diff --git a/SOURCES/0051-Ticket-47605-CVE-2013-4485-DoS-due-to-improper-handl.patch b/SOURCES/0051-Ticket-47605-CVE-2013-4485-DoS-due-to-improper-handl.patch new file mode 100644 index 0000000..b04ee47 --- /dev/null +++ b/SOURCES/0051-Ticket-47605-CVE-2013-4485-DoS-due-to-improper-handl.patch @@ -0,0 +1,136 @@ +From 896091407c244ed151f2fad39a82881a6e991d26 Mon Sep 17 00:00:00 2001 +From: Rich Megginson +Date: Tue, 29 Oct 2013 13:47:35 -0600 +Subject: [PATCH] Ticket #47605 CVE-2013-4485: DoS due to improper handling of ger attr searches + +https://fedorahosted.org/389/ticket/47605 +Reviewed by: nhosoi (Thanks!) +Branch: 389-ds-base-1.3.1 +Fix Description: The traversal of the attr list looking for GER objectclasses +was modifying the same attribute twice, removing the "@" from it. The second +time, since there was no "@" in the string, the strchr would return NULL, and +the code would not check for it. +The code was simplified and rewritten to use charray_merge_nodup +to build the gerattrs list with unique objectclass values, which I believe was +the intention of the original code. I also added some error checking to look +for invalid attributes like "@name" "name@" and "name@name@name". +Platforms tested: RHEL6 x86_64 +Flag Day: no +Doc impact: no +(cherry picked from commit 7e03702932546e74f0044d11832e7e7e395cbb36) +(cherry picked from commit 12e54af6982ab5406f4bba6a02dd0724a0415501) +(cherry picked from commit 8c5e74b291d08c66e0afbf766f77f955725b9bf4) +--- + ldap/servers/slapd/search.c | 79 +++++++++---------------------------------- + 1 files changed, 16 insertions(+), 63 deletions(-) + +diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c +index da1772f..59c4afb 100644 +--- a/ldap/servers/slapd/search.c ++++ b/ldap/servers/slapd/search.c +@@ -246,8 +246,6 @@ do_search( Slapi_PBlock *pb ) + } + + if ( attrs != NULL ) { +- int gerattrsiz = 1; +- int gerattridx = 0; + int aciin = 0; + /* + * . store gerattrs if any +@@ -257,66 +255,25 @@ do_search( Slapi_PBlock *pb ) + { + char *p = NULL; + /* check if @ is included */ +- p = strchr(attrs[i], '@'); +- if ( p && '\0' != *(p+1) ) /* don't store "*@", e.g. */ ++ p = strchr(attrs[i], '@'); ++ if ( p ) + { +- int j = 0; +- if (gerattridx + 1 >= gerattrsiz) ++ char *dummyary[2]; /* need a char ** for charray_merge_nodup */ ++ if ((*(p + 1) == '\0') || (p == attrs[i]) || (strchr(p+1, '@'))) /* e.g. "foo@" or "@objectclassname" or "foo@bar@baz" */ + { +- char **tmpgerattrs; +- gerattrsiz *= 2; +- tmpgerattrs = +- (char **)slapi_ch_calloc(1, gerattrsiz*sizeof(char *)); +- if (NULL != gerattrs) +- { +- memcpy(tmpgerattrs, gerattrs, gerattrsiz*sizeof(char *)); +- slapi_ch_free((void **)&gerattrs); +- } +- gerattrs = tmpgerattrs; +- } +- for ( j = 0; gerattrs; j++ ) +- { +- char *attri = NULL; +- if ( NULL == gerattrs[j] ) +- { +- if (0 == j) +- { +- /* first time */ +- gerattrs[gerattridx++] = attrs[i]; +- /* get rid of "@" part from the attr +- list, which is needed only in gerattr list */ +- *p = '\0'; +- attri = slapi_ch_strdup(attrs[i]); +- attrs[i] = attri; +- *p = '@'; +- } +- else +- { +- break; /* done */ +- } +- } +- else if ( 0 == strcasecmp( attrs[i], gerattrs[j] )) +- { +- /* skip if attrs[i] is already in gerattrs */ +- continue; +- } +- else +- { +- char *q = strchr(gerattrs[j], '@'); /* q never be 0 */ +- if ( 0 != strcasecmp( p+1, q+1 )) +- { +- /* you don't want to display the same template +- entry multiple times */ +- gerattrs[gerattridx++] = attrs[i]; +- } +- /* get rid of "@" part from the attr +- list, which is needed only in gerattr list */ +- *p = '\0'; +- attri = slapi_ch_strdup(attrs[i]); +- attrs[i] = attri; +- *p = '@'; +- } ++ slapi_log_error( SLAPI_LOG_ARGS, "do_search", ++ "invalid attribute [%s] in list - must be of the form " ++ "attributename@objectclassname where attributename is the " ++ "name of an attribute or \"*\" or \"+\" and objectclassname " ++ "is the name of an objectclass\n", attrs[i] ); ++ continue; + } ++ dummyary[0] = p; /* p = @objectclassname */ ++ dummyary[1] = NULL; ++ /* copy string to gerattrs with leading @ - disallow dups */ ++ charray_merge_nodup(&gerattrs, dummyary, 1); ++ /* null terminate the attribute name at the @ after it has been copied */ ++ *p = '\0'; + } + else if ( !aciin && strcasecmp(attrs[i], LDAP_ALL_USER_ATTRS) == 0 ) + { +@@ -324,10 +281,6 @@ do_search( Slapi_PBlock *pb ) + aciin = 1; + } + } +- if (NULL != gerattrs) +- { +- gerattrs[gerattridx] = NULL; +- } + + if (config_get_return_orig_type_switch()) { + /* return the original type, e.g., "sn (surname)" */ +-- +1.7.1 + diff --git a/SOURCES/0052-Ticket-47622-Automember-betxnpreoperation-transactio.patch b/SOURCES/0052-Ticket-47622-Automember-betxnpreoperation-transactio.patch new file mode 100644 index 0000000..9050947 --- /dev/null +++ b/SOURCES/0052-Ticket-47622-Automember-betxnpreoperation-transactio.patch @@ -0,0 +1,497 @@ +From e5cb97a16fa44e6944e234b9cf509ddb614559a3 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 9 Dec 2013 16:57:35 -0500 +Subject: [PATCH 52/65] Ticket 47622 - Automember betxnpreoperation - + transaction not aborted when group entry does not exist + +Bug Description: If the group defined in the automember plugin does not exist, than any add operation + that should trigger an update, succeeds even though the automember update failed. + +Fix Description: Return an error if a automember post operation update fails - previously we always + returned success. + + Updated plugin_call_func() to check the result of betxn postop plugins. + + Also added return text to the result message when a betxn plugin fails. This is + useful for clients to explain why the operation failed. + +https://fedorahosted.org/389/ticket/47622 + +Jenkins: passed +Valgrind: passed +Coverity: passed + +Reviewed by: rmeggins(Thanks!) +(cherry picked from commit 1214168a222a35627b2bb9964600fad0246558cd) +(cherry picked from commit 6de4616f2506b4e093429cc1093e4ad21b22e6c9) +--- + ldap/servers/plugins/automember/automember.c | 151 ++++++++++++++++++++++----- + ldap/servers/slapd/back-ldbm/ldbm_add.c | 4 +- + ldap/servers/slapd/back-ldbm/ldbm_delete.c | 5 + + ldap/servers/slapd/back-ldbm/ldbm_modify.c | 2 + + ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 3 + + ldap/servers/slapd/plugin.c | 3 +- + 6 files changed, 137 insertions(+), 31 deletions(-) + +diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c +index c7168cb..3214ea1 100644 +--- a/ldap/servers/plugins/automember/automember.c ++++ b/ldap/servers/plugins/automember/automember.c +@@ -103,8 +103,8 @@ static struct automemberRegexRule *automember_parse_regex_rule(char *rule_string + static void automember_free_regex_rule(struct automemberRegexRule *rule); + static int automember_parse_grouping_attr(char *value, char **grouping_attr, + char **grouping_value); +-static void automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileDesc *ldif_fd); +-static void automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, ++static int automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileDesc *ldif_fd); ++static int automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, + char *grouping_attr, char *grouping_value, PRFileDesc *ldif_fd); + const char *fetch_attr(Slapi_Entry *e, const char *attrname, const char *default_val); + +@@ -1401,7 +1401,7 @@ automember_parse_grouping_attr(char *value, char **grouping_attr, char **groupin + * Determines which target groups need to be updated according to + * the rules in config, then performs the updates. + */ +-static void ++static int + automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileDesc *ldif_fd) + { + PRCList *rule = NULL; +@@ -1412,10 +1412,11 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD + Slapi_DN *last = NULL; + PRCList *curr_exclusion = NULL; + char **vals = NULL; ++ int rc = 0; + int i = 0; + + if (!config || !e) { +- return; ++ return -1; + } + + slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM, +@@ -1555,15 +1556,23 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD + if (PR_CLIST_IS_EMPTY(&targets)) { + /* Add to each default group. */ + for (i = 0; config->default_groups && config->default_groups[i]; i++) { +- automember_add_member_value(e, config->default_groups[i], +- config->grouping_attr, config->grouping_value, ldif_fd); ++ if(automember_add_member_value(e, config->default_groups[i], config->grouping_attr, ++ config->grouping_value, ldif_fd)) ++ { ++ rc = SLAPI_PLUGIN_FAILURE; ++ goto out; ++ } + } + } else { + /* Update the target groups. */ + dnitem = (struct automemberDNListItem *)PR_LIST_HEAD(&targets); + while ((PRCList *)dnitem != &targets) { +- automember_add_member_value(e, slapi_sdn_get_dn(dnitem->dn), +- config->grouping_attr, config->grouping_value, ldif_fd); ++ if(automember_add_member_value(e, slapi_sdn_get_dn(dnitem->dn),config->grouping_attr, ++ config->grouping_value, ldif_fd)) ++ { ++ rc = SLAPI_PLUGIN_FAILURE; ++ goto out; ++ } + dnitem = (struct automemberDNListItem *)PR_NEXT_LINK((PRCList *)dnitem); + } + } +@@ -1582,6 +1591,9 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD + slapi_ch_free((void**)&dnitem); + } + ++out: ++ ++ return rc; + } + + /* +@@ -1589,7 +1601,7 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD + * + * Adds a member entry to a group. + */ +-static void ++static int + automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, char *grouping_attr, + char *grouping_value, PRFileDesc *ldif_fd) + { +@@ -1600,6 +1612,7 @@ automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, char *g + char *vals[2]; + char *member_value = NULL; + int freeit = 0; ++ int rc = 0; + + /* If grouping_value is dn, we need to fetch the dn instead. */ + if (slapi_attr_type_cmp(grouping_value, "dn", SLAPI_TYPE_CMP_EXACT) == 0) { +@@ -1649,6 +1662,7 @@ automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, char *g + "a \"%s\" value to group \"%s\" (%s).\n", + member_value, grouping_attr, group_dn, + ldap_err2string(result)); ++ rc = result; + } + } else { + slapi_log_error(SLAPI_LOG_FATAL, AUTOMEMBER_PLUGIN_SUBSYSTEM, +@@ -1662,8 +1676,9 @@ out: + if (freeit) { + slapi_ch_free_string(&member_value); + } +- + slapi_pblock_destroy(mod_pb); ++ ++ return rc; + } + + +@@ -1833,6 +1848,7 @@ automember_add_post_op(Slapi_PBlock *pb) + Slapi_DN *sdn = NULL; + struct configEntry *config = NULL; + PRCList *list = NULL; ++ int rc = SLAPI_PLUGIN_SUCCESS; + + slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM, + "--> automember_add_post_op\n"); +@@ -1848,8 +1864,9 @@ automember_add_post_op(Slapi_PBlock *pb) + } + } else { + slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM, +- "automember_add_post_op: Error " +- "retrieving dn\n"); ++ "automember_add_post_op: Error retrieving dn\n"); ++ ++ rc = SLAPI_PLUGIN_FAILURE; + goto bail; + } + +@@ -1863,12 +1880,11 @@ automember_add_post_op(Slapi_PBlock *pb) + + if (e) { + /* If the entry is a tombstone, just bail. */ +- Slapi_Value *tombstone = +- slapi_value_new_string(SLAPI_ATTR_VALUE_TOMBSTONE); +- int rc = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS, +- tombstone); ++ Slapi_Value *tombstone = slapi_value_new_string(SLAPI_ATTR_VALUE_TOMBSTONE); ++ int is_tombstone = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS, ++ tombstone); + slapi_value_free(&tombstone); +- if (rc) { ++ if (is_tombstone) { + return SLAPI_PLUGIN_SUCCESS; + } + +@@ -1891,7 +1907,10 @@ automember_add_post_op(Slapi_PBlock *pb) + if (slapi_dn_issuffix(slapi_sdn_get_dn(sdn), config->scope) && + (slapi_filter_test_simple(e, config->filter) == 0)) { + /* Find out what membership changes are needed and make them. */ +- automember_update_membership(config, e, NULL); ++ if(automember_update_membership(config, e, NULL)){ ++ rc = SLAPI_PLUGIN_FAILURE; ++ break; ++ } + } + + list = PR_NEXT_LINK(list); +@@ -1904,11 +1923,21 @@ automember_add_post_op(Slapi_PBlock *pb) + "automember_add_post_op: Error " + "retrieving post-op entry %s\n", slapi_sdn_get_dn(sdn)); + } ++ + bail: + slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM, +- "<-- automember_add_post_op\n"); ++ "<-- automember_add_post_op (%d)\n", rc); + +- return SLAPI_PLUGIN_SUCCESS; ++ if(rc){ ++ char errtxt[SLAPI_DSE_RETURNTEXT_SIZE]; ++ int result = LDAP_UNWILLING_TO_PERFORM; ++ ++ PR_snprintf(errtxt, SLAPI_DSE_RETURNTEXT_SIZE, "Automember Plugin update unexpectedly failed.\n"); ++ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &result); ++ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, &errtxt); ++ } ++ ++ return rc; + } + + /* +@@ -2216,7 +2245,11 @@ void automember_rebuild_task_thread(void *arg){ + if (slapi_dn_issuffix(slapi_entry_get_dn(entries[i]), config->scope) && + (slapi_filter_test_simple(entries[i], config->filter) == 0)) + { +- automember_update_membership(config, entries[i], NULL); ++ if(automember_update_membership(config, entries[i], NULL)){ ++ result = SLAPI_PLUGIN_FAILURE; ++ automember_config_unlock(); ++ goto out; ++ } + } + list = PR_NEXT_LINK(list); + } +@@ -2416,7 +2449,7 @@ void automember_export_task_thread(void *arg){ + /* make sure the plugin is still up, as this loop could run for awhile */ + if (!g_plugin_started) { + automember_config_unlock(); +- result = -1; ++ result = SLAPI_DSE_CALLBACK_ERROR; + goto out; + } + if (!PR_CLIST_IS_EMPTY(g_automember_config)) { +@@ -2426,7 +2459,11 @@ void automember_export_task_thread(void *arg){ + if (slapi_dn_issuffix(slapi_sdn_get_dn(td->base_dn), config->scope) && + (slapi_filter_test_simple(entries[i], config->filter) == 0)) + { +- automember_update_membership(config, entries[i], ldif_fd); ++ if(automember_update_membership(config, entries[i], ldif_fd)){ ++ result = SLAPI_DSE_CALLBACK_ERROR; ++ automember_config_unlock(); ++ goto out; ++ } + } + list = PR_NEXT_LINK(list); + } +@@ -2624,7 +2661,13 @@ void automember_map_task_thread(void *arg){ + if (slapi_dn_issuffix(slapi_entry_get_dn_const(e), config->scope) && + (slapi_filter_test_simple(e, config->filter) == 0)) + { +- automember_update_membership(config, e, ldif_fd_out); ++ if(automember_update_membership(config, e, ldif_fd_out)){ ++ result = SLAPI_DSE_CALLBACK_ERROR; ++ slapi_entry_free(e); ++ slapi_ch_free_string(&entrystr); ++ automember_config_unlock(); ++ goto out; ++ } + } + list = PR_NEXT_LINK(list); + } +@@ -2635,7 +2678,7 @@ void automember_map_task_thread(void *arg){ + slapi_task_log_notice(task, "Automember map task, skipping invalid entry."); + slapi_task_log_status(task, "Automember map task, skipping invalid entry."); + } +- slapi_ch_free((void **)&entrystr); ++ slapi_ch_free_string(&entrystr); + } + automember_config_unlock(); + +@@ -2666,6 +2709,9 @@ automember_modrdn_post_op(Slapi_PBlock *pb) + Slapi_DN *old_sdn = NULL; + Slapi_DN *new_sdn = NULL; + Slapi_Entry *post_e = NULL; ++ struct configEntry *config = NULL; ++ PRCList *list = NULL; ++ int rc = SLAPI_PLUGIN_SUCCESS; + + slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM, + "--> automember_modrdn_post_op\n"); +@@ -2684,7 +2730,7 @@ automember_modrdn_post_op(Slapi_PBlock *pb) + slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM, + "automember_modrdn_post_op: Error " + "retrieving post-op entry\n"); +- return 0; ++ return SLAPI_PLUGIN_FAILURE; + } + + if ((old_sdn = automember_get_sdn(pb))) { +@@ -2694,11 +2740,58 @@ automember_modrdn_post_op(Slapi_PBlock *pb) + slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM, + "automember_modrdn_post_op: Error " + "retrieving dn\n"); ++ return SLAPI_PLUGIN_FAILURE; + } + +- slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM, +- "<-- automember_modrdn_post_op\n"); ++ /* If replication, just bail. */ ++ if (automember_isrepl(pb)) { ++ return SLAPI_PLUGIN_SUCCESS; ++ } + +- return 0; ++ /* ++ * Check if a config entry applies to the entry(post modrdn) ++ */ ++ automember_config_read_lock(); ++ ++ /* Bail out if the plug-in close function was just called. */ ++ if (!g_plugin_started) { ++ automember_config_unlock(); ++ return SLAPI_PLUGIN_SUCCESS; ++ } ++ ++ if (!PR_CLIST_IS_EMPTY(g_automember_config)) { ++ list = PR_LIST_HEAD(g_automember_config); ++ while (list != g_automember_config) { ++ config = (struct configEntry *)list; ++ ++ /* Does the entry meet scope and filter requirements? */ ++ if (slapi_dn_issuffix(slapi_sdn_get_dn(new_sdn), config->scope) && ++ (slapi_filter_test_simple(post_e, config->filter) == 0)) { ++ /* Find out what membership changes are needed and make them. */ ++ if(automember_update_membership(config, post_e, NULL)){ ++ rc = SLAPI_PLUGIN_FAILURE; ++ break; ++ } ++ } ++ ++ list = PR_NEXT_LINK(list); ++ } ++ } ++ ++ automember_config_unlock(); ++ ++ if(rc){ ++ char errtxt[SLAPI_DSE_RETURNTEXT_SIZE]; ++ int result = LDAP_UNWILLING_TO_PERFORM; ++ ++ PR_snprintf(errtxt, SLAPI_DSE_RETURNTEXT_SIZE, "Automember Plugin update unexpectedly failed. " ++ "Please see the server errors log for more information.\n"); ++ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &result); ++ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, &errtxt); ++ } ++ ++ slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM, ++ "<-- automember_modrdn_post_op (%d)\n", rc); ++ return rc; + } + +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c +index fa1e9bc..e5b9eeb 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c +@@ -357,7 +357,7 @@ ldbm_back_add( Slapi_PBlock *pb ) + /* make sure opreturn is set for the postop plugins */ + slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &rc); + } +- ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + /* +@@ -795,6 +795,7 @@ ldbm_back_add( Slapi_PBlock *pb ) + if (!opreturn) { + slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + +@@ -1046,6 +1047,7 @@ ldbm_back_add( Slapi_PBlock *pb ) + if (!opreturn) { + slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c +index 6725123..367ab99 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c +@@ -325,6 +325,7 @@ ldbm_back_delete( Slapi_PBlock *pb ) + if (!opreturn) { + slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &rc ); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + /* the flag could be set in a preop plugin (e.g., USN) */ +@@ -354,6 +355,7 @@ ldbm_back_delete( Slapi_PBlock *pb ) + ldap_result_code ? + &ldap_result_code : &retval ); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + +@@ -603,6 +605,7 @@ ldbm_back_delete( Slapi_PBlock *pb ) + ldap_result_code ? + &ldap_result_code : &retval ); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + } +@@ -633,6 +636,7 @@ ldbm_back_delete( Slapi_PBlock *pb ) + &ldap_result_code : &rc ); + } + /* retval is -1 */ ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + slapi_pblock_set( pb, SLAPI_DELETE_BEPREOP_ENTRY, orig_entry ); +@@ -1105,6 +1109,7 @@ ldbm_back_delete( Slapi_PBlock *pb ) + if (!opreturn) { + slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, &retval ); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c +index b5bdb41..f3b099d 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c +@@ -582,6 +582,7 @@ ldbm_back_modify( Slapi_PBlock *pb ) + if (!opreturn) { + slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + +@@ -752,6 +753,7 @@ ldbm_back_modify( Slapi_PBlock *pb ) + if (!opreturn) { + slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c +index 4908751..1162fdb 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c +@@ -466,6 +466,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb ) + if (!opreturn) { + slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &rc ); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + /* +@@ -890,6 +891,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb ) + if (!opreturn) { + slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval ); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + +@@ -1130,6 +1132,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb ) + if (!opreturn) { + slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval ); + } ++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); + goto error_return; + } + +diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c +index 5f66ab2..1ca4dc5 100644 +--- a/ldap/servers/slapd/plugin.c ++++ b/ldap/servers/slapd/plugin.c +@@ -1467,7 +1467,8 @@ plugin_call_func (struct slapdplugin *list, int operation, Slapi_PBlock *pb, int + } + else if (SLAPI_PLUGIN_BEPREOPERATION == list->plg_type || + SLAPI_PLUGIN_BETXNPREOPERATION == list->plg_type || +- SLAPI_PLUGIN_BEPOSTOPERATION == list->plg_type) ++ SLAPI_PLUGIN_BEPOSTOPERATION == list->plg_type || ++ SLAPI_PLUGIN_BETXNPOSTOPERATION == list->plg_type ) + { + /* + * respect fatal error SLAPI_PLUGIN_FAILURE (-1); +-- +1.8.1.4 + diff --git a/SOURCES/0053-Ticket-47613-Impossible-to-configure-nsslapd-allowed.patch b/SOURCES/0053-Ticket-47613-Impossible-to-configure-nsslapd-allowed.patch new file mode 100644 index 0000000..a93d34f --- /dev/null +++ b/SOURCES/0053-Ticket-47613-Impossible-to-configure-nsslapd-allowed.patch @@ -0,0 +1,63 @@ +From a886214ba26d9b74895269d83de62bd310b7d18c Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 2 Dec 2013 15:08:15 -0500 +Subject: [PATCH 53/65] Ticket 47613 - Impossible to configure + nsslapd-allowed-sasl-mechanisms + +Bug Description: The design doc sasy you can use comma separated list of supported mechanisms, + but in fact this was not supported. + +Fix Description: Allow comma separated lists. + +https://fedorahosted.org/389/ticket/47613 + +Reviewed by: richm(Thanks!) +(cherry picked from commit 6200f6812682760cd2a54d6a3bcbb009a0dffe79) +(cherry picked from commit f1461312fc9e221413b19d6babbdf5a886794d10) +--- + ldap/servers/slapd/libglobs.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c +index f8c5b01..b925a2c 100644 +--- a/ldap/servers/slapd/libglobs.c ++++ b/ldap/servers/slapd/libglobs.c +@@ -125,6 +125,7 @@ static int config_set_onoff( const char *attrname, char *value, + int *configvalue, char *errorbuf, int apply ); + static int config_set_schemareplace ( const char *attrname, char *value, + char *errorbuf, int apply ); ++static void remove_commas(char *str); + + /* Keeping the initial values */ + /* CONFIG_INT/CONFIG_LONG */ +@@ -6764,6 +6765,9 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, + return LDAP_SUCCESS; + } + ++ /* cyrus sasl doesn't like comma separated lists */ ++ remove_commas(value); ++ + CFG_LOCK_WRITE(slapdFrontendConfig); + slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value); + CFG_UNLOCK_WRITE(slapdFrontendConfig); +@@ -7434,3 +7438,17 @@ slapi_err2string(int result) + #endif + } + ++/* replace commas with spaces */ ++static void ++remove_commas(char *str) ++{ ++ int i; ++ ++ for (i = 0; str && str[i]; i++) ++ { ++ if (str[i] == ',') ++ { ++ str[i] = ' '; ++ } ++ } ++} +-- +1.8.1.4 + diff --git a/SOURCES/0054-Ticket-47587-hard-coded-limit-of-64-masters-in-agree.patch b/SOURCES/0054-Ticket-47587-hard-coded-limit-of-64-masters-in-agree.patch new file mode 100644 index 0000000..5454e51 --- /dev/null +++ b/SOURCES/0054-Ticket-47587-hard-coded-limit-of-64-masters-in-agree.patch @@ -0,0 +1,174 @@ +From 690fd89fb94621a4cafee1e4064d7e42ceaae6db Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Thu, 5 Dec 2013 11:58:56 -0500 +Subject: [PATCH 54/65] Ticket 47587 - hard coded limit of 64 masters in + agreement and changelog code + +Bug Description: Need to remove hardcoded limit of 64 masters. + +Fix Description: Changed the default limit to 256, and then we resize the array + as needed. + +https://fedorahosted.org/389/ticket/47587 + +Reviewed by: richm & tbordaz(Thanks!!) +(cherry picked from commit bae797c94207d15025e763cfea0634f42eeb1210) +(cherry picked from commit 457cd16908071f3faddb021c12c792d22f64ab5c) +--- + ldap/servers/plugins/replication/cl5_clcache.c | 22 +++++++++++++++++----- + ldap/servers/plugins/replication/repl5.h | 4 ++-- + ldap/servers/plugins/replication/repl5_agmt.c | 18 ++++++++++++++---- + 3 files changed, 33 insertions(+), 11 deletions(-) + +diff --git a/ldap/servers/plugins/replication/cl5_clcache.c b/ldap/servers/plugins/replication/cl5_clcache.c +index 8218312..d86620f 100644 +--- a/ldap/servers/plugins/replication/cl5_clcache.c ++++ b/ldap/servers/plugins/replication/cl5_clcache.c +@@ -113,8 +113,9 @@ struct clc_buffer { + CSN *buf_missing_csn; /* used to detect persistent missing of CSN */ + + /* fields for control the CSN sequence sent to the consumer */ +- struct csn_seq_ctrl_block *buf_cscbs [MAX_NUM_OF_MASTERS]; ++ struct csn_seq_ctrl_block **buf_cscbs; + int buf_num_cscbs; /* number of csn sequence ctrl blocks */ ++ int buf_max_cscbs; + + /* fields for debugging stat */ + int buf_load_cnt; /* number of loads for session */ +@@ -256,12 +257,15 @@ clcache_get_buffer ( CLC_Buffer **buf, DB *db, ReplicaId consumer_rid, const RUV + (*buf)->buf_record_cnt = 0; + (*buf)->buf_record_skipped = 0; + (*buf)->buf_cursor = NULL; +- (*buf)->buf_num_cscbs = 0; + (*buf)->buf_skipped_new_rid = 0; + (*buf)->buf_skipped_csn_gt_cons_maxcsn = 0; + (*buf)->buf_skipped_up_to_date = 0; + (*buf)->buf_skipped_csn_gt_ruv = 0; + (*buf)->buf_skipped_csn_covered = 0; ++ (*buf)->buf_cscbs = (struct csn_seq_ctrl_block **) slapi_ch_calloc(MAX_NUM_OF_MASTERS + 1, ++ sizeof(struct csn_seq_ctrl_block *)); ++ (*buf)->buf_num_cscbs = 0; ++ (*buf)->buf_max_cscbs = MAX_NUM_OF_MASTERS; + } + else { + *buf = clcache_new_buffer ( consumer_rid ); +@@ -311,7 +315,7 @@ clcache_return_buffer ( CLC_Buffer **buf ) + for ( i = 0; i < (*buf)->buf_num_cscbs; i++ ) { + clcache_free_cscb ( &(*buf)->buf_cscbs[i] ); + } +- (*buf)->buf_num_cscbs = 0; ++ slapi_ch_free((void **)&(*buf)->buf_cscbs); + + if ( (*buf)->buf_cursor ) { + +@@ -554,7 +558,7 @@ clcache_refresh_consumer_maxcsns ( CLC_Buffer *buf ) + static int + clcache_refresh_local_maxcsn ( const ruv_enum_data *rid_data, void *data ) + { +- CLC_Buffer *buf = (CLC_Buffer*) data; ++ struct clc_buffer *buf = (struct clc_buffer*) data; + ReplicaId rid; + int rc = 0; + int i; +@@ -575,7 +579,12 @@ clcache_refresh_local_maxcsn ( const ruv_enum_data *rid_data, void *data ) + break; + } + if ( i >= buf->buf_num_cscbs ) { +- buf->buf_cscbs[i] = clcache_new_cscb (); ++ if( i + 1 > buf->buf_max_cscbs){ ++ buf->buf_cscbs = (struct csn_seq_ctrl_block **) slapi_ch_realloc((char *)buf->buf_cscbs, ++ (i + 2) * sizeof(struct csn_seq_ctrl_block *)); ++ buf->buf_max_cscbs = i + 1; ++ } ++ buf->buf_cscbs[i] = clcache_new_cscb(); + if ( buf->buf_cscbs[i] == NULL ) { + return -1; + } +@@ -878,6 +887,9 @@ clcache_new_buffer ( ReplicaId consumer_rid ) + buf->buf_agmt_name = get_thread_private_agmtname(); + buf->buf_consumer_rid = consumer_rid; + buf->buf_num_cscbs = 0; ++ buf->buf_max_cscbs = MAX_NUM_OF_MASTERS; ++ buf->buf_cscbs = (struct csn_seq_ctrl_block **) slapi_ch_calloc(MAX_NUM_OF_MASTERS + 1, ++ sizeof(struct csn_seq_ctrl_block *)); + + welldone = 1; + +diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h +index 5bec1c7..92a9229 100644 +--- a/ldap/servers/plugins/replication/repl5.h ++++ b/ldap/servers/plugins/replication/repl5.h +@@ -140,11 +140,11 @@ + + #define DEFAULT_PROTOCOL_TIMEOUT 120 + +-/* To Allow Consumer Initialisation when adding an agreement - */ ++/* To Allow Consumer Initialization when adding an agreement - */ + #define STATE_PERFORMING_TOTAL_UPDATE 501 + #define STATE_PERFORMING_INCREMENTAL_UPDATE 502 + +-#define MAX_NUM_OF_MASTERS 64 ++#define MAX_NUM_OF_MASTERS 256 + #define REPL_SESSION_ID_SIZE 64 + + #define REPL_GET_DN(addrp) slapi_sdn_get_dn((addrp)->sdn) +diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c +index b7d107e..90d94f8 100644 +--- a/ldap/servers/plugins/replication/repl5_agmt.c ++++ b/ldap/servers/plugins/replication/repl5_agmt.c +@@ -111,8 +111,9 @@ typedef struct repl5agmt { + const Slapi_RDN *rdn; /* RDN of replication agreement entry */ + char *long_name; /* Long name (rdn + host, port) of entry, for logging */ + Repl_Protocol *protocol; /* Protocol object - manages protocol */ +- struct changecounter *changecounters[MAX_NUM_OF_MASTERS]; /* changes sent/skipped since server start up */ ++ struct changecounter **changecounters; /* changes sent/skipped since server start up */ + int num_changecounters; ++ int max_changecounters; + time_t last_update_start_time; /* Local start time of last update session */ + time_t last_update_end_time; /* Local end time of last update session */ + char last_update_status[STATUS_LEN]; /* Status of last update. Format = numeric code textual description */ +@@ -435,14 +436,17 @@ agmt_new_from_entry(Slapi_Entry *e) + /* Initialize status information */ + ra->last_update_start_time = 0UL; + ra->last_update_end_time = 0UL; +- ra->num_changecounters = 0; + ra->last_update_status[0] = '\0'; + ra->update_in_progress = PR_FALSE; + ra->stop_in_progress = PR_FALSE; + ra->last_init_end_time = 0UL; + ra->last_init_start_time = 0UL; + ra->last_init_status[0] = '\0'; +- ++ ra->changecounters = (struct changecounter**) slapi_ch_calloc(MAX_NUM_OF_MASTERS + 1, ++ sizeof(struct changecounter *)); ++ ra->num_changecounters = 0; ++ ra->max_changecounters = MAX_NUM_OF_MASTERS; ++ + /* Fractional attributes */ + slapi_entry_attr_find(e, type_nsds5ReplicatedAttributeList, &sattr); + +@@ -599,6 +603,7 @@ agmt_delete(void **rap) + { + slapi_ch_free((void **)&ra->changecounters[ra->num_changecounters]); + } ++ slapi_ch_free((void **)&ra->changecounters); + + if (ra->agreement_type == REPLICA_TYPE_WINDOWS) + { +@@ -2305,7 +2310,12 @@ agmt_inc_last_update_changecount (Repl_Agmt *ra, ReplicaId rid, int skipped) + } + else + { +- ra->num_changecounters ++; ++ ra->num_changecounters++; ++ if(ra->num_changecounters > ra->max_changecounters){ ++ ra->changecounters = (struct changecounter**) slapi_ch_realloc((char *)ra->changecounters, ++ (ra->num_changecounters + 1) * sizeof(struct changecounter*)); ++ ra->max_changecounters = ra->num_changecounters; ++ } + ra->changecounters[i] = (struct changecounter*) slapi_ch_calloc(1, sizeof(struct changecounter)); + ra->changecounters[i]->rid = rid; + if ( skipped ) +-- +1.8.1.4 + diff --git a/SOURCES/0055-Ticket-47597-Convert-retro-changelog-plug-in-to-betx.patch b/SOURCES/0055-Ticket-47597-Convert-retro-changelog-plug-in-to-betx.patch new file mode 100644 index 0000000..beaa27a --- /dev/null +++ b/SOURCES/0055-Ticket-47597-Convert-retro-changelog-plug-in-to-betx.patch @@ -0,0 +1,51 @@ +From ef2f198a69dcd707c8101ab1e31b8360ac27c952 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 18 Nov 2013 12:49:48 -0500 +Subject: [PATCH 55/65] Ticket 47597 - Convert retro changelog plug-in to betxn + +Retro cl plugin is already betxn aware. The template and 20betxn.pl script +needed to be updated to reflect the new default. + +https://fedorahosted.org/389/ticket/47597 + +Reviewed by: richm(Thanks!) +(cherry picked from commit 3dca85ec629be641f07ae2ecfef59609d4dc88e2) +(cherry picked from commit 229d270428dc4cfabd7d367444f1c0b10a60ef87) +--- + ldap/admin/src/scripts/20betxn.pl | 4 +++- + ldap/ldif/template-dse.ldif.in | 1 + + 2 files changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ldap/admin/src/scripts/20betxn.pl b/ldap/admin/src/scripts/20betxn.pl +index 2c56707..6f9b5e1 100644 +--- a/ldap/admin/src/scripts/20betxn.pl ++++ b/ldap/admin/src/scripts/20betxn.pl +@@ -12,10 +12,12 @@ sub runinst { + # cn=Multimaster Replication Plugin + # cn=Roles Plugin,cn=plugins,cn=config + # cn=USN,cn=plugins,cn=config ++ # cn=Retro Changelog Plugin,cn=plugins,cn=config + my @objplugins = ( + "cn=Multimaster Replication Plugin,cn=plugins,cn=config", + "cn=Roles Plugin,cn=plugins,cn=config", +- "cn=USN,cn=plugins,cn=config" ++ "cn=USN,cn=plugins,cn=config", ++ "cn=Retro Changelog Plugin,cn=plugins,cn=config" + ); + foreach my $plugin (@objplugins) { + my $ent = $conn->search($plugin, "base", "(cn=*)"); +diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in +index 95ed60c..12df7b6 100644 +--- a/ldap/ldif/template-dse.ldif.in ++++ b/ldap/ldif/template-dse.ldif.in +@@ -557,6 +557,7 @@ cn: Retro Changelog Plugin + nsslapd-pluginpath: libretrocl-plugin + nsslapd-plugininitfunc: retrocl_plugin_init + nsslapd-plugintype: object ++nsslapd-pluginbetxn: on + nsslapd-pluginenabled: off + nsslapd-pluginprecedence: 25 + nsslapd-plugin-depends-on-type: database +-- +1.8.1.4 + diff --git a/SOURCES/0056-Ticket-47598-Convert-ldbm_back_seq-code-to-be-transa.patch b/SOURCES/0056-Ticket-47598-Convert-ldbm_back_seq-code-to-be-transa.patch new file mode 100644 index 0000000..3996d76 --- /dev/null +++ b/SOURCES/0056-Ticket-47598-Convert-ldbm_back_seq-code-to-be-transa.patch @@ -0,0 +1,153 @@ +From 88315fddb145da4d3d0601d020c61b25aed66366 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 19 Nov 2013 09:45:03 -0500 +Subject: [PATCH 56/65] Ticket 47598 - Convert ldbm_back_seq code to be + transaction aware + +Description: Attempt to retrieve the transaction, and pass it to the db + functions, and id2entry. Also did a little code cleanup. + +https://fedorahosted.org/389/ticket/47598 + +Reviewed by: richm(Thanks!) +(cherry picked from commit 50272119bbff52c5d9b6ce5d7302aef763aa96ec) +(cherry picked from commit da9fed74c2a04dc45b4354f436e70020bcbd7cd2) +--- + ldap/servers/slapd/back-ldbm/seq.c | 61 +++++++++++++++++++++----------------- + 1 file changed, 34 insertions(+), 27 deletions(-) + +diff --git a/ldap/servers/slapd/back-ldbm/seq.c b/ldap/servers/slapd/back-ldbm/seq.c +index ab473bd..27da2a4 100644 +--- a/ldap/servers/slapd/back-ldbm/seq.c ++++ b/ldap/servers/slapd/back-ldbm/seq.c +@@ -68,20 +68,21 @@ + int + ldbm_back_seq( Slapi_PBlock *pb ) + { +- backend *be; +- ldbm_instance *inst; +- struct ldbminfo *li; +- IDList *idl = NULL; +- int err = LDAP_SUCCESS; +- DB *db; +- DBC *dbc = NULL; +- int type; +- char *attrname, *val; +- int isroot; ++ backend *be; ++ ldbm_instance *inst; ++ struct ldbminfo *li; ++ IDList *idl = NULL; ++ back_txn txn = {NULL}; + struct attrinfo *ai = NULL; ++ DB *db; ++ DBC *dbc = NULL; ++ char *attrname, *val; ++ int err = LDAP_SUCCESS; + int return_value = -1; +- int nentries = 0; +- int retry_count=0; ++ int nentries = 0; ++ int retry_count = 0; ++ int isroot; ++ int type; + + /* Decode arguments */ + slapi_pblock_get( pb, SLAPI_BACKEND, &be); +@@ -90,9 +91,15 @@ ldbm_back_seq( Slapi_PBlock *pb ) + slapi_pblock_get( pb, SLAPI_SEQ_ATTRNAME, &attrname ); + slapi_pblock_get( pb, SLAPI_SEQ_VAL, &val ); + slapi_pblock_get( pb, SLAPI_REQUESTOR_ISROOT, &isroot ); ++ slapi_pblock_get( pb, SLAPI_TXN, &txn.back_txn_txn ); + + inst = (ldbm_instance *) be->be_instance_info; + ++ if ( !txn.back_txn_txn ) { ++ dblayer_txn_init( li, &txn ); ++ slapi_pblock_set( pb, SLAPI_TXN, txn.back_txn_txn ); ++ } ++ + /* Validate arguments */ + if ( type != SLAPI_SEQ_FIRST && + type != SLAPI_SEQ_LAST && +@@ -114,7 +121,7 @@ ldbm_back_seq( Slapi_PBlock *pb ) + LDAPDebug( LDAP_DEBUG_TRACE, + "seq: caller specified un-indexed attribute %s\n", + attrname ? attrname : "", 0, 0 ); +- slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, ++ slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL, + "Unindexed seq access type", 0, NULL ); + return -1; + } +@@ -123,13 +130,13 @@ ldbm_back_seq( Slapi_PBlock *pb ) + LDAPDebug( LDAP_DEBUG_ANY, + "<= ldbm_back_seq NULL (could not open index file for attribute %s)\n", + attrname, 0, 0 ); +- slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL ); ++ slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL ); + return -1; + } + + /* First, get a database cursor */ + +- return_value = db->cursor(db,NULL,&dbc,0); ++ return_value = db->cursor(db, txn.back_txn_txn, &dbc, 0); + + if (0 == return_value) + { +@@ -160,7 +167,7 @@ ldbm_back_seq( Slapi_PBlock *pb ) + big_buffer = slapi_ch_malloc(key_length); + if (NULL == big_buffer) { + /* memory allocation failure */ +- dblayer_release_index_file( be, ai, db ); ++ dblayer_release_index_file( be, ai, db ); + return -1; + } + key.data = big_buffer; +@@ -234,24 +241,24 @@ ldbm_back_seq( Slapi_PBlock *pb ) + /* Retrieve the idlist for this key */ + key.flags = 0; + for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) { +- err = NEW_IDL_DEFAULT; +- idl = idl_fetch( be, db, &key, NULL, ai, &err ); +- if(err == DB_LOCK_DEADLOCK) { +- ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err); ++ err = NEW_IDL_DEFAULT; ++ idl = idl_fetch( be, db, &key, txn.back_txn_txn, ai, &err ); ++ if(err == DB_LOCK_DEADLOCK) { ++ ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err); + #ifdef FIX_TXN_DEADLOCKS + #error if txn != NULL, have to retry the entire transaction + #endif +- continue; +- } else { +- break; +- } ++ continue; ++ } else { ++ break; ++ } + } + } + } + if(retry_count == IDL_FETCH_RETRY_COUNT) { +- ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err); ++ ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err); + } else if ( err != 0 && err != DB_NOTFOUND ) { +- ldbm_nasty("ldbm_back_seq database error", 1650, err); ++ ldbm_nasty("ldbm_back_seq database error", 1650, err); + } + slapi_ch_free( &(data.data) ); + if ( key.data != little_buffer && key.data != &keystring ) { +@@ -272,7 +279,7 @@ ldbm_back_seq( Slapi_PBlock *pb ) + for ( id = idl_firstid( idl ); id != NOID; + id = idl_nextid( idl, id )) + { +- if (( e = id2entry( be, id, NULL, &err )) == NULL ) ++ if (( e = id2entry( be, id, &txn, &err )) == NULL ) + { + if ( err != LDAP_SUCCESS ) + { +-- +1.8.1.4 + diff --git a/SOURCES/0057-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch b/SOURCES/0057-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch new file mode 100644 index 0000000..918d98d --- /dev/null +++ b/SOURCES/0057-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch @@ -0,0 +1,213 @@ +From a111165bab37e74bcaa76b1ba6182549a785361d Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 20 Nov 2013 09:08:50 -0500 +Subject: [PATCH 57/65] Ticket 47599 - Reduce lock scope in retro changelog + plug-in + +Description: Use RW locks for protecting the change numbers. + + We still need to do the locking in retrocl_po.c as we need to + serialize the actual updates. + +https://fedorahosted.org/389/ticket/47599 + +Reviewed by: richm(Thanks!!) +(cherry picked from commit e2c42bced86bac235ac56ae98eed303f61ebd15e) +(cherry picked from commit 03f6347eb72d3cbb49ae33312f32df9f91a2fd4c) +--- + ldap/servers/plugins/retrocl/retrocl.c | 3 ++- + ldap/servers/plugins/retrocl/retrocl.h | 1 + + ldap/servers/plugins/retrocl/retrocl_cn.c | 42 +++++++++++++++++++++---------- + ldap/servers/plugins/retrocl/retrocl_po.c | 2 +- + 4 files changed, 33 insertions(+), 15 deletions(-) + +diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c +index 90c3455..3e426a7 100644 +--- a/ldap/servers/plugins/retrocl/retrocl.c ++++ b/ldap/servers/plugins/retrocl/retrocl.c +@@ -465,7 +465,8 @@ retrocl_plugin_init(Slapi_PBlock *pb) + if (!is_betxn) { + rc= slapi_register_plugin_ext("internalpostoperation", 1 /* Enabled */, "retrocl_internalpostop_init", retrocl_internalpostop_init, "Retrocl internal postoperation plugin", NULL, identity, precedence); + } +- ++ retrocl_cn_lock = slapi_new_rwlock(); ++ if(retrocl_cn_lock == NULL) return -1; + retrocl_internal_lock = PR_NewLock(); + if (retrocl_internal_lock == NULL) return -1; + } +diff --git a/ldap/servers/plugins/retrocl/retrocl.h b/ldap/servers/plugins/retrocl/retrocl.h +index 276912b..bfebe2e 100644 +--- a/ldap/servers/plugins/retrocl/retrocl.h ++++ b/ldap/servers/plugins/retrocl/retrocl.h +@@ -130,6 +130,7 @@ extern const char *attr_nsuniqueid; + extern const char *attr_isreplicated; + + extern PRLock *retrocl_internal_lock; ++extern Slapi_RWLock *retrocl_cn_lock; + + /* Functions */ + +diff --git a/ldap/servers/plugins/retrocl/retrocl_cn.c b/ldap/servers/plugins/retrocl/retrocl_cn.c +index d2b15a4..f816730 100644 +--- a/ldap/servers/plugins/retrocl/retrocl_cn.c ++++ b/ldap/servers/plugins/retrocl/retrocl_cn.c +@@ -163,8 +163,9 @@ int retrocl_get_changenumbers(void) + NULL,NULL,0,&cr,NULL,handle_cnum_result, + handle_cnum_entry, NULL); + +- retrocl_first_cn = cr.cr_cnum; ++ slapi_rwlock_wrlock(retrocl_cn_lock); + ++ retrocl_first_cn = cr.cr_cnum; + slapi_ch_free(( void **) &cr.cr_time ); + + slapi_seq_callback(RETROCL_CHANGELOG_DN,SLAPI_SEQ_LAST, +@@ -178,6 +179,8 @@ int retrocl_get_changenumbers(void) + retrocl_first_cn, + retrocl_internal_cn); + ++ slapi_rwlock_unlock(retrocl_cn_lock); ++ + slapi_ch_free(( void **) &cr.cr_time ); + + return 0; +@@ -238,10 +241,10 @@ time_t retrocl_getchangetime( int type, int *err ) + + void retrocl_forget_changenumbers(void) + { +- PR_Lock(retrocl_internal_lock); ++ slapi_rwlock_wrlock(retrocl_cn_lock); + retrocl_first_cn = 0; + retrocl_internal_cn = 0; +- PR_Unlock(retrocl_internal_lock); ++ slapi_rwlock_unlock(retrocl_cn_lock); + } + + /* +@@ -258,9 +261,11 @@ void retrocl_forget_changenumbers(void) + changeNumber retrocl_get_first_changenumber(void) + { + changeNumber cn; +- PR_Lock(retrocl_internal_lock); ++ ++ slapi_rwlock_rdlock(retrocl_cn_lock); + cn = retrocl_first_cn; +- PR_Unlock(retrocl_internal_lock); ++ slapi_rwlock_unlock(retrocl_cn_lock); ++ + return cn; + } + +@@ -277,9 +282,9 @@ changeNumber retrocl_get_first_changenumber(void) + + void retrocl_set_first_changenumber(changeNumber cn) + { +- PR_Lock(retrocl_internal_lock); ++ slapi_rwlock_wrlock(retrocl_cn_lock); + retrocl_first_cn = cn; +- PR_Unlock(retrocl_internal_lock); ++ slapi_rwlock_unlock(retrocl_cn_lock); + } + + +@@ -297,9 +302,11 @@ void retrocl_set_first_changenumber(changeNumber cn) + changeNumber retrocl_get_last_changenumber(void) + { + changeNumber cn; +- PR_Lock(retrocl_internal_lock); ++ ++ slapi_rwlock_rdlock(retrocl_cn_lock); + cn = retrocl_internal_cn; +- PR_Unlock(retrocl_internal_lock); ++ slapi_rwlock_unlock(retrocl_cn_lock); ++ + return cn; + } + +@@ -316,9 +323,11 @@ changeNumber retrocl_get_last_changenumber(void) + + void retrocl_commit_changenumber(void) + { ++ slapi_rwlock_wrlock(retrocl_cn_lock); + if ( retrocl_first_cn == 0) { + retrocl_first_cn = retrocl_internal_cn; + } ++ slapi_rwlock_unlock(retrocl_cn_lock); + } + + /* +@@ -333,8 +342,10 @@ void retrocl_commit_changenumber(void) + */ + + void retrocl_release_changenumber(void) +-{ ++{ ++ slapi_rwlock_wrlock(retrocl_cn_lock); + retrocl_internal_cn--; ++ slapi_rwlock_unlock(retrocl_cn_lock); + } + + /* +@@ -342,7 +353,7 @@ void retrocl_release_changenumber(void) + * + * Returns: 0/-1 + * +- * Arguments: none ++ * Arguments: none. The caller should have taken write lock for the change numbers + * + * Description: reads the last entry in the changelog to obtain + * the last change number. +@@ -355,6 +366,7 @@ int retrocl_update_lastchangenumber(void) + + if (retrocl_be_changelog == NULL) return -1; + ++ slapi_rwlock_unlock(retrocl_cn_lock); + cr.cr_cnum = 0; + cr.cr_time = 0; + slapi_seq_callback(RETROCL_CHANGELOG_DN,SLAPI_SEQ_LAST, +@@ -362,7 +374,7 @@ int retrocl_update_lastchangenumber(void) + NULL,NULL,0,&cr,NULL,handle_cnum_result, + handle_cnum_entry, NULL); + +- ++ slapi_rwlock_wrlock(retrocl_cn_lock); + retrocl_internal_cn = cr.cr_cnum; + slapi_log_error(SLAPI_LOG_PLUGIN,"retrocl","Refetched last changenumber = %lu \n", + retrocl_internal_cn); +@@ -394,6 +406,8 @@ changeNumber retrocl_assign_changenumber(void) + * validity of the internal assignment of retrocl_internal_cn + * we had from the startup */ + ++ slapi_rwlock_wrlock(retrocl_cn_lock); ++ + if(retrocl_internal_cn <= retrocl_first_cn){ + /* the numbers have become out of sync - retrocl_get_changenumbers + * gets called only once during startup and it may have had a problem +@@ -404,8 +418,10 @@ changeNumber retrocl_assign_changenumber(void) + */ + retrocl_update_lastchangenumber(); + } +- + retrocl_internal_cn++; + cn = retrocl_internal_cn; ++ ++ slapi_rwlock_unlock(retrocl_cn_lock); ++ + return cn; + } +diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c +index 382c98a..cd290f2 100644 +--- a/ldap/servers/plugins/retrocl/retrocl_po.c ++++ b/ldap/servers/plugins/retrocl/retrocl_po.c +@@ -372,7 +372,7 @@ write_replog_db( + retrocl_release_changenumber(); + } else { + /* Tell the change numbering system this one's committed to disk */ +- retrocl_commit_changenumber( ); ++ retrocl_commit_changenumber(); + } + } else { + slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME, +-- +1.8.1.4 + diff --git a/SOURCES/0058-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch b/SOURCES/0058-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch new file mode 100644 index 0000000..83bbf7b --- /dev/null +++ b/SOURCES/0058-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch @@ -0,0 +1,33 @@ +From 6a670438877eecc6b75407e548dbb51bb849a9ff Mon Sep 17 00:00:00 2001 +From: Rich Megginson +Date: Fri, 22 Nov 2013 16:51:55 -0700 +Subject: [PATCH 58/65] Ticket 47599 - Reduce lock scope in retro changelog + plug-in + +Description: Forgot to add definition of retrocl_cn_lock + +https://fedorahosted.org/389/ticket/47599 + +Reviewed by: richm(Thanks!!) +(cherry picked from commit b330876a1bccd93a8e906ac56a10c002c981ecfc) +(cherry picked from commit f4d5900579c773e5cf4b69eaeba6104078512ab0) +(cherry picked from commit b19239fdca5c00865471acfd5ffc8502c66b914a) +--- + ldap/servers/plugins/retrocl/retrocl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c +index 3e426a7..528434e 100644 +--- a/ldap/servers/plugins/retrocl/retrocl.c ++++ b/ldap/servers/plugins/retrocl/retrocl.c +@@ -77,6 +77,7 @@ void* g_plg_identity [PLUGIN_MAX]; + + Slapi_Backend *retrocl_be_changelog = NULL; + PRLock *retrocl_internal_lock = NULL; ++Slapi_RWLock *retrocl_cn_lock; + int retrocl_nattributes = 0; + char **retrocl_attributes = NULL; + char **retrocl_aliases = NULL; +-- +1.8.1.4 + diff --git a/SOURCES/0059-Ticket-47599-fix-memory-leak.patch b/SOURCES/0059-Ticket-47599-fix-memory-leak.patch new file mode 100644 index 0000000..9ecbd7f --- /dev/null +++ b/SOURCES/0059-Ticket-47599-fix-memory-leak.patch @@ -0,0 +1,32 @@ +From bda97e4f914e18d9d7b2de9b0e9bdc4014c73855 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 25 Nov 2013 09:36:25 -0500 +Subject: [PATCH 59/65] Ticket 47599 - fix memory leak + +Coverity 12410 + +https://fedorahosted.org/389/ticket/47599 + +Reviewed by: richm(Thanks!) +(cherry picked from commit a16bf1b3c4ff0412c2481baace9b427750c11f8c) +(cherry picked from commit c7e7c68ea4779601ec4896b1d90f3b6d347f047f) +(cherry picked from commit 08dc37dc832e1ce78d27012a60b1691dba2f6501) +--- + ldap/servers/slapd/back-ldbm/seq.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ldap/servers/slapd/back-ldbm/seq.c b/ldap/servers/slapd/back-ldbm/seq.c +index 27da2a4..10484fd 100644 +--- a/ldap/servers/slapd/back-ldbm/seq.c ++++ b/ldap/servers/slapd/back-ldbm/seq.c +@@ -242,6 +242,7 @@ ldbm_back_seq( Slapi_PBlock *pb ) + key.flags = 0; + for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) { + err = NEW_IDL_DEFAULT; ++ idl_free(idl); + idl = idl_fetch( be, db, &key, txn.back_txn_txn, ai, &err ); + if(err == DB_LOCK_DEADLOCK) { + ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err); +-- +1.8.1.4 + diff --git a/SOURCES/0060-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch b/SOURCES/0060-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch new file mode 100644 index 0000000..cd8e564 --- /dev/null +++ b/SOURCES/0060-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch @@ -0,0 +1,117 @@ +From 7b257e2f72ac674025f894ec5fdcc2eaca34b0a2 Mon Sep 17 00:00:00 2001 +From: Rich Megginson +Date: Fri, 15 Nov 2013 10:24:26 -0700 +Subject: [PATCH 60/65] Ticket #47596 attrcrypt fails to find unlocked key + +https://fedorahosted.org/389/ticket/47596 +Reviewed by: nkinder (Thanks!) +Branch: 389-ds-base-1.3.1 +Fix Description: There should always be a pre-authenticated slot/token that +has the servers cert and key. Just loop through all of the slots that the +server's cert is found on, and use the first one that is authenticated. +Platforms tested: RHEL6 x86_64 +Flag Day: no +Doc impact: no +(cherry picked from commit b1fad4e35c0f963bf4678a2ed9a068dbe4fb159c) +(cherry picked from commit cf091de4ae70ad8d683ff33c57e75e58ff900502) +(cherry picked from commit 92b46296c0b4ab9aa436ae09bca95832e2276c6e) +--- + ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 2 +- + ldap/servers/slapd/proto-slap.h | 1 + + ldap/servers/slapd/ssl.c | 58 +++++++++++++++++++++++++++ + 3 files changed, 60 insertions(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c +index 09cce9b..f4a5d1a 100644 +--- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c ++++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c +@@ -425,7 +425,7 @@ attrcrypt_fetch_private_key(SECKEYPrivateKey **private_key) + LDAPDebug(LDAP_DEBUG_ANY,"Can't find certificate %s in attrcrypt_fetch_private_key: %d - %s\n", cert_name, errorCode, slapd_pr_strerror(errorCode)); + } + if( cert != NULL ) { +- key = slapd_pk11_findKeyByAnyCert(cert, NULL); ++ key = slapd_get_unlocked_key_for_cert(cert, NULL); + } + if (key == NULL) { + errorCode = PR_GetError(); +diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h +index 4c1dab9..39c1f54 100644 +--- a/ldap/servers/slapd/proto-slap.h ++++ b/ldap/servers/slapd/proto-slap.h +@@ -1012,6 +1012,7 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS); + int slapd_security_library_is_initialized(); + int slapd_ssl_listener_is_initialized(); + int slapd_SSL_client_auth (LDAP* ld); ++SECKEYPrivateKey *slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg); + + /* + * security_wrappers.c +diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c +index f515b8e..8b80acb 100644 +--- a/ldap/servers/slapd/ssl.c ++++ b/ldap/servers/slapd/ssl.c +@@ -1577,3 +1577,61 @@ char* slapd_get_tmp_dir() + #endif + return ( tmpdir ); + } ++ ++SECKEYPrivateKey * ++slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg) ++{ ++ SECKEYPrivateKey *key = NULL; ++ PK11SlotListElement *sle; ++ PK11SlotList *slotlist = PK11_GetAllSlotsForCert(cert, NULL); ++ const char *certsubject = cert->subjectName ? cert->subjectName : "unknown cert"; ++ ++ if (!slotlist) { ++ PRErrorCode errcode = PR_GetError(); ++ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert", ++ "Error: cannot get slot list for certificate [%s] (%d: %s)\n", ++ certsubject, errcode, slapd_pr_strerror(errcode)); ++ return key; ++ } ++ ++ for (sle = slotlist->head; sle; sle = sle->next) { ++ PK11SlotInfo *slot = sle->slot; ++ const char *slotname = (slot && PK11_GetSlotName(slot)) ? PK11_GetSlotName(slot) : "unknown slot"; ++ const char *tokenname = (slot && PK11_GetTokenName(slot)) ? PK11_GetTokenName(slot) : "unknown token"; ++ if (!slot) { ++ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert", ++ "Missing slot for slot list element for certificate [%s]\n", ++ certsubject); ++ } else if (PK11_IsLoggedIn(slot, pin_arg)) { ++ key = PK11_FindKeyByDERCert(slot, cert, pin_arg); ++ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert", ++ "Found unlocked slot [%s] token [%s] for certificate [%s]\n", ++ slotname, tokenname, certsubject); ++ break; ++ } else { ++ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert", ++ "Skipping locked slot [%s] token [%s] for certificate [%s]\n", ++ slotname, tokenname, certsubject); ++ } ++ } ++ ++ if (!key) { ++ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert", ++ "Error: could not find any unlocked slots for certificate [%s]. " ++ "Please review your TLS/SSL configuration. The following slots were found:\n", ++ certsubject); ++ for (sle = slotlist->head; sle; sle = sle->next) { ++ PK11SlotInfo *slot = sle->slot; ++ const char *slotname = (slot && PK11_GetSlotName(slot)) ? PK11_GetSlotName(slot) : "unknown slot"; ++ const char *tokenname = (slot && PK11_GetTokenName(slot)) ? PK11_GetTokenName(slot) : "unknown token"; ++ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert", ++ "Slot [%s] token [%s] was locked.\n", ++ slotname, tokenname); ++ } ++ ++ } ++ ++ PK11_FreeSlotList(slotlist); ++ return key; ++} ++ +-- +1.8.1.4 + diff --git a/SOURCES/0061-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch b/SOURCES/0061-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch new file mode 100644 index 0000000..75736c5 --- /dev/null +++ b/SOURCES/0061-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch @@ -0,0 +1,39 @@ +From 13dee95761221c2849523acf3276242416a7a01a Mon Sep 17 00:00:00 2001 +From: Rich Megginson +Date: Tue, 26 Nov 2013 08:14:07 -0700 +Subject: [PATCH 61/65] Ticket #47596 attrcrypt fails to find unlocked key + +https://fedorahosted.org/389/ticket/47596 +Reviewed by: nkinder (Thanks!) +Branch: 389-ds-base-1.3.1 +Fix Description: Additional fix to the previous fix. As it turns out, the +function PK11_IsLoggedIn() only returns true if the slot has been unlocked +with a pin or password. If the slot does not need a login at all, because +the cert/key db has no password, PK11_IsLoggedIn will return false. The code +must check for PK11_NeedLogin too. +Platforms tested: RHEL6 x86_64 +Flag Day: no +Doc impact: no +(cherry picked from commit e66c4cecc47eff659a72a51c1e1722fb41c1dfbc) +(cherry picked from commit f608a943745e51fe4b5dbfb18bada2e2d13e0d6a) +(cherry picked from commit 5d2a20b4881d5374a9088ed1504b2d7e753976bb) +--- + ldap/servers/slapd/ssl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c +index 8b80acb..61809aa 100644 +--- a/ldap/servers/slapd/ssl.c ++++ b/ldap/servers/slapd/ssl.c +@@ -1602,7 +1602,7 @@ slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg) + slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert", + "Missing slot for slot list element for certificate [%s]\n", + certsubject); +- } else if (PK11_IsLoggedIn(slot, pin_arg)) { ++ } else if (!PK11_NeedLogin(slot) || PK11_IsLoggedIn(slot, pin_arg)) { + key = PK11_FindKeyByDERCert(slot, cert, pin_arg); + slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert", + "Found unlocked slot [%s] token [%s] for certificate [%s]\n", +-- +1.8.1.4 + diff --git a/SOURCES/0062-Ticket-47591-entries-with-empty-objectclass-attribut.patch b/SOURCES/0062-Ticket-47591-entries-with-empty-objectclass-attribut.patch new file mode 100644 index 0000000..5e03ea0 --- /dev/null +++ b/SOURCES/0062-Ticket-47591-entries-with-empty-objectclass-attribut.patch @@ -0,0 +1,113 @@ +From 5edce023ae5977bebfdfd05ad21febc51c5b428b Mon Sep 17 00:00:00 2001 +From: Ludwig Krispenz +Date: Tue, 26 Nov 2013 09:15:53 +0100 +Subject: [PATCH 62/65] Ticket 47591 - entries with empty objectclass attribute + value can be hidden + +Bug Description: The problem is that for the empty value + + objectClass;vdcsn-5283b8e0000000c80000;deleted + + it is compared to "ldapsubentry" and "nstombstone" + + 'if (PL_strncasecmp(type.bv_val,"tombstone",0)' + + and with length 0, this is always true. + +Fix Description: add a check bv_len >= strlen(valuetocompare) + or bv_len == strlen(valuetocompare) + define constants for lengths + +https://fedorahosted.org/389/ticket/47591 + +Reviewed by: richm, thanks +(cherry picked from commit 6b47eb4f54ff1e0a8b9c4aa9f3e6c3c3d958fd56) +--- + ldap/servers/slapd/entry.c | 15 ++++++++------- + ldap/servers/slapd/slapi-plugin.h | 15 ++++++++++++++- + 2 files changed, 22 insertions(+), 8 deletions(-) + +diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c +index e0248c8..60e1dfe 100644 +--- a/ldap/servers/slapd/entry.c ++++ b/ldap/servers/slapd/entry.c +@@ -340,7 +340,7 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in + rawdn = NULL; /* Set once in the loop. + This won't affect the caller's passed address. */ + } +- if ( PL_strncasecmp( type.bv_val, "dn", type.bv_len ) == 0 ) { ++ if ( type.bv_len == SLAPI_ATTR_DN_LENGTH && PL_strncasecmp( type.bv_val, SLAPI_ATTR_DN, type.bv_len ) == 0 ) { + if ( slapi_entry_get_dn_const(e)!