diff --git a/SOURCES/0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch b/SOURCES/0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch
new file mode 100644
index 0000000..b0bc6a8
--- /dev/null
+++ b/SOURCES/0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch
@@ -0,0 +1,263 @@
+From 9a8ee0954699da05501ded2900a834584346ef85 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Mon, 25 Nov 2019 10:59:44 +0100
+Subject: [PATCH] Ticket 50736 - RetroCL trimming may crash at shutdown if
+ trimming configuration is invalid
+
+Bug Description:
+ If config of retroCL trimming contains invalid value for trim-interval
+ and/or maxage, then the trimming initialization is skipped.
+ In such case the trimming structures are not allocated and if they
+ are freed at shutdown it triggers a crash
+
+Fix Description:
+ When trimming mechanism is stopped (at shutdown) check that
+ it was successfully initialized before freeing the structs
+
+https://pagure.io/389-ds-base/issue/50736
+
+Reviewed by: Mark Reynolds
+
+Platforms tested: F30
+
+Flag Day: no
+
+Doc impact: no
+---
+ .../suites/replication/changelog_test.py | 185 ++++++++++++++++++
+ ldap/servers/plugins/retrocl/retrocl_trim.c | 17 +-
+ 2 files changed, 196 insertions(+), 6 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/replication/changelog_test.py b/dirsrvtests/tests/suites/replication/changelog_test.py
+index 0b6b886f3..0d3e85bb2 100755
+--- a/dirsrvtests/tests/suites/replication/changelog_test.py
++++ b/dirsrvtests/tests/suites/replication/changelog_test.py
+@@ -16,6 +16,12 @@ from lib389.replica import Replicas
+ from lib389.idm.user import UserAccounts
+ from lib389.topologies import topology_m2 as topo
+ from lib389._constants import *
++from lib389.plugins import RetroChangelogPlugin
++from lib389.dseldif import DSEldif
++from lib389.tasks import *
++from lib389.utils import *
++
++pytestmark = pytest.mark.tier1
+
+ TEST_ENTRY_NAME = 'replusr'
+ NEW_RDN_NAME = 'cl5usr'
+@@ -235,6 +241,185 @@ def test_verify_changelog_offline_backup(topo):
+ _check_changelog_ldif(topo, changelog_ldif)
+
+
++@pytest.mark.ds47669
++def test_changelog_maxage(topo, changelog_init):
++ """Check nsslapd-changelog max age values
++
++ :id: d284ff27-03b2-412c-ac74-ac4f2d2fae3b
++ :setup: Replication with two master, change nsslapd-changelogdir to
++ '/var/lib/dirsrv/slapd-master1/changelog' and
++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on'
++ :steps:
++ 1. Set nsslapd-changelogmaxage in cn=changelog5,cn=config to values - '12345','10s','30M','12h','2D','4w'
++ 2. Set nsslapd-changelogmaxage in cn=changelog5,cn=config to values - '-123','xyz'
++
++ :expectedresults:
++ 1. Operation should be successful
++ 2. Operation should be unsuccessful
++ """
++ log.info('1. Test nsslapd-changelogmaxage in cn=changelog5,cn=config')
++
++ # bind as directory manager
++ topo.ms["master1"].log.info("Bind as %s" % DN_DM)
++ topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD)
++
++ add_and_check(topo, CHANGELOG, MAXAGE, '12345', True)
++ add_and_check(topo, CHANGELOG, MAXAGE, '10s', True)
++ add_and_check(topo, CHANGELOG, MAXAGE, '30M', True)
++ add_and_check(topo, CHANGELOG, MAXAGE, '12h', True)
++ add_and_check(topo, CHANGELOG, MAXAGE, '2D', True)
++ add_and_check(topo, CHANGELOG, MAXAGE, '4w', True)
++ add_and_check(topo, CHANGELOG, MAXAGE, '-123', False)
++ add_and_check(topo, CHANGELOG, MAXAGE, 'xyz', False)
++
++
++@pytest.mark.ds47669
++def test_ticket47669_changelog_triminterval(topo, changelog_init):
++ """Check nsslapd-changelog triminterval values
++
++ :id: 8f850c37-7e7c-49dd-a4e0-9344638616d6
++ :setup: Replication with two master, change nsslapd-changelogdir to
++ '/var/lib/dirsrv/slapd-master1/changelog' and
++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on'
++ :steps:
++ 1. Set nsslapd-changelogtrim-interval in cn=changelog5,cn=config to values -
++ '12345','10s','30M','12h','2D','4w'
++ 2. Set nsslapd-changelogtrim-interval in cn=changelog5,cn=config to values - '-123','xyz'
