diff --git a/SOURCES/slapi-nis-delay-sending-responses-from-compat-tree-a.patch b/SOURCES/slapi-nis-delay-sending-responses-from-compat-tree-a.patch new file mode 100644 index 0000000..47a8a7d --- /dev/null +++ b/SOURCES/slapi-nis-delay-sending-responses-from-compat-tree-a.patch @@ -0,0 +1,460 @@ +From 44e8e5f79616fb80edf8af010332c18a628af861 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Thu, 29 Oct 2015 17:34:48 +0100 +Subject: [PATCH 1/2] slapi-nis: delay sending responses from compat tree after + map search + +When slapi-nis plugin responds on a search query, it holds read lock for +the internal structure called 'map cache'. The map cache lock can also be taken +for write when modification would be required like responding to DELETE, ADD, or +MODIFY operations. + +As result of the lock semantics, write lock owner is blocked until all read lock +owners release their locks. This is generally not a problem but when readers sent +out LDAP query results, they call into SLAPI function that might take long time +to send out the data due to external reasons (network latencies, clients being +blocked, etc) and all this time map cache is locked for write operations. + +When Kerberos KDC issues a TGT, it needs to modify few Kerberos-related attributes +in the principal's LDAP entry. These updates are generating MOD operations visible +by slapi-nis plugin which triggers re-scan of map cache to potentially replace +the affected entries. To perform potential replacement, slapi-nis has to take a write +lock and be blocked by outstanding readers. + +Therefore, it is possible to encounter a situation where an LDAP client uses +SASL GSSAPI authentication and existing Kerberos ticket did expire in a course +of outstanding search request. According to LDAPv3 protocol specification, an +LDAP client must perform re-negotiation before reading any outstanding PDUs. It +would ask Kerberos KDC for a new (or renewed) TGT, that would cause MOD updates +for the primary tree which is tracked for changes by slapi-nis. These changes +would be blocked by a slapi-nis reader as the client cannot finish reading +outstanding PDUs yet. + +To solve this problem, we avoid sending LDAP entries while keeping map cache +lock. Instead, we generate a linked list of copies of entries which will be +sent out. To allow sharing of entries between multiple parallel queries, we +hash the entry and reference the cached entry in the linked list with increased +reference count. Once entry is actually sent, its reference count decreased and +on reaching zero it is removed from the hash. + +o solve this problem, we avoid sending LDAP entries while keeping map cache +lock. Instead, we generate a linked list of copies of entries which will be +sent out. To allow sharing of entries between multiple parallel queries, we +hash the entry and reference the cached entry in the linked list with increased +reference count. Once entry is actually sent, its reference count decreased and +on reaching zero it is removed from the hash. + +The entry in the hash table might become outdated. This is detected by comparing +both modifyTimestamp and entryUSN values of the entry to be sent and entry in the +hash table. If new version of the entry