diff --git a/SOURCES/0051-Ticket-47605-CVE-2013-4485-DoS-due-to-improper-handl.patch b/SOURCES/0051-Ticket-47605-CVE-2013-4485-DoS-due-to-improper-handl.patch
new file mode 100644
index 0000000..b04ee47
--- /dev/null
+++ b/SOURCES/0051-Ticket-47605-CVE-2013-4485-DoS-due-to-improper-handl.patch
@@ -0,0 +1,136 @@
+From 896091407c244ed151f2fad39a82881a6e991d26 Mon Sep 17 00:00:00 2001
+From: Rich Megginson <rmeggins@redhat.com>
+Date: Tue, 29 Oct 2013 13:47:35 -0600
+Subject: [PATCH] Ticket #47605 CVE-2013-4485: DoS due to improper handling of ger attr searches
+
+https://fedorahosted.org/389/ticket/47605
+Reviewed by: nhosoi (Thanks!)
+Branch: 389-ds-base-1.3.1
+Fix Description: The traversal of the attr list looking for GER objectclasses
+was modifying the same attribute twice, removing the "@" from it. The second
+time, since there was no "@" in the string, the strchr would return NULL, and
+the code would not check for it.
+The code was simplified and rewritten to use charray_merge_nodup
+to build the gerattrs list with unique objectclass values, which I believe was
+the intention of the original code. I also added some error checking to look
+for invalid attributes like "@name" "name@" and "name@name@name".
+Platforms tested: RHEL6 x86_64
+Flag Day: no
+Doc impact: no
+(cherry picked from commit 7e03702932546e74f0044d11832e7e7e395cbb36)
+(cherry picked from commit 12e54af6982ab5406f4bba6a02dd0724a0415501)
+(cherry picked from commit 8c5e74b291d08c66e0afbf766f77f955725b9bf4)
+---
+ ldap/servers/slapd/search.c | 79 +++++++++----------------------------------
+ 1 files changed, 16 insertions(+), 63 deletions(-)
+
+diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
+index da1772f..59c4afb 100644
+--- a/ldap/servers/slapd/search.c
++++ b/ldap/servers/slapd/search.c
+@@ -246,8 +246,6 @@ do_search( Slapi_PBlock *pb )
+ }
+
+ if ( attrs != NULL ) {
+- int gerattrsiz = 1;
+- int gerattridx = 0;
+ int aciin = 0;
+ /*
+ * . store gerattrs if any
+@@ -257,66 +255,25 @@ do_search( Slapi_PBlock *pb )
+ {
+ char *p = NULL;
+ /* check if @<objectclass> is included */
+- p = strchr(attrs[i], '@');
+- if ( p && '\0' != *(p+1) ) /* don't store "*@", e.g. */
++ p = strchr(attrs[i], '@');
++ if ( p )
+ {
+- int j = 0;
+- if (gerattridx + 1 >= gerattrsiz)
++ char *dummyary[2]; /* need a char ** for charray_merge_nodup */
++ if ((*(p + 1) == '\0') || (p == attrs[i]) || (strchr(p+1, '@'))) /* e.g. "foo@" or "@objectclassname" or "foo@bar@baz" */
+ {
+- char **tmpgerattrs;
+- gerattrsiz *= 2;
+- tmpgerattrs =
+- (char **)slapi_ch_calloc(1, gerattrsiz*sizeof(char *));
+- if (NULL != gerattrs)
+- {
+- memcpy(tmpgerattrs, gerattrs, gerattrsiz*sizeof(char *));
+- slapi_ch_free((void **)&gerattrs);
+- }
+- gerattrs = tmpgerattrs;
+- }
+- for ( j = 0; gerattrs; j++ )
+- {
+- char *attri = NULL;
+- if ( NULL == gerattrs[j] )
+- {
+- if (0 == j)
+- {
+- /* first time */
+- gerattrs[gerattridx++] = attrs[i];
+- /* get rid of "@<objectclass>" part from the attr
+- list, which is needed only in gerattr list */
+- *p = '\0';
+- attri = slapi_ch_strdup(attrs[i]);
+- attrs[i] = attri;
+- *p = '@';
+- }
+- else
+- {
+- break; /* done */
+- }
+- }
+- else if ( 0 == strcasecmp( attrs[i], gerattrs[j] ))
+- {
+- /* skip if attrs[i] is already in gerattrs */
+- continue;
+- }
+- else
+- {
+- char *q = strchr(gerattrs[j], '@'); /* q never be 0 */
+- if ( 0 != strcasecmp( p+1, q+1 ))
+- {
+- /* you don't want to display the same template
+- entry multiple times */
+- gerattrs[gerattridx++] = attrs[i];
+- }
+- /* get rid of "@<objectclass>" part from the attr
+- list, which is needed only in gerattr list */
+- *p = '\0';
+- attri = slapi_ch_strdup(attrs[i]);
+- attrs[i] = attri;
+- *p = '@';
+- }
++ slapi_log_error( SLAPI_LOG_ARGS, "do_search",
++ "invalid attribute [%s] in list - must be of the form "
++ "attributename@objectclassname where attributename is the "
++ "name of an attribute or \"*\" or \"+\" and objectclassname "
++ "is the name of an objectclass\n", attrs[i] );
++ continue;
+ }
++ dummyary[0] = p; /* p = @objectclassname */
++ dummyary[1] = NULL;
++ /* copy string to gerattrs with leading @ - disallow dups */
++ charray_merge_nodup(&gerattrs, dummyary, 1);
++ /* null terminate the attribute name at the @ after it has been copied */
++ *p = '\0';
+ }
+ else if ( !aciin && strcasecmp(attrs[i], LDAP_ALL_USER_ATTRS) == 0 )
+ {
+@@ -324,10 +281,6 @@ do_search( Slapi_PBlock *pb )
+ aciin = 1;
+ }
+ }
+- if (NULL != gerattrs)
+- {
+- gerattrs[gerattridx] = NULL;
+- }
+
+ if (config_get_return_orig_type_switch()) {
+ /* return the original type, e.g., "sn (surname)" */
+--
+1.7.1
+
diff --git a/SOURCES/0052-Ticket-47622-Automember-betxnpreoperation-transactio.patch b/SOURCES/0052-Ticket-47622-Automember-betxnpreoperation-transactio.patch
new file mode 100644
index 0000000..9050947
--- /dev/null
+++ b/SOURCES/0052-Ticket-47622-Automember-betxnpreoperation-transactio.patch
@@ -0,0 +1,497 @@
+From e5cb97a16fa44e6944e234b9cf509ddb614559a3 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 9 Dec 2013 16:57:35 -0500
+Subject: [PATCH 52/65] Ticket 47622 - Automember betxnpreoperation -
+ transaction not aborted when group entry does not exist
+
+Bug Description: If the group defined in the automember plugin does not exist, than any add operation
+ that should trigger an update, succeeds even though the automember update failed.
+
+Fix Description: Return an error if a automember post operation update fails - previously we always
+ returned success.
+
+ Updated plugin_call_func() to check the result of betxn postop plugins.
+
+ Also added return text to the result message when a betxn plugin fails. This is
+ useful for clients to explain why the operation failed.
+
+https://fedorahosted.org/389/ticket/47622
+
+Jenkins: passed
+Valgrind: passed
+Coverity: passed
+
+Reviewed by: rmeggins(Thanks!)
+(cherry picked from commit 1214168a222a35627b2bb9964600fad0246558cd)
+(cherry picked from commit 6de4616f2506b4e093429cc1093e4ad21b22e6c9)
+---
+ ldap/servers/plugins/automember/automember.c | 151 ++++++++++++++++++++++-----
+ ldap/servers/slapd/back-ldbm/ldbm_add.c | 4 +-
+ ldap/servers/slapd/back-ldbm/ldbm_delete.c | 5 +
+ ldap/servers/slapd/back-ldbm/ldbm_modify.c | 2 +
+ ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 3 +
+ ldap/servers/slapd/plugin.c | 3 +-
+ 6 files changed, 137 insertions(+), 31 deletions(-)
+
+diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
+index c7168cb..3214ea1 100644
+--- a/ldap/servers/plugins/automember/automember.c
++++ b/ldap/servers/plugins/automember/automember.c
+@@ -103,8 +103,8 @@ static struct automemberRegexRule *automember_parse_regex_rule(char *rule_string
+ static void automember_free_regex_rule(struct automemberRegexRule *rule);
+ static int automember_parse_grouping_attr(char *value, char **grouping_attr,
+ char **grouping_value);
+-static void automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileDesc *ldif_fd);
+-static void automember_add_member_value(Slapi_Entry *member_e, const char *group_dn,
++static int automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileDesc *ldif_fd);
++static int automember_add_member_value(Slapi_Entry *member_e, const char *group_dn,
+ char *grouping_attr, char *grouping_value, PRFileDesc *ldif_fd);
+ const char *fetch_attr(Slapi_Entry *e, const char *attrname, const char *default_val);
+
+@@ -1401,7 +1401,7 @@ automember_parse_grouping_attr(char *value, char **grouping_attr, char **groupin
+ * Determines which target groups need to be updated according to
+ * the rules in config, then performs the updates.
+ */
+-static void
++static int
+ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileDesc *ldif_fd)
+ {
+ PRCList *rule = NULL;
+@@ -1412,10 +1412,11 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD
+ Slapi_DN *last = NULL;
+ PRCList *curr_exclusion = NULL;
+ char **vals = NULL;
++ int rc = 0;
+ int i = 0;
+
+ if (!config || !e) {
+- return;
++ return -1;
+ }
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
+@@ -1555,15 +1556,23 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD
+ if (PR_CLIST_IS_EMPTY(&targets)) {
+ /* Add to each default group. */
+ for (i = 0; config->default_groups && config->default_groups[i]; i++) {
+- automember_add_member_value(e, config->default_groups[i],
+- config->grouping_attr, config->grouping_value, ldif_fd);
++ if(automember_add_member_value(e, config->default_groups[i], config->grouping_attr,
++ config->grouping_value, ldif_fd))
++ {
++ rc = SLAPI_PLUGIN_FAILURE;
++ goto out;
++ }
+ }
+ } else {
+ /* Update the target groups. */
+ dnitem = (struct automemberDNListItem *)PR_LIST_HEAD(&targets);
+ while ((PRCList *)dnitem != &targets) {
+- automember_add_member_value(e, slapi_sdn_get_dn(dnitem->dn),
+- config->grouping_attr, config->grouping_value, ldif_fd);
++ if(automember_add_member_value(e, slapi_sdn_get_dn(dnitem->dn),config->grouping_attr,
++ config->grouping_value, ldif_fd))
++ {
++ rc = SLAPI_PLUGIN_FAILURE;
++ goto out;
++ }
+ dnitem = (struct automemberDNListItem *)PR_NEXT_LINK((PRCList *)dnitem);
+ }
+ }
+@@ -1582,6 +1591,9 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD
+ slapi_ch_free((void**)&dnitem);
+ }
+
++out:
++
++ return rc;
+ }
+
+ /*
+@@ -1589,7 +1601,7 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD
+ *
+ * Adds a member entry to a group.
+ */
+-static void
++static int
+ automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, char *grouping_attr,
+ char *grouping_value, PRFileDesc *ldif_fd)
+ {
+@@ -1600,6 +1612,7 @@ automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, char *g
+ char *vals[2];
+ char *member_value = NULL;
+ int freeit = 0;
++ int rc = 0;
+
+ /* If grouping_value is dn, we need to fetch the dn instead. */
+ if (slapi_attr_type_cmp(grouping_value, "dn", SLAPI_TYPE_CMP_EXACT) == 0) {
+@@ -1649,6 +1662,7 @@ automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, char *g
+ "a \"%s\" value to group \"%s\" (%s).\n",
+ member_value, grouping_attr, group_dn,
+ ldap_err2string(result));
++ rc = result;
+ }
+ } else {
+ slapi_log_error(SLAPI_LOG_FATAL, AUTOMEMBER_PLUGIN_SUBSYSTEM,
+@@ -1662,8 +1676,9 @@ out:
+ if (freeit) {
+ slapi_ch_free_string(&member_value);
+ }
+-
+ slapi_pblock_destroy(mod_pb);
++
++ return rc;
+ }
+
+
+@@ -1833,6 +1848,7 @@ automember_add_post_op(Slapi_PBlock *pb)
+ Slapi_DN *sdn = NULL;
+ struct configEntry *config = NULL;
+ PRCList *list = NULL;
++ int rc = SLAPI_PLUGIN_SUCCESS;
+
+ slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
+ "--> automember_add_post_op\n");
+@@ -1848,8 +1864,9 @@ automember_add_post_op(Slapi_PBlock *pb)
+ }
+ } else {
+ slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
+- "automember_add_post_op: Error "
+- "retrieving dn\n");
++ "automember_add_post_op: Error retrieving dn\n");
++
++ rc = SLAPI_PLUGIN_FAILURE;
+ goto bail;
+ }
+
+@@ -1863,12 +1880,11 @@ automember_add_post_op(Slapi_PBlock *pb)
+
+ if (e) {
+ /* If the entry is a tombstone, just bail. */
+- Slapi_Value *tombstone =
+- slapi_value_new_string(SLAPI_ATTR_VALUE_TOMBSTONE);
+- int rc = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS,
+- tombstone);
++ Slapi_Value *tombstone = slapi_value_new_string(SLAPI_ATTR_VALUE_TOMBSTONE);
++ int is_tombstone = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS,
++ tombstone);
+ slapi_value_free(&tombstone);
+- if (rc) {
++ if (is_tombstone) {
+ return SLAPI_PLUGIN_SUCCESS;
+ }
+
+@@ -1891,7 +1907,10 @@ automember_add_post_op(Slapi_PBlock *pb)
+ if (slapi_dn_issuffix(slapi_sdn_get_dn(sdn), config->scope) &&
+ (slapi_filter_test_simple(e, config->filter) == 0)) {
+ /* Find out what membership changes are needed and make them. */
+- automember_update_membership(config, e, NULL);
++ if(automember_update_membership(config, e, NULL)){
++ rc = SLAPI_PLUGIN_FAILURE;
++ break;
++ }
+ }
+
+ list = PR_NEXT_LINK(list);
+@@ -1904,11 +1923,21 @@ automember_add_post_op(Slapi_PBlock *pb)
+ "automember_add_post_op: Error "
+ "retrieving post-op entry %s\n", slapi_sdn_get_dn(sdn));
+ }
++
+ bail:
+ slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
+- "<-- automember_add_post_op\n");
++ "<-- automember_add_post_op (%d)\n", rc);
+
+- return SLAPI_PLUGIN_SUCCESS;
++ if(rc){
++ char errtxt[SLAPI_DSE_RETURNTEXT_SIZE];
++ int result = LDAP_UNWILLING_TO_PERFORM;
++
++ PR_snprintf(errtxt, SLAPI_DSE_RETURNTEXT_SIZE, "Automember Plugin update unexpectedly failed.\n");
++ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &result);
++ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, &errtxt);
++ }
++
++ return rc;
+ }
+
+ /*
+@@ -2216,7 +2245,11 @@ void automember_rebuild_task_thread(void *arg){
+ if (slapi_dn_issuffix(slapi_entry_get_dn(entries[i]), config->scope) &&
+ (slapi_filter_test_simple(entries[i], config->filter) == 0))
+ {
+- automember_update_membership(config, entries[i], NULL);
++ if(automember_update_membership(config, entries[i], NULL)){
++ result = SLAPI_PLUGIN_FAILURE;
++ automember_config_unlock();
++ goto out;
++ }
+ }
+ list = PR_NEXT_LINK(list);
+ }
+@@ -2416,7 +2449,7 @@ void automember_export_task_thread(void *arg){
+ /* make sure the plugin is still up, as this loop could run for awhile */
+ if (!g_plugin_started) {
+ automember_config_unlock();
+- result = -1;
++ result = SLAPI_DSE_CALLBACK_ERROR;
+ goto out;
+ }
+ if (!PR_CLIST_IS_EMPTY(g_automember_config)) {
+@@ -2426,7 +2459,11 @@ void automember_export_task_thread(void *arg){
+ if (slapi_dn_issuffix(slapi_sdn_get_dn(td->base_dn), config->scope) &&
+ (slapi_filter_test_simple(entries[i], config->filter) == 0))
+ {
+- automember_update_membership(config, entries[i], ldif_fd);
++ if(automember_update_membership(config, entries[i], ldif_fd)){
++ result = SLAPI_DSE_CALLBACK_ERROR;
++ automember_config_unlock();
++ goto out;
++ }
+ }
+ list = PR_NEXT_LINK(list);
+ }
+@@ -2624,7 +2661,13 @@ void automember_map_task_thread(void *arg){
+ if (slapi_dn_issuffix(slapi_entry_get_dn_const(e), config->scope) &&
+ (slapi_filter_test_simple(e, config->filter) == 0))
+ {
+- automember_update_membership(config, e, ldif_fd_out);
++ if(automember_update_membership(config, e, ldif_fd_out)){
++ result = SLAPI_DSE_CALLBACK_ERROR;
++ slapi_entry_free(e);
++ slapi_ch_free_string(&entrystr);
++ automember_config_unlock();
++ goto out;
++ }
+ }
+ list = PR_NEXT_LINK(list);
+ }
+@@ -2635,7 +2678,7 @@ void automember_map_task_thread(void *arg){
+ slapi_task_log_notice(task, "Automember map task, skipping invalid entry.");
+ slapi_task_log_status(task, "Automember map task, skipping invalid entry.");
+ }
+- slapi_ch_free((void **)&entrystr);
++ slapi_ch_free_string(&entrystr);
+ }
+ automember_config_unlock();
+
+@@ -2666,6 +2709,9 @@ automember_modrdn_post_op(Slapi_PBlock *pb)
+ Slapi_DN *old_sdn = NULL;
+ Slapi_DN *new_sdn = NULL;
+ Slapi_Entry *post_e = NULL;
++ struct configEntry *config = NULL;
++ PRCList *list = NULL;
++ int rc = SLAPI_PLUGIN_SUCCESS;
+
+ slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
+ "--> automember_modrdn_post_op\n");
+@@ -2684,7 +2730,7 @@ automember_modrdn_post_op(Slapi_PBlock *pb)
+ slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
+ "automember_modrdn_post_op: Error "
+ "retrieving post-op entry\n");
+- return 0;
++ return SLAPI_PLUGIN_FAILURE;
+ }
+
+ if ((old_sdn = automember_get_sdn(pb))) {
+@@ -2694,11 +2740,58 @@ automember_modrdn_post_op(Slapi_PBlock *pb)
+ slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
+ "automember_modrdn_post_op: Error "
+ "retrieving dn\n");
++ return SLAPI_PLUGIN_FAILURE;
+ }
+
+- slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
+- "<-- automember_modrdn_post_op\n");
++ /* If replication, just bail. */
++ if (automember_isrepl(pb)) {
++ return SLAPI_PLUGIN_SUCCESS;
++ }
+
+- return 0;
++ /*
++ * Check if a config entry applies to the entry(post modrdn)
++ */
++ automember_config_read_lock();
++
++ /* Bail out if the plug-in close function was just called. */
++ if (!g_plugin_started) {
++ automember_config_unlock();
++ return SLAPI_PLUGIN_SUCCESS;
++ }
++
++ if (!PR_CLIST_IS_EMPTY(g_automember_config)) {
++ list = PR_LIST_HEAD(g_automember_config);
++ while (list != g_automember_config) {
++ config = (struct configEntry *)list;
++
++ /* Does the entry meet scope and filter requirements? */
++ if (slapi_dn_issuffix(slapi_sdn_get_dn(new_sdn), config->scope) &&
++ (slapi_filter_test_simple(post_e, config->filter) == 0)) {
++ /* Find out what membership changes are needed and make them. */
++ if(automember_update_membership(config, post_e, NULL)){
++ rc = SLAPI_PLUGIN_FAILURE;
++ break;
++ }
++ }
++
++ list = PR_NEXT_LINK(list);
++ }
++ }
++
++ automember_config_unlock();
++
++ if(rc){
++ char errtxt[SLAPI_DSE_RETURNTEXT_SIZE];
++ int result = LDAP_UNWILLING_TO_PERFORM;
++
++ PR_snprintf(errtxt, SLAPI_DSE_RETURNTEXT_SIZE, "Automember Plugin update unexpectedly failed. "
++ "Please see the server errors log for more information.\n");
++ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &result);
++ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, &errtxt);
++ }
++
++ slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
++ "<-- automember_modrdn_post_op (%d)\n", rc);
++ return rc;
+ }
+
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
+index fa1e9bc..e5b9eeb 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
++++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
+@@ -357,7 +357,7 @@ ldbm_back_add( Slapi_PBlock *pb )
+ /* make sure opreturn is set for the postop plugins */
+ slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &rc);
+ }
+-
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+ /*
+@@ -795,6 +795,7 @@ ldbm_back_add( Slapi_PBlock *pb )
+ if (!opreturn) {
+ slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+
+@@ -1046,6 +1047,7 @@ ldbm_back_add( Slapi_PBlock *pb )
+ if (!opreturn) {
+ slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
+index 6725123..367ab99 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
++++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
+@@ -325,6 +325,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
+ if (!opreturn) {
+ slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &rc );
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+ /* the flag could be set in a preop plugin (e.g., USN) */
+@@ -354,6 +355,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
+ ldap_result_code ?
+ &ldap_result_code : &retval );
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+
+@@ -603,6 +605,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
+ ldap_result_code ?
+ &ldap_result_code : &retval );
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+ }
+@@ -633,6 +636,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
+ &ldap_result_code : &rc );
+ }
+ /* retval is -1 */
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+ slapi_pblock_set( pb, SLAPI_DELETE_BEPREOP_ENTRY, orig_entry );
+@@ -1105,6 +1109,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
+ if (!opreturn) {
+ slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, &retval );
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+index b5bdb41..f3b099d 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
++++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+@@ -582,6 +582,7 @@ ldbm_back_modify( Slapi_PBlock *pb )
+ if (!opreturn) {
+ slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+
+@@ -752,6 +753,7 @@ ldbm_back_modify( Slapi_PBlock *pb )
+ if (!opreturn) {
+ slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+index 4908751..1162fdb 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
++++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+@@ -466,6 +466,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
+ if (!opreturn) {
+ slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &rc );
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+ /*
+@@ -890,6 +891,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
+ if (!opreturn) {
+ slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval );
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+
+@@ -1130,6 +1132,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
+ if (!opreturn) {
+ slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval );
+ }
++ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
+ goto error_return;
+ }
+
+diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
+index 5f66ab2..1ca4dc5 100644
+--- a/ldap/servers/slapd/plugin.c
++++ b/ldap/servers/slapd/plugin.c
+@@ -1467,7 +1467,8 @@ plugin_call_func (struct slapdplugin *list, int operation, Slapi_PBlock *pb, int
+ }
+ else if (SLAPI_PLUGIN_BEPREOPERATION == list->plg_type ||
+ SLAPI_PLUGIN_BETXNPREOPERATION == list->plg_type ||
+- SLAPI_PLUGIN_BEPOSTOPERATION == list->plg_type)
++ SLAPI_PLUGIN_BEPOSTOPERATION == list->plg_type ||
++ SLAPI_PLUGIN_BETXNPOSTOPERATION == list->plg_type )
+ {
+ /*
+ * respect fatal error SLAPI_PLUGIN_FAILURE (-1);
+--
+1.8.1.4
+
diff --git a/SOURCES/0053-Ticket-47613-Impossible-to-configure-nsslapd-allowed.patch b/SOURCES/0053-Ticket-47613-Impossible-to-configure-nsslapd-allowed.patch
new file mode 100644
index 0000000..a93d34f
--- /dev/null
+++ b/SOURCES/0053-Ticket-47613-Impossible-to-configure-nsslapd-allowed.patch
@@ -0,0 +1,63 @@
+From a886214ba26d9b74895269d83de62bd310b7d18c Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 2 Dec 2013 15:08:15 -0500
+Subject: [PATCH 53/65] Ticket 47613 - Impossible to configure
+ nsslapd-allowed-sasl-mechanisms
+
+Bug Description: The design doc sasy you can use comma separated list of supported mechanisms,
+ but in fact this was not supported.
+
+Fix Description: Allow comma separated lists.
+
+https://fedorahosted.org/389/ticket/47613
+
+Reviewed by: richm(Thanks!)
+(cherry picked from commit 6200f6812682760cd2a54d6a3bcbb009a0dffe79)
+(cherry picked from commit f1461312fc9e221413b19d6babbdf5a886794d10)
+---
+ ldap/servers/slapd/libglobs.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
+index f8c5b01..b925a2c 100644
+--- a/ldap/servers/slapd/libglobs.c
++++ b/ldap/servers/slapd/libglobs.c
+@@ -125,6 +125,7 @@ static int config_set_onoff( const char *attrname, char *value,
+ int *configvalue, char *errorbuf, int apply );
+ static int config_set_schemareplace ( const char *attrname, char *value,
+ char *errorbuf, int apply );
++static void remove_commas(char *str);
+
+ /* Keeping the initial values */
+ /* CONFIG_INT/CONFIG_LONG */
+@@ -6764,6 +6765,9 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
+ return LDAP_SUCCESS;
+ }
+
++ /* cyrus sasl doesn't like comma separated lists */
++ remove_commas(value);
++
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+@@ -7434,3 +7438,17 @@ slapi_err2string(int result)
+ #endif
+ }
+
++/* replace commas with spaces */
++static void
++remove_commas(char *str)
++{
++ int i;
++
++ for (i = 0; str && str[i]; i++)
++ {
++ if (str[i] == ',')
++ {
++ str[i] = ' ';
++ }
++ }
++}
+--
+1.8.1.4
+
diff --git a/SOURCES/0054-Ticket-47587-hard-coded-limit-of-64-masters-in-agree.patch b/SOURCES/0054-Ticket-47587-hard-coded-limit-of-64-masters-in-agree.patch
new file mode 100644
index 0000000..5454e51
--- /dev/null
+++ b/SOURCES/0054-Ticket-47587-hard-coded-limit-of-64-masters-in-agree.patch
@@ -0,0 +1,174 @@
+From 690fd89fb94621a4cafee1e4064d7e42ceaae6db Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 5 Dec 2013 11:58:56 -0500
+Subject: [PATCH 54/65] Ticket 47587 - hard coded limit of 64 masters in
+ agreement and changelog code
+
+Bug Description: Need to remove hardcoded limit of 64 masters.
+
+Fix Description: Changed the default limit to 256, and then we resize the array
+ as needed.
+
+https://fedorahosted.org/389/ticket/47587
+
+Reviewed by: richm & tbordaz(Thanks!!)
+(cherry picked from commit bae797c94207d15025e763cfea0634f42eeb1210)
+(cherry picked from commit 457cd16908071f3faddb021c12c792d22f64ab5c)
+---
+ ldap/servers/plugins/replication/cl5_clcache.c | 22 +++++++++++++++++-----
+ ldap/servers/plugins/replication/repl5.h | 4 ++--
+ ldap/servers/plugins/replication/repl5_agmt.c | 18 ++++++++++++++----
+ 3 files changed, 33 insertions(+), 11 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/cl5_clcache.c b/ldap/servers/plugins/replication/cl5_clcache.c
+index 8218312..d86620f 100644
+--- a/ldap/servers/plugins/replication/cl5_clcache.c
++++ b/ldap/servers/plugins/replication/cl5_clcache.c
+@@ -113,8 +113,9 @@ struct clc_buffer {
+ CSN *buf_missing_csn; /* used to detect persistent missing of CSN */
+
+ /* fields for control the CSN sequence sent to the consumer */
+- struct csn_seq_ctrl_block *buf_cscbs [MAX_NUM_OF_MASTERS];
++ struct csn_seq_ctrl_block **buf_cscbs;
+ int buf_num_cscbs; /* number of csn sequence ctrl blocks */
++ int buf_max_cscbs;
+
+ /* fields for debugging stat */
+ int buf_load_cnt; /* number of loads for session */
+@@ -256,12 +257,15 @@ clcache_get_buffer ( CLC_Buffer **buf, DB *db, ReplicaId consumer_rid, const RUV
+ (*buf)->buf_record_cnt = 0;
+ (*buf)->buf_record_skipped = 0;
+ (*buf)->buf_cursor = NULL;
+- (*buf)->buf_num_cscbs = 0;
+ (*buf)->buf_skipped_new_rid = 0;
+ (*buf)->buf_skipped_csn_gt_cons_maxcsn = 0;
+ (*buf)->buf_skipped_up_to_date = 0;
+ (*buf)->buf_skipped_csn_gt_ruv = 0;
+ (*buf)->buf_skipped_csn_covered = 0;
++ (*buf)->buf_cscbs = (struct csn_seq_ctrl_block **) slapi_ch_calloc(MAX_NUM_OF_MASTERS + 1,
++ sizeof(struct csn_seq_ctrl_block *));
++ (*buf)->buf_num_cscbs = 0;
++ (*buf)->buf_max_cscbs = MAX_NUM_OF_MASTERS;
+ }
+ else {
+ *buf = clcache_new_buffer ( consumer_rid );
+@@ -311,7 +315,7 @@ clcache_return_buffer ( CLC_Buffer **buf )
+ for ( i = 0; i < (*buf)->buf_num_cscbs; i++ ) {
+ clcache_free_cscb ( &(*buf)->buf_cscbs[i] );
+ }
+- (*buf)->buf_num_cscbs = 0;
++ slapi_ch_free((void **)&(*buf)->buf_cscbs);
+
+ if ( (*buf)->buf_cursor ) {
+
+@@ -554,7 +558,7 @@ clcache_refresh_consumer_maxcsns ( CLC_Buffer *buf )
+ static int
+ clcache_refresh_local_maxcsn ( const ruv_enum_data *rid_data, void *data )
+ {
+- CLC_Buffer *buf = (CLC_Buffer*) data;
++ struct clc_buffer *buf = (struct clc_buffer*) data;
+ ReplicaId rid;
+ int rc = 0;
+ int i;
+@@ -575,7 +579,12 @@ clcache_refresh_local_maxcsn ( const ruv_enum_data *rid_data, void *data )
+ break;
+ }
+ if ( i >= buf->buf_num_cscbs ) {
+- buf->buf_cscbs[i] = clcache_new_cscb ();
++ if( i + 1 > buf->buf_max_cscbs){
++ buf->buf_cscbs = (struct csn_seq_ctrl_block **) slapi_ch_realloc((char *)buf->buf_cscbs,
++ (i + 2) * sizeof(struct csn_seq_ctrl_block *));
++ buf->buf_max_cscbs = i + 1;
++ }
++ buf->buf_cscbs[i] = clcache_new_cscb();
+ if ( buf->buf_cscbs[i] == NULL ) {
+ return -1;
+ }
+@@ -878,6 +887,9 @@ clcache_new_buffer ( ReplicaId consumer_rid )
+ buf->buf_agmt_name = get_thread_private_agmtname();
+ buf->buf_consumer_rid = consumer_rid;
+ buf->buf_num_cscbs = 0;
++ buf->buf_max_cscbs = MAX_NUM_OF_MASTERS;
++ buf->buf_cscbs = (struct csn_seq_ctrl_block **) slapi_ch_calloc(MAX_NUM_OF_MASTERS + 1,
++ sizeof(struct csn_seq_ctrl_block *));
+
+ welldone = 1;
+
+diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
+index 5bec1c7..92a9229 100644
+--- a/ldap/servers/plugins/replication/repl5.h
++++ b/ldap/servers/plugins/replication/repl5.h
+@@ -140,11 +140,11 @@
+
+ #define DEFAULT_PROTOCOL_TIMEOUT 120
+
+-/* To Allow Consumer Initialisation when adding an agreement - */
++/* To Allow Consumer Initialization when adding an agreement - */
+ #define STATE_PERFORMING_TOTAL_UPDATE 501
+ #define STATE_PERFORMING_INCREMENTAL_UPDATE 502
+
+-#define MAX_NUM_OF_MASTERS 64
++#define MAX_NUM_OF_MASTERS 256
+ #define REPL_SESSION_ID_SIZE 64
+
+ #define REPL_GET_DN(addrp) slapi_sdn_get_dn((addrp)->sdn)
+diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
+index b7d107e..90d94f8 100644
+--- a/ldap/servers/plugins/replication/repl5_agmt.c
++++ b/ldap/servers/plugins/replication/repl5_agmt.c
+@@ -111,8 +111,9 @@ typedef struct repl5agmt {
+ const Slapi_RDN *rdn; /* RDN of replication agreement entry */
+ char *long_name; /* Long name (rdn + host, port) of entry, for logging */
+ Repl_Protocol *protocol; /* Protocol object - manages protocol */
+- struct changecounter *changecounters[MAX_NUM_OF_MASTERS]; /* changes sent/skipped since server start up */
++ struct changecounter **changecounters; /* changes sent/skipped since server start up */
+ int num_changecounters;
++ int max_changecounters;
+ time_t last_update_start_time; /* Local start time of last update session */
+ time_t last_update_end_time; /* Local end time of last update session */
+ char last_update_status[STATUS_LEN]; /* Status of last update. Format = numeric code <space> textual description */
+@@ -435,14 +436,17 @@ agmt_new_from_entry(Slapi_Entry *e)
+ /* Initialize status information */
+ ra->last_update_start_time = 0UL;
+ ra->last_update_end_time = 0UL;
+- ra->num_changecounters = 0;
+ ra->last_update_status[0] = '\0';
+ ra->update_in_progress = PR_FALSE;
+ ra->stop_in_progress = PR_FALSE;
+ ra->last_init_end_time = 0UL;
+ ra->last_init_start_time = 0UL;
+ ra->last_init_status[0] = '\0';
+-
++ ra->changecounters = (struct changecounter**) slapi_ch_calloc(MAX_NUM_OF_MASTERS + 1,
++ sizeof(struct changecounter *));
++ ra->num_changecounters = 0;
++ ra->max_changecounters = MAX_NUM_OF_MASTERS;
++
+ /* Fractional attributes */
+ slapi_entry_attr_find(e, type_nsds5ReplicatedAttributeList, &sattr);
+
+@@ -599,6 +603,7 @@ agmt_delete(void **rap)
+ {
+ slapi_ch_free((void **)&ra->changecounters[ra->num_changecounters]);
+ }
++ slapi_ch_free((void **)&ra->changecounters);
+
+ if (ra->agreement_type == REPLICA_TYPE_WINDOWS)
+ {
+@@ -2305,7 +2310,12 @@ agmt_inc_last_update_changecount (Repl_Agmt *ra, ReplicaId rid, int skipped)
+ }
+ else
+ {
+- ra->num_changecounters ++;
++ ra->num_changecounters++;
++ if(ra->num_changecounters > ra->max_changecounters){
++ ra->changecounters = (struct changecounter**) slapi_ch_realloc((char *)ra->changecounters,
++ (ra->num_changecounters + 1) * sizeof(struct changecounter*));
++ ra->max_changecounters = ra->num_changecounters;
++ }
+ ra->changecounters[i] = (struct changecounter*) slapi_ch_calloc(1, sizeof(struct changecounter));
+ ra->changecounters[i]->rid = rid;
+ if ( skipped )
+--
+1.8.1.4
+
diff --git a/SOURCES/0055-Ticket-47597-Convert-retro-changelog-plug-in-to-betx.patch b/SOURCES/0055-Ticket-47597-Convert-retro-changelog-plug-in-to-betx.patch
new file mode 100644
index 0000000..beaa27a
--- /dev/null
+++ b/SOURCES/0055-Ticket-47597-Convert-retro-changelog-plug-in-to-betx.patch
@@ -0,0 +1,51 @@
+From ef2f198a69dcd707c8101ab1e31b8360ac27c952 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 18 Nov 2013 12:49:48 -0500
+Subject: [PATCH 55/65] Ticket 47597 - Convert retro changelog plug-in to betxn
+
+Retro cl plugin is already betxn aware. The template and 20betxn.pl script
+needed to be updated to reflect the new default.