=NULL ) { + char ebuf[ BUFSIZ ]; + LDAPDebug( LDAP_DEBUG_TRACE, +@@ -376,7 +376,7 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in + continue; + } + +- if ( PL_strncasecmp( type.bv_val, "rdn", type.bv_len ) == 0 ) { ++ if ( type.bv_len == SLAPI_ATTR_RDN_LENGTH && PL_strncasecmp( type.bv_val, SLAPI_ATTR_RDN, type.bv_len ) == 0 ) { + if ( NULL == slapi_entry_get_rdn_const( e )) { + slapi_entry_set_rdn( e, value.bv_val ); + } +@@ -387,13 +387,13 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in + + /* If SLAPI_STR2ENTRY_NO_ENTRYDN is set, skip entrydn */ + if ( (flags & SLAPI_STR2ENTRY_NO_ENTRYDN) && +- PL_strncasecmp( type.bv_val, "entrydn", type.bv_len ) == 0 ) { ++ type.bv_len == SLAPI_ATTR_ENTRYDN_LENGTH && PL_strncasecmp( type.bv_val, SLAPI_ATTR_ENTRYDN, type.bv_len ) == 0 ) { + if (freeval) slapi_ch_free_string(&value.bv_val); + continue; + } + + /* retrieve uniqueid */ +- if ( PL_strncasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID, type.bv_len) == 0 ){ ++ if ( type.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH && PL_strncasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID, type.bv_len) == 0 ){ + + if (e->e_uniqueid != NULL){ + LDAPDebug (LDAP_DEBUG_TRACE, +@@ -411,10 +411,11 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in + continue; + } + +- if (PL_strncasecmp(type.bv_val,"objectclass",type.bv_len) == 0) { +- if (PL_strncasecmp(value.bv_val,"ldapsubentry",value.bv_len) == 0) ++ if (value_state == VALUE_PRESENT && type.bv_len >= SLAPI_ATTR_OBJECTCLASS_LENGTH ++ && PL_strncasecmp(type.bv_val, SLAPI_ATTR_OBJECTCLASS, type.bv_len) == 0) { ++ if (value.bv_len >= SLAPI_ATTR_VALUE_SUBENTRY_LENGTH && PL_strncasecmp(value.bv_val,SLAPI_ATTR_VALUE_SUBENTRY,value.bv_len) == 0) + e->e_flags |= SLAPI_ENTRY_LDAPSUBENTRY; +- if (PL_strncasecmp(value.bv_val, SLAPI_ATTR_VALUE_TOMBSTONE,value.bv_len) == 0) ++ if (value.bv_len >= SLAPI_ATTR_VALUE_TOMBSTONE_LENGTH && PL_strncasecmp(value.bv_val, SLAPI_ATTR_VALUE_TOMBSTONE,value.bv_len) == 0) + e->e_flags |= SLAPI_ENTRY_FLAG_TOMBSTONE; + } + +diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h +index d456af8..d8cfe33 100644 +--- a/ldap/servers/slapd/slapi-plugin.h ++++ b/ldap/servers/slapd/slapi-plugin.h +@@ -395,9 +395,22 @@ NSPR_API(PRUint32) PR_fprintf(struct PRFileDesc* fd, const char *fmt, ...) + #define SLAPI_ATTR_OBJECTCLASS "objectclass" + #define SLAPI_ATTR_VALUE_TOMBSTONE "nsTombstone" + #define SLAPI_ATTR_VALUE_PARENT_UNIQUEID "nsParentUniqueID" ++#define SLAPI_ATTR_VALUE_SUBENTRY "ldapsubentry" + #define SLAPI_ATTR_NSCP_ENTRYDN "nscpEntryDN" + #define SLAPI_ATTR_ENTRYUSN "entryusn" +-#define SLAPI_ATTR_ENTRYDN "entrydn" ++#define SLAPI_ATTR_ENTRYDN "entrydn" ++#define SLAPI_ATTR_DN "dn" ++#define SLAPI_ATTR_RDN "rdn" ++#define SLAPI_ATTR_UNIQUEID_LENGTH 10 ++#define SLAPI_ATTR_OBJECTCLASS_LENGTH 11 ++#define SLAPI_ATTR_VALUE_TOMBSTONE_LENGTH 11 ++#define SLAPI_ATTR_VALUE_PARENT_UNIQUEID_LENGTH 16 ++#define SLAPI_ATTR_VALUE_SUBENTRY_LENGTH 12 ++#define SLAPI_ATTR_NSCP_ENTRYDN_LENGTH 11 ++#define SLAPI_ATTR_ENTRYUSN_LENGTH 8 ++#define SLAPI_ATTR_ENTRYDN_LENGTH 7 ++#define SLAPI_ATTR_DN_LENGTH 2 ++#define SLAPI_ATTR_RDN_LENGTH 3 + + + /* opaque structures */ +-- +1.8.1.4 + diff --git a/SOURCES/0063-Ticket-47614-Possible-to-specify-invalid-SASL-mechan.patch b/SOURCES/0063-Ticket-47614-Possible-to-specify-invalid-SASL-mechan.patch new file mode 100644 index 0000000..ae284b7 --- /dev/null +++ b/SOURCES/0063-Ticket-47614-Possible-to-specify-invalid-SASL-mechan.patch @@ -0,0 +1,106 @@ +From 58b738e455355344acbfcac556600b2e19ade1a3 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 2 Dec 2013 17:13:55 -0500 +Subject: [PATCH 63/65] Ticket 47614 - Possible to specify invalid SASL + mechanism in nsslapd-allowed-sasl-mechanisms + +Bug Description: Invalid values could be specified in the allowed sasl mechanisms configuration + attribute. These values are directly passed to the sasl library. + +Fix Description: Follow RFR 4422, only allow upto 20 characters that are ASCII upper-case letters, + digits, hyphens, or underscores. + +https://fedorahosted.org/389/ticket/47614 + +Reviewed by: richm(Thanks!) +(cherry picked from commit 7e8a5fc7183f7c08212bfb746ea8c5ceedee0132) +(cherry picked from commit f00321f892545d59e07c1a944936153660640e47) +--- + ldap/servers/slapd/libglobs.c | 60 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 60 insertions(+) + +diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c +index b925a2c..a763135 100644 +--- a/ldap/servers/slapd/libglobs.c ++++ b/ldap/servers/slapd/libglobs.c +@@ -126,6 +126,7 @@ static int config_set_onoff( const char *attrname, char *value, + static int config_set_schemareplace ( const char *attrname, char *value, + char *errorbuf, int apply ); + static void remove_commas(char *str); ++static int invalid_sasl_mech(char *str); + + /* Keeping the initial values */ + /* CONFIG_INT/CONFIG_LONG */ +@@ -6768,6 +6769,13 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, + /* cyrus sasl doesn't like comma separated lists */ + remove_commas(value); + ++ if(invalid_sasl_mech(value)){ ++ LDAPDebug(LDAP_DEBUG_ANY,"Invalid value/character for sasl mechanism (%s). Use ASCII " ++ "characters, upto 20 characters, that are upper-case letters, " ++ "digits, hyphens, or underscores\n", value, 0, 0); ++ return LDAP_UNWILLING_TO_PERFORM; ++ } ++ + CFG_LOCK_WRITE(slapdFrontendConfig); + slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value); + CFG_UNLOCK_WRITE(slapdFrontendConfig); +@@ -7452,3 +7460,55 @@ remove_commas(char *str) + } + } + } ++ ++/* ++ * Check the SASL mechanism values ++ * ++ * As per RFC 4422: ++ * SASL mechanisms are named by character strings, from 1 to 20 ++ * characters in length, consisting of ASCII [ASCII] uppercase letters, ++ * digits, hyphens, and/or underscores. ++ */ ++static int ++invalid_sasl_mech(char *str) ++{ ++ char *mech = NULL, *token = NULL, *next = NULL; ++ int i; ++ ++ if(str == NULL){ ++ return 0; ++ } ++ ++ /* ++ * Check the length for each mechanism ++ */ ++ token = slapi_ch_strdup(str); ++ for (mech = ldap_utf8strtok_r(token, " ", &next); mech; ++ mech = ldap_utf8strtok_r(NULL, " ", &next)) ++ { ++ if(strlen(mech) == 0 || strlen(mech) > 20){ ++ /* invalid length */ ++ slapi_ch_free_string(&token); ++ return 1; ++ } ++ } ++ slapi_ch_free_string(&token); ++ ++ /* ++ * Check the individual characters ++ */ ++ for (i = 0; str[i]; i++){ ++ if ( ((int)str[i] < 48 || (int)str[i] > 57) && /* not a digit */ ++ ((int)str[i] < 65 || (int)str[i] > 90) && /* not upper case */ ++ (int)str[i] != 32 && /* not a space (between mechanisms) */ ++ (int)str[i] != 45 && /* not a hyphen */ ++ (int)str[i] != 95 ) /* not an underscore */ ++ { ++ /* invalid character */ ++ return 1; ++ } ++ } ++ ++ /* Mechanism value is valid */ ++ return 0; ++} +-- +1.8.1.4 + diff --git a/SOURCES/0064-Ticket-47592-automember-plugin-task-memory-leaks.patch b/SOURCES/0064-Ticket-47592-automember-plugin-task-memory-leaks.patch new file mode 100644 index 0000000..c82571a --- /dev/null +++ b/SOURCES/0064-Ticket-47592-automember-plugin-task-memory-leaks.patch @@ -0,0 +1,54 @@ +From 2429e72646b1bb30f8566b59dd370eb2ff1ac131 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 27 Nov 2013 10:58:43 -0500 +Subject: [PATCH 64/65] Ticket 47592 - automember plugin task memory leaks + +The search pblock was not destroyed at the end of the export and rebuild +tasks. + +https://fedorahosted.org/389/ticket/47592 + +Reviewed by: richm(Thanks!) +(cherry picked from commit 085c6d494f90231f2e572a668ab601c321bffb01) +(cherry picked from commit c9c7d545a987f8f52c9752ba1181d1885b74480c) +--- + ldap/servers/plugins/automember/automember.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c +index 3214ea1..cfea69d 100644 +--- a/ldap/servers/plugins/automember/automember.c ++++ b/ldap/servers/plugins/automember/automember.c +@@ -2256,7 +2256,6 @@ void automember_rebuild_task_thread(void *arg){ + } + } + automember_config_unlock(); +- slapi_free_search_results_internal(search_pb); + + out: + if (plugin_is_betxn && fixup_pb) { +@@ -2267,6 +2266,8 @@ out: + } + slapi_pblock_destroy(fixup_pb); + } ++ slapi_free_search_results_internal(search_pb); ++ slapi_pblock_destroy(search_pb); + + if(result){ + /* error */ +@@ -2470,9 +2471,11 @@ void automember_export_task_thread(void *arg){ + } + } + automember_config_unlock(); +- slapi_free_search_results_internal(search_pb); + + out: ++ slapi_free_search_results_internal(search_pb); ++ slapi_pblock_destroy(search_pb); ++ + if(ldif_fd){ + PR_Close(ldif_fd); + } +-- +1.8.1.4 + diff --git a/SOURCES/0065-Ticket-47620-389-ds-rejects-nsds5ReplicaProtocolTime.patch b/SOURCES/0065-Ticket-47620-389-ds-rejects-nsds5ReplicaProtocolTime.patch new file mode 100644 index 0000000..68c7063 --- /dev/null +++ b/SOURCES/0065-Ticket-47620-389-ds-rejects-nsds5ReplicaProtocolTime.patch @@ -0,0 +1,563 @@ +From 39af2e9e98c895c5145090865d5ab7cde6cc12fd Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 6 Dec 2013 16:57:41 -0500 +Subject: [PATCH 65/65] Ticket 47620 - 389-ds rejects + nsds5ReplicaProtocolTimeout attribute + +Bug Description: Attempting to add/modify/delete nsds5ReplicaProtocolTimeout + results in an error 53 (unwilling to perform). + +Fix Description: Allow nsds5ReplicaProtocolTimeout to be updated in agreements + and the replica configuration. Also, made the config timeout + setting dynamic. + +https://fedorahosted.org/389/ticket/47620 + +Reviewed by: rmeggins(Thanks!) +(cherry picked from commit 58fca2c4e4f2120cb6e5fb249008be8f551e944c) +(cherry picked from commit 490360fd96121d06fa8813e182b44d045257be98) +--- + ldap/servers/plugins/replication/repl5.h | 12 +++-- + ldap/servers/plugins/replication/repl5_agmt.c | 54 ++++++++++++++++------ + ldap/servers/plugins/replication/repl5_agmtlist.c | 27 +++++++++-- + .../plugins/replication/repl5_inc_protocol.c | 23 +++++++-- + .../plugins/replication/repl5_prot_private.h | 1 - + ldap/servers/plugins/replication/repl5_protocol.c | 13 ++---- + ldap/servers/plugins/replication/repl5_replica.c | 54 ++++++++++++++-------- + .../plugins/replication/repl5_replica_config.c | 25 +++++++++- + .../plugins/replication/repl5_tot_protocol.c | 17 +++++-- + 9 files changed, 169 insertions(+), 57 deletions(-) + +diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h +index 92a9229..321a285 100644 +--- a/ldap/servers/plugins/replication/repl5.h ++++ b/ldap/servers/plugins/replication/repl5.h +@@ -386,9 +386,15 @@ char **agmt_get_attrs_to_strip(Repl_Agmt *ra); + int agmt_set_attrs_to_strip(Repl_Agmt *ra, Slapi_Entry *e); + int agmt_set_timeout(Repl_Agmt *ra, long timeout); + void agmt_update_done(Repl_Agmt *ra, int is_total); +-int agmt_get_protocol_timeout(Repl_Agmt *agmt); + + typedef struct replica Replica; ++PRUint64 agmt_get_protocol_timeout(Repl_Agmt *agmt); ++void agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout); ++void agmt_update_maxcsn(Replica *r, Slapi_DN *sdn, int op, LDAPMod **mods, CSN *csn); ++void add_agmt_maxcsns(Slapi_Entry *e, Replica *r); ++void agmt_set_maxcsn(Repl_Agmt *ra); ++void agmt_remove_maxcsn(Repl_Agmt *ra); ++int agmt_maxcsn_to_smod (Replica *r, Slapi_Mod *smod); + + /* In repl5_agmtlist.c */ + int agmtlist_config_init(); +@@ -494,7 +500,6 @@ void prot_notify_window_opened (Repl_Protocol *rp); + void prot_notify_window_closed (Repl_Protocol *rp); + Object *prot_get_replica_object(Repl_Protocol *rp); + void prot_replicate_now(Repl_Protocol *rp); +-int prot_get_timeout(Repl_Protocol *rp); + + Repl_Protocol *agmt_get_protocol(Repl_Agmt *ra); + +@@ -591,7 +596,8 @@ char *replica_get_dn(Replica *r); + void replica_check_for_tasks(Replica*r, Slapi_Entry *e); + void replica_update_state (time_t when, void *arg); + void replica_reset_csn_pl(Replica *r); +-int replica_get_protocol_timeout(Replica *r); ++PRUint64 replica_get_protocol_timeout(Replica *r); ++void replica_set_protocol_timeout(Replica *r, PRUint64 timeout); + int replica_get_backoff_min(Replica *r); + int replica_get_backoff_max(Replica *r); + void replica_set_backoff_min(Replica *r, int min); +diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c +index 90d94f8..b0da172 100644 +--- a/ldap/servers/plugins/replication/repl5_agmt.c ++++ b/ldap/servers/plugins/replication/repl5_agmt.c +@@ -142,7 +142,9 @@ typedef struct repl5agmt { + char **attrs_to_strip; /* for fractional replication, if a "mod" is empty, strip out these attributes: + * modifiersname, modifytimestamp, internalModifiersname, internalModifyTimestamp, etc */ + int agreement_type; +- PRUint64 protocol_timeout; ++ Slapi_Counter *protocol_timeout; ++ char *maxcsn; /* agmt max csn */ ++ Slapi_RWLock *attr_lock; /* RW lock for all the stripped attrs */ + } repl5agmt; + + /* Forward declarations */ +@@ -265,6 +267,14 @@ agmt_new_from_entry(Slapi_Entry *e) + slapi_entry_get_dn_const(e)); + goto loser; + } ++ if ((ra->attr_lock = slapi_new_rwlock()) == NULL) ++ { ++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "Unable to create new attr lock " ++ "for replication agreement \"%s\" - agreement ignored.\n", ++ slapi_entry_get_dn_const(e)); ++ goto loser; ++ } ++ ra->protocol_timeout = slapi_counter_new(); + + /* Find all the stuff we need for the agreement */ + +@@ -338,19 +348,14 @@ agmt_new_from_entry(Slapi_Entry *e) + tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaRoot); + if (NULL != tmpstr) + { ++ PRUint64 ptimeout = 0; ++ + ra->replarea = slapi_sdn_new_dn_passin(tmpstr); + + /* If this agmt has its own timeout, grab it, otherwise use the replica's protocol timeout */ +- ra->protocol_timeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout); +- if(ra->protocol_timeout == 0){ +- /* grab the replica protocol timeout */ +- Object *replobj = replica_get_replica_from_dn(ra->replarea); +- if(replobj){ +- Replica *replica =(Replica*)object_get_data (replobj); +- ra->protocol_timeout = replica_get_protocol_timeout(replica); +- } else { +- ra->protocol_timeout = DEFAULT_PROTOCOL_TIMEOUT; +- } ++ ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout); ++ if(ptimeout){ ++ slapi_counter_set_value(ra->protocol_timeout, ptimeout); + } + } + +@@ -613,6 +618,17 @@ agmt_delete(void **rap) + if(ra->attrs_to_strip){ + slapi_ch_array_free(ra->attrs_to_strip); + } ++ if(ra->maxcsn){ ++ slapi_ch_free_string(&ra->maxcsn); ++ } ++ schedule_destroy(ra->schedule); ++ slapi_ch_free_string(&ra->long_name); ++ ++ slapi_counter_destroy(&ra->protocol_timeout); ++ ++ /* free the locks */ ++ PR_DestroyLock(ra->lock); ++ slapi_destroy_rwlock(ra->attr_lock); + + schedule_destroy(ra->schedule); + slapi_ch_free((void **)&ra->long_name); +@@ -2663,9 +2679,21 @@ agmt_update_done(Repl_Agmt *agmt, int is_total) + windows_update_done(agmt, is_total); + } + +-int ++PRUint64 + agmt_get_protocol_timeout(Repl_Agmt *agmt) + { +- return (int)agmt->protocol_timeout; ++ if(agmt){ ++ return slapi_counter_get_value(agmt->protocol_timeout); ++ } else { ++ return 0; ++ } ++} ++ ++void ++agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout) ++{ ++ if(agmt){ ++ slapi_counter_set_value(agmt->protocol_timeout, timeout); ++ } + } + +diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c +index 1167b0c..04891b7 100644 +--- a/ldap/servers/plugins/replication/repl5_agmtlist.c ++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c +@@ -209,6 +209,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + LDAPMod **mods; + char buff [SLAPI_DSE_RETURNTEXT_SIZE]; + char *errortext = returntext ? returntext : buff; ++ char *val = NULL; + int rc = SLAPI_DSE_CALLBACK_OK; + Slapi_Operation *op; + void *identity; +@@ -243,16 +244,21 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods); + for (i = 0; NULL != mods && NULL != mods[i]; i++) + { ++ slapi_ch_free_string(&val); + if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize)) + { + /* we don't allow delete attribute operations unless it was issued by + the replication plugin - handled above */ + if (mods[i]->mod_op & LDAP_MOD_DELETE) + { +- if(strcasecmp (mods[i]->mod_type, type_nsds5ReplicaCleanRUVnotified) == 0){ ++ if(strcasecmp (mods[i]->mod_type, type_nsds5ReplicaCleanRUVnotified) == 0 ){ + /* allow the deletion of cleanallruv agmt attr */ + continue; + } ++ if(strcasecmp (mods[i]->mod_type, type_replicaProtocolTimeout) == 0){ ++ agmt_set_protocol_timeout(agmt, 0); ++ continue; ++ } + + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " + "deletion of %s attribute is not allowed\n", type_nsds5ReplicaInitialize); +@@ -262,8 +268,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + } + else + { +- char *val; +- + if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0]) + val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]); + else +@@ -304,7 +308,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + val, mods[i]->mod_type); + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: %s\n", errortext); + } +- slapi_ch_free ((void**)&val); + } + } + else if (slapi_attr_types_equivalent(mods[i]->mod_type, +@@ -511,6 +514,21 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + rc = SLAPI_DSE_CALLBACK_ERROR; + } + } ++ else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){ ++ if (val){ ++ long ptimeout = atol(val); ++ ++ if(ptimeout <= 0){ ++ *returncode = LDAP_UNWILLING_TO_PERFORM; ++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, " ++ "must be a number greater than zero.\n", ++ type_replicaProtocolTimeout, val); ++ rc = SLAPI_DSE_CALLBACK_ERROR; ++ break; ++ } ++ agmt_set_protocol_timeout(agmt, ptimeout); ++ } ++ } + else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e)) + { + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " +@@ -561,6 +579,7 @@ done: + { + agmtlist_release_agmt(agmt); + } ++ slapi_ch_free_string(&val); + + return rc; + } +diff --git a/ldap/servers/plugins/replication/repl5_inc_protocol.c b/ldap/servers/plugins/replication/repl5_inc_protocol.c +index 612fe46..05074b0 100644 +--- a/ldap/servers/plugins/replication/repl5_inc_protocol.c ++++ b/ldap/servers/plugins/replication/repl5_inc_protocol.c +@@ -1921,10 +1921,24 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu + static int + repl5_inc_stop(Private_Repl_Protocol *prp) + { +- int return_value; + PRIntervalTime start, maxwait, now; ++ Replica *replica = NULL; ++ PRUint64 timeout; ++ int return_value; ++ ++ if((timeout = agmt_get_protocol_timeout(prp->agmt)) == 0){ ++ timeout = DEFAULT_PROTOCOL_TIMEOUT; ++ if(prp->replica_object){ ++ object_acquire(prp->replica_object); ++ replica = object_get_data(prp->replica_object); ++ if((timeout = replica_get_protocol_timeout(replica)) == 0){ ++ timeout = DEFAULT_PROTOCOL_TIMEOUT; ++ } ++ object_release(prp->replica_object); ++ } ++ } + +- maxwait = PR_SecondsToInterval(prp->timeout); ++ maxwait = PR_SecondsToInterval(timeout); + prp->terminate = 1; + event_notify(prp, EVENT_PROTOCOL_SHUTDOWN); + start = PR_IntervalNow(); +@@ -1939,8 +1953,8 @@ repl5_inc_stop(Private_Repl_Protocol *prp) + /* Isn't listening. Do something drastic. */ + return_value = -1; + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, +- "%s: repl5_inc_stop: protocol does not stop after %d seconds\n", +- agmt_get_long_name(prp->agmt), (int)prp->timeout); ++ "%s: repl5_inc_stop: protocol does not stop after %llu seconds\n", ++ agmt_get_long_name(prp->agmt), (long long unsigned int)timeout); + } + else + { +@@ -2044,7 +2058,6 @@ Repl_5_Inc_Protocol_new(Repl_Protocol *rp) + prp->notify_window_closed = repl5_inc_notify_window_closed; + prp->update_now = repl5_inc_update_now; + prp->replica_object = prot_get_replica_object(rp); +- prp->timeout = prot_get_timeout(rp); + if ((prp->lock = PR_NewLock()) == NULL) + { + goto loser; +diff --git a/ldap/servers/plugins/replication/repl5_prot_private.h b/ldap/servers/plugins/replication/repl5_prot_private.h +index 37072ee..586e1eb 100644 +--- a/ldap/servers/plugins/replication/repl5_prot_private.h ++++ b/ldap/servers/plugins/replication/repl5_prot_private.h +@@ -75,7 +75,6 @@ typedef struct private_repl_protocol + int repl50consumer; /* Flag to tell us if this is a 5.0-style consumer we're talking to */ + int repl71consumer; /* Flag to tell us if this is a 7.1-style consumer we're talking to */ + int repl90consumer; /* Flag to tell us if this is a 9.0-style consumer we're talking to */ +- PRUint64 timeout; + } Private_Repl_Protocol; + + extern Private_Repl_Protocol *Repl_5_Inc_Protocol_new(); +diff --git a/ldap/servers/plugins/replication/repl5_protocol.c b/ldap/servers/plugins/replication/repl5_protocol.c +index 34fe8a0..0e9668d 100644 +--- a/ldap/servers/plugins/replication/repl5_protocol.c ++++ b/ldap/servers/plugins/replication/repl5_protocol.c +@@ -71,8 +71,7 @@ typedef struct repl_protocol + Object *replica_object; /* Local replica. If non-NULL, replica object is acquired */ + int state; + int next_state; +- PRUint64 protocol_timeout; +- PRThread *agmt_thread; ++ PRThread *agmt_thread; + PRLock *lock; + } repl_protocol; + +@@ -134,16 +133,17 @@ prot_new(Repl_Agmt *agmt, int protocol_state) + rp->prp_total = private_protocol_factory(rp, PROTOCOL_WINDOWS_TOTAL); + rp->delete_conn = windows_conn_delete; + } +- rp->protocol_timeout = agmt_get_protocol_timeout(agmt); +- + /* XXXggood register callback handlers for entries updated, and + schedule window enter/leave. */ + + goto done; ++ + loser: + prot_delete(&rp); ++ + done: + slapi_sdn_free(&replarea_sdn); ++ + return rp; + } + +@@ -593,8 +593,3 @@ private_protocol_factory(Repl_Protocol *rp, int type) + return prp; + } + +-int +-prot_get_timeout(Repl_Protocol *rp) +-{ +- return (int)rp->protocol_timeout; +-} +diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c +index 8a1c590..02d4e74 100644 +--- a/ldap/servers/plugins/replication/repl5_replica.c ++++ b/ldap/servers/plugins/replication/repl5_replica.c +@@ -87,7 +87,7 @@ struct replica { + PRBool state_update_inprogress; /* replica state is being updated */ + PRLock *agmt_lock; /* protects agreement creation, start and stop */ + char *locking_purl; /* supplier who has exclusive access */ +- PRUint64 protocol_timeout; /* protocol shutdown timeout */ ++ Slapi_Counter *protocol_timeout; /* protocol shutdown timeout */ + PRUint64 backoff_min; /* backoff retry minimum */ + PRUint64 backoff_max; /* backoff retry maximum */ + }; +@@ -164,26 +164,26 @@ replica_new(const Slapi_DN *root) + Replica * + replica_new_from_entry (Slapi_Entry *e, char *errortext, PRBool is_add_operation) + { +- int rc = 0; +- Replica *r; ++ int rc = 0; ++ Replica *r; + char *repl_name = NULL; + +- if (e == NULL) +- { +- if (NULL != errortext) ++ if (e == NULL) ++ { ++ if (NULL != errortext) + { +- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "NULL entry"); ++ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "NULL entry"); + } +- return NULL; +- } ++ return NULL; ++ } + +- r = (Replica *)slapi_ch_calloc(1, sizeof(Replica)); ++ r = (Replica *)slapi_ch_calloc(1, sizeof(Replica)); + +- if (!r) ++ if (!r) + { +- if (NULL != errortext) ++ if (NULL != errortext) + { +- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Out of memory"); ++ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Out of memory"); + } + rc = -1; + goto done; +@@ -208,6 +208,7 @@ replica_new_from_entry (Slapi_Entry *e, char *errortext, PRBool is_add_operation + rc = -1; + goto done; + } ++ r->protocol_timeout = slapi_counter_new(); + + /* read parameters from the replica config entry */ + rc = _replica_init_from_config (r, e, errortext); +@@ -403,6 +404,8 @@ replica_destroy(void **arg) + csnplFree(&r->min_csn_pl);; + } + ++ slapi_counter_destroy(&r->protocol_timeout); ++ + slapi_ch_free((void **)arg); + } + +@@ -796,10 +799,22 @@ replica_get_type (const Replica *r) + return r->repl_type; + } + +-int ++PRUint64 + replica_get_protocol_timeout(Replica *r) + { +- return (int)r->protocol_timeout; ++ if(r){ ++ return slapi_counter_get_value(r->protocol_timeout); ++ } else { ++ return 0; ++ } ++} ++ ++void ++replica_set_protocol_timeout(Replica *r, PRUint64 timeout) ++{ ++ if(r){ ++ slapi_counter_set_value(r->protocol_timeout, timeout); ++ } + } + + /* +@@ -1659,6 +1674,7 @@ _replica_init_from_config (Replica *r, Slapi_Entry *e, char *errortext) + char *val; + int backoff_min; + int backoff_max; ++ int ptimeout = 0; + int rc; + + PR_ASSERT (r && e); +@@ -1731,9 +1747,11 @@ _replica_init_from_config (Replica *r, Slapi_Entry *e, char *errortext) + } + + /* get the protocol timeout */ +- r->protocol_timeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout); +- if(r->protocol_timeout == 0){ +- r->protocol_timeout = DEFAULT_PROTOCOL_TIMEOUT; ++ ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout); ++ if(ptimeout <= 0){ ++ slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT); ++ } else { ++ slapi_counter_set_value(r->protocol_timeout, ptimeout); + } + + /* get replica flags */ +diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c +index 94c23c0..9452d51 100644 +--- a/ldap/servers/plugins/replication/repl5_replica_config.c ++++ b/ldap/servers/plugins/replication/repl5_replica_config.c +@@ -396,9 +396,16 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* + else if (strcasecmp (config_attr, type_replicaCleanRUV) == 0 || + strcasecmp (config_attr, type_replicaAbortCleanRUV) == 0) + { +- /* only allow the deletion of the cleanAllRUV config attributes */ ++ /* ++ * Only allow the deletion of the cleanAllRUV config attributes, and the ++ * protocol timeout. ++ */ + continue; + } ++ else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 ) ++ { ++ replica_set_protocol_timeout(r, DEFAULT_PROTOCOL_TIMEOUT); ++ } + else + { + *returncode = LDAP_UNWILLING_TO_PERFORM; +@@ -487,6 +494,22 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* + { + *returncode = LDAP_SUCCESS; + } ++ else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 ){ ++ if (apply_mods && config_attr_value && config_attr_value[0]) ++ { ++ long ptimeout = atol(config_attr_value); ++ ++ if(ptimeout <= 0){ ++ *returncode = LDAP_UNWILLING_TO_PERFORM; ++ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, ++ "attribute %s value (%s) is invalid, must be a number greater than zero.