diff --git a/.389-ds-base.metadata b/.389-ds-base.metadata
index ffac167..c4b1e1e 100644
--- a/.389-ds-base.metadata
+++ b/.389-ds-base.metadata
@@ -1,2 +1,2 @@
-50c525db2c9adfc7cca119ed13110a42d88d079c SOURCES/389-ds-base-1.4.1.3.tar.bz2
-5a5255f7bca3e79a063f26f292cf93f17fe3b14f SOURCES/jemalloc-5.2.0.tar.bz2
+fcf4e095176c048550be8838df112b8d247f34db SOURCES/389-ds-base-1.4.2.4.tar.bz2
+9e06b5cc57fd185379d007696da153893cf73e30 SOURCES/jemalloc-5.2.1.tar.bz2
diff --git a/.gitignore b/.gitignore
index ab2d85c..8e144dc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/389-ds-base-1.4.1.3.tar.bz2
-SOURCES/jemalloc-5.2.0.tar.bz2
+SOURCES/389-ds-base-1.4.2.4.tar.bz2
+SOURCES/jemalloc-5.2.1.tar.bz2
diff --git a/SOURCES/0000-Issue-49602-Revise-replication-status-messages.patch b/SOURCES/0000-Issue-49602-Revise-replication-status-messages.patch
deleted file mode 100644
index 949a707..0000000
--- a/SOURCES/0000-Issue-49602-Revise-replication-status-messages.patch
+++ /dev/null
@@ -1,353 +0,0 @@ -From 45f4abd6befa50b129fc49b331b42c280f37199a Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 13 Jun 2019 13:01:35 -0400 -Subject: [PATCH] Issue 49602 - Revise replication status messages - -Bug Description: All agreement status messages start with "Error (##)" followed - by a text string. Even success states start with "Error", and - this is confusing. - - Added new attributes to display the status in a JSON format - for easier parsing for applications: - - replicaLastUpdateStatusJSON - replicaLastInitStatusJSON - -Design Doc: https://www.port389.org/docs/389ds/design/repl-agmt-status-design.html - -https://pagure.io/389-ds-base/issue/49602 - -Reviewed by: firstyear(Thanks!) ---- - .../suites/replication/single_master_test.py | 19 +++-- - ldap/schema/01core389.ldif | 2 + - ldap/servers/plugins/replication/repl5_agmt.c | 84 ++++++++++++++++--- - .../plugins/replication/repl5_protocol_util.c | 13 +-- - 4 files changed, 96 insertions(+), 22 deletions(-) - -diff --git a/dirsrvtests/tests/suites/replication/single_master_test.py b/dirsrvtests/tests/suites/replication/single_master_test.py -index 5b73e23ae..78f849da7 100644 ---- a/dirsrvtests/tests/suites/replication/single_master_test.py -+++ b/dirsrvtests/tests/suites/replication/single_master_test.py -@@ -23,6 +23,7 @@ from lib389._constants import (ReplicaRole, DEFAULT_SUFFIX, REPLICAID_MASTER_1, - REPLICATION_BIND_METHOD, REPLICATION_TRANSPORT, DEFAULT_BACKUPDIR, - RA_NAME, RA_BINDDN, RA_BINDPW, RA_METHOD, RA_TRANSPORT_PROT, - defaultProperties) -+import json - - pytestmark = pytest.mark.tier1 - -@@ -95,7 +96,7 @@ def test_mail_attr_repl(topo_r): - consumer.start() - - log.info("Make a search for mail attribute in attempt to crash server") -- consumer.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, "(mail=testuser@redhat.com)", ["mail"]) -+ c_user.get_attr_val("mail") - - log.info("Make sure that server hasn't crashed") - repl.test_replication(master, consumer) -@@ -111,11 +112,13 @@ def 
test_lastupdate_attr_before_init(topo_nr): - 1. Check nsds5replicaLastUpdateStart value - 2. Check nsds5replicaLastUpdateEnd value - 3. Check nsds5replicaLastUpdateStatus value -+ 4. Check nsds5replicaLastUpdateStatusJSON is parsable - :expectedresults: - 1. nsds5replicaLastUpdateStart should be equal to 0 - 2. nsds5replicaLastUpdateEnd should be equal to 0 - 3. nsds5replicaLastUpdateStatus should not be equal -- to "0 Replica acquired successfully: Incremental update started" -+ to "Replica acquired successfully: Incremental update started" -+ 4. Success - """ - - master = topo_nr.ins["standalone1"] -@@ -139,11 +142,15 @@ def test_lastupdate_attr_before_init(topo_nr): - with pytest.raises(Exception): - repl.wait_for_replication(master, consumer, timeout=5) - -- assert agmt.get_attr_val_bytes('nsds5replicaLastUpdateStart') == b"19700101000000Z" -- assert agmt.get_attr_val_bytes("nsds5replicaLastUpdateEnd") == b"19700101000000Z" -- assert b"Replica acquired successfully" not in agmt.get_attr_val_bytes("nsds5replicaLastUpdateStatus") -- -+ assert agmt.get_attr_val_utf8('nsds5replicaLastUpdateStart') == "19700101000000Z" -+ assert agmt.get_attr_val_utf8("nsds5replicaLastUpdateEnd") == "19700101000000Z" -+ assert "replica acquired successfully" not in agmt.get_attr_val_utf8_l("nsds5replicaLastUpdateStatus") - -+ # make sure the JSON attribute is parsable -+ json_status = agmt.get_attr_val_utf8("nsds5replicaLastUpdateStatusJSON") -+ if json_status is not None: -+ json_obj = json.loads(json_status) -+ log.debug("JSON status message: {}".format(json_obj)) - - if __name__ == '__main__': - # Run isolated -diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif -index 993fa4a6d..7bf4acc5b 100644 ---- a/ldap/schema/01core389.ldif -+++ b/ldap/schema/01core389.ldif -@@ -312,6 +312,8 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2341 NAME 'nsslapd-changelogmaxentries' - attributeTypes: ( 2.16.840.1.113730.3.1.2344 NAME 'nsslapd-tls-check-crl' DESC 'Check CRL when 
opening outbound TLS connections. Valid options are none, peer, all.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2353 NAME 'nsslapd-encryptionalgorithm' DESC 'The encryption algorithm used to encrypt the changelog' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2084 NAME 'nsSymmetricKey' DESC 'A symmetric key - currently used by attribute encryption' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'attribute encryption' ) -+attributeTypes: ( 2.16.840.1.113730.3.1.2364 NAME 'nsds5replicaLastInitStatusJSON' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'Netscape Directory Server' ) -+attributeTypes: ( 2.16.840.1.113730.3.1.2365 NAME 'nsds5replicaLastUpdateStatusJSON' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'Netscape Directory Server' ) - # - # objectclasses - # -diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c -index 53e6708c8..8e4586d8b 100644 ---- a/ldap/servers/plugins/replication/repl5_agmt.c -+++ b/ldap/servers/plugins/replication/repl5_agmt.c -@@ -60,7 +60,11 @@ - #define DEFAULT_TIMEOUT 120 /* (seconds) default outbound LDAP connection */ - #define DEFAULT_FLOWCONTROL_WINDOW 1000 /* #entries sent without acknowledgment */ - #define DEFAULT_FLOWCONTROL_PAUSE 2000 /* msec of pause when #entries sent witout acknowledgment */ --#define STATUS_LEN 1024 -+#define STATUS_LEN 2048 -+#define STATUS_GOOD "green" -+#define STATUS_WARNING "amber" -+#define STATUS_BAD "red" -+ - - struct changecounter - { -@@ -93,11 +97,13 @@ typedef struct repl5agmt - time_t last_update_start_time; /* Local start time of last update session */ - time_t last_update_end_time; /* Local end time of last update 
session */ - char last_update_status[STATUS_LEN]; /* Status of last update. Format = numeric code textual description */ -+ char last_update_status_json[STATUS_LEN]; - PRBool update_in_progress; - PRBool is_enabled; - time_t last_init_start_time; /* Local start time of last total init */ - time_t last_init_end_time; /* Local end time of last total init */ - char last_init_status[STATUS_LEN]; /* Status of last total init. Format = numeric code textual description */ -+ char last_init_status_json[STATUS_LEN]; - PRLock *lock; - Object *consumerRUV; /* last RUV received from the consumer - used for changelog purging */ - CSN *consumerSchemaCSN; /* last schema CSN received from the consumer */ -@@ -2443,6 +2449,21 @@ agmt_set_last_init_end(Repl_Agmt *ra, time_t end_time) - } - } - -+static void -+agmt_set_last_update_status_json(Repl_Agmt *ra, char *state, int ldaprc, int replrc) -+{ -+ char ts[SLAPI_TIMESTAMP_BUFSIZE]; -+ time_t now; -+ -+ time(&now); -+ strftime(ts, sizeof ts, "%FT%TZ", gmtime(&now)); -+ PR_snprintf(ra->last_update_status_json, STATUS_LEN, -+ "{\"state\": \"%s\", \"ldap_rc\": \"%d\", \"ldap_rc_text\": \"%s\", " -+ "\"repl_rc\": \"%d\", \"repl_rc_text\": \"%s\", \"date\": \"%s\", \"message\": \"%s\"}", -+ state, ldaprc, ldap_err2string(ldaprc), replrc, protocol_response2string(replrc), -+ ts, ra->last_update_status); -+} -+ - void - agmt_set_last_update_status(Repl_Agmt *ra, int ldaprc, int replrc, const char *message) - { -@@ -2463,19 +2484,29 @@ agmt_set_last_update_status(Repl_Agmt *ra, int ldaprc, int replrc, const char *m - PR_snprintf(ra->last_update_status, STATUS_LEN, "Error (%d) %s%s - LDAP error: %s%s%s%s", - ldaprc, message ? message : "", message ? "" : " - ", - slapi_err2string(ldaprc), replmsg ? " (" : "", replmsg ? replmsg : "", replmsg ? 
")" : ""); -+ agmt_set_last_update_status_json(ra, STATUS_BAD, ldaprc, replrc); - } - /* ldaprc == LDAP_SUCCESS */ - else if (replrc != 0) { - if (replrc == NSDS50_REPL_REPLICA_BUSY) { - PR_snprintf(ra->last_update_status, STATUS_LEN, -- "Error (%d) Can't acquire busy replica", replrc); -+ "Error (%d) Can't acquire busy replica (%s)", -+ replrc, message ? message : ""); -+ agmt_set_last_update_status_json(ra, STATUS_WARNING, ldaprc, replrc); -+ } else if (replrc == NSDS50_REPL_TRANSIENT_ERROR || replrc == NSDS50_REPL_BACKOFF) { -+ PR_snprintf(ra->last_update_status, STATUS_LEN, -+ "Error (%d) Can't acquire replica (%s)", -+ replrc, message ? message : ""); -+ agmt_set_last_update_status_json(ra, STATUS_WARNING, ldaprc, replrc); - } else if (replrc == NSDS50_REPL_REPLICA_RELEASE_SUCCEEDED) { - PR_snprintf(ra->last_update_status, STATUS_LEN, "Error (0) Replication session successful"); -+ agmt_set_last_update_status_json(ra, STATUS_GOOD, ldaprc, replrc); - } else if (replrc == NSDS50_REPL_DISABLED) { - PR_snprintf(ra->last_update_status, STATUS_LEN, "Error (%d) Incremental update aborted: " - "Replication agreement for %s\n can not be updated while the replica is disabled.\n" - "(If the suffix is disabled you must enable it then restart the server for replication to take place).", - replrc, ra->long_name ? ra->long_name : "a replica"); -+ agmt_set_last_update_status_json(ra, STATUS_BAD, ldaprc, replrc); - /* Log into the errors log, as "ra->long_name" is not accessible from the caller */ - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, - "Incremental update aborted: Replication agreement for \"%s\" " -@@ -2487,17 +2518,35 @@ agmt_set_last_update_status(Repl_Agmt *ra, int ldaprc, int replrc, const char *m - PR_snprintf(ra->last_update_status, STATUS_LEN, - "Error (%d) Replication error acquiring replica: %s%s(%s)", - replrc, message ? message : "", message ? 
" " : "", protocol_response2string(replrc)); -+ agmt_set_last_update_status_json(ra, STATUS_BAD, ldaprc, replrc); - } - } else if (message != NULL) /* replrc == NSDS50_REPL_REPLICA_READY == 0 */ - { - PR_snprintf(ra->last_update_status, STATUS_LEN, - "Error (0) Replica acquired successfully: %s", message); -+ agmt_set_last_update_status_json(ra, STATUS_GOOD, ldaprc, replrc); - } else { /* agmt_set_last_update_status(0,0,NULL) to reset agmt */ - ra->last_update_status[0] = '\0'; -+ ra->last_update_status_json[0] = '\0'; - } - } - } - -+static void -+agmt_set_last_init_status_json(Repl_Agmt *ra, char *state, int ldaprc, int replrc, int connrc) -+{ -+ char ts[SLAPI_TIMESTAMP_BUFSIZE]; -+ time_t now; -+ -+ time(&now); -+ strftime(ts, sizeof ts, "%FT%TZ", gmtime(&now)); -+ PR_snprintf(ra->last_init_status_json, STATUS_LEN, -+ "{\"state\": \"%s\", \"ldap_rc\": \"%d\", \"ldap_rc_text\": \"%s\", \"repl_rc\": \"%d\", \"repl_rc_text\": \"%s\", " -+ "\"conn_rc\": \"%d\", \"conn_rc_text\": \"%s\", \"date\": \"%s\", \"message\": \"%s\"}", -+ state, ldaprc, ldap_err2string(ldaprc), replrc, protocol_response2string(replrc), -+ connrc, conn_result2string(connrc), ts, ra->last_init_status); -+} -+ - void - agmt_set_last_init_status(Repl_Agmt *ra, int ldaprc, int replrc, int connrc, const char *message) - { -@@ -2523,16 +2572,16 @@ agmt_set_last_init_status(Repl_Agmt *ra, int ldaprc, int replrc, int connrc, con - replmsg = NULL; - } - } -- PR_snprintf(ra->last_init_status, STATUS_LEN, "Error (%d) %s%sLDAP error: %s%s%s%s%s", -+ PR_snprintf(ra->last_init_status, STATUS_LEN, "Error (%d)%s%sLDAP error: %s%s%s%s%s", - ldaprc, message ? message : "", message ? "" : " - ", - slapi_err2string(ldaprc), replmsg ? " - " : "", replmsg ? replmsg : "", - connrc ? " - " : "", connrc ? 
connmsg : ""); -+ agmt_set_last_init_status_json(ra, STATUS_BAD, ldaprc, replrc, connrc); - } - /* ldaprc == LDAP_SUCCESS */ - else if (replrc != 0) { - if (replrc == NSDS50_REPL_REPLICA_RELEASE_SUCCEEDED) { -- PR_snprintf(ra->last_init_status, STATUS_LEN, "Error (%d) %s", -- ldaprc, "Replication session successful"); -+ PR_snprintf(ra->last_init_status, STATUS_LEN, "Replication session successful"); - } else if (replrc == NSDS50_REPL_DISABLED) { - if (agmt_is_enabled(ra)) { - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "Total update aborted: " -@@ -2543,6 +2592,7 @@ agmt_set_last_init_status(Repl_Agmt *ra, int ldaprc, int replrc, int connrc, con - "Replication agreement for \"%s\" can not be updated while the suffix is disabled.\n" - "You must enable it then restart the server for replication to take place).", - replrc, ra->long_name ? ra->long_name : "a replica"); -+ agmt_set_last_init_status_json(ra, STATUS_BAD, ldaprc, replrc, connrc); - } else { - /* You do not need to restart the server after enabling the agreement */ - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "Total update aborted: " -@@ -2551,6 +2601,7 @@ agmt_set_last_init_status(Repl_Agmt *ra, int ldaprc, int replrc, int connrc, con - PR_snprintf(ra->last_init_status, STATUS_LEN, "Error (%d) Total update aborted: " - "Replication agreement for \"%s\" can not be updated while the agreement is disabled.", - replrc, ra->long_name ? ra->long_name : "a replica"); -+ agmt_set_last_init_status_json(ra, STATUS_BAD, ldaprc, replrc, connrc); - } - } else { - PR_snprintf(ra->last_init_status, STATUS_LEN, -@@ -2558,19 +2609,21 @@ agmt_set_last_init_status(Repl_Agmt *ra, int ldaprc, int replrc, int connrc, con - replrc, protocol_response2string(replrc), - message ? " - " : "", message ? message : "", - connrc ? " - " : "", connrc ? 
connmsg : ""); -+ agmt_set_last_init_status_json(ra, STATUS_BAD, ldaprc, replrc, connrc); - } - } else if (connrc != CONN_OPERATION_SUCCESS) { - PR_snprintf(ra->last_init_status, STATUS_LEN, - "Error (%d) connection error: %s%s%s", - connrc, connmsg, - message ? " - " : "", message ? message : ""); -- } else if (message != NULL) /* replrc == NSDS50_REPL_REPLICA_READY == 0 */ -- { -+ agmt_set_last_init_status_json(ra, STATUS_BAD, ldaprc, replrc, connrc); -+ } else if (message != NULL) { /* replrc == NSDS50_REPL_REPLICA_READY == 0 */ - PR_snprintf(ra->last_init_status, STATUS_LEN, -- "Error (%d) %s", -- ldaprc, message); -+ "Error (%d) %s", ldaprc, message); -+ agmt_set_last_init_status_json(ra, STATUS_GOOD, ldaprc, replrc, connrc); - } else { /* agmt_set_last_init_status(0,0,NULL) to reset agmt */ -- PR_snprintf(ra->last_init_status, STATUS_LEN, "Error (%d)", ldaprc); -+ ra->last_init_status[0] = '\0'; -+ ra->last_init_status_json[0] = '\0'; - } - } - } -@@ -2705,10 +2758,20 @@ get_agmt_status(Slapi_PBlock *pb __attribute__((unused)), - agmt_get_changecount_string(ra, changecount_string, sizeof(changecount_string)); - slapi_entry_add_string(e, "nsds5replicaChangesSentSinceStartup", changecount_string); - if (ra->last_update_status[0] == '\0') { -+ char status_msg[STATUS_LEN]; -+ char ts[SLAPI_TIMESTAMP_BUFSIZE]; -+ time_t now; -+ time(&now); -+ strftime(ts, sizeof ts, "%FT%TZ", gmtime(&now)); - slapi_entry_add_string(e, "nsds5replicaLastUpdateStatus", - "Error (0) No replication sessions started since server startup"); -+ PR_snprintf(status_msg, STATUS_LEN, -+ "{\"state\": \"green\", \"ldap_rc\": \"0\", \"ldap_rc_text\": \"success\", \"repl_rc\": \"0\", \"repl_rc_text\": \"replica acquired\", " -+ "\"date\": \"%s\", \"message\": \"Error (0) No replication sessions started since server startup\"}", ts); -+ slapi_entry_add_string(e, "nsds5replicaLastUpdateStatusJSON", status_msg); - } else { - slapi_entry_add_string(e, "nsds5replicaLastUpdateStatus", 
ra->last_update_status); -+ slapi_entry_add_string(e, "nsds5replicaLastUpdateStatusJSON", ra->last_update_status_json); - } - slapi_entry_add_string(e, "nsds5replicaUpdateInProgress", ra->update_in_progress ? "TRUE" : "FALSE"); - -@@ -2724,6 +2787,7 @@ get_agmt_status(Slapi_PBlock *pb __attribute__((unused)), - - if (ra->last_init_status[0] != '\0') { - slapi_entry_add_string(e, "nsds5replicaLastInitStatus", ra->last_init_status); -+ slapi_entry_add_string(e, "nsds5replicaLastInitStatusJSON", ra->last_init_status_json); - } - } - bail: -diff --git a/ldap/servers/plugins/replication/repl5_protocol_util.c b/ldap/servers/plugins/replication/repl5_protocol_util.c -index a48d4d02a..bb9f9e7e1 100644 ---- a/ldap/servers/plugins/replication/repl5_protocol_util.c -+++ b/ldap/servers/plugins/replication/repl5_protocol_util.c -@@ -374,13 +374,13 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "has the same Replica ID as this one. " - "Replication is aborting.\n", - agmt_get_long_name(prp->agmt)); -- agmt_set_last_update_status(prp->agmt, 0, 0, -- "Unable to aquire replica: the replica has the same " -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_REPLICAID_ERROR, -+ "Unable to acquire replica: the replica has the same " - "Replica ID as this one. Replication is aborting."); - return_value = ACQUIRE_FATAL_ERROR; - break; - case NSDS50_REPL_BACKOFF: -- /* A replication sesssion hook on the replica -+ /* A replication session hook on the replica - * wants us to go into backoff mode. */ - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, - "acquire_replica - " -@@ -487,9 +487,8 @@ acquire_replica(Private_Repl_Protocol *prp, char *prot_oid, RUV **ruv) - "%s: Unable to obtain current CSN. " - "Replication is aborting.\n", - agmt_get_long_name(prp->agmt)); -- agmt_set_last_update_status(prp->agmt, 0, 0, -- "Unable to obtain current CSN. 
" -- "Replication is aborting."); -+ agmt_set_last_update_status(prp->agmt, 0, NSDS50_REPL_INTERNAL_ERROR, -+ "Unable to obtain current CSN. Replication is aborting."); - return_value = ACQUIRE_FATAL_ERROR; - } - } -@@ -665,6 +664,8 @@ protocol_response2string(int response) - return "transient warning"; - case NSDS50_REPL_RUV_ERROR: - return "RUV error"; -+ case NSDS50_REPL_REPLICA_NO_RESPONSE: -+ return "no response received"; - default: - return "unknown error"; - } --- -2.21.0 - diff --git a/SOURCES/0000-Issue-50712-Version-comparison-doesn-t-work-correctl.patch b/SOURCES/0000-Issue-50712-Version-comparison-doesn-t-work-correctl.patch new file mode 100644 index 0000000..5398ed4 --- /dev/null +++ b/SOURCES/0000-Issue-50712-Version-comparison-doesn-t-work-correctl.patch 
@@ -0,0 +1,161 @@
+From b823da0b0e3f02a7972ebec4e714877d2ee2170e Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov
+Date: Fri, 15 Nov 2019 11:55:07 +0100
+Subject: [PATCH 1/2] Issue 50712 - Version comparison doesn't work correctly
+ on git builds
+
+Bug Description:
+`python3-packaging` is not shipped in RHEL8. But it's bundled with
+`setuptools` which is present in all major distributions.
+
+Fix Description:
+Use `pkg_resources` module from `setuptools` which provides needed
+functionality, change lib389 and rpm dependencies accordingly.
+
+Unfortunately, `pkg_resources.parse_version()` returns different
+objects for different strings too, so use `LegacyVersion` directly
+from `pkg_resources.extern.packaging.version`.
+
+Fixes: https://pagure.io/389-ds-base/issue/50712
+Relates: https://pagure.io/389-ds-base/issue/50706
+---
+ rpm/389-ds-base.spec.in | 2 +-
+ src/lib389/lib389/tests/utils_test.py | 29 +++++++++++++++++++++++++++
+ src/lib389/lib389/utils.py | 11 +++++-----
+ src/lib389/requirements.txt | 2 +-
+ src/lib389/setup.py | 2 +-
+ 5 files changed, 38 insertions(+), 8 deletions(-)
+
+diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
+index e60b0f3c5..6f4a1e1a9 100644
+--- a/rpm/389-ds-base.spec.in
++++ b/rpm/389-ds-base.spec.in
+@@ -130,7 +130,6 @@ BuildRequires: python%{python3_pkgversion}-argcomplete
+ BuildRequires: python%{python3_pkgversion}-argparse-manpage
+ BuildRequires: python%{python3_pkgversion}-policycoreutils
+ BuildRequires: python%{python3_pkgversion}-libselinux
+-BuildRequires: python%{python3_pkgversion}-packaging
+
+ # For cockpit
+ BuildRequires: rsync
+@@ -303,6 +302,7 @@ Requires: python%{python3_pkgversion}-pyasn1-modules
+ Requires: python%{python3_pkgversion}-dateutil
+ Requires: python%{python3_pkgversion}-argcomplete
+ Requires: python%{python3_pkgversion}-libselinux
++Requires: python%{python3_pkgversion}-setuptools
+ %{?python_provide:%python_provide python%{python3_pkgversion}-lib389}
+
+ %description -n python%{python3_pkgversion}-lib389
+diff --git a/src/lib389/lib389/tests/utils_test.py b/src/lib389/lib389/tests/utils_test.py
+index 5378066b6..a696eb5c9 100644
+--- a/src/lib389/lib389/tests/utils_test.py
++++ b/src/lib389/lib389/tests/utils_test.py
+@@ -145,6 +145,35 @@ def test_get_log_data(data):
+ assert display_log_data(before) == after
+
+
++@pytest.mark.parametrize('ds_ver, cmp_ver', [
++ ('1.3.1', '1.3.2'),
++ ('1.3.1', '1.3.10'),
++ ('1.3.2', '1.3.10'),
++ ('1.3.9', ('1.3.10', '1.4.2.0')),
++ ('1.4.0.1', ('1.3.9', '1.4.1.0', '1.4.2.1')),
++ ('1.4.1', '1.4.2.0-20191115gitbadc0ffee' ),
++])
++def test_ds_is_older_versions(ds_ver, cmp_ver):
++ if isinstance(cmp_ver, tuple):
++ assert ds_is_related('older', ds_ver, *cmp_ver)
++ else:
++ assert ds_is_related('older', ds_ver, cmp_ver)
++
++@pytest.mark.parametrize('ds_ver, cmp_ver', [
++ ('1.3.2', '1.3.1'),
++ ('1.3.10', '1.3.1'),
++ ('1.3.10', '1.3.2'),
++ ('1.3.10', ('1.3.9', '1.4.2.0')),
++ ('1.4.2.1', ('1.3.9', '1.4.0.1', '1.4.2.0')),
++ ('1.4.2.0-20191115gitbadc0ffee', '1.4.1' ),
++])
++def test_ds_is_newer_versions(ds_ver, cmp_ver):
++ if isinstance(cmp_ver, tuple):
++ assert ds_is_related('newer', ds_ver, *cmp_ver)
++ else:
++ assert ds_is_related('newer', ds_ver, cmp_ver)
++
++
+ if __name__ == "__main__":
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s -v %s" % CURRENT_FILE)
+diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py
+index 3234cdccb..b9eacfdea 100644
+--- a/src/lib389/lib389/utils.py
++++ b/src/lib389/lib389/utils.py
+@@ -40,7 +40,7 @@ import shlex
+ import operator
+ import subprocess
+ import math
+-from packaging.version import LegacyVersion
++from pkg_resources.extern.packaging.version import LegacyVersion
+ from socket import getfqdn
+ from ldapurl import LDAPUrl
+ from contextlib import closing
+@@ -1067,13 +1067,12 @@ def get_ds_version():
+ return p.version
+
+
+-def ds_is_related(relation, *ver):
++def ds_is_related(relation, ds_ver, *ver):
+ """
+ Return a result of a comparison between the current version of ns-slapd and a provided version.
+ """
+ ops = {'older': operator.lt,
+ 'newer': operator.ge}
+- ds_ver = get_ds_version()
+ if len(ver) > 1:
+ for cmp_ver in ver:
+ if cmp_ver.startswith(ds_ver[:3]):
+@@ -1086,14 +1085,16 @@ def ds_is_older(*ver):
+ """
+ Return True if the current version of ns-slapd is older than a provided version
+ """
+- return ds_is_related('older', *ver)
++ ds_ver = get_ds_version()
++ return ds_is_related('older', ds_ver, *ver)
+
+
+ def ds_is_newer(*ver):
+ """
+ Return True if the current version of ns-slapd is newer than a provided version
+ """
+- return ds_is_related('newer', *ver)
++ ds_ver = get_ds_version()
++ return ds_is_related('newer', ds_ver, *ver)
+
+
+ def gentime_to_datetime(gentime):
+diff --git a/src/lib389/requirements.txt b/src/lib389/requirements.txt
+index 5cce1d04b..eb2475f3b 100644
+--- a/src/lib389/requirements.txt
++++ b/src/lib389/requirements.txt
+@@ -6,4 +6,4 @@ six
+ argcomplete
+ argparse-manpage
+ python-ldap
+-packaging
++setuptools
+diff --git a/src/lib389/setup.py b/src/lib389/setup.py
+index f2e404333..056173936 100644
+--- a/src/lib389/setup.py
++++ b/src/lib389/setup.py
+@@ -82,7 +82,7 @@ setup(
+ 'argcomplete',
+ 'argparse-manpage',
+ 'python-ldap',
+- 'packaging',
++ 'setuptools',
+ ],
+
+ cmdclass={
+--
+2.21.0
+
diff --git a/SOURCES/0001-Issue-49875-Move-SystemD-service-config-to-a-drop-in.patch b/SOURCES/0001-Issue-49875-Move-SystemD-service-config-to-a-drop-in.patch
deleted file mode 100644
index 5664290..0000000
--- a/SOURCES/0001-Issue-49875-Move-SystemD-service-config-to-a-drop-in.patch
+++ /dev/null
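Review bot: The import added to src/lib389/lib389/utils.py, `from pkg_resources.extern.packaging.version import LegacyVersion`, takes `LegacyVersion` from setuptools' vendored-dependency namespace, which is an internal detail of setuptools rather than a supported interface. `LegacyVersion` has since been dropped from `packaging` upstream, so a setuptools release that refreshes its bundled copy would make this line raise ImportError when lib389 is loaded, and the unversioned `setuptools` entries added to requirements.txt, setup.py and the spec file would not stop such a release from being installed. Because `ds_is_older`/`ds_is_newer` are version gates, I would record the constraint at the import, e.g. `# NOTE: private setuptools API; requires a setuptools whose vendored packaging still ships LegacyVersion`, and bound the `setuptools` requirement to releases where that holds. Separately, the context line `if cmp_ver.startswith(ds_ver[:3]):` in `ds_is_related` matches on the first three characters of the version string, which looks fragile for a two-digit minor component; the rest of that function is outside the hunk, so this needs checking against the full body.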
@@ -1,336 +0,0 @@ -From 5b36c591ef0e79ee1fd4a0db4644d9d0e8d183ca Mon Sep 17 00:00:00 2001 -From: Matus Honek -Date: Mon, 27 May 2019 10:59:03 +0000 -Subject: [PATCH] Issue 49875 - Move SystemD service config to a drop-in file - -Bug Description: -Runtime configuration options are mixed into the service specification -which should seldom be changed by users. - -Fix Description: -Move the runtime configuration options into a drop-in file. These options -are then automatically pulled in by SystemD. - -Additional Info: -Erasing the default values of the mentioned options to implicitly pull in -system defaults which are more sane nowadays. - -The .service file is now common for xsan and non-xsan builds, the former -differring only by an additional drop-in file. - -Related https://pagure.io/389-ds-base/issue/49875 - -Author: Matus Honek - -Review by: firstyear, mreynolds, vashirov (thanks!) ---- - Makefile.am | 23 ++++-- - configure.ac | 2 + - .../systemd.template.service.custom.conf.in | 52 +++++++++++++ - wrappers/systemd.template.service.in | 57 +------------- - .../systemd.template.service.xsan.conf.in | 11 +++ - wrappers/systemd.template.xsan.service.in | 77 ------------------- - 6 files changed, 85 insertions(+), 137 deletions(-) - create mode 100644 wrappers/systemd.template.service.custom.conf.in - create mode 100644 wrappers/systemd.template.service.xsan.conf.in - delete mode 100644 wrappers/systemd.template.xsan.service.in - -diff --git a/Makefile.am b/Makefile.am -index 01ac3a04d..de9e0c460 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -300,6 +300,7 @@ serverdir = $(libdir)/@serverdir@ - serverplugindir = $(libdir)@serverplugindir@ - taskdir = $(datadir)@scripttemplatedir@ - systemdsystemunitdir = @with_systemdsystemunitdir@ -+systemdsystemunitdropindir = @with_systemdsystemunitdir@/$(PACKAGE_NAME)@.service.d - systemdsystemconfdir = @with_systemdsystemconfdir@ - systemdgroupname = @with_systemdgroupname@ - initdir = @initdir@ -@@ -880,6 +881,11 @@ if 
SYSTEMD - systemdsystemunit_DATA = wrappers/$(PACKAGE_NAME)@.service \ - wrappers/$(systemdgroupname) \ - wrappers/$(PACKAGE_NAME)-snmp.service -+ -+systemdsystemunitdropin_DATA = wrappers/$(PACKAGE_NAME)@.service.d/custom.conf -+if with_sanitizer -+systemdsystemunitdropin_DATA += wrappers/$(PACKAGE_NAME)@.service.d/xsan.conf -+endif - else - if INITDDIR - init_SCRIPTS = wrappers/$(PACKAGE_NAME) \ -@@ -2314,12 +2320,17 @@ endif - # yes, that is an @ in the filename . . . - %/$(PACKAGE_NAME)@.service: %/systemd.template.service.in - if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi -- if [ ! -z ${SANITIZER} ] ; then \ -- service_template=$(shell echo $^ | sed 's/template/template.xsan/g'); \ -- else \ -- service_template=$^; \ -- fi; \ -- $(fixupcmd) $$service_template > $@ -+ $(fixupcmd) $^ > $@ -+ -+%/$(PACKAGE_NAME)@.service.d/custom.conf: %/systemd.template.service.custom.conf.in -+ if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi -+ $(fixupcmd) $^ > $@ -+ -+if with_sanitizer -+%/$(PACKAGE_NAME)@.service.d/xsan.conf: %/systemd.template.service.xsan.conf.in -+ if [ ! -d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi -+ $(fixupcmd) $^ > $@ -+endif - - %/$(systemdgroupname): %/systemd.group.in - if [ ! 
-d $(dir $@) ] ; then mkdir -p $(dir $@) ; fi -diff --git a/configure.ac b/configure.ac -index 3660e6816..d329e84a9 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -196,6 +196,8 @@ AC_SUBST([ubsan_cflags]) - AC_SUBST([ubsan_rust_defs]) - AM_CONDITIONAL(enable_ubsan,test "$enable_ubsan" = "yes") - -+AM_CONDITIONAL(with_sanitizer,test "$enable_asan" = "yes" -o "$enable_msan" = "yes" -o "$enable_tsan" = "yes" -o "$enable_ubsan" = "yes") -+ - # Enable CLANG - AC_MSG_CHECKING(for --enable-clang) - AC_ARG_ENABLE(clang, AS_HELP_STRING([--enable-clang], [Enable clang (default: no)]), -diff --git a/wrappers/systemd.template.service.custom.conf.in b/wrappers/systemd.template.service.custom.conf.in -new file mode 100644 -index 000000000..0dce62826 ---- /dev/null -+++ b/wrappers/systemd.template.service.custom.conf.in -@@ -0,0 +1,52 @@ -+# To change any of the below values, please use a drop-in file in which -+# you can declare overrides according to systemd.unit(5), either of: -+# - applying to all instances: -+# /etc/systemd/system/dirsrv@.service.d/custom.conf -+# - applying to a single instance (overriding the above): -+# /etc/systemd/system/dirsrv@.service.d/custom.conf -+# -+# Some of the most interesting coniguration options are mentioned below. -+# See systemd.service(5) and systemd.exec(5) for the respective documentation. -+# -+# After updating the service configuration, do not forget to apply the changes: -+# - reload systemd configuration: systemctl daemon-reload -+# - restart the service: systemctl restart @package_name@@.service -+ -+[Service] -+TimeoutStartSec=0 -+TimeoutStopSec=600 -+ -+# These are from man systemd.exec and man systemd.resource-control -+ -+# This controls the resources to the direct child of systemd, in -+# this case ns-slapd. Because we are type notify we recieve these -+# limits correctly. -+ -+# This controls the number of file handles avaliable. 
File handles -+# correlate to sockets for the process, and our access to logs and -+# databases. Note, the configuration setting in Directory Server, -+# "nsslapd-maxdescriptors", can override this limit. -+#LimitNOFILE= -+ -+# You can limit the memory in the cgroup with these, and ns-slapd -+# will account for them in it's autotuning. -+# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf -+#MemoryAccounting=yes -+#MemoryLimit= -+ -+# Limits on the size of coredump that may be produced by the process. It's not -+# specified how this interacts with coredumpd. -+# 0 means not to produce cores. -+#LimitCORE= -+ -+# Limit number of processes (threads) we may spawn. We don't advise you change -+# this as DS will autodetect your threads / cpus and adjust as needed. -+#LimitNPROC= -+ -+# Possible hardening options: -+#PrivateDevices=yes -+#ProtectSystem=yes -+#ProtectHome=yes -+#PrivateTmp=yes -+ -+ -diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in -index 7142c3492..2ac6f978f 100644 ---- a/wrappers/systemd.template.service.in -+++ b/wrappers/systemd.template.service.in -@@ -1,17 +1,6 @@ --# you usually do not want to edit this file - instead, edit the --# @initconfigdir@/@package_name@.systemd file instead - otherwise, --# do not edit this file in /lib/systemd/system - instead, do the following: --# cp /lib/systemd/system/dirsrv\@.service /etc/systemd/system/dirsrv\@.service --# mkdir -p /etc/systemd/system/@systemdgroupname@.wants --# edit /etc/systemd/system/dirsrv\@.service - uncomment the LimitNOFILE=8192 line --# where %i is the name of the instance --# you may already have a symlink in --# /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service pointing to --# /lib/systemd/system/dirsrv\@.service - you will have to change it to link --# to /etc/systemd/system/dirsrv\@.service instead --# ln -s /etc/systemd/system/dirsrv\@.service 
/etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service --# systemctl daemon-reload --# systemctl (re)start @systemdgroupname@ -+# You should not need to edit this file. Instead, use a drop-in file as described in: -+# /usr/lib/systemd/system/@package_name@@.service.d/custom.conf -+ - [Unit] - Description=@capbrand@ Directory Server %i. - PartOf=@systemdgroupname@ -@@ -21,51 +10,11 @@ Before=radiusd.service - [Service] - Type=notify - NotifyAccess=all --TimeoutStartSec=0 --TimeoutStopSec=600 - EnvironmentFile=-@initconfigdir@/@package_name@ - EnvironmentFile=-@initconfigdir@/@package_name@-%i - PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid - ExecStartPre=@libexecdir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif - ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid - --#### To change any of these values or directives, you should use a drop in file --# such as: /etc/systemd/system/dirsrv@.d/custom.conf -- --# These are from man systemd.exec and man systemd.resource-control -- --# This controls the resources to the direct child of systemd, in --# this case ns-slapd. Because we are type notify we recieve these --# limits correctly. -- --# This controls the number of file handles avaliable. File handles --# correlate to sockets for the process, and our access to logs and --# databases. Note, the configuration setting in Directory Server, --# "nsslapd-maxdescriptors", can override this limit. --LimitNOFILE=16384 -- --# You can limit the memory in the cgroup with these, and ns-slapd --# will account for them in it's autotuning. --# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf --# MemoryAccounting=true --# MemoryLimit=bytes -- --# Limits on the size of coredump that may be produced by the process. It's not --# specified how this interacts with coredumpd. --# 0 means not to produce cores. 
--# This value is 64G --LimitCORE=68719476736 -- --# Limit number of processes (threads) we may spawn. We don't advise you change --# this as DS will autodetect your threads / cpus and adjust as needed. --# LimitNPROC= -- --# Hardening options: --# PrivateDevices=true --# ProtectSystem=true --# ProtectHome=true --# PrivateTmp=true -- - [Install] - WantedBy=multi-user.target -- -diff --git a/wrappers/systemd.template.service.xsan.conf.in b/wrappers/systemd.template.service.xsan.conf.in -new file mode 100644 -index 000000000..f4bf809b9 ---- /dev/null -+++ b/wrappers/systemd.template.service.xsan.conf.in -@@ -0,0 +1,11 @@ -+# This file is present because the server has been built with a sanitizer. -+# It is not meant for a production usage. -+[Unit] -+Description=@capbrand@ Directory Server with @SANITIZER@ %i. -+ -+[Service] -+# We can't symbolize here, as llvm symbolize crashes when it goes near systemd. -+Environment=ASAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.asan:print_stacktrace=1 -+Environment=TSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.tsan:print_stacktrace=1:second_deadlock_stack=1:history_size=7 -+Environment=MSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.msan:print_stacktrace=1 -+Environment=UBSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.ubsan:print_stacktrace=1 -diff --git a/wrappers/systemd.template.xsan.service.in b/wrappers/systemd.template.xsan.service.in -deleted file mode 100644 -index 541392ff8..000000000 ---- a/wrappers/systemd.template.xsan.service.in -+++ /dev/null -@@ -1,77 +0,0 @@ --# you usually do not want to edit this file - instead, edit the --# @initconfigdir@/@package_name@.systemd file instead - otherwise, --# do not edit this file in /lib/systemd/system - instead, do the following: --# cp /lib/systemd/system/dirsrv\@.service /etc/systemd/system/dirsrv\@.service --# mkdir -p /etc/systemd/system/@systemdgroupname@.wants --# edit 
/etc/systemd/system/dirsrv\@.service - uncomment the LimitNOFILE=8192 line --# where %i is the name of the instance --# you may already have a symlink in --# /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service pointing to --# /lib/systemd/system/dirsrv\@.service - you will have to change it to link --# to /etc/systemd/system/dirsrv\@.service instead --# ln -s /etc/systemd/system/dirsrv\@.service /etc/systemd/system/@systemdgroupname@.wants/dirsrv@%i.service --# systemctl daemon-reload --# systemctl (re)start @systemdgroupname@ --[Unit] --Description=@capbrand@ Directory Server with @SANITIZER@ %i. --PartOf=@systemdgroupname@ --After=chronyd.service ntpd.service network-online.target syslog.target --Before=radiusd.service -- --[Service] --Type=notify --NotifyAccess=all --TimeoutStartSec=0 --TimeoutStopSec=600 --EnvironmentFile=@initconfigdir@/@package_name@ --EnvironmentFile=@initconfigdir@/@package_name@-%i --PIDFile=@localstatedir@/run/@package_name@/slapd-%i.pid --# We can't symbolize here, as llvm symbolize crashes when it goes near systemd. 
--Environment=ASAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.asan:print_stacktrace=1 --Environment=TSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.tsan:print_stacktrace=1:second_deadlock_stack=1:history_size=7 --Environment=MSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.msan:print_stacktrace=1 --Environment=UBSAN_OPTIONS=log_path=@localstatedir@/run/@package_name@/ns-slapd-%i.ubsan:print_stacktrace=1 --LimitCORE=infinity --ExecStartPre=@libexecdir@/ds_systemd_ask_password_acl @instconfigdir@/slapd-%i/dse.ldif --ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/@package_name@/slapd-%i.pid -- --#### To change any of these values or directives, you should use a drop in file --# such as: /etc/systemd/system/dirsrv@.d/custom.conf -- --# These are from man systemd.exec and man systemd.resource-control -- --# This controls the resources to the direct child of systemd, in --# this case ns-slapd. Because we are type notify we recieve these --# limits correctly. -- --# This controls the number of file handles avaliable. File handles --# correlate to sockets for the process, and our access to logs and --# databases. --LimitNOFILE=16384 -- --# You can limit the memory in the cgroup with these, and ns-slapd --# will account for them in it's autotuning. --# Memory account may be controlled by DefaultMemoryAccounting= in systemd-system.conf --# MemoryAccounting=true --# MemoryLimit=bytes -- --# Limits on the size of coredump that may be produced by the process. It's not --# specified how this interacts with coredumpd. --# 0 means not to produce cores. --# This value is 64G --LimitCORE=68719476736 -- --# Limit number of processes (threads) we may spawn. We don't advise you change --# this as DS will autodetect your threads / cpus and adjust as needed. 
--# LimitNPROC= -- --# Hardening options: --# PrivateDevices=true --# ProtectSystem=true --# ProtectHome=true --# PrivateTmp=true -- -- --[Install] --WantedBy=multi-user.target -- --- -2.21.0 - diff --git a/SOURCES/0001-Issue-50499-Fix-npm-audit-issues.patch b/SOURCES/0001-Issue-50499-Fix-npm-audit-issues.patch new file mode 100644 index 0000000..842237e --- /dev/null +++ b/SOURCES/0001-Issue-50499-Fix-npm-audit-issues.patch 
@@ -0,0 +1,59 @@ +From 00bc5150aeb5e0d7676d0c578cd64a3977ae5d85 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 15 Nov 2019 11:04:14 -0500 +Subject: [PATCH 2/2] Issue 50499 - Fix npm audit issues + +Description: Updated npm handlebars package to 4.5.2 + +relates: https://pagure.io/389-ds-base/issue/50499 +--- + src/cockpit/389-console/package-lock.json | 12 ++++++------ + src/cockpit/389-console/package.json | 2 +- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/src/cockpit/389-console/package-lock.json b/src/cockpit/389-console/package-lock.json +index 7207e92a0..f61e48985 100644 +--- a/src/cockpit/389-console/package-lock.json ++++ b/src/cockpit/389-console/package-lock.json +@@ -6053,9 +6053,9 @@ + "integrity": "sha512-zGEOVKFM5sVPPrYs7J5/hYEw2Pof8KCyOwyhG8sAF26mCAeUFAcYPu1mwB7hhpIP29zOIBaDqwuHdLp0jvZXjw==" + }, + "handlebars": { +- "version": "4.5.1", +- "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.5.1.tgz", +- "integrity": "sha512-C29UoFzHe9yM61lOsIlCE5/mQVGrnIOrOq7maQl76L7tYPCgC1og0Ajt6uWnX4ZTxBPnjw+CUvawphwCfJgUnA==", ++ "version": "4.5.2", ++ "resolved": "https://registry.npmjs.org/handlebars/-/handlebars-4.5.2.tgz", ++ "integrity": "sha512-29Zxv/cynYB7mkT1rVWQnV7mGX6v7H/miQ6dbEpYTKq5eJBN7PsRB+ViYJlcT6JINTSu4dVB9kOqEun78h6Exg==", + "requires": { + "neo-async": "^2.6.0", + "optimist": "^0.6.1", +@@ -6075,9 +6075,9 @@ + "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==" + }, + "uglify-js": { +- "version": "3.6.7", +- "resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-3.6.7.tgz", +- "integrity": "sha512-4sXQDzmdnoXiO+xvmTzQsfIiwrjUCSA95rSP4SEd8tDb51W2TiDOlL76Hl+Kw0Ie42PSItCW8/t6pBNCF2R48A==", ++ "version": "3.6.9", ++ "resolved": "https://registry.npmjs.org/uglify-js/-/uglify-js-3.6.9.tgz", ++ "integrity": "sha512-pcnnhaoG6RtrvHJ1dFncAe8Od6Nuy30oaJ82ts6//sGSXOP5UjBMEthiProjXmMNHOfd93sqlkztifFMcb+4yw==", + "optional": true, + "requires": { + 
"commander": "~2.20.3", +diff --git a/src/cockpit/389-console/package.json b/src/cockpit/389-console/package.json +index ffa429d83..fb2449675 100644 +--- a/src/cockpit/389-console/package.json ++++ b/src/cockpit/389-console/package.json +@@ -52,7 +52,7 @@ + "@patternfly/react-core": "^3.58.1", + "bootstrap": "^4.3.1", + "file-loader": "^4.1.0", +- "handlebars": "^4.4.5", ++ "handlebars": "^4.5.2", + "node-sass": "4.12.0", + "patternfly": "^3.59.3", + "patternfly-react": "^2.34.3", +-- +2.21.0 + diff --git a/SOURCES/0002-Issue-50701-Add-additional-healthchecks-to-dsconf.patch b/SOURCES/0002-Issue-50701-Add-additional-healthchecks-to-dsconf.patch new file mode 100644 index 0000000..dd043a5 --- /dev/null +++ b/SOURCES/0002-Issue-50701-Add-additional-healthchecks-to-dsconf.patch 
@@ -0,0 +1,1395 @@ +From 09326585a5561480d44beb508af2cb1da52bfff6 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 18 Nov 2019 12:02:39 -0500 +Subject: [PATCH] Issue 50701 - Add additional healthchecks to dsconf + +Description: New checks and several design changes have been implemented + + Design changes: + - Moved to a "yield" design, where a lint function can return multiple results + - Revised the lint report so it's easier to read and distiguish between multiple + errors + - Revised most lint errors to include CLI examples on how to fix the issue + + New Checks: + - Check TLS certs for expired/expiring + - Add RI plugin checks for missing indexes for RI member attributes + - Added Disk Space check + - Add Virtual Attribute index check + - Add replication agmt status check + - Add replication conflict entry check + - File System checks (/etc/revolv.conf, and NSS pin files) + - Replication changelog trimming + +relates: https://pagure.io/389-ds-base/issue/50701 + +Reviewed by: firstyear, mhonek, tbordaz, and spichugi (Thanks!!!!) + +add suggested changes + +Improved the replication agreement health checks to use the new +state levels (red, amber, green), and we use that to generate +different reports. + +Also improved report example autofilling of the values, so the exact +commands can be copied and pasted. + +Added a changelog trimming check as well. 
+ +Updated the help section to wanr that htehealthcheck feature should +only be run on the local instance + +Moved healthcheck to dsctl and added file permission checks +--- + src/lib389/cli/dsconf | 2 - + src/lib389/cli/dsctl | 10 +- + src/lib389/lib389/_mapped_object.py | 6 +- + src/lib389/lib389/agreement.py | 67 +++++-- + src/lib389/lib389/backend.py | 122 +++++++++--- + src/lib389/lib389/cli_base/dsrc.py | 6 +- + src/lib389/lib389/cli_conf/health.py | 62 ------ + src/lib389/lib389/cli_ctl/health.py | 123 ++++++++++++ + src/lib389/lib389/config.py | 18 +- + src/lib389/lib389/dseldif.py | 43 +++- + src/lib389/lib389/lint.py | 287 +++++++++++++++++++++++---- + src/lib389/lib389/monitor.py | 14 ++ + src/lib389/lib389/nss_ssl.py | 35 +++- + src/lib389/lib389/plugins.py | 46 ++++- + src/lib389/lib389/properties.py | 1 + + src/lib389/lib389/replica.py | 70 +++++++ + 16 files changed, 746 insertions(+), 166 deletions(-) + delete mode 100644 src/lib389/lib389/cli_conf/health.py + create mode 100644 src/lib389/lib389/cli_ctl/health.py + +diff --git a/src/lib389/cli/dsconf b/src/lib389/cli/dsconf +index 6e3ef19c3..5143756c8 100755 +--- a/src/lib389/cli/dsconf ++++ b/src/lib389/cli/dsconf +@@ -21,7 +21,6 @@ from lib389.cli_conf import backend as cli_backend + from lib389.cli_conf import directory_manager as cli_directory_manager + from lib389.cli_conf import plugin as cli_plugin + from lib389.cli_conf import schema as cli_schema +-from lib389.cli_conf import health as cli_health + from lib389.cli_conf import monitor as cli_monitor + from lib389.cli_conf import saslmappings as cli_sasl + from lib389.cli_conf import pwpolicy as cli_pwpolicy +@@ -80,7 +79,6 @@ cli_backup.create_parser(subparsers) + cli_chaining.create_parser(subparsers) + cli_config.create_parser(subparsers) + cli_directory_manager.create_parsers(subparsers) +-cli_health.create_parser(subparsers) + cli_monitor.create_parser(subparsers) + cli_plugin.create_parser(subparsers) + 
cli_pwpolicy.create_parser(subparsers) +diff --git a/src/lib389/cli/dsctl b/src/lib389/cli/dsctl +index 31e906b7d..8b86629ac 100755 +--- a/src/lib389/cli/dsctl ++++ b/src/lib389/cli/dsctl +@@ -16,14 +16,17 @@ import sys + import signal + import os + from lib389.utils import get_instance_list +-from lib389.cli_base import _get_arg, setup_script_logger, disconnect_instance + from lib389 import DirSrv + from lib389.cli_ctl import instance as cli_instance + from lib389.cli_ctl import dbtasks as cli_dbtasks +-from lib389.cli_base import disconnect_instance, setup_script_logger +-from lib389.cli_base import format_error_to_dict + from lib389.cli_ctl import tls as cli_tls ++from lib389.cli_ctl import health as cli_health + from lib389.cli_ctl.instance import instance_remove_all ++from lib389.cli_base import ( ++ _get_arg, ++ disconnect_instance, ++ setup_script_logger, ++ format_error_to_dict) + from lib389._constants import DSRC_CONTAINER + + parser = argparse.ArgumentParser() +@@ -54,6 +57,7 @@ if not os.path.exists(DSRC_CONTAINER): + cli_instance.create_parser(subparsers) + cli_dbtasks.create_parser(subparsers) + cli_tls.create_parser(subparsers) ++cli_health.create_parser(subparsers) + + argcomplete.autocomplete(parser) + +diff --git a/src/lib389/lib389/_mapped_object.py b/src/lib389/lib389/_mapped_object.py +index e331b3b27..4da112d25 100644 +--- a/src/lib389/lib389/_mapped_object.py ++++ b/src/lib389/lib389/_mapped_object.py +@@ -978,9 +978,9 @@ class DSLdapObject(DSLogging): + return None + results = [] + for fn in self._lint_functions: +- result = fn() +- if result: +- results.append(result) ++ for result in fn(): ++ if result is not None: ++ results.append(result) + return results + + +diff --git a/src/lib389/lib389/agreement.py b/src/lib389/lib389/agreement.py +index a0d4597ec..93fd72895 100644 +--- a/src/lib389/lib389/agreement.py ++++ b/src/lib389/lib389/agreement.py +@@ -105,6 +105,9 @@ class Agreement(DSLdapObject): + time.sleep(2) + return (done, error) + 
++ def get_name(self): ++ return self.get_attr_val_utf8_l('cn') ++ + def get_agmt_maxcsn(self): + """Get the agreement maxcsn from the database RUV entry + :returns: CSN string if found, otherwise None is returned +@@ -202,7 +205,7 @@ class Agreement(DSLdapObject): + consumer.close() + return result_msg + +- def get_agmt_status(self, binddn=None, bindpw=None): ++ def get_agmt_status(self, binddn=None, bindpw=None, return_json=False): + """Return the status message + :param binddn: Specifies a specific bind DN to use when contacting the remote consumer + :type binddn: str +@@ -211,33 +214,55 @@ class Agreement(DSLdapObject): + :returns: A status message about the replication agreement + """ + status = "Unknown" +- ++ con_maxcsn = "Unknown" + try: + agmt_maxcsn = self.get_agmt_maxcsn() ++ agmt_status = json.loads(self.get_attr_val_utf8_l(AGMT_UPDATE_STATUS_JSON)) + if agmt_maxcsn is not None: +- con_maxcsn = self.get_consumer_maxcsn(binddn=binddn, bindpw=bindpw) +- if con_maxcsn: +- if agmt_maxcsn == con_maxcsn: +- status = "In Synchronization" +- else: +- # Not in sync - attempt to discover the cause +- repl_msg = "Unknown" +- if self.get_attr_val_utf8_l(AGMT_UPDATE_IN_PROGRESS) == 'true': +- # Replication is on going - this is normal +- repl_msg = "Replication still in progress" +- elif "can't contact ldap" in \ +- self.get_attr_val_utf8_l(AGMT_UPDATE_STATUS): +- # Consumer is down +- repl_msg = "Consumer can not be contacted" +- +- status = ("Not in Synchronization: supplier " + +- "(%s) consumer (%s) Reason(%s)" % +- (agmt_maxcsn, con_maxcsn, repl_msg)) ++ try: ++ con_maxcsn = self.get_consumer_maxcsn(binddn=binddn, bindpw=bindpw) ++ if con_maxcsn: ++ if agmt_maxcsn == con_maxcsn: ++ if return_json: ++ return json.dumps({ ++ 'msg': "In Synchronization", ++ 'agmt_maxcsn': agmt_maxcsn, ++ 'con_maxcsn': con_maxcsn, ++ 'state': agmt_status['state'], ++ 'reason': agmt_status['message'] ++ }) ++ else: ++ return "In Synchronization" ++ except: ++ pass ++ else: ++ 
agmt_maxcsn = "Unknown" ++ ++ # Not in sync - attempt to discover the cause ++ repl_msg = agmt_status['message'] ++ if self.get_attr_val_utf8_l(AGMT_UPDATE_IN_PROGRESS) == 'true': ++ # Replication is on going - this is normal ++ repl_msg = "Replication still in progress" ++ elif "can't contact ldap" in agmt_status['message']: ++ # Consumer is down ++ repl_msg = "Consumer can not be contacted" ++ ++ if return_json: ++ return json.dumps({ ++ 'msg': "Not in Synchronization", ++ 'agmt_maxcsn': agmt_maxcsn, ++ 'con_maxcsn': con_maxcsn, ++ 'state': agmt_status['state'], ++ 'reason': repl_msg ++ }) ++ else: ++ return ("Not in Synchronization: supplier " + ++ "(%s) consumer (%s) State (%s) Reason (%s)" % ++ (agmt_maxcsn, con_maxcsn, agmt_status['state'], repl_msg)) + except ldap.INVALID_CREDENTIALS as e: + raise(e) + except ldap.LDAPError as e: + raise ValueError(str(e)) +- return status + + def get_lag_time(self, suffix, agmt_name, binddn=None, bindpw=None): + """Get the lag time between the supplier and the consumer +diff --git a/src/lib389/lib389/backend.py b/src/lib389/lib389/backend.py +index 62fd0ae94..ac2af021c 100644 +--- a/src/lib389/lib389/backend.py ++++ b/src/lib389/lib389/backend.py +@@ -7,6 +7,7 @@ + # --- END COPYRIGHT BLOCK --- + + from datetime import datetime ++import copy + import ldap + from lib389._constants import * + from lib389.properties import * +@@ -19,6 +20,8 @@ from lib389._mapped_object import DSLdapObjects, DSLdapObject + from lib389.mappingTree import MappingTrees + from lib389.exceptions import NoSuchEntryError, InvalidArgumentError + from lib389.replica import Replicas ++from lib389.cos import (CosTemplates, CosIndirectDefinitions, ++ CosPointerDefinitions, CosClassicDefinitions) + + # We need to be a factor to the backend monitor + from lib389.monitor import MonitorBackend +@@ -30,7 +33,7 @@ from lib389.encrypted_attributes import EncryptedAttr, EncryptedAttrs + # This is for sample entry creation. 
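Review bot: The bare `except: pass` around `get_consumer_maxcsn()` in `get_agmt_status` swallows every exception, so a bind failure against the consumer presumably never reaches the `except ldap.INVALID_CREDENTIALS` handler below and is reported as an ordinary "Not in Synchronization" with `con_maxcsn` left at "Unknown". Catch only what is expected to be recoverable, for example `except ldap.SERVER_DOWN:`, and let credential errors propagate. `json.loads(self.get_attr_val_utf8_l(AGMT_UPDATE_STATUS_JSON))` also has no guard for an agreement that does not yet carry the JSON status attribute; if the getter returns None there, the resulting TypeError is caught by neither handler. The same bare `except:` appears twice in `_lint_virt_attrs` in backend.py, where any LDAP failure is read as "no index present" and the check passes silently. The method's signature and docstring are in the previous hunk.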
+ from lib389.configurations import get_sample_entries + +-from lib389.lint import DSBLE0001 ++from lib389.lint import DSBLE0001, DSBLE0002, DSBLE0003, DSVIRTLE0001 + + + class BackendLegacy(object): +@@ -410,10 +413,92 @@ class Backend(DSLdapObject): + self._must_attributes = ['nsslapd-suffix', 'cn'] + self._create_objectclasses = ['top', 'extensibleObject', BACKEND_OBJECTCLASS_VALUE] + self._protected = False +- self._lint_functions = [self._lint_mappingtree] ++ self._lint_functions = [self._lint_mappingtree, self._lint_search, self._lint_virt_attrs] + # Check if a mapping tree for this suffix exists. + self._mts = MappingTrees(self._instance) + ++ def _lint_virt_attrs(self): ++ """Check if any virtual attribute are incorrectly indexed""" ++ indexes = self.get_indexes() ++ suffix = self.get_attr_val_utf8('nsslapd-suffix') ++ ++ # First check nsrole ++ try: ++ indexes.get('nsrole') ++ report = copy.deepcopy(DSVIRTLE0001) ++ report['detail'] = report['detail'].replace('ATTR', 'nsrole') ++ report['fix'] = report['fix'].replace('ATTR', 'nsrole') ++ report['fix'] = report['fix'].replace('SUFFIX', suffix) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ report['items'].append(suffix) ++ report['items'].append('nsrole') ++ yield report ++ except: ++ pass ++ ++ # Check COS next ++ for cosDefType in [CosIndirectDefinitions, CosPointerDefinitions, CosClassicDefinitions]: ++ defs = cosDefType(self._instance, self._dn).list() ++ for cosDef in defs: ++ attrs = cosDef.get_attr_val_utf8_l("cosAttribute").split() ++ for attr in attrs: ++ if attr in ["default", "override", "operational", "operational-default", "merge-schemes"]: ++ # We are at the end, just break out ++ break ++ try: ++ indexes.get(attr) ++ # If we got here there is an index (bad) ++ report = copy.deepcopy(DSVIRTLE0001) ++ report['detail'] = report['detail'].replace('ATTR', attr) ++ report['fix'] = report['fix'].replace('ATTR', attr) ++ report['fix'] = 
report['fix'].replace('SUFFIX', suffix) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ report['items'].append(suffix) ++ report['items'].append("Class Of Service (COS)") ++ report['items'].append("cosAttribute: " + attr) ++ yield report ++ except: ++ # this is what we hope for ++ pass ++ ++ def _lint_search(self): ++ """Perform a search and make sure an entry is accessible ++ """ ++ dn = self.get_attr_val_utf8('nsslapd-suffix') ++ suffix = DSLdapObject(self._instance, dn=dn) ++ try: ++ suffix.get_attr_val('objectclass') ++ except ldap.NO_SUCH_OBJECT: ++ # backend root entry not created yet ++ DSBLE0003['items'] = [dn, ] ++ yield DSBLE0003 ++ except ldap.LDAPError as e: ++ # Some other error ++ DSBLE0002['detail'] = DSBLE0002['detail'].replace('ERROR', str(e)) ++ DSBLE0002['items'] = [dn, ] ++ yield DSBLE0002 ++ ++ def _lint_mappingtree(self): ++ """Backend lint ++ ++ This should check for: ++ * missing mapping tree entries for the backend ++ * missing indices if we are local and have log access? ++ """ ++ ++ # Check for the missing mapping tree. 
++ suffix = self.get_attr_val_utf8('nsslapd-suffix') ++ bename = self.get_attr_val_bytes('cn') ++ try: ++ mt = self._mts.get(suffix) ++ if mt.get_attr_val_bytes('nsslapd-backend') != bename and mt.get_attr_val('nsslapd-state') != ensure_bytes('backend'): ++ raise ldap.NO_SUCH_OBJECT("We have a matching suffix, but not a backend or correct database name.") ++ except ldap.NO_SUCH_OBJECT: ++ result = DSBLE0001 ++ result['items'] = [bename, ] ++ yield result ++ return None ++ + def create_sample_entries(self, version): + """Creates sample entries under nsslapd-suffix value + +@@ -552,27 +637,6 @@ class Backend(DSLdapObject): + # Now remove our children, this is all ldbm config + self._instance.delete_branch_s(self._dn, ldap.SCOPE_SUBTREE) + +- def _lint_mappingtree(self): +- """Backend lint +- +- This should check for: +- * missing mapping tree entries for the backend +- * missing indices if we are local and have log access? +- """ +- +- # Check for the missing mapping tree. +- suffix = self.get_attr_val_utf8('nsslapd-suffix') +- bename = self.get_attr_val_bytes('cn') +- try: +- mt = self._mts.get(suffix) +- if mt.get_attr_val_bytes('nsslapd-backend') != bename and mt.get_attr_val('nsslapd-state') != ensure_bytes('backend'): +- raise ldap.NO_SUCH_OBJECT("We have a matching suffix, but not a backend or correct database name.") +- except ldap.NO_SUCH_OBJECT: +- result = DSBLE0001 +- result['items'] = [bename, ] +- return result +- return None +- + def get_suffix(self): + return self.get_attr_val_utf8_l('nsslapd-suffix') + +@@ -753,6 +817,18 @@ class Backend(DSLdapObject): + break + return subsuffixes + ++ def get_cos_indirect_defs(self): ++ return CosIndirectDefinitions(self._instance, self._dn).list() ++ ++ def get_cos_pointer_defs(self): ++ return CosPointerDefinitions(self._instance, self._dn).list() ++ ++ def get_cos_classic_defs(self): ++ return CosClassicDefinitions(self._instance, self._dn).list() ++ ++ def get_cos_templates(self): ++ return 
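Review bot: `_lint_search` and `_lint_mappingtree` write into the module-level `DSBLE0001`, `DSBLE0002` and `DSBLE0003` dicts from lib389.lint instead of a copy, unlike `_lint_virt_attrs` in this same hunk, which uses `copy.deepcopy`. After the first failure `DSBLE0002['detail']` no longer contains the `ERROR` placeholder, so every later backend reports the first backend's LDAP error. Because the same dict object is yielded each time, the `items` of earlier results are also overwritten by later ones. Start each branch with `report = copy.deepcopy(DSBLE0002)` (likewise for `DSBLE0001` and `DSBLE0003`), then fill in and yield `report`.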
CosTemplates(self._instance, self._dn).list() ++ + + class Backends(DSLdapObjects): + """DSLdapObjects that represents DN_LDBM base DN +diff --git a/src/lib389/lib389/cli_base/dsrc.py b/src/lib389/lib389/cli_base/dsrc.py +index bbd160e8e..20b240df5 100644 +--- a/src/lib389/lib389/cli_base/dsrc.py ++++ b/src/lib389/lib389/cli_base/dsrc.py +@@ -41,12 +41,15 @@ def dsrc_arg_concat(args, dsrc_inst): + 'uri': args.instance, + 'basedn': args.basedn, + 'binddn': args.binddn, ++ 'bindpw': None, + 'saslmech': None, + 'tls_cacertdir': None, + 'tls_cert': None, + 'tls_key': None, + 'tls_reqcert': ldap.OPT_X_TLS_HARD, + 'starttls': args.starttls, ++ 'prompt': False, ++ 'pwdfile': None, + 'args': {} + } + # Now gather the args +@@ -137,7 +140,8 @@ def dsrc_to_ldap(path, instance_name, log): + else: + dsrc_inst['tls_reqcert'] = ldap.OPT_X_TLS_HARD + dsrc_inst['starttls'] = config.getboolean(instance_name, 'starttls', fallback=False) +- ++ dsrc_inst['pwdfile'] = None ++ dsrc_inst['prompt'] = False + # Now gather the args + dsrc_inst['args'][SER_LDAP_URL] = dsrc_inst['uri'] + dsrc_inst['args'][SER_ROOT_DN] = dsrc_inst['binddn'] +diff --git a/src/lib389/lib389/cli_conf/health.py b/src/lib389/lib389/cli_conf/health.py +deleted file mode 100644 +index 040d85674..000000000 +--- a/src/lib389/lib389/cli_conf/health.py ++++ /dev/null +@@ -1,62 +0,0 @@ +-# --- BEGIN COPYRIGHT BLOCK --- +-# Copyright (C) 2016 Red Hat, Inc. +-# All rights reserved. +-# +-# License: GPL (version 3 or any later version). +-# See LICENSE for details. +-# --- END COPYRIGHT BLOCK --- +- +-from lib389.backend import Backend, Backends +-from lib389.config import Encryption, Config +-from lib389 import plugins +- +-# These get all instances, then check them all. +-CHECK_MANY_OBJECTS = [ +- Backends, +-] +- +-# These get single instances and check them. 
+-CHECK_OBJECTS = [ +- Config, +- Encryption, +- plugins.ReferentialIntegrityPlugin +-] +- +- +-def _format_check_output(log, result): +- log.info("==== DS Lint Error: %s ====" % result['dsle']) +- log.info(" Severity: %s " % result['severity']) +- log.info(" Affects:") +- for item in result['items']: +- log.info(" -- %s" % item) +- log.info(" Details:") +- log.info(result['detail']) +- log.info(" Resolution:") +- log.info(result['fix']) +- +- +-def health_check_run(inst, basedn, log, args): +- log.info("Beginning lint report, this could take a while ...") +- report = [] +- for lo in CHECK_MANY_OBJECTS: +- log.info("Checking %s ..." % lo.__name__) +- lo_inst = lo(inst) +- for clo in lo_inst.list(): +- result = clo.lint() +- if result is not None: +- report += result +- for lo in CHECK_OBJECTS: +- log.info("Checking %s ..." % lo.__name__) +- lo_inst = lo(inst) +- result = lo_inst.lint() +- if result is not None: +- report += result +- log.info("Healthcheck complete!") +- for item in report: +- _format_check_output(log, item) +- +- +-def create_parser(subparsers): +- run_healthcheck_parser = subparsers.add_parser('healthcheck', help="Run a healthcheck report on your Directory Server instance. This is a safe, read only operation.") +- run_healthcheck_parser.set_defaults(func=health_check_run) +- +diff --git a/src/lib389/lib389/cli_ctl/health.py b/src/lib389/lib389/cli_ctl/health.py +new file mode 100644 +index 000000000..d8f3d732b +--- /dev/null ++++ b/src/lib389/lib389/cli_ctl/health.py +@@ -0,0 +1,123 @@ ++# --- BEGIN COPYRIGHT BLOCK --- ++# Copyright (C) 2016 Red Hat, Inc. ++# All rights reserved. ++# ++# License: GPL (version 3 or any later version). ++# See LICENSE for details. 
++# --- END COPYRIGHT BLOCK --- ++ ++import json ++from getpass import getpass ++from lib389.cli_base import connect_instance, disconnect_instance, format_error_to_dict ++from lib389.cli_base.dsrc import dsrc_to_ldap, dsrc_arg_concat ++from lib389.backend import Backend, Backends ++from lib389.config import Encryption, Config ++from lib389.monitor import MonitorDiskSpace ++from lib389.replica import Replica, Changelog5 ++from lib389.nss_ssl import NssSsl ++from lib389.dseldif import FSChecks ++from lib389 import plugins ++from lib389._constants import DSRC_HOME ++ ++# These get all instances, then check them all. ++CHECK_MANY_OBJECTS = [ ++ Backends, ++] ++ ++# These get single instances and check them. ++CHECK_OBJECTS = [ ++ Config, ++ Encryption, ++ FSChecks, ++ plugins.ReferentialIntegrityPlugin, ++ MonitorDiskSpace, ++ Replica, ++ Changelog5, ++ NssSsl, ++] ++ ++ ++def _format_check_output(log, result, idx): ++ log.info("\n\n[{}] DS Lint Error: {}".format(idx, result['dsle'])) ++ log.info("-" * 80) ++ log.info("Severity: %s " % result['severity']) ++ log.info("Affects:") ++ for item in result['items']: ++ log.info(" -- %s" % item) ++ log.info("\nDetails:") ++ log.info('-----------') ++ log.info(result['detail']) ++ log.info("\nResolution:") ++ log.info('-----------') ++ log.info(result['fix']) ++ ++ ++def health_check_run(inst, log, args): ++ """Connect to the local server using LDAPI, and perform various health checks ++ """ ++ ++ # update the args for connect_instance() ++ args.basedn = None ++ args.binddn = None ++ args.bindpw = None ++ args.starttls = None ++ args.pwdfile = None ++ args.prompt = False ++ dsrc_inst = dsrc_to_ldap(DSRC_HOME, args.instance, log.getChild('dsrc')) ++ dsrc_inst = dsrc_arg_concat(args, dsrc_inst) ++ try: ++ inst = connect_instance(dsrc_inst=dsrc_inst, verbose=args.verbose, args=args) ++ except Exception as e: ++ raise ValueError('Failed to connect to Directory Server instance: ' + str(e)) ++ ++ if not args.json: ++ 
log.info("Beginning lint report, this could take a while ...") ++ report = [] ++ for lo in CHECK_MANY_OBJECTS: ++ if not args.json: ++ log.info("Checking %s ..." % lo.__name__) ++ lo_inst = lo(inst) ++ for clo in lo_inst.list(): ++ result = clo.lint() ++ if result is not None: ++ report += result ++ for lo in CHECK_OBJECTS: ++ if not args.json: ++ log.info("Checking %s ..." % lo.__name__) ++ lo_inst = lo(inst) ++ result = lo_inst.lint() ++ if result is not None: ++ report += result ++ if not args.json: ++ log.info("Healthcheck complete.") ++ count = len(report) ++ if count == 0: ++ if not args.json: ++ log.info("No issues found.") ++ else: ++ log.info(json.dumps(report)) ++ else: ++ plural = "" ++ if count > 1: ++ plural = "s" ++ if not args.json: ++ log.info("{} Issue{} found! Generating report ...".format(count, plural)) ++ idx = 1 ++ for item in report: ++ _format_check_output(log, item, idx) ++ idx += 1 ++ log.info('\n\n===== End Of Report ({} Issue{} found) ====='.format(count, plural)) ++ else: ++ log.info(json.dumps(report)) ++ ++ disconnect_instance(inst) ++ ++ ++def create_parser(subparsers): ++ run_healthcheck_parser = subparsers.add_parser('healthcheck', help= ++ "Run a healthcheck report on a local Directory Server instance. This " ++ "is a safe and read-only operation. 
Do not attempt to run this on a " ++ "remote Directory Server as this tool needs access to local resources, " ++ "otherwise the report may be inaccurate.") ++ run_healthcheck_parser.set_defaults(func=health_check_run) ++ +diff --git a/src/lib389/lib389/config.py b/src/lib389/lib389/config.py +index db5359a68..f71baf2d8 100644 +--- a/src/lib389/lib389/config.py ++++ b/src/lib389/lib389/config.py +@@ -16,6 +16,7 @@ + DirSrv.backend.methodName() + """ + ++import copy + import ldap + from lib389._constants import * + from lib389 import Entry +@@ -199,17 +200,18 @@ class Config(DSLdapObject): + def _lint_hr_timestamp(self): + hr_timestamp = self.get_attr_val('nsslapd-logging-hr-timestamps-enabled') + if ensure_bytes('on') != hr_timestamp: +- return DSCLE0001 +- pass # nsslapd-logging-hr-timestamps-enabled ++ report = copy.deepcopy(DSCLE0001) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ yield report + + def _lint_passwordscheme(self): + allowed_schemes = ['SSHA512', 'PBKDF2_SHA256'] + u_password_scheme = self.get_attr_val_utf8('passwordStorageScheme') + u_root_scheme = self.get_attr_val_utf8('nsslapd-rootpwstoragescheme') + if u_root_scheme not in allowed_schemes or u_password_scheme not in allowed_schemes: +- return DSCLE0002 +- return None +- ++ report = copy.deepcopy(DSCLE0002) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ yield report + + class Encryption(DSLdapObject): + """ +@@ -237,8 +239,10 @@ class Encryption(DSLdapObject): + def _lint_check_tls_version(self): + tls_min = self.get_attr_val('sslVersionMin') + if tls_min < ensure_bytes('TLS1.1'): +- return DSELE0001 +- return None ++ report = copy.deepcopy(DSELE0001) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ yield report ++ yield None + + @property + def ciphers(self): +diff --git a/src/lib389/lib389/dseldif.py b/src/lib389/lib389/dseldif.py +index dfe3b91e2..4155abcdd 100644 +--- 
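Review bot: In `--json` mode `health_check_run` passes the collected report straight to `json.dumps(report)`, but `_lint_mappingtree` in backend.py sets `result['items'] = [bename, ]` with `bename` taken from `get_attr_val_bytes('cn')`. If that returns bytes, as the name suggests, a DSBLE0001 finding makes the JSON output fail with a TypeError. Decode the value before storing it, or serialise with a fallback for bytes. `disconnect_instance(inst)` is also reached only when every check returns normally; wrapping the two check loops in `try: ... finally: disconnect_instance(inst)` would close the connection when a lint function raises.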
a/src/lib389/lib389/dseldif.py ++++ b/src/lib389/lib389/dseldif.py +@@ -1,14 +1,17 @@ + # --- BEGIN COPYRIGHT BLOCK --- +-# Copyright (C) 2017 Red Hat, Inc. ++# Copyright (C) 2019 Red Hat, Inc. + # All rights reserved. + # + # License: GPL (version 3 or any later version). + # See LICENSE for details. + # --- END COPYRIGHT BLOCK --- + # ++ ++import copy + import os ++from stat import ST_MODE + from lib389.paths import Paths +- ++from lib389.lint import DSPERMLE0001, DSPERMLE0002 + + class DSEldif(object): + """A class for working with dse.ldif file +@@ -155,3 +158,39 @@ class DSEldif(object): + self._instance.log.debug("During replace operation: {}".format(e)) + self.add(entry_dn, attr, value) + self._update() ++ ++ ++class FSChecks(object): ++ """This is for the healthcheck feature, check commonly used system config files the ++ server uses. This is here for lack of a better place to add this class. ++ """ ++ def __init__(self, dirsrv=None): ++ self.dirsrv = dirsrv ++ self._certdb = self.dirsrv.get_cert_dir() ++ self.ds_files = [ ++ ('/etc/resolv.conf', '644', DSPERMLE0001), ++ (self._certdb + "/pin.txt", '600', DSPERMLE0002), ++ (self._certdb + "/pwdfile.txt", '600', DSPERMLE0002), ++ ] ++ self._lint_functions = [self._lint_file_perms] ++ ++ def lint(self): ++ results = [] ++ for fn in self._lint_functions: ++ for result in fn(): ++ if result is not None: ++ results.append(result) ++ return results ++ ++ def _lint_file_perms(self): ++ # Check file permissions are correct ++ for ds_file in self.ds_files: ++ perms = str(oct(os.stat(ds_file[0])[ST_MODE])[-3:]) ++ if perms != ds_file[1]: ++ report = copy.deepcopy(ds_file[2]) ++ report['items'].append(ds_file[0]) ++ report['detail'] = report['detail'].replace('FILE', ds_file[0]) ++ report['detail'] = report['detail'].replace('PERMS', ds_file[1]) ++ report['fix'] = report['fix'].replace('FILE', ds_file[0]) ++ report['fix'] = report['fix'].replace('PERMS', ds_file[1]) ++ yield report +diff --git 
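Review bot: `_lint_file_perms` calls `os.stat()` on each path without handling a missing file, so an instance with no `pin.txt` or `pwdfile.txt` in its certificate directory raises FileNotFoundError and aborts the whole health check instead of skipping that entry. Wrap the call as `try: perms = ... except FileNotFoundError: continue`. The comparison `perms != ds_file[1]` is an exact match on the last three octal digits, so a pin file stricter than 600 (for example 400) is reported as a problem, and setuid, setgid and sticky bits are never examined. For the two pin files, checking that no bit outside the allowed mode is set would likely match the intent better. `FSChecks.__init__` defaults `dirsrv` to None and dereferences it on the following line, so the default can never work.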
a/src/lib389/lib389/lint.py b/src/lib389/lib389/lint.py +index 8c4b4dedc..515711136 100644 +--- a/src/lib389/lib389/lint.py ++++ b/src/lib389/lib389/lint.py +@@ -1,5 +1,5 @@ + # --- BEGIN COPYRIGHT BLOCK --- +-# Copyright (C) 2017 Red Hat, Inc. ++# Copyright (C) 2019 Red Hat, Inc. + # All rights reserved. + # + # License: GPL (version 3 or any later version). +@@ -10,12 +10,12 @@ + # as well as some functions to help process them. + + ++# Database checks + DSBLE0001 = { + 'dsle': 'DSBLE0001', + 'severity': 'MEDIUM', + 'items' : [], +- 'detail' : """ +-This backend may be missing the correct mapping tree references. Mapping Trees allow ++ 'detail' : """This backend may be missing the correct mapping tree references. Mapping Trees allow + the directory server to determine which backend an operation is routed to in the + abscence of other information. This is extremely important for correct functioning + of LDAP ADD for example. +@@ -31,20 +31,35 @@ objectClass: top + objectClass: extensibleObject + objectClass: nsMappingTree + +- """, +- 'fix' : """ +-Either you need to create the mapping tree, or you need to repair the related ++""", ++ 'fix' : """Either you need to create the mapping tree, or you need to repair the related + mapping tree. You will need to do this by hand by editing cn=config, or stopping + the instance and editing dse.ldif. +- """ ++""" + } + ++DSBLE0002 = { ++ 'dsle': 'DSBLE0002', ++ 'severity': 'HIGH', ++ 'items' : [], ++ 'detail' : """Unable to querying the backend. 
LDAP error (ERROR)""", ++ 'fix' : """Check the server's error and access logs for more information.""" ++} ++ ++DSBLE0003 = { ++ 'dsle': 'DSBLE0002', ++ 'severity': 'LOW', ++ 'items' : [], ++ 'detail' : """The backend database has not been initialized yet""", ++ 'fix' : """You need to import an LDIF file, or create the suffix entry, in order to initialize the database.""" ++} ++ ++# Config checks + DSCLE0001 = { + 'dsle' : 'DSCLE0001', + 'severity' : 'LOW', + 'items': ['cn=config', ], +- 'detail' : """ +-nsslapd-logging-hr-timestamps-enabled changes the log format in directory server from ++ 'detail' : """nsslapd-logging-hr-timestamps-enabled changes the log format in directory server from + + [07/Jun/2017:17:15:58 +1000] + +@@ -54,18 +69,18 @@ to + + This actually provides a performance improvement. Additionally, this setting will be + removed in a future release. +- """, +- 'fix' : """ +-Set nsslapd-logging-hr-timestamps-enabled to on. +- """ ++""", ++ 'fix' : """Set nsslapd-logging-hr-timestamps-enabled to on. ++You can use 'dsconf' to set this attribute. Here is an example: ++ ++ # dsconf slapd-YOUR_INSTANCE config replace nsslapd-logging-hr-timestamps-enabled=on""" + } + + DSCLE0002 = { + 'dsle': 'DSCLE0002', + 'severity': 'HIGH', + 'items' : ['cn=config', ], +- 'detail' : """ +-Password storage schemes in Directory Server define how passwords are hashed via a ++ 'detail' : """Password storage schemes in Directory Server define how passwords are hashed via a + one-way mathematical function for storage. Knowing the hash it is difficult to gain + the input, but knowing the input you can easily compare the hash. + +@@ -79,53 +94,253 @@ for "legacy" support (SSHA512). + + Your configuration does not use these for password storage or the root password storage + scheme. 
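Review bot: `DSBLE0003` is declared with `'dsle': 'DSBLE0002'`, so the HIGH "unable to query the backend" finding and the LOW "database has not been initialized" finding report the same identifier. Anything that filters, suppresses or documents findings by `dsle` cannot tell them apart. The line should read `'dsle': 'DSBLE0003',`.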
+- """, +- 'fix': """ +-Perform a configuration reset of the values: ++""", ++ 'fix': """Perform a configuration reset of the values: + + passwordStorageScheme + nsslapd-rootpwstoragescheme + + IE, stop Directory Server, and in dse.ldif delete these two lines. When Directory Server + is started, they will use the server provided defaults that are secure. +- """ ++ ++You can also use 'dsconf' to replace these values. Here is an example: ++ ++ # dsconf slapd-YOUR_INSTANCE config replace passwordStorageScheme=PBKDF2_SHA256 nsslapd-rootpwstoragescheme=PBKDF2_SHA256""" + } + ++# Security checks + DSELE0001 = { + 'dsle': 'DSELE0001', + 'severity': 'MEDIUM', + 'items' : ['cn=encryption,cn=config', ], +- 'detail': """ +-This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to ++ 'detail': """This Directory Server may not be using strong TLS protocol versions. TLS1.0 is known to + have a number of issues with the protocol. Please see: + + https://tools.ietf.org/html/rfc7457 + +-It is advised you set this value to the maximum possible. +- """, +- 'fix' : """ +-set cn=encryption,cn=config sslVersionMin to a version greater than TLS1.0 +- """ ++It is advised you set this value to the maximum possible.""", ++ 'fix' : """There are two options for setting the TLS minimum version allowed. You, ++can set "sslVersionMin" in "cn=encryption,cn=config" to a version greater than "TLS1.0" ++You can also use 'dsconf' to set this value. Here is an example: ++ ++ # dsconf slapd-YOUR_INSTANCE security set --tls-protocol-min=TLS1.2 ++ ++You must restart the Directory Server for this change to take effect. 
++ ++Or, you can set the system wide crypto policy to FUTURE which will use a higher TLS ++minimum version, but doing this affects the entire system: ++ ++ # update-crypto-policies --set FUTURE""" + } + ++# RI plugin checks + DSRILE0001 = { + 'dsle': 'DSRLE0001', + 'severity': 'LOW', + 'items' : ['cn=referential integrity postoperation,cn=plugins,cn=config', ], +- 'detail': """ +-The referential integrity plugin has an asynchronous processing mode. This is controlled by the update-delay flag. +- +-When this value is 0, referential integrity plugin processes these changes inside of the operation that modified the entry - ie these are synchronous. ++ 'detail': """The referential integrity plugin has an asynchronous processing mode. ++This is controlled by the update-delay flag. When this value is 0, referential ++integrity plugin processes these changes inside of the operation that modified ++the entry - ie these are synchronous. + + However, when this is > 0, these are performed asynchronously. + +-This leads to only having refint enabled on one master in MMR to prevent replication conflicts and loops. ++This leads to only having referint enabled on one master in MMR to prevent replication conflicts and loops. + Additionally, because these are performed in the background these updates may cause spurious update + delays to your server by batching changes rather than smaller updates during sync processing. + +-We advise that you set this value to 0, and enable refint on all masters as it provides a more predictable behaviour. +- """, +- 'fix' : """ +-Set referint-update-delay to 0. +- """ ++We advise that you set this value to 0, and enable referint on all masters as it provides a more predictable behaviour. ++""", ++ 'fix' : """Set referint-update-delay to 0. ++ ++You can use 'dsconf' to set this value. 
Here is an example: ++ ++ # dsconf slapd-YOUR_INSTANCE plugin referential-integrity set --update-delay 0 ++ ++You must restart the Directory Server for this change to take effect.""" ++} ++ ++# Note - ATTR and BACKEND are replaced by the reporting function ++DSRILE0002 = { ++ 'dsle': 'DSRLE0002', ++ 'severity': 'HIGH', ++ 'items' : ['cn=referential integrity postoperation,cn=plugins,cn=config'], ++ 'detail': """The referential integrity plugin is configured to use an attribute (ATTR) ++that does not have an "equality" index in backend (BACKEND). ++Failure to have the proper indexing will lead to unindexed searches which ++cause high CPU and can significantly slow the server down.""", ++ 'fix' : """Check the attributes set in "referint-membership-attr" to make sure they have ++an index defined that has at least the equality "eq" index type. You will ++need to reindex the database after adding the missing index type. Here is an ++example using dsconf: ++ ++ # dsconf slapd-YOUR_INSTANCE backend index --attr=ATTR --reindex --index-type=eq BACKEND ++""" ++} ++ ++# Disk Space check. Note - PARTITION is replaced by the calling function ++DSDSLE0001 = { ++ 'dsle': 'DSDSLE0001', ++ 'severity': 'HIGH', ++ 'items' : ['Server', 'cn=config'], ++ 'detail': """The disk partition used by the server (PARTITION), either for the database, the ++configuration files, or the logs is over 90% full. If the partition becomes ++completely filled serious problems can occur with the database or the server's ++stability.""", ++ 'fix' : """Attempt to free up disk space. Also try removing old rotated logs, or disable any ++verbose logging levels that might have been set. You might consider enabling ++the "Disk Monitoring" feature in cn=config to help prevent a disorderly shutdown ++of the server: ++ ++ nsslapd-disk-monitoring: on ++ ++You can use 'dsconf' to set this value. 
Here is an example: ++ ++ # dsconf slapd-YOUR_INSTANCE config replace nsslapd-disk-monitoring=on ++ ++You must restart the Directory Server for this change to take effect. ++ ++Please see the Administration guide for more information: ++ ++ https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/diskmonitoring ++""" ++} ++ ++# Replication check. Note - AGMT and SUFFIX are replaced by the reporting function ++DSREPLLE0001 = { ++ 'dsle': 'DSREPLLE0001', ++ 'severity': 'HIGH', ++ 'items' : ['Replication', 'Agreement'], ++ 'detail': """The replication agreement (AGMT) under "SUFFIX" is not in synchronization.""", ++ 'fix' : """You may need to reinitialize this replication agreement. Please check the errors ++log for more information. If you do need to reinitialize the agreement you can do so ++using dsconf. Here is an example: ++ ++ # dsconf slapd-YOUR_INSTANCE repl-agmt init "AGMT" --suffix SUFFIX""" ++} ++ ++# Note - SUFFIX and COUNT will be replaced by the calling function ++DSREPLLE0002 = { ++ 'dsle': 'DSREPLLE0002', ++ 'severity': 'LOW', ++ 'items' : ['Replication', 'Conflict Entries'], ++ 'detail': """There were COUNT conflict entries found under the replication suffix "SUFFIX". ++Status message: MSG""", ++ 'fix' : """While conflict entries are expected to occur in an MMR environment, they ++should be resolved. In regards to conflict entries there is always the original/counterpart ++entry that has a normal DN, and then the conflict version of that entry. Technically both ++entries are valid, you as the administrator, needs to decide which entry you want to keep. ++First examine/compare both entries to determine which one you want to keep or remove. You ++can use the CLI tool "dsconf" to resolve the conflict. 
Here is an example: ++ ++ List the conflict entries: ++ ++ # dsconf slapd-YOUR_INSTANCE repl-conflict list dc=example,dc=com ++ ++ Examine conflict entry and its counterpart entry: ++ ++ # dsconf slapd-YOUR_INSTANCE repl-conflict compare ++ ++ Remove conflict entry and keep only the original/counterpart entry: ++ ++ # dsconf slapd-YOUR_INSTANCE repl-conflict remove ++ ++ Replace the original/counterpart entry with the conflict entry: ++ ++ # dsconf slapd-YOUR_INSTANCE repl-conflict swap ++""" ++} ++ ++DSREPLLE0003 = { ++ 'dsle': 'DSREPLLE0003', ++ 'severity': 'MEDIUM', ++ 'items' : ['Replication', 'Agreement'], ++ 'detail': """The replication agreement (AGMT) under "SUFFIX" is not in synchronization. ++Status message: MSG""", ++ 'fix' : """Replication is not in synchronization but it may recover. Continue to ++monitor this agreement.""" ++} ++ ++DSREPLLE0004 = { ++ 'dsle': 'DSREPLLE0004', ++ 'severity': 'MEDIUM', ++ 'items' : ['Replication', 'Agreement'], ++ 'detail': """Failed to get the agreement status for agreement (AGMT) under "SUFFIX". Error (ERROR).""", ++ 'fix' : """None""" ++} ++ ++DSREPLLE0005 = { ++ 'dsle': 'DSREPLLE0005', ++ 'severity': 'MEDIUM', ++ 'items' : ['Replication', 'Agreement'], ++ 'detail': """The replication agreement (AGMT) under "SUFFIX" is not in synchronization, ++because the consumer server is not reachable.""", ++ 'fix' : """Check if the consumer is running, and also check the errors log for more information.""" ++} ++ ++# Replication changelog ++DSCLLE0001 = { ++ 'dsle': 'DSCLLE0001', ++ 'severity': 'LOW', ++ 'items' : ['Replication', 'Changelog'], ++ 'detail': """The replication changelog does have any kind of trimming configured. This will ++lead to the changelog size growing indefinitely.""", ++ 'fix' : """Configure changelog trimming, preferably by setting the maximum age of a changelog ++record. 
Here is an example: ++ ++ # dsconf slapd-YOUR_INSTANCE replication set-changelog --max-age 30d""" ++} ++ ++# Certificate checks ++DSCERTLE0001 = { ++ 'dsle': 'DSCERTLE0001', ++ 'severity': 'MEDIUM', ++ 'items' : ['Expiring Certificate'], ++ 'detail': """The certificate (CERT) will expire in less than 30 days""", ++ 'fix' : """Renew the certificate before it expires to prevent disruptions with TLS connections.""" ++} ++ ++DSCERTLE0002 = { ++ 'dsle': 'DSCERTLE0002', ++ 'severity': 'HIGH', ++ 'items' : ['Expired Certificate'], ++ 'detail': """The certificate (CERT) has expired""", ++ 'fix' : """Renew or remove the certificate.""" ++} ++ ++# Virtual Attrs & COS. Note - ATTR and SUFFIX are replaced by the reporting function ++DSVIRTLE0001 = { ++ 'dsle': 'DSVIRTLE0001', ++ 'severity': 'HIGH', ++ 'items' : ['Virtual Attributes'], ++ 'detail': """You should not index virtual attributes, and as this will break searches that ++use the attribute in a filter.""", ++ 'fix' : """Remove the index for this attribute from the backend configuration. ++Here is an example using 'dsconf' to remove an index: ++ ++ # dsconf slapd-YOUR_INSTANCE backend index delete --attr ATTR SUFFIX""" ++} ++ ++# File permissions (resolv.conf ++DSPERMLE0001 = { ++ 'dsle': 'DSPERMLE0001', ++ 'severity': 'MEDIUM', ++ 'items' : ['File Permissions'], ++ 'detail': """The file "FILE" does not have the expected permissions (PERMS). This ++can cause issues with replication and chaining.""", ++ 'fix' : """Change the file permissions: ++ ++ # chmod PERMS FILE""" ++} ++ ++# TLS db password/pin files ++DSPERMLE0002 = { ++ 'dsle': 'DSPERMLE0002', ++ 'severity': 'HIGH', ++ 'items' : ['File Permissions'], ++ 'detail': """The file "FILE" does not have the expected permissions (PERMS). 
The ++security database pin/password files should only be readable by Directory Server user.""", ++ 'fix' : """Change the file permissions: ++ ++ # chmod PERMS FILE""" + } +diff --git a/src/lib389/lib389/monitor.py b/src/lib389/lib389/monitor.py +index 5ca967c64..290cad5e2 100644 +--- a/src/lib389/lib389/monitor.py ++++ b/src/lib389/lib389/monitor.py +@@ -9,6 +9,7 @@ + from lib389._constants import * + from lib389._mapped_object import DSLdapObject + from lib389.utils import (ds_is_older) ++from lib389.lint import DSDSLE0001 + + + class Monitor(DSLdapObject): +@@ -254,6 +255,19 @@ class MonitorDiskSpace(DSLdapObject): + def __init__(self, instance, dn=None): + super(MonitorDiskSpace, self).__init__(instance=instance, dn=dn) + self._dn = "cn=disk space,cn=monitor" ++ self._lint_functions = [self._lint_disk_space] ++ ++ def _lint_disk_space(self): ++ partitions = self.get_attr_vals_utf8_l("dsDisk") ++ for partition in partitions: ++ parts = partition.split() ++ percent = parts[4].split('=')[1].strip('"') ++ if int(percent) >= 90: ++ # this partition is over 90% full, not good ++ report = copy.deepcopy(DSDSLE0001) ++ report['detail'] = report['detail'].replace('PARTITION', parts[0].split('=')[1].strip('"')) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ yield report + + def get_disks(self): + """Get an information about partitions which contains a Directory Server data""" +diff --git a/src/lib389/lib389/nss_ssl.py b/src/lib389/lib389/nss_ssl.py +index afe921385..2a7d1637c 100644 +--- a/src/lib389/lib389/nss_ssl.py ++++ b/src/lib389/lib389/nss_ssl.py +@@ -9,6 +9,7 @@ + """Helpers for managing NSS databases in Directory Server + """ + ++import copy + import os + import re + import socket +@@ -17,10 +18,10 @@ import shutil + import logging + # from nss import nss + import subprocess +-from datetime import datetime, timedelta ++from datetime import datetime, timedelta, date + from subprocess import check_output + from lib389.passwd 
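Review bot: The new `DSRILE0002` entry carries `'dsle': 'DSRLE0002'` (missing the `I`), repeating the mismatch already present on `DSRILE0001`, so the reported code does not match the constant name a maintainer would search for; it should be `'dsle': 'DSRILE0002',`. Two detail strings in this hunk also mislead the reader: `DSCLLE0001` says the changelog "does have any kind of trimming configured" where "does not have" is meant, and `DSREPLLE0002` contains a `MSG` placeholder that `_lint_conflicts` in replica.py never substitutes, so the literal text `Status message: MSG` reaches the report. A one-line comment above each dict listing its placeholders, as `DSRILE0002` and `DSDSLE0001` already have, would make such gaps easier to spot.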
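Review bot: `_lint_disk_space` calls `copy.deepcopy(DSDSLE0001)`, but the import hunk for monitor.py adds only `from lib389.lint import DSDSLE0001`. Unless `copy` happens to arrive through `from lib389._constants import *`, the first partition at or above 90% raises NameError instead of producing a report, so add `import copy` explicitly next to the new lint import. The positional parse `parts[4].split('=')[1]` also assumes a fixed field order in each `dsDisk` value; an unexpected value raises IndexError or ValueError out of the generator and drops the remaining partitions.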
import password_generate +- ++from lib389.lint import DSCERTLE0001, DSCERTLE0002 + from lib389.utils import ensure_str, format_cmd_list + import uuid + +@@ -58,6 +59,36 @@ class NssSsl(object): + self.db_files = {"dbm_backend": ["%s/%s" % (self._certdb, f) for f in ("key3.db", "cert8.db", "secmod.db")], + "sql_backend": ["%s/%s" % (self._certdb, f) for f in ("key4.db", "cert9.db", "pkcs11.txt")], + "support": ["%s/%s" % (self._certdb, f) for f in ("noise.txt", PIN_TXT, PWD_TXT)]} ++ self._lint_functions = [self._lint_certificate_expiration,] ++ ++ def lint(self): ++ results = [] ++ for fn in self._lint_functions: ++ for result in fn(): ++ if result is not None: ++ results.append(result) ++ return results ++ ++ def _lint_certificate_expiration(self): ++ """Check all the certificates in the db if they will expire within 30 days ++ or have already expired. ++ """ ++ cert_list = [] ++ all_certs = self._rsa_cert_list() ++ for cert in all_certs: ++ cert_list.append(self.get_cert_details(cert[0])) ++ ++ for cert in cert_list: ++ if date.fromisoformat(cert[3].split()[0]) - date.today() < timedelta(days=0): ++ # Expired ++ report = copy.deepcopy(DSCERTLE0002) ++ report['detail'] = report['detail'].replace('CERT', cert[0]) ++ yield report ++ elif date.fromisoformat(cert[3].split()[0]) - date.today() < timedelta(days=30): ++ # Expiring ++ report = copy.deepcopy(DSCERTLE0001) ++ report['detail'] = report['detail'].replace('CERT', cert[0]) ++ yield report + + def detect_alt_names(self, alt_names=[]): + """Attempt to determine appropriate subject alternate names for a host. 
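Review bot: `date.fromisoformat()` in `_lint_certificate_expiration` exists only from Python 3.7, so on a 3.6 interpreter the check raises AttributeError and no expired or expiring certificate is ever reported. `datetime.strptime(cert[3].split()[0], '%Y-%m-%d').date()` gives the same result using the `datetime` this module already imports. The expiry field is parsed twice per certificate, and a value in any other format aborts the whole lint run; parse it once into a local and catch ValueError so one odd entry does not hide the rest.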
+diff --git a/src/lib389/lib389/plugins.py b/src/lib389/lib389/plugins.py +index a8b8985fc..97c5d1d3b 100644 +--- a/src/lib389/lib389/plugins.py ++++ b/src/lib389/lib389/plugins.py +@@ -10,10 +10,9 @@ import collections + import ldap + import copy + import os.path +- + from lib389 import tasks + from lib389._mapped_object import DSLdapObjects, DSLdapObject +-from lib389.lint import DSRILE0001 ++from lib389.lint import DSRILE0001, DSRILE0002 + from lib389.utils import ensure_str, ensure_list_bytes + from lib389.schema import Schema + from lib389._constants import DN_PLUGIN +@@ -432,7 +431,7 @@ class ReferentialIntegrityPlugin(Plugin): + 'referint-logfile', + 'referint-membership-attr', + ]) +- self._lint_functions = [self._lint_update_delay] ++ self._lint_functions = [self._lint_update_delay, self._lint_attr_indexes] + + def create(self, rdn=None, properties=None, basedn=None): + """Create an instance of the plugin""" +@@ -448,7 +447,46 @@ class ReferentialIntegrityPlugin(Plugin): + if self.status(): + delay = self.get_attr_val_int("referint-update-delay") + if delay is not None and delay != 0: +- return DSRILE0001 ++ report = copy.deepcopy(DSRILE0001) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ yield report ++ ++ def _lint_attr_indexes(self): ++ if self.status(): ++ from lib389.backend import Backends ++ backends = Backends(self._instance).list() ++ for backend in backends: ++ indexes = backend.get_indexes() ++ suffix = backend.get_attr_val_utf8_l('nsslapd-suffix') ++ attrs = self.get_attr_vals_utf8_l("referint-membership-attr") ++ for attr in attrs: ++ report = copy.deepcopy(DSRILE0002) ++ try: ++ index = indexes.get(attr) ++ types = index.get_attr_vals_utf8_l("nsIndexType") ++ valid = False ++ if "eq" in types: ++ valid = True ++ ++ if not valid: ++ report['detail'] = report['detail'].replace('ATTR', attr) ++ report['detail'] = report['detail'].replace('BACKEND', suffix) ++ report['fix'] = report['fix'].replace('ATTR', 
attr) ++ report['fix'] = report['fix'].replace('BACKEND', suffix) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ report['items'].append(suffix) ++ report['items'].append(attr) ++ yield report ++ except: ++ # No index at all, bad ++ report['detail'] = report['detail'].replace('ATTR', attr) ++ report['detail'] = report['detail'].replace('BACKEND', suffix) ++ report['fix'] = report['fix'].replace('ATTR', attr) ++ report['fix'] = report['fix'].replace('BACKEND', suffix) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ report['items'].append(suffix) ++ report['items'].append(attr) ++ yield report + + def get_update_delay(self): + """Get referint-update-delay attribute""" +diff --git a/src/lib389/lib389/properties.py b/src/lib389/lib389/properties.py +index d18249d20..9d7ce4161 100644 +--- a/src/lib389/lib389/properties.py ++++ b/src/lib389/lib389/properties.py +@@ -319,6 +319,7 @@ AGMT_UPDATE_START = 'nsds5replicaLastUpdateStart' + AGMT_UPDATE_END = 'nsds5replicaLastUpdateEnd' + AGMT_CHANGES_SINCE_STARTUP = 'nsds5replicaChangesSentSinceStartup' # base64 + AGMT_UPDATE_STATUS = 'nsds5replicaLastUpdateStatus' ++AGMT_UPDATE_STATUS_JSON = 'nsds5replicaLastUpdateStatusJSON' + AGMT_UPDATE_IN_PROGRESS = 'nsds5replicaUpdateInProgress' + AGMT_INIT_START = 'nsds5replicaLastInitStart' + AGMT_INIT_END = 'nsds5replicaLastInitEnd' +diff --git a/src/lib389/lib389/replica.py b/src/lib389/lib389/replica.py +index 7145e86f9..9b84d8f7e 100644 +--- a/src/lib389/lib389/replica.py ++++ b/src/lib389/lib389/replica.py +@@ -15,6 +15,7 @@ import datetime + import logging + import uuid + import json ++import copy + from operator import itemgetter + from itertools import permutations + from lib389._constants import * +@@ -31,6 +32,9 @@ from lib389.idm.domain import Domain + from lib389.idm.group import Groups + from lib389.idm.services import ServiceAccounts + from lib389.idm.organizationalunit import OrganizationalUnits 
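Review bot: The bare `except:` in `_lint_attr_indexes` wraps a `yield`, so every failure is reported as "no index at all" with HIGH severity: an LDAP error while reading the index, a dropped connection, or `GeneratorExit` when the consumer stops iterating (which then ends in RuntimeError because the handler yields again). Keep only the index lookup inside the `try`, catch the specific lookup failure, and build the report once afterwards, since the two branches are otherwise identical. The sketch below assumes a missing index is signalled with `ldap.NO_SUCH_OBJECT`, which should be confirmed against `indexes.get()`. `Changelog5._lint_cl_trimming` in replica.py has the same bare `except:` around a `yield`.

```python
                for attr in attrs:
                    try:
                        index = indexes.get(attr)
                        types = index.get_attr_vals_utf8_l("nsIndexType")
                    except ldap.NO_SUCH_OBJECT:
                        # No index at all, bad
                        types = []
                    if "eq" not in types:
                        report = copy.deepcopy(DSRILE0002)
                        # … unchanged: fill in ATTR, BACKEND, YOUR_INSTANCE and items …
                        yield report
```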
++from lib389.conflicts import ConflictEntries ++from lib389.lint import (DSREPLLE0001, DSREPLLE0002, DSREPLLE0003, DSREPLLE0004, ++ DSREPLLE0005, DSCLLE0001) + + + class ReplicaLegacy(object): +@@ -1044,6 +1048,19 @@ class Changelog5(DSLdapObject): + 'extensibleobject', + ] + self._protected = False ++ self._lint_functions = [self._lint_cl_trimming] ++ ++ def _lint_cl_trimming(self): ++ """Check that cl trimming is at least defined to prevent unbounded growth""" ++ try: ++ if self.get_attr_val_utf8('nsslapd-changelogmaxentries') is None and \ ++ self.get_attr_val_utf8('nsslapd-changelogmaxage') is None: ++ report = copy.deepcopy(DSCLLE0001) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ yield report ++ except: ++ # No changelog ++ pass + + def set_max_entries(self, value): + """Configure the max entries the changelog can hold. +@@ -1102,6 +1119,59 @@ class Replica(DSLdapObject): + self._create_objectclasses.append('extensibleobject') + self._protected = False + self._suffix = None ++ self._lint_functions = [self._lint_agmts_status, self._lint_conflicts] ++ ++ def _lint_agmts_status(self): ++ replicas = Replicas(self._instance).list() ++ for replica in replicas: ++ agmts = replica.get_agreements().list() ++ suffix = replica.get_suffix() ++ for agmt in agmts: ++ try: ++ status = json.loads(agmt.get_agmt_status(return_json=True)) ++ if "Not in Synchronization" in status['msg'] and not "Replication still in progress" in status['reason']: ++ agmt_name = agmt.get_name() ++ if status['state'] == 'red': ++ # Serious error ++ if "Consumer can not be contacted" in status['reason']: ++ report = copy.deepcopy(DSREPLLE0005) ++ report['detail'] = report['detail'].replace('SUFFIX', suffix) ++ report['detail'] = report['detail'].replace('AGMT', agmt_name) ++ yield report ++ else: ++ report = copy.deepcopy(DSREPLLE0001) ++ report['detail'] = report['detail'].replace('SUFFIX', suffix) ++ report['detail'] = report['detail'].replace('AGMT', 
agmt_name) ++ report['detail'] = report['detail'].replace('MSG', status['reason']) ++ report['fix'] = report['fix'].replace('SUFFIX', suffix) ++ report['fix'] = report['fix'].replace('AGMT', agmt_name) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ yield report ++ elif status['state'] == 'amber': ++ # Warning ++ report = copy.deepcopy(DSREPLLE0003) ++ report['detail'] = report['detail'].replace('SUFFIX', suffix) ++ report['detail'] = report['detail'].replace('AGMT', agmt_name) ++ report['detail'] = report['detail'].replace('MSG', status['reason']) ++ yield report ++ except ldap.LDAPError as e: ++ report = copy.deepcopy(DSREPLLE0004) ++ report['detail'] = report['detail'].replace('SUFFIX', suffix) ++ report['detail'] = report['detail'].replace('AGMT', agmt_name) ++ report['detail'] = report['detail'].replace('ERROR', str(e)) ++ yield report ++ ++ def _lint_conflicts(self): ++ replicas = Replicas(self._instance).list() ++ for replica in replicas: ++ conflicts = ConflictEntries(self._instance, replica.get_suffix()).list() ++ suffix = replica.get_suffix() ++ if len(conflicts) > 0: ++ report = copy.deepcopy(DSREPLLE0002) ++ report['detail'] = report['detail'].replace('SUFFIX', suffix) ++ report['detail'] = report['detail'].replace('COUNT', len(conflicts)) ++ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid) ++ yield report + + def _validate(self, rdn, properties, basedn): + (tdn, str_props) = super(Replica, self)._validate(rdn, properties, basedn) +-- +2.21.0 + diff --git a/SOURCES/0002-Ticket-50355-NSS-can-change-the-requested-SSL-min-an.patch b/SOURCES/0002-Ticket-50355-NSS-can-change-the-requested-SSL-min-an.patch deleted file mode 100644 index 3196f08..0000000 --- a/SOURCES/0002-Ticket-50355-NSS-can-change-the-requested-SSL-min-an.patch +++ /dev/null 
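Review bot: `_lint_conflicts` passes an int to `str.replace`: `report['detail'].replace('COUNT', len(conflicts))` raises TypeError whenever conflict entries exist, so the check fails exactly when it has something to report. It should be `replace('COUNT', str(len(conflicts)))`. In `_lint_agmts_status`, `agmt_name` is assigned only inside the `try` after `get_agmt_status()` has succeeded, so the `except ldap.LDAPError` branch either hits an unbound name or names the previous agreement in the report; move `agmt_name = agmt.get_name()` above the `try`. The `DSREPLLE0001` and `DSREPLLE0005` details have no `MSG` placeholder, so `status['reason']` is dropped for red-state agreements.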
@@ -1,174 +0,0 @@ -From 9208a7d1a9869a963c29d11def4a31a85eeaeeec Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 14 May 2019 16:58:55 -0400 -Subject: [PATCH] Ticket 50355 - NSS can change the requested SSL min and max - versions - -Description: If we try and set a min and max SSL version in the server, - it is actually only a request. After setting the min and - max, you need to retrieve the min and max to see what NSS - did. Then you have to reset the min and max versions one - more time to actually set the valid range. So yes, you do - have to do a set() -> get() -> set(). - - There also another outstanding issue with NSS where it says - the default max SSL version in FIPS mode is 1.3, but in fact - it is 1.2. So this patch has a hack fix to workaround that - bug. It should be able to be removed soon... - -https://pagure.io/389-ds-base/issue/50355 - -Reviewed by: mhonek(Thanks!) ---- - ldap/servers/slapd/ssl.c | 95 ++++++++++++++++++++++++---------------- - 1 file changed, 57 insertions(+), 38 deletions(-) - -diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c -index a7c3ab7b1..2d7bc2bd6 100644 ---- a/ldap/servers/slapd/ssl.c -+++ b/ldap/servers/slapd/ssl.c -@@ -41,15 +41,15 @@ - * Default SSL Version Rule - * Old SSL version attributes: - * nsSSL3: off -- nsSSL3 == SSL_LIBRARY_VERSION_3_0 -- * nsTLS1: on -- nsTLS1 == SSL_LIBRARY_VERSION_TLS_1_0 and greater -+ * nsTLS1: on -- nsTLS1 == SSL_LIBRARY_VERSION_TLS_1_2 and greater - * Note: TLS1.0 is defined in RFC2246, which is close to SSL 3.0. 
- * New SSL version attributes: -- * sslVersionMin: TLS1.0 -+ * sslVersionMin: TLS1.2 - * sslVersionMax: max ssl version supported by NSS - ******************************************************************************/ - --#define DEFVERSION "TLS1.0" --#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_0 -+#define DEFVERSION "TLS1.2" -+#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_2 - - extern char *slapd_SSL3ciphers; - extern symbol_t supported_ciphers[]; -@@ -435,8 +435,13 @@ getSSLVersionRange(char **min, char **max) - return -1; - } - if (!slapd_ssl_listener_is_initialized()) { -+ /* -+ * We have not initialized NSS yet, so we will set the default for -+ * now. Then it will get adjusted to NSS's default min and max once -+ * we complete the security initialization in slapd_ssl_init2() -+ */ - if (min) { -- *min = slapi_getSSLVersion_str(LDAP_OPT_X_TLS_PROTOCOL_TLS1_0, NULL, 0); -+ *min = slapi_getSSLVersion_str(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2, NULL, 0); - } - if (max) { - *max = slapi_getSSLVersion_str(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2, NULL, 0); -@@ -457,7 +462,7 @@ getSSLVersionRangeOL(int *min, int *max) - { - /* default range values */ - if (min) { -- *min = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0; -+ *min = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2; - } - if (max) { - *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2; -@@ -2099,43 +2104,57 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) - } - } - -- if (NSSVersionMin > 0) { -- /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */ -- slapdNSSVersions.min = NSSVersionMin; -- slapdNSSVersions.max = NSSVersionMax; -- restrict_SSLVersionRange(); -- (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin)); -- (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax)); -- slapi_log_err(SLAPI_LOG_INFO, "Security Initialization", -- "slapd_ssl_init2 - Configured SSL version range: min: %s, max: %s\n", -- mymin, mymax); -+ /* Handle the SSL version range */ -+ slapdNSSVersions.min = 
NSSVersionMin; -+ slapdNSSVersions.max = NSSVersionMax; -+ restrict_SSLVersionRange(); -+ (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin)); -+ (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax)); -+ slapi_log_err(SLAPI_LOG_INFO, "Security Initialization", -+ "slapd_ssl_init2 - Configured SSL version range: min: %s, max: %s\n", -+ mymin, mymax); -+ sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions); -+ if (sslStatus != SECSuccess) { -+ errorCode = PR_GetError(); -+ slapd_SSL_error("Security Initialization - " -+ "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n", -+ mymin, mymax, errorCode, slapd_pr_strerror(errorCode)); -+ } -+ /* -+ * Get the version range as NSS might have adjusted our requested range. FIPS mode is -+ * pretty picky about this stuff. -+ */ -+ sslStatus = SSL_VersionRangeGet(pr_sock, &slapdNSSVersions); -+ if (sslStatus == SECSuccess) { -+ if (slapdNSSVersions.max > LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 && slapd_pk11_isFIPS()) { -+ /* -+ * FIPS & NSS currently only support a max version of TLS1.2 -+ * (although NSS advertises 1.3 as a max range in FIPS mode), -+ * hopefully this code block can be removed soon... 
-+ */ -+ slapdNSSVersions.max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2; -+ } -+ /* Reset request range */ - sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions); - if (sslStatus == SECSuccess) { -- /* Set the restricted value to the cn=encryption entry */ -+ (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin)); -+ (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax)); -+ slapi_log_err(SLAPI_LOG_INFO, "Security Initialization", -+ "slapd_ssl_init2 - NSS adjusted SSL version range: min: %s, max: %s\n", -+ mymin, mymax); - } else { -+ errorCode = PR_GetError(); -+ (void)slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin)); -+ (void)slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax)); - slapd_SSL_error("Security Initialization - " -- "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s\n", -- mymin, mymax); -+ "slapd_ssl_init2 - Failed to set SSL range: min: %s, max: %s - error %d (%s)\n", -+ mymin, mymax, errorCode, slapd_pr_strerror(errorCode)); - } - } else { -- /* deprecated code */ -- sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, enableSSL3); -- if (sslStatus != SECSuccess) { -- errorCode = PR_GetError(); -- slapd_SSL_warn("Failed to %s SSLv3 " -- "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", -- enableSSL3 ? "enable" : "disable", -- errorCode, slapd_pr_strerror(errorCode)); -- } -- -- sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_TLS, enableTLS1); -- if (sslStatus != SECSuccess) { -- errorCode = PR_GetError(); -- slapd_SSL_warn("Failed to %s TLSv1 " -- "on the imported socket (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", -- enableTLS1 ? 
"enable" : "disable", -- errorCode, slapd_pr_strerror(errorCode)); -- } -+ errorCode = PR_GetError(); -+ slapd_SSL_error("Security Initialization - ", -+ "slapd_ssl_init2 - Failed to get SSL range from socket - error %d (%s)\n", -+ errorCode, slapd_pr_strerror(errorCode)); - } - - val = NULL; -@@ -2221,7 +2240,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) - * that matters. */ - - if (!startTLS) -- _ssl_listener_initialized = 1; /* --ugaston */ -+ _ssl_listener_initialized = 1; - - return 0; - } --- -2.21.0 - diff --git a/SOURCES/0003-Issue-50701-Fix-type-in-lint-report.patch b/SOURCES/0003-Issue-50701-Fix-type-in-lint-report.patch new file mode 100644 index 0000000..ac87b47 --- /dev/null +++ b/SOURCES/0003-Issue-50701-Fix-type-in-lint-report.patch @@ -0,0 +1,30 @@ +From 1f4955d5e09f44f19b96dc671a1462cc43ee29a8 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 25 Nov 2019 17:24:04 -0500 +Subject: [PATCH] Issue 50701 - Fix type in lint report + +Description: Fix typo introduced from the previous commit for 50701 + +relates: https://pagure.io/389-ds-base/issue/50701 + +Reviewed by: firstyear(Thanks!) +--- + src/lib389/lib389/lint.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib389/lib389/lint.py b/src/lib389/lib389/lint.py +index 515711136..736dffa14 100644 +--- a/src/lib389/lib389/lint.py ++++ b/src/lib389/lib389/lint.py +@@ -42,7 +42,7 @@ DSBLE0002 = { + 'dsle': 'DSBLE0002', + 'severity': 'HIGH', + 'items' : [], +- 'detail' : """Unable to querying the backend. LDAP error (ERROR)""", ++ 'detail' : """Unable to query the backend. LDAP error (ERROR)""", + 'fix' : """Check the server's error and access logs for more information.""" + } + +-- +2.21.0 + diff --git a/SOURCES/0003-Ticket-49361-Use-IPv6-friendly-network-functions.patch b/SOURCES/0003-Ticket-49361-Use-IPv6-friendly-network-functions.patch deleted file mode 100644 index 5af8d83..0000000 
--- a/SOURCES/0003-Ticket-49361-Use-IPv6-friendly-network-functions.patch +++ /dev/null 
@@ -1,1002 +0,0 @@ -From a652ff67c89888a61ce3da7cc55c45fb1f63cf7f Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 30 May 2019 16:52:58 -0400 -Subject: [PATCH] Ticket 49361 - Use IPv6 friendly network functions - -Description: We use these functions that are not reliable with IPv6: - - - gethostbyname() - - inet_ntoa() - - inet_aton() - - inet_addr() - - This patch replaces these calls using one of the following - preferred functions: - - - inet_ntop() - - inet_pton() - - Also fixed a few failures in the replication CI test - regression_test.py as replication uses code touched by this - patch. - -ASAN approved - -https://pagure.io/389-ds-base/issue/49361 - -Reviewed by: firstyear(Thanks!) ---- - Makefile.am | 2 - - configure.ac | 2 +- - .../suites/replication/regression_test.py | 53 ++++--- - include/base/util.h | 3 - - ldap/include/portable.h | 50 ------ - ldap/servers/slapd/connection.c | 70 +++++---- - ldap/servers/slapd/localhost.c | 61 ++++---- - ldap/servers/slapd/tools/ldclt/repcheck.c | 30 +++- - ldap/servers/slapd/tools/ldclt/repslave.c | 25 ++- - lib/base/dns.cpp | 142 ------------------ - lib/base/net.cpp | 66 -------- - 11 files changed, 134 insertions(+), 370 deletions(-) - delete mode 100644 lib/base/dns.cpp - delete mode 100644 lib/base/net.cpp - -diff --git a/Makefile.am b/Makefile.am -index de9e0c460..c23686ea3 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -1260,12 +1260,10 @@ libns_dshttpd_la_SOURCES = lib/libaccess/access_plhash.cpp \ - lib/libadmin/template.c \ - lib/libadmin/util.c \ - lib/base/crit.cpp \ -- lib/base/dns.cpp \ - lib/base/dnsdmain.cpp \ - lib/base/ereport.cpp \ - lib/base/file.cpp \ - lib/base/fsmutex.cpp \ -- lib/base/net.cpp \ - lib/base/nscperror.c \ - lib/base/plist.cpp \ - lib/base/pool.cpp \ -diff --git a/configure.ac b/configure.ac -index d329e84a9..0cc36fabe 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -76,7 +76,7 @@ AC_FUNC_STAT - AC_FUNC_STRERROR_R - AC_FUNC_STRFTIME - AC_FUNC_VPRINTF 
--AC_CHECK_FUNCS([endpwent ftruncate getcwd gethostbyname inet_ntoa localtime_r memmove memset mkdir munmap putenv rmdir setrlimit socket strcasecmp strchr strcspn strdup strerror strncasecmp strpbrk strrchr strstr strtol tzset]) -+AC_CHECK_FUNCS([endpwent ftruncate getcwd getaddrinfo inet_pton inet_ntop localtime_r memmove memset mkdir munmap putenv rmdir setrlimit socket strcasecmp strchr strcspn strdup strerror strncasecmp strpbrk strrchr strstr strtol tzset]) - - # These functions are *required* without option. - AC_CHECK_FUNCS([clock_gettime], [], AC_MSG_ERROR([unable to locate required symbol clock_gettime])) -diff --git a/dirsrvtests/tests/suites/replication/regression_test.py b/dirsrvtests/tests/suites/replication/regression_test.py -index cf34a1a6a..830ef63ab 100644 ---- a/dirsrvtests/tests/suites/replication/regression_test.py -+++ b/dirsrvtests/tests/suites/replication/regression_test.py -@@ -13,11 +13,9 @@ from lib389.idm.user import TEST_USER_PROPERTIES, UserAccounts - from lib389.utils import * - from lib389.topologies import topology_m2 as topo_m2, TopologyMain, topology_m3 as topo_m3, create_topology, _remove_ssca_db - from lib389._constants import * --from . 
import get_repl_entries - from lib389.idm.organizationalunit import OrganizationalUnits - from lib389.agreement import Agreements - from lib389.idm.user import UserAccount --from lib389 import Entry - from lib389.idm.group import Groups, Group - from lib389.replica import Replicas, ReplicationManager - from lib389.changelog import Changelog5 -@@ -40,6 +38,7 @@ else: - logging.getLogger(__name__).setLevel(logging.INFO) - log = logging.getLogger(__name__) - -+ - def find_start_location(file, no): - log_pattern = re.compile("slapd_daemon - slapd started.") - count = 0 -@@ -59,7 +58,7 @@ def find_start_location(file, no): - def pattern_errorlog(file, log_pattern, start_location=0): - - count = 0 -- log.debug("_pattern_errorlog: start from the beginning" ) -+ log.debug("_pattern_errorlog: start from the beginning") - file.seek(start_location) - - # Use a while true iteration because 'for line in file: hit a -@@ -76,6 +75,7 @@ def pattern_errorlog(file, log_pattern, start_location=0): - log.debug("_pattern_errorlog: complete (count=%d)" % count) - return count - -+ - def _move_ruv(ldif_file): - """ Move RUV entry in an ldif file to the top""" - -@@ -108,16 +108,13 @@ def topo_with_sigkill(request): - subprocess.Popen(cmd, stdout=subprocess.PIPE) - - def fin(): -+ # Kill the hanging process at the end of test to prevent failures in the following tests - if DEBUGGING: -- # Kill the hanging process at the end of test to prevent failures in the following tests - [_kill_ns_slapd(inst) for inst in topology] -- #[inst.stop() for inst in topology] - else: -- # Kill the hanging process at the end of test to prevent failures in the following tests - [_kill_ns_slapd(inst) for inst in topology] - assert _remove_ssca_db(topology) - [inst.delete() for inst in topology if inst.exists()] -- - request.addfinalizer(fin) - - return topology -@@ -167,6 +164,7 @@ def test_double_delete(topo_m2, create_entry): - repl.test_replication(m1, m2) - repl.test_replication(m2, m1) - -+ - 
@pytest.mark.bz1506831 - def test_repl_modrdn(topo_m2): - """Test that replicated MODRDN does not break replication -@@ -228,10 +226,10 @@ def test_repl_modrdn(topo_m2): - topo_m2.pause_all_replicas() - - log.info("Apply modrdn to M1 - move test user from OU A -> C") -- master1.rename_s(tuser_A.dn,'uid=testuser1',newsuperior=OU_C.dn,delold=1) -+ master1.rename_s(tuser_A.dn, 'uid=testuser1', newsuperior=OU_C.dn, delold=1) - - log.info("Apply modrdn on M2 - move test user from OU B -> C") -- master2.rename_s(tuser_B.dn,'uid=testuser1',newsuperior=OU_C.dn,delold=1) -+ master2.rename_s(tuser_B.dn, 'uid=testuser1', newsuperior=OU_C.dn, delold=1) - - log.info("Start Replication") - topo_m2.resume_all_replicas() -@@ -252,7 +250,6 @@ def test_repl_modrdn(topo_m2): - repl.test_replication(master2, master1) - - -- - def test_password_repl_error(topo_m2, create_entry): - """Check that error about userpassword replication is properly logged - -@@ -329,7 +326,7 @@ def test_invalid_agmt(topo_m2): - 'cn': 'whatever', - 'nsDS5ReplicaRoot': DEFAULT_SUFFIX, - 'nsDS5ReplicaBindDN': 'cn=replication manager,cn=config', -- 'nsDS5ReplicaBindMethod': 'simple' , -+ 'nsDS5ReplicaBindMethod': 'simple', - 'nsDS5ReplicaTransportInfo': 'LDAP', - 'nsds5replicaTimeout': '5', - 'description': "test agreement", -@@ -344,6 +341,7 @@ def test_invalid_agmt(topo_m2): - repl.test_replication(m1, m2) - repl.test_replication(m2, m1) - -+ - def test_fetch_bindDnGroup(topo_m2): - """Check the bindDNGroup is fetched on first replication session - -@@ -380,13 +378,13 @@ def test_fetch_bindDnGroup(topo_m2): - M2 = topo_m2.ms['master2'] - - # Enable replication log level. 
Not really necessary -- M1.modify_s('cn=config',[(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', b'8192')]) -- M2.modify_s('cn=config',[(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', b'8192')]) -+ M1.modify_s('cn=config', [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', b'8192')]) -+ M2.modify_s('cn=config', [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', b'8192')]) - - # Create a group and a user - PEOPLE = "ou=People,%s" % SUFFIX - PASSWD = 'password' -- REPL_MGR_BOUND_DN='repl_mgr_bound_dn' -+ REPL_MGR_BOUND_DN = 'repl_mgr_bound_dn' - - uid = REPL_MGR_BOUND_DN.encode() - users = UserAccounts(M1, PEOPLE, rdn=None) -@@ -396,14 +394,12 @@ def test_fetch_bindDnGroup(topo_m2): - - groups_M1 = Groups(M1, DEFAULT_SUFFIX) - group_properties = { -- 'cn' : 'group1', -- 'description' : 'testgroup'} -+ 'cn': 'group1', -+ 'description': 'testgroup'} - group_M1 = groups_M1.create(properties=group_properties) - group_M2 = Group(M2, group_M1.dn) - assert(not group_M1.is_member(create_user.dn)) - -- -- - # Check that M1 and M2 are in sync - repl = ReplicationManager(DEFAULT_SUFFIX) - repl.wait_for_replication(M1, M2, timeout=20) -@@ -414,13 +410,11 @@ def test_fetch_bindDnGroup(topo_m2): - replica.apply_mods([(ldap.MOD_REPLACE, 'nsDS5ReplicaBindDnGroupCheckInterval', '60'), - (ldap.MOD_REPLACE, 'nsDS5ReplicaBindDnGroup', group_M1.dn)]) - -- - replicas = Replicas(M2) - replica = replicas.list()[0] - replica.apply_mods([(ldap.MOD_REPLACE, 'nsDS5ReplicaBindDnGroupCheckInterval', '60'), - (ldap.MOD_REPLACE, 'nsDS5ReplicaBindDnGroup', group_M1.dn)]) - -- - # Then pause the replication agreement to prevent them trying to acquire - # while the user is not member of the group - topo_m2.pause_all_replicas() -@@ -432,7 +426,6 @@ def test_fetch_bindDnGroup(topo_m2): - agmt.replace('nsDS5ReplicaBindDN', create_user.dn.encode()) - agmt.replace('nsds5ReplicaCredentials', PASSWD.encode()) - -- - # Key step - # The restart will fetch the group/members define in the replica - # -@@ -451,8 +444,8 @@ def 
test_fetch_bindDnGroup(topo_m2): - topo_m2.resume_all_replicas() - - # trigger updates to be sure to have a replication session, giving some time -- M1.modify_s(create_user.dn,[(ldap.MOD_ADD, 'description', b'value_1_1')]) -- M2.modify_s(create_user.dn,[(ldap.MOD_ADD, 'description', b'value_2_2')]) -+ M1.modify_s(create_user.dn, [(ldap.MOD_ADD, 'description', b'value_1_1')]) -+ M2.modify_s(create_user.dn, [(ldap.MOD_ADD, 'description', b'value_2_2')]) - time.sleep(10) - - # Check replication is working -@@ -494,12 +487,13 @@ def test_fetch_bindDnGroup(topo_m2): - count = pattern_errorlog(errorlog_M1, regex, start_location=restart_location_M1) - assert(count <= 1) - count = pattern_errorlog(errorlog_M2, regex, start_location=restart_location_M2) -- assert(count <=1) -+ assert(count <= 1) - - if DEBUGGING: - # Add debugging steps(if any)... - pass - -+ - def test_cleanallruv_repl(topo_m3): - """Test that cleanallruv could not break replication if anchor csn in ruv originated in deleted replica - :id: 46faba9a-897e-45b8-98dc-aec7fa8cec9a -@@ -546,7 +540,7 @@ def test_cleanallruv_repl(topo_m3): - user_props = TEST_USER_PROPERTIES.copy() - - user_props.update({'uid': "testuser10"}) -- user10 = users_m1.create(properties=user_props) -+ user10 = users_m1.create(properties=user_props) - - user_props.update({'uid': "testuser20"}) - user20 = users_m2.create(properties=user_props) -@@ -587,7 +581,7 @@ def test_cleanallruv_repl(topo_m3): - # ClearRuv is launched but with Force - M3.stop() - M1.tasks.cleanAllRUV(suffix=SUFFIX, replicaid='3', -- force=True,args={TASK_WAIT: False}) -+ force=True, args={TASK_WAIT: False}) - - # here M1 should clear 31 - M2.start() -@@ -595,11 +589,16 @@ def test_cleanallruv_repl(topo_m3): - M1.agreement.resume(m1_m2[0].dn) - time.sleep(10) - -- #Check the users after CleanRUV -+ # Check the users after CleanRUV - expected_m1_users = [user31.dn, user11.dn, user21.dn, user32.dn, user33.dn, user12.dn] -+ expected_m1_users = [x.lower() for x in 
expected_m1_users] - expected_m2_users = [user31.dn, user11.dn, user21.dn, user12.dn] -+ expected_m2_users = [x.lower() for x in expected_m2_users] -+ - current_m1_users = [user.dn for user in users_m1.list()] -+ current_m1_users = [x.lower() for x in current_m1_users] - current_m2_users = [user.dn for user in users_m2.list()] -+ current_m2_users = [x.lower() for x in current_m2_users] - - assert set(expected_m1_users).issubset(current_m1_users) - assert set(expected_m2_users).issubset(current_m2_users) -diff --git a/include/base/util.h b/include/base/util.h -index 94506d5e0..8ad5ddfbb 100644 ---- a/include/base/util.h -+++ b/include/base/util.h -@@ -36,8 +36,6 @@ - - NSPR_BEGIN_EXTERN_C - --NSAPI_PUBLIC char *INTutil_hostname(void); -- - NSAPI_PUBLIC int INTutil_itoa(int i, char *a); - - NSAPI_PUBLIC -@@ -75,7 +73,6 @@ NSAPI_PUBLIC int INTutil_strncasecmp(CASECMPARG_T char *one, CASECMPARG_T char * - - NSPR_END_EXTERN_C - --#define util_hostname INTutil_hostname - #define util_itoa INTutil_itoa - #define util_vsprintf INTutil_vsprintf - #define util_sprintf INTutil_sprintf -diff --git a/ldap/include/portable.h b/ldap/include/portable.h -index 63cc4d461..fddc9c80e 100644 ---- a/ldap/include/portable.h -+++ b/ldap/include/portable.h -@@ -241,30 +241,9 @@ int strncasecmp(const char *, const char *, size_t); - #endif /* SNI || LINUX1_2 */ - - #if defined(_WINDOWS) || defined(macintosh) --#define GETHOSTBYNAME(n, r, b, l, e) gethostbyname(n) - #define CTIME(c, b, l) ctime(c) - #define STRTOK(s1, s2, l) strtok(s1, s2) - #else /* UNIX */ --#if defined(sgi) || defined(HPUX9) || defined(LINUX1_2) || defined(SCOOS) || \ -- defined(UNIXWARE) || defined(SUNOS4) || defined(SNI) || defined(BSDI) || \ -- defined(NCR) || defined(OSF1) || defined(NEC) || \ -- (defined(HPUX10) && !defined(_REENTRANT)) || defined(HPUX11) || \ -- defined(UnixWare) || defined(LINUX) || defined(__FreeBSD__) --#define GETHOSTBYNAME(n, r, b, l, e) gethostbyname(n) --#elif defined(AIX) --#define 
GETHOSTBYNAME_BUF_T struct hostent_data --#define GETHOSTBYNAME(n, r, b, l, e) \ -- (memset(&b, 0, l), gethostbyname_r(n, r, &b) ? NULL : r) --#elif defined(HPUX10) --#define GETHOSTBYNAME_BUF_T struct hostent_data --#define GETHOSTBYNAME(n, r, b, l, e) nsldapi_compat_gethostbyname_r(n, r, (char *)&b, l, e) --#else --#include /* BUFSIZ */ --typedef char GETHOSTBYNAME_buf_t[BUFSIZ /* XXX might be too small */]; --#define GETHOSTBYNAME_BUF_T GETHOSTBYNAME_buf_t --#define GETHOSTBYNAME(n, r, b, l, e) gethostbyname_r(n, r, b, l, e) --#endif -- - /* - * XXXmcs: GETHOSTBYADDR() is only defined for IRIX/SGI and Solaris for now. - */ -@@ -319,35 +298,6 @@ extern char *strdup(); - #include /* for inet_addr() */ - #endif /* SOLARIS */ - --#ifdef SUNOS4 --#include /* for toupper() */ --int fprintf(FILE *, char *, ...); --int fseek(FILE *, long, int); --int fread(char *, int, int, FILE *); --int fclose(FILE *); --int fflush(FILE *); --int rewind(FILE *); --void *memmove(void *, const void *, size_t); --int strcasecmp(char *, char *); --int strncasecmp(char *, char *, int); --time_t time(time_t *); --void perror(char *); --int fputc(char, FILE *); --int fputs(char *, FILE *); --int LDAP_CALL re_exec(char *); --int socket(int, int, int); --void bzero(char *, int); --unsigned long inet_addr(char *); --char *inet_ntoa(struct in_addr); --int getdtablesize(); --int connect(int, struct sockaddr *, int); --#endif /* SUNOS4 */ -- --/* #if defined(SUNOS4) || defined(SNI) */ --#if defined(SUNOS4) --int select(int, fd_set *, fd_set *, fd_set *, struct timeval *); --#endif /* SUNOS4 || SNI */ -- - /* - * SAFEMEMCPY is an overlap-safe copy from s to d of n bytes - */ -diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c -index 1dc53434c..4a611e7f4 100644 ---- a/ldap/servers/slapd/connection.c -+++ b/ldap/servers/slapd/connection.c -@@ -244,6 +244,28 @@ connection_cleanup(Connection *conn) - conn->c_ns_close_jobs = 0; - } - -+static char * -+get_ip_str(struct 
sockaddr *addr, char *str) -+{ -+ switch(addr->sa_family) { -+ case AF_INET: -+ if (sizeof(str) < INET_ADDRSTRLEN) { -+ break; -+ } -+ inet_ntop(AF_INET, &(((struct sockaddr_in *)addr)->sin_addr), str, INET_ADDRSTRLEN); -+ break; -+ -+ case AF_INET6: -+ if (sizeof(str) < INET6_ADDRSTRLEN) { -+ break; -+ } -+ inet_ntop(AF_INET6, &(((struct sockaddr_in6 *)addr)->sin6_addr), str, INET6_ADDRSTRLEN); -+ break; -+ } -+ -+ return str; -+} -+ - /* - * Callers of connection_reset() must hold the conn->c_mutex lock. - */ -@@ -252,7 +274,8 @@ connection_reset(Connection *conn, int ns, PRNetAddr *from, int fromLen __attrib - { - char *pTmp = is_SSL ? "SSL " : ""; - char *str_ip = NULL, *str_destip; -- char buf_ip[256], buf_destip[256]; -+ char buf_ip[INET6_ADDRSTRLEN + 1] = {0}; -+ char buf_destip[INET6_ADDRSTRLEN + 1] = {0}; - char *str_unknown = "unknown"; - int in_referral_mode = config_check_referral_mode(); - -@@ -288,10 +311,10 @@ connection_reset(Connection *conn, int ns, PRNetAddr *from, int fromLen __attrib - (from->ipv6.ip.pr_s6_addr32[1] != 0) || - (from->ipv6.ip.pr_s6_addr32[2] != 0) || - (from->ipv6.ip.pr_s6_addr32[3] != 0)) || -- ((conn->c_prfd != NULL) && (PR_GetPeerName(conn->c_prfd, from) == 0))) { -+ ((conn->c_prfd != NULL) && (PR_GetPeerName(conn->c_prfd, from) == 0))) -+ { - conn->cin_addr = (PRNetAddr *)slapi_ch_malloc(sizeof(PRNetAddr)); - memcpy(conn->cin_addr, from, sizeof(PRNetAddr)); -- - if (PR_IsNetAddrType(conn->cin_addr, PR_IpAddrV4Mapped)) { - PRNetAddr v4addr = {{0}}; - v4addr.inet.family = PR_AF_INET; -@@ -305,7 +328,7 @@ connection_reset(Connection *conn, int ns, PRNetAddr *from, int fromLen __attrib - } else { - /* try syscall since "from" was not given and PR_GetPeerName failed */ - /* a corner case */ -- struct sockaddr_in addr = {0}; /* assuming IPv4 */ -+ struct sockaddr addr = {0}; - #if (defined(hpux)) - int addrlen; - #else -@@ -315,23 +338,15 @@ connection_reset(Connection *conn, int ns, PRNetAddr *from, int fromLen __attrib - addrlen 
= sizeof(addr); - - if ((conn->c_prfd == NULL) && -- (getpeername(conn->c_sd, (struct sockaddr *)&addr, &addrlen) == 0)) { -+ (getpeername(conn->c_sd, (struct sockaddr *)&addr, &addrlen) == 0)) -+ { - conn->cin_addr = (PRNetAddr *)slapi_ch_malloc(sizeof(PRNetAddr)); - memset(conn->cin_addr, 0, sizeof(PRNetAddr)); - PR_NetAddrFamily(conn->cin_addr) = AF_INET6; - /* note: IPv4-mapped IPv6 addr does not work on Windows */ -- PR_ConvertIPv4AddrToIPv6(addr.sin_addr.s_addr, &(conn->cin_addr->ipv6.ip)); -- PRLDAP_SET_PORT(conn->cin_addr, addr.sin_port); -- -- /* copy string equivalent of address into a buffer to use for -- * logging since each call to inet_ntoa() returns a pointer to a -- * single thread-specific buffer (which prevents us from calling -- * inet_ntoa() twice in one call to slapi_log_access()). -- */ -- str_ip = inet_ntoa(addr.sin_addr); -- strncpy(buf_ip, str_ip, sizeof(buf_ip) - 1); -- buf_ip[sizeof(buf_ip) - 1] = '\0'; -- str_ip = buf_ip; -+ PR_ConvertIPv4AddrToIPv6(((struct sockaddr_in *)&addr)->sin_addr.s_addr, &(conn->cin_addr->ipv6.ip)); -+ PRLDAP_SET_PORT(conn->cin_addr, ((struct sockaddr_in *)&addr)->sin_port); -+ str_ip = get_ip_str(&addr, buf_ip); - } else { - str_ip = str_unknown; - } -@@ -367,38 +382,27 @@ connection_reset(Connection *conn, int ns, PRNetAddr *from, int fromLen __attrib - } else { - /* try syscall since c_prfd == NULL */ - /* a corner case */ -- struct sockaddr_in destaddr = {0}; /* assuming IPv4 */ -+ struct sockaddr destaddr = {0}; /* assuming IPv4 */ - #if (defined(hpux)) - int destaddrlen; - #else - socklen_t destaddrlen; - #endif -- - destaddrlen = sizeof(destaddr); - -- if ((getsockname(conn->c_sd, (struct sockaddr *)&destaddr, &destaddrlen) == 0)) { -+ if ((getsockname(conn->c_sd, &destaddr, &destaddrlen) == 0)) { - conn->cin_destaddr = (PRNetAddr *)slapi_ch_malloc(sizeof(PRNetAddr)); - memset(conn->cin_destaddr, 0, sizeof(PRNetAddr)); - PR_NetAddrFamily(conn->cin_destaddr) = AF_INET6; -- 
PRLDAP_SET_PORT(conn->cin_destaddr, destaddr.sin_port); -+ PRLDAP_SET_PORT(conn->cin_destaddr, ((struct sockaddr_in *)&destaddr)->sin_port); - /* note: IPv4-mapped IPv6 addr does not work on Windows */ -- PR_ConvertIPv4AddrToIPv6(destaddr.sin_addr.s_addr, &(conn->cin_destaddr->ipv6.ip)); -- -- /* copy string equivalent of address into a buffer to use for -- * logging since each call to inet_ntoa() returns a pointer to a -- * single thread-specific buffer (which prevents us from calling -- * inet_ntoa() twice in one call to slapi_log_access()). -- */ -- str_destip = inet_ntoa(destaddr.sin_addr); -- strncpy(buf_destip, str_destip, sizeof(buf_destip) - 1); -- buf_destip[sizeof(buf_destip) - 1] = '\0'; -- str_destip = buf_destip; -+ PR_ConvertIPv4AddrToIPv6(((struct sockaddr_in *)&destaddr)->sin_addr.s_addr, &(conn->cin_destaddr->ipv6.ip)); -+ str_destip = get_ip_str(&destaddr, buf_destip); - } else { - str_destip = str_unknown; - } - } - -- - if (!in_referral_mode) { - /* create a sasl connection */ - ids_sasl_server_new(conn); -diff --git a/ldap/servers/slapd/localhost.c b/ldap/servers/slapd/localhost.c -index f2aff28f4..993143cbd 100644 ---- a/ldap/servers/slapd/localhost.c -+++ b/ldap/servers/slapd/localhost.c -@@ -17,6 +17,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -45,22 +46,14 @@ - static char * - find_localhost_DNS(void) - { -- /* This implementation could (and should) be entirely replaced by: -- dns_ip2host ("127.0.0.1", 1); defined in ldapserver/lib/base/dns.c -- */ - char hostname[MAXHOSTNAMELEN + 1]; -- struct hostent *hp; --#ifdef GETHOSTBYNAME_BUF_T -- struct hostent hent; -- GETHOSTBYNAME_BUF_T hbuf; -- int err; --#endif -- char **alias; - FILE *f; - char *cp; - char *domain; - char line[MAXHOSTNAMELEN + 8]; -- -+ int gai_result; -+ struct addrinfo hints = {0}; -+ struct addrinfo *info = NULL, *p = NULL; - if (gethostname(hostname, MAXHOSTNAMELEN)) { - int oserr = errno; - -@@ -69,32 +62,34 @@ 
find_localhost_DNS(void) - oserr, slapd_system_strerror(oserr)); - return NULL; - } -- hp = GETHOSTBYNAME(hostname, &hent, hbuf, sizeof(hbuf), &err); -- if (hp == NULL) { -- int oserr = errno; - -- slapi_log_err(SLAPI_LOG_ERR, -- "find_localhost_DNS - gethostbyname(\"%s\") failed, error %d (%s)\n", -- hostname, oserr, slapd_system_strerror(oserr)); -- return NULL; -- } -- if (hp->h_name == NULL) { -+ hints.ai_family = AF_UNSPEC; -+ hints.ai_socktype = SOCK_STREAM; -+ hints.ai_flags = AI_CANONNAME; -+ if ((gai_result = getaddrinfo(hostname, NULL, &hints, &info)) != 0) { - slapi_log_err(SLAPI_LOG_ERR, "find_localhost_DNS", -- "gethostbyname(\"%s\")->h_name == NULL\n", hostname); -+ "getaddrinfo: %s\n", gai_strerror(gai_result)); - return NULL; - } -- if (strchr(hp->h_name, '.') != NULL) { -- slapi_log_err(SLAPI_LOG_CONFIG, "find_localhost_DNS", "h_name == %s\n", hp->h_name); -- return slapi_ch_strdup(hp->h_name); -- } else if (hp->h_aliases != NULL) { -- for (alias = hp->h_aliases; *alias != NULL; ++alias) { -- if (strchr(*alias, '.') != NULL && -- strncmp(*alias, hp->h_name, strlen(hp->h_name))) { -- slapi_log_err(SLAPI_LOG_CONFIG, "find_localhost_DNS", "h_alias == %s\n", *alias); -- return slapi_ch_strdup(*alias); -- } -+ -+ if (strchr(info->ai_canonname, '.') != NULL) { -+ char *return_name = slapi_ch_strdup(info->ai_canonname); -+ freeaddrinfo(info); -+ slapi_log_err(SLAPI_LOG_CONFIG, "find_localhost_DNS", "initial ai_canonname == %s\n", return_name); -+ return return_name; -+ } -+ for(p = info; p != NULL; p = p->ai_next) { -+ if (strchr(p->ai_canonname, '.') != NULL && -+ strncmp(p->ai_canonname, info->ai_canonname, strlen(info->ai_canonname))) -+ { -+ char *return_name = slapi_ch_strdup(p->ai_canonname); -+ freeaddrinfo(info); -+ slapi_log_err(SLAPI_LOG_CONFIG, "find_localhost_DNS", "next ai_canonname == %s\n", return_name); -+ return return_name; - } - } -+ -+ - /* The following is copied from dns_guess_domain(), - in ldapserver/lib/base/dnsdmain.c */ - domain 
= NULL; -@@ -134,9 +129,10 @@ find_localhost_DNS(void) - } - #endif - if (domain == NULL) { -+ freeaddrinfo(info); - return NULL; - } -- PL_strncpyz(hostname, hp->h_name, sizeof(hostname)); -+ PL_strncpyz(hostname, info->ai_canonname, sizeof(hostname)); - if (domain[0] == '.') - ++domain; - if (domain[0]) { -@@ -144,6 +140,7 @@ find_localhost_DNS(void) - PL_strcatn(hostname, sizeof(hostname), domain); - } - slapi_log_err(SLAPI_LOG_CONFIG, "find_localhost_DNS", "hostname == %s\n", hostname); -+ freeaddrinfo(info); - return slapi_ch_strdup(hostname); - } - -diff --git a/ldap/servers/slapd/tools/ldclt/repcheck.c b/ldap/servers/slapd/tools/ldclt/repcheck.c -index 4340055e5..05ea65a8b 100644 ---- a/ldap/servers/slapd/tools/ldclt/repcheck.c -+++ b/ldap/servers/slapd/tools/ldclt/repcheck.c -@@ -19,6 +19,10 @@ - #include "remote.h" - #include "lber.h" - #include "ldap.h" -+#include -+#include -+#include -+ - - enum - { -@@ -90,13 +94,15 @@ send_op(char *s, int sfd) - - main(int argc, char **argv) - { -- int i, port = 16000; -- int sockfd; -+ struct sockaddr_in srvsaddr; - static char logline[512]; - char **tmp; -- struct hostent *serveraddr; -- struct sockaddr_in srvsaddr; - char *p; -+ struct addrinfo hints = {0}; -+ struct addrinfo *info = NULL; -+ int gai_result = 0; -+ int i, port = 16000; -+ int sockfd; - - while ((i = getopt(argc, argv, "p:")) != EOF) { - switch (i) { -@@ -105,15 +111,25 @@ main(int argc, char **argv) - break; - } - } -- serveraddr = gethostbyname(argv[optind]); -- srvsaddr.sin_addr.s_addr = htonl(*((u_long *)(serveraddr->h_addr_list[0]))); -+ -+ hints.ai_family = AF_UNSPEC; -+ hints.ai_socktype = SOCK_STREAM; -+ hints.ai_flags = AI_CANONNAME; -+ if ((gai_result = getaddrinfo(argv[optind], NULL, &hints, &info)) != 0) { -+ slapi_log_err(SLAPI_LOG_ERR, "ldclt", -+ "getaddrinfo: %s\n", gai_strerror(gai_result)); -+ return NULL; -+ } -+ -+ srvsaddr.sin_addr.s_addr = htonl(*((u_long *)(info->ai_addr))); - srvsaddr.sin_family = AF_INET; - srvsaddr.sin_port 
= htons(port); -+ freeaddrinfo(info); - maxop = npend = 0; - pendops = (Optype *)malloc(sizeof(Optype) * 20); - sigset(SIGPIPE, SIG_IGN); - while (fgets(logline, sizeof(logline), stdin)) { -- if (p = strchr(logline, '\n')) { -+ if ((p = strchr(logline, '\n'))) { - *p = 0; - } - if (!connected) { -diff --git a/ldap/servers/slapd/tools/ldclt/repslave.c b/ldap/servers/slapd/tools/ldclt/repslave.c -index a04a73f5c..8df2a0ace 100644 ---- a/ldap/servers/slapd/tools/ldclt/repslave.c -+++ b/ldap/servers/slapd/tools/ldclt/repslave.c -@@ -62,6 +62,9 @@ dd/mm/yy | Author | Comments - #include "remote.h" - #include "lber.h" - #include "ldap.h" -+#include -+#include -+#include - - /* - * Enumeration for internal list -@@ -221,7 +224,8 @@ main(int argc, char **argv) - int sockfd, log = 0; - static char logline[512]; - char **tmp, *hn, *hp, *hf; -- struct hostent *serveraddr; -+ struct addrinfo hints = {0}; -+ struct addrinfo *info = NULL; - - while ((i = getopt(argc, argv, "tdP:s:")) != EOF) { - switch (i) { -@@ -251,12 +255,17 @@ main(int argc, char **argv) - /* - * Get master address, just the first. - */ -- if ((serveraddr = gethostbyname(hn)) == NULL) { -+ -+ hints.ai_family = AF_UNSPEC; -+ hints.ai_socktype = SOCK_STREAM; -+ hints.ai_flags = AI_CANONNAME; -+ if (getaddrinfo(hn, NULL, &hints, &info) != 0) { - printf("Unknown host %s\n", hn); - break; - } -+ - srvlist = (Towho *)realloc(srvlist, (nsrv + 1) * sizeof(Towho)); -- srvlist[nsrv].addr.sin_addr.s_addr = htonl(*((u_long *)(serveraddr->h_addr_list[0]))); -+ srvlist[nsrv].addr.sin_addr.s_addr = htonl(*((u_long *)(info->ai_addr))); - srvlist[nsrv].addr.sin_family = AF_INET; - srvlist[nsrv].addr.sin_port = htonl((hp == hf ? 
port : atoi(hp))); - if ((srvlist[nsrv].filter = regcmp(hf, NULL)) == NULL) -@@ -264,6 +273,7 @@ main(int argc, char **argv) - srvlist[nsrv].fd = open_cnx((struct sockaddr *)&srvlist[nsrv].addr); - srvlist[nsrv].hname = strdup(hn); - nsrv++; -+ freeaddrinfo(info); - break; - } - } -@@ -273,18 +283,19 @@ main(int argc, char **argv) - printf("\t-t\tprints input on stdout.\n\t-d\tdebug mode.\n"); - exit(1); - } -- srvlist = (Towho *)malloc(sizeof(Towho)); -- if ((serveraddr = gethostbyname(argv[optind])) == NULL) { -- printf("Unknown host %s\n", argv[optind]); -+ if (getaddrinfo(argv[optind], NULL, &hints, &info) != 0) { -+ printf("Unknown host %s\n", hn); - exit(1); - } -- srvlist[nsrv].addr.sin_addr.s_addr = htonl(*((u_long *)(serveraddr->h_addr_list[0]))); -+ srvlist = (Towho *)malloc(sizeof(Towho)); -+ srvlist[nsrv].addr.sin_addr.s_addr = htonl(*((u_long *)(info->ai_addr))); - srvlist[nsrv].addr.sin_family = AF_INET; - srvlist[nsrv].addr.sin_port = htons(port); - srvlist[nsrv].filter = NULL; - srvlist[nsrv].fd = open_cnx((struct sockaddr *)&srvlist[nsrv].addr); - srvlist[nsrv].hname = strdup(argv[optind]); - nsrv++; -+ freeaddrinfo(info); - } - maxop = npend = 0; - pendops = (Optype *)malloc(sizeof(Optype) * 20); -diff --git a/lib/base/dns.cpp b/lib/base/dns.cpp -deleted file mode 100644 -index e704094db..000000000 ---- a/lib/base/dns.cpp -+++ /dev/null -@@ -1,142 +0,0 @@ --/** BEGIN COPYRIGHT BLOCK -- * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. -- * Copyright (C) 2005 Red Hat, Inc. -- * All rights reserved. -- * -- * License: GPL (version 3 or any later version). -- * See LICENSE for details. 
-- * END COPYRIGHT BLOCK **/ -- --#ifdef HAVE_CONFIG_H --# include --#endif -- --/* -- * dns.c: DNS resolution routines -- * -- * Rob McCool -- */ --#define DNS_GUESSING -- --#include "netsite.h" --#include "systems.h" -- --/* Under NT, these are taken care of by net.h including winsock.h */ --#include /* inet_ntoa */ --#include /* struct hostent */ --#ifdef NEED_GHN_PROTO --extern "C" int gethostname (char *name, size_t namelen); --#endif --#include --#include -- --/* ---------------------------- dns_find_fqdn ----------------------------- */ -- -- --/* defined in dnsdmain.c */ --extern "C" NSAPI_PUBLIC char *dns_guess_domain(char * hname); -- --char *net_find_fqdn(PRHostEnt *p) --{ -- int x; -- -- if((!p->h_name) || (!p->h_aliases)) -- return NULL; -- -- if(!strchr(p->h_name, '.')) { -- for(x = 0; p->h_aliases[x]; ++x) { -- if((strchr(p->h_aliases[x], '.')) && -- (!strncmp(p->h_aliases[x], p->h_name, strlen(p->h_name)))) -- { -- return STRDUP(p->h_aliases[x]); -- } -- } --#ifdef DNS_GUESSING -- return dns_guess_domain(p->h_name); --#else -- return NULL; --#endif /* DNS_GUESSING */ -- } -- else -- return STRDUP(p->h_name); --} -- -- --/* ----------------------------- dns_ip2host ------------------------------ */ -- -- --char *dns_ip2host(char *ip, int verify) --{ -- /* struct in_addr iaddr; */ -- PRNetAddr iaddr; -- char *hn; -- static unsigned long laddr = 0; -- static char myhostname[256]; -- PRHostEnt hent; -- char buf[PR_NETDB_BUF_SIZE]; -- PRStatus err; -- -- -- err = PR_InitializeNetAddr(PR_IpAddrNull, 0, &iaddr); -- -- /* richm: ipv6 cleanup - use inet_aton or other more appropriate function -- instead of inet_addr */ -- if((iaddr.inet.ip = inet_addr(ip)) == (in_addr_t)-1) -- goto bong; -- -- /* -- * See if it happens to be the localhost IP address, and try -- * the local host name if so. 
-- */ -- if (laddr == 0) { -- laddr = inet_addr("127.0.0.1"); -- myhostname[0] = 0; -- PR_GetSystemInfo(PR_SI_HOSTNAME, myhostname, sizeof(myhostname)); -- } -- -- /* Have to match the localhost IP address and have a hostname */ -- if ((iaddr.inet.ip == laddr) && (myhostname[0] != 0)) { -- /* -- * Now try for a fully-qualified domain name, starting with -- * the local hostname. -- */ -- err = PR_GetHostByName(myhostname, -- buf, -- PR_NETDB_BUF_SIZE, -- &hent); -- -- /* Don't verify if we get a fully-qualified name this way */ -- verify = 0; -- } -- else { -- err = PR_GetHostByAddr(&iaddr, -- buf, -- PR_NETDB_BUF_SIZE, -- &hent); -- } -- -- if ((err == PR_FAILURE) || !(hn = net_find_fqdn(&hent))) goto bong; -- -- -- if(verify) { -- char **haddr = 0; -- err = PR_GetHostByName(hn, -- buf, -- PR_NETDB_BUF_SIZE, -- &hent); -- -- if(err == PR_SUCCESS) { -- for(haddr = hent.h_addr_list; *haddr; haddr++) { -- if(((struct in_addr *)(*haddr))->s_addr == iaddr.inet.ip) -- break; -- } -- } -- -- if((err == PR_FAILURE) || (!(*haddr))) -- goto bong; -- } -- -- return hn; -- bong: -- return NULL; --} -diff --git a/lib/base/net.cpp b/lib/base/net.cpp -deleted file mode 100644 -index 7227d9584..000000000 ---- a/lib/base/net.cpp -+++ /dev/null -@@ -1,66 +0,0 @@ --/** BEGIN COPYRIGHT BLOCK -- * Copyright (C) 2001 Sun Microsystems, Inc. Used by permission. -- * Copyright (C) 2005 Red Hat, Inc. -- * All rights reserved. -- * -- * License: GPL (version 3 or any later version). -- * See LICENSE for details. -- * END COPYRIGHT BLOCK **/ -- --#ifdef HAVE_CONFIG_H --# include --#endif -- --/* -- * net.c: sockets abstraction and DNS related things -- * -- * Note: sockets created with net_socket are placed in non-blocking mode, -- * however this API simulates that the calls are blocking. 
-- * -- * Rob McCool -- */ -- -- --#include "netsite.h" --#include -- --#include "util.h" --#include --#include /* inet_ntoa */ --#include /* hostent stuff */ --#ifdef NEED_GHN_PROTO --extern "C" int gethostname (char *name, size_t namelen); --#endif --#ifdef LINUX --#include /* ioctl */ --#endif -- --#include "libadmin/libadmin.h" -- --/* ---------------------------- util_hostname ----------------------------- */ -- -- --#include -- --/* Defined in dns.cpp */ --char *net_find_fqdn(PRHostEnt *p); -- --NSAPI_PUBLIC char *util_hostname(void) --{ -- char str[MAXHOSTNAMELEN]; -- PRHostEnt hent; -- char buf[PR_NETDB_BUF_SIZE]; -- PRStatus err; -- -- gethostname(str, MAXHOSTNAMELEN); -- err = PR_GetHostByName( -- str, -- buf, -- PR_NETDB_BUF_SIZE, -- &hent); -- -- if (err == PR_FAILURE) -- return NULL; -- return net_find_fqdn(&hent); --} -- --- -2.21.0 - diff --git a/SOURCES/0004-Issue-50816-dsconf-allows-the-root-password-to-be-se.patch b/SOURCES/0004-Issue-50816-dsconf-allows-the-root-password-to-be-se.patch new file mode 100644 index 0000000..482edb9 --- /dev/null +++ b/SOURCES/0004-Issue-50816-dsconf-allows-the-root-password-to-be-se.patch 
@@ -0,0 +1,33 @@
+From 44e46e0dd71567756928be3f773d09cc2cee22c2 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 13 Jan 2020 17:58:52 -0500
+Subject: [PATCH] Issue 50816 - dsconf allows the root password to be set to
+ nothing
+
+Bug Description: dsconf allows you to set the root DN password to nothing/
+
+Fix Description: Do not allow the root DN password to be set to nothing
+
+relates: https://pagure.io/389-ds-base/issue/50816
+
+Reviewed by: firstyear(Thanks!)
+---
+ src/lib389/lib389/idm/directorymanager.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/lib389/lib389/idm/directorymanager.py b/src/lib389/lib389/idm/directorymanager.py
+index bb3b58355..4c573e7b4 100644
+--- a/src/lib389/lib389/idm/directorymanager.py
++++ b/src/lib389/lib389/idm/directorymanager.py
+@@ -31,6 +31,8 @@ class DirectoryManager(Account):
+ self._protected = True
+
+ def change_password(self, new_password):
++ if new_password == "":
++ raise ValueError("You can not set the Directory Manager password to nothing")
+ self._instance.config.set('nsslapd-rootpw', new_password)
+
+ def bind(self, password=PW_DM, *args, **kwargs):
+--
+2.21.1
+
diff --git a/SOURCES/0004-Ticket-50431-Fix-covscan-warnings.patch b/SOURCES/0004-Ticket-50431-Fix-covscan-warnings.patch
deleted file mode 100644
index 302ce9d..0000000
--- a/SOURCES/0004-Ticket-50431-Fix-covscan-warnings.patch
+++ /dev/null
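Review bot: The new guard in `change_password` rejects only the exact empty string, so `None` or `b""` still reach `self._instance.config.set('nsslapd-rootpw', new_password)`; what `config.set` does with those values is not visible in this hunk. A falsy test, `if not new_password:`, would cover all three cases with the same `ValueError`. The check also lives only in the lib389 client, so unless the server validates `nsslapd-rootpw` itself (not shown here), a direct modify of that attribute can presumably still clear the password; that is worth confirming and recording in a comment above the guard. The `DirectoryManager` class continues outside the hunk.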
@@ -1,1635 +0,0 @@ -From 3d8e1c62134fe5e98edef167ce88f473adda722a Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 5 Jun 2019 14:09:52 -0400 -Subject: [PATCH] Ticket 50431 - Fix covscan warnings - -Description: Most coverity errors happen when something fails. - -https://pagure.io/389-ds-base/issue/50431 - -Reviewed by: firstyear & spichugi(Thanks!) ---- - autogen.sh | 8 ++- - ldap/servers/plugins/acl/acl.c | 15 ++--- - ldap/servers/plugins/acl/acleffectiverights.c | 12 ++-- - ldap/servers/plugins/acl/acllist.c | 4 +- - .../plugins/linkedattrs/linked_attrs.c | 4 +- - .../plugins/memberof/memberof_config.c | 12 +++- - .../plugins/posix-winsync/posix-winsync.c | 2 +- - ldap/servers/plugins/replication/cl5_api.c | 1 + - .../plugins/replication/repl5_replica.c | 2 +- - .../replication/repl5_replica_config.c | 8 ++- - ldap/servers/plugins/replication/urp.c | 1 + - ldap/servers/plugins/roles/roles_cache.c | 2 + - ldap/servers/plugins/views/views.c | 16 ++++-- - ldap/servers/slapd/agtmmap.c | 2 +- - ldap/servers/slapd/back-ldbm/dblayer.c | 55 ++++++++++-------- - ldap/servers/slapd/back-ldbm/index.c | 9 +-- - ldap/servers/slapd/back-ldbm/ldbm_add.c | 3 +- - .../slapd/back-ldbm/ldbm_attrcrypt_config.c | 4 +- - ldap/servers/slapd/back-ldbm/ldbm_delete.c | 3 +- - ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 4 +- - ldap/servers/slapd/back-ldbm/vlv_srch.c | 3 +- - ldap/servers/slapd/connection.c | 1 + - ldap/servers/slapd/dse.c | 7 ++- - ldap/servers/slapd/entrywsi.c | 57 ++++++++++--------- - ldap/servers/slapd/main.c | 9 +-- - ldap/servers/slapd/mapping_tree.c | 46 +++++++-------- - ldap/servers/slapd/modify.c | 6 +- - ldap/servers/slapd/opshared.c | 3 +- - ldap/servers/slapd/plugin_internal_op.c | 3 +- - ldap/servers/slapd/plugin_syntax.c | 4 +- - ldap/servers/slapd/rdn.c | 5 +- - ldap/servers/slapd/sasl_map.c | 4 +- - ldap/servers/slapd/schema.c | 6 +- - ldap/servers/slapd/search.c | 7 ++- - ldap/servers/slapd/tools/dbscan.c | 9 ++- - 
ldap/servers/slapd/tools/ldclt/ldapfct.c | 8 +-- - ldap/servers/slapd/tools/ldclt/ldclt.c | 2 +- - ldap/servers/slapd/tools/ldif.c | 10 +++- - ldap/servers/slapd/tools/mmldif.c | 5 +- - ldap/servers/slapd/tools/pwenc.c | 1 + - ldap/servers/slapd/tools/rsearch/infadd.c | 2 +- - ldap/servers/slapd/tools/rsearch/rsearch.c | 5 +- - lib/ldaputil/certmap.c | 15 ++--- - lib/libaccess/usrcache.cpp | 6 +- - .../389-console/src/lib/database/chaining.jsx | 2 +- - .../389-console/src/lib/database/suffix.jsx | 4 +- - src/cockpit/389-console/src/replication.js | 2 +- - src/lib389/lib389/agreement.py | 1 + - src/lib389/lib389/backend.py | 8 ++- - src/lib389/lib389/cli_conf/backend.py | 2 +- - 50 files changed, 229 insertions(+), 181 deletions(-) - -diff --git a/autogen.sh b/autogen.sh -index 8bb628b25..06a5facd1 100755 ---- a/autogen.sh -+++ b/autogen.sh -@@ -35,12 +35,16 @@ checkvers() { - vers="$1"; shift - needmaj="$1"; shift - needmin="$1"; shift -- needrev="$1"; shift -+ if [ "$#" != "0" ]; then -+ needrev="$1"; shift -+ fi - verslist=`echo $vers | tr '.' ' '` - set $verslist - maj=$1; shift - min=$1; shift -- rev=$1; shift -+ if [ "$#" != "0" ]; then -+ rev=$1; shift -+ fi - if [ "$maj" -gt "$needmaj" ] ; then return 0; fi - if [ "$maj" -lt "$needmaj" ] ; then return 1; fi - # if we got here, maj == needmaj -diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c -index 6d105f4fa..5680de669 100644 ---- a/ldap/servers/plugins/acl/acl.c -+++ b/ldap/servers/plugins/acl/acl.c -@@ -644,7 +644,8 @@ cleanup_and_ret: - if (aclpb) - aclpb->aclpb_curr_attrEval = NULL; - -- print_access_control_summary("main", ret_val, clientDn, aclpb, right, -+ print_access_control_summary("main", ret_val, clientDn, aclpb, -+ (right ? right : "NULL"), - (attr ? 
attr : "NULL"), n_edn, - &decision_reason); - TNF_PROBE_0_DEBUG(acl_cleanup_end, "ACL", ""); -@@ -2590,12 +2591,9 @@ acl__resource_match_aci(Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *a - * that applies to the current attribute. - * Then the (attribute,value) pair being added/deleted better - * match that filter. -- * -- * - */ -- - Targetattrfilter **attrFilterArray = NULL; -- Targetattrfilter *attrFilter; -+ Targetattrfilter *attrFilter = NULL; - int found = 0; - - if ((aclpb->aclpb_access & ACLPB_SLAPI_ACL_WRITE_ADD) && -@@ -2606,15 +2604,13 @@ acl__resource_match_aci(Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *a - attrFilterArray = aci->targetAttrDelFilters; - } - -- - /* - * Scan this filter list for an applicable filter. - */ -- - found = 0; - num_attrs = 0; - -- while (attrFilterArray[num_attrs] && !found) { -+ while (attrFilterArray && attrFilterArray[num_attrs] && !found) { - attrFilter = attrFilterArray[num_attrs]; - - /* If this filter applies to the attribute, stop. */ -@@ -2630,8 +2626,7 @@ acl__resource_match_aci(Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *a - * Here, if found an applicable filter, then apply the filter to the - * (attr,val) pair. - * Otherwise, ignore the targetattrfilters. -- */ -- -+ */ - if (found) { - - if (acl__make_filter_test_entry(&aclpb->aclpb_filter_test_entry, -diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c -index 8a0cb9122..5dd46a064 100644 ---- a/ldap/servers/plugins/acl/acleffectiverights.c -+++ b/ldap/servers/plugins/acl/acleffectiverights.c -@@ -869,14 +869,14 @@ _ger_generate_template_entry( - if (dntype) { - siz += strlen(dntype) + 30 + strlen(object) + strlen(dn); - } else { -- siz += strlen(attrs[0]) + 30 + strlen(object) + strlen(dn); -+ siz += strlen(attrs[0] ? 
attrs[0] : "") + 30 + strlen(object) + strlen(dn); - } - } else { - /* dn: =\n\0 */ - if (dntype) { - siz += strlen(dntype) + 30 + strlen(object); - } else { -- siz += strlen(attrs[0]) + 30 + strlen(object); -+ siz += strlen(attrs[0] ? attrs[0] : "") + 30 + strlen(object); - } - } - templateentry = (char *)slapi_ch_malloc(siz); -@@ -1030,7 +1030,9 @@ bailout: - * slapi_pblock_set() will free any previous data, and - * pblock_done() will free SLAPI_PB_RESULT_TEXT. - */ -- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, gerstr); -+ if (gerstr) { -+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, gerstr); -+ } - - if (!iscritical) { - /* -@@ -1040,7 +1042,7 @@ bailout: - rc = LDAP_SUCCESS; - } - -- slapi_ch_free((void **)&subjectndn); -- slapi_ch_free((void **)&gerstr); -+ slapi_ch_free_string(&subjectndn); -+ slapi_ch_free_string(&gerstr); - return rc; - } -diff --git a/ldap/servers/plugins/acl/acllist.c b/ldap/servers/plugins/acl/acllist.c -index 79786b723..e80c567c3 100644 ---- a/ldap/servers/plugins/acl/acllist.c -+++ b/ldap/servers/plugins/acl/acllist.c -@@ -255,7 +255,9 @@ __acllist_add_aci(aci_t *aci) - t_aci = t_aci->aci_next; - - /* Now add the new one to the end of the list */ -- t_aci->aci_next = aci; -+ if (t_aci) { -+ t_aci->aci_next = aci; -+ } - - slapi_log_err(SLAPI_LOG_ACL, plugin_name, "__acllist_add_aci - Added the ACL:%s to existing container:[%d]%s\n", - aci->aclName, head->acic_index, slapi_sdn_get_ndn(head->acic_sdn)); -diff --git a/ldap/servers/plugins/linkedattrs/linked_attrs.c b/ldap/servers/plugins/linkedattrs/linked_attrs.c -index f6eee1957..4f9fb102b 100644 ---- a/ldap/servers/plugins/linkedattrs/linked_attrs.c -+++ b/ldap/servers/plugins/linkedattrs/linked_attrs.c -@@ -1256,7 +1256,9 @@ linked_attrs_del_backpointers(Slapi_PBlock *pb, char *linkdn, struct configEntry - - slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &pre_e); - slapi_entry_attr_find(pre_e, config->linktype, &pre_attr); -- slapi_attr_get_valueset(pre_attr, &vals); -+ if (pre_attr) { -+ 
slapi_attr_get_valueset(pre_attr, &vals); -+ } - } else { - vals = slapi_valueset_new(); - slapi_valueset_set_from_smod(vals, smod); -diff --git a/ldap/servers/plugins/memberof/memberof_config.c b/ldap/servers/plugins/memberof/memberof_config.c -index 89fd012e7..124217ee0 100644 ---- a/ldap/servers/plugins/memberof/memberof_config.c -+++ b/ldap/servers/plugins/memberof/memberof_config.c -@@ -550,13 +550,17 @@ memberof_apply_config(Slapi_PBlock *pb __attribute__((unused)), - } - - /* Build the new list */ -- for (i = 0; theConfig.group_slapiattrs && theConfig.groupattrs && theConfig.groupattrs[i]; i++) { -+ for (i = 0; theConfig.group_slapiattrs && theConfig.group_slapiattrs[i] && -+ theConfig.groupattrs && theConfig.groupattrs[i]; i++) -+ { - theConfig.group_slapiattrs[i] = slapi_attr_new(); - slapi_attr_init(theConfig.group_slapiattrs[i], theConfig.groupattrs[i]); - } - - /* Terminate the list. */ -- theConfig.group_slapiattrs[i] = NULL; -+ if (theConfig.group_slapiattrs) { -+ theConfig.group_slapiattrs[i] = NULL; -+ } - - /* The filter is based off of the groupattr, so we update it here too. */ - slapi_filter_free(theConfig.group_filter, 1); -@@ -736,7 +740,9 @@ memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src) - } - - /* Terminate the array. 
*/ -- dest->group_slapiattrs[i] = NULL; -+ if (dest->group_slapiattrs) { -+ dest->group_slapiattrs[i] = NULL; -+ } - } - - if (src->memberof_attr) { -diff --git a/ldap/servers/plugins/posix-winsync/posix-winsync.c b/ldap/servers/plugins/posix-winsync/posix-winsync.c -index 8e5ca4fff..c56e55f49 100644 ---- a/ldap/servers/plugins/posix-winsync/posix-winsync.c -+++ b/ldap/servers/plugins/posix-winsync/posix-winsync.c -@@ -1114,7 +1114,7 @@ posix_winsync_pre_ds_mod_group_cb(void *cbdata __attribute__((unused)), - - slapi_value_init_string(voc, "posixGroup"); - slapi_entry_attr_find(ds_entry, "objectClass", &oc_attr); -- if (slapi_attr_value_find(oc_attr, slapi_value_get_berval(voc)) != 0) { -+ if (oc_attr && slapi_attr_value_find(oc_attr, slapi_value_get_berval(voc)) != 0) { - Slapi_ValueSet *oc_vs = NULL; - Slapi_Value *oc_nv = slapi_value_new(); - -diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c -index c035db290..6b5b28b0b 100644 ---- a/ldap/servers/plugins/replication/cl5_api.c -+++ b/ldap/servers/plugins/replication/cl5_api.c -@@ -2749,6 +2749,7 @@ _cl5UpgradeMajor(char *fromVersion, char *toVersion) - if (rc != CL5_SUCCESS) { - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name_cl, - "_cl5UpgradeMajor - Failed to open the db env\n"); -+ s_cl5Desc.dbOpenMode = backup; - return rc; - } - s_cl5Desc.dbOpenMode = backup; -diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c -index b3d619862..6a5363e43 100644 ---- a/ldap/servers/plugins/replication/repl5_replica.c -+++ b/ldap/servers/plugins/replication/repl5_replica.c -@@ -2317,7 +2317,7 @@ replica_check_for_tasks(time_t when __attribute__((unused)), void *arg) - "missing original task flag. 
Aborting abort task!\n", - clean_vals[i]); - replica_delete_task_config(e, (char *)type_replicaAbortCleanRUV, orig_val); -- goto done; -+ goto done2; - } - - if (!is_cleaned_rid(rid)) { -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index 02b645f41..7649aa14e 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -223,6 +223,7 @@ replica_config_add(Slapi_PBlock *pb __attribute__((unused)), - } - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_add - "MSG_NOREPLICANORMRDN); - slapi_rdn_free(&replicardn); -+ slapi_ch_free_string(&replica_root); - *returncode = LDAP_UNWILLING_TO_PERFORM; - return SLAPI_DSE_CALLBACK_ERROR; - } else { -@@ -232,6 +233,7 @@ replica_config_add(Slapi_PBlock *pb __attribute__((unused)), - } - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,"replica_config_add - "MSG_CNREPLICA, nrdn, REPLICA_RDN); - slapi_rdn_free(&replicardn); -+ slapi_ch_free_string(&replica_root); - *returncode = LDAP_UNWILLING_TO_PERFORM; - return SLAPI_DSE_CALLBACK_ERROR; - } -@@ -242,6 +244,7 @@ replica_config_add(Slapi_PBlock *pb __attribute__((unused)), - strcpy(errortext, MSG_NOREPLICARDN); - } - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_add - "MSG_NOREPLICARDN); -+ slapi_ch_free_string(&replica_root); - *returncode = LDAP_UNWILLING_TO_PERFORM; - return SLAPI_DSE_CALLBACK_ERROR; - } -@@ -287,7 +290,7 @@ done: - - PR_Unlock(s_configLock); - /* slapi_ch_free accepts NULL pointer */ -- slapi_ch_free((void **)&replica_root); -+ slapi_ch_free_string(&replica_root); - - if (*returncode != LDAP_SUCCESS) { - if (mtnode_ext->replica) -@@ -2083,7 +2086,6 @@ check_replicas_are_done_cleaning(cleanruv_data *data) - while (not_all_cleaned && !is_task_aborted(data->rid) && !slapi_is_shutting_down()) { - agmt_obj = agmtlist_get_first_agreement_for_replica(data->replica); - if (agmt_obj == 
NULL) { -- not_all_cleaned = 0; - break; - } - while (agmt_obj && !slapi_is_shutting_down()) { -@@ -2196,7 +2198,6 @@ check_replicas_are_done_aborting(cleanruv_data *data) - while (not_all_aborted && !slapi_is_shutting_down()) { - agmt_obj = agmtlist_get_first_agreement_for_replica(data->replica); - if (agmt_obj == NULL) { -- not_all_aborted = 0; - break; - } - while (agmt_obj && !slapi_is_shutting_down()) { -@@ -2803,6 +2804,7 @@ delete_cleaned_rid_config(cleanruv_data *clean_data) - cleanruv_log(clean_data->task, clean_data->rid, CLEANALLRUV_ID, SLAPI_LOG_ERR, - "delete_cleaned_rid_config - Failed to remove task data from (%s) error (%d), rid (%d)", - edn, rc, clean_data->rid); -+ slapi_ch_array_free(attr_val); - goto bail; - } - } -diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c -index 37fe77379..b134409e4 100644 ---- a/ldap/servers/plugins/replication/urp.c -+++ b/ldap/servers/plugins/replication/urp.c -@@ -1602,6 +1602,7 @@ urp_find_tombstone_for_glue (Slapi_PBlock *pb, char *sessionid, const Slapi_Entr - for (int i = 0; entries && (entries[i] != NULL); i++) { - char *tombstone_csn_value = slapi_entry_attr_get_charptr(entries[i], "nstombstonecsn"); - if (tombstone_csn_value) { -+ csn_free(&tombstone_csn); - tombstone_csn = csn_new_by_string(tombstone_csn_value); - slapi_ch_free_string(&tombstone_csn_value); - if( csn_compare(tombstone_csn, conflict_csn) > 0 ) { -diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c -index 1e5865af8..4e3b0af54 100644 ---- a/ldap/servers/plugins/roles/roles_cache.c -+++ b/ldap/servers/plugins/roles/roles_cache.c -@@ -1276,6 +1276,8 @@ roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_object **resu - - if (rc == 0) { - *result = this_role; -+ } else { -+ slapi_ch_free((void **)&this_role); - } - - slapi_log_err(SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, -diff --git a/ldap/servers/plugins/views/views.c 
b/ldap/servers/plugins/views/views.c -index 6f784f599..5d8464761 100644 ---- a/ldap/servers/plugins/views/views.c -+++ b/ldap/servers/plugins/views/views.c -@@ -783,10 +783,12 @@ views_cache_create_applied_filter(viewEntry *pView) - "views_cache_create_applied_filter - View filter [%s] in entry [%s] is not valid\n", - buf, current->pDn); - } -- if (pBuiltFilter && pCurrentFilter) -+ if (pBuiltFilter && pCurrentFilter) { - pBuiltFilter = slapi_filter_join_ex(LDAP_FILTER_AND, pBuiltFilter, pCurrentFilter, 0); -- else -+ } else { -+ slapi_filter_free(pBuiltFilter, 1); - pBuiltFilter = pCurrentFilter; -+ } - - slapi_ch_free((void **)&buf); - -@@ -952,10 +954,12 @@ views_cache_create_descendent_filter(viewEntry *ancestor, PRBool useEntryID) - "views_cache_create_descendent_filter - View filter [%s] in entry [%s] is invalid\n", - buf, currentChild->pDn); - } -- if (pOrSubFilter && pCurrentFilter) -+ if (pOrSubFilter && pCurrentFilter) { - pOrSubFilter = slapi_filter_join_ex(LDAP_FILTER_OR, pOrSubFilter, pCurrentFilter, 0); -- else -+ } else { -+ slapi_filter_free(pOrSubFilter, 1); - pOrSubFilter = pCurrentFilter; -+ } - - PR_smprintf_free(buf); - } -@@ -1756,7 +1760,9 @@ view_search_rewrite_callback(Slapi_PBlock *pb) - #endif - - /* make it happen */ -- slapi_pblock_set(pb, SLAPI_SEARCH_FILTER, outFilter); -+ if (outFilter) { -+ slapi_pblock_set(pb, SLAPI_SEARCH_FILTER, outFilter); -+ } - - ret = -2; - -diff --git a/ldap/servers/slapd/agtmmap.c b/ldap/servers/slapd/agtmmap.c -index 352ccefda..bc5fe1ee1 100644 ---- a/ldap/servers/slapd/agtmmap.c -+++ b/ldap/servers/slapd/agtmmap.c -@@ -243,7 +243,7 @@ agt_mread_stats(int hdl, struct hdr_stats_t *pHdrInfo, struct ops_stats_t *pDsOp - return (EINVAL); /* Inavlid handle */ - } - -- if (mmap_tbl[hdl].fp <= (caddr_t)0) { -+ if (mmap_tbl[hdl].fp <= 0) { - return (EFAULT); /* Something got corrupted */ - } - -diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c -index f813447b6..1fee8050a 
100644 ---- a/ldap/servers/slapd/back-ldbm/dblayer.c -+++ b/ldap/servers/slapd/back-ldbm/dblayer.c -@@ -3009,7 +3009,7 @@ dblayer_erase_index_file_ex(backend *be, struct attrinfo *a, PRBool use_lock, in - ldbm_instance *inst = NULL; - dblayer_handle *handle = NULL; - char dbName[MAXPATHLEN] = {0}; -- char *dbNamep; -+ char *dbNamep = NULL; - char *p; - int dbbasenamelen, dbnamelen; - int rc = 0; -@@ -3102,11 +3102,12 @@ dblayer_erase_index_file_ex(backend *be, struct attrinfo *a, PRBool use_lock, in - sprintf(p, "%c%s%s", get_sep(dbNamep), a->ai_type, LDBM_FILENAME_SUFFIX); - rc = dblayer_db_remove_ex(pEnv, dbNamep, 0, 0); - a->ai_dblayer = NULL; -- if (dbNamep != dbName) -- slapi_ch_free_string(&dbNamep); - } else { - rc = -1; - } -+ if (dbNamep != dbName) { -+ slapi_ch_free_string(&dbNamep); -+ } - slapi_ch_free((void **)&handle); - } else { - /* no handle to close */ -@@ -5661,7 +5662,9 @@ dblayer_copy_directory(struct ldbminfo *li, - inst_dir, MAXPATHLEN); - if (!inst_dirp || !*inst_dirp) { - slapi_log_err(SLAPI_LOG_ERR, "dblayer_copy_directory", "Instance dir is NULL.\n"); -- slapi_ch_free_string(&inst_dirp); -+ if (inst_dirp != inst_dir) { -+ slapi_ch_free_string(&inst_dirp); -+ } - return return_value; - } - len = strlen(inst_dirp); -@@ -5975,7 +5978,9 @@ dblayer_backup(struct ldbminfo *li, char *dest_dir, Slapi_Task *task) - slapi_task_log_notice(task, - "Backup: Instance dir is empty\n"); - } -- slapi_ch_free_string(&inst_dirp); -+ if (inst_dirp != inst_dir) { -+ slapi_ch_free_string(&inst_dirp); -+ } - return_value = -1; - goto bail; - } -@@ -5993,8 +5998,9 @@ dblayer_backup(struct ldbminfo *li, char *dest_dir, Slapi_Task *task) - "(%s -> %s): err=%d\n", - inst_dirp, dest_dir, return_value); - } -- if (inst_dirp != inst_dir) -+ if (inst_dirp != inst_dir) { - slapi_ch_free_string(&inst_dirp); -+ } - goto bail; - } - if (inst_dirp != inst_dir) -@@ -6292,7 +6298,6 @@ dblayer_copy_dirand_contents(char *src_dir, char *dst_dir, int mode, Slapi_Task - break; - } 
- -- - PR_snprintf(filename1, MAXPATHLEN, "%s/%s", src_dir, direntry->name); - PR_snprintf(filename2, MAXPATHLEN, "%s/%s", dst_dir, direntry->name); - slapi_log_err(SLAPI_LOG_ERR, "dblayer_copy_dirand_contents", "Moving file %s\n", -@@ -6305,8 +6310,7 @@ dblayer_copy_dirand_contents(char *src_dir, char *dst_dir, int mode, Slapi_Task - mode, task); - if (return_value) { - if (task) { -- slapi_task_log_notice(task, -- "Failed to copy directory %s", filename1); -+ slapi_task_log_notice(task, "Failed to copy directory %s", filename1); - } - break; - } -@@ -6523,13 +6527,13 @@ dblayer_restore(struct ldbminfo *li, char *src_dir, Slapi_Task *task, char *bena - return LDAP_UNWILLING_TO_PERFORM; - } - if (!dbversion_exists(li, src_dir)) { -- slapi_log_err(SLAPI_LOG_ERR, "dblayer_restore", "Backup directory %s does not " -- "contain a complete backup\n", -+ slapi_log_err(SLAPI_LOG_ERR, "dblayer_restore", -+ "Backup directory %s does not contain a complete backup\n", - src_dir); - if (task) { -- slapi_task_log_notice(task, "Restore: backup directory %s does not " -- "contain a complete backup", -- src_dir); -+ slapi_task_log_notice(task, -+ "Restore: backup directory %s does not contain a complete backup", -+ src_dir); - } - return LDAP_UNWILLING_TO_PERFORM; - } -@@ -6585,13 +6589,10 @@ dblayer_restore(struct ldbminfo *li, char *src_dir, Slapi_Task *task, char *bena - } - if (slapd_comp_path(src_dir, inst->inst_parent_dir_name) == 0) { - slapi_log_err(SLAPI_LOG_ERR, -- "dblayer_restore", "Backup dir %s and target dir %s " -- "are identical\n", -+ "dblayer_restore", "Backup dir %s and target dir %s are identical\n", - src_dir, inst->inst_parent_dir_name); - if (task) { - slapi_task_log_notice(task, -- "Restore: backup dir %s and target dir %s " -- "are identical\n", - src_dir, inst->inst_parent_dir_name); - } - PR_CloseDir(dirhandle); -@@ -7060,8 +7061,12 @@ dblayer_get_instance_data_dir(backend *be) - full_namep = dblayer_get_full_inst_dir(inst->inst_li, inst, - full_name, 
MAXPATHLEN); - if (!full_namep || !*full_namep) { -+ if (full_namep != full_name) { -+ slapi_ch_free_string(&full_namep); -+ } - return ret; - } -+ - /* Does this directory already exist? */ - if ((db_dir = PR_OpenDir(full_namep)) != NULL) { - /* yep. */ -@@ -7072,8 +7077,9 @@ dblayer_get_instance_data_dir(backend *be) - ret = mkdir_p(full_namep, 0700); - } - -- if (full_name != full_namep) -+ if (full_name != full_namep) { - slapi_ch_free_string(&full_namep); -+ } - - return ret; - } -@@ -7097,7 +7103,6 @@ dblayer_in_import(ldbm_instance *inst) - inst_dirp = dblayer_get_full_inst_dir(inst->inst_li, inst, - inst_dir, MAXPATHLEN); - if (!inst_dirp || !*inst_dirp) { -- slapi_ch_free_string(&inst_dirp); - rval = -1; - goto done; - } -@@ -7117,8 +7122,9 @@ dblayer_in_import(ldbm_instance *inst) - } - PR_CloseDir(dirhandle); - done: -- if (inst_dirp != inst_dir) -+ if (inst_dirp != inst_dir) { - slapi_ch_free_string(&inst_dirp); -+ } - return rval; - } - -@@ -7149,7 +7155,9 @@ dblayer_update_db_ext(ldbm_instance *inst, char *oldext, char *newext) - if (NULL == inst_dirp || '\0' == *inst_dirp) { - slapi_log_err(SLAPI_LOG_ERR, - "dblayer_update_db_ext", "Instance dir is NULL\n"); -- slapi_ch_free_string(&inst_dirp); -+ if (inst_dirp != inst_dir) { -+ slapi_ch_free_string(&inst_dirp); -+ } - return -1; /* non zero */ - } - for (a = (struct attrinfo *)avl_getfirst(inst->inst_attrs); -@@ -7210,8 +7218,9 @@ dblayer_update_db_ext(ldbm_instance *inst, char *oldext, char *newext) - done: - slapi_ch_free_string(&ofile); - slapi_ch_free_string(&nfile); -- if (inst_dirp != inst_dir) -+ if (inst_dirp != inst_dir) { - slapi_ch_free_string(&inst_dirp); -+ } - - return rval; - } -diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c -index f0b969ff4..2a7529b81 100644 ---- a/ldap/servers/slapd/back-ldbm/index.c -+++ b/ldap/servers/slapd/back-ldbm/index.c -@@ -1776,13 +1776,14 @@ index_range_read_ext( - } - #endif - error: -+ 
slapi_log_err(SLAPI_LOG_TRACE, "index_range_read_ext", "(%s,%s) %lu candidates\n", -+ type, prefix ? prefix : "", (u_long)IDL_NIDS(idl)); -+ - index_free_prefix(prefix); - DBT_FREE_PAYLOAD(cur_key); - DBT_FREE_PAYLOAD(upperkey); -- - dblayer_release_index_file(be, ai, db); -- slapi_log_err(SLAPI_LOG_TRACE, "index_range_read_ext", "(%s,%s) %lu candidates\n", -- type, prefix, (u_long)IDL_NIDS(idl)); -+ - return (idl); - } - -@@ -2406,7 +2407,7 @@ index_free_prefix(char *prefix) - prefix == prefix_SUB) { - /* do nothing */ - } else { -- slapi_ch_free((void **)&prefix); -+ slapi_ch_free_string(&prefix); - } - } - -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c -index 0d82ae92b..a2585575f 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_add.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c -@@ -162,7 +162,8 @@ ldbm_back_add(Slapi_PBlock *pb) - txn.back_txn_txn = parent_txn; - } else { - parent_txn = txn.back_txn_txn; -- slapi_pblock_set(pb, SLAPI_TXN, parent_txn); -+ if (parent_txn) -+ slapi_pblock_set(pb, SLAPI_TXN, parent_txn); - } - - /* The dblock serializes writes to the database, -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c -index 9ecb09903..fd2c7dbc8 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c -@@ -142,7 +142,7 @@ ldbm_instance_attrcrypt_config_add_callback(Slapi_PBlock *pb __attribute__((unus - - /* If the cipher was invalid, return unwilling to perform */ - if (0 == cipher) { -- returntext = "invalid cipher"; -+ PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "invalid cipher"); - *returncode = LDAP_UNWILLING_TO_PERFORM; - ret = SLAPI_DSE_CALLBACK_ERROR; - } else { -@@ -167,7 +167,7 @@ ldbm_instance_attrcrypt_config_add_callback(Slapi_PBlock *pb __attribute__((unus - slapi_log_err(SLAPI_LOG_ERR, "ldbm_instance_attrcrypt_config_add_callback - " - "Attempt to 
encryption on a non-existent attribute: %s\n", - attribute_name, 0, 0); -- returntext = "attribute does not exist"; -+ PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "attribute does not exist"); - *returncode = LDAP_UNWILLING_TO_PERFORM; - ret = SLAPI_DSE_CALLBACK_ERROR; - } -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c -index e9f3e32cc..76e37ae14 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c -@@ -113,7 +113,8 @@ ldbm_back_delete(Slapi_PBlock *pb) - txn.back_txn_txn = parent_txn; - } else { - parent_txn = txn.back_txn_txn; -- slapi_pblock_set(pb, SLAPI_TXN, parent_txn); -+ if (parent_txn) -+ slapi_pblock_set(pb, SLAPI_TXN, parent_txn); - } - - if (pb_conn) { -diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -index 60437f116..fb0fc5d1e 100644 ---- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -@@ -1154,7 +1154,7 @@ ldbm_back_ldbm2ldif(Slapi_PBlock *pb) - int task_flags; - Slapi_Task *task; - int run_from_cmdline = 0; -- char *instance_name; -+ char *instance_name = NULL; - ldbm_instance *inst = NULL; - int str2entry_options = 0; - int retry; -@@ -1203,11 +1203,11 @@ ldbm_back_ldbm2ldif(Slapi_PBlock *pb) - goto bye; - } - -+ slapi_pblock_get(pb, SLAPI_BACKEND_INSTANCE_NAME, &instance_name); - if (run_from_cmdline) { - - /* Now that we have processed the config information, we look for - * the be that should do the db2ldif. 
*/ -- slapi_pblock_get(pb, SLAPI_BACKEND_INSTANCE_NAME, &instance_name); - inst = ldbm_instance_find_by_name(li, instance_name); - if (NULL == inst) { - slapi_task_log_notice(task, "Unknown backend instance: %s", instance_name); -diff --git a/ldap/servers/slapd/back-ldbm/vlv_srch.c b/ldap/servers/slapd/back-ldbm/vlv_srch.c -index 368417483..1ac3e009e 100644 ---- a/ldap/servers/slapd/back-ldbm/vlv_srch.c -+++ b/ldap/servers/slapd/back-ldbm/vlv_srch.c -@@ -168,7 +168,8 @@ vlvSearch_init(struct vlvSearch *p, Slapi_PBlock *pb, const Slapi_Entry *e, ldbm - - /* switch context back to the DSE backend */ - slapi_pblock_set(pb, SLAPI_BACKEND, oldbe); -- slapi_pblock_set(pb, SLAPI_PLUGIN, oldbe ? oldbe->be_database: NULL); -+ if (oldbe) -+ slapi_pblock_set(pb, SLAPI_PLUGIN, oldbe->be_database); - } - - /* make (&(parentid=idofbase)(|(originalfilter)(objectclass=referral))) */ -diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c -index 4a611e7f4..d3bf82b67 100644 ---- a/ldap/servers/slapd/connection.c -+++ b/ldap/servers/slapd/connection.c -@@ -1864,6 +1864,7 @@ connection_threadmain() - signal_listner(); - } - } else if (1 == is_timedout) { -+ /* covscan reports this code is unreachable (2019/6/4) */ - connection_make_readable_nolock(conn); - signal_listner(); - } -diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c -index 1f1f51630..125684329 100644 ---- a/ldap/servers/slapd/dse.c -+++ b/ldap/servers/slapd/dse.c -@@ -2530,7 +2530,8 @@ dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi - dse_call_callback(pdse, pb, SLAPI_OPERATION_DELETE, DSE_FLAG_POSTOP, ec, NULL, &returncode, returntext); - done: - slapi_pblock_get(pb, SLAPI_DELETE_BEPOSTOP_ENTRY, &orig_entry); -- slapi_pblock_set(pb, SLAPI_DELETE_BEPOSTOP_ENTRY, ec); -+ if (ec) -+ slapi_pblock_set(pb, SLAPI_DELETE_BEPOSTOP_ENTRY, ec); - /* make sure OPRETURN and RESULT_CODE are set */ - slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &rc); - if (returncode 
|| rc) { -@@ -2571,8 +2572,8 @@ done: - rc = LDAP_UNWILLING_TO_PERFORM; - } - } -- -- slapi_pblock_set(pb, SLAPI_DELETE_BEPOSTOP_ENTRY, orig_entry); -+ if (orig_entry) -+ slapi_pblock_set(pb, SLAPI_DELETE_BEPOSTOP_ENTRY, orig_entry); - slapi_send_ldap_result(pb, returncode, NULL, returntext, 0, NULL); - return dse_delete_return(returncode, ec); - } -diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c -index 080eb15aa..5d1d7238a 100644 ---- a/ldap/servers/slapd/entrywsi.c -+++ b/ldap/servers/slapd/entrywsi.c -@@ -359,7 +359,6 @@ entry_add_present_attribute_wsi(Slapi_Entry *e, Slapi_Attr *a) - * Preserves LDAP Information Model constraints, - * returning an LDAP result code. - */ --static void entry_dump_stateinfo(char *msg, Slapi_Entry* e); - static Slapi_Value *attr_most_recent_deleted_value(Slapi_Attr *a); - static void resolve_single_valued_two_values(Slapi_Entry *e, Slapi_Attr *a, int attribute_state, Slapi_Value *current_value, Slapi_Value *second_current_value); - static void resolve_single_valued_check_restore_deleted_value(Slapi_Entry *e, Slapi_Attr *a); -@@ -397,6 +396,7 @@ entry_add_present_values_wsi(Slapi_Entry *e, const char *type, struct berval **b - /* Used for debug purpose, it dumps into the error log the - * entry with the replication stateinfo - */ -+#if 0 - static void - entry_dump_stateinfo(char *msg, Slapi_Entry* e) - { -@@ -407,6 +407,7 @@ entry_dump_stateinfo(char *msg, Slapi_Entry* e) - slapi_log_err(SLAPI_LOG_ERR, msg, "%s\n", s); - slapi_ch_free((void **)&s); - } -+#endif - - static int - entry_add_present_values_wsi_single_valued(Slapi_Entry *e, const char *type, struct berval **bervals, const CSN *csn, int urp, long flags) -@@ -1270,7 +1271,7 @@ attr_most_recent_deleted_value(Slapi_Attr *a) - most_recent_v = v; - - while (i != -1) { -- vdcsn = value_get_csn(v, CSN_TYPE_VALUE_DELETED); -+ vdcsn = (CSN *)value_get_csn(v, CSN_TYPE_VALUE_DELETED); - - if (csn_compare((const CSN *)most_recent_vdcsn, (const CSN *)vdcsn) 
< 0) { - most_recent_v = v; -@@ -1289,20 +1290,20 @@ static void - resolve_single_valued_two_values(Slapi_Entry *e, Slapi_Attr *a, int attribute_state, Slapi_Value *current_value, Slapi_Value *second_current_value) - { - -- CSN *current_value_vucsn; -- CSN *second_current_value_vucsn; -+ const CSN *current_value_vucsn; -+ const CSN *second_current_value_vucsn; - Slapi_Value *value_to_zap; - - current_value_vucsn = value_get_csn(current_value, CSN_TYPE_VALUE_UPDATED); - second_current_value_vucsn = value_get_csn(second_current_value, CSN_TYPE_VALUE_UPDATED); - - /* First determine which present value will be zapped */ -- if (csn_compare((const CSN *)second_current_value_vucsn, (const CSN *)current_value_vucsn) < 0) { -+ if (csn_compare(second_current_value_vucsn, current_value_vucsn) < 0) { - /* - * The second value is older but was distinguished at the time the current value was added - * then the second value should become current - */ -- if (value_distinguished_at_csn(e, a, second_current_value, (const CSN *)current_value_vucsn)) { -+ if (value_distinguished_at_csn(e, a, second_current_value, current_value_vucsn)) { - value_to_zap = current_value; - } else { - /* The second value being not distinguished, zap it as it is a single valued attribute */ -@@ -1311,7 +1312,7 @@ resolve_single_valued_two_values(Slapi_Entry *e, Slapi_Attr *a, int attribute_st - - } else { - /* Here the current_value is older than the second_current_value */ -- if (value_distinguished_at_csn(e, a, current_value, (const CSN *)second_current_value_vucsn)) { -+ if (value_distinguished_at_csn(e, a, current_value, second_current_value_vucsn)) { - /* current_value was distinguished at the time the second value was added - * then the current_value should become the current */ - value_to_zap = second_current_value; -@@ -1348,17 +1349,17 @@ resolve_single_valued_check_restore_deleted_value(Slapi_Entry *e, Slapi_Attr *a) - /* An attribute needs a present value */ - 
entry_deleted_value_to_present_value(a, deleted_value); - } else { -- CSN *current_value_vucsn; -- CSN *deleted_value_vucsn; -- CSN *deleted_value_vdcsn; -+ const CSN *current_value_vucsn; -+ const CSN *deleted_value_vucsn; -+ const CSN *deleted_value_vdcsn; - - deleted_value_vucsn = value_get_csn(deleted_value, CSN_TYPE_VALUE_UPDATED); - deleted_value_vdcsn = value_get_csn(deleted_value, CSN_TYPE_VALUE_DELETED); - current_value_vucsn = value_get_csn(current_value, CSN_TYPE_VALUE_UPDATED); - if (deleted_value_vucsn && -- !value_distinguished_at_csn(e, a, current_value, (const CSN *)deleted_value_vucsn) && -- (csn_compare((const CSN *)current_value_vucsn, (const CSN *)deleted_value_vucsn) < 0) && -- (csn_compare((const CSN *)deleted_value_vdcsn, (const CSN *)current_value_vucsn) < 0)) { -+ !value_distinguished_at_csn(e, a, current_value, deleted_value_vucsn) && -+ (csn_compare((const CSN *)current_value_vucsn, deleted_value_vucsn) < 0) && -+ (csn_compare((const CSN *)deleted_value_vdcsn, current_value_vucsn) < 0)) { - /* the condition to resurrect the deleted value is - * - it is more recent than the current value - * - its value was deleted before the current value -@@ -1376,8 +1377,8 @@ static void - resolve_single_valued_zap_current(Slapi_Entry *e, Slapi_Attr *a) - { - Slapi_Value *current_value = NULL; -- CSN *current_value_vucsn; -- CSN *adcsn; -+ const CSN *current_value_vucsn; -+ const CSN *adcsn; - - /* check if the current value should be deleted because - * older than adcsn and not distinguished -@@ -1386,7 +1387,7 @@ resolve_single_valued_zap_current(Slapi_Entry *e, Slapi_Attr *a) - current_value_vucsn = value_get_csn(current_value, CSN_TYPE_VALUE_UPDATED); - adcsn = attr_get_deletion_csn(a); - if (current_value != NULL) { -- if (csn_compare((const CSN *)adcsn, (const CSN *) current_value_vucsn) > 0) { -+ if (csn_compare(adcsn, (const CSN *) current_value_vucsn) > 0) { - /* the attribute was deleted after the value was last updated */ - if 
(!value_distinguished_at_csn(e, a, current_value, (const CSN *) current_value_vucsn)) { - entry_present_value_to_zapped_value(a, current_value); -@@ -1404,17 +1405,17 @@ resolve_single_valued_set_adcsn(Slapi_Attr *a) - { - Slapi_Value *deleted_value = NULL; - Slapi_Value *current_value = NULL; -- CSN *current_value_vucsn; -- CSN *deleted_value_vucsn; -- CSN *adcsn; -+ const CSN *current_value_vucsn; -+ const CSN *deleted_value_vucsn; -+ const CSN *adcsn; - - slapi_attr_first_value(a, ¤t_value); - current_value_vucsn = value_get_csn(current_value, CSN_TYPE_VALUE_UPDATED); - deleted_value = attr_most_recent_deleted_value(a); - deleted_value_vucsn = value_get_csn(deleted_value, CSN_TYPE_VALUE_UPDATED); - adcsn = attr_get_deletion_csn(a); -- if ((deleted_value != NULL && (csn_compare(adcsn, (const CSN *) deleted_value_vucsn) < 0)) || -- (deleted_value == NULL && (csn_compare(adcsn, (const CSN *) current_value_vucsn) < 0))) { -+ if ((deleted_value != NULL && (csn_compare(adcsn, deleted_value_vucsn) < 0)) || -+ (deleted_value == NULL && (csn_compare(adcsn, current_value_vucsn) < 0))) { - attr_set_deletion_csn(a, NULL); - } - } -@@ -1430,10 +1431,10 @@ resolve_single_valued_zap_deleted(Slapi_Attr *a) - { - Slapi_Value *deleted_value = NULL; - Slapi_Value *current_value = NULL; -- CSN *current_value_vucsn; -- CSN *deleted_value_vucsn; -- CSN *deleted_value_vdcsn; -- CSN *deleted_value_csn; -+ const CSN *current_value_vucsn; -+ const CSN *deleted_value_vucsn; -+ const CSN *deleted_value_vdcsn; -+ const CSN *deleted_value_csn; - PRBool deleted_on_mod_del = PR_FALSE; /* flag if a value was deleted specifically */ - - /* Now determine if the deleted value worth to be kept */ -@@ -1445,16 +1446,16 @@ resolve_single_valued_zap_deleted(Slapi_Attr *a) - deleted_value_vdcsn = value_get_csn(deleted_value, CSN_TYPE_VALUE_DELETED); - - /* get the appropriate csn to take into consideration: either from MOD_REPL or from MOD_DEL_specific */ -- if (csn_compare((const CSN *) 
deleted_value_vdcsn, (const CSN *) deleted_value_vucsn) <= 0) { -+ if (csn_compare(deleted_value_vdcsn, deleted_value_vucsn) <= 0) { - deleted_value_csn = deleted_value_vucsn; - } else { - deleted_value_csn = deleted_value_vdcsn; -- if (0 == csn_compare_ext((const CSN *) current_value_vucsn, (const CSN *) deleted_value_vdcsn, CSN_COMPARE_SKIP_SUBSEQ)) { -+ if (0 == csn_compare_ext(current_value_vucsn, deleted_value_vdcsn, CSN_COMPARE_SKIP_SUBSEQ)) { - /* the deleted value was specifically delete in the same operation that set the current value */ - deleted_on_mod_del = PR_TRUE; - } - } -- if ((csn_compare((const CSN *) deleted_value_csn, (const CSN *) current_value_vucsn) < 0) || deleted_on_mod_del) { -+ if ((csn_compare(deleted_value_csn, current_value_vucsn) < 0) || deleted_on_mod_del) { - entry_deleted_value_to_zapped_value(a, deleted_value); - } - } -diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c -index 33ca9ce1d..2c7b53214 100644 ---- a/ldap/servers/slapd/main.c -+++ b/ldap/servers/slapd/main.c -@@ -1220,6 +1220,7 @@ main(int argc, char **argv) - vattr_cleanup(); - sasl_map_done(); - cleanup: -+ slapi_ch_free_string(&(mcfg.myname)); - compute_terminate(); - SSL_ShutdownServerSessionIDCache(); - SSL_ClearSessionCache(); -@@ -2194,7 +2195,6 @@ slapd_exemode_ldif2db(struct main_config *mcfg) - return_value = -1; - } - slapi_pblock_destroy(pb); -- slapi_ch_free((void **)&(mcfg->myname)); - charray_free(instances); - charray_free(mcfg->cmd_line_instance_names); - charray_free(mcfg->db2ldif_include); -@@ -2377,7 +2377,6 @@ slapd_exemode_db2ldif(int argc, char **argv, struct main_config *mcfg) - slapi_ch_free((void **)&my_ldiffile); - } - } -- slapi_ch_free((void **)&(mcfg->myname)); - charray_free(mcfg->cmd_line_instance_names); - charray_free(mcfg->db2ldif_include); - if (mcfg->db2ldif_dump_replica) { -@@ -2505,8 +2504,6 @@ slapd_exemode_db2index(struct main_config *mcfg) - - slapi_pblock_destroy(pb); - charray_free(mcfg->db2index_attrs); -- 
slapi_ch_free((void **)&(mcfg->myname)); -- - charray_free(mcfg->db2ldif_include); - /* This frees mcfg->cmd_line_instance_name */ - charray_free(instances); -@@ -2557,7 +2554,6 @@ slapd_exemode_db2archive(struct main_config *mcfg) - int32_t task_flags = SLAPI_TASK_RUNNING_FROM_COMMANDLINE; - slapi_pblock_set(pb, SLAPI_TASK_FLAGS, &task_flags); - return_value = (backend_plugin->plg_db2archive)(pb); -- slapi_ch_free((void **)&(mcfg->myname)); - slapi_pblock_destroy(pb); - return return_value; - } -@@ -2605,7 +2601,6 @@ slapd_exemode_archive2db(struct main_config *mcfg) - slapi_pblock_set(pb, SLAPI_TASK_FLAGS, &task_flags); - slapi_pblock_set(pb, SLAPI_BACKEND_INSTANCE_NAME, mcfg->cmd_line_instance_name); - return_value = (backend_plugin->plg_archive2db)(pb); -- slapi_ch_free((void **)&(mcfg->myname)); - slapi_pblock_destroy(pb); - return return_value; - } -@@ -2674,7 +2669,6 @@ slapd_exemode_upgradedb(struct main_config *mcfg) - return_value = -1; - } - slapi_pblock_destroy(pb); -- slapi_ch_free((void **)&(mcfg->myname)); - return (return_value); - } - -@@ -2747,7 +2741,6 @@ slapd_exemode_upgradednformat(struct main_config *mcfg) - } - slapi_pblock_destroy(pb); - bail: -- slapi_ch_free((void **)&(mcfg->myname)); - return (rc); - } - -diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c -index 834949a67..b90424985 100644 ---- a/ldap/servers/slapd/mapping_tree.c -+++ b/ldap/servers/slapd/mapping_tree.c -@@ -539,9 +539,6 @@ free_mapping_tree_node_arrays(backend ***be_list, char ***be_names, int **be_sta - { - int i; - -- /* sanity check */ -- PR_ASSERT(be_list != NULL && be_names != NULL && be_states != NULL && be_list_count != NULL); -- - if (*be_names != NULL) - for (i = 0; i < *be_list_count; ++i) { - slapi_ch_free((void **)&((*be_names)[i])); -@@ -647,9 +644,7 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep) - - if (get_backends_from_attr(attr, &be_list, &be_names, &be_states, - &be_list_count, &be_list_size, 
NULL)) { -- free_mapping_tree_node_arrays(&be_list, &be_names, &be_states, &be_list_count); -- slapi_sdn_free(&subtree); -- return lderr; -+ goto free_and_return; - } - - if (NULL == be_list) { -@@ -660,6 +655,7 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep) - } - - } else if (!strcasecmp(type, "nsslapd-referral")) { -+ slapi_ch_array_free(referral); - referral = mtn_get_referral_from_entry(entry); - - } else if (!strcasecmp(type, "nsslapd-state")) { -@@ -684,6 +680,7 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep) - slapi_entry_get_dn(entry)); - continue; - } -+ slapi_ch_free_string(&plugin_lib); - plugin_lib = slapi_ch_strdup(slapi_value_get_string(val)); - } else if (!strcasecmp(type, "nsslapd-distribution-funct")) { - slapi_attr_first_value(attr, &val); -@@ -693,6 +690,7 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep) - slapi_entry_get_dn(entry)); - continue; - } -+ slapi_ch_free_string(&plugin_funct); - plugin_funct = slapi_ch_strdup(slapi_value_get_string(val)); - } else if (!strcasecmp(type, "nsslapd-distribution-root-update")) { - const char *sval; -@@ -737,13 +735,16 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep) - if (be == NULL) { - slapi_log_err(SLAPI_LOG_ERR, "mapping_tree_entry_add", - "Default container has not been created for the NULL SUFFIX node.\n"); -- slapi_sdn_free(&subtree); -- return -1; -+ lderr = -1; -+ goto free_and_return; - } - - be_list_size = 1; - be_list_count = 0; - -+ /* We're in a loop and potentially overwriting these pointers so free them first */ -+ free_mapping_tree_node_arrays(&be_list, &be_names, &be_states, &be_list_count); -+ - be_list = (backend **)slapi_ch_calloc(1, sizeof(backend *)); - be_names = (char **)slapi_ch_calloc(1, sizeof(char *)); - be_states = (int *)slapi_ch_calloc(1, sizeof(int)); -@@ -767,17 +768,13 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep) - 
slapi_log_err(SLAPI_LOG_ERR, - "Node %s must define a backend\n", - slapi_entry_get_dn(entry), 0, 0); -- slapi_sdn_free(&subtree); -- free_mapping_tree_node_arrays(&be_list, &be_names, &be_states, &be_list_count); -- return lderr; -+ goto free_and_return; - } - if (((state == MTN_REFERRAL) || (state == MTN_REFERRAL_ON_UPDATE)) && (referral == NULL)) { - slapi_log_err(SLAPI_LOG_ERR, - "Node %s must define referrals to be in referral state\n", - slapi_entry_get_dn(entry), 0, 0); -- slapi_sdn_free(&subtree); -- free_mapping_tree_node_arrays(&be_list, &be_names, &be_states, &be_list_count); -- return lderr; -+ goto free_and_return; - } - - if (plugin_lib && plugin_funct) { -@@ -787,11 +784,7 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep) - slapi_log_err(SLAPI_LOG_ERR, "mapping_tree_entry_add", - "Node %s cannot find distribution plugin. " SLAPI_COMPONENT_NAME_NSPR " %d (%s)\n", - slapi_entry_get_dn(entry), PR_GetError(), slapd_pr_strerror(PR_GetError())); -- slapi_sdn_free(&subtree); -- slapi_ch_free((void **)&plugin_funct); -- slapi_ch_free((void **)&plugin_lib); -- free_mapping_tree_node_arrays(&be_list, &be_names, &be_states, &be_list_count); -- return lderr; -+ goto free_and_return; - } - } else if ((plugin_lib == NULL) && (plugin_funct == NULL)) { - /* nothing configured -> OK */ -@@ -801,11 +794,7 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep) - slapi_log_err(SLAPI_LOG_ERR, "mapping_tree_entry_add", - "Node %s must define both lib and funct for distribution plugin\n", - slapi_entry_get_dn(entry)); -- slapi_sdn_free(&subtree); -- slapi_ch_free((void **)&plugin_funct); -- slapi_ch_free((void **)&plugin_lib); -- free_mapping_tree_node_arrays(&be_list, &be_names, &be_states, &be_list_count); -- return lderr; -+ goto free_and_return; - } - - /* Now we can create the node for this mapping tree entry. 
*/ -@@ -838,6 +827,15 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep) - *newnodep = node; - } - -+ return lderr; -+ -+free_and_return: -+ slapi_sdn_free(&subtree); -+ slapi_ch_array_free(referral); -+ slapi_ch_free_string(&plugin_funct); -+ slapi_ch_free_string(&plugin_lib); -+ free_mapping_tree_node_arrays(&be_list, &be_names, &be_states, &be_list_count); -+ - return lderr; - } - -diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c -index 896cccfb9..bbc0ab71a 100644 ---- a/ldap/servers/slapd/modify.c -+++ b/ldap/servers/slapd/modify.c -@@ -1444,9 +1444,11 @@ optimize_mods(Slapi_Mods *smods) - - prev_mod = slapi_mods_get_first_mod(smods); - while ((mod = slapi_mods_get_next_mod(smods))) { -- if ((SLAPI_IS_MOD_ADD(prev_mod->mod_op) || SLAPI_IS_MOD_DELETE(prev_mod->mod_op)) && -+ if (prev_mod && -+ (SLAPI_IS_MOD_ADD(prev_mod->mod_op) || SLAPI_IS_MOD_DELETE(prev_mod->mod_op)) && - (prev_mod->mod_op == mod->mod_op) && -- (!strcasecmp(prev_mod->mod_type, mod->mod_type))) { -+ (!strcasecmp(prev_mod->mod_type, mod->mod_type))) -+ { - /* Get the current number of mod values from the previous mod. 
Do it once per attr */ - if (mod_count == 0) { - for (; prev_mod->mod_bvalues != NULL && prev_mod->mod_bvalues[mod_count] != NULL; mod_count++) -diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c -index dd6917363..dac42eb13 100644 ---- a/ldap/servers/slapd/opshared.c -+++ b/ldap/servers/slapd/opshared.c -@@ -998,7 +998,8 @@ free_and_return_nolock: - slapi_sdn_free(&sdn); - } - slapi_sdn_free(&basesdn); -- slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, orig_sdn); -+ if (orig_sdn) -+ slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, orig_sdn); - - slapi_ch_free_string(&proxydn); - slapi_ch_free_string(&proxystr); -diff --git a/ldap/servers/slapd/plugin_internal_op.c b/ldap/servers/slapd/plugin_internal_op.c -index 9da266b61..622daffdb 100644 ---- a/ldap/servers/slapd/plugin_internal_op.c -+++ b/ldap/servers/slapd/plugin_internal_op.c -@@ -368,7 +368,8 @@ seq_internal_callback_pb(Slapi_PBlock *pb, void *callback_data, plugin_result_ca - slapi_pblock_set(pb, SLAPI_BACKEND, be); - slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database); - slapi_pblock_set(pb, SLAPI_SEQ_ATTRNAME, attrname); -- slapi_pblock_set(pb, SLAPI_SEQ_VAL, val); -+ if (val) -+ slapi_pblock_set(pb, SLAPI_SEQ_VAL, val); - slapi_pblock_set(pb, SLAPI_REQCONTROLS, controls); - - /* set actions taken to process the operation */ -diff --git a/ldap/servers/slapd/plugin_syntax.c b/ldap/servers/slapd/plugin_syntax.c -index e208442d5..dc7106da5 100644 ---- a/ldap/servers/slapd/plugin_syntax.c -+++ b/ldap/servers/slapd/plugin_syntax.c -@@ -247,7 +247,9 @@ plugin_call_syntax_filter_sub_sv( - Operation *op = NULL; - /* to pass SLAPI_SEARCH_TIMELIMIT & SLAPI_OPINITATED_TIME */ - slapi_pblock_get(pb, SLAPI_OPERATION, &op); -- slapi_pblock_set(pipb, SLAPI_OPERATION, op); -+ if (op) { -+ slapi_pblock_set(pipb, SLAPI_OPERATION, op); -+ } - } - rc = (*sub_fn)(pipb, fsub->sf_initial, fsub->sf_any, fsub->sf_final, va); - } else { -diff --git a/ldap/servers/slapd/rdn.c b/ldap/servers/slapd/rdn.c -index 
41c075036..fdb6b1773 100644 ---- a/ldap/servers/slapd/rdn.c -+++ b/ldap/servers/slapd/rdn.c -@@ -934,10 +934,7 @@ slapi_rdn_get_dn(Slapi_RDN *srdn, char **dn) - if (NULL == srdn || NULL == srdn->all_rdns || NULL == dn) { - return -1; - } -- for (rdnp = srdn->all_rdns; rdnp && *rdnp; rdnp++) { -- len += strlen(*rdnp) + 1; /* 1 for ',' */ -- } -- len += 1; -+ - len = slapi_rdn_get_dn_len(srdn); - *dn = (char *)slapi_ch_malloc(len); - enddn = *dn + len - 1; -diff --git a/ldap/servers/slapd/sasl_map.c b/ldap/servers/slapd/sasl_map.c -index 72bd01079..9593fd075 100644 ---- a/ldap/servers/slapd/sasl_map.c -+++ b/ldap/servers/slapd/sasl_map.c -@@ -336,7 +336,9 @@ _sasl_unescape_parenthesis(char *input) - *d++ = *s; - } - } -- *d = '\0'; -+ if (d) { -+ *d = '\0'; -+ } - return input; - } - -diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c -index 379fe208b..f609c220d 100644 ---- a/ldap/servers/slapd/schema.c -+++ b/ldap/servers/slapd/schema.c -@@ -2363,9 +2363,9 @@ schema_delete_attributes(Slapi_Entry *entryBefore __attribute__((unused)), LDAPM - attr_ldif[k] = tolower(attr_ldif[k]); - } - -- sizedbuffer_allocate(psbAttrName, strlen(attr_ldif)); -- sizedbuffer_allocate(psbAttrOid, strlen(attr_ldif)); -- sizedbuffer_allocate(psbAttrSyntax, strlen(attr_ldif)); -+ sizedbuffer_allocate(psbAttrName, strlen(attr_ldif) + 1); -+ sizedbuffer_allocate(psbAttrOid, strlen(attr_ldif) + 1); -+ sizedbuffer_allocate(psbAttrSyntax, strlen(attr_ldif) + 1); - - sscanf(attr_ldif, "%s name %s syntax %s", - psbAttrOid->buffer, psbAttrName->buffer, psbAttrSyntax->buffer); -diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c -index 7e253f535..953227ba0 100644 ---- a/ldap/servers/slapd/search.c -+++ b/ldap/servers/slapd/search.c -@@ -37,7 +37,7 @@ do_search(Slapi_PBlock *pb) - { - Slapi_Operation *operation; - BerElement *ber; -- int i, err, attrsonly; -+ int i, err = 0, attrsonly; - ber_int_t scope, deref, sizelimit, timelimit; - char *rawbase = NULL; - int 
rawbase_set_in_pb = 0; /* was rawbase set in pb? */ -@@ -232,6 +232,7 @@ do_search(Slapi_PBlock *pb) - log_search_access(pb, base, scope, fstr, "invalid attribute request"); - send_ldap_result(pb, LDAP_PROTOCOL_ERROR, NULL, NULL, 0, NULL); - slapi_ch_free_string(&normaci); -+ err = 1; /* Make sure we free everything */ - goto free_and_return; - } - } -@@ -357,8 +358,8 @@ do_search(Slapi_PBlock *pb) - ps_add(pb, changetypes, send_entchg_controls); - } - --free_and_return:; -- if (!psearch || rc != 0) { -+free_and_return: -+ if (!psearch || rc != 0 || err != 0) { - slapi_ch_free_string(&fstr); - slapi_filter_free(filter, 1); - slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &attrs); -diff --git a/ldap/servers/slapd/tools/dbscan.c b/ldap/servers/slapd/tools/dbscan.c -index 53cdb8985..c74d4823c 100644 ---- a/ldap/servers/slapd/tools/dbscan.c -+++ b/ldap/servers/slapd/tools/dbscan.c -@@ -532,7 +532,7 @@ print_changelog(unsigned char *data, int len __attribute__((unused))) - replgen = ntohl(thetime32); - pos += sizeof(uint32_t); - thetime = (time_t)replgen; -- db_printf("\treplgen: %ld %s", replgen, ctime((time_t *)&thetime)); -+ db_printf("\treplgen: %u %s", replgen, ctime((time_t *)&thetime)); - - /* read csn */ - print_attr("csn", &pos); -@@ -717,12 +717,15 @@ display_item(DBC *cursor, DBT *key, DBT *data) - tmpbuflen = (key->size > data->size ? 
key->size : data->size) + 1024; - } - if (buflen < tmpbuflen) { -+ unsigned char *tmp = NULL; - buflen = tmpbuflen; -- buf = (unsigned char *)realloc(buf, buflen); -- if (NULL == buf) { -+ tmp = (unsigned char *)realloc(buf, buflen); -+ if (NULL == tmp) { -+ free(buf); - printf("\t(malloc failed -- %d bytes)\n", buflen); - return; - } -+ buf = tmp; - } - - if (display_mode & RAWDATA) { -diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c b/ldap/servers/slapd/tools/ldclt/ldapfct.c -index 373076500..ca0912d6c 100644 ---- a/ldap/servers/slapd/tools/ldclt/ldapfct.c -+++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c -@@ -986,9 +986,9 @@ buildVersatileAttribute( - break; - default: - /* -- * Should not happen, unless new variant parsed and not -- * integrated here, or "jardinage".... -- */ -+ * Should not happen, unless new variant parsed and not -+ * integrated here, or "jardinage".... -+ */ - field = NULL; - field->how = 22; /* Crash !!! */ - break; -@@ -3231,7 +3231,7 @@ doExactSearch( - case LDAP_RES_SEARCH_ENTRY: - nentries++; - /* get dereferenced value into resctrls: deref parsing */ -- parse_rc = ldap_get_entry_controls(tttctx->ldapCtx, e, &resctrls); -+ ldap_get_entry_controls(tttctx->ldapCtx, e, &resctrls); - if (resctrls != NULL) { /* parse it only when we have return saved in server control */ - /* get dn */ - if ((dn = ldap_get_dn(tttctx->ldapCtx, e)) != NULL) { -diff --git a/ldap/servers/slapd/tools/ldclt/ldclt.c b/ldap/servers/slapd/tools/ldclt/ldclt.c -index e72b775e2..586a14713 100644 ---- a/ldap/servers/slapd/tools/ldclt/ldclt.c -+++ b/ldap/servers/slapd/tools/ldclt/ldclt.c -@@ -816,7 +816,7 @@ trapVector( - int - initMainThread(void) - { -- struct sigaction act; -+ struct sigaction act = {0}; - - /* - * Trap SIGINT. 
-diff --git a/ldap/servers/slapd/tools/ldif.c b/ldap/servers/slapd/tools/ldif.c -index 3548c7d49..a13e99f89 100644 ---- a/ldap/servers/slapd/tools/ldif.c -+++ b/ldap/servers/slapd/tools/ldif.c -@@ -92,11 +92,13 @@ main(int argc, char **argv) - } - if (nread + cur > max) { - max += BUFSIZ; -- if ((val = (char *)realloc(val, max)) == -- NULL) { -+ char *tmp = NULL; -+ if ((tmp = (char *)realloc(val, max)) == NULL) { -+ free(val); - perror("realloc"); - return (1); - } -+ val = tmp; - } - memcpy(val + cur, buf, nread); - cur += nread; -@@ -125,12 +127,14 @@ main(int argc, char **argv) - /* if buffer was filled, expand and keep reading unless last char - is linefeed, in which case it is OK for buffer to be full */ - while (((curlen = strlen(buf)) == (maxlen - 1)) && buf[curlen - 1] != '\n') { -+ char *tmp = NULL; - maxlen *= 2; -- if ((buf = (char *)realloc(buf, maxlen)) == NULL) { -+ if ((tmp = (char *)realloc(buf, maxlen)) == NULL) { - perror("realloc"); - free(buf); - return (1); - } -+ buf = tmp; - if (NULL == fgets(buf + curlen, maxlen / 2 + 1, stdin)) { - /* no more input to read. 
*/ - break; -diff --git a/ldap/servers/slapd/tools/mmldif.c b/ldap/servers/slapd/tools/mmldif.c -index cdcf4b16d..96b606a29 100644 ---- a/ldap/servers/slapd/tools/mmldif.c -+++ b/ldap/servers/slapd/tools/mmldif.c -@@ -700,7 +700,6 @@ readrec(edfFILE *edf1, attrib1_t **attrib) - attrib1_t *freelist = *attrib; - attrib1_t *newlist = NULL; - attrib1_t *a; -- int ignore_rec = FALSE; - int free_it = 0; - - *attrib = NULL; -@@ -758,7 +757,7 @@ readrec(edfFILE *edf1, attrib1_t **attrib) - if (!stricmp(line, "authoritative")) - continue; - if (!freelist) { -- att = (attrib1_t *)malloc(sizeof(attrib1_t)); -+ att = (attrib1_t *)calloc(1, sizeof(struct attrib1_t *)); - free_it = 1; - } else { - att = freelist; -@@ -881,8 +880,6 @@ readrec(edfFILE *edf1, attrib1_t **attrib) - } - *attrib = newlist; - freefreelist(freelist); -- if (ignore_rec) -- return IDDS_MM_ABSENT; - return IDDS_MM_OK; - } - -diff --git a/ldap/servers/slapd/tools/pwenc.c b/ldap/servers/slapd/tools/pwenc.c -index d92e94e17..87ca17488 100644 ---- a/ldap/servers/slapd/tools/pwenc.c -+++ b/ldap/servers/slapd/tools/pwenc.c -@@ -362,6 +362,7 @@ slapd_config(const char *configdir, const char *givenconfigfile) - } - } else if (slapi_sdn_compare(&config_dn, slapi_entry_get_sdn_const(e)) == 0) { - /* Get the root scheme out and initialise it (if it exists) */ -+ slapi_ch_free_string(&rootschemename); - rootschemename = slapi_entry_attr_get_charptr(e, CONFIG_ROOTPWSTORAGESCHEME_ATTRIBUTE); - } - -diff --git a/ldap/servers/slapd/tools/rsearch/infadd.c b/ldap/servers/slapd/tools/rsearch/infadd.c -index db6fb23ae..6fe84f9e1 100644 ---- a/ldap/servers/slapd/tools/rsearch/infadd.c -+++ b/ldap/servers/slapd/tools/rsearch/infadd.c -@@ -309,7 +309,7 @@ main(int argc, char **argv) - at_getThread(threads[x], NULL), min, max, count, - ntot); - } -- if (!quiet && (numThreads > 1 || !verbose)) { -+ if (numThreads > 1 && !quiet && !verbose) { - double val = 1000.0 * (double)total / (double)sampleInterval; - fprintf(stdout, "Rate: 
%7.2f/thr (%6.2f/sec =%7.4fms/op), " - "total: %u (%d thr)\n", -diff --git a/ldap/servers/slapd/tools/rsearch/rsearch.c b/ldap/servers/slapd/tools/rsearch/rsearch.c -index 7602b16d8..347c84d2a 100644 ---- a/ldap/servers/slapd/tools/rsearch/rsearch.c -+++ b/ldap/servers/slapd/tools/rsearch/rsearch.c -@@ -467,7 +467,10 @@ main(int argc, char **argv) - printf("T%d min=%4ums, max=%4ums, count = %u\n", - st_getThread(threads[x], NULL), min, max, count); - } -- rate = (double)total / (double)numThreads; -+ rate = 0.0; -+ if (numThreads) { -+ rate = (double)total / (double)numThreads; -+ } - val = 1000.0 * (double)total / (double)sampleInterval; - cumrate += rate; - if ((numThreads > 1) || (!verbose)) { -diff --git a/lib/ldaputil/certmap.c b/lib/ldaputil/certmap.c -index efe531a51..dc2fdde43 100644 ---- a/lib/ldaputil/certmap.c -+++ b/lib/ldaputil/certmap.c -@@ -374,6 +374,7 @@ dbinfo_to_certinfo(DBConfDBInfo_t *db_info, - rv = ldapu_list_add_info(propval_list, propval); - - if (rv != LDAPU_SUCCESS) { -+ ldapu_propval_free((void *)propval, (void *)propval); - goto error; - } - -@@ -700,15 +701,14 @@ certmap_read_certconfig_file(const char *file) - while (curdb) { - nextdb = curdb->next; - rv = dbinfo_to_certinfo(curdb, &certinfo); -- - if (rv != LDAPU_SUCCESS) { - dbconf_free_confinfo(conf_info); - return rv; - } - - rv = process_certinfo(certinfo); -- - if (rv != LDAPU_SUCCESS) { -+ ldapu_certinfo_free(certinfo); - dbconf_free_confinfo(conf_info); - return rv; - } -@@ -1330,8 +1330,11 @@ ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage * - - rv = (*mapfn)(cert, ld, certmap_info, &ldapDN, &filter); - -- if (rv != LDAPU_SUCCESS) -+ if (rv != LDAPU_SUCCESS) { -+ free(ldapDN); -+ free(filter); - return rv; -+ } - - /* Get the search function from the certmap_info - certinfo maybe NULL */ - searchfn = ldapu_get_cert_searchfn_sub(certmap_info); -@@ -1339,10 +1342,8 @@ ldapu_cert_to_ldap_entry(void *cert, LDAP *ld, const char *basedn, LDAPMessage * 
- rv = (*searchfn)(cert, ld, certmap_info, basedn, ldapDN, filter, - certmap_attrs, &res_array); - -- if (ldapDN) -- free(ldapDN); -- if (filter) -- free(filter); -+ free(ldapDN); -+ free(filter); - - /* - * Get the verify cert function & call it. -diff --git a/lib/libaccess/usrcache.cpp b/lib/libaccess/usrcache.cpp -index 5ea8259fe..b6ac58d3c 100644 ---- a/lib/libaccess/usrcache.cpp -+++ b/lib/libaccess/usrcache.cpp -@@ -157,11 +157,11 @@ int acl_usr_cache_init () - } - else { - singleDbTable = 0; -- databaseUserCacheTable = PR_NewHashTable(0, -+ databaseUserCacheTable = PR_NewHashTable(0, - PR_HashCaseString, - PR_CompareCaseStrings, - PR_CompareValues, -- &ACLPermAllocOps, -+ &ACLPermAllocOps, - usrcache_pool); - } - -@@ -176,7 +176,7 @@ int acl_usr_cache_init () - for(i = 0; i < num_usrobj; i++){ - usrobj = (UserCacheObj *)pool_malloc(usrcache_pool, - sizeof(UserCacheObj)); -- -+ - if (!usrobj) return -1; - memset((void *)usrobj, 0, sizeof(UserCacheObj)); - PR_INSERT_AFTER(&usrobj->list, usrobj_list); -diff --git a/src/cockpit/389-console/src/lib/database/chaining.jsx b/src/cockpit/389-console/src/lib/database/chaining.jsx -index 3dd3ec48e..c169e7bd3 100644 ---- a/src/cockpit/389-console/src/lib/database/chaining.jsx -+++ b/src/cockpit/389-console/src/lib/database/chaining.jsx -@@ -916,7 +916,7 @@ export class ChainingConfig extends React.Component { - ; - } else { - proxiedAuth = -- - Allow Proxied Authentication - ; -diff --git a/src/cockpit/389-console/src/lib/database/suffix.jsx b/src/cockpit/389-console/src/lib/database/suffix.jsx -index 9cfb95b92..3f3bc82ec 100644 ---- a/src/cockpit/389-console/src/lib/database/suffix.jsx -+++ b/src/cockpit/389-console/src/lib/database/suffix.jsx -@@ -254,10 +254,10 @@ export class Suffix extends React.Component { - // Do import - let export_cmd = [ - "dsconf", "-j", "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket", -- "backend", "export", this.props.suffix, "--ldif=" + this.state.ldifLocation, 
"--encrypted" -+ "backend", "export", this.props.suffix, "--ldif=" + this.state.ldifLocation - ]; - -- if (this.state.attrEncrpytion) { -+ if (this.state.attrEncryption) { - export_cmd.push("--encrypted"); - } - -diff --git a/src/cockpit/389-console/src/replication.js b/src/cockpit/389-console/src/replication.js -index 6ef363523..2fe3a6e48 100644 ---- a/src/cockpit/389-console/src/replication.js -+++ b/src/cockpit/389-console/src/replication.js -@@ -1185,7 +1185,7 @@ $(document).ready( function() { - } - } else { - if ( !('nsds5replicatedattributelisttotal' in repl_agmt_values) || -- agmt_tot_exclude != repl_agmt_values['nsds5replicatedattributelisttotal'].replace(frac_prefix, "")); -+ agmt_tot_exclude != repl_agmt_values['nsds5replicatedattributelisttotal'].replace(frac_prefix, "")) - { - cmd_args.push('--frac-list-total=' + frac_prefix + ' ' + agmt_tot_exclude); - } -diff --git a/src/lib389/lib389/agreement.py b/src/lib389/lib389/agreement.py -index dcab900b8..84e2f8c61 100644 ---- a/src/lib389/lib389/agreement.py -+++ b/src/lib389/lib389/agreement.py -@@ -266,6 +266,7 @@ class Agreement(DSLdapObject): - - # Extract the csn timstamps and compare them - agmt_time = 0 -+ con_time = 0 - match = Agreement.csnre.match(agmt_maxcsn) - if match: - agmt_time = int(match.group(1), 16) -diff --git a/src/lib389/lib389/backend.py b/src/lib389/lib389/backend.py -index 64a40c15a..353a3e117 100644 ---- a/src/lib389/lib389/backend.py -+++ b/src/lib389/lib389/backend.py -@@ -480,6 +480,9 @@ class Backend(DSLdapObject): - :returns: DSLdapObject of the created entry - """ - -+ sample_entries = False -+ parent_suffix = False -+ - # normalize suffix (remove spaces between comps) - if dn is not None: - dn_comps = ldap.dn.explode_dn(dn.lower()) -@@ -490,9 +493,8 @@ class Backend(DSLdapObject): - dn_comps = ldap.dn.explode_dn(suffix_dn) - ndn = ",".join(dn_comps) - properties['nsslapd-suffix'] = ndn -- -- sample_entries = properties.pop(BACKEND_SAMPLE_ENTRIES, False) -- parent_suffix = 
properties.pop('parent', False) -+ sample_entries = properties.pop(BACKEND_SAMPLE_ENTRIES, False) -+ parent_suffix = properties.pop('parent', False) - - # Okay, now try to make the backend. - super(Backend, self).create(dn, properties, basedn) -diff --git a/src/lib389/lib389/cli_conf/backend.py b/src/lib389/lib389/cli_conf/backend.py -index 77ce3ddec..36e32ec48 100644 ---- a/src/lib389/lib389/cli_conf/backend.py -+++ b/src/lib389/lib389/cli_conf/backend.py -@@ -422,7 +422,7 @@ def backend_set(inst, basedn, log, args): - if args.add_referral: - be.add('nsslapd-referral', args.add_referral) - if args.del_referral: -- be.remove('nsslapd-referral', args.add_referral) -+ be.remove('nsslapd-referral', args.del_referral) - if args.cache_size: - be.set('nsslapd-cachesize', args.cache_size) - if args.cache_memsize: --- -2.21.0 - diff --git a/SOURCES/0005-Issue-50431-Fix-regression-from-coverity-fix.patch b/SOURCES/0005-Issue-50431-Fix-regression-from-coverity-fix.patch deleted file mode 100644 index 799619b..0000000 --- a/SOURCES/0005-Issue-50431-Fix-regression-from-coverity-fix.patch +++ /dev/null 
@@ -1,138 +0,0 @@
-From 6aa839f96f5ac880d45b0e98ed05445784476745 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Thu, 13 Jun 2019 17:55:25 -0400
-Subject: [PATCH] Issue 50431 - Fix regression from coverity fix
-
-Description: Fix a regression from the initial coverity commit
- where we did not allow NULL pointers to set into
- the pblock. They were false positives reported by
- covscan.
-
-https://pagure.io/389-ds-base/issue/50431
-
-Reviewed by: mreynolds (one line commit rule)
----
- ldap/servers/plugins/acl/acleffectiverights.c | 4 +---
- ldap/servers/plugins/views/views.c | 4 +---
- ldap/servers/slapd/back-ldbm/vlv_srch.c | 3 ++-
- ldap/servers/slapd/dse.c | 6 ++----
- ldap/servers/slapd/opshared.c | 3 +--
- ldap/servers/slapd/plugin_internal_op.c | 3 +--
- ldap/servers/slapd/plugin_syntax.c | 4 +---
- 7 files changed, 9 insertions(+), 18 deletions(-)
-
-diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c
-index 5dd46a064..8a34ac5eb 100644
---- a/ldap/servers/plugins/acl/acleffectiverights.c
-+++ b/ldap/servers/plugins/acl/acleffectiverights.c
-@@ -1030,9 +1030,7 @@ bailout:
- * slapi_pblock_set() will free any previous data, and
- * pblock_done() will free SLAPI_PB_RESULT_TEXT.
- */
-- if (gerstr) {
-- slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, gerstr);
-- }
-+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, gerstr);
-
- if (!iscritical) {
- /*
-diff --git a/ldap/servers/plugins/views/views.c b/ldap/servers/plugins/views/views.c
-index 5d8464761..64e305a3f 100644
---- a/ldap/servers/plugins/views/views.c
-+++ b/ldap/servers/plugins/views/views.c
-@@ -1760,9 +1760,7 @@ view_search_rewrite_callback(Slapi_PBlock *pb)
- #endif
-
- /* make it happen */
-- if (outFilter) {
-- slapi_pblock_set(pb, SLAPI_SEARCH_FILTER, outFilter);
-- }
-+ slapi_pblock_set(pb, SLAPI_SEARCH_FILTER, outFilter);
-
- ret = -2;
-
-diff --git a/ldap/servers/slapd/back-ldbm/vlv_srch.c b/ldap/servers/slapd/back-ldbm/vlv_srch.c
-index 1ac3e009e..65b876647 100644
---- a/ldap/servers/slapd/back-ldbm/vlv_srch.c
-+++ b/ldap/servers/slapd/back-ldbm/vlv_srch.c
-@@ -168,8 +168,9 @@ vlvSearch_init(struct vlvSearch *p, Slapi_PBlock *pb, const Slapi_Entry *e, ldbm
-
- /* switch context back to the DSE backend */
- slapi_pblock_set(pb, SLAPI_BACKEND, oldbe);
-- if (oldbe)
-+ if (oldbe) {
- slapi_pblock_set(pb, SLAPI_PLUGIN, oldbe->be_database);
-+ }
- }
-
- /* make (&(parentid=idofbase)(|(originalfilter)(objectclass=referral))) */
-diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
-index 125684329..8f2a14c9a 100644
---- a/ldap/servers/slapd/dse.c
-+++ b/ldap/servers/slapd/dse.c
-@@ -2530,8 +2530,7 @@ dse_delete(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
- dse_call_callback(pdse, pb, SLAPI_OPERATION_DELETE, DSE_FLAG_POSTOP, ec, NULL, &returncode, returntext);
- done:
- slapi_pblock_get(pb, SLAPI_DELETE_BEPOSTOP_ENTRY, &orig_entry);
-- if (ec)
-- slapi_pblock_set(pb, SLAPI_DELETE_BEPOSTOP_ENTRY, ec);
-+ slapi_pblock_set(pb, SLAPI_DELETE_BEPOSTOP_ENTRY, ec);
- /* make sure OPRETURN and RESULT_CODE are set */
- slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &rc);
- if (returncode || rc) {
-@@ -2572,8 +2571,7 @@ done:
- rc = LDAP_UNWILLING_TO_PERFORM;
- }
- }
-- if (orig_entry)
-- slapi_pblock_set(pb, SLAPI_DELETE_BEPOSTOP_ENTRY, orig_entry);
-+ slapi_pblock_set(pb, SLAPI_DELETE_BEPOSTOP_ENTRY, orig_entry);
- slapi_send_ldap_result(pb, returncode, NULL, returntext, 0, NULL);
- return dse_delete_return(returncode, ec);
- }
-diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
-index dac42eb13..dd6917363 100644
---- a/ldap/servers/slapd/opshared.c
-+++ b/ldap/servers/slapd/opshared.c
-@@ -998,8 +998,7 @@ free_and_return_nolock:
- slapi_sdn_free(&sdn);
- }
- slapi_sdn_free(&basesdn);
-- if (orig_sdn)
-- slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, orig_sdn);
-+ slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, orig_sdn);
-
- slapi_ch_free_string(&proxydn);
- slapi_ch_free_string(&proxystr);
-diff --git a/ldap/servers/slapd/plugin_internal_op.c b/ldap/servers/slapd/plugin_internal_op.c
-index 622daffdb..9da266b61 100644
---- a/ldap/servers/slapd/plugin_internal_op.c
-+++ b/ldap/servers/slapd/plugin_internal_op.c
-@@ -368,8 +368,7 @@ seq_internal_callback_pb(Slapi_PBlock *pb, void *callback_data, plugin_result_ca
- slapi_pblock_set(pb, SLAPI_BACKEND, be);
- slapi_pblock_set(pb, SLAPI_PLUGIN, be->be_database);
- slapi_pblock_set(pb, SLAPI_SEQ_ATTRNAME, attrname);
-- if (val)
-- slapi_pblock_set(pb, SLAPI_SEQ_VAL, val);
-+ slapi_pblock_set(pb, SLAPI_SEQ_VAL, val);
- slapi_pblock_set(pb, SLAPI_REQCONTROLS, controls);
-
- /* set actions taken to process the operation */
-diff --git a/ldap/servers/slapd/plugin_syntax.c b/ldap/servers/slapd/plugin_syntax.c
-index dc7106da5..e208442d5 100644
---- a/ldap/servers/slapd/plugin_syntax.c
-+++ b/ldap/servers/slapd/plugin_syntax.c
-@@ -247,9 +247,7 @@ plugin_call_syntax_filter_sub_sv(
- Operation *op = NULL;
- /* to pass SLAPI_SEARCH_TIMELIMIT & SLAPI_OPINITATED_TIME */
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
-- if (op) {
-- slapi_pblock_set(pipb, SLAPI_OPERATION, op);
-- }
-+ slapi_pblock_set(pipb, SLAPI_OPERATION, op);
- }
- rc = (*sub_fn)(pipb, fsub->sf_initial, fsub->sf_any, fsub->sf_final, va);
- } else {
---
-2.21.0
-
diff --git a/SOURCES/0005-Issue-50812-dscontainer-executable-should-be-placed-.patch b/SOURCES/0005-Issue-50812-dscontainer-executable-should-be-placed-.patch
new file mode 100644
index 0000000..46ee67d
--- /dev/null
+++ b/SOURCES/0005-Issue-50812-dscontainer-executable-should-be-placed-.patch
@@ -0,0 +1,97 @@
+From f570348659620a59b681e7bf315bd979cd7de497 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 13 Jan 2020 14:40:49 -0500
+Subject: [PATCH] Issue 50812 - dscontainer executable should be placed under
+ /usr/libexec/dirsrv/
+
+Description: dscontainer is not a user-runnable executable. Per packaging
+ guidelines it should be placed under /usr/libexec/dirsrv/
+
+relates: https://pagure.io/389-ds-base/issue/50812
+
+Reviewed by: firstyear & mhonek (Thanks!!)
+---
+ docker/389-ds-fedora/Dockerfile | 6 +++---
+ docker/389-ds-suse/Dockerfile | 4 ++--
+ docker/389-ds-suse/Dockerfile.release | 2 +-
+ rpm/389-ds-base.spec.in | 2 +-
+ src/lib389/setup.py | 4 +++-
+ 5 files changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/docker/389-ds-fedora/Dockerfile b/docker/389-ds-fedora/Dockerfile
+index d61df8cba..45523ccf1 100644
+--- a/docker/389-ds-fedora/Dockerfile
++++ b/docker/389-ds-fedora/Dockerfile
+@@ -40,7 +40,7 @@ VOLUME /etc/dirsrv
+ VOLUME /var/log/dirsrv
+ VOLUME /var/lib/dirsrv
+
+-# Or, run them as dirsrv
+-USER dirsrv
+-CMD ["/usr/sbin/ns-slapd", "-d", "0", "-D", "/etc/dirsrv/slapd-localhost", "-i", "/var/run/dirsrv/slapd-localhost.pid"]
++HEALTHCHECK --start-period=5m --timeout=5s --interval=5s --retries=2 \
++ CMD /usr/libexec/dirsrv/dscontainer -H
+
++CMD [ "/usr/libexec/dirsrv/dscontainer", "-r" ]
+diff --git a/docker/389-ds-suse/Dockerfile b/docker/389-ds-suse/Dockerfile
+index 1e56e1f5a..6022d04c6 100644
+--- a/docker/389-ds-suse/Dockerfile
++++ b/docker/389-ds-suse/Dockerfile
+@@ -76,7 +76,7 @@ VOLUME /data
+ # USER dirsrv
+
+ HEALTHCHECK --start-period=5m --timeout=5s --interval=5s --retries=2 \
+- CMD /usr/sbin/dscontainer -H
++ CMD /usr/libexec/dirsrv/dscontainer -H
+
+-CMD [ "/usr/sbin/dscontainer", "-r" ]
++CMD [ "/usr/libexec/dirsrv/dscontainer", "-r" ]
+
+diff --git a/docker/389-ds-suse/Dockerfile.release b/docker/389-ds-suse/Dockerfile.release
+index c934edaf0..6f4adf735 100644
+--- a/docker/389-ds-suse/Dockerfile.release
++++ b/docker/389-ds-suse/Dockerfile.release
+@@ -69,4 +69,4 @@ VOLUME /data
+ # here and ds should do the right thing if a non root user runs the server.
+ # USER dirsrv
+
+-CMD [ "/usr/sbin/dscontainer", "-r" ]
++CMD [ "/usr/libexec/dirsrv/dscontainer", "-r" ]
+diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
+index 6f4a1e1a9..6491bda00 100644
+--- a/rpm/389-ds-base.spec.in
++++ b/rpm/389-ds-base.spec.in
+@@ -806,7 +806,7 @@ exit 0
+ %{_mandir}/man8/dsctl.8.gz
+ %{_sbindir}/dsidm
+ %{_mandir}/man8/dsidm.8.gz
+-%{_sbindir}/dscontainer
++%{_libexecdir}/%{pkgname}/dscontainer
+
+ %files -n cockpit-389-ds -f cockpit.list
+ %{_datarootdir}/metainfo/389-console/org.port389.cockpit_console.metainfo.xml
+diff --git a/src/lib389/setup.py b/src/lib389/setup.py
+index 056173936..296b555a4 100644
+--- a/src/lib389/setup.py
++++ b/src/lib389/setup.py
+@@ -63,7 +63,6 @@ setup(
+ 'cli/dsconf',
+ 'cli/dscreate',
+ 'cli/dsidm',
+- 'cli/dscontainer',
+ ]),
+ ('/usr/share/man/man8', [
+ 'man/dsctl.8',
+@@ -71,6 +70,9 @@ setup(
+ 'man/dscreate.8',
+ 'man/dsidm.8',
+ ]),
++ ('/usr/libexec/dirsrv/', [
++ 'cli/dscontainer',
++ ]),
+ ],
+
+ install_requires=[
+--
+2.21.1
+
diff --git a/SOURCES/0006-Revert-Issue-49960-Core-schema-contains-strings-inst.patch b/SOURCES/0006-Revert-Issue-49960-Core-schema-contains-strings-inst.patch
deleted file mode 100644
index 5b170bb..0000000
--- a/SOURCES/0006-Revert-Issue-49960-Core-schema-contains-strings-inst.patch
+++ /dev/null
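Review bot: In the added 0005-Issue-50812 patch, the docker/389-ds-fedora/Dockerfile hunk removes `USER dirsrv` together with the old ns-slapd CMD, so `dscontainer -r` now starts as whatever user is in effect earlier in that Dockerfile (root if none is set; the hunk does not show the rest of the file). This is a privilege change that the patch description, which only announces the move to /usr/libexec/dirsrv/, does not mention. If dscontainer is meant to start privileged and switch to dirsrv itself, say so next to the CMD with a comment such as `# dscontainer is started as root and is expected to drop to dirsrv (TODO: confirm)`; otherwise keep `USER dirsrv` above the HEALTHCHECK. A smaller point in the same patch: setup.py hard-codes `/usr/libexec/dirsrv/` while the spec installs to `%{_libexecdir}/%{pkgname}`, so the two paths can diverge on a distribution whose libexecdir is not /usr/libexec.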
@@ -1,316 +0,0 @@ -From d5e6f5a3faa2ee4e488cabb575f36f55009d10bd Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Fri, 7 Jun 2019 14:38:50 -0400 -Subject: [PATCH 02/12] Revert "Issue 49960 - Core schema contains strings - instead of numer oids" - -This reverts commit 2738fd00ffd7b9bced16e2e9ce61da80eec51206. ---- - ldap/schema/01core389.ldif | 28 ++++---- - ldap/schema/30ns-common.ldif | 102 +++++++++++++++--------------- - ldap/schema/50ns-admin.ldif | 62 +++++++++--------- - ldap/schema/50ns-certificate.ldif | 4 +- - ldap/schema/50ns-directory.ldif | 4 +- - ldap/schema/50ns-mail.ldif | 4 +- - 6 files changed, 102 insertions(+), 102 deletions(-) - -diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif -index 7bf4acc5b..f4123f29e 100644 ---- a/ldap/schema/01core389.ldif -+++ b/ldap/schema/01core389.ldif -@@ -86,26 +86,26 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2064 NAME 'nsSaslMapRegexString' DESC 'N - attributeTypes: ( 2.16.840.1.113730.3.1.2065 NAME 'nsSaslMapBaseDNTemplate' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2066 NAME 'nsSaslMapFilterTemplate' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2142 NAME 'nsSaslMapPriority' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) --attributeTypes: ( 2.16.840.1.113730.3.1.309 NAME 'nsCertfile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.310 NAME 'nsKeyfile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.311 NAME 'nsSSL2' DESC 'Netscape defined attribute type' SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.312 NAME 'nsSSL3' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsCertfile-oid NAME 'nsCertfile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsKeyfile-oid NAME 'nsKeyfile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSSL2-oid NAME 'nsSSL2' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSSL3-oid NAME 'nsSSL3' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( nsTLS1-oid NAME 'nsTLS1' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( nsTLS10-oid NAME 'nsTLS10' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( nsTLS11-oid NAME 'nsTLS11' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( nsTLS12-oid NAME 'nsTLS12' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( sslVersionMin-oid NAME 'sslVersionMin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( sslVersionMax-oid NAME 'sslVersionMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.313 NAME 'nsSSLClientAuth' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.314 NAME 'nsSSLSessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.315 NAME 'nsSSL3SessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.316 NAME 'nsSSL2Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.317 NAME 'nsSSL3Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSSLClientAuth-oid NAME 'nsSSLClientAuth' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSSLSessionTimeout-oid NAME 'nsSSLSessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSSL2Ciphers-oid NAME 'nsSSL2Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSSL3Ciphers-oid NAME 'nsSSL3Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( nsSSLSupportedCiphers-oid NAME 'nsSSLSupportedCiphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( allowWeakCipher-oid NAME 'allowWeakCipher' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.318 NAME 'nsSSLToken' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.319 NAME 'nsSSLPersonalitySSL' DESC 'Netscape defined attribute type' SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.320 NAME 'nsSSLActivation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSSLToken-oid NAME 'nsSSLToken' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSSLPersonalitySSL-oid NAME 'nsSSLPersonalitySSL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSSLActivation-oid NAME 'nsSSLActivation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( CACertExtractFile-oid NAME 'CACertExtractFile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( nsTLSAllowClientRenegotiation-oid NAME 'nsTLSAllowClientRenegotiation' DESC 'Allow clients to renegotiate open TLS connections using RFC 5746 secure renegotiation' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( ServerKeyExtractFile-oid NAME 'ServerKeyExtractFile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -@@ -329,8 +329,8 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC - objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ 
nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' ) --objectClasses: ( 2.16.840.1.113730.3.2.60 NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsTLS10 $ nsTLS11 $ nsTLS12 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher $ CACertExtractFile $ allowWeakDHParam $ nsTLSAllowClientRenegotiation ) X-ORIGIN 'Netscape' ) --objectClasses: ( 2.16.840.1.113730.3.2.61 NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation $ ServerKeyExtractFile $ ServerCertExtractFile ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsTLS10 $ nsTLS11 $ nsTLS12 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher $ CACertExtractFile $ allowWeakDHParam $ nsTLSAllowClientRenegotiation ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation $ ServerKeyExtractFile $ ServerCertExtractFile ) X-ORIGIN 'Netscape' ) - objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' ) - objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ 
schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.332 NAME 'nsChangelogConfig' DESC 'Configuration of the changelog5 object' SUP top MUST ( cn $ nsslapd-changelogdir ) MAY ( nsslapd-changelogmaxage $ nsslapd-changelogtrim-interval $ nsslapd-changelogmaxentries $ nsslapd-changelogsuffix $ nsslapd-changelogcompactdb-interval $ nsslapd-encryptionalgorithm $ nsSymmetricKey ) X-ORIGIN '389 Directory Server' ) -diff --git a/ldap/schema/30ns-common.ldif b/ldap/schema/30ns-common.ldif -index 58eeae5b0..80b8cf6fc 100644 ---- a/ldap/schema/30ns-common.ldif -+++ b/ldap/schema/30ns-common.ldif -@@ -12,60 +12,60 @@ - # Common Netscape schema. - # - dn: cn=schema --attributeTypes: ( 2.16.840.1.113730.3.1.276 NAME 'nsServerID' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.277 NAME 'nsBaseDN' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.278 NAME 'nsBindDN' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.279 NAME 'nsBindPassword' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.280 NAME 'nsServerPort' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.281 NAME 'nsServerAddress' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.282 NAME 'nsDirectoryInfoRef' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' ) --attributeTypes: ( 
2.16.840.1.113730.3.1.283 NAME 'nsDirectoryURL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape' ) --attributeTypes: ( 1.3.6.1.4.1.42.2.27.10.1.31 NAME 'nsDirectoryFailoverList' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.284 NAME 'nsAdminDomainName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.285 NAME 'nsHostLocation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.286 NAME 'nsHardwarePlatform' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.287 NAME 'nsOsVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.288 NAME 'nsAdminGroupName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.289 NAME 'nsConfigRoot' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 1.3.6.1.4.1.42.2.27.10.1.72 NAME 'nsAdminSIEDN' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.290 NAME 'nsVendor' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.291 NAME 'nsProductName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.292 NAME 'nsNickName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 
2.16.840.1.113730.3.1.293 NAME 'nsProductVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.294 NAME 'nsBuildNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.295 NAME 'nsRevisionNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.296 NAME 'nsSerialNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.297 NAME 'nsInstalledLocation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.298 NAME 'nsExpirationDate' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.299 NAME 'nsBuildSecurity' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.300 NAME 'nsServerMigrationClassname' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.301 NAME 'nsServerCreationClassname' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.302 NAME 'nsLdapSchemaVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.303 NAME 'nsSuiteSpotUser' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.304 NAME 'nsErrorLog' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 
'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.305 NAME 'nsPidLog' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.306 NAME 'nsAccessLog' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.307 NAME 'nsDefaultAcceptLanguage' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.308 NAME 'nsServerSecurity' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.321 NAME 'nsTaskLabel' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.322 NAME 'nsHelpRef' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.323 NAME 'nsExecRef' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.329 NAME 'nsLogSuppress' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.324 NAME 'nsJarfilename' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) --attributeTypes: ( 2.16.840.1.113730.3.1.325 NAME 'nsClassname' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsServerID-oid NAME 'nsServerID' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsBaseDN-oid NAME 'nsBaseDN' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsBindDN-oid NAME 
'nsBindDN' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsBindPassword-oid NAME 'nsBindPassword' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsServerPort-oid NAME 'nsServerPort' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsServerAddress-oid NAME 'nsServerAddress' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsDirectoryInfoRef-oid NAME 'nsDirectoryInfoRef' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsDirectoryURL-oid NAME 'nsDirectoryURL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsDirectoryFailoverList-oid NAME 'nsDirectoryFailoverList' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsAdminDomainName-oid NAME 'nsAdminDomainName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsHostLocation-oid NAME 'nsHostLocation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsHardwarePlatform-oid NAME 'nsHardwarePlatform' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsOsVersion-oid NAME 'nsOsVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsAdminGroupName-oid NAME 'nsAdminGroupName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsConfigRoot-oid NAME 'nsConfigRoot' DESC 'Netscape defined attribute type' SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsAdminSIEDN-oid NAME 'nsAdminSIEDN' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsVendor-oid NAME 'nsVendor' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsProductName-oid NAME 'nsProductName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsNickName-oid NAME 'nsNickName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsProductVersion-oid NAME 'nsProductVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsBuildNumber-oid NAME 'nsBuildNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsRevisionNumber-oid NAME 'nsRevisionNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSerialNumber-oid NAME 'nsSerialNumber' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsInstalledLocation-oid NAME 'nsInstalledLocation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsExpirationDate-oid NAME 'nsExpirationDate' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsBuildSecurity-oid NAME 'nsBuildSecurity' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsServerMigrationClassname-oid NAME 'nsServerMigrationClassname' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( 
nsServerCreationClassname-oid NAME 'nsServerCreationClassname' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsLdapSchemaVersion-oid NAME 'nsLdapSchemaVersion' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsSuiteSpotUser-oid NAME 'nsSuiteSpotUser' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsErrorLog-oid NAME 'nsErrorLog' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsPidLog-oid NAME 'nsPidLog' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsAccessLog-oid NAME 'nsAccessLog' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsDefaultAcceptLanguage-oid NAME 'nsDefaultAcceptLanguage' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsServerSecurity-oid NAME 'nsServerSecurity' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsTaskLabel-oid NAME 'nsTaskLabel' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsHelpRef-oid NAME 'nsHelpRef' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsExecRef-oid NAME 'nsExecRef' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsLogSuppress-oid NAME 'nsLogSuppress' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsJarfilename-oid NAME 'nsJarfilename' DESC 'Netscape defined attribute type' SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) -+attributeTypes: ( nsClassname-oid NAME 'nsClassname' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2337 NAME 'nsCertSubjectDN' DESC 'An x509 DN from a certificate used to map during a TLS bind process' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN '389 Directory Server Project' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2342 NAME 'nsSshPublicKey' DESC 'An nsSshPublicKey record' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN '389 Directory Server Project' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2343 NAME 'legalName' DESC 'An individuals legalName' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server Project' ) --objectClasses: ( 2.16.840.1.113730.3.2.56 NAME 'nsAdminDomain' DESC 'Netscape defined objectclass' SUP organizationalUnit MAY ( nsAdminDomainName ) X-ORIGIN 'Netscape' ) --objectClasses: ( 2.16.840.1.113730.3.2.57 NAME 'nsHost' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( serverHostName $ description $ l $ nsHostLocation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' ) --objectClasses: ( 2.16.840.1.113730.3.2.58 NAME 'nsAdminGroup' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsAdminGroupName $ description $ nsConfigRoot $ nsAdminSIEDN ) X-ORIGIN 'Netscape' ) --objectClasses: ( 2.16.840.1.113730.3.2.59 NAME 'nsApplication' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsVendor $ description $ nsProductName $ nsNickName $ nsProductVersion $ nsBuildNumber $ nsRevisionNumber $ nsSerialNumber $ nsInstalledLocation $ installationTimeStamp $ nsExpirationDate $ nsBuildSecurity $ nsLdapSchemaVersion $ nsServerMigrationClassname $ nsServerCreationClassname ) X-ORIGIN 'Netscape' ) --objectClasses: ( 2.16.840.1.113730.3.2.62 NAME 'nsResourceRef' DESC 'Netscape defined 
objectclass' SUP top MUST ( cn ) MAY ( seeAlso ) X-ORIGIN 'Netscape' ) --objectClasses: ( 2.16.840.1.113730.3.2.63 NAME 'nsTask' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsTaskLabel $ nsHelpref $ nsExecref $ nsLogSuppress ) X-ORIGIN 'Netscape' ) --objectClasses: ( 2.16.840.1.113730.3.2.64 NAME 'nsTaskGroup' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsTaskLabel ) X-ORIGIN 'Netscape' ) --objectClasses: ( 2.16.840.1.113730.3.2.65 NAME 'nsAdminObject' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsJarFilename $ nsClassName ) X-ORIGIN 'Netscape' ) --objectClasses: ( 2.16.840.1.113730.3.2.66 NAME 'nsConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( description $ nsServerPort $ nsServerAddress $ nsSuiteSpotUser $ nsErrorLog $ nsPidLog $ nsAccessLog $ nsDefaultAcceptLanguage $ nsServerSecurity ) X-ORIGIN 'Netscape' ) --objectClasses: ( 2.16.840.1.113730.3.2.67 NAME 'nsDirectoryInfo' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsBindDN $ nsBindPassword $ nsDirectoryURL $ nsDirectoryFailoverList $ nsDirectoryInfoRef ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsAdminDomain-oid NAME 'nsAdminDomain' DESC 'Netscape defined objectclass' SUP organizationalUnit MAY ( nsAdminDomainName ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsHost-oid NAME 'nsHost' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( serverHostName $ description $ l $ nsHostLocation $ nsHardwarePlatform $ nsOsVersion ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsAdminGroup-oid NAME 'nsAdminGroup' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsAdminGroupName $ description $ nsConfigRoot $ nsAdminSIEDN ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsApplication-oid NAME 'nsApplication' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsVendor $ description $ nsProductName $ nsNickName $ nsProductVersion $ nsBuildNumber $ nsRevisionNumber $ nsSerialNumber $ nsInstalledLocation $ 
installationTimeStamp $ nsExpirationDate $ nsBuildSecurity $ nsLdapSchemaVersion $ nsServerMigrationClassname $ nsServerCreationClassname ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsResourceRef-oid NAME 'nsResourceRef' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( seeAlso ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsTask-oid NAME 'nsTask' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsTaskLabel $ nsHelpref $ nsExecref $ nsLogSuppress ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsTaskGroup-oid NAME 'nsTaskGroup' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsTaskLabel ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsAdminObject-oid NAME 'nsAdminObject' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsJarFilename $ nsClassName ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsConfig-oid NAME 'nsConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( description $ nsServerPort $ nsServerAddress $ nsSuiteSpotUser $ nsErrorLog $ nsPidLog $ nsAccessLog $ nsDefaultAcceptLanguage $ nsServerSecurity ) X-ORIGIN 'Netscape' ) -+objectClasses: ( nsDirectoryInfo-oid NAME 'nsDirectoryInfo' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsBindDN $ nsBindPassword $ nsDirectoryURL $ nsDirectoryFailoverList $ nsDirectoryInfoRef ) X-ORIGIN 'Netscape' ) - objectClasses: ( 2.16.840.1.113730.3.2.329 NAME 'nsMemberOf' DESC 'Allow memberOf assignment on groups for nesting and users' SUP top AUXILIARY MAY ( memberOf ) X-ORIGIN '389 Directory Server Project' ) - objectClasses: ( 2.16.840.1.113730.3.2.331 NAME 'nsAccount' DESC 'A representation of a binding user in a directory server' SUP top AUXILIARY MAY ( userCertificate $ nsCertSubjectDN $ nsSshPublicKey $ userPassword ) X-ORIGIN '389 Directory Server Project' ) - objectClasses: ( 2.16.840.1.113730.3.2.333 NAME 'nsPerson' DESC 'A representation of a person in a directory server' SUP top STRUCTURAL MUST ( displayName $ cn ) MAY ( userPassword $ seeAlso $ 
description $ legalName $ mail $ preferredLanguage ) X-ORIGIN '389 Directory Server Project' ) -diff --git a/ldap/schema/50ns-admin.ldif b/ldap/schema/50ns-admin.ldif -index a553c58cc..aceaf759a 100644 ---- a/ldap/schema/50ns-admin.ldif -+++ b/ldap/schema/50ns-admin.ldif -@@ -12,34 +12,34 @@ - # Schema used by Netscape Administration Services - # - dn: cn=schema --attributeTypes: ( 2.16.840.1.113730.3.1.255 NAME 'nsAdminCgiWaitPid' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.256 NAME 'nsAdminUsers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.257 NAME 'nsAdminAccessHosts' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.258 NAME 'nsAdminAccessAddresses' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.259 NAME 'nsAdminOneACLDir' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.260 NAME 'nsAdminEnableDSGW' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.261 NAME 'nsAdminEnableEnduser' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.262 NAME 'nsAdminCacheLifetime' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.263 NAME 'nsAdminAccountInfo' DESC 
'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.264 NAME 'nsDeleteclassname' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.265 NAME 'nsAdminEndUserHTMLIndex' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.266 NAME 'nsUniqueAttribute' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.267 NAME 'nsUserIDFormat' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.268 NAME 'nsUserRDNComponent' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.269 NAME 'nsGroupRDNComponent' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.270 NAME 'nsWellKnownJarfiles' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.271 NAME 'nsNYR' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.272 NAME 'nsDefaultObjectClass' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.273 NAME 'nsPreference' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 
X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.274 NAME 'nsDisplayName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --attributeTypes: ( 2.16.840.1.113730.3.1.275 NAME 'nsViewConfiguration' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) --objectClasses: ( 2.16.840.1.113730.3.2.46 NAME 'nsAdminServer' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsServerID ) MAY ( description ) X-ORIGIN 'Netscape Administration Services' ) --objectClasses: ( 2.16.840.1.113730.3.2.47 NAME 'nsAdminConfig' DESC 'Netscape defined objectclass' SUP nsConfig MAY ( nsAdminCgiWaitPid $ nsAdminUsers $ nsAdminAccessHosts $ nsAdminAccessAddresses $ nsAdminOneACLDir $ nsAdminEnableDSGW $ nsAdminEnableEnduser $ nsAdminCacheLifetime ) X-ORIGIN 'Netscape Administration Services' ) --objectClasses: ( 2.16.840.1.113730.3.2.48 NAME 'nsAdminResourceEditorExtension' DESC 'Netscape defined objectclass' SUP nsAdminObject MUST ( cn ) MAY ( nsAdminAccountInfo $ nsDeleteclassname ) X-ORIGIN 'Netscape Administration Services' ) --objectClasses: ( 2.16.840.1.113730.3.2.49 NAME 'nsAdminGlobalParameters' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsAdminEndUserHTMLIndex $ nsNickname ) X-ORIGIN 'Netscape Administration Services' ) --objectClasses: ( 2.16.840.1.113730.3.2.50 NAME 'nsGlobalParameters' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsUniqueAttribute $ nsUserIDFormat $ nsUserRDNComponent $ nsGroupRDNComponent $ nsWellKnownJarFiles $ nsNYR ) X-ORIGIN 'Netscape Administration Services' ) --objectClasses: ( 2.16.840.1.113730.3.2.51 NAME 'nsDefaultObjectClasses' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsDefaultObjectClass ) X-ORIGIN 'Netscape Administration Services' ) --objectClasses: ( 2.16.840.1.113730.3.2.52 NAME 'nsAdminConsoleUser' DESC 
'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsPreference ) X-ORIGIN 'Netscape Administration Services' ) --objectClasses: ( 2.16.840.1.113730.3.2.53 NAME 'nsCustomView' DESC 'Netscape defined objectclass' SUP nsAdminObject MAY ( nsDisplayName ) X-ORIGIN 'Netscape Administration Services' ) --objectClasses: ( 2.16.840.1.113730.3.2.54 NAME 'nsTopologyCustomView' DESC 'Netscape defined objectclass' SUP nsCustomView MUST ( cn ) MAY ( nsViewConfiguration ) X-ORIGIN 'Netscape Administration Services' ) --objectClasses: ( 2.16.840.1.113730.3.2.55 NAME 'nsTopologyPlugin' DESC 'Netscape defined objectclass' SUP nsAdminObject X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsAdminCgiWaitPid-oid NAME 'nsAdminCgiWaitPid' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsAdminUsers-oid NAME 'nsAdminUsers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsAdminAccessHosts-oid NAME 'nsAdminAccessHosts' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsAdminAccessAddresses-oid NAME 'nsAdminAccessAddresses' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsAdminOneACLDir-oid NAME 'nsAdminOneACLDir' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsAdminEnableDSGW-oid NAME 'nsAdminEnableDSGW' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsAdminEnableEnduser-oid NAME 'nsAdminEnableEnduser' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration 
Services' ) -+attributeTypes: ( nsAdminCacheLifetime-oid NAME 'nsAdminCacheLifetime' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsAdminAccountInfo-oid NAME 'nsAdminAccountInfo' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsDeleteclassname-oid NAME 'nsDeleteclassname' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsAdminEndUserHTMLIndex-oid NAME 'nsAdminEndUserHTMLIndex' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsUniqueAttribute-oid NAME 'nsUniqueAttribute' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsUserIDFormat-oid NAME 'nsUserIDFormat' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsUserRDNComponent-oid NAME 'nsUserRDNComponent' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsGroupRDNComponent-oid NAME 'nsGroupRDNComponent' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsWellKnownJarfiles-oid NAME 'nsWellKnownJarfiles' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsNYR-oid NAME 'nsNYR' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsDefaultObjectClass-oid NAME 'nsDefaultObjectClass' DESC 'Netscape defined 
attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsPreference-oid NAME 'nsPreference' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsDisplayName-oid NAME 'nsDisplayName' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+attributeTypes: ( nsViewConfiguration-oid NAME 'nsViewConfiguration' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Administration Services' ) -+objectClasses: ( nsAdminServer-oid NAME 'nsAdminServer' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsServerID ) MAY ( description ) X-ORIGIN 'Netscape Administration Services' ) -+objectClasses: ( nsAdminConfig-oid NAME 'nsAdminConfig' DESC 'Netscape defined objectclass' SUP nsConfig MAY ( nsAdminCgiWaitPid $ nsAdminUsers $ nsAdminAccessHosts $ nsAdminAccessAddresses $ nsAdminOneACLDir $ nsAdminEnableDSGW $ nsAdminEnableEnduser $ nsAdminCacheLifetime ) X-ORIGIN 'Netscape Administration Services' ) -+objectClasses: ( nsAdminResourceEditorExtension-oid NAME 'nsAdminResourceEditorExtension' DESC 'Netscape defined objectclass' SUP nsAdminObject MUST ( cn ) MAY ( nsAdminAccountInfo $ nsDeleteclassname ) X-ORIGIN 'Netscape Administration Services' ) -+objectClasses: ( nsAdminGlobalParameters-oid NAME 'nsAdminGlobalParameters' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsAdminEndUserHTMLIndex $ nsNickname ) X-ORIGIN 'Netscape Administration Services' ) -+objectClasses: ( nsGlobalParameters-oid NAME 'nsGlobalParameters' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsUniqueAttribute $ nsUserIDFormat $ nsUserRDNComponent $ nsGroupRDNComponent $ nsWellKnownJarFiles $ nsNYR ) X-ORIGIN 'Netscape Administration Services' ) -+objectClasses: ( nsDefaultObjectClasses-oid NAME 
'nsDefaultObjectClasses' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsDefaultObjectClass ) X-ORIGIN 'Netscape Administration Services' ) -+objectClasses: ( nsAdminConsoleUser-oid NAME 'nsAdminConsoleUser' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsPreference ) X-ORIGIN 'Netscape Administration Services' ) -+objectClasses: ( nsCustomView-oid NAME 'nsCustomView' DESC 'Netscape defined objectclass' SUP nsAdminObject MAY ( nsDisplayName ) X-ORIGIN 'Netscape Administration Services' ) -+objectClasses: ( nsTopologyCustomView-oid NAME 'nsTopologyCustomView' DESC 'Netscape defined objectclass' SUP nsCustomView MUST ( cn ) MAY ( nsViewConfiguration ) X-ORIGIN 'Netscape Administration Services' ) -+objectClasses: ( nsTopologyPlugin-oid NAME 'nsTopologyPlugin' DESC 'Netscape defined objectclass' SUP nsAdminObject X-ORIGIN 'Netscape Administration Services' ) -diff --git a/ldap/schema/50ns-certificate.ldif b/ldap/schema/50ns-certificate.ldif -index 42d0f3e70..e89680a18 100644 ---- a/ldap/schema/50ns-certificate.ldif -+++ b/ldap/schema/50ns-certificate.ldif -@@ -12,6 +12,6 @@ - # Schema for Netscape Certificate Management System - # - dn: cn=schema --attributeTypes: ( 1.3.6.1.4.1.42.2.27.10.1.190 NAME 'nsCertConfig' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Certificate Management System' ) -+attributeTypes: ( nsCertConfig-oid NAME 'nsCertConfig' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Certificate Management System' ) - objectClasses: ( 2.16.840.1.113730.3.2.18 NAME 'netscapeCertificateServer' DESC 'Netscape defined objectclass' SUP top MUST ( objectclass ) X-ORIGIN 'Netscape Certificate Management System' ) --objectClasses: ( 1.3.6.1.4.1.42.2.27.10.2.32 NAME 'nsCertificateServer' DESC 'Netscape defined objectclass' SUP top MUST ( objectclass $ nsServerID ) MAY ( serverHostName $ nsServerPort $ nsCertConfig ) X-ORIGIN 'Netscape 
Certificate Management System' ) -+objectClasses: ( nsCertificateServer-oid NAME 'nsCertificateServer' DESC 'Netscape defined objectclass' SUP top MUST ( objectclass $ nsServerID ) MAY ( serverHostName $ nsServerPort $ nsCertConfig ) X-ORIGIN 'Netscape Certificate Management System' ) -diff --git a/ldap/schema/50ns-directory.ldif b/ldap/schema/50ns-directory.ldif -index 63502482b..298d60770 100644 ---- a/ldap/schema/50ns-directory.ldif -+++ b/ldap/schema/50ns-directory.ldif -@@ -12,7 +12,7 @@ - # Additional schema used by Netscape Directory Server 4.x - # - dn: cn=schema --attributeTypes: ( 1.3.6.1.4.1.42.2.27.10.1.73 NAME 'nsSecureServerPort' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' ) -+attributeTypes: ( nsSecureServerPort-oid NAME 'nsSecureServerPort' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.206 NAME 'filterInfo' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.48 NAME 'replicaPort' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.49 NAME 'replicaUpdateFailedAt' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' ) -@@ -83,7 +83,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.57 NAME 'replicaRoot' DESC 'Netscape def - attributeTypes: ( 2.16.840.1.113730.3.1.58 NAME 'replicaBindDn' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.69 NAME 'subtreeACI' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Directory Server 1.0' ) - objectClasses: ( 
2.16.840.1.113730.3.2.23 NAME 'netscapeDirectoryServer' DESC 'Netscape defined objectclass' SUP top MUST ( objectclass ) X-ORIGIN 'Netscape Directory Server' ) --objectClasses: ( 1.3.6.1.4.1.42.2.27.10.2.31 NAME 'nsDirectoryServer' DESC 'Netscape defined objectclass' SUP top MUST ( objectclass $ nsServerID ) MAY ( serverHostName $ nsServerPort $ nsSecureServerPort $ nsBindPassword $ nsBindDN $ nsBaseDN ) X-ORIGIN 'Netscape Directory Server' ) -+objectClasses: ( nsDirectoryServer-oid NAME 'nsDirectoryServer' DESC 'Netscape defined objectclass' SUP top MUST ( objectclass $ nsServerID ) MAY ( serverHostName $ nsServerPort $ nsSecureServerPort $ nsBindPassword $ nsBindDN $ nsBaseDN ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.8 NAME 'ntUser' DESC 'Netscape defined objectclass' SUP top MUST ( ntUserDomainId ) MAY ( description $ l $ ou $ seeAlso $ ntUserPriv $ ntUserHomeDir $ ntUserComment $ ntUserFlags $ ntUserScriptPath $ ntUserAuthFlags $ ntUserUsrComment $ ntUserParms $ ntUserWorkstations $ ntUserLastLogon $ ntUserLastLogoff $ ntUserAcctExpires $ ntUserMaxStorage $ ntUserUnitsPerWeek $ ntUserLogonHours $ ntUserBadPwCount $ ntUserNumLogons $ ntUserLogonServer $ ntUserCountryCode $ ntUserCodePage $ ntUserUniqueId $ ntUserPrimaryGroupId $ ntUserProfile $ ntUserHomeDirDrive $ ntUserPasswordExpired $ ntUserCreateNewAccount $ ntUserDeleteAccount $ ntUniqueId $ ntUserNtPassword ) X-ORIGIN 'Netscape NT Synchronization' ) - objectClasses: ( 2.16.840.1.113730.3.2.9 NAME 'ntGroup' DESC 'Netscape defined objectclass' SUP top MUST ( ntUserDomainId ) MAY ( description $ l $ ou $ seeAlso $ ntGroupId $ ntGroupAttributes $ ntGroupCreateNewGroup $ ntGroupDeleteGroup $ ntGroupType $ ntUniqueId $ mail ) X-ORIGIN 'Netscape NT Synchronization' ) - objectClasses: ( 2.16.840.1.113730.3.2.82 NAME 'nsChangelog4Config' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' ) -diff --git a/ldap/schema/50ns-mail.ldif 
b/ldap/schema/50ns-mail.ldif -index 3e4783e6c..53d766977 100644 ---- a/ldap/schema/50ns-mail.ldif -+++ b/ldap/schema/50ns-mail.ldif -@@ -18,7 +18,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.707 NAME ( 'vacationstartdate' ) DESC 'N - attributeTypes: ( 2.16.840.1.113730.3.1.18 NAME ( 'mailHost' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' ) - attributeTypes: ( 2.16.840.1.113730.3.1.33 NAME ( 'mgrpModerator' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Messaging Server 4.x' ) - attributeTypes: ( 2.16.840.1.113730.3.1.25 NAME ( 'mgrpDeliverTo' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Messaging Server 4.x' ) --attributeTypes: ( 1.3.6.1.4.1.42.2.27.10.1.81 NAME ( 'mgrpApprovePassword' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'Netscape Messaging Server 4.x' ) -+attributeTypes: ( mgrpApprovePassword-oid NAME ( 'mgrpApprovePassword' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'Netscape Messaging Server 4.x' ) - attributeTypes: ( 2.16.840.1.113730.3.1.31 NAME ( 'mailEnhancedUniqueMember' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape Messaging Server 4.x' ) - attributeTypes: ( 2.16.840.1.113730.3.1.781 NAME ( 'mgrpAddHeader' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Messaging Server 4.x' ) - attributeTypes: ( 2.16.840.1.113730.3.1.22 NAME ( 'mgrpAllowedBroadcaster' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Messaging Server 4.x' ) -@@ -39,7 +39,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.520 NAME ( 
'nswmExtendedUserPrefs' ) DES - attributeTypes: ( 2.16.840.1.113730.3.1.26 NAME ( 'mgrpErrorsTo' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'Netscape Messaging Server 4.x' ) - attributeTypes: ( 2.16.840.1.113730.3.1.23 NAME ( 'mgrpAllowedDomain' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' ) - attributeTypes: ( 2.16.840.1.113730.3.1.28 NAME ( 'mgrpMsgRejectAction' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' ) --attributeTypes: ( 1.3.6.1.4.1.42.2.27.10.1.79 NAME ( 'nsmsgDisallowAccess' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Messaging Server 4.x' ) -+attributeTypes: ( nsmsgDisallowAccess-oid NAME ( 'nsmsgDisallowAccess' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Messaging Server 4.x' ) - attributeTypes: ( 2.16.840.1.113730.3.1.17 NAME ( 'mailForwardingAddress' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Messaging Server 4.x' ) - attributeTypes: ( 2.16.840.1.113730.3.1.32 NAME ( 'mgrpMsgMaxSize' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Messaging Server 4.x' ) - attributeTypes: ( 2.16.840.1.113730.3.1.29 NAME ( 'mgrpMsgRejectText' ) DESC 'Netscape Messaging Server 4.x defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Messaging Server 4.x' ) --- -2.21.0 - diff --git a/SOURCES/0006-Ticket-50741-bdb_start-Detected-Disorderly-Shutdown-.patch b/SOURCES/0006-Ticket-50741-bdb_start-Detected-Disorderly-Shutdown-.patch new file mode 100644 index 0000000..f50b46c --- /dev/null 
+++ b/SOURCES/0006-Ticket-50741-bdb_start-Detected-Disorderly-Shutdown-.patch 
@@ -0,0 +1,74 @@
+From b5d7a0b34d532335da7171dd7a308f95638c91c8 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz
+Date: Tue, 19 Nov 2019 09:56:46 +0100
+Subject: [PATCH] Ticket 50741 - bdb_start - Detected Disorderly Shutdown last
+ time Directory Server was running
+
+Bug description:
+ At startup plugins are started (plugin_dependency_startall) including ldbm database
+ that read/remove the guardian file (bdb_start).
+ If one of the plugin fails to start, for example because of a missing dependency,
+ the statup function just exits without recreating the guardian file.
+ The next restart will not find the guardian file, trigger a recovery and
+ log the alarming message "Detected Disorderly Shutdown last time Directory Server was running..."
+
+Fix description:
+ In case the startup function fails it should call the closing function of all
+ started plugin: plugin_closeall
+ The fix also contains fixes for plugin acceptance tests. If DS startup is expected
+ to fail, it is caught by subprocess.CalledProcessError but actually the startup
+ function can also return ValueError exception
+
+https://pagure.io/389-ds-base/issue/50741
+
+Reviewed By: Mark Reynolds
+---
+ dirsrvtests/tests/suites/plugins/acceptance_test.py | 6 +++---
+ ldap/servers/slapd/plugin.c | 1 +
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/plugins/acceptance_test.py b/dirsrvtests/tests/suites/plugins/acceptance_test.py
+index 8aacb74be..cdb629eef 100644
+--- a/dirsrvtests/tests/suites/plugins/acceptance_test.py
++++ b/dirsrvtests/tests/suites/plugins/acceptance_test.py
+@@ -64,7 +64,7 @@ def check_dependency(inst, plugin, online=True):
+ acct_usability.remove('nsslapd-plugin-depends-on-named', plugin.rdn)
+ else:
+ plugin.disable()
+- with pytest.raises(subprocess.CalledProcessError):
++ with pytest.raises((subprocess.CalledProcessError, ValueError)):
+ inst.restart()
+ dse_ldif = DSEldif(inst)
+ dse_ldif.delete(acct_usability.dn, 'nsslapd-plugin-depends-on-named')
+@@ -1739,14 +1739,14 @@ def test_rootdn(topo, args=None):
+ # First, test that invalid plugin changes are rejected
+ if args is None:
+ plugin.replace('rootdn-deny-ip', '12.12.ZZZ.12')
+- with pytest.raises(subprocess.CalledProcessError):
++ with pytest.raises((subprocess.CalledProcessError, ValueError)):
+ inst.restart()
+ dse_ldif = DSEldif(inst)
+ dse_ldif.delete(plugin.dn, 'rootdn-deny-ip')
+ _rootdn_restart(inst)
+
+ plugin.replace('rootdn-allow-host', 'host._.com')
+- with pytest.raises(subprocess.CalledProcessError):
++ with pytest.raises((subprocess.CalledProcessError, ValueError)):
+ inst.restart()
+ dse_ldif = DSEldif(inst)
+ dse_ldif.delete(plugin.dn, 'rootdn-allow-host')
+diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
+index a77bb5aa7..b00c1bd8f 100644
+--- a/ldap/servers/slapd/plugin.c
++++ b/ldap/servers/slapd/plugin.c
+@@ -1811,6 +1811,7 @@ plugin_dependency_startall(int argc, char **argv, char *errmsg __attribute__((un
+ }
+ i++;
+ }
++ plugin_closeall(1 /* Close Backends */, 1 /* Close Globals */);
+ exit(1);
+ }
+
+--
+2.21.1
+
diff --git a/SOURCES/0007-Issue-50378-ACI-s-with-IPv4-and-IPv6-bind-rules-do-n.patch b/SOURCES/0007-Issue-50378-ACI-s-with-IPv4-and-IPv6-bind-rules-do-n.patch
deleted file mode 100644
index ef6b95b..0000000
--- a/SOURCES/0007-Issue-50378-ACI-s-with-IPv4-and-IPv6-bind-rules-do-n.patch
+++ /dev/null
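Review bot: Nothing in the changed tests asserts the behaviour this patch fixes: the three `pytest.raises((subprocess.CalledProcessError, ValueError))` blocks in `check_dependency` and `test_rootdn` only confirm that `inst.restart()` fails, not that the next start is free of the "Detected Disorderly Shutdown" recovery. Once the configuration has been repaired and the instance started again, a check such as `assert not inst.ds_error_log.match('.*Detected Disorderly Shutdown.*')` would pin it, provided the error log does not already carry that message from an earlier run. In `plugin.c`, the added `plugin_closeall(1 /* Close Backends */, 1 /* Close Globals */);` runs on a path where at least one plugin did not start; `plugin_closeall` is not visible here, so it is worth confirming that it only invokes close functions for plugins that were actually started. Both test functions and `plugin_dependency_startall` continue outside the hunks shown.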
@@ -1,72 +0,0 @@ -From 76d8b45b71563d6158464f7a34bcb57d470993dc Mon Sep 17 00:00:00 2001 -From: Viktor Ashirov -Date: Fri, 21 Jun 2019 16:41:34 +0200 -Subject: [PATCH 03/12] Issue 50378 - ACI's with IPv4 and IPv6 bind rules do - not work for IPv6 clients - -Description: - -Add a new test case for #50378 instead of the older one that was testing -an unsupported corner case (ip=*). - -Relates: https://pagure.io/389-ds-base/issue/50378 - -Reviewed by: mreynolds (Thanks!) ---- - dirsrvtests/tests/suites/acl/keywords_test.py | 29 ++++++++++--------- - 1 file changed, 16 insertions(+), 13 deletions(-) - -diff --git a/dirsrvtests/tests/suites/acl/keywords_test.py b/dirsrvtests/tests/suites/acl/keywords_test.py -index c8c19127b..6a494a4b6 100644 ---- a/dirsrvtests/tests/suites/acl/keywords_test.py -+++ b/dirsrvtests/tests/suites/acl/keywords_test.py -@@ -430,30 +430,33 @@ def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user): - with pytest.raises(ldap.INSUFFICIENT_ACCESS): - org.replace("seeAlso", "cn=1") - -- --def test_user_can_access_the_data_when_connecting_from_any_machine_2(topo, add_user, aci_of_user): -+@pytest.mark.ds50378 -+@pytest.mark.bz1710848 -+@pytest.mark.parametrize("ip_addr", ['127.0.0.1', "[::1]"]) -+def test_user_can_access_from_ipv4_or_ipv6_address(topo, add_user, aci_of_user, ip_addr): - """ -- User can access the data when connecting from any machine as per the ACI. -+ User can modify the data when accessing the server from the allowed IPv4 and IPv6 addresses - - :id:461e761e-7ac5-11e8-9ae4-8c16451d917b - :setup: Standalone Server - :steps: -- 1. Add test entry -- 2. Add ACI -- 3. User should follow ACI role -+ 1. Add ACI that has both IPv4 and IPv6 -+ 2. Connect from one of the IPs allowed in ACI -+ 3. Modify an attribute - :expectedresults: -- 1. Entry should be added -- 2. Operation should succeed -- 3. Operation should succeed -+ 1. ACI should be added -+ 2. Conection should be successful -+ 3. 
Operation should be successful - """ -- # Add ACI -+ # Add ACI that contains both IPv4 and IPv6 - Domain(topo.standalone, DEFAULT_SUFFIX).\ -- add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr=*)' -+ add("aci", f'(target ="ldap:///{IP_OU_KEY}")(targetattr=*) ' - f'(version 3.0; aci "IP aci"; allow(all) ' -- f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)') -+ f'userdn = "ldap:///{FULLIP_KEY}" and (ip = "127.0.0.1" or ip = "::1");)') - - # Create a new connection for this test. -- conn = UserAccount(topo.standalone, FULLIP_KEY).bind(PW_DM) -+ conn = UserAccount(topo.standalone, FULLIP_KEY).bind(PW_DM, uri=f'ldap://{ip_addr}:{topo.standalone.port}') -+ - # Perform Operation - OrganizationalUnit(conn, IP_OU_KEY).replace("seeAlso", "cn=1") - --- -2.21.0 - diff --git a/SOURCES/0007-Ticket-50667-dsctl-l-did-not-respect-PREFIX.patch b/SOURCES/0007-Ticket-50667-dsctl-l-did-not-respect-PREFIX.patch new file mode 100644 index 0000000..071233a --- /dev/null +++ b/SOURCES/0007-Ticket-50667-dsctl-l-did-not-respect-PREFIX.patch 
@@ -0,0 +1,80 @@ +From f77760fb4e39e6d5b673ee8c5388407ff1ae98be Mon Sep 17 00:00:00 2001 +From: William Brown +Date: Wed, 23 Oct 2019 12:01:04 +1000 +Subject: [PATCH] Ticket 50667 - dsctl -l did not respect PREFIX + +Bug Description: dsctl list was not coded to allow +using the paths module. + +Fix Description: Change to the paths module to allow +better and consistent CLI handling. + +https://pagure.io/389-ds-base/issue/50667 + +Author: William Brown + +Review by: mreynolds, spichugi (thanks) +--- + src/lib389/cli/dsctl | 4 ++-- + src/lib389/lib389/cli_ctl/instance.py | 2 +- + src/lib389/lib389/utils.py | 8 ++++++-- + 3 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/lib389/cli/dsctl b/src/lib389/cli/dsctl +index 8b86629ac..47ca8269b 100755 +--- a/src/lib389/cli/dsctl ++++ b/src/lib389/cli/dsctl +@@ -46,8 +46,8 @@ parser.add_argument('-l', '--list', + default=False, action='store_true' + ) + +-parser.add_argument('--remove-all', nargs="?", default=False, const=None, +- help="Remove all instances of Directory Server (you can also provide an optional directory prefix for this argument)", ++parser.add_argument('--remove-all', default=False, action='store_true', ++ help=argparse.SUPPRESS + ) + + subparsers = parser.add_subparsers(help="action") +diff --git a/src/lib389/lib389/cli_ctl/instance.py b/src/lib389/lib389/cli_ctl/instance.py +index 95958e14c..f0111f35b 100644 +--- a/src/lib389/lib389/cli_ctl/instance.py ++++ b/src/lib389/lib389/cli_ctl/instance.py +@@ -127,7 +127,7 @@ def instance_remove_all(log, args): + """Remove all instances - clean sweep! + """ + +- inst_names = get_instance_list(args.remove_all) ++ inst_names = get_instance_list() + if len(inst_names) > 0: + answer = input("Are you sure you want to remove all the Directory Server instances? 
Enter \"Yes\" to continue: ") + if answer != 'Yes': +diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py +index b9eacfdea..587c7b07b 100644 +--- a/src/lib389/lib389/utils.py ++++ b/src/lib389/lib389/utils.py +@@ -1244,9 +1244,10 @@ def get_ldapurl_from_serverid(instance): + return ("ldap://{}:{}".format(host, port), None) + + +-def get_instance_list(prefix=None): ++def get_instance_list(): + # List all server instances +- conf_dir = (prefix or "") + "/etc/dirsrv/" ++ paths = Paths() ++ conf_dir = os.path.join(paths.sysconf_dir, 'dirsrv') + insts = [] + try: + for inst in os.listdir(conf_dir): +@@ -1254,6 +1255,9 @@ def get_instance_list(prefix=None): + insts.append(inst) + except OSError as e: + log.error("Failed to check directory: {} - {}".format(conf_dir, str(e))) ++ except IOError as e: ++ log.error(e) ++ log.error("Perhaps you need to be a different user?") + insts.sort() + return insts + +-- +2.21.1 + diff --git a/SOURCES/0008-Issue-50177-Add-a-new-CI-test-case-also-added-fixes-.patch b/SOURCES/0008-Issue-50177-Add-a-new-CI-test-case-also-added-fixes-.patch deleted file mode 100644 index edfa32f..0000000 --- a/SOURCES/0008-Issue-50177-Add-a-new-CI-test-case-also-added-fixes-.patch +++ /dev/null 
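Review bot: The `except IOError as e:` clause added to get_instance_list() in utils.py can never run: in Python 3 `IOError` is an alias of `OSError`, and the `except OSError` clause above it already catches everything. If the intent is to hint at a permissions problem, put `except PermissionError as e:` before the `except OSError` clause and keep the two log lines there. Dropping the `prefix` parameter also changes the function's signature, so any caller outside this patch that still passes an argument would raise TypeError; only the call in instance_remove_all is updated here.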
@@ -1,70 +0,0 @@ -From 96e4ad85a6fce9e140658b57146830b85c951415 Mon Sep 17 00:00:00 2001 -From: Akshay Adhikari -Date: Fri, 28 Jun 2019 17:27:08 +0530 -Subject: [PATCH 04/12] Issue 50177 - Add a new CI test case, also added fixes - in lib389 - -Bug Description: Import task should not be deleted too rapidely after import finishes -to be able to query the status. - -Fix Description: A new attribute 'ttl' is order to tune the life time of the task. -The default value is increased to '86400'. Added a test to check that and added it -to ImportTask & ExportTask classes in lib389 so it will create ttl attribute by default. - -Fixes: https://pagure.io/389-ds-base/issue/50177 - -Review by: mreynolds (Thanks!) ---- - dirsrvtests/tests/suites/basic/basic_test.py | 1 + - src/lib389/lib389/_constants.py | 2 ++ - src/lib389/lib389/tasks.py | 2 ++ - 3 files changed, 5 insertions(+) - -diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py -index 1e8662642..d2f8262fb 100644 ---- a/dirsrvtests/tests/suites/basic/basic_test.py -+++ b/dirsrvtests/tests/suites/basic/basic_test.py -@@ -274,6 +274,7 @@ def test_basic_import_export(topology_st, import_example_ldif): - assert r.present('nstasklog') - assert r.present('nstaskcurrentitem') - assert r.present('nstasktotalitems') -+ assert r.present('ttl') - - r.wait() - -diff --git a/src/lib389/lib389/_constants.py b/src/lib389/lib389/_constants.py -index ee5ed9e3e..e65613128 100644 ---- a/src/lib389/lib389/_constants.py -+++ b/src/lib389/lib389/_constants.py -@@ -20,6 +20,8 @@ INSTALL_LATEST_CONFIG = '999999999' - - REPLICA_FLAGS_CON = 0 - -+TTL_DEFAULT_VAL = '86400' -+ - # The structure is convenient for replica promote/demote methods - ReplicaRole = Enum("Replica role", "CONSUMER HUB MASTER STANDALONE") - -diff --git a/src/lib389/lib389/tasks.py b/src/lib389/lib389/tasks.py -index 6a86a422a..f12943fed 100644 ---- a/src/lib389/lib389/tasks.py -+++ b/src/lib389/lib389/tasks.py -@@ -275,6 
+275,7 @@ class ImportTask(Task): - _properties = { - 'nsFilename': ldiffile, - 'nsIncludeSuffix': suffix, -+ 'ttl': TTL_DEFAULT_VAL, - } - self.create(properties=_properties) - -@@ -300,6 +301,7 @@ class ExportTask(Task): - _properties = { - 'nsFilename': ldiffile, - 'nsIncludeSuffix': suffix, -+ 'ttl': TTL_DEFAULT_VAL, - } - self.create(properties=_properties) - --- -2.21.0 - diff --git a/SOURCES/0008-Ticket-50709-Several-memory-leaks-reported-by-Valgri.patch b/SOURCES/0008-Ticket-50709-Several-memory-leaks-reported-by-Valgri.patch new file mode 100644 index 0000000..fb1c33d --- /dev/null +++ b/SOURCES/0008-Ticket-50709-Several-memory-leaks-reported-by-Valgri.patch 
@@ -0,0 +1,186 @@ +From 2040a0a1e517b444fef35a30c86bc6380b03bb21 Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Fri, 8 Nov 2019 18:16:06 +0100 +Subject: [PATCH] Ticket 50709: Several memory leaks reported by Valgrind for + 389-ds 1.3.9.1-10 + +Description of the problem: + + When evaluating an ACI with 'ip' subject, it adds a PRNetAddr to the subject + property list. When the list is free (acl__done_aclpb) the property is not freed. + +Description of the fix: + + Add the property to the pblock (SLAPI_CONN_CLIENTNETADDR_ACLIP) so that it + the property is freed with acl pblock. + +https://pagure.io/389-ds-base/issue/50709 + +Reviewed by: Mark Reynolds, William Brown, Ludwig Krispenz +--- + ldap/servers/plugins/acl/acllas.c | 51 ++++++++++++++++++++----------- + ldap/servers/slapd/connection.c | 2 ++ + ldap/servers/slapd/pblock.c | 16 ++++++++++ + ldap/servers/slapd/slap.h | 1 + + ldap/servers/slapd/slapi-plugin.h | 1 + + 5 files changed, 53 insertions(+), 18 deletions(-) + +diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c +index 3950fd405..dd41d41bd 100644 +--- a/ldap/servers/plugins/acl/acllas.c ++++ b/ldap/servers/plugins/acl/acllas.c +@@ -251,6 +251,7 @@ DS_LASIpGetter(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_in + { + struct acl_pblock *aclpb = NULL; + PRNetAddr *client_praddr = NULL; ++ PRNetAddr *pb_client_praddr = NULL; + char ip_str[256]; + int rv = LAS_EVAL_TRUE; + +@@ -262,25 +263,39 @@ DS_LASIpGetter(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_in + return LAS_EVAL_FAIL; + } + +- client_praddr = (PRNetAddr *)slapi_ch_malloc(sizeof(PRNetAddr)); +- if (client_praddr == NULL) { +- slapi_log_err(SLAPI_LOG_ERR, plugin_name, "DS_LASIpGetter - Failed to allocate client_praddr\n"); +- return (LAS_EVAL_FAIL); +- } ++ slapi_pblock_get(aclpb->aclpb_pblock, SLAPI_CONN_CLIENTNETADDR_ACLIP, &pb_client_praddr); ++ if (pb_client_praddr == NULL) { + +- if (slapi_pblock_get(aclpb->aclpb_pblock, 
SLAPI_CONN_CLIENTNETADDR, client_praddr) != 0) { +- slapi_log_err(SLAPI_LOG_ERR, plugin_name, "DS_LASIpGetter - Could not get client IP.\n"); +- slapi_ch_free((void **)&client_praddr); +- return (LAS_EVAL_FAIL); +- } ++ client_praddr = (PRNetAddr *) slapi_ch_malloc(sizeof (PRNetAddr)); ++ if (client_praddr == NULL) { ++ slapi_log_err(SLAPI_LOG_ERR, plugin_name, "DS_LASIpGetter - Failed to allocate client_praddr\n"); ++ return (LAS_EVAL_FAIL); ++ } + +- rv = PListInitProp(subject, 0, ACL_ATTR_IP, (void *)client_praddr, NULL); +- if (rv < 0) { +- slapi_log_err(SLAPI_LOG_ACL, plugin_name, "DS_LASIpGetter - " +- "Couldn't set the client addr property(%d)\n", +- rv); +- slapi_ch_free((void **)&client_praddr); +- return LAS_EVAL_FAIL; ++ if (slapi_pblock_get(aclpb->aclpb_pblock, SLAPI_CONN_CLIENTNETADDR, client_praddr) != 0) { ++ slapi_log_err(SLAPI_LOG_ERR, plugin_name, "DS_LASIpGetter - Could not get client IP.\n"); ++ slapi_ch_free((void **) &client_praddr); ++ return (LAS_EVAL_FAIL); ++ } ++ ++ rv = PListInitProp(subject, 0, ACL_ATTR_IP, (void *) client_praddr, NULL); ++ if (rv < 0) { ++ slapi_log_err(SLAPI_LOG_ACL, plugin_name, "DS_LASIpGetter - " ++ "Couldn't set the client addr property(%d)\n", ++ rv); ++ slapi_ch_free((void **) &client_praddr); ++ return LAS_EVAL_FAIL; ++ } ++ ++ } else { ++ client_praddr = pb_client_praddr; ++ rv = PListInitProp(subject, 0, ACL_ATTR_IP, (void *) client_praddr, NULL); ++ if (rv < 0) { ++ slapi_log_err(SLAPI_LOG_ACL, plugin_name, "DS_LASIpGetter - " ++ "Couldn't set the client addr property(%d)\n", ++ rv); ++ return LAS_EVAL_FAIL; ++ } + } + if (PR_NetAddrToString(client_praddr, ip_str, sizeof(ip_str)) == PR_SUCCESS) { + slapi_log_err(SLAPI_LOG_ACL, plugin_name, "DS_LASIpGetter - " +@@ -290,7 +305,7 @@ DS_LASIpGetter(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_in + slapi_log_err(SLAPI_LOG_ACL, plugin_name, "DS_LASIpGetter - " + "Returning client ip address 'unknown'\n"); + } +- ++ 
slapi_pblock_set(aclpb->aclpb_pblock, SLAPI_CONN_CLIENTNETADDR_ACLIP, client_praddr); + return LAS_EVAL_TRUE; + } + +diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c +index e124303be..da954ada6 100644 +--- a/ldap/servers/slapd/connection.c ++++ b/ldap/servers/slapd/connection.c +@@ -206,6 +206,7 @@ connection_cleanup(Connection *conn) + conn->c_isreplication_session = 0; + slapi_ch_free((void **)&conn->cin_addr); + slapi_ch_free((void **)&conn->cin_destaddr); ++ slapi_ch_free((void **)&conn->cin_addr_aclip); + slapi_ch_free_string(&conn->c_ipaddr); + if (conn->c_domain != NULL) { + ber_bvecfree(conn->c_domain); +@@ -408,6 +409,7 @@ connection_reset(Connection *conn, int ns, PRNetAddr *from, int fromLen __attrib + str_destip = str_unknown; + } + } ++ slapi_ch_free((void **)&conn->cin_addr_aclip); + + if (!in_referral_mode) { + /* create a sasl connection */ +diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c +index cc44ace30..348cc6f1a 100644 +--- a/ldap/servers/slapd/pblock.c ++++ b/ldap/servers/slapd/pblock.c +@@ -482,6 +482,14 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) + } + pthread_mutex_unlock(&(pblock->pb_conn->c_mutex)); + break; ++ case SLAPI_CONN_CLIENTNETADDR_ACLIP: ++ if (pblock->pb_conn == NULL) { ++ break; ++ } ++ pthread_mutex_lock(&(pblock->pb_conn->c_mutex)); ++ (*(PRNetAddr **) value) = pblock->pb_conn->cin_addr_aclip; ++ pthread_mutex_unlock(&(pblock->pb_conn->c_mutex)); ++ break; + case SLAPI_CONN_SERVERNETADDR: + if (pblock->pb_conn == NULL) { + memset(value, 0, sizeof(PRNetAddr)); +@@ -2571,6 +2579,14 @@ slapi_pblock_set(Slapi_PBlock *pblock, int arg, void *value) + pblock->pb_conn->c_authtype = slapi_ch_strdup((char *)value); + pthread_mutex_unlock(&(pblock->pb_conn->c_mutex)); + break; ++ case SLAPI_CONN_CLIENTNETADDR_ACLIP: ++ if (pblock->pb_conn == NULL) { ++ break; ++ } ++ pthread_mutex_lock(&(pblock->pb_conn->c_mutex)); ++ slapi_ch_free((void 
**)&pblock->pb_conn->cin_addr_aclip); ++ pblock->pb_conn->cin_addr_aclip = (PRNetAddr *)value; ++ pthread_mutex_unlock(&(pblock->pb_conn->c_mutex)); + case SLAPI_CONN_IS_REPLICATION_SESSION: + if (pblock->pb_conn == NULL) { + slapi_log_err(SLAPI_LOG_ERR, +diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h +index 0aa2dcc1a..8a2748519 100644 +--- a/ldap/servers/slapd/slap.h ++++ b/ldap/servers/slapd/slap.h +@@ -1634,6 +1634,7 @@ typedef struct conn + char *c_external_dn; /* client DN of this SSL session */ + char *c_external_authtype; /* used for c_external_dn */ + PRNetAddr *cin_addr; /* address of client on this conn */ ++ PRNetAddr *cin_addr_aclip; /* address of client allocated by acl with 'ip' subject */ + PRNetAddr *cin_destaddr; /* address client connected to */ + struct berval **c_domain; /* DNS names of client */ + Operation *c_ops; /* list of pending operations */ +diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h +index 01dcb0554..29a6238d9 100644 +--- a/ldap/servers/slapd/slapi-plugin.h ++++ b/ldap/servers/slapd/slapi-plugin.h +@@ -6930,6 +6930,7 @@ slapi_timer_result slapi_timespec_expire_check(struct timespec *expire); + #define SLAPI_CONN_DN 143 + #define SLAPI_CONN_CLIENTNETADDR 850 + #define SLAPI_CONN_SERVERNETADDR 851 ++#define SLAPI_CONN_CLIENTNETADDR_ACLIP 853 + #define SLAPI_CONN_IS_REPLICATION_SESSION 149 + #define SLAPI_CONN_IS_SSL_SESSION 747 + #define SLAPI_CONN_CERT 743 +-- +2.21.1 + diff --git a/SOURCES/0009-Ticket-50217-Implement-dsconf-security-section.patch b/SOURCES/0009-Ticket-50217-Implement-dsconf-security-section.patch deleted file mode 100644 index 0de98fd..0000000 --- a/SOURCES/0009-Ticket-50217-Implement-dsconf-security-section.patch +++ /dev/null 
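Review bot: On the cached path in DS_LASIpGetter (the `else` branch where `client_praddr = pb_client_praddr`), the unconditional `slapi_pblock_set(aclpb->aclpb_pblock, SLAPI_CONN_CLIENTNETADDR_ACLIP, client_praddr)` at the end hands the setter the pointer it already holds, and the new setter case in pblock.c frees `cin_addr_aclip` before storing `value`, so the connection and the subject property list are left pointing at freed memory, which the new frees in connection_cleanup()/connection_reset() would then release a second time. Either call the setter only in the branch that allocated, or guard the free: `if (pblock->pb_conn->cin_addr_aclip != (PRNetAddr *)value) slapi_ch_free((void **)&pblock->pb_conn->cin_addr_aclip);`. The same setter case also has no `break;` after `pthread_mutex_unlock`, so it falls through into `case SLAPI_CONN_IS_REPLICATION_SESSION:`, whose body lies mostly outside the hunk and presumably reads `value` as a different type. The getter returns the raw pointer after dropping `c_mutex`; whether another operation on the same connection can replace it in the meantime is not visible here and is worth confirming.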
@@ -1,457 +0,0 @@ -From 2307e77efb6a75091b9152f81a52c83b8282d61a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C3=BA=C5=A1=20Hon=C4=9Bk?= -Date: Thu, 31 Jan 2019 10:44:55 +0100 -Subject: [PATCH 05/12] Ticket 50217 - Implement dsconf security section - -Bug Description: -dsconf lacks options to configure security options - -Fix Description: -Implementing options to configure security related attributes and handle ciphers -configuration. - -Fixes: https://pagure.io/389-ds-base/issue/50217 - -Author: Matus Honek - -Review by: firstyear, mreynolds (Thanks!) ---- - src/lib389/cli/dsconf | 2 + - src/lib389/lib389/cli_conf/security.py | 244 +++++++++++++++++++++++++ - src/lib389/lib389/config.py | 97 +++++++++- - src/lib389/lib389/nss_ssl.py | 7 +- - 4 files changed, 343 insertions(+), 7 deletions(-) - create mode 100644 src/lib389/lib389/cli_conf/security.py - -diff --git a/src/lib389/cli/dsconf b/src/lib389/cli/dsconf -index f81516290..c0c0b4dfe 100755 ---- a/src/lib389/cli/dsconf -+++ b/src/lib389/cli/dsconf -@@ -32,6 +32,7 @@ from lib389.cli_conf import backup as cli_backup - from lib389.cli_conf import replication as cli_replication - from lib389.cli_conf import chaining as cli_chaining - from lib389.cli_conf import conflicts as cli_repl_conflicts -+from lib389.cli_conf import security as cli_security - from lib389.cli_base import disconnect_instance, connect_instance - from lib389.cli_base.dsrc import dsrc_to_ldap, dsrc_arg_concat - from lib389.cli_base import setup_script_logger -@@ -87,6 +88,7 @@ cli_plugin.create_parser(subparsers) - cli_pwpolicy.create_parser(subparsers) - cli_replication.create_parser(subparsers) - cli_sasl.create_parser(subparsers) -+cli_security.create_parser(subparsers) - cli_schema.create_parser(subparsers) - cli_repl_conflicts.create_parser(subparsers) - -diff --git a/src/lib389/lib389/cli_conf/security.py b/src/lib389/lib389/cli_conf/security.py -new file mode 100644 -index 000000000..6d8c1ae0f ---- /dev/null -+++ 
b/src/lib389/lib389/cli_conf/security.py -@@ -0,0 +1,244 @@ -+# --- BEGIN COPYRIGHT BLOCK --- -+# Copyright (C) 2019 Red Hat, Inc. -+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. -+# --- END COPYRIGHT BLOCK --- -+ -+from collections import OrderedDict, namedtuple -+import json -+ -+from lib389.config import Config, Encryption, RSA -+from lib389.nss_ssl import NssSsl -+ -+ -+Props = namedtuple('Props', ['cls', 'attr', 'help', 'values']) -+ -+onoff = ('on', 'off') -+protocol_versions = ('SSLv3', 'TLS1.0', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3', '') -+SECURITY_ATTRS_MAP = OrderedDict([ -+ ('security', Props(Config, 'nsslapd-security', -+ 'Enable or disable security', -+ onoff)), -+ ('listen-host', Props(Config, 'nsslapd-securelistenhost', -+ 'Host/address to listen on for LDAPS', -+ str)), -+ ('secure-port', Props(Config, 'nsslapd-securePort', -+ 'Port for LDAPS to listen on', -+ range(1, 65536))), -+ ('tls-client-auth', Props(Config, 'nsSSLClientAuth', -+ 'Client authentication requirement', -+ ('off', 'allowed', 'required'))), -+ ('require-secure-authentication', Props(Config, 'nsslapd-require-secure-binds', -+ 'Require binds over LDAPS, StartTLS, or SASL', -+ onoff)), -+ ('check-hostname', Props(Config, 'nsslapd-ssl-check-hostname', -+ 'Check Subject of remote certificate against the hostname', -+ onoff)), -+ ('verify-cert-chain-on-startup', Props(Config, 'nsslapd-validate-cert', -+ 'Validate server certificate during startup', -+ ('warn', *onoff))), -+ ('session-timeout', Props(Encryption, 'nsSSLSessionTimeout', -+ 'Secure session timeout', -+ int)), -+ ('tls-protocol-min', Props(Encryption, 'sslVersionMin', -+ 'Secure protocol minimal allowed version', -+ protocol_versions)), -+ ('tls-protocol-max', Props(Encryption, 'sslVersionMax', -+ 'Secure protocol maximal allowed version', -+ protocol_versions)), -+ ('allow-insecure-ciphers', Props(Encryption, 'allowWeakCipher', -+ 'Allow weak ciphers for legacy use', -+ 
onoff)), -+ ('allow-weak-dh-param', Props(Encryption, 'allowWeakDHParam', -+ 'Allow short DH params for legacy use', -+ onoff)), -+]) -+ -+RSA_ATTRS_MAP = OrderedDict([ -+ ('tls-allow-rsa-certificates', Props(RSA, 'nsSSLActivation', -+ 'Activate use of RSA certificates', -+ onoff)), -+ ('nss-cert-name', Props(RSA, 'nsSSLPersonalitySSL', -+ 'Server certificate name in NSS DB', -+ str)), -+ ('nss-token', Props(RSA, 'nsSSLToken', -+ 'Security token name (module of NSS DB)', -+ str)) -+]) -+ -+ -+def _security_generic_get(inst, basedn, logs, args, attrs_map): -+ result = {} -+ for attr, props in attrs_map.items(): -+ val = props.cls(inst).get_attr_val_utf8(props.attr) -+ result[props.attr] = val -+ if args.json: -+ print(json.dumps({'type': 'list', 'items': result})) -+ else: -+ print('\n'.join([f'{attr}: {value or ""}' for attr, value in result.items()])) -+ -+ -+def _security_generic_set(inst, basedn, logs, args, attrs_map): -+ for attr, props in attrs_map.items(): -+ arg = getattr(args, attr.replace('-', '_')) -+ if arg is None: -+ continue -+ dsobj = props.cls(inst) -+ dsobj.replace(props.attr, arg) -+ -+ -+def _security_generic_get_parser(parent, attrs_map, help): -+ p = parent.add_parser('get', help=help) -+ p.set_defaults(func=lambda *args: _security_generic_get(*args, attrs_map)) -+ return p -+ -+ -+def _security_generic_set_parser(parent, attrs_map, help, description): -+ p = parent.add_parser('set', help=help, description=description) -+ p.set_defaults(func=lambda *args: _security_generic_set(*args, attrs_map)) -+ for opt, params in attrs_map.items(): -+ p.add_argument(f'--{opt}', help=f'{params[2]} ({params[1]})') -+ return p -+ -+ -+def _security_ciphers_change(mode, ciphers, inst, log): -+ log = log.getChild('_security_ciphers_change') -+ if ('default' in ciphers) or ('all' in ciphers): -+ log.error(('Use ciphers\' names only. Keywords "default" and "all" are ignored. 
' -+ 'Please, instead specify them manually using \'set\' command.')) -+ return -+ enc = Encryption(inst) -+ if enc.change_ciphers(mode, ciphers) is False: -+ log.error('Setting new ciphers failed.') -+ -+ -+def _security_generic_toggle(inst, basedn, log, args, cls, attr, value, thing): -+ cls(inst).set(attr, value) -+ -+ -+def _security_generic_toggle_parsers(parent, cls, attr, help_pattern): -+ def add_parser(action, value): -+ p = parent.add_parser(action.lower(), help=help_pattern.format(action)) -+ p.set_defaults(func=lambda *args: _security_generic_toggle(*args, cls, attr, value, action)) -+ return p -+ -+ return list(map(add_parser, ('Enable', 'Disable'), ('on', 'off'))) -+ -+ -+def security_enable(inst, basedn, log, args): -+ dbpath = inst.get_cert_dir() -+ tlsdb = NssSsl(dbpath=dbpath) -+ if not tlsdb._db_exists(even_partial=True): # we want to be very careful -+ log.info(f'Secure database does not exist. Creating a new one in {dbpath}.') -+ tlsdb.reinit() -+ -+ Config(inst).set('nsslapd-security', 'on') -+ -+ -+def security_disable(inst, basedn, log, args): -+ Config(inst).set('nsslapd-security', 'off') -+ -+ -+def security_ciphers_enable(inst, basedn, log, args): -+ _security_ciphers_change('+', args.cipher, inst, log) -+ -+ -+def security_ciphers_disable(inst, basedn, log, args): -+ _security_ciphers_change('-', args.cipher, inst, log) -+ -+ -+def security_ciphers_set(inst, basedn, log, args): -+ enc = Encryption(inst) -+ enc.ciphers = args.cipher_string.split(',') -+ -+ -+def security_ciphers_get(inst, basedn, log, args): -+ enc = Encryption(inst) -+ if args.json: -+ print({'type': 'list', 'items': enc.ciphers}) -+ else: -+ val = ','.join(enc.ciphers) -+ print(val if val != '' else '') -+ -+ -+def security_ciphers_list(inst, basedn, log, args): -+ enc = Encryption(inst) -+ -+ if args.enabled: -+ lst = enc.enabled_ciphers -+ elif args.supported: -+ lst = enc.supported_ciphers -+ elif args.disabled: -+ lst = set(enc.supported_ciphers) - 
set(enc.enabled_ciphers) -+ else: -+ lst = enc.ciphers -+ -+ if args.json: -+ print(json.dumps({'type': 'list', 'items': lst})) -+ else: -+ if lst == []: -+ log.getChild('security').warn('List of ciphers is empty') -+ else: -+ print(*lst, sep='\n') -+ -+ -+def create_parser(subparsers): -+ security = subparsers.add_parser('security', help='Query and manipulate security options') -+ security_sub = security.add_subparsers(help='security') -+ security_set = _security_generic_set_parser(security_sub, SECURITY_ATTRS_MAP, 'Set general security options', -+ ('Use this command for setting security related options located in cn=config and cn=encryption,cn=config.' -+ '\n\nTo enable/disable security you can use enable and disable commands instead.')) -+ security_get = _security_generic_get_parser(security_sub, SECURITY_ATTRS_MAP, 'Get general security options') -+ security_enable_p = security_sub.add_parser('enable', help='Enable security', description=( -+ 'If missing, create security database, then turn on security functionality. Please note this is usually not' -+ ' enought for TLS connections to work - proper setup of CA and server certificate is necessary.')) -+ security_enable_p.set_defaults(func=security_enable) -+ security_disable_p = security_sub.add_parser('disable', help='Disable security', description=( -+ 'Turn off security functionality. The rest of the configuration will be left untouched.')) -+ security_disable_p.set_defaults(func=security_disable) -+ -+ rsa = security_sub.add_parser('rsa', help='Query and mainpulate RSA security options') -+ rsa_sub = rsa.add_subparsers(help='rsa') -+ rsa_set = _security_generic_set_parser(rsa_sub, RSA_ATTRS_MAP, 'Set RSA security options', -+ ('Use this command for setting RSA (private key) related options located in cn=RSA,cn=encryption,cn=config.' 
-+ '\n\nTo enable/disable RSA you can use enable and disable commands instead.')) -+ rsa_get = _security_generic_get_parser(rsa_sub, RSA_ATTRS_MAP, 'Get RSA security options') -+ rsa_toggles = _security_generic_toggle_parsers(rsa_sub, RSA, 'nsSSLActivation', '{} RSA') -+ -+ ciphers = security_sub.add_parser('ciphers', help='Manage secure ciphers') -+ ciphers_sub = ciphers.add_subparsers(help='ciphers') -+ -+ ciphers_enable = ciphers_sub.add_parser('enable', help='Enable ciphers', description=( -+ 'Use this command to enable specific ciphers.')) -+ ciphers_enable.set_defaults(func=security_ciphers_enable) -+ ciphers_enable.add_argument('cipher', nargs='+') -+ -+ ciphers_disable = ciphers_sub.add_parser('disable', help='Disable ciphers', description=( -+ 'Use this command to disable specific ciphers.')) -+ ciphers_disable.set_defaults(func=security_ciphers_disable) -+ ciphers_disable.add_argument('cipher', nargs='+') -+ -+ ciphers_get = ciphers_sub.add_parser('get', help='Get ciphers attribute', description=( -+ 'Use this command to get contents of nsSSL3Ciphers attribute.')) -+ ciphers_get.set_defaults(func=security_ciphers_get) -+ -+ ciphers_set = ciphers_sub.add_parser('set', help='Set ciphers attribute', description=( -+ 'Use this command to directly set nsSSL3Ciphers attribute. It is a comma separated list ' -+ 'of cipher names (prefixed with + or -), optionaly including +all or -all. The attribute ' -+ 'may optionally be prefixed by keyword default. Please refer to documentation of ' -+ 'the attribute for a more detailed description.')) -+ ciphers_set.set_defaults(func=security_ciphers_set) -+ ciphers_set.add_argument('cipher_string', metavar='cipher-string') -+ -+ ciphers_list = ciphers_sub.add_parser('list', help='List ciphers', description=( -+ 'List secure ciphers. 
Without arguments, list ciphers as configured in nsSSL3Ciphers attribute.')) -+ ciphers_list.set_defaults(func=security_ciphers_list) -+ ciphers_list_group = ciphers_list.add_mutually_exclusive_group() -+ ciphers_list_group.add_argument('--enabled', action='store_true', -+ help='Only enabled ciphers') -+ ciphers_list_group.add_argument('--supported', action='store_true', -+ help='Only supported ciphers') -+ ciphers_list_group.add_argument('--disabled', action='store_true', -+ help='Only supported ciphers without enabled ciphers') -diff --git a/src/lib389/lib389/config.py b/src/lib389/lib389/config.py -index b462585df..c2a34fa07 100644 ---- a/src/lib389/lib389/config.py -+++ b/src/lib389/lib389/config.py -@@ -1,5 +1,5 @@ - # --- BEGIN COPYRIGHT BLOCK --- --# Copyright (C) 2015 Red Hat, Inc. -+# Copyright (C) 2019 Red Hat, Inc. - # All rights reserved. - # - # License: GPL (version 3 or any later version). -@@ -202,14 +202,16 @@ class Config(DSLdapObject): - return DSCLE0002 - return None - -+ - class Encryption(DSLdapObject): - """ - Manage "cn=encryption,cn=config" tree, including: - - ssl ciphers - - ssl / tls levels - """ -- def __init__(self, conn): -+ def __init__(self, conn, dn=None): - """@param conn - a DirSrv instance """ -+ assert dn is None # compatibility with Config class - super(Encryption, self).__init__(instance=conn) - self._dn = 'cn=encryption,%s' % DN_CONFIG - self._create_objectclasses = ['top', 'nsEncryptionConfig'] -@@ -225,11 +227,97 @@ class Encryption(DSLdapObject): - super(Encryption, self).create(properties=properties) - - def _lint_check_tls_version(self): -- tls_min = self.get_attr_val('sslVersionMin'); -+ tls_min = self.get_attr_val('sslVersionMin') - if tls_min < ensure_bytes('TLS1.1'): - return DSELE0001 - return None - -+ @property -+ def ciphers(self): -+ """List of requested ciphers. 
-+ -+ Each is represented by a string, either of: -+ - "+all" or "-all" -+ - TLS cipher RFC name, prefixed with either "+" or "-" -+ -+ Optionally, first element may be a string "default". -+ -+ :returns: list of str -+ """ -+ val = self.get_attr_val_utf8('nsSSL3Ciphers') -+ return val.split(',') if val else [] -+ -+ @ciphers.setter -+ def ciphers(self, ciphers): -+ """List of requested ciphers. -+ -+ :param ciphers: Ciphers to enable -+ :type ciphers: list of str -+ """ -+ self.set('nsSSL3Ciphers', ','.join(ciphers)) -+ self._log.info('Remeber to restart the server to apply the new cipher set.') -+ self._log.info('Some ciphers may be disabled anyway due to allowWeakCipher attribute.') -+ -+ def _get_listed_ciphers(self, attr): -+ """Remove features of ciphers that come after first :: occurence.""" -+ return [c[:c.index('::')] for c in self.get_attr_vals_utf8(attr)] -+ -+ @property -+ def enabled_ciphers(self): -+ """List currently enabled ciphers. -+ -+ :returns: list of str -+ """ -+ return self._get_listed_ciphers('nsSSLEnabledCiphers') -+ -+ @property -+ def supported_ciphers(self): -+ """List currently supported ciphers. -+ -+ :returns: list of str -+ """ -+ return self._get_listed_ciphers('nsSSLSupportedCiphers') -+ -+ def _check_ciphers_supported(self, ciphers): -+ good = True -+ for c in ciphers: -+ if c not in self.supported_ciphers: -+ self._log.warn(f'Cipher {c} is not supported.') -+ good = False -+ return good -+ -+ def change_ciphers(self, mode, ciphers): -+ """Enable or disable ciphers of the nsSSL3Ciphers attribute. 
-+ -+ :param mode: '+'/'-' string to enable/disable the ciphers -+ :type mode: str -+ :param ciphers: List of ciphers to enable/disable -+ :type ciphers: list of string -+ -+ :returns: False if some cipher is not supported -+ """ -+ if ('default' in ciphers) or 'all' in ciphers: -+ raise NotImplementedError('Processing "default" and "all" is not implemented.') -+ if not self._check_ciphers_supported(ciphers): -+ return False -+ -+ if mode == '+': -+ to_change = [c for c in ciphers if c not in self.enabled_ciphers] -+ elif mode == '-': -+ to_change = [c for c in ciphers if c in self.enabled_ciphers] -+ else: -+ raise ValueError('Incorrect mode. Use - or + sign.') -+ if len(to_change) != len(ciphers): -+ self._log.info( -+ ('Applying changes only for the following ciphers, the rest is up to date. ' -+ 'If this does not seem to be correct, please make sure the effective ' -+ 'set of enabled ciphers is up to date with configured ciphers ' -+ '- a server restart is needed for these to be applied.\n' -+ f'... {to_change}')) -+ cleaned = [c for c in self.ciphers if c[1:] not in to_change] -+ self.ciphers = cleaned + list(map(lambda c: mode + c, to_change)) -+ -+ - class RSA(DSLdapObject): - """ - Manage the "cn=RSA,cn=encryption,cn=config" object -@@ -237,8 +325,9 @@ class RSA(DSLdapObject): - - Database path - - ssl token name - """ -- def __init__(self, conn): -+ def __init__(self, conn, dn=None): - """@param conn - a DirSrv instance """ -+ assert dn is None # compatibility with Config class - super(RSA, self).__init__(instance=conn) - self._dn = 'cn=RSA,cn=encryption,%s' % DN_CONFIG - self._create_objectclasses = ['top', 'nsEncryptionModule'] -diff --git a/src/lib389/lib389/nss_ssl.py b/src/lib389/lib389/nss_ssl.py -index 7a8f2a5bd..a54095cd4 100644 ---- a/src/lib389/lib389/nss_ssl.py -+++ b/src/lib389/lib389/nss_ssl.py -@@ -162,11 +162,12 @@ only. 
- self.log.debug("nss output: %s", result) - return True - -- def _db_exists(self): -+ def _db_exists(self, even_partial=False): - """Check that a nss db exists at the certpath""" - -- if all(map(os.path.exists, self.db_files["dbm_backend"])) or \ -- all(map(os.path.exists, self.db_files["sql_backend"])): -+ fn = any if even_partial else all -+ if fn(map(os.path.exists, self.db_files["dbm_backend"])) or \ -+ fn(map(os.path.exists, self.db_files["sql_backend"])): - return True - return False - --- -2.21.0 - diff --git a/SOURCES/0009-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch b/SOURCES/0009-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch new file mode 100644 index 0000000..3b48ca4 --- /dev/null +++ b/SOURCES/0009-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch 
@@ -0,0 +1,125 @@ +From 4ea3c4aa8118933fd22721dcf9b9e6c4a498736c Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Mon, 25 Nov 2019 10:59:44 +0100 +Subject: [PATCH] Ticket 50736 - RetroCL trimming may crash at shutdown if + trimming configuration is invalid + +Bug Description: + If config of retroCL trimming contains invalid value for trim-interval + and/or maxage, then the trimming initialization is skipped. + In such case the trimming structures are not allocated and if they + are freed at shutdown it triggers a crash + +Fix Description: + When trimming mechanism is stopped (at shutdown) check that + it was successfully initialized before freeing the structs + +https://pagure.io/389-ds-base/issue/50736 + +Reviewed by: Mark Reynolds + +Platforms tested: F30 + +Flag Day: no + +Doc impact: no +--- + .../suites/replication/changelog_test.py | 47 +++++++++++++++++++ + ldap/servers/plugins/retrocl/retrocl_trim.c | 17 ++++--- + 2 files changed, 58 insertions(+), 6 deletions(-) + +diff --git a/dirsrvtests/tests/suites/replication/changelog_test.py b/dirsrvtests/tests/suites/replication/changelog_test.py +index a257e0272..e648478d0 100644 +--- a/dirsrvtests/tests/suites/replication/changelog_test.py ++++ b/dirsrvtests/tests/suites/replication/changelog_test.py +@@ -16,6 +16,8 @@ from lib389.replica import Replicas + from lib389.idm.user import UserAccounts + from lib389.topologies import topology_m2 as topo + from lib389._constants import * ++from lib389.plugins import RetroChangelogPlugin ++from lib389.dseldif import DSEldif + from lib389.tasks import * + from lib389.utils import * + +@@ -452,6 +454,51 @@ def test_retrochangelog_maxage(topo, changelog_init): + + topo.ms["master1"].log.info("ticket47669 was successfully verified.") + ++@pytest.mark.ds50736 ++def test_retrochangelog_trimming_crash(topo, changelog_init): ++ """Check that when retroCL nsslapd-retrocthangelog contains invalid ++ value, then the instance does not crash at shutdown ++ ++ :id: 
5d9bd7ca-e9bf-4be9-8fc8-902aa5513052 ++ :setup: Replication with two master, change nsslapd-changelogdir to ++ '/var/lib/dirsrv/slapd-master1/changelog' and ++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on' ++ :steps: ++ 1. Set nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config to value '-1' ++ This value is invalid. To disable retroCL trimming it should be set to 0 ++ 2. Do several restart ++ 3. check there is no 'Detected Disorderly Shutdown' message (crash) ++ 4. restore valid value for nsslapd-changelogmaxage '1w' ++ ++ :expectedresults: ++ 1. Operation should be successful ++ 2. Operation should be successful ++ 3. Operation should be successful ++ 4. Operation should be successful ++ """ ++ log.info('1. Test retroCL trimming crash in cn=Retro Changelog Plugin,cn=plugins,cn=config') ++ ++ # set the nsslapd-changelogmaxage directly on dse.ldif ++ # because the set value is invalid ++ topo.ms["master1"].log.info("ticket50736 start verification") ++ topo.ms["master1"].stop() ++ retroPlugin = RetroChangelogPlugin(topo.ms["master1"]) ++ dse_ldif = DSEldif(topo.ms["master1"]) ++ dse_ldif.replace(retroPlugin.dn, 'nsslapd-changelogmaxage', '-1') ++ topo.ms["master1"].start() ++ ++ # The crash should be systematic, but just in case do several restart ++ # with a delay to let all plugin init ++ for i in range(5): ++ time.sleep(1) ++ topo.ms["master1"].stop() ++ topo.ms["master1"].start() ++ ++ assert not topo.ms["master1"].detectDisorderlyShutdown() ++ ++ topo.ms["master1"].log.info("ticket 50736 was successfully verified.") ++ ++ + + if __name__ == '__main__': + # Run isolated +diff --git a/ldap/servers/plugins/retrocl/retrocl_trim.c b/ldap/servers/plugins/retrocl/retrocl_trim.c +index a46534984..0378eb7f6 100644 +--- a/ldap/servers/plugins/retrocl/retrocl_trim.c ++++ b/ldap/servers/plugins/retrocl/retrocl_trim.c +@@ -481,11 +481,16 @@ retrocl_init_trimming(void) + void + retrocl_stop_trimming(void) + { +- retrocl_trimming = 0; +- if 
(retrocl_trim_ctx) { +- slapi_eq_cancel(retrocl_trim_ctx); +- retrocl_trim_ctx = NULL; ++ if (retrocl_trimming) { ++ /* RetroCL trimming config was valid and trimming struct allocated ++ * Let's free them ++ */ ++ retrocl_trimming = 0; ++ if (retrocl_trim_ctx) { ++ slapi_eq_cancel(retrocl_trim_ctx); ++ retrocl_trim_ctx = NULL; ++ } ++ PR_DestroyLock(ts.ts_s_trim_mutex); ++ ts.ts_s_trim_mutex = NULL; + } +- PR_DestroyLock(ts.ts_s_trim_mutex); +- ts.ts_s_trim_mutex = NULL; + } +-- +2.21.1 + diff --git a/SOURCES/0010-Issue-50431-Fix-regression-from-coverity-fix.patch b/SOURCES/0010-Issue-50431-Fix-regression-from-coverity-fix.patch deleted file mode 100644 index 0f60f04..0000000 --- a/SOURCES/0010-Issue-50431-Fix-regression-from-coverity-fix.patch +++ /dev/null 
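Review bot: In the added `test_retrochangelog_trimming_crash` (changelog_test.py, carried by patch 0009), step 4 of the docstring promises to restore `nsslapd-changelogmaxage` to '1w', but no line of the test does so. The invalid '-1' written with `dse_ldif.replace(...)` therefore stays in dse.ldif for whatever runs next on the same instance. I would restore it at the end, ideally in a finalizer so it also runs when the assert fails: stop the instance, `dse_ldif.replace(retroPlugin.dn, 'nsslapd-changelogmaxage', '1w')`, then start it again. The docstring also misspells the attribute as `nsslapd-retrocthangelog`. On the C side, `retrocl_stop_trimming` now gates `PR_DestroyLock` on `retrocl_trimming`; where that flag is set is not visible here, so a NULL check on `ts.ts_s_trim_mutex` would be a more direct guard.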
@@ -1,35 +0,0 @@
-From ae86b58838fc3cc5978312b61613c10ce7fb6aa0 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 8 Jul 2019 14:00:28 -0400
-Subject: [PATCH 06/12] Issue 50431 - Fix regression from coverity fix
-
-Description: Fix a regression from the initial coverity commit that
- caused the memebrOf groupattrs to become corrupted and
- crash the server.
-
-https://pagure.io/389-ds-base/issue/50431
-
-Reviewed by: vashirov(Thanks!)
----
- ldap/servers/plugins/memberof/memberof_config.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/ldap/servers/plugins/memberof/memberof_config.c b/ldap/servers/plugins/memberof/memberof_config.c
-index 124217ee0..6729c3a7e 100644
---- a/ldap/servers/plugins/memberof/memberof_config.c
-+++ b/ldap/servers/plugins/memberof/memberof_config.c
-@@ -550,8 +550,9 @@ memberof_apply_config(Slapi_PBlock *pb __attribute__((unused)),
- }
-
- /* Build the new list */
-- for (i = 0; theConfig.group_slapiattrs && theConfig.group_slapiattrs[i] &&
-- theConfig.groupattrs && theConfig.groupattrs[i]; i++)
-+ for (i = 0; theConfig.group_slapiattrs &&
-+ theConfig.groupattrs &&
-+ theConfig.groupattrs[i]; i++)
- {
- theConfig.group_slapiattrs[i] = slapi_attr_new();
- slapi_attr_init(theConfig.group_slapiattrs[i], theConfig.groupattrs[i]);
---
-2.21.0
-
diff --git a/SOURCES/0010-Issue-50806-Fix-minor-issues-in-lib389-health-checks.patch b/SOURCES/0010-Issue-50806-Fix-minor-issues-in-lib389-health-checks.patch
new file mode 100644
index 0000000..f071219
--- /dev/null
+++ b/SOURCES/0010-Issue-50806-Fix-minor-issues-in-lib389-health-checks.patch
@@ -0,0 +1,111 @@ +From 5f4281601966e9edeabdcec0e9f934c79d4ad8ed Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 10 Jan 2020 10:29:02 -0500 +Subject: [PATCH] Issue 50806 - Fix minor issues in lib389 health checks + +Description: For permissions checks, add a list of permissions + that is acceptable instead of single value. + + For RI plugin attribute indexing checks, we now check + if a container scope is specified. If it is set, we + skip all the other backends that are not in the scope. + This prevents false positives. + +relates: https://pagure.io/389-ds-base/issue/50806 + +Reviewed by: mhonek(Thanks!) +--- + src/lib389/lib389/dseldif.py | 40 +++++++++++++++++++++++++----------- + src/lib389/lib389/plugins.py | 13 ++++++++++-- + 2 files changed, 39 insertions(+), 14 deletions(-) + +diff --git a/src/lib389/lib389/dseldif.py b/src/lib389/lib389/dseldif.py +index 4155abcdd..fbb50623b 100644 +--- a/src/lib389/lib389/dseldif.py ++++ b/src/lib389/lib389/dseldif.py +@@ -168,13 +168,27 @@ class FSChecks(object): + self.dirsrv = dirsrv + self._certdb = self.dirsrv.get_cert_dir() + self.ds_files = [ +- ('/etc/resolv.conf', '644', DSPERMLE0001), +- (self._certdb + "/pin.txt", '600', DSPERMLE0002), +- (self._certdb + "/pwdfile.txt", '600', DSPERMLE0002), ++ { ++ 'name': '/etc/resolv.conf', ++ 'perms': [644], ++ 'report': DSPERMLE0001 ++ }, ++ { ++ 'name': self._certdb + "/pin.txt", ++ 'perms': [400, 600], ++ 'report': DSPERMLE0002 ++ }, ++ { ++ 'name': self._certdb + "/pwdfile.txt", ++ 'perms': [400, 600], ++ 'report': DSPERMLE0002 ++ }, + ] + self._lint_functions = [self._lint_file_perms] + + def lint(self): ++ """Run a lint/healthcheck for this class ++ """ + results = [] + for fn in self._lint_functions: + for result in fn(): +@@ -183,14 +197,16 @@ class FSChecks(object): + return results + + def _lint_file_perms(self): +- # Check file permissions are correct ++ """Test file permissions are safe ++ """ + for ds_file in self.ds_files: +- perms = 
str(oct(os.stat(ds_file[0])[ST_MODE])[-3:]) +- if perms != ds_file[1]: +- report = copy.deepcopy(ds_file[2]) +- report['items'].append(ds_file[0]) +- report['detail'] = report['detail'].replace('FILE', ds_file[0]) +- report['detail'] = report['detail'].replace('PERMS', ds_file[1]) +- report['fix'] = report['fix'].replace('FILE', ds_file[0]) +- report['fix'] = report['fix'].replace('PERMS', ds_file[1]) ++ perms = int(oct(os.stat(ds_file['name'])[ST_MODE])[-3:]) ++ if perms not in ds_file['perms']: ++ perms = str(ds_file['perms'][0]) ++ report = copy.deepcopy(ds_file['report']) ++ report['items'].append(ds_file['name']) ++ report['detail'] = report['detail'].replace('FILE', ds_file['name']) ++ report['detail'] = report['detail'].replace('PERMS', perms) ++ report['fix'] = report['fix'].replace('FILE', ds_file['name']) ++ report['fix'] = report['fix'].replace('PERMS', perms) + yield report +diff --git a/src/lib389/lib389/plugins.py b/src/lib389/lib389/plugins.py +index 97c5d1d3b..0775e464f 100644 +--- a/src/lib389/lib389/plugins.py ++++ b/src/lib389/lib389/plugins.py +@@ -455,10 +455,19 @@ class ReferentialIntegrityPlugin(Plugin): + if self.status(): + from lib389.backend import Backends + backends = Backends(self._instance).list() ++ attrs = self.get_attr_vals_utf8_l("referint-membership-attr") ++ container = self.get_attr_val_utf8_l("nsslapd-plugincontainerscope") + for backend in backends: +- indexes = backend.get_indexes() + suffix = backend.get_attr_val_utf8_l('nsslapd-suffix') +- attrs = self.get_attr_vals_utf8_l("referint-membership-attr") ++ if suffix == "cn=changelog": ++ # Always skip retro changelog ++ continue ++ if container is not None: ++ # Check if this backend is in the scope ++ if not container.endswith(suffix): ++ # skip this backend that is not in the scope ++ continue ++ indexes = backend.get_indexes() + for attr in attrs: + report = copy.deepcopy(DSRILE0002) + try: +-- +2.21.1 + 
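Review bot: `_lint_file_perms` in dseldif.py accepts `pin.txt` and `pwdfile.txt` on mode bits alone. It never looks at `st_uid`/`st_gid`, so a 600 file owned by an account other than the server's passes, and because only the last three octal digits are kept (`oct(...)[-3:]`) any setuid, setgid or sticky bit is ignored as well. Comparing `stat.S_IMODE(os.stat(name).st_mode)` against octal literals (`'perms': [0o400, 0o600]`) and adding an owner check would close both gaps; which account should own the files is not visible here, so that part needs the instance's configured user. The failing branch also overwrites `perms` with `ds_file['perms'][0]`, so the report shows the recommended mode but never the mode that was actually found.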
diff --git a/SOURCES/0011-Issue-50599-Remove-db-region-files-prior-to-db-recov.patch b/SOURCES/0011-Issue-50599-Remove-db-region-files-prior-to-db-recov.patch
new file mode 100644
index 0000000..9abbbc3
--- /dev/null
+++ b/SOURCES/0011-Issue-50599-Remove-db-region-files-prior-to-db-recov.patch
@@ -0,0 +1,264 @@ +From 74525da09050809a55e2c6bba4c42b27d5326a8f Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Sun, 12 Jan 2020 20:11:07 -0500 +Subject: [PATCH] Issue 50599 - Remove db region files prior to db recovery + +Bug Description: If the server crashes then the region files can become + corrupted and this prevents the server from starting. + +Fix Description: If we encounter a disorderly shutdown, then remove + the region files so there is a clean slate to start + with. + + Also cleaned up function typo: slapi_disordely_shutdown + +relates: https://pagure.io/389-ds-base/issue/50599 + +Reviewed by: firstyear & lkrispen (Thanks!!) +--- + .../plugins/replication/repl5_replica.c | 4 +- + .../slapd/back-ldbm/db-bdb/bdb_layer.c | 88 ++++++++++--------- + ldap/servers/slapd/plugin.c | 8 +- + ldap/servers/slapd/slapi-plugin.h | 2 +- + 4 files changed, 54 insertions(+), 48 deletions(-) + +diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c +index 94507bff8..02caa88d9 100644 +--- a/ldap/servers/plugins/replication/repl5_replica.c ++++ b/ldap/servers/plugins/replication/repl5_replica.c +@@ -1657,7 +1657,7 @@ replica_check_for_data_reload(Replica *r, void *arg __attribute__((unused))) + * sessions. + */ + +- if (slapi_disordely_shutdown(PR_FALSE)) { ++ if (slapi_disorderly_shutdown(PR_FALSE)) { + slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "replica_check_for_data_reload - " + "Disorderly shutdown for replica %s. 
Check if DB RUV needs to be updated\n", + slapi_sdn_get_dn(r->repl_root)); +@@ -1701,7 +1701,7 @@ replica_check_for_data_reload(Replica *r, void *arg __attribute__((unused))) + slapi_sdn_get_dn(r->repl_root)); + rc = 0; + } +- } /* slapi_disordely_shutdown */ ++ } /* slapi_disorderly_shutdown */ + + object_release(ruv_obj); + } else /* we have no changes currently logged for this replica */ +diff --git a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c +index 10f6d401e..2103dac38 100644 +--- a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c ++++ b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c +@@ -15,6 +15,8 @@ + #include + #include + #include ++#include ++ + + #define DB_OPEN(oflags, db, txnid, file, database, type, flags, mode, rval) \ + { \ +@@ -990,10 +992,9 @@ bdb_start(struct ldbminfo *li, int dbmode) + return_value = dblayer_grok_directory(region_dir, + DBLAYER_DIRECTORY_READWRITE_ACCESS); + if (0 != return_value) { +- slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", "Can't start because the database " +- "directory \"%s\" either doesn't exist, or is not " +- "accessible\n", +- region_dir); ++ slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", ++ "Can't start because the database directory \"%s\" either doesn't exist, or is not accessible\n", ++ region_dir); + return return_value; + } + +@@ -1003,10 +1004,9 @@ bdb_start(struct ldbminfo *li, int dbmode) + return_value = dblayer_grok_directory(log_dir, + DBLAYER_DIRECTORY_READWRITE_ACCESS); + if (0 != return_value) { +- slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", "Can't start because the log " +- "directory \"%s\" either doesn't exist, or is not " +- "accessible\n", +- log_dir); ++ slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", ++ "Can't start because the log directory \"%s\" either doesn't exist, or is not accessible\n", ++ log_dir); + return return_value; + } + } +@@ -1057,15 +1057,27 @@ bdb_start(struct ldbminfo *li, int dbmode) + if (conf->bdb_recovery_required) { + 
open_flags |= DB_RECOVER; + if (DBLAYER_RESTORE_MODE & dbmode) { +- slapi_log_err(SLAPI_LOG_NOTICE, "bdb_start", "Recovering database after restore " +- "from archive.\n"); ++ slapi_log_err(SLAPI_LOG_NOTICE, "bdb_start", ++ "Recovering database after restore from archive.\n"); + } else if (DBLAYER_CLEAN_RECOVER_MODE & dbmode) { +- slapi_log_err(SLAPI_LOG_NOTICE, "bdb_start", "Clean up db environment and start " +- "from archive.\n"); ++ slapi_log_err(SLAPI_LOG_NOTICE, "bdb_start", ++ "Clean up db environment and start from archive.\n"); + } else { +- slapi_log_err(SLAPI_LOG_NOTICE, "bdb_start", "Detected Disorderly Shutdown last " +- "time Directory Server was running, recovering database.\n"); +- slapi_disordely_shutdown(PR_TRUE); ++ glob_t globbuf; ++ char file_pattern[MAXPATHLEN]; ++ ++ slapi_log_err(SLAPI_LOG_NOTICE, "bdb_start", ++ "Detected Disorderly Shutdown last time Directory Server was running, recovering database.\n"); ++ slapi_disorderly_shutdown(PR_TRUE); ++ ++ /* Better wipe out the region files to help ensure a clean start */ ++ PR_snprintf(file_pattern, MAXPATHLEN, "%s/%s", region_dir, "__db.*"); ++ if (glob(file_pattern, GLOB_DOOFFS, NULL, &globbuf) == 0) { ++ for (size_t i = 0; i < globbuf.gl_pathc; i++) { ++ remove(globbuf.gl_pathv[i]); ++ } ++ globfree(&globbuf); ++ } + } + } + switch (dbmode & DBLAYER_RESTORE_MASK) { +@@ -1121,7 +1133,7 @@ bdb_start(struct ldbminfo *li, int dbmode) + */ + if (conf->bdb_lock_config <= BDB_LOCK_NB_MIN) { + slapi_log_err(SLAPI_LOG_NOTICE, "bdb_start", "New max db lock count is too small. 
" +- "Resetting it to the default value %d.\n", ++ "Resetting it to the default value %d.\n", + BDB_LOCK_NB_MIN); + conf->bdb_lock_config = BDB_LOCK_NB_MIN; + } +@@ -1165,29 +1177,26 @@ bdb_start(struct ldbminfo *li, int dbmode) + if ((open_flags & DB_RECOVER) || (open_flags & DB_RECOVER_FATAL)) { + /* Recover, then close, then open again */ + int recover_flags = open_flags & ~DB_THREAD; +- + if (DBLAYER_CLEAN_RECOVER_MODE & dbmode) /* upgrade case */ + { + DB_ENV *thisenv = pEnv->bdb_DB_ENV; + return_value = thisenv->remove(thisenv, region_dir, DB_FORCE); + if (0 != return_value) { +- slapi_log_err(SLAPI_LOG_CRIT, +- "bdb_start", "Failed to remove old db env " +- "in %s: %s\n", +- region_dir, +- dblayer_strerror(return_value)); ++ slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", ++ "Failed to remove old db env in %s: %s\n", ++ region_dir, dblayer_strerror(return_value)); + return return_value; + } + dbmode = DBLAYER_NORMAL_MODE; + + if ((return_value = bdb_make_env(&pEnv, li)) != 0) { +- slapi_log_err(SLAPI_LOG_CRIT, +- "bdb_start", "Failed to create DBENV (returned: %d).\n", +- return_value); ++ slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", ++ "Failed to create DBENV (returned: %d).\n", return_value); + return return_value; + } + } + ++ + return_value = (pEnv->bdb_DB_ENV->open)( + pEnv->bdb_DB_ENV, + region_dir, +@@ -1201,27 +1210,25 @@ bdb_start(struct ldbminfo *li, int dbmode) + */ + slapi_log_err(SLAPI_LOG_CRIT, + "bdb_start", "mmap in opening database environment (recovery mode) " +- "failed trying to allocate %" PRIu64 " bytes. (OS err %d - %s)\n", ++ "failed trying to allocate %" PRIu64 " bytes. (OS err %d - %s)\n", + li->li_dbcachesize, return_value, dblayer_strerror(return_value)); + bdb_free_env(&priv->dblayer_env); + priv->dblayer_env = CATASTROPHIC; + } else { + slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", "Database Recovery Process FAILED. " +- "The database is not recoverable. err=%d: %s\n", ++ "The database is not recoverable. 
err=%d: %s\n", + return_value, dblayer_strerror(return_value)); +- slapi_log_err(SLAPI_LOG_CRIT, +- "bdb_start", "Please make sure there is enough disk space for " +- "dbcache (%" PRIu64 " bytes) and db region files\n", +- li->li_dbcachesize); ++ slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", ++ "Please make sure there is enough disk space for dbcache (%" PRIu64 " bytes) and db region files\n", ++ li->li_dbcachesize); + } + return return_value; + } else { + open_flags &= ~(DB_RECOVER | DB_RECOVER_FATAL); + pEnv->bdb_DB_ENV->close(pEnv->bdb_DB_ENV, 0); + if ((return_value = bdb_make_env(&pEnv, li)) != 0) { +- slapi_log_err(SLAPI_LOG_CRIT, +- "bdb_start", "Failed to create DBENV (returned: %d).\n", +- return_value); ++ slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", ++ "Failed to create DBENV (returned: %d).\n", return_value); + return return_value; + } + bdb_free_env(&priv->dblayer_env); +@@ -1288,16 +1295,15 @@ bdb_start(struct ldbminfo *li, int dbmode) + * https://blackflag.mcom.com/show_bug.cgi?id=557319 + * Crash ns-slapd while running scalab01 after restart slapd + */ +- slapi_log_err(SLAPI_LOG_CRIT, +- "bdb_start", "mmap in opening database environment " +- "failed trying to allocate %" PRIu64 " bytes. (OS err %d - %s)\n", +- li->li_dbcachesize, return_value, dblayer_strerror(return_value)); ++ slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", ++ "mmap in opening database environment failed trying to allocate %" PRIu64 " bytes. (OS err %d - %s)\n", ++ li->li_dbcachesize, return_value, dblayer_strerror(return_value)); + bdb_free_env(&priv->dblayer_env); + priv->dblayer_env = CATASTROPHIC; + } else { +- slapi_log_err(SLAPI_LOG_CRIT, +- "bdb_start", "Opening database environment (%s) failed. err=%d: %s\n", +- region_dir, return_value, dblayer_strerror(return_value)); ++ slapi_log_err(SLAPI_LOG_CRIT, "bdb_start", ++ "Opening database environment (%s) failed. 
err=%d: %s\n", ++ region_dir, return_value, dblayer_strerror(return_value)); + } + } + return return_value; +diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c +index b00c1bd8f..282b98738 100644 +--- a/ldap/servers/slapd/plugin.c ++++ b/ldap/servers/slapd/plugin.c +@@ -4383,14 +4383,14 @@ slapi_set_plugin_open_rootdn_bind(Slapi_PBlock *pb) + } + + PRBool +-slapi_disordely_shutdown(PRBool set) ++slapi_disorderly_shutdown(PRBool set) + { +- static PRBool is_disordely_shutdown = PR_FALSE; ++ static PRBool is_disorderly_shutdown = PR_FALSE; + + if (set) { +- is_disordely_shutdown = PR_TRUE; ++ is_disorderly_shutdown = PR_TRUE; + } +- return (is_disordely_shutdown); ++ return (is_disorderly_shutdown); + } + + /* +diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h +index 29a6238d9..50b8d12c8 100644 +--- a/ldap/servers/slapd/slapi-plugin.h ++++ b/ldap/servers/slapd/slapi-plugin.h +@@ -7900,7 +7900,7 @@ uint64_t slapi_str_to_u64(const char *s); + + void slapi_set_plugin_open_rootdn_bind(Slapi_PBlock *pb); + +-PRBool slapi_disordely_shutdown(PRBool set); ++PRBool slapi_disorderly_shutdown(PRBool set); + + /* + * Public entry extension getter/setter functions +-- +2.21.1 + diff --git a/SOURCES/0011-Ticket-50413-ds-replcheck-Always-display-the-Result-.patch b/SOURCES/0011-Ticket-50413-ds-replcheck-Always-display-the-Result-.patch deleted file mode 100644 index 661493f..0000000 --- a/SOURCES/0011-Ticket-50413-ds-replcheck-Always-display-the-Result-.patch +++ /dev/null 
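Review bot: In `bdb_start` (bdb_layer.c), `glob(file_pattern, GLOB_DOOFFS, NULL, &globbuf)` is called on an uninitialised `glob_t`. With `GLOB_DOOFFS`, glob() reads `globbuf.gl_offs` and reserves that many NULL slots at the front of `gl_pathv`, so the slot count is stack garbage and the loop starting at index 0 can hand NULL to `remove()` and stop short of the real matches. No offset slots are needed here, so pass no flag: `if (glob(file_pattern, 0, NULL, &globbuf) == 0) {`. The result of `remove()` is ignored as well; logging a failure would tell an operator that a possibly corrupted region file survived before recovery runs against it. `bdb_start` begins and ends outside this hunk.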
@@ -1,98 +0,0 @@ -From e064b0b340936756e5d35180eb68d121ae828de4 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 30 May 2019 15:38:27 -0400 -Subject: [PATCH 07/12] Ticket 50413 - ds-replcheck - Always display the Result - Summary - -Description: Previously we only printed a "Result Summary" if there - were no inconsistencies and the entry counts matched. - However, the entry counts do not need to match. So - this made the "Result Summary" checks too strict, and - if things were out of sync there was no Result Summary - printed at all. This fix just always prints a result - summary and it removes the entry count check. - -https://pagure.io/389-ds-base/issue/50413 - -Reviewed by: ? ---- - ldap/admin/src/scripts/ds-replcheck | 29 +++++++++++++++++------------ - 1 file changed, 17 insertions(+), 12 deletions(-) - -diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck -index 5d7295e50..4abb417af 100755 ---- a/ldap/admin/src/scripts/ds-replcheck -+++ b/ldap/admin/src/scripts/ds-replcheck -@@ -661,14 +661,14 @@ def do_offline_report(opts, output_file=None): - MLDIF = open(opts['mldif'], "r") - except Exception as e: - print('Failed to open Master LDIF: ' + str(e)) -- return None -+ return - - try: - RLDIF = open(opts['rldif'], "r") - except Exception as e: - print('Failed to open Replica LDIF: ' + str(e)) - MLDIF.close() -- return None -+ return - - # Verify LDIF Files - try: -@@ -679,7 +679,7 @@ def do_offline_report(opts, output_file=None): - print('Master LDIF file in invalid, aborting...') - MLDIF.close() - RLDIF.close() -- return None -+ return - try: - if opts['verbose']: - print("Validating Replica ldif file ({})...".format(opts['rldif'])) -@@ -688,7 +688,7 @@ def do_offline_report(opts, output_file=None): - print('Replica LDIF file is invalid, aborting...') - MLDIF.close() - RLDIF.close() -- return None -+ return - - # Get all the dn's, and entry counts - if opts['verbose']: -@@ -845,10 +845,13 @@ def 
do_offline_report(opts, output_file=None): - final_report += ('=====================================================\n\n') - for diff in diff_report: - final_report += ('%s\n' % (diff)) -- if missing_report == "" and len(diff_report) == 0 and m_count == r_count: -- final_report += ('\nResult\n') -- final_report += ('=====================================================\n\n') -- final_report += ('No differences between Master and Replica\n') -+ -+ final_report += ('\nResult\n') -+ final_report += ('=====================================================\n\n') -+ if missing_report == "" and len(diff_report) == 0: -+ final_report += ('No replication differences between Master and Replica\n') -+ else: -+ final_report += ('There are replication differences between Master and Replica\n') - - if output_file: - output_file.write(final_report) -@@ -1130,10 +1133,12 @@ def print_online_report(report, opts, output_file): - for diff in report['diff']: - final_report += ('%s\n' % (diff)) - -- if not missing and len(report['diff']) == 0 and report['m_count'] == report['r_count']: -- final_report += ('\nResult\n') -- final_report += ('=====================================================\n\n') -- final_report += ('No differences between Master and Replica\n') -+ final_report += ('\nResult\n') -+ final_report += ('=====================================================\n\n') -+ if not missing and len(report['diff']) == 0: -+ final_report += ('No replication differences between Master and Replica\n') -+ else: -+ final_report += ('There are replication differences between Master and Replica\n') - - if output_file: - output_file.write(final_report) --- -2.21.0 - diff --git a/SOURCES/0012-Issue-49239-Add-a-new-CI-test-case.patch b/SOURCES/0012-Issue-49239-Add-a-new-CI-test-case.patch deleted file mode 100644 index 81eab76..0000000 --- a/SOURCES/0012-Issue-49239-Add-a-new-CI-test-case.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From 2f42d3575b9dd781e7d351853df984db367507af Mon Sep 17 00:00:00 2001
-From: Akshay Adhikari
-Date: Wed, 26 Jun 2019 13:56:05 +0530
-Subject: [PATCH 08/12] Issue 49239 - Add a new CI test case
-
-Bug Description: ds-replcheck unreliable, showing false positives, showing missing tombstone entries
-in the report.
-
-Fix Description: Added a test case to check missing tombstone entries is not reported, also fixed
-py3 issue in ds-replcheck by explicitly adding bytes.
-
-Relates: https://pagure.io/389-ds-base/issue/49239
-
-Review by: vashirov, mreynolds (Thanks!)
----
- ldap/admin/src/scripts/ds-replcheck | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck
-index 4abb417af..30bcfd65d 100755
---- a/ldap/admin/src/scripts/ds-replcheck
-+++ b/ldap/admin/src/scripts/ds-replcheck
-@@ -142,7 +142,7 @@ def convert_entries(entries):
- continue
-
- # lowercase all the objectclass values (easier for tombstone checking)
-- oc_vals = new_entry.data['objectclass']
-+ oc_vals = ensure_list_str(new_entry.data['objectclass'])
- new_oc_vals = []
- for val in oc_vals:
- new_oc_vals.append(val.lower())
---
-2.21.0
-
diff --git a/SOURCES/0012-Issue-50798-incorrect-bytes-in-format-string-fix-imp.patch b/SOURCES/0012-Issue-50798-incorrect-bytes-in-format-string-fix-imp.patch
new file mode 100644
index 0000000..9551d31
--- /dev/null
+++ b/SOURCES/0012-Issue-50798-incorrect-bytes-in-format-string-fix-imp.patch
@@ -0,0 +1,45 @@
+From d9b1b71b87517d12b88464d5475baff4c6cc25ab Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 13 Jan 2020 17:17:40 -0500
+Subject: [PATCH] Issue 50798 - incorrect bytes in format string(fix import
+ issue)
+
+Description: The previous commit did not import ensure_list_str() from
+ utils.py
+
+relates: https://pagure.io/389-ds-base/issue/50798
+
+Reviewed by: mreynolds (one line commit rule)
+---
+ src/lib389/lib389/instance/remove.py | 2 +-
+ src/lib389/lib389/instance/setup.py | 1 +
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib389/lib389/instance/remove.py b/src/lib389/lib389/instance/remove.py
+index c9a872eb7..7a69da514 100644
+--- a/src/lib389/lib389/instance/remove.py
++++ b/src/lib389/lib389/instance/remove.py
+@@ -11,7 +11,7 @@ import shutil
+ import subprocess
+ import logging
+ from lib389.nss_ssl import NssSsl
+-from lib389.utils import selinux_label_port, assert_c
++from lib389.utils import selinux_label_port, assert_c, ensure_list_str
+
+
+ ######################## WARNING #############################
+diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py
+index bb0ff32f5..61ffc32ee 100644
+--- a/src/lib389/lib389/instance/setup.py
++++ b/src/lib389/lib389/instance/setup.py
+@@ -33,6 +33,7 @@ from lib389.utils import (
+ assert_c,
+ is_a_dn,
+ ensure_str,
++ ensure_list_str,
+ normalizeDN,
+ socket_check_open,
+ selinux_label_port,
+--
+2.21.1
+
diff --git a/SOURCES/0013-Issue-50824-dsctl-remove-fails-with-name-ensure_str-.patch b/SOURCES/0013-Issue-50824-dsctl-remove-fails-with-name-ensure_str-.patch
new file mode 100644
index 0000000..7afbc3d
--- /dev/null
+++ b/SOURCES/0013-Issue-50824-dsctl-remove-fails-with-name-ensure_str-.patch
@@ -0,0 +1,39 @@
+From 5f3f69533a2298cc0f2b45e17184c479b0708687 Mon Sep 17 00:00:00 2001
+From: Matus Honek
+Date: Thu, 16 Jan 2020 12:21:45 +0100
+Subject: [PATCH] Issue 50824 - dsctl remove fails with "name 'ensure_str' is
+ not defined"
+
+Bug Description:
+Missing import since commit c39c7bb.
+
+Fix Description:
+Add the import.
+
+Fixes https://pagure.io/389-ds-base/issue/50824
+
+Author: Matus Honek
+
+Review by: Mark (thanks!)
+
+(cherry picked from commit 4f9aafca9a9927812da5e37ce71d79d1fd23b25a)
+---
+ src/lib389/lib389/instance/remove.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib389/lib389/instance/remove.py b/src/lib389/lib389/instance/remove.py
+index 7a69da514..77f5a45f7 100644
+--- a/src/lib389/lib389/instance/remove.py
++++ b/src/lib389/lib389/instance/remove.py
+@@ -11,7 +11,7 @@ import shutil
+ import subprocess
+ import logging
+ from lib389.nss_ssl import NssSsl
+-from lib389.utils import selinux_label_port, assert_c, ensure_list_str
++from lib389.utils import selinux_label_port, assert_c, ensure_str, ensure_list_str
+
+
+ ######################## WARNING #############################
+--
+2.21.1
+
diff --git a/SOURCES/0013-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch b/SOURCES/0013-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch
deleted file mode 100644
index c06d4f2..0000000
--- a/SOURCES/0013-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From a4f09a83a8899b52e1cf6a96b75483c576dd5bb2 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz
-Date: Fri, 7 Jun 2019 11:35:46 +0200
-Subject: [PATCH] Ticket 50428 - Log the actual base DN when the search fails
- with "invalid attribute request"
-
-Bug Description:
- When a search request contains invalid parameters (attribute list with empty attribute
- name, unknown scope, invalid filter..) the search is rejected but the access log
- contains a wrong base search: ... SRCH base="(null)"...
- This is because it does not use for logging the variable that gather the actual base ('rawbase')
-
-Fix Description:
- Use 'rawbase' value for logging
-
-https://pagure.io/389-ds-base/issue/50428
-
-Reviewed by: Mark Reynolds
-
-Platforms tested: F28
-
-Flag Day: no
-
-Doc impact: no
----
- ldap/servers/slapd/search.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
-index 953227ba0..75accbba6 100644
---- a/ldap/servers/slapd/search.c
-+++ b/ldap/servers/slapd/search.c
-@@ -154,6 +154,7 @@ do_search(Slapi_PBlock *pb)
- goto free_and_return;
- }
- }
-+ base = rawbase;
-
- /*
- * ignore negative time and size limits since they make no sense
---
-2.21.0
-
diff --git a/SOURCES/0014-Issue-50474-Unify-result-codes-for-add-and-modify-of.patch b/SOURCES/0014-Issue-50474-Unify-result-codes-for-add-and-modify-of.patch
deleted file mode 100644
index 618e688..0000000
--- a/SOURCES/0014-Issue-50474-Unify-result-codes-for-add-and-modify-of.patch
+++ /dev/null
@@ -1,382 +0,0 @@ -From 62af3beb9b2a3137a76456f534db7be1b172210c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Mat=C3=BA=C5=A1=20Hon=C4=9Bk?= -Date: Wed, 16 Jan 2019 09:49:28 +0100 -Subject: [PATCH] Issue 50474 - Unify result codes for add and modify of repl5 - config - -Bug Description: -Same constraints resulting in error are reported as different LDAP -result codes when using different operation for adjusting these. - -Fix Description: -A part of the code had not conveyed the error reason down the stack, -therefore adding this information and returning the proper code. - -Fixes: https://pagure.io/389-ds-base/issue/50474 - -Author: Matus Honek - -Review by: mreynolds, spichugi (thanks!) ---- - .../suites/replication/replica_config_test.py | 25 +++++-- - ldap/servers/plugins/replication/repl5.h | 2 +- - .../plugins/replication/repl5_replica.c | 71 +++++++++++-------- - .../replication/repl5_replica_config.c | 3 +- - 4 files changed, 63 insertions(+), 38 deletions(-) - -diff --git a/dirsrvtests/tests/suites/replication/replica_config_test.py b/dirsrvtests/tests/suites/replication/replica_config_test.py -index 9a0e1b41f..3dc03713a 100644 ---- a/dirsrvtests/tests/suites/replication/replica_config_test.py -+++ b/dirsrvtests/tests/suites/replication/replica_config_test.py -@@ -4,7 +4,6 @@ import copy - import os - import ldap - from lib389._constants import * --from lib389 import Entry - from lib389.topologies import topology_st as topo - - from lib389.replica import Replicas -@@ -104,12 +103,14 @@ def agmt_setup(topo): - def perform_invalid_create(many, properties, attr, value): - my_properties = copy.deepcopy(properties) - my_properties[attr] = value -- with pytest.raises(ldap.LDAPError): -+ with pytest.raises(ldap.LDAPError) as ei: - many.create(properties=my_properties) -+ return ei.value - - def perform_invalid_modify(o, attr, value): -- with pytest.raises(ldap.LDAPError): -+ with pytest.raises(ldap.LDAPError) as ei: - o.replace(attr, value) -+ return ei.value - - 
@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", repl_add_attrs) - def test_replica_num_add(topo, attr, too_small, too_big, overflow, notnum, valid): -@@ -254,9 +255,25 @@ def test_agmt_num_modify(topo, attr, too_small, too_big, overflow, notnum, valid - # Value is valid - agmt.replace(attr, valid) - -+ -+@pytest.mark.bz1546739 -+def test_same_attr_yields_same_return_code(topo): -+ """Test that various operations with same incorrect attribute value yield same return code -+ """ -+ attr = 'nsDS5ReplicaId' -+ -+ replica_reset(topo) -+ replicas = Replicas(topo.standalone) -+ e = perform_invalid_create(replicas, replica_dict, attr, too_big) -+ assert type(e) is ldap.UNWILLING_TO_PERFORM -+ -+ replica = replica_setup(topo) -+ e = perform_invalid_modify(replica, attr, too_big) -+ assert type(e) is ldap.UNWILLING_TO_PERFORM -+ -+ - if __name__ == '__main__': - # Run isolated - # -s for DEBUG mode - CURRENT_FILE = os.path.realpath(__file__) - pytest.main(["-s", CURRENT_FILE]) -- -diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h -index 138578d5f..1801a333e 100644 ---- a/ldap/servers/plugins/replication/repl5.h -+++ b/ldap/servers/plugins/replication/repl5.h -@@ -662,7 +662,7 @@ Replica *replica_new(const Slapi_DN *root); - Replica *windows_replica_new(const Slapi_DN *root); - /* this function should be called to construct the replica object - during addition of the replica over LDAP */ --Replica *replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_operation); -+int replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_operation, Replica **r); - void replica_destroy(void **arg); - int replica_subentry_update(Slapi_DN *repl_root, ReplicaId rid); - int replica_subentry_check(Slapi_DN *repl_root, ReplicaId rid); -diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c -index 6a5363e43..b3f03d5c0 100644 ---- 
a/ldap/servers/plugins/replication/repl5_replica.c -+++ b/ldap/servers/plugins/replication/repl5_replica.c -@@ -128,8 +128,9 @@ replica_new(const Slapi_DN *root) - e = _replica_get_config_entry(root, NULL); - if (e) { - errorbuf[0] = '\0'; -- r = replica_new_from_entry(e, errorbuf, -- PR_FALSE /* not a newly added entry */); -+ replica_new_from_entry(e, errorbuf, -+ PR_FALSE, /* not a newly added entry */ -+ &r); - - if (NULL == r) { - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_new - " -@@ -143,17 +144,17 @@ replica_new(const Slapi_DN *root) - } - - /* constructs the replica object from the newly added entry */ --Replica * --replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_operation) -+int -+replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_operation, Replica **rp) - { -- int rc = 0; - Replica *r; -+ int rc = LDAP_SUCCESS; - - if (e == NULL) { - if (NULL != errortext) { - PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "NULL entry"); - } -- return NULL; -+ return LDAP_OTHER; - } - - r = (Replica *)slapi_ch_calloc(1, sizeof(Replica)); -@@ -162,7 +163,7 @@ replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_operation) - if (NULL != errortext) { - PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Out of memory"); - } -- rc = -1; -+ rc = LDAP_OTHER; - goto done; - } - -@@ -170,7 +171,7 @@ replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_operation) - if (NULL != errortext) { - PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "failed to create replica lock"); - } -- rc = -1; -+ rc = LDAP_OTHER; - goto done; - } - -@@ -178,7 +179,7 @@ replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_operation) - if (NULL != errortext) { - PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "failed to create replica lock"); - } -- rc = -1; -+ rc = LDAP_OTHER; - goto done; - } - -@@ -191,14 +192,17 @@ replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool 
is_add_operation) - - /* read parameters from the replica config entry */ - rc = _replica_init_from_config(r, e, errortext); -- if (rc != 0) { -+ if (rc != LDAP_SUCCESS) { - goto done; - } - - /* configure ruv */ - rc = _replica_configure_ruv(r, PR_FALSE); - if (rc != 0) { -+ rc = LDAP_OTHER; - goto done; -+ } else { -+ rc = LDAP_SUCCESS; - } - - /* If smallest csn exists in RUV for our local replica, it's ok to begin iteration */ -@@ -217,8 +221,12 @@ replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_operation) - * (done by the update state event scheduled below) - */ - } -- if (rc != 0) -+ if (rc != 0) { -+ rc = LDAP_OTHER; - goto done; -+ } else { -+ rc = LDAP_SUCCESS; -+ } - - /* ONREPL - the state update can occur before the entry is added to the DIT. - In that case the updated would fail but nothing bad would happen. The next -@@ -237,11 +245,12 @@ replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_operation) - } - - done: -- if (rc != 0 && r) { -+ if (rc != LDAP_SUCCESS && r) { - replica_destroy((void **)&r); - } - -- return r; -+ *rp = r; -+ return rc; - } - - -@@ -1789,9 +1798,9 @@ _replica_check_validity(const Replica *r) - - if (r->repl_root == NULL || r->repl_type == 0 || r->repl_rid == 0 || - r->repl_csngen == NULL || r->repl_name == NULL) { -- return -1; -+ return LDAP_OTHER; - } else { -- return 0; -+ return LDAP_SUCCESS; - } - } - -@@ -1841,7 +1850,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - (char *)slapi_entry_get_dn((Slapi_Entry *)e)); - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - %s\n", - errormsg); -- return -1; -+ return LDAP_OTHER; - } - - r->repl_root = slapi_sdn_new_dn_passin(val); -@@ -1851,7 +1860,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - if ((val = slapi_entry_attr_get_charptr(e, attr_replicaType))) { - if (repl_config_valid_num(attr_replicaType, val, 0, REPLICA_TYPE_UPDATABLE, &rc, errormsg, &rtype) 
!= 0) { - slapi_ch_free_string(&val); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - r->repl_type = rtype; - slapi_ch_free_string(&val); -@@ -1867,7 +1876,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - if ((val = slapi_entry_attr_get_charptr(e, type_replicaBackoffMin))) { - if (repl_config_valid_num(type_replicaBackoffMin, val, 1, INT_MAX, &rc, errormsg, &backoff_min) != 0) { - slapi_ch_free_string(&val); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - slapi_ch_free_string(&val); - } else { -@@ -1882,7 +1891,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - if ((val = slapi_entry_attr_get_charptr(e, type_replicaBackoffMax))) { - if (repl_config_valid_num(type_replicaBackoffMax, val, 1, INT_MAX, &rc, errormsg, &backoff_max) != 0) { - slapi_ch_free_string(&val); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - slapi_ch_free_string(&val); - } else { -@@ -1899,7 +1908,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - backoff_min, backoff_max); - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - " - "%s\n", errormsg); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } else { - slapi_counter_set_value(r->backoff_min, backoff_min); - slapi_counter_set_value(r->backoff_max, backoff_max); -@@ -1910,7 +1919,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - if ((val = slapi_entry_attr_get_charptr(e, type_replicaProtocolTimeout))) { - if (repl_config_valid_num(type_replicaProtocolTimeout, val, 0, INT_MAX, &rc, errormsg, &ptimeout) != 0) { - slapi_ch_free_string(&val); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - slapi_ch_free_string(&val); - slapi_counter_set_value(r->protocol_timeout, ptimeout); -@@ -1926,7 +1935,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - if ((val = slapi_entry_attr_get_charptr(e, type_replicaReleaseTimeout))) { - if 
(repl_config_valid_num(type_replicaReleaseTimeout, val, 0, INT_MAX, &rc, errortext, &release_timeout) != 0) { - slapi_ch_free_string(&val); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - slapi_counter_set_value(r->release_timeout, release_timeout); - slapi_ch_free_string(&val); -@@ -1950,7 +1959,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - type_replicaPrecisePurge, precise_purging); - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - " - "%s\n", errormsg); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - slapi_ch_free_string(&precise_purging); - } else { -@@ -1963,7 +1972,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - if((val = slapi_entry_attr_get_charptr(e, attr_flags))) { - if (repl_config_valid_num(attr_flags, val, 0, 1, &rc, errortext, &rflags) != 0) { - slapi_ch_free_string(&val); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - r->repl_flags = (uint32_t)rflags; - slapi_ch_free_string(&val); -@@ -1990,7 +1999,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - int64_t rid; - if (repl_config_valid_num(attr_replicaId, val, 1, 65534, &rc, errormsg, &rid) != 0) { - slapi_ch_free_string(&val); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - r->repl_rid = (ReplicaId)rid; - slapi_ch_free_string(&val); -@@ -2000,7 +2009,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - attr_replicaId, (char *)slapi_entry_get_dn((Slapi_Entry *)e)); - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, - "_replica_init_from_config - %s\n", errormsg); -- return -1; -+ return LDAP_OTHER; - } - } - -@@ -2013,7 +2022,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - (char *)slapi_entry_get_dn((Slapi_Entry *)e)); - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, - "_replica_init_from_config - %s\n", errormsg); -- return -1; -+ return LDAP_OTHER; - } - r->repl_csngen = object_new((void *)gen, 
(FNFree)csngen_free); - -@@ -2031,7 +2040,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - if ((val = slapi_entry_attr_get_charptr(e, attr_replicaBindDnGroupCheckInterval))) { - if (repl_config_valid_num(attr_replicaBindDnGroupCheckInterval, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) { - slapi_ch_free_string(&val); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - r->updatedn_group_check_interval = interval; - slapi_ch_free_string(&val); -@@ -2051,7 +2060,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - (char *)slapi_entry_get_dn((Slapi_Entry *)e), rc); - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - %s\n", - errormsg); -- return -1; -+ return LDAP_OTHER; - } else - r->new_name = PR_TRUE; - } -@@ -2072,7 +2081,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - if ((val = slapi_entry_attr_get_charptr(e, type_replicaPurgeDelay))) { - if (repl_config_valid_num(type_replicaPurgeDelay, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) { - slapi_ch_free_string(&val); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - r->repl_purge_delay = interval; - slapi_ch_free_string(&val); -@@ -2083,7 +2092,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - if ((val = slapi_entry_attr_get_charptr(e, type_replicaTombstonePurgeInterval))) { - if (repl_config_valid_num(type_replicaTombstonePurgeInterval, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) { - slapi_ch_free_string(&val); -- return -1; -+ return LDAP_UNWILLING_TO_PERFORM; - } - r->tombstone_reap_interval = interval; - slapi_ch_free_string(&val); -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index 7649aa14e..749e90936 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -267,9 +267,8 @@ 
replica_config_add(Slapi_PBlock *pb __attribute__((unused)), - } - - /* create replica object */ -- r = replica_new_from_entry(e, errortext, PR_TRUE /* is a newly added entry */); -+ *returncode = replica_new_from_entry(e, errortext, PR_TRUE /* is a newly added entry */, &r); - if (r == NULL) { -- *returncode = LDAP_OPERATIONS_ERROR; - goto done; - } - --- -2.21.0 - diff --git a/SOURCES/0014-Issue-50818-dsconf-pwdpolicy-get-error.patch b/SOURCES/0014-Issue-50818-dsconf-pwdpolicy-get-error.patch new file mode 100644 index 0000000..3ae0e71 --- /dev/null +++ b/SOURCES/0014-Issue-50818-dsconf-pwdpolicy-get-error.patch 
@@ -0,0 +1,49 @@
+From f05d6e7bfc4e829118e53f69f247d345a90e7796 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 13 Jan 2020 19:17:04 -0500
+Subject: [PATCH] Issue 50818 - dsconf pwdpolicy get error
+
+Description: When trying to retrieve a global or local policy we now see:
+
+ policyError: 'PwPolicyManager' object has no attribute 'get_attr_list'
+
+ Someone removed the function get_attr_list() along the way.
+ Added the same logic back, and improved it to only report attributes
+ that are set.
+
+relates: https://pagure.io/389-ds-base/issue/50818
+
+Reviewed by: spichugi(Thanks!)
+---
+ src/lib389/lib389/cli_conf/pwpolicy.py | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib389/lib389/cli_conf/pwpolicy.py b/src/lib389/lib389/cli_conf/pwpolicy.py
+index f911997bf..67bfd8767 100644
+--- a/src/lib389/lib389/cli_conf/pwpolicy.py
++++ b/src/lib389/lib389/cli_conf/pwpolicy.py
+@@ -35,16 +35,17 @@ def _get_policy_type(inst, dn=None):
+ def _get_pw_policy(inst, targetdn, log, use_json=None):
+ pwp_manager = PwPolicyManager(inst)
+ policy_type = _get_policy_type(inst, targetdn)
+- attr_list = pwp_manager.get_attr_list()
++ attr_list = list(pwp_manager.arg_to_attr.values())
+ if "global" in policy_type.lower():
+ targetdn = 'cn=config'
+ attr_list.extend(['passwordIsGlobalPolicy', 'nsslapd-pwpolicy_local'])
+- attrs = inst.config.get_attrs_vals_utf8(attr_list)
++ all_attrs = inst.config.get_attrs_vals_utf8(attr_list)
++ attrs = {k: v for k, v in all_attrs.items() if len(v) > 0}
+ else:
+ policy = pwp_manager.get_pwpolicy_entry(targetdn)
+ targetdn = policy.dn
+- attrs = policy.get_attrs_vals_utf8(attr_list)
+-
++ all_attrs = policy.get_attrs_vals_utf8(attr_list)
++ attrs = {k: v for k, v in all_attrs.items() if len(v) > 0}
+ if use_json:
+ print(json.dumps({"type": "entry", "pwp_type": policy_type, "dn": ensure_str(targetdn), "attrs": attrs}))
+ else:
+--
+2.21.1
+
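Review bot: The empty-value filter `attrs = {k: v for k, v in all_attrs.items() if len(v) > 0}` is written out twice, once in each branch of the global/local split in `_get_pw_policy`. Both branches already assign `all_attrs`, so the filter can follow the `else` block once, for example as `attrs = {k: v for k, v in all_attrs.items() if v}` (assuming the values are lists, as `len(v)` suggests), which keeps the two policy types from drifting apart if the filtering rule changes. The patch also removes the blank line before `if use_json:`; keeping it would separate the lookup from the output step. The output branch of the function continues outside the hunk.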
diff --git a/SOURCES/0015-Ticket-49789-By-default-do-not-manage-unhashed-passw.patch b/SOURCES/0015-Ticket-49789-By-default-do-not-manage-unhashed-passw.patch
deleted file mode 100644
index 03e5d35..0000000
--- a/SOURCES/0015-Ticket-49789-By-default-do-not-manage-unhashed-passw.patch
+++ /dev/null
@@ -1,192 +0,0 @@ -From d9e895e928c39ca66e272a61a431fa3bfc3d8f5c Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Fri, 13 Jul 2018 17:55:27 +0200 -Subject: [PATCH] Ticket 49789 - By default, do not manage unhashed password - -Bug Description: - By default, unhashed#user#password is recorded into changelog database. - It is a specific use when some plugin need to know the clear text password on update. - This should be disabled ('off') by default - -Fix Description: - Switch the default value from 'on' to 'off' - -https://pagure.io/389-ds-base/issue/49789 - -Reviewed by: Viktor Ashirov, Simon Pichugi, Mark Reynolds - -Platforms tested: F28 - -Flag Day: no - -Doc impact: no ---- - .../tests/suites/password/regression_test.py | 121 +++++++++++++++++- - ldap/servers/slapd/slap.h | 4 +- - 2 files changed, 122 insertions(+), 3 deletions(-) - -diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py -index b01b73e2e..c239799e4 100644 ---- a/dirsrvtests/tests/suites/password/regression_test.py -+++ b/dirsrvtests/tests/suites/password/regression_test.py -@@ -8,8 +8,11 @@ - import pytest - import time - from lib389._constants import PASSWORD, DN_DM, DEFAULT_SUFFIX -+from lib389._constants import SUFFIX, PASSWORD, DN_DM, DN_CONFIG, PLUGIN_RETRO_CHANGELOG, DEFAULT_SUFFIX, DEFAULT_CHANGELOG_DB -+from lib389 import Entry -+from lib389.topologies import topology_m1 as topo_master - from lib389.idm.user import UserAccounts --from lib389.utils import ldap, os, logging -+from lib389.utils import ldap, os, logging, ensure_bytes - from lib389.topologies import topology_st as topo - from lib389.idm.organizationalunit import OrganizationalUnits - -@@ -36,6 +39,23 @@ TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1', - TEST_PASSWORDS2 = ( - 'CN12pwtest31', 'SN3pwtest231', 'UID1pwtest123', 'MAIL2pwtest12@redhat.com', '2GN1pwtest123', 'People123') - -+def _check_unhashed_userpw(inst, user_dn, is_present=False): -+ 
"""Check if unhashed#user#password attribute is present of not in the changelog""" -+ unhashed_pwd_attribute = 'unhashed#user#password' -+ -+ changelog_dbdir = os.path.join(os.path.dirname(inst.dbdir), DEFAULT_CHANGELOG_DB) -+ for dbfile in os.listdir(changelog_dbdir): -+ if dbfile.endswith('.db'): -+ changelog_dbfile = os.path.join(changelog_dbdir, dbfile) -+ log.info('Changelog dbfile file exist: {}'.format(changelog_dbfile)) -+ log.info('Running dbscan -f to check {} attr'.format(unhashed_pwd_attribute)) -+ dbscanOut = inst.dbscan(DEFAULT_CHANGELOG_DB, changelog_dbfile) -+ for entry in dbscanOut.split(b'dbid: '): -+ if ensure_bytes('operation: modify') in entry and ensure_bytes(user_dn) in entry and ensure_bytes('userPassword') in entry: -+ if is_present: -+ assert ensure_bytes(unhashed_pwd_attribute) in entry -+ else: -+ assert ensure_bytes(unhashed_pwd_attribute) not in entry - - @pytest.fixture(scope="module") - def passw_policy(topo, request): -@@ -193,6 +213,105 @@ def test_global_vs_local(topo, passw_policy, create_user, user_pasw): - # reset password - create_user.set('userPassword', PASSWORD) - -+@pytest.mark.ds49789 -+def test_unhashed_pw_switch(topo_master): -+ """Check that nsslapd-unhashed-pw-switch works corrently -+ -+ :id: e5aba180-d174-424d-92b0-14fe7bb0b92a -+ :setup: Master Instance -+ :steps: -+ 1. A Master is created, enable retrocl (not used here) -+ 2. create a set of users -+ 3. update userpassword of user1 and check that unhashed#user#password is not logged (default) -+ 4. udpate userpassword of user2 and check that unhashed#user#password is not logged ('nolog') -+ 5. udpate userpassword of user3 and check that unhashed#user#password is logged ('on') -+ :expectedresults: -+ 1. Success -+ 2. Success -+ 3 Success (unhashed#user#password is not logged in the replication changelog) -+ 4. Success (unhashed#user#password is not logged in the replication changelog) -+ 5. 
Success (unhashed#user#password is logged in the replication changelog) -+ """ -+ MAX_USERS = 10 -+ PEOPLE_DN = ("ou=people," + DEFAULT_SUFFIX) -+ -+ inst = topo_master.ms["master1"] -+ inst.modify_s("cn=Retro Changelog Plugin,cn=plugins,cn=config", -+ [(ldap.MOD_REPLACE, 'nsslapd-changelogmaxage', b'2m'), -+ (ldap.MOD_REPLACE, 'nsslapd-changelog-trim-interval', b"5s"), -+ (ldap.MOD_REPLACE, 'nsslapd-logAccess', b'on')]) -+ inst.config.loglevel(vals=[256 + 4], service='access') -+ inst.restart() -+ # If you need any test suite initialization, -+ # please, write additional fixture for that (including finalizer). -+ # Topology for suites are predefined in lib389/topologies.py. -+ -+ # enable dynamic plugins, memberof and retro cl plugin -+ # -+ log.info('Enable plugins...') -+ try: -+ inst.modify_s(DN_CONFIG, -+ [(ldap.MOD_REPLACE, -+ 'nsslapd-dynamic-plugins', -+ b'on')]) -+ except ldap.LDAPError as e: -+ ldap.error('Failed to enable dynamic plugins! ' + e.message['desc']) -+ assert False -+ -+ #topology_st.standalone.plugins.enable(name=PLUGIN_MEMBER_OF) -+ inst.plugins.enable(name=PLUGIN_RETRO_CHANGELOG) -+ #topology_st.standalone.modify_s("cn=changelog,cn=ldbm database,cn=plugins,cn=config", [(ldap.MOD_REPLACE, 'nsslapd-cachememsize', str(100000))]) -+ inst.restart() -+ -+ log.info('create users and group...') -+ for idx in range(1, MAX_USERS): -+ try: -+ USER_DN = ("uid=member%d,%s" % (idx, PEOPLE_DN)) -+ inst.add_s(Entry((USER_DN, -+ {'objectclass': 'top extensibleObject'.split(), -+ 'uid': 'member%d' % (idx)}))) -+ except ldap.LDAPError as e: -+ log.fatal('Failed to add user (%s): error %s' % (USER_DN, e.message['desc'])) -+ assert False -+ -+ # Check default is that unhashed#user#password is not logged -+ user = "uid=member1,%s" % (PEOPLE_DN) -+ inst.modify_s(user, [(ldap.MOD_REPLACE, -+ 'userpassword', -+ PASSWORD.encode())]) -+ inst.stop() -+ _check_unhashed_userpw(inst, user, is_present=False) -+ -+ # Check with nolog that unhashed#user#password is not 
logged -+ inst.modify_s(DN_CONFIG, -+ [(ldap.MOD_REPLACE, -+ 'nsslapd-unhashed-pw-switch', -+ b'nolog')]) -+ inst.restart() -+ user = "uid=member2,%s" % (PEOPLE_DN) -+ inst.modify_s(user, [(ldap.MOD_REPLACE, -+ 'userpassword', -+ PASSWORD.encode())]) -+ inst.stop() -+ _check_unhashed_userpw(inst, user, is_present=False) -+ -+ # Check with value 'on' that unhashed#user#password is logged -+ inst.modify_s(DN_CONFIG, -+ [(ldap.MOD_REPLACE, -+ 'nsslapd-unhashed-pw-switch', -+ b'on')]) -+ inst.restart() -+ user = "uid=member3,%s" % (PEOPLE_DN) -+ inst.modify_s(user, [(ldap.MOD_REPLACE, -+ 'userpassword', -+ PASSWORD.encode())]) -+ inst.stop() -+ _check_unhashed_userpw(inst, user, is_present=True) -+ -+ if DEBUGGING: -+ # Add debugging steps(if any)... -+ pass -+ - - if __name__ == '__main__': - # Run isolated -diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h -index b3ede6f7c..a1b68b7b6 100644 ---- a/ldap/servers/slapd/slap.h -+++ b/ldap/servers/slapd/slap.h -@@ -295,8 +295,8 @@ typedef void (*VFPV)(); /* takes undefined arguments */ - #define SLAPD_DEFAULT_VALIDATE_CERT SLAPD_VALIDATE_CERT_WARN - #define SLAPD_DEFAULT_VALIDATE_CERT_STR "warn" - --#define SLAPD_DEFAULT_UNHASHED_PW_SWITCH SLAPD_UNHASHED_PW_ON --#define SLAPD_DEFAULT_UNHASHED_PW_SWITCH_STR "on" -+#define SLAPD_DEFAULT_UNHASHED_PW_SWITCH SLAPD_UNHASHED_PW_OFF -+#define SLAPD_DEFAULT_UNHASHED_PW_SWITCH_STR "off" - - #define SLAPD_DEFAULT_LDAPI_SEARCH_BASE "dc=example,dc=com" - #define SLAPD_DEFAULT_LDAPI_AUTO_DN "cn=peercred,cn=external,cn=auth" --- -2.21.0 - diff --git a/SOURCES/0015-Ticket-50709-cont-Several-memory-leaks-reported-by-V.patch b/SOURCES/0015-Ticket-50709-cont-Several-memory-leaks-reported-by-V.patch new file mode 100644 index 0000000..f14ed79 --- /dev/null +++ b/SOURCES/0015-Ticket-50709-cont-Several-memory-leaks-reported-by-V.patch 
@@ -0,0 +1,43 @@
+From 0e216aef4bdf62c1053e827b8d4657e88fda89cf Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz
+Date: Mon, 20 Jan 2020 10:41:08 +0100
+Subject: [PATCH] Ticket 50709 - (cont) Several memory leaks reported by
+ Valgrind for 389-ds 1.3.9.1-10
+
+Description of the problem:
+
+ Original fix was incorrect as it set again in pblock (SLAPI_CONN_CLIENTNETADDR_ACLIP)
+ the same structure. As old structure is freed during the slapi_pblock_set,
+ pblock refers to a freed structure.
+ Later an other threads using the same aclpb contain will use it after free
+ (see https://pagure.io/389-ds-base/issue/50709#comment-621129)
+
+Description of the fix:
+ Only sets in pblock a newly allocated structure
+
+https://pagure.io/389-ds-base/issue/50709
+
+Reviewed by: Mark Reynolds (Thanks !)
+---
+ ldap/servers/plugins/acl/acllas.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
+index dd41d41bd..a5602e198 100644
+--- a/ldap/servers/plugins/acl/acllas.c
++++ b/ldap/servers/plugins/acl/acllas.c
+@@ -305,7 +305,10 @@ DS_LASIpGetter(NSErr_t *errp, PList_t subject, PList_t resource, PList_t auth_in
+ slapi_log_err(SLAPI_LOG_ACL, plugin_name, "DS_LASIpGetter - "
+ "Returning client ip address 'unknown'\n");
+ }
+- slapi_pblock_set(aclpb->aclpb_pblock, SLAPI_CONN_CLIENTNETADDR_ACLIP, client_praddr);
++ if (client_praddr != pb_client_praddr) {
++ /* Set it in pblock only if it is newly allocated */
++ slapi_pblock_set(aclpb->aclpb_pblock, SLAPI_CONN_CLIENTNETADDR_ACLIP, client_praddr);
++ }
+ return LAS_EVAL_TRUE;
+ }
+
+--
+2.21.1
+
diff --git a/SOURCES/0016-Issue-50829-Disk-monitoring-rotated-log-cleanup-caus.patch b/SOURCES/0016-Issue-50829-Disk-monitoring-rotated-log-cleanup-caus.patch
new file mode 100644
index 0000000..32df847
--- /dev/null
+++ b/SOURCES/0016-Issue-50829-Disk-monitoring-rotated-log-cleanup-caus.patch
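Review bot: The new comment `/* Set it in pblock only if it is newly allocated */` says what the guard does but not why skipping the call matters. According to the patch description, slapi_pblock_set frees the structure already stored under SLAPI_CONN_CLIENTNETADDR_ACLIP, so storing the same pointer again leaves the pblock referring to freed memory; a comment such as `/* slapi_pblock_set frees the old value: re-setting the same pointer would leave pblock pointing at freed memory */` would keep a later cleanup from removing the check. The declaration and assignment of `pb_client_praddr` are outside the hunk, so it is presumably the pointer read from the pblock earlier in DS_LASIpGetter, which is worth confirming. The description also mentions other threads using the same aclpb, and nothing in the hunk shows what serialises the read and the set.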
@@ -0,0 +1,39 @@
+From aa65a78d49eb7c5ab1e35cd1ab2aa9c2bc6a209b Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Fri, 17 Jan 2020 15:42:00 -0500
+Subject: [PATCH] Issue 50829 - Disk monitoring rotated log cleanup causes
+ heap-use-after-free
+
+Description: When Disk Monitoring finds that disk space is too low it starts
+ freeing up disk space by removing rotated logs. However the log
+ list struct was not properly reset after freeing all the files
+ in the list. This is what allowed the heap-use-after-free to
+ occur.
+
+relates: https://pagure.io/389-ds-base/issue/50829
+
+Reviewed by: firstyear(Thanks!)
+---
+ ldap/servers/slapd/log.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
+index bfcf57475..b16e56b21 100644
+--- a/ldap/servers/slapd/log.c
++++ b/ldap/servers/slapd/log.c
+@@ -3243,6 +3243,12 @@ log__delete_rotated_logs()
+ logp = logp->l_next;
+ slapi_ch_free((void **)&prev_log);
+ }
++
++ /* reset the log struct */
++ loginfo.log_access_logchain = NULL;
++ loginfo.log_audit_logchain = NULL;
++ loginfo.log_auditfail_logchain = NULL;
++ loginfo.log_error_logchain = NULL;
+ }
+
+ #define ERRORSLOG 1
+--
+2.21.1
+
diff --git a/SOURCES/0016-Ticket-50329-2nd-Possible-Security-Issue-DOS-due-to-.patch b/SOURCES/0016-Ticket-50329-2nd-Possible-Security-Issue-DOS-due-to-.patch
deleted file mode 100644
index 11bbfa5..0000000
--- a/SOURCES/0016-Ticket-50329-2nd-Possible-Security-Issue-DOS-due-to-.patch
+++ /dev/null
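Review bot: The four `loginfo.log_*_logchain = NULL` assignments run once at the end of log__delete_rotated_logs(), after the freeing loops, so a chain head that has already been freed stays dangling until the function reaches this block. If the loops are per-log, as the four fields suggest, resetting each head right after its own loop (for example `loginfo.log_access_logchain = NULL;` after the access-log loop) would close that window; the loops start outside the hunk, so this needs checking against the full function. The hunk also does not show whether the log locks are held while the chains are freed and reset, and any rotated-file counters kept next to the chains would need the same reset. The comment `/* reset the log struct */` could say that the chains were just freed and must not be walked again.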
@@ -1,46 +0,0 @@ -From 5da265eb9a023964f00d3ff6b54bcc64107dcf5a Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Wed, 15 May 2019 17:46:14 +0200 -Subject: [PATCH] Ticket 50329 - (2nd) Possible Security Issue: DOS due to - ioblocktimeout not applying to TLS - -Bug Description: - A secure socket is configured in blocking mode. If an event - is detected on a secure socket a worker tries to receive the request. - If handshake occurs during the read, it can hang longer than - ioblocktimeout because it takes into account the socket option - rather than the timeout used for the ssl_Recv - -Fix Description: - The fix is specific to secure socket and set this socket option - to do non blocking IO. - -https://pagure.io/389-ds-base/issue/50329 - -Reviewed by: ? - -Platforms tested: F28, RHEL7.6 - -Flag Day: no - -Doc impact: no ---- - ldap/servers/slapd/daemon.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c -index 2daa21034..519fd2f86 100644 ---- a/ldap/servers/slapd/daemon.c -+++ b/ldap/servers/slapd/daemon.c -@@ -3174,7 +3174,7 @@ configure_pr_socket(PRFileDesc **pr_socket, int secure, int local) - - if (secure) { - pr_socketoption.option = PR_SockOpt_Nonblocking; -- pr_socketoption.value.non_blocking = 0; -+ pr_socketoption.value.non_blocking = 1; - if (PR_SetSocketOption(*pr_socket, &pr_socketoption) == PR_FAILURE) { - PRErrorCode prerr = PR_GetError(); - slapi_log_err(SLAPI_LOG_ERR, --- -2.21.0 - diff --git a/SOURCES/0017-Issue-50538-cleanAllRUV-task-limit-is-not-enforced-f.patch b/SOURCES/0017-Issue-50538-cleanAllRUV-task-limit-is-not-enforced-f.patch deleted file mode 100644 index 49e24f3..0000000 --- a/SOURCES/0017-Issue-50538-cleanAllRUV-task-limit-is-not-enforced-f.patch +++ /dev/null 
@@ -1,779 +0,0 @@ -From bc438614f71d18e337a56b49a67627299658b649 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 7 Aug 2019 20:36:53 -0400 -Subject: [PATCH 1/4] Issue 50538 - cleanAllRUV task limit is not enforced for - replicated tasks - -Bug Description: - -There is a hard limit of 64 concurrent cleanAllRUV tasks, but this limit is -only enforced when creating "new" tasks. It was not enforced when a task was -received via an extended operation. There were also race conditions in the -existing logic that allowed the array of cleaned rids to get corrupted . This -allowed for a very large number of task threads to be created. - -Fix Description: - -Maintain a new counter to keep track of the number of clean and abort threads -to make sure it never over runs the rid array buffers. - -relates: https://pagure.io/389-ds-base/issue/50538 - -Reviewed by: lkrispenz(Thanks!) ---- - .../suites/replication/cleanallruv_test.py | 144 +++++++++- - ldap/servers/plugins/replication/repl5.h | 7 +- - .../replication/repl5_replica_config.c | 247 ++++++++++-------- - ldap/servers/plugins/replication/repl_extop.c | 19 +- - 4 files changed, 299 insertions(+), 118 deletions(-) - -diff --git a/dirsrvtests/tests/suites/replication/cleanallruv_test.py b/dirsrvtests/tests/suites/replication/cleanallruv_test.py -index 09805d6b2..4893b81fe 100644 ---- a/dirsrvtests/tests/suites/replication/cleanallruv_test.py -+++ b/dirsrvtests/tests/suites/replication/cleanallruv_test.py -@@ -1,5 +1,5 @@ - # --- BEGIN COPYRIGHT BLOCK --- --# Copyright (C) 2016 Red Hat, Inc. -+# Copyright (C) 2019 Red Hat, Inc. - # All rights reserved. - # - # License: GPL (version 3 or any later version). 
-@@ -7,7 +7,6 @@ - # --- END COPYRIGHT BLOCK --- - # - import threading -- - import pytest - import random - from lib389 import DirSrv -@@ -721,6 +720,147 @@ def test_multiple_tasks_with_force(topology_m4, m4rid): - log.fatal('test_abort: CleanAllRUV task was not aborted') - assert False - -+ -+@pytest.mark.bz1466441 -+@pytest.mark.ds50370 -+def test_clean_shutdown_crash(topology_m2): -+ """Check that server didn't crash after shutdown when running CleanAllRUV task -+ -+ :id: c34d0b40-3c3e-4f53-8656-5e4c2a310aaf -+ :setup: Replication setup with two masters -+ :steps: -+ 1. Enable TLS on both masters -+ 2. Reconfigure both agreements to use TLS Client auth -+ 3. Stop master2 -+ 4. Run the CleanAllRUV task -+ 5. Restart master1 -+ 6. Check if master1 didn't crash -+ 7. Restart master1 again -+ 8. Check if master1 didn't crash -+ -+ :expectedresults: -+ 1. Success -+ 2. Success -+ 3. Success -+ 4. Success -+ 5. Success -+ 6. Success -+ 7. Success -+ 8. Success -+ """ -+ -+ m1 = topology_m2.ms["master1"] -+ m2 = topology_m2.ms["master2"] -+ -+ repl = ReplicationManager(DEFAULT_SUFFIX) -+ -+ cm_m1 = CertmapLegacy(m1) -+ cm_m2 = CertmapLegacy(m2) -+ -+ certmaps = cm_m1.list() -+ certmaps['default']['DNComps'] = None -+ certmaps['default']['CmapLdapAttr'] = 'nsCertSubjectDN' -+ -+ cm_m1.set(certmaps) -+ cm_m2.set(certmaps) -+ -+ log.info('Enabling TLS') -+ [i.enable_tls() for i in topology_m2] -+ -+ log.info('Creating replication dns') -+ services = ServiceAccounts(m1, DEFAULT_SUFFIX) -+ repl_m1 = services.get('%s:%s' % (m1.host, m1.sslport)) -+ repl_m1.set('nsCertSubjectDN', m1.get_server_tls_subject()) -+ -+ repl_m2 = services.get('%s:%s' % (m2.host, m2.sslport)) -+ repl_m2.set('nsCertSubjectDN', m2.get_server_tls_subject()) -+ -+ log.info('Changing auth type') -+ replica_m1 = Replicas(m1).get(DEFAULT_SUFFIX) -+ agmt_m1 = replica_m1.get_agreements().list()[0] -+ agmt_m1.replace_many( -+ ('nsDS5ReplicaBindMethod', 'SSLCLIENTAUTH'), -+ ('nsDS5ReplicaTransportInfo', 
'SSL'), -+ ('nsDS5ReplicaPort', '%s' % m2.sslport), -+ ) -+ -+ agmt_m1.remove_all('nsDS5ReplicaBindDN') -+ -+ replica_m2 = Replicas(m2).get(DEFAULT_SUFFIX) -+ agmt_m2 = replica_m2.get_agreements().list()[0] -+ -+ agmt_m2.replace_many( -+ ('nsDS5ReplicaBindMethod', 'SSLCLIENTAUTH'), -+ ('nsDS5ReplicaTransportInfo', 'SSL'), -+ ('nsDS5ReplicaPort', '%s' % m1.sslport), -+ ) -+ agmt_m2.remove_all('nsDS5ReplicaBindDN') -+ -+ log.info('Stopping master2') -+ m2.stop() -+ -+ log.info('Run the cleanAllRUV task') -+ cruv_task = CleanAllRUVTask(m1) -+ cruv_task.create(properties={ -+ 'replica-id': repl.get_rid(m1), -+ 'replica-base-dn': DEFAULT_SUFFIX, -+ 'replica-force-cleaning': 'no', -+ 'replica-certify-all': 'yes' -+ }) -+ -+ m1.restart() -+ -+ log.info('Check if master1 crashed') -+ assert not m1.detectDisorderlyShutdown() -+ -+ log.info('Repeat') -+ m1.restart() -+ assert not m1.detectDisorderlyShutdown() -+ -+ -+def test_max_tasks(topology_m4): -+ """Test we can not create more than 64 cleaning tasks -+ -+ :id: c34d0b40-3c3e-4f53-8656-5e4c2a310a1f -+ :setup: Replication setup with four masters -+ :steps: -+ 1. Stop masters 3 & 4 -+ 2. Create over 64 tasks between m1 and m2 -+ 3. Check logs to see if (>65) tasks were rejected -+ -+ :expectedresults: -+ 1. Success -+ 2. Success -+ 3. 
Success -+ """ -+ -+ # Stop masters 3 & 4 -+ m1 = topology_m4.ms["master1"] -+ m2 = topology_m4.ms["master2"] -+ m3 = topology_m4.ms["master3"] -+ m4 = topology_m4.ms["master4"] -+ m3.stop() -+ m4.stop() -+ -+ # Add over 64 tasks between master1 & 2 to try to exceed the 64 task limit -+ for i in range(1, 64): -+ cruv_task = CleanAllRUVTask(m1) -+ cruv_task.create(properties={ -+ 'replica-id': str(i), -+ 'replica-base-dn': DEFAULT_SUFFIX, -+ 'replica-force-cleaning': 'no', # This forces these tasks to stick around -+ }) -+ cruv_task = CleanAllRUVTask(m2) -+ cruv_task.create(properties={ -+ 'replica-id': "10" + str(i), -+ 'replica-base-dn': DEFAULT_SUFFIX, -+ 'replica-force-cleaning': 'yes', # This allows the tasks to propagate -+ }) -+ -+ # Check the errors log for our error message in master 1 -+ assert m1.searchErrorsLog('Exceeded maximum number of active CLEANALLRUV tasks') -+ -+ - if __name__ == '__main__': - # Run isolated - # -s for DEBUG mode -diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h -index 1801a333e..9d25f2305 100644 ---- a/ldap/servers/plugins/replication/repl5.h -+++ b/ldap/servers/plugins/replication/repl5.h -@@ -80,6 +80,8 @@ - #define CLEANRUV_FINISHED "finished" - #define CLEANRUV_CLEANING "cleaning" - #define CLEANRUV_NO_MAXCSN "no maxcsn" -+#define CLEANALLRUV_ID "CleanAllRUV Task" -+#define ABORT_CLEANALLRUV_ID "Abort CleanAllRUV Task" - - /* DS 5.0 replication protocol error codes */ - #define NSDS50_REPL_REPLICA_READY 0x00 /* Replica ready, go ahead */ -@@ -784,6 +786,7 @@ void multimaster_mtnode_construct_replicas(void); - void multimaster_be_state_change(void *handle, char *be_name, int old_be_state, int new_be_state); - - #define CLEANRIDSIZ 64 /* maximum number for concurrent CLEANALLRUV tasks */ -+#define CLEANRID_BUFSIZ 128 - - typedef struct _cleanruv_data - { -@@ -815,6 +818,8 @@ int get_replica_type(Replica *r); - int replica_execute_cleanruv_task_ext(Object *r, ReplicaId rid); - 
void add_cleaned_rid(cleanruv_data *data); - int is_cleaned_rid(ReplicaId rid); -+int32_t check_and_set_cleanruv_task_count(ReplicaId rid); -+int32_t check_and_set_abort_cleanruv_task_count(void); - int replica_cleanall_ruv_abort(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter, int *returncode, char *returntext, void *arg); - void replica_cleanallruv_thread_ext(void *arg); - void stop_ruv_cleaning(void); -@@ -833,8 +838,6 @@ void set_cleaned_rid(ReplicaId rid); - void cleanruv_log(Slapi_Task *task, int rid, char *task_type, int sev_level, char *fmt, ...); - char *replica_cleanallruv_get_local_maxcsn(ReplicaId rid, char *base_dn); - -- -- - /* replutil.c */ - LDAPControl *create_managedsait_control(void); - LDAPControl *create_backend_control(Slapi_DN *sdn); -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index 749e90936..c66a1c81d 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -30,17 +30,18 @@ - #define CLEANALLRUV "CLEANALLRUV" - #define CLEANALLRUVLEN 11 - #define REPLICA_RDN "cn=replica" --#define CLEANALLRUV_ID "CleanAllRUV Task" --#define ABORT_CLEANALLRUV_ID "Abort CleanAllRUV Task" - - int slapi_log_urp = SLAPI_LOG_REPL; --static ReplicaId cleaned_rids[CLEANRIDSIZ + 1] = {0}; --static ReplicaId pre_cleaned_rids[CLEANRIDSIZ + 1] = {0}; --static ReplicaId aborted_rids[CLEANRIDSIZ + 1] = {0}; --static Slapi_RWLock *rid_lock = NULL; --static Slapi_RWLock *abort_rid_lock = NULL; -+static ReplicaId cleaned_rids[CLEANRID_BUFSIZ] = {0}; -+static ReplicaId pre_cleaned_rids[CLEANRID_BUFSIZ] = {0}; -+static ReplicaId aborted_rids[CLEANRID_BUFSIZ] = {0}; -+static PRLock *rid_lock = NULL; -+static PRLock *abort_rid_lock = NULL; - static PRLock *notify_lock = NULL; - static PRCondVar *notify_cvar = NULL; -+static PRLock *task_count_lock = NULL; -+static int32_t clean_task_count = 0; -+static 
int32_t abort_task_count = 0; - - /* Forward Declartions */ - static int replica_config_add(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *entryAfter, int *returncode, char *returntext, void *arg); -@@ -67,8 +68,6 @@ static int replica_cleanallruv_send_abort_extop(Repl_Agmt *ra, Slapi_Task *task, - static int replica_cleanallruv_check_maxcsn(Repl_Agmt *agmt, char *basedn, char *rid_text, char *maxcsn, Slapi_Task *task); - static int replica_cleanallruv_replica_alive(Repl_Agmt *agmt); - static int replica_cleanallruv_check_ruv(char *repl_root, Repl_Agmt *ra, char *rid_text, Slapi_Task *task, char *force); --static int get_cleanruv_task_count(void); --static int get_abort_cleanruv_task_count(void); - static int replica_cleanup_task(Object *r, const char *task_name, char *returntext, int apply_mods); - static int replica_task_done(Replica *replica); - static void delete_cleaned_rid_config(cleanruv_data *data); -@@ -114,20 +113,27 @@ replica_config_init() - PR_GetError()); - return -1; - } -- rid_lock = slapi_new_rwlock(); -+ rid_lock = PR_NewLock(); - if (rid_lock == NULL) { - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_init - " - "Failed to create rid_lock; NSPR error - %d\n", - PR_GetError()); - return -1; - } -- abort_rid_lock = slapi_new_rwlock(); -+ abort_rid_lock = PR_NewLock(); - if (abort_rid_lock == NULL) { - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_init - " - "Failed to create abort_rid_lock; NSPR error - %d\n", - PR_GetError()); - return -1; - } -+ task_count_lock = PR_NewLock(); -+ if (task_count_lock == NULL) { -+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_init - " -+ "Failed to create task_count_lock; NSPR error - %d\n", -+ PR_GetError()); -+ return -1; -+ } - if ((notify_lock = PR_NewLock()) == NULL) { - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_init - " - "Failed to create notify lock; NSPR error - %d\n", -@@ -1533,12 +1539,6 @@ replica_execute_cleanall_ruv_task(Object 
*r, ReplicaId rid, Slapi_Task *task, co - - cleanruv_log(pre_task, rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Initiating CleanAllRUV Task..."); - -- if (get_cleanruv_task_count() >= CLEANRIDSIZ) { -- /* we are already running the maximum number of tasks */ -- cleanruv_log(pre_task, rid, CLEANALLRUV_ID, SLAPI_LOG_ERR, -- "Exceeded maximum number of active CLEANALLRUV tasks(%d)", CLEANRIDSIZ); -- return LDAP_UNWILLING_TO_PERFORM; -- } - /* - * Grab the replica - */ -@@ -1590,6 +1590,13 @@ replica_execute_cleanall_ruv_task(Object *r, ReplicaId rid, Slapi_Task *task, co - goto fail; - } - -+ if (check_and_set_cleanruv_task_count(rid) != LDAP_SUCCESS) { -+ cleanruv_log(NULL, rid, CLEANALLRUV_ID, SLAPI_LOG_ERR, -+ "Exceeded maximum number of active CLEANALLRUV tasks(%d)", CLEANRIDSIZ); -+ rc = LDAP_UNWILLING_TO_PERFORM; -+ goto fail; -+ } -+ - /* - * Launch the cleanallruv thread. Once all the replicas are cleaned it will release the rid - */ -@@ -1597,6 +1604,9 @@ replica_execute_cleanall_ruv_task(Object *r, ReplicaId rid, Slapi_Task *task, co - if (data == NULL) { - cleanruv_log(pre_task, rid, CLEANALLRUV_ID, SLAPI_LOG_ERR, "Failed to allocate cleanruv_data. 
Aborting task."); - rc = -1; -+ PR_Lock(task_count_lock); -+ clean_task_count--; -+ PR_Unlock(task_count_lock); - goto fail; - } - data->repl_obj = r; -@@ -1679,13 +1689,13 @@ replica_cleanallruv_thread(void *arg) - int aborted = 0; - int rc = 0; - -- if (!data || slapi_is_shutting_down()) { -- return; /* no data */ -- } -- - /* Increase active thread count to prevent a race condition at server shutdown */ - g_incr_active_threadcnt(); - -+ if (!data || slapi_is_shutting_down()) { -+ goto done; -+ } -+ - if (data->task) { - slapi_task_inc_refcount(data->task); - slapi_log_err(SLAPI_LOG_PLUGIN, repl_plugin_name, -@@ -1732,16 +1742,13 @@ replica_cleanallruv_thread(void *arg) - slapi_task_begin(data->task, 1); - } - /* -- * Presetting the rid prevents duplicate thread creation, but allows the db and changelog to still -- * process updates from the rid. -- * set_cleaned_rid() blocks updates, so we don't want to do that... yet unless we are in force mode. -- * If we are forcing a clean independent of state of other servers for this RID we can set_cleaned_rid() -+ * We have already preset this rid, but if we are forcing a clean independent of state -+ * of other servers for this RID we can set_cleaned_rid() - */ - if (data->force) { - set_cleaned_rid(data->rid); -- } else { -- preset_cleaned_rid(data->rid); - } -+ - rid_text = slapi_ch_smprintf("%d", data->rid); - csn_as_string(data->maxcsn, PR_FALSE, csnstr); - /* -@@ -1911,6 +1918,9 @@ done: - /* - * If the replicas are cleaned, release the rid - */ -+ if (slapi_is_shutting_down()) { -+ stop_ruv_cleaning(); -+ } - if (!aborted && !slapi_is_shutting_down()) { - /* - * Success - the rid has been cleaned! 
-@@ -1929,10 +1939,9 @@ done: - } else { - cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Propagated task does not delete Keep alive entry (%d).", data->rid); - } -- - clean_agmts(data); - remove_cleaned_rid(data->rid); -- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Successfully cleaned rid(%d).", data->rid); -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Successfully cleaned rid(%d)", data->rid); - } else { - /* - * Shutdown or abort -@@ -1965,6 +1974,10 @@ done: - slapi_ch_free_string(&data->force); - slapi_ch_free_string(&rid_text); - slapi_ch_free((void **)&data); -+ /* decrement task count */ -+ PR_Lock(task_count_lock); -+ clean_task_count--; -+ PR_Unlock(task_count_lock); - g_decr_active_threadcnt(); - } - -@@ -2462,16 +2475,14 @@ replica_send_cleanruv_task(Repl_Agmt *agmt, cleanruv_data *clean_data) - int - is_cleaned_rid(ReplicaId rid) - { -- int i; -- -- slapi_rwlock_rdlock(rid_lock); -- for (i = 0; i < CLEANRIDSIZ && cleaned_rids[i] != 0; i++) { -+ PR_Lock(rid_lock); -+ for (size_t i = 0; i < CLEANRID_BUFSIZ; i++) { - if (rid == cleaned_rids[i]) { -- slapi_rwlock_unlock(rid_lock); -+ PR_Unlock(rid_lock); - return 1; - } - } -- slapi_rwlock_unlock(rid_lock); -+ PR_Unlock(rid_lock); - - return 0; - } -@@ -2479,16 +2490,14 @@ is_cleaned_rid(ReplicaId rid) - int - is_pre_cleaned_rid(ReplicaId rid) - { -- int i; -- -- slapi_rwlock_rdlock(rid_lock); -- for (i = 0; i < CLEANRIDSIZ && pre_cleaned_rids[i] != 0; i++) { -+ PR_Lock(rid_lock); -+ for (size_t i = 0; i < CLEANRID_BUFSIZ; i++) { - if (rid == pre_cleaned_rids[i]) { -- slapi_rwlock_unlock(rid_lock); -+ PR_Unlock(rid_lock); - return 1; - } - } -- slapi_rwlock_unlock(rid_lock); -+ PR_Unlock(rid_lock); - - return 0; - } -@@ -2501,14 +2510,14 @@ is_task_aborted(ReplicaId rid) - if (rid == 0) { - return 0; - } -- slapi_rwlock_rdlock(abort_rid_lock); -- for (i = 0; i < CLEANRIDSIZ && aborted_rids[i] != 0; i++) { -+ PR_Lock(abort_rid_lock); 
-+ for (i = 0; i < CLEANRID_BUFSIZ && aborted_rids[i] != 0; i++) { - if (rid == aborted_rids[i]) { -- slapi_rwlock_unlock(abort_rid_lock); -+ PR_Unlock(abort_rid_lock); - return 1; - } - } -- slapi_rwlock_unlock(abort_rid_lock); -+ PR_Unlock(abort_rid_lock); - return 0; - } - -@@ -2517,15 +2526,14 @@ preset_cleaned_rid(ReplicaId rid) - { - int i; - -- slapi_rwlock_wrlock(rid_lock); -- for (i = 0; i < CLEANRIDSIZ; i++) { -+ PR_Lock(rid_lock); -+ for (i = 0; i < CLEANRID_BUFSIZ && pre_cleaned_rids[i] != rid; i++) { - if (pre_cleaned_rids[i] == 0) { - pre_cleaned_rids[i] = rid; -- pre_cleaned_rids[i + 1] = 0; - break; - } - } -- slapi_rwlock_unlock(rid_lock); -+ PR_Unlock(rid_lock); - } - - /* -@@ -2538,14 +2546,13 @@ set_cleaned_rid(ReplicaId rid) - { - int i; - -- slapi_rwlock_wrlock(rid_lock); -- for (i = 0; i < CLEANRIDSIZ; i++) { -+ PR_Lock(rid_lock); -+ for (i = 0; i < CLEANRID_BUFSIZ && cleaned_rids[i] != rid; i++) { - if (cleaned_rids[i] == 0) { - cleaned_rids[i] = rid; -- cleaned_rids[i + 1] = 0; - } - } -- slapi_rwlock_unlock(rid_lock); -+ PR_Unlock(rid_lock); - } - - /* -@@ -2621,15 +2628,14 @@ add_aborted_rid(ReplicaId rid, Replica *r, char *repl_root, char *certify_all, P - int rc; - int i; - -- slapi_rwlock_wrlock(abort_rid_lock); -- for (i = 0; i < CLEANRIDSIZ; i++) { -+ PR_Lock(abort_rid_lock); -+ for (i = 0; i < CLEANRID_BUFSIZ; i++) { - if (aborted_rids[i] == 0) { - aborted_rids[i] = rid; -- aborted_rids[i + 1] = 0; - break; - } - } -- slapi_rwlock_unlock(abort_rid_lock); -+ PR_Unlock(abort_rid_lock); - /* - * Write the rid to the config entry - */ -@@ -2672,21 +2678,24 @@ delete_aborted_rid(Replica *r, ReplicaId rid, char *repl_root, char *certify_all - char *data; - char *dn; - int rc; -- int i; - - if (r == NULL) - return; - - if (skip) { - /* skip the deleting of the config, and just remove the in memory rid */ -- slapi_rwlock_wrlock(abort_rid_lock); -- for (i = 0; i < CLEANRIDSIZ && aborted_rids[i] != rid; i++) -- ; /* found rid, stop */ -- for 
(; i < CLEANRIDSIZ; i++) { -- /* rewrite entire array */ -- aborted_rids[i] = aborted_rids[i + 1]; -- } -- slapi_rwlock_unlock(abort_rid_lock); -+ ReplicaId new_abort_rids[CLEANRID_BUFSIZ] = {0}; -+ int32_t idx = 0; -+ -+ PR_Lock(abort_rid_lock); -+ for (size_t i = 0; i < CLEANRID_BUFSIZ; i++) { -+ if (aborted_rids[i] != rid) { -+ new_abort_rids[idx] = aborted_rids[i]; -+ idx++; -+ } -+ } -+ memcpy(aborted_rids, new_abort_rids, sizeof(new_abort_rids)); -+ PR_Unlock(abort_rid_lock); - } else { - /* only remove the config, leave the in-memory rid */ - dn = replica_get_dn(r); -@@ -2832,27 +2841,31 @@ bail: - void - remove_cleaned_rid(ReplicaId rid) - { -- int i; -- /* -- * Remove this rid, and optimize the array -- */ -- slapi_rwlock_wrlock(rid_lock); -+ ReplicaId new_cleaned_rids[CLEANRID_BUFSIZ] = {0}; -+ ReplicaId new_pre_cleaned_rids[CLEANRID_BUFSIZ] = {0}; -+ size_t idx = 0; -+ -+ PR_Lock(rid_lock); - -- for (i = 0; i < CLEANRIDSIZ && cleaned_rids[i] != rid; i++) -- ; /* found rid, stop */ -- for (; i < CLEANRIDSIZ; i++) { -- /* rewrite entire array */ -- cleaned_rids[i] = cleaned_rids[i + 1]; -+ for (size_t i = 0; i < CLEANRID_BUFSIZ; i++) { -+ if (cleaned_rids[i] != rid) { -+ new_cleaned_rids[idx] = cleaned_rids[i]; -+ idx++; -+ } - } -+ memcpy(cleaned_rids, new_cleaned_rids, sizeof(new_cleaned_rids)); -+ - /* now do the preset cleaned rids */ -- for (i = 0; i < CLEANRIDSIZ && pre_cleaned_rids[i] != rid; i++) -- ; /* found rid, stop */ -- for (; i < CLEANRIDSIZ; i++) { -- /* rewrite entire array */ -- pre_cleaned_rids[i] = pre_cleaned_rids[i + 1]; -+ idx = 0; -+ for (size_t i = 0; i < CLEANRID_BUFSIZ; i++) { -+ if (pre_cleaned_rids[i] != rid) { -+ new_pre_cleaned_rids[idx] = pre_cleaned_rids[i]; -+ idx++; -+ } - } -+ memcpy(pre_cleaned_rids, new_pre_cleaned_rids, sizeof(new_pre_cleaned_rids)); - -- slapi_rwlock_unlock(rid_lock); -+ PR_Unlock(rid_lock); - } - - /* -@@ -2882,16 +2895,6 @@ replica_cleanall_ruv_abort(Slapi_PBlock *pb __attribute__((unused)), - char 
*ridstr = NULL; - int rc = SLAPI_DSE_CALLBACK_OK; - -- if (get_abort_cleanruv_task_count() >= CLEANRIDSIZ) { -- /* we are already running the maximum number of tasks */ -- PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, -- "Exceeded maximum number of active ABORT CLEANALLRUV tasks(%d)", -- CLEANRIDSIZ); -- cleanruv_log(task, -1, ABORT_CLEANALLRUV_ID, SLAPI_LOG_ERR, "%s", returntext); -- *returncode = LDAP_OPERATIONS_ERROR; -- return SLAPI_DSE_CALLBACK_ERROR; -- } -- - /* allocate new task now */ - task = slapi_new_task(slapi_entry_get_ndn(e)); - -@@ -2976,6 +2979,16 @@ replica_cleanall_ruv_abort(Slapi_PBlock *pb __attribute__((unused)), - */ - certify_all = "no"; - } -+ -+ if (check_and_set_abort_cleanruv_task_count() != LDAP_SUCCESS) { -+ /* we are already running the maximum number of tasks */ -+ PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, -+ "Exceeded maximum number of active ABORT CLEANALLRUV tasks(%d)", -+ CLEANRIDSIZ); -+ cleanruv_log(task, -1, ABORT_CLEANALLRUV_ID, SLAPI_LOG_ERR, "%s", returntext); -+ *returncode = LDAP_UNWILLING_TO_PERFORM; -+ goto out; -+ } - /* - * Create payload - */ -@@ -3190,6 +3203,9 @@ done: - slapi_ch_free_string(&data->certify); - slapi_sdn_free(&data->sdn); - slapi_ch_free((void **)&data); -+ PR_Lock(task_count_lock); -+ abort_task_count--; -+ PR_Unlock(task_count_lock); - g_decr_active_threadcnt(); - } - -@@ -3541,36 +3557,43 @@ replica_cleanallruv_check_ruv(char *repl_root, Repl_Agmt *agmt, char *rid_text, - return rc; - } - --static int --get_cleanruv_task_count(void) -+/* -+ * Before starting a cleanAllRUV task make sure there are not -+ * too many task threads already running. If everything is okay -+ * also pre-set the RID now so rebounding extended ops do not -+ * try to clean it over and over. 
-+ */ -+int32_t -+check_and_set_cleanruv_task_count(ReplicaId rid) - { -- int i, count = 0; -+ int32_t rc = 0; - -- slapi_rwlock_wrlock(rid_lock); -- for (i = 0; i < CLEANRIDSIZ; i++) { -- if (pre_cleaned_rids[i] != 0) { -- count++; -- } -+ PR_Lock(task_count_lock); -+ if (clean_task_count >= CLEANRIDSIZ) { -+ rc = -1; -+ } else { -+ clean_task_count++; -+ preset_cleaned_rid(rid); - } -- slapi_rwlock_unlock(rid_lock); -+ PR_Unlock(task_count_lock); - -- return count; -+ return rc; - } - --static int --get_abort_cleanruv_task_count(void) -+int32_t -+check_and_set_abort_cleanruv_task_count(void) - { -- int i, count = 0; -+ int32_t rc = 0; - -- slapi_rwlock_wrlock(rid_lock); -- for (i = 0; i < CLEANRIDSIZ; i++) { -- if (aborted_rids[i] != 0) { -- count++; -+ PR_Lock(task_count_lock); -+ if (abort_task_count > CLEANRIDSIZ) { -+ rc = -1; -+ } else { -+ abort_task_count++; - } -- } -- slapi_rwlock_unlock(rid_lock); -+ PR_Unlock(task_count_lock); - -- return count; -+ return rc; - } - - /* -diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c -index b49cb8cd5..5bed84958 100644 ---- a/ldap/servers/plugins/replication/repl_extop.c -+++ b/ldap/servers/plugins/replication/repl_extop.c -@@ -1393,6 +1393,12 @@ multimaster_extop_abort_cleanruv(Slapi_PBlock *pb) - rc = LDAP_OPERATIONS_ERROR; - goto out; - } -+ if (check_and_set_abort_cleanruv_task_count() != LDAP_SUCCESS) { -+ cleanruv_log(NULL, rid, CLEANALLRUV_ID, SLAPI_LOG_ERR, -+ "Exceeded maximum number of active abort CLEANALLRUV tasks(%d)", CLEANRIDSIZ); -+ rc = LDAP_UNWILLING_TO_PERFORM; -+ goto out; -+ } - /* - * Prepare the abort data - */ -@@ -1499,6 +1505,7 @@ multimaster_extop_cleanruv(Slapi_PBlock *pb) - if (force == NULL) { - force = "no"; - } -+ - maxcsn = csn_new(); - csn_init_by_string(maxcsn, csnstr); - /* -@@ -1535,13 +1542,21 @@ multimaster_extop_cleanruv(Slapi_PBlock *pb) - goto free_and_return; - } - -+ if 
(check_and_set_cleanruv_task_count((ReplicaId)rid) != LDAP_SUCCESS) { -+ cleanruv_log(NULL, rid, CLEANALLRUV_ID, SLAPI_LOG_ERR, -+ "Exceeded maximum number of active CLEANALLRUV tasks(%d)", CLEANRIDSIZ); -+ rc = LDAP_UNWILLING_TO_PERFORM; -+ goto free_and_return; -+ } -+ - if (replica_get_type(r) != REPLICA_TYPE_READONLY) { - /* - * Launch the cleanruv monitoring thread. Once all the replicas are cleaned it will release the rid - * - * This will also release mtnode_ext->replica - */ -- slapi_log_err(SLAPI_LOG_INFO, repl_plugin_name, "multimaster_extop_cleanruv - CleanAllRUV Task - Launching cleanAllRUV thread...\n"); -+ -+ cleanruv_log(NULL, rid, CLEANALLRUV_ID, SLAPI_LOG_ERR, "Launching cleanAllRUV thread...\n"); - data = (cleanruv_data *)slapi_ch_calloc(1, sizeof(cleanruv_data)); - if (data == NULL) { - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "multimaster_extop_cleanruv - CleanAllRUV Task - Failed to allocate " -@@ -1635,7 +1650,7 @@ free_and_return: - ber_printf(resp_bere, "{s}", CLEANRUV_ACCEPTED); - ber_flatten(resp_bere, &resp_bval); - slapi_pblock_set(pb, SLAPI_EXT_OP_RET_VALUE, resp_bval); -- slapi_send_ldap_result(pb, LDAP_SUCCESS, NULL, NULL, 0, NULL); -+ slapi_send_ldap_result(pb, rc, NULL, NULL, 0, NULL); - /* resp_bere */ - if (NULL != resp_bere) { - ber_free(resp_bere, 1); --- -2.21.0 - diff --git a/SOURCES/0017-Ticket-50745-ns-slapd-hangs-during-CleanAllRUV-tests.patch b/SOURCES/0017-Ticket-50745-ns-slapd-hangs-during-CleanAllRUV-tests.patch new file mode 100644 index 0000000..5033966 --- /dev/null +++ b/SOURCES/0017-Ticket-50745-ns-slapd-hangs-during-CleanAllRUV-tests.patch 
@@ -0,0 +1,67 @@
+From 06e1fe32e47b98efaa3598629fb59e5f7791e28d Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz
+Date: Wed, 27 Nov 2019 14:04:14 +0100
+Subject: [PATCH] Ticket 50745: ns-slapd hangs during CleanAllRUV tests
+
+Bug Description:
+ The hang condition:
+ - is not systematic
+ - occurs in rare case, for example here during the deletion of a replica.
+ - a thread is waiting for a dblock that an other thread "forgot" to
+ release.
+ - have always existed, at least since 1.4.0 but likely since 1.2.x
+
+ When deleting a replica, the replica is retrieved from
+ mapping tree structure (mtnode).
+ The replica is also retrieved through the mapping tree
+ when writing updates to the changelog.
+
+ When deleting the replica, mapping tree structure is cleared
+ after the changelog is deleted (that can take some cycles).
+ There is a window where an update can retrieve the replica,
+ from the not yet cleared MT, while the changelog being removed.
+
+ At the end, the update will update the changelog that is
+ currently removed and keeps an unfree lock in the DB.
+
+Fix description:
+ Ideally mapping tree should be protected by a lock but it
+ is not done systematically (e.g. slapi_get_mapping_tree_node).
+ Using a lock looks an overkill and can probably introduce
+ deadlock and performance hit.
+ The idea of the fix is to reduce the window, moving the
+ mapping tree clear before the changelog removal.
+
+https://pagure.io/389-ds-base/issue/50745
+
+Reviewed by: Mark Reynolds, Ludwig Krispenz
+---
+ ldap/servers/plugins/replication/repl5_replica_config.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
+index 79b257564..02b36f6ad 100644
+--- a/ldap/servers/plugins/replication/repl5_replica_config.c
++++ b/ldap/servers/plugins/replication/repl5_replica_config.c
+@@ -757,6 +757,10 @@ replica_config_delete(Slapi_PBlock *pb __attribute__((unused)),
+ if (mtnode_ext->replica) {
+ /* remove object from the hash */
+ r = (Replica *)object_get_data(mtnode_ext->replica);
++ mtnode_ext->replica = NULL; /* moving it before deleting the CL because
++ * deletion can take some time giving the opportunity
++ * to an operation to start while CL is deleted
++ */
+ PR_ASSERT(r);
+ /* The changelog for this replica is no longer valid, so we should remove it. */
+ slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "replica_config_delete - "
+@@ -765,7 +769,6 @@ replica_config_delete(Slapi_PBlock *pb __attribute__((unused)),
+ slapi_sdn_get_dn(replica_get_root(r)));
+ cl5DeleteDBSync(r);
+ replica_delete_by_name(replica_get_name(r));
+- mtnode_ext->replica = NULL;
+ }
+
+ PR_Unlock(s_configLock);
+--
+2.21.1
+
diff --git a/SOURCES/0018-CVE-2019-14824-BZ-1748201-deref-plugin-displays-rest.patch b/SOURCES/0018-CVE-2019-14824-BZ-1748201-deref-plugin-displays-rest.patch
deleted file mode 100644
index e213cc1..0000000
--- a/SOURCES/0018-CVE-2019-14824-BZ-1748201-deref-plugin-displays-rest.patch
+++ /dev/null
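Review bot: The added comment in replica_config_delete (patch 0017, the `mtnode_ext->replica = NULL;` line moved ahead of `cl5DeleteDBSync(r)`) should state that the race is only narrowed, not closed. Per the commit message the mapping tree is read without a lock, so an update that fetched the replica just before the store can still write to the changelog while it is being removed and leave the DB lock held. I would append something like `/* NOTE: narrows, but does not close, the window: an update that already fetched the replica can still race with cl5DeleteDBSync() */` so the remaining hang is not assumed fixed. As a smaller style point, `PR_ASSERT(r)` would read better directly after `object_get_data()`, next to the value it guards. The function body starts and ends outside the hunk.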
@@ -1,53 +0,0 @@
-From 9e244c9344a73af93cc79dd1176ce78971747027 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Tue, 3 Sep 2019 14:53:09 -0400
-Subject: [PATCH] CVE-2019-14824 (BZ#1748201) - deref plugin displays
- restricted attributes
-
-Bug Description: If there is an ACI that allows "search" access to an attribute,
- the deref plugin access control checks sees this is a "read"
- privilege and returns the attribute's value.
-
-Fix description: For deref plugin we are only concerned with "read" access, not
- "search" access. Removed the SLAPI_ACL_SEARCH right flag when
- checking access for an attribute.
-
-Reviewed by: lkrispen & tbordaz(Thanks!)
----
- ldap/servers/plugins/deref/deref.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
-index cb5ebb830..ec1884ba3 100644
---- a/ldap/servers/plugins/deref/deref.c
-+++ b/ldap/servers/plugins/deref/deref.c
-@@ -573,7 +573,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
- Slapi_Entry **entries = NULL;
- int rc;
-
-- /* If the access check on the attributes is done without retrieveing the entry
-+ /* If the access check on the attributes is done without retrieving the entry
- * it cannot handle acis which need teh entry, eg to apply a targetfilter rule
- * So the determination of attrs which can be dereferenced is delayed
- */
-@@ -596,7 +596,7 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
- int ii;
- int needattrvals = 1; /* need attrvals sequence? */
- if (deref_check_access(pb, entries[0], derefdn, attrs, &retattrs,
-- (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
-+ SLAPI_ACL_READ)) {
- slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
- "deref_do_deref_attr - The client does not have permission to read the requested "
- "attributes in entry %s\n",
-@@ -714,7 +714,7 @@ deref_pre_entry(Slapi_PBlock *pb)
- attrs[1] = NULL;
-
- if (deref_check_access(pb, ent, NULL, attrs, &retattrs,
-- (SLAPI_ACL_SEARCH | SLAPI_ACL_READ))) {
-+ SLAPI_ACL_READ)) {
- slapi_log_err(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
- "deref_pre_entry - The client does not have permission to read attribute %s in entry %s\n",
- spec->derefattr, slapi_entry_get_dn_const(ent));
---
-2.21.0
-
diff --git a/SOURCES/0018-Ticket-50727-change-syntax-validate-by-default-in-1..patch b/SOURCES/0018-Ticket-50727-change-syntax-validate-by-default-in-1..patch
new file mode 100644
index 0000000..1bfae46
--- /dev/null
+++ b/SOURCES/0018-Ticket-50727-change-syntax-validate-by-default-in-1..patch
@@ -0,0 +1,57 @@
+From 961d91d16f26f03812c83143cbb7dc3e37677bf6 Mon Sep 17 00:00:00 2001
+From: William Brown
+Date: Wed, 18 Dec 2019 13:14:24 +1000
+Subject: [PATCH 1/2] Ticket 50727 - change syntax validate by default in 1.4.2
+
+Bug Description: The default syntax validate for 1.4.2 should be changed to
+a softer introduction so that admins have time to prepare for the change
+of query behaviour in 1.4.3.
+
+Fix Description: Change default in 1.4.2 to warn-invalid, 1.4.3 will
+remain as process-safe.
+
+https://pagure.io/389-ds-base/issue/50727
+
+Author: William Brown
+
+Review by: tbordaz (Thanks)
+---
+ ldap/servers/slapd/libglobs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
+index db61ee0b8..b9cdb6b37 100644
+--- a/ldap/servers/slapd/libglobs.c
++++ b/ldap/servers/slapd/libglobs.c
+@@ -1783,7 +1783,7 @@ FrontendConfig_init(void)
+ * scheme set in cn=config
+ */
+ init_enable_upgrade_hash = cfg->enable_upgrade_hash = LDAP_ON;
+- init_verify_filter_schema = cfg->verify_filter_schema = SLAPI_WARN;
++ init_verify_filter_schema = cfg->verify_filter_schema = SLAPI_WARN_UNSAFE;
+
+ /* Done, unlock! */
+ CFG_UNLOCK_WRITE(cfg);
+@@ -7689,7 +7689,7 @@ config_set_onoffwarn(slapdFrontendConfig_t *slapdFrontendConfig, slapi_onwarnoff
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+- slapi_onwarnoff_t p_val = SLAPI_OFF;
++ slapi_special_filter_verify_t p_val = SLAPI_WARN_UNSAFE;
+
+ if (strcasecmp(value, "on") == 0) {
+ p_val = SLAPI_ON;
+@@ -8033,8 +8033,8 @@ config_set_value(
+ } else if (*((slapi_onwarnoff_t *)value) == SLAPI_WARN) {
+ slapi_entry_attr_set_charptr(e, cgas->attr_name, "warn");
+ } else {
+- slapi_entry_attr_set_charptr(e, cgas->attr_name, "off");
+- /* Default to off. */
++ /* Default to safe warn-proccess-safely */
++ slapi_entry_attr_set_charptr(e, cgas->attr_name, "warn-invalid");
+ }
+
+ break;
+--
+2.21.1
+
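Review bot: In config_set_value the final `else` of the on/warn/off branch now writes "warn-invalid" for every value not matched above, so, assuming the branch above the hunk handles only SLAPI_ON, a setting stored as SLAPI_OFF would be read back as "warn-invalid" and an administrator auditing cn=config would see filter validation reported as active when it is off. Keeping an explicit branch, `} else if (*((slapi_onwarnoff_t *)value) == SLAPI_OFF) {` with `slapi_entry_attr_set_charptr(e, cgas->attr_name, "off");`, ahead of the new default would avoid that. In config_set_onoffwarn, `p_val` is now declared `slapi_special_filter_verify_t` while the next visible line still assigns `SLAPI_ON`, which appears to belong to `slapi_onwarnoff_t`, so two enum types are mixed; the rest of both functions is outside the hunk. The new comment also misspells the mode name (`warn-proccess-safely`) and does not match the "warn-invalid" string it sits above.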
diff --git a/SOURCES/0019-Ticket-50727-correct-mistaken-options-in-filter-vali.patch b/SOURCES/0019-Ticket-50727-correct-mistaken-options-in-filter-vali.patch
new file mode 100644
index 0000000..4e038ba
--- /dev/null
+++ b/SOURCES/0019-Ticket-50727-correct-mistaken-options-in-filter-vali.patch
@@ -0,0 +1,730 @@ +From 918df0a60a9cf1e3a836165f1044ea63c88bdd72 Mon Sep 17 00:00:00 2001 +From: William Brown +Date: Fri, 6 Dec 2019 14:04:45 +1000 +Subject: [PATCH] Ticket 50727 - correct mistaken options in filter validation + patch + +Bug Description: Because William of the past missed (forgot) to make +some agreed upon changes, we shipped the feature for filter validation +in a state that was a bit unclear for users. + +Fix Description: Fix the options to now be clearer in what is +expected/demaned from admins. We now have 4 possible states for +the value of the config: + +* reject-invalid (prev on) +* process-safe (prev warn) +* warn-invalid (new!) +* off (prev off) + +These behave as: + +* reject-invalid - reject queries that contain unknown attributes +* process-safe - log a notes=F that an attr is missing, and idl_alloc(0) + the missing attribute for RFC4511 compliance. +* warn-invalid - log a notes=F that an attr is missing, and process + as ALLIDS (the legacy behaviour) +* off - process as ALLIDs (the legacy behaviour) + +The default is "process-safe". 
+ +https://pagure.io/389-ds-base/issue/50727 + +Author: William Brown + +Review by: tbordaz, lkrispen (thanks) +--- + .../suites/filter/schema_validation_test.py | 112 ++++++++++++++++-- + ldap/servers/slapd/back-ldbm/filterindex.c | 28 +++-- + ldap/servers/slapd/libglobs.c | 78 +++++++----- + ldap/servers/slapd/schema.c | 26 ++-- + ldap/servers/slapd/slap.h | 21 ++-- + ldap/servers/slapd/slapi-plugin.h | 1 + + ldap/servers/slapd/slapi-private.h | 3 +- + src/lib389/lib389/extensibleobject.py | 53 +++++++++ + 8 files changed, 258 insertions(+), 64 deletions(-) + create mode 100644 src/lib389/lib389/extensibleobject.py + +diff --git a/dirsrvtests/tests/suites/filter/schema_validation_test.py b/dirsrvtests/tests/suites/filter/schema_validation_test.py +index 4ac9fa8ff..d0d67ca95 100644 +--- a/dirsrvtests/tests/suites/filter/schema_validation_test.py ++++ b/dirsrvtests/tests/suites/filter/schema_validation_test.py +@@ -9,14 +9,29 @@ + + import pytest + import ldap +-from lib389.topologies import topology_st ++from lib389.topologies import topology_st as topology_st_pre + from lib389.dirsrv_log import DirsrvAccessLog + from lib389._mapped_object import DSLdapObjects + from lib389._constants import DEFAULT_SUFFIX ++from lib389.extensibleobject import UnsafeExtensibleObjects + +-def _check_value(inst_cfg, value): ++def _check_value(inst_cfg, value, exvalue=None): ++ if exvalue is None: ++ exvalue = value + inst_cfg.set('nsslapd-verify-filter-schema', value) +- assert(inst_cfg.get_attr_val_utf8('nsslapd-verify-filter-schema') == value) ++ assert(inst_cfg.get_attr_val_utf8('nsslapd-verify-filter-schema') == exvalue) ++ ++@pytest.fixture(scope="module") ++def topology_st(topology_st_pre): ++ raw_objects = UnsafeExtensibleObjects(topology_st_pre.standalone, basedn=DEFAULT_SUFFIX) ++ # Add an object that won't be able to be queried due to invalid attrs. 
++ raw_objects.create(properties = { ++ "cn": "test_obj", ++ "a": "a", ++ "b": "b", ++ "uid": "foo" ++ }) ++ return topology_st_pre + + + @pytest.mark.ds50349 +@@ -51,8 +66,14 @@ def test_filter_validation_config(topology_st): + + initial_value = inst_cfg.get_attr_val_utf8('nsslapd-verify-filter-schema') + +- _check_value(inst_cfg, "on") +- _check_value(inst_cfg, "warn") ++ # Check legacy values that may have been set ++ _check_value(inst_cfg, "on", "reject-invalid") ++ _check_value(inst_cfg, "warn", "process-safe") ++ _check_value(inst_cfg, "off") ++ # Check the more descriptive values ++ _check_value(inst_cfg, "reject-invalid") ++ _check_value(inst_cfg, "process-safe") ++ _check_value(inst_cfg, "warn-invalid") + _check_value(inst_cfg, "off") + + # This should fail +@@ -85,7 +106,7 @@ def test_filter_validation_enabled(topology_st): + inst = topology_st.standalone + + # In case the default has changed, we set the value to warn. +- inst.config.set("nsslapd-verify-filter-schema", "on") ++ inst.config.set("nsslapd-verify-filter-schema", "reject-invalid") + raw_objects = DSLdapObjects(inst, basedn=DEFAULT_SUFFIX) + + # Check a good query has no errors. +@@ -104,9 +125,9 @@ def test_filter_validation_enabled(topology_st): + + + @pytest.mark.ds50349 +-def test_filter_validation_warning(topology_st): ++def test_filter_validation_warn_safe(topology_st): + """Test that queries which are invalid, are correctly marked as "notes=F" in +- the access log. ++ the access log, and return no entries or partial sets. + + :id: 8b2b23fe-d878-435c-bc84-8c298be4ca1f + :setup: Standalone instance +@@ -122,7 +143,7 @@ def test_filter_validation_warning(topology_st): + inst = topology_st.standalone + + # In case the default has changed, we set the value to warn. +- inst.config.set("nsslapd-verify-filter-schema", "warn") ++ inst.config.set("nsslapd-verify-filter-schema", "process-safe") + # Set the access log to un-buffered so we get it immediately. 
+ inst.config.set("nsslapd-accesslog-logbuffering", "off") + +@@ -139,20 +160,93 @@ def test_filter_validation_warning(topology_st): + + # Check a good query has no warnings. + r = raw_objects.filter("(objectClass=*)") ++ assert(len(r) > 0) + r_s1 = access_log.match(".*notes=F.*") + # Should be the same number of log lines IE 0. + assert(len(r_init) == len(r_s1)) + + # Check a bad one DOES emit a warning. + r = raw_objects.filter("(a=a)") ++ assert(len(r) == 0) + r_s2 = access_log.match(".*notes=F.*") + # Should be the greate number of log lines IE +1 + assert(len(r_init) + 1 == len(r_s2)) + + # Check a bad complex one does emit a warning. + r = raw_objects.filter("(&(a=a)(b=b)(objectClass=*))") ++ assert(len(r) == 0) + r_s3 = access_log.match(".*notes=F.*") + # Should be the greate number of log lines IE +2 + assert(len(r_init) + 2 == len(r_s3)) + ++ # Check that we can still get things when partial ++ r = raw_objects.filter("(|(a=a)(b=b)(uid=foo))") ++ assert(len(r) == 1) ++ r_s4 = access_log.match(".*notes=F.*") ++ # Should be the greate number of log lines IE +2 ++ assert(len(r_init) + 3 == len(r_s4)) ++ ++ ++@pytest.mark.ds50349 ++def test_filter_validation_warn_unsafe(topology_st): ++ """Test that queries which are invalid, are correctly marked as "notes=F" in ++ the access log, and uses the legacy query behaviour to return unsafe sets. ++ ++ :id: 8b2b23fe-d878-435c-bc84-8c298be4ca1f ++ :setup: Standalone instance ++ :steps: ++ 1. Search a well formed query ++ 2. Search a poorly formed query ++ 3. Search a poorly formed complex (and/or) query ++ :expectedresults: ++ 1. No warnings ++ 2. notes=F is present ++ 3. notes=F is present ++ """ ++ inst = topology_st.standalone ++ ++ # In case the default has changed, we set the value to warn. ++ inst.config.set("nsslapd-verify-filter-schema", "warn-invalid") ++ # Set the access log to un-buffered so we get it immediately. ++ inst.config.set("nsslapd-accesslog-logbuffering", "off") ++ ++ # Setup the query object. 
++ # Now we don't care if there are any results, we only care about good/bad queries. ++ # To do this we have to bypass some of the lib389 magic, and just emit raw queries ++ # to check them. Turns out lib389 is well designed and this just works as expected ++ # if you use a single DSLdapObjects and filter. :) ++ raw_objects = DSLdapObjects(inst, basedn=DEFAULT_SUFFIX) ++ ++ # Find any initial notes=F ++ access_log = DirsrvAccessLog(inst) ++ r_init = access_log.match(".*notes=(U,)?F.*") ++ ++ # Check a good query has no warnings. ++ r = raw_objects.filter("(objectClass=*)") ++ assert(len(r) > 0) ++ r_s1 = access_log.match(".*notes=(U,)?F.*") ++ # Should be the same number of log lines IE 0. ++ assert(len(r_init) == len(r_s1)) ++ ++ # Check a bad one DOES emit a warning. ++ r = raw_objects.filter("(a=a)") ++ assert(len(r) == 1) ++ # NOTE: Unlike warn-process-safely, these become UNINDEXED and show in the logs. ++ r_s2 = access_log.match(".*notes=(U,)?F.*") ++ # Should be the greate number of log lines IE +1 ++ assert(len(r_init) + 1 == len(r_s2)) ++ ++ # Check a bad complex one does emit a warning. 
++ r = raw_objects.filter("(&(a=a)(b=b)(objectClass=*))") ++ assert(len(r) == 1) ++ r_s3 = access_log.match(".*notes=(U,)?F.*") ++ # Should be the greate number of log lines IE +2 ++ assert(len(r_init) + 2 == len(r_s3)) ++ ++ # Check that we can still get things when partial ++ r = raw_objects.filter("(|(a=a)(b=b)(uid=foo))") ++ assert(len(r) == 1) ++ r_s4 = access_log.match(".*notes=(U,)?F.*") ++ # Should be the greate number of log lines IE +2 ++ assert(len(r_init) + 3 == len(r_s4)) + +diff --git a/ldap/servers/slapd/back-ldbm/filterindex.c b/ldap/servers/slapd/back-ldbm/filterindex.c +index 7e65f73ca..8a79848c3 100644 +--- a/ldap/servers/slapd/back-ldbm/filterindex.c ++++ b/ldap/servers/slapd/back-ldbm/filterindex.c +@@ -223,13 +223,15 @@ ava_candidates( + + switch (ftype) { + case LDAP_FILTER_GE: +- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) { ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) { + /* + * REMEMBER: this flag is only set on WARN levels. If the filter verify + * is on strict, we reject in search.c, if we ar off, the flag will NOT + * be set on the filter at all! + */ + slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID); ++ } ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) { + idl = idl_alloc(0); + } else { + idl = range_candidates(pb, be, type, bval, NULL, err, &sattr, allidslimit); +@@ -239,13 +241,15 @@ ava_candidates( + goto done; + break; + case LDAP_FILTER_LE: +- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) { ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) { + /* + * REMEMBER: this flag is only set on WARN levels. If the filter verify + * is on strict, we reject in search.c, if we ar off, the flag will NOT + * be set on the filter at all! 
+ */ + slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID); ++ } ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) { + idl = idl_alloc(0); + } else { + idl = range_candidates(pb, be, type, NULL, bval, err, &sattr, allidslimit); +@@ -293,13 +297,15 @@ ava_candidates( + ptr[1] = NULL; + ivals = ptr; + +- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) { ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) { + /* + * REMEMBER: this flag is only set on WARN levels. If the filter verify + * is on strict, we reject in search.c, if we ar off, the flag will NOT + * be set on the filter at all! + */ + slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID); ++ } ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) { + idl = idl_alloc(0); + } else { + slapi_attr_assertion2keys_ava_sv(&sattr, &tmp, (Slapi_Value ***)&ivals, LDAP_FILTER_EQUALITY_FAST); +@@ -326,13 +332,15 @@ ava_candidates( + slapi_ch_free((void **)&ivals); + } + } else { +- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) { ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) { + /* + * REMEMBER: this flag is only set on WARN levels. If the filter verify + * is on strict, we reject in search.c, if we ar off, the flag will NOT + * be set on the filter at all! + */ + slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID); ++ } ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) { + idl = idl_alloc(0); + } else { + slapi_value_init_berval(&sv, bval); +@@ -382,13 +390,15 @@ presence_candidates( + } + slapi_pblock_get(pb, SLAPI_TXN, &txn.back_txn_txn); + +- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) { ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) { + /* + * REMEMBER: this flag is only set on WARN levels. If the filter verify + * is on strict, we reject in search.c, if we ar off, the flag will NOT + * be set on the filter at all! 
+ */ + slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID); ++ } ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) { + idl = idl_alloc(0); + } else { + idl = index_read_ext_allids(pb, be, type, indextype_PRESENCE, +@@ -485,13 +495,15 @@ extensible_candidates( + slapi_pblock_get(pb, SLAPI_PLUGIN_MR_KEYS, &keys)) { + /* something went wrong. bail. */ + break; +- } else if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) { ++ } else if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) { + /* + * REMEMBER: this flag is only set on WARN levels. If the filter verify + * is on strict, we reject in search.c, if we ar off, the flag will NOT + * be set on the filter at all! + */ + slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID); ++ } ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) { + idl = idl_alloc(0); + } else if (keys == NULL || keys[0] == NULL) { + /* no keys */ +@@ -986,13 +998,15 @@ substring_candidates( + * look up each key in the index, ANDing the resulting + * IDLists together. + */ +- if (f->f_flags & SLAPI_FILTER_INVALID_ATTR) { ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_WARN) { + /* + * REMEMBER: this flag is only set on WARN levels. If the filter verify + * is on strict, we reject in search.c, if we ar off, the flag will NOT + * be set on the filter at all! 
+ */ + slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_FILTER_INVALID); ++ } ++ if (f->f_flags & SLAPI_FILTER_INVALID_ATTR_UNDEFINE) { + idl = idl_alloc(0); + } else { + slapi_pblock_get(pb, SLAPI_TXN, &txn.back_txn_txn); +diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c +index b9cdb6b37..66170ebc6 100644 +--- a/ldap/servers/slapd/libglobs.c ++++ b/ldap/servers/slapd/libglobs.c +@@ -166,7 +166,7 @@ typedef enum { + CONFIG_SPECIAL_VALIDATE_CERT_SWITCH, /* maps strings to an enumeration */ + CONFIG_SPECIAL_UNHASHED_PW_SWITCH, /* unhashed pw: on/off/nolog */ + CONFIG_SPECIAL_TLS_CHECK_CRL, /* maps enum tls_check_crl_t to char * */ +- CONFIG_ON_OFF_WARN, /* maps to a config on/warn/off enum */ ++ CONFIG_SPECIAL_FILTER_VERIFY, /* maps to a config strict/warn-strict/warn/off enum */ + } ConfigVarType; + + static int32_t config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char *errorbuf, int apply); +@@ -256,7 +256,7 @@ slapi_int_t init_malloc_mmap_threshold; + slapi_onoff_t init_extract_pem; + slapi_onoff_t init_ignore_vattrs; + slapi_onoff_t init_enable_upgrade_hash; +-slapi_onwarnoff_t init_verify_filter_schema; ++slapi_special_filter_verify_t init_verify_filter_schema; + + static int + isInt(ConfigVarType type) +@@ -1248,7 +1248,7 @@ static struct config_get_and_set + {CONFIG_VERIFY_FILTER_SCHEMA, config_set_verify_filter_schema, + NULL, 0, + (void **)&global_slapdFrontendConfig.verify_filter_schema, +- CONFIG_ON_OFF_WARN, (ConfigGetFunc)config_get_verify_filter_schema, ++ CONFIG_SPECIAL_FILTER_VERIFY, (ConfigGetFunc)config_get_verify_filter_schema, + &init_verify_filter_schema}, + /* End config */ + }; +@@ -7659,18 +7659,21 @@ config_initvalue_to_onoff(struct config_get_and_set *cgas, char *initvalbuf, siz + } + + static char * +-config_initvalue_to_onwarnoff(struct config_get_and_set *cgas, char *initvalbuf, size_t initvalbufsize) { ++config_initvalue_to_special_filter_verify(struct config_get_and_set *cgas, 
char *initvalbuf, size_t initvalbufsize) { + char *retval = NULL; +- if (cgas->config_var_type == CONFIG_ON_OFF_WARN) { +- slapi_onwarnoff_t *value = (slapi_onwarnoff_t *)(intptr_t)cgas->initvalue; ++ if (cgas->config_var_type == CONFIG_SPECIAL_FILTER_VERIFY) { ++ slapi_special_filter_verify_t *value = (slapi_special_filter_verify_t *)(intptr_t)cgas->initvalue; + if (value != NULL) { +- if (*value == SLAPI_ON) { +- PR_snprintf(initvalbuf, initvalbufsize, "%s", "on"); ++ if (*value == SLAPI_STRICT) { ++ PR_snprintf(initvalbuf, initvalbufsize, "%s", "reject-invalid"); + retval = initvalbuf; +- } else if (*value == SLAPI_WARN) { +- PR_snprintf(initvalbuf, initvalbufsize, "%s", "warn"); ++ } else if (*value == SLAPI_WARN_SAFE) { ++ PR_snprintf(initvalbuf, initvalbufsize, "%s", "process-safe"); + retval = initvalbuf; +- } else if (*value == SLAPI_OFF) { ++ } else if (*value == SLAPI_WARN_UNSAFE) { ++ PR_snprintf(initvalbuf, initvalbufsize, "%s", "warn-invalid"); ++ retval = initvalbuf; ++ } else if (*value == SLAPI_OFF_UNSAFE) { + PR_snprintf(initvalbuf, initvalbufsize, "%s", "off"); + retval = initvalbuf; + } +@@ -7680,7 +7683,7 @@ config_initvalue_to_onwarnoff(struct config_get_and_set *cgas, char *initvalbuf, + } + + static int32_t +-config_set_onoffwarn(slapdFrontendConfig_t *slapdFrontendConfig, slapi_onwarnoff_t *target, const char *attrname, char *value, char *errorbuf, int apply) { ++config_set_specialfilterverify(slapdFrontendConfig_t *slapdFrontendConfig, slapi_special_filter_verify_t *target, const char *attrname, char *value, char *errorbuf, int apply) { + if (target == NULL) { + return LDAP_OPERATIONS_ERROR; + } +@@ -7691,15 +7694,23 @@ config_set_onoffwarn(slapdFrontendConfig_t *slapdFrontendConfig, slapi_onwarnoff + + slapi_special_filter_verify_t p_val = SLAPI_WARN_UNSAFE; + ++ /* on/warn/off retained for legacy reasons due to wbrown making terrible mistakes :( :( */ + if (strcasecmp(value, "on") == 0) { +- p_val = SLAPI_ON; ++ p_val = SLAPI_STRICT; + } 
else if (strcasecmp(value, "warn") == 0) { +- p_val = SLAPI_WARN; ++ p_val = SLAPI_WARN_SAFE; ++ /* The new fixed/descriptive names */ ++ } else if (strcasecmp(value, "reject-invalid") == 0) { ++ p_val = SLAPI_STRICT; ++ } else if (strcasecmp(value, "process-safe") == 0) { ++ p_val = SLAPI_WARN_SAFE; ++ } else if (strcasecmp(value, "warn-invalid") == 0) { ++ p_val = SLAPI_WARN_UNSAFE; + } else if (strcasecmp(value, "off") == 0) { +- p_val = SLAPI_OFF; ++ p_val = SLAPI_OFF_UNSAFE; + } else { + slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, +- "%s: invalid value \"%s\". Valid values are \"on\", \"warn\" or \"off\".", attrname, value); ++ "%s: invalid value \"%s\". Valid values are \"reject-invalid\", \"process-safe\", \"warn-invalid\" or \"off\". If in doubt, choose \"process-safe\"", attrname, value); + return LDAP_OPERATIONS_ERROR; + } + +@@ -7718,14 +7729,14 @@ config_set_onoffwarn(slapdFrontendConfig_t *slapdFrontendConfig, slapi_onwarnoff + int32_t + config_set_verify_filter_schema(const char *attrname, char *value, char *errorbuf, int apply) { + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); +- slapi_onwarnoff_t *target = &(slapdFrontendConfig->verify_filter_schema); +- return config_set_onoffwarn(slapdFrontendConfig, target, attrname, value, errorbuf, apply); ++ slapi_special_filter_verify_t *target = &(slapdFrontendConfig->verify_filter_schema); ++ return config_set_specialfilterverify(slapdFrontendConfig, target, attrname, value, errorbuf, apply); + } + + Slapi_Filter_Policy + config_get_verify_filter_schema() + { +- slapi_onwarnoff_t retVal; ++ slapi_special_filter_verify_t retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapdFrontendConfig->verify_filter_schema; +@@ -7733,10 +7744,13 @@ config_get_verify_filter_schema() + + /* Now map this to a policy that the fns understand. 
*/ + switch (retVal) { +- case SLAPI_ON: ++ case SLAPI_STRICT: + return FILTER_POLICY_STRICT; + break; +- case SLAPI_WARN: ++ case SLAPI_WARN_SAFE: ++ return FILTER_POLICY_PROTECT; ++ break; ++ case SLAPI_WARN_UNSAFE: + return FILTER_POLICY_WARNING; + break; + default: +@@ -7794,8 +7808,8 @@ config_set(const char *attr, struct berval **values, char *errorbuf, int apply) + void *initval = cgas->initvalue; + if (cgas->config_var_type == CONFIG_ON_OFF) { + initval = (void *)config_initvalue_to_onoff(cgas, initvalbuf, sizeof(initvalbuf)); +- } else if (cgas->config_var_type == CONFIG_ON_OFF_WARN) { +- initval = (void *)config_initvalue_to_onwarnoff(cgas, initvalbuf, sizeof(initvalbuf)); ++ } else if (cgas->config_var_type == CONFIG_SPECIAL_FILTER_VERIFY) { ++ initval = (void *)config_initvalue_to_special_filter_verify(cgas, initvalbuf, sizeof(initvalbuf)); + } + if (cgas->setfunc) { + retval = (cgas->setfunc)(cgas->attr_name, initval, errorbuf, apply); +@@ -8021,20 +8035,24 @@ config_set_value( + + break; + +- case CONFIG_ON_OFF_WARN: ++ case CONFIG_SPECIAL_FILTER_VERIFY: + /* Is this the right default here? 
*/ + if (!value) { +- slapi_entry_attr_set_charptr(e, cgas->attr_name, "off"); ++ slapi_entry_attr_set_charptr(e, cgas->attr_name, "process-safe"); + break; + } + +- if (*((slapi_onwarnoff_t *)value) == SLAPI_ON) { +- slapi_entry_attr_set_charptr(e, cgas->attr_name, "on"); +- } else if (*((slapi_onwarnoff_t *)value) == SLAPI_WARN) { +- slapi_entry_attr_set_charptr(e, cgas->attr_name, "warn"); ++ if (*((slapi_special_filter_verify_t *)value) == SLAPI_STRICT) { ++ slapi_entry_attr_set_charptr(e, cgas->attr_name, "reject-invalid"); ++ } else if (*((slapi_special_filter_verify_t *)value) == SLAPI_WARN_SAFE) { ++ slapi_entry_attr_set_charptr(e, cgas->attr_name, "process-safe"); ++ } else if (*((slapi_special_filter_verify_t *)value) == SLAPI_WARN_UNSAFE) { ++ slapi_entry_attr_set_charptr(e, cgas->attr_name, "warn-invalid"); ++ } else if (*((slapi_special_filter_verify_t *)value) == SLAPI_OFF_UNSAFE) { ++ slapi_entry_attr_set_charptr(e, cgas->attr_name, "off"); + } else { + /* Default to safe warn-proccess-safely */ +- slapi_entry_attr_set_charptr(e, cgas->attr_name, "warn-invalid"); ++ slapi_entry_attr_set_charptr(e, cgas->attr_name, "process-safe"); + } + + break; +diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c +index 6e853fc7c..d7c3c139e 100644 +--- a/ldap/servers/slapd/schema.c ++++ b/ldap/servers/slapd/schema.c +@@ -698,7 +698,7 @@ out: + } + + static Slapi_Filter_Result +-slapi_filter_schema_check_inner(Slapi_Filter *f) { ++slapi_filter_schema_check_inner(Slapi_Filter *f, slapi_filter_flags flags) { + /* + * Default response to Ok. If any more severe things happen we + * alter this to reflect it. 
IE we bubble up more severe errors +@@ -712,26 +712,26 @@ slapi_filter_schema_check_inner(Slapi_Filter *f) { + case LDAP_FILTER_LE: + case LDAP_FILTER_APPROX: + if (!attr_syntax_exist_by_name_nolock(f->f_avtype)) { +- f->f_flags |= SLAPI_FILTER_INVALID_ATTR; ++ f->f_flags |= flags; + r = FILTER_SCHEMA_WARNING; + } + break; + case LDAP_FILTER_PRESENT: + if (!attr_syntax_exist_by_name_nolock(f->f_type)) { +- f->f_flags |= SLAPI_FILTER_INVALID_ATTR; ++ f->f_flags |= flags; + r = FILTER_SCHEMA_WARNING; + } + break; + case LDAP_FILTER_SUBSTRINGS: + if (!attr_syntax_exist_by_name_nolock(f->f_sub_type)) { +- f->f_flags |= SLAPI_FILTER_INVALID_ATTR; ++ f->f_flags |= flags; + r = FILTER_SCHEMA_WARNING; + } + break; + case LDAP_FILTER_EXTENDED: + /* I don't have any examples of this, so I'm not 100% on how to check it */ + if (!attr_syntax_exist_by_name_nolock(f->f_mr_type)) { +- f->f_flags |= SLAPI_FILTER_INVALID_ATTR; ++ f->f_flags |= flags; + r = FILTER_SCHEMA_WARNING; + } + break; +@@ -740,7 +740,7 @@ slapi_filter_schema_check_inner(Slapi_Filter *f) { + case LDAP_FILTER_NOT: + /* Recurse and check all elemments of the filter */ + for (Slapi_Filter *f_child = f->f_list; f_child != NULL; f_child = f_child->f_next) { +- Slapi_Filter_Result ri = slapi_filter_schema_check_inner(f_child); ++ Slapi_Filter_Result ri = slapi_filter_schema_check_inner(f_child, flags); + if (ri > r) { + r = ri; + } +@@ -769,12 +769,24 @@ slapi_filter_schema_check(Slapi_Filter *f, Slapi_Filter_Policy fp) { + return FILTER_SCHEMA_SUCCESS; + } + ++ /* ++ * There are two possible warning types - it's not up to us to warn into ++ * the logs, that's the backends job. So we have to flag a hint into the ++ * filter about what it should do. This is why there are two FILTER_INVALID ++ * types in filter_flags, one for logging it, and one for actually doing ++ * the rejection. 
++ */ ++ slapi_filter_flags flags = SLAPI_FILTER_INVALID_ATTR_WARN; ++ if (fp == FILTER_POLICY_PROTECT) { ++ flags |= SLAPI_FILTER_INVALID_ATTR_UNDEFINE; ++ } ++ + /* + * Filters are nested, recursive structures, so we actually have to call an inner + * function until we have a result! + */ + attr_syntax_read_lock(); +- Slapi_Filter_Result r = slapi_filter_schema_check_inner(f); ++ Slapi_Filter_Result r = slapi_filter_schema_check_inner(f, flags); + attr_syntax_unlock_read(); + + /* If any warning occured, ensure we fail it. */ +diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h +index 8a2748519..d73e9aaae 100644 +--- a/ldap/servers/slapd/slap.h ++++ b/ldap/servers/slapd/slap.h +@@ -457,12 +457,12 @@ typedef enum _tls_check_crl_t { + TLS_CHECK_ALL = 2, + } tls_check_crl_t; + +-typedef enum _slapi_onwarnoff_t { +- SLAPI_OFF = 0, +- SLAPI_WARN = 1, +- SLAPI_ON = 2, +-} slapi_onwarnoff_t; +- ++typedef enum _slapi_special_filter_verify_t { ++ SLAPI_STRICT = 0, ++ SLAPI_WARN_SAFE = 1, ++ SLAPI_WARN_UNSAFE = 2, ++ SLAPI_OFF_UNSAFE = 3, ++} slapi_special_filter_verify_t; + + struct subfilt + { +@@ -2547,11 +2547,12 @@ typedef struct _slapdFrontendConfig + slapi_onoff_t enable_upgrade_hash; /* If on, upgrade hashes for PW at bind */ + /* + * Do we verify the filters we recieve by schema? +- * on - yes, and reject if attribute not found +- * warn - yes, and warn that the attribute is unknown and unindexed +- * off - no, do whatever (old status-quo) ++ * reject-invalid - reject filter if there is anything invalid ++ * process-safe - allow the filter, warn about what's invalid, and then idl_alloc(0) with rfc compliance ++ * warn-invalid - allow the filter, warn about the invalid, and then do a ALLIDS (may lead to full table scan) ++ * off - don't warn, just allow anything. This is the legacy behaviour. 
+ */ +- slapi_onwarnoff_t verify_filter_schema; ++ slapi_special_filter_verify_t verify_filter_schema; + } slapdFrontendConfig_t; + + /* possible values for slapdFrontendConfig_t.schemareplace */ +diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h +index 50b8d12c8..40b5c911a 100644 +--- a/ldap/servers/slapd/slapi-plugin.h ++++ b/ldap/servers/slapd/slapi-plugin.h +@@ -1571,6 +1571,7 @@ int slapi_entry_syntax_check(Slapi_PBlock *pb, Slapi_Entry *e, int override); + typedef enum { + FILTER_POLICY_OFF, + FILTER_POLICY_WARNING, ++ FILTER_POLICY_PROTECT, + FILTER_POLICY_STRICT, + } Slapi_Filter_Policy; + +diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h +index 04c045532..1f17eda12 100644 +--- a/ldap/servers/slapd/slapi-private.h ++++ b/ldap/servers/slapd/slapi-private.h +@@ -54,7 +54,8 @@ typedef enum _slapi_filter_flags_t { + SLAPI_FILTER_RUV = 4, + SLAPI_FILTER_NORMALIZED_TYPE = 8, + SLAPI_FILTER_NORMALIZED_VALUE = 16, +- SLAPI_FILTER_INVALID_ATTR = 32, ++ SLAPI_FILTER_INVALID_ATTR_UNDEFINE = 32, ++ SLAPI_FILTER_INVALID_ATTR_WARN = 64, + } slapi_filter_flags; + + #define SLAPI_ENTRY_LDAPSUBENTRY 2 +diff --git a/src/lib389/lib389/extensibleobject.py b/src/lib389/lib389/extensibleobject.py +new file mode 100644 +index 000000000..8fe37f980 +--- /dev/null ++++ b/src/lib389/lib389/extensibleobject.py +@@ -0,0 +1,53 @@ ++# --- BEGIN COPYRIGHT BLOCK --- ++# Copyright (C) 2019, William Brown ++# All rights reserved. ++# ++# License: GPL (version 3 or any later version). ++# See LICENSE for details. ++# --- END COPYRIGHT BLOCK --- ++ ++from lib389._mapped_object import DSLdapObject, DSLdapObjects ++from lib389.utils import ensure_str ++ ++class UnsafeExtensibleObject(DSLdapObject): ++ """A single instance of an extensible object. Extensible object by it's ++ nature is unsafe, eliminating rules around attribute checking. It may ++ cause unsafe or other unknown behaviour if not handled correctly. 
++ ++ :param instance: An instance ++ :type instance: lib389.DirSrv ++ :param dn: Entry DN ++ :type dn: str ++ """ ++ ++ def __init__(self, instance, dn=None): ++ super(UnsafeExtensibleObject, self).__init__(instance, dn) ++ self._rdn_attribute = "cn" ++ # Can I generate these from schema? ++ self._must_attributes = [] ++ self._create_objectclasses = [ ++ 'top', ++ 'extensibleObject', ++ ] ++ self._protected = False ++ ++class UnsafeExtensibleObjects(DSLdapObjects): ++ """DSLdapObjects that represents all extensible objects. Extensible Objects ++ are unsafe in their nature, disabling many checks around schema and attribute ++ handling. You should really really REALLY not use this unless you have specific ++ needs for testing. ++ ++ :param instance: An instance ++ :type instance: lib389.DirSrv ++ :param basedn: Base DN for all group entries below ++ :type basedn: str ++ """ ++ ++ def __init__(self, instance, basedn): ++ super(UnsafeExtensibleObjects, self).__init__(instance) ++ self._objectclasses = [ ++ 'extensibleObject', ++ ] ++ self._filterattrs = ["cn"] ++ self._childobject = UnsafeExtensibleObject ++ self._basedn = ensure_str(basedn) +-- +2.21.1 + diff --git a/SOURCES/0020-Issue-50599-Fix-memory-leak-when-removing-db-region-.patch b/SOURCES/0020-Issue-50599-Fix-memory-leak-when-removing-db-region-.patch new file mode 100644 index 0000000..8c5f04a --- /dev/null +++ b/SOURCES/0020-Issue-50599-Fix-memory-leak-when-removing-db-region-.patch 
@@ -0,0 +1,32 @@
+From 0513da63603cfc5730d34cc10aaf3a23beec210c Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Thu, 16 Jan 2020 15:11:34 -0500
+Subject: [PATCH] Issue 50599 - Fix memory leak when removing db region files
+
+Description: An unnecessary flag was set in glob() that was resulting
+ in a memory leak in the DS code. Removing this flag
+ eliminated the leak.
+
+relates: https://pagure.io/389-ds-base/issue/50599
+
+Reviewed by:
+---
+ ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c
+index 2103dac38..5a6a2a2e5 100644
+--- a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c
++++ b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c
+@@ -1072,7 +1072,7 @@ bdb_start(struct ldbminfo *li, int dbmode)
+
+ /* Better wipe out the region files to help ensure a clean start */
+ PR_snprintf(file_pattern, MAXPATHLEN, "%s/%s", region_dir, "__db.*");
+- if (glob(file_pattern, GLOB_DOOFFS, NULL, &globbuf) == 0) {
++ if (glob(file_pattern, 0, NULL, &globbuf) == 0) {
+ for (size_t i = 0; i < globbuf.gl_pathc; i++) {
+ remove(globbuf.gl_pathv[i]);
+ }
+--
+2.21.1
+
diff --git a/SOURCES/0021-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch b/SOURCES/0021-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch
new file mode 100644
index 0000000..c5a47e9
--- /dev/null
+++ b/SOURCES/0021-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch
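Review bot: In bdb_start (bdb_layer.c, patch 0020) the cleanup loop still discards the result of `remove(globbuf.gl_pathv[i])`, so a region file that cannot be deleted leaves the intended "clean start" silently incomplete. Logging the failure would make it visible: `if (remove(globbuf.gl_pathv[i]) != 0) { slapi_log_err(SLAPI_LOG_WARNING, "bdb_start", "Failed to remove region file %s\n", globbuf.gl_pathv[i]); }`. A glob() failure other than "no match" is also dropped without a message. The hunk ends inside the `if` block, so whether `globfree(&globbuf)` follows cannot be confirmed from here.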
@@ -0,0 +1,35 @@
+From e169d4690fb37be4fa9be1b2624c72ec90b1b68e Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 20 Jan 2020 13:16:36 -0500
+Subject: [PATCH] Issue 50834 - Incorrectly setting the NSS default SSL version
+ max
+
+Description: We've been using the wrong function to get the NSS max
+ version We were calling SSL_VersionRangeGetSupported()
+ which gets the versions NSS "can" handle, but
+ SSL_VersionRangeGetDefault() gets the versions that
+ are actually "enabled".
+
+relates: https://pagure.io/389-ds-base/issue/50834
+
+Reviewed by: mreynolds(one line commit rule)
+---
+ ldap/servers/slapd/ssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
+index 6a07f1ab0..71f91f761 100644
+--- a/ldap/servers/slapd/ssl.c
++++ b/ldap/servers/slapd/ssl.c
+@@ -936,7 +936,7 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr
+ char *certdir;
+ char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH];
+ /* Get the range of the supported SSL version */
+- SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions);
++ SSL_VersionRangeGetDefault(ssl_variant_stream, &enabledNSSVersions);
+
+ (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin));
+ (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax));
+--
+2.21.1
+
diff --git a/SOURCES/0022-Ticket-50741-cont-bdb_start-Detected-Disorderly-Shut.patch b/SOURCES/0022-Ticket-50741-cont-bdb_start-Detected-Disorderly-Shut.patch
new file mode 100644
index 0000000..455ec9c
--- /dev/null
+++ b/SOURCES/0022-Ticket-50741-cont-bdb_start-Detected-Disorderly-Shut.patch
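Review bot: In slapd_nss_init (ssl.c, patch 0021) the status returned by `SSL_VersionRangeGetDefault()` is ignored. On failure, `enabledNSSVersions` is used as-is by the two `slapi_getSSLVersion_str()` calls below and by any later code that takes the TLS version bounds from it. A guard such as `if (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabledNSSVersions) != SECSuccess)` with an error log and an init failure would keep a bogus range from being reported or applied. The comment above the call is now stale; it should read `/* Get the range of SSL versions enabled by default in NSS */`. The function body starts and ends outside the hunk.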
@@ -0,0 +1,281 @@ +From 1d2dca488c7b646dcf5d482414dec2ee032edea6 Mon Sep 17 00:00:00 2001 +From: Ludwig Krispenz +Date: Fri, 6 Dec 2019 13:54:04 +0100 +Subject: [PATCH] Ticket 50741-cont bdb_start - Detected Disorderly Shutdown + +Bug: Offline import does no longer write guardian file, next + normal start will raise a Disorderly Shutdown + +Fix: The bug was introduced with the fix for #50659 when dblayer_close() was + removed from import_moain_offline becasue it was called twice in some + scenarios. But it did miss in ldif2db. Add it there. + Also correct function reference in error messages + +Reviewed by: Thierry, thanks +--- + .../slapd/back-ldbm/db-bdb/bdb_import.c | 60 +++++++++---------- + .../slapd/back-ldbm/db-bdb/bdb_ldif2db.c | 3 + + 2 files changed, 33 insertions(+), 30 deletions(-) + +diff --git a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_import.c b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_import.c +index 60b6e13eb..15574e60f 100644 +--- a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_import.c ++++ b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_import.c +@@ -2274,7 +2274,7 @@ bdb_import_main(void *arg) + producer, PR_PRIORITY_NORMAL, PR_GLOBAL_BOUND_THREAD, + PR_UNJOINABLE_THREAD, SLAPD_DEFAULT_THREAD_STACKSIZE)) { + PRErrorCode prerr = PR_GetError(); +- slapi_log_err(SLAPI_LOG_ERR, "import_main_offline", ++ slapi_log_err(SLAPI_LOG_ERR, "bdb_import_main", + "Unable to spawn upgrade dn producer thread, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", + prerr, slapd_pr_strerror(prerr)); + goto error; +@@ -2285,19 +2285,19 @@ bdb_import_main(void *arg) + PR_UNJOINABLE_THREAD, + SLAPD_DEFAULT_THREAD_STACKSIZE)) { + PRErrorCode prerr = PR_GetError(); +- slapi_log_err(SLAPI_LOG_ERR, "import_main_offline", ++ slapi_log_err(SLAPI_LOG_ERR, "bdb_import_main", + "Unable to spawn index producer thread, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", + prerr, slapd_pr_strerror(prerr)); + goto error; + } + } else { +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", 
"Beginning import job..."); ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", "Beginning import job..."); + if (!CREATE_THREAD(PR_USER_THREAD, (VFP)import_producer, producer, + PR_PRIORITY_NORMAL, PR_GLOBAL_BOUND_THREAD, + PR_UNJOINABLE_THREAD, + SLAPD_DEFAULT_THREAD_STACKSIZE)) { + PRErrorCode prerr = PR_GetError(); +- slapi_log_err(SLAPI_LOG_ERR, "import_main_offline", ++ slapi_log_err(SLAPI_LOG_ERR, "bdb_import_main", + "Unable to spawn import producer thread, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", + prerr, slapd_pr_strerror(prerr)); + goto error; +@@ -2305,9 +2305,9 @@ bdb_import_main(void *arg) + } + + if (0 == job->job_index_buffer_suggestion) +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", "Index buffering is disabled."); ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", "Index buffering is disabled."); + else +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", + "Index buffering enabled with bucket size %lu", + (long unsigned int)job->job_index_buffer_suggestion); + +@@ -2343,13 +2343,13 @@ bdb_import_main(void *arg) + if (ret == ERR_IMPORT_ABORTED) { + /* at least one of the threads has aborted -- shut down ALL + * of the threads */ +- import_log_notice(job, SLAPI_LOG_ERR, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_ERR, "bdb_import_main", + "Aborting all %s threads...", opstr); + /* this abort sets the abort flag on the threads and will block for + * the exit of all threads + */ + import_set_abort_flag_all(job, 1); +- import_log_notice(job, SLAPI_LOG_ERR, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_ERR, "bdb_import_main", + "%s threads aborted.", opstr); + aborted = 1; + goto error; +@@ -2359,7 +2359,7 @@ bdb_import_main(void *arg) + goto error; + } else if (0 != ret) { + /* Some horrible fate has befallen the import */ +- import_log_notice(job, SLAPI_LOG_ERR, "import_main_offline", ++ 
import_log_notice(job, SLAPI_LOG_ERR, "bdb_import_main", + "Fatal pass error %d", ret); + goto error; + } +@@ -2405,7 +2405,7 @@ bdb_import_main(void *arg) + job->first_ID = job->ready_ID + 1; + import_free_thread_data(job); + job->worker_list = producer; +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", + "Beginning pass number %d", job->total_pass + 1); + } else { + /* Bizarro-slapd */ +@@ -2416,7 +2416,7 @@ bdb_import_main(void *arg) + + /* kill the producer now; we're done */ + if (producer) { +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", "Cleaning up producer thread..."); ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", "Cleaning up producer thread..."); + producer->command = STOP; + /* wait for the lead thread to stop */ + while (producer->state != FINISHED) { +@@ -2424,18 +2424,18 @@ bdb_import_main(void *arg) + } + } + +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", "Indexing complete. Post-processing..."); ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", "Indexing complete. 
Post-processing..."); + /* Now do the numsubordinates attribute */ + /* [610066] reindexed db cannot be used in the following backup/restore */ +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", + "Generating numsubordinates (this may take several minutes to complete)..."); + if ((!(job->flags & FLAG_REINDEXING) || (job->flags & FLAG_DN2RDN)) && + (ret = bdb_update_subordinatecounts(be, job, NULL)) != 0) { +- import_log_notice(job, SLAPI_LOG_ERR, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_ERR, "bdb_import_main", + "Failed to update numsubordinates attributes"); + goto error; + } +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", + "Generating numSubordinates complete."); + + if (!entryrdn_get_noancestorid()) { +@@ -2446,12 +2446,12 @@ bdb_import_main(void *arg) + ainfo_get(be, "ancestorid", &ai); + dblayer_erase_index_file(be, ai, PR_TRUE, 0); + if ((ret = bdb_ancestorid_create_index(be, job)) != 0) { +- import_log_notice(job, SLAPI_LOG_ERR, "import_main_offline", "Failed to create ancestorid index"); ++ import_log_notice(job, SLAPI_LOG_ERR, "bdb_import_main", "Failed to create ancestorid index"); + goto error; + } + } + +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", "Flushing caches..."); ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", "Flushing caches..."); + + /* New way to exit the routine: check the return code. + * If it's non-zero, delete the database files. 
+@@ -2462,7 +2462,7 @@ bdb_import_main(void *arg) + error: + /* If we fail, the database is now in a mess, so we delete it + except dry run mode */ +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", "Closing files..."); ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", "Closing files..."); + cache_clear(&job->inst->inst_cache, CACHE_TYPE_ENTRY); + if (entryrdn_get_switch()) { + cache_clear(&job->inst->inst_dncache, CACHE_TYPE_DN); +@@ -2476,14 +2476,14 @@ error: + /* initialize the entry cache */ + if (!cache_init(&(inst->inst_cache), DEFAULT_CACHE_SIZE, + DEFAULT_CACHE_ENTRIES, CACHE_TYPE_ENTRY)) { +- slapi_log_err(SLAPI_LOG_ERR, "import_main_offline", ++ slapi_log_err(SLAPI_LOG_ERR, "bdb_import_main", + "cache_init failed. Server should be restarted.\n"); + } + + /* initialize the dn cache */ + if (!cache_init(&(inst->inst_dncache), DEFAULT_DNCACHE_SIZE, + DEFAULT_DNCACHE_MAXCOUNT, CACHE_TYPE_DN)) { +- slapi_log_err(SLAPI_LOG_ERR, "import_main_offline", ++ slapi_log_err(SLAPI_LOG_ERR, "bdb_import_main", + "dn cache_init failed. Server should be restarted.\n"); + } + } +@@ -2496,7 +2496,7 @@ error: + } + } else { + if (0 != (ret = dblayer_instance_close(job->inst->inst_be))) { +- import_log_notice(job, SLAPI_LOG_WARNING, "import_main_offline", "Failed to close database"); ++ import_log_notice(job, SLAPI_LOG_WARNING, "bdb_import_main", "Failed to close database"); + } + } + end = slapi_current_utc_time(); +@@ -2508,7 +2508,7 @@ error: + + if (job->not_here_skipped) { + if (job->skipped) { +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", + "%s complete. 
Processed %lu entries " + "(%d bad entries were skipped, " + "%d entries were skipped because they don't " +@@ -2518,7 +2518,7 @@ error: + job->skipped, job->not_here_skipped, + seconds_to_import, entries_per_second); + } else { +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", + "%s complete. Processed %lu entries " + "(%d entries were skipped because they don't " + "belong to this database) " +@@ -2529,7 +2529,7 @@ error: + } + } else { + if (job->skipped) { +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", + "%s complete. Processed %lu entries " + "(%d were skipped) in %d seconds. " + "(%.2f entries/sec)", +@@ -2537,7 +2537,7 @@ error: + job->skipped, seconds_to_import, + entries_per_second); + } else { +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", + "%s complete. Processed %lu entries " + "in %d seconds. (%.2f entries/sec)", + opstr, (long unsigned int)entries_processed, +@@ -2548,7 +2548,7 @@ error: + + if (job->flags & (FLAG_DRYRUN | FLAG_UPGRADEDNFORMAT_V1)) { + if (0 == ret) { +- import_log_notice(job, SLAPI_LOG_INFO, "import_main_offline", "%s complete. %s is up-to-date.", ++ import_log_notice(job, SLAPI_LOG_INFO, "bdb_import_main", "%s complete. %s is up-to-date.", + opstr, job->inst->inst_name); + ret = 0; + if (job->task) { +@@ -2556,7 +2556,7 @@ error: + } + import_all_done(job, ret); + } else if (NEED_DN_NORM_BT == ret) { +- import_log_notice(job, SLAPI_LOG_NOTICE, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_NOTICE, "bdb_import_main", + "%s complete. 
%s needs upgradednformat all.", + opstr, job->inst->inst_name); + if (job->task) { +@@ -2565,7 +2565,7 @@ error: + import_all_done(job, ret); + ret = 1; + } else if (NEED_DN_NORM == ret) { +- import_log_notice(job, SLAPI_LOG_NOTICE, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_NOTICE, "bdb_import_main", + "%s complete. %s needs upgradednformat.", + opstr, job->inst->inst_name); + if (job->task) { +@@ -2574,7 +2574,7 @@ error: + import_all_done(job, ret); + ret = 2; + } else if (NEED_DN_NORM_SP == ret) { +- import_log_notice(job, SLAPI_LOG_NOTICE, "import_main_offline", ++ import_log_notice(job, SLAPI_LOG_NOTICE, "bdb_import_main", + "%s complete. %s needs upgradednformat spaces.", + opstr, job->inst->inst_name); + if (job->task) { +@@ -2589,7 +2589,7 @@ error: + } + } + } else if (0 != ret) { +- import_log_notice(job, SLAPI_LOG_ERR, "import_main_offline", "%s failed.", opstr); ++ import_log_notice(job, SLAPI_LOG_ERR, "bdb_import_main", "%s failed.", opstr); + if (job->task != NULL) { + slapi_task_finish(job->task, ret); + } +diff --git a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_ldif2db.c b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_ldif2db.c +index bb411a539..542147c3d 100644 +--- a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_ldif2db.c ++++ b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_ldif2db.c +@@ -383,6 +383,9 @@ bdb_ldif2db(Slapi_PBlock *pb) + /* always use "new" import code now */ + slapi_pblock_set(pb, SLAPI_BACKEND, inst->inst_be); + ret = bdb_back_ldif2db(pb); ++ if (task_flags & SLAPI_TASK_RUNNING_FROM_COMMANDLINE) { ++ dblayer_close(li, DBLAYER_IMPORT_MODE); ++ } + if (ret == 0) { + if (task_flags & SLAPI_TASK_RUNNING_FROM_COMMANDLINE) { + dblayer_import_file_update(inst); +-- +2.21.1 + diff --git a/SOURCES/0023-Issue-49254-Fix-compiler-failures-and-warnings.patch b/SOURCES/0023-Issue-49254-Fix-compiler-failures-and-warnings.patch new file mode 100644 index 0000000..b6a9ffa --- /dev/null 
+++ b/SOURCES/0023-Issue-49254-Fix-compiler-failures-and-warnings.patch 
@@ -0,0 +1,240 @@ +From 585d536de6927cf47ef817f541db392dfca4526b Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 22 Jan 2020 15:10:04 -0500 +Subject: [PATCH] Issue 49254 - Fix compiler failures and warnings + +Description: Fix issues with new gcc compiler flag "-fno-common", + and clean up doxygen warnings around libsds + +relates: https://pagure.io/389-ds-base/issue/49254 + +Reviewed by: mhonek, spichugi, and tbordaz (Thanks!!!) +--- + docs/slapi.doxy.in | 2 - + ldap/servers/plugins/acl/acl.c | 1 + + ldap/servers/plugins/acl/acl.h | 4 +- + ldap/servers/plugins/acl/acl_ext.c | 2 + + ldap/servers/slapd/result.c | 8 ++-- + ldap/servers/slapd/slap.h | 4 +- + ldap/servers/slapd/tools/ldclt/ldapfct.c | 2 +- + src/libsds/include/sds.h | 56 ++++++++++++++---------- + 8 files changed, 47 insertions(+), 32 deletions(-) + +diff --git a/docs/slapi.doxy.in b/docs/slapi.doxy.in +index 2cc2d5f47..b1e4810ab 100644 +--- a/docs/slapi.doxy.in ++++ b/docs/slapi.doxy.in +@@ -760,7 +760,6 @@ WARN_LOGFILE = + + INPUT = src/libsds/include/sds.h \ + docs/job-safety.md \ +- src/nunc-stans/include/nunc-stans.h + # ldap/servers/slapd/slapi-plugin.h \ + + # This tag can be used to specify the character encoding of the source files +@@ -1101,7 +1100,6 @@ HTML_EXTRA_STYLESHEET = docs/custom.css + + # HTML_EXTRA_FILES = docs/nunc-stans-intro.png \ + # docs/nunc-stans-job-states.png +-HTML_EXTRA_FILES = docs/nunc-stans-job-states.png + + # The HTML_COLORSTYLE_HUE tag controls the color of the HTML output. 
Doxygen + # will adjust the colors in the style sheet and background images according to +diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c +index 5680de669..41a909a18 100644 +--- a/ldap/servers/plugins/acl/acl.c ++++ b/ldap/servers/plugins/acl/acl.c +@@ -13,6 +13,7 @@ + + #include "acl.h" + ++ + /**************************************************************************** + * + * acl.c +diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h +index 5d453d825..becc7f920 100644 +--- a/ldap/servers/plugins/acl/acl.h ++++ b/ldap/servers/plugins/acl/acl.h +@@ -311,8 +311,8 @@ typedef struct aci + #define ATTR_ACLPB_MAX_SELECTED_ACLS "nsslapd-aclpb-max-selected-acls" + #define DEFAULT_ACLPB_MAX_SELECTED_ACLS 200 + +-int aclpb_max_selected_acls; /* initialized from plugin config entry */ +-int aclpb_max_cache_results; /* initialized from plugin config entry */ ++extern int aclpb_max_selected_acls; /* initialized from plugin config entry */ ++extern int aclpb_max_cache_results; /* initialized from plugin config entry */ + + typedef struct result_cache + { +diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c +index 31c61c2f4..797c5d2fd 100644 +--- a/ldap/servers/plugins/acl/acl_ext.c ++++ b/ldap/servers/plugins/acl/acl_ext.c +@@ -23,6 +23,8 @@ static int acl__put_aclpb_back_to_pool(Acl_PBlock *aclpb); + static Acl_PBlock *acl__malloc_aclpb(void); + static void acl__free_aclpb(Acl_PBlock **aclpb_ptr); + ++int aclpb_max_selected_acls = DEFAULT_ACLPB_MAX_SELECTED_ACLS; ++int aclpb_max_cache_results = DEFAULT_ACLPB_MAX_SELECTED_ACLS; + + struct acl_pbqueue + { +diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c +index 89f776716..0b13c30e9 100644 +--- a/ldap/servers/slapd/result.c ++++ b/ldap/servers/slapd/result.c +@@ -1954,9 +1954,11 @@ notes2str(unsigned int notes, char *buf, size_t buflen) + */ + buflen -= len; + p += len; +- /* Put in the end quote, then back track p. 
*/ +- *p++ = '"'; +- *p--; ++ /* ++ * Put in the end quote. If another snp_detail is append a comma ++ * will overwrite the quote. ++ */ ++ *(p + 1) = '"'; + } + } + +diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h +index d73e9aaae..44f6be97a 100644 +--- a/ldap/servers/slapd/slap.h ++++ b/ldap/servers/slapd/slap.h +@@ -935,7 +935,7 @@ enum + }; + + /* DataList definition */ +-struct datalist ++typedef struct datalist + { + void **elements; /* array of elements */ + int element_count; /* number of elements in the array */ +@@ -1737,7 +1737,7 @@ typedef struct conn + * * Online tasks interface (to support import, export, etc) + * * After some cleanup, we could consider making these public. + * */ +-struct slapi_task ++typedef struct slapi_task + { + struct slapi_task *next; + char *task_dn; +diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c b/ldap/servers/slapd/tools/ldclt/ldapfct.c +index ca0912d6c..dbfc553d3 100644 +--- a/ldap/servers/slapd/tools/ldclt/ldapfct.c ++++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c +@@ -698,7 +698,7 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const char *bufPass + } + if (mode & VERY_VERBOSE) + printf("ldclt[%d]: T%03d: Before ldap_simple_bind_s (%s, %s)\n", +- mctx.pid, thrdNum, binddn, ++ mctx.pid, thrdNum, binddn ? binddn : "Anonymous", + passwd ? passwd : "NO PASSWORD PROVIDED"); + ret = ldap_sasl_bind_s(ld, binddn, + LDAP_SASL_SIMPLE, &cred, NULL, NULL, &servercredp); /*JLS 05-01-01*/ +diff --git a/src/libsds/include/sds.h b/src/libsds/include/sds.h +index c649c036d..3f0dd8684 100644 +--- a/src/libsds/include/sds.h ++++ b/src/libsds/include/sds.h +@@ -221,13 +221,13 @@ void sds_free(void *ptr); + * sds_crc32c uses the crc32c algorithm to create a verification checksum of data. + * This checksum is for data verification, not cryptographic purposes. 
It is used + * largely in debugging to find cases when bytes in structures are updated incorrectly, +- * or to find memory bit flips during operation. If avaliable, this will use the ++ * or to find memory bit flips during operation. If available, this will use the + * intel sse4 crc32c hardware acceleration. + * + * \param crc The running CRC value. Initially should be 0. If in doubt, use 0. + * \param data Pointer to the data to checksum. + * \param length number of bytes to validate. +- * \retval crc The crc of this data. May be re-used in subsequent sds_crc32c calls ++ * \retval rcrc The crc of this data. May be re-used in subsequent sds_crc32c calls + * for certain datatypes. + */ + uint32_t sds_crc32c(uint32_t crc, const unsigned char *data, size_t length); +@@ -1356,48 +1356,60 @@ typedef enum _sds_ht_slot_state { + SDS_HT_BRANCH = 2, + } sds_ht_slot_state; + ++/** ++ * ht values ++ */ + typedef struct _sds_ht_value + { +- uint32_t checksum; +- void *key; +- void *value; ++ uint32_t checksum; /**< the checksum */ ++ void *key; /**< the key */ ++ void *value; /**< the key value */ + // may make this a LL of values later for collisions + } sds_ht_value; + ++/** ++ * ht slot ++ */ + typedef struct _sds_ht_slot + { +- sds_ht_slot_state state; ++ sds_ht_slot_state state; /**< the checksum */ + union + { + sds_ht_value *value; + struct _sds_ht_node *node; +- } slot; ++ } slot; /**< slot union */ + } sds_ht_slot; + ++/** ++ * ht node ++ */ + typedef struct _sds_ht_node + { +- uint32_t checksum; +- uint64_t txn_id; +- uint_fast32_t count; ++ uint32_t checksum; /**< the checksum */ ++ uint64_t txn_id; /**< transaction id */ ++ uint_fast32_t count; /**< the count */ + #ifdef SDS_DEBUG + uint64_t depth; + #endif +- struct _sds_ht_node *parent; +- size_t parent_slot; +- sds_ht_slot slots[HT_SLOTS]; ++ struct _sds_ht_node *parent; /**< the parent */ ++ size_t parent_slot; /**< the parent slot */ ++ sds_ht_slot slots[HT_SLOTS]; /**< the slots */ + } sds_ht_node; + ++/** 
++ * ht instance ++ */ + typedef struct _sds_ht_instance + { +- uint32_t checksum; +- char hkey[16]; +- sds_ht_node *root; +- int64_t (*key_cmp_fn)(void *a, void *b); +- uint64_t (*key_size_fn)(void *key); +- void *(*key_dup_fn)(void *key); +- void (*key_free_fn)(void *key); +- void *(*value_dup_fn)(void *value); +- void (*value_free_fn)(void *value); ++ uint32_t checksum; /**< the checksum */ ++ char hkey[16]; /**< the key */ ++ sds_ht_node *root; /**< the root */ ++ int64_t (*key_cmp_fn)(void *a, void *b); /**< the keycompare function */ ++ uint64_t (*key_size_fn)(void *key); /**< the key size function */ ++ void *(*key_dup_fn)(void *key); /**< the key dup function */ ++ void (*key_free_fn)(void *key); /**< the key free function */ ++ void *(*value_dup_fn)(void *value); /**< the value dup function */ ++ void (*value_free_fn)(void *value); /**< the value free function */ + } sds_ht_instance; + + uint64_t sds_uint64_t_size(void *key); +-- +2.21.1 + diff --git a/SOURCES/0024-Issue-49990-Need-to-enforce-a-hard-maximum-limit-for.patch b/SOURCES/0024-Issue-49990-Need-to-enforce-a-hard-maximum-limit-for.patch new file mode 100644 index 0000000..74a41a9 --- /dev/null +++ b/SOURCES/0024-Issue-49990-Need-to-enforce-a-hard-maximum-limit-for.patch 
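Review bot: In the `notes2str` change in ldap/servers/slapd/result.c, the replacement `*(p + 1) = '"';` stores the closing quote one byte further along than the lines it replaces, since `*p++ = '"'; *p--;` wrote the quote at `p` and left `p` where it was. The byte at `p` is now left untouched and the quote lands at `p + 1`, a position the preceding `buflen -= len; p += len;` bookkeeping has not accounted for, so the quote may end up behind a terminator or, with a nearly full buffer, beyond the checked length. If the aim was only to silence the unused-value warning, `*p = '"';` keeps the earlier behaviour. The rest of `notes2str`, including how `buflen` is checked, is outside the hunk, so this should be confirmed against the full function.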
@@ -0,0 +1,71 @@ +From 34c90ca8448890a439aa4282025955b0dfcfb1c3 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Thu, 23 Jan 2020 14:38:13 -0500 +Subject: [PATCH 01/12] Issue 49990 - Need to enforce a hard maximum limit for + file descriptors + +Description: on some platforms the maximum FD limit is high it can cause + a OOM at server startup. So we need to add a hard maximum + limit. + +relates: https://pagure.io/389-ds-base/issue/49990 + +Reviewed by: firstyear & tbordaz (Thanks!!) +--- + ldap/servers/slapd/libglobs.c | 10 +++++++--- + ldap/servers/slapd/slap.h | 4 ++-- + 2 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c +index 66170ebc6..348de43cd 100644 +--- a/ldap/servers/slapd/libglobs.c ++++ b/ldap/servers/slapd/libglobs.c +@@ -1559,7 +1559,9 @@ FrontendConfig_init(void) + #endif + /* Default the maximum fd's to the maximum allowed */ + if (getrlimit(RLIMIT_NOFILE, &rlp) == 0) { +- maxdescriptors = (int64_t)rlp.rlim_max; ++ if ((int64_t)rlp.rlim_max < SLAPD_DEFAULT_MAXDESCRIPTORS) { ++ maxdescriptors = (int64_t)rlp.rlim_max; ++ } + } + + /* Take the lock to make sure we barrier correctly. 
*/ +@@ -4324,7 +4326,7 @@ config_set_maxdescriptors(const char *attrname, char *value, char *errorbuf, int + { + int32_t retVal = LDAP_SUCCESS; + int64_t nValue = 0; +- int64_t maxVal = 524288; ++ int64_t maxVal = SLAPD_DEFAULT_MAXDESCRIPTORS; + struct rlimit rlp; + char *endp = NULL; + +@@ -4335,7 +4337,9 @@ config_set_maxdescriptors(const char *attrname, char *value, char *errorbuf, int + } + + if (0 == getrlimit(RLIMIT_NOFILE, &rlp)) { +- maxVal = (int)rlp.rlim_max; ++ if ((int64_t)rlp.rlim_max < maxVal) { ++ maxVal = (int64_t)rlp.rlim_max; ++ } + } + + errno = 0; +diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h +index 44f6be97a..96ce7d402 100644 +--- a/ldap/servers/slapd/slap.h ++++ b/ldap/servers/slapd/slap.h +@@ -348,8 +348,8 @@ typedef void (*VFPV)(); /* takes undefined arguments */ + + #define SLAPD_DEFAULT_PAGEDSIZELIMIT 0 + #define SLAPD_DEFAULT_PAGEDSIZELIMIT_STR "0" +-#define SLAPD_DEFAULT_MAXDESCRIPTORS 8192 +-#define SLAPD_DEFAULT_MAXDESCRIPTORS_STR "8192" ++#define SLAPD_DEFAULT_MAXDESCRIPTORS 1048576 ++#define SLAPD_DEFAULT_MAXDESCRIPTORS_STR "1048576" + #define SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL 40 + #define SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL_STR "40" + #define SLAPD_DEFAULT_GROUPEVALNESTLEVEL 0 +-- +2.21.1 + diff --git a/SOURCES/0025-Issue-50850-Fix-dsctl-healthcheck-for-python36.patch b/SOURCES/0025-Issue-50850-Fix-dsctl-healthcheck-for-python36.patch new file mode 100644 index 0000000..6dab88e --- /dev/null +++ b/SOURCES/0025-Issue-50850-Fix-dsctl-healthcheck-for-python36.patch 
@@ -0,0 +1,43 @@ +From b941befe083a02ed0e4d5bc6c3c50f1a82f04012 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Thu, 23 Jan 2020 12:22:21 -0500 +Subject: [PATCH] Issue 50850 - Fix dsctl healthcheck for python36 + +Description: dsctl health check, specifically the certificate expiring + checks, were using python37 specific functions, but these + do not work on python36. Needed to replace fromisoformat() + with something more portable. + +relates: https://pagure.io/389-ds-base/issue/50850 + +Reviewed by: firstyear(Thanks!) +--- + src/lib389/lib389/nss_ssl.py | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/lib389/lib389/nss_ssl.py b/src/lib389/lib389/nss_ssl.py +index 2a7d1637c..41b19caa4 100644 +--- a/src/lib389/lib389/nss_ssl.py ++++ b/src/lib389/lib389/nss_ssl.py +@@ -79,13 +79,15 @@ class NssSsl(object): + cert_list.append(self.get_cert_details(cert[0])) + + for cert in cert_list: +- if date.fromisoformat(cert[3].split()[0]) - date.today() < timedelta(days=0): ++ cert_date = cert[3].split()[0] ++ diff_date = datetime.strptime(cert_date, '%Y-%m-%d').date() - datetime.today().date() ++ if diff_date < timedelta(days=0): + # Expired + report = copy.deepcopy(DSCERTLE0002) + report['detail'] = report['detail'].replace('CERT', cert[0]) + yield report +- elif date.fromisoformat(cert[3].split()[0]) - date.today() < timedelta(days=30): +- # Expiring ++ elif diff_date < timedelta(days=30): ++ # Expiring within 30 days + report = copy.deepcopy(DSCERTLE0001) + report['detail'] = report['detail'].replace('CERT', cert[0]) + yield report +-- +2.21.1 + diff --git a/SOURCES/0026-Ticket-49624-cont-DB-Deadlock-on-modrdn-appears-to-c.patch b/SOURCES/0026-Ticket-49624-cont-DB-Deadlock-on-modrdn-appears-to-c.patch new file mode 100644 index 0000000..d32c476 --- /dev/null +++ b/SOURCES/0026-Ticket-49624-cont-DB-Deadlock-on-modrdn-appears-to-c.patch 
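Review bot: The new `diff_date` keeps only the date part of `cert[3]` and compares it with the local `datetime.today().date()`, so a certificate whose validity ended earlier on the current day gives a difference of zero and is reported as DSCERTLE0001 (expiring) rather than DSCERTLE0002 (expired). If that is intended, a comment would make it explicit, for example `# date-only comparison in local time: a cert that expired earlier today is still reported as expiring`. A value in `cert[3]` that does not match `'%Y-%m-%d'` raises ValueError from inside the generator and stops the remaining checks; whether `get_cert_details` can return such a value is not visible here. The loop belongs to a method whose start is outside the hunk.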
@@ -0,0 +1,177 @@ +From f9c0ae9e0c143359ef12c8f5ae3070e34afd5495 Mon Sep 17 00:00:00 2001 +From: Ludwig Krispenz +Date: Wed, 15 Jan 2020 13:40:36 +0100 +Subject: [PATCH] Ticket 49624 cont - DB Deadlock on modrdn appears to corrupt + database and entry cache + +Bug: If there are deadlocks a transaction will be retried. In the case + of modrdn operation there is an error in handling the newsuperior + dn, which has to be reset when the txn is repeated. + There is also an error in freeing the entry stored in the pblock which can + lead to a double free + There is also a memory leak for ec entries + +Fix: check if the newsuperior in the pblock was changed before the retry and + only then free and reset it. + check and protect pblock entry from double free + remove ec entry from cache + fix the txn_test_thread to run + + There is also a message at shutdown that entries remain in the entry cache + although no leaks are reported and a hash dump didn't show entries. + Change log level to avoid confusion + +Reviewed by: Thierry, William, Viktor - Thanks +--- + ldap/servers/slapd/back-ldbm/cache.c | 2 +- + .../slapd/back-ldbm/db-bdb/bdb_layer.c | 2 +- + ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 60 +++++++++++++------ + 3 files changed, 45 insertions(+), 19 deletions(-) + +diff --git a/ldap/servers/slapd/back-ldbm/cache.c b/ldap/servers/slapd/back-ldbm/cache.c +index a03cdaa83..89f958a35 100644 +--- a/ldap/servers/slapd/back-ldbm/cache.c ++++ b/ldap/servers/slapd/back-ldbm/cache.c +@@ -723,7 +723,7 @@ entrycache_clear_int(struct cache *cache) + } + cache->c_maxsize = size; + if (cache->c_curentries > 0) { +- slapi_log_err(SLAPI_LOG_WARNING, ++ slapi_log_err(SLAPI_LOG_CACHE, + "entrycache_clear_int", "There are still %" PRIu64 " entries " + "in the entry cache.\n", + cache->c_curentries); +diff --git a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c +index 5a6a2a2e5..36bf42dab 100644 +--- 
a/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c ++++ b/ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c +@@ -3064,7 +3064,7 @@ txn_test_threadmain(void *param) + + txn_test_init_cfg(&cfg); + +- if(BDB_CONFIG(li)->bdb_enable_transactions) { ++ if(!BDB_CONFIG(li)->bdb_enable_transactions) { + goto end; + } + +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c +index 433ed88fb..26698012a 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c +@@ -67,6 +67,7 @@ ldbm_back_modrdn(Slapi_PBlock *pb) + Slapi_DN *dn_newsuperiordn = NULL; + Slapi_DN dn_parentdn; + Slapi_DN *orig_dn_newsuperiordn = NULL; ++ Slapi_DN *pb_dn_newsuperiordn = NULL; /* used to check what is currently in the pblock */ + Slapi_Entry *target_entry = NULL; + Slapi_Entry *original_targetentry = NULL; + int rc; +@@ -248,30 +249,45 @@ ldbm_back_modrdn(Slapi_PBlock *pb) + slapi_sdn_set_dn_byref(&dn_newrdn, original_newrdn); + original_newrdn = slapi_ch_strdup(original_newrdn); + +- slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &dn_newsuperiordn); +- slapi_sdn_free(&dn_newsuperiordn); +- slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, orig_dn_newsuperiordn); +- dn_newsuperiordn = slapi_sdn_dup(orig_dn_newsuperiordn); ++ /* we need to restart with the original newsuperiordn which could have ++ * been modified. So check what is in the pblock, if it was changed ++ * free it, reset orig dn in th epblock and recreate a working superior ++ */ ++ slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &pb_dn_newsuperiordn); ++ if (pb_dn_newsuperiordn != orig_dn_newsuperiordn) { ++ slapi_sdn_free(&pb_dn_newsuperiordn); ++ slapi_pblock_set(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, orig_dn_newsuperiordn); ++ dn_newsuperiordn = slapi_sdn_dup(orig_dn_newsuperiordn); ++ } + /* must duplicate ec before returning it to cache, + * which could free the entry. */ +- if ((tmpentry = backentry_dup(original_entry ? 
original_entry : ec)) == NULL) { ++ if (!original_entry) { ++ slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_modrdn", ++ "retrying transaction, but no original entry found\n"); ++ ldap_result_code = LDAP_OPERATIONS_ERROR; ++ goto error_return; ++ } ++ if ((tmpentry = backentry_dup(original_entry)) == NULL) { + ldap_result_code = LDAP_OPERATIONS_ERROR; + goto error_return; + } + slapi_pblock_get(pb, SLAPI_MODRDN_EXISTING_ENTRY, &ent); + if (cache_is_in_cache(&inst->inst_cache, ec)) { + CACHE_REMOVE(&inst->inst_cache, ec); +- if (ent && (ent == ec->ep_entry)) { +- /* +- * On a retry, it's possible that ec is now stored in the +- * pblock as SLAPI_MODRDN_EXISTING_ENTRY. "ec" will be freed +- * by CACHE_RETURN below, so set ent to NULL so don't free +- * it again. +- */ +- ent = NULL; +- } ++ } ++ if (ent && (ent == ec->ep_entry)) { ++ /* ++ * On a retry, it's possible that ec is now stored in the ++ * pblock as SLAPI_MODRDN_EXISTING_ENTRY. "ec" will be freed ++ * by CACHE_RETURN below, so set ent to NULL so don't free ++ * it again. ++ * And it needs to be checked always. ++ */ ++ ent = NULL; + } + CACHE_RETURN(&inst->inst_cache, &ec); ++ ++ /* LK why do we need this ????? 
*/ + if (!cache_is_in_cache(&inst->inst_cache, e)) { + if (CACHE_ADD(&inst->inst_cache, e, NULL) < 0) { + slapi_log_err(SLAPI_LOG_CACHE, +@@ -1087,8 +1103,9 @@ ldbm_back_modrdn(Slapi_PBlock *pb) + if (slapi_sdn_get_dn(dn_newsuperiordn) != NULL) { + retval = ldbm_ancestorid_move_subtree(be, sdn, &dn_newdn, e->ep_id, children, &txn); + if (retval != 0) { +- if (retval == DB_LOCK_DEADLOCK) ++ if (retval == DB_LOCK_DEADLOCK) { + continue; ++ } + if (retval == DB_RUNRECOVERY || LDBM_OS_ERR_IS_DISKFULL(retval)) + disk_full = 1; + MOD_SET_ERROR(ldap_result_code, +@@ -1108,8 +1125,9 @@ ldbm_back_modrdn(Slapi_PBlock *pb) + e->ep_id, &txn, is_tombstone); + slapi_rdn_done(&newsrdn); + if (retval != 0) { +- if (retval == DB_LOCK_DEADLOCK) ++ if (retval == DB_LOCK_DEADLOCK) { + continue; ++ } + if (retval == DB_RUNRECOVERY || LDBM_OS_ERR_IS_DISKFULL(retval)) + disk_full = 1; + MOD_SET_ERROR(ldap_result_code, LDAP_OPERATIONS_ERROR, retry_count); +@@ -1500,7 +1518,12 @@ common_return: + done_with_pblock_entry(pb, SLAPI_MODRDN_NEWPARENT_ENTRY); + done_with_pblock_entry(pb, SLAPI_MODRDN_TARGET_ENTRY); + slapi_ch_free_string(&original_newrdn); +- slapi_sdn_free(&orig_dn_newsuperiordn); ++ slapi_pblock_get(pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &pb_dn_newsuperiordn); ++ if (pb_dn_newsuperiordn != orig_dn_newsuperiordn) { ++ slapi_sdn_free(&orig_dn_newsuperiordn); ++ } else { ++ slapi_sdn_free(&dn_newsuperiordn); ++ } + backentry_free(&original_entry); + backentry_free(&tmpentry); + slapi_entry_free(original_targetentry); +@@ -1561,6 +1584,9 @@ moddn_unlock_and_return_entry( + /* Something bad happened so we should give back all the entries */ + if (*targetentry != NULL) { + cache_unlock_entry(&inst->inst_cache, *targetentry); ++ if (cache_is_in_cache(&inst->inst_cache, *targetentry)) { ++ CACHE_REMOVE(&inst->inst_cache, *targetentry); ++ } + CACHE_RETURN(&inst->inst_cache, targetentry); + *targetentry = NULL; + } +-- +2.21.1 + 
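Review bot: In the retry path of `ldbm_back_modrdn`, the test `if (ent && (ent == ec->ep_entry))` has been moved out of the `cache_is_in_cache(&inst->inst_cache, ec)` block and now dereferences `ec` on every retry. Whether `ec` can still be NULL when a deadlock forces a retry is not visible in the hunk; if it can, `if (ent && ec && (ent == ec->ep_entry))` keeps the double-free protection without the dereference. The added comment `/* LK why do we need this ????? */` records an open question rather than an explanation, and would be better replaced by a sentence stating why `e` is put back into the cache. The function body starts and ends outside the hunk.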
diff --git a/SOURCES/0027-Issue-50823-dsctl-doesn-t-work-with-slapd-in-the-ins.patch b/SOURCES/0027-Issue-50823-dsctl-doesn-t-work-with-slapd-in-the-ins.patch
new file mode 100644
index 0000000..3585345
--- /dev/null
+++ b/SOURCES/0027-Issue-50823-dsctl-doesn-t-work-with-slapd-in-the-ins.patch
@@ -0,0 +1,55 @@ +From 442b49cc1a0d93122fa749363b5930f3acf2eaf0 Mon Sep 17 00:00:00 2001 +From: Matus Honek +Date: Wed, 29 Jan 2020 14:06:04 +0000 +Subject: [PATCH] Issue 50823 - dsctl doesn't work with 'slapd-' in the + instance name + +Bug Description: +DirSrv.list drops all occurrences of 'slapd-' within a serverid +rendering names containing it damaged. + +Fix Description: +Remove only the first occurrence of 'slapd-' in the serverid, which is +the prefix that is expected to be removed. + +Fixes https://pagure.io/389-ds-base/issue/50823 + +Author: Matus Honek + +Review by: Mark, William (thanks!) + +(cherry picked from commit 52930da0bb8abe94a56ff6dca5ea57347d3461a9) +--- + src/lib389/lib389/__init__.py | 2 +- + src/lib389/lib389/instance/setup.py | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/lib389/lib389/__init__.py b/src/lib389/lib389/__init__.py +index 0d1ab5747..003b686fa 100644 +--- a/src/lib389/lib389/__init__.py ++++ b/src/lib389/lib389/__init__.py +@@ -711,7 +711,7 @@ class DirSrv(SimpleLDAPObject, object): + if serverid is None and hasattr(self, 'serverid'): + serverid = self.serverid + elif serverid is not None: +- serverid = serverid.replace('slapd-', '') ++ serverid = serverid.replace('slapd-', '', 1) + + if self.serverid is None: + # Need to set the Paths in case it does exist +diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py +index 61ffc32ee..c6bb4fcdc 100644 +--- a/src/lib389/lib389/instance/setup.py ++++ b/src/lib389/lib389/instance/setup.py +@@ -219,7 +219,7 @@ class SetupDs(object): + insts = inst.list(serverid=serverid) + + if len(insts) != 1: +- log.error("No such instance to remove {}".format(serverid)) ++ self.log.error("No such instance to remove {}".format(serverid)) + return + inst.allocate(insts[0]) + remove_ds_instance(inst, force=True) +-- +2.21.1 + 
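Review bot: `serverid.replace('slapd-', '', 1)` in `DirSrv.list` removes the first occurrence wherever it sits, so a serverid passed without the prefix but containing the string, such as the constructed example `test-slapd-1`, still comes out altered as `test-1`. Stripping only a leading prefix matches the intent stated in the description: `if serverid.startswith('slapd-'): serverid = serverid[len('slapd-'):]`. The enclosing method continues outside the hunk.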
diff --git a/SOURCES/0028-Ticket-50857-Memory-leak-in-ACI-using-IP-subject.patch b/SOURCES/0028-Ticket-50857-Memory-leak-in-ACI-using-IP-subject.patch new file mode 100644 index 0000000..dd6abd8 --- /dev/null +++ b/SOURCES/0028-Ticket-50857-Memory-leak-in-ACI-using-IP-subject.patch @@ -0,0 +1,43 @@ +From c804325a9e06b4fabbd456b618db1417a12c135d Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Mon, 27 Jan 2020 13:49:37 +0100 +Subject: [PATCH] Ticket 50857 - Memory leak in ACI using IP subject + +Bug Description: + When a ACI is evaluated (LASIpEval) a context (cookie) is allocated. + At the end of the connection, the context is freed + via a callback (LASIpFlush). + The context contains two LASIpTree_t tree (ipv4 and ipv6) + In free callback, only ipv4 tree is freed + +Fix Description: + Free ipv6 tree in LASIpTree + +https://pagure.io/389-ds-base/issue/50857 + +Reviewed by: Mark Reynolds + +Platforms tested: F31 + +Flag Day: no + +Doc impact: no +--- + lib/libaccess/lasip.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/libaccess/lasip.cpp b/lib/libaccess/lasip.cpp +index 30c546df7..cdb88eec5 100644 +--- a/lib/libaccess/lasip.cpp ++++ b/lib/libaccess/lasip.cpp +@@ -436,6 +436,7 @@ LASIpFlush(void **las_cookie) + return; + + LASIpTreeDealloc(((LASIpContext_t *)*las_cookie)->treetop); ++ LASIpTreeDealloc(((LASIpContext_t *)*las_cookie)->treetop_ipv6); + PERM_FREE(*las_cookie); + *las_cookie = NULL; + return; +-- +2.21.1 + diff --git a/SOURCES/0029-Issue-50873-Fix-issues-with-healthcheck-tool.patch b/SOURCES/0029-Issue-50873-Fix-issues-with-healthcheck-tool.patch new file mode 100644 index 0000000..de46a68 --- /dev/null +++ b/SOURCES/0029-Issue-50873-Fix-issues-with-healthcheck-tool.patch 
@@ -0,0 +1,79 @@ +From 717ce8b3b50c7a92cc269836a88c3015d1786120 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 31 Jan 2020 16:36:28 -0500 +Subject: [PATCH] Issue 50873 - Fix issues with healthcheck tool + +Description: + +- Wrong error code reported with result for backend check + +- Disk Space Monitor check crashes because it is missing "import copy" + +- On a non-LDAPI instance "dsctl healthcheck" does not prompt for bind dn, only for password. + +relates: https://pagure.io/389-ds-base/issue/50873 + +Reviewed by: firstyear(Thanks!) +--- + src/lib389/lib389/cli_base/__init__.py | 16 ++++++++++------ + src/lib389/lib389/lint.py | 2 +- + src/lib389/lib389/monitor.py | 1 + + 3 files changed, 12 insertions(+), 7 deletions(-) + +diff --git a/src/lib389/lib389/cli_base/__init__.py b/src/lib389/lib389/cli_base/__init__.py +index e2e6c902a..7dd45b373 100644 +--- a/src/lib389/lib389/cli_base/__init__.py ++++ b/src/lib389/lib389/cli_base/__init__.py +@@ -129,14 +129,18 @@ def connect_instance(dsrc_inst, verbose, args): + # No password or we chose to prompt + dsargs[SER_ROOT_PW] = getpass("Enter password for {} on {}: ".format(dsrc_inst['binddn'], dsrc_inst['uri'])) + elif not ds.can_autobind(): +- # No LDAPI, prompt for password ++ # No LDAPI, prompt for password, and bind DN if necessary ++ if dsrc_inst['binddn'] is None: ++ dn = "" ++ while dn == "": ++ dn = input("Enter Bind DN: ") ++ dsrc_inst['binddn'] = dn + dsargs[SER_ROOT_PW] = getpass("Enter password for {} on {}: ".format(dsrc_inst['binddn'], dsrc_inst['uri'])) + +- if 'binddn' in dsrc_inst: +- # Allocate is an awful interface that we should stop using, but for now +- # just directly map the dsrc_inst args in (remember, dsrc_inst DOES +- # overlay cli args into the map ...) +- dsargs[SER_ROOT_DN] = dsrc_inst['binddn'] ++ # Allocate is an awful interface that we should stop using, but for now ++ # just directly map the dsrc_inst args in (remember, dsrc_inst DOES ++ # overlay cli args into the map ...) 
++ dsargs[SER_ROOT_DN] = dsrc_inst['binddn'] + + ds = DirSrv(verbose=verbose) + ds.allocate(dsargs) +diff --git a/src/lib389/lib389/lint.py b/src/lib389/lib389/lint.py +index 736dffa14..68b729674 100644 +--- a/src/lib389/lib389/lint.py ++++ b/src/lib389/lib389/lint.py +@@ -47,7 +47,7 @@ DSBLE0002 = { + } + + DSBLE0003 = { +- 'dsle': 'DSBLE0002', ++ 'dsle': 'DSBLE0003', + 'severity': 'LOW', + 'items' : [], + 'detail' : """The backend database has not been initialized yet""", +diff --git a/src/lib389/lib389/monitor.py b/src/lib389/lib389/monitor.py +index 290cad5e2..d6413de98 100644 +--- a/src/lib389/lib389/monitor.py ++++ b/src/lib389/lib389/monitor.py +@@ -6,6 +6,7 @@ + # See LICENSE for details. + # --- END COPYRIGHT BLOCK --- + ++import copy + from lib389._constants import * + from lib389._mapped_object import DSLdapObject + from lib389.utils import (ds_is_older) +-- +2.21.1 + diff --git a/SOURCES/0030-Issue-50873-Fix-healthcheck-and-virtual-attr-check.patch b/SOURCES/0030-Issue-50873-Fix-healthcheck-and-virtual-attr-check.patch new file mode 100644 index 0000000..60d80ae --- /dev/null +++ b/SOURCES/0030-Issue-50873-Fix-healthcheck-and-virtual-attr-check.patch 
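Review bot: In `connect_instance`, the guard `if 'binddn' in dsrc_inst:` is removed and `dsargs[SER_ROOT_DN] = dsrc_inst['binddn']` now runs on every path, while the new bind DN prompt is reached only in the `elif not ds.can_autobind()` branch. On the other paths a missing key would raise KeyError and a `None` value is stored as the root DN; whether `dsrc_inst` always carries the key is decided outside the hunk. Reading it once with `binddn = dsrc_inst.get('binddn')` and setting `dsargs[SER_ROOT_DN]` only when it is not None would keep the earlier behaviour for the autobind case.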
@@ -0,0 +1,30 @@ +From 8c7b89bb2a1e25041e339e9e6092f031ac26d585 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 5 Feb 2020 09:48:15 -0500 +Subject: [PATCH] Issue 50873 - Fix healthcheck and virtual attr check + +Description: Used the wrong DN to lookup COS definitions + +relates: https://pagure.io/389-ds-base/issue/50873 + +Reviewed by: mreynolds (one line commit rule) +--- + src/lib389/lib389/backend.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/lib389/lib389/backend.py b/src/lib389/lib389/backend.py +index ac2af021c..86ee33e6e 100644 +--- a/src/lib389/lib389/backend.py ++++ b/src/lib389/lib389/backend.py +@@ -438,7 +438,7 @@ class Backend(DSLdapObject): + + # Check COS next + for cosDefType in [CosIndirectDefinitions, CosPointerDefinitions, CosClassicDefinitions]: +- defs = cosDefType(self._instance, self._dn).list() ++ defs = cosDefType(self._instance, suffix).list() + for cosDef in defs: + attrs = cosDef.get_attr_val_utf8_l("cosAttribute").split() + for attr in attrs: +-- +2.21.1 + diff --git a/SOURCES/0031-Issue-50886-Typo-in-the-replication-debug-message.patch b/SOURCES/0031-Issue-50886-Typo-in-the-replication-debug-message.patch new file mode 100644 index 0000000..abff5ad --- /dev/null +++ b/SOURCES/0031-Issue-50886-Typo-in-the-replication-debug-message.patch 
@@ -0,0 +1,30 @@
+From 339a719a4049cd1b9368af1946647227ddf15390 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Thu, 6 Feb 2020 14:38:04 -0500
+Subject: [PATCH] Issue 50886 - Typo in the replication debug message
+
+Description: Fix typo in replication logging message
+
+relates: https://pagure.io/389-ds-base/issue/50886
+
+Reviewed by: mreynolds (one line commit rule)
+---
+ ldap/servers/plugins/replication/repl5_plugins.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c
+index e6b2fdb6e..caa99d1c6 100644
+--- a/ldap/servers/plugins/replication/repl5_plugins.c
++++ b/ldap/servers/plugins/replication/repl5_plugins.c
+@@ -622,7 +622,7 @@ multimaster_mmr_postop (Slapi_PBlock *pb, int flags)
+ break;
+ }
+ slapi_log_err(SLAPI_LOG_REPL, REPLICATION_SUBSYSTEM,
+- "multimaster_mmr_postop - error %d for oparation %d.\n", rc, flags);
++ "multimaster_mmr_postop - error %d for operation %d.\n", rc, flags);
+ return rc;
+ }
+
+--
+2.21.1
+
diff --git a/SOURCES/0032-Issue-50882-Fix-healthcheck-errors-for-instances-tha.patch b/SOURCES/0032-Issue-50882-Fix-healthcheck-errors-for-instances-tha.patch
new file mode 100644
index 0000000..6fb81c4
--- /dev/null
+++ b/SOURCES/0032-Issue-50882-Fix-healthcheck-errors-for-instances-tha.patch
@@ -0,0 +1,97 @@
+From 7130e7595ee5e919558a143e64fb08cab1e3d45d Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Thu, 6 Feb 2020 15:30:42 -0500
+Subject: [PATCH] Issue 50882 - Fix healthcheck errors for instances that do
+ not have TLS enabled
+
+Bug Description: The config and FSChecks fail when TLS is not setup
+
+Fix Description: Properly check for conditions when TLS is not enabled,
+ and ignore errors if TLS related files are not present
+ during the FS permissions check.
+
+relates: https://pagure.io/389-ds-base/issue/50882
+
+Reviewed by: firstyear(thanks!)
+---
+ src/lib389/lib389/config.py | 2 +-
+ src/lib389/lib389/dseldif.py | 23 +++++++++++++----------
+ src/lib389/lib389/lint.py | 3 +--
+ src/lib389/lib389/nss_ssl.py | 3 +++
+ 4 files changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/src/lib389/lib389/config.py b/src/lib389/lib389/config.py
+index f71baf2d8..268b99c90 100644
+--- a/src/lib389/lib389/config.py
++++ b/src/lib389/lib389/config.py
+@@ -238,7 +238,7 @@ class Encryption(DSLdapObject):
+
+ def _lint_check_tls_version(self):
+ tls_min = self.get_attr_val('sslVersionMin')
+- if tls_min < ensure_bytes('TLS1.1'):
++ if tls_min is not None and tls_min < ensure_bytes('TLS1.1'):
+ report = copy.deepcopy(DSELE0001)
+ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid)
+ yield report
+diff --git a/src/lib389/lib389/dseldif.py b/src/lib389/lib389/dseldif.py
+index fbb50623b..716dd46e9 100644
+--- a/src/lib389/lib389/dseldif.py
++++ b/src/lib389/lib389/dseldif.py
+@@ -200,13 +200,16 @@ class FSChecks(object):
+ """Test file permissions are safe
+ """
+ for ds_file in self.ds_files:
+- perms = int(oct(os.stat(ds_file['name'])[ST_MODE])[-3:])
+- if perms not in ds_file['perms']:
+- perms = str(ds_file['perms'][0])
+- report = copy.deepcopy(ds_file['report'])
+- report['items'].append(ds_file['name'])
+- report['detail'] = report['detail'].replace('FILE', ds_file['name'])
+- report['detail'] = report['detail'].replace('PERMS', perms)
+- report['fix'] = report['fix'].replace('FILE', ds_file['name'])
+- report['fix'] = report['fix'].replace('PERMS', perms)
+- yield report
++ try:
++ perms = int(oct(os.stat(ds_file['name'])[ST_MODE])[-3:])
++ if perms not in ds_file['perms']:
++ perms = str(ds_file['perms'][0])
++ report = copy.deepcopy(ds_file['report'])
++ report['items'].append(ds_file['name'])
++ report['detail'] = report['detail'].replace('FILE', ds_file['name'])
++ report['detail'] = report['detail'].replace('PERMS', perms)
++ report['fix'] = report['fix'].replace('FILE', ds_file['name'])
++ report['fix'] = report['fix'].replace('PERMS', perms)
++ yield report
++ except FileNotFoundError:
++ pass
+diff --git a/src/lib389/lib389/lint.py b/src/lib389/lib389/lint.py
+index 68b729674..742058fa1 100644
+--- a/src/lib389/lib389/lint.py
++++ b/src/lib389/lib389/lint.py
+@@ -224,8 +224,7 @@ DSREPLLE0002 = {
+ 'dsle': 'DSREPLLE0002',
+ 'severity': 'LOW',
+ 'items' : ['Replication', 'Conflict Entries'],
+- 'detail': """There were COUNT conflict entries found under the replication suffix "SUFFIX".
+-Status message: MSG""",
++ 'detail': "There were COUNT conflict entries found under the replication suffix \"SUFFIX\".",
+ 'fix' : """While conflict entries are expected to occur in an MMR environment, they
+ should be resolved. In regards to conflict entries there is always the original/counterpart
+ entry that has a normal DN, and then the conflict version of that entry. Technically both
+diff --git a/src/lib389/lib389/nss_ssl.py b/src/lib389/lib389/nss_ssl.py
+index 41b19caa4..c64f158d5 100644
+--- a/src/lib389/lib389/nss_ssl.py
++++ b/src/lib389/lib389/nss_ssl.py
+@@ -394,6 +394,9 @@ only.
+ for line in lines:
+ if line == '':
+ continue
++ if line == 'Database needs user init':
++ # There are no certs, abort...
++ return []
+ cert_values.append(re.match(r'^(.+[^\s])[\s]+([^\s]+)$', line.rstrip()).groups())
+ return cert_values
+
+--
+2.21.1
+
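Review bot: In the `FSChecks` permission loop the new `try` wraps the whole report-building body although only `os.stat()` can raise `FileNotFoundError`, and the `except FileNotFoundError: pass` applies to every entry in `self.ds_files`, so a missing non-TLS file also drops out of the permission check without any report. Narrowing the `try` to the `os.stat()` call and continuing from the handler keeps the tolerated case explicit. Whether some entries should instead be reported as missing depends on how `ds_files` is built, which is outside this hunk, as is the method's signature.

```python
for ds_file in self.ds_files:
    try:
        mode = os.stat(ds_file['name'])[ST_MODE]
    except FileNotFoundError:
        # TLS-related files do not exist when TLS is not configured
        continue
    perms = int(oct(mode)[-3:])
    # … unchanged: compare perms with ds_file['perms'] and yield the report …
```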
diff --git a/SOURCES/0033-Ticket-50490-objects-and-memory-leaks.patch b/SOURCES/0033-Ticket-50490-objects-and-memory-leaks.patch
new file mode 100644
index 0000000..be3a901
--- /dev/null
+++ b/SOURCES/0033-Ticket-50490-objects-and-memory-leaks.patch
@@ -0,0 +1,45 @@
+From ffeb3389c2682b41db28062a48ff555875330098 Mon Sep 17 00:00:00 2001
+From: Ludwig Krispenz
+Date: Thu, 1 Aug 2019 10:40:33 +0200
+Subject: [PATCH] Ticket 50490 objects and memory leaks
+
+Bug: There are severalmemory leaks for replication objects
+
+Fix: This patch contains a couple of fixes:
+
+ - The balance of acquire and release for a replica object was incorrect,
+ but the object is allocated at startup or when a replica is added and
+ destroyed at shutdown. In between we know the replica exists and can be accessed directly
+ To ensure that no access was made until it is destroyed the shutdown order was
+ slightly modifed
+
+ - other objects like RUV or AGMT were also not always correctly balanced, this
+ is corrected
+
+ - in cl5_api where many types of objects are used, the variable names were changed
+ to bettr indicat to what an object refers
+
+ - some other leaks, eg in repl5_total_init or op_shared_add were fixed
+
+ - unused code has been removed
+
+Reviewed by: William, Thierry, Mark - thanks
+---
+ ldap/servers/plugins/replication/repl5_replica_config.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
+index 02b36f6ad..238522b54 100644
+--- a/ldap/servers/plugins/replication/repl5_replica_config.c
++++ b/ldap/servers/plugins/replication/repl5_replica_config.c
+@@ -769,6 +769,7 @@ replica_config_delete(Slapi_PBlock *pb __attribute__((unused)),
+ slapi_sdn_get_dn(replica_get_root(r)));
+ cl5DeleteDBSync(r);
+ replica_delete_by_name(replica_get_name(r));
++ mtnode_ext->replica = NULL;
+ }
+
+ PR_Unlock(s_configLock);
+--
+2.21.1
+
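Review bot: The added `mtnode_ext->replica = NULL;` in `replica_config_delete` carries no comment saying why the pointer is cleared, while the commit message describes a much larger set of changes than this one-line backport contains. A short comment such as `/* replica was removed by replica_delete_by_name(); drop the stale reference held by the mapping tree extension */` would record the intent; that the call releases the object is inferred from its name, not shown here. The assignment happens before `PR_Unlock(s_configLock)`, so it is worth confirming that other readers of `mtnode_ext->replica` take the same lock. `mtnode_ext` is declared and presumably checked outside this hunk, since the function starts and ends beyond it.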
diff --git a/SOURCES/0034-Issue-50780-Fix-UI-issues.patch b/SOURCES/0034-Issue-50780-Fix-UI-issues.patch
new file mode 100644
index 0000000..985e591
--- /dev/null
+++ b/SOURCES/0034-Issue-50780-Fix-UI-issues.patch
@@ -0,0 +1,33 @@
+From 82b5436598848d6870174d04f1c3a5cf702c1508 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Wed, 11 Dec 2019 15:42:22 -0500
+Subject: [PATCH] Issue 50780 - Fix UI issues
+
+Description: Fixed issue with replication conflict entry modal, and
+ problem with the monitor's replication and suffix
+ state data collision that caused a crash if you first
+ looked at replication and then the suffix monitor
+
+relates: https://pagure.io/389-ds-base/issue/50780
+
+Reviewed by: spichugi(Thanks!)
+---
+ src/lib389/lib389/replica.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/lib389/lib389/replica.py b/src/lib389/lib389/replica.py
+index 9b84d8f7e..4855f03f0 100644
+--- a/src/lib389/lib389/replica.py
++++ b/src/lib389/lib389/replica.py
+@@ -1169,7 +1169,7 @@ class Replica(DSLdapObject):
+ if len(conflicts) > 0:
+ report = copy.deepcopy(DSREPLLE0002)
+ report['detail'] = report['detail'].replace('SUFFIX', suffix)
+- report['detail'] = report['detail'].replace('COUNT', len(conflicts))
++ report['detail'] = report['detail'].replace('COUNT', str(len(conflicts)))
+ report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid)
+ yield report
+
+--
+2.24.1
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 661afc1..d5ee368 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -17,7 +17,7 @@ ExcludeArch: i686 %global use_asan 0 %global use_rust 0 -%global use_perl 1 +%global use_legacy 1 %global bundle_jemalloc 1 %if %{use_asan} %global bundle_jemalloc 0
@@ -25,7 +25,7 @@ ExcludeArch: i686 %if %{bundle_jemalloc} %global jemalloc_name jemalloc -%global jemalloc_ver 5.2.0 +%global jemalloc_ver 5.2.1 %global __provides_exclude ^libjemalloc\\.so.*$ %endif
@@ -44,8 +44,8 @@ ExcludeArch: i686 Summary: 389 Directory Server (base) Name: 389-ds-base -Version: 1.4.1.3 -Release: %{?relprefix}7%{?prerel}%{?dist} +Version: 1.4.2.4 +Release: %{?relprefix}8%{?prerel}%{?dist} License: GPLv3+ URL: https://www.port389.org Group: System Environment/Daemons @@ -150,6 +150,9 @@ Requires: cyrus-sasl-plain # this is needed for verify-db.pl Requires: libdb-utils +# Needed for password dictionary checks +Requires: cracklib-dicts + # This picks up libperl.so as a Requires, so we add this versioned one Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) Requires: perl-Errno >= 1.23-360 
@@ -173,25 +176,41 @@ Source2: %{name}-devel.README %if %{bundle_jemalloc} Source3: https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2 %endif -Patch00: 0000-Issue-49602-Revise-replication-status-messages.patch -Patch01: 0001-Issue-49875-Move-SystemD-service-config-to-a-drop-in.patch -Patch02: 0002-Ticket-50355-NSS-can-change-the-requested-SSL-min-an.patch -Patch03: 0003-Ticket-49361-Use-IPv6-friendly-network-functions.patch -Patch04: 0004-Ticket-50431-Fix-covscan-warnings.patch -Patch05: 0005-Issue-50431-Fix-regression-from-coverity-fix.patch -Patch06: 0006-Revert-Issue-49960-Core-schema-contains-strings-inst.patch -Patch07: 0007-Issue-50378-ACI-s-with-IPv4-and-IPv6-bind-rules-do-n.patch -Patch08: 0008-Issue-50177-Add-a-new-CI-test-case-also-added-fixes-.patch -Patch09: 0009-Ticket-50217-Implement-dsconf-security-section.patch -Patch10: 0010-Issue-50431-Fix-regression-from-coverity-fix.patch -Patch11: 0011-Ticket-50413-ds-replcheck-Always-display-the-Result-.patch -Patch12: 0012-Issue-49239-Add-a-new-CI-test-case.patch -Patch13: 0013-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch -Patch14: 0014-Issue-50474-Unify-result-codes-for-add-and-modify-of.patch -Patch15: 0015-Ticket-49789-By-default-do-not-manage-unhashed-passw.patch -Patch16: 0016-Ticket-50329-2nd-Possible-Security-Issue-DOS-due-to-.patch -Patch17: 0017-Issue-50538-cleanAllRUV-task-limit-is-not-enforced-f.patch -Patch18: 0018-CVE-2019-14824-BZ-1748201-deref-plugin-displays-rest.patch +Patch00: 0000-Issue-50712-Version-comparison-doesn-t-work-correctl.patch +Patch01: 0001-Issue-50499-Fix-npm-audit-issues.patch +Patch02: 0002-Issue-50701-Add-additional-healthchecks-to-dsconf.patch +Patch03: 0003-Issue-50701-Fix-type-in-lint-report.patch +Patch04: 0004-Issue-50816-dsconf-allows-the-root-password-to-be-se.patch +Patch05: 0005-Issue-50812-dscontainer-executable-should-be-placed-.patch +Patch06: 
0006-Ticket-50741-bdb_start-Detected-Disorderly-Shutdown-.patch +Patch07: 0007-Ticket-50667-dsctl-l-did-not-respect-PREFIX.patch +Patch08: 0008-Ticket-50709-Several-memory-leaks-reported-by-Valgri.patch +Patch09: 0009-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch +Patch10: 0010-Issue-50806-Fix-minor-issues-in-lib389-health-checks.patch +Patch11: 0011-Issue-50599-Remove-db-region-files-prior-to-db-recov.patch +Patch12: 0012-Issue-50798-incorrect-bytes-in-format-string-fix-imp.patch +Patch13: 0013-Issue-50824-dsctl-remove-fails-with-name-ensure_str-.patch +Patch14: 0014-Issue-50818-dsconf-pwdpolicy-get-error.patch +Patch15: 0015-Ticket-50709-cont-Several-memory-leaks-reported-by-V.patch +Patch16: 0016-Issue-50829-Disk-monitoring-rotated-log-cleanup-caus.patch +Patch17: 0017-Ticket-50745-ns-slapd-hangs-during-CleanAllRUV-tests.patch +Patch18: 0018-Ticket-50727-change-syntax-validate-by-default-in-1..patch +Patch19: 0019-Ticket-50727-correct-mistaken-options-in-filter-vali.patch +Patch20: 0020-Issue-50599-Fix-memory-leak-when-removing-db-region-.patch +Patch21: 0021-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch +Patch22: 0022-Ticket-50741-cont-bdb_start-Detected-Disorderly-Shut.patch +Patch23: 0023-Issue-49254-Fix-compiler-failures-and-warnings.patch +Patch24: 0024-Issue-49990-Need-to-enforce-a-hard-maximum-limit-for.patch +Patch25: 0025-Issue-50850-Fix-dsctl-healthcheck-for-python36.patch +Patch26: 0026-Ticket-49624-cont-DB-Deadlock-on-modrdn-appears-to-c.patch +Patch27: 0027-Issue-50823-dsctl-doesn-t-work-with-slapd-in-the-ins.patch +Patch28: 0028-Ticket-50857-Memory-leak-in-ACI-using-IP-subject.patch +Patch29: 0029-Issue-50873-Fix-issues-with-healthcheck-tool.patch +Patch30: 0030-Issue-50873-Fix-healthcheck-and-virtual-attr-check.patch +Patch31: 0031-Issue-50886-Typo-in-the-replication-debug-message.patch +Patch32: 0032-Issue-50882-Fix-healthcheck-errors-for-instances-tha.patch +Patch33: 0033-Ticket-50490-objects-and-memory-leaks.patch 
+Patch34: 0034-Issue-50780-Fix-UI-issues.patch %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -227,12 +246,12 @@ Core libraries for the 389 Directory Server base package. These libraries are used by the main package and the -devel package. This allows the -devel package to be installed with just the -libs package and without the main package. +%if %{use_legacy} %package legacy-tools -Summary: Legacy utilities for 389 Directory Server (%{variant}) +Summary: Legacy utilities for 389 Directory Server Group: System Environment/Daemons Obsoletes: %{name} <= 1.4.0.9 Requires: %{name}-libs = %{version}-%{release} -%if %{use_perl} # for setup-ds.pl to support ipv6 %if %{use_Socket6} Requires: perl-Socket6 @@ -244,14 +263,15 @@ Requires: perl-NetAddr-IP Requires: perl-Mozilla-LDAP # for setup-ds.pl Requires: bind-utils +%global __provides_exclude_from %{_libdir}/%{pkgname}/perl +%global __requires_exclude perl\\((DSCreate|DSMigration|DSUpdate|DSUtil|Dialog|DialogManager|FileConn|Inf|Migration|Resource|Setup|SetupLog) %{?perl_default_filter} -%endif -# End use perl %description legacy-tools Legacy (and deprecated) utilities for 389 Directory Server. This includes the old account management and task scripts. These are deprecated in favour of the dscreate, dsctl, dsconf and dsidm tools. +%endif %package devel Summary: Development libraries for 389 Directory Server @@ -289,6 +309,7 @@ Group: Development/Libraries Requires: openssl Requires: iproute Requires: platform-python +Requires: bash-completion Requires: python%{python3_pkgversion}-ldap Requires: python%{python3_pkgversion}-six Requires: python%{python3_pkgversion}-pyasn1 
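Review bot: The rewritten patch list drops the security fixes carried for 1.4.1.3, among them `0016-Ticket-50329-2nd-Possible-Security-Issue-DOS-due-to-.patch` and `0018-CVE-2019-14824-BZ-1748201-deref-plugin-displays-rest.patch`, and nothing in this hunk shows that the 1.4.2.4 tarball already contains them. A rebase normally absorbs such patches, but that is inferred rather than visible here, so it is worth checking each dropped security patch against the new source before release. Once verified, a comment above `Patch00` such as `# 1.4.1.3 Patch15-Patch18 (incl. CVE-2019-14824) confirmed present in the %{version} tarball` would make the removal auditable.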
@@ -296,6 +317,8 @@ Requires: python%{python3_pkgversion}-pyasn1-modules Requires: python%{python3_pkgversion}-dateutil Requires: python%{python3_pkgversion}-argcomplete Requires: python%{python3_pkgversion}-libselinux +Requires: python%{python3_pkgversion}-setuptools +Requires: python%{python3_pkgversion}-distro %{?python_provide:%python_provide python%{python3_pkgversion}-lib389} %description -n python%{python3_pkgversion}-lib389 @@ -334,10 +357,10 @@ ASAN_FLAGS="--enable-asan --enable-debug" RUST_FLAGS="--enable-rust" %endif -%if !%{use_perl} -PERL_FLAGS="--disable-perl" +%if %{use_legacy} +LEGACY_FLAGS="--enable-legacy --enable-perl" %else -PERL_FLAGS="--enable-perl" +LEGACY_FLAGS="--disable-legacy --disable-perl" %endif %if %{use_clang} @@ -368,7 +391,7 @@ autoreconf -fiv --with-systemdsystemconfdir=%{_sysconfdir}/systemd/system \ --with-systemdgroupname=%{groupname} \ --libexecdir=%{_libexecdir}/%{pkgname} \ - $NSSARGS $ASAN_FLAGS $RUST_FLAGS $PERL_FLAGS $CLANG_FLAGS \ + $NSSARGS $ASAN_FLAGS $RUST_FLAGS $LEGACY_FLAGS $CLANG_FLAGS \ --enable-cmocka # lib389 @@ -394,8 +417,7 @@ mkdir -p %{buildroot}%{_datadir}/gdb/auto-load%{_sbindir} mkdir -p %{buildroot}%{_datadir}/cockpit make DESTDIR="$RPM_BUILD_ROOT" install -# Cockpit branding, and directory and file list -mv -f %{buildroot}%{_datadir}/cockpit/389-console/rhds-banner.html %{buildroot}%{_datadir}/cockpit/389-console/banner.html +# Cockpit file list find %{buildroot}%{_datadir}/cockpit/389-console -type d | sed -e "s@%{buildroot}@@" | sed -e 's/^/\%dir /' > cockpit.list find %{buildroot}%{_datadir}/cockpit/389-console -type f | sed -e "s@%{buildroot}@@" >> cockpit.list 
@@ -418,7 +440,7 @@ mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/%{groupname}.wants find %{buildroot} -type f -name "*.la" -delete find %{buildroot} -type f -name "*.a" -delete -%if %{use_perl} +%if %{use_legacy} # make sure perl scripts have a proper shebang sed -i -e 's|#{{PERL-EXEC}}|#!/usr/bin/perl|' $RPM_BUILD_ROOT%{_datadir}/%{pkgname}/script-templates/template-*.pl %endif @@ -490,9 +512,9 @@ fi %postun snmp %systemd_postun_with_restart %{pkgname}-snmp.service +%if %{use_legacy} %post legacy-tools -%if %{use_perl} # START UPGRADE SCRIPT if [ -n "$DEBUGPOSTTRANS" ] ; then @@ -570,11 +592,7 @@ exit 0 %dir %{_sysconfdir}/systemd/system/%{groupname}.wants %config(noreplace)%{_sysconfdir}/%{pkgname}/config/slapd-collations.conf %config(noreplace)%{_sysconfdir}/%{pkgname}/config/certmap.conf -%config(noreplace)%{_sysconfdir}/%{pkgname}/config/template-initconfig %{_datadir}/%{pkgname} -%exclude %{_datadir}/%{pkgname}/script-templates -%exclude %{_datadir}/%{pkgname}/updates -%exclude %{_datadir}/%{pkgname}/properties/*.res %{_datadir}/gdb/auto-load/* %{_unitdir} %{_bindir}/dbscan @@ -597,25 +615,8 @@ exit 0 %{_sbindir}/ns-slapd %{_mandir}/man8/ns-slapd.8.gz %{_libexecdir}/%{pkgname}/ds_systemd_ask_password_acl -%{_sbindir}/bak2db -%{_mandir}/man8/bak2db.8.gz -%{_sbindir}/db2bak -%{_mandir}/man8/db2bak.8.gz -%{_sbindir}/db2index -%{_mandir}/man8/db2index.8.gz -%{_sbindir}/db2ldif -%{_mandir}/man8/db2ldif.8.gz -%{_sbindir}/dbverify -%{_mandir}/man8/dbverify.8.gz -%{_sbindir}/ldif2db -%{_mandir}/man8/ldif2db.8.gz -%{_sbindir}/upgradedb -%{_mandir}/man8/upgradedb.8.gz -%{_sbindir}/vlvindex -%{_mandir}/man8/vlvindex.8.gz %{_mandir}/man5/99user.ldif.5.gz %{_mandir}/man5/certmap.conf.5.gz -%{_mandir}/man5/template-initconfig.5.gz %{_mandir}/man5/slapd-collations.conf.5.gz %{_mandir}/man5/dirsrv.5.gz %{_mandir}/man5/dirsrv.systemd.5.gz 
@@ -650,13 +651,11 @@ exit 0 %{_libdir}/libsvrcore.so %{_libdir}/%{pkgname}/libslapd.so %{_libdir}/%{pkgname}/libns-dshttpd.so -%{_libdir}/%{pkgname}/libnunc-stans.so %{_libdir}/%{pkgname}/libsds.so %{_libdir}/%{pkgname}/libldaputil.so %{_libdir}/pkgconfig/svrcore.pc %{_libdir}/pkgconfig/dirsrv.pc %{_libdir}/pkgconfig/libsds.pc -%{_libdir}/pkgconfig/nunc-stans.pc %files libs %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel @@ -664,7 +663,6 @@ exit 0 %{_libdir}/libsvrcore.so.* %{_libdir}/%{pkgname}/libslapd.so.* %{_libdir}/%{pkgname}/libns-dshttpd-*.so -%{_libdir}/%{pkgname}/libnunc-stans.so.* %{_libdir}/%{pkgname}/libsds.so.* %{_libdir}/%{pkgname}/libldaputil.so.* %if %{bundle_jemalloc} @@ -674,6 +672,7 @@ exit 0 %{_libdir}/%{pkgname}/librsds.so %endif +%if %{use_legacy} %files legacy-tools %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel %{_bindir}/infadd 
@@ -686,6 +685,39 @@ exit 0 %{_mandir}/man1/mmldif.1.gz %{_bindir}/rsearch %{_mandir}/man1/rsearch.1.gz +%{_libexecdir}/%{pkgname}/ds_selinux_enabled +%{_libexecdir}/%{pkgname}/ds_selinux_port_query +%config(noreplace)%{_sysconfdir}/%{pkgname}/config/template-initconfig +%{_mandir}/man5/template-initconfig.5.gz +%{_datadir}/%{pkgname}/properties/*.res +%{_datadir}/%{pkgname}/script-templates +%{_datadir}/%{pkgname}/updates +%{_sbindir}/ldif2ldap +%{_mandir}/man8/ldif2ldap.8.gz +%{_sbindir}/bak2db +%{_mandir}/man8/bak2db.8.gz +%{_sbindir}/db2bak +%{_mandir}/man8/db2bak.8.gz +%{_sbindir}/db2index +%{_mandir}/man8/db2index.8.gz +%{_sbindir}/db2ldif +%{_mandir}/man8/db2ldif.8.gz +%{_sbindir}/dbverify +%{_mandir}/man8/dbverify.8.gz +%{_sbindir}/ldif2db +%{_mandir}/man8/ldif2db.8.gz +%{_sbindir}/restart-dirsrv +%{_mandir}/man8/restart-dirsrv.8.gz +%{_sbindir}/start-dirsrv +%{_mandir}/man8/start-dirsrv.8.gz +%{_sbindir}/status-dirsrv +%{_mandir}/man8/status-dirsrv.8.gz +%{_sbindir}/stop-dirsrv +%{_mandir}/man8/stop-dirsrv.8.gz +%{_sbindir}/upgradedb +%{_mandir}/man8/upgradedb.8.gz +%{_sbindir}/vlvindex +%{_mandir}/man8/vlvindex.8.gz %{_sbindir}/monitor %{_mandir}/man8/monitor.8.gz %{_sbindir}/dbmon.sh @@ -700,18 +732,6 @@ exit 0 %{_mandir}/man8/suffix2instance.8.gz %{_sbindir}/upgradednformat %{_mandir}/man8/upgradednformat.8.gz -%{_sbindir}/restart-dirsrv -%{_mandir}/man8/restart-dirsrv.8.gz -%{_sbindir}/start-dirsrv -%{_mandir}/man8/start-dirsrv.8.gz -%{_sbindir}/status-dirsrv -%{_mandir}/man8/status-dirsrv.8.gz -%{_sbindir}/stop-dirsrv -%{_mandir}/man8/stop-dirsrv.8.gz -%if %{use_perl} -%{_datadir}/%{pkgname}/properties/*.res -%{_datadir}/%{pkgname}/script-templates -%{_datadir}/%{pkgname}/updates %{_mandir}/man1/dbgen.pl.1.gz %{_bindir}/repl-monitor %{_mandir}/man1/repl-monitor.1.gz 
@@ -761,8 +781,6 @@ exit 0 %{_sbindir}/verify-db.pl %{_mandir}/man8/verify-db.pl.8.gz %{_libdir}/%{pkgname}/perl -%{_libexecdir}/%{pkgname}/ds_selinux_enabled -%{_libexecdir}/%{pkgname}/ds_selinux_port_query %endif %files snmp 
@@ -783,3928 +801,56 @@ exit 0 %{_mandir}/man8/dsctl.8.gz %{_sbindir}/dsidm %{_mandir}/man8/dsidm.8.gz -%{_sbindir}/dscontainer +%{_libexecdir}/%{pkgname}/dscontainer %files -n cockpit-389-ds -f cockpit.list %{_datarootdir}/metainfo/389-console/org.port389.cockpit_console.metainfo.xml %doc README.md %changelog -* Tue Sep 3 2019 Mark Reynolds - 1.4.1.3-7 -- Bump version to 1.4.1.3-7 -- Resolves: Bug 1748201 - EMBARGOED CVE-2019-14824 389-ds:1.4/389-ds-base: 389-ds and IDM: allows authenticated unprivileged user to retrieve content of userPassword field for any user - -* Thu Aug 22 2019 Mark Reynolds - 1.4.1.3-6 -- Bump version to 1.4.1.3-6 -- Resolves: Bug 1739183 - CleanAllRUV task limit not enforced - -* Fri Jul 26 2019 Mark Reynolds - 1.4.1.3-5 -- Bump verison to 1.4.1.3-5 -- Resolves: Bug 1720331 - Log the actual base DN when the search fails with "invalid attribute request" -- Resolves: Bug 1725815 - consistency in the replication error codes while setting nsds5replicaid=65535 -- Resolves: Bug 1592228 - CVE-2018-10871 389-ds-base: replication and the Retro Changelog plugin store plaintext password by default -- Resolves: Bug 1699043 - CVE-2019-3883 389-ds-base: DoS via hanging secured connections -- Resolves: Bug 1444876 - Add new keyword to access logging when buffer capacity is exceeded - -* Fri Jul 12 2019 Mark Reynolds - 1.4.1.3-4 -- Bump verison to 1.4.1.3-4 -- Resolves: Bug 1712467 - Fix schema OID issue that came over from rebase - -* Fri Jun 28 2019 Mark Reynolds - 1.4.1.3-3 -- Bump verison to 1.4.1.3-3 -- Resolves: Bug 1654056 - /usr/lib/systemd/system/dirsrv@.service:40: .include directives are deprecated -- Resolves: Bug 1706224 - Protocol setting is inconsistent in FIPS mode -- Resolves: Bug 1715675 - Fix potential ipv6 issues -- Resolves: Bug 1717540 - Address covscan warnings - -* Fri May 24 2019 Mark Reynolds - 1.4.1.3-2 -- Bump version to 1.4.1.3-2 -- Resolves: Bug 1544973 - [RFE] IPA replica stuck at last update status: Error (18) Replication 
error acquiring replica: Incremental update transient error. - -* Fri May 24 2019 Mark Reynolds - 1.4.1.3-1 -- Bump version to 1.4.1.3-1 -- Resolves: Bug 1633718 - 389-ds module: Switched Requires from "python3" to "platform-python" -- Resolves: Bug 1654059 - 389-ds-base: dscreate and dsconf print DM's password in verbose mode -- Resolves: Bug 1712467 - Rebase 389-ds-base on RHEL 8.1 - -* Fri Feb 01 2019 Mark Reynolds - 1.4.0.20-7 -- Bump version to 1.4.0.20-7 -- Resolves: Bug 1671735 - dscreate interactive fails when the suffix contains spaces -- Resolves: Bug 1654101 - Fix cherry-pick error in setup.py - -* Thu Jan 31 2019 Mark Reynolds - 1.4.0.20-6 -- Bump version to 1.4.0.20-6 -- Resolves: Bug 1654101 - dscreate - suffix create root node option -- Resolves: Bug 1671505 - ns-slapd crashes with k5_mutex_lock: Assertion `r == 0' failed - -* Fri Jan 11 2019 Mark Reynolds - 1.4.0.20-5 -- Bump version to 1.4.0.20-5 -- Resolves: Bug 1654566 - dsctl db2ldif: Failing with error AttributeError: DirSrv has no attribute '_instance' - -* Fri Jan 4 2019 Mark Reynolds - 1.4.0.20-4 -- Bump version to 1.4.0.20-4 -- Resolves: Bug 1654105 - fix source tar ball - -* Fri Dec 21 2018 Mark Reynolds - 1.4.0.20-3 -- Bump version to 1.4.0.20-3 -- Resolves: Bug 1654105 - RHDS 11: dsconf related issues -- Resolves: Bug 1623634 - Add backend functionality to UI's Plugin Tab -- Resolves: Bug 1648971 - ssca needs to be removed after dirsrv instance is removed -- Resolves: Bug 1654430 - cockpit does not validate Directory Manager password change operation -- Resolves: Bug 1654241 - Add backend functionality to UI's Server Tab No. 
2 (CLI and UI) -- Resolves: Bug 1658622 - Information disclosure while using WebUI - -* Fri Dec 14 2018 Mark Reynolds - 1.4.0.20-2 -- Bump version to 1.4.0.20-2 -- Resolves: Bug 1648937 - python3-lib389 pulls dependencies required only by tests - -* Fri Dec 14 2018 Mark Reynolds - 1.4.0.20-1 -- Bump version to 1.4.0.20-1 -- Resolves: Bug 1631461 - Python installer doesn't label ports with ldap_port_t -- Resolves: Bug 1653165 - certmap fails when Issuer DN has comma in name -- Resolves: Bug 1653469 - Customer requesting -y option for ds-replcheck -- Resolves: Bug 1654101 - dscreate related issues -- Resolves: Bug 1654116 - dsctl related issues -- Resolves: Bug 1654134 - 389 web UI gives error when try to do backup management -- Resolves: Bug 1654281 - RHDS webui console is not loading other instances apart -- Resolves: Bug 1654451 - dscreate permissions and SELinux labels "too relaxed/open", "incorrect" -- Resolves: Bug 1654518 - While creating instance getting error "ERR - createprlistensockets - PR_Bind() on All Interfaces port 392 failed: Netscape Portable Runtime error -5966 -- Resolves: Bug 1654566 - dsctl db2ldif: Failing with error AttributeError: DirSrv has no attribute '_instance' -- Resolves: Bug 1654577 - Cockpit create backup should perform backup name check -- Resolves: Bug 1654581 - dsidm: User creation failing with error AttributeError: module 'sys' has no attribute 'ext' -- Resolves: Bug 1654693 - dsconfig doesn't have option to pass password as an argument -- Resolves: Bug 1658613 - Bind password change for replica agreement breaks replication - -* Tue Nov 27 2018 Mark Reynolds - 1.4.0.19-2 -- Bump version to 1.4.0.19-2 -- Resolves: Bug 1631461 - Python installer doesn't label ports with ldap_port_t - -* Fri Nov 2 2018 Mark Reynolds - 1.4.0.19-1 -- Bump version to 1.4.0.19-1 -- Resolves: Bug 1648924 - during MODRDN referential integrity can fail erronously while updating large groups -- Resolves: Bug 1631461 - Python installer doesn't label ports 
with ldap_port_t - -* Fri Nov 2 2018 Mark Reynolds - 1.4.0.18-3 -- Bump version to 1.4.0.18-3 -- Resolves: Bug 1618411 - Internal operation logging counts were off - -* Mon Oct 15 2018 Mark Reynolds - 1.4.0.18-2 -- Bump version to 1.4.0.18-2 -- Resolves: Bug 1633718 - Fix regression from previous patch - -* Mon Oct 15 2018 Mark Reynolds - 1.4.0.18-1 -- Bump version to 1.4.0.18-1 -- Resolves: Bug 1602439 - Please review important issues found by covscan in "389-ds-base-1.4.0.11-1.el8+7" package -- Resolves: Bug 1623631 - Add backend functionality to UI's Replication Tab -- Resolves: Bug 1623633 - Add backend functionality to UI's Schema Tab -- Resolves: Bug 1588057 - CVE-2018-10850 389-ds-base: race condition on reference counter leads to DoS using persistent search -- Resolves: Bug 1624420 - CVE-2018-14638 389-ds-base: Crash in delete_passwdPolicy when persistent search connections are terminated unexpectedly -- Resolves: Bug 1633718 - 389-ds module: Switched Requires from "python3" to "platform-python" - -* Wed Oct 03 2018 Matus Honek - 1.4.0.17-3 -- Bump version to 1.4.0.17-3 -- Resolves: Bug 1635675 - Typo in SPEC file's 'Requires' breaks the latest compose - -* Tue Sep 25 2018 Mark Reynolds - 1.4.0.17-2 -- Bump version to 1.4.0.17-2 -- - Resolves: Bug 1623633 - Remove linux capabilities(Ticket 48432) - -* Tue Sep 25 2018 Mark Reynolds - 1.4.0.17-1 -- Bump version to 1.4.0.17-1 -- Resolves: Bug 1623633 - Add backend functionality to UI's Schema Tab -- Resolves: Bug 1602439 - Please review important issues found by covscan -- Resolves: Bug 1629676 - replica install fails on s390x arch - -* Wed Sep 19 2018 Tomas Orsava - 1.4.0.14-6 -- Require the Python interpreter directly instead of using the package name -- Related: rhbz#1619153 - -* Wed Aug 29 2018 Mark Reynolds - 1.4.0.14-5 -- Bump version to 1.4.0.14-5 -- Resolves: Bug 1591761 - Revert ticket 49372 -- Resolves: Bug 1624196 - CVE-2018-14624 389-ds-base: Server crash through modify command with large DN - -* 
Thu Aug 16 2018 Mark Reynolds - 1.4.0.14-4
-- Bump version to 1.4.0.14-4
-- Resolves: Bug 1618411 - Internal operation logging causes crash
-
-* Mon Aug 13 2018 Mark Reynolds - 1.4.0.14-3
-- Bump version to 1.4.0.14-3
-- Resolves: Bug 1591761 - Fix typo in changelog date
-
-* Mon Aug 13 2018 Mark Reynolds - 1.4.0.14-2
-- Bump version to 1.4.0.14-3
-- Resolves: Bug 1591761 - Only ship libjemalloc.so.2
-
-* Fri Aug 10 2018 Mark Reynolds - 1.4.0.14-1
-- Bump version to 1.4.0.14
-- Resolves: Bug 1578773 - ipa-server-install fails on missing setup-ds.pl dependency
-- Ticket 49891 - Use "__python3" macro for python scripts
-- Ticket 49890 - ldapsearch with server side sort crashes the ldap server
-- Ticket 49029 - RFE -improve internal operations logging
-- Ticket 49893 - disable nunc-stans by default
-- Ticket 48377 - Update file name for LD_PRELOAD
-- Ticket 49884 - Improve nunc-stans test to detect socket errors sooner
-- Ticket 49888 - Use perl filter in rpm specfile
-- Ticket 49866 - Add password policy features to CLI/UI
-- Ticket 49881 - Missing check for crack.h
-- Ticket 48056 - Add more test cases to the basic suite
-- Ticket 49761 - Fix replication test suite issues
-- Ticket 49381 - Refactor the plugin test suite docstrings
-- Ticket 49837 - Add new password policy attributes to UI
-- Ticket 49794 - RFE - Add pam_pwquality features to password syntax checking
-- Ticket 49867 - Fix CLI tools' double output
-
-* Thu Aug 09 2018 Josef Ridky - 1.4.0.13-2
-- Rebuild for Net-SNMP 5.8
-
-* Thu Jul 19 2018 Mark Reynolds - 1.4.0.13-1
-- Bump version to 1.4.0.13
-- Ticket 49854 - ns-slapd should create run_dir and lock_dir directories at startup
-- Ticket 49806 - Add SASL functionality to CLI/UI
-- Ticket 49789 - backout original security fix as it caused a regression in FreeIPA
-- Ticket 49857 - RPM scriptlet for 389-ds-base-legacy-tools throws an error
-
-* Tue Jul 17 2018 Mark Reynolds - 1.4.0.12-1
-- Bump version to 1.4.0.12-1
-- Ticket 48377 - Move jemalloc license to /usr/share/licences
-- Ticket 49813 - Revised interactive installer
-- Ticket 49789 - By default, do not manage unhashed password
-- Ticket 49844 - lib389: don't set up logging at module scope
-- Ticket 49546 - Fix issues with MIB file
-- Ticket 49840 - ds-replcheck command returns traceback errors against ldif files having garbage content when run in offline mode
-- Ticket 49640 - Cleanup plugin bootstrap logging
-- Ticket 49835 - lib389: fix logging
-- Ticket 48818 - For a replica bindDNGroup, should be fetched the first time it is used not when the replica is started
-- Ticket 49780 - acl_copyEval_context double free
-- Ticket 49830 - Import fails if backend name is "default"
-- Ticket 49832 - remove tcmalloc references
-- Ticket 49813 - dscreate - add interactive installer
-- Ticket 49808 - Add option to add backend to dscreate
-- Ticket 49811 - lib389 setup.py should install autogenerated man pages
-- Ticket 49795 - UI - add "action" backend funtionality
-- Ticket 49588 - Add py3 support for tickets : part-3
-- Ticket 49820 - lib389 requires wrong python ldap library
-- Ticket 49791 - Update docker file for new dscreate options
-- Ticket 49761 - Fix more CI test issues
-- Ticket 49811 - Update man pages
-- Ticket 49783 - UI - add server configuration backend
-- Ticket 49717 - Add conftest.py for tests
-- Ticket 49588 - Add py3 support for tickets
-- Ticket 49793 - Updated descriptions in dscreate example INF file
-- Ticket 49471 - Rename dscreate options
-- Ticket 49751 - passwordMustChange attribute is not honored by a RO consumer if using "Chain on Update"
-- Ticket 49734 - Fix various issues with Disk Monitoring
-- Update Source0 URL in rpm/389-ds-base.spec.in
-
-
-* Thu Jul 12 2018 Fedora Release Engineering - 1.4.0.11-2.5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Tue Jul 10 2018 Pete Walter - 1.4.0.11-2.4
-- Rebuild for ICU 62
-
-* Tue Jul 03 2018 Petr Pisar - 1.4.0.11-2.3
-- Perl 5.28 rebuild
-
-* Mon Jul 02 2018 Miro Hrončok - 1.4.0.11-2.2
-- Rebuilt for Python 3.7
-
-* Fri Jun 29 2018 Jitka Plesnikova - 1.4.0.11-2.1
-- Perl 5.28 rebuild
-
-* Thu Jun 21 2018 Mark Reynolds - 1.4.0.11-2
-- Bump version to 1.4.0.11-2
-- Add python3-lib389 requirement
-
-* Tue Jun 19 2018 Mark Reynolds - 1.4.0.11-1
-- Bump version to 1.4.0.11
-- Test for issue #49788
-- Fixing 4-byte UTF-8 character validation
-- Ticket 49777 - add config subcommand to dsconf
-- Ticket 49712 - lib389 CLI tools should return a result code on failures
-- Issue 49588 - Add py3 support for tickets : part-2
-- Remove old RHEL/fedora version checking from upstream specfile
-- Ticket 48204 - remove python2 from scripts
-- Ticket 49576 - ds-replcheck: fix certificate directory verification
-- Bug 1591761 - 389-ds-base: Remove jemalloc exports
-
-* Tue Jun 19 2018 Miro Hrončok - 1.4.0.10-2.1
-- Rebuilt for Python 3.7
-
-* Fri Jun 8 2018 Mark Reynolds - 1.4.0.10-2
-- Bump verision to 1.4.0.10-2
-- Remove reference ro stop-dirsrv from legacy tools
-
-* Fri Jun 8 2018 Mark Reynolds - 1.4.0.10-1
-- Bump verision to 1.4.0.10-1
-- Ticket 49640 - Errors about PBKDF2 password storage plugin at server startup
-- Ticket 49571 - perl subpackage and python installer by default
-- Ticket 49740 - UI - Replication monitor color coding is not colorblind friendly
-- Ticket 49741 - UI - View/Edit replication agreement hangs WebUI
-- Ticket 49703 - UI - Set default values in create instance form
-- Ticket 49742 - Fine grained password policy can impact search performance
-- Ticket 49768 - Under network intensive load persistent search can erronously decrease connection refcnt
-- Ticket 49765 - compiler warning
-- Ticket 49689 - Cockpit subpackage does not build in PREFIX installations
-- Ticket 49765 - Async operations can hang when the server is running nunc-stans
-- Ticket 49745 - UI add filter options for error log severity levels
-- Ticket 49761 - Fix test suite issues
-- Ticket 49754 - instances created with dscreate can not be upgraded with setup-ds.pl
-- Ticket 47902 - UI - add continuous refresh log feature
-- Ticket 49381 - Add docstrings to plugin test suites - Part 1
-- Ticket 49646 - Improve TLS cert processing in lib389 CLI
-- Ticket 49748 - Passthru plugin startTLS option not working
-- Ticket 49732 - Optimize resource limit checking for rootdn issued searches
-- Ticket 48377 - Bundle jemalloc
-- Ticket 49736 - Hardening of active connection list
-- Ticket 48184 - clean up and delete connections at shutdown (3rd)
-- Ticket 49675 - Revise coverity fix
-- Ticket 49333 - Do not remove versioned man pages
-- Ticket 49683 - Add support for JSON option in lib389 CLI tools
-- Ticket 49704 - Error log from the installer is concatenating all lines into one
-- Ticket 49726 - DS only accepts RSA and Fortezza cipher families
-- Ticket 49722 - Errors log full of " WARN - keys2idl - recieved NULL idl from index_read_ext_allids, treating as empty set" messages
-- Ticket 49582 - Add py3 support to memberof_plugin test suite
-- Ticket 49675 - Fix coverity issues
-- Ticket 49576 - Add support of ";deletedattribute" in ds-replcheck
-- Ticket 49706 - Finish UI patternfly convertions
-- Ticket 49684 - AC_PROG_CC clobbers CFLAGS set by --enable-debug
-- Ticket 49678 - organiSational vs organiZational spelling in lib389
-- Ticket 49689 - Fix local "make install" after adding cockpit subpackage
-- Ticket 49689 - Move Cockpit UI plugin to a subpackage
-- Ticket 49679 - Missing nunc-stans documentation and doxygen warnings
-- Ticket 49588 - Add py3 support for tickets : part-1
-- Ticket 49576 - Update ds-replcheck for new conflict entries
-- Ticket 48184 - clean up and delete connections at shutdown (2nd try)
-- Ticket 49698 - Remove unneeded patternfly files from Cockpit package
-- Ticket 49581 - Fix dynamic plugins test suite
-- Ticket 49665 - remove obsoleted upgrade scripts
-- Ticket 49693 - A DB_DEADLOCK while adding a tombstone (RUV) leads to access of an already freed entry
-- Ticket 49696 - replicated operations should be serialized
-- Ticket 49669 - Invalid cachemem size can crash the server during a restore
-- Ticket 49684 - AC_PROG_CC clobbers CFLAGS set by --enable-debug
-- Ticket 49685 - make clean fails if cargo is not installed
-- Ticket 49106 - Move ds_* scripts to libexec
-- Ticket 49657 - Fix cascading replication scenario in lib389 API
-- Ticket 49671 - Readonly replicas should not write internal ops to changelog
-- Ticket 49673 - nsslapd-cachememsize can't be set to a value bigger than MAX_INT
-- Ticket 49519 - Convert Cockpit UI to use strictly patternfly stylesheets
-- Ticket 49665 - Upgrade script doesn't enable CRYPT password storage plug-in
-- Ticket 49665 - Upgrade script doesn't enable PBKDF2 password storage plug-in
-
-* Tue May 15 2018 Mark Reynolds - 1.4.0.9-2
-- Bump version to 1.4.0.9-2
-- Add openssl-perl requirement for new python installer
-
-* Tue May 8 2018 Mark Reynolds - 1.4.0.9-1
-- Bump version to 1.4.0.9
-- Ticket 49661 - CVE-2018-1089 - Crash from long search filter
-- Ticket 49652 - DENY aci's are not handled properly
-- Ticket 49650 - lib389 enable_tls doesn't work on F28
-- Ticket 49538 - replace cacertdir_rehash with openssl rehash
-- Ticket 49406 - Port backend_test.py test to DSLdapObject implementation
-- Ticket 49649 - Use reentrant crypt_r()
-- Ticket 49642 - lib389 should generate a more complex password
-- Ticket 49612 - lib389 remove_ds_instance() does not remove systemd units
-- Ticket 49644 - crash in debug build
-
-* Mon Apr 30 2018 Pete Walter - 1.4.0.8-1.1
-- Rebuild for ICU 61.1
-
-* Thu Apr 19 2018 Mark Reynolds - 1.4.0.8-1
-- Bump version to 1.4.0.8-1
-- Ticket 49639 - Crash when failing to read from SASL conn
-- Ticket 49109 - nsDS5ReplicaTransportInfo should accept StartTLS as an option
-- Ticket 49586 - Add py3 support to plugins test suite
-- Ticket 49511 - memory leak in pwdhash
-
-* Mon Apr 16 2018 Mark Reynolds - 1.4.0.7-2
-- Bump version to 1.4.0.7-2
-- Fix the devel srvcore requirements
-
-* Fri Apr 13 2018 Mark Reynolds - 1.4.0.7-1
-- Bump version to 1.4.0.7
-- Ticket 49477 - Missing pbkdf python
-- Ticket 49552 - Fix the last of the build issues on F28/29
-- Ticket 49522 - Fix build issues on F28
-- Ticket 49631 - same csn generated twice
-- Ticket 49585 - Add py3 support to password test suite : part-3
-- Ticket 49585 - Add py3 support to password test suite : part-2
-- Ticket 48184 - revert previous patch around unuc-stans shutdown crash
-- Ticket 49585 - Add py3 support to password test suite
-- Ticket 46918 - Fix compiler warnings on arm
-- Ticket 49601 - Replace HAVE_SYSTEMD define with WITH_SYSTEMD in svrcore
-- Ticket 49619 - adjustment of csn_generator can fail so next generated csn can be equal to the most recent one received
-- Ticket 49608 - Add support for gcc/clang sanitizers
-- Ticket 49606 - Improve lib389 documentation
-- Ticket 49552 - Fix build issues on F28
-- Ticket 49603 - 389-ds-base package rebuilt on EPEL can't be installed due to missing dependencies
-- Ticket 49593 - NDN cache stats should be under the global stats
-- Ticket 49599 - Revise replication total init status messages
-- Ticket 49596 - repl-monitor.pl fails to find db tombstone/RUV entry
-- Ticket 49589 - merge svrcore into 389-ds-base
-- Ticket 49560 - Add a test case for extract-pemfiles
-- Ticket 49239 - Add a test suite for ds-replcheck tool RFE
-- Ticket 49369 - merge svrcore into 389-ds-base
-
-* Thu Mar 29 2018 Till Maas - 1.4.0.6-3
-- Remove BR on tcp_wrappers (https://bugzilla.redhat.com/show_bug.cgi?id=1518749)
-
-* Tue Mar 6 2018 Mark Reynolds - 1.4.0.6-1
-- Bump version to 1.4.0.6
-- Ticket 49545 - final substring extended filter search returns invalid result
-- Ticket 49572 - ns_job_wait race on condvar
-- Ticket 49584 - Fix Tickets with paged_results test suite
-- Ticket 49161 - memberof fails if group is moved into scope
-- Ticket 49447 - PBKDF2 on upgrade
-- ticket 49551 - correctly handle subordinates and tombstone numsubordinates
-- Ticket 49043 - Add replica conflict test suite
-- Ticket 49296 - Fix race condition in connection code with anonymous limits
-- Ticket 49568 - Fix integer overflow on 32bit platforms
-- Ticket 48085 - Add encryption cl5 test suite
-- Ticket 49566 - ds-replcheck needs to work with hidden conflict entries
-- Ticket 49519 - Add more Cockpit UI content
-- Ticket 49551 - fix memory leak found by coverity
-- Ticket 49551 - v3 - correct handling of numsubordinates for cenotaphs and tombstone delete
-- Ticket 49278 - Add a new CI test case
-- Ticket 49560 - nsslapd-extract-pemfiles should be enabled by default as openldap is moving to openssl
-- Ticket 49557 - Add config option for checking CRL on outbound SSL Connections
-- Ticket 49446 - Add CI test case
-- Ticket 35 - Description: Add support for managing automember to dsconf
-- Ticket 49544 - cli release preperation
-- Ticket 48006 - Add a new CI test case
-
-* Mon Feb 19 2018 Mark Reynolds - 1.4.0.5-1.7
-- Add cyrus-sasl-plain requirement
-
-* Thu Feb 15 2018 Mark Reynolds - 1.4.0.5-1.6
-- Fix python requirements for policycoreutils-python-utils
-
-* Thu Feb 15 2018 Mark Reynolds - 1.4.0.5-1.5
-- Fix package requirements to use Python 3 packages for LDAP and SELinux
-
-* Thu Feb 15 2018 Mark Reynolds - 1.4.0.5-1.4
-- Only exclude Ix86 arches
-
-* Thu Feb 15 2018 Adam Williamson - 1.4.0.5-1.3
-- Rebuild for libevent soname bump
-
-* Fri Feb 09 2018 Igor Gnatenko - 1.4.0.5-1.2
-- Escape macros in %%changelog
-
-* Wed Feb 07 2018 Fedora Release Engineering - 1.4.0.5-1.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Wed Jan 31 2018 Mark Reynolds - 1.4.0.5-1
-- Bump version to 1.4.0.5
-- CVE-2017-15134 389-ds-base: Remote DoS via search filters in slapi_filter_sprintf
-- Ticket 49546 - Fix broken snmp MIB file
-- Ticket 49554 - update readme
-- Ticket 49554 - Update Makefile for README.md
-- Ticket 49400 - Make CLANG configurable
-- Ticket 49530 - Add pseudolocalization option for dbgen
-- Ticket 49523 - Fixed skipif marker, topology fixture and log message
-- Ticket 49544 - Double check pw prompts
-- Ticket 49548 - Cockpit UI - installer should also setup Cockpit
-
-* Fri Jan 26 2018 Mark Reynolds - 1.4.0.4-1
-- Bump version to 1.4.0.4
-- Ticket 49540 - Indexing task is reported finished too early regarding the backend status
-- Ticket 49534 - Fix coverity regression
-- Ticket 49544 - cli release preperation, group improvements
-- Ticket 49542 - Unpackaged files on el7 break rpm build
-- Ticket 49541 - repl config should not allow rid 65535 for masters
-- Ticket 49370 - Add all the password policy defaults to a new local policy
-- Ticket 49425 - improve demo objects for install
-- Ticket 49537 - allow asan to build with stable rustc
-- Ticket 49526 - Improve create_test.py script
-- Ticket 49516 - Add python 3 support for replication suite
-- Ticket 49534 - Fix coverity issues and regression
-- Ticket 49532 - coverity issues - fix compiler warnings & clang issues
-- Ticket 49531 - coverity issues - fix memory leaks
-- Ticket 49463 - After cleanALLruv, there is a flow of keep alive DEL
-- Ticket 49529 - Fix Coverity warnings: invalid deferences
-- Ticket 49509 - Indexing of internationalized matching rules is failing
-- Ticket 49527 - Improve ds* cli tool testing
-- Ticket 49474 - purge saslmaps before gssapi test
-- Ticket 49413 - Changelog trimming ignores disabled replica-agreement
-- Ticket 49446 - cleanallruv should ignore cleaned replica Id in processing changelog if in force mode
-- Ticket 49278 - GetEffectiveRights gives false-negative
-- Ticket 49508 - memory leak in cn=replica plugin setup
-- Ticket 48118 - Add CI test case
-- Ticket 49520 - Cockpit UI - Add database chaining HTML
-- Ticket 49512 - Add ds-cockpit-setup to rpm spec file
-- Ticket 49523 - Refactor CI test
-- Ticket 49524 - Password policy: minimum token length fails when the token length is equal to attribute length
-- Ticket 49517 - Cockpit UI - Add correct png files
-- Ticket 49517 - Cockput UI - revise config layout
-- Ticket 49523 - memberof: schema violation error message is confusing as memberof will likely repair target entry
-- Ticket 49312 - Added a new test case for "-D configdir"
-- Ticket 49512 - remove backup directories from cockpit source
-- Ticket 49512 - Add initial Cockpit UI Plugin
-- Ticket 49515 - cannot link, missing -fPIC
-- Ticket 49474 - Improve GSSAPI testing capability
-- Ticket 49493 - heap use after free in csn_as_string
-- Ticket 49379 - Add Python 3 support to CI test
-- Ticket 49431 - Add CI test case
-- Ticket 49495 - cos stress test and improvements.
-- Ticket 49495 - Fix memory management is vattr.
-- Ticket 49494 - python 2 bytes mode.
-- Ticket 49471 - heap-buffer-overflow in ss_unescape
-- Ticket 48184 - close connections at shutdown cleanly.
-- Ticket 49218 - Certmap - support TLS tests
-- Ticket 49470 - overflow in pblock_get
-- Ticket 49443 - Add CI test case
-- Ticket 49484 - Minor cli tool fixes.
-- Ticket 49486 - change ns stress core to use absolute int width.
-- Ticket 49445 - Improve regression test to detect memory leak.
-- Ticket 49445 - Memory leak in ldif2db
-- Ticket 49485 - Typo in gccsec_defs
-- Ticket 49479 - Remove unused 'batch' argument from lib389
-- Ticket 49480 - Improvements to support IPA install.
-- Ticket 49474 - sasl allow mechs does not operate correctly
-- Ticket 49449 - Load sysctl values on rpm upgrade.
-- Ticket 49374 - Add CI test case
-- Ticket 49325 - fix rust linking.
-- Ticket 49475 - docker poc improvements.
-- Ticket 49461 - Improve db2index handling for test 49290
-- Ticket 47536 - Add Python 3 support and move test case to suites
-- Ticket 49444 - huaf in task.c during high load import
-- Ticket 49460 - replica_write_ruv log a failure even when it succeeds
-- Ticket 49298 - Ticket with test case and remove-ds.pl
-- Ticket 49408 - Add a test case for nsds5ReplicaId checks
-- Ticket 3 lib389 - python 3 support for subset of pwd cases
-- Ticket 35 lib389 - dsconf automember support
-
-* Sat Jan 20 2018 Björn Esser - 1.4.0.3-1.2
-- Rebuilt for switch to libxcrypt
-
-* Thu Nov 30 2017 Pete Walter - 1.4.0.3-1.1
-- Rebuild for ICU 60.1
-
-* Mon Nov 20 2017 Mark Reynolds - 1.4.0.3-1
-- Bump version to 1.4.0.3
-- Ticket 49457 - Fix spal_meminfo_get function prototype
-- Ticket 49455 - Add tests to monitor test suit.
-- Ticket 49448 - dynamic default pw scheme based on environment.
-- Ticket 49298 - fix complier warn
-- Ticket 49298 - Correct error codes with config restore.
-- Ticket 49454 - SSL Client Authentication breaks in FIPS mode
-- Ticket 49453 - passwd.py to use pwdhash defaults.
-- Ticket 49427 - whitespace in fedse.c
-- Ticket 49410 - opened connection can remain no longer poll, like hanging
-- Ticket 48118 - fix compiler warning for incorrect return type
-- Ticket 49451 - Add environment markers to lib389 dependencies
-- Ticket 49325 - Proof of concept rust tqueue in sds
-- Ticket 49443 - scope one searches in 1.3.7 give incorrect results
-- Ticket 48118 - At startup, changelog can be erronously rebuilt after a normal shutdown
-- Ticket 49412 - SIGSEV when setting invalid changelog config value
-- Ticket 49441 - Import crashes - oneline fix
-- Ticket 49377 - Incoming BER too large with TLS on plain port
-- Ticket 49441 - Import crashes with large indexed binary attributes
-- Ticket 49435 - Fix NS race condition on loaded test systems
-- Ticket 77 - lib389 - Refactor docstrings in rST format - part 2
-- Ticket 17 - lib389 - dsremove support
-- Ticket 3 - lib389 - python 3 compat for paged results test
-- Ticket 3 - lib389 - Python 3 support for memberof plugin test suit
-- Ticket 3 - lib389 - config test
-- Ticket 3 - lib389 - python 3 support ds_logs tests
-- Ticket 3 - lib389 - python 3 support for betxn test
-
-* Fri Nov 3 2017 Mark Reynolds - 1.4.0.2-2
-- Bump version to 1.4.0.2-2
-- Add python-lib389 build requirements
-
-* Fri Nov 3 2017 Mark Reynolds - 1.4.0.2-1
-- Bump version to 1.4.0.2-1
-- Ticket 48393 - fix copy and paste error
-- Ticket 49439 - cleanallruv is not logging information
-- Ticket 48393 - Improve replication config validation
-- Ticket lib389 3 - Python 3 support for ACL test suite
-- Ticket 103 - sysconfig not found
-- Ticket 49436 - double free in COS in some conditions
-- Ticket 48007 - CI test to test changelog trimming interval
-- Ticket 49424 - Resolve csiphash alignment issues
-- Ticket lib389 3 - Python 3 support for pwdPolicy_controls_test.py
-- Ticket 3 - python 3 support - filter test
-- Ticket 49434 - RPM build errors
-- Ticket 49432 - filter optimise crash
-- Ticket 49432 - Add complex fliter CI test
-- Ticket 48894 - harden valueset_array_to_sorted_quick valueset access
-- Ticket 49401 - Fix compiler incompatible-pointer-types warnings
-- Ticket 48681 - Use of uninitialized value in string ne at /usr/bin/logconv.pl
-- Ticket 49409 - Update lib389 requirements
-- Ticket 49401 - improve valueset sorted performance on delete
-- Ticket 49374 - server fails to start because maxdisksize is recognized incorrectly
-- Ticket 49408 - Server allows to set any nsds5replicaid in the existing replica entry
-- Ticket 49407 - status-dirsrv shows ellipsed lines
-- Ticket 48681 - Use of uninitialized value in string ne at /usr/bin/logconv.pl
-- Ticket 49386 - Memberof should be ignore MODRDN when the pre/post entry are identical
-- Ticket 48006 - Missing warning for invalid replica backoff configuration
-- Ticket 49064 - testcase hardening
-- Ticket 49064 - RFE allow to enable MemberOf plugin in dedicated consumer
-- Ticket lib389 3 - python 3 support
-- Ticket 49402 - Adding a database entry with the same database name that was deleted hangs server at shutdown
-- Ticket 48235 - remove memberof lock (cherry-pick error)
-- Ticket 49394 - build warning
-- Ticket 49381 - Refactor numerous suite docstrings - Part 2
-- Ticket 49394 - slapi_pblock_get may leave unchanged the provided variable
-- Ticket 49403 - tidy ns logging
-- Ticket 49381 - Refactor filter test suite docstrings
-- Ticket 48235 - Remove memberOf global lock
-- Ticket 103 - Make sysconfig where it is expected to exist
-- Ticket 49400 - Add clang support to rpm builds
-- Ticket 49381 - Refactor ACL test suite docstrings
-- Ticket 49363 - Merge lib389
-- Ticket 101 - BaseException.message has been deprecated in Python3
-- Ticket 102 - referral support
-- Ticket 99 - Fix typo in create_topology
-- Ticket #98 - Fix dbscan output
-- Ticket #77 - Fix changelogdb param issue
-- Ticket #77 - Refactor docstrings in rST format - part 1
-- Ticket 96 - Change binaries' names
-- Ticket 77 - Add sphinx documentation
-- Ticket 43 - Add support for Referential Integrity plugin
-- Ticket 45 - Add support for Rootdn Access Control plugin
-- Ticket 46 - dsconf support for dynamic schema reload
-- Ticket 74 - Advice users to set referint-update-delay to 0
-- Ticket 92 - display_attr() should return str not bytes in py3
-- Ticket 93 - Fix test cases in ctl_dbtasks_test.py
-- Ticket 88 - python install and remove for tests
-- Ticket 85 - Remove legacy replication attribute
-- Ticket 91 - Fix replication topology
-- Ticket 89 - Fix inconsistency with serverid
-- Ticket 79 - Fix replica.py and add tests
-- Ticket 86 - add build dir to gitignore
-- Ticket 83 - Add an util for generating instance parameters
-- Ticket 87 - Update accesslog regec for HR etimes
-- Ticket 49 - Add support for whoami plugin
-- Ticket 48 - Add support for USN plugin
-- Ticket 78 - Add exists() method to DSLdapObject
-- Ticket 31 - Allow complete removal of some memberOf attrs
-- Ticket31 - Add memberOf fix-up task
-- Ticket 67 - Add ensure_int function
-- Ticket 59 - lib389 support for index management.
-- Ticket 67 - get attr by type
-- Ticket 70 - Improve repl tools
-- Ticket 50 - typo in db2* in dsctl
-- Ticket 31 - Add status command and SkipNested support for MemberOf
-- Ticket 31 - Add functional tests for MemberOf plugin
-- Ticket 66 - expand healthcheck for Directory Server
-- Ticket 69 - add specfile requires
-- Ticket 31 - Initial MemberOf plugin support
-- Ticket 50 - Add db2* tasks to dsctl
-- Ticket 65 - Add m2c2 topology
-- Ticket 63 - part 2, agreement test
-- Ticket 63 - lib389 python 3 fix
-- Ticket 62 - dirsrv offline log
-- Ticket 60 - add dsrc to dsconf and dsidm
-- Ticket 32 - Add TLS external bind support for testing
-- Ticket 27 - Fix get function in tests
-- Ticket 28 - userAccount for older versions without nsmemberof
-- Ticket 27 - Improve dseldif API
-- Ticket 30 - Add initial support for account lock and unlock.
-- Ticket 29 - fix incorrect format in tools
-- Ticket 28 - Change default objectClasses for users and groups
-- Ticket 1 - Fix missing dn / rdn on config.
-- Ticket 27 - Add a module for working with dse.ldif file
-- Ticket 1 - cn=config comparison
-- Ticket 21 - Missing serverid in dirsrv_test due to incorrect allocation
-- Ticket 26 - improve lib389 sasl support
-- Ticket 24 - Join paths using os.path.join instead of string concatenation
-- Ticket 25 - Fix RUV __repr__ function
-- Ticket 23 - Use DirSrv.exists() instead of manually checking for instance's existence
-- Ticket 1 - cn=config comparison
-- Ticket 22 - Specify a basedn parameter for IDM modules
-- Ticket 19 - missing readme.md in python3
-- Ticket 20 - Use the DN_DM constant instead of hard coding its value
-- Ticket 19 - Missing file and improve make
-- Ticket 14 - Remane dsadm to dsctl
-- Ticket 16 - Reset InstScriptsEnabled argument during the init
-- Ticket 14 - Remane dsadm to dsctl
-- Ticket 13 - Add init function to create new domain entries
-- Ticket 15 - Improve instance configuration ability
-- Ticket 10 - Improve command line tool arguments
-- Ticket 9 - Convert readme to MD
-- Ticket 7 - Add pause and resume methods to topology fixtures
-- Ticket 49172 - Allow lib389 to read system schema and instance
-- Ticket 49172 - Allow lib389 to read system schema and instance
-- Ticket 6 - Bump lib389 version 1.0.4
-- Ticket 5 - Fix container build on fedora
-- Ticket 4 - Cert detection breaks some tests
-- Ticket 49137 - Add sasl plain tests, lib389 support
-- Ticket 2 - pytest mark with version relies on root
-- Ticket 49126 - DIT management tool
-- Ticket 49101 - Python 2 generate example entries
-- Ticket 49103 - python 2 support for installer
-- Ticket 47747 - Add topology_i2 and topology_i3
-- Ticket 49087 - lib389 resolve jenkins issues
-- Ticket 48413 - Improvements to lib389 for rest
-- Ticket 49083 - Support prefix for discovery of the defaults.inf file.
-- Ticket 49055 - Fix debugging mode issue
-- Ticket 49060 - Increase number of masters, hubs and consumers in topology
-- Ticket 47747 - Add more topology fixtures
-- Ticket 47840 - Add InstScriptsEnabled argument
-- Ticket 47747 - Add topology fixtures module
-- Ticket 48707 - Implement draft-wibrown-ldapssotoken-01
-- Ticket 49022 - Lib389, py3 installer cannot create entries in backend
-- Ticket 49024 - Fix paths to the dbdir parent
-- Ticket 49024 - Fix db_dir paths
-- Ticket 49024 - Fix paths in tools module
-- Ticket 48961 - Fix lib389 minor issues shown by 48961 test
-- Ticket 49010 - Lib389 fails to start with systemctl changes
-- Ticket 49007 - lib389 fixes for paths to use online values
-- Ticket 49005 - Update lib389 to work in containers correctly.
-- Ticket 48991 - Fix lib389 spec for python2 and python3
-- Ticket 48984 - Add lib389 paths module
-- Ticket 48951 - dsadm dsconfig status and plugin
-- Ticket 47957 - Update the replication "idle" status string
-- Ticket 48951 - dsadm and dsconf base files
-- Ticket 48952 - Restart command needs a sleep
-- Ticket 48949 - Fix ups for style and correctness
-- Ticket 48949 - added copying slapd-collations.conf
-- Ticket 48949 - change default file path generation - use os.path.join
-- Ticket 48949 - os.makedirs() exist_ok not python2 compatible, added try/except
-- Ticket 48949 - configparser fallback not python2 compatible
-- Ticket 48946 - openConnection should not fully popluate DirSrv object
-- Ticket 48832 - Add DirSrvTools.getLocalhost() function
-- Ticket 48382 - Fix serverCmd to get sbin dir properly
-- Bug 1347760 - Information disclosure via repeated use of LDAP ADD operation, etc.
-- Ticket 48937 - Cleanup valgrind wrapper script
-- Ticket 48923 - Fix additional issue with serverCmd
-- Ticket 48923 - serverCmd timeout not working as expected
-- Ticket 48917 - Attribute presence
-- Ticket 48911 - Plugin improvements for lib389
-- Ticket 48911 - Improve plugin support based on new mapped objects
-- Ticket 48910 - Fixes for backend tests and lib389 reliability.
-- Ticket 48860 - Add replication tools
-- Ticket 48888 - Correction to create of dsldapobject
-- Ticket 48886 - Fix NSS SSL library in lib389
-- Ticket 48885 - Fix spec file requires
-- Ticket 48884 - Bugfixes for mapped object and new connections
-- Ticket 48878 - better style for backend in backend_test.py
-- Ticket 48878 - pep8 fixes part 2
-- Ticket 48878 - pep8 fixes and fix rpm to build
-- Ticket 48853 - Prerelease installer
-- Ticket 48820 - Begin to test compatability with py.test3, and the new orm
-- Ticket 48434 - Fix for negative tz offsets
-- Ticket 48857 - Remove python-krbV from lib389
-- Ticket 48820 - Fix tests to ensure they work with the new object types
-- Ticket 48820 - Move Encryption and RSA to the new object types
-- Ticket 48820 - Proof of concept of orm style mapping of configs and objects
-- Ticket 48820 - Clitool rename
-- Ticket 48431 - lib389 integrate ldclt
-- Ticket 48434 - lib389 logging tools
-- Ticket 48796 - add function to remove logs
-- Ticket 48771 - lib389 - get ns-slapd version
-- Ticket 48830 - Convert lib389 to ip route tools
-- Ticket 48763 - backup should run regardless of existing backups.
-- Ticket 48434 - lib389 logging tools
-- Ticket 48798 - EL6 compat for lib389 tests for DH params
-- Ticket 48798 - lib389 add ability to create nss ca and certificate
-- Ticket 48433 - Aci linting tools
-- Ticket 48791 - format args in server tools
-- Ticket 48399 - Helper makefile is missing mkdir dist
-- Ticket 48399 - Helper makefile is missing mkdir dist
-- Ticket 48794 - lib389 build requires are on a single line
-- Ticket 48660 - Add function to convert binary values in an entry to base64
-- Ticket 48764 - Fix mit krb password to be random.
-- Ticket 48765 - Change default ports for standalone topology
-- Ticket 48750 - Clean up logging to improve command experience
-- Ticket 48751 - Improve lib389 ldapi support
-- Ticket 48399 - Add helper makefile to lib389 to build and install
-- Ticket 48661 - Agreement test suite fails at the test_changes case
-- Ticket 48407 - Add test coverage module for lib389 repo
-- Ticket 48357 - clitools should standarise their args
-- Ticket 48560 - Make verbose handling consistent
-- Ticket 48419 - getadminport() should not a be a static method
-- Ticket 48408 - RFE escaped default suffix for tests
-- Ticket 48401 - Revert typecheck
-- Ticket 48401 - lib389 Entry hasAttr returs dict instead of false
-- Ticket 48390 - RFE Improvements to lib389 monitor features for rest389
-- Ticket 48358 - Add new spec file
-- Ticket 48371 - weaker host check on localhost.localdomain
-- Ticket 58358 - Update spec file with pre-release versioning
-- Ticket 48358 - Make Fedora packaging changes to the spec file
-- Ticket 48358 - Prepare lib389 for Fedora Packaging
-- Ticket 48364 - Fix test failures
-- Ticket 48360 - Refactor the delete agreement function
-- Ticket 48361 - Expand 389ds monitoring capabilities
-- Ticket 48246 - Adding license/copyright to lib389 files
-- Ticket 48340 - Add basic monitor support to lib389 https://fedorahosted.org/389/ticket/48340
-- Ticket 48353 - Add Replication REST support to lib389
-- Ticket 47840 - Fix regression
-- Ticket 48343 - lib389 krb5 realm management https://fedorahosted.org/389/ticket/48343
-- Ticket 47840 - fix lib389 to use sbin scripts https://fedorahosted.org/389/ticket/47840
-- Ticket 48335 - Add SASL support to lib389
-- Ticket 48329 - Fix case-senstive scyheam comparisions
-- Ticket 48303 - Fix lib389 broken tests
-- Ticket 48329 - add matching rule functions to schema module
-- Ticket 48324 - fix boolean capitalisation (one line) https://fedorahosted.org/389/ticket/48324
-- Ticket 48321 - Improve is_a_dn check to prevent mistakes with lib389 auth https://fedorahosted.org/389/ticket/48321
-- Ticket 48322 - Allow reindex function to reindex all attributes
-- Ticket 48319 - Fix ldap.LDAPError exception processing
-- Ticket 48318 - Do not delete a changelog while disabling a replication by suffix
-- Ticket 48308 - Add __eq__ and __ne__ to Entry to allow fast comparison https://fedorahosted.org/389/ticket/48308
-- Ticket 48303 - Fix lib389 broken tests - backend_test
-- Ticket 48309 - Fix lib389 lib imports
-- Ticket 48303 - Fix lib389 broken tests - agreement_test
-- Ticket 48303 - Fix lib389 broken tests - aci_parse_test
-- Ticket 48301 - add tox support
-- Ticket 48204 - update lib389 for python3
-- Ticket 48273 - Improve valgrind functions
-- Ticket 48271 - Fix for self.prefix being none when SER_DEPLOYED_DIR is none https://fedorahosted.org/389/ticket/48271
-- Ticket 48259 - Add aci parsing utilities to lib389
-- Ticket 48252 - (lib389) adding get_bin_dir and dbscan
-- Ticket 48247 - Change the default user to 'dirsrv'
-- Ticket 47848 - Add new function to create ldif files
-- Ticket 48239 - Fix for prefix allocation of un-initialised dirsrv objects
-- Ticket 48237 - Add lib389 helper to enable and disable logging services.
-- Ticket 48236 - Add get effective rights helper to lib389
-- Ticket 48238 - Add objectclass and attribute type query mechanisms
-- Ticket 48029 - Add missing replication related functions
-- Ticket 48028 - add valgrind wrapper for ns-slapd
-- Ticket 48028 - lib389 - add valgrind functions
-- Ticket 48022 - lib389 - Add all the server tasks
-- Ticket 48023 - create function to test replication between servers
-- Ticket 48020 - lib389 - need to reset args_instance with every DirSrv init
-- Ticket 48000 - Repl agmts need more time to stop
-- Ticket 48004 - Fix various issues
-- Ticket 48000 - replica agreement pause/resume should have a short sleep
-- Ticket 47990 - Add check for ".removed" instances when doing an upgrade
-- Ticket 47990 - Add "upgrade" function to lib389
-- Ticket 47691 - using lib389 with RPMs
-- Ticket 47848 - Add support for setuptools.
-- Ticket 47855 - Add function to clear tmp directory
-- Ticket 47851 - Need to retrieve tmp directory path
-- Ticket 47845 - add stripcsn option to tombstone fixup task
-- Ticket 47851 - Add function to retrieve dirsrvtests data directory
-- Ticket 47845 - Add backup/restore/fixup tombstone tasks to lib389
-- Ticket 47819 - Add the new precise tombstone purging config attribute
-- Ticket 47695 - Add plugins/tasks/Index
-- Ticket 47648 - lib389 - add schema classes, methods
-- Ticket 47671 - CI lib389: allow to open a DirSrv without having to create the instance
-- Ticket 47600 - Replica/Agreement/Changelog not conform to the design
-- Ticket 47652 - replica add fails: MT.list return a list not an entry
-- Ticket 47635 - MT/Backend/Suffix to be conform with the design
-- Ticket 47625 - CI lib389: DirSrv not conform to the design
-- Ticket 47595 - fail to detect/reinit already existing instance/backup
-- Ticket 47590 - CI tests: add/split functions around replication
-- Ticket 47584 - CI tests: add backup/restore of an instance
-- Ticket 47578 - CI tests: removal of 'sudo' and absolute path in lib389
-- Ticket 47568 - Rename DSAdmin class
-- Ticket 47566 - Initial import of DSadmin into 389-test repos
-
-* Mon Oct 16 2017 Mark Reynolds - 1.4.0.1-2
-- Bump version to 1.4.0.1-2
-- Ticket 49400 - Add clang support and libatomic
-
-* Mon Oct 9 2017 Mark Reynolds - 1.4.0.1-1
-- Bump version to 1.4.0.1-1
-- Ticket 49038 - remove legacy replication - change cleanup script precedence
-- Ticket 49392 - memavailable not available
-- Ticket 49235 - pbkdf2 by default
-- Ticket 49279 - remove dsktune
-- Ticket 49372 - filter optimisation improvements for common queries
-- Ticket 49320 - Activating already active role returns error 16
-- Ticket 49389 - unable to retrieve specific cosAttribute when subtree password policy is configured
-- Ticket 49092 - Add CI test for schema-reload
-- Ticket 49388 - repl-monitor - matches null string many times in regex
-- Ticket 49387 - pbkdf2 settings were too aggressive
-- Ticket 49385 - Fix coverity warnings
-- Ticket 49305 - Need to wrap atomic calls
-- Ticket 48973 - Indexing a ExactIA5Match attribute with a IgnoreIA5Match matching rule triggers a warning
-- Ticket 49378 - server init fails
-- Ticket 49305 - Need to wrap atomic calls
-- Ticket 49180 - add CI test
-- Ticket 49180 - errors log filled with attrlist_replace - attr_replace
-
-* Fri Sep 22 2017 Mark Reynolds - 1.4.0.0-1
-- Bump version to 1.4.0.0-1
-
-* Wed Sep 6 2017 Mark Reynolds - 1.3.7.4-1
-- Bump version to 1.3.7.4
-- Ticket 49371 - Cleanup update script
-- Ticket 48831 - Autotune dncache with entry cache.
-- Ticket 49312 - pwdhash -D used default hash algo
-- Ticket 49043 - make replication conflicts transparent to clients
-- Ticket 49371 - Fix rpm build
-- Ticket 49371 - Template dse.ldif did not contain all needed plugins
-- Ticket 49295 - Fix CI Tests
-- Ticket 49050 - make objectclass ldapsubentry effective immediately
-
-* Fri Sep 1 2017 Mark Reynolds - 1.3.7.3-1
-- Bump version to 1.3.7.3
-- Ticket 49354 - fix regression in total init due to mistake in range fetch
-- Ticket 49370 - local password policies should use the same defaults as the global policy
-- Ticket 48989 - Delete slow lib389 test
-- Ticket 49367 - missing braces in idsktune
-- Ticket 49364 - incorrect function declaration.
-- Ticket 49275 - fix tls auth regression
-- Ticket 49038 - Revise creation of cn=replication,cn=config
-- Ticket 49368 - Fix typo in log message
-- Ticket 48059 - Add docstrings to CLU tests
-- Ticket 47840 - Add docstrings to setup tests
-- Ticket 49348 - support perlless and wrapperless install
-
-* Tue Aug 22 2017 Mark Reynolds - 1.3.7.2-1
-- Bump verison to 1.3.7.2
-- Ticket 49038 - Fix regression from legacy code cleanup
-- Ticket 49295 - Fix CI tests
-- Ticket 48067 - Add bugzilla tests for ds_logs
-- Ticket 49356 - mapping tree crash can occur during tot init
-- Ticket 49275 - fix compiler warns for gcc 7
-- Ticket 49248 - Add a docstring to account locking test case
-- Ticket 49445 - remove dead code
-- Ticket 48081 - Add regression tests for pwpolicy
-- Ticket 48056 - Add docstrings to basic test suite
-- Ticket 49349 - global name 'imap' is not defined
-- Ticket 83 - lib389 - Fix tests and create_test.py
-- Ticket 48185 - Remove referint-logchanges attr from referint's config
-- Ticket 48081 - Add regression tests for pwpolicy
-- Ticket 83 - lib389 - Replace topology agmt objects
-- Ticket 49331 - change autoscaling defaults
-- Ticket 49330 - Improve ndn cache performance.
-- Ticket 49347 - reproducable build numbers
-- Ticket 39344 - changelog ldif import fails
-- Ticket 49337 - Add regression tests for import tests
-- Ticket 49309 - syntax checking on referint's delay attr
-- Ticket 49336 - SECURITY: Locked account provides different return code
-- Ticket 49332 - Event queue is not working
-- Ticket 49313 - Change the retrochangelog default cache size
-- Ticket 49329 - Descriptive error msg for USN cleanup task
-- Ticket 49328 - Cleanup source code
-- Ticket 49299 - Add normalized dn cache stats to dbmon.sh
-- Ticket 49290 - improve idl handling in complex searches
-- Ticket 49328 - Update clang-format config file
-- Ticket 49091 - remove usage of changelog semaphore
-- Ticket 49275 - shadow warnings for gcc7 - pass 1
-- Ticket 49316 - fix missing not condition in clock cleanu
-- Ticket 49038 - Remove legacy replication
-- Ticket 49287 - v3 extend csnpl handling to multiple backends
-- Ticket 49310 - remove sds logging in debug builds
-- Ticket 49031 - Improve memberof with a cache of group parents
-- Ticket 49316 - Fix clock unsafety in DS
-- Ticket 48210 - Add IP addr and connid to monitor output
-- Ticket 49295 - Fix CI tests and compiler warnings
-- Ticket 49295 - Fix CI tests
-- Ticket 49305 - Improve atomic behaviours in 389-ds
-- Ticket 49298 - fix missing header
-- Ticket 49314 - Add untracked files to the .gitignore
-- Ticket 49303 - Fix error in CI test
-- Ticket 49302 - fix dirsrv importst due to lib389 change
-- Ticket 49303 - Add option to disable TLS client-initiated renegotiation
-- Ticket 49298 - force sync() on shutdown
-- Ticket 49306 - make -f rpm.mk rpms produces build without tcmalloc enabled
-- Ticket 49297 - improve search perf in bpt by removing a deref
-- Ticket 49284 - resolve crash in memberof when deleting attrs
-- Ticket 49290 - unindexed range searches don't provide notes=U
-- Ticket 49301 - Add one logpipe test case
-
-* Fri Aug 11 2017 Igor Gnatenko - 1.3.7.1-2.5
-- Rebuilt after RPM update (№ 3)
-
-* Thu Aug 10 2017 Igor Gnatenko - 1.3.7.1-2.4
-- Rebuilt for RPM soname bump
-
-* Thu Aug 10 2017 Igor Gnatenko - 1.3.7.1-2.3
-- Rebuilt for RPM soname bump
-
-* Wed Aug 02 2017 Fedora Release Engineering - 1.3.7.1-2.2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Wed Jul 26 2017 Fedora Release Engineering - 1.3.7.1-2.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Thu Jun 29 2017 Mark Reynolds - 1.3.7.1-2
-- Bump version to 1.3.7.1-2
-- Fix specfile for python dependency issue with ds-replcheck
-
-* Mon Jun 26 2017 Mark Reynolds - 1.3.7.1-1
-- Bump verson to 1.3.7.1
-- Ticket 49288 - RootDN Access wrong plugin path in template-dse.ldif.in
-- Ticket 49289 - Improve result handling from connections with NS
-- Ticket 49294 - radiusd before in unit file
-- Ticket 49293 - inttypes in nunc-stans
-- Ticket 49295 - Fix latest CI test failures
-- Ticket 623 - Add test case and refactor the cleanallruv suite
-- Ticket 49291 - slapi_search_internal_callback_pb may SIGSEV if related pblock has not operation set
-- Ticket 49008 - Fix MO plugin betxn test
-- Ticket 48944 - Add CI test case
-- Ticket 49227 - ldapsearch does not return the expected Error log level
-- Ticket 49028 - Add autotuning test suite
-- Ticket 49281 - improve db2* tests
-- Ticket 49273 - bak2db doesn't operate with dbversion
-- Ticket 49184 - adjust logging level in MO plugin
-- Ticket 49257 - Update CI script
-- Ticket 49257 - only register modify callbacks
-- Ticket 49008 - Adjust CI test for new memberOf behavior
-- Ticket 49273 - Fix compiler warning in dbversion_write, missing newline
-- Ticket 49277 - improve out of box system tuning for EL7
-- Ticket 49273 - crash when DBVERSION is corrupt.
-- Ticket 49273 - crash when DBVERSIOn is corrupt.
-- Ticket 49268 - master branch fails on big endian systems
-- Ticket 49271 - Fix pbkdf2 and openssl missing issue
-- Ticket 49242 - add gdb script to rpm
-- Ticket 49269 - Fix coverity errors
-- Ticket 49241 - add symblic link location to db2bak.pl output
-- Ticket #49072: memberOf fixup task does not validate args
-- Ticket 49257 - Reject nsslapd-cachememsize & nsslapd-cachesize when nsslapd-cache-autosize is set
-- Ticket 48538 - Failed to delete old semaphore
-- Ticket 49231 - force EXTERNAL always
-- Ticket 49267 - autosize split of 0 results in dbcache of 0
-- Ticket 49099 - resolve systemd startup interaction with ns
-- Ticket 49157 - fix error in ds-logpipe.py
-- Ticket 48864 - remove config.h from spal header.
-- Ticket 48681 - logconv.pl - Fix SASL Bind stats and rework report format
-- Ticket 49261 - Fix script usage and man pages
-- Ticket 49238 - AddressSanitizer: heap-use-after-free in libreplication
-- Ticket 48864 - Fix FreeIPA build
-- Ticket 49257 - Reject dbcachesize updates while auto cache sizing is enabled
-- Ticket 49249 - cos_cache is erroneously logging schema checking failure
-- Ticket 49248 - update eduPerson to 201602
-- Ticket 48050 - Add a test case for an issue 49014
-- Ticket 49258 - Allow nsslapd-cache-autosize to be modified while the server is running
-- Ticket 49165 - Fix compiler warnings
-- Ticket 49247 - resolve build issues on debian
-- Ticket 48123 - create contrib section
-- Ticket 49099 - fix configure.ac due to NS change
-- Ticket 49250 - remove mempool experimental!
-- Ticket 49099 - ns workers prep
-- Ticket 49185 - Fix leaks in compute init and dblayer
-- Ticket 49246 - ns-slapd crashes in role cache creation
-- Ticket 49244 - resolve various test case issues
-- Ticket 49157 - ds-logpipe.py crashes for non-existing users
-- Ticket 49053 - Fix rpm build
-- Ticket 49237 - Drop support for libdb older than 4.7
-- Ticket 49053 - Enable flto for DS
-- Ticket 49243 - segv in memberof fixup
-- Ticket 48985 - Add schema for nested groups to work out of box.
-- Ticket 49241 - Update man page and usage for db2bak.pl
-- Ticket 49071 - Add test case to tickets
-- Ticket 49075 - Adjust logging severity levels
-- Ticket 47662 - db2index not properly evalauating arguments
-- Ticket 49240 - ci compiler warns
-- Ticket 48989 - fix perf counters
-- Ticket 48681 - logconv.pl - fix sasl/bind stats
-- Ticket 49097 - fix pblock whitespace
-- Ticket 49097 - fix the pblock to be a hierachial structure
-- Ticket 49239 - move ds-replcheck man page and add script
-- Ticket 49239 - Add a tool to compare entries on LDAP servers.
-- Ticket 49231 - fix sasl mech handling
-- Ticket 49233 - Fix crash in persistent search
-- Ticket 49225 - Fix CI Test
-- Ticket 49230 - slapi_register_plugin creates config entry where it should not
-- Ticket 49225 - Add additional CRYPT password storage schemes
-
-* Wed Jun 07 2017 Jitka Plesnikova - 1.3.6.6-3.23
-- Perl 5.26 re-rebuild of bootstrapped packages
-
-* Tue Jun 6 2017 Mark Reynolds - 1.3.6.6-3.2
-- Revise server upgrade logic
-
-* Sun Jun 04 2017 Jitka Plesnikova - 1.3.6.6-3.1
-- Perl 5.26 rebuild
-
-* Thu May 25 2017 Charalampos Stratakis - 1.3.6.6-3
-- Bump verstion to 1.3.6.6-3
-- Ensure the binaries are pointing to the Python 3 interpreter (rhbz#1244234)
-
-* Mon May 22 2017 Mark Reynolds - 1.3.6.6-2
-- Bump version to 1.3.6.6-2
-- Disable tcmalloc on ppc64 & ppc64le - crash in makstrdb during build
-
-* Mon May 22 2017 Mark Reynolds - 1.3.6.6-1
-- Bump version to 1.3.6.6-1
-- Ticket 49157 - fix error in ds-logpipe.py
-- Ticket 48864 - remove config.h from spal header.
-- Ticket 48681 - logconv.pl - Fix SASL Bind stats and rework report format
-- Ticket 49261 - Fix script usage and man pages
-- Ticket 49238 - AddressSanitizer: heap-use-after-free in libreplication
-- Ticket 48864 - Fix FreeIPA build
-- Ticket 49257 - Reject dbcachesize updates while auto cache sizing is enabled
-- Ticket 49249 - cos_cache is erroneously logging schema checking failure
-- Ticket 49258 - Allow nsslapd-cache-autosize to be modified while the server is running
-- Ticket 49247 - resolve build issues on debian
-- Ticket 49246 - ns-slapd crashes in role cache creation
-- Ticket 49157 - ds-logpipe.py crashes for non-existing users
-- Ticket 49241 - Update man page and usage for db2bak.pl
-- Ticket 49075 - Adjust logging severity levels
-- Ticket 47662 - db2index not properly evaluating arguments
-- Ticket 48989 - fix perf counters
-
-* Thu Apr 27 2017 Mark Reynolds - 1.3.6.5-1
-- Bump version to 1.3.6.5-1
-- Ticket 49231 - fix sasl mech handling
-- Ticket 49233 - Fix crash in persistent search
-- Ticket 49230 - slapi_register_plugin creates config entry where it should not
-- Ticket 49135 - PBKDF2 should determine rounds at startup
-- Issue 49236 - Fix CI Tests
-- Ticket 48310 - entry distribution should be case insensitive
-- Ticket 49224 - without --prefix, $prefixdir would be NONE in defaults.
-
-* Fri Apr 21 2017 Mark Reynolds - 1.3.6.4-1
-- Bump version to 1.3.6.4-1
-- Ticket 49228 - Fix SSE4.2 detection.
-- Ticket 49229 - Correct issues in latest commits -- Ticket 49226 - Memory leak in ldap-agent-bin -- Ticket 49214 - Implement htree concept -- Ticket 49119 - Cleanup configure.ac options and defines -- Ticket 49097 - whitespace fixes for pblock change -- Ticket 49097 - Pblock get/set cleanup -- Ticket 49222 - Resolve various test issues on rawhide -- Issue 48978 - Fix the emergency logging functions severity levels -- Issue 49227 - ldapsearch for nsslapd-errorlog-level returns incorrect values -- Ticket 49041 - nss won't start if sql db type set -- Ticket 49223 - Fix sds queue locking -- Issue 49204 - Fix 32bit arch build failures -- Issue 49204 - Need to update function declaration -- Ticket 49204 - Fix lower bounds on import autosize + On small VM, autotune breaks the access of the suffixes -- Issue 49221 - During an upgrade the provided localhost name is ignored -- Issue 49220 - Remote crash via crafted LDAP messages (SECURITY FIX) -- Ticket 49184 - Overflow in memberof -- Ticket 48050 - Add account policy tests to plugins test suite -- Ticket 49207 - Supply docker POC build for DS. 
-- Issue 47662 - CLI args get removed
-- Issue 49210 - Fix regression when checking is password min age should be checked
-- Ticket 48864 - Add cgroup memory limit detection to 389-ds
-- Issue 48085 - Expand the repl acceptance test suite
-- Ticket 49209 - Hang due to omitted replica lock release
-- Ticket 48864 - Cleanup memory detection before we add cgroup support
-- Ticket 48864 - Cleanup up broken format macros and imports
-- Ticket 49153 - Remove vacuum lock on transaction cleanup
-- Ticket 49200 - provide minimal dse.ldif for python installer
-- Issue 49205 - Fix logconv.pl man page
-- Issue 49177 - Fix pkg-config file
-- Issue 49035 - dbmon.sh shows pages-in-use that exceeds the cache size
-- Ticket 48432 - Linux capabilities on ns-slapd
-- Ticket 49196 - Autotune generates crit messages
-- Ticket 49194 - Lower default ioblock timeout
-- Ticket 49193 - gcc7 warning fixes
-- Issue 49039 - password min age should be ignored if password needs to be reset
-- Ticket 48989 - Re-implement lock counter
-- Issue 49192 - Deleting suffix can hang server
-- Issue 49156 - Modify token :assert: to :expectedresults:
-- Ticket 48989 - missing return in counter
-- Ticket 48989 - Improve counter overflow fix
-- Ticket 49190 - Upgrade lfds to 7.1.1
-- Ticket 49187 - Fix attribute definition
-- Ticket 49185 - Fix memleak in compute init
-
-* Wed Mar 22 2017 Mark Reynolds - 1.3.6.3-4
-- Bump verson to 1.3.6.3-4
-- Issue 49177 - rpm would not create valid pkgconfig files(pt2)
-
-* Wed Mar 22 2017 Mark Reynolds - 1.3.6.3-3
-- Bump version to 1.3.6.3-3
-- Ticket 49186 - Fix NS to improve shutdown relability
-- Ticket 49174 - nunc-stans can not use negative timeout
-- Ticket 49076 - To debug DB_DEADLOCK condition, allow to reset DB_TXN_NOWAIT flag on txn_begin
-- Issue 49188 - retrocl can crash server at shutdown
-- Ticket 47840 - Add setup_ds test suite
-
-* Tue Mar 21 2017 Mark Reynolds - 1.3.6.3-2
-- Bump version to 1.3.6.3-2
-- Fix srvcore version dependancy
-
-* Tue Mar 21
2017 Mark Reynolds - 1.3.6.3-1
-- Bump verson to 1.3.6.3
-- Issue 48989 - Overflow in counters and monitor
-- Issue 49095 - targetattr wildcard evaluation is incorrectly case sensitive
-- Ticket 49177 - rpm would not create valid pkgconfig files
-- Issue 49176 - Remove tcmalloc restriction from s390x
-- Issue 49157 - ds-logpipe.py crashes for non-existing users
-- Issue 49065 - dbmon.sh fails if you have nsslapd-require-secure-binds enabled
-- Issue 49095 - Fix double-free in _cl5NewDBFile() error path
-
-* Wed Mar 15 2017 Mark Reynolds - 1.3.6.2-2
-- Bump verson to 1.3.6.2-2
-- Issue 49169 - Fix covscan errors(regression)
-- Ticket 49172 - Fix test schema files
-- Ticket 49171 - Nunc Stans incorrectly reports a timeout
-- Ticket 49171 - Nunc Stans incorrectly reports a timeout
-- Issue 49169 - Fix covscan errors
-
-* Tue Mar 14 2017 Mark Reynolds - 1.3.6.2-1
-- Bump version to 1.3.6.2-1
-- Ticket 49164 - Change NS to acq-rel semantics for atomics
-- Ticket 49154 - Nunc Stans stress should assert it has 95% success rate
-- Ticket 49165 - pw_verify did not handle external auth
-- Issue 49062 - Reset agmt update staus and total init
-- Ticket 49151 - Remove defunct selinux policy
-
-* Fri Mar 10 2017 Mark Reynolds - 1.3.6.1-2
-- Bump version to 1.3.6.1-2
-- Issue 49162 - Only check event.m4 if nunc-stans is enabled
-- Issue 49156 - Add more IDs and fix docstrings
-- Issue 49156 - Fix typo in the import
-- Ticket 49160 - Fix sds benchmark and copyright
-- Issue 47536 - Fix CI testcase
-- Issue 49159 - test_schema_comparewithfiles fails with python-ldap>=2.4.26
-- Issue 49156 - Clean up test suites dir structure and docstrings
-- Issue 49158 - fix latest coverity issues
-- Ticket 49155 - Fix db2ldif path in test
-- Issue 49122 - Fix rpm build
-- Issue 49044 - Fix script usage and man pages
-- Ticket 48707 - Update rfc to accomodate that authid is mandatory
-- Ticket 49141 - Enable tcmalloc
-- Ticket 49142 - bytes vs unicode in plugin tests
-- Ticket 49139 - Update
makefile and rpm for import
-- Ticket 49139 - Import libsds and nunc-stans for bundling
-- Issue 49122 - Filtered nsrole that uses nsrole crashes the server
-- Issue 49147 - Fix tests compatibility with older versions
-- Issue 49141 - Fix spec file for tcmalloc
-- Issue 49141 - Use tcmalloc by default
-- Ticket 49086 - SDN premangaling broken after SASL change
-- Ticket 49137 - Add sasl plain test - ds
-- Ticket 49138 - Increase systemd timout
-- Issue 48226 - Fix CI test
-- Ticket 49140 - Remove legacy inst reference in test
-- Ticket 49134 Remove hardcoded elements from db lock test
-- Fix compiler warning
-- Ticket 47925 - Move add and delete operation aci checks to be before plugins.
-- Ticket 49086 - public api compatability test for SDN changes.
-- Ticket 49116 - Pblock usage analytics
-- Ticket 49020 - Add CI test
-- Revise README for pagure
-- Ticket #49121 - ns-slapd crashes in ldif_sput due to the output buf size is less than the real size.
-- Ticket 48085 - Add replica acceptance test suite
-- Ticket 49008 - Fix regression in check if ruv element exists
-- Ticket 49108 - ds_selinux_port_query doesn't detect ports labeled with range
-- Ticket 49057 - Fix tests failures on older versions of DS
-- Ticket 49111 - Integrate cmocka skeleton to Directory Server
-- Ticket 49016 - (un)register/migration/remove may fail if there is no suffix on 'userRoot' backend
-- Ticket 48085 - Add single master replication test suite
-- Ticket #49104 - Add CI test
-- Ticket #49104 - dbscan-bin crashing due to a segmentation fault
-- Ticket 49105 - Sig FPE when ns-slapd has 0 backends.
-- Ticket 49075 - Adjust log severity levels
-- Ticket 49008 - Add CI test
-- Ticket 49008 v2: aborted operation can leave RUV in incorrect state
-- Ticket 47973 - CI Test case (test_ticket47973_case)
-- Ticket 47973 - CI Test case (test_ticket47973_case)
-- Ticket 47973 - custom schema is registered in small caps after schema reload
-- Ticket 49089 - List library build deps
-- Ticket 49085 - Make a short topology fixture alias
-- Ticket #49088 - 389-ds-base rpm postinstall script bugs
-- Ticket 49028 - Autosize database cache by default.
-- Ticket 49089 - Fix invalid cxxlink statement from hpux
-- Ticket 49087 - ds resolve jenkins issues.
-- Ticket #49082 - Adjusted the CI test case to the fix.
-- Ticket #49082 - Fix password expiration related shadow attributes
-- Ticket #49080 - shadowExpire should not be a calculated value
-- Ticket 49027 - on secfailure do not store cleartext password content
-- Ticket 49031 - Improve memberof with a cache of ancestors for groups
-- Ticket 49079: deadlock on cos cache rebuild
-- Ticket 48665 - Fix RHEL6 test compatibility issues
-- Ticket 49055 - Fix create_test.py issues
-- Ticket 48797 - Add freebsd support to ns-slapd: main
-- Ticket 49055 - Refactor create_test.py
-- Ticket 49060 - Increase number of masters, hubs and consumers in topology
-- Ticket 49055 - Clean up test tickets and suites
-- Ticket 48964 - should not free repl name after purging changelog
-- Ticket 48050 - Refactor acctpolicy_plugin suite
-- Ticket 48964 - cleanallruv changelog purging removes wrong rid
-- Ticket 49073: nsDS5ReplicatedAttributeListTotal fails when excluding no attribute
-- Ticket 49074 - incompatible nsEncryptionConfig object definition prevents RHEL 7->6 schema replication
-- Ticket 48835 - package tests into python site packages - fix rpm
-- Ticket 49066 - Memory leaks in server - part 2
-- Ticket 49072 - validate memberof fixup task args
-- Ticket 49071 - Import with duplicate DNs throws unexpected errors
-- Ticket 47858 - Add test
case for nsTombstone
-- Ticket 48835 - Tests with setup.py.in
-- Ticket 49066 - Memory leaks in server
-- Ticket 47982 - Add CI test suite ds_logs
-- Ticket 49052 - Environment quoting on fedora causes ds to fail to start.
-- Ticket 47662 - Better input argument validation and error messages for cli tools
-- Ticket 48681 - logconv.pl lists sasl binds with no dn as anonymous
-- Ticket 48861: memberof plugin tests suite
-- Ticket 48861: Memberof plugins can update several times the same entry to set the same values
-- Ticket 48163 - Re-space schema.c
-- Ticket 48163 - Read schema from multiple locations
-- Ticket 48894 - improve entrywsi delete
-- Ticket 49051 - Enable SASL LOGIN/PLAIN support as a precursor to LDAPSSOTOKEN
-- Ticket 49020 - do not treat missing csn as fatal
-- Ticket 48133 v2 Non tombstone entry which dn starting with "nsuniqueid=...," cannot be delete
-- Ticket 49055 - Clean up test suites
-- Ticket 48797 - Add freebsd support to ns-slapd: Configure and makefile.
-- Ticket 48797 - Add freebsd support to ns-slapd: Add freebsd support for ldaputil
-- Ticket 48797 - Add freebsd support to ns-slapd: Add support for dsktune
-- Ticket 48797 - Add freebsd support to ns-slapd: Add support for cpp in Fbsd
-- Ticket 48797 - Add freebsd support to ns-slapd: Header files
-- Ticket 48978 - Fix implicit function declaration
-- Ticket 49002 - Remove memset on allocation
-- Ticket 49021 - Automatic thread tuning
-- Ticket 48894 - Issues with delete of entrywsi with large entries.
-- Ticket 49054 - Fix sasl_map unused paramater compiler warnings.
-- Ticket 48050 - Add test suite to acctpolicy_plugin
-- Ticket 49048 - Fix rpm build failure
-- Ticket 49042 - Test failure that expects old default
-- Ticket 49042 - Increase cache defaults slightly
-- Ticket 48894 - Issue with high number of entry state objects.
-- Ticket 48978 - Fix more log refactoring issues
-- Ticket 48707 - Draft Ldap SSO Token proposal
-- Ticket 49024 - Fix the rest of the CI failures
-- Ticket #48987 - Heap use after free in dblayer_close_indexes
-- Ticket 48945 - Improve db2ldif error message.
-- Ticket 49024 - Fix inst_dir parameter in defaults.inf
-- Ticket 49024 - Fix dbdir paths and adjust test cases
-- Ticket 48961 - Allow reset of configuration values to defaults.
-- Ticket #47911 - Move dirsrv-snmp.service to 389-ds-base-snmp package
-- Ticket bz1358565 - Fix compiler warning about unused variable
-- Ticket bz1358565 - clear and unsalted password types are vulnerable to timing attack
-- Ticket 49016 - (un)register/migration/remove may fail if there is no suffix on 'userRoot' backend
-- Ticket 397 - Add PBKDF2 to Directory Server password storage.
-- Ticket 49024 - Fix CI test failures and defaults.inf
-- Ticket 49026 - Support nunc-stans pkgconfig
-- Ticket 49025 - Upgrade nunc-stans to 0.2.1
-- Ticket 48978 - error log refactoring error
-
-* Fri Feb 10 2017 Fedora Release Engineering - 1.3.6.1-1.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Thu Oct 27 2016 Noriko Hosoi - 1.3.6.1-0
-- Bump version to 1.3.6.1-1
-- Ticket 142 - Refactor and move CI test
-- Ticket 47703 - remove search limit for aci group evaluation
-- Ticket 47978 - Refactor slapi_log_error
-- Ticket 48272 - ADDN Sytle prebind plugin
-- Ticket 48272 - Fix compiler warnings for addn
-- Ticket 48278 - cleanAllRUV should remove keep-alive entry
-- Ticket 48328 - Add missing dependency
-- Ticket 48414 - cleanAllRUV should clean the agreement RUV
-- Ticket 48538 - Failed to delete old semaphore
-- Ticket 48805 - Misleading indent and Uninitialised struct member
-- Ticket 48805 - Sign comparison checks.
-- Ticket 48832 - Fix CI test suite for password min age
-- Ticket 48896 - CI test: test case for ticket 48896
-- Ticket 48896 - Default Setting for passwordMinTokenLength does not work
-- Ticket 48906 - Allow nsslapd-db-locks to be configurable online
-- Ticket 48909 - Replication stops working in FIPS mode
-- Ticket 48921 - CI Replication stress tests have limits set too low
-- Ticket 48944 - on a read only replica invalid state info can accumulate
-- Ticket 48947 - Update default password hash to SSHA512
-- Ticket 48957 - Update repl-monitor to handle new status messages
-- Ticket 48969 - nsslapd-auditfaillog always has an explicit path
-- Ticket 48978 - Build fails on i686
-- Ticket 48978 - Convert slapi_log_error() to a variadic macro
-- Ticket 48978 - Fine tune error logging
-- Ticket 48978 - Fix CI test to account for new logging format
-- Ticket 48978 - Fix logging format errors and replace LDAP_DEBUG
-- Ticket 48978 - refactor LDADebug() to slapi_log_err()
-- Ticket 48978 - refactor LDAPDebug()
-- Ticket 48978 - Update error logging with new codes
-- Ticket 48978 - Update the logging function to accept sev level
-- Ticket 48979 - Allow to compile 389ds with warning Wstrict-prototypes
-- Ticket 48979 - Strict Prototypes
-- Ticket 48982 - Comment about resolving failure to open plugin.
-- Ticket 48982 - Enabling a plugin that has a versioned so causes overflow
-- Ticket 48982 - One line fix, remove unused variable.
-- Ticket 48982 - When plugin doesn't enable, actually log the path it used
-- Ticket 48983 - Configure and Makefile.in from new default paths work.
-- Ticket 48983 - generate install path info from autotools scripts
-- Ticket 48984 - Add lib389 paths module
-- Ticket 48986 - 47808 triggers overflow in uiduniq.c
-- Ticket 48992 - Total init may fail if the pushed schema is rejected
-- Ticket 48996 - Fix rpm to work with ns 0.2.0
-- Ticket 48996 - remove unused variable.
-- Ticket 48996 - update DS for ns 0.2.0
-- Ticket 49005 - Update lib389 to work in containers correctly.
-- Ticket 49006 - Enable nunc-stans by default.
-- Ticket 49006 - Nunc stans use DS stack size
-- Ticket 49007 - Update configure scripts
-- Ticket 49007 - Update DS basic test to better work with systemd.
-- Ticket 49009 - args debug logging must be more restrictive
-- Ticket 49011 - Remove configure artifacts
-- Ticket 49012 - Removed un-used counters
-- Ticket 49013 - Correct signal handling with NS in DS
-- Ticket 49014 - ns-accountstatus.pl shows wrong status for accounts inactivated by Account policy plugin
-- Ticket 49017 - Various minor test failures
-- use a consumer maxcsn only as anchor if supplier is more advanced
-
-* Mon Oct 24 2016 Mark Reynolds - 1.3.5.14-2
-- Bump version to 1.3.5.14-2
-- Ticket 49011 - Remove configure artifacts
-- Ticket 49006 - Enable nunc-stans 0.2.0 by default
-
-* Thu Oct 13 2016 Mark Reynolds - 1.3.5.14-1
-- Bump version to 1.3.5.14-1
-- Ticket 48992 - Total init may fail if the pushed schema is rejected
-- Ticket 48832 - Fix CI test suite for password min age
-- Ticket 48983 - Configure and Makefile.in from new default paths work.
-- Ticket 48983 - Configure and Makefile.in from new default paths work.
-- Ticket 48983 - generate install path info from autotools scripts
-- Ticket 48944 - on a read only replica invalid state info can accumulate
-- Ticket 48766 - use a consumer maxcsn only as anchor if supplier is more advanced
-- Ticket 48921 - CI Replication stress tests have limits set too low
-- Ticket 48969 - nsslapd-auditfaillog always has an explicit path
-- Ticket 48957 - Update repl-monitor to handle new status messages
-- Ticket 48832 - Fix CI tests
-- Ticket 48975 - Disabling CLEAR password storage scheme will crash server when setting a password
-- Ticket 48369 - Add CI test suite
-- Ticket 48970 - Serverside sorting crashes the server
-- Ticket 48972 - remove old pwp code that adds/removes ACIs
-- Ticket 48957 - set proper update status to replication agreement in case of failure
-- Ticket 48950 - Add systemd warning to the LD_PRELOAD example in /etc/sysconfig/dirsrv
-- provide backend dir in suffix template
-- Ticket 48953 - Skip labelling and unlabelling ports during the test
-- Ticket 48967 - Add CI test and refactor test suite
-- Ticket 48967 - passwordMinAge attribute doesn't limit the minimum age of the password
-- Fix jenkins warnings about unused vars
-- Ticket 48402 - v3 allow plugins to detect a restore or import
-- Ticket #48969 - nsslapd-auditfaillog always has an explicit path
-- Ticket 48964 - cleanAllRUV changelog purging incorrectly processes all backends
-- Ticket 48965 - Fix building rpms using rpm.mk
-- Ticket 48965 - Fix generation of the pre-release version
-- Bugzilla 1368956 - man page of ns-accountstatus.pl shows redundant entries for -p port option
-- Ticket 48960 - Crash in import_wait_for_space_in_fifo().
-- Ticket 48832 - Fix more CI test failures
-- Ticket 48958 - Audit fail log doesn't work if audit log disabled.
-- Ticket 48956 - ns-accountstatus.pl showing "activated" user even if it is inactivated
-- Ticket 48954 - replication fails because anchorcsn cannot be found
-- Ticket 48832 - Fix CI tests failures from jenkins server
-- Ticket 48950 - Change example in /etc/sysconfig/dirsrv to use tcmalloc
-
-
-* Mon Aug 8 2016 Noriko Hosoi - 1.3.5.13-1
-- Release 1.3.5.13-1
-- Ticket 48450 - Autotools components for ds_systemd_ask_password_acl
-
-* Thu Aug 4 2016 Noriko Hosoi - 1.3.5.12-1
-- Release 1.3.5.12-1
-- Ticket 48450 - Add prestart work around for systemd ask password
-- Ticket 48943 - When fine-grained policy is applied, a sub-tree has a priority over a user while changing password
-- Ticket 47976 - Add fixed CI test case
-- Ticket 48882 - server can hang in connection list processing
-- Ticket 48921 - Adding replication and reliability tests
-- Ticket 48936 - Duplicate collation entries
-- Ticket 48832 - Fix timing and localhost issues
-- Ticket 48832 - Fix pytest compatibility in CI tests
-- Ticket 48832 - CI Tests - make tests more portable
-- Ticket 48943 - Add CI Test for the password test suite
-- Ticket 48940 - DS logs have warning:ancestorid not indexed
-- Ticket 48934 - remove-ds.pl deletes an instance even if wrong prefix was specified
-- Ticket 48336 - Missing semanage dependency
-- Bug 1347760 - Additional CI test case
-- Resolves: Bug 1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc.
-- Ticket 48832 - CI tests - convert all the tests to use py.test -- Ticket 48939 - nsslapd-workingdir is empty when ns-slapd is started by systemd -- Ticket 48935 - Update dirsrv.systemd file -- Ticket 48832 - Fix lib389 CI ticket/suite test failures -- Ticket 47824 - Remove CI test from tickets and add logging -- Ticket 48930 - Paged result search can hang the server -- Ticket 48191 - Move CI test to the pr suite and refactor -- Ticket 48928 - log of page result cookie should log empty cookie with a different value than 0 -- Ticket 48752 - Add CI test -- Ticket 47664 - Move CI test to the pr suite and refactor - -* Thu Jul 14 2016 Noriko Hosoi - 1.3.5.11-1 -- Release 1.3.5.11-1 -- Ticket 48144 - Add /usr/sbin/status-dirsrv script to get the status of the directory server instance. -- Ticket 48743 - If a cipher is disabled do not attempt to look it up -- Ticket 48755 - moving an entry could make the online init fail -- Ticket 48767 - flow control in replication also blocks receiving results -- Ticket 48912 - ntUserNtPassword schema -- Ticket 48914 - db2bak.pl task enters infinitive loop when bak fs is almost full -- Ticket 48916 - DNA Threshold set to 0 causes SIGFPE -- Ticket 48918 - Upgrade to 389-ds-base >= 1.3.5.5 doesn't install 389-ds-base-snmp -- Ticket 48919 - Compiler warnings while building 389-ds-base on RHEL7 -- Ticket 48920 - Memory leak in pwdhash-bin -- Ticket 48922 - Fix crash when deleting backend while import is running -- Ticket 48924 - Fixup tombstone task needs to set proper flag when updating tombstones -- Ticket 48925 - slapd crash with SIGILL: Dsktune should detect lack of CMPXCHG16B -- Bug 1347761 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc. -- Bug 1353956 - Upgrade from FreeIPA Fedora 23 container to Fedora 24 fails with syntax error at - /usr/share/dirsrv/updates/91reindex.pl line 17, near ") - Regression introduced by Ticket 48755 to 1.3.5.10-1. 
-- Bug 1350393 - setup-ds.pl fails on F24 if perl-Errno is not updated (DS 48901)
-- Bug 1114928 - etup-ds.pl creates configuration files under /usr (DS 528, 47840)
-
-* Fri Jul 1 2016 Noriko Hosoi - 1.3.5.10-1
--Release 1.3.5.10-1
-- Ticket 47538 - Fix repl-monitor color and lag times
-- Ticket 47538 - repl-monitor.pl legend not properly sorted
-- Ticket 47538 - repl-monitor.pl not displaying correct color code for lag time
-- Ticket 48109 - substring index with nssubstrbegin: 1 is not being used with filters like (attr=x*)
-- Ticket 48346 - ldaputil code cleanup
-- Ticket 48346 - log too verbose when re-acquiring expired ticket
-- Ticket 48354 - Review of default ACI in the directory server
-- Ticket 48366 - proxyauth does not work bound as directory manager
-- Ticket 48449 - Import readNSState.py from RichM's repo
-- Ticket 48636 - Fix config validation check
-- Ticket 48637 - DN cache is not always updated when ADD operation fails
-- Ticket 48745 - Matching Rule caseExactIA5Match indexes incorrectly values with upper cases
-- Ticket 48755 - CI test: test case for ticket 48755
-- Ticket 48755 - moving an entry could make the online init fail
-- Ticket 48889 - ldclt - fix man page and usage info
-- Ticket 48891 - ns-slapd crashes during the shutdown after adding attribute with a matching rule
-- Ticket 48892 - Wrong result code display in audit-failure log
-- Ticket 48893 - cn=config should not have readable components to anonymous
-- Ticket 48895 - tests package should be noarch
-- Ticket 48898 - Crash during shutdown if nunc-stans is enabled
-- Ticket 48899 - Values of dbcachetries/dbcachehits in cn=monitor could overflow.
-- Ticket 48900 - Add connection perf stats to logconv.pl -- Ticket 48902 - Strdup pwdstoragescheme name to prevent misbehaving plugins -- Ticket 48904 - syncrepl search returning error 329; plugin sending a bad error code -- Ticket 48905 - coverity defects - -* Tue Jun 14 2016 Noriko Hosoi - 1.3.5.6-1 -- Release 1.3.5.6-1 -- Ticket 48234 - CI test: test case for ticket 48234 -- Ticket 48234 - "matching rules" in ACI's "bind rules not fully evaluated -- Ticket 48636 - Improve replication convergence -- Revert "Ticket 48755 - moving an entry could make the online init fail" -- Ticket 48766 - Replication changelog can incorrectly skip over updates -- Ticket 47982 - Fix log hr timestamps when invalid value is set in cn=config - -* Mon Jun 13 2016 Noriko Hosoi - 1.3.5.5-1 -- Release 1.3.5.5-1 -- Ticket 48848 - modrdn deleteoldrdn can fail to find old attribute value, perhaps due to case folding -- Ticket 48832 - CI test - fix ticket failures -- Ticket 48833 - 389 showing inconsistent values for shadowMax and shadowWarning in 1.3.5.1 -- Ticket 48873 - Backend should accept the reduced cache allocation when issane == 1 -- Ticket 48815 - ns-accountstatus.pl - fix DN normalization -- Ticket 48880 - adding pre/post extop ability -- Ticket 48449 - Import readNSState from richm's repo -- Ticket 48877 - Fixes for RPM spec with spectool -- Ticket 48404 - libslapd owned by libs and devel -- Ticket 48326 - Move CI test to config test suite and refactor -- Ticket 48755 - CI test: test case for ticket 48755 -- Ticket 48755 - moving an entry could make the online init fail -- Ticket 48870 - Correct plugin execution order due to changes in exop -- Ticket 48799 - Test cases for objectClass values being dropped. 
-- Ticket 48863 - remove check for vmsize from util_info_sys_pages -- Ticket 48872 - Fix segfault and use after free in plugin shutdown -- Ticket 48862 - At startup DES to AES password conversion causes timeout in start script -- Ticket 48275 - search returns no entry when OR filter component contains non readable attribute -- Ticket 47911 - split out snmp agent into a subpackageTicket 47911 -- Ticket 48336 - setup-ds should detect if port is already defined -- Ticket 48858 - Segfault changing nsslapd-rootpw -- Ticket 48855 - Add basic pwdPolicy tests -- Ticket 48747 - dirsrv service fails to start when nsslapd-listenhost is configured -- Ticket 48752 - Page result search should return empty cookie if there is no returned entry -- Ticket 48854 - Running db2index with no options breaks replication -- Ticket 48850 - Correct memory leaks in pwdhash-bin and ns-slapd -- Ticket 48849 - Systemd introduced incompatible changes that breaks ds build -- Ticket 48846 - 32 bit systems set low vmsize -- Ticket 48846 - Older kernels do not expose memavailable -- Ticket 48846 - Rlimit checks should detect RLIM_INFINITY -- Ticket 48617 - Coverity fixes -- Ticket 48745 - Matching Rule caseExactIA5Match indexes incorrectly values with upper cases -- Ticket 48844 - Regression introduced in matching rules by DS 48746 -- Ticket 48363 - CI test - add test suite -- Ticket 48795 - Make various improvements to create_test.py -- Ticket 48834 - Fix jenkins: discared qualifier on auditlog.c -- Ticket 48834 - Modifier's name is not recorded in the audit log with modrdn and moddn operations -- Ticket 48754 - ldclt should support -H - -* Thu May 19 2016 Jitka Plesnikova - 1.3.5.4-1.1 -- Perl 5.24 re-rebuild of bootstrapped packages - -* Wed May 18 2016 Noriko Hosoi - 1.3.5.4-1 -- Release 1.3.5.4-1 -- Ticket 48836 - replication session fails because of permission denied -- Ticket 47819 - RFE - improve tombstone purging performance -- Ticket 48837 - Replication: total init aborted -- Ticket 48617 - 
Server ram checks work in isolation -- Ticket 48220 - The "repl-monitor" web page does not display "year" in date. -- Ticket 48829 - Add gssapi sasl replication bind test -- Ticket 48497 - uncomment pytest from CI test -- Ticket 48828 - db2ldif is not taking into account multiple suffixes or backends -- Ticket 48818 - Fix case where return code is always -1 -- Ticket 48826 - 52updateAESplugin.pl may fail on older versions of perl -- Ticket 48825 - Configure make generate invalid makefile - -* Tue May 17 2016 Jitka Plesnikova - 1.3.5.3-1.1 -- Perl 5.24 rebuild - -* Sun May 8 2016 Noriko Hosoi - 1.3.5.3-1 -- Release 1.3.5.3-1 -- Ticket 47536 - Allow usage of OpenLDAP libraries that don't use NSS for crypto -- Ticket 47536 - CI test: added test cases for ticket 47536 -- Ticket 47840 - default instance scripts if undefined. -- Ticket 47888 - Add CI test -- Ticket 47888 - DES to AES password conversion fails if a backend is empty -- Ticket 47951 - Fix startpid from altering dev/null -- Ticket 47968 - Disable journald logs by default -- Ticket 47982 - HR Log timers, regression fix for subsystem logging -- Ticket 48078 - CI test - paged_results - TET part -- Ticket 48144 - Add /usr/sbin/status-dirsrv script to get the status of the directory server instance. -- Ticket 48269 - ns-accountstatus status message improvement -- Ticket 48342 - DNA: deadlock during DNA_EXTEND_EXOP_REQUEST_OID -- Ticket 48342 - DNA Deadlock test cases -- Ticket 48342 - Prevent transaction abort if a transaction has not begun -- Ticket 48350 - Integrate ASAN into our rpm build process -- Ticket 48374 - entry cache locks not released in error conditions -- Ticket 48410 - 389-ds-base - Unable to remove / unregister a DS instance from admin server -- Ticket 48447 - with-initddir should accept no -- Ticket 48450 - Systemd password agent support -- Ticket 48492 - heap corruption at schema replication. 
-- Ticket 48597 - Deadlock when rebuilding the group of authorized replication managers -- Ticket 48662 - db2index with no attribute args fail. -- Ticket 48710 - auto-dn-suffix unrecognized option -- Ticket 48769 - Fix white space in extendedop.c -- Ticket 48769 - RFE: Be_txn extended operation plugin type -- Ticket 48770 - Improve extended op plugin handling -- Ticket 48775 - If nsSSL3 is on, even if SSL v3 is not really enabled, a confusing message is logged. -- Ticket 48779 - Remove startpidfile check in start-dirsrv -- Ticket 48781 - Vague error message: setup_ol_tls_conn - failed: unable to create new TLS context -- Ticket 48782 - Make sure that when LDAP_OPT_X_TLS_NEWCTX is set, the value is set to zero. -- Ticket 48783 - Fix ns-accountstatus.pl syntax error -- Ticket 48784 - CI test: added test cases for ticket 48784 -- Ticket 48784 - Make the SSL version set to the client library configurable. -- Ticket 48798 - Enable DS to offer weaker DH params in NSS -- Ticket 48799 - objectclass values could be dropped on the consumer -- Ticket 48800 - Cleaning up error buffers -- Ticket 48801 - ASAN errors during tests -- Ticket 48802 - Compilation warnings from clang -- Ticket 48808 - Add test case -- Ticket 48808 - Paged results search returns the blank list of entries -- Ticket 48813 - password history is not updated when an admin resets the password -- Ticket 48815 - ns-accountstatus.sh does handle DN's with single quotes -- Ticket 48818 - In docker, no one can hear your process hang. -- Ticket 48822 - (389-ds-base-1.3.5) Fixing coverity issues. -- Ticket 48824 - Cleanup rpm.mk and 389 specfile - -* Fri Apr 15 2016 David Tardon - 1.3.5.1-3.1 -- rebuild for ICU 57.1 - -* Mon Apr 11 2016 Noriko Hosoi - 1.3.5.1-3 -- Release 1.3.5.1-3 -- Fixed the %%if expression for use_nunc_stans. -- Removed %%if % {use_nunc_stans} from Source3 as well as from nunc_stans_ver. 
-
-* Mon Mar 28 2016 Noriko Hosoi - 1.3.5.1-2
-- Release 1.3.5.1-2
-- Fixed License to GPLv3+
-- Generate a user dirsrv in the package install.
-
-* Wed Mar 23 2016 Noriko Hosoi - 1.3.5.1-1
-- Release 1.3.5.1-1
-- Ticket 47982 - improve timestamp resolution in logs
-- Ticket 48759 - no plugin calls in tombstone purging
-- Ticket 48665 - Prevent sefault in ldbm_instance_modify_config_entry
-- Ticket 48757 - License tag does not match actual license of code
-- Ticket 48746 - Crash when indexing an attribute with a matching rule
-- Ticket 48497 - extended search without MR indexed attribute prevents later indexing with that MR
-- Ticket 48368 - Resolve the py.test conflicts with the create_test.py issue
-- Ticket 48748 - Fix memory_leaks test suite teardown failure
-- Ticket 48383 - import tasks with dynamic buffer sizes
-- Ticket 48420 - change severity of some messages related to "keep alive" entries
-- Ticket 48386 - Clean up dsktune code
-- Ticket 48537 - undefined reference to `abstraction_increment'
-- Ticket 48747 - dirsrv service fails to start when nsslapd-listenhost is configured
-
-* Tue Feb 23 2016 Noriko Hosoi - 1.3.5.0-1
-- Release 1.3.5.0
-- nunc-stans - bump version to 0.1.8
-- Ticket 132 - Makefile.am must include header files and template scripts
-- Ticket 142 - [RFE] Default password syntax settings don't work with fine-grained policies
-- Ticket 548 - RFE: Allow AD password sync to update shadowLastChange
-- Ticket 47788 - Only check postop result if its a replication operation
-- Ticket 47840 - add configure option to disable instance specific scripts
-- Ticket 47968 - [RFE] Send logs to journald
-- Ticket 47977 - [RFE] Implement sd_notify mechanism
-- Ticket 48016 - search, matching rules and filter error "unsupported type 0xA9"
-- Ticket 48144 - Add /usr/sbin/status-dirsrv script to get the status of the directory server instance.
-- Ticket 48145 - RFE Add log file for rejected changes -- Ticket 48147 - Unable to enable DS service for auto start -- Ticket 48151 - Improve CleanAllRUV task logging -- Ticket 48218 - cleanAllRUV - modify the existing "force" option to bypass the "replica online" checks -- Ticket 48244 - No validation check for the value for nsslapd-db-locks. -- Ticket 48257 - Fix coverity issues - 08/24/2015 -- Ticket 48263 - allow plugins to detect tombstone operations -- Ticket 48269 - RFE: need an easy way to detect locked accounts locked by inactivity. -- Ticket 48270 - fail to index an attribute with a specific matching rule/48269 -- Ticket 48280 - enable logging of internal ops in the audit log -- Ticket 48285 - The dirsrv user/group should be created in rpm %%pre, and ideally with fixed uid/gid -- Ticket 48289 - 389-ds-base: ldclt-bin killed by SIGSEGV -- Ticket 48290 - No man page entry for - option '-u' of dbgen.pl for adding group entries with uniquemembers -- Ticket 48294 - Linked Attributes plug-in - won't update links after MODRDN operation -- Ticket 48295 - Entry cache is not rolled back -- Linked Attributes plug-in - wrong behaviour when adding valid and broken links -- Ticket 48311 - nunc-stans: Attempt to release connection that is not acquired -- Ticket 48317 - SELinux port labeling retry attempts are excessive -- Ticket 48326 - [RFE] it could be nice to have nsslapd-maxbersize default to bigger than 2Mb -- Ticket 48350 - configure.ac add options for debbuging and security analysis / hardening. 
-- Ticket 48351 - Fix buffer overflow error when reading url with len 0
-- Ticket 48363 - Support for rfc3673 '+' to return operational attributes
-- Ticket 48369 - [RFE] response control for password age should be sent by default by RHDS
-- Ticket 48384 - Server startup should warn about values consuming too much ram
-- Ticket 48387 - ASAN invalid read in cos_cache.c
-- Ticket 48394 - lower password history minimum to 1
-- Ticket 48395 - ASAN - Use after free in uiduniq 7bit.c
-- Ticket 48398 - Coverity defect 13352 - Resource leak in auditlog.c
-- Ticket 48400 - ldclt - segmentation fault error while binding
-- Ticket 48445 - keep alive entries can break replication
-- Ticket 48446 - logconv.pl displays negative operation speeds
-- Ticket 48566 - acl.c attrFilterArray maybe uninitialised.
-- Ticket 48662 - db2index with no attribute args fail.
-
-* Fri Feb 12 2016 Noriko Hosoi - 1.3.4.8-1
-- Release 1.3.4.8
-- Ticket 48445 - keep alive entries can break replication
-- Ticket 47788 - Only check postop result if its a replication operation
-- Ticket 48536 - Crash in slapi_get_object_extension
-- Ticket 48492 - heap corruption at schema replication.
-- Ticket 48448 - dirsrv start-stop fail in certain shell environments.
- -* Tue Feb 09 2016 Mark Reynolds - 1.3.4.7-1.2 -- Fix spec file for nunc-stans build problem on Rawhide - -* Wed Feb 03 2016 Fedora Release Engineering - 1.3.4.7-1.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Mon Jan 25 2016 Noriko Hosoi - 1.3.4.7-1 -- Release 1.3.4.7 -- Bug 1299417 - worker threads do not detect abnormally closed connections (DS 48412) -- Ticket 47788 - Supplier can skip a failing update, although it should retry -- Ticket 48341 - deadlock on connection mutex -- Ticket 48406 - Avoid self deadlock by PR_Lock(conn->c_mutex) -- Revert "Ticket #48338 - SimplePagedResults -- abandon could happen between the abandon check and sending results" - -* Tue Jan 12 2016 Noriko Hosoi - 1.3.4.6-1 -- Release 1.3.4.6 -- Ticket 48388 - db2ldif -r segfaults from time to time -- Ticket 48312 - Crash when doing modrdn on managed entry -- Ticket 48332 - allow users to specify to relax the FQDN constraint -- Ticket 48375 - SimplePagedResults -- in the search error case, simple paged results slot was not released. -- Ticket 48362 - With exhausted range, part of DNA shared configuration is deleted after server restart -- Ticket 48289 - 389-ds-base: ldclt-bin killed by SIGSEGV -- Ticket 48305 - perl module conditional test is not conditional when checking SELinux policies -- Ticket 48370 - The 'eq' index does not get updated properly when deleting and re-adding attributes in the same modify operation -- Ticket 48369 - RFE - Add config setting to always send the password expiring time - -* Wed Nov 18 2015 Noriko Hosoi - 1.3.4.5-1 -- Release 1.3.4.5 -- Ticket 48316 - Perl-5.20.3-328: Use of literal control characters in variable names is deprecated -- Ticket 48348 - Running /usr/sbin/setup-ds.pl fails with Can't locate bigint.pm, plus two warnings -- Ticket 48339 - Share nsslapd-threadnumber in the case nunc-stans is enabled, as well. 
-- Ticket 48311 - nunc-stans: Attempt to release connection that is not acquired https://fedorahosted.org/389/ticket/48311 -- Ticket 48325 - Add lib389 test script -- Ticket 48344 - acl - regression - trailing ', (comma)' in macro matched value is not removed. -- Ticket 48325 - Replica promotion leaves RUV out of order -- Ticket 48338 - SimplePagedResults -- abandon could happen between the abandon check and sending results -- Ticket 47976 - deadlock in mep delete post op -- Ticket 48311 - nunc-stans: Attempt to release connection that is not acquired -- Ticket 47978 - Deadlock between two MODs on the same entry between entry cache and backend lock -- Ticket 48305 - perl module conditional test is not conditional when checking SELinux policies -- Ticket 47957 - Add replication test suite for a wait async feature -- Ticket 48227 - rpm.mk doesn't build srpms for 389-ds and nunc-stans -- Ticket 48264 - Ticket 47553 tests refactoring -- Ticket 48304 - ns-slapd - LOGINFO:Unable to remove file -- Ticket 48298 - ns-slapd crash during ipa-replica-manage del -- Ticket 48192 - Individual abandoned simple paged results request has no chance to be cleaned up -- Ticket 48299 - pagedresults - when timed out, search results could have been already freed. -- Ticket 48204 - update lib389 test scripts for python 3 -- Ticket 48283 - many attrlist_replace errors in connection with cleanallruv -- Ticket 48266 - do not free repl keep alive entry on error -- Ticket 48284 - free entry when internal add fails -- Ticket 48266 - Online init crashes consumer -- Ticket 48188 - segfault in ns-slapd due to accessing Slapi_DN freed in pre bind plug-in -- Ticket 48217 - cleanallruv - fix regression with server shutdown -- Ticket 48266 - coverity issue -- Ticket 48266 - Fractional replication evaluates several times the same CSN -- Ticket 48279 - Check NULL reference in nssasl_mutex_lock etc. 
(saslbind.c) -- Ticket 48226 - In MMR, double free coould occur under some special condition -- Ticket 48273 - Update lib389 tests for new valgrind functions -- Ticket 48276 - initialize free_flags in reslimit_update_from_entry() -- Ticket 47553 - Automated the verification procedure -- Ticket 47761 - Added a few testcases to the basic testsuite -- Ticket 48254 - Shell CLI fails with usage errors if an argument containing white spaces is given -- Ticket 47511 - bashisms in 389-ds-base admin scripts -- Ticket 48267 - Add config setting to MO plugin to add objectclass - -* Tue Nov 10 2015 Fedora Release Engineering - 1.3.4.4-1.2 -- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5 - -* Wed Oct 28 2015 David Tardon - 1.3.4.4-1.1 -- rebuild for ICU 56.1 - -* Fri Sep 4 2015 Noriko Hosoi - 1.3.4.4-1 -- Release 1.3.4.4 -- Ticket 48255 - total update request can be lost -- Ticket 48263 - allow plugins to detect tombstone operations -- Ticket 48265 - Complex filter in a search request doen't work as expected. (regression) -- Ticket 47981 - COS cache doesn't properly mark vattr cache as invalid when there are multiple suffixes -- Ticket 48204 - Convert all python scripts to support python3 -- Ticket 48258 - dna plugin needs to handle binddn groups for authorization -- Ticket 48252 - db2index creates index entry from deleted records -- Ticket 48228 - wrong password check if passwordInHistory is decreased. 
-- Ticket 48252 - db2index creates index entry from deleted records
-- Ticket 47757 - Unable to dereference unqiemember attribute because it is dn [#UID] not dn syntax
-- Ticket 48254 - Shell CLI fails with usage errors if an argument containing white spaces is given
-- Ticket 48254 - CLI db2index fails with usage errors
-- Ticket 47831 - remove debug logging from retro cl
-- Ticket 48243 - replica upgrade failed in starting dirsrv service due to upgrade scripts did not run
-- Ticket 48233 - Server crashes in ACL_LasFindFlush during shutdown if ACIs contain IP addresss restrictions
-- Ticket 48250 - Slapd crashes reported from latest build
-- Ticket 48249 - sync_repl uuid may be invalid
-- Ticket 48245 - Man pages and help for remove-ds.pl doesn't display "-a" option
-- Ticket 47511 - bashisms in 389-ds-base admin scripts
-- Ticket 47686 - removing chaining database links trigger valgrind read errors
-- Ticket 47931 - memberOf & retrocl deadlocks
-- Ticket 48228 - wrong password check if passwordInHistory is decreased.
-- Ticket 48215 - update dbverify usage in main.c
-- Ticket 48215 - verify_db.pl doesn't verify DB specified by -a option
-- Ticket 47810 - memberOf plugin not properly rejecting updates
-- Ticket 48231 - logconv autobind handling regression caused by 47446
-- Ticket 48232 - winsync lastlogon attribute not syncing between DS and AD.
-
-* Mon Jul 27 2015 Noriko Hosoi - 1.3.4.3-1
-- Release 1.3.4.3
-- Ticket 48204 - Add Python 3 compatibility to ds-logpipe
-
-* Fri Jul 24 2015 Noriko Hosoi - 1.3.4.2-1
-- Release 1.3.4.2
-- Ticket 48010 - winsync range retrieval gets only 5000 values upon initialization
-- Ticket 48206 - Crash during retro changelog trimming
-- Ticket 48224 - redux 2 - logconv.pl should handle *.tar.xz, *.txz, *.xz log files
-- Ticket 47910 - logconv.pl - check that the end time is greater than the start time
-- Ticket 48179 - Starting a replica agreement can lead to deadlock
-- Ticket 48226 - CI test: added test cases for ticket 48226
-- Ticket 48226 - In MMR, double free coould occur under some special condition
-- Ticket 48224 - redux - logconv.pl should handle *.tar.xz, *.txz, *.xz log files
-- Ticket 48203 - Fix coverity issues - 07/14/2015
-- Ticket 48194 - CI test: fixing test cases for ticket 48194
-- Ticket 48224 - logconv.pl should handle *.tar.xz, *.txz, *.xz log files
-- Ticket 47910 - logconv.pl - validate start and end time args
-- Ticket 48223 - Winsync fails when AD users have multiple spaces (two)inside the value of the rdn attribute
-- Ticket 47878 - Remove warning suppression in 1.3.4
-- Ticket 48119 - Silent install needs to properly exit when INF file is missing
-- Ticket 48216 - crash in ns-slapd when deleting winSyncSubtreePair from sync agreement
-- Ticket 48217 - cleanAllRUV hangs shutdown if not all of the replicas are online
-- Ticket 48013 - Inconsistent behaviour of DS when LDAP Sync is used with an invalid cookie
-- Ticket 47799 - Any negative LDAP error code number reported as Illegal error by ldclt.
-- Ticket 48208 - CleanAllRUV should completely purge changelog
-- Ticket 48203 - Fix coverity issues - 07/07/2015
-- Ticket 48119 - setup-ds.pl does not log invalid --file path errors the same way as other errors.
-- Ticket 48192 - Individual abandoned simple paged results request has no chance to be cleaned up
-- Ticket 48214 - CI test: added test cases for ticket 48213
-- Ticket 48214 - ldapsearch on nsslapd-maxbersize returns 0 instead of current value
-- Ticket 48212 - CI test: added test cases for ticket 48212
-- Ticket 48212 - Dynamic nsMatchingRule changes had no effect on the attrinfo thus following reindexing, as well.
-- Ticket 48195 - Slow replication when deleting large quantities of multi-valued attributes
-
-* Fri Jul 24 2015 Tomas Radej - 1.3.4.1-2
-- Updated dep on policycoreutils-python-utils (semanage was moved)
-
-* Wed Jun 24 2015 Noriko Hosoi - 1.3.4.1-1
-- Release 1.3.4.1
-- Resolves: Bug 1234277 - distro-wide architecture set overriden by buildsystem; Upgrade nunc-stans to 0.1.5.
-- Enable nunc-stans just for x86_64.
-- Ticket 48203 - Fix coverity issues - 06/22/2015
-
-* Fri Jun 19 2015 Noriko Hosoi - 1.3.4.0-1
-- Release 1.3.4.0 (rebase)
-- Enable nunc-stans in the build.
-- Ticket 47490 - test case failing if 47721 is also fixed -- Ticket 47640 - Linked attributes transaction not aborted when linked entry does not exit -- Ticket 47669 - CI test: added test cases for ticket 47669 -- Ticket 47669 - Retro Changelog Plugin accepts invalid value in nsslapd-changelogmaxage attribute -- Ticket 47723 - winsync sets AccountUserControl in AD to 544 -- Ticket 47787 - Make the test case more robust -- Ticket 47833 - TEST CASE only (modrdn fails if renamed entry member of a group and is out of memberof scope) -- Ticket 47878 - Improve setup-ds update logging -- Ticket 47893 - should use Sys::Hostname instead Net::Domain -- Ticket 47910 - allow logconv.pl -S/-E switches to work even when timestamps not present in access log -- Ticket 47913 - remove-ds.pl should not remove /var/lib/dirsrv -- Ticket 47921 - indirect cos does not reflect changes in the cos attribute -- Ticket 47927 - Uniqueness plugin: should allow to exclude some subtrees from its scope -- Ticket 47953 - testcase for removing invalid aci -- Ticket 47966 - CI test: added test cases for ticket 47966 -- Ticket 47966 - slapd crashes during Dogtag clone reinstallation -- Ticket 47972 - make parsing of nsslapd-changelogmaxage more fault tolerant -- Ticket 47972 - make parsing of nsslapd-changelogmaxage more fool proof -- Ticket 47998 - cleanup WINDOWS ifdef's -- Ticket 47998 - remove remaining obsolete OS code/files -- Ticket 47998 - remove "windows" files -- Ticket 47999 - address several race conditions in tests -- Ticket 47999 - lib389 individual tests not running correctly when run as a whole -- Ticket 48003 - build "suite" framework -- Ticket 48008 - db2bak.pl man page should be improved. 
-- Ticket 48017 - add script to generate lib389 CI test script -- Ticket 48019 - Remove refs to constants.py and backup/restore from lib389 tests -- Ticket 48023 - replace old replication check with lib389 function -- Ticket 48025 - add an option '-u' to dbgen.pl for adding group entries with uniquemembers -- Ticket 48026 - fix invalid write for friendly attribute names -- Ticket 48026 - Fix memory leak in uniqueness plugin -- Ticket 48026 - Support for uniqueness plugin to enforce uniqueness on a set of attributes. -- Ticket 48032 - change C code license to GPLv3; change C code license to allow openssl -- Ticket 48035 - nunc-stans - Revise shutdown sequence -- Ticket 48036 - ns_set_shutdown should call ns_job_done -- Ticket 48037 - ns_thrpool_new should take a config struct rather than many parameters -- Ticket 48038 - logging should be pluggable -- Ticket 48039 - nunc-stans malloc should be pluggable -- Ticket 48040 - preserve the FD when disabling a listener -- Ticket 48043 - use nunc-stans config initializer -- Ticket 48103 - update DS for new nunc-stans header file -- Ticket 48110 - Free all the nunc-stans signal jobs when shutdown is detected -- Ticket 48111 - "make clean" wipes out original files -- Ticket 48122 - nunc-stans FD leak -- Ticket 48127 - Using RPM, allows non root user to create/remove DS instance -- Ticket 48141 - aci with wildcard and macro not correctly evaluated -- Ticket 48143 - Password is not correctly passed to perl command line tools if it contains shell special characters. 
-- Ticket 48149 - ns-slapd double free or corruption crash -- Ticket 48154 - abort cleanAllRUV tasks should not certify-all by default -- Ticket 48169 - support NSS 3.18 -- Ticket 48170 - Parse nsIndexType correctly -- Ticket 48175 - Avoid using regex in ACL if possible -- Ticket 48178 - add config param to enable nunc-stans -- Ticket 48191 - CI test: added test cases for ticket 48191 -- Ticket 48191 - RFE: Adding nsslapd-maxsimplepaged-per-conn -- Ticket 48191 - RFE: Adding nsslapd-maxsimplepaged-per-conn Adding nsslapd-maxsimplepaged-per-conn -- Ticket 48194 - CI test: added test cases for ticket 48194 -- Ticket 48197 - error texts from preop plugins not sent to client - -* Wed Jun 17 2015 Noriko Hosoi - 1.3.3.12-1 -- release 1.3.3.12 -- Resolves: Bug 1232896 - CVE-2015-3230 389-ds-base: nsSSL3Ciphers preference not enforced server side - -* Tue Jun 16 2015 Fedora Release Engineering - 1.3.3.11-1.2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Thu Jun 11 2015 Jitka Plesnikova - 1.3.3.11-1.1 -- Perl 5.22 rebuild - -* Wed Jun 10 2015 Noriko Hosoi - 1.3.3.11-1 -- release 1.3.3.11 -- Ticket 48192 - Individual abandoned simple paged results request has no chance to be cleaned up -- Ticket 48190 - idm/ipa 389-ds-base entry cache converges to 500 KB in dblayer_is_cachesize_sane -- Ticket 48183 - bind on db chained to AD returns err=32 -- Ticket 48158 - cleanAllRUV task limit not being enforced correctly -- Ticket 48158 - Remove cleanAllRUV task limit of 4 -- Ticket 48146 - async simple paged results issue; need to close a small window for a pr index competed among multiple threads. 
-- Ticket 48146 - async simple paged results issue; log pr index -- Ticket 48109 - substring index with nssubstrbegin: 1 is not being used with filters like (attr=x*) -- Ticket 48177 - dynamic plugins should not return an error when modifying a critical plugin -- Ticket 48146 - async simple paged results issue - -* Fri Jun 05 2015 Jitka Plesnikova - 1.3.3.10-1.1 -- Perl 5.22 rebuild - -* Tue Apr 28 2015 Noriko Hosoi - 1.3.3.10-1 -- release 1.3.3.10 -- Resolves: Bug 1216203 - CVE-2015-1854 389ds-base: access control bypass with modrdn - -* Fri Mar 6 2015 Noriko Hosoi - 1.3.3.9-1 -- bump version to 1.3.3.9 -- Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all] -- Ticket 47801 - RHDS keeps on logging write_changelog_and_ruv: failed to update RUV for unknown -- Ticket 47957 - Make ReplicaWaitForAsyncResults configurable -- Ticket 47431 - CI test: added test cases for ticket 47431 -- Ticket 47431 - Duplicate values for the attribute nsslapd-pluginarg are not handled correctly -- Ticket 47936: Create a global lock to serialize write operations over several backends -- Ticket 48021 - nsDS5ReplicaBindDNGroup checkinterval not working properly -- Ticket 48048 - Fix coverity issues - 2015/3/1 -- Ticket 48109 - substring index with nssubstrbegin: 1 is not being used with filters like (attr=x*) -- Ticket 48109 - CI test: added test cases for ticket 48109 -- Ticket 48109 - substring index with nssubstrbegin: 1 is not being used with filters like (attr=x*) -- Ticket 48048 - Fix coverity issues - 2015/2/24 -- Ticket 48030 - spec file should run "systemctl stop" against each running instance instead of dirsrv.target -- Ticket 47828: DNA scope: allow to exlude some subtrees -- Ticket 47988: test case -- Ticket 47901: After total init, nsds5replicaLastInitStatus can report an erroneous error status (like 'Referral') -- Ticket 48003 - add template scripts -- Ticket 48003 - build "suite" framework -- Ticket 48005 - CI test: added test cases for ticket 
48005 -- Ticket 48005 - ns-slapd crash in shutdown phase -- Ticket 47742 - 64bit problem on big endian: auth method not supported -- Ticket 47836 - Do not return '0' as empty fallback value of nsds5replicalastupdatestart and nsds5replicalastupdatestart -- Ticket 47728 - compilation failed with ' incomplete struct/union/enum' if not set USE_POSIX_RWLOCKS -- Ticket 48027 - revise the rootdn plugin configuration validation -- Ticket 47451 - dynamic plugins - fix crash caused by invalid plugin config -- Ticket 48001 - ns-activate.pl fails to activate account if it was disabled on AD - -* Wed Feb 25 2015 Noriko Hosoi - 1.3.3.8-2 -- Fixes spec file to make sure all the server instances are stopped before upgrade -- Ticket 48030 - DNS errors after IPA upgrade due to broken ReplSync - -* Wed Feb 04 2015 Noriko Hosoi - 1.3.3.8-1 -- bump version to 1.3.3.8 -- Ticket 48001 - ns-activate.pl fails to activate account if it was disabled on AD -- Ticket 47963 - memberof skip nested groups breaks the plugin - -* Wed Feb 04 2015 Petr Machata - 1.3.3.7-2.1 -- Bump for rebuild. - -* Wed Jan 28 2015 Noriko Hosoi - 1.3.3.7-2 -- removed USE_64=1 which is not used any more. - -* Wed Jan 28 2015 Noriko Hosoi - 1.3.3.7-1 -- bump version to 1.3.3.7 -- Coverity 12970 - Explicit null dereference -- Ticket 47988 - Schema learning mechanism, in replication, unable to extend an existing definition -- Ticket 47996 - ldclt needs to support SSL Version range -- Ticket 47738 - use PL_strcasestr instead of strcasestr -- Ticket 47462 - Stop using DES in the reversible password encryption plug-in -- Ticket 47807 - SLAPI_REQUESTOR_ISROOT not set for extended operation plugins -- Ticket 47991 - upgrade script fails if /etc and /var are on different file systems -- Ticket 47989 - Windows Sync accidentally cleared raw_entry -- Ticket 47964 - v2 - Incorrect search result after replacing an empty attribute -- Ticket 47934 - nsslapd-db-locks modify not taking into account. 
-- Ticket 47617 - replication changelog trimming setting validation -- Ticket 47905 - Bad manipulation of passwordhistory -- Ticket 47973 - During schema reload sometimes the search returns no results -- Ticket 47981 - COS cache doesn't properly mark vattr cache as invalid when there are multiple suffixes -- Ticket 47980 - Nested COS definitions can be incorrectly processed -- Ticket 47451 - Dynamic plugins - fixed thread synchronization -- Ticket 47750 - During delete operation do not refresh cache entry if it is a tombstone -- Ticket 47947 - start dirsrv after chrony on RHEL7 and Fedora -- fix jenkins warning -- Ticket 47526 - Additional fix for ticket 47526 v3 -- Ticket 47451 - Add Dynamic Plugin CI Suite -- Ticket 47965 - Fix coverity issues (2014/12/16) -- Ticket 47451 - Fix jenkins errors -- Ticket 47451 - Dynamic Plugin - various fixes -- Ticket 47935 - Error: failed to open an LDAP connection to host 'example.org' port '389' as user 'cn=Directory Manager'. Error: unknown. -- Ticket 47750 - Need to refresh cache entry after called betxn postop plugins -- Ticket 47942 - DS hangs during online total update -- Ticket 47960 - cookie_change_info returns random negative number if there was no change in a tree -- Ticket 47960 - cookie_change_info returns random negative number if there was no change in a tree -- Ticket 47722 - Using the filter file does not work -- Ticket 47636 - Error log levels not displayed correctly -- Ticket 47965 - Fix coverity issues (2014/11/24) -- Ticket 47969 - Fix coverity issue -- Ticket 47949 - logconv.pl -- support parsing/showing/reporting different protocol versions -- Ticket 47525 - Crash if setting invalid plugin config area for MemberOf Plugin -- Ticket 47970 - add lib389 testcase -- Ticket 47970 - Account lockout attributes incorrectly updated after failed SASL Bind -- Ticket 47969 - COS memory leak when rebuilding the cache -- Ticket 47967 - cos_cache_build_definition_list does not stop during server shutdown -- Ticket 47451 - 
Running a plugin task can crash the server -- Ticket 47963 - skip nested groups breaks memberof fixup task -- Ticket 47963 - RFE - memberOf - add option to skip nested group lookups during delete operations -- Ticket 47810 - RI plugin does not return result code if update fails - -* Mon Jan 26 2015 David Tardon - 1.3.3.6-1.1 -- rebuild for ICU 54.1 - -* Thu Nov 20 2014 Mark Reynolds - 1.3.3.6-1 -- 5d72a2f bump version to 1.3.3.6-1 -- Ticket 47950 - Bind DN tracking unable to write to internalModifiersName without special permissions -- Ticket 47958 - Memory leak in password admin if the admin entry does not exist -- Ticket 47952 - PasswordAdminDN attribute is not properly returned to client -- Ticket 47451 - Need to unregister tasks created by plugins -- Ticket 47928 - Disable SSL v3, by default. -- Ticket 47953 - Should not check aci syntax when deleting an aci -- Ticket 47948 - ldap_sasl_bind fails assertion (ld != NULL) if it is called from chainingdb_bind over SSL/startTLS -- Ticket 47945 - Add SSL/TLS version info to the access log -- Ticket 47939 - Malformed cookie for LDAP Sync makes DS crash -- Ticket 47937 - Crash in entry_add_present_values_wsi_multi_valued -- Ticket 47928 - CI test: added test cases for ticket 47928 -- Ticket 47553 - Enhance ACIs to have more control over MODRDN operations - -* Fri Oct 10 2014 Noriko Hosoi - 1.3.3.5-1 -- Release 1.3.3.5 -- Ticket 47914 - Add FreeIPA Conflicts to 389 spec file -- Ticket 47922 - dynamically added macro aci is not evaluated on the fly -- Ticket 47897 - Need to move slapi_pblock_set(pb, SLAPI_MODRDN_EXISTING_ENTRY, original_entry->ep_entry) prior to original_entry overwritten -- Ticket 47920 - Encoding of SearchResultEntry is missing tag -- Ticket 47912 - Proper handling of "No original_tombstone for changenumber" errors -- Ticket 47899 - Fix slapi_td_plugin_lock_init prototype -- Ticket 47919 - ldbm_back_modify SLAPI_PLUGIN_BE_PRE_MODIFY_FN does not return even if one of the preop plugins fails. 
-- Ticket 47892 - Fix remaining compiler warnings
-- ticket 47916 - plugin logging parameter only triggers result logging
-- Ticket 47918 - result of dna_dn_is_shared_config is incorrectly used
-- Ticket 47900 - Server fails to start if password admin is set
-- Ticket 47892 - coverity defects found in 1.3.3.x
-
-* Wed Oct 01 2014 Noriko Hosoi - 1.3.3.4-1
-- Release 1.3.3.4
-- Ticket 47880 - CI test: added test cases for ticket 47880
-- Ticket 47880 - provide enabled ciphers as search result
-- Ticket 47838 - CI test: adjusted test cases based on the phase 2 fixes for ticket 47838
-- Ticket 47838 - harden the list of ciphers available by default (phase 2)
-- Ticket 47900 - Adding an entry with an invalid password as rootDN is incorrectly rejected
-- Ticket 47908 - 389-ds 1.3.3.0 does not adjust cipher suite configuration on upgrade, breaks itself and pki-server
-- Ticket 47907 - ldclt: assertion failure with -e "add,counteach" -e "object=,rdn=uid:test[A=INCRNNOLOOP(0;24
-- Ticket 47750 - Creating a glue fails if one above level is a conflict or missing
-
-* Sun Sep 14 2014 Peter Robinson 1.3.3.3-2
-- Use generic 64 bit detection (fixes aarch64/ppc64le)
-- PPC/s390 has lm_sensors
-- Minor spec cleanups
-
-* Fri Sep 12 2014 Rich Megginson - 1.3.3.3-1
-- Release 1.3.3.3
-- Ticket #47892 - coverity defects found in 1.3.3.1
-
-* Fri Sep 12 2014 Nathan Kinder - 1.3.3.2-1
-- Release 1.3.3.2
-- Ticket 47889 - DS crashed during ipa-server-install on test_ava_filter
-- Ticket 47895 - If no effective ciphers are available, disable security setting.
-- Ticket 47838 - harden the list of ciphers available by default
-- Ticket 47885 - did not always return a response control
-- Ticket 47890 - minor memory leaks in utilities
-- Ticket 47834 - Tombstone_to_glue: if parents are also converted to glue, the target entry's DN must be adjusted.
-- Ticket 47748 - Simultaneous adding a user and binding as the user could fail in the password policy check
-- Ticket 47875 - dirsrv not running with old openldap
-- Ticket 47885 - deref plugin should not return references with noc access rights
-
-* Thu Sep 04 2014 Jitka Plesnikova - 1.3.3.0-2
-- Perl 5.20 rebuild
-
-* Wed Sep 03 2014 Noriko Hosoi - 1.3.3.0-1
-- Release 1.3.3.0
-- Ticket 47879 - coverity defects in plugins/replication/windows_protocol_util.c
-- Ticket 47876 - coverity defects in slapd/tools/mmldif.c
-- Ticket 47574 - start dirsrv after ntpd
-- Ticket 47838 - harden the list of ciphers available by default
-- Ticket 47579 - add dbmon.sh
-- Ticket 47819 - Fix memory leak
-- Ticket 47819 - Improve tombstone purging performance
-- Ticket 47714 - [RFE] Update lastLoginTime also in Account Policy plugin if account lockout is based on passwordExpirationTime.
-- Ticket 47812 - logconv.pl missing -U option from usage
-- Ticket 47664 - Page control does not work if effective rights control is specified
-- Ticket 47790 - Integer config attributes accept invalid values at server startup
-- Ticket 47710 - Missing warning for invalid replica backoff configuration
-- Ticket 47853 - Missing newline at end of the error log messages in memberof
-- Ticket 47853 - client hangs in add if memberof fails
-- Ticket 47746 - ldap/servers/slapd/back-ldbm/dblayer.c: possible minor problem with sscanf
-- Ticket 47711 - improve dbgen rdn generation, output and man page.
-- Ticket 47855 - Fix previous commit -- Ticket 47859 - Coverity: 12692 & 12717 -- Ticket 47855 - clear tmp directory at the start of each test -- Ticket 47844 - Fix hyphens used as minus signed and other manpage mistakes -- Ticket 47843 - Fix various typos in manpages & code -- Ticket 47832 - attrcrypt_generate_key calls slapd_pk11_TokenKeyGenWithFlags with improper macro -- Ticket 47852 - Updating winsync one-way sync does not affect the behaviour dynamically -- Ticket 47846 - server crashes deleting a replication agreement -- Ticket 47823 - attribute uniqueness enforced on all subtrees -- Ticket 47654 - Fix regression (deadlock/crash) -- Ticket 47827 - Fix coverity issue 12695 -- Ticket 47829: memberof scope: allow to exclude subtrees -- Ticket 47815 - Add operations rejected by betxn plugins remain in cache -- Ticket 47808 - If be_txn plugin fails in ldbm_back_add, adding entry is double freed -- Ticket 555 - add fixup-memberuid.pl script -- Ticket 47827 - online import crashes server if using verbose error logging -- fix compiler error with alst coverity commit -- fix coverity issue 12621 -- Ticket 47810 - investigate betxn plugins to ensure they return the correct error code -- Ticket 47602 - txn commit being performed too early -- Ticket 47752 - Don't add unhashed password mod if we don't have an unhashed value -- Ticket 47803 - syncrepl crash if attribute list is non-empty -- Ticket 47466 - Fix coverity issue -- Ticket 47644 - Managed Entry Plugin - transaction not aborted upon failure to create managed entry -- Ticket 47791 - Negative value of nsSaslMapPriority is not reset to lowest priority -- Ticket 47805 - syncrepl doesn't send notification when attribute in search filter changes -- Ticket 47636 - errorlog-level 16384 is listed as 0 in cn=config -- Ticket 47451 - Remove old code from linked attr plugin -- Ticket 47756 - fix coverity issues -- Ticket 47761 - Return all attributes in rootdse without explicit request -- fix assertion failure introduced 
with fix for ticket 47667 -- Ticket 47712 - betxn: retro changelog broken after cancelled transaction -- Ticket 47667 - Allow nsDS5ReplicaBindDN to be a group DN -- Ticket 47655 - Improve replication total update logging -- Ticket 47756 - Improve import logging and abort processing -- Ticket 47451 - add/enable/disable/remove plugins without server restart -- Ticket 47553 - Enhance ACIs to have more control over MODRDN operations -- Ticket 47727 - Updating nsds5ReplicaHost attribute in a replication agreement fails with error 53 -- Ticket 47725 - compiler error on daemon.c -- Ticket 47701 - Make retro changelog trim interval programmable -- Ticket 47453 - configure SASL/GSSAPI/Kerberos without server restart -- Ticket 47701 - Make retro changelog trim interval programmable -- Ticket 47602 - Make ldbm_back_seq independently support transactions -- Ticket 47552 - logconv: unindexed report should list bind dn -- Ticket 47619 - cannot reindex retrochangelog -- Update test cases due to new modules: Schema, tasks, plugins and index -- Ticket 47608 - change slapi_entry_attr_get_bool to handle "on"/"off" values, support default value -- Ticket 47437 - Some attributes in cn=config should not be multivalued -- Ticket 47573 - schema push can be erronously prevented -- Ticket 47618 - Enable normalized DN cache by default -- Ticket 47570 - slapi_ldap_init unusable during independent plugin development -- Ticket 47659 - ldbm_usn_init: Valgrind reports Invalid read / SIGSEGV -- Ticket 47654 - fix double free -- Ticket 47675 - logconv errors when search has invalid bind dn -- Ticket 47657 - add schema test suite and tests for Ticket #47634 -- Ticket 47668 - test: port ticket47490_test to Replica/Agreement interface (47600) -- Ticket 47654 - Cleanup old memory leaks reported from valgrind -- Ticket 47651 - Finaliser to remove instances backups -- Ticket 47603 - should not modify pre op entry during config validation -- Ticket 47628 - port testcases to new DirSrv interface -- Ticket 
47525 - Don't modify preop entry in memberOf config -- Ticket 605 - support TLS 1.1 - Fixing "Coverity 12415 - Logically dead code" -- Ticket 605 - support TLS 1.1 - lower the log level for the supported NSS version range -- Ticket 47368 - fix memory leaks -- Ticket 605 - support TLS 1.1 - adding backward compatibility -- Ticket 605 - support TLS 1.1 -- Ticket 47603 - Allow RI plugin to use alternate config area -- Ticket 47586 - Need to rebind after a stop (fix to run direct python script) -- Ticket 47525 - Need to add locking around config area access -- Ticket 47457 - default nsslapd-sasl-max-buffer-size should be 2MB -- Ticket 47525 - Fix memory leak -- Ticket 381 - Recognize compressed log files -- Ticket 47525 - Allow memberOf to use an alternate config area -- Ticket 47529 - Automember plug-in should treat MODRDN operations as ADD operations -- Ticket 47521 - Complex filter in a search request doen't work as expected. -- Ticket 47582 - agmt_count in Replica could become (PRUint64)-1 -- Ticket 47368 - Fix coverity issues -- Ticket 47555 - db2bak.pl issue when specifying non-default directory -- Ticket 47368 - Fix Jenkins errors -- Ticket 47368 - IPA server dirsrv RUV entry data excluded from replication -- Ticket 538 - - hardcoded sasl2 plugin path in ldaputil.c, saslbind.c -- Ticket 47519 - memory leaks in access control -- Ticket 47398 - memberOf on a user is converted to lowercase -- Coverity Issue 12033 -- Ticket 47530 - dbscan on entryrdn should show all matching values -- Ticket 47422 - With 1.3.04 and subtree-renaming OFF, when a user is deleted after restarting the server, the same entry can't be added -- bump autoconf to 2.69, automake to 1.13.4, libtool to 2.4.2 -- Ticket 47436 - 389-ds-base - shebang with /usr/bin/env -- Ticket 47499 - if nsslapd-cachememsize set to the number larger than the RAM available, should result in proper error message. 
-- Ticket 47530 - dbscan on entryrdn should show all matching values -- Ticket 47535 - update man page -- Ticket 53 - Need to update supported locales Cleaning up typos and format. -- Ticket 47535 - Logconv.pl - RFE - add on option for a minimum etime for unindexed search stats -- Ticket 47491 - Update systemd service file to use PartOf directive - -* Wed Sep 03 2014 Jitka Plesnikova - 1.3.2.23-1.1 -- Perl 5.20 rebuild - -* Wed Aug 27 2014 Noriko Hosoi - 1.3.2.23-1 -- Release 1.3.2.23 -- Ticket 47871 - 389-ds-base-1.3.2.21-1.fc20 crashed over the weekend -- Ticket 47866 - Errors after upgrading related to attribute "dnaremotebindmethod" -- Ticket 47816 - v2- internal syncrepl searches are flagged as unindexed -- Ticket 47877 - check_and_add_entry fails for changetype: add and existing entry -- Ticket 47834 - Tombstone_to_glue: if parents are also converted to glue, the target entry's DN must be adjusted. -- Ticket 47875 - dirsrv not running with old openldap -- Revert "Ticket #47875 - dirsrv not running with old openldap" -- Ticket 47875 - dirsrv not running with old openldap -- Ticket 47446 - logconv.pl memory continually grows -- Ticket 47874 - Performance degradation with scope ONE after some load -- Ticket 47872 - Filter AND with only one clause should be optimized -- Ticket 47834 - Tombstone_to_glue: if parents are also converted to glue, the target entry's DN must be adjusted. -- Ticket 47862 - repl-monitor fails to convert "*" to default values -- Ticket 47824 - paged results control is not working in some cases when we have a subsuffix. 
-- Ticket 47862 - Repl-monitor.pl ignores the provided connection parameters -- Ticket 346 - Fixing memory leaks -- Ticket 47753 - Add switch to disable pre-hashed password checking -- Ticket 47861 - Certain schema files are not replaced during upgrade -- Ticket 47858 - Internal searches using OP_FLAG_REVERSE_CANDIDATE_ORDER can crash the server -- Ticket 47797 - fix the indentation -- Ticket 47797 - DB deadlock when two threads (on separated backend) try to record changes in retroCL -- Ticket 47692 - single valued attribute replicated ADD does not work -- Ticket 47781 - Server deadlock if online import started while server is under load - -* Wed Aug 27 2014 Jitka Plesnikova - 1.3.2.22-1.3 -- Perl 5.20 rebuild - -* Tue Aug 26 2014 David Tardon - 1.3.2.22-1.2 -- rebuild for ICU 53.1 - -* Fri Aug 15 2014 Fedora Release Engineering - 1.3.2.22-1.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Tue Aug 12 2014 Noriko Hosoi - 1.3.2.22-1 -- Release 1.3.2.21 -- Resolves: #1127833 - Ticket 47869 - unauthenticated information disclosure (Bug 1123477) - 389-ds-base-1.3.2.22 = 389-ds-base-1.3.2.19 + Bug 1127833 fix. - -* Thu Aug 07 2014 Noriko Hosoi - 1.3.2.21-1 -- Release 1.3.2.21 -- Resolves: #1127833 - Ticket 47869 - unauthenticated information disclosure (Bug 1123477) -- Ticket 47834 - Tombstone_to_glue: if parents are also converted to glue, the target entry's DN must be adjusted. -- Ticket 47862 - repl-monitor fails to convert "*" to default values -- Ticket 47824 - paged results control is not working in some cases when we have a subsuffix. 
-- Ticket 47862 - Repl-monitor.pl ignores the provided connection parameters
-- Ticket 346 - Fixing memory leaks
-
-* Tue Jul 22 2014 Noriko Hosoi - 1.3.2.20-1
-- Release 1.3.2.20
-- Ticket 47753 - Add switch to disable pre-hashed password checking
-- Ticket 47861 - Certain schema files are not replaced during upgrade
-- Ticket 47858 - Internal searches using OP_FLAG_REVERSE_CANDIDATE_ORDER can crash the server
-- Ticket 47797 - DB deadlock when two threads (on separated backend) try to record changes in retroCL
-- Ticket 47834 - Tombstone_to_glue: if parents are also converted to glue, the target entry's DN must be adjusted.
-- Ticket 47692 - single valued attribute replicated ADD does not work
-- Ticket 47781 - Server deadlock if online import started while server is under load
-
-* Thu Jul 03 2014 Noriko Hosoi - 1.3.2.19-1
-- Release 1.3.2.19
-- Ticket 47779 - Potential deadlock after startup if a dna configuration change is made
-- Ticket 47839 - 389-ds production segfault: __memcpy_sse2_unaligned...
-
-* Tue Jul 01 2014 Noriko Hosoi - 1.3.2.18-1
-- Release 1.3.2.18
-- Ticket 47750 - Creating a glue fails if one above level is a conflict or missing
-- Ticket 47763 - winsync plugin modify is broken
-- Ticket 47821 - deref plugin cannot handle complex acis
-- Ticket 47831 - server restart wipes out index config if there is a default index
-- Ticket 47817 - The error result text message should be obtained just prior to sending result
-- Ticket 47815 - Add operations rejected by betxn plugins remain in cache
-- Ticket 47809 - find a way to remove replication plugin errors messages "changelog iteration code returned a dummy entry with csn %%s, skipping ..."
-- Ticket 47704 - invalid sizelimits in aci group evaluation
-- Ticket 47813 - remove "goto bail" from previous commit
-- Ticket 47813 - managed entry plugin fails to update member pointer on modrdn operation
-- Ticket 47808 - If be_txn plugin fails in ldbm_back_add, adding entry is double freed.
-- Ticket 47770 - #481 breaks possibility to reassemble memberuid list
-
-* Fri Jun 06 2014 Fedora Release Engineering - 1.3.2.17-1.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
-
-* Thu May 29 2014 Noriko Hosoi - 1.3.2.17-1
-- Release 1.3.2.17
-- Ticket 47446 - logconv.pl memory continually grows
-- Ticket 47713 - Logconv.pl with an empty access log gives lots of errors
-- Ticket 47806 - Failed deletion of aci: no such attribute
-- bump version
-- Ticket 47720 - Normalization from old DN format to New DN format doesnt handel condition properly when there is space in a suffix after the seperator operator.
-- Ticket 47670 - Aci warnings in error log
-- Ticket 47721 - Schema Replication Issue (follow up)
-- Ticket 47721 - Schema Replication Issue (follow up + cleanup)
-- Ticket 47721 - Schema Replication Issue
-- Ticket 47676 - (cont.) Replication of the schema fails 'master branch' -> 1.2.11 or 1.3.1
-- Ticket 47676 - Replication of the schema fails 'master branch' -> 1.2.11 or 1.3.1
-- Ticket 47541 - Fix Jenkins errors
-- Ticket 47541 - Replication of the schema may overwrite consumer 'attributetypes' even if consumer definition is a superset
-- Ticket 47804 - db2bak.pl error with changelogdb
-- Ticket 47780 - Some VLV search request causes memory leaks
-- Ticket 47787 - A replicated MOD fails (Unwilling to perform) if it targets a tombstone
-- Ticket 47764 - Problem with deletion while replicated
-- Ticket 47750 - Creating a glue fails if one above level is a conflict or missing; Ticket 47696 - Large Searches Hang - Possibly entryrdn related
-- Ticket 47772 - fix coverity issue
-- Ticket 47793 - Server crashes if uniqueMember is invalid syntax and memberOf plugin is enabled.
-- Ticket 47792 - database plugins need a way to call betxn plugins
-- Ticket 47707 - 389 DS Server crashes and dies while handles paged searches from clients
-- Ticket 47792 - code cleanup
-- Ticket 47779 - Need to lock server list when removing list
-- Ticket 47771 - Move parentsdn initialization to avoid crash
-- Ticket 47779 - Part of DNA shared configuration is deleted after server restart
-- Ticket 346 - Slow ldapmodify operation time for large quantities of multi-valued attribute values
-- Ticket 47782 - Parent numbordinate count can be incorrectly updated if an error occurs
-- Ticket 47772 - empty modify returns LDAP_INVALID_DN_SYNTAX
-- Ticket 47774 - mem leak in do_search - rawbase not freed upon certain errors
-- Ticket 47773 - mem leak in do_bind when there is an error
-- Ticket 47771 - Performing deletes during tombstone purging results in operation errors
-- Ticket 47767 - Nested tombstones become orphaned after purge
-- Ticket 47766 - Tombstone purging can crash the server if the backend is stopped/disabled
-- Ticket 47759 - Crash in replication when server is under write load
-- Ticket 47740 - Fix coverity issues(part 7)
-- Ticket 47748 - Simultaneous adding a user and binding as the user could fail in the password policy check
-- Ticket 47743 - Memory leak with proxy auth control
-- Ticket 47740 - Crash caused by changes to certmap.c
-- Ticket 47733 - ds logs many "Operation error fetching Null DN" messages
-- Ticket 47740 - Fix coverity issues: null deferences - Part 6
-- Ticket 47732 - ds logs many "SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN plugin returned error" messages
-- Ticket 47740 - Coverity issue in 1.3.3
-- Ticket 47735 - e_uniqueid fails to set if an entry is a conflict entry
-- Ticket 47740 - Fix coverity issues - Part 5
-- Ticket 47740 - Fix coverity erorrs - Part 4
-- Ticket 47640 - Fix coverity issues - part 3
-- Ticket 47740 - Fix sync plugin resource leaks
-- Ticket 47538 - RFE: repl-monitor.pl plain text output, cmdline config options
-- Ticket 47740 - Coverity Fixes (Mark - part 1) -- Ticket 47734 - Change made in resolving ticket #346 fails on Debian SPARC64 -- Ticket 47722 - Fixed filter not correctly identified -- Ticket 47722 - rsearch filter error on any search filter - -* Fri Mar 14 2014 Noriko Hosoi - 1.3.2.16-1 -- Release 1.3.2.16 (This release is 1.3.2.13 + Ticket 47739) -- Ticket 47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind - -* Thu Mar 13 2014 Noriko Hosoi - 1.3.2.15-1 -- Bump version to 1.3.2.15 -- Ticket 47735 - e_uniqueid fails to set if an entry is a conflict entry -- Ticket 47740 - Coverity issue in 1.3.3 -- Ticket 47740 - Fix coverity issues - Part 5 -- Ticket 47740 - Fix coverity erorrs - Part 4 -- Ticket 47640 - Fix coverity issues - part 3 -- Ticket 47740 - Fix sync plugin resource leaks -- Ticket 47538 - RFE: repl-monitor.pl plain text output, cmdline config options -- Ticket 47740 - Coverity Fixes (Mark - part 1) -- Ticket 47734 - Change made in resolving ticket #346 fails on Debian SPARC64 -- Ticket 47722 - Fixed filter not correctly identified -- Ticket 47722 - rsearch filter error on any search filter - -* Mon Mar 10 2014 Noriko Hosoi - 1.3.2.14-1 -- Bump version to 1.3.2.14 -- Ticket 47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind -- Ticket 47737 - Under heavy stress, failure of turning a tombstone into glue makes the server hung -- Ticket 47735 - e_uniqueid fails to set if an entry is a conflict entry -- Ticket 47729 - Directory Server crashes if shutdown during a replication initialization -- Ticket 47637 - rsa_null_sha should not be enabled by default - -* Fri Feb 28 2014 Noriko Hosoi - 1.3.2.13-1 -- Bump version to 1.3.2.13 -- The previous version 1.3.2.12 missed to increment the version in VERSION.sh - -* Fri Feb 28 2014 Noriko Hosoi - 1.3.2.12-1 -- Bump version to 1.3.2.12 -- Ticket 408 - create a normalized dn cache -- Ticket 571 - Empty control list causes LDAP protocol error is thrown 
(dup 47361) -- Ticket 408 - create a normalized dn cache -- Ticket 47699 - Propagate plugin precedence to all registered function types -- Ticket 525 - Replication retry time attributes cannot be added -- Ticket 47709 - package issue in 389-ds-base -- Ticket 47700 - Unresolved external symbol references break loading of the ACL plugin -- Ticket 47642 - Windows Sync group issues -- Ticket 525 - Replication retry time attributes cannot be added -- Ticket 47692 - single valued attribute replicated ADD does not work -- Ticket 47615 - Failed to compile the DS 389 1.3.2.3 version against Berkeley DB 4.2 version -- Ticket 47677 - Size returned by slapi_entry_size is not accurate -- Ticket 47693 - Environment variables are not passed when DS is started via service - -* Thu Feb 20 2014 Noriko Hosoi - 1.3.2.11-3 -- Added arch aware python dir; moved libns-dshttpd.so* to devel and libs package. - -* Fri Feb 14 2014 Parag Nemade - 1.3.2.11-2 -- Rebuild for icu 52 - -* Wed Feb 5 2014 Noriko Hosoi - 1.3.2.11-1 -- Bump version to 1.3.2.11 -- Ticket 47653 - Need a way to allow users to create entries assigned to themselves. 
-- Ticket 471 - logconv.pl tool removes the access logs contents if "-M" is not correctly used -- Ticket 47374 - flush.pl is not included in perl5 -- Ticket 47649 - Server hangs in cos_cache when adding a user entry -- Ticket 443 - Deleting attribute present in nsslapd-allowed-to-delete-attrs returns Operations error -- Ticket 47638 - Overflow in nsslapd-disk-monitoring-threshold on 32bit platform -- Ticket 47641 - 7-bit check plugin not checking MODRDN operation -- Ticket 342 - better error message when cache overflows -- Ticket 47516 - replication stops with excessive clock skew -- Ticket 47620 - Unable to delete protocol timeout attribute -- Ticket 408 - Fix crash when disabling/enabling the setting -- Ticket 47629 - random crashes related to sync repl -- Ticket 47571 - targetattr ACIs ignore subtype -- Ticket 47660 - config_set_allowed_to_delete_attrs: Valgrind reports Invalid read -- Revert "Ticket 47653 - Need a way to allow users to create entries assigned to themselves" - -* Wed Jan 8 2014 Noriko Hosoi - 1.3.2.10-1 -- Bump version to 1.3.2.10 -- Ticket 447 - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs -- Ticket 47653 - Need a way to allow users to create entries assigned to themselves -- Ticket 47647 - remove bogus definition in 60rfc3712.ldif -- Ticket 47634 - support AttributeTypeDescription USAGE userApplications distributedOperation dSAOperation -- Ticket 47645 - reset stack, op fields to NULL - clean up stacks at shutdown - free unused plugin config entries - -* Tue Dec 17 2013 Noriko Hosoi - 1.3.2.9-1 -- Bump version to 1.3.2.9 -- Ticket 47621 - v2 make referential integrity configuration more flexible -- Ticket 47620 - Fix missing left bracket -- Ticket 47620 - Fix dereferenced NULL pointer in agmtlist_modify_callback() -- Ticket 47606 - replica init/bulk import errors should be more verbose -- Ticket 47631 - objectclass may, must lists skip rest of objectclass once first is found in sup -- Ticket 47627 - Fix replication 
logging -- Ticket 47620 - Fix logically dead code. -- Ticket 47313 - Indexed search with filter containing '&' and "!" with attribute subtypes gives wrong result -- Ticket 47620 - Config value validation improvement -- Ticket 47620 - Fix cherry-pick error for 1.3.2 and 1.3.1 -- Ticket 47613 - Issues setting allowed mechanisms -- Ticket 47617 - allow configuring changelog trim interval -- Ticket 47601 - Plugin library path validation prevents intentional loading of out-of-tree modules -- Ticket 47627 - changelog iteration should ignore cleaned rids when getting the minCSN -- Ticket 47623 - fix memleak caused by 47347 -- Ticket 47622 - Automember betxnpreoperation - transaction not aborted when group entry does not exist -- Ticket 47623 - fix memleak caused by 47347 -- Ticket 47620 - 389-ds rejects nsds5ReplicaProtocolTimeout attribute - -* Fri Dec 6 2013 Noriko Hosoi - 1.3.2.8-1 -- Bump version to 1.3.2.8 -- Ticket 47612 - ns-slapd eats all the memory -- Ticket 47527 - Allow referential integrity suffixes to be configurable -- Ticket 47526 - Allow memberof suffixes to be configurable -- Ticket 342 - better error message when cache overflows (phase 2) -- Ticket 47587 - hard coded limit of 64 masters in agreement and changelog code -- Ticket 47611 - Add script to build patched RPMs -- Ticket 47614 - Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms -- Ticket 47613 - Impossible to configure nsslapd-allowed-sasl-mechanisms -- Ticket 47592 - automember plugin task memory leaks -- Ticket 47591 - entries with empty objectclass attribute value can be hidden -- Ticket 47596 - attrcrypt fails to find unlocked key - -* Mon Nov 25 2013 Mark Reynolds - 1.3.2.7-1 -- 924ead4 Bump version to 1.3.2.7 -- Ticket 47593 - Update plugin API for OTP plugin -- Ticket 47599 - fix memory leak in ldbm_back_seq() - -* Fri Nov 22 2013 Rich Megginson - 1.3.2.6-1 -- Ticket 47599 - Reduce lock scope in retro changelog plug-in -- previous fix missing defition of 
retrocl_cn_lock - -* Thu Nov 21 2013 Rich Megginson - 1.3.2.5-1 -- Ticket #47605 CVE-2013-4485: DoS due to improper handling of ger attr searches - -* Wed Nov 20 2013 Mark Reynolds - 1.3.2.4-1 -6cdca01 bump version to 1.3.2.4 -Ticket 47599 - Reduce lock scope in retro changelog plug-in -Ticket 47596 - attrcrypt fails to find unlocked key -Ticket 47598 - Convert ldbm_back_seq code to be transaction aware -Ticket 47597 - Convert retro changelog plug-in to betxn -Ticket 47585 - Replication Failures related to skipped entries due to cleaned rids -Ticket 47588 - Compiler warnings building on F19 -Ticket 47581 - Winsync plugin segfault during incremental backoff (phase 2) -Ticket 47581 - Winsync plugin segfault during incremental backoff -Ticket 47577 - crash when removing entries from cache -6b16d30 Revert "Ticket #47559 hung server - related to sasl and initialize" - -* Mon Oct 28 2013 Noriko Hosoi - 1.3.2.3-1 -- release 1.3.2.3 -- Ticket 47515 - Fedora 20: setup-ds-admin.pl -- Ticket 47569 - Fix build warnings -- Ticket 47569 - ACIs do not allow attribute subtypes in targetattr keyword -- Ticket 47565 - Content Sync update file needs extensibleObject -- Ticket 47560 - fixup memberof task does not work: task entry not added -- Ticket 47559 - hung server - related to sasl and initialize - -* Fri Oct 11 2013 Noriko Hosoi - 1.3.2.2-1 -- release 1.3.2.2 -- Ticket 47517 - memory leak in range searches and other various leaks -- ticket 47550 - wip (cherry picked from commit 82377636267787be5182457d619d5a0b662d2658) -- Ticket 47550 - logconv: failed logins: Use of uninitialized value in numeric comparison at logconv.pl line 949 - -* Thu Oct 10 2013 Noriko Hosoi - 1.3.2.1-1 -- release 1.3.2.1 -- Ticket 47513 - tmpfiles.d references /var/lock when they should reference /run/lock -- Ticket 47551 - logconv: -V does not produce unindexed search report -- Ticket 47490 - Schema replication between DS versions may overwrite newer base schema - -* Fri Oct 4 2013 Noriko Hosoi - 
1.3.2.0-1 -- release 1.3.2.0 -- Ticket 48 - Active Directory has certain uids which are reserved and will cause a Directory Server replica initialization of an AD server to abort. -- Ticket 53 - Need to update supported locales -- Ticket 54 - locale "nl" not supported by collation plugin -- Ticket 77 - [RFE] Add ACI support for ldapi -- Ticket 123 - Enhancement request: "whoami" extended operation -- Ticket 153 - Schema file parsing overly picky? -- Ticket 182 - Pwd retry counters replication not enabled by default, and enabling it could lead to undesired results -- Ticket 197 - rhds82 rfe - BDB backend - clear free page files to reduce changelog size -- Ticket 205 - rhds81 rfe - snmp counters index strings for multiple network interfaces with ip addr and tcp port pairs -- Ticket 208 - [RFE] Roles with explicit scoping in RHDS -- Ticket 283 - Expose slapi_eq_* API -- Ticket 314 - ChainOnUpdate: "cn=directory manager" can modify userRoot on consumer without changes being chained or replicated. Directory integrity compromised. -- Ticket 411 - [RFE] mods optimizer -- Ticket 415 - winsync doesn't sync DN valued attributes if DS DN value doesn't exist -- Ticket 428 - posix winsync should support ADD user/group entries from DS to AD -- Ticket 460 - support multiple subtrees and filters -- Ticket 512 - improve performance of vattr code -- Ticket 513 - recycle operation pblocks -- Ticket 514 - investigate connection locking -- Ticket 521 - modrdn + NSMMReplicationPlugin - Consumer failed to replay change -- Ticket 564 - Is ldbm_txn_ruv_modify_context still required ? 
-- Ticket 568 - using transaction batchval violates durability -- Ticket 569 - examine replication code to reduce amount of stored state information -- Ticket 586 - selinux errors with /usr/sbin/setup-ds-admin.pl -- Ticket 589 - [RFE] Support RFC 4527 Read Entry Controls -- Ticket 601 - multi master replication allows schema violation -- Ticket 602 - replication inconsistency if attribute is modified several times in one operaion -- Ticket 607 - Replication issue: Entry can diverge betwen servers -- Ticket 609 - nsDS5BeginReplicaRefresh attribute accepts any value and it doesn't throw any error when server restarts. -- Ticket 615 - High contention on cos cache lock -- Ticket 617 - Possible to add invalid ACI value -- Ticket 626 - Possible to add nonexistent target to ACI -- Ticket 630 - The backend name provided to bak2db is not validated -- Ticket 47306 - execute index_add_mods only for indexed attributes -- Ticket 47310 - Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync -- Ticket 47313 - Indexed search with filter containing '&' and "!" 
with attribute subtypes gives wrong result -- Ticket 47314 - Winsync should support range retrieval -- Ticket 47316 - Search against 'view' is always reported as unindexed -- Ticket 47317 - should set LDAP_OPT_X_SASL_NOCANON to LDAP_OPT_ON by default -- Ticket 47319 - make connection buffer size adjustable -- Ticket 47320 - put conn on work_q not poll list if conn has buffered more_data -- Ticket 47323 - resurrected entry is not correctly indexed -- Ticket 47326 - idl switch does not work -- Ticket 47329 - Improve slapi_back_transaction_begin() return code when transactions are not available -- Ticket 47331 - Self entry access ACI not working properly -- Ticket 47337 - mep_pre_op: Unable to fetch origin entry -- Ticket 47340 - Deleting a separator ',' in 7-bit check plugin arguments makes the server fail to start with segfault -- Ticket 47350 - Allow search to look up 'in memory RUV' -- Ticket 47354 - Indexed search are logged with 'notes=U' in the access logs -- Ticket 47358 - backend performance - introduce optimization levels -- Ticket 47360 - Delete attribute could crash the server -- Ticket 47363 - 7-bit checking is not necessary for userPassword -- Ticket 47370 - DS crashes with some 7-bit check plugin configurations -- Ticket 47371 - Some updates of "passwordgraceusertime" are useless when updating "userpassword" -- Ticket 47372 - make old-idl tunable -- Ticket 47381 - nsslapd-db-transaction-batch-val turns to -1 -- Ticket 47382 - Add a warning message when a connection hits the max number of threads -- Ticket 47384 - Plugin library path validation -- Ticket 47387 - improve logconv.pl performance with large access logs -- Ticket 47388 - [RFE] Support 'Content Synchronization Operation' (SyncRepl) - RFC 4533 -- Ticket 47389 - Non-directory manager can change the individual userPassword's storage scheme -- Ticket 47394 - remove-ds.pl should remove /var/lock/dirsrv -- Ticket 47400 - MMR stress test with dna enabled causes a deadlock -- Ticket 47411 - Replace 
substring search with plain search in referint plugin -- Ticket 47416 - IPA replica's - "SASL encrypted packet length exceeds maximum allowed limit" -- Ticket 47423 - 7-bit check plugin does not work for userpassword attribute -- Ticket 47425 - should only call windows_update_done if repl agmt type is windows -- Ticket 47426 - move compute_idletimeout out of handle_pr_read_ready -- Ticket 47433 - With SeLinux, ports can be labelled per range. setup-ds.pl or setup-ds-admin.pl fail to detect already ranged labelled ports -- Ticket 47463 - IDL-style can become mismatched during partial restoration -- Ticket 47487 - enhance retro changelog -- Ticket 47502 - updates to ruv entry are written to retro changelog -- Ticket 47504 - idlistscanlimit per index/type/value -- Ticket 47505 - get rid of valueset_add_valuearray_ext -- Ticket 47520 - Fix various issues with logconv.pl -- Ticket 47522 - Password administrators should be able to violate password policy -- Ticket 47531 - 1.3.2 with mozldap - need to redo sasl_io_recv -- Ticket 47532 - 1.3.2 with mozldap - crashes in new operation work_q -- Ticket 47539 - Disabling DNA plug-in throws error 53 -- Ticket 47543 - mozldap - fix compiler warnings - -* Mon Sep 30 2013 Rich Megginson - 1.3.1.11-1 -- Ticket 47513 - Set localrundir outside of the "with-fhs" block -- Ticket 47513 - Refine the check for @localrundir@ -- Ticket 47510 - remove unnecessary typedef -- Ticket 47510 - Repl Sync does not compile against MozLDAP libraries - -* Fri Sep 27 2013 Rich Megginson - 1.3.1.10-1 -- Ticket #47534 - RUV tombstone search with scope "one" doesn`t work -- Ticket 47510 - 389-ds-base does not compile against MozLDAP libraries -- Ticket #47523 - Set up replcation/agreement before initializing the sub suffix, the sub suffix is not found by ldapsearch -- Ticket 47528 - 389-ds-base built with mozldap can crash from invalid free -- Ticket #47504 idlistscanlimit per index/type/value -- Ticket 47513 - tmpfiles.d references /var/lock when they 
should reference /run/lock -- Ticket #47492 - PassSync removes User must change password flag on the Windows side -- Ticket 47509 - CLEANALLRUV doesnt run across all replicas -- Ticket #47516 replication stops with excessive clock skew -- 6829200 Coverity fix - 11952 - for Ticket 47512 -- Ticket 47512 - backend txn plugin fixup tasks should be done in a txn - -* Fri Sep 13 2013 Noriko Hosoi - 1.3.1.9-1 -- release 1.3.1.9 -- Ticket 449 - Allow macro aci keywords to be case-insensitive -- Ticket 47489 - Under specific values of nsDS5ReplicaName, replication may get broken or updates missing -- Ticket 47507 - automember rebuild task not working as expected - -* Fri Sep 6 2013 Rich Megginson - 1.3.1.8-1 -- Ticket #47455 - valgrind - value mem leaks, uninit mem usage -- fix breakage in slapi-nis introduced with the previous fix -- Ticket 47500 - start-dirsrv/restart-dirsrv/stop-disrv do not register with systemd correctly - -* Wed Aug 28 2013 Noriko Hosoi - 1.3.1.7-1 -- bump version to 1.3.1.7 -- Bug 1002215 - CVE-2013-4283 389-ds-base: ns-slapd crash due to bogus DN -- Ticket 47488 - Users from AD sub OU does not sync to IPA -- Ticket 47461 - logconv.pl - Use of comma-less variable list is deprecated -- Ticket 47473 - setup-ds.pl doesn't lookup the "root" group correctly - -* Sat Aug 03 2013 Petr Pisar - 1.3.1.6-1.1 -- Perl 5.18 rebuild - -* Thu Aug 01 2013 Noriko Hosoi - 1.3.1.6-1 -- bump version to 1.3.1.6 -- Ticket 47455 - valgrind - value mem leaks, uninit mem usage -- fix coverity 11915 - dead code - introduced with fix for ticket 346 -- fix coverity 11895 - null deref - caused by fix to ticket 47392 -- fix compiler warning in posix winsync code for posix_group_del_memberuid_callback -- Fix compiler warnings for Ticket 47395 and 47397 -- fix compiler warning (cherry picked from commit 904416f4631d842a105851b4a9931ae17822a107) -- Ticket 47450 - Fix compiler formatting warning errors for 32/64 bit arch -- fix compiler warnings -- Fix compiler warning (cherry picked 
from commit ec6ebc0b0f085a82041d993ab2450a3922ef5502) - -* Wed Jul 31 2013 Noriko Hosoi - 1.3.1.5-1 -- bump version to 1.3.1.5 -- Ticket 47456 - delete present values should append values to deleted values -- Ticket 47455 - valgrind - value mem leaks, uninit mem usage -- Ticket 47448 - Segfault in 389-ds-base-1.3.1.4-1.fc19 when setting up FreeIPA replication -- Ticket 47440 - Fix runtime errors caused by last patch. -- Ticket 47440 - Fix compilation warnings and header files -- Ticket 47405 - CVE-2013-2219 ACLs inoperative in some search scenarios -- Ticket 47447 - logconv.pl man page missing -m,-M,-B,-D -- Ticket 47378 - fix recent compiler warnings -- Ticket 47427 - Overflow in nsslapd-disk-monitoring-threshold -- Ticket 47449 - deadlock after adding and deleting entries -- Ticket 47441 - Disk Monitoring not checking filesystem with logs -- Ticket 47427 - Overflow in nsslapd-disk-monitoring-threshold - -* Fri Jul 19 2013 Noriko Hosoi - 1.3.1.4-1 -- bump version to 1.3.1.4 -- Ticket 47435 - Very large entryusn values after enabling the USN plugin and the lastusn value is negative. 
-- Ticket 47424 - Replication problem with add-delete requests on single-valued attributes -- Ticket 47367 - (phase 2) ldapdelete returns non-leaf entry error while trying to remove a leaf entry -- Ticket 47367 - (phase 1) ldapdelete returns non-leaf entry error while trying to remove a leaf entry -- Ticket 47421 - memory leaks in set_krb5_creds -- Ticket 346 - version 4 Slow ldapmodify operation time for large quantities of multi-valued attribute values -- Ticket 47369 version2 - provide default syntax plugin -- Ticket 47427 - Overflow in nsslapd-disk-monitoring-threshold -- Ticket 47399 - RHDS denies MODRDN access if ACI list contains any DENY rule -- Ticket 47427 - Overflow in nsslapd-disk-monitoring-threshold -- Ticket 47428 - Memory leak in 389-ds-base 1.2.11.15 -- Ticket 47392 - ldbm errors when adding/modifying/deleting entries -- Ticket 47385 - Disk Monitoring is not triggered as expected. -- Ticket 47410 - changelog db deadlocks with DNA and replication - -* Wed Jul 17 2013 Petr Pisar - 1.3.1.3-1.1 -- Perl 5.18 rebuild - -* Wed Jul 03 2013 Noriko Hosoi - 1.3.1.3-1 -- bump version to 1.3.1.3 -- Ticket 47374 - flush.pl is not included in perl5 -- Ticket 47391 - deleting and adding userpassword fails to update the password (additional fix) -- Ticket 47393 - Attribute are not encrypted on a consumer after a full initialization -- Ticket 47395 47397 - v2 correct behaviour of account policy if only stateattr is configured or no alternate attr is configured -- Ticket 47396 - crash on modrdn of tombstone -- Ticket 47400 - MMR stress test with dna enabled causes a deadlock -- Ticket 47409 - allow setting db deadlock rejection policy -- Ticket 47419 - Unhashed userpassword can accidentally get removed from mods -- Ticket 47420 - An upgrade script 80upgradednformat.pl fails to handle a server instance name incuding '-' - -* Sat Jun 15 2013 Noriko Hosoi - 1.3.1.2-1 -- bump version to 1.3.1.2 -- Ticket 47391 - deleting and adding userpassword fails to update the 
password -- Coverity Fixes (Part 7) - -* Fri Jun 14 2013 Noriko Hosoi - 1.3.1.1-1 -- bump version to 1.3.1.1 -- Ticket 402 - nhashed#user#password in entry extension -- Ticket 511 - Revision - allow turning off vattr lookup in search entry return -- Ticket 580 - Wrong error code return when using EXTERNAL SASL and no client certificate -- Ticket 47327 - error syncing group if group member user is not synced -- Ticket 47355 - dse.ldif doesn't replicate update to nsslapd-sasl-mapping-fallback -- Ticket 47359 - new ldap connections can block ldaps and ldapi connections -- Ticket 47362 - ipa upgrade selinuxusermap data not replicating -- Ticket 47375 - flush_ber error sending back start_tls response will deadlock -- Ticket 47376 - DESC should not be empty as per RFC 2252 (ldapv3) -- Ticket 47377 - make listen backlog size configurable -- Ticket 47378 - fix recent compiler warnings -- Ticket 47383 - connections attribute in cn=snmp,cn=monitor is counted twice -- Ticket 47385 - DS not shutting down when disk monitoring threshold is reached -- Coverity Fixes (part 1) -- Coverity Fixes (Part 2) -- Coverity Fixes (Part 3) -- Coverity Fixes (Part 4) -- Coverity Fixes (Part 5) - -* Thu May 02 2013 Noriko Hosoi - 1.3.1.0-1 -- bump version to 1.3.1.0 -- Ticket 332 - Command line perl scripts should attempt most secure connection type first -- Ticket 342 - better error message when cache overflows -- Ticket 417 - RFE - forcing passwordmustchange attribute by non-cn=directory manager -- Ticket 419 - logconv.pl - improve memory management -- Ticket 422 - 389-ds-base - Can't call method "getText" -- Ticket 433 - multiple bugs in start-dirsrv, stop-dirsrv, restart-dirsrv scripts -- Ticket 458 - RFE - Make it possible for privileges to be provided to an admin user to import an LDIF file containing hashed passwords -- Ticket 471 - logconv.pl tool removes the access logs contents if "-M" is not correctly used -- Ticket 487 - Possible to add invalid attribute values to PAM PTA plugin 
configuration -- Ticket 502 - setup-ds.pl script should wait if "semanage.trans.LOCK" presen -- Ticket 505 - use lock-free access name2asi and oid2asi tables (additional) -- Ticket 508 - lock-free access to FrontendConfig structure -- Ticket 511 - allow turning off vattr lookup in search entry return -- Ticket 525 - Introducing a user visible configuration variable for controlling replication retry time -- Ticket 528 - RFE - get rid of instance specific scripts -- Ticket 529 - dn normalization must handle multiple space characters in attributes -- Ticket 532 - RUV is not getting updated for both Master and consumer -- Ticket 533 - only scan for attributes to decrypt if there are encrypted attrs configured -- Ticket 534 - RFE: Add SASL mappings fallback -- Ticket 537 - Improvement of range search -- Ticket 539 - logconv.pl should handle microsecond timing -- Ticket 543 - Sorting with attributes in ldapsearch gives incorrect result -- Ticket 545 - Segfault during initial LDIF import: str2entry_dupcheck() -- Ticket 547 - Incorrect assumption in ndn cache -- Ticket 550 - posix winsync will not create memberuid values if group entry become posix group in the same sync interval -- Ticket 551 - Multivalued rootdn-days-allowed in RootDN Access Control plugin always results in access control violation -- Ticket 552 - Adding rootdn-open-time without rootdn-close-time to RootDN Acess Control results in inconsistent configuration -- Ticket 558 - Replication - make timeout for protocol shutdown configurable -- Ticket 561 - disable writing unhashed#user#password to changelog -- Ticket 563 - DSCreate.pm: Error messages cannot be used in the if expression since they could be localized. 
-- Ticket 565 - turbo mode and replication - allow disable of turbo mode -- Ticket 571 - server does not accept 0 length LDAP Control sequence -- Ticket 574 - problems with dbcachesize disk space calculation -- Ticket 583 - dirsrv fails to start on reboot due to /var/run/dirsrv permissions -- Ticket 585 - Behaviours of "db2ldif -a " and "db2ldif.pl -a " are inconsistent -- Ticket 587 - Replication error messages in the DS error logs -- Ticket 588 - Create MAN pages for command line scripts -- Ticket 600 - Server should return unavailableCriticalExtension when processing a badly formed critical control -- Ticket 603 - A logic error in str2simple -- Ticket 604 - Required attribute not checked during search operation -- Ticket 608 - Posix Winsync plugin throws "posix_winsync_end_update_cb: failed to add task entry" error message -- Ticket 611 - logconv.pl missing stats for StartTLS, LDAPI, and AUTOBIND -- Ticket 612 - improve dbgen rdn generation, output -- Ticket 613 - ldclt: add timestamp, interval, nozeropad, other improvements -- Ticket 616 - High contention on computed attribute lock -- Ticket 618 - Crash at shutdown while stopping replica agreements -- Ticket 620 - Better logging of error messages for 389-ds-base -- Ticket 621 - modify operations without values need to be written to the changelog -- Ticket 622 - DS logging errors "libdb: BDB0171 seek: 2147483648: (262144 * 8192) + 0: No such file or directory -- Ticket 631 - Replication: "Incremental update started" status message without consumer initialized -- Ticket 633 - allow nsslapd-nagle to be disabled, and also tcp cork -- Ticket 47299 - allow cmdline scripts to work with non-root user -- Ticket 47302 - get rid of sbindir start/stop/restart slapd scripts -- Ticket 47303 - start/stop/restart dirsrv scripts should report and error if no instances -- Ticket 47304 - reinitialization of a master with a disabled agreement hangs -- Ticket 47311 - segfault in db2ldif(trigger by a cleanallruv task) -- Ticket 
47312 - replace PR_GetFileInfo with PR_GetFileInfo64 -- Ticket 47315 - filter option in fixup-memberof requires more clarification -- Ticket 47325 - Crash at shutdown on a replica aggrement -- Ticket 47330 - changelog db extension / upgrade is obsolete -- Ticket 47336 - logconv.pl -m not working for all stats -- Ticket 47341 - logconv.pl -m time calculation is wrong -- Ticket 47343 - 389-ds-base: Does not support aarch64 in f19 and rawhide -- Ticket 47347 - Simple paged results should support async search -- Ticket 47348 - add etimes to per second/minute stats -- Ticket 47349 - DS instance crashes under a high load - -* Thu Mar 28 2013 Noriko Hosoi - 1.3.0.5-1 -- bump version to 1.3.0.5 -- Ticket 47308 - unintended information exposure when anonymous access is set to rootdse -- Ticket 628 - crash in aci evaluation -- Ticket 627 - ns-slapd crashes sporadically with segmentation fault in libslapd.so -- Ticket 634 - Deadlock in DNA plug-in Ticket #576 - DNA: use event queue for config update only at the start up -- Ticket 632 - 389-ds-base cannot handle Kerberos tickets with PAC -- Ticket 623 - cleanAllRUV task fails to cleanup config upon completion - -* Mon Mar 11 2013 Mark Reynolds - 1.3.0.4-1 -- e53d691 bump version to 1.3.0.4 -- Bug 912964 - CVE-2013-0312 389-ds: unauthenticated denial of service vulnerability in handling of LDAPv3 control data -- Ticket 570 - DS returns error 20 when replacing values of a multi-valued attribute (only when replication is enabled) -- Ticket 490 - Slow role performance when using a lot of roles -- Ticket 590 - ns-slapd segfaults while trying to delete a tombstone entry - -* Wed Feb 13 2013 Noriko Hosoi - 1.3.0.3-1 -- bump version to 1.3.0.3 -- Ticket #584 - Existence of an entry is not checked when its password is to be deleted -- Ticket 562 - Crash when deleting suffix - -* Fri Feb 01 2013 Parag Nemade - 1.3.0.2-2 -- Rebuild for icu 50 - -* Wed Jan 16 2013 Noriko Hosoi - 1.3.0.2-1 -- bump version to 1.3.0.2 -- Ticket #542 - Cannot 
dynamically set nsslapd-maxbersize - -* Wed Jan 16 2013 Noriko Hosoi - 1.3.0.1-1 -- bump version to 1.3.0.1 -- Ticket 556 - Don't overwrite certmap.conf during upgrade - -* Tue Jan 08 2013 Noriko Hosoi - 1.3.0.0-1 -- bump version to 1.3.0.0 - -* Tue Jan 08 2013 Noriko Hosoi - 1.3.0-0.3.rc3 -- bump version to 1.3.0.rc3 -- Ticket 549 - DNA plugin no longer reports additional info when range is depleted -- Ticket 541 - need to set plugin as off in ldif template -- Ticket 541 - RootDN Access Control plugin is missing after upgrade - -* Fri Dec 14 2012 Noriko Hosoi - 1.3.0-0.2.rc2 -- bump version to 1.3.0.rc2 -- Trac Ticket #497 - Escaped character cannot be used in the substring search filter -- Ticket 509 - lock-free access to be->be_suffixlock -- Trac Ticket #522 - betxn: upgrade is not implemented yet - -* Tue Dec 11 2012 Noriko Hosoi - 1.3.0-0.1.rc1 -- bump version to 1.3.0.rc1 -- Ticket #322 - Create DOAP description for the 389 Directory Server project -- Trac Ticket #499 - Handling URP results is not corrrect -- Ticket 509 - lock-free access to be->be_suffixlock -- Ticket 456 - improve entry cache sizing -- Trac Ticket #531 - loading an entry from the database should use str2entry_f -- Trac Ticket #536 - Clean up compiler warnings for 1.3 -- Trac Ticket #531 - loading an entry from the database should use str2entry_fast -- Ticket 509 - lock-free access to be->be_suffixlock -- Ticket 527 - ns-slapd segfaults if it cannot rename the logs -- Ticket 395 - RFE: 389-ds shouldn't advertise in the rootDSE that we can handle a sasl mech if we really can't -- Ticket 216 - disable replication agreements -- Ticket 518 - dse.ldif is 0 length after server kill or machine kill -- Ticket 393 - Change in winSyncInterval does not take immediate effect -- Ticket 20 - Allow automember to work on entries that have already been added -- Coverity Fixes -- Ticket 349 - nsViewFilter syntax issue in 389DS 1.2.5 -- Ticket 337 - improve CLEANRUV functionality -- Fix for ticket 504 -- 
Ticket 394 - modify-delete userpassword -- minor fixes for bdb 4.2/4.3 and mozldap -- Trac Ticket #276 - Multiple threads simultaneously working on connection's private buffer causes ns-slapd to abort -- Fix for ticket 465: cn=monitor showing stats for other db instances -- Ticket 507 - use mutex for FrontendConfig lock instead of rwlock -- Fix for ticket 510 Avoid creating an attribute just to determine the syntax for a type, look up the syntax directly by type -- Coverity defect: Resource leak 13110 -- Ticket 517 - crash in DNA if no dnaMagicRegen is specified -- Trac Ticket #520 - RedHat Directory Server crashes (segfaults) when moving ldap entry -- Trac Ticket #519 - Search with a complex filter including range search is slow -- Trac Ticket #500 - Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error -- Trac Ticket #311 - IP lookup failing with multiple DNS entries -- Trac Ticket #447 - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs -- Trac Ticket #443 - Deleting attribute present in nsslapd-allowed-to-delete-attrs returns Operations error -- Ticket #503 - Improve AD version in winsync log message -- Trac Ticket #190 - Un-resolvable server in replication agreement produces unclear error message -- Coverity fixes -- Trac Ticket #391 - Slapd crashes when deleting backends while operations are still in progress -- Trac Ticket #448 - Possible to set invalid macros in Macro ACIs -- Trac Ticket #498 - Cannot abaondon simple paged result search -- Coverity defects -- Trac Ticket #494 - slapd entered to infinite loop during new index addition -- Fixing compiler warnings in the posix-winsync plugin -- Coverity defects -- Ticket 147 - Internal Password Policy usage very inefficient -- Ticket 495 - internalModifiersname not updated by DNA plugin -- Revert "Ticket 495 - internalModifiersname not updated by DNA plugin" -- Ticket 495 - internalModifiersname not updated by DNA plugin -- Ticket 
468 - if pam_passthru is enabled, need to AC_CHECK_HEADERS([security/pam_appl.h]) -- Ticket 486 - nsslapd-enablePlugin should not be multivalued -- Ticket 488 - Doc: DS error log messages with typo -- Trac Ticket #451 - Allow db2ldif to be quiet -- Ticket #491 - multimaster_extop_cleanruv returns wrong error codes -- Ticket #481 - expand nested posix groups -- Trac Ticket #455 - Insufficient rights to unhashed#user#password when user deletes his password -- Ticket #446 - anonymous limits are being applied to directory manager - -* Tue Oct 9 2012 Mark Reynolds - 1.3.0.a1-1 -- Ticket #28 - MOD operations with chained delete/add get back error 53 on backend config -- Ticket #173 - ds-logpipe.py script's man page and script help should be updated for -t option. -- Ticket #196 - RFE: Interpret IPV6 addresses for ACIs, replication, and chaining -- Ticket #218 - RFE - Make RIP working with Replicated Entries -- Ticket #328 - make sure all internal search filters are properly escaped -- Ticket #329 - 389-admin build fails on F-18 with new apache -- Ticket #344 - deadlock in replica_write_ruv -- Ticket #351 - use betxn plugins by default -- Ticket #352 - make cos, roles, views betxn aware -- Ticket #356 - logconv.pl - RFE - track bind info -- Ticket #365 - Audit log - clear text password in user changes -- Ticket #370 - Opening merge qualifier CoS entry using RHDS console changes the entry. 
-- Ticket #372 - Setting nsslapd-listenhost or nsslapd-securelistenhost breaks ACI processing -- Ticket #386 - Overconsumption of memory with large cachememsize and heavy use of ldapmodify -- Ticket #402 - unhashedTicket #userTicket #password in entry extension -- Ticket #408 - Create a normalized dn cache -- Ticket #453 - db2index with -tattrname:type,type fails -- Ticket #461 - fix build problem with mozldap c sdk -- Ticket #462 - add test for include file mntent.h -- Ticket #463 - different parameters of getmntent in Solaris - -* Tue Sep 25 2012 Rich Megginson - 1.2.11.15-1 -- Trac Ticket #470 - 389 prevents from adding a posixaccount with userpassword after schema reload -- Ticket 477 - CLEANALLRUV if there are only winsync agmts task will hang -- Ticket 457 - dirsrv init script returns 0 even when few or all instances fail to start -- Ticket 473 - change VERSION.sh to have console version be major.minor -- Ticket 475 - Root DN Access Control - improve value checking for config -- Trac Ticket #466 - entry_apply_mod - ADD: Failed to set unhashed#user#password to extension -- Ticket 474 - Root DN Access Control - days allowed not working correctly -- Ticket 467 - CLEANALLRUV abort task should be able to ignore down replicas -- 0b79915 fix compiler warnings in ticket 374 code -- Ticket 452 - automember rebuild task adds users to groups that do not match the configuration scope - -* Fri Sep 7 2012 Rich Megginson - 1.2.11.14-1 -- Ticket 450 - CLEANALLRUV task gets stuck on winsync replication agreement -- Ticket 386 - large memory growth with ldapmodify(heap fragmentation) -- this patch doesn't fix the bug - it allows us to experiment with -- different values of mxfast -- Ticket #374 - consumer can go into total update mode for no reason - -* Tue Sep 4 2012 Rich Megginson - 1.2.11.13-1 -- Ticket #426 - support posix schema for user and group sync -- 1) plugin config ldif must contain pluginid, etc. 
during upgrade or it -- will fail due to schema errors -- 2) posix winsync should have a lower precedence (25) than the default (50) -- so that it will be run first -- 3) posix winsync should support the Winsync API v3 - the v2 functions are -- just stubs for now - but the precedence cb is active - -* Thu Aug 30 2012 Rich Megginson - 1.2.11.12-1 -- 8e5087a Coverity defects - 13089: Dereference after null check ldbm_back_delete -- Trac Ticket #437 - variable dn should not be used in ldbm_back_delete -- ba1f5b2 fix coverity resource leak in windows_plugin_add -- e3e81db Simplify program flow: change while loops to for -- a0d5dc0 Fix logic errors: del_mod should be latched (might not be last mod), and avoid skipping add-mods (int value 0) -- 0808f7e Simplify program flow: make adduids/moduids/deluids action blocks all similar -- 77eb760 Simplify program flow: eliminate unnecessary continue -- c9e9db7 Memory leaks: unmatched slapi_attr_get_valueset and slapi_value_new -- a4ca0cc Change "return"s in modGroupMembership to "break"s to avoid leaking -- d49035c Factorize into new isPosixGroup function -- 3b61c03 coverity - posix winsync mem leaks, null check, deadcode, null ref, use after free -- 33ce2a9 fix mem leaks with parent dn log message, setting winsync windows domain -- Ticket #440 - periodic dirsync timed event causes server to loop repeatedly -- Ticket #355 - winsync should not delete entry that appears to be out of scope -- Ticket 436 - nsds5ReplicaEnabled can be set with any invalid values. 
-- 487932d coverity - mbo dead code - winsync leaks, deadcode, null check, test code -- 2734a71 CLEANALLRUV coverity fixes -- Ticket #426 - support posix schema for user and group sync -- Ticket #430 - server to server ssl client auth broken with latest openldap - -* Mon Aug 20 2012 Mark Reynolds - 1.2.11.11-1 -6c0778f bumped version to 1.2.11.11 -Ticket 429 - added nsslapd-readonly to DS schema -Ticket 403 - fix CLEANALLRUV regression from last commit -Trac Ticket #346 - Slow ldapmodify operation time for large quantities of multi-valued attribute values - -* Wed Aug 15 2012 Mark Reynolds - 1.2.11.10-1 -db6b354 bumped version to 1.2.11.10 -Ticket 403 - CLEANALLRUV revisions - -* Tue Aug 7 2012 Mark Reynolds - 1.2.11.9-1 -ea05e69 Bumped version to 1.2.11.9 -Ticket 407 - dna memory leak - fix crash from prev fix - -* Fri Aug 3 2012 Mark Reynolds - 1.2.11.8-1 -ddcf669 bump version to 1.2.11.8 for offical release -Ticket #425 - support multiple winsync plugins -Ticket 403 - cleanallruv coverity fixes -Ticket 407 - memory leak in dna plugin -Ticket 403 - CLEANALLRUV feature -Ticket 413 - "Server is unwilling to perform" when running ldapmodify on nsds5ReplicaStripAttrs -3168f04 Coverity defects -5ff0a02 COVERITY FIXES -Ticket #388 - Improve replication agreement status messages -0760116 Update the slapi-plugin documentation on new slapi functions, and added a slapi function for checking on shutdowns -Ticket #369 - restore of replica ldif file on second master after deleting two records shows only 1 deletion -Ticket #409 - Report during startup if nsslapd-cachememsize is too small -Ticket #412 - memberof performance enhancement -12813: Uninitialized pointer read string_values2keys -Ticket #346 - Slow ldapmodify operation time for large quantities of multi-valued attribute values -Ticket #346 - Slow ldapmodify operation time for large quantities of multi-valued attribute values -Ticket #410 - Referential integrity plug-in does not work when update interval is not zero 
-Ticket #406 - Impossible to rename entry (modrdn) with Attribute Uniqueness plugin enabled -Ticket #405 - referint modrdn not working if case is different -Ticket 399 - slapi_ldap_bind() doesn't check bind results - -* Wed Jul 18 2012 Fedora Release Engineering - 1.2.11.7-2.2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Thu Jun 28 2012 Petr Pisar - 1.2.11.7-2.1 -- Perl 5.16 rebuild - -* Wed Jun 27 2012 Rich Megginson - 1.2.11.7-2 -- Ticket 378 - unhashed#user#password visible after changing password -- fix func declaration from previous patch -- Ticket 366 - Change DS to purge ticket from krb cache in case of authentication error - -* Wed Jun 27 2012 Rich Megginson - 1.2.11.7-1 -- Trac Ticket 396 - Account Usability Control Not Working - -* Thu Jun 21 2012 Rich Megginson - 1.2.11.6-1 -- Ticket #378 - audit log does not log unhashed password: enabled, by default. -- Ticket #378 - unhashed#user#password visible after changing password -- Ticket #365 - passwords in clear text in the audit log - -* Tue Jun 19 2012 Rich Megginson - 1.2.11.5-2 -- workaround for https://bugzilla.redhat.com/show_bug.cgi?id=833529 - -* Mon Jun 18 2012 Rich Megginson - 1.2.11.5-1 -- Ticket #387 - managed entry sometimes doesn't delete the managed entry -- 5903815 improve txn test index handling -- Ticket #360 - ldapmodify returns Operations error - fix delete caching -- bcfa9e3 Coverity Fix for CLEANALLRUV -- Trac Ticket #335 - transaction retries need to be cache aware -- Ticket #389 - ADD operations not in audit log -- 44cdc84 fix coverity issues with uninit vals, no return checking -- Ticket 368 - Make the cleanAllRUV task one step -- Ticket #110 - RFE limiting root DN by host, IP, time of day, day of week - -* Mon Jun 11 2012 Petr Pisar - 1.2.11.4-1.1 -- Perl 5.16 rebuild - -* Tue May 22 2012 Rich Megginson - 1.2.11.4-1 -- Ticket #360 - ldapmodify returns Operations error -- Ticket #321 - krbExtraData is being null modified and replicated on each ssh login 
-- Trac Ticket #359 - Database RUV could mismatch the one in changelog under the stress -- Ticket #361: Bad DNs in ACIs can segfault ns-slapd -- Trac Ticket #338 - letters in object's cn get converted to lowercase when renaming object -- Ticket #337 - Improve CLEANRUV task - -* Sat May 5 2012 Rich Megginson - 1.2.11.3-1 -- Ticket #358 - managed entry doesn't delete linked entry - -* Fri May 4 2012 Rich Megginson - 1.2.11.2-1 -- Ticket #351 - use betxn plugins by default -- revert - make no plugins betxn by default - too great a risk -- for deadlocks until we can test this better -- Ticket #348 - crash in ldap_initialize with multiple threads -- fixes PR_Init problem in ldclt - -* Wed May 2 2012 Rich Megginson - 1.2.11.1-1 -- f227f11 Suppress alert on unavailable port with forced setup -- Ticket #353 - coverity 12625-12629 - leaks, dead code, unchecked return -- Ticket #351 - use betxn plugins by default -- Trac Ticket #345 - db deadlock return should not log error -- Ticket #348 - crash in ldap_initialize with multiple threads -- Ticket #214 - Adding Replication agreement should complain if required nsds5ReplicaCredentials not supplied -- Ticket #207 - [RFE] enable attribute that tracks when a password was last set -- Ticket #216 - RFE - Disable replication agreements -- Ticket #337 - RFE - Improve CLEANRUV functionality -- Ticket #326 - MemberOf plugin should work on all backends -- Trac Ticket #19 - Convert entryUSN plugin to transaction aware type -- Ticket #347 - IPA dirsvr seg-fault during system longevity test -- Trac Ticket #310 - Avoid calling escape_string() for logged DNs -- Trac Ticket #338 - letters in object's cn get converted to lowercase when renaming object -- Ticket #183 - passwordMaxFailure should lockout password one sooner -- Trac Ticket #335 - transaction retries need to be cache aware -- Ticket #336 - [abrt] 389-ds-base-1.2.10.4-2.fc16: index_range_read_ext: Process /usr/sbin/ns-slapd was killed by signal 11 (SIGSEGV) -- Ticket #325 - 
logconv.pl : use of getopts to parse command line options -- Ticket #336 - [abrt] 389-ds-base-1.2.10.4-2.fc16: index_range_read_ext: Process /usr/sbin/ns-slapd was killed by signal 11 (SIGSEGV) -- 554e29d Coverity Fixes -- Trac Ticket #46 - (additional 2) setup-ds-admin.pl does not like ipv6 only hostnames -- Ticket #183 - passwordMaxFailure should lockout password one sooner - and should be configurable to avoid regressions -- Ticket #315 - small fix to libglobs -- Ticket #315 - ns-slapd exits/crashes if /var fills up -- Ticket #20 - Allow automember to work on entries that have already been added -- Trac Ticket #45 - Fine Grained Password policy: if passwordHistory is on, deleting the password fails. - -* Fri Mar 30 2012 Rich Megginson - 1.2.11-0.1.a1 -- 453eb97 schema def must have DESC '' - close paren must be preceded by space -- Trac Ticket #46 - (additional) setup-ds-admin.pl does not like ipv6 only hostnames -- Ticket #331 - transaction errors with db 4.3 and db 4.2 -- Ticket #261 - Add Solaris i386 -- Ticket #316 and Ticket #70 - add post add/mod and AD add callback hooks -- Ticket #324 - Sync with group attribute containing () fails -- Ticket #319 - ldap-agent crashes on start with signal SIGSEGV -- 77cacd9 coverity 12606 Logically dead code -- Trac Ticket #303 - make DNA range requests work with transactions -- Ticket #320 - allow most plugins to be betxn plugins -- Ticket #24 - Add nsTLS1 to the DS schema -- Ticket #271 - Slow shutdown when you have 100+ replication agreements -- TIcket #285 - compilation fixes for '--format-security' -- Ticket 211 - Avoid preop range requests non-DNA operations -- Ticket #271 - replication code cleanup -- Ticket 317 - RHDS fractional replication with excluded password policy attributes leads to wrong error messages. 
-- Ticket #308 - Automembership plugin fails if data and config area mixed in the plugin configuration -- Ticket #292 - logconv.pl reporting unindexed search with different search base than shown in access logs -- 6f8680a coverity 12563 Read from pointer after free (fix 2) -- e6a9b22 coverity 12563 Read from pointer after free -- 245d494 Config changes fail because of unknown attribute "internalModifiersname" -- Ticket #191 - Implement SO_KEEPALIVE in network calls -- Ticket #289 - allow betxn plugin config changes -- 93adf5f destroy the entry cache and dn cache in the dse post op delete callback -- e2532d8 init txn thread private data for all database modes -- Ticket #291 - cannot use & in a sasl map search filter -- 6bf6e79 Schema Reload crash fix -- 60b2d12 Fixing compiler warnings -- Trac Ticket #260 - 389 DS does not support multiple paging controls on a single connection -- Ticket #302 - use thread local storage for internalModifiersName & internalCreatorsName -- fdcc256 Minor bug fix introcuded by commit 69c9f3bf7dd9fe2cadd5eae0ab72ce218b78820e -- Ticket #306 - void function cannot return value -- ticket 181 - Allow PAM passthru plug-in to have multiple config entries -- ticket 211 - Use of uninitialized variables in ldbm_back_modify() -- Ticket #74 - Add schema for DNA plugin (RFE) -- Ticket #301 - implement transaction support using thread local storage -- Ticket #211 - dnaNextValue gets incremented even if the user addition fails -- 144af59 coverity uninit var and resource leak -- Trac Ticket #34 - remove-ds.pl does not remove everything -- Trac Ticket #169 - allow 389 to use db5 -- bc78101 fix compiler warning in acct policy plugin -- Trac Ticket #84 - 389 Directory Server Unnecessary Checkpoints -- Trac Ticket #27 - SASL/PLAIN binds do not work -- Ticket #129 - Should only update modifyTimestamp/modifiersName on MODIFYops -- Ticket #17 - new replication optimizations - -* Tue Mar 27 2012 Noriko Hosoi - 1.2.10.4-4 -- Ticket #46 - (revised) 
setup-ds-admin.pl does not like ipv6 only hostnames
-- Ticket #66 - 389-ds-base spec file does not have a BuildRequires on gcc-c++
-
-* Fri Mar 23 2012 Noriko Hosoi - 1.2.10.4-3
-- Ticket #46 - setup-ds-admin.pl does not like ipv6 only hostnames
-
-* Wed Mar 21 2012 Rich Megginson - 1.2.10.4-2
-- get rid of posttrans - move update code to post
-
-* Tue Mar 13 2012 Rich Megginson - 1.2.10.4-1
-- Ticket #305 - Certain CMP operations hang or cause ns-slapd to crash
-
-* Mon Mar 5 2012 Rich Megginson - 1.2.10.3-1
-- b05139b memleak in normalize_mods2bvals
-- c0eea24 memleak in mep_parse_config_entry
-- 90bc9eb handle null smods
-- Ticket #305 - Certain CMP operations hang or cause ns-slapd to crash
-- Ticket #306 - void function cannot return value
-- ticket 304 - Fix kernel version checking in dsktune
-
-* Thu Feb 23 2012 Rich Megginson - 1.2.10.2-1
-- Trac Ticket #298 - crash when replicating orphaned tombstone entry
-- Ticket #281 - TLS not working with latest openldap
-- Trac Ticket #290 - server hangs during shutdown if betxn pre/post op fails
-- Trac Ticket #26 - Please support setting defaultNamingContext in the rootdse
-
-* Tue Feb 14 2012 Noriko Hosoi - 1.2.10.1-2
-- Ticket #124 - add Provides: ldif2ldbm to rpm
-
-* Tue Feb 14 2012 Rich Megginson - 1.2.10.1-1
-- Ticket #294 - 389 DS Segfaults during replica install in FreeIPA
-
-* Mon Feb 13 2012 Rich Megginson - 1.2.10.0-1
-- Ticket 284 - Remove unnecessary SNMP MIB files
-- Ticket 51 - memory leaks in 389-ds-base-1.2.8.2-1.el5?
-- Ticket 175 - logconv.pl improvements
-
-* Fri Feb 10 2012 Noriko Hosoi - 1.2.10-0.10.rc1.2
-- Introducing use_db4 macro to support db5 (libdb).
-
-* Fri Feb 10 2012 Petr Pisar - 1.2.10-0.10.rc1.1
-- Rebuild against PCRE 8.30
-
-* Thu Feb 2 2012 Rich Megginson - 1.2.10-0.10.rc1
-- ad9dd30 coverity 12488 Resource leak In attr_index_config(): Leak of memory or pointers to system resources
-- Ticket #281 - TLS not working with latest openldap
-- Ticket #280 - extensible binary filters do not work
-- Ticket #279 - filter normalization does not use matching rules
-- Trac Ticket #275 - Invalid read reported by valgrind
-- Ticket #277 - cannot set repl referrals or state
-- Ticket #278 - Schema replication update failed: Invalid syntax
-- Ticket #39 - Account Policy Plugin does not work for simple binds when PAM Pass Through Auth plugin is enabled
-- Ticket #13 - slapd process exits when put the database on read only mode while updates are coming to the server
-- Ticket #87 - Manpages fixes
-- c493fb4 fix a couple of minor coverity issues
-- Ticket #55 - Limit of 1024 characters for nsMatchingRule
-- Trac Ticket #274 - Reindexing entryrdn fails if ancestors are also tombstoned
-- Ticket #6 - protocol error from proxied auth operation
-- Ticket #38 - nisDomain schema is incorrect
-- Ticket #273 - ruv tombstone searches don't work after reindex entryrdn
-- Ticket #29 - Samba3-schema is missing sambaTrustedDomainPassword
-- Ticket #22 - RFE: Support sendmail LDAP routing schema
-- Ticket #161 - Review and address latest Coverity issues
-- Ticket #140 - incorrect memset parameters
-- Trac Ticket 35 - Log not clear enough on schema errors
-- Trac Ticket 139 - eliminate the use of char *dn in favor of Slapi_DN *dn
-- Trac Ticket #52 - FQDN set to nsslapd-listenhost makes the server start fail if IPv4-mapped-IPv6 address is given
-
-* Tue Jan 24 2012 Rich Megginson - 1.2.10-0.9.a8
-- Ticket #272 - add tombstonenumsubordinates to schema
-
-* Mon Jan 23 2012 Rich Megginson - 1.2.10-0.8.a7
-- fixes for systemd - remove .pid files after shutting down servers
-- Ticket #263 - add systemd include directive
-- Ticket #264 -
upgrade needs better check for "server is running"
-
-* Fri Jan 20 2012 Rich Megginson - 1.2.10-0.7.a7
-- Ticket #262 - pid file not removed with systemd
-- Ticket #50 - server should not call a plugin after the plugin close function is called
-- Ticket #18 - Data inconsitency during replication
-- Ticket #49 - better handling for server shutdown while long running tasks are active
-- Ticket #15 - Get rid of rwlock.h/rwlock.c and just use slapi_rwlock instead
-- Ticket #257 - repl-monitor doesn't work if leftmost hostnames are the same
-- Ticket #12 - 389 DS DNA Plugin / Replication failing on GSSAPI
-- 6aaeb77 add a hack to disable sasl hostname canonicalization
-- Ticket 168 - minssf should not apply to rootdse
-- Ticket #177 - logconv.pl doesn't detect restarts
-- Ticket #159 - Managed Entry Plugin runs against managed entries upon any update without validating
-- Ticket 75 - Unconfigure plugin opperations are being called.
-- Ticket 26 - Please support setting defaultNamingContext in the rootdse.
-- Ticket #71 - unable to delete managed entry config
-- Ticket #167 - Mixing transaction and non-transaction plugins can cause deadlock
-- Ticket #256 - debug build assertion in ACL_EvalDestroy()
-- Ticket #4 - bak2db gets stuck in infinite loop
-- Ticket #162 - Infinite loop / spin inside strcmpi_fast, acl_read_access_allowed_on_attr, server DoS
-- Ticket #3: acl cache overflown problem
-- Ticket 1 - pre-normalize filter and pre-compile substring regex - and other optimizations
-- Ticket 2 - If node entries are tombstone'd, subordinate entries fail to get the full DN.
-
-* Thu Jan 12 2012 Fedora Release Engineering - 1.2.10-0.6.a6.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
-
-* Thu Dec 15 2011 Rich Megginson - 1.2.10-0.6.a6
-- Bug 755725 - 389 programs linked against openldap crash during shutdown
-- Bug 755754 - Unable to start dirsrv service using systemd
-- Bug 745259 - Incorrect entryUSN index under high load in replicated environment
-- d439e3a use slapi_hexchar2int and slapi_str_to_u8 everywhere
-- 5910551 csn_init_as_string should not use sscanf
-- b53ba00 reduce calls to csn_as_string and slapi_log_error
-- c897267 fix member variable name error in slapi_uniqueIDFormat
-- 66808e5 uniqueid formatting - use slapi_u8_to_hex instead of sprintf
-- 580a875 csn_as_string - use slapi_uN_to_hex instead of sprintf
-- Bug 751645 - crash when simple paged fails to send entry to client
-- Bug 752155 - Use restorecon after creating init script lock file
-
-* Fri Nov 4 2011 Rich Megginson - 1.2.10-0.5.a5
-- Bug 751495 - 'setup-ds.pl -u' fails with undefined routine 'updateSystemD'
-- Bug 750625 750624 750622 744946 Coverity issues
-- Bug 748575 - part 2 - rhds81 modrdn operation and 100% cpu use in replication
-- Bug 748575 - rhds81 modrn operation and 100% cpu use in replication
-- Bug 745259 - Incorrect entryUSN index under high load in replicated environment
-- f639711 Reduce the number of DN normalization
-- c06a8fa Keep unhashed password psuedo-attribute in the adding entry
-- Bug 744945 - nsslapd-counters attribute value cannot be set to "off"
-- 8d3b921 Use new PLUGIN_CONFIG_ENTRY feature to allow switching between txn and regular
-- d316a67 Change referential integrity to be a betxnpostoperation plugin
-
-* Fri Oct 7 2011 Rich Megginson - 1.2.10-0.4.a4
-- Bug 741744 - part3 - MOD operations with chained delete/add get back error 53
-- 1d2f5a0 make memberof transaction aware and able to be a betxnpostoperation plug in
-- b6d3ba7 pass the plugin config entry to the plugin init function
-- 28f7bfb set
the ENTRY_POST_OP for modrdn betxnpostoperation plugins -- Bug 743966 - Compiler warnings in account usability plugin - -* Wed Oct 5 2011 Rich Megginson - 1.2.10.a3-0.3 -- 498c42b fix transaction support in ldbm_delete - -* Wed Oct 5 2011 Rich Megginson - 1.2.10.a2-0.2 -- Bug 740942 - allow resource limits to be set for paged searches independently of limits for other searches/operations -- Bug 741744 - MOD operations with chained delete/add get back error 53 on backend config -- Bug 742324 - allow nsslapd-idlistscanlimit to be set dynamically and per-user - -* Wed Sep 21 2011 Rich Megginson - 1.2.10.a1-0.1 -- Bug 695736 - Providing native systemd file - -* Wed Sep 7 2011 Rich Megginson - 1.2.9.10-2 -- corrected source - -* Wed Sep 7 2011 Rich Megginson - 1.2.9.10-1 -- Bug 735114 - renaming a managed entry does not update mepmanagedby - -* Thu Sep 1 2011 Rich Megginson - 1.2.9.9-1 -- Bug 735121 - simple paged search + ip/dns based ACI hangs server -- Bug 722292 - (cov#11030) Leak of mapped_sdn in winsync rename code -- Bug 703990 - cross-platform - Support upgrade from Red Hat Directory Server -- Introducing an environment variable USE_VALGRIND to clean up the entry cache and dn cache on exit. - -* Wed Aug 31 2011 Rich Megginson - 1.2.9.8-1 -- Bug 732153 - subtree and user account lockout policies implemented? -- Bug 722292 - Entries in DS are not updated properly when using WinSync API - -* Wed Aug 24 2011 Rich Megginson - 1.2.9.7-1 -- Bug 733103 - large targetattr list with syntax errors cause server to crash or hang -- Bug 633803 - passwordisglobalpolicy attribute brakes TLS chaining -- Bug 732541 - Ignore error 32 when adding automember config -- Bug 728592 - Allow ns-slapd to start with an invalid server cert - -* Wed Aug 10 2011 Rich Megginson - 1.2.9.6-1 -- Bug 728510 - Run dirsync after sending updates to AD -- Bug 729717 - Fatal error messages when syncing deletes from AD -- Bug 729369 - upgrade DB to upgrade from entrydn to entryrdn format is not working. 
-- Bug 729378 - delete user subtree container in AD + modify password in DS == DS crash -- Bug 723937 - Slapi_Counter API broken on 32-bit F15 -- fixed again - separate tests for atomic ops and atomic bool cas - -* Mon Aug 8 2011 Rich Megginson - 1.2.9.5-1 -- Bug 727511 - ldclt SSL search requests are failing with "illegal error number -1" error -- Fix another coverity NULL deref in previous patch - -* Thu Aug 4 2011 Rich Megginson - 1.2.9.4-1 -- Bug 727511 - ldclt SSL search requests are failing with "illegal error number -1" error -- Fix coverity NULL deref in previous patch - -* Wed Aug 3 2011 Rich Megginson - 1.2.9.3-1 -- Bug 727511 - ldclt SSL search requests are failing with "illegal error number -1" error -- previous patch broke build on el5 - -* Wed Aug 3 2011 Rich Megginson - 1.2.9.2-1 -- Bug 727511 - ldclt SSL search requests are failing with "illegal error number -1" error - -* Tue Aug 2 2011 Rich Megginson - 1.2.9.1-2 -- Bug 723937 - Slapi_Counter API broken on 32-bit F15 -- fixed to use configure test for GCC provided 64-bit atomic functions - -* Wed Jul 27 2011 Rich Megginson - 1.2.9.1-1 -- Bug 663752 - Cert renewal for attrcrypt and encchangelog -- this was "re-fixed" due to a deadlock condition with cl2ldif task cancel -- Bug 725953 - Winsync: DS entries fail to sync to AD, if the User's CN entry contains a comma -- Bug 725743 - Make memberOf use PRMonitor for it's operation lock -- Bug 725542 - Instance upgrade fails when upgrading 389-ds-base package -- Bug 723937 - Slapi_Counter API broken on 32-bit F15 - -* Thu Jul 21 2011 Petr Sabata - 1.2.9.0-1.2 -- Perl mass rebuild - -* Wed Jul 20 2011 Petr Sabata - 1.2.9.0-1.1 -- Perl mass rebuild - -* Fri Jul 15 2011 Rich Megginson - 1.2.9.0-1 -- Bug 720059 - RDN with % can cause crashes or missing entries -- Bug 709468 - RSA Authentication Server timeouts when using simple paged results on RHDS 8.2. 
-- Bug 691313 - Need TLS/SSL error messages in repl status and errors log -- Bug 712855 - Directory Server 8.2 logs "Netscape Portable Runtime error -5961 (TCP connection reset by peer.)" to error log whereas Directory Server 8.1 did not -- Bug 713209 - Update sudo schema -- Bug 719069 - clean up compiler warnings in 389-ds-base 1.2.9 -- Bug 718303 - Intensive updates on masters could break the consumer's cache -- Bug 711679 - unresponsive LDAP service when deleting vlv on replica - -* Mon Jun 27 2011 Rich Megginson - 1.2.9-0.2.a2 -- 389-ds-base-1.2.9.a2 -- look for separate openldap ldif library -- Split automember regex rules into separate entries -- writing Inf file shows SchemaFile = ARRAY(0xhexnum) -- add support for ldif files with changetype: add -- Bug 716980 - winsync uses old AD entry if new one not found -- Bug 697694 - rhds82 - incr update state stop_fatal_error "requires administrator action", with extop_result: 9 -- bump console version to 1.2.6 -- Bug 711679 - unresponsive LDAP service when deleting vlv on replica -- Bug 703703 - setup-ds-admin.pl asks for legal agreement to a non-existant file -- Bug 706209 - LEGAL: RHEL6.1 License issue for 389-ds-base package -- Bug 663752 - Cert renewal for attrcrypt and encchangelog -- Bug 706179 - DS can not restart after create a new objectClass has entryusn attribute -- Bug 711906 - ns-slapd segfaults using suffix referrals -- Bug 707384 - only allow FIPS approved cipher suites in FIPS mode -- Bug 710377 - Import with chain-on-update crashes ns-slapd -- Bug 709826 - Memory leak: when extra referrals configured - -* Fri Jun 17 2011 Marcela Mašláňová - 1.2.9-0.1.a1.2 -- Perl mass rebuild - -* Fri Jun 10 2011 Marcela Mašláňová - 1.2.9-0.1.a1.1 -- Perl 5.14 mass rebuild - -* Thu May 26 2011 Rich Megginson - 1.2.9-0.1.a1 -- 389-ds-base-1.2.9.a1 -- Auto Membership -- More Coverity fixes - -* Mon May 2 2011 Rich Megginson - 1.2.8.3-1 -- 389-ds-base-1.2.8.3 -- Bug 700145 - userpasswd not replicating -- Bug 700557 - 
Linked attrs callbacks access free'd pointers after close -- Bug 694336 - Group sync hangs Windows initial Sync -- Bug 700215 - ldclt core dumps -- Bug 695779 - windows sync can lose old values when a new value is added -- Bug 697027 - 12 - minor memory leaks found by Valgrind + TET - -* Thu Apr 14 2011 Rich Megginson - 1.2.8.2-1 -- 389-ds-base-1.2.8.2 -- Bug 696407 - If an entry with a mixed case RDN is turned to be -- a tombstone, it fails to assemble DN from entryrdn - -* Fri Apr 8 2011 Rich Megginson - 1.2.8.1-1 -- 389-ds-base-1.2.8.1 -- Bug 693962 - Full replica push loses some entries with multi-valued RDNs - -* Tue Apr 5 2011 Rich Megginson - 1.2.8.0-1 -- 389-ds-base-1.2.8.0 -- Bug 693473 - rhds82 rfe - windows_tot_run to log Sizelimit exceeded instead of LDAP error - -1 -- Bug 692991 - rhds82 - windows_tot_run: failed to obtain data to send to the consumer; LDAP error - -1 -- Bug 693466 - Unable to change schema online -- Bug 693503 - matching rules do not inherit from superior attribute type -- Bug 693455 - nsMatchingRule does not work with multiple values -- Bug 693451 - cannot use localized matching rules -- Bug 692331 - Segfault on index update during full replication push on 1.2.7.5 - -* Mon Apr 4 2011 Rich Megginson - 1.2.8-0.10.rc5 -- 389-ds-base-1.2.8.rc5 -- Bug 692469 - Replica install fails after step for "enable GSSAPI for replication" - -* Tue Mar 29 2011 Rich Megginson - 1.2.8-0.9.rc4 -- 389-ds-base-1.2.8.rc4 -- Bug 668385 - DS pipe log script is executed as many times as the dirsrv serv -ice is restarted -- 389-ds-base-1.2.8.rc3 -- Bug 690955 - Mrclone fails due to the replica generation id mismatch - -* Tue Mar 22 2011 Rich Megginson - 1.2.8-0.8.rc2 -- 389-ds-base-1.2.8 release candidate 2 - git tag 389-ds-base-1.2.8.rc2 -- Bug 689537 - (cov#10610) Fix Coverity NULL pointer dereferences -- Bug 689866 - ns-newpwpolicy.pl needs to use the new DN format -- Bug 681015 - RFE: allow fine grained password policy duration attributes -- in days, 
hours, minutes, as well -- Bug 684996 - Exported tombstone cannot be imported correctly -- Bug 683250 - slapd crashing when traffic replayed -- Bug 668909 - Can't modify replication agreement in some cases -- Bug 504803 - Allow maxlogsize to be set if logmaxdiskspace is -1 -- Bug 644784 - Memory leak in "testbind.c" plugin -- Bug 680558 - Winsync plugin fails to restrain itself to the configured subtree - -* Mon Mar 7 2011 Caolán McNamara - 1.2.8-0.7.rc1 -- rebuild for icu 4.6 - -* Wed Mar 2 2011 Rich Megginson - 1.2.8-0.6.rc1 -- 389-ds-base-1.2.8 release candidate 1 - git tag 389-ds-base-1.2.8.rc1 -- Bug 518890 - setup-ds-admin.pl - improve hostname validation -- Bug 681015 - RFE: allow fine grained password policy duration attributes in -- days, hours, minutes, as well -- Bug 514190 - setup-ds-admin.pl --debug does not log to file -- Bug 680555 - ns-slapd segfaults if I have more than 100 DBs -- Bug 681345 - setup-ds.pl should set SuiteSpotGroup automatically -- Bug 674852 - crash in ldap-agent when using OpenLDAP -- Bug 679978 - modifying attr value crashes the server, which is supposed to -- be indexed as substring type, but has octetstring syntax -- Bug 676655 - winsync stops working after server restart -- Bug 677705 - ds-logpipe.py script is failing to validate "-s" and -- "--serverpid" options with "-t". 
-- Bug 625424 - repl-monitor.pl doesn't work in hub node - -* Mon Feb 28 2011 Rich Megginson - 1.2.8-0.5.a3 -- Bug 676598 - 389-ds-base multilib: file conflicts -- split off libs into a separate -libs package - -* Thu Feb 24 2011 Rich Megginson - 1.2.8-0.4.a3 -- do not create /var/run/dirsrv - setup will create it instead -- remove the fedora-ds initscript upgrade stuff - we do not support that anymore -- convert the remaining lua stuff to plain old shell script - -* Wed Feb 9 2011 Rich Megginson - 1.2.8-0.3.a3 -- 1.2.8.a3 release - git tag 389-ds-base-1.2.8.a3 -- Bug 675320 - empty modify operation with repl on or lastmod off will crash server -- Bug 675265 - preventryusn gets added to entries on a failed delete -- Bug 677774 - added support for tmpfiles.d -- Bug 666076 - dirsrv crash (1.2.7.5) with multiple simple paged result search -es -- Bug 672468 - Don't use empty path elements in LD_LIBRARY_PATH -- Bug 671199 - Don't allow other to write to rundir -- Bug 678646 - Ignore tombstone operations in managed entry plug-in -- Bug 676053 - export task followed by import task causes cache assertion -- Bug 677440 - clean up compiler warnings in 389-ds-base 1.2.8 -- Bug 675113 - ns-slapd core dump in windows_tot_run if oneway sync is used -- Bug 676689 - crash while adding a new user to be synced to windows -- Bug 604881 - admin server log files have incorrect permissions/ownerships -- Bug 668385 - DS pipe log script is executed as many times as the dirsrv serv -ice is restarted -- Bug 675853 - dirsrv crash segfault in need_new_pw() - -* Mon Feb 07 2011 Fedora Release Engineering - 1.2.8-0.2.a2.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Thu Feb 3 2011 Rich Megginson - 1.2.8-0.2.a2 -- 1.2.8.a2 release - git tag 389-ds-base-1.2.8.a2 -- Bug 674430 - Improve error messages for attribute uniqueness -- Bug 616213 - insufficient stack size for HP-UX on PA-RISC -- Bug 615052 - intrinsics and 64-bit atomics code fails to compile -- on PA-RISC -- 
Bug 151705 - Need to update Console Cipher Preferences with new ciphers -- Bug 668862 - init scripts return wrong error code -- Bug 670616 - Allow SSF to be set for local (ldapi) connections -- Bug 667935 - DS pipe log script's logregex.py plugin is not redirecting the -- log output to the text file -- Bug 668619 - slapd stops responding -- Bug 624547 - attrcrypt should query the given slot/token for -- supported ciphers -- Bug 646381 - Faulty password for nsmultiplexorcredentials does not give any -- error message in logs - -* Fri Jan 21 2011 Nathan Kinder - 1.2.8-0.1.a1 -- 1.2.8-0.1.a1 release - git tag 389-ds-base-1.2.8.a1 -- many bug fixes - -* Thu Dec 16 2010 Rich Megginson - 1.2.7.5-1 -- 1.2.7.5 release - git tag 389-ds-base-1.2.7.5 -- Bug 663597 - Memory leaks in normalization code - -* Tue Dec 14 2010 Rich Megginson - 1.2.7.4-2 -- Resolves: bug 656541 - use %%ghost on files in /var/lock - -* Fri Dec 10 2010 Rich Megginson - 1.2.7.4-1 -- 1.2.7.4 release - git tag 389-ds-base-1.2.7.4 -- Bug 661792 - Valid managed entry config rejected - -* Wed Dec 8 2010 Rich Megginson - 1.2.7.3-1 -- 1.2.7.3 release - git tag 389-ds-base-1.2.7.3 -- Bug 658312 - Invalid free in Managed Entry plug-in -- Bug 641944 - Don't normalize non-DN RDN values - -* Fri Dec 3 2010 Rich Megginson - 1.2.7.2-1 -- 1.2.7.2 release - git tag 389-ds-base-1.2.7.2 -- Bug 659456 - Incorrect usage of ber_printf() in winsync code -- Bug 658309 - Process escaped characters in managed entry mappings -- Bug 197886 - Initialize return value for UUID generation code -- Bug 658312 - Allow mapped attribute types to be quoted -- Bug 197886 - Avoid overflow of UUID generator - -* Tue Nov 23 2010 Rich Megginson - 1.2.7.1-2 -- last commit had bogus commit log - -* Tue Nov 23 2010 Rich Megginson - 1.2.7.1-1 -- 1.2.7.1 release - git tag 389-ds-base-1.2.7.1 -- Bug 656515 - Allow Name and Optional UID syntax for grouping attributes -- Bug 656392 - Remove calls to ber_err_print() -- Bug 625950 - hash nsslapd-rootpw 
changes in audit log - -* Tue Nov 16 2010 Nathan Kinder - 1.2.7-2 -- 1.2.7 release - git tag 389-ds-base-1.2.7 - -* Fri Nov 12 2010 Nathan Kinder - 1.2.7-1 -- Bug 648949 - Merge dirsrv and dirsrv-admin policy modules into base policy - -* Tue Nov 9 2010 Rich Megginson - 1.2.7-0.6.a5 -- 1.2.7.a5 release - git tag 389-ds-base-1.2.7.a5 -- Bug 643979 - Strange byte sequence for attribute with no values (nsslapd-ref -erral) -- Bug 635009 - Add one-way AD sync capability -- Bug 572018 - Upgrading from 1.2.5 to 1.2.6.a2 deletes userRoot -- put replication config entries in separate file -- Bug 567282 - server can not abandon searchRequest of "simple paged results" -- Bug 329751 - "nested" filtered roles searches candidates more than needed -- Bug 521088 - DNA should check ACLs before getting a value from the range - -* Mon Nov 1 2010 Rich Megginson - 1.2.7-0.5.a4 -- 1.2.7.a4 release - git tag 389-ds-base-1.2.7.a4 -- Bug 647932 - multiple memberOf configuration adding memberOf where there is -no member -- Bug 491733 - dbtest crashes -- Bug 606545 - core schema should include numSubordinates -- Bug 638773 - permissions too loose on pid and lock files -- Bug 189985 - Improve attribute uniqueness error message -- Bug 619623 - attr-unique-plugin ignores requiredObjectClass on modrdn operat -ions -- Bug 619633 - Make attribute uniqueness obey requiredObjectClass - -* Wed Oct 27 2010 Rich Megginson - 1.2.7-0.4.a3 -- 1.2.7.a3 release - a2 was never released - this is a rebuild to pick up -- Bug 644608 - RHDS 8.1->8.2 upgrade fails to properly migrate ACIs -- Adding the ancestorid fix code to ##upgradednformat.pl. 
- -* Fri Oct 22 2010 Rich Megginson - 1.2.7-0.3.a3 -- 1.2.7.a3 release - a2 was never released -- Bug 644608 - RHDS 8.1->8.2 upgrade fails to properly migrate ACIs -- Bug 629681 - Retro Changelog trimming does not behave as expected -- Bug 645061 - Upgrade: 06inetorgperson.ldif and 05rfc4524.ldif -- are not upgraded in the server instance schema dir - -* Tue Oct 19 2010 Rich Megginson - 1.2.7-0.2.a2 -- 1.2.7.a2 release - a1 was the OpenLDAP testday release -- git tag 389-ds-base-1.2.7.a2 -- added openldap support on platforms that use openldap with moznss -- for crypto (F-14 and later) -- many bug fixes -- Account Policy Plugin (keep track of last login, disable old accounts) - -* Fri Oct 8 2010 Rich Megginson - 1.2.7-0.1.a1 -- added openldap support - -* Wed Sep 29 2010 Rich Megginson - 1.2.6.1-3 -- bump rel to rebuild again - -* Mon Sep 27 2010 Rich Megginson - 1.2.6.1-2 -- bump rel to rebuild - -* Thu Sep 23 2010 Rich Megginson - 1.2.6.1-1 -- This is the 1.2.6.1 release - git tag 389-ds-base-1.2.6.1 -- Bug 634561 - Server crushes when using Windows Sync Agreement -- Bug 635987 - Incorrect sub scope search result with ACL containing ldap:///self -- Bug 612264 - ACI issue with (targetattr='userPassword') -- Bug 606920 - anonymous resource limit- nstimelimit - also applied to "cn=directory manager" -- Bug 631862 - crash - delete entries not in cache + referint - -* Thu Aug 26 2010 Rich Megginson - 1.2.6-1 -- This is the final 1.2.6 release - -* Tue Aug 10 2010 Rich Megginson - 1.2.6-0.11.rc7 -- 1.2.6 release candidate 7 -- git tag 389-ds-base-1.2.6.rc7 -- Bug 621928 - Unable to enable replica (rdn problem?) 
on 1.2.6 rc6 - -* Mon Aug 2 2010 Rich Megginson - 1.2.6-0.10.rc6 -- 1.2.6 release candidate 6 -- git tag 389-ds-base-1.2.6.rc6 -- Bug 617013 - repl-monitor.pl use cpu upto 90% -- Bug 616618 - 389 v1.2.5 accepts 2 identical entries with different DN formats -- Bug 547503 - replication broken again, with 389 MMR replication and TCP errors -- Bug 613833 - Allow dirsrv_t to bind to rpc ports -- Bug 612242 - membership change on DS does not show on AD -- Bug 617629 - Missing aliases in new schema files -- Bug 619595 - Upgrading sub suffix under non-normalized suffix disappears -- Bug 616608 - SIGBUS in RDN index reads on platforms with strict alignments -- Bug 617862 - Replication: Unable to delete tombstone errors -- Bug 594745 - Get rid of dirsrv_lib_t label - -* Wed Jul 14 2010 Rich Megginson - 1.2.6-0.9.rc3 -- make selinux-devel explicit Require the base package in order -- to comply with Fedora Licensing Guidelines - -* Thu Jul 1 2010 Rich Megginson - 1.2.6-0.8.rc3 -- 1.2.6 release candidate 3 -- git tag 389-ds-base-1.2.6.rc3 -- Bug 603942 - null deref in _ger_parse_control() for subjectdn -- 609256 - Selinux: pwdhash fails if called via Admin Server CGI -- 578296 - Attribute type entrydn needs to be added when subtree rename switch is on -- 605827 - In-place upgrade: upgrade dn format should not run in setup-ds-admin.pl -- Bug 604453 - SASL Stress and Server crash: Program quits with the assertion failure in PR_Poll -- Bug 604453 - SASL Stress and Server crash: Program quits with the assertion failure in PR_Poll -- 606920 - anonymous resource limit - nstimelimit - also applied to "cn=directory manager" - -* Wed Jun 16 2010 Rich Megginson - 1.2.6-0.7.rc2 -- 1.2.6 release candidate 2 - -* Mon Jun 14 2010 Nathan Kinder - 1.2.6-0.6.rc1 -- install replication session plugin header with devel package - -* Wed Jun 9 2010 Rich Megginson - 1.2.6-0.5.rc1 -- 1.2.6 release candidate 1 - -* Tue Jun 01 2010 Marcela Maslanova - 1.2.6-0.4.a4.1 -- Mass rebuild with perl-5.12.0 - 
-* Wed May 26 2010 Rich Megginson - 1.2.6-0.4.a4 -- 1.2.6.a4 release - -* Wed Apr 7 2010 Nathan Kinder - 1.2.6-0.4.a3 -- 1.2.6.a3 release -- add managed entries plug-in -- many bug fixes -- moved selinux subpackage into base package - -* Fri Apr 2 2010 Caolán McNamara - 1.2.6-0.3.a2 -- rebuild for icu 4.4 - -* Tue Mar 2 2010 Rich Megginson - 1.2.6-0.2.a2 -- 1.2.6.a2 release -- add support for matching rules -- many bug fixes - -* Thu Jan 14 2010 Nathan Kinder - 1.2.6-0.1.a1 -- 1.2.6.a1 release -- Added SELinux policy and subpackages - -* Tue Jan 12 2010 Rich Megginson - 1.2.5-1 -- 1.2.5 final release - -* Mon Jan 4 2010 Rich Megginson - 1.2.5-0.5.rc4 -- 1.2.5.rc4 release - -* Thu Dec 17 2009 Rich Megginson - 1.2.5-0.4.rc3 -- 1.2.5.rc3 release - -* Mon Dec 7 2009 Rich Megginson - 1.2.5-0.3.rc2 -- 1.2.5.rc2 release - -* Wed Dec 2 2009 Rich Megginson - 1.2.5-0.2.rc1 -- 1.2.5.rc1 release - -* Thu Nov 12 2009 Rich Megginson - 1.2.5-0.1.a1 -- 1.2.5.a1 release - -* Thu Oct 29 2009 Rich Megginson - 1.2.4-1 -- 1.2.4 release -- resolves bug 221905 - added support for Salted MD5 (SMD5) passwords - primarily for migration -- resolves bug 529258 - Make upgrade remove obsolete schema from 99user.ldif - -* Mon Sep 14 2009 Rich Megginson - 1.2.3-1 -- 1.2.3 release -- added template-initconfig to %%files -- %%posttrans now runs update to update the server instances -- servers are shutdown, then restarted if running before install -- scriptlets mostly use lua now to pass data among scriptlet phases - -* Tue Sep 01 2009 Caolán McNamara - 1.2.2-2 -- rebuild with new openssl to fix dependencies - -* Tue Aug 25 2009 Rich Megginson - 1.2.2-1 -- backed out - added template-initconfig to %%files - this change is for the next major release -- bump version to 1.2.2 -- fix reopened 509472 db2index all does not reindex all the db backends correctly -- fix 518520 - pre hashed salted passwords do not work -- see https://bugzilla.redhat.com/show_bug.cgi?id=518519 for the list of -- bugs fixed in 
1.2.2 - -* Fri Aug 21 2009 Tomas Mraz - 1.2.1-5 -- rebuilt with new openssl - -* Wed Aug 19 2009 Noriko Hosoi - 1.2.1-4 -- added template-initconfig to %%files - -* Wed Aug 12 2009 Rich Megginson - 1.2.1-3 -- added BuildRequires pcre - -* Fri Jul 24 2009 Fedora Release Engineering - 1.2.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Mon May 18 2009 Rich Megginson - 1.2.1-1 -- change name to 389 -- change version to 1.2.1 -- added initial support for numeric string syntax -- added initial support for syntax validation -- added initial support for paged results including sorting - -* Tue Apr 28 2009 Rich Megginson - 1.2.0-4 -- final release 1.2.0 -- Resolves: bug 475338 - LOG: the intenal type of maxlogsize, maxdiskspace and minfreespace should be 64-bit integer -- Resolves: bug 496836 - SNMP ldap-agent on Solaris: Unable to open semaphore for server: 389 -- CVS tag: FedoraDirSvr_1_2_0 FedoraDirSvr_1_2_0_20090428 - -* Mon Apr 6 2009 Rich Megginson - 1.2.0-3 -- re-enable ppc builds - -* Thu Apr 2 2009 Rich Megginson - 1.2.0-2 -- exclude ppc builds - needs extensive porting work - -* Mon Mar 30 2009 Rich Megginson - 1.2.0-1 -- new release 1.2.0 -- Made devel package depend on mozldap-devel -- only create run dir if it does not exist -- CVS tag: FedoraDirSvr_1_2_0_RC1 FedoraDirSvr_1_2_0_RC1_20090330 - -* Thu Oct 30 2008 Noriko Hosoi - 1.1.3-7 -- added db4-utils to Requires for verify-db.pl - -* Mon Oct 13 2008 Noriko Hosoi - 1.1.3-6 -- Enabled LDAPI autobind - -* Thu Oct 9 2008 Rich Megginson - 1.1.3-5 -- updated update to patch bug463991-bdb47.patch - -* Thu Oct 9 2008 Rich Megginson - 1.1.3-4 -- updated patch bug463991-bdb47.patch - -* Mon Sep 29 2008 Rich Megginson - 1.1.3-3 -- added patch bug463991-bdb47.patch -- make ds work with bdb 4.7 - -* Wed Sep 24 2008 Rich Megginson - 1.1.3-2 -- rolled back bogus winsync memory leak fix - -* Tue Sep 23 2008 Rich Megginson - 1.1.3-1 -- winsync api improvements for modify operations - -* Fri Jun 
13 2008 Rich Megginson - 1.1.2-1 -- This is the 1.1.2 release. The bugs fixed can be found here -- https://bugzilla.redhat.com/showdependencytree.cgi?id=452721 -- Added winsync-plugin.h to the devel subpackage - -* Fri Jun 6 2008 Rich Megginson - 1.1.1-2 -- bump rev to rebuild and pick up new version of ICU - -* Fri May 23 2008 Rich Megginson - 1.1.1-1 -- 1.1.1 release candidate - several bug fixes - -* Wed Apr 16 2008 Rich Megginson - 1.1.0.1-4 -- fix bugzilla 439829 - patch to allow working with NSS 3.11.99 and later - -* Tue Mar 18 2008 Tom "spot" Callaway - 1.1.0.1-3 -- add patch to allow server to work with NSS 3.11.99 and later -- do NSS_Init after fork but before detaching from console - -* Tue Mar 18 2008 Tom "spot" Callaway - 1.1.0.1-3 -- add Requires for versioned perl (libperl.so) - -* Wed Feb 27 2008 Rich Megginson - 1.1.0.1-2 -- previous fix for 434403 used the wrong patch -- this is the right one - -* Wed Feb 27 2008 Rich Megginson - 1.1.0.1-1 -- Resolves bug 434403 - GCC 4.3 build fails -- Rolled new source tarball which includes Nathan's fix for the struct ucred -- NOTE: Change version back to 1.1.1 for next release -- this release was pulled from CVS tag FedoraDirSvr110_gcc43 - -* Tue Feb 19 2008 Fedora Release Engineering - 1.1.0-5 -- Autorebuild for GCC 4.3 - -* Thu Dec 20 2007 Rich Megginson - 1.1.0-4 -- This is the GA release of Fedora DS 1.1 -- Removed version numbers for BuildRequires and Requires -- Added full URL to source tarball - -* Fri Dec 07 2007 Release Engineering - 1.1.0-3 -- Rebuild for deps - -* Wed Nov 7 2007 Rich Megginson - 1.1.0-2.0 -- This is the beta2 release -- new file added to package - /etc/sysconfig/dirsrv - for setting -- daemon environment as is usual in other linux daemons - -* Thu Aug 16 2007 Rich Megginson - 1.1.0-1.2 -- fix build breakage due to open() -- mock could not find BuildRequires: db4-devel >= 4.2.52 -- mock works if >= version is removed - it correctly finds db4.6 - -* Fri Aug 10 2007 Rich Megginson - 
1.1.0-1.1 -- Change pathnames to use the pkgname macro which is dirsrv -- get rid of cvsdate in source name - -* Fri Jul 20 2007 Rich Megginson - 1.1.0-0.3.20070720 -- Added Requires for perldap, cyrus sasl plugins -- Removed template-migrate* files -- Added perl module directory -- Removed install.inf - setup-ds.pl can now easily generate one - -* Mon Jun 18 2007 Nathan Kinder - 1.1.0-0.2.20070320 -- added requires for mozldap-tools - -* Tue Mar 20 2007 Rich Megginson - 1.1.0-0.1.20070320 -- update to latest sources -- added migrateTo11 to allow migrating instances from 1.0.x to 1.1 -- ldapi support -- fixed pam passthru plugin ENTRY method - -* Fri Feb 23 2007 Rich Megginson - 1.1.0-0.1.20070223 -- Renamed package to fedora-ds-base, but keep names of paths/files/services the same -- use the shortname macro (fedora-ds) for names of paths, files, and services instead -- of name, so that way we can continue to use e.g. /etc/fedora-ds instead of /etc/fedora-ds-base -- updated to latest sources - -* Tue Feb 13 2007 Rich Megginson - 1.1.0-0.1.20070213 -- More cleanup suggested by Dennis Gilmore -- This is the fedora extras candidate based on cvs tag FedoraDirSvr110a1 - -* Fri Feb 9 2007 Rich Megginson - 1.1.0-1.el4.20070209 -- latest sources -- added init scripts -- use /etc as instconfigdir - -* Wed Feb 7 2007 Rich Megginson - 1.1.0-1.el4.20070207 -- latest sources -- moved all executables to _bindir - -* Mon Jan 29 2007 Rich Megginson - 1.1.0-1.el4.20070129 -- latest sources -- added /var/tmp/fedora-ds to dirs - -* Fri Jan 26 2007 Rich Megginson - 1.1.0-8.el4.20070125 -- added logconv.pl -- added slapi-plugin.h to devel package -- added explicit dirs for /var/log/fedora-ds et. al. 
- -* Thu Jan 25 2007 Rich Megginson - 1.1.0-7.el4.20070125 -- just move all .so files into the base package from the devel package - -* Thu Jan 25 2007 Rich Megginson - 1.1.0-6.el4.20070125 -- Move the plugin *.so files into the main package instead of the devel -- package because they are loaded directly by name via dlopen - -* Fri Jan 19 2007 Rich Megginson - 1.1.0-5.el4.20070125 -- Move the script-templates directory to datadir/fedora-ds - -* Fri Jan 19 2007 Rich Megginson - 1.1.0-4.el4.20070119 -- change mozldap to mozldap6 - -* Fri Jan 19 2007 Rich Megginson - 1.1.0-3.el4.20070119 -- remove . from cvsdate define - -* Fri Jan 19 2007 Rich Megginson - 1.1.0-2.el4.20070119 -- Having a problem building in Brew - may be Release format - -* Fri Jan 19 2007 Rich Megginson - 1.1.0-1.el4.cvs20070119 -- Changed version to 1.1.0 and added Release 1.el4.cvs20070119 -- merged in changes from Fedora Extras candidate spec file - -* Mon Jan 15 2007 Rich Megginson - 1.1-0.1.cvs20070115 -- Bump component versions (nspr, nss, svrcore, mozldap) to their latest -- remove unneeded patches - -* Tue Jan 09 2007 Dennis Gilmore - 1.1-0.1.cvs20070108 -- update to a cvs snapshot -- fedorafy the spec -- create -devel subpackage -- apply a patch to use mozldap not mozldap6 -- apply a patch to allow --prefix to work correctly - -* Mon Dec 4 2006 Rich Megginson - 1.0.99-16 -- Fixed the problem where the server would crash upon shutdown in dblayer -- due to a race condition among the database housekeeping threads -- Fix a problem with normalized absolute paths for db directories - -* Tue Nov 28 2006 Rich Megginson - 1.0.99-15 -- Touch all of the ldap/admin/src/scripts/*.in files so that they -- will be newer than their corresponding script template files, so -- that make will rebuild them. 
- -* Mon Nov 27 2006 Rich Megginson - 1.0.99-14 -- Chown new schema files when copying during instance creation - -* Tue Nov 21 2006 Rich Megginson - 1.0.99-13 -- Configure will get ldapsdk_bindir from pkg-config, or $libdir/mozldap6 - -* Tue Nov 21 2006 Rich Megginson - 1.0.99-12 -- use eval to sed ./configure into ../configure - -* Tue Nov 21 2006 Rich Megginson - 1.0.99-11 -- jump through hoops to be able to run ../configure - -* Tue Nov 21 2006 Rich Megginson - 1.0.99-10 -- Need to make built dir in setup section - -* Tue Nov 21 2006 Rich Megginson - 1.0.99-9 -- The template scripts needed to use @libdir@ instead of hardcoding -- /usr/lib -- Use make DESTDIR=$RPM_BUILD_ROOT install instead of % makeinstall -- do the actual build in a "built" subdirectory, until we remove -- the old script templates - -* Thu Nov 16 2006 Rich Megginson - 1.0.99-8 -- Make replication plugin link with libdb - -* Wed Nov 15 2006 Rich Megginson - 1.0.99-7 -- Have make define LIBDIR, BINDIR, etc. for C code to use -- especially for create_instance.h - -* Tue Nov 14 2006 Rich Megginson - 1.0.99-6 -- Forgot to checkin new config.h.in for AC_CONFIG_HEADERS - -* Tue Nov 14 2006 Rich Megginson - 1.0.99-5 -- Add perldap as a Requires; update sources - -* Thu Nov 9 2006 Rich Megginson - 1.0.99-4 -- Fix ds_newinst.pl -- Remove obsolete #defines - -* Thu Nov 9 2006 Rich Megginson - 1.0.99-3 -- Update sources; rebuild to populate brew yum repo with dirsec-nss - -* Tue Nov 7 2006 Rich Megginson - 1.0.99-2 -- Update sources +* Fri Mar 6 2020 Mark Reynolds - 1.4.2.4-8 +- Bump version to 1.4.2.4-8 +- Resolves: Bug 1807971 - dsctl healthcheck fails at checking replica when conflict entries are present + +* Fri Feb 7 2020 Mark Reynolds - 1.4.2.4-7 +- Bump version to 1.4.2.4-7 +- Resolves: Bug 1744662 - DB Deadlock on modrdn appears to corrupt database and entry cache +- Resolves: Bug 1779216 - dsctl doesn't work with 'slapd-' in the instance name +- Resolves: Bug 1790984 - Crash on startup: Bus error 
in __env_faultmem.isra.1.part.2 +- Resolves: Bug 1793060 - dsctl healthcheck issues error : type object 'datetime.date' has no attribute 'fromisoformat' +- Resolves: Bug 1758494 - LeakSanitizer: detected memory leaks in do_add +- Resolves: Bug 1790975 - Several memory leaks reported by Valgrind for 389-ds 1.3.9.1-10. + +* Mon Jan 20 2020 Mark Reynolds - 1.4.2.4-6 +- Resolves: Bug 1776227 - Error: 'PwPolicyManager' object has no attribute 'get_attr_list' +- Resolves: Bug 1790975 - Several memory leaks reported by Valgrind for 389-ds 1.3.9.1-10(fix regression) +- Resolves: Bug 1758473 - AddressSanitizer: heap-use-after-free in log_get_loglist +- Resolves: Bug 1790259 - Change the default behavior of 'nsslapd-verify-filter-schema' +- Resolves: Bug 1773114 - ns-slapd hangs during CleanAllRUV tests + +* Tue Jan 14 2020 Mark Reynolkds - 1.4.2.4-5 +- Bump version to 1.4.2.4-5 +- Resolves: Bug 1676699 - dsconf allows to set an empty password for Directory Manager +- Resolves: Bug 1714688 - dscontainer executable should be placed under /usr/libexec/dirsrv/ +- Resolves: Bug 1773115 - bdb_start - Detected Disorderly Shutdown last time Directory Server was running +- Resolves: Bug 1790975 - Several memory leaks reported by Valgrind for 389-ds 1.3.9.1-10 +- Resolves: Bug 1790979 - ns-slapd is crashing while restarting ipactl +- Resolves: Bug 1790981 - Entry cache contention during base search +- Resolves: Bug 1790984 - Crash on startup: Bus error in __env_faultmem.isra.1.part.2 + +* Wed Nov 27 2019 Mark Reynolds - 1.4.2.4-4 +- Bump version to 1.4.2.4-4 +- Resolves: Bug 1685160 - [RFE] 389-DS Health Check Tool + +* Fri Nov 15 2019 Mark Reynolds - 1.4.2.4-3 +- Bump version to 1.4.2.4-3 +- Issue 50712 - Version comparison doesn't work correctly on git builds (relates to #1748994) + +* Fri Nov 15 2019 Matus Honek - 1.4.2.4-2 +- Bump version to 1.4.2.4-2 +- Fix missing runtime lib389 dependency (relates to #1748994) + +* Thu Nov 14 2019 Mark Reynolds - 1.4.2.4-1 +- Bump verison to 
1.4.2.4-1 +- Resolves: Bug 1748994 - Rebase 389-ds-base to 1.4.2 -* Thu Nov 2 2006 Rich Megginson - 1.0.99-1 -- initial revision