[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master] 33 commits: Ticket 50165 - Fix issues with dscreate

Timo Aaltonen gitlab at salsa.debian.org
Wed Apr 24 13:53:15 BST 2019

Timo Aaltonen pushed to branch master at FreeIPA packaging / 389-ds-base

0036226b by Mark Reynolds at 2019-02-01T15:39:20Z
Ticket 50165 - Fix issues with dscreate

Bug Description:  The install would fail under these two conditions:

                   [1]  You do not specify a secure port, even if not using TLS
                   [2]  The suffix has a space after a comma.

Fix Description:  If the secure port is not specified set it to the default,
                  and normalize the suffix DN


Reviewed by: ?

- - - - -
98bfccc8 by Thierry Bordaz at 2019-02-01T15:43:50Z
Ticket 50177 - import task should not be deleted too rapidly after import finishes to be able to query the status

Bug Description:
	scripts that create online import and export tasks do not define a Time To Live of the tasks.
	As a consequence the task entry is cleared 2min (default value) after task completion.
	This is too rapid and some admin scripts may miss the final task status.

Fix Description:
	The fix is to keep the entry of completed online import and export tasks for 1 day.
	It also defines a default TTL of 1h (instead of 2min)


Reviewed by: Mark Reynolds

Platforms tested: F27

Flag Day: no

Doc impact: no

- - - - -
70cac1b1 by Thierry Bordaz at 2019-02-05T15:01:52Z
Ticket 49658 - In replicated topology a single-valued attribute can diverge

Bug Description:
	When deleting a specific value of a single valued attribute,
	the deleted value can be erroneously resurrected.

Fix Description:
	This second fix is a rewrite of entry state resolution.
	The original function (resolve_attribute_state_single_valued) implemented
	a main algorithm but it was heavily merged with resolution of specific cases.
	It was too difficult to make the function understandable while preserving
	the handling of the specific cases.
	The risk of that rewrite fix is that I can not guarantee it fully covers
	the set of specific cases


Reviewed by: William Brown (Thanks !!)

Platforms tested: F27

Flag Day: no

Doc impact: no

- - - - -
6f87fab4 by Thierry Bordaz at 2019-02-06T12:54:53Z
Ticket 49873 - Contention on virtual attribute lookup

Bug Description:
	During lookup of the virtual attribute table (filter evaluation and returned attribute)
	the lock is acquired many times in read. For example it is acquired for each targetfilter aci and for
	each evaluated entry.
	Unfortunately RW lock is expensive and appears frequently on pstacks.
	The lock exists because the table can be updated but update is very rare (addition of a new service provider).
	So it slows down general proceeding for exceptional events.

Fix Description:
	The fix is to acquire/release the read lock at the operation level and set a per-cpu flag, so that later lookup
	would just check the flag.


Reviewed by: Ludwig Krispenz, William Brown (thanks !!)

Platforms tested: F27

Flag Day: no

Doc impact: no

- - - - -
ba02f5a6 by Mark Reynolds at 2019-02-07T17:10:33Z
Ticket 50155 - password history check has no way to just check the current password

Description:  Currently if you set passwordinhistory 1, it checks the last
              recorded password and the current password.  To get it to just
              check the current password we need to allow "0" in passwordinhistory.
              Then only check the current password, and not the entry's
              passwordHistory attributes (if any).

              Also added new "rebind" function to Accounts class to "rebind"
              on the current connection.


Reviewed by: firstyear & spichugi (Thanks!!)

- - - - -
f19f2793 by William Brown at 2019-02-08T00:56:44Z
Ticket 50151 - lib389 support cli add/replace/delete on objects

Bug Description: We need a generic way to add/replace/delete on
objects, that is not ldif. Ldif is wildly inaccessible and hard
to use.

Fix Description: Add a "modify" generic to cli_base, that is
used by user. It supports a syntax of:

modify <selector> <add|replace|delete>:<attr>:<value>

An example is:

... user modify demo_user add:objectclass:nsMemberOf

These can have many modifications in a single transaction:

user modify demo_user add:objectclass:nsMemberOf add:description:test


Author: William Brown <william at blackhats.net.au>

Review by: spichugi, mreynolds, lkrispen (Thanks!)