++
++ :expectedresults:
++ 1. Operation should be successful
++ 2. Operation should be unsuccessful
++ """
++ log.info('2. Test nsslapd-changelogtrim-interval in cn=changelog5,cn=config')
++
++ # bind as directory manager
++ topo.ms["master1"].log.info("Bind as %s" % DN_DM)
++ topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD)
++
++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '12345', True)
++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '10s', True)
++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '30M', True)
++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '12h', True)
++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '2D', True)
++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '4w', True)
++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '-123', False)
++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, 'xyz', False)
++
++
++@pytest.mark.ds47669
++def test_changelog_compactdbinterval(topo, changelog_init):
++ """Check nsslapd-changelog compactdbinterval values
++
++ :id: 0f4b3118-9dfa-4c2a-945c-72847b42a48c
++ :setup: Replication with two master, change nsslapd-changelogdir to
++ '/var/lib/dirsrv/slapd-master1/changelog' and
++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on'
++ :steps:
++ 1. Set nsslapd-changelogcompactdb-interval in cn=changelog5,cn=config to values -
++ '12345','10s','30M','12h','2D','4w'
++ 2. Set nsslapd-changelogcompactdb-interval in cn=changelog5,cn=config to values -
++ '-123','xyz'
++
++ :expectedresults:
++ 1. Operation should be successful
++ 2. Operation should be unsuccessful
++ """
++ log.info('3. Test nsslapd-changelogcompactdb-interval in cn=changelog5,cn=config')
++
++ # bind as directory manager
++ topo.ms["master1"].log.info("Bind as %s" % DN_DM)
++ topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD)
++
++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '12345', True)
++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '10s', True)
++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '30M', True)
++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '12h', True)
++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '2D', True)
++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '4w', True)
++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '-123', False)
++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, 'xyz', False)
++
++
++@pytest.mark.ds47669
++def test_retrochangelog_maxage(topo, changelog_init):
++ """Check nsslapd-retrochangelog max age values
++
++ :id: 0cb84d81-3e86-4dbf-84a2-66aefd8281db
++ :setup: Replication with two master, change nsslapd-changelogdir to
++ '/var/lib/dirsrv/slapd-master1/changelog' and
++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on'
++ :steps:
++ 1. Set nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config to values -
++ '12345','10s','30M','12h','2D','4w'
++ 2. Set nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config to values -
++ '-123','xyz'
++
++ :expectedresults:
++ 1. Operation should be successful
++ 2. Operation should be unsuccessful
++ """
++ log.info('4. Test nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config')
++
++ # bind as directory manager
++ topo.ms["master1"].log.info("Bind as %s" % DN_DM)
++ topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD)
++
++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '12345', True)
++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '10s', True)
++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '30M', True)
++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '12h', True)
++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '2D', True)
++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '4w', True)
++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '-123', False)
++ add_and_check(topo, RETROCHANGELOG, MAXAGE, 'xyz', False)
++
++ topo.ms["master1"].log.info("ticket47669 was successfully verified.")
