for line in file: hit a
-+ while True:
-+ line = file_obj.readline()
-+ found = log_pattern.search(line)
-+ if ((line == '') or (found)):
-+ break
-+
-+ return found
-+
-+def test_ticket_49460(topo):
-+ """Specify a test case purpose or name here
-+
-+ :id: d1aa2e8b-e6ab-4fc6-9c63-c6f622544f2d
-+ :setup: Fill in set up configuration here
-+ :steps:
-+ 1. Enable replication logging
-+ 2. Do few updates to generatat RUV update
-+ :expectedresults:
-+ 1. No report of failure when the RUV is updated
-+ """
-+
-+ M1 = topo.ms["master1"]
-+ M2 = topo.ms["master2"]
-+ M3 = topo.ms["master3"]
-+
-+ for i in (M1, M2, M3):
-+ i.config.loglevel(vals=[256 + 4], service='access')
-+ i.config.loglevel(vals=[LOG_REPLICA, LOG_DEFAULT], service='error')
-+
-+ add_user(M1, 11, desc="add to M1")
-+ add_user(M2, 21, desc="add to M2")
-+ add_user(M3, 31, desc="add to M3")
-+
-+ for i in (M1, M2, M3):
-+ assert check_user(i, 11)
-+ assert check_user(i, 21)
-+ assert check_user(i, 31)
-+
-+ time.sleep(10)
-+
-+ #M1.tasks.cleanAllRUV(suffix=SUFFIX, replicaid='3',
-+ # force=False, args={TASK_WAIT: True})
-+ #time.sleep(10)
-+ regex = re.compile(".*Failed to update RUV tombstone.*LDAP error - 0")
-+ assert not pattern_errorlog(M1, regex)
-+ assert not pattern_errorlog(M2, regex)
-+ assert not pattern_errorlog(M3, regex)
-+
-+ # If you need any test suite initialization,
-+ # please, write additional fixture for that (including finalizer).
-+ # Topology for suites are predefined in lib389/topologies.py.
-+
-+ # If you need host, port or any other data about instance,
-+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid)
-+
-+ if DEBUGGING:
-+ # Add debugging steps(if any)...
-+ pass
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-+
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index e3ddd783d..c6d6ee746 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -2829,8 +2829,7 @@ replica_write_ruv(Replica *r)
- /* this includes an internal operation - but since this only happens
- during server startup - its ok that we have lock around it */
- rc = _replica_configure_ruv(r, PR_TRUE);
-- } else /* error */
-- {
-+ } else if (rc != LDAP_SUCCESS) { /* error */
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
- "replica_write_ruv - Failed to update RUV tombstone for %s; "
- "LDAP error - %d\n",
---
-2.13.6
-
diff --git a/SOURCES/0076-Ticket-49631-same-csn-generated-twice.patch b/SOURCES/0076-Ticket-49631-same-csn-generated-twice.patch
deleted file mode 100644
index 9058223..0000000
--- a/SOURCES/0076-Ticket-49631-same-csn-generated-twice.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 9c929dbfcd1687ba43b2b2ee649c0e6522365fad Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Wed, 4 Apr 2018 08:59:15 +0200
-Subject: [PATCH] Ticket 49631 - same csn generated twice
-
-Bug: if in the csn adjustment the local time was less or equal than the remote time
- the sequence number has always been adjusted to remote++
- but if the csn time was equal and the local seq number was larger the effect
- was a reset of the csn generato.
-
-Fix: correctly handles seqnum in csn adjustment
-
-Reviewed by: Mark, thanks
----
- ldap/servers/slapd/csngen.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/csngen.c b/ldap/servers/slapd/csngen.c
-index 4ac45acf0..3afc9176b 100644
---- a/ldap/servers/slapd/csngen.c
-+++ b/ldap/servers/slapd/csngen.c
-@@ -338,7 +338,11 @@ csngen_adjust_time(CSNGen *gen, const CSN *csn)
- we have increased the time, we can decrease the seqnum
- and still guarantee that any new CSNs generated will be
- > any current CSNs we have generated */
-- gen->state.seq_num = remote_seqnum + 1;
-+ if (remote_seqnum < gen->state.seq_num) {
-+ gen->state.seq_num ++;
-+ } else {
-+ gen->state.seq_num = remote_seqnum + 1;
-+ }
- }
- if (slapi_is_loglevel_set(SLAPI_LOG_REPL)) {
- slapi_log_err(SLAPI_LOG_REPL, "csngen_adjust_time",
---
-2.13.6
-
diff --git a/SOURCES/0077-CVE-2018-1089-Crash-from-long-search-filter.patch b/SOURCES/0077-CVE-2018-1089-Crash-from-long-search-filter.patch
deleted file mode 100644
index 007cb29..0000000
--- a/SOURCES/0077-CVE-2018-1089-Crash-from-long-search-filter.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 71b87e678bcc03bb9a0802f7dffc97cf354ee69a Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 5 Apr 2018 14:52:34 -0400
-Subject: [PATCH] CVE-2018-1089 - Crash from long search filter
-
----
- ldap/servers/slapd/filter.c | 8 ++++----
- ldap/servers/slapd/util.c | 10 +++++-----
- 2 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
-index 2ac3d2cd8..393a4dcee 100644
---- a/ldap/servers/slapd/filter.c
-+++ b/ldap/servers/slapd/filter.c
-@@ -472,7 +472,7 @@ get_substring_filter(
- f->f_sub_initial = val;
- eval = (char *)slapi_escape_filter_value(val, -1);
- if (eval) {
-- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
-+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
- fstr_len += (strlen(eval) + 1) * 2;
- *fstr = slapi_ch_realloc(*fstr, fstr_len);
- }
-@@ -486,7 +486,7 @@ get_substring_filter(
- charray_add(&f->f_sub_any, val);
- eval = (char *)slapi_escape_filter_value(val, -1);
- if (eval) {
-- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
-+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
- fstr_len += (strlen(eval) + 1) * 2;
- *fstr = slapi_ch_realloc(*fstr, fstr_len);
- }
-@@ -504,7 +504,7 @@ get_substring_filter(
- f->f_sub_final = val;
- eval = (char *)slapi_escape_filter_value(val, -1);
- if (eval) {
-- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) {
-+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) {
- fstr_len += (strlen(eval) + 1) * 2;
- *fstr = slapi_ch_realloc(*fstr, fstr_len);
- }
-@@ -530,7 +530,7 @@ get_substring_filter(
- }
-
- filter_compute_hash(f);
-- if (fstr_len < strlen(*fstr) + 3) {
-+ if (fstr_len <= strlen(*fstr) + 3) {
- fstr_len += 3;
- *fstr = slapi_ch_realloc(*fstr, fstr_len);
- }
-diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
-index ddb2cc899..cb46efb3d 100644
---- a/ldap/servers/slapd/util.c
-+++ b/ldap/servers/slapd/util.c
-@@ -161,6 +161,11 @@ do_escape_string(
- break;
- }
- do {
-+ if (bufSpace < 4) {
-+ memcpy(bufNext, "..", 2);
-+ bufNext += 2;
-+ goto bail;
-+ }
- if (esc == UTIL_ESCAPE_BACKSLASH) {
- /* *s is '\\' */
- /* If *(s+1) and *(s+2) are both hex digits,
-@@ -179,11 +184,6 @@ do_escape_string(
- *bufNext++ = '\\';
- --bufSpace;
- }
-- if (bufSpace < 3) {
-- memcpy(bufNext, "..", 2);
-- bufNext += 2;
-- goto bail;
-- }
- PR_snprintf(bufNext, 3, "%02x", *(unsigned char *)s);
- bufNext += 2;
- bufSpace -= 2;
---
-2.13.6
-
diff --git a/SOURCES/0078-Ticket-49649.patch b/SOURCES/0078-Ticket-49649.patch
deleted file mode 100644
index 887eefd..0000000
--- a/SOURCES/0078-Ticket-49649.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From e4d51884e3ca36b8256c33936dc31e77e0ad4736 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Tue, 8 May 2018 12:35:43 -0400
-Subject: [PATCH] Ticket 49649
-
-Description: Fix crpyt.h include
-
-https://pagure.io/389-ds-base/issue/49649
-
-Reviewed by: mreynolds(one line commit rule)
-
-(cherry picked from commit 2817f0c49401056835a79aafd8f8d4edc9113d1d)
----
- ldap/servers/plugins/pwdstorage/crypt_pwd.c | 10 +---------
- 1 file changed, 1 insertion(+), 9 deletions(-)
-
-diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-index 0dccd1b51..19894bd80 100644
---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
-@@ -20,15 +20,7 @@
- #include <string.h>
- #include <sys/types.h>
- #include <sys/socket.h>
--#if defined(hpux) || defined(LINUX) || defined(__FreeBSD__)
--#ifndef __USE_XOPEN
--#define __USE_XOPEN /* linux */
--#endif /* __USE_XOPEN */
--#include <unistd.h>
--#else /* hpux */
--#include <crypt.h>
--#endif /* hpux */
--
-+#include <crypt.h> /* for crypt_r */
- #include "pwdstorage.h"
-
- static PRLock *cryptlock = NULL; /* Some implementations of crypt are not thread safe. ie. ours & Irix */
---
-2.13.6
-
diff --git a/SOURCES/0079-Ticket-49665-Upgrade-script-doesn-t-enable-PBKDF2-pa.patch b/SOURCES/0079-Ticket-49665-Upgrade-script-doesn-t-enable-PBKDF2-pa.patch
deleted file mode 100644
index a34d3b1..0000000
--- a/SOURCES/0079-Ticket-49665-Upgrade-script-doesn-t-enable-PBKDF2-pa.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From a13a83465c685d6ec8d47b6f10646986ded16a68 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Wed, 9 May 2018 16:36:48 -0400
-Subject: [PATCH] Ticket 49665 - Upgrade script doesn't enable PBKDF2 password
- storage plug-in
-
-Description: There is no upgrade script to add the PBKDF2 plugin, this
- fix adds the script.
-
-https://pagure.io/389-ds-base/issue/49665
-
-Reviewed by: ?
-
-(cherry picked from commit dc690dd231a626b3b6a2019fee51e3cb15db7962)
----
- Makefile.am | 1 +
- ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif | 12 ++++++++++++
- 2 files changed, 13 insertions(+)
- create mode 100644 ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif
-
-diff --git a/Makefile.am b/Makefile.am
-index 8834a7819..055d480aa 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -949,6 +949,7 @@ update_DATA = ldap/admin/src/scripts/exampleupdate.pl \
- ldap/admin/src/scripts/50refintprecedence.ldif \
- ldap/admin/src/scripts/50retroclprecedence.ldif \
- ldap/admin/src/scripts/50rootdnaccesscontrolplugin.ldif \
-+ ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif \
- ldap/admin/src/scripts/50contentsync.ldif \
- ldap/admin/src/scripts/60upgradeschemafiles.pl \
- ldap/admin/src/scripts/60upgradeconfigfiles.pl \
-diff --git a/ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif b/ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif
-new file mode 100644
-index 000000000..462d5534a
---- /dev/null
-+++ b/ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif
-@@ -0,0 +1,12 @@
-+dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
-+objectclass: top
-+objectclass: nsSlapdPlugin
-+cn: PBKDF2_SHA256
-+nsslapd-pluginpath: libpwdstorage-plugin
-+nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init
-+nsslapd-plugintype: pwdstoragescheme
-+nsslapd-pluginenabled: on
-+nsslapd-pluginDescription: DESC
-+nsslapd-pluginVersion: PACKAGE_VERSION
-+nsslapd-pluginVendor: VENDOR
-+nsslapd-pluginid: ID
---
-2.13.6
-
diff --git a/SOURCES/0080-Ticket-49665-Upgrade-script-doesn-t-enable-CRYPT-pas.patch b/SOURCES/0080-Ticket-49665-Upgrade-script-doesn-t-enable-CRYPT-pas.patch
deleted file mode 100644
index 0bf3735..0000000
--- a/SOURCES/0080-Ticket-49665-Upgrade-script-doesn-t-enable-CRYPT-pas.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 1c077cff1ce49f5380192325a6947c623019c365 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Wed, 9 May 2018 16:39:23 -0400
-Subject: [PATCH] Ticket 49665 - Upgrade script doesn't enable CRYPT password
- storage plug-in
-
-Description: There is no upgrade script to add the new CRYPT plugins, this
- fix adds the script.
-
-https://pagure.io/389-ds-base/issue/49665
-
-Reviewed by: vashirov(Thanks!)
-
-(cherry picked from commit 91dc832411a1bb6e8bf62bb72c36777ddc63770f)
----
- Makefile.am | 1 +
- .../admin/src/scripts/50cryptpwdstorageplugin.ldif | 38 ++++++++++++++++++++++
- 2 files changed, 39 insertions(+)
- create mode 100644 ldap/admin/src/scripts/50cryptpwdstorageplugin.ldif
-
-diff --git a/Makefile.am b/Makefile.am
-index 055d480aa..4f62a899b 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -950,6 +950,7 @@ update_DATA = ldap/admin/src/scripts/exampleupdate.pl \
- ldap/admin/src/scripts/50retroclprecedence.ldif \
- ldap/admin/src/scripts/50rootdnaccesscontrolplugin.ldif \
- ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif \
-+ ldap/admin/src/scripts/50cryptpwdstorageplugin.ldif \
- ldap/admin/src/scripts/50contentsync.ldif \
- ldap/admin/src/scripts/60upgradeschemafiles.pl \
- ldap/admin/src/scripts/60upgradeconfigfiles.pl \
-diff --git a/ldap/admin/src/scripts/50cryptpwdstorageplugin.ldif b/ldap/admin/src/scripts/50cryptpwdstorageplugin.ldif
-new file mode 100644
-index 000000000..0a4a50776
---- /dev/null
-+++ b/ldap/admin/src/scripts/50cryptpwdstorageplugin.ldif
-@@ -0,0 +1,38 @@
-+dn: cn=CRYPT-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
-+objectClass: top
-+objectClass: nsSlapdPlugin
-+cn: CRYPT-MD5
-+nsslapd-pluginPath: libpwdstorage-plugin
-+nsslapd-pluginInitfunc: crypt_md5_pwd_storage_scheme_init
-+nsslapd-pluginType: pwdstoragescheme
-+nsslapd-pluginEnabled: on
-+nsslapd-pluginId: ID
-+nsslapd-pluginVersion: PACKAGE_VERSION
-+nsslapd-pluginVendor: VENDOR
-+nsslapd-pluginDescription: DESC
-+
-+dn: cn=CRYPT-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config
-+objectClass: top
-+objectClass: nsSlapdPlugin
-+cn: CRYPT-SHA256
-+nsslapd-pluginPath: libpwdstorage-plugin
-+nsslapd-pluginInitfunc: crypt_sha256_pwd_storage_scheme_init
-+nsslapd-pluginType: pwdstoragescheme
-+nsslapd-pluginEnabled: on
-+nsslapd-pluginId: ID
-+nsslapd-pluginVersion: PACKAGE_VERSION
-+nsslapd-pluginVendor: VENDOR
-+nsslapd-pluginDescription: DESC
-+
-+dn: cn=CRYPT-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config
-+objectClass: top
-+objectClass: nsSlapdPlugin
-+cn: CRYPT-SHA512
-+nsslapd-pluginPath: libpwdstorage-plugin
-+nsslapd-pluginInitfunc: crypt_sha512_pwd_storage_scheme_init
-+nsslapd-pluginType: pwdstoragescheme
-+nsslapd-pluginEnabled: on
-+nsslapd-pluginId: ID
-+nsslapd-pluginVersion: PACKAGE_VERSION
-+nsslapd-pluginVendor: VENDOR
-+nsslapd-pluginDescription: DESC
---
-2.13.6
-
diff --git a/SOURCES/0081-Ticket-49671-Readonly-replicas-should-not-write-inte.patch b/SOURCES/0081-Ticket-49671-Readonly-replicas-should-not-write-inte.patch
deleted file mode 100644
index 534b4c5..0000000
--- a/SOURCES/0081-Ticket-49671-Readonly-replicas-should-not-write-inte.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-From 279489884f56cfc97d1ad9afdf92da3ad3b05b70 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 11 May 2018 10:53:06 -0400
-Subject: [PATCH] Ticket 49671 - Readonly replicas should not write internal
- ops to changelog
-
-Bug Description: When a hub receives an update that triggers the memberOf
- plugin, but that interal operation has no csn and that
- causes the update to the changelog to fail and break
- replication.
-
-Fix Description: Do not write internal updates with no csns to the changelog
- on read-only replicas.
-
-https://pagure.io/389-ds-base/issue/49671
-
-Reviewed by: simon, tbordaz, and lkrispen (Thanks!!!)
-
-(cherry picked from commit afb755bd95f1643665ea34c5a5fa2bb26bfa21b9)
----
- .../tests/suites/replication/cascading_test.py | 150 +++++++++++++++++++++
- ldap/servers/plugins/replication/repl5_plugins.c | 10 ++
- 2 files changed, 160 insertions(+)
- create mode 100644 dirsrvtests/tests/suites/replication/cascading_test.py
-
-diff --git a/dirsrvtests/tests/suites/replication/cascading_test.py b/dirsrvtests/tests/suites/replication/cascading_test.py
-new file mode 100644
-index 000000000..7331f20e9
---- /dev/null
-+++ b/dirsrvtests/tests/suites/replication/cascading_test.py
-@@ -0,0 +1,150 @@
-+# --- BEGIN COPYRIGHT BLOCK ---
-+# Copyright (C) 2018 Red Hat, Inc.
-+# All rights reserved.
-+#
-+# License: GPL (version 3 or any later version).
-+# See LICENSE for details.
-+# --- END COPYRIGHT BLOCK ---
-+#
-+import logging
-+import pytest
-+import os
-+import ldap
-+from lib389._constants import *
-+from lib389.replica import ReplicationManager
-+from lib389.plugins import MemberOfPlugin
-+from lib389.agreement import Agreements
-+from lib389.idm.user import UserAccount, TEST_USER_PROPERTIES
-+from lib389.idm.group import Groups
-+from lib389.topologies import topology_m1h1c1 as topo
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+BIND_DN = 'uid=tuser1,ou=People,dc=example,dc=com'
-+BIND_RDN = 'tuser1'
-+
-+
-+def config_memberof(server):
-+ """Configure memberOf plugin and configure fractional
-+ to prevent total init to send memberof
-+ """
-+
-+ memberof = MemberOfPlugin(server)
-+ memberof.enable()
-+ memberof.set_autoaddoc('nsMemberOf')
-+ server.restart()
-+ agmts = Agreements(server)
-+ for agmt in agmts.list():
-+ log.info('update %s to add nsDS5ReplicatedAttributeListTotal' % agmt.dn)
-+ agmt.replace_many(('nsDS5ReplicatedAttributeListTotal', '(objectclass=*) $ EXCLUDE '),
-+ ('nsDS5ReplicatedAttributeList', '(objectclass=*) $ EXCLUDE memberOf'))
-+
-+
-+def test_basic_with_hub(topo):
-+ """Check that basic operations work in cascading replication, this includes
-+ testing plugins that perform internal operatons, and replicated password
-+ policy state attributes.
-+
-+ :id: 4ac85552-45bc-477b-89a4-226dfff8c6cc
-+ :setup: 1 master, 1 hub, 1 consumer
-+ :steps:
-+ 1. Enable memberOf plugin and set password account lockout settings
-+ 2. Restart the instance
-+ 3. Add a user
-+ 4. Add a group
-+ 5. Test that the replication works
-+ 6. Add the user as a member to the group
-+ 7. Test that the replication works
-+ 8. Issue bad binds to update passwordRetryCount
-+ 9. Test that replicaton works
-+ 10. Check that passwordRetyCount was replicated
-+ :expectedresults:
-+ 1. Should be a success
-+ 2. Should be a success
-+ 3. Should be a success
-+ 4. Should be a success
-+ 5. Should be a success
-+ 6. Should be a success
-+ 7. Should be a success
-+ 8. Should be a success
-+ 9. Should be a success
-+ 10. Should be a success
-+ """
-+
-+ repl_manager = ReplicationManager(DEFAULT_SUFFIX)
-+ master = topo.ms["master1"]
-+ consumer = topo.cs["consumer1"]
-+ hub = topo.hs["hub1"]
-+
-+ for inst in topo:
-+ config_memberof(inst)
-+ inst.config.set('passwordlockout', 'on')
-+ inst.config.set('passwordlockoutduration', '60')
-+ inst.config.set('passwordmaxfailure', '3')
-+ inst.config.set('passwordIsGlobalPolicy', 'on')
-+
-+ # Create user
-+ user1 = UserAccount(master, BIND_DN)
-+ user_props = TEST_USER_PROPERTIES.copy()
-+ user_props.update({'sn': BIND_RDN,
-+ 'cn': BIND_RDN,
-+ 'uid': BIND_RDN,
-+ 'inetUserStatus': '1',
-+ 'objectclass': 'extensibleObject',
-+ 'userpassword': PASSWORD})
-+ user1.create(properties=user_props, basedn=SUFFIX)
-+
-+ # Create group
-+ groups = Groups(master, DEFAULT_SUFFIX)
-+ group = groups.create(properties={'cn': 'group'})
-+
-+ # Test replication
-+ repl_manager.test_replication(master, consumer)
-+
-+ # Trigger memberOf plugin by adding user to group
-+ group.replace('member', user1.dn)
-+
-+ # Test replication once more
-+ repl_manager.test_replication(master, consumer)
-+
-+ # Issue bad password to update passwordRetryCount
-+ try:
-+ master.simple_bind_s(user1.dn, "badpassword")
-+ except:
-+ pass
-+
-+ # Test replication one last time
-+ master.simple_bind_s(DN_DM, PASSWORD)
-+ repl_manager.test_replication(master, consumer)
-+
-+ # Finally check if passwordRetyCount was replicated to the hub and consumer
-+ user1 = UserAccount(hub, BIND_DN)
-+ count = user1.get_attr_val_int('passwordRetryCount')
-+ if count is None:
-+ log.fatal('PasswordRetyCount was not replicated to hub')
-+ assert False
-+ if int(count) != 1:
-+ log.fatal('PasswordRetyCount has unexpected value: {}'.format(count))
-+ assert False
-+
-+ user1 = UserAccount(consumer, BIND_DN)
-+ count = user1.get_attr_val_int('passwordRetryCount')
-+ if count is None:
-+ log.fatal('PasswordRetyCount was not replicated to consumer')
-+ assert False
-+ if int(count) != 1:
-+ log.fatal('PasswordRetyCount has unexpected value: {}'.format(count))
-+ assert False
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main(["-s", CURRENT_FILE])
-+
-diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c
-index 0aee8829a..324e38263 100644
---- a/ldap/servers/plugins/replication/repl5_plugins.c
-+++ b/ldap/servers/plugins/replication/repl5_plugins.c
-@@ -1059,6 +1059,16 @@ write_changelog_and_ruv(Slapi_PBlock *pb)
- goto common_return;
- }
-
-+ /* Skip internal operations with no op csn if this is a read-only replica */
-+ if (op_params->csn == NULL &&
-+ operation_is_flag_set(op, OP_FLAG_INTERNAL) &&
-+ replica_get_type(r) == REPLICA_TYPE_READONLY)
-+ {
-+ slapi_log_err(SLAPI_LOG_REPL, "write_changelog_and_ruv",
-+ "Skipping internal operation on read-only replica\n");
-+ goto common_return;
-+ }
-+
- /* we might have stripped all the mods - in that case we do not
- log the operation */
- if (op_params->operation_type != SLAPI_OPERATION_MODIFY ||
---
-2.13.6
-
diff --git a/SOURCES/0082-Ticket-49696-replicated-operations-should-be-seriali.patch b/SOURCES/0082-Ticket-49696-replicated-operations-should-be-seriali.patch
deleted file mode 100644
index b84eaef..0000000
--- a/SOURCES/0082-Ticket-49696-replicated-operations-should-be-seriali.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From f0b41ec12f957612c69ae5be3bbbb6e2d6db2530 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz <lkrispen@redhat.com>
-Date: Thu, 17 May 2018 10:31:58 +0200
-Subject: [PATCH] Ticket 49696: replicated operations should be serialized
-
- Bug: there was a scenario where two threads could process replication operations in parallel.