- - - - -
ea24c43a by Mark Reynolds at 2019-02-26T14:23:33Z
Ticket 50236 - memberOf should be more robust

Bug Description:  When doing a modrdn, or any memberOf update, if the entry
                  already has the memberOf attribute with the same value
                  the operation is incorrectly rejected.

Fix Description:  If we get an error 20 (type or value exists) return success.

                  Also fixed a coding mistake that causes the wrong error
                  code to be returned.  This also required fixing the CI
                  test to check for the new correct error code.


Reviewed by:  firstyear, spichugi, and tbordaz (Thanks!!!)

- - - - -
a0639843 by Mark Reynolds at 2019-02-26T14:31:57Z
Ticket 50238 - Failed modrdn can corrupt entry cache

Bug Description:  Under certain conditions (found under IPA) when a backend
                  transaction plugin fails and causes a modrdn operation to
                  fail the entry cache no longer contains the original/pre
                  entry, but instead it has the post modrdn'ed entry with
                  the original entry's ID

Fix Description:  Upon failure, if the post entry is in the cache, then swap
                  it out with the original entry.


Reviewed by: firstyear, spichugi, & tbordaz (Thanks!!!)

- - - - -
6e95c659 by Mark Reynolds at 2019-02-27T21:32:50Z
Ticket 50215 - UI - implement Database Tab in ReactJS

Description:  Implement database tab in ReactJS.


Reviewed by: spichugi & firstyear (Thanks!!)

- - - - -
0f785304 by Ludwig Krispenz at 2019-03-06T11:40:58Z
Ticket 50232 - export creates not importable ldif file

Bug: If the RUV entry has a smaller entryid than the suffix entry it will be
	exported before the suffix. If that ldif is used for import the RUV entry
	is skipped and a new one generated with a different database generation

Fix: Before exporting the RUV check that the suffix is already exported, if not
	make the RUV entry pending and write it after all other entries

Reviewed by: tbordaz, wbrown. Thanks

- - - - -
0654777e by Ludwig Krispenz at 2019-03-06T11:41:40Z
Ticket 50234 - one level search returns not matching entry

Bug: if in a onelevel search the IDList for the parentid is smaller than the filter
	threshold and smaller than the list generated by the search filter
	then the intersection is aborted and all children are returned.

Fix: In the above case we need to set the flag that the filter evaluation
	cannot be bypassed

Reviewed by: William, Thierry. Thanks

- - - - -
951c499d by Mark Reynolds at 2019-03-11T16:28:40Z
Ticket 50273 - reduce default replication agmt timeout

Description:  The default timeout of 10 minutes is just too long.
              Change default to 2 minutes.


Reviewed by: tbordaz(Thanks!)

(cherry picked from commit a703d1017716159f9c84b2c8f6fb0246f9a6a8a8)

- - - - -
1f15e966 by Simon Pichugin at 2019-03-13T13:25:31Z
Issue 50041 - Add CLI functionality for special plugins

Description: Add the functionality for
account-policy, attr-uniq, automember, dna, linked-attr,
managed-entries, memberof, pass-through-auth, refer-init,
retro-changelog, root-dn, usn commands.
Make DSLdapObject create an entry with only DN and attributes
(cases when RDN is not specified).
Fix two small typos in pwpolicy CLI's arguments.
Port test for DNA plugin.


Reviewed by: wibrown, mreynolds, mhonek (Thanks!)

(cherry picked from commit 46e28cb4229f590c225f2a52bc8169e6fcc2d65b)

- - - - -
09b5a2c3 by Mark Reynolds at 2019-03-14T04:50:18Z
Ticket 50260 - backend txn plugins can corrupt entry cache

Bug Description:  If a nested backend txn plugin fails, any updates
                  it made that went into the entry cache still persist
                  after the database transaction is aborted.