++
++@pytest.mark.ds50736
++def test_retrochangelog_trimming_crash(topo, changelog_init):
++ """Check that when retroCL nsslapd-retrocthangelog contains invalid
++ value, then the instance does not crash at shutdown
++
++ :id: 5d9bd7ca-e9bf-4be9-8fc8-902aa5513052
++ :setup: Replication with two master, change nsslapd-changelogdir to
++ '/var/lib/dirsrv/slapd-master1/changelog' and
++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on'
++ :steps:
++ 1. Set nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config to value '-1'
++ This value is invalid. To disable retroCL trimming it should be set to 0
++ 2. Do several restart
++ 3. check there is no 'Detected Disorderly Shutdown' message (crash)
++ 4. restore valid value for nsslapd-changelogmaxage '1w'
++
++ :expectedresults:
++ 1. Operation should be successful
++ 2. Operation should be successful
++ 3. Operation should be successful
++ 4. Operation should be successful
++ """
++ log.info('1. Test retroCL trimming crash in cn=Retro Changelog Plugin,cn=plugins,cn=config')
++
++ # set the nsslapd-changelogmaxage directly on dse.ldif
++ # because the set value is invalid
++ topo.ms["master1"].log.info("ticket50736 start verification")
++ topo.ms["master1"].stop()
++ retroPlugin = RetroChangelogPlugin(topo.ms["master1"])
++ dse_ldif = DSEldif(topo.ms["master1"])
++ dse_ldif.replace(retroPlugin.dn, 'nsslapd-changelogmaxage', '-1')
++ topo.ms["master1"].start()
++
++ # The crash should be systematic, but just in case do several restart
++ # with a delay to let all plugin init
++ for i in range(5):
++ time.sleep(1)
++ topo.ms["master1"].stop()
++ topo.ms["master1"].start()
++
++ assert not topo.ms["master1"].detectDisorderlyShutdown()
++
++ topo.ms["master1"].log.info("ticket 50736 was successfully verified.")
++
++
+ if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+diff --git a/ldap/servers/plugins/retrocl/retrocl_trim.c b/ldap/servers/plugins/retrocl/retrocl_trim.c
+index a46534984..0378eb7f6 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_trim.c
++++ b/ldap/servers/plugins/retrocl/retrocl_trim.c
+@@ -481,11 +481,16 @@ retrocl_init_trimming(void)
+ void
+ retrocl_stop_trimming(void)
+ {
+- retrocl_trimming = 0;
+- if (retrocl_trim_ctx) {
+- slapi_eq_cancel(retrocl_trim_ctx);
+- retrocl_trim_ctx = NULL;
++ if (retrocl_trimming) {
++ /* RetroCL trimming config was valid and trimming struct allocated
++ * Let's free them
++ */
++ retrocl_trimming = 0;
++ if (retrocl_trim_ctx) {
++ slapi_eq_cancel(retrocl_trim_ctx);
++ retrocl_trim_ctx = NULL;
++ }
++ PR_DestroyLock(ts.ts_s_trim_mutex);
++ ts.ts_s_trim_mutex = NULL;
+ }
+- PR_DestroyLock(ts.ts_s_trim_mutex);
+- ts.ts_s_trim_mutex = NULL;
+ }
+--
+2.21.1
+
diff --git a/SOURCES/0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch b/SOURCES/0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch
new file mode 100644
index 0000000..0eeb397
--- /dev/null
+++ b/SOURCES/0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch
@@ -0,0 +1,37 @@
+From 37449e509f4a4253bacea57adf6c1d860eaaf1bb Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Fri, 2 Aug 2019 12:07:07 -0400
+Subject: [PATCH] Issue 50529 - LDAP server returning PWP controls in
+ different sequence
+
+Description: The server returns password policy controls in different orders
+ depending on the state of grace logins. The requested control,
+ if any, should be returned first, followed by any controls the
+ server might add.
+
+relates: https://pagure.io/389-ds-base/issue/50529
+
+Reviewed by: mreynolds (one line commit rule)
+---
+ ldap/servers/slapd/pw_mgmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
+index befac50cd..ca76fc12f 100644
+--- a/ldap/servers/slapd/pw_mgmt.c
++++ b/ldap/servers/slapd/pw_mgmt.c
+@@ -207,10 +207,10 @@ skip:
+
+ /* password expired and user exceeded limit of grace attemps.