+
+https://fedorahosted.org/389/ticket/47597
+
+Reviewed by: richm(Thanks!)
+(cherry picked from commit 3dca85ec629be641f07ae2ecfef59609d4dc88e2)
+(cherry picked from commit 229d270428dc4cfabd7d367444f1c0b10a60ef87)
+---
+ ldap/admin/src/scripts/20betxn.pl | 4 +++-
+ ldap/ldif/template-dse.ldif.in | 1 +
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/admin/src/scripts/20betxn.pl b/ldap/admin/src/scripts/20betxn.pl
+index 2c56707..6f9b5e1 100644
+--- a/ldap/admin/src/scripts/20betxn.pl
++++ b/ldap/admin/src/scripts/20betxn.pl
+@@ -12,10 +12,12 @@ sub runinst {
+ # cn=Multimaster Replication Plugin
+ # cn=Roles Plugin,cn=plugins,cn=config
+ # cn=USN,cn=plugins,cn=config
++ # cn=Retro Changelog Plugin,cn=plugins,cn=config
+ my @objplugins = (
+ "cn=Multimaster Replication Plugin,cn=plugins,cn=config",
+ "cn=Roles Plugin,cn=plugins,cn=config",
+- "cn=USN,cn=plugins,cn=config"
++ "cn=USN,cn=plugins,cn=config",
++ "cn=Retro Changelog Plugin,cn=plugins,cn=config"
+ );
+ foreach my $plugin (@objplugins) {
+ my $ent = $conn->search($plugin, "base", "(cn=*)");
+diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
+index 95ed60c..12df7b6 100644
+--- a/ldap/ldif/template-dse.ldif.in
++++ b/ldap/ldif/template-dse.ldif.in
+@@ -557,6 +557,7 @@ cn: Retro Changelog Plugin
+ nsslapd-pluginpath: libretrocl-plugin
+ nsslapd-plugininitfunc: retrocl_plugin_init
+ nsslapd-plugintype: object
++nsslapd-pluginbetxn: on
+ nsslapd-pluginenabled: off
+ nsslapd-pluginprecedence: 25
+ nsslapd-plugin-depends-on-type: database
+--
+1.8.1.4
+
diff --git a/SOURCES/0056-Ticket-47598-Convert-ldbm_back_seq-code-to-be-transa.patch b/SOURCES/0056-Ticket-47598-Convert-ldbm_back_seq-code-to-be-transa.patch
new file mode 100644
index 0000000..3996d76
--- /dev/null
+++ b/SOURCES/0056-Ticket-47598-Convert-ldbm_back_seq-code-to-be-transa.patch
@@ -0,0 +1,153 @@
+From 88315fddb145da4d3d0601d020c61b25aed66366 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Tue, 19 Nov 2013 09:45:03 -0500
+Subject: [PATCH 56/65] Ticket 47598 - Convert ldbm_back_seq code to be
+ transaction aware
+
+Description: Attempt to retrieve the transaction, and pass it to the db
+ functions, and id2entry. Also did a little code cleanup.
+
+https://fedorahosted.org/389/ticket/47598
+
+Reviewed by: richm(Thanks!)
+(cherry picked from commit 50272119bbff52c5d9b6ce5d7302aef763aa96ec)
+(cherry picked from commit da9fed74c2a04dc45b4354f436e70020bcbd7cd2)
+---
+ ldap/servers/slapd/back-ldbm/seq.c | 61 +++++++++++++++++++++-----------------
+ 1 file changed, 34 insertions(+), 27 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/seq.c b/ldap/servers/slapd/back-ldbm/seq.c
+index ab473bd..27da2a4 100644
+--- a/ldap/servers/slapd/back-ldbm/seq.c
++++ b/ldap/servers/slapd/back-ldbm/seq.c
+@@ -68,20 +68,21 @@
+ int
+ ldbm_back_seq( Slapi_PBlock *pb )
+ {
+- backend *be;
+- ldbm_instance *inst;
+- struct ldbminfo *li;
+- IDList *idl = NULL;
+- int err = LDAP_SUCCESS;
+- DB *db;
+- DBC *dbc = NULL;
+- int type;
+- char *attrname, *val;
+- int isroot;
++ backend *be;
++ ldbm_instance *inst;
++ struct ldbminfo *li;
++ IDList *idl = NULL;
++ back_txn txn = {NULL};
+ struct attrinfo *ai = NULL;
++ DB *db;
++ DBC *dbc = NULL;
++ char *attrname, *val;
++ int err = LDAP_SUCCESS;
+ int return_value = -1;
+- int nentries = 0;
+- int retry_count=0;
++ int nentries = 0;
++ int retry_count = 0;
++ int isroot;
++ int type;
+
+ /* Decode arguments */
+ slapi_pblock_get( pb, SLAPI_BACKEND, &be);
+@@ -90,9 +91,15 @@ ldbm_back_seq( Slapi_PBlock *pb )
+ slapi_pblock_get( pb, SLAPI_SEQ_ATTRNAME, &attrname );
+ slapi_pblock_get( pb, SLAPI_SEQ_VAL, &val );
+ slapi_pblock_get( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
++ slapi_pblock_get( pb, SLAPI_TXN, &txn.back_txn_txn );
+
+ inst = (ldbm_instance *) be->be_instance_info;
+
++ if ( !txn.back_txn_txn ) {
++ dblayer_txn_init( li, &txn );
++ slapi_pblock_set( pb, SLAPI_TXN, txn.back_txn_txn );
++ }
++
+ /* Validate arguments */
+ if ( type != SLAPI_SEQ_FIRST &&
+ type != SLAPI_SEQ_LAST &&
+@@ -114,7 +121,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
+ LDAPDebug( LDAP_DEBUG_TRACE,
+ "seq: caller specified un-indexed attribute %s\n",
+ attrname ? attrname : "", 0, 0 );
+- slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
++ slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+ "Unindexed seq access type", 0, NULL );
+ return -1;
+ }
+@@ -123,13 +130,13 @@ ldbm_back_seq( Slapi_PBlock *pb )
+ LDAPDebug( LDAP_DEBUG_ANY,
+ "<= ldbm_back_seq NULL (could not open index file for attribute %s)\n",
+ attrname, 0, 0 );
+- slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
++ slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
+ return -1;
+ }
+
+ /* First, get a database cursor */
+
+- return_value = db->cursor(db,NULL,&dbc,0);
++ return_value = db->cursor(db, txn.back_txn_txn, &dbc, 0);
+
+ if (0 == return_value)
+ {
+@@ -160,7 +167,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
+ big_buffer = slapi_ch_malloc(key_length);
+ if (NULL == big_buffer) {
+ /* memory allocation failure */
+- dblayer_release_index_file( be, ai, db );
++ dblayer_release_index_file( be, ai, db );
+ return -1;
+ }
+ key.data = big_buffer;
+@@ -234,24 +241,24 @@ ldbm_back_seq( Slapi_PBlock *pb )
+ /* Retrieve the idlist for this key */
+ key.flags = 0;
+ for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) {
+- err = NEW_IDL_DEFAULT;
+- idl = idl_fetch( be, db, &key, NULL, ai, &err );
+- if(err == DB_LOCK_DEADLOCK) {
+- ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
++ err = NEW_IDL_DEFAULT;
++ idl = idl_fetch( be, db, &key, txn.back_txn_txn, ai, &err );
++ if(err == DB_LOCK_DEADLOCK) {
++ ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
+ #ifdef FIX_TXN_DEADLOCKS
+ #error if txn != NULL, have to retry the entire transaction
+ #endif
+- continue;
+- } else {
+- break;
+- }
++ continue;
++ } else {
++ break;
++ }
+ }
+ }
+ }
+ if(retry_count == IDL_FETCH_RETRY_COUNT) {
+- ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err);
++ ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err);
+ } else if ( err != 0 && err != DB_NOTFOUND ) {
+- ldbm_nasty("ldbm_back_seq database error", 1650, err);
++ ldbm_nasty("ldbm_back_seq database error", 1650, err);
+ }
+ slapi_ch_free( &(data.data) );
+ if ( key.data != little_buffer && key.data != &keystring ) {
+@@ -272,7 +279,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
+ for ( id = idl_firstid( idl ); id != NOID;
+ id = idl_nextid( idl, id ))
+ {
+- if (( e = id2entry( be, id, NULL, &err )) == NULL )
++ if (( e = id2entry( be, id, &txn, &err )) == NULL )
+ {
+ if ( err != LDAP_SUCCESS )
+ {
+--
+1.8.1.4
+
diff --git a/SOURCES/0057-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch b/SOURCES/0057-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch
new file mode 100644
index 0000000..918d98d
--- /dev/null
+++ b/SOURCES/0057-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch
@@ -0,0 +1,213 @@
+From a111165bab37e74bcaa76b1ba6182549a785361d Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 20 Nov 2013 09:08:50 -0500
+Subject: [PATCH 57/65] Ticket 47599 - Reduce lock scope in retro changelog
+ plug-in
+
+Description: Use RW locks for protecting the change numbers.
+
+ We still need to do the locking in retrocl_po.c as we need to
+ serialize the actual updates.
+
+https://fedorahosted.org/389/ticket/47599
+
+Reviewed by: richm(Thanks!!)
+(cherry picked from commit e2c42bced86bac235ac56ae98eed303f61ebd15e)
+(cherry picked from commit 03f6347eb72d3cbb49ae33312f32df9f91a2fd4c)
+---
+ ldap/servers/plugins/retrocl/retrocl.c | 3 ++-
+ ldap/servers/plugins/retrocl/retrocl.h | 1 +
+ ldap/servers/plugins/retrocl/retrocl_cn.c | 42 +++++++++++++++++++++----------
+ ldap/servers/plugins/retrocl/retrocl_po.c | 2 +-
+ 4 files changed, 33 insertions(+), 15 deletions(-)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
+index 90c3455..3e426a7 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.c
++++ b/ldap/servers/plugins/retrocl/retrocl.c
+@@ -465,7 +465,8 @@ retrocl_plugin_init(Slapi_PBlock *pb)
+ if (!is_betxn) {
+ rc= slapi_register_plugin_ext("internalpostoperation", 1 /* Enabled */, "retrocl_internalpostop_init", retrocl_internalpostop_init, "Retrocl internal postoperation plugin", NULL, identity, precedence);
+ }
+-
++ retrocl_cn_lock = slapi_new_rwlock();
++ if(retrocl_cn_lock == NULL) return -1;
+ retrocl_internal_lock = PR_NewLock();
+ if (retrocl_internal_lock == NULL) return -1;
+ }
+diff --git a/ldap/servers/plugins/retrocl/retrocl.h b/ldap/servers/plugins/retrocl/retrocl.h
+index 276912b..bfebe2e 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.h
++++ b/ldap/servers/plugins/retrocl/retrocl.h
+@@ -130,6 +130,7 @@ extern const char *attr_nsuniqueid;
+ extern const char *attr_isreplicated;
+
+ extern PRLock *retrocl_internal_lock;
++extern Slapi_RWLock *retrocl_cn_lock;
+
+ /* Functions */
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl_cn.c b/ldap/servers/plugins/retrocl/retrocl_cn.c
+index d2b15a4..f816730 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_cn.c
++++ b/ldap/servers/plugins/retrocl/retrocl_cn.c
+@@ -163,8 +163,9 @@ int retrocl_get_changenumbers(void)
+ NULL,NULL,0,&cr,NULL,handle_cnum_result,
+ handle_cnum_entry, NULL);
+
+- retrocl_first_cn = cr.cr_cnum;
++ slapi_rwlock_wrlock(retrocl_cn_lock);
+
++ retrocl_first_cn = cr.cr_cnum;
+ slapi_ch_free(( void **) &cr.cr_time );
+
+ slapi_seq_callback(RETROCL_CHANGELOG_DN,SLAPI_SEQ_LAST,
+@@ -178,6 +179,8 @@ int retrocl_get_changenumbers(void)
+ retrocl_first_cn,
+ retrocl_internal_cn);
+
++ slapi_rwlock_unlock(retrocl_cn_lock);
++
+ slapi_ch_free(( void **) &cr.cr_time );
+
+ return 0;
+@@ -238,10 +241,10 @@ time_t retrocl_getchangetime( int type, int *err )
+
+ void retrocl_forget_changenumbers(void)
+ {
+- PR_Lock(retrocl_internal_lock);
++ slapi_rwlock_wrlock(retrocl_cn_lock);
+ retrocl_first_cn = 0;
+ retrocl_internal_cn = 0;
+- PR_Unlock(retrocl_internal_lock);
++ slapi_rwlock_unlock(retrocl_cn_lock);
+ }
+
+ /*
+@@ -258,9 +261,11 @@ void retrocl_forget_changenumbers(void)
+ changeNumber retrocl_get_first_changenumber(void)
+ {
+ changeNumber cn;
+- PR_Lock(retrocl_internal_lock);
++
++ slapi_rwlock_rdlock(retrocl_cn_lock);
+ cn = retrocl_first_cn;
+- PR_Unlock(retrocl_internal_lock);
++ slapi_rwlock_unlock(retrocl_cn_lock);
++
+ return cn;
+ }
+
+@@ -277,9 +282,9 @@ changeNumber retrocl_get_first_changenumber(void)
+
+ void retrocl_set_first_changenumber(changeNumber cn)
+ {
+- PR_Lock(retrocl_internal_lock);
++ slapi_rwlock_wrlock(retrocl_cn_lock);
+ retrocl_first_cn = cn;
+- PR_Unlock(retrocl_internal_lock);
++ slapi_rwlock_unlock(retrocl_cn_lock);
+ }
+
+
+@@ -297,9 +302,11 @@ void retrocl_set_first_changenumber(changeNumber cn)
+ changeNumber retrocl_get_last_changenumber(void)
+ {
+ changeNumber cn;
+- PR_Lock(retrocl_internal_lock);
++
++ slapi_rwlock_rdlock(retrocl_cn_lock);
+ cn = retrocl_internal_cn;
+- PR_Unlock(retrocl_internal_lock);
++ slapi_rwlock_unlock(retrocl_cn_lock);
++
+ return cn;
+ }
+
+@@ -316,9 +323,11 @@ changeNumber retrocl_get_last_changenumber(void)
+
+ void retrocl_commit_changenumber(void)
+ {
++ slapi_rwlock_wrlock(retrocl_cn_lock);
+ if ( retrocl_first_cn == 0) {
+ retrocl_first_cn = retrocl_internal_cn;
+ }
++ slapi_rwlock_unlock(retrocl_cn_lock);
+ }
+
+ /*
+@@ -333,8 +342,10 @@ void retrocl_commit_changenumber(void)
+ */
+
+ void retrocl_release_changenumber(void)
+-{
++{
++ slapi_rwlock_wrlock(retrocl_cn_lock);
+ retrocl_internal_cn--;
++ slapi_rwlock_unlock(retrocl_cn_lock);
+ }
+
+ /*
+@@ -342,7 +353,7 @@ void retrocl_release_changenumber(void)
+ *
+ * Returns: 0/-1
+ *
+- * Arguments: none
++ * Arguments: none. The caller should have taken write lock for the change numbers
+ *
+ * Description: reads the last entry in the changelog to obtain
+ * the last change number.
+@@ -355,6 +366,7 @@ int retrocl_update_lastchangenumber(void)
+
+ if (retrocl_be_changelog == NULL) return -1;
+
++ slapi_rwlock_unlock(retrocl_cn_lock);
+ cr.cr_cnum = 0;
+ cr.cr_time = 0;
+ slapi_seq_callback(RETROCL_CHANGELOG_DN,SLAPI_SEQ_LAST,
+@@ -362,7 +374,7 @@ int retrocl_update_lastchangenumber(void)
+ NULL,NULL,0,&cr,NULL,handle_cnum_result,
+ handle_cnum_entry, NULL);
+
+-
++ slapi_rwlock_wrlock(retrocl_cn_lock);
+ retrocl_internal_cn = cr.cr_cnum;
+ slapi_log_error(SLAPI_LOG_PLUGIN,"retrocl","Refetched last changenumber = %lu \n",
+ retrocl_internal_cn);
+@@ -394,6 +406,8 @@ changeNumber retrocl_assign_changenumber(void)
+ * validity of the internal assignment of retrocl_internal_cn
+ * we had from the startup */
+
++ slapi_rwlock_wrlock(retrocl_cn_lock);
++
+ if(retrocl_internal_cn <= retrocl_first_cn){
+ /* the numbers have become out of sync - retrocl_get_changenumbers
+ * gets called only once during startup and it may have had a problem
+@@ -404,8 +418,10 @@ changeNumber retrocl_assign_changenumber(void)
+ */
+ retrocl_update_lastchangenumber();
+ }
+-
+ retrocl_internal_cn++;
+ cn = retrocl_internal_cn;
++
++ slapi_rwlock_unlock(retrocl_cn_lock);
++
+ return cn;
+ }
+diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
+index 382c98a..cd290f2 100644
+--- a/ldap/servers/plugins/retrocl/retrocl_po.c
++++ b/ldap/servers/plugins/retrocl/retrocl_po.c
+@@ -372,7 +372,7 @@ write_replog_db(
+ retrocl_release_changenumber();
+ } else {
+ /* Tell the change numbering system this one's committed to disk */
+- retrocl_commit_changenumber( );
++ retrocl_commit_changenumber();
+ }
+ } else {
+ slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+--
+1.8.1.4
+
diff --git a/SOURCES/0058-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch b/SOURCES/0058-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch
new file mode 100644
index 0000000..83bbf7b
--- /dev/null
+++ b/SOURCES/0058-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch
@@ -0,0 +1,33 @@
+From 6a670438877eecc6b75407e548dbb51bb849a9ff Mon Sep 17 00:00:00 2001
+From: Rich Megginson <rmeggins@redhat.com>
+Date: Fri, 22 Nov 2013 16:51:55 -0700
+Subject: [PATCH 58/65] Ticket 47599 - Reduce lock scope in retro changelog
+ plug-in
+
+Description: Forgot to add definition of retrocl_cn_lock
+
+https://fedorahosted.org/389/ticket/47599
+
+Reviewed by: richm(Thanks!!)
+(cherry picked from commit b330876a1bccd93a8e906ac56a10c002c981ecfc)
+(cherry picked from commit f4d5900579c773e5cf4b69eaeba6104078512ab0)
+(cherry picked from commit b19239fdca5c00865471acfd5ffc8502c66b914a)
+---
+ ldap/servers/plugins/retrocl/retrocl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
+index 3e426a7..528434e 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.c
++++ b/ldap/servers/plugins/retrocl/retrocl.c
+@@ -77,6 +77,7 @@ void* g_plg_identity [PLUGIN_MAX];
+
+ Slapi_Backend *retrocl_be_changelog = NULL;
+ PRLock *retrocl_internal_lock = NULL;
++Slapi_RWLock *retrocl_cn_lock;
+ int retrocl_nattributes = 0;
+ char **retrocl_attributes = NULL;
+ char **retrocl_aliases = NULL;
+--
+1.8.1.4
+
diff --git a/SOURCES/0059-Ticket-47599-fix-memory-leak.patch b/SOURCES/0059-Ticket-47599-fix-memory-leak.patch
new file mode 100644
index 0000000..9ecbd7f
--- /dev/null
+++ b/SOURCES/0059-Ticket-47599-fix-memory-leak.patch
@@ -0,0 +1,32 @@
+From bda97e4f914e18d9d7b2de9b0e9bdc4014c73855 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 25 Nov 2013 09:36:25 -0500
+Subject: [PATCH 59/65] Ticket 47599 - fix memory leak
+
+Coverity 12410
+
+https://fedorahosted.org/389/ticket/47599
+
+Reviewed by: richm(Thanks!)
+(cherry picked from commit a16bf1b3c4ff0412c2481baace9b427750c11f8c)
+(cherry picked from commit c7e7c68ea4779601ec4896b1d90f3b6d347f047f)
+(cherry picked from commit 08dc37dc832e1ce78d27012a60b1691dba2f6501)
+---
+ ldap/servers/slapd/back-ldbm/seq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ldap/servers/slapd/back-ldbm/seq.c b/ldap/servers/slapd/back-ldbm/seq.c
+index 27da2a4..10484fd 100644
+--- a/ldap/servers/slapd/back-ldbm/seq.c
++++ b/ldap/servers/slapd/back-ldbm/seq.c
+@@ -242,6 +242,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
+ key.flags = 0;
+ for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) {
+ err = NEW_IDL_DEFAULT;
++ idl_free(idl);
+ idl = idl_fetch( be, db, &key, txn.back_txn_txn, ai, &err );
+ if(err == DB_LOCK_DEADLOCK) {
+ ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
+--
+1.8.1.4
+
diff --git a/SOURCES/0060-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch b/SOURCES/0060-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch
new file mode 100644
index 0000000..cd8e564
--- /dev/null
+++ b/SOURCES/0060-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch
@@ -0,0 +1,117 @@
+From 7b257e2f72ac674025f894ec5fdcc2eaca34b0a2 Mon Sep 17 00:00:00 2001
+From: Rich Megginson <rmeggins@redhat.com>
+Date: Fri, 15 Nov 2013 10:24:26 -0700
+Subject: [PATCH 60/65] Ticket #47596 attrcrypt fails to find unlocked key
+
+https://fedorahosted.org/389/ticket/47596
+Reviewed by: nkinder (Thanks!)
+Branch: 389-ds-base-1.3.1
+Fix Description: There should always be a pre-authenticated slot/token that
+has the servers cert and key. Just loop through all of the slots that the
+server's cert is found on, and use the first one that is authenticated.
+Platforms tested: RHEL6 x86_64
+Flag Day: no
+Doc impact: no
+(cherry picked from commit b1fad4e35c0f963bf4678a2ed9a068dbe4fb159c)
+(cherry picked from commit cf091de4ae70ad8d683ff33c57e75e58ff900502)
+(cherry picked from commit 92b46296c0b4ab9aa436ae09bca95832e2276c6e)
+---
+ ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 2 +-
+ ldap/servers/slapd/proto-slap.h | 1 +
+ ldap/servers/slapd/ssl.c | 58 +++++++++++++++++++++++++++
+ 3 files changed, 60 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
+index 09cce9b..f4a5d1a 100644
+--- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
++++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
+@@ -425,7 +425,7 @@ attrcrypt_fetch_private_key(SECKEYPrivateKey **private_key)
+ LDAPDebug(LDAP_DEBUG_ANY,"Can't find certificate %s in attrcrypt_fetch_private_key: %d - %s\n", cert_name, errorCode, slapd_pr_strerror(errorCode));
+ }
+ if( cert != NULL ) {
+- key = slapd_pk11_findKeyByAnyCert(cert, NULL);
++ key = slapd_get_unlocked_key_for_cert(cert, NULL);
+ }
+ if (key == NULL) {
+ errorCode = PR_GetError();
+diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
+index 4c1dab9..39c1f54 100644
+--- a/ldap/servers/slapd/proto-slap.h
++++ b/ldap/servers/slapd/proto-slap.h
+@@ -1012,6 +1012,7 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS);
+ int slapd_security_library_is_initialized();
+ int slapd_ssl_listener_is_initialized();
+ int slapd_SSL_client_auth (LDAP* ld);
++SECKEYPrivateKey *slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg);
+
+ /*
+ * security_wrappers.c
+diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
+index f515b8e..8b80acb 100644
+--- a/ldap/servers/slapd/ssl.c
++++ b/ldap/servers/slapd/ssl.c
+@@ -1577,3 +1577,61 @@ char* slapd_get_tmp_dir()
+ #endif
+ return ( tmpdir );
+ }
++
++SECKEYPrivateKey *
++slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg)
++{
++ SECKEYPrivateKey *key = NULL;
++ PK11SlotListElement *sle;
++ PK11SlotList *slotlist = PK11_GetAllSlotsForCert(cert, NULL);
++ const char *certsubject = cert->subjectName ? cert->subjectName : "unknown cert";
++
++ if (!slotlist) {
++ PRErrorCode errcode = PR_GetError();
++ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
++ "Error: cannot get slot list for certificate [%s] (%d: %s)\n",
++ certsubject, errcode, slapd_pr_strerror(errcode));
++ return key;
++ }
++
++ for (sle = slotlist->head; sle; sle = sle->next) {
++ PK11SlotInfo *slot = sle->slot;
++ const char *slotname = (slot && PK11_GetSlotName(slot)) ? PK11_GetSlotName(slot) : "unknown slot";
++ const char *tokenname = (slot && PK11_GetTokenName(slot)) ? PK11_GetTokenName(slot) : "unknown token";
++ if (!slot) {
++ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
++ "Missing slot for slot list element for certificate [%s]\n",
++ certsubject);
++ } else if (PK11_IsLoggedIn(slot, pin_arg)) {
++ key = PK11_FindKeyByDERCert(slot, cert, pin_arg);
++ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
++ "Found unlocked slot [%s] token [%s] for certificate [%s]\n",
++ slotname, tokenname, certsubject);
++ break;
++ } else {
++ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
++ "Skipping locked slot [%s] token [%s] for certificate [%s]\n",
++ slotname, tokenname, certsubject);
++ }
++ }
++
++ if (!key) {
++ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
++ "Error: could not find any unlocked slots for certificate [%s]. "
++ "Please review your TLS/SSL configuration. The following slots were found:\n",
++ certsubject);
++ for (sle = slotlist->head; sle; sle = sle->next) {
++ PK11SlotInfo *slot = sle->slot;
++ const char *slotname = (slot && PK11_GetSlotName(slot)) ? PK11_GetSlotName(slot) : "unknown slot";
++ const char *tokenname = (slot && PK11_GetTokenName(slot)) ? PK11_GetTokenName(slot) : "unknown token";
++ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
++ "Slot [%s] token [%s] was locked.\n",
++ slotname, tokenname);
++ }
++
++ }
++
++ PK11_FreeSlotList(slotlist);
++ return key;
++}
++
+--
+1.8.1.4
+
diff --git a/SOURCES/0061-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch b/SOURCES/0061-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch
new file mode 100644
index 0000000..75736c5
--- /dev/null
+++ b/SOURCES/0061-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch
@@ -0,0 +1,39 @@
+From 13dee95761221c2849523acf3276242416a7a01a Mon Sep 17 00:00:00 2001
+From: Rich Megginson <rmeggins@redhat.com>
+Date: Tue, 26 Nov 2013 08:14:07 -0700
+Subject: [PATCH 61/65] Ticket #47596 attrcrypt fails to find unlocked key
+
+https://fedorahosted.org/389/ticket/47596
+Reviewed by: nkinder (Thanks!)
+Branch: 389-ds-base-1.3.1
+Fix Description: Additional fix to the previous fix. As it turns out, the
+function PK11_IsLoggedIn() only returns true if the slot has been unlocked
+with a pin or password. If the slot does not need a login at all, because
+the cert/key db has no password, PK11_IsLoggedIn will return false. The code
+must check for PK11_NeedLogin too.
+Platforms tested: RHEL6 x86_64
+Flag Day: no
+Doc impact: no
+(cherry picked from commit e66c4cecc47eff659a72a51c1e1722fb41c1dfbc)
+(cherry picked from commit f608a943745e51fe4b5dbfb18bada2e2d13e0d6a)
+(cherry picked from commit 5d2a20b4881d5374a9088ed1504b2d7e753976bb)
+---
+ ldap/servers/slapd/ssl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
+index 8b80acb..61809aa 100644
+--- a/ldap/servers/slapd/ssl.c
++++ b/ldap/servers/slapd/ssl.c
+@@ -1602,7 +1602,7 @@ slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg)
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Missing slot for slot list element for certificate [%s]\n",
+ certsubject);
+- } else if (PK11_IsLoggedIn(slot, pin_arg)) {
++ } else if (!PK11_NeedLogin(slot) || PK11_IsLoggedIn(slot, pin_arg)) {
+ key = PK11_FindKeyByDERCert(slot, cert, pin_arg);
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Found unlocked slot [%s] token [%s] for certificate [%s]\n",
+--
+1.8.1.4
+
diff --git a/SOURCES/0062-Ticket-47591-entries-with-empty-objectclass-attribut.patch b/SOURCES/0062-Ticket-47591-entries-with-empty-objectclass-attribut.patch
new file mode 100644
index 0000000..5e03ea0
--- /dev/null
+++ b/SOURCES/0062-Ticket-47591-entries-with-empty-objectclass-attribut.patch
@@ -0,0 +1,113 @@
+From 5edce023ae5977bebfdfd05ad21febc51c5b428b Mon Sep 17 00:00:00 2001
+From: Ludwig Krispenz <lkrispen@redhat.com>
+Date: Tue, 26 Nov 2013 09:15:53 +0100
+Subject: [PATCH 62/65] Ticket 47591 - entries with empty objectclass attribute
+ value can be hidden
+
+Bug Description: The problem is that for the empty value
+
+ objectClass;vdcsn-5283b8e0000000c80000;deleted
+
+ it is compared to "ldapsubentry" and "nstombstone"
+
+ 'if (PL_strncasecmp(type.bv_val,"tombstone",0)'
+
+ and with length 0, this is always true.
