diff --git a/.389-ds-base.metadata b/.389-ds-base.metadata
index 6d7d3f7..d09f29f 100644
--- a/.389-ds-base.metadata
+++ b/.389-ds-base.metadata
@@ -1 +1 @@
-77dee99c82e77c3c3c8579b443ebb68e63d51702 SOURCES/389-ds-base-1.3.7.5.tar.bz2
+930c13abb2fc444f1dbd0443ed72a5d5b14c48da SOURCES/389-ds-base-1.3.8.4.tar.bz2
diff --git a/.gitignore b/.gitignore
index 18dc925..740caa7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/389-ds-base-1.3.7.5.tar.bz2
+SOURCES/389-ds-base-1.3.8.4.tar.bz2
diff --git a/SOURCES/0000-Ticket-49305-Need-to-wrap-atomic-calls.patch b/SOURCES/0000-Ticket-49305-Need-to-wrap-atomic-calls.patch
deleted file mode 100644
index 2710342..0000000
--- a/SOURCES/0000-Ticket-49305-Need-to-wrap-atomic-calls.patch
+++ /dev/null
@@ -1,1514 +0,0 @@ -From f19dec383e24e2aaa40a6bdce2ca0e657ffc6e10 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 27 Sep 2017 09:26:14 -0400 -Subject: [PATCH] Ticket 49305 - Need to wrap atomic calls - -Bug Description: Some RHEL 7.5 platforms (ppc 32bit) still do not support - all the gcc builtin atomics. This breaks the downstream - builds. - -Fix Description: Use wrapper functions for the atomic's using #define's - to detect if builtin atomics are supported, otherwise - use the egneric nspr atomic functions. - -https://pagure.io/389-ds-base/issue/49305 - -Reviewed by: tbordaz(Thanks!) - -(cherry picked from commit af723fd632d355642babeed1dbdb5a308c21fa79) ---- - ldap/servers/slapd/attrsyntax.c | 8 +- - ldap/servers/slapd/back-ldbm/dblayer.c | 66 +++++----- - ldap/servers/slapd/entry.c | 11 +- - ldap/servers/slapd/libglobs.c | 161 ++++++++++++----------- - ldap/servers/slapd/log.c | 9 +- - ldap/servers/slapd/mapping_tree.c | 28 ++-- - ldap/servers/slapd/object.c | 8 +- - ldap/servers/slapd/psearch.c | 7 +- - ldap/servers/slapd/slapi-plugin.h | 52 ++++++++ - ldap/servers/slapd/slapi_counter.c | 100 ++++++++++++++ - ldap/servers/slapd/thread_data.c | 2 +- - src/nunc-stans/ns/ns_thrpool.c | 17 ++- - src/nunc-stans/test/test_nuncstans_stress_core.c | 42 +++++- - 13 files changed, 361 insertions(+), 150 deletions(-) - -diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c -index 03f05d9..a0a60c4 100644 ---- a/ldap/servers/slapd/attrsyntax.c -+++ b/ldap/servers/slapd/attrsyntax.c -@@ -274,7 +274,7 @@ attr_syntax_get_by_oid_locking_optional(const char *oid, PRBool use_lock, PRUint - } - asi = (struct asyntaxinfo *)PL_HashTableLookup_const(ht, oid); - if (asi) { -- __atomic_add_fetch_8(&(asi->asi_refcnt), 1, __ATOMIC_RELEASE); -+ slapi_atomic_incr(&(asi->asi_refcnt), __ATOMIC_RELEASE, ATOMIC_LONG); - } - if (use_lock) { - AS_UNLOCK_READ(oid2asi_lock); -@@ -371,7 +371,7 @@ attr_syntax_get_by_name_locking_optional(const char *name, PRBool 
use_lock, PRUi - } - asi = (struct asyntaxinfo *)PL_HashTableLookup_const(ht, name); - if (NULL != asi) { -- __atomic_add_fetch_8(&(asi->asi_refcnt), 1, __ATOMIC_RELEASE); -+ slapi_atomic_incr(&(asi->asi_refcnt), __ATOMIC_RELEASE, ATOMIC_LONG); - } - if (use_lock) { - AS_UNLOCK_READ(name2asi_lock); -@@ -406,7 +406,7 @@ attr_syntax_return_locking_optional(struct asyntaxinfo *asi, PRBool use_lock) - } - if (NULL != asi) { - PRBool delete_it = PR_FALSE; -- if (0 == __atomic_sub_fetch_8(&(asi->asi_refcnt), 1, __ATOMIC_ACQ_REL)) { -+ if (0 == slapi_atomic_decr(&(asi->asi_refcnt), __ATOMIC_ACQ_REL, ATOMIC_LONG)) { - delete_it = asi->asi_marked_for_delete; - } - -@@ -540,7 +540,7 @@ attr_syntax_delete_no_lock(struct asyntaxinfo *asi, - PL_HashTableRemove(ht, asi->asi_aliases[i]); - } - } -- if (__atomic_load_8(&(asi->asi_refcnt), __ATOMIC_ACQUIRE) > 0) { -+ if (slapi_atomic_load(&(asi->asi_refcnt), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) { - asi->asi_marked_for_delete = PR_TRUE; - } else { - /* This is ok, but the correct thing is to call delete first, -diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c -index d43258d..c4c4959 100644 ---- a/ldap/servers/slapd/back-ldbm/dblayer.c -+++ b/ldap/servers/slapd/back-ldbm/dblayer.c -@@ -2860,16 +2860,16 @@ int - dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flags) - { - /* -- * We either already have a DB* handle in the attrinfo structure. -- * in which case we simply return it to the caller, OR: -- * we need to make one. We do this as follows: -- * 1a) acquire the mutex that protects the handle list. -- * 1b) check that the DB* is still null. -- * 2) get the filename, and call libdb to open it -- * 3) if successful, store the result in the attrinfo stucture -- * 4) store the DB* in our own list so we can close it later. -- * 5) release the mutex. -- */ -+ * We either already have a DB* handle in the attrinfo structure. 
-+ * in which case we simply return it to the caller, OR: -+ * we need to make one. We do this as follows: -+ * 1a) acquire the mutex that protects the handle list. -+ * 1b) check that the DB* is still null. -+ * 2) get the filename, and call libdb to open it -+ * 3) if successful, store the result in the attrinfo stucture -+ * 4) store the DB* in our own list so we can close it later. -+ * 5) release the mutex. -+ */ - ldbm_instance *inst = (ldbm_instance *)be->be_instance_info; - int return_value = -1; - DB *pDB = NULL; -@@ -2878,9 +2878,9 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag - *ppDB = NULL; - - /* it's like a semaphore -- when count > 0, any file handle that's in -- * the attrinfo will remain valid from here on. -- */ -- __atomic_add_fetch_8(&(a->ai_dblayer_count), 1, __ATOMIC_RELEASE); -+ * the attrinfo will remain valid from here on. -+ */ -+ slapi_atomic_incr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG); - - if (a->ai_dblayer && ((dblayer_handle *)(a->ai_dblayer))->dblayer_dbp) { - /* This means that the pointer is valid, so we should return it. */ -@@ -2888,9 +2888,7 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag - return 0; - } - -- /* attrinfo handle is NULL, at least for now -- grab the mutex and try -- * again. -- */ -+ /* attrinfo handle is NULL, at least for now -- grab the mutex and try again. */ - PR_Lock(inst->inst_handle_list_mutex); - if (a->ai_dblayer && ((dblayer_handle *)(a->ai_dblayer))->dblayer_dbp) { - /* another thread set the handle while we were waiting on the lock */ -@@ -2900,8 +2898,8 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag - } - - /* attrinfo handle is still blank, and we have the mutex: open the -- * index file and stuff it in the attrinfo. -- */ -+ * index file and stuff it in the attrinfo. 
-+ */ - return_value = dblayer_open_file(be, attribute_name, open_flags, - a, &pDB); - if (0 == return_value) { -@@ -2911,40 +2909,36 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag - - PR_ASSERT(NULL != pDB); - /* Store the returned DB* in our own private list of -- * open files */ -+ * open files */ - if (NULL == prev_handle) { - /* List was empty */ - inst->inst_handle_tail = handle; - inst->inst_handle_head = handle; - } else { -- /* Chain the handle onto the last structure in the -- * list */ -+ /* Chain the handle onto the last structure in the list */ - inst->inst_handle_tail = handle; - prev_handle->dblayer_handle_next = handle; - } -- /* Stash a pointer to our wrapper structure in the -- * attrinfo structure */ -+ /* Stash a pointer to our wrapper structure in the attrinfo structure */ - handle->dblayer_dbp = pDB; - /* And, most importantly, return something to the caller!*/ - *ppDB = pDB; -- /* and save the hande in the attrinfo structure for -- * next time */ -+ /* and save the hande in the attrinfo structure for next time */ - a->ai_dblayer = handle; - /* don't need to update count -- we incr'd it already */ - handle->dblayer_handle_ai_backpointer = &(a->ai_dblayer); - } else { - /* Did not open it OK ! */ - /* Do nothing, because return value and fact that we didn't -- * store a DB* in the attrinfo is enough -- */ -+ * store a DB* in the attrinfo is enough */ - } - PR_Unlock(inst->inst_handle_list_mutex); - - if (return_value != 0) { - /* some sort of error -- we didn't open a handle at all. -- * decrement the refcount back to where it was. -- */ -- __atomic_sub_fetch_8(&(a->ai_dblayer_count), 1, __ATOMIC_RELEASE); -+ * decrement the refcount back to where it was. 
-+ */ -+ slapi_atomic_decr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG); - } - - return return_value; -@@ -2956,7 +2950,7 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag - int - dblayer_release_index_file(backend *be __attribute__((unused)), struct attrinfo *a, DB *pDB __attribute__((unused))) - { -- __atomic_sub_fetch_8(&(a->ai_dblayer_count), 1, __ATOMIC_RELEASE); -+ slapi_atomic_decr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG); - return 0; - } - -@@ -3063,13 +3057,13 @@ dblayer_erase_index_file_ex(backend *be, struct attrinfo *a, PRBool use_lock, in - - dblayer_release_index_file(be, a, db); - -- while (__atomic_load_8(&(a->ai_dblayer_count), __ATOMIC_ACQUIRE) > 0) { -+ while (slapi_atomic_load(&(a->ai_dblayer_count), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) { - /* someone is using this index file */ - /* ASSUMPTION: you have already set the INDEX_OFFLINE flag, because -- * you intend to mess with this index. therefore no new requests -- * for this indexfile should happen, so the dblayer_count should -- * NEVER increase. -- */ -+ * you intend to mess with this index. therefore no new requests -+ * for this indexfile should happen, so the dblayer_count should -+ * NEVER increase. 
-+ */ - PR_ASSERT(a->ai_indexmask & INDEX_OFFLINE); - PR_Unlock(inst->inst_handle_list_mutex); - DS_Sleep(DBLAYER_CACHE_DELAY); -diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c -index 62d10c2..289a149 100644 ---- a/ldap/servers/slapd/entry.c -+++ b/ldap/servers/slapd/entry.c -@@ -2244,18 +2244,19 @@ slapi_entry_attr_find(const Slapi_Entry *e, const char *type, Slapi_Attr **a) - - /* the following functions control virtual attribute cache invalidation */ - --static uint32_t g_virtual_watermark = 0; /* good enough to init */ -+static int32_t g_virtual_watermark = 0; /* good enough to init */ - - int - slapi_entry_vattrcache_watermark_isvalid(const Slapi_Entry *e) - { -- return e->e_virtual_watermark == __atomic_load_4(&g_virtual_watermark, __ATOMIC_ACQUIRE); -+ return e->e_virtual_watermark == slapi_atomic_load(&g_virtual_watermark, __ATOMIC_ACQUIRE, ATOMIC_INT); -+ - } - - void - slapi_entry_vattrcache_watermark_set(Slapi_Entry *e) - { -- e->e_virtual_watermark = __atomic_load_4(&g_virtual_watermark, __ATOMIC_ACQUIRE); -+ e->e_virtual_watermark = slapi_atomic_load(&g_virtual_watermark, __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - void -@@ -2268,8 +2269,8 @@ void - slapi_entrycache_vattrcache_watermark_invalidate() - { - /* Make sure the value is never 0 */ -- if (__atomic_add_fetch_4(&g_virtual_watermark, 1, __ATOMIC_RELEASE) == 0) { -- __atomic_add_fetch_4(&g_virtual_watermark, 1, __ATOMIC_RELEASE); -+ if (slapi_atomic_incr(&g_virtual_watermark, __ATOMIC_RELEASE, ATOMIC_INT) == 0) { -+ slapi_atomic_incr(&g_virtual_watermark, __ATOMIC_RELEASE, ATOMIC_INT); - } - } - -diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c -index 0eeb16a..4c54cf7 100644 ---- a/ldap/servers/slapd/libglobs.c -+++ b/ldap/servers/slapd/libglobs.c -@@ -1335,19 +1335,19 @@ static uint64_t active_threads = 0; - void - g_incr_active_threadcnt(void) - { -- __atomic_add_fetch_8(&active_threads, 1, __ATOMIC_RELEASE); -+ slapi_atomic_incr(&active_threads, 
__ATOMIC_RELEASE, ATOMIC_LONG); - } - - void - g_decr_active_threadcnt(void) - { -- __atomic_sub_fetch_8(&active_threads, 1, __ATOMIC_RELEASE); -+ slapi_atomic_decr(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG); - } - - uint64_t - g_get_active_threadcnt(void) - { -- return __atomic_load_8(&active_threads, __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG); - } - - /* -@@ -1936,7 +1936,7 @@ config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf, - size = NDN_DEFAULT_SIZE; - } - if (apply) { -- __atomic_store_8(&(slapdFrontendConfig->ndn_cache_max_size), size, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->ndn_cache_max_size), &size, __ATOMIC_RELEASE, ATOMIC_LONG); - } - - return retVal; -@@ -3476,7 +3476,8 @@ int32_t - config_get_dynamic_plugins(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->dynamic_plugins), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->dynamic_plugins), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ - } - - int32_t -@@ -3498,7 +3499,7 @@ int32_t - config_get_cn_uses_dn_syntax_in_dns() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->cn_uses_dn_syntax_in_dns), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->cn_uses_dn_syntax_in_dns), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t -@@ -3543,7 +3544,7 @@ config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char * - newval = LDAP_OFF; - } - -- __atomic_store_4(configvalue, newval, __ATOMIC_RELEASE); -+ slapi_atomic_store(configvalue, &newval, __ATOMIC_RELEASE, ATOMIC_INT); - - return retVal; - } -@@ -3915,7 +3916,7 @@ config_set_threadnumber(const char *attrname, char *value, char *errorbuf, int a - retVal = LDAP_OPERATIONS_ERROR; - } - if (apply) { -- __atomic_store_4(&(slapdFrontendConfig->threadnumber), 
threadnum, __ATOMIC_RELAXED); -+ slapi_atomic_store(&(slapdFrontendConfig->threadnumber), &threadnum, __ATOMIC_RELAXED, ATOMIC_INT); - } - return retVal; - } -@@ -3944,7 +3945,7 @@ config_set_maxthreadsperconn(const char *attrname, char *value, char *errorbuf, - } - - if (apply) { -- __atomic_store_4(&(slapdFrontendConfig->maxthreadsperconn), maxthreadnum, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->maxthreadsperconn), &maxthreadnum, __ATOMIC_RELEASE, ATOMIC_INT); - } - return retVal; - } -@@ -4102,7 +4103,7 @@ config_set_ioblocktimeout(const char *attrname, char *value, char *errorbuf, int - } - - if (apply) { -- __atomic_store_4(&(slapdFrontendConfig->ioblocktimeout), nValue, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->ioblocktimeout), &nValue, __ATOMIC_RELEASE, ATOMIC_INT); - } - return retVal; - } -@@ -4606,21 +4607,22 @@ int32_t - config_get_sasl_mapping_fallback() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->sasl_mapping_fallback), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->sasl_mapping_fallback), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ - } - - int32_t - config_get_disk_monitoring() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->disk_monitoring), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->disk_monitoring), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_disk_logging_critical() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->disk_logging_critical), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->disk_logging_critical), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int -@@ -4667,14 +4669,14 @@ int32_t - config_get_ldapi_switch() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return 
__atomic_load_4(&(slapdFrontendConfig->ldapi_switch), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->ldapi_switch), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_ldapi_bind_switch() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->ldapi_bind_switch), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->ldapi_bind_switch), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - char * -@@ -4693,7 +4695,7 @@ int - config_get_ldapi_map_entries() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->ldapi_map_entries), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->ldapi_map_entries), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - char * -@@ -4763,7 +4765,8 @@ int32_t - config_get_slapi_counters() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->slapi_counters), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->slapi_counters), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ - } - - char * -@@ -4945,7 +4948,7 @@ int32_t - config_get_pw_change(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_change), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_change), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - -@@ -4953,7 +4956,7 @@ int32_t - config_get_pw_history(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_history), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_history), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - -@@ -4961,21 +4964,21 @@ int32_t - config_get_pw_must_change(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return 
__atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_must_change), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_must_change), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_allow_hashed_pw(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->allow_hashed_pw), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->allow_hashed_pw), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_pw_syntax(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_syntax), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_syntax), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - -@@ -5164,21 +5167,21 @@ int32_t - config_get_pw_is_global_policy(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->pw_is_global_policy), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->pw_is_global_policy), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_pw_is_legacy_policy(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_is_legacy), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_is_legacy), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_pw_exp(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_exp), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_exp), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - -@@ -5186,14 +5189,14 @@ int32_t - config_get_pw_unlock(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return 
__atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_unlock), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_unlock), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_pw_lockout() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->pw_policy.pw_lockout), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_lockout), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int -@@ -5213,112 +5216,112 @@ int32_t - config_get_lastmod() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->lastmod), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->lastmod), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_enquote_sup_oc() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->enquote_sup_oc), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->enquote_sup_oc), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_nagle(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->nagle), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->nagle), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_accesscontrol(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->accesscontrol), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->accesscontrol), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_return_exact_case(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->return_exact_case), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->return_exact_case), __ATOMIC_ACQUIRE, 
ATOMIC_INT); - } - - int32_t - config_get_result_tweak(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->result_tweak), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->result_tweak), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_moddn_aci(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->moddn_aci), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->moddn_aci), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_security(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->security), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->security), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - slapi_config_get_readonly(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->readonly), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->readonly), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_schemacheck(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->schemacheck), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->schemacheck), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_schemamod(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->schemamod), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->schemamod), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_syntaxcheck(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->syntaxcheck), __ATOMIC_ACQUIRE); -+ return 
slapi_atomic_load(&(slapdFrontendConfig->syntaxcheck), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_syntaxlogging(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->syntaxlogging), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->syntaxlogging), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_dn_validate_strict(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->dn_validate_strict), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->dn_validate_strict), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_ds4_compatible_schema(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->ds4_compatible_schema), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->ds4_compatible_schema), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_schema_ignore_trailing_spaces(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->schema_ignore_trailing_spaces), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->schema_ignore_trailing_spaces), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - char * -@@ -5402,7 +5405,7 @@ config_get_threadnumber(void) - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); - int32_t retVal; - -- retVal = __atomic_load_4(&(slapdFrontendConfig->threadnumber), __ATOMIC_RELAXED); -+ retVal = slapi_atomic_load(&(slapdFrontendConfig->threadnumber), __ATOMIC_RELAXED, ATOMIC_INT); - - if (retVal <= 0) { - retVal = util_get_hardware_threads(); -@@ -5420,7 +5423,7 @@ int32_t - config_get_maxthreadsperconn() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->maxthreadsperconn), 
__ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->maxthreadsperconn), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int -@@ -5452,7 +5455,7 @@ int32_t - config_get_ioblocktimeout() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->ioblocktimeout), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->ioblocktimeout), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int -@@ -5769,21 +5772,21 @@ int32_t - config_get_unauth_binds_switch(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->allow_unauth_binds), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->allow_unauth_binds), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_require_secure_binds(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->require_secure_binds), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->require_secure_binds), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_anon_access_switch(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->allow_anon_access), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->allow_anon_access), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int -@@ -6025,7 +6028,8 @@ int32_t - config_get_minssf_exclude_rootdse() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->minssf_exclude_rootdse), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->minssf_exclude_rootdse), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ - } - - int -@@ -6034,18 +6038,17 @@ config_set_max_filter_nest_level(const char *attrname, char *value, char *errorb - int retVal = LDAP_SUCCESS; - slapdFrontendConfig_t *slapdFrontendConfig = 
getFrontendConfig(); - char *endp; -- long level; -+ int32_t level; - - if (config_value_is_null(attrname, value, errorbuf, 0)) { - return LDAP_OPERATIONS_ERROR; - } - - errno = 0; -- level = strtol(value, &endp, 10); -+ level = (int32_t)strtol(value, &endp, 10); - if (*endp != '\0' || errno == ERANGE) { -- slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "(%s) value (%s) " -- "is invalid\n", -- attrname, value); -+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, -+ "(%s) value (%s) is invalid\n", attrname, value); - retVal = LDAP_OPERATIONS_ERROR; - return retVal; - } -@@ -6054,7 +6057,7 @@ config_set_max_filter_nest_level(const char *attrname, char *value, char *errorb - return retVal; - } - -- __atomic_store_4(&(slapdFrontendConfig->max_filter_nest_level), level, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->max_filter_nest_level), &level, __ATOMIC_RELEASE, ATOMIC_INT); - return retVal; - } - -@@ -6062,29 +6065,28 @@ int32_t - config_get_max_filter_nest_level() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->max_filter_nest_level), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->max_filter_nest_level), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - uint64_t - config_get_ndn_cache_size() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- -- return __atomic_load_8(&(slapdFrontendConfig->ndn_cache_max_size), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->ndn_cache_max_size), __ATOMIC_ACQUIRE, ATOMIC_LONG); - } - - int32_t - config_get_ndn_cache_enabled() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->ndn_cache_enabled), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->ndn_cache_enabled), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_return_orig_type_switch() - { - slapdFrontendConfig_t 
*slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->return_orig_type), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->return_orig_type), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - char * -@@ -6786,7 +6788,7 @@ int32_t - config_get_force_sasl_external(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->force_sasl_external), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->force_sasl_external), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t -@@ -6808,7 +6810,7 @@ int32_t - config_get_entryusn_global(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->entryusn_global), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->entryusn_global), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t -@@ -7046,21 +7048,21 @@ int32_t - config_get_enable_turbo_mode(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->enable_turbo_mode), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->enable_turbo_mode), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_connection_nocanon(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->connection_nocanon), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->connection_nocanon), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_plugin_logging(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->plugin_logging), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->plugin_logging), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t -@@ -7073,21 +7075,21 @@ int32_t - config_get_unhashed_pw_switch() - { - 
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->unhashed_pw_switch), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->unhashed_pw_switch), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_ignore_time_skew(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->ignore_time_skew), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->ignore_time_skew), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t - config_get_global_backend_lock() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return __atomic_load_4(&(slapdFrontendConfig->global_backend_lock), __ATOMIC_ACQUIRE); -+ return slapi_atomic_load(&(slapdFrontendConfig->global_backend_lock), __ATOMIC_ACQUIRE, ATOMIC_INT); - } - - int32_t -@@ -7163,8 +7165,9 @@ config_get_connection_buffer(void) - int - config_set_connection_buffer(const char *attrname, char *value, char *errorbuf, int apply) - { -- int retVal = LDAP_SUCCESS; - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -+ int retVal = LDAP_SUCCESS; -+ int32_t val; - - if (config_value_is_null(attrname, value, errorbuf, 0)) { - return LDAP_OPERATIONS_ERROR; -@@ -7181,7 +7184,9 @@ config_set_connection_buffer(const char *attrname, char *value, char *errorbuf, - return retVal; - } - -- __atomic_store_4(&(slapdFrontendConfig->connection_buffer), atoi(value), __ATOMIC_RELEASE); -+ val = atoi(value); -+ slapi_atomic_store(&(slapdFrontendConfig->connection_buffer), &val, __ATOMIC_RELEASE, ATOMIC_INT); -+ - return retVal; - } - -@@ -7204,7 +7209,7 @@ config_set_listen_backlog_size(const char *attrname, char *value, char *errorbuf - } - - if (apply) { -- __atomic_store_4(&(slapdFrontendConfig->listen_backlog_size), size, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->listen_backlog_size), &size, __ATOMIC_RELEASE, ATOMIC_INT); - } - 
return LDAP_SUCCESS; - } -@@ -7617,7 +7622,7 @@ config_set_accesslog_enabled(int value) - char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE]; - errorbuf[0] = '\0'; - -- __atomic_store_4(&(slapdFrontendConfig->accesslog_logging_enabled), value, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->accesslog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT); - if (value) { - log_set_logging(CONFIG_ACCESSLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_ACCESS_LOG, errorbuf, CONFIG_APPLY); - } else { -@@ -7635,7 +7640,7 @@ config_set_auditlog_enabled(int value) - char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE]; - errorbuf[0] = '\0'; - -- __atomic_store_4(&(slapdFrontendConfig->auditlog_logging_enabled), value, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->auditlog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT); - if (value) { - log_set_logging(CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_AUDIT_LOG, errorbuf, CONFIG_APPLY); - } else { -@@ -7653,7 +7658,7 @@ config_set_auditfaillog_enabled(int value) - char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE]; - errorbuf[0] = '\0'; - -- __atomic_store_4(&(slapdFrontendConfig->auditfaillog_logging_enabled), value, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->auditfaillog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT); - if (value) { - log_set_logging(CONFIG_AUDITFAILLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_AUDITFAIL_LOG, errorbuf, CONFIG_APPLY); - } else { -@@ -7744,7 +7749,7 @@ config_set_malloc_mxfast(const char *attrname, char *value, char *errorbuf, int - value, CONFIG_MALLOC_MXFAST, max); - return LDAP_OPERATIONS_ERROR; - } -- __atomic_store_4(&(slapdFrontendConfig->malloc_mxfast), mxfast, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->malloc_mxfast), &mxfast, __ATOMIC_RELEASE, ATOMIC_INT); - - if ((mxfast >= 0) && (mxfast <= max)) { - mallopt(M_MXFAST, mxfast); -@@ -7784,7 +7789,7 @@ config_set_malloc_trim_threshold(const char *attrname, char *value, char 
*errorb - return LDAP_OPERATIONS_ERROR; - } - -- __atomic_store_4(&(slapdFrontendConfig->malloc_trim_threshold), trim_threshold, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->malloc_trim_threshold), &trim_threshold, __ATOMIC_RELEASE, ATOMIC_INT); - - if (trim_threshold >= -1) { - mallopt(M_TRIM_THRESHOLD, trim_threshold); -@@ -7831,7 +7836,7 @@ config_set_malloc_mmap_threshold(const char *attrname, char *value, char *errorb - return LDAP_OPERATIONS_ERROR; - } - -- __atomic_store_4(&(slapdFrontendConfig->malloc_mmap_threshold), mmap_threshold, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(slapdFrontendConfig->malloc_mmap_threshold), &mmap_threshold, __ATOMIC_RELEASE, ATOMIC_INT); - - if ((mmap_threshold >= 0) && (mmap_threshold <= max)) { - mallopt(M_MMAP_THRESHOLD, mmap_threshold); -diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c -index 41b5c99..4d44c87 100644 ---- a/ldap/servers/slapd/log.c -+++ b/ldap/servers/slapd/log.c -@@ -4942,12 +4942,13 @@ static LogBufferInfo * - log_create_buffer(size_t sz) - { - LogBufferInfo *lbi; -+ uint64_t init_val = 0; - - lbi = (LogBufferInfo *)slapi_ch_malloc(sizeof(LogBufferInfo)); - lbi->top = (char *)slapi_ch_malloc(sz); - lbi->current = lbi->top; - lbi->maxsize = sz; -- __atomic_store_8(&(lbi->refcount), 0, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(lbi->refcount), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG); - return lbi; - } - -@@ -5009,7 +5010,7 @@ log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_t size1, cha - insert_point = lbi->current; - lbi->current += size; - /* Increment the copy refcount */ -- __atomic_add_fetch_8(&(lbi->refcount), 1, __ATOMIC_RELEASE); -+ slapi_atomic_incr(&(lbi->refcount), __ATOMIC_RELEASE, ATOMIC_LONG); - PR_Unlock(lbi->lock); - - /* Now we can copy without holding the lock */ -@@ -5017,7 +5018,7 @@ log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_t size1, cha - memcpy(insert_point + size1, msg2, size2); - - /* Decrement the copy 
refcount */ -- __atomic_sub_fetch_8(&(lbi->refcount), 1, __ATOMIC_RELEASE); -+ slapi_atomic_decr(&(lbi->refcount), __ATOMIC_RELEASE, ATOMIC_LONG); - - /* If we are asked to sync to disk immediately, do so */ - if (!slapdFrontendConfig->accesslogbuffering) { -@@ -5037,7 +5038,7 @@ log_flush_buffer(LogBufferInfo *lbi, int type, int sync_now) - if (type == SLAPD_ACCESS_LOG) { - - /* It is only safe to flush once any other threads which are copying are finished */ -- while (__atomic_load_8(&(lbi->refcount), __ATOMIC_ACQUIRE) > 0) { -+ while (slapi_atomic_load(&(lbi->refcount), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) { - /* It's ok to sleep for a while because we only flush every second or so */ - DS_Sleep(PR_MillisecondsToInterval(1)); - } -diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c -index 651d70e..6621ceb 100644 ---- a/ldap/servers/slapd/mapping_tree.c -+++ b/ldap/servers/slapd/mapping_tree.c -@@ -1647,7 +1647,7 @@ mapping_tree_init() - - /* we call this function from a single thread, so it should be ok */ - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - /* shutdown has been detected */ - return 0; - } -@@ -1759,6 +1759,8 @@ mtn_free_node(mapping_tree_node **node) - void - mapping_tree_free() - { -+ int init_val = 1; -+ - /* unregister dse callbacks */ - slapi_config_remove_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, MAPPING_TREE_BASE_DN, LDAP_SCOPE_BASE, "(objectclass=*)", mapping_tree_entry_modify_callback); - slapi_config_remove_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, MAPPING_TREE_BASE_DN, LDAP_SCOPE_BASE, "(objectclass=*)", mapping_tree_entry_add_callback); -@@ -1771,7 +1773,7 @@ mapping_tree_free() - slapi_unregister_backend_state_change_all(); - /* recursively free tree nodes */ - mtn_free_node(&mapping_tree_root); -- __atomic_store_4(&mapping_tree_freed, 1, __ATOMIC_RELAXED); -+ slapi_atomic_store(&mapping_tree_freed, 
&init_val, __ATOMIC_RELAXED, ATOMIC_INT); - } - - /* This function returns the first node to parse when a search is done -@@ -2022,7 +2024,7 @@ slapi_dn_write_needs_referral(Slapi_DN *target_sdn, Slapi_Entry **referral) - mapping_tree_node *target_node = NULL; - int ret = 0; - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - /* shutdown detected */ - goto done; - } -@@ -2093,7 +2095,7 @@ slapi_mapping_tree_select(Slapi_PBlock *pb, Slapi_Backend **be, Slapi_Entry **re - int fixup = 0; - - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - /* shutdown detected */ - return LDAP_OPERATIONS_ERROR; - } -@@ -2198,7 +2200,7 @@ slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list, Slapi_E - int flag_partial_result = 0; - int op_type; - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - return LDAP_OPERATIONS_ERROR; - } - -@@ -2358,7 +2360,7 @@ slapi_mapping_tree_select_and_check(Slapi_PBlock *pb, char *newdn, Slapi_Backend - int ret; - int need_unlock = 0; - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - return LDAP_OPERATIONS_ERROR; - } - -@@ -2524,7 +2526,7 @@ mtn_get_be(mapping_tree_node *target_node, Slapi_PBlock *pb, Slapi_Backend **be, - int flag_stop = 0; - struct slapi_componentid *cid = NULL; - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - /* shut down detected */ - return LDAP_OPERATIONS_ERROR; - } -@@ -2712,7 +2714,7 @@ best_matching_child(mapping_tree_node *parent, - mapping_tree_node *highest_match_node = NULL; - mapping_tree_node *current; - -- if 
(__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - /* shutdown detected */ - return NULL; - } -@@ -2739,7 +2741,7 @@ mtn_get_mapping_tree_node_by_entry(mapping_tree_node *node, const Slapi_DN *dn) - { - mapping_tree_node *found_node = NULL; - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - /* shutdown detected */ - return NULL; - } -@@ -2782,7 +2784,7 @@ slapi_get_mapping_tree_node_by_dn(const Slapi_DN *dn) - mapping_tree_node *current_best_match = mapping_tree_root; - mapping_tree_node *next_best_match = mapping_tree_root; - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - /* shutdown detected */ - return NULL; - } -@@ -2816,7 +2818,7 @@ get_mapping_tree_node_by_name(mapping_tree_node *node, char *be_name) - int i; - mapping_tree_node *found_node = NULL; - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - /* shutdown detected */ - return NULL; - } -@@ -2863,7 +2865,7 @@ slapi_get_mapping_tree_node_configdn(const Slapi_DN *root) - { - char *dn = NULL; - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - /* shutdown detected */ - return NULL; - } -@@ -2890,7 +2892,7 @@ slapi_get_mapping_tree_node_configsdn(const Slapi_DN *root) - char *dn = NULL; - Slapi_DN *sdn = NULL; - -- if (__atomic_load_4(&mapping_tree_freed, __ATOMIC_RELAXED)) { -+ if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) { - /* shutdown detected */ - return NULL; - } -diff --git a/ldap/servers/slapd/object.c b/ldap/servers/slapd/object.c -index 84845d3..6a1a9a5 100644 ---- a/ldap/servers/slapd/object.c -+++ 
b/ldap/servers/slapd/object.c -@@ -43,10 +43,12 @@ Object * - object_new(void *user_data, FNFree destructor) - { - Object *o; -+ uint64_t init_val = 1; -+ - o = (object *)slapi_ch_malloc(sizeof(object)); - o->destructor = destructor; - o->data = user_data; -- __atomic_store_8(&(o->refcnt), 1, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(o->refcnt), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG); - return o; - } - -@@ -60,7 +62,7 @@ void - object_acquire(Object *o) - { - PR_ASSERT(NULL != o); -- __atomic_add_fetch_8(&(o->refcnt), 1, __ATOMIC_RELEASE); -+ slapi_atomic_incr(&(o->refcnt), __ATOMIC_RELEASE, ATOMIC_LONG); - } - - -@@ -75,7 +77,7 @@ object_release(Object *o) - PRInt32 refcnt_after_release; - - PR_ASSERT(NULL != o); -- refcnt_after_release = __atomic_sub_fetch_8(&(o->refcnt), 1, __ATOMIC_ACQ_REL); -+ refcnt_after_release = slapi_atomic_decr(&(o->refcnt), __ATOMIC_ACQ_REL, ATOMIC_LONG); - if (refcnt_after_release == 0) { - /* Object can be destroyed */ - if (o->destructor) -diff --git a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c -index 0489122..70c530b 100644 ---- a/ldap/servers/slapd/psearch.c -+++ b/ldap/servers/slapd/psearch.c -@@ -134,7 +134,7 @@ ps_stop_psearch_system() - if (PS_IS_INITIALIZED()) { - PSL_LOCK_WRITE(); - for (ps = psearch_list->pl_head; NULL != ps; ps = ps->ps_next) { -- __atomic_add_fetch_8(&(ps->ps_complete), 1, __ATOMIC_RELEASE); -+ slapi_atomic_incr(&(ps->ps_complete), __ATOMIC_RELEASE, ATOMIC_LONG); - } - PSL_UNLOCK_WRITE(); - ps_wakeup_all(); -@@ -285,7 +285,7 @@ ps_send_results(void *arg) - - PR_Lock(psearch_list->pl_cvarlock); - -- while ((conn_acq_flag == 0) && __atomic_load_8(&(ps->ps_complete), __ATOMIC_ACQUIRE) == 0) { -+ while ((conn_acq_flag == 0) && slapi_atomic_load(&(ps->ps_complete), __ATOMIC_ACQUIRE, ATOMIC_LONG) == 0) { - /* Check for an abandoned operation */ - if (pb_op == NULL || slapi_op_abandoned(ps->ps_pblock)) { - slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results", -@@ -427,6 +427,7 @@ static PSearch * 
- psearch_alloc(void) - { - PSearch *ps; -+ uint64_t init_val = 0; - - ps = (PSearch *)slapi_ch_calloc(1, sizeof(PSearch)); - -@@ -437,7 +438,7 @@ psearch_alloc(void) - slapi_ch_free((void **)&ps); - return (NULL); - } -- __atomic_store_8(&(ps->ps_complete), 0, __ATOMIC_RELEASE); -+ slapi_atomic_store(&(ps->ps_complete), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG); - ps->ps_eq_head = ps->ps_eq_tail = (PSEQNode *)NULL; - ps->ps_lasttime = (time_t)0L; - ps->ps_next = NULL; -diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h -index 3397c63..c434add 100644 ---- a/ldap/servers/slapd/slapi-plugin.h -+++ b/ldap/servers/slapd/slapi-plugin.h -@@ -8202,6 +8202,58 @@ void slapi_operation_time_initiated(Slapi_Operation *o, struct timespec *initiat - */ - #endif - -+/* See: https://gcc.gnu.org/ml/gcc/2016-11/txt6ZlA_JS27i.txt */ -+#define ATOMIC_GENERIC 0 -+#define ATOMIC_INT 4 -+#define ATOMIC_LONG 8 -+#define ATOMIC_INT128 16 /* Future */ -+ -+/** -+ * Store an integral value atomicly -+ * -+ * \param ptr - integral pointer -+ * \param val - pointer to integral value (use integral type int32_t with ATOMIC_INT, or uint64_t -+ * with ATOMIC_LONG & ATOMIC_GENERIC) -+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE, -+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST -+ * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG -+ */ -+void slapi_atomic_store(void *ptr, void *val, int memorder, int type); -+ -+/** -+ * Get an integral value atomicly -+ * -+ * \param ptr - integral pointer -+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE, -+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST -+ * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG -+ * \return - -+ */ -+uint64_t slapi_atomic_load(void *ptr, int memorder, int type); -+ -+/** -+ * Increment integral atomicly -+ * -+ * \param ptr - pointer to integral to increment -+ * \param memorder - 
__ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE, -+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST -+ * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG -+ * \return - new value of ptr -+ */ -+uint64_t slapi_atomic_incr(void *ptr, int memorder, int type); -+ -+/** -+ * Decrement integral atomicly -+ * -+ * \param ptr - pointer to integral to decrement -+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE, -+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST -+ * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG -+ * \return - new value of ptr -+ */ -+uint64_t slapi_atomic_decr(void *ptr, int memorder, int type); -+ -+ - #ifdef __cplusplus - } - #endif -diff --git a/ldap/servers/slapd/slapi_counter.c b/ldap/servers/slapd/slapi_counter.c -index ba0091f..9e705b3 100644 ---- a/ldap/servers/slapd/slapi_counter.c -+++ b/ldap/servers/slapd/slapi_counter.c -@@ -283,3 +283,103 @@ slapi_counter_get_value(Slapi_Counter *counter) - - return value; - } -+ -+ -+/* -+ * -+ * Atomic functions -+ * -+ * ptr - a pointer to an integral type variable: int, uint32_t, uint64_t, etc -+ * -+ * memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE, -+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, or __ATOMIC_SEQ_CST -+ * -+ * See: https://gcc.gnu.org/onlinedocs/gcc-4.9.2/gcc/_005f_005fatomic-Builtins.html -+ * -+ * type_size - ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG, see slapi-plugin.h for more info -+ * -+ * Future: -+ * If we need to support ATOMIC_INT128 (not available on 32bit systems): -+ * __atomic_store_16((uint64_t *)&ptr, val, memorder); -+ * __atomic_load_16((uint64_t *)&ptr, memorder); -+ * __atomic_add_fetch_16((uint64_t *)&ptr, 1, memorder); -+ * __atomic_sub_fetch_16((uint64_t *)&ptr, 1, memorder); -+ */ -+ -+/* -+ * "val" must be either int32_t or uint64_t -+ */ -+void -+slapi_atomic_store(void *ptr, void *val, int memorder, int type_size) -+{ -+#ifdef ATOMIC_64BIT_OPERATIONS -+ if (type_size 
== ATOMIC_INT) { -+ __atomic_store_4((int32_t *)ptr, *(int32_t *)val, memorder); -+ } else if (type_size == ATOMIC_LONG) { -+ __atomic_store_8((uint64_t *)ptr, *(uint64_t *)val, memorder); -+ } else { -+ /* ATOMIC_GENERIC or unknown size */ -+ __atomic_store((uint64_t *)&ptr, (uint64_t *)val, memorder); -+ } -+#else -+ PRInt32 *pr_ptr = (PRInt32 *)ptr; -+ PR_AtomicSet(pr_ptr, *(PRInt32 *)val); -+#endif -+} -+ -+uint64_t -+slapi_atomic_load(void *ptr, int memorder, int type_size) -+{ -+#ifdef ATOMIC_64BIT_OPERATIONS -+ uint64_t ret; -+ -+ if (type_size == ATOMIC_INT) { -+ return __atomic_load_4((int32_t *)ptr, memorder); -+ } else if (type_size == ATOMIC_LONG) { -+ return __atomic_load_8((uint64_t *)ptr, memorder); -+ } else { -+ /* ATOMIC_GENERIC or unknown size */ -+ __atomic_load((uint64_t *)ptr, &ret, memorder); -+ return ret; -+ } -+#else -+ PRInt32 *pr_ptr = (PRInt32 *)ptr; -+ return PR_AtomicAdd(pr_ptr, 0); -+#endif -+} -+ -+uint64_t -+slapi_atomic_incr(void *ptr, int memorder, int type_size) -+{ -+#ifdef ATOMIC_64BIT_OPERATIONS -+ if (type_size == ATOMIC_INT) { -+ return __atomic_add_fetch_4((int32_t *)ptr, 1, memorder); -+ } else if (type_size == ATOMIC_LONG) { -+ return __atomic_add_fetch_8((uint64_t *)ptr, 1, memorder); -+ } else { -+ /* ATOMIC_GENERIC or unknown size */ -+ return __atomic_add_fetch((uint64_t *)ptr, 1, memorder); -+ } -+#else -+ PRInt32 *pr_ptr = (PRInt32 *)ptr; -+ return PR_AtomicIncrement(pr_ptr); -+#endif -+} -+ -+uint64_t -+slapi_atomic_decr(void *ptr, int memorder, int type_size) -+{ -+#ifdef ATOMIC_64BIT_OPERATIONS -+ if (type_size == ATOMIC_INT) { -+ return __atomic_sub_fetch_4((int32_t *)ptr, 1, memorder); -+ } else if (type_size == ATOMIC_LONG) { -+ return __atomic_sub_fetch_8((uint64_t *)ptr, 1, memorder); -+ } else { -+ /* ATOMIC_GENERIC or unknown size */ -+ return __atomic_sub_fetch((uint64_t *)ptr, 1, memorder); -+ } -+#else -+ PRInt32 *pr_ptr = (PRInt32 *)ptr; -+ return PR_AtomicDecrement(pr_ptr); -+#endif -+} -diff --git 
a/ldap/servers/slapd/thread_data.c b/ldap/servers/slapd/thread_data.c -index 9964832..d473710 100644 ---- a/ldap/servers/slapd/thread_data.c -+++ b/ldap/servers/slapd/thread_data.c -@@ -9,7 +9,7 @@ - /* - * Thread Local Storage Functions - */ --#include -+#include "slap.h" - #include - - void td_dn_destructor(void *priv); -diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c -index 7921cbc..2ad0bd7 100644 ---- a/src/nunc-stans/ns/ns_thrpool.c -+++ b/src/nunc-stans/ns/ns_thrpool.c -@@ -169,7 +169,11 @@ int32_t - ns_thrpool_is_shutdown(struct ns_thrpool_t *tp) - { - int32_t result = 0; -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_load(&(tp->shutdown), &result, __ATOMIC_ACQUIRE); -+#else -+ result = PR_AtomicAdd(&(tp->shutdown), 0); -+#endif - return result; - } - -@@ -177,7 +181,11 @@ int32_t - ns_thrpool_is_event_shutdown(struct ns_thrpool_t *tp) - { - int32_t result = 0; -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_load(&(tp->shutdown_event_loop), &result, __ATOMIC_ACQUIRE); -+#else -+ result = PR_AtomicAdd(&(tp->shutdown_event_loop), 0); -+#endif - return result; - } - -@@ -1442,8 +1450,11 @@ ns_thrpool_destroy(struct ns_thrpool_t *tp) - #endif - if (tp) { - /* Set the flag to shutdown the event loop. */ -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&(tp->shutdown_event_loop), 1, __ATOMIC_RELEASE); -- -+#else -+ PR_AtomicIncrement(&(tp->shutdown_event_loop)); -+#endif - /* Finish the event queue wakeup job. This has the - * side effect of waking up the event loop thread, which - * will cause it to exit since we set the event loop -@@ -1532,7 +1543,11 @@ ns_thrpool_shutdown(struct ns_thrpool_t *tp) - - /* Set the shutdown flag. This will cause the worker - * threads to exit after they finish all remaining work. */ -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&(tp->shutdown), 1, __ATOMIC_RELEASE); -+#else -+ PR_AtomicIncrement(&(tp->shutdown)); -+#endif - - /* Send worker shutdown jobs into the queues. 
This allows - * currently queued jobs to complete. -diff --git a/src/nunc-stans/test/test_nuncstans_stress_core.c b/src/nunc-stans/test/test_nuncstans_stress_core.c -index a678800..2fc4ef4 100644 ---- a/src/nunc-stans/test/test_nuncstans_stress_core.c -+++ b/src/nunc-stans/test/test_nuncstans_stress_core.c -@@ -128,7 +128,11 @@ server_conn_write(struct ns_job_t *job) - assert(connctx != NULL); - if (NS_JOB_IS_TIMER(ns_job_get_output_type(job))) { - do_logging(LOG_ERR, "conn_write: job [%p] timeout\n", job); -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&server_fail_count, 1, __ATOMIC_SEQ_CST); -+#else -+ PR_AtomicIncrement(&server_fail_count); -+#endif - conn_ctx_free(connctx); - assert_int_equal(ns_job_done(job), 0); - return; -@@ -173,7 +177,11 @@ server_conn_read(struct ns_job_t *job) - if (NS_JOB_IS_TIMER(ns_job_get_output_type(job))) { - /* The event that triggered this call back is because we timed out waiting for IO */ - do_logging(LOG_ERR, "conn_read: job [%p] timed out\n", job); -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&server_fail_count, 1, __ATOMIC_SEQ_CST); -+#else -+ PR_AtomicIncrement(&server_fail_count); -+#endif - conn_ctx_free(connctx); - assert_int_equal(ns_job_done(job), 0); - return; -@@ -204,7 +212,11 @@ server_conn_read(struct ns_job_t *job) - return; - } else { - do_logging(LOG_ERR, "conn_read: read error for job [%p] %d: %s\n", job, PR_GetError(), PR_ErrorToString(PR_GetError(), PR_LANGUAGE_I_DEFAULT)); -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&server_fail_count, 1, __ATOMIC_SEQ_CST); -+#else -+ PR_AtomicIncrement(&server_fail_count); -+#endif - conn_ctx_free(connctx); - assert_int_equal(ns_job_done(job), 0); - return; -@@ -214,7 +226,11 @@ server_conn_read(struct ns_job_t *job) - /* Didn't read anything */ - do_logging(LOG_DEBUG, "conn_read: job [%p] closed\n", job); - /* Increment the success */ -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&server_success_count, 1, __ATOMIC_SEQ_CST); -+#else -+ 
PR_AtomicIncrement(&server_success_count); -+#endif - conn_ctx_free(connctx); - assert_int_equal(ns_job_done(job), 0); - return; -@@ -314,26 +330,41 @@ client_response_cb(struct ns_job_t *job) - if (len < 0) { - /* PRErrorCode prerr = PR_GetError(); */ - do_logging(LOG_ERR, "FAIL: connection error, no data \n"); -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&client_fail_count, 1, __ATOMIC_SEQ_CST); -+#else -+ PR_AtomicIncrement(&client_fail_count); -+#endif - goto done; - } else if (len == 0) { - do_logging(LOG_ERR, "FAIL: connection closed, no data \n"); -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&client_fail_count, 1, __ATOMIC_SEQ_CST); -+#else -+ PR_AtomicIncrement(&client_fail_count); -+#endif - goto done; - } else { - /* Be paranoid, force last byte null */ - buffer[buflen - 1] = '\0'; - if (strncmp("this is a test!\n", buffer, strlen("this is a test!\n")) != 0) { - do_logging(LOG_ERR, "FAIL: connection incorrect response, no data \n"); -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&client_fail_count, 1, __ATOMIC_SEQ_CST); -+#else -+ PR_AtomicIncrement(&client_fail_count); -+#endif - goto done; - } - } - - struct timespec ts; - clock_gettime(CLOCK_MONOTONIC, &ts); -- -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&client_success_count, 1, __ATOMIC_SEQ_CST); -+#else -+ PR_AtomicIncrement(&client_success_count); -+#endif - do_logging(LOG_ERR, "PASS: %ld.%ld %d\n", ts.tv_sec, ts.tv_nsec, client_success_count); - - done: -@@ -354,7 +385,11 @@ client_initiate_connection_cb(struct ns_job_t *job) - char *err = NULL; - PR_GetErrorText(err); - do_logging(LOG_ERR, "FAIL: Socket failed, %d -> %s\n", PR_GetError(), err); -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&client_fail_count, 1, __ATOMIC_SEQ_CST); -+#else -+ PR_AtomicIncrement(&client_fail_count); -+#endif - goto done; - } - -@@ -368,8 +403,11 @@ client_initiate_connection_cb(struct ns_job_t *job) - PR_GetErrorText(err); - do_logging(LOG_ERR, "FAIL: cannot connect, 
timeout %d -> %s \n", PR_GetError(), err); - /* Atomic increment fail */ -+#ifdef ATOMIC_64BIT_OPERATIONS - __atomic_add_fetch(&client_timeout_count, 1, __ATOMIC_SEQ_CST); -- -+#else -+ PR_AtomicIncrement(&client_timeout_count); -+#endif - if (sock != NULL) { - PR_Close(sock); - } --- -2.9.5 - diff --git a/SOURCES/0000-Ticket-49830-Import-fails-if-backend-name-is-default.patch b/SOURCES/0000-Ticket-49830-Import-fails-if-backend-name-is-default.patch new file mode 100644 index 0000000..6f16723 --- /dev/null +++ b/SOURCES/0000-Ticket-49830-Import-fails-if-backend-name-is-default.patch 
@@ -0,0 +1,190 @@
+From da5a1bbb4e4352b8df10c84572441d47217b6c2c Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Fri, 6 Jul 2018 11:37:56 -0400
+Subject: [PATCH] Ticket 49830 - Import fails if backend name is "default"
+
+Bug Description: The server was previously reserving the backend
+ name "default". If you tried to import on a
+ backend with this name the import would skip all
+ child entries
+
+Fix Description: Change the default backend name to something
+ obscure, instead of "default".
+
+ Also improved lib389's dbgen to generate the
+ correct "dc" attribute value in the root node.
+
+https://pagure.io/389-ds-base/issue/49830
+
+Reviewed by: spichugi(Thanks!)
+
+(cherry picked from commit 8fa838a4ffd4d0c15ae51cb21f246bb1f2dea2a1)
+---
+ .../tests/suites/import/regression_test.py | 46 +++++++++++++++++++
+ ldap/servers/slapd/defbackend.c | 4 +-
+ ldap/servers/slapd/mapping_tree.c | 7 ++-
+ ldap/servers/slapd/slap.h | 3 ++
+ src/lib389/lib389/dbgen.py | 13 +++++-
+ 5 files changed, 66 insertions(+), 7 deletions(-)
+
+diff --git a/dirsrvtests/tests/suites/import/regression_test.py b/dirsrvtests/tests/suites/import/regression_test.py
+index ad51721a1..d83d00323 100644
+--- a/dirsrvtests/tests/suites/import/regression_test.py
++++ b/dirsrvtests/tests/suites/import/regression_test.py
+@@ -23,6 +23,52 @@ TEST_SUFFIX1 = "dc=importest1,dc=com"
+ TEST_BACKEND1 = "importest1"
+ TEST_SUFFIX2 = "dc=importest2,dc=com"
+ TEST_BACKEND2 = "importest2"
++TEST_DEFAULT_SUFFIX = "dc=default,dc=com"
++TEST_DEFAULT_NAME = "default"
++
++
++def test_import_be_default(topo):
++ """ Create a backend using the name "default". previously this name was
++ used int
++
++ :id: 8e507beb-e917-4330-8cac-1ff0eee10508
++ :feature: Import
++ :setup: Standalone instance
++ :steps:
++ 1. Create a test suffix using the be name of "default"
++ 2. Create an ldif for the "default" backend
++ 3. Import ldif
++ 4. Verify all entries were imported
++ :expectedresults:
++ 1. Success
++ 2. Success
++ 3. Success
++ 4. Success
++ """
++ log.info('Adding suffix:{} and backend: {}...'.format(TEST_DEFAULT_SUFFIX,
++ TEST_DEFAULT_NAME))
++ backends = Backends(topo.standalone)
++ backends.create(properties={BACKEND_SUFFIX: TEST_DEFAULT_SUFFIX,
++ BACKEND_NAME: TEST_DEFAULT_NAME})
++
++ log.info('Create LDIF file and import it...')
++ ldif_dir = topo.standalone.get_ldif_dir()
++ ldif_file = os.path.join(ldif_dir, 'default.ldif')
++ dbgen(topo.standalone, 5, ldif_file, TEST_DEFAULT_SUFFIX)
++
++ log.info('Stopping the server and running offline import...')
++ topo.standalone.stop()
++ assert topo.standalone.ldif2db(TEST_DEFAULT_NAME, None, None,
++ None, ldif_file)
++ topo.standalone.start()
++
++ log.info('Verifying entry count after import...')
++ entries = topo.standalone.search_s(TEST_DEFAULT_SUFFIX,
++ ldap.SCOPE_SUBTREE,
++ "(objectclass=*)")
++ assert len(entries) > 1
++
++ log.info('Test PASSED')
+
+
+ def test_del_suffix_import(topo):
+diff --git a/ldap/servers/slapd/defbackend.c b/ldap/servers/slapd/defbackend.c
+index aa709da87..b0465e297 100644
+--- a/ldap/servers/slapd/defbackend.c
++++ b/ldap/servers/slapd/defbackend.c
+@@ -23,8 +23,6 @@
+ /*
+ * ---------------- Macros ---------------------------------------------------
+ */
+-#define DEFBACKEND_TYPE "default"
+-
+ #define DEFBACKEND_OP_NOT_HANDLED 0
+ #define DEFBACKEND_OP_HANDLED 1
+
+@@ -65,7 +63,7 @@ defbackend_init(void)
+ /*
+ * create a new backend
+ */
+- defbackend_backend = slapi_be_new(DEFBACKEND_TYPE, DEFBACKEND_TYPE, 1 /* Private */, 0 /* Do Not Log Changes */);
++ defbackend_backend = slapi_be_new(DEFBACKEND_TYPE, DEFBACKEND_NAME, 1 /* Private */, 0 /* Do Not Log Changes */);
+ if ((rc = slapi_pblock_set(pb, SLAPI_BACKEND, defbackend_backend)) != 0) {
+ errmsg = "slapi_pblock_set SLAPI_BACKEND failed";
+ goto cleanup_and_return;
+diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
+index 472a2f6aa..834949a67 100644
+--- a/ldap/servers/slapd/mapping_tree.c
++++ b/ldap/servers/slapd/mapping_tree.c
+@@ -748,7 +748,7 @@ mapping_tree_entry_add(Slapi_Entry *entry, mapping_tree_node **newnodep)
+ be_names = (char **)slapi_ch_calloc(1, sizeof(char *));
+ be_states = (int *)slapi_ch_calloc(1, sizeof(int));
+
+- tmp_backend_name = (char *)slapi_ch_strdup("default"); /* "NULL_CONTAINER" */
++ tmp_backend_name = (char *)slapi_ch_strdup(DEFBACKEND_NAME); /* "NULL_CONTAINER" */
+ (be_names)[be_list_count] = tmp_backend_name;
+
+ /* set backend as started by default */
+@@ -2250,7 +2250,10 @@ slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list, Slapi_E
+ if (ret != LDAP_SUCCESS) {
+ /* flag we have problems at least on part of the tree */
+ flag_partial_result = 1;
+- } else if ((((!slapi_sdn_issuffix(sdn, slapi_mtn_get_dn(node)) && !slapi_sdn_issuffix(slapi_mtn_get_dn(node), sdn))) || ((node_list == mapping_tree_root) && node->mtn_private && (scope != LDAP_SCOPE_BASE))) && (!be || strncmp(be->be_name, "default", 8))) {
++ } else if ((((!slapi_sdn_issuffix(sdn, slapi_mtn_get_dn(node)) && !slapi_sdn_issuffix(slapi_mtn_get_dn(node), sdn))) ||
++ ((node_list == mapping_tree_root) && node->mtn_private && (scope != LDAP_SCOPE_BASE))) &&
++ (!be || strncmp(be->be_name, DEFBACKEND_NAME, 8)))
++ {
+ if (be && !be_isdeleted(be)) {
+ /* wrong backend or referall, ignore it */
+ slapi_log_err(SLAPI_LOG_ARGS, "slapi_mapping_tree_select_all",
+diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
+index 7378c2d2a..eb97cdcc4 100644
+--- a/ldap/servers/slapd/slap.h
++++ b/ldap/servers/slapd/slap.h
+@@ -45,6 +45,9 @@ static char ptokPBE[34] = "Internal (Software) Token ";
+ #define SLAPD_EXEMODE_DBVERIFY 12
+ #define SLAPD_EXEMODE_UPGRADEDNFORMAT 13
+
++#define DEFBACKEND_TYPE "default"
++#define DEFBACKEND_NAME "DirectoryServerDefaultBackend"
++
+ #define LDAP_SYSLOG
+ #include
+ #define RLIM_TYPE int
+diff --git a/src/lib389/lib389/dbgen.py b/src/lib389/lib389/dbgen.py
+index a0cda9430..68455b480 100644
+--- a/src/lib389/lib389/dbgen.py
++++ b/src/lib389/lib389/dbgen.py
+@@ -113,8 +113,13 @@ usercertificate;binary:: MIIBvjCCASegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAnMQ8wDQYD
+ DBGEN_HEADER = """dn: {SUFFIX}
+ objectClass: top
+ objectClass: domain
++<<<<<<< HEAD
+ dc: example
+ aci: (target=ldap:///{SUFFIX})(targetattr=*)(version 3.0; acl "acl1"; allow(write) userdn = "ldap:///self";)
++=======
++dc: {RDN}
++aci: (target=ldap:///{SUFFIX})(targetattr=*)(version 3.0; acl "acl1"; allow(write) userdn = "ldap:///self";)
++>>>>>>> 8fa838a4f... Ticket 49830 - Import fails if backend name is "default"
+ aci: (target=ldap:///{SUFFIX})(targetattr=*)(version 3.0; acl "acl2"; allow(write) groupdn = "ldap:///cn=Directory Administrators, {SUFFIX}";)
+ aci: (target=ldap:///{SUFFIX})(targetattr=*)(version 3.0; acl "acl3"; allow(read, search, compare) userdn = "ldap:///anyone";)
+
+@@ -145,7 +150,7 @@ ou: Payroll
+
+ """
+
+-def dbgen(instance, number, ldif_file, suffix):
++def dbgen(instance, number, ldif_file, suffix, pseudol10n=False):
+ familyname_file = os.path.join(instance.ds_paths.data_dir, 'dirsrv/data/dbgen-FamilyNames')
+ givename_file = os.path.join(instance.ds_paths.data_dir, 'dirsrv/data/dbgen-GivenNames')
+ familynames = []
+@@ -156,7 +161,11 @@ def dbgen(instance, number, ldif_file, suffix):
+ givennames = [n.strip() for n in f]
+
+ with open(ldif_file, 'w') as output:
+- output.write(DBGEN_HEADER.format(SUFFIX=suffix))
++ rdn = suffix.split(",", 1)[0].split("=", 1)[1]
++ output.write(DBGEN_HEADER.format(SUFFIX=suffix, RDN=rdn))
++ for ou in DBGEN_OUS:
++ ou = pseudolocalize(ou) if pseudol10n else ou
++ output.write(DBGEN_OU_TEMPLATE.format(SUFFIX=suffix, OU=ou))
+ for i in range(0, number):
+ # Pick a random ou
+ ou = random.choice(DBGEN_OUS)
+--
+2.17.1
+
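Review bot: In the mapping_tree.c hunk of this added patch, `strncmp(be->be_name, DEFBACKEND_NAME, 8)` keeps the length that fitted "default" plus its terminator, so with the new 29-character name only the prefix "Director" is compared. Any backend whose name starts with those eight characters then passes as the default backend in this condition of slapi_mapping_tree_select_all, whose body continues outside the hunk; `strcmp(be->be_name, DEFBACKEND_NAME)` restores the exact match. The dbgen.py hunk also adds unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 8fa838a4f...`) inside the DBGEN_HEADER template, so the generated LDIF would carry those lines together with both `dc: example` and `dc: {RDN}` and a repeated acl1 entry; only the `dc: {RDN}` side should remain. `pseudolocalize` and `DBGEN_OU_TEMPLATE` are used in dbgen() but not defined in any visible hunk, so it is worth confirming they exist in the lib389 version this patch is applied to.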
diff --git a/SOURCES/0001-Ticket-48818-For-a-replica-bindDNGroup-should-be-fet.patch b/SOURCES/0001-Ticket-48818-For-a-replica-bindDNGroup-should-be-fet.patch
new file mode 100644
index 0000000..4571372
--- /dev/null
+++ b/SOURCES/0001-Ticket-48818-For-a-replica-bindDNGroup-should-be-fet.patch
@@ -0,0 +1,51 @@
+From 0ea14f45cbc834e4791fdc393c5a2a042fd08101 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz
+Date: Tue, 10 Jul 2018 12:07:45 +0200
+Subject: [PATCH] Ticket 48818 - For a replica bindDNGroup, should be fetched
+ the first time it is used not when the replica is started
+
+Bug Description:
+ The fetching of the bindDNGroup is working as designed but this ticket is to make it more flexible
+
+ At startup, if the group does not contain the replica_mgr.
+ No replication session will succeed until bindDnGroupCheckInterval delay.
+ updatedn_group_last_check is the timestamp of the last fetch. At startup
+ updatedn_group_last_check is set to the current time. So the next fetch will happen not before
+ updatedn_group_last_check+bindDnGroupCheckInterval.
+
+ If the groupDn is changed after startup, no incoming replication can happen for the first
+ bindDnGroupCheckInterval seconds
+
+Fix Description:
+ The fix consist to unset updatedn_group_last_check so that the group will be fetch when the first
+ incoming replication session will happen.
+
+https://pagure.io/389-ds-base/issue/49818
+
+Reviewed by: Mark Reynolds, Simon Spichugi (thanks !!!)
+
+Platforms tested: F27
+
+Flag Day: no
+
+Doc impact: no
+---
+ ldap/servers/plugins/replication/repl5_replica.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
+index dee20875e..41cad3bf0 100644
+--- a/ldap/servers/plugins/replication/repl5_replica.c
++++ b/ldap/servers/plugins/replication/repl5_replica.c
+@@ -2026,7 +2026,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
+ /* get replication bind dn groups */
+ r->updatedn_groups = replica_updatedn_group_new(e);
+ r->groupdn_list = replica_groupdn_list_new(r->updatedn_groups);
+- r->updatedn_group_last_check = time(NULL);
++ r->updatedn_group_last_check = 0;
+ /* get groupdn check interval */
+ if ((val = slapi_entry_attr_get_charptr(e, attr_replicaBindDnGroupCheckInterval))) {
+ if (repl_config_valid_num(attr_replicaBindDnGroupCheckInterval, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) {
+--
+2.17.1
+
diff --git a/SOURCES/0001-Ticket-49305-Need-to-wrap-atomic-calls.patch b/SOURCES/0001-Ticket-49305-Need-to-wrap-atomic-calls.patch
deleted file mode 100644
index 93820e4..0000000
--- a/SOURCES/0001-Ticket-49305-Need-to-wrap-atomic-calls.patch
+++ /dev/null
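Review bot: The new `r->updatedn_group_last_check = 0;` in the repl5_replica.c hunk uses 0 as an unexplained sentinel for "never checked", and the code that compares this timestamp against the check interval is outside the hunk. Because the bind DN groups decide which identities may send replication updates, the intent deserves a comment on that line, for example `/* 0 = not checked yet: re-read the bind DN groups on the first incoming replication session */`. The interval parsed just below accepts -1 (`repl_config_valid_num(..., -1, INT_MAX, ...)`); if that value disables the periodic check, confirm that the first-session refresh still happens as the description promises. _replica_init_from_config starts and ends outside the hunk.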
@@ -1,1325 +0,0 @@ -From 76e8c99e00f776fdab6cf834923d19f911f06fb9 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 28 Sep 2017 10:38:20 -0400 -Subject: [PATCH] Ticket 49305 - Need to wrap atomic calls - -Bug Description: Some RHEL 7.5 platforms (ppc 32bit) still do not support - all the gcc built-in atomics. This breaks the downstream - builds. - -Fix Description: Use wrapper functions for the atomic's using #define's - to detect if builtin atomics are supported, otherwise - use the generic nspr atomic functions. - -https://pagure.io/389-ds-base/issue/49305 - -Reviewed by: tbordaz, lkrispen, and wibrown(Thanks!!!) - -(cherry picked from commit 93a29584ddae52497b898b451c2c810244627acb) ---- - ldap/servers/slapd/attrsyntax.c | 8 +- - ldap/servers/slapd/back-ldbm/dblayer.c | 8 +- - ldap/servers/slapd/entry.c | 8 +- - ldap/servers/slapd/libglobs.c | 154 ++++++++++++++++----------------- - ldap/servers/slapd/log.c | 9 +- - ldap/servers/slapd/mapping_tree.c | 28 +++--- - ldap/servers/slapd/object.c | 7 +- - ldap/servers/slapd/psearch.c | 7 +- - ldap/servers/slapd/slapi-plugin.h | 65 ++++++++++---- - ldap/servers/slapd/slapi_counter.c | 113 +++++++++++++----------- - 10 files changed, 223 insertions(+), 184 deletions(-) - -diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c -index a0a60c4..1a9efef 100644 ---- a/ldap/servers/slapd/attrsyntax.c -+++ b/ldap/servers/slapd/attrsyntax.c -@@ -274,7 +274,7 @@ attr_syntax_get_by_oid_locking_optional(const char *oid, PRBool use_lock, PRUint - } - asi = (struct asyntaxinfo *)PL_HashTableLookup_const(ht, oid); - if (asi) { -- slapi_atomic_incr(&(asi->asi_refcnt), __ATOMIC_RELEASE, ATOMIC_LONG); -+ slapi_atomic_incr_64(&(asi->asi_refcnt), __ATOMIC_RELEASE); - } - if (use_lock) { - AS_UNLOCK_READ(oid2asi_lock); -@@ -371,7 +371,7 @@ attr_syntax_get_by_name_locking_optional(const char *name, PRBool use_lock, PRUi - } - asi = (struct asyntaxinfo *)PL_HashTableLookup_const(ht, name); - if (NULL != asi) { 
-- slapi_atomic_incr(&(asi->asi_refcnt), __ATOMIC_RELEASE, ATOMIC_LONG); -+ slapi_atomic_incr_64(&(asi->asi_refcnt), __ATOMIC_RELEASE); - } - if (use_lock) { - AS_UNLOCK_READ(name2asi_lock); -@@ -406,7 +406,7 @@ attr_syntax_return_locking_optional(struct asyntaxinfo *asi, PRBool use_lock) - } - if (NULL != asi) { - PRBool delete_it = PR_FALSE; -- if (0 == slapi_atomic_decr(&(asi->asi_refcnt), __ATOMIC_ACQ_REL, ATOMIC_LONG)) { -+ if (0 == slapi_atomic_decr_64(&(asi->asi_refcnt), __ATOMIC_ACQ_REL)) { - delete_it = asi->asi_marked_for_delete; - } - -@@ -540,7 +540,7 @@ attr_syntax_delete_no_lock(struct asyntaxinfo *asi, - PL_HashTableRemove(ht, asi->asi_aliases[i]); - } - } -- if (slapi_atomic_load(&(asi->asi_refcnt), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) { -+ if (slapi_atomic_load_64(&(asi->asi_refcnt), __ATOMIC_ACQUIRE) > 0) { - asi->asi_marked_for_delete = PR_TRUE; - } else { - /* This is ok, but the correct thing is to call delete first, -diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c -index c4c4959..9e557a2 100644 ---- a/ldap/servers/slapd/back-ldbm/dblayer.c -+++ b/ldap/servers/slapd/back-ldbm/dblayer.c -@@ -2880,7 +2880,7 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag - /* it's like a semaphore -- when count > 0, any file handle that's in - * the attrinfo will remain valid from here on. - */ -- slapi_atomic_incr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG); -+ slapi_atomic_incr_64(&(a->ai_dblayer_count), __ATOMIC_RELEASE); - - if (a->ai_dblayer && ((dblayer_handle *)(a->ai_dblayer))->dblayer_dbp) { - /* This means that the pointer is valid, so we should return it. */ -@@ -2938,7 +2938,7 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag - /* some sort of error -- we didn't open a handle at all. - * decrement the refcount back to where it was. 
- */ -- slapi_atomic_decr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG); -+ slapi_atomic_decr_64(&(a->ai_dblayer_count), __ATOMIC_RELEASE); - } - - return return_value; -@@ -2950,7 +2950,7 @@ dblayer_get_index_file(backend *be, struct attrinfo *a, DB **ppDB, int open_flag - int - dblayer_release_index_file(backend *be __attribute__((unused)), struct attrinfo *a, DB *pDB __attribute__((unused))) - { -- slapi_atomic_decr(&(a->ai_dblayer_count), __ATOMIC_RELEASE, ATOMIC_LONG); -+ slapi_atomic_decr_64(&(a->ai_dblayer_count), __ATOMIC_RELEASE); - return 0; - } - -@@ -3057,7 +3057,7 @@ dblayer_erase_index_file_ex(backend *be, struct attrinfo *a, PRBool use_lock, in - - dblayer_release_index_file(be, a, db); - -- while (slapi_atomic_load(&(a->ai_dblayer_count), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) { -+ while (slapi_atomic_load_64(&(a->ai_dblayer_count), __ATOMIC_ACQUIRE) > 0) { - /* someone is using this index file */ - /* ASSUMPTION: you have already set the INDEX_OFFLINE flag, because - * you intend to mess with this index. 
therefore no new requests -diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c -index 289a149..fbbc8fa 100644 ---- a/ldap/servers/slapd/entry.c -+++ b/ldap/servers/slapd/entry.c -@@ -2249,14 +2249,14 @@ static int32_t g_virtual_watermark = 0; /* good enough to init */ - int - slapi_entry_vattrcache_watermark_isvalid(const Slapi_Entry *e) - { -- return e->e_virtual_watermark == slapi_atomic_load(&g_virtual_watermark, __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return e->e_virtual_watermark == slapi_atomic_load_32(&g_virtual_watermark, __ATOMIC_ACQUIRE); - - } - - void - slapi_entry_vattrcache_watermark_set(Slapi_Entry *e) - { -- e->e_virtual_watermark = slapi_atomic_load(&g_virtual_watermark, __ATOMIC_ACQUIRE, ATOMIC_INT); -+ e->e_virtual_watermark = slapi_atomic_load_32(&g_virtual_watermark, __ATOMIC_ACQUIRE); - } - - void -@@ -2269,8 +2269,8 @@ void - slapi_entrycache_vattrcache_watermark_invalidate() - { - /* Make sure the value is never 0 */ -- if (slapi_atomic_incr(&g_virtual_watermark, __ATOMIC_RELEASE, ATOMIC_INT) == 0) { -- slapi_atomic_incr(&g_virtual_watermark, __ATOMIC_RELEASE, ATOMIC_INT); -+ if (slapi_atomic_incr_32(&g_virtual_watermark, __ATOMIC_RELEASE) == 0) { -+ slapi_atomic_incr_32(&g_virtual_watermark, __ATOMIC_RELEASE); - } - } - -diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c -index 4c54cf7..1ba3000 100644 ---- a/ldap/servers/slapd/libglobs.c -+++ b/ldap/servers/slapd/libglobs.c -@@ -1335,19 +1335,19 @@ static uint64_t active_threads = 0; - void - g_incr_active_threadcnt(void) - { -- slapi_atomic_incr(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG); -+ slapi_atomic_incr_64(&active_threads, __ATOMIC_RELEASE); - } - - void - g_decr_active_threadcnt(void) - { -- slapi_atomic_decr(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG); -+ slapi_atomic_decr_64(&active_threads, __ATOMIC_RELEASE); - } - - uint64_t - g_get_active_threadcnt(void) - { -- return slapi_atomic_load(&active_threads, __ATOMIC_RELEASE, ATOMIC_LONG); 
-+ return slapi_atomic_load_64(&active_threads, __ATOMIC_RELEASE); - } - - /* -@@ -1936,7 +1936,7 @@ config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf, - size = NDN_DEFAULT_SIZE; - } - if (apply) { -- slapi_atomic_store(&(slapdFrontendConfig->ndn_cache_max_size), &size, __ATOMIC_RELEASE, ATOMIC_LONG); -+ slapi_atomic_store_64(&(slapdFrontendConfig->ndn_cache_max_size), size, __ATOMIC_RELEASE); - } - - return retVal; -@@ -3476,7 +3476,7 @@ int32_t - config_get_dynamic_plugins(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->dynamic_plugins), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->dynamic_plugins), __ATOMIC_ACQUIRE); - - } - -@@ -3499,7 +3499,7 @@ int32_t - config_get_cn_uses_dn_syntax_in_dns() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->cn_uses_dn_syntax_in_dns), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->cn_uses_dn_syntax_in_dns), __ATOMIC_ACQUIRE); - } - - int32_t -@@ -3544,7 +3544,7 @@ config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char * - newval = LDAP_OFF; - } - -- slapi_atomic_store(configvalue, &newval, __ATOMIC_RELEASE, ATOMIC_INT); -+ slapi_atomic_store_32(configvalue, newval, __ATOMIC_RELEASE); - - return retVal; - } -@@ -3916,7 +3916,7 @@ config_set_threadnumber(const char *attrname, char *value, char *errorbuf, int a - retVal = LDAP_OPERATIONS_ERROR; - } - if (apply) { -- slapi_atomic_store(&(slapdFrontendConfig->threadnumber), &threadnum, __ATOMIC_RELAXED, ATOMIC_INT); -+ slapi_atomic_store_32(&(slapdFrontendConfig->threadnumber), threadnum, __ATOMIC_RELAXED); - } - return retVal; - } -@@ -3925,7 +3925,7 @@ int - config_set_maxthreadsperconn(const char *attrname, char *value, char *errorbuf, int apply) - { - int retVal = LDAP_SUCCESS; -- long 
maxthreadnum = 0; -+ int32_t maxthreadnum = 0; - char *endp = NULL; - - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -@@ -3935,7 +3935,7 @@ config_set_maxthreadsperconn(const char *attrname, char *value, char *errorbuf, - } - - errno = 0; -- maxthreadnum = strtol(value, &endp, 10); -+ maxthreadnum = (int32_t)strtol(value, &endp, 10); - - if (*endp != '\0' || errno == ERANGE || maxthreadnum < 1 || maxthreadnum > 65535) { - slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, -@@ -3945,7 +3945,7 @@ config_set_maxthreadsperconn(const char *attrname, char *value, char *errorbuf, - } - - if (apply) { -- slapi_atomic_store(&(slapdFrontendConfig->maxthreadsperconn), &maxthreadnum, __ATOMIC_RELEASE, ATOMIC_INT); -+ slapi_atomic_store_32(&(slapdFrontendConfig->maxthreadsperconn), maxthreadnum, __ATOMIC_RELEASE); - } - return retVal; - } -@@ -4083,7 +4083,7 @@ int - config_set_ioblocktimeout(const char *attrname, char *value, char *errorbuf, int apply) - { - int retVal = LDAP_SUCCESS; -- long nValue = 0; -+ int32_t nValue = 0; - char *endp = NULL; - - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -@@ -4093,7 +4093,7 @@ config_set_ioblocktimeout(const char *attrname, char *value, char *errorbuf, int - } - - errno = 0; -- nValue = strtol(value, &endp, 10); -+ nValue = (int32_t)strtol(value, &endp, 10); - - if (*endp != '\0' || errno == ERANGE || nValue < 0) { - slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: invalid value \"%s\", I/O block timeout must range from 0 to %lld", -@@ -4103,7 +4103,7 @@ config_set_ioblocktimeout(const char *attrname, char *value, char *errorbuf, int - } - - if (apply) { -- slapi_atomic_store(&(slapdFrontendConfig->ioblocktimeout), &nValue, __ATOMIC_RELEASE, ATOMIC_INT); -+ slapi_atomic_store_32(&(slapdFrontendConfig->ioblocktimeout), nValue, __ATOMIC_RELEASE); - } - return retVal; - } -@@ -4607,7 +4607,7 @@ int32_t - config_get_sasl_mapping_fallback() - { - slapdFrontendConfig_t 
*slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->sasl_mapping_fallback), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->sasl_mapping_fallback), __ATOMIC_ACQUIRE); - - } - -@@ -4615,14 +4615,14 @@ int32_t - config_get_disk_monitoring() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->disk_monitoring), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->disk_monitoring), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_disk_logging_critical() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->disk_logging_critical), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->disk_logging_critical), __ATOMIC_ACQUIRE); - } - - int -@@ -4669,14 +4669,14 @@ int32_t - config_get_ldapi_switch() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->ldapi_switch), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->ldapi_switch), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_ldapi_bind_switch() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->ldapi_bind_switch), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->ldapi_bind_switch), __ATOMIC_ACQUIRE); - } - - char * -@@ -4695,7 +4695,7 @@ int - config_get_ldapi_map_entries() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->ldapi_map_entries), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->ldapi_map_entries), __ATOMIC_ACQUIRE); - } - - char * -@@ -4765,7 +4765,7 @@ int32_t - config_get_slapi_counters() - { - 
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->slapi_counters), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->slapi_counters), __ATOMIC_ACQUIRE); - - } - -@@ -4948,7 +4948,7 @@ int32_t - config_get_pw_change(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_change), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_change), __ATOMIC_ACQUIRE); - } - - -@@ -4956,7 +4956,7 @@ int32_t - config_get_pw_history(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_history), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_history), __ATOMIC_ACQUIRE); - } - - -@@ -4964,21 +4964,21 @@ int32_t - config_get_pw_must_change(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_must_change), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_must_change), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_allow_hashed_pw(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->allow_hashed_pw), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->allow_hashed_pw), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_pw_syntax(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_syntax), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_syntax), __ATOMIC_ACQUIRE); - } - - -@@ -5167,21 +5167,21 @@ int32_t - 
config_get_pw_is_global_policy(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->pw_is_global_policy), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_is_global_policy), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_pw_is_legacy_policy(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_is_legacy), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_is_legacy), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_pw_exp(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_exp), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_exp), __ATOMIC_ACQUIRE); - } - - -@@ -5189,14 +5189,14 @@ int32_t - config_get_pw_unlock(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_unlock), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_unlock), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_pw_lockout() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->pw_policy.pw_lockout), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->pw_policy.pw_lockout), __ATOMIC_ACQUIRE); - } - - int -@@ -5216,112 +5216,112 @@ int32_t - config_get_lastmod() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->lastmod), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->lastmod), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_enquote_sup_oc() - { - slapdFrontendConfig_t 
*slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->enquote_sup_oc), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->enquote_sup_oc), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_nagle(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->nagle), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->nagle), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_accesscontrol(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->accesscontrol), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->accesscontrol), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_return_exact_case(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->return_exact_case), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->return_exact_case), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_result_tweak(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->result_tweak), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->result_tweak), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_moddn_aci(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->moddn_aci), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->moddn_aci), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_security(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->security), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return 
slapi_atomic_load_32(&(slapdFrontendConfig->security), __ATOMIC_ACQUIRE); - } - - int32_t - slapi_config_get_readonly(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->readonly), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->readonly), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_schemacheck(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->schemacheck), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->schemacheck), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_schemamod(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->schemamod), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->schemamod), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_syntaxcheck(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->syntaxcheck), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->syntaxcheck), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_syntaxlogging(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->syntaxlogging), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->syntaxlogging), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_dn_validate_strict(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->dn_validate_strict), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->dn_validate_strict), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_ds4_compatible_schema(void) - { - slapdFrontendConfig_t 
*slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->ds4_compatible_schema), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->ds4_compatible_schema), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_schema_ignore_trailing_spaces(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->schema_ignore_trailing_spaces), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->schema_ignore_trailing_spaces), __ATOMIC_ACQUIRE); - } - - char * -@@ -5405,7 +5405,7 @@ config_get_threadnumber(void) - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); - int32_t retVal; - -- retVal = slapi_atomic_load(&(slapdFrontendConfig->threadnumber), __ATOMIC_RELAXED, ATOMIC_INT); -+ retVal = slapi_atomic_load_32(&(slapdFrontendConfig->threadnumber), __ATOMIC_RELAXED); - - if (retVal <= 0) { - retVal = util_get_hardware_threads(); -@@ -5423,7 +5423,7 @@ int32_t - config_get_maxthreadsperconn() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->maxthreadsperconn), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->maxthreadsperconn), __ATOMIC_ACQUIRE); - } - - int -@@ -5455,7 +5455,7 @@ int32_t - config_get_ioblocktimeout() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->ioblocktimeout), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->ioblocktimeout), __ATOMIC_ACQUIRE); - } - - int -@@ -5772,21 +5772,21 @@ int32_t - config_get_unauth_binds_switch(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->allow_unauth_binds), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return 
slapi_atomic_load_32(&(slapdFrontendConfig->allow_unauth_binds), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_require_secure_binds(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->require_secure_binds), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->require_secure_binds), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_anon_access_switch(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->allow_anon_access), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->allow_anon_access), __ATOMIC_ACQUIRE); - } - - int -@@ -6028,7 +6028,7 @@ int32_t - config_get_minssf_exclude_rootdse() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->minssf_exclude_rootdse), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->minssf_exclude_rootdse), __ATOMIC_ACQUIRE); - - } - -@@ -6057,7 +6057,7 @@ config_set_max_filter_nest_level(const char *attrname, char *value, char *errorb - return retVal; - } - -- slapi_atomic_store(&(slapdFrontendConfig->max_filter_nest_level), &level, __ATOMIC_RELEASE, ATOMIC_INT); -+ slapi_atomic_store_32(&(slapdFrontendConfig->max_filter_nest_level), level, __ATOMIC_RELEASE); - return retVal; - } - -@@ -6065,28 +6065,28 @@ int32_t - config_get_max_filter_nest_level() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->max_filter_nest_level), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->max_filter_nest_level), __ATOMIC_ACQUIRE); - } - - uint64_t - config_get_ndn_cache_size() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->ndn_cache_max_size), 
__ATOMIC_ACQUIRE, ATOMIC_LONG); -+ return slapi_atomic_load_64(&(slapdFrontendConfig->ndn_cache_max_size), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_ndn_cache_enabled() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->ndn_cache_enabled), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->ndn_cache_enabled), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_return_orig_type_switch() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->return_orig_type), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->return_orig_type), __ATOMIC_ACQUIRE); - } - - char * -@@ -6788,7 +6788,7 @@ int32_t - config_get_force_sasl_external(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->force_sasl_external), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->force_sasl_external), __ATOMIC_ACQUIRE); - } - - int32_t -@@ -6810,7 +6810,7 @@ int32_t - config_get_entryusn_global(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->entryusn_global), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->entryusn_global), __ATOMIC_ACQUIRE); - } - - int32_t -@@ -7048,21 +7048,21 @@ int32_t - config_get_enable_turbo_mode(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->enable_turbo_mode), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->enable_turbo_mode), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_connection_nocanon(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return 
slapi_atomic_load(&(slapdFrontendConfig->connection_nocanon), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->connection_nocanon), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_plugin_logging(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->plugin_logging), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->plugin_logging), __ATOMIC_ACQUIRE); - } - - int32_t -@@ -7075,21 +7075,21 @@ int32_t - config_get_unhashed_pw_switch() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->unhashed_pw_switch), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->unhashed_pw_switch), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_ignore_time_skew(void) - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->ignore_time_skew), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->ignore_time_skew), __ATOMIC_ACQUIRE); - } - - int32_t - config_get_global_backend_lock() - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -- return slapi_atomic_load(&(slapdFrontendConfig->global_backend_lock), __ATOMIC_ACQUIRE, ATOMIC_INT); -+ return slapi_atomic_load_32(&(slapdFrontendConfig->global_backend_lock), __ATOMIC_ACQUIRE); - } - - int32_t -@@ -7185,7 +7185,7 @@ config_set_connection_buffer(const char *attrname, char *value, char *errorbuf, - } - - val = atoi(value); -- slapi_atomic_store(&(slapdFrontendConfig->connection_buffer), &val, __ATOMIC_RELEASE, ATOMIC_INT); -+ slapi_atomic_store_32(&(slapdFrontendConfig->connection_buffer), val, __ATOMIC_RELEASE); - - return retVal; - } -@@ -7209,7 +7209,7 @@ config_set_listen_backlog_size(const char *attrname, char *value, char *errorbuf - } - - if (apply) { -- 
slapi_atomic_store(&(slapdFrontendConfig->listen_backlog_size), &size, __ATOMIC_RELEASE, ATOMIC_INT); -+ slapi_atomic_store_32(&(slapdFrontendConfig->listen_backlog_size), size, __ATOMIC_RELEASE); - } - return LDAP_SUCCESS; - } -@@ -7622,7 +7622,7 @@ config_set_accesslog_enabled(int value) - char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE]; - errorbuf[0] = '\0'; - -- slapi_atomic_store(&(slapdFrontendConfig->accesslog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT); -+ slapi_atomic_store_32(&(slapdFrontendConfig->accesslog_logging_enabled), value, __ATOMIC_RELEASE); - if (value) { - log_set_logging(CONFIG_ACCESSLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_ACCESS_LOG, errorbuf, CONFIG_APPLY); - } else { -@@ -7640,7 +7640,7 @@ config_set_auditlog_enabled(int value) - char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE]; - errorbuf[0] = '\0'; - -- slapi_atomic_store(&(slapdFrontendConfig->auditlog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT); -+ slapi_atomic_store_32(&(slapdFrontendConfig->auditlog_logging_enabled), value, __ATOMIC_RELEASE); - if (value) { - log_set_logging(CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_AUDIT_LOG, errorbuf, CONFIG_APPLY); - } else { -@@ -7658,7 +7658,7 @@ config_set_auditfaillog_enabled(int value) - char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE]; - errorbuf[0] = '\0'; - -- slapi_atomic_store(&(slapdFrontendConfig->auditfaillog_logging_enabled), &value, __ATOMIC_RELEASE, ATOMIC_INT); -+ slapi_atomic_store_32(&(slapdFrontendConfig->auditfaillog_logging_enabled), value, __ATOMIC_RELEASE); - if (value) { - log_set_logging(CONFIG_AUDITFAILLOG_LOGGING_ENABLED_ATTRIBUTE, "on", SLAPD_AUDITFAIL_LOG, errorbuf, CONFIG_APPLY); - } else { -@@ -7736,7 +7736,7 @@ config_set_malloc_mxfast(const char *attrname, char *value, char *errorbuf, int - { - slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); - int max = 80 * (sizeof(size_t) / 4); -- int mxfast; -+ int32_t mxfast; - char *endp = NULL; - - if (config_value_is_null(attrname, value, 
errorbuf, 0)) {
-@@ -7749,7 +7749,7 @@ config_set_malloc_mxfast(const char *attrname, char *value, char *errorbuf, int
- value, CONFIG_MALLOC_MXFAST, max);
- return LDAP_OPERATIONS_ERROR;
- }
-- slapi_atomic_store(&(slapdFrontendConfig->malloc_mxfast), &mxfast, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->malloc_mxfast), mxfast, __ATOMIC_RELEASE);
-
- if ((mxfast >= 0) && (mxfast <= max)) {
- mallopt(M_MXFAST, mxfast);
-@@ -7775,7 +7775,7 @@ int
- config_set_malloc_trim_threshold(const char *attrname, char *value, char *errorbuf, int apply __attribute__((unused)))
- {
- slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-- int trim_threshold;
-+ int32_t trim_threshold;
- char *endp = NULL;
-
- if (config_value_is_null(attrname, value, errorbuf, 0)) {
-@@ -7789,7 +7789,7 @@ config_set_malloc_trim_threshold(const char *attrname, char *value, char *errorb
- return LDAP_OPERATIONS_ERROR;
- }
-
-- slapi_atomic_store(&(slapdFrontendConfig->malloc_trim_threshold), &trim_threshold, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->malloc_trim_threshold), trim_threshold, __ATOMIC_RELEASE);
-
- if (trim_threshold >= -1) {
- mallopt(M_TRIM_THRESHOLD, trim_threshold);
-@@ -7836,7 +7836,7 @@ config_set_malloc_mmap_threshold(const char *attrname, char *value, char *errorb
- return LDAP_OPERATIONS_ERROR;
- }
-
-- slapi_atomic_store(&(slapdFrontendConfig->malloc_mmap_threshold), &mmap_threshold, __ATOMIC_RELEASE, ATOMIC_INT);
-+ slapi_atomic_store_32(&(slapdFrontendConfig->malloc_mmap_threshold), mmap_threshold, __ATOMIC_RELEASE);
-
- if ((mmap_threshold >= 0) && (mmap_threshold <= max)) {
- mallopt(M_MMAP_THRESHOLD, mmap_threshold);
-diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
-index 4d44c87..e16d89c 100644
---- a/ldap/servers/slapd/log.c
-+++ b/ldap/servers/slapd/log.c
-@@ -4942,13 +4942,12 @@ static LogBufferInfo *
- log_create_buffer(size_t sz)
- {
- LogBufferInfo *lbi;
-- 
uint64_t init_val = 0;
-
- lbi = (LogBufferInfo *)slapi_ch_malloc(sizeof(LogBufferInfo));
- lbi->top = (char *)slapi_ch_malloc(sz);
- lbi->current = lbi->top;
- lbi->maxsize = sz;
-- slapi_atomic_store(&(lbi->refcount), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_store_64(&(lbi->refcount), 0, __ATOMIC_RELEASE);
- return lbi;
- }
-
-@@ -5010,7 +5009,7 @@ log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_t size1, cha
- insert_point = lbi->current;
- lbi->current += size;
- /* Increment the copy refcount */
-- slapi_atomic_incr(&(lbi->refcount), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_incr_64(&(lbi->refcount), __ATOMIC_RELEASE);
- PR_Unlock(lbi->lock);
-
- /* Now we can copy without holding the lock */
-@@ -5018,7 +5017,7 @@ log_append_buffer2(time_t tnl, LogBufferInfo *lbi, char *msg1, size_t size1, cha
- memcpy(insert_point + size1, msg2, size2);
-
- /* Decrement the copy refcount */
-- slapi_atomic_decr(&(lbi->refcount), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_decr_64(&(lbi->refcount), __ATOMIC_RELEASE);
-
- /* If we are asked to sync to disk immediately, do so */
- if (!slapdFrontendConfig->accesslogbuffering) {
-@@ -5038,7 +5037,7 @@ log_flush_buffer(LogBufferInfo *lbi, int type, int sync_now)
- if (type == SLAPD_ACCESS_LOG) {
-
- /* It is only safe to flush once any other threads which are copying are finished */
-- while (slapi_atomic_load(&(lbi->refcount), __ATOMIC_ACQUIRE, ATOMIC_LONG) > 0) {
-+ while (slapi_atomic_load_64(&(lbi->refcount), __ATOMIC_ACQUIRE) > 0) {
- /* It's ok to sleep for a while because we only flush every second or so */
- DS_Sleep(PR_MillisecondsToInterval(1));
- }
-diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
-index 6621ceb..8cc5318 100644
---- a/ldap/servers/slapd/mapping_tree.c
-+++ b/ldap/servers/slapd/mapping_tree.c
-@@ -1647,7 +1647,7 @@ mapping_tree_init()
-
- /* we call this function from a single thread, so it should be ok */
-
-- if 
(slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown has been detected */
- return 0;
- }
-@@ -1759,8 +1759,6 @@ mtn_free_node(mapping_tree_node **node)
- void
- mapping_tree_free()
- {
-- int init_val = 1;
--
- /* unregister dse callbacks */
- slapi_config_remove_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP, MAPPING_TREE_BASE_DN, LDAP_SCOPE_BASE, "(objectclass=*)", mapping_tree_entry_modify_callback);
- slapi_config_remove_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, MAPPING_TREE_BASE_DN, LDAP_SCOPE_BASE, "(objectclass=*)", mapping_tree_entry_add_callback);
-@@ -1773,7 +1771,7 @@ mapping_tree_free()
- slapi_unregister_backend_state_change_all();
- /* recursively free tree nodes */
- mtn_free_node(&mapping_tree_root);
-- slapi_atomic_store(&mapping_tree_freed, &init_val, __ATOMIC_RELAXED, ATOMIC_INT);
-+ slapi_atomic_store_32(&mapping_tree_freed, 1, __ATOMIC_RELAXED);
- }
-
- /* This function returns the first node to parse when a search is done
-@@ -2024,7 +2022,7 @@ slapi_dn_write_needs_referral(Slapi_DN *target_sdn, Slapi_Entry **referral)
- mapping_tree_node *target_node = NULL;
- int ret = 0;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- goto done;
- }
-@@ -2095,7 +2093,7 @@ slapi_mapping_tree_select(Slapi_PBlock *pb, Slapi_Backend **be, Slapi_Entry **re
- int fixup = 0;
-
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return LDAP_OPERATIONS_ERROR;
- }
-@@ -2200,7 +2198,7 @@ slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list, Slapi_E
- int flag_partial_result = 0;
- int op_type;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if 
(slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- return LDAP_OPERATIONS_ERROR;
- }
-
-@@ -2360,7 +2358,7 @@ slapi_mapping_tree_select_and_check(Slapi_PBlock *pb, char *newdn, Slapi_Backend
- int ret;
- int need_unlock = 0;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- return LDAP_OPERATIONS_ERROR;
- }
-
-@@ -2526,7 +2524,7 @@ mtn_get_be(mapping_tree_node *target_node, Slapi_PBlock *pb, Slapi_Backend **be,
- int flag_stop = 0;
- struct slapi_componentid *cid = NULL;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shut down detected */
- return LDAP_OPERATIONS_ERROR;
- }
-@@ -2714,7 +2712,7 @@ best_matching_child(mapping_tree_node *parent,
- mapping_tree_node *highest_match_node = NULL;
- mapping_tree_node *current;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2741,7 +2739,7 @@ mtn_get_mapping_tree_node_by_entry(mapping_tree_node *node, const Slapi_DN *dn)
- {
- mapping_tree_node *found_node = NULL;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2784,7 +2782,7 @@ slapi_get_mapping_tree_node_by_dn(const Slapi_DN *dn)
- mapping_tree_node *current_best_match = mapping_tree_root;
- mapping_tree_node *next_best_match = mapping_tree_root;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2818,7 +2816,7 @@ get_mapping_tree_node_by_name(mapping_tree_node *node, char *be_name)
- int i;
- 
mapping_tree_node *found_node = NULL;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2865,7 +2863,7 @@ slapi_get_mapping_tree_node_configdn(const Slapi_DN *root)
- {
- char *dn = NULL;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-@@ -2892,7 +2890,7 @@ slapi_get_mapping_tree_node_configsdn(const Slapi_DN *root)
- char *dn = NULL;
- Slapi_DN *sdn = NULL;
-
-- if (slapi_atomic_load(&mapping_tree_freed, __ATOMIC_RELAXED, ATOMIC_INT)) {
-+ if (slapi_atomic_load_32(&mapping_tree_freed, __ATOMIC_RELAXED)) {
- /* shutdown detected */
- return NULL;
- }
-diff --git a/ldap/servers/slapd/object.c b/ldap/servers/slapd/object.c
-index 6a1a9a5..8e55a16 100644
---- a/ldap/servers/slapd/object.c
-+++ b/ldap/servers/slapd/object.c
-@@ -43,12 +43,11 @@ Object *
- object_new(void *user_data, FNFree destructor)
- {
- Object *o;
-- uint64_t init_val = 1;
-
- o = (object *)slapi_ch_malloc(sizeof(object));
- o->destructor = destructor;
- o->data = user_data;
-- slapi_atomic_store(&(o->refcnt), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_store_64(&(o->refcnt), 1, __ATOMIC_RELEASE);
- return o;
- }
-
-@@ -62,7 +61,7 @@ void
- object_acquire(Object *o)
- {
- PR_ASSERT(NULL != o);
-- slapi_atomic_incr(&(o->refcnt), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_incr_64(&(o->refcnt), __ATOMIC_RELEASE);
- }
-
-
-@@ -77,7 +76,7 @@ object_release(Object *o)
- PRInt32 refcnt_after_release;
-
- PR_ASSERT(NULL != o);
-- refcnt_after_release = slapi_atomic_decr(&(o->refcnt), __ATOMIC_ACQ_REL, ATOMIC_LONG);
-+ refcnt_after_release = slapi_atomic_decr_64(&(o->refcnt), __ATOMIC_ACQ_REL);
- if (refcnt_after_release == 0) {
- /* Object can be destroyed */
- if (o->destructor)
-diff --git 
a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c
-index 70c530b..e0dd2bf 100644
---- a/ldap/servers/slapd/psearch.c
-+++ b/ldap/servers/slapd/psearch.c
-@@ -134,7 +134,7 @@ ps_stop_psearch_system()
- if (PS_IS_INITIALIZED()) {
- PSL_LOCK_WRITE();
- for (ps = psearch_list->pl_head; NULL != ps; ps = ps->ps_next) {
-- slapi_atomic_incr(&(ps->ps_complete), __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_incr_64(&(ps->ps_complete), __ATOMIC_RELEASE);
- }
- PSL_UNLOCK_WRITE();
- ps_wakeup_all();
-@@ -285,7 +285,7 @@ ps_send_results(void *arg)
-
- PR_Lock(psearch_list->pl_cvarlock);
-
-- while ((conn_acq_flag == 0) && slapi_atomic_load(&(ps->ps_complete), __ATOMIC_ACQUIRE, ATOMIC_LONG) == 0) {
-+ while ((conn_acq_flag == 0) && slapi_atomic_load_64(&(ps->ps_complete), __ATOMIC_ACQUIRE) == 0) {
- /* Check for an abandoned operation */
- if (pb_op == NULL || slapi_op_abandoned(ps->ps_pblock)) {
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
-@@ -427,7 +427,6 @@ static PSearch *
- psearch_alloc(void)
- {
- PSearch *ps;
-- uint64_t init_val = 0;
-
- ps = (PSearch *)slapi_ch_calloc(1, sizeof(PSearch));
-
-@@ -438,7 +437,7 @@ psearch_alloc(void)
- slapi_ch_free((void **)&ps);
- return (NULL);
- }
-- slapi_atomic_store(&(ps->ps_complete), &init_val, __ATOMIC_RELEASE, ATOMIC_LONG);
-+ slapi_atomic_store_64(&(ps->ps_complete), 0, __ATOMIC_RELEASE);
- ps->ps_eq_head = ps->ps_eq_tail = (PSEQNode *)NULL;
- ps->ps_lasttime = (time_t)0L;
- ps->ps_next = NULL;
-diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
-index c434add..4566202 100644
---- a/ldap/servers/slapd/slapi-plugin.h
-+++ b/ldap/servers/slapd/slapi-plugin.h
-@@ -8202,56 +8202,87 @@ void slapi_operation_time_initiated(Slapi_Operation *o, struct timespec *initiat
- */
- #endif
-
--/* See: https://gcc.gnu.org/ml/gcc/2016-11/txt6ZlA_JS27i.txt */
--#define ATOMIC_GENERIC 0
--#define ATOMIC_INT 4
--#define ATOMIC_LONG 8
--#define ATOMIC_INT128 16 /* Future */
-+/**
-+ * Store a 
32bit integral value atomicly
-+ *
-+ * \param ptr - integral pointer
-+ * \param val - pointer to integral value (use integral type int32_t with ATOMIC_INT, or uint64_t
-+ * with ATOMIC_LONG & ATOMIC_GENERIC)
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ */
-+void slapi_atomic_store_32(int32_t *ptr, int32_t val, int memorder);
-
- /**
-- * Store an integral value atomicly
-+ * Store a 64bit integral value atomicly
- *
- * \param ptr - integral pointer
- * \param val - pointer to integral value (use integral type int32_t with ATOMIC_INT, or uint64_t
- * with ATOMIC_LONG & ATOMIC_GENERIC)
- * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
- * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-- * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
- */
--void slapi_atomic_store(void *ptr, void *val, int memorder, int type);
-+void slapi_atomic_store_64(uint64_t *ptr, uint64_t val, int memorder);
-
- /**
-- * Get an integral value atomicly
-+ * Get a 32bit integral value atomicly
- *
- * \param ptr - integral pointer
- * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
- * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-- * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
- * \return -
- */
--uint64_t slapi_atomic_load(void *ptr, int memorder, int type);
-+int32_t slapi_atomic_load_32(int32_t *ptr, int memorder);
-
- /**
-- * Increment integral atomicly
-+ * Get a 64bit integral value atomicly
-+ *
-+ * \param ptr - integral pointer
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ * \return ptr value
-+ */
-+uint64_t slapi_atomic_load_64(uint64_t *ptr, int memorder);
-+
-+/**
-+ * Increment a 32bit integral atomicly
- *
- * \param ptr - pointer to integral to increment
- * \param memorder - 
__ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
- * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-- * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
- * \return - new value of ptr
- */
--uint64_t slapi_atomic_incr(void *ptr, int memorder, int type);
-+int32_t slapi_atomic_incr_32(int32_t *ptr, int memorder);
-+
-+/**
-+ * Increment a 64bitintegral atomicly
-+ *
-+ * \param ptr - pointer to integral to increment
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ * \return - new value of ptr
-+ */
-+uint64_t slapi_atomic_incr_64(uint64_t *ptr, int memorder);
-+
-+/**
-+ * Decrement a 32bit integral atomicly
-+ *
-+ * \param ptr - pointer to integral to decrement
-+ * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
-+ * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-+ * \return - new value of ptr
-+ */
-+int32_t slapi_atomic_decr_32(int32_t *ptr, int memorder);
-
- /**
-- * Decrement integral atomicly
-+ * Decrement a 64bitintegral atomicly
- *
- * \param ptr - pointer to integral to decrement
- * \param memorder - __ATOMIC_RELAXED, __ATOMIC_CONSUME, __ATOMIC_ACQUIRE,
- * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, __ATOMIC_SEQ_CST
-- * \param type - "ptr" type: ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG
- * \return - new value of ptr
- */
--uint64_t slapi_atomic_decr(void *ptr, int memorder, int type);
-+uint64_t slapi_atomic_decr_64(uint64_t *ptr, int memorder);
-
-
- #ifdef __cplusplus
-diff --git a/ldap/servers/slapd/slapi_counter.c b/ldap/servers/slapd/slapi_counter.c
-index 9e705b3..c5cae27 100644
---- a/ldap/servers/slapd/slapi_counter.c
-+++ b/ldap/servers/slapd/slapi_counter.c
-@@ -295,53 +295,41 @@ slapi_counter_get_value(Slapi_Counter *counter)
- * __ATOMIC_RELEASE, __ATOMIC_ACQ_REL, or __ATOMIC_SEQ_CST
- *
- * See: https://gcc.gnu.org/onlinedocs/gcc-4.9.2/gcc/_005f_005fatomic-Builtins.html
-- *
-- * type_size - 
ATOMIC_GENERIC, ATOMIC_INT, or ATOMIC_LONG, see slapi-plugin.h for more info
-- *
-- * Future:
-- * If we need to support ATOMIC_INT128 (not available on 32bit systems):
-- * __atomic_store_16((uint64_t *)&ptr, val, memorder);
-- * __atomic_load_16((uint64_t *)&ptr, memorder);
-- * __atomic_add_fetch_16((uint64_t *)&ptr, 1, memorder);
-- * __atomic_sub_fetch_16((uint64_t *)&ptr, 1, memorder);
- */
-
- /*
-- * "val" must be either int32_t or uint64_t
-+ * atomic store functions (32bit and 64bit)
- */
- void
--slapi_atomic_store(void *ptr, void *val, int memorder, int type_size)
-+slapi_atomic_store_32(int32_t *ptr, int32_t val, int memorder)
- {
- #ifdef ATOMIC_64BIT_OPERATIONS
-- if (type_size == ATOMIC_INT) {
-- __atomic_store_4((int32_t *)ptr, *(int32_t *)val, memorder);
-- } else if (type_size == ATOMIC_LONG) {
-- __atomic_store_8((uint64_t *)ptr, *(uint64_t *)val, memorder);
-- } else {
-- /* ATOMIC_GENERIC or unknown size */
-- __atomic_store((uint64_t *)&ptr, (uint64_t *)val, memorder);
-- }
-+ __atomic_store_4(ptr, val, memorder);
- #else
- PRInt32 *pr_ptr = (PRInt32 *)ptr;
-- PR_AtomicSet(pr_ptr, *(PRInt32 *)val);
-+ PR_AtomicSet(pr_ptr, (PRInt32)val);
- #endif
- }
-
--uint64_t
--slapi_atomic_load(void *ptr, int memorder, int type_size)
-+void
-+slapi_atomic_store_64(uint64_t *ptr, uint64_t val, int memorder)
- {
- #ifdef ATOMIC_64BIT_OPERATIONS
-- uint64_t ret;
-+ __atomic_store_8(ptr, val, memorder);
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ PR_AtomicSet(pr_ptr, (PRInt32)val);
-+#endif
-+}
-
-- if (type_size == ATOMIC_INT) {
-- return __atomic_load_4((int32_t *)ptr, memorder);
-- } else if (type_size == ATOMIC_LONG) {
-- return __atomic_load_8((uint64_t *)ptr, memorder);
-- } else {
-- /* ATOMIC_GENERIC or unknown size */
-- __atomic_load((uint64_t *)ptr, &ret, memorder);
-- return ret;
-- }
-+/*
-+ * atomic load functions (32bit and 64bit)
-+ */
-+int32_t
-+slapi_atomic_load_32(int32_t *ptr, int memorder)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ 
return __atomic_load_4(ptr, memorder);
- #else
- PRInt32 *pr_ptr = (PRInt32 *)ptr;
- return PR_AtomicAdd(pr_ptr, 0);
-@@ -349,17 +337,24 @@ slapi_atomic_load(void *ptr, int memorder, int type_size)
- }
-
- uint64_t
--slapi_atomic_incr(void *ptr, int memorder, int type_size)
-+slapi_atomic_load_64(uint64_t *ptr, int memorder)
- {
- #ifdef ATOMIC_64BIT_OPERATIONS
-- if (type_size == ATOMIC_INT) {
-- return __atomic_add_fetch_4((int32_t *)ptr, 1, memorder);
-- } else if (type_size == ATOMIC_LONG) {
-- return __atomic_add_fetch_8((uint64_t *)ptr, 1, memorder);
-- } else {
-- /* ATOMIC_GENERIC or unknown size */
-- return __atomic_add_fetch((uint64_t *)ptr, 1, memorder);
-- }
-+ return __atomic_load_8(ptr, memorder);
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ return PR_AtomicAdd(pr_ptr, 0);
-+#endif
-+}
-+
-+/*
-+ * atomic increment functions (32bit and 64bit)
-+ */
-+int32_t
-+slapi_atomic_incr_32(int32_t *ptr, int memorder)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ return __atomic_add_fetch_4(ptr, 1, memorder);
- #else
- PRInt32 *pr_ptr = (PRInt32 *)ptr;
- return PR_AtomicIncrement(pr_ptr);
-@@ -367,17 +362,35 @@ slapi_atomic_incr(void *ptr, int memorder, int type_size)
- }
-
- uint64_t
--slapi_atomic_decr(void *ptr, int memorder, int type_size)
-+slapi_atomic_incr_64(uint64_t *ptr, int memorder)
- {
- #ifdef ATOMIC_64BIT_OPERATIONS
-- if (type_size == ATOMIC_INT) {
-- return __atomic_sub_fetch_4((int32_t *)ptr, 1, memorder);
-- } else if (type_size == ATOMIC_LONG) {
-- return __atomic_sub_fetch_8((uint64_t *)ptr, 1, memorder);
-- } else {
-- /* ATOMIC_GENERIC or unknown size */
-- return __atomic_sub_fetch((uint64_t *)ptr, 1, memorder);
-- }
-+ return __atomic_add_fetch_8(ptr, 1, memorder);
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ return PR_AtomicIncrement(pr_ptr);
-+#endif
-+}
-+
-+/*
-+ * atomic decrement functions (32bit and 64bit)
-+ */
-+int32_t
-+slapi_atomic_decr_32(int32_t *ptr, int memorder)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ return 
__atomic_sub_fetch_4(ptr, 1, memorder);
-+#else
-+ PRInt32 *pr_ptr = (PRInt32 *)ptr;
-+ return PR_AtomicDecrement(pr_ptr);
-+#endif
-+}
-+
-+uint64_t
-+slapi_atomic_decr_64(uint64_t *ptr, int memorder)
-+{
-+#ifdef ATOMIC_64BIT_OPERATIONS
-+ return __atomic_sub_fetch_8(ptr, 1, memorder);
- #else
- PRInt32 *pr_ptr = (PRInt32 *)ptr;
- return PR_AtomicDecrement(pr_ptr);
---
-2.9.5
-
diff --git a/SOURCES/0002-Ticket-49385-Fix-coverity-warnings.patch b/SOURCES/0002-Ticket-49385-Fix-coverity-warnings.patch
deleted file mode 100644
index 64e030f..0000000
--- a/SOURCES/0002-Ticket-49385-Fix-coverity-warnings.patch
+++ /dev/null
@@ -1,286 +0,0 @@
-From 8308e20075adacfdf1827aaa3230e503207832bc Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 2 Oct 2017 09:33:29 -0400
-Subject: [PATCH] Ticket 49385 - Fix coverity warnings
-
-Description: This fixes coverity issues found from RHEL build of 1.3.7
-
-https://pagure.io/389-ds-base/issue/49385
-
-Reviewed by: lkrispenz(Thanks!)
-
-(cherry picked from commit 805e8f4d3016eb9c7906c1416482047a234d51ba)
----
- ldap/servers/plugins/http/http_impl.c | 1 +
- ldap/servers/plugins/replication/urp.c | 10 ++++++----
- ldap/servers/plugins/syntaxes/string.c | 1 +
- ldap/servers/slapd/back-ldbm/dbversion.c | 2 +-
- ldap/servers/slapd/back-ldbm/index.c | 1 +
- ldap/servers/slapd/conntable.c | 2 +-
- ldap/servers/slapd/modify.c | 1 +
- ldap/servers/slapd/plugin.c | 3 ++-
- ldap/servers/slapd/referral.c | 18 +++++++++---------
- ldap/servers/slapd/task.c | 8 ++++++--
- ldap/servers/snmp/main.c | 13 +++++++++++--
- 11 files changed, 40 insertions(+), 20 deletions(-)
-
-diff --git a/ldap/servers/plugins/http/http_impl.c b/ldap/servers/plugins/http/http_impl.c
-index d8bbe38..350c839 100644
---- a/ldap/servers/plugins/http/http_impl.c
-+++ b/ldap/servers/plugins/http/http_impl.c
-@@ -601,6 +601,7 @@ sendPostReq(PRFileDesc *fd, const char *path, httpheader **httpheaderArray, char
- if (path) {
- path_len = strlen(path);
- } else {
-+ path = "";
- path_len = 0;
- }
-
-diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c
-index 3d63c64..9534c03 100644
---- a/ldap/servers/plugins/replication/urp.c
-+++ b/ldap/servers/plugins/replication/urp.c
-@@ -856,7 +856,7 @@ urp_post_delete_operation(Slapi_PBlock *pb)
- static int
- urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
- {
-- Slapi_PBlock *add_pb = slapi_pblock_new();
-+ Slapi_PBlock *add_pb;
- Slapi_Entry *cenotaph = NULL;
- Slapi_Entry *pre_entry = NULL;
- int ret = 0;
-@@ -886,6 +886,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, 
CSN *opcsn)
- slapi_rdn_remove_attr (rdn, SLAPI_ATTR_UNIQUEID );
- slapi_rdn_add(rdn, "cenotaphID", uniqueid);
- newdn = slapi_ch_smprintf("%s,%s", slapi_rdn_get_rdn(rdn), parentdn);
-+ slapi_rdn_free(&rdn);
- slapi_ch_free_string(&parentdn);
- /* slapi_sdn_free(&pre_sdn); */
-
-@@ -902,6 +903,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
-
- slapi_log_err(SLAPI_LOG_REPL, sessionid,
- "urp_fixup_add_cenotaph - addinng cenotaph: %s \n", newdn);
-+ add_pb = slapi_pblock_new();
- slapi_pblock_init(add_pb);
-
- slapi_add_entry_internal_set_pb(add_pb,
-@@ -1661,8 +1663,8 @@ urp_conflict_to_glue (char *sessionid, const Slapi_Entry *entry, Slapi_DN *paren
- "urp_conflict_to_glue failed(%d) - %s --> %s\n", op_result, basedn, newrdn);
- rc = 1;
- }
-- slapi_ch_free ( (void**)&newrdn );
- }
-+ slapi_rdn_free(&parentrdn);
- return rc;
- }
- /*
-@@ -2166,11 +2168,11 @@ mod_objectclass_attr(const char *uniqueid, const Slapi_DN *entrysdn, const Slapi
- {
- Slapi_Mods smods;
- int op_result;
-- char csnstr[CSN_STRSIZE+1];
-+ char csnstr[CSN_STRSIZE+1] = {0};
-
- slapi_mods_init(&smods, 3);
- slapi_mods_add(&smods, LDAP_MOD_ADD, "objectclass", strlen("ldapsubentry"),"ldapsubentry");
-- slapi_mods_add(&smods, LDAP_MOD_REPLACE, "conflictcsn", strlen(csnstr),csn_as_string(opcsn, PR_FALSE, csnstr));
-+ slapi_mods_add(&smods, LDAP_MOD_REPLACE, "conflictcsn", CSN_STRSIZE, csn_as_string(opcsn, PR_FALSE, csnstr));
- op_result = urp_fixup_modify_entry(uniqueid, entrysdn, opcsn, &smods, 0);
- slapi_mods_done(&smods);
- if (op_result == LDAP_TYPE_OR_VALUE_EXISTS) {
-diff --git a/ldap/servers/plugins/syntaxes/string.c b/ldap/servers/plugins/syntaxes/string.c
-index f50dc13..e05ca7f 100644
---- a/ldap/servers/plugins/syntaxes/string.c
-+++ b/ldap/servers/plugins/syntaxes/string.c
-@@ -391,6 +391,7 @@ bailout:
- if (free_re) {
- slapi_re_free(re);
- }
-+ slapi_ch_free_string(&alt);
- slapi_ch_free((void **)&tmpbuf); /* NULL is fine */
- slapi_ch_free((void 
**)&bigpat); /* NULL is fine */
-
-diff --git a/ldap/servers/slapd/back-ldbm/dbversion.c b/ldap/servers/slapd/back-ldbm/dbversion.c
-index 01f86f4..5a77abd 100644
---- a/ldap/servers/slapd/back-ldbm/dbversion.c
-+++ b/ldap/servers/slapd/back-ldbm/dbversion.c
-@@ -159,7 +159,7 @@ dbversion_read(struct ldbminfo *li, const char *directory, char **ldbmversion, c
- }
- (void)PR_Close(prfd);
-
-- if (*dataversion == NULL) {
-+ if (dataversion == NULL || *dataversion == NULL) {
- slapi_log_err(SLAPI_LOG_DEBUG, "dbversion_read", "dataversion not present in \"%s\"\n", filename);
- }
- if (*ldbmversion == NULL) {
-diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
-index 798480e..58b11ed 100644
---- a/ldap/servers/slapd/back-ldbm/index.c
-+++ b/ldap/servers/slapd/back-ldbm/index.c
-@@ -1063,6 +1063,7 @@ index_read_ext_allids(
- /* The database might not exist. We have to assume it means empty set */
- slapi_log_err(SLAPI_LOG_TRACE, "index_read_ext_allids", "Failed to access idl index for %s\n", basetype);
- slapi_log_err(SLAPI_LOG_TRACE, "index_read_ext_allids", "Assuming %s has no index values\n", basetype);
-+ idl_free(&idl);
- idl = idl_alloc(0);
- break;
- } else {
-diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c
-index c04ca0f..7c57b47 100644
---- a/ldap/servers/slapd/conntable.c
-+++ b/ldap/servers/slapd/conntable.c
-@@ -347,7 +347,7 @@ connection_table_as_entry(Connection_Table *ct, Slapi_Entry *e)
-
- PR_EnterMonitor(ct->c[i].c_mutex);
- if (ct->c[i].c_sd != SLAPD_INVALID_SOCKET) {
-- char buf2[20];
-+ char buf2[SLAPI_TIMESTAMP_BUFSIZE+1];
- size_t lendn = ct->c[i].c_dn ? strlen(ct->c[i].c_dn) : 6; /* "NULLDN" */
- size_t lenip = ct->c[i].c_ipaddr ? 
strlen(ct->c[i].c_ipaddr) : 0;
- size_t lenconn = 1;
-diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index 4b5a676..6309975 100644
---- a/ldap/servers/slapd/modify.c
-+++ b/ldap/servers/slapd/modify.c
-@@ -923,6 +923,7 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
- if (pw_encodevals_ext(pb, sdn, va)) {
- slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
- send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
-+ valuearray_free(&va);
- goto free_and_return;
- }
-
-diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
-index f47ff9b..e02133a 100644
---- a/ldap/servers/slapd/plugin.c
-+++ b/ldap/servers/slapd/plugin.c
-@@ -4242,7 +4242,7 @@ bail:
- int
- slapi_set_plugin_default_config(const char *type, Slapi_Value *value)
- {
-- Slapi_PBlock *pb = slapi_pblock_new();
-+ Slapi_PBlock *pb;
- Slapi_Entry **entries = NULL;
- int rc = LDAP_SUCCESS;
- char **search_attrs = NULL; /* used by search */
-@@ -4251,6 +4251,7 @@ slapi_set_plugin_default_config(const char *type, Slapi_Value *value)
- return rc;
- }
-
-+ pb = slapi_pblock_new();
- charray_add(&search_attrs, slapi_ch_strdup(type));
-
- /* cn=plugin default config,cn=config */
-diff --git a/ldap/servers/slapd/referral.c b/ldap/servers/slapd/referral.c
-index c5d9ffc..5935820 100644
---- a/ldap/servers/slapd/referral.c
-+++ b/ldap/servers/slapd/referral.c
-@@ -153,7 +153,7 @@ referrals_free(void)
- struct berval **
- ref_adjust(Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn, int is_reference)
- {
-- int i, len, scope;
-+ int i, len, scope = 0;
- Slapi_DN *sdn = NULL;
- char *p, *opdn_norm;
- struct berval **urlscopy;
-@@ -195,9 +195,9 @@ ref_adjust(Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn, int i
-
- for (i = 0; urls[i] != NULL; ++i) {
- /*
-- * duplicate the URL, 
stripping off the label if there is one and
-- * leaving extra room for "??base" in case we need to append that.
-- */
-+ * duplicate the URL, stripping off the label if there is one and
-+ * leaving extra room for "??base" in case we need to append that.
-+ */
- urlscopy[i] = (struct berval *)slapi_ch_malloc(
- sizeof(struct berval));
- if ((p = strchr(urls[i]->bv_val, ' ')) == NULL) {
-@@ -210,16 +210,16 @@ ref_adjust(Slapi_PBlock *pb, struct berval **urls, const Slapi_DN *refsdn, int i
- urlscopy[i]->bv_val[len] = '\0';
-
- /*
-- * adjust the baseDN as needed and set the length
-- */
-+ * adjust the baseDN as needed and set the length
-+ */
- adjust_referral_basedn(&urlscopy[i]->bv_val, refsdn,
- opdn_norm, is_reference);
- urlscopy[i]->bv_len = strlen(urlscopy[i]->bv_val);
-
- /*
-- * if we are dealing with a continuation reference that resulted
-- * from a one-level search, add a scope of base to the URL.
-- */
-+ * if we are dealing with a continuation reference that resulted
-+ * from a one-level search, add a scope of base to the URL.
-+ */
- if (is_reference && operation_get_type(op) == SLAPI_OPERATION_SEARCH &&
- scope == LDAP_SCOPE_ONELEVEL) {
- strcat(urlscopy[i]->bv_val, "??base");
-diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
-index f3d02d9..53a0af5 100644
---- a/ldap/servers/slapd/task.c
-+++ b/ldap/servers/slapd/task.c
-@@ -278,6 +278,10 @@ slapi_task_log_notice(Slapi_Task *task, char *format, ...)
- char buffer[LOG_BUFFER];
- size_t len;
-
-+ if (task == NULL) {
-+ return;
-+ }
-+
- va_start(ap, format);
- PR_vsnprintf(buffer, LOG_BUFFER, format, ap);
- va_end(ap);
-@@ -1089,11 +1093,11 @@ task_export_thread(void *arg)
- slapi_pblock_get(pb, SLAPI_BACKEND_TASK, &task);
-
- g_incr_active_threadcnt();
-- for (count = 0, inp = instance_names; *inp; inp++, count++)
-+ for (count = 0, inp = instance_names; inp && *inp; inp++, count++)
- ;
- slapi_task_begin(task, count);
-
-- for (inp = instance_names; *inp; inp++) {
-+ for (inp = instance_names; inp && *inp; inp++) {
- int release_me = 0;
- /* lookup the backend */
- be = slapi_be_select_by_instance_name((const char *)*inp);
-diff --git a/ldap/servers/snmp/main.c b/ldap/servers/snmp/main.c
-index 8477831..5bd318d 100644
---- a/ldap/servers/snmp/main.c
-+++ b/ldap/servers/snmp/main.c
-@@ -21,6 +21,7 @@
- #include "ldap.h"
- #include "ldif.h"
- #include
-+#include
-
- static char *agentx_master = NULL;
- static char *agent_logdir = NULL;
-@@ -54,9 +55,17 @@ main(int argc, char *argv[])
- {
- char *s = getenv("DEBUG_SLEEP");
- if ((s != NULL) && isdigit(*s)) {
-- int secs = atoi(s);
-+ char *endp = NULL;
-+ long secs;
-+ errno = 0;
-+
- printf("%s pid is %d\n", argv[0], getpid());
-- sleep(secs);
-+ secs = strtol(s, &endp, 10);
-+ if (*endp != '\0' || errno == ERANGE) {
-+ sleep(10);
-+ } else {
-+ sleep(secs);
-+ }
- }
- }
-
---
-2.9.5
-
diff --git a/SOURCES/0002-Ticket-49546-Fix-issues-with-MIB-file.patch b/SOURCES/0002-Ticket-49546-Fix-issues-with-MIB-file.patch
new file mode 100644
index 0000000..620cd85
--- /dev/null
+++ b/SOURCES/0002-Ticket-49546-Fix-issues-with-MIB-file.patch
@@ -0,0 +1,178 @@ +From 9f1bbff43c3e6ec01e60d35082b21b83a8795dc2 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Thu, 12 Jul 2018 10:48:11 -0400 +Subject: [PATCH] Ticket 49546 - Fix issues with MIB file + +Description: Change dsMaxThreadsHit to dsMaxThreadsHits, and set the + proper object type for dsIntIndex + +https://pagure.io/389-ds-base/issue/49546 + +Reviewed by: spichugi & firstyear(Thanks!!) + +(cherry picked from commit 6d4caac04be4223971de54d292db82734f6d6a44) +--- + ldap/servers/slapd/agtmmap.c | 2 +- + ldap/servers/slapd/agtmmap.h | 2 +- + ldap/servers/slapd/connection.c | 2 +- + ldap/servers/slapd/slap.h | 2 +- + ldap/servers/slapd/snmp_collator.c | 6 +++--- + ldap/servers/snmp/ldap-agent.c | 4 ++-- + ldap/servers/snmp/ldap-agent.h | 2 +- + ldap/servers/snmp/redhat-directory.mib | 8 ++++---- + 8 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/ldap/servers/slapd/agtmmap.c b/ldap/servers/slapd/agtmmap.c +index fbc730db6..352ccefda 100644 +--- a/ldap/servers/slapd/agtmmap.c ++++ b/ldap/servers/slapd/agtmmap.c +@@ -298,7 +298,7 @@ agt_mread_stats(int hdl, struct hdr_stats_t *pHdrInfo, struct ops_stats_t *pDsOp + pDsOpsTbl->dsErrors = pfile_stats->ops_stats.dsErrors; + pDsOpsTbl->dsConnections = pfile_stats->ops_stats.dsConnections; + pDsOpsTbl->dsConnectionsInMaxThreads = pfile_stats->ops_stats.dsConnectionsInMaxThreads; +- pDsOpsTbl->dsMaxThreadsHit = pfile_stats->ops_stats.dsMaxThreadsHit; ++ pDsOpsTbl->dsMaxThreadsHits = pfile_stats->ops_stats.dsMaxThreadsHits; + } + + if (pDsEntTbl != NULL) { +diff --git a/ldap/servers/slapd/agtmmap.h b/ldap/servers/slapd/agtmmap.h +index 2397dad3c..fb27ab2c4 100644 +--- a/ldap/servers/slapd/agtmmap.h ++++ b/ldap/servers/slapd/agtmmap.h +@@ -102,7 +102,7 @@ struct ops_stats_t + uint64_t dsErrors; + uint64_t dsConnections; /* Number of currently connected clients */ + uint64_t dsConnectionSeq; /* Monotonically increasing number bumped on each new conn est */ +- uint64_t dsMaxThreadsHit; /* Number 
of times a connection hit max threads */ ++ uint64_t dsMaxThreadsHits; /* Number of times a connection hit max threads */ + uint64_t dsConnectionsInMaxThreads; /* current number of connections that are in max threads */ + uint64_t dsBytesRecv; /* Count of bytes read from clients */ + uint64_t dsBytesSent; /* Count of bytes sent to clients */ +diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c +index 1dbb49f06..188383b97 100644 +--- a/ldap/servers/slapd/connection.c ++++ b/ldap/servers/slapd/connection.c +@@ -1911,7 +1911,7 @@ connection_activity(Connection *conn, int maxthreads) + slapi_counter_increment(max_threads_count); + slapi_counter_increment(conns_in_maxthreads); + slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsConnectionsInMaxThreads); +- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHit); ++ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHits); + } + op_stack_obj = connection_get_operation(); + connection_add_operation(conn, op_stack_obj->op); +diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h +index eb97cdcc4..a02792648 100644 +--- a/ldap/servers/slapd/slap.h ++++ b/ldap/servers/slapd/slap.h +@@ -1889,7 +1889,7 @@ struct snmp_ops_tbl_t + Slapi_Counter *dsBytesSent; /* Count of bytes sent to clients */ + Slapi_Counter *dsEntriesReturned; + Slapi_Counter *dsReferralsReturned; +- Slapi_Counter *dsMaxThreadsHit; ++ Slapi_Counter *dsMaxThreadsHits; + Slapi_Counter *dsConnectionsInMaxThreads; + }; + +diff --git a/ldap/servers/slapd/snmp_collator.c b/ldap/servers/slapd/snmp_collator.c +index d56379466..1da7ccbb2 100644 +--- a/ldap/servers/slapd/snmp_collator.c ++++ b/ldap/servers/slapd/snmp_collator.c +@@ -122,7 +122,7 @@ snmp_collator_init(void) + g_get_global_snmp_vars()->ops_tbl.dsEntriesReturned = slapi_counter_new(); + g_get_global_snmp_vars()->ops_tbl.dsReferralsReturned = slapi_counter_new(); + 
g_get_global_snmp_vars()->ops_tbl.dsConnectionsInMaxThreads = slapi_counter_new(); +- g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHit = slapi_counter_new(); ++ g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHits = slapi_counter_new(); + g_get_global_snmp_vars()->entries_tbl.dsMasterEntries = slapi_counter_new(); + g_get_global_snmp_vars()->entries_tbl.dsCopyEntries = slapi_counter_new(); + g_get_global_snmp_vars()->entries_tbl.dsCacheEntries = slapi_counter_new(); +@@ -592,7 +592,7 @@ snmp_update_ops_table(void) + stats->ops_stats.dsConnections = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnections); + stats->ops_stats.dsConnectionSeq = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnectionSeq); + stats->ops_stats.dsConnectionsInMaxThreads = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnectionsInMaxThreads); +- stats->ops_stats.dsMaxThreadsHit = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHit); ++ stats->ops_stats.dsMaxThreadsHits = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHits); + stats->ops_stats.dsBytesRecv = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsBytesRecv); + stats->ops_stats.dsBytesSent = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsBytesSent); + stats->ops_stats.dsEntriesReturned = slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsEntriesReturned); +@@ -738,7 +738,7 @@ snmp_as_entry(Slapi_Entry *e) + add_counter_to_value(e, "Connections", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnections)); + add_counter_to_value(e, "ConnectionSeq", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnectionSeq)); + add_counter_to_value(e, "ConnectionsInMaxThreads", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsConnectionsInMaxThreads)); +- add_counter_to_value(e, "ConnectionsMaxThreadsCount", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHit)); ++ 
add_counter_to_value(e, "ConnectionsMaxThreadsCount", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsMaxThreadsHits)); + add_counter_to_value(e, "BytesRecv", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsBytesRecv)); + add_counter_to_value(e, "BytesSent", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsBytesSent)); + add_counter_to_value(e, "EntriesReturned", slapi_counter_get_value(g_get_global_snmp_vars()->ops_tbl.dsEntriesReturned)); +diff --git a/ldap/servers/snmp/ldap-agent.c b/ldap/servers/snmp/ldap-agent.c +index 4393a8956..bd9b8dd9b 100644 +--- a/ldap/servers/snmp/ldap-agent.c ++++ b/ldap/servers/snmp/ldap-agent.c +@@ -496,8 +496,8 @@ dsOpsTable_get_value(netsnmp_request_info *request, + the_stat = &context->ops_tbl.dsConnectionsInMaxThreads; + break; + +- case COLUMN_DSMAXTHREADSHIT: +- the_stat = &context->ops_tbl.dsMaxThreadsHit; ++ case COLUMN_DSMAXTHREADSHITS: ++ the_stat = &context->ops_tbl.dsMaxThreadsHits; + break; + + default: /* We shouldn't get here */ +diff --git a/ldap/servers/snmp/ldap-agent.h b/ldap/servers/snmp/ldap-agent.h +index 935d3a611..c98e467dd 100644 +--- a/ldap/servers/snmp/ldap-agent.h ++++ b/ldap/servers/snmp/ldap-agent.h +@@ -161,7 +161,7 @@ extern size_t snmptrap_oid_len; + #define COLUMN_DSERRORS 20 + #define COLUMN_DSCONNECTIONS 21 + #define COLUMN_DSCONNECTIONSINMAXTHREADS 22 +-#define COLUMN_DSMAXTHREADSHIT 23 ++#define COLUMN_DSMAXTHREADSHITS 23 + #define dsOpsTable_COL_MIN 1 + #define dsOpsTable_COL_MAX 23 + +diff --git a/ldap/servers/snmp/redhat-directory.mib b/ldap/servers/snmp/redhat-directory.mib +index c8608972e..579be8ee4 100644 +--- a/ldap/servers/snmp/redhat-directory.mib ++++ b/ldap/servers/snmp/redhat-directory.mib +@@ -87,7 +87,7 @@ RHDS-MIB DEFINITIONS ::= BEGIN + dsErrors, + dsConnections, + dsConnectionsInMaxThreads, +- dsMaxThreadsHit, ++ dsMaxThreadsHits, + dsMasterEntries, + dsCopyEntries, + dsCacheEntries, +@@ -190,7 +190,7 @@ RHDS-MIB DEFINITIONS ::= BEGIN + 
Counter64, + dsConnectionsInMaxThreads + Counter64, +- dsMaxThreadsHit ++ dsMaxThreadsHits + Counter64 + + } +@@ -472,7 +472,7 @@ RHDS-MIB DEFINITIONS ::= BEGIN + "Redhat defined 1.2." + ::= { dsOpsEntry 22 } + +- dsMaxThreadsHit OBJECT-TYPE ++ dsMaxThreadsHits OBJECT-TYPE + SYNTAX Counter64 + MAX-ACCESS read-only + STATUS current +@@ -596,7 +596,7 @@ RHDS-MIB DEFINITIONS ::= BEGIN + + DsIntEntry ::= SEQUENCE { + dsIntIndex +- INTEGER, ++ Integer32, + dsName + DistinguishedName, + dsTimeOfCreation +-- +2.17.1 + diff --git a/SOURCES/0003-Ticket-49180-errors-log-filled-with-attrlist_replace.patch b/SOURCES/0003-Ticket-49180-errors-log-filled-with-attrlist_replace.patch deleted file mode 100644 index 2be7aa7..0000000 --- a/SOURCES/0003-Ticket-49180-errors-log-filled-with-attrlist_replace.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 62fbb3423b26426e735e134134ab710945514ca6 Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Tue, 26 Sep 2017 15:51:41 +0200 -Subject: [PATCH] Ticket: 49180 - errors log filled with attrlist_replace - - attr_replace - -Bug: If a RUV contains the same URL with different replica IDs the created referrals contain duplicates - -Fix: check duplicate referrals - -Reviewed by: Mark, thanks ---- - ldap/servers/plugins/replication/repl5_ruv.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/ldap/servers/plugins/replication/repl5_ruv.c b/ldap/servers/plugins/replication/repl5_ruv.c -index 40dc0928b..7bfdc3425 100644 ---- a/ldap/servers/plugins/replication/repl5_ruv.c -+++ b/ldap/servers/plugins/replication/repl5_ruv.c -@@ -1386,7 +1386,17 @@ ruv_replica_count(const RUV *ruv) - * Extract all the referral URL's from the RUV (but self URL), - * returning them in an array of strings, that - * the caller must free. -+ * We also check and remove duplicates (caused by unclean RUVs) - */ -+static int -+ruv_referral_exists(unsigned char *purl, char **refs, int count) -+{ -+ for (size_t j=0; jreplica_purl != NULL) && - (slapi_utf8casecmp((unsigned char *)replica->replica_purl, -- (unsigned char *)mypurl) != 0)) { -+ (unsigned char *)mypurl) != 0) && -+ !ruv_referral_exists((unsigned char *)replica->replica_purl, r, i)) { - r[i] = slapi_ch_strdup(replica->replica_purl); - i++; - } --- -2.13.6 - diff --git a/SOURCES/0003-Ticket-49840-ds-replcheck-command-returns-traceback-.patch b/SOURCES/0003-Ticket-49840-ds-replcheck-command-returns-traceback-.patch new file mode 100644 index 0000000..d163168 --- /dev/null +++ b/SOURCES/0003-Ticket-49840-ds-replcheck-command-returns-traceback-.patch 
@@ -0,0 +1,149 @@ +From 6361810037bc32c22e3e00a16bc53b34d0b0d610 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 9 Jul 2018 15:50:09 -0400 +Subject: [PATCH] Ticket 49840 - ds-replcheck command returns traceback errors + against ldif files having garbage content when run in offline mode + +Description: Added a basic check to see if the LDIF files are actually + LDIF files. Also added checks that the database RUV are + present as well. + +https://pagure.io/389-ds-base/issue/49840 + +Reviewed by: spichugi(Thanks!) + +(cherry picked from commit 60cb52040704686d9541a2e2eb2765d86cb10af2) +--- + ldap/admin/src/scripts/ds-replcheck | 53 +++++++++++++++++++++++------ + 1 file changed, 43 insertions(+), 10 deletions(-) + +diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck +index 62f911034..5c195f983 100755 +--- a/ldap/admin/src/scripts/ds-replcheck ++++ b/ldap/admin/src/scripts/ds-replcheck +@@ -10,18 +10,19 @@ + # + + import os ++import sys + import re + import time + import ldap + import ldapurl + import argparse + import getpass +- ++from ldif import LDIFRecordList + from ldap.ldapobject import SimpleLDAPObject + from ldap.cidict import cidict + from ldap.controls import SimplePagedResultsControl + +-VERSION = "1.3" ++VERSION = "1.4" + RUV_FILTER = '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' + LDAP = 'ldap' + LDAPS = 'ldaps' +@@ -386,14 +387,17 @@ def ldif_search(LDIF, dn): + return result + + +-def get_dns(LDIF, opts): ++def get_dns(LDIF, filename, opts): + ''' Get all the DN's from an LDIF file + ''' + dns = [] + found = False ++ found_ruv = False ++ LDIF.seek(0) + for line in LDIF: + if line.startswith('dn: ') and line[4:].startswith('nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff'): + opts['ruv_dn'] = line[4:].lower().strip() ++ found_ruv = True + elif line.startswith('dn: '): + found = True + dn = line[4:].lower().strip() +@@ -407,6 +411,14 @@ def get_dns(LDIF, opts): + found = False + 
dns.append(dn) + ++ if not found_ruv: ++ print('Failed to find the database RUV in the LDIF file: ' + filename + ', the LDIF ' + ++ 'file must contain replication state information.') ++ dns = None ++ else: ++ # All good, reset cursor ++ LDIF.seek(0) ++ + return dns + + +@@ -415,6 +427,7 @@ def get_ldif_ruv(LDIF, opts): + ''' + LDIF.seek(0) + result = ldif_search(LDIF, opts['ruv_dn']) ++ LDIF.seek(0) # Reset cursor + return result['entry'].data['nsds50ruv'] + + +@@ -549,6 +562,7 @@ def do_offline_report(opts, output_file=None): + rconflicts = [] + rtombstones = 0 + mtombstones = 0 ++ idx = 0 + + # Open LDIF files + try: +@@ -561,12 +575,36 @@ def do_offline_report(opts, output_file=None): + RLDIF = open(opts['rldif'], "r") + except Exception as e: + print('Failed to open Replica LDIF: ' + str(e)) ++ MLDIF.close() ++ return None ++ ++ # Verify LDIF Files ++ try: ++ print("Validating Master ldif file ({})...".format(opts['mldif'])) ++ LDIFRecordList(MLDIF).parse() ++ except ValueError: ++ print('Master LDIF file in invalid, aborting...') ++ MLDIF.close() ++ RLDIF.close() ++ return None ++ try: ++ print("Validating Replica ldif file ({})...".format(opts['rldif'])) ++ LDIFRecordList(RLDIF).parse() ++ except ValueError: ++ print('Replica LDIF file is invalid, aborting...') ++ MLDIF.close() ++ RLDIF.close() + return None + + # Get all the dn's, and entry counts + print ("Gathering all the DN's...") +- master_dns = get_dns(MLDIF, opts) +- replica_dns = get_dns(RLDIF, opts) ++ master_dns = get_dns(MLDIF, opts['mldif'], opts) ++ replica_dns = get_dns(RLDIF, opts['rldif'], opts) ++ if master_dns is None or replica_dns is None: ++ print("Aborting scan...") ++ MLDIF.close() ++ RLDIF.close() ++ sys.exit(1) + m_count = len(master_dns) + r_count = len(replica_dns) + +@@ -575,11 +613,6 @@ def do_offline_report(opts, output_file=None): + opts['master_ruv'] = get_ldif_ruv(MLDIF, opts) + opts['replica_ruv'] = get_ldif_ruv(RLDIF, opts) + +- # Reset the cursors +- idx = 0 +- 
MLDIF.seek(idx) +- RLDIF.seek(idx) +- + """ Compare the master entries with the replica's. Take our list of dn's from + the master ldif and get that entry( dn) from the master and replica ldif. In + this phase we keep keep track of conflict/tombstone counts, and we check for +-- +2.17.1 + diff --git a/SOURCES/0004-Ticket-49388-repl-monitor-matches-null-string-many-t.patch b/SOURCES/0004-Ticket-49388-repl-monitor-matches-null-string-many-t.patch deleted file mode 100644 index 2af9083..0000000 --- a/SOURCES/0004-Ticket-49388-repl-monitor-matches-null-string-many-t.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 80631ee86fa951f18ed25f61ca72734931eb5387 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Mon, 2 Oct 2017 16:19:47 -0400 -Subject: [PATCH] Ticket 49388 - repl-monitor - matches null string many times - in regex - -Bug Description: When using a wildcard(*) for the hostname, some of the - regex's for parsing the various configurations throws - out warnings. - -Fix Description: When a wildcard is detected reset the hostnode variable - to nothing. - -https://pagure.io/389-ds-base/issue/49388 - -Reviewed by: firstyear(Thanks!) - -(cherry picked from commit 4b41a02484db645a593b9d6ac6c4e062dd374395) ---- - ldap/admin/src/scripts/repl-monitor.pl.in | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/ldap/admin/src/scripts/repl-monitor.pl.in b/ldap/admin/src/scripts/repl-monitor.pl.in -index a3efa8e6e..97c1462a5 100755 ---- a/ldap/admin/src/scripts/repl-monitor.pl.in -+++ b/ldap/admin/src/scripts/repl-monitor.pl.in -@@ -1053,6 +1053,10 @@ sub add_server - # Remove the domain name from the host name - my ($hostnode) = $host; - $hostnode = $1 if $host =~ /^(.+?)\./; -+ if ($hostnode eq "*") { -+ # handle wild card correctly for regex -+ $hostnode = ""; -+ } - - # new host:port - if (!$binddn || $binddn eq "" || $binddn eq "*" || --- -2.13.6 - 
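Review bot: The two new validation steps in do_offline_report call `LDIFRecordList(MLDIF).parse()`, which keeps every parsed record in memory only to throw the list away, so checking two large exports costs roughly their combined size in RAM before the comparison starts. The base parser performs the same syntax check without storing records: `from ldif import LDIFParser`, then `LDIFParser(MLDIF).parse()` and `LDIFParser(RLDIF).parse()`. The failure paths are also inconsistent: an invalid file returns None while a missing RUV calls `sys.exit(1)`, and the first message reads 'Master LDIF file in invalid'. do_offline_report continues outside the hunk, so how the caller handles a None return is not visible here.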
diff --git a/SOURCES/0004-Ticket-49893-disable-nunc-stans-by-default.patch b/SOURCES/0004-Ticket-49893-disable-nunc-stans-by-default.patch
new file mode 100644
index 0000000..4044649
--- /dev/null
+++ b/SOURCES/0004-Ticket-49893-disable-nunc-stans-by-default.patch
@@ -0,0 +1,32 @@
+From 83949e7e4f3370f48ea5c5fabdb9af04e3d11c75 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Wed, 8 Aug 2018 17:19:27 -0400
+Subject: [PATCH] Ticket 49893 - disable nunc-stans by default
+
+Description: Until nunc-stans is stablized we need to disable it
+
+https://pagure.io/389-ds-base/issue/49893
+
+Reviewed by: ?
+
+(cherry picked from commit 2f2d3b1d7e7d847de1bb9ddf2f63e71dbc90f710)
+---
+ ldap/servers/slapd/libglobs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
+index 12f6ec396..56b67b79b 100644
+--- a/ldap/servers/slapd/libglobs.c
++++ b/ldap/servers/slapd/libglobs.c
+@@ -1683,7 +1683,7 @@ FrontendConfig_init(void)
+ cfg->maxbersize = SLAPD_DEFAULT_MAXBERSIZE;
+ cfg->logging_backend = slapi_ch_strdup(SLAPD_INIT_LOGGING_BACKEND_INTERNAL);
+ cfg->rootdn = slapi_ch_strdup(SLAPD_DEFAULT_DIRECTORY_MANAGER);
+- init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_ON;
++ init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_OFF;
+ #if defined(LINUX)
+ init_malloc_mxfast = cfg->malloc_mxfast = DEFAULT_MALLOC_UNSET;
+ init_malloc_trim_threshold = cfg->malloc_trim_threshold = DEFAULT_MALLOC_UNSET;
+--
+2.17.1
+
diff --git a/SOURCES/0005-Ticket-49389-unable-to-retrieve-specific-cosAttribut.patch b/SOURCES/0005-Ticket-49389-unable-to-retrieve-specific-cosAttribut.patch
deleted file mode 100644
index bdd9627..0000000
--- a/SOURCES/0005-Ticket-49389-unable-to-retrieve-specific-cosAttribut.patch
+++ /dev/null
@@ -1,257 +0,0 @@ -From bb2d74ebe9d725b47e35893a2d8c8bd713d6dd4b Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 3 Oct 2017 17:22:37 -0400 -Subject: [PATCH] Ticket 49389 - unable to retrieve specific cosAttribute when - subtree password policy is configured - -Bug Description: If indirect cos is being used and a subtree password - policy is added, th orignal COS attributes aren't always - returned. The issue is that when the subtree password - policy attribute was encountered during the virtual - attribute processing it set a flag that said the attribute - was operational (which is correct for the password policy - attr: pwdpolicysubentry). - - However, this flag was accidentally carried over to the - following virtual attributes that were being processed. - Which caused those attributes to be seen as operational - which is why it was no longer being returned to the client. - -Fix Description: Reset the prop flags before processing the next COS attribute - -https://pagure.io/389-ds-base/issue/49389 - -Reviewed by: firstyear(Thanks!) 
- -(cherry picked from commit 0953e6011368bc29300990e9493ac13e5aba9586) ---- - dirsrvtests/tests/suites/cos/__init__.py | 0 - dirsrvtests/tests/suites/cos/indirect_cos_test.py | 191 ++++++++++++++++++++++ - ldap/servers/plugins/cos/cos_cache.c | 2 +- - 3 files changed, 192 insertions(+), 1 deletion(-) - create mode 100644 dirsrvtests/tests/suites/cos/__init__.py - create mode 100644 dirsrvtests/tests/suites/cos/indirect_cos_test.py - -diff --git a/dirsrvtests/tests/suites/cos/__init__.py b/dirsrvtests/tests/suites/cos/__init__.py -new file mode 100644 -index 000000000..e69de29bb -diff --git a/dirsrvtests/tests/suites/cos/indirect_cos_test.py b/dirsrvtests/tests/suites/cos/indirect_cos_test.py -new file mode 100644 -index 000000000..1aac6b8ed ---- /dev/null -+++ b/dirsrvtests/tests/suites/cos/indirect_cos_test.py -@@ -0,0 +1,191 @@ -+import logging -+import pytest -+import os -+import ldap -+import time -+import subprocess -+ -+from lib389 import Entry -+from lib389.idm.user import UserAccounts -+from lib389.topologies import topology_st as topo -+from lib389._constants import (DEFAULT_SUFFIX, DN_DM, PASSWORD, HOST_STANDALONE, -+ SERVERID_STANDALONE, PORT_STANDALONE) -+ -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+TEST_USER_DN = "uid=test_user,ou=people,dc=example,dc=com" -+OU_PEOPLE = 'ou=people,{}'.format(DEFAULT_SUFFIX) -+ -+PW_POLICY_CONT_PEOPLE = 'cn="cn=nsPwPolicyEntry,' \ -+ 'ou=people,dc=example,dc=com",' \ -+ 'cn=nsPwPolicyContainer,ou=people,dc=example,dc=com' -+ -+PW_POLICY_CONT_PEOPLE2 = 'cn="cn=nsPwPolicyEntry,' \ -+ 'dc=example,dc=com",' \ -+ 'cn=nsPwPolicyContainerdc=example,dc=com' -+ -+ -+def check_user(inst): -+ """Search the test user and make sure it has the execpted attrs -+ """ -+ try: -+ entries = inst.search_s('dc=example,dc=com', ldap.SCOPE_SUBTREE, 
"uid=test_user") -+ log.debug('user: \n' + str(entries[0])) -+ assert entries[0].hasAttr('ou'), "Entry is missing ou cos attribute" -+ assert entries[0].hasAttr('x-department'), "Entry is missing description cos attribute" -+ assert entries[0].hasAttr('x-en-ou'), "Entry is missing givenname cos attribute" -+ except ldap.LDAPError as e: -+ log.fatal('Failed to search for user: ' + str(e)) -+ raise e -+ -+ -+def setup_subtree_policy(topo): -+ """Set up subtree password policy -+ """ -+ try: -+ topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, -+ 'nsslapd-pwpolicy-local', -+ 'on')]) -+ except ldap.LDAPError as e: -+ log.error('Failed to set fine-grained policy: error {}'.format( -+ e.message['desc'])) -+ raise e -+ -+ log.info('Create password policy for subtree {}'.format(OU_PEOPLE)) -+ try: -+ subprocess.call(['%s/ns-newpwpolicy.pl' % topo.standalone.get_sbin_dir(), -+ '-D', DN_DM, '-w', PASSWORD, -+ '-p', str(PORT_STANDALONE), '-h', HOST_STANDALONE, -+ '-S', DEFAULT_SUFFIX, '-Z', SERVERID_STANDALONE]) -+ except subprocess.CalledProcessError as e: -+ log.error('Failed to create pw policy policy for {}: error {}'.format( -+ OU_PEOPLE, e.message['desc'])) -+ raise e -+ -+ log.info('Add pwdpolicysubentry attribute to {}'.format(OU_PEOPLE)) -+ try: -+ topo.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_REPLACE, -+ 'pwdpolicysubentry', -+ PW_POLICY_CONT_PEOPLE2)]) -+ except ldap.LDAPError as e: -+ log.error('Failed to pwdpolicysubentry pw policy ' -+ 'policy for {}: error {}'.format(OU_PEOPLE, e.message['desc'])) -+ raise e -+ time.sleep(1) -+ -+ -+def setup_indirect_cos(topo): -+ """Setup indirect COS definition and template -+ """ -+ cosDef = Entry(('cn=cosDefinition,dc=example,dc=com', -+ {'objectclass': ['top', 'ldapsubentry', -+ 'cossuperdefinition', -+ 'cosIndirectDefinition'], -+ 'cosAttribute': ['ou merge-schemes', -+ 'x-department merge-schemes', -+ 'x-en-ou merge-schemes'], -+ 'cosIndirectSpecifier': 'seeAlso', -+ 'cn': 'cosDefinition'})) -+ -+ 
cosTemplate = Entry(('cn=cosTemplate,dc=example,dc=com', -+ {'objectclass': ['top', -+ 'extensibleObject', -+ 'cosTemplate'], -+ 'ou': 'My COS Org', -+ 'x-department': 'My COS x-department', -+ 'x-en-ou': 'my COS x-en-ou', -+ 'cn': 'cosTemplate'})) -+ try: -+ topo.standalone.add_s(cosDef) -+ topo.standalone.add_s(cosTemplate) -+ except ldap.LDAPError as e: -+ log.fatal('Failed to add cos: error ' + str(e)) -+ raise e -+ time.sleep(1) -+ -+ -+@pytest.fixture(scope="module") -+def setup(topo, request): -+ """Add schema, and test user -+ """ -+ log.info('Add custom schema...') -+ try: -+ ATTR_1 = ("( 1.3.6.1.4.1.409.389.2.189 NAME 'x-department' " + -+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )") -+ ATTR_2 = ("( 1.3.6.1.4.1.409.389.2.187 NAME 'x-en-ou' " + -+ "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )") -+ OC = ("( xPerson-oid NAME 'xPerson' DESC '' SUP person STRUCTURAL MAY " + -+ "( x-department $ x-en-ou ) X-ORIGIN 'user defined' )") -+ topo.standalone.modify_s("cn=schema", [(ldap.MOD_ADD, 'attributeTypes', ATTR_1), -+ (ldap.MOD_ADD, 'attributeTypes', ATTR_2), -+ (ldap.MOD_ADD, 'objectClasses', OC)]) -+ except ldap.LDAPError as e: -+ log.fatal('Failed to add custom schema') -+ raise e -+ time.sleep(1) -+ -+ log.info('Add test user...') -+ users = UserAccounts(topo.standalone, DEFAULT_SUFFIX) -+ -+ user_properties = { -+ 'uid': 'test_user', -+ 'cn': 'test user', -+ 'sn': 'user', -+ 'uidNumber': '1000', -+ 'gidNumber': '2000', -+ 'homeDirectory': '/home/test_user', -+ 'seeAlso': 'cn=cosTemplate,dc=example,dc=com' -+ } -+ users.create(properties=user_properties) -+ try: -+ topo.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_ADD, -+ 'objectclass', -+ 'xPerson')]) -+ except ldap.LDAPError as e: -+ log.fatal('Failed to add objectclass to user') -+ raise e -+ -+ # Setup COS -+ log.info("Setup indirect COS...") -+ setup_indirect_cos(topo) -+ -+ -+def test_indirect_cos(topo, setup): -+ """Test indirect cos -+ -+ :id: 
890d5929-7d52-4a56-956e-129611b4649a -+ :setup: standalone -+ :steps: -+ 1. Test cos is working for test user -+ 2. Add subtree password policy -+ 3. Test cos is working for test user -+ :expectedresults: -+ 1. User has expected cos attrs -+ 2. Substree password policy setup is successful -+ 3 User still has expected cos attrs -+ """ -+ -+ # Step 1 - Search user and see if the COS attrs are included -+ log.info('Checking user...') -+ check_user(topo.standalone) -+ -+ # Step 2 - Add subtree password policy (Second COS - operational attribute) -+ setup_subtree_policy(topo) -+ -+ # Step 3 - Check user again now hat we have a mix of vattrs -+ log.info('Checking user...') -+ check_user(topo.standalone) -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c -index c7897ba05..9ae15db15 100644 ---- a/ldap/servers/plugins/cos/cos_cache.c -+++ b/ldap/servers/plugins/cos/cos_cache.c -@@ -2094,7 +2094,6 @@ cos_cache_vattr_types(vattr_sp_handle *handle __attribute__((unused)), - int index = 0; - cosCache *pCache; - char *lastattr = "thisisfakeforcos"; -- int props = 0; - - slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "--> cos_cache_vattr_types\n"); - -@@ -2105,6 +2104,7 @@ cos_cache_vattr_types(vattr_sp_handle *handle __attribute__((unused)), - } - - while (index < pCache->attrCount) { -+ int props = 0; - if (slapi_utf8casecmp( - (unsigned char *)pCache->ppAttrIndex[index]->pAttrName, - (unsigned char *)lastattr)) { --- -2.13.6 - diff --git a/SOURCES/0005-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch b/SOURCES/0005-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch new file mode 100644 index 0000000..6a1d09a --- /dev/null +++ b/SOURCES/0005-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch 
@@ -0,0 +1,137 @@
+From a21ba4722268349b9c63000145e5d119e1fddd60 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Thu, 9 Aug 2018 15:27:59 -0400
+Subject: [PATCH] Ticket 49890 : ldapsearch with server side sort crashes the
+ ldap server
+
+Bug Description:
+ Server side sort with a specified matching rule trigger a crash
+
+Fix Description:
+ Check if the we are able to index the provided value.
+ If we are not then slapd_qsort returns an error (LDAP_OPERATION_ERROR)
+
+https://pagure.io/389-ds-base/issue/49890
+
+Reviewed by: mreynolds
+
+Platforms tested: F27
+
+Flag Day: no
+
+Doc impact: no
+
+(cherry picked from commit c989e18f7a3da060b16d39919b920b6b2a19a0ac)
+---
+ dirsrvtests/tests/suites/syntax/mr_test.py | 59 ++++++++++++++++++++++
+ ldap/servers/slapd/back-ldbm/sort.c | 14 +++++
+ 2 files changed, 73 insertions(+)
+ create mode 100644 dirsrvtests/tests/suites/syntax/mr_test.py
+
+diff --git a/dirsrvtests/tests/suites/syntax/mr_test.py b/dirsrvtests/tests/suites/syntax/mr_test.py
+new file mode 100644
+index 000000000..57061222a
+--- /dev/null
++++ b/dirsrvtests/tests/suites/syntax/mr_test.py
+@@ -0,0 +1,59 @@
++import logging
++import pytest
++import os
++import ldap
++from lib389.dbgen import dbgen
++from lib389._constants import *
++from lib389.topologies import topology_st as topo
++from lib389._controls import SSSRequestControl
++
++DEBUGGING = os.getenv("DEBUGGING", default=False)
++if DEBUGGING:
++ logging.getLogger(__name__).setLevel(logging.DEBUG)
++else:
++ logging.getLogger(__name__).setLevel(logging.INFO)
++log = logging.getLogger(__name__)
++
++
++def test_sss_mr(topo):
++ """Test matching rule/server side sort does not crash DS
++
++ :id: 48c73d76-1694-420f-ab55-187135f2d260
++ :setup: Standalone Instance
++ :steps:
++ 1. Add sample entries to the database
++ 2. Perform search using server side control (uid:2.5.13.3)
++ :expectedresults:
++ 1. Success
++ 2. Success
++ """
++
++ log.info("Creating LDIF...")
++ ldif_dir = topo.standalone.get_ldif_dir()
++ ldif_file = os.path.join(ldif_dir, 'mr-crash.ldif')
++ dbgen(topo.standalone, 5, ldif_file, DEFAULT_SUFFIX)
++
++ log.info("Importing LDIF...")
++ topo.standalone.stop()
++ assert topo.standalone.ldif2db(DEFAULT_BENAME, None, None, None, ldif_file)
++ topo.standalone.start()
++
++ log.info('Search using server side sorting using undefined mr in the attr...')
++ sort_ctrl = SSSRequestControl(True, ['uid:2.5.13.3'])
++ controls = [sort_ctrl]
++ msg_id = topo.standalone.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,
++ "objectclass=*", serverctrls=controls)
++ try:
++ rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(msg_id)
++ except ldap.OPERATIONS_ERROR:
++ pass
++
++ log.info("Test PASSED")
++
++
++if __name__ == '__main__':
++ # Run isolated
++ # -s for DEBUG mode
++ CURRENT_FILE = os.path.realpath(__file__)
++ pytest.main(["-s", CURRENT_FILE])
++
+diff --git a/ldap/servers/slapd/back-ldbm/sort.c b/ldap/servers/slapd/back-ldbm/sort.c
+index 5b84d87f3..70ac60803 100644
+--- a/ldap/servers/slapd/back-ldbm/sort.c
++++ b/ldap/servers/slapd/back-ldbm/sort.c
+@@ -546,6 +546,16 @@ compare_entries_sv(ID *id_a, ID *id_b, sort_spec *s, baggage_carrier *bc, int *e
+ /* Now copy it, so the second call doesn't crap on it */
+ value_a = slapi_ch_bvecdup(temp_value); /* Really, we'd prefer to not call the chXXX variant...*/
+ matchrule_values_to_keys(this_one->mr_pb, actual_value_b, &value_b);
++
++ if ((actual_value_a && !value_a) ||
++ (actual_value_b && !value_b)) {
++ ber_bvecfree(actual_value_a);
++ ber_bvecfree(actual_value_b);
++ CACHE_RETURN(&inst->inst_cache, &a);
++ CACHE_RETURN(&inst->inst_cache, &b);
++ *error = 1;
++ return 0;
++ }
+ if (actual_value_a)
+ ber_bvecfree(actual_value_a);
+ if (actual_value_b)
+@@ -717,6 +727,8 @@ recurse:
+ A[i] >= A[lo] for higuy <= i <= hi */
+
+ do {
++ if (error)
++ return LDAP_OPERATIONS_ERROR;
+ loguy++;
+ } while (loguy <= hi && compare_entries_sv(loguy, lo, s, bc, &error) <= 0);
+
+@@ -724,6 +736,8 @@ recurse:
+ either loguy > hi or A[loguy] > A[lo] */
+
+ do {
++ if (error)
++ return LDAP_OPERATIONS_ERROR;
+ higuy--;
+ } while (higuy > lo && compare_entries_sv(higuy, lo, s, bc, &error) >= 0);
+
+--
+2.17.1
+
diff --git a/SOURCES/0006-Bug-1614820-Crash-in-vslapd_log_emergency_error.patch b/SOURCES/0006-Bug-1614820-Crash-in-vslapd_log_emergency_error.patch
new file mode 100644
index 0000000..b49777d
--- /dev/null
+++ b/SOURCES/0006-Bug-1614820-Crash-in-vslapd_log_emergency_error.patch
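Review bot: The new early return in compare_entries_sv frees actual_value_a and actual_value_b and returns both cache entries, but it does not release value_a, which the context line just above shows is a copy made with slapi_ch_bvecdup(). When only value_b comes back NULL, that copy appears to be leaked each time a sort request reaches this path, and the condition is driven by the client-supplied matching rule. Releasing it the way the normal path does, for example `ber_bvecfree(value_a);` before `*error = 1;`, would close the leak; the rest of the function is outside the hunk, so confirm how value_a is freed there. In the two slapd_qsort hunks the `if (error)` check guards only the loguy and higuy scans, so any other compare_entries_sv call in that function, not visible here, needs the same check.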
@@ -0,0 +1,85 @@
+From 59071a77774c530f0ab570dda27e23a021d23972 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Thu, 23 Aug 2018 10:09:58 -0400
+Subject: [PATCH] Bug 1614820 - Crash in vslapd_log_emergency_error
+
+Description: We were not locking the error log fd before closing and reopening
+ the log file. This could cause a crash when multiple threads are
+ trying to log tothe errors log.
+---
+ ldap/servers/slapd/log.c | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
+index 2e4ee03a8..7dd71541b 100644
+--- a/ldap/servers/slapd/log.c
++++ b/ldap/servers/slapd/log.c
+@@ -2231,11 +2231,11 @@ vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked)
+ if (logging_hr_timestamps_enabled == 1) {
+ struct timespec tsnow;
+ if (clock_gettime(CLOCK_REALTIME, &tsnow) != 0) {
+- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to determine system time for message :: %s", msg);
++ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to determine system time for message :: %s\n", msg);
+ return;
+ }
+ if (format_localTime_hr_log(tsnow.tv_sec, tsnow.tv_nsec, sizeof(tbuf), tbuf, &size) != 0) {
+- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s", msg);
++ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s\n", msg);
+ return;
+ }
+ } else {
+@@ -2243,14 +2243,14 @@ vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked)
+ time_t tnl;
+ tnl = slapi_current_utc_time();
+ if (format_localTime_log(tnl, sizeof(tbuf), tbuf, &size) != 0) {
+- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s", msg);
++ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s\n", msg);
+ return;
+ }
+ #ifdef HAVE_CLOCK_GETTIME
+ }
+ #endif
+
+- PR_snprintf(buffer, sizeof(buffer), "%s - EMERG - %s", tbuf, msg);
++ PR_snprintf(buffer, sizeof(buffer), "%s - EMERG - %s\n", tbuf, msg);
+ size = strlen(buffer);
+
+ if (!locked) {
+@@ -2531,7 +2531,7 @@ vslapd_log_access(char *fmt, va_list ap)
+
+ if (SLAPI_LOG_BUFSIZ - blen < vlen) {
+ /* We won't be able to fit the message in! Uh-oh! */
+- /* Should we actually just do the snprintf, and warn that message was trunced? */
++ /* Should we actually just do the snprintf, and warn that message was truncated? */
+ log__error_emergency("Insufficent buffer capacity to fit timestamp and message!", 1, 0);
+ return -1;
+ }
+@@ -4486,6 +4486,13 @@ log__error_emergency(const char *errstr, int reopen, int locked)
+ if (!reopen) {
+ return;
+ }
++ if (!locked) {
++ /*
++ * Take the lock because we are closing and reopening the error log (fd),
++ * and we don't want any other threads trying to use this fd
++ */
++ LOG_ERROR_LOCK_WRITE();
++ }
+ if (NULL != loginfo.log_error_fdes) {
+ LOG_CLOSE(loginfo.log_error_fdes);
+ }
+@@ -4494,7 +4501,10 @@ log__error_emergency(const char *errstr, int reopen, int locked)
+ PRErrorCode prerr = PR_GetError();
+ syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr));
+ } else {
+- vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked);
++ vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, 1 /* locked */);
++ }
++ if (!locked) {
++ LOG_ERROR_UNLOCK_WRITE();
+ }
+ return;
+ }
+--
+2.17.1
+
diff --git a/SOURCES/0006-Ticket-49320-Activating-already-active-role-returns-.patch b/SOURCES/0006-Ticket-49320-Activating-already-active-role-returns-.patch
deleted file mode 100644
index c169905..0000000
--- a/SOURCES/0006-Ticket-49320-Activating-already-active-role-returns-.patch
+++ /dev/null
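Review bot: The `LOG_ERROR_LOCK_WRITE()` added to `log__error_emergency` is taken whenever `locked` is 0, yet the patch never states what `locked` promises, and the visible caller in `vslapd_log_access` passes `reopen=1, locked=0` from the access-log path. If any call site reaches this function while already holding the error-log lock, or while holding another log lock that is taken in the opposite order elsewhere, the new acquisition would hang the logging thread rather than crash it; that cannot be confirmed from these hunks, so each caller is worth checking. I would document the contract above the function, for example `/* locked != 0: caller already holds the error log write lock; otherwise it is taken and released here */`. The function starts above the inner hunk and the close/reopen lines between the last two hunks are not shown, so also confirm that `loginfo.log_error_fdes` is not left referring to the closed fd when the reopen fails, since other threads will use it once the lock is released.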
@@ -1,111 +0,0 @@ -From 50d62b6d5ea69e5cad6359dbd1dccb09fcfa1a6b Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 3 Oct 2017 09:51:53 -0400 -Subject: [PATCH] Ticket 49320 - Activating already active role returns error - 16 - -Bug Description: ns-activate.pl returns error 16 when trying to activate an - already active role. - -Fix Description: Check for error 16 (no such attr), and return error 100. - Also added a "redirect"otion to the ldapmod function to - hide any errors printed to STDERR, so that the script can - display its own error message. - -https://pagure.io/389-ds-base/issue/49320 - -Reviewed by: firstyear(Thanks!) - -(cherry picked from commit 406084847f29aa44ffd81de746770aeff6b67c61) ---- - ldap/admin/src/scripts/DSUtil.pm.in | 18 +++++++++++------- - ldap/admin/src/scripts/ns-activate.pl.in | 9 ++++++++- - 2 files changed, 19 insertions(+), 8 deletions(-) - -diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in -index 805a9b91d..791464d0a 100644 ---- a/ldap/admin/src/scripts/DSUtil.pm.in -+++ b/ldap/admin/src/scripts/DSUtil.pm.in -@@ -1447,6 +1447,10 @@ sub ldapmod { - close (FILE); - } - -+ if ($info{redirect} eq ""){ -+ $info{redirect} = "> /dev/null"; -+ } -+ - # - # Check the protocol, and reset it if it's invalid - # -@@ -1470,9 +1474,9 @@ sub ldapmod { - print "STARTTLS)\n"; - } - if($info{openldap} eq "yes"){ -- system "ldapmodify -x -ZZ -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null"; -+ system "ldapmodify -x -ZZ -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}"; - } else { -- system "ldapmodify -ZZZ -P \"$info{certdir}\" -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null"; -+ system "ldapmodify -ZZZ -P \"$info{certdir}\" -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}"; - } - } 
elsif (($info{security} eq "on" && $info{protocol} eq "") || ($info{security} eq "on" && $info{protocol} =~ m/LDAPS/i) ){ - # -@@ -1482,9 +1486,9 @@ sub ldapmod { - print "LDAPS)\n"; - } - if($info{openldap} eq "yes"){ -- system "ldapmodify -x -H \"ldaps://$info{host}:$info{secure_port}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null"; -+ system "ldapmodify -x -H \"ldaps://$info{host}:$info{secure_port}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}"; - } else { -- system "ldapmodify -Z -P \"$info{certdir}\" -p $info{secure_port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null"; -+ system "ldapmodify -Z -P \"$info{certdir}\" -p $info{secure_port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}"; - } - } elsif (($info{openldap} eq "yes") && (($info{ldapi} eq "on" && $info{protocol} eq "") || ($info{ldapi} eq "on" && $info{protocol} =~ m/LDAPI/i)) ){ - # -@@ -1499,7 +1503,7 @@ sub ldapmod { - if($protocol_error eq "yes"){ - print "LDAPI)\n"; - } -- system "ldapmodify -x -H \"$info{ldapiURL}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null"; -+ system "ldapmodify -x -H \"$info{ldapiURL}\" -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}"; - } - } else { - # -@@ -1509,9 +1513,9 @@ sub ldapmod { - print "LDAP)\n"; - } - if($info{openldap} eq "yes"){ -- system "ldapmodify -x -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null"; -+ system "ldapmodify -x -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}"; - } else { -- system "ldapmodify -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" > /dev/null"; -+ system "ldapmodify -h $info{host} -p $info{port} -D \"$info{rootdn}\" -w $myrootdnpw $info{args} -f \"$file\" $info{redirect}"; - } - } - unlink ($file); -diff 
--git a/ldap/admin/src/scripts/ns-activate.pl.in b/ldap/admin/src/scripts/ns-activate.pl.in -index 5922c9aab..bec19c8e7 100644 ---- a/ldap/admin/src/scripts/ns-activate.pl.in -+++ b/ldap/admin/src/scripts/ns-activate.pl.in -@@ -731,11 +731,18 @@ if ( $single == 1 ){ - } - - $info{args} = "-c"; -+$info{redirect} = "> /dev/null 2>&1"; - DSUtil::ldapmod($record, %info); - if( $? != 0 ){ - debug("delete, $entry\n"); - $retCode=$?>>8; -- exit $retCode; -+ if ($retCode == "16") { # Error 16 (no such attr) - already activated -+ out("$entry already $state.\n"); -+ exit 100; -+ } else { -+ out("Failed to activate $entry, error $retCode\n"); -+ exit $retCode; -+ } - } - - out("$entry $state.\n"); --- -2.13.6 - diff --git a/SOURCES/0007-Ticket-48235-Remove-memberOf-global-lock.patch b/SOURCES/0007-Ticket-48235-Remove-memberOf-global-lock.patch deleted file mode 100644 index 42b3757..0000000 --- a/SOURCES/0007-Ticket-48235-Remove-memberOf-global-lock.patch +++ /dev/null 
@@ -1,914 +0,0 @@ -From cbe71d7e4901232eaa423b9dc55dba9401c05bec Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Fri, 13 Oct 2017 07:09:08 -0400 -Subject: [PATCH] Ticket 48235 - Remove memberOf global lock - -Bug Description: The memberOf global lock no longer servers a purpose since - the plugin is BETXN. This was causing potential deadlocks - when multiple backends are used. - -Fix Description: Remove the lock, and rework the fixup/ancestors caches/hashtables. - Instead of reusing a single cache, we create a fresh cache - when we copy the plugin config (which only happens at the start - of an operation). Then we destroy the caches when we free - the config. - -https://pagure.io/389-ds-base/issue/48235 - -Reviewed by: firstyear & tbordaz(Thanks!!) - -(cherry picked from commit 184b8a164f4ed456c72d58038aa9a0d512be61fa) ---- - ldap/servers/plugins/memberof/memberof.c | 326 +++--------------------- - ldap/servers/plugins/memberof/memberof.h | 17 ++ - ldap/servers/plugins/memberof/memberof_config.c | 166 +++++++++++- - 3 files changed, 210 insertions(+), 299 deletions(-) - -diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c -index a0f997ddf..a23c52abe 100644 ---- a/ldap/servers/plugins/memberof/memberof.c -+++ b/ldap/servers/plugins/memberof/memberof.c -@@ -48,14 +48,11 @@ static Slapi_PluginDesc pdesc = {"memberof", VENDOR, - static void *_PluginID = NULL; - static Slapi_DN *_ConfigAreaDN = NULL; - static Slapi_RWLock *config_rwlock = NULL; --static Slapi_DN *_pluginDN = NULL; --static PRMonitor *memberof_operation_lock = 0; -+static Slapi_DN* _pluginDN = NULL; - MemberOfConfig *qsortConfig = 0; - static int usetxn = 0; - static int premodfn = 0; --#define MEMBEROF_HASHTABLE_SIZE 1000 --static PLHashTable *fixup_entry_hashtable = NULL; /* global hash table protected by memberof_lock (memberof_operation_lock) */ --static PLHashTable *group_ancestors_hashtable = NULL; /* global hash table protected by memberof_lock 
(memberof_operation_lock) */ -+ - - typedef struct _memberofstringll - { -@@ -73,18 +70,6 @@ typedef struct _memberof_get_groups_data - PRBool use_cache; - } memberof_get_groups_data; - --/* The key to access the hash table is the normalized DN -- * The normalized DN is stored in the value because: -- * - It is used in slapi_valueset_find -- * - It is used to fill the memberof_get_groups_data.group_norm_vals -- */ --typedef struct _memberof_cached_value --{ -- char *key; -- char *group_dn_val; -- char *group_ndn_val; -- int valid; --} memberof_cached_value; - struct cache_stat - { - int total_lookup; -@@ -164,14 +149,9 @@ static int memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data); - static int memberof_entry_in_scope(MemberOfConfig *config, Slapi_DN *sdn); - static int memberof_add_objectclass(char *auto_add_oc, const char *dn); - static int memberof_add_memberof_attr(LDAPMod **mods, const char *dn, char *add_oc); --static PLHashTable *hashtable_new(); --static void fixup_hashtable_empty(char *msg); --static PLHashTable *hashtable_new(); --static void ancestor_hashtable_empty(char *msg); --static void ancestor_hashtable_entry_free(memberof_cached_value *entry); --static memberof_cached_value *ancestors_cache_lookup(const char *ndn); --static PRBool ancestors_cache_remove(const char *ndn); --static PLHashEntry *ancestors_cache_add(const void *key, void *value); -+static memberof_cached_value *ancestors_cache_lookup(MemberOfConfig *config, const char *ndn); -+static PRBool ancestors_cache_remove(MemberOfConfig *config, const char *ndn); -+static PLHashEntry *ancestors_cache_add(MemberOfConfig *config, const void *key, void *value); - - /*** implementation ***/ - -@@ -344,11 +324,6 @@ memberof_postop_start(Slapi_PBlock *pb) - slapi_log_err(SLAPI_LOG_TRACE, MEMBEROF_PLUGIN_SUBSYSTEM, - "--> memberof_postop_start\n"); - -- memberof_operation_lock = PR_NewMonitor(); -- if (0 == memberof_operation_lock) { -- rc = -1; -- goto bail; -- } - if 
(config_rwlock == NULL) { - if ((config_rwlock = slapi_new_rwlock()) == NULL) { - rc = -1; -@@ -356,9 +331,6 @@ memberof_postop_start(Slapi_PBlock *pb) - } - } - -- fixup_entry_hashtable = hashtable_new(); -- group_ancestors_hashtable = hashtable_new(); -- - /* Set the alternate config area if one is defined. */ - slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_AREA, &config_area); - if (config_area) { -@@ -413,13 +385,13 @@ memberof_postop_start(Slapi_PBlock *pb) - goto bail; - } - --/* -+ /* - * TODO: start up operation actor thread - * need to get to a point where server failure -- * or shutdown doesn't hose our operations -- * so we should create a task entry that contains -+ * or shutdown doesn't hose our operations -+ * so we should create a task entry that contains - * all required information to complete the operation -- * then the tasks can be restarted safely if -+ * then the tasks can be restarted safely if - * interrupted - */ - -@@ -451,18 +423,7 @@ memberof_postop_close(Slapi_PBlock *pb __attribute__((unused))) - slapi_sdn_free(&_pluginDN); - slapi_destroy_rwlock(config_rwlock); - config_rwlock = NULL; -- PR_DestroyMonitor(memberof_operation_lock); -- memberof_operation_lock = NULL; -- -- if (fixup_entry_hashtable) { -- fixup_hashtable_empty("memberof_postop_close empty fixup_entry_hastable"); -- PL_HashTableDestroy(fixup_entry_hashtable); -- } - -- if (group_ancestors_hashtable) { -- ancestor_hashtable_empty("memberof_postop_close empty group_ancestors_hashtable"); -- PL_HashTableDestroy(group_ancestors_hashtable); -- } - slapi_log_err(SLAPI_LOG_TRACE, MEMBEROF_PLUGIN_SUBSYSTEM, - "<-- memberof_postop_close\n"); - return 0; -@@ -524,7 +485,7 @@ memberof_postop_del(Slapi_PBlock *pb) - { - int ret = SLAPI_PLUGIN_SUCCESS; - MemberOfConfig *mainConfig = NULL; -- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; -+ MemberOfConfig configCopy = {0}; - Slapi_DN *sdn; - void *caller_id = NULL; - -@@ -553,9 +514,6 @@ memberof_postop_del(Slapi_PBlock 
*pb) - memberof_copy_config(&configCopy, memberof_get_config()); - memberof_unlock_config(); - -- /* get the memberOf operation lock */ -- memberof_lock(); -- - /* remove this DN from the - * membership lists of groups - */ -@@ -563,7 +521,6 @@ memberof_postop_del(Slapi_PBlock *pb) - slapi_log_err(SLAPI_LOG_ERR, MEMBEROF_PLUGIN_SUBSYSTEM, - "memberof_postop_del - Error deleting dn (%s) from group. Error (%d)\n", - slapi_sdn_get_dn(sdn), ret); -- memberof_unlock(); - goto bail; - } - -@@ -583,7 +540,6 @@ memberof_postop_del(Slapi_PBlock *pb) - } - } - } -- memberof_unlock(); - bail: - memberof_free_config(&configCopy); - } -@@ -776,7 +732,7 @@ memberof_call_foreach_dn(Slapi_PBlock *pb __attribute__((unused)), Slapi_DN *sdn - memberof_cached_value *ht_grp = NULL; - const char *ndn = slapi_sdn_get_ndn(sdn); - -- ht_grp = ancestors_cache_lookup((const void *)ndn); -+ ht_grp = ancestors_cache_lookup(config, (const void *)ndn); - if (ht_grp) { - #if MEMBEROF_CACHE_DEBUG - slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_call_foreach_dn: Ancestors of %s already cached (%x)\n", ndn, ht_grp); -@@ -918,7 +874,7 @@ memberof_postop_modrdn(Slapi_PBlock *pb) - - if (memberof_oktodo(pb)) { - MemberOfConfig *mainConfig = 0; -- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; -+ MemberOfConfig configCopy = {0}; - struct slapi_entry *pre_e = NULL; - struct slapi_entry *post_e = NULL; - Slapi_DN *pre_sdn = 0; -@@ -944,8 +900,6 @@ memberof_postop_modrdn(Slapi_PBlock *pb) - goto bail; - } - -- memberof_lock(); -- - /* update any downstream members */ - if (pre_sdn && post_sdn && configCopy.group_filter && - 0 == slapi_filter_test_simple(post_e, configCopy.group_filter)) { -@@ -1010,7 +964,6 @@ memberof_postop_modrdn(Slapi_PBlock *pb) - } - } - } -- memberof_unlock(); - bail: - memberof_free_config(&configCopy); - } -@@ -1166,7 +1119,7 @@ memberof_postop_modify(Slapi_PBlock *pb) - if (memberof_oktodo(pb)) { - int config_copied = 0; - MemberOfConfig 
*mainConfig = 0; -- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; -+ MemberOfConfig configCopy = {0}; - - /* get the mod set */ - slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods); -@@ -1209,8 +1162,6 @@ memberof_postop_modify(Slapi_PBlock *pb) - if (interested) { - int op = slapi_mod_get_operation(smod); - -- memberof_lock(); -- - /* the modify op decides the function */ - switch (op & ~LDAP_MOD_BVALUES) { - case LDAP_MOD_ADD: { -@@ -1221,7 +1172,6 @@ memberof_postop_modify(Slapi_PBlock *pb) - "Error (%d)\n", - slapi_sdn_get_dn(sdn), ret); - slapi_mod_done(next_mod); -- memberof_unlock(); - goto bail; - } - break; -@@ -1239,7 +1189,6 @@ memberof_postop_modify(Slapi_PBlock *pb) - "Error (%d)\n", - slapi_sdn_get_dn(sdn), ret); - slapi_mod_done(next_mod); -- memberof_unlock(); - goto bail; - } - } else { -@@ -1250,7 +1199,6 @@ memberof_postop_modify(Slapi_PBlock *pb) - "Error (%d)\n", - slapi_sdn_get_dn(sdn), ret); - slapi_mod_done(next_mod); -- memberof_unlock(); - goto bail; - } - } -@@ -1265,7 +1213,6 @@ memberof_postop_modify(Slapi_PBlock *pb) - "Error (%d)\n", - slapi_sdn_get_dn(sdn), ret); - slapi_mod_done(next_mod); -- memberof_unlock(); - goto bail; - } - break; -@@ -1280,8 +1227,6 @@ memberof_postop_modify(Slapi_PBlock *pb) - break; - } - } -- -- memberof_unlock(); - } - - slapi_mod_done(next_mod); -@@ -1336,7 +1281,7 @@ memberof_postop_add(Slapi_PBlock *pb) - - if (memberof_oktodo(pb) && (sdn = memberof_getsdn(pb))) { - struct slapi_entry *e = NULL; -- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; -+ MemberOfConfig configCopy = {0}; - MemberOfConfig *mainConfig; - slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &e); - -@@ -1361,8 +1306,6 @@ memberof_postop_add(Slapi_PBlock *pb) - int i = 0; - Slapi_Attr *attr = 0; - -- memberof_lock(); -- - for (i = 0; configCopy.groupattrs && configCopy.groupattrs[i]; i++) { - if (0 == slapi_entry_attr_find(e, configCopy.groupattrs[i], &attr)) { - if ((ret = memberof_add_attr_list(pb, 
&configCopy, sdn, attr))) { -@@ -1373,8 +1316,6 @@ memberof_postop_add(Slapi_PBlock *pb) - } - } - } -- -- memberof_unlock(); - memberof_free_config(&configCopy); - } - } -@@ -2094,7 +2035,7 @@ dump_cache_entry(memberof_cached_value *double_check, const char *msg) - * the firsts elements of the array has 'valid=1' and the dn/ndn of group it belong to - */ - static void --cache_ancestors(Slapi_Value **member_ndn_val, memberof_get_groups_data *groups) -+cache_ancestors(MemberOfConfig *config, Slapi_Value **member_ndn_val, memberof_get_groups_data *groups) - { - Slapi_ValueSet *groupvals = *((memberof_get_groups_data *)groups)->groupvals; - Slapi_Value *sval; -@@ -2191,14 +2132,14 @@ cache_ancestors(Slapi_Value **member_ndn_val, memberof_get_groups_data *groups) - #if MEMBEROF_CACHE_DEBUG - dump_cache_entry(cache_entry, key); - #endif -- if (ancestors_cache_add((const void *)key_copy, (void *)cache_entry) == NULL) { -- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache_ancestors: Failed to cache ancestor of %s\n", key); -+ if (ancestors_cache_add(config, (const void*) key_copy, (void *) cache_entry) == NULL) { -+ slapi_log_err( SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache_ancestors: Failed to cache ancestor of %s\n", key); - ancestor_hashtable_entry_free(cache_entry); -- slapi_ch_free((void **)&cache_entry); -+ slapi_ch_free ((void**)&cache_entry); - return; - } - #if MEMBEROF_CACHE_DEBUG -- if (double_check = ancestors_cache_lookup((const void *)key)) { -+ if (double_check = ancestors_cache_lookup(config, (const void*) key)) { - dump_cache_entry(double_check, "read back"); - } - #endif -@@ -2283,8 +2224,7 @@ memberof_get_groups_r(MemberOfConfig *config, Slapi_DN *member_sdn, memberof_get - - merge_ancestors(&member_ndn_val, &member_data, data); - if (!cached && member_data.use_cache) -- cache_ancestors(&member_ndn_val, &member_data); -- -+ cache_ancestors(config, &member_ndn_val, &member_data); - - slapi_value_free(&member_ndn_val); - 
slapi_valueset_free(groupvals); -@@ -2825,49 +2765,10 @@ memberof_qsort_compare(const void *a, const void *b) - val1, val2); - } - --/* betxn: This locking mechanism is necessary to guarantee the memberof -- * consistency */ --void --memberof_lock() --{ -- if (usetxn) { -- PR_EnterMonitor(memberof_operation_lock); -- } -- if (fixup_entry_hashtable) { -- fixup_hashtable_empty("memberof_lock"); -- } -- if (group_ancestors_hashtable) { -- ancestor_hashtable_empty("memberof_lock empty group_ancestors_hashtable"); -- memset(&cache_stat, 0, sizeof(cache_stat)); -- } --} -- --void --memberof_unlock() --{ -- if (group_ancestors_hashtable) { -- ancestor_hashtable_empty("memberof_unlock empty group_ancestors_hashtable"); --#if MEMBEROF_CACHE_DEBUG -- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache statistics: total lookup %d (success %d), add %d, remove %d, enum %d\n", -- cache_stat.total_lookup, cache_stat.successfull_lookup, -- cache_stat.total_add, cache_stat.total_remove, cache_stat.total_enumerate); -- slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "cache statistics duration: lookup %ld, add %ld, remove %ld, enum %ld\n", -- cache_stat.cumul_duration_lookup, cache_stat.cumul_duration_add, -- cache_stat.cumul_duration_remove, cache_stat.cumul_duration_enumerate); --#endif -- } -- if (fixup_entry_hashtable) { -- fixup_hashtable_empty("memberof_lock"); -- } -- if (usetxn) { -- PR_ExitMonitor(memberof_operation_lock); -- } --} -- - void - memberof_fixup_task_thread(void *arg) - { -- MemberOfConfig configCopy = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; -+ MemberOfConfig configCopy = {0}; - Slapi_Task *task = (Slapi_Task *)arg; - task_data *td = NULL; - int rc = 0; -@@ -2933,9 +2834,6 @@ memberof_fixup_task_thread(void *arg) - /* do real work */ - rc = memberof_fix_memberof(&configCopy, task, td); - -- /* release the memberOf operation lock */ -- memberof_unlock(); -- - done: - if (usetxn && fixup_pb) { - if (rc) { /* failed */ -@@ -3100,7 +2998,7 @@ 
memberof_fix_memberof(MemberOfConfig *config, Slapi_Task *task, task_data *td) - } - - static memberof_cached_value * --ancestors_cache_lookup(const char *ndn) -+ancestors_cache_lookup(MemberOfConfig *config, const char *ndn) - { - memberof_cached_value *e; - #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME) -@@ -3118,7 +3016,7 @@ ancestors_cache_lookup(const char *ndn) - } - #endif - -- e = (memberof_cached_value *)PL_HashTableLookupConst(group_ancestors_hashtable, (const void *)ndn); -+ e = (memberof_cached_value *) PL_HashTableLookupConst(config->ancestors_cache, (const void *) ndn); - - #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME) - if (start) { -@@ -3133,7 +3031,7 @@ ancestors_cache_lookup(const char *ndn) - return e; - } - static PRBool --ancestors_cache_remove(const char *ndn) -+ancestors_cache_remove(MemberOfConfig *config, const char *ndn) - { - PRBool rc; - #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME) -@@ -3151,7 +3049,8 @@ ancestors_cache_remove(const char *ndn) - } - #endif - -- rc = PL_HashTableRemove(group_ancestors_hashtable, (const void *)ndn); -+ -+ rc = PL_HashTableRemove(config->ancestors_cache, (const void *)ndn); - - #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME) - if (start) { -@@ -3164,7 +3063,7 @@ ancestors_cache_remove(const char *ndn) - } - - static PLHashEntry * --ancestors_cache_add(const void *key, void *value) -+ancestors_cache_add(MemberOfConfig *config, const void *key, void *value) - { - PLHashEntry *e; - #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME) -@@ -3181,7 +3080,7 @@ ancestors_cache_add(const void *key, void *value) - } - #endif - -- e = PL_HashTableAdd(group_ancestors_hashtable, key, value); -+ e = PL_HashTableAdd(config->ancestors_cache, key, value); - - #if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME) - if (start) { -@@ -3211,7 +3110,6 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data) - const char *ndn; - char *dn_copy; - -- - /* - * If the server is ordered to shutdown, stop the fixup 
and return an error. - */ -@@ -3222,7 +3120,7 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data) - - /* Check if the entry has not already been fixed */ - ndn = slapi_sdn_get_ndn(sdn); -- if (ndn && fixup_entry_hashtable && PL_HashTableLookupConst(fixup_entry_hashtable, (void *)ndn)) { -+ if (ndn && config->fixup_cache && PL_HashTableLookupConst(config->fixup_cache, (void *)ndn)) { - slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: Entry %s already fixed up\n", ndn); - goto bail; - } -@@ -3240,12 +3138,13 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data) - * so free this memory - */ - ndn = slapi_sdn_get_ndn(sdn); -+ - #if MEMBEROF_CACHE_DEBUG - slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: This is NOT a group %s\n", ndn); - #endif -- ht_grp = ancestors_cache_lookup((const void *)ndn); -+ ht_grp = ancestors_cache_lookup(config, (const void *)ndn); - if (ht_grp) { -- if (ancestors_cache_remove((const void *)ndn)) { -+ if (ancestors_cache_remove(config, (const void *)ndn)) { - slapi_log_err(SLAPI_LOG_PLUGIN, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: free cached values for %s\n", ndn); - ancestor_hashtable_entry_free(ht_grp); - slapi_ch_free((void **)&ht_grp); -@@ -3297,11 +3196,11 @@ memberof_fix_memberof_callback(Slapi_Entry *e, void *callback_data) - slapi_valueset_free(groups); - - /* records that this entry has been fixed up */ -- if (fixup_entry_hashtable) { -+ if (config->fixup_cache) { - dn_copy = slapi_ch_strdup(ndn); -- if (PL_HashTableAdd(fixup_entry_hashtable, dn_copy, dn_copy) == NULL) { -+ if (PL_HashTableAdd(config->fixup_cache, dn_copy, dn_copy) == NULL) { - slapi_log_err(SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM, "memberof_fix_memberof_callback: " -- "failed to add dn (%s) in the fixup hashtable; NSPR error - %d\n", -+ "failed to add dn (%s) in the fixup hashtable; NSPR error - %d\n", - dn_copy, 
PR_GetError()); - slapi_ch_free((void **)&dn_copy); - /* let consider this as not a fatal error, it just skip an optimization */ -@@ -3397,157 +3296,8 @@ memberof_add_objectclass(char *auto_add_oc, const char *dn) - return rc; - } - --static PRIntn --memberof_hash_compare_keys(const void *v1, const void *v2) --{ -- PRIntn rc; -- if (0 == strcasecmp((const char *)v1, (const char *)v2)) { -- rc = 1; -- } else { -- rc = 0; -- } -- return rc; --} -- --static PRIntn --memberof_hash_compare_values(const void *v1, const void *v2) --{ -- PRIntn rc; -- if ((char *)v1 == (char *)v2) { -- rc = 1; -- } else { -- rc = 0; -- } -- return rc; --} -- --/* -- * Hashing function using Bernstein's method -- */ --static PLHashNumber --memberof_hash_fn(const void *key) --{ -- PLHashNumber hash = 5381; -- unsigned char *x = (unsigned char *)key; -- int c; -- -- while ((c = *x++)) { -- hash = ((hash << 5) + hash) ^ c; -- } -- return hash; --} -- --/* allocates the plugin hashtable -- * This hash table is used by operation and is protected from -- * concurrent operations with the memberof_lock (if not usetxn, memberof_lock -- * is not implemented and the hash table will be not used. 
-- * -- * The hash table contains all the DN of the entries for which the memberof -- * attribute has been computed/updated during the current operation -- * -- * hash table should be empty at the beginning and end of the plugin callback -- */ --static PLHashTable * --hashtable_new() --{ -- if (!usetxn) { -- return NULL; -- } -- -- return PL_NewHashTable(MEMBEROF_HASHTABLE_SIZE, -- memberof_hash_fn, -- memberof_hash_compare_keys, -- memberof_hash_compare_values, NULL, NULL); --} --/* this function called for each hash node during hash destruction */ --static PRIntn --fixup_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused))) --{ -- char *dn_copy; -- -- if (he == NULL) { -- return HT_ENUMERATE_NEXT; -- } -- dn_copy = (char *)he->value; -- slapi_ch_free_string(&dn_copy); -- -- return HT_ENUMERATE_REMOVE; --} -- --static void --fixup_hashtable_empty(char *msg) --{ -- if (fixup_entry_hashtable) { -- PL_HashTableEnumerateEntries(fixup_entry_hashtable, fixup_hashtable_remove, msg); -- } --} -- -- --/* allocates the plugin hashtable -- * This hash table is used by operation and is protected from -- * concurrent operations with the memberof_lock (if not usetxn, memberof_lock -- * is not implemented and the hash table will be not used. 
-- * -- * The hash table contains all the DN of the entries for which the memberof -- * attribute has been computed/updated during the current operation -- * -- * hash table should be empty at the beginning and end of the plugin callback -- */ -- --static void --ancestor_hashtable_entry_free(memberof_cached_value *entry) --{ -- int i; -- for (i = 0; entry[i].valid; i++) { -- slapi_ch_free((void **)&entry[i].group_dn_val); -- slapi_ch_free((void **)&entry[i].group_ndn_val); -- } -- /* Here we are at the ending element containing the key */ -- slapi_ch_free((void **)&entry[i].key); --} --/* this function called for each hash node during hash destruction */ --static PRIntn --ancestor_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused))) --{ -- memberof_cached_value *group_ancestor_array; -- -- if (he == NULL) { -- return HT_ENUMERATE_NEXT; -- } -- -- -- group_ancestor_array = (memberof_cached_value *)he->value; -- ancestor_hashtable_entry_free(group_ancestor_array); -- slapi_ch_free((void **)&group_ancestor_array); -- -- return HT_ENUMERATE_REMOVE; --} -- --static void --ancestor_hashtable_empty(char *msg) -+int -+memberof_use_txn() - { --#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME) -- long int start; -- struct timespec tsnow; --#endif -- -- if (group_ancestors_hashtable) { -- cache_stat.total_enumerate++; --#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME) -- if (clock_gettime(CLOCK_REALTIME, &tsnow) != 0) { -- start = 0; -- } else { -- start = tsnow.tv_nsec; -- } --#endif -- PL_HashTableEnumerateEntries(group_ancestors_hashtable, ancestor_hashtable_remove, msg); -- --#if defined(DEBUG) && defined(HAVE_CLOCK_GETTIME) -- if (start) { -- if (clock_gettime(CLOCK_REALTIME, &tsnow) == 0) { -- cache_stat.cumul_duration_enumerate += (tsnow.tv_nsec - start); -- } -- } --#endif -- } -+ return usetxn; - } -diff --git a/ldap/servers/plugins/memberof/memberof.h b/ldap/servers/plugins/memberof/memberof.h -index 
4833ce221..ba64e9dfa 100644 ---- a/ldap/servers/plugins/memberof/memberof.h -+++ b/ldap/servers/plugins/memberof/memberof.h -@@ -64,8 +64,22 @@ typedef struct memberofconfig - int skip_nested; - int fixup_task; - char *auto_add_oc; -+ PLHashTable *ancestors_cache; -+ PLHashTable *fixup_cache; - } MemberOfConfig; - -+/* The key to access the hash table is the normalized DN -+ * The normalized DN is stored in the value because: -+ * - It is used in slapi_valueset_find -+ * - It is used to fill the memberof_get_groups_data.group_norm_vals -+ */ -+typedef struct _memberof_cached_value -+{ -+ char *key; -+ char *group_dn_val; -+ char *group_ndn_val; -+ int valid; -+} memberof_cached_value; - - /* - * functions -@@ -89,5 +103,8 @@ int memberof_apply_config(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entr - void *memberof_get_plugin_id(void); - void memberof_release_config(void); - PRUint64 get_plugin_started(void); -+void ancestor_hashtable_entry_free(memberof_cached_value *entry); -+PLHashTable *hashtable_new(); -+int memberof_use_txn(); - - #endif /* _MEMBEROF_H_ */ -diff --git a/ldap/servers/plugins/memberof/memberof_config.c b/ldap/servers/plugins/memberof/memberof_config.c -index c5ca4b137..3f22d95d6 100644 ---- a/ldap/servers/plugins/memberof/memberof_config.c -+++ b/ldap/servers/plugins/memberof/memberof_config.c -@@ -14,12 +14,12 @@ - * memberof_config.c - configuration-related code for memberOf plug-in - * - */ -- -+#include "plhash.h" - #include -- - #include "memberof.h" - - #define MEMBEROF_CONFIG_FILTER "(objectclass=*)" -+#define MEMBEROF_HASHTABLE_SIZE 1000 - - /* - * The configuration attributes are contained in the plugin entry e.g. 
-@@ -34,14 +34,16 @@ - /* - * function prototypes - */ --static int memberof_validate_config(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry *e, int *returncode, char *returntext, void *arg); --static int --memberof_search(Slapi_PBlock *pb __attribute__((unused)), -- Slapi_Entry *entryBefore __attribute__((unused)), -- Slapi_Entry *e __attribute__((unused)), -- int *returncode __attribute__((unused)), -- char *returntext __attribute__((unused)), -- void *arg __attribute__((unused))) -+static void fixup_hashtable_empty( MemberOfConfig *config, char *msg); -+static void ancestor_hashtable_empty(MemberOfConfig *config, char *msg); -+static int memberof_validate_config (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, -+ int *returncode, char *returntext, void *arg); -+static int memberof_search (Slapi_PBlock *pb __attribute__((unused)), -+ Slapi_Entry* entryBefore __attribute__((unused)), -+ Slapi_Entry* e __attribute__((unused)), -+ int *returncode __attribute__((unused)), -+ char *returntext __attribute__((unused)), -+ void *arg __attribute__((unused))) - { - return SLAPI_DSE_CALLBACK_OK; - } -@@ -52,7 +54,7 @@ memberof_search(Slapi_PBlock *pb __attribute__((unused)), - /* This is the main configuration which is updated from dse.ldif. The - * config will be copied when it is used by the plug-in to prevent it - * being changed out from under a running memberOf operation. 
*/ --static MemberOfConfig theConfig = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; -+static MemberOfConfig theConfig = {0}; - static Slapi_RWLock *memberof_config_lock = 0; - static int inited = 0; - -@@ -693,6 +695,13 @@ void - memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src) - { - if (dest && src) { -+ -+ /* Allocate our caches here since we only copy the config at the start of an op */ -+ if (memberof_use_txn() == 1){ -+ dest->ancestors_cache = hashtable_new(); -+ dest->fixup_cache = hashtable_new(); -+ } -+ - /* Check if the copy is already up to date */ - if (src->groupattrs) { - int i = 0, j = 0; -@@ -787,6 +796,14 @@ memberof_free_config(MemberOfConfig *config) - slapi_ch_free_string(&config->memberof_attr); - memberof_free_scope(&(config->entryScopes), &config->entryScopeCount); - memberof_free_scope(&(config->entryScopeExcludeSubtrees), &config->entryExcludeScopeCount); -+ if (config->fixup_cache) { -+ fixup_hashtable_empty(config, "memberof_free_config empty fixup_entry_hastable"); -+ PL_HashTableDestroy(config->fixup_cache); -+ } -+ if (config->ancestors_cache) { -+ ancestor_hashtable_empty(config, "memberof_free_config empty group_ancestors_hashtable"); -+ PL_HashTableDestroy(config->ancestors_cache); -+ } - } - } - -@@ -982,3 +999,130 @@ bail: - - return ret; - } -+ -+ -+static PRIntn memberof_hash_compare_keys(const void *v1, const void *v2) -+{ -+ PRIntn rc; -+ if (0 == strcasecmp((const char *) v1, (const char *) v2)) { -+ rc = 1; -+ } else { -+ rc = 0; -+ } -+ return rc; -+} -+ -+static PRIntn memberof_hash_compare_values(const void *v1, const void *v2) -+{ -+ PRIntn rc; -+ if ((char *) v1 == (char *) v2) { -+ rc = 1; -+ } else { -+ rc = 0; -+ } -+ return rc; -+} -+ -+/* -+ * Hashing function using Bernstein's method -+ */ -+static PLHashNumber memberof_hash_fn(const void *key) -+{ -+ PLHashNumber hash = 5381; -+ unsigned char *x = (unsigned char *)key; -+ int c; -+ -+ while ((c = *x++)){ -+ hash = ((hash << 5) + hash) ^ c; -+ } -+ return 
hash; -+} -+ -+/* allocates the plugin hashtable -+ * This hash table is used by operation and is protected from -+ * concurrent operations with the memberof_lock (if not usetxn, memberof_lock -+ * is not implemented and the hash table will be not used. -+ * -+ * The hash table contains all the DN of the entries for which the memberof -+ * attribute has been computed/updated during the current operation -+ * -+ * hash table should be empty at the beginning and end of the plugin callback -+ */ -+PLHashTable *hashtable_new(int usetxn) -+{ -+ if (!usetxn) { -+ return NULL; -+ } -+ -+ return PL_NewHashTable(MEMBEROF_HASHTABLE_SIZE, -+ memberof_hash_fn, -+ memberof_hash_compare_keys, -+ memberof_hash_compare_values, NULL, NULL); -+} -+ -+/* this function called for each hash node during hash destruction */ -+static PRIntn fixup_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused))) -+{ -+ char *dn_copy; -+ -+ if (he == NULL) { -+ return HT_ENUMERATE_NEXT; -+ } -+ dn_copy = (char*) he->value; -+ slapi_ch_free_string(&dn_copy); -+ -+ return HT_ENUMERATE_REMOVE; -+} -+ -+static void fixup_hashtable_empty(MemberOfConfig *config, char *msg) -+{ -+ if (config->fixup_cache) { -+ PL_HashTableEnumerateEntries(config->fixup_cache, fixup_hashtable_remove, msg); -+ } -+} -+ -+ -+/* allocates the plugin hashtable -+ * This hash table is used by operation and is protected from -+ * concurrent operations with the memberof_lock (if not usetxn, memberof_lock -+ * is not implemented and the hash table will be not used. 
-+ * -+ * The hash table contains all the DN of the entries for which the memberof -+ * attribute has been computed/updated during the current operation -+ * -+ * hash table should be empty at the beginning and end of the plugin callback -+ */ -+ -+void ancestor_hashtable_entry_free(memberof_cached_value *entry) -+{ -+ int i; -+ -+ for (i = 0; entry[i].valid; i++) { -+ slapi_ch_free((void **) &entry[i].group_dn_val); -+ slapi_ch_free((void **) &entry[i].group_ndn_val); -+ } -+ /* Here we are at the ending element containing the key */ -+ slapi_ch_free((void**) &entry[i].key); -+} -+ -+/* this function called for each hash node during hash destruction */ -+static PRIntn ancestor_hashtable_remove(PLHashEntry *he, PRIntn index __attribute__((unused)), void *arg __attribute__((unused))) -+{ -+ memberof_cached_value *group_ancestor_array; -+ -+ if (he == NULL) { -+ return HT_ENUMERATE_NEXT; -+ } -+ group_ancestor_array = (memberof_cached_value *) he->value; -+ ancestor_hashtable_entry_free(group_ancestor_array); -+ slapi_ch_free((void **)&group_ancestor_array); -+ -+ return HT_ENUMERATE_REMOVE; -+} -+ -+static void ancestor_hashtable_empty(MemberOfConfig *config, char *msg) -+{ -+ if (config->ancestors_cache) { -+ PL_HashTableEnumerateEntries(config->ancestors_cache, ancestor_hashtable_remove, msg); -+ } -+} --- -2.13.6 - diff --git a/SOURCES/0007-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch b/SOURCES/0007-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch new file mode 100644 index 0000000..68427ae --- /dev/null +++ b/SOURCES/0007-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch 
@@ -0,0 +1,39 @@
+From de03e7456108de3f3d28c6a5d33926525b70557f Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Thu, 30 Aug 2018 14:28:10 -0400
+Subject: [PATCH] Ticket 49932 - Crash in delete_passwdPolicy when persistent
+ search connections are terminated unexpectedly
+
+Bug Description: We clone a pblock in a psearch search, and under certain
+ error conditions this pblock is freed, but it frees the
+ password policy struct which can lead to a double free
+ when the original pblock is destroyed.
+
+Fix Description: During the cloning, set the pwppolicy struct to NULL
+ so the clone allocates its own policy if needed
+
+https://pagure.io/389-ds-base/issue/49932
+
+Reviewed by: ?
+
+(cherry picked from commit 78fc627accacfa4061ce48977e22301f81ea8d73)
+---
+ ldap/servers/slapd/pblock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
+index 4514c3ce6..bc18a7b18 100644
+--- a/ldap/servers/slapd/pblock.c
++++ b/ldap/servers/slapd/pblock.c
+@@ -322,6 +322,8 @@ slapi_pblock_clone(Slapi_PBlock *pb)
+ if (pb->pb_intop != NULL) {
+ _pblock_assert_pb_intop(new_pb);
+ *(new_pb->pb_intop) = *(pb->pb_intop);
++ /* set pwdpolicy to NULL so this clone allocates its own policy */
++ new_pb->pb_intop->pwdpolicy = NULL;
+ }
+ if (pb->pb_intplugin != NULL) {
+ _pblock_assert_pb_intplugin(new_pb);
+--
+2.17.1
+
diff --git a/SOURCES/0008-Bug-1624004-potential-denial-of-service-attack.patch b/SOURCES/0008-Bug-1624004-potential-denial-of-service-attack.patch
new file mode 100644
index 0000000..aafb6eb
--- /dev/null
+++ b/SOURCES/0008-Bug-1624004-potential-denial-of-service-attack.patch
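Review bot: The struct assignment `*(new_pb->pb_intop) = *(pb->pb_intop);` in slapi_pblock_clone still leaves every other pointer member of pb_intop shared between the original and the clone; the two added lines reset only `pwdpolicy`. If pblock teardown frees any of those other members, the double free described in the commit message would stay reachable through them; the destructor is not part of this hunk, so that has to be checked against it. Once confirmed, I would widen the added comment to state the ownership rule, for example `/* the struct copy above aliases pwdpolicy and teardown frees it, so the clone must start without one; the remaining pb_intop pointers are borrowed */`. The body of slapi_pblock_clone starts and ends outside the hunk.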
@@ -0,0 +1,99 @@
+From ab7848a4a30d79c7433a1689ba1ea18897b73453 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Tue, 18 Sep 2018 16:39:26 -0400
+Subject: [PATCH] Bug 1624004 - potential denial of service attack
+
+Bug: a search request passing 8MB of NULL bytes as search attributes will
+ keep one thread busy for a long time.
+ The reason is that the attr array is copied/normalized to the searchattrs in
+ the search operation and does this using charray_add() which iterates thru
+ the array to determine the size of the array and then allocate one element more.
+ so this means we iterat 8 million times an array with a then average size of
+ 4 million elements.
+
+Fix: We already have traversed the array once and know the size, so we can allocate
+ the needed size once and only copy the element.
+ In addition we check for the kind of degenerated attributes "" as used in this
+ test scenario.
+ So the fix will reject invalid attr liste and improve performance for valid ones
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1624004
+---
+ ldap/servers/slapd/search.c | 16 ++++++++++++++--
+ ldap/servers/slapd/unbind.c | 4 ++--
+ 2 files changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
+index 731c6519e..dc26fc4d2 100644
+--- a/ldap/servers/slapd/search.c
++++ b/ldap/servers/slapd/search.c
+@@ -209,6 +209,7 @@ do_search(Slapi_PBlock *pb)
+ if (attrs != NULL) {
+ char *normaci = slapi_attr_syntax_normalize("aci");
+ int replace_aci = 0;
++ int attr_count = 0;
+ if (!normaci) {
+ normaci = slapi_ch_strdup("aci");
+ } else if (strcasecmp(normaci, "aci")) {
+@@ -218,9 +219,19 @@ do_search(Slapi_PBlock *pb)
+ /*
+ * . store gerattrs if any
+ * . add "aci" once if "*" is given
++ * . check that attrs are not degenerated
+ */
+ for (i = 0; attrs[i] != NULL; i++) {
+ char *p = NULL;
++ attr_count++;
++
++ if ( attrs[i][0] == '\0') {
++ log_search_access(pb, base, scope, fstr, "invalid attribute request");
++ send_ldap_result(pb, LDAP_PROTOCOL_ERROR, NULL, NULL, 0, NULL);
++ slapi_ch_free_string(&normaci);
++ goto free_and_return;
++ }
++
+ /* check if @ is included */
+ p = strchr(attrs[i], '@');
+ if (p) {
+@@ -244,6 +255,7 @@ do_search(Slapi_PBlock *pb)
+ } else if (strcmp(attrs[i], LDAP_ALL_USER_ATTRS /* '*' */) == 0) {
+ if (!charray_inlist(attrs, normaci)) {
+ charray_add(&attrs, slapi_ch_strdup(normaci));
++ attr_count++;
+ }
+ } else if (replace_aci && (strcasecmp(attrs[i], "aci") == 0)) {
+ slapi_ch_free_string(&attrs[i]);
+@@ -263,13 +275,13 @@ do_search(Slapi_PBlock *pb)
+ }
+ } else {
+ /* return the chopped type, e.g., "sn" */
+- operation->o_searchattrs = NULL;
++ operation->o_searchattrs = (char **)slapi_ch_calloc(sizeof(char *), attr_count+1);
+ for (i = 0; attrs[i] != NULL; i++) {
+ char *type;
+ type = slapi_attr_syntax_normalize_ext(attrs[i],
+ ATTR_SYNTAX_NORM_ORIG_ATTR);
+ /* attrs[i] is consumed */
+- charray_add(&operation->o_searchattrs, attrs[i]);
++ operation->o_searchattrs[i] = attrs[i];
+ attrs[i] = type;
+ }
+ }
+diff --git a/ldap/servers/slapd/unbind.c b/ldap/servers/slapd/unbind.c
+index 90f7b1546..686e27a8e 100644
+--- a/ldap/servers/slapd/unbind.c
++++ b/ldap/servers/slapd/unbind.c
+@@ -87,8 +87,8 @@ do_unbind(Slapi_PBlock *pb)
+ /* pass the unbind to all backends */
+ be_unbindall(pb_conn, operation);
+
++free_and_return:;
++
+ /* close the connection to the client */
+ disconnect_server(pb_conn, operation->o_connid, operation->o_opid, SLAPD_DISCONNECT_UNBIND, 0);
+-
+-free_and_return:;
+ }
+--
+2.17.1
+
diff --git a/SOURCES/0008-Ticket-48235-remove-memberof-lock-cherry-pick-error.patch b/SOURCES/0008-Ticket-48235-remove-memberof-lock-cherry-pick-error.patch
deleted file mode 100644
index 67d6c96..0000000
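Review bot: In the last search.c hunk the copy loop writes `operation->o_searchattrs[i] = attrs[i];` with no bound other than the NULL terminator of attrs, while the buffer was sized from `attr_count`; any path that grows attrs without bumping the counter turns this into a heap write past the allocation. The two increments visible here look sufficient (the `charray_add` branch even overcounts by one, because the appended entry is visited by the same loop), but the lines between the inner hunks are not shown, so I would make the bound explicit with `for (i = 0; i < attr_count && attrs[i] != NULL; i++) {`. As a smaller point, `slapi_ch_calloc` takes the element count first, so `slapi_ch_calloc(attr_count + 1, sizeof(char *))` matches its signature. The body of do_search continues outside these hunks.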
--- a/SOURCES/0008-Ticket-48235-remove-memberof-lock-cherry-pick-error.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 23a82820bce65653f96450fcc410706fa555fbfd Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 16 Oct 2017 10:44:29 -0400
-Subject: [PATCH] Ticket 48235 - remove memberof lock (cherry-pick error)
-
-Description: Fix cherry-pick error
-
-https://pagure.io/389-ds-base/issue/48235
-
-Reviewed by: mreynolds(one line commit rule)
-
-(cherry picked from commit 3eb443b0ee11f3cf642ebfbcd135868a72ce39da)
----
- ldap/servers/plugins/memberof/memberof.c | 3 ---
- ldap/servers/plugins/memberof/memberof.h | 2 --
- 2 files changed, 5 deletions(-)
-
-diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
-index a23c52abe..bae242c81 100644
---- a/ldap/servers/plugins/memberof/memberof.c
-+++ b/ldap/servers/plugins/memberof/memberof.c
-@@ -2828,9 +2828,6 @@ memberof_fixup_task_thread(void *arg)
- }
- }
-
-- /* get the memberOf operation lock */
-- memberof_lock();
--
- /* do real work */
- rc = memberof_fix_memberof(&configCopy, task, td);
-
-diff --git a/ldap/servers/plugins/memberof/memberof.h b/ldap/servers/plugins/memberof/memberof.h
-index ba64e9dfa..cf028453c 100644
---- a/ldap/servers/plugins/memberof/memberof.h
-+++ b/ldap/servers/plugins/memberof/memberof.h
-@@ -88,8 +88,6 @@ int memberof_config(Slapi_Entry *config_e, Slapi_PBlock *pb);
- void memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src);
- void memberof_free_config(MemberOfConfig *config);
- MemberOfConfig *memberof_get_config(void);
--void memberof_lock(void);
--void memberof_unlock(void);
- void memberof_rlock_config(void);
- void memberof_wlock_config(void);
- void memberof_unlock_config(void);
---
-2.13.6
-
diff --git a/SOURCES/0009-Bug-1624004-fix-regression-in-empty-attribute-list.patch b/SOURCES/0009-Bug-1624004-fix-regression-in-empty-attribute-list.patch
new file mode 100644
index 0000000..49fe251
--- /dev/null
+++ b/SOURCES/0009-Bug-1624004-fix-regression-in-empty-attribute-list.patch
@@ -0,0 +1,43 @@
+From 55e961338810d89a6f45f31f27b3fd609535b1da Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Wed, 19 Sep 2018 09:26:59 -0400
+Subject: [PATCH] Bug 1624004 - fix regression in empty attribute list
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1624004
+---
+ ldap/servers/slapd/search.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
+index dc26fc4d2..7e253f535 100644
+--- a/ldap/servers/slapd/search.c
++++ b/ldap/servers/slapd/search.c
+@@ -210,6 +210,7 @@ do_search(Slapi_PBlock *pb)
+ char *normaci = slapi_attr_syntax_normalize("aci");
+ int replace_aci = 0;
+ int attr_count = 0;
++ int empty_attrs = 0;
+ if (!normaci) {
+ normaci = slapi_ch_strdup("aci");
+ } else if (strcasecmp(normaci, "aci")) {
+@@ -226,10 +227,13 @@ do_search(Slapi_PBlock *pb)
+ attr_count++;
+
+ if ( attrs[i][0] == '\0') {
+- log_search_access(pb, base, scope, fstr, "invalid attribute request");
+- send_ldap_result(pb, LDAP_PROTOCOL_ERROR, NULL, NULL, 0, NULL);
+- slapi_ch_free_string(&normaci);
+- goto free_and_return;
++ empty_attrs++;
++ if (empty_attrs > 1) {
++ log_search_access(pb, base, scope, fstr, "invalid attribute request");
++ send_ldap_result(pb, LDAP_PROTOCOL_ERROR, NULL, NULL, 0, NULL);
++ slapi_ch_free_string(&normaci);
++ goto free_and_return;
++ }
+ }
+
+ /* check if @ is included */
+--
+2.17.1
+
diff --git a/SOURCES/0009-Ticket-49394-slapi_pblock_get-may-leave-unchanged-th.patch b/SOURCES/0009-Ticket-49394-slapi_pblock_get-may-leave-unchanged-th.patch
deleted file mode 100644
index e2b42d7..0000000
--- a/SOURCES/0009-Ticket-49394-slapi_pblock_get-may-leave-unchanged-th.patch
+++ /dev/null
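Review bot: The new `empty_attrs > 1` test in do_search carries no comment saying why exactly one empty attribute name is tolerated, and the first `""` now falls through to the `/* check if @ is included */` code below it like any other name. From the hunk a reader cannot tell whether accepting a single empty string is deliberate client compatibility or just the smallest change that cleared the regression. I would add a comment above the counter, for example `/* one "" is accepted (regression fix for bug 1624004); a second one marks the request as degenerate */`, and a test that covers zero, one and two empty names. The function body starts and ends outside the hunk.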
@@ -1,703 +0,0 @@ -From 0b58d1a62679c3961bc41e03591c4277fb9f183e Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Thu, 5 Oct 2017 12:50:50 +0200 -Subject: [PATCH] Ticket 49394 - slapi_pblock_get may leave unchanged the - provided variable - -Bug Description: - Since 1.3.6.4 the pblock struct is a split in sub-structs - (https://pagure.io/389-ds-base/issue/49097) - - Before, it was a quite flat calloc struct and any slapi-pblock-get - retrieved the field (NULL if not previously slapi_pblock_set) and - assigned the provided variable. - - Now, the sub-struct are allocated on demand (slapi_pblock_set). - If a substruct that contains the requested field is not allocated the - provided variable is unchanged. - - This is a change of behavior, because a uninitialized local variable can - get random value (stack) if the lookup field/struct has not been set. - -Fix Description: - Update slapi_pblock_set so that it systematically sets the - provided variable when those substructs are NULL - pb_mr - pb_dse - pb_task - pb_misc - pb_intop - pb_intplugin - pb_deprecated - -https://pagure.io/389-ds-base/issue/49394 - -Reviewed by: Mark Reynolds, William Brown - -Platforms tested: F23 - -Flag Day: no - -Doc impact: no ---- - ldap/servers/slapd/pblock.c | 166 +++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 165 insertions(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c -index 077684d23..8f87de5b5 100644 ---- a/ldap/servers/slapd/pblock.c -+++ b/ldap/servers/slapd/pblock.c -@@ -379,6 +379,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_BACKEND_COUNT: - if (pblock->pb_misc != NULL) { - (*(int *)value) = pblock->pb_misc->pb_backend_count; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_BE_TYPE: -@@ -616,6 +618,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_REQUESTOR_ISROOT: - if (pblock->pb_intop != NULL) { - (*(int *)value) = 
pblock->pb_intop->pb_requestor_isroot; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_SKIP_MODIFIED_ATTRS: -@@ -657,6 +661,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_DESTROY_CONTENT: - if (pblock->pb_deprecated != NULL) { - (*(int *)value) = pblock->pb_deprecated->pb_destroy_content; -+ } else { -+ (*(int *)value) = 0; - } - break; - -@@ -685,16 +691,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_PLUGIN_OPRETURN: - if (pblock->pb_intop != NULL) { - (*(int *)value) = pblock->pb_intop->pb_opreturn; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_PLUGIN_OBJECT: - if (pblock->pb_intplugin != NULL) { - (*(void **)value) = pblock->pb_intplugin->pb_object; -+ } else { -+ (*(void **)value) = NULL; - } - break; - case SLAPI_PLUGIN_DESTROY_FN: - if (pblock->pb_intplugin != NULL) { - (*(IFP *)value) = pblock->pb_intplugin->pb_destroy_fn; -+ } else { -+ (*(IFP *)value) = NULL; - } - break; - case SLAPI_PLUGIN_DESCRIPTION: -@@ -703,11 +715,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_PLUGIN_IDENTITY: - if (pblock->pb_intplugin != NULL) { - (*(void **)value) = pblock->pb_intplugin->pb_plugin_identity; -+ } else { -+ (*(void **)value) = NULL; - } - break; - case SLAPI_PLUGIN_CONFIG_AREA: - if (pblock->pb_intplugin != NULL) { - (*(char **)value) = pblock->pb_intplugin->pb_plugin_config_area; -+ } else { -+ (*(char **)value) = 0; - } - break; - case SLAPI_PLUGIN_CONFIG_DN: -@@ -718,16 +734,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_PLUGIN_INTOP_RESULT: - if (pblock->pb_intop != NULL) { - (*(int *)value) = pblock->pb_intop->pb_internal_op_result; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES: - if (pblock->pb_intop != NULL) { - (*(Slapi_Entry ***)value) = pblock->pb_intop->pb_plugin_internal_search_op_entries; -+ } else { -+ (*(Slapi_Entry ***)value) = NULL; - } - break; - 
case SLAPI_PLUGIN_INTOP_SEARCH_REFERRALS: - if (pblock->pb_intop != NULL) { - (*(char ***)value) = pblock->pb_intop->pb_plugin_internal_search_op_referrals; -+ } else { -+ (*(char ***)value) = NULL; - } - break; - -@@ -1167,11 +1189,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_ENTRY_PRE_OP: - if (pblock->pb_intop != NULL) { - (*(Slapi_Entry **)value) = pblock->pb_intop->pb_pre_op_entry; -+ } else { -+ (*(Slapi_Entry **)value) = NULL; - } - break; - case SLAPI_ENTRY_POST_OP: - if (pblock->pb_intop != NULL) { - (*(Slapi_Entry **)value) = pblock->pb_intop->pb_post_op_entry; -+ } else { -+ (*(Slapi_Entry **)value) = NULL; - } - break; - -@@ -1419,12 +1445,16 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_CONTROLS_ARG: /* used to pass control argument before operation is created */ - if (pblock->pb_intop != NULL) { - (*(LDAPControl ***)value) = pblock->pb_intop->pb_ctrls_arg; -+ } else { -+ (*(LDAPControl ***)value) = NULL; - } - break; - /* notes to be added to the access log RESULT line for this op. 
*/ - case SLAPI_OPERATION_NOTES: - if (pblock->pb_intop != NULL) { - (*(unsigned int *)value) = pblock->pb_intop->pb_operation_notes; -+ } else { -+ (*(unsigned int *)value) = 0; - } - break; - -@@ -1486,6 +1516,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_SYNTAX_SUBSTRLENS: /* aka SLAPI_MR_SUBSTRLENS */ - if (pblock->pb_intplugin != NULL) { - (*(int **)value) = pblock->pb_intplugin->pb_substrlens; -+ } else { -+ (*(int **)value) = NULL; - } - break; - case SLAPI_PLUGIN_SYNTAX_VALIDATE: -@@ -1505,11 +1537,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_MANAGEDSAIT: - if (pblock->pb_intop != NULL) { - (*(int *)value) = pblock->pb_intop->pb_managedsait; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_PWPOLICY: - if (pblock->pb_intop != NULL) { - (*(int *)value) = pblock->pb_intop->pb_pwpolicy_ctrl; -+ } else { -+ (*(int *)value) = 0; - } - break; - -@@ -1522,11 +1558,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_ADD_EXISTING_DN_ENTRY: - if (pblock->pb_intop != NULL) { - (*(Slapi_Entry **)value) = pblock->pb_intop->pb_existing_dn_entry; -+ } else { -+ (*(Slapi_Entry **)value) = NULL; - } - break; - case SLAPI_ADD_EXISTING_UNIQUEID_ENTRY: - if (pblock->pb_intop != NULL) { - (*(Slapi_Entry **)value) = pblock->pb_intop->pb_existing_uniqueid_entry; -+ } else { -+ (*(Slapi_Entry **)value) = NULL; - } - break; - case SLAPI_ADD_PARENT_ENTRY: -@@ -1537,6 +1577,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_ADD_PARENT_UNIQUEID: - if (pblock->pb_op != NULL) { - (*(char **)value) = pblock->pb_op->o_params.p.p_add.parentuniqueid; -+ } else { -+ (*(char **)value) = NULL; - } - break; - -@@ -1624,16 +1666,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_MODRDN_PARENT_ENTRY: - if (pblock->pb_intop != NULL) { - (*(Slapi_Entry **)value) = pblock->pb_intop->pb_parent_entry; -+ } else { -+ (*(Slapi_Entry 
**)value) = NULL; - } - break; - case SLAPI_MODRDN_NEWPARENT_ENTRY: - if (pblock->pb_intop != NULL) { - (*(Slapi_Entry **)value) = pblock->pb_intop->pb_newparent_entry; -+ } else { -+ (*(Slapi_Entry **)value) = NULL; - } - break; - case SLAPI_MODRDN_TARGET_ENTRY: - if (pblock->pb_intop != NULL) { - (*(Slapi_Entry **)value) = pblock->pb_intop->pb_target_entry; -+ } else { -+ (*(Slapi_Entry **)value) = NULL; - } - break; - case SLAPI_MODRDN_NEWSUPERIOR_ADDRESS: -@@ -1740,26 +1788,36 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_PLUGIN_MR_FILTER_MATCH_FN: - if (pblock->pb_mr != NULL) { - (*(mrFilterMatchFn *)value) = pblock->pb_mr->filter_match_fn; -+ } else { -+ (*(mrFilterMatchFn *)value) = NULL; - } - break; - case SLAPI_PLUGIN_MR_FILTER_INDEX_FN: - if (pblock->pb_mr != NULL) { - (*(IFP *)value) = pblock->pb_mr->filter_index_fn; -+ } else { -+ (*(IFP *)value) = NULL; - } - break; - case SLAPI_PLUGIN_MR_FILTER_RESET_FN: - if (pblock->pb_mr != NULL) { - (*(IFP *)value) = pblock->pb_mr->filter_reset_fn; -+ } else { -+ (*(IFP *)value) = NULL; - } - break; - case SLAPI_PLUGIN_MR_INDEX_FN: - if (pblock->pb_mr != NULL) { - (*(IFP *)value) = pblock->pb_mr->index_fn; -+ } else { -+ (*(IFP *)value) = NULL; - } - break; - case SLAPI_PLUGIN_MR_INDEX_SV_FN: - if (pblock->pb_mr != NULL) { - (*(IFP *)value) = pblock->pb_mr->index_sv_fn; -+ } else { -+ (*(IFP *)value) = NULL; - } - break; - -@@ -1767,41 +1825,57 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_PLUGIN_MR_OID: - if (pblock->pb_mr != NULL) { - (*(char **)value) = pblock->pb_mr->oid; -+ } else { -+ (*(char **)value) = NULL; - } - break; - case SLAPI_PLUGIN_MR_TYPE: - if (pblock->pb_mr != NULL) { - (*(char **)value) = pblock->pb_mr->type; -+ } else { -+ (*(char **)value) = NULL; - } - break; - case SLAPI_PLUGIN_MR_VALUE: - if (pblock->pb_mr != NULL) { - (*(struct berval **)value) = pblock->pb_mr->value; -+ } else { -+ (*(struct berval **)value) = NULL; - } - 
break; - case SLAPI_PLUGIN_MR_VALUES: - if (pblock->pb_mr != NULL) { - (*(struct berval ***)value) = pblock->pb_mr->values; -+ } else { -+ (*(struct berval ***)value) = NULL; - } - break; - case SLAPI_PLUGIN_MR_KEYS: - if (pblock->pb_mr != NULL) { - (*(struct berval ***)value) = pblock->pb_mr->keys; -+ } else { -+ (*(struct berval ***)value) = NULL; - } - break; - case SLAPI_PLUGIN_MR_FILTER_REUSABLE: - if (pblock->pb_mr != NULL) { - (*(unsigned int *)value) = pblock->pb_mr->filter_reusable; -+ } else { -+ (*(unsigned int *)value) = 0; - } - break; - case SLAPI_PLUGIN_MR_QUERY_OPERATOR: - if (pblock->pb_mr != NULL) { - (*(int *)value) = pblock->pb_mr->query_operator; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_PLUGIN_MR_USAGE: - if (pblock->pb_mr != NULL) { - (*(unsigned int *)value) = pblock->pb_mr->usage; -+ } else { -+ (*(unsigned int *)value) = 0; - } - break; - -@@ -1865,16 +1939,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_SEQ_TYPE: - if (pblock->pb_task != NULL) { - (*(int *)value) = pblock->pb_task->seq_type; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_SEQ_ATTRNAME: - if (pblock->pb_task != NULL) { - (*(char **)value) = pblock->pb_task->seq_attrname; -+ } else { -+ (*(char **)value) = NULL; - } - break; - case SLAPI_SEQ_VAL: - if (pblock->pb_task != NULL) { - (*(char **)value) = pblock->pb_task->seq_val; -+ } else { -+ (*(char **)value) = NULL; - } - break; - -@@ -1882,47 +1962,65 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_LDIF2DB_FILE: - if (pblock->pb_task != NULL) { - (*(char ***)value) = pblock->pb_task->ldif_files; -+ } else { -+ (*(char ***)value) = NULL; - } - break; - case SLAPI_LDIF2DB_REMOVEDUPVALS: - if (pblock->pb_task != NULL) { - (*(int *)value) = pblock->pb_task->removedupvals; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_DB2INDEX_ATTRS: - if (pblock->pb_task != NULL) { - (*(char ***)value) = 
pblock->pb_task->db2index_attrs; -+ } else { -+ (*(char ***)value) = NULL; - } - break; - case SLAPI_LDIF2DB_NOATTRINDEXES: - if (pblock->pb_task != NULL) { - (*(int *)value) = pblock->pb_task->ldif2db_noattrindexes; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_LDIF2DB_INCLUDE: - if (pblock->pb_task != NULL) { - (*(char ***)value) = pblock->pb_task->ldif_include; -+ } else { -+ (*(char ***)value) = NULL; - } - break; - case SLAPI_LDIF2DB_EXCLUDE: - if (pblock->pb_task != NULL) { - (*(char ***)value) = pblock->pb_task->ldif_exclude; -+ } else { -+ (*(char ***)value) = NULL; - } - break; - case SLAPI_LDIF2DB_GENERATE_UNIQUEID: - if (pblock->pb_task != NULL) { - (*(int *)value) = pblock->pb_task->ldif_generate_uniqueid; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_LDIF2DB_ENCRYPT: - case SLAPI_DB2LDIF_DECRYPT: - if (pblock->pb_task != NULL) { - (*(int *)value) = pblock->pb_task->ldif_encrypt; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_LDIF2DB_NAMESPACEID: - if (pblock->pb_task != NULL) { - (*(char **)value) = pblock->pb_task->ldif_namespaceid; -+ } else { -+ (*(char **)value) = NULL; - } - break; - -@@ -1930,16 +2028,22 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_DB2LDIF_PRINTKEY: - if (pblock->pb_task != NULL) { - (*(int *)value) = pblock->pb_task->ldif_printkey; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_DB2LDIF_DUMP_UNIQUEID: - if (pblock->pb_task != NULL) { - (*(int *)value) = pblock->pb_task->ldif_dump_uniqueid; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_DB2LDIF_FILE: - if (pblock->pb_task != NULL) { - (*(char **)value) = pblock->pb_task->ldif_file; -+ } else { -+ (*(char **)value) = NULL; - } - break; - -@@ -1947,37 +2051,51 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_BACKEND_INSTANCE_NAME: - if (pblock->pb_task != NULL) { - (*(char **)value) = pblock->pb_task->instance_name; -+ } else { -+ (*(char **)value) 
= NULL; - } - break; - case SLAPI_BACKEND_TASK: - if (pblock->pb_task != NULL) { - (*(Slapi_Task **)value) = pblock->pb_task->task; -+ } else { -+ (*(Slapi_Task **)value) = NULL; - } - break; - case SLAPI_TASK_FLAGS: - if (pblock->pb_task != NULL) { - (*(int *)value) = pblock->pb_task->task_flags; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_DB2LDIF_SERVER_RUNNING: - if (pblock->pb_task != NULL) { - (*(int *)value) = pblock->pb_task->server_running; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_BULK_IMPORT_ENTRY: - if (pblock->pb_task != NULL) { - (*(Slapi_Entry **)value) = pblock->pb_task->import_entry; -+ } else { -+ (*(Slapi_Entry **)value) = NULL; - } - break; - case SLAPI_BULK_IMPORT_STATE: - if (pblock->pb_task != NULL) { - (*(int *)value) = pblock->pb_task->import_state; -+ } else { -+ (*(int *)value) = 0; - } - break; - /* dbverify */ - case SLAPI_DBVERIFY_DBDIR: - if (pblock->pb_task != NULL) { - (*(char **)value) = pblock->pb_task->dbverify_dbdir; -+ } else { -+ (*(char **)value) = NULL; - } - break; - -@@ -1993,11 +2111,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_TXN: - if (pblock->pb_intop != NULL) { - (*(void **)value) = pblock->pb_intop->pb_txn; -+ } else { -+ (*(void **)value) = NULL; - } - break; - case SLAPI_TXN_RUV_MODS_FN: - if (pblock->pb_intop != NULL) { - (*(IFP *)value) = pblock->pb_intop->pb_txn_ruv_mods_fn; -+ } else { -+ (*(IFP *)value) = NULL; - } - break; - -@@ -2052,6 +2174,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_PB_RESULT_TEXT: - if (pblock->pb_intop != NULL) { - *((char **)value) = pblock->pb_intop->pb_result_text; -+ } else { -+ *((char **)value) = NULL; - } - break; - -@@ -2059,6 +2183,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_DBSIZE: - if (pblock->pb_misc != NULL) { - (*(unsigned int *)value) = pblock->pb_misc->pb_dbsize; -+ } else { -+ (*(unsigned int *)value) = 0; - } - break; - -@@ 
-2153,11 +2279,15 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_ARGC: - if (pblock->pb_misc != NULL) { - (*(int *)value) = pblock->pb_misc->pb_slapd_argc; -+ } else { -+ (*(int *)value) = 0; - } - break; - case SLAPI_ARGV: - if (pblock->pb_misc != NULL) { - (*(char ***)value) = pblock->pb_misc->pb_slapd_argv; -+ } else { -+ (*(char ***)value) = NULL; - } - break; - -@@ -2165,6 +2295,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_CONFIG_DIRECTORY: - if (pblock->pb_intplugin != NULL) { - (*(char **)value) = pblock->pb_intplugin->pb_slapd_configdir; -+ } else { -+ (*(char **)value) = NULL; - } - break; - -@@ -2175,12 +2307,16 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_PLUGIN_PWD_STORAGE_SCHEME_USER_PWD: - if (pblock->pb_deprecated != NULL) { - (*(char **)value) = pblock->pb_deprecated->pb_pwd_storage_scheme_user_passwd; -+ } else { -+ (*(char **)value) = NULL; - } - break; - - case SLAPI_PLUGIN_PWD_STORAGE_SCHEME_DB_PWD: - if (pblock->pb_deprecated != NULL) { - (*(char **)value) = pblock->pb_deprecated->pb_pwd_storage_scheme_db_passwd; -+ } else { -+ (*(char **)value) = NULL; - } - break; - -@@ -2208,6 +2344,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_PLUGIN_ENABLED: - if (pblock->pb_intplugin != NULL) { - *((int *)value) = pblock->pb_intplugin->pb_plugin_enabled; -+ } else { -+ *((int *)value) = 0; - } - break; - -@@ -2215,6 +2353,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_DSE_DONT_WRITE_WHEN_ADDING: - if (pblock->pb_dse != NULL) { - (*(int *)value) = pblock->pb_dse->dont_add_write; -+ } else { -+ (*(int *)value) = 0; - } - break; - -@@ -2222,6 +2362,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_DSE_MERGE_WHEN_ADDING: - if (pblock->pb_dse != NULL) { - (*(int *)value) = pblock->pb_dse->add_merge; -+ } else { -+ (*(int *)value) = 0; - } - break; - -@@ -2229,6 +2371,8 @@ 
slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_DSE_DONT_CHECK_DUPS: - if (pblock->pb_dse != NULL) { - (*(int *)value) = pblock->pb_dse->dont_check_dups; -+ } else { -+ (*(int *)value) = 0; - } - break; - -@@ -2236,6 +2380,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_DSE_REAPPLY_MODS: - if (pblock->pb_dse != NULL) { - (*(int *)value) = pblock->pb_dse->reapply_mods; -+ } else { -+ (*(int *)value) = 0; - } - break; - -@@ -2243,6 +2389,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_DSE_IS_PRIMARY_FILE: - if (pblock->pb_dse != NULL) { - (*(int *)value) = pblock->pb_dse->is_primary_file; -+ } else { -+ (*(int *)value) = 0; - } - break; - -@@ -2250,42 +2398,56 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_SCHEMA_FLAGS: - if (pblock->pb_dse != NULL) { - (*(int *)value) = pblock->pb_dse->schema_flags; -+ } else { -+ (*(int *)value) = 0; - } - break; - - case SLAPI_URP_NAMING_COLLISION_DN: - if (pblock->pb_intop != NULL) { - (*(char **)value) = pblock->pb_intop->pb_urp_naming_collision_dn; -+ } else { -+ (*(char **)value) = NULL; - } - break; - - case SLAPI_URP_TOMBSTONE_UNIQUEID: - if (pblock->pb_intop != NULL) { - (*(char **)value) = pblock->pb_intop->pb_urp_tombstone_uniqueid; -+ } else { -+ (*(char **)value) = NULL; - } - break; - - case SLAPI_URP_TOMBSTONE_CONFLICT_DN: - if (pblock->pb_intop != NULL) { -- (*(char **)value) = pblock->pb_intop->pb_urp_tombstone_conflict_dn; -+ (*(char **)value) = pblock->pb_intop->pb_urp_tombstone_conflict_dn; -+ } else { -+ (*(char **)value) = NULL; - } - break; - - case SLAPI_SEARCH_CTRLS: - if (pblock->pb_intop != NULL) { - (*(LDAPControl ***)value) = pblock->pb_intop->pb_search_ctrls; -+ } else { -+ (*(LDAPControl ***)value) = NULL; - } - break; - - case SLAPI_PLUGIN_SYNTAX_FILTER_NORMALIZED: - if (pblock->pb_intplugin != NULL) { - (*(int *)value) = pblock->pb_intplugin->pb_syntax_filter_normalized; -+ } else { 
-+ (*(int *)value) = 0; - } - break; - - case SLAPI_PLUGIN_SYNTAX_FILTER_DATA: - if (pblock->pb_intplugin != NULL) { - (*(void **)value) = pblock->pb_intplugin->pb_syntax_filter_data; -+ } else { -+ (*(void **)value) = NULL; - } - break; - -@@ -2311,6 +2473,8 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - case SLAPI_ACI_TARGET_CHECK: - if (pblock->pb_misc != NULL) { - (*(int *)value) = pblock->pb_misc->pb_aci_target_check; -+ } else { -+ (*(int *)value) = 0; - } - break; - --- -2.13.6 - diff --git a/SOURCES/0010-Ticket-49402-Adding-a-database-entry-with-the-same-d.patch b/SOURCES/0010-Ticket-49402-Adding-a-database-entry-with-the-same-d.patch deleted file mode 100644 index de029d8..0000000 --- a/SOURCES/0010-Ticket-49402-Adding-a-database-entry-with-the-same-d.patch +++ /dev/null 
@@ -1,40 +0,0 @@
-From 697e01b0ca2d028f0d2cabc47ab2335de93b0491 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 16 Oct 2017 12:52:46 -0400
-Subject: [PATCH] Ticket 49402 - Adding a database entry with the same database
- name that was deleted hangs server at shutdown
-
-Bug Description: At shutdown, after a backend was deleted, which also had a import
- task run, the server hangs at shutdown. The issue is that the
- import task destructor used the ldbm inst struct to see if it was
- busy, but the inst was freed and the destructor was checking invalid
- memory which caused a false positive on the "busy" check.
-
-Fix Description: Do not check if the instance is busy to tell if it's okay to remove
- the task, instead just check the task's state.
-
-https://pagure.io/389-ds-base/issue/49402
-
-Reviewed by: lkrispen(Thanks!)
-
-(cherry picked from commit bc6dbf15c160ac7e6c553133b2b936a981cfb7b6)
----
- ldap/servers/slapd/back-ldbm/import.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/back-ldbm/import.c b/ldap/servers/slapd/back-ldbm/import.c
-index e8f4a5615..42e2696d3 100644
---- a/ldap/servers/slapd/back-ldbm/import.c
-+++ b/ldap/servers/slapd/back-ldbm/import.c
-@@ -244,7 +244,7 @@ import_task_destroy(Slapi_Task *task)
- return;
- }
-
-- while (is_instance_busy(job->inst)) {
-+ while (task->task_state == SLAPI_TASK_RUNNING) {
- /* wait for the job to finish before freeing it */
- DS_Sleep(PR_SecondsToInterval(1));
- }
---
-2.13.6
-
diff --git a/SOURCES/0011-Ticket-49064-RFE-allow-to-enable-MemberOf-plugin-in-.patch b/SOURCES/0011-Ticket-49064-RFE-allow-to-enable-MemberOf-plugin-in-.patch
deleted file mode 100644
index 914e1d0..0000000
--- a/SOURCES/0011-Ticket-49064-RFE-allow-to-enable-MemberOf-plugin-in-.patch
+++ /dev/null
@@ -1,332 +0,0 @@ -From 4af03a6a2a59684950d887d42c6e9d8b027d71f5 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Mon, 16 Oct 2017 11:21:51 +0200 -Subject: [PATCH] Ticket 49064 - RFE allow to enable MemberOf plugin in - dedicated consumer - -Bug Description: - memberof triggers some internal updates to add/del 'memberof' values. - on a readonly consumer, those updates selects a REFERRAL_ON_UPDATE backend - and that is not followed by internal updates. - At the end of the day, the update is rejected and if memberof plugin is enabled - replication will stuck on that rejected update - -Fix Description: - internal updates from memberof need to bypassing referrals. - So they flag internal updates SLAPI_OP_FLAG_BYPASS_REFERRALS, so that mtn_get_be - (mapping tree selection) will not return the referrals. - -https://pagure.io/389-ds-base/issue/49064 - -Reviewed by: Ludwig Krispenz, William Brown (thanks a LOT !) - -Platforms tested: F23 (all tickets + basic suite) - -Flag Day: no - -Doc impact: no ---- - dirsrvtests/tests/tickets/ticket49064_test.py | 259 ++++++++++++++++++++++++++ - ldap/servers/plugins/memberof/memberof.c | 6 +- - 2 files changed, 262 insertions(+), 3 deletions(-) - create mode 100644 dirsrvtests/tests/tickets/ticket49064_test.py - -diff --git a/dirsrvtests/tests/tickets/ticket49064_test.py b/dirsrvtests/tests/tickets/ticket49064_test.py -new file mode 100644 -index 000000000..b4b6de4b9 ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket49064_test.py -@@ -0,0 +1,259 @@ -+import logging -+import pytest -+import os -+import time -+import ldap -+import subprocess -+from lib389.utils import ds_is_older -+from lib389.topologies import topology_m1h1c1 as topo -+from lib389._constants import * -+from lib389 import Entry -+ -+# Skip on older versions -+pytestmark = pytest.mark.skipif(ds_is_older('1.3.7'), reason="Not implemented") -+ -+USER_CN='user_' -+GROUP_CN='group_' -+FIXUP_FILTER = '(objectClass=*)' -+FIXUP_CMD = 'fixup-memberof.pl' -+ -+DEBUGGING 
= os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+def memberof_fixup_task(server): -+ sbin_dir = server.get_sbin_dir() -+ memof_task = os.path.join(sbin_dir, FIXUP_CMD) -+ try: -+ output = subprocess.check_output( -+ [memof_task, '-D', DN_DM, '-w', PASSWORD, '-b', SUFFIX, '-Z', SERVERID_CONSUMER_1, '-f', FIXUP_FILTER]) -+ except subprocess.CalledProcessError as err: -+ output = err.output -+ log.info('output: {}'.format(output)) -+ expected = "Successfully added task entry" -+ assert expected in output -+ -+def config_memberof(server): -+ -+ server.plugins.enable(name=PLUGIN_MEMBER_OF) -+ MEMBEROF_PLUGIN_DN = ('cn=' + PLUGIN_MEMBER_OF + ',cn=plugins,cn=config') -+ server.modify_s(MEMBEROF_PLUGIN_DN, [(ldap.MOD_REPLACE, -+ 'memberOfAllBackends', -+ 'on'), -+ (ldap.MOD_REPLACE, 'memberOfAutoAddOC', 'nsMemberOf')]) -+ # Configure fractional to prevent total init to send memberof -+ ents = server.agreement.list(suffix=DEFAULT_SUFFIX) -+ for ent in ents: -+ log.info('update %s to add nsDS5ReplicatedAttributeListTotal' % ent.dn) -+ server.modify_s(ent.dn, -+ [(ldap.MOD_REPLACE, -+ 'nsDS5ReplicatedAttributeListTotal', -+ '(objectclass=*) $ EXCLUDE '), -+ (ldap.MOD_REPLACE, -+ 'nsDS5ReplicatedAttributeList', -+ '(objectclass=*) $ EXCLUDE memberOf')]) -+ -+ -+def send_updates_now(server): -+ -+ ents = server.agreement.list(suffix=DEFAULT_SUFFIX) -+ for ent in ents: -+ server.agreement.pause(ent.dn) -+ server.agreement.resume(ent.dn) -+ -+def add_user(server, no, desc='dummy', sleep=True): -+ cn = '%s%d' % (USER_CN, no) -+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX) -+ log.fatal('Adding user (%s): ' % dn) -+ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'inetuser'], -+ 'sn': ['_%s' % cn], -+ 'description': [desc]}))) -+ if sleep: -+ time.sleep(2) -+ -+def add_group(server, nr, sleep=True): -+ cn = '%s%d' 
% (GROUP_CN, nr) -+ dn = 'cn=%s,ou=groups,%s' % (cn, SUFFIX) -+ server.add_s(Entry((dn, {'objectclass': ['top', 'groupofnames'], -+ 'description': 'group %d' % nr}))) -+ if sleep: -+ time.sleep(2) -+ -+def update_member(server, member_dn, group_dn, op, sleep=True): -+ mod = [(op, 'member', member_dn)] -+ server.modify_s(group_dn, mod) -+ if sleep: -+ time.sleep(2) -+ -+def _find_memberof(server, member_dn, group_dn, find_result=True): -+ ent = server.getEntry(member_dn, ldap.SCOPE_BASE, "(objectclass=*)", ['memberof']) -+ found = False -+ if ent.hasAttr('memberof'): -+ -+ for val in ent.getValues('memberof'): -+ server.log.info("!!!!!!! %s: memberof->%s" % (member_dn, val)) -+ server.log.info("!!!!!!! %s" % (val)) -+ server.log.info("!!!!!!! %s" % (group_dn)) -+ if val.lower() == group_dn.lower(): -+ found = True -+ break -+ -+ if find_result: -+ assert (found) -+ else: -+ assert (not found) -+ -+ -+def test_ticket49064(topo): -+ """Specify a test case purpose or name here -+ -+ :id: 60c11636-55a1-4704-9e09-2c6bcc828de4 -+ :setup: 1 Master - 1 Hub - 1 Consumer -+ :steps: -+ 1. Configure replication to EXCLUDE memberof -+ 2. Enable memberof plugin -+ 3. Create users/groups -+ 4. make user_1 member of group_1 -+ 5. Checks that user_1 is memberof group_1 on M,H,C -+ 6. make group_1 member of group_2 (nest group) -+ 7. Checks that user_1 is memberof group_1 and group_2 on M,H,C -+ 8. Check group_1 is memberof group_2 on M,H,C -+ 9. remove group_1 from group_2 -+ 10. Check group_1 and user_1 are NOT memberof group_2 on M,H,C -+ 11. remove user_1 from group_1 -+ 12. Check user_1 is NOT memberof group_1 and group_2 on M,H,C -+ 13. Disable memberof on C1 -+ 14. make user_1 member of group_1 -+ 15. Checks that user is memberof group_1 on M,H but not on C -+ 16. Enable memberof on C1 -+ 17. Checks that user is memberof group_1 on M,H but not on C -+ 18. Run memberof fixup task -+ 19. 
Checks that user is memberof group_1 on M,H,C -+ -+ -+ :expectedresults: -+ no assert for membership check -+ """ -+ -+ -+ M1 = topo.ms["master1"] -+ H1 = topo.hs["hub1"] -+ C1 = topo.cs["consumer1"] -+ -+ # Step 1 & 2 -+ M1.config.enable_log('audit') -+ config_memberof(M1) -+ M1.restart() -+ -+ H1.config.enable_log('audit') -+ config_memberof(H1) -+ H1.restart() -+ -+ C1.config.enable_log('audit') -+ config_memberof(C1) -+ C1.restart() -+ -+ # Step 3 -+ for i in range(10): -+ add_user(M1, i, desc='add on m1') -+ for i in range(3): -+ add_group(M1, i) -+ -+ # Step 4 -+ member_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX) -+ group_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX) -+ update_member(M1, member_dn, group_dn, ldap.MOD_ADD, sleep=True) -+ -+ # Step 5 -+ for i in [M1, H1, C1]: -+ _find_memberof(i, member_dn, group_dn, find_result=True) -+ -+ -+ # Step 6 -+ user_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX) -+ grp1_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX) -+ grp2_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 2, SUFFIX) -+ update_member(M1, grp1_dn, grp2_dn, ldap.MOD_ADD, sleep=True) -+ -+ # Step 7 -+ for i in [grp1_dn, grp2_dn]: -+ for inst in [M1, H1, C1]: -+ _find_memberof(inst, user_dn, i, find_result=True) -+ -+ # Step 8 -+ for i in [M1, H1, C1]: -+ _find_memberof(i, grp1_dn, grp2_dn, find_result=True) -+ -+ # Step 9 -+ user_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX) -+ grp1_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX) -+ grp2_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 2, SUFFIX) -+ update_member(M1, grp1_dn, grp2_dn, ldap.MOD_DELETE, sleep=True) -+ -+ # Step 10 -+ for inst in [M1, H1, C1]: -+ for i in [grp1_dn, user_dn]: -+ _find_memberof(inst, i, grp2_dn, find_result=False) -+ -+ # Step 11 -+ member_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX) -+ group_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX) -+ update_member(M1, member_dn, group_dn, ldap.MOD_DELETE, sleep=True) -+ -+ # Step 12 -+ for inst in [M1, H1, 
C1]: -+ for grp in [grp1_dn, grp2_dn]: -+ _find_memberof(inst, member_dn, grp, find_result=False) -+ -+ # Step 13 -+ C1.plugins.disable(name=PLUGIN_MEMBER_OF) -+ C1.restart() -+ -+ # Step 14 -+ member_dn = 'cn=%s%d,ou=people,%s' % (USER_CN, 1, SUFFIX) -+ group_dn = 'cn=%s%d,ou=groups,%s' % (GROUP_CN, 1, SUFFIX) -+ update_member(M1, member_dn, group_dn, ldap.MOD_ADD, sleep=True) -+ -+ # Step 15 -+ for i in [M1, H1]: -+ _find_memberof(i, member_dn, group_dn, find_result=True) -+ _find_memberof(C1, member_dn, group_dn, find_result=False) -+ -+ # Step 16 -+ C1.plugins.enable(name=PLUGIN_MEMBER_OF) -+ C1.restart() -+ -+ # Step 17 -+ for i in [M1, H1]: -+ _find_memberof(i, member_dn, group_dn, find_result=True) -+ _find_memberof(C1, member_dn, group_dn, find_result=False) -+ -+ # Step 18 -+ memberof_fixup_task(C1) -+ time.sleep(5) -+ -+ # Step 19 -+ for i in [M1, H1, C1]: -+ _find_memberof(i, member_dn, group_dn, find_result=True) -+ -+ # If you need any test suite initialization, -+ # please, write additional fixture for that (including finalizer). -+ # Topology for suites are predefined in lib389/topologies.py. -+ -+ # If you need host, port or any other data about instance, -+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid) -+ -+ if DEBUGGING: -+ # Add debugging steps(if any)... 
-+ pass -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c -index bae242c81..44b52edbb 100644 ---- a/ldap/servers/plugins/memberof/memberof.c -+++ b/ldap/servers/plugins/memberof/memberof.c -@@ -609,7 +609,7 @@ memberof_del_dn_type_callback(Slapi_Entry *e, void *callback_data) - slapi_modify_internal_set_pb_ext( - mod_pb, slapi_entry_get_sdn(e), - mods, 0, 0, -- memberof_get_plugin_id(), 0); -+ memberof_get_plugin_id(), SLAPI_OP_FLAG_BYPASS_REFERRALS); - - slapi_modify_internal_pb(mod_pb); - -@@ -3224,7 +3224,7 @@ memberof_add_memberof_attr(LDAPMod **mods, const char *dn, char *add_oc) - mod_pb = slapi_pblock_new(); - slapi_modify_internal_set_pb( - mod_pb, dn, mods, 0, 0, -- memberof_get_plugin_id(), 0); -+ memberof_get_plugin_id(), SLAPI_OP_FLAG_BYPASS_REFERRALS); - slapi_modify_internal_pb(mod_pb); - - slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc); -@@ -3279,7 +3279,7 @@ memberof_add_objectclass(char *auto_add_oc, const char *dn) - - slapi_modify_internal_set_pb( - mod_pb, dn, mods, 0, 0, -- memberof_get_plugin_id(), 0); -+ memberof_get_plugin_id(), SLAPI_OP_FLAG_BYPASS_REFERRALS); - slapi_modify_internal_pb(mod_pb); - - slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc); --- -2.13.6 - diff --git a/SOURCES/0012-Ticket-49378-server-init-fails.patch b/SOURCES/0012-Ticket-49378-server-init-fails.patch deleted file mode 100644 index 80c658b..0000000 --- a/SOURCES/0012-Ticket-49378-server-init-fails.patch +++ /dev/null 
@@ -1,48 +0,0 @@
-From 82e092e9debce16f048b4fe0f38265bc8d80f63d Mon Sep 17 00:00:00 2001
-From: William Brown
-Date: Thu, 28 Sep 2017 09:11:00 +1000
-Subject: [PATCH] Ticket 49378 server init fails
-
-Bug Description: We used our own target for DS installation, but
-we should just use multi-user like anything else.
-
-Fix Description: Change service template to multi-user. This should
-be a seamless upgrade to most consumers.
-
-https://pagure.io/389-ds-base/issue/49378
-
-Author: wibrown
-
-Review by: mreynolds (Thanks!)
-
-(cherry picked from commit e9ad5f5aca64f65fa2c9b2dc5132b0dacf131c99)
----
- wrappers/systemd.template.asan.service.in | 2 +-
- wrappers/systemd.template.service.in | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/wrappers/systemd.template.asan.service.in b/wrappers/systemd.template.asan.service.in
-index 1fe321ccb..52681f632 100644
---- a/wrappers/systemd.template.asan.service.in
-+++ b/wrappers/systemd.template.asan.service.in
-@@ -36,5 +36,5 @@ ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/
- .include @initconfigdir@/@package_name@.systemd
-
- [Install]
--WantedBy=dirsrv.target
-+WantedBy=multi-user.target
-
-diff --git a/wrappers/systemd.template.service.in b/wrappers/systemd.template.service.in
-index 30b9e4b78..0d88900b6 100644
---- a/wrappers/systemd.template.service.in
-+++ b/wrappers/systemd.template.service.in
-@@ -40,5 +40,5 @@ ExecStart=@sbindir@/ns-slapd -D @instconfigdir@/slapd-%i -i @localstatedir@/run/
- .include @initconfigdir@/@package_name@.systemd
-
- [Install]
--WantedBy=dirsrv.target
-+WantedBy=multi-user.target
-
---
-2.13.6
-
diff --git a/SOURCES/0013-Ticket-49392-memavailable-not-available.patch b/SOURCES/0013-Ticket-49392-memavailable-not-available.patch
deleted file mode 100644
index fabb740..0000000
--- a/SOURCES/0013-Ticket-49392-memavailable-not-available.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 9369164f45ba19519158286590aaefae1c64ef05 Mon Sep 17 00:00:00 2001
-From: William Brown
-Date: Thu, 5 Oct 2017 09:54:48 +1000
-Subject: [PATCH] Ticket 49392 - memavailable not available
-
-Bug Description: On certain linux platforms memAvailable is
-not actually available! This means that the value was 0, so
-cgroup max was read instead, setting the system ram to:
-
-9223372036854771712
-
-That's a bit excessive, and can cause memory allocations to fail.
-
-Fix Description: If memavail can't be found, fall back to
-memtotal instead.
-
-https://pagure.io/389-ds-base/issue/49392
-
-Author: wibrown
-
-Review by: mreynolds (Thanks!)
----
- ldap/servers/slapd/slapi_pal.c | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/slapi_pal.c b/ldap/servers/slapd/slapi_pal.c
-index 38c178cfa..600d03d4d 100644
---- a/ldap/servers/slapd/slapi_pal.c
-+++ b/ldap/servers/slapd/slapi_pal.c
-@@ -155,7 +155,16 @@ spal_meminfo_get()
-
- /* Both memtotal and memavail are in kb */
- memtotal = memtotal * 1024;
-- memavail = memavail * 1024;
-+
-+ /*
-+ * Oracle Enterprise Linux doesn't provide a valid memavail value, so fall
-+ * back to 80% of memtotal.
-+ */
-+ if (memavail == 0) {
-+ memavail = memtotal * 0.8;
-+ } else {
-+ memavail = memavail * 1024;
-+ }
-
- /* If it's possible, get our cgroup info */
- uint64_t cg_mem_soft = 0;
---
-2.13.6
-
diff --git a/SOURCES/0014-Ticket-48006-Missing-warning-for-invalid-replica-bac.patch b/SOURCES/0014-Ticket-48006-Missing-warning-for-invalid-replica-bac.patch
deleted file mode 100644
index c7e308a..0000000
--- a/SOURCES/0014-Ticket-48006-Missing-warning-for-invalid-replica-bac.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -From 73c72aba0ab31f9d16cdfd8879e9da5f3fb985e0 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 17 Oct 2017 12:39:18 -0400 -Subject: [PATCH] Ticket 48006 - Missing warning for invalid replica backoff - configuration - -Description: Add warning if you try to set a min backoff time that is - greater than the configured maximum, or the max time that - is less than the minimum. - - Also fixed compiler warning in ldbm_config.c - -https://pagure.io/389-ds-base/issue/48006 - -Reviewed by: firstyear(Thanks!) - -(cherry picked from commit e123acb6987c75f6d7282b32c4f279b976eb6f5e) ---- - .../plugins/replication/repl5_replica_config.c | 24 ++++++++++++++++++++-- - ldap/servers/slapd/back-ldbm/ldbm_config.c | 2 +- - 2 files changed, 23 insertions(+), 3 deletions(-) - -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index f28044c19..22d766143 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -465,7 +465,8 @@ replica_config_modify(Slapi_PBlock *pb, - } - } else if (strcasecmp(config_attr, type_replicaBackoffMin) == 0) { - if (apply_mods) { -- PRUint64 val = atoll(config_attr_value); -+ uint64_t val = atoll(config_attr_value); -+ uint64_t max; - - if (val <= 0) { - *returncode = LDAP_UNWILLING_TO_PERFORM; -@@ -475,11 +476,21 @@ replica_config_modify(Slapi_PBlock *pb, - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext); - break; - } -+ max = replica_get_backoff_max(r); -+ if (val > max){ -+ *returncode = LDAP_UNWILLING_TO_PERFORM; -+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -+ "Attribute %s value (%s) is invalid, must be a number less than the max backoff time (%d).\n", -+ config_attr, config_attr_value, (int)max); -+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext); -+ break; -+ } - 
replica_set_backoff_min(r, val); - } - } else if (strcasecmp(config_attr, type_replicaBackoffMax) == 0) { - if (apply_mods) { -- PRUint64 val = atoll(config_attr_value); -+ uint64_t val = atoll(config_attr_value); -+ uint64_t min; - - if (val <= 0) { - *returncode = LDAP_UNWILLING_TO_PERFORM; -@@ -490,6 +501,15 @@ replica_config_modify(Slapi_PBlock *pb, - errortext); - break; - } -+ min = replica_get_backoff_min(r); -+ if (val < min) { -+ *returncode = LDAP_UNWILLING_TO_PERFORM; -+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -+ "Attribute %s value (%s) is invalid, must be a number more than the min backoff time (%d).\n", -+ config_attr, config_attr_value, (int)min); -+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext); -+ break; -+ } - replica_set_backoff_max(r, val); - } - } else if (strcasecmp(config_attr, type_replicaPrecisePurge) == 0) { -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c -index 2ef4652ce..feb993366 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_config.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c -@@ -388,7 +388,7 @@ ldbm_config_directory_set(void *arg, void *value, char *errorbuf, int phase, int - goto done; - } - slapi_pblock_destroy(search_pb); -- if (NULL == s || '\0' == s || 0 == PL_strcmp(s, "(null)")) { -+ if (NULL == s || '\0' == *s || 0 == PL_strcmp(s, "(null)")) { - slapi_log_err(SLAPI_LOG_ERR, - "ldbm_config_directory_set", "db directory is not set; check %s in the db config: %s\n", - CONFIG_DIRECTORY, CONFIG_LDBM_DN); --- -2.13.6 - diff --git a/SOURCES/0015-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch b/SOURCES/0015-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch deleted file mode 100644 index 26780eb..0000000 --- a/SOURCES/0015-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch +++ /dev/null 
@@ -1,43 +0,0 @@
-From 4569da8f2c55d54a34f31312ee5756c70a7f463c Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Thu, 19 Oct 2017 17:33:10 -0400
-Subject: [PATCH] Ticket 49408 - Server allows to set any nsds5replicaid in the
- existing replica entry
-
-Description: There was no value validation for replica ID. Now there is.
-
-https://pagure.io/389-ds-base/issue/49408
-
-Reviewed by: tbordaz(Thanks!)
-
-(cherry picked from commit 296f0abb78b7ec82580d039d9c505506f6ce07be)
----
- ldap/servers/plugins/replication/repl5_replica_config.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index 22d766143..7477a292c 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -411,6 +411,18 @@ replica_config_modify(Slapi_PBlock *pb,
- slapi_ch_free_string(&new_repl_type);
- new_repl_type = slapi_ch_strdup(config_attr_value);
- } else if (strcasecmp(config_attr, attr_replicaId) == 0) {
-+ char *endp = NULL;
-+ int64_t rid = 0;
-+ errno = 0;
-+ rid = strtoll(config_attr_value, &endp, 10);
-+ if (*endp != '\0' || rid > 65535 || rid < 1 || errno == ERANGE) {
-+ *returncode = LDAP_UNWILLING_TO_PERFORM;
-+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE,
-+ "Attribute %s value (%s) is invalid, must be a number between 1 and 65535.\n",
-+ config_attr, config_attr_value);
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext);
-+ break;
-+ }
- slapi_ch_free_string(&new_repl_id);
- new_repl_id = slapi_ch_strdup(config_attr_value);
- } else if (strcasecmp(config_attr, attr_flags) == 0) {
---
-2.13.6
-
diff --git a/SOURCES/0016-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch b/SOURCES/0016-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch
deleted file mode 100644
index c66717f..0000000
--- a/SOURCES/0016-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 70d236dedadc030fd2b450d7607b395b50523538 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Thu, 19 Oct 2017 17:02:20 -0400
-Subject: [PATCH] Ticket 49407 - status-dirsrv shows ellipsed lines
-
-Bug Description: To show the full output you have to pass "-l" to systemctl,
- but there is no way to use this option with the current design.
-
-Fix Description: Just show the full lines by default, as adding options can break
- the script's current usage.
-
-https://pagure.io/389-ds-base/issue/49407
-
-Reviewed by: tbordaz(Thanks!)
-
-(cherry picked from commit 45d2fd4b50227687ad042a0e17d8dcd9e4cd3023)
----
- ldap/admin/src/scripts/status-dirsrv.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ldap/admin/src/scripts/status-dirsrv.in b/ldap/admin/src/scripts/status-dirsrv.in
-index 90428990b..8e492c115 100755
---- a/ldap/admin/src/scripts/status-dirsrv.in
-+++ b/ldap/admin/src/scripts/status-dirsrv.in
-@@ -37,7 +37,7 @@ status_instance() {
- # Use systemctl if available.
- #
- if [ -d "@systemdsystemunitdir@" ] && [ $(id -u) -eq 0 ];then
-- @bindir@/systemctl status @package_name@@$SERV_ID.service
-+ @bindir@/systemctl status @package_name@@$SERV_ID.service -l
- rv=$?
- if [ $rv -ne 0 ]; then
- return 1
-@@ -65,7 +65,7 @@ found=0
- if [ $# -eq 0 ]; then
- # We're reporting the status of all instances.
- ret=0
-- @bindir@/systemctl status @package_name@.target
-+ @bindir@/systemctl status @package_name@.target -l
- initfiles=`get_initconfig_files $initconfig_dir` || { echo No instances found in $initconfig_dir ; exit 1 ; }
- for i in $initfiles; do
- inst=`normalize_server_id $i`
---
-2.13.6
-
diff --git a/SOURCES/0017-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch b/SOURCES/0017-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch
deleted file mode 100644
index bf19308..0000000
--- a/SOURCES/0017-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From b7cca69de5f6cda32bc38504a7aa7e5bc786bbe6 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Thu, 19 Oct 2017 14:44:38 -0400
-Subject: [PATCH] Ticket 48681 - Use of uninitialized value in string ne at
- /usr/bin/logconv.pl line 2565, <$LOGFH> line 4
-
-Bug description: The original fix for 48681 added a regression in regards to perl
- warning everytime you ran the script. That was due to a new hash
- for sasl binds that was not initialized.
-
-Fix Description: Check is the saslbind hash "exists" before checking its value.
-
-https://pagure.io/389-ds-base/issue/48681
-
-Reviewed by: mreynolds (one line fix)
-
-(cherry picked from commit e46749b77d95ad8fedf07d38890573b2862badf7)
----
- ldap/admin/src/logconv.pl | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
-index 4932db42e..473c71f21 100755
---- a/ldap/admin/src/logconv.pl
-+++ b/ldap/admin/src/logconv.pl
-@@ -2562,7 +2562,7 @@ sub parseLineNormal
- if ($_ =~ /conn= *([0-9A-Z]+) +op= *([0-9\-]+)/i){
- $conn = $1;
- $op = $2;
-- if ($hashes->{saslconnop}->{$conn-$op} ne ""){
-+ if (exists $hashes->{saslconnop}->{$conn-$op} && $hashes->{saslconnop}->{$conn-$op} ne ""){
- # This was a SASL BIND - record the dn
- if ($binddn ne ""){
- if($binddn eq $rootDN){ $rootDNBindCount++; }
---
-2.13.6
-
diff --git a/SOURCES/0018-Ticket-49374-server-fails-to-start-because-maxdisksi.patch b/SOURCES/0018-Ticket-49374-server-fails-to-start-because-maxdisksi.patch
deleted file mode 100644
index 61ab747..0000000
--- a/SOURCES/0018-Ticket-49374-server-fails-to-start-because-maxdisksi.patch
+++ /dev/null
@@ -1,132 +0,0 @@ -From 4ecec8dac601b77a25ebc390f138aad1ee48d805 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 19 Oct 2017 12:20:48 -0400 -Subject: [PATCH] Ticket 49374 - server fails to start because maxdisksize is - recognized incorrectly - -Bug Description: When directly editting dse.ldif, the server had a check - when setting the log maxdiskspace vs maxlogsize. If the - maxlogsize is processed first and it is higher than the - default maxdisksspace then it throw an error and the server - fails to start. - - If you attempt this same operation using ldapmodify it - works as "live" updates check all the mods first, so the - order of the attributes does not matter. - -Fix description: Remove the size checks from the attribute set function. - It is technically redundant since it is correctly checked - by the configdse code. - -https://pagure.io/389-ds-base/issue/49374 - -Reviewed by: tbordaz(Thanks!) - -(cherry picked from commit 63a0a59c9b09af08151831209ee6711b4363aee2) ---- - ldap/servers/slapd/log.c | 60 ++++++++++++------------------------------------ - 1 file changed, 15 insertions(+), 45 deletions(-) - -diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c -index e16d89cc5..998efaef3 100644 ---- a/ldap/servers/slapd/log.c -+++ b/ldap/servers/slapd/log.c -@@ -960,7 +960,6 @@ int - log_set_logsize(const char *attrname, char *logsize_str, int logtype, char *returntext, int apply) - { - int rv = LDAP_SUCCESS; -- PRInt64 mdiskspace = 0; /* in bytes */ - PRInt64 max_logsize; /* in bytes */ - int logsize; /* in megabytes */ - slapdFrontendConfig_t *fe_cfg = getFrontendConfig(); -@@ -979,72 +978,43 @@ log_set_logsize(const char *attrname, char *logsize_str, int logtype, char *retu - - switch (logtype) { - case SLAPD_ACCESS_LOG: -- LOG_ACCESS_LOCK_WRITE(); -- mdiskspace = loginfo.log_access_maxdiskspace; -- break; -- case SLAPD_ERROR_LOG: -- LOG_ERROR_LOCK_WRITE(); -- mdiskspace = loginfo.log_error_maxdiskspace; -- break; -- case SLAPD_AUDIT_LOG: 
-- LOG_AUDIT_LOCK_WRITE(); -- mdiskspace = loginfo.log_audit_maxdiskspace; -- break; -- case SLAPD_AUDITFAIL_LOG: -- LOG_AUDITFAIL_LOCK_WRITE(); -- mdiskspace = loginfo.log_auditfail_maxdiskspace; -- break; -- default: -- PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, -- "%s: invalid logtype %d", attrname, logtype); -- rv = LDAP_OPERATIONS_ERROR; -- } -- -- if ((max_logsize > mdiskspace) && (mdiskspace != -1)) { -- rv = 2; -- } -- -- switch (logtype) { -- case SLAPD_ACCESS_LOG: -- if (!rv && apply) { -+ if (apply) { -+ LOG_ACCESS_LOCK_WRITE(); - loginfo.log_access_maxlogsize = max_logsize; - fe_cfg->accesslog_maxlogsize = logsize; -+ LOG_ACCESS_UNLOCK_WRITE(); - } -- LOG_ACCESS_UNLOCK_WRITE(); - break; - case SLAPD_ERROR_LOG: -- if (!rv && apply) { -+ if (apply) { -+ LOG_ERROR_LOCK_WRITE(); - loginfo.log_error_maxlogsize = max_logsize; - fe_cfg->errorlog_maxlogsize = logsize; -+ LOG_ERROR_UNLOCK_WRITE(); - } -- LOG_ERROR_UNLOCK_WRITE(); - break; - case SLAPD_AUDIT_LOG: -- if (!rv && apply) { -+ if (apply) { -+ LOG_AUDIT_LOCK_WRITE(); - loginfo.log_audit_maxlogsize = max_logsize; - fe_cfg->auditlog_maxlogsize = logsize; -+ LOG_AUDIT_UNLOCK_WRITE(); - } -- LOG_AUDIT_UNLOCK_WRITE(); - break; - case SLAPD_AUDITFAIL_LOG: -- if (!rv && apply) { -+ if (apply) { -+ LOG_AUDITFAIL_LOCK_WRITE(); - loginfo.log_auditfail_maxlogsize = max_logsize; - fe_cfg->auditfaillog_maxlogsize = logsize; -+ LOG_AUDITFAIL_UNLOCK_WRITE(); - } -- LOG_AUDITFAIL_UNLOCK_WRITE(); - break; - default: -- rv = 1; -- } -- /* logsize is in MB */ -- if (rv == 2) { -- slapi_log_err(SLAPI_LOG_ERR, "log_set_logsize", -- "Invalid value for Maximum log size:" -- "Maxlogsize:%d (MB) exceeds Maxdisksize:%ld (MB)\n", -- logsize, (long int)(mdiskspace / LOG_MB_IN_BYTES)); -- -+ PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, -+ "%s: invalid logtype %d", attrname, logtype); - rv = LDAP_OPERATIONS_ERROR; - } -+ - return rv; - } - --- -2.13.6 - 
diff --git a/SOURCES/0019-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch b/SOURCES/0019-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch
deleted file mode 100644
index d92ffd6..0000000
--- a/SOURCES/0019-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From ef4ac2d45c9ea99fbb1ae6cee97745161f193bf9 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 25 Oct 2017 10:53:28 -0400 -Subject: [PATCH] Ticket 48681 - Use of uninitialized value in string ne at - /usr/bin/logconv.pl - -Bug Description: ldapi connections were not properly porcessed by the - connection parsing code which lead to uninitialized errors. - -Fix Description: Modify the connection IP address regex's to include "local" - -https://pagure.io/389-ds-base/issue/48681 - -Reviewd by: mreynolds (one line commit rule) - -(cherry picked from commit 6098e7b927b64ba300567e71ea611140c47676a1) ---- - ldap/admin/src/logconv.pl | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl -index 473c71f21..e36386e11 100755 ---- a/ldap/admin/src/logconv.pl -+++ b/ldap/admin/src/logconv.pl -@@ -809,9 +809,9 @@ if ($totalTimeInNsecs == 0){ - print "Restarts: $serverRestartCount\n"; - - if(%cipher){ -- print " Secure Protocol Versions:\n"; -+ print "Secure Protocol Versions:\n"; - foreach my $key (sort { $b cmp $a } keys %cipher) { -- print " - $key - $cipher{$key}\n"; -+ print " - $key ($cipher{$key} connections)\n"; - } - print "\n"; - } -@@ -1754,7 +1754,7 @@ parseLineBind { - ($end) = $endTime =~ /\D*(\S*)/; - } - } -- if ($_ =~ /connection from *([0-9A-Fa-f\.\:]+)/i ) { -+ if ($_ =~ /connection from *([0-9A-Za-z\.\:]+)/i ) { - my $skip = "yes"; - for (my $excl =0; $excl < $#excludeIP; $excl++){ - if ($excludeIP[$excl] eq $1){ -@@ -2085,7 +2085,7 @@ sub parseLineNormal - } - if (m/ connection from/){ - my $ip; -- if ($_ =~ /connection from *([0-9A-Fa-f\.\:]+)/i ){ -+ if ($_ =~ /connection from *([0-9A-Za-z\.\:]+)/i ){ - $ip = $1; - for (my $xxx =0; $xxx < $#excludeIP; $xxx++){ - if ($excludeIP[$xxx] eq $ip){$exc = "yes";} -@@ -2253,7 +2253,7 @@ sub parseLineNormal - } - if ($usage =~ /g/ || $usage =~ /c/ || $usage =~ /i/ || $usage =~ /f/ || $usage =~ /u/ || $usage =~ 
/U/ || $verb eq "yes"){ - $exc = "no"; -- if ($_ =~ /connection from *([0-9A-fa-f\.\:]+)/i ) { -+ if ($_ =~ /connection from *([0-9A-Za-z\.\:]+)/i ) { - for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){ - if ($1 eq $excludeIP[$xxx]){ - $exc = "yes"; --- -2.13.6 - diff --git a/SOURCES/0020-Ticket-49401-improve-valueset-sorted-performance-on-.patch b/SOURCES/0020-Ticket-49401-improve-valueset-sorted-performance-on-.patch deleted file mode 100644 index 657dfe6..0000000 --- a/SOURCES/0020-Ticket-49401-improve-valueset-sorted-performance-on-.patch +++ /dev/null 
@@ -1,250 +0,0 @@ -From a59b2f4129565dbfa1b63899dd550e9c22b02923 Mon Sep 17 00:00:00 2001 -From: Mohammad Nweider -Date: Wed, 18 Oct 2017 13:02:15 +0000 -Subject: [PATCH] Ticket 49401 - improve valueset sorted performance on delete - -Bug Description: valueset sorted maintains a list of syntax sorted -references to the attributes of the entry. During addition these are -modified and added properly, so they stay sorted. - -However, in the past to maintain the sorted property, during a delete -we would need to remove the vs->sorted array, and recreate it via qsort, - -While this was an improvement from past (where we would removed -vs->sorted during an attr delete), it still has performance implications -on very very large datasets, IE 50,000 member groups with -addition/deletion, large entry caches and replication. - -Fix Description: Implement a new algorithm that is able to maintain -existing sort data in a near linear time. - -https://pagure.io/389-ds-base/issue/49401 - -Author: nweiderm, wibrown - -Review by: wibrown, lkrispen, tbordaz (Thanks nweiderm!) - -(cherry picked from commit a43a8efc7907116146b505ac40f18fac71f474b0) ---- - ldap/servers/slapd/valueset.c | 171 +++++++++++++++++++++++++----------------- - 1 file changed, 103 insertions(+), 68 deletions(-) - -diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c -index d2c67d2fb..1c1bc150a 100644 ---- a/ldap/servers/slapd/valueset.c -+++ b/ldap/servers/slapd/valueset.c -@@ -677,100 +677,136 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn) - size_t i = 0; - size_t j = 0; - int nextValue = 0; -+ int nv = 0; - int numValues = 0; -+ Slapi_Value **va2 = NULL; -+ int *sorted2 = NULL; - - /* Loop over all the values freeing the old ones. */ -- for (i = 0; i < vs->num; i++) { -+ for(i = 0; i < vs->num; i++) -+ { - /* If we have the sorted array, find the va array ref by it. 
*/ - if (vs->sorted) { - j = vs->sorted[i]; - } else { - j = i; - } -- csnset_purge(&(vs->va[j]->v_csnset), csn); -- if (vs->va[j]->v_csnset == NULL) { -- slapi_value_free(&vs->va[j]); -- vs->va[j] = NULL; -- } else if (vs->va[j] != NULL) { -- /* This value survived, we should count it. */ -- numValues++; -+ if (vs->va[j]) { -+ csnset_purge(&(vs->va[j]->v_csnset),csn); -+ if (vs->va[j]->v_csnset == NULL) { -+ slapi_value_free(&vs->va[j]); -+ /* Set the removed value to NULL so we know later to skip it */ -+ vs->va[j] = NULL; -+ if (vs->sorted) { -+ /* Mark the value in sorted for removal */ -+ vs->sorted[i] = -1; -+ } -+ } else { -+ /* This value survived, we should count it. */ -+ numValues++; -+ } - } - } - -- /* Now compact the value/sorted list. */ -+ /* Compact vs->va and vs->sorted only when there're -+ * remaining values ie: numValues is greater than 0 */ - /* -- * Because we want to preserve the sorted array, this is complicated. -+ * Algorithm explination: We start with a pair of arrays - the attrs, and the sorted array that provides -+ * a lookup into it: -+ * -+ * va: [d e a c b] sorted: [2 4 3 0 1] -+ * -+ * When we remove the element b, we NULL it, and we have to mark the place where it "was" as a -1 to -+ * flag it's removal. -+ * -+ * va: [d e a c NULL] sorted: [2 -1 3 0 1] -+ * -+ * Now a second va is created with the reduced allocation, -+ * -+ * va2: [ X X X X ] .... -+ * -+ * Now we loop over sorted, skipping -1 that we find. In a new counter we create new sorted -+ * references, and move the values compacting them in the process. -+ * va: [d e a c NULL] -+ * va2: [a x x x] -+ * sorted: [_0 -1 3 0 1] -+ * -+ * Looping a few more times would yield: - * -- * We have an array of values: -- * [ b, a, c, NULL, e, NULL, NULL, d] -- * And an array of indicies that are sorted. -- * [ 1, 0, 2, 7, 4, 3, 5, 6 ] -- * Were we to iterate over the sorted array, we get refs to the values in -- * some order. 
-- * The issue is now we must *remove* from both the values *and* the sorted. -+ * va2: [a c x x] -+ * sorted: [_0 _1 3 0 1] - * -- * Previously, we just discarded this, because too hard. Now we try to keep -- * it. The issue is that this is surprisingly hard to actually keep in -- * sync. -+ * va2: [a c d x] -+ * sorted: [_0 _1 _2 0 1] - * -- * We can't just blindly move the values down: That breaks the sorted array -- * and we would need to iterate over the sorted array multiple times to -- * achieve this. -+ * va2: [a c d e] -+ * sorted: [_0 _1 _2 _3 1] -+ * -+ * Not only does this sort va, but with sorted, we have a faster lookup, and it will benefit cache -+ * lookup. - * -- * It's actually going to be easier to just ditch the sorted, compact vs -- * and then qsort the array. - */ -+ if (numValues > 0) { -+ if(vs->sorted) { -+ /* Let's allocate va2 and sorted2 */ -+ va2 = (Slapi_Value **) slapi_ch_malloc( (numValues + 1) * sizeof(Slapi_Value *)); -+ sorted2 = (int *) slapi_ch_malloc( (numValues + 1)* sizeof(int)); -+ } - -- j = 0; -- while (nextValue < numValues && j < vs->num) { -- /* nextValue is what we are looking at now -- * j tracks along the array getting next elements. 
-- * -- * [ b, a, c, NULL, e, NULL, NULL, d] -- * ^nv ^j -- * [ b, a, c, e, NULL, NULL, NULL, d] -- * ^nv ^j -- * [ b, a, c, e, NULL, NULL, NULL, d] -- * ^nv ^j -- * [ b, a, c, e, NULL, NULL, NULL, d] -- * ^nv ^j -- * [ b, a, c, e, NULL, NULL, NULL, d] -- * ^nv ^j -- * [ b, a, c, e, d, NULL, NULL, NULL] -- * ^nv ^j -- */ -- if (vs->va[nextValue] == NULL) { -- /* Advance j till we find something */ -- while (vs->va[j] == NULL) { -- j++; -+ /* I is the index for the *new* va2 array */ -+ for(i=0; inum; i++) { -+ if (vs->sorted) { -+ /* Skip any removed values from the index */ -+ while((nv < vs->num) && (-1 == vs->sorted[nv])) { -+ nv++; -+ } -+ /* We have a remaining value, add it to the va */ -+ if(nv < vs->num) { -+ va2[i] = vs->va[vs->sorted[nv]]; -+ sorted2[i] = i; -+ nv++; -+ } -+ } else { -+ while((nextValue < vs->num) && (NULL == vs->va[nextValue])) { -+ nextValue++; -+ } -+ -+ if(nextValue < vs->num) { -+ vs->va[i] = vs->va[nextValue]; -+ nextValue++; -+ } else { -+ break; -+ } - } -- /* We have something! */ -- vs->va[nextValue] = vs->va[j]; -- vs->va[j] = NULL; - } -- nextValue++; -- } -- /* Fix up the number of values */ -- vs->num = numValues; -- /* Should we re-alloc values to be smaller? */ -- /* Other parts of DS are lazy. Lets clean our list */ -- for (j = vs->num; j < vs->max; j++) { -- vs->va[j] = NULL; -- } - -- /* All the values were deleted, we can discard the whole array. */ -- if (vs->num == 0) { - if (vs->sorted) { -+ /* Finally replace the valuearray and adjust num, max */ -+ slapi_ch_free((void **)&vs->va); - slapi_ch_free((void **)&vs->sorted); -+ vs->va = va2; -+ vs->sorted = sorted2; -+ vs->num = numValues; -+ vs->max = vs->num + 1; -+ } else { -+ vs->num = numValues; - } -- slapi_ch_free((void **)&vs->va); -- vs->va = NULL; -- vs->max = 0; -- } else if (vs->sorted != NULL) { -- /* We still have values! 
rebuild the sorted array */ -- valueset_array_to_sorted(a, vs); -+ -+ for (j = vs->num; j < vs->max; j++) { -+ vs->va[j] = NULL; -+ if (vs->sorted) { -+ vs->sorted[j] = -1; -+ } -+ } -+ } else { -+ slapi_valueset_done(vs); - } - -+ /* We still have values but not sorted array! rebuild it */ -+ if(vs->num > VALUESET_ARRAY_SORT_THRESHOLD && vs->sorted == NULL) { -+ vs->sorted = (int *) slapi_ch_malloc( vs->max* sizeof(int)); -+ valueset_array_to_sorted(a, vs); -+ } - #ifdef DEBUG - PR_ASSERT(vs->num == 0 || (vs->num > 0 && vs->va[0] != NULL)); - size_t index = 0; -@@ -781,7 +817,6 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn) - PR_ASSERT(vs->va[index] == NULL); - } - #endif -- - /* return the number of remaining values */ - return numValues; - } --- -2.13.6 - diff --git a/SOURCES/0021-Ticket-49401-Fix-compiler-incompatible-pointer-types.patch b/SOURCES/0021-Ticket-49401-Fix-compiler-incompatible-pointer-types.patch deleted file mode 100644 index 8438d01..0000000 --- a/SOURCES/0021-Ticket-49401-Fix-compiler-incompatible-pointer-types.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 308691e03cc6312bde3409b346df3156d34db0fe Mon Sep 17 00:00:00 2001 -From: Mohammad Nweider -Date: Wed, 25 Oct 2017 16:26:54 +0000 -Subject: [PATCH] Ticket 49401 - Fix compiler incompatible-pointer-types - warnings - -Bug Description: vs->sorted was integer pointer in older versions, - but now it's size_t pointer, this is causing compiler warnings - during the build - -Fix Description: use size_t pointers instead of integer pointers for vs->sorted and sorted2 - -Review By: mreynolds - -Signed-off-by: Mark Reynolds -(cherry picked from commit 52ba2aba49935989152010aee0d40b01d7a78432) ---- - ldap/servers/slapd/valueset.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c -index 1c1bc150a..dc0360738 100644 ---- a/ldap/servers/slapd/valueset.c -+++ b/ldap/servers/slapd/valueset.c -@@ -680,7 +680,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn) - int nv = 0; - int numValues = 0; - Slapi_Value **va2 = NULL; -- int *sorted2 = NULL; -+ size_t *sorted2 = NULL; - - /* Loop over all the values freeing the old ones. */ - for(i = 0; i < vs->num; i++) -@@ -750,7 +750,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn) - if(vs->sorted) { - /* Let's allocate va2 and sorted2 */ - va2 = (Slapi_Value **) slapi_ch_malloc( (numValues + 1) * sizeof(Slapi_Value *)); -- sorted2 = (int *) slapi_ch_malloc( (numValues + 1)* sizeof(int)); -+ sorted2 = (size_t *) slapi_ch_malloc( (numValues + 1)* sizeof(size_t)); - } - - /* I is the index for the *new* va2 array */ -@@ -804,7 +804,7 @@ valueset_array_purge(const Slapi_Attr *a, Slapi_ValueSet *vs, const CSN *csn) - - /* We still have values but not sorted array! 
rebuild it */ - if(vs->num > VALUESET_ARRAY_SORT_THRESHOLD && vs->sorted == NULL) { -- vs->sorted = (int *) slapi_ch_malloc( vs->max* sizeof(int)); -+ vs->sorted = (size_t *) slapi_ch_malloc( vs->max* sizeof(size_t)); - valueset_array_to_sorted(a, vs); - } - #ifdef DEBUG --- -2.13.6 - diff --git a/SOURCES/0022-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch b/SOURCES/0022-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch deleted file mode 100644 index 8e2be67..0000000 --- a/SOURCES/0022-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch +++ /dev/null @@ -1,39 +0,0 @@ -From dba89dd23d2d62686de192e0986eba65270a62c7 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 26 Oct 2017 10:03:39 -0400 -Subject: [PATCH] Ticket 48894 - harden valueset_array_to_sorted_quick valueset - access - -Description: It's possible during the sorting of a valueset to access an - array element past the allocated size, and also go below the index 0. - -https://pagure.io/389-ds-base/issue/48894 - -Reviewed by: nweiderm (Thanks!) - -(cherry picked from commit 2086d052e338ddcbcf6bd3222617991641573a12) ---- - ldap/servers/slapd/valueset.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c -index dc0360738..14ebc48e6 100644 ---- a/ldap/servers/slapd/valueset.c -+++ b/ldap/servers/slapd/valueset.c -@@ -1019,11 +1019,11 @@ valueset_array_to_sorted_quick(const Slapi_Attr *a, Slapi_ValueSet *vs, size_t l - while (1) { - do { - i++; -- } while (valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0); -+ } while (i < vs->max && valueset_value_cmp(a, vs->va[vs->sorted[i]], vs->va[pivot]) < 0); - - do { - j--; -- } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0); -+ } while (valueset_value_cmp(a, vs->va[vs->sorted[j]], vs->va[pivot]) > 0 && j > 0); - - if (i >= j) { - break; --- -2.13.6 - 
diff --git a/SOURCES/0023-Ticket-49424-Resolve-csiphash-alignment-issues.patch b/SOURCES/0023-Ticket-49424-Resolve-csiphash-alignment-issues.patch
deleted file mode 100644
index 5dde249..0000000
--- a/SOURCES/0023-Ticket-49424-Resolve-csiphash-alignment-issues.patch
+++ /dev/null
@@ -1,176 +0,0 @@ -From 5909e20899334816f36cac0e47105e56df52ad3c Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Mon, 30 Oct 2017 12:01:34 +1000 -Subject: [PATCH] Ticket 49424 - Resolve csiphash alignment issues - -Bug Description: On some platforms, uint64_t is not the same size -as a void * - as well, if the input is not aligned correctly, then -a number of nasty crashes can result - -Fix Description: Instead of relying on alignment to be correct, -we should memcpy the data to inputs instead. - -https://pagure.io/389-ds-base/issue/49424 - -Author: wibrown - -Review by: lslebodn, cgrzemba, vashirov, mreynolds (Thanks!) - -(cherry picked from commit 751446440f5269a246e6e652a64e63aa5933734a) ---- - src/libsds/external/csiphash/csiphash.c | 52 +++++++++++++++++++-------------- - src/libsds/test/test_sds_csiphash.c | 43 +++++++++++++++++++++------ - 2 files changed, 64 insertions(+), 31 deletions(-) - -diff --git a/src/libsds/external/csiphash/csiphash.c b/src/libsds/external/csiphash/csiphash.c -index 0089c82f7..2351db6cf 100644 ---- a/src/libsds/external/csiphash/csiphash.c -+++ b/src/libsds/external/csiphash/csiphash.c -@@ -32,6 +32,9 @@ - #include - #include /* for size_t */ - -+#include /* calloc,free */ -+#include /* memcpy */ -+ - #include - - #if defined(HAVE_SYS_ENDIAN_H) -@@ -75,11 +78,24 @@ - uint64_t - sds_siphash13(const void *src, size_t src_sz, const char key[16]) - { -- const uint64_t *_key = (uint64_t *)key; -+ uint64_t _key[2] = {0}; -+ memcpy(_key, key, 16); - uint64_t k0 = _le64toh(_key[0]); - uint64_t k1 = _le64toh(_key[1]); - uint64_t b = (uint64_t)src_sz << 56; -- const uint64_t *in = (uint64_t *)src; -+ -+ size_t input_sz = (src_sz / sizeof(uint64_t)) + 1; -+ -+ /* Account for non-uint64_t alligned input */ -+ /* Could make this stack allocation */ -+ uint64_t *in = calloc(1, input_sz * sizeof(uint64_t)); -+ /* -+ * Because all crypto code sucks, they modify *in -+ * during operation, so we stash a copy of the ptr here. 
-+ * alternately, we could use stack allocated array, but gcc -+ * will complain about the vla being unbounded. -+ */ -+ uint64_t *in_ptr = memcpy(in, src, src_sz); - - uint64_t v0 = k0 ^ 0x736f6d6570736575ULL; - uint64_t v1 = k1 ^ 0x646f72616e646f6dULL; -@@ -96,27 +112,15 @@ sds_siphash13(const void *src, size_t src_sz, const char key[16]) - v0 ^= mi; - } - -+ /* -+ * Because we allocate in as size + 1, we can over-read 0 -+ * for this buffer to be padded correctly. in here is a pointer to the -+ * excess data because the while loop above increments the in pointer -+ * to point to the excess once src_sz drops < 8. -+ */ - uint64_t t = 0; -- uint8_t *pt = (uint8_t *)&t; -- uint8_t *m = (uint8_t *)in; -- -- switch (src_sz) { -- case 7: -- pt[6] = m[6]; /* FALLTHRU */ -- case 6: -- pt[5] = m[5]; /* FALLTHRU */ -- case 5: -- pt[4] = m[4]; /* FALLTHRU */ -- case 4: -- *((uint32_t *)&pt[0]) = *((uint32_t *)&m[0]); -- break; -- case 3: -- pt[2] = m[2]; /* FALLTHRU */ -- case 2: -- pt[1] = m[1]; /* FALLTHRU */ -- case 1: -- pt[0] = m[0]; /* FALLTHRU */ -- } -+ memcpy(&t, in, sizeof(uint64_t)); -+ - b |= _le64toh(t); - - v3 ^= b; -@@ -126,5 +130,9 @@ sds_siphash13(const void *src, size_t src_sz, const char key[16]) - v2 ^= 0xff; - // dround - dROUND(v0, v1, v2, v3); -+ -+ free(in_ptr); -+ - return (v0 ^ v1) ^ (v2 ^ v3); - } -+ -diff --git a/src/libsds/test/test_sds_csiphash.c b/src/libsds/test/test_sds_csiphash.c -index cdb6b7f46..cc9a6b2b5 100644 ---- a/src/libsds/test/test_sds_csiphash.c -+++ b/src/libsds/test/test_sds_csiphash.c -@@ -25,23 +25,48 @@ - static void - test_siphash(void **state __attribute__((unused))) - { -- -- // - uint64_t value = 0; - uint64_t hashout = 0; - char key[16] = {0}; - -- uint64_t test_a = 15794382300316794652U; -- uint64_t test_b = 13042610424265326907U; -+ uint64_t test_simple = 15794382300316794652U; - -- // Initial simple test -+ /* Initial simple test */ - value = htole64(5); - hashout = sds_siphash13(&value, sizeof(uint64_t), key); -- 
assert_true(hashout == test_a); -+ assert_int_equal(hashout, test_simple); -+ -+ /* Test a range of input sizes to check endianness behaviour */ -+ -+ hashout = sds_siphash13("a", 1, key); -+ assert_int_equal(hashout, 0x407448d2b89b1813U); -+ -+ hashout = sds_siphash13("aa", 2, key); -+ assert_int_equal(hashout, 0x7910e0436ed8d1deU); -+ -+ hashout = sds_siphash13("aaa", 3, key); -+ assert_int_equal(hashout, 0xf752893a6c769652U); -+ -+ hashout = sds_siphash13("aaaa", 4, key); -+ assert_int_equal(hashout, 0x8b02350718d87164U); -+ -+ hashout = sds_siphash13("aaaaa", 5, key); -+ assert_int_equal(hashout, 0x92a991474c7eef2U); -+ -+ hashout = sds_siphash13("aaaaaa", 6, key); -+ assert_int_equal(hashout, 0xf0ab815a640277ccU); -+ -+ hashout = sds_siphash13("aaaaaaa", 7, key); -+ assert_int_equal(hashout, 0x33f3c6d7dbc82c0dU); -+ -+ hashout = sds_siphash13("aaaaaaaa", 8, key); -+ assert_int_equal(hashout, 0xc501b12e18428c92U); -+ -+ hashout = sds_siphash13("aaaaaaaabbbb", 12, key); -+ assert_int_equal(hashout, 0xcddca673069ade64U); - -- char *test = "abc"; -- hashout = sds_siphash13(test, 4, key); -- assert_true(hashout == test_b); -+ hashout = sds_siphash13("aaaaaaaabbbbbbbb", 16, key); -+ assert_int_equal(hashout, 0xdc54f0bfc0e1deb0U); - } - - int --- -2.13.6 - diff --git a/SOURCES/0024-Ticket-49436-double-free-in-COS-in-some-conditions.patch b/SOURCES/0024-Ticket-49436-double-free-in-COS-in-some-conditions.patch deleted file mode 100644 index 4309a5f..0000000 --- a/SOURCES/0024-Ticket-49436-double-free-in-COS-in-some-conditions.patch +++ /dev/null 
@@ -1,258 +0,0 @@ -From dcf75750dff23e848cde2ae63a0778b123de6dd7 Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Thu, 2 Nov 2017 13:32:41 +1000 -Subject: [PATCH] Ticket 49436 - double free in COS in some conditions - -Bug Description: virtualattrs and COS have some serious memory -ownership issues. What was happening is that COS with multiple -attributes using the same sp_handle would cause a structure -to be registered twice. During shutdown we would then trigger -a double free in the process. - -Fix Description: Change the behaviour of sp_handles to use a -handle *per* attribute we register to guarantee the assocation -between them. - -https://pagure.io/389-ds-base/issue/49436 - -Author: wibrown - -Review by: mreynolds, vashirov (Thanks!) - -(cherry pick from commit ee4428a3f5d2d8e37a7107c7dce9d622fc17d41c) ---- - dirsrvtests/tests/suites/cos/indirect_cos_test.py | 43 +++++++---------------- - ldap/servers/plugins/cos/cos_cache.c | 32 +++++++++-------- - ldap/servers/plugins/roles/roles_cache.c | 8 ++--- - ldap/servers/slapd/vattr.c | 28 +++++++++------ - 4 files changed, 51 insertions(+), 60 deletions(-) - -diff --git a/dirsrvtests/tests/suites/cos/indirect_cos_test.py b/dirsrvtests/tests/suites/cos/indirect_cos_test.py -index 1aac6b8ed..452edcdf8 100644 ---- a/dirsrvtests/tests/suites/cos/indirect_cos_test.py -+++ b/dirsrvtests/tests/suites/cos/indirect_cos_test.py -@@ -7,6 +7,7 @@ import subprocess - - from lib389 import Entry - from lib389.idm.user import UserAccounts -+from lib389.idm.domain import Domain - from lib389.topologies import topology_st as topo - from lib389._constants import (DEFAULT_SUFFIX, DN_DM, PASSWORD, HOST_STANDALONE, - SERVERID_STANDALONE, PORT_STANDALONE) -@@ -48,14 +49,8 @@ def check_user(inst): - def setup_subtree_policy(topo): - """Set up subtree password policy - """ -- try: -- topo.standalone.modify_s("cn=config", [(ldap.MOD_REPLACE, -- 'nsslapd-pwpolicy-local', -- 'on')]) -- except ldap.LDAPError as e: -- log.error('Failed to 
set fine-grained policy: error {}'.format( -- e.message['desc'])) -- raise e -+ -+ topo.standalone.config.set('nsslapd-pwpolicy-local', 'on') - - log.info('Create password policy for subtree {}'.format(OU_PEOPLE)) - try: -@@ -68,15 +63,9 @@ def setup_subtree_policy(topo): - OU_PEOPLE, e.message['desc'])) - raise e - -- log.info('Add pwdpolicysubentry attribute to {}'.format(OU_PEOPLE)) -- try: -- topo.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_REPLACE, -- 'pwdpolicysubentry', -- PW_POLICY_CONT_PEOPLE2)]) -- except ldap.LDAPError as e: -- log.error('Failed to pwdpolicysubentry pw policy ' -- 'policy for {}: error {}'.format(OU_PEOPLE, e.message['desc'])) -- raise e -+ domain = Domain(topo.standalone, DEFAULT_SUFFIX) -+ domain.replace('pwdpolicysubentry', PW_POLICY_CONT_PEOPLE2) -+ - time.sleep(1) - - -@@ -116,12 +105,9 @@ def setup(topo, request): - """ - log.info('Add custom schema...') - try: -- ATTR_1 = ("( 1.3.6.1.4.1.409.389.2.189 NAME 'x-department' " + -- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )") -- ATTR_2 = ("( 1.3.6.1.4.1.409.389.2.187 NAME 'x-en-ou' " + -- "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )") -- OC = ("( xPerson-oid NAME 'xPerson' DESC '' SUP person STRUCTURAL MAY " + -- "( x-department $ x-en-ou ) X-ORIGIN 'user defined' )") -+ ATTR_1 = (b"( 1.3.6.1.4.1.409.389.2.189 NAME 'x-department' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )") -+ ATTR_2 = (b"( 1.3.6.1.4.1.409.389.2.187 NAME 'x-en-ou' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )") -+ OC = (b"( xPerson-oid NAME 'xPerson' DESC '' SUP person STRUCTURAL MAY ( x-department $ x-en-ou ) X-ORIGIN 'user defined' )") - topo.standalone.modify_s("cn=schema", [(ldap.MOD_ADD, 'attributeTypes', ATTR_1), - (ldap.MOD_ADD, 'attributeTypes', ATTR_2), - (ldap.MOD_ADD, 'objectClasses', OC)]) -@@ -142,14 +128,9 @@ def setup(topo, request): - 'homeDirectory': '/home/test_user', - 'seeAlso': 'cn=cosTemplate,dc=example,dc=com' - } -- 
users.create(properties=user_properties) -- try: -- topo.standalone.modify_s(TEST_USER_DN, [(ldap.MOD_ADD, -- 'objectclass', -- 'xPerson')]) -- except ldap.LDAPError as e: -- log.fatal('Failed to add objectclass to user') -- raise e -+ user = users.create(properties=user_properties) -+ -+ user.add('objectClass', 'xPerson') - - # Setup COS - log.info("Setup indirect COS...") -diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c -index 9ae15db15..662dace35 100644 ---- a/ldap/servers/plugins/cos/cos_cache.c -+++ b/ldap/servers/plugins/cos/cos_cache.c -@@ -109,9 +109,6 @@ void *cos_get_plugin_identity(void); - #define COSTYPE_INDIRECT 3 - #define COS_DEF_ERROR_NO_TEMPLATES -2 - --/* the global plugin handle */ --static volatile vattr_sp_handle *vattr_handle = NULL; -- - /* both variables are protected by change_lock */ - static int cos_cache_notify_flag = 0; - static PRBool cos_cache_at_work = PR_FALSE; -@@ -323,16 +320,6 @@ cos_cache_init(void) - views_api = 0; - } - -- if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle, -- cos_cache_vattr_get, -- cos_cache_vattr_compare, -- cos_cache_vattr_types) != 0) { -- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, -- "cos_cache_init - Cannot register as service provider\n"); -- ret = -1; -- goto out; -- } -- - if (PR_CreateThread(PR_USER_THREAD, - cos_cache_wait_on_change, - NULL, -@@ -860,8 +847,23 @@ cos_dn_defs_cb(Slapi_Entry *e, void *callback_data) - dnVals[valIndex]->bv_val); - } - -- slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, -- dnVals[valIndex]->bv_val, NULL, NULL); -+ /* -+ * Each SP_handle is associated to one and only one vattr. -+ * We could consider making this a single function rather -+ * than the double-call. 
-+ */ -+ -+ vattr_sp_handle *vattr_handle = NULL; -+ -+ if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle, -+ cos_cache_vattr_get, -+ cos_cache_vattr_compare, -+ cos_cache_vattr_types) != 0) { -+ slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider for %s\n", dnVals[valIndex]->bv_val); -+ } else { -+ slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL); -+ } -+ - } /* if(attrType is cosAttribute) */ - - /* -diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c -index 59f5a6081..1e5865af8 100644 ---- a/ldap/servers/plugins/roles/roles_cache.c -+++ b/ldap/servers/plugins/roles/roles_cache.c -@@ -47,9 +47,6 @@ static char *allUserAttributes[] = { - /* views scoping */ - static void **views_api; - --/* Service provider handler */ --static vattr_sp_handle *vattr_handle = NULL; -- - /* List of nested roles */ - typedef struct _role_object_nested - { -@@ -224,6 +221,10 @@ roles_cache_init() - so that we update the corresponding cache */ - slapi_register_backend_state_change(NULL, roles_cache_trigger_update_suffix); - -+ /* Service provider handler - only used once! and freed by vattr! 
*/ -+ vattr_sp_handle *vattr_handle = NULL; -+ -+ - if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle, - roles_sp_get_value, - roles_sp_compare_value, -@@ -622,7 +623,6 @@ roles_cache_stop() - current_role = next_role; - } - slapi_rwlock_unlock(global_lock); -- slapi_ch_free((void **)&vattr_handle); - roles_list = NULL; - - slapi_log_err(SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "<-- roles_cache_stop\n"); -diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c -index 82deb41fe..432946c79 100644 ---- a/ldap/servers/slapd/vattr.c -+++ b/ldap/servers/slapd/vattr.c -@@ -1864,7 +1864,12 @@ vattr_map_create(void) - void - vattr_map_entry_free(vattr_map_entry *vae) - { -- slapi_ch_free((void **)&(vae->sp_list)); -+ vattr_sp_handle *list_entry = vae->sp_list; -+ while (list_entry != NULL) { -+ vattr_sp_handle *next_entry = list_entry->next; -+ slapi_ch_free((void **)&list_entry); -+ list_entry = next_entry; -+ } - slapi_ch_free_string(&(vae->type_name)); - slapi_ch_free((void **)&vae); - } -@@ -2143,16 +2148,9 @@ slapi_vattr_schema_check_type(Slapi_Entry *e, char *type) - vattr_map_entry * - vattr_map_entry_new(char *type_name, vattr_sp_handle *sph, void *hint) - { -- vattr_map_entry *result = NULL; -- vattr_sp_handle *sp_copy = NULL; -- -- sp_copy = (vattr_sp_handle *)slapi_ch_calloc(1, sizeof(vattr_sp_handle)); -- sp_copy->sp = sph->sp; -- sp_copy->hint = hint; -- -- result = (vattr_map_entry *)slapi_ch_calloc(1, sizeof(vattr_map_entry)); -+ vattr_map_entry *result = (vattr_map_entry *)slapi_ch_calloc(1, sizeof(vattr_map_entry)); - result->type_name = slapi_ch_strdup(type_name); -- result->sp_list = sp_copy; -+ result->sp_list = sph; - - /* go get schema */ - result->objectclasses = vattr_map_entry_build_schema(type_name); -@@ -2273,6 +2271,16 @@ we'd need to hold a lock on the read path, which we don't want to do. 
- So any SP which relinquishes its need to handle a type needs to continue - to handle the calls on it, but return nothing */ - /* DBDB need to sort out memory ownership here, it's not quite right */ -+/* -+ * This function was inconsistent. We would allocated and "kind of", -+ * copy the sp_handle here for the vattr_map_entry_new path. But we -+ * would "take ownership" for the existing entry and the list addition -+ * path. Instead now, EVERY sp_handle we take, we take ownership of -+ * and the CALLER must allocate a new one each time. -+ * -+ * Better idea, is that regattr should just take the fn pointers -+ * and callers never *see* the sp_handle structure at all. -+ */ - - int - vattr_map_sp_insert(char *type_to_add, vattr_sp_handle *sp, void *hint) --- -2.13.6 - diff --git a/SOURCES/0025-Ticket-48393-Improve-replication-config-validation.patch b/SOURCES/0025-Ticket-48393-Improve-replication-config-validation.patch deleted file mode 100644 index 748eb78..0000000 --- a/SOURCES/0025-Ticket-48393-Improve-replication-config-validation.patch +++ /dev/null 
@@ -1,1719 +0,0 @@ -From c1ac23d7f5f6f14d75bd02cfd55818e2558f7cb9 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Fri, 3 Nov 2017 09:30:01 -0400 -Subject: [PATCH] Ticket 48393 - Improve replication config validation - -Bug Description: There was inconsistent behavior when modifying and adding replication - configurations and agreements. There were also a few places where - unsigned ints were used for values which made checking for negative - values impossible. - -Fix Description: Added a new function to properly check "number" attribute values. - Also forced failure on the actual update if an invalid value was used - (previously we would log an error and use some default value). Also - made all the int types consistent. - -https://pagure.io/389-ds-base/issue/48393 - -Reviewed by: firstyear(Thanks!) - -(cherry picked from commit f6b0e1841059460d6d0071cc771e3fbe834af393) ---- - .../suites/replication/replica_config_test.py | 397 +++++++++++++++++++++ - ldap/schema/01core389.ldif | 3 +- - ldap/servers/plugins/replication/repl5.h | 54 +-- - ldap/servers/plugins/replication/repl5_agmt.c | 173 +++++---- - ldap/servers/plugins/replication/repl5_replica.c | 280 +++++++++------ - .../plugins/replication/repl5_replica_config.c | 158 ++++---- - ldap/servers/plugins/replication/replutil.c | 26 ++ - 7 files changed, 792 insertions(+), 299 deletions(-) - create mode 100644 dirsrvtests/tests/suites/replication/replica_config_test.py - -diff --git a/dirsrvtests/tests/suites/replication/replica_config_test.py b/dirsrvtests/tests/suites/replication/replica_config_test.py -new file mode 100644 -index 000000000..50ea2ece9 ---- /dev/null -+++ b/dirsrvtests/tests/suites/replication/replica_config_test.py -@@ -0,0 +1,397 @@ -+import logging -+import pytest -+import copy -+import os -+import ldap -+from lib389._constants import * -+from lib389 import Entry -+from lib389.topologies import topology_st as topo -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ 
logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+REPLICA_DN = 'cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' -+AGMT_DN = 'cn=test_agreement,cn=replica,cn="dc=example,dc=com",cn=mapping tree,cn=config' -+notnum = 'invalid' -+too_big = '9223372036854775807' -+overflow = '9999999999999999999999999999999999999999999999999999999999999999999' -+ -+replica_dict = {'objectclass': 'top nsDS5Replica'.split(), -+ 'nsDS5ReplicaRoot': 'dc=example,dc=com', -+ 'nsDS5ReplicaType': '3', -+ 'nsDS5Flags': '1', -+ 'nsDS5ReplicaId': '65535', -+ 'nsds5ReplicaPurgeDelay': '604800', -+ 'nsDS5ReplicaBindDN': 'cn=u', -+ 'cn': 'replica'} -+ -+agmt_dict = {'objectClass': 'top nsDS5ReplicationAgreement'.split(), -+ 'cn': 'test_agreement', -+ 'nsDS5ReplicaRoot': 'dc=example,dc=com', -+ 'nsDS5ReplicaHost': 'localhost.localdomain', -+ 'nsDS5ReplicaPort': '5555', -+ 'nsDS5ReplicaBindDN': 'uid=tester', -+ 'nsds5ReplicaCredentials': 'password', -+ 'nsDS5ReplicaTransportInfo': 'LDAP', -+ 'nsDS5ReplicaBindMethod': 'SIMPLE'} -+ -+ -+repl_add_attrs = [('nsDS5ReplicaType', '-1', '4', overflow, notnum, '1'), -+ ('nsDS5Flags', '-1', '2', overflow, notnum, '1'), -+ ('nsDS5ReplicaId', '0', '65536', overflow, notnum, '1'), -+ ('nsds5ReplicaPurgeDelay', '-2', too_big, overflow, notnum, '1'), -+ ('nsDS5ReplicaBindDnGroupCheckInterval', '-2', too_big, overflow, notnum, '1'), -+ ('nsds5ReplicaTombstonePurgeInterval', '-2', too_big, overflow, notnum, '1'), -+ ('nsds5ReplicaProtocolTimeout', '-1', too_big, overflow, notnum, '1'), -+ ('nsds5ReplicaReleaseTimeout', '-1', too_big, overflow, notnum, '1'), -+ ('nsds5ReplicaBackoffMin', '0', too_big, overflow, notnum, '3'), -+ ('nsds5ReplicaBackoffMax', '0', too_big, overflow, notnum, '6')] -+ -+repl_mod_attrs = [('nsDS5Flags', '-1', '2', overflow, notnum, '1'), -+ ('nsds5ReplicaPurgeDelay', '-2', too_big, overflow, notnum, '1'), -+ 
('nsDS5ReplicaBindDnGroupCheckInterval', '-2', too_big, overflow, notnum, '1'), -+ ('nsds5ReplicaTombstonePurgeInterval', '-2', too_big, overflow, notnum, '1'), -+ ('nsds5ReplicaProtocolTimeout', '-1', too_big, overflow, notnum, '1'), -+ ('nsds5ReplicaReleaseTimeout', '-1', too_big, overflow, notnum, '1'), -+ ('nsds5ReplicaBackoffMin', '0', too_big, overflow, notnum, '3'), -+ ('nsds5ReplicaBackoffMax', '0', too_big, overflow, notnum, '6')] -+ -+agmt_attrs = [('nsds5ReplicaPort', '0', '65536', overflow, notnum, '389'), -+ ('nsds5ReplicaTimeout', '-1', too_big, overflow, notnum, '6'), -+ ('nsds5ReplicaBusyWaitTime', '-1', too_big, overflow, notnum, '6'), -+ ('nsds5ReplicaSessionPauseTime', '-1', too_big, overflow, notnum, '6'), -+ ('nsds5ReplicaFlowControlWindow', '-1', too_big, overflow, notnum, '6'), -+ ('nsds5ReplicaFlowControlPause', '-1', too_big, overflow, notnum, '6'), -+ ('nsds5ReplicaProtocolTimeout', '-1', too_big, overflow, notnum, '6')] -+ -+ -+def replica_setup(topo): -+ """Add a valid replica config entry to modify -+ """ -+ try: -+ topo.standalone.delete_s(REPLICA_DN) -+ except: -+ pass -+ -+ try: -+ topo.standalone.add_s(Entry((REPLICA_DN, replica_dict))) -+ except ldap.LDAPError as e: -+ log.fatal("Failed to add replica entry: " + str(e)) -+ assert False -+ -+ -+def replica_reset(topo): -+ try: -+ topo.standalone.delete_s(REPLICA_DN) -+ except: -+ pass -+ -+ -+def agmt_setup(topo): -+ """Add a valid replica config entry to modify -+ """ -+ try: -+ topo.standalone.delete_s(AGMT_DN) -+ except: -+ pass -+ -+ try: -+ topo.standalone.add_s(Entry((AGMT_DN, agmt_dict))) -+ except ldap.LDAPError as e: -+ log.fatal("Failed to add agreement entry: " + str(e)) -+ assert False -+ -+ -+def agmt_reset(topo): -+ try: -+ topo.standalone.delete_s(AGMT_DN) -+ except: -+ pass -+ -+ -+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", repl_add_attrs) -+def test_replica_num_add(topo, attr, too_small, too_big, overflow, notnum, valid): -+ 
"""Test all the number values you can set for a replica config entry -+ -+ :id: a8b47d4a-a089-4d70-8070-e6181209bf92 -+ :setup: standalone instance -+ :steps: -+ 1. Use a value that is too small -+ 2. Use a value that is too big -+ 3. Use a value that overflows the int -+ 4. Use a value with character value (not a number) -+ 5. Use a valid value -+ :expectedresults: -+ 1. Add is rejected -+ 2. Add is rejected -+ 3. Add is rejected -+ 4. Add is rejected -+ 5. Add is allowed -+ """ -+ -+ replica_reset(topo) -+ -+ # Test too small -+ my_replica = copy.deepcopy(replica_dict) -+ my_replica[attr] = too_small -+ try: -+ topo.standalone.add_s(Entry((REPLICA_DN, my_replica))) -+ log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, too_small)) -+ assert False -+ except ldap.LDAPError as e: -+ log.info("Correctly failed to add replica entry with {}:{} error: {}".format(attr, too_small, str(e))) -+ -+ # Test too big -+ my_replica = copy.deepcopy(replica_dict) -+ my_replica[attr] = too_big -+ try: -+ topo.standalone.add_s(Entry((REPLICA_DN, my_replica))) -+ log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, too_big)) -+ assert False -+ except ldap.LDAPError as e: -+ log.info("Correctly failed to add replica entry with {}:{} error: {}".format(attr, too_big, str(e))) -+ -+ # Test overflow -+ my_replica = copy.deepcopy(replica_dict) -+ my_replica[attr] = overflow -+ try: -+ topo.standalone.add_s(Entry((REPLICA_DN, my_replica))) -+ log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, overflow)) -+ assert False -+ except ldap.LDAPError as e: -+ log.info("Correctly failed to add replica entry with {}:{} error: {}".format(attr, overflow, str(e))) -+ -+ # test not a number -+ my_replica = copy.deepcopy(replica_dict) -+ my_replica[attr] = notnum -+ try: -+ topo.standalone.add_s(Entry((REPLICA_DN, my_replica))) -+ log.fatal("Incorrectly allowed to add replica entry with {}:{}".format(attr, notnum)) -+ assert False 
-+ except ldap.LDAPError as e: -+ log.info("Correctly failed to add replica entry with {}:{} error: {}".format(attr, notnum, str(e))) -+ -+ # Test valid value -+ my_replica = copy.deepcopy(replica_dict) -+ my_replica[attr] = valid -+ try: -+ topo.standalone.add_s(Entry((REPLICA_DN, my_replica))) -+ log.info("Correctly allowed to add replica entry with {}: {}".format(attr, valid)) -+ except ldap.LDAPError as e: -+ log.fatal("Incorrectly failed to add replica entry with {}: {} error: {}".format(attr, valid, str(e))) -+ assert False -+ -+ -+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", repl_mod_attrs) -+def test_replica_num_modify(topo, attr, too_small, too_big, overflow, notnum, valid): -+ """Test all the number values you can set for a replica config entry -+ -+ :id: a8b47d4a-a089-4d70-8070-e6181209bf93 -+ :setup: standalone instance -+ :steps: -+ 1. Replace a value that is too small -+ 2. Repalce a value that is too big -+ 3. Replace a value that overflows the int -+ 4. Replace a value with character value (not a number) -+ 5. Replace a vlue with a valid value -+ :expectedresults: -+ 1. Value is rejected -+ 2. Value is rejected -+ 3. Value is rejected -+ 4. Value is rejected -+ 5. 
Value is allowed -+ """ -+ -+ # Value too small -+ replica_setup(topo) -+ try: -+ topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, too_small)]) -+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_small)) -+ assert False -+ except: -+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_small)) -+ -+ # Value too big -+ replica_setup(topo) -+ try: -+ topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, too_big)]) -+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_big)) -+ assert False -+ except: -+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_big)) -+ -+ # Value overflow -+ replica_setup(topo) -+ try: -+ topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, overflow)]) -+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, overflow)) -+ assert False -+ except: -+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, overflow)) -+ -+ # Value not a number -+ replica_setup(topo) -+ try: -+ topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, notnum)]) -+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, notnum)) -+ assert False -+ except: -+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, notnum)) -+ -+ # Value is valid -+ replica_setup(topo) -+ try: -+ topo.standalone.modify_s(REPLICA_DN, [(ldap.MOD_REPLACE, attr, valid)]) -+ log.info('Correctly added valid agreement attribute value: {}:{}'.format(attr, valid)) -+ except ldap.LDAPError as e: -+ log.fatal('Valid value for {}:{} was incorrectly rejected. 
Error {}'.format(attr, valid, str(e))) -+ assert False -+ -+ -+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", agmt_attrs) -+def test_agmt_num_add(topo, attr, too_small, too_big, overflow, notnum, valid): -+ """Test all the number values you can set for a replica config entry -+ -+ :id: a8b47d4a-a089-4d70-8070-e6181209bf94 -+ :setup: standalone instance -+ :steps: -+ 1. Use a value that is too small -+ 2. Use a value that is too big -+ 3. Use a value that overflows the int -+ 4. Use a value with character value (not a number) -+ 5. Use a valid value -+ :expectedresults: -+ 1. Add is rejected -+ 2. Add is rejected -+ 3. Add is rejected -+ 4. Add is rejected -+ 5. Add is allowed -+ """ -+ agmt_reset(topo) -+ -+ # Test too small -+ my_agmt = copy.deepcopy(agmt_dict) -+ my_agmt[attr] = too_small -+ try: -+ topo.standalone.add_s(Entry((AGMT_DN, my_agmt))) -+ log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, too_small)) -+ assert False -+ except ldap.LDAPError as e: -+ log.info("Correctly failed to add agreement entry with {}:{} error: {}".format(attr, too_small, str(e))) -+ -+ # Test too big -+ my_agmt = copy.deepcopy(agmt_dict) -+ my_agmt[attr] = too_big -+ try: -+ topo.standalone.add_s(Entry((AGMT_DN, my_agmt))) -+ log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, too_big)) -+ assert False -+ except ldap.LDAPError as e: -+ log.info("Correctly failed to add agreement entry with {}:{} error: {}".format(attr, too_big, str(e))) -+ -+ # Test overflow -+ my_agmt = copy.deepcopy(agmt_dict) -+ my_agmt[attr] = overflow -+ try: -+ topo.standalone.add_s(Entry((AGMT_DN, my_agmt))) -+ log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, overflow)) -+ assert False -+ except ldap.LDAPError as e: -+ log.info("Correctly failed to add agreement entry with {}:{} error: {}".format(attr, overflow, str(e))) -+ -+ # test not a number -+ my_agmt = copy.deepcopy(agmt_dict) -+ 
my_agmt[attr] = notnum -+ try: -+ topo.standalone.add_s(Entry((AGMT_DN, my_agmt))) -+ log.fatal("Incorrectly allowed to add agreement entry with {}:{}".format(attr, notnum)) -+ assert False -+ except ldap.LDAPError as e: -+ log.info("Correctly failed to add agreement entry with {}:{} error: {}".format(attr, notnum, str(e))) -+ -+ # Test valid value -+ my_agmt = copy.deepcopy(agmt_dict) -+ my_agmt[attr] = valid -+ try: -+ topo.standalone.add_s(Entry((AGMT_DN, my_agmt))) -+ log.info("Correctly allowed to add agreement entry with {}: {}".format(attr, valid)) -+ except ldap.LDAPError as e: -+ log.fatal("Incorrectly failed to add agreement entry with {}: {} error: {}".format(attr, valid, str(e))) -+ assert False -+ -+ -+@pytest.mark.parametrize("attr, too_small, too_big, overflow, notnum, valid", agmt_attrs) -+def test_agmt_num_modify(topo, attr, too_small, too_big, overflow, notnum, valid): -+ """Test all the number values you can set for a replica config entry -+ -+ :id: a8b47d4a-a089-4d70-8070-e6181209bf95 -+ :setup: standalone instance -+ :steps: -+ 1. Replace a value that is too small -+ 2. Replace a value that is too big -+ 3. Replace a value that overflows the int -+ 4. Replace a value with character value (not a number) -+ 5. Replace a vlue with a valid value -+ :expectedresults: -+ 1. Value is rejected -+ 2. Value is rejected -+ 3. Value is rejected -+ 4. Value is rejected -+ 5. 
Value is allowed -+ """ -+ -+ # Value too small -+ agmt_setup(topo) -+ try: -+ topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, too_small)]) -+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_small)) -+ assert False -+ except: -+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_small)) -+ -+ # Value too big -+ agmt_setup(topo) -+ try: -+ topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, too_big)]) -+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, too_big)) -+ assert False -+ except: -+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, too_big)) -+ -+ # Value overflow -+ agmt_setup(topo) -+ try: -+ topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, overflow)]) -+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, overflow)) -+ assert False -+ except: -+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, overflow)) -+ -+ # Value not a number -+ agmt_setup(topo) -+ try: -+ topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, notnum)]) -+ log.fatal('Invalid value for {}:{} was incorrectly allowed'.format(attr, notnum)) -+ assert False -+ except: -+ log.info('Invalid value for {}:{} was correctly rejected'.format(attr, notnum)) -+ -+ # Value is valid -+ agmt_setup(topo) -+ try: -+ topo.standalone.modify_s(AGMT_DN, [(ldap.MOD_REPLACE, attr, valid)]) -+ except ldap.LDAPError as e: -+ log.fatal('Valid value for {}:{} was incorrectly rejected. 
Error {}'.format(attr, valid, str(e))) -+ assert False -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif -index 246495214..ab124c86c 100644 ---- a/ldap/schema/01core389.ldif -+++ b/ldap/schema/01core389.ldif -@@ -303,6 +303,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2331 NAME 'nsslapd-logging-hr-timestamps - attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2333 NAME 'nsds5ReplicaReleaseTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2335 NAME 'nsds5ReplicaIgnoreMissingChange' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) -+attributeTypes: ( 2.16.840.1.113730.3.1.2336 NAME 'nsDS5ReplicaBindDnGroupCheckInterval' DESC 'Replication configuration setting for controlling the bind dn group check interval' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) - # - # objectclasses - # -@@ -312,7 +313,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.44 NAME 'nsIndex' DESC 'Netscape defined - objectClasses: ( 2.16.840.1.113730.3.2.109 NAME 'nsBackendInstance' DESC 'Netscape defined objectclass' SUP top MUST ( CN ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.110 NAME 'nsMappingTree' DESC 'Netscape defined objectclass' SUP top MUST ( CN ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.104 NAME 'nsContainer' DESC 'Netscape defined objectclass' SUP top MUST ( CN ) X-ORIGIN 'Netscape Directory Server' ) 
--objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Netscape defined objectclass' SUP top MUST ( nsDS5ReplicaRoot $ nsDS5ReplicaId ) MAY (cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5ReplicaAutoReferral $ nsds5ReplicaPurgeDelay $ nsds5ReplicaTombstonePurgeInterval $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax $ nsds5ReplicaReleaseTimeout ) X-ORIGIN 'Netscape Directory Server' ) -+objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Replication configuration objectclass' SUP top MUST ( nsDS5ReplicaRoot $ nsDS5ReplicaId ) MAY (cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5ReplicaAutoReferral $ nsds5ReplicaPurgeDelay $ nsds5ReplicaTombstonePurgeInterval $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax $ nsds5ReplicaReleaseTimeout $ nsDS5ReplicaBindDnGroupCheckInterval ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.113 NAME 'nsTombstone' DESC 'Netscape defined objectclass' SUP top MAY ( nstombstonecsn $ nsParentUniqueId $ nscpEntryDN ) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ 
nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause $ nsDS5ReplicaWaitForAsyncResults $ nsds5ReplicaIgnoreMissingChange) X-ORIGIN 'Netscape Directory Server' ) - objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' ) -diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h -index 3bd878d4d..c6e79b7e2 100644 ---- a/ldap/servers/plugins/replication/repl5.h -+++ b/ldap/servers/plugins/replication/repl5.h -@@ -330,8 +330,8 @@ void replsupplier_configure(Repl_Supplier *rs, Slapi_PBlock *pb); - void replsupplier_start(Repl_Supplier *rs); - void replsupplier_stop(Repl_Supplier *rs); - void replsupplier_destroy(Repl_Supplier **rs); --void replsupplier_notify(Repl_Supplier *rs, PRUint32 eventmask); --PRUint32 replsupplier_get_status(Repl_Supplier *rs); -+void replsupplier_notify(Repl_Supplier *rs, uint32_t eventmask); -+uint32_t replsupplier_get_status(Repl_Supplier *rs); - - /* In repl5_plugins.c */ - int multimaster_set_local_purl(void); -@@ -383,7 +383,7 @@ int agmt_stop(Repl_Agmt *ra); - int agmt_replicate_now(Repl_Agmt *ra); - char *agmt_get_hostname(const Repl_Agmt *ra); - int agmt_get_port(const Repl_Agmt *ra); --PRUint32 agmt_get_transport_flags(const Repl_Agmt *ra); -+uint32_t agmt_get_transport_flags(const Repl_Agmt *ra); - char *agmt_get_binddn(const Repl_Agmt *ra); - struct berval *agmt_get_credentials(const Repl_Agmt 
*ra); - int agmt_get_bindmethod(const Repl_Agmt *ra); -@@ -448,8 +448,8 @@ int agmt_set_attrs_to_strip(Repl_Agmt *ra, Slapi_Entry *e); - int agmt_set_timeout(Repl_Agmt *ra, long timeout); - int agmt_set_ignoremissing(Repl_Agmt *ra, long ignoremissing); - void agmt_update_done(Repl_Agmt *ra, int is_total); --PRUint64 agmt_get_protocol_timeout(Repl_Agmt *agmt); --void agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout); -+uint64_t agmt_get_protocol_timeout(Repl_Agmt *agmt); -+void agmt_set_protocol_timeout(Repl_Agmt *agmt, uint64_t timeout); - void agmt_update_maxcsn(Replica *r, Slapi_DN *sdn, int op, LDAPMod **mods, CSN *csn); - void add_agmt_maxcsns(Slapi_Entry *e, Replica *r); - void agmt_remove_maxcsn(Repl_Agmt *ra); -@@ -532,8 +532,8 @@ void *consumer_connection_extension_constructor(void *object, void *parent); - void consumer_connection_extension_destructor(void *ext, void *object, void *parent); - - /* extension helpers for managing exclusive access */ --consumer_connection_extension *consumer_connection_extension_acquire_exclusive_access(void *conn, PRUint64 connid, int opid); --int consumer_connection_extension_relinquish_exclusive_access(void *conn, PRUint64 connid, int opid, PRBool force); -+consumer_connection_extension *consumer_connection_extension_acquire_exclusive_access(void *conn, uint64_t connid, int opid); -+int consumer_connection_extension_relinquish_exclusive_access(void *conn, uint64_t connid, int opid, PRBool force); - - /* mapping tree extension - stores replica object */ - typedef struct multimaster_mtnode_extension -@@ -666,8 +666,8 @@ Replica *replica_new_from_entry(Slapi_Entry *e, char *errortext, PRBool is_add_o - void replica_destroy(void **arg); - int replica_subentry_update(Slapi_DN *repl_root, ReplicaId rid); - int replica_subentry_check(Slapi_DN *repl_root, ReplicaId rid); --PRBool replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opid, const char *locking_purl, char **current_purl); --void 
replica_relinquish_exclusive_access(Replica *r, PRUint64 connid, int opid); -+PRBool replica_get_exclusive_access(Replica *r, PRBool *isInc, uint64_t connid, int opid, const char *locking_purl, char **current_purl); -+void replica_relinquish_exclusive_access(Replica *r, uint64_t connid, int opid); - PRBool replica_get_tombstone_reap_active(const Replica *r); - const Slapi_DN *replica_get_root(const Replica *r); - const char *replica_get_name(const Replica *r); -@@ -685,11 +685,13 @@ PRBool replica_is_updatedn(Replica *r, const Slapi_DN *sdn); - void replica_set_updatedn(Replica *r, const Slapi_ValueSet *vs, int mod_op); - void replica_set_groupdn(Replica *r, const Slapi_ValueSet *vs, int mod_op); - char *replica_get_generation(const Replica *r); -+ - /* currently supported flags */ - #define REPLICA_LOG_CHANGES 0x1 /* enable change logging */ --PRBool replica_is_flag_set(const Replica *r, PRUint32 flag); --void replica_set_flag(Replica *r, PRUint32 flag, PRBool clear); --void replica_replace_flags(Replica *r, PRUint32 flags); -+ -+PRBool replica_is_flag_set(const Replica *r, uint32_t flag); -+void replica_set_flag(Replica *r, uint32_t flag, PRBool clear); -+void replica_replace_flags(Replica *r, uint32_t flags); - void replica_dump(Replica *r); - void replica_set_enabled(Replica *r, PRBool enable); - Object *replica_get_replica_from_dn(const Slapi_DN *dn); -@@ -720,7 +722,7 @@ int replica_delete_by_dn(const char *dn); - int replica_is_being_configured(const char *dn); - void consumer5_set_mapping_tree_state_for_replica(const Replica *r, RUV *supplierRuv); - Object *replica_get_for_backend(const char *be_name); --void replica_set_purge_delay(Replica *r, PRUint32 purge_delay); -+void replica_set_purge_delay(Replica *r, uint32_t purge_delay); - void replica_set_tombstone_reap_interval(Replica *r, long interval); - void replica_update_ruv_consumer(Replica *r, RUV *supplier_ruv); - void replica_set_ruv_dirty(Replica *r); -@@ -730,20 +732,20 @@ char 
*replica_get_dn(Replica *r); - void replica_check_for_tasks(Replica *r, Slapi_Entry *e); - void replica_update_state(time_t when, void *arg); - void replica_reset_csn_pl(Replica *r); --PRUint64 replica_get_protocol_timeout(Replica *r); --void replica_set_protocol_timeout(Replica *r, PRUint64 timeout); --PRUint64 replica_get_release_timeout(Replica *r); --void replica_set_release_timeout(Replica *r, PRUint64 timeout); -+uint64_t replica_get_protocol_timeout(Replica *r); -+void replica_set_protocol_timeout(Replica *r, uint64_t timeout); -+uint64_t replica_get_release_timeout(Replica *r); -+void replica_set_release_timeout(Replica *r, uint64_t timeout); - void replica_set_groupdn_checkinterval(Replica *r, int timeout); --PRUint64 replica_get_backoff_min(Replica *r); --PRUint64 replica_get_backoff_max(Replica *r); --void replica_set_backoff_min(Replica *r, PRUint64 min); --void replica_set_backoff_max(Replica *r, PRUint64 max); -+uint64_t replica_get_backoff_min(Replica *r); -+uint64_t replica_get_backoff_max(Replica *r); -+void replica_set_backoff_min(Replica *r, uint64_t min); -+void replica_set_backoff_max(Replica *r, uint64_t max); - int replica_get_agmt_count(Replica *r); - void replica_incr_agmt_count(Replica *r); - void replica_decr_agmt_count(Replica *r); --PRUint64 replica_get_precise_purging(Replica *r); --void replica_set_precise_purging(Replica *r, PRUint64 on_off); -+uint64_t replica_get_precise_purging(Replica *r); -+void replica_set_precise_purging(Replica *r, uint64_t on_off); - PRBool ignore_error_and_keep_going(int error); - void replica_check_release_timeout(Replica *r, Slapi_PBlock *pb); - void replica_lock_replica(Replica *r); -@@ -764,8 +766,8 @@ void replica_unlock_replica(Replica *r); - is active, RECV should back off. And vice versa. But SEND can coexist. 
*/ - #define REPLICA_TOTAL_EXCL_RECV 32 /* ditto */ - --PRBool replica_is_state_flag_set(Replica *r, PRInt32 flag); --void replica_set_state_flag(Replica *r, PRUint32 flag, PRBool clear); -+PRBool replica_is_state_flag_set(Replica *r, int32_t flag); -+void replica_set_state_flag(Replica *r, uint32_t flag, PRBool clear); - void replica_set_tombstone_reap_stop(Replica *r, PRBool val); - void replica_enable_replication(Replica *r); - void replica_disable_replication(Replica *r, Object *r_obj); -@@ -836,6 +838,8 @@ LDAPControl *create_managedsait_control(void); - LDAPControl *create_backend_control(Slapi_DN *sdn); - void repl_set_mtn_state_and_referrals(const Slapi_DN *sdn, const char *mtn_state, const RUV *ruv, char **ruv_referrals, char **other_referrals); - void repl_set_repl_plugin_path(const char *path); -+int repl_config_valid_num(const char *config_attr, char *config_attr_value, int64_t min, int64_t max, -+ int *returncode, char *errortext, int64_t *retval); - - /* repl5_updatedn_list.c */ - typedef void *ReplicaUpdateDNList; -diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c -index e2ab320e4..78fb91ae6 100644 ---- a/ldap/servers/plugins/replication/repl5_agmt.c -+++ b/ldap/servers/plugins/replication/repl5_agmt.c -@@ -65,31 +65,31 @@ - struct changecounter - { - ReplicaId rid; -- PRUint32 num_replayed; -- PRUint32 num_skipped; -+ uint32_t num_replayed; -+ uint32_t num_skipped; - }; - - typedef struct repl5agmt - { - char *hostname; /* remote hostname */ -- int port; /* port of remote server */ -- PRUint32 transport_flags; /* SSL, TLS, etc. */ -+ int64_t port; /* port of remote server */ -+ uint32_t transport_flags; /* SSL, TLS, etc. 
*/ - char *binddn; /* DN to bind as */ - struct berval *creds; /* Password, or certificate */ -- int bindmethod; /* Bind method - simple, SSL */ -+ int64_t bindmethod; /* Bind method - simple, SSL */ - Slapi_DN *replarea; /* DN of replicated area */ - char **frac_attrs; /* list of fractional attributes to be replicated */ - char **frac_attrs_total; /* list of fractional attributes to be replicated for total update protocol */ - PRBool frac_attr_total_defined; /* TRUE if frac_attrs_total is defined */ - Schedule *schedule; /* Scheduling information */ -- int auto_initialize; /* 1 = automatically re-initialize replica */ -+ int64_t auto_initialize; /* 1 = automatically re-initialize replica */ - const Slapi_DN *dn; /* DN of replication agreement entry */ - const Slapi_RDN *rdn; /* RDN of replication agreement entry */ - char *long_name; /* Long name (rdn + host, port) of entry, for logging */ - Repl_Protocol *protocol; /* Protocol object - manages protocol */ - struct changecounter **changecounters; /* changes sent/skipped since server start up */ -- int num_changecounters; -- int max_changecounters; -+ int64_t num_changecounters; -+ int64_t max_changecounters; - time_t last_update_start_time; /* Local start time of last update session */ - time_t last_update_end_time; /* Local end time of last update session */ - char last_update_status[STATUS_LEN]; /* Status of last update. 
Format = numeric code textual description */ -@@ -102,35 +102,35 @@ typedef struct repl5agmt - Object *consumerRUV; /* last RUV received from the consumer - used for changelog purging */ - CSN *consumerSchemaCSN; /* last schema CSN received from the consumer */ - ReplicaId consumerRID; /* indicates if the consumer is the originator of a CSN */ -- int tmpConsumerRID; /* Indicates the consumer rid was set from the agmt maxcsn - it should be refreshed */ -- long timeout; /* timeout (in seconds) for outbound LDAP connections to remote server */ -+ int64_t tmpConsumerRID; /* Indicates the consumer rid was set from the agmt maxcsn - it should be refreshed */ -+ int64_t timeout; /* timeout (in seconds) for outbound LDAP connections to remote server */ - PRBool stop_in_progress; /* set by agmt_stop when shutting down */ -- long busywaittime; /* time in seconds to wait after getting a REPLICA BUSY from the consumer - -- to allow another supplier to finish sending its updates - -- if set to 0, this means to use the default value if we get a busy -- signal from the consumer */ -- long pausetime; /* time in seconds to pause after sending updates - -- to allow another supplier to send its updates - -- should be greater than busywaittime - -- if set to 0, this means do not pause */ -+ int64_t busywaittime; /* time in seconds to wait after getting a REPLICA BUSY from the consumer - -+ * to allow another supplier to finish sending its updates - -+ * if set to 0, this means to use the default value if we get a busy -+ * signal from the consumer -+ */ -+ int64_t pausetime; /* time in seconds to pause after sending updates - -+ * to allow another supplier to send its updates - -+ * should be greater than busywaittime - -+ * if set to 0, this means do not pause -+ */ - void *priv; /* private data, used for windows-specific agreement data -- for sync agreements or for replication session plug-in -- private data for normal replication agreements */ -+ * for sync agreements or for 
replication session plug-in -+ * private data for normal replication agreements -+ */ - char **attrs_to_strip; /* for fractional replication, if a "mod" is empty, strip out these attributes: -- * modifiersname, modifytimestamp, internalModifiersname, internalModifyTimestamp, etc */ -- int agreement_type; -+ * modifiersname, modifytimestamp, internalModifiersname, internalModifyTimestamp, etc */ -+ int64_t agreement_type; - Slapi_Counter *protocol_timeout; -- char *maxcsn; /* agmt max csn */ -- long flowControlWindow; /* This is the maximum number of entries -- * sent without acknowledgment -- */ -- long flowControlPause; /* When nb of not acknowledged entries overpass totalUpdateWindow -- * This is the duration (in msec) that the RA will pause before sending the next entry -- */ -- long ignoreMissingChange; /* if set replication will try to continue even if change cannot be found in changelog */ -- Slapi_RWLock *attr_lock; /* RW lock for all the stripped attrs */ -- int WaitForAsyncResults; /* Pass to DS_Sleep(PR_MillisecondsToInterval(WaitForAsyncResults)) -- * in repl5_inc_waitfor_async_results */ -+ char *maxcsn; /* agmt max csn */ -+ int64_t flowControlWindow; /* This is the maximum number of entries sent without acknowledgment */ -+ int64_t flowControlPause; /* When nb of not acknowledged entries overpass totalUpdateWindow -+ * This is the duration (in msec) that the RA will pause before sending the next entry */ -+ int64_t ignoreMissingChange; /* if set replication will try to continue even if change cannot be found in changelog */ -+ Slapi_RWLock *attr_lock; /* RW lock for all the stripped attrs */ -+ int64_t WaitForAsyncResults; /* Pass to DS_Sleep(PR_MillisecondsToInterval(WaitForAsyncResults)) -+ * in repl5_inc_waitfor_async_results */ - } repl5agmt; - - /* Forward declarations */ -@@ -182,7 +182,7 @@ agmt_is_valid(Repl_Agmt *ra) - } - if (ra->port <= 0) { - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "agmt_is_valid - Replication agreement \"%s\" " -- 
"is malformed: invalid port number %d.\n", -+ "is malformed: invalid port number %ld.\n", - slapi_sdn_get_dn(ra->dn), ra->port); - return_value = 0; - } -@@ -241,10 +241,14 @@ agmt_new_from_entry(Slapi_Entry *e) - { - Repl_Agmt *ra; - Slapi_Attr *sattr; -+ char errormsg[SLAPI_DSE_RETURNTEXT_SIZE]; - char *tmpstr; - char **denied_attrs = NULL; - char *auto_initialize = NULL; - char *val_nsds5BeginReplicaRefresh = "start"; -+ char *val = NULL; -+ int64_t ptimeout = 0; -+ int rc = 0; - - ra = (Repl_Agmt *)slapi_ch_calloc(1, sizeof(repl5agmt)); - if ((ra->lock = PR_NewLock()) == NULL) { -@@ -283,8 +287,17 @@ agmt_new_from_entry(Slapi_Entry *e) - - /* Host name of remote replica */ - ra->hostname = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaHost); -+ - /* Port number for remote replica instance */ -- ra->port = slapi_entry_attr_get_int(e, type_nsds5ReplicaPort); -+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaPort))){ -+ int64_t port; -+ if (repl_config_valid_num(type_nsds5ReplicaPort, val, 1, 65535, &rc, errormsg, &port) != 0) { -+ goto loser; -+ } -+ slapi_ch_free_string(&val); -+ ra->port = port; -+ } -+ - /* SSL, TLS, or other transport stuff */ - ra->transport_flags = 0; - (void)agmt_set_transportinfo_no_lock(ra, e); -@@ -313,29 +326,35 @@ agmt_new_from_entry(Slapi_Entry *e) - - /* timeout. */ - ra->timeout = DEFAULT_TIMEOUT; -- if (slapi_entry_attr_find(e, type_nsds5ReplicaTimeout, &sattr) == 0) { -- Slapi_Value *sval; -- if (slapi_attr_first_value(sattr, &sval) == 0) { -- ra->timeout = slapi_value_get_long(sval); -+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaTimeout))){ -+ int64_t timeout; -+ if (repl_config_valid_num(type_nsds5ReplicaTimeout, val, 0, INT_MAX, &rc, errormsg, &timeout) != 0) { -+ goto loser; - } -+ slapi_ch_free_string(&val); -+ ra->timeout = timeout; - } - - /* flow control update window. 
*/ - ra->flowControlWindow = DEFAULT_FLOWCONTROL_WINDOW; -- if (slapi_entry_attr_find(e, type_nsds5ReplicaFlowControlWindow, &sattr) == 0) { -- Slapi_Value *sval; -- if (slapi_attr_first_value(sattr, &sval) == 0) { -- ra->flowControlWindow = slapi_value_get_long(sval); -+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaFlowControlWindow))){ -+ int64_t flow; -+ if (repl_config_valid_num(type_nsds5ReplicaTimeout, val, 0, INT_MAX, &rc, errormsg, &flow) != 0) { -+ goto loser; - } -+ slapi_ch_free_string(&val); -+ ra->flowControlWindow = flow; - } - - /* flow control update pause. */ - ra->flowControlPause = DEFAULT_FLOWCONTROL_PAUSE; -- if (slapi_entry_attr_find(e, type_nsds5ReplicaFlowControlPause, &sattr) == 0) { -- Slapi_Value *sval; -- if (slapi_attr_first_value(sattr, &sval) == 0) { -- ra->flowControlPause = slapi_value_get_long(sval); -+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaFlowControlPause))){ -+ int64_t pause; -+ if (repl_config_valid_num(type_nsds5ReplicaFlowControlPause, val, 0, INT_MAX, &rc, errormsg, &pause) != 0) { -+ goto loser; - } -+ slapi_ch_free_string(&val); -+ ra->flowControlPause = pause; - } - - /* continue on missing change ? 
*/ -@@ -357,7 +376,6 @@ agmt_new_from_entry(Slapi_Entry *e) - if (NULL != tmpstr) { - Object *repl_obj; - Replica *replica; -- PRUint64 ptimeout = 0; - - ra->replarea = slapi_sdn_new_dn_passin(tmpstr); - -@@ -367,14 +385,18 @@ agmt_new_from_entry(Slapi_Entry *e) - replica_incr_agmt_count(replica); - } - } -+ } - -- /* If this agmt has its own timeout, grab it, otherwise use the replica's protocol timeout */ -- ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout); -- if (ptimeout) { -- slapi_counter_set_value(ra->protocol_timeout, ptimeout); -+ /* If this agmt has its own timeout, grab it, otherwise use the replica's protocol timeout */ -+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaProtocolTimeout))){ -+ if (repl_config_valid_num(type_replicaProtocolTimeout, val, 0, INT_MAX, &rc, errormsg, &ptimeout) != 0) { -+ goto loser; - } -+ slapi_ch_free_string(&val); -+ slapi_counter_set_value(ra->protocol_timeout, ptimeout); - } - -+ - /* Replica enabled */ - tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaEnabled); - if (NULL != tmpstr) { -@@ -384,9 +406,8 @@ agmt_new_from_entry(Slapi_Entry *e) - ra->is_enabled = PR_TRUE; - } else { - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "agmt_new_from_entry - " -- "Warning invalid value for nsds5ReplicaEnabled (%s), value must be \"on\" or \"off\". " -- "Ignoring this repl agreement.\n", -- tmpstr); -+ "Warning invalid value for nsds5ReplicaEnabled (%s), value must be \"on\" or \"off\". 
" -+ "Ignoring this repl agreement.\n", tmpstr); - slapi_ch_free_string(&tmpstr); - goto loser; - } -@@ -402,11 +423,24 @@ agmt_new_from_entry(Slapi_Entry *e) - } - - /* busy wait time - time to wait after getting REPLICA BUSY from consumer */ -- ra->busywaittime = slapi_entry_attr_get_long(e, type_nsds5ReplicaBusyWaitTime); -+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBusyWaitTime))){ -+ int64_t busytime = 0; -+ if (repl_config_valid_num(type_nsds5ReplicaBusyWaitTime, val, 0, INT_MAX, &rc, errormsg, &busytime) != 0) { -+ goto loser; -+ } -+ slapi_ch_free_string(&val); -+ ra->busywaittime = busytime; -+ } - - /* pause time - time to pause after a session has ended */ -- ra->pausetime = slapi_entry_attr_get_long(e, type_nsds5ReplicaSessionPauseTime); -- -+ if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaSessionPauseTime))){ -+ int64_t pausetime = 0; -+ if (repl_config_valid_num(type_nsds5ReplicaSessionPauseTime, val, 0, INT_MAX, &rc, errormsg, &pausetime) != 0) { -+ goto loser; -+ } -+ slapi_ch_free_string(&val); -+ ra->pausetime = pausetime; -+ } - /* consumer's RUV */ - if (slapi_entry_attr_find(e, type_ruvElement, &sattr) == 0) { - RUV *ruv; -@@ -434,7 +468,7 @@ agmt_new_from_entry(Slapi_Entry *e) - if (dot) { - *dot = '\0'; - } -- ra->long_name = slapi_ch_smprintf("agmt=\"%s\" (%s:%d)", agmtname, hostname, ra->port); -+ ra->long_name = slapi_ch_smprintf("agmt=\"%s\" (%s:%ld)", agmtname, hostname, ra->port); - } - - /* DBDB: review this code */ -@@ -534,6 +568,9 @@ agmt_new_from_entry(Slapi_Entry *e) - - return ra; - loser: -+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, -+ "agmt_new_from_entry - Failed to parse agreement, skipping.\n"); -+ slapi_ch_free_string(&val); - agmt_delete((void **)&ra); - return NULL; - } -@@ -754,10 +791,10 @@ agmt_start(Repl_Agmt *ra) - char buf[BUFSIZ]; - char unavail_buf[BUFSIZ]; - -- PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%d;", slapi_sdn_get_dn(repl_sdn), -+ PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%ld;", 
slapi_sdn_get_dn(repl_sdn), - slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)), - ra->hostname, ra->port); -- PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%d;unavailable", slapi_sdn_get_dn(repl_sdn), -+ PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%ld;unavailable", slapi_sdn_get_dn(repl_sdn), - slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)), - ra->hostname, ra->port); - if (strstr(maxcsns[i], buf) || strstr(maxcsns[i], unavail_buf)) { -@@ -901,7 +938,7 @@ agmt_get_port(const Repl_Agmt *ra) - /* - * Return the transport flags for this agreement. - */ --PRUint32 -+uint32_t - agmt_get_transport_flags(const Repl_Agmt *ra) - { - unsigned int return_value; -@@ -2919,7 +2956,7 @@ agmt_update_done(Repl_Agmt *agmt, int is_total) - } - } - --PRUint64 -+uint64_t - agmt_get_protocol_timeout(Repl_Agmt *agmt) - { - if (agmt) { -@@ -2930,7 +2967,7 @@ agmt_get_protocol_timeout(Repl_Agmt *agmt) - } - - void --agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout) -+agmt_set_protocol_timeout(Repl_Agmt *agmt, uint64_t timeout) - { - if (agmt) { - slapi_counter_set_value(agmt->protocol_timeout, timeout); -@@ -2992,11 +3029,11 @@ agmt_update_maxcsn(Replica *r, Slapi_DN *sdn, int op, LDAPMod **mods, CSN *csn) - * temporarily mark it as "unavailable". 
- */ - slapi_ch_free_string(&agmt->maxcsn); -- agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%d;unavailable", slapi_sdn_get_dn(agmt->replarea), -+ agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%ld;unavailable", slapi_sdn_get_dn(agmt->replarea), - slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(agmt->rdn)), agmt->hostname, agmt->port); - } else if (rid == oprid) { - slapi_ch_free_string(&agmt->maxcsn); -- agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%d;%d;%s", slapi_sdn_get_dn(agmt->replarea), -+ agmt->maxcsn = slapi_ch_smprintf("%s;%s;%s;%ld;%d;%s", slapi_sdn_get_dn(agmt->replarea), - slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(agmt->rdn)), agmt->hostname, - agmt->port, agmt->consumerRID, maxcsn); - } -@@ -3190,10 +3227,10 @@ agmt_remove_maxcsn(Repl_Agmt *ra) - char unavail_buf[BUFSIZ]; - struct berval val; - -- PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%d;", slapi_sdn_get_dn(ra->replarea), -+ PR_snprintf(buf, BUFSIZ, "%s;%s;%s;%ld;", slapi_sdn_get_dn(ra->replarea), - slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)), - ra->hostname, ra->port); -- PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%d;unavailable", -+ PR_snprintf(unavail_buf, BUFSIZ, "%s;%s;%s;%ld;unavailable", - slapi_sdn_get_dn(ra->replarea), - slapi_rdn_get_value_by_ref(slapi_rdn_get_rdn(ra->rdn)), - ra->hostname, ra->port); -diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c -index 92f847f24..e5296bf1c 100644 ---- a/ldap/servers/plugins/replication/repl5_replica.c -+++ b/ldap/servers/plugins/replication/repl5_replica.c -@@ -33,42 +33,40 @@ struct replica - Slapi_DN *repl_root; /* top of the replicated are */ - char *repl_name; /* unique replica name */ - PRBool new_name; /* new name was generated - need to be saved */ -- ReplicaUpdateDNList updatedn_list; /* list of dns with which a supplier should bind -- to update this replica */ -- Slapi_ValueSet *updatedn_groups; /* set of groups whose memebers are -- * allowed to update replica */ -+ 
ReplicaUpdateDNList updatedn_list; /* list of dns with which a supplier should bind to update this replica */ -+ Slapi_ValueSet *updatedn_groups; /* set of groups whose memebers are allowed to update replica */ - ReplicaUpdateDNList groupdn_list; /* exploded listof dns from update group */ -- PRUint32 updatedn_group_last_check; -- int updatedn_group_check_interval; -- ReplicaType repl_type; /* is this replica read-only ? */ -- ReplicaId repl_rid; /* replicaID */ -- Object *repl_ruv; /* replica update vector */ -- PRBool repl_ruv_dirty; /* Dirty flag for ruv */ -- CSNPL *min_csn_pl; /* Pending list for minimal CSN */ -- void *csn_pl_reg_id; /* registration assignment for csn callbacks */ -- unsigned long repl_state_flags; /* state flags */ -- PRUint32 repl_flags; /* persistent, externally visible flags */ -- PRMonitor *repl_lock; /* protects entire structure */ -- Slapi_Eq_Context repl_eqcxt_rs; /* context to cancel event that saves ruv */ -- Slapi_Eq_Context repl_eqcxt_tr; /* context to cancel event that reaps tombstones */ -- Object *repl_csngen; /* CSN generator for this replica */ -- PRBool repl_csn_assigned; /* Flag set when new csn is assigned. 
*/ -- PRUint32 repl_purge_delay; /* When purgeable, CSNs are held on to for this many extra seconds */ -- PRBool tombstone_reap_stop; /* TRUE when the tombstone reaper should stop */ -- PRBool tombstone_reap_active; /* TRUE when the tombstone reaper is running */ -- long tombstone_reap_interval; /* Time in seconds between tombstone reaping */ -- Slapi_ValueSet *repl_referral; /* A list of administrator provided referral URLs */ -- PRBool state_update_inprogress; /* replica state is being updated */ -- PRLock *agmt_lock; /* protects agreement creation, start and stop */ -- char *locking_purl; /* supplier who has exclusive access */ -- uint64_t locking_conn; /* The supplier's connection id */ -- Slapi_Counter *protocol_timeout; /* protocol shutdown timeout */ -- Slapi_Counter *backoff_min; /* backoff retry minimum */ -- Slapi_Counter *backoff_max; /* backoff retry maximum */ -- Slapi_Counter *precise_purging; /* Enable precise tombstone purging */ -- PRUint64 agmt_count; /* Number of agmts */ -- Slapi_Counter *release_timeout; /* The amount of time to wait before releasing active replica */ -- PRUint64 abort_session; /* Abort the current replica session */ -+ uint32_t updatedn_group_last_check; /* the time of the last group check */ -+ int64_t updatedn_group_check_interval; /* the group check interval */ -+ ReplicaType repl_type; /* is this replica read-only ? 
*/ -+ ReplicaId repl_rid; /* replicaID */ -+ Object *repl_ruv; /* replica update vector */ -+ PRBool repl_ruv_dirty; /* Dirty flag for ruv */ -+ CSNPL *min_csn_pl; /* Pending list for minimal CSN */ -+ void *csn_pl_reg_id; /* registration assignment for csn callbacks */ -+ unsigned long repl_state_flags; /* state flags */ -+ uint32_t repl_flags; /* persistent, externally visible flags */ -+ PRMonitor *repl_lock; /* protects entire structure */ -+ Slapi_Eq_Context repl_eqcxt_rs; /* context to cancel event that saves ruv */ -+ Slapi_Eq_Context repl_eqcxt_tr; /* context to cancel event that reaps tombstones */ -+ Object *repl_csngen; /* CSN generator for this replica */ -+ PRBool repl_csn_assigned; /* Flag set when new csn is assigned. */ -+ int64_t repl_purge_delay; /* When purgeable, CSNs are held on to for this many extra seconds */ -+ PRBool tombstone_reap_stop; /* TRUE when the tombstone reaper should stop */ -+ PRBool tombstone_reap_active; /* TRUE when the tombstone reaper is running */ -+ int64_t tombstone_reap_interval; /* Time in seconds between tombstone reaping */ -+ Slapi_ValueSet *repl_referral; /* A list of administrator provided referral URLs */ -+ PRBool state_update_inprogress; /* replica state is being updated */ -+ PRLock *agmt_lock; /* protects agreement creation, start and stop */ -+ char *locking_purl; /* supplier who has exclusive access */ -+ uint64_t locking_conn; /* The supplier's connection id */ -+ Slapi_Counter *protocol_timeout; /* protocol shutdown timeout */ -+ Slapi_Counter *backoff_min; /* backoff retry minimum */ -+ Slapi_Counter *backoff_max; /* backoff retry maximum */ -+ Slapi_Counter *precise_purging; /* Enable precise tombstone purging */ -+ uint64_t agmt_count; /* Number of agmts */ -+ Slapi_Counter *release_timeout; /* The amount of time to wait before releasing active replica */ -+ uint64_t abort_session; /* Abort the current replica session */ - }; - - -@@ -532,7 +530,7 @@ replica_subentry_update(Slapi_DN *repl_root, 
ReplicaId rid) - * current_purl is the supplier who already has access, if any - */ - PRBool --replica_get_exclusive_access(Replica *r, PRBool *isInc, PRUint64 connid, int opid, const char *locking_purl, char **current_purl) -+replica_get_exclusive_access(Replica *r, PRBool *isInc, uint64_t connid, int opid, const char *locking_purl, char **current_purl) - { - PRBool rval = PR_TRUE; - -@@ -608,7 +606,7 @@ done: - * Relinquish exclusive access to the replica - */ - void --replica_relinquish_exclusive_access(Replica *r, PRUint64 connid, int opid) -+replica_relinquish_exclusive_access(Replica *r, uint64_t connid, int opid) - { - PRBool isInc; - -@@ -915,7 +913,7 @@ replica_get_type(const Replica *r) - return r->repl_type; - } - --PRUint64 -+uint64_t - replica_get_protocol_timeout(Replica *r) - { - if (r) { -@@ -925,7 +923,7 @@ replica_get_protocol_timeout(Replica *r) - } - } - --PRUint64 -+uint64_t - replica_get_release_timeout(Replica *r) - { - if (r) { -@@ -936,7 +934,7 @@ replica_get_release_timeout(Replica *r) - } - - void --replica_set_release_timeout(Replica *r, PRUint64 limit) -+replica_set_release_timeout(Replica *r, uint64_t limit) - { - if (r) { - slapi_counter_set_value(r->release_timeout, limit); -@@ -944,7 +942,7 @@ replica_set_release_timeout(Replica *r, PRUint64 limit) - } - - void --replica_set_protocol_timeout(Replica *r, PRUint64 timeout) -+replica_set_protocol_timeout(Replica *r, uint64_t timeout) - { - if (r) { - slapi_counter_set_value(r->protocol_timeout, timeout); -@@ -1182,7 +1180,7 @@ replica_get_generation(const Replica *r) - } - - PRBool --replica_is_flag_set(const Replica *r, PRUint32 flag) -+replica_is_flag_set(const Replica *r, uint32_t flag) - { - if (r) - return (r->repl_flags & flag); -@@ -1191,7 +1189,7 @@ replica_is_flag_set(const Replica *r, PRUint32 flag) - } - - void --replica_set_flag(Replica *r, PRUint32 flag, PRBool clear) -+replica_set_flag(Replica *r, uint32_t flag, PRBool clear) - { - if (r == NULL) - return; -@@ -1208,7 
+1206,7 @@ replica_set_flag(Replica *r, PRUint32 flag, PRBool clear) - } - - void --replica_replace_flags(Replica *r, PRUint32 flags) -+replica_replace_flags(Replica *r, uint32_t flags) - { - if (r) { - replica_lock(r->repl_lock); -@@ -1829,17 +1827,18 @@ _replica_check_validity(const Replica *r) - static int - _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - { -- Slapi_Attr *a = NULL; - Slapi_Attr *attr; - CSNGen *gen; - char *precise_purging = NULL; - char buf[SLAPI_DSE_RETURNTEXT_SIZE]; - char *errormsg = errortext ? errortext : buf; - char *val; -- int backoff_min; -- int backoff_max; -- int ptimeout = 0; -- int release_timeout = 0; -+ int64_t backoff_min; -+ int64_t backoff_max; -+ int64_t ptimeout = 0; -+ int64_t release_timeout = 0; -+ int64_t interval = 0; -+ int64_t rtype = 0; - int rc; - - PR_ASSERT(r && e); -@@ -1847,7 +1846,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - /* get replica root */ - val = slapi_entry_attr_get_charptr(e, attr_replicaRoot); - if (val == NULL) { -- PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, "Failed to retrieve %s attribute from (%s)\n", -+ PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, "Failed to retrieve %s attribute from (%s)", - attr_replicaRoot, - (char *)slapi_entry_get_dn((Slapi_Entry *)e)); - slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - %s\n", -@@ -1858,66 +1857,94 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - r->repl_root = slapi_sdn_new_dn_passin(val); - - /* get replica type */ -- val = slapi_entry_attr_get_charptr(e, attr_replicaType); -- if (val) { -- r->repl_type = atoi(val); -- slapi_ch_free((void **)&val); -+ if (slapi_entry_attr_exists(e, attr_replicaType)) { -+ if ((val = slapi_entry_attr_get_charptr(e, attr_replicaType))) { -+ if (repl_config_valid_num(attr_replicaType, val, 0, REPLICA_TYPE_UPDATABLE, &rc, errormsg, &rtype) != 0) { -+ slapi_ch_free_string(&val); -+ return -1; -+ } -+ 
r->repl_type = rtype; -+ slapi_ch_free_string(&val); -+ } else { -+ r->repl_type = REPLICA_TYPE_READONLY; -+ } - } else { - r->repl_type = REPLICA_TYPE_READONLY; - } - -- /* grab and validate the backoff retry settings */ -+ /* grab and validate the backoff min retry settings */ - if (slapi_entry_attr_exists(e, type_replicaBackoffMin)) { -- backoff_min = slapi_entry_attr_get_int(e, type_replicaBackoffMin); -- if (backoff_min <= 0) { -- slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - " -- "Invalid value for %s: %d Using default value (%d)\n", -- type_replicaBackoffMin, backoff_min, PROTOCOL_BACKOFF_MINIMUM); -+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaBackoffMin))) { -+ if (repl_config_valid_num(type_replicaBackoffMin, val, 1, INT_MAX, &rc, errormsg, &backoff_min) != 0) { -+ slapi_ch_free_string(&val); -+ return -1; -+ } -+ slapi_ch_free_string(&val); -+ } else { - backoff_min = PROTOCOL_BACKOFF_MINIMUM; - } - } else { - backoff_min = PROTOCOL_BACKOFF_MINIMUM; - } - -+ /* grab and validate the backoff max retry settings */ - if (slapi_entry_attr_exists(e, type_replicaBackoffMax)) { -- backoff_max = slapi_entry_attr_get_int(e, type_replicaBackoffMax); -- if (backoff_max <= 0) { -- slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - " -- "Invalid value for %s: %d Using default value (%d)\n", -- type_replicaBackoffMax, backoff_max, PROTOCOL_BACKOFF_MAXIMUM); -+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaBackoffMax))) { -+ if (repl_config_valid_num(type_replicaBackoffMax, val, 1, INT_MAX, &rc, errormsg, &backoff_max) != 0) { -+ slapi_ch_free_string(&val); -+ return -1; -+ } -+ slapi_ch_free_string(&val); -+ } else { - backoff_max = PROTOCOL_BACKOFF_MAXIMUM; - } - } else { - backoff_max = PROTOCOL_BACKOFF_MAXIMUM; - } - -+ /* Verify backoff min and max work together */ - if (backoff_min > backoff_max) { -- /* Ok these values are invalid, reset back the defaults */ -- 
slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - " -- "Backoff minimum (%d) can not be greater than " -- "the backoff maximum (%d). Using default values: min (%d) max (%d)\n", -- backoff_min, backoff_max, PROTOCOL_BACKOFF_MINIMUM, PROTOCOL_BACKOFF_MAXIMUM); -- slapi_counter_set_value(r->backoff_min, PROTOCOL_BACKOFF_MINIMUM); -- slapi_counter_set_value(r->backoff_max, PROTOCOL_BACKOFF_MAXIMUM); -+ PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, -+ "Backoff minimum (%ld) can not be greater than the backoff maximum (%ld).", -+ backoff_min, backoff_max); -+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - " -+ "%s\n", errormsg); -+ return -1; - } else { - slapi_counter_set_value(r->backoff_min, backoff_min); - slapi_counter_set_value(r->backoff_max, backoff_max); - } - - /* get the protocol timeout */ -- ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout); -- if (ptimeout <= 0) { -- slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT); -+ if (slapi_entry_attr_exists(e, type_replicaProtocolTimeout)) { -+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaProtocolTimeout))) { -+ if (repl_config_valid_num(type_replicaProtocolTimeout, val, 0, INT_MAX, &rc, errormsg, &ptimeout) != 0) { -+ slapi_ch_free_string(&val); -+ return -1; -+ } -+ slapi_ch_free_string(&val); -+ slapi_counter_set_value(r->protocol_timeout, ptimeout); -+ } else { -+ slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT); -+ } - } else { -- slapi_counter_set_value(r->protocol_timeout, ptimeout); -+ slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT); - } - - /* Get the release timeout */ -- release_timeout = slapi_entry_attr_get_int(e, type_replicaReleaseTimeout); -- if (release_timeout <= 0) { -- slapi_counter_set_value(r->release_timeout, 0); -+ if (slapi_entry_attr_exists(e, type_replicaReleaseTimeout)) { -+ if ((val = slapi_entry_attr_get_charptr(e, 
type_replicaReleaseTimeout))) { -+ if (repl_config_valid_num(type_replicaReleaseTimeout, val, 0, INT_MAX, &rc, errortext, &release_timeout) != 0) { -+ slapi_ch_free_string(&val); -+ return -1; -+ } -+ slapi_counter_set_value(r->release_timeout, release_timeout); -+ slapi_ch_free_string(&val); -+ } else { -+ slapi_counter_set_value(r->release_timeout, 0); -+ } - } else { -- slapi_counter_set_value(r->release_timeout, release_timeout); -+ slapi_counter_set_value(r->release_timeout, 0); - } - - /* check for precise tombstone purging */ -@@ -1929,10 +1956,11 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - slapi_counter_set_value(r->precise_purging, 0); - } else { - /* Invalid value */ -- slapi_log_err(SLAPI_LOG_WARNING, repl_plugin_name, "_replica_init_from_config - " -- "Invalid value for %s: %s Using default value (off)\n", -- type_replicaPrecisePurge, precise_purging); -- slapi_counter_set_value(r->precise_purging, 0); -+ PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, "Invalid value for %s: %s", -+ type_replicaPrecisePurge, precise_purging); -+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "_replica_init_from_config - " -+ "%s\n", errormsg); -+ return -1; - } - slapi_ch_free_string(&precise_purging); - } else { -@@ -1940,7 +1968,19 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - } - - /* get replica flags */ -- r->repl_flags = slapi_entry_attr_get_ulong(e, attr_flags); -+ if (slapi_entry_attr_exists(e, attr_flags)) { -+ int64_t rflags; -+ if((val = slapi_entry_attr_get_charptr(e, attr_flags))) { -+ if (repl_config_valid_num(attr_flags, val, 0, 1, &rc, errortext, &rflags) != 0) { -+ return -1; -+ } -+ r->repl_flags = (uint32_t)rflags; -+ } else { -+ r->repl_flags = 0; -+ } -+ } else { -+ r->repl_flags = 0; -+ } - - /* - * Get replicaid -@@ -1955,20 +1995,13 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - else if (r->repl_type == REPLICA_TYPE_UPDATABLE || - r->repl_type == 
REPLICA_TYPE_PRIMARY) { - if ((val = slapi_entry_attr_get_charptr(e, attr_replicaId))) { -- int temprid = atoi(val); -- slapi_ch_free((void **)&val); -- if (temprid <= 0 || temprid >= READ_ONLY_REPLICA_ID) { -- PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, -- "Attribute %s must have a value greater than 0 " -- "and less than %d: entry %s", -- attr_replicaId, READ_ONLY_REPLICA_ID, -- (char *)slapi_entry_get_dn((Slapi_Entry *)e)); -- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, -- "_replica_init_from_config - %s\n", errormsg); -+ int64_t rid; -+ if (repl_config_valid_num(attr_replicaId, val, 1, 65535, &rc, errormsg, &rid) != 0) { -+ slapi_ch_free_string(&val); - return -1; -- } else { -- r->repl_rid = (ReplicaId)temprid; - } -+ r->repl_rid = (ReplicaId)rid; -+ slapi_ch_free_string(&val); - } else { - PR_snprintf(errormsg, SLAPI_DSE_RETURNTEXT_SIZE, - "Failed to retrieve required %s attribute from %s", -@@ -2003,10 +2036,13 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - r->groupdn_list = replica_groupdn_list_new(r->updatedn_groups); - r->updatedn_group_last_check = time(NULL); - /* get groupdn check interval */ -- val = slapi_entry_attr_get_charptr(e, attr_replicaBindDnGroupCheckInterval); -- if (val) { -- r->updatedn_group_check_interval = atoi(val); -- slapi_ch_free((void **)&val); -+ if ((val = slapi_entry_attr_get_charptr(e, attr_replicaBindDnGroupCheckInterval))) { -+ if (repl_config_valid_num(attr_replicaBindDnGroupCheckInterval, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) { -+ slapi_ch_free_string(&val); -+ return -1; -+ } -+ r->updatedn_group_check_interval = interval; -+ slapi_ch_free_string(&val); - } else { - r->updatedn_group_check_interval = -1; - } -@@ -2041,18 +2077,26 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext) - * since we don't know about LCUP replicas, and they can just - * turn up whenever they want to. 
- */ -- if (slapi_entry_attr_find(e, type_replicaPurgeDelay, &a) == -1) { -- /* No purge delay provided, so use default */ -- r->repl_purge_delay = 60 * 60 * 24 * 7; /* One week, in seconds */ -+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaPurgeDelay))) { -+ if (repl_config_valid_num(type_replicaPurgeDelay, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) { -+ slapi_ch_free_string(&val); -+ return -1; -+ } -+ r->repl_purge_delay = interval; -+ slapi_ch_free_string(&val); - } else { -- r->repl_purge_delay = slapi_entry_attr_get_uint(e, type_replicaPurgeDelay); -+ r->repl_purge_delay = 60 * 60 * 24 * 7; /* One week, in seconds */ - } - -- if (slapi_entry_attr_find(e, type_replicaTombstonePurgeInterval, &a) == -1) { -- /* No reap interval provided, so use default */ -- r->tombstone_reap_interval = 3600 * 24; /* One day */ -+ if ((val = slapi_entry_attr_get_charptr(e, type_replicaTombstonePurgeInterval))) { -+ if (repl_config_valid_num(type_replicaTombstonePurgeInterval, val, -1, INT_MAX, &rc, errormsg, &interval) != 0) { -+ slapi_ch_free_string(&val); -+ return -1; -+ } -+ r->tombstone_reap_interval = interval; -+ slapi_ch_free_string(&val); - } else { -- r->tombstone_reap_interval = slapi_entry_attr_get_int(e, type_replicaTombstonePurgeInterval); -+ r->tombstone_reap_interval = 3600 * 24; /* One week, in seconds */ - } - - r->tombstone_reap_stop = r->tombstone_reap_active = PR_FALSE; -@@ -3534,7 +3578,7 @@ replica_log_ruv_elements_nolock(const Replica *r) - } - - void --replica_set_purge_delay(Replica *r, PRUint32 purge_delay) -+replica_set_purge_delay(Replica *r, uint32_t purge_delay) - { - PR_ASSERT(r); - replica_lock(r->repl_lock); -@@ -3710,7 +3754,7 @@ replica_set_ruv_dirty(Replica *r) - } - - PRBool --replica_is_state_flag_set(Replica *r, PRInt32 flag) -+replica_is_state_flag_set(Replica *r, int32_t flag) - { - PR_ASSERT(r); - if (r) -@@ -3720,7 +3764,7 @@ replica_is_state_flag_set(Replica *r, PRInt32 flag) - } - - void 
--replica_set_state_flag(Replica *r, PRUint32 flag, PRBool clear) -+replica_set_state_flag(Replica *r, uint32_t flag, PRBool clear) - { - if (r == NULL) - return; -@@ -3994,7 +4038,7 @@ replica_get_attr(Slapi_PBlock *pb, const char *type, void *value) - return rc; - } - --PRUint64 -+uint64_t - replica_get_backoff_min(Replica *r) - { - if (r) { -@@ -4004,7 +4048,7 @@ replica_get_backoff_min(Replica *r) - } - } - --PRUint64 -+uint64_t - replica_get_backoff_max(Replica *r) - { - if (r) { -@@ -4015,7 +4059,7 @@ replica_get_backoff_max(Replica *r) - } - - void --replica_set_backoff_min(Replica *r, PRUint64 min) -+replica_set_backoff_min(Replica *r, uint64_t min) - { - if (r) { - slapi_counter_set_value(r->backoff_min, min); -@@ -4023,7 +4067,7 @@ replica_set_backoff_min(Replica *r, PRUint64 min) - } - - void --replica_set_backoff_max(Replica *r, PRUint64 max) -+replica_set_backoff_max(Replica *r, uint64_t max) - { - if (r) { - slapi_counter_set_value(r->backoff_max, max); -@@ -4031,14 +4075,14 @@ replica_set_backoff_max(Replica *r, PRUint64 max) - } - - void --replica_set_precise_purging(Replica *r, PRUint64 on_off) -+replica_set_precise_purging(Replica *r, uint64_t on_off) - { - if (r) { - slapi_counter_set_value(r->precise_purging, on_off); - } - } - --PRUint64 -+uint64_t - replica_get_precise_purging(Replica *r) - { - if (r) { -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index 7477a292c..9c3c75458 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -405,28 +405,35 @@ replica_config_modify(Slapi_PBlock *pb, - } else if (strcasecmp(config_attr, attr_replicaBindDnGroup) == 0) { - *returncode = replica_config_change_updatedngroup(r, mods[i], errortext, apply_mods); - } else if (strcasecmp(config_attr, attr_replicaBindDnGroupCheckInterval) == 0) { -- int interval = atoi(config_attr_value); -- 
replica_set_groupdn_checkinterval(r, interval); -+ int64_t interval = 0; -+ if (repl_config_valid_num(config_attr, config_attr_value, -1, INT_MAX, returncode, errortext, &interval) == 0) { -+ replica_set_groupdn_checkinterval(r, interval); -+ } else { -+ break; -+ } - } else if (strcasecmp(config_attr, attr_replicaType) == 0) { -+ int64_t rtype; - slapi_ch_free_string(&new_repl_type); -- new_repl_type = slapi_ch_strdup(config_attr_value); -+ if (repl_config_valid_num(config_attr, config_attr_value, 1, 3, returncode, errortext, &rtype) == 0) { -+ new_repl_type = slapi_ch_strdup(config_attr_value); -+ } else { -+ break; -+ } - } else if (strcasecmp(config_attr, attr_replicaId) == 0) { -- char *endp = NULL; - int64_t rid = 0; -- errno = 0; -- rid = strtoll(config_attr_value, &endp, 10); -- if (*endp != '\0' || rid > 65535 || rid < 1 || errno == ERANGE) { -- *returncode = LDAP_UNWILLING_TO_PERFORM; -- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -- "Attribute %s value (%s) is invalid, must be a number between 1 and 65535.\n", -- config_attr, config_attr_value); -- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext); -+ if (repl_config_valid_num(config_attr, config_attr_value, 1, 65535, returncode, errortext, &rid) == 0) { -+ slapi_ch_free_string(&new_repl_id); -+ new_repl_id = slapi_ch_strdup(config_attr_value); -+ } else { - break; - } -- slapi_ch_free_string(&new_repl_id); -- new_repl_id = slapi_ch_strdup(config_attr_value); - } else if (strcasecmp(config_attr, attr_flags) == 0) { -- *returncode = replica_config_change_flags(r, config_attr_value, errortext, apply_mods); -+ int64_t rflags = 0; -+ if (repl_config_valid_num(config_attr, config_attr_value, 0, 1, returncode, errortext, &rflags) == 0) { -+ *returncode = replica_config_change_flags(r, config_attr_value, errortext, apply_mods); -+ } else { -+ break; -+ } - } else if (strcasecmp(config_attr, TASK_ATTR) == 0) { - *returncode = replica_execute_task(mtnode_ext->replica, 
config_attr_value, errortext, apply_mods); - } else if (strcasecmp(config_attr, attr_replicaReferral) == 0) { -@@ -442,18 +449,21 @@ replica_config_modify(Slapi_PBlock *pb, - } - } else if (strcasecmp(config_attr, type_replicaPurgeDelay) == 0) { - if (apply_mods && config_attr_value[0]) { -- PRUint32 delay; -- if (isdigit(config_attr_value[0])) { -- delay = (unsigned int)atoi(config_attr_value); -+ int64_t delay = 0; -+ if (repl_config_valid_num(config_attr, config_attr_value, -1, INT_MAX, returncode, errortext, &delay) == 0) { - replica_set_purge_delay(r, delay); -- } else -- *returncode = LDAP_OPERATIONS_ERROR; -+ } else { -+ break; -+ } - } - } else if (strcasecmp(config_attr, type_replicaTombstonePurgeInterval) == 0) { - if (apply_mods && config_attr_value[0]) { -- long interval; -- interval = atol(config_attr_value); -- replica_set_tombstone_reap_interval(r, interval); -+ int64_t interval; -+ if (repl_config_valid_num(config_attr, config_attr_value, -1, INT_MAX, returncode, errortext, &interval) == 0) { -+ replica_set_tombstone_reap_interval(r, interval); -+ } else { -+ break; -+ } - } - } - /* ignore modifiers attributes added by the server */ -@@ -461,73 +471,55 @@ replica_config_modify(Slapi_PBlock *pb, - *returncode = LDAP_SUCCESS; - } else if (strcasecmp(config_attr, type_replicaProtocolTimeout) == 0) { - if (apply_mods) { -- PRUint64 ptimeout = 0; -- -- ptimeout = atoll(config_attr_value); -- -- if (ptimeout <= 0) { -- *returncode = LDAP_UNWILLING_TO_PERFORM; -- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -- "Attribute %s value (%s) is invalid, must be a number greater than zero.\n", -- config_attr, config_attr_value); -- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext); -+ int64_t ptimeout = 0; -+ if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &ptimeout) == 0) { -+ replica_set_protocol_timeout(r, ptimeout); -+ } else { - break; - } -- 
replica_set_protocol_timeout(r, ptimeout); - } - } else if (strcasecmp(config_attr, type_replicaBackoffMin) == 0) { - if (apply_mods) { -- uint64_t val = atoll(config_attr_value); -- uint64_t max; -- -- if (val <= 0) { -- *returncode = LDAP_UNWILLING_TO_PERFORM; -- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -- "Attribute %s value (%s) is invalid, must be a number greater than zero.\n", -- config_attr, config_attr_value); -- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext); -- break; -- } -- max = replica_get_backoff_max(r); -- if (val > max){ -- *returncode = LDAP_UNWILLING_TO_PERFORM; -- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -- "Attribute %s value (%s) is invalid, must be a number less than the max backoff time (%d).\n", -- config_attr, config_attr_value, (int)max); -- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext); -+ int64_t val = 0; -+ int64_t max; -+ if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &val) == 0) { -+ max = replica_get_backoff_max(r); -+ if (val > max){ -+ *returncode = LDAP_UNWILLING_TO_PERFORM; -+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -+ "Attribute %s value (%s) is invalid, must be a number less than the max backoff time (%d).\n", -+ config_attr, config_attr_value, (int)max); -+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext); -+ break; -+ } -+ replica_set_backoff_min(r, val); -+ } else { - break; - } -- replica_set_backoff_min(r, val); - } - } else if (strcasecmp(config_attr, type_replicaBackoffMax) == 0) { - if (apply_mods) { -- uint64_t val = atoll(config_attr_value); -- uint64_t min; -- -- if (val <= 0) { -- *returncode = LDAP_UNWILLING_TO_PERFORM; -- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -- "Attribute %s value (%s) is invalid, must be a number greater than zero.\n", -- config_attr, config_attr_value); -- 
slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", -- errortext); -- break; -- } -- min = replica_get_backoff_min(r); -- if (val < min) { -- *returncode = LDAP_UNWILLING_TO_PERFORM; -- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -- "Attribute %s value (%s) is invalid, must be a number more than the min backoff time (%d).\n", -- config_attr, config_attr_value, (int)min); -- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext); -+ int64_t val = 0; -+ int64_t min; -+ if (repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &val) == 0) { -+ min = replica_get_backoff_min(r); -+ if (val < min) { -+ *returncode = LDAP_UNWILLING_TO_PERFORM; -+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -+ "Attribute %s value (%s) is invalid, must be a number more than the min backoff time (%d).\n", -+ config_attr, config_attr_value, (int)min); -+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_config_modify - %s\n", errortext); -+ break; -+ } -+ replica_set_backoff_max(r, val); -+ } else { - break; - } -- replica_set_backoff_max(r, val); - } - } else if (strcasecmp(config_attr, type_replicaPrecisePurge) == 0) { - if (apply_mods) { - if (config_attr_value[0]) { -- PRUint64 on_off = 0; -+ uint64_t on_off = 0; - - if (strcasecmp(config_attr_value, "on") == 0) { - on_off = 1; -@@ -550,19 +542,11 @@ replica_config_modify(Slapi_PBlock *pb, - } - } else if (strcasecmp(config_attr, type_replicaReleaseTimeout) == 0) { - if (apply_mods) { -- long val = atol(config_attr_value); -- -- if (val < 0) { -- *returncode = LDAP_UNWILLING_TO_PERFORM; -- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -- "Attribute %s value (%s) is invalid, must be a number zero or greater.\n", -- config_attr, config_attr_value); -- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, -- "replica_config_modify - %s\n", errortext); -- break; -- } else { -- /* Set the timeout */ -+ int64_t val; -+ if 
(repl_config_valid_num(config_attr, config_attr_value, 1, INT_MAX, returncode, errortext, &val) == 0) { - replica_set_release_timeout(r, val); -+ } else { -+ break; - } - } - } else { -@@ -1011,7 +995,7 @@ replica_config_change_flags(Replica *r, const char *new_flags, char *returntext - PR_ASSERT(r); - - if (apply_mods) { -- PRUint32 flags; -+ uint32_t flags; - - flags = atol(new_flags); - -diff --git a/ldap/servers/plugins/replication/replutil.c b/ldap/servers/plugins/replication/replutil.c -index 1b0446788..7cc132362 100644 ---- a/ldap/servers/plugins/replication/replutil.c -+++ b/ldap/servers/plugins/replication/replutil.c -@@ -1061,3 +1061,29 @@ repl_set_repl_plugin_path(const char *path) - { - replpluginpath = slapi_ch_strdup(path); - } -+ -+int -+repl_config_valid_num(const char *config_attr, char *config_attr_value, int64_t min, int64_t max, -+ int *returncode, char *errortext, int64_t *retval) -+{ -+ int rc = 0; -+ char *endp = NULL; -+ int64_t val; -+ errno = 0; -+ -+ val = strtol(config_attr_value, &endp, 10); -+ if (*endp != '\0' || val < min || val > max || errno == ERANGE) { -+ *returncode = LDAP_UNWILLING_TO_PERFORM; -+ if (errortext){ -+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, -+ "Attribute %s value (%s) is invalid, must be a number between %ld and %ld.", -+ config_attr, config_attr_value, min, max); -+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "repl_config_valid_num - %s\n", -+ errortext); -+ } -+ rc = -1; -+ } else { -+ *retval = val; -+ } -+ return rc; -+} --- -2.13.6 - diff --git a/SOURCES/0026-Ticket-49439-cleanallruv-is-not-logging-information.patch b/SOURCES/0026-Ticket-49439-cleanallruv-is-not-logging-information.patch deleted file mode 100644 index 5a52e68..0000000 --- a/SOURCES/0026-Ticket-49439-cleanallruv-is-not-logging-information.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From 403c5b61efb5aca3cbea31170d13dfba190ef355 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 2 Nov 2017 12:55:11 -0400 -Subject: [PATCH] Ticket 49439 - cleanallruv is not logging information - -Bug Description: During the logging refector effro from ticket 48978 - a mistake was made and cleanruv_log() was using - LOG_NOTICE (which is not a true log level), it was - supposed to be SLAPI_LOG_NOTICE. - - We also use DEBUG defines to contorl the logging for - debug builds - -Fix Description: Remove the LDAP_DEBUG defines in cleanruv_log, and set - the correct logging severity level. - -https://pagure.io/389-ds-base/issue/49439 - -Reviewed by: firstyear(Thanks!) - -(cherry picked from commit e1f866a5e3ccce8e061e361c0e3dd11175a8acf2) ---- - .../plugins/replication/repl5_replica_config.c | 30 ++++++++++------------ - 1 file changed, 14 insertions(+), 16 deletions(-) - -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index 9c3c75458..9c8d6adbb 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -1783,7 +1783,7 @@ replica_cleanallruv_thread(void *arg) - /* - * need to sleep between passes - */ -- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Not all replicas have received the " -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Not all replicas have received the " - "cleanallruv extended op, retrying in %d seconds", - interval); - if (!slapi_is_shutting_down()) { -@@ -1825,7 +1825,7 @@ replica_cleanallruv_thread(void *arg) - found_dirty_rid = 0; - } else { - found_dirty_rid = 1; -- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Replica is not cleaned yet (%s)", -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Replica is not cleaned yet (%s)", - agmt_get_long_name(agmt)); - break; - } -@@ -1843,7 
+1843,7 @@ replica_cleanallruv_thread(void *arg) - * Need to sleep between passes unless we are shutting down - */ - if (!slapi_is_shutting_down()) { -- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Replicas have not been cleaned yet, " -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Replicas have not been cleaned yet, " - "retrying in %d seconds", - interval); - PR_Lock(notify_lock); -@@ -1883,10 +1883,10 @@ done: - * Shutdown or abort - */ - if (!is_task_aborted(data->rid) || slapi_is_shutting_down()) { -- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, - "Server shutting down. Process will resume at server startup"); - } else { -- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, "Task aborted for rid(%d).", data->rid); -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Task aborted for rid(%d).", data->rid); - delete_cleaned_rid_config(data); - remove_cleaned_rid(data->rid); - } -@@ -2053,7 +2053,7 @@ check_replicas_are_done_cleaning(cleanruv_data *data) - break; - } - -- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, - "Not all replicas finished cleaning, retrying in %d seconds", - interval); - if (!slapi_is_shutting_down()) { -@@ -2163,7 +2163,7 @@ check_replicas_are_done_aborting(cleanruv_data *data) - if (not_all_aborted == 0) { - break; - } -- cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, LOG_NOTICE, -+ cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, SLAPI_LOG_NOTICE, - "Not all replicas finished aborting, retrying in %d seconds", interval); - if (!slapi_is_shutting_down()) { - PR_Lock(notify_lock); -@@ -2210,7 +2210,7 @@ check_agmts_are_caught_up(cleanruv_data *data, char *maxcsn) - not_all_caughtup = 0; - } else { - not_all_caughtup = 1; -- cleanruv_log(data->task, data->rid, 
CLEANALLRUV_ID, LOG_NOTICE, -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, - "Replica not caught up (%s)", agmt_get_long_name(agmt)); - break; - } -@@ -2220,7 +2220,7 @@ check_agmts_are_caught_up(cleanruv_data *data, char *maxcsn) - if (not_all_caughtup == 0 || is_task_aborted(data->rid)) { - break; - } -- cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, LOG_NOTICE, -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, - "Not all replicas caught up, retrying in %d seconds", interval); - if (!slapi_is_shutting_down()) { - PR_Lock(notify_lock); -@@ -2270,7 +2270,7 @@ check_agmts_are_alive(Replica *replica, ReplicaId rid, Slapi_Task *task) - not_all_alive = 0; - } else { - not_all_alive = 1; -- cleanruv_log(task, rid, CLEANALLRUV_ID, LOG_NOTICE, "Replica not online (%s)", -+ cleanruv_log(task, rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Replica not online (%s)", - agmt_get_long_name(agmt)); - break; - } -@@ -2280,7 +2280,7 @@ check_agmts_are_alive(Replica *replica, ReplicaId rid, Slapi_Task *task) - if (not_all_alive == 0 || is_task_aborted(rid)) { - break; - } -- cleanruv_log(task, rid, CLEANALLRUV_ID, LOG_NOTICE, "Not all replicas online, retrying in %d seconds...", -+ cleanruv_log(task, rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Not all replicas online, retrying in %d seconds...", - interval); - - if (!slapi_is_shutting_down()) { -@@ -3063,7 +3063,7 @@ replica_abort_task_thread(void *arg) - * Need to sleep between passes. 
unless we are shutting down - */ - if (!slapi_is_shutting_down()) { -- cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, LOG_NOTICE, "Retrying in %d seconds", interval); -+ cleanruv_log(data->task, data->rid, ABORT_CLEANALLRUV_ID, SLAPI_LOG_NOTICE, "Retrying in %d seconds", interval); - PR_Lock(notify_lock); - PR_WaitCondVar(notify_cvar, PR_SecondsToInterval(interval)); - PR_Unlock(notify_lock); -@@ -3184,7 +3184,7 @@ replica_cleanallruv_send_extop(Repl_Agmt *ra, cleanruv_data *clean_data, int che - /* extop was accepted */ - rc = 0; - } else { -- cleanruv_log(clean_data->task, clean_data->rid, CLEANALLRUV_ID, LOG_NOTICE, -+ cleanruv_log(clean_data->task, clean_data->rid, CLEANALLRUV_ID, SLAPI_LOG_NOTICE, - "Replica %s does not support the CLEANALLRUV task. " - "Sending replica CLEANRUV task...", - slapi_sdn_get_dn(agmt_get_dn_byref(ra))); -@@ -3352,7 +3352,7 @@ replica_cleanallruv_check_maxcsn(Repl_Agmt *agmt, char *basedn, char *rid_text, - csn_init_by_string(repl_max, remote_maxcsn); - if (csn_compare(repl_max, max) < 0) { - /* we are not caught up yet, free, and return */ -- cleanruv_log(task, atoi(rid_text), CLEANALLRUV_ID, LOG_NOTICE, -+ cleanruv_log(task, atoi(rid_text), CLEANALLRUV_ID, SLAPI_LOG_NOTICE, - "Replica maxcsn (%s) is not caught up with deleted replica's maxcsn(%s)", - remote_maxcsn, maxcsn); - rc = -1; -@@ -3525,7 +3525,6 @@ stop_ruv_cleaning() - void - cleanruv_log(Slapi_Task *task, int rid, char *task_type, int sev_level, char *fmt, ...) - { --#ifdef LDAP_DEBUG - va_list ap1; - va_list ap2; - va_list ap3; -@@ -3550,7 +3549,6 @@ cleanruv_log(Slapi_Task *task, int rid, char *task_type, int sev_level, char *fm - va_end(ap2); - va_end(ap3); - va_end(ap4); --#endif - } - - char * --- -2.13.6 - diff --git a/SOURCES/0027-Ticket-48393-fix-copy-and-paste-error.patch b/SOURCES/0027-Ticket-48393-fix-copy-and-paste-error.patch deleted file mode 100644 index d59c217..0000000 
--- a/SOURCES/0027-Ticket-48393-fix-copy-and-paste-error.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 3d045a240bb32b66e15401bf89eff5b980420b24 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Fri, 3 Nov 2017 12:18:26 -0400
-Subject: [PATCH] Ticket 48393 - fix copy and paste error
-
-Description: Copy and paste error when validating repl agmt
-
-https://pagure.io/389-ds-base/issue/48393
-
-Reviewed by: mreynolds(one line commit rule)
-
-(cherry picked from commit 431647039c5e6d860d8866542050d456f69bb600)
----
- ldap/servers/plugins/replication/repl5_agmt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
-index 78fb91ae6..ee396c8ef 100644
---- a/ldap/servers/plugins/replication/repl5_agmt.c
-+++ b/ldap/servers/plugins/replication/repl5_agmt.c
-@@ -339,7 +339,7 @@ agmt_new_from_entry(Slapi_Entry *e)
- ra->flowControlWindow = DEFAULT_FLOWCONTROL_WINDOW;
- if ((val = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaFlowControlWindow))){
- int64_t flow;
-- if (repl_config_valid_num(type_nsds5ReplicaTimeout, val, 0, INT_MAX, &rc, errormsg, &flow) != 0) {
-+ if (repl_config_valid_num(type_nsds5ReplicaFlowControlWindow, val, 0, INT_MAX, &rc, errormsg, &flow) != 0) {
- goto loser;
- }
- slapi_ch_free_string(&val);
---
-2.13.6
-
diff --git a/SOURCES/0028-Ticket-49038-remove-legacy-replication-change-cleanu.patch b/SOURCES/0028-Ticket-49038-remove-legacy-replication-change-cleanu.patch
deleted file mode 100644
index dd889f9..0000000
--- a/SOURCES/0028-Ticket-49038-remove-legacy-replication-change-cleanu.patch
+++ /dev/null
@@ -1,57 +0,0 @@ -From 2b5b09a7a871d626bb45888f948126732d0893f3 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 4 Oct 2017 12:55:30 -0400 -Subject: [PATCH] Ticket 49038 - remove legacy replication - change cleanup - script precedence - -Description: Bump the cleanup scripts precendance so it happens after the - main plugin upgrade scripts are called. - -https://pagure.io/389-ds-base/issue/49038 - -Reviewed by: firstyear(Thanks!) - -(cherry picked from commit 1fe2c761103c36090ab67df0271dfdb3012037fb) ---- - Makefile.am | 2 +- - ...{50removeLegacyReplication.ldif => 60removeLegacyReplication.ldif} | 0 - rpm/389-ds-base.spec.in | 4 ++-- - 3 files changed, 3 insertions(+), 3 deletions(-) - rename ldap/admin/src/scripts/{50removeLegacyReplication.ldif => 60removeLegacyReplication.ldif} (100%) - -diff --git a/Makefile.am b/Makefile.am -index 09a6bc296..8834a7819 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -942,7 +942,7 @@ update_DATA = ldap/admin/src/scripts/exampleupdate.pl \ - ldap/admin/src/scripts/50telexnumbersyntaxplugin.ldif \ - ldap/admin/src/scripts/50guidesyntaxplugin.ldif \ - ldap/admin/src/scripts/50targetuniqueid.ldif \ -- ldap/admin/src/scripts/50removeLegacyReplication.ldif \ -+ ldap/admin/src/scripts/60removeLegacyReplication.ldif \ - ldap/admin/src/scripts/50linkedattrsplugin.ldif \ - ldap/admin/src/scripts/50usnplugin.ldif \ - ldap/admin/src/scripts/50smd5pwdstorageplugin.ldif \ -diff --git a/ldap/admin/src/scripts/50removeLegacyReplication.ldif b/ldap/admin/src/scripts/60removeLegacyReplication.ldif -similarity index 100% -rename from ldap/admin/src/scripts/50removeLegacyReplication.ldif -rename to ldap/admin/src/scripts/60removeLegacyReplication.ldif -diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in -index 1e5c2cfd3..30a1d7d9a 100644 ---- a/rpm/389-ds-base.spec.in -+++ b/rpm/389-ds-base.spec.in -@@ -395,9 +395,9 @@ echo remove pid files . . . >> $output 2>&1 || : - echo upgrading instances . . . 
>> $output 2>&1 || : - DEBUGPOSTSETUPOPT=`/usr/bin/echo $DEBUGPOSTSETUP | /usr/bin/sed -e "s/[^d]//g"` - if [ -n "$DEBUGPOSTSETUPOPT" ] ; then -- %{_sbindir}/setup-ds.pl -l $output2 -$DEBUGPOSTSETUPOPT -u -s General.UpdateMode=offline >> $output 2>&1 || : -+ %{_sbindir}/setup-ds.pl -$DEBUGPOSTSETUPOPT -u -s General.UpdateMode=offline >> $output 2>&1 || : - else -- %{_sbindir}/setup-ds.pl -l $output2 -u -s General.UpdateMode=offline >> $output 2>&1 || : -+ %{_sbindir}/setup-ds.pl -u -s General.UpdateMode=offline >> $output 2>&1 || : - fi - - # restart instances that require it --- -2.13.6 - diff --git a/SOURCES/0029-Ticket-49454-SSL-Client-Authentication-breaks-in-FIP.patch b/SOURCES/0029-Ticket-49454-SSL-Client-Authentication-breaks-in-FIP.patch deleted file mode 100644 index c46e333..0000000 --- a/SOURCES/0029-Ticket-49454-SSL-Client-Authentication-breaks-in-FIP.patch +++ /dev/null 
@@ -1,88 +0,0 @@
-From b1dfe53aaf7cb0260286423b9abf7d71f8edd421 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Wed, 15 Nov 2017 13:27:58 -0500
-Subject: [PATCH] Ticket 49454 - SSL Client Authentication breaks in FIPS mode
-
-Bug Description: Replication using SSL Client Auth breaks when FIPS
- is enabled. This is because FIPS mode changes the
- internal certificate token name.
-
-Fix Description: If FIPS is enabled grab the token name from the internal
- slot instead of using the default hardcoded internal
- token name.
-
-https://pagure.io/389-ds-base/issue/49454
-
-Reviewed by: firstyear(Thanks!)
-
-(cherry picked from commit 6e794a8eff213d49c933f781006e234984160db2)
----
- ldap/servers/slapd/proto-slap.h | 1 +
- ldap/servers/slapd/security_wrappers.c | 6 ++++++
- ldap/servers/slapd/ssl.c | 24 +++++++++++++++++-------
- 3 files changed, 24 insertions(+), 7 deletions(-)
-
-diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
-index 4a30def8b..3b7ab53b2 100644
---- a/ldap/servers/slapd/proto-slap.h
-+++ b/ldap/servers/slapd/proto-slap.h
-@@ -1130,6 +1130,7 @@ PRBool slapd_pk11_DoesMechanism(PK11SlotInfo *slot, CK_MECHANISM_TYPE type);
- PK11SymKey *slapd_pk11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey, CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags, PRBool isPerm);
- PK11SymKey *slapd_pk11_TokenKeyGenWithFlags(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *param, int keySize, SECItem *keyid, CK_FLAGS opFlags, PK11AttrFlags attrFlags, void *wincx);
- CK_MECHANISM_TYPE slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECItem *pwitem);
-+char *slapd_PK11_GetTokenName(PK11SlotInfo *slot);
-
- /*
- * start_tls_extop.c
-diff --git a/ldap/servers/slapd/security_wrappers.c b/ldap/servers/slapd/security_wrappers.c
-index bec28d2f3..41fe03608 100644
---- a/ldap/servers/slapd/security_wrappers.c
-+++ b/ldap/servers/slapd/security_wrappers.c
-@@ -401,3 +401,9 @@ slapd_PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **params, SECIte
- {
- return PK11_GetPBECryptoMechanism(algid, params, pwitem);
- }
-+
-+char *
-+slapd_PK11_GetTokenName(PK11SlotInfo *slot)
-+{
-+ return PK11_GetTokenName(slot);
-+}
-diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
-index efe32d5d0..52ac7ea9f 100644
---- a/ldap/servers/slapd/ssl.c
-+++ b/ldap/servers/slapd/ssl.c
-@@ -2365,13 +2365,23 @@ slapd_SSL_client_auth(LDAP *ld)
- ssltoken = slapi_entry_attr_get_charptr(entry, "nsssltoken");
- if (ssltoken && personality) {
- if (!PL_strcasecmp(ssltoken, "internal") ||
-- !PL_strcasecmp(ssltoken, "internal (software)")) {
--
-- /* Translate config internal name to more
-- * readable form. Certificate name is just
-- * the personality for internal tokens.
-- */
-- token = slapi_ch_strdup(internalTokenName);
-+ !PL_strcasecmp(ssltoken, "internal (software)"))
-+ {
-+ if ( slapd_pk11_isFIPS() ) {
-+ /*
-+ * FIPS mode changes the internal token name, so we need to
-+ * grab the new token name from the internal slot.
-+ */
-+ PK11SlotInfo *slot = slapd_pk11_getInternalSlot();
-+ token = slapi_ch_strdup(slapd_PK11_GetTokenName(slot));
-+ PK11_FreeSlot(slot);
-+ } else {
-+ /*
-+ * Translate config internal name to more readable form.
-+ * Certificate name is just the personality for internal tokens.
-+ */
-+ token = slapi_ch_strdup(internalTokenName);
-+ }
- #if defined(USE_OPENLDAP)
- /* openldap needs tokenname:certnick */
- PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
---
-2.13.6
-
diff --git a/SOURCES/0030-Ticket-49435-Fix-NS-race-condition-on-loaded-test-sy.patch b/SOURCES/0030-Ticket-49435-Fix-NS-race-condition-on-loaded-test-sy.patch
deleted file mode 100644
index 771963c..0000000
--- a/SOURCES/0030-Ticket-49435-Fix-NS-race-condition-on-loaded-test-sy.patch
+++ /dev/null
@@ -1,1029 +0,0 @@ -From 04605da5c813ffc818d874ae0a14790c166d792d Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Mon, 6 Nov 2017 08:56:01 +1000 -Subject: [PATCH] Ticket 49435 - Fix NS race condition on loaded test systems - -Bug Description: During a test run, on a heavily loaded systems -some events would time out before they could occur correctly. - -Fix Description: Change the structure of events to mitigate -a deref performance hit, and add a ns_job_wait conditional -that allows blocking on a job to complete so that tests do not -require time based checks. - -https://pagure.io/389-ds-base/issue/49435 - -Author: wibrown - -Review by: mreynolds (Thanks!) ---- - src/nunc-stans/include/nunc-stans.h | 12 +++ - src/nunc-stans/ns/ns_event_fw.h | 3 +- - src/nunc-stans/ns/ns_thrpool.c | 175 +++++++++++++++++++++-------------- - src/nunc-stans/test/test_nuncstans.c | 156 ++++++++++++++++++------------- - 4 files changed, 209 insertions(+), 137 deletions(-) - -diff --git a/src/nunc-stans/include/nunc-stans.h b/src/nunc-stans/include/nunc-stans.h -index 386a8d283..192e38ec3 100644 ---- a/src/nunc-stans/include/nunc-stans.h -+++ b/src/nunc-stans/include/nunc-stans.h -@@ -77,6 +77,10 @@ typedef enum _ns_result_t { - * This occurs when a lower level OS issue occurs, generally thread related. - */ - NS_THREAD_FAILURE = 5, -+ /** -+ * The job is being deleted -+ */ -+ NS_DELETING = 6, - } ns_result_t; - - /** -@@ -837,6 +841,14 @@ ns_job_type_t ns_job_get_output_type(struct ns_job_t *job); - ns_result_t ns_job_set_done_cb(struct ns_job_t *job, ns_job_func_t func); - - /** -+ * Block until a job is completed. This returns the next state of the job as as a return. -+ * -+ * \param job The job to set the callback for. -+ * \retval ns_job_state_t The next state the job will move to. IE, WAITING, DELETED, ARMED. 
-+ */ -+ns_result_t ns_job_wait(struct ns_job_t *job); -+ -+/** - * Creates a new thread pool - * - * Must be called with a struct ns_thrpool_config that has been -diff --git a/src/nunc-stans/ns/ns_event_fw.h b/src/nunc-stans/ns/ns_event_fw.h -index 436b28269..88997b24d 100644 ---- a/src/nunc-stans/ns/ns_event_fw.h -+++ b/src/nunc-stans/ns/ns_event_fw.h -@@ -80,7 +80,8 @@ typedef enum _ns_job_state { - interface between the app/thread pool/event framework */ - typedef struct ns_job_t - { -- pthread_mutex_t *monitor; -+ pthread_mutex_t monitor; -+ pthread_cond_t notify; - struct ns_thrpool_t *tp; - ns_job_func_t func; - struct ns_job_data_t *data; -diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c -index 2ad0bd799..1d8bb03f1 100644 ---- a/src/nunc-stans/ns/ns_thrpool.c -+++ b/src/nunc-stans/ns/ns_thrpool.c -@@ -214,7 +214,7 @@ job_queue_cleanup(void *arg) - static void - internal_ns_job_done(ns_job_t *job) - { -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - #ifdef DEBUG - ns_log(LOG_DEBUG, "internal_ns_job_done %x state %d moving to NS_JOB_DELETED\n", job, job->state); - #endif -@@ -239,9 +239,9 @@ internal_ns_job_done(ns_job_t *job) - job->done_cb(job); - } - -- pthread_mutex_unlock(job->monitor); -- pthread_mutex_destroy(job->monitor); -- ns_free(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); -+ pthread_mutex_destroy(&(job->monitor)); -+ pthread_cond_destroy(&(job->notify)); - - ns_free(job); - } -@@ -250,7 +250,7 @@ internal_ns_job_done(ns_job_t *job) - static void - internal_ns_job_rearm(ns_job_t *job) - { -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - PR_ASSERT(job->state == NS_JOB_NEEDS_ARM); - /* Don't think I need to check persistence here, it could be the first arm ... 
*/ - #ifdef DEBUG -@@ -267,7 +267,7 @@ internal_ns_job_rearm(ns_job_t *job) - /* Prevents an un-necessary queue / dequeue to the event_q */ - work_q_notify(job); - } -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - } - - static void -@@ -281,7 +281,7 @@ work_job_execute(ns_job_t *job) - * DELETED! Crashes abound, you have been warned ... - */ - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - #ifdef DEBUG - ns_log(LOG_DEBUG, "work_job_execute %x state %d moving to NS_JOB_RUNNING\n", job, job->state); - #endif -@@ -303,7 +303,12 @@ work_job_execute(ns_job_t *job) - #ifdef DEBUG - ns_log(LOG_DEBUG, "work_job_execute %x state %d job func complete, sending to job_done...\n", job, job->state); - #endif -- pthread_mutex_unlock(job->monitor); -+ /* -+ * Let waiters know we are done, they'll pick up once -+ * we unlock. -+ */ -+ pthread_cond_signal(&(job->notify)); -+ pthread_mutex_unlock(&(job->monitor)); - internal_ns_job_done(job); - /* MUST NOT ACCESS JOB AGAIN.*/ - } else if (job->state == NS_JOB_NEEDS_ARM) { -@@ -311,7 +316,8 @@ work_job_execute(ns_job_t *job) - ns_log(LOG_DEBUG, "work_job_execute %x state %d job func complete, sending to rearm...\n", job, job->state); - #endif - /* Rearm the job! */ -- pthread_mutex_unlock(job->monitor); -+ /* We *don't* notify here because we ARE NOT done! */ -+ pthread_mutex_unlock(&(job->monitor)); - internal_ns_job_rearm(job); - } else { - #ifdef DEBUG -@@ -321,7 +327,12 @@ work_job_execute(ns_job_t *job) - PR_ASSERT(!NS_JOB_IS_PERSIST(job->job_type)); - /* We are now idle, set waiting. */ - job->state = NS_JOB_WAITING; -- pthread_mutex_unlock(job->monitor); -+ /* -+ * Let waiters know we are done, they'll pick up once -+ * we unlock. 
-+ */ -+ pthread_cond_signal(&(job->notify)); -+ pthread_mutex_unlock(&(job->monitor)); - } - /* MUST NOT ACCESS JOB AGAIN */ - } -@@ -338,7 +349,7 @@ static void - work_q_notify(ns_job_t *job) - { - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - #ifdef DEBUG - ns_log(LOG_DEBUG, "work_q_notify %x state %d\n", job, job->state); - #endif -@@ -346,12 +357,12 @@ work_q_notify(ns_job_t *job) - if (job->state != NS_JOB_ARMED) { - /* Maybe we should return some error here? */ - ns_log(LOG_ERR, "work_q_notify %x state %d is not ARMED, cannot queue!\n", job, job->state); -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return; - } - /* MUST NOT ACCESS job after enqueue. So we stash tp.*/ - ns_thrpool_t *ltp = job->tp; -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - sds_lqueue_enqueue(ltp->work_q, (void *)job); - pthread_mutex_lock(&(ltp->work_q_lock)); - pthread_cond_signal(&(ltp->work_q_cv)); -@@ -411,13 +422,13 @@ static void - update_event(ns_job_t *job) - { - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - #ifdef DEBUG - ns_log(LOG_DEBUG, "update_event %x state %d\n", job, job->state); - #endif - PR_ASSERT(job->state == NS_JOB_NEEDS_DELETE || job->state == NS_JOB_ARMED); - if (job->state == NS_JOB_NEEDS_DELETE) { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - internal_ns_job_done(job); - return; - } else if (NS_JOB_IS_IO(job->job_type) || job->ns_event_fw_fd) { -@@ -426,7 +437,7 @@ update_event(ns_job_t *job) - } else { - job->tp->ns_event_fw->ns_event_fw_mod_io(job->tp->ns_event_fw_ctx, job); - } -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - /* We need these returns to prevent a race on the next else if condition when we release job->monitor */ - return; - } else if (NS_JOB_IS_TIMER(job->job_type) || job->ns_event_fw_time) { -@@ -435,7 
+446,7 @@ update_event(ns_job_t *job) - } else { - job->tp->ns_event_fw->ns_event_fw_mod_timer(job->tp->ns_event_fw_ctx, job); - } -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return; - } else if (NS_JOB_IS_SIGNAL(job->job_type) || job->ns_event_fw_sig) { - if (!job->ns_event_fw_sig) { -@@ -443,15 +454,15 @@ update_event(ns_job_t *job) - } else { - job->tp->ns_event_fw->ns_event_fw_mod_signal(job->tp->ns_event_fw_ctx, job); - } -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return; - } else { - /* It's a "run now" job. */ - if (NS_JOB_IS_THREAD(job->job_type)) { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - work_q_notify(job); - } else { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - event_q_notify(job); - } - } -@@ -602,14 +613,14 @@ event_cb(ns_job_t *job) - */ - - /* There is no guarantee this won't be called once we start to enter the shutdown, especially with timers .... */ -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - - PR_ASSERT(job->state == NS_JOB_ARMED || job->state == NS_JOB_NEEDS_DELETE); - if (job->state == NS_JOB_ARMED && NS_JOB_IS_THREAD(job->job_type)) { - #ifdef DEBUG - ns_log(LOG_DEBUG, "event_cb %x state %d threaded, send to work_q\n", job, job->state); - #endif -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - work_q_notify(job); - } else if (job->state == NS_JOB_NEEDS_DELETE) { - #ifdef DEBUG -@@ -620,14 +631,14 @@ event_cb(ns_job_t *job) - * It's here because it's been QUEUED for deletion and *may* be coming - * from the thrpool destroy thread! - */ -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - - } else { - #ifdef DEBUG - ns_log(LOG_DEBUG, "event_cb %x state %d non-threaded, execute right meow\n", job, job->state); - #endif - /* Not threaded, execute now! 
*/ -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - work_job_execute(job); - /* MUST NOT ACCESS JOB FROM THIS POINT */ - } -@@ -682,12 +693,12 @@ static ns_job_t * - new_ns_job(ns_thrpool_t *tp, PRFileDesc *fd, ns_job_type_t job_type, ns_job_func_t func, struct ns_job_data_t *data) - { - ns_job_t *job = ns_calloc(1, sizeof(ns_job_t)); -- job->monitor = ns_calloc(1, sizeof(pthread_mutex_t)); - - pthread_mutexattr_t *monitor_attr = ns_calloc(1, sizeof(pthread_mutexattr_t)); - pthread_mutexattr_init(monitor_attr); - pthread_mutexattr_settype(monitor_attr, PTHREAD_MUTEX_RECURSIVE); -- assert(pthread_mutex_init(job->monitor, monitor_attr) == 0); -+ assert(pthread_mutex_init(&(job->monitor), monitor_attr) == 0); -+ assert(pthread_cond_init(&(job->notify), NULL) == 0); - ns_free(monitor_attr); - - job->tp = tp; -@@ -746,14 +757,14 @@ ns_job_done(ns_job_t *job) - /* Get the shutdown state ONCE at the start, atomically */ - int32_t shutdown_state = ns_thrpool_is_shutdown(job->tp); - -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - - if (job->state == NS_JOB_NEEDS_DELETE || job->state == NS_JOB_DELETED) { - /* Just return if the job has been marked for deletion */ - #ifdef DEBUG - ns_log(LOG_DEBUG, "ns_job_done %x tp shutdown -> %x state %d return early\n", job, shutdown_state, job->state); - #endif -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NS_SUCCESS; - } - -@@ -762,7 +773,7 @@ ns_job_done(ns_job_t *job) - #ifdef DEBUG - ns_log(LOG_DEBUG, "ns_job_done %x tp shutdown -> false state %d failed to mark as done\n", job, job->state); - #endif -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NS_INVALID_STATE; - } - -@@ -773,13 +784,13 @@ ns_job_done(ns_job_t *job) - ns_log(LOG_DEBUG, "ns_job_done %x tp shutdown -> false state %d setting to async NS_JOB_NEEDS_DELETE\n", job, job->state); - #endif - job->state = NS_JOB_NEEDS_DELETE; 
-- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - } else if (!shutdown_state) { - #ifdef DEBUG - ns_log(LOG_DEBUG, "ns_job_done %x tp shutdown -> false state %d setting NS_JOB_NEEDS_DELETE and queuing\n", job, job->state); - #endif - job->state = NS_JOB_NEEDS_DELETE; -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - event_q_notify(job); - } else { - #ifdef DEBUG -@@ -787,7 +798,7 @@ ns_job_done(ns_job_t *job) - #endif - job->state = NS_JOB_NEEDS_DELETE; - /* We are shutting down, just remove it! */ -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - internal_ns_job_done(job); - } - return NS_SUCCESS; -@@ -849,12 +860,12 @@ ns_add_io_job(ns_thrpool_t *tp, PRFileDesc *fd, ns_job_type_t job_type, ns_job_f - return NS_ALLOCATION_FAILURE; - } - -- pthread_mutex_lock(_job->monitor); -+ pthread_mutex_lock(&(_job->monitor)); - #ifdef DEBUG - ns_log(LOG_DEBUG, "ns_add_io_job state %d moving to NS_JOB_ARMED\n", (_job)->state); - #endif - _job->state = NS_JOB_NEEDS_ARM; -- pthread_mutex_unlock(_job->monitor); -+ pthread_mutex_unlock(&(_job->monitor)); - internal_ns_job_rearm(_job); - - /* fill in a pointer to the job for the caller if requested */ -@@ -889,12 +900,12 @@ ns_add_timeout_job(ns_thrpool_t *tp, struct timeval *tv, ns_job_type_t job_type, - return NS_ALLOCATION_FAILURE; - } - -- pthread_mutex_lock(_job->monitor); -+ pthread_mutex_lock(&(_job->monitor)); - #ifdef DEBUG - ns_log(LOG_DEBUG, "ns_add_timeout_job state %d moving to NS_JOB_ARMED\n", (_job)->state); - #endif - _job->state = NS_JOB_NEEDS_ARM; -- pthread_mutex_unlock(_job->monitor); -+ pthread_mutex_unlock(&(_job->monitor)); - internal_ns_job_rearm(_job); - - /* fill in a pointer to the job for the caller if requested */ -@@ -944,14 +955,14 @@ ns_add_io_timeout_job(ns_thrpool_t *tp, PRFileDesc *fd, struct timeval *tv, ns_j - if (!_job) { - return NS_ALLOCATION_FAILURE; - } -- pthread_mutex_lock(_job->monitor); -+ 
pthread_mutex_lock(&(_job->monitor)); - _job->tv = *tv; - - #ifdef DEBUG - ns_log(LOG_DEBUG, "ns_add_io_timeout_job state %d moving to NS_JOB_ARMED\n", (_job)->state); - #endif - _job->state = NS_JOB_NEEDS_ARM; -- pthread_mutex_unlock(_job->monitor); -+ pthread_mutex_unlock(&(_job->monitor)); - internal_ns_job_rearm(_job); - - /* fill in a pointer to the job for the caller if requested */ -@@ -982,12 +993,12 @@ ns_add_signal_job(ns_thrpool_t *tp, int32_t signum, ns_job_type_t job_type, ns_j - return NS_ALLOCATION_FAILURE; - } - -- pthread_mutex_lock(_job->monitor); -+ pthread_mutex_lock(&(_job->monitor)); - #ifdef DEBUG - ns_log(LOG_DEBUG, "ns_add_signal_job state %d moving to NS_JOB_ARMED\n", (_job)->state); - #endif - _job->state = NS_JOB_NEEDS_ARM; -- pthread_mutex_unlock(_job->monitor); -+ pthread_mutex_unlock(&(_job->monitor)); - internal_ns_job_rearm(_job); - - /* fill in a pointer to the job for the caller if requested */ -@@ -1038,9 +1049,9 @@ ns_add_shutdown_job(ns_thrpool_t *tp) - if (!_job) { - return NS_ALLOCATION_FAILURE; - } -- pthread_mutex_lock(_job->monitor); -+ pthread_mutex_lock(&(_job->monitor)); - _job->state = NS_JOB_NEEDS_ARM; -- pthread_mutex_unlock(_job->monitor); -+ pthread_mutex_unlock(&(_job->monitor)); - internal_ns_job_rearm(_job); - return NS_SUCCESS; - } -@@ -1061,13 +1072,13 @@ void * - ns_job_get_data(ns_job_t *job) - { - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - PR_ASSERT(job->state != NS_JOB_DELETED); - if (job->state != NS_JOB_DELETED) { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return job->data; - } else { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NULL; - } - } -@@ -1076,14 +1087,14 @@ ns_result_t - ns_job_set_data(ns_job_t *job, void *data) - { - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - PR_ASSERT(job->state == NS_JOB_WAITING || 
job->state == NS_JOB_RUNNING); - if (job->state == NS_JOB_WAITING || job->state == NS_JOB_RUNNING) { - job->data = data; -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NS_SUCCESS; - } else { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NS_INVALID_STATE; - } - } -@@ -1092,13 +1103,13 @@ ns_thrpool_t * - ns_job_get_tp(ns_job_t *job) - { - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - PR_ASSERT(job->state != NS_JOB_DELETED); - if (job->state != NS_JOB_DELETED) { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return job->tp; - } else { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NULL; - } - } -@@ -1107,13 +1118,13 @@ ns_job_type_t - ns_job_get_output_type(ns_job_t *job) - { - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - PR_ASSERT(job->state == NS_JOB_RUNNING); - if (job->state == NS_JOB_RUNNING) { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return job->output_job_type; - } else { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return 0; - } - } -@@ -1122,13 +1133,13 @@ ns_job_type_t - ns_job_get_type(ns_job_t *job) - { - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - PR_ASSERT(job->state != NS_JOB_DELETED); - if (job->state != NS_JOB_DELETED) { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return job->job_type; - } else { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return 0; - } - } -@@ -1137,13 +1148,13 @@ PRFileDesc * - ns_job_get_fd(ns_job_t *job) - { - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - PR_ASSERT(job->state != NS_JOB_DELETED); - if (job->state != 
NS_JOB_DELETED) { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return job->fd; - } else { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NULL; - } - } -@@ -1152,18 +1163,40 @@ ns_result_t - ns_job_set_done_cb(struct ns_job_t *job, ns_job_func_t func) - { - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - PR_ASSERT(job->state == NS_JOB_WAITING || job->state == NS_JOB_RUNNING); - if (job->state == NS_JOB_WAITING || job->state == NS_JOB_RUNNING) { - job->done_cb = func; -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NS_SUCCESS; - } else { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NS_INVALID_STATE; - } - } - -+ns_result_t -+ns_job_wait(struct ns_job_t *job) { -+ PR_ASSERT(job); -+ pthread_mutex_lock(&(job->monitor)); -+ if (job->state == NS_JOB_WAITING) { -+ /* It's done */ -+ pthread_mutex_unlock(&(job->monitor)); -+ return NS_SUCCESS; -+ } else { -+ pthread_cond_wait(&(job->notify), &(job->monitor)); -+ ns_job_state_t result = job->state; -+ pthread_mutex_unlock(&(job->monitor)); -+ if (result == NS_JOB_WAITING) { -+ return NS_SUCCESS; -+ } else if (result == NS_JOB_NEEDS_DELETE) { -+ return NS_DELETING; -+ } else { -+ PR_ASSERT(1 == 0); -+ return NS_INVALID_STATE; -+ } -+ } -+} - - /* - * This is a convenience function - use if you need to re-arm the same event -@@ -1173,7 +1206,7 @@ ns_result_t - ns_job_rearm(ns_job_t *job) - { - PR_ASSERT(job); -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - PR_ASSERT(job->state == NS_JOB_WAITING || job->state == NS_JOB_RUNNING); - - if (ns_thrpool_is_shutdown(job->tp)) { -@@ -1186,7 +1219,7 @@ ns_job_rearm(ns_job_t *job) - #endif - job->state = NS_JOB_NEEDS_ARM; - internal_ns_job_rearm(job); -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return 
NS_SUCCESS; - } else if (!NS_JOB_IS_PERSIST(job->job_type) && job->state == NS_JOB_RUNNING) { - /* For this to be called, and NS_JOB_RUNNING, we *must* be the callback thread! */ -@@ -1195,10 +1228,10 @@ ns_job_rearm(ns_job_t *job) - ns_log(LOG_DEBUG, "ns_rearm_job %x state %d setting NS_JOB_NEEDS_ARM\n", job, job->state); - #endif - job->state = NS_JOB_NEEDS_ARM; -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NS_SUCCESS; - } else { -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - return NS_INVALID_STATE; - } - /* Unreachable code .... */ -@@ -1254,7 +1287,7 @@ setup_event_q_wakeup(ns_thrpool_t *tp) - NS_JOB_READ | NS_JOB_PERSIST | NS_JOB_PRESERVE_FD, - wakeup_cb, NULL); - -- pthread_mutex_lock(job->monitor); -+ pthread_mutex_lock(&(job->monitor)); - - /* The event_queue wakeup is ready, arm it. */ - #ifdef DEBUG -@@ -1267,7 +1300,7 @@ setup_event_q_wakeup(ns_thrpool_t *tp) - - /* Stash the wakeup job in tp so we can release it later. */ - tp->event_q_wakeup_job = job; -- pthread_mutex_unlock(job->monitor); -+ pthread_mutex_unlock(&(job->monitor)); - } - - /* Initialize the thrpool config */ -@@ -1463,7 +1496,7 @@ ns_thrpool_destroy(struct ns_thrpool_t *tp) - * and use it to wake up the event loop. 
- */ - -- pthread_mutex_lock(tp->event_q_wakeup_job->monitor); -+ pthread_mutex_lock(&(tp->event_q_wakeup_job->monitor)); - - // tp->event_q_wakeup_job->job_type |= NS_JOB_THREAD; - /* This triggers the job to "run", which will cause a shutdown cascade */ -@@ -1471,7 +1504,7 @@ ns_thrpool_destroy(struct ns_thrpool_t *tp) - ns_log(LOG_DEBUG, "ns_thrpool_destroy %x state %d moving to NS_JOB_NEEDS_DELETE\n", tp->event_q_wakeup_job, tp->event_q_wakeup_job->state); - #endif - tp->event_q_wakeup_job->state = NS_JOB_NEEDS_DELETE; -- pthread_mutex_unlock(tp->event_q_wakeup_job->monitor); -+ pthread_mutex_unlock(&(tp->event_q_wakeup_job->monitor)); - /* Has to be event_q_notify, not internal_job_done */ - event_q_notify(tp->event_q_wakeup_job); - -diff --git a/src/nunc-stans/test/test_nuncstans.c b/src/nunc-stans/test/test_nuncstans.c -index 629377a89..afe3c02fc 100644 ---- a/src/nunc-stans/test/test_nuncstans.c -+++ b/src/nunc-stans/test/test_nuncstans.c -@@ -55,14 +55,21 @@ - /* We need the internal headers for state checks */ - #include "../ns/ns_event_fw.h" - -+#include -+ -+#include -+ - #ifdef HAVE_STDLIB_H - #include - #endif - - - static int cb_check = 0; --static PRLock *cb_lock = NULL; --static PRCondVar *cb_cond = NULL; -+ -+static pthread_mutex_t cb_lock; -+static pthread_cond_t cb_cond; -+// static PRLock *cb_lock = NULL; -+// static PRCondVar *cb_cond = NULL; - - void - ns_test_logger(int priority __attribute__((unused)), const char *fmt, va_list varg) -@@ -71,6 +78,19 @@ ns_test_logger(int priority __attribute__((unused)), const char *fmt, va_list va - vprintf(fmt, varg); - } - -+static int -+cond_wait_rel(pthread_cond_t *restrict cond, pthread_mutex_t *restrict mutex, const struct timespec *restrict reltime) { -+ struct timespec now; -+ struct timespec abswait; -+ -+ clock_gettime(CLOCK_REALTIME, &now); -+ -+ abswait.tv_sec = now.tv_sec + reltime->tv_sec; -+ abswait.tv_nsec = now.tv_nsec + reltime->tv_nsec; -+ -+ return pthread_cond_timedwait(cond, mutex, 
&abswait); -+} -+ - /* All our other tests will use this in some form. */ - static int - ns_test_setup(void **state) -@@ -81,8 +101,8 @@ ns_test_setup(void **state) - /* Reset the callback check */ - cb_check = 0; - /* Create the cond var the CB check will use. */ -- cb_lock = PR_NewLock(); -- cb_cond = PR_NewCondVar(cb_lock); -+ assert(pthread_mutex_init(&cb_lock, NULL) == 0); -+ assert(pthread_cond_init(&cb_cond, NULL) == 0); - - ns_thrpool_config_init(&ns_config); - -@@ -105,8 +125,8 @@ ns_test_teardown(void **state) - - ns_thrpool_destroy(tp); - -- PR_DestroyCondVar(cb_cond); -- PR_DestroyLock(cb_lock); -+ pthread_cond_destroy(&cb_cond); -+ pthread_mutex_destroy(&cb_lock); - - return 0; - } -@@ -114,24 +134,23 @@ ns_test_teardown(void **state) - static void - ns_init_test_job_cb(struct ns_job_t *job __attribute__((unused))) - { -+ pthread_mutex_lock(&cb_lock); - cb_check += 1; -- PR_Lock(cb_lock); -- PR_NotifyCondVar(cb_cond); -- PR_Unlock(cb_lock); -+ pthread_cond_signal(&cb_cond); -+ pthread_mutex_unlock(&cb_lock); - } - - static void - ns_init_disarm_job_cb(struct ns_job_t *job) - { - if (ns_job_done(job) == NS_SUCCESS) { -+ pthread_mutex_lock(&cb_lock); - cb_check = 1; -+ pthread_cond_signal(&cb_cond); -+ pthread_mutex_unlock(&cb_lock); - } else { - assert_int_equal(1, 0); - } -- PR_Lock(cb_lock); -- PR_NotifyCondVar(cb_cond); -- /* Disarm ourselves */ -- PR_Unlock(cb_lock); - } - - static void -@@ -146,20 +165,20 @@ ns_init_test(void **state) - { - struct ns_thrpool_t *tp = *state; - struct ns_job_t *job = NULL; -+ struct timespec timeout = {1, 0}; - -- PR_Lock(cb_lock); -+ pthread_mutex_lock(&cb_lock); - assert_int_equal( - ns_add_job(tp, NS_JOB_NONE | NS_JOB_THREAD, ns_init_test_job_cb, NULL, &job), - 0); - -- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1)); -- PR_Unlock(cb_lock); -+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0); -+ pthread_mutex_unlock(&cb_lock); - - assert_int_equal(cb_check, 1); - - /* Once the job is done, it's not in the 
event queue, and it's complete */ -- /* We have to stall momentarily to let the work_job_execute release the job to us */ -- PR_Sleep(PR_SecondsToInterval(1)); -+ assert(ns_job_wait(job) == NS_SUCCESS); - assert_int_equal(ns_job_done(job), NS_SUCCESS); - } - -@@ -169,19 +188,20 @@ ns_set_data_test(void **state) - /* Add a job with data */ - struct ns_thrpool_t *tp = *state; - struct ns_job_t *job = NULL; -+ struct timespec timeout = {1, 0}; - - char *data = malloc(6); - - strcpy(data, "first"); - -- PR_Lock(cb_lock); -+ pthread_mutex_lock(&cb_lock); - assert_int_equal( - ns_add_job(tp, NS_JOB_NONE | NS_JOB_THREAD, ns_init_test_job_cb, data, &job), - NS_SUCCESS); - - /* Let the job run */ -- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1)); -- PR_Unlock(cb_lock); -+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0); -+ pthread_mutex_unlock(&cb_lock); - - /* Check that the data is correct */ - char *retrieved = (char *)ns_job_get_data(job); -@@ -193,16 +213,14 @@ ns_set_data_test(void **state) - data = malloc(7); - strcpy(data, "second"); - -- while (job->state != NS_JOB_WAITING) { -- PR_Sleep(PR_MillisecondsToInterval(50)); -- } -+ assert(ns_job_wait(job) == NS_SUCCESS); - ns_job_set_data(job, data); - - /* Rearm, and let it run again. */ -- PR_Lock(cb_lock); -+ pthread_mutex_lock(&cb_lock); - ns_job_rearm(job); -- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1)); -- PR_Unlock(cb_lock); -+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0); -+ pthread_mutex_unlock(&cb_lock); - - /* Make sure it's now what we expect */ - retrieved = (char *)ns_job_get_data(job); -@@ -218,9 +236,7 @@ ns_set_data_test(void **state) - * waiting. we might need a load barrier here ... 
- */ - -- while (job->state != NS_JOB_WAITING) { -- PR_Sleep(PR_MillisecondsToInterval(50)); -- } -+ assert(ns_job_wait(job) == NS_SUCCESS); - - assert_int_equal(ns_job_done(job), NS_SUCCESS); - } -@@ -230,8 +246,9 @@ ns_job_done_cb_test(void **state) - { - struct ns_thrpool_t *tp = *state; - struct ns_job_t *job = NULL; -+ struct timespec timeout = {1, 0}; - -- PR_Lock(cb_lock); -+ pthread_mutex_lock(&cb_lock); - assert_int_equal( - ns_create_job(tp, NS_JOB_NONE | NS_JOB_THREAD, ns_init_do_nothing_cb, &job), - NS_SUCCESS); -@@ -240,8 +257,8 @@ ns_job_done_cb_test(void **state) - /* Remove it */ - assert_int_equal(ns_job_done(job), NS_SUCCESS); - -- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1)); -- PR_Unlock(cb_lock); -+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0); -+ pthread_mutex_unlock(&cb_lock); - - assert_int_equal(cb_check, 1); - } -@@ -250,16 +267,15 @@ static void - ns_init_rearm_job_cb(struct ns_job_t *job) - { - if (ns_job_rearm(job) != NS_SUCCESS) { -+ pthread_mutex_lock(&cb_lock); - cb_check = 1; - /* we failed to re-arm as expected, let's go away ... */ - assert_int_equal(ns_job_done(job), NS_SUCCESS); -+ pthread_cond_signal(&cb_cond); -+ pthread_mutex_unlock(&cb_lock); - } else { - assert_int_equal(1, 0); - } -- PR_Lock(cb_lock); -- PR_NotifyCondVar(cb_cond); -- /* Disarm ourselves */ -- PR_Unlock(cb_lock); - } - - static void -@@ -268,8 +284,9 @@ ns_job_persist_rearm_ignore_test(void **state) - /* Test that rearm ignores the persistent job. */ - struct ns_thrpool_t *tp = *state; - struct ns_job_t *job = NULL; -+ struct timespec timeout = {1, 0}; - -- PR_Lock(cb_lock); -+ pthread_mutex_lock(&cb_lock); - assert_int_equal( - ns_create_job(tp, NS_JOB_NONE | NS_JOB_THREAD | NS_JOB_PERSIST, ns_init_rearm_job_cb, &job), - NS_SUCCESS); -@@ -281,8 +298,8 @@ ns_job_persist_rearm_ignore_test(void **state) - * should see only 1 in the cb_check. 
- */ - -- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1)); -- PR_Unlock(cb_lock); -+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0); -+ pthread_mutex_unlock(&cb_lock); - - /* If we fail to rearm, this is set to 1 Which is what we want. */ - assert_int_equal(cb_check, 1); -@@ -294,6 +311,7 @@ ns_job_persist_disarm_test(void **state) - /* Make a persistent job */ - struct ns_thrpool_t *tp = *state; - struct ns_job_t *job = NULL; -+ struct timespec timeout = {2, 0}; - - assert_int_equal( - ns_create_job(tp, NS_JOB_NONE | NS_JOB_PERSIST, ns_init_disarm_job_cb, &job), -@@ -302,9 +320,9 @@ ns_job_persist_disarm_test(void **state) - assert_int_equal(ns_job_rearm(job), NS_SUCCESS); - - /* In the callback it should disarm */ -- PR_Lock(cb_lock); -- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1)); -- PR_Unlock(cb_lock); -+ pthread_mutex_lock(&cb_lock); -+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0); -+ pthread_mutex_unlock(&cb_lock); - /* Make sure it did */ - assert_int_equal(cb_check, 1); - } -@@ -329,14 +347,13 @@ ns_job_persist_disarm_test(void **state) - static void - ns_init_race_done_job_cb(struct ns_job_t *job) - { -- cb_check += 1; - ns_job_done(job); - /* We need to sleep to let the job race happen */ - PR_Sleep(PR_SecondsToInterval(2)); -- PR_Lock(cb_lock); -- PR_NotifyCondVar(cb_cond); -- /* Disarm ourselves */ -- PR_Unlock(cb_lock); -+ pthread_mutex_lock(&cb_lock); -+ cb_check += 1; -+ pthread_cond_signal(&cb_cond); -+ pthread_mutex_unlock(&cb_lock); - } - - static void -@@ -344,14 +361,15 @@ ns_job_race_done_test(void **state) - { - struct ns_thrpool_t *tp = *state; - struct ns_job_t *job = NULL; -+ struct timespec timeout = {5, 0}; - -- PR_Lock(cb_lock); -+ pthread_mutex_lock(&cb_lock); - assert_int_equal( - ns_add_job(tp, NS_JOB_NONE | NS_JOB_THREAD, ns_init_race_done_job_cb, NULL, &job), - NS_SUCCESS); - -- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(5)); -- PR_Unlock(cb_lock); -+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) 
== 0); -+ pthread_mutex_unlock(&cb_lock); - - assert_int_equal(cb_check, 1); - } -@@ -365,8 +383,9 @@ ns_job_signal_cb_test(void **state) - { - struct ns_thrpool_t *tp = *state; - struct ns_job_t *job = NULL; -+ struct timespec timeout = {1, 0}; - -- PR_Lock(cb_lock); -+ pthread_mutex_lock(&cb_lock); - assert_int_equal( - ns_add_signal_job(tp, SIGUSR1, NS_JOB_SIGNAL, ns_init_test_job_cb, NULL, &job), - NS_SUCCESS); -@@ -376,8 +395,8 @@ ns_job_signal_cb_test(void **state) - /* Send the signal ... */ - raise(SIGUSR1); - -- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1)); -- PR_Unlock(cb_lock); -+ assert(cond_wait_rel(&cb_cond, &cb_lock, &timeout) == 0); -+ pthread_mutex_unlock(&cb_lock); - - assert_int_equal(cb_check, 1); - -@@ -408,12 +427,11 @@ ns_job_neg_timeout_test(void **state) - static void - ns_timer_job_cb(struct ns_job_t *job) - { -- cb_check += 1; - ns_job_done(job); -- PR_Lock(cb_lock); -- PR_NotifyCondVar(cb_cond); -- /* Disarm ourselves */ -- PR_Unlock(cb_lock); -+ pthread_mutex_lock(&cb_lock); -+ cb_check += 1; -+ pthread_cond_signal(&cb_cond); -+ pthread_mutex_unlock(&cb_lock); - } - - static void -@@ -421,16 +439,19 @@ ns_job_timer_test(void **state) - { - struct ns_thrpool_t *tp = *state; - struct ns_job_t *job = NULL; -- struct timeval tv = {2, 0}; -+ struct timeval tv = {3, 0}; -+ struct timespec timeout = {2, 0}; - -- PR_Lock(cb_lock); -+ pthread_mutex_lock(&cb_lock); - assert_true(ns_add_timeout_job(tp, &tv, NS_JOB_THREAD, ns_timer_job_cb, NULL, &job) == NS_SUCCESS); - -- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(1)); -+ cond_wait_rel(&cb_cond, &cb_lock, &timeout); -+ // pthread_mutex_unlock(&cb_lock); - assert_int_equal(cb_check, 0); - -- PR_WaitCondVar(cb_cond, PR_SecondsToInterval(2)); -- PR_Unlock(cb_lock); -+ // pthread_mutex_lock(&cb_lock); -+ cond_wait_rel(&cb_cond, &cb_lock, &timeout); -+ pthread_mutex_unlock(&cb_lock); - assert_int_equal(cb_check, 1); - } - -@@ -441,7 +462,9 @@ ns_job_timer_test(void **state) - static void - 
ns_timer_persist_job_cb(struct ns_job_t *job) - { -+ pthread_mutex_lock(&cb_lock); - cb_check += 1; -+ pthread_mutex_unlock(&cb_lock); - if (cb_check < 10) { - ns_job_rearm(job); - } else { -@@ -456,16 +479,19 @@ ns_job_timer_persist_test(void **state) - struct ns_job_t *job = NULL; - struct timeval tv = {1, 0}; - -- PR_Lock(cb_lock); - assert_true(ns_add_timeout_job(tp, &tv, NS_JOB_THREAD, ns_timer_persist_job_cb, NULL, &job) == NS_SUCCESS); - - PR_Sleep(PR_SecondsToInterval(5)); - -+ pthread_mutex_lock(&cb_lock); - assert_true(cb_check <= 6); -+ pthread_mutex_unlock(&cb_lock); - - PR_Sleep(PR_SecondsToInterval(6)); - -+ pthread_mutex_lock(&cb_lock); - assert_int_equal(cb_check, 10); -+ pthread_mutex_unlock(&cb_lock); - } - - int --- -2.13.6 - diff --git a/SOURCES/0031-Ticket-49410-opened-connection-can-remain-no-longer-.patch b/SOURCES/0031-Ticket-49410-opened-connection-can-remain-no-longer-.patch deleted file mode 100644 index b62e8b8..0000000 --- a/SOURCES/0031-Ticket-49410-opened-connection-can-remain-no-longer-.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 11cea14acfc11d0328013b61a3e1396e97dfe577 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Tue, 14 Nov 2017 16:29:03 +0100 -Subject: [PATCH] Ticket 49410 - opened connection can remain no longer poll, - like hanging - -Bug Description: - Some opened connection are no longer poll. - Those connections has 'gettingber' toggle set although there is - no more worker thread reading it. - The reason they have gettingber set is that the last - operation had 'persistent search' flag. With such flag - gettingber is not reset. - persistent flag is set even when no persistent search/sync_repl - was received on the connection. - The problem is that the flag is tested on the wrong operation. - The tested operation can be - - the first operation when the connection entered in turbo mode - - the previous operation if several ops PDUs were read on the network - - accessing random memory - - In theory testing the flag can lead to sigsev even - if it never crash - -Fix Description: - The fix is to use the operation that is in the pblock - In such case pb_op is no longer used, so we can get rid of it. 
- In addition make pb_conn a local variable where it is used - -https://pagure.io/389-ds-base/issue/49410 - -Reviewed by: Ludwig Krispenz, Mark Reynolds - -Platforms tested: F26 - -Flag Day: no - -Doc impact: no ---- - ldap/servers/slapd/connection.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c -index 24a7a1c05..3f19b9765 100644 ---- a/ldap/servers/slapd/connection.c -+++ b/ldap/servers/slapd/connection.c -@@ -1498,8 +1498,6 @@ connection_threadmain() - int maxthreads = 0; - int enable_nunc_stans = 0; - long bypasspollcnt = 0; -- Connection *pb_conn = NULL; -- Operation *pb_op = NULL; - - enable_nunc_stans = config_get_enable_nunc_stans(); - #if defined(hpux) -@@ -1520,6 +1518,8 @@ connection_threadmain() - } - - if (!thread_turbo_flag && !more_data) { -+ Connection *pb_conn = NULL; -+ - /* If more data is left from the previous connection_read_operation, - we should finish the op now. Client might be thinking it's - done sending the request and wait for the response forever. -@@ -1530,7 +1530,6 @@ connection_threadmain() - * Connection wait for new work provides the conn and op for us. - */ - slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn); -- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op); - - switch (ret) { - case CONN_NOWORK: -@@ -1786,7 +1785,7 @@ connection_threadmain() - /* total number of ops for the server */ - slapi_counter_increment(ops_completed); - /* If this op isn't a persistent search, remove it */ -- if (pb_op->o_flags & OP_FLAG_PS) { -+ if (op->o_flags & OP_FLAG_PS) { - PR_EnterMonitor(conn->c_mutex); - connection_release_nolock(conn); /* psearch acquires ref to conn - release this one now */ - PR_ExitMonitor(conn->c_mutex); --- -2.13.6 - diff --git a/SOURCES/0032-Ticket-49443-scope-one-searches-in-1.3.7-give-incorr.patch b/SOURCES/0032-Ticket-49443-scope-one-searches-in-1.3.7-give-incorr.patch deleted file mode 100644 index b90b8b2..0000000 
--- a/SOURCES/0032-Ticket-49443-scope-one-searches-in-1.3.7-give-incorr.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 5f38be985bc98969b0fdaa6ece8f84b11bdddc2f Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz
-Date: Thu, 9 Nov 2017 10:20:44 +0100
-Subject: [PATCH] Ticket 49443 - scope one searches in 1.3.7 give incorrect
- results
-
-Bug: if a onelevel search is done for an unidexed attribute, the filter test is skipped
- and all children of the search base are returned
-
-Fix: enforce filter test if allids
-
-Reviewed by: Mark, thanks
----
- ldap/servers/slapd/back-ldbm/idl_set.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ldap/servers/slapd/back-ldbm/idl_set.c b/ldap/servers/slapd/back-ldbm/idl_set.c
-index ba39ff03f..b68e7ab76 100644
---- a/ldap/servers/slapd/back-ldbm/idl_set.c
-+++ b/ldap/servers/slapd/back-ldbm/idl_set.c
-@@ -349,6 +349,11 @@ idl_set_intersect(IDListSet *idl_set, backend *be)
- {
- IDList *result_list = NULL;
-
-+ if (idl_set->allids) {
-+ /* if any component was allids we have to apply the filtertest */
-+ slapi_be_set_flag(be, SLAPI_BE_FLAG_DONT_BYPASS_FILTERTEST);
-+ }
-+
- if (idl_set->allids != 0 && idl_set->count == 0) {
- /*
- * We only have allids, so must be allids.
---
-2.13.6
-
diff --git a/SOURCES/0033-Ticket-49441-Import-crashes-with-large-indexed-binar.patch b/SOURCES/0033-Ticket-49441-Import-crashes-with-large-indexed-binar.patch
deleted file mode 100644
index d304225..0000000
--- a/SOURCES/0033-Ticket-49441-Import-crashes-with-large-indexed-binar.patch
+++ /dev/null
@@ -1,1048 +0,0 @@ -From 737a34433df469e0e2de9e70e3960eb253448109 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Mon, 6 Nov 2017 21:58:52 -0500 -Subject: [PATCH] Ticket 49441 - Import crashes with large indexed binary - attributes - -Bug Description: Importing an ldif file that contains entries with large - binary attributes that are indexed crashes the server. - The crash occurs when "encoding" the binary value to a - string for debug logging, where we "underflow" the buffer - space index which then allows the string buffer to overflow. - -Fix Description: While filling the string buffer with the encoded binary - value we need to make sure if the buffer space is greater - than zero before decrementing it. - - Also check if trace logging is being used before we actually - call the logging function which calls the "encoded" function - first. This way we avoid this costly "encoding" on every - index call we make. - -https://pagure.io/389-ds-base/issue/49441 - -Reviewed by: firstyear(Thanks!) 
- -(cherry picked from commit b4497c4f28501b188797e12909983853642af967) ---- - dirsrvtests/tests/data/ticket49441/binary.ldif | 858 +++++++++++++++++++++++++ - dirsrvtests/tests/tickets/ticket49441_test.py | 74 +++ - ldap/servers/slapd/back-ldbm/index.c | 21 +- - 3 files changed, 943 insertions(+), 10 deletions(-) - create mode 100644 dirsrvtests/tests/data/ticket49441/binary.ldif - create mode 100644 dirsrvtests/tests/tickets/ticket49441_test.py - -diff --git a/dirsrvtests/tests/data/ticket49441/binary.ldif b/dirsrvtests/tests/data/ticket49441/binary.ldif -new file mode 100644 -index 000000000..bdebaf817 ---- /dev/null -+++ b/dirsrvtests/tests/data/ticket49441/binary.ldif -@@ -0,0 +1,858 @@ -+version: 1 -+ -+# entry-id: 1 -+dn: dc=example,dc=com -+objectClass: domain -+objectClass: top -+dc: example -+nsUniqueId: f49ca102-c2ee11e7-9170b029-e68fda34 -+creatorsName: -+modifiersName: -+createTimestamp: 20171106123544Z -+modifyTimestamp: 20171106123544Z -+ -+# entry-id: 2 -+dn: ou=binary,dc=example,dc=com -+certificateRevocationList;binary:: MIITbjCCElYCAQEwDQYJKoZIhvcNAQEFBQAwVzELMAk -+ GA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9y -+ aXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQRcNMTcxMDE2MTUxNjAyWhcNMTcxMDE5MTUxNjAyWjCCE -+ ZcwIwIEV4cj0hcNMTYxMTMwMDAyNDA0WjAMMAoGA1UdFQQDCgEAMCMCBFeHI9EXDTE2MTEzMDAwMj -+ gwNVowDDAKBgNVHRUEAwoBADAjAgRXhyPPFw0xNjExMzAwMDIxNDJaMAwwCgYDVR0VBAMKAQAwIwI -+ EV4cjzhcNMTYxMTMwMDAzMTE0WjAMMAoGA1UdFQQDCgEAMCMCBFeHI2gXDTE2MTEyOTE1MTM0M1ow -+ DDAKBgNVHRUEAwoBADA9AgRXhwCzFw0xNjExMDIyMjQ0NThaMCYwCgYDVR0VBAMKAQEwGAYDVR0YB -+ BEYDzIwMTYwOTA3MDEzODU1WjAjAgRXhvE4Fw0xNjA4MDExNDA5MTFaMAwwCgYDVR0VBAMKAQAwIw -+ IEV4bxNxcNMTYwODAxMTQwODU4WjAMMAoGA1UdFQQDCgEAMCMCBEkD2YYXDTE2MDcwNTE1NTg0NVo -+ wDDAKBgNVHRUEAwoBADAjAgRJA9mFFw0xNjA3MDUxNTU1MTlaMAwwCgYDVR0VBAMKAQAwIwIESQPT -+ cRcNMTYxMTMwMDAyODA1WjAMMAoGA1UdFQQDCgEAMCMCBEkD03AXDTE2MTEzMDAwMjgwNVowDDAKB -+ gNVHRUEAwoBADAjAgRJA9NuFw0xNjA2MjAxNjQ4NTlaMAwwCgYDVR0VBAMKAQAwIwIESQPSOBcNMT -+ 
YwNjE3MTU1OTM4WjAMMAoGA1UdFQQDCgEAMCMCBEkD0jcXDTE2MTEzMDAwMzExNFowDDAKBgNVHRU -+ EAwoBADAjAgRJA9I0Fw0xNjA2MjAxNzAyMDJaMAwwCgYDVR0VBAMKAQAwIwIESQPSMxcNMTYwNjIw -+ MTcwMjAyWjAMMAoGA1UdFQQDCgEAMCMCBEkD0jEXDTE2MDYxNzE1NDgwMlowDDAKBgNVHRUEAwoBA -+ DAjAgRJA9IwFw0xNjExMzAwMDMxMTRaMAwwCgYDVR0VBAMKAQAwIwIESQPSLhcNMTYwNjE3MTU0MD -+ A2WjAMMAoGA1UdFQQDCgEAMCMCBEkD0VIXDTE2MTEzMDAwMzExNFowDDAKBgNVHRUEAwoBADAjAgR -+ JA9FRFw0xNjExMzAwMDMxMTRaMAwwCgYDVR0VBAMKAQAwIwIESQPRTxcNMTYwNjE1MTkyMDU4WjAM -+ MAoGA1UdFQQDCgEAMCMCBEkD0U4XDTE2MDYxNTE5MjYyMlowDDAKBgNVHRUEAwoBADAjAgRJA9FLF -+ w0xNjA2MTUxODQ5MzZaMAwwCgYDVR0VBAMKAQAwIwIESQPRShcNMTYwNjE1MTQzNDU1WjAMMAoGA1 -+ UdFQQDCgEAMCMCBEkD0UkXDTE2MDYxNTE0MzEyMlowDDAKBgNVHRUEAwoBADAjAgRJA9FIFw0xNjA -+ 2MTUxNDMwMTdaMAwwCgYDVR0VBAMKAQAwIwIESQPQexcNMTYwNjE1MTkyNjIyWjAMMAoGA1UdFQQD -+ CgEAMCMCBEkD0HoXDTE2MDYxNTE5MjYyMlowDDAKBgNVHRUEAwoBADAjAgRJA9B4Fw0xNjA2MTQxM -+ TQ3MzlaMAwwCgYDVR0VBAMKAQAwIwIESQPQdxcNMTYwNjE1MTkyNTU5WjAMMAoGA1UdFQQDCgEAMC -+ MCBEkD0HYXDTE2MDYxNTE5MjU1OVowDDAKBgNVHRUEAwoBADAjAgRJA9B0Fw0xNjA2MTQxMTQzMzh -+ aMAwwCgYDVR0VBAMKAQAwIwIESQPQcxcNMTYwNjE0MTE0MDU4WjAMMAoGA1UdFQQDCgEAMCMCBEkD -+ 0HIXDTE2MDYxNTE5MjU0NlowDDAKBgNVHRUEAwoBADAjAgRJA9BwFw0xNjA2MTQxMTE3NDlaMAwwC -+ gYDVR0VBAMKAQAwIwIESQPLhhcNMTYwNjAxMjI1NTA1WjAMMAoGA1UdFQQDCgEAMCMCBEkDyRgXDT -+ E2MDUyNjIxNDQwOFowDDAKBgNVHRUEAwoBADAjAgRJA8kXFw0xNjA1MjYyMTQzMjdaMAwwCgYDVR0 -+ VBAMKAQAwIwIESQPIsRcNMTYwNTI2MTUxOTMwWjAMMAoGA1UdFQQDCgEAMCMCBEkDmmEXDTE2MDYx -+ NTE5MjU0NlowDDAKBgNVHRUEAwoBADAjAgRJA5pgFw0xNjA2MTUxOTI1NDZaMAwwCgYDVR0VBAMKA -+ QAwIwIESQOZ9RcNMTYwNjE1MTkyNDQzWjAMMAoGA1UdFQQDCgEFMCMCBEkDmfQXDTE2MDYxNTE5Mj -+ Q0M1owDDAKBgNVHRUEAwoBBTAjAgRJA5nyFw0xNjAyMDExOTM0MTlaMAwwCgYDVR0VBAMKAQAwIwI -+ ESQOXgBcNMTYwMTI2MTUwNTE5WjAMMAoGA1UdFQQDCgEAMCMCBEkDh0oXDTE1MTIxNzE3MzE0NVow -+ DDAKBgNVHRUEAwoBAzAjAgRJA3ZBFw0xNjAyMDIxNDM3MTZaMAwwCgYDVR0VBAMKAQMwIwIESQN2Q -+ BcNMTYwMjAyMTQzNzAzWjAMMAoGA1UdFQQDCgEDMCMCBEkDXsUXDTE1MTIwODIwMTM0OVowDDAKBg -+ 
NVHRUEAwoBAzAjAgRJA17EFw0xNTEyMDgyMDEzNDlaMAwwCgYDVR0VBAMKAQMwIwIESQNewxcNMTU -+ xMjA4MjAxMzUwWjAMMAoGA1UdFQQDCgEDMCMCBEkDWrkXDTE1MTIwODIwMTM1MFowDDAKBgNVHRUE -+ AwoBAzAjAgRJA1q4Fw0xNTEyMDgyMDEzNTBaMAwwCgYDVR0VBAMKAQMwIwIESQNatxcNMTUxMjA4M -+ jAxMzUwWjAMMAoGA1UdFQQDCgEDMCMCBEkDNjMXDTE2MDcwNTIwMDcxMlowDDAKBgNVHRUEAwoBBT -+ AjAgRJAwpwFw0xNjA2MTUxOTQwMDNaMAwwCgYDVR0VBAMKAQAwIwIESQMKbxcNMTYwNjE1MTk0MDA -+ zWjAMMAoGA1UdFQQDCgEAMCMCBEkC2Z0XDTE0MTAyMDE2NDgzN1owDDAKBgNVHRUEAwoBBTAjAgRJ -+ AthhFw0xNDEwMjAxNjQ4MzdaMAwwCgYDVR0VBAMKAQUwIwIESQLX7RcNMTQxMTEyMjAyNjA1WjAMM -+ AoGA1UdFQQDCgEFMCMCBEkC1+sXDTE0MTAyNzE1NTI1OVowDDAKBgNVHRUEAwoBAzAjAgRJAn2hFw -+ 0xNDAzMTMxNjUwMjZaMAwwCgYDVR0VBAMKAQAwIwIESQJ9MxcNMTQwMzEyMTUxODI5WjAMMAoGA1U -+ dFQQDCgEAMCMCBEkCfTEXDTE0MDMxMjExMzMzNVowDDAKBgNVHRUEAwoBADAjAgRJAn0wFw0xNDAz -+ MTIxMjE4MjFaMAwwCgYDVR0VBAMKAQAwIwIESQJ8YxcNMTQwMzEyMTEyNzEwWjAMMAoGA1UdFQQDC -+ gEAMCMCBEkCfGEXDTE0MDMxMDE0NTYxNlowDDAKBgNVHRUEAwoBADAjAgRJAnxgFw0xNDAzMTAxNT -+ A4MTVaMAwwCgYDVR0VBAMKAQAwIwIESQJ8XhcNMTQwMzEwMTIzMDM3WjAMMAoGA1UdFQQDCgEAMCM -+ CBEkCfF0XDTE0MDMxMDE0NTMyMlowDDAKBgNVHRUEAwoBADAjAgRJAnxbFw0xNDAzMTAxMDQ5NDBa -+ MAwwCgYDVR0VBAMKAQAwIwIESQJ8WhcNMTQwMzEwMTIwOTM2WjAMMAoGA1UdFQQDCgEAMCMCBEkCe -+ ywXDTE0MDMwNzEwMzcxM1owDDAKBgNVHRUEAwoBADAjAgRJAnsrFw0xNDAzMTAxMDQ3MTdaMAwwCg -+ YDVR0VBAMKAQAwIwIESQJ6xRcNMTQwMzA2MTEwMDM3WjAMMAoGA1UdFQQDCgEAMCMCBEkCesQXDTE -+ 0MDMwNzEwMzMyNVowDDAKBgNVHRUEAwoBADAjAgRJAm7jFw0xNDAyMDQyMTMwMjFaMAwwCgYDVR0V -+ BAMKAQAwIwIESQJrWhcNMTQwMTI3MTIyMTI0WjAMMAoGA1UdFQQDCgEAMCMCBEkCa1kXDTE0MDMwN -+ jEwNTY0OFowDDAKBgNVHRUEAwoBADAjAgRJAmjyFw0xNDAxMjExMDEyMTlaMAwwCgYDVR0VBAMKAQ -+ AwIwIESQJiPRcNMTQwMTAyMTYwMjIxWjAMMAoGA1UdFQQDCgEAMCMCBEkCXFgXDTEzMTIxODE3NTI -+ wNVowDDAKBgNVHRUEAwoBADAjAgRJAlW1Fw0xMzEyMDIxNTAzNTVaMAwwCgYDVR0VBAMKAQAwIwIE -+ SQJVshcNMTMxMjAyMTQ1NTM2WjAMMAoGA1UdFQQDCgEAMCMCBEkCVbEXDTEzMTIwMjE0NTk1OVowD -+ DAKBgNVHRUEAwoBADAjAgRJAlWvFw0xMzEyMDIxNDE3MzBaMAwwCgYDVR0VBAMKAQAwIwIESQJVrh -+ 
cNMTMxMjAyMTQ0OTMxWjAMMAoGA1UdFQQDCgEAMCMCBEkCVawXDTEzMTIwMjEzMTA1OFowDDAKBgN -+ VHRUEAwoBADAjAgRJAlWrFw0xMzEyMDIxNDEyMTVaMAwwCgYDVR0VBAMKAQAwIwIESQJONRcNMTMx -+ MTEyMjExMzI0WjAMMAoGA1UdFQQDCgEAMCMCBEkCJrkXDTEzMDkxMDA2NDUyNFowDDAKBgNVHRUEA -+ woBADAjAgRJAhmPFw0xMzA4MjExMDM0MTFaMAwwCgYDVR0VBAMKAQAwIwIESQIVrBcNMTMwODEyMT -+ g1NTU1WjAMMAoGA1UdFQQDCgEAMCMCBEkCFasXDTEzMTIxODE3MDQ0MlowDDAKBgNVHRUEAwoBADA -+ jAgRJAhAoFw0xMzA3MjkxNjAwMzVaMAwwCgYDVR0VBAMKAQAwIwIESQIQJxcNMTQwMTAyMTU1MDUy -+ WjAMMAoGA1UdFQQDCgEAMCMCBEkCCh8XDTEzMDcxNTA3MzY1NlowDDAKBgNVHRUEAwoBADAjAgRJA -+ gexFw0xMzA3MDgxNTU5MTRaMAwwCgYDVR0VBAMKAQAwIwIESQH73BcNMTMwNzI5MTU1NTAzWjAMMA -+ oGA1UdFQQDCgEAMCMCBEkB5EcXDTEzMDUyOTE0MDUyNVowDDAKBgNVHRUEAwoBADAjAgRJAcDtFw0 -+ xMzA1MTAyMDExNTBaMAwwCgYDVR0VBAMKAQAwIwIESQGmXBcNMTMwNDEwMDkyMTI2WjAMMAoGA1Ud -+ FQQDCgEAMCMCBEkBnj0XDTEzMDMyNTE4MTc0MFowDDAKBgNVHRUEAwoBADAjAgRJAYMOFw0xMzAyM -+ TExMTEwNDdaMAwwCgYDVR0VBAMKAQAwIwIESQF4PRcNMTMwODEyMTg0ODE2WjAMMAoGA1UdFQQDCg -+ EAMCMCBEkBcwcXDTEzMDEwMzE2NTgyMFowDDAKBgNVHRUEAwoBADAjAgRJAXMEFw0xMzAxMDMxMDA -+ yMjRaMAwwCgYDVR0VBAMKAQAwIwIESQFuRxcNMTMxMDA3MTMwMjM1WjAMMAoGA1UdFQQDCgEFMCMC -+ BEkBaLsXDTEzMDQxMDA5MTY1NVowDDAKBgNVHRUEAwoBADAjAgRJAWaQFw0xMjExMjkxNjAxMzJaM -+ AwwCgYDVR0VBAMKAQAwIwIESQFmhBcNMTIxMTI5MTE1NTIyWjAMMAoGA1UdFQQDCgEAMCMCBEkBZo -+ MXDTEyMTEyOTE1MjYwNVowDDAKBgNVHRUEAwoBADAjAgRJAWaBFw0xMjExMjkxMTAzNTJaMAwwCgY -+ DVR0VBAMKAQAwIwIESQFmgBcNMTIxMTI5MTE1MTU4WjAMMAoGA1UdFQQDCgEAMCMCBEkBYT8XDTEy -+ MTExNTA5NTI1OVowDDAKBgNVHRUEAwoBADAjAgRJAWCrFw0xMjExMTQxNDM2NDVaMAwwCgYDVR0VB -+ AMKAQAwIwIESQFgqhcNMTIxMTE1MDk0ODI1WjAMMAoGA1UdFQQDCgEAMCMCBEkBXT4XDTEzMTIwMj -+ EzMDcwMVowDDAKBgNVHRUEAwoBADAjAgRJAVvbFw0xMjExMjkxMTAwMzFaMAwwCgYDVR0VBAMKAQC -+ gMDAuMAsGA1UdFAQEAgIo8DAfBgNVHSMEGDAWgBT0Fi4Bu6uQGaQoQg2dwB+crxCGKzANBgkqhkiG -+ 9w0BAQUFAAOCAQEATe14zpsSjrGcW4yNZrdGtsupuJge+DQV+h1ZwBEQtsmOmMvbSdMsu+vMvTzHQ -+ KWJq56picjixY6v4vPqhRRZWP8evOc0NuoxpiUhgez3CKFQoJ2bdeaS/WCfqss3Sa4FZTUzkVWZde -+ 
moDH8CcHt5in3H7SwF5i9/rKB/bLuTjQg+LRKh2E9+FAkJn1S/ZRh1Vjd/KuRFOXD6odjV54oTWE0 -+ 6PcHBdwip62ridLdQopt3+e1UgwKBNJAmBD6uMN1tPmenUYWxh4xI7Ft4HQR58TdIiTZmfQHmEkjl -+ dBNEAoUK1hvRy6E2mSdRq9Yex8f+rGdxI1+++6lHaN1+M8jQ4g== -+userCertificate;binary:: MIKE/jCCg+YCAQEwX6FdMFukWTBXMQswCQYDVQQGEwJVUzEQMA4GA -+ 1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECx -+ MJRENvbVN1YkNBMGegZTBjMFukWTBXMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCA -+ GA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBAgRIwMPg -+ MA0GCSqGSIb3DQEBBQUAAgRXh6kjMCIYDzIwMTcxMDE1MjI0NjEzWhgPMjAxNzExMTQyMjQ2MTNaM -+ IKCuTCCEQoGCSqGSIb2fQdEADGCEPswghD3gAEEMIIQ8DBvMFcxCzAJBgNVBAYTAlVTMRAwDgYDVQ -+ QKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwl -+ EQ29tU3ViQ0EWFENBIERvbWFpbiBTZWFyY2hiYXNlME4wPzEVMBMGCgmSJomT8ixkARkWBWxvY2Fs -+ MRQwEgYKCZImiZPyLGQBGRYEVGVzdDEQMA4GA1UECxMHRGV2aWNlcxYLQ0xTIERldmljZXMwgYswa -+ DEVMBMGCgmSJomT8ixkARkWBWxvY2FsMRQwEgYKCZImiZPyLGQBGRYEVGVzdDETMBEGA1UECxMKVG -+ VzdCBVc2VyczEkMCIGA1UECxMbU1NPIEFkbWluaXN0cmF0aW9uIEFjY291bnRzFh9DTFMgU1NPIEF -+ kbWluaXN0cmF0aW9uIEFjY291bnRzMFQwQjEVMBMGCgmSJomT8ixkARkWBWxvY2FsMRQwEgYKCZIm -+ iZPyLGQBGRYEVGVzdDETMBEGA1UECxMKVGVzdCBVc2VycxYOQ0xTIFRlc3QgVXNlcnMwfDBfMRUwE -+ wYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgRUZXN0MRswGQYDVQQLExJEb21haW -+ 4gQ29udHJvbGxlcnMxEzARBgNVBAsTCkdCIFNlcnZlcnMWGUNMUyBHQiBEb21haW4gQ29udHJvbGx -+ lcnMwfDBfMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/IsZAEZFgR0ZXN0MRswGQYD -+ VQQLExJEb21haW4gQ29udHJvbGxlcnMxEzARBgNVBAsTClVTIFNlcnZlcnMWGUNMUyBVUyBEb21ha -+ W4gQ29udHJvbGxlcnMwgaIwgY4xFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgmSJomT8ixkAR -+ kWBFRlc3QxFDASBgNVBAsTC1Rlc3QtT2ZmaWNlMRAwDgYDVQQLEwdTZXJ2ZXJzMRMwEQYDVQQLEwp -+ HQiBTZXJ2ZXJzMRQwEgYDVQQLEwtBcHBsaWNhdGlvbjEMMAoGA1UECxMDV0VCFg9DTFMgR0IgV2Vi -+ IEFwcHMwgbUwgaExFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgmSJomT8ixkARkWBFRlc3QxF -+ DASBgNVBAsTC1Rlc3QtT2ZmaWNlMRAwDgYDVQQLEwdTZXJ2ZXJzMRMwEQYDVQQLEwpHQiBTZXJ2ZX -+ 
JzMRQwEgYDVQQLEwtBcHBsaWNhdGlvbjEMMAoGA1UECxMDV0VCMREwDwYDVQQLEwhJbnRyYW5ldBY -+ PQ0xTIEdCIEludHJhbmV0MIG1MIGhMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFDASBgoJkiaJk/Is -+ ZAEZFgRUZXN0MRQwEgYDVQQLEwtUZXN0LU9mZmljZTEQMA4GA1UECxMHU2VydmVyczETMBEGA1UEC -+ xMKVVMgU2VydmVyczEUMBIGA1UECxMLQXBwbGljYXRpb24xDDAKBgNVBAsTA1dFQjERMA8GA1UECx -+ MISW50cmFuZXQWD0NMUyBVUyBJbnRyYW5ldDA8MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnR -+ ydXN0MRAwDgYDVQQLEwdEeW5Db3JwFgdEeW5Db3JwMEowODELMAkGA1UEBhMCVVMxEDAOBgNVBAoT -+ B0VudHJ1c3QxFzAVBgNVBAsTDkFkbWluaXN0cmF0b3JzFg5BZG1pbmlzdHJhdG9yczBKMDgxCzAJB -+ gNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MRcwFQYDVQQLEw5HZW5lcmFsIE1vdG9ycxYOR2VuZX -+ JhbCBNb3RvcnMwczBZMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEXMBUGA1UECxMOR2V -+ uZXJhbCBNb3RvcnMxHzAdBgNVBAsTFkdNIFVzZXIgQWRtaW5pc3RyYXRvcnMWFkdNIFVzZXIgQWRt -+ aW5pc3RyYXRvcnMwXzBPMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEXMBUGA1UECxMOR -+ 2VuZXJhbCBNb3RvcnMxFTATBgNVBAsTDEdNIEVuZCBVc2VycxYMR00gRW5kIFVzZXJzMFYwQzEVMB -+ MGCgmSJomT8ixkARkWBWxvY2FsMRQwEgYKCZImiZPyLGQBGRYEVGVzdDEUMBIGA1UECxMLV2ViIFN -+ lcnZlcnMWD0NMUyBXZWIgU2VydmVyczBeMEcxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgmS -+ JomT8ixkARkWBFRlc3QxGDAWBgNVBAsTD0NNUyBBZG1pbiBVc2VycxYTQ0xTIENNUyBBZG1pbiBVc -+ 2VyczBeMEcxFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgmSJomT8ixkARkWBFRlc3QxGDAWBg -+ NVBAsTD1BLSSBBZG1pbiBVc2VycxYTQ0xTIFBLSSBBZG1pbiBVc2VyczBLMD8xCzAJBgNVBAYTAnV -+ zMRAwDgYDVQQKEwdlbnRydXN0MQ8wDQYDVQQLEwZtb2JpbGUxDTALBgNVBAsTBGRlbW8WCERlbW8g -+ TURNMEgwMzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxEjAQBgNVBAsTCUVtcGxveWVlc -+ xYRRW50cnVzdCBFbXBsb3llZXMwWzBQMRUwEwYKCZImiZPyLGQBGRYFTG9jYWwxFDASBgoJkiaJk/ -+ IsZAEZFgRUZXN0MRMwEQYDVQQLEwpUZXN0IFVzZXJzMQwwCgYDVQQHEwNERVYWB0NMUyBERVYwJDA -+ cMQswCQYDVQQGEwJ1czENMAsGA1UEChMETklTVBYETklTVDB2MGcxCzAJBgNVBAYTAlVTMRAwDgYD -+ VQQKEwdFbnRydXN0MRkwFwYDVQQLExBNYW5hZ2VkIFNlcnZpY2VzMRkwFwYDVQQLExBEZW1vIENvb -+ VByaXYgU3ViMRAwDgYDVQQLEwdEZXZpY2VzFgtNU08gRGV2aWNlczCBhDBuMQswCQYDVQQGEwJVUz -+ 
EQMA4GA1UEChMHRW50cnVzdDEZMBcGA1UECxMQTWFuYWdlZCBTZXJ2aWNlczEZMBcGA1UECxMQRGV -+ tbyBDb21Qcml2IFN1YjEXMBUGA1UECxMOQWRtaW5pc3RyYXRvcnMWEk1TTyBBZG1pbmlzdHJhdG9y -+ czB6MGkxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MRkwFwYDVQQLExBNYW5hZ2VkIFNlc -+ nZpY2VzMRkwFwYDVQQLExBEZW1vIENvbVByaXYgU3ViMRIwEAYDVQQLEwlFbXBsb3llZXMWDU1TTy -+ BFbXBsb3llZXMwRDAxMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHR290U3ZlbjEQMA4GA1UECxMHRGV -+ 2aWNlcxYPR290U3ZlbiBEZXZpY2VzMIGEMFoxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0 -+ MSAwHgYDVQQLExdFbnRydXN0IFNhbGVzIEVuZ2luZWVyczEXMBUGA1UECxMOQWRtaW5pc3RyYXRvc -+ nMWJkVudHJ1c3QgU2FsZXMgRW5naW5lZXJzIEFkbWluaXN0cmF0b3JzMHYwUzELMAkGA1UEBhMCVV -+ MxEDAOBgNVBAoTB0VudHJ1c3QxIDAeBgNVBAsTF0VudHJ1c3QgU2FsZXMgRW5naW5lZXJzMRAwDgY -+ DVQQLEwdEZXZpY2VzFh9FbnRydXN0IFNhbGVzIEVuZ2luZWVycyBEZXZpY2VzMHIwUTELMAkGA1UE -+ BhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIDAeBgNVBAsTF0VudHJ1c3QgU2FsZXMgRW5naW5lZXJzM -+ Q4wDAYDVQQLEwVDYXJkcxYdRW50cnVzdCBTYWxlcyBFbmdpbmVlcnMgQ2FyZHMwdDBSMQswCQYDVQ -+ QGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEgMB4GA1UECxMXRW50cnVzdCBTYWxlcyBFbmdpbmVlcnM -+ xDzANBgNVBAsTBlBlb3BsZRYeRW50cnVzdCBTYWxlcyBFbmdpbmVlcnMgUGVvcGxlMIGKMF0xCzAJ -+ BgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSMwIQYDVQQLExpFbnRydXN0IFByb2R1Y3QgTWFuY -+ WdlbWVudDEXMBUGA1UECxMOQWRtaW5pc3RyYXRvcnMWKUVudHJ1c3QgUHJvZHVjdCBNYW5hZ2VtZW -+ 50IEFkbWluaXN0cmF0b3JzMHwwVjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIzAhBgN -+ VBAsTGkVudHJ1c3QgUHJvZHVjdCBNYW5hZ2VtZW50MRAwDgYDVQQLEwdEZXZpY2VzFiJFbnRydXN0 -+ IFByb2R1Y3QgTWFuYWdlbWVudCBEZXZpY2VzMHgwVDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0Vud -+ HJ1c3QxIzAhBgNVBAsTGkVudHJ1c3QgUHJvZHVjdCBNYW5hZ2VtZW50MQ4wDAYDVQQLEwVDYXJkcx -+ YgRW50cnVzdCBQcm9kdWN0IE1hbmFnZW1lbnQgQ2FyZHMwejBVMQswCQYDVQQGEwJVUzEQMA4GA1U -+ EChMHRW50cnVzdDEjMCEGA1UECxMaRW50cnVzdCBQcm9kdWN0IE1hbmFnZW1lbnQxDzANBgNVBAsT -+ BlBlb3BsZRYhRW50cnVzdCBQcm9kdWN0IE1hbmFnZW1lbnQgUGVvcGxlMCQwHDELMAkGA1UEBhMCT -+ loxDTALBgNVBAoTBExJTloWBExJTlowTDA1MQswCQYDVQQGEwJOWjENMAsGA1UEChMETElOWjEXMB -+ 
UGA1UECxMOQWRtaW5pc3RyYXRvcnMWE0xJTlogQWRtaW5pc3RyYXRvcnMwPjAuMQswCQYDVQQGEwJ -+ OWjENMAsGA1UEChMETElOWjEQMA4GA1UECxMHRGV2aWNlcxYMTElOWiBEZXZpY2VzMDwwLTELMAkG -+ A1UEBhMCTloxDTALBgNVBAoTBExJTloxDzANBgNVBAsTBlBlb3BsZRYLTElOWiBQZW9wbGUwVDA0M -+ QswCQYDVQQGEwJVUzElMCMGA1UEChMcTWFnZWxsYW4gSGVhbHRoIFNlcnZpY2VzIEluYxYcTWFnZW -+ xsYW4gSGVhbHRoIFNlcnZpY2VzIEluYzBnMFExFTATBgoJkiaJk/IsZAEZFgVsb2NhbDEUMBIGCgm -+ SJomT8ixkARkWBHRlc3QxEzARBgNVBAsTClRlc3QgVXNlcnMxDTALBgNVBAcTBFRlc3QWEkNMUyBU -+ ZXN0IFVzZXIgVGVzdDBEMDoxCzAJBgNVBAYTAnVzMSswKQYDVQQKEyJGZWRlcmFsIEhvbWUgTG9hb -+ iBCYW5rIG9mIE5ldyBZb3JrFgZGSExCTlkwWjBKMQswCQYDVQQGEwJ1czErMCkGA1UEChMiRmVkZX -+ JhbCBIb21lIExvYW4gQmFuayBvZiBOZXcgWW9yazEOMAwGA1UECxMFMUxpbmsWDEZITEJOWSAxTGl -+ uazBcMEsxCzAJBgNVBAYTAnVzMSswKQYDVQQKEyJGZWRlcmFsIEhvbWUgTG9hbiBCYW5rIG9mIE5l -+ dyBZb3JrMQ8wDQYDVQQLEwZBZG1pbnMWDUZITEJOWSBBZG1pbnMwSAYJKoZIhvZ9B0QQMTswOTAQA -+ gEAAgEAAgEIAgEPAwIDeDAQAgEAAgEAAgEIAgEKAwIAeTAQAgEAAgEAAgEIAgEKAwIAeQMBADBxBg -+ kqhkiG9n0HTUAxZAxiQUVTLUNCQy0xMjgsIEFFUy1DQkMtMjU2LCBBRVMtR0NNLTEyOCwgQUVTLUd -+ DTS0yNTYsIFRSSVBMRURFUy1DQkMtMTkyLCBDQVNUNS1DQkMtODAsIENBU1Q1LUNCQy0xMjgwdgYJ -+ KoZIhvZ9B01BMWkMZ0VDRFNBLVJFQ09NTUVOREVELCBSU0FQU1MtUkVDT01NRU5ERUQsIFJTQS1SR -+ UNPTU1FTkRFRCwgRFNBLVJFQ09NTUVOREVELCBFQ0RTQS1TSEExLCBSU0EtU0hBMSwgRFNBLVNIQT -+ EwFwYJKoZIhvZ9B00QMQoECFJTQS0yMDQ4MIIWSQYJKoZIhvZ9B00AMYIWOjCCFjYwgYACAQAwADB -+ 5MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBB -+ dXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSAwHgYDVQQDExdTZWN1cml0eSBPZmZpY2VyI -+ FBvbGljeTB9AgEBMAAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGU -+ NlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUQWR -+ taW5pc3RyYXRvciBQb2xpY3kweAIBAjAAMHExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0 -+ MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExG -+ DAWBgNVBAMTD0VuZCBVc2VyIFBvbGljeTB9AgEDMAAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0 -+ 
VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21 -+ TdWJDQTEdMBsGA1UEAxMUQWRtaW5pc3RyYXRvciBQb2xpY3kwfQIBBDAAMHYxCzAJBgNVBAYTAlVT -+ MRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwE -+ AYDVQQLEwlEQ29tU3ViQ0ExHTAbBgNVBAMTFEFkbWluaXN0cmF0b3IgUG9saWN5MHMCAQUwADBsMQ -+ swCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXR -+ ob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRMwEQYDVQQDEwpBU0ggUG9saWN5MH0CAQYwADB2 -+ MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBd -+ XRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbG -+ ljeTB9AgEHMAAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnR -+ pZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUQWRtaW5p -+ c3RyYXRvciBQb2xpY3kwfAIBCDAAMHUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwI -+ AYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHDAaBg -+ NVBAMTE1NlcnZlciBMb2dpbiBQb2xpY3kwfAIBCTAAMHUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwd -+ FbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29t -+ U3ViQ0ExHDAaBgNVBAMTE1NlcnZlciBMb2dpbiBQb2xpY3kwfQIBCjAAMHYxCzAJBgNVBAYTAlVTM -+ RAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEA -+ YDVQQLEwlEQ29tU3ViQ0ExHTAbBgNVBAMTFEFkbWluaXN0cmF0b3IgUG9saWN5MIGAAgEMMAAweTE -+ LMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0 -+ aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEgMB4GA1UEAxMXQ0xTIFNlcnZlciBMb2dpbiBQb -+ 2xpY3kwgYACAQ0wADB5MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2 -+ VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSAwHgYDVQQDExdTZWN -+ 1cml0eSBPZmZpY2VyIFBvbGljeTCBgAIBDjAAMHkxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRy -+ dXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ -+ 0ExIDAeBgNVBAMTF1NlY3VyaXR5IE9mZmljZXIgUG9saWN5MH0CAQ8wADB2MQswCQYDVQQGEwJVUz -+ 
EQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBA -+ GA1UECxMJRENvbVN1YkNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbGljeTB9AgERMAAwdjEL -+ MAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0a -+ G9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUQWRtaW5pc3RyYXRvciBQb2xpY3 -+ kwfAIBCzAAMHUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZ -+ pY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHDAaBgNVBAMTE0NMUyBFbmQg -+ VXNlciBQb2xpY3kwfQIBEjAAMHYxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDV -+ QQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHTAbBgNVBA -+ MTFEFkbWluaXN0cmF0b3IgUG9saWN5MH0CARMwADB2MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW5 -+ 0cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1 -+ YkNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbGljeTCBgAIBFDAAMHkxCzAJBgNVBAYTAlVTM -+ RAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEA -+ YDVQQLEwlEQ29tU3ViQ0ExIDAeBgNVBAMTF0R5bkNvcnAgRW5kIFVzZXIgUG9saWN5MH8CASAwADB -+ 4MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBB -+ dXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMR8wHQYDVQQDExZDU1JFUyBSZXF1ZXN0b3IgU -+ G9saWN5MHkCASEwADByMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2 -+ VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRkwFwYDVQQDExBNRE1 -+ XUyBYQVAgUG9saWN5MEkCASIwADBCMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEhMB8G -+ A1UEAxMYU09BUCBBZG1pbiBFeHBvcnQgUG9saWN5MIGDAgEjMAAwfDELMAkGA1UEBhMCVVMxEDAOB -+ gNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBA -+ sTCURDb21TdWJDQTEjMCEGA1UEAxMaRXhwb3J0YWJsZSBFbmQgVXNlciBQb2xpY3kweAIBJDAAMHE -+ xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1 -+ dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExGDAWBgNVBAMTD0VuZCBVc2VyIFBvbGljeTB9A -+ gElMAAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYX -+ 
Rpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUQWRtaW5pc3RyYXR -+ vciBQb2xpY3kwfQIBJjAAMHYxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQL -+ ExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHTAbBgNVBAMTF -+ E1vYmlsZSBEZXZpY2UgUG9saWN5MHwCAScwADB1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cn -+ VzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkN -+ BMRwwGgYDVQQDExNTZXJ2ZXIgTG9naW4gUG9saWN5MH0CASgwADB2MQswCQYDVQQGEwJVUzEQMA4G -+ A1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UEC -+ xMJRENvbVN1YkNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbGljeTCBgQIBKTAAMHoxCzAJBg -+ NVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml -+ 0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExITAfBgNVBAMTGFNQT0MgU2VydmVyIExvZ2luIFBvbGlj -+ eTCBggIBKjAAMHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0a -+ WZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExIjAgBgNVBAMTGVNQT0MgQW -+ RtaW5pc3RyYXRvciBQb2xpY3kwfAIBKzAAMHUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN -+ 0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0Ex -+ HDAaBgNVBAMTE1NlcnZlciBMb2dpbiBQb2xpY3kwgZECASwwADCBiTELMAkGA1UEBhMCVVMxEDAOB -+ gNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBA -+ sTCURDb21TdWJDQTEwMC4GA1UEAxMnTWFzdGVyIExpc3QgU2lnbmVyIEFkbWluaXN0cmF0b3IgUG9 -+ saWN5MH0CAS0wADB2MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2Vy -+ dGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMR0wGwYDVQQDExRBZG1pb -+ mlzdHJhdG9yIFBvbGljeTB4AgEuMAAwcTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIj -+ AgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEYMBY -+ GA1UEAxMPRW5kIFVzZXIgUG9saWN5MH0CAS8wADB2MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50 -+ cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1Y -+ kNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbGljeTB4AgExMAAwcTELMAkGA1UEBhMCVVMxED -+ 
AOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgN -+ VBAsTCURDb21TdWJDQTEYMBYGA1UEAxMPRW5kIFVzZXIgUG9saWN5MH0CATIwADB2MQswCQYDVQQG -+ EwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllc -+ zESMBAGA1UECxMJRENvbVN1YkNBMR0wGwYDVQQDExRBZG1pbmlzdHJhdG9yIFBvbGljeTB8AgEwMA -+ AwdTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24 -+ gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEcMBoGA1UEAxMTU2VydmVyIExvZ2luIFBv -+ bGljeTB9AgEzMAAwdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlc -+ nRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUQWRtaW -+ 5pc3RyYXRvciBQb2xpY3kwfQIBNTAAMHYxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSI -+ wIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHTAb -+ BgNVBAMTFENhcmQgRW5kIFVzZXIgUG9saWN5MHgCATQwADBxMQswCQYDVQQGEwJVUzEQMA4GA1UEC -+ hMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRE -+ NvbVN1YkNBMRgwFgYDVQQDEw9FbmQgVXNlciBQb2xpY3kwfAIBNjAAMHUxCzAJBgNVBAYTAlVTMRA -+ wDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYD -+ VQQLEwlEQ29tU3ViQ0ExHDAaBgNVBAMTE01ETSBFbmQgVXNlciBQb2xpY3kwfAIBNzAAMHUxCzAJB -+ gNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcm -+ l0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHDAaBgNVBAMTE1NlcnZlciBMb2dpbiBQb2xpY3kwgYU -+ CATgwADB+MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNh -+ dGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSUwIwYDVQQDExxNU08gVU1TIEFkb -+ WluaXN0cmF0b3IgUG9saWN5MIJZ7wYKKoZIhvZ9B00uADGCWd8wglnbMDEwFwwSY3NjX3BpdjFrX2 -+ NhcmRhdXRoAgEnMBYwFDASDA1QaXYxS0NhcmRBdXRoAgFDMEwwEwwOY3NjX3Bpdm1peGVkXzMCASg -+ wNTAQMA4MCVBpdjFLQXV0aAIBRDAPMA0MCFBpdjJLRW5jAgFFMBAwDgwJUGl2MktTaWduAgFGMIG4 -+ MBAMC2VudF9hZF9jbHMxAgE3MIGjMIGgMA4MCUR1YWxVc2FnZQIBXDCBjTELMAkGA1UEBhMCVVMxE -+ DAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBg -+ 
NVBAsTCURDb21TdWJDQTE0MDIGA1UEAxMrQ0xTIDF5ciBEb21haW4gQ29udHJvbGxlciBEdWFsIFV -+ zYWdlIFBvbGljeTCBuDAQDAtlbnRfYWRfY2xzMgIBODCBozCBoDAODAlEdWFsVXNhZ2UCAV0wgY0x -+ CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1d -+ Ghvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExNDAyBgNVBAMTK0NMUyAyeXIgRG9tYWluIENvbn -+ Ryb2xsZXIgRHVhbCBVc2FnZSBQb2xpY3kwdTARDAxlbnRfYWRfY2xzMm0CAVIwTjAjMBAMCkVuY3J -+ 5cHRpb24CAgCQog8MCkVuY3J5cHRpb24CAQEwJzASDAxWZXJpZmljYXRpb24CAgCRohEMDFZlcmlm -+ aWNhdGlvbgIBAqIQDAtlbnRfZGVmYXVsdAIBAzCBvjASDA1lbnRfYWRfY2xzMm1hAgFUMIGnMIGkM -+ A8MCUR1YWxVc2FnZQICAJQwgZAxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQ -+ QLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExNzA1BgNVBAM -+ TLkNMUyAybW9udGggRG9tYWluIENvbnRyb2xsZXIgRHVhbCBVc2FnZSBQb2xpY3kwgbAwDgwJZW50 -+ X2FkX2RjAgF4MIGdMIGaMBAMCkR1YWwgVXNhZ2UCAgDSMIGFMQswCQYDVQQGEwJVUzEQMA4GA1UEC -+ hMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRE -+ NvbVN1YkNBMSwwKgYDVQQDEyNFbnRlcnByaXNlIERvbWFpbiBDb250cm9sbGVyIFBvbGljeTBHMBk -+ ME2VudF9hZG1zcnZjc191bXNfZWECAgCLMCowEjAQDApFbmNyeXB0aW9uAgIA9DAUMBIMDFZlcmlm -+ aWNhdGlvbgICAPUwRTAZDBRlbnRfYWRtc3J2Y3NfdXNlcnJlZwIBEjAoMBEwDwwKRW5jcnlwdGlvb -+ gIBHjATMBEMDFZlcmlmaWNhdGlvbgIBHzCBzzAZDBRlbnRfYWRtc3J2Y3NfdXNybWdtdAIBETCBsT -+ ARMA8MCkVuY3J5cHRpb24CARwwgZswEQwMVmVyaWZpY2F0aW9uAgEdMIGFMQswCQYDVQQGEwJVUzE -+ QMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAG -+ A1UECxMJRENvbVN1YkNBMSwwKgYDVQQDEyNUcnVlUGFzcyBTZXJ2ZXIgVmVyaWZpY2F0aW9uIFBvb -+ GljeTA6MA4MCWVudF9iYXNpYwIBJjAoMBEwDwwKRW5jcnlwdGlvbgIBQTATMBEMDFZlcmlmaWNhdG -+ lvbgIBQjCCATkwDQwIZW50X2NsczECAS8wggEmMIGOMA8MCkVuY3J5cHRpb24CAVIwezELMAkGA1U -+ EBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRp -+ ZXMxEjAQBgNVBAsTCURDb21TdWJDQTEiMCAGA1UEAxMZQ0xTIDF5ciBFbmNyeXB0aW9uIFBvbGlje -+ TCBkjARDAxWZXJpZmljYXRpb24CAVMwfTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIj -+ 
AgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEkMCI -+ GA1UEAxMbQ0xTIDF5ciBWZXJpZmljYXRpb24gUG9saWN5MIIBOTANDAhlbnRfY2xzMgIBMDCCASYw -+ gY4wDwwKRW5jcnlwdGlvbgIBVDB7MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA -+ 1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSIwIAYDVQ -+ QDExlDTFMgMnlyIEVuY3J5cHRpb24gUG9saWN5MIGSMBEMDFZlcmlmaWNhdGlvbgIBVTB9MQswCQY -+ DVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp -+ dGllczESMBAGA1UECxMJRENvbVN1YkNBMSQwIgYDVQQDExtDTFMgMnlyIFZlcmlmaWNhdGlvbiBQb -+ 2xpY3kwQDASDA1lbnRfY2xzX2FkbWluAgFXMCowEjAQDApFbmNyeXB0aW9uAgIAmDAUMBIMDFZlcm -+ lmaWNhdGlvbgICAJkwggFPMBMMDmVudF9jbHNfYWRtaW4yAgFWMIIBNjCBljAQDApFbmNyeXB0aW9 -+ uAgIAljCBgTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmlj -+ YXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEoMCYGA1UEAxMfQ0xTIEFkbWluI -+ DJ5ciBFbmNyeXB0aW9uIFBvbGljeTCBmjASDAxWZXJpZmljYXRpb24CAgCXMIGDMQswCQYDVQQGEw -+ JVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczE -+ SMBAGA1UECxMJRENvbVN1YkNBMSowKAYDVQQDEyFDTFMgQWRtaW4gMnlyIFZlcmlmaWNhdGlvbiBQ -+ b2xpY3kwgbgwFwwSZW50X2Ntc2NsaWVudF9jbHMxAgExMIGcMIGZMA8MCkR1YWwgVXNhZ2UCAVYwg -+ YUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIE -+ F1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExLDAqBgNVBAMTI0NMUyAxeXIgQUkgQ2xpZW5 -+ 0IER1YWwgVXNhZ2UgUG9saWN5MIG/MBkMFGVudF9jbXNjbGllbnRfY2xzMV9mAgEzMIGhMIGeMA8M -+ CkR1YWwgVXNhZ2UCAVgwgYoxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLE -+ xlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExMTAvBgNVBAMTKE -+ NMUyAxeXIgQUkgQ2xpZW50IEZpbGUgRHVhbCBVc2FnZSBQb2xpY3kwgbgwFwwSZW50X2Ntc2NsaWV -+ udF9jbHMyAgEyMIGcMIGZMA8MCkR1YWwgVXNhZ2UCAVcwgYUxCzAJBgNVBAYTAlVTMRAwDgYDVQQK -+ EwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ -+ 29tU3ViQ0ExLDAqBgNVBAMTI0NMUyAyeXIgQUkgQ2xpZW50IER1YWwgVXNhZ2UgUG9saWN5MIG/MB -+ 
kMFGVudF9jbXNjbGllbnRfY2xzMl9mAgE0MIGhMIGeMA8MCkR1YWwgVXNhZ2UCAVkwgYoxCzAJBgN -+ VBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 -+ aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExMTAvBgNVBAMTKENMUyAyeXIgQUkgQ2xpZW50IEZpbGUgR -+ HVhbCBVc2FnZSBQb2xpY3kwLjAXDBJlbnRfY21zY2xpZW50X3NrZHUCASowEzARMA8MCkR1YWwgVX -+ NhZ2UCAUkwMDAZDBRlbnRfY21zY2xpZW50X3NrZHVfZgIBKzATMBEwDwwKRHVhbCBVc2FnZQIBSjC -+ BuDAXDBJlbnRfY21zc2VydmVyX2NsczECATUwgZwwgZkwDwwKRHVhbCBVc2FnZQIBWjCBhTELMAkG -+ A1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9ya -+ XRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEsMCoGA1UEAxMjQ0xTIDF5ciBBSSBTZXJ2ZXIgRHVhbC -+ BVc2FnZSBQb2xpY3kwgbgwFwwSZW50X2Ntc3NlcnZlcl9jbHMyAgE2MIGcMIGZMA8MCkR1YWwgVXN -+ hZ2UCAVswgYUxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZp -+ Y2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExLDAqBgNVBAMTI0NMUyAyeXIgQ -+ UkgU2VydmVyIER1YWwgVXNhZ2UgUG9saWN5MC4wFwwSZW50X2Ntc3NlcnZlcl9za2R1AgEsMBMwET -+ APDApEdWFsIFVzYWdlAgFLMEYwGAwSZW50X2NzcmVzX2FwcHJvdmVyAgIAjDAqMBIwEAwKRW5jcnl -+ wdGlvbgICAPYwFDASDAxWZXJpZmljYXRpb24CAgD3MEYwGAwTZW50X2NzcmVzX3JlcXVlc3RvcgIB -+ bzAqMBIwEAwKRW5jcnlwdGlvbgICAMUwFDASDAxWZXJpZmljYXRpb24CAgDGMDwwEAwLZW50X2RlZ -+ mF1bHQCAQMwKDARMA8MCkVuY3J5cHRpb24CAQEwEzARDAxWZXJpZmljYXRpb24CAQIwggE8MBAMC2 -+ VudF9kZXNrdG9wAgEHMIIBJjCBjjAPDApFbmNyeXB0aW9uAgEJMHsxCzAJBgNVBAYTAlVTMRAwDgY -+ DVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQL -+ EwlEQ29tU3ViQ0ExIjAgBgNVBAMTGVNhZmVOZXQgRW5jcnlwdGlvbiBQb2xpY3kwgZIwEQwMVmVya -+ WZpY2F0aW9uAgEKMH0xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZX -+ J0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExJDAiBgNVBAMTG1NhZmV -+ OZXQgVmVyaWZpY2F0aW9uIFBvbGljeTCBpDAVDBBlbnRfZHVfYmFzaWNfZWt1AgFtMIGKMIGHMBAM -+ CkR1YWwgVXNhZ2UCAgDCMHMxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLE -+ xlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExGjAYBgNVBAMTEU -+ 
R1YWwgVXNhZ2UgUG9saWN5MEMwFQwQZW50X2VhY2NhdHRhY2hlZAIBaDAqMBIwEAwKRW5jcnlwdGl -+ vbgICALgwFDASDAxWZXJpZmljYXRpb24CAgC5MD0wDwwKZW50X2VhY2NvbgIBajAqMBIwEAwKRW5j -+ cnlwdGlvbgICALwwFDASDAxWZXJpZmljYXRpb24CAgC9MEUwFwwSZW50X2VhY2NzdGFuZGFsb25lA -+ gFpMCowEjAQDApFbmNyeXB0aW9uAgIAujAUMBIMDFZlcmlmaWNhdGlvbgICALswggGiMAwMB2VudF -+ 9lZnMCARUwggGQMHgwCAwDRUZTAgEnMGwxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSI -+ wIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExEzAR -+ BgNVBAMTCkVGUyBQb2xpY3kwgYYwDwwKRW5jcnlwdGlvbgIBJTBzMQswCQYDVQQGEwJVUzEQMA4GA -+ 1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECx -+ MJRENvbVN1YkNBMRowGAYDVQQDExFFbmNyeXB0aW9uIFBvbGljeTCBijARDAxWZXJpZmljYXRpb24 -+ CASYwdTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRp -+ b24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEcMBoGA1UEAxMTVmVyaWZpY2F0aW9uI -+ FBvbGljeTBEMBgME2VudF9lc3Zwbl9jb21tZWRvaWQCASUwKDARMA8MCkVuY3J5cHRpb24CAT8wEz -+ ARDAxWZXJpZmljYXRpb24CAUAwggE7MA8MCmVudF9ldG9rZW4CAWwwggEmMIGOMBAMCkVuY3J5cHR -+ pb24CAgDAMHoxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZp -+ Y2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExITAfBgNVBAMTGGVUb2tlbiBFb -+ mNyeXB0aW9uIFBvbGljeTCBkjASDAxWZXJpZmljYXRpb24CAgDBMHwxCzAJBgNVBAYTAlVTMRAwDg -+ YDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQ -+ LEwlEQ29tU3ViQ0ExIzAhBgNVBAMTGmVUb2tlbiBWZXJpZmljYXRpb24gUG9saWN5MIIBOTAPDApl -+ bnRfZXhwb3J0AgEGMIIBJDCBjTAPDApFbmNyeXB0aW9uAgEHMHoxCzAJBgNVBAYTAlVTMRAwDgYDV -+ QQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEw -+ lEQ29tU3ViQ0ExITAfBgNVBAMUGEVuY3J5cHRpb24gUG9saWN5X0V4cG9ydDCBkTARDAxWZXJpZml -+ jYXRpb24CAQgwfDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRp -+ ZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEjMCEGA1UEAxQaVmVyaWZpY -+ 2F0aW9uIFBvbGljeV9FeHBvcnQwggE9MBQMD2VudF9nZW1hbHRvX2NzcAIBXjCCASMwgYowEAwKRW -+ 
5jcnlwdGlvbgICAKswdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUN -+ lcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMBsGA1UEAxMUR00g -+ RW5jcnlwdGlvbiBQb2xpY3kwgZMwEgwMVmVyaWZpY2F0aW9uAgIArDB9MQswCQYDVQQGEwJVUzEQM -+ A4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1 -+ UECxMJRENvbVN1YkNBMSQwIgYDVQQDExtHZW1hbHRvIFZlcmlmaWNhdGlvbiBQb2xpY3kwgb8wFgw -+ RZW50X2lpc19za2R1X2NsczECATkwgaQwgaEwDwwKRHVhbCBVc2FnZQIBXjCBjTELMAkGA1UEBhMC -+ VVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxE -+ jAQBgNVBAsTCURDb21TdWJDQTE0MDIGA1UEAxMrQ0xTIDF5ciBJSVMgRHVhbCBVc2FnZSBObyBLZX -+ kgQmFja3VwIFBvbGljeTCBvzAWDBFlbnRfaWlzX3NrZHVfY2xzMgIBOjCBpDCBoTAPDApEdWFsIFV -+ zYWdlAgFfMIGNMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlm -+ aWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMTQwMgYDVQQDEytDTFMgMnlyI -+ ElJUyBEdWFsIFVzYWdlIE5vIEtleSBCYWNrdXAgUG9saWN5MHswFwwSZW50X2lpc19za2R1X2Nscz -+ JtAgFTME4wIzAQDApFbmNyeXB0aW9uAgIAkqIPDApFbmNyeXB0aW9uAgEBMCcwEgwMVmVyaWZpY2F -+ 0aW9uAgIAk6IRDAxWZXJpZmljYXRpb24CAQKiEAwLZW50X2RlZmF1bHQCAQMwgcUwGAwTZW50X2lp -+ c19za2R1X2NsczJtYQIBVTCBqDCBpTAQDApEdWFsIFVzYWdlAgIAlTCBkDELMAkGA1UEBhMCVVMxE -+ DAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBg -+ NVBAsTCURDb21TdWJDQTE3MDUGA1UEAxMuQ0xTIDJtb250aCBJSVMgRHVhbCBVc2FnZSBObyBLZXk -+ gQmFja3VwIFBvbGljeTCBpzAQDAtlbnRfbWFjaGluZQIBeTCBkjCBjzAQDApEdWFsIFVzYWdlAgIA -+ 0zB7MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvb -+ iBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSIwIAYDVQQDExlFbnRlcnByaXNlIE1hY2 -+ hpbmUgUG9saWN5MEAwEgwNZW50X21kbXdzX2NsaQIBcDAqMBIwEAwKRW5jcnlwdGlvbgICAMcwFDA -+ SDAxWZXJpZmljYXRpb24CAgDIMEIwFAwPZW50X21saXN0X2FkbWluAgF/MCowEjAQDApFbmNyeXB0 -+ aW9uAgIA3jAUMBIMDFZlcmlmaWNhdGlvbgICAN8wggE5MBUMEGVudF9tbGlzdF9zaWduZXICAX4wg -+ gEeMIGHMBAMCkVuY3J5cHRpb24CAgDcMHMxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MS -+ 
IwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExGjA -+ YBgNVBAMTEUVuY3J5cHRpb24gUG9saWN5MIGRMBIMDFZlcmlmaWNhdGlvbgICAN0wezELMAkGA1UE -+ BhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZ -+ XMxEjAQBgNVBAsTCURDb21TdWJDQTEiMCAGA1UEAxMZTWFzdGVyIExpc3QgU2lnbmVyIFBvbGljeT -+ CCAeQwGAwTZW50X21zX3NjX2NhcGlfY2xzMQIBLTCCAcYwgZ0wDwwKRHVhbCBVc2FnZQIBTDCBiTE -+ LMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0 -+ aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEwMC4GA1UEAxMnQ0xTIDF5ciBEdWFsIFVzYWdlI -+ E5vIEtleSBCYWNrdXAgUG9saWN5MIGOMA8MCkVuY3J5cHRpb24CAU4wezELMAkGA1UEBhMCVVMxED -+ AOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgN -+ VBAsTCURDb21TdWJDQTEiMCAGA1UEAxMZQ0xTIDF5ciBFbmNyeXB0aW9uIFBvbGljeTCBkjARDAxW -+ ZXJpZmljYXRpb24CAU0wfTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTG -+ UNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEkMCIGA1UEAxMbQ0 -+ xTIDF5ciBWZXJpZmljYXRpb24gUG9saWN5MIIB5DAYDBNlbnRfbXNfc2NfY2FwaV9jbHMyAgEuMII -+ BxjCBnTAPDApEdWFsIFVzYWdlAgFPMIGJMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEi -+ MCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMTAwL -+ gYDVQQDEydDTFMgMnlyIER1YWwgVXNhZ2UgTm8gS2V5IEJhY2t1cCBQb2xpY3kwgY4wDwwKRW5jcn -+ lwdGlvbgIBUTB7MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGl -+ maWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSIwIAYDVQQDExlDTFMgMnly -+ IEVuY3J5cHRpb24gUG9saWN5MIGSMBEMDFZlcmlmaWNhdGlvbgIBUDB9MQswCQYDVQQGEwJVUzEQM -+ A4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1 -+ UECxMJRENvbVN1YkNBMSQwIgYDVQQDExtDTFMgMnlyIFZlcmlmaWNhdGlvbiBQb2xpY3kwggHyMBk -+ MFGVudF9tc19zY19jYXBpX2NsczJtAgFRMIIB0zCBoTAQDApEdWFsIFVzYWdlAgIAjTCBjDELMAkG -+ A1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9ya -+ XRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEzMDEGA1UEAxMqQ0xTIDJtb250aCBEdWFsIFVzYWdlIE -+ 
5vIEtleSBCYWNrdXAgUG9saWN5MIGSMBAMCkVuY3J5cHRpb24CAgCPMH4xCzAJBgNVBAYTAlVTMRA -+ wDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYD -+ VQQLEwlEQ29tU3ViQ0ExJTAjBgNVBAMTHENMUyAybW9udGggRW5jcnlwdGlvbiBQb2xpY3kwgZcwE -+ gwMVmVyaWZpY2F0aW9uAgIAjjCBgDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBg -+ NVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEnMCUGA1U -+ EAxMeQ0xTIDJtb250aCBWZXJpZmljYXRpb24gUG9saWN5MIIB5zAYDBNlbnRfbXNfc2NfY2FwaV9j -+ bHM0AgFPMIIByTCBnjAQDApEdWFsIFVzYWdlAgIAhzCBiTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB -+ 0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb2 -+ 1TdWJDQTEwMC4GA1UEAxMnQ0xTIDR5ciBEdWFsIFVzYWdlIE5vIEtleSBCYWNrdXAgUG9saWN5MIG -+ PMBAMCkVuY3J5cHRpb24CAgCJMHsxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYD -+ VQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExIjAgBgNVB -+ AMTGUNMUyA0eXIgRW5jcnlwdGlvbiBQb2xpY3kwgZMwEgwMVmVyaWZpY2F0aW9uAgIAiDB9MQswCQ -+ YDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3J -+ pdGllczESMBAGA1UECxMJRENvbVN1YkNBMSQwIgYDVQQDExtDTFMgNHlyIFZlcmlmaWNhdGlvbiBQ -+ b2xpY3kwggHnMBgME2VudF9tc19zY19jYXBpX2NsczUCAVAwggHJMIGeMBAMCkR1YWwgVXNhZ2UCA -+ gCKMIGJMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdG -+ lvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMTAwLgYDVQQDEydDTFMgNXlyIER1YWw -+ gVXNhZ2UgTm8gS2V5IEJhY2t1cCBQb2xpY3kwgY8wEAwKRW5jcnlwdGlvbgICAIwwezELMAkGA1UE -+ BhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZ -+ XMxEjAQBgNVBAsTCURDb21TdWJDQTEiMCAGA1UEAxMZQ0xTIDV5ciBFbmNyeXB0aW9uIFBvbGljeT -+ CBkzASDAxWZXJpZmljYXRpb24CAgCLMH0xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSI -+ wIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExJDAi -+ BgNVBAMTG0NMUyA1eXIgVmVyaWZpY2F0aW9uIFBvbGljeTCCAfgwGAwTZW50X21zX3NjX2NsczRfM -+ TAyNAIBXDCCAdowgaMwEAwKRHVhbCBVc2FnZQICAKUwgY4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEw -+ 
dFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29 -+ tU3ViQ0ExNTAzBgNVBAMTLENMUyAxMDI0IDR5ciBEdWFsIFVzYWdlIE5vIEtleSBCYWNrdXAgUG9s -+ aWN5MIGVMBAMCkVuY3J5cHRpb24CAgCnMIGAMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzd -+ DEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMS -+ cwJQYDVQQDEx5DTFMgMTAyNCA0eXIgRW5jcnlwdGlvbiBQb2xpY3kwgZkwEgwMVmVyaWZpY2F0aW9 -+ uAgIApjCBgjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmlj -+ YXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEpMCcGA1UEAxMgQ0xTIDEwMjQgN -+ HlyIFZlcmlmaWNhdGlvbiBQb2xpY3kwggH4MBgME2VudF9tc19zY19jbHM0XzIwNDgCAVowggHaMI -+ GjMBAMCkR1YWwgVXNhZ2UCAgCfMIGOMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCA -+ GA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMTUwMwYD -+ VQQDEyxDTFMgMjA0OCA0eXIgRHVhbCBVc2FnZSBObyBLZXkgQmFja3VwIFBvbGljeTCBlTAQDApFb -+ mNyeXB0aW9uAgIAoTCBgDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGU -+ NlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEnMCUGA1UEAxMeQ0x -+ TIDIwNDggNHlyIEVuY3J5cHRpb24gUG9saWN5MIGZMBIMDFZlcmlmaWNhdGlvbgICAKAwgYIxCzAJ -+ BgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvc -+ ml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExKTAnBgNVBAMTIENMUyAyMDQ4IDR5ciBWZXJpZmljYX -+ Rpb24gUG9saWN5MIIB+DAYDBNlbnRfbXNfc2NfY2xzNV8xMDI0AgFdMIIB2jCBozAQDApEdWFsIFV -+ zYWdlAgIAqDCBjjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRp -+ ZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTE1MDMGA1UEAxMsQ0xTIDEwM -+ jQgNXlyIER1YWwgVXNhZ2UgTm8gS2V5IEJhY2t1cCBQb2xpY3kwgZUwEAwKRW5jcnlwdGlvbgICAK -+ owgYAxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9 -+ uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExJzAlBgNVBAMTHkNMUyAxMDI0IDV5ciBF -+ bmNyeXB0aW9uIFBvbGljeTCBmTASDAxWZXJpZmljYXRpb24CAgCpMIGCMQswCQYDVQQGEwJVUzEQM -+ A4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1 -+ 
UECxMJRENvbVN1YkNBMSkwJwYDVQQDEyBDTFMgMTAyNCA1eXIgVmVyaWZpY2F0aW9uIFBvbGljeTC -+ CAfgwGAwTZW50X21zX3NjX2NsczVfMjA0OAIBWzCCAdowgaMwEAwKRHVhbCBVc2FnZQICAKIwgY4x -+ CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1d -+ Ghvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExNTAzBgNVBAMTLENMUyAyMDQ4IDV5ciBEdWFsIF -+ VzYWdlIE5vIEtleSBCYWNrdXAgUG9saWN5MIGVMBAMCkVuY3J5cHRpb24CAgCkMIGAMQswCQYDVQQ -+ GEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGll -+ czESMBAGA1UECxMJRENvbVN1YkNBMScwJQYDVQQDEx5DTFMgMjA0OCA1eXIgRW5jcnlwdGlvbiBQb -+ 2xpY3kwgZkwEgwMVmVyaWZpY2F0aW9uAgIAozCBgjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudH -+ J1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJ -+ DQTEpMCcGA1UEAxMgQ0xTIDIwNDggNXlyIFZlcmlmaWNhdGlvbiBQb2xpY3kwggHpMBcMEmVudF9t -+ c19zY19jbHNfMjA0OAIBWDCCAcwwgZ8wEAwKRHVhbCBVc2FnZQICAJowgYoxCzAJBgNVBAYTAlVTM -+ RAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEA -+ YDVQQLEwlEQ29tU3ViQ0ExMTAvBgNVBAMTKENMUyAyMDQ4IER1YWwgVXNhZ2UgTm8gS2V5IEJhY2t -+ 1cCBQb2xpY3kwgZAwEAwKRW5jcnlwdGlvbgICAJwwfDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0Vu -+ dHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21Td -+ WJDQTEjMCEGA1UEAxMaQ0xTIDIwNDggRW5jcnlwdGlvbiBQb2xpY3kwgZQwEgwMVmVyaWZpY2F0aW -+ 9uAgIAmzB+MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWN -+ hdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSUwIwYDVQQDExxDTFMgMjA0OCBW -+ ZXJpZmljYXRpb24gUG9saWN5MIG1MBgME2VudF9tc19zbXJ0Y3JkX2NhcGkCAQ8wgZgwgZUwDwwKR -+ HVhbCBVc2FnZQIBGTCBgTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGU -+ NlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEoMCYGA1UEAxMfRHV -+ hbCBVc2FnZSBObyBLZXkgQmFja3VwIFBvbGljeTCCAakwEAwKZW50X21zY2FwaQICAIEwggGTMHkw -+ CQwDRUZTAgIA4zBsMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2Vyd -+ GlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRMwEQYDVQQDEwpFRlMgUG -+ 
9saWN5MIGHMBAMCkVuY3J5cHRpb24CAgDhMHMxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN -+ 0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0Ex -+ GjAYBgNVBAMTEUVuY3J5cHRpb24gUG9saWN5MIGLMBIMDFZlcmlmaWNhdGlvbgICAOIwdTELMAkGA -+ 1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaX -+ RpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEcMBoGA1UEAxMTVmVyaWZpY2F0aW9uIFBvbGljeTBDMBc -+ MEmVudF9tc2Z0X3NtYXJ0Y2FyZAIBDjAoMBEwDwwKRW5jcnlwdGlvbgIBFzATMBEMDFZlcmlmaWNh -+ dGlvbgIBGDA/MBMMDmVudF9tc2dzY2FubmVyAgENMCgwETAPDApFbmNyeXB0aW9uAgEVMBMwEQwMV -+ mVyaWZpY2F0aW9uAgEWMD4wEgwNZW50X21zZ3NlcnZlcgIBDDAoMBEwDwwKRW5jcnlwdGlvbgIBEz -+ ATMBEMDFZlcmlmaWNhdGlvbgIBFDBAMBIMDGVudF9tc29hZG1pbgICAIkwKjASMBAMCkVuY3J5cHR -+ pb24CAgDxMBQwEgwMVmVyaWZpY2F0aW9uAgIA8DCCATkwFQwQZW50X21zdHdva2V5cGFpcgIBWTCC -+ AR4wgYowEAwKRW5jcnlwdGlvbgICAJ0wdjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxI -+ jAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEdMB -+ sGA1UEAxMUR00gRW5jcnlwdGlvbiBQb2xpY3kwgY4wEgwMVmVyaWZpY2F0aW9uAgIAnjB4MQswCQY -+ DVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp -+ dGllczESMBAGA1UECxMJRENvbVN1YkNBMR8wHQYDVQQDExZHTSBWZXJpZmljYXRpb24gUG9saWN5M -+ IIBvjARDAxlbnRfbm9ucmVwdWQCARQwggGnMIGGMA8MCkVuY3J5cHRpb24CASIwczELMAkGA1UEBh -+ MCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXM -+ xEjAQBgNVBAsTCURDb21TdWJDQTEaMBgGA1UEAxMRRW5jcnlwdGlvbiBQb2xpY3kwgY4wEwwOTm9u -+ cmVwdWRpYXRpb24CASQwdzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTG -+ UNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEeMBwGA1UEAxMVTm -+ 9ucmVwdWRpYXRpb24gUG9saWN5MIGKMBEMDFZlcmlmaWNhdGlvbgIBIzB1MQswCQYDVQQGEwJVUzE -+ QMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAG -+ A1UECxMJRENvbVN1YkNBMRwwGgYDVQQDExNWZXJpZmljYXRpb24gUG9saWN5MIICQDAZDBRlbnRfb -+ m9ucmVwdWRfYW5kX2VmcwIBFzCCAiEweDAIDANFRlMCAS0wbDELMAkGA1UEBhMCVVMxEDAOBgNVBA -+ 
oTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCUR -+ Db21TdWJDQTETMBEGA1UEAxMKRUZTIFBvbGljeTCBhjAPDApFbmNyeXB0aW9uAgEqMHMxCzAJBgNV -+ BAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0a -+ WVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExGjAYBgNVBAMTEUVuY3J5cHRpb24gUG9saWN5MIGOMBMMDk -+ 5vbnJlcHVkaWF0aW9uAgEsMHcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQ -+ LExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExHjAcBgNVBAMT -+ FU5vbnJlcHVkaWF0aW9uIFBvbGljeTCBijARDAxWZXJpZmljYXRpb24CASswdTELMAkGA1UEBhMCV -+ VMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEj -+ AQBgNVBAsTCURDb21TdWJDQTEcMBoGA1UEAxMTVmVyaWZpY2F0aW9uIFBvbGljeTA5MA0MCGVudF9 -+ vY3NwAgEpMCgwETAPDApFbmNyeXB0aW9uAgFHMBMwEQwMVmVyaWZpY2F0aW9uAgFIMD0wEQwMZW50 -+ X3Byb2ZzcnZyAgEFMCgwETAPDApFbmNyeXB0aW9uAgEFMBMwEQwMVmVyaWZpY2F0aW9uAgEGMDgwD -+ AwHZW50X3JkcAIBQDAoMBEwDwwKRW5jcnlwdGlvbgIBaTATMBEMDFZlcmlmaWNhdGlvbgIBajCBqj -+ ASDA1lbnRfc2lnbl9uaXN0AgFyMIGTMIGQMBIMDFZlcmlmaWNhdGlvbgICAMowejELMAkGA1UEBhM -+ CVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMx -+ EjAQBgNVBAsTCURDb21TdWJDQTEhMB8GA1UEAxMYTklTVCBWZXJpZmljYXRpb24gUG9saWN5MIGkM -+ BYMEWVudF9za3BfZHVhbHVzYWdlAgEYMIGJMIGGMA8MCkR1YWwgVXNhZ2UCAS4wczELMAkGA1UEBh -+ MCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXM -+ xEjAQBgNVBAsTCURDb21TdWJDQTEaMBgGA1UEAxMRRHVhbCBVc2FnZSBQb2xpY3kwLTATDA1lbnRf -+ c2twbm9ucmVwAgIAgDAWMBQwEgwMVmVyaWZpY2F0aW9uAgIA4DAwMBgMEmVudF9za3Bub25yZXBfY -+ XV0aAICAIYwFDASMBAMCkR1YWwgVXNhZ2UCAgDrMEEwEwwOZW50X3Nwb2NfYWRtaW4CAXwwKjASMB -+ AMCkVuY3J5cHRpb24CAgDYMBQwEgwMVmVyaWZpY2F0aW9uAgIA2TBCMBQMD2VudF9zcG9jX2NsaWV -+ udAIBejAqMBIwEAwKRW5jcnlwdGlvbgICANQwFDASDAxWZXJpZmljYXRpb24CAgDVMD4wEAwLZW50 -+ X3Nwb2NfZHYCAX0wKjASMBAMCkVuY3J5cHRpb24CAgDaMBQwEgwMVmVyaWZpY2F0aW9uAgIA2zBCM -+ BQMD2VudF9zcG9jX3NlcnZlcgIBezAqMBIwEAwKRW5jcnlwdGlvbgICANYwFDASDAxWZXJpZmljYX -+ 
Rpb24CAgDXMIG+MBMMDWVudF9zc2xfYmFzaWMCAgCIMIGmMBIwEAwKRW5jcnlwdGlvbgICAO8wgY8 -+ wEgwMVmVyaWZpY2F0aW9uAgIA7jB5MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAG -+ A1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSAwHgYDV -+ QQDFBdWZXJpZmljYXRpb25fcDEwIFBvbGljeTB7MBIMDGVudF9zc2xfY2VydAICAIcwUDAkMBAMCk -+ VuY3J5cHRpb24CAgDsohAMCkVuY3J5cHRpb24CAgDvMCgwEgwMVmVyaWZpY2F0aW9uAgIA7aISDAx -+ WZXJpZmljYXRpb24CAgDuohMMDWVudF9zc2xfYmFzaWMCAgCIMIIBKDAXDBJlbnRfc3RhbmRhbG9u -+ ZV9lZnMCARYwggELMIGLMBAMC0NNUCBTaWduaW5nAgEpMHcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKE -+ wdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ2 -+ 9tU3ViQ0ExHjAcBgNVBAMTFU1TIENNUCBTaWduaW5nIFBvbGljeTB7MAgMA0VGUwIBKDBvMQswCQY -+ DVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp -+ dGllczESMBAGA1UECxMJRENvbVN1YkNBMRYwFAYDVQQDEw1NUyBFRlMgUG9saWN5MD4wEgwNZW50X -+ 3RpbWVzdGFtcAIBBDAoMBEwDwwKRW5jcnlwdGlvbgIBAzATMBEMDFZlcmlmaWNhdGlvbgIBBDBDMB -+ UMEGVudF90aW1lc3RhbXBpbmcCAXcwKjASMBAMCkVuY3J5cHRpb24CAgDQMBQwEgwMVmVyaWZpY2F -+ 0aW9uAgIA0TCBxzARDAxlbnRfdHJ1ZXBhc3MCAQgwgbEwETAPDApFbmNyeXB0aW9uAgELMIGbMBEM -+ DFZlcmlmaWNhdGlvbgIBDDCBhTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVB -+ AsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEsMCoGA1UEAx -+ MjVHJ1ZVBhc3MgU2VydmVyIFZlcmlmaWNhdGlvbiBQb2xpY3kwgc0wFwwSZW50X3RydWVwYXNzX21 -+ 1bHRpAgEJMIGxMBEwDwwKRW5jcnlwdGlvbgIBDTCBmzARDAxWZXJpZmljYXRpb24CAQ4wgYUxCzAJ -+ BgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvc -+ ml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExLDAqBgNVBAMTI1RydWVQYXNzIFNlcnZlciBWZXJpZm -+ ljYXRpb24gUG9saWN5MIIBLzATDA5lbnRfdHdva2V5cGFpcgIBEzCCARYwgYYwDwwKRW5jcnlwdGl -+ vbgIBIDBzMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNh -+ dGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRowGAYDVQQDExFFbmNyeXB0aW9uI -+ FBvbGljeTCBijARDAxWZXJpZmljYXRpb24CASEwdTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudH -+ 
J1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJ -+ DQTEcMBoGA1UEAxMTVmVyaWZpY2F0aW9uIFBvbGljeTCCAUMwFwwSZW50X3R3b2tleXBhaXJfcDEw -+ AgEkMIIBJjCBjjATDA5FbmNyeXB0aW9uX3AxMAIBPTB3MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHR -+ W50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbV -+ N1YkNBMR4wHAYDVQQDFBVFbmNyeXB0aW9uX3AxMCBQb2xpY3kwgZIwFQwQVmVyaWZpY2F0aW9uX3A -+ xMAIBPjB5MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNh -+ dGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMSAwHgYDVQQDFBdWZXJpZmljYXRpb -+ 25fcDEwIFBvbGljeTBBMBMMDWVudF91bXNfYWRtaW4CAgCKMCowEjAQDApFbmNyeXB0aW9uAgIA8j -+ AUMBIMDFZlcmlmaWNhdGlvbgICAPMwOzAPDAplbnRfeGFwc3J2AgEQMCgwETAPDApFbmNyeXB0aW9 -+ uAgEaMBMwEQwMVmVyaWZpY2F0aW9uAgEbMIGuMBUMEGVwYXNzX2RvY19zaWduZXICAWQwgZQwgZEw -+ FQwPRG9jdW1lbnQgU2lnbmVyAgIAtzB4MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiM -+ CAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMR8wHQ -+ YDVQQDExZEb2N1bWVudCBTaWduZXIgUG9saWN5MIGzMBoMFGVwYXNzX2RvY19zaWduZXJfZHRsAgI -+ AhDCBlDCBkTAVDA9Eb2N1bWVudCBTaWduZXICAgDoMHgxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdF -+ bnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU -+ 3ViQ0ExHzAdBgNVBAMTFkRvY3VtZW50IFNpZ25lciBQb2xpY3kwgbYwFwwSZXBhc3NfbWxpc3Rfc2 -+ lnbmVyAgFjMIGaMIGXMBgMEk1hc3RlciBMaXN0IFNpZ25lcgICALYwezELMAkGA1UEBhMCVVMxEDA -+ OBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNV -+ BAsTCURDb21TdWJDQTEiMCAGA1UEAxMZTWFzdGVyIExpc3QgU2lnbmVyIFBvbGljeTAqMBIMDW1vY -+ mlsZV9kZXZpY2UCAXEwFDASMBAMCkR1YWwgVXNhZ2UCAgDJMIG4MBYMEW1vYmlsZV9kZXZpY2VfMW -+ twAgF2MIGdMIGaMBIMDFZlcmlmaWNhdGlvbgICAM8wgYMxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwd -+ FbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29t -+ U3ViQ0ExKjAoBgNVBAMTIU1vYmlsZSBEZXZpY2UgVmVyaWZpY2F0aW9uIFBvbGljeTCCAVowEAwKb -+ XNfdGhyZWV5cgICAIUwggFEMIGdMBAMCkVuY3J5cHRpb24CAgDpMIGIMQswCQYDVQQGEwJVUzEQMA -+ 
4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1U -+ ECxMJRENvbVN1YkNBMS8wLQYDVQQDEyZNaWNyb1NvZnQgVGhyZWUgWWVhciBFbmNyeXB0aW9uIFBv -+ bGljeTCBoTASDAxWZXJpZmljYXRpb24CAgDqMIGKMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50c -+ nVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1Yk -+ NBMTEwLwYDVQQDEyhNaWNyb1NvZnQgVGhyZWUgWWVhciBWZXJpZmljYXRpb24gUG9saWN5MD4wEgw -+ NbXNfdnBuX3NlcnZlcgIBIDAoMBEwDwwKRW5jcnlwdGlvbgIBODATMBEMDFZlcmlmaWNhdGlvbgIB -+ OTCBmDAPDApzc2xfZGV2aWNlAgFzMIGEMIGBMAkMA3NzbAICAMswdDELMAkGA1UEBhMCVVMxEDAOB -+ gNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBA -+ sTCURDb21TdWJDQTEbMBkGA1UEAxMSU1NMIEludGVyb3AgUG9saWN5MIIBQDAXDBJzc2xfZGV2aWN -+ lX2ludGVyb3ACAXQwggEjMIGQMAoMBHNzbDECAgDMMIGBMQswCQYDVQQGEwJVUzEQMA4GA1UEChMH -+ RW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvb -+ VN1YkNBMSgwJgYDVQQDEx9TU0wgSW50ZXJvcCBWZXJpZmljYXRpb24gUG9saWN5MIGNMAoMBHNzbD -+ ICAgDNMH8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F -+ 0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExJjAkBgNVBAMTHVNTTCBJbnRlcm9w -+ IEVuY3J5cHRpb24gUG9saWN5MEMwFwwSdnBuX2NsaWVudF9tYWNoaW5lAgEhMCgwETAPDApFbmNye -+ XB0aW9uAgE6MBMwEQwMVmVyaWZpY2F0aW9uAgE7MIGiMBQMD3Zwbl9jbGllbnRfdXNlcgIBGTCBiT -+ CBhjAPDApEdWFsIFVzYWdlAgEvMHMxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAY -+ DVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExGjAYBgNV -+ BAMTEUR1YWwgVXNhZ2UgUG9saWN5MDgwDAwHdnBuX2RpcgIBCjAoMBEwDwwKRW5jcnlwdGlvbgIBD -+ zATMBEMDFZlcmlmaWNhdGlvbgIBEDA6MA4MCXZwbl9ub2RpcgIBCzAoMBEwDwwKRW5jcnlwdGlvbg -+ IBETATMBEMDFZlcmlmaWNhdGlvbgIBEjA6MA4MCXdlYl9hZF9kYwIBHzAoMBEwDwwKRW5jcnlwdGl -+ vbgIBNjATMBEMDFZlcmlmaWNhdGlvbgIBNzA/MBMMDndlYl9hZF9kY19jbHMxAgFDMCgwETAPDApF -+ bmNyeXB0aW9uAgFvMBMwEQwMVmVyaWZpY2F0aW9uAgFwMD8wEwwOd2ViX2FkX2RjX2NsczICAUQwK -+ DARMA8MCkVuY3J5cHRpb24CAXEwEzARDAxWZXJpZmljYXRpb24CAXIwggE+MBAMC3dlYl9hZF9zdn -+ 
IyAgFhMIIBKDCBjzAQDApFbmNyeXB0aW9uAgIAsTB7MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW5 -+ 0cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1 -+ YkNBMSIwIAYDVQQDExlDTFMgMnlyIEVuY3J5cHRpb24gUG9saWN5MIGTMBIMDFZlcmlmaWNhdGlvb -+ gICALIwfTELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYX -+ Rpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEkMCIGA1UEAxMbQ0xTIDJ5ciBWZXJ -+ pZmljYXRpb24gUG9saWN5MIIBLjAQDAt3ZWJfYWRfc3ZyMwIBYjCCARgwgYcwEAwKRW5jcnlwdGlv -+ bgICALMwczELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljY -+ XRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTEaMBgGA1UEAxMRRW5jcnlwdGlvbi -+ BQb2xpY3kwgYswEgwMVmVyaWZpY2F0aW9uAgIAtDB1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW5 -+ 0cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1 -+ YkNBMRwwGgYDVQQDExNWZXJpZmljYXRpb24gUG9saWN5MD8wEwwOd2ViX2FpX2Ntc19jbGkCAT4wK -+ DARMA8MCkVuY3J5cHRpb24CAWUwEzARDAxWZXJpZmljYXRpb24CAWYwPjASDA13ZWJfYWlfY21zX2 -+ RzAgE/MCgwETAPDApFbmNyeXB0aW9uAgFnMBMwEQwMVmVyaWZpY2F0aW9uAgFoMD8wEwwOd2ViX2F -+ pX2Ntc19zdnICAT0wKDARMA8MCkVuY3J5cHRpb24CAWMwEzARDAxWZXJpZmljYXRpb24CAWQwPDAO -+ DAl3ZWJfYmFzaWMCAWswKjASMBAMCkVuY3J5cHRpb24CAgC+MBQwEgwMVmVyaWZpY2F0aW9uAgIAv -+ zBCMBQMDndlYl9jbGlzdnJfZXhwAgIAgjAqMBIwEAwKRW5jcnlwdGlvbgICAOQwFDASDAxWZXJpZm -+ ljYXRpb24CAgDlMDkwDQwId2ViX2NsczECAUUwKDARMA8MCkVuY3J5cHRpb24CAXMwEzARDAxWZXJ -+ pZmljYXRpb24CAXQwOTANDAh3ZWJfY2xzMgIBRjAoMBEwDwwKRW5jcnlwdGlvbgIBdTATMBEMDFZl -+ cmlmaWNhdGlvbgIBdjA+MBIMDXdlYl9jbXNjbGllbnQCAUEwKDARMA8MCkVuY3J5cHRpb24CAWswE -+ zARDAxWZXJpZmljYXRpb24CAWwwRDAXDBJ3ZWJfY21zY2xpZW50X2NsczECAUswKTARMA8MCkVuY3 -+ J5cHRpb24CAX8wFDASDAxWZXJpZmljYXRpb24CAgCAMEUwFwwSd2ViX2Ntc2NsaWVudF9jbHMyAgF -+ MMCowEjAQDApFbmNyeXB0aW9uAgIAgTAUMBIMDFZlcmlmaWNhdGlvbgICAIIwPjASDA13ZWJfY21z -+ c2VydmVyAgFCMCgwETAPDApFbmNyeXB0aW9uAgFtMBMwEQwMVmVyaWZpY2F0aW9uAgFuMEUwFwwSd -+ 2ViX2Ntc3NlcnZlcl9jbHMxAgFNMCowEjAQDApFbmNyeXB0aW9uAgIAgzAUMBIMDFZlcmlmaWNhdG -+ 
lvbgICAIQwRTAXDBJ3ZWJfY21zc2VydmVyX2NsczICAU4wKjASMBAMCkVuY3J5cHRpb24CAgCFMBQ -+ wEgwMVmVyaWZpY2F0aW9uAgIAhjA9MBEMDHdlYl9jb2Rlc2lnbgIBHjAoMBEwDwwKRW5jcnlwdGlv -+ bgIBNDATMBEMDFZlcmlmaWNhdGlvbgIBNTBCMBYMEXdlYl9jb2Rlc2lnbl9jbHMxAgFJMCgwETAPD -+ ApFbmNyeXB0aW9uAgF7MBMwEQwMVmVyaWZpY2F0aW9uAgF8MEIwFgwRd2ViX2NvZGVzaWduX2Nscz -+ ICAUowKDARMA8MCkVuY3J5cHRpb24CAX0wEzARDAxWZXJpZmljYXRpb24CAX4wggEsMBAMC3dlYl9 -+ kZWZhdWx0AgEcMIIBFjCBhjAPDApFbmNyeXB0aW9uAgEwMHMxCzAJBgNVBAYTAlVTMRAwDgYDVQQK -+ EwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ -+ 29tU3ViQ0ExGjAYBgNVBAMTEUVuY3J5cHRpb24gUG9saWN5MIGKMBEMDFZlcmlmaWNhdGlvbgIBMT -+ B1MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiB -+ BdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRwwGgYDVQQDExNWZXJpZmljYXRpb24gUG9s -+ aWN5MCwwEwwOd2ViX29uZWtleXBhaXICATwwFTATMBEMDFZlcmlmaWNhdGlvbgIBYjA7MA8MCndlY -+ l9zZXJ2ZXICAR0wKDARMA8MCkVuY3J5cHRpb24CATIwEzARDAxWZXJpZmljYXRpb24CATMwKjAQDA -+ t3ZWJfc2VydmVyMgIBdTAWMBQwEgwMVmVyaWZpY2F0aW9uAgIAzjBEMBYMEHdlYl9zZXJ2ZXJfYmF -+ zaWMCAgCDMCowEjAQDApFbmNyeXB0aW9uAgIA5jAUMBIMDFZlcmlmaWNhdGlvbgICAOcwQDAUDA93 -+ ZWJfc2VydmVyX2NsczECAUcwKDARMA8MCkVuY3J5cHRpb24CAXcwEzARDAxWZXJpZmljYXRpb24CA -+ XgwggFAMBQMD3dlYl9zZXJ2ZXJfY2xzMgIBSDCCASYwgY4wDwwKRW5jcnlwdGlvbgIBeTB7MQswCQ -+ YDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3J -+ pdGllczESMBAGA1UECxMJRENvbVN1YkNBMSIwIAYDVQQDExlDTFMgMnlyIEVuY3J5cHRpb24gUG9s -+ aWN5MIGSMBEMDFZlcmlmaWNhdGlvbgIBejB9MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzd -+ DEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMS -+ QwIgYDVQQDExtDTFMgMnlyIFZlcmlmaWNhdGlvbiBQb2xpY3kwggEyMBQMD3dlYl9zZXJ2ZXJfY2x -+ zMwIBYDCCARgwgYcwEAwKRW5jcnlwdGlvbgICAK8wczELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0Vu -+ dHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21Td -+ WJDQTEaMBgGA1UEAxMRRW5jcnlwdGlvbiBQb2xpY3kwgYswEgwMVmVyaWZpY2F0aW9uAgIAsDB1MQ -+ 
swCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXR -+ ob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBMRwwGgYDVQQDExNWZXJpZmljYXRpb24gUG9saWN5 -+ MIIBQjAUDA93ZWJfc2VydmVyX2NsczQCAV8wggEoMIGPMBAMCkVuY3J5cHRpb24CAgCtMHsxCzAJB -+ gNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcm -+ l0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0ExIjAgBgNVBAMTGUNMUyA0eXIgRW5jcnlwdGlvbiBQb2x -+ pY3kwgZMwEgwMVmVyaWZpY2F0aW9uAgIArjB9MQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVz -+ dDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczESMBAGA1UECxMJRENvbVN1YkNBM -+ SQwIgYDVQQDExtDTFMgNHlyIFZlcmlmaWNhdGlvbiBQb2xpY3kwRjAYDBN3ZWJfc2VydmVyX2V4cG -+ VyaWFuAgFuMCowEjAQDApFbmNyeXB0aW9uAgIAwzAUMBIMDFZlcmlmaWNhdGlvbgICAMQwQDAUDA9 -+ 3ZWJfc2VydmVyX2hpZ2gCATswKDARMA8MCkVuY3J5cHRpb24CAWAwEzARDAxWZXJpZmljYXRpb24C -+ AWEwGwYJKoZIhvZ9B000MQ4wDAYKKoZIhvZ9B001ATAhMB8GA1UdIwQYMBaAFDy++9gIa1JL8T+Oh -+ 9HW5F160lV9MA0GCSqGSIb3DQEBBQUAA4IBAQBelvaP82tFhjcHOTSDP97QLcqo2yE9RjjLtC/In8 -+ u/Zi/8y6jR9GRE11U6GbF+5+EJ5pckTMJ8Oorn3ZVOl4dKyzTN9m2rLjdUXNWd/th8Ja1RD/9hpMD -+ o5HUUYJEoOQxufTZnWfEZ2AISB7rXLCFZpdHGvc3H2ORtkhV+SuTmLpNkN1Zsbv8TXNi4szuX5sbA -+ y/mX7G8q0Twbb+GGpZjlKV226xc2Ejy3uYGrUK0kEr6u/ONTK1844vsuZPkcJOMcj7/c4o8oKKVMT -+ Fyafl1swsxHWn6MTh6WqI5k2LBcyEZSptDcG1brE7BU1JAOE9F7nkaoOOWefJs3n7B8piLg -+crossCertificatePair;binary:: MIIGUqCCBk4wggZKMIIFMqADAgECAgRIwMPgMA0GCSqGSIb3 -+ DQEBBQUAMFgxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY -+ 2F0aW9uIEF1dGhvcml0aWVzMRMwEQYDVQQLEwpEQ29tUm9vdENBMB4XDTEwMDQyMDE0NDQwNloXDT -+ MwMDMyMDE1MTQwNlowVzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUN -+ lcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTCCASIwDQYJKoZIhvcN -+ AQEBBQADggEPADCCAQoCggEBAOMj486WAJ+GC3aOTn7g1p3+tzHJ8YUAoLW0y4WC6eleA+Yq9M+FP -+ Xlo+E6AMak4+HENfQMBa5bUgqJMGL20ZOktm0jpMtGtbS/J6Y9TrujpysVnO4SZwuWJOlwV+DLfgH -+ JYFcE/oeVej/TcoQw+zV0RkeDVA4npgOw5FWKzPlnKANF8KN598KK92jx+p60egFYyIY04MknO/cH -+ 
APZXT7tVIp1ljyHyNwMPWiwYdyVdR7IkrFQrb55lHEj4/KdHoLISe4/sQB1Yw6S9fz+A7HhF3BBkb -+ tNJk+jfjDL2/hNq0VP9b9zURJKSGEUTBaoAbvcWw7p7v2t7VOTB5Wb496SECAwEAAaOCAxswggMXM -+ A4GA1UdDwEB/wQEAwIBBjA8BgNVHSAENTAzMA8GDWCGSAGG+muBSAMKAgEwDwYNYIZIAYb6a4FIAw -+ oCAjAPBg1ghkgBhvprgUgDCgIDMA8GA1UdEwEB/wQFMAMBAf8wggEBBggrBgEFBQcBAQSB9DCB8TC -+ BnQYIKwYBBQUHMAKGgZBsZGFwOi8vZGNvbWRpcjEubWFuYWdlZC5lbnRydXN0LmNvbS9vdT1EQ29t -+ Um9vdENBLG91PUNlcnRpZmljYXRpb24lMjBBdXRob3JpdGllcyxvPUVudHJ1c3QsYz1VUz9jQUNlc -+ nRpZmljYXRlO2JpbmFyeSxjcm9zc0NlcnRpZmljYXRlUGFpcjtiaW5hcnkwTwYIKwYBBQUHMAKGQ2 -+ h0dHA6Ly9kY29td2ViMS5tYW5hZ2VkLmVudHJ1c3QuY29tL0FJQS9DZXJ0c0lzc3VlZFRvRENvbVJ -+ vb3RDQS5wN2MwggFUBgNVHR8EggFLMIIBRzCB06CB0KCBzYY4aHR0cDovL2Rjb213ZWIxLm1hbmFn -+ ZWQuZW50cnVzdC5jb20vQ1JMcy9EQ29tUm9vdENBMS5jcmyGgZBsZGFwOi8vZGNvbWRpcjEubWFuY -+ WdlZC5lbnRydXN0LmNvbS9jbj1XaW5Db21iaW5lZDEsb3U9RENvbVJvb3RDQSxvdT1DZXJ0aWZpY2 -+ F0aW9uJTIwQXV0aG9yaXRpZXMsbz1FbnRydXN0LGM9VVM/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGl -+ zdDtiaW5hcnkwb6BtoGukaTBnMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UE -+ CxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczETMBEGA1UECxMKRENvbVJvb3RDQTENMAsGA1UEA -+ xMEQ1JMMTAfBgNVHSMEGDAWgBRFx/xyHQhRD4vvL4V0iTRGDDP/JTAdBgNVHQ4EFgQUPL772AhrUk -+ vxP46H0dbkXXrSVX0wGQYJKoZIhvZ9B0EABAwwChsEVjcuMQMCAIEwDQYJKoZIhvcNAQEFBQADggE -+ BAJQrdloQCgTe0ahJyTU/fsKLzYXVGJOwnrwyof/+7emUfZS/OhKYuCfQ9w/wWLhT5SUzm9GDlUfk -+ YUfpL+/5joymDJO8/thcEq/k2PJepSFf7IMY8635kNz27kI9fA8JQGn7nEI8WBjX26qs7Ho7QKVkv -+ 6YEDuGeJwBLTGyNerDEf5n+DdMvrDmVAOs62T8uTZDb9gn/uIEGv3vaR+rs3KxvDhEr/2OFJtDWHw -+ PdHFOrr1pNkNWqdStwoE2/fxUfccQhLn+H5GgKLD7YT74uUCi+VFP1juV3F7jUlytgtMnnbqRIbDn -+ 4bMPn2HOmxdQ20amsdKX4bfosqFMepfSxWRQ= -+crossCertificatePair;binary:: MIIGQaCCBj0wggY5MIIFIaADAgECAgRIwJY0MA0GCSqGSIb3 -+ DQEBBQUAMFgxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY -+ 2F0aW9uIEF1dGhvcml0aWVzMRMwEQYDVQQLEwpEQ29tUm9vdENBMB4XDTA4MDkwNTE4MDQxMVoXDT -+ E4MDkwNTAyMTMzN1owVzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUN -+ 
lcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQTCCASIwDQYJKoZIhvcN -+ AQEBBQADggEPADCCAQoCggEBAL+MSY0GXRSMIIm5l+bMpXvk8rlG/Rjqaw0TNZ2w+KsG6ktNWXDll -+ A1i1l0Fvx2qj4O/z5bNfgmUmJZFamyWOS6TkwX2C+2DspI7P3a+gVTVu+7VJkevo3Hye2Pd6bAf/+ -+ bfV2IhSyAOe0wW0sANyQrIjzsU1r6YBjpcT1E5QZdnzSrEYRoBhJGXf8/v+Zu21AqOZ9EpagpvmsZ -+ 4UI8ORFg2PV0UOmnwNkMVO21JH1sUGYfKP9JAoO8vTzgwYbDN1w5DMC7SqWBl00OF6pGGaglJ5D16 -+ OcopR8aZVePxj+dW+MADgEufai5CqhUKZ6CA1pa+P6c1lPcFEGgz9AQS420CAwEAAaOCAwowggMGM -+ A4GA1UdDwEB/wQEAwIBBjA8BgNVHSAENTAzMA8GDWCGSAGG+muBSAMKAgEwDwYNYIZIAYb6a4FIAw -+ oCAjAPBg1ghkgBhvprgUgDCgIDMA8GA1UdEwEB/wQFMAMBAf8wggEBBggrBgEFBQcBAQSB9DCB8TC -+ BnQYIKwYBBQUHMAKGgZBsZGFwOi8vZGNvbWRpcjEubWFuYWdlZC5lbnRydXN0LmNvbS9vdT1EQ29t -+ Um9vdENBLG91PUNlcnRpZmljYXRpb24lMjBBdXRob3JpdGllcyxvPUVudHJ1c3QsYz1VUz9jQUNlc -+ nRpZmljYXRlO2JpbmFyeSxjcm9zc0NlcnRpZmljYXRlUGFpcjtiaW5hcnkwTwYIKwYBBQUHMAKGQ2 -+ h0dHA6Ly9kY29td2ViMS5tYW5hZ2VkLmVudHJ1c3QuY29tL0FJQS9DZXJ0c0lzc3VlZFRvRENvbVJ -+ vb3RDQS5wN2MwggFDBgNVHR8EggE6MIIBNjCBwqCBv6CBvIaBgGxkYXA6Ly9kY29tZGlyMS5tYW5h -+ Z2VkLmVudHJ1c3QuY29tL291PURDb21Sb290Q0Esb3U9Q2VydGlmaWNhdGlvbiUyMEF1dGhvcml0a -+ WVzLG89RW50cnVzdCxjPVVTP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5hjdodHRwOi -+ 8vZGNvbXdlYjEubWFuYWdlZC5lbnRydXN0LmNvbS9DUkxzL0RDb21Sb290Q0EuY3JsMG+gbaBrpGk -+ wZzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24g -+ QXV0aG9yaXRpZXMxEzARBgNVBAsTCkRDb21Sb290Q0ExDTALBgNVBAMTBENSTDEwHwYDVR0jBBgwF -+ oAUh1mBY1JFXsCw39HI6bl1OBAu3tkwHQYDVR0OBBYEFPQWLgG7q5AZpChCDZ3AH5yvEIYrMBkGCS -+ qGSIb2fQdBAAQMMAobBFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4IBAQCrafi2DFqdhpXtzeJpUgZ -+ glNOwZUBOp5thJUH7+yMcgl5Ka4JIqqNpw3ZbFPFT9Ni4IzDmJYyPgqHmgRubxFWpAHdP8SjEK7pl -+ 6DwDmbCAWBiq7SmSfqt502FUUyiTcZsCLi6GqE4fetej41t3NaGidqyVQXPJ26Ti2jNT4NzRnADi6 -+ vOzMzxMSkWH1OaHoGLtTVpIjkbJZygnSmof4+gs4M1fmH4FVTcWV6t8zbTwkH4RTYSHVX04aM4ZBp -+ nhMq6sk9uNL+qndpWkO7u7zr6K527kl6/t1Xr9/vnzD0ACVk/gluI7MvCUIzP55o01Rp90ZCMIMak -+ u0qrESgh0GXln -+cACertificate;binary:: 
MIIGSjCCBTKgAwIBAgIESMDD4DANBgkqhkiG9w0BAQUFADBYMQswCQY -+ DVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp -+ dGllczETMBEGA1UECxMKRENvbVJvb3RDQTAeFw0xMDA0MjAxNDQ0MDZaFw0zMDAzMjAxNTE0MDZaM -+ FcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIE -+ F1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggE -+ KAoIBAQDjI+POlgCfhgt2jk5+4Nad/rcxyfGFAKC1tMuFgunpXgPmKvTPhT15aPhOgDGpOPhxDX0D -+ AWuW1IKiTBi9tGTpLZtI6TLRrW0vyemPU67o6crFZzuEmcLliTpcFfgy34ByWBXBP6HlXo/03KEMP -+ s1dEZHg1QOJ6YDsORVisz5ZygDRfCjeffCivdo8fqetHoBWMiGNODJJzv3BwD2V0+7VSKdZY8h8jc -+ DD1osGHclXUeyJKxUK2+eZRxI+PynR6CyEnuP7EAdWMOkvX8/gOx4RdwQZG7TSZPo34wy9v4TatFT -+ /W/c1ESSkhhFEwWqAG73FsO6e79re1TkweVm+PekhAgMBAAGjggMbMIIDFzAOBgNVHQ8BAf8EBAMC -+ AQYwPAYDVR0gBDUwMzAPBg1ghkgBhvprgUgDCgIBMA8GDWCGSAGG+muBSAMKAgIwDwYNYIZIAYb6a -+ 4FIAwoCAzAPBgNVHRMBAf8EBTADAQH/MIIBAQYIKwYBBQUHAQEEgfQwgfEwgZ0GCCsGAQUFBzACho -+ GQbGRhcDovL2Rjb21kaXIxLm1hbmFnZWQuZW50cnVzdC5jb20vb3U9RENvbVJvb3RDQSxvdT1DZXJ -+ 0aWZpY2F0aW9uJTIwQXV0aG9yaXRpZXMsbz1FbnRydXN0LGM9VVM/Y0FDZXJ0aWZpY2F0ZTtiaW5h -+ cnksY3Jvc3NDZXJ0aWZpY2F0ZVBhaXI7YmluYXJ5ME8GCCsGAQUFBzAChkNodHRwOi8vZGNvbXdlY -+ jEubWFuYWdlZC5lbnRydXN0LmNvbS9BSUEvQ2VydHNJc3N1ZWRUb0RDb21Sb290Q0EucDdjMIIBVA -+ YDVR0fBIIBSzCCAUcwgdOggdCggc2GOGh0dHA6Ly9kY29td2ViMS5tYW5hZ2VkLmVudHJ1c3QuY29 -+ tL0NSTHMvRENvbVJvb3RDQTEuY3JshoGQbGRhcDovL2Rjb21kaXIxLm1hbmFnZWQuZW50cnVzdC5j -+ b20vY249V2luQ29tYmluZWQxLG91PURDb21Sb290Q0Esb3U9Q2VydGlmaWNhdGlvbiUyMEF1dGhvc -+ ml0aWVzLG89RW50cnVzdCxjPVVTP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q7YmluYXJ5MG+gba -+ BrpGkwZzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXR -+ pb24gQXV0aG9yaXRpZXMxEzARBgNVBAsTCkRDb21Sb290Q0ExDTALBgNVBAMTBENSTDEwHwYDVR0j -+ BBgwFoAURcf8ch0IUQ+L7y+FdIk0Rgwz/yUwHQYDVR0OBBYEFDy++9gIa1JL8T+Oh9HW5F160lV9M -+ BkGCSqGSIb2fQdBAAQMMAobBFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4IBAQCUK3ZaEAoE3tGoSc -+ k1P37Ci82F1RiTsJ68MqH//u3plH2UvzoSmLgn0PcP8Fi4U+UlM5vRg5VH5GFH6S/v+Y6MpgyTvP7 
-+ YXBKv5NjyXqUhX+yDGPOt+ZDc9u5CPXwPCUBp+5xCPFgY19uqrOx6O0ClZL+mBA7hnicAS0xsjXqw -+ xH+Z/g3TL6w5lQDrOtk/Lk2Q2/YJ/7iBBr972kfq7Nysbw4RK/9jhSbQ1h8D3RxTq69aTZDVqnUrc -+ KBNv38VH3HEIS5/h+RoCiw+2E++LlAovlRT9Y7ldxe41JcrYLTJ526kSGw5+GzD59hzpsXUNtGprH -+ Sl+G36LKhTHqX0sVkU -+cACertificate;binary:: MIIGOTCCBSGgAwIBAgIESMCWNDANBgkqhkiG9w0BAQUFADBYMQswCQY -+ DVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp -+ dGllczETMBEGA1UECxMKRENvbVJvb3RDQTAeFw0wODA5MDUxODA0MTFaFw0xODA5MDUwMjEzMzdaM -+ FcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIE -+ F1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ29tU3ViQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggE -+ KAoIBAQC/jEmNBl0UjCCJuZfmzKV75PK5Rv0Y6msNEzWdsPirBupLTVlw5ZQNYtZdBb8dqo+Dv8+W -+ zX4JlJiWRWpsljkuk5MF9gvtg7KSOz92voFU1bvu1SZHr6Nx8ntj3emwH//m31diIUsgDntMFtLAD -+ ckKyI87FNa+mAY6XE9ROUGXZ80qxGEaAYSRl3/P7/mbttQKjmfRKWoKb5rGeFCPDkRYNj1dFDpp8D -+ ZDFTttSR9bFBmHyj/SQKDvL084MGGwzdcOQzAu0qlgZdNDheqRhmoJSeQ9ejnKKUfGmVXj8Y/nVvj -+ AA4BLn2ouQqoVCmeggNaWvj+nNZT3BRBoM/QEEuNtAgMBAAGjggMKMIIDBjAOBgNVHQ8BAf8EBAMC -+ AQYwPAYDVR0gBDUwMzAPBg1ghkgBhvprgUgDCgIBMA8GDWCGSAGG+muBSAMKAgIwDwYNYIZIAYb6a -+ 4FIAwoCAzAPBgNVHRMBAf8EBTADAQH/MIIBAQYIKwYBBQUHAQEEgfQwgfEwgZ0GCCsGAQUFBzACho -+ GQbGRhcDovL2Rjb21kaXIxLm1hbmFnZWQuZW50cnVzdC5jb20vb3U9RENvbVJvb3RDQSxvdT1DZXJ -+ 0aWZpY2F0aW9uJTIwQXV0aG9yaXRpZXMsbz1FbnRydXN0LGM9VVM/Y0FDZXJ0aWZpY2F0ZTtiaW5h -+ cnksY3Jvc3NDZXJ0aWZpY2F0ZVBhaXI7YmluYXJ5ME8GCCsGAQUFBzAChkNodHRwOi8vZGNvbXdlY -+ jEubWFuYWdlZC5lbnRydXN0LmNvbS9BSUEvQ2VydHNJc3N1ZWRUb0RDb21Sb290Q0EucDdjMIIBQw -+ YDVR0fBIIBOjCCATYwgcKggb+ggbyGgYBsZGFwOi8vZGNvbWRpcjEubWFuYWdlZC5lbnRydXN0LmN -+ vbS9vdT1EQ29tUm9vdENBLG91PUNlcnRpZmljYXRpb24lMjBBdXRob3JpdGllcyxvPUVudHJ1c3Qs -+ Yz1VUz9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0O2JpbmFyeYY3aHR0cDovL2Rjb213ZWIxLm1hb -+ mFnZWQuZW50cnVzdC5jb20vQ1JMcy9EQ29tUm9vdENBLmNybDBvoG2ga6RpMGcxCzAJBgNVBAYTAl -+ VTMRAwDgYDVQQKEwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRM -+ 
wEQYDVQQLEwpEQ29tUm9vdENBMQ0wCwYDVQQDEwRDUkwxMB8GA1UdIwQYMBaAFIdZgWNSRV7AsN/R -+ yOm5dTgQLt7ZMB0GA1UdDgQWBBT0Fi4Bu6uQGaQoQg2dwB+crxCGKzAZBgkqhkiG9n0HQQAEDDAKG -+ wRWNy4xAwIAgTANBgkqhkiG9w0BAQUFAAOCAQEAq2n4tgxanYaV7c3iaVIGYJTTsGVATqebYSVB+/ -+ sjHIJeSmuCSKqjacN2WxTxU/TYuCMw5iWMj4Kh5oEbm8RVqQB3T/EoxCu6Zeg8A5mwgFgYqu0pkn6 -+ redNhVFMok3GbAi4uhqhOH3rXo+NbdzWhonaslUFzyduk4tozU+Dc0ZwA4urzszM8TEpFh9Tmh6Bi -+ 7U1aSI5GyWcoJ0pqH+PoLODNX5h+BVU3FlerfM208JB+EU2Eh1V9OGjOGQaZ4TKurJPbjS/qp3aVp -+ Du7u86+iudu5Jev7dV6/f758w9AAlZP4JbiOzLwlCMz+eaNNUafdGQjCDGpLtKqxEoIdBl5Zw== -+objectClass: organizationalUnit -+objectClass: top -+objectClass: extensibleobject -+ou: binary -+nsUniqueId: f49ca103-c2ee11e7-9170b029-e68fda34 -+creatorsName: -+modifiersName: -+createTimestamp: 20171106123544Z -+modifyTimestamp: 20171106123544Z -+ -+# entry-id: 3 -+dn: cn=test,ou=binary,dc=example,dc=com -+userCertificate:: MIIGfzCCBWcCAQEwgYOhgYAwfqR8MHoxCzAJBgNVBAYTAlVTMRAwDgYDVQQK -+ EwdFbnRydXN0MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0aWVzMRIwEAYDVQQLEwlEQ -+ 29tU3ViQ0ExITAfBgNVBAMTGFNQT0MgU2VydmVyIExvZ2luIFBvbGljeTBnoGUwYzBbpFkwVzELMA -+ kGA1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9 -+ yaXRpZXMxEjAQBgNVBAsTCURDb21TdWJDQQIESMDD4DANBgkqhkiG9w0BAQUFAAIEV4eo1TAiGA8y -+ MDE3MTAxNTIyNDYwOVoYDzIwMTcxMTE0MjI0NjA5WjCCBBUwHwYJKoZIhvZ9B00BMRIwEAIBAAIBC -+ AIBCAIBCgMCAGkwFAYJKoZIhvZ9B00DMQcwBQwDQUxMMBEGCSqGSIb2fQdNBTEEAwID2DAPBgkqhk -+ iG9n0HTQYxAgwAMBcGCSqGSIb2fQdNCTEKDAhSU0EtMjA0ODApBgkqhkiG9n0HTQ4xHDAaDAlwcml -+ udGFibGUMB3RlbGV0ZXgMBHV0ZjgwEQYJKoZIhvZ9B00PMQQDAgeAMBEGCSqGSIb2fQdNFTEEAwIH -+ gDAQBgkqhkiG9n0HTRYxAwMBADAQBgkqhkiG9n0HTQgxAwMBADAQBgkqhkiG9n0HTSwxAwMBADAPB -+ gkqhkiG9n0HTQsxAjAAMBAGCSqGSIb2fQdNDDEDAwEAMBAGCSqGSIb2fQdNDTEDAgEeMA8GCSqGSI -+ b2fQdNEzECDAAwEAYJKoZIhvZ9B00XMQMBAQAwEQYJKoZIhvZ9B00YMQQCAgfQMBAGCSqGSIb2fQd -+ NHzEDAQEAMBAGCSqGSIb2fQdNJjEDAwEAMBAGCSqGSIb2fQdNGTEDAgECMBAGCSqGSIb2fQdNGzED -+ 
AQEAMBAGCSqGSIb2fQdNKTEDAQEAMBAGCSqGSIb2fQdNHDEDAgEAMBAGCSqGSIb2fQdNHTEDAgEBM -+ BAGCSqGSIb2fQdNIDEDAwEAMBEGCSqGSIb2fQdNITEEAwIE8DAPBgkqhkiG9n0HTSMxAgwAMA8GCS -+ qGSIb2fQdNJDECDAAwJAYJKoZIhvZ9B00lMRcwFQwJRGlyZWN0b3J5DANFQUIMA0dBTDAQBgkqhki -+ G9n0HTSsxAwMBADAPBgkqhkiG9n0HTTYxAgwAMBEGCSqGSIb2fQdNMzEEAwIHgDAPBgkqhkiG9n0H -+ TScxAgwAMBAGCSqGSIb2fQdNETEDAgECMBAGCSqGSIb2fQdNKDEDAgFkMBEGCiqGSIb2fQdNLQExA -+ wIBAzBEBgoqhkiG9n0HTS0CMTYwNAwMZW50ZWxsaWdlbmNlDAZkaXJlY3QMCHpmLWxvY2FsDAp6Zi -+ 1yb2FtaW5nDAZ6Zi1tc2YwFwYKKoZIhvZ9B00tAzEJDAdleGVjdXRlMBAGCSqGSIb2fQdNMTEDAQE -+ AMBAGCSqGSIb2fQdNMjEDAQEAMBAGCSqGSIb2fQdNOTEDAQH/MA8GCSqGSIb2fQdNLzECDAAwEAYJ -+ KoZIhvZ9B004MQMBAQAwEwYJKoZIhvZ9B003MQYMBENBU1QwEAYJKoZIhvZ9B007MQMBAQAwFgYJK -+ oZIhvZ9B009MQkMB0VudHJ1c3QwEAYJKoZIhvZ9B00+MQMBAQAwEAYJKoZIhvZ9B00/MQMBAQAwFw -+ YJKoZIhvZ9B00KMQoMCFJTQS0yMDQ4MBAGCSqGSIb2fQdNQzEDAQEAMCEwHwYDVR0jBBgwFoAUPL7 -+ 72AhrUkvxP46H0dbkXXrSVX0wDQYJKoZIhvcNAQEFBQADggEBADrezRWX0fuPC415BUa3tafMLaVO -+ 24v3CP+qYud4Z6IKI7jNtt2pcneaYjQ7iaxypE3N7Wwlim6Ak4yuwwJ9SrKOSe7YPiFOuugvNy2fk -+ +f2h3bFkLm40bkjPPH8bih4sLyU8RcN2cAJLxHINwXO3ALKBo3IdxrfcoKquO7g+R4+ZPvmS/95J9 -+ aQ08FZKpkv+ORPRZySkr0zMUARdBBguklHqFeczn5tQnmJcsfVlP4DC7IPqw2xM8l3b+iAH5pyqgb -+ o/Lk11VWkD11s3K8/Bf40eH23upDOwmYBAszHdXU4+5HNZ/An6xfVEjr/+KxUAEVD5TGQMVJY6SCS -+ zN3ONRc= -+objectClass: top -+objectClass: extensibleobject -+cn: test -+nsUniqueId: f49ca104-c2ee11e7-9170b029-e68fda34 -+creatorsName: -+modifiersName: -+createTimestamp: 20171106123544Z -+modifyTimestamp: 20171106123544Z -+ -diff --git a/dirsrvtests/tests/tickets/ticket49441_test.py b/dirsrvtests/tests/tickets/ticket49441_test.py -new file mode 100644 -index 000000000..e50ebc128 ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket49441_test.py -@@ -0,0 +1,74 @@ -+import logging -+import pytest -+import os -+import ldap -+from lib389._constants import * -+from lib389.topologies import topology_st as topo -+from lib389.utils import * -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) 
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+
-+def test_ticket49441(topo):
-+ """Import ldif with large indexed binary attributes, the server should not
-+ crash
-+
-+ :id: 4e5df145-cbd1-4955-8f77-6a7eaa14beba
-+ :setup: standalone topology
-+ :steps:
-+ 1. Add indexes for binary attributes
-+ 2. Perform online import
-+ 3. Verify server is still running
-+ :expectedresults:
-+ 1. Indexes are successfully added
-+ 2. Import succeeds
-+ 3. Server is still running
-+ """
-+
-+ log.info('Position ldif files, and add indexes...')
-+ ldif_dir = topo.standalone.get_ldif_dir() + "binary.ldif"
-+ ldif_file = (topo.standalone.getDir(__file__, DATA_DIR) +
-+ "ticket49441/binary.ldif")
-+ shutil.copyfile(ldif_file, ldif_dir)
-+ args = {INDEX_TYPE: ['eq', 'pres']}
-+ for attr in ('usercertificate', 'authorityrevocationlist',
-+ 'certificaterevocationlist', 'crosscertificatepair',
-+ 'cacertificate'):
-+ try:
-+ topo.standalone.index.create(suffix=DEFAULT_SUFFIX,
-+ be_name='userroot',
-+ attr=attr, args=args)
-+ except ldap.LDAPError as e:
-+ log.fatal("Failed to add index '{}' error: {}".format(attr, str(e)))
-+ raise e
-+
-+ log.info('Import LDIF with large indexed binary attributes...')
-+ try:
-+ topo.standalone.tasks.importLDIF(suffix=DEFAULT_SUFFIX,
-+ input_file=ldif_dir,
-+ args={TASK_WAIT: True})
-+ except:
-+ log.fatal('Import failed!')
-+ assert False
-+
-+ log.info('Verify server is still running...')
-+ try:
-+ topo.standalone.search_s("", ldap.SCOPE_BASE, "objectclass=*")
-+ except ldap.LDAPError as e:
-+ log.fatal('Server is not alive: ' + str(e))
-+ assert False
-+
-+ log.info('Test PASSED')
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main("-s %s" % CURRENT_FILE)
-+
-diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
-index 58b11ed99..a565db87b 100644
---- a/ldap/servers/slapd/back-ldbm/index.c
-+++ b/ldap/servers/slapd/back-ldbm/index.c
-@@ -827,8 +827,10 @@ encode(const struct berval *data, char buf[BUFSIZ])
- bufSpace -= (s - first);
- }
- do {
-- *bufNext++ = '\\';
-- --bufSpace;
-+ if (bufSpace) {
-+ *bufNext++ = '\\';
-+ --bufSpace;
-+ }
- if (bufSpace < 2) {
- memcpy(bufNext, "..", 2);
- bufNext += 2;
-@@ -926,8 +928,10 @@ index_read_ext_allids(
- slapi_log_err(SLAPI_LOG_ERR, "index_read_ext_allids", "NULL prefix\n");
- return NULL;
- }
-- slapi_log_err(SLAPI_LOG_TRACE, "index_read_ext_allids", "=> ( \"%s\" %s \"%s\" )\n",
-- type, prefix, encode(val, buf));
-+ if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
-+ slapi_log_err(SLAPI_LOG_TRACE, "index_read_ext_allids", "=> ( \"%s\" %s \"%s\" )\n",
-+ type, prefix, encode(val, buf));
-+ }
-
- basetype = typebuf;
- if ((basetmp = slapi_attr_basetype(type, typebuf, sizeof(typebuf))) != NULL) {
-@@ -1773,8 +1777,7 @@ addordel_values(
- */
- key.flags = DB_DBT_USERMEM;
- key.ulen = tmpbuflen;
--#ifdef LDAP_ERROR_LOGGING
-- /* XXX if ( slapd_ldap_debug & LDAP_DEBUG_TRACE ) XXX */
-+ if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
- {
- char encbuf[BUFSIZ];
-
-@@ -1782,7 +1785,6 @@ addordel_values(
- (flags & BE_INDEX_ADD) ? "add" : "del",
- encoded (&key, encbuf));
- }
--#endif
-
- if (NULL != txn) {
- db_txn = txn->back_txn_txn;
-@@ -1939,8 +1941,8 @@ addordel_values_sv(
- */
- key.flags = DB_DBT_USERMEM;
- key.ulen = tmpbuflen;
--#ifdef LDAP_ERROR_LOGGING
-- /* XXX if ( slapd_ldap_debug & LDAP_DEBUG_TRACE ) XXX */
-+
-+ if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
- {
- char encbuf[BUFSIZ];
-
-@@ -1948,7 +1950,6 @@ addordel_values_sv(
- (flags & BE_INDEX_ADD) ? "add" : "del",
- encoded(&key, encbuf));
- }
--#endif
-
- if (NULL != txn) {
- db_txn = txn->back_txn_txn;
---
-2.13.6
-
diff --git a/SOURCES/0034-Ticket-49441-Import-crashes-oneline-fix.patch b/SOURCES/0034-Ticket-49441-Import-crashes-oneline-fix.patch
deleted file mode 100644
index d9b84d3..0000000
--- a/SOURCES/0034-Ticket-49441-Import-crashes-oneline-fix.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 2c868707b3ae1a4255ea33610b177f8a98f4a3f3 Mon Sep 17 00:00:00 2001
-From: William Brown
-Date: Tue, 7 Nov 2017 17:09:18 +1000
-Subject: [PATCH] Ticket 49441 - Import crashes - oneline fix
-
-Bug Description: index.c fails to compile.
-
-Fix Description: Excess braces due to copy paste issue.
-
-https://pagure.io/389-ds-base/issue/49441
-
-Author: wibrown
-
-Review by: oneline rule
-
-(cherry picked from commit be4d7e5a82c1616317fa52968d2814e3f922254c)
----
- ldap/servers/slapd/back-ldbm/index.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
-index a565db87b..587f4d991 100644
---- a/ldap/servers/slapd/back-ldbm/index.c
-+++ b/ldap/servers/slapd/back-ldbm/index.c
-@@ -1778,7 +1778,6 @@ addordel_values(
- key.flags = DB_DBT_USERMEM;
- key.ulen = tmpbuflen;
- if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
-- {
- char encbuf[BUFSIZ];
-
- slapi_log_err(SLAPI_LOG_TRACE, "addordel_values", "%s_value(\"%s\")\n",
-@@ -1943,7 +1942,6 @@ addordel_values_sv(
- key.ulen = tmpbuflen;
-
- if (slapi_is_loglevel_set(LDAP_DEBUG_TRACE)) {
-- {
- char encbuf[BUFSIZ];
-
- slapi_log_err(SLAPI_LOG_TRACE, "addordel_values_sv", "%s_value(\"%s\")\n",
---
-2.13.6
-
diff --git a/SOURCES/0035-Ticket-49377-Incoming-BER-too-large-with-TLS-on-plai.patch b/SOURCES/0035-Ticket-49377-Incoming-BER-too-large-with-TLS-on-plai.patch
deleted file mode 100644
index 6d7c5f4..0000000
--- a/SOURCES/0035-Ticket-49377-Incoming-BER-too-large-with-TLS-on-plai.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 40811ab7571ddf0a6905b3b019229bdb555bd04d Mon Sep 17 00:00:00 2001
-From: William Brown
-Date: Tue, 7 Nov 2017 12:42:11 +1000
-Subject: [PATCH] Ticket 49377 - Incoming BER too large with TLS on plain port
-
-Bug Description: When doing TLS to a plain port, a message of
-"ber element 3 bytes too large for max ber" when max ber > 3.
-
-Fix Description: When ber_len < maxber, report that the request
-may be misformed instead of "oversize" instead. This can lead
-to a better diagnosis.
-
-https://pagure.io/389-ds-base/issue/49377
-
-Author: wibrown
-
-Review by: mreynolds (thanks!)
-
-Cherry picked from commit b3629af054760d9421a41d63b8b8ed513bb6944d
----
- ldap/servers/slapd/connection.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index 3f19b9765..8ef115691 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -2176,6 +2176,13 @@ log_ber_too_big_error(const Connection *conn, ber_len_t ber_len, ber_len_t maxbe
- " is %" BERLEN_T " bytes. Change the nsslapd-maxbersize attribute in"
- " cn=config to increase.\n",
- conn->c_connid, conn->c_sd, maxbersize);
-+ } else if (ber_len < maxbersize) {
-+ /* This means the request was misformed, not too large. */
-+ slapi_log_err(SLAPI_LOG_ERR, "log_ber_too_big_error",
-+ "conn=%" PRIu64 " fd=%d Incoming BER Element may be misformed. "
-+ "This may indicate an attempt to use TLS on a plaintext port, "
-+ "IE ldaps://localhost:389. Check your client LDAP_URI settings.\n",
-+ conn->c_connid, conn->c_sd);
- } else {
- slapi_log_err(SLAPI_LOG_ERR, "log_ber_too_big_error",
- "conn=%" PRIu64 " fd=%d Incoming BER Element was %" BERLEN_T " bytes, max allowable"
---
-2.13.6
-
diff --git a/SOURCES/0036-Ticket-48118-At-startup-changelog-can-be-erronously-.patch b/SOURCES/0036-Ticket-48118-At-startup-changelog-can-be-erronously-.patch
deleted file mode 100644
index 1aa02b6..0000000
--- a/SOURCES/0036-Ticket-48118-At-startup-changelog-can-be-erronously-.patch
+++ /dev/null
@@ -1,244 +0,0 @@
-From 127e0d954eb7741c4afdc0305f7970b7ea164e8d Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz
-Date: Thu, 9 Nov 2017 11:28:34 +0100
-Subject: [PATCH] Ticket 48118 - At startup, changelog can be erronously
- rebuilt after a normal shutdown
-
- Problem: There are two problems that can lead to inconsistent database and changelog maxruv:
- 1] the database ruv is written periodically in th ehouskeeping thread and at shutdown. It
- relies on teh ruv_dirty flag, but due to a race condition this can be reset befor writing
- the ruv
- 2] the changelog max ruv is updated whenever an operation is commutted, but in case of internal
- operations inside the txn for a client operation, if the operation is aborted the cl maxruv
- is not reset. Since it is only written at shutdown this normally is no problem, but if the
- aborted operation is the last before shutdown or is aborted by shutdown the cl ruv is incorrect
-
- Fix: the fix is in two parts:
- 1] remove the use of the dirty flag, ensure that the ruv is always written. The overhead for writing
- a database ruv that has not changed is minimal
- 2] when writing the changelog maxruv check if the macsns it contains are really present in the
- changelog. If not the maxruv is not written, it will be reconstructed at the next startup
-
- Reviewed by: William,Thierry - Thanks
----
- ldap/servers/plugins/replication/cl5_api.c | 39 ++++++++++++++++++++++
- ldap/servers/plugins/replication/repl5.h | 1 -
- ldap/servers/plugins/replication/repl5_replica.c | 32 +-----------------
- .../plugins/replication/repl5_replica_config.c | 2 --
- 4 files changed, 40 insertions(+), 34 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
-index ec648c014..55032dfb0 100644
---- a/ldap/servers/plugins/replication/cl5_api.c
-+++ b/ldap/servers/plugins/replication/cl5_api.c
-@@ -250,6 +250,8 @@ static void _cl5ReadBerval(struct berval *bv, char **buff);
- static void _cl5WriteBerval(struct berval *bv, char **buff);
- static int _cl5ReadBervals(struct berval ***bv, char **buff, unsigned int size);
- static int _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size);
-+static int64_t _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv);
-+static int64_t _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg);
-
- /* replay iteration */
- #ifdef FOR_DEBUGGING
-@@ -2716,6 +2718,36 @@ _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size)
- return CL5_SUCCESS;
- }
-
-+static int64_t
-+_cl5CheckCSNinCL(const ruv_enum_data *element, void *arg)
-+{
-+ CL5DBFile *file = (CL5DBFile *)arg;
-+ int rc = 0;
-+
-+ DBT key = {0}, data = {0};
-+ char csnStr[CSN_STRSIZE];
-+
-+ /* construct the key */
-+ key.data = csn_as_string(element->csn, PR_FALSE, csnStr);
-+ key.size = CSN_STRSIZE;
-+
-+ data.flags = DB_DBT_MALLOC;
-+
-+ rc = file->db->get(file->db, NULL /*txn*/, &key, &data, 0);
-+
-+ slapi_ch_free(&(data.data));
-+ return rc;
-+}
-+
-+static int64_t
-+_cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv)
-+{
-+ int rc = 0;
-+
-+ rc = ruv_enumerate_elements(maxruv, _cl5CheckCSNinCL, (void *)file);
-+
-+ return rc;
-+}
- /* upgrade from db33 to db41
- * 1. Run recovery on the database environment using the DB_ENV->open method
- * 2. Remove any Berkeley DB environment using the DB_ENV->remove method
-@@ -4010,6 +4042,13 @@ _cl5WriteRUV(CL5DBFile *file, PRBool purge)
- rc = ruv_to_bervals(file->maxRUV, &vals);
- }
-
-+ if (!purge && _cl5CheckMaxRUV(file, file->maxRUV)) {
-+ slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name_cl,
-+ "_cl5WriteRUV - changelog maxRUV not found in changelog for file %s\n",
-+ file->name);
-+ return CL5_DB_ERROR;
-+ }
-+
- key.size = CSN_STRSIZE;
-
- rc = _cl5WriteBervals(vals, &buff, &data.size);
-diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
-index c6e79b7e2..4e206a0fc 100644
---- a/ldap/servers/plugins/replication/repl5.h
-+++ b/ldap/servers/plugins/replication/repl5.h
-@@ -725,7 +725,6 @@ Object *replica_get_for_backend(const char *be_name);
- void replica_set_purge_delay(Replica *r, uint32_t purge_delay);
- void replica_set_tombstone_reap_interval(Replica *r, long interval);
- void replica_update_ruv_consumer(Replica *r, RUV *supplier_ruv);
--void replica_set_ruv_dirty(Replica *r);
- Slapi_Entry *get_in_memory_ruv(Slapi_DN *suffix_sdn);
- int replica_write_ruv(Replica *r);
- char *replica_get_dn(Replica *r);
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index e5296bf1c..77f4f18e4 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -41,7 +41,6 @@ struct replica
- ReplicaType repl_type; /* is this replica read-only ? */
- ReplicaId repl_rid; /* replicaID */
- Object *repl_ruv; /* replica update vector */
-- PRBool repl_ruv_dirty; /* Dirty flag for ruv */
- CSNPL *min_csn_pl; /* Pending list for minimal CSN */
- void *csn_pl_reg_id; /* registration assignment for csn callbacks */
- unsigned long repl_state_flags; /* state flags */
-@@ -788,7 +787,6 @@ replica_set_ruv(Replica *r, RUV *ruv)
- }
-
- r->repl_ruv = object_new((void *)ruv, (FNFree)ruv_destroy);
-- r->repl_ruv_dirty = PR_TRUE;
-
- replica_unlock(r->repl_lock);
- }
-@@ -860,9 +858,6 @@ replica_update_ruv(Replica *r, const CSN *updated_csn, const char *replica_purl)
- "to update RUV for replica %s, csn = %s\n",
- slapi_sdn_get_dn(r->repl_root),
- csn_as_string(updated_csn, PR_FALSE, csn_str));
-- } else {
-- /* RUV updated - mark as dirty */
-- r->repl_ruv_dirty = PR_TRUE;
- }
- } else {
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name,
-@@ -1347,8 +1342,6 @@ replica_dump(Replica *r)
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\tupdate dn: %s\n",
- updatedn_list ? updatedn_list : "not configured");
- slapi_ch_free_string(&updatedn_list);
-- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\truv: %s configured and is %sdirty\n",
-- r->repl_ruv ? "" : "not", r->repl_ruv_dirty ? "" : "not ");
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "\tCSN generator: %s configured\n",
- r->repl_csngen ? "" : "not");
- /* JCMREPL - Dump Referrals */
-@@ -1675,7 +1668,6 @@ replica_check_for_data_reload(Replica *r, void *arg __attribute__((unused)))
-
- ruv_force_csn_update_from_ruv(upper_bound_ruv, r_ruv,
- "Force update of database RUV (from CL RUV) -> ", SLAPI_LOG_NOTICE);
-- replica_set_ruv_dirty(r);
- }
-
- } else {
-@@ -2778,11 +2770,6 @@ replica_write_ruv(Replica *r)
-
- replica_lock(r->repl_lock);
-
-- if (!r->repl_ruv_dirty) {
-- replica_unlock(r->repl_lock);
-- return rc;
-- }
--
- PR_ASSERT(r->repl_ruv);
-
- ruv_to_smod((RUV *)object_get_data(r->repl_ruv), &smod);
-@@ -2817,14 +2804,10 @@ replica_write_ruv(Replica *r)
- /* ruv does not exist - create one */
- replica_lock(r->repl_lock);
-
-- if (rc == LDAP_SUCCESS) {
-- r->repl_ruv_dirty = PR_FALSE;
-- } else if (rc == LDAP_NO_SUCH_OBJECT) {
-+ if (rc == LDAP_NO_SUCH_OBJECT) {
- /* this includes an internal operation - but since this only happens
- during server startup - its ok that we have lock around it */
- rc = _replica_configure_ruv(r, PR_TRUE);
-- if (rc == 0)
-- r->repl_ruv_dirty = PR_FALSE;
- } else /* error */
- {
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
-@@ -3325,7 +3308,6 @@ replica_create_ruv_tombstone(Replica *r)
-
- if (ruv_init_new(csnstr, r->repl_rid, purl, &ruv) == RUV_SUCCESS) {
- r->repl_ruv = object_new((void *)ruv, (FNFree)ruv_destroy);
-- r->repl_ruv_dirty = PR_TRUE;
- return_value = LDAP_SUCCESS;
- } else {
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name, "replica_create_ruv_tombstone - "
-@@ -3365,8 +3347,6 @@ replica_create_ruv_tombstone(Replica *r)
- slapi_add_internal_pb(pb);
- e = NULL; /* add consumes e, upon success or failure */
- slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &return_value);
-- if (return_value == LDAP_SUCCESS)
-- r->repl_ruv_dirty = PR_FALSE;
-
- done:
- slapi_entry_free(e);
-@@ -3630,7 +3610,6 @@ replica_strip_cleaned_rids(Replica *r)
- ruv_get_cleaned_rids(ruv, rid);
- while (rid[i] != 0) {
- ruv_delete_replica(ruv, rid[i]);
-- replica_set_ruv_dirty(r);
- if (replica_write_ruv(r)) {
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name,
- "replica_strip_cleaned_rids - Failed to write RUV\n");
-@@ -3744,15 +3723,6 @@ replica_update_ruv_consumer(Replica *r, RUV *supplier_ruv)
- }
- }
-
--void
--replica_set_ruv_dirty(Replica *r)
--{
-- PR_ASSERT(r);
-- replica_lock(r->repl_lock);
-- r->repl_ruv_dirty = PR_TRUE;
-- replica_unlock(r->repl_lock);
--}
--
- PRBool
- replica_is_state_flag_set(Replica *r, int32_t flag)
- {
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index 9c8d6adbb..e025f34d8 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -937,7 +937,6 @@ replica_config_change_type_and_id(Replica *r, const char *new_type, const char *
- replica_reset_csn_pl(r);
- }
- ruv_delete_replica(ruv, oldrid);
-- replica_set_ruv_dirty(r);
- cl5CleanRUV(oldrid);
- replica_set_csn_assigned(r);
- }
-@@ -1323,7 +1322,6 @@ replica_execute_cleanruv_task(Object *r, ReplicaId rid, char *returntext __attri
- return LDAP_UNWILLING_TO_PERFORM;
- }
- rc = ruv_delete_replica(local_ruv, rid);
-- replica_set_ruv_dirty(replica);
- if (replica_write_ruv(replica)) {
- slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, "cleanAllRUV_task - Could not write RUV\n");
- }
---
-2.13.6
-
diff --git a/SOURCES/0037-Ticket-48118-fix-compiler-warning-for-incorrect-retu.patch b/SOURCES/0037-Ticket-48118-fix-compiler-warning-for-incorrect-retu.patch
deleted file mode 100644
index f592cba..0000000
--- a/SOURCES/0037-Ticket-48118-fix-compiler-warning-for-incorrect-retu.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From fd06b282ffd06a5b3807c0396bff442f0c7568b1 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz
-Date: Wed, 15 Nov 2017 13:17:00 +0100
-Subject: [PATCH] Ticket 48118 - fix compiler warning for incorrect return type
-
----
- ldap/servers/plugins/replication/cl5_api.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
-index 55032dfb0..721013abf 100644
---- a/ldap/servers/plugins/replication/cl5_api.c
-+++ b/ldap/servers/plugins/replication/cl5_api.c
-@@ -250,8 +250,8 @@ static void _cl5ReadBerval(struct berval *bv, char **buff);
- static void _cl5WriteBerval(struct berval *bv, char **buff);
- static int _cl5ReadBervals(struct berval ***bv, char **buff, unsigned int size);
- static int _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size);
--static int64_t _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv);
--static int64_t _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg);
-+static int32_t _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv);
-+static int32_t _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg);
-
- /* replay iteration */
- #ifdef FOR_DEBUGGING
-@@ -2718,7 +2718,7 @@ _cl5WriteBervals(struct berval **bv, char **buff, u_int32_t *size)
- return CL5_SUCCESS;
- }
-
--static int64_t
-+static int32_t
- _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg)
- {
- CL5DBFile *file = (CL5DBFile *)arg;
-@@ -2739,7 +2739,7 @@ _cl5CheckCSNinCL(const ruv_enum_data *element, void *arg)
- return rc;
- }
-
--static int64_t
-+static int32_t
- _cl5CheckMaxRUV(CL5DBFile *file, RUV *maxruv)
- {
- int rc = 0;
---
-2.13.6
-
diff --git a/SOURCES/0038-Ticket-49298-Correct-error-codes-with-config-restore.patch b/SOURCES/0038-Ticket-49298-Correct-error-codes-with-config-restore.patch
deleted file mode 100644
index 5e0db58..0000000
--- a/SOURCES/0038-Ticket-49298-Correct-error-codes-with-config-restore.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From e3dea0043973faf42f7756d840bc55aa8f143eb1 Mon Sep 17 00:00:00 2001
-From: William Brown
-Date: Wed, 15 Nov 2017 13:44:02 +1000
-Subject: [PATCH] Ticket 49298 - Correct error codes with config restore.
-
-Bug Description: The piece of code uses 0 as an error - not 1,
-and in some cases did not even check the codes or use the
-correct logic.
-
-Fix Description: Cleanup dse_check_file to better check the
-content of files and communicate issues to the admin. Correct
-slapd_bootstrap_config to correctly handle the cases of removal
-and restore.
-
-https://pagure.io/389-ds-base/issue/49298
-
-Author: wibrown
-
-Review by: mreynoolds & spichugi
-
-Signed-off-by: Mark Reynolds
-(cherry picked from commit 75e55e26579955adf058e8adcba9a28779583b7b)
----
- .../suites/config/removed_config_49298_test.py | 81 ++++++++++++++++++++++
- ldap/servers/slapd/config.c | 15 ++--
- ldap/servers/slapd/dse.c | 42 ++++++++---
- 3 files changed, 119 insertions(+), 19 deletions(-)
- create mode 100644 dirsrvtests/tests/suites/config/removed_config_49298_test.py
-
-diff --git a/dirsrvtests/tests/suites/config/removed_config_49298_test.py b/dirsrvtests/tests/suites/config/removed_config_49298_test.py
-new file mode 100644
-index 000000000..e65236924
---- /dev/null
-+++ b/dirsrvtests/tests/suites/config/removed_config_49298_test.py
-@@ -0,0 +1,81 @@
-+# --- BEGIN COPYRIGHT BLOCK ---
-+# Copyright (C) 2017 Red Hat, Inc.
-+# All rights reserved.
-+#
-+# License: GPL (version 3 or any later version).
-+# See LICENSE for details.
-+# --- END COPYRIGHT BLOCK ---
-+#
-+import pytest
-+import os
-+import logging
-+import subprocess
-+
-+from lib389.topologies import topology_st as topo
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+def test_restore_config(topo):
-+ """
-+ Check that if a dse.ldif and backup are removed, that the server still starts.
-+
-+ :id: e1c38fa7-30bc-46f2-a934-f8336f387581
-+ :setup: Standalone instance
-+ :steps:
-+ 1. Stop the instance
-+ 2. Delete 'dse.ldif'
-+ 3. Start the instance
-+ :expectedresults:
-+ 1. Steps 1 and 2 succeed.
-+ 2. Server will succeed to start with restored cfg.
-+ """
-+ topo.standalone.stop()
-+
-+ dse_path = topo.standalone.get_config_dir()
-+
-+ log.info(dse_path)
-+
-+ for i in ('dse.ldif', 'dse.ldif.startOK'):
-+ p = os.path.join(dse_path, i)
-+ os.remove(p)
-+
-+ # This will pass.
-+ topo.standalone.start()
-+
-+def test_removed_config(topo):
-+ """
-+ Check that if a dse.ldif and backup are removed, that the server
-+ exits better than "segfault".
-+
-+ :id: b45272d1-c197-473e-872f-07257fcb2ec0
-+ :setup: Standalone instance
-+ :steps:
-+ 1. Stop the instance
-+ 2. Delete 'dse.ldif', 'dse.ldif.bak', 'dse.ldif.startOK'
-+ 3. Start the instance
-+ :expectedresults:
-+ 1. Steps 1 and 2 succeed.
-+ 2. Server will fail to start, but will not crash.
-+ """
-+ topo.standalone.stop()
-+
-+ dse_path = topo.standalone.get_config_dir()
-+
-+ log.info(dse_path)
-+
-+ for i in ('dse.ldif', 'dse.ldif.bak', 'dse.ldif.startOK'):
-+ p = os.path.join(dse_path, i)
-+ os.remove(p)
-+
-+ # We actually can't check the log output, because it can't read dse.ldif,
-+ # don't know where to write it yet! All we want is the server fail to
-+ # start here, rather than infinite run + segfault.
-+ with pytest.raises(subprocess.CalledProcessError):
-+ topo.standalone.start()
-+
-+
-diff --git a/ldap/servers/slapd/config.c b/ldap/servers/slapd/config.c
-index afe07df84..c8d57e747 100644
---- a/ldap/servers/slapd/config.c
-+++ b/ldap/servers/slapd/config.c
-@@ -121,14 +121,13 @@ slapd_bootstrap_config(const char *configdir)
- "Passed null config directory\n");
- return rc; /* Fail */
- }
-- PR_snprintf(configfile, sizeof(configfile), "%s/%s", configdir,
-- CONFIG_FILENAME);
-- PR_snprintf(tmpfile, sizeof(tmpfile), "%s/%s.tmp", configdir,
-- CONFIG_FILENAME);
-- if ((rc = dse_check_file(configfile, tmpfile)) == 0) {
-- PR_snprintf(tmpfile, sizeof(tmpfile), "%s/%s.bak", configdir,
-- CONFIG_FILENAME);
-- rc = dse_check_file(configfile, tmpfile);
-+ PR_snprintf(configfile, sizeof(configfile), "%s/%s", configdir, CONFIG_FILENAME);
-+ PR_snprintf(tmpfile, sizeof(tmpfile), "%s/%s.bak", configdir, CONFIG_FILENAME);
-+ rc = dse_check_file(configfile, tmpfile);
-+ if (rc == 0) {
-+ /* EVERYTHING IS GOING WRONG, ARRGHHHHHH */
-+ slapi_log_err(SLAPI_LOG_ERR, "slapd_bootstrap_config", "No valid configurations can be accessed! You must restore %s from backup!\n", configfile);
-+ return 0;
- }
-
- if ((rc = PR_GetFileInfo64(configfile, &prfinfo)) != PR_SUCCESS) {
-diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
-index 420248c24..653009f53 100644
---- a/ldap/servers/slapd/dse.c
-+++ b/ldap/servers/slapd/dse.c
-@@ -609,29 +609,49 @@ dse_check_file(char *filename, char *backupname)
-
- if (PR_GetFileInfo64(filename, &prfinfo) == PR_SUCCESS) {
- if (prfinfo.size > 0) {
-- return (1);
-+ /* File exists and has content. */
-+ return 1;
- } else {
-+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-+ "The config %s has zero length. Attempting restore ... \n", filename, rc);
- rc = PR_Delete(filename);
- }
-+ } else {
-+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-+ "The config %s can not be accessed. Attempting restore ... (reason: %d)\n", filename, rc);
- }
-
- if (backupname) {
-+
-+ if (PR_GetFileInfo64(backupname, &prfinfo) != PR_SUCCESS) {
-+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-+ "The backup %s can not be accessed. Check it exists and permissions.\n", backupname);
-+ return 0;
-+ }
-+
-+ if (prfinfo.size <= 0) {
-+ slapi_log_err(SLAPI_LOG_ERR, "dse_check_file",
-+ "The backup file %s has zero length, refusing to restore it.\n", backupname);
-+ return 0;
-+ }
-+
- rc = PR_Rename(backupname, filename);
-- } else {
-- return (0);
-- }
-+ if (rc != PR_SUCCESS) {
-+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-+ "The configuration file %s was NOT able to be restored from %s, error %d\n", filename, backupname, rc);
-+ return 0;
-+ }
-
-- if (PR_GetFileInfo64(filename, &prfinfo) == PR_SUCCESS && prfinfo.size > 0) {
- slapi_log_err(SLAPI_LOG_INFO, "dse_check_file",
-- "The configuration file %s was restored from backup %s\n", filename, backupname);
-- return (1);
-+ "The configuration file %s was restored from backup %s\n", filename, backupname);
-+ return 1;
-+
- } else {
-- slapi_log_err(SLAPI_LOG_ERR, "dse_check_file",
-- "The configuration file %s was not restored from backup %s, error %d\n",
-- filename, backupname, rc);
-- return (0);
-+ slapi_log_err(SLAPI_LOG_INFO, "dse_check_file", "No backup filename provided.\n");
-+ return 0;
- }
- }
-+
- static int
- dse_read_one_file(struct dse *pdse, const char *filename, Slapi_PBlock *pb, int primary_file)
- {
---
-2.13.6
-
diff --git a/SOURCES/0039-Ticket-49474-sasl-allow-mechs-does-not-operate-corre.patch b/SOURCES/0039-Ticket-49474-sasl-allow-mechs-does-not-operate-corre.patch
deleted file mode 100644
index 7ba646d..0000000
--- a/SOURCES/0039-Ticket-49474-sasl-allow-mechs-does-not-operate-corre.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -From bfaf5b56bb1a416c5e058a9925642098c87e0330 Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Thu, 30 Nov 2017 14:06:59 +0100 -Subject: [PATCH] Ticket 49474 - sasl allow mechs does not operate correctly - -Bug Description: In a fix to sasl allowed mechs, the logic -was not properly configured. - -Fix Description: Alter the ids_sasl_supported_mech to be -clearer and simpler in it's design. - -https://pagure.io/389-ds-base/issue/49474 - -Author: wibrown - -Review by: tbordaz (Thank you!) - -Cherry picked from f75cfbce07b79272a7f1a2e387dc232d45c169f5 ---- - ldap/servers/slapd/saslbind.c | 49 ++++++++----------------------------------- - 1 file changed, 9 insertions(+), 40 deletions(-) - -diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c -index 6734c32a7..67da97148 100644 ---- a/ldap/servers/slapd/saslbind.c -+++ b/ldap/servers/slapd/saslbind.c -@@ -835,52 +835,21 @@ ids_sasl_listmech(Slapi_PBlock *pb) - static int - ids_sasl_mech_supported(Slapi_PBlock *pb, const char *mech) - { -- int i, ret = 0; -- char **mechs; -- char **allowed_mechs = NULL; -- char *dupstr; -- const char *str; -- int sasl_result = 0; -- Connection *pb_conn = NULL; -- -- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn); -- sasl_conn_t *sasl_conn = (sasl_conn_t *)pb_conn->c_sasl_conn; - slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_mech_supported", "=>\n"); - -- /* sasl_listmech is not thread-safe - caller must lock pb_conn */ -- sasl_result = sasl_listmech(sasl_conn, -- NULL, /* username */ -- "", ",", "", -- &str, NULL, NULL); -- if (sasl_result != SASL_OK) { -- return 0; -- } -- -- dupstr = slapi_ch_strdup(str); -- mechs = slapi_str2charray(dupstr, ","); -- allowed_mechs = config_get_allowed_sasl_mechs_array(); -+ char **allowed_mechs = ids_sasl_listmech(pb); - -- for (i = 0; mechs[i] != NULL; i++) { -- if (strcasecmp(mech, mechs[i]) == 0) { -- if (allowed_mechs) { -- if (charray_inlist(allowed_mechs, (char *)mech) == 0) { -- ret = 1; -- } -- break; -- 
} else { -- ret = 1; -- break; -- } -- } -+ /* 0 indicates "now allowed" */ -+ int allowed_mech_present = 0; -+ if (allowed_mechs != NULL) { -+ /* Returns 1 if present and allowed. */ -+ allowed_mech_present = charray_inlist(allowed_mechs, (char *)mech); -+ charray_free(allowed_mechs); - } - -- charray_free(allowed_mechs); -- charray_free(mechs); -- slapi_ch_free((void **)&dupstr); -- - slapi_log_err(SLAPI_LOG_TRACE, "ids_sasl_mech_supported", "<=\n"); - -- return ret; -+ return allowed_mech_present; - } - - /* -@@ -944,7 +913,7 @@ ids_sasl_check_bind(Slapi_PBlock *pb) - * different error code to SASL_NOMECH. Must be called - * while holding the pb_conn lock - */ -- if (!ids_sasl_mech_supported(pb, mech)) { -+ if (ids_sasl_mech_supported(pb, mech) == 0) { - rc = SASL_NOMECH; - goto sasl_check_result; - } --- -2.13.6 - diff --git a/SOURCES/0040-Ticket-49470-overflow-in-pblock_get.patch b/SOURCES/0040-Ticket-49470-overflow-in-pblock_get.patch deleted file mode 100644 index 6c9225b..0000000 --- a/SOURCES/0040-Ticket-49470-overflow-in-pblock_get.patch +++ /dev/null 
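Review bot: The comment `/* 0 indicates "now allowed" */` in ids_sasl_mech_supported says the opposite of what the code does and should read `/* 0 indicates "not allowed" */`, since a zero return makes ids_sasl_check_bind answer SASL_NOMECH. The removed loop compared the requested name with strcasecmp, whereas the new check relies on whatever comparison charray_inlist performs, which is not visible in this patch. A comment stating whether mechanism matching is case-insensitive would keep this authentication gate unambiguous. The function denies the mechanism when ids_sasl_listmech returns NULL, and the header comment should say so.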
@@ -1,78 +0,0 @@ -From 30fa0e4c993d4a91a90327329b50f02e637fe049 Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Tue, 28 Nov 2017 15:31:25 +0100 -Subject: [PATCH] Ticket 49470 - overflow in pblock_get - -Bug Description: While getting the connection id we used an int -not a uint64_t - -Fix Description: Make the stack size uint64_t instead. - -https://pagure.io/389-ds-base/issue/49470 - -Author: wibrown - -Review by: tbordaz ---- - ldap/servers/slapd/modify.c | 5 +++-- - ldap/servers/slapd/pblock.c | 4 ++-- - ldap/servers/slapd/slap.h | 2 +- - 3 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c -index 6309975ae..0dcac646b 100644 ---- a/ldap/servers/slapd/modify.c -+++ b/ldap/servers/slapd/modify.c -@@ -281,11 +281,12 @@ do_modify(Slapi_PBlock *pb) - - if (ignored_some_mods && (0 == smods.num_elements)) { - if (pb_conn->c_isreplication_session) { -- int connid, opid; -+ uint64_t connid; -+ int32_t opid; - slapi_pblock_get(pb, SLAPI_CONN_ID, &connid); - slapi_pblock_get(pb, SLAPI_OPERATION_ID, &opid); - slapi_log_err(SLAPI_LOG_ERR, "do_modify", -- "Rejecting replicated password policy operation(conn=%d op=%d) for " -+ "Rejecting replicated password policy operation(conn=%"PRIu64" op=%d) for " - "entry %s. 
To allow these changes to be accepted, set passwordIsGlobalPolicy to 'on' in " - "cn=config.\n", - connid, opid, rawdn); -diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c -index 8f87de5b5..4514c3ce6 100644 ---- a/ldap/servers/slapd/pblock.c -+++ b/ldap/servers/slapd/pblock.c -@@ -412,7 +412,7 @@ slapi_pblock_get(Slapi_PBlock *pblock, int arg, void *value) - "slapi_pblock_get", "Connection is NULL and hence cannot access SLAPI_CONN_ID \n"); - return (-1); - } -- (*(PRUint64 *)value) = pblock->pb_conn->c_connid; -+ (*(uint64_t *)value) = pblock->pb_conn->c_connid; - break; - case SLAPI_CONN_DN: - /* -@@ -2538,7 +2538,7 @@ slapi_pblock_set(Slapi_PBlock *pblock, int arg, void *value) - "slapi_pblock_set", "Connection is NULL and hence cannot access SLAPI_CONN_ID \n"); - return (-1); - } -- pblock->pb_conn->c_connid = *((PRUint64 *)value); -+ pblock->pb_conn->c_connid = *((uint64_t *)value); - break; - case SLAPI_CONN_DN: - /* -diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h -index 44632580a..830944f72 100644 ---- a/ldap/servers/slapd/slap.h -+++ b/ldap/servers/slapd/slap.h -@@ -1604,7 +1604,7 @@ typedef struct conn - int c_gettingber; /* in the middle of ber_get_next */ - BerElement *c_currentber; /* ber we're getting */ - time_t c_starttime; /* when the connection was opened */ -- PRUint64 c_connid; /* id of this connection for stats*/ -+ uint64_t c_connid; /* id of this connection for stats*/ - PRUint64 c_maxthreadscount; /* # of times a conn hit max threads */ - PRUint64 c_maxthreadsblocked; /* # of operations blocked by maxthreads */ - int c_opsinitiated; /* # ops initiated/next op id */ --- -2.13.6 - diff --git a/SOURCES/0041-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch b/SOURCES/0041-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch deleted file mode 100644 index 14a79cd..0000000 --- a/SOURCES/0041-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch +++ /dev/null 
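Review bot: The SLAPI_CONN_ID case in slapi_pblock_get writes eight bytes through `value`, and nothing at the case documents that, so any caller that still passes the address of an `int`, as do_modify did before this patch, has adjacent stack overwritten. A comment on the case such as `/* value must point to a uint64_t; a narrower object is overrun */`, together with an audit of the remaining SLAPI_CONN_ID callers, would address the class of bug rather than one call site. Other callers are not visible in this patch. In do_modify, `op=%d` with `int32_t opid` could use `PRId32` to match the `PRIu64` added beside it.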
@@ -1,161 +0,0 @@ -From 25844922007eea26f78d18171e51be3aa7b5e949 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Wed, 6 Dec 2017 15:14:57 +0100 -Subject: [PATCH] Ticket 49471 - heap-buffer-overflow in ss_unescape - -Bug Description: - Two problems here - - when searching for wildcard and escape char, ss_unescape assumes the string - is at least 3 chars longs. So memcmp can overflow a shorter string - - while splitting a string into substring pattern, it loops over - wildcard and can overpass the string end - -Fix Description: - For the first problem, it checks the string size is long enough to memcmp - a wildcard or an escape - For the second it exits from the loop as soon as the end of the string is reached - -https://pagure.io/389-ds-base/issue/49471 - -Reviewed by: William Brown - -Platforms tested: F23 - -Flag Day: no - -Doc impact: no - -(cherry picked from commit 5991388ce75fba8885579b769711d57acfd43cd3) ---- - dirsrvtests/tests/tickets/ticket49471_test.py | 79 +++++++++++++++++++++++++++ - ldap/servers/plugins/collation/orfilter.c | 14 +++-- - 2 files changed, 87 insertions(+), 6 deletions(-) - create mode 100644 dirsrvtests/tests/tickets/ticket49471_test.py - -diff --git a/dirsrvtests/tests/tickets/ticket49471_test.py b/dirsrvtests/tests/tickets/ticket49471_test.py -new file mode 100644 -index 000000000..0456a5182 ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket49471_test.py -@@ -0,0 +1,79 @@ -+import logging -+import pytest -+import os -+import time -+import ldap -+from lib389._constants import * -+from lib389.topologies import topology_st as topo -+from lib389 import Entry -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+ -+USER_CN='user_' -+def _user_get_dn(no): -+ cn = '%s%d' % (USER_CN, no) -+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX) -+ return (cn, dn) -+ -+def 
add_user(server, no, desc='dummy', sleep=True): -+ (cn, dn) = _user_get_dn(no) -+ log.fatal('Adding user (%s): ' % dn) -+ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'inetuser', 'userSecurityInformation'], -+ 'cn': [cn], -+ 'description': [desc], -+ 'sn': [cn], -+ 'description': ['add on that host']}))) -+ if sleep: -+ time.sleep(2) -+ -+def test_ticket49471(topo): -+ """Specify a test case purpose or name here -+ -+ :id: 457ab172-9455-4eb2-89a0-150e3de5993f -+ :setup: Fill in set up configuration here -+ :steps: -+ 1. Fill in test case steps here -+ 2. And indent them like this (RST format requirement) -+ :expectedresults: -+ 1. Fill in the result that is expected -+ 2. For each test step -+ """ -+ -+ # If you need any test suite initialization, -+ # please, write additional fixture for that (including finalizer). -+ # Topology for suites are predefined in lib389/topologies.py. -+ -+ # If you need host, port or any other data about instance, -+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid) -+ -+ S1 = topo.standalone -+ add_user(S1, 1) -+ -+ Filter = "(description:2.16.840.1.113730.3.3.2.1.1.6:=\*on\*)" -+ ents = S1.search_s(SUFFIX, ldap.SCOPE_SUBTREE, Filter) -+ assert len(ents) == 1 -+ -+ # -+ # The following is for the test 49491 -+ # skipped here else it crashes in ASAN -+ #Filter = "(description:2.16.840.1.113730.3.3.2.1.1.6:=\*host)" -+ #ents = S1.search_s(SUFFIX, ldap.SCOPE_SUBTREE, Filter) -+ #assert len(ents) == 1 -+ -+ if DEBUGGING: -+ # Add debugging steps(if any)... 
-+ pass -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/servers/plugins/collation/orfilter.c b/ldap/servers/plugins/collation/orfilter.c -index 5a2d8a0ab..a98d90219 100644 ---- a/ldap/servers/plugins/collation/orfilter.c -+++ b/ldap/servers/plugins/collation/orfilter.c -@@ -313,12 +313,12 @@ ss_unescape(struct berval *val) - char *t = s; - char *limit = s + val->bv_len; - while (s < limit) { -- if (!memcmp(s, "\\2a", 3) || -- !memcmp(s, "\\2A", 3)) { -+ if (((limit - s) >= 3) && -+ (!memcmp(s, "\\2a", 3) || !memcmp(s, "\\2A", 3))) { - *t++ = WILDCARD; - s += 3; -- } else if (!memcmp(s, "\\5c", 3) || -- !memcmp(s, "\\5C", 3)) { -+ } else if ((limit - s) >= 3 && -+ (!memcmp(s, "\\5c", 3) || !memcmp(s, "\\5C", 3))) { - *t++ = '\\'; - s += 3; - } else { -@@ -409,13 +409,15 @@ ss_filter_values(struct berval *pattern, int *query_op) - switch (*p) { - case WILDCARD: - result[n++] = ss_filter_value(s, p - s, &val); -- while (++p != plimit && *p == WILDCARD) -- ; -+ while (p != plimit && *p == WILDCARD) p++; - s = p; - break; - default: - break; - } -+ if (p >= plimit) { -+ break; -+ } - } - if (p != s || s == plimit) { - result[n++] = ss_filter_value(s, p - s, &val); --- -2.13.6 - diff --git a/SOURCES/0042-Ticket-49298-fix-complier-warn.patch b/SOURCES/0042-Ticket-49298-fix-complier-warn.patch deleted file mode 100644 index 8cc97dc..0000000 --- a/SOURCES/0042-Ticket-49298-fix-complier-warn.patch +++ /dev/null 
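Review bot: test_ticket49471 exercises only the `\*on\*` filter, and the `\*host` filter is left commented out with the remark that it crashes under ASAN, so a known out-of-bounds read stays outside the regression suite. Moving it into its own test marked `@pytest.mark.skip(reason="crashes under ASAN, see 49491")` would record the open defect instead of hiding it in a comment. In add_user the dict literal carries two `'description'` keys, so the `desc` argument is silently replaced by `'add on that host'`. The docstring still holds the template placeholders and should describe the filter being tested.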
@@ -1,34 +0,0 @@ -From 189c3ce4d5b5c9341a60d4056dad26133d9607ca Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Fri, 17 Nov 2017 11:43:36 +1000 -Subject: [PATCH] Ticket 49298 - fix complier warn - -Bug Description: Extra argument to error log in dse.c - -Fix Description: Remove extra argument. - -https://pagure.io/389-ds-base/issue/49298 - -Author: wibrown - -Review by: oneline rule. ---- - ldap/servers/slapd/dse.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c -index 653009f53..662e91aa7 100644 ---- a/ldap/servers/slapd/dse.c -+++ b/ldap/servers/slapd/dse.c -@@ -613,7 +613,7 @@ dse_check_file(char *filename, char *backupname) - return 1; - } else { - slapi_log_err(SLAPI_LOG_INFO, "dse_check_file", -- "The config %s has zero length. Attempting restore ... \n", filename, rc); -+ "The config %s has zero length. Attempting restore ... \n", filename); - rc = PR_Delete(filename); - } - } else { --- -2.13.6 - diff --git a/SOURCES/0043-Ticket-49495-Fix-memory-management-is-vattr.patch b/SOURCES/0043-Ticket-49495-Fix-memory-management-is-vattr.patch deleted file mode 100644 index 670891a..0000000 --- a/SOURCES/0043-Ticket-49495-Fix-memory-management-is-vattr.patch +++ /dev/null 
@@ -1,153 +0,0 @@ -From 2c56e7dc08a41fc1dfa6a79213e93686f553847c Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Mon, 11 Dec 2017 15:48:24 +0100 -Subject: [PATCH] Ticket 49495 - Fix memory management is vattr. - -Bug Description: During the fix for -https://pagure.io/389-ds-base/issue/49436 a issue was exposed -in how registration of attributes to cos work. With the change -to handle -> attr link, this exposed that cos treats each attribute -and template pair as a new type for the handle. As aresult, this -caused the sp_list to create a long linked list of M*N entries -for each attr - template value. Obviously, this is extremely -slow to traverse during a search! - -Fix Description: Undo part of the SLL next change and convert -to reference counting. The issue remains that there is a defect -in how cos handles attribute registration, but this can not be -resolved without a significant rearchitecture of the code -related to virtual attributes. - -https://pagure.io/389-ds-base/issue/49495 - -Author: wibrown - -Review by: tbordaz, lkrispen (Thanks!) 
---- - ldap/servers/plugins/cos/cos_cache.c | 28 +++++++++++----------------- - ldap/servers/slapd/vattr.c | 23 +++++++++++++++++++++-- - 2 files changed, 32 insertions(+), 19 deletions(-) - -diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c -index 662dace35..3b3c05783 100644 ---- a/ldap/servers/plugins/cos/cos_cache.c -+++ b/ldap/servers/plugins/cos/cos_cache.c -@@ -275,7 +275,7 @@ static Slapi_Mutex *start_lock; - static Slapi_Mutex *stop_lock; - static Slapi_CondVar *something_changed = NULL; - static Slapi_CondVar *start_cond = NULL; -- -+static vattr_sp_handle *vattr_handle = NULL; - - /* - cos_cache_init -@@ -314,6 +314,15 @@ cos_cache_init(void) - goto out; - } - -+ if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle, -+ cos_cache_vattr_get, -+ cos_cache_vattr_compare, -+ cos_cache_vattr_types) != 0) { -+ slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider\n"); -+ ret = -1; -+ goto out; -+ } -+ - /* grab the views interface */ - if (slapi_apib_get_interface(Views_v1_0_GUID, &views_api)) { - /* lets be tolerant if views is disabled */ -@@ -847,22 +856,7 @@ cos_dn_defs_cb(Slapi_Entry *e, void *callback_data) - dnVals[valIndex]->bv_val); - } - -- /* -- * Each SP_handle is associated to one and only one vattr. -- * We could consider making this a single function rather -- * than the double-call. 
-- */ -- -- vattr_sp_handle *vattr_handle = NULL; -- -- if (slapi_vattrspi_register((vattr_sp_handle **)&vattr_handle, -- cos_cache_vattr_get, -- cos_cache_vattr_compare, -- cos_cache_vattr_types) != 0) { -- slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_cache_init - Cannot register as service provider for %s\n", dnVals[valIndex]->bv_val); -- } else { -- slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL); -- } -+ slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle, dnVals[valIndex]->bv_val, NULL, NULL); - - } /* if(attrType is cosAttribute) */ - -diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c -index 432946c79..13e527188 100644 ---- a/ldap/servers/slapd/vattr.c -+++ b/ldap/servers/slapd/vattr.c -@@ -1544,6 +1544,7 @@ struct _vattr_sp_handle - vattr_sp *sp; - struct _vattr_sp_handle *next; /* So we can link them together in the map */ - void *hint; /* Hint to the SP */ -+ uint64_t rc; - }; - - /* Calls made by Service Providers */ -@@ -1770,7 +1771,7 @@ is a separate thing in the insterests of stability. - - */ - --#define VARRT_MAP_HASHTABLE_SIZE 10 -+#define VARRT_MAP_HASHTABLE_SIZE 32 - - /* Attribute map oject */ - /* Needs to contain: a linked list of pointers to provider handles handles, -@@ -1867,7 +1868,10 @@ vattr_map_entry_free(vattr_map_entry *vae) - vattr_sp_handle *list_entry = vae->sp_list; - while (list_entry != NULL) { - vattr_sp_handle *next_entry = list_entry->next; -- slapi_ch_free((void **)&list_entry); -+ if (slapi_atomic_decr_64(&(list_entry->rc), __ATOMIC_RELAXED) == 0) { -+ /* Only free on RC 0 */ -+ slapi_ch_free((void **)&list_entry); -+ } - list_entry = next_entry; - } - slapi_ch_free_string(&(vae->type_name)); -@@ -2280,6 +2284,17 @@ to handle the calls on it, but return nothing */ - * - * Better idea, is that regattr should just take the fn pointers - * and callers never *see* the sp_handle structure at all. -+ * -+ * This leaves us with some quirks today. 
First: if you have plugin A -+ * and B, A registers attr 1 and B 1 and 2, it's possible that if you -+ * register A1 first, then B1, you have B->A in next. Then when you -+ * register B2, because we take 0==result from map_lookup, we add sp -+ * "as is" to the map. This means that B2 now has the same next to A1 -+ * handle. This won't add a bug, because A1 won't be able to service the -+ * attr, but it could cause some head scratching ... -+ * -+ * Again, to fix this, the whole vattr external interface needs a -+ * redesign ... :( - */ - - int -@@ -2304,11 +2319,15 @@ vattr_map_sp_insert(char *type_to_add, vattr_sp_handle *sp, void *hint) - if (found) { - return 0; - } -+ /* Increase the ref count of the sphandle */ -+ slapi_atomic_incr_64(&(sp->rc), __ATOMIC_RELAXED); - /* We insert the SP handle into the linked list at the head */ - sp->next = map_entry->sp_list; - map_entry->sp_list = sp; - } else { - /* If not, add it */ -+ /* Claim a reference on the sp ... */ -+ slapi_atomic_incr_64(&(sp->rc), __ATOMIC_RELAXED); - map_entry = vattr_map_entry_new(type_to_add, sp, hint); - if (NULL == map_entry) { - return ENOMEM; --- -2.13.6 - diff --git a/SOURCES/0044-Ticket-48184-close-connections-at-shutdown-cleanly.patch b/SOURCES/0044-Ticket-48184-close-connections-at-shutdown-cleanly.patch deleted file mode 100644 index 7d58838..0000000 --- a/SOURCES/0044-Ticket-48184-close-connections-at-shutdown-cleanly.patch +++ /dev/null 
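Review bot: In vattr_map_sp_insert the new `slapi_atomic_incr_64(&(sp->rc), __ATOMIC_RELAXED);` in the add-new-entry branch runs before vattr_map_entry_new, and the `NULL == map_entry` path returns ENOMEM without dropping it. The count then stays one too high, and the handle would not be freed when its map entries are. Either take the reference after the allocation succeeds or undo it on the error path with `slapi_atomic_decr_64(&(sp->rc), __ATOMIC_RELAXED);` before `return ENOMEM;`. The decrement in vattr_map_entry_free that decides whether to free also uses __ATOMIC_RELAXED; a count that gates a free normally needs release/acquire ordering unless every caller holds the map lock, which cannot be confirmed from these hunks.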
@@ -1,215 +0,0 @@ -From 0c1fbfaf77d6f7b2a6628deaf309bbe1c3e7a8e8 Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Tue, 28 Nov 2017 13:39:19 +0100 -Subject: [PATCH] Ticket 48184 - close connections at shutdown cleanly. - -Bug Description: During shutdown we would not close connections. -In the past this may have just been an annoyance, but now with the way -nunc-stans works, io events can still trigger on open xeisting connectinos -during shutdown. - -Fix Description: Close connections during shutdown rather than -leaving them alive. - -https://pagure.io/389-ds-base/issue/48184 - -Author: wibrown - -Review by: lkrispen, vashirov (Thank you!) ---- - ldap/servers/slapd/conntable.c | 13 +++++++ - ldap/servers/slapd/daemon.c | 77 ++++++++++++++++++++++++++---------------- - ldap/servers/slapd/fe.h | 1 + - ldap/servers/slapd/slap.h | 1 + - 4 files changed, 63 insertions(+), 29 deletions(-) - -diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c -index 7c57b47cd..f2f763dfa 100644 ---- a/ldap/servers/slapd/conntable.c -+++ b/ldap/servers/slapd/conntable.c -@@ -91,6 +91,19 @@ connection_table_abandon_all_operations(Connection_Table *ct) - } - } - -+void -+connection_table_disconnect_all(Connection_Table *ct) -+{ -+ for (size_t i = 0; i < ct->size; i++) { -+ if (ct->c[i].c_mutex) { -+ Connection *c = &(ct->c[i]); -+ PR_EnterMonitor(c->c_mutex); -+ disconnect_server_nomutex(c, c->c_connid, -1, SLAPD_DISCONNECT_ABORT, ECANCELED); -+ PR_ExitMonitor(c->c_mutex); -+ } -+ } -+} -+ - /* Given a file descriptor for a socket, this function will return - * a slot in the connection table to use. 
- * -diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c -index 4e0466ab3..c245a4d4e 100644 ---- a/ldap/servers/slapd/daemon.c -+++ b/ldap/servers/slapd/daemon.c -@@ -1176,6 +1176,30 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp) - housekeeping_stop(); /* Run this after op_thread_cleanup() logged sth */ - disk_monitoring_stop(); - -+ /* -+ * Now that they are abandonded, we need to mark them as done. -+ * In NS while it's safe to allow excess jobs to be cleaned by -+ * by the walk and ns_job_done of remaining queued events, the -+ * issue is that if we allow something to live past this point -+ * the CT is freed from underneath, and bad things happen (tm). -+ * -+ * NOTE: We do this after we stop psearch, because there could -+ * be a race between flagging the psearch done, and users still -+ * try to send on the connection. Similar with op_threads. -+ */ -+ connection_table_disconnect_all(the_connection_table); -+ -+ /* -+ * WARNING: Normally we should close the tp in main -+ * but because of issues in the current connection design -+ * we need to close it here to guarantee events won't fire! -+ * -+ * All the connection close jobs "should" complete before -+ * shutdown at least. 
-+ */ -+ ns_thrpool_shutdown(tp); -+ ns_thrpool_wait(tp); -+ - threads = g_get_active_threadcnt(); - if (threads > 0) { - slapi_log_err(SLAPI_LOG_INFO, "slapd_daemon", -@@ -1628,23 +1652,18 @@ ns_handle_closure(struct ns_job_t *job) - Connection *c = (Connection *)ns_job_get_data(job); - int do_yield = 0; - --/* this function must be called from the event loop thread */ --#ifdef DEBUG -- PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job))); --#else -- /* This doesn't actually confirm it's in the event loop thread, but it's a start */ -- if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) { -- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_closure", "Attempt to close outside of event loop thread %" PRIu64 " for fd=%d\n", -- c->c_connid, c->c_sd); -- return; -- } --#endif - PR_EnterMonitor(c->c_mutex); -+ /* Assert we really have the right job state. */ -+ PR_ASSERT(job == c->c_job); -+ - connection_release_nolock_ext(c, 1); /* release ref acquired for event framework */ - PR_ASSERT(c->c_ns_close_jobs == 1); /* should be exactly 1 active close job - this one */ - c->c_ns_close_jobs--; /* this job is processing closure */ -+ /* Because handle closure will add a new job, we need to detach our current one. */ -+ c->c_job = NULL; - do_yield = ns_handle_closure_nomutex(c); - PR_ExitMonitor(c->c_mutex); -+ /* Remove this task now. */ - ns_job_done(job); - if (do_yield) { - /* closure not done - another reference still outstanding */ -@@ -1667,6 +1686,14 @@ ns_connection_post_io_or_closing(Connection *conn) - return; - } - -+ /* -+ * Cancel any existing ns jobs we have registered. 
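Review bot: ns_handle_closure now guards its job state only with `PR_ASSERT(job == c->c_job)`, which NSPR compiles out of non-debug builds, while the runtime check that logged and returned in release builds is removed; ns_handle_pr_read_ready gets the same change. In a production build a stale or mismatched job would go on to clear `c->c_job` and release the connection reference. A runtime test that logs at SLAPI_LOG_ERR and exits the monitor before returning would be safer in the shutdown races this patch addresses. The comment `/* Close the job asynchronously. Why? */` in ns_connection_post_io_or_closing leaves an open question in the code and should either state the reason or be dropped.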
-+ */ -+ if (conn->c_job != NULL) { -+ ns_job_done(conn->c_job); -+ conn->c_job = NULL; -+ } -+ - if (CONN_NEEDS_CLOSING(conn)) { - /* there should only ever be 0 or 1 active closure jobs */ - PR_ASSERT((conn->c_ns_close_jobs == 0) || (conn->c_ns_close_jobs == 1)); -@@ -1676,13 +1703,10 @@ ns_connection_post_io_or_closing(Connection *conn) - conn->c_connid, conn->c_sd); - return; - } else { -- /* just make sure we schedule the event to be closed in a timely manner */ -- tv.tv_sec = 0; -- tv.tv_usec = slapd_wakeup_timer * 1000; - conn->c_ns_close_jobs++; /* now 1 active closure job */ - connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */ -- ns_result_t job_result = ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER, -- ns_handle_closure, conn, NULL); -+ /* Close the job asynchronously. Why? */ -+ ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handle_closure, conn, &(conn->c_job)); - if (job_result != NS_SUCCESS) { - if (job_result == NS_SHUTDOWN) { - slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post closure job " -@@ -1726,7 +1750,7 @@ ns_connection_post_io_or_closing(Connection *conn) - #endif - ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv, - NS_JOB_READ | NS_JOB_PRESERVE_FD, -- ns_handle_pr_read_ready, conn, NULL); -+ ns_handle_pr_read_ready, conn, &(conn->c_job)); - if (job_result != NS_SUCCESS) { - if (job_result == NS_SHUTDOWN) { - slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post I/O job for " -@@ -1755,19 +1779,13 @@ ns_handle_pr_read_ready(struct ns_job_t *job) - int maxthreads = config_get_maxthreadsperconn(); - Connection *c = (Connection *)ns_job_get_data(job); - --/* this function must be called from the event loop thread */ --#ifdef DEBUG -- PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job))); --#else -- /* This doesn't actually confirm it's in the event loop thread, but it's a start */ -- if 
(NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) { -- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_pr_read_ready", "Attempt to handle read ready outside of event loop thread %" PRIu64 " for fd=%d\n", -- c->c_connid, c->c_sd); -- return; -- } --#endif -- - PR_EnterMonitor(c->c_mutex); -+ /* Assert we really have the right job state. */ -+ PR_ASSERT(job == c->c_job); -+ -+ /* On all code paths we remove the job, so set it null now */ -+ c->c_job = NULL; -+ - slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "activity on conn %" PRIu64 " for fd=%d\n", - c->c_connid, c->c_sd); - /* if we were called due to some i/o event, see what the state of the socket is */ -@@ -1826,6 +1844,7 @@ ns_handle_pr_read_ready(struct ns_job_t *job) - slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "queued conn %" PRIu64 " for fd=%d\n", - c->c_connid, c->c_sd); - } -+ /* Since we call done on the job, we need to remove it here. */ - PR_ExitMonitor(c->c_mutex); - ns_job_done(job); - return; -diff --git a/ldap/servers/slapd/fe.h b/ldap/servers/slapd/fe.h -index 4d25a9fb8..f47bb6145 100644 ---- a/ldap/servers/slapd/fe.h -+++ b/ldap/servers/slapd/fe.h -@@ -100,6 +100,7 @@ extern Connection_Table *the_connection_table; /* JCM - Exported from globals.c - Connection_Table *connection_table_new(int table_size); - void connection_table_free(Connection_Table *ct); - void connection_table_abandon_all_operations(Connection_Table *ct); -+void connection_table_disconnect_all(Connection_Table *ct); - Connection *connection_table_get_connection(Connection_Table *ct, int sd); - int connection_table_move_connection_out_of_active_list(Connection_Table *ct, Connection *c); - void connection_table_move_connection_on_to_active_list(Connection_Table *ct, Connection *c); -diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h -index 830944f72..08754d8fb 100644 ---- a/ldap/servers/slapd/slap.h -+++ b/ldap/servers/slapd/slap.h -@@ -1644,6 +1644,7 @@ typedef struct conn - void 
*c_io_layer_cb_data; /* callback data */ - struct connection_table *c_ct; /* connection table that this connection belongs to */ - ns_thrpool_t *c_tp; /* thread pool for this connection */ -+ struct ns_job_t *c_job; /* If it exists, the current ns_job_t */ - int c_ns_close_jobs; /* number of current close jobs */ - char *c_ipaddr; /* ip address str - used by monitor */ - } Connection; --- -2.13.6 - diff --git a/SOURCES/0045-Ticket-49509-Indexing-of-internationalized-matching-.patch b/SOURCES/0045-Ticket-49509-Indexing-of-internationalized-matching-.patch deleted file mode 100644 index ec43a14..0000000 --- a/SOURCES/0045-Ticket-49509-Indexing-of-internationalized-matching-.patch +++ /dev/null 
@@ -1,239 +0,0 @@ -From 8d79d7c81157e77f4da595a723a6ed10a8e9789b Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Thu, 11 Jan 2018 18:52:43 +0100 -Subject: [PATCH] Ticket 49509 - Indexing of internationalized matching rules - is failing - -Bug Description: - Indexing of the internationalized matching rules tests if a - matching rule indexer handle or not a given OID. - A side effect of https://pagure.io/389-ds-base/issue/49097 is that - the returned indexing callbacks are lost. - Indeed, the indexing callbacks (and potentially others fields) were - stored in the temporary pblock that was memcpy to the provided - pblock in case of success - -Fix Description: - The fix basically restores the previous behavior but do not - memcpy pblock. It read/store the pblock fields that are - inputs/outputs of slapi_mr_indexer_create. - -https://pagure.io/389-ds-base/issue/49509 - -Reviewed by: Ludwig Krispenz - -Platforms tested: F23 - -Flag Day: no - -Doc impact: no ---- - ldap/servers/slapd/plugin_mr.c | 148 ++++++++++++++++++++++++++++------------- - 1 file changed, 103 insertions(+), 45 deletions(-) - -diff --git a/ldap/servers/slapd/plugin_mr.c b/ldap/servers/slapd/plugin_mr.c -index bd2baff6c..ca4fe00e1 100644 ---- a/ldap/servers/slapd/plugin_mr.c -+++ b/ldap/servers/slapd/plugin_mr.c -@@ -143,6 +143,82 @@ plugin_mr_bind(char *oid, struct slapdplugin *plugin) - slapi_log_err(SLAPI_LOG_FILTER, "plugin_mr_bind", "<=\n"); - } - -+void -+mr_indexer_init_pb(Slapi_PBlock* src_pb, Slapi_PBlock* dst_pb) -+{ -+ char* oid; -+ char *type; -+ uint32_t usage; -+ void *object; -+ IFP destroyFn; -+ IFP indexFn, indexSvFn; -+ -+ /* matching rule plugin arguments */ -+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_OID, &oid); -+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_TYPE, &type); -+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_USAGE, &usage); -+ -+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_OID, oid); -+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_TYPE, type); -+ slapi_pblock_set(dst_pb, 
SLAPI_PLUGIN_MR_USAGE, &usage); -+ -+ /* matching rule plugin functions */ -+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn); -+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn); -+ -+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_INDEX_FN, indexFn); -+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, indexSvFn); -+ -+ /* common */ -+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_OBJECT, &object); -+ slapi_pblock_get(src_pb, SLAPI_PLUGIN_DESTROY_FN, &destroyFn); -+ -+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_OBJECT, object); -+ slapi_pblock_set(dst_pb, SLAPI_PLUGIN_DESTROY_FN, destroyFn); -+ -+ -+} -+ -+/* -+ * Retrieves the matching rule plugin able to index/sort the provided OID/type -+ * -+ * The Matching rules able to index/sort a given OID are stored in a global list: global_mr_oids -+ * -+ * The retrieval is done in 3 phases: -+ * - It first searches (in global_mr_oids) for the already bound OID->MR -+ * - Else, look first in old style MR plugin -+ * for each registered 'syntax' and 'matchingrule' plugins having a -+ * SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, it binds (plugin_mr_bind) the first -+ * plugin that support the OID -+ * - Else, look in new style MR plugin -+ * for each registered 'syntax' and 'matchingrule' plugins, it binds (plugin_mr_bind) the first -+ * plugin that contains OID in its plg_mr_names -+ * -+ * Inputs: -+ * SLAPI_PLUGIN_MR_OID -+ * should contain the OID of the matching rule that you want used for indexing or sorting. -+ * SLAPI_PLUGIN_MR_TYPE -+ * should contain the attribute type that you want used for indexing or sorting. -+ * SLAPI_PLUGIN_MR_USAGE -+ * should specify if the indexer will be used for indexing (SLAPI_PLUGIN_MR_USAGE_INDEX) -+ * or for sorting (SLAPI_PLUGIN_MR_USAGE_SORT) -+ * -+ * -+ * Output: -+ * -+ * SLAPI_PLUGIN_MR_OID -+ * contain the OFFICIAL OID of the matching rule that you want used for indexing or sorting. 
-+ * SLAPI_PLUGIN_MR_INDEX_FN -+ * specifies the indexer function responsible for indexing or sorting of struct berval ** -+ * SLAPI_PLUGIN_MR_INDEX_SV_FN -+ * specifies the indexer function responsible for indexing or sorting of Slapi_Value ** -+ * SLAPI_PLUGIN_OBJECT -+ * contain any information that you want passed to the indexer function. -+ * SLAPI_PLUGIN_DESTROY_FN -+ * specifies the function responsible for freeing any memory allocated by this indexer factory function. -+ * For example, memory allocated for a structure that you pass to the indexer function using SLAPI_PLUGIN_OBJECT. -+ * -+ */ - int /* an LDAP error code, hopefully LDAP_SUCCESS */ - slapi_mr_indexer_create(Slapi_PBlock *opb) - { -@@ -152,28 +228,33 @@ int /* an LDAP error code, hopefully LDAP_SUCCESS */ - IFP createFn = NULL; - struct slapdplugin *mrp = plugin_mr_find_registered(oid); - if (mrp != NULL) { -+ /* Great the matching OID -> MR plugin was already found, just reuse it */ - if (!(rc = slapi_pblock_set(opb, SLAPI_PLUGIN, mrp)) && - !(rc = slapi_pblock_get(opb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, &createFn)) && - createFn != NULL) { - rc = createFn(opb); - } - } else { -- /* call each plugin, until one is able to handle this request. */ -+ /* We need to find in the MR plugins list, the MR plugin that will be able to handle OID -+ * -+ * It can be "old style" MR plugin (i.e. collation) that define indexer -+ * -+ * It can be "now style" MR plugin that contain OID string in 'plg_mr_names' -+ * (ie. ces, cis, bin...) where plg_mr_names is defined in 'mr_plugin_table' in each file -+ * ces.c, cis.c... -+ * New style MR plugin have NULL indexer create function but rather use a default indexer -+ */ -+ -+ /* Look for a old syntax-style mr plugin -+ * call each plugin, until one is able to handle this request. -+ */ - rc = LDAP_UNAVAILABLE_CRITICAL_EXTENSION; -- // We need to get the type and usage from the caller. 
-- char *type; -- uint32_t usage; -- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_TYPE, &type); -- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_USAGE, &usage); -+ - for (mrp = get_plugin_list(PLUGIN_LIST_MATCHINGRULE); mrp != NULL; mrp = mrp->plg_next) { - - Slapi_PBlock *pb = slapi_pblock_new(); -+ mr_indexer_init_pb(opb, pb); - slapi_pblock_set(pb, SLAPI_PLUGIN, mrp); -- /* From filtercmp.c and matchrule.c, these are the values we need to set. into pb */ -- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_OID, oid); -- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_TYPE, type); -- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_USAGE, &usage); -- - /* This is associated with the pb_plugin struct, so it comes with mrp */ - if (slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, &createFn)) { - /* plugin not a matchingrule type */ -@@ -185,14 +266,11 @@ int /* an LDAP error code, hopefully LDAP_SUCCESS */ - IFP indexFn = NULL; - IFP indexSvFn = NULL; - /* These however, are in the pblock direct, so we need to copy them. */ -- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn); -- slapi_pblock_get(opb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn); -- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_FN, indexFn); -- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, indexSvFn); -+ slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_FN, &indexFn); -+ slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &indexSvFn); - if (indexFn || indexSvFn) { - /* Success: this plugin can handle it. */ -- /* call create on the opb? 
*/ -- createFn(opb); -+ mr_indexer_init_pb(pb, opb); - plugin_mr_bind(oid, mrp); /* for future reference */ - rc = 0; /* success */ - slapi_pblock_destroy(pb); -@@ -205,37 +283,12 @@ int /* an LDAP error code, hopefully LDAP_SUCCESS */ - /* look for a new syntax-style mr plugin */ - struct slapdplugin *pi = plugin_mr_find(oid); - if (pi) { -- Slapi_PBlock *pb = slapi_pblock_new(); -- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_OID, oid); -- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_TYPE, type); -- slapi_pblock_set(pb, SLAPI_PLUGIN_MR_USAGE, &usage); -- slapi_pblock_set(pb, SLAPI_PLUGIN, pi); -- rc = default_mr_indexer_create(pb); -+ slapi_pblock_set(opb, SLAPI_PLUGIN, pi); -+ rc = default_mr_indexer_create(opb); - if (!rc) { -- /* On success, copy the needed values in. These are added by default_mr_indexer_create */ -- void *pb_object = NULL; -- IFP destroy_fn = NULL; -- IFP index_fn = NULL; -- IFP index_sv_fn = NULL; -- -- slapi_pblock_get(pb, SLAPI_PLUGIN_OBJECT, &pb_object); -- slapi_pblock_get(pb, SLAPI_PLUGIN_DESTROY_FN, &destroy_fn); -- slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_FN, &index_fn); -- slapi_pblock_get(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, &index_sv_fn); -- -- /* SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, and SLAPI_PLUGIN_MR_FILTER_CREATE_FN, are part of pb_plugin */ -- slapi_pblock_set(opb, SLAPI_PLUGIN, pi); -- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_OID, oid); -- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_TYPE, type); -- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_USAGE, &usage); -- slapi_pblock_set(opb, SLAPI_PLUGIN_OBJECT, pb_object); -- slapi_pblock_set(opb, SLAPI_PLUGIN_DESTROY_FN, destroy_fn); -- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_INDEX_FN, index_fn); -- slapi_pblock_set(opb, SLAPI_PLUGIN_MR_INDEX_SV_FN, index_sv_fn); -- - plugin_mr_bind(oid, pi); /* for future reference */ - } -- slapi_pblock_destroy(pb); -+ slapi_pblock_set(opb, SLAPI_PLUGIN, NULL); - } - } - } -@@ -706,6 +759,11 @@ default_mr_indexer_create(Slapi_PBlock *pb) - slapi_pblock_set(pb, 
SLAPI_PLUGIN_MR_INDEX_FN, mr_wrap_mr_index_fn); - slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEX_SV_FN, mr_wrap_mr_index_sv_fn); - slapi_pblock_set(pb, SLAPI_PLUGIN_DESTROY_FN, default_mr_indexer_destroy); -+ -+ /* Note the two following setting are in the slapdplugin struct SLAPI_PLUGIN -+ * so they are not really output of the function but will just -+ * be stored in the bound (OID <--> plugin) list (plugin_mr_find_registered/plugin_mr_bind) -+ */ - slapi_pblock_set(pb, SLAPI_PLUGIN_MR_INDEXER_CREATE_FN, default_mr_indexer_create); - slapi_pblock_set(pb, SLAPI_PLUGIN_MR_FILTER_CREATE_FN, default_mr_filter_create); - rc = 0; --- -2.13.6 - diff --git a/SOURCES/0046-Ticket-49493-heap-use-after-free-in-csn_as_string.patch b/SOURCES/0046-Ticket-49493-heap-use-after-free-in-csn_as_string.patch deleted file mode 100644 index 84d1d21..0000000 --- a/SOURCES/0046-Ticket-49493-heap-use-after-free-in-csn_as_string.patch +++ /dev/null 
@@ -1,155 +0,0 @@ -From a7a0db402b32dcec7fc93bcbef42174163ae9c12 Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Tue, 12 Dec 2017 12:46:37 +0100 -Subject: [PATCH] Ticket 49493 - heap use after free in csn_as_string - -Bug: If write_changlog_and_ruv failed teh csn pending list was not properly - cleand and references to the prim csn were kept, but the prim csn was reset - -Fix: check the return code for the mmr postop plugin and aset error codes properly - that will triger cancel_opcsn - -Reviewed by: Thierry, thanks -Tested by: Viktor, thanks ---- - ldap/servers/slapd/back-ldbm/ldbm_add.c | 22 +--------------------- - ldap/servers/slapd/back-ldbm/ldbm_delete.c | 4 ++++ - ldap/servers/slapd/back-ldbm/ldbm_modify.c | 4 ++++ - ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 4 ++++ - ldap/servers/slapd/back-ldbm/misc.c | 18 ++++++++++++++++++ - ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 1 + - 6 files changed, 32 insertions(+), 21 deletions(-) - -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c -index b7e17ad50..f29945a7e 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_add.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c -@@ -22,7 +22,6 @@ extern char *hassubordinates; - - static void delete_update_entrydn_operational_attributes(struct backentry *ep); - --static int set_error(Slapi_PBlock *pb, int retval, int ldap_result_code, char **ldap_result_message); - #define ADD_SET_ERROR(rc, error, count) \ - { \ - (rc) = (error); \ -@@ -1201,7 +1200,7 @@ ldbm_back_add(Slapi_PBlock *pb) - - retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_ADD_FN); - if (retval) { -- set_error(pb, retval, ldap_result_code, &ldap_result_message); -+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message); - goto error_return; - } - -@@ -1471,22 +1470,3 @@ delete_update_entrydn_operational_attributes(struct backentry *ep) - slapi_entry_attr_delete(ep->ep_entry, LDBM_ENTRYDN_STR); - } - --static int 
--set_error(Slapi_PBlock *pb, int retval, int ldap_result_code, char **ldap_result_message) --{ -- int opreturn = 0; -- if (!ldap_result_code) { -- slapi_pblock_get(pb, SLAPI_RESULT_CODE, &ldap_result_code); -- } -- if (!ldap_result_code) { -- ldap_result_code = LDAP_OPERATIONS_ERROR; -- slapi_pblock_set(pb, SLAPI_RESULT_CODE, &ldap_result_code); -- } -- slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn); -- if (!opreturn) { -- slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval); -- } -- slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message); -- -- return opreturn; --} -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c -index db463c18c..be0db1bd0 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c -@@ -1276,6 +1276,10 @@ replace_entry: - } - - retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_DELETE_FN); -+ if (retval) { -+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message); -+ goto error_return; -+ } - - commit_return: - /* Release SERIAL LOCK */ -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c -index 7ee796fd2..cc4319e5f 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c -@@ -867,6 +867,10 @@ ldbm_back_modify(Slapi_PBlock *pb) - goto error_return; - } - retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_MODIFY_FN); -+ if (retval) { -+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message); -+ goto error_return; -+ } - - /* Release SERIAL LOCK */ - retval = dblayer_txn_commit(be, &txn); -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c -index 2c0cb074e..93fb77dc9 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c -@@ 
-1211,6 +1211,10 @@ ldbm_back_modrdn(Slapi_PBlock *pb) - goto error_return; - } - retval = plugin_call_mmr_plugin_postop(pb, NULL,SLAPI_PLUGIN_BE_TXN_POST_MODRDN_FN); -+ if (retval) { -+ ldbm_set_error(pb, retval, &ldap_result_code, &ldap_result_message); -+ goto error_return; -+ } - - /* Release SERIAL LOCK */ - retval = dblayer_txn_commit(be, &txn); -diff --git a/ldap/servers/slapd/back-ldbm/misc.c b/ldap/servers/slapd/back-ldbm/misc.c -index df1afdfb1..c52e58a4a 100644 ---- a/ldap/servers/slapd/back-ldbm/misc.c -+++ b/ldap/servers/slapd/back-ldbm/misc.c -@@ -16,6 +16,24 @@ - - #include "back-ldbm.h" - -+void -+ldbm_set_error(Slapi_PBlock *pb, int retval, int *ldap_result_code, char **ldap_result_message) -+{ -+ int opreturn = 0; -+ if (!(*ldap_result_code)) { -+ slapi_pblock_get(pb, SLAPI_RESULT_CODE, ldap_result_code); -+ } -+ if (!(*ldap_result_code)) { -+ *ldap_result_code = LDAP_OPERATIONS_ERROR; -+ slapi_pblock_set(pb, SLAPI_RESULT_CODE, ldap_result_code); -+ } -+ slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &opreturn); -+ if (!opreturn) { -+ slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, *ldap_result_code ? 
ldap_result_code : &retval); -+ } -+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, ldap_result_message); -+} -+ - /* Takes a return code supposed to be errno or from lidb - which we don't expect to see and prints a handy log message */ - void -diff --git a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h -index 0cee3df62..da3eef18b 100644 ---- a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h -+++ b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h -@@ -379,6 +379,7 @@ int ldbm_txn_ruv_modify_context(Slapi_PBlock *pb, modify_context *mc); - int get_value_from_string(const char *string, char *type, char **value); - int get_values_from_string(const char *string, char *type, char ***valuearray); - void normalize_dir(char *dir); -+void ldbm_set_error(Slapi_PBlock *pb, int retval, int *ldap_result_code, char **ldap_result_message); - - /* - * nextid.c --- -2.13.6 - diff --git a/SOURCES/0047-Ticket-49524-Password-policy-minimum-token-length-fa.patch b/SOURCES/0047-Ticket-49524-Password-policy-minimum-token-length-fa.patch deleted file mode 100644 index ee2f366..0000000 --- a/SOURCES/0047-Ticket-49524-Password-policy-minimum-token-length-fa.patch +++ /dev/null 
@@ -1,133 +0,0 @@ -From a85f64d2c4fa2718748a205d4ae0ebab47513199 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Mon, 8 Jan 2018 11:34:02 -0500 -Subject: [PATCH] Ticket 49524 - Password policy: minimum token length fails - when the token length is equal to attribute length - -Bug Description: The token checking breaks when the password is the - exact value of the entry attribute. - -Fix Description: Remove the "equal" part of the string comparisons. - -https://pagure.io/389-ds-base/issue/49524 - -Reviewed by: firstyear & spichugi(Thanks!!) - -(cherry picked from commit 790be09fc434d394239bf2486d01f212b36cf0e3) ---- - .../tests/suites/password/pwdPolicy_token_test.py | 75 ++++++++++++++++++++++ - ldap/servers/slapd/pw.c | 2 +- - ldap/servers/slapd/utf8.c | 2 +- - 3 files changed, 77 insertions(+), 2 deletions(-) - create mode 100644 dirsrvtests/tests/suites/password/pwdPolicy_token_test.py - -diff --git a/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py b/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py -new file mode 100644 -index 000000000..7a4de9c85 ---- /dev/null -+++ b/dirsrvtests/tests/suites/password/pwdPolicy_token_test.py -@@ -0,0 +1,75 @@ -+import logging -+import pytest -+import os -+import time -+import ldap -+from lib389._constants import * -+from lib389.idm.user import UserAccounts -+from lib389.topologies import topology_st as topo -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+USER_DN = 'uid=Test_user1,ou=People,dc=example,dc=com' -+TOKEN = 'test_user1' -+ -+user_properties = { -+ 'uid': 'Test_user1', -+ 'cn': 'test_user1', -+ 'sn': 'test_user1', -+ 'uidNumber': '1001', -+ 'gidNumber': '2001', -+ 'userpassword': PASSWORD, -+ 'description': 'userdesc', -+ 'homeDirectory': '/home/{}'.format('test_user')} -+ -+ -+def pwd_setup(topo): -+ 
topo.standalone.config.replace_many(('passwordCheckSyntax', 'on'), -+ ('passwordMinLength', '4'), -+ ('passwordMinCategories', '1')) -+ users = UserAccounts(topo.standalone, DEFAULT_SUFFIX) -+ return users.create(properties=user_properties) -+ -+ -+def test_token_lengths(topo): -+ """Test that password token length is enforced for various lengths including -+ the same length as the attribute being checked by the policy. -+ -+ :id: dae9d916-2a03-4707-b454-9e901d295b13 -+ :setup: Standalone instance -+ :steps: -+ 1. Test token length rejects password of the same length as rdn value -+ :expectedresults: -+ 1. Passwords are rejected -+ """ -+ user = pwd_setup(topo) -+ for length in ['4', '6', '10']: -+ topo.standalone.simple_bind_s(DN_DM, PASSWORD) -+ topo.standalone.config.set('passwordMinTokenLength', length) -+ topo.standalone.simple_bind_s(USER_DN, PASSWORD) -+ time.sleep(1) -+ -+ try: -+ passwd = TOKEN[:int(length)] -+ log.info("Testing password len {} token ({})".format(length, passwd)) -+ user.replace('userpassword', passwd) -+ log.fatal('Password incorrectly allowed!') -+ assert False -+ except ldap.CONSTRAINT_VIOLATION as e: -+ log.info('Password correctly rejected: ' + str(e)) -+ except ldap.LDAPError as e: -+ log.fatal('Unexpected failure ' + str(e)) -+ assert False -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c -index e625962e8..0cf795b41 100644 ---- a/ldap/servers/slapd/pw.c -+++ b/ldap/servers/slapd/pw.c -@@ -1465,7 +1465,7 @@ check_trivial_words(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Value **vals, char * - sp = slapi_ch_strdup(slapi_value_get_string(valp)); - ep = sp + strlen(sp); - ep = ldap_utf8prevn(sp, ep, toklen); -- if (!ep || (sp >= ep)) { -+ if (!ep || (sp > ep)) { - slapi_ch_free_string(&sp); - continue; - } -diff --git a/ldap/servers/slapd/utf8.c 
b/ldap/servers/slapd/utf8.c -index b0667c636..4538625b3 100644 ---- a/ldap/servers/slapd/utf8.c -+++ b/ldap/servers/slapd/utf8.c -@@ -152,7 +152,7 @@ ldap_utf8prevn(char *s, char *from, int n) - } - for (; n > 0; --n) { - prev = ldap_utf8prev(prev); -- if ((prev <= s) && (n > 0)) { -+ if ((n > 0) && (prev < s)) { - return NULL; - } - } --- -2.13.6 - diff --git a/SOURCES/0048-Ticket-49446-cleanallruv-should-ignore-cleaned-repli.patch b/SOURCES/0048-Ticket-49446-cleanallruv-should-ignore-cleaned-repli.patch deleted file mode 100644 index e77d26e..0000000 --- a/SOURCES/0048-Ticket-49446-cleanallruv-should-ignore-cleaned-repli.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 7fa2f146c80ed64217bb0c1022c99bd1948cdc7c Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Thu, 11 Jan 2018 15:56:21 +0100 -Subject: [PATCH] Ticket 49446 - cleanallruv should ignore cleaned replica Id - in processing changelog if in force mode - -Bug: If the startcsn is calculated based on a cleaned rid, it could be missing from the changelog. - -Fix: In force mode we do not care that the topology gets in sync for the cleaned RID, so we can ignore it - in an earlier stage, instead of setting it to precleane only. - -Reviewed by: Thierry, thanks ---- - ldap/servers/plugins/replication/repl5_replica_config.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index e025f34d8..005528a41 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -1688,9 +1688,15 @@ replica_cleanallruv_thread(void *arg) - } - /* - * Presetting the rid prevents duplicate thread creation, but allows the db and changelog to still -- * process updates from the rid. set_cleaned_rid() blocks updates, so we don't want to do that... yet. -+ * process updates from the rid. -+ * set_cleaned_rid() blocks updates, so we don't want to do that... yet unless we are in force mode. -+ * If we are forcing a clean independent of state of other servers for this RID we can set_cleaned_rid() - */ -- preset_cleaned_rid(data->rid); -+ if (data->force) { -+ set_cleaned_rid(data->rid); -+ } else { -+ preset_cleaned_rid(data->rid); -+ } - rid_text = slapi_ch_smprintf("%d", data->rid); - csn_as_string(data->maxcsn, PR_FALSE, csnstr); - /* --- -2.13.6 - diff --git a/SOURCES/0049-Ticket-49413-Changelog-trimming-ignores-disabled-rep.patch b/SOURCES/0049-Ticket-49413-Changelog-trimming-ignores-disabled-rep.patch deleted file mode 100644 index bbf059c..0000000 
--- a/SOURCES/0049-Ticket-49413-Changelog-trimming-ignores-disabled-rep.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 7cb2e56db2da439c90bbfd35f132a85708942490 Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Tue, 14 Nov 2017 11:25:18 +0100 -Subject: [PATCH] Ticket 49413 - Changelog trimming ignores disabled - replica-agreement - -Bug: if a replication agreement is disabled it is not taken into account when - changelog trimming determines where to stop. - If the agreement is reenabled later replication can fail - -Fix: do not ignore disabled agreements in changelog trimming - -Reviewed by: Thierry, thanks ---- - ldap/servers/plugins/replication/cl5_api.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c -index 721013abf..dc2857910 100644 ---- a/ldap/servers/plugins/replication/cl5_api.c -+++ b/ldap/servers/plugins/replication/cl5_api.c -@@ -4283,12 +4283,10 @@ _cl5GetRUV2Purge2(Object *fileObj, RUV **ruv) - while (agmtObj) { - agmt = (Repl_Agmt *)object_get_data(agmtObj); - PR_ASSERT(agmt); -- -- if (!agmt_is_enabled(agmt)) { -- agmtObj = agmtlist_get_next_agreement_for_replica(r, agmtObj); -- continue; -- } -- -+ /* we need to handle all agreements, also if they are not enabled -+ * if they will be later enabled and changes are trimmed -+ * replication can fail -+ */ - consRUVObj = agmt_get_consumer_ruv(agmt); - if (consRUVObj) { - consRUV = (RUV *)object_get_data(consRUVObj); --- -2.13.6 - diff --git a/SOURCES/0050-Ticket-49278-GetEffectiveRights-gives-false-negative.patch b/SOURCES/0050-Ticket-49278-GetEffectiveRights-gives-false-negative.patch deleted file mode 100644 index f43d383..0000000 --- a/SOURCES/0050-Ticket-49278-GetEffectiveRights-gives-false-negative.patch +++ /dev/null 
@@ -1,330 +0,0 @@ -From 6e00c3bac13811bc6d94b810b17a59f9428c29f6 Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Thu, 11 Jan 2018 15:17:56 +0100 -Subject: [PATCH] Ticket 49278 - GetEffectiveRights gives false-negative - - Bug: If geteffective rights was issued for an non existing entry the - mechanism to genrate a template entry no longer worked and no results were - returned. - Fix: Improve the handling in itreating the result set, so that template entries (if - requested) are genereated and are not applied to existing entries. - Also some code cleanup in iterate() - Reviewed by: Thierry, thanks ---- - ldap/servers/slapd/opshared.c | 239 ++++++++++++++++++++---------------------- - 1 file changed, 114 insertions(+), 125 deletions(-) - -diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c -index 24157120e..46dcf6fba 100644 ---- a/ldap/servers/slapd/opshared.c -+++ b/ldap/servers/slapd/opshared.c -@@ -33,6 +33,7 @@ static char *pwpolicy_lock_attrs_all[] = {"passwordRetryCount", - static void compute_limits(Slapi_PBlock *pb); - static int send_results_ext(Slapi_PBlock *pb, int send_result, int *nentries, int pagesize, unsigned int *pr_stat); - static int process_entry(Slapi_PBlock *pb, Slapi_Entry *e, int send_result); -+static void send_entry(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Operation *operation, char **attrs, int attrsonly, int *pnentries); - - int - op_shared_is_allowed_attr(const char *attr_name, int replicated_op) -@@ -1040,6 +1041,31 @@ process_entry(Slapi_PBlock *pb, Slapi_Entry *e, int send_result) - - return 0; - } -+static void -+send_entry(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Operation *operation, char **attrs, int attrsonly, int *pnentries) -+{ -+ /* -+ * It's a regular entry, or it's a referral and -+ * managedsait control is on. In either case, send -+ * the entry. 
-+ */ -+ switch (send_ldap_search_entry(pb, e, NULL, attrs, attrsonly)) { -+ case 0: /* entry sent ok */ -+ (*pnentries)++; -+ slapi_pblock_set(pb, SLAPI_NENTRIES, pnentries); -+ break; -+ case 1: /* entry not sent */ -+ break; -+ case -1: /* connection closed */ -+ /* -+ * mark the operation as abandoned so the backend -+ * next entry function gets called again and has -+ * a chance to clean things up. -+ */ -+ operation->o_status = SLAPI_OP_STATUS_ABANDONED; -+ break; -+ } -+} - - #if 0 - /* Loops through search entries and sends them to the client. -@@ -1214,7 +1240,7 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in - *pnentries = 0; - - while (!done) { -- Slapi_Entry *gerentry = NULL; -+ Slapi_Entry *ger_template_entry = NULL; - Slapi_Operation *operation; - - slapi_pblock_get(pb, SLAPI_OPERATION, &operation); -@@ -1236,57 +1262,57 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in - slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &e); - - /* Check for possible get_effective_rights control */ -- if (e) { -- if (operation->o_flags & OP_FLAG_GET_EFFECTIVE_RIGHTS) { -- char *errbuf = NULL; -+ if (operation->o_flags & OP_FLAG_GET_EFFECTIVE_RIGHTS) { -+ char *errbuf = NULL; -+ -+ if (PAGEDRESULTS_PAGE_END == pr_stat) { -+ /* -+ * read ahead -- there is at least more entry. -+ * undo it and return the PAGE_END -+ */ -+ be->be_prev_search_results(pb); -+ done = 1; -+ continue; -+ } -+ if ( e == NULL ) { - char **gerattrs = NULL; - char **gerattrsdup = NULL; - char **gap = NULL; - char *gapnext = NULL; -- -- if (PAGEDRESULTS_PAGE_END == pr_stat) { -- /* -- * read ahead -- there is at least more entry. -- * undo it and return the PAGE_END -+ /* we have no more entries -+ * but we might create a template entry for GER -+ * so we need to continue, but make sure to stop -+ * after handling the template entry. 
-+ * the template entry is a temporary entry returned by the acl -+ * plugin in the pblock and will be freed - */ -- be->be_prev_search_results(pb); -- done = 1; -- continue; -- } -+ done = 1; -+ pr_stat = PAGEDRESULTS_SEARCH_END; - - slapi_pblock_get(pb, SLAPI_SEARCH_GERATTRS, &gerattrs); - gerattrsdup = cool_charray_dup(gerattrs); - gap = gerattrsdup; -- do { -+ while (gap && *gap) { - gapnext = NULL; -- if (gap) { -- if (*gap && *(gap + 1)) { -- gapnext = *(gap + 1); -- *(gap + 1) = NULL; -- } -- slapi_pblock_set(pb, SLAPI_SEARCH_GERATTRS, gap); -- rc = plugin_call_acl_plugin(pb, e, attrs, NULL, -- SLAPI_ACL_ALL, ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS, -- &errbuf); -- if (NULL != gapnext) { -- *(gap + 1) = gapnext; -- } -- } else if (NULL != e) { -- rc = plugin_call_acl_plugin(pb, e, attrs, NULL, -- SLAPI_ACL_ALL, ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS, -- &errbuf); -+ if (*(gap + 1)) { -+ gapnext = *(gap + 1); -+ *(gap + 1) = NULL; -+ } -+ slapi_pblock_set(pb, SLAPI_SEARCH_GERATTRS, gap); -+ rc = plugin_call_acl_plugin(pb, e, attrs, NULL, -+ SLAPI_ACL_ALL, ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS, -+ &errbuf); -+ if (NULL != gapnext) { -+ *(gap + 1) = gapnext; - } -+ gap++; -+ /* get the template entry, if any */ -+ slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &e); - if (NULL == e) { -- /* get the template entry, if any */ -- slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &e); -- if (NULL == e) { -- /* everything is ok - don't send the result */ -- pr_stat = PAGEDRESULTS_SEARCH_END; -- done = 1; -- continue; -- } -- gerentry = e; -+ /* everything is ok - don't send the result */ -+ continue; - } -+ ger_template_entry = e; - if (rc != LDAP_SUCCESS) { - /* Send error result and - abort op if the control is critical */ -@@ -1294,65 +1320,53 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in - "Failed to get effective rights for entry (%s), rc=%d\n", - slapi_entry_get_dn_const(e), rc); - send_ldap_result(pb, rc, NULL, errbuf, 0, 
NULL); -- slapi_ch_free((void **)&errbuf); -- if (gerentry) { -- slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, NULL); -- slapi_entry_free(gerentry); -- gerentry = e = NULL; -- } -- pr_stat = PAGEDRESULTS_SEARCH_END; - rval = -1; -- done = 1; -- continue; -- } -- slapi_ch_free((void **)&errbuf); -- if (process_entry(pb, e, send_result)) { -- /* shouldn't send this entry */ -- if (gerentry) { -- slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, NULL); -- slapi_entry_free(gerentry); -- gerentry = e = NULL; -+ } else { -+ if (!process_entry(pb, e, send_result)) { -+ /* should send this entry now*/ -+ send_entry(pb, e, operation, attrs, attrsonly, pnentries); - } -- continue; - } - -- /* -- * It's a regular entry, or it's a referral and -- * managedsait control is on. In either case, send -- * the entry. -- */ -- switch (send_ldap_search_entry(pb, e, NULL, attrs, attrsonly)) { -- case 0: /* entry sent ok */ -- (*pnentries)++; -- slapi_pblock_set(pb, SLAPI_NENTRIES, pnentries); -- break; -- case 1: /* entry not sent */ -- break; -- case -1: /* connection closed */ -- /* -- * mark the operation as abandoned so the backend -- * next entry function gets called again and has -- * a chance to clean things up. -- */ -- operation->o_status = SLAPI_OP_STATUS_ABANDONED; -- break; -- } -- if (gerentry) { -+ slapi_ch_free((void **)&errbuf); -+ if (ger_template_entry) { - slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_ENTRY, NULL); -- slapi_entry_free(gerentry); -- gerentry = e = NULL; -+ slapi_entry_free(ger_template_entry); -+ ger_template_entry = e = NULL; - } -- } while (gap && ++gap && *gap); -+ } /* while ger template */ - slapi_pblock_set(pb, SLAPI_SEARCH_GERATTRS, gerattrs); - cool_charray_free(gerattrsdup); -- if (pagesize == *pnentries) { -- /* PAGED RESULTS: reached the pagesize */ -- /* We don't set "done = 1" here. -- * We read ahead next entry to check whether there is -- * more entries to return or not. 
*/ -- pr_stat = PAGEDRESULTS_PAGE_END; -+ } else { -+ /* we are processing geteffective rights for an existing entry */ -+ rc = plugin_call_acl_plugin(pb, e, attrs, NULL, -+ SLAPI_ACL_ALL, ACLPLUGIN_ACCESS_GET_EFFECTIVE_RIGHTS, -+ &errbuf); -+ if (rc != LDAP_SUCCESS) { -+ /* Send error result and -+ abort op if the control is critical */ -+ slapi_log_err(SLAPI_LOG_ERR, "iterate", -+ "Failed to get effective rights for entry (%s), rc=%d\n", -+ slapi_entry_get_dn_const(e), rc); -+ send_ldap_result(pb, rc, NULL, errbuf, 0, NULL); -+ rval = -1; -+ } else { -+ if (!process_entry(pb, e, send_result)) { -+ /* should send this entry now*/ -+ send_entry(pb, e, operation, attrs, attrsonly, pnentries); -+ if (pagesize == *pnentries) { -+ /* PAGED RESULTS: reached the pagesize */ -+ /* We don't set "done = 1" here. -+ * We read ahead next entry to check whether there is -+ * more entries to return or not. */ -+ pr_stat = PAGEDRESULTS_PAGE_END; -+ } -+ } - } -- } else { /* not GET_EFFECTIVE_RIGHTS */ -+ slapi_ch_free((void **)&errbuf); -+ } -+ /* not GET_EFFECTIVE_RIGHTS */ -+ } else if (e) { - if (PAGEDRESULTS_PAGE_END == pr_stat) { - /* - * read ahead -- there is at least more entry. -@@ -1364,46 +1378,21 @@ iterate(Slapi_PBlock *pb, Slapi_Backend *be, int send_result, int *pnentries, in - } - /* Adding shadow password attrs. */ - add_shadow_ext_password_attrs(pb, &e); -- if (process_entry(pb, e, send_result)) { -- /* shouldn't send this entry */ -- struct slapi_entry *pb_pw_entry = slapi_pblock_get_pw_entry(pb); -- slapi_entry_free(pb_pw_entry); -- slapi_pblock_set_pw_entry(pb, NULL); -- continue; -- } -- -- /* -- * It's a regular entry, or it's a referral and -- * managedsait control is on. In either case, send -- * the entry. 
-- */ -- switch (send_ldap_search_entry(pb, e, NULL, attrs, attrsonly)) { -- case 0: /* entry sent ok */ -- (*pnentries)++; -- slapi_pblock_set(pb, SLAPI_NENTRIES, pnentries); -- break; -- case 1: /* entry not sent */ -- break; -- case -1: /* connection closed */ -- /* -- * mark the operation as abandoned so the backend -- * next entry function gets called again and has -- * a chance to clean things up. -- */ -- operation->o_status = SLAPI_OP_STATUS_ABANDONED; -- break; -+ if (!process_entry(pb, e, send_result)) { -+ /*this entry was not sent, do it now*/ -+ send_entry(pb, e, operation, attrs, attrsonly, pnentries); -+ if (pagesize == *pnentries) { -+ /* PAGED RESULTS: reached the pagesize */ -+ /* We don't set "done = 1" here. -+ * We read ahead next entry to check whether there is -+ * more entries to return or not. */ -+ pr_stat = PAGEDRESULTS_PAGE_END; -+ } - } -+ /* cleanup pw entry . sent or not */ - struct slapi_entry *pb_pw_entry = slapi_pblock_get_pw_entry(pb); - slapi_entry_free(pb_pw_entry); - slapi_pblock_set_pw_entry(pb, NULL); -- if (pagesize == *pnentries) { -- /* PAGED RESULTS: reached the pagesize */ -- /* We don't set "done = 1" here. -- * We read ahead next entry to check whether there is -- * more entries to return or not. */ -- pr_stat = PAGEDRESULTS_PAGE_END; -- } -- } - } else { - /* no more entries */ - done = 1; --- -2.13.6 - diff --git a/SOURCES/0051-Ticket-49531-coverity-issues-fix-memory-leaks.patch b/SOURCES/0051-Ticket-49531-coverity-issues-fix-memory-leaks.patch deleted file mode 100644 index b264ff5..0000000 --- a/SOURCES/0051-Ticket-49531-coverity-issues-fix-memory-leaks.patch +++ /dev/null 
@@ -1,56 +0,0 @@
-From 7acfb18228322ab2e331720bd7fe083da04625a2 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Fri, 12 Jan 2018 09:50:34 -0500
-Subject: [PATCH] Ticket 49531 - coverity issues - fix memory leaks
-
-Description: There were two false positives around pwpolicy struct
- being leaked, but it is freed when the pblock is
- destroyed. The other two leaks were real, but they
- only occurred during error conditions.
-
-https://pagure.io/389-ds-base/issue/49531
-
-Reviewed by: lkrispen (Thanks!)
-
-(cherry picked from commit 700d7422e6309d2d405961abbb805fbfe852e53c)
----
- ldap/servers/plugins/replication/cl5_api.c | 1 +
- ldap/servers/plugins/replication/urp.c | 3 ++-
- 2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
-index dc2857910..89ae9956c 100644
---- a/ldap/servers/plugins/replication/cl5_api.c
-+++ b/ldap/servers/plugins/replication/cl5_api.c
-@@ -4046,6 +4046,7 @@ _cl5WriteRUV(CL5DBFile *file, PRBool purge)
- slapi_log_err(SLAPI_LOG_ERR, repl_plugin_name_cl,
- "_cl5WriteRUV - changelog maxRUV not found in changelog for file %s\n",
- file->name);
-+ ber_bvecfree(vals);
- return CL5_DB_ERROR;
- }
- 
-diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c
-index 9534c0322..d4556d7fd 100644
---- a/ldap/servers/plugins/replication/urp.c
-+++ b/ldap/servers/plugins/replication/urp.c
-@@ -861,7 +861,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
- Slapi_Entry *pre_entry = NULL;
- int ret = 0;
- Slapi_DN *pre_sdn = NULL;
-- Slapi_RDN *rdn = slapi_rdn_new();
-+ Slapi_RDN *rdn = NULL;
- char *parentdn = NULL;
- char *newdn;
- const char *entrydn;
-@@ -882,6 +882,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn)
- entrydn = slapi_entry_get_ndn (pre_entry);*/
- uniqueid = slapi_entry_get_uniqueid (pre_entry);
- parentdn = slapi_dn_parent(entrydn);
-+ rdn = slapi_rdn_new();
- slapi_sdn_get_rdn(pre_sdn, rdn);
- slapi_rdn_remove_attr (rdn, SLAPI_ATTR_UNIQUEID );
- slapi_rdn_add(rdn, "cenotaphID", uniqueid);
--- 
-2.13.6
-
diff --git a/SOURCES/0052-Ticket-49529-Fix-Coverity-warnings-invalid-deference.patch b/SOURCES/0052-Ticket-49529-Fix-Coverity-warnings-invalid-deference.patch
deleted file mode 100644
index 1d91b81..0000000
--- a/SOURCES/0052-Ticket-49529-Fix-Coverity-warnings-invalid-deference.patch
+++ /dev/null
@@ -1,503 +0,0 @@
-From 0b5cbcf45f3fb4b03a1f762c5704183787d30696 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Fri, 12 Jan 2018 08:38:22 -0500
-Subject: [PATCH] Ticket 49529 - Fix Coverity warnings: invalid deferences
-
-Description: So many of the warnings were false positives, but
- I "fixed" 90% of them anyway for these two reasons:
-
- One, it's possible that a future change could actually
- result in a NULL pointer being referenced.
-
- Two, it would be nice to stop these coverity warnings
- so we can focus on real warnings. Auto waivers also
- don't always work as the surrounding code changes.
-
-https://pagure.io/389-ds-base/issue/49529
-
-Reviewed by: firstyear (Thanks!)
-
-(cherry picked from commit 7e27face5ef021d883a44d70bb3e9732b115016f)
----
- ldap/servers/slapd/abandon.c | 10 ++++++++--
- ldap/servers/slapd/add.c | 18 +++++++++++++++---
- ldap/servers/slapd/bind.c | 20 +++++++++++++++-----
- ldap/servers/slapd/compare.c | 17 +++++++++++++----
- ldap/servers/slapd/connection.c | 19 +++++++++++++------
- ldap/servers/slapd/delete.c | 4 ++--
- ldap/servers/slapd/dn.c | 7 +++++++
- ldap/servers/slapd/entry.c | 10 +++++++++-
- ldap/servers/slapd/extendop.c | 7 +++++++
- ldap/servers/slapd/filter.c | 6 +++++-
- ldap/servers/slapd/modify.c | 18 ++++++++++++++++--
- ldap/servers/slapd/passwd_extop.c | 4 ++++
- ldap/servers/slapd/psearch.c | 13 +++++++++----
- ldap/servers/slapd/result.c | 14 +++++++++++++-
- ldap/servers/slapd/search.c | 5 ++++-
- ldap/servers/slapd/task.c | 5 +++++
- 16 files changed, 145 insertions(+), 32 deletions(-)
-
-diff --git a/ldap/servers/slapd/abandon.c b/ldap/servers/slapd/abandon.c
-index 5c30c972d..e2237e5fc 100644
---- a/ldap/servers/slapd/abandon.c
-+++ b/ldap/servers/slapd/abandon.c
-@@ -42,10 +42,16 @@ do_abandon(Slapi_PBlock *pb)
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- 
-- BerElement *ber = pb_op->o_ber;
--
- slapi_log_err(SLAPI_LOG_TRACE, "do_abandon", "->\n");
- 
-+ if (pb_op == NULL || pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "do_abandon", "NULL param: pb_conn (0x%p) pb_op (0x%p)\n",
-+ pb_conn, pb_op);
-+ return;
-+ }
-+
-+ BerElement *ber = pb_op->o_ber;
-+
- /*
- * Parse the abandon request. It looks like this:
- *
-diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
-index 0a4a5d7b2..8f2fdeac8 100644
---- a/ldap/servers/slapd/add.c
-+++ b/ldap/servers/slapd/add.c
-@@ -66,6 +66,14 @@ do_add(Slapi_PBlock *pb)
- 
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
-+
-+
-+ if (operation == NULL || pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "do_add", "NULL param: pb_conn (0x%p) pb_op (0x%p)\n",
-+ pb_conn, operation);
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "param error", 0, NULL);
-+ return;
-+ }
- ber = operation->o_ber;
- 
- /* count the add request */
-@@ -450,8 +458,8 @@ op_shared_add(Slapi_PBlock *pb)
- 
- if (!internal_op) {
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d ADD dn=\"%s\"%s\n",
-- pb_conn->c_connid,
-- operation->o_opid,
-+ pb_conn ? pb_conn->c_connid : -1,
-+ operation ? operation->o_opid: -1,
- slapi_entry_get_dn_const(e),
- proxystr ? proxystr : "");
- } else {
-@@ -865,7 +873,11 @@ handle_fast_add(Slapi_PBlock *pb, Slapi_Entry *entry)
- int ret;
- 
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
--
-+ if (pb_conn == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "handle_fast_add", "NULL param: pb_conn (0x%p)\n", pb_conn);
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "param error", 0, NULL);
-+ return;
-+ }
- be = pb_conn->c_bi_backend;
- 
- if ((be == NULL) || (be->be_wire_import == NULL)) {
-diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
-index 4a8e4deaf..a34a21a77 100644
---- a/ldap/servers/slapd/bind.c
-+++ b/ldap/servers/slapd/bind.c
-@@ -54,11 +54,7 @@ do_bind(Slapi_PBlock *pb)
- {
- Operation *pb_op = NULL;
- Connection *pb_conn = NULL;
--
-- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
--
-- BerElement *ber = pb_op->o_ber;
-+ BerElement *ber;
- int err, isroot;
- ber_tag_t method = LBER_DEFAULT;
- ber_int_t version = -1;
-@@ -83,6 +79,16 @@ do_bind(Slapi_PBlock *pb)
- 
- slapi_log_err(SLAPI_LOG_TRACE, "do_bind", "=>\n");
- 
-+ slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-+ slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (pb_op == NULL || pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "do_bind", "NULL param: pb_conn (0x%p) pb_op (0x%p)\n",
-+ pb_conn, pb_op);
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL);
-+ goto free_and_return;
-+ }
-+ ber = pb_op->o_ber;
-+
- /*
- * Parse the bind request. It looks like this:
- *
-@@ -856,6 +862,10 @@ log_bind_access(
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- 
-+ if (pb_op == NULL || pb_conn == NULL) {
-+ return;
-+ }
-+
- if (method == LDAP_AUTH_SASL && saslmech && msg) {
- slapi_log_access(LDAP_DEBUG_STATS,
- "conn=%" PRIu64 " op=%d BIND dn=\"%s\" "
-diff --git a/ldap/servers/slapd/compare.c b/ldap/servers/slapd/compare.c
-index 9bc6b693a..2626d91d0 100644
---- a/ldap/servers/slapd/compare.c
-+++ b/ldap/servers/slapd/compare.c
-@@ -35,10 +35,7 @@ do_compare(Slapi_PBlock *pb)
- {
- Operation *pb_op = NULL;
- Connection *pb_conn = NULL;
-- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
--
-- BerElement *ber = pb_op->o_ber;
-+ BerElement *ber;
- char *rawdn = NULL;
- const char *dn = NULL;
- struct ava ava = {0};
-@@ -50,6 +47,18 @@ do_compare(Slapi_PBlock *pb)
- 
- slapi_log_err(SLAPI_LOG_TRACE, "do_compare", "=>\n");
- 
-+ slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-+ slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+
-+ if (pb_op == NULL || pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "do_compare", "NULL param: pb_conn (0x%p) pb_op (0x%p)\n",
-+ pb_conn, pb_op);
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL);
-+ goto free_and_return;
-+ }
-+
-+ ber = pb_op->o_ber;
-+
- /* count the compare request */
- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsCompareOps);
- 
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index 8ef115691..fa24ec040 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1518,7 +1518,7 @@ connection_threadmain()
- }
- 
- if (!thread_turbo_flag && !more_data) {
-- Connection *pb_conn = NULL;
-+ Connection *pb_conn = NULL;
- 
- /* If more data is left from the previous connection_read_operation,
- we should finish the op now. Client might be thinking it's
-@@ -1530,6 +1530,13 @@ connection_threadmain()
- * Connection wait for new work provides the conn and op for us.
- */
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain",
-+ "pb_conn is NULL\n");
-+ slapi_pblock_destroy(pb);
-+ g_decr_active_threadcnt();
-+ return;
-+ }
- 
- switch (ret) {
- case CONN_NOWORK:
-@@ -1702,11 +1709,11 @@ connection_threadmain()
- * so need locking from here on */
- signal_listner();
- /* with nunc-stans, I see an enormous amount of time spent in the poll() in
-- * connection_read_operation() when the below code is enabled - not sure why
-- * nunc-stans makes such a huge difference - for now, just disable this code
-- * when using nunc-stans - it is supposed to be an optimization but turns out
-- * to not be the opposite with nunc-stans
-- */
-+ * connection_read_operation() when the below code is enabled - not sure why
-+ * nunc-stans makes such a huge difference - for now, just disable this code
-+ * when using nunc-stans - it is supposed to be an optimization but turns out
-+ * to not be the opposite with nunc-stans
-+ */
- } else if (!enable_nunc_stans) { /* more data in conn - just put back on work_q - bypass poll */
- bypasspollcnt++;
- PR_EnterMonitor(conn->c_mutex);
-diff --git a/ldap/servers/slapd/delete.c b/ldap/servers/slapd/delete.c
-index ba238b18f..49cdab138 100644
---- a/ldap/servers/slapd/delete.c
-+++ b/ldap/servers/slapd/delete.c
-@@ -262,8 +262,8 @@ op_shared_delete(Slapi_PBlock *pb)
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d DEL dn=\"%s\"%s\n",
-- pb_conn->c_connid,
-- pb_op->o_opid,
-+ pb_conn ? pb_conn->c_connid : -1,
-+ pb_op ? pb_op->o_opid : -1,
- slapi_sdn_get_dn(sdn),
- proxystr ? proxystr : "");
- } else {
-diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
-index afca37214..abc155533 100644
---- a/ldap/servers/slapd/dn.c
-+++ b/ldap/servers/slapd/dn.c
-@@ -2477,6 +2477,13 @@ slapi_sdn_copy(const Slapi_DN *from, Slapi_DN *to)
- {
- SDN_DUMP(from, "slapi_sdn_copy from");
- SDN_DUMP(to, "slapi_sdn_copy to");
-+
-+ if (to == NULL || from == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "slapi_sdn_copy",
-+ "NULL param: from (0x%p) to (0x%p)\n", from, to);
-+ return;
-+ }
-+
- slapi_sdn_done(to);
- if (from->udn) {
- to->flag = slapi_setbit_uchar(to->flag, FLAG_UDN);
-diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
-index fbbc8faa0..32828b4e2 100644
---- a/ldap/servers/slapd/entry.c
-+++ b/ldap/servers/slapd/entry.c
-@@ -1998,6 +1998,10 @@ slapi_entry_dup(const Slapi_Entry *e)
- struct attrs_in_extension *aiep;
- 
- PR_ASSERT(NULL != e);
-+ if (e == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "slapi_entry_dup", "entry is NULL\n");
-+ return NULL;
-+ }
- 
- ec = slapi_entry_alloc();
- 
-@@ -3660,7 +3664,11 @@ delete_values_sv_internal(
- Slapi_Attr *a;
- int retVal = LDAP_SUCCESS;
- 
--/*
-+ if (e == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "delete_values_sv_internal", "entry is NULL\n");
-+ return LDAP_OPERATIONS_ERROR;
-+ }
-+ /*
- * If type is in the protected_attrs_all list, we could ignore the failure,
- * as the attribute could only exist in the entry in the memory when the
- * add/mod operation is done, while the retried entry from the db does not
-diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
-index 1594a8c9c..815949be6 100644
---- a/ldap/servers/slapd/extendop.c
-+++ b/ldap/servers/slapd/extendop.c
-@@ -219,6 +219,13 @@ do_extended(Slapi_PBlock *pb)
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- 
-+ if (pb_conn == NULL || pb_op == NULL) {
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "param error", 0, NULL);
-+ slapi_log_err(SLAPI_LOG_ERR, "do_extended",
-+ "NULL param error: conn (0x%p) op (0x%p)\n", pb_conn, pb_op);
-+ goto free_and_return;
-+ }
-+
- /*
- * Parse the extended request. It looks like this:
- *
-diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
-index fe3525f34..ef975e679 100644
---- a/ldap/servers/slapd/filter.c
-+++ b/ldap/servers/slapd/filter.c
-@@ -292,7 +292,11 @@ get_filter_internal(Connection *conn, BerElement *ber, struct slapi_filter **fil
- 
- case LDAP_FILTER_EXTENDED:
- slapi_log_err(SLAPI_LOG_FILTER, "get_filter_internal", "EXTENDED\n");
-- if (conn->c_ldapversion < 3) {
-+ if (conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "get_filter_internal",
-+ "NULL param: conn (0x%p)\n", conn);
-+ err = LDAP_OPERATIONS_ERROR;
-+ } else if (conn->c_ldapversion < 3) {
- slapi_log_err(SLAPI_LOG_ERR, "get_filter_internal",
- "Extensible filter received from v2 client\n");
- err = LDAP_PROTOCOL_ERROR;
-diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index 0dcac646b..10d263159 100644
---- a/ldap/servers/slapd/modify.c
-+++ b/ldap/servers/slapd/modify.c
-@@ -122,9 +122,16 @@ do_modify(Slapi_PBlock *pb)
- slapi_log_err(SLAPI_LOG_TRACE, "do_modify", "=>\n");
- 
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
-- ber = operation->o_ber;
--
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (operation == NULL) {
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR,
-+ NULL, "operation is NULL parameter", 0, NULL);
-+ slapi_log_err(SLAPI_LOG_ERR, "do_modify",
-+ "NULL param: pb_conn (0x%p) operation (0x%p)\n", pb_conn, operation);
-+ return;
-+ }
-+
-+ ber = operation->o_ber;
- 
- /* count the modify request */
- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsModifyEntryOps);
-@@ -1165,6 +1172,13 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- internal_op = operation_is_flag_set(operation, OP_FLAG_INTERNAL);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- 
-+ if (pb_conn == NULL || operation == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "op_shared_allow_pw_change",
-+ "NULL param error: conn (0x%p) op (0x%p)\n", pb_conn, operation);
-+ rc = -1;
-+ goto done;
-+ }
-+
- slapi_sdn_init_dn_byref(&sdn, dn);
- pwpolicy = new_passwdPolicy(pb, (char *)slapi_sdn_get_ndn(&sdn));
- 
-diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
-index 54a9a6716..40145af2e 100644
---- a/ldap/servers/slapd/passwd_extop.c
-+++ b/ldap/servers/slapd/passwd_extop.c
-@@ -486,6 +486,10 @@ passwd_modify_extop(Slapi_PBlock *pb)
- /* Allow password modify only for SSL/TLS established connections and
- * connections using SASL privacy layers */
- slapi_pblock_get(pb, SLAPI_CONNECTION, &conn);
-+ if (conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "passwd_modify_extop", "conn is NULL");
-+ goto free_and_return;
-+ }
- if (slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
- errMesg = "Could not get SASL SSF from connection\n";
- rc = LDAP_OPERATIONS_ERROR;
-diff --git a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c
-index e0dd2bf89..1bf062954 100644
---- a/ldap/servers/slapd/psearch.c
-+++ b/ldap/servers/slapd/psearch.c
-@@ -271,6 +271,11 @@ ps_send_results(void *arg)
- slapi_pblock_get(ps->ps_pblock, SLAPI_CONNECTION, &pb_conn);
- slapi_pblock_get(ps->ps_pblock, SLAPI_OPERATION, &pb_op);
- 
-+ if (pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "ps_send_results", "pb_conn is NULL\n");
-+ return;
-+ }
-+
- /* need to acquire a reference to this connection so that it will not
- be released or cleaned up out from under us */
- PR_EnterMonitor(pb_conn->c_mutex);
-@@ -280,7 +285,7 @@ ps_send_results(void *arg)
- if (conn_acq_flag) {
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
- "conn=%" PRIu64 " op=%d Could not acquire the connection - psearch aborted\n",
-- pb_conn->c_connid, pb_op->o_opid);
-+ pb_conn->c_connid, pb_op ? pb_op->o_opid : -1);
- }
- 
- PR_Lock(psearch_list->pl_cvarlock);
-@@ -290,7 +295,7 @@ ps_send_results(void *arg)
- if (pb_op == NULL || slapi_op_abandoned(ps->ps_pblock)) {
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
- "conn=%" PRIu64 " op=%d The operation has been abandoned\n",
-- pb_conn->c_connid, pb_op->o_opid);
-+ pb_conn->c_connid, pb_op ? pb_op->o_opid : -1);
- break;
- }
- if (NULL == ps->ps_eq_head) {
-@@ -532,7 +537,7 @@ ps_service_persistent_searches(Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t chg
- slapi_log_err(SLAPI_LOG_CONNS, "ps_service_persistent_searches",
- "conn=%" PRIu64 " op=%d entry %s with chgtype %d "
- "matches the ps changetype %d\n",
-- pb_conn->c_connid,
-+ pb_conn ? pb_conn->c_connid : -1,
- pb_op->o_opid,
- edn, chgtype, ps->ps_changetypes);
- 
-@@ -609,7 +614,7 @@ ps_service_persistent_searches(Slapi_Entry *e, Slapi_Entry *eprev, ber_int_t chg
- /* Turn 'em loose */
- ps_wakeup_all();
- slapi_log_err(SLAPI_LOG_TRACE, "ps_service_persistent_searches", "Enqueued entry "
-- "\"%s\" on %d persistent search lists\n",
-+ "\"%s\" on %d persistent search lists\n",
- slapi_entry_get_dn_const(e), matched);
- } else {
- slapi_log_err(SLAPI_LOG_TRACE, "ps_service_persistent_searches",
-diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
-index 2302ae96b..ce394d948 100644
---- a/ldap/servers/slapd/result.c
-+++ b/ldap/servers/slapd/result.c
-@@ -396,7 +396,7 @@ send_ldap_result_ext(
- break;
- 
- case LDAP_REFERRAL:
-- if (conn->c_ldapversion > LDAP_VERSION2) {
-+ if (conn && conn->c_ldapversion > LDAP_VERSION2) {
- tag = LDAP_TAG_REFERRAL;
- break;
- }
-@@ -645,6 +645,11 @@ process_read_entry_controls(Slapi_PBlock *pb, char *oid)
- BerElement *req_ber = NULL;
- Operation *op = NULL;
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
-+ if (op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "process_read_entry_controls", "op is NULL\n");
-+ rc = -1;
-+ goto done;
-+ }
- 
- if (strcmp(oid, LDAP_CONTROL_PRE_READ_ENTRY) == 0) {
- /* first verify this is the correct operation for a pre-read entry control */
-@@ -2145,6 +2150,13 @@ encode_read_entry(Slapi_PBlock *pb, Slapi_Entry *e, char **attrs, int alluseratt
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &conn);
- 
-+ if (conn == NULL || op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "encode_read_entry",
-+ "NULL param error: conn (0x%p) op (0x%p)\n", conn, op);
-+ rc = -1;
-+ goto cleanup;
-+ }
-+
- /* Start the ber encoding with the DN */
- rc = ber_printf(ber, "t{s{", LDAP_RES_SEARCH_ENTRY, slapi_entry_get_dn_const(e));
- if (rc == -1) {
-diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
-index 5e3413245..731c6519e 100644
---- a/ldap/servers/slapd/search.c
-+++ b/ldap/servers/slapd/search.c
-@@ -125,7 +125,10 @@ do_search(Slapi_PBlock *pb)
- goto free_and_return;
- }
- 
-- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn) != 0 || pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "do_search", "pb_conn is NULL\n");
-+ goto free_and_return;
-+ }
- 
- /*
- * If nsslapd-minssf-exclude-rootdse is on, the minssf check has been
-diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
-index 53a0af52d..002083c04 100644
---- a/ldap/servers/slapd/task.c
-+++ b/ldap/servers/slapd/task.c
-@@ -199,6 +199,11 @@ slapi_task_log_status(Slapi_Task *task, char *format, ...)
- {
- va_list ap;
- 
-+ if (task == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "slapi_task_log_status",
-+ "Slapi_Task is NULL, can not log status\n");
-+ return;
-+ }
- if (!task->task_status)
- task->task_status = (char *)slapi_ch_malloc(10 * LOG_BUFFER);
- if (!task->task_status)
--- 
-2.13.6
-
diff --git a/SOURCES/0053-Ticket-49463-After-cleanALLruv-there-is-a-flow-of-ke.patch b/SOURCES/0053-Ticket-49463-After-cleanALLruv-there-is-a-flow-of-ke.patch
deleted file mode 100644
index c0f08f7..0000000
--- a/SOURCES/0053-Ticket-49463-After-cleanALLruv-there-is-a-flow-of-ke.patch
+++ /dev/null
@@ -1,286 +0,0 @@ -From 0ac68e15a9a4048d3c1ad4519000996cd65fdefb Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Fri, 1 Dec 2017 16:23:11 +0100 -Subject: [PATCH] Ticket 49463 - After cleanALLruv, there is a flow of keep - alive DEL - -Bug Description: - When cleanAllRuv is launched, it spawn cleanAllRuv on all replicas. - Each replica will clean its changelog and database RUV AND in addition - will DEL the keep alive entry of the target ReplicaID. - So for the same entry (keep alive) there will be as many DEL as there are replicas - - This flow of DEL is useless as only one DEL is enough. - In addition because of https://pagure.io/389-ds-base/issue/49466, replication may - loop on each of those DELs. - -Fix Description: - The fix is only to prevent the flow of DEL. - It adds a flag ('original_task') in the task payload. - The server receiving the task (replica_execute_cleanall_ruv_task) flags the - task as 'original_task'. - In the opposite, the propagated cleanAllRuv (multimaster_extop_cleanruv) does - not flag the task as 'original_task' - Only original task does the DEL of the keep alive entry. - Note the propageted payload (extop) is not changed. 
In a mixed version - environment "old" servers will DEL the keep alive and flow can still happen - -https://pagure.io/389-ds-base/issue/49466 - -Reviewed by: Ludwig Krispenz - -Platforms tested: F23 - -Flag Day: no - -Doc impact: no ---- - ldap/servers/plugins/replication/repl5.h | 49 ++++++++++++---------- - ldap/servers/plugins/replication/repl5_replica.c | 21 ++++++++++ - .../plugins/replication/repl5_replica_config.c | 32 +++++++++++--- - ldap/servers/plugins/replication/repl_extop.c | 2 + - 4 files changed, 76 insertions(+), 28 deletions(-) - -diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h -index 4e206a0fc..e08fec752 100644 ---- a/ldap/servers/plugins/replication/repl5.h -+++ b/ldap/servers/plugins/replication/repl5.h -@@ -783,12 +783,37 @@ void multimaster_mtnode_construct_replicas(void); - - void multimaster_be_state_change(void *handle, char *be_name, int old_be_state, int new_be_state); - -+#define CLEANRIDSIZ 64 /* maximum number for concurrent CLEANALLRUV tasks */ -+ -+typedef struct _cleanruv_data -+{ -+ Object *repl_obj; -+ Replica *replica; -+ ReplicaId rid; -+ Slapi_Task *task; -+ struct berval *payload; -+ CSN *maxcsn; -+ char *repl_root; -+ Slapi_DN *sdn; -+ char *certify; -+ char *force; -+ PRBool original_task; -+} cleanruv_data; -+ -+typedef struct _cleanruv_purge_data -+{ -+ int cleaned_rid; -+ const Slapi_DN *suffix_sdn; -+ char *replName; -+ char *replGen; -+} cleanruv_purge_data; -+ - /* In repl5_replica_config.c */ - int replica_config_init(void); - void replica_config_destroy(void); - int get_replica_type(Replica *r); - int replica_execute_cleanruv_task_ext(Object *r, ReplicaId rid); --void add_cleaned_rid(ReplicaId rid, Replica *r, char *maxcsn, char *forcing); -+void add_cleaned_rid(cleanruv_data *data, char *maxcsn); - int is_cleaned_rid(ReplicaId rid); - int replica_cleanall_ruv_abort(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *eAfter, int *returncode, char *returntext, void *arg); - 
void replica_cleanallruv_thread_ext(void *arg); -@@ -808,29 +833,7 @@ void set_cleaned_rid(ReplicaId rid); - void cleanruv_log(Slapi_Task *task, int rid, char *task_type, int sev_level, char *fmt, ...); - char *replica_cleanallruv_get_local_maxcsn(ReplicaId rid, char *base_dn); - --#define CLEANRIDSIZ 64 /* maximum number for concurrent CLEANALLRUV tasks */ - --typedef struct _cleanruv_data --{ -- Object *repl_obj; -- Replica *replica; -- ReplicaId rid; -- Slapi_Task *task; -- struct berval *payload; -- CSN *maxcsn; -- char *repl_root; -- Slapi_DN *sdn; -- char *certify; -- char *force; --} cleanruv_data; -- --typedef struct _cleanruv_purge_data --{ -- int cleaned_rid; -- const Slapi_DN *suffix_sdn; -- char *replName; -- char *replGen; --} cleanruv_purge_data; - - /* replutil.c */ - LDAPControl *create_managedsait_control(void); -diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c -index 77f4f18e4..e75807a62 100644 ---- a/ldap/servers/plugins/replication/repl5_replica.c -+++ b/ldap/servers/plugins/replication/repl5_replica.c -@@ -2120,6 +2120,7 @@ replica_check_for_tasks(Replica *r, Slapi_Entry *e) - char csnstr[CSN_STRSIZE]; - char *token = NULL; - char *forcing; -+ PRBool original_task; - char *csnpart; - char *ridstr; - char *iter = NULL; -@@ -2151,8 +2152,15 @@ replica_check_for_tasks(Replica *r, Slapi_Entry *e) - csn_init_by_string(maxcsn, csnpart); - csn_as_string(maxcsn, PR_FALSE, csnstr); - forcing = ldap_utf8strtok_r(iter, ":", &iter); -+ original_task = PR_TRUE; - if (forcing == NULL) { - forcing = "no"; -+ } else if (!strcasecmp(forcing, "yes") || !strcasecmp(forcing, "no")) { -+ /* forcing was correctly set, lets try to read the original task flag */ -+ token = ldap_utf8strtok_r(iter, ":", &iter); -+ if (token && !atoi(token)) { -+ original_task = PR_FALSE; -+ } - } - - slapi_log_err(SLAPI_LOG_NOTICE, repl_plugin_name, "CleanAllRUV Task - cleanAllRUV task found, " -@@ -2190,6 +2198,13 @@ 
replica_check_for_tasks(Replica *r, Slapi_Entry *e) - data->force = slapi_ch_strdup(forcing); - data->repl_root = NULL; - -+ /* This is a corner case, a cleanAllRuv task was interrupted by a shutdown or a crash -+ * We retrieved from type_replicaCleanRUV if the cleanAllRuv request -+ * was received from a direct task ADD or if was received via -+ * the cleanAllRuv extop. -+ */ -+ data->original_task = original_task; -+ - thread = PR_CreateThread(PR_USER_THREAD, replica_cleanallruv_thread_ext, - (void *)data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, - PR_UNJOINABLE_THREAD, SLAPD_DEFAULT_THREAD_STACKSIZE); -@@ -2284,6 +2299,12 @@ replica_check_for_tasks(Replica *r, Slapi_Entry *e) - data->sdn = slapi_sdn_dup(r->repl_root); - data->certify = slapi_ch_strdup(certify); - -+ /* This is a corner case, a cleanAllRuv task was interrupted by a shutdown or a crash -+ * Let's assum this replica was the original receiver of the task. -+ * This flag has no impact on Abort cleanAllRuv -+ */ -+ data->original_task = PR_TRUE; -+ - thread = PR_CreateThread(PR_USER_THREAD, replica_abort_task_thread, - (void *)data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, - PR_UNJOINABLE_THREAD, SLAPD_DEFAULT_THREAD_STACKSIZE); -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index 005528a41..95b933bb8 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -1573,6 +1573,11 @@ replica_execute_cleanall_ruv_task(Object *r, ReplicaId rid, Slapi_Task *task, co - data->repl_root = slapi_ch_strdup(basedn); - data->force = slapi_ch_strdup(force_cleaning); - -+ /* It is either a consequence of a direct ADD cleanAllRuv task -+ * or modify of the replica to add nsds5task: cleanAllRuv -+ */ -+ data->original_task = PR_TRUE; -+ - thread = PR_CreateThread(PR_USER_THREAD, replica_cleanallruv_thread, - (void *)data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, - 
PR_UNJOINABLE_THREAD, SLAPD_DEFAULT_THREAD_STACKSIZE); -@@ -1702,7 +1707,7 @@ replica_cleanallruv_thread(void *arg) - /* - * Add the cleanallruv task to the repl config - so we can handle restarts - */ -- add_cleaned_rid(data->rid, data->replica, csnstr, data->force); /* marks config that we started cleaning a rid */ -+ add_cleaned_rid(data, csnstr); /* marks config that we started cleaning a rid */ - cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Cleaning rid (%d)...", data->rid); - /* - * First, wait for the maxcsn to be covered -@@ -1878,7 +1883,13 @@ done: - */ - delete_cleaned_rid_config(data); - check_replicas_are_done_cleaning(data); -- remove_keep_alive_entry(data->task, data->rid, data->repl_root); -+ if (data->original_task) { -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Original task deletes Keep alive entry (%d).", data->rid); -+ remove_keep_alive_entry(data->task, data->rid, data->repl_root); -+ } else { -+ cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Propagated task does not delete Keep alive entry (%d).", data->rid); -+ } -+ - clean_agmts(data); - remove_cleaned_rid(data->rid); - cleanruv_log(data->task, data->rid, CLEANALLRUV_ID, SLAPI_LOG_INFO, "Successfully cleaned rid(%d).", data->rid); -@@ -2029,7 +2040,7 @@ check_replicas_are_done_cleaning(cleanruv_data *data) - "Waiting for all the replicas to finish cleaning..."); - - csn_as_string(data->maxcsn, PR_FALSE, csnstr); -- filter = PR_smprintf("(%s=%d:%s:%s)", type_replicaCleanRUV, (int)data->rid, csnstr, data->force); -+ filter = PR_smprintf("(%s=%d:%s:%s:%d)", type_replicaCleanRUV, (int)data->rid, csnstr, data->force, data->original_task ? 
1 : 0); - while (not_all_cleaned && !is_task_aborted(data->rid) && !slapi_is_shutting_down()) { - agmt_obj = agmtlist_get_first_agreement_for_replica(data->replica); - if (agmt_obj == NULL) { -@@ -2502,7 +2513,7 @@ set_cleaned_rid(ReplicaId rid) - * Add the rid and maxcsn to the repl config (so we can resume after a server restart) - */ - void --add_cleaned_rid(ReplicaId rid, Replica *r, char *maxcsn, char *forcing) -+add_cleaned_rid(cleanruv_data *cleanruv_data, char *maxcsn) - { - Slapi_PBlock *pb; - struct berval *vals[2]; -@@ -2512,6 +2523,16 @@ add_cleaned_rid(ReplicaId rid, Replica *r, char *maxcsn, char *forcing) - char data[CSN_STRSIZE + 10]; - char *dn; - int rc; -+ ReplicaId rid; -+ Replica *r; -+ char *forcing; -+ -+ if (data == NULL) { -+ return; -+ } -+ rid = cleanruv_data->rid; -+ r = cleanruv_data->replica; -+ forcing = cleanruv_data->force; - - if (r == NULL || maxcsn == NULL) { - return; -@@ -2519,7 +2540,7 @@ add_cleaned_rid(ReplicaId rid, Replica *r, char *maxcsn, char *forcing) - /* - * Write the rid & maxcsn to the config entry - */ -- val.bv_len = PR_snprintf(data, sizeof(data), "%d:%s:%s", rid, maxcsn, forcing); -+ val.bv_len = PR_snprintf(data, sizeof(data), "%d:%s:%s:%d", rid, maxcsn, forcing, cleanruv_data->original_task ? 
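Review bot: The guard added in add_cleaned_rid, `if (data == NULL) { return; }`, tests the local array `char data[CSN_STRSIZE + 10]` declared in the same hunk's context, which can never be NULL, so `cleanruv_data` is still dereferenced unchecked on the three assignments that follow. The check should name the parameter: `if (cleanruv_data == NULL) { return; }`. Patch 0056 further down this page (its repl5_replica_config.c hunk at -2527) deletes the guard instead of correcting it, which leaves the function with no check on its first argument. The parameter shares its name with the `cleanruv_data` type, which makes this mix-up easy; a distinct name would help. The function's signature and the rest of its body are outside this hunk.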
1 : 0); - dn = replica_get_dn(r); - pb = slapi_pblock_new(); - mod.mod_op = LDAP_MOD_ADD | LDAP_MOD_BVALUES; -@@ -2961,6 +2982,7 @@ replica_cleanall_ruv_abort(Slapi_PBlock *pb __attribute__((unused)), - data->repl_root = slapi_ch_strdup(base_dn); - data->sdn = NULL; - data->certify = slapi_ch_strdup(certify_all); -+ data->original_task = PR_TRUE; - - thread = PR_CreateThread(PR_USER_THREAD, replica_abort_task_thread, - (void *)data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, -diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c -index c49c6bd8d..68e2544b4 100644 ---- a/ldap/servers/plugins/replication/repl_extop.c -+++ b/ldap/servers/plugins/replication/repl_extop.c -@@ -1412,6 +1412,7 @@ multimaster_extop_abort_cleanruv(Slapi_PBlock *pb) - data->rid = rid; - data->repl_root = slapi_ch_strdup(repl_root); - data->certify = slapi_ch_strdup(certify_all); -+ data->original_task = PR_FALSE; - /* - * Set the aborted rid and stop the cleaning - */ -@@ -1555,6 +1556,7 @@ multimaster_extop_cleanruv(Slapi_PBlock *pb) - data->payload = slapi_ch_bvdup(extop_payload); - data->force = slapi_ch_strdup(force); - data->repl_root = slapi_ch_strdup(repl_root); -+ data->original_task = PR_FALSE; - - thread = PR_CreateThread(PR_USER_THREAD, replica_cleanallruv_thread_ext, - (void *)data, PR_PRIORITY_NORMAL, PR_GLOBAL_THREAD, --- -2.13.6 - diff --git a/SOURCES/0054-Ticket-49532-coverity-issues-fix-compiler-warnings-c.patch b/SOURCES/0054-Ticket-49532-coverity-issues-fix-compiler-warnings-c.patch deleted file mode 100644 index 278a45e..0000000 --- a/SOURCES/0054-Ticket-49532-coverity-issues-fix-compiler-warnings-c.patch +++ /dev/null 
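Review bot: The `PR_snprintf` format in add_cleaned_rid grows by the `:%d` suffix, but the destination is still `char data[CSN_STRSIZE + 10]` (declared in the previous hunk's context) and the result is not compared with `sizeof(data)`. CSN_STRSIZE is not visible here, so confirm that a five-digit rid plus the longest `forcing` value still fits. If it does not, the truncated part is the new `original_task` flag, which the restart path in replica_check_for_tasks reads back. Widening the buffer, for example `char data[CSN_STRSIZE + 16];`, and refusing to write the value when `val.bv_len >= sizeof(data) - 1` would make the stored record reliable.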
@@ -1,75 +0,0 @@ -From cfa194289ee0c9d26d5775f0b67cf9b481bf357f Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Fri, 12 Jan 2018 10:37:18 -0500 -Subject: [PATCH] Ticket 49532 - coverity issues - fix compiler warnings & - clang issues - -Description: Fixed all the warnings - -https://pagure.io/389-ds-base/issue/49532 - -Reviewed by: tbordaz(Thanks!) - -(cherry picked from commit 05907ae05c8a88a64b86747879c002d55d356673) ---- - ldap/servers/slapd/back-ldbm/idl_set.c | 4 ++-- - ldap/servers/slapd/control.c | 2 +- - src/nunc-stans/ns/ns_thrpool.c | 7 ++++++- - 3 files changed, 9 insertions(+), 4 deletions(-) - -diff --git a/ldap/servers/slapd/back-ldbm/idl_set.c b/ldap/servers/slapd/back-ldbm/idl_set.c -index b68e7ab76..f9a900f1f 100644 ---- a/ldap/servers/slapd/back-ldbm/idl_set.c -+++ b/ldap/servers/slapd/back-ldbm/idl_set.c -@@ -270,7 +270,7 @@ idl_set_union(IDListSet *idl_set, backend *be) - * Allocate a new set based on the size of our sets. - */ - IDList *result_list = idl_alloc(idl_set->total_size); -- IDList *idl = idl_set->head; -+ IDList *idl = NULL; - IDList *idl_del = NULL; - IDList *prev_idl = NULL; - NIDS last_min = 0; -@@ -398,7 +398,7 @@ idl_set_intersect(IDListSet *idl_set, backend *be) - * we don't care if we have allids here, because we'll ignore it anyway. - */ - result_list = idl_alloc(idl_set->minimum->b_nids); -- IDList *idl = idl_set->head; -+ IDList *idl = NULL; - - /* The previous value we inserted. 
*/ - NIDS last_min = 0; -diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c -index 91d8abb95..366ec7897 100644 ---- a/ldap/servers/slapd/control.c -+++ b/ldap/servers/slapd/control.c -@@ -337,7 +337,7 @@ get_ldapmessage_controls_ext( - slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found); - slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found); - slapi_log_err(SLAPI_LOG_CONNS, "get_ldapmessage_controls_ext", "Warning: conn=%" PRIu64 " op=%d contains an empty list of controls\n", -- pb_conn->c_connid, pb_op->o_opid); -+ pb_conn ? pb_conn->c_connid : -1, pb_op ? pb_op->o_opid : -1); - } else { - /* len, ber_len_t is uint, not int, cannot be != -1, may be better to remove this check. */ - if ((tag != LBER_END_OF_SEQORSET) && (len != -1)) { -diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c -index 1d8bb03f1..d95b0c38b 100644 ---- a/src/nunc-stans/ns/ns_thrpool.c -+++ b/src/nunc-stans/ns/ns_thrpool.c -@@ -1587,7 +1587,12 @@ ns_thrpool_shutdown(struct ns_thrpool_t *tp) - */ - for (size_t i = 0; i < tp->thread_count; i++) { - ns_result_t result = ns_add_shutdown_job(tp); -- PR_ASSERT(result == NS_SUCCESS); -+ if (result != NS_SUCCESS) { -+#ifdef DEBUG -+ ns_log(LOG_DEBUG, "ns_thrpool_shutdown - Failed to add shutdown job: error (%d)\n", result); -+#endif -+ PR_ASSERT(0); -+ } - } - /* Make sure all threads are woken up to their shutdown jobs. */ - pthread_mutex_lock(&(tp->work_q_lock)); --- -2.13.6 - diff --git a/SOURCES/0055-Ticket-49523-memberof-schema-violation-error-message.patch b/SOURCES/0055-Ticket-49523-memberof-schema-violation-error-message.patch deleted file mode 100644 index d55ffac..0000000 --- a/SOURCES/0055-Ticket-49523-memberof-schema-violation-error-message.patch +++ /dev/null 
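Review bot: In ns_thrpool_shutdown a failed `ns_add_shutdown_job()` is now reported only when DEBUG is defined, and `PR_ASSERT(0)` is compiled out of non-debug NSPR builds, so a production build ignores the failure and carries on with the loop. A worker that never receives its shutdown job would presumably keep the pool from stopping cleanly. Log the failure unconditionally, e.g. `ns_log(LOG_ERR, "ns_thrpool_shutdown - Failed to add shutdown job: error (%d)\n", result);`, and keep the assert for debug builds only. The function continues outside the hunk.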
@@ -1,225 +0,0 @@ -From 60198729ba59f673aae2ae1db1d9668b674ad429 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Fri, 5 Jan 2018 15:31:44 +0100 -Subject: [PATCH] Ticket 49523 - memberof: schema violation error message is - confusing as memberof will likely repair target entry - -Bug Description: - When memberof is enabled it adds 'memberof' attribute to members entries. - If a member entry has not the appropriate objectclass to support 'memberof' attribute an ERR is logged. - - ERR - oc_check_allowed_sv - Entry "cn=user_1,ou=People,dc=example,dc=com" -- attribute "memberOf" not allowed - - This is confusing because memberof will catch this violation and may try to repair it. - So although this message is alarming, the target entry may finally have the 'memberof' attribute. - - This is especially confusing since https://pagure.io/389-ds-base/issue/48985 where the repair operation - is done by default (if schema is violated) - - We can not (and should not) eliminate the schema violation message. - But memberof should log a additional warning (beside the schema violation msg) stating it repaired the violation. 
- -Fix Description: - - Add a warning message upon repair operation - ERR - oc_check_allowed_sv - Entry "" -- attribute "memberOf" not allowed - WARN - memberof-plugin - Entry - schema violation caught - repair operation succeeded - -https://pagure.io/389-ds-base/issue/49523 - -Reviewed by: Mark Reynolds - -Platforms tested: F26 - -Flag Day: no - -Doc impact: no ---- - dirsrvtests/tests/tickets/ticket49523_test.py | 154 ++++++++++++++++++++++++++ - ldap/servers/plugins/memberof/memberof.c | 8 +- - 2 files changed, 161 insertions(+), 1 deletion(-) - create mode 100644 dirsrvtests/tests/tickets/ticket49523_test.py - -diff --git a/dirsrvtests/tests/tickets/ticket49523_test.py b/dirsrvtests/tests/tickets/ticket49523_test.py -new file mode 100644 -index 000000000..c3296ef07 ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket49523_test.py -@@ -0,0 +1,154 @@ -+import logging -+import pytest -+import os -+import ldap -+import time -+import re -+from lib389.plugins import MemberOfPlugin -+from lib389._constants import * -+from lib389.topologies import topology_st as topo -+from lib389 import Entry -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+ -+USER_CN='user_' -+GROUP_CN='group_' -+def _user_get_dn(no): -+ cn = '%s%d' % (USER_CN, no) -+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX) -+ return (cn, dn) -+ -+def add_user(server, no, desc='dummy', sleep=True): -+ (cn, dn) = _user_get_dn(no) -+ log.fatal('Adding user (%s): ' % dn) -+ server.add_s(Entry((dn, {'objectclass': ['top', 'person'], -+ 'cn': [cn], -+ 'description': [desc], -+ 'sn': [cn], -+ 'description': ['add on that host']}))) -+ if sleep: -+ time.sleep(2) -+ -+def add_group(server, nr, sleep=True): -+ cn = '%s%d' % (GROUP_CN, nr) -+ dn = 'cn=%s,ou=groups,%s' % (cn, SUFFIX) -+ server.add_s(Entry((dn, {'objectclass': ['top', 
'groupofnames'], -+ 'description': 'group %d' % nr}))) -+ if sleep: -+ time.sleep(2) -+ -+def update_member(server, member_dn, group_dn, op, sleep=True): -+ mod = [(op, 'member', member_dn)] -+ server.modify_s(group_dn, mod) -+ if sleep: -+ time.sleep(2) -+ -+def _find_memberof(server, member_dn, group_dn, find_result=True): -+ ent = server.getEntry(member_dn, ldap.SCOPE_BASE, "(objectclass=*)", ['memberof']) -+ found = False -+ if ent.hasAttr('memberof'): -+ -+ for val in ent.getValues('memberof'): -+ server.log.info("!!!!!!! %s: memberof->%s" % (member_dn, val)) -+ server.log.info("!!!!!!! %s" % (val)) -+ server.log.info("!!!!!!! %s" % (group_dn)) -+ if val.lower() == group_dn.lower(): -+ found = True -+ break -+ -+ if find_result: -+ assert (found) -+ else: -+ assert (not found) -+ -+def pattern_accesslog(server, log_pattern): -+ file_obj = open(server.accesslog, "r") -+ -+ found = False -+ # Use a while true iteration because 'for line in file: hit a -+ while True: -+ line = file_obj.readline() -+ found = log_pattern.search(line) -+ if ((line == '') or (found)): -+ break -+ -+ return found -+ -+def pattern_errorlog(server, log_pattern): -+ file_obj = open(server.errlog, "r") -+ -+ found = None -+ # Use a while true iteration because 'for line in file: hit a -+ while True: -+ line = file_obj.readline() -+ found = log_pattern.search(line) -+ server.log.fatal("%s --> %s" % (line, found)) -+ if ((line == '') or (found)): -+ break -+ -+ return found -+ -+def test_ticket49523(topo): -+ """Specify a test case purpose or name here -+ -+ :id: e2af0aaa-447e-4e85-a5ce-57ae66260d0b -+ :setup: Fill in set up configuration here -+ :steps: -+ 1. Fill in test case steps here -+ 2. And indent them like this (RST format requirement) -+ :expectedresults: -+ 1. Fill in the result that is expected -+ 2. For each test step -+ """ -+ -+ # If you need any test suite initialization, -+ # please, write additional fixture for that (including finalizer). 
-+ # Topology for suites are predefined in lib389/topologies.py. -+ -+ # If you need host, port or any other data about instance, -+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid) -+ inst = topo.standalone -+ memberof = MemberOfPlugin(inst) -+ memberof.enable() -+ memberof.set_autoaddoc('nsMemberOf') -+ inst.restart() -+ -+ # Step 2 -+ for i in range(10): -+ add_user(inst, i, desc='add user') -+ -+ add_group(inst, 1) -+ -+ group_parent_dn = 'ou=groups,%s' % (SUFFIX) -+ group_rdn = 'cn=%s%d' % (GROUP_CN, 1) -+ group_dn = '%s,%s' % (group_rdn, group_parent_dn) -+ (member_cn, member_dn) = _user_get_dn(1) -+ update_member(inst, member_dn, group_dn, ldap.MOD_ADD, sleep=False) -+ -+ _find_memberof(inst, member_dn, group_dn, find_result=True) -+ -+ pattern = ".*oc_check_allowed_sv - Entry.*cn=%s.* -- attribute.*not allowed.*" % member_cn -+ log.fatal("pattern = %s" % pattern) -+ regex = re.compile(pattern) -+ assert pattern_errorlog(inst, regex) -+ -+ regex = re.compile(".*schema violation caught - repair operation.*") -+ assert pattern_errorlog(inst, regex) -+ -+ if DEBUGGING: -+ # Add debugging steps(if any)... -+ pass -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c -index 44b52edbb..fcfa7817d 100644 ---- a/ldap/servers/plugins/memberof/memberof.c -+++ b/ldap/servers/plugins/memberof/memberof.c -@@ -3236,8 +3236,14 @@ memberof_add_memberof_attr(LDAPMod **mods, const char *dn, char *add_oc) - */ - break; - } -- if (memberof_add_objectclass(add_oc, dn)) { -+ rc = memberof_add_objectclass(add_oc, dn); -+ slapi_log_err(SLAPI_LOG_WARNING, MEMBEROF_PLUGIN_SUBSYSTEM, -+ "Entry %s - schema violation caught - repair operation %s\n", -+ dn ? dn : "unknown", -+ rc ? 
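Review bot: `pattern_accesslog` and `pattern_errorlog` open the log with `open(...)` and never close it, and `pattern_errorlog` logs every scanned line at `fatal` level, which will flood the test output. Wrap the read loop in `with open(server.errlog, "r") as file_obj:` and drop the per-line call or lower it to `log.debug`. The `test_ticket49523` docstring still holds the template placeholders; it should say that the test adds a member whose objectclasses do not allow memberOf and expects both the schema-violation error and the repair warning in the error log. The comment "Use a while true iteration because 'for line in file: hit a" is cut off and should be completed or removed.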
"failed" : "succeeded"); -+ if (rc) { - /* Failed to add objectclass */ -+ rc = LDAP_OBJECT_CLASS_VIOLATION; - break; - } - added_oc = 1; --- -2.13.6 - diff --git a/SOURCES/0056-Ticket-49534-Fix-coverity-issues-and-regression.patch b/SOURCES/0056-Ticket-49534-Fix-coverity-issues-and-regression.patch deleted file mode 100644 index a465a4d..0000000 --- a/SOURCES/0056-Ticket-49534-Fix-coverity-issues-and-regression.patch +++ /dev/null 
@@ -1,1495 +0,0 @@ -From 961a1d68274453a9a0e79acdd4a3d6e3da146722 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 16 Jan 2018 10:14:34 -0500 -Subject: [PATCH] Ticket 49534 - Fix coverity issues and regression - -Description: Fix regression introdcued in the previous coverity patch. - - Also fixed many other coverity issues. - -https://pagure.io/389-ds-base/issue/49534 - -Reviewed by: wibrown, tbordaz, lkrispen(Thanks!) - -(cherry picked from commit 7658232cc427a5c46e94989eec9195f0392ee540) ---- - ldap/servers/plugins/acl/acl.c | 6 ++++ - ldap/servers/plugins/acl/acllas.c | 13 +++++-- - ldap/servers/plugins/automember/automember.c | 6 ++++ - ldap/servers/plugins/cos/cos_cache.c | 16 +++++++-- - ldap/servers/plugins/memberof/memberof_config.c | 8 ++--- - ldap/servers/plugins/replication/cl5_clcache.c | 9 +++-- - .../plugins/replication/repl5_replica_config.c | 3 -- - ldap/servers/plugins/rootdn_access/rootdn_access.c | 7 +++- - ldap/servers/plugins/uiduniq/7bit.c | 18 +++++----- - ldap/servers/plugins/views/views.c | 3 ++ - ldap/servers/slapd/auth.c | 3 +- - ldap/servers/slapd/back-ldbm/dblayer.c | 5 ++- - ldap/servers/slapd/back-ldbm/filterindex.c | 2 +- - ldap/servers/slapd/back-ldbm/import-threads.c | 10 +++--- - ldap/servers/slapd/back-ldbm/index.c | 3 +- - ldap/servers/slapd/back-ldbm/instance.c | 4 +++ - ldap/servers/slapd/back-ldbm/ldbm_add.c | 18 +++++++--- - .../slapd/back-ldbm/ldbm_attrcrypt_config.c | 7 ++-- - .../servers/slapd/back-ldbm/ldbm_instance_config.c | 2 +- - ldap/servers/slapd/back-ldbm/ldbm_search.c | 4 +-- - ldap/servers/slapd/back-ldbm/vlv.c | 2 +- - ldap/servers/slapd/back-ldbm/vlv_srch.c | 2 +- - ldap/servers/slapd/backend.c | 2 +- - ldap/servers/slapd/compare.c | 7 ++-- - ldap/servers/slapd/connection.c | 40 ++++++++++++---------- - ldap/servers/slapd/control.c | 6 ++++ - ldap/servers/slapd/dse.c | 5 +-- - ldap/servers/slapd/eventq.c | 2 +- - ldap/servers/slapd/extendop.c | 10 +++--- - ldap/servers/slapd/filter.c | 12 ++++--- - 
ldap/servers/slapd/index_subsystem.c | 2 +- - ldap/servers/slapd/main.c | 19 ++++++++-- - ldap/servers/slapd/mapping_tree.c | 2 +- - ldap/servers/slapd/modify.c | 39 ++++++++++----------- - ldap/servers/slapd/opshared.c | 7 ++++ - ldap/servers/slapd/passwd_extop.c | 4 +++ - ldap/servers/slapd/plugin.c | 8 +++-- - ldap/servers/slapd/plugin_internal_op.c | 1 + - ldap/servers/slapd/psearch.c | 6 ++-- - ldap/servers/slapd/pw.c | 3 +- - ldap/servers/slapd/pw_mgmt.c | 30 ++++++++++------ - ldap/servers/slapd/result.c | 2 +- - ldap/servers/slapd/saslbind.c | 5 +++ - ldap/servers/slapd/task.c | 5 +-- - ldap/servers/slapd/util.c | 12 ++++--- - ldap/servers/slapd/valueset.c | 10 ++++-- - ldap/servers/slapd/vattr.c | 20 ++++++++--- - ldap/servers/snmp/main.c | 19 ++++++---- - 48 files changed, 276 insertions(+), 153 deletions(-) - -diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c -index f10c9f6b5..bc154c78f 100644 ---- a/ldap/servers/plugins/acl/acl.c -+++ b/ldap/servers/plugins/acl/acl.c -@@ -437,6 +437,12 @@ acl_access_allowed( - * pointers to them--we must always start afresh (see psearch.c). - */ - slapi_pblock_get(pb, SLAPI_OPERATION, &op); -+ if (op == NULL) { -+ slapi_log_err(SLAPI_LOG_ERR, plugin_name, -+ "acl_access_allowed - NULL op\n"); -+ ret_val = LDAP_OPERATIONS_ERROR; -+ goto cleanup_and_ret; -+ } - if (operation_is_flag_set(op, OP_FLAG_PS) || - (aclpb->aclpb_curr_entry_sdn == NULL) || - (slapi_sdn_compare(aclpb->aclpb_curr_entry_sdn, e_sdn) != 0) || -diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c -index b9bea205c..3950fd405 100644 ---- a/ldap/servers/plugins/acl/acllas.c -+++ b/ldap/servers/plugins/acl/acllas.c -@@ -4260,7 +4260,7 @@ acllas_replace_attr_macro(char *rule, lasInfo *lasinfo) - /* - * working_rule is the first member of working_list. - * str points to the next $attr.attrName in working_rule. 
-- * each member of working_list needs to have each occurence of -+ * each member of working_list needs to have each occurrence of - * $attr.atrName replaced with the value of attrName in e. - * If attrName is multi valued then this generates another - * list which replaces the old one. -@@ -4273,8 +4273,7 @@ acllas_replace_attr_macro(char *rule, lasInfo *lasinfo) - str = strstr(macro_str, "."); - if (!str) { - slapi_log_err(SLAPI_LOG_ERR, plugin_name, -- "acllas_replace_attr_macro - Invalid macro \"%s\".", -- macro_str); -+ "acllas_replace_attr_macro - Invalid macro \"%s\".", macro_str); - slapi_ch_free_string(¯o_str); - charray_free(working_list); - return NULL; -@@ -4282,10 +4281,18 @@ acllas_replace_attr_macro(char *rule, lasInfo *lasinfo) - - str++; /* skip the . */ - l = acl_strstr(&str[0], ")"); -+ if (l == -1){ -+ slapi_log_err(SLAPI_LOG_ERR, plugin_name, -+ "acllas_replace_attr_macro - Invalid macro str \"%s\".", str); -+ slapi_ch_free_string(¯o_str); -+ charray_free(working_list); -+ return NULL; -+ } - macro_attr_name = slapi_ch_malloc(l + 1); - strncpy(macro_attr_name, &str[0], l); - macro_attr_name[l] = '\0'; - -+ - slapi_entry_attr_find(e, macro_attr_name, &attr); - if (NULL == attr) { - -diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c -index 4c008e1f2..cbd25915a 100644 ---- a/ldap/servers/plugins/automember/automember.c -+++ b/ldap/servers/plugins/automember/automember.c -@@ -1047,6 +1047,7 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e) - /* Order rules by target group DN */ - if (slapi_sdn_compare(rule->target_group_dn, curr_rule->target_group_dn) < 0) { - PR_INSERT_BEFORE(&(rule->list), list); -+ rule = NULL; - break; - } - -@@ -1055,9 +1056,11 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e) - /* If we hit the end of the list, add to the tail. 
*/ - if ((PRCList *)config->inclusive_rules == list) { - PR_INSERT_BEFORE(&(rule->list), list); -+ rule = NULL; - break; - } - } -+ automember_free_regex_rule(rule); - } else { - /* Add to head of list */ - PR_INSERT_LINK(&(rule->list), (PRCList *)config->inclusive_rules); -@@ -1101,6 +1104,7 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e) - /* Order rules by target group DN */ - if (slapi_sdn_compare(rule->target_group_dn, curr_rule->target_group_dn) < 0) { - PR_INSERT_BEFORE(&(rule->list), list); -+ rule = NULL; - break; - } - -@@ -1109,6 +1113,7 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e) - /* If we hit the end of the list, add to the tail. */ - if ((PRCList *)config->exclusive_rules == list) { - PR_INSERT_BEFORE(&(rule->list), list); -+ rule = NULL; - break; - } - } -@@ -1116,6 +1121,7 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e) - /* Add to head of list */ - PR_INSERT_LINK(&(rule->list), (PRCList *)config->exclusive_rules); - } -+ automember_free_regex_rule(rule); - } else { - slapi_log_err(SLAPI_LOG_ERR, AUTOMEMBER_PLUGIN_SUBSYSTEM, - "automember_parse_regex_entry - Skipping invalid exclusive " -diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c -index 3b3c05783..5e0cf1725 100644 ---- a/ldap/servers/plugins/cos/cos_cache.c -+++ b/ldap/servers/plugins/cos/cos_cache.c -@@ -874,7 +874,7 @@ cos_dn_defs_cb(Slapi_Entry *e, void *callback_data) - - if (pCosAttribute && (!pCosTargetTree || !pCosTemplateDn)) { - /* get the parent of the definition */ -- char *orig = slapi_dn_parent(pDn->val); -+ char *orig = pDn ? 
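Review bot: The `automember_free_regex_rule(rule);` added in the exclusive-rules hunk (-1116) comes after the closing brace of the "Add to head of list" branch, so it also runs when `PR_INSERT_LINK` has just linked `rule` into `config->exclusive_rules` without `rule` being set to NULL. That would free a node that is still on the list. In the inclusive-rules hunk the same call sits inside the non-empty-list branch, after the loop that nulls `rule` on insertion, so the two paths are not symmetric. Indentation is lost in this rendering, so confirm the brace nesting, then either move the call to directly after the loop or add `rule = NULL;` after the `PR_INSERT_LINK` line. Both placements rely on automember_free_regex_rule accepting NULL, which is not visible here.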
slapi_dn_parent(pDn->val) : NULL; - char *parent = NULL; - if (orig) { - parent = slapi_create_dn_string("%s", orig); -@@ -900,7 +900,7 @@ cos_dn_defs_cb(Slapi_Entry *e, void *callback_data) - slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, - "cos_dn_defs_cb - " - "Failed to get parent dn of cos definition %s.\n", -- pDn->val); -+ pDn ? pDn->val : ""); - if (!pCosTemplateDn) { - if (!pCosTargetTree) { - slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, "cos_dn_defs_cb - cosTargetTree and cosTemplateDn are not set.\n"); -@@ -1843,6 +1843,13 @@ cos_cache_add_tmpl(cosTemplates **pTemplates, cosAttrValue *dn, cosAttrValue *ob - - slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "--> cos_cache_add_tmpl\n"); - -+ if (dn == NULL) { -+ slapi_log_err(SLAPI_LOG_ERR, COS_PLUGIN_SUBSYSTEM, -+ "cos_cache_add_tmpl - param cosAttrValue dn is NULL\n"); -+ ret = -1; -+ goto done; -+ } -+ - /* create the attribute */ - theTemp = (cosTemplates *)slapi_ch_malloc(sizeof(cosTemplates)); - if (theTemp) { -@@ -1851,7 +1858,9 @@ cos_cache_add_tmpl(cosTemplates **pTemplates, cosAttrValue *dn, cosAttrValue *ob - int index = 0; - int template_default = 0; - char *ptr = NULL; -- char *normed = slapi_create_dn_string("%s", dn->val); -+ char *normed = NULL; -+ -+ normed = slapi_create_dn_string("%s", dn->val); - if (normed) { - slapi_ch_free_string(&dn->val); - dn->val = normed; -@@ -1964,6 +1973,7 @@ cos_cache_add_tmpl(cosTemplates **pTemplates, cosAttrValue *dn, cosAttrValue *ob - ret = -1; - } - -+done: - slapi_log_err(SLAPI_LOG_TRACE, COS_PLUGIN_SUBSYSTEM, "<-- cos_cache_add_tmpl\n"); - return ret; - } -diff --git a/ldap/servers/plugins/memberof/memberof_config.c b/ldap/servers/plugins/memberof/memberof_config.c -index 3f22d95d6..8a27f5250 100644 ---- a/ldap/servers/plugins/memberof/memberof_config.c -+++ b/ldap/servers/plugins/memberof/memberof_config.c -@@ -550,7 +550,7 @@ memberof_apply_config(Slapi_PBlock *pb __attribute__((unused)), - } - - /* Build the new list */ -- for (i = 
0; theConfig.groupattrs[i]; i++) { -+ for (i = 0; theConfig.groupattrs && theConfig.groupattrs[i]; i++) { - theConfig.group_slapiattrs[i] = slapi_attr_new(); - slapi_attr_init(theConfig.group_slapiattrs[i], theConfig.groupattrs[i]); - } -@@ -572,7 +572,7 @@ memberof_apply_config(Slapi_PBlock *pb __attribute__((unused)), - bytes_out = snprintf(filter_str, filter_str_len - bytes_out, "(|"); - - /* Add filter section for each groupattr. */ -- for (i = 0; theConfig.groupattrs[i]; i++) { -+ for (i = 0; theConfig.groupattrs && theConfig.groupattrs[i]; i++) { - bytes_out += snprintf(filter_str + bytes_out, filter_str_len - bytes_out, "(%s=*)", theConfig.groupattrs[i]); - } - -@@ -721,7 +721,7 @@ memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src) - } - - /* Count how many values we have in the source list. */ -- for (j = 0; src->group_slapiattrs[j]; j++) { -+ for (j = 0; src->group_slapiattrs && src->group_slapiattrs[j]; j++) { - /* Do nothing. */ - } - -@@ -731,7 +731,7 @@ memberof_copy_config(MemberOfConfig *dest, MemberOfConfig *src) - } - - /* Copy the attributes. 
*/ -- for (i = 0; src->group_slapiattrs[i]; i++) { -+ for (i = 0; src->group_slapiattrs && src->group_slapiattrs[i]; i++) { - dest->group_slapiattrs[i] = slapi_attr_dup(src->group_slapiattrs[i]); - } - -diff --git a/ldap/servers/plugins/replication/cl5_clcache.c b/ldap/servers/plugins/replication/cl5_clcache.c -index 40985b9a7..a8477a83a 100644 ---- a/ldap/servers/plugins/replication/cl5_clcache.c -+++ b/ldap/servers/plugins/replication/cl5_clcache.c -@@ -676,7 +676,7 @@ clcache_initial_anchorcsn(CLC_Buffer *buf, int *flag) - buf->buf_state = CLC_STATE_DONE; - } else { - csn_init_by_csn(buf->buf_current_csn, anchorcsn); -- csn_as_string(buf->buf_current_csn, 0, (char *)buf->buf_key.data); -+ buf->buf_key.data = csn_as_string(buf->buf_current_csn, 0, (char *)buf->buf_key.data); - slapi_log_err(SLAPI_LOG_REPL, "clcache_initial_anchorcsn", - "anchor is now: %s\n", (char *)buf->buf_key.data); - } -@@ -746,10 +746,9 @@ clcache_adjust_anchorcsn(CLC_Buffer *buf, int *flag) - buf->buf_state = CLC_STATE_DONE; - } else { - csn_init_by_csn(buf->buf_current_csn, anchorcsn); -- csn_as_string(buf->buf_current_csn, 0, (char *)buf->buf_key.data); -- slapi_log_err(SLAPI_LOG_REPL, buf->buf_agmt_name, "clcache_adjust_anchorcsn - " -- "anchor is now: %s\n", -- (char *)buf->buf_key.data); -+ buf->buf_key.data = csn_as_string(buf->buf_current_csn, 0, (char *)buf->buf_key.data); -+ slapi_log_err(SLAPI_LOG_REPL, buf->buf_agmt_name, -+ "clcache_adjust_anchorcsn - anchor is now: %s\n", (char *)buf->buf_key.data); - } - - return buf->buf_state; -diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c -index 95b933bb8..bda333362 100644 ---- a/ldap/servers/plugins/replication/repl5_replica_config.c -+++ b/ldap/servers/plugins/replication/repl5_replica_config.c -@@ -2527,9 +2527,6 @@ add_cleaned_rid(cleanruv_data *cleanruv_data, char *maxcsn) - Replica *r; - char *forcing; - -- if (data == NULL) { -- return; -- } - rid = 
cleanruv_data->rid; - r = cleanruv_data->replica; - forcing = cleanruv_data->force; -diff --git a/ldap/servers/plugins/rootdn_access/rootdn_access.c b/ldap/servers/plugins/rootdn_access/rootdn_access.c -index b4db1202a..1cb999792 100644 ---- a/ldap/servers/plugins/rootdn_access/rootdn_access.c -+++ b/ldap/servers/plugins/rootdn_access/rootdn_access.c -@@ -459,7 +459,7 @@ rootdn_check_access(Slapi_PBlock *pb) - PRNetAddr *client_addr = NULL; - PRHostEnt *host_entry = NULL; - time_t curr_time; -- struct tm *timeinfo; -+ struct tm *timeinfo = NULL; - char *dnsName = NULL; - int isRoot = 0; - int rc = SLAPI_PLUGIN_SUCCESS; -@@ -478,6 +478,11 @@ rootdn_check_access(Slapi_PBlock *pb) - if (open_time || daysAllowed) { - curr_time = slapi_current_utc_time(); - timeinfo = localtime(&curr_time); -+ if (timeinfo == NULL) { -+ slapi_log_err(SLAPI_LOG_ERR, ROOTDN_PLUGIN_SUBSYSTEM, -+ "rootdn_check_access - Failed to get localtime\n"); -+ return -1; -+ } - } - /* - * First check TOD restrictions, continue through if we are in the open "window" -diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c -index b23e652cf..60fcbab93 100644 ---- a/ldap/servers/plugins/uiduniq/7bit.c -+++ b/ldap/servers/plugins/uiduniq/7bit.c -@@ -715,18 +715,18 @@ preop_modrdn(Slapi_PBlock *pb) - int - NS7bitAttr_Init(Slapi_PBlock *pb) - { -- int err = 0; -+ int32_t err = 0; - Slapi_Entry *plugin_entry = NULL; - char *plugin_type = NULL; -- int preadd = SLAPI_PLUGIN_PRE_ADD_FN; -- int premod = SLAPI_PLUGIN_PRE_MODIFY_FN; -- int premdn = SLAPI_PLUGIN_PRE_MODRDN_FN; -+ int32_t preadd = SLAPI_PLUGIN_PRE_ADD_FN; -+ int32_t premod = SLAPI_PLUGIN_PRE_MODIFY_FN; -+ int32_t premdn = SLAPI_PLUGIN_PRE_MODRDN_FN; - - BEGIN -- int attr_count = 0; -- int argc; -- char **argv; -- int valid_suffix = 0; -+ int32_t attr_count = 0; -+ int32_t argc = 0; -+ char **argv = NULL; -+ int32_t valid_suffix = 0; - - /* Declare plugin version */ - err = slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, -@@ 
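Review bot: `localtime()` in rootdn_check_access returns a pointer to storage shared by every caller in the process. In a multi-threaded server another thread's call can overwrite `*timeinfo` before the time-of-day and day-of-week checks read it, so the root DN access window could be evaluated against the wrong time. The added NULL check does not cover that case. Use the reentrant form with a local buffer: `struct tm tm_buf;` and `timeinfo = localtime_r(&curr_time, &tm_buf);`. The checks that read `timeinfo` are outside this hunk.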
-752,7 +752,7 @@ NS7bitAttr_Init(Slapi_PBlock *pb) - break; - - err = slapi_pblock_get(pb, SLAPI_PLUGIN_ARGV, &argv); -- if (err) -+ if (err || argv == NULL) - break; - - for (attr_count = 0; argv && argv[attr_count]; attr_count++) { -diff --git a/ldap/servers/plugins/views/views.c b/ldap/servers/plugins/views/views.c -index 6ba3e290d..6f784f599 100644 ---- a/ldap/servers/plugins/views/views.c -+++ b/ldap/servers/plugins/views/views.c -@@ -558,6 +558,9 @@ views_cache_index(void) - /* copy over the views */ - for (i = 0; i < theCache.view_count; i++) { - theCache.ppViewIndex[i] = theView; -+ if (theView == NULL){ -+ break; -+ } - theView = theView->list.pNext; - } - -diff --git a/ldap/servers/slapd/auth.c b/ldap/servers/slapd/auth.c -index b8e171b27..a2050b990 100644 ---- a/ldap/servers/slapd/auth.c -+++ b/ldap/servers/slapd/auth.c -@@ -463,7 +463,8 @@ handle_handshake_done(PRFileDesc *prfd, void *clientData) - slapi_log_access(LDAP_DEBUG_STATS, - "conn=%" PRIu64 " %s %i-bit %s; client %s; issuer %s\n", - conn->c_connid, -- sslversion, keySize, cipher ? cipher : "NULL", -+ sslversion, keySize, -+ cipher ? cipher : "NULL", - subject ? escape_string(subject, sbuf) : "NULL", - issuer ? 
escape_string(issuer, ibuf) : "NULL"); - if (issuer) -diff --git a/ldap/servers/slapd/back-ldbm/dblayer.c b/ldap/servers/slapd/back-ldbm/dblayer.c -index 9e557a24a..5d870e364 100644 ---- a/ldap/servers/slapd/back-ldbm/dblayer.c -+++ b/ldap/servers/slapd/back-ldbm/dblayer.c -@@ -3007,7 +3007,7 @@ dblayer_erase_index_file_ex(backend *be, struct attrinfo *a, PRBool use_lock, in - struct dblayer_private_env *pEnv = NULL; - ldbm_instance *inst = NULL; - dblayer_handle *handle = NULL; -- char dbName[MAXPATHLEN]; -+ char dbName[MAXPATHLEN] = {0}; - char *dbNamep; - char *p; - int dbbasenamelen, dbnamelen; -@@ -3098,8 +3098,7 @@ dblayer_erase_index_file_ex(backend *be, struct attrinfo *a, PRBool use_lock, in - dbNamep = (char *)slapi_ch_realloc(dbNamep, dbnamelen); - } - p = dbNamep + dbbasenamelen; -- sprintf(p, "%c%s%s", -- get_sep(dbNamep), a->ai_type, LDBM_FILENAME_SUFFIX); -+ sprintf(p, "%c%s%s", get_sep(dbNamep), a->ai_type, LDBM_FILENAME_SUFFIX); - rc = dblayer_db_remove_ex(pEnv, dbNamep, 0, 0); - a->ai_dblayer = NULL; - if (dbNamep != dbName) -diff --git a/ldap/servers/slapd/back-ldbm/filterindex.c b/ldap/servers/slapd/back-ldbm/filterindex.c -index fd079077c..e8c3c2008 100644 ---- a/ldap/servers/slapd/back-ldbm/filterindex.c -+++ b/ldap/servers/slapd/back-ldbm/filterindex.c -@@ -563,7 +563,7 @@ range_candidates( - - /* Check if it is for bulk import. */ - slapi_pblock_get(pb, SLAPI_OPERATION, &op); -- if (entryrdn_get_switch() && operation_is_flag_set(op, OP_FLAG_INTERNAL) && -+ if (entryrdn_get_switch() && op && operation_is_flag_set(op, OP_FLAG_INTERNAL) && - operation_is_flag_set(op, OP_FLAG_BULK_IMPORT)) { - /* parentid is treated specially that is needed for the bulk import. 
(See #48755) */ - operator= SLAPI_OP_RANGE_NO_IDL_SORT | SLAPI_OP_RANGE_NO_ALLIDS; -diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c -index b8cd9aaa0..0419865c9 100644 ---- a/ldap/servers/slapd/back-ldbm/import-threads.c -+++ b/ldap/servers/slapd/back-ldbm/import-threads.c -@@ -1664,8 +1664,7 @@ upgradedn_producer(void *param) - slapi_ch_free_string(&rdn); - } - } else { -- e = -- slapi_str2entry(data.data, SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT); -+ e = slapi_str2entry(data.data, SLAPI_STR2ENTRY_USE_OBSOLETE_DNFORMAT); - rdn = slapi_ch_strdup(slapi_entry_get_rdn_const(e)); - if (NULL == rdn) { - Slapi_RDN srdn; -@@ -1683,6 +1682,7 @@ upgradedn_producer(void *param) - slapi_log_err(SLAPI_LOG_WARNING, "upgradedn_producer", - "%s: Skipping badly formatted entry (id %lu)\n", - inst->inst_name, (u_long)temp_id); -+ slapi_ch_free_string(&rdn); - continue; - } - -@@ -2183,6 +2183,7 @@ done: - free_IDarray(&dn_norm_sp_conflicts); - slapi_ch_free_string(&ecopy); - slapi_ch_free(&(data.data)); -+ slapi_ch_free_string(&rdn); - if (job->upgradefd) { - fclose(job->upgradefd); - } -@@ -3783,7 +3784,7 @@ out: - slapi_ch_free_string(&search_scope); - - -- if (fd > 0) { -+ if (fd >= 0) { - close(fd); - } - -@@ -3949,8 +3950,7 @@ import_get_and_add_parent_rdns(ImportWorkerInfo *info, - rc = slapi_rdn_add_srdn_to_all_rdns(srdn, &mysrdn); - if (rc) { - slapi_log_err(SLAPI_LOG_ERR, "import_get_and_add_parent_rdns", -- "Failed to merge Slapi_RDN %s to RDN\n", -- slapi_sdn_get_dn(bdn->dn_sdn)); -+ "Failed to merge Slapi_RDN to RDN\n"); - } - bail: - slapi_ch_free(&data.data); -diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c -index 587f4d991..7e1cdd0db 100644 ---- a/ldap/servers/slapd/back-ldbm/index.c -+++ b/ldap/servers/slapd/back-ldbm/index.c -@@ -749,7 +749,7 @@ index_add_mods( - mods[i]->mod_type, - &curr_attr); - if (curr_attr) { -- for (j = 0; mods_valueArray[j] != NULL; j++) { -+ for 
(j = 0; mods_valueArray && mods_valueArray[j] != NULL; j++) {
- if (!slapi_valueset_find(curr_attr, all_vals, mods_valueArray[j])) {
- /*
- * If the mod del value is not found in all_vals
-@@ -1054,6 +1054,7 @@ index_read_ext_allids(
- for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) {
- *err = NEW_IDL_DEFAULT;
- PRIntervalTime interval;
-+ idl_free(&idl);
- idl = idl_fetch_ext(be, db, &key, db_txn, ai, err, allidslimit);
- if (*err == DB_LOCK_DEADLOCK) {
- ldbm_nasty("index_read_ext_allids", "index read retrying transaction", 1045, *err);
-diff --git a/ldap/servers/slapd/back-ldbm/instance.c b/ldap/servers/slapd/back-ldbm/instance.c
-index d4715ab9c..7f9f423a5 100644
---- a/ldap/servers/slapd/back-ldbm/instance.c
-+++ b/ldap/servers/slapd/back-ldbm/instance.c
-@@ -352,6 +352,10 @@ ldbm_instance_find_by_name(struct ldbminfo *li, char *name)
- Object *inst_obj;
- ldbm_instance *inst;
-
-+ if (name == NULL) {
-+ return NULL;
-+ }
-+
- inst_obj = objset_first_obj(li->li_instance_set);
- while (inst_obj != NULL) {
- inst = (ldbm_instance *)object_get_data(inst_obj);
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
-index f29945a7e..c93d44a65 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
-@@ -60,7 +60,7 @@ ldbm_back_add(Slapi_PBlock *pb)
- ID pid;
- int isroot;
- char *errbuf = NULL;
-- back_txn txn;
-+ back_txn txn = {0};
- back_txnid parent_txn;
- int retval = -1;
- char *msg;
-@@ -96,6 +96,7 @@ ldbm_back_add(Slapi_PBlock *pb)
- PRUint64 conn_id;
- int op_id;
- int result_sent = 0;
-+
- if (slapi_pblock_get(pb, SLAPI_CONN_ID, &conn_id) < 0) {
- conn_id = 0; /* connection is NULL */
- }
-@@ -109,6 +110,11 @@ ldbm_back_add(Slapi_PBlock *pb)
- slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_replicated_operation);
- slapi_pblock_get(pb, SLAPI_BACKEND, &be);
-
-+ if (operation == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_add",
"NULL operation\n");
-+ return LDAP_OPERATIONS_ERROR;
-+ }
-+
- is_resurect_operation = operation_is_flag_set(operation, OP_FLAG_RESURECT_ENTRY);
- is_tombstone_operation = operation_is_flag_set(operation, OP_FLAG_TOMBSTONE_ENTRY);
- is_fixup_operation = operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP);
-@@ -126,6 +132,11 @@ ldbm_back_add(Slapi_PBlock *pb)
- goto error_return;
- }
-
-+ if (e == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_add", "entry is NULL.\n");
-+ goto error_return;
-+ }
-+
- /* sdn & parentsdn need to be initialized before "goto *_return" */
- slapi_sdn_init(&parentsdn);
-
-@@ -169,9 +180,8 @@ ldbm_back_add(Slapi_PBlock *pb)
- * before we make our last abandon check to avoid race conditions in
- * the code that processes abandon operations.
- */
-- if (operation) {
-- operation->o_status = SLAPI_OP_STATUS_WILL_COMPLETE;
-- }
-+ operation->o_status = SLAPI_OP_STATUS_WILL_COMPLETE;
-+
- if (slapi_op_abandoned(pb)) {
- ldap_result_code = -1; /* needs to distinguish from "success" */
- goto error_return;
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c
-index e792c26cf..9ecb09903 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c
-@@ -124,8 +124,8 @@ ldbm_instance_attrcrypt_config_add_callback(Slapi_PBlock *pb __attribute__((unus
- {
- ldbm_instance *inst = (ldbm_instance *)arg;
- char *attribute_name = NULL;
-- int cipher = 0;
-- int ret = 0;
-+ int32_t cipher = 0;
-+ int32_t ret = SLAPI_DSE_CALLBACK_OK;
-
- returntext[0] = '\0';
-
-@@ -146,7 +146,6 @@ ldbm_instance_attrcrypt_config_add_callback(Slapi_PBlock *pb __attribute__((unus
- *returncode = LDAP_UNWILLING_TO_PERFORM;
- ret = SLAPI_DSE_CALLBACK_ERROR;
- } else {
--
- ainfo_get(inst->inst_be, attribute_name, &ai);
- /* If we couldn't find a non-default attrinfo, then that means
- * that no indexing or encryption has yet been defined for
this attribute
-@@ -172,9 +171,7 @@ ldbm_instance_attrcrypt_config_add_callback(Slapi_PBlock *pb __attribute__((unus
- *returncode = LDAP_UNWILLING_TO_PERFORM;
- ret = SLAPI_DSE_CALLBACK_ERROR;
- }
-- ret = SLAPI_DSE_CALLBACK_OK;
- }
--
- } else {
- ret = SLAPI_DSE_CALLBACK_ERROR;
- }
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
-index c2e49d5ab..eb2603897 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
-@@ -1307,7 +1307,7 @@ ldbm_instance_delete_instance_entry_callback(Slapi_PBlock *pb __attribute__((unu
- char *returntext,
- void *arg)
- {
-- char *instance_name;
-+ char *instance_name = NULL;
- struct ldbminfo *li = (struct ldbminfo *)arg;
- struct ldbm_instance *inst = NULL;
-
-diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
-index 02a21bf92..8f3111813 100644
---- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
-+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
-@@ -1157,7 +1157,7 @@ subtree_candidates(
- slapi_pblock_get(pb, SLAPI_REQUESTOR_ISROOT, &isroot);
- /* Check if it is for bulk import. */
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
-- if (entryrdn_get_switch() && operation_is_flag_set(op, OP_FLAG_INTERNAL) &&
-+ if (op && entryrdn_get_switch() && operation_is_flag_set(op, OP_FLAG_INTERNAL) &&
- operation_is_flag_set(op, OP_FLAG_BULK_IMPORT)) {
- is_bulk_import = PR_TRUE;
- }
-@@ -1168,7 +1168,7 @@ subtree_candidates(
- * since tombstone entries are not indexed in the ancestorid index.
- * Note: they are indexed in the entryrdn index.
- */
-- if (candidates != NULL && (idl_length(candidates) > FILTER_TEST_THRESHOLD)) {
-+ if (candidates != NULL && (idl_length(candidates) > FILTER_TEST_THRESHOLD) && e) {
- IDList *tmp = candidates, *descendants = NULL;
- back_txn txn = {NULL};
-
-diff --git a/ldap/servers/slapd/back-ldbm/vlv.c b/ldap/servers/slapd/back-ldbm/vlv.c
-index 9a1a1c63e..23825c2d5 100644
---- a/ldap/servers/slapd/back-ldbm/vlv.c
-+++ b/ldap/servers/slapd/back-ldbm/vlv.c
-@@ -1518,7 +1518,7 @@ vlv_trim_candidates_byvalue(backend *be, const IDList *candidates, const sort_sp
- {
- PRUint32 si = 0; /* The Selected Index */
- PRUint32 low = 0;
-- PRUint32 high = candidates->b_nids - 1;
-+ PRUint32 high = 0;
- PRUint32 current = 0;
- ID id = NOID;
- int found = 0;
-diff --git a/ldap/servers/slapd/back-ldbm/vlv_srch.c b/ldap/servers/slapd/back-ldbm/vlv_srch.c
-index e9780b590..c4c0875ad 100644
---- a/ldap/servers/slapd/back-ldbm/vlv_srch.c
-+++ b/ldap/servers/slapd/back-ldbm/vlv_srch.c
-@@ -168,7 +168,7 @@ vlvSearch_init(struct vlvSearch *p, Slapi_PBlock *pb, const Slapi_Entry *e, ldbm
-
- /* switch context back to the DSE backend */
- slapi_pblock_set(pb, SLAPI_BACKEND, oldbe);
-- slapi_pblock_set(pb, SLAPI_PLUGIN, oldbe->be_database);
-+ slapi_pblock_set(pb, SLAPI_PLUGIN, oldbe ?
oldbe->be_database: NULL);
- }
-
- /* make (&(parentid=idofbase)(|(originalfilter)(objectclass=referral))) */
-diff --git a/ldap/servers/slapd/backend.c b/ldap/servers/slapd/backend.c
-index fb3eb77a3..78c00a5a8 100644
---- a/ldap/servers/slapd/backend.c
-+++ b/ldap/servers/slapd/backend.c
-@@ -171,7 +171,7 @@ slapi_be_issuffix(const Slapi_Backend *be, const Slapi_DN *suffix)
- struct suffixlist *list;
- int r = 0;
- /* this backend is no longer valid */
-- if (be->be_state != BE_STATE_DELETED) {
-+ if (be && be->be_state != BE_STATE_DELETED) {
- int i = 0, count;
-
- count = slapi_counter_get_value(be->be_suffixcounter);
-diff --git a/ldap/servers/slapd/compare.c b/ldap/servers/slapd/compare.c
-index 2626d91d0..88a6c3599 100644
---- a/ldap/servers/slapd/compare.c
-+++ b/ldap/servers/slapd/compare.c
-@@ -47,9 +47,11 @@ do_compare(Slapi_PBlock *pb)
-
- slapi_log_err(SLAPI_LOG_TRACE, "do_compare", "=>\n");
-
-+ /* have to init this here so we can "done" it below if we short circuit */
-+ slapi_sdn_init(&sdn);
-+
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
--
- if (pb_op == NULL || pb_conn == NULL) {
- slapi_log_err(SLAPI_LOG_ERR, "do_compare", "NULL param: pb_conn (0x%p) pb_op (0x%p)\n",
- pb_conn, pb_op);
-@@ -62,9 +64,6 @@ do_compare(Slapi_PBlock *pb)
- /* count the compare request */
- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsCompareOps);
-
-- /* have to init this here so we can "done" it below if we short circuit */
-- slapi_sdn_init(&sdn);
--
- /*
- * Parse the compare request. It looks like this:
- *
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index fa24ec040..5d2b64ed2 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1526,18 +1526,6 @@ connection_threadmain()
- [blackflag 624234] */
- ret = connection_wait_for_new_work(pb, interval);
-
-- /*
-- * Connection wait for new work provides the conn and op for us.
-- */
-- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-- if (pb_conn == NULL) {
-- slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain",
-- "pb_conn is NULL\n");
-- slapi_pblock_destroy(pb);
-- g_decr_active_threadcnt();
-- return;
-- }
--
- switch (ret) {
- case CONN_NOWORK:
- PR_ASSERT(interval != PR_INTERVAL_NO_TIMEOUT); /* this should never happen with PR_INTERVAL_NO_TIMEOUT */
-@@ -1550,15 +1538,22 @@ connection_threadmain()
- return;
- case CONN_FOUND_WORK_TO_DO:
- /* note - don't need to lock here - connection should only
-- be used by this thread - since c_gettingber is set to 1
-- in connection_activity when the conn is added to the
-- work queue, setup_pr_read_pds won't add the connection prfd
-- to the poll list */
-+ be used by this thread - since c_gettingber is set to 1
-+ in connection_activity when the conn is added to the
-+ work queue, setup_pr_read_pds won't add the connection prfd
-+ to the poll list */
-+ slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (pb_conn == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain", "pb_conn is NULL\n");
-+ slapi_pblock_destroy(pb);
-+ g_decr_active_threadcnt();
-+ return;
-+ }
- if (pb_conn->c_opscompleted == 0) {
- /*
-- * We have a new connection, set the anonymous reslimit idletimeout
-- * if applicable.
-- */
-+ * We have a new connection, set the anonymous reslimit idletimeout
-+ * if applicable.
-+ */
- char *anon_dn = config_get_anon_limits_dn();
- int idletimeout;
- /* If an anonymous limits dn is set, use it to set the limits.
*/
-@@ -1578,6 +1573,7 @@ connection_threadmain()
- slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain",
- "Could not add/remove IO layers from connection\n");
- }
-+ break;
- default:
- break;
- }
-@@ -1604,6 +1600,12 @@ connection_threadmain()
- /* Once we're here we have a pb */
- slapi_pblock_get(pb, SLAPI_CONNECTION, &conn);
- slapi_pblock_get(pb, SLAPI_OPERATION, &op);
-+ if (conn == NULL || op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain", "NULL param: conn (0x%p) op (0x%p)\n", conn, op);
-+ slapi_pblock_destroy(pb);
-+ g_decr_active_threadcnt();
-+ return;
-+ }
- maxthreads = config_get_maxthreadsperconn();
- more_data = 0;
- ret = connection_read_operation(conn, op, &tag, &more_data);
-diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c
-index 366ec7897..4fd8473be 100644
---- a/ldap/servers/slapd/control.c
-+++ b/ldap/servers/slapd/control.c
-@@ -304,6 +304,12 @@ get_ldapmessage_controls_ext(
-
- Operation *pb_op = NULL;
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-+ if (pb_op == NULL) {
-+ rc = LDAP_OPERATIONS_ERROR;
-+ slapi_log_err(SLAPI_LOG_ERR, "get_ldapmessage_controls_ext", "NULL pb_op\n");
-+ slapi_rwlock_unlock(supported_controls_lock);
-+ goto free_and_return;
-+ }
-
- if (supported_controls == NULL ||
- supported_controls[i] == NULL ||
-diff --git a/ldap/servers/slapd/dse.c b/ldap/servers/slapd/dse.c
-index 662e91aa7..932912c17 100644
---- a/ldap/servers/slapd/dse.c
-+++ b/ldap/servers/slapd/dse.c
-@@ -1727,8 +1727,9 @@ dse_modify(Slapi_PBlock *pb) /* JCM There should only be one exit point from thi
- }
-
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-- internal_op = operation_is_flag_set(pb_op, OP_FLAG_INTERNAL);
--
-+ if (pb_op){
-+ internal_op = operation_is_flag_set(pb_op, OP_FLAG_INTERNAL);
-+ }
- /* Find the entry we are about to modify.
*/
- ec = dse_get_entry_copy(pdse, sdn, DSE_USE_LOCK);
- if (ec == NULL) {
-diff --git a/ldap/servers/slapd/eventq.c b/ldap/servers/slapd/eventq.c
-index 8fccf38a8..a491acd0a 100644
---- a/ldap/servers/slapd/eventq.c
-+++ b/ldap/servers/slapd/eventq.c
-@@ -462,7 +462,7 @@ slapi_eq_get_arg(Slapi_Eq_Context ctx)
- slapi_eq_context **p;
-
- PR_ASSERT(eq_initialized);
-- if (!eq_stopped) {
-+ if (eq && !eq_stopped) {
- PR_Lock(eq->eq_lock);
- p = &(eq->eq_queue);
- while (p && *p != NULL) {
-diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
-index 815949be6..98595bcaa 100644
---- a/ldap/servers/slapd/extendop.c
-+++ b/ldap/servers/slapd/extendop.c
-@@ -135,10 +135,12 @@ extop_handle_import_start(Slapi_PBlock *pb, char *extoid __attribute__((unused))
- * connection block & mark this connection as belonging to a bulk import
- */
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-- PR_EnterMonitor(pb_conn->c_mutex);
-- pb_conn->c_flags |= CONN_FLAG_IMPORT;
-- pb_conn->c_bi_backend = be;
-- PR_ExitMonitor(pb_conn->c_mutex);
-+ if (pb_conn) {
-+ PR_EnterMonitor(pb_conn->c_mutex);
-+ pb_conn->c_flags |= CONN_FLAG_IMPORT;
-+ pb_conn->c_bi_backend = be;
-+ PR_ExitMonitor(pb_conn->c_mutex);
-+ }
-
- slapi_pblock_set(pb, SLAPI_EXT_OP_RET_OID, EXTOP_BULK_IMPORT_START_OID);
- bv.bv_val = NULL;
-diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
-index ef975e679..2ac3d2cd8 100644
---- a/ldap/servers/slapd/filter.c
-+++ b/ldap/servers/slapd/filter.c
-@@ -686,11 +686,13 @@ slapi_filter_dup(Slapi_Filter *f)
- outl = &out->f_list;
- for (fl = f->f_list; fl != NULL; fl = fl->f_next) {
- (*outl) = slapi_filter_dup(fl);
-- (*outl)->f_next = 0;
-- if (lastout)
-- lastout->f_next = *outl;
-- lastout = *outl;
-- outl = &((*outl)->f_next);
-+ if (*outl){
-+ (*outl)->f_next = 0;
-+ if (lastout)
-+ lastout->f_next = *outl;
-+ lastout = *outl;
-+ outl = &((*outl)->f_next);
-+ }
- }
- break;
-
-diff --git a/ldap/servers/slapd/index_subsystem.c
b/ldap/servers/slapd/index_subsystem.c
-index 47ca90047..97cb7b489 100644
---- a/ldap/servers/slapd/index_subsystem.c
-+++ b/ldap/servers/slapd/index_subsystem.c
-@@ -1179,7 +1179,7 @@ index_subsys_assign_decoder(Slapi_Filter *f)
- * have the same associated attributes configuration for now
- * though they may have different namespaces
- */
-- if (index_subsys_index_matches_index(f->assigned_decoder, index)) {
-+ if (index_subsys_index_matches_index(f->assigned_decoder, index) && last) {
- /* add to end */
- last->list.pNext = index_subsys_index_shallow_dup(index);
- last = last->list.pNext;
-diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
-index ddaceffea..e1493bb80 100644
---- a/ldap/servers/slapd/main.c
-+++ b/ldap/servers/slapd/main.c
-@@ -683,13 +683,26 @@ main(int argc, char **argv)
- {
- char *s = getenv("DEBUG_SLEEP");
- if ((s != NULL) && isdigit(*s)) {
-- int secs = atoi(s);
-- printf("slapd pid is %d\n", getpid());
-+ char *endp = NULL;
-+ int64_t secs;
-+ errno = 0;
-+
-+ secs = strtol(s, &endp, 10);
-+ if ( endp == s ||
-+ *endp != '\0' ||
-+ ((secs == LONG_MIN || secs == LONG_MAX) && errno == ERANGE) ||
-+ secs < 1 )
-+ {
-+ /* Invalid value, default to 30 seconds */
-+ secs = 30;
-+ } else if (secs > 3600) {
-+ secs = 3600;
-+ }
-+ printf("slapd pid is %d - sleeping for %ld\n", getpid(), secs);
- sleep(secs);
- }
- }
-
--
- /* used to set configfile to the default config file name here */
- if ((mcfg.myname = strrchr(argv[0], '/')) == NULL) {
- mcfg.myname = slapi_ch_strdup(argv[0]);
-diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
-index 8cc531834..472a2f6aa 100644
---- a/ldap/servers/slapd/mapping_tree.c
-+++ b/ldap/servers/slapd/mapping_tree.c
-@@ -2629,7 +2629,7 @@ mtn_get_be(mapping_tree_node *target_node, Slapi_PBlock *pb, Slapi_Backend **be,
- (target_node->mtn_be_states[*index] == SLAPI_BE_STATE_OFFLINE)) {
- slapi_log_err(SLAPI_LOG_TRACE, "mtn_get_be",
- "Operation attempted on backend in
OFFLINE state : %s\n",
-- target_node->mtn_backend_names[*index]);
-+ target_node->mtn_backend_names ? target_node->mtn_backend_names[*index] : "Unknown backend");
- result = LDAP_OPERATIONS_ERROR;
- *be = defbackend_get_backend();
- }
-diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index 10d263159..f2f6d1783 100644
---- a/ldap/servers/slapd/modify.c
-+++ b/ldap/servers/slapd/modify.c
-@@ -123,7 +123,7 @@ do_modify(Slapi_PBlock *pb)
-
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-- if (operation == NULL) {
-+ if (operation == NULL || pb_conn == NULL) {
- send_ldap_result(pb, LDAP_OPERATIONS_ERROR,
- NULL, "operation is NULL parameter", 0, NULL);
- slapi_log_err(SLAPI_LOG_ERR, "do_modify",
-@@ -1156,6 +1156,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- char *proxydn = NULL;
- char *proxystr = NULL;
- char *errtext = NULL;
-+ int32_t needpw = 0;
-
- slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &repl_op);
- if (repl_op) {
-@@ -1169,24 +1170,23 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- slapi_pblock_get(pb, SLAPI_REQUESTOR_ISROOT, &isroot);
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
- slapi_pblock_get(pb, SLAPI_PWPOLICY, &pwresponse_req);
-- internal_op = operation_is_flag_set(operation, OP_FLAG_INTERNAL);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ slapi_sdn_init_dn_byref(&sdn, dn);
-
-- if (pb_conn == NULL || operation == NULL) {
-- slapi_log_err(SLAPI_LOG_ERR, "op_shared_allow_pw_change",
-- "NULL param error: conn (0x%p) op (0x%p)\n", pb_conn, operation);
-+ if (operation == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "op_shared_allow_pw_change", "NULL operation\n");
- rc = -1;
- goto done;
- }
--
-- slapi_sdn_init_dn_byref(&sdn, dn);
-- pwpolicy = new_passwdPolicy(pb, (char *)slapi_sdn_get_ndn(&sdn));
-+ if (pb_conn) {
-+ needpw = pb_conn->c_needpw;
-+ }
-
- /* get the
proxy auth dn if the proxy auth control is present */
- if ((proxy_err = proxyauth_get_dn(pb, &proxydn, &errtext)) != LDAP_SUCCESS) {
- if (operation_is_flag_set(operation, OP_FLAG_ACTION_LOG_ACCESS)) {
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"\n",
-- pb_conn->c_connid, operation->o_opid,
-+ pb_conn ? pb_conn->c_connid: -1, operation->o_opid,
- slapi_sdn_get_dn(&sdn));
- }
-
-@@ -1195,6 +1195,9 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- goto done;
- }
-
-+ pwpolicy = new_passwdPolicy(pb, (char *)slapi_sdn_get_ndn(&sdn));
-+ internal_op = operation_is_flag_set(operation, OP_FLAG_INTERNAL);
-+
- /* internal operation has root permissions for subtrees it is allowed to access */
- if (!internal_op) {
- /* slapi_acl_check_mods needs an array of LDAPMods, but
-@@ -1225,7 +1228,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn);
- }
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s\n",
-- pb_conn->c_connid, operation->o_opid,
-+ pb_conn ? pb_conn->c_connid : -1, operation->o_opid,
- slapi_sdn_get_dn(&sdn), proxystr ? proxystr : "");
- }
-
-@@ -1254,7 +1257,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
-
- /* Check if password policy allows users to change their passwords.*/
- if (!operation->o_isroot && slapi_sdn_compare(&sdn, &operation->o_sdn) == 0 &&
-- !pb_conn->c_needpw && !pwpolicy->pw_change) {
-+ !needpw && !pwpolicy->pw_change) {
- if (pwresponse_req == 1) {
- slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDMODNOTALLOWED);
- }
-@@ -1267,7 +1270,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- }
-
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s, %s\n",
-- pb_conn->c_connid, operation->o_opid,
-+ pb_conn ?
pb_conn->c_connid : -1, operation->o_opid,
- slapi_sdn_get_dn(&sdn),
- proxystr ? proxystr : "",
- "user is not allowed to change password");
-@@ -1280,8 +1283,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
-
- /* check if password is within password minimum age;
- error result is sent directly from check_pw_minage */
-- if (pb_conn && !pb_conn->c_needpw &&
-- check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) {
-+ if (!needpw && check_pw_minage(pb, &sdn, mod->mod_bvalues) == 1) {
- if (operation_is_flag_set(operation, OP_FLAG_ACTION_LOG_ACCESS)) {
- if (proxydn) {
- proxystr = slapi_ch_smprintf(" authzid=\"%s\"", proxydn);
-@@ -1289,7 +1291,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
-
- if (!internal_op) {
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s, %s\n",
-- pb_conn->c_connid,
-+ pb_conn ? pb_conn->c_connid : -1,
- operation->o_opid,
- slapi_sdn_get_dn(&sdn),
- proxystr ? proxystr : "",
-@@ -1303,17 +1305,14 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
- "within password minimum age");
- }
- }
--
- rc = -1;
- goto done;
- }
-
--
- /* check password syntax; remember the old password;
- error sent directly from check_pw_syntax function */
- valuearray_init_bervalarray(mod->mod_bvalues, &values);
-- switch (check_pw_syntax_ext(pb, &sdn, values, old_pw, NULL,
-- mod->mod_op, smods)) {
-+ switch (check_pw_syntax_ext(pb, &sdn, values, old_pw, NULL, mod->mod_op, smods)) {
- case 0: /* success */
- rc = 1;
- break;
-@@ -1326,7 +1325,7 @@ op_shared_allow_pw_change(Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_M
-
- if (!internal_op) {
- slapi_log_access(LDAP_DEBUG_STATS, "conn=%" PRIu64 " op=%d MOD dn=\"%s\"%s, %s\n",
-- pb_conn->c_connid,
-+ pb_conn ? pb_conn->c_connid : -1,
- operation->o_opid,
- slapi_sdn_get_dn(&sdn),
- proxystr ?
proxystr : "",
-diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
-index 46dcf6fba..50b7ae8f6 100644
---- a/ldap/servers/slapd/opshared.c
-+++ b/ldap/servers/slapd/opshared.c
-@@ -276,6 +276,13 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
- slapi_pblock_get(pb, SLAPI_SEARCH_STRFILTER, &fstr);
- slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &attrs);
- slapi_pblock_get(pb, SLAPI_OPERATION, &operation);
-+ if (operation == NULL) {
-+ op_shared_log_error_access(pb, "SRCH", base, "NULL operation");
-+ send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, "NULL operation", 0, NULL);
-+ rc = -1;
-+ goto free_and_return_nolock;
-+ }
-+
- internal_op = operation_is_flag_set(operation, OP_FLAG_INTERNAL);
- flag_psearch = operation_is_flag_set(operation, OP_FLAG_PS);
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-diff --git a/ldap/servers/slapd/passwd_extop.c b/ldap/servers/slapd/passwd_extop.c
-index 40145af2e..5f21f2f71 100644
---- a/ldap/servers/slapd/passwd_extop.c
-+++ b/ldap/servers/slapd/passwd_extop.c
-@@ -727,6 +727,10 @@ parse_req_done:
- */
- Operation *pb_op = NULL;
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-+ if (pb_op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "passwd_modify_extop", "pb_op is NULL");
-+ goto free_and_return;
-+ }
-
- operation_set_target_spec(pb_op, slapi_entry_get_sdn(targetEntry));
- slapi_pblock_set(pb, SLAPI_REQUESTOR_ISROOT, &pb_op->o_isroot);
-diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
-index e02133abc..2db3c7fcd 100644
---- a/ldap/servers/slapd/plugin.c
-+++ b/ldap/servers/slapd/plugin.c
-@@ -3625,9 +3625,11 @@ plugin_invoke_plugin_pb(struct slapdplugin *plugin, int operation, Slapi_PBlock
- return PR_TRUE;
-
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
--
--
-- PR_ASSERT(pb_op);
-+ if (pb_op == NULL) {
-+ slapi_log_err(SLAPI_LOG_ERR, "plugin_invoke_plugin_pb", "pb_op is NULL");
-+ PR_ASSERT(0);
-+ return PR_FALSE;
-+ }
-
- target_spec =
operation_get_target_spec(pb_op);
-
-diff --git a/ldap/servers/slapd/plugin_internal_op.c b/ldap/servers/slapd/plugin_internal_op.c
-index 52b8df8c3..f6bbafb92 100644
---- a/ldap/servers/slapd/plugin_internal_op.c
-+++ b/ldap/servers/slapd/plugin_internal_op.c
-@@ -527,6 +527,7 @@ internal_plugin_search_entry_callback(Slapi_Entry *e, void *callback_data)
- this_entry = (Entry_Node *)slapi_ch_calloc(1, sizeof(Entry_Node));
-
- if ((this_entry->data = slapi_entry_dup(e)) == NULL) {
-+ slapi_ch_free((void**)&this_entry);
- return (0);
- }
-
-diff --git a/ldap/servers/slapd/psearch.c b/ldap/servers/slapd/psearch.c
-index 1bf062954..8ad268a85 100644
---- a/ldap/servers/slapd/psearch.c
-+++ b/ldap/servers/slapd/psearch.c
-@@ -353,8 +353,8 @@ ps_send_results(void *arg)
- if (rc) {
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
- "conn=%" PRIu64 " op=%d Error %d sending entry %s with op status %d\n",
-- pb_conn->c_connid, pb_op->o_opid,
-- rc, slapi_entry_get_dn_const(ec), pb_op->o_status);
-+ pb_conn->c_connid, pb_op ? pb_op->o_opid: -1,
-+ rc, slapi_entry_get_dn_const(ec), pb_op ? pb_op->o_status : -1);
- }
- }
-
-@@ -401,7 +401,7 @@ ps_send_results(void *arg)
-
- slapi_log_err(SLAPI_LOG_CONNS, "ps_send_results",
- "conn=%" PRIu64 " op=%d Releasing the connection and operation\n",
-- conn->c_connid, pb_op->o_opid);
-+ conn->c_connid, pb_op ?
pb_op->o_opid : -1);
- /* Delete this op from the connection's list */
- connection_remove_operation_ext(ps->ps_pblock, conn, pb_op);
-
-diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
-index 0cf795b41..53464c64a 100644
---- a/ldap/servers/slapd/pw.c
-+++ b/ldap/servers/slapd/pw.c
-@@ -1741,7 +1741,6 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- pwdpolicy->pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
- pwdpolicy->pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
- pwdpolicy->pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
-- pwdpolicy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
- pwdpolicy->pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
- pwdpolicy->pw_minage = SLAPD_DEFAULT_PW_MINAGE;
- pwdpolicy->pw_warning = SLAPD_DEFAULT_PW_WARNING;
-@@ -2229,7 +2228,7 @@ slapi_check_account_lock(Slapi_PBlock *pb, Slapi_Entry *bind_target_entry, int p
- /*
- * Check if the password policy has to be checked or not
- */
-- if (!check_password_policy || pwpolicy->pw_lockout == 0) {
-+ if (!check_password_policy || !pwpolicy || pwpolicy->pw_lockout == 0) {
- goto notlocked;
- }
-
-diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
-index 50bcbde99..602868470 100644
---- a/ldap/servers/slapd/pw_mgmt.c
-+++ b/ldap/servers/slapd/pw_mgmt.c
-@@ -44,6 +44,7 @@ need_new_pw(Slapi_PBlock *pb, Slapi_Entry *e, int pwresponse_req)
- char graceUserTime[16] = {0};
- Connection *pb_conn = NULL;
- long t;
-+ int needpw = 0;
-
- if (NULL == e) {
- return (-1);
-@@ -91,6 +92,9 @@ need_new_pw(Slapi_PBlock *pb, Slapi_Entry *e, int pwresponse_req)
- slapi_ch_free_string(&passwordExpirationTime);
-
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
-+ if (pb_conn) {
-+ needpw = pb_conn->c_needpw;
-+ }
-
- /* Check if password has been reset */
- if (pw_exp_date == NO_TIME) {
-@@ -99,7 +103,11 @@ need_new_pw(Slapi_PBlock *pb, Slapi_Entry *e, int pwresponse_req)
- if (pwpolicy->pw_must_change) {
- /* set c_needpw for this connection to be true.
this client
- now can only change its own password */
-- pb_conn->c_needpw = 1;
-+ if (pb_conn){
-+ pb_conn->c_needpw = needpw = 1;
-+ } else {
-+ needpw = 1;
-+ }
- t = 0;
- /* We need to include "changeafterreset" error in
- * passwordpolicy response control. So, we will not be
-@@ -121,7 +129,7 @@ skip:
- /* if password never expires, don't need to go on; return 0 */
- if (pwpolicy->pw_exp == 0) {
- /* check for "changeafterreset" condition */
-- if (pb_conn->c_needpw == 1) {
-+ if (needpw == 1) {
- if (pwresponse_req) {
- slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_CHGAFTERRESET);
- }
-@@ -150,7 +158,7 @@ skip:
- slapi_mods_done(&smods);
- if (pwresponse_req) {
- /* check for "changeafterreset" condition */
-- if (pb_conn->c_needpw == 1) {
-+ if (needpw == 1) {
- slapi_pwpolicy_make_response_control(pb, -1,
- ((pwpolicy->pw_gracelimit) - pwdGraceUserTime),
- LDAP_PWPOLICY_CHGAFTERRESET);
-@@ -182,9 +190,11 @@ skip:
- if (pb_conn && (LDAP_VERSION2 == pb_conn->c_ldapversion)) {
- Operation *pb_op = NULL;
- slapi_pblock_get(pb, SLAPI_OPERATION, &pb_op);
-- /* We close the connection only with LDAPv2 connections */
-- disconnect_server(pb_conn, pb_op->o_connid,
-- pb_op->o_opid, SLAPD_DISCONNECT_UNBIND, 0);
-+ if (pb_op) {
-+ /* We close the connection only with LDAPv2 connections */
-+ disconnect_server(pb_conn, pb_op->o_connid,
-+ pb_op->o_opid, SLAPD_DISCONNECT_UNBIND, 0);
-+ }
- }
- /* Apply current modifications */
- pw_apply_mods(sdn, &smods);
-@@ -207,7 +217,7 @@ skip:
- /* reset the expiration time to current + warning time
- * and set passwordExpWarned to true
- */
-- if (pb_conn->c_needpw != 1) {
-+ if (needpw != 1) {
- pw_exp_date = time_plus_sec(cur_time, pwpolicy->pw_warning);
- }
-
-@@ -227,14 +237,14 @@ skip:
- slapi_mods_done(&smods);
- if (pwresponse_req) {
- /* check for "changeafterreset" condition */
-- if (pb_conn->c_needpw == 1) {
-+ if (needpw == 1) {
- slapi_pwpolicy_make_response_control(pb, t, -1,
LDAP_PWPOLICY_CHGAFTERRESET);
- } else {
- slapi_pwpolicy_make_response_control(pb, t, -1, -1);
- }
- }
-
-- if (pb_conn->c_needpw == 1) {
-+ if (needpw == 1) {
- slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
- } else {
- slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRING, t);
-@@ -250,7 +260,7 @@ skip:
- pw_apply_mods(sdn, &smods);
- slapi_mods_done(&smods);
- /* Leftover from "changeafterreset" condition */
-- if (pb_conn->c_needpw == 1) {
-+ if (needpw == 1) {
- slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0);
- }
- /* passes checking, return 0 */
-diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c
-index ce394d948..6892ccfdc 100644
---- a/ldap/servers/slapd/result.c
-+++ b/ldap/servers/slapd/result.c
-@@ -1340,7 +1340,7 @@ send_specific_attrs(Slapi_Entry *e, char **attrs, Slapi_Operation *op, Slapi_PBl
- attrs = attrs_ext;
- }
-
-- for (i = 0; attrs && attrs[i] != NULL; i++) {
-+ for (i = 0; my_searchattrs && attrs && attrs[i] != NULL; i++) {
- char *current_type_name = attrs[i];
- Slapi_ValueSet **values = NULL;
- int attr_free_flags = 0;
-diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
-index 67da97148..0907c623f 100644
---- a/ldap/servers/slapd/saslbind.c
-+++ b/ldap/servers/slapd/saslbind.c
-@@ -884,6 +884,11 @@ ids_sasl_check_bind(Slapi_PBlock *pb)
- slapi_pblock_get(pb, SLAPI_CONNECTION, &pb_conn);
- PR_ASSERT(pb_conn);
-
-+ if (pb_conn == NULL){
-+ slapi_log_err(SLAPI_LOG_ERR, "ids_sasl_check_bind", "pb_conn is NULL\n");
-+ return;
-+ }
-+
- PR_EnterMonitor(pb_conn->c_mutex); /* BIG LOCK */
- continuing = pb_conn->c_flags & CONN_FLAG_SASL_CONTINUE;
- pb_conn->c_flags &= ~CONN_FLAG_SASL_CONTINUE; /* reset flag */
-diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
-index 002083c04..4bd8895ff 100644
---- a/ldap/servers/slapd/task.c
-+++ b/ldap/servers/slapd/task.c
-@@ -2335,8 +2335,9 @@ task_fixup_tombstone_thread(void *arg)
- Slapi_Task *task = task_data->task;
- char **base =
task_data->base;
- char *filter = NULL;
-- int fixup_count = 0;
-- int rc, i, j;
-+ int32_t fixup_count = 0;
-+ int32_t rc = 0;
-+ int32_t i, j;
-
- if (!task) {
- return; /* no task */
-diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
-index a0f3268da..a72de9b07 100644
---- a/ldap/servers/slapd/util.c
-+++ b/ldap/servers/slapd/util.c
-@@ -746,8 +746,9 @@ normalize_mods2bvals(const LDAPMod **mods)
- struct berval **mbvp = NULL;
-
- for (mbvp = mods[w]->mod_bvalues,
-- normmbvp = normalized_mods[w]->mod_bvalues;
-- mbvp && *mbvp; mbvp++, normmbvp++) {
-+ normmbvp = normalized_mods[w]->mod_bvalues;
-+ normmbvp && mbvp && *mbvp; mbvp++, normmbvp++)
-+ {
- if (is_dn_syntax) {
- Slapi_DN *sdn = slapi_sdn_new_dn_byref((*mbvp)->bv_val);
- if (slapi_sdn_get_dn(sdn)) {
-@@ -769,8 +770,9 @@ normalize_mods2bvals(const LDAPMod **mods)
- char **mvp = NULL;
-
- for (mvp = mods[w]->mod_values,
-- normmbvp = normalized_mods[w]->mod_bvalues;
-- mvp && *mvp; mvp++, normmbvp++) {
-+ normmbvp = normalized_mods[w]->mod_bvalues;
-+ normmbvp && mvp && *mvp; mvp++, normmbvp++)
-+ {
- vlen = strlen(*mvp);
-
- *normmbvp =
-@@ -801,7 +803,7 @@ normalize_mods2bvals(const LDAPMod **mods)
- PR_ASSERT(normmbvp - normalized_mods[w]->mod_bvalues <= num_values);
-
- /* don't forget to null terminate it */
-- if (num_values > 0) {
-+ if (num_values > 0 && normmbvp) {
- *normmbvp = NULL;
- }
- }
-diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c
-index 14ebc48e6..2af3ee18d 100644
---- a/ldap/servers/slapd/valueset.c
-+++ b/ldap/servers/slapd/valueset.c
-@@ -121,7 +121,9 @@ valuearray_add_valuearray_fast(Slapi_Value ***vals,
- j++;
- }
- }
-- (*vals)[nvals + j] = NULL;
-+ if (*vals) {
-+ (*vals)[nvals + j] = NULL;
-+ }
- }
-
- void
-@@ -1138,7 +1140,7 @@ slapi_valueset_add_attr_valuearray_ext(const Slapi_Attr *a, Slapi_ValueSet *vs,
- }
-
- for (size_t i = 0; i < naddvals; i++) {
-- if (addvals[i] != NULL) {
-+ if (addvals[i] != NULL && vs->va) {
- if
(passin) { - /* We consume the values */ - (vs->va)[vs->num] = addvals[i]; -@@ -1166,7 +1168,9 @@ slapi_valueset_add_attr_valuearray_ext(const Slapi_Attr *a, Slapi_ValueSet *vs, - } - } - } -- (vs->va)[vs->num] = NULL; -+ if (vs->va){ -+ (vs->va)[vs->num] = NULL; -+ } - - PR_ASSERT((vs->sorted == NULL) || (vs->num < VALUESET_ARRAY_SORT_THRESHOLD) || ((vs->num >= VALUESET_ARRAY_SORT_THRESHOLD) && (vs->sorted[0] < vs->num))); - return (rc); -diff --git a/ldap/servers/slapd/vattr.c b/ldap/servers/slapd/vattr.c -index 13e527188..f7c473ab1 100644 ---- a/ldap/servers/slapd/vattr.c -+++ b/ldap/servers/slapd/vattr.c -@@ -316,13 +316,19 @@ vattr_context_check(vattr_context *c) - static void - vattr_context_mark(vattr_context *c) - { -- c->vattr_context_loop_count += 1; -+ if (c) { -+ c->vattr_context_loop_count += 1; -+ } - } - - static int - vattr_context_unmark(vattr_context *c) - { -- return (c->vattr_context_loop_count -= 1); -+ if (c) { -+ return (c->vattr_context_loop_count -= 1); -+ } else { -+ return 0; -+ } - } - - /* modify the context structure on exit from a vattr sp function */ -@@ -385,13 +391,19 @@ vattr_context_grok(vattr_context **c) - static void - vattr_context_set_loop_msg_displayed(vattr_context **c) - { -- (*c)->error_displayed = 1; -+ if (c && *c){ -+ (*c)->error_displayed = 1; -+ } - } - - static int - vattr_context_is_loop_msg_displayed(vattr_context **c) - { -- return (*c)->error_displayed; -+ if (c && *c){ -+ return (*c)->error_displayed; -+ } else { -+ return 0; -+ } - } - - /* -diff --git a/ldap/servers/snmp/main.c b/ldap/servers/snmp/main.c -index 5bd318df4..95cc26148 100644 ---- a/ldap/servers/snmp/main.c -+++ b/ldap/servers/snmp/main.c -@@ -21,6 +21,7 @@ - #include "ldap.h" - #include "ldif.h" - #include -+#include - #include - - static char *agentx_master = NULL; -@@ -56,16 +57,22 @@ main(int argc, char *argv[]) - char *s = getenv("DEBUG_SLEEP"); - if ((s != NULL) && isdigit(*s)) { - char *endp = NULL; -- long secs; -+ int64_t secs; - errno 
= 0; - -- printf("%s pid is %d\n", argv[0], getpid()); - secs = strtol(s, &endp, 10); -- if (*endp != '\0' || errno == ERANGE) { -- sleep(10); -- } else { -- sleep(secs); -+ if ( endp == s || -+ *endp != '\0' || -+ ((secs == LONG_MIN || secs == LONG_MAX) && errno == ERANGE) || -+ secs < 1 ) -+ { -+ /* Invalid value, default to 30 seconds */ -+ secs = 30; -+ } else if (secs > 3600) { -+ secs = 3600; - } -+ printf("%s pid is %d - sleeping for %ld\n", argv[0], getpid(), secs); -+ sleep(secs); - } - } - --- -2.13.6 - diff --git a/SOURCES/0057-Ticket-49370-Add-all-the-password-policy-defaults-to.patch b/SOURCES/0057-Ticket-49370-Add-all-the-password-policy-defaults-to.patch deleted file mode 100644 index 239c6cb..0000000 --- a/SOURCES/0057-Ticket-49370-Add-all-the-password-policy-defaults-to.patch +++ /dev/null 
@@ -1,288 +0,0 @@
-From 86efa0314c59550f0660c8d143a52a57b1dffb96 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Thu, 18 Jan 2018 09:56:17 -0500
-Subject: [PATCH] Ticket 49370 - Add all the password policy defaults to a new
- local policy
-
-Bug Description: When processing a local password policy we were not pulling
- in the defaults for the "on/off" settings. This patch
- addresses that.
-
-Fix Description: Create common default init functions for all password policies
-
-https://pagure.io/389-ds-base/issue/49370
-
-Reviewed by: tbordaz, wibrown, and spichugi (Thanks!!!)
-
-(cherry picked from commit c8b388bf9f5269e1e1dc8c7c70ec8e58e825204a)
----
- .../tests/suites/password/regression_test.py | 58 +++++++++++++--
- ldap/servers/slapd/libglobs.c | 84 ++++++++++++++--------
- ldap/servers/slapd/pw.c | 29 ++------
- ldap/servers/slapd/slap.h | 2 +
- 4 files changed, 113 insertions(+), 60 deletions(-)
-
-diff --git a/dirsrvtests/tests/suites/password/regression_test.py b/dirsrvtests/tests/suites/password/regression_test.py
-index f6ee16773..800294057 100644
---- a/dirsrvtests/tests/suites/password/regression_test.py
-+++ b/dirsrvtests/tests/suites/password/regression_test.py
-@@ -6,9 +6,10 @@
- # --- END COPYRIGHT BLOCK ---
- #
- import pytest
--from lib389._constants import SUFFIX, PASSWORD
-+import time
-+from lib389._constants import SUFFIX, PASSWORD, DN_DM
- from lib389.idm.user import UserAccounts
--from lib389.utils import ldap, os, logging
-+from lib389.utils import ldap, os, logging, ensure_bytes
- from lib389.topologies import topology_st as topo
-
- DEBUGGING = os.getenv("DEBUGGING", default=False)
-@@ -20,6 +21,7 @@ log = logging.getLogger(__name__)
-
- user_data = {'cn': 'CNpwtest1', 'sn': 'SNpwtest1', 'uid': 'UIDpwtest1', 'mail': 'MAILpwtest1@redhat.com',
- 'givenname': 'GNpwtest1'}
-+
- TEST_PASSWORDS = list(user_data.values())
- # Add substring/token values of "CNpwtest1"
- TEST_PASSWORDS += ['CNpwtest1ZZZZ', 'ZZZZZCNpwtest1',
-@@ -37,13 +39,20 @@ def passw_policy(topo, request):
- """Configure password policy with PasswordCheckSyntax attribute set to on"""
-
- log.info('Configure Pwpolicy with PasswordCheckSyntax and nsslapd-pwpolicy-local set to on')
-+ topo.standalone.simple_bind_s(DN_DM, PASSWORD)
- topo.standalone.config.set('PasswordExp', 'on')
- topo.standalone.config.set('PasswordCheckSyntax', 'off')
- topo.standalone.config.set('nsslapd-pwpolicy-local', 'on')
-
- subtree = 'ou=people,{}'.format(SUFFIX)
- log.info('Configure subtree password policy for {}'.format(subtree))
-- topo.standalone.subtreePwdPolicy(subtree, {'passwordchange': 'on', 'passwordCheckSyntax': 'on'})
-+ topo.standalone.subtreePwdPolicy(subtree, {'passwordchange': ensure_bytes('on'),
-+ 'passwordCheckSyntax': ensure_bytes('on'),
-+ 'passwordLockout': ensure_bytes('on'),
-+ 'passwordResetFailureCount': ensure_bytes('3'),
-+ 'passwordLockoutDuration': ensure_bytes('3'),
-+ 'passwordMaxFailure': ensure_bytes('2')})
-+ time.sleep(1)
-
- def fin():
- log.info('Reset pwpolicy configuration settings')
-@@ -76,6 +85,47 @@ def test_user(topo, request):
- return tuser
-
-
-+def test_pwp_local_unlock(topo, passw_policy, test_user):
-+ """Test subtree policies use the same global default for passwordUnlock
-+
-+ :id: 741a8417-5f65-4012-b9ed-87987ce3ca1b
-+ :setup: Standalone instance
-+ :steps:
-+ 1. Test user can bind
-+ 2. Bind with bad passwords to lockout account, and verify account is locked
-+ 3. Wait for lockout interval, and bind with valid password
-+ :expectedresults:
-+ 1. Bind successful
-+ 2. Entry is locked
-+ 3. Entry can bind with correct password
-+ """
-+
-+ log.info("Verify user can bind...")
-+ test_user.bind(PASSWORD)
-+
-+ log.info('Test passwordUnlock default - user should be able to reset password after lockout')
-+ for i in range(0,2):
-+ try:
-+ test_user.bind("bad-password")
-+ except ldap.INVALID_CREDENTIALS:
-+ # expected
-+ pass
-+ except ldap.LDAPError as e:
-+ log.fatal("Got unexpected failure: " + atr(e))
-+ raise e
-+
-+
-+ log.info('Verify account is locked')
-+ with pytest.raises(ldap.CONSTRAINT_VIOLATION):
-+ test_user.bind(PASSWORD)
-+
-+ log.info('Wait for lockout duration...')
-+ time.sleep(4)
-+
-+ log.info('Check if user can now bind with correct password')
-+ test_user.bind(PASSWORD)
-+
-+
- @pytest.mark.bz1465600
- @pytest.mark.parametrize("user_pasw", TEST_PASSWORDS)
- def test_trivial_passw_check(topo, passw_policy, test_user, user_pasw):
-@@ -143,4 +193,4 @@ if __name__ == '__main__':
- # Run isolated
- # -s for DEBUG mode
- CURRENT_FILE = os.path.realpath(__file__)
-- pytest.main("-s {}".format(CURRENT_FILE))
-+ pytest.main(["-s", CURRENT_FILE])
-diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
-index 1ba30002f..c1a765aca 100644
---- a/ldap/servers/slapd/libglobs.c
-+++ b/ldap/servers/slapd/libglobs.c
-@@ -1401,6 +1401,56 @@ getFrontendConfig(void)
- */
-
- void
-+pwpolicy_init_defaults (passwdPolicy *pw_policy)
-+{
-+ pw_policy->pw_change = LDAP_ON;
-+ pw_policy->pw_must_change = LDAP_OFF;
-+ pw_policy->pw_syntax = LDAP_OFF;
-+ pw_policy->pw_exp = LDAP_OFF;
-+ pw_policy->pw_send_expiring = LDAP_OFF;
-+ pw_policy->pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
-+ pw_policy->pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
-+ pw_policy->pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
-+ pw_policy->pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
-+ pw_policy->pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
-+ pw_policy->pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
-+ pw_policy->pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
-+ pw_policy->pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
-+ pw_policy->pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
-+ pw_policy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
-+ pw_policy->pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
-+ pw_policy->pw_minage = SLAPD_DEFAULT_PW_MINAGE;
-+ pw_policy->pw_warning = SLAPD_DEFAULT_PW_WARNING;
-+ pw_policy->pw_history = LDAP_OFF;
-+ pw_policy->pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
-+ pw_policy->pw_lockout = LDAP_OFF;
-+ pw_policy->pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
-+ pw_policy->pw_unlock = LDAP_ON;
-+ pw_policy->pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
-+ pw_policy->pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
-+ pw_policy->pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
-+ pw_policy->pw_admin = NULL;
-+ pw_policy->pw_admin_user = NULL;
-+ pw_policy->pw_is_legacy = LDAP_ON;
-+ pw_policy->pw_track_update_time = LDAP_OFF;
-+}
-+
-+static void
-+pwpolicy_fe_init_onoff(passwdPolicy *pw_policy)
-+{
-+ init_pw_change = pw_policy->pw_change;
-+ init_pw_must_change = pw_policy->pw_must_change;
-+ init_pw_syntax = pw_policy->pw_syntax;
-+ init_pw_exp = pw_policy->pw_exp;
-+ init_pw_send_expiring = pw_policy->pw_send_expiring;
-+ init_pw_history = pw_policy->pw_history;
-+ init_pw_lockout = pw_policy->pw_lockout;
-+ init_pw_unlock = pw_policy->pw_unlock;
-+ init_pw_is_legacy = pw_policy->pw_is_legacy;
-+ init_pw_track_update_time = pw_policy->pw_track_update_time;
-+}
-+
-+void
- FrontendConfig_init(void)
- {
- slapdFrontendConfig_t *cfg = getFrontendConfig();
-@@ -1511,41 +1561,13 @@ FrontendConfig_init(void)
- * let clients abide by the LDAP standards and send us a SASL/EXTERNAL bind
- * if that's what they want to do */
- init_force_sasl_external = cfg->force_sasl_external = LDAP_OFF;
--
- init_readonly = cfg->readonly = LDAP_OFF;
-+
-+ pwpolicy_init_defaults(&cfg->pw_policy);
-+ pwpolicy_fe_init_onoff(&cfg->pw_policy);
- init_pwpolicy_local = cfg->pwpolicy_local = LDAP_OFF;
- init_pwpolicy_inherit_global = cfg->pwpolicy_inherit_global = LDAP_OFF;
-- init_pw_change = cfg->pw_policy.pw_change = LDAP_ON;
-- init_pw_must_change = cfg->pw_policy.pw_must_change = LDAP_OFF;
- init_allow_hashed_pw = cfg->allow_hashed_pw = LDAP_OFF;
-- init_pw_syntax = cfg->pw_policy.pw_syntax = LDAP_OFF;
-- init_pw_exp = cfg->pw_policy.pw_exp = LDAP_OFF;
-- init_pw_send_expiring = cfg->pw_policy.pw_send_expiring = LDAP_OFF;
-- cfg->pw_policy.pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
-- cfg->pw_policy.pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
-- cfg->pw_policy.pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
-- cfg->pw_policy.pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
-- cfg->pw_policy.pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
-- cfg->pw_policy.pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
-- cfg->pw_policy.pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
-- cfg->pw_policy.pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
-- cfg->pw_policy.pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
-- cfg->pw_policy.pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
-- cfg->pw_policy.pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
-- cfg->pw_policy.pw_minage = SLAPD_DEFAULT_PW_MINAGE;
-- cfg->pw_policy.pw_warning = SLAPD_DEFAULT_PW_WARNING;
-- init_pw_history = cfg->pw_policy.pw_history = LDAP_OFF;
-- cfg->pw_policy.pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
-- init_pw_lockout = cfg->pw_policy.pw_lockout = LDAP_OFF;
-- cfg->pw_policy.pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
-- init_pw_unlock = cfg->pw_policy.pw_unlock = LDAP_ON;
-- cfg->pw_policy.pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
-- cfg->pw_policy.pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
-- cfg->pw_policy.pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
-- cfg->pw_policy.pw_admin = NULL;
-- cfg->pw_policy.pw_admin_user = NULL;
-- init_pw_is_legacy = cfg->pw_policy.pw_is_legacy = LDAP_ON;
-- init_pw_track_update_time = cfg->pw_policy.pw_track_update_time = LDAP_OFF;
- init_pw_is_global_policy = cfg->pw_is_global_policy = LDAP_OFF;
-
- init_accesslog_logging_enabled = cfg->accesslog_logging_enabled = LDAP_ON;
-diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
-index 53464c64a..3a545e12e 100644
---- a/ldap/servers/slapd/pw.c
-+++ b/ldap/servers/slapd/pw.c
-@@ -1730,32 +1730,11 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- goto done;
- }
-
-- /* Set the default values */
-- pwdpolicy->pw_mintokenlength = SLAPD_DEFAULT_PW_MINTOKENLENGTH;
-- pwdpolicy->pw_minlength = SLAPD_DEFAULT_PW_MINLENGTH;
-- pwdpolicy->pw_mindigits = SLAPD_DEFAULT_PW_MINDIGITS;
-- pwdpolicy->pw_minalphas = SLAPD_DEFAULT_PW_MINALPHAS;
-- pwdpolicy->pw_minuppers = SLAPD_DEFAULT_PW_MINUPPERS;
-- pwdpolicy->pw_minlowers = SLAPD_DEFAULT_PW_MINLOWERS;
-- pwdpolicy->pw_minspecials = SLAPD_DEFAULT_PW_MINSPECIALS;
-- pwdpolicy->pw_min8bit = SLAPD_DEFAULT_PW_MIN8BIT;
-- pwdpolicy->pw_maxrepeats = SLAPD_DEFAULT_PW_MAXREPEATS;
-- pwdpolicy->pw_mincategories = SLAPD_DEFAULT_PW_MINCATEGORIES;
-- pwdpolicy->pw_maxage = SLAPD_DEFAULT_PW_MAXAGE;
-- pwdpolicy->pw_minage = SLAPD_DEFAULT_PW_MINAGE;
-- pwdpolicy->pw_warning = SLAPD_DEFAULT_PW_WARNING;
-- pwdpolicy->pw_inhistory = SLAPD_DEFAULT_PW_INHISTORY;
-- pwdpolicy->pw_maxfailure = SLAPD_DEFAULT_PW_MAXFAILURE;
-- pwdpolicy->pw_lockduration = SLAPD_DEFAULT_PW_LOCKDURATION;
-- pwdpolicy->pw_resetfailurecount = SLAPD_DEFAULT_PW_RESETFAILURECOUNT;
-- pwdpolicy->pw_gracelimit = SLAPD_DEFAULT_PW_GRACELIMIT;
--
-- /* set the default passwordLegacyPolicy setting */
-- pwdpolicy->pw_is_legacy = 1;
--
-- /* set passwordTrackUpdateTime */
-- pwdpolicy->pw_track_update_time = slapdFrontendConfig->pw_policy.pw_track_update_time;
-+ /* Set the default values (from libglobs.c) */
-+ pwpolicy_init_defaults(pwdpolicy);
-+ pwdpolicy->pw_storagescheme = slapdFrontendConfig->pw_storagescheme;
-
-+ /* Set the defined values now */
- for (slapi_entry_first_attr(pw_entry, &attr); attr;
- slapi_entry_next_attr(pw_entry, attr, &attr)) {
- slapi_attr_get_type(attr, &attr_name);
-diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
-index 08754d8fb..f6fc374a4 100644
---- a/ldap/servers/slapd/slap.h
-+++ b/ldap/servers/slapd/slap.h
-@@ -1773,6 +1773,8 @@ typedef struct passwordpolicyarray
- Slapi_DN **pw_admin_user;
- } passwdPolicy;
-
-+void pwpolicy_init_defaults (passwdPolicy *pw_policy);
-+
- Slapi_PBlock *slapi_pblock_clone(Slapi_PBlock *pb); /* deprecated */
-
- passwdPolicy *slapi_pblock_get_pwdpolicy(Slapi_PBlock *pb);
---
-2.13.6
-
diff --git a/SOURCES/0058-Ticket-49541-repl-config-should-not-allow-rid-65535-.patch b/SOURCES/0058-Ticket-49541-repl-config-should-not-allow-rid-65535-.patch
deleted file mode 100644
index 63a6136..0000000
--- a/SOURCES/0058-Ticket-49541-repl-config-should-not-allow-rid-65535-.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 38ca528af83f1874a79ad6744215bd4af1404414 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Thu, 18 Jan 2018 13:17:08 -0500
-Subject: [PATCH] Ticket 49541 - repl config should not allow rid 65535 for
- masters
-
-Description: Reject adding a replica config entry with a rid of 65535 or higher,
- and prevent setting master's rid to 65535 or higher.
-
-https://pagure.io/389-ds-base/issue/49541
-
-Reviewed by: mreynolds(one line commit rule)
-
-(cherry picked from commit ebb00a4180693225cf3c2f4aced54dc33141fa77)
----
- dirsrvtests/tests/suites/replication/replica_config_test.py | 9 +++++----
- ldap/servers/plugins/replication/repl5_replica.c | 2 +-
- 2 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/dirsrvtests/tests/suites/replication/replica_config_test.py b/dirsrvtests/tests/suites/replication/replica_config_test.py
-index 50ea2ece9..143a12479 100644
---- a/dirsrvtests/tests/suites/replication/replica_config_test.py
-+++ b/dirsrvtests/tests/suites/replication/replica_config_test.py
-@@ -24,7 +24,7 @@ replica_dict = {'objectclass': 'top nsDS5Replica'.split(),
- 'nsDS5ReplicaRoot': 'dc=example,dc=com',
- 'nsDS5ReplicaType': '3',
- 'nsDS5Flags': '1',
-- 'nsDS5ReplicaId': '65535',
-+ 'nsDS5ReplicaId': '65534',
- 'nsds5ReplicaPurgeDelay': '604800',
- 'nsDS5ReplicaBindDN': 'cn=u',
- 'cn': 'replica'}
-@@ -42,7 +42,7 @@ agmt_dict = {'objectClass': 'top nsDS5ReplicationAgreement'.split(),
-
- repl_add_attrs = [('nsDS5ReplicaType', '-1', '4', overflow, notnum, '1'),
- ('nsDS5Flags', '-1', '2', overflow, notnum, '1'),
-- ('nsDS5ReplicaId', '0', '65536', overflow, notnum, '1'),
-+ ('nsDS5ReplicaId', '0', '65535', overflow, notnum, '1'),
- ('nsds5ReplicaPurgeDelay', '-2', too_big, overflow, notnum, '1'),
- ('nsDS5ReplicaBindDnGroupCheckInterval', '-2', too_big, overflow, notnum, '1'),
- ('nsds5ReplicaTombstonePurgeInterval', '-2', too_big, overflow, notnum, '1'),
-@@ -60,7 +60,8 @@ repl_mod_attrs = [('nsDS5Flags', '-1', '2', overflow, notnum, '1'),
- ('nsds5ReplicaBackoffMin', '0', too_big, overflow, notnum, '3'),
- ('nsds5ReplicaBackoffMax', '0', too_big, overflow, notnum, '6')]
-
--agmt_attrs = [('nsds5ReplicaPort', '0', '65536', overflow, notnum, '389'),
-+agmt_attrs = [
-+ ('nsds5ReplicaPort', '0', '65535', overflow, notnum, '389'),
- ('nsds5ReplicaTimeout', '-1', too_big, overflow, notnum, '6'),
- ('nsds5ReplicaBusyWaitTime', '-1', too_big, overflow, notnum, '6'),
- ('nsds5ReplicaSessionPauseTime', '-1', too_big, overflow, notnum, '6'),
-@@ -393,5 +394,5 @@ if __name__ == '__main__':
- # Run isolated
- # -s for DEBUG mode
- CURRENT_FILE = os.path.realpath(__file__)
-- pytest.main("-s %s" % CURRENT_FILE)
-+ pytest.main(["-s", CURRENT_FILE])
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index e75807a62..bdb8a5167 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -1988,7 +1988,7 @@ _replica_init_from_config(Replica *r, Slapi_Entry *e, char *errortext)
- r->repl_type == REPLICA_TYPE_PRIMARY) {
- if ((val = slapi_entry_attr_get_charptr(e, attr_replicaId))) {
- int64_t rid;
-- if (repl_config_valid_num(attr_replicaId, val, 1, 65535, &rc, errormsg, &rid) != 0) {
-+ if (repl_config_valid_num(attr_replicaId, val, 1, 65534, &rc, errormsg, &rid) != 0) {
- slapi_ch_free_string(&val);
- return -1;
- }
---
-2.13.6
-
diff --git a/SOURCES/0059-CVE-2017-15134-crash-in-slapi_filter_sprintf.patch b/SOURCES/0059-CVE-2017-15134-crash-in-slapi_filter_sprintf.patch
deleted file mode 100644
index 8d43a80..0000000
--- a/SOURCES/0059-CVE-2017-15134-crash-in-slapi_filter_sprintf.patch
+++ /dev/null
@@ -1,111 +0,0 @@
-From cb008bcace2510f157ccec2df4e5ff254513b7c4 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz
-Date: Mon, 15 Jan 2018 10:24:41 +0100
-Subject: [PATCH] CVE 2017-15134 - crash in slapi_filter_sprintf
-
-Signed-off-by: Mark Reynolds
----
- ldap/servers/slapd/util.c | 36 +++++++++++++++++++++++++++++++-----
- 1 file changed, 31 insertions(+), 5 deletions(-)
-
-diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
-index a72de9b07..ddb2cc899 100644
---- a/ldap/servers/slapd/util.c
-+++ b/ldap/servers/slapd/util.c
-@@ -238,9 +238,10 @@ escape_string_for_filename(const char *str, char buf[BUFSIZ])
- struct filter_ctx
- {
- char *buf;
-- char attr[ATTRSIZE];
-+ char *attr;
- int attr_position;
- int attr_found;
-+ size_t attr_size;
- int buf_size;
- int buf_len;
- int next_arg_needs_esc_norm;
-@@ -279,7 +280,7 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
- * Start collecting the attribute name so we can use the correct
- * syntax normalization func.
- */
-- if (ctx->attr_found == 0 && ctx->attr_position < (ATTRSIZE - 1)) {
-+ if (ctx->attr_found == 0 && ctx->attr_position < (ctx->attr_size - 1)) {
- if (ctx->attr[0] == '\0') {
- if (strstr(val, "=")) {
- /* we have an attr we need to record */
-@@ -293,6 +294,14 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
- * attr with val. The next pass should be '=', otherwise we will
- * reset it.
- */
-+ if (slen > ctx->attr_size) {
-+ if (ctx->attr_size == ATTRSIZE) {
-+ ctx->attr = slapi_ch_calloc(sizeof(char), slen+1);
-+ } else {
-+ ctx->attr = slapi_ch_realloc(ctx->attr, sizeof(char) * (slen+1));
-+ }
-+ ctx->attr_size = slen+1;
-+ }
- memcpy(ctx->attr, val, slen);
- ctx->attr_position = slen;
- }
-@@ -302,9 +311,20 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
- } else {
- if (special_attr_char(val[0])) {
- /* this is not an attribute, we should not be collecting this, reset everything */
-- memset(ctx->attr, '\0', ATTRSIZE);
-+ memset(ctx->attr, '\0', ctx->attr_size);
- ctx->attr_position = 0;
- } else {
-+ /* we can be adding char by char and overrun allocated size */
-+ if (ctx->attr_position >= ctx->attr_size) {
-+ if (ctx->attr_size == ATTRSIZE) {
-+ char *ctxattr = slapi_ch_calloc(sizeof(char), ctx->attr_size + ATTRSIZE);
-+ memcpy(ctxattr, ctx->attr, ctx->attr_size);
-+ ctx->attr = ctxattr;
-+ } else {
-+ ctx->attr = slapi_ch_realloc(ctx->attr, sizeof(char) * (ctx->attr_size + ATTRSIZE));
-+ }
-+ ctx->attr_size = ctx->attr_size + ATTRSIZE;
-+ }
- memcpy(ctx->attr + ctx->attr_position, val, 1);
- ctx->attr_position++;
- }
-@@ -377,7 +397,7 @@ filter_stuff_func(void *arg, const char *val, PRUint32 slen)
- ctx->next_arg_needs_esc_norm = 0;
- ctx->attr_found = 0;
- ctx->attr_position = 0;
-- memset(ctx->attr, '\0', ATTRSIZE);
-+ memset(ctx->attr, '\0', ctx->attr_size);
- slapi_ch_free_string(&buf);
-
- return filter_len;
-@@ -416,12 +436,14 @@ slapi_filter_sprintf(const char *fmt, ...)
- {
- struct filter_ctx ctx = {0};
- va_list args;
-+ char attr_static[ATTRSIZE] = {0};
- char *buf;
- int rc;
-
- buf = slapi_ch_calloc(sizeof(char), FILTER_BUF + 1);
- ctx.buf = buf;
-- memset(ctx.attr, '\0', ATTRSIZE);
-+ ctx.attr = attr_static;
-+ ctx.attr_size = ATTRSIZE;
- ctx.attr_position = 0;
- ctx.attr_found = 0;
- ctx.buf_len = FILTER_BUF;
-@@ -438,6 +460,10 @@ slapi_filter_sprintf(const char *fmt, ...)
- }
- va_end(args);
-
-+ if (ctx.attr_size > ATTRSIZE) {
-+ slapi_ch_free_string(&ctx.attr);
-+ }
-+
- return ctx.buf;
- }
-
---
-2.13.6
-
diff --git a/SOURCES/0060-Ticket-49534-Fix-coverity-regression.patch b/SOURCES/0060-Ticket-49534-Fix-coverity-regression.patch
deleted file mode 100644
index b5adec3..0000000
--- a/SOURCES/0060-Ticket-49534-Fix-coverity-regression.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 3c605035eff49e603c8e4a4c0886499913924529 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Wed, 24 Jan 2018 14:24:08 -0500
-Subject: [PATCH] Ticket 49534 - Fix coverity regression
-
-Description: In automembers plugin a free was in the wrong spot
- which later led to a double free for the "rule".
-
-https://pagure.io/389-ds-base/issue/49534
-
-Reviewed by: mreynolds (one line commit rule)
-
-(cherry picked from commit b3768e602fdfc2ea1fc645b17ad61c8592ab87fa)
----
- ldap/servers/plugins/automember/automember.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
-index cbd25915a..c91aa4e8e 100644
---- a/ldap/servers/plugins/automember/automember.c
-+++ b/ldap/servers/plugins/automember/automember.c
-@@ -1117,11 +1117,11 @@ automember_parse_regex_entry(struct configEntry *config, Slapi_Entry *e)
- break;
- }
- }
-+ automember_free_regex_rule(rule);
- } else {
- /* Add to head of list */
- PR_INSERT_LINK(&(rule->list), (PRCList *)config->exclusive_rules);
- }
-- automember_free_regex_rule(rule);
- } else {
- slapi_log_err(SLAPI_LOG_ERR, AUTOMEMBER_PLUGIN_SUBSYSTEM,
- "automember_parse_regex_entry - Skipping invalid exclusive "
---
-2.13.6
-
diff --git a/SOURCES/0061-Ticket-49541-Replica-ID-config-validation-fix.patch b/SOURCES/0061-Ticket-49541-Replica-ID-config-validation-fix.patch
deleted file mode 100644
index 5520757..0000000
--- a/SOURCES/0061-Ticket-49541-Replica-ID-config-validation-fix.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From d39be97021f273548957a9f26ca35d5faab20318 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 29 Jan 2018 21:13:16 -0500
-Subject: [PATCH] Ticket 49541 - Replica ID config validation fix
-
-Description: Is is possible to set the replica ID to 65535 with a modify
- operation, which is reserved for hubs/consumers.
-
-https://pagure.io/389-ds-base/issue/49541
-
-Reviewed by: mreynolds (one line commit rule)
----
- ldap/servers/plugins/replication/repl5_replica_config.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
-index bda333362..ea430d9a4 100644
---- a/ldap/servers/plugins/replication/repl5_replica_config.c
-+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
-@@ -421,7 +421,7 @@ replica_config_modify(Slapi_PBlock *pb,
- }
- } else if (strcasecmp(config_attr, attr_replicaId) == 0) {
- int64_t rid = 0;
-- if (repl_config_valid_num(config_attr, config_attr_value, 1, 65535, returncode, errortext, &rid) == 0) {
-+ if (repl_config_valid_num(config_attr, config_attr_value, 1, 65534, returncode, errortext, &rid) == 0) {
- slapi_ch_free_string(&new_repl_id);
- new_repl_id = slapi_ch_strdup(config_attr_value);
- } else {
---
-2.13.6
-
diff --git a/SOURCES/0062-Ticket-49370-Crash-when-using-a-global-and-local-pw.patch b/SOURCES/0062-Ticket-49370-Crash-when-using-a-global-and-local-pw.patch
deleted file mode 100644
index 19077f9..0000000
--- a/SOURCES/0062-Ticket-49370-Crash-when-using-a-global-and-local-pw.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From 3bdd7b5cccd2993c5ae5b9d893be15c71373aaf8 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 29 Jan 2018 11:53:33 -0500
-Subject: [PATCH] Ticket 49370 - Crash when using a global and local pw
- policies
-
-Description: This a regression from the previous patch. We were
- accidently using a reference to the global pw policy
- password storage scheme, which was getting freed after
- pblock was done from an operation. The next operation
- then used(and double freed) this memory on the next
- operation.
-
-https://pagure.io/389-ds-base/issue/49370
-
-Reviewed by: tbordaz (Thanks!)
-
-(cherry picked from commit d86e0f9634e694feb378ee335d29b2e89fd27e2c)
----
- ldap/servers/slapd/pw.c | 32 +++++++++++++++++---------------
- 1 file changed, 17 insertions(+), 15 deletions(-)
-
-diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
-index 3a545e12e..451be364d 100644
---- a/ldap/servers/slapd/pw.c
-+++ b/ldap/servers/slapd/pw.c
-@@ -209,7 +209,7 @@ pw_name2scheme(char *name)
- struct pw_scheme *pwsp;
- struct slapdplugin *p;
-
-- if ((p = plugin_get_pwd_storage_scheme(name, strlen(name), PLUGIN_LIST_PWD_STORAGE_SCHEME)) != NULL) {
-+ if (name != NULL && (p = plugin_get_pwd_storage_scheme(name, strlen(name), PLUGIN_LIST_PWD_STORAGE_SCHEME)) != NULL) {
- pwsp = (struct pw_scheme *)slapi_ch_malloc(sizeof(struct pw_scheme));
- if (pwsp != NULL) {
- typedef int (*CMPFP)(char *, char *);
-@@ -1612,18 +1612,18 @@ pw_get_admin_users(passwdPolicy *pwp)
- passwdPolicy *
- new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- {
-+ slapdFrontendConfig_t *slapdFrontendConfig = NULL;
- Slapi_ValueSet *values = NULL;
-+ Slapi_Value **sval = NULL;
- Slapi_Entry *e = NULL, *pw_entry = NULL;
-- int type_name_disposition = 0;
-+ passwdPolicy *pwdpolicy = NULL;
-+ Slapi_Attr *attr = NULL;
-+ char *pwscheme_name = NULL;
-+ char *attr_name = NULL;
- char *actual_type_name = NULL;
-+ int type_name_disposition = 0;
- int attr_free_flags = 0;
- int rc = 0;
-- passwdPolicy *pwdpolicy = NULL;
-- struct pw_scheme *pwdscheme = NULL;
-- Slapi_Attr *attr;
-- char *attr_name;
-- Slapi_Value **sval;
-- slapdFrontendConfig_t *slapdFrontendConfig;
- int optype = -1;
-
- /* If we already allocated a pw policy, return it */
-@@ -1717,9 +1717,7 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- pw_entry = get_entry(pb, bvp->bv_val);
- }
- }
--
- slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
--
- slapi_entry_free(e);
-
- if (pw_entry == NULL) {
-@@ -1732,7 +1730,11 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
-
- /* Set the default values (from libglobs.c) */
- pwpolicy_init_defaults(pwdpolicy);
-- pwdpolicy->pw_storagescheme = slapdFrontendConfig->pw_storagescheme;
-+
-+ /* Set the current storage scheme */
-+ pwscheme_name = config_get_pw_storagescheme();
-+ pwdpolicy->pw_storagescheme = pw_name2scheme(pwscheme_name);
-+ slapi_ch_free_string(&pwscheme_name);
-
- /* Set the defined values now */
- for (slapi_entry_first_attr(pw_entry, &attr); attr;
-@@ -1865,6 +1867,7 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
- }
- } else if (!strcasecmp(attr_name, "passwordstoragescheme")) {
- if ((sval = attr_get_present_values(attr))) {
-+ free_pw_scheme(pwdpolicy->pw_storagescheme);
- pwdpolicy->pw_storagescheme =
- pw_name2scheme((char *)slapi_value_get_string(*sval));
- }
-@@ -1924,10 +1927,9 @@ done:
- * structure from slapdFrontendconfig
- */
- *pwdpolicy = slapdFrontendConfig->pw_policy;
-- pwdscheme = (struct pw_scheme *)slapi_ch_calloc(1, sizeof(struct pw_scheme));
-- *pwdscheme = *slapdFrontendConfig->pw_storagescheme;
-- pwdscheme->pws_name = strdup(slapdFrontendConfig->pw_storagescheme->pws_name);
-- pwdpolicy->pw_storagescheme = pwdscheme;
-+ pwscheme_name = config_get_pw_storagescheme();
-+ pwdpolicy->pw_storagescheme = pw_name2scheme(pwscheme_name);
-+ slapi_ch_free_string(&pwscheme_name);
- pwdpolicy->pw_admin = slapi_sdn_dup(slapdFrontendConfig->pw_policy.pw_admin);
- pw_get_admin_users(pwdpolicy);
- if (pb) {
---
-2.13.6
-
diff --git a/SOURCES/0063-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch b/SOURCES/0063-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch
deleted file mode 100644
index b79ed65..0000000
--- a/SOURCES/0063-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch
+++ /dev/null
@@ -1,320 +0,0 @@ -From 656b141630c5f37a953a75ff05d3a1a30b14eef1 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 1 Feb 2018 14:28:24 -0500 -Subject: [PATCH] Ticket 49557 - Add config option for checking CRL on outbound - SSL Connections - -Bug Description: There are cases where a CRL is not available during an outbound - replication connection. This is seen as an error by openldap, - and the connection fails. - -Fix Description: Add on/off option for checking the CRL. The default is not to - check the CRL. - -https://pagure.io/389-ds-base/issue/49557 - -Reviewed by: wibrown, Ludwig Krispenz, Thierry Bordaz ---- - dirsrvtests/tests/suites/{ssl => tls}/__init__.py | 0 - dirsrvtests/tests/suites/tls/tls_check_crl_test.py | 52 +++++++++++++++++ - ldap/schema/01core389.ldif | 1 + - ldap/servers/slapd/ldaputil.c | 9 ++- - ldap/servers/slapd/libglobs.c | 66 +++++++++++++++++++++- - ldap/servers/slapd/proto-slap.h | 2 + - ldap/servers/slapd/slap.h | 10 +++- - 7 files changed, 135 insertions(+), 5 deletions(-) - rename dirsrvtests/tests/suites/{ssl => tls}/__init__.py (100%) - create mode 100644 dirsrvtests/tests/suites/tls/tls_check_crl_test.py - -diff --git a/dirsrvtests/tests/suites/ssl/__init__.py b/dirsrvtests/tests/suites/tls/__init__.py -similarity index 100% -rename from dirsrvtests/tests/suites/ssl/__init__.py -rename to dirsrvtests/tests/suites/tls/__init__.py -diff --git a/dirsrvtests/tests/suites/tls/tls_check_crl_test.py b/dirsrvtests/tests/suites/tls/tls_check_crl_test.py -new file mode 100644 -index 000000000..8b4d07f94 ---- /dev/null -+++ b/dirsrvtests/tests/suites/tls/tls_check_crl_test.py -@@ -0,0 +1,52 @@ -+# --- BEGIN COPYRIGHT BLOCK --- -+# Copyright (C) 2018 Red Hat, Inc. -+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. 
-+# --- END COPYRIGHT BLOCK --- -+# -+ -+ -+import pytest -+import ldap -+from lib389.topologies import topology_st -+ -+def test_tls_check_crl(topology_st): -+ """Test that TLS check_crl configurations work as expected. -+ -+ :id: -+ :steps: -+ 1. Enable TLS -+ 2. Set invalid value -+ 3. Set valid values -+ 4. Check config reset -+ :expectedresults: -+ 1. TlS is setup -+ 2. The invalid value is rejected -+ 3. The valid values are used -+ 4. The value can be reset -+ """ -+ standalone = topology_st.standalone -+ # Enable TLS -+ standalone.enable_tls() -+ # Check all the valid values. -+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none') -+ with pytest.raises(ldap.OPERATIONS_ERROR): -+ standalone.config.set('nsslapd-tls-check-crl', 'tnhoeutnoeutn') -+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none') -+ -+ standalone.config.set('nsslapd-tls-check-crl', 'peer') -+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'peer') -+ -+ standalone.config.set('nsslapd-tls-check-crl', 'none') -+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none') -+ -+ standalone.config.set('nsslapd-tls-check-crl', 'all') -+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'all') -+ -+ standalone.config.remove_all('nsslapd-tls-check-crl') -+ assert(standalone.config.get_attr_val_utf8('nsslapd-tls-check-crl') == 'none') -+ -+ -+ -diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif -index ab124c86c..c7f9fef2b 100644 ---- a/ldap/schema/01core389.ldif -+++ b/ldap/schema/01core389.ldif -@@ -304,6 +304,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netsc - attributeTypes: ( 2.16.840.1.113730.3.1.2333 NAME 'nsds5ReplicaReleaseTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2335 NAME 
'nsds5ReplicaIgnoreMissingChange' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) - attributeTypes: ( 2.16.840.1.113730.3.1.2336 NAME 'nsDS5ReplicaBindDnGroupCheckInterval' DESC 'Replication configuration setting for controlling the bind dn group check interval' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' ) -+attributeTypes: ( 2.16.840.1.113730.3.1.2344 NAME 'nsslapd-tls-check-crl' DESC 'Check CRL when opening outbound TLS connections. Valid options are none, peer, all.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' ) - # - # objectclasses - # -diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c -index fa9d276a3..2fc2f0615 100644 ---- a/ldap/servers/slapd/ldaputil.c -+++ b/ldap/servers/slapd/ldaputil.c -@@ -570,6 +570,7 @@ slapi_ldif_parse_line( - } - - #if defined(USE_OPENLDAP) -+ - static int - setup_ol_tls_conn(LDAP *ld, int clientauth) - { -@@ -602,7 +603,13 @@ setup_ol_tls_conn(LDAP *ld, int clientauth) - } - } - if (slapi_client_uses_openssl(ld)) { -- const int crlcheck = LDAP_OPT_X_TLS_CRL_ALL; -+ int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE; -+ tls_check_crl_t tls_check_state = config_get_tls_check_crl(); -+ if (tls_check_state == TLS_CHECK_PEER) { -+ crlcheck = LDAP_OPT_X_TLS_CRL_PEER; -+ } else if (tls_check_state == TLS_CHECK_ALL) { -+ crlcheck = LDAP_OPT_X_TLS_CRL_ALL; -+ } - /* Sets the CRL evaluation strategy. 
*/ - rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck); - if (rc) { -diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c -index c1a765aca..eb6552af1 100644 ---- a/ldap/servers/slapd/libglobs.c -+++ b/ldap/servers/slapd/libglobs.c -@@ -157,7 +157,8 @@ typedef enum { - CONFIG_STRING_OR_EMPTY, /* use an empty string */ - CONFIG_SPECIAL_ANON_ACCESS_SWITCH, /* maps strings to an enumeration */ - CONFIG_SPECIAL_VALIDATE_CERT_SWITCH, /* maps strings to an enumeration */ -- CONFIG_SPECIAL_UNHASHED_PW_SWITCH /* unhashed pw: on/off/nolog */ -+ CONFIG_SPECIAL_UNHASHED_PW_SWITCH, /* unhashed pw: on/off/nolog */ -+ CONFIG_SPECIAL_TLS_CHECK_CRL, /* maps enum tls_check_crl_t to char * */ - } ConfigVarType; - - static int32_t config_set_onoff(const char *attrname, char *value, int32_t *configvalue, char *errorbuf, int apply); -@@ -1173,7 +1174,15 @@ static struct config_get_and_set - {CONFIG_LOGGING_BACKEND, NULL, - log_set_backend, 0, - (void **)&global_slapdFrontendConfig.logging_backend, -- CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL}}; -+ CONFIG_STRING_OR_EMPTY, NULL, SLAPD_INIT_LOGGING_BACKEND_INTERNAL}, -+ {CONFIG_TLS_CHECK_CRL_ATTRIBUTE, config_set_tls_check_crl, -+ NULL, 0, -+ (void **)&global_slapdFrontendConfig.tls_check_crl, -+ CONFIG_SPECIAL_TLS_CHECK_CRL, (ConfigGetFunc)config_get_tls_check_crl, -+ "none" /* Allow reset to this value */} -+ -+ /* End config */ -+ }; - - /* - * hashNocaseString - used for case insensitive hash lookups -@@ -1506,7 +1515,6 @@ FrontendConfig_init(void) - cfg->maxdescriptors = SLAPD_DEFAULT_MAXDESCRIPTORS; - cfg->groupevalnestlevel = SLAPD_DEFAULT_GROUPEVALNESTLEVEL; - cfg->snmp_index = SLAPD_DEFAULT_SNMP_INDEX; -- - cfg->SSLclientAuth = SLAPD_DEFAULT_SSLCLIENTAUTH; - - #ifdef USE_SYSCONF -@@ -1524,6 +1532,7 @@ FrontendConfig_init(void) - #endif - init_security = cfg->security = LDAP_OFF; - init_ssl_check_hostname = cfg->ssl_check_hostname = LDAP_ON; -+ cfg->tls_check_crl = 
TLS_CHECK_NONE; - init_return_exact_case = cfg->return_exact_case = LDAP_ON; - init_result_tweak = cfg->result_tweak = LDAP_OFF; - init_attrname_exceptions = cfg->attrname_exceptions = LDAP_OFF; -@@ -2042,6 +2051,7 @@ config_set_port(const char *attrname, char *port, char *errorbuf, int apply) - return retVal; - } - -+ - int - config_set_secureport(const char *attrname, char *port, char *errorbuf, int apply) - { -@@ -2073,6 +2083,33 @@ config_set_secureport(const char *attrname, char *port, char *errorbuf, int appl - } - - -+int32_t -+config_set_tls_check_crl(const char *attrname, char *value, char *errorbuf, int apply) -+{ -+ int32_t retVal = LDAP_SUCCESS; -+ /* Default */ -+ tls_check_crl_t state = TLS_CHECK_NONE; -+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -+ -+ if (strcasecmp(value, "none") == 0) { -+ state = TLS_CHECK_NONE; -+ } else if (strcasecmp(value, "peer") == 0) { -+ state = TLS_CHECK_PEER; -+ } else if (strcasecmp(value, "all") == 0) { -+ state = TLS_CHECK_ALL; -+ } else { -+ retVal = LDAP_OPERATIONS_ERROR; -+ slapi_create_errormsg(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: unsupported value: %s", attrname, value); -+ } -+ -+ if (retVal == LDAP_SUCCESS && apply) { -+ slapi_atomic_store_32((int32_t *)&(slapdFrontendConfig->tls_check_crl), state, __ATOMIC_RELEASE); -+ } -+ -+ return retVal; -+} -+ -+ - int - config_set_SSLclientAuth(const char *attrname, char *value, char *errorbuf, int apply) - { -@@ -4591,6 +4628,12 @@ config_set_versionstring(const char *attrname __attribute__((unused)), char *ver - - #define config_copy_strval(s) s ? 
slapi_ch_strdup(s) : NULL; - -+tls_check_crl_t -+config_get_tls_check_crl() { -+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); -+ return (tls_check_crl_t)slapi_atomic_load_32((int32_t *)&(slapdFrontendConfig->tls_check_crl), __ATOMIC_ACQUIRE); -+} -+ - int - config_get_port() - { -@@ -7439,6 +7482,23 @@ config_set_value( - slapi_entry_attr_set_int(e, cgas->attr_name, ival); - break; - -+ case CONFIG_SPECIAL_TLS_CHECK_CRL: -+ if (!value) { -+ slapi_entry_attr_set_charptr(e, cgas->attr_name, (char *)cgas->initvalue); -+ break; -+ } -+ tls_check_crl_t state = *(tls_check_crl_t *)value; -+ -+ if (state == TLS_CHECK_ALL) { -+ sval = "all"; -+ } else if (state == TLS_CHECK_PEER) { -+ sval = "peer"; -+ } else { -+ sval = "none"; -+ } -+ slapi_entry_attr_set_charptr(e, cgas->attr_name, sval); -+ break; -+ - case CONFIG_SPECIAL_SSLCLIENTAUTH: - if (!value) { - slapi_entry_attr_set_charptr(e, cgas->attr_name, "off"); -diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h -index 3b7ab53b2..b13334ad1 100644 ---- a/ldap/servers/slapd/proto-slap.h -+++ b/ldap/servers/slapd/proto-slap.h -@@ -236,6 +236,7 @@ int config_set_port(const char *attrname, char *port, char *errorbuf, int apply) - int config_set_secureport(const char *attrname, char *port, char *errorbuf, int apply); - int config_set_SSLclientAuth(const char *attrname, char *value, char *errorbuf, int apply); - int config_set_ssl_check_hostname(const char *attrname, char *value, char *errorbuf, int apply); -+int32_t config_set_tls_check_crl(const char *attrname, char *value, char *errorbuf, int apply); - int config_set_SSL3ciphers(const char *attrname, char *value, char *errorbuf, int apply); - int config_set_localhost(const char *attrname, char *value, char *errorbuf, int apply); - int config_set_listenhost(const char *attrname, char *value, char *errorbuf, int apply); -@@ -397,6 +398,7 @@ void log_disable_hr_timestamps(void); - - int config_get_SSLclientAuth(void); - int 
config_get_ssl_check_hostname(void); -+tls_check_crl_t config_get_tls_check_crl(void); - char *config_get_SSL3ciphers(void); - char *config_get_localhost(void); - char *config_get_listenhost(void); -diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h -index 216d94afd..443d90094 100644 ---- a/ldap/servers/slapd/slap.h -+++ b/ldap/servers/slapd/slap.h -@@ -443,6 +443,13 @@ typedef void (*VFPV)(); /* takes undefined arguments */ - typedef int32_t slapi_onoff_t; - typedef int32_t slapi_int_t; - -+typedef enum _tls_check_crl_t { -+ TLS_CHECK_NONE = 0, -+ TLS_CHECK_PEER = 1, -+ TLS_CHECK_ALL = 2, -+} tls_check_crl_t; -+ -+ - struct subfilt - { - char *sf_type; -@@ -2151,6 +2158,7 @@ typedef struct _slapdEntryPoints - #define CONFIG_RUNDIR_ATTRIBUTE "nsslapd-rundir" - #define CONFIG_SSLCLIENTAUTH_ATTRIBUTE "nsslapd-SSLclientAuth" - #define CONFIG_SSL_CHECK_HOSTNAME_ATTRIBUTE "nsslapd-ssl-check-hostname" -+#define CONFIG_TLS_CHECK_CRL_ATTRIBUTE "nsslapd-tls-check-crl" - #define CONFIG_HASH_FILTERS_ATTRIBUTE "nsslapd-hash-filters" - #define CONFIG_OUTBOUND_LDAP_IO_TIMEOUT_ATTRIBUTE "nsslapd-outbound-ldap-io-timeout" - #define CONFIG_FORCE_SASL_EXTERNAL_ATTRIBUTE "nsslapd-force-sasl-external" -@@ -2263,6 +2271,7 @@ typedef struct _slapdFrontendConfig - slapi_onoff_t security; - int SSLclientAuth; - slapi_onoff_t ssl_check_hostname; -+ tls_check_crl_t tls_check_crl; - int validate_cert; - int sizelimit; - int SNMPenabled; -@@ -2294,7 +2303,6 @@ typedef struct _slapdFrontendConfig - slapi_onoff_t plugin_track; - slapi_onoff_t moddn_aci; - struct pw_scheme *pw_storagescheme; -- - slapi_onoff_t pwpolicy_local; - slapi_onoff_t pw_is_global_policy; - slapi_onoff_t pwpolicy_inherit_global; --- -2.13.6 - diff --git a/SOURCES/0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch b/SOURCES/0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch deleted file mode 100644 index d4eeeeb..0000000 
--- a/SOURCES/0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch
+++ /dev/null
@@ -1,120 +0,0 @@ -From 10ec64288dcc25fd855bc05601bc4794ecea2003 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Tue, 6 Feb 2018 19:49:22 +0100 -Subject: [PATCH] Ticket 49560 - nsslapd-extract-pemfiles should be enabled by - default as openldap is moving to openssl - -Bug Description: - Due to a change in the OpenLDAP client libraries (switching from NSS to OpenSSL), - the TLS options LDAP_OPT_X_TLS_CACERTFILE, LDAP_OPT_X_TLS_KEYFILE, LDAP_OPT_X_TLS_CERTFILE, - need to specify path to PEM files. - - Those PEM files are extracted from the key/certs from the NSS db in /etc/dirsrv/slapd-xxx - - Those files are extracted if the option (under 'cn=config') nsslapd-extract-pemfiles is set to 'on'. - - The default value is 'off', that prevent secure outgoing connection. - -Fix Description: - - Enable nsslapd-extract-pemfiles by default - Then when establishing an outgoing connection, if it is not using NSS crypto layer - and the pem files have been extracted then use the PEM files - -https://pagure.io/389-ds-base/issue/49560 - -Reviewed by: mreynolds & mhonek - -Platforms tested: RHEL 7.5 - -Flag Day: no - -Doc impact: no - -Signed-off-by: Mark Reynolds -(cherry picked from commit 8304caec593b591558c9c18de9bcb6b2f23db5b6) ---- - ldap/servers/slapd/ldaputil.c | 32 ++++++++++++++++---------------- - ldap/servers/slapd/libglobs.c | 2 +- - ldap/servers/slapd/ssl.c | 2 +- - 3 files changed, 18 insertions(+), 18 deletions(-) - -diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c -index 2fc2f0615..fcf22e632 100644 ---- a/ldap/servers/slapd/ldaputil.c -+++ b/ldap/servers/slapd/ldaputil.c -@@ -591,7 +591,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth) - slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn", - "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength); - } -- if (slapi_client_uses_non_nss(ld)) { -+ if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) { - cacert = slapi_get_cacertfile(); - if (cacert) { - /* CA Cert PEM file 
exists. Set the path to openldap option. */ -@@ -602,21 +602,21 @@ setup_ol_tls_conn(LDAP *ld, int clientauth) - cacert, rc, ldap_err2string(rc)); - } - } -- if (slapi_client_uses_openssl(ld)) { -- int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE; -- tls_check_crl_t tls_check_state = config_get_tls_check_crl(); -- if (tls_check_state == TLS_CHECK_PEER) { -- crlcheck = LDAP_OPT_X_TLS_CRL_PEER; -- } else if (tls_check_state == TLS_CHECK_ALL) { -- crlcheck = LDAP_OPT_X_TLS_CRL_ALL; -- } -- /* Sets the CRL evaluation strategy. */ -- rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck); -- if (rc) { -- slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn", -- "Could not set CRLCHECK [%d]: %d:%s\n", -- crlcheck, rc, ldap_err2string(rc)); -- } -+ } -+ if (slapi_client_uses_openssl(ld)) { -+ int32_t crlcheck = LDAP_OPT_X_TLS_CRL_NONE; -+ tls_check_crl_t tls_check_state = config_get_tls_check_crl(); -+ if (tls_check_state == TLS_CHECK_PEER) { -+ crlcheck = LDAP_OPT_X_TLS_CRL_PEER; -+ } else if (tls_check_state == TLS_CHECK_ALL) { -+ crlcheck = LDAP_OPT_X_TLS_CRL_ALL; -+ } -+ /* Sets the CRL evaluation strategy. */ -+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck); -+ if (rc) { -+ slapi_log_err(SLAPI_LOG_ERR, "setup_ol_tls_conn", -+ "Could not set CRLCHECK [%d]: %d:%s\n", -+ crlcheck, rc, ldap_err2string(rc)); - } - } - /* tell it where our cert db/file is */ -diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c -index eb6552af1..3bd5c1826 100644 ---- a/ldap/servers/slapd/libglobs.c -+++ b/ldap/servers/slapd/libglobs.c -@@ -1688,7 +1688,7 @@ FrontendConfig_init(void) - init_malloc_mmap_threshold = cfg->malloc_mmap_threshold = DEFAULT_MALLOC_UNSET; - #endif - -- init_extract_pem = cfg->extract_pem = LDAP_OFF; -+ init_extract_pem = cfg->extract_pem = LDAP_ON; - - /* Done, unlock! 
*/ - CFG_UNLOCK_WRITE(cfg); -diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c -index 52ac7ea9f..36b09fd16 100644 ---- a/ldap/servers/slapd/ssl.c -+++ b/ldap/servers/slapd/ssl.c -@@ -2462,7 +2462,7 @@ slapd_SSL_client_auth(LDAP *ld) - errorCode, slapd_pr_strerror(errorCode)); - } else { - #if defined(USE_OPENLDAP) -- if (slapi_client_uses_non_nss(ld)) { -+ if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) { - char *certdir = config_get_certdir(); - char *keyfile = NULL; - char *certfile = NULL; --- -2.13.6 - diff --git a/SOURCES/0065-Ticket-bz1525628-invalid-password-migration-causes-u.patch b/SOURCES/0065-Ticket-bz1525628-invalid-password-migration-causes-u.patch deleted file mode 100644 index 981ce22..0000000 --- a/SOURCES/0065-Ticket-bz1525628-invalid-password-migration-causes-u.patch +++ /dev/null 
@@ -1,286 +0,0 @@ -From 40fcaabfaa2c865471cc5fb1fab04106bc3ec611 Mon Sep 17 00:00:00 2001 -From: William Brown -Date: Thu, 18 Jan 2018 11:27:58 +1000 -Subject: [PATCH] Ticket bz1525628 - invalid password migration causes unauth - bind - -Bug Description: Slapi_ct_memcmp expects both inputs to be -at LEAST size n. If they are not, we only compared UP to n. - -Invalid migrations of passwords (IE {CRYPT}XX) would create -a pw which is just salt and no hash. ct_memcmp would then -only verify the salt bits and would allow the authentication. - -This relies on an administrative mistake both of allowing -password migration (nsslapd-allow-hashed-passwords) and then -subsequently migrating an INVALID password to the server. - -Fix Description: slapi_ct_memcmp now access n1, n2 size -and will FAIL if they are not the same, but will still compare -n bytes, where n is the "longest" memory, to the first byte -of the other to prevent length disclosure of the shorter -value (generally the mis-migrated password) - -https://bugzilla.redhat.com/show_bug.cgi?id=1525628 - -Author: wibrown - -Review by: ??? 
- -Signed-off-by: Mark Reynolds ---- - .../bz1525628_ct_memcmp_invalid_hash_test.py | 56 ++++++++++++++++++++++ - ldap/servers/plugins/pwdstorage/clear_pwd.c | 4 +- - ldap/servers/plugins/pwdstorage/crypt_pwd.c | 4 +- - ldap/servers/plugins/pwdstorage/md5_pwd.c | 4 +- - ldap/servers/plugins/pwdstorage/sha_pwd.c | 16 +++++-- - ldap/servers/plugins/pwdstorage/smd5_pwd.c | 2 +- - ldap/servers/slapd/ch_malloc.c | 36 ++++++++++++-- - ldap/servers/slapd/slapi-plugin.h | 2 +- - 8 files changed, 108 insertions(+), 16 deletions(-) - create mode 100644 dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py - -diff --git a/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py -new file mode 100644 -index 000000000..2f38384a1 ---- /dev/null -+++ b/dirsrvtests/tests/suites/password/bz1525628_ct_memcmp_invalid_hash_test.py -@@ -0,0 +1,56 @@ -+# --- BEGIN COPYRIGHT BLOCK --- -+# Copyright (C) 2018 Red Hat, Inc. -+# All rights reserved. -+# -+# License: GPL (version 3 or any later version). -+# See LICENSE for details. -+# --- END COPYRIGHT BLOCK --- -+# -+ -+import ldap -+import pytest -+import logging -+from lib389.topologies import topology_st -+from lib389._constants import PASSWORD, DEFAULT_SUFFIX -+ -+from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES -+ -+logging.getLogger(__name__).setLevel(logging.DEBUG) -+log = logging.getLogger(__name__) -+ -+def test_invalid_hash_fails(topology_st): -+ """When given a malformed hash from userpassword migration -+ slapi_ct_memcmp would check only to the length of the shorter -+ field. This affects some values where it would ONLY verify -+ the salt is valid, and thus would allow any password to bind. -+ -+ :id: 8131c029-7147-47db-8d03-ec5db2a01cfb -+ :setup: Standalone Instance -+ :steps: -+ 1. Create a user -+ 2. Add an invalid password hash (truncated) -+ 3. Attempt to bind -+ :expectedresults: -+ 1. 
User is added -+ 2. Invalid pw hash is added -+ 3. Bind fails -+ """ -+ log.info("Running invalid hash test") -+ -+ # Allow setting raw password hashes for migration. -+ topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on') -+ -+ users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX) -+ user = users.create(properties=TEST_USER_PROPERTIES) -+ user.set('userPassword', '{CRYPT}XX') -+ -+ # Attempt to bind. This should fail. -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ user.bind(PASSWORD) -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ user.bind('XX') -+ with pytest.raises(ldap.INVALID_CREDENTIALS): -+ user.bind('{CRYPT}XX') -+ -+ log.info("PASSED") -+ -diff --git a/ldap/servers/plugins/pwdstorage/clear_pwd.c b/ldap/servers/plugins/pwdstorage/clear_pwd.c -index f5e6f9d4c..3d340752d 100644 ---- a/ldap/servers/plugins/pwdstorage/clear_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/clear_pwd.c -@@ -39,7 +39,7 @@ clear_pw_cmp(const char *userpwd, const char *dbpwd) - * However, even if the first part of userpw matches dbpwd, but len !=, we - * have already failed anyawy. This prevents substring matching. - */ -- if (slapi_ct_memcmp(userpwd, dbpwd, len_dbp) != 0) { -+ if (slapi_ct_memcmp(userpwd, dbpwd, len_user, len_dbp) != 0) { - result = 1; - } - } else { -@@ -51,7 +51,7 @@ clear_pw_cmp(const char *userpwd, const char *dbpwd) - * dbpwd to itself. We have already got result == 1 if we are here, so we are - * just trying to take up time! - */ -- if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp)) { -+ if (slapi_ct_memcmp(dbpwd, dbpwd, len_dbp, len_dbp)) { - /* Do nothing, we have the if to fix a coverity check. 
*/ - } - } -diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -index 3bd226581..0dccd1b51 100644 ---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -@@ -65,13 +65,13 @@ crypt_close(Slapi_PBlock *pb __attribute__((unused))) - int - crypt_pw_cmp(const char *userpwd, const char *dbpwd) - { -- int rc; -+ int32_t rc; - char *cp; - PR_Lock(cryptlock); - /* we use salt (first 2 chars) of encoded password in call to crypt() */ - cp = crypt(userpwd, dbpwd); - if (cp) { -- rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd)); -+ rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd), strlen(cp)); - } else { - rc = -1; - } -diff --git a/ldap/servers/plugins/pwdstorage/md5_pwd.c b/ldap/servers/plugins/pwdstorage/md5_pwd.c -index 1e2cf58e7..2c2aacaa6 100644 ---- a/ldap/servers/plugins/pwdstorage/md5_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/md5_pwd.c -@@ -30,7 +30,7 @@ - int - md5_pw_cmp(const char *userpwd, const char *dbpwd) - { -- int rc = -1; -+ int32_t rc = -1; - char *bver; - PK11Context *ctx = NULL; - unsigned int outLen; -@@ -57,7 +57,7 @@ md5_pw_cmp(const char *userpwd, const char *dbpwd) - bver = NSSBase64_EncodeItem(NULL, (char *)b2a_out, sizeof b2a_out, &binary_item); - /* bver points to b2a_out upon success */ - if (bver) { -- rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd)); -+ rc = slapi_ct_memcmp(bver, dbpwd, strlen(dbpwd), strlen(bver)); - } else { - slapi_log_err(SLAPI_LOG_PLUGIN, MD5_SUBSYSTEM_NAME, - "Could not base64 encode hashed value for password compare"); -diff --git a/ldap/servers/plugins/pwdstorage/sha_pwd.c b/ldap/servers/plugins/pwdstorage/sha_pwd.c -index 1fbe0bc82..381b31d7c 100644 ---- a/ldap/servers/plugins/pwdstorage/sha_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/sha_pwd.c -@@ -49,7 +49,7 @@ sha_pw_cmp(const char *userpwd, const char *dbpwd, unsigned int shaLen) - char userhash[MAX_SHA_HASH_SIZE]; - char quick_dbhash[MAX_SHA_HASH_SIZE + 
SHA_SALT_LENGTH + 3]; - char *dbhash = quick_dbhash; -- struct berval salt; -+ struct berval salt = {0}; - PRUint32 hash_len; - unsigned int secOID; - char *schemeName; -@@ -122,9 +122,19 @@ sha_pw_cmp(const char *userpwd, const char *dbpwd, unsigned int shaLen) - - /* the proof is in the comparison... */ - if (hash_len >= shaLen) { -- result = slapi_ct_memcmp(userhash, dbhash, shaLen); -+ /* -+ * This say "if the hash has a salt IE >, OR if they are equal, check the hash component ONLY. -+ * This is why we repeat shaLen twice, even though it seems odd. If you have a dbhast of ssha -+ * it's len is 28, and the userpw is 20, but 0 - 20 is the sha, and 21-28 is the salt, which -+ * has already been processed into userhash. -+ * The case where dbpwd is truncated is handled above in "invalid base64" arm. -+ */ -+ result = slapi_ct_memcmp(userhash, dbhash, shaLen, shaLen); - } else { -- result = slapi_ct_memcmp(userhash, dbhash + OLD_SALT_LENGTH, hash_len - OLD_SALT_LENGTH); -+ /* This case is for if the salt is at the START, which only applies to DS40B1 case. -+ * May never be a valid check... -+ */ -+ result = slapi_ct_memcmp(userhash, dbhash + OLD_SALT_LENGTH, shaLen, hash_len - OLD_SALT_LENGTH); - } - - loser: -diff --git a/ldap/servers/plugins/pwdstorage/smd5_pwd.c b/ldap/servers/plugins/pwdstorage/smd5_pwd.c -index a83ac6fa4..cbfc74ff3 100644 ---- a/ldap/servers/plugins/pwdstorage/smd5_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/smd5_pwd.c -@@ -82,7 +82,7 @@ smd5_pw_cmp(const char *userpwd, const char *dbpwd) - PK11_DestroyContext(ctx, 1); - - /* Compare everything up to the salt. 
*/ -- rc = slapi_ct_memcmp(userhash, dbhash, MD5_LENGTH); -+ rc = slapi_ct_memcmp(userhash, dbhash, MD5_LENGTH, MD5_LENGTH); - - loser: - if (dbhash && dbhash != quick_dbhash) -diff --git a/ldap/servers/slapd/ch_malloc.c b/ldap/servers/slapd/ch_malloc.c -index ef436b3e8..90a2b2c1a 100644 ---- a/ldap/servers/slapd/ch_malloc.c -+++ b/ldap/servers/slapd/ch_malloc.c -@@ -336,8 +336,8 @@ slapi_ch_smprintf(const char *fmt, ...) - - /* Constant time memcmp. Does not shortcircuit on failure! */ - /* This relies on p1 and p2 both being size at least n! */ --int --slapi_ct_memcmp(const void *p1, const void *p2, size_t n) -+int32_t -+slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2) - { - int result = 0; - const unsigned char *_p1 = (const unsigned char *)p1; -@@ -347,9 +347,35 @@ slapi_ct_memcmp(const void *p1, const void *p2, size_t n) - return 2; - } - -- for (size_t i = 0; i < n; i++) { -- if (_p1[i] ^ _p2[i]) { -- result = 1; -+ if (n1 == n2) { -+ for (size_t i = 0; i < n1; i++) { -+ if (_p1[i] ^ _p2[i]) { -+ result = 1; -+ } -+ } -+ } else { -+ const unsigned char *_pa; -+ const unsigned char *_pb; -+ size_t nl; -+ if (n2 > n1) { -+ _pa = _p2; -+ _pb = _p2; -+ nl = n2; -+ } else { -+ _pa = _p1; -+ _pb = _p1; -+ nl = n1; -+ } -+ /* We already fail as n1 != n2 */ -+ result = 3; -+ for (size_t i = 0; i < nl; i++) { -+ if (_pa[i] ^ _pb[i]) { -+ /* -+ * If we don't mutate result here, dead code elimination -+ * we remove for loop. -+ */ -+ result = 4; -+ } - } - } - return result; -diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h -index 4566202d3..95cdcc0da 100644 ---- a/ldap/servers/slapd/slapi-plugin.h -+++ b/ldap/servers/slapd/slapi-plugin.h -@@ -5862,7 +5862,7 @@ char *slapi_ch_smprintf(const char *fmt, ...) - * \param n length in bytes of the content of p1 AND p2. - * \return 0 on match. 1 on non-match. 2 on presence of NULL pointer in p1 or p2. 
- */ --int slapi_ct_memcmp(const void *p1, const void *p2, size_t n); -+int32_t slapi_ct_memcmp(const void *p1, const void *p2, size_t n1, size_t n2); - - /* - * syntax plugin routines --- -2.13.6 - diff --git a/SOURCES/0066-Ticket-49545-final-substring-extended-filter-search-.patch b/SOURCES/0066-Ticket-49545-final-substring-extended-filter-search-.patch deleted file mode 100644 index 6aea31b..0000000 --- a/SOURCES/0066-Ticket-49545-final-substring-extended-filter-search-.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From 183517787fe86c1bc2359ad807318b8bca573d17 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Fri, 19 Jan 2018 16:34:36 +0100 -Subject: [PATCH] Ticket 49545 - final substring extended filter search returns - invalid result - -Bug Description: - During a search (using extended filter with final substring), the server - checks the filter before returning the matching entries. - When checking the attribute value against the filter, it - uses the wrong value. - -Fix Description: - Make suree it uses the right portion of the attribute value, in order - to generate the keys to compare. - -https://pagure.io/389-ds-base/issue/49545 - -Reviewed by: Ludwig Krispenz - -Platforms tested: F26 - -Flag Day: no - -Doc impact: no - -Signed-off-by: Mark Reynolds ---- - ldap/servers/plugins/collation/orfilter.c | 20 ++++++++++++++++++-- - 1 file changed, 18 insertions(+), 2 deletions(-) - -diff --git a/ldap/servers/plugins/collation/orfilter.c b/ldap/servers/plugins/collation/orfilter.c -index a98d90219..672ee7b19 100644 ---- a/ldap/servers/plugins/collation/orfilter.c -+++ b/ldap/servers/plugins/collation/orfilter.c -@@ -182,17 +182,33 @@ ss_filter_match(or_filter_t * or, struct berval **vals) - } else { /* final */ - auto size_t attempts = MAX_CHAR_COMBINING; - auto char *limit = v.bv_val; -+ auto char *end; - auto struct berval **vkeys; - auto struct berval *vals[2]; - auto struct berval key; -+ - rc = -1; - vals[0] = &v; - vals[1] = NULL; - key.bv_val = (*k)->bv_val; - key.bv_len = (*k)->bv_len - 1; -- v.bv_val = (*vals)->bv_val + (*vals)->bv_len; -+ /* In the following lines it will loop to find -+ * if the end of the attribute value matches the 'final' of the filter -+ * Short summary: -+ * vals contains the attribute value :for example "hello world" -+ * key contain the key generated from the indexing of final part of the filter. -+ * for example filter=(=*ld), so key contains the indexing("ld"). 
-+ * -+ * The loop will iterate over the attribute value (vals) from the end of string -+ * to the begining. So it will try to index('d'), index('ld'), index('rld'), index('orld')... -+ * -+ * At each iteration if the key generated from indexing the portion of vals, matches -+ * the key generate from the final part of the filter, then the loop stops => we are done -+ */ -+ end = v.bv_val + v.bv_len - 1; -+ v.bv_val = end; - while (1) { -- v.bv_len = (*vals)->bv_len - (v.bv_val - (*vals)->bv_val); -+ v.bv_len = end - v.bv_val + 1; - vkeys = ix->ix_index(ix, vals, NULL); - if (vkeys && vkeys[0]) { - auto const struct berval *vkey = vkeys[0]; --- -2.13.6 - diff --git a/SOURCES/0067-Ticket-49551-v3-correct-handling-of-numsubordinates-.patch b/SOURCES/0067-Ticket-49551-v3-correct-handling-of-numsubordinates-.patch deleted file mode 100644 index 8c41a91..0000000 --- a/SOURCES/0067-Ticket-49551-v3-correct-handling-of-numsubordinates-.patch +++ /dev/null 
@@ -1,296 +0,0 @@ -From 233b64f26df76aa50f4b37aaf6b3804d208fdc1b Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Mon, 12 Feb 2018 09:24:25 +0100 -Subject: [PATCH] Ticket 49551 - v3 - correct handling of numsubordinates for - cenotaphs and tombstone delete - - Bug: The ticket exposed several problems with tombstone handling. - - tombstone entries of conflicts were not purged in tombstone purging - - cenotaphs are tombstone, but the subordinate count was not managed properly - - direct delete of tombstones failed with err=1 - - delete of entry with only conflict children failed correctly, but gave no hint why - - Fix: update the correct numsobordinates attribut for cenotaphs - set proper flag in directly deleting a tombstone - change search filter for tombstone purging to include ldapsubentries - check for conflict children if a delete is rejected and add a message to the response - - Reviewed by; Thierry, William - thanks ---- - ldap/servers/plugins/replication/repl5_replica.c | 14 +++++++++-- - ldap/servers/plugins/replication/urp.c | 8 +++--- - ldap/servers/slapd/back-ldbm/ldbm_add.c | 8 +++--- - ldap/servers/slapd/back-ldbm/ldbm_delete.c | 14 ++++++++--- - ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c | 3 ++- - ldap/servers/slapd/back-ldbm/parents.c | 12 ++++++--- - ldap/servers/slapd/entry.c | 31 ++++++++++++++++++++++++ - ldap/servers/slapd/slapi-plugin.h | 2 ++ - ldap/servers/slapd/slapi-private.h | 1 + - ldap/servers/slapd/task.c | 4 +-- - 10 files changed, 78 insertions(+), 19 deletions(-) - -diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c -index bdb8a5167..628fb9ceb 100644 ---- a/ldap/servers/plugins/replication/repl5_replica.c -+++ b/ldap/servers/plugins/replication/repl5_replica.c -@@ -3017,6 +3017,16 @@ process_reap_entry(Slapi_Entry *entry, void *cb_data) - search in the future, see _replica_reap_tombstones below and add more to the - attrs array */ - deletion_csn = 
entry_get_deletion_csn(entry); -+ if (deletion_csn == NULL) { -+ /* this might be a tombstone which was directly added, eg a cenotaph -+ * check if a tombstonecsn exist and use it -+ */ -+ char *tombstonecsn = slapi_entry_attr_get_charptr(entry, SLAPI_ATTR_TOMBSTONE_CSN); -+ if (tombstonecsn) { -+ deletion_csn = csn_new_by_string(tombstonecsn); -+ slapi_ch_free_string(&tombstonecsn); -+ } -+ } - - if ((NULL == deletion_csn || csn_compare(deletion_csn, purge_csn) < 0) && - (!is_ruv_tombstone_entry(entry))) { -@@ -3116,11 +3126,11 @@ _replica_reap_tombstones(void *arg) - */ - csn_as_string(purge_csn, PR_FALSE, deletion_csn_str); - PR_snprintf(tombstone_filter, 128, -- "(&(%s<=%s)(objectclass=nsTombstone))", SLAPI_ATTR_TOMBSTONE_CSN, -+ "(&(%s<=%s)(objectclass=nsTombstone)(|(objectclass=*)(objectclass=ldapsubentry)))", SLAPI_ATTR_TOMBSTONE_CSN, - csn_as_string(purge_csn, PR_FALSE, deletion_csn_str)); - } else { - /* Use the old inefficient filter */ -- PR_snprintf(tombstone_filter, 128, "(objectclass=nsTombstone)"); -+ PR_snprintf(tombstone_filter, 128, "(&(objectclass=nsTombstone)(|(objectclass=*)(objectclass=ldapsubentry)))"); - } - - /* we just need the objectclass - for the deletion csn -diff --git a/ldap/servers/plugins/replication/urp.c b/ldap/servers/plugins/replication/urp.c -index d4556d7fd..11c5da7cf 100644 ---- a/ldap/servers/plugins/replication/urp.c -+++ b/ldap/servers/plugins/replication/urp.c -@@ -911,7 +911,7 @@ urp_fixup_add_cenotaph (Slapi_PBlock *pb, char *sessionid, CSN *opcsn) - cenotaph, - NULL, - repl_get_plugin_identity(PLUGIN_MULTIMASTER_REPLICATION), -- OP_FLAG_REPL_FIXUP|OP_FLAG_NOOP); -+ OP_FLAG_REPL_FIXUP|OP_FLAG_NOOP|OP_FLAG_CENOTAPH_ENTRY); - slapi_add_internal_pb(add_pb); - slapi_pblock_get(add_pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); - -@@ -1922,7 +1922,7 @@ done: - newpb = NULL; - - slapi_log_err(SLAPI_LOG_REPL, sessionid, -- "urp_get_min_naming_conflict_entry - Found %d entries\n", i); -+ "urp_get_min_naming_conflict_entry - Found %d 
entries\n", min_csn?1:0); - - return min_naming_conflict_entry; - } -@@ -2172,8 +2172,8 @@ mod_objectclass_attr(const char *uniqueid, const Slapi_DN *entrysdn, const Slapi - char csnstr[CSN_STRSIZE+1] = {0}; - - slapi_mods_init(&smods, 3); -- slapi_mods_add(&smods, LDAP_MOD_ADD, "objectclass", strlen("ldapsubentry"),"ldapsubentry"); -- slapi_mods_add(&smods, LDAP_MOD_REPLACE, "conflictcsn", CSN_STRSIZE, csn_as_string(opcsn, PR_FALSE, csnstr)); -+ slapi_mods_add_string(&smods, LDAP_MOD_ADD, "objectclass", "ldapsubentry"); -+ slapi_mods_add_string(&smods, LDAP_MOD_REPLACE, "conflictcsn", csn_as_string(opcsn, PR_FALSE, csnstr)); - op_result = urp_fixup_modify_entry(uniqueid, entrysdn, opcsn, &smods, 0); - slapi_mods_done(&smods); - if (op_result == LDAP_TYPE_OR_VALUE_EXISTS) { -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c -index c93d44a65..f0a3262ec 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_add.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c -@@ -81,6 +81,7 @@ ldbm_back_add(Slapi_PBlock *pb) - Slapi_Operation *operation; - int is_replicated_operation = 0; - int is_resurect_operation = 0; -+ int is_cenotaph_operation = 0; - int is_tombstone_operation = 0; - int is_fixup_operation = 0; - int is_remove_from_cache = 0; -@@ -116,6 +117,7 @@ ldbm_back_add(Slapi_PBlock *pb) - } - - is_resurect_operation = operation_is_flag_set(operation, OP_FLAG_RESURECT_ENTRY); -+ is_cenotaph_operation = operation_is_flag_set(operation, OP_FLAG_CENOTAPH_ENTRY); - is_tombstone_operation = operation_is_flag_set(operation, OP_FLAG_TOMBSTONE_ENTRY); - is_fixup_operation = operation_is_flag_set(operation, OP_FLAG_REPL_FIXUP); - is_ruv = operation_is_flag_set(operation, OP_FLAG_REPL_RUV); -@@ -846,9 +848,9 @@ ldbm_back_add(Slapi_PBlock *pb) - the in-memory state of the parent to reflect the new child (update - subordinate count specifically */ - if (parententry) { -- retval = parent_update_on_childchange(&parent_modify_c, -- 
is_resurect_operation ? PARENTUPDATE_RESURECT : PARENTUPDATE_ADD, -- NULL); -+ int op = is_resurect_operation ? PARENTUPDATE_RESURECT : PARENTUPDATE_ADD; -+ if (is_cenotaph_operation ) op |= PARENTUPDATE_CREATE_TOMBSTONE; -+ retval = parent_update_on_childchange(&parent_modify_c, op, NULL); - slapi_log_err(SLAPI_LOG_BACKLDBM, "ldbm_back_add", - "conn=%lu op=%d parent_update_on_childchange: old_entry=0x%p, new_entry=0x%p, rc=%d\n", - conn_id, op_id, parent_modify_c.old_entry, parent_modify_c.new_entry, retval); -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c -index be0db1bd0..bc0a3654e 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c -@@ -291,9 +291,16 @@ replace_entry: - retval = slapi_entry_has_children(e->ep_entry); - if (retval && !is_replicated_operation) { - ldap_result_code= LDAP_NOT_ALLOWED_ON_NONLEAF; -- slapi_log_err(SLAPI_LOG_BACKLDBM, "ldbm_back_delete", -- "conn=%lu op=%d Deleting entry %s has %d children.\n", -- conn_id, op_id, slapi_entry_get_dn(e->ep_entry), retval); -+ if (slapi_entry_has_conflict_children(e->ep_entry, (void *)li->li_identity) > 0) { -+ ldap_result_message = "Entry has replication conflicts as children"; -+ slapi_log_err(SLAPI_LOG_ERR, "ldbm_back_delete", -+ "conn=%lu op=%d Deleting entry %s has replication conflicts as children.\n", -+ conn_id, op_id, slapi_entry_get_dn(e->ep_entry)); -+ } else { -+ slapi_log_err(SLAPI_LOG_BACKLDBM, "ldbm_back_delete", -+ "conn=%lu op=%d Deleting entry %s has %d children.\n", -+ conn_id, op_id, slapi_entry_get_dn(e->ep_entry), retval); -+ } - retval = -1; - goto error_return; - } -@@ -431,6 +438,7 @@ replace_entry: - slapi_log_err(SLAPI_LOG_WARNING, "ldbm_back_delete", - "Attempt to Tombstone again a tombstone entry %s\n", dn); - delete_tombstone_entry = 1; -+ operation_set_flag(operation, OP_FLAG_TOMBSTONE_ENTRY); - } - } - -diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c 
b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c -index b41a2d241..5797dd779 100644 ---- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c -+++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c -@@ -2824,7 +2824,8 @@ _entryrdn_delete_key(backend *be, - break; - } - childelem = (rdn_elem *)dataret.data; -- if (!slapi_is_special_rdn(childelem->rdn_elem_nrdn_rdn, RDN_IS_TOMBSTONE)) { -+ if (!slapi_is_special_rdn(childelem->rdn_elem_nrdn_rdn, RDN_IS_TOMBSTONE) && -+ !strcasestr(childelem->rdn_elem_nrdn_rdn, "cenotaphid")) { - /* there's at least one live child */ - slapi_log_err(SLAPI_LOG_ERR, "_entryrdn_delete_key", - "Failed to remove %s; has a child %s\n", nrdn, -diff --git a/ldap/servers/slapd/back-ldbm/parents.c b/ldap/servers/slapd/back-ldbm/parents.c -index 79e66451e..1afc795c0 100644 ---- a/ldap/servers/slapd/back-ldbm/parents.c -+++ b/ldap/servers/slapd/back-ldbm/parents.c -@@ -89,7 +89,11 @@ parent_update_on_childchange(modify_context *mc, int op, size_t *new_sub_count) - } - } - -- if (PARENTUPDATE_DELETE_TOMBSTONE != repl_op) { -+ if ((PARENTUPDATE_ADD == op) && (PARENTUPDATE_CREATE_TOMBSTONE == repl_op)) { -+ /* we are directly adding a tombstone entry, only need to -+ * update the tombstone subordinates -+ */ -+ } else if (PARENTUPDATE_DELETE_TOMBSTONE != repl_op) { - /* are we adding ? 
*/ - if (((PARENTUPDATE_ADD == op) || (PARENTUPDATE_RESURECT == op)) && !already_present) { - /* If so, and the parent entry does not already have a subcount -@@ -136,10 +140,10 @@ parent_update_on_childchange(modify_context *mc, int op, size_t *new_sub_count) - } - } - -- /* tombstoneNumSubordinates is needed only when this is repl op -- * and a child is being deleted */ -+ /* tombstoneNumSubordinates has to be updated if a tombstone child has been -+ * deleted or a tombstone has been directly added (cenotaph) */ - current_sub_count = LDAP_MAXINT; -- if ((repl_op && (PARENTUPDATE_DEL == op)) || (PARENTUPDATE_RESURECT == op)) { -+ if (repl_op) { - ret = slapi_entry_attr_find(mc->old_entry->ep_entry, - tombstone_numsubordinates, &read_attr); - if (0 == ret) { -diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c -index 32828b4e2..b85e9f5b0 100644 ---- a/ldap/servers/slapd/entry.c -+++ b/ldap/servers/slapd/entry.c -@@ -3238,6 +3238,37 @@ slapi_entry_has_children(const Slapi_Entry *entry) - return slapi_entry_has_children_ext(entry, 0); - } - -+int -+slapi_entry_has_conflict_children(const Slapi_Entry *entry, void *plg_id) -+{ -+ Slapi_PBlock *search_pb = NULL; -+ Slapi_Entry **entries; -+ int rc = 0; -+ -+ search_pb = slapi_pblock_new(); -+ slapi_search_internal_set_pb(search_pb, slapi_entry_get_dn_const(entry), -+ LDAP_SCOPE_ONELEVEL, -+ "(&(objectclass=ldapsubentry)(nsds5ReplConflict=namingConflict*))", -+ NULL, 0, NULL, NULL, plg_id, 0); -+ slapi_search_internal_pb(search_pb); -+ slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc); -+ if (rc) { -+ rc = -1; -+ } else { -+ slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries); -+ if (entries && entries[0]) { -+ /* we found at least one conflict entry */ -+ rc = 1; -+ } else { -+ rc = 0; -+ } -+ slapi_free_search_results_internal(search_pb); -+ } -+ slapi_pblock_destroy(search_pb); -+ -+ return rc; -+} -+ - /* - * Renames an entry to simulate a MODRDN operation - */ -diff 
--git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h -index 95cdcc0da..6978e258f 100644 ---- a/ldap/servers/slapd/slapi-plugin.h -+++ b/ldap/servers/slapd/slapi-plugin.h -@@ -2000,6 +2000,8 @@ int slapi_entry_has_children(const Slapi_Entry *e); - */ - int slapi_entry_has_children_ext(const Slapi_Entry *e, int include_tombstone); - -+int slapi_entry_has_conflict_children(const Slapi_Entry *e, void *plg_id); -+ - /** - * This function determines if an entry is the root DSE. - * -diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h -index 548d5cabb..b08c0d7ce 100644 ---- a/ldap/servers/slapd/slapi-private.h -+++ b/ldap/servers/slapd/slapi-private.h -@@ -403,6 +403,7 @@ char *slapi_filter_to_string_internal(const struct slapi_filter *f, char *buf, s - #define OP_FLAG_NEVER_CHAIN SLAPI_OP_FLAG_NEVER_CHAIN /* 0x000800 */ - #define OP_FLAG_TOMBSTONE_ENTRY SLAPI_OP_FLAG_TOMBSTONE_ENTRY /* 0x001000 */ - #define OP_FLAG_RESURECT_ENTRY 0x002000 -+#define OP_FLAG_CENOTAPH_ENTRY 0x004000 - #define OP_FLAG_ACTION_NOLOG 0x008000 /* Do not log the entry in \ - * audit log or change log \ - */ -diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c -index 4bd8895ff..3f9d5d995 100644 ---- a/ldap/servers/slapd/task.c -+++ b/ldap/servers/slapd/task.c -@@ -2352,10 +2352,10 @@ task_fixup_tombstone_thread(void *arg) - - if (task_data->stripcsn) { - /* find tombstones with nsTombstoneCSN */ -- filter = "(&(nstombstonecsn=*)(objectclass=nsTombstone))"; -+ filter = "(&(nstombstonecsn=*)(objectclass=nsTombstone)(|(objectclass=*)(objectclass=ldapsubentry)))"; - } else { - /* find tombstones missing nsTombstoneCSN */ -- filter = "(&(!(nstombstonecsn=*))(objectclass=nsTombstone))"; -+ filter = "(&(!(nstombstonecsn=*))(objectclass=nsTombstone)(|(objectclass=*)(objectclass=ldapsubentry)))"; - } - - /* Okay check the specified backends only */ --- -2.13.6 - 
diff --git a/SOURCES/0068-Ticket-49551-fix-memory-leak-found-by-coverity.patch b/SOURCES/0068-Ticket-49551-fix-memory-leak-found-by-coverity.patch
deleted file mode 100644
index efa2ee4..0000000
--- a/SOURCES/0068-Ticket-49551-fix-memory-leak-found-by-coverity.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From a88eea7e06a8e0a7367b2d266f9db37f6d5bbb4a Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz
-Date: Mon, 12 Feb 2018 16:27:03 +0100
-Subject: [PATCH] Ticket 49551 - fix memory leak found by coverity
-
----
- ldap/servers/plugins/replication/repl5_replica.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
-index 628fb9ceb..e3ddd783d 100644
---- a/ldap/servers/plugins/replication/repl5_replica.c
-+++ b/ldap/servers/plugins/replication/repl5_replica.c
-@@ -3002,6 +3002,7 @@ process_reap_entry(Slapi_Entry *entry, void *cb_data)
- if the value is set in the replica, we will know about it immediately */
- PRBool *tombstone_reap_stop = ((reap_callback_data *)cb_data)->tombstone_reap_stop;
- const CSN *deletion_csn = NULL;
-+ int deletion_csn_free = 0;
- int rc = -1;
-
- /* abort reaping if we've been told to stop or we're shutting down */
-@@ -3024,6 +3025,7 @@ process_reap_entry(Slapi_Entry *entry, void *cb_data)
- char *tombstonecsn = slapi_entry_attr_get_charptr(entry, SLAPI_ATTR_TOMBSTONE_CSN);
- if (tombstonecsn) {
- deletion_csn = csn_new_by_string(tombstonecsn);
-+ deletion_csn_free = 1;
- slapi_ch_free_string(&tombstonecsn);
- }
- }
-@@ -3056,6 +3058,9 @@ process_reap_entry(Slapi_Entry *entry, void *cb_data)
- /* Don't update the count for the database tombstone entry */
- (*num_entriesp)++;
- }
-+ if (deletion_csn_free) {
-+ csn_free(&deletion_csn);
-+ }
-
- return 0;
- }
---
-2.13.6
-
diff --git a/SOURCES/0069-Ticket-48184-revert-previous-patch-around-nunc-stans.patch b/SOURCES/0069-Ticket-48184-revert-previous-patch-around-nunc-stans.patch
deleted file mode 100644
index a87c42e..0000000
--- a/SOURCES/0069-Ticket-48184-revert-previous-patch-around-nunc-stans.patch
+++ /dev/null
@@ -1,204 +0,0 @@ -From 7d5ae77d840afda65020237f87a4535f09f0b462 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 29 Mar 2018 13:24:47 -0400 -Subject: [PATCH] Ticket 48184 - revert previous patch around unuc-stans - shutdown crash - -https://pagure.io/389-ds-base/issue/48184 ---- - ldap/servers/slapd/conntable.c | 13 -------- - ldap/servers/slapd/daemon.c | 76 +++++++++++++++++------------------------- - ldap/servers/slapd/fe.h | 1 - - ldap/servers/slapd/slap.h | 1 - - 4 files changed, 30 insertions(+), 61 deletions(-) - -diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c -index f2f763dfa..7c57b47cd 100644 ---- a/ldap/servers/slapd/conntable.c -+++ b/ldap/servers/slapd/conntable.c -@@ -91,19 +91,6 @@ connection_table_abandon_all_operations(Connection_Table *ct) - } - } - --void --connection_table_disconnect_all(Connection_Table *ct) --{ -- for (size_t i = 0; i < ct->size; i++) { -- if (ct->c[i].c_mutex) { -- Connection *c = &(ct->c[i]); -- PR_EnterMonitor(c->c_mutex); -- disconnect_server_nomutex(c, c->c_connid, -1, SLAPD_DISCONNECT_ABORT, ECANCELED); -- PR_ExitMonitor(c->c_mutex); -- } -- } --} -- - /* Given a file descriptor for a socket, this function will return - * a slot in the connection table to use. - * -diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c -index c245a4d4e..fcc461a90 100644 ---- a/ldap/servers/slapd/daemon.c -+++ b/ldap/servers/slapd/daemon.c -@@ -1176,30 +1176,6 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp) - housekeeping_stop(); /* Run this after op_thread_cleanup() logged sth */ - disk_monitoring_stop(); - -- /* -- * Now that they are abandonded, we need to mark them as done. -- * In NS while it's safe to allow excess jobs to be cleaned by -- * by the walk and ns_job_done of remaining queued events, the -- * issue is that if we allow something to live past this point -- * the CT is freed from underneath, and bad things happen (tm). 
-- * -- * NOTE: We do this after we stop psearch, because there could -- * be a race between flagging the psearch done, and users still -- * try to send on the connection. Similar with op_threads. -- */ -- connection_table_disconnect_all(the_connection_table); -- -- /* -- * WARNING: Normally we should close the tp in main -- * but because of issues in the current connection design -- * we need to close it here to guarantee events won't fire! -- * -- * All the connection close jobs "should" complete before -- * shutdown at least. -- */ -- ns_thrpool_shutdown(tp); -- ns_thrpool_wait(tp); -- - threads = g_get_active_threadcnt(); - if (threads > 0) { - slapi_log_err(SLAPI_LOG_INFO, "slapd_daemon", -@@ -1652,18 +1628,25 @@ ns_handle_closure(struct ns_job_t *job) - Connection *c = (Connection *)ns_job_get_data(job); - int do_yield = 0; - -+/* this function must be called from the event loop thread */ -+#ifdef DEBUG -+ PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job))); -+#else -+ /* This doesn't actually confirm it's in the event loop thread, but it's a start */ -+ if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) { -+ slapi_log_err(SLAPI_LOG_ERR, "ns_handle_closure", "Attempt to close outside of event loop thread %" PRIu64 " for fd=%d\n", -+ c->c_connid, c->c_sd); -+ return; -+ } -+#endif -+ - PR_EnterMonitor(c->c_mutex); -- /* Assert we really have the right job state. */ -- PR_ASSERT(job == c->c_job); - - connection_release_nolock_ext(c, 1); /* release ref acquired for event framework */ - PR_ASSERT(c->c_ns_close_jobs == 1); /* should be exactly 1 active close job - this one */ - c->c_ns_close_jobs--; /* this job is processing closure */ -- /* Because handle closure will add a new job, we need to detach our current one. */ -- c->c_job = NULL; - do_yield = ns_handle_closure_nomutex(c); - PR_ExitMonitor(c->c_mutex); -- /* Remove this task now. 
*/ - ns_job_done(job); - if (do_yield) { - /* closure not done - another reference still outstanding */ -@@ -1686,14 +1669,6 @@ ns_connection_post_io_or_closing(Connection *conn) - return; - } - -- /* -- * Cancel any existing ns jobs we have registered. -- */ -- if (conn->c_job != NULL) { -- ns_job_done(conn->c_job); -- conn->c_job = NULL; -- } -- - if (CONN_NEEDS_CLOSING(conn)) { - /* there should only ever be 0 or 1 active closure jobs */ - PR_ASSERT((conn->c_ns_close_jobs == 0) || (conn->c_ns_close_jobs == 1)); -@@ -1703,10 +1678,13 @@ ns_connection_post_io_or_closing(Connection *conn) - conn->c_connid, conn->c_sd); - return; - } else { -+ /* just make sure we schedule the event to be closed in a timely manner */ -+ tv.tv_sec = 0; -+ tv.tv_usec = slapd_wakeup_timer * 1000; - conn->c_ns_close_jobs++; /* now 1 active closure job */ - connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */ -- /* Close the job asynchronously. Why? 
*/ -- ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handle_closure, conn, &(conn->c_job)); -+ ns_result_t job_result = ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER, -+ ns_handle_closure, conn, NULL); - if (job_result != NS_SUCCESS) { - if (job_result == NS_SHUTDOWN) { - slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post closure job " -@@ -1750,7 +1728,7 @@ ns_connection_post_io_or_closing(Connection *conn) - #endif - ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv, - NS_JOB_READ | NS_JOB_PRESERVE_FD, -- ns_handle_pr_read_ready, conn, &(conn->c_job)); -+ ns_handle_pr_read_ready, conn, NULL); - if (job_result != NS_SUCCESS) { - if (job_result == NS_SHUTDOWN) { - slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post I/O job for " -@@ -1779,12 +1757,19 @@ ns_handle_pr_read_ready(struct ns_job_t *job) - int maxthreads = config_get_maxthreadsperconn(); - Connection *c = (Connection *)ns_job_get_data(job); - -- PR_EnterMonitor(c->c_mutex); -- /* Assert we really have the right job state. 
*/ -- PR_ASSERT(job == c->c_job); -+/* this function must be called from the event loop thread */ -+#ifdef DEBUG -+ PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job))); -+#else -+ /* This doesn't actually confirm it's in the event loop thread, but it's a start */ -+ if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) { -+ slapi_log_err(SLAPI_LOG_ERR, "ns_handle_pr_read_ready", "Attempt to handle read ready outside of event loop thread %" PRIu64 " for fd=%d\n", -+ c->c_connid, c->c_sd); -+ return; -+ } -+#endif - -- /* On all code paths we remove the job, so set it null now */ -- c->c_job = NULL; -+ PR_EnterMonitor(c->c_mutex); - - slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "activity on conn %" PRIu64 " for fd=%d\n", - c->c_connid, c->c_sd); -@@ -1844,7 +1829,6 @@ ns_handle_pr_read_ready(struct ns_job_t *job) - slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "queued conn %" PRIu64 " for fd=%d\n", - c->c_connid, c->c_sd); - } -- /* Since we call done on the job, we need to remove it here. 
*/ - PR_ExitMonitor(c->c_mutex); - ns_job_done(job); - return; -diff --git a/ldap/servers/slapd/fe.h b/ldap/servers/slapd/fe.h -index f47bb6145..4d25a9fb8 100644 ---- a/ldap/servers/slapd/fe.h -+++ b/ldap/servers/slapd/fe.h -@@ -100,7 +100,6 @@ extern Connection_Table *the_connection_table; /* JCM - Exported from globals.c - Connection_Table *connection_table_new(int table_size); - void connection_table_free(Connection_Table *ct); - void connection_table_abandon_all_operations(Connection_Table *ct); --void connection_table_disconnect_all(Connection_Table *ct); - Connection *connection_table_get_connection(Connection_Table *ct, int sd); - int connection_table_move_connection_out_of_active_list(Connection_Table *ct, Connection *c); - void connection_table_move_connection_on_to_active_list(Connection_Table *ct, Connection *c); -diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h -index 443d90094..9b10aa19e 100644 ---- a/ldap/servers/slapd/slap.h -+++ b/ldap/servers/slapd/slap.h -@@ -1651,7 +1651,6 @@ typedef struct conn - void *c_io_layer_cb_data; /* callback data */ - struct connection_table *c_ct; /* connection table that this connection belongs to */ - ns_thrpool_t *c_tp; /* thread pool for this connection */ -- struct ns_job_t *c_job; /* If it exists, the current ns_job_t */ - int c_ns_close_jobs; /* number of current close jobs */ - char *c_ipaddr; /* ip address str - used by monitor */ - } Connection; --- -2.13.6 - diff --git a/SOURCES/0070-Ticket-49619-adjustment-of-csn_generator-can-fail-so.patch b/SOURCES/0070-Ticket-49619-adjustment-of-csn_generator-can-fail-so.patch deleted file mode 100644 index 7fc3da9..0000000 --- a/SOURCES/0070-Ticket-49619-adjustment-of-csn_generator-can-fail-so.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From d606691d341dfffee0b02fc55fb29f74f975e775 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Wed, 21 Mar 2018 18:26:16 +0100 -Subject: [PATCH] Ticket 49619 - adjustment of csn_generator can fail so next - generated csn can be equal to the most recent one received - -Bug Description: - On consumer side csn_generator ajustment occurs (let CSN = highest known csn) - - when a replication session starts - when a csn is generated locally and than csn is <= CSN - - During adjustment, in the case - - there is no remote/local offset (time change) - the current_time on the consumer is identical to CSN - - Then next locally generated csn will only differ with seqnum - - The seqnum of the csn_generator is increased only if CSN.seqnum is larger - than the csn_generator one. - In case of egality, it remains unchanged. - - The consequence is that the next locally generated csn will be identical to CSN (except for the RID). - So even after csn_generator adjustment, csn_generator may create csn that are not larger than the CSN - -Fix Description: - compare the new generated timestamp (time+offsets) with adjustment one. 
- If the new is greater or EQUAL, make sure the local seqnum is ahead the remote one - -https://pagure.io/389-ds-base/issue/49619 - -Reviewed by: Mark Reynolds - -Platforms tested: F27 - -Flag Day: no - -Doc impact: no ---- - ldap/servers/slapd/csngen.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/csngen.c b/ldap/servers/slapd/csngen.c -index 287ea847e..4ac45acf0 100644 ---- a/ldap/servers/slapd/csngen.c -+++ b/ldap/servers/slapd/csngen.c -@@ -331,7 +331,7 @@ csngen_adjust_time(CSNGen *gen, const CSN *csn) - /* let's revisit the seq num - if the new time is > the old - tiem, we should reset the seq number to remote + 1 if - this won't cause a wrap around */ -- if (new_time > cur_time) { -+ if (new_time >= cur_time) { - /* just set seq_num regardless of whether the current one - is < or > than the remote one - the goal of this function - is to make sure we generate CSNs > the remote CSN - if --- -2.13.6 - diff --git a/SOURCES/0071-Ticket-49161-memberof-fails-if-group-is-moved-into-s.patch b/SOURCES/0071-Ticket-49161-memberof-fails-if-group-is-moved-into-s.patch deleted file mode 100644 index 411720a..0000000 --- a/SOURCES/0071-Ticket-49161-memberof-fails-if-group-is-moved-into-s.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From 293361f34d935080c1d8d0e73b4355b48faebe2a Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz
-Date: Tue, 27 Feb 2018 13:56:14 +0100
-Subject: [PATCH] Ticket 49161 - memberof fails if group is moved into scope
-
-if the DEL part of the replace of memberof fails because it does not exist
-just add the new memberof values
-
-Reviwed by: Mark, thanks
----
- ldap/servers/plugins/memberof/memberof.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
-index fcfa7817d..2f46167dc 100644
---- a/ldap/servers/plugins/memberof/memberof.c
-+++ b/ldap/servers/plugins/memberof/memberof.c
-@@ -1710,6 +1710,13 @@ memberof_modop_one_replace_r(Slapi_PBlock *pb, MemberOfConfig *config, int mod_o
- replace_mod.mod_values = replace_val;
- }
- rc = memberof_add_memberof_attr(mods, op_to, config->auto_add_oc);
-+ if (rc == LDAP_NO_SUCH_ATTRIBUTE) {
-+ /* the memberof values to be replaced do not exist
-+ * just add the new values */
-+ mods[0] = mods[1];
-+ mods[1] = NULL;
-+ rc = memberof_add_memberof_attr(mods, op_to, config->auto_add_oc);
-+ }
- }
- }
-
---
-2.13.6
-
diff --git a/SOURCES/0072-Ticket-49296-Fix-race-condition-in-connection-code-w.patch b/SOURCES/0072-Ticket-49296-Fix-race-condition-in-connection-code-w.patch
deleted file mode 100644
index e920975..0000000
--- a/SOURCES/0072-Ticket-49296-Fix-race-condition-in-connection-code-w.patch
+++ /dev/null
@@ -1,101 +0,0 @@ -From dd12327d1523f3ff9d6ae8b44b640fb9d0d2d53b Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Mon, 19 Feb 2018 10:44:36 -0500 -Subject: [PATCH] Ticket 49296 - Fix race condition in connection code with - anonymous limits - -Bug Description: When a connection first comes in we set the anonymous - resource limits (if set) before we do anything else. The - way we check if the connection is "new" was flawed. It - assumed the connection was new if no operations were - completed yet, but there was a small window between sending - the result and setting that the operation completed in the - connection struct. - - So on a connection that binds and then does a search, when - the server sends the bind result the client sends the search, - but the search op/activity can be picked up before we set - c_opscompleted. This opens a window where the code thinks - the search op is the first op(new connection), and it incorrectly - sets the anonymous limits for the bind dn. - -Fix description: Do not use c_opscompleted to determine if a connection is new, - instead use a new flag to set the connection "initialized", - which prevents the race condition. - -https://pagure.io/389-ds-base/issue/49296 - -Reviewed by: firstyear(Thanks!) 
- -(cherry picked from commit 0d5214d08e6b5b39fb9d5ef5cf3d8834574954f1) ---- - ldap/servers/slapd/connection.c | 12 +++++++++++- - ldap/servers/slapd/slap.h | 7 +++---- - 2 files changed, 14 insertions(+), 5 deletions(-) - -diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c -index 5d2b64ed2..5ca32a333 100644 ---- a/ldap/servers/slapd/connection.c -+++ b/ldap/servers/slapd/connection.c -@@ -217,6 +217,7 @@ connection_cleanup(Connection *conn) - conn->c_connid = 0; - conn->c_opsinitiated = 0; - conn->c_opscompleted = 0; -+ conn->c_anonlimits_set = 0; - conn->c_threadnumber = 0; - conn->c_refcnt = 0; - conn->c_idlesince = 0; -@@ -1549,7 +1550,9 @@ connection_threadmain() - g_decr_active_threadcnt(); - return; - } -- if (pb_conn->c_opscompleted == 0) { -+ -+ PR_EnterMonitor(pb_conn->c_mutex); -+ if (pb_conn->c_anonlimits_set == 0) { - /* - * We have a new connection, set the anonymous reslimit idletimeout - * if applicable. -@@ -1568,7 +1571,14 @@ connection_threadmain() - } - } - slapi_ch_free_string(&anon_dn); -+ /* -+ * Set connection as initialized to avoid setting anonymous limits -+ * multiple times on the same connection -+ */ -+ pb_conn->c_anonlimits_set = 1; - } -+ PR_ExitMonitor(pb_conn->c_mutex); -+ - if (connection_call_io_layer_callbacks(pb_conn)) { - slapi_log_err(SLAPI_LOG_ERR, "connection_threadmain", - "Could not add/remove IO layers from connection\n"); -diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h -index 9b10aa19e..03355f5fe 100644 ---- a/ldap/servers/slapd/slap.h -+++ b/ldap/servers/slapd/slap.h -@@ -1616,6 +1616,7 @@ typedef struct conn - PRUint64 c_maxthreadsblocked; /* # of operations blocked by maxthreads */ - int c_opsinitiated; /* # ops initiated/next op id */ - PRInt32 c_opscompleted; /* # ops completed */ -+ uint64_t c_anonlimits_set; /* default anon limits are set */ - PRInt32 c_threadnumber; /* # threads used in this conn */ - int c_refcnt; /* # ops refering to this conn */ - PRMonitor 
*c_mutex; /* protect each conn structure; need to be re-entrant */ -@@ -1623,10 +1624,8 @@ typedef struct conn - time_t c_idlesince; /* last time of activity on conn */ - int c_idletimeout; /* local copy of idletimeout */ - int c_idletimeout_handle; /* the resource limits handle */ -- Conn_private *c_private; /* data which is not shared outside*/ -- /* connection.c */ -- int c_flags; /* Misc flags used only for SSL */ -- /* status currently */ -+ Conn_private *c_private; /* data which is not shared outside connection.c */ -+ int c_flags; /* Misc flags used only for SSL status currently */ - int c_needpw; /* need new password */ - CERTCertificate *c_client_cert; /* Client's Cert */ - PRFileDesc *c_prfd; /* NSPR 2.1 FileDesc */ --- -2.13.6 - diff --git a/SOURCES/0073-Ticket-49540-Indexing-task-is-reported-finished-too-.patch b/SOURCES/0073-Ticket-49540-Indexing-task-is-reported-finished-too-.patch deleted file mode 100644 index b811f38..0000000 --- a/SOURCES/0073-Ticket-49540-Indexing-task-is-reported-finished-too-.patch +++ /dev/null 
@@ -1,206 +0,0 @@ -From 3dac3503087b6bae9e6e3d63a8214e8be65a145b Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Fri, 19 Jan 2018 17:50:59 +0100 -Subject: [PATCH 05/10] Ticket 49540 - Indexing task is reported finished too - early regarding the backend status - -Bug Description: - If a task complete successfully, its status is updated before the backend - can receive update. - -Fix Description: - postpone the task status update after backend is reenabled - -https://pagure.io/389-ds-base/issue/49540 - -Reviewed by: Ludwig Krispenz - -Platforms tested: F26 - -Flag Day: no - -Doc impact: no ---- - dirsrvtests/tests/tickets/ticket49540_test.py | 135 ++++++++++++++++++++++++++ - ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 16 +-- - 2 files changed, 145 insertions(+), 6 deletions(-) - create mode 100644 dirsrvtests/tests/tickets/ticket49540_test.py - -diff --git a/dirsrvtests/tests/tickets/ticket49540_test.py b/dirsrvtests/tests/tickets/ticket49540_test.py -new file mode 100644 -index 000000000..1fbfde2c5 ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket49540_test.py -@@ -0,0 +1,135 @@ -+import logging -+import pytest -+import os -+import ldap -+import time -+import re -+from lib389._constants import * -+from lib389.tasks import * -+from lib389.topologies import topology_st as topo -+from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES -+from lib389 import Entry -+ -+ -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+HOMEDIRECTORY_INDEX = 'cn=homeDirectory,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config' -+HOMEDIRECTORY_CN = "homedirectory" -+MATCHINGRULE = 'nsMatchingRule' -+USER_CN = 'user_' -+ -+def create_index_entry(topo): -+ log.info("\n\nindex homeDirectory") -+ try: -+ ent = topo.getEntry(HOMEDIRECTORY_INDEX, ldap.SCOPE_BASE) -+ except 
ldap.NO_SUCH_OBJECT: -+ topo.add_s(Entry((HOMEDIRECTORY_INDEX, { -+ 'objectclass': "top nsIndex".split(), -+ 'cn': HOMEDIRECTORY_CN, -+ 'nsSystemIndex': 'false', -+ MATCHINGRULE: ['caseIgnoreIA5Match', 'caseExactIA5Match' ], -+ 'nsIndexType': ['eq', 'sub', 'pres']}))) -+ -+ -+def provision_users(topo): -+ test_users = [] -+ homeValue = b'x' * (32 * 1024) # just to slow down indexing -+ for i in range(100): -+ CN = '%s%d' % (USER_CN, i) -+ users = UserAccounts(topo, SUFFIX) -+ user_props = TEST_USER_PROPERTIES.copy() -+ user_props.update({'uid': CN, 'cn': CN, 'sn': '_%s' % CN, HOMEDIRECTORY_CN: homeValue}) -+ testuser = users.create(properties=user_props) -+ test_users.append(testuser) -+ return test_users -+ -+def start_start_status(server): -+ args = {TASK_WAIT: False} -+ indexTask = Tasks(server) -+ indexTask.reindex(suffix=SUFFIX, attrname='homeDirectory', args=args) -+ return indexTask -+ -+def check_task_status(server, indexTask, test_entry): -+ finish_pattern = re.compile(".*Finished indexing.*") -+ mod = [(ldap.MOD_REPLACE, 'sn', b'foo')] -+ for i in range(10): -+ log.info("check_task_status =========> %d th loop" % i) -+ try: -+ ent = server.getEntry(indexTask.dn, ldap.SCOPE_BASE) -+ if ent.hasAttr('nsTaskStatus'): -+ value = str(ent.getValue('nsTaskStatus')) -+ finish = finish_pattern.search(value) -+ log.info("%s ---> %s" % (indexTask.dn, value)) -+ else: -+ finish = None -+ log.info("%s ---> NO STATUS" % (indexTask.dn)) -+ -+ if not finish: -+ # This is not yet finished try an update -+ try: -+ server.modify_s(test_entry, mod) -+ -+ # weird, may be indexing just complete -+ ent = server.getEntry(indexTask.dn, ldap.SCOPE_BASE, ['nsTaskStatus']) -+ assert (ent.hasAttr('nsTaskStatus') and regex.search(ent.getValue('nsTaskStatus'))) -+ log.info("Okay, it just finished so the MOD was successful") -+ except ldap.UNWILLING_TO_PERFORM: -+ log.info("=========> Great it was expected in the middle of index") -+ else: -+ # The update should be successful -+ 
server.modify_s(test_entry, mod) -+ -+ except ldap.NO_SUCH_OBJECT: -+ log.info("%s: no found" % (indexTask.dn)) -+ -+ time.sleep(1) -+ -+def test_ticket49540(topo): -+ """Specify a test case purpose or name here -+ -+ :id: 1df16d5a-1b92-46b7-8435-876b87545748 -+ :setup: Standalone Instance -+ :steps: -+ 1. Create homeDirectory index (especially with substring) -+ 2. Creates 100 users with large homeDirectory value => long to index -+ 3. Start an indexing task WITHOUT waiting for its completion -+ 4. Monitor that until task.status = 'Finish', any update -> UNWILLING to perform -+ :expectedresults: -+ 1. Index configuration succeeds -+ 2. users entry are successfully created -+ 3. Indexing task is started -+ 4. If the task.status does not contain 'Finished indexing', any update should return UNWILLING_TO_PERFORM -+ When it contains 'Finished indexing', updates should be successful -+ """ -+ -+ server = topo.standalone -+ create_index_entry(server) -+ test_users = provision_users(server) -+ -+ indexTask = start_start_status(server) -+ check_task_status(server, indexTask, test_users[0].dn) -+ -+ # If you need any test suite initialization, -+ # please, write additional fixture for that (including finalizer). -+ # Topology for suites are predefined in lib389/topologies.py. -+ -+ # If you need host, port or any other data about instance, -+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid) -+ -+ if DEBUGGING: -+ # Add debugging steps(if any)... 
-+ pass -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main(["-s", CURRENT_FILE]) -+ -diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -index 4347c1721..16b87ee6b 100644 ---- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c -@@ -2562,12 +2562,7 @@ ldbm_back_ldbm2index(Slapi_PBlock *pb) - vlvIndex_go_online(pvlv[vlvidx], be); - } - -- if (task) { -- slapi_task_log_status(task, "%s: Finished indexing.", -- inst->inst_name); -- slapi_task_log_notice(task, "%s: Finished indexing.", -- inst->inst_name); -- } -+ /* if it was a task, its status will be updated later after backend is ready for update */ - slapi_log_err(SLAPI_LOG_INFO, "ldbm_back_ldbm2index", "%s: Finished indexing.\n", - inst->inst_name); - return_value = 0; /* success */ -@@ -2591,6 +2586,15 @@ err_min: - dblayer_release_id2entry(be, db); /* nope */ - instance_set_not_busy(inst); - -+ if (return_value == 0) { -+ if (task) { -+ slapi_task_log_status(task, "%s: Finished indexing.", -+ inst->inst_name); -+ slapi_task_log_notice(task, "%s: Finished indexing.", -+ inst->inst_name); -+ } -+ } -+ - if (run_from_cmdline) { - dblayer_instance_close(be); - if (0 != dblayer_close(li, DBLAYER_INDEX_MODE)) { --- -2.13.6 - diff --git a/SOURCES/0074-Ticket-49566-ds-replcheck-needs-to-work-with-hidden-.patch b/SOURCES/0074-Ticket-49566-ds-replcheck-needs-to-work-with-hidden-.patch deleted file mode 100644 index d311158..0000000 --- a/SOURCES/0074-Ticket-49566-ds-replcheck-needs-to-work-with-hidden-.patch +++ /dev/null 
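Review bot: `regex` is not defined in check_task_status, so the assertion that follows `server.modify_s(test_entry, mod)` in the not-finished branch raises NameError instead of checking the task status, unless one of the star imports happens to provide that name. The pattern compiled in this function is `finish_pattern`; the line should read `assert ent.hasAttr('nsTaskStatus') and finish_pattern.search(str(ent.getValue('nsTaskStatus')))`. The loop also ends after ten one-second iterations without asserting that the task ever reported "Finished indexing", so a run in which indexing never completes would still pass.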
@@ -1,157 +0,0 @@ -From 22cf575ae7aea204c3e3974c645725a25f4e09e6 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 14 Feb 2018 20:25:34 -0500 -Subject: [PATCH] Ticket 49566 - ds-replcheck needs to work with hidden - conflict entries - -Description: Conflict entries are now hidden and the tool needs to account - for it. The filter needs to include "objectclass=ldapsubentry" - - Added option to prompt for password, and cleaned up man page. - -https://pagure.io/389-ds-base/issue/49566 - -Reviewed by: spichugi(Thanks!) - -(cherry picked from commit 9e2009ae7105dda5493d4d60b20f15ffb369ab26) ---- - ldap/admin/src/scripts/ds-replcheck | 23 ++++++++++++++++------- - man/man1/ds-replcheck.1 | 14 +++++++++++--- - 2 files changed, 27 insertions(+), 10 deletions(-) - -diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck -index 0b7e70ee8..45c4670a3 100755 ---- a/ldap/admin/src/scripts/ds-replcheck -+++ b/ldap/admin/src/scripts/ds-replcheck -@@ -14,6 +14,7 @@ import time - import ldap - import ldapurl - import argparse -+import getpass - - from ldap.ldapobject import SimpleLDAPObject - from ldap.cidict import cidict -@@ -878,14 +879,16 @@ def do_online_report(opts, output_file=None): - controls = [paged_ctrl] - req_pr_ctrl = controls[0] - try: -- master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, "objectclass=*", -+ master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, -+ "(|(objectclass=*)(objectclass=ldapsubentry))", - ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], - serverctrls=controls) - except ldap.LDAPError as e: - print("Error: Failed to get Master entries: %s", str(e)) - exit(1) - try: -- replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, "objectclass=*", -+ replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, -+ "(|(objectclass=*)(objectclass=ldapsubentry))", - ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], - 
serverctrls=controls) - except ldap.LDAPError as e: -@@ -928,7 +931,8 @@ def do_online_report(opts, output_file=None): - if m_pctrls[0].cookie: - # Copy cookie from response control to request control - req_pr_ctrl.cookie = m_pctrls[0].cookie -- master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, "objectclass=*", -+ master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, -+ "(|(objectclass=*)(objectclass=ldapsubentry))", - ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], serverctrls=controls) - else: - m_done = True # No more pages available -@@ -947,7 +951,8 @@ def do_online_report(opts, output_file=None): - if r_pctrls[0].cookie: - # Copy cookie from response control to request control - req_pr_ctrl.cookie = r_pctrls[0].cookie -- replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, "objectclass=*", -+ replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, -+ "(|(objectclass=*)(objectclass=ldapsubentry))", - ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], serverctrls=controls) - else: - r_done = True # No more pages available -@@ -976,8 +981,9 @@ def main(): - parser = argparse.ArgumentParser(description=desc) - parser.add_argument('-v', '--verbose', help='Verbose output', action='store_true', default=False, dest='verbose') - parser.add_argument('-o', '--outfile', help='The output file', dest='file', default=None) -- parser.add_argument('-D', '--binddn', help='The Bind DN', dest='binddn', default="") -- parser.add_argument('-w', '--bindpw', help='The Bind password', dest='bindpw', default="") -+ parser.add_argument('-D', '--binddn', help='The Bind DN', dest='binddn', default=None) -+ parser.add_argument('-w', '--bindpw', help='The Bind password', dest='bindpw', default=None) -+ parser.add_argument('-W', '--prompt', help='Prompt for the bind password', action='store_true', dest='prompt', default=False) - parser.add_argument('-m', '--master_url', help='The LDAP URL for the 
Master server (REQUIRED)', - dest='murl', default=None) - parser.add_argument('-r', '--replica_url', help='The LDAP URL for the Replica server (REQUIRED)', -@@ -1012,7 +1018,7 @@ def main(): - elif (args.mldif is None and - (args.suffix is None or - args.binddn is None or -- args.bindpw is None or -+ (args.bindpw is None and args.prompt is False) or - args.murl is None or - args.rurl is None)): - print("\n-------> Missing required options for online mode!\n") -@@ -1098,6 +1104,9 @@ def main(): - print("Can't open file: " + args.file) - exit(1) - -+ if args.prompt: -+ opts['bindpw'] = getpass.getpass('Enter password:') -+ - if opts['mldif'] is not None and opts['rldif'] is not None: - print ("Performing offline report...") - do_offline_report(opts, OUTPUT_FILE) -diff --git a/man/man1/ds-replcheck.1 b/man/man1/ds-replcheck.1 -index 21b4802a5..3f14e11c8 100644 ---- a/man/man1/ds-replcheck.1 -+++ b/man/man1/ds-replcheck.1 -@@ -2,7 +2,7 @@ - .\" First parameter, NAME, should be all caps - .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection - .\" other parameters are allowed: see man(7), man(1) --.TH DS-REPLCHECK 1 "May 2, 2017" -+.TH DS-REPLCHECK 1 "Feb 14, 2018" - .\" Please adjust this date whenever revising the manpage. 
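Review bot: When both `-w` and `-W` are given, `if args.prompt: opts['bindpw'] = getpass.getpass('Enter password:')` silently replaces the supplied password, and the prompt also runs before the offline (LDIF) branch, where the hunk shows no bind. Guarding it with `if args.prompt and args.bindpw is None:` or declaring the two options mutually exclusive in argparse would remove the ambiguity. A password passed with `-w` is visible in the process list to other local users, so the help text for `-w` could point readers to `-W`. The filter `"(|(objectclass=*)(objectclass=ldapsubentry))"` is now repeated in four search_ext calls in do_online_report and would be safer as one module-level constant. Both main() and do_online_report() continue outside these hunks.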
- .\" - .\" Some roff macros, for reference: -@@ -19,7 +19,7 @@ - ds-replcheck - Performs replication synchronization report between two replicas - - .SH SYNOPSIS --ds-replcheck [-h] [-o FILE] [-D BINDDN] [-w BINDPW] [-m MURL] -+ds-replcheck [-h] [-o FILE] [-D BINDDN] [[-w BINDPW] [-W]] [-m MURL] - [-r RURL] [-b SUFFIX] [-l LAG] [-Z CERTDIR] - [-i IGNORE] [-p PAGESIZE] [-M MLDIF] [-R RLDIF] - -@@ -41,6 +41,10 @@ The Directory Manager DN, or root DN.a (online mode) - .B \fB\-w\fR \fIPASSWORD\fR - The Directory Manager password (online mode) - .TP -+.B \fB\-W\fR -+.br -+Prompt for the Directory Manager password (online mode) -+.TP - .B \fB\-m\fR \fILDAP_URL\fR - The LDAP Url for the first replica (online mode) - .TP -@@ -59,6 +63,10 @@ The directory containing a certificate database for StartTLS/SSL connections. ( - .B \fB\-i\fR \fIIGNORE LIST\fR - Comma separated list of attributes to ignore in the report (online & offline) - .TP -+.B \fB\-c\fR -+.br -+Display verbose conflict entry information -+.TP - .B \fB\-M\fR \fILDIF FILE\fR - The LDIF file for the first replica (offline mode) - .TP -@@ -81,5 +89,5 @@ ds-replcheck was written by the 389 Project. - .SH "REPORTING BUGS" - Report bugs to https://pagure.io/389-ds-base/new_issue - .SH COPYRIGHT --Copyright \(co 2017 Red Hat, Inc. -+Copyright \(co 2018 Red Hat, Inc. - --- -2.13.6 - diff --git a/SOURCES/0075-Ticket-49460-replica_write_ruv-log-a-failure-even-wh.patch b/SOURCES/0075-Ticket-49460-replica_write_ruv-log-a-failure-even-wh.patch deleted file mode 100644 index 9120697..0000000 --- a/SOURCES/0075-Ticket-49460-replica_write_ruv-log-a-failure-even-wh.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From a0c4a8d69735cb37e5b52b195ec632ce6d1f028f Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Tue, 21 Nov 2017 17:23:29 +0100 -Subject: [PATCH] Ticket 49460 - replica_write_ruv log a failure even when it - succeeds - -Bug Description: - Minor issue - If the update of the DB RUV returns a success LDAP_SUCCESS (internal modify), - it however logs an error as if it failed - - side effect of https://pagure.io/389-ds-base/issue/48118 - -Fix Description: - Log a message only on failure - -https://pagure.io/389-ds-base/issue/49460 - -Reviewed by: Ludwig Krispenz, William Brown - -Platforms tested: F23 - -Flag Day: no - -Doc impact: no ---- - dirsrvtests/tests/tickets/ticket49460_test.py | 115 +++++++++++++++++++++++ - ldap/servers/plugins/replication/repl5_replica.c | 3 +- - 2 files changed, 116 insertions(+), 2 deletions(-) - create mode 100644 dirsrvtests/tests/tickets/ticket49460_test.py - -diff --git a/dirsrvtests/tests/tickets/ticket49460_test.py b/dirsrvtests/tests/tickets/ticket49460_test.py -new file mode 100644 -index 000000000..296b3c9aa ---- /dev/null -+++ b/dirsrvtests/tests/tickets/ticket49460_test.py -@@ -0,0 +1,115 @@ -+import time -+import ldap -+import logging -+import pytest -+import os -+import re -+from lib389._constants import * -+from lib389.config import Config -+from lib389 import DirSrv, Entry -+from lib389.topologies import topology_m3 as topo -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+USER_CN="user" -+ -+def add_user(server, no, desc='dummy', sleep=True): -+ cn = '%s%d' % (USER_CN, no) -+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX) -+ log.fatal('Adding user (%s): ' % dn) -+ server.add_s(Entry((dn, {'objectclass': ['top', 'person', 'inetuser', 'userSecurityInformation'], -+ 'sn': ['_%s' % cn], -+ 'description': [desc]}))) -+ time.sleep(1) -+ 
-+def check_user(server, no, timeout=10): -+ -+ cn = '%s%d' % (USER_CN, no) -+ dn = 'cn=%s,ou=people,%s' % (cn, SUFFIX) -+ found = False -+ cpt = 0 -+ while cpt < timeout: -+ try: -+ server.getEntry(dn, ldap.SCOPE_BASE, "(objectclass=*)") -+ found = True -+ break -+ except ldap.NO_SUCH_OBJECT: -+ time.sleep(1) -+ cpt += 1 -+ return found -+ -+def pattern_errorlog(server, log_pattern): -+ file_obj = open(server.errlog, "r") -+ -+ found = None -+ # Use a while true iteration because 'for line in file: hit a -+ while True: -+ line = file_obj.readline() -+ found = log_pattern.search(line) -+ if ((line == '') or (found)): -+ break -+ -+ return found -+ -+def test_ticket_49460(topo): -+ """Specify a test case purpose or name here -+ -+ :id: d1aa2e8b-e6ab-4fc6-9c63-c6f622544f2d -+ :setup: Fill in set up configuration here -+ :steps: -+ 1. Enable replication logging -+ 2. Do few updates to generatat RUV update -+ :expectedresults: -+ 1. No report of failure when the RUV is updated -+ """ -+ -+ M1 = topo.ms["master1"] -+ M2 = topo.ms["master2"] -+ M3 = topo.ms["master3"] -+ -+ for i in (M1, M2, M3): -+ i.config.loglevel(vals=[256 + 4], service='access') -+ i.config.loglevel(vals=[LOG_REPLICA, LOG_DEFAULT], service='error') -+ -+ add_user(M1, 11, desc="add to M1") -+ add_user(M2, 21, desc="add to M2") -+ add_user(M3, 31, desc="add to M3") -+ -+ for i in (M1, M2, M3): -+ assert check_user(i, 11) -+ assert check_user(i, 21) -+ assert check_user(i, 31) -+ -+ time.sleep(10) -+ -+ #M1.tasks.cleanAllRUV(suffix=SUFFIX, replicaid='3', -+ # force=False, args={TASK_WAIT: True}) -+ #time.sleep(10) -+ regex = re.compile(".*Failed to update RUV tombstone.*LDAP error - 0") -+ assert not pattern_errorlog(M1, regex) -+ assert not pattern_errorlog(M2, regex) -+ assert not pattern_errorlog(M3, regex) -+ -+ # If you need any test suite initialization, -+ # please, write additional fixture for that (including finalizer). -+ # Topology for suites are predefined in lib389/topologies.py. 
-+ -+ # If you need host, port or any other data about instance, -+ # Please, use the instance object attributes for that (for example, topo.ms["master1"].serverid) -+ -+ if DEBUGGING: -+ # Add debugging steps(if any)... -+ pass -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main("-s %s" % CURRENT_FILE) -+ -diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c -index e3ddd783d..c6d6ee746 100644 ---- a/ldap/servers/plugins/replication/repl5_replica.c -+++ b/ldap/servers/plugins/replication/repl5_replica.c -@@ -2829,8 +2829,7 @@ replica_write_ruv(Replica *r) - /* this includes an internal operation - but since this only happens - during server startup - its ok that we have lock around it */ - rc = _replica_configure_ruv(r, PR_TRUE); -- } else /* error */ -- { -+ } else if (rc != LDAP_SUCCESS) { /* error */ - slapi_log_err(SLAPI_LOG_REPL, repl_plugin_name, - "replica_write_ruv - Failed to update RUV tombstone for %s; " - "LDAP error - %d\n", --- -2.13.6 - diff --git a/SOURCES/0076-Ticket-49631-same-csn-generated-twice.patch b/SOURCES/0076-Ticket-49631-same-csn-generated-twice.patch deleted file mode 100644 index 9058223..0000000 --- a/SOURCES/0076-Ticket-49631-same-csn-generated-twice.patch +++ /dev/null 
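Review bot: pattern_errorlog opens `server.errlog` and never closes it, so each of the three calls in test_ticket_49460 leaves a file handle open; wrapping the loop in `with open(server.errlog, "r") as file_obj:` fixes that without changing the readline logic. `pytest.main("-s %s" % CURRENT_FILE)` passes a single string, whereas the ticket49540 test on this page uses the list form `pytest.main(["-s", CURRENT_FILE])`; the list form is the one to keep. The docstring still carries the template text "Specify a test case purpose or name here", and add_user reports a routine step with `log.fatal`, which will drown out real failures in the test log.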
@@ -1,37 +0,0 @@ -From 9c929dbfcd1687ba43b2b2ee649c0e6522365fad Mon Sep 17 00:00:00 2001 -From: Ludwig Krispenz -Date: Wed, 4 Apr 2018 08:59:15 +0200 -Subject: [PATCH] Ticket 49631 - same csn generated twice - -Bug: if in the csn adjustment the local time was less or equal than the remote time - the sequence number has always been adjusted to remote++ - but if the csn time was equal and the local seq number was larger the effect - was a reset of the csn generato. - -Fix: correctly handles seqnum in csn adjustment - -Reviewed by: Mark, thanks ---- - ldap/servers/slapd/csngen.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/ldap/servers/slapd/csngen.c b/ldap/servers/slapd/csngen.c -index 4ac45acf0..3afc9176b 100644 ---- a/ldap/servers/slapd/csngen.c -+++ b/ldap/servers/slapd/csngen.c -@@ -338,7 +338,11 @@ csngen_adjust_time(CSNGen *gen, const CSN *csn) - we have increased the time, we can decrease the seqnum - and still guarantee that any new CSNs generated will be - > any current CSNs we have generated */ -- gen->state.seq_num = remote_seqnum + 1; -+ if (remote_seqnum < gen->state.seq_num) { -+ gen->state.seq_num ++; -+ } else { -+ gen->state.seq_num = remote_seqnum + 1; -+ } - } - if (slapi_is_loglevel_set(SLAPI_LOG_REPL)) { - slapi_log_err(SLAPI_LOG_REPL, "csngen_adjust_time", --- -2.13.6 - diff --git a/SOURCES/0077-CVE-2018-1089-Crash-from-long-search-filter.patch b/SOURCES/0077-CVE-2018-1089-Crash-from-long-search-filter.patch deleted file mode 100644 index 007cb29..0000000 --- a/SOURCES/0077-CVE-2018-1089-Crash-from-long-search-filter.patch +++ /dev/null 
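Review bot: The comment kept above the new branch in csngen_adjust_time still says the seqnum can be decreased once the time has been increased, but the added code no longer lowers it when the local value is larger, so the comment appears out of step with the behaviour. I would reword it along the lines of `/* keep the larger of the local and remote seqnum, then advance by one */`. Neither `gen->state.seq_num ++` nor `remote_seqnum + 1` shows a wrap-around check; the type of seq_num is not visible here, so whether rollover is handled elsewhere needs confirming. The function body starts and ends outside the hunk.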
@@ -1,81 +0,0 @@ -From 71b87e678bcc03bb9a0802f7dffc97cf354ee69a Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 5 Apr 2018 14:52:34 -0400 -Subject: [PATCH] CVE-2018-1089 - Crash from long search filter - ---- - ldap/servers/slapd/filter.c | 8 ++++---- - ldap/servers/slapd/util.c | 10 +++++----- - 2 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c -index 2ac3d2cd8..393a4dcee 100644 ---- a/ldap/servers/slapd/filter.c -+++ b/ldap/servers/slapd/filter.c -@@ -472,7 +472,7 @@ get_substring_filter( - f->f_sub_initial = val; - eval = (char *)slapi_escape_filter_value(val, -1); - if (eval) { -- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) { -+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) { - fstr_len += (strlen(eval) + 1) * 2; - *fstr = slapi_ch_realloc(*fstr, fstr_len); - } -@@ -486,7 +486,7 @@ get_substring_filter( - charray_add(&f->f_sub_any, val); - eval = (char *)slapi_escape_filter_value(val, -1); - if (eval) { -- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) { -+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) { - fstr_len += (strlen(eval) + 1) * 2; - *fstr = slapi_ch_realloc(*fstr, fstr_len); - } -@@ -504,7 +504,7 @@ get_substring_filter( - f->f_sub_final = val; - eval = (char *)slapi_escape_filter_value(val, -1); - if (eval) { -- if (fstr_len < strlen(*fstr) + strlen(eval) + 1) { -+ if (fstr_len <= strlen(*fstr) + strlen(eval) + 1) { - fstr_len += (strlen(eval) + 1) * 2; - *fstr = slapi_ch_realloc(*fstr, fstr_len); - } -@@ -530,7 +530,7 @@ get_substring_filter( - } - - filter_compute_hash(f); -- if (fstr_len < strlen(*fstr) + 3) { -+ if (fstr_len <= strlen(*fstr) + 3) { - fstr_len += 3; - *fstr = slapi_ch_realloc(*fstr, fstr_len); - } -diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c -index ddb2cc899..cb46efb3d 100644 ---- a/ldap/servers/slapd/util.c -+++ b/ldap/servers/slapd/util.c -@@ -161,6 +161,11 @@ do_escape_string( - break; - } - do { -+ if 
(bufSpace < 4) { -+ memcpy(bufNext, "..", 2); -+ bufNext += 2; -+ goto bail; -+ } - if (esc == UTIL_ESCAPE_BACKSLASH) { - /* *s is '\\' */ - /* If *(s+1) and *(s+2) are both hex digits, -@@ -179,11 +184,6 @@ do_escape_string( - *bufNext++ = '\\'; - --bufSpace; - } -- if (bufSpace < 3) { -- memcpy(bufNext, "..", 2); -- bufNext += 2; -- goto bail; -- } - PR_snprintf(bufNext, 3, "%02x", *(unsigned char *)s); - bufNext += 2; - bufSpace -= 2; --- -2.13.6 - diff --git a/SOURCES/0078-Ticket-49649.patch b/SOURCES/0078-Ticket-49649.patch deleted file mode 100644 index 887eefd..0000000 --- a/SOURCES/0078-Ticket-49649.patch +++ /dev/null @@ -1,40 +0,0 @@ -From e4d51884e3ca36b8256c33936dc31e77e0ad4736 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 8 May 2018 12:35:43 -0400 -Subject: [PATCH] Ticket 49649 - -Description: Fix crpyt.h include - -https://pagure.io/389-ds-base/issue/49649 - -Reviewed by: mreynolds(one line commit rule) - -(cherry picked from commit 2817f0c49401056835a79aafd8f8d4edc9113d1d) ---- - ldap/servers/plugins/pwdstorage/crypt_pwd.c | 10 +--------- - 1 file changed, 1 insertion(+), 9 deletions(-) - -diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -index 0dccd1b51..19894bd80 100644 ---- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c -+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c -@@ -20,15 +20,7 @@ - #include - #include - #include --#if defined(hpux) || defined(LINUX) || defined(__FreeBSD__) --#ifndef __USE_XOPEN --#define __USE_XOPEN /* linux */ --#endif /* __USE_XOPEN */ --#include --#else /* hpux */ --#include --#endif /* hpux */ -- -+#include /* for crypt_r */ - #include "pwdstorage.h" - - static PRLock *cryptlock = NULL; /* Some implementations of crypt are not thread safe. ie. ours & Irix */ --- -2.13.6 - 
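Review bot: The new `bufSpace < 4` guard in do_escape_string uses an unexplained constant, and its truncation path still runs `memcpy(bufNext, "..", 2)` without showing that two bytes remain. The 4 presumably covers the backslash, the two hex digits and the terminator written by `PR_snprintf(bufNext, 3, ...)`; a comment such as `/* '\\' + 2 hex digits + NUL */` would pin that down. Whether bufSpace can be 0 or 1 at that point depends on how it is initialised, which is outside the hunk, so the reserve for ".." should be documented next to that initialisation. In filter.c the test `fstr_len <= strlen(*fstr) + strlen(eval) + 1` is repeated in three branches of get_substring_filter, with a fourth variant using `+ 3`; one small helper that grows `*fstr` to a required length would keep the boundary condition in a single place. Both functions continue outside these hunks, and the patch adds no regression test for the long-filter case.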
diff --git a/SOURCES/0079-Ticket-49665-Upgrade-script-doesn-t-enable-PBKDF2-pa.patch b/SOURCES/0079-Ticket-49665-Upgrade-script-doesn-t-enable-PBKDF2-pa.patch
deleted file mode 100644
index a34d3b1..0000000
--- a/SOURCES/0079-Ticket-49665-Upgrade-script-doesn-t-enable-PBKDF2-pa.patch
+++ /dev/null
@@ -1,53 +0,0 @@ -From a13a83465c685d6ec8d47b6f10646986ded16a68 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 9 May 2018 16:36:48 -0400 -Subject: [PATCH] Ticket 49665 - Upgrade script doesn't enable PBKDF2 password - storage plug-in - -Description: There is no upgrade script to add the PBKDF2 plugin, this - fix adds the script. - -https://pagure.io/389-ds-base/issue/49665 - -Reviewed by: ? - -(cherry picked from commit dc690dd231a626b3b6a2019fee51e3cb15db7962) ---- - Makefile.am | 1 + - ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif | 12 ++++++++++++ - 2 files changed, 13 insertions(+) - create mode 100644 ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif - -diff --git a/Makefile.am b/Makefile.am -index 8834a7819..055d480aa 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -949,6 +949,7 @@ update_DATA = ldap/admin/src/scripts/exampleupdate.pl \ - ldap/admin/src/scripts/50refintprecedence.ldif \ - ldap/admin/src/scripts/50retroclprecedence.ldif \ - ldap/admin/src/scripts/50rootdnaccesscontrolplugin.ldif \ -+ ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif \ - ldap/admin/src/scripts/50contentsync.ldif \ - ldap/admin/src/scripts/60upgradeschemafiles.pl \ - ldap/admin/src/scripts/60upgradeconfigfiles.pl \ -diff --git a/ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif b/ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif -new file mode 100644 -index 000000000..462d5534a ---- /dev/null -+++ b/ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif -@@ -0,0 +1,12 @@ -+dn: cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config -+objectclass: top -+objectclass: nsSlapdPlugin -+cn: PBKDF2_SHA256 -+nsslapd-pluginpath: libpwdstorage-plugin -+nsslapd-plugininitfunc: pbkdf2_sha256_pwd_storage_scheme_init -+nsslapd-plugintype: pwdstoragescheme -+nsslapd-pluginenabled: on -+nsslapd-pluginDescription: DESC -+nsslapd-pluginVersion: PACKAGE_VERSION -+nsslapd-pluginVendor: VENDOR -+nsslapd-pluginid: ID --- -2.13.6 - 
diff --git a/SOURCES/0080-Ticket-49665-Upgrade-script-doesn-t-enable-CRYPT-pas.patch b/SOURCES/0080-Ticket-49665-Upgrade-script-doesn-t-enable-CRYPT-pas.patch
deleted file mode 100644
index 0bf3735..0000000
--- a/SOURCES/0080-Ticket-49665-Upgrade-script-doesn-t-enable-CRYPT-pas.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -From 1c077cff1ce49f5380192325a6947c623019c365 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Wed, 9 May 2018 16:39:23 -0400 -Subject: [PATCH] Ticket 49665 - Upgrade script doesn't enable CRYPT password - storage plug-in - -Description: There is no upgrade script to add the new CRYPT plugins, this - fix adds the script. - -https://pagure.io/389-ds-base/issue/49665 - -Reviewed by: vashirov(Thanks!) - -(cherry picked from commit 91dc832411a1bb6e8bf62bb72c36777ddc63770f) ---- - Makefile.am | 1 + - .../admin/src/scripts/50cryptpwdstorageplugin.ldif | 38 ++++++++++++++++++++++ - 2 files changed, 39 insertions(+) - create mode 100644 ldap/admin/src/scripts/50cryptpwdstorageplugin.ldif - -diff --git a/Makefile.am b/Makefile.am -index 055d480aa..4f62a899b 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -950,6 +950,7 @@ update_DATA = ldap/admin/src/scripts/exampleupdate.pl \ - ldap/admin/src/scripts/50retroclprecedence.ldif \ - ldap/admin/src/scripts/50rootdnaccesscontrolplugin.ldif \ - ldap/admin/src/scripts/50pbkdf2pwdstorageplugin.ldif \ -+ ldap/admin/src/scripts/50cryptpwdstorageplugin.ldif \ - ldap/admin/src/scripts/50contentsync.ldif \ - ldap/admin/src/scripts/60upgradeschemafiles.pl \ - ldap/admin/src/scripts/60upgradeconfigfiles.pl \ -diff --git a/ldap/admin/src/scripts/50cryptpwdstorageplugin.ldif b/ldap/admin/src/scripts/50cryptpwdstorageplugin.ldif -new file mode 100644 -index 000000000..0a4a50776 ---- /dev/null -+++ b/ldap/admin/src/scripts/50cryptpwdstorageplugin.ldif -@@ -0,0 +1,38 @@ -+dn: cn=CRYPT-MD5,cn=Password Storage Schemes,cn=plugins,cn=config -+objectClass: top -+objectClass: nsSlapdPlugin -+cn: CRYPT-MD5 -+nsslapd-pluginPath: libpwdstorage-plugin -+nsslapd-pluginInitfunc: crypt_md5_pwd_storage_scheme_init -+nsslapd-pluginType: pwdstoragescheme -+nsslapd-pluginEnabled: on -+nsslapd-pluginId: ID -+nsslapd-pluginVersion: PACKAGE_VERSION -+nsslapd-pluginVendor: VENDOR -+nsslapd-pluginDescription: DESC -+ -+dn: 
cn=CRYPT-SHA256,cn=Password Storage Schemes,cn=plugins,cn=config -+objectClass: top -+objectClass: nsSlapdPlugin -+cn: CRYPT-SHA256 -+nsslapd-pluginPath: libpwdstorage-plugin -+nsslapd-pluginInitfunc: crypt_sha256_pwd_storage_scheme_init -+nsslapd-pluginType: pwdstoragescheme -+nsslapd-pluginEnabled: on -+nsslapd-pluginId: ID -+nsslapd-pluginVersion: PACKAGE_VERSION -+nsslapd-pluginVendor: VENDOR -+nsslapd-pluginDescription: DESC -+ -+dn: cn=CRYPT-SHA512,cn=Password Storage Schemes,cn=plugins,cn=config -+objectClass: top -+objectClass: nsSlapdPlugin -+cn: CRYPT-SHA512 -+nsslapd-pluginPath: libpwdstorage-plugin -+nsslapd-pluginInitfunc: crypt_sha512_pwd_storage_scheme_init -+nsslapd-pluginType: pwdstoragescheme -+nsslapd-pluginEnabled: on -+nsslapd-pluginId: ID -+nsslapd-pluginVersion: PACKAGE_VERSION -+nsslapd-pluginVendor: VENDOR -+nsslapd-pluginDescription: DESC --- -2.13.6 - diff --git a/SOURCES/0081-Ticket-49671-Readonly-replicas-should-not-write-inte.patch b/SOURCES/0081-Ticket-49671-Readonly-replicas-should-not-write-inte.patch deleted file mode 100644 index 534b4c5..0000000 --- a/SOURCES/0081-Ticket-49671-Readonly-replicas-should-not-write-inte.patch +++ /dev/null 
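Review bot: 50cryptpwdstorageplugin.ldif registers CRYPT-MD5 with `nsslapd-pluginEnabled: on` alongside CRYPT-SHA256 and CRYPT-SHA512, and nothing in the file or the commit message says why the MD5 variant is enabled on upgrade. MD5-crypt is a weak choice for storing new passwords, so if the entry exists only so that existing hashes keep verifying, an LDIF comment above it would make that explicit, for example `# CRYPT-MD5: kept for verifying legacy hashes; do not select as passwordStorageScheme`. All three entries also ship the placeholder values `ID`, `VENDOR` and `DESC`; it is not visible here whether the upgrade framework substitutes them, which is worth confirming.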
@@ -1,205 +0,0 @@
-From 279489884f56cfc97d1ad9afdf92da3ad3b05b70 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Fri, 11 May 2018 10:53:06 -0400
-Subject: [PATCH] Ticket 49671 - Readonly replicas should not write internal
- ops to changelog
-
-Bug Description: When a hub receives an update that triggers the memberOf
- plugin, but that interal operation has no csn and that
- causes the update to the changelog to fail and break
- replication.
-
-Fix Description: Do not write internal updates with no csns to the changelog
- on read-only replicas.
-
-https://pagure.io/389-ds-base/issue/49671
-
-Reviewed by: simon, tbordaz, and lkrispen (Thanks!!!)
-
-(cherry picked from commit afb755bd95f1643665ea34c5a5fa2bb26bfa21b9)
----
- .../tests/suites/replication/cascading_test.py | 150 +++++++++++++++++++++
- ldap/servers/plugins/replication/repl5_plugins.c | 10 ++
- 2 files changed, 160 insertions(+)
- create mode 100644 dirsrvtests/tests/suites/replication/cascading_test.py
-
-diff --git a/dirsrvtests/tests/suites/replication/cascading_test.py b/dirsrvtests/tests/suites/replication/cascading_test.py
-new file mode 100644
-index 000000000..7331f20e9
---- /dev/null
-+++ b/dirsrvtests/tests/suites/replication/cascading_test.py
-@@ -0,0 +1,150 @@
-+# --- BEGIN COPYRIGHT BLOCK ---
-+# Copyright (C) 2018 Red Hat, Inc.
-+# All rights reserved.
-+#
-+# License: GPL (version 3 or any later version).
-+# See LICENSE for details.
-+# --- END COPYRIGHT BLOCK ---
-+#
-+import logging
-+import pytest
-+import os
-+import ldap
-+from lib389._constants import *
-+from lib389.replica import ReplicationManager
-+from lib389.plugins import MemberOfPlugin
-+from lib389.agreement import Agreements
-+from lib389.idm.user import UserAccount, TEST_USER_PROPERTIES
-+from lib389.idm.group import Groups
-+from lib389.topologies import topology_m1h1c1 as topo
-+
-+DEBUGGING = os.getenv("DEBUGGING", default=False)
-+if DEBUGGING:
-+ logging.getLogger(__name__).setLevel(logging.DEBUG)
-+else:
-+ logging.getLogger(__name__).setLevel(logging.INFO)
-+log = logging.getLogger(__name__)
-+
-+BIND_DN = 'uid=tuser1,ou=People,dc=example,dc=com'
-+BIND_RDN = 'tuser1'
-+
-+
-+def config_memberof(server):
-+ """Configure memberOf plugin and configure fractional
-+ to prevent total init to send memberof
-+ """
-+
-+ memberof = MemberOfPlugin(server)
-+ memberof.enable()
-+ memberof.set_autoaddoc('nsMemberOf')
-+ server.restart()
-+ agmts = Agreements(server)
-+ for agmt in agmts.list():
-+ log.info('update %s to add nsDS5ReplicatedAttributeListTotal' % agmt.dn)
-+ agmt.replace_many(('nsDS5ReplicatedAttributeListTotal', '(objectclass=*) $ EXCLUDE '),
-+ ('nsDS5ReplicatedAttributeList', '(objectclass=*) $ EXCLUDE memberOf'))
-+
-+
-+def test_basic_with_hub(topo):
-+ """Check that basic operations work in cascading replication, this includes
-+ testing plugins that perform internal operatons, and replicated password
-+ policy state attributes.
-+
-+ :id: 4ac85552-45bc-477b-89a4-226dfff8c6cc
-+ :setup: 1 master, 1 hub, 1 consumer
-+ :steps:
-+ 1. Enable memberOf plugin and set password account lockout settings
-+ 2. Restart the instance
-+ 3. Add a user
-+ 4. Add a group
-+ 5. Test that the replication works
-+ 6. Add the user as a member to the group
-+ 7. Test that the replication works
-+ 8. Issue bad binds to update passwordRetryCount
-+ 9. Test that replicaton works
-+ 10. Check that passwordRetyCount was replicated
-+ :expectedresults:
-+ 1. Should be a success
-+ 2. Should be a success
-+ 3. Should be a success
-+ 4. Should be a success
-+ 5. Should be a success
-+ 6. Should be a success
-+ 7. Should be a success
-+ 8. Should be a success
-+ 9. Should be a success
-+ 10. Should be a success
-+ """
-+
-+ repl_manager = ReplicationManager(DEFAULT_SUFFIX)
-+ master = topo.ms["master1"]
-+ consumer = topo.cs["consumer1"]
-+ hub = topo.hs["hub1"]
-+
-+ for inst in topo:
-+ config_memberof(inst)
-+ inst.config.set('passwordlockout', 'on')
-+ inst.config.set('passwordlockoutduration', '60')
-+ inst.config.set('passwordmaxfailure', '3')
-+ inst.config.set('passwordIsGlobalPolicy', 'on')
-+
-+ # Create user
-+ user1 = UserAccount(master, BIND_DN)
-+ user_props = TEST_USER_PROPERTIES.copy()
-+ user_props.update({'sn': BIND_RDN,
-+ 'cn': BIND_RDN,
-+ 'uid': BIND_RDN,
-+ 'inetUserStatus': '1',
-+ 'objectclass': 'extensibleObject',
-+ 'userpassword': PASSWORD})
-+ user1.create(properties=user_props, basedn=SUFFIX)
-+
-+ # Create group
-+ groups = Groups(master, DEFAULT_SUFFIX)
-+ group = groups.create(properties={'cn': 'group'})
-+
-+ # Test replication
-+ repl_manager.test_replication(master, consumer)
-+
-+ # Trigger memberOf plugin by adding user to group
-+ group.replace('member', user1.dn)
-+
-+ # Test replication once more
-+ repl_manager.test_replication(master, consumer)
-+
-+ # Issue bad password to update passwordRetryCount
-+ try:
-+ master.simple_bind_s(user1.dn, "badpassword")
-+ except:
-+ pass
-+
-+ # Test replication one last time
-+ master.simple_bind_s(DN_DM, PASSWORD)
-+ repl_manager.test_replication(master, consumer)
-+
-+ # Finally check if passwordRetyCount was replicated to the hub and consumer
-+ user1 = UserAccount(hub, BIND_DN)
-+ count = user1.get_attr_val_int('passwordRetryCount')
-+ if count is None:
-+ log.fatal('PasswordRetyCount was not replicated to hub')
-+ assert False
-+ if int(count) != 1:
-+ log.fatal('PasswordRetyCount has unexpected value: {}'.format(count))
-+ assert False
-+
-+ user1 = UserAccount(consumer, BIND_DN)
-+ count = user1.get_attr_val_int('passwordRetryCount')
-+ if count is None:
-+ log.fatal('PasswordRetyCount was not replicated to consumer')
-+ assert False
-+ if int(count) != 1:
-+ log.fatal('PasswordRetyCount has unexpected value: {}'.format(count))
-+ assert False
-+
-+
-+if __name__ == '__main__':
-+ # Run isolated
-+ # -s for DEBUG mode
-+ CURRENT_FILE = os.path.realpath(__file__)
-+ pytest.main(["-s", CURRENT_FILE])
-+
-diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c
-index 0aee8829a..324e38263 100644
---- a/ldap/servers/plugins/replication/repl5_plugins.c
-+++ b/ldap/servers/plugins/replication/repl5_plugins.c
-@@ -1059,6 +1059,16 @@ write_changelog_and_ruv(Slapi_PBlock *pb)
- goto common_return;
- }
-
-+ /* Skip internal operations with no op csn if this is a read-only replica */
-+ if (op_params->csn == NULL &&
-+ operation_is_flag_set(op, OP_FLAG_INTERNAL) &&
-+ replica_get_type(r) == REPLICA_TYPE_READONLY)
-+ {
-+ slapi_log_err(SLAPI_LOG_REPL, "write_changelog_and_ruv",
-+ "Skipping internal operation on read-only replica\n");
-+ goto common_return;
-+ }
-+
- /* we might have stripped all the mods - in that case we do not
- log the operation */
- if (op_params->operation_type != SLAPI_OPERATION_MODIFY ||
---
-2.13.6
-
diff --git a/SOURCES/0082-Ticket-49696-replicated-operations-should-be-seriali.patch b/SOURCES/0082-Ticket-49696-replicated-operations-should-be-seriali.patch
deleted file mode 100644
index b84eaef..0000000
--- a/SOURCES/0082-Ticket-49696-replicated-operations-should-be-seriali.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From f0b41ec12f957612c69ae5be3bbbb6e2d6db2530 Mon Sep 17 00:00:00 2001
-From: Ludwig Krispenz
-Date: Thu, 17 May 2018 10:31:58 +0200
-Subject: [PATCH] Ticket 49696: replicated operations should be serialized
-
- Bug: there was a scenario where two threads could process replication operations in parallel.
- The reason was that for a new repl start request the repl conn flag is not set and the
- connection is made readable.
- When the start repl op is finished, the flagi set, but in a small window the supplier could
- already have sent updates and more_data would trigger this thread also to continue to process
- repl operations.
-
- Fix: In the situation where a thread successfully processed a start repl request and just set the repl_conn
- flag do not use more_data.
-
- Reviewed by: Thierry, thanks
----
- ldap/servers/slapd/connection.c | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index 5ca32a333..b5030f0cb 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1822,9 +1822,17 @@ connection_threadmain()
-
- /* If we're in turbo mode, we keep our reference to the connection alive */
- /* can't use the more_data var because connection could have changed in another thread */
-- more_data = conn_buffered_data_avail_nolock(conn, &conn_closed) ? 1 : 0;
-- slapi_log_err(SLAPI_LOG_CONNS, "connection_threadmain", "conn %" PRIu64 " check more_data %d thread_turbo_flag %d\n",
-- conn->c_connid, more_data, thread_turbo_flag);
-+ slapi_log_err(SLAPI_LOG_CONNS, "connection_threadmain", "conn %" PRIu64 " check more_data %d thread_turbo_flag %d"
-+ "repl_conn_bef %d, repl_conn_now %d\n",
-+ conn->c_connid, more_data, thread_turbo_flag,
-+ replication_connection, conn->c_isreplication_session);
-+ if (!replication_connection && conn->c_isreplication_session) {
-+ /* it a connection that was just flagged as replication connection */
-+ more_data = 0;
-+ } else {
-+ /* normal connection or already established replication connection */
-+ more_data = conn_buffered_data_avail_nolock(conn, &conn_closed) ? 1 : 0;
-+ }
- if (!more_data) {
- if (!thread_turbo_flag) {
- /*
---
-2.13.6
-
diff --git a/SOURCES/0083-Ticket-48184-clean-up-and-delete-connections-at-shut.patch b/SOURCES/0083-Ticket-48184-clean-up-and-delete-connections-at-shut.patch
deleted file mode 100644
index 29170f4..0000000
--- a/SOURCES/0083-Ticket-48184-clean-up-and-delete-connections-at-shut.patch
+++ /dev/null
@@ -1,335 +0,0 @@
-From 5a5d3dffd0b36edb543fd31fa53d7128dd5161c2 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz
-Date: Fri, 18 May 2018 10:13:46 +0200
-Subject: [PATCH] Ticket 48184 - clean up and delete connections at shutdown
- (2nd try)
-
-Bug description:
- During shutdown we would not close connections.
- In the past this may have just been an annoyance, but now with the way
- nunc-stans works, io events can still trigger on open xeisting connectinos
- during shutdown.
-
- Because of NS dynamic it can happen that several jobs wants to work on the
- same connection. In such case (a job is already set in c_job) we delay the
- new job that will retry.
- In addition:
- - some call needed c_mutex
- - test uninitialized nunc-stans in case of shutdown while startup is not completed
-
-Fix Description: Close connections during shutdown rather than
- leaving them alive.
-
-https://pagure.io/389-ds-base/issue/48184
-
-Reviewed by:
- Original was Ludwig and Viktor
- Second fix reviewed by Mark
-
-Platforms tested: F26
-
-Flag Day: no
-
-Doc impact: no
-
-(cherry picked from commit e562157ca3e97867d902996cc18fb04f90dc10a8)
----
- ldap/servers/slapd/connection.c | 2 +
- ldap/servers/slapd/conntable.c | 13 ++++
- ldap/servers/slapd/daemon.c | 131 ++++++++++++++++++++++++++++------------
- ldap/servers/slapd/fe.h | 1 +
- ldap/servers/slapd/slap.h | 1 +
- 5 files changed, 108 insertions(+), 40 deletions(-)
-
-diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
-index b5030f0cb..76e83112b 100644
---- a/ldap/servers/slapd/connection.c
-+++ b/ldap/servers/slapd/connection.c
-@@ -1716,7 +1716,9 @@ connection_threadmain()
- if ((tag != LDAP_REQ_UNBIND) && !thread_turbo_flag && !replication_connection) {
- if (!more_data) {
- conn->c_flags &= ~CONN_FLAG_MAX_THREADS;
-+ PR_EnterMonitor(conn->c_mutex);
- connection_make_readable_nolock(conn);
-+ PR_ExitMonitor(conn->c_mutex);
- /* once the connection is readable, another thread may access conn,
- * so need locking from here on */
- signal_listner();
-diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c
-index 7c57b47cd..f2f763dfa 100644
---- a/ldap/servers/slapd/conntable.c
-+++ b/ldap/servers/slapd/conntable.c
-@@ -91,6 +91,19 @@ connection_table_abandon_all_operations(Connection_Table *ct)
- }
- }
-
-+void
-+connection_table_disconnect_all(Connection_Table *ct)
-+{
-+ for (size_t i = 0; i < ct->size; i++) {
-+ if (ct->c[i].c_mutex) {
-+ Connection *c = &(ct->c[i]);
-+ PR_EnterMonitor(c->c_mutex);
-+ disconnect_server_nomutex(c, c->c_connid, -1, SLAPD_DISCONNECT_ABORT, ECANCELED);
-+ PR_ExitMonitor(c->c_mutex);
-+ }
-+ }
-+}
-+
- /* Given a file descriptor for a socket, this function will return
- * a slot in the connection table to use.
- *
-diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
-index fcc461a90..50e67474e 100644
---- a/ldap/servers/slapd/daemon.c
-+++ b/ldap/servers/slapd/daemon.c
-@@ -1087,12 +1087,18 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp)
- /* we have exited from ns_thrpool_wait. This means we are shutting down! */
- /* Please see https://firstyear.fedorapeople.org/nunc-stans/md_docs_job-safety.html */
- /* tldr is shutdown needs to run first to allow job_done on an ARMED job */
-- for (size_t i = 0; i < listeners; i++) {
-- PRStatus shutdown_status = ns_job_done(listener_idxs[i].ns_job);
-- if (shutdown_status != PR_SUCCESS) {
-- slapi_log_err(SLAPI_LOG_CRIT, "ns_set_shutdown", "Failed to shutdown listener idx %" PRIu64 " !\n", i);
-+ for (uint64_t i = 0; i < listeners; i++) {
-+ PRStatus shutdown_status;
-+
-+ if (listener_idxs[i].ns_job) {
-+ shutdown_status = ns_job_done(listener_idxs[i].ns_job);
-+ if (shutdown_status != PR_SUCCESS) {
-+ slapi_log_err(SLAPI_LOG_CRIT, "ns_set_shutdown", "Failed to shutdown listener idx %" PRIu64 " !\n", i);
-+ }
-+ PR_ASSERT(shutdown_status == PR_SUCCESS);
-+ } else {
-+ slapi_log_err(SLAPI_LOG_CRIT, "slapd_daemon", "Listeners uninitialized. Possibly the server was shutdown while starting\n");
- }
-- PR_ASSERT(shutdown_status == PR_SUCCESS);
- listener_idxs[i].ns_job = NULL;
- }
- } else {
-@@ -1176,6 +1182,32 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp)
- housekeeping_stop(); /* Run this after op_thread_cleanup() logged sth */
- disk_monitoring_stop();
-
-+ /*
-+ * Now that they are abandonded, we need to mark them as done.
-+ * In NS while it's safe to allow excess jobs to be cleaned by
-+ * by the walk and ns_job_done of remaining queued events, the
-+ * issue is that if we allow something to live past this point
-+ * the CT is freed from underneath, and bad things happen (tm).
-+ *
-+ * NOTE: We do this after we stop psearch, because there could
-+ * be a race between flagging the psearch done, and users still
-+ * try to send on the connection. Similar with op_threads.
-+ */
-+ connection_table_disconnect_all(the_connection_table);
-+
-+ /*
-+ * WARNING: Normally we should close the tp in main
-+ * but because of issues in the current connection design
-+ * we need to close it here to guarantee events won't fire!
-+ *
-+ * All the connection close jobs "should" complete before
-+ * shutdown at least.
-+ */
-+ if (enable_nunc_stans) {
-+ ns_thrpool_shutdown(tp);
-+ ns_thrpool_wait(tp);
-+ }
-+
- threads = g_get_active_threadcnt();
- if (threads > 0) {
- slapi_log_err(SLAPI_LOG_INFO, "slapd_daemon",
-@@ -1628,25 +1660,18 @@ ns_handle_closure(struct ns_job_t *job)
- Connection *c = (Connection *)ns_job_get_data(job);
- int do_yield = 0;
-
--/* this function must be called from the event loop thread */
--#ifdef DEBUG
-- PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job)));
--#else
-- /* This doesn't actually confirm it's in the event loop thread, but it's a start */
-- if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) {
-- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_closure", "Attempt to close outside of event loop thread %" PRIu64 " for fd=%d\n",
-- c->c_connid, c->c_sd);
-- return;
-- }
--#endif
--
- PR_EnterMonitor(c->c_mutex);
-+ /* Assert we really have the right job state. */
-+ PR_ASSERT(job == c->c_job);
-
- connection_release_nolock_ext(c, 1); /* release ref acquired for event framework */
- PR_ASSERT(c->c_ns_close_jobs == 1); /* should be exactly 1 active close job - this one */
- c->c_ns_close_jobs--; /* this job is processing closure */
-+ /* Because handle closure will add a new job, we need to detach our current one. */
-+ c->c_job = NULL;
- do_yield = ns_handle_closure_nomutex(c);
- PR_ExitMonitor(c->c_mutex);
-+ /* Remove this task now. */
- ns_job_done(job);
- if (do_yield) {
- /* closure not done - another reference still outstanding */
-@@ -1659,14 +1684,25 @@ ns_handle_closure(struct ns_job_t *job)
- /**
- * Schedule more I/O for this connection, or make sure that it
- * is closed in the event loop.
-+ * caller must hold c_mutex
-+ * It returns
-+ * 0 on success
-+ * 1 on need to retry
- */
--void
--ns_connection_post_io_or_closing(Connection *conn)
-+static int
-+ns_connection_post_io_or_closing_try(Connection *conn)
- {
- struct timeval tv;
-
- if (!enable_nunc_stans) {
-- return;
-+ return 0;
-+ }
-+
-+ /*
-+ * Cancel any existing ns jobs we have registered.
-+ */
-+ if (conn->c_job != NULL) {
-+ return 1;
- }
-
- if (CONN_NEEDS_CLOSING(conn)) {
-@@ -1676,15 +1712,12 @@ ns_connection_post_io_or_closing(Connection *conn)
- slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "Already a close "
- "job in progress on conn %" PRIu64 " for fd=%d\n",
- conn->c_connid, conn->c_sd);
-- return;
-+ return 0;
- } else {
-- /* just make sure we schedule the event to be closed in a timely manner */
-- tv.tv_sec = 0;
-- tv.tv_usec = slapd_wakeup_timer * 1000;
- conn->c_ns_close_jobs++; /* now 1 active closure job */
- connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */
-- ns_result_t job_result = ns_add_timeout_job(conn->c_tp, &tv, NS_JOB_TIMER,
-- ns_handle_closure, conn, NULL);
-+ /* Close the job asynchronously. Why? */
-+ ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handle_closure, conn, &(conn->c_job));
- if (job_result != NS_SUCCESS) {
- if (job_result == NS_SHUTDOWN) {
- slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post closure job "
-@@ -1723,12 +1756,12 @@ ns_connection_post_io_or_closing(Connection *conn)
- * The error occurs when we get a connection in a closing state.
- * For now we return, but there is probably a better way to handle the error case.
- */
-- return;
-+ return 0;
- }
- #endif
- ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv,
- NS_JOB_READ | NS_JOB_PRESERVE_FD,
-- ns_handle_pr_read_ready, conn, NULL);
-+ ns_handle_pr_read_ready, conn, &(conn->c_job));
- if (job_result != NS_SUCCESS) {
- if (job_result == NS_SHUTDOWN) {
- slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post I/O job for "
-@@ -1745,6 +1778,28 @@ ns_connection_post_io_or_closing(Connection *conn)
- conn->c_connid, conn->c_sd);
- }
- }
-+ return 0;
-+}
-+void
-+ns_connection_post_io_or_closing(Connection *conn)
-+{
-+ while (ns_connection_post_io_or_closing_try(conn)) {
-+ /* we should retry later */
-+
-+ /* We are not suppose to work immediately on the connection that is taken by
-+ * another job
-+ * release the lock and give some time
-+ */
-+
-+ if (CONN_NEEDS_CLOSING(conn) && conn->c_ns_close_jobs) {
-+ return;
-+ } else {
-+ PR_ExitMonitor(conn->c_mutex);
-+ DS_Sleep(PR_MillisecondsToInterval(100));
-+
-+ PR_EnterMonitor(conn->c_mutex);
-+ }
-+ }
- }
-
- /* This function must be called without the thread flag, in the
-@@ -1757,19 +1812,12 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
- int maxthreads = config_get_maxthreadsperconn();
- Connection *c = (Connection *)ns_job_get_data(job);
-
--/* this function must be called from the event loop thread */
--#ifdef DEBUG
-- PR_ASSERT(0 == NS_JOB_IS_THREAD(ns_job_get_type(job)));
--#else
-- /* This doesn't actually confirm it's in the event loop thread, but it's a start */
-- if (NS_JOB_IS_THREAD(ns_job_get_type(job)) != 0) {
-- slapi_log_err(SLAPI_LOG_ERR, "ns_handle_pr_read_ready", "Attempt to handle read ready outside of event loop thread %" PRIu64 " for fd=%d\n",
-- c->c_connid, c->c_sd);
-- return;
-- }
--#endif
--
- PR_EnterMonitor(c->c_mutex);
-+ /* Assert we really have the right job state. */
-+ PR_ASSERT(job == c->c_job);
-+
-+ /* On all code paths we remove the job, so set it null now */
-+ c->c_job = NULL;
-
- slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "activity on conn %" PRIu64 " for fd=%d\n",
- c->c_connid, c->c_sd);
-@@ -1829,6 +1877,7 @@ ns_handle_pr_read_ready(struct ns_job_t *job)
- slapi_log_err(SLAPI_LOG_CONNS, "ns_handle_pr_read_ready", "queued conn %" PRIu64 " for fd=%d\n",
- c->c_connid, c->c_sd);
- }
-+ /* Since we call done on the job, we need to remove it here. */
- PR_ExitMonitor(c->c_mutex);
- ns_job_done(job);
- return;
-@@ -2451,7 +2500,9 @@ ns_handle_new_connection(struct ns_job_t *job)
- * that poll() was avoided, even at the expense of putting this new fd back
- * in nunc-stans to poll for read ready.
- */
-+ PR_EnterMonitor(c->c_mutex);
- ns_connection_post_io_or_closing(c);
-+ PR_ExitMonitor(c->c_mutex);
- return;
- }
-
-diff --git a/ldap/servers/slapd/fe.h b/ldap/servers/slapd/fe.h
-index 4d25a9fb8..f47bb6145 100644
---- a/ldap/servers/slapd/fe.h
-+++ b/ldap/servers/slapd/fe.h
-@@ -100,6 +100,7 @@ extern Connection_Table *the_connection_table; /* JCM - Exported from globals.c
- Connection_Table *connection_table_new(int table_size);
- void connection_table_free(Connection_Table *ct);
- void connection_table_abandon_all_operations(Connection_Table *ct);
-+void connection_table_disconnect_all(Connection_Table *ct);
- Connection *connection_table_get_connection(Connection_Table *ct, int sd);
- int connection_table_move_connection_out_of_active_list(Connection_Table *ct, Connection *c);
- void connection_table_move_connection_on_to_active_list(Connection_Table *ct, Connection *c);
-diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
-index 03355f5fe..de4ac35c0 100644
---- a/ldap/servers/slapd/slap.h
-+++ b/ldap/servers/slapd/slap.h
-@@ -1650,6 +1650,7 @@ typedef struct conn
- void *c_io_layer_cb_data; /* callback data */
- struct connection_table *c_ct; /* connection table that this connection belongs to */
- ns_thrpool_t *c_tp; /* thread pool for this connection */
-+ struct ns_job_t *c_job; /* If it exists, the current ns_job_t */
- int c_ns_close_jobs; /* number of current close jobs */
- char *c_ipaddr; /* ip address str - used by monitor */
- } Connection;
---
-2.13.6
-
diff --git a/SOURCES/0084-Ticket-49576-Update-ds-replcheck-for-new-conflict-en.patch b/SOURCES/0084-Ticket-49576-Update-ds-replcheck-for-new-conflict-en.patch
deleted file mode 100644
index 8d21a62..0000000
--- a/SOURCES/0084-Ticket-49576-Update-ds-replcheck-for-new-conflict-en.patch
+++ /dev/null
@@ -1,938 +0,0 @@ -From 19945c4807f6b3269fb65100ddaea5f596f68e72 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Fri, 18 May 2018 07:29:11 -0400 -Subject: [PATCH 1/6] Ticket 49576 - Update ds-replcheck for new conflict - entries - -Description: This patch addresses the recvent changes to conflict - entries and tombstones. - -https://pagure.io/389-ds-base/issue/49576 - -Reviewed by: tbordaz(Thanks!) - -(cherry picked from commit 53e58cdbfb2a2672ac21cd9b6d59f8b345478324) ---- - ldap/admin/src/scripts/ds-replcheck | 456 +++++++++++++++++++--------- - 1 file changed, 312 insertions(+), 144 deletions(-) - -diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck -index 45c4670a3..b801ccaa8 100755 ---- a/ldap/admin/src/scripts/ds-replcheck -+++ b/ldap/admin/src/scripts/ds-replcheck -@@ -1,7 +1,7 @@ - #!/usr/bin/python - - # --- BEGIN COPYRIGHT BLOCK --- --# Copyright (C) 2017 Red Hat, Inc. -+# Copyright (C) 2018 Red Hat, Inc. - # All rights reserved. - # - # License: GPL (version 3 or any later version). -@@ -9,6 +9,7 @@ - # --- END COPYRIGHT BLOCK --- - # - -+import os - import re - import time - import ldap -@@ -20,7 +21,7 @@ from ldap.ldapobject import SimpleLDAPObject - from ldap.cidict import cidict - from ldap.controls import SimplePagedResultsControl - --VERSION = "1.2" -+VERSION = "1.3" - RUV_FILTER = '(&(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff)(objectclass=nstombstone))' - LDAP = 'ldap' - LDAPS = 'ldaps' -@@ -36,6 +37,7 @@ class Entry(object): - ''' This is a stripped down version of Entry from python-lib389. - Once python-lib389 is released on RHEL this class will go away. 
- ''' -+ - def __init__(self, entrydata): - if entrydata: - self.dn = entrydata[0] -@@ -51,7 +53,7 @@ class Entry(object): - - - def get_entry(entries, dn): -- ''' Loop over enties looking for a matching dn -+ ''' Loop over a list of enties looking for a matching dn - ''' - for entry in entries: - if entry.dn == dn: -@@ -60,7 +62,7 @@ def get_entry(entries, dn): - - - def remove_entry(rentries, dn): -- ''' Remove an entry from the array of entries -+ ''' Remove an entry from the list of entries - ''' - for entry in rentries: - if entry.dn == dn: -@@ -69,7 +71,7 @@ def remove_entry(rentries, dn): - - - def extract_time(stateinfo): -- ''' Take the nscpEntryWSI attribute and get the most recent timestamp from -+ ''' Take the nscpEntryWSI(state info) attribute and get the most recent timestamp from - one of the csns (vucsn, vdcsn, mdcsn, adcsn) - - Return the timestamp in decimal -@@ -87,7 +89,7 @@ def extract_time(stateinfo): - - - def convert_timestamp(timestamp): -- ''' Convert createtimestamp to ctime: 20170405184656Z -> Wed Apr 5 19:46:56 2017 -+ ''' Convert createtimestamp to ctime: 20170405184656Z ----> Wed Apr 5 19:46:56 2017 - ''' - time_tuple = (int(timestamp[:4]), int(timestamp[4:6]), int(timestamp[6:8]), - int(timestamp[8:10]), int(timestamp[10:12]), int(timestamp[12:14]), -@@ -97,27 +99,43 @@ def convert_timestamp(timestamp): - - - def convert_entries(entries): -- '''Convert and normalize the ldap entries. Take note of conflicts and tombstones -- ''' -+ '''For online report. Convert and normalize the ldap entries. 
Take note of -+ conflicts and tombstones ''' - new_entries = [] - conflict_entries = [] -+ glue_entries = [] - result = {} - tombstones = 0 -+ - for entry in entries: - new_entry = Entry(entry) - new_entry.data = {k.lower(): v for k, v in list(new_entry.data.items())} -- if 'nsds5replconflict' in new_entry.data: -+ if new_entry.dn.endswith("cn=mapping tree,cn=config"): -+ '''Skip replica entry (ldapsearch brings this in because the filter -+ we use triggers an internal operation to return the config entry - so -+ it must be skipped -+ ''' -+ continue -+ if ('nsds5replconflict' in new_entry.data and 'nsTombstone' not in new_entry.data['objectclass'] and -+ 'nstombstone' not in new_entry.data['objectclass']): -+ # This is a conflict entry that is NOT a tombstone entry (should this be reconsidered?) - conflict_entries.append(new_entry) -+ if 'glue' in new_entry.data['objectclass']: -+ # A glue entry here is not necessarily a glue entry there. Keep track of -+ # them for when we check missing entries -+ glue_entries.append(new_entry) - else: - new_entries.append(new_entry) - - if 'nstombstonecsn' in new_entry.data: -+ # Maintain tombstone count - tombstones += 1 - del entries - - result['entries'] = new_entries - result['conflicts'] = conflict_entries - result['tombstones'] = tombstones -+ result['glue'] = glue_entries - - return result - -@@ -174,20 +192,60 @@ def get_ruv_report(opts): - return report - - -+def remove_attr_state_info(attr): -+ state_attr = None -+ idx = attr.find(';') -+ if idx > 0: -+ state_attr = attr # preserve state info for diff report -+ if ";deleted" in attr: -+ # Ignore this attribute it was deleted -+ return None, state_attr -+ attr = attr[:idx] -+ -+ return attr.lower(), state_attr -+ -+def add_attr_entry(entry, val, attr, state_attr): -+ ''' Offline mode (ldif comparision) Add the attr to the entry, and if there -+ is state info add nscpentrywsi attr - we need consistency with online mode -+ to make code simpler ''' -+ if attr is not None: 
-+ if attr in entry: -+ entry[attr].append(val) -+ else: -+ entry[attr] = [val] -+ -+ # Handle state info for diff report -+ if state_attr is not None: -+ state_attr = state_attr + ": " + val -+ if 'nscpentrywsi' in entry: -+ entry['nscpentrywsi'].append(state_attr) -+ else: -+ entry['nscpentrywsi'] = [state_attr] -+ val = "" -+ -+ - # - # Offline mode helper functions - # --def ldif_search(LDIF, dn, conflicts=False): -- ''' Search ldif by DN -+def ldif_search(LDIF, dn): -+ ''' Offline mode - Search ldif for a single DN. We need to factor in that -+ DN's and attribute values can wrap lines and are identified by a leading -+ white space. So we can't fully process an attribute until we get to the -+ next attribute. - ''' - result = {} - data = {} - found_conflict = False -+ found_subentry = False - found_part_dn = False -+ found_part_val = False -+ found_attr = False -+ found_tombstone = False -+ found_glue = False - found = False -- reset_line = False - count = 0 -- -+ ignore_list = ['conflictcsn', 'modifytimestamp', 'modifiersname'] -+ val = "" - result['entry'] = None - result['conflict'] = None - result['tombstone'] = False -@@ -195,54 +253,132 @@ def ldif_search(LDIF, dn, conflicts=False): - for line in LDIF: - count += 1 - line = line.rstrip() -- if reset_line: -- reset_line = False -- line = prev_line -+ - if found: -+ # We found our entry, now build up the entry (account from line wrap) - if line == "": -- # End of entry -+ # End of entry - update entry's last attribute value and break out -+ add_attr_entry(data, val, attr, state_attr) -+ val = "" -+ # Done! 
- break - - if line[0] == ' ': -- # continuation line -- prev = data[attr][len(data[attr]) - 1] -- data[attr][len(data[attr]) - 1] = prev + line.strip() -+ # continuation line (wrapped value) -+ val += line[1:] -+ found_part_val = True - continue -+ elif found_part_val: -+ # We have the complete value now (it was wrapped) -+ found_part_val = False -+ found_attr = False -+ add_attr_entry(data, val, attr, state_attr) -+ -+ # Now that the value is added to the entry lets process the new attribute... -+ value_set = line.split(":", 1) -+ attr, state_attr = remove_attr_state_info(value_set[0]) -+ -+ if attr in ignore_list or (attr is None and state_attr is None): -+ # Skip it -+ found_attr = False -+ attr = None -+ continue - -- value_set = line.split(":", 1) -- attr = value_set[0].lower() -- if attr.startswith('nsds5replconflict'): -- found_conflict = True -- if attr.startswith('nstombstonecsn'): -- result['tombstone'] = True -- -- if attr in data: -- data[attr].append(value_set[1].strip()) -+ val = value_set[1].strip() -+ found_attr = True -+ -+ if attr is not None: -+ # Set the entry type flags -+ if attr.startswith('nsds5replconflict'): -+ found_conflict = True -+ if attr.startswith("objectclass") and val == "ldapsubentry": -+ found_subentry = True -+ if attr.startswith('nstombstonecsn'): -+ result['tombstone'] = True -+ found_tombstone = True -+ continue - else: -- data[attr] = [value_set[1].strip()] -+ # New attribute... 
-+ if found_attr: -+ # But first we have to add the previous complete attr value to the entry data -+ add_attr_entry(data, val, attr, state_attr) -+ -+ # Process new attribute -+ value_set = line.split(":", 1) -+ attr, state_attr = remove_attr_state_info(value_set[0]) -+ if attr is None or attr in ignore_list: -+ # Skip it (its deleted) -+ found_attr = False -+ attr = None -+ continue -+ -+ val = value_set[1].strip() -+ found_attr = True -+ -+ # Set the entry type flags -+ if attr.startswith('nsds5replconflict'): -+ found_conflict = True -+ if attr.startswith("objectclass") and (val == "ldapsubentry" or val == "glue"): -+ if val == "glue": -+ found_glue = True -+ found_subentry = True -+ if attr.startswith('nstombstonecsn'): -+ result['tombstone'] = True -+ found_tombstone = True -+ continue -+ - elif found_part_dn: - if line[0] == ' ': -+ # DN is still wrapping, keep building up the dn value - part_dn += line[1:].lower() - else: -- # We have the full dn -+ # We now have the full dn - found_part_dn = False -- reset_line = True -- prev_line = line - if part_dn == dn: -+ # We found our entry - found = True -+ -+ # But now we have a new attribute to process -+ value_set = line.split(":", 1) -+ attr, state_attr = remove_attr_state_info(value_set[0]) -+ if attr is None or attr in ignore_list: -+ # Skip it (its deleted) -+ found_attr = False -+ attr = None -+ continue -+ -+ val = value_set[1].strip() -+ found_attr = True -+ -+ if attr.startswith('nsds5replconflict'): -+ found_conflict = True -+ if attr.startswith("objectclass") and val == "ldapsubentry": -+ found_subentry = True -+ -+ if attr.startswith('nstombstonecsn'): -+ result['tombstone'] = True -+ found_tombstone = True - continue -+ - if line.startswith('dn: '): - if line[4:].lower() == dn: -+ # We got our full DN, now process the entry - found = True - continue - else: -+ # DN wraps the line, keep looping until we get the whole value - part_dn = line[4:].lower() - found_part_dn = True - -+ # Keep track of entry 
index - we use this later when searching the LDIF again - result['idx'] = count -- if found_conflict: -+ -+ result['glue'] = None -+ if found_conflict and found_subentry and found_tombstone is False: - result['entry'] = None - result['conflict'] = Entry([dn, data]) -+ if found_glue: -+ result['glue'] = result['conflict'] - elif found: - result['conflict'] = None - result['entry'] = Entry([dn, data]) -@@ -251,7 +387,7 @@ def ldif_search(LDIF, dn, conflicts=False): - - - def get_dns(LDIF, opts): -- ''' Get all the DN's -+ ''' Get all the DN's from an LDIF file - ''' - dns = [] - found = False -@@ -275,7 +411,7 @@ def get_dns(LDIF, opts): - - - def get_ldif_ruv(LDIF, opts): -- ''' Search the ldif and get the ruv entry -+ ''' Search the LDIF and get the ruv entry - ''' - LDIF.seek(0) - result = ldif_search(LDIF, opts['ruv_dn']) -@@ -283,7 +419,7 @@ def get_ldif_ruv(LDIF, opts): - - - def cmp_entry(mentry, rentry, opts): -- ''' Compare the two entries, and return a diff map -+ ''' Compare the two entries, and return a "diff map" - ''' - diff = {} - diff['dn'] = mentry['dn'] -@@ -307,6 +443,7 @@ def cmp_entry(mentry, rentry, opts): - diff['missing'].append(" - Replica missing attribute: \"%s\"" % (mattr)) - diff_count += 1 - if 'nscpentrywsi' in mentry.data: -+ # Great we have state info so we can provide details about the missing attribute - found = False - for val in mentry.data['nscpentrywsi']: - if val.lower().startswith(mattr + ';'): -@@ -316,6 +453,7 @@ def cmp_entry(mentry, rentry, opts): - diff['missing'].append(" - Master's State Info: %s" % (val)) - diff['missing'].append(" - Date: %s\n" % (time.ctime(extract_time(val)))) - else: -+ # No state info, just move on - diff['missing'].append("") - - elif mentry.data[mattr] != rentry.data[mattr]: -@@ -335,6 +473,9 @@ def cmp_entry(mentry, rentry, opts): - if not found: - diff['diff'].append(" Master: ") - for val in mentry.data[mattr]: -+ # This is an "origin" value which means it's never been -+ # updated since 
replication was set up. So its the -+ # original value - diff['diff'].append(" - Origin value: %s" % (val)) - diff['diff'].append("") - -@@ -350,10 +491,13 @@ def cmp_entry(mentry, rentry, opts): - if not found: - diff['diff'].append(" Replica: ") - for val in rentry.data[mattr]: -+ # This is an "origin" value which means it's never been -+ # updated since replication was set up. So its the -+ # original value - diff['diff'].append(" - Origin value: %s" % (val)) - diff['diff'].append("") - else: -- # no state info -+ # no state info, report what we got - diff['diff'].append(" Master: ") - for val in mentry.data[mattr]: - diff['diff'].append(" - %s: %s" % (mattr, val)) -@@ -436,40 +580,62 @@ def do_offline_report(opts, output_file=None): - MLDIF.seek(idx) - RLDIF.seek(idx) - -- # Compare the master entries with the replica's -+ """ Compare the master entries with the replica's. Take our list of dn's from -+ the master ldif and get that entry( dn) from the master and replica ldif. In -+ this phase we keep keep track of conflict/tombstone counts, and we check for -+ missing entries and entry differences. We only need to do the entry diff -+ checking in this phase - we do not need to do it when process the replica dn's -+ because if the entry exists in both LDIF's then we already checked or diffs -+ while processing the master dn's. -+ """ - print ("Comparing Master to Replica...") - missing = False - for dn in master_dns: -- mresult = ldif_search(MLDIF, dn, True) -- rresult = ldif_search(RLDIF, dn, True) -+ mresult = ldif_search(MLDIF, dn) -+ rresult = ldif_search(RLDIF, dn) -+ -+ if dn in replica_dns: -+ if (rresult['entry'] is not None or rresult['glue'] is not None or -+ rresult['conflict'] is not None or rresult['tombstone']): -+ """ We can safely remove this DN from the replica dn list as it -+ does not need to be checked again. This also speeds things up -+ when doing the replica vs master phase. 
-+ """ -+ replica_dns.remove(dn) - - if mresult['tombstone']: - mtombstones += 1 -+ # continue -+ if rresult['tombstone']: -+ rtombstones += 1 - - if mresult['conflict'] is not None or rresult['conflict'] is not None: -+ # If either entry is a conflict we still process it here - if mresult['conflict'] is not None: - mconflicts.append(mresult['conflict']) -+ if rresult['conflict'] is not None: -+ rconflicts.append(rresult['conflict']) - elif rresult['entry'] is None: -- # missing entry - restart the search from beginning -+ # missing entry - restart the search from beginning in case it got skipped - RLDIF.seek(0) - rresult = ldif_search(RLDIF, dn) -- if rresult['entry'] is None: -- # missing entry in rentries -- RLDIF.seek(mresult['idx']) # Set the cursor to the last good line -+ if rresult['entry'] is None and rresult['glue'] is None: -+ # missing entry in Replica(rentries) -+ RLDIF.seek(mresult['idx']) # Set the LDIF cursor/index to the last good line - if not missing: -- missing_report += ('Replica is missing entries:\n') -+ missing_report += (' Entries missing on Replica:\n') - missing = True - if mresult['entry'] and 'createtimestamp' in mresult['entry'].data: -- missing_report += (' - %s (Master\'s creation date: %s)\n' % -+ missing_report += (' - %s (Created on Master at: %s)\n' % - (dn, convert_timestamp(mresult['entry'].data['createtimestamp'][0]))) - else: - missing_report += (' - %s\n' % dn) -- else: -+ elif mresult['tombstone'] is False: - # Compare the entries - diff = cmp_entry(mresult['entry'], rresult['entry'], opts) - if diff: - diff_report.append(format_diff(diff)) -- else: -+ elif mresult['tombstone'] is False: - # Compare the entries - diff = cmp_entry(mresult['entry'], rresult['entry'], opts) - if diff: -@@ -478,7 +644,10 @@ def do_offline_report(opts, output_file=None): - if missing: - missing_report += ('\n') - -- # Search Replica, and look for missing entries only. 
Count entries as well -+ """ Search Replica, and look for missing entries only. We already did the -+ diff checking, so its only missing entries we are worried about. Count the -+ remaining conflict & tombstone entries as well. -+ """ - print ("Comparing Replica to Master...") - MLDIF.seek(0) - RLDIF.seek(0) -@@ -486,26 +655,26 @@ def do_offline_report(opts, output_file=None): - for dn in replica_dns: - rresult = ldif_search(RLDIF, dn) - mresult = ldif_search(MLDIF, dn) -- - if rresult['tombstone']: - rtombstones += 1 -- if mresult['entry'] is not None or rresult['conflict'] is not None: -- if rresult['conflict'] is not None: -- rconflicts.append(rresult['conflict']) -+ # continue -+ -+ if rresult['conflict'] is not None: -+ rconflicts.append(rresult['conflict']) - elif mresult['entry'] is None: - # missing entry - MLDIF.seek(0) - mresult = ldif_search(MLDIF, dn) -- if mresult['entry'] is None and mresult['conflict'] is not None: -- MLDIF.seek(rresult['idx']) # Set the cursor to the last good line -+ if mresult['entry'] is None and mresult['glue'] is None: -+ MLDIF.seek(rresult['idx']) # Set the LDIF cursor/index to the last good line - if not missing: -- missing_report += ('Master is missing entries:\n') -+ missing_report += (' Entries missing on Master:\n') - missing = True -- if 'createtimestamp' in rresult['entry'].data: -- missing_report += (' - %s (Replica\'s creation date: %s)\n' % -+ if rresult['entry'] and 'createtimestamp' in rresult['entry'].data: -+ missing_report += (' - %s (Created on Replica at: %s)\n' % - (dn, convert_timestamp(rresult['entry'].data['createtimestamp'][0]))) - else: -- missing_report += (' - %s\n') -+ missing_report += (' - %s\n' % dn) - if missing: - missing_report += ('\n') - -@@ -553,8 +722,8 @@ def do_offline_report(opts, output_file=None): - print(final_report) - - --def check_for_diffs(mentries, rentries, report, opts): -- ''' Check for diffs, return the updated report -+def check_for_diffs(mentries, mglue, rentries, rglue, 
report, opts): -+ ''' Online mode only - Check for diffs, return the updated report - ''' - diff_report = [] - m_missing = [] -@@ -569,18 +738,26 @@ def check_for_diffs(mentries, rentries, report, opts): - for mentry in mentries: - rentry = get_entry(rentries, mentry.dn) - if rentry: -- diff = cmp_entry(mentry, rentry, opts) -- if diff: -- diff_report.append(format_diff(diff)) -+ if 'nsTombstone' not in rentry.data['objectclass'] and 'nstombstone' not in rentry.data['objectclass']: -+ diff = cmp_entry(mentry, rentry, opts) -+ if diff: -+ diff_report.append(format_diff(diff)) - # Now remove the rentry from the rentries so we can find stragglers - remove_entry(rentries, rentry.dn) - else: -- # Add missing entry in Replica -- r_missing.append(mentry) -+ rentry = get_entry(rglue, mentry.dn) -+ if rentry: -+ # Glue entry nothing to compare -+ remove_entry(rentries, rentry.dn) -+ else: -+ # Add missing entry in Replica -+ r_missing.append(mentry) - - for rentry in rentries: - # We should not have any entries if we are sync -- m_missing.append(rentry) -+ mentry = get_entry(mglue, rentry.dn) -+ if mentry is None: -+ m_missing.append(rentry) - - if len(diff_report) > 0: - report['diff'] += diff_report -@@ -609,6 +786,12 @@ def connect_to_replicas(opts): - ruri = "%s://%s:%s/" % (opts['rprotocol'], opts['rhost'], opts['rport']) - replica = SimpleLDAPObject(ruri) - -+ # Set timeouts -+ master.set_option(ldap.OPT_NETWORK_TIMEOUT,5.0) -+ master.set_option(ldap.OPT_TIMEOUT,5.0) -+ replica.set_option(ldap.OPT_NETWORK_TIMEOUT,5.0) -+ replica.set_option(ldap.OPT_TIMEOUT,5.0) -+ - # Setup Secure Conenction - if opts['certdir'] is not None: - # Setup Master -@@ -620,7 +803,7 @@ def connect_to_replicas(opts): - try: - master.start_tls_s() - except ldap.LDAPError as e: -- print('TLS negotiation failed on Master: %s' % str(e)) -+ print('TLS negotiation failed on Master: {}'.format(str(e))) - exit(1) - - # Setup Replica -@@ -632,7 +815,7 @@ def connect_to_replicas(opts): - try: - 
replica.start_tls_s() - except ldap.LDAPError as e: -- print('TLS negotiation failed on Master: %s' % str(e)) -+ print('TLS negotiation failed on Master: {}'.format(str(e))) - exit(1) - - # Open connection to master -@@ -642,7 +825,8 @@ def connect_to_replicas(opts): - print("Cannot connect to %r" % muri) - exit(1) - except ldap.LDAPError as e: -- print("Error: Failed to authenticate to Master: %s", str(e)) -+ print("Error: Failed to authenticate to Master: ({}). " -+ "Please check your credentials and LDAP urls are correct.".format(str(e))) - exit(1) - - # Open connection to replica -@@ -652,7 +836,8 @@ def connect_to_replicas(opts): - print("Cannot connect to %r" % ruri) - exit(1) - except ldap.LDAPError as e: -- print("Error: Failed to authenticate to Replica: %s", str(e)) -+ print("Error: Failed to authenticate to Replica: ({}). " -+ "Please check your credentials and LDAP urls are correct.".format(str(e))) - exit(1) - - # Get the RUVs -@@ -665,7 +850,7 @@ def connect_to_replicas(opts): - print("Error: Master does not have an RUV entry") - exit(1) - except ldap.LDAPError as e: -- print("Error: Failed to get Master RUV entry: %s", str(e)) -+ print("Error: Failed to get Master RUV entry: {}".format(str(e))) - exit(1) - - print ("Gathering Replica's RUV...") -@@ -678,7 +863,7 @@ def connect_to_replicas(opts): - exit(1) - - except ldap.LDAPError as e: -- print("Error: Failed to get Replica RUV entry: %s", str(e)) -+ print("Error: Failed to get Replica RUV entry: {}".format(str(e))) - exit(1) - - return (master, replica, opts) -@@ -687,6 +872,7 @@ def connect_to_replicas(opts): - def print_online_report(report, opts, output_file): - ''' Print the online report - ''' -+ - print ('Preparing final report...') - m_missing = len(report['m_missing']) - r_missing = len(report['r_missing']) -@@ -711,22 +897,23 @@ def print_online_report(report, opts, output_file): - missing = True - final_report += ('\nMissing Entries\n') - final_report += 
('=====================================================\n\n') -- if m_missing > 0: -- final_report += (' Entries missing on Master:\n') -- for entry in report['m_missing']: -+ -+ if r_missing > 0: -+ final_report += (' Entries missing on Replica:\n') -+ for entry in report['r_missing']: - if 'createtimestamp' in entry.data: -- final_report += (' - %s (Created on Replica at: %s)\n' % -+ final_report += (' - %s (Created on Master at: %s)\n' % - (entry.dn, convert_timestamp(entry.data['createtimestamp'][0]))) - else: - final_report += (' - %s\n' % (entry.dn)) - -- if r_missing > 0: -- if m_missing > 0: -+ if m_missing > 0: -+ if r_missing > 0: - final_report += ('\n') -- final_report += (' Entries missing on Replica:\n') -- for entry in report['r_missing']: -+ final_report += (' Entries missing on Master:\n') -+ for entry in report['m_missing']: - if 'createtimestamp' in entry.data: -- final_report += (' - %s (Created on Master at: %s)\n' % -+ final_report += (' - %s (Created on Replica at: %s)\n' % - (entry.dn, convert_timestamp(entry.data['createtimestamp'][0]))) - else: - final_report += (' - %s\n' % (entry.dn)) -@@ -751,7 +938,8 @@ def print_online_report(report, opts, output_file): - def remove_state_info(entry): - ''' Remove the state info for the attributes used in the conflict report - ''' -- attrs = ['objectclass', 'nsds5replconflict', 'createtimestamp'] -+ attrs = ['objectclass', 'nsds5replconflict', 'createtimestamp' , 'modifytimestamp'] -+ # attrs = ['createtimestamp'] - for key, val in list(entry.data.items()): - for attr in attrs: - if key.lower().startswith(attr): -@@ -766,9 +954,6 @@ def get_conflict_report(mentries, rentries, verbose, format_conflicts=False): - r_conflicts = [] - - for entry in mentries: -- if format_conflicts: -- remove_state_info(entry) -- - if 'glue' in entry.data['objectclass']: - m_conflicts.append({'dn': entry.dn, 'conflict': entry.data['nsds5replconflict'][0], - 'date': entry.data['createtimestamp'][0], 'glue': 'yes'}) -@@ 
-776,9 +961,6 @@ def get_conflict_report(mentries, rentries, verbose, format_conflicts=False): - m_conflicts.append({'dn': entry.dn, 'conflict': entry.data['nsds5replconflict'][0], - 'date': entry.data['createtimestamp'][0], 'glue': 'no'}) - for entry in rentries: -- if format_conflicts: -- remove_state_info(entry) -- - if 'glue' in entry.data['objectclass']: - r_conflicts.append({'dn': entry.dn, 'conflict': entry.data['nsds5replconflict'][0], - 'date': entry.data['createtimestamp'][0], 'glue': 'yes'}) -@@ -790,7 +972,7 @@ def get_conflict_report(mentries, rentries, verbose, format_conflicts=False): - report = "\n\nConflict Entries\n" - report += "=====================================================\n\n" - if len(m_conflicts) > 0: -- report += ('Master Conflict Entries: %d\n' % (len(m_conflicts))) -+ report += ('Master Conflict Entries: %d\n' % (len(m_conflicts))) - if verbose: - for entry in m_conflicts: - report += ('\n - %s\n' % (entry['dn'])) -@@ -799,7 +981,7 @@ def get_conflict_report(mentries, rentries, verbose, format_conflicts=False): - report += (' - Created: %s\n' % (convert_timestamp(entry['date']))) - - if len(r_conflicts) > 0: -- if len(m_conflicts) > 0: -+ if len(m_conflicts) > 0 and verbose: - report += "\n" # add spacer - report += ('Replica Conflict Entries: %d\n' % (len(r_conflicts))) - if verbose: -@@ -814,46 +996,6 @@ def get_conflict_report(mentries, rentries, verbose, format_conflicts=False): - return "" - - --def get_tombstones(replica, opts): -- ''' Return the number of tombstones -- ''' -- paged_ctrl = SimplePagedResultsControl(True, size=opts['pagesize'], cookie='') -- controls = [paged_ctrl] -- req_pr_ctrl = controls[0] -- count = 0 -- -- try: -- msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, -- '(&(objectclass=nstombstone)(nstombstonecsn=*))', -- ['dn'], serverctrls=controls) -- except ldap.LDAPError as e: -- print("Error: Failed to get tombstone entries: %s", str(e)) -- exit(1) -- -- done = False -- while not done: -- 
rtype, rdata, rmsgid, rctrls = replica.result3(msgid) -- count += len(rdata) -- -- pctrls = [ -- c -- for c in rctrls -- if c.controlType == SimplePagedResultsControl.controlType -- ] -- if pctrls: -- if pctrls[0].cookie: -- # Copy cookie from response control to request control -- req_pr_ctrl.cookie = pctrls[0].cookie -- msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, -- '(&(objectclass=nstombstone)(nstombstonecsn=*))', -- ['dn'], serverctrls=controls) -- else: -- done = True # No more pages available -- else: -- done = True -- return count -- -- - def do_online_report(opts, output_file=None): - ''' Check for differences between two replicas - ''' -@@ -880,7 +1022,7 @@ def do_online_report(opts, output_file=None): - req_pr_ctrl = controls[0] - try: - master_msgid = master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, -- "(|(objectclass=*)(objectclass=ldapsubentry))", -+ "(|(objectclass=*)(objectclass=ldapsubentry)(objectclass=nstombstone))", - ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], - serverctrls=controls) - except ldap.LDAPError as e: -@@ -888,7 +1030,7 @@ def do_online_report(opts, output_file=None): - exit(1) - try: - replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, -- "(|(objectclass=*)(objectclass=ldapsubentry))", -+ "(|(objectclass=*)(objectclass=ldapsubentry)(objectclass=nstombstone))", - ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], - serverctrls=controls) - except ldap.LDAPError as e: -@@ -918,7 +1060,9 @@ def do_online_report(opts, output_file=None): - rconflicts += rresult['conflicts'] - - # Check for diffs -- report = check_for_diffs(mresult['entries'], rresult['entries'], report, opts) -+ report = check_for_diffs(mresult['entries'], mresult['glue'], -+ rresult['entries'], rresult['glue'], -+ report, opts) - - if not m_done: - # Master -@@ -933,7 +1077,7 @@ def do_online_report(opts, output_file=None): - req_pr_ctrl.cookie = m_pctrls[0].cookie - master_msgid = 
master.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, - "(|(objectclass=*)(objectclass=ldapsubentry))", -- ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], serverctrls=controls) -+ ['*', 'createtimestamp', 'nscpentrywsi', 'conflictcsn', 'nsds5replconflict'], serverctrls=controls) - else: - m_done = True # No more pages available - else: -@@ -953,7 +1097,7 @@ def do_online_report(opts, output_file=None): - req_pr_ctrl.cookie = r_pctrls[0].cookie - replica_msgid = replica.search_ext(opts['suffix'], ldap.SCOPE_SUBTREE, - "(|(objectclass=*)(objectclass=ldapsubentry))", -- ['*', 'createtimestamp', 'nscpentrywsi', 'nsds5replconflict'], serverctrls=controls) -+ ['*', 'createtimestamp', 'nscpentrywsi', 'conflictcsn', 'nsds5replconflict'], serverctrls=controls) - else: - r_done = True # No more pages available - else: -@@ -961,10 +1105,8 @@ def do_online_report(opts, output_file=None): - - # Get conflicts & tombstones - report['conflict'] = get_conflict_report(mconflicts, rconflicts, opts['conflicts']) -- report['mtombstones'] = get_tombstones(master, opts) -- report['rtombstones'] = get_tombstones(replica, opts) -- report['m_count'] += report['mtombstones'] -- report['r_count'] += report['rtombstones'] -+ report['mtombstones'] = mresult['tombstones'] -+ report['rtombstones'] = rresult['tombstones'] - - # Do the final report - print_online_report(report, opts, output_file) -@@ -1027,11 +1169,16 @@ def main(): - - # Parse the ldap URLs - if args.murl is not None and args.rurl is not None: -+ # Make sure the URLs are different -+ if args.murl == args.rurl: -+ print("Master and Replica LDAP URLs are the same, they must be different") -+ exit(1) -+ - # Parse Master url -- murl = ldapurl.LDAPUrl(args.murl) - if not ldapurl.isLDAPUrl(args.murl): - print("Master LDAP URL is invalid") - exit(1) -+ murl = ldapurl.LDAPUrl(args.murl) - if murl.urlscheme in VALID_PROTOCOLS: - opts['mprotocol'] = murl.urlscheme - else: -@@ -1052,10 +1199,10 @@ def main(): - opts['mport'] = 
parts[1] - - # Parse Replica url -- rurl = ldapurl.LDAPUrl(args.rurl) - if not ldapurl.isLDAPUrl(args.rurl): - print("Replica LDAP URL is invalid") - exit(1) -+ rurl = ldapurl.LDAPUrl(args.rurl) - if rurl.urlscheme in VALID_PROTOCOLS: - opts['rprotocol'] = rurl.urlscheme - else: -@@ -1075,11 +1222,19 @@ def main(): - opts['rhost'] = parts[0] - opts['rport'] = parts[1] - -+ # Validate certdir -+ opts['certdir'] = None -+ if args.certdir: -+ if os.path.exists() and os.path.isdir(certdir): -+ opts['certdir'] = args.certdir -+ else: -+ print("certificate directory ({}) does not exist or is not a directory".format(args.certdir)) -+ exit(1) -+ - # Initialize the options - opts['binddn'] = args.binddn - opts['bindpw'] = args.bindpw - opts['suffix'] = args.suffix -- opts['certdir'] = args.certdir - opts['starttime'] = int(time.time()) - opts['verbose'] = args.verbose - opts['mldif'] = args.mldif -@@ -1109,6 +1264,18 @@ def main(): - - if opts['mldif'] is not None and opts['rldif'] is not None: - print ("Performing offline report...") -+ -+ # Validate LDIF files, must exist and not be empty -+ for ldif_dir in [opts['mldif'], opts['rldif']]: -+ if not os.path.exists(ldif_dir): -+ print ("LDIF file ({}) does not exist".format(ldif_dir)) -+ exit(1) -+ if os.path.getsize(ldif_dir) == 0: -+ print ("LDIF file ({}) is empty".format(ldif_dir)) -+ exit(1) -+ if opts['mldif'] == opts['rldif']: -+ print("The Master and Replica LDIF files must be different") -+ exit(1) - do_offline_report(opts, OUTPUT_FILE) - else: - print ("Performing online report...") -@@ -1118,5 +1285,6 @@ def main(): - print('Finished writing report to "%s"' % (args.file)) - OUTPUT_FILE.close() - -+ - if __name__ == '__main__': - main() --- -2.17.0 - diff --git a/SOURCES/0085-Ticket-49576-Add-support-of-deletedattribute-in-ds-r.patch b/SOURCES/0085-Ticket-49576-Add-support-of-deletedattribute-in-ds-r.patch deleted file mode 100644 index 8b4e655..0000000 
--- a/SOURCES/0085-Ticket-49576-Add-support-of-deletedattribute-in-ds-r.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 00ebe4e4298fb19d9b8fc78b16053fb0b92eea9f Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Fri, 25 May 2018 09:47:31 -0400
-Subject: [PATCH] Ticket 49576 - Add support of ";deletedattribute" in
- ds-replcheck
-
-Description: Also need to check for ";deletedattribute" when processing LDIF file
-
-https://pagure.io/389-ds-base/issue/49576
-
-Reviewed by: tbordaz(Thanks!)
-
-(cherry picked from commit 9e046a35a0f771e77c788cddee2cbddee6ae0571)
----
- ldap/admin/src/scripts/ds-replcheck | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck
-index b801ccaa8..661c9e0ce 100755
---- a/ldap/admin/src/scripts/ds-replcheck
-+++ b/ldap/admin/src/scripts/ds-replcheck
-@@ -197,7 +197,7 @@ def remove_attr_state_info(attr):
- idx = attr.find(';')
- if idx > 0:
- state_attr = attr # preserve state info for diff report
-- if ";deleted" in attr:
-+ if ";deleted" in attr or ";deletedattribute" in attr:
- # Ignore this attribute it was deleted
- return None, state_attr
- attr = attr[:idx]
---
-2.17.0
-
diff --git a/SOURCES/0086-Ticket-49726-DS-only-accepts-RSA-and-Fortezza-cipher.patch b/SOURCES/0086-Ticket-49726-DS-only-accepts-RSA-and-Fortezza-cipher.patch
deleted file mode 100644
index 9d14858..0000000
--- a/SOURCES/0086-Ticket-49726-DS-only-accepts-RSA-and-Fortezza-cipher.patch
+++ /dev/null
@@ -1,529 +0,0 @@ -From b6894f921a0635dba97a0745ce75917284e5e5ff Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Sun, 27 May 2018 10:48:55 -0400 -Subject: [PATCH] Ticket 49726 - DS only accepts RSA and Fortezza cipher - families - -Bug Description: Currently DS only accepts fortezza and RSA cipher families. - This prevents things like ECC certificates from being used. - -Fix Description: Instead of hardcoding the cipher families, just grab the - current type and use it. - - Also cleaned up code: removed unncessary "ifdefs", and switched - for loops to use size_t. - -https://pagure.io/389-ds-base/issue/49726 - -Reviewed by: ? - -(cherry picked from commit 27a16a068887e5b9fcab3b4507d58a18e6f1d1ec) ---- - ldap/servers/slapd/ssl.c | 136 ++++++--------------------------------- - 1 file changed, 20 insertions(+), 116 deletions(-) - -diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c -index 36b09fd16..b8eba2da4 100644 ---- a/ldap/servers/slapd/ssl.c -+++ b/ldap/servers/slapd/ssl.c -@@ -31,28 +31,11 @@ - #include "fe.h" - #include "certdb.h" - --#if !defined(USE_OPENLDAP) --#include "ldap_ssl.h" --#endif -- - /* For IRIX... */ - #ifndef MAXPATHLEN - #define MAXPATHLEN 1024 - #endif - --#if NSS_VMAJOR * 100 + NSS_VMINOR >= 315 --/* TLS1.2 is defined in RFC5246. */ --#define NSS_TLS12 1 --#elif NSS_VMAJOR * 100 + NSS_VMINOR >= 314 --/* TLS1.1 is defined in RFC4346. 
*/ --#define NSS_TLS11 1 --#else --#define NSS_TLS10 1 --#endif -- --#if NSS_VMAJOR * 100 + NSS_VMINOR >= 320 --#define HAVE_NSS_DHE 1 --#endif - - /****************************************************************************** - * Default SSL Version Rule -@@ -70,10 +53,9 @@ - - extern char *slapd_SSL3ciphers; - extern symbol_t supported_ciphers[]; --#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ - static SSLVersionRange enabledNSSVersions; - static SSLVersionRange slapdNSSVersions; --#endif -+ - - /* dongle_file_name is set in slapd_nss_init when we set the path for the - key, cert, and secmod files - the dongle file must be in the same directory -@@ -109,12 +91,10 @@ static char *configDN = "cn=encryption,cn=config"; - #define CIPHER_SET_DEFAULTWEAKCIPHER 0x10 /* allowWeakCipher is not set in cn=encryption */ - #define CIPHER_SET_ALLOWWEAKCIPHER 0x20 /* allowWeakCipher is on */ - #define CIPHER_SET_DISALLOWWEAKCIPHER 0x40 /* allowWeakCipher is off */ -- --#ifdef HAVE_NSS_DHE - #define CIPHER_SET_DEFAULTWEAKDHPARAM 0x100 /* allowWeakDhParam is not set in cn=encryption */ - #define CIPHER_SET_ALLOWWEAKDHPARAM 0x200 /* allowWeakDhParam is on */ - #define CIPHER_SET_DISALLOWWEAKDHPARAM 0x400 /* allowWeakDhParam is off */ --#endif -+ - - #define CIPHER_SET_ISDEFAULT(flag) \ - (((flag)&CIPHER_SET_DEFAULT) ? 
PR_TRUE : PR_FALSE) -@@ -145,10 +125,7 @@ static char *configDN = "cn=encryption,cn=config"; - #define CIPHER_IS_WEAK 0x4 - #define CIPHER_IS_DEPRECATED 0x8 - --#ifdef HAVE_NSS_DHE - static int allowweakdhparam = CIPHER_SET_DEFAULTWEAKDHPARAM; --#endif -- - - static char **cipher_names = NULL; - static char **enabled_cipher_names = NULL; -@@ -225,12 +202,10 @@ static lookup_cipher _lookup_cipher[] = { - /*{"tls_dhe_dss_1024_des_sha", ""}, */ - {"tls_dhe_dss_1024_rc4_sha", "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"}, - {"tls_dhe_dss_rc4_128_sha", "TLS_DHE_DSS_WITH_RC4_128_SHA"}, --#if defined(NSS_TLS12) - /* New in NSS 3.15 */ - {"tls_rsa_aes_128_gcm_sha", "TLS_RSA_WITH_AES_128_GCM_SHA256"}, - {"tls_dhe_rsa_aes_128_gcm_sha", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"}, - {"tls_dhe_dss_aes_128_gcm_sha", NULL}, /* not available */ --#endif - {NULL, NULL}}; - - /* E.g., "SSL3", "TLS1.2", "Unknown SSL version: 0x0" */ -@@ -317,7 +292,6 @@ getSupportedCiphers(void) - SSLCipherSuiteInfo info; - char *sep = "::"; - int number_of_ciphers = SSL_NumImplementedCiphers; -- int i; - int idx = 0; - PRBool isFIPS = slapd_pk11_isFIPS(); - -@@ -325,7 +299,7 @@ getSupportedCiphers(void) - - if ((cipher_names == NULL) && (_conf_ciphers)) { - cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *)); -- for (i = 0; _conf_ciphers[i].name != NULL; i++) { -+ for (size_t i = 0; _conf_ciphers[i].name != NULL; i++) { - SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[i].num, &info, sizeof(info)); - /* only support FIPS approved ciphers in FIPS mode */ - if (!isFIPS || info.isFIPS) { -@@ -341,7 +315,6 @@ getSupportedCiphers(void) - return cipher_names; - } - --#ifdef HAVE_NSS_DHE - int - get_allow_weak_dh_param(Slapi_Entry *e) - { -@@ -365,7 +338,6 @@ get_allow_weak_dh_param(Slapi_Entry *e) - slapi_ch_free((void **)&val); - return allow; - } --#endif - - - char ** -@@ -374,7 +346,6 @@ getEnabledCiphers(void) - SSLCipherSuiteInfo info; - char *sep = "::"; - int number_of_ciphers = 0; 
-- int x; - int idx = 0; - PRBool enabled; - -@@ -383,14 +354,14 @@ getEnabledCiphers(void) - return NULL; - } - if ((enabled_cipher_names == NULL) && _conf_ciphers) { -- for (x = 0; _conf_ciphers[x].name; x++) { -+ for (size_t x = 0; _conf_ciphers[x].name; x++) { - SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled); - if (enabled) { - number_of_ciphers++; - } - } - enabled_cipher_names = (char **)slapi_ch_calloc((number_of_ciphers + 1), sizeof(char *)); -- for (x = 0; _conf_ciphers[x].name; x++) { -+ for (size_t x = 0; _conf_ciphers[x].name; x++) { - SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled); - if (enabled) { - SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num, &info, sizeof(info)); -@@ -472,9 +443,6 @@ getSSLVersionRange(char **min, char **max) - } - return -1; - } --#if defined(NSS_TLS10) -- return -1; /* not supported */ --#else /* NSS_TLS11 or newer */ - if (min) { - *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0); - } -@@ -482,10 +450,8 @@ getSSLVersionRange(char **min, char **max) - *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0); - } - return 0; --#endif - } - --#if defined(USE_OPENLDAP) - void - getSSLVersionRangeOL(int *min, int *max) - { -@@ -499,10 +465,7 @@ getSSLVersionRangeOL(int *min, int *max) - if (!slapd_ssl_listener_is_initialized()) { - return; - } --#if defined(NSS_TLS10) -- *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0; -- return; --#else /* NSS_TLS11 or newer */ -+ - if (min) { - switch (slapdNSSVersions.min) { - case SSL_LIBRARY_VERSION_3_0: -@@ -550,14 +513,11 @@ getSSLVersionRangeOL(int *min, int *max) - } - } - return; --#endif - } --#endif /* USE_OPENLDAP */ - - static void - _conf_init_ciphers(void) - { -- int x; - SECStatus rc; - SSLCipherSuiteInfo info; - const PRUint16 *implementedCiphers = SSL_GetImplementedCiphers(); -@@ -568,7 +528,7 @@ _conf_init_ciphers(void) - } - _conf_ciphers = (cipherstruct *)slapi_ch_calloc(SSL_NumImplementedCiphers + 1, sizeof(cipherstruct)); - -- for (x = 0; 
implementedCiphers && (x < SSL_NumImplementedCiphers); x++) { -+ for (size_t x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) { - rc = SSL_GetCipherSuiteInfo(implementedCiphers[x], &info, sizeof info); - if (SECFailure == rc) { - slapi_log_err(SLAPI_LOG_ERR, "Security Initialization", -@@ -598,7 +558,6 @@ _conf_init_ciphers(void) - static void - _conf_setallciphers(int flag, char ***suplist, char ***unsuplist) - { -- int x; - SECStatus rc; - PRBool setdefault = CIPHER_SET_ISDEFAULT(flag); - PRBool enabled = CIPHER_SET_ISALL(flag); -@@ -608,7 +567,7 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist) - - _conf_init_ciphers(); - -- for (x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) { -+ for (size_t x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) { - if (_conf_ciphers[x].flags & CIPHER_IS_DEFAULT) { - /* certainly, not the first time. */ - setme = PR_TRUE; -@@ -663,11 +622,10 @@ charray2str(char **ary, const char *delim) - void - _conf_dumpciphers(void) - { -- int x; - PRBool enabled; - /* {"SSL3","rc4", SSL_EN_RC4_128_WITH_MD5}, */ - slapd_SSL_info("Configured NSS Ciphers"); -- for (x = 0; _conf_ciphers[x].name; x++) { -+ for (size_t x = 0; _conf_ciphers[x].name; x++) { - SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled); - if (enabled) { - slapd_SSL_info("\t%s: enabled%s%s%s", _conf_ciphers[x].name, -@@ -687,7 +645,8 @@ char * - _conf_setciphers(char *setciphers, int flags) - { - char *t, err[MAGNUS_ERROR_LEN]; -- int x, i, active; -+ int active; -+ size_t x = 0; - char *raw = setciphers; - char **suplist = NULL; - char **unsuplist = NULL; -@@ -772,7 +731,7 @@ _conf_setciphers(char *setciphers, int flags) - } - } - if (lookup) { /* lookup with old cipher name and get NSS cipherSuiteName */ -- for (i = 0; _lookup_cipher[i].alias; i++) { -+ for (size_t i = 0; _lookup_cipher[i].alias; i++) { - if (!PL_strcasecmp(setciphers, _lookup_cipher[i].alias)) { - if (enabled && 
!_lookup_cipher[i].name[0]) { - slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d. Ignoring %s", -@@ -915,9 +874,8 @@ getChildren(char *dn) - slapi_pblock_get(new_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result); - slapi_pblock_get(new_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &e); - if (e != NULL) { -- int i; - list = (char **)slapi_ch_malloc(sizeof(*list) * (nEntries + 1)); -- for (i = 0; e[i] != NULL; i++) { -+ for (size_t i = 0; e[i] != NULL; i++) { - list[i] = slapi_ch_strdup(slapi_entry_get_dn(e[i])); - } - list[nEntries] = NULL; -@@ -935,8 +893,7 @@ static void - freeChildren(char **list) - { - if (list != NULL) { -- int i; -- for (i = 0; list[i] != NULL; i++) { -+ for (size_t i = 0; list[i] != NULL; i++) { - slapi_ch_free((void **)(&list[i])); - } - slapi_ch_free((void **)(&list)); -@@ -1017,7 +974,6 @@ warn_if_no_key_file(const char *dir, int no_log) - return ret; - } - --#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ - /* - * If non NULL buf and positive bufsize is given, - * the memory is used to store the version string. 
-@@ -1183,7 +1139,6 @@ restrict_SSLVersionRange(void) - } - } - } --#endif - - /* - * slapd_nss_init() is always called from main(), even if we do not -@@ -1206,7 +1161,6 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr - int create_certdb = 0; - PRUint32 nssFlags = 0; - char *certdir; --#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ - char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; - /* Get the range of the supported SSL version */ - SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions); -@@ -1216,7 +1170,6 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr - slapi_log_err(SLAPI_LOG_CONFIG, "Security Initialization", - "slapd_nss_init - Supported range by NSS: min: %s, max: %s\n", - emin, emax); --#endif - - /* set in slapd_bootstrap_config, - thus certdir is available even if config_available is false */ -@@ -1385,9 +1338,7 @@ slapd_ssl_init() - char *val = NULL; - PK11SlotInfo *slot; - Slapi_Entry *entry = NULL; --#ifdef HAVE_NSS_DHE - SECStatus rv = SECFailure; --#endif - - /* Get general information */ - -@@ -1396,7 +1347,6 @@ slapd_ssl_init() - val = slapi_entry_attr_get_charptr(entry, "nssslSessionTimeout"); - ciphers = slapi_entry_attr_get_charptr(entry, "nsssl3ciphers"); - --#ifdef HAVE_NSS_DHE - allowweakdhparam = get_allow_weak_dh_param(entry); - if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) { - slapd_SSL_warn("notice, generating new WEAK DH param"); -@@ -1405,7 +1355,6 @@ slapd_ssl_init() - slapd_SSL_error("Warning, unable to generate weak dh parameters"); - } - } --#endif - - /* We are currently using the value of sslSessionTimeout - for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */ -@@ -1527,7 +1476,6 @@ slapd_ssl_init() - return 0; - } - --#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ - /* - * val: sslVersionMin/Max value set in cn=encription,cn=config (INPUT) - * rval: Corresponding value to set SSLVersionRange (OUTPUT) -@@ -1541,7 
+1489,7 @@ static int - set_NSS_version(char *val, PRUint16 *rval, int ismin) - { - char *vp, *endp; -- int vnum; -+ int64_t vnum; - char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; - - if (NULL == rval) { -@@ -1662,7 +1610,6 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) - } - } - } else if (tlsv < 1.3) { /* TLS1.2 */ --#if defined(NSS_TLS12) - if (ismin) { - if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) { - slapd_SSL_warn("The value of sslVersionMin " -@@ -1685,7 +1632,6 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) - (*rval) = SSL_LIBRARY_VERSION_TLS_1_2; - } - } --#endif - } else { /* Specified TLS is newer than supported */ - if (ismin) { - slapd_SSL_warn("The value of sslVersionMin " -@@ -1720,7 +1666,6 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin) - #undef SSLLEN - #undef TLSSTR - #undef TLSLEN --#endif - - int - slapd_ssl_init2(PRFileDesc **fd, int startTLS) -@@ -1740,12 +1685,10 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) - char *tmpDir; - Slapi_Entry *e = NULL; - PRBool fipsMode = PR_FALSE; --#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ - PRUint16 NSSVersionMin = enabledNSSVersions.min; - PRUint16 NSSVersionMax = enabledNSSVersions.max; - char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH]; - char newmax[VERSION_STR_LENGTH]; --#endif - char cipher_string[1024]; - int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER; - int_fast16_t renegotiation = (int_fast16_t)SSL_RENEGOTIATE_REQUIRES_XTN; -@@ -1964,15 +1907,13 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) - } - - if (SECSuccess == rv) { -+ SSLKEAType certKEA; - --#ifdef HAVE_NSS_DHE -- /* Step If we want weak dh params, flag it on the socket now! */ -- -+ /* If we want weak dh params, flag it on the socket now! 
*/ - rv = SSL_OptionSet(*fd, SSL_ENABLE_SERVER_DHE, PR_TRUE); - if (rv != SECSuccess) { - slapd_SSL_warn("Warning, unable to start DHE"); - } -- - if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) { - slapd_SSL_warn("notice, allowing weak parameters on socket."); - rv = SSL_EnableWeakDHEPrimeGroup(*fd, PR_TRUE); -@@ -1980,13 +1921,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) - slapd_SSL_warn("Warning, unable to allow weak DH params on socket."); - } - } --#endif - -- if (slapd_pk11_fortezzaHasKEA(cert) == PR_TRUE) { -- rv = SSL_ConfigSecureServer(*fd, cert, key, kt_fortezza); -- } else { -- rv = SSL_ConfigSecureServer(*fd, cert, key, kt_rsa); -- } -+ certKEA = NSS_FindCertKEAType(cert); -+ rv = SSL_ConfigSecureServer(*fd, cert, key, certKEA); - if (SECSuccess != rv) { - errorCode = PR_GetError(); - slapd_SSL_warn("ConfigSecureServer: " -@@ -2140,7 +2077,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) - enableTLS1 = PR_TRUE; /* If available, enable TLS1 */ - } - slapi_ch_free_string(&val); --#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ - val = slapi_entry_attr_get_charptr(e, "sslVersionMin"); - if (val) { - (void)set_NSS_version(val, &NSSVersionMin, 1); -@@ -2161,9 +2097,8 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) - mymax, newmax); - NSSVersionMax = enabledNSSVersions.max; - } --#endif - } --#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ -+ - if (NSSVersionMin > 0) { - /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */ - slapdNSSVersions.min = NSSVersionMin; -@@ -2183,7 +2118,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) - mymin, mymax); - } - } else { --#endif - /* deprecated code */ - sslStatus = SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3, enableSSL3); - if (sslStatus != SECSuccess) { -@@ -2202,9 +2136,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS) - enableTLS1 ? 
"enable" : "disable", - errorCode, slapd_pr_strerror(errorCode)); - } --#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ - } --#endif - - val = NULL; - if (e != NULL) { -@@ -2382,12 +2314,8 @@ slapd_SSL_client_auth(LDAP *ld) - */ - token = slapi_ch_strdup(internalTokenName); - } --#if defined(USE_OPENLDAP) - /* openldap needs tokenname:certnick */ - PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality); --#else -- PL_strncpyz(cert_name, personality, sizeof(cert_name)); --#endif - slapi_ch_free_string(&ssltoken); - } else { - /* external PKCS #11 token - attach token name */ -@@ -2461,7 +2389,6 @@ slapd_SSL_client_auth(LDAP *ld) - "(no password). (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", - errorCode, slapd_pr_strerror(errorCode)); - } else { --#if defined(USE_OPENLDAP) - if (slapi_client_uses_non_nss(ld) && config_get_extract_pem()) { - char *certdir = config_get_certdir(); - char *keyfile = NULL; -@@ -2532,29 +2459,6 @@ slapd_SSL_client_auth(LDAP *ld) - cert_name); - } - } --/* -- * not sure what else needs to be done for client auth - don't -- * currently have a way to pass in the password to use to unlock -- * the keydb - nor a way to disable caching -- */ --#else /* !USE_OPENLDAP */ -- rc = ldapssl_enable_clientauth(ld, SERVER_KEY_NAME, pw, cert_name); -- if (rc != 0) { -- errorCode = PR_GetError(); -- slapd_SSL_error("ldapssl_enable_clientauth(%s, %s) %i (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", -- SERVER_KEY_NAME, cert_name, rc, -- errorCode, slapd_pr_strerror(errorCode)); -- } else { -- /* -- * We cannot allow NSS to cache outgoing client auth connections - -- * each client auth connection must have it's own non-shared SSL -- * connection to the peer so that it will go through the -- * entire handshake protocol every time including the use of its -- * own unique client cert - see bug 605457 -- */ -- ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE); -- } --#endif - } - } - --- -2.17.0 - 
diff --git a/SOURCES/0087-Ticket-48184-clean-up-and-delete-connections-at-shut.patch b/SOURCES/0087-Ticket-48184-clean-up-and-delete-connections-at-shut.patch
deleted file mode 100644
index b49c92e..0000000
--- a/SOURCES/0087-Ticket-48184-clean-up-and-delete-connections-at-shut.patch
+++ /dev/null
@@ -1,190 +0,0 @@ -From 240cfa58c62571b92640a385cfcce6d858cb00dc Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Wed, 30 May 2018 15:48:11 +0200 -Subject: [PATCH] Ticket 48184 - clean up and delete connections at shutdown - (3rd) - -Bug description: - During shutdown we would not close connections. - In the past this may have just been an annoyance, but now with the way - nunc-stans works, io events can still trigger on open xeisting connectinos - during shutdown. - -Fix Description: - Because of NS dynamic it can happen that several jobs wants to work on the - same connection. In such case (a job is already set in c_job) we delay the - new job that will retry. - In addition: - - some call needed c_mutex - - test uninitialized nunc-stans in case of shutdown while startup is not completed - - If it is not possible to schedule immediately a job it is sometime useless to wait: - - if the connection is already freed, just cancel the scheduled job - and do not register a new one - - If we are in middle of a shutdown we do not know if the - scheduled job is ns_handle_closure, so cancel the scheduled - job and schedule ns_handle_closure. 
- -https://pagure.io/389-ds-base/issue/48184 - -Reviewed by: - Original fix reviewed by Ludwig and Viktor - Second fix reviewed by Mark - Third fix reviewed by Mark - -Platforms tested: F26 - -Flag Day: no - -Doc impact: no ---- - ldap/servers/slapd/connection.c | 10 +++-- - ldap/servers/slapd/conntable.c | 2 +- - ldap/servers/slapd/daemon.c | 67 +++++++++++++++++++++++++-------- - ldap/servers/slapd/proto-slap.h | 2 +- - 4 files changed, 60 insertions(+), 21 deletions(-) - -diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c -index 76e83112b..c54e7c26c 100644 ---- a/ldap/servers/slapd/connection.c -+++ b/ldap/servers/slapd/connection.c -@@ -741,14 +741,18 @@ connection_acquire_nolock(Connection *conn) - - /* returns non-0 if connection can be reused and 0 otherwise */ - int --connection_is_free(Connection *conn) -+connection_is_free(Connection *conn, int use_lock) - { - int rc; - -- PR_EnterMonitor(conn->c_mutex); -+ if (use_lock) { -+ PR_EnterMonitor(conn->c_mutex); -+ } - rc = conn->c_sd == SLAPD_INVALID_SOCKET && conn->c_refcnt == 0 && - !(conn->c_flags & CONN_FLAG_CLOSING); -- PR_ExitMonitor(conn->c_mutex); -+ if (use_lock) { -+ PR_ExitMonitor(conn->c_mutex); -+ } - - return rc; - } -diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c -index f2f763dfa..114871d17 100644 ---- a/ldap/servers/slapd/conntable.c -+++ b/ldap/servers/slapd/conntable.c -@@ -129,7 +129,7 @@ connection_table_get_connection(Connection_Table *ct, int sd) - break; - } - -- if (connection_is_free(&(ct->c[index]))) { -+ if (connection_is_free(&(ct->c[index]), 1 /*use lock */)) { - break; - } - } -diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c -index 50e67474e..35cfe7de0 100644 ---- a/ldap/servers/slapd/daemon.c -+++ b/ldap/servers/slapd/daemon.c -@@ -1699,7 +1699,8 @@ ns_connection_post_io_or_closing_try(Connection *conn) - } - - /* -- * Cancel any existing ns jobs we have registered. -+ * A job was already scheduled. 
-+ * Let it be dispatched first - */ - if (conn->c_job != NULL) { - return 1; -@@ -1780,25 +1781,59 @@ ns_connection_post_io_or_closing_try(Connection *conn) - } - return 0; - } -+ -+/* -+ * Tries to schedule I/O for this connection -+ * If the connection is already busy with a scheduled I/O -+ * it can wait until scheduled I/O is dispatched -+ * -+ * caller must hold c_mutex -+ */ - void - ns_connection_post_io_or_closing(Connection *conn) - { - while (ns_connection_post_io_or_closing_try(conn)) { -- /* we should retry later */ -- -- /* We are not suppose to work immediately on the connection that is taken by -- * another job -- * release the lock and give some time -- */ -- -- if (CONN_NEEDS_CLOSING(conn) && conn->c_ns_close_jobs) { -- return; -- } else { -- PR_ExitMonitor(conn->c_mutex); -- DS_Sleep(PR_MillisecondsToInterval(100)); -- -- PR_EnterMonitor(conn->c_mutex); -- } -+ /* Here a job is currently scheduled (c->job is set) and not yet dispatched -+ * Job can be either: -+ * - ns_handle_closure -+ * - ns_handle_pr_read_ready -+ */ -+ -+ if (connection_is_free(conn, 0)) { -+ PRStatus shutdown_status; -+ -+ /* The connection being freed, -+ * It means that ns_handle_closure already completed and the connection -+ * is no longer on the active list. 
-+ * The scheduled job is useless and scheduling a new one as well -+ */ -+ shutdown_status = ns_job_done(conn->c_job); -+ if (shutdown_status != PR_SUCCESS) { -+ slapi_log_err(SLAPI_LOG_CRIT, "ns_connection_post_io_or_closing", "Failed cancel a job on a freed connection %d !\n", conn->c_sd); -+ } -+ conn->c_job = NULL; -+ return; -+ } -+ if (g_get_shutdown() && CONN_NEEDS_CLOSING(conn)) { -+ PRStatus shutdown_status; -+ -+ /* This is shutting down cancel any scheduled job to register ns_handle_closure -+ */ -+ shutdown_status = ns_job_done(conn->c_job); -+ if (shutdown_status != PR_SUCCESS) { -+ slapi_log_err(SLAPI_LOG_CRIT, "ns_connection_post_io_or_closing", "Failed to cancel a job during shutdown %d !\n", conn->c_sd); -+ } -+ conn->c_job = NULL; -+ continue; -+ } -+ -+ /* We are not suppose to work immediately on the connection that is taken by -+ * another job -+ * release the lock and give some time -+ */ -+ PR_ExitMonitor(conn->c_mutex); -+ DS_Sleep(PR_MillisecondsToInterval(100)); -+ PR_EnterMonitor(conn->c_mutex); - } - } - -diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h -index b13334ad1..f54bc6bc5 100644 ---- a/ldap/servers/slapd/proto-slap.h -+++ b/ldap/servers/slapd/proto-slap.h -@@ -1431,7 +1431,7 @@ int connection_acquire_nolock(Connection *conn); - int connection_acquire_nolock_ext(Connection *conn, int allow_when_closing); - int connection_release_nolock(Connection *conn); - int connection_release_nolock_ext(Connection *conn, int release_only); --int connection_is_free(Connection *conn); -+int connection_is_free(Connection *conn, int user_lock); - int connection_is_active_nolock(Connection *conn); - #if defined(USE_OPENLDAP) - ber_slen_t openldap_read_function(Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len); --- -2.17.0 - 
diff --git a/SOURCES/0088-Ticket-49736-Hardening-of-active-connection-list.patch b/SOURCES/0088-Ticket-49736-Hardening-of-active-connection-list.patch
deleted file mode 100644
index 1a6143d..0000000
--- a/SOURCES/0088-Ticket-49736-Hardening-of-active-connection-list.patch
+++ /dev/null
@@ -1,76 +0,0 @@ -From 1f3e1ad55f72a885e27db41be28ce1037ff0ce93 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Fri, 1 Jun 2018 16:12:40 +0200 -Subject: [PATCH] Ticket 49736 - Hardening of active connection list - -Bug Description: - In case of a bug in the management of the connection refcnt - it can happen that there are several attempts to move a connection - out of the active list. - - It triggers a crash because when derefencing c->c_prev. - c_prev is never NULL on the active list - -Fix Description: - The fix tests if the connection is already out of the active list. - If such case, it just returns. - - A potential issue that is not addressed by this fix is: - Thread A and Thread B are using 'c' but c->refcnt=1 (it should be 2) - Thread A "closes" 'c', 'c' is move out of active list (free) because of refcnt=0 - A new connection happens selecting the free connection 'c', moving it to the active list. - Thread C is using 'c' from the new connection c->refcnt=1 - Thread B "closes" 'c', 'c' is moved out of the active list. - -> new operation coming on 'c' will not be detected - -> Thread C will likely crash when sending result - -https://pagure.io/389-ds-base/issue/49736 - -Reviewed by: Mark Reynolds (thanks!) 
- -Platforms tested: F26 - -Flag Day: no - -Doc impact: no - -(cherry picked from commit b0e05806232b781eed3ff102485045a358d7659b) ---- - ldap/servers/slapd/conntable.c | 21 +++++++++++++++++++++ - 1 file changed, 21 insertions(+) - -diff --git a/ldap/servers/slapd/conntable.c b/ldap/servers/slapd/conntable.c -index 114871d17..cb68a1119 100644 ---- a/ldap/servers/slapd/conntable.c -+++ b/ldap/servers/slapd/conntable.c -@@ -243,6 +243,27 @@ connection_table_move_connection_out_of_active_list(Connection_Table *ct, Connec - int c_sd; /* for logging */ - /* we always have previous element because list contains a dummy header */; - PR_ASSERT(c->c_prev); -+ if (c->c_prev == NULL) { -+ /* c->c_prev is set when the connection is moved ON the active list -+ * So this connection is already OUT of the active list -+ * -+ * Not sure how to recover from here. -+ * Considering c->c_prev is NULL we can assume refcnt is now 0 -+ * and connection_cleanup was already called. -+ * If it is not the case, then consequences are: -+ * - Leak some memory (connext, unsent page result entries, various buffers) -+ * - hanging connection (fd not closed) -+ * A option would be to call connection_cleanup here. -+ * -+ * The logged message helps to know how frequently the problem exists -+ */ -+ slapi_log_err(SLAPI_LOG_CRIT, -+ "connection_table_move_connection_out_of_active_list", -+ "conn %d is already OUT of the active list (refcnt is %d)\n", -+ c->c_sd, c->c_refcnt); -+ -+ return 0; -+ } - - #ifdef FOR_DEBUGGING - slapi_log_err(SLAPI_LOG_DEBUG, "connection_table_move_connection_out_of_active_list", "Moving connection out of active list\n"); --- -2.17.0 - diff --git a/SOURCES/0089-Ticket-49652-DENY-aci-s-are-not-handled-properly.patch b/SOURCES/0089-Ticket-49652-DENY-aci-s-are-not-handled-properly.patch deleted file mode 100644 index e0a8c9b..0000000 --- a/SOURCES/0089-Ticket-49652-DENY-aci-s-are-not-handled-properly.patch +++ /dev/null 
@@ -1,285 +0,0 @@ -From 5b7d67bdef7810c661ae4ba1fdfa620c86985661 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Fri, 27 Apr 2018 08:34:51 -0400 -Subject: [PATCH] Ticket 49652 - DENY aci's are not handled properly - -Bug Description: There are really two issues here. One, when a resource - is denied by a DENY aci the cached results for that resource - are not proprely set, and on the same connection if the same - operation repeated it will be allowed instead of denied because - the cache result was not proprely updated. - - Two, if there are no ALLOW aci's on a resource, then we don't - check the deny rules, and resources that are restricted are - returned to the client. - -Fix Description: For issue one, when an entry is denied access reset all the - attributes' cache results to DENIED as it's possible previously - evaluated aci's granted access to some of these attributes which - are still present in the acl result cache. - - For issue two, if there are no ALLOW aci's on a resource but - there are DENY aci's, then set the aclpb state flags to - process DENY aci's - -https://pagure.io/389-ds-base/issue/49652 - -Reviewed by: tbordaz & lkrispenz(Thanks!!) 
- -(cherry picked from commit d77c7f0754f67022b42784c05be8a493a00f2ec5) ---- - dirsrvtests/tests/suites/acl/acl_deny_test.py | 198 ++++++++++++++++++ - ldap/servers/plugins/acl/acl.c | 24 ++- - 2 files changed, 220 insertions(+), 2 deletions(-) - create mode 100644 dirsrvtests/tests/suites/acl/acl_deny_test.py - -diff --git a/dirsrvtests/tests/suites/acl/acl_deny_test.py b/dirsrvtests/tests/suites/acl/acl_deny_test.py -new file mode 100644 -index 000000000..285664150 ---- /dev/null -+++ b/dirsrvtests/tests/suites/acl/acl_deny_test.py -@@ -0,0 +1,198 @@ -+import logging -+import pytest -+import os -+import ldap -+import time -+from lib389._constants import * -+from lib389.topologies import topology_st as topo -+from lib389.idm.user import UserAccount, UserAccounts, TEST_USER_PROPERTIES -+from lib389.idm.domain import Domain -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+BIND_DN2 = 'uid=tuser,ou=People,dc=example,dc=com' -+BIND_RDN2 = 'tuser' -+BIND_DN = 'uid=tuser1,ou=People,dc=example,dc=com' -+BIND_RDN = 'tuser1' -+SRCH_FILTER = "uid=tuser1" -+SRCH_FILTER2 = "uid=tuser" -+ -+aci_list_A = ['(targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)', -+ '(targetattr = "*") (version 3.0;acl "allow tuser";allow (all)(userdn = "ldap:///uid=tuser5,ou=People,dc=example,dc=com");)', -+ '(targetattr != "uid || mail") (version 3.0; acl "deny-attrs"; deny (all) (userdn = "ldap:///anyone");)', -+ '(targetfilter = "(inetUserStatus=1)") ( version 3.0; acl "deny-specific-entry"; deny(all) (userdn = "ldap:///anyone");)'] -+ -+aci_list_B = ['(targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)', -+ '(targetattr != "uid || mail") (version 3.0; acl "deny-attrs"; 
deny (all) (userdn = "ldap:///anyone");)', -+ '(targetfilter = "(inetUserStatus=1)") ( version 3.0; acl "deny-specific-entry"; deny(all) (userdn = "ldap:///anyone");)'] -+ -+ -+@pytest.fixture(scope="module") -+def aci_setup(topo): -+ topo.standalone.log.info("Add {}".format(BIND_DN)) -+ user = UserAccount(topo.standalone, BIND_DN) -+ user_props = TEST_USER_PROPERTIES.copy() -+ user_props.update({'sn': BIND_RDN, -+ 'cn': BIND_RDN, -+ 'uid': BIND_RDN, -+ 'inetUserStatus': '1', -+ 'objectclass': 'extensibleObject', -+ 'userpassword': PASSWORD}) -+ user.create(properties=user_props, basedn=SUFFIX) -+ -+ topo.standalone.log.info("Add {}".format(BIND_DN2)) -+ user2 = UserAccount(topo.standalone, BIND_DN2) -+ user_props = TEST_USER_PROPERTIES.copy() -+ user_props.update({'sn': BIND_RDN2, -+ 'cn': BIND_RDN2, -+ 'uid': BIND_RDN2, -+ 'userpassword': PASSWORD}) -+ user2.create(properties=user_props, basedn=SUFFIX) -+ -+ -+def test_multi_deny_aci(topo, aci_setup): -+ """Test that mutliple deny rules work, and that they the cache properly -+ stores the result -+ -+ :id: 294c366d-850e-459e-b5a0-3cc828ec3aca -+ :setup: Standalone Instance -+ :steps: -+ 1. Add aci_list_A aci's and verify two searches on the same connection -+ behave the same -+ 2. Add aci_list_B aci's and verify search fails as expected -+ :expectedresults: -+ 1. Both searches do not return any entries -+ 2. Seaches do not return any entries -+ """ -+ -+ if DEBUGGING: -+ # Maybe add aci logging? 
-+ pass -+ -+ suffix = Domain(topo.standalone, DEFAULT_SUFFIX) -+ -+ for run in range(2): -+ topo.standalone.log.info("Pass " + str(run + 1)) -+ -+ # Test ACI List A -+ topo.standalone.log.info("Testing two searches behave the same...") -+ topo.standalone.simple_bind_s(DN_DM, PASSWORD) -+ suffix.set('aci', aci_list_A, ldap.MOD_REPLACE) -+ time.sleep(1) -+ -+ topo.standalone.simple_bind_s(BIND_DN, PASSWORD) -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) -+ if entries and entries[0]: -+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 1") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) -+ if entries and entries[0]: -+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 2") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) -+ if entries is None or len(entries) == 0: -+ topo.standalone.log.fatal("Failed to get entry as good user") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) -+ if entries is None or len(entries) == 0: -+ topo.standalone.log.fatal("Failed to get entry as good user") -+ assert False -+ -+ # Bind a different user who has rights -+ topo.standalone.simple_bind_s(BIND_DN2, PASSWORD) -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) -+ if entries is None or len(entries) == 0: -+ topo.standalone.log.fatal("Failed to get entry as good user") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) -+ if entries is None or len(entries) == 0: -+ topo.standalone.log.fatal("Failed to get entry as good user (2)") -+ assert False -+ -+ if run > 0: -+ # Second pass -+ topo.standalone.restart() -+ -+ # Reset ACI's and do the second test -+ topo.standalone.log.info("Testing search does not return any entries...") -+ 
topo.standalone.simple_bind_s(DN_DM, PASSWORD) -+ suffix.set('aci', aci_list_B, ldap.MOD_REPLACE) -+ time.sleep(1) -+ -+ topo.standalone.simple_bind_s(BIND_DN, PASSWORD) -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) -+ if entries and entries[0]: -+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 1") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) -+ if entries and entries[0]: -+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 2") -+ assert False -+ -+ if run > 0: -+ # Second pass -+ topo.standalone.restart() -+ -+ # Bind as different user who has rights -+ topo.standalone.simple_bind_s(BIND_DN2, PASSWORD) -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) -+ if entries is None or len(entries) == 0: -+ topo.standalone.log.fatal("Failed to get entry as good user") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) -+ if entries is None or len(entries) == 0: -+ topo.standalone.log.fatal("Failed to get entry as good user (2)") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) -+ if entries and entries[0]: -+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 1") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) -+ if entries and entries[0]: -+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 2") -+ assert False -+ -+ # back to user 1 -+ topo.standalone.simple_bind_s(BIND_DN, PASSWORD) -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER2) -+ if entries is None or len(entries) == 0: -+ topo.standalone.log.fatal("Failed to get entry as user1") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, 
SRCH_FILTER2) -+ if entries is None or len(entries) == 0: -+ topo.standalone.log.fatal("Failed to get entry as user1 (2)") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) -+ if entries and entries[0]: -+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 1") -+ assert False -+ -+ entries = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, SRCH_FILTER) -+ if entries and entries[0]: -+ topo.standalone.log.fatal("Incorrectly got an entry returned from search 2") -+ assert False -+ -+ topo.standalone.log.info("Test PASSED") -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main(["-s", CURRENT_FILE]) -+ -diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c -index bc154c78f..6d105f4fa 100644 ---- a/ldap/servers/plugins/acl/acl.c -+++ b/ldap/servers/plugins/acl/acl.c -@@ -1088,9 +1088,23 @@ acl_read_access_allowed_on_entry( - ** a DENY rule, then we don't have access to - ** the entry ( nice trick to get in ) - */ -- if (aclpb->aclpb_state & -- ACLPB_EXECUTING_DENY_HANDLES) -+ if (aclpb->aclpb_state & ACLPB_EXECUTING_DENY_HANDLES) { -+ aclEvalContext *c_ContextEval = &aclpb->aclpb_curr_entryEval_context; -+ AclAttrEval *c_attrEval = NULL; -+ /* -+ * The entire entry is blocked, but previously evaluated allow aci's might -+ * show some of the attributes as readable in the acl cache, so reset all -+ * the cached attributes' status to FAIL. 
-+ */ -+ for (size_t j = 0; j < c_ContextEval->acle_numof_attrs; j++) { -+ c_attrEval = &c_ContextEval->acle_attrEval[j]; -+ c_attrEval->attrEval_r_status &= ~ACL_ATTREVAL_SUCCESS; -+ c_attrEval->attrEval_r_status |= ACL_ATTREVAL_FAIL; -+ c_attrEval->attrEval_s_status &= ~ACL_ATTREVAL_SUCCESS; -+ c_attrEval->attrEval_s_status |= ACL_ATTREVAL_FAIL; -+ } - return LDAP_INSUFFICIENT_ACCESS; -+ } - - /* The other case is I don't have an - ** explicit allow rule -- which is fine. -@@ -2908,6 +2922,12 @@ acl__TestRights(Acl_PBlock *aclpb, int access, const char **right, const char ** - result_reason->deciding_aci = NULL; - result_reason->reason = ACL_REASON_NO_MATCHED_RESOURCE_ALLOWS; - -+ /* If we have deny handles we should process them */ -+ if (aclpb->aclpb_num_deny_handles > 0) { -+ aclpb->aclpb_state &= ~ACLPB_EXECUTING_ALLOW_HANDLES; -+ aclpb->aclpb_state |= ACLPB_EXECUTING_DENY_HANDLES; -+ } -+ - TNF_PROBE_1_DEBUG(acl__TestRights_end, "ACL", "", - tnf_string, no_allows, ""); - --- -2.17.0 - diff --git a/SOURCES/0090-Ticket-49576-ds-replcheck-fix-certificate-directory-.patch b/SOURCES/0090-Ticket-49576-ds-replcheck-fix-certificate-directory-.patch deleted file mode 100644 index fa70099..0000000 --- a/SOURCES/0090-Ticket-49576-ds-replcheck-fix-certificate-directory-.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From d385d452001c91d01893b5ddc9e47f8200223ce9 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Mon, 11 Jun 2018 11:52:57 -0400 -Subject: [PATCH] Ticket 49576 - ds-replcheck: fix certificate directory - verification - -Description: The tool would crash if you attempted to use a certificate - directory for conntacting replicas. - -https://pagure.io/389-ds-base/issue/49576 - -Reviewed by: spichugi(Thanks!) ---- - ldap/admin/src/scripts/ds-replcheck | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ldap/admin/src/scripts/ds-replcheck b/ldap/admin/src/scripts/ds-replcheck -index 661c9e0ce..62f911034 100755 ---- a/ldap/admin/src/scripts/ds-replcheck -+++ b/ldap/admin/src/scripts/ds-replcheck -@@ -1225,7 +1225,7 @@ def main(): - # Validate certdir - opts['certdir'] = None - if args.certdir: -- if os.path.exists() and os.path.isdir(certdir): -+ if os.path.exists(args.certdir) and os.path.isdir(args.certdir): - opts['certdir'] = args.certdir - else: - print("certificate directory ({}) does not exist or is not a directory".format(args.certdir)) --- -2.17.0 - diff --git a/SOURCES/0091-Ticket-49765-Async-operations-can-hang-when-the-serv.patch b/SOURCES/0091-Ticket-49765-Async-operations-can-hang-when-the-serv.patch deleted file mode 100644 index a5387aa..0000000 --- a/SOURCES/0091-Ticket-49765-Async-operations-can-hang-when-the-serv.patch +++ /dev/null 
@@ -1,278 +0,0 @@ -From 70e6c68196d381d05d35414c138894b54939d236 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Thu, 7 Jun 2018 16:19:34 +0200 -Subject: [PATCH] Ticket 49765 - Async operations can hang when the server is - running nunc-stans - -Bug Description: - The fix https://pagure.io/389-ds-base/issue/48184 allowed to schedule - several NS handlers where each handler waits for the dispatch of the - previous handler before being schedule. - - In case the current handler is never called (connection inactivity) - those that are waiting can wait indefinitely (until timeout or connection - closure). But those that are waiting delay the processing of the operation - when the scheduling is called by connection_threadmain. - - The some operations can appear hanging. - This scenario happens with async operations - -Fix Description: - Instead of waiting for the completion of the scheduled handler, - evaluates if the scheduled handler needs to be cleared (ns_job_done) - or the waiting handler to be canceled. - -https://pagure.io/389-ds-base/issue/49765 - -Reviewed by: Mark Reynolds (thanks Mark !) 
- -Platforms tested: F26 - -Flag Day: no - -Doc impact: no ---- - ldap/servers/slapd/daemon.c | 142 +++++++++++++++------------- - src/nunc-stans/include/nunc-stans.h | 3 + - src/nunc-stans/ns/ns_thrpool.c | 5 + - 3 files changed, 84 insertions(+), 66 deletions(-) - -diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c -index 35cfe7de0..0a723c4a8 100644 ---- a/ldap/servers/slapd/daemon.c -+++ b/ldap/servers/slapd/daemon.c -@@ -152,12 +152,21 @@ accept_and_configure(int s __attribute__((unused)), PRFileDesc *pr_acceptfd, PRN - */ - static int handle_new_connection(Connection_Table *ct, int tcps, PRFileDesc *pr_acceptfd, int secure, int local, Connection **newconn); - static void ns_handle_new_connection(struct ns_job_t *job); -+static void ns_handle_closure(struct ns_job_t *job); - static void handle_pr_read_ready(Connection_Table *ct, PRIntn num_poll); - static int clear_signal(struct POLL_STRUCT *fds); - static void unfurl_banners(Connection_Table *ct, daemon_ports_t *ports, PRFileDesc **n_tcps, PRFileDesc **s_tcps, PRFileDesc **i_unix); - static int write_pid_file(void); - static int init_shutdown_detect(void); - -+#define NS_HANDLER_NEW_CONNECTION 0 -+#define NS_HANDLER_READ_CONNECTION 1 -+#define NS_HANDLER_CLOSE_CONNECTION 2 -+static ns_job_func_t ns_handlers[] = { -+ ns_handle_new_connection, -+ ns_handle_pr_read_ready, -+ ns_handle_closure -+}; - /* - * NSPR has different implementations for PRMonitor, depending - * on the availble threading model -@@ -1058,7 +1067,7 @@ slapd_daemon(daemon_ports_t *ports, ns_thrpool_t *tp) - for (size_t ii = 0; ii < listeners; ++ii) { - listener_idxs[ii].ct = the_connection_table; /* to pass to handle_new_connection */ - ns_result_t result = ns_add_io_job(tp, listener_idxs[ii].listenfd, NS_JOB_ACCEPT | NS_JOB_PERSIST | NS_JOB_PRESERVE_FD, -- ns_handle_new_connection, &listener_idxs[ii], &(listener_idxs[ii].ns_job)); -+ ns_handlers[NS_HANDLER_NEW_CONNECTION], &listener_idxs[ii], &(listener_idxs[ii].ns_job)); 
- if (result != NS_SUCCESS) { - slapi_log_err(SLAPI_LOG_CRIT, "slapd_daemon", "ns_add_io_job failed to create add acceptor %d\n", result); - } -@@ -1684,28 +1693,84 @@ ns_handle_closure(struct ns_job_t *job) - /** - * Schedule more I/O for this connection, or make sure that it - * is closed in the event loop. -+ * - * caller must hold c_mutex -- * It returns -- * 0 on success -- * 1 on need to retry - */ --static int --ns_connection_post_io_or_closing_try(Connection *conn) -+void -+ns_connection_post_io_or_closing(Connection *conn) - { - struct timeval tv; - - if (!enable_nunc_stans) { -- return 0; -+ return; - } - - /* - * A job was already scheduled. -- * Let it be dispatched first -+ * Check if it is the appropriate one - */ - if (conn->c_job != NULL) { -- return 1; -+ if (connection_is_free(conn, 0)) { -+ PRStatus shutdown_status; -+ -+ /* The connection being freed, -+ * It means that ns_handle_closure already completed and the connection -+ * is no longer on the active list. -+ * The scheduled job is useless and scheduling a new one as well -+ */ -+ shutdown_status = ns_job_done(conn->c_job); -+ if (shutdown_status != PR_SUCCESS) { -+ slapi_log_err(SLAPI_LOG_CRIT, "ns_connection_post_io_or_closing", "Failed cancel a job on a freed connection %d !\n", conn->c_sd); -+ } -+ conn->c_job = NULL; -+ return; -+ } -+ if (CONN_NEEDS_CLOSING(conn)) { -+ if (ns_job_is_func(conn->c_job, ns_handlers[NS_HANDLER_CLOSE_CONNECTION])) { -+ /* Due to the closing state we would schedule a ns_handle_closure -+ * but one is already registered. -+ * Just return; -+ */ -+ slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "Already ns_handle_closure " -+ "job in progress on conn %" PRIu64 " for fd=%d\n", -+ conn->c_connid, conn->c_sd); -+ return; -+ } else { -+ /* Due to the closing state we would schedule a ns_handle_closure -+ * but a different handler is registered. 
Stop it and schedule (below) ns_handle_closure -+ */ -+ ns_job_done(conn->c_job); -+ conn->c_job = NULL; -+ } -+ } else { -+ /* Here the connection is still active => ignore the call and return */ -+ if (ns_job_is_func(conn->c_job, ns_handlers[NS_HANDLER_READ_CONNECTION])) { -+ /* Connection is still active and a read_ready is already scheduled -+ * Likely a consequence of async operations -+ * Just let the current read_ready do its job -+ */ -+ slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "Already ns_handle_pr_read_ready " -+ "job in progress on conn %" PRIu64 " for fd=%d\n", -+ conn->c_connid, conn->c_sd); -+ } else { -+ /* Weird situation where the connection is not flagged closing but ns_handle_closure -+ * is scheduled. -+ * We should not try to read it anymore -+ */ -+ PR_ASSERT(ns_job_is_func(conn->c_job, ns_handlers[NS_HANDLER_CLOSE_CONNECTION])); -+ } -+ return; -+ } - } - -+ /* At this point conn->c_job is NULL -+ * Either it was null when the function was called -+ * Or we cleared it (+ns_job_done) if the wrong (according -+ * to the connection state) handler was scheduled -+ * -+ * Now we need to determine which handler to schedule -+ */ -+ - if (CONN_NEEDS_CLOSING(conn)) { - /* there should only ever be 0 or 1 active closure jobs */ - PR_ASSERT((conn->c_ns_close_jobs == 0) || (conn->c_ns_close_jobs == 1)); -@@ -1718,7 +1783,7 @@ ns_connection_post_io_or_closing_try(Connection *conn) - conn->c_ns_close_jobs++; /* now 1 active closure job */ - connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */ - /* Close the job asynchronously. Why? 
*/ -- ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handle_closure, conn, &(conn->c_job)); -+ ns_result_t job_result = ns_add_job(conn->c_tp, NS_JOB_TIMER, ns_handlers[NS_HANDLER_CLOSE_CONNECTION], conn, &(conn->c_job)); - if (job_result != NS_SUCCESS) { - if (job_result == NS_SHUTDOWN) { - slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post closure job " -@@ -1762,7 +1827,7 @@ ns_connection_post_io_or_closing_try(Connection *conn) - #endif - ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv, - NS_JOB_READ | NS_JOB_PRESERVE_FD, -- ns_handle_pr_read_ready, conn, &(conn->c_job)); -+ ns_handlers[NS_HANDLER_READ_CONNECTION], conn, &(conn->c_job)); - if (job_result != NS_SUCCESS) { - if (job_result == NS_SHUTDOWN) { - slapi_log_err(SLAPI_LOG_INFO, "ns_connection_post_io_or_closing", "post I/O job for " -@@ -1782,61 +1847,6 @@ ns_connection_post_io_or_closing_try(Connection *conn) - return 0; - } - --/* -- * Tries to schedule I/O for this connection -- * If the connection is already busy with a scheduled I/O -- * it can wait until scheduled I/O is dispatched -- * -- * caller must hold c_mutex -- */ --void --ns_connection_post_io_or_closing(Connection *conn) --{ -- while (ns_connection_post_io_or_closing_try(conn)) { -- /* Here a job is currently scheduled (c->job is set) and not yet dispatched -- * Job can be either: -- * - ns_handle_closure -- * - ns_handle_pr_read_ready -- */ -- -- if (connection_is_free(conn, 0)) { -- PRStatus shutdown_status; -- -- /* The connection being freed, -- * It means that ns_handle_closure already completed and the connection -- * is no longer on the active list. 
-- * The scheduled job is useless and scheduling a new one as well -- */ -- shutdown_status = ns_job_done(conn->c_job); -- if (shutdown_status != PR_SUCCESS) { -- slapi_log_err(SLAPI_LOG_CRIT, "ns_connection_post_io_or_closing", "Failed cancel a job on a freed connection %d !\n", conn->c_sd); -- } -- conn->c_job = NULL; -- return; -- } -- if (g_get_shutdown() && CONN_NEEDS_CLOSING(conn)) { -- PRStatus shutdown_status; -- -- /* This is shutting down cancel any scheduled job to register ns_handle_closure -- */ -- shutdown_status = ns_job_done(conn->c_job); -- if (shutdown_status != PR_SUCCESS) { -- slapi_log_err(SLAPI_LOG_CRIT, "ns_connection_post_io_or_closing", "Failed to cancel a job during shutdown %d !\n", conn->c_sd); -- } -- conn->c_job = NULL; -- continue; -- } -- -- /* We are not suppose to work immediately on the connection that is taken by -- * another job -- * release the lock and give some time -- */ -- PR_ExitMonitor(conn->c_mutex); -- DS_Sleep(PR_MillisecondsToInterval(100)); -- PR_EnterMonitor(conn->c_mutex); -- } --} -- - /* This function must be called without the thread flag, in the - * event loop. This function may free the connection. This can - * only be done in the event loop thread. -diff --git a/src/nunc-stans/include/nunc-stans.h b/src/nunc-stans/include/nunc-stans.h -index 192e38ec3..a0ddbdb42 100644 ---- a/src/nunc-stans/include/nunc-stans.h -+++ b/src/nunc-stans/include/nunc-stans.h -@@ -959,4 +959,7 @@ ns_result_t ns_thrpool_wait(struct ns_thrpool_t *tp); - */ - ns_result_t ns_job_rearm(struct ns_job_t *job); - -+int -+ns_job_is_func(struct ns_job_t *job, ns_job_func_t func); -+ - #endif /* NS_THRPOOL_H */ -diff --git a/src/nunc-stans/ns/ns_thrpool.c b/src/nunc-stans/ns/ns_thrpool.c -index d95b0c38b..774607c88 100644 ---- a/src/nunc-stans/ns/ns_thrpool.c -+++ b/src/nunc-stans/ns/ns_thrpool.c -@@ -1237,6 +1237,11 @@ ns_job_rearm(ns_job_t *job) - /* Unreachable code .... 
*/ - return NS_INVALID_REQUEST; - } -+int -+ns_job_is_func(struct ns_job_t *job, ns_job_func_t func) -+{ -+ return(job && job->func == func); -+} - - static void - ns_thrpool_delete(ns_thrpool_t *tp) --- -2.17.1 - diff --git a/SOURCES/0092-Ticket-49765-compiler-warning.patch b/SOURCES/0092-Ticket-49765-compiler-warning.patch deleted file mode 100644 index b28d8d2..0000000 --- a/SOURCES/0092-Ticket-49765-compiler-warning.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 2daf9be2b949b845ce18c355d862ac765a512ba7 Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Fri, 8 Jun 2018 14:34:28 +0200 -Subject: [PATCH] Ticket 49765 - compiler warning - ---- - ldap/servers/slapd/daemon.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c -index 0a723c4a8..01db503dc 100644 ---- a/ldap/servers/slapd/daemon.c -+++ b/ldap/servers/slapd/daemon.c -@@ -1778,7 +1778,7 @@ ns_connection_post_io_or_closing(Connection *conn) - slapi_log_err(SLAPI_LOG_CONNS, "ns_connection_post_io_or_closing", "Already a close " - "job in progress on conn %" PRIu64 " for fd=%d\n", - conn->c_connid, conn->c_sd); -- return 0; -+ return; - } else { - conn->c_ns_close_jobs++; /* now 1 active closure job */ - connection_acquire_nolock_ext(conn, 1 /* allow acquire even when closing */); /* event framework now has a reference */ -@@ -1822,7 +1822,7 @@ ns_connection_post_io_or_closing(Connection *conn) - * The error occurs when we get a connection in a closing state. - * For now we return, but there is probably a better way to handle the error case. - */ -- return 0; -+ return; - } - #endif - ns_result_t job_result = ns_add_io_timeout_job(conn->c_tp, conn->c_prfd, &tv, -@@ -1844,7 +1844,7 @@ ns_connection_post_io_or_closing(Connection *conn) - conn->c_connid, conn->c_sd); - } - } -- return 0; -+ return; - } - - /* This function must be called without the thread flag, in the --- -2.17.1 - 
diff --git a/SOURCES/0093-Ticket-49893-disable-nunc-stans-by-default.patch b/SOURCES/0093-Ticket-49893-disable-nunc-stans-by-default.patch
deleted file mode 100644
index cfc5ea5..0000000
--- a/SOURCES/0093-Ticket-49893-disable-nunc-stans-by-default.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 911038990df1357f452b0e38309261faf1de898f Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Wed, 8 Aug 2018 17:19:27 -0400
-Subject: [PATCH] Ticket 49893 - disable nunc-stans by default
-
-Description: Until nunc-stans is stablized we need to disable it
-
-https://pagure.io/389-ds-base/issue/49893
-
-Reviewed by: ?
-
-(cherry picked from commit 2f2d3b1d7e7d847de1bb9ddf2f63e71dbc90f710)
----
- ldap/servers/slapd/libglobs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
-index 3bd5c1826..f8741028d 100644
---- a/ldap/servers/slapd/libglobs.c
-+++ b/ldap/servers/slapd/libglobs.c
-@@ -1681,7 +1681,7 @@ FrontendConfig_init(void)
- cfg->maxbersize = SLAPD_DEFAULT_MAXBERSIZE;
- cfg->logging_backend = slapi_ch_strdup(SLAPD_INIT_LOGGING_BACKEND_INTERNAL);
- cfg->rootdn = slapi_ch_strdup(SLAPD_DEFAULT_DIRECTORY_MANAGER);
-- init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_ON;
-+ init_enable_nunc_stans = cfg->enable_nunc_stans = LDAP_OFF;
- #if defined(LINUX)
- init_malloc_mxfast = cfg->malloc_mxfast = DEFAULT_MALLOC_UNSET;
- init_malloc_trim_threshold = cfg->malloc_trim_threshold = DEFAULT_MALLOC_UNSET;
---
-2.17.1
-
diff --git a/SOURCES/0094-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch b/SOURCES/0094-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch
deleted file mode 100644
index 0af0b6f..0000000
--- a/SOURCES/0094-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch
+++ /dev/null
@@ -1,137 +0,0 @@ -From 1013a1bfe0882d213f48e900ab89e00651188489 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 9 Aug 2018 15:27:59 -0400 -Subject: [PATCH] Ticket 49890 : ldapsearch with server side sort crashes the - ldap server - -Bug Description: - Server side sort with a specified matching rule trigger a crash - -Fix Description: - Check if the we are able to index the provided value. - If we are not then slapd_qsort returns an error (LDAP_OPERATION_ERROR) - -https://pagure.io/389-ds-base/issue/49890 - -Reviewed by: mreynolds - -Platforms tested: F27 - -Flag Day: no - -Doc impact: no - -(cherry picked from commit c989e18f7a3da060b16d39919b920b6b2a19a0ac) ---- - dirsrvtests/tests/suites/syntax/mr_test.py | 59 ++++++++++++++++++++++ - ldap/servers/slapd/back-ldbm/sort.c | 14 +++++ - 2 files changed, 73 insertions(+) - create mode 100644 dirsrvtests/tests/suites/syntax/mr_test.py - -diff --git a/dirsrvtests/tests/suites/syntax/mr_test.py b/dirsrvtests/tests/suites/syntax/mr_test.py -new file mode 100644 -index 000000000..57061222a ---- /dev/null -+++ b/dirsrvtests/tests/suites/syntax/mr_test.py -@@ -0,0 +1,59 @@ -+import logging -+import pytest -+import os -+import ldap -+from lib389.dbgen import dbgen -+from lib389._constants import * -+from lib389.topologies import topology_st as topo -+from lib389._controls import SSSRequestControl -+ -+DEBUGGING = os.getenv("DEBUGGING", default=False) -+if DEBUGGING: -+ logging.getLogger(__name__).setLevel(logging.DEBUG) -+else: -+ logging.getLogger(__name__).setLevel(logging.INFO) -+log = logging.getLogger(__name__) -+ -+ -+def test_sss_mr(topo): -+ """Test matching rule/server side sort does not crash DS -+ -+ :id: 48c73d76-1694-420f-ab55-187135f2d260 -+ :setup: Standalone Instance -+ :steps: -+ 1. Add sample entries to the database -+ 2. Perform search using server side control (uid:2.5.13.3) -+ :expectedresults: -+ 1. Success -+ 2. 
Success -+ """ -+ -+ log.info("Creating LDIF...") -+ ldif_dir = topo.standalone.get_ldif_dir() -+ ldif_file = os.path.join(ldif_dir, 'mr-crash.ldif') -+ dbgen(topo.standalone, 5, ldif_file, DEFAULT_SUFFIX) -+ -+ log.info("Importing LDIF...") -+ topo.standalone.stop() -+ assert topo.standalone.ldif2db(DEFAULT_BENAME, None, None, None, ldif_file) -+ topo.standalone.start() -+ -+ log.info('Search using server side sorting using undefined mr in the attr...') -+ sort_ctrl = SSSRequestControl(True, ['uid:2.5.13.3']) -+ controls = [sort_ctrl] -+ msg_id = topo.standalone.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, -+ "objectclass=*", serverctrls=controls) -+ try: -+ rtype, rdata, rmsgid, response_ctrl = topo.standalone.result3(msg_id) -+ except ldap.OPERATIONS_ERROR: -+ pass -+ -+ log.info("Test PASSED") -+ -+ -+if __name__ == '__main__': -+ # Run isolated -+ # -s for DEBUG mode -+ CURRENT_FILE = os.path.realpath(__file__) -+ pytest.main(["-s", CURRENT_FILE]) -+ -diff --git a/ldap/servers/slapd/back-ldbm/sort.c b/ldap/servers/slapd/back-ldbm/sort.c -index 5b84d87f3..70ac60803 100644 ---- a/ldap/servers/slapd/back-ldbm/sort.c -+++ b/ldap/servers/slapd/back-ldbm/sort.c -@@ -546,6 +546,16 @@ compare_entries_sv(ID *id_a, ID *id_b, sort_spec *s, baggage_carrier *bc, int *e - /* Now copy it, so the second call doesn't crap on it */ - value_a = slapi_ch_bvecdup(temp_value); /* Really, we'd prefer to not call the chXXX variant...*/ - matchrule_values_to_keys(this_one->mr_pb, actual_value_b, &value_b); -+ -+ if ((actual_value_a && !value_a) || -+ (actual_value_b && !value_b)) { -+ ber_bvecfree(actual_value_a); -+ ber_bvecfree(actual_value_b); -+ CACHE_RETURN(&inst->inst_cache, &a); -+ CACHE_RETURN(&inst->inst_cache, &b); -+ *error = 1; -+ return 0; -+ } - if (actual_value_a) - ber_bvecfree(actual_value_a); - if (actual_value_b) -@@ -717,6 +727,8 @@ recurse: - A[i] >= A[lo] for higuy <= i <= hi */ - - do { -+ if (error) -+ return LDAP_OPERATIONS_ERROR; - loguy++; - } while (loguy 
<= hi && compare_entries_sv(loguy, lo, s, bc, &error) <= 0); - -@@ -724,6 +736,8 @@ recurse: - either loguy > hi or A[loguy] > A[lo] */ - - do { -+ if (error) -+ return LDAP_OPERATIONS_ERROR; - higuy--; - } while (higuy > lo && compare_entries_sv(higuy, lo, s, bc, &error) >= 0); - --- -2.17.1 - diff --git a/SOURCES/0095-Ticket-49742-Fine-grained-password-policy-can-impact.patch b/SOURCES/0095-Ticket-49742-Fine-grained-password-policy-can-impact.patch deleted file mode 100644 index 77d030c..0000000 --- a/SOURCES/0095-Ticket-49742-Fine-grained-password-policy-can-impact.patch +++ /dev/null 
@@ -1,287 +0,0 @@ -From d1c87a502dc969198aa0e6a210e1303ae71bdeae Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Thu, 7 Jun 2018 18:35:34 +0200 -Subject: [PATCH] Ticket 49742 - Fine grained password policy can impact search - performance - -Bug Description: - new_passwdPolicy is called with an entry DN. - In case of fine grain password policy we need to retrieve - the possible password policy (pwdpolicysubentry) that applies to - that entry. - It triggers an internal search to retrieve the entry. - - In case of a search operation (add_shadow_ext_password_attrs), the - entry is already in the pblock. So it is useless to do an additional - internal search for it. - -Fix Description: - in case of fine grain password policy and a SRCH operation, - if the entry DN matches the entry stored in the pblock (SLAPI_SEARCH_RESULT_ENTRY) - then use that entry instead of doing an internal search - -https://pagure.io/389-ds-base/issue/49742 - -Reviewed by: Mark Reynolds - -Platforms tested: F26 - -Flag Day: no - -Doc impact: no ---- - dirsrvtests/tests/tickets/ticket48228_test.py | 18 +++---- - dirsrvtests/tests/tickets/ticket548_test.py | 18 ++++--- - ldap/servers/slapd/pw.c | 48 +++++++++++++++++-- - 3 files changed, 66 insertions(+), 18 deletions(-) - -diff --git a/dirsrvtests/tests/tickets/ticket48228_test.py b/dirsrvtests/tests/tickets/ticket48228_test.py -index 4f4494e0b..1ab741b94 100644 ---- a/dirsrvtests/tests/tickets/ticket48228_test.py -+++ b/dirsrvtests/tests/tickets/ticket48228_test.py -@@ -7,6 +7,7 @@ - # --- END COPYRIGHT BLOCK --- - # - import logging -+import time - - import pytest - from lib389.tasks import * -@@ -33,14 +34,14 @@ def set_global_pwpolicy(topology_st, inhistory): - topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) - # Enable password policy - try: -- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on')]) -+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 
b'on')]) - except ldap.LDAPError as e: - log.error('Failed to set pwpolicy-local: error ' + e.message['desc']) - assert False - - log.info(" Set global password history on\n") - try: -- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordHistory', 'on')]) -+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordHistory', b'on')]) - except ldap.LDAPError as e: - log.error('Failed to set passwordHistory: error ' + e.message['desc']) - assert False -@@ -48,7 +49,7 @@ def set_global_pwpolicy(topology_st, inhistory): - log.info(" Set global passwords in history\n") - try: - count = "%d" % inhistory -- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordInHistory', count)]) -+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordInHistory', count.encode())]) - except ldap.LDAPError as e: - log.error('Failed to set passwordInHistory: error ' + e.message['desc']) - assert False -@@ -113,9 +114,9 @@ def check_passwd_inhistory(topology_st, user, cpw, passwd): - topology_st.standalone.simple_bind_s(user, cpw) - time.sleep(1) - try: -- topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', passwd)]) -+ topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', passwd.encode())]) - except ldap.LDAPError as e: -- log.info(' The password ' + passwd + ' of user' + USER1_DN + ' in history: error ' + e.message['desc']) -+ log.info(' The password ' + passwd + ' of user' + USER1_DN + ' in history: error {0}'.format(e)) - inhistory = 1 - time.sleep(1) - return inhistory -@@ -130,7 +131,7 @@ def update_passwd(topology_st, user, passwd, times): - # Now update the value for this iter. 
- cpw = 'password%d' % i - try: -- topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', cpw)]) -+ topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', cpw.encode())]) - except ldap.LDAPError as e: - log.fatal( - 'test_ticket48228: Failed to update the password ' + cpw + ' of user ' + user + ': error ' + e.message[ -@@ -146,7 +147,6 @@ def test_ticket48228_test_global_policy(topology_st): - """ - Check global password policy - """ -- - log.info(' Set inhistory = 6') - set_global_pwpolicy(topology_st, 6) - -@@ -201,7 +201,7 @@ def test_ticket48228_test_global_policy(topology_st): - log.info("Global policy was successfully verified.") - - --def test_ticket48228_test_subtree_policy(topology_st): -+def text_ticket48228_text_subtree_policy(topology_st): - """ - Check subtree level password policy - """ -@@ -233,7 +233,7 @@ def test_ticket48228_test_subtree_policy(topology_st): - log.info(' Set inhistory = 4') - topology_st.standalone.simple_bind_s(DN_DM, PASSWORD) - try: -- topology_st.standalone.modify_s(SUBTREE_PWP, [(ldap.MOD_REPLACE, 'passwordInHistory', '4')]) -+ topology_st.standalone.modify_s(SUBTREE_PWP, [(ldap.MOD_REPLACE, 'passwordInHistory', b'4')]) - except ldap.LDAPError as e: - log.error('Failed to set pwpolicy-local: error ' + e.message['desc']) - assert False -diff --git a/dirsrvtests/tests/tickets/ticket548_test.py b/dirsrvtests/tests/tickets/ticket548_test.py -index d354cc802..0d71ab6ca 100644 ---- a/dirsrvtests/tests/tickets/ticket548_test.py -+++ b/dirsrvtests/tests/tickets/ticket548_test.py -@@ -42,7 +42,7 @@ def set_global_pwpolicy(topology_st, min_=1, max_=10, warn=3): - log.info(" +++++ Enable global password policy +++++\n") - # Enable password policy - try: -- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', 'on')]) -+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-pwpolicy-local', b'on')]) - except ldap.LDAPError as e: - log.error('Failed 
to set pwpolicy-local: error ' + e.message['desc']) - assert False -@@ -54,28 +54,28 @@ def set_global_pwpolicy(topology_st, min_=1, max_=10, warn=3): - - log.info(" Set global password Min Age -- %s day\n" % min_) - try: -- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMinAge', '%s' % min_secs)]) -+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMinAge', ('%s' % min_secs).encode())]) - except ldap.LDAPError as e: - log.error('Failed to set passwordMinAge: error ' + e.message['desc']) - assert False - - log.info(" Set global password Expiration -- on\n") - try: -- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordExp', 'on')]) -+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordExp', b'on')]) - except ldap.LDAPError as e: - log.error('Failed to set passwordExp: error ' + e.message['desc']) - assert False - - log.info(" Set global password Max Age -- %s days\n" % max_) - try: -- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMaxAge', '%s' % max_secs)]) -+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordMaxAge', ('%s' % max_secs).encode())]) - except ldap.LDAPError as e: - log.error('Failed to set passwordMaxAge: error ' + e.message['desc']) - assert False - - log.info(" Set global password Warning -- %s days\n" % warn) - try: -- topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordWarning', '%s' % warn_secs)]) -+ topology_st.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'passwordWarning', ('%s' % warn_secs).encode())]) - except ldap.LDAPError as e: - log.error('Failed to set passwordWarning: error ' + e.message['desc']) - assert False -@@ -93,6 +93,8 @@ def set_subtree_pwpolicy(topology_st, min_=2, max_=20, warn=6): - try: - topology_st.standalone.add_s(Entry((SUBTREE_CONTAINER, {'objectclass': 'top nsContainer'.split(), - 'cn': 'nsPwPolicyContainer'}))) -+ except ldap.ALREADY_EXISTS: -+ pass - 
except ldap.LDAPError as e: - log.error('Failed to add subtree container: error ' + e.message['desc']) - # assert False -@@ -128,6 +130,8 @@ def set_subtree_pwpolicy(topology_st, min_=2, max_=20, warn=6): - 'cosPriority': '1', - 'cn': SUBTREE_COS_TMPLDN, - 'pwdpolicysubentry': SUBTREE_PWP}))) -+ except ldap.ALREADY_EXISTS: -+ pass - except ldap.LDAPError as e: - log.error('Failed to add COS template: error ' + e.message['desc']) - # assert False -@@ -139,6 +143,8 @@ def set_subtree_pwpolicy(topology_st, min_=2, max_=20, warn=6): - 'cn': SUBTREE_PWPDN, - 'costemplatedn': SUBTREE_COS_TMPL, - 'cosAttribute': 'pwdpolicysubentry default operational-default'}))) -+ except ldap.ALREADY_EXISTS: -+ pass - except ldap.LDAPError as e: - log.error('Failed to add COS def: error ' + e.message['desc']) - # assert False -@@ -150,7 +156,7 @@ def update_passwd(topology_st, user, passwd, newpasswd): - log.info(" Bind as {%s,%s}" % (user, passwd)) - topology_st.standalone.simple_bind_s(user, passwd) - try: -- topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', newpasswd)]) -+ topology_st.standalone.modify_s(user, [(ldap.MOD_REPLACE, 'userpassword', newpasswd.encode())]) - except ldap.LDAPError as e: - log.fatal('test_ticket548: Failed to update the password ' + cpw + ' of user ' + user + ': error ' + e.message[ - 'desc']) -diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c -index 451be364d..10b8e7254 100644 ---- a/ldap/servers/slapd/pw.c -+++ b/ldap/servers/slapd/pw.c -@@ -1625,6 +1625,10 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn) - int attr_free_flags = 0; - int rc = 0; - int optype = -1; -+ int free_e = 1; /* reset if e is taken from pb */ -+ if (pb) { -+ slapi_pblock_get(pb, SLAPI_OPERATION_TYPE, &optype); -+ } - - /* If we already allocated a pw policy, return it */ - if (pb != NULL) { -@@ -1688,7 +1692,43 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn) - /* If we're not doing an add, we look for the pwdpolicysubentry - attribute 
in the target entry itself. */ - } else { -- if ((e = get_entry(pb, dn)) != NULL) { -+ if (optype == SLAPI_OPERATION_SEARCH) { -+ Slapi_Entry *pb_e; -+ -+ /* During a search the entry should be in the pblock -+ * For safety check entry DN is identical to 'dn' -+ */ -+ slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_ENTRY, &pb_e); -+ if (pb_e) { -+ Slapi_DN * sdn; -+ const char *ndn; -+ char *pb_ndn; -+ -+ pb_ndn = slapi_entry_get_ndn(pb_e); -+ -+ sdn = slapi_sdn_new_dn_byval(dn); -+ ndn = slapi_sdn_get_ndn(sdn); -+ -+ if (strcasecmp(pb_ndn, ndn) == 0) { -+ /* We are using the candidate entry that is already loaded in the pblock -+ * Do not trigger an additional internal search -+ * Also we will not need to free the entry that will remain in the pblock -+ */ -+ e = pb_e; -+ free_e = 0; -+ } else { -+ e = get_entry(pb, dn); -+ } -+ slapi_sdn_free(&sdn); -+ } else { -+ e = get_entry(pb, dn); -+ } -+ } else { -+ /* For others operations but SEARCH */ -+ e = get_entry(pb, dn); -+ } -+ -+ if (e) { - Slapi_Attr *attr = NULL; - rc = slapi_entry_attr_find(e, "pwdpolicysubentry", &attr); - if (attr && (0 == rc)) { -@@ -1718,7 +1758,9 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn) - } - } - slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags); -- slapi_entry_free(e); -+ if (free_e) { -+ slapi_entry_free(e); -+ } - - if (pw_entry == NULL) { - slapi_log_err(SLAPI_LOG_ERR, "new_passwdPolicy", -@@ -1916,7 +1958,7 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn) - slapi_pblock_set_pwdpolicy(pb, pwdpolicy); - } - return pwdpolicy; -- } else if (e) { -+ } else if (free_e) { - slapi_entry_free(e); - } - } --- -2.17.1 - diff --git a/SOURCES/0096-Bug-1623247-Crash-in-vslapd_log_emergency_error.patch b/SOURCES/0096-Bug-1623247-Crash-in-vslapd_log_emergency_error.patch deleted file mode 100644 index 81a9a8a..0000000 --- a/SOURCES/0096-Bug-1623247-Crash-in-vslapd_log_emergency_error.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From 9d2aa18fb5c48a11300d2309df89213bbdb614e1 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 23 Aug 2018 13:43:36 -0400 -Subject: [PATCH 1/2] Bug 1623247 - Crash in vslapd_log_emergency_error - - Description: We were not locking the error log fd before closing and reopening - the log file. This could cause a crash when multiple threads are - trying to log tothe errors log. ---- - ldap/servers/slapd/log.c | 22 ++++++++++++++++------ - 1 file changed, 16 insertions(+), 6 deletions(-) - -diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c -index 998efaef3..90ce6ac0a 100644 ---- a/ldap/servers/slapd/log.c -+++ b/ldap/servers/slapd/log.c -@@ -2231,11 +2231,11 @@ vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked) - if (logging_hr_timestamps_enabled == 1) { - struct timespec tsnow; - if (clock_gettime(CLOCK_REALTIME, &tsnow) != 0) { -- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to determine system time for message :: %s", msg); -+ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to determine system time for message :: %s\n", msg); - return; - } - if (format_localTime_hr_log(tsnow.tv_sec, tsnow.tv_nsec, sizeof(tbuf), tbuf, &size) != 0) { -- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s", msg); -+ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s\n", msg); - return; - } - } else { -@@ -2243,14 +2243,14 @@ vslapd_log_emergency_error(LOGFD fp, const char *msg, int locked) - time_t tnl; - tnl = slapi_current_utc_time(); - if (format_localTime_log(tnl, sizeof(tbuf), tbuf, &size) != 0) { -- syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s", msg); -+ syslog(LOG_EMERG, "vslapd_log_emergency_error, Unable to format system time for message :: %s\n", msg); - return; - } - #ifdef HAVE_CLOCK_GETTIME - } - #endif - -- PR_snprintf(buffer, sizeof(buffer), "%s - EMERG - %s", tbuf, 
msg); -+ PR_snprintf(buffer, sizeof(buffer), "%s - EMERG - %s\n", tbuf, msg); - size = strlen(buffer); - - if (!locked) { -@@ -2531,7 +2531,7 @@ vslapd_log_access(char *fmt, va_list ap) - - if (SLAPI_LOG_BUFSIZ - blen < vlen) { - /* We won't be able to fit the message in! Uh-oh! */ -- /* Should we actually just do the snprintf, and warn that message was trunced? */ -+ /* Should we actually just do the snprintf, and warn that message was truncated? */ - log__error_emergency("Insufficent buffer capacity to fit timestamp and message!", 1, 0); - return -1; - } -@@ -4447,6 +4447,13 @@ log__error_emergency(const char *errstr, int reopen, int locked) - if (!reopen) { - return; - } -+ if (!locked) { -+ /* -+ * Take the lock because we are closing and reopening the error log (fd), -+ * and we don't want any other threads trying to use this fd -+ */ -+ LOG_ERROR_LOCK_WRITE(); -+ } - if (NULL != loginfo.log_error_fdes) { - LOG_CLOSE(loginfo.log_error_fdes); - } -@@ -4455,7 +4462,10 @@ log__error_emergency(const char *errstr, int reopen, int locked) - PRErrorCode prerr = PR_GetError(); - syslog(LOG_ERR, "Failed to reopen errors log file, " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", prerr, slapd_pr_strerror(prerr)); - } else { -- vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, locked); -+ vslapd_log_emergency_error(loginfo.log_error_fdes, errstr, 1 /* locked */); -+ } -+ if (!locked) { -+ LOG_ERROR_UNLOCK_WRITE(); - } - return; - } --- -2.17.1 - diff --git a/SOURCES/0097-Ticket-49768-Under-network-intensive-load-persistent.patch b/SOURCES/0097-Ticket-49768-Under-network-intensive-load-persistent.patch deleted file mode 100644 index cee161a..0000000 --- a/SOURCES/0097-Ticket-49768-Under-network-intensive-load-persistent.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 2136ba8dd18e72bfbe037517c10187bfe695628f Mon Sep 17 00:00:00 2001 -From: Thierry Bordaz -Date: Thu, 24 May 2018 15:36:34 +0200 -Subject: [PATCH] Ticket 49768 - Under network intensive load persistent search - can erronously decrease connection refcnt - -Bug Description: - If a connection enters in turbo mode (because of high traffic) or - a worker reads several requests in the read buffer (more_data), the thread - keeps processing connection. - In that condition it should not decrease the refcnt. - In case the operation is a persistent search, it decreases systematically - the refcnt. - So refcnt can become lower than the actual number of threads active on the connection. - - Most of the time it can create messages like - Attempt to release connection that is not acquired - In some rare case, if the a connection is out of the active list but a remaining thread - tries to remove it again it can lead to a crash - -Fix Description: - The fix consist, when processing a PS, to decrease the refcnt at the condition - the connection is not in turbo mode or in more_data. - -https://pagure.io/389-ds-base/issue/49768 - -Reviewed by: Mark Reynolds - -Platforms tested: F26 - -Flag Day: no - -Doc impact: no ---- - ldap/servers/slapd/connection.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c -index c54e7c26c..1dbb49f06 100644 ---- a/ldap/servers/slapd/connection.c -+++ b/ldap/servers/slapd/connection.c -@@ -1811,9 +1811,17 @@ connection_threadmain() - slapi_counter_increment(ops_completed); - /* If this op isn't a persistent search, remove it */ - if (op->o_flags & OP_FLAG_PS) { -- PR_EnterMonitor(conn->c_mutex); -- connection_release_nolock(conn); /* psearch acquires ref to conn - release this one now */ -- PR_ExitMonitor(conn->c_mutex); -+ /* Release the connection (i.e. decrease refcnt) at the condition -+ * this thread will not loop on it. 
-+ * If we are in turbo mode (dedicated to that connection) or -+ * more_data (continue reading buffered req) this thread -+ * continues to hold the connection -+ */ -+ if (!thread_turbo_flag && !more_data) { -+ PR_EnterMonitor(conn->c_mutex); -+ connection_release_nolock(conn); /* psearch acquires ref to conn - release this one now */ -+ PR_ExitMonitor(conn->c_mutex); -+ } - /* ps_add makes a shallow copy of the pb - so we - * can't free it or init it here - just set operation to NULL. - * ps_send_results will call connection_remove_operation_ext to free it --- -2.17.1 - diff --git a/SOURCES/0098-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch b/SOURCES/0098-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch deleted file mode 100644 index f7b8a04..0000000 --- a/SOURCES/0098-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 1bb5fd7fac9c5b93d3dfb8b8a2a648e238a158bc Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Thu, 30 Aug 2018 14:28:10 -0400 -Subject: [PATCH] Ticket 49932 - Crash in delete_passwdPolicy when persistent - search connections are terminated unexpectedly - -Bug Description: We clone a pblock in a psearch search, and under certain - error conditions this pblock is freed, but it frees the - password policy struct which can lead to a double free - when the original pblock is destroyed. - -Fix Description: During the cloning, set the pwppolicy struct to NULL - so the clone allocates its own policy if needed - -https://pagure.io/389-ds-base/issue/49932 - -Reviewed by: ? - -(cherry picked from commit 78fc627accacfa4061ce48977e22301f81ea8d73) ---- - ldap/servers/slapd/pblock.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c -index 4514c3ce6..bc18a7b18 100644 ---- a/ldap/servers/slapd/pblock.c -+++ b/ldap/servers/slapd/pblock.c -@@ -322,6 +322,8 @@ slapi_pblock_clone(Slapi_PBlock *pb) - if (pb->pb_intop != NULL) { - _pblock_assert_pb_intop(new_pb); - *(new_pb->pb_intop) = *(pb->pb_intop); -+ /* set pwdpolicy to NULL so this clone allocates its own policy */ -+ new_pb->pb_intop->pwdpolicy = NULL; - } - if (pb->pb_intplugin != NULL) { - _pblock_assert_pb_intplugin(new_pb); --- -2.17.1 - diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec index 6c9df65..09f1e05 100644 --- a/SPECS/389-ds-base.spec +++ b/SPECS/389-ds-base.spec @@ -38,8 +38,8 @@ Summary: 389 Directory Server (%{variant}) Name: 389-ds-base -Version: 1.3.7.5 -Release: %{?relprefix}28%{?prerel}%{?dist} +Version: 1.3.8.4 +Release: %{?relprefix}15%{?prerel}%{?dist} License: GPLv3+ URL: https://www.port389.org/ Group: System Environment/Daemons 
@@ -83,7 +83,7 @@ BuildRequires: libevent-devel BuildRequires: libtalloc-devel BuildRequires: libtevent-devel # For tests! -#BuildRequires: libcmocka-devel +BuildRequires: libcmocka-devel BuildRequires: doxygen # this is needed for using semanage from our setup scripts @@ -102,6 +102,7 @@ Requires: perl-Mozilla-LDAP # this is needed to setup SSL if you are not using the # administration server package Requires: nss-tools +Requires: nss >= 3.34 # these are not found by the auto-dependency method # they are required to support the mandatory LDAP SASL mechs @@ -134,8 +135,7 @@ Requires: systemd-libs Requires: svrcore >= 4.1.3 Requires: python-ldap -# upgrade path from monolithic % {name} (including -libs & -devel) to % {name} + % {name}-snmp -Obsoletes: %{name} <= 1.3.5.4 +Obsoletes: %{name} <= 1.3.7.10 %if %{use_tcmalloc} BuildRequires: gperftools-devel 
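Review bot: The added `Requires: nss >= 3.34` in the hunk at -102,6 carries no comment saying what needs that minimum, while the `nss-tools` line directly above it is explained. A one-line comment such as `# nss >= 3.34 is needed for <feature or fix the server relies on>` would keep a later maintainer from relaxing the floor on the TLS library by accident. Only the runtime requirement is raised in the lines shown; if the build depends on the same NSS behaviour, the matching `BuildRequires` is worth checking, which this hunk does not show.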
@@ -146,105 +146,16 @@ Source0: https://releases.pagure.org/389-ds-base/%{name}-%{version}%{?p # 389-ds-git.sh should be used to generate the source tarball from git Source1: %{name}-git.sh Source2: %{name}-devel.README -Patch00: 0000-Ticket-49305-Need-to-wrap-atomic-calls.patch -Patch01: 0001-Ticket-49305-Need-to-wrap-atomic-calls.patch -Patch02: 0002-Ticket-49385-Fix-coverity-warnings.patch -Patch03: 0003-Ticket-49180-errors-log-filled-with-attrlist_replace.patch -Patch04: 0004-Ticket-49388-repl-monitor-matches-null-string-many-t.patch -Patch05: 0005-Ticket-49389-unable-to-retrieve-specific-cosAttribut.patch -Patch06: 0006-Ticket-49320-Activating-already-active-role-returns-.patch -Patch07: 0007-Ticket-48235-Remove-memberOf-global-lock.patch -Patch08: 0008-Ticket-48235-remove-memberof-lock-cherry-pick-error.patch -Patch09: 0009-Ticket-49394-slapi_pblock_get-may-leave-unchanged-th.patch -Patch10: 0010-Ticket-49402-Adding-a-database-entry-with-the-same-d.patch -Patch11: 0011-Ticket-49064-RFE-allow-to-enable-MemberOf-plugin-in-.patch -Patch12: 0012-Ticket-49378-server-init-fails.patch -Patch13: 0013-Ticket-49392-memavailable-not-available.patch -Patch14: 0014-Ticket-48006-Missing-warning-for-invalid-replica-bac.patch -Patch15: 0015-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch -Patch16: 0016-Ticket-49408-Server-allows-to-set-any-nsds5replicaid.patch -Patch17: 0017-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch -Patch18: 0018-Ticket-49374-server-fails-to-start-because-maxdisksi.patch -Patch19: 0019-Ticket-48681-Use-of-uninitialized-value-in-string-ne.patch -Patch20: 0020-Ticket-49401-improve-valueset-sorted-performance-on-.patch -Patch21: 0021-Ticket-49401-Fix-compiler-incompatible-pointer-types.patch -Patch22: 0022-Ticket-48894-harden-valueset_array_to_sorted_quick-v.patch -Patch23: 0023-Ticket-49424-Resolve-csiphash-alignment-issues.patch -Patch24: 0024-Ticket-49436-double-free-in-COS-in-some-conditions.patch -Patch25: 
0025-Ticket-48393-Improve-replication-config-validation.patch -Patch26: 0026-Ticket-49439-cleanallruv-is-not-logging-information.patch -Patch27: 0027-Ticket-48393-fix-copy-and-paste-error.patch -Patch28: 0028-Ticket-49038-remove-legacy-replication-change-cleanu.patch -Patch29: 0029-Ticket-49454-SSL-Client-Authentication-breaks-in-FIP.patch -Patch30: 0030-Ticket-49435-Fix-NS-race-condition-on-loaded-test-sy.patch -Patch31: 0031-Ticket-49410-opened-connection-can-remain-no-longer-.patch -Patch32: 0032-Ticket-49443-scope-one-searches-in-1.3.7-give-incorr.patch -Patch33: 0033-Ticket-49441-Import-crashes-with-large-indexed-binar.patch -Patch34: 0034-Ticket-49441-Import-crashes-oneline-fix.patch -Patch35: 0035-Ticket-49377-Incoming-BER-too-large-with-TLS-on-plai.patch -Patch36: 0036-Ticket-48118-At-startup-changelog-can-be-erronously-.patch -Patch37: 0037-Ticket-48118-fix-compiler-warning-for-incorrect-retu.patch -Patch38: 0038-Ticket-49298-Correct-error-codes-with-config-restore.patch -Patch39: 0039-Ticket-49474-sasl-allow-mechs-does-not-operate-corre.patch -Patch40: 0040-Ticket-49470-overflow-in-pblock_get.patch -Patch41: 0041-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch -Patch42: 0042-Ticket-49298-fix-complier-warn.patch -Patch43: 0043-Ticket-49495-Fix-memory-management-is-vattr.patch -Patch44: 0044-Ticket-48184-close-connections-at-shutdown-cleanly.patch -Patch45: 0045-Ticket-49509-Indexing-of-internationalized-matching-.patch -Patch46: 0046-Ticket-49493-heap-use-after-free-in-csn_as_string.patch -Patch47: 0047-Ticket-49524-Password-policy-minimum-token-length-fa.patch -Patch48: 0048-Ticket-49446-cleanallruv-should-ignore-cleaned-repli.patch -Patch49: 0049-Ticket-49413-Changelog-trimming-ignores-disabled-rep.patch -Patch50: 0050-Ticket-49278-GetEffectiveRights-gives-false-negative.patch -Patch51: 0051-Ticket-49531-coverity-issues-fix-memory-leaks.patch -Patch52: 0052-Ticket-49529-Fix-Coverity-warnings-invalid-deference.patch -Patch53: 
0053-Ticket-49463-After-cleanALLruv-there-is-a-flow-of-ke.patch -Patch54: 0054-Ticket-49532-coverity-issues-fix-compiler-warnings-c.patch -Patch55: 0055-Ticket-49523-memberof-schema-violation-error-message.patch -Patch56: 0056-Ticket-49534-Fix-coverity-issues-and-regression.patch -Patch57: 0057-Ticket-49370-Add-all-the-password-policy-defaults-to.patch -Patch58: 0058-Ticket-49541-repl-config-should-not-allow-rid-65535-.patch -Patch59: 0059-CVE-2017-15134-crash-in-slapi_filter_sprintf.patch -Patch60: 0060-Ticket-49534-Fix-coverity-regression.patch -Patch61: 0061-Ticket-49541-Replica-ID-config-validation-fix.patch -Patch62: 0062-Ticket-49370-Crash-when-using-a-global-and-local-pw.patch -Patch63: 0063-Ticket-49557-Add-config-option-for-checking-CRL-on-o.patch -Patch64: 0064-Ticket-49560-nsslapd-extract-pemfiles-should-be-enab.patch -Patch65: 0065-Ticket-bz1525628-invalid-password-migration-causes-u.patch -Patch66: 0066-Ticket-49545-final-substring-extended-filter-search-.patch -Patch67: 0067-Ticket-49551-v3-correct-handling-of-numsubordinates-.patch -Patch68: 0068-Ticket-49551-fix-memory-leak-found-by-coverity.patch -Patch69: 0069-Ticket-48184-revert-previous-patch-around-nunc-stans.patch -Patch70: 0070-Ticket-49619-adjustment-of-csn_generator-can-fail-so.patch -Patch71: 0071-Ticket-49161-memberof-fails-if-group-is-moved-into-s.patch -Patch72: 0072-Ticket-49296-Fix-race-condition-in-connection-code-w.patch -Patch73: 0073-Ticket-49540-Indexing-task-is-reported-finished-too-.patch -Patch74: 0074-Ticket-49566-ds-replcheck-needs-to-work-with-hidden-.patch -Patch75: 0075-Ticket-49460-replica_write_ruv-log-a-failure-even-wh.patch -Patch76: 0076-Ticket-49631-same-csn-generated-twice.patch -Patch77: 0077-CVE-2018-1089-Crash-from-long-search-filter.patch -Patch78: 0078-Ticket-49649.patch -Patch79: 0079-Ticket-49665-Upgrade-script-doesn-t-enable-PBKDF2-pa.patch -Patch80: 0080-Ticket-49665-Upgrade-script-doesn-t-enable-CRYPT-pas.patch -Patch81: 
0081-Ticket-49671-Readonly-replicas-should-not-write-inte.patch -Patch82: 0082-Ticket-49696-replicated-operations-should-be-seriali.patch -Patch83: 0083-Ticket-48184-clean-up-and-delete-connections-at-shut.patch -Patch84: 0084-Ticket-49576-Update-ds-replcheck-for-new-conflict-en.patch -Patch85: 0085-Ticket-49576-Add-support-of-deletedattribute-in-ds-r.patch -Patch86: 0086-Ticket-49726-DS-only-accepts-RSA-and-Fortezza-cipher.patch -Patch87: 0087-Ticket-48184-clean-up-and-delete-connections-at-shut.patch -Patch88: 0088-Ticket-49736-Hardening-of-active-connection-list.patch -Patch89: 0089-Ticket-49652-DENY-aci-s-are-not-handled-properly.patch -Patch90: 0090-Ticket-49576-ds-replcheck-fix-certificate-directory-.patch -Patch91: 0091-Ticket-49765-Async-operations-can-hang-when-the-serv.patch -Patch92: 0092-Ticket-49765-compiler-warning.patch -Patch93: 0093-Ticket-49893-disable-nunc-stans-by-default.patch -Patch94: 0094-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch -Patch95: 0095-Ticket-49742-Fine-grained-password-policy-can-impact.patch -Patch96: 0096-Bug-1623247-Crash-in-vslapd_log_emergency_error.patch -Patch97: 0097-Ticket-49768-Under-network-intensive-load-persistent.patch -Patch98: 0098-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch +Patch00: 0000-Ticket-49830-Import-fails-if-backend-name-is-default.patch +Patch01: 0001-Ticket-48818-For-a-replica-bindDNGroup-should-be-fet.patch +Patch02: 0002-Ticket-49546-Fix-issues-with-MIB-file.patch +Patch03: 0003-Ticket-49840-ds-replcheck-command-returns-traceback-.patch +Patch04: 0004-Ticket-49893-disable-nunc-stans-by-default.patch +Patch05: 0005-Ticket-49890-ldapsearch-with-server-side-sort-crashe.patch +Patch06: 0006-Bug-1614820-Crash-in-vslapd_log_emergency_error.patch +Patch07: 0007-Ticket-49932-Crash-in-delete_passwdPolicy-when-persi.patch +Patch08: 0008-Bug-1624004-potential-denial-of-service-attack.patch +Patch09: 0009-Bug-1624004-fix-regression-in-empty-attribute-list.patch %description 389 
Directory Server is an LDAPv3 compliant server. The base package includes @@ -267,6 +178,7 @@ BuildRequires: libtevent-devel BuildRequires: systemd-devel %if %{use_asan} Requires: libasan +Requires: llvm %endif @@ -296,7 +208,7 @@ Development Libraries and headers for the 389 Directory Server base package. Summary: SNMP Agent for 389 Directory Server Group: System Environment/Daemons Requires: %{name} = %{version}-%{release} -Obsoletes: %{name} <= 1.3.6.0 +Obsoletes: %{name} <= 1.3.7.10 %description snmp SNMP Agent for the 389 Directory Server base package. @@ -336,7 +248,7 @@ autoreconf -fiv --with-systemdsystemconfdir=%{_sysconfdir}/systemd/system \ --with-perldir=/usr/bin \ --with-systemdgroupname=%{groupname} $NSSARGS \ - --with-systemd $TCMALLOC_FLAGS $ASAN_FLAGS + --with-systemd --enable-cmocka $TCMALLOC_FLAGS $ASAN_FLAGS # Generate symbolic info for debuggers export XCFLAGS=$RPM_OPT_FLAGS @@ -382,10 +294,10 @@ popd # make sure perl scripts have a proper shebang sed -i -e 's|#{{PERL-EXEC}}|#!/usr/bin/perl|' $RPM_BUILD_ROOT%{_datadir}/%{pkgname}/script-templates/template-*.pl -## exclude 32-bit platforms from running tests +# exclude 32-bit platforms from running tests %if %{_arch} != "s390x" && %{_arch} != "s390" && %{_arch} != "i386" && %{_arch} != "ppc" %check -## This checks the code, if it fails it prints why, then re-raises the fail to shortcircuit the rpm build#. +# This checks the code, if it fails it prints why, then re-raises the fail to shortcircuit the rpm build. if ! make DESTDIR="$RPM_BUILD_ROOT" check; then cat ./test-suite.log && false; fi %endif 
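Review bot: The new patch list re-carries four of the last six downstream patches (old 0093, 0094, 0096 and 0098 come back as Patch04 to Patch07) but has no counterpart for `0095-Ticket-49742-Fine-grained-password-policy-can-impact` or `0097-Ticket-49768-Under-network-intensive-load-persistent`, and none of the added changelog entries mentions either. The 49768 change is the connection refcount fix that the removed 1.3.7.5-28 entry describes as a denial of service (Bug 1628676), so it is worth confirming that the 1.3.8.4 tarball already contains it, for instance by checking `connection_threadmain` for the `if (!thread_turbo_flag && !more_data)` guard, and likewise for the dropped CVE patches (old Patch59 and Patch77). The changelog also records the CVE-2018-10871 fix as added in 1.3.8.4-5 and backed out in -6 and -7, and no patch for it appears in the list. A short comment above `Patch00` naming what the rebase absorbed and what is knowingly left out would make this auditable from the spec alone.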
@@ -407,16 +319,15 @@ if [ -n "$DEBUGPOSTTRANS" ] ; then output2=${DEBUGPOSTTRANS}.upgrade fi -# Soft static allocation for UID and GID +# Create dirsrv user and group (if needed) USERNAME="dirsrv" -ALLOCATED_UID=389 GROUPNAME="dirsrv" -ALLOCATED_GID=389 HOMEDIR="/usr/share/dirsrv" - -getent group $GROUPNAME >/dev/null || /usr/sbin/groupadd -f -g $ALLOCATED_GID -r $GROUPNAME +if ! getent group $GROUPNAME >/dev/null ; then + /usr/sbin/groupadd -f -r $GROUPNAME +fi if ! getent passwd $USERNAME >/dev/null ; then - /usr/sbin/useradd -r -u $ALLOCATED_UID -g $GROUPNAME -d $HOMEDIR -s /sbin/nologin -c "user for 389-ds-base" $USERNAME + /usr/sbin/useradd -r -g $GROUPNAME -d $HOMEDIR -s /sbin/nologin -c "user for 389-ds-base" $USERNAME fi # Reload our sysctl before we restart (if we can) @@ -489,7 +400,6 @@ fi %systemd_postun_with_restart %{pkgname}-snmp.service %files -%defattr(-,root,root,-) %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl %dir %{_sysconfdir}/%{pkgname} %dir %{_sysconfdir}/%{pkgname}/schema @@ -564,7 +474,6 @@ fi %exclude %{_unitdir}/%{pkgname}-snmp.service %files devel -%defattr(-,root,root,-) %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel %{_includedir}/%{pkgname} %{_libdir}/%{pkgname}/libslapd.so @@ -576,7 +485,6 @@ fi %{_libdir}/pkgconfig/* %files libs -%defattr(-,root,root,-) %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel %dir %{_libdir}/%{pkgname} %{_libdir}/%{pkgname}/libslapd.so.* @@ -586,7 +494,6 @@ fi %{_libdir}/%{pkgname}/libldaputil.so.* %files snmp -%defattr(-,root,root,-) %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel %config(noreplace)%{_sysconfdir}/%{pkgname}/config/ldap-agent.conf %{_sbindir}/ldap-agent* 
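Review bot: With the fixed `-g $ALLOCATED_GID` and `-u $ALLOCATED_UID` arguments gone, `groupadd -r` and `useradd -r` take whatever system id is free, so `dirsrv` can end up with different numeric ids on different hosts. Instance data restored from a backup or mounted from shared storage is owned by number, so the new comment would help more if it said so, for example `# Create dirsrv user and group (if needed); ids are allocated dynamically, do not assume 389`. The scriptlet starts and ends outside this hunk, so whether later steps still assume the old ids cannot be checked from here.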
@@ -594,64 +501,79 @@ fi %{_unitdir}/%{pkgname}-snmp.service %files tests -%defattr(-,root,root,-) %doc LICENSE LICENSE.GPLv3+ %{_sysconfdir}/%{pkgname}/dirsrvtests %changelog -* Thu Sep 13 2018 Mark Reynolds - 1.3.7.5-28 -- Bump version to 1.3.7.5-28 -- Resolves: Bug 1628676 - 389-ds-base: race condition on reference counter leads to DoS using persistent search -- Resolves: Bug 1628677 - Crash in delete_passwdPolicy when persistent search connections are terminated unexpectedly - -* Wed Aug 29 2018 Mark Reynolds - 1.3.7.5-27 -- Bump version to 1.3.7.5-27 -- Resolves: Bug 1623247 - Crash in vslapd_log_emergency_error - -* Tue Aug 14 2018 Mark Reynolds - 1.3.7.5-26 -- Bump version to 1.3.7.5-26 -- Resolves: Bug 1615924 - Fine grained password policy can impact search performance -- Resolves: Bug 1614836 - Disable nunc-stans by default -- Resolves: Bug 1614861 - ldapsearch with server side sort crashes the ldap server - -* Tue Jul 3 2018 Mark Reynolds - 1.3.7.5-25 -- Bump version to 1.3.7.5-25 -- Resolves: Bug 1597530 - Async operations can hang when the server is running nunc-stans - -* Wed Jun 13 2018 Mark Reynolds - 1.3.7.5-24 -- Bump version to 1.3.7.5-24 -- Resolves: Bug 1580257 - Fix certificate directory verification - -* Fri Jun 1 2018 Mark Reynolds - 1.3.7.5-23 -- Bump version to 1.3.7.5-23 -- Resolves: Bug 1581588 - ACI deny rules do not work correctly -- Resolves: Bug 1582747 - DS only accepts RSA and Fortezza cipher families - -* Mon May 21 2018 Mark Reynolds - 1.3.7.5-22 -- Bump version to 1.3.5.7-22 -- Resolves: Bug 1563079 - adjustment of csn_generator can fail so next generated csn can be equal to the most recent one received -- Resolves: Bug 1579702 - Replication stops working when MemberOf plugin is enabled on hub and consumer -- Resolves: Bug 1579698 - replicated operations should be serialized -- Resolves: Bug 1579700 - Upgrade script doesn't enable PBKDF password storage plug-in -- Resolves: Bug 1580257 - ds-replcheck LDIF comparision fails when 
checking for conflicts -- Resolves: Bug 1580523 - ns-slapd segfaults with ERR - connection_release_nolock_ext - conn=0 fd=0 Attempt to release connection that is not acquired - -* Thu Apr 5 2018 Mark Reynolds - 1.3.7.5-21 -- Bump version to 1.3.7.5-21 -- Resolves: Bug 1559818 - EMBARGOED CVE-2018-1089 389-ds-base: ns-slapd crash via large filter value in ldapsearch - -* Wed Apr 4 2018 Mark Reynolds - 1.3.7.5-20 -- Bump version to 1.3.7.5-20 -- Resolves: Bug 1563079 - adjustment of csn_generator can fail so next generated csn can be equal to the most recent one received -- Resolves: Bug 1559764 - memberof fails if group is moved into scope -- Resolves: Bug 1554720 - "Truncated search results" pop-up appears in user details in WebUI -- Resolves: Bug 1553605 - ipa-server-install fails with Error: Upgrade failed with no such entry -- Resolves: Bug 1559760 - ds-replcheck: add -W option to ask for the password from stdin instead of passing it on command line -- Resolves: Bug 1559464 - replica_write_ruv log a failure even when it succeeds - -* Tue Apr 3 2018 Matus Honek - 1.3.7.5-19 -- Bump version to 1.3.7.5-19 -- Resolves: Bug 1563107 - IPA server is not responding, all authentication and admin tests failed [rhel-7.5.z] +* Wed Sep 19 2018 Mark Reynolds - 1.3.8.4-15 +- Bump version to 1.3.8.4-15 +- Resolves: Bug 1624004 - Fix regression in last patch + +* Tue Sep 18 2018 Mark Reynolds - 1.3.8.4-14 +- Bump version to 1.3.8.4-14 +- Resolves: Bug 1624004 - potential denial of service attack + +* Fri Aug 31 2018 Mark Reynolds - 1.3.8.4-13 +- Bump version to 1.3.8.4-13 +- Resolves: Bug 1623949 - Crash in delete_passwdPolicy when persistent search connections are terminated unexpectedly + +* Thu Aug 23 2018 Mark Reynolds - 1.3.8.4-12 +- Bump version to 1.3.8.4-12 +- Resolves: Bug 1616412 - filter optimization fix causes regression(fix reverted) + +* Thu Aug 23 2018 Mark Reynolds - 1.3.8.4-11 +- Bump version to 1.3.8.4-11 +- Resolves: Bug 1614820 - Server crash through modify 
command with large DN + +* Fri Aug 10 2018 Mark Reynolds - 1.3.8.4-10 +- Bump verison to 1.3.8.4-10 +- Resolves: Bug 1614501 - Disable nunc-stans by default +- Resolves: Bug 1607078 - ldapsearch with server side sort crashes the ldap server + +* Tue Jul 24 2018 Mark Reynolds - 1.3.8.4-9 +- Bump version to 1.3.8.4-9 +- Resolves: Bug 1594484 - setup-ds.pl not able to handle/create the user "dirsrv" if there is an already existing user with the UID/GID 389 on the machine. + +* Mon Jul 23 2018 Mark Reynolds - 1.3.8.4-8 +- Bump version to 1.3.8.4-8 +- Resolves: Bug 1594484 - setup-ds.pl not able to handle/create the user "dirsrv" if there is an already existing user with the UID/GID 389 on the machine. + +* Mon Jul 16 2018 Mark Reynolds - 1.3.8.4-7 +- Bump version to 1.3.8.4-7 +- Resolves: Bug 1595766 - backout this fix for now because it breaks FreeIPA (removed patch file all together) + +* Mon Jul 16 2018 Mark Reynolds - 1.3.8.4-6 +- Bump version to 1.3.8.4-6 +- Resolves: Bug 1595766 - backout this fix for now because it breaks FreeIPA + +* Mon Jul 16 2018 Mark Reynolds - 1.3.8.4-5 +- Bump version to 1.3.8.4-5 +- Resolves: Bug 1595766 - CVE-2018-10871 389-ds-base: replication and the Retro Changelog plugin store plaintext password by default + +* Mon Jul 16 2018 Mark Reynolds - 1.3.8.4-4 +- Bump version to 1.3.8.4-4 +- Resolves: Bug 1597384 - Async operations can hang when the server is running nunc-stans +- Resolves: Bug 1598186 - A search with the scope "one" returns a non-matching entry +- Resolves: Bug 1598718 - import fails if backend name is "default" +- Resolves: Bug 1598478 - If a replica is created with a bindDNGroup, this group is taken into account only after bindDNGroupCheckInterval seconds +- Resolves: Bug 1525256 - Invalid SNMP MIB for 389 DS +- Resolves: Bug 1597518 - ds-replcheck command returns traceback errors against ldif files having garbage content when run in offline mode + +* Mon Jun 25 2018 Mark Reynolds - 1.3.8.4-3 +- Bump version to 1.3.8.4-3 
+- Resolves: Bug 1594484 - setup-ds.pl not able to handle/create the user "dirsrv" if there is an already existing user with the UID/GID 389 on the machine. + +* Mon Jun 25 2018 Mark Reynolds - 1.3.8.4-2 +- Bump version to 1.3.8.4-2 +- Resolves: Bug 1594484 - setup-ds.pl not able to handle/create the user "dirsrv" if there is an already existing user with the UID/GID 389 on the machine. + +* Thu Jun 21 2018 Mark Reynolds - 1.3.8.4-1 +- Bump version to 1.3.8.4-1 +- Resolves: Bug 1560653 - Rebase 389-ds-base in RHEL 7.6 to 1.3.8 + +* Thu May 24 2018 Mark Reynolds - 1.3.8.2-1 +- Bump version to 1.3.8.2-1 +- Resolves: Bug 1560653 - Rebase 389-ds-base in RHEL 7.6 to 1.3.8 * Mon Feb 12 2018 Mark Reynolds - 1.3.7.5-18 - Bump version to 1.3.7.5-18