\n", ++ config_attr, config_attr_value); ++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "replica_config_modify: %s\n", errortext); ++ } else { ++ replica_set_protocol_timeout(r, ptimeout); ++ } ++ } ++ } + else + { + *returncode = LDAP_UNWILLING_TO_PERFORM; +diff --git a/ldap/servers/plugins/replication/repl5_tot_protocol.c b/ldap/servers/plugins/replication/repl5_tot_protocol.c +index 5bb203a..a241128 100644 +--- a/ldap/servers/plugins/replication/repl5_tot_protocol.c ++++ b/ldap/servers/plugins/replication/repl5_tot_protocol.c +@@ -505,11 +505,22 @@ static int + repl5_tot_stop(Private_Repl_Protocol *prp) + { + int return_value; +- int seconds = 600; + PRIntervalTime start, maxwait, now; ++ PRUint64 timeout = DEFAULT_PROTOCOL_TIMEOUT; ++ Replica *replica = NULL; ++ ++ if((timeout = agmt_get_protocol_timeout(prp->agmt)) == 0){ ++ timeout = DEFAULT_PROTOCOL_TIMEOUT; ++ if(prp->replica_object){ ++ replica = object_get_data(prp->replica_object); ++ if((timeout = replica_get_protocol_timeout(replica)) == 0){ ++ timeout = DEFAULT_PROTOCOL_TIMEOUT; ++ } ++ } ++ } + + prp->terminate = 1; +- maxwait = PR_SecondsToInterval(seconds); ++ maxwait = PR_SecondsToInterval(timeout); + start = PR_IntervalNow(); + now = start; + while (!prp->stopped && ((now - start) < maxwait)) +@@ -567,7 +578,6 @@ Repl_5_Tot_Protocol_new(Repl_Protocol *rp) + prp->notify_window_opened = repl5_tot_noop; + prp->notify_window_closed = repl5_tot_noop; + prp->update_now = repl5_tot_noop; +- prp->timeout = DEFAULT_PROTOCOL_TIMEOUT; + if ((prp->lock = PR_NewLock()) == NULL) + { + goto loser; +@@ -588,6 +598,7 @@ Repl_5_Tot_Protocol_new(Repl_Protocol *rp) + prp->repl50consumer = 0; + prp->repl71consumer = 0; + prp->repl90consumer = 0; ++ prp->replica_object = prot_get_replica_object(rp); + return prp; + loser: + repl5_tot_delete(&prp); +-- +1.8.1.4 + diff --git a/SOURCES/0066-Ticket-47613-Issues-setting-allowed-mechanisms.patch b/SOURCES/0066-Ticket-47613-Issues-setting-allowed-mechanisms.patch new file mode 100644 index 0000000..d6780c7 --- /dev/null +++ b/SOURCES/0066-Ticket-47613-Issues-setting-allowed-mechanisms.patch @@ -0,0 +1,72 @@ +From 26a0d63bcbf280d20bd984fd00fd82e82ed62de5 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Thu, 12 Dec 2013 12:48:08 -0500 +Subject: [PATCH 66/78] Ticket 47613 - Issues setting allowed mechanisms + +Bug Description: Adding an empty value for nsslapd-allowed-sasl-mechanisms blocks all + sasl authentication. Also changing the allowed sasl mechansism does + require a restart after making a change. + +Fix Description: Reject an empty values for nsslapd-allowed-sasl-mechanisms, and allow + config changes to occur without restarting the server. + +https://fedorahosted.org/389/ticket/47613 + +Reviewed by: nhosoi(Thanks!) +(cherry picked from commit 43959232f792db2b79e614f6db78f7569920fdc1) +(cherry picked from commit a1e386188663c9197b80b3b51cca0d58ce0c9181) +--- + ldap/servers/slapd/configdse.c | 1 - + ldap/servers/slapd/libglobs.c | 10 +++++++--- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c +index bd1566e..b54062d 100644 +--- a/ldap/servers/slapd/configdse.c ++++ b/ldap/servers/slapd/configdse.c +@@ -81,7 +81,6 @@ static const char *requires_restart[] = { + #endif + "cn=config:" CONFIG_RETURN_EXACT_CASE_ATTRIBUTE, + "cn=config:" CONFIG_SCHEMA_IGNORE_TRAILING_SPACES, +- "cn=config:nsslapd-allowed-sasl-mechanisms", + "cn=config,cn=ldbm:nsslapd-idlistscanlimit", + "cn=config,cn=ldbm:nsslapd-parentcheck", + "cn=config,cn=ldbm:nsslapd-dbcachesize", +diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c +index a763135..64510d6 100644 +--- a/ldap/servers/slapd/libglobs.c ++++ b/ldap/servers/slapd/libglobs.c +@@ -6761,8 +6761,7 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, + { + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + +- if(!apply || slapdFrontendConfig->allowed_sasl_mechs){ +- /* we only set this at startup, if we try again just return SUCCESS */ ++ if(!apply){ + return LDAP_SUCCESS; + } + +@@ -6777,6 +6776,7 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, + } + + CFG_LOCK_WRITE(slapdFrontendConfig); ++ slapi_ch_free_string(&slapdFrontendConfig->allowed_sasl_mechs); + slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value); + CFG_UNLOCK_WRITE(slapdFrontendConfig); + +@@ -7476,7 +7476,11 @@ invalid_sasl_mech(char *str) + int i; + + if(str == NULL){ +- return 0; ++ return 1; ++ } ++ if(strlen(str) < 1){ ++ /* ignore empty values */ ++ return 1; + } + + /* +-- +1.8.1.4 + diff --git a/SOURCES/0067-Ticket-47620-Fix-cherry-pick-error-for-1.3.2-and-1.3.patch b/SOURCES/0067-Ticket-47620-Fix-cherry-pick-error-for-1.3.2-and-1.3.patch new file mode 100644 index 0000000..1419218 --- /dev/null +++ b/SOURCES/0067-Ticket-47620-Fix-cherry-pick-error-for-1.3.2-and-1.3.patch @@ -0,0 +1,51 @@ +From 00a0b5f1d506f5f79f4b27859355db8d5a70a249 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Thu, 12 Dec 2013 15:36:11 -0500 +Subject: [PATCH 67/78] Ticket 47620 - Fix cherry-pick error for 1.3.2 and + 1.3.1 + +Description: During the cherry-pick process I had to make some manual changes, + and there were two schedule_destroy() calls made which lead to + a dereferenced point. + +https://fedorahosted.org/389/ticket/47620 + +Reviewed by: rmeggins(Thanks!) +(cherry picked from commit 3ae6900d8269926a1da097e3818aa444137aa9d9) +(cherry picked from commit 5d4ac7c8c5d48be0796cdbf2ae7b9c40460de18c) +--- + ldap/servers/plugins/replication/repl5_agmt.c | 2 -- + ldap/servers/plugins/replication/repl5_schedule.c | 4 ++++ + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c +index b0da172..14c2fb4 100644 +--- a/ldap/servers/plugins/replication/repl5_agmt.c ++++ b/ldap/servers/plugins/replication/repl5_agmt.c +@@ -630,8 +630,6 @@ agmt_delete(void **rap) + PR_DestroyLock(ra->lock); + slapi_destroy_rwlock(ra->attr_lock); + +- schedule_destroy(ra->schedule); +- slapi_ch_free((void **)&ra->long_name); + slapi_ch_free((void **)rap); + } + +diff --git a/ldap/servers/plugins/replication/repl5_schedule.c b/ldap/servers/plugins/replication/repl5_schedule.c +index 419e3ec..1db06a6 100644 +--- a/ldap/servers/plugins/replication/repl5_schedule.c ++++ b/ldap/servers/plugins/replication/repl5_schedule.c +@@ -159,6 +159,10 @@ schedule_destroy(Schedule *s) + { + int i; + ++ if(s == NULL){ ++ return; ++ } ++ + /* unschedule update window event if exists */ + unschedule_window_state_change_event (s); + +-- +1.8.1.4 + diff --git a/SOURCES/0068-Ticket-47620-Config-value-validation-improvement.patch b/SOURCES/0068-Ticket-47620-Config-value-validation-improvement.patch new file mode 100644 index 0000000..1bc77b1 --- /dev/null +++ b/SOURCES/0068-Ticket-47620-Config-value-validation-improvement.patch @@ -0,0 +1,119 @@ +From 014aaa8b331e9af9f36432000c4c99b9f60687ae Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 13 Dec 2013 11:43:47 -0500 +Subject: [PATCH 68/78] Ticket 47620 - Config value validation improvement + +Bug Description: When setting the replication protocol timeout, it is possible + to set a negative number(it should be rejected), and when + setting the timeout for an agreement using letters, we get an + invalid syntax error, but it should really be an error 53 to + be consistent with how the invalid timeout error that is given + when updating the replica entry. + +Fix Description: In the agmt modify code, we did not have the actual modify value + during the validation. This allowed the value to be added, which + was later caught for the invalid syntax. Then improved the overall + logic to the validation to also catch the negative numbers. + +https://fedorahosted.org/389/ticket/47620 + +Reviewed by: rmeggins(Thanks!) +(cherry picked from commit 8a4bbc7c74a6847d75e4d6e9e0b16859a5da8ec0) +(cherry picked from commit 1bbb27b522dd8eb36f09f47c144fd65511c132b5) +--- + ldap/servers/plugins/replication/repl5_agmtlist.c | 32 ++++++++++++---------- + .../plugins/replication/repl5_replica_config.c | 12 +++++--- + 2 files changed, 25 insertions(+), 19 deletions(-) + +diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c +index 04891b7..bd14202 100644 +--- a/ldap/servers/plugins/replication/repl5_agmtlist.c ++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c +@@ -245,6 +245,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + for (i = 0; NULL != mods && NULL != mods[i]; i++) + { + slapi_ch_free_string(&val); ++ val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]); + if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize)) + { + /* we don't allow delete attribute operations unless it was issued by +@@ -268,10 +269,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + } + else + { +- if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0]) +- val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]); +- else +- { ++ if(val == NULL){ + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " + "no value provided for %s attribute\n", type_nsds5ReplicaInitialize); + *returncode = LDAP_UNWILLING_TO_PERFORM; +@@ -515,19 +513,23 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + } + } + else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){ +- if (val){ +- long ptimeout = atol(val); ++ long ptimeout = 0; + +- if(ptimeout <= 0){ +- *returncode = LDAP_UNWILLING_TO_PERFORM; +- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, " +- "must be a number greater than zero.\n", +- type_replicaProtocolTimeout, val); +- rc = SLAPI_DSE_CALLBACK_ERROR; +- break; +- } +- agmt_set_protocol_timeout(agmt, ptimeout); ++ if (val){ ++ ptimeout = atol(val); ++ } ++ if(ptimeout <= 0){ ++ *returncode = LDAP_UNWILLING_TO_PERFORM; ++ PR_snprintf (returntext, SLAPI_DSE_RETURNTEXT_SIZE, ++ "attribute %s value (%s) is invalid, must be a number greater than zero.\n", ++ type_replicaProtocolTimeout, val ? val : ""); ++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, " ++ "must be a number greater than zero.\n", ++ type_replicaProtocolTimeout, val ? val : ""); ++ rc = SLAPI_DSE_CALLBACK_ERROR; ++ break; + } ++ agmt_set_protocol_timeout(agmt, ptimeout); + } + else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e)) + { +diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c +index 9452d51..74e1fb7 100644 +--- a/ldap/servers/plugins/replication/repl5_replica_config.c ++++ b/ldap/servers/plugins/replication/repl5_replica_config.c +@@ -497,17 +497,21 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* + else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 ){ + if (apply_mods && config_attr_value && config_attr_value[0]) + { +- long ptimeout = atol(config_attr_value); ++ long ptimeout = 0; ++ ++ if(config_attr_value){ ++ ptimeout = atol(config_attr_value); ++ } + + if(ptimeout <= 0){ + *returncode = LDAP_UNWILLING_TO_PERFORM; + PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, + "attribute %s value (%s) is invalid, must be a number greater than zero.\n", +- config_attr, config_attr_value); ++ config_attr, config_attr_value ? config_attr_value : ""); + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "replica_config_modify: %s\n", errortext); +- } else { +- replica_set_protocol_timeout(r, ptimeout); ++ break; + } ++ replica_set_protocol_timeout(r, ptimeout); + } + } + else +-- +1.8.1.4 + diff --git a/SOURCES/0069-Ticket-47620-Fix-logically-dead-code.patch b/SOURCES/0069-Ticket-47620-Fix-logically-dead-code.patch new file mode 100644 index 0000000..42b192d --- /dev/null +++ b/SOURCES/0069-Ticket-47620-Fix-logically-dead-code.patch @@ -0,0 +1,56 @@ +From 1eece8d6d6dc88eb214927992840e5edf270786b Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 16 Dec 2013 09:48:12 -0500 +Subject: [PATCH 69/78] Ticket 47620 - Fix logically dead code. + +Coverity issues: 12419 & 12420 + +https://fedorahosted.org/389/ticket/47620 + +Reviewed by: rmeggins(Thanks!) +(cherry picked from commit 080cb44f5eaa794375a8e69b6e1ac09fcae9a961) +(cherry picked from commit c094a9f1a758dabd1164bf979a4ac22bb3720d63) +--- + ldap/servers/plugins/replication/repl5_agmtlist.c | 12 +----------- + ldap/servers/plugins/replication/repl5_replica_config.c | 2 +- + 2 files changed, 2 insertions(+), 12 deletions(-) + +diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c +index bd14202..5219c92 100644 +--- a/ldap/servers/plugins/replication/repl5_agmtlist.c ++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c +@@ -277,17 +277,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + break; + } + +- /* Start replica initialization */ +- if (val == NULL) +- { +- PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "No value supplied for attr (%s)", mods[i]->mod_type); +- slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: %s\n", +- errortext); +- *returncode = LDAP_UNWILLING_TO_PERFORM; +- rc = SLAPI_DSE_CALLBACK_ERROR; +- break; +- } +- ++ /* Start replica initialization */ + if (strcasecmp (val, "start") == 0) + { + start_initialize = 1; +diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c +index 74e1fb7..853bcde 100644 +--- a/ldap/servers/plugins/replication/repl5_replica_config.c ++++ b/ldap/servers/plugins/replication/repl5_replica_config.c +@@ -495,7 +495,7 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* + *returncode = LDAP_SUCCESS; + } + else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 ){ +- if (apply_mods && config_attr_value && config_attr_value[0]) ++ if (apply_mods) + { + long ptimeout = 0; + +-- +1.8.1.4 + diff --git a/SOURCES/0070-Ticket-47620-Fix-dereferenced-NULL-pointer-in-agmtli.patch b/SOURCES/0070-Ticket-47620-Fix-dereferenced-NULL-pointer-in-agmtli.patch new file mode 100644 index 0000000..5a3a162 --- /dev/null +++ b/SOURCES/0070-Ticket-47620-Fix-dereferenced-NULL-pointer-in-agmtli.patch @@ -0,0 +1,36 @@ +From 3d941308ae833a59cad81951793b6374a8c15a56 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 17 Dec 2013 13:11:03 -0500 +Subject: [PATCH 70/78] Ticket 47620 - Fix dereferenced NULL pointer in + agmtlist_modify_callback() + +The server would dereference a NULL point if an attribute was deleted from a replication +agreement. + +https://fedorahosted.org/389/ticket/47620 + +Reviewed by: rmeggins(Thanks!) +(cherry picked from commit 8baed897f504e75478b5dbbe736c1eaf6d2d7fa9) +(cherry picked from commit 60d263f7bc52e4b5186a01c38868763a275abadc) +--- + ldap/servers/plugins/replication/repl5_agmtlist.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c +index 5219c92..6e8b82c 100644 +--- a/ldap/servers/plugins/replication/repl5_agmtlist.c ++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c +@@ -245,7 +245,9 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + for (i = 0; NULL != mods && NULL != mods[i]; i++) + { + slapi_ch_free_string(&val); +- val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]); ++ if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0]) ++ val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]); ++ } + if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize)) + { + /* we don't allow delete attribute operations unless it was issued by +-- +1.8.1.4 + diff --git a/SOURCES/0071-Ticket-47620-Fix-missing-left-bracket.patch b/SOURCES/0071-Ticket-47620-Fix-missing-left-bracket.patch new file mode 100644 index 0000000..b25fa51 --- /dev/null +++ b/SOURCES/0071-Ticket-47620-Fix-missing-left-bracket.patch @@ -0,0 +1,28 @@ +From 854e1f23218b8e81db2c05728f8e21cd09dd69eb Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Tue, 17 Dec 2013 14:01:34 -0500 +Subject: [PATCH 71/78] Ticket 47620 - Fix missing left bracket + +https://fedorahosted.org/389/ticket/47620 +(cherry picked from commit 3a4d39e166449177c85b92af8b47c5c6848c4d02) +(cherry picked from commit b143477e186734333b6cfae615484b886b204e0e) +--- + ldap/servers/plugins/replication/repl5_agmtlist.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c +index 6e8b82c..9e0291f 100644 +--- a/ldap/servers/plugins/replication/repl5_agmtlist.c ++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c +@@ -245,7 +245,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + for (i = 0; NULL != mods && NULL != mods[i]; i++) + { + slapi_ch_free_string(&val); +- if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0]) ++ if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0]){ + val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]); + } + if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize)) +-- +1.8.1.4 + diff --git a/SOURCES/0072-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch b/SOURCES/0072-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch new file mode 100644 index 0000000..a0f65bd --- /dev/null +++ b/SOURCES/0072-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch @@ -0,0 +1,83 @@ +From d695afb6a637432e880296d8552f466981c0796c Mon Sep 17 00:00:00 2001 +From: "Thierry bordaz (tbordaz)" +Date: Thu, 16 May 2013 15:28:47 +0200 +Subject: [PATCH 72/78] Ticket 571 (dup 47361) - Empty control list causes LDAP + protocol error is thrown + +Bug Description: + + If a request contains a list of controls containing zero control, it does + not conform RFC http://tools.ietf.org/html/rfc4511#section-4.1.11. Then the + server returns a Protocol Error. + This is too restrictive for some applications. + Note: such application needs to be linked with old version of mozldap or openldap + because recent version skip sending empty list of controls + +Fix Description: + The fix is to ignore this error and let the operation complete + + Note: ticket 571 (bz 918717) is a duplicate of 47361 (bz 963234). 47361 was used to + backport in 1.2.11. 571 is used to backport in 1.3.1. + This bug is fixed since 1.3.2 + +https://fedorahosted.org/389/ticket/571 +https://fedorahosted.org/389/ticket/47361 + +Reviewed by: Rich Megginson (thanks Rich !) + +Platforms tested: F17 (unit + acceptance vlv/proxy/managed/psearch/tls/bindcontrol) + +Flag Day: no + +Doc impact: no +(cherry picked from commit dea2a254117f1e9f4be1068c6784b2780fec933f) +--- + ldap/servers/slapd/control.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c +index fc3ab9f..e614d50 100644 +--- a/ldap/servers/slapd/control.c ++++ b/ldap/servers/slapd/control.c +@@ -354,17 +354,27 @@ get_ldapmessage_controls_ext( + len = -1; /* reset for next loop iter */ + } + +- if ( (tag != LBER_END_OF_SEQORSET) && (len != -1) ) { +- goto free_and_return; +- } +- +- slapi_pblock_set( pb, SLAPI_REQCONTROLS, ctrls ); +- managedsait = slapi_control_present( ctrls, +- LDAP_CONTROL_MANAGEDSAIT, NULL, NULL ); +- slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, &managedsait ); +- pwpolicy_ctrl = slapi_control_present( ctrls, +- LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL ); +- slapi_pblock_set( pb, SLAPI_PWPOLICY, &pwpolicy_ctrl ); ++ if (curcontrols == 0) { ++ int ctrl_not_found = 0; /* means that a given control is not present in the request */ ++ ++ slapi_pblock_set(pb, SLAPI_REQCONTROLS, NULL); ++ slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found); ++ slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found); ++ slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%d op=%d contains an empty list of controls\n", ++ pb->pb_conn->c_connid, pb->pb_op->o_opid); ++ } else { ++ if ((tag != LBER_END_OF_SEQORSET) && (len != -1)) { ++ goto free_and_return; ++ } ++ ++ slapi_pblock_set(pb, SLAPI_REQCONTROLS, ctrls); ++ managedsait = slapi_control_present(ctrls, ++ LDAP_CONTROL_MANAGEDSAIT, NULL, NULL); ++ slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &managedsait); ++ pwpolicy_ctrl = slapi_control_present(ctrls, ++ LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL); ++ slapi_pblock_set(pb, SLAPI_PWPOLICY, &pwpolicy_ctrl); ++ } + + if ( controlsp != NULL ) { + *controlsp = ctrls; +-- +1.8.1.4 + diff --git a/SOURCES/0073-Ticket-47606-replica-init-bulk-import-errors-should-.patch b/SOURCES/0073-Ticket-47606-replica-init-bulk-import-errors-should-.patch new file mode 100644 index 0000000..9207ccf --- /dev/null +++ b/SOURCES/0073-Ticket-47606-replica-init-bulk-import-errors-should-.patch @@ -0,0 +1,189 @@ +From 298ada3b2f7b8aa770df9a5a7d8129f46b4417d7 Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Mon, 16 Dec 2013 13:03:19 -0800 +Subject: [PATCH 73/78] Ticket #47606 - replica init/bulk import errors should + be more verbose + +Description: +1. maxbersize: If the size of an entry is larger than the consumer's + maxbersize, the following error used to be logged: + Incoming BER Element was too long, max allowable is ### bytes. + Change the nsslapd-maxbersize attribute in cn=config to increase. + This message does not indicate how large the maxbersize needs to be. + This patch adds the code to retrieve the failed ber size. + Revised message: + Incoming BER Element was @@@ bytes, max allowable is ### bytes. + Change the nsslapd-maxbersize attribute in cn=config to increase. + Note: There is no lber API that returns the ber size if it fails to + handle the ber. This patch borrows the internal structure of ber + and get the size. This could be risky since the size or structure + of the ber could be updated in the openldap/mozldap lber. +2. cache size: The bulk import depends upon the nsslapd-cachememsize + value in the backend instance entry (e.g., cn=userRoot,cn=ldbm + database,cn=plugins,cn=config). If an entry size is larger than + the cachememsize, the bulk import used to fail with this message: + import userRoot: REASON: entry too large (@@@ bytes) for the + import buffer size (### bytes). Try increasing nsslapd- + cachememsize. + Also, the message follows the skipping entry message: + import userRoot: WARNING: skipping entry "" + but actually, it did NOT "skip" the entry and continue the bulk + import, but it failed there and completely wiped out the backend + database. + This patch modifies the message as follows: + import userRoot: REASON: entry too large (@@@ bytes) for the + effective import buffer size (### bytes). Try increasing nsslapd- + cachememsize for the backend instance "userRoot". + and as the message mentions, it just skips the failed entry and + continues the bulk import. +3. In repl5_tot_result_threadmain, when conn_read_result_ex returns + non zero (non SUCCESS), it sets abort, but does not set any error + code to rc (return code), which is not considered as "finished" in + repl5_tot_waitfor_async_results and it contines waiting until the + code reaches the max loop count (about 5 minutes). This patch sets + LDAP_CONNECT_ERROR to the return code along with setting abort, if + conn_read_result_ex returns CONN_NOT_CONNECTED. This makes the bulk + import finishes quickly when it fails. + +https://fedorahosted.org/389/ticket/47606 + +Reviewed by rmeggins@redhat.com (Thank you, Rich!!) +(cherry picked from commit 1119083d3d99993421609783efcb8962d78724fc) +(cherry picked from commit fde9ed5bf74b4ea1fff875bcb421137c78af1227) +(cherry picked from commit c9d0b6ccad84dd56a536da883f5a8e5acb01bc4e) +--- + .../plugins/replication/repl5_tot_protocol.c | 3 ++ + ldap/servers/slapd/back-ldbm/import-threads.c | 8 ++--- + ldap/servers/slapd/connection.c | 36 ++++++++++++++++++---- + ldap/servers/slapd/openldapber.h | 25 +++++++++++++++ + 4 files changed, 62 insertions(+), 10 deletions(-) + create mode 100644 ldap/servers/slapd/openldapber.h + +diff --git a/ldap/servers/plugins/replication/repl5_tot_protocol.c b/ldap/servers/plugins/replication/repl5_tot_protocol.c +index a241128..3895ace 100644 +--- a/ldap/servers/plugins/replication/repl5_tot_protocol.c ++++ b/ldap/servers/plugins/replication/repl5_tot_protocol.c +@@ -203,6 +203,9 @@ static void repl5_tot_result_threadmain(void *param) + /* If so then we need to take steps to abort the update process */ + PR_Lock(cb->lock); + cb->abort = 1; ++ if (conres == CONN_NOT_CONNECTED) { ++ cb->rc = LDAP_CONNECT_ERROR; ++ } + PR_Unlock(cb->lock); + } + /* Should we stop ? */ +diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c +index c0475c6..95433aa 100644 +--- a/ldap/servers/slapd/back-ldbm/import-threads.c ++++ b/ldap/servers/slapd/back-ldbm/import-threads.c +@@ -3330,11 +3330,11 @@ static int bulk_import_queue(ImportJob *job, Slapi_Entry *entry) + + newesize = (slapi_entry_size(ep->ep_entry) + sizeof(struct backentry)); + if (newesize > job->fifo.bsize) { /* entry too big */ +- import_log_notice(job, "WARNING: skipping entry \"%s\"", +- slapi_entry_get_dn(ep->ep_entry)); + import_log_notice(job, "REASON: entry too large (%lu bytes) for " +- "the import buffer size (%lu bytes). Try increasing nsslapd-cachememsize.", +- (long unsigned int)newesize, (long unsigned int)job->fifo.bsize); ++ "the effective import buffer size (%lu bytes). " ++ "Try increasing nsslapd-cachememsize for the backend instance \"%s\".", ++ (long unsigned int)newesize, (long unsigned int)job->fifo.bsize, ++ job->inst->inst_name); + backentry_clear_entry(ep); /* entry is released in the frontend on failure*/ + backentry_free( &ep ); /* release the backend wrapper, here */ + PR_Unlock(job->wire_lock); +diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c +index fed3512..02c86c5 100644 +--- a/ldap/servers/slapd/connection.c ++++ b/ldap/servers/slapd/connection.c +@@ -1749,6 +1749,32 @@ void connection_make_new_pb(Slapi_PBlock **ppb, Connection *conn) + } + + ++#ifdef USE_OPENLDAP ++#include "openldapber.h" ++#else ++#include "mozldap.h" ++#endif ++ ++static ber_tag_t ++_ber_get_len(BerElement *ber, ber_len_t *lenp) ++{ ++#ifdef USE_OPENLDAP ++ OLBerElement *lber = (OLBerElement *)ber; ++#else ++ MozElement *lber = (MozElement *)ber; ++#endif ++ ++ if (NULL == lenp) { ++ return LBER_DEFAULT; ++ } ++ *lenp = 0; ++ if (NULL == lber) { ++ return LBER_DEFAULT; ++ } ++ *lenp = lber->ber_len; ++ return lber->ber_tag; ++} ++ + /* + * Utility function called by connection_read_operation(). This is a + * small wrapper on top of libldap's ber_get_next_buffer_ext(). +@@ -1787,18 +1813,16 @@ get_next_from_buffer( void *buffer, size_t buffer_size, ber_len_t *lenp, + if ((LBER_OVERFLOW == *tagp || LBER_DEFAULT == *tagp) && 0 == bytes_scanned && + !SLAPD_SYSTEM_WOULD_BLOCK_ERROR(errno)) + { +- if (LBER_OVERFLOW == *tagp) +- { +- err = SLAPD_DISCONNECT_BER_TOO_BIG; +- } +- else if (errno == ERANGE) ++ if ((LBER_OVERFLOW == *tagp) || (errno == ERANGE)) + { + ber_len_t maxbersize = config_get_maxbersize(); ++ ber_len_t tmplen = 0; ++ (void)_ber_get_len(ber, &tmplen); + /* openldap does not differentiate between length == 0 + and length > max - all we know is that there was a + problem with the length - assume too big */ + err = SLAPD_DISCONNECT_BER_TOO_BIG; +- log_ber_too_big_error(conn, 0, maxbersize); ++ log_ber_too_big_error(conn, tmplen, maxbersize); + } + else + { +diff --git a/ldap/servers/slapd/openldapber.h b/ldap/servers/slapd/openldapber.h +new file mode 100644 +index 0000000..52644a5 +--- /dev/null ++++ b/ldap/servers/slapd/openldapber.h +@@ -0,0 +1,25 @@ ++/* ++ * openldap lber library does not provide an API which returns the ber size ++ * (ber->ber_len) when the ber tag is LBER_DEFAULT or LBER_OVERFLOW. ++ * The ber size is useful when issuing an error message to indicate how ++ * large the maxbersize needs to be set. ++ * Borrowed from liblber/lber-int.h ++ */ ++struct lber_options { ++ short lbo_valid; ++ unsigned short lbo_options; ++ int lbo_debug; ++}; ++struct berelement { ++ struct lber_options ber_opts; ++ ber_tag_t ber_tag; ++ ber_len_t ber_len; ++ ber_tag_t ber_usertag; ++ char *ber_buf; ++ char *ber_ptr; ++ char *ber_end; ++ char *ber_sos_ptr; ++ char *ber_rwptr; ++ void *ber_memctx; ++}; ++typedef struct berelement OLBerElement; +-- +1.8.1.4 + diff --git a/SOURCES/0074-Ticket-47623-fix-memleak-caused-by-47347.patch b/SOURCES/0074-Ticket-47623-fix-memleak-caused-by-47347.patch new file mode 100644 index 0000000..e692ddd --- /dev/null +++ b/SOURCES/0074-Ticket-47623-fix-memleak-caused-by-47347.patch @@ -0,0 +1,42 @@ +From b910f02f74410f44d0285d77b15e5d399df3c1a8 Mon Sep 17 00:00:00 2001 +From: Rich Megginson +Date: Mon, 9 Dec 2013 17:00:32 -0700 +Subject: [PATCH 74/78] Ticket #47623 fix memleak caused by 47347 + +https://fedorahosted.org/389/ticket/47623 +Reviewed by: nhosoi (Thanks!) +Branch: 389-ds-base-1.3.1 +Fix Description: Only need to create the mutex when creating a new PR object. +Platforms tested: RHEL6 x86_64 +Flag Day: no +Doc impact: no +(cherry picked from commit 98ccb602058270e97a3702ae2b81c17635af8d27) +(cherry picked from commit 65c51555c0ecc94c5d93f09124168697ba1db6b3) +(cherry picked from commit 8a2c666df491b7c8666f8a70a5038b35c43fbc3b) +--- + ldap/servers/slapd/pagedresults.