is different, hash table's entry reference +is replaced with a new copy. The old entry is not removed because it is still +referenced by some outstanding query processing. Thus, the hash table always +references the most recent version of an entry but there might be multiple copies +in possesion of the linked lists from the separate parallel queries. + +An entry sharing via hash table can be disabled by setting + slapi-entry-cache: 0 +in the definition, cn=Schema Compatibility,cn=plugins,cn=config + +Resolves: rhbz#1273587 + +https://bugzilla.redhat.com/show_bug.cgi?id=1273587 +--- + doc/sch-configuration.txt | 7 ++ + src/back-sch.c | 159 ++++++++++++++++++++++++++++++++++++++++++---- + src/back-sch.h | 20 ++++++ + src/plug-sch.c | 34 ++++++++++ + src/plugin.h | 3 + + 5 files changed, 212 insertions(+), 11 deletions(-) + +diff --git a/doc/sch-configuration.txt b/doc/sch-configuration.txt +index e07a4af..dd8b3c4 100644 +--- a/doc/sch-configuration.txt ++++ b/doc/sch-configuration.txt +@@ -16,6 +16,13 @@ look like this: + nsslapd-version: 0.0 + nsslapd-pluginvendor: redhat.com + nsslapd-plugindescription: Schema Compatibility Plugin ++ slapi-entry-cache: 1 ++ ++The only optional attribute is 'slapi-entry-cache' (default to 1) ++controls whether the plugin should use an entry cache for outstanding ++query requests. The entry cache is an optimization technique to ++help reduce memory pressure during parallel requests. Specify 0 to disable ++an entry cache. + + Configuration for individual sets should be stored in entries directly + beneath the plugin's entry. These attributes are recognized: +diff --git a/src/back-sch.c b/src/back-sch.c +index dd6f92d..b2362d0 100644 +--- a/src/back-sch.c ++++ b/src/back-sch.c +@@ -32,6 +32,7 @@ + + #ifdef HAVE_DIRSRV_SLAPI_PLUGIN_H + #include ++#include + #include + #include + #else +@@ -53,6 +54,9 @@ + #include "map.h" + #include "back-sch.h" + ++static void ++backend_entries_to_return_push(struct backend_search_cbdata *cbdata, Slapi_Entry *e); ++ + #define SCH_CONTAINER_CONFIGURATION_FILTER "(&(" SCH_CONTAINER_CONFIGURATION_GROUP_ATTR "=*)(" SCH_CONTAINER_CONFIGURATION_BASE_ATTR "=*)(" SCH_CONTAINER_CONFIGURATION_FILTER_ATTR "=*)(" SCH_CONTAINER_CONFIGURATION_RDN_ATTR "=*))" + + /* Read the name of the NIS master. A dummy function for the schema +@@ -996,7 +1000,7 @@ backend_search_entry_cb(const char *domain, const char *map, bool_t secure, + void *backend_data, void *cb_data) + { + Slapi_DN *sdn; +- Slapi_Entry *entry; ++ Slapi_Entry *entry = NULL; /* prevent to free an uninitialized entry */ + Slapi_Attr *attr = NULL; + struct backend_search_cbdata *cbdata; + struct backend_entry_data *entry_data; +@@ -1052,8 +1056,7 @@ backend_search_entry_cb(const char *domain, const char *map, bool_t secure, + slapi_entry_delete_string(entry, "objectClass", "ipaOverrideTarget"); + } + #endif +- slapi_send_ldap_search_entry(cbdata->pb, entry, NULL, +- cbdata->attrs, cbdata->attrsonly); ++ backend_entries_to_return_push(cbdata, entry); + cbdata->n_entries++; + + if (entry != entry_data->e) { +@@ -1070,7 +1073,7 @@ backend_search_set_cb(const char *group, const char *set, bool_t flag, + { + struct backend_search_cbdata *cbdata; + struct backend_set_data *set_data; +- Slapi_Entry *set_entry; ++ Slapi_Entry *set_entry = NULL ; /* prevent to free an uninitialized entry */ + int result, n_entries; + int n_entries_without_nsswitch; + const char *ndn; +@@ -1124,12 +1127,11 @@ backend_search_set_cb(const char *group, const char *set, bool_t flag, + set_data->common.group, set_entry); + } + #endif +- slapi_send_ldap_search_entry(cbdata->pb, set_entry, +- NULL, cbdata->attrs, +- cbdata->attrsonly); ++ backend_entries_to_return_push(cbdata, set_entry); + cbdata->n_entries++; + break; + } ++ + slapi_entry_free(set_entry); + } + +@@ -1244,7 +1246,7 @@ backend_search_group_cb(const char *group, void *cb_data) + { + struct backend_search_cbdata *cbdata; + Slapi_DN *group_dn; +- Slapi_Entry *group_entry; ++ Slapi_Entry *group_entry = NULL; /* prevent to free an uninitialized entry */ + int result, n_maps; + + cbdata = cb_data; +@@ -1279,12 +1281,11 @@ backend_search_group_cb(const char *group, void *cb_data) + idview_process_overrides(cbdata, NULL, NULL, group, group_entry); + } + #endif +- slapi_send_ldap_search_entry(cbdata->pb, group_entry, +- NULL, cbdata->attrs, +- cbdata->attrsonly); ++ backend_entries_to_return_push(cbdata, group_entry); + cbdata->n_entries++; + break; + } ++ + slapi_entry_free(group_entry); + } + +@@ -1343,6 +1344,138 @@ backend_sch_scope_as_string(int scope) + return ""; + } + ++/* The entries are pushed (added) at the end of the list ++ * so that they will be send in the head->tail order ++ */ ++static void ++backend_entries_to_return_push(struct backend_search_cbdata *cbdata, Slapi_Entry *e) ++{ ++ struct entries_to_send *e_to_send = NULL; ++ struct cached_entry *entry = NULL; ++ bool_t dont_cache = FALSE; ++ PLHashTable* ht = (PLHashTable*) cbdata->state->cached_entries; ++ ++ if ((cbdata == NULL) || (e == NULL)) return; ++ ++ e_to_send = (struct entries_to_send *) slapi_ch_calloc(1, sizeof(struct entries_to_send)); ++ ++ dont_cache = cbdata->state->use_entry_cache ? FALSE : TRUE; ++ ++ if (!wrap_rwlock_wrlock(cbdata->state->cached_entries_lock)) { ++ entry = PL_HashTableLookup(ht, slapi_entry_get_ndn(e)); ++ if (entry != NULL) { ++ /* There is an entry in the hash table but is it the same? */ ++ char *e_modifyTimestamp = slapi_entry_attr_get_charptr(e, "modifyTimestamp"); ++ char *entry_modifyTimestamp = slapi_entry_attr_get_charptr(entry->entry, "modifyTimestamp"); ++ unsigned long e_usn = slapi_entry_attr_get_ulong(e, "entryUSN"); ++ unsigned long entry_usn = slapi_entry_attr_get_ulong(entry->entry, "entryUSN"); ++ int res = -1; ++ ++ /* Our comparison strategy is following: ++ * - compare modifyTimestamp values first, ++ * - if they are the same (modifyTimestamp in slapi-nis is down to a second precision), ++ * compare entryUSN values if they exist ++ * - default to not using the cached entry to be on safe side if both comparisons don't ++ * give us a definite answer */ ++ if ((e_modifyTimestamp != NULL) && (entry_modifyTimestamp != NULL)) { ++ res = strncmp(e_modifyTimestamp, entry_modifyTimestamp, strlen(e_modifyTimestamp)); ++ } ++ ++ if ((res == 0) && ((e_usn != 0) && (entry_usn != 0))) { ++ res = e_usn != entry_usn ? 