+ * Send result and also the control */
+- slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
+ if (pwresponse_req) {
+ slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED);
+ }
++ slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
+ slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
+ "password expired!", 0, NULL);
+
+--
+2.21.1
+
diff --git a/SOURCES/0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch b/SOURCES/0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch
new file mode 100644
index 0000000..4441022
--- /dev/null
+++ b/SOURCES/0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch
@@ -0,0 +1,153 @@
+From c0f3b0c3c95aad6b67a80643bbf389acf7aa191d Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@redhat.com>
+Date: Thu, 29 Aug 2019 15:51:56 +0200
+Subject: [PATCH] Issue 50572 - After running cl-dump dbdir/cldb/*ldif.done are
+ not deleted
+
+Description: By default, remove ldif.done files after running cl-dump.
+Add an option '-l' which allows keep the files.
+Update man files.
+
+https://pagure.io/389-ds-base/issue/50572
+
+Reviewed by: firstyear, mreynolds (Thanks!)
+---
+ ldap/admin/src/scripts/cl-dump.pl | 23 +++++++++++++++--------
+ man/man1/cl-dump.1 | 11 +++++++----
+ 2 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/ldap/admin/src/scripts/cl-dump.pl b/ldap/admin/src/scripts/cl-dump.pl
+index f4ad5dd33..2e7f20413 100755
+--- a/ldap/admin/src/scripts/cl-dump.pl
++++ b/ldap/admin/src/scripts/cl-dump.pl
+@@ -5,7 +5,7 @@
+ # All rights reserved.
+ #
+ # License: GPL (version 3 or any later version).
+-# See LICENSE for details.
++# See LICENSE for details.
+ # END COPYRIGHT BLOCK
+ ###################################################################################
+ #
+@@ -13,7 +13,7 @@
+ #
+ # SYNOPSIS:
+ # cl-dump.pl [-h host] [-p port] [-D bind-dn] -w bind-password | -P bind-cert
+-# [-r replica-roots] [-o output-file] [-c] [-v]
++# [-r replica-roots] [-o output-file] [-c] [-l] [-v]
+ #
+ # cl-dump.pl -i changelog-ldif-file-with-base64encoding [-o output-file] [-c]
+ #
+@@ -22,7 +22,7 @@
+ #
+ # OPTIONS:
+ # -c Dump and interpret CSN only. This option can be used with or
+-# without -i option.
++# without -i option.
+ #
+ # -D bind-dn
+ # Directory server's bind DN. Default to "cn=Directory Manager" if
+@@ -32,6 +32,8 @@
+ # Directory server's host. Default to the server where the script
+ # is running.
+ #
++# -l Preserve generated ldif.done files from changelogdir
++#
+ # -i changelog-ldif-file-with-base64encoding
+ # If you already have a ldif-like changelog, but the changes
+ # in that file are encoded, you may use this option to
+@@ -68,7 +70,7 @@
+ # all of this nonsense can be omitted if the mozldapsdk and perldap are
+ # installed in the operating system locations (e.g. /usr/lib /usr/lib/perl5)
+
+-$usage="Usage: $0 [-h host] [-p port] [-D bind-dn] [-w bind-password | -P bind-cert] [-r replica-roots] [-o output-file] [-c] [-v]\n\n $0 -i changelog-ldif-file-with-base64encoding [-o output-file] [-c]\n";
++$usage="Usage: $0 [-h host] [-p port] [-D bind-dn] [-w bind-password | -P bind-cert] [-r replica-roots] [-o output-file] [-c] [-l] [-v]\n\n $0 -i changelog-ldif-file-with-base64encoding [-o output-file] [-c]\n";
+
+ use Getopt::Std; # Parse command line arguments
+ use Mozilla::LDAP::Conn; # LDAP module for Perl
+@@ -86,7 +88,7 @@ $version = "Directory Server Changelog Dump - Version 1.0";
+ $| = 1;
+
+ # Check for legal options
+- if (!getopts('h:p:D:w:P:r:o:cvi:')) {
++ if (!getopts('h:p:D:w:P:r:o:clvi:')) {
+ print $usage;
+ exit -1;
+ }
+@@ -123,7 +125,7 @@ sub validateArgs
+ if ($opt_o && ! open (OUTPUT, ">$opt_o")) {
+ print "Can't create output file $opt_o\n";
+ $rc = -1;
+- }
++ }
+ # Open STDOUT if option -o is missing
+ open (OUTPUT, ">-") if !$opt_o;
+
+@@ -194,10 +196,15 @@ sub cl_dump_and_decode
+ else {
+ &cl_decode ($_);
+ }
+- # Test op -M doesn't work well so we use rename
++ # Test op -M doesn't work well so we use rename/remove
+ # here to avoid reading the same ldif file more
+ # than once.