+
+Fix Description: add a check bv_len >= strlen(valuetocompare)
+ or bv_len == strlen(valuetocompare)
+ define constants for lengths
+
+https://fedorahosted.org/389/ticket/47591
+
+Reviewed by: richm, thanks
+(cherry picked from commit 6b47eb4f54ff1e0a8b9c4aa9f3e6c3c3d958fd56)
+---
+ ldap/servers/slapd/entry.c | 15 ++++++++-------
+ ldap/servers/slapd/slapi-plugin.h | 15 ++++++++++++++-
+ 2 files changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
+index e0248c8..60e1dfe 100644
+--- a/ldap/servers/slapd/entry.c
++++ b/ldap/servers/slapd/entry.c
+@@ -340,7 +340,7 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
+ rawdn = NULL; /* Set once in the loop.
+ This won't affect the caller's passed address. */
+ }
+- if ( PL_strncasecmp( type.bv_val, "dn", type.bv_len ) == 0 ) {
++ if ( type.bv_len == SLAPI_ATTR_DN_LENGTH && PL_strncasecmp( type.bv_val, SLAPI_ATTR_DN, type.bv_len ) == 0 ) {
+ if ( slapi_entry_get_dn_const(e)!=NULL ) {
+ char ebuf[ BUFSIZ ];
+ LDAPDebug( LDAP_DEBUG_TRACE,
+@@ -376,7 +376,7 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
+ continue;
+ }
+
+- if ( PL_strncasecmp( type.bv_val, "rdn", type.bv_len ) == 0 ) {
++ if ( type.bv_len == SLAPI_ATTR_RDN_LENGTH && PL_strncasecmp( type.bv_val, SLAPI_ATTR_RDN, type.bv_len ) == 0 ) {
+ if ( NULL == slapi_entry_get_rdn_const( e )) {
+ slapi_entry_set_rdn( e, value.bv_val );
+ }
+@@ -387,13 +387,13 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
+
+ /* If SLAPI_STR2ENTRY_NO_ENTRYDN is set, skip entrydn */
+ if ( (flags & SLAPI_STR2ENTRY_NO_ENTRYDN) &&
+- PL_strncasecmp( type.bv_val, "entrydn", type.bv_len ) == 0 ) {
++ type.bv_len == SLAPI_ATTR_ENTRYDN_LENGTH && PL_strncasecmp( type.bv_val, SLAPI_ATTR_ENTRYDN, type.bv_len ) == 0 ) {
+ if (freeval) slapi_ch_free_string(&value.bv_val);
+ continue;
+ }
+
+ /* retrieve uniqueid */
+- if ( PL_strncasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID, type.bv_len) == 0 ){
++ if ( type.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH && PL_strncasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID, type.bv_len) == 0 ){
+
+ if (e->e_uniqueid != NULL){
+ LDAPDebug (LDAP_DEBUG_TRACE,
+@@ -411,10 +411,11 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
+ continue;
+ }
+
+- if (PL_strncasecmp(type.bv_val,"objectclass",type.bv_len) == 0) {
+- if (PL_strncasecmp(value.bv_val,"ldapsubentry",value.bv_len) == 0)
++ if (value_state == VALUE_PRESENT && type.bv_len >= SLAPI_ATTR_OBJECTCLASS_LENGTH
++ && PL_strncasecmp(type.bv_val, SLAPI_ATTR_OBJECTCLASS, type.bv_len) == 0) {
++ if (value.bv_len >= SLAPI_ATTR_VALUE_SUBENTRY_LENGTH && PL_strncasecmp(value.bv_val,SLAPI_ATTR_VALUE_SUBENTRY,value.bv_len) == 0)
+ e->e_flags |= SLAPI_ENTRY_LDAPSUBENTRY;
+- if (PL_strncasecmp(value.bv_val, SLAPI_ATTR_VALUE_TOMBSTONE,value.bv_len) == 0)
++ if (value.bv_len >= SLAPI_ATTR_VALUE_TOMBSTONE_LENGTH && PL_strncasecmp(value.bv_val, SLAPI_ATTR_VALUE_TOMBSTONE,value.bv_len) == 0)
+ e->e_flags |= SLAPI_ENTRY_FLAG_TOMBSTONE;
+ }
+
+diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
+index d456af8..d8cfe33 100644
+--- a/ldap/servers/slapd/slapi-plugin.h
++++ b/ldap/servers/slapd/slapi-plugin.h
+@@ -395,9 +395,22 @@ NSPR_API(PRUint32) PR_fprintf(struct PRFileDesc* fd, const char *fmt, ...)
+ #define SLAPI_ATTR_OBJECTCLASS "objectclass"
+ #define SLAPI_ATTR_VALUE_TOMBSTONE "nsTombstone"
+ #define SLAPI_ATTR_VALUE_PARENT_UNIQUEID "nsParentUniqueID"
++#define SLAPI_ATTR_VALUE_SUBENTRY "ldapsubentry"
+ #define SLAPI_ATTR_NSCP_ENTRYDN "nscpEntryDN"
+ #define SLAPI_ATTR_ENTRYUSN "entryusn"
+-#define SLAPI_ATTR_ENTRYDN "entrydn"
++#define SLAPI_ATTR_ENTRYDN "entrydn"
++#define SLAPI_ATTR_DN "dn"
++#define SLAPI_ATTR_RDN "rdn"
++#define SLAPI_ATTR_UNIQUEID_LENGTH 10
++#define SLAPI_ATTR_OBJECTCLASS_LENGTH 11
++#define SLAPI_ATTR_VALUE_TOMBSTONE_LENGTH 11
++#define SLAPI_ATTR_VALUE_PARENT_UNIQUEID_LENGTH 16
++#define SLAPI_ATTR_VALUE_SUBENTRY_LENGTH 12
++#define SLAPI_ATTR_NSCP_ENTRYDN_LENGTH 11
++#define SLAPI_ATTR_ENTRYUSN_LENGTH 8
++#define SLAPI_ATTR_ENTRYDN_LENGTH 7
++#define SLAPI_ATTR_DN_LENGTH 2
++#define SLAPI_ATTR_RDN_LENGTH 3
+
+
+ /* opaque structures */
+--
+1.8.1.4
+
diff --git a/SOURCES/0063-Ticket-47614-Possible-to-specify-invalid-SASL-mechan.patch b/SOURCES/0063-Ticket-47614-Possible-to-specify-invalid-SASL-mechan.patch
new file mode 100644
index 0000000..ae284b7
--- /dev/null
+++ b/SOURCES/0063-Ticket-47614-Possible-to-specify-invalid-SASL-mechan.patch
@@ -0,0 +1,106 @@
+From 58b738e455355344acbfcac556600b2e19ade1a3 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 2 Dec 2013 17:13:55 -0500
+Subject: [PATCH 63/65] Ticket 47614 - Possible to specify invalid SASL
+ mechanism in nsslapd-allowed-sasl-mechanisms
+
+Bug Description: Invalid values could be specified in the allowed sasl mechanisms configuration
+ attribute. These values are directly passed to the sasl library.
+
+Fix Description: Follow RFR 4422, only allow upto 20 characters that are ASCII upper-case letters,
+ digits, hyphens, or underscores.
+
+https://fedorahosted.org/389/ticket/47614
+
+Reviewed by: richm(Thanks!)
+(cherry picked from commit 7e8a5fc7183f7c08212bfb746ea8c5ceedee0132)
+(cherry picked from commit f00321f892545d59e07c1a944936153660640e47)
+---
+ ldap/servers/slapd/libglobs.c | 60 +++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 60 insertions(+)
+
+diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
+index b925a2c..a763135 100644
+--- a/ldap/servers/slapd/libglobs.c
++++ b/ldap/servers/slapd/libglobs.c
+@@ -126,6 +126,7 @@ static int config_set_onoff( const char *attrname, char *value,
+ static int config_set_schemareplace ( const char *attrname, char *value,
+ char *errorbuf, int apply );
+ static void remove_commas(char *str);
++static int invalid_sasl_mech(char *str);
+
+ /* Keeping the initial values */
+ /* CONFIG_INT/CONFIG_LONG */
+@@ -6768,6 +6769,13 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
+ /* cyrus sasl doesn't like comma separated lists */
+ remove_commas(value);
+
++ if(invalid_sasl_mech(value)){
++ LDAPDebug(LDAP_DEBUG_ANY,"Invalid value/character for sasl mechanism (%s). Use ASCII "
++ "characters, upto 20 characters, that are upper-case letters, "
++ "digits, hyphens, or underscores\n", value, 0, 0);
++ return LDAP_UNWILLING_TO_PERFORM;
++ }
++
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+@@ -7452,3 +7460,55 @@ remove_commas(char *str)
+ }
+ }
+ }
++
++/*
++ * Check the SASL mechanism values
++ *
++ * As per RFC 4422:
++ * SASL mechanisms are named by character strings, from 1 to 20
++ * characters in length, consisting of ASCII [ASCII] uppercase letters,
++ * digits, hyphens, and/or underscores.
++ */
++static int
++invalid_sasl_mech(char *str)
++{
++ char *mech = NULL, *token = NULL, *next = NULL;
++ int i;
++
++ if(str == NULL){
++ return 0;
++ }
++
++ /*
++ * Check the length for each mechanism
++ */
++ token = slapi_ch_strdup(str);
++ for (mech = ldap_utf8strtok_r(token, " ", &next); mech;
++ mech = ldap_utf8strtok_r(NULL, " ", &next))
++ {
++ if(strlen(mech) == 0 || strlen(mech) > 20){
++ /* invalid length */
++ slapi_ch_free_string(&token);
++ return 1;
++ }
++ }
++ slapi_ch_free_string(&token);
++
++ /*
++ * Check the individual characters
++ */
++ for (i = 0; str[i]; i++){
++ if ( ((int)str[i] < 48 || (int)str[i] > 57) && /* not a digit */
++ ((int)str[i] < 65 || (int)str[i] > 90) && /* not upper case */
++ (int)str[i] != 32 && /* not a space (between mechanisms) */
++ (int)str[i] != 45 && /* not a hyphen */
++ (int)str[i] != 95 ) /* not an underscore */
++ {
++ /* invalid character */
++ return 1;
++ }
++ }
++
++ /* Mechanism value is valid */
++ return 0;
++}
+--
+1.8.1.4
+
diff --git a/SOURCES/0064-Ticket-47592-automember-plugin-task-memory-leaks.patch b/SOURCES/0064-Ticket-47592-automember-plugin-task-memory-leaks.patch
new file mode 100644
index 0000000..c82571a
--- /dev/null
+++ b/SOURCES/0064-Ticket-47592-automember-plugin-task-memory-leaks.patch
@@ -0,0 +1,54 @@
+From 2429e72646b1bb30f8566b59dd370eb2ff1ac131 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 27 Nov 2013 10:58:43 -0500
+Subject: [PATCH 64/65] Ticket 47592 - automember plugin task memory leaks
+
+The search pblock was not destroyed at the end of the export and rebuild
+tasks.
+
+https://fedorahosted.org/389/ticket/47592
+
+Reviewed by: richm(Thanks!)
+(cherry picked from commit 085c6d494f90231f2e572a668ab601c321bffb01)
+(cherry picked from commit c9c7d545a987f8f52c9752ba1181d1885b74480c)
+---
+ ldap/servers/plugins/automember/automember.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
+index 3214ea1..cfea69d 100644
+--- a/ldap/servers/plugins/automember/automember.c
++++ b/ldap/servers/plugins/automember/automember.c
+@@ -2256,7 +2256,6 @@ void automember_rebuild_task_thread(void *arg){
+ }
+ }
+ automember_config_unlock();
+- slapi_free_search_results_internal(search_pb);
+
+ out:
+ if (plugin_is_betxn && fixup_pb) {
+@@ -2267,6 +2266,8 @@ out:
+ }
+ slapi_pblock_destroy(fixup_pb);
+ }
++ slapi_free_search_results_internal(search_pb);
++ slapi_pblock_destroy(search_pb);
+
+ if(result){
+ /* error */
+@@ -2470,9 +2471,11 @@ void automember_export_task_thread(void *arg){
+ }
+ }
+ automember_config_unlock();
+- slapi_free_search_results_internal(search_pb);
+
+ out:
++ slapi_free_search_results_internal(search_pb);
++ slapi_pblock_destroy(search_pb);
++
+ if(ldif_fd){
+ PR_Close(ldif_fd);
+ }
+--
+1.8.1.4
+
diff --git a/SOURCES/0065-Ticket-47620-389-ds-rejects-nsds5ReplicaProtocolTime.patch b/SOURCES/0065-Ticket-47620-389-ds-rejects-nsds5ReplicaProtocolTime.patch
new file mode 100644
index 0000000..68c7063
--- /dev/null
+++ b/SOURCES/0065-Ticket-47620-389-ds-rejects-nsds5ReplicaProtocolTime.patch
@@ -0,0 +1,563 @@
+From 39af2e9e98c895c5145090865d5ab7cde6cc12fd Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Fri, 6 Dec 2013 16:57:41 -0500
+Subject: [PATCH 65/65] Ticket 47620 - 389-ds rejects
+ nsds5ReplicaProtocolTimeout attribute
+
+Bug Description: Attempting to add/modify/delete nsds5ReplicaProtocolTimeout
+ results in an error 53 (unwilling to perform).
+
+Fix Description: Allow nsds5ReplicaProtocolTimeout to be updated in agreements
+ and the replica configuration. Also, made the config timeout
+ setting dynamic.
+
+https://fedorahosted.org/389/ticket/47620
+
+Reviewed by: rmeggins(Thanks!)
+(cherry picked from commit 58fca2c4e4f2120cb6e5fb249008be8f551e944c)
+(cherry picked from commit 490360fd96121d06fa8813e182b44d045257be98)
+---
+ ldap/servers/plugins/replication/repl5.h | 12 +++--
+ ldap/servers/plugins/replication/repl5_agmt.c | 54 ++++++++++++++++------
+ ldap/servers/plugins/replication/repl5_agmtlist.c | 27 +++++++++--
+ .../plugins/replication/repl5_inc_protocol.c | 23 +++++++--
+ .../plugins/replication/repl5_prot_private.h | 1 -
+ ldap/servers/plugins/replication/repl5_protocol.c | 13 ++----
+ ldap/servers/plugins/replication/repl5_replica.c | 54 ++++++++++++++--------
+ .../plugins/replication/repl5_replica_config.c | 25 +++++++++-
+ .../plugins/replication/repl5_tot_protocol.c | 17 +++++--
+ 9 files changed, 169 insertions(+), 57 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
+index 92a9229..321a285 100644
+--- a/ldap/servers/plugins/replication/repl5.h
++++ b/ldap/servers/plugins/replication/repl5.h
+@@ -386,9 +386,15 @@ char **agmt_get_attrs_to_strip(Repl_Agmt *ra);
+ int agmt_set_attrs_to_strip(Repl_Agmt *ra, Slapi_Entry *e);
+ int agmt_set_timeout(Repl_Agmt *ra, long timeout);
+ void agmt_update_done(Repl_Agmt *ra, int is_total);
+-int agmt_get_protocol_timeout(Repl_Agmt *agmt);
+
+ typedef struct replica Replica;
++PRUint64 agmt_get_protocol_timeout(Repl_Agmt *agmt);
++void agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout);
++void agmt_update_maxcsn(Replica *r, Slapi_DN *sdn, int op, LDAPMod **mods, CSN *csn);
++void add_agmt_maxcsns(Slapi_Entry *e, Replica *r);
++void agmt_set_maxcsn(Repl_Agmt *ra);
++void agmt_remove_maxcsn(Repl_Agmt *ra);
++int agmt_maxcsn_to_smod (Replica *r, Slapi_Mod *smod);
+
+ /* In repl5_agmtlist.c */
+ int agmtlist_config_init();
+@@ -494,7 +500,6 @@ void prot_notify_window_opened (Repl_Protocol *rp);
+ void prot_notify_window_closed (Repl_Protocol *rp);
+ Object *prot_get_replica_object(Repl_Protocol *rp);
+ void prot_replicate_now(Repl_Protocol *rp);
+-int prot_get_timeout(Repl_Protocol *rp);
+
+ Repl_Protocol *agmt_get_protocol(Repl_Agmt *ra);
+
+@@ -591,7 +596,8 @@ char *replica_get_dn(Replica *r);
+ void replica_check_for_tasks(Replica*r, Slapi_Entry *e);
+ void replica_update_state (time_t when, void *arg);
+ void replica_reset_csn_pl(Replica *r);
+-int replica_get_protocol_timeout(Replica *r);
++PRUint64 replica_get_protocol_timeout(Replica *r);
++void replica_set_protocol_timeout(Replica *r, PRUint64 timeout);
+ int replica_get_backoff_min(Replica *r);
+ int replica_get_backoff_max(Replica *r);
+ void replica_set_backoff_min(Replica *r, int min);
+diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
+index 90d94f8..b0da172 100644
+--- a/ldap/servers/plugins/replication/repl5_agmt.c
++++ b/ldap/servers/plugins/replication/repl5_agmt.c
+@@ -142,7 +142,9 @@ typedef struct repl5agmt {
+ char **attrs_to_strip; /* for fractional replication, if a "mod" is empty, strip out these attributes:
+ * modifiersname, modifytimestamp, internalModifiersname, internalModifyTimestamp, etc */
+ int agreement_type;
+- PRUint64 protocol_timeout;
++ Slapi_Counter *protocol_timeout;
++ char *maxcsn; /* agmt max csn */
++ Slapi_RWLock *attr_lock; /* RW lock for all the stripped attrs */
+ } repl5agmt;
+
+ /* Forward declarations */
+@@ -265,6 +267,14 @@ agmt_new_from_entry(Slapi_Entry *e)
+ slapi_entry_get_dn_const(e));
+ goto loser;
+ }
++ if ((ra->attr_lock = slapi_new_rwlock()) == NULL)
++ {
++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "Unable to create new attr lock "
++ "for replication agreement \"%s\" - agreement ignored.\n",
++ slapi_entry_get_dn_const(e));
++ goto loser;
++ }
++ ra->protocol_timeout = slapi_counter_new();
+
+ /* Find all the stuff we need for the agreement */
+
+@@ -338,19 +348,14 @@ agmt_new_from_entry(Slapi_Entry *e)
+ tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaRoot);
+ if (NULL != tmpstr)
+ {
++ PRUint64 ptimeout = 0;
++
+ ra->replarea = slapi_sdn_new_dn_passin(tmpstr);
+
+ /* If this agmt has its own timeout, grab it, otherwise use the replica's protocol timeout */
+- ra->protocol_timeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
+- if(ra->protocol_timeout == 0){
+- /* grab the replica protocol timeout */
+- Object *replobj = replica_get_replica_from_dn(ra->replarea);
+- if(replobj){
+- Replica *replica =(Replica*)object_get_data (replobj);
+- ra->protocol_timeout = replica_get_protocol_timeout(replica);
+- } else {
+- ra->protocol_timeout = DEFAULT_PROTOCOL_TIMEOUT;
+- }
++ ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
++ if(ptimeout){
++ slapi_counter_set_value(ra->protocol_timeout, ptimeout);
+ }
+ }
+
+@@ -613,6 +618,17 @@ agmt_delete(void **rap)
+ if(ra->attrs_to_strip){
+ slapi_ch_array_free(ra->attrs_to_strip);
+ }
++ if(ra->maxcsn){
++ slapi_ch_free_string(&ra->maxcsn);
++ }
++ schedule_destroy(ra->schedule);
++ slapi_ch_free_string(&ra->long_name);
++
++ slapi_counter_destroy(&ra->protocol_timeout);
++
++ /* free the locks */
++ PR_DestroyLock(ra->lock);
++ slapi_destroy_rwlock(ra->attr_lock);
+
+ schedule_destroy(ra->schedule);
+ slapi_ch_free((void **)&ra->long_name);
+@@ -2663,9 +2679,21 @@ agmt_update_done(Repl_Agmt *agmt, int is_total)
+ windows_update_done(agmt, is_total);
+ }
+
+-int
++PRUint64
+ agmt_get_protocol_timeout(Repl_Agmt *agmt)
+ {
+- return (int)agmt->protocol_timeout;
++ if(agmt){
++ return slapi_counter_get_value(agmt->protocol_timeout);
++ } else {
++ return 0;
++ }
++}
++
++void
++agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout)
++{
++ if(agmt){
++ slapi_counter_set_value(agmt->protocol_timeout, timeout);
++ }
+ }
+
+diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
+index 1167b0c..04891b7 100644
+--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
+@@ -209,6 +209,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ LDAPMod **mods;
+ char buff [SLAPI_DSE_RETURNTEXT_SIZE];
+ char *errortext = returntext ? returntext : buff;
++ char *val = NULL;
+ int rc = SLAPI_DSE_CALLBACK_OK;
+ Slapi_Operation *op;
+ void *identity;
+@@ -243,16 +244,21 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
+ for (i = 0; NULL != mods && NULL != mods[i]; i++)
+ {
++ slapi_ch_free_string(&val);
+ if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize))
+ {
+ /* we don't allow delete attribute operations unless it was issued by
+ the replication plugin - handled above */
+ if (mods[i]->mod_op & LDAP_MOD_DELETE)
+ {
+- if(strcasecmp (mods[i]->mod_type, type_nsds5ReplicaCleanRUVnotified) == 0){
++ if(strcasecmp (mods[i]->mod_type, type_nsds5ReplicaCleanRUVnotified) == 0 ){
+ /* allow the deletion of cleanallruv agmt attr */
+ continue;
+ }
++ if(strcasecmp (mods[i]->mod_type, type_replicaProtocolTimeout) == 0){
++ agmt_set_protocol_timeout(agmt, 0);
++ continue;
++ }
+
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
+ "deletion of %s attribute is not allowed\n", type_nsds5ReplicaInitialize);
+@@ -262,8 +268,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ }
+ else
+ {
+- char *val;
+-
+ if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])
+ val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
+ else
+@@ -304,7 +308,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ val, mods[i]->mod_type);
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: %s\n", errortext);
+ }
+- slapi_ch_free ((void**)&val);
+ }
+ }
+ else if (slapi_attr_types_equivalent(mods[i]->mod_type,
+@@ -511,6 +514,21 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ rc = SLAPI_DSE_CALLBACK_ERROR;
+ }
+ }
++ else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){
++ if (val){
++ long ptimeout = atol(val);
++
++ if(ptimeout <= 0){
++ *returncode = LDAP_UNWILLING_TO_PERFORM;
++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, "
++ "must be a number greater than zero.\n",
++ type_replicaProtocolTimeout, val);
++ rc = SLAPI_DSE_CALLBACK_ERROR;
++ break;
++ }
++ agmt_set_protocol_timeout(agmt, ptimeout);
++ }
++ }
+ else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e))
+ {
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
+@@ -561,6 +579,7 @@ done:
+ {
+ agmtlist_release_agmt(agmt);
+ }
++ slapi_ch_free_string(&val);
+
+ return rc;
+ }
+diff --git a/ldap/servers/plugins/replication/repl5_inc_protocol.c b/ldap/servers/plugins/replication/repl5_inc_protocol.c
+index 612fe46..05074b0 100644
+--- a/ldap/servers/plugins/replication/repl5_inc_protocol.c
++++ b/ldap/servers/plugins/replication/repl5_inc_protocol.c
+@@ -1921,10 +1921,24 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu
+ static int
+ repl5_inc_stop(Private_Repl_Protocol *prp)
+ {
+- int return_value;
+ PRIntervalTime start, maxwait, now;
++ Replica *replica = NULL;
++ PRUint64 timeout;
++ int return_value;
++
++ if((timeout = agmt_get_protocol_timeout(prp->agmt)) == 0){
++ timeout = DEFAULT_PROTOCOL_TIMEOUT;
++ if(prp->replica_object){
++ object_acquire(prp->replica_object);
++ replica = object_get_data(prp->replica_object);
++ if((timeout = replica_get_protocol_timeout(replica)) == 0){
++ timeout = DEFAULT_PROTOCOL_TIMEOUT;
++ }
++ object_release(prp->replica_object);
++ }
++ }
+
+- maxwait = PR_SecondsToInterval(prp->timeout);
++ maxwait = PR_SecondsToInterval(timeout);
+ prp->terminate = 1;
+ event_notify(prp, EVENT_PROTOCOL_SHUTDOWN);
+ start = PR_IntervalNow();
+@@ -1939,8 +1953,8 @@ repl5_inc_stop(Private_Repl_Protocol *prp)
+ /* Isn't listening. Do something drastic. */
+ return_value = -1;
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
+- "%s: repl5_inc_stop: protocol does not stop after %d seconds\n",
+- agmt_get_long_name(prp->agmt), (int)prp->timeout);
++ "%s: repl5_inc_stop: protocol does not stop after %llu seconds\n",
++ agmt_get_long_name(prp->agmt), (long long unsigned int)timeout);
+ }
+ else
+ {
+@@ -2044,7 +2058,6 @@ Repl_5_Inc_Protocol_new(Repl_Protocol *rp)
+ prp->notify_window_closed = repl5_inc_notify_window_closed;
+ prp->update_now = repl5_inc_update_now;
+ prp->replica_object = prot_get_replica_object(rp);
+- prp->timeout = prot_get_timeout(rp);
+ if ((prp->lock = PR_NewLock()) == NULL)
+ {
+ goto loser;
+diff --git a/ldap/servers/plugins/replication/repl5_prot_private.h b/ldap/servers/plugins/replication/repl5_prot_private.h
+index 37072ee..586e1eb 100644
+--- a/ldap/servers/plugins/replication/repl5_prot_private.h
++++ b/ldap/servers/plugins/replication/repl5_prot_private.h
+@@ -75,7 +75,6 @@ typedef struct private_repl_protocol
+ int repl50consumer; /* Flag to tell us if this is a 5.0-style consumer we're talking to */
+ int repl71consumer; /* Flag to tell us if this is a 7.1-style consumer we're talking to */
+ int repl90consumer; /* Flag to tell us if this is a 9.0-style consumer we're talking to */
+- PRUint64 timeout;
+ } Private_Repl_Protocol;
+
+ extern Private_Repl_Protocol *Repl_5_Inc_Protocol_new();
+diff --git a/ldap/servers/plugins/replication/repl5_protocol.c b/ldap/servers/plugins/replication/repl5_protocol.c
+index 34fe8a0..0e9668d 100644
+--- a/ldap/servers/plugins/replication/repl5_protocol.c
++++ b/ldap/servers/plugins/replication/repl5_protocol.c
+@@ -71,8 +71,7 @@ typedef struct repl_protocol
+ Object *replica_object; /* Local replica. If non-NULL, replica object is acquired */
+ int state;
+ int next_state;
+- PRUint64 protocol_timeout;
+- PRThread *agmt_thread;
++ PRThread *agmt_thread;
+ PRLock *lock;
+ } repl_protocol;
+
+@@ -134,16 +133,17 @@ prot_new(Repl_Agmt *agmt, int protocol_state)
+ rp->prp_total = private_protocol_factory(rp, PROTOCOL_WINDOWS_TOTAL);
+ rp->delete_conn = windows_conn_delete;
+ }
+- rp->protocol_timeout = agmt_get_protocol_timeout(agmt);
+-
+ /* XXXggood register callback handlers for entries updated, and
+ schedule window enter/leave. */
+
+ goto done;
++
+ loser:
+ prot_delete(&rp);
++
+ done:
+ slapi_sdn_free(&replarea_sdn);
++
+ return rp;
+ }
+
+@@ -593,8 +593,3 @@ private_protocol_factory(Repl_Protocol *rp, int type)
+ return prp;
+ }
+
+-int
+-prot_get_timeout(Repl_Protocol *rp)
+-{
+- return (int)rp->protocol_timeout;
+-}
+diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
+index 8a1c590..02d4e74 100644
+--- a/ldap/servers/plugins/replication/repl5_replica.c
++++ b/ldap/servers/plugins/replication/repl5_replica.c
+@@ -87,7 +87,7 @@ struct replica {
+ PRBool state_update_inprogress; /* replica state is being updated */
+ PRLock *agmt_lock; /* protects agreement creation, start and stop */
+ char *locking_purl; /* supplier who has exclusive access */
+- PRUint64 protocol_timeout; /* protocol shutdown timeout */
++ Slapi_Counter *protocol_timeout; /* protocol shutdown timeout */
+ PRUint64 backoff_min; /* backoff retry minimum */
+ PRUint64 backoff_max; /* backoff retry maximum */
+ };
+@@ -164,26 +164,26 @@ replica_new(const Slapi_DN *root)
+ Replica *
+ replica_new_from_entry (Slapi_Entry *e, char *errortext, PRBool is_add_operation)
+ {
+- int rc = 0;
+- Replica *r;
++ int rc = 0;
++ Replica *r;
+ char *repl_name = NULL;
+
+- if (e == NULL)
+- {
+- if (NULL != errortext)
++ if (e == NULL)
++ {
++ if (NULL != errortext)
+ {
+- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "NULL entry");
++ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "NULL entry");
+ }
+- return NULL;
+- }
++ return NULL;
++ }
+
+- r = (Replica *)slapi_ch_calloc(1, sizeof(Replica));
++ r = (Replica *)slapi_ch_calloc(1, sizeof(Replica));
+
+- if (!r)
++ if (!r)
+ {
+- if (NULL != errortext)
++ if (NULL != errortext)
+ {
+- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Out of memory");
++ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Out of memory");
+ }
+ rc = -1;
+ goto done;
+@@ -208,6 +208,7 @@ replica_new_from_entry (Slapi_Entry *e, char *errortext, PRBool is_add_operation
+ rc = -1;
+ goto done;
+ }
++ r->protocol_timeout = slapi_counter_new();
+
+ /* read parameters from the replica config entry */
+ rc = _replica_init_from_config (r, e, errortext);
+@@ -403,6 +404,8 @@ replica_destroy(void **arg)
+ csnplFree(&r->min_csn_pl);;
+ }
+
++ slapi_counter_destroy(&r->protocol_timeout);
++
+ slapi_ch_free((void **)arg);
+ }
+
+@@ -796,10 +799,22 @@ replica_get_type (const Replica *r)
+ return r->repl_type;
+ }
+
+-int
++PRUint64
+ replica_get_protocol_timeout(Replica *r)
+ {
+- return (int)r->protocol_timeout;
++ if(r){
++ return slapi_counter_get_value(r->protocol_timeout);
++ } else {
++ return 0;
++ }
++}
++
++void
++replica_set_protocol_timeout(Replica *r, PRUint64 timeout)
++{
++ if(r){
++ slapi_counter_set_value(r->protocol_timeout, timeout);
++ }
+ }
+
+ /*
+@@ -1659,6 +1674,7 @@ _replica_init_from_config (Replica *r, Slapi_Entry *e, char *errortext)
+ char *val;
+ int backoff_min;
+ int backoff_max;
++ int ptimeout = 0;
+ int rc;
+
+ PR_ASSERT (r && e);
+@@ -1731,9 +1747,11 @@ _replica_init_from_config (Replica *r, Slapi_Entry *e, char *errortext)
+ }
+
+ /* get the protocol timeout */
+- r->protocol_timeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
+- if(r->protocol_timeout == 0){
+- r->protocol_timeout = DEFAULT_PROTOCOL_TIMEOUT;
++ ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
++ if(ptimeout <= 0){
++ slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT);
++ } else {
++ slapi_counter_set_value(r->protocol_timeout, ptimeout);
+ }
+
+ /* get replica flags */
+diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
+index 94c23c0..9452d51 100644
+--- a/ldap/servers/plugins/replication/repl5_replica_config.c
++++ b/ldap/servers/plugins/replication/repl5_replica_config.c
+@@ -396,9 +396,16 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry*
+ else if (strcasecmp (config_attr, type_replicaCleanRUV) == 0 ||
+ strcasecmp (config_attr, type_replicaAbortCleanRUV) == 0)
+ {
+- /* only allow the deletion of the cleanAllRUV config attributes */
++ /*
++ * Only allow the deletion of the cleanAllRUV config attributes, and the
++ * protocol timeout.