1 : 0; ++ } ++ ++ if (res != 0) { ++ /* Cached entry is different, evict it from the hash table */ ++ (void) PL_HashTableRemove(ht, slapi_entry_get_ndn(entry->entry)); ++ ++ /* We don't want to clear the entry because it is still in use by other thread. ++ * Instead, we'll insert new entry into hash table, let the linked list in other ++ * search to remove the entry itself, but mark it as non-cached. */ ++ entry->not_cached = TRUE; ++ entry = NULL; ++ } else { ++ slapi_log_error(SLAPI_LOG_PLUGIN, ++ cbdata->state->plugin_desc->spd_id, ++ "referenced entry [%s], USNs: %ld vs %ld, [%s] vs [%s]\n", ++ slapi_entry_get_ndn(e), e_usn, entry_usn, e_modifyTimestamp, entry_modifyTimestamp); ++ /* It is the same entry, reference it for us */ ++ (void) PR_AtomicIncrement(&entry->refcount); ++ } ++ ++ if (e_modifyTimestamp != NULL) ++ slapi_ch_free_string(&e_modifyTimestamp); ++ if (entry_modifyTimestamp != NULL) ++ slapi_ch_free_string(&entry_modifyTimestamp); ++ } ++ ++ if (entry == NULL) { ++ /* no cached entry for this DN */ ++ entry = (struct cached_entry *) slapi_ch_calloc(1, sizeof(struct cached_entry)); ++ entry->entry = slapi_entry_dup(e); ++ entry->not_cached = FALSE; ++ (void) PR_AtomicSet(&entry->refcount, 1); ++ if ((ht != NULL) && (entry->entry != NULL) && (!dont_cache)) { ++ (void) PL_HashTableAdd(ht, slapi_entry_get_ndn(entry->entry), entry); ++ } ++ } ++ ++ wrap_rwlock_unlock(cbdata->state->cached_entries_lock); ++ } ++ ++ e_to_send->entry = entry; ++ if (cbdata->entries_tail == NULL) { ++ /* First entry in that list */ ++ cbdata->entries_tail = e_to_send; ++ cbdata->entries_head = e_to_send; ++ } else { ++ cbdata->entries_tail->next = e_to_send; ++ cbdata->entries_tail = e_to_send; ++ } ++} ++ ++static void ++backend_send_mapped_entries(struct backend_search_cbdata *cbdata) ++{ ++ struct entries_to_send *e_to_send, *next; ++ PLHashTable* ht = NULL; ++ int i = 0; ++ PRInt32 count; ++ ++ if (cbdata == NULL) return; ++ ht = (PLHashTable*) cbdata->state->cached_entries; ++ ++ /* iterate from head->tail sending the stored entries */ ++ for (e_to_send = cbdata->entries_head, i = 0; e_to_send != NULL; i++) { ++ next = e_to_send->next; ++ if (e_to_send->entry->refcount > 0) { ++ slapi_send_ldap_search_entry(cbdata->pb, e_to_send->entry->entry, NULL, ++ cbdata->attrs, cbdata->attrsonly); ++ ++ /* Clean up entry only if there is no reference to it any more in any outstanding request */ ++ wrap_rwlock_wrlock(cbdata->state->cached_entries_lock); ++ count = PR_AtomicDecrement(&e_to_send->entry->refcount); ++ if (count == 0) { ++ if (!e_to_send->entry->not_cached) { ++ (void) PL_HashTableRemove(ht, slapi_entry_get_ndn(e_to_send->entry->entry)); ++ } ++ /* free this returned entry */ ++ slapi_entry_free(e_to_send->entry->entry); ++ e_to_send->entry->entry = NULL; ++ slapi_ch_free((void **) &e_to_send->entry); ++ e_to_send->entry = NULL; ++ } ++ wrap_rwlock_unlock(cbdata->state->cached_entries_lock); ++ } ++ ++ /* Otherwise only free list item */ ++ slapi_ch_free((void **) &e_to_send); ++ e_to_send = next; ++ } ++ cbdata->entries_head = NULL; ++ cbdata->entries_tail = NULL; ++} ++ + static int + backend_search_cb(Slapi_PBlock *pb) + { +@@ -1443,6 +1576,8 @@ backend_search_cb(Slapi_PBlock *pb) + cbdata.state->plugin_desc->spd_id, + "unable to acquire read lock\n"); + } ++ /* Return