+- rename ($ldif, "$ldif.done");
++ if ($opt_l) {
++ rename ($ldif, "$ldif.done");
++ } else {
++ # Remove the file - default behaviou when '-l' is not specified
++ unlink ($ldif)
++ }
+ }
+ &print_header ($replica, "Not Found") if !$gotldif;
+ }
+diff --git a/man/man1/cl-dump.1 b/man/man1/cl-dump.1
+index db736aca9..fbb836a72 100644
+--- a/man/man1/cl-dump.1
++++ b/man/man1/cl-dump.1
+@@ -20,7 +20,7 @@ cl-dump \- Dump and decode Directory Server replication change log
+ .SH SYNOPSIS
+ .B cl\-dump
+ [\fI\-h host\fR] [\fI\-p port\fR] [\fI\-D bind\(hydn\fR] \-w bind\(hypassword | \-P bind\(hycert
+- [\fI\-r replica\(hyroots\fR] [\fI\-o output\(hyfile\fR] [\fI\-c\fR] [\fI\-v\fR]
++ [\fI\-r replica\(hyroots\fR] [\fI\-o output\(hyfile\fR] [\fI\-c\fR] [\fI\-l\fR] [\fI\-v\fR]
+
+ .PP
+ .B cl\-dump
+@@ -30,12 +30,12 @@ cl-dump \- Dump and decode Directory Server replication change log
+ Dump and decode Directory Server replication change log
+ .PP
+ .\" TeX users may be more comfortable with the \fB<whatever>\fP and
+-.\" \fI<whatever>\fP escape sequences to invode bold face and italics,
++.\" \fI<whatever>\fP escape sequences to invode bold face and italics,
+ .\" respectively.
+ .SH OPTIONS
+ A summary of options is included below.
+ .TP
+-.B \-c
++.B \-c
+ Dump and interpret CSN only. This option can be used with or
+ without \-i option.
+ .TP
+@@ -47,6 +47,9 @@ the option is omitted.
+ Directory server's host. Default to the server where the script
+ is running.
+ .TP
++.B \-l
++Preserve generated ldif.done files from changelogdir
++.TP
+ .B \-i changelog\(hyldif\(hyfile\(hywith\(hybase64encoding
+ If you already have a ldif-like changelog, but the changes
+ in that file are encoded, you may use this option to
+@@ -66,7 +69,7 @@ Specify replica roots whose changelog you want to dump. The replica
+ roots may be separated by comma. All the replica roots would be
+ dumped if the option is omitted.
+ .TP
+-.B \-v
++.B \-v
+ Print the version of this script.
+ .TP
+ .B \-w bind\(hypassword
+--
+2.21.1
+
diff --git a/SOURCES/0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch b/SOURCES/0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch
new file mode 100644
index 0000000..975ce26
--- /dev/null
+++ b/SOURCES/0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch
@@ -0,0 +1,32 @@
+From c8977a03f2c65978ad7977030d55bc830bc1f852 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 16 Oct 2019 16:52:59 -0400
+Subject: [PATCH] Issue 50655 - access log etime is not properly formatted
+
+Description: The wrong printf format was used for displaying the nanosecond etime
+ in the access log.
+
+relates: https://pagure.io/389-ds-base/issue/50655
+
+Reviewed by: firstyear(Thanks!)