++ */
+ continue;
+ }
++ else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 )
++ {
++ replica_set_protocol_timeout(r, DEFAULT_PROTOCOL_TIMEOUT);
++ }
+ else
+ {
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+@@ -487,6 +494,22 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry*
+ {
+ *returncode = LDAP_SUCCESS;
+ }
++ else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 ){
++ if (apply_mods && config_attr_value && config_attr_value[0])
++ {
++ long ptimeout = atol(config_attr_value);
++
++ if(ptimeout <= 0){
++ *returncode = LDAP_UNWILLING_TO_PERFORM;
++ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE,
++ "attribute %s value (%s) is invalid, must be a number greater than zero.\n",
++ config_attr, config_attr_value);
++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "replica_config_modify: %s\n", errortext);
++ } else {
++ replica_set_protocol_timeout(r, ptimeout);
++ }
++ }
++ }
+ else
+ {
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+diff --git a/ldap/servers/plugins/replication/repl5_tot_protocol.c b/ldap/servers/plugins/replication/repl5_tot_protocol.c
+index 5bb203a..a241128 100644
+--- a/ldap/servers/plugins/replication/repl5_tot_protocol.c
++++ b/ldap/servers/plugins/replication/repl5_tot_protocol.c
+@@ -505,11 +505,22 @@ static int
+ repl5_tot_stop(Private_Repl_Protocol *prp)
+ {
+ int return_value;
+- int seconds = 600;
+ PRIntervalTime start, maxwait, now;
++ PRUint64 timeout = DEFAULT_PROTOCOL_TIMEOUT;
++ Replica *replica = NULL;
++
++ if((timeout = agmt_get_protocol_timeout(prp->agmt)) == 0){
++ timeout = DEFAULT_PROTOCOL_TIMEOUT;
++ if(prp->replica_object){
++ replica = object_get_data(prp->replica_object);
++ if((timeout = replica_get_protocol_timeout(replica)) == 0){
++ timeout = DEFAULT_PROTOCOL_TIMEOUT;
++ }
++ }
++ }
+
+ prp->terminate = 1;
+- maxwait = PR_SecondsToInterval(seconds);
++ maxwait = PR_SecondsToInterval(timeout);
+ start = PR_IntervalNow();
+ now = start;
+ while (!prp->stopped && ((now - start) < maxwait))
+@@ -567,7 +578,6 @@ Repl_5_Tot_Protocol_new(Repl_Protocol *rp)
+ prp->notify_window_opened = repl5_tot_noop;
+ prp->notify_window_closed = repl5_tot_noop;
+ prp->update_now = repl5_tot_noop;
+- prp->timeout = DEFAULT_PROTOCOL_TIMEOUT;
+ if ((prp->lock = PR_NewLock()) == NULL)
+ {
+ goto loser;
+@@ -588,6 +598,7 @@ Repl_5_Tot_Protocol_new(Repl_Protocol *rp)
+ prp->repl50consumer = 0;
+ prp->repl71consumer = 0;
+ prp->repl90consumer = 0;
++ prp->replica_object = prot_get_replica_object(rp);
+ return prp;
+ loser:
+ repl5_tot_delete(&prp);
+--
+1.8.1.4
+
diff --git a/SOURCES/0066-Ticket-47613-Issues-setting-allowed-mechanisms.patch b/SOURCES/0066-Ticket-47613-Issues-setting-allowed-mechanisms.patch
new file mode 100644
index 0000000..d6780c7
--- /dev/null
+++ b/SOURCES/0066-Ticket-47613-Issues-setting-allowed-mechanisms.patch
@@ -0,0 +1,72 @@
+From 26a0d63bcbf280d20bd984fd00fd82e82ed62de5 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 12 Dec 2013 12:48:08 -0500
+Subject: [PATCH 66/78] Ticket 47613 - Issues setting allowed mechanisms
+
+Bug Description: Adding an empty value for nsslapd-allowed-sasl-mechanisms blocks all
+ sasl authentication. Also changing the allowed sasl mechansism does
+ require a restart after making a change.
+
+Fix Description: Reject an empty values for nsslapd-allowed-sasl-mechanisms, and allow
+ config changes to occur without restarting the server.
+
+https://fedorahosted.org/389/ticket/47613
+
+Reviewed by: nhosoi(Thanks!)
+(cherry picked from commit 43959232f792db2b79e614f6db78f7569920fdc1)
+(cherry picked from commit a1e386188663c9197b80b3b51cca0d58ce0c9181)
+---
+ ldap/servers/slapd/configdse.c | 1 -
+ ldap/servers/slapd/libglobs.c | 10 +++++++---
+ 2 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c
+index bd1566e..b54062d 100644
+--- a/ldap/servers/slapd/configdse.c
++++ b/ldap/servers/slapd/configdse.c
+@@ -81,7 +81,6 @@ static const char *requires_restart[] = {
+ #endif
+ "cn=config:" CONFIG_RETURN_EXACT_CASE_ATTRIBUTE,
+ "cn=config:" CONFIG_SCHEMA_IGNORE_TRAILING_SPACES,
+- "cn=config:nsslapd-allowed-sasl-mechanisms",
+ "cn=config,cn=ldbm:nsslapd-idlistscanlimit",
+ "cn=config,cn=ldbm:nsslapd-parentcheck",
+ "cn=config,cn=ldbm:nsslapd-dbcachesize",
+diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
+index a763135..64510d6 100644
+--- a/ldap/servers/slapd/libglobs.c
++++ b/ldap/servers/slapd/libglobs.c
+@@ -6761,8 +6761,7 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
+ {
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+- if(!apply || slapdFrontendConfig->allowed_sasl_mechs){
+- /* we only set this at startup, if we try again just return SUCCESS */
++ if(!apply){
+ return LDAP_SUCCESS;
+ }
+
+@@ -6777,6 +6776,7 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
+ }
+
+ CFG_LOCK_WRITE(slapdFrontendConfig);
++ slapi_ch_free_string(&slapdFrontendConfig->allowed_sasl_mechs);
+ slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+
+@@ -7476,7 +7476,11 @@ invalid_sasl_mech(char *str)
+ int i;
+
+ if(str == NULL){
+- return 0;
++ return 1;
++ }
++ if(strlen(str) < 1){
++ /* ignore empty values */
++ return 1;
+ }
+
+ /*
+--
+1.8.1.4
+
diff --git a/SOURCES/0067-Ticket-47620-Fix-cherry-pick-error-for-1.3.2-and-1.3.patch b/SOURCES/0067-Ticket-47620-Fix-cherry-pick-error-for-1.3.2-and-1.3.patch
new file mode 100644
index 0000000..1419218
--- /dev/null
+++ b/SOURCES/0067-Ticket-47620-Fix-cherry-pick-error-for-1.3.2-and-1.3.patch
@@ -0,0 +1,51 @@
+From 00a0b5f1d506f5f79f4b27859355db8d5a70a249 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 12 Dec 2013 15:36:11 -0500
+Subject: [PATCH 67/78] Ticket 47620 - Fix cherry-pick error for 1.3.2 and
+ 1.3.1
+
+Description: During the cherry-pick process I had to make some manual changes,
+ and there were two schedule_destroy() calls made which lead to
+ a dereferenced point.
+
+https://fedorahosted.org/389/ticket/47620
+
+Reviewed by: rmeggins(Thanks!)
+(cherry picked from commit 3ae6900d8269926a1da097e3818aa444137aa9d9)
+(cherry picked from commit 5d4ac7c8c5d48be0796cdbf2ae7b9c40460de18c)
+---
+ ldap/servers/plugins/replication/repl5_agmt.c | 2 --
+ ldap/servers/plugins/replication/repl5_schedule.c | 4 ++++
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
+index b0da172..14c2fb4 100644
+--- a/ldap/servers/plugins/replication/repl5_agmt.c
++++ b/ldap/servers/plugins/replication/repl5_agmt.c
+@@ -630,8 +630,6 @@ agmt_delete(void **rap)
+ PR_DestroyLock(ra->lock);
+ slapi_destroy_rwlock(ra->attr_lock);
+
+- schedule_destroy(ra->schedule);
+- slapi_ch_free((void **)&ra->long_name);
+ slapi_ch_free((void **)rap);
+ }
+
+diff --git a/ldap/servers/plugins/replication/repl5_schedule.c b/ldap/servers/plugins/replication/repl5_schedule.c
+index 419e3ec..1db06a6 100644
+--- a/ldap/servers/plugins/replication/repl5_schedule.c
++++ b/ldap/servers/plugins/replication/repl5_schedule.c
+@@ -159,6 +159,10 @@ schedule_destroy(Schedule *s)
+ {
+ int i;
+
++ if(s == NULL){
++ return;
++ }
++
+ /* unschedule update window event if exists */
+ unschedule_window_state_change_event (s);
+
+--
+1.8.1.4
+
diff --git a/SOURCES/0068-Ticket-47620-Config-value-validation-improvement.patch b/SOURCES/0068-Ticket-47620-Config-value-validation-improvement.patch
new file mode 100644
index 0000000..1bc77b1
--- /dev/null
+++ b/SOURCES/0068-Ticket-47620-Config-value-validation-improvement.patch
@@ -0,0 +1,119 @@
+From 014aaa8b331e9af9f36432000c4c99b9f60687ae Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Fri, 13 Dec 2013 11:43:47 -0500
+Subject: [PATCH 68/78] Ticket 47620 - Config value validation improvement
+
+Bug Description: When setting the replication protocol timeout, it is possible
+ to set a negative number(it should be rejected), and when
+ setting the timeout for an agreement using letters, we get an
+ invalid syntax error, but it should really be an error 53 to
+ be consistent with how the invalid timeout error that is given
+ when updating the replica entry.
+
+Fix Description: In the agmt modify code, we did not have the actual modify value
+ during the validation. This allowed the value to be added, which
+ was later caught for the invalid syntax. Then improved the overall
+ logic to the validation to also catch the negative numbers.
+
+https://fedorahosted.org/389/ticket/47620
+
+Reviewed by: rmeggins(Thanks!)
+(cherry picked from commit 8a4bbc7c74a6847d75e4d6e9e0b16859a5da8ec0)
+(cherry picked from commit 1bbb27b522dd8eb36f09f47c144fd65511c132b5)
+---
+ ldap/servers/plugins/replication/repl5_agmtlist.c | 32 ++++++++++++----------
+ .../plugins/replication/repl5_replica_config.c | 12 +++++---
+ 2 files changed, 25 insertions(+), 19 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
+index 04891b7..bd14202 100644
+--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
+@@ -245,6 +245,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ for (i = 0; NULL != mods && NULL != mods[i]; i++)
+ {
+ slapi_ch_free_string(&val);
++ val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
+ if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize))
+ {
+ /* we don't allow delete attribute operations unless it was issued by
+@@ -268,10 +269,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ }
+ else
+ {
+- if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])
+- val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
+- else
+- {
++ if(val == NULL){
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
+ "no value provided for %s attribute\n", type_nsds5ReplicaInitialize);
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+@@ -515,19 +513,23 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ }
+ }
+ else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){
+- if (val){
+- long ptimeout = atol(val);
++ long ptimeout = 0;
+
+- if(ptimeout <= 0){
+- *returncode = LDAP_UNWILLING_TO_PERFORM;
+- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, "
+- "must be a number greater than zero.\n",
+- type_replicaProtocolTimeout, val);
+- rc = SLAPI_DSE_CALLBACK_ERROR;
+- break;
+- }
+- agmt_set_protocol_timeout(agmt, ptimeout);
++ if (val){
++ ptimeout = atol(val);
++ }
++ if(ptimeout <= 0){
++ *returncode = LDAP_UNWILLING_TO_PERFORM;
++ PR_snprintf (returntext, SLAPI_DSE_RETURNTEXT_SIZE,
++ "attribute %s value (%s) is invalid, must be a number greater than zero.\n",
++ type_replicaProtocolTimeout, val ? val : "");
++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, "
++ "must be a number greater than zero.\n",
++ type_replicaProtocolTimeout, val ? val : "");
++ rc = SLAPI_DSE_CALLBACK_ERROR;
++ break;
+ }
++ agmt_set_protocol_timeout(agmt, ptimeout);
+ }
+ else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e))
+ {
+diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
+index 9452d51..74e1fb7 100644
+--- a/ldap/servers/plugins/replication/repl5_replica_config.c
++++ b/ldap/servers/plugins/replication/repl5_replica_config.c
+@@ -497,17 +497,21 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry*
+ else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 ){
+ if (apply_mods && config_attr_value && config_attr_value[0])
+ {
+- long ptimeout = atol(config_attr_value);
++ long ptimeout = 0;
++
++ if(config_attr_value){
++ ptimeout = atol(config_attr_value);
++ }
+
+ if(ptimeout <= 0){
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "attribute %s value (%s) is invalid, must be a number greater than zero.\n",
+- config_attr, config_attr_value);
++ config_attr, config_attr_value ? config_attr_value : "");
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "replica_config_modify: %s\n", errortext);
+- } else {
+- replica_set_protocol_timeout(r, ptimeout);
++ break;
+ }
++ replica_set_protocol_timeout(r, ptimeout);
+ }
+ }
+ else
+--
+1.8.1.4
+
diff --git a/SOURCES/0069-Ticket-47620-Fix-logically-dead-code.patch b/SOURCES/0069-Ticket-47620-Fix-logically-dead-code.patch
new file mode 100644
index 0000000..42b192d
--- /dev/null
+++ b/SOURCES/0069-Ticket-47620-Fix-logically-dead-code.patch
@@ -0,0 +1,56 @@
+From 1eece8d6d6dc88eb214927992840e5edf270786b Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 16 Dec 2013 09:48:12 -0500
+Subject: [PATCH 69/78] Ticket 47620 - Fix logically dead code.
+
+Coverity issues: 12419 & 12420
+
+https://fedorahosted.org/389/ticket/47620
+
+Reviewed by: rmeggins(Thanks!)
+(cherry picked from commit 080cb44f5eaa794375a8e69b6e1ac09fcae9a961)
+(cherry picked from commit c094a9f1a758dabd1164bf979a4ac22bb3720d63)
+---
+ ldap/servers/plugins/replication/repl5_agmtlist.c | 12 +-----------
+ ldap/servers/plugins/replication/repl5_replica_config.c | 2 +-
+ 2 files changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
+index bd14202..5219c92 100644
+--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
+@@ -277,17 +277,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ break;
+ }
+
+- /* Start replica initialization */
+- if (val == NULL)
+- {
+- PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "No value supplied for attr (%s)", mods[i]->mod_type);
+- slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: %s\n",
+- errortext);
+- *returncode = LDAP_UNWILLING_TO_PERFORM;
+- rc = SLAPI_DSE_CALLBACK_ERROR;
+- break;
+- }
+-
++ /* Start replica initialization */
+ if (strcasecmp (val, "start") == 0)
+ {
+ start_initialize = 1;
+diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
+index 74e1fb7..853bcde 100644
+--- a/ldap/servers/plugins/replication/repl5_replica_config.c
++++ b/ldap/servers/plugins/replication/repl5_replica_config.c
+@@ -495,7 +495,7 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry*
+ *returncode = LDAP_SUCCESS;
+ }
+ else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 ){
+- if (apply_mods && config_attr_value && config_attr_value[0])
++ if (apply_mods)
+ {
+ long ptimeout = 0;
+
+--
+1.8.1.4
+
diff --git a/SOURCES/0070-Ticket-47620-Fix-dereferenced-NULL-pointer-in-agmtli.patch b/SOURCES/0070-Ticket-47620-Fix-dereferenced-NULL-pointer-in-agmtli.patch
new file mode 100644
index 0000000..5a3a162
--- /dev/null
+++ b/SOURCES/0070-Ticket-47620-Fix-dereferenced-NULL-pointer-in-agmtli.patch
@@ -0,0 +1,36 @@
+From 3d941308ae833a59cad81951793b6374a8c15a56 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Tue, 17 Dec 2013 13:11:03 -0500
+Subject: [PATCH 70/78] Ticket 47620 - Fix dereferenced NULL pointer in
+ agmtlist_modify_callback()
+
+The server would dereference a NULL point if an attribute was deleted from a replication
+agreement.
+
+https://fedorahosted.org/389/ticket/47620
+
+Reviewed by: rmeggins(Thanks!)
+(cherry picked from commit 8baed897f504e75478b5dbbe736c1eaf6d2d7fa9)
+(cherry picked from commit 60d263f7bc52e4b5186a01c38868763a275abadc)
+---
+ ldap/servers/plugins/replication/repl5_agmtlist.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
+index 5219c92..6e8b82c 100644
+--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
+@@ -245,7 +245,9 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ for (i = 0; NULL != mods && NULL != mods[i]; i++)
+ {
+ slapi_ch_free_string(&val);
+- val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
++ if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])
++ val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
++ }
+ if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize))
+ {
+ /* we don't allow delete attribute operations unless it was issued by
+--
+1.8.1.4
+
diff --git a/SOURCES/0071-Ticket-47620-Fix-missing-left-bracket.patch b/SOURCES/0071-Ticket-47620-Fix-missing-left-bracket.patch
new file mode 100644
index 0000000..b25fa51
--- /dev/null
+++ b/SOURCES/0071-Ticket-47620-Fix-missing-left-bracket.patch
@@ -0,0 +1,28 @@
+From 854e1f23218b8e81db2c05728f8e21cd09dd69eb Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Tue, 17 Dec 2013 14:01:34 -0500
+Subject: [PATCH 71/78] Ticket 47620 - Fix missing left bracket
+
+https://fedorahosted.org/389/ticket/47620
+(cherry picked from commit 3a4d39e166449177c85b92af8b47c5c6848c4d02)
+(cherry picked from commit b143477e186734333b6cfae615484b886b204e0e)
+---
+ ldap/servers/plugins/replication/repl5_agmtlist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
+index 6e8b82c..9e0291f 100644
+--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
+@@ -245,7 +245,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ for (i = 0; NULL != mods && NULL != mods[i]; i++)
+ {
+ slapi_ch_free_string(&val);
+- if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])
++ if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0]){
+ val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
+ }
+ if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize))
+--
+1.8.1.4
+
diff --git a/SOURCES/0072-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch b/SOURCES/0072-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch
new file mode 100644
index 0000000..a0f65bd
--- /dev/null
+++ b/SOURCES/0072-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch
@@ -0,0 +1,83 @@
+From d695afb6a637432e880296d8552f466981c0796c Mon Sep 17 00:00:00 2001
+From: "Thierry bordaz (tbordaz)" <tbordaz@redhat.com>
+Date: Thu, 16 May 2013 15:28:47 +0200
+Subject: [PATCH 72/78] Ticket 571 (dup 47361) - Empty control list causes LDAP
+ protocol error is thrown
+
+Bug Description:
+
+ If a request contains a list of controls containing zero control, it does
+ not conform RFC http://tools.ietf.org/html/rfc4511#section-4.1.11. Then the
+ server returns a Protocol Error.
+ This is too restrictive for some applications.
+ Note: such application needs to be linked with old version of mozldap or openldap
+ because recent version skip sending empty list of controls
+
+Fix Description:
+ The fix is to ignore this error and let the operation complete
+
+ Note: ticket 571 (bz 918717) is a duplicate of 47361 (bz 963234). 47361 was used to
+ backport in 1.2.11. 571 is used to backport in 1.3.1.
+ This bug is fixed since 1.3.2
+
+https://fedorahosted.org/389/ticket/571
+https://fedorahosted.org/389/ticket/47361
+
+Reviewed by: Rich Megginson (thanks Rich !)
+
+Platforms tested: F17 (unit + acceptance vlv/proxy/managed/psearch/tls/bindcontrol)
+
+Flag Day: no
+
+Doc impact: no
+(cherry picked from commit dea2a254117f1e9f4be1068c6784b2780fec933f)
+---
+ ldap/servers/slapd/control.c | 32 +++++++++++++++++++++-----------
+ 1 file changed, 21 insertions(+), 11 deletions(-)
+
+diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c
+index fc3ab9f..e614d50 100644
+--- a/ldap/servers/slapd/control.c
++++ b/ldap/servers/slapd/control.c
+@@ -354,17 +354,27 @@ get_ldapmessage_controls_ext(
+ len = -1; /* reset for next loop iter */
+ }
+
+- if ( (tag != LBER_END_OF_SEQORSET) && (len != -1) ) {
+- goto free_and_return;
+- }
+-
+- slapi_pblock_set( pb, SLAPI_REQCONTROLS, ctrls );
+- managedsait = slapi_control_present( ctrls,
+- LDAP_CONTROL_MANAGEDSAIT, NULL, NULL );
+- slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, &managedsait );
+- pwpolicy_ctrl = slapi_control_present( ctrls,
+- LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL );
+- slapi_pblock_set( pb, SLAPI_PWPOLICY, &pwpolicy_ctrl );
++ if (curcontrols == 0) {
++ int ctrl_not_found = 0; /* means that a given control is not present in the request */
++
++ slapi_pblock_set(pb, SLAPI_REQCONTROLS, NULL);
++ slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found);
++ slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found);
++ slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%d op=%d contains an empty list of controls\n",
++ pb->pb_conn->c_connid, pb->pb_op->o_opid);
++ } else {
++ if ((tag != LBER_END_OF_SEQORSET) && (len != -1)) {
++ goto free_and_return;
++ }
++
++ slapi_pblock_set(pb, SLAPI_REQCONTROLS, ctrls);
++ managedsait = slapi_control_present(ctrls,
++ LDAP_CONTROL_MANAGEDSAIT, NULL, NULL);
++ slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &managedsait);
++ pwpolicy_ctrl = slapi_control_present(ctrls,
++ LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL);
++ slapi_pblock_set(pb, SLAPI_PWPOLICY, &pwpolicy_ctrl);
++ }
+
+ if ( controlsp != NULL ) {
+ *controlsp = ctrls;
+--
+1.8.1.4
+
diff --git a/SOURCES/0073-Ticket-47606-replica-init-bulk-import-errors-should-.patch b/SOURCES/0073-Ticket-47606-replica-init-bulk-import-errors-should-.patch
new file mode 100644
index 0000000..9207ccf
--- /dev/null
+++ b/SOURCES/0073-Ticket-47606-replica-init-bulk-import-errors-should-.patch
@@ -0,0 +1,189 @@
+From 298ada3b2f7b8aa770df9a5a7d8129f46b4417d7 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Mon, 16 Dec 2013 13:03:19 -0800
+Subject: [PATCH 73/78] Ticket #47606 - replica init/bulk import errors should
+ be more verbose
+
+Description:
+1. maxbersize: If the size of an entry is larger than the consumer's
+ maxbersize, the following error used to be logged:
+ Incoming BER Element was too long, max allowable is ### bytes.
+ Change the nsslapd-maxbersize attribute in cn=config to increase.
+ This message does not indicate how large the maxbersize needs to be.
+ This patch adds the code to retrieve the failed ber size.
+ Revised message:
+ Incoming BER Element was @@@ bytes, max allowable is ### bytes.
+ Change the nsslapd-maxbersize attribute in cn=config to increase.
+ Note: There is no lber API that returns the ber size if it fails to
+ handle the ber. This patch borrows the internal structure of ber
+ and get the size. This could be risky since the size or structure
+ of the ber could be updated in the openldap/mozldap lber.
+2. cache size: The bulk import depends upon the nsslapd-cachememsize
+ value in the backend instance entry (e.g., cn=userRoot,cn=ldbm
+ database,cn=plugins,cn=config). If an entry size is larger than
+ the cachememsize, the bulk import used to fail with this message:
+ import userRoot: REASON: entry too large (@@@ bytes) for the
+ import buffer size (### bytes). Try increasing nsslapd-
+ cachememsize.
+ Also, the message follows the skipping entry message:
+ import userRoot: WARNING: skipping entry "<DN>"
+ but actually, it did NOT "skip" the entry and continue the bulk
+ import, but it failed there and completely wiped out the backend
+ database.
+ This patch modifies the message as follows:
+ import userRoot: REASON: entry too large (@@@ bytes) for the
+ effective import buffer size (### bytes). Try increasing nsslapd-
+ cachememsize for the backend instance "userRoot".
+ and as the message mentions, it just skips the failed entry and
+ continues the bulk import.
+3. In repl5_tot_result_threadmain, when conn_read_result_ex returns
+ non zero (non SUCCESS), it sets abort, but does not set any error
+ code to rc (return code), which is not considered as "finished" in
+ repl5_tot_waitfor_async_results and it contines waiting until the
+ code reaches the max loop count (about 5 minutes). This patch sets
+ LDAP_CONNECT_ERROR to the return code along with setting abort, if
+ conn_read_result_ex returns CONN_NOT_CONNECTED. This makes the bulk
+ import finishes quickly when it fails.
+
+https://fedorahosted.org/389/ticket/47606
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
+(cherry picked from commit 1119083d3d99993421609783efcb8962d78724fc)
+(cherry picked from commit fde9ed5bf74b4ea1fff875bcb421137c78af1227)
+(cherry picked from commit c9d0b6ccad84dd56a536da883f5a8e5acb01bc4e)
+---
+ .../plugins/replication/repl5_tot_protocol.c | 3 ++
+ ldap/servers/slapd/back-ldbm/import-threads.c | 8 ++---
+ ldap/servers/slapd/connection.c | 36 ++++++++++++++++++----
+ ldap/servers/slapd/openldapber.h | 25 +++++++++++++++
+ 4 files changed, 62 insertions(+), 10 deletions(-)
+ create mode 100644 ldap/servers/slapd/openldapber.h
+
+diff --git a/ldap/servers/plugins/replication/repl5_tot_protocol.c b/ldap/servers/plugins/replication/repl5_tot_protocol.c
+index a241128..3895ace 100644
+--- a/ldap/servers/plugins/replication/repl5_tot_protocol.c
++++ b/ldap/servers/plugins/replication/repl5_tot_protocol.c
+@@ -203,6 +203,9 @@ static void repl5_tot_result_threadmain(void *param)
+ /* If so then we need to take steps to abort the update process */
+ PR_Lock(cb->lock);
+ cb->abort = 1;
++ if (conres == CONN_NOT_CONNECTED) {
++ cb->rc = LDAP_CONNECT_ERROR;
++ }
+ PR_Unlock(cb->lock);
+ }
+ /* Should we stop ? */
+diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
+index c0475c6..95433aa 100644
+--- a/ldap/servers/slapd/back-ldbm/import-threads.c
++++ b/ldap/servers/slapd/back-ldbm/import-threads.c
+@@ -3330,11 +3330,11 @@ static int bulk_import_queue(ImportJob *job, Slapi_Entry *entry)
+
+ newesize = (slapi_entry_size(ep->ep_entry) + sizeof(struct backentry));
+ if (newesize > job->fifo.bsize) { /* entry too big */
+- import_log_notice(job, "WARNING: skipping entry \"%s\"",
+- slapi_entry_get_dn(ep->ep_entry));
+ import_log_notice(job, "REASON: entry too large (%lu bytes) for "
+- "the import buffer size (%lu bytes). Try increasing nsslapd-cachememsize.",
+- (long unsigned int)newesize, (long unsigned int)job->fifo.bsize);
++ "the effective import buffer size (%lu bytes). "
++ "Try increasing nsslapd-cachememsize for the backend instance \"%s\".",
++ (long unsigned int)newesize, (long unsigned int)job->fifo.bsize,
++ job->inst->inst_name);
+ backentry_clear_entry(ep); /* entry is released in the frontend on failure*/
+ backentry_free( &ep ); /* release the backend wrapper, here */
+ PR_Unlock(job->wire_lock);
+diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
+index fed3512..02c86c5 100644
+--- a/ldap/servers/slapd/connection.c
++++ b/ldap/servers/slapd/connection.c
+@@ -1749,6 +1749,32 @@ void connection_make_new_pb(Slapi_PBlock **ppb, Connection *conn)
+ }
+
+
++#ifdef USE_OPENLDAP
++#include "openldapber.h"
++#else
++#include "mozldap.h"
++#endif
++
++static ber_tag_t
++_ber_get_len(BerElement *ber, ber_len_t *lenp)
++{
++#ifdef USE_OPENLDAP
++ OLBerElement *lber = (OLBerElement *)ber;
++#else
++ MozElement *lber = (MozElement *)ber;
++#endif
++
++ if (NULL == lenp) {
++ return LBER_DEFAULT;
++ }
++ *lenp = 0;
++ if (NULL == lber) {
++ return LBER_DEFAULT;
++ }
++ *lenp = lber->ber_len;
++ return lber->ber_tag;
++}
++
+ /*
+ * Utility function called by connection_read_operation(). This is a
+ * small wrapper on top of libldap's ber_get_next_buffer_ext().
+@@ -1787,18 +1813,16 @@ get_next_from_buffer( void *buffer, size_t buffer_size, ber_len_t *lenp,
+ if ((LBER_OVERFLOW == *tagp || LBER_DEFAULT == *tagp) && 0 == bytes_scanned &&
+ !SLAPD_SYSTEM_WOULD_BLOCK_ERROR(errno))
+ {
+- if (LBER_OVERFLOW == *tagp)
+- {
+- err = SLAPD_DISCONNECT_BER_TOO_BIG;
+- }
+- else if (errno == ERANGE)
++ if ((LBER_OVERFLOW == *tagp) || (errno == ERANGE))
+ {
+ ber_len_t maxbersize = config_get_maxbersize();
++ ber_len_t tmplen = 0;
++ (void)_ber_get_len(ber, &tmplen);
+ /* openldap does not differentiate between length == 0
+ and length > max - all we know is that there was a
+ problem with the length - assume too big */
+ err = SLAPD_DISCONNECT_BER_TOO_BIG;
+- log_ber_too_big_error(conn, 0, maxbersize);
++ log_ber_too_big_error(conn, tmplen, maxbersize);
+ }
+ else
+ {
+diff --git a/ldap/servers/slapd/openldapber.h b/ldap/servers/slapd/openldapber.h
+new file mode 100644
+index 0000000..52644a5
+--- /dev/null
++++ b/ldap/servers/slapd/openldapber.h
+@@ -0,0 +1,25 @@
++/*
++ * openldap lber library does not provide an API which returns the ber size
++ * (ber->ber_len) when the ber tag is LBER_DEFAULT or LBER_OVERFLOW.
++ * The ber size is useful when issuing an error message to indicate how
++ * large the maxbersize needs to be set.
++ * Borrowed from liblber/lber-int.h
++ */
++struct lber_options {
++ short lbo_valid;
++ unsigned short lbo_options;
++ int lbo_debug;
++};
++struct berelement {
++ struct lber_options ber_opts;
++ ber_tag_t ber_tag;
++ ber_len_t ber_len;
++ ber_tag_t ber_usertag;
++ char *ber_buf;
++ char *ber_ptr;
++ char *ber_end;
++ char *ber_sos_ptr;
++ char *ber_rwptr;
++ void *ber_memctx;
++};
++typedef struct berelement OLBerElement;
+--
+1.8.1.4
+
diff --git a/SOURCES/0074-Ticket-47623-fix-memleak-caused-by-47347.patch b/SOURCES/0074-Ticket-47623-fix-memleak-caused-by-47347.patch
new file mode 100644
index 0000000..e692ddd
--- /dev/null
+++ b/SOURCES/0074-Ticket-47623-fix-memleak-caused-by-47347.patch
@@ -0,0 +1,42 @@
+From b910f02f74410f44d0285d77b15e5d399df3c1a8 Mon Sep 17 00:00:00 2001
+From: Rich Megginson <rmeggins@redhat.com>
+Date: Mon, 9 Dec 2013 17:00:32 -0700
+Subject: [PATCH 74/78] Ticket #47623 fix memleak caused by 47347
+
+https://fedorahosted.org/389/ticket/47623
+Reviewed by: nhosoi (Thanks!)
+Branch: 389-ds-base-1.3.1
+Fix Description: Only need to create the mutex when creating a new PR object.
