import 389-ds-base-1.3.1.6-25.el7.src.rpm

This commit is contained in:
CentOS Buildsys 2014-04-03 18:48:11 +01:00
parent ba46c74be3
commit cc3dff99a0
48 changed files with 5716 additions and 3 deletions

@ -0,0 +1,136 @@
From 896091407c244ed151f2fad39a82881a6e991d26 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Tue, 29 Oct 2013 13:47:35 -0600
Subject: [PATCH] Ticket #47605 CVE-2013-4485: DoS due to improper handling of ger attr searches
https://fedorahosted.org/389/ticket/47605
Reviewed by: nhosoi (Thanks!)
Branch: 389-ds-base-1.3.1
Fix Description: The traversal of the attr list looking for GER objectclasses
was modifying the same attribute twice, removing the "@" from it. The second
time, since there was no "@" in the string, the strchr would return NULL, and
the code would not check for it.
The code was simplified and rewritten to use charray_merge_nodup
to build the gerattrs list with unique objectclass values, which I believe was
the intention of the original code. I also added some error checking to look
for invalid attributes like "@name" "name@" and "name@name@name".
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit 7e03702932546e74f0044d11832e7e7e395cbb36)
(cherry picked from commit 12e54af6982ab5406f4bba6a02dd0724a0415501)
(cherry picked from commit 8c5e74b291d08c66e0afbf766f77f955725b9bf4)
---
ldap/servers/slapd/search.c | 79 +++++++++----------------------------------
1 files changed, 16 insertions(+), 63 deletions(-)
diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c
index da1772f..59c4afb 100644
--- a/ldap/servers/slapd/search.c
+++ b/ldap/servers/slapd/search.c
@@ -246,8 +246,6 @@ do_search( Slapi_PBlock *pb )
}
if ( attrs != NULL ) {
- int gerattrsiz = 1;
- int gerattridx = 0;
int aciin = 0;
/*
* . store gerattrs if any
@@ -257,66 +255,25 @@ do_search( Slapi_PBlock *pb )
{
char *p = NULL;
/* check if @<objectclass> is included */
- p = strchr(attrs[i], '@');
- if ( p && '\0' != *(p+1) ) /* don't store "*@", e.g. */
+ p = strchr(attrs[i], '@');
+ if ( p )
{
- int j = 0;
- if (gerattridx + 1 >= gerattrsiz)
+ char *dummyary[2]; /* need a char ** for charray_merge_nodup */
+ if ((*(p + 1) == '\0') || (p == attrs[i]) || (strchr(p+1, '@'))) /* e.g. "foo@" or "@objectclassname" or "foo@bar@baz" */
{
- char **tmpgerattrs;
- gerattrsiz *= 2;
- tmpgerattrs =
- (char **)slapi_ch_calloc(1, gerattrsiz*sizeof(char *));
- if (NULL != gerattrs)
- {
- memcpy(tmpgerattrs, gerattrs, gerattrsiz*sizeof(char *));
- slapi_ch_free((void **)&gerattrs);
- }
- gerattrs = tmpgerattrs;
- }
- for ( j = 0; gerattrs; j++ )
- {
- char *attri = NULL;
- if ( NULL == gerattrs[j] )
- {
- if (0 == j)
- {
- /* first time */
- gerattrs[gerattridx++] = attrs[i];
- /* get rid of "@<objectclass>" part from the attr
- list, which is needed only in gerattr list */
- *p = '\0';
- attri = slapi_ch_strdup(attrs[i]);
- attrs[i] = attri;
- *p = '@';
- }
- else
- {
- break; /* done */
- }
- }
- else if ( 0 == strcasecmp( attrs[i], gerattrs[j] ))
- {
- /* skip if attrs[i] is already in gerattrs */
- continue;
- }
- else
- {
- char *q = strchr(gerattrs[j], '@'); /* q never be 0 */
- if ( 0 != strcasecmp( p+1, q+1 ))
- {
- /* you don't want to display the same template
- entry multiple times */
- gerattrs[gerattridx++] = attrs[i];
- }
- /* get rid of "@<objectclass>" part from the attr
- list, which is needed only in gerattr list */
- *p = '\0';
- attri = slapi_ch_strdup(attrs[i]);
- attrs[i] = attri;
- *p = '@';
- }
+ slapi_log_error( SLAPI_LOG_ARGS, "do_search",
+ "invalid attribute [%s] in list - must be of the form "
+ "attributename@objectclassname where attributename is the "
+ "name of an attribute or \"*\" or \"+\" and objectclassname "
+ "is the name of an objectclass\n", attrs[i] );
+ continue;
}
+ dummyary[0] = p; /* p = @objectclassname */
+ dummyary[1] = NULL;
+ /* copy string to gerattrs with leading @ - disallow dups */
+ charray_merge_nodup(&gerattrs, dummyary, 1);
+ /* null terminate the attribute name at the @ after it has been copied */
+ *p = '\0';
}
else if ( !aciin && strcasecmp(attrs[i], LDAP_ALL_USER_ATTRS) == 0 )
{
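Review bot: In the new validation branch, a malformed value such as "foo@" or "foo@bar@baz" is only logged at SLAPI_LOG_ARGS and skipped with `continue`, so the string stays in attrs[] with its "@" intact and the client gets no indication that the request was malformed. Consider failing the search with a protocol error, or at least logging at a level that is enabled by default so repeated malformed GER requests are visible to operators. It is also worth stating in a comment whether charray_merge_nodup compares case-insensitively, since the removed code used strcasecmp on the objectclass part.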
@@ -324,10 +281,6 @@ do_search( Slapi_PBlock *pb )
aciin = 1;
}
}
- if (NULL != gerattrs)
- {
- gerattrs[gerattridx] = NULL;
- }
if (config_get_return_orig_type_switch()) {
/* return the original type, e.g., "sn (surname)" */
--
1.7.1

@ -0,0 +1,497 @@
From e5cb97a16fa44e6944e234b9cf509ddb614559a3 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 9 Dec 2013 16:57:35 -0500
Subject: [PATCH 52/65] Ticket 47622 - Automember betxnpreoperation -
transaction not aborted when group entry does not exist
Bug Description: If the group defined in the automember plugin does not exist, then any add operation
that should trigger an update, succeeds even though the automember update failed.
Fix Description: Return an error if an automember post operation update fails - previously we always
returned success.
Updated plugin_call_func() to check the result of betxn postop plugins.
Also added return text to the result message when a betxn plugin fails. This is
useful for clients to explain why the operation failed.
https://fedorahosted.org/389/ticket/47622
Jenkins: passed
Valgrind: passed
Coverity: passed
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 1214168a222a35627b2bb9964600fad0246558cd)
(cherry picked from commit 6de4616f2506b4e093429cc1093e4ad21b22e6c9)
---
ldap/servers/plugins/automember/automember.c | 151 ++++++++++++++++++++++-----
ldap/servers/slapd/back-ldbm/ldbm_add.c | 4 +-
ldap/servers/slapd/back-ldbm/ldbm_delete.c | 5 +
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 2 +
ldap/servers/slapd/back-ldbm/ldbm_modrdn.c | 3 +
ldap/servers/slapd/plugin.c | 3 +-
6 files changed, 137 insertions(+), 31 deletions(-)
diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
index c7168cb..3214ea1 100644
--- a/ldap/servers/plugins/automember/automember.c
+++ b/ldap/servers/plugins/automember/automember.c
@@ -103,8 +103,8 @@ static struct automemberRegexRule *automember_parse_regex_rule(char *rule_string
static void automember_free_regex_rule(struct automemberRegexRule *rule);
static int automember_parse_grouping_attr(char *value, char **grouping_attr,
char **grouping_value);
-static void automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileDesc *ldif_fd);
-static void automember_add_member_value(Slapi_Entry *member_e, const char *group_dn,
+static int automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileDesc *ldif_fd);
+static int automember_add_member_value(Slapi_Entry *member_e, const char *group_dn,
char *grouping_attr, char *grouping_value, PRFileDesc *ldif_fd);
const char *fetch_attr(Slapi_Entry *e, const char *attrname, const char *default_val);
@@ -1401,7 +1401,7 @@ automember_parse_grouping_attr(char *value, char **grouping_attr, char **groupin
* Determines which target groups need to be updated according to
* the rules in config, then performs the updates.
*/
-static void
+static int
automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileDesc *ldif_fd)
{
PRCList *rule = NULL;
@@ -1412,10 +1412,11 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD
Slapi_DN *last = NULL;
PRCList *curr_exclusion = NULL;
char **vals = NULL;
+ int rc = 0;
int i = 0;
if (!config || !e) {
- return;
+ return -1;
}
slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
@@ -1555,15 +1556,23 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD
if (PR_CLIST_IS_EMPTY(&targets)) {
/* Add to each default group. */
for (i = 0; config->default_groups && config->default_groups[i]; i++) {
- automember_add_member_value(e, config->default_groups[i],
- config->grouping_attr, config->grouping_value, ldif_fd);
+ if(automember_add_member_value(e, config->default_groups[i], config->grouping_attr,
+ config->grouping_value, ldif_fd))
+ {
+ rc = SLAPI_PLUGIN_FAILURE;
+ goto out;
+ }
}
} else {
/* Update the target groups. */
dnitem = (struct automemberDNListItem *)PR_LIST_HEAD(&targets);
while ((PRCList *)dnitem != &targets) {
- automember_add_member_value(e, slapi_sdn_get_dn(dnitem->dn),
- config->grouping_attr, config->grouping_value, ldif_fd);
+ if(automember_add_member_value(e, slapi_sdn_get_dn(dnitem->dn),config->grouping_attr,
+ config->grouping_value, ldif_fd))
+ {
+ rc = SLAPI_PLUGIN_FAILURE;
+ goto out;
+ }
dnitem = (struct automemberDNListItem *)PR_NEXT_LINK((PRCList *)dnitem);
}
}
@@ -1582,6 +1591,9 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD
slapi_ch_free((void**)&dnitem);
}
+out:
+
+ return rc;
}
/*
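Review bot: The `out:` label sits after the cleanup that ends in `slapi_ch_free((void**)&dnitem);`, so the two new `goto out` paths taken when automember_add_member_value fails skip that cleanup. Move the label above the cleanup, or break out of the loops and fall through, so the list is released on the failure path as well.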
@@ -1589,7 +1601,7 @@ automember_update_membership(struct configEntry *config, Slapi_Entry *e, PRFileD
*
* Adds a member entry to a group.
*/
-static void
+static int
automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, char *grouping_attr,
char *grouping_value, PRFileDesc *ldif_fd)
{
@@ -1600,6 +1612,7 @@ automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, char *g
char *vals[2];
char *member_value = NULL;
int freeit = 0;
+ int rc = 0;
/* If grouping_value is dn, we need to fetch the dn instead. */
if (slapi_attr_type_cmp(grouping_value, "dn", SLAPI_TYPE_CMP_EXACT) == 0) {
@@ -1649,6 +1662,7 @@ automember_add_member_value(Slapi_Entry *member_e, const char *group_dn, char *g
"a \"%s\" value to group \"%s\" (%s).\n",
member_value, grouping_attr, group_dn,
ldap_err2string(result));
+ rc = result;
}
} else {
slapi_log_error(SLAPI_LOG_FATAL, AUTOMEMBER_PLUGIN_SUBSYSTEM,
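Review bot: Only the modify-failure branch gets `rc = result;`. The `else` branch directly below it also logs at SLAPI_LOG_FATAL, yet no added line sets rc there, so that failure still returns 0 and the caller treats the update as successful. Set rc to a non-zero value in that branch too.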
@@ -1662,8 +1676,9 @@ out:
if (freeit) {
slapi_ch_free_string(&member_value);
}
-
slapi_pblock_destroy(mod_pb);
+
+ return rc;
}
@@ -1833,6 +1848,7 @@ automember_add_post_op(Slapi_PBlock *pb)
Slapi_DN *sdn = NULL;
struct configEntry *config = NULL;
PRCList *list = NULL;
+ int rc = SLAPI_PLUGIN_SUCCESS;
slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
"--> automember_add_post_op\n");
@@ -1848,8 +1864,9 @@ automember_add_post_op(Slapi_PBlock *pb)
}
} else {
slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
- "automember_add_post_op: Error "
- "retrieving dn\n");
+ "automember_add_post_op: Error retrieving dn\n");
+
+ rc = SLAPI_PLUGIN_FAILURE;
goto bail;
}
@@ -1863,12 +1880,11 @@ automember_add_post_op(Slapi_PBlock *pb)
if (e) {
/* If the entry is a tombstone, just bail. */
- Slapi_Value *tombstone =
- slapi_value_new_string(SLAPI_ATTR_VALUE_TOMBSTONE);
- int rc = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS,
- tombstone);
+ Slapi_Value *tombstone = slapi_value_new_string(SLAPI_ATTR_VALUE_TOMBSTONE);
+ int is_tombstone = slapi_entry_attr_has_syntax_value(e, SLAPI_ATTR_OBJECTCLASS,
+ tombstone);
slapi_value_free(&tombstone);
- if (rc) {
+ if (is_tombstone) {
return SLAPI_PLUGIN_SUCCESS;
}
@@ -1891,7 +1907,10 @@ automember_add_post_op(Slapi_PBlock *pb)
if (slapi_dn_issuffix(slapi_sdn_get_dn(sdn), config->scope) &&
(slapi_filter_test_simple(e, config->filter) == 0)) {
/* Find out what membership changes are needed and make them. */
- automember_update_membership(config, e, NULL);
+ if(automember_update_membership(config, e, NULL)){
+ rc = SLAPI_PLUGIN_FAILURE;
+ break;
+ }
}
list = PR_NEXT_LINK(list);
@@ -1904,11 +1923,21 @@ automember_add_post_op(Slapi_PBlock *pb)
"automember_add_post_op: Error "
"retrieving post-op entry %s\n", slapi_sdn_get_dn(sdn));
}
+
bail:
slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
- "<-- automember_add_post_op\n");
+ "<-- automember_add_post_op (%d)\n", rc);
- return SLAPI_PLUGIN_SUCCESS;
+ if(rc){
+ char errtxt[SLAPI_DSE_RETURNTEXT_SIZE];
+ int result = LDAP_UNWILLING_TO_PERFORM;
+
+ PR_snprintf(errtxt, SLAPI_DSE_RETURNTEXT_SIZE, "Automember Plugin update unexpectedly failed.\n");
+ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &result);
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, &errtxt);
+ }
+
+ return rc;
}
/*
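Review bot: `errtxt` is a stack array, and its address is handed to `slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, &errtxt);` just before the function returns. Please confirm, and say so in a comment, that the pblock copies the text rather than keeping the pointer, and pass `errtxt` instead of `&errtxt` so the argument has type char *. The message here also lacks the "Please see the server errors log" hint that the modrdn version of this block carries; a shared helper would keep the two in sync.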
@@ -2216,7 +2245,11 @@ void automember_rebuild_task_thread(void *arg){
if (slapi_dn_issuffix(slapi_entry_get_dn(entries[i]), config->scope) &&
(slapi_filter_test_simple(entries[i], config->filter) == 0))
{
- automember_update_membership(config, entries[i], NULL);
+ if(automember_update_membership(config, entries[i], NULL)){
+ result = SLAPI_PLUGIN_FAILURE;
+ automember_config_unlock();
+ goto out;
+ }
}
list = PR_NEXT_LINK(list);
}
@@ -2416,7 +2449,7 @@ void automember_export_task_thread(void *arg){
/* make sure the plugin is still up, as this loop could run for awhile */
if (!g_plugin_started) {
automember_config_unlock();
- result = -1;
+ result = SLAPI_DSE_CALLBACK_ERROR;
goto out;
}
if (!PR_CLIST_IS_EMPTY(g_automember_config)) {
@@ -2426,7 +2459,11 @@ void automember_export_task_thread(void *arg){
if (slapi_dn_issuffix(slapi_sdn_get_dn(td->base_dn), config->scope) &&
(slapi_filter_test_simple(entries[i], config->filter) == 0))
{
- automember_update_membership(config, entries[i], ldif_fd);
+ if(automember_update_membership(config, entries[i], ldif_fd)){
+ result = SLAPI_DSE_CALLBACK_ERROR;
+ automember_config_unlock();
+ goto out;
+ }
}
list = PR_NEXT_LINK(list);
}
@@ -2624,7 +2661,13 @@ void automember_map_task_thread(void *arg){
if (slapi_dn_issuffix(slapi_entry_get_dn_const(e), config->scope) &&
(slapi_filter_test_simple(e, config->filter) == 0))
{
- automember_update_membership(config, e, ldif_fd_out);
+ if(automember_update_membership(config, e, ldif_fd_out)){
+ result = SLAPI_DSE_CALLBACK_ERROR;
+ slapi_entry_free(e);
+ slapi_ch_free_string(&entrystr);
+ automember_config_unlock();
+ goto out;
+ }
}
list = PR_NEXT_LINK(list);
}
@@ -2635,7 +2678,7 @@ void automember_map_task_thread(void *arg){
slapi_task_log_notice(task, "Automember map task, skipping invalid entry.");
slapi_task_log_status(task, "Automember map task, skipping invalid entry.");
}
- slapi_ch_free((void **)&entrystr);
+ slapi_ch_free_string(&entrystr);
}
automember_config_unlock();
@@ -2666,6 +2709,9 @@ automember_modrdn_post_op(Slapi_PBlock *pb)
Slapi_DN *old_sdn = NULL;
Slapi_DN *new_sdn = NULL;
Slapi_Entry *post_e = NULL;
+ struct configEntry *config = NULL;
+ PRCList *list = NULL;
+ int rc = SLAPI_PLUGIN_SUCCESS;
slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
"--> automember_modrdn_post_op\n");
@@ -2684,7 +2730,7 @@ automember_modrdn_post_op(Slapi_PBlock *pb)
slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
"automember_modrdn_post_op: Error "
"retrieving post-op entry\n");
- return 0;
+ return SLAPI_PLUGIN_FAILURE;
}
if ((old_sdn = automember_get_sdn(pb))) {
@@ -2694,11 +2740,58 @@ automember_modrdn_post_op(Slapi_PBlock *pb)
slapi_log_error(SLAPI_LOG_PLUGIN, AUTOMEMBER_PLUGIN_SUBSYSTEM,
"automember_modrdn_post_op: Error "
"retrieving dn\n");
+ return SLAPI_PLUGIN_FAILURE;
}
- slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
- "<-- automember_modrdn_post_op\n");
+ /* If replication, just bail. */
+ if (automember_isrepl(pb)) {
+ return SLAPI_PLUGIN_SUCCESS;
+ }
- return 0;
+ /*
+ * Check if a config entry applies to the entry(post modrdn)
+ */
+ automember_config_read_lock();
+
+ /* Bail out if the plug-in close function was just called. */
+ if (!g_plugin_started) {
+ automember_config_unlock();
+ return SLAPI_PLUGIN_SUCCESS;
+ }
+
+ if (!PR_CLIST_IS_EMPTY(g_automember_config)) {
+ list = PR_LIST_HEAD(g_automember_config);
+ while (list != g_automember_config) {
+ config = (struct configEntry *)list;
+
+ /* Does the entry meet scope and filter requirements? */
+ if (slapi_dn_issuffix(slapi_sdn_get_dn(new_sdn), config->scope) &&
+ (slapi_filter_test_simple(post_e, config->filter) == 0)) {
+ /* Find out what membership changes are needed and make them. */
+ if(automember_update_membership(config, post_e, NULL)){
+ rc = SLAPI_PLUGIN_FAILURE;
+ break;
+ }
+ }
+
+ list = PR_NEXT_LINK(list);
+ }
+ }
+
+ automember_config_unlock();
+
+ if(rc){
+ char errtxt[SLAPI_DSE_RETURNTEXT_SIZE];
+ int result = LDAP_UNWILLING_TO_PERFORM;
+
+ PR_snprintf(errtxt, SLAPI_DSE_RETURNTEXT_SIZE, "Automember Plugin update unexpectedly failed. "
+ "Please see the server errors log for more information.\n");
+ slapi_pblock_set(pb, SLAPI_RESULT_CODE, &result);
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, &errtxt);
+ }
+
+ slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
+ "<-- automember_modrdn_post_op (%d)\n", rc);
+ return rc;
}
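Review bot: The new `return SLAPI_PLUGIN_FAILURE;` after "Error retrieving dn" exits without setting SLAPI_RESULT_CODE or SLAPI_PB_RESULT_TEXT, unlike the `if(rc)` block at the end, and without the "<--" trace line. Set rc and jump to a common exit so that every failure path reports the same way. The hunk also makes modrdn call automember_update_membership for each matching config entry, which the commit message does not mention; that behaviour change deserves a line in the description.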
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
index fa1e9bc..e5b9eeb 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
@@ -357,7 +357,7 @@ ldbm_back_add( Slapi_PBlock *pb )
/* make sure opreturn is set for the postop plugins */
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &rc);
}
-
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
/*
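Review bot: The line `slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);` is repeated before each `goto error_return` touched in ldbm_add.c, ldbm_delete.c, ldbm_modify.c and ldbm_modrdn.c. A small helper that sets the opreturn and fetches the text together would make it harder to miss a call site the next time a plugin hook is added. A comment on who owns the returned string would also help, since ldap_result_message is now assigned from the pblock.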
@@ -795,6 +795,7 @@ ldbm_back_add( Slapi_PBlock *pb )
if (!opreturn) {
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
@@ -1046,6 +1047,7 @@ ldbm_back_add( Slapi_PBlock *pb )
if (!opreturn) {
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
index 6725123..367ab99 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
@@ -325,6 +325,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
if (!opreturn) {
slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &rc );
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
/* the flag could be set in a preop plugin (e.g., USN) */
@@ -354,6 +355,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
ldap_result_code ?
&ldap_result_code : &retval );
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
@@ -603,6 +605,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
ldap_result_code ?
&ldap_result_code : &retval );
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
}
@@ -633,6 +636,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
&ldap_result_code : &rc );
}
/* retval is -1 */
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
slapi_pblock_set( pb, SLAPI_DELETE_BEPREOP_ENTRY, orig_entry );
@@ -1105,6 +1109,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
if (!opreturn) {
slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, &retval );
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index b5bdb41..f3b099d 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -582,6 +582,7 @@ ldbm_back_modify( Slapi_PBlock *pb )
if (!opreturn) {
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
@@ -752,6 +753,7 @@ ldbm_back_modify( Slapi_PBlock *pb )
if (!opreturn) {
slapi_pblock_set(pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval);
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
index 4908751..1162fdb 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c
@@ -466,6 +466,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
if (!opreturn) {
slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &rc );
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
/*
@@ -890,6 +891,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
if (!opreturn) {
slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval );
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
@@ -1130,6 +1132,7 @@ ldbm_back_modrdn( Slapi_PBlock *pb )
if (!opreturn) {
slapi_pblock_set( pb, SLAPI_PLUGIN_OPRETURN, ldap_result_code ? &ldap_result_code : &retval );
}
+ slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
goto error_return;
}
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index 5f66ab2..1ca4dc5 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -1467,7 +1467,8 @@ plugin_call_func (struct slapdplugin *list, int operation, Slapi_PBlock *pb, int
}
else if (SLAPI_PLUGIN_BEPREOPERATION == list->plg_type ||
SLAPI_PLUGIN_BETXNPREOPERATION == list->plg_type ||
- SLAPI_PLUGIN_BEPOSTOPERATION == list->plg_type)
+ SLAPI_PLUGIN_BEPOSTOPERATION == list->plg_type ||
+ SLAPI_PLUGIN_BETXNPOSTOPERATION == list->plg_type )
{
/*
* respect fatal error SLAPI_PLUGIN_FAILURE (-1);
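Review bot: The widened condition applies to every plugin of type SLAPI_PLUGIN_BETXNPOSTOPERATION, not only automember, so any such plugin now falls under the "respect fatal error SLAPI_PLUGIN_FAILURE" handling in this branch. Please audit the return values of the other betxn postop plugins before merging, and describe the new contract in the plugin documentation.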
--
1.8.1.4

@ -0,0 +1,63 @@
From a886214ba26d9b74895269d83de62bd310b7d18c Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 2 Dec 2013 15:08:15 -0500
Subject: [PATCH 53/65] Ticket 47613 - Impossible to configure
nsslapd-allowed-sasl-mechanisms
Bug Description: The design doc says you can use a comma separated list of supported mechanisms,
but in fact this was not supported.
Fix Description: Allow comma separated lists.
https://fedorahosted.org/389/ticket/47613
Reviewed by: richm(Thanks!)
(cherry picked from commit 6200f6812682760cd2a54d6a3bcbb009a0dffe79)
(cherry picked from commit f1461312fc9e221413b19d6babbdf5a886794d10)
---
ldap/servers/slapd/libglobs.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index f8c5b01..b925a2c 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -125,6 +125,7 @@ static int config_set_onoff( const char *attrname, char *value,
int *configvalue, char *errorbuf, int apply );
static int config_set_schemareplace ( const char *attrname, char *value,
char *errorbuf, int apply );
+static void remove_commas(char *str);
/* Keeping the initial values */
/* CONFIG_INT/CONFIG_LONG */
@@ -6764,6 +6765,9 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
return LDAP_SUCCESS;
}
+ /* cyrus sasl doesn't like comma separated lists */
+ remove_commas(value);
+
CFG_LOCK_WRITE(slapdFrontendConfig);
slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
CFG_UNLOCK_WRITE(slapdFrontendConfig);
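Review bot: `remove_commas(value);` rewrites the caller's buffer in place before it is copied. Run it on the slapi_ch_strdup() copy instead, so the attribute value passed in by the caller is left as received.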
@@ -7434,3 +7438,17 @@ slapi_err2string(int result)
#endif
}
+/* replace commas with spaces */
+static void
+remove_commas(char *str)
+{
+ int i;
+
+ for (i = 0; str && str[i]; i++)
+ {
+ if (str[i] == ',')
+ {
+ str[i] = ' ';
+ }
+ }
+}
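Review bot: The name remove_commas does not match what the function does; per its own comment it replaces each comma with a space. Rename it to say so, and note that input such as "A, B" ends up with two consecutive spaces; if the consumer of the list is sensitive to that, collapse the run.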
--
1.8.1.4

@ -0,0 +1,174 @@
From 690fd89fb94621a4cafee1e4064d7e42ceaae6db Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 5 Dec 2013 11:58:56 -0500
Subject: [PATCH 54/65] Ticket 47587 - hard coded limit of 64 masters in
agreement and changelog code
Bug Description: Need to remove hardcoded limit of 64 masters.
Fix Description: Changed the default limit to 256, and then we resize the array
as needed.
https://fedorahosted.org/389/ticket/47587
Reviewed by: richm & tbordaz(Thanks!!)
(cherry picked from commit bae797c94207d15025e763cfea0634f42eeb1210)
(cherry picked from commit 457cd16908071f3faddb021c12c792d22f64ab5c)
---
ldap/servers/plugins/replication/cl5_clcache.c | 22 +++++++++++++++++-----
ldap/servers/plugins/replication/repl5.h | 4 ++--
ldap/servers/plugins/replication/repl5_agmt.c | 18 ++++++++++++++----
3 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/ldap/servers/plugins/replication/cl5_clcache.c b/ldap/servers/plugins/replication/cl5_clcache.c
index 8218312..d86620f 100644
--- a/ldap/servers/plugins/replication/cl5_clcache.c
+++ b/ldap/servers/plugins/replication/cl5_clcache.c
@@ -113,8 +113,9 @@ struct clc_buffer {
CSN *buf_missing_csn; /* used to detect persistent missing of CSN */
/* fields for control the CSN sequence sent to the consumer */
- struct csn_seq_ctrl_block *buf_cscbs [MAX_NUM_OF_MASTERS];
+ struct csn_seq_ctrl_block **buf_cscbs;
int buf_num_cscbs; /* number of csn sequence ctrl blocks */
+ int buf_max_cscbs;
/* fields for debugging stat */
int buf_load_cnt; /* number of loads for session */
@@ -256,12 +257,15 @@ clcache_get_buffer ( CLC_Buffer **buf, DB *db, ReplicaId consumer_rid, const RUV
(*buf)->buf_record_cnt = 0;
(*buf)->buf_record_skipped = 0;
(*buf)->buf_cursor = NULL;
- (*buf)->buf_num_cscbs = 0;
(*buf)->buf_skipped_new_rid = 0;
(*buf)->buf_skipped_csn_gt_cons_maxcsn = 0;
(*buf)->buf_skipped_up_to_date = 0;
(*buf)->buf_skipped_csn_gt_ruv = 0;
(*buf)->buf_skipped_csn_covered = 0;
+ (*buf)->buf_cscbs = (struct csn_seq_ctrl_block **) slapi_ch_calloc(MAX_NUM_OF_MASTERS + 1,
+ sizeof(struct csn_seq_ctrl_block *));
+ (*buf)->buf_num_cscbs = 0;
+ (*buf)->buf_max_cscbs = MAX_NUM_OF_MASTERS;
}
else {
*buf = clcache_new_buffer ( consumer_rid );
@@ -311,7 +315,7 @@ clcache_return_buffer ( CLC_Buffer **buf )
for ( i = 0; i < (*buf)->buf_num_cscbs; i++ ) {
clcache_free_cscb ( &(*buf)->buf_cscbs[i] );
}
- (*buf)->buf_num_cscbs = 0;
+ slapi_ch_free((void **)&(*buf)->buf_cscbs);
if ( (*buf)->buf_cursor ) {
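Review bot: This hunk drops `(*buf)->buf_num_cscbs = 0;` while freeing buf_cscbs, so a returned buffer keeps a non-zero count next to a freed array until clcache_get_buffer resets it. Keep the reset next to the slapi_ch_free call so the two fields never disagree.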
@@ -554,7 +558,7 @@ clcache_refresh_consumer_maxcsns ( CLC_Buffer *buf )
static int
clcache_refresh_local_maxcsn ( const ruv_enum_data *rid_data, void *data )
{
- CLC_Buffer *buf = (CLC_Buffer*) data;
+ struct clc_buffer *buf = (struct clc_buffer*) data;
ReplicaId rid;
int rc = 0;
int i;
@@ -575,7 +579,12 @@ clcache_refresh_local_maxcsn ( const ruv_enum_data *rid_data, void *data )
break;
}
if ( i >= buf->buf_num_cscbs ) {
- buf->buf_cscbs[i] = clcache_new_cscb ();
+ if( i + 1 > buf->buf_max_cscbs){
+ buf->buf_cscbs = (struct csn_seq_ctrl_block **) slapi_ch_realloc((char *)buf->buf_cscbs,
+ (i + 2) * sizeof(struct csn_seq_ctrl_block *));
+ buf->buf_max_cscbs = i + 1;
+ }
+ buf->buf_cscbs[i] = clcache_new_cscb();
if ( buf->buf_cscbs[i] == NULL ) {
return -1;
}
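Review bot: The initial allocations use slapi_ch_calloc with MAX_NUM_OF_MASTERS + 1 zeroed slots, but the growth path reallocs to (i + 2) pointers and assigns only slot i, leaving slot i + 1 uninitialized. If the extra slot is meant as a NULL terminator, set `buf->buf_cscbs[i + 1] = NULL;` after the realloc; if it is not, drop the + 1 from both allocations. Growing by one element per call is also worth replacing with a doubling step.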
@@ -878,6 +887,9 @@ clcache_new_buffer ( ReplicaId consumer_rid )
buf->buf_agmt_name = get_thread_private_agmtname();
buf->buf_consumer_rid = consumer_rid;
buf->buf_num_cscbs = 0;
+ buf->buf_max_cscbs = MAX_NUM_OF_MASTERS;
+ buf->buf_cscbs = (struct csn_seq_ctrl_block **) slapi_ch_calloc(MAX_NUM_OF_MASTERS + 1,
+ sizeof(struct csn_seq_ctrl_block *));
welldone = 1;
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index 5bec1c7..92a9229 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -140,11 +140,11 @@
#define DEFAULT_PROTOCOL_TIMEOUT 120
-/* To Allow Consumer Initialisation when adding an agreement - */
+/* To Allow Consumer Initialization when adding an agreement - */
#define STATE_PERFORMING_TOTAL_UPDATE 501
#define STATE_PERFORMING_INCREMENTAL_UPDATE 502
-#define MAX_NUM_OF_MASTERS 64
+#define MAX_NUM_OF_MASTERS 256
#define REPL_SESSION_ID_SIZE 64
#define REPL_GET_DN(addrp) slapi_sdn_get_dn((addrp)->sdn)
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index b7d107e..90d94f8 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -111,8 +111,9 @@ typedef struct repl5agmt {
const Slapi_RDN *rdn; /* RDN of replication agreement entry */
char *long_name; /* Long name (rdn + host, port) of entry, for logging */
Repl_Protocol *protocol; /* Protocol object - manages protocol */
- struct changecounter *changecounters[MAX_NUM_OF_MASTERS]; /* changes sent/skipped since server start up */
+ struct changecounter **changecounters; /* changes sent/skipped since server start up */
int num_changecounters;
+ int max_changecounters;
time_t last_update_start_time; /* Local start time of last update session */
time_t last_update_end_time; /* Local end time of last update session */
char last_update_status[STATUS_LEN]; /* Status of last update. Format = numeric code <space> textual description */
@@ -435,14 +436,17 @@ agmt_new_from_entry(Slapi_Entry *e)
/* Initialize status information */
ra->last_update_start_time = 0UL;
ra->last_update_end_time = 0UL;
- ra->num_changecounters = 0;
ra->last_update_status[0] = '\0';
ra->update_in_progress = PR_FALSE;
ra->stop_in_progress = PR_FALSE;
ra->last_init_end_time = 0UL;
ra->last_init_start_time = 0UL;
ra->last_init_status[0] = '\0';
-
+ ra->changecounters = (struct changecounter**) slapi_ch_calloc(MAX_NUM_OF_MASTERS + 1,
+ sizeof(struct changecounter *));
+ ra->num_changecounters = 0;
+ ra->max_changecounters = MAX_NUM_OF_MASTERS;
+
/* Fractional attributes */
slapi_entry_attr_find(e, type_nsds5ReplicatedAttributeList, &sattr);
@@ -599,6 +603,7 @@ agmt_delete(void **rap)
{
slapi_ch_free((void **)&ra->changecounters[ra->num_changecounters]);
}
+ slapi_ch_free((void **)&ra->changecounters);
if (ra->agreement_type == REPLICA_TYPE_WINDOWS)
{
@@ -2305,7 +2310,12 @@ agmt_inc_last_update_changecount (Repl_Agmt *ra, ReplicaId rid, int skipped)
}
else
{
- ra->num_changecounters ++;
+ ra->num_changecounters++;
+ if(ra->num_changecounters > ra->max_changecounters){
+ ra->changecounters = (struct changecounter**) slapi_ch_realloc((char *)ra->changecounters,
+ (ra->num_changecounters + 1) * sizeof(struct changecounter*));
+ ra->max_changecounters = ra->num_changecounters;
+ }
ra->changecounters[i] = (struct changecounter*) slapi_ch_calloc(1, sizeof(struct changecounter));
ra->changecounters[i]->rid = rid;
if ( skipped )
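Review bot: The array is now a heap pointer that slapi_ch_realloc can move, where it used to be embedded in struct repl5agmt, and num_changecounters is incremented before the resize. Any reader that walks ra->changecounters without holding the same lock as this function can now follow a stale pointer; please state in a comment which lock protects the array. The slot past the new element is also left uninitialized after the realloc, unlike the zeroed initial allocation.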
--
1.8.1.4

@ -0,0 +1,51 @@
From ef2f198a69dcd707c8101ab1e31b8360ac27c952 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 18 Nov 2013 12:49:48 -0500
Subject: [PATCH 55/65] Ticket 47597 - Convert retro changelog plug-in to betxn
Retro cl plugin is already betxn aware. The template and 20betxn.pl script
needed to be updated to reflect the new default.
https://fedorahosted.org/389/ticket/47597
Reviewed by: richm(Thanks!)
(cherry picked from commit 3dca85ec629be641f07ae2ecfef59609d4dc88e2)
(cherry picked from commit 229d270428dc4cfabd7d367444f1c0b10a60ef87)
---
ldap/admin/src/scripts/20betxn.pl | 4 +++-
ldap/ldif/template-dse.ldif.in | 1 +
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/ldap/admin/src/scripts/20betxn.pl b/ldap/admin/src/scripts/20betxn.pl
index 2c56707..6f9b5e1 100644
--- a/ldap/admin/src/scripts/20betxn.pl
+++ b/ldap/admin/src/scripts/20betxn.pl
@@ -12,10 +12,12 @@ sub runinst {
# cn=Multimaster Replication Plugin
# cn=Roles Plugin,cn=plugins,cn=config
# cn=USN,cn=plugins,cn=config
+ # cn=Retro Changelog Plugin,cn=plugins,cn=config
my @objplugins = (
"cn=Multimaster Replication Plugin,cn=plugins,cn=config",
"cn=Roles Plugin,cn=plugins,cn=config",
- "cn=USN,cn=plugins,cn=config"
+ "cn=USN,cn=plugins,cn=config",
+ "cn=Retro Changelog Plugin,cn=plugins,cn=config"
);
foreach my $plugin (@objplugins) {
my $ent = $conn->search($plugin, "base", "(cn=*)");
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 95ed60c..12df7b6 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -557,6 +557,7 @@ cn: Retro Changelog Plugin
nsslapd-pluginpath: libretrocl-plugin
nsslapd-plugininitfunc: retrocl_plugin_init
nsslapd-plugintype: object
+nsslapd-pluginbetxn: on
nsslapd-pluginenabled: off
nsslapd-pluginprecedence: 25
nsslapd-plugin-depends-on-type: database
--
1.8.1.4

@ -0,0 +1,153 @@
From 88315fddb145da4d3d0601d020c61b25aed66366 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 19 Nov 2013 09:45:03 -0500
Subject: [PATCH 56/65] Ticket 47598 - Convert ldbm_back_seq code to be
transaction aware
Description: Attempt to retrieve the transaction, and pass it to the db
functions, and id2entry. Also did a little code cleanup.
https://fedorahosted.org/389/ticket/47598
Reviewed by: richm(Thanks!)
(cherry picked from commit 50272119bbff52c5d9b6ce5d7302aef763aa96ec)
(cherry picked from commit da9fed74c2a04dc45b4354f436e70020bcbd7cd2)
---
ldap/servers/slapd/back-ldbm/seq.c | 61 +++++++++++++++++++++-----------------
1 file changed, 34 insertions(+), 27 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/seq.c b/ldap/servers/slapd/back-ldbm/seq.c
index ab473bd..27da2a4 100644
--- a/ldap/servers/slapd/back-ldbm/seq.c
+++ b/ldap/servers/slapd/back-ldbm/seq.c
@@ -68,20 +68,21 @@
int
ldbm_back_seq( Slapi_PBlock *pb )
{
- backend *be;
- ldbm_instance *inst;
- struct ldbminfo *li;
- IDList *idl = NULL;
- int err = LDAP_SUCCESS;
- DB *db;
- DBC *dbc = NULL;
- int type;
- char *attrname, *val;
- int isroot;
+ backend *be;
+ ldbm_instance *inst;
+ struct ldbminfo *li;
+ IDList *idl = NULL;
+ back_txn txn = {NULL};
struct attrinfo *ai = NULL;
+ DB *db;
+ DBC *dbc = NULL;
+ char *attrname, *val;
+ int err = LDAP_SUCCESS;
int return_value = -1;
- int nentries = 0;
- int retry_count=0;
+ int nentries = 0;
+ int retry_count = 0;
+ int isroot;
+ int type;
/* Decode arguments */
slapi_pblock_get( pb, SLAPI_BACKEND, &be);
@@ -90,9 +91,15 @@ ldbm_back_seq( Slapi_PBlock *pb )
slapi_pblock_get( pb, SLAPI_SEQ_ATTRNAME, &attrname );
slapi_pblock_get( pb, SLAPI_SEQ_VAL, &val );
slapi_pblock_get( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
+ slapi_pblock_get( pb, SLAPI_TXN, &txn.back_txn_txn );
inst = (ldbm_instance *) be->be_instance_info;
+ if ( !txn.back_txn_txn ) {
+ dblayer_txn_init( li, &txn );
+ slapi_pblock_set( pb, SLAPI_TXN, txn.back_txn_txn );
+ }
+
/* Validate arguments */
if ( type != SLAPI_SEQ_FIRST &&
type != SLAPI_SEQ_LAST &&
@@ -114,7 +121,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
LDAPDebug( LDAP_DEBUG_TRACE,
"seq: caller specified un-indexed attribute %s\n",
attrname ? attrname : "", 0, 0 );
- slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+ slapi_send_ldap_result( pb, LDAP_UNWILLING_TO_PERFORM, NULL,
"Unindexed seq access type", 0, NULL );
return -1;
}
@@ -123,13 +130,13 @@ ldbm_back_seq( Slapi_PBlock *pb )
LDAPDebug( LDAP_DEBUG_ANY,
"<= ldbm_back_seq NULL (could not open index file for attribute %s)\n",
attrname, 0, 0 );
- slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
+ slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
return -1;
}
/* First, get a database cursor */
- return_value = db->cursor(db,NULL,&dbc,0);
+ return_value = db->cursor(db, txn.back_txn_txn, &dbc, 0);
if (0 == return_value)
{
@@ -160,7 +167,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
big_buffer = slapi_ch_malloc(key_length);
if (NULL == big_buffer) {
/* memory allocation failure */
- dblayer_release_index_file( be, ai, db );
+ dblayer_release_index_file( be, ai, db );
return -1;
}
key.data = big_buffer;
@@ -234,24 +241,24 @@ ldbm_back_seq( Slapi_PBlock *pb )
/* Retrieve the idlist for this key */
key.flags = 0;
for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) {
- err = NEW_IDL_DEFAULT;
- idl = idl_fetch( be, db, &key, NULL, ai, &err );
- if(err == DB_LOCK_DEADLOCK) {
- ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
+ err = NEW_IDL_DEFAULT;
+ idl = idl_fetch( be, db, &key, txn.back_txn_txn, ai, &err );
+ if(err == DB_LOCK_DEADLOCK) {
+ ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
#ifdef FIX_TXN_DEADLOCKS
#error if txn != NULL, have to retry the entire transaction
#endif
- continue;
- } else {
- break;
- }
+ continue;
+ } else {
+ break;
+ }
}
}
}
if(retry_count == IDL_FETCH_RETRY_COUNT) {
- ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err);
+ ldbm_nasty("ldbm_back_seq retry count exceeded",1645,err);
} else if ( err != 0 && err != DB_NOTFOUND ) {
- ldbm_nasty("ldbm_back_seq database error", 1650, err);
+ ldbm_nasty("ldbm_back_seq database error", 1650, err);
}
slapi_ch_free( &(data.data) );
if ( key.data != little_buffer && key.data != &keystring ) {
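Review bot: the DB_LOCK_DEADLOCK branch in this retry loop still does a bare `continue` and calls idl_fetch again, but idl_fetch now receives txn.back_txn_txn instead of NULL. That is the case the `#error if txn != NULL, have to retry the entire transaction` guard inside the loop warns about. When a caller-supplied transaction is present, I would expect the deadlock to be returned to the caller so the enclosing transaction can be aborted and retried, rather than retried in place up to IDL_FETCH_RETRY_COUNT times. The functional change is also buried among whitespace-only re-indentation in the same hunk, which makes it easy to miss; consider splitting the cleanup into its own commit.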
@@ -272,7 +279,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
for ( id = idl_firstid( idl ); id != NOID;
id = idl_nextid( idl, id ))
{
- if (( e = id2entry( be, id, NULL, &err )) == NULL )
+ if (( e = id2entry( be, id, &txn, &err )) == NULL )
{
if ( err != LDAP_SUCCESS )
{
--
1.8.1.4

View file

@ -0,0 +1,213 @@
From a111165bab37e74bcaa76b1ba6182549a785361d Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 20 Nov 2013 09:08:50 -0500
Subject: [PATCH 57/65] Ticket 47599 - Reduce lock scope in retro changelog
plug-in
Description: Use RW locks for protecting the change numbers.
We still need to do the locking in retrocl_po.c as we need to
serialize the actual updates.
https://fedorahosted.org/389/ticket/47599
Reviewed by: richm(Thanks!!)
(cherry picked from commit e2c42bced86bac235ac56ae98eed303f61ebd15e)
(cherry picked from commit 03f6347eb72d3cbb49ae33312f32df9f91a2fd4c)
---
ldap/servers/plugins/retrocl/retrocl.c | 3 ++-
ldap/servers/plugins/retrocl/retrocl.h | 1 +
ldap/servers/plugins/retrocl/retrocl_cn.c | 42 +++++++++++++++++++++----------
ldap/servers/plugins/retrocl/retrocl_po.c | 2 +-
4 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
index 90c3455..3e426a7 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -465,7 +465,8 @@ retrocl_plugin_init(Slapi_PBlock *pb)
if (!is_betxn) {
rc= slapi_register_plugin_ext("internalpostoperation", 1 /* Enabled */, "retrocl_internalpostop_init", retrocl_internalpostop_init, "Retrocl internal postoperation plugin", NULL, identity, precedence);
}
-
+ retrocl_cn_lock = slapi_new_rwlock();
+ if(retrocl_cn_lock == NULL) return -1;
retrocl_internal_lock = PR_NewLock();
if (retrocl_internal_lock == NULL) return -1;
}
diff --git a/ldap/servers/plugins/retrocl/retrocl.h b/ldap/servers/plugins/retrocl/retrocl.h
index 276912b..bfebe2e 100644
--- a/ldap/servers/plugins/retrocl/retrocl.h
+++ b/ldap/servers/plugins/retrocl/retrocl.h
@@ -130,6 +130,7 @@ extern const char *attr_nsuniqueid;
extern const char *attr_isreplicated;
extern PRLock *retrocl_internal_lock;
+extern Slapi_RWLock *retrocl_cn_lock;
/* Functions */
diff --git a/ldap/servers/plugins/retrocl/retrocl_cn.c b/ldap/servers/plugins/retrocl/retrocl_cn.c
index d2b15a4..f816730 100644
--- a/ldap/servers/plugins/retrocl/retrocl_cn.c
+++ b/ldap/servers/plugins/retrocl/retrocl_cn.c
@@ -163,8 +163,9 @@ int retrocl_get_changenumbers(void)
NULL,NULL,0,&cr,NULL,handle_cnum_result,
handle_cnum_entry, NULL);
- retrocl_first_cn = cr.cr_cnum;
+ slapi_rwlock_wrlock(retrocl_cn_lock);
+ retrocl_first_cn = cr.cr_cnum;
slapi_ch_free(( void **) &cr.cr_time );
slapi_seq_callback(RETROCL_CHANGELOG_DN,SLAPI_SEQ_LAST,
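Review bot: the write lock is taken before `retrocl_first_cn = cr.cr_cnum;` and is then held across the following slapi_seq_callback(RETROCL_CHANGELOG_DN, SLAPI_SEQ_LAST, ...) call, being released only in the next hunk. That keeps every reader of the change numbers blocked for the duration of an internal backend operation, which works against the stated goal of reducing lock scope. Suggest running both seq callbacks into local variables first and taking the write lock only around the two assignments to retrocl_first_cn and retrocl_internal_cn.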
@@ -178,6 +179,8 @@ int retrocl_get_changenumbers(void)
retrocl_first_cn,
retrocl_internal_cn);
+ slapi_rwlock_unlock(retrocl_cn_lock);
+
slapi_ch_free(( void **) &cr.cr_time );
return 0;
@@ -238,10 +241,10 @@ time_t retrocl_getchangetime( int type, int *err )
void retrocl_forget_changenumbers(void)
{
- PR_Lock(retrocl_internal_lock);
+ slapi_rwlock_wrlock(retrocl_cn_lock);
retrocl_first_cn = 0;
retrocl_internal_cn = 0;
- PR_Unlock(retrocl_internal_lock);
+ slapi_rwlock_unlock(retrocl_cn_lock);
}
/*
@@ -258,9 +261,11 @@ void retrocl_forget_changenumbers(void)
changeNumber retrocl_get_first_changenumber(void)
{
changeNumber cn;
- PR_Lock(retrocl_internal_lock);
+
+ slapi_rwlock_rdlock(retrocl_cn_lock);
cn = retrocl_first_cn;
- PR_Unlock(retrocl_internal_lock);
+ slapi_rwlock_unlock(retrocl_cn_lock);
+
return cn;
}
@@ -277,9 +282,9 @@ changeNumber retrocl_get_first_changenumber(void)
void retrocl_set_first_changenumber(changeNumber cn)
{
- PR_Lock(retrocl_internal_lock);
+ slapi_rwlock_wrlock(retrocl_cn_lock);
retrocl_first_cn = cn;
- PR_Unlock(retrocl_internal_lock);
+ slapi_rwlock_unlock(retrocl_cn_lock);
}
@@ -297,9 +302,11 @@ void retrocl_set_first_changenumber(changeNumber cn)
changeNumber retrocl_get_last_changenumber(void)
{
changeNumber cn;
- PR_Lock(retrocl_internal_lock);
+
+ slapi_rwlock_rdlock(retrocl_cn_lock);
cn = retrocl_internal_cn;
- PR_Unlock(retrocl_internal_lock);
+ slapi_rwlock_unlock(retrocl_cn_lock);
+
return cn;
}
@@ -316,9 +323,11 @@ changeNumber retrocl_get_last_changenumber(void)
void retrocl_commit_changenumber(void)
{
+ slapi_rwlock_wrlock(retrocl_cn_lock);
if ( retrocl_first_cn == 0) {
retrocl_first_cn = retrocl_internal_cn;
}
+ slapi_rwlock_unlock(retrocl_cn_lock);
}
/*
@@ -333,8 +342,10 @@ void retrocl_commit_changenumber(void)
*/
void retrocl_release_changenumber(void)
-{
+{
+ slapi_rwlock_wrlock(retrocl_cn_lock);
retrocl_internal_cn--;
+ slapi_rwlock_unlock(retrocl_cn_lock);
}
/*
@@ -342,7 +353,7 @@ void retrocl_release_changenumber(void)
*
* Returns: 0/-1
*
- * Arguments: none
+ * Arguments: none. The caller should have taken write lock for the change numbers
*
* Description: reads the last entry in the changelog to obtain
* the last change number.
@@ -355,6 +366,7 @@ int retrocl_update_lastchangenumber(void)
if (retrocl_be_changelog == NULL) return -1;
+ slapi_rwlock_unlock(retrocl_cn_lock);
cr.cr_cnum = 0;
cr.cr_time = 0;
slapi_seq_callback(RETROCL_CHANGELOG_DN,SLAPI_SEQ_LAST,
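Review bot: `slapi_rwlock_unlock(retrocl_cn_lock);` in retrocl_update_lastchangenumber releases a lock this function never acquired, so it is only correct if every caller holds the write lock, and that contract lives solely in the header comment. Between this unlock and the `slapi_rwlock_wrlock` in the next hunk another thread can change retrocl_internal_cn or retrocl_first_cn, so the `retrocl_internal_cn <= retrocl_first_cn` test in retrocl_assign_changenumber may be stale by the time the increment runs. Suggest either re-checking the condition after the lock is re-taken, or having the caller drop and re-take the lock itself so that acquire and release are paired in one function.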
@@ -362,7 +374,7 @@ int retrocl_update_lastchangenumber(void)
NULL,NULL,0,&cr,NULL,handle_cnum_result,
handle_cnum_entry, NULL);
-
+ slapi_rwlock_wrlock(retrocl_cn_lock);
retrocl_internal_cn = cr.cr_cnum;
slapi_log_error(SLAPI_LOG_PLUGIN,"retrocl","Refetched last changenumber = %lu \n",
retrocl_internal_cn);
@@ -394,6 +406,8 @@ changeNumber retrocl_assign_changenumber(void)
* validity of the internal assignment of retrocl_internal_cn
* we had from the startup */
+ slapi_rwlock_wrlock(retrocl_cn_lock);
+
if(retrocl_internal_cn <= retrocl_first_cn){
/* the numbers have become out of sync - retrocl_get_changenumbers
* gets called only once during startup and it may have had a problem
@@ -404,8 +418,10 @@ changeNumber retrocl_assign_changenumber(void)
*/
retrocl_update_lastchangenumber();
}
-
retrocl_internal_cn++;
cn = retrocl_internal_cn;
+
+ slapi_rwlock_unlock(retrocl_cn_lock);
+
return cn;
}
diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
index 382c98a..cd290f2 100644
--- a/ldap/servers/plugins/retrocl/retrocl_po.c
+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
@@ -372,7 +372,7 @@ write_replog_db(
retrocl_release_changenumber();
} else {
/* Tell the change numbering system this one's committed to disk */
- retrocl_commit_changenumber( );
+ retrocl_commit_changenumber();
}
} else {
slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
--
1.8.1.4

View file

@ -0,0 +1,33 @@
From 6a670438877eecc6b75407e548dbb51bb849a9ff Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Fri, 22 Nov 2013 16:51:55 -0700
Subject: [PATCH 58/65] Ticket 47599 - Reduce lock scope in retro changelog
plug-in
Description: Forgot to add definition of retrocl_cn_lock
https://fedorahosted.org/389/ticket/47599
Reviewed by: richm(Thanks!!)
(cherry picked from commit b330876a1bccd93a8e906ac56a10c002c981ecfc)
(cherry picked from commit f4d5900579c773e5cf4b69eaeba6104078512ab0)
(cherry picked from commit b19239fdca5c00865471acfd5ffc8502c66b914a)
---
ldap/servers/plugins/retrocl/retrocl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
index 3e426a7..528434e 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -77,6 +77,7 @@ void* g_plg_identity [PLUGIN_MAX];
Slapi_Backend *retrocl_be_changelog = NULL;
PRLock *retrocl_internal_lock = NULL;
+Slapi_RWLock *retrocl_cn_lock;
int retrocl_nattributes = 0;
char **retrocl_attributes = NULL;
char **retrocl_aliases = NULL;
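Review bot: `Slapi_RWLock *retrocl_cn_lock;` is the only global in this group without an explicit `= NULL` initializer; retrocl_be_changelog and retrocl_internal_lock directly above both have one. The value is zero-initialized either way, so this is a style point, but matching the neighbouring declarations makes the intent obvious. It is also worth noting in the commit message that the previous patch could not link without this definition, so the two should be applied together.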
--
1.8.1.4

View file

@ -0,0 +1,32 @@
From bda97e4f914e18d9d7b2de9b0e9bdc4014c73855 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 25 Nov 2013 09:36:25 -0500
Subject: [PATCH 59/65] Ticket 47599 - fix memory leak
Coverity 12410
https://fedorahosted.org/389/ticket/47599
Reviewed by: richm(Thanks!)
(cherry picked from commit a16bf1b3c4ff0412c2481baace9b427750c11f8c)
(cherry picked from commit c7e7c68ea4779601ec4896b1d90f3b6d347f047f)
(cherry picked from commit 08dc37dc832e1ce78d27012a60b1691dba2f6501)
---
ldap/servers/slapd/back-ldbm/seq.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ldap/servers/slapd/back-ldbm/seq.c b/ldap/servers/slapd/back-ldbm/seq.c
index 27da2a4..10484fd 100644
--- a/ldap/servers/slapd/back-ldbm/seq.c
+++ b/ldap/servers/slapd/back-ldbm/seq.c
@@ -242,6 +242,7 @@ ldbm_back_seq( Slapi_PBlock *pb )
key.flags = 0;
for (retry_count = 0; retry_count < IDL_FETCH_RETRY_COUNT; retry_count++) {
err = NEW_IDL_DEFAULT;
+ idl_free(idl);
idl = idl_fetch( be, db, &key, txn.back_txn_txn, ai, &err );
if(err == DB_LOCK_DEADLOCK) {
ldbm_nasty("ldbm_back_seq deadlock retry", 1600, err);
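Review bot: `idl_free(idl);` at the top of the loop body runs on the first iteration too, where idl is still the NULL it was initialized to at the top of ldbm_back_seq, so the fix depends on idl_free accepting a NULL argument. The leak only arises when idl_fetch has returned a list and the loop goes round again on DB_LOCK_DEADLOCK, so freeing in that branch just before `continue` (and setting idl back to NULL there) would target the leak directly and would not rely on NULL handling in the callee. If the current placement is kept, a one-line comment saying that the NULL case is intentional would help the next reader.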
--
1.8.1.4

View file

@ -0,0 +1,117 @@
From 7b257e2f72ac674025f894ec5fdcc2eaca34b0a2 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Fri, 15 Nov 2013 10:24:26 -0700
Subject: [PATCH 60/65] Ticket #47596 attrcrypt fails to find unlocked key
https://fedorahosted.org/389/ticket/47596
Reviewed by: nkinder (Thanks!)
Branch: 389-ds-base-1.3.1
Fix Description: There should always be a pre-authenticated slot/token that
has the servers cert and key. Just loop through all of the slots that the
server's cert is found on, and use the first one that is authenticated.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit b1fad4e35c0f963bf4678a2ed9a068dbe4fb159c)
(cherry picked from commit cf091de4ae70ad8d683ff33c57e75e58ff900502)
(cherry picked from commit 92b46296c0b4ab9aa436ae09bca95832e2276c6e)
---
ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 2 +-
ldap/servers/slapd/proto-slap.h | 1 +
ldap/servers/slapd/ssl.c | 58 +++++++++++++++++++++++++++
3 files changed, 60 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
index 09cce9b..f4a5d1a 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c
@@ -425,7 +425,7 @@ attrcrypt_fetch_private_key(SECKEYPrivateKey **private_key)
LDAPDebug(LDAP_DEBUG_ANY,"Can't find certificate %s in attrcrypt_fetch_private_key: %d - %s\n", cert_name, errorCode, slapd_pr_strerror(errorCode));
}
if( cert != NULL ) {
- key = slapd_pk11_findKeyByAnyCert(cert, NULL);
+ key = slapd_get_unlocked_key_for_cert(cert, NULL);
}
if (key == NULL) {
errorCode = PR_GetError();
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 4c1dab9..39c1f54 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -1012,6 +1012,7 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS);
int slapd_security_library_is_initialized();
int slapd_ssl_listener_is_initialized();
int slapd_SSL_client_auth (LDAP* ld);
+SECKEYPrivateKey *slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg);
/*
* security_wrappers.c
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index f515b8e..8b80acb 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1577,3 +1577,61 @@ char* slapd_get_tmp_dir()
#endif
return ( tmpdir );
}
+
+SECKEYPrivateKey *
+slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg)
+{
+ SECKEYPrivateKey *key = NULL;
+ PK11SlotListElement *sle;
+ PK11SlotList *slotlist = PK11_GetAllSlotsForCert(cert, NULL);
+ const char *certsubject = cert->subjectName ? cert->subjectName : "unknown cert";
+
+ if (!slotlist) {
+ PRErrorCode errcode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
+ "Error: cannot get slot list for certificate [%s] (%d: %s)\n",
+ certsubject, errcode, slapd_pr_strerror(errcode));
+ return key;
+ }
+
+ for (sle = slotlist->head; sle; sle = sle->next) {
+ PK11SlotInfo *slot = sle->slot;
+ const char *slotname = (slot && PK11_GetSlotName(slot)) ? PK11_GetSlotName(slot) : "unknown slot";
+ const char *tokenname = (slot && PK11_GetTokenName(slot)) ? PK11_GetTokenName(slot) : "unknown token";
+ if (!slot) {
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Missing slot for slot list element for certificate [%s]\n",
+ certsubject);
+ } else if (PK11_IsLoggedIn(slot, pin_arg)) {
+ key = PK11_FindKeyByDERCert(slot, cert, pin_arg);
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Found unlocked slot [%s] token [%s] for certificate [%s]\n",
+ slotname, tokenname, certsubject);
+ break;
+ } else {
+ slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
+ "Skipping locked slot [%s] token [%s] for certificate [%s]\n",
+ slotname, tokenname, certsubject);
+ }
+ }
+
+ if (!key) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
+ "Error: could not find any unlocked slots for certificate [%s]. "
+ "Please review your TLS/SSL configuration. The following slots were found:\n",
+ certsubject);
+ for (sle = slotlist->head; sle; sle = sle->next) {
+ PK11SlotInfo *slot = sle->slot;
+ const char *slotname = (slot && PK11_GetSlotName(slot)) ? PK11_GetSlotName(slot) : "unknown slot";
+ const char *tokenname = (slot && PK11_GetTokenName(slot)) ? PK11_GetTokenName(slot) : "unknown token";
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
+ "Slot [%s] token [%s] was locked.\n",
+ slotname, tokenname);
+ }
+
+ }
+
+ PK11_FreeSlotList(slotlist);
+ return key;
+}
+
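Review bot: in the first loop of slapd_get_unlocked_key_for_cert, the result of `key = PK11_FindKeyByDERCert(slot, cert, pin_arg);` is not checked before the "Found unlocked slot" message is logged and the loop breaks. If the lookup fails on the first logged-in slot, the remaining slots are never tried, and the `if (!key)` block then reports every slot as "was locked", which is misleading for the slot that was in fact unlocked. Suggest breaking only when key is non-NULL, logging the lookup failure otherwise, and wording the final summary so it distinguishes locked slots from slots where the key was not found. Separately, PK11_GetAllSlotsForCert is called with NULL while the rest of the function threads pin_arg through; passing pin_arg there would be more consistent.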
--
1.8.1.4

View file

@ -0,0 +1,39 @@
From 13dee95761221c2849523acf3276242416a7a01a Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Tue, 26 Nov 2013 08:14:07 -0700
Subject: [PATCH 61/65] Ticket #47596 attrcrypt fails to find unlocked key
https://fedorahosted.org/389/ticket/47596
Reviewed by: nkinder (Thanks!)
Branch: 389-ds-base-1.3.1
Fix Description: Additional fix to the previous fix. As it turns out, the
function PK11_IsLoggedIn() only returns true if the slot has been unlocked
with a pin or password. If the slot does not need a login at all, because
the cert/key db has no password, PK11_IsLoggedIn will return false. The code
must check for PK11_NeedLogin too.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit e66c4cecc47eff659a72a51c1e1722fb41c1dfbc)
(cherry picked from commit f608a943745e51fe4b5dbfb18bada2e2d13e0d6a)
(cherry picked from commit 5d2a20b4881d5374a9088ed1504b2d7e753976bb)
---
ldap/servers/slapd/ssl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 8b80acb..61809aa 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1602,7 +1602,7 @@ slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg)
slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
"Missing slot for slot list element for certificate [%s]\n",
certsubject);
- } else if (PK11_IsLoggedIn(slot, pin_arg)) {
+ } else if (!PK11_NeedLogin(slot) || PK11_IsLoggedIn(slot, pin_arg)) {
key = PK11_FindKeyByDERCert(slot, cert, pin_arg);
slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
"Found unlocked slot [%s] token [%s] for certificate [%s]\n",
--
1.8.1.4

View file

@ -0,0 +1,113 @@
From 5edce023ae5977bebfdfd05ad21febc51c5b428b Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Tue, 26 Nov 2013 09:15:53 +0100
Subject: [PATCH 62/65] Ticket 47591 - entries with empty objectclass attribute
value can be hidden
Bug Description: The problem is that for the empty value
objectClass;vdcsn-5283b8e0000000c80000;deleted
it is compared to "ldapsubentry" and "nstombstone"
'if (PL_strncasecmp(type.bv_val,"tombstone",0)'
and with length 0, this is always true.
Fix Description: add a check bv_len >= strlen(valuetocompare)
or bv_len == strlen(valuetocompare)
define constants for lengths
https://fedorahosted.org/389/ticket/47591
Reviewed by: richm, thanks
(cherry picked from commit 6b47eb4f54ff1e0a8b9c4aa9f3e6c3c3d958fd56)
---
ldap/servers/slapd/entry.c | 15 ++++++++-------
ldap/servers/slapd/slapi-plugin.h | 15 ++++++++++++++-
2 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index e0248c8..60e1dfe 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -340,7 +340,7 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
rawdn = NULL; /* Set once in the loop.
This won't affect the caller's passed address. */
}
- if ( PL_strncasecmp( type.bv_val, "dn", type.bv_len ) == 0 ) {
+ if ( type.bv_len == SLAPI_ATTR_DN_LENGTH && PL_strncasecmp( type.bv_val, SLAPI_ATTR_DN, type.bv_len ) == 0 ) {
if ( slapi_entry_get_dn_const(e)!=NULL ) {
char ebuf[ BUFSIZ ];
LDAPDebug( LDAP_DEBUG_TRACE,
@@ -376,7 +376,7 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
continue;
}
- if ( PL_strncasecmp( type.bv_val, "rdn", type.bv_len ) == 0 ) {
+ if ( type.bv_len == SLAPI_ATTR_RDN_LENGTH && PL_strncasecmp( type.bv_val, SLAPI_ATTR_RDN, type.bv_len ) == 0 ) {
if ( NULL == slapi_entry_get_rdn_const( e )) {
slapi_entry_set_rdn( e, value.bv_val );
}
@@ -387,13 +387,13 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
/* If SLAPI_STR2ENTRY_NO_ENTRYDN is set, skip entrydn */
if ( (flags & SLAPI_STR2ENTRY_NO_ENTRYDN) &&
- PL_strncasecmp( type.bv_val, "entrydn", type.bv_len ) == 0 ) {
+ type.bv_len == SLAPI_ATTR_ENTRYDN_LENGTH && PL_strncasecmp( type.bv_val, SLAPI_ATTR_ENTRYDN, type.bv_len ) == 0 ) {
if (freeval) slapi_ch_free_string(&value.bv_val);
continue;
}
/* retrieve uniqueid */
- if ( PL_strncasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID, type.bv_len) == 0 ){
+ if ( type.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH && PL_strncasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID, type.bv_len) == 0 ){
if (e->e_uniqueid != NULL){
LDAPDebug (LDAP_DEBUG_TRACE,
@@ -411,10 +411,11 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
continue;
}
- if (PL_strncasecmp(type.bv_val,"objectclass",type.bv_len) == 0) {
- if (PL_strncasecmp(value.bv_val,"ldapsubentry",value.bv_len) == 0)
+ if (value_state == VALUE_PRESENT && type.bv_len >= SLAPI_ATTR_OBJECTCLASS_LENGTH
+ && PL_strncasecmp(type.bv_val, SLAPI_ATTR_OBJECTCLASS, type.bv_len) == 0) {
+ if (value.bv_len >= SLAPI_ATTR_VALUE_SUBENTRY_LENGTH && PL_strncasecmp(value.bv_val,SLAPI_ATTR_VALUE_SUBENTRY,value.bv_len) == 0)
e->e_flags |= SLAPI_ENTRY_LDAPSUBENTRY;
- if (PL_strncasecmp(value.bv_val, SLAPI_ATTR_VALUE_TOMBSTONE,value.bv_len) == 0)
+ if (value.bv_len >= SLAPI_ATTR_VALUE_TOMBSTONE_LENGTH && PL_strncasecmp(value.bv_val, SLAPI_ATTR_VALUE_TOMBSTONE,value.bv_len) == 0)
e->e_flags |= SLAPI_ENTRY_FLAG_TOMBSTONE;
}
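Review bot: the length guards in the objectclass branch use `>=` (`type.bv_len >= SLAPI_ATTR_OBJECTCLASS_LENGTH`, `value.bv_len >= SLAPI_ATTR_VALUE_SUBENTRY_LENGTH`, `value.bv_len >= SLAPI_ATTR_VALUE_TOMBSTONE_LENGTH`), while the dn, rdn, entrydn and uniqueid checks in the earlier hunks use `==`. Because PL_strncasecmp is still given bv_len as the count, a longer input runs past the end of the constant and compares unequal at its terminating NUL, so `>=` behaves the same as `==` here and only reads as if prefix matches were intended. Suggest using `==` throughout, or, if prefix matching of something like `objectclass;option` really is wanted, passing the constant's length as the count and saying so in a comment. The added `value_state == VALUE_PRESENT` condition is the part that addresses the deleted-value case from the bug description and deserves a short comment as well.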
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index d456af8..d8cfe33 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -395,9 +395,22 @@ NSPR_API(PRUint32) PR_fprintf(struct PRFileDesc* fd, const char *fmt, ...)
#define SLAPI_ATTR_OBJECTCLASS "objectclass"
#define SLAPI_ATTR_VALUE_TOMBSTONE "nsTombstone"
#define SLAPI_ATTR_VALUE_PARENT_UNIQUEID "nsParentUniqueID"
+#define SLAPI_ATTR_VALUE_SUBENTRY "ldapsubentry"
#define SLAPI_ATTR_NSCP_ENTRYDN "nscpEntryDN"
#define SLAPI_ATTR_ENTRYUSN "entryusn"
-#define SLAPI_ATTR_ENTRYDN "entrydn"
+#define SLAPI_ATTR_ENTRYDN "entrydn"
+#define SLAPI_ATTR_DN "dn"
+#define SLAPI_ATTR_RDN "rdn"
+#define SLAPI_ATTR_UNIQUEID_LENGTH 10
+#define SLAPI_ATTR_OBJECTCLASS_LENGTH 11
+#define SLAPI_ATTR_VALUE_TOMBSTONE_LENGTH 11
+#define SLAPI_ATTR_VALUE_PARENT_UNIQUEID_LENGTH 16
+#define SLAPI_ATTR_VALUE_SUBENTRY_LENGTH 12
+#define SLAPI_ATTR_NSCP_ENTRYDN_LENGTH 11
+#define SLAPI_ATTR_ENTRYUSN_LENGTH 8
+#define SLAPI_ATTR_ENTRYDN_LENGTH 7
+#define SLAPI_ATTR_DN_LENGTH 2
+#define SLAPI_ATTR_RDN_LENGTH 3
/* opaque structures */
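Review bot: the new `*_LENGTH` macros are hand-counted literals that sit apart from the strings they describe, and SLAPI_ATTR_UNIQUEID_LENGTH refers to a string that is not defined in this hunk at all. Since the fix in entry.c now depends on these numbers being exactly right, a later edit to one of the strings would silently reintroduce a mismatch. Suggest deriving each length from its string, for example `#define SLAPI_ATTR_DN_LENGTH (sizeof(SLAPI_ATTR_DN) - 1)`, so the two cannot drift. This hunk also re-indents SLAPI_ATTR_ENTRYDN with no content change, which adds noise to a public header diff.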
--
1.8.1.4

View file

@ -0,0 +1,106 @@
From 58b738e455355344acbfcac556600b2e19ade1a3 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 2 Dec 2013 17:13:55 -0500
Subject: [PATCH 63/65] Ticket 47614 - Possible to specify invalid SASL
mechanism in nsslapd-allowed-sasl-mechanisms
Bug Description: Invalid values could be specified in the allowed sasl mechanisms configuration
attribute. These values are directly passed to the sasl library.
Fix Description: Follow RFR 4422, only allow upto 20 characters that are ASCII upper-case letters,
digits, hyphens, or underscores.
https://fedorahosted.org/389/ticket/47614
Reviewed by: richm(Thanks!)
(cherry picked from commit 7e8a5fc7183f7c08212bfb746ea8c5ceedee0132)
(cherry picked from commit f00321f892545d59e07c1a944936153660640e47)
---
ldap/servers/slapd/libglobs.c | 60 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index b925a2c..a763135 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -126,6 +126,7 @@ static int config_set_onoff( const char *attrname, char *value,
static int config_set_schemareplace ( const char *attrname, char *value,
char *errorbuf, int apply );
static void remove_commas(char *str);
+static int invalid_sasl_mech(char *str);
/* Keeping the initial values */
/* CONFIG_INT/CONFIG_LONG */
@@ -6768,6 +6769,13 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
/* cyrus sasl doesn't like comma separated lists */
remove_commas(value);
+ if(invalid_sasl_mech(value)){
+ LDAPDebug(LDAP_DEBUG_ANY,"Invalid value/character for sasl mechanism (%s). Use ASCII "
+ "characters, upto 20 characters, that are upper-case letters, "
+ "digits, hyphens, or underscores\n", value, 0, 0);
+ return LDAP_UNWILLING_TO_PERFORM;
+ }
+
CFG_LOCK_WRITE(slapdFrontendConfig);
slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
CFG_UNLOCK_WRITE(slapdFrontendConfig);
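Review bot: when invalid_sasl_mech(value) rejects the input, the reason is written only to the server error log through LDAPDebug, and the errorbuf parameter of config_set_allowed_sasl_mechs is left untouched, so the client receives LDAP_UNWILLING_TO_PERFORM with no explanation. Suggest also formatting the message into errorbuf so an administrator modifying nsslapd-allowed-sasl-mechanisms sees why the value was refused. Note as well that the check runs after remove_commas(value) has already rewritten the caller's string in place, so a rejected value is still returned to the caller modified; validating a copy or validating first would avoid that. Minor: "upto" in the message should be "up to".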
@@ -7452,3 +7460,55 @@ remove_commas(char *str)
}
}
}
+
+/*
+ * Check the SASL mechanism values
+ *
+ * As per RFC 4422:
+ * SASL mechanisms are named by character strings, from 1 to 20
+ * characters in length, consisting of ASCII [ASCII] uppercase letters,
+ * digits, hyphens, and/or underscores.
+ */
+static int
+invalid_sasl_mech(char *str)
+{
+ char *mech = NULL, *token = NULL, *next = NULL;
+ int i;
+
+ if(str == NULL){
+ return 0;
+ }
+
+ /*
+ * Check the length for each mechanism
+ */
+ token = slapi_ch_strdup(str);
+ for (mech = ldap_utf8strtok_r(token, " ", &next); mech;
+ mech = ldap_utf8strtok_r(NULL, " ", &next))
+ {
+ if(strlen(mech) == 0 || strlen(mech) > 20){
+ /* invalid length */
+ slapi_ch_free_string(&token);
+ return 1;
+ }
+ }
+ slapi_ch_free_string(&token);
+
+ /*
+ * Check the individual characters
+ */
+ for (i = 0; str[i]; i++){
+ if ( ((int)str[i] < 48 || (int)str[i] > 57) && /* not a digit */
+ ((int)str[i] < 65 || (int)str[i] > 90) && /* not upper case */
+ (int)str[i] != 32 && /* not a space (between mechanisms) */
+ (int)str[i] != 45 && /* not a hyphen */
+ (int)str[i] != 95 ) /* not an underscore */
+ {
+ /* invalid character */
+ return 1;
+ }
+ }
+
+ /* Mechanism value is valid */
+ return 0;
+}
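Review bot: in invalid_sasl_mech the `strlen(mech) == 0` test inside the token loop can never be true if ldap_utf8strtok_r follows strtok_r semantics and skips runs of separators, so an empty string or a value consisting only of spaces produces no tokens, passes the character loop, and is reported as valid. If an empty list is meant to be accepted (for example to clear the restriction), say so in the comment; if not, count the tokens and reject zero. The character test would read better with character literals such as `'0'`, `'9'`, `'A'`, `'Z'`, `'-'` and `'_'` instead of the decimal codes 48, 57, 65, 90, 45 and 95, and the two passes could be merged into one loop that tracks the current mechanism length, which removes the slapi_ch_strdup copy.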
--
1.8.1.4

View file

@ -0,0 +1,54 @@
From 2429e72646b1bb30f8566b59dd370eb2ff1ac131 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 27 Nov 2013 10:58:43 -0500
Subject: [PATCH 64/65] Ticket 47592 - automember plugin task memory leaks
The search pblock was not destroyed at the end of the export and rebuild
tasks.
https://fedorahosted.org/389/ticket/47592
Reviewed by: richm(Thanks!)
(cherry picked from commit 085c6d494f90231f2e572a668ab601c321bffb01)
(cherry picked from commit c9c7d545a987f8f52c9752ba1181d1885b74480c)
---
ldap/servers/plugins/automember/automember.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
index 3214ea1..cfea69d 100644
--- a/ldap/servers/plugins/automember/automember.c
+++ b/ldap/servers/plugins/automember/automember.c
@@ -2256,7 +2256,6 @@ void automember_rebuild_task_thread(void *arg){
}
}
automember_config_unlock();
- slapi_free_search_results_internal(search_pb);
out:
if (plugin_is_betxn && fixup_pb) {
@@ -2267,6 +2266,8 @@ out:
}
slapi_pblock_destroy(fixup_pb);
}
+ slapi_free_search_results_internal(search_pb);
+ slapi_pblock_destroy(search_pb);
if(result){
/* error */
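Review bot: moving `slapi_free_search_results_internal(search_pb);` and the new `slapi_pblock_destroy(search_pb);` below the `out:` label means they now run on every exit path of automember_rebuild_task_thread, including any `goto out` taken before the search was issued. That is only safe if search_pb is initialized to NULL at declaration, or allocated before the first jump, and if both calls tolerate a NULL or never-searched pblock; none of that is visible in this hunk. Please confirm the declaration and add a NULL guard if needed. The same applies to the matching change in automember_export_task_thread in the next hunk.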
@@ -2470,9 +2471,11 @@ void automember_export_task_thread(void *arg){
}
}
automember_config_unlock();
- slapi_free_search_results_internal(search_pb);
out:
+ slapi_free_search_results_internal(search_pb);
+ slapi_pblock_destroy(search_pb);
+
if(ldif_fd){
PR_Close(ldif_fd);
}
--
1.8.1.4

View file

@ -0,0 +1,563 @@
From 39af2e9e98c895c5145090865d5ab7cde6cc12fd Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 6 Dec 2013 16:57:41 -0500
Subject: [PATCH 65/65] Ticket 47620 - 389-ds rejects
nsds5ReplicaProtocolTimeout attribute
Bug Description: Attempting to add/modify/delete nsds5ReplicaProtocolTimeout
results in an error 53 (unwilling to perform).
Fix Description: Allow nsds5ReplicaProtocolTimeout to be updated in agreements
and the replica configuration. Also, made the config timeout
setting dynamic.
https://fedorahosted.org/389/ticket/47620
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 58fca2c4e4f2120cb6e5fb249008be8f551e944c)
(cherry picked from commit 490360fd96121d06fa8813e182b44d045257be98)
---
ldap/servers/plugins/replication/repl5.h | 12 +++--
ldap/servers/plugins/replication/repl5_agmt.c | 54 ++++++++++++++++------
ldap/servers/plugins/replication/repl5_agmtlist.c | 27 +++++++++--
.../plugins/replication/repl5_inc_protocol.c | 23 +++++++--
.../plugins/replication/repl5_prot_private.h | 1 -
ldap/servers/plugins/replication/repl5_protocol.c | 13 ++----
ldap/servers/plugins/replication/repl5_replica.c | 54 ++++++++++++++--------
.../plugins/replication/repl5_replica_config.c | 25 +++++++++-
.../plugins/replication/repl5_tot_protocol.c | 17 +++++--
9 files changed, 169 insertions(+), 57 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index 92a9229..321a285 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -386,9 +386,15 @@ char **agmt_get_attrs_to_strip(Repl_Agmt *ra);
int agmt_set_attrs_to_strip(Repl_Agmt *ra, Slapi_Entry *e);
int agmt_set_timeout(Repl_Agmt *ra, long timeout);
void agmt_update_done(Repl_Agmt *ra, int is_total);
-int agmt_get_protocol_timeout(Repl_Agmt *agmt);
typedef struct replica Replica;
+PRUint64 agmt_get_protocol_timeout(Repl_Agmt *agmt);
+void agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout);
+void agmt_update_maxcsn(Replica *r, Slapi_DN *sdn, int op, LDAPMod **mods, CSN *csn);
+void add_agmt_maxcsns(Slapi_Entry *e, Replica *r);
+void agmt_set_maxcsn(Repl_Agmt *ra);
+void agmt_remove_maxcsn(Repl_Agmt *ra);
+int agmt_maxcsn_to_smod (Replica *r, Slapi_Mod *smod);
/* In repl5_agmtlist.c */
int agmtlist_config_init();
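Review bot: this hunk adds prototypes for agmt_update_maxcsn, add_agmt_maxcsns, agmt_set_maxcsn, agmt_remove_maxcsn and agmt_maxcsn_to_smod, none of which relate to nsds5ReplicaProtocolTimeout, the only subject of the commit message. They look like they came along from a different change during the cherry-pick. If their definitions are not part of this series the declarations are dead and should be dropped; if they are, the commit message should mention them. The return type change of agmt_get_protocol_timeout from int to PRUint64 is an interface change for every caller and also deserves a line in the description.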
@@ -494,7 +500,6 @@ void prot_notify_window_opened (Repl_Protocol *rp);
void prot_notify_window_closed (Repl_Protocol *rp);
Object *prot_get_replica_object(Repl_Protocol *rp);
void prot_replicate_now(Repl_Protocol *rp);
-int prot_get_timeout(Repl_Protocol *rp);
Repl_Protocol *agmt_get_protocol(Repl_Agmt *ra);
@@ -591,7 +596,8 @@ char *replica_get_dn(Replica *r);
void replica_check_for_tasks(Replica*r, Slapi_Entry *e);
void replica_update_state (time_t when, void *arg);
void replica_reset_csn_pl(Replica *r);
-int replica_get_protocol_timeout(Replica *r);
+PRUint64 replica_get_protocol_timeout(Replica *r);
+void replica_set_protocol_timeout(Replica *r, PRUint64 timeout);
int replica_get_backoff_min(Replica *r);
int replica_get_backoff_max(Replica *r);
void replica_set_backoff_min(Replica *r, int min);
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index 90d94f8..b0da172 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -142,7 +142,9 @@ typedef struct repl5agmt {
char **attrs_to_strip; /* for fractional replication, if a "mod" is empty, strip out these attributes:
* modifiersname, modifytimestamp, internalModifiersname, internalModifyTimestamp, etc */
int agreement_type;
- PRUint64 protocol_timeout;
+ Slapi_Counter *protocol_timeout;
+ char *maxcsn; /* agmt max csn */
+ Slapi_RWLock *attr_lock; /* RW lock for all the stripped attrs */
} repl5agmt;
/* Forward declarations */
@@ -265,6 +267,14 @@ agmt_new_from_entry(Slapi_Entry *e)
slapi_entry_get_dn_const(e));
goto loser;
}
+ if ((ra->attr_lock = slapi_new_rwlock()) == NULL)
+ {
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "Unable to create new attr lock "
+ "for replication agreement \"%s\" - agreement ignored.\n",
+ slapi_entry_get_dn_const(e));
+ goto loser;
+ }
+ ra->protocol_timeout = slapi_counter_new();
/* Find all the stuff we need for the agreement */
@@ -338,19 +348,14 @@ agmt_new_from_entry(Slapi_Entry *e)
tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaRoot);
if (NULL != tmpstr)
{
+ PRUint64 ptimeout = 0;
+
ra->replarea = slapi_sdn_new_dn_passin(tmpstr);
/* If this agmt has its own timeout, grab it, otherwise use the replica's protocol timeout */
- ra->protocol_timeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
- if(ra->protocol_timeout == 0){
- /* grab the replica protocol timeout */
- Object *replobj = replica_get_replica_from_dn(ra->replarea);
- if(replobj){
- Replica *replica =(Replica*)object_get_data (replobj);
- ra->protocol_timeout = replica_get_protocol_timeout(replica);
- } else {
- ra->protocol_timeout = DEFAULT_PROTOCOL_TIMEOUT;
- }
+ ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
+ if(ptimeout){
+ slapi_counter_set_value(ra->protocol_timeout, ptimeout);
}
}
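Review bot: The new `if(ptimeout)` test in agmt_new_from_entry accepts negative values, because the signed result of `slapi_entry_attr_get_int()` is first stored in `PRUint64 ptimeout`. A configured value of -1 turns into a very large unsigned timeout and is written to the counter, while `_replica_init_from_config` in this same patch reads the attribute into an `int` and treats `<= 0` as unset. Read into a signed local here as well and call `slapi_counter_set_value()` only when the value is greater than zero.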
@@ -613,6 +618,17 @@ agmt_delete(void **rap)
if(ra->attrs_to_strip){
slapi_ch_array_free(ra->attrs_to_strip);
}
+ if(ra->maxcsn){
+ slapi_ch_free_string(&ra->maxcsn);
+ }
+ schedule_destroy(ra->schedule);
+ slapi_ch_free_string(&ra->long_name);
+
+ slapi_counter_destroy(&ra->protocol_timeout);
+
+ /* free the locks */
+ PR_DestroyLock(ra->lock);
+ slapi_destroy_rwlock(ra->attr_lock);
schedule_destroy(ra->schedule);
slapi_ch_free((void **)&ra->long_name);
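Review bot: agmt_delete now releases the schedule and the long name twice: the added lines call `schedule_destroy(ra->schedule)` and `slapi_ch_free_string(&ra->long_name)`, and the unchanged lines right after them call `schedule_destroy(ra->schedule)` and `slapi_ch_free((void **)&ra->long_name)` again. `ra->schedule` is passed by value, so the second call receives the same pointer that was just destroyed, and it runs after the locks have been destroyed. Keep only one of the two pairs so each resource is released exactly once.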
@@ -2663,9 +2679,21 @@ agmt_update_done(Repl_Agmt *agmt, int is_total)
windows_update_done(agmt, is_total);
}
-int
+PRUint64
agmt_get_protocol_timeout(Repl_Agmt *agmt)
{
- return (int)agmt->protocol_timeout;
+ if(agmt){
+ return slapi_counter_get_value(agmt->protocol_timeout);
+ } else {
+ return 0;
+ }
+}
+
+void
+agmt_set_protocol_timeout(Repl_Agmt *agmt, PRUint64 timeout)
+{
+ if(agmt){
+ slapi_counter_set_value(agmt->protocol_timeout, timeout);
+ }
}
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index 1167b0c..04891b7 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -209,6 +209,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
LDAPMod **mods;
char buff [SLAPI_DSE_RETURNTEXT_SIZE];
char *errortext = returntext ? returntext : buff;
+ char *val = NULL;
int rc = SLAPI_DSE_CALLBACK_OK;
Slapi_Operation *op;
void *identity;
@@ -243,16 +244,21 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &mods);
for (i = 0; NULL != mods && NULL != mods[i]; i++)
{
+ slapi_ch_free_string(&val);
if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize))
{
/* we don't allow delete attribute operations unless it was issued by
the replication plugin - handled above */
if (mods[i]->mod_op & LDAP_MOD_DELETE)
{
- if(strcasecmp (mods[i]->mod_type, type_nsds5ReplicaCleanRUVnotified) == 0){
+ if(strcasecmp (mods[i]->mod_type, type_nsds5ReplicaCleanRUVnotified) == 0 ){
/* allow the deletion of cleanallruv agmt attr */
continue;
}
+ if(strcasecmp (mods[i]->mod_type, type_replicaProtocolTimeout) == 0){
+ agmt_set_protocol_timeout(agmt, 0);
+ continue;
+ }
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"deletion of %s attribute is not allowed\n", type_nsds5ReplicaInitialize);
@@ -262,8 +268,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
}
else
{
- char *val;
-
if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])
val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
else
@@ -304,7 +308,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
val, mods[i]->mod_type);
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: %s\n", errortext);
}
- slapi_ch_free ((void**)&val);
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
@@ -511,6 +514,21 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
rc = SLAPI_DSE_CALLBACK_ERROR;
}
}
+ else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){
+ if (val){
+ long ptimeout = atol(val);
+
+ if(ptimeout <= 0){
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, "
+ "must be a number greater than zero.\n",
+ type_replicaProtocolTimeout, val);
+ rc = SLAPI_DSE_CALLBACK_ERROR;
+ break;
+ }
+ agmt_set_protocol_timeout(agmt, ptimeout);
+ }
+ }
else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e))
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
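Review bot: In the new `type_replicaProtocolTimeout` branch, `val` is always NULL, so `agmt_set_protocol_timeout()` is never reached. This patch frees `val` at the top of every loop iteration and the only assignment visible in the diff is inside the `type_nsds5ReplicaInitialize` branch, so `if (val)` silently skips both the validation and the update. Copy the value from `mods[i]->mod_bvalues[0]` (after checking that `mod_bvalues` and its first element are non-NULL) before the attribute dispatch, and treat a missing value on add/replace as an error rather than a no-op.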
@@ -561,6 +579,7 @@ done:
{
agmtlist_release_agmt(agmt);
}
+ slapi_ch_free_string(&val);
return rc;
}
diff --git a/ldap/servers/plugins/replication/repl5_inc_protocol.c b/ldap/servers/plugins/replication/repl5_inc_protocol.c
index 612fe46..05074b0 100644
--- a/ldap/servers/plugins/replication/repl5_inc_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_inc_protocol.c
@@ -1921,10 +1921,24 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu
static int
repl5_inc_stop(Private_Repl_Protocol *prp)
{
- int return_value;
PRIntervalTime start, maxwait, now;
+ Replica *replica = NULL;
+ PRUint64 timeout;
+ int return_value;
+
+ if((timeout = agmt_get_protocol_timeout(prp->agmt)) == 0){
+ timeout = DEFAULT_PROTOCOL_TIMEOUT;
+ if(prp->replica_object){
+ object_acquire(prp->replica_object);
+ replica = object_get_data(prp->replica_object);
+ if((timeout = replica_get_protocol_timeout(replica)) == 0){
+ timeout = DEFAULT_PROTOCOL_TIMEOUT;
+ }
+ object_release(prp->replica_object);
+ }
+ }
- maxwait = PR_SecondsToInterval(prp->timeout);
+ maxwait = PR_SecondsToInterval(timeout);
prp->terminate = 1;
event_notify(prp, EVENT_PROTOCOL_SHUTDOWN);
start = PR_IntervalNow();
@@ -1939,8 +1953,8 @@ repl5_inc_stop(Private_Repl_Protocol *prp)
/* Isn't listening. Do something drastic. */
return_value = -1;
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
- "%s: repl5_inc_stop: protocol does not stop after %d seconds\n",
- agmt_get_long_name(prp->agmt), (int)prp->timeout);
+ "%s: repl5_inc_stop: protocol does not stop after %llu seconds\n",
+ agmt_get_long_name(prp->agmt), (long long unsigned int)timeout);
}
else
{
@@ -2044,7 +2058,6 @@ Repl_5_Inc_Protocol_new(Repl_Protocol *rp)
prp->notify_window_closed = repl5_inc_notify_window_closed;
prp->update_now = repl5_inc_update_now;
prp->replica_object = prot_get_replica_object(rp);
- prp->timeout = prot_get_timeout(rp);
if ((prp->lock = PR_NewLock()) == NULL)
{
goto loser;
diff --git a/ldap/servers/plugins/replication/repl5_prot_private.h b/ldap/servers/plugins/replication/repl5_prot_private.h
index 37072ee..586e1eb 100644
--- a/ldap/servers/plugins/replication/repl5_prot_private.h
+++ b/ldap/servers/plugins/replication/repl5_prot_private.h
@@ -75,7 +75,6 @@ typedef struct private_repl_protocol
int repl50consumer; /* Flag to tell us if this is a 5.0-style consumer we're talking to */
int repl71consumer; /* Flag to tell us if this is a 7.1-style consumer we're talking to */
int repl90consumer; /* Flag to tell us if this is a 9.0-style consumer we're talking to */
- PRUint64 timeout;
} Private_Repl_Protocol;
extern Private_Repl_Protocol *Repl_5_Inc_Protocol_new();
diff --git a/ldap/servers/plugins/replication/repl5_protocol.c b/ldap/servers/plugins/replication/repl5_protocol.c
index 34fe8a0..0e9668d 100644
--- a/ldap/servers/plugins/replication/repl5_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_protocol.c
@@ -71,8 +71,7 @@ typedef struct repl_protocol
Object *replica_object; /* Local replica. If non-NULL, replica object is acquired */
int state;
int next_state;
- PRUint64 protocol_timeout;
- PRThread *agmt_thread;
+ PRThread *agmt_thread;
PRLock *lock;
} repl_protocol;
@@ -134,16 +133,17 @@ prot_new(Repl_Agmt *agmt, int protocol_state)
rp->prp_total = private_protocol_factory(rp, PROTOCOL_WINDOWS_TOTAL);
rp->delete_conn = windows_conn_delete;
}
- rp->protocol_timeout = agmt_get_protocol_timeout(agmt);
-
/* XXXggood register callback handlers for entries updated, and
schedule window enter/leave. */
goto done;
+
loser:
prot_delete(&rp);
+
done:
slapi_sdn_free(&replarea_sdn);
+
return rp;
}
@@ -593,8 +593,3 @@ private_protocol_factory(Repl_Protocol *rp, int type)
return prp;
}
-int
-prot_get_timeout(Repl_Protocol *rp)
-{
- return (int)rp->protocol_timeout;
-}
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index 8a1c590..02d4e74 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -87,7 +87,7 @@ struct replica {
PRBool state_update_inprogress; /* replica state is being updated */
PRLock *agmt_lock; /* protects agreement creation, start and stop */
char *locking_purl; /* supplier who has exclusive access */
- PRUint64 protocol_timeout; /* protocol shutdown timeout */
+ Slapi_Counter *protocol_timeout; /* protocol shutdown timeout */
PRUint64 backoff_min; /* backoff retry minimum */
PRUint64 backoff_max; /* backoff retry maximum */
};
@@ -164,26 +164,26 @@ replica_new(const Slapi_DN *root)
Replica *
replica_new_from_entry (Slapi_Entry *e, char *errortext, PRBool is_add_operation)
{
- int rc = 0;
- Replica *r;
+ int rc = 0;
+ Replica *r;
char *repl_name = NULL;
- if (e == NULL)
- {
- if (NULL != errortext)
+ if (e == NULL)
+ {
+ if (NULL != errortext)
{
- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "NULL entry");
+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "NULL entry");
}
- return NULL;
- }
+ return NULL;
+ }
- r = (Replica *)slapi_ch_calloc(1, sizeof(Replica));
+ r = (Replica *)slapi_ch_calloc(1, sizeof(Replica));
- if (!r)
+ if (!r)
{
- if (NULL != errortext)
+ if (NULL != errortext)
{
- PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Out of memory");
+ PR_snprintf(errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Out of memory");
}
rc = -1;
goto done;
@@ -208,6 +208,7 @@ replica_new_from_entry (Slapi_Entry *e, char *errortext, PRBool is_add_operation
rc = -1;
goto done;
}
+ r->protocol_timeout = slapi_counter_new();
/* read parameters from the replica config entry */
rc = _replica_init_from_config (r, e, errortext);
@@ -403,6 +404,8 @@ replica_destroy(void **arg)
csnplFree(&r->min_csn_pl);;
}
+ slapi_counter_destroy(&r->protocol_timeout);
+
slapi_ch_free((void **)arg);
}
@@ -796,10 +799,22 @@ replica_get_type (const Replica *r)
return r->repl_type;
}
-int
+PRUint64
replica_get_protocol_timeout(Replica *r)
{
- return (int)r->protocol_timeout;
+ if(r){
+ return slapi_counter_get_value(r->protocol_timeout);
+ } else {
+ return 0;
+ }
+}
+
+void
+replica_set_protocol_timeout(Replica *r, PRUint64 timeout)
+{
+ if(r){
+ slapi_counter_set_value(r->protocol_timeout, timeout);
+ }
}
/*
@@ -1659,6 +1674,7 @@ _replica_init_from_config (Replica *r, Slapi_Entry *e, char *errortext)
char *val;
int backoff_min;
int backoff_max;
+ int ptimeout = 0;
int rc;
PR_ASSERT (r && e);
@@ -1731,9 +1747,11 @@ _replica_init_from_config (Replica *r, Slapi_Entry *e, char *errortext)
}
/* get the protocol timeout */
- r->protocol_timeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
- if(r->protocol_timeout == 0){
- r->protocol_timeout = DEFAULT_PROTOCOL_TIMEOUT;
+ ptimeout = slapi_entry_attr_get_int(e, type_replicaProtocolTimeout);
+ if(ptimeout <= 0){
+ slapi_counter_set_value(r->protocol_timeout, DEFAULT_PROTOCOL_TIMEOUT);
+ } else {
+ slapi_counter_set_value(r->protocol_timeout, ptimeout);
}
/* get replica flags */
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index 94c23c0..9452d51 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -396,9 +396,16 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry*
else if (strcasecmp (config_attr, type_replicaCleanRUV) == 0 ||
strcasecmp (config_attr, type_replicaAbortCleanRUV) == 0)
{
- /* only allow the deletion of the cleanAllRUV config attributes */
+ /*
+ * Only allow the deletion of the cleanAllRUV config attributes, and the
+ * protocol timeout.
+ */
continue;
}
+ else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 )
+ {
+ replica_set_protocol_timeout(r, DEFAULT_PROTOCOL_TIMEOUT);
+ }
else
{
*returncode = LDAP_UNWILLING_TO_PERFORM;
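Review bot: The delete branch for `type_replicaProtocolTimeout` calls `replica_set_protocol_timeout(r, DEFAULT_PROTOCOL_TIMEOUT)` without looking at `apply_mods`, while the add/replace branch added later in this file only changes the replica inside `if (apply_mods && ...)`. If this function is run once to validate and once to apply, the delete path changes live state during validation. Guard the call with `apply_mods`. The reworded comment also sits in the cleanAllRUV branch although the timeout is handled in the next `else if`; move the sentence about the protocol timeout to the branch it describes.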
@@ -487,6 +494,22 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry*
{
*returncode = LDAP_SUCCESS;
}
+ else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 ){
+ if (apply_mods && config_attr_value && config_attr_value[0])
+ {
+ long ptimeout = atol(config_attr_value);
+
+ if(ptimeout <= 0){
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "attribute %s value (%s) is invalid, must be a number greater than zero.\n",
+ config_attr, config_attr_value);
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "replica_config_modify: %s\n", errortext);
+ } else {
+ replica_set_protocol_timeout(r, ptimeout);
+ }
+ }
+ }
else
{
*returncode = LDAP_UNWILLING_TO_PERFORM;
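Review bot: `atol(config_attr_value)` in the new timeout branch cannot distinguish a valid number from a value with trailing garbage, and it gives no overflow indication. A value such as "30x" is accepted as 30, and only inputs that parse to zero or a negative number are rejected. Use `strtol()` with an end pointer and an `errno` check, reject the value unless the whole string was consumed, and apply an upper bound before passing it to `replica_set_protocol_timeout()`, since the result is later fed to `PR_SecondsToInterval()`.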
diff --git a/ldap/servers/plugins/replication/repl5_tot_protocol.c b/ldap/servers/plugins/replication/repl5_tot_protocol.c
index 5bb203a..a241128 100644
--- a/ldap/servers/plugins/replication/repl5_tot_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_tot_protocol.c
@@ -505,11 +505,22 @@ static int
repl5_tot_stop(Private_Repl_Protocol *prp)
{
int return_value;
- int seconds = 600;
PRIntervalTime start, maxwait, now;
+ PRUint64 timeout = DEFAULT_PROTOCOL_TIMEOUT;
+ Replica *replica = NULL;
+
+ if((timeout = agmt_get_protocol_timeout(prp->agmt)) == 0){
+ timeout = DEFAULT_PROTOCOL_TIMEOUT;
+ if(prp->replica_object){
+ replica = object_get_data(prp->replica_object);
+ if((timeout = replica_get_protocol_timeout(replica)) == 0){
+ timeout = DEFAULT_PROTOCOL_TIMEOUT;
+ }
+ }
+ }
prp->terminate = 1;
- maxwait = PR_SecondsToInterval(seconds);
+ maxwait = PR_SecondsToInterval(timeout);
start = PR_IntervalNow();
now = start;
while (!prp->stopped && ((now - start) < maxwait))
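Review bot: repl5_tot_stop reads the replica through `object_get_data(prp->replica_object)` without the `object_acquire()` / `object_release()` pair that the same fallback in repl5_inc_stop uses in this patch. If the reference is needed there it is needed here too; take and release it around the `replica_get_protocol_timeout()` call. The initializer `PRUint64 timeout = DEFAULT_PROTOCOL_TIMEOUT` is overwritten immediately by the first `if`, and the whole agreement, replica, default fallback is now duplicated in two files, so a small shared helper would keep the two stop paths from drifting apart.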
@@ -567,7 +578,6 @@ Repl_5_Tot_Protocol_new(Repl_Protocol *rp)
prp->notify_window_opened = repl5_tot_noop;
prp->notify_window_closed = repl5_tot_noop;
prp->update_now = repl5_tot_noop;
- prp->timeout = DEFAULT_PROTOCOL_TIMEOUT;
if ((prp->lock = PR_NewLock()) == NULL)
{
goto loser;
@@ -588,6 +598,7 @@ Repl_5_Tot_Protocol_new(Repl_Protocol *rp)
prp->repl50consumer = 0;
prp->repl71consumer = 0;
prp->repl90consumer = 0;
+ prp->replica_object = prot_get_replica_object(rp);
return prp;
loser:
repl5_tot_delete(&prp);
--
1.8.1.4

View file

@ -0,0 +1,72 @@
From 26a0d63bcbf280d20bd984fd00fd82e82ed62de5 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 12 Dec 2013 12:48:08 -0500
Subject: [PATCH 66/78] Ticket 47613 - Issues setting allowed mechanisms
Bug Description: Adding an empty value for nsslapd-allowed-sasl-mechanisms blocks all
sasl authentication. Also changing the allowed sasl mechanism does
require a restart after making a change.
Fix Description: Reject empty values for nsslapd-allowed-sasl-mechanisms, and allow
config changes to occur without restarting the server.
https://fedorahosted.org/389/ticket/47613
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 43959232f792db2b79e614f6db78f7569920fdc1)
(cherry picked from commit a1e386188663c9197b80b3b51cca0d58ce0c9181)
---
ldap/servers/slapd/configdse.c | 1 -
ldap/servers/slapd/libglobs.c | 10 +++++++---
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/ldap/servers/slapd/configdse.c b/ldap/servers/slapd/configdse.c
index bd1566e..b54062d 100644
--- a/ldap/servers/slapd/configdse.c
+++ b/ldap/servers/slapd/configdse.c
@@ -81,7 +81,6 @@ static const char *requires_restart[] = {
#endif
"cn=config:" CONFIG_RETURN_EXACT_CASE_ATTRIBUTE,
"cn=config:" CONFIG_SCHEMA_IGNORE_TRAILING_SPACES,
- "cn=config:nsslapd-allowed-sasl-mechanisms",
"cn=config,cn=ldbm:nsslapd-idlistscanlimit",
"cn=config,cn=ldbm:nsslapd-parentcheck",
"cn=config,cn=ldbm:nsslapd-dbcachesize",
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index a763135..64510d6 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -6761,8 +6761,7 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
{
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- if(!apply || slapdFrontendConfig->allowed_sasl_mechs){
- /* we only set this at startup, if we try again just return SUCCESS */
+ if(!apply){
return LDAP_SUCCESS;
}
@@ -6777,6 +6776,7 @@ config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf,
}
CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapi_ch_free_string(&slapdFrontendConfig->allowed_sasl_mechs);
slapdFrontendConfig->allowed_sasl_mechs = slapi_ch_strdup(value);
CFG_UNLOCK_WRITE(slapdFrontendConfig);
@@ -7476,7 +7476,11 @@ invalid_sasl_mech(char *str)
int i;
if(str == NULL){
- return 0;
+ return 1;
+ }
+ if(strlen(str) < 1){
+ /* ignore empty values */
+ return 1;
}
/*
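Review bot: The comment `/* ignore empty values */` in invalid_sasl_mech contradicts the code under it, which returns 1 and therefore marks the empty string as invalid. The commit message says empty values are rejected, so the comment should say "reject" to match. The NULL case also flips from valid (0) to invalid (1) in this hunk without any mention in the description; please document why, and confirm that callers which pass NULL when the attribute is deleted still behave as intended.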
--
1.8.1.4

View file

@ -0,0 +1,51 @@
From 00a0b5f1d506f5f79f4b27859355db8d5a70a249 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 12 Dec 2013 15:36:11 -0500
Subject: [PATCH 67/78] Ticket 47620 - Fix cherry-pick error for 1.3.2 and
1.3.1
Description: During the cherry-pick process I had to make some manual changes,
and there were two schedule_destroy() calls made which led to
a dereferenced pointer.
https://fedorahosted.org/389/ticket/47620
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 3ae6900d8269926a1da097e3818aa444137aa9d9)
(cherry picked from commit 5d4ac7c8c5d48be0796cdbf2ae7b9c40460de18c)
---
ldap/servers/plugins/replication/repl5_agmt.c | 2 --
ldap/servers/plugins/replication/repl5_schedule.c | 4 ++++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index b0da172..14c2fb4 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -630,8 +630,6 @@ agmt_delete(void **rap)
PR_DestroyLock(ra->lock);
slapi_destroy_rwlock(ra->attr_lock);
- schedule_destroy(ra->schedule);
- slapi_ch_free((void **)&ra->long_name);
slapi_ch_free((void **)rap);
}
diff --git a/ldap/servers/plugins/replication/repl5_schedule.c b/ldap/servers/plugins/replication/repl5_schedule.c
index 419e3ec..1db06a6 100644
--- a/ldap/servers/plugins/replication/repl5_schedule.c
+++ b/ldap/servers/plugins/replication/repl5_schedule.c
@@ -159,6 +159,10 @@ schedule_destroy(Schedule *s)
{
int i;
+ if(s == NULL){
+ return;
+ }
+
/* unschedule update window event if exists */
unschedule_window_state_change_event (s);
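Review bot: The new `if(s == NULL)` guard in schedule_destroy does not protect against the double destroy this ticket describes, because the function takes `Schedule *s` by value and cannot clear the caller's pointer. A second call with the same non-NULL, already freed pointer still passes the guard. The removal of the duplicate call in agmt_delete is the actual fix; to make the guard effective, either change the signature to take `Schedule **` and NULL it on exit, or have callers set their pointer to NULL after the call.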
--
1.8.1.4

View file

@ -0,0 +1,119 @@
From 014aaa8b331e9af9f36432000c4c99b9f60687ae Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 13 Dec 2013 11:43:47 -0500
Subject: [PATCH 68/78] Ticket 47620 - Config value validation improvement
Bug Description: When setting the replication protocol timeout, it is possible
to set a negative number(it should be rejected), and when
setting the timeout for an agreement using letters, we get an
invalid syntax error, but it should really be an error 53 to
be consistent with how the invalid timeout error that is given
when updating the replica entry.
Fix Description: In the agmt modify code, we did not have the actual modify value
during the validation. This allowed the value to be added, which
was later caught for the invalid syntax. Then improved the overall
logic to the validation to also catch the negative numbers.
https://fedorahosted.org/389/ticket/47620
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 8a4bbc7c74a6847d75e4d6e9e0b16859a5da8ec0)
(cherry picked from commit 1bbb27b522dd8eb36f09f47c144fd65511c132b5)
---
ldap/servers/plugins/replication/repl5_agmtlist.c | 32 ++++++++++++----------
.../plugins/replication/repl5_replica_config.c | 12 +++++---
2 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index 04891b7..bd14202 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -245,6 +245,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
for (i = 0; NULL != mods && NULL != mods[i]; i++)
{
slapi_ch_free_string(&val);
+ val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize))
{
/* we don't allow delete attribute operations unless it was issued by
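Review bot: The added `val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);` at the top of the loop dereferences `mods[i]->mod_bvalues` unconditionally. The code this patch removes a few lines below guarded the same call with `if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])`, and a modify that deletes an attribute without listing values has no value array. Keep that guard on the hoisted assignment and leave `val` NULL when no value is supplied, so the per-attribute branches can decide whether a missing value is an error.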
@@ -268,10 +269,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
}
else
{
- if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])
- val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
- else
- {
+ if(val == NULL){
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"no value provided for %s attribute\n", type_nsds5ReplicaInitialize);
*returncode = LDAP_UNWILLING_TO_PERFORM;
@@ -515,19 +513,23 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){
- if (val){
- long ptimeout = atol(val);
+ long ptimeout = 0;
- if(ptimeout <= 0){
- *returncode = LDAP_UNWILLING_TO_PERFORM;
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, "
- "must be a number greater than zero.\n",
- type_replicaProtocolTimeout, val);
- rc = SLAPI_DSE_CALLBACK_ERROR;
- break;
- }
- agmt_set_protocol_timeout(agmt, ptimeout);
+ if (val){
+ ptimeout = atol(val);
+ }
+ if(ptimeout <= 0){
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ PR_snprintf (returntext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "attribute %s value (%s) is invalid, must be a number greater than zero.\n",
+ type_replicaProtocolTimeout, val ? val : "");
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, "
+ "must be a number greater than zero.\n",
+ type_replicaProtocolTimeout, val ? val : "");
+ rc = SLAPI_DSE_CALLBACK_ERROR;
+ break;
}
+ agmt_set_protocol_timeout(agmt, ptimeout);
}
else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e))
{
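Review bot: The new `PR_snprintf (returntext, SLAPI_DSE_RETURNTEXT_SIZE, ...)` in the timeout branch writes to `returntext` directly, but this function declares `char *errortext = returntext ? returntext : buff;` precisely because `returntext` may be NULL. Write the message to `errortext`, as the other branches do. The same message is then formatted a second time for `slapi_log_error()`; log `errortext` instead of repeating the format string, which also keeps the client message and the log line identical.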
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index 9452d51..74e1fb7 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -497,17 +497,21 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry*
else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 ){
if (apply_mods && config_attr_value && config_attr_value[0])
{
- long ptimeout = atol(config_attr_value);
+ long ptimeout = 0;
+
+ if(config_attr_value){
+ ptimeout = atol(config_attr_value);
+ }
if(ptimeout <= 0){
*returncode = LDAP_UNWILLING_TO_PERFORM;
PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE,
"attribute %s value (%s) is invalid, must be a number greater than zero.\n",
- config_attr, config_attr_value);
+ config_attr, config_attr_value ? config_attr_value : "");
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "replica_config_modify: %s\n", errortext);
- } else {
- replica_set_protocol_timeout(r, ptimeout);
+ break;
}
+ replica_set_protocol_timeout(r, ptimeout);
}
}
else
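Review bot: The added `if(config_attr_value)` test and the `config_attr_value ? config_attr_value : ""` fallback can never take the NULL path, because the enclosing condition is still `if (apply_mods && config_attr_value && config_attr_value[0])`. As a result a missing or empty value skips the block entirely and is accepted without the "must be a number greater than zero" error that the description promises. Relax the outer condition so the validation runs for every add/replace of this attribute, or drop the inner checks if the outer one is meant to stay.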
--
1.8.1.4

View file

@ -0,0 +1,56 @@
From 1eece8d6d6dc88eb214927992840e5edf270786b Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 16 Dec 2013 09:48:12 -0500
Subject: [PATCH 69/78] Ticket 47620 - Fix logically dead code.
Coverity issues: 12419 & 12420
https://fedorahosted.org/389/ticket/47620
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 080cb44f5eaa794375a8e69b6e1ac09fcae9a961)
(cherry picked from commit c094a9f1a758dabd1164bf979a4ac22bb3720d63)
---
ldap/servers/plugins/replication/repl5_agmtlist.c | 12 +-----------
ldap/servers/plugins/replication/repl5_replica_config.c | 2 +-
2 files changed, 2 insertions(+), 12 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index bd14202..5219c92 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -277,17 +277,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
break;
}
- /* Start replica initialization */
- if (val == NULL)
- {
- PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "No value supplied for attr (%s)", mods[i]->mod_type);
- slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: %s\n",
- errortext);
- *returncode = LDAP_UNWILLING_TO_PERFORM;
- rc = SLAPI_DSE_CALLBACK_ERROR;
- break;
- }
-
+ /* Start replica initialization */
if (strcasecmp (val, "start") == 0)
{
start_initialize = 1;
diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index 74e1fb7..853bcde 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -495,7 +495,7 @@ replica_config_modify (Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry*
*returncode = LDAP_SUCCESS;
}
else if (strcasecmp (config_attr, type_replicaProtocolTimeout) == 0 ){
- if (apply_mods && config_attr_value && config_attr_value[0])
+ if (apply_mods)
{
long ptimeout = 0;
--
1.8.1.4

View file

@ -0,0 +1,36 @@
From 3d941308ae833a59cad81951793b6374a8c15a56 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 17 Dec 2013 13:11:03 -0500
Subject: [PATCH 70/78] Ticket 47620 - Fix dereferenced NULL pointer in
agmtlist_modify_callback()
The server would dereference a NULL pointer if an attribute was deleted from a replication
agreement.
https://fedorahosted.org/389/ticket/47620
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 8baed897f504e75478b5dbbe736c1eaf6d2d7fa9)
(cherry picked from commit 60d263f7bc52e4b5186a01c38868763a275abadc)
---
ldap/servers/plugins/replication/repl5_agmtlist.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index 5219c92..6e8b82c 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -245,7 +245,9 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
for (i = 0; NULL != mods && NULL != mods[i]; i++)
{
slapi_ch_free_string(&val);
- val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
+ if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])
+ val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
+ }
if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize))
{
/* we don't allow delete attribute operations unless it was issued by
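Review bot: The added `if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])` has no opening brace, but the hunk also adds a closing `}` after the assignment. That stray brace closes the enclosing `for` body early, so the braces in agmtlist_modify_callback no longer balance and the file should not compile as posted. Add the `{` at the end of the `if` line and build the branch before cherry-picking it further.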
--
1.8.1.4

View file

@ -0,0 +1,28 @@
From 854e1f23218b8e81db2c05728f8e21cd09dd69eb Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 17 Dec 2013 14:01:34 -0500
Subject: [PATCH 71/78] Ticket 47620 - Fix missing left bracket
https://fedorahosted.org/389/ticket/47620
(cherry picked from commit 3a4d39e166449177c85b92af8b47c5c6848c4d02)
(cherry picked from commit b143477e186734333b6cfae615484b886b204e0e)
---
ldap/servers/plugins/replication/repl5_agmtlist.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index 6e8b82c..9e0291f 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -245,7 +245,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
for (i = 0; NULL != mods && NULL != mods[i]; i++)
{
slapi_ch_free_string(&val);
- if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0])
+ if (mods[i]->mod_bvalues && mods[i]->mod_bvalues[0]){
val = slapi_berval_get_string_copy (mods[i]->mod_bvalues[0]);
}
if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5ReplicaInitialize))
--
1.8.1.4

View file

@ -0,0 +1,83 @@
From d695afb6a637432e880296d8552f466981c0796c Mon Sep 17 00:00:00 2001
From: "Thierry bordaz (tbordaz)" <tbordaz@redhat.com>
Date: Thu, 16 May 2013 15:28:47 +0200
Subject: [PATCH 72/78] Ticket 571 (dup 47361) - Empty control list causes LDAP
protocol error is thrown
Bug Description:
If a request contains a list of controls containing zero controls, it does
not conform to RFC http://tools.ietf.org/html/rfc4511#section-4.1.11. Then the
server returns a Protocol Error.
This is too restrictive for some applications.
Note: such applications need to be linked with an old version of mozldap or openldap
because recent versions skip sending an empty list of controls
Fix Description:
The fix is to ignore this error and let the operation complete
Note: ticket 571 (bz 918717) is a duplicate of 47361 (bz 963234). 47361 was used to
backport in 1.2.11. 571 is used to backport in 1.3.1.
This bug is fixed since 1.3.2
https://fedorahosted.org/389/ticket/571
https://fedorahosted.org/389/ticket/47361
Reviewed by: Rich Megginson (thanks Rich !)
Platforms tested: F17 (unit + acceptance vlv/proxy/managed/psearch/tls/bindcontrol)
Flag Day: no
Doc impact: no
(cherry picked from commit dea2a254117f1e9f4be1068c6784b2780fec933f)
---
ldap/servers/slapd/control.c | 32 +++++++++++++++++++++-----------
1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c
index fc3ab9f..e614d50 100644
--- a/ldap/servers/slapd/control.c
+++ b/ldap/servers/slapd/control.c
@@ -354,17 +354,27 @@ get_ldapmessage_controls_ext(
len = -1; /* reset for next loop iter */
}
- if ( (tag != LBER_END_OF_SEQORSET) && (len != -1) ) {
- goto free_and_return;
- }
-
- slapi_pblock_set( pb, SLAPI_REQCONTROLS, ctrls );
- managedsait = slapi_control_present( ctrls,
- LDAP_CONTROL_MANAGEDSAIT, NULL, NULL );
- slapi_pblock_set( pb, SLAPI_MANAGEDSAIT, &managedsait );
- pwpolicy_ctrl = slapi_control_present( ctrls,
- LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL );
- slapi_pblock_set( pb, SLAPI_PWPOLICY, &pwpolicy_ctrl );
+ if (curcontrols == 0) {
+ int ctrl_not_found = 0; /* means that a given control is not present in the request */
+
+ slapi_pblock_set(pb, SLAPI_REQCONTROLS, NULL);
+ slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found);
+ slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found);
+ slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%d op=%d contains an empty list of controls\n",
+ pb->pb_conn->c_connid, pb->pb_op->o_opid);
+ } else {
+ if ((tag != LBER_END_OF_SEQORSET) && (len != -1)) {
+ goto free_and_return;
+ }
+
+ slapi_pblock_set(pb, SLAPI_REQCONTROLS, ctrls);
+ managedsait = slapi_control_present(ctrls,
+ LDAP_CONTROL_MANAGEDSAIT, NULL, NULL);
+ slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &managedsait);
+ pwpolicy_ctrl = slapi_control_present(ctrls,
+ LDAP_X_CONTROL_PWPOLICY_REQUEST, NULL, NULL);
+ slapi_pblock_set(pb, SLAPI_PWPOLICY, &pwpolicy_ctrl);
+ }
if ( controlsp != NULL ) {
*controlsp = ctrls;
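Review bot: In the new `curcontrols == 0` branch the `(tag != LBER_END_OF_SEQORSET) && (len != -1)` check is skipped entirely, so a controls sequence that ended abnormally before any control was decoded is now handled the same as a well-formed empty list; confirm that the loop's own error paths already reject malformed input before this point, or narrow the bypass to the genuinely empty case. The branch also stores NULL in SLAPI_REQCONTROLS while the unchanged code below still assigns `*controlsp = ctrls`, so set `ctrls` to NULL explicitly (releasing anything allocated) so the pblock and the caller agree. The log call dereferences `pb->pb_conn` and `pb->pb_op` without a NULL check.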
--
1.8.1.4


@ -0,0 +1,189 @@
From 298ada3b2f7b8aa770df9a5a7d8129f46b4417d7 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 16 Dec 2013 13:03:19 -0800
Subject: [PATCH 73/78] Ticket #47606 - replica init/bulk import errors should
be more verbose
Description:
1. maxbersize: If the size of an entry is larger than the consumer's
maxbersize, the following error used to be logged:
Incoming BER Element was too long, max allowable is ### bytes.
Change the nsslapd-maxbersize attribute in cn=config to increase.
This message does not indicate how large the maxbersize needs to be.
This patch adds the code to retrieve the failed ber size.
Revised message:
Incoming BER Element was @@@ bytes, max allowable is ### bytes.
Change the nsslapd-maxbersize attribute in cn=config to increase.
Note: There is no lber API that returns the ber size if it fails to
handle the ber. This patch borrows the internal structure of ber
and gets the size. This could be risky since the size or structure
of the ber could be updated in the openldap/mozldap lber.
2. cache size: The bulk import depends upon the nsslapd-cachememsize
value in the backend instance entry (e.g., cn=userRoot,cn=ldbm
database,cn=plugins,cn=config). If an entry size is larger than
the cachememsize, the bulk import used to fail with this message:
import userRoot: REASON: entry too large (@@@ bytes) for the
import buffer size (### bytes). Try increasing nsslapd-
cachememsize.
Also, the message follows the skipping entry message:
import userRoot: WARNING: skipping entry "<DN>"
but actually, it did NOT "skip" the entry and continue the bulk
import, but it failed there and completely wiped out the backend
database.
This patch modifies the message as follows:
import userRoot: REASON: entry too large (@@@ bytes) for the
effective import buffer size (### bytes). Try increasing nsslapd-
cachememsize for the backend instance "userRoot".
and as the message mentions, it just skips the failed entry and
continues the bulk import.
3. In repl5_tot_result_threadmain, when conn_read_result_ex returns
non zero (non SUCCESS), it sets abort, but does not set any error
code to rc (return code), which is not considered as "finished" in
repl5_tot_waitfor_async_results and it continues waiting until the
code reaches the max loop count (about 5 minutes). This patch sets
LDAP_CONNECT_ERROR to the return code along with setting abort, if
conn_read_result_ex returns CONN_NOT_CONNECTED. This makes the bulk
import finish quickly when it fails.
https://fedorahosted.org/389/ticket/47606
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 1119083d3d99993421609783efcb8962d78724fc)
(cherry picked from commit fde9ed5bf74b4ea1fff875bcb421137c78af1227)
(cherry picked from commit c9d0b6ccad84dd56a536da883f5a8e5acb01bc4e)
---
.../plugins/replication/repl5_tot_protocol.c | 3 ++
ldap/servers/slapd/back-ldbm/import-threads.c | 8 ++---
ldap/servers/slapd/connection.c | 36 ++++++++++++++++++----
ldap/servers/slapd/openldapber.h | 25 +++++++++++++++
4 files changed, 62 insertions(+), 10 deletions(-)
create mode 100644 ldap/servers/slapd/openldapber.h
diff --git a/ldap/servers/plugins/replication/repl5_tot_protocol.c b/ldap/servers/plugins/replication/repl5_tot_protocol.c
index a241128..3895ace 100644
--- a/ldap/servers/plugins/replication/repl5_tot_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_tot_protocol.c
@@ -203,6 +203,9 @@ static void repl5_tot_result_threadmain(void *param)
/* If so then we need to take steps to abort the update process */
PR_Lock(cb->lock);
cb->abort = 1;
+ if (conres == CONN_NOT_CONNECTED) {
+ cb->rc = LDAP_CONNECT_ERROR;
+ }
PR_Unlock(cb->lock);
}
/* Should we stop ? */
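Review bot: `cb->rc` is only set when `conres == CONN_NOT_CONNECTED`; every other non-success result still sets `cb->abort = 1` and leaves `rc` untouched, which per the commit message is the state that keeps repl5_tot_waitfor_async_results waiting until its loop limit. Either set an error code for all abort cases (keeping LDAP_CONNECT_ERROR for the disconnected case) or add a comment explaining why the other results should keep waiting.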
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index c0475c6..95433aa 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -3330,11 +3330,11 @@ static int bulk_import_queue(ImportJob *job, Slapi_Entry *entry)
newesize = (slapi_entry_size(ep->ep_entry) + sizeof(struct backentry));
if (newesize > job->fifo.bsize) { /* entry too big */
- import_log_notice(job, "WARNING: skipping entry \"%s\"",
- slapi_entry_get_dn(ep->ep_entry));
import_log_notice(job, "REASON: entry too large (%lu bytes) for "
- "the import buffer size (%lu bytes). Try increasing nsslapd-cachememsize.",
- (long unsigned int)newesize, (long unsigned int)job->fifo.bsize);
+ "the effective import buffer size (%lu bytes). "
+ "Try increasing nsslapd-cachememsize for the backend instance \"%s\".",
+ (long unsigned int)newesize, (long unsigned int)job->fifo.bsize,
+ job->inst->inst_name);
backentry_clear_entry(ep); /* entry is released in the frontend on failure*/
backentry_free( &ep ); /* release the backend wrapper, here */
PR_Unlock(job->wire_lock);
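Review bot: Removing the `WARNING: skipping entry` line drops the only place the DN of the oversized entry was logged; the new REASON message names the backend instance but not the entry. Keep the DN in the message so an administrator can tell which entry exceeded the buffer. The commit message also says the import now skips the entry and continues, but nothing in this hunk changes control flow, so that behaviour should be verified or the description corrected.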
diff --git a/ldap/servers/slapd/connection.c b/ldap/servers/slapd/connection.c
index fed3512..02c86c5 100644
--- a/ldap/servers/slapd/connection.c
+++ b/ldap/servers/slapd/connection.c
@@ -1749,6 +1749,32 @@ void connection_make_new_pb(Slapi_PBlock **ppb, Connection *conn)
}
+#ifdef USE_OPENLDAP
+#include "openldapber.h"
+#else
+#include "mozldap.h"
+#endif
+
+static ber_tag_t
+_ber_get_len(BerElement *ber, ber_len_t *lenp)
+{
+#ifdef USE_OPENLDAP
+ OLBerElement *lber = (OLBerElement *)ber;
+#else
+ MozElement *lber = (MozElement *)ber;
+#endif
+
+ if (NULL == lenp) {
+ return LBER_DEFAULT;
+ }
+ *lenp = 0;
+ if (NULL == lber) {
+ return LBER_DEFAULT;
+ }
+ *lenp = lber->ber_len;
+ return lber->ber_tag;
+}
+
/*
* Utility function called by connection_read_operation(). This is a
* small wrapper on top of libldap's ber_get_next_buffer_ext().
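Review bot: `_ber_get_len()` casts the opaque `BerElement *` to a locally copied struct and reads `ber_len` and `ber_tag` from it, with nothing verifying that the copy matches the liblber the server is actually linked against. If the library layout changes, this reads unrelated memory on an error path that is reached by incoming network data. At minimum guard it with a build-time check against the library version the layout was copied from, and consider checking `ber_opts.lbo_valid` before trusting the fields. The `#include` directives would also be better placed with the other includes at the top of the file.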
@@ -1787,18 +1813,16 @@ get_next_from_buffer( void *buffer, size_t buffer_size, ber_len_t *lenp,
if ((LBER_OVERFLOW == *tagp || LBER_DEFAULT == *tagp) && 0 == bytes_scanned &&
!SLAPD_SYSTEM_WOULD_BLOCK_ERROR(errno))
{
- if (LBER_OVERFLOW == *tagp)
- {
- err = SLAPD_DISCONNECT_BER_TOO_BIG;
- }
- else if (errno == ERANGE)
+ if ((LBER_OVERFLOW == *tagp) || (errno == ERANGE))
{
ber_len_t maxbersize = config_get_maxbersize();
+ ber_len_t tmplen = 0;
+ (void)_ber_get_len(ber, &tmplen);
/* openldap does not differentiate between length == 0
and length > max - all we know is that there was a
problem with the length - assume too big */
err = SLAPD_DISCONNECT_BER_TOO_BIG;
- log_ber_too_big_error(conn, 0, maxbersize);
+ log_ber_too_big_error(conn, tmplen, maxbersize);
}
else
{
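Review bot: The retained comment says openldap cannot tell length == 0 from length > max, so `tmplen` can be 0 (or not exceed `maxbersize`) here, and the revised log line would then report a misleading size. Fall back to the old wording when `tmplen` is 0 or not greater than `maxbersize`. Folding `LBER_OVERFLOW` into the same condition also means that case now calls `log_ber_too_big_error()` where it previously only set `err`; confirm this does not produce a duplicate log entry.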
diff --git a/ldap/servers/slapd/openldapber.h b/ldap/servers/slapd/openldapber.h
new file mode 100644
index 0000000..52644a5
--- /dev/null
+++ b/ldap/servers/slapd/openldapber.h
@@ -0,0 +1,25 @@
+/*
+ * openldap lber library does not provide an API which returns the ber size
+ * (ber->ber_len) when the ber tag is LBER_DEFAULT or LBER_OVERFLOW.
+ * The ber size is useful when issuing an error message to indicate how
+ * large the maxbersize needs to be set.
+ * Borrowed from liblber/lber-int.h
+ */
+struct lber_options {
+ short lbo_valid;
+ unsigned short lbo_options;
+ int lbo_debug;
+};
+struct berelement {
+ struct lber_options ber_opts;
+ ber_tag_t ber_tag;
+ ber_len_t ber_len;
+ ber_tag_t ber_usertag;
+ char *ber_buf;
+ char *ber_ptr;
+ char *ber_end;
+ char *ber_sos_ptr;
+ char *ber_rwptr;
+ void *ber_memctx;
+};
+typedef struct berelement OLBerElement;
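Review bot: The new header has no include guard and uses `ber_tag_t` and `ber_len_t` without including the header that defines them, so it only compiles when included after lber.h. Add a guard and the include, and record which OpenLDAP release the `struct berelement` layout was copied from so a later reviewer can tell when it has drifted. Defining `struct lber_options` and `struct berelement` under the library's own names also risks a clash if the real internal header is ever pulled in; a private prefix would avoid that.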
--
1.8.1.4


@ -0,0 +1,42 @@
From b910f02f74410f44d0285d77b15e5d399df3c1a8 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Mon, 9 Dec 2013 17:00:32 -0700
Subject: [PATCH 74/78] Ticket #47623 fix memleak caused by 47347
https://fedorahosted.org/389/ticket/47623
Reviewed by: nhosoi (Thanks!)
Branch: 389-ds-base-1.3.1
Fix Description: Only need to create the mutex when creating a new PR object.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit 98ccb602058270e97a3702ae2b81c17635af8d27)
(cherry picked from commit 65c51555c0ecc94c5d93f09124168697ba1db6b3)
(cherry picked from commit 8a2c666df491b7c8666f8a70a5038b35c43fbc3b)
---
ldap/servers/slapd/pagedresults.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index 78bd6b0..a835d6b 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -122,6 +122,7 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
sizeof(PagedResults) * maxlen);
}
*index = maxlen; /* the first position in the new area */
+ conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
} else {
for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++) {
if (!conn->c_pagedresults.prl_list[i].pr_current_be) {
@@ -131,7 +132,6 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
}
}
conn->c_pagedresults.prl_count++;
- conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
} else {
/* Repeated paged results request.
* PagedResults is already allocated. */
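Review bot: With the unconditional `PR_NewLock()` removed, a slot picked by the `for` loop (one whose `pr_current_be` is NULL) is used with whatever `pr_mutex` it already holds; if that slot was never given a lock, later lock calls receive a NULL mutex. Creating the lock at the common point only when `pr_mutex` is NULL would fix the leak without opening that gap. The `PR_NewLock()` return value is also not checked.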
--
1.8.1.4


@ -0,0 +1,44 @@
From 0cd6aca794ccbd064c0609c45f8dc6333ad8ca8a Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Tue, 10 Dec 2013 08:08:35 -0700
Subject: [PATCH 75/78] Ticket #47623 fix memleak caused by 47347
https://fedorahosted.org/389/ticket/47623
Reviewed by: tbordaz, nhosoi (Thanks!)
Branch: 389-ds-base-1.3.1
Fix Description: Create the mutex if it doesn't exist.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit 0d4849dd7551347f0e24ac1027f4d0501084dcf3)
(cherry picked from commit 5d3ae5f709964cd7dfb73b631a22389223f5ef25)
(cherry picked from commit 5c649ddacd1d2c11b6e922b29472094b780c2a0e)
---
ldap/servers/slapd/pagedresults.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
index a835d6b..9af5773 100644
--- a/ldap/servers/slapd/pagedresults.c
+++ b/ldap/servers/slapd/pagedresults.c
@@ -122,7 +122,6 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
sizeof(PagedResults) * maxlen);
}
*index = maxlen; /* the first position in the new area */
- conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
} else {
for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++) {
if (!conn->c_pagedresults.prl_list[i].pr_current_be) {
@@ -131,6 +130,9 @@ pagedresults_parse_control_value( Slapi_PBlock *pb,
}
}
}
+ if (!conn->c_pagedresults.prl_list[*index].pr_mutex) {
+ conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
+ }
conn->c_pagedresults.prl_count++;
} else {
/* Repeated paged results request.
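Review bot: The `if (!conn->c_pagedresults.prl_list[*index].pr_mutex)` test is only reliable if slots in a newly allocated or grown `prl_list` are zero-initialised; the visible lines do not show that, so confirm the allocation path clears the new area, otherwise an uninitialised non-NULL pointer will be treated as a valid lock. `PR_NewLock()` can return NULL and the result is not checked before the slot is counted as in use.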
--
1.8.1.4


@ -0,0 +1,150 @@
From ea86342f0497a2d4c45c337ada9ec9e8329fc7cd Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 11 Dec 2013 11:25:44 -0500
Subject: [PATCH 76/78] Ticket 47627 - changelog iteration should ignore
cleaned rids when getting the minCSN
Description: If a change is not found in the change log the server will look for a min csn
to start the replay. This minCSN should not come from a cleaned RUV element.
https://fedorahosted.org/389/ticket/47627
Reviewed by: rmeggins & lkrispenz(Thanks!!)
(cherry picked from commit 9c6e9bb12327a2d50e651221614d34984b605427)
(cherry picked from commit 8004449ae206d0d417497324ffedf79ca9e25572)
---
ldap/servers/plugins/replication/cl5_api.c | 2 +-
ldap/servers/plugins/replication/repl5_ruv.c | 42 ++++++++++++++++++++++------
ldap/servers/plugins/replication/repl5_ruv.h | 3 ++
3 files changed, 37 insertions(+), 10 deletions(-)
diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
index 7bedc2c..064a628 100644
--- a/ldap/servers/plugins/replication/cl5_api.c
+++ b/ldap/servers/plugins/replication/cl5_api.c
@@ -5172,7 +5172,7 @@ static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consum
{
/* use the supplier min csn for the buffer start csn - we know
this csn is in our changelog */
- if ((RUV_SUCCESS == ruv_get_min_csn(supplierRuv, &startCSN)) &&
+ if ((RUV_SUCCESS == ruv_get_min_csn_ext(supplierRuv, &startCSN, 1 /* ignore cleaned rids */)) &&
startCSN)
{ /* must now free startCSN */
if (slapi_is_loglevel_set(SLAPI_LOG_REPL)) {
diff --git a/ldap/servers/plugins/replication/repl5_ruv.c b/ldap/servers/plugins/replication/repl5_ruv.c
index 7395195..dc83555 100644
--- a/ldap/servers/plugins/replication/repl5_ruv.c
+++ b/ldap/servers/plugins/replication/repl5_ruv.c
@@ -998,9 +998,9 @@ ruv_covers_csn_cleanallruv(const RUV *ruv, const CSN *csn)
* or max{maxcsns of all ruv elements} if get_the_max != 0.
*/
static int
-ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid)
+ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid, int ignore_cleaned_rid)
{
- int return_value;
+ int return_value = RUV_SUCCESS;
if (ruv == NULL || csn == NULL)
{
@@ -1012,6 +1012,7 @@ ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid
CSN *found = NULL;
RUVElement *replica;
int cookie;
+
slapi_rwlock_rdlock (ruv->lock);
for (replica = dl_get_first (ruv->elements, &cookie); replica;
replica = dl_get_next (ruv->elements, &cookie))
@@ -1028,6 +1029,10 @@ ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid
{
continue;
}
+ if(ignore_cleaned_rid && is_cleaned_rid(replica->rid)){
+ continue;
+ }
+
if(rid){ /* we are only interested in this rid's maxcsn */
if(replica->rid == rid){
found = replica->csn;
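Review bot: The `ignore_cleaned_rid` test runs before the `rid` match, so `ruv_get_rid_max_csn_ext()` called with the flag set for a rid that has been cleaned returns RUV_SUCCESS with `*csn == NULL`. Document that outcome so callers check the CSN as well as the return code (the cl5_api.c caller in this patch does test `startCSN`). `is_cleaned_rid()` is also called while `ruv->lock` is held for reading; confirm it takes no lock that is acquired in the opposite order elsewhere.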
@@ -1041,36 +1046,55 @@ ruv_get_min_or_max_csn(const RUV *ruv, CSN **csn, int get_the_max, ReplicaId rid
found = replica->csn;
}
}
- }
+ }
+
if (found == NULL)
{
- *csn = NULL;
+ *csn = NULL;
}
else
{
*csn = csn_dup (found);
}
slapi_rwlock_unlock (ruv->lock);
- return_value = RUV_SUCCESS;
}
return return_value;
}
int
-ruv_get_rid_max_csn(const RUV *ruv, CSN **csn, ReplicaId rid){
- return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, rid);
+ruv_get_rid_max_csn(const RUV *ruv, CSN **csn, ReplicaId rid)
+{
+ return ruv_get_rid_max_csn_ext(ruv, csn, rid, 0);
+}
+
+int
+ruv_get_rid_max_csn_ext(const RUV *ruv, CSN **csn, ReplicaId rid, int ignore_cleaned_rid)
+{
+ return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, rid, ignore_cleaned_rid);
}
int
ruv_get_max_csn(const RUV *ruv, CSN **csn)
{
- return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, 0 /* rid */);
+ return ruv_get_max_csn_ext(ruv, csn, 0);
+}
+
+int
+ruv_get_max_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid)
+{
+ return ruv_get_min_or_max_csn(ruv, csn, 1 /* get the max */, 0 /* rid */, ignore_cleaned_rid);
}
int
ruv_get_min_csn(const RUV *ruv, CSN **csn)
{
- return ruv_get_min_or_max_csn(ruv, csn, 0 /* get the min */, 0 /* rid */);
+ return ruv_get_min_csn_ext(ruv, csn, 0);
+}
+
+int
+ruv_get_min_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid)
+{
+ return ruv_get_min_or_max_csn(ruv, csn, 0 /* get the min */, 0 /* rid */, ignore_cleaned_rid);
}
int
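Review bot: `return_value` is now initialised to `RUV_SUCCESS` and the explicit assignment after `slapi_rwlock_unlock()` is removed, so any path that forgets to set it reports success by default. Initialising to an error value and assigning success once `*csn` has been set is the safer arrangement. The re-indented `}` and `*csn = NULL;` lines are whitespace-only changes that would be easier to review in a separate commit.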
diff --git a/ldap/servers/plugins/replication/repl5_ruv.h b/ldap/servers/plugins/replication/repl5_ruv.h
index 799dc7f..4593b84 100644
--- a/ldap/servers/plugins/replication/repl5_ruv.h
+++ b/ldap/servers/plugins/replication/repl5_ruv.h
@@ -123,8 +123,11 @@ PRBool ruv_covers_csn(const RUV *ruv, const CSN *csn);
PRBool ruv_covers_csn_strict(const RUV *ruv, const CSN *csn);
PRBool ruv_covers_csn_cleanallruv(const RUV *ruv, const CSN *csn);
int ruv_get_min_csn(const RUV *ruv, CSN **csn);
+int ruv_get_min_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid);
int ruv_get_max_csn(const RUV *ruv, CSN **csn);
+int ruv_get_max_csn_ext(const RUV *ruv, CSN **csn, int ignore_cleaned_rid);
int ruv_get_rid_max_csn(const RUV *ruv, CSN **csn, ReplicaId rid);
+int ruv_get_rid_max_csn_ext(const RUV *ruv, CSN **csn, ReplicaId rid, int ignore_cleaned_rid);
int ruv_enumerate_elements (const RUV *ruv, FNEnumRUV fn, void *arg);
int ruv_to_smod(const RUV *ruv, Slapi_Mod *smod);
int ruv_last_modified_to_smod(const RUV *ruv, Slapi_Mod *smod);
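Review bot: The three new `_ext` prototypes add an `ignore_cleaned_rid` parameter with no comment describing it. Add a short comment stating that a non-zero value skips RUV elements whose rid has been cleaned and that `*csn` may come back NULL as a result.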
--
1.8.1.4


@ -0,0 +1,61 @@
From 30144a9dabfe221cdded349078eaedf91cb53e88 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Sat, 14 Dec 2013 07:38:12 -0500
Subject: [PATCH 77/78] Ticket 47627 - Fix replication logging
We printed the same CSN for the missing CSN and the supplier min CSN because
we reused the same CSN pointer.
https://fedorahosted.org/389/ticket/47627
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 20cccf58108099cead2412a979e70e4f5972b806)
(cherry picked from commit ae3daa16783bab18f202a71b81177f4407dccdcd)
---
ldap/servers/plugins/replication/cl5_api.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/ldap/servers/plugins/replication/cl5_api.c b/ldap/servers/plugins/replication/cl5_api.c
index 064a628..abcc39a 100644
--- a/ldap/servers/plugins/replication/cl5_api.c
+++ b/ldap/servers/plugins/replication/cl5_api.c
@@ -5081,6 +5081,7 @@ static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consum
int i;
CSN **csns = NULL;
CSN *startCSN = NULL;
+ CSN *minCSN = NULL;
char csnStr [CSN_STRSIZE];
int rc = CL5_SUCCESS;
Object *supplierRuvObj = NULL;
@@ -5170,20 +5171,24 @@ static int _cl5PositionCursorForReplay (ReplicaId consumerRID, const RUV *consum
*/
if ((rc == DB_NOTFOUND) && !ruv_has_csns(file->purgeRUV))
{
+ char mincsnStr[CSN_STRSIZE];
+
/* use the supplier min csn for the buffer start csn - we know
this csn is in our changelog */
- if ((RUV_SUCCESS == ruv_get_min_csn_ext(supplierRuv, &startCSN, 1 /* ignore cleaned rids */)) &&
- startCSN)
+ if ((RUV_SUCCESS == ruv_get_min_csn_ext(supplierRuv, &minCSN, 1 /* ignore cleaned rids */)) &&
+ minCSN)
{ /* must now free startCSN */
if (slapi_is_loglevel_set(SLAPI_LOG_REPL)) {
- csn_as_string(startCSN, PR_FALSE, csnStr);
+ csn_as_string(startCSN, PR_FALSE, csnStr);
+ csn_as_string(minCSN, PR_FALSE, mincsnStr);
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl,
"%s: CSN %s not found and no purging, probably a reinit\n",
agmt_name, csnStr);
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl,
"%s: Will try to use supplier min CSN %s to load changelog\n",
- agmt_name, csnStr);
+ agmt_name, mincsnStr);
}
+ startCSN = minCSN;
rc = clcache_load_buffer (clcache, startCSN, DB_SET);
}
else
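Review bot: The retained comment `/* must now free startCSN */` is misleading after this change: the CSN allocated here is `minCSN`, and `startCSN` is overwritten with it afterwards. Make the ownership explicit, since before the assignment `startCSN` holds the CSN that was not found, and whatever frees it later must neither free a pointer it does not own nor lose the one it replaced. `startCSN` is declared as NULL at the top of the function, so `csn_as_string(startCSN, PR_FALSE, csnStr)` should be confirmed safe on every path that reaches this block.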
--
1.8.1.4


@ -0,0 +1,69 @@
From 31a7087a26c153ff3430a1028be34c64839d0fd0 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Wed, 8 Jan 2014 10:30:04 -0800
Subject: [PATCH 78/78] Ticket #447 - Possible to add invalid attribute to
nsslapd-allowed-to-delete-attrs
Bug description: If given value of nsslapd-allowed-to-delete-attrs are
all invalid attributes, e.g.,
nsslapd-allowed-to-delete-attrs: invalid0 invalid1
they were logged as invalid, but accidentally set to nsslapd-allowed-
to-delete-attrs.
Fix description: This patch checks the validation result and if there
are no valid attributes given to nsslapd-allowed-to-delete-attrs, it
issues a message in the error log:
nsslapd-allowed-to-delete-attrs: Given attributes are all invalid.
No effects.
and it returns an error. The modify operation fails with "DSA is
unwilling to perform".
https://fedorahosted.org/389/ticket/447
Reviewed by rmeggins@redhat.com (Thank you, Rich!)
(cherry picked from commit 31cd7a838aef30d80be6efe519cc2e821811c645)
(cherry picked from commit eab32225c129f6a5115bbd5ac2a3c2035f4393b2)
(cherry picked from commit c392aa891e67b8be189d3e354a179fc376998642)
---
ldap/servers/slapd/libglobs.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 64510d6..6df225d 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -6720,15 +6720,23 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value,
/* given value included unknown attribute,
* we need to re-create a value. */
/* reuse the duplicated string for the new attr value. */
- for (s = allowed, d = vcopy; s && *s; s++) {
- size_t slen = strlen(*s);
- memmove(d, *s, slen);
- d += slen;
- memmove(d, " ", 1);
- d++;
+ if (allowed && (NULL == *allowed)) {
+ /* all the values to allow to delete are invalid */
+ slapi_log_error(SLAPI_LOG_FATAL, "config",
+ "%s: Given attributes are all invalid. No effects.\n",
+ CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE);
+ return LDAP_NO_SUCH_ATTRIBUTE;
+ } else {
+ for (s = allowed, d = vcopy; s && *s; s++) {
+ size_t slen = strlen(*s);
+ memmove(d, *s, slen);
+ d += slen;
+ memmove(d, " ", 1);
+ d++;
+ }
+ *(d-1) = '\0';
+ strcpy(value, vcopy); /* original value needs to be refreshed */
}
- *(d-1) = '\0';
- strcpy(value, vcopy); /* original value needs to be refreshed */
} else {
slapi_ch_free_string(&vcopy);
vcopy = slapi_ch_strdup(value);
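Review bot: The new early `return LDAP_NO_SUCH_ATTRIBUTE;` leaves the function without releasing `allowed`, the array built for validation, so each rejected modify leaks it. Free it before returning. The commit message says the operation fails with "DSA is unwilling to perform", while the code returns LDAP_NO_SUCH_ATTRIBUTE; confirm the caller maps this as described or return the intended code directly.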
--
1.8.1.4


@ -0,0 +1,50 @@
From d30caf438689760dd4fce8dc914070daae47de72 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 13 Jan 2014 11:03:46 -0800
Subject: [PATCH 79/83] Ticket #47660 - config_set_allowed_to_delete_attrs:
Valgrind reports Invalid read
Description: There was a logic error in checking the availability of
a pointer. Before checking the contents of an address, the correctness
of the pointer needed to be checked.
Also, one memory leak was found in the error return case.
Note: these 2 issues were introduced by this commit:
commit 94b123780b21e503b78bceca9d60904206ef91fa
Trac Ticket #447 - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs
https://fedorahosted.org/389/ticket/47660
Reviewed by rmeggins@redhat.com (Thank you, Rich!)
(cherry picked from commit 1a788bf35a138d221f2bfb88d6da5fc5244d738c)
(cherry picked from commit 22c24f0d133cfcfc9f7457a84282d223ea3f6e25)
(cherry picked from commit 4aa849fa0a32d90e7d88574f35e1e17fbaf1034f)
---
ldap/servers/slapd/libglobs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 6df225d..bcf7db4 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -6704,7 +6704,7 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value,
int needcopy = 0;
allowed = slapi_str2charray_ext(vcopy, " ", 0);
for (s = allowed; s && *s; s++) ;
- for (--s; s && *s && (s >= allowed); s--) {
+ for (--s; s && (s >= allowed) && *s; s--) {
cgas = (struct config_get_and_set *)PL_HashTableLookup(confighash,
*s);
if (!cgas && PL_strcasecmp(*s, "aci") /* aci is an exception */) {
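Review bot: Reordering the condition fixes the read of `*s` before the bounds test, but `--s` still executes before any check. If `slapi_str2charray_ext()` returns NULL, `s` is NULL, the decrement produces an invalid pointer, and both `s` and `(s >= allowed)` pass, so `*s` is read; for an empty array the decrement moves `s` below `allowed`, which is undefined pointer arithmetic. Test `allowed` (and that the array is non-empty) before entering the loop, or iterate with an index.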
@@ -6725,6 +6725,7 @@ config_set_allowed_to_delete_attrs( const char *attrname, char *value,
slapi_log_error(SLAPI_LOG_FATAL, "config",
"%s: Given attributes are all invalid. No effects.\n",
CONFIG_ALLOWED_TO_DELETE_ATTRIBUTE);
+ slapi_ch_array_free(allowed);
return LDAP_NO_SUCH_ATTRIBUTE;
} else {
for (s = allowed, d = vcopy; s && *s; s++) {
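Review bot: `slapi_ch_array_free(allowed)` covers the array, but `vcopy`, the duplicated value string the array was split from, does not appear to be released on this return path either. Free it here as well, or route the error through a single cleanup label so both are released in one place.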
--
1.8.1.4


@ -0,0 +1,208 @@
From f649d36ecf04926704add30a9f3179bd862de4c1 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Thu, 16 Jan 2014 15:21:28 -0500
Subject: [PATCH 80/83] Ticket 408 - Fix crash when disabling/enabling the
setting
Bug Description: Enabling/disabling can lead to crash as the setting
was not designed to be dynamically updated.
Fix Description: Do not use the actual config setting to determine if the
cache is enabled. Instead we record when the cache is
initialized. The server still needs to be restarted for
the config change to take effect.
Also freed the cache at server shutdown.
https://fedorahosted.org/389/ticket/408
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 03c90f04065059ee310e9fa7d98228e0aa39fa50)
(cherry picked from commit 50ad64a442495810a84558c6c17dcc2263b815b6)
(cherry picked from commit e0d85bead832c6aa7a2ec01157ab786a53fb5272)
---
ldap/servers/slapd/back-ldbm/monitor.c | 2 +-
ldap/servers/slapd/dn.c | 93 +++++++++++++++++++++++++++-------
ldap/servers/slapd/main.c | 1 +
ldap/servers/slapd/slapi-private.h | 2 +
4 files changed, 78 insertions(+), 20 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/monitor.c b/ldap/servers/slapd/back-ldbm/monitor.c
index 3427809..409c771 100644
--- a/ldap/servers/slapd/back-ldbm/monitor.c
+++ b/ldap/servers/slapd/back-ldbm/monitor.c
@@ -146,7 +146,7 @@ int ldbm_back_monitor_instance_search(Slapi_PBlock *pb, Slapi_Entry *e,
MSET("maxDnCacheCount");
}
/* normalized dn cache stats */
- if(config_get_ndn_cache_enabled()){
+ if(ndn_cache_started()){
ndn_cache_get_stats(&hits, &tries, &size, &maxsize, &count);
sprintf(buf, "%" NSPRIu64, (long long unsigned int)tries);
MSET("normalizedDnCacheTries");
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index 9530b84..1eab631 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -103,6 +103,7 @@ static void ndn_cache_update_lru(struct ndn_cache_lru **node);
static void ndn_cache_add(char *dn, size_t dn_len, char *ndn, size_t ndn_len);
static void ndn_cache_delete(char *dn);
static void ndn_cache_flush();
+static void ndn_cache_free();
static int ndn_started = 0;
static PRLock *lru_lock = NULL;
static Slapi_RWLock *ndn_cache_lock = NULL;
@@ -2751,7 +2752,7 @@ ndn_hash_string(const void *key)
void
ndn_cache_init()
{
- if(!config_get_ndn_cache_enabled()){
+ if(!config_get_ndn_cache_enabled() || ndn_started){
return;
}
ndn_cache_hashtable = PL_NewHashTable( NDN_CACHE_BUCKETS, ndn_hash_string, PL_CompareStrings, PL_CompareValues, 0, 0);
@@ -2764,24 +2765,49 @@ ndn_cache_init()
ndn_cache->cache_size = sizeof(struct ndn_cache_ctx) + sizeof(PLHashTable) + sizeof(PLHashTable);
ndn_cache->head = NULL;
ndn_cache->tail = NULL;
-
+ ndn_started = 1;
if ( NULL == ( lru_lock = PR_NewLock()) || NULL == ( ndn_cache_lock = slapi_new_rwlock())) {
- char *errorbuf = NULL;
- if(ndn_cache_hashtable){
- PL_HashTableDestroy(ndn_cache_hashtable);
- }
- ndn_cache_hashtable = NULL;
- config_set_ndn_cache_enabled(CONFIG_NDN_CACHE, "off", errorbuf, 1 );
- slapi_counter_destroy(&ndn_cache->cache_hits);
- slapi_counter_destroy(&ndn_cache->cache_tries);
- slapi_counter_destroy(&ndn_cache->cache_misses);
- slapi_ch_free((void **)&ndn_cache);
+ ndn_cache_destroy();
slapi_log_error( SLAPI_LOG_FATAL, "ndn_cache_init", "Failed to create locks. Disabling cache.\n" );
- } else {
- ndn_started = 1;
}
}
+void
+ndn_cache_destroy()
+{
+ char *errorbuf = NULL;
+
+ if(!ndn_started){
+ return;
+ }
+ if(lru_lock){
+ PR_DestroyLock(lru_lock);
+ lru_lock = NULL;
+ }
+ if(ndn_cache_lock){
+ slapi_destroy_rwlock(ndn_cache_lock);
+ ndn_cache_lock = NULL;
+ }
+ if(ndn_cache_hashtable){
+ ndn_cache_free();
+ PL_HashTableDestroy(ndn_cache_hashtable);
+ ndn_cache_hashtable = NULL;
+ }
+ config_set_ndn_cache_enabled(CONFIG_NDN_CACHE, "off", errorbuf, 1 );
+ slapi_counter_destroy(&ndn_cache->cache_hits);
+ slapi_counter_destroy(&ndn_cache->cache_tries);
+ slapi_counter_destroy(&ndn_cache->cache_misses);
+ slapi_ch_free((void **)&ndn_cache);
+
+ ndn_started = 0;
+}
+
+int
+ndn_cache_started()
+{
+ return ndn_started;
+}
+
/*
* Look up this dn in the ndn cache
*/
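Review bot: `ndn_started = 1` is now set before `lru_lock` and `ndn_cache_lock` are created, so any thread that checks `ndn_started` in that window sees the cache as usable while both locks are still NULL. Set the flag only after the locks exist and let `ndn_cache_destroy()` handle a partially built cache some other way than relying on the flag. `ndn_cache_destroy()` also calls `config_set_ndn_cache_enabled()` with "off" and a NULL `errorbuf`, and since it now runs on every shutdown from main(), confirm that this does not persist and disable the cache on the next start.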
@@ -2994,19 +3020,48 @@ ndn_cache_flush()
slapi_log_error( SLAPI_LOG_CACHE, "ndn_cache_flush","Flushed cache.\n");
}
+static void
+ndn_cache_free()
+{
+ struct ndn_cache_lru *node, *next, *flush_node;
+
+ if(!ndn_cache){
+ return;
+ }
+
+ node = ndn_cache->tail;
+ while(ndn_cache->cache_count){
+ flush_node = node;
+ /* update the lru */
+ next = node->prev;
+ if(next){
+ next->next = NULL;
+ }
+ ndn_cache->tail = next;
+ node = next;
+ /* now update the hash */
+ ndn_cache->cache_count--;
+ ndn_cache_delete(flush_node->key);
+ slapi_ch_free_string(&flush_node->key);
+ slapi_ch_free((void **)&flush_node);
+ }
+}
+
/* this is already "write" locked from ndn_cache_add */
static void
ndn_cache_delete(char *dn)
{
- struct ndn_hash_val *ht_val;
+ struct ndn_hash_val *ht_entry;
- ht_val = (struct ndn_hash_val *)PL_HashTableLookupConst(ndn_cache_hashtable, dn);
- if(ht_val){
- ndn_cache->cache_size -= ht_val->size;
- slapi_ch_free_string(&ht_val->ndn);
+ ht_entry = (struct ndn_hash_val *)PL_HashTableLookupConst(ndn_cache_hashtable, dn);
+ if(ht_entry){
+ ndn_cache->cache_size -= ht_entry->size;
+ slapi_ch_free_string(&ht_entry->ndn);
+ slapi_ch_free((void **)&ht_entry);
PL_HashTableRemove(ndn_cache_hashtable, dn);
}
}
+
/* stats for monitor */
void
ndn_cache_get_stats(PRUint64 *hits, PRUint64 *tries, size_t *size, size_t *max_size, long *count)
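Review bot: In `ndn_cache_free()` the loop is driven by `ndn_cache->cache_count` but dereferences `node->prev` without checking `node`; if the count and the LRU list ever disagree this is a NULL dereference at shutdown. Loop on `node != NULL` instead. In `ndn_cache_delete()` the entry is now freed before `PL_HashTableRemove()` is called with `dn`; confirm the table's stored key does not point into the freed entry, or remove first and free afterwards.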
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index a17a2c5..ad8dd83 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -1280,6 +1280,7 @@ main( int argc, char **argv)
cleanup:
SSL_ShutdownServerSessionIDCache();
SSL_ClearSessionCache();
+ ndn_cache_destroy();
NSS_Shutdown();
PR_Cleanup();
#ifdef _WIN32
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 194f3fd..eaa5f98 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -392,6 +392,8 @@ Slapi_DN *slapi_sdn_init_normdn_passin(Slapi_DN *sdn, const char *dn);
char *slapi_dn_normalize_original( char *dn );
char *slapi_dn_normalize_case_original( char *dn );
void ndn_cache_init();
+void ndn_cache_destroy();
+int ndn_cache_started();
void ndn_cache_get_stats(PRUint64 *hits, PRUint64 *tries, size_t *size, size_t *max_size, long *count);
#define NDN_DEFAULT_SIZE 20971520 /* 20mb - size of normalized dn cache */
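Review bot: `void ndn_cache_destroy();` and `int ndn_cache_started();` are declared with empty parentheses, which in C leaves the parameter list unspecified; declare them with `(void)`. A one-line comment that `ndn_cache_started()` reflects whether the cache was initialised, not the current config value, would help callers such as the monitor code.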
--
1.8.1.4


@ -0,0 +1,120 @@
From 5a79c1ecc7e706202a2a668e6cb12624f302ed35 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 17 Jan 2014 15:13:21 -0500
Subject: [PATCH 81/83] Ticket 47620 - Unable to delete protocol timeout
attribute
Bug Description: Attempting to delete nsds5ReplicaProtocolTimeout from a replication
agreement unexpectedly fails with an error 53.
Fix Description: The previous delete operation check was in the wrong location, and the
delete operation was treated as a modify - which then triggered the
error 53. Added the correct check for the delete operation.
Also removed some old code for a CLEANALLRUV attribute that was never
implemented.
https://fedorahosted.org/389/ticket/47620
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 9c41a365e8fbd23cab28eb91f50cdce696a30730)
(cherry picked from commit 77380161e9e04f64a431dd35ce4b4c45ed01cae5)
---
ldap/servers/plugins/replication/repl5.h | 1 -
ldap/servers/plugins/replication/repl5_agmtlist.c | 46 +++++++++++------------
ldap/servers/plugins/replication/repl_globals.c | 1 -
3 files changed, 22 insertions(+), 26 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index 321a285..655e8ba 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -167,7 +167,6 @@ extern const char *type_nsds5ReplicaBusyWaitTime;
extern const char *type_nsds5ReplicaSessionPauseTime;
extern const char *type_nsds5ReplicaEnabled;
extern const char *type_nsds5ReplicaStripAttrs;
-extern const char *type_nsds5ReplicaCleanRUVnotified;
extern const char *type_replicaProtocolTimeout;
extern const char *type_replicaBackoffMin;
extern const char *type_replicaBackoffMax;
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index 9e0291f..0edf28a 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -254,15 +254,6 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
the replication plugin - handled above */
if (mods[i]->mod_op & LDAP_MOD_DELETE)
{
- if(strcasecmp (mods[i]->mod_type, type_nsds5ReplicaCleanRUVnotified) == 0 ){
- /* allow the deletion of cleanallruv agmt attr */
- continue;
- }
- if(strcasecmp (mods[i]->mod_type, type_replicaProtocolTimeout) == 0){
- agmt_set_protocol_timeout(agmt, 0);
- continue;
- }
-
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"deletion of %s attribute is not allowed\n", type_nsds5ReplicaInitialize);
*returncode = LDAP_UNWILLING_TO_PERFORM;
@@ -505,23 +496,30 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
}
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){
- long ptimeout = 0;
-
- if (val){
- ptimeout = atol(val);
+ if (mods[i]->mod_op & LDAP_MOD_DELETE)
+ {
+ agmt_set_protocol_timeout(agmt, 0);
}
- if(ptimeout <= 0){
- *returncode = LDAP_UNWILLING_TO_PERFORM;
- PR_snprintf (returntext, SLAPI_DSE_RETURNTEXT_SIZE,
- "attribute %s value (%s) is invalid, must be a number greater than zero.\n",
- type_replicaProtocolTimeout, val ? val : "");
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, "
- "must be a number greater than zero.\n",
- type_replicaProtocolTimeout, val ? val : "");
- rc = SLAPI_DSE_CALLBACK_ERROR;
- break;
+ else
+ {
+ long ptimeout = 0;
+
+ if (val){
+ ptimeout = atol(val);
+ }
+ if(ptimeout <= 0){
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ PR_snprintf (returntext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "attribute %s value (%s) is invalid, must be a number greater than zero.\n",
+ type_replicaProtocolTimeout, val ? val : "");
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "attribute %s value (%s) is invalid, "
+ "must be a number greater than zero.\n",
+ type_replicaProtocolTimeout, val ? val : "");
+ rc = SLAPI_DSE_CALLBACK_ERROR;
+ break;
+ }
+ agmt_set_protocol_timeout(agmt, ptimeout);
}
- agmt_set_protocol_timeout(agmt, ptimeout);
}
else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e))
{
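Review bot: In the new else branch for type_replicaProtocolTimeout, a modify that carries no value still reaches `ptimeout <= 0` and is rejected with LDAP_UNWILLING_TO_PERFORM. The `val ? val : ""` fallback shows val can be NULL here, so only an explicit LDAP_MOD_DELETE resets the timeout. If a replace with an empty value list should also clear the setting, treat a NULL val like the delete case and call agmt_set_protocol_timeout(agmt, 0). Separately, atol(val) accepts input such as "30abc" and does not report overflow; strtol with an end pointer and an errno check would let the existing error text reject those values too.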
diff --git a/ldap/servers/plugins/replication/repl_globals.c b/ldap/servers/plugins/replication/repl_globals.c
index 7dfeb9b..305ed25 100644
--- a/ldap/servers/plugins/replication/repl_globals.c
+++ b/ldap/servers/plugins/replication/repl_globals.c
@@ -133,7 +133,6 @@ const char *type_nsds5ReplicaBusyWaitTime = "nsds5ReplicaBusyWaitTime";
const char *type_nsds5ReplicaSessionPauseTime = "nsds5ReplicaSessionPauseTime";
const char *type_nsds5ReplicaEnabled = "nsds5ReplicaEnabled";
const char *type_nsds5ReplicaStripAttrs = "nsds5ReplicaStripAttrs";
-const char *type_nsds5ReplicaCleanRUVnotified = "nsds5ReplicaCleanRUVNotified";
/* windows sync specific attributes */
const char *type_nsds7WindowsReplicaArea = "nsds7WindowsReplicaSubtree";
--
1.8.1.4

View file

@ -0,0 +1,92 @@
From 029e230581a4b8e955db01dd0735f1ad9db521ac Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Thu, 16 Jan 2014 12:57:22 -0700
Subject: [PATCH 82/83] Ticket #47516 replication stops with excessive clock
skew
https://fedorahosted.org/389/ticket/47516
Reviewed by: nhosoi (Thanks!)
Branch: 389-ds-base-1.3.1
Fix Description: The previous fix was not adequate. Instead, the determination
of whether or not to ignore time skew should be determined in
csngen_adjust_time().
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: yes - document new config param
(cherry picked from commit 9f2b104b0938b21d7c9fe37c736d0e6328843aeb)
(cherry picked from commit a6ec074c6295a59938f313b4fe09430e8f601fab)
(cherry picked from commit 51c1b2a0e4245b90f418f9f909c1d17c564f77f3)
---
ldap/servers/plugins/replication/repl_extop.c | 11 ++---------
ldap/servers/slapd/csngen.c | 8 ++++++--
2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c
index 57249a6..35014a9 100644
--- a/ldap/servers/plugins/replication/repl_extop.c
+++ b/ldap/servers/plugins/replication/repl_extop.c
@@ -835,19 +835,12 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb)
rc = replica_update_csngen_state_ext (replica, supplier_ruv, replicacsn); /* too much skew */
if (rc == CSN_LIMIT_EXCEEDED)
{
- extern int config_get_ignore_time_skew();
-
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
"conn=%" NSPRIu64 " op=%d repl=\"%s\": "
"Excessive clock skew from supplier RUV\n",
(long long unsigned int)connid, opid, repl_root);
- if (!config_get_ignore_time_skew()) {
- response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW;
- goto send_response;
- } else {
- /* else just continue */
- rc = 0;
- }
+ response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW;
+ goto send_response;
}
else if (rc != 0)
{
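Review bot: With the config_get_ignore_time_skew() test removed from the CSN_LIMIT_EXCEEDED branch, nothing at this call site says that the ignore-time-skew setting is still honoured. A one-line comment here stating that the decision now lives in csngen_adjust_time() would keep a later reader from reintroducing the check in this function.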
diff --git a/ldap/servers/slapd/csngen.c b/ldap/servers/slapd/csngen.c
index 464a59e..f87f2d1 100644
--- a/ldap/servers/slapd/csngen.c
+++ b/ldap/servers/slapd/csngen.c
@@ -326,6 +326,8 @@ int csngen_adjust_time(CSNGen *gen, const CSN* csn)
time_t remote_time, remote_offset, cur_time;
PRUint16 remote_seqnum;
int rc;
+ extern int config_get_ignore_time_skew();
+ int ignore_time_skew = config_get_ignore_time_skew();
if (gen == NULL || csn == NULL)
return CSN_INVALID_PARAMETER;
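Review bot: The block-scope declaration `extern int config_get_ignore_time_skew();` in csngen_adjust_time() has an empty parameter list and is repeated in _csngen_adjust_local_time(), so the compiler cannot check either call against the real definition. Declare it once as `int config_get_ignore_time_skew(void);` in a shared header and include that here. The setting is also read before the `gen == NULL || csn == NULL` check; reading it after the parameter check avoids the config lookup on the invalid-parameter path.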
@@ -380,7 +382,7 @@ int csngen_adjust_time(CSNGen *gen, const CSN* csn)
remote_offset = remote_time - cur_time;
if (remote_offset > gen->state.remote_offset)
{
- if (remote_offset <= CSN_MAX_TIME_ADJUST)
+ if (ignore_time_skew || (remote_offset <= CSN_MAX_TIME_ADJUST))
{
gen->state.remote_offset = remote_offset;
}
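Review bot: With ignore_time_skew set, the condition `ignore_time_skew || (remote_offset <= CSN_MAX_TIME_ADJUST)` stores any remote_offset, however large, into gen->state.remote_offset without a log line. A peer with a badly wrong clock can then move this generator's offset arbitrarily far forward and nothing records it. Log a warning when remote_offset exceeds CSN_MAX_TIME_ADJUST and is accepted only because of the override, so the skew stays visible to operators.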
@@ -651,6 +653,8 @@ _csngen_cmp_callbacks (const void *el1, const void *el2)
static int
_csngen_adjust_local_time (CSNGen *gen, time_t cur_time)
{
+ extern int config_get_ignore_time_skew();
+ int ignore_time_skew = config_get_ignore_time_skew();
time_t time_diff = cur_time - gen->state.sampled_time;
if (time_diff == 0) {
@@ -714,7 +718,7 @@ _csngen_adjust_local_time (CSNGen *gen, time_t cur_time)
gen->state.remote_offset);
}
- if (abs (time_diff) > CSN_MAX_TIME_ADJUST)
+ if (!ignore_time_skew && (abs (time_diff) > CSN_MAX_TIME_ADJUST))
{
slapi_log_error (SLAPI_LOG_FATAL, NULL, "_csngen_adjust_local_time: "
"adjustment limit exceeded; value - %d, limit - %d\n",
--
1.8.1.4

View file

@ -0,0 +1,36 @@
From 4730b81cfda96b8825ad0b01df2e89024f31b634 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 16 Jan 2014 11:06:22 -0800
Subject: [PATCH 83/83] Ticket #342 - better error message when cache overflows
Description: commit 892bf12c1bb8b10afea3d6ff711059bf04e362cc
introduced an invalid memory read/write. This patch prepares one
extra aclpblock for the acl cache overflow.
https://fedorahosted.org/389/ticket/342
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 3fee1fc829a4a9573d087d1ead3c949239e5e914)
(cherry picked from commit fe75b11cad371890482b7f394384083dc1b0fd70)
(cherry picked from commit aec20501db3a33df0bc151371cdec334c62af4b0)
---
ldap/servers/plugins/acl/acl_ext.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index e42a7e2..ee2dd0f 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -717,7 +717,8 @@ acl__malloc_aclpb ( )
/* allocate arrays for result cache */
aclpb->aclpb_cache_result = (r_cache_t *)
- slapi_ch_calloc (aclpb_max_cache_results, sizeof (r_cache_t));
+ slapi_ch_calloc (aclpb_max_cache_results + 1 /* 1 for cache overflow warning */,
+ sizeof (r_cache_t));
/* allocate arrays for target handles in eval_context */
aclpb->aclpb_curr_entryEval_context.acle_handles_matched_target = (int *)
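Review bot: The extra element in `slapi_ch_calloc (aclpb_max_cache_results + 1 ...)` fixes the size at this one allocation, but the code that writes the overflow slot is not part of this hunk and nothing ties the two together. Any other place that sizes, clears or copies aclpb_cache_result using aclpb_max_cache_results alone will still be one element short. Consider a named macro for the allocated length and use it at every such site, or add a bounds check at the write so the array needs no spare slot.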
--
1.8.1.4

View file

@ -0,0 +1,122 @@
From 84a58b65db55c914a800b0fb31d538bc691c2b13 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 23 Jan 2014 18:07:56 -0800
Subject: [PATCH 84/85] Ticket #443 - Deleting attribute present in
nsslapd-allowed-to-delete-attrs returns Operations error
Description: commit 90dd9bb3c1411daca353d055d90618e67aa1fa7e introduced
an Invalid read/write. The commit meant to allow "on" and "off" as well
as integer 0 and 1 in on/off type of config parameters. This patch converts
the integers to "on" or "off" and pass it to config set function.
https://fedorahosted.org/389/ticket/443
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit c52987d295a9f4a091568d02679765f3a83beb69)
(cherry picked from commit 4266657727fc71afbb6b4f21886ebd86a68b2ed2)
(cherry picked from commit d68dc3235d04caf3736d3587801a3c96cfebccb6)
---
ldap/servers/slapd/libglobs.c | 54 +++++++++++++++++++++++++------------------
1 file changed, 31 insertions(+), 23 deletions(-)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index bcf7db4..8bd4978 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -3176,8 +3176,7 @@ config_set_security( const char *attrname, char *value, char *errorbuf, int appl
}
static int
-config_set_onoff ( const char *attrname, char *value, int *configvalue,
- char *errorbuf, int apply )
+config_set_onoff(const char *attrname, char *value, int *configvalue, char *errorbuf, int apply)
{
int retVal = LDAP_SUCCESS;
slapi_onoff_t newval = -1;
@@ -3185,33 +3184,27 @@ config_set_onoff ( const char *attrname, char *value, int *configvalue,
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
#endif
- if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
- return LDAP_OPERATIONS_ERROR;
+ if ( config_value_is_null( attrname, value, errorbuf, 1 )) {
+ return LDAP_OPERATIONS_ERROR;
}
CFG_ONOFF_LOCK_WRITE(slapdFrontendConfig);
- if ( strcasecmp ( value, "on" ) != 0 &&
- strcasecmp ( value, "off") != 0 &&
- /* initializing the value */
- (*(int *)value != LDAP_ON) &&
- (*(int *)value != LDAP_OFF)) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\". Valid values are \"on\" or \"off\".",
- attrname, value );
- retVal = LDAP_OPERATIONS_ERROR;
+ if (strcasecmp(value, "on") && strcasecmp(value, "off")) {
+ PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ "%s: invalid value \"%s\". Valid values are \"on\" or \"off\".",
+ attrname, value );
+ retVal = LDAP_OPERATIONS_ERROR;
}
if ( !apply ) {
- /* we can return now if we aren't applying the changes */
- return retVal;
+ /* we can return now if we aren't applying the changes */
+ return retVal;
}
if ( strcasecmp ( value, "on" ) == 0 ) {
- newval = LDAP_ON;
+ newval = LDAP_ON;
} else if ( strcasecmp ( value, "off" ) == 0 ) {
- newval = LDAP_OFF;
- } else { /* assume it is an integer */
- newval = *(slapi_onoff_t *)value;
+ newval = LDAP_OFF;
}
#ifdef ATOMIC_GETSET_ONOFF
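Review bot: When apply is set and value is neither "on" nor "off", retVal becomes LDAP_OPERATIONS_ERROR but execution continues past the `if ( !apply )` return with newval still at its initial -1, because the final else that used to assign it is gone. Unless the code after the #ifdef tests retVal before storing, -1 ends up in *configvalue. Return right after the validation failure (releasing whatever CFG_ONOFF_LOCK_WRITE took), or guard the store with `retVal == LDAP_SUCCESS`. The hunk also mixes re-indentation with the logic change, which makes the functional lines harder to pick out.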
@@ -7000,6 +6993,18 @@ config_get_listen_backlog_size()
return retVal;
}
+static char *
+config_initvalue_to_onoff(struct config_get_and_set *cgas, char *initvalbuf, size_t initvalbufsize)
+{
+ char *retval = NULL;
+ if (cgas->config_var_type == CONFIG_ON_OFF) {
+ slapi_onoff_t *ival = (slapi_onoff_t *)(intptr_t)cgas->initvalue;
+ PR_snprintf(initvalbuf, initvalbufsize, "%s", (ival && *ival) ? "on" : "off");
+ retval = initvalbuf;
+ }
+ return retval;
+}
+
/*
* This function is intended to be used from the dse code modify callback. It
* is "optimized" for that case because it takes a berval** of values, which is
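Review bot: config_initvalue_to_onoff() has no comment describing its contract: it returns NULL for any config_var_type other than CONFIG_ON_OFF, and a NULL initvalue is silently reported as "off". Document both, since the caller hands the result straight to a set function. The cast `(slapi_onoff_t *)(intptr_t)cgas->initvalue` also deserves a word on why the detour through intptr_t is needed.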
@@ -7048,12 +7053,15 @@ config_set(const char *attr, struct berval **values, char *errorbuf, int apply)
default:
if ((NULL == values) &&
config_allowed_to_delete_attrs(cgas->attr_name)) {
+ char initvalbuf[64];
+ void *initval = cgas->initvalue;
+ if (cgas->config_var_type == CONFIG_ON_OFF) {
+ initval = (void *)config_initvalue_to_onoff(cgas, initvalbuf, sizeof(initvalbuf));
+ }
if (cgas->setfunc) {
- retval = (cgas->setfunc)(cgas->attr_name, cgas->initvalue,
- errorbuf, apply);
+ retval = (cgas->setfunc)(cgas->attr_name, initval, errorbuf, apply);
} else if (cgas->logsetfunc) {
- retval = (cgas->logsetfunc)(cgas->attr_name, cgas->initvalue,
- cgas->whichlog, errorbuf, apply);
+ retval = (cgas->logsetfunc)(cgas->attr_name, initval, cgas->whichlog, errorbuf, apply);
} else {
LDAPDebug1Arg(LDAP_DEBUG_ANY,
"config_set: the attribute %s is read only; "
--
1.8.1.4

View file

@ -0,0 +1,173 @@
From f86b7bd86945df33843e90a7ac84d5967a7e7e82 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri, 24 Jan 2014 18:12:32 -0800
Subject: [PATCH 85/85] Ticket #47649 - Server hangs in cos_cache when adding a
user entry
Bug description: cos_dn_defs_cb reads cosDefinition and sets up the cos
Definition part of cos cache. In the function, when processing
cosAttribute, cosTargetTree and cosTemplateDn are missing, it sets the
parent dn of the cos definition dn. This parent setting is needed only
when the 2 attributes are completely missing from the cos definition.
But if the attributes are located below cosAttribute (see the Example
cos definition), in addition to "cn=cosTemplates,ou=people,dc=example,
dc=com", the parent of "cn=generatePostalCode,ou=People,dc=example,dc=com"
is added to the cos cache as cosTemplateDn.
Example cos definition:
dn: cn=generatePostalCode,ou=People,dc=example,dc=com
description: generate postalCode attr based on location
objectClass: top
objectClass: ldapsubentry
objectClass: cossuperdefinition
objectClass: cosClassicDefinition
cosAttribute: postalCode
costemplatedn: cn=cosTemplates,ou=people,dc=example,dc=com
cosSpecifier: l
cn: generatePostalCode
The mistakenly added cosTemplateDn makes adding an entry under ou=People
notify recreating the cos cache. The notification needs to be outside of
backend transaction since it causes a deadlock with the cos_cache_wait_
on_change thread which cannot read the DB due to the transaction but holds
the lock that the notifier thread is waiting for.
Fix description: The parent of the cos definition dn is set to the
cosTargetTree and the cosTemplateDn, only when the attributes are
completely missing.
https://fedorahosted.org/389/ticket/47649
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 1e52401d3abd0377f55676f4a1508a02aaa7f955)
(cherry picked from commit 01c0794cde7eb91a1a4e477a0286533df4a4ae38)
(cherry picked from commit 1ebad4bd50fb1483998a32b5d3e232e89aeda0f7)
---
ldap/servers/plugins/cos/cos_cache.c | 82 +++++++++++++++++++++---------------
1 file changed, 48 insertions(+), 34 deletions(-)
diff --git a/ldap/servers/plugins/cos/cos_cache.c b/ldap/servers/plugins/cos/cos_cache.c
index fed2aa9..a68e59f 100644
--- a/ldap/servers/plugins/cos/cos_cache.c
+++ b/ldap/servers/plugins/cos/cos_cache.c
@@ -727,7 +727,8 @@ struct dn_defs_info {
* if a particular attempt to add a definition fails: info.ret gets set to
* zero only if we succed to add a def.
*/
-static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
+static int
+cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
{
struct dn_defs_info *info;
cosAttrValue **pSneakyVal = 0;
@@ -877,31 +878,10 @@ static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
dnVals[valIndex]->bv_val);
}
- if(!pCosTargetTree)
- {
- /* get the parent of the definition */
- char *orig = slapi_dn_parent(pDn->val);
- Slapi_DN *psdn = slapi_sdn_new_dn_byval(orig);
- char *parent = (char *)slapi_sdn_get_dn(psdn);
- if (!parent) {
- parent = (char *)slapi_sdn_get_udn(psdn);
- LDAPDebug(LDAP_DEBUG_ANY,
- "cos_cache_build_definition_list: "
- "failed to normalize parent dn %s. "
- "Adding the pre normalized dn.\n",
- parent, 0, 0);
- }
- cos_cache_add_attrval(&pCosTargetTree, parent);
- if (!pCosTemplateDn) {
- cos_cache_add_attrval(&pCosTemplateDn, parent);
- }
- slapi_sdn_free(&psdn);
- }
-
slapi_vattrspi_regattr((vattr_sp_handle *)vattr_handle,
dnVals[valIndex]->bv_val, NULL, NULL);
} /* if(attrType is cosAttribute) */
-
+
/*
* Add the attributetype to the appropriate
* list.
@@ -913,6 +893,47 @@ static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
ber_bvecfree( dnVals );
dnVals = NULL;
} while(!slapi_entry_next_attr(e, dnAttr, &dnAttr));
+
+ if (pCosAttribute && (!pCosTargetTree || !pCosTemplateDn)) {
+ /* get the parent of the definition */
+ char *orig = slapi_dn_parent(pDn->val);
+ char *parent = NULL;
+ if (orig) {
+ parent = slapi_create_dn_string("%s", orig);
+ if (!parent) {
+ parent = orig;
+ LDAPDebug1Arg(LDAP_DEBUG_ANY,
+ "cos_dn_defs_cb: "
+ "failed to normalize parent dn %s. "
+ "Adding the pre normalized dn.\n",
+ parent);
+ }
+ if (!pCosTargetTree) {
+ cos_cache_add_attrval(&pCosTargetTree, parent);
+ }
+ if (!pCosTemplateDn) {
+ cos_cache_add_attrval(&pCosTemplateDn, parent);
+ }
+ if (parent != orig) {
+ slapi_ch_free_string(&parent);
+ }
+ slapi_ch_free_string(&orig);
+ } else {
+ LDAPDebug1Arg(LDAP_DEBUG_ANY,
+ "cos_dn_defs_cb: "
+ "failed to get parent dn of cos definition %s.\n",
+ pDn->val);
+ if (!pCosTemplateDn) {
+ if (!pCosTargetTree) {
+ LDAPDebug0Args(LDAP_DEBUG_ANY, "cosTargetTree and cosTemplateDn are not set.\n");
+ } else {
+ LDAPDebug0Args(LDAP_DEBUG_ANY, "cosTemplateDn is not set.\n");
+ }
+ } else if (!pCosTargetTree) {
+ LDAPDebug0Args(LDAP_DEBUG_ANY, "cosTargetTree is not set.\n");
+ }
+ }
+ }
/*
determine the type of class of service scheme
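Review bot: pDn is dereferenced in `slapi_dn_parent(pDn->val)` in the new block after the attribute loop, yet the validation further down still tests `pDn &&`; if pDn can be NULL at this point, the block needs the same guard in its opening condition. The branch taken when slapi_dn_parent() returns NULL only logs and falls through with pCosTargetTree and/or pCosTemplateDn unset, so add a comment saying that the later "these must exist" validation is what rejects such a definition, or fail explicitly here. The three nested LDAPDebug0Args calls could be one message that names the missing attributes.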
@@ -951,9 +972,7 @@ static int cos_dn_defs_cb (Slapi_Entry* e, void *callback_data)
*/
/* these must exist */
- if( pDn &&
- pObjectclass &&
-
+ if(pDn && pObjectclass &&
(
(cosType == COSTYPE_CLASSIC &&
pCosTemplateDn &&
@@ -3582,14 +3601,9 @@ static int cos_cache_entry_is_cos_related( Slapi_Entry *e) {
{
pObj = (char*)slapi_value_get_string(val);
- /*
- * objectclasses are ascii--maybe strcasecmp() is faster than
- * slapi_utf8casecmp()
- */
- if( !strcasecmp(pObj, "cosdefinition") ||
- !strcasecmp(pObj, "cossuperdefinition") ||
- !strcasecmp(pObj, "costemplate")
- )
+ if(!strcasecmp(pObj, "cosdefinition") ||
+ !strcasecmp(pObj, "cossuperdefinition") ||
+ !strcasecmp(pObj, "costemplate"))
{
rc = 1;
}
--
1.8.1.4

View file

@ -0,0 +1,82 @@
From 9b1e2d02e20f270aed32f05210d207398ae0f7a1 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Fri, 31 Jan 2014 14:21:59 -0700
Subject: [PATCH 86/87] Ticket #47374 - flush.pl is not included in perl5
https://fedorahosted.org/389/ticket/47374
Reviewed by: nhosoi (Thanks!)
Branch: rhel-7.0
Fix Description: Change opt_b to BeginNum and opt_r to Random_Seed.
Have to specify option as j=i because -j has an integer argument.
Get rid of opt_j and use ZeroPad instead.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit f9ba01b4b9ce3881cf08433b0c43db93ab207507)
(cherry picked from commit 55df132065f109b8f548100461011c10b58843ea)
(cherry picked from commit ea868566c49869b3fa0f6e2c7194b743d22f77fe)
---
ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in b/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in
index 51af0db..2ef76f2 100755
--- a/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in
+++ b/ldap/servers/slapd/tools/rsearch/scripts/dbgen.pl.in
@@ -543,13 +543,14 @@ sub flush {
my $Number_To_Generate = 1;
$Output_File_Name = "output.ldif";
-$Random_Seed = 1;
+$Random_Seed = 0;
$Suffix = 'dc=example,dc=com';
$NamingType = "uid";
$inetOrgPerson = "objectClass: inetOrgPerson\n";
$PrintOrgChartDat = 0;
-$DataDir = "/usr/share/dirsrv/data";
+$DataDir = "@templatedir@";
$BeginNum = 0;
+$ZeroPad = 0;
$Verbose = 0;
$debug = 0;
@@ -572,7 +573,7 @@ GetOptions('number=i' => \$Number_To_Generate,
'x' => \$opt_x,
'y' => \$opt_y,
'z' => \$opt_z,
- 'j' => \$opt_j,
+ 'j=i' => \$ZeroPad,
'verbose' => \$Verbose,
'debug' => \$debug,
'quiet' => \$Quiet,
@@ -598,7 +599,6 @@ if ("" != $opt_y)
{
$printorgunit = 0;
}
-$ZeroPad = $opt_j;
if ($Suffix =~ /o=/) {
($Organization) = $Suffix =~ /o=([^,]+)/;
@@ -1029,8 +1029,8 @@ sub MakeRandomLocality {
sub MakeRandomName {
local($Given_Name, $Surname, $Full_Name, $UID, $uniq, $first, $last, $RDN);
# Get the unique number depending if a seed was set or not.
- $uniq = int rand($Random_Seed) if ($opt_r);
- $uniq = $x if (!$opt_r);
+ $uniq = int rand($Random_Seed) if ($Random_Seed);
+ $uniq = $x if (!$Random_Seed);
$Given_Name = $given_names[rand @given_names];
$Surname = $family_names[rand @family_names];
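Review bot: In MakeRandomName, `int rand($Random_Seed)` uses the option value as the upper bound of rand() rather than as a seed, so a small value yields only a handful of distinct $uniq suffixes and the generated uid values can collide. If the option is meant to seed the generator, call srand($Random_Seed) once after option parsing and draw $uniq from a fixed range; if it is meant as a range, rename the variable and document that. The two statement modifiers would also read better as a single if/else.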
@@ -1040,7 +1040,7 @@ sub MakeRandomName {
$UID = $first . $last . "$uniq";
# Create the uid based on the DN naming type defined
- if ($opt_b) { # use a uniquenumber for the RDN value
+ if ($BeginNum) { # use a uniquenumber for the RDN value
if ($ZeroPad) {
$RDN = sprintf "%0.${ZeroPad}d", $x;
} else {
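Review bot: `if ($BeginNum)` replaces the `$opt_b` flag with a truth test on the value, and $BeginNum defaults to 0 earlier in the script, so a run that explicitly asks to start numbering at 0 cannot be told apart from one that did not pass the option. Track whether the option was given (for example an undef default tested with `defined`) instead of testing the number itself.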
--
1.8.1.4

View file

@ -0,0 +1,74 @@
From 7dc5c28a3beeeb90cdae084ae6d1fa338c09c50f Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Fri, 31 Jan 2014 16:49:58 -0700
Subject: [PATCH 87/87] Ticket #471 logconv.pl tool removes the access logs
contents if "-M" is not correctly used
https://fedorahosted.org/389/ticket/471
Reviewed by: nhosoi (Thanks!)
Branch: rhel-7.0
Fix Description: Do not call new_stats_block() until we verify that it is safe
to call it. It will wipe out the file.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit 7447050f572fb8865145d020e9eab64032f667be)
(cherry picked from commit cfbda421535451d99d3ee774a49fc099cfb902f0)
(cherry picked from commit 811300f30264a82b6cd9d0e1d7594a066458912c)
---
ldap/admin/src/logconv.pl | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
index e7d7507..99e0efd 100755
--- a/ldap/admin/src/logconv.pl
+++ b/ldap/admin/src/logconv.pl
@@ -104,6 +104,8 @@ my $reportBinds = "no";
my $rootDN = "";
my $needCleanup = 0;
my @scopeTxt = ("0 (base)", "1 (one)", "2 (subtree)");
+my $reportStatsSecFile;
+my $reportStatsMinFile;
GetOptions(
'd|rootDN=s' => \$rootDN,
@@ -115,8 +117,8 @@ GetOptions(
'S|startTime=s' => \$startTime,
'E|endTime=s' => \$endTime,
'B|bind=s' => sub { $reportBinds = "yes"; $bindReportDN=($_[1]) },
- 'm|reportFileSecs=s' => sub { my ($opt,$value) = @_; $s_stats = new_stats_block($value); $reportStats = "-m";},
- 'M|reportFileMins=s' => sub { my ($opt,$value) = @_; $m_stats = new_stats_block($value); $reportStats = "-M";},
+ 'm|reportFileSecs=s' => \$reportStatsSecFile,
+ 'M|reportFileMins=s' => \$reportStatsMinFile,
'h|help' => sub { displayUsage() },
# usage options '-efcibaltnxgjuiryp'
'e' => sub { $usage = $usage . "e"; },
@@ -169,14 +171,23 @@ while($arg_count <= $#ARGV){
}
if($file_count == 0){
- if($reportStats){
- print "Usage error for option $reportStats, either the output file or access log is missing!\n\n";
+ if($reportStatsSecFile or $reportStatsMinFile){
+ print "Usage error for option -m or -M, either the output file or access log is missing!\n\n";
} else {
print "There are no access logs specified!\n\n";
}
exit 1;
}
+if ($reportStatsSecFile) {
+ $s_stats = new_stats_block($reportStatsSecFile);
+ $reportStats = "-m";
+}
+if ($reportStatsMinFile) {
+ $m_stats = new_stats_block($reportStatsMinFile);
+ $reportStats = "-M";
+}
+
if ($sizeCount eq "all"){$sizeCount = "100000";}
#######################################
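Review bot: The deferred new_stats_block() calls are guarded only by the `$file_count == 0` exit, so a report path that is also one of the access logs being parsed would still be wiped, which is what the fix description says new_stats_block() does to its file. Before the two calls, compare $reportStatsSecFile and $reportStatsMinFile against the collected log file names and refuse to continue on a match. The truth tests `if ($reportStatsSecFile)` and `if ($reportStatsMinFile)` also skip a file literally named 0; `defined` is the safer test.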
--
1.8.1.4

View file

@ -0,0 +1,45 @@
From e585f17556d12f96683665aed7699a78a89c9ab4 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz <lkrispen@redhat.com>
Date: Tue, 18 Feb 2014 11:40:16 +0100
Subject: [PATCH] Ticket 47704 - invalid sizelimits in aci group evaluation
Bug Description: aci group evaluation fails because of sizelimit exceeded
but it is exceeded because it is -1476887876 or another
negative integer because operation parameters are a union
based on operation types and so for other than search
the value is dependent on the operation params
Fix Description: treat any negative integer like -1 (unlimited). A better fix
would be to introduce a specific configuration param or
to abandon the limit in group evaluation at all. But this
could introduce backward compatibility problems and
will be handled in ticket 47703 for newer versions
https://fedorahosted.org/389/ticket/47704
Reviewed by: Rich, thanks
(cherry picked from commit 377266ebb2ff488aa3cc4b96990c002db7e6103e)
---
ldap/servers/plugins/acl/acl_ext.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index ee2dd0f..b9cec43 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -836,6 +836,12 @@ acl_init_aclpb ( Slapi_PBlock *pb , Acl_PBlock *aclpb, const char *ndn, int copy
slapi_pblock_get( pb, SLAPI_SEARCH_SIZELIMIT, &aclpb->aclpb_max_member_sizelimit );
if ( aclpb->aclpb_max_member_sizelimit == 0 ) {
aclpb->aclpb_max_member_sizelimit = SLAPD_DEFAULT_LOOKTHROUGHLIMIT;
+ } else if ( aclpb->aclpb_max_member_sizelimit < -1 ) {
+ /* handle the case of a negtive size limit either set or due
+ * to bug bz1065971. The member size limit should be dropped,
+ * but for backward compatibility to the best we can
+ */
+ aclpb->aclpb_max_member_sizelimit = -1;
}
slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &aclpb->aclpb_optype );
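Review bot: The new `< -1` clamp catches only negative garbage from SLAPI_SEARCH_SIZELIMIT. Per the bug description the field belongs to a union that is meaningful only for search operations, so a non-search operation can equally yield a positive junk value, which is then used as the member size limit unchanged. SLAPI_OPERATION_TYPE is fetched on the very next line: fetch it first and read the search size limit only when the operation is a search, using a fixed value otherwise. The added comment also has a typo ("negtive").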
--
1.8.1.4

View file

@ -0,0 +1,87 @@
From 8cbc6f09ee63f21b235219e7ca92ed26b28c52da Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 20 Feb 2014 13:18:06 -0800
Subject: [PATCH 89/90] Ticket #47709 - package issue in 389-ds-base
Description: Following the package guideline, moving python binaries
to the architecture aware location and libns-dshttpd.so* from 389-ds-base
to 389-ds-base-libs.
https://fedorahosted.org/389/ticket/47709
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit a32b2a9ddc5764d449b051c20077643585e81def)
(cherry picked from commit 011385ad8cb8afc42611b57a3a88600eb1d56932)
(cherry picked from commit f1bbfe2ff0768128b10903ca1262302313b74ad6)
---
Makefile.am | 8 +++++---
configure.ac | 5 +++++
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 8cf7ba7..04845a0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -166,6 +166,7 @@ initdir = @initdir@
initconfigdir = $(sysconfdir)@initconfigdir@
instconfigdir = @instconfigdir@
perldir = $(libdir)@perldir@
+pythondir = $(libdir)@pythondir@
infdir = $(datadir)@infdir@
mibdir = $(datadir)@mibdir@
updatedir = $(datadir)@updatedir@
@@ -250,9 +251,7 @@ config_DATA = $(srcdir)/lib/ldaputil/certmap.conf \
# with the default schema e.g. there is
# considerable overlap of 60changelog.ldif and 01common.ldif
# and 60inetmail.ldif and 50ns-mail.ldif among others
-sampledata_DATA = ldap/admin/src/scripts/failedbinds.py \
- ldap/admin/src/scripts/DSSharedLib \
- ldap/admin/src/scripts/logregex.py \
+sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \
$(srcdir)/ldap/ldif/Ace.ldif \
$(srcdir)/ldap/ldif/European.ldif \
$(srcdir)/ldap/ldif/Eurosuffix.ldif \
@@ -404,6 +403,9 @@ perl_DATA = ldap/admin/src/scripts/SetupLog.pm \
ldap/admin/src/scripts/DSUpdate.pm \
ldap/admin/src/scripts/DSUpdateDialogs.pm
+python_DATA = ldap/admin/src/scripts/failedbinds.py \
+ ldap/admin/src/scripts/logregex.py
+
property_DATA = ldap/admin/src/scripts/setup-ds.res \
ldap/admin/src/scripts/migrate-ds.res
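Review bot: failedbinds.py and logregex.py are listed under python_DATA, so they are installed as data files and will not be executable in $(pythondir). If they are meant to be run directly rather than imported, list them under a _SCRIPTS primary instead; if DATA is intended, say so in a comment next to python_DATA so the choice is not mistaken for an oversight.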
diff --git a/configure.ac b/configure.ac
index 2376b34..908683e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -264,6 +264,8 @@ if test "$with_fhs_opt" = "yes"; then
propertydir=/properties
# relative to libdir
perldir=/perl
+ # relative to libdir
+ pythondir=/python
else
if test "$with_fhs" = "yes"; then
ac_default_prefix=/usr
@@ -295,6 +297,8 @@ else
propertydir=/$PACKAGE_NAME/properties
# relative to libdir
perldir=/$PACKAGE_NAME/perl
+ # relative to libdir
+ pythondir=/$PACKAGE_NAME/python
fi
# if mandir is the default value, override it
@@ -403,6 +407,7 @@ AC_SUBST(serverincdir)
AC_SUBST(serverplugindir)
AC_SUBST(scripttemplatedir)
AC_SUBST(perldir)
+AC_SUBST(pythondir)
AC_SUBST(infdir)
AC_SUBST(mibdir)
AC_SUBST(mandir)
--
1.8.1.4

View file

@ -0,0 +1,204 @@
From 9293031eee2e795d6712f1d92314be03fe6f0751 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 20 Feb 2014 15:31:05 -0800
Subject: [PATCH 90/90] Ticket #47709 - package issue in 389-ds-base
Description: Automatically generated files: Makefile.in, configure
(cherry picked from commit 99d5d3e59827c132ba2666c67f9e22bd62aaacab)
---
Makefile.in | 65 ++++++++++++++++++++++++++++++++++++++++++-------------------
configure | 6 ++++++
2 files changed, 51 insertions(+), 20 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index d90f130..21d9dc5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -144,9 +144,9 @@ am__installdirs = "$(DESTDIR)$(serverdir)" \
"$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" \
"$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" \
"$(DESTDIR)$(pkgconfigdir)" "$(DESTDIR)$(propertydir)" \
- "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)" \
- "$(DESTDIR)$(systemdsystemunitdir)" "$(DESTDIR)$(updatedir)" \
- "$(DESTDIR)$(serverincdir)"
+ "$(DESTDIR)$(pythondir)" "$(DESTDIR)$(sampledatadir)" \
+ "$(DESTDIR)$(schemadir)" "$(DESTDIR)$(systemdsystemunitdir)" \
+ "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(serverincdir)"
LTLIBRARIES = $(server_LTLIBRARIES) $(serverplugin_LTLIBRARIES)
am__DEPENDENCIES_1 =
libacctpolicy_plugin_la_DEPENDENCIES = libslapd.la \
@@ -1104,8 +1104,8 @@ NROFF = nroff
MANS = $(dist_man_MANS)
DATA = $(config_DATA) $(inf_DATA) $(initconfig_DATA) $(mib_DATA) \
$(nodist_property_DATA) $(perl_DATA) $(pkgconfig_DATA) \
- $(property_DATA) $(sampledata_DATA) $(schema_DATA) \
- $(systemdsystemunit_DATA) $(update_DATA)
+ $(property_DATA) $(python_DATA) $(sampledata_DATA) \
+ $(schema_DATA) $(systemdsystemunit_DATA) $(update_DATA)
HEADERS = $(serverinc_HEADERS)
ETAGS = etags
CTAGS = ctags
@@ -1314,6 +1314,7 @@ prefix = @prefix@
program_transform_name = @program_transform_name@
propertydir = $(datadir)@propertydir@
psdir = @psdir@
+pythondir = $(libdir)@pythondir@
sampledatadir = $(datadir)@sampledatadir@
sasl_inc = @sasl_inc@
sasl_lib = @sasl_lib@
@@ -1519,9 +1520,7 @@ config_DATA = $(srcdir)/lib/ldaputil/certmap.conf \
# with the default schema e.g. there is
# considerable overlap of 60changelog.ldif and 01common.ldif
# and 60inetmail.ldif and 50ns-mail.ldif among others
-sampledata_DATA = ldap/admin/src/scripts/failedbinds.py \
- ldap/admin/src/scripts/DSSharedLib \
- ldap/admin/src/scripts/logregex.py \
+sampledata_DATA = ldap/admin/src/scripts/DSSharedLib \
$(srcdir)/ldap/ldif/Ace.ldif \
$(srcdir)/ldap/ldif/European.ldif \
$(srcdir)/ldap/ldif/Eurosuffix.ldif \
@@ -1674,6 +1673,9 @@ perl_DATA = ldap/admin/src/scripts/SetupLog.pm \
ldap/admin/src/scripts/DSUpdate.pm \
ldap/admin/src/scripts/DSUpdateDialogs.pm
+python_DATA = ldap/admin/src/scripts/failedbinds.py \
+ ldap/admin/src/scripts/logregex.py
+
property_DATA = ldap/admin/src/scripts/setup-ds.res \
ldap/admin/src/scripts/migrate-ds.res
@@ -9547,6 +9549,27 @@ uninstall-propertyDATA:
@list='$(property_DATA)'; test -n "$(propertydir)" || list=; \
files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
dir='$(DESTDIR)$(propertydir)'; $(am__uninstall_files_from_dir)
+install-pythonDATA: $(python_DATA)
+ @$(NORMAL_INSTALL)
+ @list='$(python_DATA)'; test -n "$(pythondir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(pythondir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(pythondir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pythondir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(pythondir)" || exit $$?; \
+ done
+
+uninstall-pythonDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(python_DATA)'; test -n "$(pythondir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ dir='$(DESTDIR)$(pythondir)'; $(am__uninstall_files_from_dir)
install-sampledataDATA: $(sampledata_DATA)
@$(NORMAL_INSTALL)
@list='$(sampledata_DATA)'; test -n "$(sampledatadir)" || list=; \
@@ -9903,7 +9926,7 @@ check: $(BUILT_SOURCES)
all-am: Makefile $(LIBRARIES) $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) \
$(MANS) $(DATA) $(HEADERS) config.h
installdirs:
- for dir in "$(DESTDIR)$(serverdir)" "$(DESTDIR)$(serverplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(taskdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" "$(DESTDIR)$(pkgconfigdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)" "$(DESTDIR)$(systemdsystemunitdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(serverincdir)"; do \
+ for dir in "$(DESTDIR)$(serverdir)" "$(DESTDIR)$(serverplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(taskdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" "$(DESTDIR)$(pkgconfigdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(pythondir)" "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)" "$(DESTDIR)$(systemdsystemunitdir)" "$(DESTDIR)$(updatedir)" "$(DESTDIR)$(serverincdir)"; do \
test -z "$$dir" || $(MKDIR_P) "$$dir"; \
done
install: $(BUILT_SOURCES)
@@ -10058,7 +10081,7 @@ info-am:
install-data-am: install-configDATA install-infDATA \
install-initSCRIPTS install-initconfigDATA install-man \
install-mibDATA install-nodist_propertyDATA install-perlDATA \
- install-pkgconfigDATA install-propertyDATA \
+ install-pkgconfigDATA install-propertyDATA install-pythonDATA \
install-sampledataDATA install-schemaDATA \
install-serverLTLIBRARIES install-serverincHEADERS \
install-serverpluginLTLIBRARIES install-systemdsystemunitDATA \
@@ -10116,10 +10139,10 @@ uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \
uninstall-initconfigDATA uninstall-man uninstall-mibDATA \
uninstall-nodist_propertyDATA uninstall-perlDATA \
uninstall-pkgconfigDATA uninstall-propertyDATA \
- uninstall-sampledataDATA uninstall-sbinPROGRAMS \
- uninstall-sbinSCRIPTS uninstall-schemaDATA \
- uninstall-serverLTLIBRARIES uninstall-serverincHEADERS \
- uninstall-serverpluginLTLIBRARIES \
+ uninstall-pythonDATA uninstall-sampledataDATA \
+ uninstall-sbinPROGRAMS uninstall-sbinSCRIPTS \
+ uninstall-schemaDATA uninstall-serverLTLIBRARIES \
+ uninstall-serverincHEADERS uninstall-serverpluginLTLIBRARIES \
uninstall-systemdsystemunitDATA uninstall-taskSCRIPTS \
uninstall-updateDATA uninstall-updateSCRIPTS
@@ -10145,8 +10168,9 @@ uninstall-man: uninstall-man1 uninstall-man8
install-man1 install-man8 install-mibDATA \
install-nodist_propertyDATA install-pdf install-pdf-am \
install-perlDATA install-pkgconfigDATA install-propertyDATA \
- install-ps install-ps-am install-sampledataDATA \
- install-sbinPROGRAMS install-sbinSCRIPTS install-schemaDATA \
+ install-ps install-ps-am install-pythonDATA \
+ install-sampledataDATA install-sbinPROGRAMS \
+ install-sbinSCRIPTS install-schemaDATA \
install-serverLTLIBRARIES install-serverincHEADERS \
install-serverpluginLTLIBRARIES install-strip \
install-systemdsystemunitDATA install-taskSCRIPTS \
@@ -10160,15 +10184,16 @@ uninstall-man: uninstall-man1 uninstall-man8
uninstall-man1 uninstall-man8 uninstall-mibDATA \
uninstall-nodist_propertyDATA uninstall-perlDATA \
uninstall-pkgconfigDATA uninstall-propertyDATA \
- uninstall-sampledataDATA uninstall-sbinPROGRAMS \
- uninstall-sbinSCRIPTS uninstall-schemaDATA \
- uninstall-serverLTLIBRARIES uninstall-serverincHEADERS \
- uninstall-serverpluginLTLIBRARIES \
+ uninstall-pythonDATA uninstall-sampledataDATA \
+ uninstall-sbinPROGRAMS uninstall-sbinSCRIPTS \
+ uninstall-schemaDATA uninstall-serverLTLIBRARIES \
+ uninstall-serverincHEADERS uninstall-serverpluginLTLIBRARIES \
uninstall-systemdsystemunitDATA uninstall-taskSCRIPTS \
uninstall-updateDATA uninstall-updateSCRIPTS
clean-local:
+ -rm -rf dist
-rm -rf selinux-built
dberrstrs.h: Makefile
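Review bot: the added "-rm -rf dist" under clean-local is unrelated to the pythonDATA install/uninstall targets that make up the rest of this hunk, and it recursively deletes whatever directory named dist sits in the build directory. Split it into its own change, or explain in the patch description what creates dist and why make clean should remove it.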
diff --git a/configure b/configure
index 22cc78f..fd1bfb6 100755
--- a/configure
+++ b/configure
@@ -720,6 +720,7 @@ defaultuser
updatedir
mibdir
infdir
+pythondir
perldir
scripttemplatedir
serverplugindir
@@ -17934,6 +17935,8 @@ if test "$with_fhs_opt" = "yes"; then
propertydir=/properties
# relative to libdir
perldir=/perl
+ # relative to libdir
+ pythondir=/python
else
if test "$with_fhs" = "yes"; then
ac_default_prefix=/usr
@@ -17963,6 +17966,8 @@ else
propertydir=/$PACKAGE_NAME/properties
# relative to libdir
perldir=/$PACKAGE_NAME/perl
+ # relative to libdir
+ pythondir=/$PACKAGE_NAME/python
fi
# if mandir is the default value, override it
@@ -18216,6 +18221,7 @@ fi
+
# check for --with-instconfigdir
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for --with-instconfigdir" >&5
$as_echo_n "checking for --with-instconfigdir... " >&6; }
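Review bot: the only change in this configure hunk is one added blank line, which looks like regeneration noise rather than an intended edit. Drop it so the generated-file diff contains only the pythondir additions.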
--
1.8.1.4

View file

@ -0,0 +1,35 @@
From 515c57545df1958f90571461e6a1109e5c40522d Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue, 25 Feb 2014 14:33:48 -0800
Subject: [PATCH 91/92] Ticket 408 - create a normalized dn cache
covscan Defect type: FORWARD_NULL
15. 389-ds-base-1.3.1.6/ldap/servers/slapd/dn.c:3036:var_deref_op -
Dereferencing null pointer "node".
Introduced by commit 1d6dd39fb8b0ef8eb42ec9ef8c3d325e27a3d3c1
Fix: Check if "node" is null or not before referencing.
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 5ac08038a05877b4240755801debd5e5a3a94c6f)
(cherry picked from commit 977c1b293beb0e8324a99614705ba316d46352f8)
(cherry picked from commit 056d390f9ee97f02447ae802deb388ec41bf6925)
---
ldap/servers/slapd/dn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index 1eab631..4a11a18 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -3003,7 +3003,7 @@ ndn_cache_flush()
int i;
node = ndn_cache->tail;
- for(i = 0; i < NDN_FLUSH_COUNT && ndn_cache->cache_count > NDN_MIN_COUNT; i++){
+ for(i = 0; node && i < NDN_FLUSH_COUNT && ndn_cache->cache_count > NDN_MIN_COUNT; i++){
flush_node = node;
/* update the lru */
next = node->prev;
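Review bot: the new "node &&" guard in the ndn_cache_flush for loop makes the loop stop silently when node is NULL while ndn_cache->cache_count is still above NDN_MIN_COUNT, which means the list and the counter disagree. That state is worth a log line or an assertion rather than a quiet exit, otherwise the underlying accounting bug stays hidden behind the null check.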
--
1.8.1.4

View file

@ -0,0 +1,39 @@
From c5950ffa10303383596ea7611844185901d74e2f Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue, 25 Feb 2014 15:09:34 -0800
Subject: [PATCH 92/92] Ticket 571 (dup 47361) - Empty control list causes LDAP
protocol error is thrown
covscan Defect type: Compiler Warnings
2. 389-ds-base-1.3.1.6/ldap/servers/slapd/control.c:364:25:
warning - format '%d' expects argument of type 'int',
but argument 4 has type 'PRUint64' [-Wformat=]
Introduced by commit d695afb6a637432e880296d8552f466981c0796c
Fix: Replaced %d with % NSPRIu64
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 383db4a27cc417c1708989d84cf0e4445936ae9f)
(cherry picked from commit 8b92149bf229d12052a2f349611e5f639fc57ef8)
(cherry picked from commit 86b76ef2466659efd31b07bc02b02daf444a9cde)
---
ldap/servers/slapd/control.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/slapd/control.c b/ldap/servers/slapd/control.c
index e614d50..1229e9f 100644
--- a/ldap/servers/slapd/control.c
+++ b/ldap/servers/slapd/control.c
@@ -360,8 +360,8 @@ get_ldapmessage_controls_ext(
slapi_pblock_set(pb, SLAPI_REQCONTROLS, NULL);
slapi_pblock_set(pb, SLAPI_MANAGEDSAIT, &ctrl_not_found);
slapi_pblock_set(pb, SLAPI_PWPOLICY, &ctrl_not_found);
- slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%d op=%d contains an empty list of controls\n",
- pb->pb_conn->c_connid, pb->pb_op->o_opid);
+ slapi_log_error(SLAPI_LOG_CONNS, "connection", "Warning: conn=%" NSPRIu64 " op=%d contains an empty list of controls\n",
+ (long long unsigned int)pb->pb_conn->c_connid, pb->pb_op->o_opid);
} else {
if ((tag != LBER_END_OF_SEQORSET) && (len != -1)) {
goto free_and_return;
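Review bot: on the conn= argument, the cast to (long long unsigned int) is only correct while NSPRIu64 expands to a long long conversion, so the format macro and the cast encode the same assumption in two places. Add a short comment next to the cast saying why it is needed for PRUint64 here, so a later change to either side does not bring the -Wformat warning back.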
--
1.8.1.4

View file

@ -0,0 +1,35 @@
From 6cf6bea5372a57ffeee304c601e665f13861353c Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Tue, 25 Feb 2014 16:54:22 -0800
Subject: [PATCH] Ticket 408 - create a normalized dn cache
covscan Defect type: FORWARD_NULL
15. 389-ds-base-1.3.1.6/ldap/servers/slapd/dn.c:3036:var_deref_op -
Dereferencing null pointer "node".
Introduced by commit 1d6dd39fb8b0ef8eb42ec9ef8c3d325e27a3d3c1
Fix: Check if "node" is null or not before referencing.
Note: Found second FORWARD_NULL in addition to
commit 5ac08038a05877b4240755801debd5e5a3a94c6f,
(cherry picked from commit ea13cda8f49646be8a9a5e468b2819bd2d91ca87)
(cherry picked from commit dfa36fd4a7ab243a5692e7792d19e67e63b1e397)
(cherry picked from commit 347ffb722f7d376e0ad2c565ada533f0dad3cfb8)
---
ldap/servers/slapd/dn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index 4a11a18..003e9b7 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -3030,7 +3030,7 @@ ndn_cache_free()
}
node = ndn_cache->tail;
- while(ndn_cache->cache_count){
+ while(node && ndn_cache->cache_count){
flush_node = node;
/* update the lru */
next = node->prev;
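Review bot: in ndn_cache_free, "while(node && ndn_cache->cache_count)" can now leave the loop with cache_count still non-zero when the list runs out first. Since this is the teardown path, reset the counter explicitly after the loop (or assert that it reached zero) so nothing later trusts a stale count.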
--
1.8.1.4

View file

@ -0,0 +1,158 @@
From e2b8468f459647261812f542485f3481d39bd26c Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri, 7 Mar 2014 12:29:55 -0800
Subject: [PATCH] Ticket #47735 - e_uniqueid fails to set if an entry is a
conflict entry
Bug Description:
When an entry is turned to be a conflict entry, its nsUniqueId has
a mdcsn info as a subtype like this:
nsUniqueId;mdcsn-5319136f000200010000: c5e0d787-a58f11e3-b7f9dfd1-acc3d5e4
In this case, the attribute type is assigned to the berval "type"
as follows:
type.bv_val = "nsUniqueId;mdcsn-5319136f000200010000"
type.bv_len = 37
The subtyped stateinfo is processed in str2entry_state_information_from_type,
which modifies type.bv_val to "nsUniqueId", but type.bv_len remains 37.
str2entry_fast has this logic to set e_uniqueid, where the nsUniqueId
with stateinfo fails to set the value to e_uniqueid.
if ( type.bv_len == 10 &&
PL_strncasecmp (type.bv_val, "nsUniqueId", type.bv_len) == 0 ){
Fix Description: This patch resets the length of the type with the
basetype length 10 before the if expression is called for setting
e_uniqueid.
https://fedorahosted.org/389/ticket/47735
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit 07bd2259cc45c9d5c193b15faaf0d0c60e1b723c)
(cherry picked from commit 6e0ffbe1bdde99cfd71a5617d89482eef4696c7f)
(cherry picked from commit d4350bd0724c37040a4aaf361a10918c925b7605)
---
ldap/servers/slapd/entry.c | 60 +++++++++++++++++++++++++++-------------------
1 file changed, 36 insertions(+), 24 deletions(-)
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index 60e1dfe..0d018a9 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -95,10 +95,22 @@ struct attrs_in_extension attrs_in_extension[] =
/*
* WARNING: s gets butchered... the base type remains.
*/
-void
-str2entry_state_information_from_type(char *s,CSNSet **csnset,CSN **attributedeletioncsn,CSN **maxcsn,int *value_state,int *attr_state)
+static void
+str2entry_state_information_from_type(struct berval *atype,
+ CSNSet **csnset,
+ CSN **attributedeletioncsn,
+ CSN **maxcsn,
+ int *value_state,
+ int *attr_state)
{
- char *p= strchr(s, ';');
+ char *p = NULL;
+ if ((NULL == atype) || (NULL == atype->bv_val)) {
+ return;
+ }
+ p = PL_strchr(atype->bv_val, ';');
+ if (p) {
+ atype->bv_len = p - atype->bv_val;
+ }
*value_state= VALUE_PRESENT;
*attr_state= ATTRIBUTE_PRESENT;
while(p!=NULL)
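Review bot: "atype->bv_len = p - atype->bv_val;" runs as soon as any ';' is found, before the loop below has decided whether what follows is state information. For an attribute with an ordinary subtype the string is left as it is while bv_len is cut back to the base type, so the berval's length and value no longer agree. Set the length only at the point where state information is actually stripped. Separately, the new early return for a NULL atype or bv_val leaves *value_state and *attr_state unassigned, which deserves a line in the function comment.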
@@ -243,19 +255,20 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
}
if ( slapi_ldif_parse_line( s, &type, &value, &freeval ) < 0 ) {
- LDAPDebug( LDAP_DEBUG_TRACE,
- "<= str2entry_fast NULL (parse_line)\n", 0, 0, 0 );
+ LDAPDebug0Args(LDAP_DEBUG_TRACE, "<= str2entry_fast NULL (parse_line)\n");
continue;
}
/*
* Extract the attribute and value CSNs from the attribute type.
- */
+ */
csn_free(&attributedeletioncsn); /* JCM - Do this more efficiently */
csnset_free(&valuecsnset);
value_state= VALUE_NOTFOUND;
attr_state= ATTRIBUTE_NOTFOUND;
- str2entry_state_information_from_type(type.bv_val,&valuecsnset,&attributedeletioncsn,&maxcsn,&value_state,&attr_state);
+ str2entry_state_information_from_type(&type,
+ &valuecsnset, &attributedeletioncsn,
+ &maxcsn, &value_state, &attr_state);
if(!read_stateinfo)
{
/* We are not maintaining state information */
@@ -393,8 +406,7 @@ str2entry_fast( const char *rawdn, const Slapi_RDN *srdn, char *s, int flags, in
}
/* retrieve uniqueid */
- if ( type.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH && PL_strncasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID, type.bv_len) == 0 ){
-
+ if ((type.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH) && (PL_strcasecmp (type.bv_val, SLAPI_ATTR_UNIQUEID) == 0)) {
if (e->e_uniqueid != NULL){
LDAPDebug (LDAP_DEBUG_TRACE,
"str2entry_fast: entry has multiple uniqueids %s "
@@ -752,22 +764,21 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
char *valuecharptr=NULL;
struct berval bvvalue;
int rc;
- entry_attrs *ea = NULL;
- int tree_attr_checking = 0;
- int big_entry_attr_presence_check = 0;
- int check_for_duplicate_values =
- ( 0 != ( flags & SLAPI_STR2ENTRY_REMOVEDUPVALS ));
- Slapi_Value *value = 0;
- CSN *attributedeletioncsn= NULL;
- CSNSet *valuecsnset= NULL;
- CSN *maxcsn= NULL;
- char *normdn = NULL;
- int strict = 0;
+ entry_attrs *ea = NULL;
+ int tree_attr_checking = 0;
+ int big_entry_attr_presence_check = 0;
+ int check_for_duplicate_values = ( 0 != ( flags & SLAPI_STR2ENTRY_REMOVEDUPVALS ));
+ Slapi_Value *value = 0;
+ CSN *attributedeletioncsn= NULL;
+ CSNSet *valuecsnset= NULL;
+ CSN *maxcsn= NULL;
+ char *normdn = NULL;
+ int strict = 0;
/* Check if we should be performing strict validation. */
strict = config_get_dn_validate_strict();
- LDAPDebug( LDAP_DEBUG_TRACE, "=> str2entry_dupcheck\n", 0, 0, 0 );
+ LDAPDebug0Args(LDAP_DEBUG_TRACE, "=> str2entry_dupcheck\n");
e = slapi_entry_alloc();
slapi_entry_init(e,NULL,NULL);
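Review bot: the re-indented declaration block at the top of str2entry_dupcheck changes whitespace only and is mixed into a functional fix. Keeping formatting churn out of this patch would make the real change easier to review and to cherry-pick across branches.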
@@ -808,7 +819,9 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
csnset_free(&valuecsnset);
value_state= VALUE_NOTFOUND;
attr_state= VALUE_NOTFOUND;
- str2entry_state_information_from_type(type,&valuecsnset,&attributedeletioncsn,&maxcsn,&value_state,&attr_state);
+ str2entry_state_information_from_type(&bvtype,
+ &valuecsnset, &attributedeletioncsn,
+ &maxcsn, &value_state, &attr_state);
if(!read_stateinfo)
{
/* We are not maintaining state information */
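Review bot: the call in str2entry_dupcheck used to pass type and now passes &bvtype, so the stripping of state information is only visible to later code that reads type if type points at bvtype.bv_val. Nothing in this hunk shows that relationship; add a comment where the two are set up, or use bvtype.bv_val throughout. Also, the context line "attr_state= VALUE_NOTFOUND;" just above the call uses a value-state constant for an attribute state, where str2entry_fast uses ATTRIBUTE_NOTFOUND.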
@@ -916,8 +929,7 @@ str2entry_dupcheck( const char *rawdn, char *s, int flags, int read_stateinfo )
}
/* retrieve uniqueid */
- if ( strcasecmp (type, SLAPI_ATTR_UNIQUEID) == 0 ){
-
+ if ((bvtype.bv_len == SLAPI_ATTR_UNIQUEID_LENGTH) && (PL_strcasecmp (type, SLAPI_ATTR_UNIQUEID) == 0)) {
if (e->e_uniqueid != NULL){
LDAPDebug (LDAP_DEBUG_TRACE,
"str2entry_dupcheck: entry has multiple uniqueids %s "
--
1.8.1.4

View file

@ -0,0 +1,75 @@
From 8a368a62ea22127f95017467a044df57937ed238 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Mon, 10 Mar 2014 16:12:08 -0700
Subject: [PATCH] Ticket #47739 - directory server is insecurely
misinterpreting authzid on a SASL/GSSAPI bind
Description: SASL_CB_PROXY_POLICY callback is not needed since we
don't support the case authid and authzid do not match. This patch
gets rid of the callback function ids_sasl_proxy_policy.
https://fedorahosted.org/389/ticket/47739
Reviewed by nkinder@redhat.com (Thank you, Nathan!!)
(cherry picked from commit 76acff12a86110d4165f94e2cba13ef5c7ebc38a)
(cherry picked from commit 9bc2b46b7c7ee4c975d04b041f73a5992906b07c)
(cherry picked from commit d2063c889feeba122e12f152e2e2c98aed4eb442)
(cherry picked from commit 614d72196e696395d5bc0a6d62f8be9d4ee41c5b)
---
ldap/servers/slapd/saslbind.c | 33 ---------------------------------
1 file changed, 33 deletions(-)
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 96b1f8c..b405c46 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -229,34 +229,6 @@ static int ids_sasl_log(
return SASL_OK;
}
-static int ids_sasl_proxy_policy(
- sasl_conn_t *conn,
- void *context,
- const char *requested_user, int rlen,
- const char *auth_identity, int alen,
- const char *def_realm, int urlen,
- struct propctx *propctx
-)
-{
- int retVal = SASL_OK;
- /* do not permit sasl proxy authorization */
- /* if the auth_identity is null or empty string, allow the sasl request to go thru */
- if ( (auth_identity != NULL ) && ( strlen(auth_identity) > 0 ) ) {
- Slapi_DN authId , reqUser;
- slapi_sdn_init_dn_byref(&authId,auth_identity);
- slapi_sdn_init_dn_byref(&reqUser,requested_user);
- if (slapi_sdn_compare((const Slapi_DN *)&reqUser,(const Slapi_DN *) &authId) != 0) {
- LDAPDebug(LDAP_DEBUG_TRACE,
- "sasl proxy auth not permitted authid=%s user=%s\n",
- auth_identity, requested_user, 0);
- retVal = SASL_NOAUTHZ;
- }
- slapi_sdn_done(&authId);
- slapi_sdn_done(&reqUser);
- }
- return retVal;
-}
-
static void ids_sasl_user_search(
char *basedn,
int scope,
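Review bot: with ids_sasl_proxy_policy removed, nothing in this diff shows what now rejects a bind whose authzid differs from the authid. The deleted function was the code that returned SASL_NOAUTHZ for a mismatch, and it also let the request through when auth_identity was NULL or empty. State in the description which code path enforces the match once the SASL_CB_PROXY_POLICY callback is gone, and add a regression test that a SASL/GSSAPI bind with a non-matching authzid is refused.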
@@ -575,11 +547,6 @@ static sasl_callback_t ids_sasl_callbacks[] =
NULL
},
{
- SASL_CB_PROXY_POLICY,
- (IFP) ids_sasl_proxy_policy,
- NULL
- },
- {
SASL_CB_CANON_USER,
(IFP) ids_sasl_canon_user,
NULL
--
1.8.1.4

View file

@ -0,0 +1,78 @@
From a0489deaa9b3f72dca120f3b1622039f92a3e437 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Thu, 13 Mar 2014 13:06:43 -0700
Subject: [PATCH] Ticket #47735 - e_uniqueid fails to set if an entry is a
conflict entry
Description: In commit e2b8468f459647261812f542485f3481d39bd26c,
to get the base type length when a state info is stripped from
the attribute type, the fix in str2entry_state_information_from_type
blindly returned the base type length for the ordinary sub-typed
attributes. This patch fixes it so that only when the state info
is removed, the length is reset.
https://fedorahosted.org/389/ticket/47735
Reviewed by rmeggins@redhat.com (Thank you, Rich!!)
(cherry picked from commit a7ac181d60b1f2ecd3640d0b610eba300b7c3cdb)
(cherry picked from commit 4ffa8247ab9dcc45137f07511d62ea33c24f76df)
(cherry picked from commit 093a146853e6bb44b08c36a1da22735633adbd4a)
(cherry picked from commit 2bb0f1b2b9b1c69118d8c8db1c5426eb7d7690ea)
---
ldap/servers/slapd/entry.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index 0d018a9..5306da2 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -104,13 +104,11 @@ str2entry_state_information_from_type(struct berval *atype,
int *attr_state)
{
char *p = NULL;
+ char *semicolonp = NULL;
if ((NULL == atype) || (NULL == atype->bv_val)) {
return;
}
p = PL_strchr(atype->bv_val, ';');
- if (p) {
- atype->bv_len = p - atype->bv_val;
- }
*value_state= VALUE_PRESENT;
*attr_state= ATTRIBUTE_PRESENT;
while(p!=NULL)
@@ -169,19 +167,31 @@ str2entry_state_information_from_type(struct berval *atype,
csn_init_by_csn ( *maxcsn, *attributedeletioncsn );
}
}
+ if (NULL == semicolonp) {
+ semicolonp = p; /* the first semicolon */
+ }
}
else if(strncmp(p+1,"deletedattribute", 16)==0)
{
p[0]='\0';
*attr_state= ATTRIBUTE_DELETED;
+ if (NULL == semicolonp) {
+ semicolonp = p; /* the first semicolon */
+ }
}
else if(strncmp(p+1,"deleted", 7)==0)
{
p[0]='\0';
*value_state= VALUE_DELETED;
+ if (NULL == semicolonp) {
+ semicolonp = p; /* the first semicolon */
+ }
}
p= strchr(p+1, ';');
}
+ if (semicolonp) {
+ atype->bv_len = semicolonp - atype->bv_val;
+ }
}
/* rawdn is not consumed. Caller needs to free it. */
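Review bot: the comment "the first semicolon" on the three "semicolonp = p;" assignments is inaccurate, because the assignment only happens inside the state-information branches, so semicolonp is the first state-information semicolon and an ordinary subtype before it is skipped. Reword the comment to say that, and consider setting semicolonp in one place (for example via a flag checked after the branch chain) instead of repeating the same three lines in each branch.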
--
1.8.1.4

View file

@ -0,0 +1,474 @@
From 5b6deac35adbae20d0821a4530d30f0908ad7478 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 31 Mar 2014 15:17:59 -0400
Subject: [PATCH] Ticket 47759 - Crash in replication when server is under
write load
Bug Description: When the server is under a lot of load, a race condition allows
a replication connection LDAP struct to be freed(unbind) while
it is being used by another thread. This leads to a crash.
Fix Description: Extend the connection lock to also cover ldap client interaction
(e.g. conn->ld struct).
https://fedorahosted.org/389/ticket/47759
Reviewed by: nhosoi & rmeggins(Thanks!!)
(cherry picked from commit 9940ca29ca258891c52640a23adc2851afe59d0e)
(cherry picked from commit 0e576c85c34826c4d63d9578db55f8179b4a1a60)
(cherry picked from commit 2a80b7152823ca16628c2da48614166b8d2104a4)
---
.../servers/plugins/replication/repl5_connection.c | 89 ++++++++++++----------
ldap/servers/slapd/ldaputil.c | 39 +++++-----
2 files changed, 69 insertions(+), 59 deletions(-)
diff --git a/ldap/servers/plugins/replication/repl5_connection.c b/ldap/servers/plugins/replication/repl5_connection.c
index 668abda..17d1d9c 100644
--- a/ldap/servers/plugins/replication/repl5_connection.c
+++ b/ldap/servers/plugins/replication/repl5_connection.c
@@ -138,6 +138,7 @@ static void repl5_debug_timeout_callback(time_t when, void *arg);
/* Forward declarations */
static void close_connection_internal(Repl_Connection *conn);
+static void conn_delete_internal(Repl_Connection *conn);
/*
* Create a new connection object. Returns a pointer to the object, or
@@ -182,11 +183,22 @@ conn_new(Repl_Agmt *agmt)
rpc->plain = NULL;
return rpc;
loser:
- conn_delete(rpc);
+ conn_delete_internal(rpc);
slapi_ch_free((void**)&rpc);
return NULL;
}
+static PRBool
+conn_connected_locked(Repl_Connection *conn, int locked)
+{
+ PRBool return_value;
+
+ if(!locked) PR_Lock(conn->lock);
+ return_value = STATE_CONNECTED == conn->state;
+ if(!locked) PR_Unlock(conn->lock);
+
+ return return_value;
+}
/*
* Return PR_TRUE if the connection is in the connected state
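Review bot: conn_connected_locked(conn, locked) turns lock ownership into a runtime argument, and a wrong value at a call site either reads conn->state without the lock or takes conn->lock a second time. Two separately named functions, one that takes the lock and one that documents that the caller already holds it, would make each call site self-explanatory and remove the bare 0/1 arguments.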
@@ -194,14 +206,9 @@ loser:
static PRBool
conn_connected(Repl_Connection *conn)
{
- PRBool return_value;
- PR_Lock(conn->lock);
- return_value = STATE_CONNECTED == conn->state;
- PR_Unlock(conn->lock);
- return return_value;
+ return conn_connected_locked(conn, 1);
}
-
/*
* Destroy a connection object.
*/
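Review bot: conn_connected now calls conn_connected_locked(conn, 1) and so no longer takes conn->lock itself, but the comment above it still only says it returns PR_TRUE when connected. Document the new precondition that the caller must hold conn->lock, and check every remaining caller, since any that was not updated in this patch now reads conn->state unlocked.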
@@ -243,7 +250,6 @@ conn_delete(Repl_Connection *conn)
if (slapi_eq_cancel(conn->linger_event) == 1)
{
/* Event was found and cancelled. Destroy the connection object. */
- PR_Unlock(conn->lock);
destroy_it = PR_TRUE;
}
else
@@ -254,16 +260,15 @@ conn_delete(Repl_Connection *conn)
* off, so arrange for the event to destroy the object .
*/
conn->delete_after_linger = PR_TRUE;
- PR_Unlock(conn->lock);
}
}
if (destroy_it)
{
conn_delete_internal(conn);
}
+ PR_Unlock(conn->lock);
}
-
/*
* Return the last operation type processed by the connection
* object, and the LDAP error encountered.
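Review bot: in conn_delete, PR_Unlock(conn->lock) now runs after conn_delete_internal(conn). The body of conn_delete_internal is not part of this diff; if it destroys conn->lock, this line unlocks a lock that no longer exists. Confirm that the lock outlives conn_delete_internal, or restructure so the unlock and the teardown of the lock cannot be reordered by a later change.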
@@ -327,17 +332,18 @@ conn_read_result_ex(Repl_Connection *conn, char **retoidp, struct berval **retda
while (!slapi_is_shutting_down())
{
/* we have to make sure the update sending thread does not
- attempt to call conn_disconnect while we are reading
+ attempt to close connection while we are reading
results - so lock the conn while we get the results */
PR_Lock(conn->lock);
+
if ((STATE_CONNECTED != conn->state) || !conn->ld) {
rc = -1;
return_value = CONN_NOT_CONNECTED;
PR_Unlock(conn->lock);
break;
}
-
rc = ldap_result(conn->ld, send_msgid, 1, &local_timeout, &res);
+
PR_Unlock(conn->lock);
if (0 != rc)
@@ -661,8 +667,10 @@ perform_operation(Repl_Connection *conn, int optype, const char *dn,
server_controls[1] = update_control;
server_controls[2] = NULL;
- /* lock the conn to prevent the result reader thread
- from closing the connection out from under us */
+ /*
+ * Lock the conn to prevent the result reader thread
+ * from closing the connection out from under us.
+ */
PR_Lock(conn->lock);
if (STATE_CONNECTED == conn->state)
{
@@ -804,7 +812,6 @@ conn_send_rename(Repl_Connection *conn, const char *dn,
NULL /* extop OID */, NULL /* extop payload */, message_id);
}
-
/*
* Send an LDAP extended operation.
*/
@@ -818,7 +825,6 @@ conn_send_extended_operation(Repl_Connection *conn, const char *extop_oid,
update_control, extop_oid, payload, message_id);
}
-
/*
* Synchronously read an entry and return a specific attribute's values.
* Returns CONN_OPERATION_SUCCESS if successful. Returns
@@ -838,6 +844,8 @@ conn_read_entry_attribute(Repl_Connection *conn, const char *dn,
LDAPMessage *res = NULL;
char *attrs[2];
+ PR_Lock(conn->lock);
+
PR_ASSERT(NULL != type);
if (conn_connected(conn))
{
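Review bot: conn_read_entry_attribute now takes conn->lock at the top and, per the function comment, reads the entry synchronously, so the lock is held for the full duration of a network round trip. Every other thread that needs conn->lock, including the result reader that locks around ldap_result, waits for that long. Make sure the search under the lock has a bounded timeout and say so in a comment. PR_Lock also sits before PR_ASSERT(NULL != type); moving the assert first keeps the argument check outside the critical section.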
@@ -860,7 +868,7 @@ conn_read_entry_attribute(Repl_Connection *conn, const char *dn,
}
else if (IS_DISCONNECT_ERROR(ldap_rc))
{
- conn_disconnect(conn);
+ close_connection_internal(conn);
return_value = CONN_NOT_CONNECTED;
}
else
@@ -878,10 +886,11 @@ conn_read_entry_attribute(Repl_Connection *conn, const char *dn,
{
return_value = CONN_NOT_CONNECTED;
}
+ PR_Unlock(conn->lock);
+
return return_value;
}
-
/*
* Return an pointer to a string describing the connection's status.
*/
@@ -892,8 +901,6 @@ conn_get_status(Repl_Connection *conn)
return conn->status;
}
-
-
/*
* Cancel any outstanding linger timer. Should be called when
* a replication session is beginning.
@@ -925,7 +932,6 @@ conn_cancel_linger(Repl_Connection *conn)
PR_Unlock(conn->lock);
}
-
/*
* Called when our linger timeout timer expires. This means
* we should check to see if perhaps the connection's become
@@ -957,7 +963,6 @@ linger_timeout(time_t event_time, void *arg)
}
}
-
/*
* Indicate that a session is ending. The linger timer starts when
* this function is called.
@@ -995,8 +1000,6 @@ conn_start_linger(Repl_Connection *conn)
PR_Unlock(conn->lock);
}
-
-
/*
* If no connection is currently active, opens a connection and binds to
* the remote server. If a connection is open (e.g. lingering) then
@@ -1015,10 +1018,14 @@ conn_connect(Repl_Connection *conn)
ConnResult return_value = CONN_OPERATION_SUCCESS;
int pw_ret = 1;
- /** Connection already open just return SUCCESS **/
- if(conn->state == STATE_CONNECTED) goto done;
-
PR_Lock(conn->lock);
+
+ /* Connection already open, just return SUCCESS */
+ if(conn->state == STATE_CONNECTED){
+ PR_Unlock(conn->lock);
+ return return_value;
+ }
+
if (conn->flag_agmt_changed) {
/* So far we cannot change Hostname and Port */
/* slapi_ch_free((void **)&conn->hostname); */
@@ -1033,7 +1040,6 @@ conn_connect(Repl_Connection *conn)
conn->port = agmt_get_port(conn->agmt); /* port could be updated */
slapi_ch_free((void **)&conn->plain);
}
- PR_Unlock(conn->lock);
creds = agmt_get_credentials(conn->agmt);
@@ -1174,6 +1180,7 @@ done:
{
close_connection_internal(conn);
}
+ PR_Unlock(conn->lock);
return return_value;
}
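Review bot: with PR_Unlock(conn->lock) placed only at done:, every path in conn_connect between the PR_Lock at the top and this label has to leave through done:, and the already-connected case added earlier in the patch carries its own unlock and return. A second label that only unlocks and returns would give all exits one unlock site and make a missed unlock on a future early return less likely.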
@@ -1209,7 +1216,6 @@ conn_disconnect(Repl_Connection *conn)
PR_Unlock(conn->lock);
}
-
/*
* Determine if the remote replica supports DS 5.0 replication.
* Return codes:
@@ -1226,6 +1232,7 @@ conn_replica_supports_ds5_repl(Repl_Connection *conn)
ConnResult return_value;
int ldap_rc;
+ PR_Lock(conn->lock);
if (conn_connected(conn))
{
if (conn->supports_ds50_repl == -1) {
@@ -1273,7 +1280,7 @@ conn_replica_supports_ds5_repl(Repl_Connection *conn)
if (IS_DISCONNECT_ERROR(ldap_rc))
{
conn->last_ldap_error = ldap_rc; /* specific reason */
- conn_disconnect(conn);
+ close_connection_internal(conn);
return_value = CONN_NOT_CONNECTED;
}
else
@@ -1293,10 +1300,11 @@ conn_replica_supports_ds5_repl(Repl_Connection *conn)
/* Not connected */
return_value = CONN_NOT_CONNECTED;
}
+ PR_Unlock(conn->lock);
+
return return_value;
}
-
/*
* Determine if the remote replica supports DS 7.1 replication.
* Return codes:
@@ -1313,6 +1321,7 @@ conn_replica_supports_ds71_repl(Repl_Connection *conn)
ConnResult return_value;
int ldap_rc;
+ PR_Lock(conn->lock);
if (conn_connected(conn))
{
if (conn->supports_ds71_repl == -1) {
@@ -1344,7 +1353,7 @@ conn_replica_supports_ds71_repl(Repl_Connection *conn)
if (IS_DISCONNECT_ERROR(ldap_rc))
{
conn->last_ldap_error = ldap_rc; /* specific reason */
- conn_disconnect(conn);
+ close_connection_internal(conn);
return_value = CONN_NOT_CONNECTED;
}
else
@@ -1364,6 +1373,8 @@ conn_replica_supports_ds71_repl(Repl_Connection *conn)
/* Not connected */
return_value = CONN_NOT_CONNECTED;
}
+ PR_Unlock(conn->lock);
+
return return_value;
}
@@ -1383,6 +1394,7 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn)
ConnResult return_value;
int ldap_rc;
+ PR_Lock(conn->lock);
if (conn_connected(conn))
{
if (conn->supports_ds90_repl == -1) {
@@ -1414,7 +1426,7 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn)
if (IS_DISCONNECT_ERROR(ldap_rc))
{
conn->last_ldap_error = ldap_rc; /* specific reason */
- conn_disconnect(conn);
+ close_connection_internal(conn);
return_value = CONN_NOT_CONNECTED;
}
else
@@ -1423,7 +1435,7 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn)
}
}
if (NULL != res)
- ldap_msgfree(res);
+ ldap_msgfree(res);
}
else
{
@@ -1435,6 +1447,8 @@ conn_replica_supports_ds90_repl(Repl_Connection *conn)
/* Not connected */
return_value = CONN_NOT_CONNECTED;
}
+ PR_Unlock(conn->lock);
+
return return_value;
}
@@ -1452,7 +1466,6 @@ conn_replica_is_readonly(Repl_Connection *conn)
}
}
-
/*
* Return 1 if "value" is a value of attribute type "type" in entry "entry".
* Otherwise, return 0.
@@ -1501,9 +1514,6 @@ attribute_string_value_present(LDAP *ld, LDAPMessage *entry, const char *type,
return return_value;
}
-
-
-
/*
* Read the remote server's schema entry, then read the local schema entry,
* and compare the nsschemacsn attribute. If the local csn is newer, or
@@ -1533,7 +1543,7 @@ conn_push_schema(Repl_Connection *conn, CSN **remotecsn)
return_value = CONN_OPERATION_FAILED;
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "NULL remote CSN\n");
}
- else if (!conn_connected(conn))
+ else if (!conn_connected_locked(conn, 0 /* not locked */))
{
return_value = CONN_NOT_CONNECTED;
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
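Review bot: conn_connected_locked(conn, 0 /* not locked */) in conn_push_schema takes and releases conn->lock just for the check, so the answer can be out of date by the time the rest of the function uses the connection. The other functions touched by this patch hold the lock across the whole operation; either do the same here or explain in a comment why a stale connected state is acceptable in this function.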
@@ -1699,6 +1709,7 @@ conn_push_schema(Repl_Connection *conn, CSN **remotecsn)
{
csn_free(&localcsn);
}
+
return return_value;
}
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index edc8267..08601bd 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -1011,8 +1011,8 @@ slapi_ldap_bind(
than the currently unused clientctrls */
ldap_get_option(ld, LDAP_OPT_CLIENT_CONTROLS, &clientctrls);
if (clientctrls && clientctrls[0] &&
- slapi_control_present(clientctrls, START_TLS_OID, NULL, NULL)) {
- secure = 2;
+ slapi_control_present(clientctrls, START_TLS_OID, NULL, NULL)) {
+ secure = 2;
} else {
#if defined(USE_OPENLDAP)
/* openldap doesn't have a SSL/TLS yes/no flag - so grab the
@@ -1051,12 +1051,12 @@ slapi_ldap_bind(
slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_bind",
"Set up conn to use client auth\n");
}
- bvcreds.bv_val = NULL; /* ignore username and passed in creds */
- bvcreds.bv_len = 0; /* for external auth */
- bindid = NULL;
+ bvcreds.bv_val = NULL; /* ignore username and passed in creds */
+ bvcreds.bv_len = 0; /* for external auth */
+ bindid = NULL;
} else { /* other type of auth */
- bvcreds.bv_val = (char *)creds;
- bvcreds.bv_len = creds ? strlen(creds) : 0;
+ bvcreds.bv_val = (char *)creds;
+ bvcreds.bv_len = creds ? strlen(creds) : 0;
}
if (secure == 2) { /* send start tls */
@@ -1084,31 +1084,29 @@ slapi_ldap_bind(
bindid, creds);
if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
NULL /* clientctrls */, &mymsgid))) {
- char *myhostname = NULL;
- char *copy = NULL;
+ char *hostname = NULL;
+ char *host_port = NULL;
char *ptr = NULL;
int myerrno = errno;
int gaierr = 0;
- ldap_get_option(ld, LDAP_OPT_HOST_NAME, &myhostname);
- if (myhostname) {
- ptr = strchr(myhostname, ':');
+ ldap_get_option(ld, LDAP_OPT_HOST_NAME, &host_port);
+ if (host_port) {
+ ptr = strchr(host_port, ':');
if (ptr) {
- copy = slapi_ch_strdup(myhostname);
- *(copy + (ptr - myhostname)) = '\0';
- slapi_ch_free_string(&myhostname);
- myhostname = copy;
+ hostname = slapi_ch_strdup(host_port);
+ *(hostname + (ptr - host_port)) = '\0';
}
}
-
if (0 == myerrno) {
struct addrinfo *result = NULL;
- gaierr = getaddrinfo(myhostname, NULL, NULL, &result);
+ gaierr = getaddrinfo(hostname, NULL, NULL, &result);
myerrno = errno;
if (result) {
freeaddrinfo(result);
}
}
+
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send bind request for id "
"[%s] authentication mechanism [%s]: error %d (%s), system error %d (%s), "
@@ -1119,8 +1117,9 @@ slapi_ldap_bind(
PR_GetError(), slapd_pr_strerror(PR_GetError()),
myerrno ? myerrno : gaierr,
myerrno ? slapd_system_strerror(myerrno) : gai_strerror(gaierr),
- myhostname ? myhostname : "unknown host");
- slapi_ch_free_string(&myhostname);
+ host_port ? host_port : "unknown host");
+ slapi_ch_free_string(&hostname);
+ slapi_ch_free_string(&host_port);
goto done;
}
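Review bot: host_port is filled in by ldap_get_option(ld, LDAP_OPT_HOST_NAME, &host_port) in the previous hunk but released here with slapi_ch_free_string(&host_port), as the removed line did for myhostname. Strings returned by ldap_get_option are normally released with ldap_memfree(), so please confirm the server allocator is compatible with the LDAP library's allocator in both the OpenLDAP and non-OpenLDAP builds, or switch this one call to ldap_memfree. Freeing hostname with slapi_ch_free_string is correct, since it comes from slapi_ch_strdup. Logging host_port rather than the truncated name is a good change because the port is now visible in the error.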
--
1.8.1.4

View file

@ -25,7 +25,7 @@
Summary: 389 Directory Server (base)
Name: 389-ds-base
Version: 1.3.1.6
Release: %{?relprefix}10%{?prerel}%{?dist}
Release: %{?relprefix}25%{?prerel}%{?dist}
License: GPLv2 with exceptions
URL: http://port389.org/
Group: System Environment/Daemons
@ -164,6 +164,53 @@ Patch46: 0047-Ticket-47585-Replication-Failures-related-to-skipped.patc
Patch47: 0048-Ticket-47581-Winsync-plugin-segfault-during-incremen.patch
Patch48: 0049-Ticket-47581-Winsync-plugin-segfault-during-incremen.patch
Patch49: 0050-Revert-Ticket-47559-hung-server-related-to-sasl-and-.patch
Patch50: 0051-Ticket-47605-CVE-2013-4485-DoS-due-to-improper-handl.patch
Patch51: 0052-Ticket-47622-Automember-betxnpreoperation-transactio.patch
Patch52: 0053-Ticket-47613-Impossible-to-configure-nsslapd-allowed.patch
Patch53: 0054-Ticket-47587-hard-coded-limit-of-64-masters-in-agree.patch
Patch54: 0055-Ticket-47597-Convert-retro-changelog-plug-in-to-betx.patch
Patch55: 0056-Ticket-47598-Convert-ldbm_back_seq-code-to-be-transa.patch
Patch56: 0057-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch
Patch57: 0058-Ticket-47599-Reduce-lock-scope-in-retro-changelog-pl.patch
Patch58: 0059-Ticket-47599-fix-memory-leak.patch
Patch59: 0060-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch
Patch60: 0061-Ticket-47596-attrcrypt-fails-to-find-unlocked-key.patch
Patch61: 0062-Ticket-47591-entries-with-empty-objectclass-attribut.patch
Patch62: 0063-Ticket-47614-Possible-to-specify-invalid-SASL-mechan.patch
Patch63: 0064-Ticket-47592-automember-plugin-task-memory-leaks.patch
Patch64: 0065-Ticket-47620-389-ds-rejects-nsds5ReplicaProtocolTime.patch
Patch65: 0066-Ticket-47613-Issues-setting-allowed-mechanisms.patch
Patch66: 0067-Ticket-47620-Fix-cherry-pick-error-for-1.3.2-and-1.3.patch
Patch67: 0068-Ticket-47620-Config-value-validation-improvement.patch
Patch68: 0069-Ticket-47620-Fix-logically-dead-code.patch
Patch69: 0070-Ticket-47620-Fix-dereferenced-NULL-pointer-in-agmtli.patch
Patch70: 0071-Ticket-47620-Fix-missing-left-bracket.patch
Patch71: 0072-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch
Patch72: 0073-Ticket-47606-replica-init-bulk-import-errors-should-.patch
Patch73: 0074-Ticket-47623-fix-memleak-caused-by-47347.patch
Patch74: 0075-Ticket-47623-fix-memleak-caused-by-47347.patch
Patch75: 0076-Ticket-47627-changelog-iteration-should-ignore-clean.patch
Patch76: 0077-Ticket-47627-Fix-replication-logging.patch
Patch77: 0078-Ticket-447-Possible-to-add-invalid-attribute-to-nssl.patch
Patch78: 0079-Ticket-47660-config_set_allowed_to_delete_attrs-Valg.patch
Patch79: 0080-Ticket-408-Fix-crash-when-disabling-enabling-the-set.patch
Patch80: 0081-Ticket-47620-Unable-to-delete-protocol-timeout-attri.patch
Patch81: 0082-Ticket-47516-replication-stops-with-excessive-clock-.patch
Patch82: 0083-Ticket-342-better-error-message-when-cache-overflows.patch
Patch83: 0084-Ticket-443-Deleting-attribute-present-in-nsslapd-all.patch
Patch84: 0085-Ticket-47649-Server-hangs-in-cos_cache-when-adding-a.patch
Patch85: 0086-Ticket-47374-flush.pl-is-not-included-in-perl5.patch
Patch86: 0087-Ticket-471-logconv.pl-tool-removes-the-access-logs-c.patch
Patch87: 0088-Ticket-47704-invalid-sizelimits-in-aci-group-evaluat.patch
Patch88: 0089-Ticket-47709-package-issue-in-389-ds-base.patch
Patch89: 0090-Ticket-47709-package-issue-in-389-ds-base.patch
Patch90: 0091-Ticket-408-create-a-normalized-dn-cache.patch
Patch91: 0092-Ticket-571-dup-47361-Empty-control-list-causes-LDAP-.patch
Patch92: 0093-Ticket-408-create-a-normalized-dn-cache.patch
Patch93: 0094-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch
Patch94: 0095-Ticket-47739-directory-server-is-insecurely-misinter.patch
Patch95: 0096-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch
Patch96: 0097-Ticket-47759-Crash-in-replication-when-server-is-und.patch
%description
389 Directory Server is an LDAPv3 compliant server. The base package includes
@ -264,6 +311,53 @@ cp %{SOURCE2} README.devel
%patch47 -p1
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch71 -p1
%patch72 -p1
%patch73 -p1
%patch74 -p1
%patch75 -p1
%patch76 -p1
%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
%patch81 -p1
%patch82 -p1
%patch83 -p1
%patch84 -p1
%patch85 -p1
%patch86 -p1
%patch87 -p1
%patch88 -p1
%patch89 -p1
%patch90 -p1
%patch91 -p1
%patch92 -p1
%patch93 -p1
%patch94 -p1
%patch95 -p1
%patch96 -p1
%build
%if %{use_openldap}
@ -390,8 +484,8 @@ fi
%{_unitdir}
%{_bindir}/*
%{_sbindir}/*
%{_libdir}/%{pkgname}/libns-dshttpd.so*
%{_libdir}/%{pkgname}/perl
%{_libdir}/%{pkgname}/python
%dir %{_libdir}/%{pkgname}/plugins
%{_libdir}/%{pkgname}/plugins/*.so
%dir %{_localstatedir}/lib/%{pkgname}
@ -412,8 +506,96 @@ fi
%doc LICENSE EXCEPTION LICENSE.GPLv2 README.devel
%dir %{_libdir}/%{pkgname}
%{_libdir}/%{pkgname}/libslapd.so.*
%{_libdir}/%{pkgname}/libns-dshttpd.so*
%changelog
* Thu Mar 31 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-25
- release 1.3.1.6-25
- Resolves: bug 1082740 - ns-slapd crash in reliability 15
* Thu Mar 13 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-24
- release 1.3.1.6-24
- Resolves: bug 1074084 - e_uniqueid fails to set if an entry is a conflict entry (Ticket 47735); regression - sub-type length in attribute type was mistakenly subtracted.
* Tue Mar 11 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-23
- Resolves: bug 1074850 - EMBARGOED CVE-2014-0132 389-ds-base: 389-ds: flaw in parsing authzid can lead to privilege escalation [rhel-7.0] (Ticket 47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind) (Added 0095-Ticket-47739-directory-server-is-insecurely-misinter.patch)
* Tue Mar 11 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-23
- release 1.3.1.6-22
- Resolves: bug 1074850 - EMBARGOED CVE-2014-0132 389-ds-base: 389-ds: flaw in parsing authzid can lead to privilege escalation [rhel-7.0] (Ticket 47739 - directory server is insecurely misinterpreting authzid on a SASL/GSSAPI bind)
* Mon Mar 10 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-22
- release 1.3.1.6-22
- Resolves: bug 1074084 - e_uniqueid fails to set if an entry is a conflict entry (Ticket 47735)
* Tue Feb 25 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-21
- release 1.3.1.6-21
- Resolves: bug 918694 - Fix covscan defect FORWARD_NULL (Ticket 408)
- Resolves: bug 918717 - Fix covscan defect COMPILER WARNINGS (Ticket 571)
* Tue Feb 25 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-20
- release 1.3.1.6-20
- Resolves: bug 1065242 - 389-ds-base, conflict occurs at yum installation if multilib_policy=all. (Ticket 47709)
* Tue Feb 18 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-19
- release 1.3.1.6-19
- Resolves: bug 1065971 - Enrolling a host into IdM/IPA always takes two attempts (Ticket 47704)
* Mon Feb 3 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-18
- release 1.3.1.6-18
- Resolves: bug 838656 - logconv.pl tool removes the access logs contents if "-M" is not correctly used (Ticket 471)
- Resolves: bug 922538 - improve dbgen rdn generation, output (Ticket 47374)
- Resolves: bug 970750 - flush.pl is not included in perl5 (Ticket 47374)
- Resolves: bug 1013898 - Fix various issues with logconv.pl (Ticket 471)
* Wed Jan 29 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-17
- release 1.3.1.6-17
- Resolves: bug 853106 - Deleting attribute present in nsslapd-allowed-to-delete-attrs returns Operations error (Ticket 443)
- Resolves: bug 1049525 - Server hangs in cos_cache when adding a user entry (Ticket 47649)
* Wed Jan 29 2014 Daniel Mach <dmach@redhat.com> - 1.3.1.6-16
- Mass rebuild 2014-01-24
* Tue Jan 21 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-15
- release 1.3.1.6-15
- Resolves: bug 918702 - better error message when cache overflows (Ticket 342)
- Resolves: bug 1009679 - replication stops with excessive clock skew (Ticket 47516)
- Resolves: bug 1042855 - Unable to delete protocol timeout attribute (Ticket 47620)
- Resolves: bug 918694 - Fix crash when disabling/enabling the setting (Ticket 408)
- Resolves: bug 853355 - config_set_allowed_to_delete_attrs: Valgrind reports Invalid read (Ticket 47660)
* Wed Jan 8 2014 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-14
- release 1.3.1.6-14
- Resolves: bug 853355 - Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs (Ticket 447)
- Resolves: bug 1034739 - Impossible to configure nsslapd-allowed-sasl-mechanisms (Ticket 47613)
- Resolves: bug 1038639 - 389-ds rejects nsds5ReplicaProtocolTimeout attribut; Fix logically dead code; Fix dereferenced NULL pointer in agmtlist_modify_callback(); Fix missing left brackete (Ticket 47620)
- Resolves: bug 1042855 - nsds5ReplicaProtocolTimeout attribute is not validated when added to replication agreement; Config value validation improvement (Ticket 47620)
- Resolves: bug 918717 - server does not accept 0 length LDAP Control sequence (Ticket 571)
- Resolves: bug 1034902 - replica init/bulk import errors should be more verbose (Ticket 47606)
- Resolves: bug 1044219 - fix memleak caused by 47347 (Ticket 47623)
- Resolves: bug 1049522 - Crash after replica is installed; Fix cherry-pick error for 1.3.2 and 1.3.1 (Ticket 47620)
- Resolves: bug 1049568 - changelog iteration should ignore cleaned rids when getting the minCSN (Ticket 47627)
* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 1.3.1.6-13
- Mass rebuild 2013-12-27
* Tue Dec 10 2013 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-12
- release 1.3.1.6-12
- Resolves: bug 1038639 - 389-ds rejects nsds5ReplicaProtocolTimeout attribute (Ticket 47620)
- Resolves: bug 1034898 - automember plugin task memory leaks (Ticket 47592)
- Resolves: bug 1034451 - Possible to specify invalid SASL mechanism in nsslapd-allowed-sasl-mechanisms (Ticket 47614)
- Resolves: bug 1032318 - entries with empty objectclass attribute value can be hidden (Ticket 47591)
- Resolves: bug 1032316 - attrcrypt fails to find unlocked key (Ticket 47596)
- Resolves: bug 1031227 - Reduce lock scope in retro changelog plug-in (Ticket 47599)
- Resolves: bug 1031226 - Convert ldbm_back_seq code to be transaction aware (Ticket 47598)
- Resolves: bug 1031225 - Convert retro changelog plug-in to betxn (Ticket 47597)
- Resolves: bug 1031223 - hard coded limit of 64 masters in agreement and changelog code (Ticket 47587)
- Resolves: bug 1034739 - Impossible to configure nsslapd-allowed-sasl-mechanisms (Ticket 47613)
- Resolves: bug 1035824 - Automember betxnpreoperation - transaction not aborted when group entry does not exist (Ticket 47622)
* Thu Nov 21 2013 Rich Megginson <rmeggins@redhat.com> - 1.3.1.6-11
- Resolves: bug 1024979 - CVE-2013-4485 389-ds-base: DoS due to improper handling of ger attr searches
* Tue Nov 12 2013 Rich Megginson <rmeggins@redhat.com> - 1.3.1.6-10
- release 1.3.1.6-10
- Resolves: bug 1018893 DS91: ns-slapd stuck in DS_Sleep
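Review bot: The first added changelog entry is dated "Thu Mar 31 2014", but 31 March 2014 was a Monday. This is the same kind of bogus weekday that the last hunk of this spec diff corrects for the Aug 01 2013 entry, and rpmbuild warns about such dates. The two entries headed 1.3.1.6-23 on Tue Mar 11 are also inconsistent: the second says "release 1.3.1.6-22" in its body and repeats the CVE-2014-0132 "Resolves" line, while the Mon Mar 10 entry already covers 1.3.1.6-22. Please merge the duplicate or fix its version, so the changelog states unambiguously which release first carried the Ticket 47739 authzid fix.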
@ -476,7 +658,7 @@ fi
- Resolves Bug 1000633 - ns-slapd crash due to bogus DN
- Ticket #47488 - Users from AD sub OU does not sync to IPA
* Tue Aug 01 2013 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-1
* Thu Aug 01 2013 Noriko Hosoi <nhosoi@redhat.com> - 1.3.1.6-1
- bump version to 1.3.1.6
- Ticket 47455 - valgrind - value mem leaks, uninit mem usage
- fix coverity 11915 - dead code - introduced with fix for ticket 346