+---
+ ldap/servers/slapd/result.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
+index d9f431cc5..393b3f6cd 100644
+--- a/ldap/servers/slapd/result.c
++++ b/ldap/servers/slapd/result.c
+@@ -1920,7 +1920,8 @@ log_result(Slapi_PBlock *pb, Operation *op, int err, ber_tag_t tag, int nentries
+ struct timespec o_hr_time_end;
+ slapi_operation_time_elapsed(op, &o_hr_time_end);
+
+- snprintf(etime, ETIME_BUFSIZ, "%" PRId64 ".%010" PRId64 "", (int64_t)o_hr_time_end.tv_sec, (int64_t)o_hr_time_end.tv_nsec);
++
++ snprintf(etime, ETIME_BUFSIZ, "%" PRId64 ".%.09" PRId64 "", (int64_t)o_hr_time_end.tv_sec, (int64_t)o_hr_time_end.tv_nsec);
+
+ slapi_pblock_get(pb, SLAPI_OPERATION_NOTES, &operation_notes);
+
+--
+2.21.1
+
diff --git a/SOURCES/0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch b/SOURCES/0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch
new file mode 100644
index 0000000..27b3324
--- /dev/null
+++ b/SOURCES/0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch
@@ -0,0 +1,35 @@
+From 5c4e9f2017ba6c0415fe8352587db61dd9451ee4 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 20 Jan 2020 13:16:36 -0500
+Subject: [PATCH] Issue 50834 - Incorrectly setting the NSS default SSL version
+ max
+
+Description: We've been using the wrong function to get the NSS max
+ version We were calling SSL_VersionRangeGetSupported()
+ which gets the versions NSS "can" handle, but
+ SSL_VersionRangeGetDefault() gets the versions that
+ are actually "enabled".
+
+relates: https://pagure.io/389-ds-base/issue/50834
+
+Reviewed by: mreynolds(one line commit rule)
+---
+ ldap/servers/slapd/ssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
+index ed054db44..c71e3019b 100644
+--- a/ldap/servers/slapd/ssl.c
++++ b/ldap/servers/slapd/ssl.c
+@@ -1164,7 +1164,7 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr
+ char *certdir;
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
+ /* Get the range of the supported SSL version */
+- SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
++ SSL_VersionRangeGetDefault(ssl_variant_stream, &enabledNSSVersions);
+
+ (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
+ (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
+--
+2.21.1
+
diff --git a/SOURCES/0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch b/SOURCES/0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch
new file mode 100644
index 0000000..90f1370
--- /dev/null
+++ b/SOURCES/0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch
@@ -0,0 +1,43 @@
+From 572ed29e447141f532f2d84f9ea78c48308ad684 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz <tbordaz@redhat.com>
+Date: Fri, 7 Jun 2019 11:35:46 +0200
+Subject: [PATCH] Ticket 50428 - Log the actual base DN when the search fails
+ with "invalid attribute request"
+
+Bug Description:
+ When a search request contains invalid parameters (attribute list with empty attribute
+ name, unknown scope, invalid filter..) the search is rejected but the access log
+ contains a wrong base search: ... SRCH base="(null)"...
+ This is because it does not use for logging the variable that gather the actual base ('rawbase')
+
+Fix Description:
+ Use 'rawbase' value for logging
+
+https://pagure.io/389-ds-base/issue/50428
+
+Reviewed by: Mark Reynolds
+
+Platforms tested: F28
+
+Flag Day: no
+
+Doc impact: no
+---
+ ldap/servers/slapd/search.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
+index 7e253f535..2a9979552 100644
+--- a/ldap/servers/slapd/search.c
++++ b/ldap/servers/slapd/search.c
+@@ -154,6 +154,7 @@ do_search(Slapi_PBlock *pb)
+ goto free_and_return;
+ }
+ }
++ base = rawbase;
+
+ /*
+ * ignore negative time and size limits since they make no sense
+--
+2.21.1
+
diff --git a/SOURCES/0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch b/SOURCES/0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch
new file mode 100644
index 0000000..3836923
--- /dev/null
+++ b/SOURCES/0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch
@@ -0,0 +1,146 @@
+From c629c7ffe35bb2a09ad4dfa60d56fb01a51915d0 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Fri, 2 Aug 2019 14:36:24 -0400
+Subject: [PATCH] Issue 50530 - Directory Server not RFC 4511 compliant with
+ requested attr "1.1"
+
+Bug Description: A regression was introduced some time back that changed the
+ behavior of how the server handled the "1.1" requested attribute
+ in a search request. If "1.1" was requested along with other
+ attributes then no attibutes were returned, but in this case "1.1"
+ is expected to be ignroed.