+Platforms tested: RHEL6 x86_64
+Flag Day: no
+Doc impact: no
+(cherry picked from commit 98ccb602058270e97a3702ae2b81c17635af8d27)
+(cherry picked from commit 65c51555c0ecc94c5d93f09124168697ba1db6b3)
+(cherry picked from commit 8a2c666df491b7c8666f8a70a5038b35c43fbc3b)
+---
+ ldap/servers/slapd/pagedresults.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
+index 78bd6b0..a835d6b 100644
+--- a/ldap/servers/slapd/pagedresults.c
++++ b/ldap/servers/slapd/pagedresults.c
+@@ -122,6 +122,7 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
+ sizeof(PagedResults) * maxlen);
+ }
+ *index = maxlen; /* the first position in the new area */
++ conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
+ } else {
+ for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++) {
+ if (!conn->c_pagedresults.prl_list[i].pr_current_be) {
+@@ -131,7 +132,6 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
+ }
+ }
+ conn->c_pagedresults.prl_count++;
+- conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
+ } else {
+ /* Repeated paged results request.
+ * PagedResults is already allocated. */
+--
+1.8.1.4
+
diff --git a/SOURCES/0075-Ticket-47623-fix-memleak-caused-by-47347.patch b/SOURCES/0075-Ticket-47623-fix-memleak-caused-by-47347.patch
new file mode 100644
index 0000000..128c3f4
--- /dev/null
+++ b/SOURCES/0075-Ticket-47623-fix-memleak-caused-by-47347.patch
@@ -0,0 +1,44 @@
+From 0cd6aca794ccbd064c0609c45f8dc6333ad8ca8a Mon Sep 17 00:00:00 2001
+From: Rich Megginson <rmeggins@redhat.com>
+Date: Tue, 10 Dec 2013 08:08:35 -0700
+Subject: [PATCH 75/78] Ticket #47623 fix memleak caused by 47347
+
+https://fedorahosted.org/389/ticket/47623
+Reviewed by: tbordaz, nhosoi (Thanks!)
+Branch: 389-ds-base-1.3.1
+Fix Description: Create the mutex if it doesn't exist.
+Platforms tested: RHEL6 x86_64
+Flag Day: no
+Doc impact: no
+(cherry picked from commit 0d4849dd7551347f0e24ac1027f4d0501084dcf3)
+(cherry picked from commit 5d3ae5f709964cd7dfb73b631a22389223f5ef25)
+(cherry picked from commit 5c649ddacd1d2c11b6e922b29472094b780c2a0e)
+---
+ ldap/servers/slapd/pagedresults.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
+index a835d6b..9af5773 100644
+--- a/ldap/servers/slapd/pagedresults.c
++++ b/ldap/servers/slapd/pagedresults.c
+@@ -122,7 +122,6 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
+ sizeof(PagedResults) * maxlen);
+ }
+ *index = maxlen; /* the first position in the new area */
+- conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
+ } else {
+ for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++) {
+ if (!conn->c_pagedresults.prl_list[i].pr_current_be) {
+@@ -131,6 +130,9 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
+ }
+ }
+ }
++ if (!conn->c_pagedresults.prl_list[*index].pr_mutex) {
++ conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
++ }
+ conn->c_pagedresults.prl_count++;
+ } else {
+ /* Repeated paged results request.
+--
+1.8.1.4
+
diff --git a/SOURCES/0076-Ticket-47627-changelog-iteration-should-ignore-clean.patch b/SOURCES/0076-Ticket-47627-changelog-iteration-should-ignore-clean.patch
new file mode 100644
index 0000000..3906b84
--- /dev/null
+++ b/SOURCES/0076-Ticket-47627-changelog-iteration-should-ignore-clean.patch
@@ -0,0 +1,150 @@
+From ea86342f0497a2d4c45c337ada9ec9e8329fc7cd Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 11 Dec 2013 11:25:44 -0500
+Subject: [PATCH 76/78] Ticket 47627 - changelog iteration should ignore
+ cleaned rids when getting the minCSN
+
+Description: If a change is not found in the change log the server will look for a min csn
+ to start the replay. This minCSN should not come from a cleaned RUV element.
+
+https://fedorahosted.org/389/ticket/47627
+
+Reviewed by: rmeggins & lkrispenz(Thanks!!)
+(cherry picked from commit 9c6e9bb12327a2d50e651221614d34984b605427)
+(cherry picked from commit 8004449ae206d0d417497324ffedf79ca9e25572)
+---
+ ldap/servers/plugins/replication/cl5_api.c | 2 +-
+ ldap/servers/plugins/replication/repl5_ruv.c | 42 ++++++++++++++++++++++------
+ ldap/servers/plugins/replication/repl5_ruv.h | 3 ++
+ 3 files changed, 37 insertions(+), 10 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
+index 7bedc2c..064a628 100644
+--- a/ldap/servers/plugins/replication/cl5_api.c
++++ b/ldap/servers/plugins/replication/cl5_api.c
+@@ -5172,7 +5172,7 @@ static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consum
+ {
+ /* use the supplier min csn for the buffer start csn - we know
+ this csn is in our changelog */
+- if ((RUV_SUCCESS == ruv_get_min_csn(supplierRuv, &startCSN)) &&
++ if ((RUV_SUCCESS == ruv_get_min_csn_ext(supplierRuv, &startCSN, 1 /* ignore cleaned rids */)) &&
+ startCSN)
+ { /* must now free startCSN */
+ if (slapi_is_loglevel_set(SLAPI_LOG_REPL)) {
+diff --git a/ldap/servers/plugins/replication/repl5_ruv.c b/ldap/servers/plugins/replication/repl5_ruv.c
+index 7395195..dc83555 100644
+--- a/ldap/servers/plugins/replication/repl5_ruv.c
++++ b/ldap/servers/plugins/replication/repl5_ruv.c
+@@ -998,9 +998,9 @@ ruv_covers_csn_cleanallruv(const RUV *ruv, const CSN *csn)
+ * or max{maxcsns of all ruv elements} if get_the_max != 0.
+ */
+ static int
+-ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid)
++ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid, int ignore_cleaned_rid)
+ {
+- int return_value;
++ int return_value = RUV_SUCCESS;
+
+ if (ruv == NULL || csn == NULL)
+ {
+@@ -1012,6 +1012,7 @@ ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid
+ CSN *found = NULL;
+ RUVElement *replica;
+ int cookie;
++
+ slapi_rwlock_rdlock (ruv->lock);
+ for (replica = dl_get_first (ruv->elements, &cookie); replica;
+ replica = dl_get_next (ruv->elements, &cookie))
+@@ -1028,6 +1029,10 @@ ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid
+ {
+ continue;
+ }
++ if(ignore_cleaned_rid && is_cleaned_rid(replica->rid)){
++ continue;
++ }
++
+ if(rid){ /* we are only interested in this rid's maxcsn */
+ if(replica->rid == rid){
+ found = replica->csn;
+@@ -1041,36 +1046,55 @@ ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid
+ found = replica->csn;
+ }
+ }
+- }
++ }
++
+ if (found == NULL)
+ {
+- *csn = NULL;
++ *csn = NULL;
+ }
+ else
+ {
+ *csn = csn_dup (found);
+ }
+ slapi_rwlock_unlock (ruv->lock);
+- return_value = RUV_SUCCESS;
+ }
+ return return_value;
+ }
+
+ int
+-ruv_get_rid_max_csn(const RUV *ruv, CSN **csn, ReplicaId rid){
+- return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, rid);
++ruv_get_rid_max_csn(const RUV *ruv, CSN **csn, ReplicaId rid)
++{
++ return ruv_get_rid_max_csn_ext(ruv, csn, rid, 0);
++}
++
++int
++ruv_get_rid_max_csn_ext(const RUV *ruv, CSN **csn, ReplicaId rid, int ignore_cleaned_rid)
++{
++ return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, rid, ignore_cleaned_rid);
+ }
+
+ int
+ ruv_get_max_csn(const RUV *ruv, CSN **csn)
+ {
+- return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, 0 /* rid */);
++ return ruv_get_max_csn_ext(ruv, csn, 0);
++}
++
++int
++ruv_get_max_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid)
++{
++ return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, 0 /* rid */, ignore_cleaned_rid);
+ }
+
+ int
+ ruv_get_min_csn(const RUV *ruv, CSN **csn)
+ {
+- return ruv_get_min_or_max_csn(ruv, csn, 0 /* get the min */, 0 /* rid */);
++ return ruv_get_min_csn_ext(ruv, csn, 0);
++}
++
++int
++ruv_get_min_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid)
++{
++ return ruv_get_min_or_max_csn(ruv, csn, 0 /* get the min */, 0 /* rid */, ignore_cleaned_rid);
+ }
+
+ int
+diff --git a/ldap/servers/plugins/replication/repl5_ruv.h b/ldap/servers/plugins/replication/repl5_ruv.h
+index 799dc7f..4593b84 100644
+--- a/ldap/servers/plugins/replication/repl5_ruv.h
++++ b/ldap/servers/plugins/replication/repl5_ruv.h
+@@ -123,8 +123,11 @@ PRBool ruv_covers_csn(const RUV *ruv, const CSN *csn);
+ PRBool ruv_covers_csn_strict(const RUV *ruv, const CSN *csn);
+ PRBool ruv_covers_csn_cleanallruv(const RUV *ruv, const CSN *csn);
+ int ruv_get_min_csn(const RUV *ruv, CSN **csn);
++int ruv_get_min_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid);
+ int ruv_get_max_csn(const RUV *ruv, CSN **csn);
++int ruv_get_max_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid);
+ int ruv_get_rid_max_csn(const RUV *ruv, CSN **csn, ReplicaId rid);
++int ruv_get_rid_max_csn_ext(const RUV *ruv, CSN **csn, ReplicaId rid, int ignore_cleaned_rid);
+ int ruv_enumerate_elements (const RUV *ruv, FNEnumRUV fn, void *arg);
+ int ruv_to_smod(const RUV *ruv, Slapi_Mod *smod);
+ int ruv_last_modified_to_smod(const RUV *ruv, Slapi_Mod *smod);
+--
+1.8.1.4
+
diff --git a/SOURCES/0077-Ticket-47627-Fix-replication-logging.patch b/SOURCES/0077-Ticket-47627-Fix-replication-logging.patch
new file mode 100644
index 0000000..65c7da6
--- /dev/null
+++ b/SOURCES/0077-Ticket-47627-Fix-replication-logging.patch
@@ -0,0 +1,61 @@
+From 30144a9dabfe221cdded349078eaedf91cb53e88 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Sat, 14 Dec 2013 07:38:12 -0500
+Subject: [PATCH 77/78] Ticket 47627 - Fix replication logging
+
+We printed the same CSN for the missing CSN and the supplier min CSN because
+we reused the same CSN pointer.
+
+https://fedorahosted.org/389/ticket/47627
+
+Reviewed by: rmeggins(Thanks!)
+(cherry picked from commit 20cccf58108099cead2412a979e70e4f5972b806)
+(cherry picked from commit ae3daa16783bab18f202a71b81177f4407dccdcd)
+---
+ ldap/servers/plugins/replication/cl5_api.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
+index 064a628..abcc39a 100644
+--- a/ldap/servers/plugins/replication/cl5_api.c
++++ b/ldap/servers/plugins/replication/cl5_api.c
+@@ -5081,6 +5081,7 @@ static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consum
+ int i;
+ CSN **csns = NULL;
+ CSN *startCSN = NULL;
++ CSN *minCSN = NULL;
+ char csnStr [CSN_STRSIZE];
+ int rc = CL5_SUCCESS;
+ Object *supplierRuvObj = NULL;
+@@ -5170,20 +5171,24 @@ static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consum
+ */
+ if ((rc == DB_NOTFOUND) && !ruv_has_csns(file->purgeRUV))
+ {
++ char mincsnStr[CSN_STRSIZE];
++
+ /* use the supplier min csn for the buffer start csn - we know
+ this csn is in our changelog */
+- if ((RUV_SUCCESS == ruv_get_min_csn_ext(supplierRuv, &startCSN, 1 /* ignore cleaned rids */)) &&
+- startCSN)
++ if ((RUV_SUCCESS == ruv_get_min_csn_ext(supplierRuv, &minCSN, 1 /* ignore cleaned rids */)) &&
++ minCSN)
+ { /* must now free startCSN */
+ if (slapi_is_loglevel_set(SLAPI_LOG_REPL)) {
+- csn_as_string(startCSN, PR_FALSE, csnStr);
++ csn_as_string(startCSN, PR_FALSE, csnStr);
++ csn_as_string(minCSN, PR_FALSE, mincsnStr);
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl,
+ "%s: CSN %s not found and no purging, probably a reinit\n",
+ agmt_name, csnStr);
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl,
+ "%s: Will try to use supplier min CSN %s to load changelog\n",
+- agmt_name, csnStr);
++ agmt_name, mincsnStr);
+ }
++ startCSN = minCSN;
+ rc = clcache_load_buffer (clcache, startCSN, DB_SET);
+ }
+ else
+--
+1.8.1.4
+
diff --git a/SOURCES/0078-Ticket-447-Possible-to-add-invalid-attribute-to-nssl.patch b/SOURCES/0078-Ticket-447-Possible-to-add-invalid-attribute-to-nssl.patch
new file mode 100644
index 0000000..2acccad
--- /dev/null
+++ b/SOURCES/0078-Ticket-447-Possible-to-add-invalid-attribute-to-nssl.patch
@@ -0,0 +1,69 @@
+From 31a7087a26c153ff3430a1028be34c64839d0fd0 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Wed, 8 Jan 2014 10:30:04 -0800
+Subject: [PATCH 78/78] Ticket #447 - Possible to add invalid attribute to
+ nsslapd-allowed-to-delete-attrs
+
+Bug description: If given value of nsslapd-allowed-to-delete-attrs are
+all invalid attributes, e.g.,
+ nsslapd-allowed-to-delete-attrs: invalid0 invalid1
+they were logged as invalid, but accidentally set to nsslapd-allowed-
+to-delete-attrs.
+
+Fix description: This patch checks the validation result and if there
+is no valid attributes given to nsslapd-allowed-to-delete-attrs, it
+issues a message in the error log:
+ nsslapd-allowed-to-delete-attrs: Given attributes are all invalid.
+ No effects.
+and it returns an error. The modify operation fails with "DSA is
+unwilling to perform".
+
+https://fedorahosted.org/389/ticket/447
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!)
+(cherry picked from commit 31cd7a838aef30d80be6efe519cc2e821811c645)
+(cherry picked from commit eab32225c129f6a5115bbd5ac2a3c2035f4393b2)
+(cherry picked from commit c392aa891e67b8be189d3e354a179fc376998642)
+---
+ ldap/servers/slapd/libglobs.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
+index 64510d6..6df225d 100644
+--- a/ldap/servers/slapd/libglobs.c
++++ b/ldap/servers/slapd/libglobs.c
+@@ -6720,15 +6720,23 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value,
+ /* given value included unknown attribute,
+ * we need to re-create a value. */
+ /* reuse the duplicated string for the new attr value. */
+- for (s = allowed, d = vcopy; s && *s; s++) {
+- size_t slen = strlen(*s);
+- memmove(d, *s, slen);
+- d += slen;
+- memmove(d, " ", 1);
+- d++;
++ if (allowed && (NULL == *allowed)) {
++ /* all the values to allow to delete are invalid */
++ slapi_log_error(SLAPI_LOG_FATAL, "config",
++ "%s: Given attributes are all invalid. No effects.\n",
++ CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE);
++ return LDAP_NO_SUCH_ATTRIBUTE;
++ } else {
++ for (s = allowed, d = vcopy; s && *s; s++) {
++ size_t slen = strlen(*s);
++ memmove(d, *s, slen);
++ d += slen;
++ memmove(d, " ", 1);
++ d++;
++ }
++ *(d-1) = '\0';
++ strcpy(value, vcopy); /* original value needs to be refreshed */
+ }
+- *(d-1) = '\0';
+- strcpy(value, vcopy); /* original value needs to be refreshed */
+ } else {
+ slapi_ch_free_string(&vcopy);
+ vcopy = slapi_ch_strdup(value);
+--
+1.8.1.4
+
diff --git a/SOURCES/0079-Ticket-47660-config_set_allowed_to_delete_attrs-Valg.patch b/SOURCES/0079-Ticket-47660-config_set_allowed_to_delete_attrs-Valg.patch
new file mode 100644
index 0000000..582c8a1
--- /dev/null
+++ b/SOURCES/0079-Ticket-47660-config_set_allowed_to_delete_attrs-Valg.patch
@@ -0,0 +1,50 @@
+From d30caf438689760dd4fce8dc914070daae47de72 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Mon, 13 Jan 2014 11:03:46 -0800
+Subject: [PATCH 79/83] Ticket #47660 - config_set_allowed_to_delete_attrs:
+ Valgrind reports Invalid read
+
+Description: There was a logic error in checking the availability of
+a pointer. Before checking the contents of an address, the correctness
+of the pointer needed to be checked.
+
+Also, one memory leak was found in the error return case.
+
+Note: these 2 issues were introduece by this commit:
+commit 94b123780b21e503b78bceca9d60904206ef91fa
+Trac Ticket #447 - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs
+
+https://fedorahosted.org/389/ticket/47660
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!)
+(cherry picked from commit 1a788bf35a138d221f2bfb88d6da5fc5244d738c)
+(cherry picked from commit 22c24f0d133cfcfc9f7457a84282d223ea3f6e25)
+(cherry picked from commit 4aa849fa0a32d90e7d88574f35e1e17fbaf1034f)
+---
+ ldap/servers/slapd/libglobs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
+index 6df225d..bcf7db4 100644
+--- a/ldap/servers/slapd/libglobs.c
++++ b/ldap/servers/slapd/libglobs.c
+@@ -6704,7 +6704,7 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value,
+ int needcopy = 0;
+ allowed = slapi_str2charray_ext(vcopy, " ", 0);
+ for (s = allowed; s && *s; s++) ;
+- for (--s; s && *s && (s >= allowed); s--) {
++ for (--s; s && (s >= allowed) && *s; s--) {
+ cgas = (struct config_get_and_set *)PL_HashTableLookup(confighash,
+ *s);
+ if (!cgas && PL_strcasecmp(*s, "aci") /* aci is an exception */) {
+@@ -6725,6 +6725,7 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value,
+ slapi_log_error(SLAPI_LOG_FATAL, "config",
+ "%s: Given attributes are all invalid. No effects.\n",
+ CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE);
++ slapi_ch_array_free(allowed);
+ return LDAP_NO_SUCH_ATTRIBUTE;
+ } else {
+ for (s = allowed, d = vcopy; s && *s; s++) {
+--
+1.8.1.4
+
diff --git a/SOURCES/0080-Ticket-408-Fix-crash-when-disabling-enabling-the-set.patch b/SOURCES/0080-Ticket-408-Fix-crash-when-disabling-enabling-the-set.patch
new file mode 100644
index 0000000..7f3d73b
--- /dev/null
+++ b/SOURCES/0080-Ticket-408-Fix-crash-when-disabling-enabling-the-set.patch
@@ -0,0 +1,208 @@
+From f649d36ecf04926704add30a9f3179bd862de4c1 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Thu, 16 Jan 2014 15:21:28 -0500
+Subject: [PATCH 80/83] Ticket 408 - Fix crash when disabling/enabling the
+ setting
+
+Bug Description: Enabling/disabling can lead to crash as the setting
+ was not designed to be dynamically updated.
+
+Fix Description: Do not use the actual config setting to determine if the
+ cache is enabled. Instead we record when the cache is
+ initialized. The server still needs to be restarted for
+ the config change to take effect.
+
+ Also freed the cache at server shtudown.
+
+https://fedorahosted.org/389/ticket/408
+
+Reviewed by: rmeggins(Thanks!)
+(cherry picked from commit 03c90f04065059ee310e9fa7d98228e0aa39fa50)
+(cherry picked from commit 50ad64a442495810a84558c6c17dcc2263b815b6)
+(cherry picked from commit e0d85bead832c6aa7a2ec01157ab786a53fb5272)
+---
+ ldap/servers/slapd/back-ldbm/monitor.c | 2 +-
+ ldap/servers/slapd/dn.c | 93 +++++++++++++++++++++++++++-------
+ ldap/servers/slapd/main.c | 1 +
+ ldap/servers/slapd/slapi-private.h | 2 +
+ 4 files changed, 78 insertions(+), 20 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/monitor.c b/ldap/servers/slapd/back-ldbm/monitor.c
+index 3427809..409c771 100644
+--- a/ldap/servers/slapd/back-ldbm/monitor.c
++++ b/ldap/servers/slapd/back-ldbm/monitor.c
+@@ -146,7 +146,7 @@ int ldbm_back_monitor_instance_search(Slapi_PBlock *pb, Slapi_Entry *e,
+ MSET("maxDnCacheCount");
+ }
+ /* normalized dn cache stats */
+- if(config_get_ndn_cache_enabled()){
++ if(ndn_cache_started()){
+ ndn_cache_get_stats(&hits, &tries, &size, &maxsize, &count);
+ sprintf(buf, "%" NSPRIu64, (long long unsigned int)tries);
+ MSET("normalizedDnCacheTries");
+diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
+index 9530b84..1eab631 100644
+--- a/ldap/servers/slapd/dn.c
++++ b/ldap/servers/slapd/dn.c
+@@ -103,6 +103,7 @@ static void ndn_cache_update_lru(struct ndn_cache_lru **node);
+ static void ndn_cache_add(char *dn, size_t dn_len, char *ndn, size_t ndn_len);
+ static void ndn_cache_delete(char *dn);
+ static void ndn_cache_flush();
++static void ndn_cache_free();
+ static int ndn_started = 0;
+ static PRLock *lru_lock = NULL;
+ static Slapi_RWLock *ndn_cache_lock = NULL;
+@@ -2751,7 +2752,7 @@ ndn_hash_string(const void *key)
+ void
+ ndn_cache_init()
+ {
+- if(!config_get_ndn_cache_enabled()){
++ if(!config_get_ndn_cache_enabled() || ndn_started){
+ return;
+ }
+ ndn_cache_hashtable = PL_NewHashTable( NDN_CACHE_BUCKETS, ndn_hash_string, PL_CompareStrings, PL_CompareValues, 0, 0);
+@@ -2764,24 +2765,49 @@ ndn_cache_init()
+ ndn_cache->cache_size = sizeof(struct ndn_cache_ctx) + sizeof(PLHashTable) + sizeof(PLHashTable);
+ ndn_cache->head = NULL;
+ ndn_cache->tail = NULL;
+-
++ ndn_started = 1;
+ if ( NULL == ( lru_lock = PR_NewLock()) || NULL == ( ndn_cache_lock = slapi_new_rwlock())) {
+- char *errorbuf = NULL;
+- if(ndn_cache_hashtable){
+- PL_HashTableDestroy(ndn_cache_hashtable);
+- }
+- ndn_cache_hashtable = NULL;
+- config_set_ndn_cache_enabled(CONFIG_NDN_CACHE, "off", errorbuf, 1 );
+- slapi_counter_destroy(&ndn_cache->cache_hits);
+- slapi_counter_destroy(&ndn_cache->cache_tries);
+- slapi_counter_destroy(&ndn_cache->cache_misses);
+- slapi_ch_free((void **)&ndn_cache);
++ ndn_cache_destroy();
+ slapi_log_error( SLAPI_LOG_FATAL, "ndn_cache_init", "Failed to create locks. Disabling cache.\n" );
+- } else {
+- ndn_started = 1;
+ }
+ }
+
++void
++ndn_cache_destroy()
++{
++ char *errorbuf = NULL;
++
++ if(!ndn_started){
++ return;
++ }
++ if(lru_lock){
++ PR_DestroyLock(lru_lock);
++ lru_lock = NULL;
++ }
++ if(ndn_cache_lock){
++ slapi_destroy_rwlock(ndn_cache_lock);
++ ndn_cache_lock = NULL;
++ }
++ if(ndn_cache_hashtable){
++ ndn_cache_free();
++ PL_HashTableDestroy(ndn_cache_hashtable);
++ ndn_cache_hashtable = NULL;
++ }
++ config_set_ndn_cache_enabled(CONFIG_NDN_CACHE, "off", errorbuf, 1 );
++ slapi_counter_destroy(&ndn_cache->cache_hits);
++ slapi_counter_destroy(&ndn_cache->cache_tries);
++ slapi_counter_destroy(&ndn_cache->cache_misses);
++ slapi_ch_free((void **)&ndn_cache);
++
++ ndn_started = 0;
++}
++
++int
++ndn_cache_started()
++{
++ return ndn_started;
++}
++
+ /*
+ * Look up this dn in the ndn cache
+ */
+@@ -2994,19 +3020,48 @@ ndn_cache_flush()
+ slapi_log_error( SLAPI_LOG_CACHE, "ndn_cache_flush","Flushed cache.\n");
+ }
+
++static void
++ndn_cache_free()
++{
++ struct ndn_cache_lru *node, *next, *flush_node;
++
++ if(!ndn_cache){
++ return;
++ }
++
++ node = ndn_cache->tail;
++ while(ndn_cache->cache_count){
++ flush_node = node;
++ /* update the lru */
++ next = node->prev;
++ if(next){
++ next->next = NULL;
++ }
++ ndn_cache->tail = next;
++ node = next;
++ /* now update the hash */
++ ndn_cache->cache_count--;
++ ndn_cache_delete(flush_node->key);
++ slapi_ch_free_string(&flush_node->key);
++ slapi_ch_free((void **)&flush_node);
++ }
++}
++
+ /* this is already "write" locked from ndn_cache_add */
+ static void
+ ndn_cache_delete(char *dn)
+ {
+- struct ndn_hash_val *ht_val;
++ struct ndn_hash_val *ht_entry;
+
+- ht_val = (struct ndn_hash_val *)PL_HashTableLookupConst(ndn_cache_hashtable, dn);
+- if(ht_val){
+- ndn_cache->cache_size -= ht_val->size;
+- slapi_ch_free_string(&ht_val->ndn);
++ ht_entry = (struct ndn_hash_val *)PL_HashTableLookupConst(ndn_cache_hashtable, dn);
++ if(ht_entry){
++ ndn_cache->cache_size -= ht_entry->size;
++ slapi_ch_free_string(&ht_entry->ndn);
++ slapi_ch_free((void **)&ht_entry);
+ PL_HashTableRemove(ndn_cache_hashtable, dn);
+ }
+ }
++
+ /* stats for monitor */
+ void
+ ndn_cache_get_stats(PRUint64 *hits, PRUint64 *tries, size_t *size, size_t *max_size, long *count)
+diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
+index a17a2c5..ad8dd83 100644
+--- a/ldap/servers/slapd/main.c
++++ b/ldap/servers/slapd/main.c
+@@ -1280,6 +1280,7 @@ main( int argc, char **argv)
+ cleanup:
+ SSL_ShutdownServerSessionIDCache();
+ SSL_ClearSessionCache();
++ ndn_cache_destroy();
+ NSS_Shutdown();
+ PR_Cleanup();
+ #ifdef _WIN32
+diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
+index 194f3fd..eaa5f98 100644
+--- a/ldap/servers/slapd/slapi-private.h
++++ b/ldap/servers/slapd/slapi-private.h
+@@ -392,6 +392,8 @@ Slapi_DN *slapi_sdn_init_normdn_passin(Slapi_DN *sdn, const char *dn);
+ char *slapi_dn_normalize_original( char *dn );
+ char *slapi_dn_normalize_case_original( char *dn );
+ void ndn_cache_init();
++void ndn_cache_destroy();
++int ndn_cache_started();
+ void ndn_cache_get_stats(PRUint64 *hits, PRUint64 *tries, size_t *size, size_t *max_size, long *count);
+ #define NDN_DEFAULT_SIZE 20971520 /* 20mb - size of normalized dn cache */
+
+--
+1.8.1.4
+
diff --git a/SOURCES/0081-Ticket-47620-Unable-to-delete-protocol-timeout-attri.patch b/SOURCES/0081-Ticket-47620-Unable-to-delete-protocol-timeout-attri.patch
new file mode 100644
index 0000000..c8c32d9
--- /dev/null
+++ b/SOURCES/0081-Ticket-47620-Unable-to-delete-protocol-timeout-attri.patch
@@ -0,0 +1,120 @@
+From 5a79c1ecc7e706202a2a668e6cb12624f302ed35 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Fri, 17 Jan 2014 15:13:21 -0500
+Subject: [PATCH 81/83] Ticket 47620 - Unable to delete protocol timeout
+ attribute
+
+Bug Description: Attempting to delete nsds5ReplicaProtocolTimeout from a replication
+ agreement unexpectedly fails with an error 53.
+
+Fix Description: The previous delete operation check was in the wrong location, and the
+ delete operation was treated as a modify - which then triggered the
+ error 53. Added the correct check for the delete operation.
+
+ Also removed some old code for a CLEANALLRUV attribute that was never
+ implemented.
+
+https://fedorahosted.org/389/ticket/47620
+
+Reviewed by: nhosoi(Thanks!)
+(cherry picked from commit 9c41a365e8fbd23cab28eb91f50cdce696a30730)
+(cherry picked from commit 77380161e9e04f64a431dd35ce4b4c45ed01cae5)
+---
+ ldap/servers/plugins/replication/repl5.h | 1 -
+ ldap/servers/plugins/replication/repl5_agmtlist.c | 46 +++++++++++------------
+ ldap/servers/plugins/replication/repl_globals.c | 1 -
+ 3 files changed, 22 insertions(+), 26 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
+index 321a285..655e8ba 100644
+--- a/ldap/servers/plugins/replication/repl5.h
++++ b/ldap/servers/plugins/replication/repl5.h
+@@ -167,7 +167,6 @@ extern const char *type_nsds5ReplicaBusyWaitTime;
+ extern const char *type_nsds5ReplicaSessionPauseTime;
+ extern const char *type_nsds5ReplicaEnabled;
+ extern const char *type_nsds5ReplicaStripAttrs;
+-extern const char *type_nsds5ReplicaCleanRUVnotified;
+ extern const char *type_replicaProtocolTimeout;
+ extern const char *type_replicaBackoffMin;
+ extern const char *type_replicaBackoffMax;
+diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
+index 9e0291f..0edf28a 100644
+--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
++++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
+@@ -254,15 +254,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ the replication plugin - handled above */
+ if (mods[i]->mod_op & LDAP_MOD_DELETE)
+ {
+- if(strcasecmp (mods[i]->mod_type, type_nsds5ReplicaCleanRUVnotified) == 0 ){
+- /* allow the deletion of cleanallruv agmt attr */
+- continue;
+- }
+- if(strcasecmp (mods[i]->mod_type, type_replicaProtocolTimeout) == 0){
+- agmt_set_protocol_timeout(agmt, 0);
+- continue;
+- }
+-
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
+ "deletion of %s attribute is not allowed\n", type_nsds5ReplicaInitialize);
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+@@ -505,23 +496,30 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
+ }
+ }
+ else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){
+- long ptimeout = 0;
+-
+- if (val){
+- ptimeout = atol(val);
++ if (mods[i]->mod_op & LDAP_MOD_DELETE)
++ {
++ agmt_set_protocol_timeout(agmt, 0);
+ }
+- if(ptimeout <= 0){
+- *returncode = LDAP_UNWILLING_TO_PERFORM;
+- PR_snprintf (returntext, SLAPI_DSE_RETURNTEXT_SIZE,
+- "attribute %s value (%s) is invalid, must be a number greater than zero.\n",
+- type_replicaProtocolTimeout, val ? val : "");
+- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, "
+- "must be a number greater than zero.\n",
+- type_replicaProtocolTimeout, val ? val : "");
+- rc = SLAPI_DSE_CALLBACK_ERROR;
+- break;
++ else
++ {
++ long ptimeout = 0;
++
++ if (val){
++ ptimeout = atol(val);
++ }
++ if(ptimeout <= 0){
++ *returncode = LDAP_UNWILLING_TO_PERFORM;
++ PR_snprintf (returntext, SLAPI_DSE_RETURNTEXT_SIZE,
++ "attribute %s value (%s) is invalid, must be a number greater than zero.\n",
++ type_replicaProtocolTimeout, val ? val : "");
++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, "
++ "must be a number greater than zero.\n",
++ type_replicaProtocolTimeout, val ? val : "");
++ rc = SLAPI_DSE_CALLBACK_ERROR;
++ break;
++ }
++ agmt_set_protocol_timeout(agmt, ptimeout);
+ }
+- agmt_set_protocol_timeout(agmt, ptimeout);
+ }
+ else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e))
+ {
+diff --git a/ldap/servers/plugins/replication/repl_globals.c b/ldap/servers/plugins/replication/repl_globals.c
+index 7dfeb9b..305ed25 100644
+--- a/ldap/servers/plugins/replication/repl_globals.c
++++ b/ldap/servers/plugins/replication/repl_globals.c
+@@ -133,7 +133,6 @@ const char *type_nsds5ReplicaBusyWaitTime = "nsds5ReplicaBusyWaitTime";
+ const char *type_nsds5ReplicaSessionPauseTime = "nsds5ReplicaSessionPauseTime";
+ const char *type_nsds5ReplicaEnabled = "nsds5ReplicaEnabled";
+ const char *type_nsds5ReplicaStripAttrs = "nsds5ReplicaStripAttrs";
+-const char *type_nsds5ReplicaCleanRUVnotified = "nsds5ReplicaCleanRUVNotified";
+
+ /* windows sync specific attributes */
+ const char *type_nsds7WindowsReplicaArea = "nsds7WindowsReplicaSubtree";
+--
+1.8.1.4
+
diff --git a/SOURCES/0082-Ticket-47516-replication-stops-with-excessive-clock-.patch b/SOURCES/0082-Ticket-47516-replication-stops-with-excessive-clock-.patch
new file mode 100644
index 0000000..56d9aea
--- /dev/null
+++ b/SOURCES/0082-Ticket-47516-replication-stops-with-excessive-clock-.patch
@@ -0,0 +1,92 @@
+From 029e230581a4b8e955db01dd0735f1ad9db521ac Mon Sep 17 00:00:00 2001
+From: Rich Megginson <rmeggins@redhat.com>
+Date: Thu, 16 Jan 2014 12:57:22 -0700
+Subject: [PATCH 82/83] Ticket #47516 replication stops with excessive clock
+ skew
+
+https://fedorahosted.org/389/ticket/47516
+Reviewed by: nhosoi (Thanks!)