- The reason was that for a new repl start request the repl conn flag is not set and the
- connection is made readable.
- When the start repl op is finished, the flagi set, but in a small window the supplier could
- already have sent updates and more_data would trigger this thread also to continue to process
- repl operations.
-
- Fix: In the situation where a thread successfully processed a start repl request and just set the repl_conn
- flag do not use more_data.
-
- Reviewed by: Thierry, thanks
----
- ldap/servers/slapd/connection.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index 5ca32a333..b5030f0cb 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1822,9 +1822,17 @@ connection_threadmain()
-
- /* If we're in turbo mode, we keep our reference to the connection alive */
- /* can't use the more_data var because connection could have changed in another thread */
-- more_data = conn_buffered_data_avail_nolock(conn, &conn_closed) ? 1 : 0;
-- slapi_log_err(SLAPI_LOG_CONNS, "connection_threadmain", "conn %" PRIu64 " check more_data %d thread_turbo_flag %d\n",
-- conn->c_connid, more_data, thread_turbo_flag);
-+ slapi_log_err(SLAPI_LOG_CONNS, "connection_threadmain", "conn %" PRIu64 " check more_data %d thread_turbo_flag %d"
-+ "repl_conn_bef %d, repl_conn_now %d\n",
-+ conn->c_connid, more_data, thread_turbo_flag,
-+ replication_connection, conn->c_isreplication_session);
-+ if (!replication_connection && conn->c_isreplication_session) {
-+ /* it a connection that was just flagged as replication connection */
-+ more_data = 0;
-+ } else {
-+ /* normal connection or already established replication connection */
-+ more_data = conn_buffered_data_avail_nolock(conn, &conn_closed) ? 1 : 0;
-+ }
- if (!more_data) {
- if (!thread_turbo_flag) {
- /*
---
-2.13.6
-
diff --git a/SOURCES/0083-Ticket-48184-clean-up-and-delete-connections-at-shut.patch b/SOURCES/0083-Ticket-48184-clean-up-and-delete-connections-at-shut.patch
deleted file mode 100644
index 29170f4..0000000
--- a/SOURCES/0083-Ticket-48184-clean-up-and-delete-connections-at-shut.patch
+++ /dev/null
@@ -1,335 +0,0 @@
-From 5a5d3dffd0b36edb543fd31fa53d7128dd5161c2 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Fri, 18 May 2018 10:13:46 +0200
-Subject: [PATCH] Ticket 48184 - clean up and delete connections at shutdown
- (2nd try)
-
-Bug description:
- During shutdown we would not close connections.
- In the past this may have just been an annoyance, but now with the way
- nunc-stans works, io events can still trigger on open xeisting connectinos
- during shutdown.
-
- Because of NS dynamic it can happen that several jobs wants to work on the
- same connection. In such case (a job is already set in c_job) we delay the
- new job that will retry.
- In addition:
- - some call needed c_mutex
- - test uninitialized nunc-stans in case of shutdown while startup is not completed
-
-Fix Description: Close connections during shutdown rather than
- leaving them alive.
-
-https://pagure.io/389-ds-base/issue/48184
-
-Reviewed by:
- Original was Ludwig and Viktor
- Second fix reviewed by Mark
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
-
-(cherry picked from commit e562157ca3e97867d902996cc18fb04f90dc10a8)
----
- ldap/servers/slapd/connection.c | 2 +
- ldap/servers/slapd/conntable.c | 13 ++++
- ldap/servers/slapd/daemon.c | 131 ++++++++++++++++++++++++++++------------
- ldap/servers/slapd/fe.h | 1 +
- ldap/servers/slapd/slap.h | 1 +
- 5 files changed, 108 insertions(+), 40 deletions(-)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index b5030f0cb..76e83112b 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1716,7 +1716,9 @@ connection_threadmain()
- if ((tag != LDAP_REQ_UNBIND) && !thread_turbo_flag && !replication_connection) {
- if (!more_data) {
- conn->c_flags &= ~CONN_FLAG_MAX_THREADS;
-+ PR_EnterMonitor(conn->c_mutex);
- connection_make_readable_nolock(conn);
-+ PR_ExitMonitor(conn->c_mutex);
- /* once the connection is readable, another thread may access conn,
- * so need locking from here on */
- signal_listner();
-diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c
-index 7c57b47cd..f2f763dfa 100644
---- a/ldap/servers/slapd/conntable.c
-+++ b/ldap/servers/slapd/conntable.c
-@@ -91,6 +91,19 @@ connection_table_abandon_all_operations(Connection_Table *ct)
- }
- }
-
-+void
-+connection_table_disconnect_all(Connection_Table *ct)
-+{
-+ for (size_t i = 0; i < ct->size; i++) {
-+ if (ct->c[i].c_mutex) {
-+ Connection *c = &(ct->c[i]);
-+ PR_EnterMonitor(c->c_mutex);
-+ disconnect_server_nomutex(c, c->c_connid, -1, SLAPD_DISCONNECT_ABORT, ECANCELED);
-+ PR_ExitMonitor(c->c_mutex);
-+ }
-+ }
-+}
-+
- /* Given a file descriptor for a socket, this function will return
- * a slot in the connection table to use.
- *
-diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
-index fcc461a90..50e67474e 100644
---- a/ldap/servers/slapd/daemon.c
-+++ b/ldap/servers/slapd/daemon.c
-@@ -1087,12 +1087,18 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp)
- /* we have exited from ns_thrpool_wait. This means we are shutting down! */
- /* Please see https://firstyear.fedorapeople.org/nunc-stans/md_docs_job-safety.html */
- /* tldr is shutdown needs to run first to allow job_done on an ARMED job */
-- for (size_t i = 0; i < listeners; i++) {
-- PRStatus shutdown_status = ns_job_done(listener_idxs[i].ns_job);
-- if (shutdown_status != PR_SUCCESS) {
-- slapi_log_err(SLAPI_LOG_CRIT, "ns_set_shutdown", "Failed to shutdown listener idx %" PRIu64 " !\n", i);
-+ for (uint64_t i = 0; i < listeners; i++) {
-+ PRStatus shutdown_status;
-+
-+ if (listener_idxs[i].ns_job) {
-+ shutdown_status = ns_job_done(listener_idxs[i].ns_job);
-+ if (shutdown_status != PR_SUCCESS) {
-+ slapi_log_err(SLAPI_LOG_CRIT, "ns_set_shutdown", "Failed to shutdown listener idx %" PRIu64 " !\n", i);
-+ }
-+ PR_ASSERT(shutdown_status == PR_SUCCESS);
-+ } else {
-+ slapi_log_err(SLAPI_LOG_CRIT, "slapd_daemon", "Listeners uninitialized. Possibly the server was shutdown while starting\n");
- }
-- PR_ASSERT(shutdown_status == PR_SUCCESS);
- listener_idxs[i].ns_job = NULL;
- }
- } else {
-@@ -1176,6 +1182,32 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp)
- housekeeping_stop(); /* Run this after op_thread_cleanup() logged sth */
- disk_monitoring_stop();
-
-+ /*
-+ * Now that they are abandonded, we need to mark them as done.
-+ * In NS while it's safe to allow excess jobs to be cleaned by
-+ * by the walk and ns_job_done of remaining queued events, the
-+ * issue is that if we allow something to live past this point
-+ * the CT is freed from underneath, and bad things happen (tm).
-+ *
-+ * NOTE: We do this after we stop psearch, because there could
-+ * be a race between flagging the psearch done, and users still
-+ * try to send on the connection. Similar with op_threads.
-+ */
-+ connection_table_disconnect_all(the_connection_table);
-+
-+ /*
-+ * WARNING: Normally we should close the tp in main
-+ * but because of issues in the current connection design
-+ * we need to close it here to guarantee events won't fire!
-+ *
-+ * All the connection close jobs "should" complete before
-+ * shutdown at least.
-+ */
-+ if (enable_nunc_stans) {
-+ ns_thrpool_shutdown(tp);
-+ ns_thrpool_wait(tp);
-+ }
-+
- threads = g_get_active_threadcnt();
- if (threads > 0) {
- slapi_log_err(SLAPI_LOG_INFO, "slapd_daemon",
-@@ -1628,25 +1660,18 @@ ns_handle_closure(struct ns_job_t *job)
- Connection *c = (Connection *)ns_job_get_data(job);
- int do_yield = 0;
-
--/* this function must be called from the event loop thread */
--#ifdef DEBUG
-- PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job)));
--#else
-- /* This doesn't actually confirm it's in the event loop thread, but it's a start */
-- if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) {
-- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_closure", "Attempt to close outside of event loop thread %" PRIu64 " for fd=%d\n",
-- c->c_connid, c->c_sd);
-- return;
-- }
--#endif
--
- PR_EnterMonitor(c->c_mutex);
-+ /* Assert we really have the right job state. */
-+ PR_ASSERT(job == c->c_job);
-
- connection_release_nolock_ext(c, 1); /* release ref acquired for event framework */
- PR_ASSERT(c->c_ns_close_jobs == 1); /* should be exactly 1 active close job - this one */
- c->c_ns_close_jobs--; /* this job is processing closure */
-+ /* Because handle closure will add a new job, we need to detach our current one. */
-+ c->c_job = NULL;
- do_yield = ns_handle_closure_nomutex(c);
- PR_ExitMonitor(c->c_mutex);
-+ /* Remove this task now. */
- ns_job_done(job);
- if (do_yield) {
- /* closure not done - another reference still outstanding */
-@@ -1659,14 +1684,25 @@ ns_handle_closure(struct ns_job_t *job)
- /**
- * Schedule more I/O for this connection, or make sure that it
- * is closed in the event loop.
-+ * caller must hold c_mutex
-+ * It returns
-+ * 0 on success
-+ * 1 on need to retry
- */
--void
--ns_connection_post_io_or_closing(Connection *conn)
-+static int
-+ns_connection_post_io_or_closing_try(Connection *conn)
- {
- struct timeval tv;
-
- if (!enable_nunc_stans) {
-- return;
-+ return 0;
-+ }
-+
-+ /*
-+ * Cancel any existing ns jobs we have registered.
-+ */
-+ if (conn->c_job != NULL) {
-+ return 1;
- }
-
- if (CONN_NEEDS_CLOSING(conn)) {
-@@ -1676,15 +1712,12 @@ ns_connection_post_io_or_closing(Connection *conn)
- slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "Already a close "
- "job in progress on conn %" PRIu64 " for fd=%d\n",
- conn->c_connid, conn->c_sd);
-- return;
-+ return 0;
- } else {
-- /* just make sure we schedule the event to be closed in a timely manner */
-- tv.tv_sec = 0;
-- tv.tv_usec = slapd_wakeup_timer * 1000;
- conn->c_ns_close_jobs++; /* now 1 active closure job */
- connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */
-- ns_result_t job_result = ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER,
-- ns_handle_closure, conn, NULL);
-+ /* Close the job asynchronously. Why? */
-+ ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handle_closure, conn, &(conn->c_job));
- if (job_result != NS_SUCCESS) {
- if (job_result == NS_SHUTDOWN) {
- slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post closure job "
-@@ -1723,12 +1756,12 @@ ns_connection_post_io_or_closing(Connection *conn)
- * The error occurs when we get a connection in a closing state.
- * For now we return, but there is probably a better way to handle the error case.
- */
-- return;
-+ return 0;
- }
- #endif
- ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv,
- NS_JOB_READ | NS_JOB_PRESERVE_FD,
-- ns_handle_pr_read_ready, conn, NULL);
-+ ns_handle_pr_read_ready, conn, &(conn->c_job));
- if (job_result != NS_SUCCESS) {
- if (job_result == NS_SHUTDOWN) {
- slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post I/O job for "
-@@ -1745,6 +1778,28 @@ ns_connection_post_io_or_closing(Connection *conn)
- conn->c_connid, conn->c_sd);
- }
- }
-+ return 0;
-+}
-+void
-+ns_connection_post_io_or_closing(Connection *conn)
-+{
-+ while (ns_connection_post_io_or_closing_try(conn)) {
-+ /* we should retry later */
-+
-+ /* We are not suppose to work immediately on the connection that is taken by
-+ * another job
-+ * release the lock and give some time
-+ */
-+
-+ if (CONN_NEEDS_CLOSING(conn) && conn->c_ns_close_jobs) {
-+ return;
-+ } else {
-+ PR_ExitMonitor(conn->c_mutex);
-+ DS_Sleep(PR_MillisecondsToInterval(100));
-+
-+ PR_EnterMonitor(conn->c_mutex);
-+ }
-+ }
- }
-
- /* This function must be called without the thread flag, in the
-@@ -1757,19 +1812,12 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
- int maxthreads = config_get_maxthreadsperconn();
- Connection *c = (Connection *)ns_job_get_data(job);
-
--/* this function must be called from the event loop thread */
--#ifdef DEBUG
-- PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job)));
--#else
-- /* This doesn't actually confirm it's in the event loop thread, but it's a start */
-- if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) {
-- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_pr_read_ready", "Attempt to handle read ready outside of event loop thread %" PRIu64 " for fd=%d\n",
-- c->c_connid, c->c_sd);
-- return;
-- }
--#endif
--
- PR_EnterMonitor(c->c_mutex);
-+ /* Assert we really have the right job state. */
-+ PR_ASSERT(job == c->c_job);
-+
-+ /* On all code paths we remove the job, so set it null now */
-+ c->c_job = NULL;
-
- slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "activity on conn %" PRIu64 " for fd=%d\n",
- c->c_connid, c->c_sd);
-@@ -1829,6 +1877,7 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
- slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "queued conn %" PRIu64 " for fd=%d\n",
- c->c_connid, c->c_sd);
- }
-+ /* Since we call done on the job, we need to remove it here. */
- PR_ExitMonitor(c->c_mutex);
- ns_job_done(job);
- return;
-@@ -2451,7 +2500,9 @@ ns_handle_new_connection(struct ns_job_t *job)
- * that poll() was avoided, even at the expense of putting this new fd back
- * in nunc-stans to poll for read ready.
- */
-+ PR_EnterMonitor(c->c_mutex);
- ns_connection_post_io_or_closing(c);
-+ PR_ExitMonitor(c->c_mutex);
- return;
- }
-
-diff --git a/ldap/servers/slapd/fe.h b/ldap/servers/slapd/fe.h
-index 4d25a9fb8..f47bb6145 100644
---- a/ldap/servers/slapd/fe.h
-+++ b/ldap/servers/slapd/fe.h
-@@ -100,6 +100,7 @@ extern Connection_Table *the_connection_table; /* JCM - Exported from globals.c
- Connection_Table *connection_table_new(int table_size);
- void connection_table_free(Connection_Table *ct);
- void connection_table_abandon_all_operations(Connection_Table *ct);
-+void connection_table_disconnect_all(Connection_Table *ct);
- Connection *connection_table_get_connection(Connection_Table *ct, int sd);
- int connection_table_move_connection_out_of_active_list(Connection_Table *ct, Connection *c);
- void connection_table_move_connection_on_to_active_list(Connection_Table *ct, Connection *c);
-diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
-index 03355f5fe..de4ac35c0 100644
---- a/ldap/servers/slapd/slap.h
-+++ b/ldap/servers/slapd/slap.h
-@@ -1650,6 +1650,7 @@ typedef struct conn
- void *c_io_layer_cb_data; /* callback data */
- struct connection_table *c_ct; /* connection table that this connection belongs to */
- ns_thrpool_t *c_tp; /* thread pool for this connection */
-+ struct ns_job_t *c_job; /* If it exists, the current ns_job_t */
- int c_ns_close_jobs; /* number of current close jobs */
- char *c_ipaddr; /* ip address str - used by monitor */
- } Connection;
---
-2.13.6
-
diff --git a/SOURCES/0084-Ticket-49576-Update-ds-replcheck-for-new-conflict-en.patch b/SOURCES/0084-Ticket-49576-Update-ds-replcheck-for-new-conflict-en.patch
deleted file mode 100644
index 8d21a62..0000000
--- a/SOURCES/0084-Ticket-49576-Update-ds-replcheck-for-new-conflict-en.patch
+++ /dev/null
@@ -1,938 +0,0 @@
-From 19945c4807f6b3269fb65100ddaea5f596f68e72 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 18 May 2018 07:29:11 -0400
-Subject: [PATCH 1/6] Ticket 49576 - Update ds-replcheck for new conflict
- entries
-
-Description: This patch addresses the recvent changes to conflict
- entries and tombstones.
-
-https://pagure.io/389-ds-base/issue/49576
-
-Reviewed by: tbordaz(Thanks!)
-
-(cherry picked from commit 53e58cdbfb2a2672ac21cd9b6d59f8b345478324)
----
- ldap/admin/src/scripts/ds-replcheck | 456 +++++++++++++++++++---------
- 1 file changed, 312 insertions(+), 144 deletions(-)
-
-diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck
-index 45c4670a3..b801ccaa8 100755
---- a/ldap/admin/src/scripts/ds-replcheck
-+++ b/ldap/admin/src/scripts/ds-replcheck
-@@ -1,7 +1,7 @@
- #!/usr/bin/python
-
- # --- BEGIN COPYRIGHT BLOCK ---
--# Copyright (C) 2017 Red Hat, Inc.
-+# Copyright (C) 2018 Red Hat, Inc.
- # All rights reserved.
- #
- # License: GPL (version 3 or any later version).
-@@ -9,6 +9,7 @@
- # --- END COPYRIGHT BLOCK ---
- #
-
-+import os
- import re
- import time
- import ldap
-@@ -20,7 +21,7 @@ from ldap.ldapobject import SimpleLDAPObject
- from ldap.cidict import cidict
- from ldap.controls import SimplePagedResultsControl
-
--VERSION = "1.2"
-+VERSION = "1.3"
- RUV_FILTER = '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))'
- LDAP = 'ldap'
- LDAPS = 'ldaps'
-@@ -36,6 +37,7 @@ class Entry(object):
- ''' This is a stripped down version of Entry from python-lib389.
- Once python-lib389 is released on RHEL this class will go away.
- '''
-+
- def __init__(self, entrydata):
- if entrydata:
- self.dn = entrydata[0]
-@@ -51,7 +53,7 @@ class Entry(object):
-
-
- def get_entry(entries, dn):
-- ''' Loop over enties looking for a matching dn
-+ ''' Loop over a list of enties looking for a matching dn
- '''
- for entry in entries:
- if entry.dn == dn:
-@@ -60,7 +62,7 @@ def get_entry(entries, dn):
-
-
- def remove_entry(rentries, dn):
-- ''' Remove an entry from the array of entries
-+ ''' Remove an entry from the list of entries
- '''
- for entry in rentries:
- if entry.dn == dn:
-@@ -69,7 +71,7 @@ def remove_entry(rentries, dn):
-
-
- def extract_time(stateinfo):
-- ''' Take the nscpEntryWSI attribute and get the most recent timestamp from
-+ ''' Take the nscpEntryWSI(state info) attribute and get the most recent timestamp from
- one of the csns (vucsn, vdcsn, mdcsn, adcsn)
-
- Return the timestamp in decimal
-@@ -87,7 +89,7 @@ def extract_time(stateinfo):
-
-
- def convert_timestamp(timestamp):
-- ''' Convert createtimestamp to ctime: 20170405184656Z -> Wed Apr 5 19:46:56 2017
-+ ''' Convert createtimestamp to ctime: 20170405184656Z ----> Wed Apr 5 19:46:56 2017
- '''
- time_tuple = (int(timestamp[:4]), int(timestamp[4:6]), int(timestamp[6:8]),
- int(timestamp[8:10]), int(timestamp[10:12]), int(timestamp[12:14]),
-@@ -97,27 +99,43 @@ def convert_timestamp(timestamp):
-
-
- def convert_entries(entries):
-- '''Convert and normalize the ldap entries. Take note of conflicts and tombstones
-- '''
-+ '''For online report. Convert and normalize the ldap entries. Take note of
-+ conflicts and tombstones '''
- new_entries = []
- conflict_entries = []
-+ glue_entries = []
- result = {}
- tombstones = 0
-+
- for entry in entries:
- new_entry = Entry(entry)
- new_entry.data = {k.lower(): v for k, v in list(new_entry.data.items())}
-- if 'nsds5replconflict' in new_entry.data:
-+ if new_entry.dn.endswith("cn=mapping tree,cn=config"):
-+ '''Skip replica entry (ldapsearch brings this in because the filter
-+ we use triggers an internal operation to return the config entry - so
-+ it must be skipped
-+ '''
-+ continue
-+ if ('nsds5replconflict' in new_entry.data and 'nsTombstone' not in new_entry.data['objectclass'] and
-+ 'nstombstone' not in new_entry.data['objectclass']):
-+ # This is a conflict entry that is NOT a tombstone entry (should this be reconsidered?)