+
+Fix Description: Only comply with "1.1" if it is the only requested attribute
+
+relates: https://pagure.io/389-ds-base/issue/50530
+
+Reviewed by: firstyear(Thanks!)
+---
+ dirsrvtests/tests/suites/basic/basic_test.py | 57 +++++++++++++++++---
+ ldap/servers/slapd/result.c | 7 ++-
+ 2 files changed, 57 insertions(+), 7 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py
+index 0f7536b63..cea4f6bfe 100644
+--- a/dirsrvtests/tests/suites/basic/basic_test.py
++++ b/dirsrvtests/tests/suites/basic/basic_test.py
+@@ -28,6 +28,7 @@ log = logging.getLogger(__name__)
+ USER1_DN = 'uid=user1,' + DEFAULT_SUFFIX
+ USER2_DN = 'uid=user2,' + DEFAULT_SUFFIX
+ USER3_DN = 'uid=user3,' + DEFAULT_SUFFIX
++USER4_DN = 'uid=user4,' + DEFAULT_SUFFIX
+
+ ROOTDSE_DEF_ATTR_LIST = ('namingContexts',
+ 'supportedLDAPVersion',
+@@ -409,8 +410,8 @@ def test_basic_acl(topology_st, import_example_ldif):
+ 'uid': 'user1',
+ 'userpassword': PASSWORD})))
+ except ldap.LDAPError as e:
+- log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN
+- + ': error ' + e.message['desc'])
++ log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN +
++ ': error ' + e.message['desc'])
+ assert False
+
+ try:
+@@ -421,8 +422,8 @@ def test_basic_acl(topology_st, import_example_ldif):
+ 'uid': 'user2',
+ 'userpassword': PASSWORD})))
+ except ldap.LDAPError as e:
+- log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN
+- + ': error ' + e.message['desc'])
++ log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN +
++ ': error ' + e.message['desc'])
+ assert False
+
+ #
+@@ -572,6 +573,50 @@ def test_basic_searches(topology_st, import_example_ldif):
+ log.info('test_basic_searches: PASSED')
+
+
++@pytest.fixture(scope="module")
++def add_test_entry(topology_st, request):
++ # Add test entry
++ topology_st.standalone.add_s(Entry((USER4_DN,
++ {'objectclass': "top extensibleObject".split(),
++ 'cn': 'user1', 'uid': 'user1'})))
++
++
++search_params = [(['1.1'], 'cn', False),
++ (['1.1', 'cn'], 'cn', True),
++ (['+'], 'nsUniqueId', True),
++ (['*'], 'cn', True),
++ (['cn'], 'cn', True)]
++@pytest.mark.parametrize("attrs, attr, present", search_params)
++def test_search_req_attrs(topology_st, add_test_entry, attrs, attr, present):
++ """Test requested attributes in search operations.
++ :id: 426a59ff-49b8-4a70-b377-0c0634a29b6e
++ :setup: Standalone instance
++ :steps:
++ 1. Test "1.1" does not return any attributes.
++ 2. Test "1.1" is ignored if there are other requested attributes
++ 3. Test "+" returns all operational attributes
++ 4. Test "*" returns all attributes
++ 5. Test requested attributes
++
++ :expectedresults:
++ 1. Success
++ 2. Success
++ 3. Success
++ 4. Success
++ 5. Success
++ """
++
++ log.info("Testing attrs: {} attr: {} present: {}".format(attrs, attr, present))
++ entry = topology_st.standalone.search_s(USER4_DN,
++ ldap.SCOPE_BASE,
++ 'objectclass=top',
++ attrs)
++ if present:
++ assert entry[0].hasAttr(attr)
++ else:
++ assert not entry[0].hasAttr(attr)
++
++
+ def test_basic_referrals(topology_st, import_example_ldif):
+ """Test LDAP server in referral mode.