Fix Description:  In order to be sure the entry cache is not corrupted
                  after a backend txn plugin failure we need to flush
                  all the cache entries that were added to the cache
                  after the parent operation was started.

                  To do this we record the start time of the original operation,
                  (or parent operation), and we record the time any entry
                  is added to the cache.  Then on failure we do a comparison
                  and remove the entry from the cache if it's not in use.
                  If it is in use we add an "invalid" flag which triggers
                  the entry to be removed when the cache entry is returned
                  by the owner.


CI tested and ASAN approved.

Reviewed by: firstyear, tbordaz, and lkrispen (Thanks!!!)

(cherry picked from commit 7ba8a80cfbaed9f6d727f98ed8c284943b3295e1)

- - - - -
b998fed9 by Thierry Bordaz at 2019-03-14T10:58:16Z
Ticket 49873: (cont) Contention on virtual attribute lookup

Bug Description:
	The previous fix was incomplete.
	It created the thread private counter before the fork.
	The daemon process was not inheriting it.

	There is a possibility that a callback of an internal search
	tries to update the map. (cos thread monitoring cos definition)
	In such case the RW lock was first acquired in read at the top level
	of the internal search, then later the callback tries to acquire it in write.
	This created a deadlock.

	It stored in the private counter a value (int) rather than the address
	of the value (int*).

Fix Description:
	The fix consists of creating the thread private counter after the daemon creation.
	In addition, when acquiring the lock in write, if the lock was already acquired
	at the top level (in read), it releases the lock and resets the counter. Then acquires
	the lock in write.
	In the opposite case, when releasing the lock in read, if the lock was not already acquired
	it assumes it was acquired in write and does nothing


Reviewed by: Mark Reynolds, William Brown (thanks !!)

Platforms tested: F30

Flag Day: no

Doc impact: no

- - - - -
ada0f84b by Thierry Bordaz at 2019-03-15T10:38:24Z
Ticket 50282 - OPERATIONS ERROR when trying to delete a group with automember members

Bug Description:
	When automember and memberof are enabled, if a user is member of a group
	because of an automember rule. Then when the group is deleted,
	memberof updates the member (to update 'memberof' attribute) that
	triggers automember to reevaluate the automember rule and add the member
	to the group. But at this time the group is already deleted.
	Chaining back the failure up to the top level operation the deletion
	of the group fails

Fix Description:
	The fix consists to check that if an automember rule tries to add a user
	in a group, then to check that the group exists before updating it.


Reviewed by: Mark Reynolds, William Brown

Platforms tested: F29

Flag Day: no

Doc impact: no

- - - - -
4ab9bd59 by Mark Reynolds at 2019-03-15T14:12:44Z
Ticket 50077 - Do not automatically turn automember postop modifies on

Description:  Although we have set the new postop processing on by
              default in the template-dse.ldif, we do not want to
              enable it by default for upgrades (only new installs).

              So if the attribute is not set, it is assumed "off".


Reviewed by: firstyear(Thanks!)

(cherry picked from commit d318d060f49b67ed1b10f22b52f98e038afa356a)

- - - - -
906e093f by Thierry Bordaz at 2019-03-18T13:50:31Z
Ticket 49561 - MEP plugin, upon direct op failure, will delete twice the same managed entry

Bug Description:
	When a failure occurs during betxn_post plugin callback, the betxn_post plugins are called again.
	This is to process some kind of undo action (for example usn or dna that manage counters).

	If MEP plugin is called for a managing entry, it deletes the managed entry (that becomes a tombstone).
	If later another betxn_postop fails, then MEP is called again.
	But as it does not detect the operation failure (for DEL and ADD), then it tries again
	to delete the managed entry that is already a tombstone.

Fix Description:
	The MEP betxn_post plugin callbacks (ADD and DEL) should catch the operation failure
	and return.
	It is already in place for MODRDN and MOD.


Reviewed by: Mark Reynolds, thanks !!