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c +index 78bd6b0..a835d6b 100644 +--- a/ldap/servers/slapd/pagedresults.c ++++ b/ldap/servers/slapd/pagedresults.c +@@ -122,6 +122,7 @@ pagedresults_parse_control_value( Slapi_PBlock *pb, + sizeof(PagedResults) * maxlen); + } + *index = maxlen; /* the first position in the new area */ ++ conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock(); + } else { + for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++) { + if (!conn->c_pagedresults.prl_list[i].pr_current_be) { +@@ -131,7 +132,6 @@ pagedresults_parse_control_value( Slapi_PBlock *pb, + } + } + conn->c_pagedresults.prl_count++; +- conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock(); + } else { + /* Repeated paged results request. + * PagedResults is already allocated. */ +-- +1.8.1.4 + diff --git a/SOURCES/0075-Ticket-47623-fix-memleak-caused-by-47347.patch b/SOURCES/0075-Ticket-47623-fix-memleak-caused-by-47347.patch new file mode 100644 index 0000000..128c3f4 --- /dev/null +++ b/SOURCES/0075-Ticket-47623-fix-memleak-caused-by-47347.patch @@ -0,0 +1,44 @@ +From 0cd6aca794ccbd064c0609c45f8dc6333ad8ca8a Mon Sep 17 00:00:00 2001 +From: Rich Megginson +Date: Tue, 10 Dec 2013 08:08:35 -0700 +Subject: [PATCH 75/78] Ticket #47623 fix memleak caused by 47347 + +https://fedorahosted.org/389/ticket/47623 +Reviewed by: tbordaz, nhosoi (Thanks!) +Branch: 389-ds-base-1.3.1 +Fix Description: Create the mutex if it doesn't exist. +Platforms tested: RHEL6 x86_64 +Flag Day: no +Doc impact: no +(cherry picked from commit 0d4849dd7551347f0e24ac1027f4d0501084dcf3) +(cherry picked from commit 5d3ae5f709964cd7dfb73b631a22389223f5ef25) +(cherry picked from commit 5c649ddacd1d2c11b6e922b29472094b780c2a0e) +--- + ldap/servers/slapd/pagedresults.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c +index a835d6b..9af5773 100644 +--- a/ldap/servers/slapd/pagedresults.c ++++ b/ldap/servers/slapd/pagedresults.c +@@ -122,7 +122,6 @@ pagedresults_parse_control_value( Slapi_PBlock *pb, + sizeof(PagedResults) * maxlen); + } + *index = maxlen; /* the first position in the new area */ +- conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock(); + } else { + for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++) { + if (!conn->c_pagedresults.prl_list[i].pr_current_be) { +@@ -131,6 +130,9 @@ pagedresults_parse_control_value( Slapi_PBlock *pb, + } + } + } ++ if (!conn->c_pagedresults.prl_list[*index].pr_mutex) { ++ conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock(); ++ } + conn->c_pagedresults.prl_count++; + } else { + /* Repeated paged results request. +-- +1.8.1.4 + diff --git a/SOURCES/0076-Ticket-47627-changelog-iteration-should-ignore-clean.patch b/SOURCES/0076-Ticket-47627-changelog-iteration-should-ignore-clean.patch new file mode 100644 index 0000000..3906b84 --- /dev/null +++ b/SOURCES/0076-Ticket-47627-changelog-iteration-should-ignore-clean.patch @@ -0,0 +1,150 @@ +From ea86342f0497a2d4c45c337ada9ec9e8329fc7cd Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 11 Dec 2013 11:25:44 -0500 +Subject: [PATCH 76/78] Ticket 47627 - changelog iteration should ignore + cleaned rids when getting the minCSN + +Description: If a change is not found in the change log the server will look for a min csn + to start the replay. This minCSN should not come from a cleaned RUV element. + +https://fedorahosted.org/389/ticket/47627 + +Reviewed by: rmeggins & lkrispenz(Thanks!!) +(cherry picked from commit 9c6e9bb12327a2d50e651221614d34984b605427) +(cherry picked from commit 8004449ae206d0d417497324ffedf79ca9e25572) +--- + ldap/servers/plugins/replication/cl5_api.c | 2 +- + ldap/servers/plugins/replication/repl5_ruv.c | 42 ++++++++++++++++++++++------ + ldap/servers/plugins/replication/repl5_ruv.h | 3 ++ + 3 files changed, 37 insertions(+), 10 deletions(-) + +diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c +index 7bedc2c..064a628 100644 +--- a/ldap/servers/plugins/replication/cl5_api.c ++++ b/ldap/servers/plugins/replication/cl5_api.c +@@ -5172,7 +5172,7 @@ static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consum + { + /* use the supplier min csn for the buffer start csn - we know + this csn is in our changelog */ +- if ((RUV_SUCCESS == ruv_get_min_csn(supplierRuv, &startCSN)) && ++ if ((RUV_SUCCESS == ruv_get_min_csn_ext(supplierRuv, &startCSN, 1 /* ignore cleaned rids */)) && + startCSN) + { /* must now free startCSN */ + if (slapi_is_loglevel_set(SLAPI_LOG_REPL)) { +diff --git a/ldap/servers/plugins/replication/repl5_ruv.c b/ldap/servers/plugins/replication/repl5_ruv.c +index 7395195..dc83555 100644 +--- a/ldap/servers/plugins/replication/repl5_ruv.c ++++ b/ldap/servers/plugins/replication/repl5_ruv.c +@@ -998,9 +998,9 @@ ruv_covers_csn_cleanallruv(const RUV *ruv, const CSN *csn) + * or max{maxcsns of all ruv elements} if get_the_max != 0. + */ + static int +-ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid) ++ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid, int ignore_cleaned_rid) + { +- int return_value; ++ int return_value = RUV_SUCCESS; + + if (ruv == NULL || csn == NULL) + { +@@ -1012,6 +1012,7 @@ ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid + CSN *found = NULL; + RUVElement *replica; + int cookie; ++ + slapi_rwlock_rdlock (ruv->lock); + for (replica = dl_get_first (ruv->elements, &cookie); replica; + replica = dl_get_next (ruv->elements, &cookie)) +@@ -1028,6 +1029,10 @@ ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid + { + continue; + } ++ if(ignore_cleaned_rid && is_cleaned_rid(replica->rid)){ ++ continue; ++ } ++ + if(rid){ /* we are only interested in this rid's maxcsn */ + if(replica->rid == rid){ + found = replica->csn; +@@ -1041,36 +1046,55 @@ ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid + found = replica->csn; + } + } +- } ++ } ++ + if (found == NULL) + { +- *csn = NULL; ++ *csn = NULL; + } + else + { + *csn = csn_dup (found); + } + slapi_rwlock_unlock (ruv->lock); +- return_value = RUV_SUCCESS; + } + return return_value; + } + + int +-ruv_get_rid_max_csn(const RUV *ruv, CSN **csn, ReplicaId rid){ +- return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, rid); ++ruv_get_rid_max_csn(const RUV *ruv, CSN **csn, ReplicaId rid) ++{ ++ return ruv_get_rid_max_csn_ext(ruv, csn, rid, 0); ++} ++ ++int ++ruv_get_rid_max_csn_ext(const RUV *ruv, CSN **csn, ReplicaId rid, int ignore_cleaned_rid) ++{ ++ return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, rid, ignore_cleaned_rid); + } + + int + ruv_get_max_csn(const RUV *ruv, CSN **csn) + { +- return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, 0 /* rid */); ++ return ruv_get_max_csn_ext(ruv, csn, 0); ++} ++ ++int ++ruv_get_max_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid) ++{ ++ return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, 0 /* rid */, ignore_cleaned_rid); + } + + int + ruv_get_min_csn(const RUV *ruv, CSN **csn) + { +- return ruv_get_min_or_max_csn(ruv, csn, 0 /* get the min */, 0 /* rid */); ++ return ruv_get_min_csn_ext(ruv, csn, 0); ++} ++ ++int ++ruv_get_min_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid) ++{ ++ return ruv_get_min_or_max_csn(ruv, csn, 0 /* get the min */, 0 /* rid */, ignore_cleaned_rid); + } + + int +diff --git a/ldap/servers/plugins/replication/repl5_ruv.h b/ldap/servers/plugins/replication/repl5_ruv.h +index 799dc7f..4593b84 100644 +--- a/ldap/servers/plugins/replication/repl5_ruv.h ++++ b/ldap/servers/plugins/replication/repl5_ruv.h +@@ -123,8 +123,11 @@ PRBool ruv_covers_csn(const RUV *ruv, const CSN *csn); + PRBool ruv_covers_csn_strict(const RUV *ruv, const CSN *csn); + PRBool ruv_covers_csn_cleanallruv(const RUV *ruv, const CSN *csn); + int ruv_get_min_csn(const RUV *ruv, CSN **csn); ++int ruv_get_min_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid); + int ruv_get_max_csn(const RUV *ruv, CSN **csn); ++int ruv_get_max_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid); + int ruv_get_rid_max_csn(const RUV *ruv, CSN **csn, ReplicaId rid); ++int ruv_get_rid_max_csn_ext(const RUV *ruv, CSN **csn, ReplicaId rid, int ignore_cleaned_rid); + int ruv_enumerate_elements (const RUV *ruv, FNEnumRUV fn, void *arg); + int ruv_to_smod(const RUV *ruv, Slapi_Mod *smod); + int ruv_last_modified_to_smod(const RUV *ruv, Slapi_Mod *smod); +-- +1.8.1.4 + diff --git a/SOURCES/0077-Ticket-47627-Fix-replication-logging.patch b/SOURCES/0077-Ticket-47627-Fix-replication-logging.patch new file mode 100644 index 0000000..65c7da6 --- /dev/null +++ b/SOURCES/0077-Ticket-47627-Fix-replication-logging.patch @@ -0,0 +1,61 @@ +From 30144a9dabfe221cdded349078eaedf91cb53e88 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Sat, 14 Dec 2013 07:38:12 -0500 +Subject: [PATCH 77/78] Ticket 47627 - Fix replication logging + +We printed the same CSN for the missing CSN and the supplier min CSN because +we reused the same CSN pointer. + +https://fedorahosted.org/389/ticket/47627 + +Reviewed by: rmeggins(Thanks!) +(cherry picked from commit 20cccf58108099cead2412a979e70e4f5972b806) +(cherry picked from commit ae3daa16783bab18f202a71b81177f4407dccdcd) +--- + ldap/servers/plugins/replication/cl5_api.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c +index 064a628..abcc39a 100644 +--- a/ldap/servers/plugins/replication/cl5_api.c ++++ b/ldap/servers/plugins/replication/cl5_api.c +@@ -5081,6 +5081,7 @@ static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consum + int i; + CSN **csns = NULL; + CSN *startCSN = NULL; ++ CSN *minCSN = NULL; + char csnStr [CSN_STRSIZE]; + int rc = CL5_SUCCESS; + Object *supplierRuvObj = NULL; +@@ -5170,20 +5171,24 @@ static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consum + */ + if ((rc == DB_NOTFOUND) && !ruv_has_csns(file->purgeRUV)) + { ++ char mincsnStr[CSN_STRSIZE]; ++ + /* use the supplier min csn for the buffer start csn - we know + this csn is in our changelog */ +- if ((RUV_SUCCESS == ruv_get_min_csn_ext(supplierRuv, &startCSN, 1 /* ignore cleaned rids */)) && +- startCSN) ++ if ((RUV_SUCCESS == ruv_get_min_csn_ext(supplierRuv, &minCSN, 1 /* ignore cleaned rids */)) && ++ minCSN) + { /* must now free startCSN */ + if (slapi_is_loglevel_set(SLAPI_LOG_REPL)) { +- csn_as_string(startCSN, PR_FALSE, csnStr); ++ csn_as_string(startCSN, PR_FALSE, csnStr); ++ csn_as_string(minCSN, PR_FALSE, mincsnStr); + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, + "%s: CSN %s not found and no purging, probably a reinit\n", + agmt_name, csnStr); + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, + "%s: Will try to use supplier min CSN %s to load changelog\n", +- agmt_name, csnStr); ++ agmt_name, mincsnStr); + } ++ startCSN = minCSN; + rc = clcache_load_buffer (clcache, startCSN, DB_SET); + } + else +-- +1.8.1.4 + diff --git a/SOURCES/0078-Ticket-447-Possible-to-add-invalid-attribute-to-nssl.patch b/SOURCES/0078-Ticket-447-Possible-to-add-invalid-attribute-to-nssl.patch new file mode 100644 index 0000000..2acccad --- /dev/null +++ b/SOURCES/0078-Ticket-447-Possible-to-add-invalid-attribute-to-nssl.patch @@ -0,0 +1,69 @@ +From 31a7087a26c153ff3430a1028be34c64839d0fd0 Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Wed, 8 Jan 2014 10:30:04 -0800 +Subject: [PATCH 78/78] Ticket #447 - Possible to add invalid attribute to + nsslapd-allowed-to-delete-attrs + +Bug description: If given value of nsslapd-allowed-to-delete-attrs are +all invalid attributes, e.g., + nsslapd-allowed-to-delete-attrs: invalid0 invalid1 +they were logged as invalid, but accidentally set to nsslapd-allowed- +to-delete-attrs. + +Fix description: This patch checks the validation result and if there +is no valid attributes given to nsslapd-allowed-to-delete-attrs, it +issues a message in the error log: + nsslapd-allowed-to-delete-attrs: Given attributes are all invalid. + No effects. +and it returns an error. The modify operation fails with "DSA is +unwilling to perform". + +https://fedorahosted.org/389/ticket/447 + +Reviewed by rmeggins@redhat.com (Thank you, Rich!) +(cherry picked from commit 31cd7a838aef30d80be6efe519cc2e821811c645) +(cherry picked from commit eab32225c129f6a5115bbd5ac2a3c2035f4393b2) +(cherry picked from commit c392aa891e67b8be189d3e354a179fc376998642) +--- + ldap/servers/slapd/libglobs.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c +index 64510d6..6df225d 100644 +--- a/ldap/servers/slapd/libglobs.c ++++ b/ldap/servers/slapd/libglobs.c +@@ -6720,15 +6720,23 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value, + /* given value included unknown attribute, + * we need to re-create a value. */ + /* reuse the duplicated string for the new attr value. */ +- for (s = allowed, d = vcopy; s && *s; s++) { +- size_t slen = strlen(*s); +- memmove(d, *s, slen); +- d += slen; +- memmove(d, " ", 1); +- d++; ++ if (allowed && (NULL == *allowed)) { ++ /* all the values to allow to delete are invalid */ ++ slapi_log_error(SLAPI_LOG_FATAL, "config", ++ "%s: Given attributes are all invalid. No effects.\n", ++ CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE); ++ return LDAP_NO_SUCH_ATTRIBUTE; ++ } else { ++ for (s = allowed, d = vcopy; s && *s; s++) { ++ size_t slen = strlen(*s); ++ memmove(d, *s, slen); ++ d += slen; ++ memmove(d, " ", 1); ++ d++; ++ } ++ *(d-1) = '\0'; ++ strcpy(value, vcopy); /* original value needs to be refreshed */ + } +- *(d-1) = '\0'; +- strcpy(value, vcopy); /* original value needs to be refreshed */ + } else { + slapi_ch_free_string(&vcopy); + vcopy = slapi_ch_strdup(value); +-- +1.8.1.4 + diff --git a/SOURCES/0079-Ticket-47660-config_set_allowed_to_delete_attrs-Valg.patch b/SOURCES/0079-Ticket-47660-config_set_allowed_to_delete_attrs-Valg.patch new file mode 100644 index 0000000..582c8a1 --- /dev/null +++ b/SOURCES/0079-Ticket-47660-config_set_allowed_to_delete_attrs-Valg.patch @@ -0,0 +1,50 @@ +From d30caf438689760dd4fce8dc914070daae47de72 Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Mon, 13 Jan 2014 11:03:46 -0800 +Subject: [PATCH 79/83] Ticket #47660 - config_set_allowed_to_delete_attrs: + Valgrind reports Invalid read + +Description: There was a logic error in checking the availability of +a pointer. Before checking the contents of an address, the correctness +of the pointer needed to be checked. + +Also, one memory leak was found in the error return case. + +Note: these 2 issues were introduece by this commit: +commit 94b123780b21e503b78bceca9d60904206ef91fa +Trac Ticket #447 - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs + +https://fedorahosted.org/389/ticket/47660 + +Reviewed by rmeggins@redhat.com (Thank you, Rich!) +(cherry picked from commit 1a788bf35a138d221f2bfb88d6da5fc5244d738c) +(cherry picked from commit 22c24f0d133cfcfc9f7457a84282d223ea3f6e25) +(cherry picked from commit 4aa849fa0a32d90e7d88574f35e1e17fbaf1034f) +--- + ldap/servers/slapd/libglobs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c +index 6df225d..bcf7db4 100644 +--- a/ldap/servers/slapd/libglobs.c ++++ b/ldap/servers/slapd/libglobs.c +@@ -6704,7 +6704,7 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value, + int needcopy = 0; + allowed = slapi_str2charray_ext(vcopy, " ", 0); + for (s = allowed; s && *s; s++) ; +- for (--s; s && *s && (s >= allowed); s--) { ++ for (--s; s && (s >= allowed) && *s; s--) { + cgas = (struct config_get_and_set *)PL_HashTableLookup(confighash, + *s); + if (!cgas && PL_strcasecmp(*s, "aci") /* aci is an exception */) { +@@ -6725,6 +6725,7 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value, + slapi_log_error(SLAPI_LOG_FATAL, "config", + "%s: Given attributes are all invalid. No effects.\n", + CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE); ++ slapi_ch_array_free(allowed); + return LDAP_NO_SUCH_ATTRIBUTE; + } else { + for (s = allowed, d = vcopy; s && *s; s++) { +-- +1.8.1.4 + diff --git a/SOURCES/0080-Ticket-408-Fix-crash-when-disabling-enabling-the-set.patch b/SOURCES/0080-Ticket-408-Fix-crash-when-disabling-enabling-the-set.patch new file mode 100644 index 0000000..7f3d73b --- /dev/null +++ b/SOURCES/0080-Ticket-408-Fix-crash-when-disabling-enabling-the-set.patch @@ -0,0 +1,208 @@ +From f649d36ecf04926704add30a9f3179bd862de4c1 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Thu, 16 Jan 2014 15:21:28 -0500 +Subject: [PATCH 80/83] Ticket 408 - Fix crash when disabling/enabling the + setting + +Bug Description: Enabling/disabling can lead to crash as the setting + was not designed to be dynamically updated. + +Fix Description: Do not use the actual config setting to determine if the + cache is enabled. Instead we record when the cache is + initialized. The server still needs to be restarted for + the config change to take effect. + + Also freed the cache at server shtudown. + +https://fedorahosted.org/389/ticket/408 + +Reviewed by: rmeggins(Thanks!) +(cherry picked from commit 03c90f04065059ee310e9fa7d98228e0aa39fa50) +(cherry picked from commit 50ad64a442495810a84558c6c17dcc2263b815b6) +(cherry picked from commit e0d85bead832c6aa7a2ec01157ab786a53fb5272) +--- + ldap/servers/slapd/back-ldbm/monitor.c | 2 +- + ldap/servers/slapd/dn.c | 93 +++++++++++++++++++++++++++------- + ldap/servers/slapd/main.c | 1 + + ldap/servers/slapd/slapi-private.h | 2 + + 4 files changed, 78 insertions(+), 20 deletions(-) + +diff --git a/ldap/servers/slapd/back-ldbm/monitor.c b/ldap/servers/slapd/back-ldbm/monitor.c +index 3427809..409c771 100644 +--- a/ldap/servers/slapd/back-ldbm/monitor.c ++++ b/ldap/servers/slapd/back-ldbm/monitor.c +@@ -146,7 +146,7 @@ int ldbm_back_monitor_instance_search(Slapi_PBlock *pb, Slapi_Entry *e, + MSET("maxDnCacheCount"); + } + /* normalized dn cache stats */ +- if(config_get_ndn_cache_enabled()){ ++ if(ndn_cache_started()){ + ndn_cache_get_stats(&hits, &tries, &size, &maxsize, &count); + sprintf(buf, "%" NSPRIu64, (long long unsigned int)tries); + MSET("normalizedDnCacheTries"); +diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c +index 9530b84..1eab631 100644 +--- a/ldap/servers/slapd/dn.c ++++ b/ldap/servers/slapd/dn.c +@@ -103,6 +103,7 @@ static void ndn_cache_update_lru(struct ndn_cache_lru **node); + static void ndn_cache_add(char *dn, size_t dn_len, char *ndn, size_t ndn_len); + static void ndn_cache_delete(char *dn); + static void ndn_cache_flush(); ++static void ndn_cache_free(); + static int ndn_started = 0; + static PRLock *lru_lock = NULL; + static Slapi_RWLock *ndn_cache_lock = NULL; +@@ -2751,7 +2752,7 @@ ndn_hash_string(const void *key) + void + ndn_cache_init() + { +- if(!config_get_ndn_cache_enabled()){ ++ if(!config_get_ndn_cache_enabled() || ndn_started){ + return; + } + ndn_cache_hashtable = PL_NewHashTable( NDN_CACHE_BUCKETS, ndn_hash_string, PL_CompareStrings, PL_CompareValues, 0, 0); +@@ -2764,24 +2765,49 @@ ndn_cache_init() + ndn_cache->cache_size = sizeof(struct ndn_cache_ctx) + sizeof(PLHashTable) + sizeof(PLHashTable); + ndn_cache->head = NULL; + ndn_cache->tail = NULL; +- ++ ndn_started = 1; + if ( NULL == ( lru_lock = PR_NewLock()) || NULL == ( ndn_cache_lock = slapi_new_rwlock())) { +- char *errorbuf = NULL; +- if(ndn_cache_hashtable){ +- PL_HashTableDestroy(ndn_cache_hashtable); +- } +- ndn_cache_hashtable = NULL; +- config_set_ndn_cache_enabled(CONFIG_NDN_CACHE, "off", errorbuf, 1 ); +- slapi_counter_destroy(&ndn_cache->cache_hits); +- slapi_counter_destroy(&ndn_cache->cache_tries); +- slapi_counter_destroy(&ndn_cache->cache_misses); +- slapi_ch_free((void **)&ndn_cache); ++ ndn_cache_destroy(); + slapi_log_error( SLAPI_LOG_FATAL, "ndn_cache_init", "Failed to create locks. Disabling cache.\n" ); +- } else { +- ndn_started = 1; + } + } + ++void ++ndn_cache_destroy() ++{ ++ char *errorbuf = NULL; ++ ++ if(!ndn_started){ ++ return; ++ } ++ if(lru_lock){ ++ PR_DestroyLock(lru_lock); ++ lru_lock = NULL; ++ } ++ if(ndn_cache_lock){ ++ slapi_destroy_rwlock(ndn_cache_lock); ++ ndn_cache_lock = NULL; ++ } ++ if(ndn_cache_hashtable){ ++ ndn_cache_free(); ++ PL_HashTableDestroy(ndn_cache_hashtable); ++ ndn_cache_hashtable = NULL; ++ } ++ config_set_ndn_cache_enabled(CONFIG_NDN_CACHE, "off", errorbuf, 1 ); ++ slapi_counter_destroy(&ndn_cache->cache_hits); ++ slapi_counter_destroy(&ndn_cache->cache_tries); ++ slapi_counter_destroy(&ndn_cache->cache_misses); ++ slapi_ch_free((void **)&ndn_cache); ++ ++ ndn_started = 0; ++} ++ ++int ++ndn_cache_started() ++{ ++ return ndn_started; ++} ++ + /* + * Look up this dn in the ndn cache + */ +@@ -2994,19 +3020,48 @@ ndn_cache_flush() + slapi_log_error( SLAPI_LOG_CACHE, "ndn_cache_flush","Flushed cache.\n"); + } + ++static void ++ndn_cache_free() ++{ ++ struct ndn_cache_lru *node, *next, *flush_node; ++ ++ if(!ndn_cache){ ++ return; ++ } ++ ++ node = ndn_cache->tail; ++ while(ndn_cache->cache_count){ ++ flush_node = node; ++ /* update the lru */ ++ next = node->prev; ++ if(next){ ++ next->next = NULL; ++ } ++ ndn_cache->tail = next; ++ node = next; ++ /* now update the hash */ ++ ndn_cache->cache_count--; ++ ndn_cache_delete(flush_node->key); ++ slapi_ch_free_string(&flush_node->key); ++ slapi_ch_free((void **)&flush_node); ++ } ++} ++ + /* this is already "write" locked from ndn_cache_add */ + static void + ndn_cache_delete(char *dn) + { +- struct ndn_hash_val *ht_val; ++ struct ndn_hash_val *ht_entry; + +- ht_val = (struct ndn_hash_val *)PL_HashTableLookupConst(ndn_cache_hashtable, dn); +- if(ht_val){ +- ndn_cache->cache_size -= ht_val->size; +- slapi_ch_free_string(&ht_val->ndn); ++ ht_entry = (struct ndn_hash_val *)PL_HashTableLookupConst(ndn_cache_hashtable, dn); ++ if(ht_entry){ ++ ndn_cache->cache_size -= ht_entry->size; ++ slapi_ch_free_string(&ht_entry->ndn); ++ slapi_ch_free((void **)&ht_entry); + PL_HashTableRemove(ndn_cache_hashtable, dn); + } + } ++ + /* stats for monitor */ + void + ndn_cache_get_stats(PRUint64 *hits, PRUint64 *tries, size_t *size, size_t *max_size, long *count) +diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c +index a17a2c5..ad8dd83 100644 +--- a/ldap/servers/slapd/main.c ++++ b/ldap/servers/slapd/main.c +@@ -1280,6 +1280,7 @@ main( int argc, char **argv) + cleanup: + SSL_ShutdownServerSessionIDCache(); + SSL_ClearSessionCache(); ++ ndn_cache_destroy(); + NSS_Shutdown(); + PR_Cleanup(); + #ifdef _WIN32 +diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h +index 194f3fd..eaa5f98 100644 +--- a/ldap/servers/slapd/slapi-private.h ++++ b/ldap/servers/slapd/slapi-private.h +@@ -392,6 +392,8 @@ Slapi_DN *slapi_sdn_init_normdn_passin(Slapi_DN *sdn, const char *dn); + char *slapi_dn_normalize_original( char *dn ); + char *slapi_dn_normalize_case_original( char *dn ); + void ndn_cache_init(); ++void ndn_cache_destroy(); ++int ndn_cache_started(); + void ndn_cache_get_stats(PRUint64 *hits, PRUint64 *tries, size_t *size, size_t *max_size, long *count); + #define NDN_DEFAULT_SIZE 20971520 /* 20mb - size of normalized dn cache */ + +-- +1.8.1.4 + diff --git a/SOURCES/0081-Ticket-47620-Unable-to-delete-protocol-timeout-attri.patch b/SOURCES/0081-Ticket-47620-Unable-to-delete-protocol-timeout-attri.patch new file mode 100644 index 0000000..c8c32d9 --- /dev/null +++ b/SOURCES/0081-Ticket-47620-Unable-to-delete-protocol-timeout-attri.patch @@ -0,0 +1,120 @@ +From 5a79c1ecc7e706202a2a668e6cb12624f302ed35 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 17 Jan 2014 15:13:21 -0500 +Subject: [PATCH 81/83] Ticket 47620 - Unable to delete protocol timeout + attribute + +Bug Description: Attempting to delete nsds5ReplicaProtocolTimeout from a replication + agreement unexpectedly fails with an error 53. + +Fix Description: The previous delete operation check was in the wrong location, and the + delete operation was treated as a modify - which then triggered the + error 53. Added the correct check for the delete operation. + + Also removed some old code for a CLEANALLRUV attribute that was never + implemented. + +https://fedorahosted.org/389/ticket/47620 + +Reviewed by: nhosoi(Thanks!) +(cherry picked from commit 9c41a365e8fbd23cab28eb91f50cdce696a30730) +(cherry picked from commit 77380161e9e04f64a431dd35ce4b4c45ed01cae5) +--- + ldap/servers/plugins/replication/repl5.h | 1 - + ldap/servers/plugins/replication/repl5_agmtlist.c | 46 +++++++++++------------ + ldap/servers/plugins/replication/repl_globals.c | 1 - + 3 files changed, 22 insertions(+), 26 deletions(-) + +diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h +index 321a285..655e8ba 100644 +--- a/ldap/servers/plugins/replication/repl5.h ++++ b/ldap/servers/plugins/replication/repl5.h +@@ -167,7 +167,6 @@ extern const char *type_nsds5ReplicaBusyWaitTime; + extern const char *type_nsds5ReplicaSessionPauseTime; + extern const char *type_nsds5ReplicaEnabled; + extern const char *type_nsds5ReplicaStripAttrs; +-extern const char *type_nsds5ReplicaCleanRUVnotified; + extern const char *type_replicaProtocolTimeout; + extern const char *type_replicaBackoffMin; + extern const char *type_replicaBackoffMax; +diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c +index 9e0291f..0edf28a 100644 +--- a/ldap/servers/plugins/replication/repl5_agmtlist.c ++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c +@@ -254,15 +254,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + the replication plugin - handled above */ + if (mods[i]->mod_op & LDAP_MOD_DELETE) + { +- if(strcasecmp (mods[i]->mod_type, type_nsds5ReplicaCleanRUVnotified) == 0 ){ +- /* allow the deletion of cleanallruv agmt attr */ +- continue; +- } +- if(strcasecmp (mods[i]->mod_type, type_replicaProtocolTimeout) == 0){ +- agmt_set_protocol_timeout(agmt, 0); +- continue; +- } +- + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " + "deletion of %s attribute is not allowed\n", type_nsds5ReplicaInitialize); + *returncode = LDAP_UNWILLING_TO_PERFORM; +@@ -505,23 +496,30 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry + } + } + else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){ +- long ptimeout = 0; +- +- if (val){ +- ptimeout = atol(val); ++ if (mods[i]->mod_op & LDAP_MOD_DELETE) ++ { ++ agmt_set_protocol_timeout(agmt, 0); + } +- if(ptimeout <= 0){ +- *returncode = LDAP_UNWILLING_TO_PERFORM; +- PR_snprintf (returntext, SLAPI_DSE_RETURNTEXT_SIZE, +- "attribute %s value (%s) is invalid, must be a number greater than zero.