- conflict_entries.append(new_entry)
-+ if 'glue' in new_entry.data['objectclass']:
-+ # A glue entry here is not necessarily a glue entry there. Keep track of
-+ # them for when we check missing entries
-+ glue_entries.append(new_entry)
- else:
- new_entries.append(new_entry)
-
- if 'nstombstonecsn' in new_entry.data:
-+ # Maintain tombstone count
- tombstones += 1
- del entries
-
- result['entries'] = new_entries
- result['conflicts'] = conflict_entries
- result['tombstones'] = tombstones
-+ result['glue'] = glue_entries
-
- return result
-
-@@ -174,20 +192,60 @@ def get_ruv_report(opts):
- return report
-
-
-+def remove_attr_state_info(attr):
-+ state_attr = None
-+ idx = attr.find(';')
-+ if idx > 0:
-+ state_attr = attr # preserve state info for diff report
-+ if ";deleted" in attr:
-+ # Ignore this attribute it was deleted
-+ return None, state_attr
-+ attr = attr[:idx]
-+
-+ return attr.lower(), state_attr
-+
-+def add_attr_entry(entry, val, attr, state_attr):
-+ ''' Offline mode (ldif comparision) Add the attr to the entry, and if there
-+ is state info add nscpentrywsi attr - we need consistency with online mode
-+ to make code simpler '''
-+ if attr is not None:
-+ if attr in entry:
-+ entry[attr].append(val)
-+ else:
-+ entry[attr] = [val]
-+
-+ # Handle state info for diff report
-+ if state_attr is not None:
-+ state_attr = state_attr + ": " + val
-+ if 'nscpentrywsi' in entry:
-+ entry['nscpentrywsi'].append(state_attr)
-+ else:
-+ entry['nscpentrywsi'] = [state_attr]
-+ val = ""
-+
-+
- #
- # Offline mode helper functions
- #
--def ldif_search(LDIF, dn, conflicts=False):
-- ''' Search ldif by DN
-+def ldif_search(LDIF, dn):
-+ ''' Offline mode - Search ldif for a single DN. We need to factor in that
-+ DN's and attribute values can wrap lines and are identified by a leading
-+ white space. So we can't fully process an attribute until we get to the
-+ next attribute.
- '''
- result = {}
- data = {}
- found_conflict = False
-+ found_subentry = False
- found_part_dn = False
-+ found_part_val = False
-+ found_attr = False
-+ found_tombstone = False
-+ found_glue = False
- found = False
-- reset_line = False
- count = 0
--
-+ ignore_list = ['conflictcsn', 'modifytimestamp', 'modifiersname']
-+ val = ""
- result['entry'] = None
- result['conflict'] = None
- result['tombstone'] = False
-@@ -195,54 +253,132 @@ def ldif_search(LDIF, dn, conflicts=False):
- for line in LDIF:
- count += 1
- line = line.rstrip()
-- if reset_line:
-- reset_line = False
-- line = prev_line
-+
- if found:
-+ # We found our entry, now build up the entry (account from line wrap)
- if line == "":
-- # End of entry
-+ # End of entry - update entry's last attribute value and break out
-+ add_attr_entry(data, val, attr, state_attr)
-+ val = ""
-+ # Done!
- break
-
- if line[0] == ' ':
-- # continuation line
-- prev = data[attr][len(data[attr]) - 1]
-- data[attr][len(data[attr]) - 1] = prev + line.strip()
-+ # continuation line (wrapped value)
-+ val += line[1:]
-+ found_part_val = True
- continue
-+ elif found_part_val:
-+ # We have the complete value now (it was wrapped)
-+ found_part_val = False
-+ found_attr = False
-+ add_attr_entry(data, val, attr, state_attr)
-+
-+ # Now that the value is added to the entry lets process the new attribute...
-+ value_set = line.split(":", 1)
-+ attr, state_attr = remove_attr_state_info(value_set[0])
-+
-+ if attr in ignore_list or (attr is None and state_attr is None):
-+ # Skip it
-+ found_attr = False
-+ attr = None
-+ continue
-
-- value_set = line.split(":", 1)
-- attr = value_set[0].lower()
-- if attr.startswith('nsds5replconflict'):
-- found_conflict = True
-- if attr.startswith('nstombstonecsn'):
-- result['tombstone'] = True
--
-- if attr in data:
-- data[attr].append(value_set[1].strip())
-+ val = value_set[1].strip()
-+ found_attr = True
-+
-+ if attr is not None:
-+ # Set the entry type flags
-+ if attr.startswith('nsds5replconflict'):
-+ found_conflict = True
-+ if attr.startswith("objectclass") and val == "ldapsubentry":
-+ found_subentry = True
-+ if attr.startswith('nstombstonecsn'):
-+ result['tombstone'] = True
-+ found_tombstone = True
-+ continue
- else:
-- data[attr] = [value_set[1].strip()]
-+ # New attribute...
-+ if found_attr:
-+ # But first we have to add the previous complete attr value to the entry data
-+ add_attr_entry(data, val, attr, state_attr)
-+
-+ # Process new attribute
-+ value_set = line.split(":", 1)
-+ attr, state_attr = remove_attr_state_info(value_set[0])
-+ if attr is None or attr in ignore_list:
-+ # Skip it (its deleted)
-+ found_attr = False
-+ attr = None
-+ continue
-+
-+ val = value_set[1].strip()
-+ found_attr = True
-+
-+ # Set the entry type flags
-+ if attr.startswith('nsds5replconflict'):
-+ found_conflict = True
-+ if attr.startswith("objectclass") and (val == "ldapsubentry" or val == "glue"):
-+ if val == "glue":
-+ found_glue = True
-+ found_subentry = True
-+ if attr.startswith('nstombstonecsn'):
-+ result['tombstone'] = True
-+ found_tombstone = True
-+ continue
-+
- elif found_part_dn:
- if line[0] == ' ':
-+ # DN is still wrapping, keep building up the dn value
- part_dn += line[1:].lower()
- else:
-- # We have the full dn
-+ # We now have the full dn
- found_part_dn = False
-- reset_line = True
-- prev_line = line
- if part_dn == dn:
-+ # We found our entry
- found = True
-+
-+ # But now we have a new attribute to process
-+ value_set = line.split(":", 1)
-+ attr, state_attr = remove_attr_state_info(value_set[0])
-+ if attr is None or attr in ignore_list:
-+ # Skip it (its deleted)
-+ found_attr = False
-+ attr = None
-+ continue
-+
-+ val = value_set[1].strip()
-+ found_attr = True
-+
-+ if attr.startswith('nsds5replconflict'):
-+ found_conflict = True
-+ if attr.startswith("objectclass") and val == "ldapsubentry":
-+ found_subentry = True
-+
-+ if attr.startswith('nstombstonecsn'):
-+ result['tombstone'] = True
-+ found_tombstone = True
- continue
-+
- if line.startswith('dn: '):
- if line[4:].lower() == dn:
-+ # We got our full DN, now process the entry
- found = True
- continue
- else:
-+ # DN wraps the line, keep looping until we get the whole value
- part_dn = line[4:].lower()
- found_part_dn = True
-
-+ # Keep track of entry index - we use this later when searching the LDIF again
- result['idx'] = count
-- if found_conflict:
-+
-+ result['glue'] = None
-+ if found_conflict and found_subentry and found_tombstone is False:
- result['entry'] = None
- result['conflict'] = Entry([dn, data])
-+ if found_glue:
-+ result['glue'] = result['conflict']
- elif found:
- result['conflict'] = None
- result['entry'] = Entry([dn, data])
-@@ -251,7 +387,7 @@ def ldif_search(LDIF, dn, conflicts=False):
-
-
- def get_dns(LDIF, opts):
-- ''' Get all the DN's
-+ ''' Get all the DN's from an LDIF file
- '''
- dns = []
- found = False
-@@ -275,7 +411,7 @@ def get_dns(LDIF, opts):
-
-
- def get_ldif_ruv(LDIF, opts):
-- ''' Search the ldif and get the ruv entry
-+ ''' Search the LDIF and get the ruv entry
- '''
- LDIF.seek(0)
- result = ldif_search(LDIF, opts['ruv_dn'])
-@@ -283,7 +419,7 @@ def get_ldif_ruv(LDIF, opts):
-
-
- def cmp_entry(mentry, rentry, opts):
-- ''' Compare the two entries, and return a diff map
-+ ''' Compare the two entries, and return a "diff map"
- '''
- diff = {}
- diff['dn'] = mentry['dn']
-@@ -307,6 +443,7 @@ def cmp_entry(mentry, rentry, opts):
- diff['missing'].append(" - Replica missing attribute: \"%s\"" % (mattr))
- diff_count += 1
- if 'nscpentrywsi' in mentry.data:
-+ # Great we have state info so we can provide details about the missing attribute
- found = False
- for val in mentry.data['nscpentrywsi']:
- if val.lower().startswith(mattr + ';'):
-@@ -316,6 +453,7 @@ def cmp_entry(mentry, rentry, opts):
- diff['missing'].append(" - Master's State Info: %s" % (val))
- diff['missing'].append(" - Date: %s\n" % (time.ctime(extract_time(val))))
- else:
-+ # No state info, just move on
- diff['missing'].append("")
-
- elif mentry.data[mattr] != rentry.data[mattr]:
-@@ -335,6 +473,9 @@ def cmp_entry(mentry, rentry, opts):
- if not found:
- diff['diff'].append(" Master: ")
- for val in mentry.data[mattr]:
-+ # This is an "origin" value which means it's never been
-+ # updated since replication was set up. So its the
-+ # original value
- diff['diff'].append(" - Origin value: %s" % (val))
- diff['diff'].append("")
-
-@@ -350,10 +491,13 @@ def cmp_entry(mentry, rentry, opts):
- if not found:
- diff['diff'].append(" Replica: ")
- for val in rentry.data[mattr]:
-+ # This is an "origin" value which means it's never been
-+ # updated since replication was set up. So its the
-+ # original value
- diff['diff'].append(" - Origin value: %s" % (val))
- diff['diff'].append("")
- else:
-- # no state info
-+ # no state info, report what we got
- diff['diff'].append(" Master: ")
- for val in mentry.data[mattr]:
- diff['diff'].append(" - %s: %s" % (mattr, val))
-@@ -436,40 +580,62 @@ def do_offline_report(opts, output_file=None):
- MLDIF.seek(idx)
- RLDIF.seek(idx)
-
-- # Compare the master entries with the replica's
-+ """ Compare the master entries with the replica's. Take our list of dn's from
-+ the master ldif and get that entry( dn) from the master and replica ldif. In
-+ this phase we keep keep track of conflict/tombstone counts, and we check for
-+ missing entries and entry differences. We only need to do the entry diff
-+ checking in this phase - we do not need to do it when process the replica dn's
-+ because if the entry exists in both LDIF's then we already checked or diffs
-+ while processing the master dn's.
-+ """
- print ("Comparing Master to Replica...")
- missing = False
- for dn in master_dns:
-- mresult = ldif_search(MLDIF, dn, True)
-- rresult = ldif_search(RLDIF, dn, True)
-+ mresult = ldif_search(MLDIF, dn)
-+ rresult = ldif_search(RLDIF, dn)
-+
-+ if dn in replica_dns:
-+ if (rresult['entry'] is not None or rresult['glue'] is not None or
-+ rresult['conflict'] is not None or rresult['tombstone']):
-+ """ We can safely remove this DN from the replica dn list as it
-+ does not need to be checked again. This also speeds things up
-+ when doing the replica vs master phase.
-+ """
-+ replica_dns.remove(dn)
-
- if mresult['tombstone']:
- mtombstones += 1
-+ # continue
-+ if rresult['tombstone']:
-+ rtombstones += 1
-
- if mresult['conflict'] is not None or rresult['conflict'] is not None:
-+ # If either entry is a conflict we still process it here
- if mresult['conflict'] is not None:
- mconflicts.append(mresult['conflict'])
-+ if rresult['conflict'] is not None:
-+ rconflicts.append(rresult['conflict'])
- elif rresult['entry'] is None:
-- # missing entry - restart the search from beginning
-+ # missing entry - restart the search from beginning in case it got skipped
- RLDIF.seek(0)
- rresult = ldif_search(RLDIF, dn)
-- if rresult['entry'] is None:
-- # missing entry in rentries
-- RLDIF.seek(mresult['idx']) # Set the cursor to the last good line
-+ if rresult['entry'] is None and rresult['glue'] is None:
-+ # missing entry in Replica(rentries)
-+ RLDIF.seek(mresult['idx']) # Set the LDIF cursor/index to the last good line
- if not missing:
-- missing_report += ('Replica is missing entries:\n')
-+ missing_report += (' Entries missing on Replica:\n')
- missing = True
- if mresult['entry'] and 'createtimestamp' in mresult['entry'].data:
-- missing_report += (' - %s (Master\'s creation date: %s)\n' %
-+ missing_report += (' - %s (Created on Master at: %s)\n' %
- (dn, convert_timestamp(mresult['entry'].data['createtimestamp'][0])))
- else:
- missing_report += (' - %s\n' % dn)
-- else:
-+ elif mresult['tombstone'] is False:
- # Compare the entries
- diff = cmp_entry(mresult['entry'], rresult['entry'], opts)
- if diff:
- diff_report.append(format_diff(diff))
-- else:
-+ elif mresult['tombstone'] is False:
- # Compare the entries
- diff = cmp_entry(mresult['entry'], rresult['entry'], opts)
- if diff:
-@@ -478,7 +644,10 @@ def do_offline_report(opts, output_file=None):
- if missing:
- missing_report += ('\n')
-
-- # Search Replica, and look for missing entries only. Count entries as well
-+ """ Search Replica, and look for missing entries only. We already did the
-+ diff checking, so its only missing entries we are worried about. Count the
-+ remaining conflict & tombstone entries as well.
-+ """
- print ("Comparing Replica to Master...")
- MLDIF.seek(0)
- RLDIF.seek(0)
-@@ -486,26 +655,26 @@ def do_offline_report(opts, output_file=None):
- for dn in replica_dns:
- rresult = ldif_search(RLDIF, dn)
- mresult = ldif_search(MLDIF, dn)
--
- if rresult['tombstone']:
- rtombstones += 1
-- if mresult['entry'] is not None or rresult['conflict'] is not None:
-- if rresult['conflict'] is not None:
-- rconflicts.append(rresult['conflict'])
-+ # continue
-+
-+ if rresult['conflict'] is not None:
-+ rconflicts.append(rresult['conflict'])
- elif mresult['entry'] is None:
- # missing entry
- MLDIF.seek(0)
- mresult = ldif_search(MLDIF, dn)
-- if mresult['entry'] is None and mresult['conflict'] is not None:
-- MLDIF.seek(rresult['idx']) # Set the cursor to the last good line
-+ if mresult['entry'] is None and mresult['glue'] is None:
-+ MLDIF.seek(rresult['idx']) # Set the LDIF cursor/index to the last good line
- if not missing:
-- missing_report += ('Master is missing entries:\n')
-+ missing_report += (' Entries missing on Master:\n')
- missing = True
-- if 'createtimestamp' in rresult['entry'].data:
-- missing_report += (' - %s (Replica\'s creation date: %s)\n' %
-+ if rresult['entry'] and 'createtimestamp' in rresult['entry'].data:
-+ missing_report += (' - %s (Created on Replica at: %s)\n' %
- (dn, convert_timestamp(rresult['entry'].data['createtimestamp'][0])))
- else:
-- missing_report += (' - %s\n')
-+ missing_report += (' - %s\n' % dn)
- if missing:
- missing_report += ('\n')
-
-@@ -553,8 +722,8 @@ def do_offline_report(opts, output_file=None):
- print(final_report)
-
-
--def check_for_diffs(mentries, rentries, report, opts):
-- ''' Check for diffs, return the updated report
-+def check_for_diffs(mentries, mglue, rentries, rglue, report, opts):
-+ ''' Online mode only - Check for diffs, return the updated report
- '''
- diff_report = []
- m_missing = []
-@@ -569,18 +738,26 @@ def check_for_diffs(mentries, rentries, report, opts):
- for mentry in mentries:
- rentry = get_entry(rentries, mentry.dn)
- if rentry:
-- diff = cmp_entry(mentry, rentry, opts)
-- if diff:
-- diff_report.append(format_diff(diff))
-+ if 'nsTombstone' not in rentry.data['objectclass'] and 'nstombstone' not in rentry.data['objectclass']:
-+ diff = cmp_entry(mentry, rentry, opts)
-+ if diff:
-+ diff_report.append(format_diff(diff))
- # Now remove the rentry from the rentries so we can find stragglers
- remove_entry(rentries, rentry.dn)
- else:
-- # Add missing entry in Replica
-- r_missing.append(mentry)
-+ rentry = get_entry(rglue, mentry.dn)
-+ if rentry:
-+ # Glue entry nothing to compare
-+ remove_entry(rentries, rentry.dn)
-+ else:
-+ # Add missing entry in Replica
-+ r_missing.append(mentry)
-
- for rentry in rentries:
- # We should not have any entries if we are sync
-- m_missing.append(rentry)
-+ mentry = get_entry(mglue, rentry.dn)
-+ if mentry is None:
-+ m_missing.append(rentry)
-
- if len(diff_report) > 0:
- report['diff'] += diff_report
-@@ -609,6 +786,12 @@ def connect_to_replicas(opts):
- ruri = "%s://%s:%s/" % (opts['rprotocol'], opts['rhost'], opts['rport'])
- replica = SimpleLDAPObject(ruri)
-
-+ # Set timeouts
-+ master.set_option(ldap.OPT_NETWORK_TIMEOUT,5.0)
-+ master.set_option(ldap.OPT_TIMEOUT,5.0)
-+ replica.set_option(ldap.OPT_NETWORK_TIMEOUT,5.0)
-+ replica.set_option(ldap.OPT_TIMEOUT,5.0)
-+
- # Setup Secure Conenction
- if opts['certdir'] is not None:
- # Setup Master
-@@ -620,7 +803,7 @@ def connect_to_replicas(opts):
- try:
- master.start_tls_s()
- except ldap.LDAPError as e:
-- print('TLS negotiation failed on Master: %s' % str(e))
-+ print('TLS negotiation failed on Master: {}'.format(str(e)))
- exit(1)
-
- # Setup Replica
-@@ -632,7 +815,7 @@ def connect_to_replicas(opts):
- try:
- replica.start_tls_s()
- except ldap.LDAPError as e:
-- print('TLS negotiation failed on Master: %s' % str(e))
-+ print('TLS negotiation failed on Master: {}'.format(str(e)))
- exit(1)
-
- # Open connection to master
-@@ -642,7 +825,8 @@ def connect_to_replicas(opts):
- print("Cannot connect to %r" % muri)
- exit(1)
- except ldap.LDAPError as e:
-- print("Error: Failed to authenticate to Master: %s", str(e))
-+ print("Error: Failed to authenticate to Master: ({}). "
-+ "Please check your credentials and LDAP urls are correct.".format(str(e)))
- exit(1)
-
- # Open connection to replica
-@@ -652,7 +836,8 @@ def connect_to_replicas(opts):
- print("Cannot connect to %r" % ruri)
- exit(1)
- except ldap.LDAPError as e:
-- print("Error: Failed to authenticate to Replica: %s", str(e))
-+ print("Error: Failed to authenticate to Replica: ({}). "
-+ "Please check your credentials and LDAP urls are correct.".format(str(e)))
- exit(1)
-
- # Get the RUVs
-@@ -665,7 +850,7 @@ def connect_to_replicas(opts):
- print("Error: Master does not have an RUV entry")
- exit(1)
- except ldap.LDAPError as e:
-- print("Error: Failed to get Master RUV entry: %s", str(e))
-+ print("Error: Failed to get Master RUV entry: {}".format(str(e)))
- exit(1)
-
- print ("Gathering Replica's RUV...")
-@@ -678,7 +863,7 @@ def connect_to_replicas(opts):
- exit(1)
-
- except ldap.LDAPError as e:
-- print("Error: Failed to get Replica RUV entry: %s", str(e))
-+ print("Error: Failed to get Replica RUV entry: {}".format(str(e)))
- exit(1)
-
- return (master, replica, opts)
-@@ -687,6 +872,7 @@ def connect_to_replicas(opts):
- def print_online_report(report, opts, output_file):
- ''' Print the online report
- '''
-+
- print ('Preparing final report...')