+Branch: 389-ds-base-1.3.1
+Fix Description: The previous fix was not adequate. Instead, the determination
+of whether or not to ignore time skew should be determined in
+csngen_adjust_time().
+Platforms tested: RHEL6 x86_64
+Flag Day: no
+Doc impact: yes - document new config param
+(cherry picked from commit 9f2b104b0938b21d7c9fe37c736d0e6328843aeb)
+(cherry picked from commit a6ec074c6295a59938f313b4fe09430e8f601fab)
+(cherry picked from commit 51c1b2a0e4245b90f418f9f909c1d17c564f77f3)
+---
+ ldap/servers/plugins/replication/repl_extop.c | 11 ++---------
+ ldap/servers/slapd/csngen.c | 8 ++++++--
+ 2 files changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c
+index 57249a6..35014a9 100644
+--- a/ldap/servers/plugins/replication/repl_extop.c
++++ b/ldap/servers/plugins/replication/repl_extop.c
+@@ -835,19 +835,12 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb)
+ rc = replica_update_csngen_state_ext (replica, supplier_ruv, replicacsn); /* too much skew */
+ if (rc == CSN_LIMIT_EXCEEDED)
+ {
+- extern int config_get_ignore_time_skew();
+-
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ "conn=%" NSPRIu64 " op=%d repl=\"%s\": "
+ "Excessive clock skew from supplier RUV\n",
+ (long long unsigned int)connid, opid, repl_root);
+- if (!config_get_ignore_time_skew()) {
+- response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW;
+- goto send_response;
+- } else {
+- /* else just continue */
+- rc = 0;
+- }
++ response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW;
++ goto send_response;
+ }
+ else if (rc != 0)
+ {
+diff --git a/ldap/servers/slapd/csngen.c b/ldap/servers/slapd/csngen.c
+index 464a59e..f87f2d1 100644
+--- a/ldap/servers/slapd/csngen.c
++++ b/ldap/servers/slapd/csngen.c
+@@ -326,6 +326,8 @@ int csngen_adjust_time(CSNGen *gen, const CSN* csn)
+ time_t remote_time, remote_offset, cur_time;
+ PRUint16 remote_seqnum;
+ int rc;
++ extern int config_get_ignore_time_skew();
++ int ignore_time_skew = config_get_ignore_time_skew();
+
+ if (gen == NULL || csn == NULL)
+ return CSN_INVALID_PARAMETER;
+@@ -380,7 +382,7 @@ int csngen_adjust_time(CSNGen *gen, const CSN* csn)
+ remote_offset = remote_time - cur_time;
+ if (remote_offset > gen->state.remote_offset)
+ {
+- if (remote_offset <= CSN_MAX_TIME_ADJUST)
++ if (ignore_time_skew || (remote_offset <= CSN_MAX_TIME_ADJUST))
+ {
+ gen->state.remote_offset = remote_offset;
+ }
+@@ -651,6 +653,8 @@ _csngen_cmp_callbacks (const void *el1, const void *el2)
+ static int
+ _csngen_adjust_local_time (CSNGen *gen, time_t cur_time)
+ {
++ extern int config_get_ignore_time_skew();
++ int ignore_time_skew = config_get_ignore_time_skew();
+ time_t time_diff = cur_time - gen->state.sampled_time;
+
+ if (time_diff == 0) {
+@@ -714,7 +718,7 @@ _csngen_adjust_local_time (CSNGen *gen, time_t cur_time)
+ gen->state.remote_offset);
+ }
+
+- if (abs (time_diff) > CSN_MAX_TIME_ADJUST)
++ if (!ignore_time_skew && (abs (time_diff) > CSN_MAX_TIME_ADJUST))
+ {
+ slapi_log_error (SLAPI_LOG_FATAL, NULL, "_csngen_adjust_local_time: "
+ "adjustment limit exceeded; value - %d, limit - %d\n",
+--
+1.8.1.4
+
diff --git a/SOURCES/0083-Ticket-342-better-error-message-when-cache-overflows.patch b/SOURCES/0083-Ticket-342-better-error-message-when-cache-overflows.patch
new file mode 100644
index 0000000..8ec2bbd
--- /dev/null
+++ b/SOURCES/0083-Ticket-342-better-error-message-when-cache-overflows.patch
@@ -0,0 +1,36 @@
+From 4730b81cfda96b8825ad0b01df2e89024f31b634 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Thu, 16 Jan 2014 11:06:22 -0800
+Subject: [PATCH 83/83] Ticket #342 - better error message when cache overflows
+
+Description: commit 892bf12c1bb8b10afea3d6ff711059bf04e362cc
+introduced an invalid memory read/write. This patch prepares one
+extra aclpblock for the acl cache overflow.
+
+https://fedorahosted.org/389/ticket/342
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
+(cherry picked from commit 3fee1fc829a4a9573d087d1ead3c949239e5e914)
+(cherry picked from commit fe75b11cad371890482b7f394384083dc1b0fd70)
+(cherry picked from commit aec20501db3a33df0bc151371cdec334c62af4b0)
+---
+ ldap/servers/plugins/acl/acl_ext.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
+index e42a7e2..ee2dd0f 100644
+--- a/ldap/servers/plugins/acl/acl_ext.c
++++ b/ldap/servers/plugins/acl/acl_ext.c
+@@ -717,7 +717,8 @@ acl__malloc_aclpb ( )
+
+ /* allocate arrays for result cache */
+ aclpb->aclpb_cache_result = (r_cache_t *)
+- slapi_ch_calloc (aclpb_max_cache_results, sizeof (r_cache_t));
++ slapi_ch_calloc (aclpb_max_cache_results + 1 /* 1 for cache overflow warning */,
++ sizeof (r_cache_t));
+
+ /* allocate arrays for target handles in eval_context */
+ aclpb->aclpb_curr_entryEval_context.acle_handles_matched_target = (int *)
+--
+1.8.1.4
+
diff --git a/SOURCES/0084-Ticket-443-Deleting-attribute-present-in-nsslapd-all.patch b/SOURCES/0084-Ticket-443-Deleting-attribute-present-in-nsslapd-all.patch
new file mode 100644
index 0000000..32aa515
--- /dev/null
+++ b/SOURCES/0084-Ticket-443-Deleting-attribute-present-in-nsslapd-all.patch
@@ -0,0 +1,122 @@
+From 84a58b65db55c914a800b0fb31d538bc691c2b13 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Thu, 23 Jan 2014 18:07:56 -0800
+Subject: [PATCH 84/85] Ticket #443 - Deleting attribute present in
+ nsslapd-allowed-to-delete-attrs returns Operations error
+
+Description: commit 90dd9bb3c1411daca353d055d90618e67aa1fa7e introduced
+an Invalid read/write. The commit meant to allow "on" and "off" as well
+as integer 0 and 1 in on/off type of config parameters. This patch converts
+the integers to "on" or "off" and pass it to config set function.
+
+https://fedorahosted.org/389/ticket/443
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
+(cherry picked from commit c52987d295a9f4a091568d02679765f3a83beb69)
+(cherry picked from commit 4266657727fc71afbb6b4f21886ebd86a68b2ed2)
+(cherry picked from commit d68dc3235d04caf3736d3587801a3c96cfebccb6)
+---
+ ldap/servers/slapd/libglobs.c | 54 +++++++++++++++++++++++++------------------
+ 1 file changed, 31 insertions(+), 23 deletions(-)
+
+diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
+index bcf7db4..8bd4978 100644
+--- a/ldap/servers/slapd/libglobs.c
++++ b/ldap/servers/slapd/libglobs.c
+@@ -3176,8 +3176,7 @@ config_set_security( const char *attrname, char *value, char *errorbuf, int appl
+ }
+
+ static int
+-config_set_onoff ( const char *attrname, char *value, int *configvalue,
+- char *errorbuf, int apply )
++config_set_onoff(const char *attrname, char *value, int *configvalue, char *errorbuf, int apply)
+ {
+ int retVal = LDAP_SUCCESS;
+ slapi_onoff_t newval = -1;
+@@ -3185,33 +3184,27 @@ config_set_onoff ( const char *attrname, char *value, int *configvalue,
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ #endif
+
+- if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+- return LDAP_OPERATIONS_ERROR;
++ if ( config_value_is_null( attrname, value, errorbuf, 1 )) {
++ return LDAP_OPERATIONS_ERROR;
+ }
+
+ CFG_ONOFF_LOCK_WRITE(slapdFrontendConfig);
+- if ( strcasecmp ( value, "on" ) != 0 &&
+- strcasecmp ( value, "off") != 0 &&
+- /* initializing the value */
+- (*(int *)value != LDAP_ON) &&
+- (*(int *)value != LDAP_OFF)) {
+- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+- "%s: invalid value \"%s\". Valid values are \"on\" or \"off\".",
+- attrname, value );
+- retVal = LDAP_OPERATIONS_ERROR;
++ if (strcasecmp(value, "on") && strcasecmp(value, "off")) {
++ PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
++ "%s: invalid value \"%s\". Valid values are \"on\" or \"off\".",
++ attrname, value );
++ retVal = LDAP_OPERATIONS_ERROR;
+ }
+
+ if ( !apply ) {
+- /* we can return now if we aren't applying the changes */
+- return retVal;
++ /* we can return now if we aren't applying the changes */
++ return retVal;
+ }
+
+ if ( strcasecmp ( value, "on" ) == 0 ) {
+- newval = LDAP_ON;
++ newval = LDAP_ON;
+ } else if ( strcasecmp ( value, "off" ) == 0 ) {
+- newval = LDAP_OFF;
+- } else { /* assume it is an integer */
+- newval = *(slapi_onoff_t *)value;
++ newval = LDAP_OFF;
+ }
+
+ #ifdef ATOMIC_GETSET_ONOFF
+@@ -7000,6 +6993,18 @@ config_get_listen_backlog_size()
+ return retVal;
+ }
+
++static char *
++config_initvalue_to_onoff(struct config_get_and_set *cgas, char *initvalbuf, size_t initvalbufsize)
++{
++ char *retval = NULL;
++ if (cgas->config_var_type == CONFIG_ON_OFF) {
++ slapi_onoff_t *ival = (slapi_onoff_t *)(intptr_t)cgas->initvalue;
++ PR_snprintf(initvalbuf, initvalbufsize, "%s", (ival && *ival) ? "on" : "off");
++ retval = initvalbuf;
++ }
++ return retval;
++}
++
+ /*
+ * This function is intended to be used from the dse code modify callback. It
+ * is "optimized" for that case because it takes a berval** of values, which is
+@@ -7048,12 +7053,15 @@ config_set(const char *attr, struct berval **values, char *errorbuf, int apply)
+ default:
+ if ((NULL == values) &&
+ config_allowed_to_delete_attrs(cgas->attr_name)) {
++ char initvalbuf[64];
++ void *initval = cgas->initvalue;
++ if (cgas->config_var_type == CONFIG_ON_OFF) {
++ initval = (void *)config_initvalue_to_onoff(cgas, initvalbuf, sizeof(initvalbuf));
++ }
+ if (cgas->setfunc) {
+- retval = (cgas->setfunc)(cgas->attr_name, cgas->initvalue,
+- errorbuf, apply);
++ retval = (cgas->setfunc)(cgas->attr_name, initval, errorbuf, apply);
+ } else if (cgas->logsetfunc) {
+- retval = (cgas->logsetfunc)(cgas->attr_name, cgas->initvalue,
+- cgas->whichlog, errorbuf, apply);
++ retval = (cgas->logsetfunc)(cgas->attr_name, initval, cgas->whichlog, errorbuf, apply);
+ } else {
+ LDAPDebug1Arg(LDAP_DEBUG_ANY,
+ "config_set: the attribute %s is read only; "
+--
+1.8.1.4
+
diff --git a/SOURCES/0085-Ticket-47649-Server-hangs-in-cos_cache-when-adding-a.patch b/SOURCES/0085-Ticket-47649-Server-hangs-in-cos_cache-when-adding-a.patch
new file mode 100644
index 0000000..a8a2426
--- /dev/null
+++ b/SOURCES/0085-Ticket-47649-Server-hangs-in-cos_cache-when-adding-a.patch
@@ -0,0 +1,173 @@
+From f86b7bd86945df33843e90a7ac84d5967a7e7e82 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Fri, 24 Jan 2014 18:12:32 -0800
+Subject: [PATCH 85/85] Ticket #47649 - Server hangs in cos_cache when adding a
+ user entry
+
+Bug description: cos_dn_defs_cb reads cosDefinition and sets up the cos
+Definition part of cos cache. In the function, when processing
+cosAttribute, cosTargetTree and cosTemlpateDn are missing, it sets the
+parent dn of the cos definition dn. This parent setting is needed only
+when the 2 attributes are completely missing from the cos definition.
+But if the attributes are located below cosAttribute (see the Example
+cos definition), in addition to "cn=cosTemplates,ou=people,dc=example,
+dc=com", the parent of "cn=generatePostalCode,ou=People,dc=example,dc=com"
+is added to the cos cache as cosTemplateDn.
+ Example cos definition:
+ dn: cn=generatePostalCode,ou=People,dc=example,dc=com
+ description: generate postalCode attr based on location
+ objectClass: top
+ objectClass: ldapsubentry
+ objectClass: cossuperdefinition
+ objectClass: cosClassicDefinition
+ cosAttribute: postalCode
+ costemplatedn: cn=cosTemplates,ou=people,dc=example,dc=com
+ cosSpecifier: l
+ cn: generatePostalCode
+The mistakenly added cosTemplatedDn makes adding an entry under ou=People
+notify recreating the cos cache. The notification needs to be outside of
+backend transaction since it causes a deadlock with the cos_cache_wait_
+on_change thread which cannot read the DB due to the transaction but holds
+the lock that the notifier thread is waiting for.
+
+Fix description: The parent of the cos definition dn is set to the
+cosTargetTree and the cosTemlpateDn, only when the attributes are
+completely missing.
+
+https://fedorahosted.org/389/ticket/47649
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
+(cherry picked from commit 1e52401d3abd0377f55676f4a1508a02aaa7f955)
+(cherry picked from commit 01c0794cde7eb91a1a4e477a0286533df4a4ae38)
+(cherry picked from commit 1ebad4bd50fb1483998a32b5d3e232e89aeda0f7)
+---
+ ldap/servers/plugins/cos/cos_cache.c | 82 +++++++++++++++++++++---------------
+ 1 file changed, 48 insertions(+), 34 deletions(-)
+
+diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
+index fed2aa9..a68e59f 100644
+--- a/ldap/servers/plugins/cos/cos_cache.c
++++ b/ldap/servers/plugins/cos/cos_cache.c
+@@ -727,7 +727,8 @@ struct dn_defs_info {
+ * if a particular attempt to add a definition fails: info.ret gets set to
+ * zero only if we succed to add a def.
+ */
+-static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
++static int
++cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
+ {
+ struct dn_defs_info *info;
+ cosAttrValue **pSneakyVal = 0;
+@@ -877,31 +878,10 @@ static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
+ dnVals[valIndex]->bv_val);
+ }
+
+- if(!pCosTargetTree)
+- {
+- /* get the parent of the definition */
+- char *orig = slapi_dn_parent(pDn->val);
+- Slapi_DN *psdn = slapi_sdn_new_dn_byval(orig);
+- char *parent = (char *)slapi_sdn_get_dn(psdn);
+- if (!parent) {
+- parent = (char *)slapi_sdn_get_udn(psdn);
+- LDAPDebug(LDAP_DEBUG_ANY,
+- "cos_cache_build_definition_list: "
+- "failed to normalize parent dn %s. "
+- "Adding the pre normalized dn.\n",
+- parent, 0, 0);
+- }
+- cos_cache_add_attrval(&pCosTargetTree, parent);
+- if (!pCosTemplateDn) {
+- cos_cache_add_attrval(&pCosTemplateDn, parent);
+- }
+- slapi_sdn_free(&psdn);
+- }
+-
+ slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle,
+ dnVals[valIndex]->bv_val, NULL, NULL);
+ } /* if(attrType is cosAttribute) */
+-
++
+ /*
+ * Add the attributetype to the appropriate
+ * list.
+@@ -913,6 +893,47 @@ static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
+ ber_bvecfree( dnVals );
+ dnVals = NULL;
+ } while(!slapi_entry_next_attr(e, dnAttr, &dnAttr));
++
++ if (pCosAttribute && (!pCosTargetTree || !pCosTemplateDn)) {
++ /* get the parent of the definition */
++ char *orig = slapi_dn_parent(pDn->val);
++ char *parent = NULL;
++ if (orig) {
++ parent = slapi_create_dn_string("%s", orig);
++ if (!parent) {
++ parent = orig;
++ LDAPDebug1Arg(LDAP_DEBUG_ANY,
++ "cos_dn_defs_cb: "
++ "failed to normalize parent dn %s. "
++ "Adding the pre normalized dn.\n",
++ parent);
++ }
++ if (!pCosTargetTree) {
++ cos_cache_add_attrval(&pCosTargetTree, parent);
++ }
++ if (!pCosTemplateDn) {
++ cos_cache_add_attrval(&pCosTemplateDn, parent);
++ }
++ if (parent != orig) {
++ slapi_ch_free_string(&parent);
++ }
++ slapi_ch_free_string(&orig);
++ } else {
++ LDAPDebug1Arg(LDAP_DEBUG_ANY,
++ "cos_dn_defs_cb: "
++ "failed to get parent dn of cos definition %s.\n",
++ pDn->val);
++ if (!pCosTemplateDn) {
++ if (!pCosTargetTree) {
++ LDAPDebug0Args(LDAP_DEBUG_ANY, "cosTargetTree and cosTemplateDn are not set.\n");
++ } else {
++ LDAPDebug0Args(LDAP_DEBUG_ANY, "cosTemplateDn is not set.\n");
++ }
++ } else if (!pCosTargetTree) {
++ LDAPDebug0Args(LDAP_DEBUG_ANY, "cosTargetTree is not set.\n");
++ }
++ }
++ }
+
+ /*
+ determine the type of class of service scheme
+@@ -951,9 +972,7 @@ static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
+ */
+
+ /* these must exist */
+- if( pDn &&
+- pObjectclass &&
+-
++ if(pDn && pObjectclass &&
+ (
+ (cosType == COSTYPE_CLASSIC &&
+ pCosTemplateDn &&
+@@ -3582,14 +3601,9 @@ static int cos_cache_entry_is_cos_related( Slapi_Entry *e) {
+ {
+ pObj = (char*)slapi_value_get_string(val);
+
+- /*
+- * objectclasses are ascii--maybe strcasecmp() is faster than
+- * slapi_utf8casecmp()
+- */
+- if( !strcasecmp(pObj, "cosdefinition") ||
+- !strcasecmp(pObj, "cossuperdefinition") ||
+- !strcasecmp(pObj, "costemplate")
+- )
++ if(!strcasecmp(pObj, "cosdefinition") ||
++ !strcasecmp(pObj, "cossuperdefinition") ||
++ !strcasecmp(pObj, "costemplate"))
+ {
+ rc = 1;
+ }
+--
+1.8.1.4
+
diff --git a/SOURCES/0086-Ticket-47374-flush.pl-is-not-included-in-perl5.patch b/SOURCES/0086-Ticket-47374-flush.pl-is-not-included-in-perl5.patch
new file mode 100644
index 0000000..7322976
--- /dev/null
+++ b/SOURCES/0086-Ticket-47374-flush.pl-is-not-included-in-perl5.patch
@@ -0,0 +1,82 @@
+From 9b1e2d02e20f270aed32f05210d207398ae0f7a1 Mon Sep 17 00:00:00 2001
+From: Rich Megginson <rmeggins@redhat.com>
+Date: Fri, 31 Jan 2014 14:21:59 -0700
+Subject: [PATCH 86/87] Ticket #47374 - flush.pl is not included in perl5
+
+https://fedorahosted.org/389/ticket/47374
+Reviewed by: nhosoi (Thanks!)
+Branch: rhel-7.0
+Fix Description: Change opt_b to BeginNum and opt_r to Random_Seed.
+Have to specify option as j=i because -j has an integer argument.
+Get rid of opt_j and use ZeroPad instead.
+Platforms tested: RHEL6 x86_64
+Flag Day: no
+Doc impact: no
+(cherry picked from commit f9ba01b4b9ce3881cf08433b0c43db93ab207507)
+(cherry picked from commit 55df132065f109b8f548100461011c10b58843ea)
+(cherry picked from commit ea868566c49869b3fa0f6e2c7194b743d22f77fe)
+---
+ ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in b/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in
+index 51af0db..2ef76f2 100755
+--- a/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in
++++ b/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in
+@@ -543,13 +543,14 @@ sub flush {
+
+ my $Number_To_Generate = 1;
+ $Output_File_Name = "output.ldif";
+-$Random_Seed = 1;
++$Random_Seed = 0;
+ $Suffix = 'dc=example,dc=com';
+ $NamingType = "uid";
+ $inetOrgPerson = "objectClass: inetOrgPerson\n";
+ $PrintOrgChartDat = 0;
+-$DataDir = "/usr/share/dirsrv/data";
++$DataDir = "@templatedir@";
+ $BeginNum = 0;
++$ZeroPad = 0;
+
+ $Verbose = 0;
+ $debug = 0;
+@@ -572,7 +573,7 @@ GetOptions('number=i' => \$Number_To_Generate,
+ 'x' => \$opt_x,
+ 'y' => \$opt_y,
+ 'z' => \$opt_z,
+- 'j' => \$opt_j,
++ 'j=i' => \$ZeroPad,
+ 'verbose' => \$Verbose,
+ 'debug' => \$debug,
+ 'quiet' => \$Quiet,
+@@ -598,7 +599,6 @@ if ("" != $opt_y)
+ {
+ $printorgunit = 0;
+ }
+-$ZeroPad = $opt_j;
+
+ if ($Suffix =~ /o=/) {
+ ($Organization) = $Suffix =~ /o=([^,]+)/;
+@@ -1029,8 +1029,8 @@ sub MakeRandomLocality {
+ sub MakeRandomName {
+ local($Given_Name, $Surname, $Full_Name, $UID, $uniq, $first, $last, $RDN);
+ # Get the unique number depending if a seed was set or not.
+- $uniq = int rand($Random_Seed) if ($opt_r);
+- $uniq = $x if (!$opt_r);
++ $uniq = int rand($Random_Seed) if ($Random_Seed);
++ $uniq = $x if (!$Random_Seed);
+
+ $Given_Name = $given_names[rand @given_names];
+ $Surname = $family_names[rand @family_names];
+@@ -1040,7 +1040,7 @@ sub MakeRandomName {
+ $UID = $first . $last . "$uniq";
+
+ # Create the uid based on the DN naming type defined
+- if ($opt_b) { # use a uniquenumber for the RDN value
++ if ($BeginNum) { # use a uniquenumber for the RDN value
+ if ($ZeroPad) {
+ $RDN = sprintf "%0.${ZeroPad}d", $x;
+ } else {
+--
+1.8.1.4
+
diff --git a/SOURCES/0087-Ticket-471-logconv.pl-tool-removes-the-access-logs-c.patch b/SOURCES/0087-Ticket-471-logconv.pl-tool-removes-the-access-logs-c.patch
new file mode 100644
index 0000000..1b62c2f
--- /dev/null
+++ b/SOURCES/0087-Ticket-471-logconv.pl-tool-removes-the-access-logs-c.patch
@@ -0,0 +1,74 @@
+From 7dc5c28a3beeeb90cdae084ae6d1fa338c09c50f Mon Sep 17 00:00:00 2001
+From: Rich Megginson <rmeggins@redhat.com>
+Date: Fri, 31 Jan 2014 16:49:58 -0700
+Subject: [PATCH 87/87] Ticket #471 logconv.pl tool removes the access logs
+ contents if "-M" is not correctly used
+
+https://fedorahosted.org/389/ticket/471
+Reviewed by: nhosoi (Thanks!)
+Branch: rhel-7.0
+Fix Description: Do not call new_stats_block() until we verify that it is safe
+to call it. It will wipe out the file.
+Platforms tested: RHEL6 x86_64
+Flag Day: no
+Doc impact: no
+(cherry picked from commit 7447050f572fb8865145d020e9eab64032f667be)
+(cherry picked from commit cfbda421535451d99d3ee774a49fc099cfb902f0)
+(cherry picked from commit 811300f30264a82b6cd9d0e1d7594a066458912c)
+---
+ ldap/admin/src/logconv.pl | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
+index e7d7507..99e0efd 100755
+--- a/ldap/admin/src/logconv.pl
++++ b/ldap/admin/src/logconv.pl
+@@ -104,6 +104,8 @@ my $reportBinds = "no";
+ my $rootDN = "";
+ my $needCleanup = 0;
+ my @scopeTxt = ("0 (base)", "1 (one)", "2 (subtree)");
++my $reportStatsSecFile;
++my $reportStatsMinFile;
+
+ GetOptions(
+ 'd|rootDN=s' => \$rootDN,
+@@ -115,8 +117,8 @@ GetOptions(
+ 'S|startTime=s' => \$startTime,
+ 'E|endTime=s' => \$endTime,
+ 'B|bind=s' => sub { $reportBinds = "yes"; $bindReportDN=($_[1]) },
+- 'm|reportFileSecs=s' => sub { my ($opt,$value) = @_; $s_stats = new_stats_block($value); $reportStats = "-m";},
+- 'M|reportFileMins=s' => sub { my ($opt,$value) = @_; $m_stats = new_stats_block($value); $reportStats = "-M";},
++ 'm|reportFileSecs=s' => \$reportStatsSecFile,
++ 'M|reportFileMins=s' => \$reportStatsMinFile,
+ 'h|help' => sub { displayUsage() },
+ # usage options '-efcibaltnxgjuiryp'
+ 'e' => sub { $usage = $usage . "e"; },
+@@ -169,14 +171,23 @@ while($arg_count <= $#ARGV){
+ }
+
+ if($file_count == 0){
+- if($reportStats){
+- print "Usage error for option $reportStats, either the output file or access log is missing!\n\n";
++ if($reportStatsSecFile or $reportStatsMinFile){
++ print "Usage error for option -m or -M, either the output file or access log is missing!\n\n";
+ } else {
+ print "There are no access logs specified!\n\n";
+ }
+ exit 1;
+ }
+
++if ($reportStatsSecFile) {
++ $s_stats = new_stats_block($reportStatsSecFile);
++ $reportStats = "-m";
++}
++if ($reportStatsMinFile) {
++ $m_stats = new_stats_block($reportStatsMinFile);
++ $reportStats = "-M";
++}
++
+ if ($sizeCount eq "all"){$sizeCount = "100000";}
+
+ #######################################
+--
+1.8.1.4
+
diff --git a/SOURCES/0088-Ticket-47704-invalid-sizelimits-in-aci-group-evaluat.patch b/SOURCES/0088-Ticket-47704-invalid-sizelimits-in-aci-group-evaluat.patch
new file mode 100644
index 0000000..cf4a32f
--- /dev/null
+++ b/SOURCES/0088-Ticket-47704-invalid-sizelimits-in-aci-group-evaluat.patch
@@ -0,0 +1,45 @@
+From e585f17556d12f96683665aed7699a78a89c9ab4 Mon Sep 17 00:00:00 2001
+From: Ludwig Krispenz <lkrispen@redhat.com>
+Date: Tue, 18 Feb 2014 11:40:16 +0100
+Subject: [PATCH] Ticket 47704 - invalid sizelimits in aci group evaluation
+
+Bug Description: aci group evaluation fails because of sizelimit exceeded
+ but it is exceeded because it is -1476887876 or another
+ negative integer becasue operation parameter are a union
+ based on operation types and so for otehr than search
+ the value is dependent on the operation params
+
+Fix Description: treat any negative integer like -1 (unlimited). A better fix
+ would be to introduce a specific configuration param or
+ to abondon the limit in group evaluation at all. But this
+ could introduce backward compatibility problems and
+ will be handled in ticket 47703 for newer versions
+
+https://fedorahosted.org/389/ticket/47704
+
+Reviewed by: Rich, thanks
+(cherry picked from commit 377266ebb2ff488aa3cc4b96990c002db7e6103e)
+---
+ ldap/servers/plugins/acl/acl_ext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
+index ee2dd0f..b9cec43 100644
+--- a/ldap/servers/plugins/acl/acl_ext.c
++++ b/ldap/servers/plugins/acl/acl_ext.c
+@@ -836,6 +836,12 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy
+ slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &aclpb->aclpb_max_member_sizelimit );
+ if ( aclpb->aclpb_max_member_sizelimit == 0 ) {
+ aclpb->aclpb_max_member_sizelimit = SLAPD_DEFAULT_LOOKTHROUGHLIMIT;
++ } else if ( aclpb->aclpb_max_member_sizelimit < -1 ) {
++ /* handle the case of a negtive size limit either set or due
++ * to bug bz1065971. The member size limit should be dropped,
++ * but for backward compatibility to the best we can
++ */
++ aclpb->aclpb_max_member_sizelimit = -1;
+ }
+ slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &aclpb->aclpb_optype );
+
+--
+1.8.1.4
+
diff --git a/SOURCES/0089-Ticket-47709-package-issue-in-389-ds-base.patch b/SOURCES/0089-Ticket-47709-package-issue-in-389-ds-base.patch
new file mode 100644
index 0000000..c54b3b2
--- /dev/null
+++ b/SOURCES/0089-Ticket-47709-package-issue-in-389-ds-base.patch
@@ -0,0 +1,87 @@
+From 8cbc6f09ee63f21b235219e7ca92ed26b28c52da Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Thu, 20 Feb 2014 13:18:06 -0800
+Subject: [PATCH 89/90] Ticket #47709 - package issue in 389-ds-base
+
+Description: Following the package guideline, moving pytyon binaries
+to the architecture aware location and libns-dshttpd.so* from 389-ds-base
+to 389-ds-base-libs.