\n", +- type_replicaProtocolTimeout, val ? val : ""); +- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, " +- "must be a number greater than zero.\n", +- type_replicaProtocolTimeout, val ? val : ""); +- rc = SLAPI_DSE_CALLBACK_ERROR; +- break; ++ else ++ { ++ long ptimeout = 0; ++ ++ if (val){ ++ ptimeout = atol(val); ++ } ++ if(ptimeout <= 0){ ++ *returncode = LDAP_UNWILLING_TO_PERFORM; ++ PR_snprintf (returntext, SLAPI_DSE_RETURNTEXT_SIZE, ++ "attribute %s value (%s) is invalid, must be a number greater than zero.\n", ++ type_replicaProtocolTimeout, val ? val : ""); ++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, " ++ "must be a number greater than zero.\n", ++ type_replicaProtocolTimeout, val ? val : ""); ++ rc = SLAPI_DSE_CALLBACK_ERROR; ++ break; ++ } ++ agmt_set_protocol_timeout(agmt, ptimeout); + } +- agmt_set_protocol_timeout(agmt, ptimeout); + } + else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e)) + { +diff --git a/ldap/servers/plugins/replication/repl_globals.c b/ldap/servers/plugins/replication/repl_globals.c +index 7dfeb9b..305ed25 100644 +--- a/ldap/servers/plugins/replication/repl_globals.c ++++ b/ldap/servers/plugins/replication/repl_globals.c +@@ -133,7 +133,6 @@ const char *type_nsds5ReplicaBusyWaitTime = "nsds5ReplicaBusyWaitTime"; + const char *type_nsds5ReplicaSessionPauseTime = "nsds5ReplicaSessionPauseTime"; + const char *type_nsds5ReplicaEnabled = "nsds5ReplicaEnabled"; + const char *type_nsds5ReplicaStripAttrs = "nsds5ReplicaStripAttrs"; +-const char *type_nsds5ReplicaCleanRUVnotified = "nsds5ReplicaCleanRUVNotified"; + + /* windows sync specific attributes */ + const char *type_nsds7WindowsReplicaArea = "nsds7WindowsReplicaSubtree"; +-- +1.8.1.4 + diff --git a/SOURCES/0082-Ticket-47516-replication-stops-with-excessive-clock-.patch b/SOURCES/0082-Ticket-47516-replication-stops-with-excessive-clock-.patch new file mode 100644 index 0000000..56d9aea --- /dev/null +++ b/SOURCES/0082-Ticket-47516-replication-stops-with-excessive-clock-.patch @@ -0,0 +1,92 @@ +From 029e230581a4b8e955db01dd0735f1ad9db521ac Mon Sep 17 00:00:00 2001 +From: Rich Megginson +Date: Thu, 16 Jan 2014 12:57:22 -0700 +Subject: [PATCH 82/83] Ticket #47516 replication stops with excessive clock + skew + +https://fedorahosted.org/389/ticket/47516 +Reviewed by: nhosoi (Thanks!) +Branch: 389-ds-base-1.3.1 +Fix Description: The previous fix was not adequate. Instead, the determination +of whether or not to ignore time skew should be determined in +csngen_adjust_time(). +Platforms tested: RHEL6 x86_64 +Flag Day: no +Doc impact: yes - document new config param +(cherry picked from commit 9f2b104b0938b21d7c9fe37c736d0e6328843aeb) +(cherry picked from commit a6ec074c6295a59938f313b4fe09430e8f601fab) +(cherry picked from commit 51c1b2a0e4245b90f418f9f909c1d17c564f77f3) +--- + ldap/servers/plugins/replication/repl_extop.c | 11 ++--------- + ldap/servers/slapd/csngen.c | 8 ++++++-- + 2 files changed, 8 insertions(+), 11 deletions(-) + +diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c +index 57249a6..35014a9 100644 +--- a/ldap/servers/plugins/replication/repl_extop.c ++++ b/ldap/servers/plugins/replication/repl_extop.c +@@ -835,19 +835,12 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb) + rc = replica_update_csngen_state_ext (replica, supplier_ruv, replicacsn); /* too much skew */ + if (rc == CSN_LIMIT_EXCEEDED) + { +- extern int config_get_ignore_time_skew(); +- + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, + "conn=%" NSPRIu64 " op=%d repl=\"%s\": " + "Excessive clock skew from supplier RUV\n", + (long long unsigned int)connid, opid, repl_root); +- if (!config_get_ignore_time_skew()) { +- response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW; +- goto send_response; +- } else { +- /* else just continue */ +- rc = 0; +- } ++ response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW; ++ goto send_response; + } + else if (rc != 0) + { +diff --git a/ldap/servers/slapd/csngen.c b/ldap/servers/slapd/csngen.c +index 464a59e..f87f2d1 100644 +--- a/ldap/servers/slapd/csngen.c ++++ b/ldap/servers/slapd/csngen.c +@@ -326,6 +326,8 @@ int csngen_adjust_time(CSNGen *gen, const CSN* csn) + time_t remote_time, remote_offset, cur_time; + PRUint16 remote_seqnum; + int rc; ++ extern int config_get_ignore_time_skew(); ++ int ignore_time_skew = config_get_ignore_time_skew(); + + if (gen == NULL || csn == NULL) + return CSN_INVALID_PARAMETER; +@@ -380,7 +382,7 @@ int csngen_adjust_time(CSNGen *gen, const CSN* csn) + remote_offset = remote_time - cur_time; + if (remote_offset > gen->state.remote_offset) + { +- if (remote_offset <= CSN_MAX_TIME_ADJUST) ++ if (ignore_time_skew || (remote_offset <= CSN_MAX_TIME_ADJUST)) + { + gen->state.remote_offset = remote_offset; + } +@@ -651,6 +653,8 @@ _csngen_cmp_callbacks (const void *el1, const void *el2) + static int + _csngen_adjust_local_time (CSNGen *gen, time_t cur_time) + { ++ extern int config_get_ignore_time_skew(); ++ int ignore_time_skew = config_get_ignore_time_skew(); + time_t time_diff = cur_time - gen->state.sampled_time; + + if (time_diff == 0) { +@@ -714,7 +718,7 @@ _csngen_adjust_local_time (CSNGen *gen, time_t cur_time) + gen->state.remote_offset); + } + +- if (abs (time_diff) > CSN_MAX_TIME_ADJUST) ++ if (!ignore_time_skew && (abs (time_diff) > CSN_MAX_TIME_ADJUST)) + { + slapi_log_error (SLAPI_LOG_FATAL, NULL, "_csngen_adjust_local_time: " + "adjustment limit exceeded; value - %d, limit - %d\n", +-- +1.8.1.4 + diff --git a/SOURCES/0083-Ticket-342-better-error-message-when-cache-overflows.patch b/SOURCES/0083-Ticket-342-better-error-message-when-cache-overflows.patch new file mode 100644 index 0000000..8ec2bbd --- /dev/null +++ b/SOURCES/0083-Ticket-342-better-error-message-when-cache-overflows.patch @@ -0,0 +1,36 @@ +From 4730b81cfda96b8825ad0b01df2e89024f31b634 Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Thu, 16 Jan 2014 11:06:22 -0800 +Subject: [PATCH 83/83] Ticket #342 - better error message when cache overflows + +Description: commit 892bf12c1bb8b10afea3d6ff711059bf04e362cc +introduced an invalid memory read/write. This patch prepares one +extra aclpblock for the acl cache overflow. + +https://fedorahosted.org/389/ticket/342 + +Reviewed by rmeggins@redhat.com (Thank you, Rich!!) +(cherry picked from commit 3fee1fc829a4a9573d087d1ead3c949239e5e914) +(cherry picked from commit fe75b11cad371890482b7f394384083dc1b0fd70) +(cherry picked from commit aec20501db3a33df0bc151371cdec334c62af4b0) +--- + ldap/servers/plugins/acl/acl_ext.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c +index e42a7e2..ee2dd0f 100644 +--- a/ldap/servers/plugins/acl/acl_ext.c ++++ b/ldap/servers/plugins/acl/acl_ext.c +@@ -717,7 +717,8 @@ acl__malloc_aclpb ( ) + + /* allocate arrays for result cache */ + aclpb->aclpb_cache_result = (r_cache_t *) +- slapi_ch_calloc (aclpb_max_cache_results, sizeof (r_cache_t)); ++ slapi_ch_calloc (aclpb_max_cache_results + 1 /* 1 for cache overflow warning */, ++ sizeof (r_cache_t)); + + /* allocate arrays for target handles in eval_context */ + aclpb->aclpb_curr_entryEval_context.acle_handles_matched_target = (int *) +-- +1.8.1.4 + diff --git a/SOURCES/0084-Ticket-443-Deleting-attribute-present-in-nsslapd-all.patch b/SOURCES/0084-Ticket-443-Deleting-attribute-present-in-nsslapd-all.patch new file mode 100644 index 0000000..32aa515 --- /dev/null +++ b/SOURCES/0084-Ticket-443-Deleting-attribute-present-in-nsslapd-all.patch @@ -0,0 +1,122 @@ +From 84a58b65db55c914a800b0fb31d538bc691c2b13 Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Thu, 23 Jan 2014 18:07:56 -0800 +Subject: [PATCH 84/85] Ticket #443 - Deleting attribute present in + nsslapd-allowed-to-delete-attrs returns Operations error + +Description: commit 90dd9bb3c1411daca353d055d90618e67aa1fa7e introduced +an Invalid read/write. The commit meant to allow "on" and "off" as well +as integer 0 and 1 in on/off type of config parameters. This patch converts +the integers to "on" or "off" and pass it to config set function. + +https://fedorahosted.org/389/ticket/443 + +Reviewed by rmeggins@redhat.com (Thank you, Rich!!) +(cherry picked from commit c52987d295a9f4a091568d02679765f3a83beb69) +(cherry picked from commit 4266657727fc71afbb6b4f21886ebd86a68b2ed2) +(cherry picked from commit d68dc3235d04caf3736d3587801a3c96cfebccb6) +--- + ldap/servers/slapd/libglobs.c | 54 +++++++++++++++++++++++++------------------ + 1 file changed, 31 insertions(+), 23 deletions(-) + +diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c +index bcf7db4..8bd4978 100644 +--- a/ldap/servers/slapd/libglobs.c ++++ b/ldap/servers/slapd/libglobs.c +@@ -3176,8 +3176,7 @@ config_set_security( const char *attrname, char *value, char *errorbuf, int appl + } + + static int +-config_set_onoff ( const char *attrname, char *value, int *configvalue, +- char *errorbuf, int apply ) ++config_set_onoff(const char *attrname, char *value, int *configvalue, char *errorbuf, int apply) + { + int retVal = LDAP_SUCCESS; + slapi_onoff_t newval = -1; +@@ -3185,33 +3184,27 @@ config_set_onoff ( const char *attrname, char *value, int *configvalue, + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + #endif + +- if ( config_value_is_null( attrname, value, errorbuf, 0 )) { +- return LDAP_OPERATIONS_ERROR; ++ if ( config_value_is_null( attrname, value, errorbuf, 1 )) { ++ return LDAP_OPERATIONS_ERROR; + } + + CFG_ONOFF_LOCK_WRITE(slapdFrontendConfig); +- if ( strcasecmp ( value, "on" ) != 0 && +- strcasecmp ( value, "off") != 0 && +- /* initializing the value */ +- (*(int *)value != LDAP_ON) && +- (*(int *)value != LDAP_OFF)) { +- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, +- "%s: invalid value \"%s\". Valid values are \"on\" or \"off\".", +- attrname, value ); +- retVal = LDAP_OPERATIONS_ERROR; ++ if (strcasecmp(value, "on") && strcasecmp(value, "off")) { ++ PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, ++ "%s: invalid value \"%s\". Valid values are \"on\" or \"off\".", ++ attrname, value ); ++ retVal = LDAP_OPERATIONS_ERROR; + } + + if ( !apply ) { +- /* we can return now if we aren't applying the changes */ +- return retVal; ++ /* we can return now if we aren't applying the changes */ ++ return retVal; + } + + if ( strcasecmp ( value, "on" ) == 0 ) { +- newval = LDAP_ON; ++ newval = LDAP_ON; + } else if ( strcasecmp ( value, "off" ) == 0 ) { +- newval = LDAP_OFF; +- } else { /* assume it is an integer */ +- newval = *(slapi_onoff_t *)value; ++ newval = LDAP_OFF; + } + + #ifdef ATOMIC_GETSET_ONOFF +@@ -7000,6 +6993,18 @@ config_get_listen_backlog_size() + return retVal; + } + ++static char * ++config_initvalue_to_onoff(struct config_get_and_set *cgas, char *initvalbuf, size_t initvalbufsize) ++{ ++ char *retval = NULL; ++ if (cgas->config_var_type == CONFIG_ON_OFF) { ++ slapi_onoff_t *ival = (slapi_onoff_t *)(intptr_t)cgas->initvalue; ++ PR_snprintf(initvalbuf, initvalbufsize, "%s", (ival && *ival) ? "on" : "off"); ++ retval = initvalbuf; ++ } ++ return retval; ++} ++ + /* + * This function is intended to be used from the dse code modify callback. It + * is "optimized" for that case because it takes a berval** of values, which is +@@ -7048,12 +7053,15 @@ config_set(const char *attr, struct berval **values, char *errorbuf, int apply) + default: + if ((NULL == values) && + config_allowed_to_delete_attrs(cgas->attr_name)) { ++ char initvalbuf[64]; ++ void *initval = cgas->initvalue; ++ if (cgas->config_var_type == CONFIG_ON_OFF) { ++ initval = (void *)config_initvalue_to_onoff(cgas, initvalbuf, sizeof(initvalbuf)); ++ } + if (cgas->setfunc) { +- retval = (cgas->setfunc)(cgas->attr_name, cgas->initvalue, +- errorbuf, apply); ++ retval = (cgas->setfunc)(cgas->attr_name, initval, errorbuf, apply); + } else if (cgas->logsetfunc) { +- retval = (cgas->logsetfunc)(cgas->attr_name, cgas->initvalue, +- cgas->whichlog, errorbuf, apply); ++ retval = (cgas->logsetfunc)(cgas->attr_name, initval, cgas->whichlog, errorbuf, apply); + } else { + LDAPDebug1Arg(LDAP_DEBUG_ANY, + "config_set: the attribute %s is read only; " +-- +1.8.1.4 + diff --git a/SOURCES/0085-Ticket-47649-Server-hangs-in-cos_cache-when-adding-a.patch b/SOURCES/0085-Ticket-47649-Server-hangs-in-cos_cache-when-adding-a.patch new file mode 100644 index 0000000..a8a2426 --- /dev/null +++ b/SOURCES/0085-Ticket-47649-Server-hangs-in-cos_cache-when-adding-a.patch @@ -0,0 +1,173 @@ +From f86b7bd86945df33843e90a7ac84d5967a7e7e82 Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Fri, 24 Jan 2014 18:12:32 -0800 +Subject: [PATCH 85/85] Ticket #47649 - Server hangs in cos_cache when adding a + user entry + +Bug description: cos_dn_defs_cb reads cosDefinition and sets up the cos +Definition part of cos cache. In the function, when processing +cosAttribute, cosTargetTree and cosTemlpateDn are missing, it sets the +parent dn of the cos definition dn. This parent setting is needed only +when the 2 attributes are completely missing from the cos definition. +But if the attributes are located below cosAttribute (see the Example +cos definition), in addition to "cn=cosTemplates,ou=people,dc=example, +dc=com", the parent of "cn=generatePostalCode,ou=People,dc=example,dc=com" +is added to the cos cache as cosTemplateDn. + Example cos definition: + dn: cn=generatePostalCode,ou=People,dc=example,dc=com + description: generate postalCode attr based on location + objectClass: top + objectClass: ldapsubentry + objectClass: cossuperdefinition + objectClass: cosClassicDefinition + cosAttribute: postalCode + costemplatedn: cn=cosTemplates,ou=people,dc=example,dc=com + cosSpecifier: l + cn: generatePostalCode +The mistakenly added cosTemplatedDn makes adding an entry under ou=People +notify recreating the cos cache. The notification needs to be outside of +backend transaction since it causes a deadlock with the cos_cache_wait_ +on_change thread which cannot read the DB due to the transaction but holds +the lock that the notifier thread is waiting for. + +Fix description: The parent of the cos definition dn is set to the +cosTargetTree and the cosTemlpateDn, only when the attributes are +completely missing. + +https://fedorahosted.org/389/ticket/47649 + +Reviewed by rmeggins@redhat.com (Thank you, Rich!!) +(cherry picked from commit 1e52401d3abd0377f55676f4a1508a02aaa7f955) +(cherry picked from commit 01c0794cde7eb91a1a4e477a0286533df4a4ae38) +(cherry picked from commit 1ebad4bd50fb1483998a32b5d3e232e89aeda0f7) +--- + ldap/servers/plugins/cos/cos_cache.c | 82 +++++++++++++++++++++--------------- + 1 file changed, 48 insertions(+), 34 deletions(-) + +diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c +index fed2aa9..a68e59f 100644 +--- a/ldap/servers/plugins/cos/cos_cache.c ++++ b/ldap/servers/plugins/cos/cos_cache.c +@@ -727,7 +727,8 @@ struct dn_defs_info { + * if a particular attempt to add a definition fails: info.ret gets set to + * zero only if we succed to add a def. + */ +-static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data) ++static int ++cos_dn_defs_cb (Slapi_Entry* e, void *callback_data) + { + struct dn_defs_info *info; + cosAttrValue **pSneakyVal = 0; +@@ -877,31 +878,10 @@ static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data) + dnVals[valIndex]->bv_val); + } + +- if(!pCosTargetTree) +- { +- /* get the parent of the definition */ +- char *orig = slapi_dn_parent(pDn->val); +- Slapi_DN *psdn = slapi_sdn_new_dn_byval(orig); +- char *parent = (char *)slapi_sdn_get_dn(psdn); +- if (!parent) { +- parent = (char *)slapi_sdn_get_udn(psdn); +- LDAPDebug(LDAP_DEBUG_ANY, +- "cos_cache_build_definition_list: " +- "failed to normalize parent dn %s. " +- "Adding the pre normalized dn.\n", +- parent, 0, 0); +- } +- cos_cache_add_attrval(&pCosTargetTree, parent); +- if (!pCosTemplateDn) { +- cos_cache_add_attrval(&pCosTemplateDn, parent); +- } +- slapi_sdn_free(&psdn); +- } +- + slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, + dnVals[valIndex]->bv_val, NULL, NULL); + } /* if(attrType is cosAttribute) */ +- ++ + /* + * Add the attributetype to the appropriate + * list. +@@ -913,6 +893,47 @@ static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data) + ber_bvecfree( dnVals ); + dnVals = NULL; + } while(!slapi_entry_next_attr(e, dnAttr, &dnAttr)); ++ ++ if (pCosAttribute && (!pCosTargetTree || !pCosTemplateDn)) { ++ /* get the parent of the definition */ ++ char *orig = slapi_dn_parent(pDn->val); ++ char *parent = NULL; ++ if (orig) { ++ parent = slapi_create_dn_string("%s", orig); ++ if (!parent) { ++ parent = orig; ++ LDAPDebug1Arg(LDAP_DEBUG_ANY, ++ "cos_dn_defs_cb: " ++ "failed to normalize parent dn %s. " ++ "Adding the pre normalized dn.\n", ++ parent); ++ } ++ if (!pCosTargetTree) { ++ cos_cache_add_attrval(&pCosTargetTree, parent); ++ } ++ if (!pCosTemplateDn) { ++ cos_cache_add_attrval(&pCosTemplateDn, parent); ++ } ++ if (parent != orig) { ++ slapi_ch_free_string(&parent); ++ } ++ slapi_ch_free_string(&orig); ++ } else { ++ LDAPDebug1Arg(LDAP_DEBUG_ANY, ++ "cos_dn_defs_cb: " ++ "failed to get parent dn of cos definition %s.\n", ++ pDn->val); ++ if (!pCosTemplateDn) { ++ if (!pCosTargetTree) { ++ LDAPDebug0Args(LDAP_DEBUG_ANY, "cosTargetTree and cosTemplateDn are not set.\n"); ++ } else { ++ LDAPDebug0Args(LDAP_DEBUG_ANY, "cosTemplateDn is not set.\n"); ++ } ++ } else if (!pCosTargetTree) { ++ LDAPDebug0Args(LDAP_DEBUG_ANY, "cosTargetTree is not set.\n"); ++ } ++ } ++ } + + /* + determine the type of class of service scheme +@@ -951,9 +972,7 @@ static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data) + */ + + /* these must exist */ +- if( pDn && +- pObjectclass && +- ++ if(pDn && pObjectclass && + ( + (cosType == COSTYPE_CLASSIC && + pCosTemplateDn && +@@ -3582,14 +3601,9 @@ static int cos_cache_entry_is_cos_related( Slapi_Entry *e) { + { + pObj = (char*)slapi_value_get_string(val); + +- /* +- * objectclasses are ascii--maybe strcasecmp() is faster than +- * slapi_utf8casecmp() +- */ +- if( !strcasecmp(pObj, "cosdefinition") || +- !strcasecmp(pObj, "cossuperdefinition") || +- !strcasecmp(pObj, "costemplate") +- ) ++ if(!strcasecmp(pObj, "cosdefinition") || ++ !strcasecmp(pObj, "cossuperdefinition") || ++ !strcasecmp(pObj, "costemplate")) + { + rc = 1; + } +-- +1.8.1.4 + diff --git a/SOURCES/0086-Ticket-47374-flush.pl-is-not-included-in-perl5.patch b/SOURCES/0086-Ticket-47374-flush.pl-is-not-included-in-perl5.patch new file mode 100644 index 0000000..7322976 --- /dev/null +++ b/SOURCES/0086-Ticket-47374-flush.pl-is-not-included-in-perl5.patch @@ -0,0 +1,82 @@ +From 9b1e2d02e20f270aed32f05210d207398ae0f7a1 Mon Sep 17 00:00:00 2001 +From: Rich Megginson +Date: Fri, 31 Jan 2014 14:21:59 -0700 +Subject: [PATCH 86/87] Ticket #47374 - flush.pl is not included in perl5 + +https://fedorahosted.org/389/ticket/47374 +Reviewed by: nhosoi (Thanks!) +Branch: rhel-7.0 +Fix Description: Change opt_b to BeginNum and opt_r to Random_Seed. +Have to specify option as j=i because -j has an integer argument. +Get rid of opt_j and use ZeroPad instead. +Platforms tested: RHEL6 x86_64 +Flag Day: no +Doc impact: no +(cherry picked from commit f9ba01b4b9ce3881cf08433b0c43db93ab207507) +(cherry picked from commit 55df132065f109b8f548100461011c10b58843ea) +(cherry picked from commit ea868566c49869b3fa0f6e2c7194b743d22f77fe) +--- + ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in b/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in +index 51af0db..2ef76f2 100755 +--- a/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in ++++ b/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in +@@ -543,13 +543,14 @@ sub flush { + + my $Number_To_Generate = 1; + $Output_File_Name = "output.ldif"; +-$Random_Seed = 1; ++$Random_Seed = 0; + $Suffix = 'dc=example,dc=com'; + $NamingType = "uid"; + $inetOrgPerson = "objectClass: inetOrgPerson\n"; + $PrintOrgChartDat = 0; +-$DataDir = "/usr/share/dirsrv/data"; ++$DataDir = "@templatedir@"; + $BeginNum = 0; ++$ZeroPad = 0; + + $Verbose = 0; + $debug = 0; +@@ -572,7 +573,7 @@ GetOptions('number=i' => \$Number_To_Generate, + 'x' => \$opt_x, + 'y' => \$opt_y, + 'z' => \$opt_z, +- 'j' => \$opt_j, ++ 'j=i' => \$ZeroPad, + 'verbose' => \$Verbose, + 'debug' => \$debug, + 'quiet' => \$Quiet, +@@ -598,7 +599,6 @@ if ("" != $opt_y) + { + $printorgunit = 0; + } +-$ZeroPad = $opt_j; + + if ($Suffix =~ /o=/) { + ($Organization) = $Suffix =~ /o=([^,]+)/; +@@ -1029,8 +1029,8 @@ sub MakeRandomLocality { + sub MakeRandomName { + local($Given_Name, $Surname, $Full_Name, $UID, $uniq, $first, $last, $RDN); + # Get the unique number depending if a seed was set or not. +- $uniq = int rand($Random_Seed) if ($opt_r); +- $uniq = $x if (!$opt_r); ++ $uniq = int rand($Random_Seed) if ($Random_Seed); ++ $uniq = $x if (!$Random_Seed); + + $Given_Name = $given_names[rand @given_names]; + $Surname = $family_names[rand @family_names]; +@@ -1040,7 +1040,7 @@ sub MakeRandomName { + $UID = $first . $last . "$uniq"; + + # Create the uid based on the DN naming type defined +- if ($opt_b) { # use a uniquenumber for the RDN value ++ if ($BeginNum) { # use a uniquenumber for the RDN value + if ($ZeroPad) { + $RDN = sprintf "%0.${ZeroPad}d", $x; + } else { +-- +1.8.1.4 + diff --git a/SOURCES/0087-Ticket-471-logconv.pl-tool-removes-the-access-logs-c.patch b/SOURCES/0087-Ticket-471-logconv.pl-tool-removes-the-access-logs-c.patch new file mode 100644 index 0000000..1b62c2f --- /dev/null +++ b/SOURCES/0087-Ticket-471-logconv.pl-tool-removes-the-access-logs-c.patch @@ -0,0 +1,74 @@ +From 7dc5c28a3beeeb90cdae084ae6d1fa338c09c50f Mon Sep 17 00:00:00 2001 +From: Rich Megginson +Date: Fri, 31 Jan 2014 16:49:58 -0700 +Subject: [PATCH 87/87] Ticket #471 logconv.pl tool removes the access logs + contents if "-M" is not correctly used + +https://fedorahosted.org/389/ticket/471 +Reviewed by: nhosoi (Thanks!) +Branch: rhel-7.0 +Fix Description: Do not call new_stats_block() until we verify that it is safe +to call it. It will wipe out the file. +Platforms tested: RHEL6 x86_64 +Flag Day: no +Doc impact: no +(cherry picked from commit 7447050f572fb8865145d020e9eab64032f667be) +(cherry picked from commit cfbda421535451d99d3ee774a49fc099cfb902f0) +(cherry picked from commit 811300f30264a82b6cd9d0e1d7594a066458912c) +--- + ldap/admin/src/logconv.pl | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl +index e7d7507..99e0efd 100755 +--- a/ldap/admin/src/logconv.pl ++++ b/ldap/admin/src/logconv.pl +@@ -104,6 +104,8 @@ my $reportBinds = "no"; + my $rootDN = ""; + my $needCleanup = 0; + my @scopeTxt = ("0 (base)", "1 (one)", "2 (subtree)"); ++my $reportStatsSecFile; ++my $reportStatsMinFile; + + GetOptions( + 'd|rootDN=s' => \$rootDN, +@@ -115,8 +117,8 @@ GetOptions( + 'S|startTime=s' => \$startTime, + 'E|endTime=s' => \$endTime, + 'B|bind=s' => sub { $reportBinds = "yes"; $bindReportDN=($_[1]) }, +- 'm|reportFileSecs=s' => sub { my ($opt,$value) = @_; $s_stats = new_stats_block($value); $reportStats = "-m";}, +- 'M|reportFileMins=s' => sub { my ($opt,$value) = @_; $m_stats = new_stats_block($value); $reportStats = "-M";}, ++ 'm|reportFileSecs=s' => \$reportStatsSecFile, ++ 'M|reportFileMins=s' => \$reportStatsMinFile, + 'h|help' => sub { displayUsage() }, + # usage options '-efcibaltnxgjuiryp' + 'e' => sub { $usage = $usage . "e"; }, +@@ -169,14 +171,23 @@ while($arg_count <= $#ARGV){ + } + + if($file_count == 0){ +- if($reportStats){ +- print "Usage error for option $reportStats, either the output file or access log is missing!\n\n"; ++ if($reportStatsSecFile or $reportStatsMinFile){ ++ print "Usage error for option -m or -M, either the output file or access log is missing!\n\n"; + } else { + print "There are no access logs specified!\n\n"; + } + exit 1; + } + ++if ($reportStatsSecFile) { ++ $s_stats = new_stats_block($reportStatsSecFile); ++ $reportStats = "-m"; ++} ++if ($reportStatsMinFile) { ++ $m_stats = new_stats_block($reportStatsMinFile); ++ $reportStats = "-M"; ++} ++ + if ($sizeCount eq "all"){$sizeCount = "100000";} + + ####################################### +-- +1.8.1.4 + diff --git a/SOURCES/0088-Ticket-47704-invalid-sizelimits-in-aci-group-evaluat.patch b/SOURCES/0088-Ticket-47704-invalid-sizelimits-in-aci-group-evaluat.patch new file mode 100644 index 0000000..cf4a32f --- /dev/null +++ b/SOURCES/0088-Ticket-47704-invalid-sizelimits-in-aci-group-evaluat.patch @@ -0,0 +1,45 @@ +From e585f17556d12f96683665aed7699a78a89c9ab4 Mon Sep 17 00:00:00 2001 +From: Ludwig Krispenz +Date: Tue, 18 Feb 2014 11:40:16 +0100 +Subject: [PATCH] Ticket 47704 - invalid sizelimits in aci group evaluation + +Bug Description: aci group evaluation fails because of sizelimit exceeded + but it is exceeded because it is -1476887876 or another + negative integer becasue operation parameter are a union + based on operation types and so for otehr than search + the value is dependent on the operation params + +Fix Description: treat any negative integer like -1 (unlimited). A better fix + would be to introduce a specific configuration param or + to abondon the limit in group evaluation at all. But this + could introduce backward compatibility problems and + will be handled in ticket 47703 for newer versions + +https://fedorahosted.org/389/ticket/47704 + +Reviewed by: Rich, thanks +(cherry picked from commit 377266ebb2ff488aa3cc4b96990c002db7e6103e) +--- + ldap/servers/plugins/acl/acl_ext.