Platforms tested: F28

Flag Day: no

Doc impact: no

- - - - -
67aaee47 by Mark Reynolds at 2019-03-18T16:45:39Z
Ticket 50260 - Invalid cache flushing improvements

Description:  The original version of the fix only checked if backend
              transaction "post" operation plugins failed, but it did
              not check for errors from the backend transaction "pre"
              operation plugin.  To address this we flush invalid
              entries whenever any error occurs.

              We were also not flushing invalid cache entries when
              modrdn errors occurred.  Modrdns only make changes to
              the DN hashtable inside the entry cache, but we were only
              checking the ID hashtable.  So we also need to check the
              DN hashtable in the entry cache for invalid entries.


Reviewed by: firstyear & tbordaz(Thanks!!)

(cherry picked from commit 33fbced25277b88695bfba7262e606380e9d891f)

- - - - -
c01d34cf by Ludwig Krispenz at 2019-03-21T08:29:16Z
Ticket 50265: the warning about skew time could last forever

Bug: if the local system time is set back more than 300 seconds
	a warning about too much time skew is logged and the sampled
	time is updated. This adjustment is done at every write operation
	and can increase the time skew and be logged infinitely

Fix: the intention of the adjustment was to avoid a roll over of seq_num
	if the sampled time is not increased for more than 65k operations.
	But this is already handled with an explicit check for seq_num
	rollover. The extra adjustment for negative time skew can be removed.

Reviewed by: Thierry, William. Thanks.

- - - - -
f3aa0a60 by Timo Aaltonen at 2019-03-21T14:53:48Z
control: Drop 389-ds-base from -legacy-tools Depends. (Closes: #924265)

- - - - -
f57f72c2 by Timo Aaltonen at 2019-03-21T15:02:05Z
fix-dsctl-remove.diff: Don't hardcode sysconfig. (Closes: #925221)

- - - - -
d55de4d5 by Mark Reynolds at 2019-03-22T20:38:57Z
Ticket 50300 - Fix memory leak in automember plugin

Description:  We were allocating a pblock long before it was used, and
              we were returning from the function on an error before we
              freed it.  The fix just allocates the pblock right before
              it's used, and then it is properly freed.


Reviewed by: mreynolds (one line commit rule)

(cherry picked from commit 37f919a79a719c485742bb0bc2e09d8b2018a2b6)

- - - - -
e568d474 by Mark Reynolds at 2019-03-25T15:34:21Z
Ticket 50289 - Fix various database UI issues


Fixed these issues:

- https://bugzilla.redhat.com/show_bug.cgi?id=1664621 - backup freezes when no suffix present

- https://bugzilla.redhat.com/show_bug.cgi?id=1685395 - Perform Backup fails when Backend Name is not configured

- https://bugzilla.redhat.com/show_bug.cgi?id=1688587 - typo when restarting instance

- https://bugzilla.redhat.com/show_bug.cgi?id=1688775 - db tree breaks when suffix contains spaces.

- https://bugzilla.redhat.com/show_bug.cgi?id=1688919 - backups fail with empty name

Also fixed issue where if you start an instance in UI the configuration is correctly loaded.


Reviewed by: spichugi(Thanks!)

- - - - -
2b689f8b by Simon Pichugin at 2019-03-26T22:19:55Z
Issue 50292 - Fix Plugin CLI and UI issues

Description: Fix 'All plugins' tab rendering issue.
Fix nsds5replicalastinitstatus typo.
Fix generic_object_add logic for cases when RDN is in props and BaseDN is supplied.
Add Posix Winsync API plugin
Add PAM PTA plugin
Fix underscore issues in plugin arguments.
Fix Linked Attribute plugin Fixup task arguments and name.
Change a 'print()' function to a 'log.info()' function.


Reviewed by: mreynolds, wibrown (Thanks!)

- - - - -
74490fb2 by Thierry Bordaz at 2019-03-27T09:35:35Z
Ticket 49873 - (cont 2nd) Contention on virtual attribute lookup

Bug Description:
	SSL initialization does internal searches that access the vattr_global_lock
	Thread private counter needs to be initialized by that time.
	Currently it is initialized after SSL init.