+
+https://fedorahosted.org/389/ticket/47709
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
+
+(cherry picked from commit a32b2a9ddc5764d449b051c20077643585e81def)
+(cherry picked from commit 011385ad8cb8afc42611b57a3a88600eb1d56932)
+(cherry picked from commit f1bbfe2ff0768128b10903ca1262302313b74ad6)
+---
+ Makefile.am | 8 +++++---
+ configure.ac | 5 +++++
+ 2 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 8cf7ba7..04845a0 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -166,6 +166,7 @@ initdir = @initdir@
+ initconfigdir = $(sysconfdir)@initconfigdir@
+ instconfigdir = @instconfigdir@
+ perldir = $(libdir)@perldir@
++pythondir = $(libdir)@pythondir@
+ infdir = $(datadir)@infdir@
+ mibdir = $(datadir)@mibdir@
+ updatedir = $(datadir)@updatedir@
+@@ -250,9 +251,7 @@ config_DATA = $(srcdir)/lib/ldaputil/certmap.conf \
+ # with the default schema e.g. there is
+ # considerable overlap of 60changelog.ldif and 01common.ldif
+ # and 60inetmail.ldif and 50ns-mail.ldif among others
+-sampledata_DATA = ldap/admin/src/scripts/failedbinds.py \
+- ldap/admin/src/scripts/DSSharedLib \
+- ldap/admin/src/scripts/logregex.py \
++sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \
+ $(srcdir)/ldap/ldif/Ace.ldif \
+ $(srcdir)/ldap/ldif/European.ldif \
+ $(srcdir)/ldap/ldif/Eurosuffix.ldif \
+@@ -404,6 +403,9 @@ perl_DATA = ldap/admin/src/scripts/SetupLog.pm \
+ ldap/admin/src/scripts/DSUpdate.pm \
+ ldap/admin/src/scripts/DSUpdateDialogs.pm
+
++python_DATA = ldap/admin/src/scripts/failedbinds.py \
++ ldap/admin/src/scripts/logregex.py
++
+ property_DATA = ldap/admin/src/scripts/setup-ds.res \
+ ldap/admin/src/scripts/migrate-ds.res
+
+diff --git a/configure.ac b/configure.ac
+index 2376b34..908683e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -264,6 +264,8 @@ if test "$with_fhs_opt" = "yes"; then
+ propertydir=/properties
+ # relative to libdir
+ perldir=/perl
++ # relative to libdir
++ pythondir=/python
+ else
+ if test "$with_fhs" = "yes"; then
+ ac_default_prefix=/usr
+@@ -295,6 +297,8 @@ else
+ propertydir=/$PACKAGE_NAME/properties
+ # relative to libdir
+ perldir=/$PACKAGE_NAME/perl
++ # relative to libdir
++ pythondir=/$PACKAGE_NAME/python
+ fi
+
+ # if mandir is the default value, override it
+@@ -403,6 +407,7 @@ AC_SUBST(serverincdir)
+ AC_SUBST(serverplugindir)
+ AC_SUBST(scripttemplatedir)
+ AC_SUBST(perldir)
++AC_SUBST(pythondir)
+ AC_SUBST(infdir)
+ AC_SUBST(mibdir)
+ AC_SUBST(mandir)
+--
+1.8.1.4
+
diff --git a/SOURCES/0090-Ticket-47709-package-issue-in-389-ds-base.patch b/SOURCES/0090-Ticket-47709-package-issue-in-389-ds-base.patch
new file mode 100644
index 0000000..4e3b58a
--- /dev/null
+++ b/SOURCES/0090-Ticket-47709-package-issue-in-389-ds-base.patch
@@ -0,0 +1,204 @@
+From 9293031eee2e795d6712f1d92314be03fe6f0751 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Thu, 20 Feb 2014 15:31:05 -0800
+Subject: [PATCH 90/90] Ticket #47709 - package issue in 389-ds-base
+
+Description: Automatically generated files: Makefile.in, configure
+(cherry picked from commit 99d5d3e59827c132ba2666c67f9e22bd62aaacab)
+---
+ Makefile.in | 65 ++++++++++++++++++++++++++++++++++++++++++-------------------
+ configure | 6 ++++++
+ 2 files changed, 51 insertions(+), 20 deletions(-)
+
+diff --git a/Makefile.in b/Makefile.in
+index d90f130..21d9dc5 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -144,9 +144,9 @@ am__installdirs = "$(DESTDIR)$(serverdir)" \
+ "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" \
+ "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" \
+ "$(DESTDIR)$(pkgconfigdir)" "$(DESTDIR)$(propertydir)" \
+- "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)" \
+- "$(DESTDIR)$(systemdsystemunitdir)" "$(DESTDIR)$(updatedir)" \
+- "$(DESTDIR)$(serverincdir)"
++ "$(DESTDIR)$(pythondir)" "$(DESTDIR)$(sampledatadir)" \
++ "$(DESTDIR)$(schemadir)" "$(DESTDIR)$(systemdsystemunitdir)" \
++ "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(serverincdir)"
+ LTLIBRARIES = $(server_LTLIBRARIES) $(serverplugin_LTLIBRARIES)
+ am__DEPENDENCIES_1 =
+ libacctpolicy_plugin_la_DEPENDENCIES = libslapd.la \
+@@ -1104,8 +1104,8 @@ NROFF = nroff
+ MANS = $(dist_man_MANS)
+ DATA = $(config_DATA) $(inf_DATA) $(initconfig_DATA) $(mib_DATA) \
+ $(nodist_property_DATA) $(perl_DATA) $(pkgconfig_DATA) \
+- $(property_DATA) $(sampledata_DATA) $(schema_DATA) \
+- $(systemdsystemunit_DATA) $(update_DATA)
++ $(property_DATA) $(python_DATA) $(sampledata_DATA) \
++ $(schema_DATA) $(systemdsystemunit_DATA) $(update_DATA)
+ HEADERS = $(serverinc_HEADERS)
+ ETAGS = etags
+ CTAGS = ctags
+@@ -1314,6 +1314,7 @@ prefix = @prefix@
+ program_transform_name = @program_transform_name@
+ propertydir = $(datadir)@propertydir@
+ psdir = @psdir@
++pythondir = $(libdir)@pythondir@
+ sampledatadir = $(datadir)@sampledatadir@
+ sasl_inc = @sasl_inc@
+ sasl_lib = @sasl_lib@
+@@ -1519,9 +1520,7 @@ config_DATA = $(srcdir)/lib/ldaputil/certmap.conf \
+ # with the default schema e.g. there is
+ # considerable overlap of 60changelog.ldif and 01common.ldif
+ # and 60inetmail.ldif and 50ns-mail.ldif among others
+-sampledata_DATA = ldap/admin/src/scripts/failedbinds.py \
+- ldap/admin/src/scripts/DSSharedLib \
+- ldap/admin/src/scripts/logregex.py \
++sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \
+ $(srcdir)/ldap/ldif/Ace.ldif \
+ $(srcdir)/ldap/ldif/European.ldif \
+ $(srcdir)/ldap/ldif/Eurosuffix.ldif \
+@@ -1674,6 +1673,9 @@ perl_DATA = ldap/admin/src/scripts/SetupLog.pm \
+ ldap/admin/src/scripts/DSUpdate.pm \
+ ldap/admin/src/scripts/DSUpdateDialogs.pm
+
++python_DATA = ldap/admin/src/scripts/failedbinds.py \
++ ldap/admin/src/scripts/logregex.py
++
+ property_DATA = ldap/admin/src/scripts/setup-ds.res \
+ ldap/admin/src/scripts/migrate-ds.res
+
+@@ -9547,6 +9549,27 @@ uninstall-propertyDATA:
+ @list='$(property_DATA)'; test -n "$(propertydir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ dir='$(DESTDIR)$(propertydir)'; $(am__uninstall_files_from_dir)
++install-pythonDATA: $(python_DATA)
++ @$(NORMAL_INSTALL)
++ @list='$(python_DATA)'; test -n "$(pythondir)" || list=; \
++ if test -n "$$list"; then \
++ echo " $(MKDIR_P) '$(DESTDIR)$(pythondir)'"; \
++ $(MKDIR_P) "$(DESTDIR)$(pythondir)" || exit 1; \
++ fi; \
++ for p in $$list; do \
++ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
++ echo "$$d$$p"; \
++ done | $(am__base_list) | \
++ while read files; do \
++ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pythondir)'"; \
++ $(INSTALL_DATA) $$files "$(DESTDIR)$(pythondir)" || exit $$?; \
++ done
++
++uninstall-pythonDATA:
++ @$(NORMAL_UNINSTALL)
++ @list='$(python_DATA)'; test -n "$(pythondir)" || list=; \
++ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
++ dir='$(DESTDIR)$(pythondir)'; $(am__uninstall_files_from_dir)
+ install-sampledataDATA: $(sampledata_DATA)
+ @$(NORMAL_INSTALL)
+ @list='$(sampledata_DATA)'; test -n "$(sampledatadir)" || list=; \
+@@ -9903,7 +9926,7 @@ check: $(BUILT_SOURCES)
+ all-am: Makefile $(LIBRARIES) $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) \
+ $(MANS) $(DATA) $(HEADERS) config.h
+ installdirs:
+- for dir in "$(DESTDIR)$(serverdir)" "$(DESTDIR)$(serverplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(taskdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" "$(DESTDIR)$(pkgconfigdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)" "$(DESTDIR)$(systemdsystemunitdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(serverincdir)"; do \
++ for dir in "$(DESTDIR)$(serverdir)" "$(DESTDIR)$(serverplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(taskdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" "$(DESTDIR)$(pkgconfigdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(pythondir)" "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)" "$(DESTDIR)$(systemdsystemunitdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(serverincdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+ install: $(BUILT_SOURCES)
+@@ -10058,7 +10081,7 @@ info-am:
+ install-data-am: install-configDATA install-infDATA \
+ install-initSCRIPTS install-initconfigDATA install-man \
+ install-mibDATA install-nodist_propertyDATA install-perlDATA \
+- install-pkgconfigDATA install-propertyDATA \
++ install-pkgconfigDATA install-propertyDATA install-pythonDATA \
+ install-sampledataDATA install-schemaDATA \
+ install-serverLTLIBRARIES install-serverincHEADERS \
+ install-serverpluginLTLIBRARIES install-systemdsystemunitDATA \
+@@ -10116,10 +10139,10 @@ uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \
+ uninstall-initconfigDATA uninstall-man uninstall-mibDATA \
+ uninstall-nodist_propertyDATA uninstall-perlDATA \
+ uninstall-pkgconfigDATA uninstall-propertyDATA \
+- uninstall-sampledataDATA uninstall-sbinPROGRAMS \
+- uninstall-sbinSCRIPTS uninstall-schemaDATA \
+- uninstall-serverLTLIBRARIES uninstall-serverincHEADERS \
+- uninstall-serverpluginLTLIBRARIES \
++ uninstall-pythonDATA uninstall-sampledataDATA \
++ uninstall-sbinPROGRAMS uninstall-sbinSCRIPTS \
++ uninstall-schemaDATA uninstall-serverLTLIBRARIES \
++ uninstall-serverincHEADERS uninstall-serverpluginLTLIBRARIES \
+ uninstall-systemdsystemunitDATA uninstall-taskSCRIPTS \
+ uninstall-updateDATA uninstall-updateSCRIPTS
+
+@@ -10145,8 +10168,9 @@ uninstall-man: uninstall-man1 uninstall-man8
+ install-man1 install-man8 install-mibDATA \
+ install-nodist_propertyDATA install-pdf install-pdf-am \
+ install-perlDATA install-pkgconfigDATA install-propertyDATA \
+- install-ps install-ps-am install-sampledataDATA \
+- install-sbinPROGRAMS install-sbinSCRIPTS install-schemaDATA \
++ install-ps install-ps-am install-pythonDATA \
++ install-sampledataDATA install-sbinPROGRAMS \
++ install-sbinSCRIPTS install-schemaDATA \
+ install-serverLTLIBRARIES install-serverincHEADERS \
+ install-serverpluginLTLIBRARIES install-strip \
+ install-systemdsystemunitDATA install-taskSCRIPTS \
+@@ -10160,15 +10184,16 @@ uninstall-man: uninstall-man1 uninstall-man8
+ uninstall-man1 uninstall-man8 uninstall-mibDATA \
+ uninstall-nodist_propertyDATA uninstall-perlDATA \
+ uninstall-pkgconfigDATA uninstall-propertyDATA \
+- uninstall-sampledataDATA uninstall-sbinPROGRAMS \
+- uninstall-sbinSCRIPTS uninstall-schemaDATA \
+- uninstall-serverLTLIBRARIES uninstall-serverincHEADERS \
+- uninstall-serverpluginLTLIBRARIES \
++ uninstall-pythonDATA uninstall-sampledataDATA \
++ uninstall-sbinPROGRAMS uninstall-sbinSCRIPTS \
++ uninstall-schemaDATA uninstall-serverLTLIBRARIES \
++ uninstall-serverincHEADERS uninstall-serverpluginLTLIBRARIES \
+ uninstall-systemdsystemunitDATA uninstall-taskSCRIPTS \
+ uninstall-updateDATA uninstall-updateSCRIPTS
+
+
+ clean-local:
++ -rm -rf dist
+ -rm -rf selinux-built
+
+ dberrstrs.h: Makefile
+diff --git a/configure b/configure
+index 22cc78f..fd1bfb6 100755
+--- a/configure
++++ b/configure
+@@ -720,6 +720,7 @@ defaultuser
+ updatedir
+ mibdir
+ infdir
++pythondir
+ perldir
+ scripttemplatedir
+ serverplugindir
+@@ -17934,6 +17935,8 @@ if test "$with_fhs_opt" = "yes"; then
+ propertydir=/properties
+ # relative to libdir
+ perldir=/perl
++ # relative to libdir
++ pythondir=/python
+ else
+ if test "$with_fhs" = "yes"; then
+ ac_default_prefix=/usr
+@@ -17963,6 +17966,8 @@ else
+ propertydir=/$PACKAGE_NAME/properties
+ # relative to libdir
+ perldir=/$PACKAGE_NAME/perl
++ # relative to libdir
++ pythondir=/$PACKAGE_NAME/python
+ fi
+
+ # if mandir is the default value, override it
+@@ -18216,6 +18221,7 @@ fi
+
+
+
++
+ # check for --with-instconfigdir
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-instconfigdir" >&5
+ $as_echo_n "checking for --with-instconfigdir... " >&6; }
+--
+1.8.1.4
+
diff --git a/SOURCES/0091-Ticket-408-create-a-normalized-dn-cache.patch b/SOURCES/0091-Ticket-408-create-a-normalized-dn-cache.patch
new file mode 100644
index 0000000..88da6e6
--- /dev/null
+++ b/SOURCES/0091-Ticket-408-create-a-normalized-dn-cache.patch
@@ -0,0 +1,35 @@
+From 515c57545df1958f90571461e6a1109e5c40522d Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Tue, 25 Feb 2014 14:33:48 -0800
+Subject: [PATCH 91/92] Ticket 408 - create a normalized dn cache
+
+covscan Defect type: FORWARD_NULL
+15. 389-ds-base-1.3.1.6/ldap/servers/slapd/dn.c:3036:var_deref_op -
+ Dereferencing null pointer "node".
+Introduced by commit 1d6dd39fb8b0ef8eb42ec9ef8c3d325e27a3d3c1
+Fix: Check if "node" is null or not before referencing.
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
+(cherry picked from commit 5ac08038a05877b4240755801debd5e5a3a94c6f)
+(cherry picked from commit 977c1b293beb0e8324a99614705ba316d46352f8)
+(cherry picked from commit 056d390f9ee97f02447ae802deb388ec41bf6925)
+---
+ ldap/servers/slapd/dn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
+index 1eab631..4a11a18 100644
+--- a/ldap/servers/slapd/dn.c
++++ b/ldap/servers/slapd/dn.c
+@@ -3003,7 +3003,7 @@ ndn_cache_flush()
+ int i;
+
+ node = ndn_cache->tail;
+- for(i = 0; i < NDN_FLUSH_COUNT && ndn_cache->cache_count > NDN_MIN_COUNT; i++){
++ for(i = 0; node && i < NDN_FLUSH_COUNT && ndn_cache->cache_count > NDN_MIN_COUNT; i++){
+ flush_node = node;
+ /* update the lru */
+ next = node->prev;
+--
+1.8.1.4
+
diff --git a/SOURCES/0092-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch b/SOURCES/0092-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch
new file mode 100644
index 0000000..0aad61a
--- /dev/null
+++ b/SOURCES/0092-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch
@@ -0,0 +1,39 @@
+From c5950ffa10303383596ea7611844185901d74e2f Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Tue, 25 Feb 2014 15:09:34 -0800
+Subject: [PATCH 92/92] Ticket 571 (dup 47361) - Empty control list causes LDAP
+ protocol error is thrown
+
+covscan Defect type: Compiler Warnings
+2. 389-ds-base-1.3.1.6/ldap/servers/slapd/control.c:364:25:
+ warning - format '%d' expects argument of type 'int',
+ but argument 4 has type 'PRUint64' [-Wformat=]
+Introduced by commit d695afb6a637432e880296d8552f466981c0796c
+Fix: Replaced %d with % NSPRIu64
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
+(cherry picked from commit 383db4a27cc417c1708989d84cf0e4445936ae9f)
+(cherry picked from commit 8b92149bf229d12052a2f349611e5f639fc57ef8)
+(cherry picked from commit 86b76ef2466659efd31b07bc02b02daf444a9cde)
+---
+ ldap/servers/slapd/control.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c
+index e614d50..1229e9f 100644
+--- a/ldap/servers/slapd/control.c
++++ b/ldap/servers/slapd/control.c
+@@ -360,8 +360,8 @@ get_ldapmessage_controls_ext(
+ slapi_pblock_set(pb, SLAPI_REQCONTROLS, NULL);
+ slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found);
+ slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found);
+- slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%d op=%d contains an empty list of controls\n",
+- pb->pb_conn->c_connid, pb->pb_op->o_opid);
++ slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%" NSPRIu64 " op=%d contains an empty list of controls\n",
++ (long long unsigned int)pb->pb_conn->c_connid, pb->pb_op->o_opid);
+ } else {
+ if ((tag != LBER_END_OF_SEQORSET) && (len != -1)) {
+ goto free_and_return;
+--
+1.8.1.4
+
diff --git a/SOURCES/0093-Ticket-408-create-a-normalized-dn-cache.patch b/SOURCES/0093-Ticket-408-create-a-normalized-dn-cache.patch
new file mode 100644
index 0000000..2c78087
--- /dev/null
+++ b/SOURCES/0093-Ticket-408-create-a-normalized-dn-cache.patch
@@ -0,0 +1,35 @@
+From 6cf6bea5372a57ffeee304c601e665f13861353c Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Tue, 25 Feb 2014 16:54:22 -0800
+Subject: [PATCH] Ticket 408 - create a normalized dn cache
+
+covscan Defect type: FORWARD_NULL
+15. 389-ds-base-1.3.1.6/ldap/servers/slapd/dn.c:3036:var_deref_op -
+ Dereferencing null pointer "node".
+Introduced by commit 1d6dd39fb8b0ef8eb42ec9ef8c3d325e27a3d3c1
+Fix: Check if "node" is null or not before referencing.
+Note: Found second FORWARD_NULL in addition to
+ commit 5ac08038a05877b4240755801debd5e5a3a94c6f,
+(cherry picked from commit ea13cda8f49646be8a9a5e468b2819bd2d91ca87)
+(cherry picked from commit dfa36fd4a7ab243a5692e7792d19e67e63b1e397)
+(cherry picked from commit 347ffb722f7d376e0ad2c565ada533f0dad3cfb8)
+---
+ ldap/servers/slapd/dn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
+index 4a11a18..003e9b7 100644
+--- a/ldap/servers/slapd/dn.c
++++ b/ldap/servers/slapd/dn.c
+@@ -3030,7 +3030,7 @@ ndn_cache_free()
+ }
+
+ node = ndn_cache->tail;
+- while(ndn_cache->cache_count){
++ while(node && ndn_cache->cache_count){
+ flush_node = node;
+ /* update the lru */
+ next = node->prev;
+--
+1.8.1.4
+
diff --git a/SOURCES/0094-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch b/SOURCES/0094-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch
new file mode 100644
index 0000000..9eca655
--- /dev/null
+++ b/SOURCES/0094-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch
@@ -0,0 +1,158 @@
+From e2b8468f459647261812f542485f3481d39bd26c Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Fri, 7 Mar 2014 12:29:55 -0800
+Subject: [PATCH] Ticket #47735 - e_uniqueid fails to set if an entry is a
+ conflict entry
+
+Bug Description:
+When an entry is turned to be a conflict entry, its nsUniqueId has
+a mdcsn info as a subtype like this:
+ nsUniqueId;mdcsn-5319136f000200010000: c5e0d787-a58f11e3-b7f9dfd1-acc3d5e4
+In this case, the attribute type is assigned to the berval "type"
+as follows:
+ type.bv_val = "nsUniqueId;mdcsn-5319136f000200010000"
+ type.bv_len = 37
+The subtyped stateinfo is processed in str2entry_state_information_from_type,
+which modifies type.bv_val to "nsUniqueId", but type.bv_len remains 37.
+str2entry_fast has this logic to set e_uniqueid, where the nsUniqueId
+with stateinfo fails to set the value to e_uniqueid.
+ if ( type.bv_len == 10 &&
+ PL_strncasecmp (type.bv_val, "nsUniqueId", type.bv_len) == 0 ){
+
+Fix Description: This patch resets the length of the type with the
+basetype length 10 before the if expression is called for setting
+e_uniqueid.
+
+https://fedorahosted.org/389/ticket/47735
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
+(cherry picked from commit 07bd2259cc45c9d5c193b15faaf0d0c60e1b723c)
+(cherry picked from commit 6e0ffbe1bdde99cfd71a5617d89482eef4696c7f)
+(cherry picked from commit d4350bd0724c37040a4aaf361a10918c925b7605)
+---
+ ldap/servers/slapd/entry.c | 60 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 36 insertions(+), 24 deletions(-)
+
+diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
+index 60e1dfe..0d018a9 100644
+--- a/ldap/servers/slapd/entry.c
++++ b/ldap/servers/slapd/entry.c
+@@ -95,10 +95,22 @@ struct attrs_in_extension attrs_in_extension[] =
+ /*
+ * WARNING: s gets butchered... the base type remains.
+ */
+-void
+-str2entry_state_information_from_type(char *s,CSNSet **csnset,CSN **attributedeletioncsn,CSN **maxcsn,int *value_state,int *attr_state)
++static void
++str2entry_state_information_from_type(struct berval *atype,
++ CSNSet **csnset,
++ CSN **attributedeletioncsn,
++ CSN **maxcsn,
++ int *value_state,
++ int *attr_state)
+ {
+- char *p= strchr(s, ';');
++ char *p = NULL;
++ if ((NULL == atype) || (NULL == atype->bv_val)) {
++ return;
++ }
++ p = PL_strchr(atype->bv_val, ';');
++ if (p) {
++ atype->bv_len = p - atype->bv_val;
++ }
+ *value_state= VALUE_PRESENT;
+ *attr_state= ATTRIBUTE_PRESENT;
+ while(p!=NULL)
+@@ -243,19 +255,20 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
+ }
+
+ if ( slapi_ldif_parse_line( s, &type, &value, &freeval ) < 0 ) {
+- LDAPDebug( LDAP_DEBUG_TRACE,
+- "<= str2entry_fast NULL (parse_line)\n", 0, 0, 0 );
++ LDAPDebug0Args(LDAP_DEBUG_TRACE, "<= str2entry_fast NULL (parse_line)\n");
+ continue;
+ }
+
+ /*
+ * Extract the attribute and value CSNs from the attribute type.
+- */
++ */
+ csn_free(&attributedeletioncsn); /* JCM - Do this more efficiently */
+ csnset_free(&valuecsnset);
+ value_state= VALUE_NOTFOUND;
+ attr_state= ATTRIBUTE_NOTFOUND;
+- str2entry_state_information_from_type(type.bv_val,&valuecsnset,&attributedeletioncsn,&maxcsn,&value_state,&attr_state);
++ str2entry_state_information_from_type(&type,
++ &valuecsnset, &attributedeletioncsn,
++ &maxcsn, &value_state, &attr_state);
+ if(!read_stateinfo)
+ {
+ /* We are not maintaining state information */
+@@ -393,8 +406,7 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
+ }
+
+ /* retrieve uniqueid */
+- if ( type.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH && PL_strncasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID, type.bv_len) == 0 ){
+-
++ if ((type.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH) && (PL_strcasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID) == 0)) {
+ if (e->e_uniqueid != NULL){
+ LDAPDebug (LDAP_DEBUG_TRACE,
+ "str2entry_fast: entry has multiple uniqueids %s "
+@@ -752,22 +764,21 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
+ char *valuecharptr=NULL;
+ struct berval bvvalue;
+ int rc;
+- entry_attrs *ea = NULL;
+- int tree_attr_checking = 0;
+- int big_entry_attr_presence_check = 0;
+- int check_for_duplicate_values =
+- ( 0 != ( flags & SLAPI_STR2ENTRY_REMOVEDUPVALS ));
+- Slapi_Value *value = 0;
+- CSN *attributedeletioncsn= NULL;
+- CSNSet *valuecsnset= NULL;
+- CSN *maxcsn= NULL;
+- char *normdn = NULL;
+- int strict = 0;
++ entry_attrs *ea = NULL;
++ int tree_attr_checking = 0;
++ int big_entry_attr_presence_check = 0;
++ int check_for_duplicate_values = ( 0 != ( flags & SLAPI_STR2ENTRY_REMOVEDUPVALS ));
++ Slapi_Value *value = 0;
++ CSN *attributedeletioncsn= NULL;
++ CSNSet *valuecsnset= NULL;
++ CSN *maxcsn= NULL;
++ char *normdn = NULL;
++ int strict = 0;
+
+ /* Check if we should be performing strict validation. */
+ strict = config_get_dn_validate_strict();
+
+- LDAPDebug( LDAP_DEBUG_TRACE, "=> str2entry_dupcheck\n", 0, 0, 0 );
++ LDAPDebug0Args(LDAP_DEBUG_TRACE, "=> str2entry_dupcheck\n");
+
+ e = slapi_entry_alloc();
+ slapi_entry_init(e,NULL,NULL);
+@@ -808,7 +819,9 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
+ csnset_free(&valuecsnset);
+ value_state= VALUE_NOTFOUND;
+ attr_state= VALUE_NOTFOUND;
+- str2entry_state_information_from_type(type,&valuecsnset,&attributedeletioncsn,&maxcsn,&value_state,&attr_state);
++ str2entry_state_information_from_type(&bvtype,
++ &valuecsnset, &attributedeletioncsn,
++ &maxcsn, &value_state, &attr_state);
+ if(!read_stateinfo)
+ {
+ /* We are not maintaining state information */
+@@ -916,8 +929,7 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
+ }
+
+ /* retrieve uniqueid */
+- if ( strcasecmp (type, SLAPI_ATTR_UNIQUEID) == 0 ){
+-
++ if ((bvtype.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH) && (PL_strcasecmp (type, SLAPI_ATTR_UNIQUEID) == 0)) {
+ if (e->e_uniqueid != NULL){
+ LDAPDebug (LDAP_DEBUG_TRACE,
+ "str2entry_dupcheck: entry has multiple uniqueids %s "
+--
+1.8.1.4
+
diff --git a/SOURCES/0095-Ticket-47739-directory-server-is-insecurely-misinter.patch b/SOURCES/0095-Ticket-47739-directory-server-is-insecurely-misinter.patch
new file mode 100644
index 0000000..0d649a3
--- /dev/null
+++ b/SOURCES/0095-Ticket-47739-directory-server-is-insecurely-misinter.patch
@@ -0,0 +1,75 @@
+From 8a368a62ea22127f95017467a044df57937ed238 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Mon, 10 Mar 2014 16:12:08 -0700
+Subject: [PATCH] Ticket #47739 - directory server is insecurely
+ misinterpreting authzid on a SASL/GSSAPI bind
+
+Description: SASL_CB_PROXY_POLICY callback is not needed since we
+don't support the case authid and authzid do not match. This patch
+gets rid of the callback function ids_sasl_proxy_policy.
+
+https://fedorahosted.org/389/ticket/47739
+
+Reviewed by nkinder@redhat.com (Thank you, Nathan!!)
+(cherry picked from commit 76acff12a86110d4165f94e2cba13ef5c7ebc38a)
+(cherry picked from commit 9bc2b46b7c7ee4c975d04b041f73a5992906b07c)
+(cherry picked from commit d2063c889feeba122e12f152e2e2c98aed4eb442)
+(cherry picked from commit 614d72196e696395d5bc0a6d62f8be9d4ee41c5b)
+---
+ ldap/servers/slapd/saslbind.c | 33 ---------------------------------
+ 1 file changed, 33 deletions(-)
+
+diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
+index 96b1f8c..b405c46 100644
+--- a/ldap/servers/slapd/saslbind.c
++++ b/ldap/servers/slapd/saslbind.c
+@@ -229,34 +229,6 @@ static int ids_sasl_log(
+ return SASL_OK;
+ }
+
+-static int ids_sasl_proxy_policy(
+- sasl_conn_t *conn,
+- void *context,
+- const char *requested_user, int rlen,
+- const char *auth_identity, int alen,
+- const char *def_realm, int urlen,
+- struct propctx *propctx
+-)
+-{
+- int retVal = SASL_OK;
+- /* do not permit sasl proxy authorization */
+- /* if the auth_identity is null or empty string, allow the sasl request to go thru */
+- if ( (auth_identity != NULL ) && ( strlen(auth_identity) > 0 ) ) {
+- Slapi_DN authId , reqUser;
+- slapi_sdn_init_dn_byref(&authId,auth_identity);
+- slapi_sdn_init_dn_byref(&reqUser,requested_user);
+- if (slapi_sdn_compare((const Slapi_DN *)&reqUser,(const Slapi_DN *) &authId) != 0) {
+- LDAPDebug(LDAP_DEBUG_TRACE,
+- "sasl proxy auth not permitted authid=%s user=%s\n",
+- auth_identity, requested_user, 0);
+- retVal = SASL_NOAUTHZ;
+- }
+- slapi_sdn_done(&authId);
+- slapi_sdn_done(&reqUser);
+- }
+- return retVal;
+-}
+-
+ static void ids_sasl_user_search(
+ char *basedn,
+ int scope,
+@@ -575,11 +547,6 @@ static sasl_callback_t ids_sasl_callbacks[] =
+ NULL
+ },
+ {
+- SASL_CB_PROXY_POLICY,
+- (IFP) ids_sasl_proxy_policy,
+- NULL
+- },
+- {
+ SASL_CB_CANON_USER,
+ (IFP) ids_sasl_canon_user,
+ NULL
+--
+1.8.1.4
+
diff --git a/SOURCES/0096-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch b/SOURCES/0096-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch
new file mode 100644
index 0000000..45abf61
--- /dev/null
+++ b/SOURCES/0096-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch
@@ -0,0 +1,78 @@
+From a0489deaa9b3f72dca120f3b1622039f92a3e437 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Thu, 13 Mar 2014 13:06:43 -0700
+Subject: [PATCH] Ticket #47735 - e_uniqueid fails to set if an entry is a
+ conflict entry
+
+Description: In commit e2b8468f459647261812f542485f3481d39bd26c,
+to get the base type length when a state info is stripped from
+the attribute type, the fix in str2entry_state_information_from_type
+blindly returned the base type length for the ordinary sub-typed
+attributes. This patch fixes it so that only when the state info
+is removed, the length is reset.