existing collected entries */ ++ backend_send_mapped_entries(&cbdata); + wrap_dec_call_level(); + #ifdef USE_NSSWITCH + /* If during search of some sets we staged additional lookups, perform them. */ +@@ -1525,6 +1660,8 @@ backend_search_cb(Slapi_PBlock *pb) + if (map_rdlock() == 0) { + map_data_foreach_domain(cbdata.state, backend_search_group_cb, &cbdata); + map_unlock(); ++ /* Return newly acquired entries */ ++ backend_send_mapped_entries(&cbdata); + } else { + slapi_log_error(SLAPI_LOG_PLUGIN, + cbdata.state->plugin_desc->spd_id, +diff --git a/src/back-sch.h b/src/back-sch.h +index 1aedf36..e8ec400 100644 +--- a/src/back-sch.h ++++ b/src/back-sch.h +@@ -63,6 +63,24 @@ struct backend_staged_search { + Slapi_Entry **entries; + }; + ++/* Entry to be send to clients is cached to allow multiple threads to re-use results. ++ */ ++struct cached_entry { ++ Slapi_Entry *entry; ++ PRInt32 refcount; ++ bool_t not_cached; ++}; ++ ++/* list of entries to actually send, sorted as a linked list ++ * Entries are references to the ones stored in a cache ++ * Before sending them out one needs to refcount the entry ++ */ ++struct entries_to_send { ++ struct entries_to_send *next; ++ struct entries_to_send *prev; ++ struct cached_entry *entry; ++}; ++ + /* Intercept a search request, and if it belongs to one of our compatibility + * trees, answer from our cache before letting the default database have a + * crack at it. */ +@@ -88,6 +106,8 @@ struct backend_search_cbdata { + int n_entries; + struct backend_staged_search *staged; + struct backend_staged_search *cur_staged; ++ struct entries_to_send *entries_head; ++ struct entries_to_send *entries_tail; + }; + + struct backend_search_filter_config { +diff --git a/src/plug-sch.c b/src/plug-sch.c +index 5a6e736..f132e6d 100644 +--- a/src/plug-sch.c ++++ b/src/plug-sch.c +@@ -44,6 +44,7 @@ + + #ifdef HAVE_DIRSRV_SLAPI_PLUGIN_H + #include ++#include + #include + #include + #else +@@ -100,6 +101,7 @@ plugin_startup(Slapi_PBlock *pb) + { + /* Populate the maps and data. */ + struct plugin_state *state; ++ Slapi_Entry *plugin_entry = NULL; + slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &state); + slapi_pblock_get(pb, SLAPI_TARGET_DN, &state->plugin_base); + slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, +@@ -111,12 +113,35 @@ plugin_startup(Slapi_PBlock *pb) + backend_startup(pb, state); + state->pam_lock = wrap_new_rwlock(); + backend_nss_init_context((struct nss_ops_ctx**) &state->nss_context); ++ if ((slapi_pblock_get(pb, SLAPI_PLUGIN_CONFIG_ENTRY, &plugin_entry) == 0) && ++ (plugin_entry != NULL)) { ++ state->use_entry_cache = backend_shr_get_vattr_boolean(state, plugin_entry, ++ "slapi-entry-cache", ++ 1); ++ } ++ state->cached_entries_lock = wrap_new_rwlock(); ++ wrap_rwlock_wrlock(state->cached_entries_lock); ++ state->cached_entries = PL_NewHashTable(0, PL_HashString, PL_CompareStrings, PL_CompareValues, 0, 0); ++ wrap_rwlock_unlock(state->cached_entries_lock); + /* Note that the plugin is ready to go. */ + slapi_log_error(SLAPI_LOG_PLUGIN, plugin_description.spd_id, + "plugin startup completed\n"); + return 0; + } + ++static PRIntn ++remove_cached_entries_cb(PLHashEntry *he, PRIntn i, void *arg) ++{ ++ struct cached_entry *e = (struct cached_entry*) he->value; ++ if (e != NULL) { ++ if (e->entry != NULL) { ++ slapi_entry_free(e->entry); ++ } ++ slapi_ch_free((void **) &e); ++ } ++ return HT_ENUMERATE_REMOVE; ++} ++ + static int + plugin_shutdown(Slapi_PBlock *pb) + { +@@ -126,6 +151,15 @@ plugin_shutdown(Slapi_PBlock *pb) + wrap_free_rwlock(state->pam_lock); + state->pam_lock = NULL; + backend_nss_free_context((struct nss_ops_ctx**) &state->nss_context); ++ if (state->cached_entries != NULL) { ++ wrap_rwlock_wrlock(state->cached_entries_lock); ++ PL_HashTableEnumerateEntries(state->cached_entries, remove_cached_entries_cb, NULL); ++ PL_HashTableDestroy(state->cached_entries); ++ state->cached_entries = NULL; ++ wrap_rwlock_unlock(state->cached_entries_lock); ++ wrap_free_rwlock(state->cached_entries_lock); ++ state->cached_entries_lock = NULL; ++ } + state->plugin_base = NULL; + slapi_log_error(SLAPI_LOG_PLUGIN, state->plugin_desc->spd_id, + "plugin shutdown completed\n"); +diff --git a/src/plugin.h b/src/plugin.h +index 94ad747..429e291 100644 +--- a/src/plugin.h ++++ b/src/plugin.h +@@ -47,6 +47,9 @@ struct plugin_state { + /* Schema compat-specific data. */ + struct wrapped_rwlock *pam_lock; + void *nss_context; ++ int use_entry_cache; ++ void *cached_entries; ++ struct wrapped_rwlock *cached_entries_lock; + }; + + #endif +-- +2.5.0 + diff --git a/SOURCES/slapi-nis-fix-processing-of-ID-views.patch b/SOURCES/slapi-nis-fix-processing-of-ID-views.patch new file mode 100644 index 0000000..bd8a3df --- /dev/null +++ b/SOURCES/slapi-nis-fix-processing-of-ID-views.patch @@ -0,0 +1,92 @@ +From ef773387ede9dc90388fdbc423ceada99aa78e67 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 3 Nov 2015 14:42:05 +0200 +Subject: [PATCH 2/2] slapi-nis: fix processing of ID views + +- ID View processing should only happen if ID view is defined +- When finding attribute with slapi_entry_attr_find() use correct return + code (slapi_entry_attr_exists() returns 1, _find() returns 0) +- cn=,cn=views,cn=compat,$SUFFIX lookup is fixed + +Resolves: rhbz#1277576, rhbz#1265465 + +https://bugzilla.redhat.com/show_bug.cgi?id=1277576 +https://bugzilla.redhat.com/show_bug.cgi?id=1265465 +--- + src/back-sch-idview.c | 2 +- + src/back-sch.c | 32 ++++++++++++++++++++++++-------- + 2 files changed, 25 insertions(+), 9 deletions(-) + +diff --git a/src/back-sch-idview.c b/src/back-sch-idview.c +index 93fbab5..8ffab91 100644 +--- a/src/back-sch-idview.c ++++ b/src/back-sch-idview.c +@@ -175,7 +175,7 @@ idview_process_overrides(struct backend_search_cbdata *cbdata, + /* Replace the attribute's value with the override or + * add an override value if the attribute didn't exist */ + result = slapi_entry_attr_find(entry, override_type, &sattr); +- if (result == 1) { ++ if (result == 0) { + result = slapi_entry_attr_delete(entry, override_type); + } + result = slapi_attr_get_valueset(override_attr, &override_valueset); +diff --git a/src/back-sch.c b/src/back-sch.c +index b2362d0..98542c5 100644 +--- a/src/back-sch.c ++++ b/src/back-sch.c +@@ -1043,17 +1043,21 @@ backend_search_entry_cb(const char *domain, const char *map, bool_t secure, + slapi_sdn_get_ndn(sdn)); + entry = entry_data->e; + #ifdef USE_IPA_IDVIEWS +- entry = slapi_entry_dup(entry_data->e); + if (cbdata->idview != NULL) { +- idview_process_overrides(cbdata, key, map, domain, entry); +- } ++ entry = slapi_entry_dup(entry_data->e); ++ if (entry != NULL) { ++ idview_process_overrides(cbdata, key, map, domain, entry); + +- /* slapi_entry_attr_exists() was introduced only in https://fedorahosted.org/389/ticket/47710 */ +- is_attr_exists = slapi_entry_attr_find(entry, IPA_IDVIEWS_ATTR_ANCHORUUID, &attr) == 0; ++ /* slapi_entry_attr_exists() was introduced only in https://fedorahosted.org/389/ticket/47710 */ ++ is_attr_exists = slapi_entry_attr_find(entry, IPA_IDVIEWS_ATTR_ANCHORUUID, &attr) == 0; + +- if (is_attr_exists == TRUE) { +- slapi_entry_attr_delete(entry, IPA_IDVIEWS_ATTR_ANCHORUUID); +- slapi_entry_delete_string(entry, "objectClass", "ipaOverrideTarget"); ++ if (is_attr_exists == TRUE) { ++ slapi_entry_attr_delete(entry, IPA_IDVIEWS_ATTR_ANCHORUUID); ++ slapi_entry_delete_string(entry, "objectClass", "ipaOverrideTarget"); ++ } ++ } else { ++ entry = entry_data->e; ++ } + } + #endif + backend_entries_to_return_push(cbdata, entry); +@@ -1203,10 +1207,22 @@ static bool_t + backend_search_find_set_dn_cb(const char *group, void *cb_data) + { + struct backend_search_cbdata *cbdata; ++ Slapi_DN *group_dn; + + cbdata = cb_data; ++ ++ /* Check the group itself. */ ++ group_dn = slapi_sdn_new_dn_byval(group); ++ if (slapi_sdn_scope_test(group_dn, cbdata->target_dn, ++ cbdata->scope) == 1) { ++ cbdata->answer = TRUE; ++ slapi_sdn_free(&group_dn); ++ return TRUE; ++ } ++ + map_data_foreach_map(cbdata->state, group, + backend_search_find_set_dn_in_group_cb, cb_data); ++ slapi_sdn_free(&group_dn); + return TRUE; + } + +-- +2.5.0 + diff --git a/SPECS/slapi-nis.spec b/SPECS/slapi-nis.spec index 0260601..140a4f5 100644 --- a/SPECS/slapi-nis.spec +++ b/SPECS/slapi-nis.spec @@ -11,7 +11,7 @@ Name: slapi-nis Version: 0.54 -Release: 5%{?dist} +Release: 6%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server Group: System Environment/Daemons License: GPLv2 @@ -25,6 +25,9 @@ Patch3: slapi-nis-use-libnss_sss.so.2-explicitly.patch Patch4: slapi-nis-nss-make-sure-to-remember-the-length-of-reallocated.patch Patch5: slapi-nis-nss-Make-sure-default-buffer-for-nsswitch-operations-is-.patch Patch6: slapi-nis-don-t-search-in-SSSD-when-memberUid-has-no.patch +Patch7: slapi-nis-delay-sending-responses-from-compat-tree-a.patch +Patch8: slapi-nis-fix-processing-of-ID-views.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: 389-ds-base-devel, %{ldap_impl}-devel BuildRequires: nspr-devel, nss-devel, /usr/bin/rpcgen @@ -69,6 +72,8 @@ for attributes from multiple entries in the tree. %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build %configure --disable-static --with-tcp-wrappers --with-ldap=%{ldap_impl} \ --with-nsswitch --with-pam --with-pam-service=system-auth \ @@ -98,6 +103,12 @@ rm -rf $RPM_BUILD_ROOT %{_sbindir}/nisserver-plugin-defs %changelog +* Fri Nov 13 2015 Alexander Bokovoy - 0.54-6 +- delay sending responses from compat tree after map cache search +- Resolves: #1281748 +- fix processing of ID views +- Resolves: #1281750, #1281752 + * Tue Jul 28 2015 Alexander Bokovoy - 0.54-5 - Don't lookup groups in SSSD for memberUid without @domain - Resolves: #1243823