- m_missing = len(report['m_missing'])
- r_missing = len(report['r_missing'])
-@@ -711,22 +897,23 @@ def print_online_report(report, opts, output_file):
- missing = True
- final_report += ('\nMissing Entries\n')
- final_report += ('=====================================================\n\n')
-- if m_missing > 0:
-- final_report += (' Entries missing on Master:\n')
-- for entry in report['m_missing']:
-+
-+ if r_missing > 0:
-+ final_report += (' Entries missing on Replica:\n')
-+ for entry in report['r_missing']:
- if 'createtimestamp' in entry.data:
-- final_report += (' - %s (Created on Replica at: %s)\n' %
-+ final_report += (' - %s (Created on Master at: %s)\n' %
- (entry.dn, convert_timestamp(entry.data['createtimestamp'][0])))
- else:
- final_report += (' - %s\n' % (entry.dn))
-
-- if r_missing > 0:
-- if m_missing > 0:
-+ if m_missing > 0:
-+ if r_missing > 0:
- final_report += ('\n')
-- final_report += (' Entries missing on Replica:\n')
-- for entry in report['r_missing']:
-+ final_report += (' Entries missing on Master:\n')
-+ for entry in report['m_missing']:
- if 'createtimestamp' in entry.data:
-- final_report += (' - %s (Created on Master at: %s)\n' %
-+ final_report += (' - %s (Created on Replica at: %s)\n' %
- (entry.dn, convert_timestamp(entry.data['createtimestamp'][0])))
- else:
- final_report += (' - %s\n' % (entry.dn))
-@@ -751,7 +938,8 @@ def print_online_report(report, opts, output_file):
- def remove_state_info(entry):
- ''' Remove the state info for the attributes used in the conflict report
- '''
-- attrs = ['objectclass', 'nsds5replconflict', 'createtimestamp']
-+ attrs = ['objectclass', 'nsds5replconflict', 'createtimestamp' , 'modifytimestamp']
-+ # attrs = ['createtimestamp']
- for key, val in list(entry.data.items()):
- for attr in attrs:
- if key.lower().startswith(attr):
-@@ -766,9 +954,6 @@ def get_conflict_report(mentries, rentries, verbose, format_conflicts=False):
- r_conflicts = []
-
- for entry in mentries:
-- if format_conflicts:
-- remove_state_info(entry)
--
- if 'glue' in entry.data['objectclass']:
- m_conflicts.append({'dn': entry.dn, 'conflict': entry.data['nsds5replconflict'][0],
- 'date': entry.data['createtimestamp'][0], 'glue': 'yes'})
-@@ -776,9 +961,6 @@ def get_conflict_report(mentries, rentries, verbose, format_conflicts=False):
- m_conflicts.append({'dn': entry.dn, 'conflict': entry.data['nsds5replconflict'][0],
- 'date': entry.data['createtimestamp'][0], 'glue': 'no'})
- for entry in rentries:
-- if format_conflicts:
-- remove_state_info(entry)
--
- if 'glue' in entry.data['objectclass']:
- r_conflicts.append({'dn': entry.dn, 'conflict': entry.data['nsds5replconflict'][0],
- 'date': entry.data['createtimestamp'][0], 'glue': 'yes'})
-@@ -790,7 +972,7 @@ def get_conflict_report(mentries, rentries, verbose, format_conflicts=False):
- report = "\n\nConflict Entries\n"
- report += "=====================================================\n\n"
- if len(m_conflicts) > 0:
-- report += ('Master Conflict Entries: %d\n' % (len(m_conflicts)))
-+ report += ('Master Conflict Entries: %d\n' % (len(m_conflicts)))
- if verbose:
- for entry in m_conflicts:
- report += ('\n - %s\n' % (entry['dn']))
-@@ -799,7 +981,7 @@ def get_conflict_report(mentries, rentries, verbose, format_conflicts=False):
- report += (' - Created: %s\n' % (convert_timestamp(entry['date'])))
-
- if len(r_conflicts) > 0:
-- if len(m_conflicts) > 0:
-+ if len(m_conflicts) > 0 and verbose:
- report += "\n" # add spacer
- report += ('Replica Conflict Entries: %d\n' % (len(r_conflicts)))
- if verbose:
-@@ -814,46 +996,6 @@ def get_conflict_report(mentries, rentries, verbose, format_conflicts=False):
- return ""
-
-
--def get_tombstones(replica, opts):
-- ''' Return the number of tombstones
-- '''
-- paged_ctrl = SimplePagedResultsControl(True, size=opts['pagesize'], cookie='')
-- controls = [paged_ctrl]
-- req_pr_ctrl = controls[0]
-- count = 0
--
-- try:
-- msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE,
-- '(&(objectclass=nstombstone)(nstombstonecsn=*))',
-- ['dn'], serverctrls=controls)
-- except ldap.LDAPError as e:
-- print("Error: Failed to get tombstone entries: %s", str(e))
-- exit(1)
--
-- done = False
-- while not done:
-- rtype, rdata, rmsgid, rctrls = replica.result3(msgid)
-- count += len(rdata)
--
-- pctrls = [
-- c
-- for c in rctrls
-- if c.controlType == SimplePagedResultsControl.controlType
-- ]
-- if pctrls:
-- if pctrls[0].cookie:
-- # Copy cookie from response control to request control
-- req_pr_ctrl.cookie = pctrls[0].cookie
-- msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE,
-- '(&(objectclass=nstombstone)(nstombstonecsn=*))',
-- ['dn'], serverctrls=controls)
-- else:
-- done = True # No more pages available
-- else:
-- done = True
-- return count
--
--
- def do_online_report(opts, output_file=None):
- ''' Check for differences between two replicas
- '''
-@@ -880,7 +1022,7 @@ def do_online_report(opts, output_file=None):
- req_pr_ctrl = controls[0]
- try:
- master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE,
-- "(|(objectclass=*)(objectclass=ldapsubentry))",
-+ "(|(objectclass=*)(objectclass=ldapsubentry)(objectclass=nstombstone))",
- ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'],
- serverctrls=controls)
- except ldap.LDAPError as e:
-@@ -888,7 +1030,7 @@ def do_online_report(opts, output_file=None):
- exit(1)
- try:
- replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE,
-- "(|(objectclass=*)(objectclass=ldapsubentry))",
-+ "(|(objectclass=*)(objectclass=ldapsubentry)(objectclass=nstombstone))",
- ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'],
- serverctrls=controls)
- except ldap.LDAPError as e:
-@@ -918,7 +1060,9 @@ def do_online_report(opts, output_file=None):
- rconflicts += rresult['conflicts']
-
- # Check for diffs
-- report = check_for_diffs(mresult['entries'], rresult['entries'], report, opts)
-+ report = check_for_diffs(mresult['entries'], mresult['glue'],
-+ rresult['entries'], rresult['glue'],
-+ report, opts)
-
- if not m_done:
- # Master
-@@ -933,7 +1077,7 @@ def do_online_report(opts, output_file=None):
- req_pr_ctrl.cookie = m_pctrls[0].cookie
- master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE,
- "(|(objectclass=*)(objectclass=ldapsubentry))",
-- ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], serverctrls=controls)
-+ ['*', 'createtimestamp', 'nscpentrywsi', 'conflictcsn', 'nsds5replconflict'], serverctrls=controls)
- else:
- m_done = True # No more pages available
- else:
-@@ -953,7 +1097,7 @@ def do_online_report(opts, output_file=None):
- req_pr_ctrl.cookie = r_pctrls[0].cookie
- replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE,
- "(|(objectclass=*)(objectclass=ldapsubentry))",
-- ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], serverctrls=controls)
-+ ['*', 'createtimestamp', 'nscpentrywsi', 'conflictcsn', 'nsds5replconflict'], serverctrls=controls)
- else:
- r_done = True # No more pages available
- else:
-@@ -961,10 +1105,8 @@ def do_online_report(opts, output_file=None):
-
- # Get conflicts & tombstones
- report['conflict'] = get_conflict_report(mconflicts, rconflicts, opts['conflicts'])
-- report['mtombstones'] = get_tombstones(master, opts)
-- report['rtombstones'] = get_tombstones(replica, opts)
-- report['m_count'] += report['mtombstones']
-- report['r_count'] += report['rtombstones']
-+ report['mtombstones'] = mresult['tombstones']
-+ report['rtombstones'] = rresult['tombstones']
-
- # Do the final report
- print_online_report(report, opts, output_file)
-@@ -1027,11 +1169,16 @@ def main():
-
- # Parse the ldap URLs
- if args.murl is not None and args.rurl is not None:
-+ # Make sure the URLs are different
-+ if args.murl == args.rurl:
-+ print("Master and Replica LDAP URLs are the same, they must be different")
-+ exit(1)
-+
- # Parse Master url
-- murl = ldapurl.LDAPUrl(args.murl)
- if not ldapurl.isLDAPUrl(args.murl):
- print("Master LDAP URL is invalid")
- exit(1)
-+ murl = ldapurl.LDAPUrl(args.murl)
- if murl.urlscheme in VALID_PROTOCOLS:
- opts['mprotocol'] = murl.urlscheme
- else:
-@@ -1052,10 +1199,10 @@ def main():
- opts['mport'] = parts[1]
-
- # Parse Replica url
-- rurl = ldapurl.LDAPUrl(args.rurl)
- if not ldapurl.isLDAPUrl(args.rurl):
- print("Replica LDAP URL is invalid")
- exit(1)
-+ rurl = ldapurl.LDAPUrl(args.rurl)
- if rurl.urlscheme in VALID_PROTOCOLS:
- opts['rprotocol'] = rurl.urlscheme
- else:
-@@ -1075,11 +1222,19 @@ def main():
- opts['rhost'] = parts[0]
- opts['rport'] = parts[1]
-
-+ # Validate certdir
-+ opts['certdir'] = None
-+ if args.certdir:
-+ if os.path.exists() and os.path.isdir(certdir):
-+ opts['certdir'] = args.certdir
-+ else:
-+ print("certificate directory ({}) does not exist or is not a directory".format(args.certdir))
-+ exit(1)
-+
- # Initialize the options
- opts['binddn'] = args.binddn
- opts['bindpw'] = args.bindpw
- opts['suffix'] = args.suffix
-- opts['certdir'] = args.certdir
- opts['starttime'] = int(time.time())
- opts['verbose'] = args.verbose
- opts['mldif'] = args.mldif
-@@ -1109,6 +1264,18 @@ def main():
-
- if opts['mldif'] is not None and opts['rldif'] is not None:
- print ("Performing offline report...")
-+
-+ # Validate LDIF files, must exist and not be empty
-+ for ldif_dir in [opts['mldif'], opts['rldif']]:
-+ if not os.path.exists(ldif_dir):
-+ print ("LDIF file ({}) does not exist".format(ldif_dir))
-+ exit(1)
-+ if os.path.getsize(ldif_dir) == 0:
-+ print ("LDIF file ({}) is empty".format(ldif_dir))
-+ exit(1)
-+ if opts['mldif'] == opts['rldif']:
-+ print("The Master and Replica LDIF files must be different")
-+ exit(1)
- do_offline_report(opts, OUTPUT_FILE)
- else:
- print ("Performing online report...")
-@@ -1118,5 +1285,6 @@ def main():
- print('Finished writing report to "%s"' % (args.file))
- OUTPUT_FILE.close()
-
-+
- if __name__ == '__main__':
- main()
---
-2.17.0
-
diff --git a/SOURCES/0085-Ticket-49576-Add-support-of-deletedattribute-in-ds-r.patch b/SOURCES/0085-Ticket-49576-Add-support-of-deletedattribute-in-ds-r.patch
deleted file mode 100644
index 8b4e655..0000000
--- a/SOURCES/0085-Ticket-49576-Add-support-of-deletedattribute-in-ds-r.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 00ebe4e4298fb19d9b8fc78b16053fb0b92eea9f Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 25 May 2018 09:47:31 -0400
-Subject: [PATCH] Ticket 49576 - Add support of ";deletedattribute" in
- ds-replcheck
-
-Description: Also need to check for ";deletedattribute" when processing LDIF file
-
-https://pagure.io/389-ds-base/issue/49576
-
-Reviewed by: tbordaz(Thanks!)
-
-(cherry picked from commit 9e046a35a0f771e77c788cddee2cbddee6ae0571)
----
- ldap/admin/src/scripts/ds-replcheck | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck
-index b801ccaa8..661c9e0ce 100755
---- a/ldap/admin/src/scripts/ds-replcheck
-+++ b/ldap/admin/src/scripts/ds-replcheck
-@@ -197,7 +197,7 @@ def remove_attr_state_info(attr):
- idx = attr.find(';')
- if idx > 0:
- state_attr = attr # preserve state info for diff report
-- if ";deleted" in attr:
-+ if ";deleted" in attr or ";deletedattribute" in attr:
- # Ignore this attribute it was deleted
- return None, state_attr
- attr = attr[:idx]
---
-2.17.0
-
diff --git a/SOURCES/0086-Ticket-49726-DS-only-accepts-RSA-and-Fortezza-cipher.patch b/SOURCES/0086-Ticket-49726-DS-only-accepts-RSA-and-Fortezza-cipher.patch
deleted file mode 100644
index 9d14858..0000000
--- a/SOURCES/0086-Ticket-49726-DS-only-accepts-RSA-and-Fortezza-cipher.patch
+++ /dev/null
@@ -1,529 +0,0 @@
-From b6894f921a0635dba97a0745ce75917284e5e5ff Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Sun, 27 May 2018 10:48:55 -0400
-Subject: [PATCH] Ticket 49726 - DS only accepts RSA and Fortezza cipher
- families
-
-Bug Description: Currently DS only accepts fortezza and RSA cipher families.
- This prevents things like ECC certificates from being used.
-
-Fix Description: Instead of hardcoding the cipher families, just grab the
- current type and use it.
-
- Also cleaned up code: removed unncessary "ifdefs", and switched
- for loops to use size_t.
-
-https://pagure.io/389-ds-base/issue/49726
-
-Reviewed by: ?
-
-(cherry picked from commit 27a16a068887e5b9fcab3b4507d58a18e6f1d1ec)
----
- ldap/servers/slapd/ssl.c | 136 ++++++---------------------------------
- 1 file changed, 20 insertions(+), 116 deletions(-)
-
-diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
-index 36b09fd16..b8eba2da4 100644
---- a/ldap/servers/slapd/ssl.c
-+++ b/ldap/servers/slapd/ssl.c
-@@ -31,28 +31,11 @@
- #include "fe.h"
- #include "certdb.h"
-
--#if !defined(USE_OPENLDAP)
--#include "ldap_ssl.h"
--#endif
--
- /* For IRIX... */
- #ifndef MAXPATHLEN
- #define MAXPATHLEN 1024
- #endif
-
--#if NSS_VMAJOR * 100 + NSS_VMINOR >= 315
--/* TLS1.2 is defined in RFC5246. */
--#define NSS_TLS12 1
--#elif NSS_VMAJOR * 100 + NSS_VMINOR >= 314
--/* TLS1.1 is defined in RFC4346. */
--#define NSS_TLS11 1
--#else
--#define NSS_TLS10 1
--#endif
--
--#if NSS_VMAJOR * 100 + NSS_VMINOR >= 320
--#define HAVE_NSS_DHE 1
--#endif
-
- /******************************************************************************
- * Default SSL Version Rule
-@@ -70,10 +53,9 @@
-
- extern char *slapd_SSL3ciphers;
- extern symbol_t supported_ciphers[];
--#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
- static SSLVersionRange enabledNSSVersions;
- static SSLVersionRange slapdNSSVersions;
--#endif
-+
-
- /* dongle_file_name is set in slapd_nss_init when we set the path for the
- key, cert, and secmod files - the dongle file must be in the same directory
-@@ -109,12 +91,10 @@ static char *configDN = "cn=encryption,cn=config";
- #define CIPHER_SET_DEFAULTWEAKCIPHER 0x10 /* allowWeakCipher is not set in cn=encryption */
- #define CIPHER_SET_ALLOWWEAKCIPHER 0x20 /* allowWeakCipher is on */
- #define CIPHER_SET_DISALLOWWEAKCIPHER 0x40 /* allowWeakCipher is off */
--
--#ifdef HAVE_NSS_DHE
- #define CIPHER_SET_DEFAULTWEAKDHPARAM 0x100 /* allowWeakDhParam is not set in cn=encryption */
- #define CIPHER_SET_ALLOWWEAKDHPARAM 0x200 /* allowWeakDhParam is on */
- #define CIPHER_SET_DISALLOWWEAKDHPARAM 0x400 /* allowWeakDhParam is off */
--#endif
-+
-
- #define CIPHER_SET_ISDEFAULT(flag) \
- (((flag)&CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
-@@ -145,10 +125,7 @@ static char *configDN = "cn=encryption,cn=config";
- #define CIPHER_IS_WEAK 0x4
- #define CIPHER_IS_DEPRECATED 0x8
-
--#ifdef HAVE_NSS_DHE
- static int allowweakdhparam = CIPHER_SET_DEFAULTWEAKDHPARAM;
--#endif
--
-
- static char **cipher_names = NULL;
- static char **enabled_cipher_names = NULL;
-@@ -225,12 +202,10 @@ static lookup_cipher _lookup_cipher[] = {
- /*{"tls_dhe_dss_1024_des_sha", ""}, */
- {"tls_dhe_dss_1024_rc4_sha", "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"},
- {"tls_dhe_dss_rc4_128_sha", "TLS_DHE_DSS_WITH_RC4_128_SHA"},
--#if defined(NSS_TLS12)
- /* New in NSS 3.15 */
- {"tls_rsa_aes_128_gcm_sha", "TLS_RSA_WITH_AES_128_GCM_SHA256"},
- {"tls_dhe_rsa_aes_128_gcm_sha", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"},
- {"tls_dhe_dss_aes_128_gcm_sha", NULL}, /* not available */
--#endif
- {NULL, NULL}};
-
- /* E.g., "SSL3", "TLS1.2", "Unknown SSL version: 0x0" */
-@@ -317,7 +292,6 @@ getSupportedCiphers(void)
- SSLCipherSuiteInfo info;
- char *sep = "::";
- int number_of_ciphers = SSL_NumImplementedCiphers;
-- int i;
- int idx = 0;
- PRBool isFIPS = slapd_pk11_isFIPS();
-
-@@ -325,7 +299,7 @@ getSupportedCiphers(void)
-
- if ((cipher_names == NULL) && (_conf_ciphers)) {
- cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
-- for (i = 0; _conf_ciphers[i].name != NULL; i++) {
-+ for (size_t i = 0; _conf_ciphers[i].name != NULL; i++) {
- SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[i].num, &info, sizeof(info));
- /* only support FIPS approved ciphers in FIPS mode */
- if (!isFIPS || info.isFIPS) {
-@@ -341,7 +315,6 @@ getSupportedCiphers(void)
- return cipher_names;
- }
-
--#ifdef HAVE_NSS_DHE
- int
- get_allow_weak_dh_param(Slapi_Entry *e)
- {
-@@ -365,7 +338,6 @@ get_allow_weak_dh_param(Slapi_Entry *e)
- slapi_ch_free((void **)&val);
- return allow;
- }
--#endif
-
-
- char **
-@@ -374,7 +346,6 @@ getEnabledCiphers(void)
- SSLCipherSuiteInfo info;
- char *sep = "::";
- int number_of_ciphers = 0;
-- int x;
- int idx = 0;
- PRBool enabled;
-
-@@ -383,14 +354,14 @@ getEnabledCiphers(void)
- return NULL;
- }
- if ((enabled_cipher_names == NULL) && _conf_ciphers) {
-- for (x = 0; _conf_ciphers[x].name; x++) {
-+ for (size_t x = 0; _conf_ciphers[x].name; x++) {
- SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
- if (enabled) {
- number_of_ciphers++;
- }
- }
- enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *));
-- for (x = 0; _conf_ciphers[x].name; x++) {
-+ for (size_t x = 0; _conf_ciphers[x].name; x++) {
- SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
- if (enabled) {
- SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num, &info, sizeof(info));
-@@ -472,9 +443,6 @@ getSSLVersionRange(char **min, char **max)
- }
- return -1;
- }
--#if defined(NSS_TLS10)
-- return -1; /* not supported */
--#else /* NSS_TLS11 or newer */
- if (min) {
- *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0);
- }
-@@ -482,10 +450,8 @@ getSSLVersionRange(char **min, char **max)
- *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0);
- }
- return 0;
--#endif
- }
-
--#if defined(USE_OPENLDAP)
- void
- getSSLVersionRangeOL(int *min, int *max)
- {
-@@ -499,10 +465,7 @@ getSSLVersionRangeOL(int *min, int *max)
- if (!slapd_ssl_listener_is_initialized()) {
- return;
- }
--#if defined(NSS_TLS10)
-- *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
-- return;
--#else /* NSS_TLS11 or newer */
-+
- if (min) {
- switch (slapdNSSVersions.min) {
- case SSL_LIBRARY_VERSION_3_0:
-@@ -550,14 +513,11 @@ getSSLVersionRangeOL(int *min, int *max)
- }
- }
- return;
--#endif
- }
--#endif /* USE_OPENLDAP */
-
- static void
- _conf_init_ciphers(void)
- {
-- int x;
- SECStatus rc;
- SSLCipherSuiteInfo info;
- const PRUint16 *implementedCiphers = SSL_GetImplementedCiphers();
-@@ -568,7 +528,7 @@ _conf_init_ciphers(void)
- }
- _conf_ciphers = (cipherstruct *)slapi_ch_calloc(SSL_NumImplementedCiphers + 1, sizeof(cipherstruct));
-
-- for (x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {
-+ for (size_t x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {
- rc = SSL_GetCipherSuiteInfo(implementedCiphers[x], &info, sizeof info);
- if (SECFailure == rc) {
- slapi_log_err(SLAPI_LOG_ERR, "Security Initialization",
-@@ -598,7 +558,6 @@ _conf_init_ciphers(void)
- static void
- _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
- {
-- int x;
- SECStatus rc;
- PRBool setdefault = CIPHER_SET_ISDEFAULT(flag);
- PRBool enabled = CIPHER_SET_ISALL(flag);
-@@ -608,7 +567,7 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
-
- _conf_init_ciphers();
-
-- for (x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {
-+ for (size_t x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {
- if (_conf_ciphers[x].flags & CIPHER_IS_DEFAULT) {
- /* certainly, not the first time. */
- setme = PR_TRUE;
-@@ -663,11 +622,10 @@ charray2str(char **ary, const char *delim)
- void
- _conf_dumpciphers(void)
- {
-- int x;
- PRBool enabled;
- /* {"SSL3","rc4", SSL_EN_RC4_128_WITH_MD5}, */
- slapd_SSL_info("Configured NSS Ciphers");
-- for (x = 0; _conf_ciphers[x].name; x++) {
-+ for (size_t x = 0; _conf_ciphers[x].name; x++) {
- SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
- if (enabled) {
- slapd_SSL_info("\t%s: enabled%s%s%s", _conf_ciphers[x].name,
-@@ -687,7 +645,8 @@ char *
- _conf_setciphers(char *setciphers, int flags)
- {
- char *t, err[MAGNUS_ERROR_LEN];
-- int x, i, active;
-+ int active;
-+ size_t x = 0;
- char *raw = setciphers;
- char **suplist = NULL;
- char **unsuplist = NULL;
-@@ -772,7 +731,7 @@ _conf_setciphers(char *setciphers, int flags)
- }
- }
- if (lookup) { /* lookup with old cipher name and get NSS cipherSuiteName */
-- for (i = 0; _lookup_cipher[i].alias; i++) {
-+ for (size_t i = 0; _lookup_cipher[i].alias; i++) {
- if (!PL_strcasecmp(setciphers, _lookup_cipher[i].alias)) {
- if (enabled && !_lookup_cipher[i].name[0]) {
- slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d. Ignoring %s",
-@@ -915,9 +874,8 @@ getChildren(char *dn)
- slapi_pblock_get(new_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result);
- slapi_pblock_get(new_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e);
- if (e != NULL) {
-- int i;
- list = (char **)slapi_ch_malloc(sizeof(*list) * (nEntries + 1));
-- for (i = 0; e[i] != NULL; i++) {
-+ for (size_t i = 0; e[i] != NULL; i++) {
- list[i] = slapi_ch_strdup(slapi_entry_get_dn(e[i]));
- }
- list[nEntries] = NULL;
-@@ -935,8 +893,7 @@ static void
- freeChildren(char **list)
- {
- if (list != NULL) {
-- int i;
-- for (i = 0; list[i] != NULL; i++) {
-+ for (size_t i = 0; list[i] != NULL; i++) {
- slapi_ch_free((void **)(&list[i]));
- }
- slapi_ch_free((void **)(&list));
-@@ -1017,7 +974,6 @@ warn_if_no_key_file(const char *dir, int no_log)
- return ret;
- }
-
--#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
- /*
- * If non NULL buf and positive bufsize is given,
- * the memory is used to store the version string.