	Second problem was a leak of one 'int' per worker. It was used to keep the private counter.

Fix Description:
	Call of vattr_global_lock_create needs to be called before slapd_do_all_nss_ssl_init.
	Also, 'main' may or may not fork, the initialization of the thread private variable
	is done either on the child or parent depending if main forks or not.

	The leak is fixed using a destructor callback of the private variable and so
	call PR_SetThreadPrivate only if there is no private variable.


Reviewed by: Mark Reynolds, Simon Pichugin (thanks)

Platforms tested: F28

Flag Day: no

Doc impact: no

Ticket foo

- - - - -
f7d71790 by Thierry Bordaz at 2019-03-28T17:15:01Z
Ticket 49873 - (cont 3rd) cleanup debug log

- - - - -
85c3c304 by Mark Reynolds at 2019-03-29T13:20:58Z
Ticket 50308 - Fix memory leaks for repeat binds and replication

Description:  Fixed two memory leaks:

    - If a worker thread had multiple binds the "bind dn"
      thread data was leaked.
    - Memory leak when processing changes in the changelog


Reviewed by: firstyear(Thanks!)

(cherry picked from commit 6c2bb66f15d7ab8ab079effc66e0705c2513b1fd)

- - - - -
11430afd by Mark Reynolds at 2019-03-29T19:01:57Z
Ticket 50308 - Revise memory leak fix

Description:  Turns out the previous commit did not address
              the changelog leak, and it introduced a compiler
              warning.  This part of the fix is being reverted.

(cherry picked from commit 1808f317d5ef240fd0ac3947fcb90a895e46b436)

- - - - -
9d84a40d by Mark Reynolds at 2019-03-29T19:40:43Z
Bump version to

- - - - -
b471f966 by Timo Aaltonen at 2019-04-03T06:44:07Z
Merge branch 'upstream'

- - - - -
9e4432a2 by Timo Aaltonen at 2019-04-03T06:44:52Z
bump changelog

- - - - -
bc662300 by Timo Aaltonen at 2019-04-24T09:04:15Z
releasing package 389-ds-base version

- - - - -

30 changed files:

- debian/changelog
- debian/control
- + debian/patches/fix-dsctl-remove.diff
- debian/patches/series
- dirsrvtests/tests/suites/automember_plugin/automember_test.py
- dirsrvtests/tests/suites/betxns/betxn_test.py
- dirsrvtests/tests/suites/memberof_plugin/regression_test.py
- dirsrvtests/tests/suites/password/pwp_history_test.py
- dirsrvtests/tests/suites/plugins/acceptance_test.py
- + dirsrvtests/tests/suites/plugins/dna_test.py
- − dirsrvtests/tests/tickets/ticket47937_test.py
- + dirsrvtests/tests/tickets/ticket49658_test.py
- + dirsrvtests/tests/tickets/ticket50232_test.py
- + dirsrvtests/tests/tickets/ticket50234_test.py
- ldap/admin/src/scripts/db2ldif.pl.in
- ldap/admin/src/scripts/ldif2db.pl.in
- ldap/servers/plugins/automember/automember.c
- ldap/servers/plugins/memberof/memberof.c
- ldap/servers/plugins/mep/mep.c
- ldap/servers/plugins/replication/cl5_clcache.c
- ldap/servers/plugins/replication/repl5_agmt.c
- ldap/servers/slapd/back-ldbm/back-ldbm.h
- ldap/servers/slapd/back-ldbm/backentry.c
- ldap/servers/slapd/back-ldbm/cache.c
- ldap/servers/slapd/back-ldbm/idl_set.c
- ldap/servers/slapd/back-ldbm/ldbm_add.c
- ldap/servers/slapd/back-ldbm/ldbm_delete.c
- ldap/servers/slapd/back-ldbm/ldbm_modify.c
- ldap/servers/slapd/back-ldbm/ldbm_modrdn.c

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/compare/a80a850dbf8483a40a6f1638de0c2f625908beb5...bc66230085f8d982375a7919b9e729e93d5cd35f