+
+https://fedorahosted.org/389/ticket/47735
+
+Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
+(cherry picked from commit a7ac181d60b1f2ecd3640d0b610eba300b7c3cdb)
+(cherry picked from commit 4ffa8247ab9dcc45137f07511d62ea33c24f76df)
+(cherry picked from commit 093a146853e6bb44b08c36a1da22735633adbd4a)
+(cherry picked from commit 2bb0f1b2b9b1c69118d8c8db1c5426eb7d7690ea)
+---
+ ldap/servers/slapd/entry.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
+index 0d018a9..5306da2 100644
+--- a/ldap/servers/slapd/entry.c
++++ b/ldap/servers/slapd/entry.c
+@@ -104,13 +104,11 @@ str2entry_state_information_from_type(struct berval *atype,
+ int *attr_state)
+ {
+ char *p = NULL;
++ char *semicolonp = NULL;
+ if ((NULL == atype) || (NULL == atype->bv_val)) {
+ return;
+ }
+ p = PL_strchr(atype->bv_val, ';');
+- if (p) {
+- atype->bv_len = p - atype->bv_val;
+- }
+ *value_state= VALUE_PRESENT;
+ *attr_state= ATTRIBUTE_PRESENT;
+ while(p!=NULL)
+@@ -169,19 +167,31 @@ str2entry_state_information_from_type(struct berval *atype,
+ csn_init_by_csn ( *maxcsn, *attributedeletioncsn );
+ }
+ }
++ if (NULL == semicolonp) {
++ semicolonp = p; /* the first semicolon */
++ }
+ }
+ else if(strncmp(p+1,"deletedattribute", 16)==0)
+ {
+ p[0]='\0';
+ *attr_state= ATTRIBUTE_DELETED;
++ if (NULL == semicolonp) {
++ semicolonp = p; /* the first semicolon */
++ }
+ }
+ else if(strncmp(p+1,"deleted", 7)==0)
+ {
+ p[0]='\0';
+ *value_state= VALUE_DELETED;
++ if (NULL == semicolonp) {
++ semicolonp = p; /* the first semicolon */
++ }
+ }
+ p= strchr(p+1, ';');
+ }
++ if (semicolonp) {
++ atype->bv_len = semicolonp - atype->bv_val;
++ }
+ }
+
+ /* rawdn is not consumed. Caller needs to free it. */
+--
+1.8.1.4
+
diff --git a/SOURCES/0097-Ticket-47759-Crash-in-replication-when-server-is-und.patch b/SOURCES/0097-Ticket-47759-Crash-in-replication-when-server-is-und.patch
new file mode 100644
index 0000000..a9e4d92
--- /dev/null
+++ b/SOURCES/0097-Ticket-47759-Crash-in-replication-when-server-is-und.patch
@@ -0,0 +1,474 @@
+From 5b6deac35adbae20d0821a4530d30f0908ad7478 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 31 Mar 2014 15:17:59 -0400
+Subject: [PATCH] Ticket 47759 - Crash in replication when server is under
+ write load
+
+Bug Description: When the server is under alot of load, a race condition allows
+ a replication connection LDAP struct to be freed(unbind) while
+ it is being used by another thread. This leads to a crash.
+
+Fix Description: Extend the connection lock to also cover ldap client interaction
+ (e.g. conn->ld struct).
+
+https://fedorahosted.org/389/ticket/47759
+
+Reviewed by: nhosoi & rmeggins(Thanks!!)
+(cherry picked from commit 9940ca29ca258891c52640a23adc2851afe59d0e)
+(cherry picked from commit 0e576c85c34826c4d63d9578db55f8179b4a1a60)
+(cherry picked from commit 2a80b7152823ca16628c2da48614166b8d2104a4)
+---
+ .../servers/plugins/replication/repl5_connection.c | 89 ++++++++++++----------
+ ldap/servers/slapd/ldaputil.c | 39 +++++-----
+ 2 files changed, 69 insertions(+), 59 deletions(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_connection.c b/ldap/servers/plugins/replication/repl5_connection.c
+index 668abda..17d1d9c 100644
+--- a/ldap/servers/plugins/replication/repl5_connection.c
++++ b/ldap/servers/plugins/replication/repl5_connection.c
+@@ -138,6 +138,7 @@ static void repl5_debug_timeout_callback(time_t when, void *arg);
+
+ /* Forward declarations */
+ static void close_connection_internal(Repl_Connection *conn);
++static void conn_delete_internal(Repl_Connection *conn);
+
+ /*
+ * Create a new connection object. Returns a pointer to the object, or
+@@ -182,11 +183,22 @@ conn_new(Repl_Agmt *agmt)
+ rpc->plain = NULL;
+ return rpc;
+ loser:
+- conn_delete(rpc);
++ conn_delete_internal(rpc);
+ slapi_ch_free((void**)&rpc);
+ return NULL;
+ }
+
++static PRBool
++conn_connected_locked(Repl_Connection *conn, int locked)
++{
++ PRBool return_value;
++
++ if(!locked) PR_Lock(conn->lock);
++ return_value = STATE_CONNECTED == conn->state;
++ if(!locked) PR_Unlock(conn->lock);
++
++ return return_value;
++}
+
+ /*
+ * Return PR_TRUE if the connection is in the connected state
+@@ -194,14 +206,9 @@ loser:
+ static PRBool
+ conn_connected(Repl_Connection *conn)
+ {
+- PRBool return_value;
+- PR_Lock(conn->lock);
+- return_value = STATE_CONNECTED == conn->state;
+- PR_Unlock(conn->lock);
+- return return_value;
++ return conn_connected_locked(conn, 1);
+ }
+
+-
+ /*
+ * Destroy a connection object.
+ */
+@@ -243,7 +250,6 @@ conn_delete(Repl_Connection *conn)
+ if (slapi_eq_cancel(conn->linger_event) == 1)
+ {
+ /* Event was found and cancelled. Destroy the connection object. */
+- PR_Unlock(conn->lock);
+ destroy_it = PR_TRUE;
+ }
+ else
+@@ -254,16 +260,15 @@ conn_delete(Repl_Connection *conn)
+ * off, so arrange for the event to destroy the object .
+ */
+ conn->delete_after_linger = PR_TRUE;
+- PR_Unlock(conn->lock);
+ }
+ }
+ if (destroy_it)
+ {
+ conn_delete_internal(conn);
+ }
++ PR_Unlock(conn->lock);
+ }
+
+-
+ /*
+ * Return the last operation type processed by the connection
+ * object, and the LDAP error encountered.
+@@ -327,17 +332,18 @@ conn_read_result_ex(Repl_Connection *conn, char **retoidp, struct berval **retda
+ while (!slapi_is_shutting_down())
+ {
+ /* we have to make sure the update sending thread does not
+- attempt to call conn_disconnect while we are reading
++ attempt to close connection while we are reading
+ results - so lock the conn while we get the results */
+ PR_Lock(conn->lock);
++
+ if ((STATE_CONNECTED != conn->state) || !conn->ld) {
+ rc = -1;
+ return_value = CONN_NOT_CONNECTED;
+ PR_Unlock(conn->lock);
+ break;
+ }
+-
+ rc = ldap_result(conn->ld, send_msgid, 1, &local_timeout, &res);
++
+ PR_Unlock(conn->lock);
+
+ if (0 != rc)
+@@ -661,8 +667,10 @@ perform_operation(Repl_Connection *conn, int optype, const char *dn,
+ server_controls[1] = update_control;
+ server_controls[2] = NULL;
+
+- /* lock the conn to prevent the result reader thread
+- from closing the connection out from under us */
++ /*
++ * Lock the conn to prevent the result reader thread
++ * from closing the connection out from under us.
++ */
+ PR_Lock(conn->lock);
+ if (STATE_CONNECTED == conn->state)
+ {
+@@ -804,7 +812,6 @@ conn_send_rename(Repl_Connection *conn, const char *dn,
+ NULL /* extop OID */, NULL /* extop payload */, message_id);
+ }
+
+-
+ /*
+ * Send an LDAP extended operation.
+ */
+@@ -818,7 +825,6 @@ conn_send_extended_operation(Repl_Connection *conn, const char *extop_oid,
+ update_control, extop_oid, payload, message_id);
+ }
+
+-
+ /*
+ * Synchronously read an entry and return a specific attribute's values.
+ * Returns CONN_OPERATION_SUCCESS if successful. Returns
+@@ -838,6 +844,8 @@ conn_read_entry_attribute(Repl_Connection *conn, const char *dn,
+ LDAPMessage *res = NULL;
+ char *attrs[2];
+
++ PR_Lock(conn->lock);
++
+ PR_ASSERT(NULL != type);
+ if (conn_connected(conn))
+ {
+@@ -860,7 +868,7 @@ conn_read_entry_attribute(Repl_Connection *conn, const char *dn,
+ }
+ else if (IS_DISCONNECT_ERROR(ldap_rc))
+ {
+- conn_disconnect(conn);
++ close_connection_internal(conn);
+ return_value = CONN_NOT_CONNECTED;
+ }
+ else
+@@ -878,10 +886,11 @@ conn_read_entry_attribute(Repl_Connection *conn, const char *dn,
+ {
+ return_value = CONN_NOT_CONNECTED;
+ }
++ PR_Unlock(conn->lock);
++
+ return return_value;
+ }
+
+-
+ /*
+ * Return an pointer to a string describing the connection's status.
+ */
+@@ -892,8 +901,6 @@ conn_get_status(Repl_Connection *conn)
+ return conn->status;
+ }
+
+-
+-
+ /*
+ * Cancel any outstanding linger timer. Should be called when
+ * a replication session is beginning.
+@@ -925,7 +932,6 @@ conn_cancel_linger(Repl_Connection *conn)
+ PR_Unlock(conn->lock);
+ }
+
+-
+ /*
+ * Called when our linger timeout timer expires. This means
+ * we should check to see if perhaps the connection's become
+@@ -957,7 +963,6 @@ linger_timeout(time_t event_time, void *arg)
+ }
+ }
+
+-
+ /*
+ * Indicate that a session is ending. The linger timer starts when
+ * this function is called.
+@@ -995,8 +1000,6 @@ conn_start_linger(Repl_Connection *conn)
+ PR_Unlock(conn->lock);
+ }
+
+-
+-
+ /*
+ * If no connection is currently active, opens a connection and binds to
+ * the remote server. If a connection is open (e.g. lingering) then
+@@ -1015,10 +1018,14 @@ conn_connect(Repl_Connection *conn)
+ ConnResult return_value = CONN_OPERATION_SUCCESS;
+ int pw_ret = 1;
+
+- /** Connection already open just return SUCCESS **/
+- if(conn->state == STATE_CONNECTED) goto done;
+-
+ PR_Lock(conn->lock);
++
++ /* Connection already open, just return SUCCESS */
++ if(conn->state == STATE_CONNECTED){
++ PR_Unlock(conn->lock);
++ return return_value;
++ }
++
+ if (conn->flag_agmt_changed) {
+ /* So far we cannot change Hostname and Port */
+ /* slapi_ch_free((void **)&conn->hostname); */
+@@ -1033,7 +1040,6 @@ conn_connect(Repl_Connection *conn)
+ conn->port = agmt_get_port(conn->agmt); /* port could be updated */
+ slapi_ch_free((void **)&conn->plain);
+ }
+- PR_Unlock(conn->lock);
+
+ creds = agmt_get_credentials(conn->agmt);
+
+@@ -1174,6 +1180,7 @@ done:
+ {
+ close_connection_internal(conn);
+ }
++ PR_Unlock(conn->lock);
+
+ return return_value;
+ }
+@@ -1209,7 +1216,6 @@ conn_disconnect(Repl_Connection *conn)
+ PR_Unlock(conn->lock);
+ }
+
+-
+ /*
+ * Determine if the remote replica supports DS 5.0 replication.
+ * Return codes:
+@@ -1226,6 +1232,7 @@ conn_replica_supports_ds5_repl(Repl_Connection *conn)
+ ConnResult return_value;
+ int ldap_rc;
+
++ PR_Lock(conn->lock);
+ if (conn_connected(conn))
+ {
+ if (conn->supports_ds50_repl == -1) {
+@@ -1273,7 +1280,7 @@ conn_replica_supports_ds5_repl(Repl_Connection *conn)
+ if (IS_DISCONNECT_ERROR(ldap_rc))
+ {
+ conn->last_ldap_error = ldap_rc; /* specific reason */
+- conn_disconnect(conn);
++ close_connection_internal(conn);
+ return_value = CONN_NOT_CONNECTED;
+ }
+ else
+@@ -1293,10 +1300,11 @@ conn_replica_supports_ds5_repl(Repl_Connection *conn)
+ /* Not connected */
+ return_value = CONN_NOT_CONNECTED;
+ }
++ PR_Unlock(conn->lock);
++
+ return return_value;
+ }
+
+-
+ /*
+ * Determine if the remote replica supports DS 7.1 replication.
+ * Return codes:
+@@ -1313,6 +1321,7 @@ conn_replica_supports_ds71_repl(Repl_Connection *conn)
+ ConnResult return_value;
+ int ldap_rc;
+
++ PR_Lock(conn->lock);
+ if (conn_connected(conn))
+ {
+ if (conn->supports_ds71_repl == -1) {
+@@ -1344,7 +1353,7 @@ conn_replica_supports_ds71_repl(Repl_Connection *conn)
+ if (IS_DISCONNECT_ERROR(ldap_rc))
+ {
+ conn->last_ldap_error = ldap_rc; /* specific reason */
+- conn_disconnect(conn);
++ close_connection_internal(conn);
+ return_value = CONN_NOT_CONNECTED;
+ }
+ else
+@@ -1364,6 +1373,8 @@ conn_replica_supports_ds71_repl(Repl_Connection *conn)
+ /* Not connected */
+ return_value = CONN_NOT_CONNECTED;
+ }
++ PR_Unlock(conn->lock);
++
+ return return_value;
+ }
+
+@@ -1383,6 +1394,7 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn)
+ ConnResult return_value;
+ int ldap_rc;
+
++ PR_Lock(conn->lock);
+ if (conn_connected(conn))
+ {
+ if (conn->supports_ds90_repl == -1) {
+@@ -1414,7 +1426,7 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn)
+ if (IS_DISCONNECT_ERROR(ldap_rc))
+ {
+ conn->last_ldap_error = ldap_rc; /* specific reason */
+- conn_disconnect(conn);
++ close_connection_internal(conn);
+ return_value = CONN_NOT_CONNECTED;
+ }
+ else
+@@ -1423,7 +1435,7 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn)
+ }
+ }
+ if (NULL != res)
+- ldap_msgfree(res);
++ ldap_msgfree(res);
+ }
+ else
+ {
+@@ -1435,6 +1447,8 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn)
+ /* Not connected */
+ return_value = CONN_NOT_CONNECTED;
+ }
++ PR_Unlock(conn->lock);
++
+ return return_value;
+ }
+
+@@ -1452,7 +1466,6 @@ conn_replica_is_readonly(Repl_Connection *conn)
+ }
+ }
+
+-
+ /*
+ * Return 1 if "value" is a value of attribute type "type" in entry "entry".
+ * Otherwise, return 0.
+@@ -1501,9 +1514,6 @@ attribute_string_value_present(LDAP *ld, LDAPMessage *entry, const char *type,
+ return return_value;
+ }
+
+-
+-
+-
+ /*
+ * Read the remote server's schema entry, then read the local schema entry,
+ * and compare the nsschemacsn attribute. If the local csn is newer, or
+@@ -1533,7 +1543,7 @@ conn_push_schema(Repl_Connection *conn, CSN **remotecsn)
+ return_value = CONN_OPERATION_FAILED;
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "NULL remote CSN\n");
+ }
+- else if (!conn_connected(conn))
++ else if (!conn_connected_locked(conn, 0 /* not locked */))
+ {
+ return_value = CONN_NOT_CONNECTED;
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
+@@ -1699,6 +1709,7 @@ conn_push_schema(Repl_Connection *conn, CSN **remotecsn)
+ {
+ csn_free(&localcsn);
+ }
++
+ return return_value;
+ }
+
+diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
+index edc8267..08601bd 100644
+--- a/ldap/servers/slapd/ldaputil.c
++++ b/ldap/servers/slapd/ldaputil.c
+@@ -1011,8 +1011,8 @@ slapi_ldap_bind(
+ than the currently unused clientctrls */
+ ldap_get_option(ld, LDAP_OPT_CLIENT_CONTROLS, &clientctrls);
+ if (clientctrls && clientctrls[0] &&
+- slapi_control_present(clientctrls, START_TLS_OID, NULL, NULL)) {
+- secure = 2;
++ slapi_control_present(clientctrls, START_TLS_OID, NULL, NULL)) {
++ secure = 2;
+ } else {
+ #if defined(USE_OPENLDAP)
+ /* openldap doesn't have a SSL/TLS yes/no flag - so grab the
+@@ -1051,12 +1051,12 @@ slapi_ldap_bind(
+ slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_bind",
+ "Set up conn to use client auth\n");
+ }
+- bvcreds.bv_val = NULL; /* ignore username and passed in creds */
+- bvcreds.bv_len = 0; /* for external auth */
+- bindid = NULL;
++ bvcreds.bv_val = NULL; /* ignore username and passed in creds */
++ bvcreds.bv_len = 0; /* for external auth */
++ bindid = NULL;
+ } else { /* other type of auth */
+- bvcreds.bv_val = (char *)creds;
+- bvcreds.bv_len = creds ? strlen(creds) : 0;
++ bvcreds.bv_val = (char *)creds;
++ bvcreds.bv_len = creds ? strlen(creds) : 0;
+ }
+
+ if (secure == 2) { /* send start tls */
+@@ -1084,31 +1084,29 @@ slapi_ldap_bind(
+ bindid, creds);
+ if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
+ NULL /* clientctrls */, &mymsgid))) {
+- char *myhostname = NULL;
+- char *copy = NULL;
++ char *hostname = NULL;
++ char *host_port = NULL;
+ char *ptr = NULL;
+ int myerrno = errno;
+ int gaierr = 0;
+
+- ldap_get_option(ld, LDAP_OPT_HOST_NAME, &myhostname);
+- if (myhostname) {
+- ptr = strchr(myhostname, ':');
++ ldap_get_option(ld, LDAP_OPT_HOST_NAME, &host_port);
++ if (host_port) {
++ ptr = strchr(host_port, ':');
+ if (ptr) {
+- copy = slapi_ch_strdup(myhostname);
+- *(copy + (ptr - myhostname)) = '\0';
+- slapi_ch_free_string(&myhostname);
+- myhostname = copy;
++ hostname = slapi_ch_strdup(host_port);
++ *(hostname + (ptr - host_port)) = '\0';
+ }
+ }
+-
+ if (0 == myerrno) {
+ struct addrinfo *result = NULL;
+- gaierr = getaddrinfo(myhostname, NULL, NULL, &result);
++ gaierr = getaddrinfo(hostname, NULL, NULL, &result);
+ myerrno = errno;
+ if (result) {
+ freeaddrinfo(result);
+ }
+ }
++
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
+ "Error: could not send bind request for id "
+ "[%s] authentication mechanism [%s]: error %d (%s), system error %d (%s), "
+@@ -1119,8 +1117,9 @@ slapi_ldap_bind(
+ PR_GetError(), slapd_pr_strerror(PR_GetError()),
+ myerrno ? myerrno : gaierr,
+ myerrno ? slapd_system_strerror(myerrno) : gai_strerror(gaierr),
+- myhostname ? myhostname : "unknown host");
+- slapi_ch_free_string(&myhostname);
++ host_port ? host_port : "unknown host");
++ slapi_ch_free_string(&hostname);
++ slapi_ch_free_string(&host_port);
+ goto done;
+ }
+
+--
+1.8.1.4
+
diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec
index 9ad2d37..3403b76 100644
--- a/SPECS/389-ds-base.spec
+++ b/SPECS/389-ds-base.spec
@@ -25,7 +25,7 @@
Summary: 389 Directory Server (base)
Name: 389-ds-base
Version: 1.3.1.6
-Release: %{?relprefix}10%{?prerel}%{?dist}
+Release: %{?relprefix}25%{?prerel}%{?dist}
License: GPLv2 with exceptions
URL: http://port389.org/
Group: System Environment/Daemons
@@ -164,6 +164,53 @@ Patch46: 0047-Ticket-47585-Replication-Failures-related-to-skipped.patc
Patch47: 0048-Ticket-47581-Winsync-plugin-segfault-during-incremen.patch
Patch48: 0049-Ticket-47581-Winsync-plugin-segfault-during-incremen.patch
Patch49: 0050-Revert-Ticket-47559-hung-server-related-to-sasl-and-.patch
+Patch50: 0051-Ticket-47605-CVE-2013-4485-DoS-due-to-improper-handl.patch
+Patch51: 0052-Ticket-47622-Automember-betxnpreoperation-transactio.patch
+Patch52: 0053-Ticket-47613-Impossible-to-configure-nsslapd-allowed.patch
+Patch53: 0054-Ticket-47587-hard-coded-limit-of-64-masters-in-agree.patch
+Patch54: 0055-Ticket-47597-Convert-retro-changelog-plug-in-to-betx.patch
+Patch55: 0056-Ticket-47598-Convert-ldbm_back_seq-code-to-be-transa.patch
+Patch56: 0057-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch
+Patch57: 0058-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch
+Patch58: 0059-Ticket-47599-fix-memory-leak.patch
+Patch59: 0060-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch
+Patch60: 0061-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch
+Patch61: 0062-Ticket-47591-entries-with-empty-objectclass-attribut.patch
+Patch62: 0063-Ticket-47614-Possible-to-specify-invalid-SASL-mechan.patch
+Patch63: 0064-Ticket-47592-automember-plugin-task-memory-leaks.patch
+Patch64: 0065-Ticket-47620-389-ds-rejects-nsds5ReplicaProtocolTime.patch
+Patch65: 0066-Ticket-47613-Issues-setting-allowed-mechanisms.patch
+Patch66: 0067-Ticket-47620-Fix-cherry-pick-error-for-1.3.2-and-1.3.patch
+Patch67: 0068-Ticket-47620-Config-value-validation-improvement.patch
+Patch68: 0069-Ticket-47620-Fix-logically-dead-code.patch
+Patch69: 0070-Ticket-47620-Fix-dereferenced-NULL-pointer-in-agmtli.patch
+Patch70: 0071-Ticket-47620-Fix-missing-left-bracket.patch
+Patch71: 0072-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch
+Patch72: 0073-Ticket-47606-replica-init-bulk-import-errors-should-.patch
+Patch73: 0074-Ticket-47623-fix-memleak-caused-by-47347.patch
+Patch74: 0075-Ticket-47623-fix-memleak-caused-by-47347.patch
+Patch75: 0076-Ticket-47627-changelog-iteration-should-ignore-clean.patch
+Patch76: 0077-Ticket-47627-Fix-replication-logging.patch
+Patch77: 0078-Ticket-447-Possible-to-add-invalid-attribute-to-nssl.patch
+Patch78: 0079-Ticket-47660-config_set_allowed_to_delete_attrs-Valg.patch
+Patch79: 0080-Ticket-408-Fix-crash-when-disabling-enabling-the-set.patch
+Patch80: 0081-Ticket-47620-Unable-to-delete-protocol-timeout-attri.patch
+Patch81: 0082-Ticket-47516-replication-stops-with-excessive-clock-.patch
+Patch82: 0083-Ticket-342-better-error-message-when-cache-overflows.patch
+Patch83: 0084-Ticket-443-Deleting-attribute-present-in-nsslapd-all.patch
+Patch84: 0085-Ticket-47649-Server-hangs-in-cos_cache-when-adding-a.patch
+Patch85: 0086-Ticket-47374-flush.pl-is-not-included-in-perl5.patch
+Patch86: 0087-Ticket-471-logconv.pl-tool-removes-the-access-logs-c.patch
+Patch87: 0088-Ticket-47704-invalid-sizelimits-in-aci-group-evaluat.patch
+Patch88: 0089-Ticket-47709-package-issue-in-389-ds-base.patch
+Patch89: 0090-Ticket-47709-package-issue-in-389-ds-base.patch
+Patch90: 0091-Ticket-408-create-a-normalized-dn-cache.patch
+Patch91: 0092-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch
+Patch92: 0093-Ticket-408-create-a-normalized-dn-cache.patch
+Patch93: 0094-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch
+Patch94: 0095-Ticket-47739-directory-server-is-insecurely-misinter.patch
+Patch95: 0096-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch
+Patch96: 0097-Ticket-47759-Crash-in-replication-when-server-is-und.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@@ -264,6 +311,53 @@ cp %{SOURCE2} README.devel
%patch47 -p1
%patch48 -p1
%patch49 -p1
+%patch50 -p1
+%patch51 -p1
+%patch52 -p1
+%patch53 -p1
+%patch54 -p1
+%patch55 -p1
+%patch56 -p1
+%patch57 -p1
+%patch58 -p1
+%patch59 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
+%patch66 -p1
+%patch67 -p1
+%patch68 -p1
+%patch69 -p1
+%patch70 -p1
+%patch71 -p1
+%patch72 -p1
+%patch73 -p1
+%patch74 -p1
+%patch75 -p1
+%patch76 -p1
+%patch77 -p1
+%patch78 -p1
+%patch79 -p1
+%patch80 -p1
+%patch81 -p1
+%patch82 -p1
+%patch83 -p1
+%patch84 -p1
+%patch85 -p1
+%patch86 -p1
+%patch87 -p1
+%patch88 -p1
+%patch89 -p1
+%patch90 -p1
+%patch91 -p1
+%patch92 -p1
+%patch93 -p1
+%patch94 -p1
+%patch95 -p1
+%patch96 -p1
%build
%if %{use_openldap}
@@ -390,8 +484,8 @@ fi
%{_unitdir}
%{_bindir}/*
%{_sbindir}/*
-%{_libdir}/%{pkgname}/libns-dshttpd.so*
%{_libdir}/%{pkgname}/perl
+%{_libdir}/%{pkgname}/python
%dir %{_libdir}/%{pkgname}/plugins
%{_libdir}/%{pkgname}/plugins/*.so
%dir %{_localstatedir}/lib/%{pkgname}
@@ -412,8 +506,96 @@ fi
%doc LICENSE EXCEPTION LICENSE.GPLv2 README.devel
%dir %{_libdir}/%{pkgname}
%{_libdir}/%{pkgname}/libslapd.so.*
+%{_libdir}/%{pkgname}/libns-dshttpd.so*
%changelog
+* Thu Mar 31 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-25
+- release 1.3.1.6-25
+- Resolves: bug 1082740 - ns-slapd crash in reliability 15
+
+* Thu Mar 13 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-24
+- release 1.3.1.6-24
+- Resolves: bug 1074084 - e_uniqueid fails to set if an entry is a conflict entry (Ticket 47735); regression - sub-type length in attribute type was mistakenly subtracted.
+
+* Tue Mar 11 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-23
+- Resolves: bug 1074850 - EMBARGOED CVE-2014-0132 389-ds-base: 389-ds: flaw in parsing authzid can lead to privilege escalation [rhel-7.0] (Ticket 47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind) (Added 0095-Ticket-47739-directory-server-is-insecurely-misinter.patch)
+
+* Tue Mar 11 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-23
+- release 1.3.1.6-22
+- Resolves: bug 1074850 - EMBARGOED CVE-2014-0132 389-ds-base: 389-ds: flaw in parsing authzid can lead to privilege escalation [rhel-7.0] (Ticket 47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind)
+
+* Mon Mar 10 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-22
+- release 1.3.1.6-22
+- Resolves: bug 1074084 - e_uniqueid fails to set if an entry is a conflict entry (Ticket 47735)
+
+* Tue Feb 25 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-21
+- release 1.3.1.6-21
+- Resolves: bug 918694 - Fix covscan defect FORWARD_NULL (Ticket 408)
+- Resolves: bug 918717 - Fix covscan defect COMPILER WARNINGS (Ticket 571)
+
+* Tue Feb 25 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-20
+- release 1.3.1.6-20
+- Resolves: bug 1065242 - 389-ds-base, conflict occurs at yum installation if multilib_policy=all. (Ticket 47709)
+
+* Tue Feb 18 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-19
+- release 1.3.1.6-19
+- Resolves: bug 1065971 - Enrolling a host into IdM/IPA always takes two attempts (Ticket 47704)
+
+* Mon Feb 3 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-18
+- release 1.3.1.6-18
+- Resolves: bug 838656 - logconv.pl tool removes the access logs contents if "-M" is not correctly used (Ticket 471)
+- Resolves: bug 922538 - improve dbgen rdn generation, output (Ticket 47374)
+- Resolves: bug 970750 - flush.pl is not included in perl5 (Ticket 47374)
+- Resolves: bug 1013898 - Fix various issues with logconv.pl (Ticket 471)
+
+* Wed Jan 29 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-17
+- release 1.3.1.6-17
+- Resolves: bug 853106 - Deleting attribute present in nsslapd-allowed-to-delete-attrs returns Operations error (Ticket 443)
+- Resolves: bug 1049525 - Server hangs in cos_cache when adding a user entry (Ticket 47649)
+
+* Wed Jan 29 2014 Daniel Mach <dmach@redhat.com> - 1.3.1.6-16
+- Mass rebuild 2014-01-24
+
+* Tue Jan 21 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-15
+- release 1.3.1.6-15
+- Resolves: bug 918702 - better error message when cache overflows (Ticket 342)
+- Resolves: bug 1009679 - replication stops with excessive clock skew (Ticket 47516)
+- Resolves: bug 1042855 - Unable to delete protocol timeout attribute (Ticket 47620)
+- Resolves: bug 918694 - Fix crash when disabling/enabling the setting (Ticket 408)
+- Resolves: bug 853355 - config_set_allowed_to_delete_attrs: Valgrind reports Invalid read (Ticket 47660)
+
+* Wed Jan 8 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-14
+- release 1.3.1.6-14
+- Resolves: bug 853355 - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs (Ticket 447)
+- Resolves: bug 1034739 - Impossible to configure nsslapd-allowed-sasl-mechanisms (Ticket 47613)
+- Resolves: bug 1038639 - 389-ds rejects nsds5ReplicaProtocolTimeout attribut; Fix logically dead code; Fix dereferenced NULL pointer in agmtlist_modify_callback(); Fix missing left brackete (Ticket 47620)
+- Resolves: bug 1042855 - nsds5ReplicaProtocolTimeout attribute is not validated when added to replication agreement; Config value validation improvement (Ticket 47620)
+- Resolves: bug 918717 - server does not accept 0 length LDAP Control sequence (Ticket 571)
+- Resolves: bug 1034902 - replica init/bulk import errors should be more verbose (Ticket 47606)
+- Resolves: bug 1044219 - fix memleak caused by 47347 (Ticket 47623)
+- Resolves: bug 1049522 - Crash after replica is installed; Fix cherry-pick error for 1.3.2 and 1.3.1 (Ticket 47620)
+- Resolves: bug 1049568 - changelog iteration should ignore cleaned rids when getting the minCSN (Ticket 47627)
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.3.1.6-13
+- Mass rebuild 2013-12-27
+
+* Tue Dec 10 2013 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-12
+- release 1.3.1.6-12
+- Resolves: bug 1038639 - 389-ds rejects nsds5ReplicaProtocolTimeout attribute (Ticket 47620)
+- Resolves: bug 1034898 - automember plugin task memory leaks (Ticket 47592)
+- Resolves: bug 1034451 - Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms (Ticket 47614)
+- Resolves: bug 1032318 - entries with empty objectclass attribute value can be hidden (Ticket 47591)
+- Resolves: bug 1032316 - attrcrypt fails to find unlocked key (Ticket 47596)
+- Resolves: bug 1031227 - Reduce lock scope in retro changelog plug-in (Ticket 47599)
+- Resolves: bug 1031226 - Convert ldbm_back_seq code to be transaction aware (Ticket 47598)
+- Resolves: bug 1031225 - Convert retro changelog plug-in to betxn (Ticket 47597)
+- Resolves: bug 1031223 - hard coded limit of 64 masters in agreement and changelog code (Ticket 47587)
+- Resolves: bug 1034739 - Impossible to configure nsslapd-allowed-sasl-mechanisms (Ticket 47613)
+- Resolves: bug 1035824 - Automember betxnpreoperation - transaction not aborted when group entry does not exist (Ticket 47622)
+
+* Thu Nov 21 2013 Rich Megginson <rmeggins@redhat.com> - 1.3.1.6-11
+- Resolves: bug 1024979 - CVE-2013-4485 389-ds-base: DoS due to improper handling of ger attr searches
+
* Tue Nov 12 2013 Rich Megginson <rmeggins@redhat.com> - 1.3.1.6-10
- release 1.3.1.6-10
- Resolves: bug 1018893 DS91: ns-slapd stuck in DS_Sleep
@@ -476,7 +658,7 @@ fi
- Resolves Bug 1000633 - ns-slapd crash due to bogus DN
- Ticket #47488 - Users from AD sub OU does not sync to IPA
-* Tue Aug 01 2013 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-1
+* Thu Aug 01 2013 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-1
- bump version to 1.3.1.6
- Ticket 47455 - valgrind - value mem leaks, uninit mem usage
- fix coverity 11915 - dead code - introduced with fix for ticket 346