-@@ -1183,7 +1139,6 @@ restrict_SSLVersionRange(void)
- }
- }
- }
--#endif
-
- /*
- * slapd_nss_init() is always called from main(), even if we do not
-@@ -1206,7 +1161,6 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr
- int create_certdb = 0;
- PRUint32 nssFlags = 0;
- char *certdir;
--#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
- char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
- /* Get the range of the supported SSL version */
- SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
-@@ -1216,7 +1170,6 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr
- slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization",
- "slapd_nss_init - Supported range by NSS: min: %s, max: %s\n",
- emin, emax);
--#endif
-
- /* set in slapd_bootstrap_config,
- thus certdir is available even if config_available is false */
-@@ -1385,9 +1338,7 @@ slapd_ssl_init()
- char *val = NULL;
- PK11SlotInfo *slot;
- Slapi_Entry *entry = NULL;
--#ifdef HAVE_NSS_DHE
- SECStatus rv = SECFailure;
--#endif
-
- /* Get general information */
-
-@@ -1396,7 +1347,6 @@ slapd_ssl_init()
- val = slapi_entry_attr_get_charptr(entry, "nssslSessionTimeout");
- ciphers = slapi_entry_attr_get_charptr(entry, "nsssl3ciphers");
-
--#ifdef HAVE_NSS_DHE
- allowweakdhparam = get_allow_weak_dh_param(entry);
- if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) {
- slapd_SSL_warn("notice, generating new WEAK DH param");
-@@ -1405,7 +1355,6 @@ slapd_ssl_init()
- slapd_SSL_error("Warning, unable to generate weak dh parameters");
- }
- }
--#endif
-
- /* We are currently using the value of sslSessionTimeout
- for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
-@@ -1527,7 +1476,6 @@ slapd_ssl_init()
- return 0;
- }
-
--#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
- /*
- * val: sslVersionMin/Max value set in cn=encription,cn=config (INPUT)
- * rval: Corresponding value to set SSLVersionRange (OUTPUT)
-@@ -1541,7 +1489,7 @@ static int
- set_NSS_version(char *val, PRUint16 *rval, int ismin)
- {
- char *vp, *endp;
-- int vnum;
-+ int64_t vnum;
- char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
-
- if (NULL == rval) {
-@@ -1662,7 +1610,6 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
- }
- }
- } else if (tlsv < 1.3) { /* TLS1.2 */
--#if defined(NSS_TLS12)
- if (ismin) {
- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) {
- slapd_SSL_warn("The value of sslVersionMin "
-@@ -1685,7 +1632,6 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
- (*rval) = SSL_LIBRARY_VERSION_TLS_1_2;
- }
- }
--#endif
- } else { /* Specified TLS is newer than supported */
- if (ismin) {
- slapd_SSL_warn("The value of sslVersionMin "
-@@ -1720,7 +1666,6 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
- #undef SSLLEN
- #undef TLSSTR
- #undef TLSLEN
--#endif
-
- int
- slapd_ssl_init2(PRFileDesc **fd, int startTLS)
-@@ -1740,12 +1685,10 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
- char *tmpDir;
- Slapi_Entry *e = NULL;
- PRBool fipsMode = PR_FALSE;
--#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
- PRUint16 NSSVersionMin = enabledNSSVersions.min;
- PRUint16 NSSVersionMax = enabledNSSVersions.max;
- char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
- char newmax[VERSION_STR_LENGTH];
--#endif
- char cipher_string[1024];
- int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
- int_fast16_t renegotiation = (int_fast16_t)SSL_RENEGOTIATE_REQUIRES_XTN;
-@@ -1964,15 +1907,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
- }
-
- if (SECSuccess == rv) {
-+ SSLKEAType certKEA;
-
--#ifdef HAVE_NSS_DHE
-- /* Step If we want weak dh params, flag it on the socket now! */
--
-+ /* If we want weak dh params, flag it on the socket now! */
- rv = SSL_OptionSet(*fd, SSL_ENABLE_SERVER_DHE, PR_TRUE);
- if (rv != SECSuccess) {
- slapd_SSL_warn("Warning, unable to start DHE");
- }
--
- if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) {
- slapd_SSL_warn("notice, allowing weak parameters on socket.");
- rv = SSL_EnableWeakDHEPrimeGroup(*fd, PR_TRUE);
-@@ -1980,13 +1921,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
- slapd_SSL_warn("Warning, unable to allow weak DH params on socket.");
- }
- }
--#endif
-
-- if (slapd_pk11_fortezzaHasKEA(cert) == PR_TRUE) {
-- rv = SSL_ConfigSecureServer(*fd, cert, key, kt_fortezza);
-- } else {
-- rv = SSL_ConfigSecureServer(*fd, cert, key, kt_rsa);
-- }
-+ certKEA = NSS_FindCertKEAType(cert);
-+ rv = SSL_ConfigSecureServer(*fd, cert, key, certKEA);
- if (SECSuccess != rv) {
- errorCode = PR_GetError();
- slapd_SSL_warn("ConfigSecureServer: "
-@@ -2140,7 +2077,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
- enableTLS1 = PR_TRUE; /* If available, enable TLS1 */
- }
- slapi_ch_free_string(&val);
--#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
- val = slapi_entry_attr_get_charptr(e, "sslVersionMin");
- if (val) {
- (void)set_NSS_version(val, &NSSVersionMin, 1);
-@@ -2161,9 +2097,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
- mymax, newmax);
- NSSVersionMax = enabledNSSVersions.max;
- }
--#endif
- }
--#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
-+
- if (NSSVersionMin > 0) {
- /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
- slapdNSSVersions.min = NSSVersionMin;
-@@ -2183,7 +2118,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
- mymin, mymax);
- }
- } else {
--#endif
- /* deprecated code */
- sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, enableSSL3);
- if (sslStatus != SECSuccess) {
-@@ -2202,9 +2136,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
- enableTLS1 ? "enable" : "disable",
- errorCode, slapd_pr_strerror(errorCode));
- }
--#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
- }
--#endif
-
- val = NULL;
- if (e != NULL) {
-@@ -2382,12 +2314,8 @@ slapd_SSL_client_auth(LDAP *ld)
- */
- token = slapi_ch_strdup(internalTokenName);
- }
--#if defined(USE_OPENLDAP)
- /* openldap needs tokenname:certnick */
- PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
--#else
-- PL_strncpyz(cert_name, personality, sizeof(cert_name));
--#endif
- slapi_ch_free_string(&ssltoken);
- } else {
- /* external PKCS #11 token - attach token name */
-@@ -2461,7 +2389,6 @@ slapd_SSL_client_auth(LDAP *ld)
- "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
- } else {
--#if defined(USE_OPENLDAP)
- if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) {
- char *certdir = config_get_certdir();
- char *keyfile = NULL;
-@@ -2532,29 +2459,6 @@ slapd_SSL_client_auth(LDAP *ld)
- cert_name);
- }
- }
--/*
-- * not sure what else needs to be done for client auth - don't
-- * currently have a way to pass in the password to use to unlock
-- * the keydb - nor a way to disable caching
-- */
--#else /* !USE_OPENLDAP */
-- rc = ldapssl_enable_clientauth(ld, SERVER_KEY_NAME, pw, cert_name);
-- if (rc != 0) {
-- errorCode = PR_GetError();
-- slapd_SSL_error("ldapssl_enable_clientauth(%s, %s) %i (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
-- SERVER_KEY_NAME, cert_name, rc,
-- errorCode, slapd_pr_strerror(errorCode));
-- } else {
-- /*
-- * We cannot allow NSS to cache outgoing client auth connections -
-- * each client auth connection must have it's own non-shared SSL
-- * connection to the peer so that it will go through the
-- * entire handshake protocol every time including the use of its
-- * own unique client cert - see bug 605457
-- */
-- ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE);
-- }
--#endif
- }
- }
-
---
-2.17.0
-
diff --git a/SOURCES/0087-Ticket-48184-clean-up-and-delete-connections-at-shut.patch b/SOURCES/0087-Ticket-48184-clean-up-and-delete-connections-at-shut.patch
deleted file mode 100644
index b49c92e..0000000
--- a/SOURCES/0087-Ticket-48184-clean-up-and-delete-connections-at-shut.patch
+++ /dev/null
@@ -1,190 +0,0 @@
-From 240cfa58c62571b92640a385cfcce6d858cb00dc Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Wed, 30 May 2018 15:48:11 +0200
-Subject: [PATCH] Ticket 48184 - clean up and delete connections at shutdown
- (3rd)
-
-Bug description:
- During shutdown we would not close connections.
- In the past this may have just been an annoyance, but now with the way
- nunc-stans works, io events can still trigger on open xeisting connectinos
- during shutdown.
-
-Fix Description:
- Because of NS dynamic it can happen that several jobs wants to work on the
- same connection. In such case (a job is already set in c_job) we delay the
- new job that will retry.
- In addition:
- - some call needed c_mutex
- - test uninitialized nunc-stans in case of shutdown while startup is not completed
-
- If it is not possible to schedule immediately a job it is sometime useless to wait:
- - if the connection is already freed, just cancel the scheduled job
- and do not register a new one
- - If we are in middle of a shutdown we do not know if the
- scheduled job is ns_handle_closure, so cancel the scheduled
- job and schedule ns_handle_closure.
-
-https://pagure.io/389-ds-base/issue/48184
-
-Reviewed by:
- Original fix reviewed by Ludwig and Viktor
- Second fix reviewed by Mark
- Third fix reviewed by Mark
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
----
- ldap/servers/slapd/connection.c | 10 +++--
- ldap/servers/slapd/conntable.c | 2 +-
- ldap/servers/slapd/daemon.c | 67 +++++++++++++++++++++++++--------
- ldap/servers/slapd/proto-slap.h | 2 +-
- 4 files changed, 60 insertions(+), 21 deletions(-)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index 76e83112b..c54e7c26c 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -741,14 +741,18 @@ connection_acquire_nolock(Connection *conn)
-
- /* returns non-0 if connection can be reused and 0 otherwise */
- int
--connection_is_free(Connection *conn)
-+connection_is_free(Connection *conn, int use_lock)
- {
- int rc;
-
-- PR_EnterMonitor(conn->c_mutex);
-+ if (use_lock) {
-+ PR_EnterMonitor(conn->c_mutex);
-+ }
- rc = conn->c_sd == SLAPD_INVALID_SOCKET && conn->c_refcnt == 0 &&
- !(conn->c_flags & CONN_FLAG_CLOSING);
-- PR_ExitMonitor(conn->c_mutex);
-+ if (use_lock) {
-+ PR_ExitMonitor(conn->c_mutex);
-+ }
-
- return rc;
- }
-diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c
-index f2f763dfa..114871d17 100644
---- a/ldap/servers/slapd/conntable.c
-+++ b/ldap/servers/slapd/conntable.c
-@@ -129,7 +129,7 @@ connection_table_get_connection(Connection_Table *ct, int sd)
- break;
- }
-
-- if (connection_is_free(&(ct->c[index]))) {
-+ if (connection_is_free(&(ct->c[index]), 1 /*use lock */)) {
- break;
- }
- }
-diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
-index 50e67474e..35cfe7de0 100644
---- a/ldap/servers/slapd/daemon.c
-+++ b/ldap/servers/slapd/daemon.c
-@@ -1699,7 +1699,8 @@ ns_connection_post_io_or_closing_try(Connection *conn)
- }
-
- /*
-- * Cancel any existing ns jobs we have registered.
-+ * A job was already scheduled.
-+ * Let it be dispatched first
- */
- if (conn->c_job != NULL) {
- return 1;
-@@ -1780,25 +1781,59 @@ ns_connection_post_io_or_closing_try(Connection *conn)
- }
- return 0;
- }
-+
-+/*
-+ * Tries to schedule I/O for this connection
-+ * If the connection is already busy with a scheduled I/O
-+ * it can wait until scheduled I/O is dispatched
-+ *
-+ * caller must hold c_mutex
-+ */
- void
- ns_connection_post_io_or_closing(Connection *conn)
- {
- while (ns_connection_post_io_or_closing_try(conn)) {
-- /* we should retry later */
--
-- /* We are not suppose to work immediately on the connection that is taken by
-- * another job
-- * release the lock and give some time
-- */
--
-- if (CONN_NEEDS_CLOSING(conn) && conn->c_ns_close_jobs) {
-- return;
-- } else {
-- PR_ExitMonitor(conn->c_mutex);
-- DS_Sleep(PR_MillisecondsToInterval(100));
--
-- PR_EnterMonitor(conn->c_mutex);
-- }
-+ /* Here a job is currently scheduled (c->job is set) and not yet dispatched
-+ * Job can be either:
-+ * - ns_handle_closure
-+ * - ns_handle_pr_read_ready
-+ */
-+
-+ if (connection_is_free(conn, 0)) {
-+ PRStatus shutdown_status;
-+
-+ /* The connection being freed,
-+ * It means that ns_handle_closure already completed and the connection
-+ * is no longer on the active list.
-+ * The scheduled job is useless and scheduling a new one as well
-+ */
-+ shutdown_status = ns_job_done(conn->c_job);
-+ if (shutdown_status != PR_SUCCESS) {
-+ slapi_log_err(SLAPI_LOG_CRIT, "ns_connection_post_io_or_closing", "Failed cancel a job on a freed connection %d !\n", conn->c_sd);
-+ }
-+ conn->c_job = NULL;
-+ return;
-+ }
-+ if (g_get_shutdown() && CONN_NEEDS_CLOSING(conn)) {
-+ PRStatus shutdown_status;
-+
-+ /* This is shutting down cancel any scheduled job to register ns_handle_closure
-+ */
-+ shutdown_status = ns_job_done(conn->c_job);
-+ if (shutdown_status != PR_SUCCESS) {
-+ slapi_log_err(SLAPI_LOG_CRIT, "ns_connection_post_io_or_closing", "Failed to cancel a job during shutdown %d !\n", conn->c_sd);
-+ }
-+ conn->c_job = NULL;
-+ continue;
-+ }
-+
-+ /* We are not suppose to work immediately on the connection that is taken by
-+ * another job
-+ * release the lock and give some time
-+ */
-+ PR_ExitMonitor(conn->c_mutex);
-+ DS_Sleep(PR_MillisecondsToInterval(100));
-+ PR_EnterMonitor(conn->c_mutex);
- }
- }
-
-diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
-index b13334ad1..f54bc6bc5 100644
---- a/ldap/servers/slapd/proto-slap.h
-+++ b/ldap/servers/slapd/proto-slap.h
-@@ -1431,7 +1431,7 @@ int connection_acquire_nolock(Connection *conn);
- int connection_acquire_nolock_ext(Connection *conn, int allow_when_closing);
- int connection_release_nolock(Connection *conn);
- int connection_release_nolock_ext(Connection *conn, int release_only);
--int connection_is_free(Connection *conn);
-+int connection_is_free(Connection *conn, int user_lock);
- int connection_is_active_nolock(Connection *conn);
- #if defined(USE_OPENLDAP)
- ber_slen_t openldap_read_function(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len);
---
-2.17.0
-
diff --git a/SOURCES/0088-Ticket-49736-Hardening-of-active-connection-list.patch b/SOURCES/0088-Ticket-49736-Hardening-of-active-connection-list.patch
deleted file mode 100644
index 1a6143d..0000000
--- a/SOURCES/0088-Ticket-49736-Hardening-of-active-connection-list.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 1f3e1ad55f72a885e27db41be28ce1037ff0ce93 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Fri, 1 Jun 2018 16:12:40 +0200
-Subject: [PATCH] Ticket 49736 - Hardening of active connection list
-
-Bug Description:
- In case of a bug in the management of the connection refcnt
- it can happen that there are several attempts to move a connection
- out of the active list.
-
- It triggers a crash because when derefencing c->c_prev.
- c_prev is never NULL on the active list
-
-Fix Description:
- The fix tests if the connection is already out of the active list.
- If such case, it just returns.
-
- A potential issue that is not addressed by this fix is:
- Thread A and Thread B are using 'c' but c->refcnt=1 (it should be 2)
- Thread A "closes" 'c', 'c' is move out of active list (free) because of refcnt=0
- A new connection happens selecting the free connection 'c', moving it to the active list.
- Thread C is using 'c' from the new connection c->refcnt=1
- Thread B "closes" 'c', 'c' is moved out of the active list.
- -> new operation coming on 'c' will not be detected
- -> Thread C will likely crash when sending result
-
-https://pagure.io/389-ds-base/issue/49736
-
-Reviewed by: Mark Reynolds (thanks!)
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
-
-(cherry picked from commit b0e05806232b781eed3ff102485045a358d7659b)
----
- ldap/servers/slapd/conntable.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c
-index 114871d17..cb68a1119 100644
---- a/ldap/servers/slapd/conntable.c
-+++ b/ldap/servers/slapd/conntable.c
-@@ -243,6 +243,27 @@ connection_table_move_connection_out_of_active_list(Connection_Table *ct, Connec
- int c_sd; /* for logging */
- /* we always have previous element because list contains a dummy header */;
- PR_ASSERT(c->c_prev);
-+ if (c->c_prev == NULL) {
-+ /* c->c_prev is set when the connection is moved ON the active list
-+ * So this connection is already OUT of the active list
-+ *
-+ * Not sure how to recover from here.
-+ * Considering c->c_prev is NULL we can assume refcnt is now 0
-+ * and connection_cleanup was already called.
-+ * If it is not the case, then consequences are:
-+ * - Leak some memory (connext, unsent page result entries, various buffers)
-+ * - hanging connection (fd not closed)
-+ * A option would be to call connection_cleanup here.
-+ *
-+ * The logged message helps to know how frequently the problem exists
-+ */
-+ slapi_log_err(SLAPI_LOG_CRIT,
-+ "connection_table_move_connection_out_of_active_list",
-+ "conn %d is already OUT of the active list (refcnt is %d)\n",
-+ c->c_sd, c->c_refcnt);
-+
-+ return 0;
-+ }
-
- #ifdef FOR_DEBUGGING
- slapi_log_err(SLAPI_LOG_DEBUG, "connection_table_move_connection_out_of_active_list", "Moving connection out of active list\n");
---
-2.17.0
-
diff --git a/SOURCES/0089-Ticket-49652-DENY-aci-s-are-not-handled-properly.patch b/SOURCES/0089-Ticket-49652-DENY-aci-s-are-not-handled-properly.patch
deleted file mode 100644
index e0a8c9b..0000000
--- a/SOURCES/0089-Ticket-49652-DENY-aci-s-are-not-handled-properly.patch
+++ /dev/null
@@ -1,285 +0,0 @@
-From 5b7d67bdef7810c661ae4ba1fdfa620c86985661 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Fri, 27 Apr 2018 08:34:51 -0400
-Subject: [PATCH] Ticket 49652 - DENY aci's are not handled properly
-
-Bug Description: There are really two issues here. One, when a resource
- is denied by a DENY aci the cached results for that resource
- are not proprely set, and on the same connection if the same
- operation repeated it will be allowed instead of denied because
- the cache result was not proprely updated.
-
- Two, if there are no ALLOW aci's on a resource, then we don't
- check the deny rules, and resources that are restricted are
- returned to the client.
-
-Fix Description: For issue one, when an entry is denied access reset all the
- attributes' cache results to DENIED as it's possible previously
- evaluated aci's granted access to some of these attributes which
- are still present in the acl result cache.
-
- For issue two, if there are no ALLOW aci's on a resource but
- there are DENY aci's, then set the aclpb state flags to
- process DENY aci's
-
-https://pagure.io/389-ds-base/issue/49652
-
-Reviewed by: tbordaz & lkrispenz(Thanks!!)
-
-(cherry picked from commit d77c7f0754f67022b42784c05be8a493a00f2ec5)
----
- dirsrvtests/tests/suites/acl/acl_deny_test.py | 198 ++++++++++++++++++
- ldap/servers/plugins/acl/acl.c | 24 ++-
- 2 files changed, 220 insertions(+), 2 deletions(-)
- create mode 100644 dirsrvtests/tests/suites/acl/acl_deny_test.py
-
-diff --git a/dirsrvtests/tests/suites/acl/acl_deny_test.py b/dirsrvtests/tests/suites/acl/acl_deny_test.py
-new file mode 100644
-index 000000000..285664150
---- /dev/null
-+++ b/dirsrvtests/tests/suites/acl/acl_deny_test.py
-@@ -0,0 +1,198 @@
-+import logging
-+import pytest
-+import os
-+import ldap
-+import time
-+from lib389._constants import *
-+from lib389.topologies import topology_st as topo
-+from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES
-+from lib389.idm.domain import Domain
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+BIND_DN2 = 'uid=tuser,ou=People,dc=example,dc=com'
-+BIND_RDN2 = 'tuser'
-+BIND_DN = 'uid=tuser1,ou=People,dc=example,dc=com'
-+BIND_RDN = 'tuser1'
-+SRCH_FILTER = "uid=tuser1"
-+SRCH_FILTER2 = "uid=tuser"
-+
-+aci_list_A = ['(targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)',
-+ '(targetattr = "*") (version 3.0;acl "allow tuser";allow (all)(userdn = "ldap:///uid=tuser5,ou=People,dc=example,dc=com");)',
-+ '(targetattr != "uid || mail") (version 3.0; acl "deny-attrs"; deny (all) (userdn = "ldap:///anyone");)',
-+ '(targetfilter = "(inetUserStatus=1)") ( version 3.0; acl "deny-specific-entry"; deny(all) (userdn = "ldap:///anyone");)']
-+
-+aci_list_B = ['(targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)',
-+ '(targetattr != "uid || mail") (version 3.0; acl "deny-attrs"; deny (all) (userdn = "ldap:///anyone");)',
-+ '(targetfilter = "(inetUserStatus=1)") ( version 3.0; acl "deny-specific-entry"; deny(all) (userdn = "ldap:///anyone");)']
-+
-+
-+@pytest.fixture(scope="module")
-+def aci_setup(topo):
-+ topo.standalone.log.info("Add {}".format(BIND_DN))
-+ user = UserAccount(topo.standalone, BIND_DN)
-+ user_props = TEST_USER_PROPERTIES.copy()
-+ user_props.update({'sn': BIND_RDN,
-+ 'cn': BIND_RDN,
-+ 'uid': BIND_RDN,
-+ 'inetUserStatus': '1',
-+ 'objectclass': 'extensibleObject',
-+ 'userpassword': PASSWORD})
-+ user.create(properties=user_props, basedn=SUFFIX)
-+
-+ topo.standalone.log.info("Add {}".format(BIND_DN2))
-+ user2 = UserAccount(topo.standalone, BIND_DN2)
-+ user_props = TEST_USER_PROPERTIES.copy()
-+ user_props.update({'sn': BIND_RDN2,
-+ 'cn': BIND_RDN2,
-+ 'uid': BIND_RDN2,
-+ 'userpassword': PASSWORD})
-+ user2.create(properties=user_props, basedn=SUFFIX)
-+
-+
-+def test_multi_deny_aci(topo, aci_setup):
-+ """Test that mutliple deny rules work, and that they the cache properly
-+ stores the result
-+
-+ :id: 294c366d-850e-459e-b5a0-3cc828ec3aca
-+ :setup: Standalone Instance
-+ :steps:
-+ 1. Add aci_list_A aci's and verify two searches on the same connection
-+ behave the same
-+ 2. Add aci_list_B aci's and verify search fails as expected
-+ :expectedresults:
-+ 1. Both searches do not return any entries
-+ 2. Seaches do not return any entries
-+ """
-+
-+ if DEBUGGING:
-+ # Maybe add aci logging?
-+ pass
-+
-+ suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
-+
-+ for run in range(2):
-+ topo.standalone.log.info("Pass " + str(run + 1))
-+
-+ # Test ACI List A
-+ topo.standalone.log.info("Testing two searches behave the same...")
-+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
-+ suffix.set('aci', aci_list_A, ldap.MOD_REPLACE)
-+ time.sleep(1)
-+
-+ topo.standalone.simple_bind_s(BIND_DN, PASSWORD)
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER)
-+ if entries and entries[0]:
-+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 1")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER)
-+ if entries and entries[0]:
-+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 2")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2)
-+ if entries is None or len(entries) == 0:
-+ topo.standalone.log.fatal("Failed to get entry as good user")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2)
-+ if entries is None or len(entries) == 0:
-+ topo.standalone.log.fatal("Failed to get entry as good user")
-+ assert False
-+
-+ # Bind a different user who has rights
-+ topo.standalone.simple_bind_s(BIND_DN2, PASSWORD)
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2)
-+ if entries is None or len(entries) == 0:
-+ topo.standalone.log.fatal("Failed to get entry as good user")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2)
-+ if entries is None or len(entries) == 0:
-+ topo.standalone.log.fatal("Failed to get entry as good user (2)")
-+ assert False
-+
-+ if run > 0:
-+ # Second pass
-+ topo.standalone.restart()
-+
-+ # Reset ACI's and do the second test
-+ topo.standalone.log.info("Testing search does not return any entries...")