+
+@@ -716,8 +761,8 @@ def test_basic_systemctl(topology_st, import_example_ldif):
+ log.info('Attempting to start the server with broken dse.ldif...')
+ try:
+ topology_st.standalone.start()
+- except:
+- log.info('Server failed to start as expected')
++ except Exception as e:
++ log.info('Server failed to start as expected: ' + str(e))
+ log.info('Check the status...')
+ assert (not topology_st.standalone.status())
+ log.info('Server failed to start as expected')
+diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
+index 393b3f6cd..61e7a70f9 100644
+--- a/ldap/servers/slapd/result.c
++++ b/ldap/servers/slapd/result.c
+@@ -1546,6 +1546,8 @@ send_ldap_search_entry_ext(
+ * "+" means all operational attributes (rfc3673)
+ * operational attributes are only retrieved if they are named
+ * specifically or when "+" is specified.
++ * In the case of "1.1", if there are other requested attributes
++ * then "1.1" should be ignored.
+ */
+
+ /* figure out if we want all user attributes or no attributes at all */
+@@ -1560,7 +1562,10 @@ send_ldap_search_entry_ext(
+ if (strcmp(LDAP_ALL_USER_ATTRS, attrs[i]) == 0) {
+ alluserattrs = 1;
+ } else if (strcmp(LDAP_NO_ATTRS, attrs[i]) == 0) {
+- noattrs = 1;
++ /* "1.1" is only valid if it's the only requested attribute */
++ if (i == 0 && attrs[1] == NULL) {
++ noattrs = 1;
++ }
+ } else if (strcmp(LDAP_ALL_OPERATIONAL_ATTRS, attrs[i]) == 0) {
+ alloperationalattrs = 1;
+ } else {
+--
+2.21.1
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 59c8cef..ac72c06 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -39,7 +39,7 @@
Summary: 389 Directory Server (%{variant})
Name: 389-ds-base
Version: 1.3.9.1
-Release: %{?relprefix}12%{?prerel}%{?dist}
+Release: %{?relprefix}13%{?prerel}%{?dist}
License: GPLv3+
URL: https://www.port389.org/
Group: System Environment/Daemons
@@ -187,6 +187,13 @@ Patch38: 0038-Issue-49850-ldbm_get_nonleaf_ids-slow-for-databases-.patc
Patch39: 0039-Ticket-49850-cont-fix-crash-in-ldbm_non_leaf.patch
Patch40: 0040-Issue-50538-cleanAllRUV-task-limit-is-not-enforced-f.patch
Patch41: 0041-Fix-cherry-pick-error-for-cleanAllRUV-issue.patch
+Patch42: 0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch
+Patch43: 0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch
+Patch44: 0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch
+Patch45: 0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch
+Patch46: 0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch
+Patch47: 0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch
+Patch48: 0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -539,6 +546,17 @@ fi
%{_sysconfdir}/%{pkgname}/dirsrvtests
%changelog
+* Wed Feb 12 2020 Mark Reynolds <mreynolds@redhat.com> - 1.3.9.1-13
+- Bump version to 1.3.9.1-13
+- Resolves: Bug 1801693 - ns-slapd is crashing while restarting ipactl
+- Resolves: Bug 1801695 - LDAP server returning controltype in different sequence
+- Resolves: Bug 1801700 - After running cl-dump dbdir/cldb/*ldif.done are not deleted
+- Resolves: Bug 1801701 - etime displayed has an order of magnitude 10 times smaller than it should be
+- Resolves: Bug 1801702 - Regression: NSS has interop problems as server when using limited cipher list
+- Resolves: Bug 1801704 - Log the actual base DN when the search fails with "invalid attribute request"
+- Resolves: Bug 1801705 - Directory Server 10 not RFC 4511 compliant
+- Resolves: Bug 1801706 - Replace error by warning in the state machine defined in repl5_inc_run
+
* Fri Nov 1 2019 Mark Reynolds <mreynolds@redhat.com> - 1.3.9.1-12
- Bump version to 1.3.9.1-12
- Resolves: Bug 1767622 - CleanAllRUV task limit not enforced