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c +index ee2dd0f..b9cec43 100644 +--- a/ldap/servers/plugins/acl/acl_ext.c ++++ b/ldap/servers/plugins/acl/acl_ext.c +@@ -836,6 +836,12 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy + slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &aclpb->aclpb_max_member_sizelimit ); + if ( aclpb->aclpb_max_member_sizelimit == 0 ) { + aclpb->aclpb_max_member_sizelimit = SLAPD_DEFAULT_LOOKTHROUGHLIMIT; ++ } else if ( aclpb->aclpb_max_member_sizelimit < -1 ) { ++ /* handle the case of a negtive size limit either set or due ++ * to bug bz1065971. The member size limit should be dropped, ++ * but for backward compatibility to the best we can ++ */ ++ aclpb->aclpb_max_member_sizelimit = -1; + } + slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &aclpb->aclpb_optype ); + +-- +1.8.1.4 + diff --git a/SOURCES/0089-Ticket-47709-package-issue-in-389-ds-base.patch b/SOURCES/0089-Ticket-47709-package-issue-in-389-ds-base.patch new file mode 100644 index 0000000..c54b3b2 --- /dev/null +++ b/SOURCES/0089-Ticket-47709-package-issue-in-389-ds-base.patch @@ -0,0 +1,87 @@ +From 8cbc6f09ee63f21b235219e7ca92ed26b28c52da Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Thu, 20 Feb 2014 13:18:06 -0800 +Subject: [PATCH 89/90] Ticket #47709 - package issue in 389-ds-base + +Description: Following the package guideline, moving pytyon binaries +to the architecture aware location and libns-dshttpd.so* from 389-ds-base +to 389-ds-base-libs. + +https://fedorahosted.org/389/ticket/47709 + +Reviewed by rmeggins@redhat.com (Thank you, Rich!!) + +(cherry picked from commit a32b2a9ddc5764d449b051c20077643585e81def) +(cherry picked from commit 011385ad8cb8afc42611b57a3a88600eb1d56932) +(cherry picked from commit f1bbfe2ff0768128b10903ca1262302313b74ad6) +--- + Makefile.am | 8 +++++--- + configure.ac | 5 +++++ + 2 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 8cf7ba7..04845a0 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -166,6 +166,7 @@ initdir = @initdir@ + initconfigdir = $(sysconfdir)@initconfigdir@ + instconfigdir = @instconfigdir@ + perldir = $(libdir)@perldir@ ++pythondir = $(libdir)@pythondir@ + infdir = $(datadir)@infdir@ + mibdir = $(datadir)@mibdir@ + updatedir = $(datadir)@updatedir@ +@@ -250,9 +251,7 @@ config_DATA = $(srcdir)/lib/ldaputil/certmap.conf \ + # with the default schema e.g. there is + # considerable overlap of 60changelog.ldif and 01common.ldif + # and 60inetmail.ldif and 50ns-mail.ldif among others +-sampledata_DATA = ldap/admin/src/scripts/failedbinds.py \ +- ldap/admin/src/scripts/DSSharedLib \ +- ldap/admin/src/scripts/logregex.py \ ++sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \ + $(srcdir)/ldap/ldif/Ace.ldif \ + $(srcdir)/ldap/ldif/European.ldif \ + $(srcdir)/ldap/ldif/Eurosuffix.ldif \ +@@ -404,6 +403,9 @@ perl_DATA = ldap/admin/src/scripts/SetupLog.pm \ + ldap/admin/src/scripts/DSUpdate.pm \ + ldap/admin/src/scripts/DSUpdateDialogs.pm + ++python_DATA = ldap/admin/src/scripts/failedbinds.py \ ++ ldap/admin/src/scripts/logregex.py ++ + property_DATA = ldap/admin/src/scripts/setup-ds.res \ + ldap/admin/src/scripts/migrate-ds.res + +diff --git a/configure.ac b/configure.ac +index 2376b34..908683e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -264,6 +264,8 @@ if test "$with_fhs_opt" = "yes"; then + propertydir=/properties + # relative to libdir + perldir=/perl ++ # relative to libdir ++ pythondir=/python + else + if test "$with_fhs" = "yes"; then + ac_default_prefix=/usr +@@ -295,6 +297,8 @@ else + propertydir=/$PACKAGE_NAME/properties + # relative to libdir + perldir=/$PACKAGE_NAME/perl ++ # relative to libdir ++ pythondir=/$PACKAGE_NAME/python + fi + + # if mandir is the default value, override it +@@ -403,6 +407,7 @@ AC_SUBST(serverincdir) + AC_SUBST(serverplugindir) + AC_SUBST(scripttemplatedir) + AC_SUBST(perldir) ++AC_SUBST(pythondir) + AC_SUBST(infdir) + AC_SUBST(mibdir) + AC_SUBST(mandir) +-- +1.8.1.4 + diff --git a/SOURCES/0090-Ticket-47709-package-issue-in-389-ds-base.patch b/SOURCES/0090-Ticket-47709-package-issue-in-389-ds-base.patch new file mode 100644 index 0000000..4e3b58a --- /dev/null +++ b/SOURCES/0090-Ticket-47709-package-issue-in-389-ds-base.patch @@ -0,0 +1,204 @@ +From 9293031eee2e795d6712f1d92314be03fe6f0751 Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Thu, 20 Feb 2014 15:31:05 -0800 +Subject: [PATCH 90/90] Ticket #47709 - package issue in 389-ds-base + +Description: Automatically generated files: Makefile.in, configure +(cherry picked from commit 99d5d3e59827c132ba2666c67f9e22bd62aaacab) +--- + Makefile.in | 65 ++++++++++++++++++++++++++++++++++++++++++------------------- + configure | 6 ++++++ + 2 files changed, 51 insertions(+), 20 deletions(-) + +diff --git a/Makefile.in b/Makefile.in +index d90f130..21d9dc5 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -144,9 +144,9 @@ am__installdirs = "$(DESTDIR)$(serverdir)" \ + "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" \ + "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" \ + "$(DESTDIR)$(pkgconfigdir)" "$(DESTDIR)$(propertydir)" \ +- "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)" \ +- "$(DESTDIR)$(systemdsystemunitdir)" "$(DESTDIR)$(updatedir)" \ +- "$(DESTDIR)$(serverincdir)" ++ "$(DESTDIR)$(pythondir)" "$(DESTDIR)$(sampledatadir)" \ ++ "$(DESTDIR)$(schemadir)" "$(DESTDIR)$(systemdsystemunitdir)" \ ++ "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(serverincdir)" + LTLIBRARIES = $(server_LTLIBRARIES) $(serverplugin_LTLIBRARIES) + am__DEPENDENCIES_1 = + libacctpolicy_plugin_la_DEPENDENCIES = libslapd.la \ +@@ -1104,8 +1104,8 @@ NROFF = nroff + MANS = $(dist_man_MANS) + DATA = $(config_DATA) $(inf_DATA) $(initconfig_DATA) $(mib_DATA) \ + $(nodist_property_DATA) $(perl_DATA) $(pkgconfig_DATA) \ +- $(property_DATA) $(sampledata_DATA) $(schema_DATA) \ +- $(systemdsystemunit_DATA) $(update_DATA) ++ $(property_DATA) $(python_DATA) $(sampledata_DATA) \ ++ $(schema_DATA) $(systemdsystemunit_DATA) $(update_DATA) + HEADERS = $(serverinc_HEADERS) + ETAGS = etags + CTAGS = ctags +@@ -1314,6 +1314,7 @@ prefix = @prefix@ + program_transform_name = @program_transform_name@ + propertydir = $(datadir)@propertydir@ + psdir = @psdir@ ++pythondir = $(libdir)@pythondir@ + sampledatadir = $(datadir)@sampledatadir@ + sasl_inc = @sasl_inc@ + sasl_lib = @sasl_lib@ +@@ -1519,9 +1520,7 @@ config_DATA = $(srcdir)/lib/ldaputil/certmap.conf \ + # with the default schema e.g. there is + # considerable overlap of 60changelog.ldif and 01common.ldif + # and 60inetmail.ldif and 50ns-mail.ldif among others +-sampledata_DATA = ldap/admin/src/scripts/failedbinds.py \ +- ldap/admin/src/scripts/DSSharedLib \ +- ldap/admin/src/scripts/logregex.py \ ++sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \ + $(srcdir)/ldap/ldif/Ace.ldif \ + $(srcdir)/ldap/ldif/European.ldif \ + $(srcdir)/ldap/ldif/Eurosuffix.ldif \ +@@ -1674,6 +1673,9 @@ perl_DATA = ldap/admin/src/scripts/SetupLog.pm \ + ldap/admin/src/scripts/DSUpdate.pm \ + ldap/admin/src/scripts/DSUpdateDialogs.pm + ++python_DATA = ldap/admin/src/scripts/failedbinds.py \ ++ ldap/admin/src/scripts/logregex.py ++ + property_DATA = ldap/admin/src/scripts/setup-ds.res \ + ldap/admin/src/scripts/migrate-ds.res + +@@ -9547,6 +9549,27 @@ uninstall-propertyDATA: + @list='$(property_DATA)'; test -n "$(propertydir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(propertydir)'; $(am__uninstall_files_from_dir) ++install-pythonDATA: $(python_DATA) ++ @$(NORMAL_INSTALL) ++ @list='$(python_DATA)'; test -n "$(pythondir)" || list=; \ ++ if test -n "$$list"; then \ ++ echo " $(MKDIR_P) '$(DESTDIR)$(pythondir)'"; \ ++ $(MKDIR_P) "$(DESTDIR)$(pythondir)" || exit 1; \ ++ fi; \ ++ for p in $$list; do \ ++ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ ++ echo "$$d$$p"; \ ++ done | $(am__base_list) | \ ++ while read files; do \ ++ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pythondir)'"; \ ++ $(INSTALL_DATA) $$files "$(DESTDIR)$(pythondir)" || exit $$?; \ ++ done ++ ++uninstall-pythonDATA: ++ @$(NORMAL_UNINSTALL) ++ @list='$(python_DATA)'; test -n "$(pythondir)" || list=; \ ++ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ ++ dir='$(DESTDIR)$(pythondir)'; $(am__uninstall_files_from_dir) + install-sampledataDATA: $(sampledata_DATA) + @$(NORMAL_INSTALL) + @list='$(sampledata_DATA)'; test -n "$(sampledatadir)" || list=; \ +@@ -9903,7 +9926,7 @@ check: $(BUILT_SOURCES) + all-am: Makefile $(LIBRARIES) $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) \ + $(MANS) $(DATA) $(HEADERS) config.h + installdirs: +- for dir in "$(DESTDIR)$(serverdir)" "$(DESTDIR)$(serverplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(taskdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" "$(DESTDIR)$(pkgconfigdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)" "$(DESTDIR)$(systemdsystemunitdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(serverincdir)"; do \ ++ for dir in "$(DESTDIR)$(serverdir)" "$(DESTDIR)$(serverplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(taskdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" "$(DESTDIR)$(pkgconfigdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(pythondir)" "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)" "$(DESTDIR)$(systemdsystemunitdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(serverincdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done + install: $(BUILT_SOURCES) +@@ -10058,7 +10081,7 @@ info-am: + install-data-am: install-configDATA install-infDATA \ + install-initSCRIPTS install-initconfigDATA install-man \ + install-mibDATA install-nodist_propertyDATA install-perlDATA \ +- install-pkgconfigDATA install-propertyDATA \ ++ install-pkgconfigDATA install-propertyDATA install-pythonDATA \ + install-sampledataDATA install-schemaDATA \ + install-serverLTLIBRARIES install-serverincHEADERS \ + install-serverpluginLTLIBRARIES install-systemdsystemunitDATA \ +@@ -10116,10 +10139,10 @@ uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \ + uninstall-initconfigDATA uninstall-man uninstall-mibDATA \ + uninstall-nodist_propertyDATA uninstall-perlDATA \ + uninstall-pkgconfigDATA uninstall-propertyDATA \ +- uninstall-sampledataDATA uninstall-sbinPROGRAMS \ +- uninstall-sbinSCRIPTS uninstall-schemaDATA \ +- uninstall-serverLTLIBRARIES uninstall-serverincHEADERS \ +- uninstall-serverpluginLTLIBRARIES \ ++ uninstall-pythonDATA uninstall-sampledataDATA \ ++ uninstall-sbinPROGRAMS uninstall-sbinSCRIPTS \ ++ uninstall-schemaDATA uninstall-serverLTLIBRARIES \ ++ uninstall-serverincHEADERS uninstall-serverpluginLTLIBRARIES \ + uninstall-systemdsystemunitDATA uninstall-taskSCRIPTS \ + uninstall-updateDATA uninstall-updateSCRIPTS + +@@ -10145,8 +10168,9 @@ uninstall-man: uninstall-man1 uninstall-man8 + install-man1 install-man8 install-mibDATA \ + install-nodist_propertyDATA install-pdf install-pdf-am \ + install-perlDATA install-pkgconfigDATA install-propertyDATA \ +- install-ps install-ps-am install-sampledataDATA \ +- install-sbinPROGRAMS install-sbinSCRIPTS install-schemaDATA \ ++ install-ps install-ps-am install-pythonDATA \ ++ install-sampledataDATA install-sbinPROGRAMS \ ++ install-sbinSCRIPTS install-schemaDATA \ + install-serverLTLIBRARIES install-serverincHEADERS \ + install-serverpluginLTLIBRARIES install-strip \ + install-systemdsystemunitDATA install-taskSCRIPTS \ +@@ -10160,15 +10184,16 @@ uninstall-man: uninstall-man1 uninstall-man8 + uninstall-man1 uninstall-man8 uninstall-mibDATA \ + uninstall-nodist_propertyDATA uninstall-perlDATA \ + uninstall-pkgconfigDATA uninstall-propertyDATA \ +- uninstall-sampledataDATA uninstall-sbinPROGRAMS \ +- uninstall-sbinSCRIPTS uninstall-schemaDATA \ +- uninstall-serverLTLIBRARIES uninstall-serverincHEADERS \ +- uninstall-serverpluginLTLIBRARIES \ ++ uninstall-pythonDATA uninstall-sampledataDATA \ ++ uninstall-sbinPROGRAMS uninstall-sbinSCRIPTS \ ++ uninstall-schemaDATA uninstall-serverLTLIBRARIES \ ++ uninstall-serverincHEADERS uninstall-serverpluginLTLIBRARIES \ + uninstall-systemdsystemunitDATA uninstall-taskSCRIPTS \ + uninstall-updateDATA uninstall-updateSCRIPTS + + + clean-local: ++ -rm -rf dist + -rm -rf selinux-built + + dberrstrs.h: Makefile +diff --git a/configure b/configure +index 22cc78f..fd1bfb6 100755 +--- a/configure ++++ b/configure +@@ -720,6 +720,7 @@ defaultuser + updatedir + mibdir + infdir ++pythondir + perldir + scripttemplatedir + serverplugindir +@@ -17934,6 +17935,8 @@ if test "$with_fhs_opt" = "yes"; then + propertydir=/properties + # relative to libdir + perldir=/perl ++ # relative to libdir ++ pythondir=/python + else + if test "$with_fhs" = "yes"; then + ac_default_prefix=/usr +@@ -17963,6 +17966,8 @@ else + propertydir=/$PACKAGE_NAME/properties + # relative to libdir + perldir=/$PACKAGE_NAME/perl ++ # relative to libdir ++ pythondir=/$PACKAGE_NAME/python + fi + + # if mandir is the default value, override it +@@ -18216,6 +18221,7 @@ fi + + + ++ + # check for --with-instconfigdir + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-instconfigdir" >&5 + $as_echo_n "checking for --with-instconfigdir... " >&6; } +-- +1.8.1.4 + diff --git a/SOURCES/0091-Ticket-408-create-a-normalized-dn-cache.patch b/SOURCES/0091-Ticket-408-create-a-normalized-dn-cache.patch new file mode 100644 index 0000000..88da6e6 --- /dev/null +++ b/SOURCES/0091-Ticket-408-create-a-normalized-dn-cache.patch @@ -0,0 +1,35 @@ +From 515c57545df1958f90571461e6a1109e5c40522d Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Tue, 25 Feb 2014 14:33:48 -0800 +Subject: [PATCH 91/92] Ticket 408 - create a normalized dn cache + +covscan Defect type: FORWARD_NULL +15. 389-ds-base-1.3.1.6/ldap/servers/slapd/dn.c:3036:var_deref_op - + Dereferencing null pointer "node". +Introduced by commit 1d6dd39fb8b0ef8eb42ec9ef8c3d325e27a3d3c1 +Fix: Check if "node" is null or not before referencing. + +Reviewed by rmeggins@redhat.com (Thank you, Rich!!) +(cherry picked from commit 5ac08038a05877b4240755801debd5e5a3a94c6f) +(cherry picked from commit 977c1b293beb0e8324a99614705ba316d46352f8) +(cherry picked from commit 056d390f9ee97f02447ae802deb388ec41bf6925) +--- + ldap/servers/slapd/dn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c +index 1eab631..4a11a18 100644 +--- a/ldap/servers/slapd/dn.c ++++ b/ldap/servers/slapd/dn.c +@@ -3003,7 +3003,7 @@ ndn_cache_flush() + int i; + + node = ndn_cache->tail; +- for(i = 0; i < NDN_FLUSH_COUNT && ndn_cache->cache_count > NDN_MIN_COUNT; i++){ ++ for(i = 0; node && i < NDN_FLUSH_COUNT && ndn_cache->cache_count > NDN_MIN_COUNT; i++){ + flush_node = node; + /* update the lru */ + next = node->prev; +-- +1.8.1.4 + diff --git a/SOURCES/0092-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch b/SOURCES/0092-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch new file mode 100644 index 0000000..0aad61a --- /dev/null +++ b/SOURCES/0092-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch @@ -0,0 +1,39 @@ +From c5950ffa10303383596ea7611844185901d74e2f Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Tue, 25 Feb 2014 15:09:34 -0800 +Subject: [PATCH 92/92] Ticket 571 (dup 47361) - Empty control list causes LDAP + protocol error is thrown + +covscan Defect type: Compiler Warnings +2. 389-ds-base-1.3.1.6/ldap/servers/slapd/control.c:364:25: + warning - format '%d' expects argument of type 'int', + but argument 4 has type 'PRUint64' [-Wformat=] +Introduced by commit d695afb6a637432e880296d8552f466981c0796c +Fix: Replaced %d with % NSPRIu64 + +Reviewed by rmeggins@redhat.com (Thank you, Rich!!) +(cherry picked from commit 383db4a27cc417c1708989d84cf0e4445936ae9f) +(cherry picked from commit 8b92149bf229d12052a2f349611e5f639fc57ef8) +(cherry picked from commit 86b76ef2466659efd31b07bc02b02daf444a9cde) +--- + ldap/servers/slapd/control.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c +index e614d50..1229e9f 100644 +--- a/ldap/servers/slapd/control.c ++++ b/ldap/servers/slapd/control.c +@@ -360,8 +360,8 @@ get_ldapmessage_controls_ext( + slapi_pblock_set(pb, SLAPI_REQCONTROLS, NULL); + slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found); + slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found); +- slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%d op=%d contains an empty list of controls\n", +- pb->pb_conn->c_connid, pb->pb_op->o_opid); ++ slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%" NSPRIu64 " op=%d contains an empty list of controls\n", ++ (long long unsigned int)pb->pb_conn->c_connid, pb->pb_op->o_opid); + } else { + if ((tag != LBER_END_OF_SEQORSET) && (len != -1)) { + goto free_and_return; +-- +1.8.1.4 + diff --git a/SOURCES/0093-Ticket-408-create-a-normalized-dn-cache.patch b/SOURCES/0093-Ticket-408-create-a-normalized-dn-cache.patch new file mode 100644 index 0000000..2c78087 --- /dev/null +++ b/SOURCES/0093-Ticket-408-create-a-normalized-dn-cache.patch @@ -0,0 +1,35 @@ +From 6cf6bea5372a57ffeee304c601e665f13861353c Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Tue, 25 Feb 2014 16:54:22 -0800 +Subject: [PATCH] Ticket 408 - create a normalized dn cache + +covscan Defect type: FORWARD_NULL +15. 389-ds-base-1.3.1.6/ldap/servers/slapd/dn.c:3036:var_deref_op - + Dereferencing null pointer "node". +Introduced by commit 1d6dd39fb8b0ef8eb42ec9ef8c3d325e27a3d3c1 +Fix: Check if "node" is null or not before referencing. +Note: Found second FORWARD_NULL in addition to + commit 5ac08038a05877b4240755801debd5e5a3a94c6f, +(cherry picked from commit ea13cda8f49646be8a9a5e468b2819bd2d91ca87) +(cherry picked from commit dfa36fd4a7ab243a5692e7792d19e67e63b1e397) +(cherry picked from commit 347ffb722f7d376e0ad2c565ada533f0dad3cfb8) +--- + ldap/servers/slapd/dn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c +index 4a11a18..003e9b7 100644 +--- a/ldap/servers/slapd/dn.c ++++ b/ldap/servers/slapd/dn.c +@@ -3030,7 +3030,7 @@ ndn_cache_free() + } + + node = ndn_cache->tail; +- while(ndn_cache->cache_count){ ++ while(node && ndn_cache->cache_count){ + flush_node = node; + /* update the lru */ + next = node->prev; +-- +1.8.1.4 + diff --git a/SOURCES/0094-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch b/SOURCES/0094-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch new file mode 100644 index 0000000..9eca655 --- /dev/null +++ b/SOURCES/0094-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch @@ -0,0 +1,158 @@ +From e2b8468f459647261812f542485f3481d39bd26c Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Fri, 7 Mar 2014 12:29:55 -0800 +Subject: [PATCH] Ticket #47735 - e_uniqueid fails to set if an entry is a + conflict entry + +Bug Description: +When an entry is turned to be a conflict entry, its nsUniqueId has +a mdcsn info as a subtype like this: + nsUniqueId;mdcsn-5319136f000200010000: c5e0d787-a58f11e3-b7f9dfd1-acc3d5e4 +In this case, the attribute type is assigned to the berval "type" +as follows: + type.bv_val = "nsUniqueId;mdcsn-5319136f000200010000" + type.bv_len = 37 +The subtyped stateinfo is processed in str2entry_state_information_from_type, +which modifies type.bv_val to "nsUniqueId", but type.bv_len remains 37. +str2entry_fast has this logic to set e_uniqueid, where the nsUniqueId +with stateinfo fails to set the value to e_uniqueid. + if ( type.bv_len == 10 && + PL_strncasecmp (type.bv_val, "nsUniqueId", type.bv_len) == 0 ){ + +Fix Description: This patch resets the length of the type with the +basetype length 10 before the if expression is called for setting +e_uniqueid. + +https://fedorahosted.org/389/ticket/47735 + +Reviewed by rmeggins@redhat.com (Thank you, Rich!!) +(cherry picked from commit 07bd2259cc45c9d5c193b15faaf0d0c60e1b723c) +(cherry picked from commit 6e0ffbe1bdde99cfd71a5617d89482eef4696c7f) +(cherry picked from commit d4350bd0724c37040a4aaf361a10918c925b7605) +--- + ldap/servers/slapd/entry.c | 60 +++++++++++++++++++++++++++------------------- + 1 file changed, 36 insertions(+), 24 deletions(-) + +diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c +index 60e1dfe..0d018a9 100644 +--- a/ldap/servers/slapd/entry.c ++++ b/ldap/servers/slapd/entry.c +@@ -95,10 +95,22 @@ struct attrs_in_extension attrs_in_extension[] = + /* + * WARNING: s gets butchered... the base type remains. + */ +-void +-str2entry_state_information_from_type(char *s,CSNSet **csnset,CSN **attributedeletioncsn,CSN **maxcsn,int *value_state,int *attr_state) ++static void ++str2entry_state_information_from_type(struct berval *atype, ++ CSNSet **csnset, ++ CSN **attributedeletioncsn, ++ CSN **maxcsn, ++ int *value_state, ++ int *attr_state) + { +- char *p= strchr(s, ';'); ++ char *p = NULL; ++ if ((NULL == atype) || (NULL == atype->bv_val)) { ++ return; ++ } ++ p = PL_strchr(atype->bv_val, ';'); ++ if (p) { ++ atype->bv_len = p - atype->bv_val; ++ } + *value_state= VALUE_PRESENT; + *attr_state= ATTRIBUTE_PRESENT; + while(p!=NULL) +@@ -243,19 +255,20 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in + } + + if ( slapi_ldif_parse_line( s, &type, &value, &freeval ) < 0 ) { +- LDAPDebug( LDAP_DEBUG_TRACE, +- "<= str2entry_fast NULL (parse_line)\n", 0, 0, 0 ); ++ LDAPDebug0Args(LDAP_DEBUG_TRACE, "<= str2entry_fast NULL (parse_line)\n"); + continue; + } + + /* + * Extract the attribute and value CSNs from the attribute type. +- */ ++ */ + csn_free(&attributedeletioncsn); /* JCM - Do this more efficiently */ + csnset_free(&valuecsnset); + value_state= VALUE_NOTFOUND; + attr_state= ATTRIBUTE_NOTFOUND; +- str2entry_state_information_from_type(type.bv_val,&valuecsnset,&attributedeletioncsn,&maxcsn,&value_state,&attr_state); ++ str2entry_state_information_from_type(&type, ++ &valuecsnset, &attributedeletioncsn, ++ &maxcsn, &value_state, &attr_state); + if(!read_stateinfo) + { + /* We are not maintaining state information */ +@@ -393,8 +406,7 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in + } + + /* retrieve uniqueid */ +- if ( type.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH && PL_strncasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID, type.bv_len) == 0 ){ +- ++ if ((type.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH) && (PL_strcasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID) == 0)) { + if (e->e_uniqueid != NULL){ + LDAPDebug (LDAP_DEBUG_TRACE, + "str2entry_fast: entry has multiple uniqueids %s " +@@ -752,22 +764,21 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo ) + char *valuecharptr=NULL; + struct berval bvvalue; + int rc; +- entry_attrs *ea = NULL; +- int tree_attr_checking = 0; +- int big_entry_attr_presence_check = 0; +- int check_for_duplicate_values = +- ( 0 != ( flags & SLAPI_STR2ENTRY_REMOVEDUPVALS )); +- Slapi_Value *value = 0; +- CSN *attributedeletioncsn= NULL; +- CSNSet *valuecsnset= NULL; +- CSN *maxcsn= NULL; +- char *normdn = NULL; +- int strict = 0; ++ entry_attrs *ea = NULL; ++ int tree_attr_checking = 0; ++ int big_entry_attr_presence_check = 0; ++ int check_for_duplicate_values = ( 0 != ( flags & SLAPI_STR2ENTRY_REMOVEDUPVALS )); ++ Slapi_Value *value = 0; ++ CSN *attributedeletioncsn= NULL; ++ CSNSet *valuecsnset= NULL; ++ CSN *maxcsn= NULL; ++ char *normdn = NULL; ++ int strict = 0; + + /* Check if we should be performing strict validation. */ + strict = config_get_dn_validate_strict(); + +- LDAPDebug( LDAP_DEBUG_TRACE, "=> str2entry_dupcheck\n", 0, 0, 0 ); ++ LDAPDebug0Args(LDAP_DEBUG_TRACE, "=> str2entry_dupcheck\n"); + + e = slapi_entry_alloc(); + slapi_entry_init(e,NULL,NULL); +@@ -808,7 +819,9 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo ) + csnset_free(&valuecsnset); + value_state= VALUE_NOTFOUND; + attr_state= VALUE_NOTFOUND; +- str2entry_state_information_from_type(type,&valuecsnset,&attributedeletioncsn,&maxcsn,&value_state,&attr_state); ++ str2entry_state_information_from_type(&bvtype, ++ &valuecsnset, &attributedeletioncsn, ++ &maxcsn, &value_state, &attr_state); + if(!read_stateinfo) + { + /* We are not maintaining state information */ +@@ -916,8 +929,7 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo ) + } + + /* retrieve uniqueid */ +- if ( strcasecmp (type, SLAPI_ATTR_UNIQUEID) == 0 ){ +- ++ if ((bvtype.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH) && (PL_strcasecmp (type, SLAPI_ATTR_UNIQUEID) == 0)) { + if (e->e_uniqueid != NULL){ + LDAPDebug (LDAP_DEBUG_TRACE, + "str2entry_dupcheck: entry has multiple uniqueids %s " +-- +1.8.1.4 + diff --git a/SOURCES/0095-Ticket-47739-directory-server-is-insecurely-misinter.patch b/SOURCES/0095-Ticket-47739-directory-server-is-insecurely-misinter.patch new file mode 100644 index 0000000..0d649a3 --- /dev/null +++ b/SOURCES/0095-Ticket-47739-directory-server-is-insecurely-misinter.patch @@ -0,0 +1,75 @@ +From 8a368a62ea22127f95017467a044df57937ed238 Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Mon, 10 Mar 2014 16:12:08 -0700 +Subject: [PATCH] Ticket #47739 - directory server is insecurely + misinterpreting authzid on a SASL/GSSAPI bind + +Description: SASL_CB_PROXY_POLICY callback is not needed since we +don't support the case authid and authzid do not match. This patch +gets rid of the callback function ids_sasl_proxy_policy. + +https://fedorahosted.org/389/ticket/47739 + +Reviewed by nkinder@redhat.com (Thank you, Nathan!!) +(cherry picked from commit 76acff12a86110d4165f94e2cba13ef5c7ebc38a) +(cherry picked from commit 9bc2b46b7c7ee4c975d04b041f73a5992906b07c) +(cherry picked from commit d2063c889feeba122e12f152e2e2c98aed4eb442) +(cherry picked from commit 614d72196e696395d5bc0a6d62f8be9d4ee41c5b) +--- + ldap/servers/slapd/saslbind.c | 33 --------------------------------- + 1 file changed, 33 deletions(-) + +diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c +index 96b1f8c..b405c46 100644 +--- a/ldap/servers/slapd/saslbind.c ++++ b/ldap/servers/slapd/saslbind.c +@@ -229,34 +229,6 @@ static int ids_sasl_log( + return SASL_OK; + } + +-static int ids_sasl_proxy_policy( +- sasl_conn_t *conn, +- void *context, +- const char *requested_user, int rlen, +- const char *auth_identity, int alen, +- const char *def_realm, int urlen, +- struct propctx *propctx +-) +-{ +- int retVal = SASL_OK; +- /* do not permit sasl proxy authorization */ +- /* if the auth_identity is null or empty string, allow the sasl request to go thru */ +- if ( (auth_identity != NULL ) && ( strlen(auth_identity) > 0 ) ) { +- Slapi_DN authId , reqUser; +- slapi_sdn_init_dn_byref(&authId,auth_identity); +- slapi_sdn_init_dn_byref(&reqUser,requested_user); +- if (slapi_sdn_compare((const Slapi_DN *)&reqUser,(const Slapi_DN *) &authId) != 0) { +- LDAPDebug(LDAP_DEBUG_TRACE, +- "sasl proxy auth not permitted authid=%s user=%s\n", +- auth_identity, requested_user, 0); +- retVal = SASL_NOAUTHZ; +- } +- slapi_sdn_done(&authId); +- slapi_sdn_done(&reqUser); +- } +- return retVal; +-} +- + static void ids_sasl_user_search( + char *basedn, + int scope, +@@ -575,11 +547,6 @@ static sasl_callback_t ids_sasl_callbacks[] = + NULL + }, + { +- SASL_CB_PROXY_POLICY, +- (IFP) ids_sasl_proxy_policy, +- NULL +- }, +- { + SASL_CB_CANON_USER, + (IFP) ids_sasl_canon_user, + NULL +-- +1.8.1.4 + diff --git a/SOURCES/0096-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch b/SOURCES/0096-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch new file mode 100644 index 0000000..45abf61 --- /dev/null +++ b/SOURCES/0096-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch @@ -0,0 +1,78 @@ +From a0489deaa9b3f72dca120f3b1622039f92a3e437 Mon Sep 17 00:00:00 2001 +From: Noriko Hosoi +Date: Thu, 13 Mar 2014 13:06:43 -0700 +Subject: [PATCH] Ticket #47735 - e_uniqueid fails to set if an entry is a + conflict entry + +Description: In commit e2b8468f459647261812f542485f3481d39bd26c, +to get the base type length when a state info is stripped from +the attribute type, the fix in str2entry_state_information_from_type +blindly returned the base type length for the ordinary sub-typed +attributes. This patch fixes it so that only when the state info +is removed, the length is reset. + +https://fedorahosted.org/389/ticket/47735 + +Reviewed by rmeggins@redhat.com (Thank you, Rich!!) +(cherry picked from commit a7ac181d60b1f2ecd3640d0b610eba300b7c3cdb) +(cherry picked from commit 4ffa8247ab9dcc45137f07511d62ea33c24f76df) +(cherry picked from commit 093a146853e6bb44b08c36a1da22735633adbd4a) +(cherry picked from commit 2bb0f1b2b9b1c69118d8c8db1c5426eb7d7690ea) +--- + ldap/servers/slapd/entry.