-+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
-+ suffix.set('aci', aci_list_B, ldap.MOD_REPLACE)
-+ time.sleep(1)
-+
-+ topo.standalone.simple_bind_s(BIND_DN, PASSWORD)
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER)
-+ if entries and entries[0]:
-+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 1")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER)
-+ if entries and entries[0]:
-+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 2")
-+ assert False
-+
-+ if run > 0:
-+ # Second pass
-+ topo.standalone.restart()
-+
-+ # Bind as different user who has rights
-+ topo.standalone.simple_bind_s(BIND_DN2, PASSWORD)
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2)
-+ if entries is None or len(entries) == 0:
-+ topo.standalone.log.fatal("Failed to get entry as good user")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2)
-+ if entries is None or len(entries) == 0:
-+ topo.standalone.log.fatal("Failed to get entry as good user (2)")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER)
-+ if entries and entries[0]:
-+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 1")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER)
-+ if entries and entries[0]:
-+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 2")
-+ assert False
-+
-+ # back to user 1
-+ topo.standalone.simple_bind_s(BIND_DN, PASSWORD)
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2)
-+ if entries is None or len(entries) == 0:
-+ topo.standalone.log.fatal("Failed to get entry as user1")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2)
-+ if entries is None or len(entries) == 0:
-+ topo.standalone.log.fatal("Failed to get entry as user1 (2)")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER)
-+ if entries and entries[0]:
-+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 1")
-+ assert False
-+
-+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER)
-+ if entries and entries[0]:
-+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 2")
-+ assert False
-+
-+ topo.standalone.log.info("Test PASSED")
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main(["-s", CURRENT_FILE])
-+
-diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
-index bc154c78f..6d105f4fa 100644
---- a/ldap/servers/plugins/acl/acl.c
-+++ b/ldap/servers/plugins/acl/acl.c
-@@ -1088,9 +1088,23 @@ acl_read_access_allowed_on_entry(
- ** a DENY rule, then we don't have access to
- ** the entry ( nice trick to get in )
- */
-- if (aclpb->aclpb_state &
-- ACLPB_EXECUTING_DENY_HANDLES)
-+ if (aclpb->aclpb_state & ACLPB_EXECUTING_DENY_HANDLES) {
-+ aclEvalContext *c_ContextEval = &aclpb->aclpb_curr_entryEval_context;
-+ AclAttrEval *c_attrEval = NULL;
-+ /*
-+ * The entire entry is blocked, but previously evaluated allow aci's might
-+ * show some of the attributes as readable in the acl cache, so reset all
-+ * the cached attributes' status to FAIL.
-+ */
-+ for (size_t j = 0; j < c_ContextEval->acle_numof_attrs; j++) {
-+ c_attrEval = &c_ContextEval->acle_attrEval[j];
-+ c_attrEval->attrEval_r_status &= ~ACL_ATTREVAL_SUCCESS;
-+ c_attrEval->attrEval_r_status |= ACL_ATTREVAL_FAIL;
-+ c_attrEval->attrEval_s_status &= ~ACL_ATTREVAL_SUCCESS;
-+ c_attrEval->attrEval_s_status |= ACL_ATTREVAL_FAIL;
-+ }
- return LDAP_INSUFFICIENT_ACCESS;
-+ }
-
- /* The other case is I don't have an
- ** explicit allow rule -- which is fine.
-@@ -2908,6 +2922,12 @@ acl__TestRights(Acl_PBlock *aclpb, int access, const char **right, const char **
- result_reason->deciding_aci = NULL;
- result_reason->reason = ACL_REASON_NO_MATCHED_RESOURCE_ALLOWS;
-
-+ /* If we have deny handles we should process them */
-+ if (aclpb->aclpb_num_deny_handles > 0) {
-+ aclpb->aclpb_state &= ~ACLPB_EXECUTING_ALLOW_HANDLES;
-+ aclpb->aclpb_state |= ACLPB_EXECUTING_DENY_HANDLES;
-+ }
-+
- TNF_PROBE_1_DEBUG(acl__TestRights_end, "ACL", "",
- tnf_string, no_allows, "");
-
---
-2.17.0
-
diff --git a/SOURCES/0090-Ticket-49576-ds-replcheck-fix-certificate-directory-.patch b/SOURCES/0090-Ticket-49576-ds-replcheck-fix-certificate-directory-.patch
deleted file mode 100644
index fa70099..0000000
--- a/SOURCES/0090-Ticket-49576-ds-replcheck-fix-certificate-directory-.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From d385d452001c91d01893b5ddc9e47f8200223ce9 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Mon, 11 Jun 2018 11:52:57 -0400
-Subject: [PATCH] Ticket 49576 - ds-replcheck: fix certificate directory
- verification
-
-Description: The tool would crash if you attempted to use a certificate
- directory for conntacting replicas.
-
-https://pagure.io/389-ds-base/issue/49576
-
-Reviewed by: spichugi(Thanks!)
----
- ldap/admin/src/scripts/ds-replcheck | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck
-index 661c9e0ce..62f911034 100755
---- a/ldap/admin/src/scripts/ds-replcheck
-+++ b/ldap/admin/src/scripts/ds-replcheck
-@@ -1225,7 +1225,7 @@ def main():
- # Validate certdir
- opts['certdir'] = None
- if args.certdir:
-- if os.path.exists() and os.path.isdir(certdir):
-+ if os.path.exists(args.certdir) and os.path.isdir(args.certdir):
- opts['certdir'] = args.certdir
- else:
- print("certificate directory ({}) does not exist or is not a directory".format(args.certdir))
---
-2.17.0
-
diff --git a/SOURCES/0091-Ticket-49765-Async-operations-can-hang-when-the-serv.patch b/SOURCES/0091-Ticket-49765-Async-operations-can-hang-when-the-serv.patch
deleted file mode 100644
index a5387aa..0000000
--- a/SOURCES/0091-Ticket-49765-Async-operations-can-hang-when-the-serv.patch
+++ /dev/null
@@ -1,278 +0,0 @@
-From 70e6c68196d381d05d35414c138894b54939d236 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Thu, 7 Jun 2018 16:19:34 +0200
-Subject: [PATCH] Ticket 49765 - Async operations can hang when the server is
- running nunc-stans
-
-Bug Description:
- The fix https://pagure.io/389-ds-base/issue/48184 allowed to schedule
- several NS handlers where each handler waits for the dispatch of the
- previous handler before being schedule.
-
- In case the current handler is never called (connection inactivity)
- those that are waiting can wait indefinitely (until timeout or connection
- closure). But those that are waiting delay the processing of the operation
- when the scheduling is called by connection_threadmain.
-
- The some operations can appear hanging.
- This scenario happens with async operations
-
-Fix Description:
- Instead of waiting for the completion of the scheduled handler,
- evaluates if the scheduled handler needs to be cleared (ns_job_done)
- or the waiting handler to be canceled.
-
-https://pagure.io/389-ds-base/issue/49765
-
-Reviewed by: Mark Reynolds (thanks Mark !)
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
----
- ldap/servers/slapd/daemon.c | 142 +++++++++++++++-------------
- src/nunc-stans/include/nunc-stans.h | 3 +
- src/nunc-stans/ns/ns_thrpool.c | 5 +
- 3 files changed, 84 insertions(+), 66 deletions(-)
-
-diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
-index 35cfe7de0..0a723c4a8 100644
---- a/ldap/servers/slapd/daemon.c
-+++ b/ldap/servers/slapd/daemon.c
-@@ -152,12 +152,21 @@ accept_and_configure(int s __attribute__((unused)), PRFileDesc *pr_acceptfd, PRN
- */
- static int handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, int secure, int local, Connection **newconn);
- static void ns_handle_new_connection(struct ns_job_t *job);
-+static void ns_handle_closure(struct ns_job_t *job);
- static void handle_pr_read_ready(Connection_Table *ct, PRIntn num_poll);
- static int clear_signal(struct POLL_STRUCT *fds);
- static void unfurl_banners(Connection_Table *ct, daemon_ports_t *ports, PRFileDesc **n_tcps, PRFileDesc **s_tcps, PRFileDesc **i_unix);
- static int write_pid_file(void);
- static int init_shutdown_detect(void);
-
-+#define NS_HANDLER_NEW_CONNECTION 0
-+#define NS_HANDLER_READ_CONNECTION 1
-+#define NS_HANDLER_CLOSE_CONNECTION 2
-+static ns_job_func_t ns_handlers[] = {
-+ ns_handle_new_connection,
-+ ns_handle_pr_read_ready,
-+ ns_handle_closure
-+};
- /*
- * NSPR has different implementations for PRMonitor, depending
- * on the availble threading model
-@@ -1058,7 +1067,7 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp)
- for (size_t ii = 0; ii < listeners; ++ii) {
- listener_idxs[ii].ct = the_connection_table; /* to pass to handle_new_connection */
- ns_result_t result = ns_add_io_job(tp, listener_idxs[ii].listenfd, NS_JOB_ACCEPT | NS_JOB_PERSIST | NS_JOB_PRESERVE_FD,
-- ns_handle_new_connection, &listener_idxs[ii], &(listener_idxs[ii].ns_job));
-+ ns_handlers[NS_HANDLER_NEW_CONNECTION], &listener_idxs[ii], &(listener_idxs[ii].ns_job));
- if (result != NS_SUCCESS) {
- slapi_log_err(SLAPI_LOG_CRIT, "slapd_daemon", "ns_add_io_job failed to create add acceptor %d\n", result);
- }
-@@ -1684,28 +1693,84 @@ ns_handle_closure(struct ns_job_t *job)
- /**
- * Schedule more I/O for this connection, or make sure that it
- * is closed in the event loop.
-+ *
- * caller must hold c_mutex
-- * It returns
-- * 0 on success
-- * 1 on need to retry
- */
--static int
--ns_connection_post_io_or_closing_try(Connection *conn)
-+void
-+ns_connection_post_io_or_closing(Connection *conn)
- {
- struct timeval tv;
-
- if (!enable_nunc_stans) {
-- return 0;
-+ return;
- }
-
- /*
- * A job was already scheduled.
-- * Let it be dispatched first
-+ * Check if it is the appropriate one
- */
- if (conn->c_job != NULL) {
-- return 1;
-+ if (connection_is_free(conn, 0)) {
-+ PRStatus shutdown_status;
-+
-+ /* The connection being freed,
-+ * It means that ns_handle_closure already completed and the connection
-+ * is no longer on the active list.
-+ * The scheduled job is useless and scheduling a new one as well
-+ */
-+ shutdown_status = ns_job_done(conn->c_job);
-+ if (shutdown_status != PR_SUCCESS) {
-+ slapi_log_err(SLAPI_LOG_CRIT, "ns_connection_post_io_or_closing", "Failed cancel a job on a freed connection %d !\n", conn->c_sd);
-+ }
-+ conn->c_job = NULL;
-+ return;
-+ }
-+ if (CONN_NEEDS_CLOSING(conn)) {
-+ if (ns_job_is_func(conn->c_job, ns_handlers[NS_HANDLER_CLOSE_CONNECTION])) {
-+ /* Due to the closing state we would schedule a ns_handle_closure
-+ * but one is already registered.
-+ * Just return;
-+ */
-+ slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "Already ns_handle_closure "
-+ "job in progress on conn %" PRIu64 " for fd=%d\n",
-+ conn->c_connid, conn->c_sd);
-+ return;
-+ } else {
-+ /* Due to the closing state we would schedule a ns_handle_closure
-+ * but a different handler is registered. Stop it and schedule (below) ns_handle_closure
-+ */
-+ ns_job_done(conn->c_job);
-+ conn->c_job = NULL;
-+ }
-+ } else {
-+ /* Here the connection is still active => ignore the call and return */
-+ if (ns_job_is_func(conn->c_job, ns_handlers[NS_HANDLER_READ_CONNECTION])) {
-+ /* Connection is still active and a read_ready is already scheduled
-+ * Likely a consequence of async operations
-+ * Just let the current read_ready do its job
-+ */
-+ slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "Already ns_handle_pr_read_ready "
-+ "job in progress on conn %" PRIu64 " for fd=%d\n",
-+ conn->c_connid, conn->c_sd);
-+ } else {
-+ /* Weird situation where the connection is not flagged closing but ns_handle_closure
-+ * is scheduled.
-+ * We should not try to read it anymore
-+ */
-+ PR_ASSERT(ns_job_is_func(conn->c_job, ns_handlers[NS_HANDLER_CLOSE_CONNECTION]));
-+ }
-+ return;
-+ }
- }
-
-+ /* At this point conn->c_job is NULL
-+ * Either it was null when the function was called
-+ * Or we cleared it (+ns_job_done) if the wrong (according
-+ * to the connection state) handler was scheduled
-+ *
-+ * Now we need to determine which handler to schedule
-+ */
-+
- if (CONN_NEEDS_CLOSING(conn)) {
- /* there should only ever be 0 or 1 active closure jobs */
- PR_ASSERT((conn->c_ns_close_jobs == 0) || (conn->c_ns_close_jobs == 1));
-@@ -1718,7 +1783,7 @@ ns_connection_post_io_or_closing_try(Connection *conn)
- conn->c_ns_close_jobs++; /* now 1 active closure job */
- connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */
- /* Close the job asynchronously. Why? */
-- ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handle_closure, conn, &(conn->c_job));
-+ ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handlers[NS_HANDLER_CLOSE_CONNECTION], conn, &(conn->c_job));
- if (job_result != NS_SUCCESS) {
- if (job_result == NS_SHUTDOWN) {
- slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post closure job "
-@@ -1762,7 +1827,7 @@ ns_connection_post_io_or_closing_try(Connection *conn)
- #endif
- ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv,
- NS_JOB_READ | NS_JOB_PRESERVE_FD,
-- ns_handle_pr_read_ready, conn, &(conn->c_job));
-+ ns_handlers[NS_HANDLER_READ_CONNECTION], conn, &(conn->c_job));
- if (job_result != NS_SUCCESS) {
- if (job_result == NS_SHUTDOWN) {
- slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post I/O job for "
-@@ -1782,61 +1847,6 @@ ns_connection_post_io_or_closing_try(Connection *conn)
- return 0;
- }
-
--/*
-- * Tries to schedule I/O for this connection
-- * If the connection is already busy with a scheduled I/O
-- * it can wait until scheduled I/O is dispatched
-- *
-- * caller must hold c_mutex
-- */
--void
--ns_connection_post_io_or_closing(Connection *conn)
--{
-- while (ns_connection_post_io_or_closing_try(conn)) {
-- /* Here a job is currently scheduled (c->job is set) and not yet dispatched
-- * Job can be either:
-- * - ns_handle_closure
-- * - ns_handle_pr_read_ready
-- */
--
-- if (connection_is_free(conn, 0)) {
-- PRStatus shutdown_status;
--
-- /* The connection being freed,
-- * It means that ns_handle_closure already completed and the connection
-- * is no longer on the active list.
-- * The scheduled job is useless and scheduling a new one as well
-- */
-- shutdown_status = ns_job_done(conn->c_job);
-- if (shutdown_status != PR_SUCCESS) {
-- slapi_log_err(SLAPI_LOG_CRIT, "ns_connection_post_io_or_closing", "Failed cancel a job on a freed connection %d !\n", conn->c_sd);
-- }
-- conn->c_job = NULL;
-- return;
-- }
-- if (g_get_shutdown() && CONN_NEEDS_CLOSING(conn)) {
-- PRStatus shutdown_status;
--
-- /* This is shutting down cancel any scheduled job to register ns_handle_closure
-- */
-- shutdown_status = ns_job_done(conn->c_job);
-- if (shutdown_status != PR_SUCCESS) {
-- slapi_log_err(SLAPI_LOG_CRIT, "ns_connection_post_io_or_closing", "Failed to cancel a job during shutdown %d !\n", conn->c_sd);
-- }
-- conn->c_job = NULL;
-- continue;
-- }
--
-- /* We are not suppose to work immediately on the connection that is taken by
-- * another job
-- * release the lock and give some time
-- */
-- PR_ExitMonitor(conn->c_mutex);
-- DS_Sleep(PR_MillisecondsToInterval(100));
-- PR_EnterMonitor(conn->c_mutex);
-- }
--}
--
- /* This function must be called without the thread flag, in the
- * event loop. This function may free the connection. This can
- * only be done in the event loop thread.
-diff --git a/src/nunc-stans/include/nunc-stans.h b/src/nunc-stans/include/nunc-stans.h
-index 192e38ec3..a0ddbdb42 100644
---- a/src/nunc-stans/include/nunc-stans.h
-+++ b/src/nunc-stans/include/nunc-stans.h
-@@ -959,4 +959,7 @@ ns_result_t ns_thrpool_wait(struct ns_thrpool_t *tp);
- */
- ns_result_t ns_job_rearm(struct ns_job_t *job);
-
-+int
-+ns_job_is_func(struct ns_job_t *job, ns_job_func_t func);
-+
- #endif /* NS_THRPOOL_H */
-diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c
-index d95b0c38b..774607c88 100644
---- a/src/nunc-stans/ns/ns_thrpool.c
-+++ b/src/nunc-stans/ns/ns_thrpool.c
-@@ -1237,6 +1237,11 @@ ns_job_rearm(ns_job_t *job)
- /* Unreachable code .... */
- return NS_INVALID_REQUEST;
- }
-+int
-+ns_job_is_func(struct ns_job_t *job, ns_job_func_t func)
-+{
-+ return(job && job->func == func);
-+}
-
- static void
- ns_thrpool_delete(ns_thrpool_t *tp)
---
-2.17.1
-
diff --git a/SOURCES/0092-Ticket-49765-compiler-warning.patch b/SOURCES/0092-Ticket-49765-compiler-warning.patch
deleted file mode 100644
index b28d8d2..0000000
--- a/SOURCES/0092-Ticket-49765-compiler-warning.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 2daf9be2b949b845ce18c355d862ac765a512ba7 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Fri, 8 Jun 2018 14:34:28 +0200
-Subject: [PATCH] Ticket 49765 - compiler warning
-
----
- ldap/servers/slapd/daemon.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
-index 0a723c4a8..01db503dc 100644
---- a/ldap/servers/slapd/daemon.c
-+++ b/ldap/servers/slapd/daemon.c
-@@ -1778,7 +1778,7 @@ ns_connection_post_io_or_closing(Connection *conn)
- slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "Already a close "
- "job in progress on conn %" PRIu64 " for fd=%d\n",
- conn->c_connid, conn->c_sd);
-- return 0;
-+ return;
- } else {
- conn->c_ns_close_jobs++; /* now 1 active closure job */
- connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */
-@@ -1822,7 +1822,7 @@ ns_connection_post_io_or_closing(Connection *conn)
- * The error occurs when we get a connection in a closing state.
- * For now we return, but there is probably a better way to handle the error case.
- */
-- return 0;
-+ return;
- }
- #endif
- ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv,
-@@ -1844,7 +1844,7 @@ ns_connection_post_io_or_closing(Connection *conn)
- conn->c_connid, conn->c_sd);
- }
- }
-- return 0;
-+ return;
- }
-
- /* This function must be called without the thread flag, in the
---
-2.17.1
-
diff --git a/SOURCES/0093-Ticket-49893-disable-nunc-stans-by-default.patch b/SOURCES/0093-Ticket-49893-disable-nunc-stans-by-default.patch
deleted file mode 100644
index cfc5ea5..0000000
--- a/SOURCES/0093-Ticket-49893-disable-nunc-stans-by-default.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 911038990df1357f452b0e38309261faf1de898f Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Wed, 8 Aug 2018 17:19:27 -0400
-Subject: [PATCH] Ticket 49893 - disable nunc-stans by default
-
-Description: Until nunc-stans is stablized we need to disable it
-
-https://pagure.io/389-ds-base/issue/49893
-
-Reviewed by: ?
-
-(cherry picked from commit 2f2d3b1d7e7d847de1bb9ddf2f63e71dbc90f710)
----
- ldap/servers/slapd/libglobs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
-index 3bd5c1826..f8741028d 100644
---- a/ldap/servers/slapd/libglobs.c
-+++ b/ldap/servers/slapd/libglobs.c
-@@ -1681,7 +1681,7 @@ FrontendConfig_init(void)
- cfg->maxbersize = SLAPD_DEFAULT_MAXBERSIZE;
- cfg->logging_backend = slapi_ch_strdup(SLAPD_INIT_LOGGING_BACKEND_INTERNAL);
- cfg->rootdn = slapi_ch_strdup(SLAPD_DEFAULT_DIRECTORY_MANAGER);
-- init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_ON;
-+ init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_OFF;
- #if defined(LINUX)
- init_malloc_mxfast = cfg->malloc_mxfast = DEFAULT_MALLOC_UNSET;
- init_malloc_trim_threshold = cfg->malloc_trim_threshold = DEFAULT_MALLOC_UNSET;
---
-2.17.1
-
diff --git a/SOURCES/0094-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch b/SOURCES/0094-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch
deleted file mode 100644
index 0af0b6f..0000000
--- a/SOURCES/0094-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-From 1013a1bfe0882d213f48e900ab89e00651188489 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 9 Aug 2018 15:27:59 -0400
-Subject: [PATCH] Ticket 49890 : ldapsearch with server side sort crashes the
- ldap server
-
-Bug Description:
- Server side sort with a specified matching rule trigger a crash
-
-Fix Description:
- Check if the we are able to index the provided value.
- If we are not then slapd_qsort returns an error (LDAP_OPERATION_ERROR)
-
-https://pagure.io/389-ds-base/issue/49890
-
-Reviewed by: mreynolds
-
-Platforms tested: F27
-
-Flag Day: no
-
-Doc impact: no
-
-(cherry picked from commit c989e18f7a3da060b16d39919b920b6b2a19a0ac)
----
- dirsrvtests/tests/suites/syntax/mr_test.py | 59 ++++++++++++++++++++++
- ldap/servers/slapd/back-ldbm/sort.c | 14 +++++
- 2 files changed, 73 insertions(+)
- create mode 100644 dirsrvtests/tests/suites/syntax/mr_test.py
-
-diff --git a/dirsrvtests/tests/suites/syntax/mr_test.py b/dirsrvtests/tests/suites/syntax/mr_test.py
-new file mode 100644
-index 000000000..57061222a
---- /dev/null
-+++ b/dirsrvtests/tests/suites/syntax/mr_test.py
-@@ -0,0 +1,59 @@
-+import logging
-+import pytest
-+import os
-+import ldap
-+from lib389.dbgen import dbgen
-+from lib389._constants import *
-+from lib389.topologies import topology_st as topo
-+from lib389._controls import SSSRequestControl
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+
-+def test_sss_mr(topo):
-+ """Test matching rule/server side sort does not crash DS
-+
-+ :id: 48c73d76-1694-420f-ab55-187135f2d260
-+ :setup: Standalone Instance
-+ :steps:
-+ 1. Add sample entries to the database
-+ 2. Perform search using server side control (uid:2.5.13.3)
-+ :expectedresults:
-+ 1. Success
-+ 2. Success
-+ """
-+
-+ log.info("Creating LDIF...")
-+ ldif_dir = topo.standalone.get_ldif_dir()
-+ ldif_file = os.path.join(ldif_dir, 'mr-crash.ldif')
-+ dbgen(topo.standalone, 5, ldif_file, DEFAULT_SUFFIX)
-+
-+ log.info("Importing LDIF...")
-+ topo.standalone.stop()
-+ assert topo.standalone.ldif2db(DEFAULT_BENAME, None, None, None, ldif_file)
-+ topo.standalone.start()
-+
-+ log.info('Search using server side sorting using undefined mr in the attr...')
-+ sort_ctrl = SSSRequestControl(True, ['uid:2.5.13.3'])
-+ controls = [sort_ctrl]
-+ msg_id = topo.standalone.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
-+ "objectclass=*", serverctrls=controls)
-+ try:
-+ rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(msg_id)
-+ except ldap.OPERATIONS_ERROR:
-+ pass
-+
-+ log.info("Test PASSED")
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main(["-s", CURRENT_FILE])
-+
-diff --git a/ldap/servers/slapd/back-ldbm/sort.c b/ldap/servers/slapd/back-ldbm/sort.c
-index 5b84d87f3..70ac60803 100644
---- a/ldap/servers/slapd/back-ldbm/sort.c
-+++ b/ldap/servers/slapd/back-ldbm/sort.c
-@@ -546,6 +546,16 @@ compare_entries_sv(ID *id_a, ID *id_b, sort_spec *s, baggage_carrier *bc, int *e
- /* Now copy it, so the second call doesn't crap on it */
- value_a = slapi_ch_bvecdup(temp_value); /* Really, we'd prefer to not call the chXXX variant...*/
- matchrule_values_to_keys(this_one->mr_pb, actual_value_b, &value_b);
-+
-+ if ((actual_value_a && !value_a) ||
-+ (actual_value_b && !value_b)) {
-+ ber_bvecfree(actual_value_a);
-+ ber_bvecfree(actual_value_b);
-+ CACHE_RETURN(&inst->inst_cache, &a);
-+ CACHE_RETURN(&inst->inst_cache, &b);
-+ *error = 1;
-+ return 0;
-+ }
- if (actual_value_a)
- ber_bvecfree(actual_value_a);
- if (actual_value_b)
-@@ -717,6 +727,8 @@ recurse:
- A[i] >= A[lo] for higuy <= i <= hi */
-
- do {
-+ if (error)
-+ return LDAP_OPERATIONS_ERROR;
- loguy++;
- } while (loguy <= hi && compare_entries_sv(loguy, lo, s, bc, &error) <= 0);
-
-@@ -724,6 +736,8 @@ recurse:
- either loguy > hi or A[loguy] > A[lo] */
-
- do {
-+ if (error)
-+ return LDAP_OPERATIONS_ERROR;
- higuy--;
- } while (higuy > lo && compare_entries_sv(higuy, lo, s, bc, &error) >= 0);
-
---
-2.17.1
-
diff --git a/SOURCES/0095-Ticket-49742-Fine-grained-password-policy-can-impact.patch b/SOURCES/0095-Ticket-49742-Fine-grained-password-policy-can-impact.patch
deleted file mode 100644
index 77d030c..0000000
--- a/SOURCES/0095-Ticket-49742-Fine-grained-password-policy-can-impact.patch
+++ /dev/null
@@ -1,287 +0,0 @@
-From d1c87a502dc969198aa0e6a210e1303ae71bdeae Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Thu, 7 Jun 2018 18:35:34 +0200
-Subject: [PATCH] Ticket 49742 - Fine grained password policy can impact search
- performance
-
-Bug Description:
- new_passwdPolicy is called with an entry DN.
- In case of fine grain password policy we need to retrieve
- the possible password policy (pwdpolicysubentry) that applies to
- that entry.
- It triggers an internal search to retrieve the entry.
-
- In case of a search operation (add_shadow_ext_password_attrs), the
- entry is already in the pblock. So it is useless to do an additional
- internal search for it.
-
-Fix Description:
- in case of fine grain password policy and a SRCH operation,
- if the entry DN matches the entry stored in the pblock (SLAPI_SEARCH_RESULT_ENTRY)
- then use that entry instead of doing an internal search
-
-https://pagure.io/389-ds-base/issue/49742
-
-Reviewed by: Mark Reynolds
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
----
- dirsrvtests/tests/tickets/ticket48228_test.py | 18 +++----
- dirsrvtests/tests/tickets/ticket548_test.py | 18 ++++---
- ldap/servers/slapd/pw.c | 48 +++++++++++++++++--
- 3 files changed, 66 insertions(+), 18 deletions(-)
-
-diff --git a/dirsrvtests/tests/tickets/ticket48228_test.py b/dirsrvtests/tests/tickets/ticket48228_test.py
-index 4f4494e0b..1ab741b94 100644
---- a/dirsrvtests/tests/tickets/ticket48228_test.py
-+++ b/dirsrvtests/tests/tickets/ticket48228_test.py
-@@ -7,6 +7,7 @@
- # --- END COPYRIGHT BLOCK ---
- #
- import logging
-+import time
-
- import pytest
- from lib389.tasks import *
-@@ -33,14 +34,14 @@ def set_global_pwpolicy(topology_st, inhistory):
- topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
- # Enable password policy
- try:
-- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on')])
-+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', b'on')])
- except ldap.LDAPError as e:
- log.error('Failed to set pwpolicy-local: error ' + e.message['desc'])
- assert False
-
- log.info(" Set global password history on\n")
- try:
-- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordHistory', 'on')])
-+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordHistory', b'on')])
- except ldap.LDAPError as e:
- log.error('Failed to set passwordHistory: error ' + e.message['desc'])
- assert False
-@@ -48,7 +49,7 @@ def set_global_pwpolicy(topology_st, inhistory):
- log.info(" Set global passwords in history\n")
- try:
- count = "%d" % inhistory
-- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordInHistory', count)])
-+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordInHistory', count.encode())])
- except ldap.LDAPError as e:
- log.error('Failed to set passwordInHistory: error ' + e.message['desc'])
- assert False
-@@ -113,9 +114,9 @@ def check_passwd_inhistory(topology_st, user, cpw, passwd):
- topology_st.standalone.simple_bind_s(user, cpw)
- time.sleep(1)
- try:
-- topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', passwd)])
-+ topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', passwd.encode())])
- except ldap.LDAPError as e:
-- log.info(' The password ' + passwd + ' of user' + USER1_DN + ' in history: error ' + e.message['desc'])
-+ log.info(' The password ' + passwd + ' of user' + USER1_DN + ' in history: error {0}'.format(e))
- inhistory = 1
- time.sleep(1)
- return inhistory
-@@ -130,7 +131,7 @@ def update_passwd(topology_st, user, passwd, times):
- # Now update the value for this iter.
- cpw = 'password%d' % i
- try:
-- topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', cpw)])
-+ topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', cpw.encode())])
- except ldap.LDAPError as e:
- log.fatal(
- 'test_ticket48228: Failed to update the password ' + cpw + ' of user ' + user + ': error ' + e.message[
-@@ -146,7 +147,6 @@ def test_ticket48228_test_global_policy(topology_st):
- """
- Check global password policy
- """
--
- log.info(' Set inhistory = 6')
- set_global_pwpolicy(topology_st, 6)
-
-@@ -201,7 +201,7 @@ def test_ticket48228_test_global_policy(topology_st):
- log.info("Global policy was successfully verified.")
-
-
--def test_ticket48228_test_subtree_policy(topology_st):
-+def text_ticket48228_text_subtree_policy(topology_st):
- """
- Check subtree level password policy
- """
-@@ -233,7 +233,7 @@ def test_ticket48228_test_subtree_policy(topology_st):
- log.info(' Set inhistory = 4')
- topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
- try:
-- topology_st.standalone.modify_s(SUBTREE_PWP, [(ldap.MOD_REPLACE, 'passwordInHistory', '4')])
-+ topology_st.standalone.modify_s(SUBTREE_PWP, [(ldap.MOD_REPLACE, 'passwordInHistory', b'4')])
- except ldap.LDAPError as e:
- log.error('Failed to set pwpolicy-local: error ' + e.message['desc'])
- assert False
-diff --git a/dirsrvtests/tests/tickets/ticket548_test.py b/dirsrvtests/tests/tickets/ticket548_test.py
-index d354cc802..0d71ab6ca 100644
---- a/dirsrvtests/tests/tickets/ticket548_test.py
-+++ b/dirsrvtests/tests/tickets/ticket548_test.py
-@@ -42,7 +42,7 @@ def set_global_pwpolicy(topology_st, min_=1, max_=10, warn=3):
- log.info(" +++++ Enable global password policy +++++\n")
- # Enable password policy
- try:
-- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on')])
-+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', b'on')])
- except ldap.LDAPError as e:
- log.error('Failed to set pwpolicy-local: error ' + e.message['desc'])
- assert False
-@@ -54,28 +54,28 @@ def set_global_pwpolicy(topology_st, min_=1, max_=10, warn=3):
-
- log.info(" Set global password Min Age -- %s day\n" % min_)
- try:
-- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMinAge', '%s' % min_secs)])
-+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMinAge', ('%s' % min_secs).encode())])
- except ldap.LDAPError as e:
- log.error('Failed to set passwordMinAge: error ' + e.message['desc'])
- assert False
-
- log.info(" Set global password Expiration -- on\n")
- try:
-- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordExp', 'on')])
-+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordExp', b'on')])
- except ldap.LDAPError as e:
- log.error('Failed to set passwordExp: error ' + e.message['desc'])
- assert False
-
- log.info(" Set global password Max Age -- %s days\n" % max_)
- try:
-- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMaxAge', '%s' % max_secs)])
-+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMaxAge', ('%s' % max_secs).encode())])
- except ldap.LDAPError as e:
- log.error('Failed to set passwordMaxAge: error ' + e.message['desc'])
- assert False
-
- log.info(" Set global password Warning -- %s days\n" % warn)
- try:
-- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordWarning', '%s' % warn_secs)])
-+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordWarning', ('%s' % warn_secs).encode())])
- except ldap.LDAPError as e:
- log.error('Failed to set passwordWarning: error ' + e.message['desc'])
- assert False
-@@ -93,6 +93,8 @@ def set_subtree_pwpolicy(topology_st, min_=2, max_=20, warn=6):
- try:
- topology_st.standalone.add_s(Entry((SUBTREE_CONTAINER, {'objectclass': 'top nsContainer'.split(),
- 'cn': 'nsPwPolicyContainer'})))
-+ except ldap.ALREADY_EXISTS:
-+ pass
- except ldap.LDAPError as e:
- log.error('Failed to add subtree container: error ' + e.message['desc'])
- # assert False
-@@ -128,6 +130,8 @@ def set_subtree_pwpolicy(topology_st, min_=2, max_=20, warn=6):
- 'cosPriority': '1',
- 'cn': SUBTREE_COS_TMPLDN,
- 'pwdpolicysubentry': SUBTREE_PWP})))
-+ except ldap.ALREADY_EXISTS:
-+ pass
- except ldap.LDAPError as e:
- log.error('Failed to add COS template: error ' + e.message['desc'])
- # assert False
-@@ -139,6 +143,8 @@ def set_subtree_pwpolicy(topology_st, min_=2, max_=20, warn=6):
- 'cn': SUBTREE_PWPDN,
- 'costemplatedn': SUBTREE_COS_TMPL,
- 'cosAttribute': 'pwdpolicysubentry default operational-default'})))
-+ except ldap.ALREADY_EXISTS:
-+ pass
- except ldap.LDAPError as e:
- log.error('Failed to add COS def: error ' + e.message['desc'])
- # assert False
-@@ -150,7 +156,7 @@ def update_passwd(topology_st, user, passwd, newpasswd):
- log.info(" Bind as {%s,%s}" % (user, passwd))
- topology_st.standalone.simple_bind_s(user, passwd)
- try:
-- topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', newpasswd)])
-+ topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', newpasswd.encode())])
- except ldap.LDAPError as e:
- log.fatal('test_ticket548: Failed to update the password ' + cpw + ' of user ' + user + ': error ' + e.message[
- 'desc'])
-diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
-index 451be364d..10b8e7254 100644
---- a/ldap/servers/slapd/pw.c
-+++ b/ldap/servers/slapd/pw.c
-@@ -1625,6 +1625,10 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- int attr_free_flags = 0;
- int rc = 0;
- int optype = -1;
-+ int free_e = 1; /* reset if e is taken from pb */
-+ if (pb) {
-+ slapi_pblock_get(pb, SLAPI_OPERATION_TYPE, &optype);
-+ }
-
- /* If we already allocated a pw policy, return it */
- if (pb != NULL) {
-@@ -1688,7 +1692,43 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- /* If we're not doing an add, we look for the pwdpolicysubentry
- attribute in the target entry itself. */
- } else {
-- if ((e = get_entry(pb, dn)) != NULL) {
-+ if (optype == SLAPI_OPERATION_SEARCH) {
-+ Slapi_Entry *pb_e;
-+
-+ /* During a search the entry should be in the pblock
-+ * For safety check entry DN is identical to 'dn'
-+ */
-+ slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &pb_e);
-+ if (pb_e) {
-+ Slapi_DN * sdn;
-+ const char *ndn;
-+ char *pb_ndn;
-+
-+ pb_ndn = slapi_entry_get_ndn(pb_e);
-+
-+ sdn = slapi_sdn_new_dn_byval(dn);
-+ ndn = slapi_sdn_get_ndn(sdn);
-+
-+ if (strcasecmp(pb_ndn, ndn) == 0) {
-+ /* We are using the candidate entry that is already loaded in the pblock
-+ * Do not trigger an additional internal search
-+ * Also we will not need to free the entry that will remain in the pblock
-+ */
-+ e = pb_e;
-+ free_e = 0;
-+ } else {
-+ e = get_entry(pb, dn);
-+ }
-+ slapi_sdn_free(&sdn);
-+ } else {
-+ e = get_entry(pb, dn);
-+ }
-+ } else {
-+ /* For others operations but SEARCH */
-+ e = get_entry(pb, dn);
-+ }
-+
-+ if (e) {
- Slapi_Attr *attr = NULL;
- rc = slapi_entry_attr_find(e, "pwdpolicysubentry", &attr);
- if (attr && (0 == rc)) {
-@@ -1718,7 +1758,9 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- }
- }
- slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
-- slapi_entry_free(e);
-+ if (free_e) {
-+ slapi_entry_free(e);
-+ }
-
- if (pw_entry == NULL) {
- slapi_log_err(SLAPI_LOG_ERR, "new_passwdPolicy",
-@@ -1916,7 +1958,7 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- slapi_pblock_set_pwdpolicy(pb, pwdpolicy);
- }
- return pwdpolicy;
-- } else if (e) {
-+ } else if (free_e) {
- slapi_entry_free(e);
- }
- }
---
-2.17.1
-
diff --git a/SOURCES/0096-Bug-1623247-Crash-in-vslapd_log_emergency_error.patch b/SOURCES/0096-Bug-1623247-Crash-in-vslapd_log_emergency_error.patch
deleted file mode 100644
index 81a9a8a..0000000
--- a/SOURCES/0096-Bug-1623247-Crash-in-vslapd_log_emergency_error.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 9d2aa18fb5c48a11300d2309df89213bbdb614e1 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 23 Aug 2018 13:43:36 -0400
-Subject: [PATCH 1/2] Bug 1623247 - Crash in vslapd_log_emergency_error
-
- Description: We were not locking the error log fd before closing and reopening
- the log file. This could cause a crash when multiple threads are
- trying to log tothe errors log.
----
- ldap/servers/slapd/log.c | 22 ++++++++++++++++------
- 1 file changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
-index 998efaef3..90ce6ac0a 100644
---- a/ldap/servers/slapd/log.c
-+++ b/ldap/servers/slapd/log.c
-@@ -2231,11 +2231,11 @@ vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked)
- if (logging_hr_timestamps_enabled == 1) {
- struct timespec tsnow;
- if (clock_gettime(CLOCK_REALTIME, &tsnow) != 0) {
-- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to determine system time for message :: %s", msg);
-+ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to determine system time for message :: %s\n", msg);
- return;
- }
- if (format_localTime_hr_log(tsnow.tv_sec, tsnow.tv_nsec, sizeof(tbuf), tbuf, &size) != 0) {
-- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s", msg);
-+ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s\n", msg);
- return;
- }
- } else {
-@@ -2243,14 +2243,14 @@ vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked)
- time_t tnl;
- tnl = slapi_current_utc_time();
- if (format_localTime_log(tnl, sizeof(tbuf), tbuf, &size) != 0) {
-- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s", msg);
-+ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s\n", msg);
- return;
- }
- #ifdef HAVE_CLOCK_GETTIME
- }
- #endif
-
-- PR_snprintf(buffer, sizeof(buffer), "%s - EMERG - %s", tbuf, msg);
-+ PR_snprintf(buffer, sizeof(buffer), "%s - EMERG - %s\n", tbuf, msg);
- size = strlen(buffer);
-
- if (!locked) {
-@@ -2531,7 +2531,7 @@ vslapd_log_access(char *fmt, va_list ap)
-
- if (SLAPI_LOG_BUFSIZ - blen < vlen) {
- /* We won't be able to fit the message in! Uh-oh! */
-- /* Should we actually just do the snprintf, and warn that message was trunced? */
-+ /* Should we actually just do the snprintf, and warn that message was truncated? */
- log__error_emergency("Insufficent buffer capacity to fit timestamp and message!", 1, 0);
- return -1;
- }
-@@ -4447,6 +4447,13 @@ log__error_emergency(const char *errstr, int reopen, int locked)
- if (!reopen) {
- return;
- }
-+ if (!locked) {
-+ /*
-+ * Take the lock because we are closing and reopening the error log (fd),
-+ * and we don't want any other threads trying to use this fd
-+ */
-+ LOG_ERROR_LOCK_WRITE();
-+ }
- if (NULL != loginfo.log_error_fdes) {
- LOG_CLOSE(loginfo.log_error_fdes);
- }
-@@ -4455,7 +4462,10 @@ log__error_emergency(const char *errstr, int reopen, int locked)
- PRErrorCode prerr = PR_GetError();
- syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr));
- } else {
-- vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked);
-+ vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, 1 /* locked */);
-+ }
-+ if (!locked) {
-+ LOG_ERROR_UNLOCK_WRITE();
- }
- return;
- }
---
-2.17.1
-
diff --git a/SOURCES/0097-Ticket-49768-Under-network-intensive-load-persistent.patch b/SOURCES/0097-Ticket-49768-Under-network-intensive-load-persistent.patch
deleted file mode 100644
index cee161a..0000000
--- a/SOURCES/0097-Ticket-49768-Under-network-intensive-load-persistent.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 2136ba8dd18e72bfbe037517c10187bfe695628f Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Thu, 24 May 2018 15:36:34 +0200
-Subject: [PATCH] Ticket 49768 - Under network intensive load persistent search
- can erronously decrease connection refcnt
-
-Bug Description:
- If a connection enters in turbo mode (because of high traffic) or
- a worker reads several requests in the read buffer (more_data), the thread
- keeps processing connection.
- In that condition it should not decrease the refcnt.
- In case the operation is a persistent search, it decreases systematically
- the refcnt.
- So refcnt can become lower than the actual number of threads active on the connection.
-
- Most of the time it can create messages like
- Attempt to release connection that is not acquired
- In some rare case, if the a connection is out of the active list but a remaining thread
- tries to remove it again it can lead to a crash
-
-Fix Description:
- The fix consist, when processing a PS, to decrease the refcnt at the condition
- the connection is not in turbo mode or in more_data.
-
-https://pagure.io/389-ds-base/issue/49768
-
-Reviewed by: Mark Reynolds
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
----
- ldap/servers/slapd/connection.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index c54e7c26c..1dbb49f06 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1811,9 +1811,17 @@ connection_threadmain()
- slapi_counter_increment(ops_completed);
- /* If this op isn't a persistent search, remove it */
- if (op->o_flags & OP_FLAG_PS) {
-- PR_EnterMonitor(conn->c_mutex);
-- connection_release_nolock(conn); /* psearch acquires ref to conn - release this one now */
-- PR_ExitMonitor(conn->c_mutex);
-+ /* Release the connection (i.e. decrease refcnt) at the condition
-+ * this thread will not loop on it.
-+ * If we are in turbo mode (dedicated to that connection) or
-+ * more_data (continue reading buffered req) this thread
-+ * continues to hold the connection
-+ */
-+ if (!thread_turbo_flag && !more_data) {
-+ PR_EnterMonitor(conn->c_mutex);
-+ connection_release_nolock(conn); /* psearch acquires ref to conn - release this one now */
-+ PR_ExitMonitor(conn->c_mutex);
-+ }
- /* ps_add makes a shallow copy of the pb - so we
- * can't free it or init it here - just set operation to NULL.
- * ps_send_results will call connection_remove_operation_ext to free it
---
-2.17.1
-
diff --git a/SOURCES/0098-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch b/SOURCES/0098-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch
deleted file mode 100644
index f7b8a04..0000000
--- a/SOURCES/0098-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 1bb5fd7fac9c5b93d3dfb8b8a2a648e238a158bc Mon Sep 17 00:00:00 2001
-From: Mark Reynolds <mreynolds@redhat.com>
-Date: Thu, 30 Aug 2018 14:28:10 -0400
-Subject: [PATCH] Ticket 49932 - Crash in delete_passwdPolicy when persistent
- search connections are terminated unexpectedly
-
-Bug Description: We clone a pblock in a psearch search, and under certain
- error conditions this pblock is freed, but it frees the
- password policy struct which can lead to a double free
- when the original pblock is destroyed.
-
-Fix Description: During the cloning, set the pwppolicy struct to NULL
- so the clone allocates its own policy if needed
-
-https://pagure.io/389-ds-base/issue/49932
-
-Reviewed by: ?