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c +index 0d018a9..5306da2 100644 +--- a/ldap/servers/slapd/entry.c ++++ b/ldap/servers/slapd/entry.c +@@ -104,13 +104,11 @@ str2entry_state_information_from_type(struct berval *atype, + int *attr_state) + { + char *p = NULL; ++ char *semicolonp = NULL; + if ((NULL == atype) || (NULL == atype->bv_val)) { + return; + } + p = PL_strchr(atype->bv_val, ';'); +- if (p) { +- atype->bv_len = p - atype->bv_val; +- } + *value_state= VALUE_PRESENT; + *attr_state= ATTRIBUTE_PRESENT; + while(p!=NULL) +@@ -169,19 +167,31 @@ str2entry_state_information_from_type(struct berval *atype, + csn_init_by_csn ( *maxcsn, *attributedeletioncsn ); + } + } ++ if (NULL == semicolonp) { ++ semicolonp = p; /* the first semicolon */ ++ } + } + else if(strncmp(p+1,"deletedattribute", 16)==0) + { + p[0]='\0'; + *attr_state= ATTRIBUTE_DELETED; ++ if (NULL == semicolonp) { ++ semicolonp = p; /* the first semicolon */ ++ } + } + else if(strncmp(p+1,"deleted", 7)==0) + { + p[0]='\0'; + *value_state= VALUE_DELETED; ++ if (NULL == semicolonp) { ++ semicolonp = p; /* the first semicolon */ ++ } + } + p= strchr(p+1, ';'); + } ++ if (semicolonp) { ++ atype->bv_len = semicolonp - atype->bv_val; ++ } + } + + /* rawdn is not consumed. Caller needs to free it. */ +-- +1.8.1.4 + diff --git a/SOURCES/0097-Ticket-47759-Crash-in-replication-when-server-is-und.patch b/SOURCES/0097-Ticket-47759-Crash-in-replication-when-server-is-und.patch new file mode 100644 index 0000000..a9e4d92 --- /dev/null +++ b/SOURCES/0097-Ticket-47759-Crash-in-replication-when-server-is-und.patch @@ -0,0 +1,474 @@ +From 5b6deac35adbae20d0821a4530d30f0908ad7478 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 31 Mar 2014 15:17:59 -0400 +Subject: [PATCH] Ticket 47759 - Crash in replication when server is under + write load + +Bug Description: When the server is under alot of load, a race condition allows + a replication connection LDAP struct to be freed(unbind) while + it is being used by another thread. This leads to a crash. + +Fix Description: Extend the connection lock to also cover ldap client interaction + (e.g. conn->ld struct). + +https://fedorahosted.org/389/ticket/47759 + +Reviewed by: nhosoi & rmeggins(Thanks!!) +(cherry picked from commit 9940ca29ca258891c52640a23adc2851afe59d0e) +(cherry picked from commit 0e576c85c34826c4d63d9578db55f8179b4a1a60) +(cherry picked from commit 2a80b7152823ca16628c2da48614166b8d2104a4) +--- + .../servers/plugins/replication/repl5_connection.c | 89 ++++++++++++---------- + ldap/servers/slapd/ldaputil.c | 39 +++++----- + 2 files changed, 69 insertions(+), 59 deletions(-) + +diff --git a/ldap/servers/plugins/replication/repl5_connection.c b/ldap/servers/plugins/replication/repl5_connection.c +index 668abda..17d1d9c 100644 +--- a/ldap/servers/plugins/replication/repl5_connection.c ++++ b/ldap/servers/plugins/replication/repl5_connection.c +@@ -138,6 +138,7 @@ static void repl5_debug_timeout_callback(time_t when, void *arg); + + /* Forward declarations */ + static void close_connection_internal(Repl_Connection *conn); ++static void conn_delete_internal(Repl_Connection *conn); + + /* + * Create a new connection object. Returns a pointer to the object, or +@@ -182,11 +183,22 @@ conn_new(Repl_Agmt *agmt) + rpc->plain = NULL; + return rpc; + loser: +- conn_delete(rpc); ++ conn_delete_internal(rpc); + slapi_ch_free((void**)&rpc); + return NULL; + } + ++static PRBool ++conn_connected_locked(Repl_Connection *conn, int locked) ++{ ++ PRBool return_value; ++ ++ if(!locked) PR_Lock(conn->lock); ++ return_value = STATE_CONNECTED == conn->state; ++ if(!locked) PR_Unlock(conn->lock); ++ ++ return return_value; ++} + + /* + * Return PR_TRUE if the connection is in the connected state +@@ -194,14 +206,9 @@ loser: + static PRBool + conn_connected(Repl_Connection *conn) + { +- PRBool return_value; +- PR_Lock(conn->lock); +- return_value = STATE_CONNECTED == conn->state; +- PR_Unlock(conn->lock); +- return return_value; ++ return conn_connected_locked(conn, 1); + } + +- + /* + * Destroy a connection object. + */ +@@ -243,7 +250,6 @@ conn_delete(Repl_Connection *conn) + if (slapi_eq_cancel(conn->linger_event) == 1) + { + /* Event was found and cancelled. Destroy the connection object. */ +- PR_Unlock(conn->lock); + destroy_it = PR_TRUE; + } + else +@@ -254,16 +260,15 @@ conn_delete(Repl_Connection *conn) + * off, so arrange for the event to destroy the object . + */ + conn->delete_after_linger = PR_TRUE; +- PR_Unlock(conn->lock); + } + } + if (destroy_it) + { + conn_delete_internal(conn); + } ++ PR_Unlock(conn->lock); + } + +- + /* + * Return the last operation type processed by the connection + * object, and the LDAP error encountered. +@@ -327,17 +332,18 @@ conn_read_result_ex(Repl_Connection *conn, char **retoidp, struct berval **retda + while (!slapi_is_shutting_down()) + { + /* we have to make sure the update sending thread does not +- attempt to call conn_disconnect while we are reading ++ attempt to close connection while we are reading + results - so lock the conn while we get the results */ + PR_Lock(conn->lock); ++ + if ((STATE_CONNECTED != conn->state) || !conn->ld) { + rc = -1; + return_value = CONN_NOT_CONNECTED; + PR_Unlock(conn->lock); + break; + } +- + rc = ldap_result(conn->ld, send_msgid, 1, &local_timeout, &res); ++ + PR_Unlock(conn->lock); + + if (0 != rc) +@@ -661,8 +667,10 @@ perform_operation(Repl_Connection *conn, int optype, const char *dn, + server_controls[1] = update_control; + server_controls[2] = NULL; + +- /* lock the conn to prevent the result reader thread +- from closing the connection out from under us */ ++ /* ++ * Lock the conn to prevent the result reader thread ++ * from closing the connection out from under us. ++ */ + PR_Lock(conn->lock); + if (STATE_CONNECTED == conn->state) + { +@@ -804,7 +812,6 @@ conn_send_rename(Repl_Connection *conn, const char *dn, + NULL /* extop OID */, NULL /* extop payload */, message_id); + } + +- + /* + * Send an LDAP extended operation. + */ +@@ -818,7 +825,6 @@ conn_send_extended_operation(Repl_Connection *conn, const char *extop_oid, + update_control, extop_oid, payload, message_id); + } + +- + /* + * Synchronously read an entry and return a specific attribute's values. + * Returns CONN_OPERATION_SUCCESS if successful. Returns +@@ -838,6 +844,8 @@ conn_read_entry_attribute(Repl_Connection *conn, const char *dn, + LDAPMessage *res = NULL; + char *attrs[2]; + ++ PR_Lock(conn->lock); ++ + PR_ASSERT(NULL != type); + if (conn_connected(conn)) + { +@@ -860,7 +868,7 @@ conn_read_entry_attribute(Repl_Connection *conn, const char *dn, + } + else if (IS_DISCONNECT_ERROR(ldap_rc)) + { +- conn_disconnect(conn); ++ close_connection_internal(conn); + return_value = CONN_NOT_CONNECTED; + } + else +@@ -878,10 +886,11 @@ conn_read_entry_attribute(Repl_Connection *conn, const char *dn, + { + return_value = CONN_NOT_CONNECTED; + } ++ PR_Unlock(conn->lock); ++ + return return_value; + } + +- + /* + * Return an pointer to a string describing the connection's status. + */ +@@ -892,8 +901,6 @@ conn_get_status(Repl_Connection *conn) + return conn->status; + } + +- +- + /* + * Cancel any outstanding linger timer. Should be called when + * a replication session is beginning. +@@ -925,7 +932,6 @@ conn_cancel_linger(Repl_Connection *conn) + PR_Unlock(conn->lock); + } + +- + /* + * Called when our linger timeout timer expires. This means + * we should check to see if perhaps the connection's become +@@ -957,7 +963,6 @@ linger_timeout(time_t event_time, void *arg) + } + } + +- + /* + * Indicate that a session is ending. The linger timer starts when + * this function is called. +@@ -995,8 +1000,6 @@ conn_start_linger(Repl_Connection *conn) + PR_Unlock(conn->lock); + } + +- +- + /* + * If no connection is currently active, opens a connection and binds to + * the remote server. If a connection is open (e.g. lingering) then +@@ -1015,10 +1018,14 @@ conn_connect(Repl_Connection *conn) + ConnResult return_value = CONN_OPERATION_SUCCESS; + int pw_ret = 1; + +- /** Connection already open just return SUCCESS **/ +- if(conn->state == STATE_CONNECTED) goto done; +- + PR_Lock(conn->lock); ++ ++ /* Connection already open, just return SUCCESS */ ++ if(conn->state == STATE_CONNECTED){ ++ PR_Unlock(conn->lock); ++ return return_value; ++ } ++ + if (conn->flag_agmt_changed) { + /* So far we cannot change Hostname and Port */ + /* slapi_ch_free((void **)&conn->hostname); */ +@@ -1033,7 +1040,6 @@ conn_connect(Repl_Connection *conn) + conn->port = agmt_get_port(conn->agmt); /* port could be updated */ + slapi_ch_free((void **)&conn->plain); + } +- PR_Unlock(conn->lock); + + creds = agmt_get_credentials(conn->agmt); + +@@ -1174,6 +1180,7 @@ done: + { + close_connection_internal(conn); + } ++ PR_Unlock(conn->lock); + + return return_value; + } +@@ -1209,7 +1216,6 @@ conn_disconnect(Repl_Connection *conn) + PR_Unlock(conn->lock); + } + +- + /* + * Determine if the remote replica supports DS 5.0 replication. + * Return codes: +@@ -1226,6 +1232,7 @@ conn_replica_supports_ds5_repl(Repl_Connection *conn) + ConnResult return_value; + int ldap_rc; + ++ PR_Lock(conn->lock); + if (conn_connected(conn)) + { + if (conn->supports_ds50_repl == -1) { +@@ -1273,7 +1280,7 @@ conn_replica_supports_ds5_repl(Repl_Connection *conn) + if (IS_DISCONNECT_ERROR(ldap_rc)) + { + conn->last_ldap_error = ldap_rc; /* specific reason */ +- conn_disconnect(conn); ++ close_connection_internal(conn); + return_value = CONN_NOT_CONNECTED; + } + else +@@ -1293,10 +1300,11 @@ conn_replica_supports_ds5_repl(Repl_Connection *conn) + /* Not connected */ + return_value = CONN_NOT_CONNECTED; + } ++ PR_Unlock(conn->lock); ++ + return return_value; + } + +- + /* + * Determine if the remote replica supports DS 7.1 replication. + * Return codes: +@@ -1313,6 +1321,7 @@ conn_replica_supports_ds71_repl(Repl_Connection *conn) + ConnResult return_value; + int ldap_rc; + ++ PR_Lock(conn->lock); + if (conn_connected(conn)) + { + if (conn->supports_ds71_repl == -1) { +@@ -1344,7 +1353,7 @@ conn_replica_supports_ds71_repl(Repl_Connection *conn) + if (IS_DISCONNECT_ERROR(ldap_rc)) + { + conn->last_ldap_error = ldap_rc; /* specific reason */ +- conn_disconnect(conn); ++ close_connection_internal(conn); + return_value = CONN_NOT_CONNECTED; + } + else +@@ -1364,6 +1373,8 @@ conn_replica_supports_ds71_repl(Repl_Connection *conn) + /* Not connected */ + return_value = CONN_NOT_CONNECTED; + } ++ PR_Unlock(conn->lock); ++ + return return_value; + } + +@@ -1383,6 +1394,7 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn) + ConnResult return_value; + int ldap_rc; + ++ PR_Lock(conn->lock); + if (conn_connected(conn)) + { + if (conn->supports_ds90_repl == -1) { +@@ -1414,7 +1426,7 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn) + if (IS_DISCONNECT_ERROR(ldap_rc)) + { + conn->last_ldap_error = ldap_rc; /* specific reason */ +- conn_disconnect(conn); ++ close_connection_internal(conn); + return_value = CONN_NOT_CONNECTED; + } + else +@@ -1423,7 +1435,7 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn) + } + } + if (NULL != res) +- ldap_msgfree(res); ++ ldap_msgfree(res); + } + else + { +@@ -1435,6 +1447,8 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn) + /* Not connected */ + return_value = CONN_NOT_CONNECTED; + } ++ PR_Unlock(conn->lock); ++ + return return_value; + } + +@@ -1452,7 +1466,6 @@ conn_replica_is_readonly(Repl_Connection *conn) + } + } + +- + /* + * Return 1 if "value" is a value of attribute type "type" in entry "entry". + * Otherwise, return 0. +@@ -1501,9 +1514,6 @@ attribute_string_value_present(LDAP *ld, LDAPMessage *entry, const char *type, + return return_value; + } + +- +- +- + /* + * Read the remote server's schema entry, then read the local schema entry, + * and compare the nsschemacsn attribute. If the local csn is newer, or +@@ -1533,7 +1543,7 @@ conn_push_schema(Repl_Connection *conn, CSN **remotecsn) + return_value = CONN_OPERATION_FAILED; + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "NULL remote CSN\n"); + } +- else if (!conn_connected(conn)) ++ else if (!conn_connected_locked(conn, 0 /* not locked */)) + { + return_value = CONN_NOT_CONNECTED; + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, +@@ -1699,6 +1709,7 @@ conn_push_schema(Repl_Connection *conn, CSN **remotecsn) + { + csn_free(&localcsn); + } ++ + return return_value; + } + +diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c +index edc8267..08601bd 100644 +--- a/ldap/servers/slapd/ldaputil.c ++++ b/ldap/servers/slapd/ldaputil.c +@@ -1011,8 +1011,8 @@ slapi_ldap_bind( + than the currently unused clientctrls */ + ldap_get_option(ld, LDAP_OPT_CLIENT_CONTROLS, &clientctrls); + if (clientctrls && clientctrls[0] && +- slapi_control_present(clientctrls, START_TLS_OID, NULL, NULL)) { +- secure = 2; ++ slapi_control_present(clientctrls, START_TLS_OID, NULL, NULL)) { ++ secure = 2; + } else { + #if defined(USE_OPENLDAP) + /* openldap doesn't have a SSL/TLS yes/no flag - so grab the +@@ -1051,12 +1051,12 @@ slapi_ldap_bind( + slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_bind", + "Set up conn to use client auth\n"); + } +- bvcreds.bv_val = NULL; /* ignore username and passed in creds */ +- bvcreds.bv_len = 0; /* for external auth */ +- bindid = NULL; ++ bvcreds.bv_val = NULL; /* ignore username and passed in creds */ ++ bvcreds.bv_len = 0; /* for external auth */ ++ bindid = NULL; + } else { /* other type of auth */ +- bvcreds.bv_val = (char *)creds; +- bvcreds.bv_len = creds ? strlen(creds) : 0; ++ bvcreds.bv_val = (char *)creds; ++ bvcreds.bv_len = creds ? strlen(creds) : 0; + } + + if (secure == 2) { /* send start tls */ +@@ -1084,31 +1084,29 @@ slapi_ldap_bind( + bindid, creds); + if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls, + NULL /* clientctrls */, &mymsgid))) { +- char *myhostname = NULL; +- char *copy = NULL; ++ char *hostname = NULL; ++ char *host_port = NULL; + char *ptr = NULL; + int myerrno = errno; + int gaierr = 0; + +- ldap_get_option(ld, LDAP_OPT_HOST_NAME, &myhostname); +- if (myhostname) { +- ptr = strchr(myhostname, ':'); ++ ldap_get_option(ld, LDAP_OPT_HOST_NAME, &host_port); ++ if (host_port) { ++ ptr = strchr(host_port, ':'); + if (ptr) { +- copy = slapi_ch_strdup(myhostname); +- *(copy + (ptr - myhostname)) = '\0'; +- slapi_ch_free_string(&myhostname); +- myhostname = copy; ++ hostname = slapi_ch_strdup(host_port); ++ *(hostname + (ptr - host_port)) = '\0'; + } + } +- + if (0 == myerrno) { + struct addrinfo *result = NULL; +- gaierr = getaddrinfo(myhostname, NULL, NULL, &result); ++ gaierr = getaddrinfo(hostname, NULL, NULL, &result); + myerrno = errno; + if (result) { + freeaddrinfo(result); + } + } ++ + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", + "Error: could not send bind request for id " + "[%s] authentication mechanism [%s]: error %d (%s), system error %d (%s), " +@@ -1119,8 +1117,9 @@ slapi_ldap_bind( + PR_GetError(), slapd_pr_strerror(PR_GetError()), + myerrno ? myerrno : gaierr, + myerrno ? slapd_system_strerror(myerrno) : gai_strerror(gaierr), +- myhostname ? myhostname : "unknown host"); +- slapi_ch_free_string(&myhostname); ++ host_port ? host_port : "unknown host"); ++ slapi_ch_free_string(&hostname); ++ slapi_ch_free_string(&host_port); + goto done; + } + +-- +1.8.1.4 + diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec index 9ad2d37..3403b76 100644 --- a/SPECS/389-ds-base.spec +++ b/SPECS/389-ds-base.spec @@ -25,7 +25,7 @@ Summary: 389 Directory Server (base) Name: 389-ds-base Version: 1.3.1.6 -Release: %{?relprefix}10%{?prerel}%{?dist} +Release: %{?relprefix}25%{?prerel}%{?dist} License: GPLv2 with exceptions URL: http://port389.org/ Group: System Environment/Daemons @@ -164,6 +164,53 @@ Patch46: 0047-Ticket-47585-Replication-Failures-related-to-skipped.patc Patch47: 0048-Ticket-47581-Winsync-plugin-segfault-during-incremen.patch Patch48: 0049-Ticket-47581-Winsync-plugin-segfault-during-incremen.patch Patch49: 0050-Revert-Ticket-47559-hung-server-related-to-sasl-and-.patch +Patch50: 0051-Ticket-47605-CVE-2013-4485-DoS-due-to-improper-handl.patch +Patch51: 0052-Ticket-47622-Automember-betxnpreoperation-transactio.patch +Patch52: 0053-Ticket-47613-Impossible-to-configure-nsslapd-allowed.patch +Patch53: 0054-Ticket-47587-hard-coded-limit-of-64-masters-in-agree.patch +Patch54: 0055-Ticket-47597-Convert-retro-changelog-plug-in-to-betx.patch +Patch55: 0056-Ticket-47598-Convert-ldbm_back_seq-code-to-be-transa.patch +Patch56: 0057-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch +Patch57: 0058-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch +Patch58: 0059-Ticket-47599-fix-memory-leak.patch +Patch59: 0060-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch +Patch60: 0061-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch +Patch61: 0062-Ticket-47591-entries-with-empty-objectclass-attribut.patch +Patch62: 0063-Ticket-47614-Possible-to-specify-invalid-SASL-mechan.patch +Patch63: 0064-Ticket-47592-automember-plugin-task-memory-leaks.patch +Patch64: 0065-Ticket-47620-389-ds-rejects-nsds5ReplicaProtocolTime.patch +Patch65: 0066-Ticket-47613-Issues-setting-allowed-mechanisms.patch +Patch66: 0067-Ticket-47620-Fix-cherry-pick-error-for-1.3.2-and-1.3.patch +Patch67: 0068-Ticket-47620-Config-value-validation-improvement.patch +Patch68: 0069-Ticket-47620-Fix-logically-dead-code.patch +Patch69: 0070-Ticket-47620-Fix-dereferenced-NULL-pointer-in-agmtli.patch +Patch70: 0071-Ticket-47620-Fix-missing-left-bracket.patch +Patch71: 0072-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch +Patch72: 0073-Ticket-47606-replica-init-bulk-import-errors-should-.patch +Patch73: 0074-Ticket-47623-fix-memleak-caused-by-47347.patch +Patch74: 0075-Ticket-47623-fix-memleak-caused-by-47347.patch +Patch75: 0076-Ticket-47627-changelog-iteration-should-ignore-clean.patch +Patch76: 0077-Ticket-47627-Fix-replication-logging.patch +Patch77: 0078-Ticket-447-Possible-to-add-invalid-attribute-to-nssl.patch +Patch78: 0079-Ticket-47660-config_set_allowed_to_delete_attrs-Valg.patch +Patch79: 0080-Ticket-408-Fix-crash-when-disabling-enabling-the-set.patch +Patch80: 0081-Ticket-47620-Unable-to-delete-protocol-timeout-attri.patch +Patch81: 0082-Ticket-47516-replication-stops-with-excessive-clock-.patch +Patch82: 0083-Ticket-342-better-error-message-when-cache-overflows.patch +Patch83: 0084-Ticket-443-Deleting-attribute-present-in-nsslapd-all.patch +Patch84: 0085-Ticket-47649-Server-hangs-in-cos_cache-when-adding-a.patch +Patch85: 0086-Ticket-47374-flush.pl-is-not-included-in-perl5.patch +Patch86: 0087-Ticket-471-logconv.pl-tool-removes-the-access-logs-c.patch +Patch87: 0088-Ticket-47704-invalid-sizelimits-in-aci-group-evaluat.patch +Patch88: 0089-Ticket-47709-package-issue-in-389-ds-base.patch +Patch89: 0090-Ticket-47709-package-issue-in-389-ds-base.patch +Patch90: 0091-Ticket-408-create-a-normalized-dn-cache.patch +Patch91: 0092-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch +Patch92: 0093-Ticket-408-create-a-normalized-dn-cache.patch +Patch93: 0094-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch +Patch94: 0095-Ticket-47739-directory-server-is-insecurely-misinter.patch +Patch95: 0096-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch +Patch96: 0097-Ticket-47759-Crash-in-replication-when-server-is-und.patch %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -264,6 +311,53 @@ cp %{SOURCE2} README.devel %patch47 -p1 %patch48 -p1 %patch49 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 +%patch53 -p1 +%patch54 -p1 +%patch55 -p1 +%patch56 -p1 +%patch57 -p1 +%patch58 -p1 +%patch59 -p1 +%patch60 -p1 +%patch61 -p1 +%patch62 -p1 +%patch63 -p1 +%patch64 -p1 +%patch65 -p1 +%patch66 -p1 +%patch67 -p1 +%patch68 -p1 +%patch69 -p1 +%patch70 -p1 +%patch71 -p1 +%patch72 -p1 +%patch73 -p1 +%patch74 -p1 +%patch75 -p1 +%patch76 -p1 +%patch77 -p1 +%patch78 -p1 +%patch79 -p1 +%patch80 -p1 +%patch81 -p1 +%patch82 -p1 +%patch83 -p1 +%patch84 -p1 +%patch85 -p1 +%patch86 -p1 +%patch87 -p1 +%patch88 -p1 +%patch89 -p1 +%patch90 -p1 +%patch91 -p1 +%patch92 -p1 +%patch93 -p1 +%patch94 -p1 +%patch95 -p1 +%patch96 -p1 %build %if %{use_openldap} @@ -390,8 +484,8 @@ fi %{_unitdir} %{_bindir}/* %{_sbindir}/* -%{_libdir}/%{pkgname}/libns-dshttpd.so* %{_libdir}/%{pkgname}/perl +%{_libdir}/%{pkgname}/python %dir %{_libdir}/%{pkgname}/plugins %{_libdir}/%{pkgname}/plugins/*.so %dir %{_localstatedir}/lib/%{pkgname} @@ -412,8 +506,96 @@ fi %doc LICENSE EXCEPTION LICENSE.GPLv2 README.devel %dir %{_libdir}/%{pkgname} %{_libdir}/%{pkgname}/libslapd.so.* +%{_libdir}/%{pkgname}/libns-dshttpd.so* %changelog +* Thu Mar 31 2014 Noriko Hosoi - 1.3.1.6-25 +- release 1.3.1.6-25 +- Resolves: bug 1082740 - ns-slapd crash in reliability 15 + +* Thu Mar 13 2014 Noriko Hosoi - 1.3.1.6-24 +- release 1.3.1.6-24 +- Resolves: bug 1074084 - e_uniqueid fails to set if an entry is a conflict entry (Ticket 47735); regression - sub-type length in attribute type was mistakenly subtracted. + +* Tue Mar 11 2014 Noriko Hosoi - 1.3.1.6-23 +- Resolves: bug 1074850 - EMBARGOED CVE-2014-0132 389-ds-base: 389-ds: flaw in parsing authzid can lead to privilege escalation [rhel-7.0] (Ticket 47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind) (Added 0095-Ticket-47739-directory-server-is-insecurely-misinter.patch) + +* Tue Mar 11 2014 Noriko Hosoi - 1.3.1.6-23 +- release 1.3.1.6-22 +- Resolves: bug 1074850 - EMBARGOED CVE-2014-0132 389-ds-base: 389-ds: flaw in parsing authzid can lead to privilege escalation [rhel-7.0] (Ticket 47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind) + +* Mon Mar 10 2014 Noriko Hosoi - 1.3.1.6-22 +- release 1.3.1.6-22 +- Resolves: bug 1074084 - e_uniqueid fails to set if an entry is a conflict entry (Ticket 47735) + +* Tue Feb 25 2014 Noriko Hosoi - 1.3.1.6-21 +- release 1.3.1.6-21 +- Resolves: bug 918694 - Fix covscan defect FORWARD_NULL (Ticket 408) +- Resolves: bug 918717 - Fix covscan defect COMPILER WARNINGS (Ticket 571) + +* Tue Feb 25 2014 Noriko Hosoi - 1.3.1.6-20 +- release 1.3.1.6-20 +- Resolves: bug 1065242 - 389-ds-base, conflict occurs at yum installation if multilib_policy=all. (Ticket 47709) + +* Tue Feb 18 2014 Noriko Hosoi - 1.3.1.6-19 +- release 1.3.1.6-19 +- Resolves: bug 1065971 - Enrolling a host into IdM/IPA always takes two attempts (Ticket 47704) + +* Mon Feb 3 2014 Noriko Hosoi - 1.3.1.6-18 +- release 1.3.1.6-18 +- Resolves: bug 838656 - logconv.pl tool removes the access logs contents if "-M" is not correctly used (Ticket 471) +- Resolves: bug 922538 - improve dbgen rdn generation, output (Ticket 47374) +- Resolves: bug 970750 - flush.pl is not included in perl5 (Ticket 47374) +- Resolves: bug 1013898 - Fix various issues with logconv.pl (Ticket 471) + +* Wed Jan 29 2014 Noriko Hosoi - 1.3.1.6-17 +- release 1.3.1.6-17 +- Resolves: bug 853106 - Deleting attribute present in nsslapd-allowed-to-delete-attrs returns Operations error (Ticket 443) +- Resolves: bug 1049525 - Server hangs in cos_cache when adding a user entry (Ticket 47649) + +* Wed Jan 29 2014 Daniel Mach - 1.3.1.6-16 +- Mass rebuild 2014-01-24 + +* Tue Jan 21 2014 Noriko Hosoi - 1.3.1.6-15 +- release 1.3.1.6-15 +- Resolves: bug 918702 - better error message when cache overflows (Ticket 342) +- Resolves: bug 1009679 - replication stops with excessive clock skew (Ticket 47516) +- Resolves: bug 1042855 - Unable to delete protocol timeout attribute (Ticket 47620) +- Resolves: bug 918694 - Fix crash when disabling/enabling the setting (Ticket 408) +- Resolves: bug 853355 - config_set_allowed_to_delete_attrs: Valgrind reports Invalid read (Ticket 47660) + +* Wed Jan 8 2014 Noriko Hosoi - 1.3.1.6-14 +- release 1.3.1.6-14 +- Resolves: bug 853355 - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs (Ticket 447) +- Resolves: bug 1034739 - Impossible to configure nsslapd-allowed-sasl-mechanisms (Ticket 47613) +- Resolves: bug 1038639 - 389-ds rejects nsds5ReplicaProtocolTimeout attribut; Fix logically dead code; Fix dereferenced NULL pointer in agmtlist_modify_callback(); Fix missing left brackete (Ticket 47620) +- Resolves: bug 1042855 - nsds5ReplicaProtocolTimeout attribute is not validated when added to replication agreement; Config value validation improvement (Ticket 47620) +- Resolves: bug 918717 - server does not accept 0 length LDAP Control sequence (Ticket 571) +- Resolves: bug 1034902 - replica init/bulk import errors should be more verbose (Ticket 47606) +- Resolves: bug 1044219 - fix memleak caused by 47347 (Ticket 47623) +- Resolves: bug 1049522 - Crash after replica is installed; Fix cherry-pick error for 1.3.2 and 1.3.1 (Ticket 47620) +- Resolves: bug 1049568 - changelog iteration should ignore cleaned rids when getting the minCSN (Ticket 47627) + +* Fri Dec 27 2013 Daniel Mach - 1.3.1.6-13 +- Mass rebuild 2013-12-27 + +* Tue Dec 10 2013 Noriko Hosoi - 1.3.1.6-12 +- release 1.3.1.6-12 +- Resolves: bug 1038639 - 389-ds rejects nsds5ReplicaProtocolTimeout attribute (Ticket 47620) +- Resolves: bug 1034898 - automember plugin task memory leaks (Ticket 47592) +- Resolves: bug 1034451 - Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms (Ticket 47614) +- Resolves: bug 1032318 - entries with empty objectclass attribute value can be hidden (Ticket 47591) +- Resolves: bug 1032316 - attrcrypt fails to find unlocked key (Ticket 47596) +- Resolves: bug 1031227 - Reduce lock scope in retro changelog plug-in (Ticket 47599) +- Resolves: bug 1031226 - Convert ldbm_back_seq code to be transaction aware (Ticket 47598) +- Resolves: bug 1031225 - Convert retro changelog plug-in to betxn (Ticket 47597) +- Resolves: bug 1031223 - hard coded limit of 64 masters in agreement and changelog code (Ticket 47587) +- Resolves: bug 1034739 - Impossible to configure nsslapd-allowed-sasl-mechanisms (Ticket 47613) +- Resolves: bug 1035824 - Automember betxnpreoperation - transaction not aborted when group entry does not exist (Ticket 47622) + +* Thu Nov 21 2013 Rich Megginson - 1.3.1.6-11 +- Resolves: bug 1024979 - CVE-2013-4485 389-ds-base: DoS due to improper handling of ger attr searches + * Tue Nov 12 2013 Rich Megginson - 1.3.1.6-10 - release 1.3.1.6-10 - Resolves: bug 1018893 DS91: ns-slapd stuck in DS_Sleep @@ -476,7 +658,7 @@ fi - Resolves Bug 1000633 - ns-slapd crash due to bogus DN - Ticket #47488 - Users from AD sub OU does not sync to IPA -* Tue Aug 01 2013 Noriko Hosoi - 1.3.1.6-1 +* Thu Aug 01 2013 Noriko Hosoi - 1.3.1.6-1 - bump version to 1.3.1.6 - Ticket 47455 - valgrind - value mem leaks, uninit mem usage - fix coverity 11915 - dead code - introduced with fix for ticket 346