-
-(cherry picked from commit 78fc627accacfa4061ce48977e22301f81ea8d73)
----
- ldap/servers/slapd/pblock.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
-index 4514c3ce6..bc18a7b18 100644
---- a/ldap/servers/slapd/pblock.c
-+++ b/ldap/servers/slapd/pblock.c
-@@ -322,6 +322,8 @@ slapi_pblock_clone(Slapi_PBlock *pb)
- if (pb->pb_intop != NULL) {
- _pblock_assert_pb_intop(new_pb);
- *(new_pb->pb_intop) = *(pb->pb_intop);
-+ /* set pwdpolicy to NULL so this clone allocates its own policy */
-+ new_pb->pb_intop->pwdpolicy = NULL;
- }
- if (pb->pb_intplugin != NULL) {
- _pblock_assert_pb_intplugin(new_pb);
---
-2.17.1
-
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 6c9df65..09f1e05 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -38,8 +38,8 @@
Summary: 389 Directory Server (%{variant})
Name: 389-ds-base
-Version: 1.3.7.5
-Release: %{?relprefix}28%{?prerel}%{?dist}
+Version: 1.3.8.4
+Release: %{?relprefix}15%{?prerel}%{?dist}
License: GPLv3+
URL: https://www.port389.org/
Group: System Environment/Daemons
@@ -83,7 +83,7 @@ BuildRequires: libevent-devel
BuildRequires: libtalloc-devel
BuildRequires: libtevent-devel
# For tests!
-#BuildRequires: libcmocka-devel
+BuildRequires: libcmocka-devel
BuildRequires: doxygen
# this is needed for using semanage from our setup scripts
@@ -102,6 +102,7 @@ Requires: perl-Mozilla-LDAP
# this is needed to setup SSL if you are not using the
# administration server package
Requires: nss-tools
+Requires: nss >= 3.34
# these are not found by the auto-dependency method
# they are required to support the mandatory LDAP SASL mechs
@@ -134,8 +135,7 @@ Requires: systemd-libs
Requires: svrcore >= 4.1.3
Requires: python-ldap
-# upgrade path from monolithic % {name} (including -libs & -devel) to % {name} + % {name}-snmp
-Obsoletes: %{name} <= 1.3.5.4
+Obsoletes: %{name} <= 1.3.7.10
%if %{use_tcmalloc}
BuildRequires: gperftools-devel
@@ -146,105 +146,16 @@ Source0: https://releases.pagure.org/389-ds-base/%{name}-%{version}%{?p
# 389-ds-git.sh should be used to generate the source tarball from git
Source1: %{name}-git.sh
Source2: %{name}-devel.README
-Patch00: 0000-Ticket-49305-Need-to-wrap-atomic-calls.patch
-Patch01: 0001-Ticket-49305-Need-to-wrap-atomic-calls.patch
-Patch02: 0002-Ticket-49385-Fix-coverity-warnings.patch
-Patch03: 0003-Ticket-49180-errors-log-filled-with-attrlist_replace.patch
-Patch04: 0004-Ticket-49388-repl-monitor-matches-null-string-many-t.patch
-Patch05: 0005-Ticket-49389-unable-to-retrieve-specific-cosAttribut.patch
-Patch06: 0006-Ticket-49320-Activating-already-active-role-returns-.patch
-Patch07: 0007-Ticket-48235-Remove-memberOf-global-lock.patch
-Patch08: 0008-Ticket-48235-remove-memberof-lock-cherry-pick-error.patch
-Patch09: 0009-Ticket-49394-slapi_pblock_get-may-leave-unchanged-th.patch
-Patch10: 0010-Ticket-49402-Adding-a-database-entry-with-the-same-d.patch
-Patch11: 0011-Ticket-49064-RFE-allow-to-enable-MemberOf-plugin-in-.patch
-Patch12: 0012-Ticket-49378-server-init-fails.patch
-Patch13: 0013-Ticket-49392-memavailable-not-available.patch
-Patch14: 0014-Ticket-48006-Missing-warning-for-invalid-replica-bac.patch
-Patch15: 0015-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch
-Patch16: 0016-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch
-Patch17: 0017-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch
-Patch18: 0018-Ticket-49374-server-fails-to-start-because-maxdisksi.patch
-Patch19: 0019-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch
-Patch20: 0020-Ticket-49401-improve-valueset-sorted-performance-on-.patch
-Patch21: 0021-Ticket-49401-Fix-compiler-incompatible-pointer-types.patch
-Patch22: 0022-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch
-Patch23: 0023-Ticket-49424-Resolve-csiphash-alignment-issues.patch
-Patch24: 0024-Ticket-49436-double-free-in-COS-in-some-conditions.patch
-Patch25: 0025-Ticket-48393-Improve-replication-config-validation.patch
-Patch26: 0026-Ticket-49439-cleanallruv-is-not-logging-information.patch
-Patch27: 0027-Ticket-48393-fix-copy-and-paste-error.patch
-Patch28: 0028-Ticket-49038-remove-legacy-replication-change-cleanu.patch
-Patch29: 0029-Ticket-49454-SSL-Client-Authentication-breaks-in-FIP.patch
-Patch30: 0030-Ticket-49435-Fix-NS-race-condition-on-loaded-test-sy.patch
-Patch31: 0031-Ticket-49410-opened-connection-can-remain-no-longer-.patch
-Patch32: 0032-Ticket-49443-scope-one-searches-in-1.3.7-give-incorr.patch
-Patch33: 0033-Ticket-49441-Import-crashes-with-large-indexed-binar.patch
-Patch34: 0034-Ticket-49441-Import-crashes-oneline-fix.patch
-Patch35: 0035-Ticket-49377-Incoming-BER-too-large-with-TLS-on-plai.patch
-Patch36: 0036-Ticket-48118-At-startup-changelog-can-be-erronously-.patch
-Patch37: 0037-Ticket-48118-fix-compiler-warning-for-incorrect-retu.patch
-Patch38: 0038-Ticket-49298-Correct-error-codes-with-config-restore.patch
-Patch39: 0039-Ticket-49474-sasl-allow-mechs-does-not-operate-corre.patch
-Patch40: 0040-Ticket-49470-overflow-in-pblock_get.patch
-Patch41: 0041-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch
-Patch42: 0042-Ticket-49298-fix-complier-warn.patch
-Patch43: 0043-Ticket-49495-Fix-memory-management-is-vattr.patch
-Patch44: 0044-Ticket-48184-close-connections-at-shutdown-cleanly.patch
-Patch45: 0045-Ticket-49509-Indexing-of-internationalized-matching-.patch
-Patch46: 0046-Ticket-49493-heap-use-after-free-in-csn_as_string.patch
-Patch47: 0047-Ticket-49524-Password-policy-minimum-token-length-fa.patch
-Patch48: 0048-Ticket-49446-cleanallruv-should-ignore-cleaned-repli.patch
-Patch49: 0049-Ticket-49413-Changelog-trimming-ignores-disabled-rep.patch
-Patch50: 0050-Ticket-49278-GetEffectiveRights-gives-false-negative.patch
-Patch51: 0051-Ticket-49531-coverity-issues-fix-memory-leaks.patch
-Patch52: 0052-Ticket-49529-Fix-Coverity-warnings-invalid-deference.patch
-Patch53: 0053-Ticket-49463-After-cleanALLruv-there-is-a-flow-of-ke.patch
-Patch54: 0054-Ticket-49532-coverity-issues-fix-compiler-warnings-c.patch
-Patch55: 0055-Ticket-49523-memberof-schema-violation-error-message.patch
-Patch56: 0056-Ticket-49534-Fix-coverity-issues-and-regression.patch
-Patch57: 0057-Ticket-49370-Add-all-the-password-policy-defaults-to.patch
-Patch58: 0058-Ticket-49541-repl-config-should-not-allow-rid-65535-.patch
-Patch59: 0059-CVE-2017-15134-crash-in-slapi_filter_sprintf.patch
-Patch60: 0060-Ticket-49534-Fix-coverity-regression.patch
-Patch61: 0061-Ticket-49541-Replica-ID-config-validation-fix.patch
-Patch62: 0062-Ticket-49370-Crash-when-using-a-global-and-local-pw.patch
-Patch63: 0063-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch
-Patch64: 0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch
-Patch65: 0065-Ticket-bz1525628-invalid-password-migration-causes-u.patch
-Patch66: 0066-Ticket-49545-final-substring-extended-filter-search-.patch
-Patch67: 0067-Ticket-49551-v3-correct-handling-of-numsubordinates-.patch
-Patch68: 0068-Ticket-49551-fix-memory-leak-found-by-coverity.patch
-Patch69: 0069-Ticket-48184-revert-previous-patch-around-nunc-stans.patch
-Patch70: 0070-Ticket-49619-adjustment-of-csn_generator-can-fail-so.patch
-Patch71: 0071-Ticket-49161-memberof-fails-if-group-is-moved-into-s.patch
-Patch72: 0072-Ticket-49296-Fix-race-condition-in-connection-code-w.patch
-Patch73: 0073-Ticket-49540-Indexing-task-is-reported-finished-too-.patch
-Patch74: 0074-Ticket-49566-ds-replcheck-needs-to-work-with-hidden-.patch
-Patch75: 0075-Ticket-49460-replica_write_ruv-log-a-failure-even-wh.patch
-Patch76: 0076-Ticket-49631-same-csn-generated-twice.patch
-Patch77: 0077-CVE-2018-1089-Crash-from-long-search-filter.patch
-Patch78: 0078-Ticket-49649.patch
-Patch79: 0079-Ticket-49665-Upgrade-script-doesn-t-enable-PBKDF2-pa.patch
-Patch80: 0080-Ticket-49665-Upgrade-script-doesn-t-enable-CRYPT-pas.patch
-Patch81: 0081-Ticket-49671-Readonly-replicas-should-not-write-inte.patch
-Patch82: 0082-Ticket-49696-replicated-operations-should-be-seriali.patch
-Patch83: 0083-Ticket-48184-clean-up-and-delete-connections-at-shut.patch
-Patch84: 0084-Ticket-49576-Update-ds-replcheck-for-new-conflict-en.patch
-Patch85: 0085-Ticket-49576-Add-support-of-deletedattribute-in-ds-r.patch
-Patch86: 0086-Ticket-49726-DS-only-accepts-RSA-and-Fortezza-cipher.patch
-Patch87: 0087-Ticket-48184-clean-up-and-delete-connections-at-shut.patch
-Patch88: 0088-Ticket-49736-Hardening-of-active-connection-list.patch
-Patch89: 0089-Ticket-49652-DENY-aci-s-are-not-handled-properly.patch
-Patch90: 0090-Ticket-49576-ds-replcheck-fix-certificate-directory-.patch
-Patch91: 0091-Ticket-49765-Async-operations-can-hang-when-the-serv.patch
-Patch92: 0092-Ticket-49765-compiler-warning.patch
-Patch93: 0093-Ticket-49893-disable-nunc-stans-by-default.patch
-Patch94: 0094-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch
-Patch95: 0095-Ticket-49742-Fine-grained-password-policy-can-impact.patch
-Patch96: 0096-Bug-1623247-Crash-in-vslapd_log_emergency_error.patch
-Patch97: 0097-Ticket-49768-Under-network-intensive-load-persistent.patch
-Patch98: 0098-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch
+Patch00: 0000-Ticket-49830-Import-fails-if-backend-name-is-default.patch
+Patch01: 0001-Ticket-48818-For-a-replica-bindDNGroup-should-be-fet.patch
+Patch02: 0002-Ticket-49546-Fix-issues-with-MIB-file.patch
+Patch03: 0003-Ticket-49840-ds-replcheck-command-returns-traceback-.patch
+Patch04: 0004-Ticket-49893-disable-nunc-stans-by-default.patch
+Patch05: 0005-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch
+Patch06: 0006-Bug-1614820-Crash-in-vslapd_log_emergency_error.patch
+Patch07: 0007-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch
+Patch08: 0008-Bug-1624004-potential-denial-of-service-attack.patch
+Patch09: 0009-Bug-1624004-fix-regression-in-empty-attribute-list.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -267,6 +178,7 @@ BuildRequires: libtevent-devel
BuildRequires: systemd-devel
%if %{use_asan}
Requires: libasan
+Requires: llvm
%endif
@@ -296,7 +208,7 @@ Development Libraries and headers for the 389 Directory Server base package.
Summary: SNMP Agent for 389 Directory Server
Group: System Environment/Daemons
Requires: %{name} = %{version}-%{release}
-Obsoletes: %{name} <= 1.3.6.0
+Obsoletes: %{name} <= 1.3.7.10
%description snmp
SNMP Agent for the 389 Directory Server base package.
@@ -336,7 +248,7 @@ autoreconf -fiv
--with-systemdsystemconfdir=%{_sysconfdir}/systemd/system \
--with-perldir=/usr/bin \
--with-systemdgroupname=%{groupname} $NSSARGS \
- --with-systemd $TCMALLOC_FLAGS $ASAN_FLAGS
+ --with-systemd --enable-cmocka $TCMALLOC_FLAGS $ASAN_FLAGS
# Generate symbolic info for debuggers
export XCFLAGS=$RPM_OPT_FLAGS
@@ -382,10 +294,10 @@ popd
# make sure perl scripts have a proper shebang
sed -i -e 's|#{{PERL-EXEC}}|#!/usr/bin/perl|' $RPM_BUILD_ROOT%{_datadir}/%{pkgname}/script-templates/template-*.pl
-## exclude 32-bit platforms from running tests
+# exclude 32-bit platforms from running tests
%if %{_arch} != "s390x" && %{_arch} != "s390" && %{_arch} != "i386" && %{_arch} != "ppc"
%check
-## This checks the code, if it fails it prints why, then re-raises the fail to shortcircuit the rpm build#.
+# This checks the code, if it fails it prints why, then re-raises the fail to shortcircuit the rpm build.
if ! make DESTDIR="$RPM_BUILD_ROOT" check; then cat ./test-suite.log && false; fi
%endif
@@ -407,16 +319,15 @@ if [ -n "$DEBUGPOSTTRANS" ] ; then
output2=${DEBUGPOSTTRANS}.upgrade
fi
-# Soft static allocation for UID and GID
+# Create dirsrv user and group (if needed)
USERNAME="dirsrv"
-ALLOCATED_UID=389
GROUPNAME="dirsrv"
-ALLOCATED_GID=389
HOMEDIR="/usr/share/dirsrv"
-
-getent group $GROUPNAME >/dev/null || /usr/sbin/groupadd -f -g $ALLOCATED_GID -r $GROUPNAME
+if ! getent group $GROUPNAME >/dev/null ; then
+ /usr/sbin/groupadd -f -r $GROUPNAME
+fi
if ! getent passwd $USERNAME >/dev/null ; then
- /usr/sbin/useradd -r -u $ALLOCATED_UID -g $GROUPNAME -d $HOMEDIR -s /sbin/nologin -c "user for 389-ds-base" $USERNAME
+ /usr/sbin/useradd -r -g $GROUPNAME -d $HOMEDIR -s /sbin/nologin -c "user for 389-ds-base" $USERNAME
fi
# Reload our sysctl before we restart (if we can)
@@ -489,7 +400,6 @@ fi
%systemd_postun_with_restart %{pkgname}-snmp.service
%files
-%defattr(-,root,root,-)
%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl
%dir %{_sysconfdir}/%{pkgname}
%dir %{_sysconfdir}/%{pkgname}/schema
@@ -564,7 +474,6 @@ fi
%exclude %{_unitdir}/%{pkgname}-snmp.service
%files devel
-%defattr(-,root,root,-)
%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel
%{_includedir}/%{pkgname}
%{_libdir}/%{pkgname}/libslapd.so
@@ -576,7 +485,6 @@ fi
%{_libdir}/pkgconfig/*
%files libs
-%defattr(-,root,root,-)
%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel
%dir %{_libdir}/%{pkgname}
%{_libdir}/%{pkgname}/libslapd.so.*
@@ -586,7 +494,6 @@ fi
%{_libdir}/%{pkgname}/libldaputil.so.*
%files snmp
-%defattr(-,root,root,-)
%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel
%config(noreplace)%{_sysconfdir}/%{pkgname}/config/ldap-agent.conf
%{_sbindir}/ldap-agent*
@@ -594,64 +501,79 @@ fi
%{_unitdir}/%{pkgname}-snmp.service
%files tests
-%defattr(-,root,root,-)
%doc LICENSE LICENSE.GPLv3+
%{_sysconfdir}/%{pkgname}/dirsrvtests
%changelog
-* Thu Sep 13 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-28
-- Bump version to 1.3.7.5-28
-- Resolves: Bug 1628676 - 389-ds-base: race condition on reference counter leads to DoS using persistent search
-- Resolves: Bug 1628677 - Crash in delete_passwdPolicy when persistent search connections are terminated unexpectedly
-
-* Wed Aug 29 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-27
-- Bump version to 1.3.7.5-27
-- Resolves: Bug 1623247 - Crash in vslapd_log_emergency_error
-
-* Tue Aug 14 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-26
-- Bump version to 1.3.7.5-26
-- Resolves: Bug 1615924 - Fine grained password policy can impact search performance
-- Resolves: Bug 1614836 - Disable nunc-stans by default
-- Resolves: Bug 1614861 - ldapsearch with server side sort crashes the ldap server
-
-* Tue Jul 3 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-25
-- Bump version to 1.3.7.5-25
-- Resolves: Bug 1597530 - Async operations can hang when the server is running nunc-stans
-
-* Wed Jun 13 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-24
-- Bump version to 1.3.7.5-24
-- Resolves: Bug 1580257 - Fix certificate directory verification
-
-* Fri Jun 1 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-23
-- Bump version to 1.3.7.5-23
-- Resolves: Bug 1581588 - ACI deny rules do not work correctly
-- Resolves: Bug 1582747 - DS only accepts RSA and Fortezza cipher families
-
-* Mon May 21 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-22
-- Bump version to 1.3.5.7-22
-- Resolves: Bug 1563079 - adjustment of csn_generator can fail so next generated csn can be equal to the most recent one received
-- Resolves: Bug 1579702 - Replication stops working when MemberOf plugin is enabled on hub and consumer
-- Resolves: Bug 1579698 - replicated operations should be serialized
-- Resolves: Bug 1579700 - Upgrade script doesn't enable PBKDF password storage plug-in
-- Resolves: Bug 1580257 - ds-replcheck LDIF comparision fails when checking for conflicts
-- Resolves: Bug 1580523 - ns-slapd segfaults with ERR - connection_release_nolock_ext - conn=0 fd=0 Attempt to release connection that is not acquired
-
-* Thu Apr 5 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-21
-- Bump version to 1.3.7.5-21
-- Resolves: Bug 1559818 - EMBARGOED CVE-2018-1089 389-ds-base: ns-slapd crash via large filter value in ldapsearch
-
-* Wed Apr 4 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-20
-- Bump version to 1.3.7.5-20
-- Resolves: Bug 1563079 - adjustment of csn_generator can fail so next generated csn can be equal to the most recent one received
-- Resolves: Bug 1559764 - memberof fails if group is moved into scope
-- Resolves: Bug 1554720 - "Truncated search results" pop-up appears in user details in WebUI
-- Resolves: Bug 1553605 - ipa-server-install fails with Error: Upgrade failed with no such entry
-- Resolves: Bug 1559760 - ds-replcheck: add -W option to ask for the password from stdin instead of passing it on command line
-- Resolves: Bug 1559464 - replica_write_ruv log a failure even when it succeeds
-
-* Tue Apr 3 2018 Matus Honek <mhonek@redhat.com> - 1.3.7.5-19
-- Bump version to 1.3.7.5-19
-- Resolves: Bug 1563107 - IPA server is not responding, all authentication and admin tests failed [rhel-7.5.z]
+* Wed Sep 19 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-15
+- Bump version to 1.3.8.4-15
+- Resolves: Bug 1624004 - Fix regression in last patch
+
+* Tue Sep 18 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-14
+- Bump version to 1.3.8.4-14
+- Resolves: Bug 1624004 - potential denial of service attack
+
+* Fri Aug 31 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-13
+- Bump version to 1.3.8.4-13
+- Resolves: Bug 1623949 - Crash in delete_passwdPolicy when persistent search connections are terminated unexpectedly
+
+* Thu Aug 23 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-12
+- Bump version to 1.3.8.4-12
+- Resolves: Bug 1616412 - filter optimization fix causes regression(fix reverted)
+
+* Thu Aug 23 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-11
+- Bump version to 1.3.8.4-11
+- Resolves: Bug 1614820 - Server crash through modify command with large DN
+
+* Fri Aug 10 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-10
+- Bump verison to 1.3.8.4-10
+- Resolves: Bug 1614501 - Disable nunc-stans by default
+- Resolves: Bug 1607078 - ldapsearch with server side sort crashes the ldap server
+
+* Tue Jul 24 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-9
+- Bump version to 1.3.8.4-9
+- Resolves: Bug 1594484 - setup-ds.pl not able to handle/create the user "dirsrv" if there is an already existing user with the UID/GID 389 on the machine.
+
+* Mon Jul 23 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-8
+- Bump version to 1.3.8.4-8
+- Resolves: Bug 1594484 - setup-ds.pl not able to handle/create the user "dirsrv" if there is an already existing user with the UID/GID 389 on the machine.
+
+* Mon Jul 16 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-7
+- Bump version to 1.3.8.4-7
+- Resolves: Bug 1595766 - backout this fix for now because it breaks FreeIPA (removed patch file all together)
+
+* Mon Jul 16 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-6
+- Bump version to 1.3.8.4-6
+- Resolves: Bug 1595766 - backout this fix for now because it breaks FreeIPA
+
+* Mon Jul 16 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-5
+- Bump version to 1.3.8.4-5
+- Resolves: Bug 1595766 - CVE-2018-10871 389-ds-base: replication and the Retro Changelog plugin store plaintext password by default
+
+* Mon Jul 16 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-4
+- Bump version to 1.3.8.4-4
+- Resolves: Bug 1597384 - Async operations can hang when the server is running nunc-stans
+- Resolves: Bug 1598186 - A search with the scope "one" returns a non-matching entry
+- Resolves: Bug 1598718 - import fails if backend name is "default"
+- Resolves: Bug 1598478 - If a replica is created with a bindDNGroup, this group is taken into account only after bindDNGroupCheckInterval seconds
+- Resolves: Bug 1525256 - Invalid SNMP MIB for 389 DS
+- Resolves: Bug 1597518 - ds-replcheck command returns traceback errors against ldif files having garbage content when run in offline mode
+
+* Mon Jun 25 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-3
+- Bump version to 1.3.8.4-3
+- Resolves: Bug 1594484 - setup-ds.pl not able to handle/create the user "dirsrv" if there is an already existing user with the UID/GID 389 on the machine.
+
+* Mon Jun 25 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-2
+- Bump version to 1.3.8.4-2
+- Resolves: Bug 1594484 - setup-ds.pl not able to handle/create the user "dirsrv" if there is an already existing user with the UID/GID 389 on the machine.
+
+* Thu Jun 21 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.4-1
+- Bump version to 1.3.8.4-1
+- Resolves: Bug 1560653 - Rebase 389-ds-base in RHEL 7.6 to 1.3.8
+
+* Thu May 24 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.8.2-1
+- Bump version to 1.3.8.2-1
+- Resolves: Bug 1560653 - Rebase 389-ds-base in RHEL 7.6 to 1.3.8
* Mon Feb 12 2018 Mark Reynolds <mreynolds@redhat.com> - 1.3.7.5-18
- Bump version to 1.3.7.5-18