[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][upstream] 192 commits: Bump version to

Timo Aaltonen gitlab at salsa.debian.org
Wed Jul 10 08:24:26 BST 2019

Timo Aaltonen pushed to branch upstream at FreeIPA packaging / 389-ds-base

abdf8aab by Mark Reynolds at 2019-01-24T17:01:02Z
Bump version to

- - - - -
614ab2a2 by Simon Pichugin at 2019-01-28T17:32:26Z
Issue 50041 - CLI and WebUI - Add memberOf plugin functionality

Description: Add the main functionality to memberOf plugin tab.
Increase the eslint max line length from 80 to 100.
Rework plugin properties to be more compact.
Eslint webpack config. Add react-bootstrap-typeahead for
multivalued attributes. Fix the word 'successfully' typos.


Reviewed by: mreynolds, wibrown (Thanks!)

- - - - -
341eeabd by William Brown at 2019-01-28T22:40:35Z
Ticket 50151 - lib389 support cli add/replace/delete on objects

Bug Description: We need a generic way to add/replace/delete on
objects, that is not ldif. Ldif is wildly inaccessible and hard
to use.

Fix Description: Add a "modify" generic to cli_base, that is
used by user. It supports a syntax of:

modify <selector> <add|replace|delete>:<attr>:<value>

An example is:

... user modify demo_user add:objectclass:nsMemberOf

These can have many modifications in a single transaction:

user modify demo_user add:objectclass:nsMemberOf add:description:test


Author: William Brown <william at blackhats.net.au>

Review by: spichugi, mreynolds, lkrispen (Thanks!)
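
The `<add|replace|delete>:<attr>:<value>` syntax from the commit message above, as an added example that is not part of the commit or of lib389: a stand-alone parser that splits on the first two colons only and applies a batch to an in-memory entry all-or-nothing. The function names, the dict-based entry and the exact-string value comparison are assumptions made for illustration.

```python
"""Added example (not lib389 code): parse and apply modify specs."""

ACTIONS = ("add", "replace", "delete")


def parse_mod(spec):
    """Split one '<action>:<attr>:<value>' spec into a tuple.

    Only the first two colons are separators, so a value that itself
    contains colons (a URL, a timestamp) is kept intact.
    """
    parts = spec.split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"expected <action>:<attr>:<value>, got {spec!r}")
    action, attr, value = parts
    action = action.lower()
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r} in {spec!r}")
    if not attr or not value:
        raise ValueError(f"empty attribute or value in {spec!r}")
    # Attribute names are case-insensitive in LDAP; normalise to lower case.
    return action, attr.lower(), value


def apply_mods(entry, specs):
    """Apply every spec to a copy of `entry` and return the copy.

    All specs are parsed before anything is changed, and the caller's
    entry is never touched, so a bad spec or a failing modification
    leaves the original as it was (the single-transaction behaviour).
    Values are compared as exact strings (assumption: a real server
    applies the attribute's matching rule instead).
    """
    mods = [parse_mod(s) for s in specs]
    work = {k.lower(): list(v) for k, v in entry.items()}
    for action, attr, value in mods:
        values = work.setdefault(attr, [])
        if action == "add":
            if value in values:
                raise ValueError(f"{attr}: value {value!r} already exists")
            values.append(value)
        elif action == "replace":
            work[attr] = [value]
        else:  # delete
            if value not in values:
                raise ValueError(f"{attr}: no such value {value!r}")
            values.remove(value)
        if not work[attr]:
            del work[attr]  # an attribute with no values does not exist
    return work


if __name__ == "__main__":
    # Constructed sample entry, not taken from a real directory.
    demo_user = {"uid": ["demo_user"], "objectClass": ["top", "nsPerson"]}
    updated = apply_mods(
        demo_user,
        ["add:objectclass:nsMemberOf", "add:description:test"],
    )
    for name, vals in sorted(updated.items()):
        print(name, vals)
```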

- - - - -
af9bb720 by Mark Reynolds at 2019-01-30T20:08:52Z
Bump version to

- - - - -
ae39d1f0 by William Brown at 2019-02-01T00:48:39Z
Ticket 50159 - sssd and config display

Bug Description: It can be very hard and confusing for an admin
when they first start with LDAP to know how to configure clients
both generic, ldapcli tools or sssd.

Fix Description: Add a subcommand to dsidm that allows generation
of example configs for ldap.conf, sssd.conf and generic display
of parameters for LDAP clients. These have been tested to work on
SUSE and Fedora, and they are well commented to advise admins
to review and improve the configurations.


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
1c5f0605 by William Brown at 2019-02-01T00:50:00Z
Ticket 50184 - Add cli tool parity to dsconf/dsctl

Bug Description: As we are removing the shell/perl tools, we need
to have functional parity with the existing tools. This adds the
final tools needed to make that equivalent.

Fix Description: Add support for dbverify, linkedattr fixup and
a monitoring tool.


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds (thanks!)

- - - - -
84dba178 by William Brown at 2019-02-01T00:51:59Z
Ticket 50140 - Use high ports in container installs

Bug Description: Out of the box, linux and containers don't
have the required root permissions to use ports below 1024.
We can't expect admins to change this, so we should configure
ourselves on high ports in container installs.

Fix Description: Add containised argument to slapd2base
options, and pass it as required for example file and
installer sections.


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
cd908573 by Thierry Bordaz at 2019-02-01T14:42:54Z
Ticket 50177 - import task should not be deleted too rapidly after import finishes to be able to query the status

Bug Description:
	scripts that create online import and export tasks do not define a Time To Life of the tasks.
	As a consequence the task entry is cleared 2min (default value) after task completion.
	This is too rapid and some admin scripts may miss the final task status.

Fix Description:
	The fix is to keep the entry of completed online import and export tasks for 1 day.
	It also defines a default TTL of 1h (instead of 2min)


Reviewed by:

Platforms tested: F27

Flag Day: no

Doc impact: no

- - - - -
9408b94d by Mark Reynolds at 2019-02-01T15:37:23Z
Ticket 50165 - Fix issues with dscreate

Bug Description:  The install would fail under these two conditions:

                   [1]  You do not specify a secure port, even if not using TLS
                   [2]  The suffix has a space after a comma.

Fix Description:  If the secure port is not specified set it to the default,
                  and normalize the suffix DN


Reviewed by: ?

- - - - -
24271fe6 by Hugh McMaster at 2019-02-03T06:58:57Z
Ticket 50111: Use pkg-config to detect icu

Use of icu-config is deprecated upstream and no longer supported
in Debian, Ubuntu and Linux Mint.

Signed-off-by: Hugh McMaster <hugh.mcmaster at outlook.com>

- - - - -
e09725e7 by Thierry Bordaz at 2019-02-05T14:19:49Z
Ticket 49658 - In replicated topology a single-valued attribute can diverge

Bug Description:
	When deleting a specific value of a single valued attribute,
	the deleted value can be erroneously resurrected.

Fix Description:
	This second fix is a rewrite of entry state resolution.
	The original function (resolve_attribute_state_single_valued) implemented
	a main algorithm but it was heavily merged with resolution of specific cases.
	It was too difficult to make the function understandable and preserving
	the handling of the specific cases.
	The risk of that rewrite fix is that I can not guarantee it fully covers
	the set of specific cases


Reviewed by: William Brown (Thanks !!)

Platforms tested: F27

Flag Day: no

Doc impact: no

- - - - -
d8a94c28 by William Brown at 2019-02-06T00:16:42Z
Ticket 50195 - improve selinux error messages in interactive

Bug Description: During an interactive install, the selinux
module if not found would produce many error messages that
were not necessary.

Fix Description: Warn the user at the start of the install
that selinux isn't found, and allow them to continue


Author: William Brown <william at blackhats.net.au>

Review by: spichugi (Thanks!)

- - - - -
ff94e562 by William Brown at 2019-02-06T00:19:28Z
Ticket 50197 - Container integration improvements

Bug Description: During the container integration process
I have noticed a small number of remaining issues.

Fix Description:
* dm password is left as randomised in container install
* nss_ssl only removes dir content, not the directory itself
* basic tests rely on incorrect assumptions about file perms,
  hostnames and ports.


Author: William Brown <william at blackhats.net.au>

Review by: spichugi (Thanks!)

- - - - -
e580506d by Thierry Bordaz at 2019-02-06T12:41:22Z
Ticket 49873 - Contention on virtual attribute lookup

Bug Description:
	During lookup of the virtual attribute table (filter evaluation and returned attribute)
	the lock is acquired many times in read. For example it is acquired for each targetfilter aci and for
	each evaluated entry.
	Unfortunately RW lock is expensive and appears frequently on pstacks.
	The lock exists because the table can be updated but update is very rare (addition of a new service provider).
	So it slows down general proceeding for exceptional events.

Fix Description:
	The fix is to acquire/release the read lock at the operation level and set a per-cpu flag, so that later lookup
	would just check the flag.


Reviewed by: Ludwig Krispenz, William Brown (thanks !!)

Platforms tested: F27

Flag Day: no

Doc impact: no

- - - - -
cab38f97 by Mark Reynolds at 2019-02-07T17:07:17Z
Ticket 50155 - password history check has no way to just check the current password

Description:  Currently if you set passwordinhistory 1, it checks the last
              recorded password and the current password.  To get it to just
              check the current password we need to allow "0" in passwordinhistory.
              Then only check the current password, and not the entry's
              passwordHistory attributes (if any).

              Also added new "rebind" function to Accounts class to "rebind"
              on the current connection.


Reviewed by: firstyear & spichugi (Thanks!!)

- - - - -
d68b131e by Anuj Borah at 2019-02-11T06:49:36Z
Issue:50211 - Making an actual Anonymous type in lib389/idm/account.py

Making an actual Anonymous type in lib389/idm/account.py


Reviewed by: William Brown

- - - - -
8e2da5db by William Brown at 2019-02-11T22:26:39Z
Ticket 50199 - disable perl by default

Bug Description: Our python lib389 tools have become much
more mature. We should disable perl by default as it's really
not maintained, and deprecated, so we should stop emitting it
by default. It can still be enabled with --enable-perl to
./configure, but we just discourage it.

Fix Description: Turn yes to no.


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds, mhonek, lslebodn (Thanks)

- - - - -
6714c456 by Anuj Borah at 2019-02-14T02:31:25Z
Issue: 50170 - composable object types for nsRole in lib389

Composable object types for nsRole in lib389


Reviewed by: Ludwig Krispenz, William Brown, thierry bordaz

- - - - -
e373f392 by William Brown at 2019-02-15T00:46:32Z
Ticket 50208 - make instances mark off based on dse.ldif not sysconfig

Bug Description: As sysconfig isn't cross platform compatible, and
there are some potential plans to remove it from our systemd files,
we need to make sure that lib389 can handle this file not being present
in new installs.

Fix Description: Thankfully, we have a file we can always guarantee
exists: dse.ldif. This makes /etc/dirsrv/slapd-instance the only
fixed location in the server now, all other locations can be "moved".

This patch:
 * Fixes a large number of removal regressions
 * Add comments and warnings throughout remove and setup to help
     prevent future regressions
 * Create no longer creates /etc/sysconfig/dirsrv-instance
 * Create makes dse.ldif *first* as it's the marker location
 * Remove works when there is no marker file (but will remove if it
 * Listing now ignores /etc/sysconfig, and reads dse.ldif instead
     with a follow up https://pagure.io/389-ds-base/issue/50207 to
     parse data from this file for offline


Author: William Brown <william at blackhats.net.au>

Review by: spichugi, abbra (Thanks)

- - - - -
ddf79e62 by Anuj Borah at 2019-02-18T03:55:12Z
Issue: 50112 Port ACI test suite from TET to python3(Aci Atter)

Port ACI test suite from TET to python3


Reviewed by: William Brown and Simon Pichugin

	modified:   acivattr_test.py
	deleted:    deladd_test.py
	deleted:    globalgroup_part2_test.py
	deleted:    globalgroup_test.py
	deleted:    keywords_part2_test.py
	deleted:    keywords_test.py
	deleted:    misc_test.py
	deleted:    modify_test.py
	deleted:    modrdn_test.py
	deleted:    roledn_test.py
	deleted:    search_real_part2_test.py
	deleted:    search_real_part3_test.py
	deleted:    search_real_test.py
	deleted:    syntax_test.py
	deleted:    userattr_test.py
	deleted:    valueacl_part2_test.py
	deleted:    valueacl_test.py
	modified:   working_contstants.py

- - - - -
39d13101 by Anuj Borah at 2019-02-18T04:13:54Z
Issue:50112 - Port ACI test suite from TET to python3(valueaci)

Port ACI test suite from TET to python3(valueaci)


Reviewed by: William Brown

- - - - -
2031ed0d by William Brown at 2019-02-18T23:18:04Z
Ticket 50224 - warnings on deprecated API usage

Bug Description: There have been many cases of incorrect and
invalid api usage. As we go on, we can't allow more usage of
these apis to be added as it only puts more work on us in
the future to remove.

Fix Description: Add deprecation warnings to these apis, telling
people they will be removed, and where their faulty code is.


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds (Thanks!)

- - - - -
459f7383 by Anuj Borah at 2019-02-20T02:44:30Z
Issue: 50112 - Port ACI test suite from TET to python3(modify)

Port ACI test suite from TET to python3(modify)


Reviewed by: William Brown

- - - - -
bc3ea14c by Anuj Borah at 2019-02-21T02:19:35Z
Issue: 50227 - Making an cosClassicDefinition type in src/lib389/lib389/cos.py

Making an cosClassicDefinition type in src/lib389/lib389/cos.py


Reviewed by: William Brown

- - - - -
5262f50b by Anuj Borah at 2019-02-25T03:55:02Z
Issue: 50219 - Add generic filter to DSLdapObjects

Add generic filter to DSLdapObjects


Reviewed by: William Brown

- - - - -
6963780b by William Brown at 2019-02-25T04:11:10Z
Ticket 50213 - fix list instance issue

Bug Description: A format string would not always be created
which caused instance list to fail. This may lead to instance
removal failing (creation and api removal still functioned)

Fix Description: Use a correctly initialised paths object, and
add extra debugging around the list capability for -v


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds (Thanks)

- - - - -
47c42590 by Mark Reynolds at 2019-02-26T14:20:05Z
Ticket 50236 - memberOf should be more robust

Bug Description:  When doing a modrdn, or any memberOf update, if the entry
                  already has the memberOf attribute with the same value
                  the operation is incorrectly rejected.

Fix Description:  If we get an error 20 (type or value exists) return success.

                  Also fixed a coding mistake that causes the wrong error
                  code to be returned.  This also required fixing the CI
                  test to check for the new correct error code.


Reviewed by:  firstyear, spichugi, and tbordaz (Thanks!!!)

- - - - -
b30295a7 by Mark Reynolds at 2019-02-26T14:21:34Z
Ticket 50238 - Failed modrdn can corrupt entry cache

Bug Description:  Under certain conditions (found under IPA) when a backend
                  transaction plugin fails and causes a modrdn operation to
                  fail the entry cache no longer contains the original/pre
                  entry, but instead it has the post modrdn'ed entry with
                  the original entry's ID

Fix Description:  Upon failure, if the post entry is in the cache, then swap
                  it out with the original entry.


Reviewed by: firstyear, spichugi, & tboardaz (Thanks!!!)

- - - - -
45e84745 by William Brown at 2019-02-27T00:14:30Z
Ticket 50243 - refint modrdn stress test

Bug Description: It was reported that modrdn of an ou which
contained many items could break refint in some cases.

Fix Description: Add a stress test to try to reproduce the issue


Author: William Brown <william at blackhats.net.au>

Review by: spichugi (Thanks)

- - - - -
752801b8 by Mark Reynolds at 2019-02-27T21:09:30Z
Ticket 50215 - UI - implement Database Tab in ReactJS

Description:  Implement database tab in ReactJS.


Reviewed by: spichugi & firstyear (Thanks!!)

- - - - -
eb1b5c51 by Ludwig Krispenz at 2019-02-28T14:18:16Z
Ticket 50232 - export creates not importable ldif file

Bug: If the RUV entry has a smaller entryid than the suffix entry it will be
	exported before the suffix. If that ldif is used for import the RUV entry
	is skipped and a new one generated with a different database generation

Fix: Before exporting the RUV check that the suffix is already exported, if not
	make the RUV entry pending and write it after all other entries

Reviewed by: tbordaz, wbrown. Thanks

- - - - -
fb5ae2ca by William Brown at 2019-03-01T04:31:36Z
Ticket 50197 - Container init tools

Bug Description: It's important that 389 Directory Server
has a functional, correct, and high quality container integration
system. After years of work on the server core and lib389, this is
nearly possible.

Importantly, containers have certain requirements we must understand.
All state must be in external-filesystem volumes. We can not assume
that we have an instance installed, so must create one on launch.
If one exists, we need to expose it. We don't have the ability to
ask questions, so we need to use environment, or work with no
input at all. We can't make assumptions about backends. Finally,
we need to assume that we could be a new version of the server -
we don't know about anything else.

Fix Description: This adds a dscontainer wrapper tool that is
intended for operation inside of containers. It handles and binds
many of the existing parts of lib389 for container support. I have
cleaned up past container support realising how it was done wasn't
as elegant as this.

The dscontainer tool is intended to be the entry point from a
dockerfile, IE the CMD directive.

There are still some avenues to explore. For example, we could
attempt to override the storage paths for logs and db rather than
relying on dockerfile system links. (this may break apparmor though).


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
0f918de1 by William Brown at 2019-03-01T04:43:59Z
Ticket 50197 - Container integration part 2

Bug Description: Rather than hardcoding behaviours into the setup
process of the installer, the container init process adapts the
slapd config to match what a container needs.

Fix Description: To achieve this, we expose a "start" option
in the from-file install which allows the post install start
to be true/false. We also correct the container's locations
to install ds into known paths. Finally a flag is added to
dsctl to prevent certain actions from running inside a container
limiting us only to maintenance actions (and still only offline)


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds, mhonek

- - - - -
c6054d12 by Simon Pichugin at 2019-03-01T20:46:17Z
Issue 50246 - Fix the regression in old control tools

Bug Description: The old control tools - status-dirsrv, start-dirsrv,
stop-dirsrv, restart-dirsrv stopped working properly after
the /etc/sysconfig/dirsrv removal.

Fix Description: Make them the direct systemctl command wrappers and
don't look for instances in /etc/sysconfig/dirsrv.
Fix UI. Make it use the new dsctl tools. Extend dsctl status (add JSON).

Also, remove the dragon warning because it breaks the QE test reports
when we run all the tests (we don't use DEBUGGING mode there
because it doesn't remove the instances).
The deprecation warning should be enough for now.


Reviewed by: wibrown, vashirov, mhonek, mreynolds (Thanks!)

- - - - -
f1661548 by William Brown at 2019-03-04T01:42:04Z
Ticket 50230 - improve ioerror msg when not root/dirsrv

Bug Description: When not running as root or dirsrv, improve the clarity
of the error messages as the previous messages were misleading.

Fix Description: Improve the exception handling and messages.


Author: William Brown <william at blackhats.net.au>

Review by: mhonek

- - - - -
e6e18004 by Barbora Smejkalová at 2019-03-05T23:46:46Z
Issue 49029 - [RFE] improve internal operations logging

Added test cases and fixtures to check correct internal log values of user operations (add, rename, delete) in access log when different access log level is set.


Reviewed by: spichugi, firstyear, mreynolds (Thanks!)

- - - - -
2c5f34d6 by Anuj Borah at 2019-03-06T01:01:24Z
Issue: 50253 -  Making an nsManagedRoleDefinition type in src/lib389/lib389/idm/nsrole.py

Making an nsManagedRoleDefinition type in src/lib389/lib389/idm/nsrole.py


Reviewed by: William Brown, thierry bordaz

- - - - -
0ad1dd2e by Mark Reynolds at 2019-03-06T04:11:27Z
Ticket 50257 - lib389 - password policy user vs subtree checks are broken

Description:  We were not properly checking for user versus subtree policies.
              This patch cleaned up a lot of flawed code, and properly uses
              DSLdapObjects to find policies and process them.


Reviewed by: firstyear(Thanks!)

- - - - -
47045414 by Ludwig Krispenz at 2019-03-06T10:32:40Z
Ticket 50234 - one level search returns not matching entry

Bug: if in a onelevel search the IDList for the parentid is smaller than the filter
	threshold and smaller than the list generated by the search filter
	then the intersection is aborted and all children are returned.

Fix: In the above case we need to set the flag that the filter evaluation
	cannot be bypassed

Reviewed by: William, Thierry. Thanks

- - - - -
eed079c0 by Simon Pichugin at 2019-03-06T15:43:58Z
Issue 50197 - Fix dscreate regression

Description: dscreate fails to create an instance because
the wrong number of arguments is used for Slapd2Base() call.


Reviewed by: ?

- - - - -
d79fea60 by William Brown at 2019-03-06T23:58:35Z
Ticket 49655 - remove doap file

Bug Description: Remove the unused and unmaintained doap file

Fix Description: rm 389-doap.rdf


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
28fe1601 by William Brown at 2019-03-08T02:00:58Z
Ticket 50137 - create should not check in non-stateful mode for exist

Bug Description: In def create, we should do an existence check for an
entry before creating. However, depending on access control this may not
work as intended because you can create without sight of the target, and
then this may cause misleading exceptions preventing the create.

Fix Description: In stateless mode, don't check the existence of the
entry before create.

In stateful ensure mode, continue to check for the existence.


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
00dfb129 by William Brown at 2019-03-08T02:14:40Z
Ticket 49575 - Indicate autosize value errors and corrective actions

Bug Description: The autosize system would fail if the values were
greater than 100 combined. However, I did not disclose how to fix
these values and where.

Fix Description: Improve the error message to give reasonable
advice and location of the fix for corrective action.


Author: William Brown <william at blackhats.net.au>

Review by: tbordaz (Thanks!)

- - - - -
118f8a2f by Simon Pichugin at 2019-03-08T11:04:25Z
Issue 50263 - LDAPS port not listening after installation

Bug description: When I add an additional instance to my server,
an error is displayed at the end of the installation and
the LDAPS port is not listening.
The issue was introduced in

Fix description: Make interactive installation process
general["start"] argument.


Reviewed by: mreynolds, wibrown, mhonek (Thanks!)

- - - - -
46e28cb4 by Simon Pichugin at 2019-03-08T17:49:19Z
Issue 50041 - Add CLI functionality for special plugins

Description: Add the functionality for
account-policy, attr-uniq, automember, dna, linked-attr,
managed-entries, memberof, pass-through-auth, refer-init,
retro-changelog, root-dn, usn commands.
Make DSLdapObject create an entry with only DN and attributes
(cases when RDN is not specified).
Fix two small typos in pwpolicy CLI's arguments.
Port test for DNA plugin.


Reviewed by: wibrown, mreynolds, mhonek (Thanks!)

- - - - -
5563e770 by Anuj Borah at 2019-03-11T02:09:00Z
Issue: 50112 - Port ACI test suite from TET to python3(Global Group)

Port ACI test suite from TET to python3(Global Group)


Reviewed by: Mark Reynolds, Simon Pichugin, William Brown

- - - - -
9f3344a3 by Mark Reynolds at 2019-03-11T14:30:21Z
Ticket 50208 - lib389- Fix issue with list all instances

Description:  There was a regression where listing "all" instances
              failed and returned none.  This corrects the instance
              path gathering logic


Reviewed by: firstyear(Thanks!)

- - - - -
a703d101 by Mark Reynolds at 2019-03-11T16:27:20Z
Ticket 50273 - reduce default replication agmt timeout

Description:  The default timeout of 10 minutes is just too long.
              Change default to 2 minutes.


Reviewed by: tbordaz(Thanks!)

- - - - -
813030cc by William Brown at 2019-03-12T01:38:46Z
Ticket 50259 - implement dn construction test

Bug Description: Implement a lib389 dn test to show we have correct
behaviour with dn derivation in lib389 creation.

Fix Description: Add test case.


Author: William Brown <william at blackhats.net.au>

Review by: spichugi (Thanks!)

- - - - -
656a6c93 by Anuj Borah at 2019-03-12T04:22:56Z
Issue: 50112 - Port ACI test suite from TET to python3(Search)

Port ACI test suite from TET to python3(Search)


Reviewed by: William Brown, thierry bordaz

- - - - -
f59ddfbc by Simon Pichugin at 2019-03-13T09:57:25Z
Issue 50276 - 389-ds-console is not built on RHEL8 if cockpit_dist is already present

Description: When we make srpm we want to make sure that 389-ds-console is built every time.
It is built only if it's not already there (clean up is required).
We should enforce the cockpit_dist building even if it's present.


Reviewed by: mreynolds, vashirov (Thanks!)

- - - - -
703ee9b0 by William Brown at 2019-03-13T23:03:26Z
Ticket 49667 - 49668 - remove old spec files

Bug Description: Remove old unused spec files.

Fix Description: Lib389 and svrcore are now part of 389ds, so
these spec files are not used.


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
5bc92e99 by Mark Reynolds at 2019-03-14T04:45:15Z
Ticket 50255 - Port password policy test to use DSLdapObject

Description:  While investigating ticket 50255 I had issues with
              the CI test because it was not using DSLdapObject.  So
              this patch just refactors the test to use the current
              DSLDAPObject model.


Reviewed by: firstyear(Thanks!)

- - - - -
7ba8a80c by Mark Reynolds at 2019-03-14T04:47:26Z
Ticket 50260 - backend txn plugins can corrupt entry cache

Bug Description:  If a nested backend txn plugin fails, any updates
                  it made that went into the entry cache still persist
                  after the database transaction is aborted.

Fix Description:  In order to be sure the entry cache is not corrupted
                  after a backend txn plugin failure we need to flush
                  all the cache entries that were added to the cache
                  after the parent operation was started.

                  To do this we record the start time of the original operation,
                  (or parent operation), and we record the time any entry
                  is added to the cache.  Then on failure we do a comparison
                  and remove the entry from the cache if it's not in use.
                  If it is in use we add an "invalid" flag which triggers
                  the entry to be removed when the cache entry is returned
                  by the owner.


CI tested and ASAN approved.

Reviewed by: firstyear, tbordaz, and lkrispen (Thanks!!!)

- - - - -
6d0ba294 by Thierry Bordaz at 2019-03-14T10:50:11Z
Ticket 49873: (cont) Contention on virtual attribute lookup

Bug Description:
	The previous fix was incomplete.
	It created the thread private counter before the fork.
	The daemon process was not inheriting it.

	There is a possibility that a callback of an internal search
	tries to update the map. (cos thread monitoring cos definition)
	In such case the RW lock was first acquired in read at the top level
	of the internal search, then later the callback tries to acquire it in write.
	this created a deadlock

	It stored in the private counter a value (int) rather than the address of
	the value (int*).

Fix Description:
	The fix consists to create the thread private counter after the daemon creation.
	In addition, when acquiring the lock in write, if the lock was already acquired
	at the top level (in read), it releases the lock and resets the counter. Then acquires
	the lock in write.
	In the opposite when releasing the lock in read, if the lock was not already acquired
	it assumes it was acquired in write and does nothing


Reviewed by: Mark Reynolds, William Brown (thanks !!)

Platforms tested: F30

Flag Day: no

Doc impact: no

- - - - -
208111a3 by William Brown at 2019-03-14T23:28:54Z
Ticket 49715 - extend account functionality

Bug Description: It was noted by mreynolds that account doesn't
do as much as user does. This brings account to partial-feature
parity with user, able to modify, show and delete accounts.

Fix Description: Add the ability to show, modify and delete generic
account types.

Note that account can never, and will never gain the ability to
create accounts, because "accounts" are such an opinionated and
complex topic. For creating accounts, user will remain the
preferred command. Account exists to "manage existing" account
types, that an external system may create or feed to the 389


Author: William Brown <william at blackhats.net.au>

Review by: spichugi (Thanks)

- - - - -
da7d2de1 by Thierry Bordaz at 2019-03-15T10:35:30Z
Ticket 50282 - OPERATIONS ERROR when trying to delete a group with automember members

Bug Description:
	When automember and memberof are enabled, if a user is member of a group
	because of an automember rule. Then when the group is deleted,
	memberof updates the member (to update 'memberof' attribute) that
	triggers automember to reevaluate the automember rule and add the member
	to the group. But at this time the group is already deleted.
	Chaining back the failure up to the top level operation the deletion
	of the group fails

Fix Description:
	The fix consists to check that if an automember rule tries to add a user
	in a group, then to check that the group exists before updating it.


Reviewed by: Mark Reynolds, William Brown

Platforms tested: F29

Flag Day: no

Doc impact: no

- - - - -
d318d060 by Mark Reynolds at 2019-03-15T14:11:16Z
Ticket 50077 - Do not automatically turn automember postop modifies on

Description:  Although we have set the new postop processing on by
              default in the template-dse.ldif, we do not want to
              enable it by default for upgrades (only new installs).

              So if the attribute is not set, it is assumed "off".


Reviewed by: firstyear(Thanks!)

- - - - -
c7da16fb by Thierry Bordaz at 2019-03-18T13:45:58Z
Ticket 49561 - MEP plugin, upon direct op failure, will delete twice the same managed entry

Bug Description:
	When a failure occurs during betxn_post plugin callback, the betxn_post plugins are called again.
	This is to process some kind of undo action (for example usn or dna that manage counters).

	If MEP plugin is called for a managing entry, it deletes the managed entry (that becomes a tombstone).
	If later another betxn_postop fails, then MEP is called again.
	But as it does not detect the operation failure (for DEL and ADD), then it tries again
	to delete the managed entry that is already a tombstone.

Fix Description:
	The MEP betxn_post plugin callbacks (ADD and DEL) should catch the operation failure
	and return.
	It is already in place for MODRDN and MOD.


Reviewed by: Mark Reynold, thanks !!

Platforms tested: F28

Flag Day: no

Doc impact: no

- - - - -
33fbced2 by Mark Reynolds at 2019-03-18T16:42:49Z
Ticket 50260 - Invalid cache flushing improvements

Description:  The original version of the fix only checked if backend
              transaction "post" operation plugins failed, but it did
              not check for errors from the backend transaction "pre"
              operation plugin.  To address this we flush invalid
              entries whenever any error occurs.

              We were also not flushing invalid cache entries when
              modrdn errors occurred.  Modrdns only make changes to
              the DN hashtable inside the entry cache, but we were only
              checking the ID hashtable.  So we also need to check the
              DN hashtable in the entry cache for invalid entries.


Reviewed by: firstyear & tbordaz(Thanks!!)

- - - - -
0a4ee32c by Ludwig Krispenz at 2019-03-21T08:24:58Z
Ticket 50265: the warning about skew time could last forever

Bug: if the local system time is set back more than 300 seconds
	a warning about too much time skew is logged and the sampled
	time is updated. This adjustment is done at every write operation
	and can increase the time skew and be logged infinitely

Fix: the intention of the adjustment was to avoid a roll over of seq_num
	if the sampled time is not increased for more than 65k operations.
	But this is already handled with an explicit check for seq_num
	rollover. The extra adjustment for negative time skew can be removed.

Reviewed by: Thierry, William. Thanks.

- - - - -
37f919a7 by Mark Reynolds at 2019-03-22T20:27:15Z
Ticket 50300 - Fix memory leak in automember plugin

Description:  We were allocating a pblock long before it was used, and
              we were returning from the function on an error before we
              freed it.  The fix just allocates the pblock right before
              it's used, and then it is properly freed.


Reviewed by: mreynolds (one line commit rule)

- - - - -
28a5ddbd by Akshay Adhikari at 2019-03-25T09:26:54Z
Ticket 49463 After cleanALLruv, replication is looping on keep alive DEL

Bug Description: When cleanAllRuv is launched, it spawns cleanAllRuv on all replicas.
Each replica will clean its changelog and database RUV but in addition
will DEL the keep alive entry of the target ReplicaID.

Fix Description: Test cases cover all the scenarios to be tested for the fix.


Review by: firstyear,tbordaz

- - - - -
395a4a26 by Mark Reynolds at 2019-03-25T15:23:59Z
Ticket 50289 - Fix various database UI issues


Fixed these issues:

- https://bugzilla.redhat.com/show_bug.cgi?id=1664621 - backup freezes when no suffix present

- https://bugzilla.redhat.com/show_bug.cgi?id=1685395 - Perform Backup fails when Backend Name is not configured

- https://bugzilla.redhat.com/show_bug.cgi?id=1688587 - typo when restarting instance

- https://bugzilla.redhat.com/show_bug.cgi?id=1688775 - db tree breaks when suffix contains spaces.

- https://bugzilla.redhat.com/show_bug.cgi?id=1688919 - backups fail with empty name

Also fixed issue where if you start an instance in UI the configuration is correctly loaded.


Reviewed by: spichugi(Thanks!)

- - - - -
24f8b6d9 by Anuj Borah at 2019-03-25T17:48:24Z
Issue:50112 - Port ACI test suite from TET to python3(misc and syntax)

Port ACI test suite from TET to python3(misc and syntax)


Reviewed by: thierry bordaz, William Brown, Matus Honek, Ludwig Krispenz, Simon Pichugin

- - - - -
09965c45 by Simon Pichugin at 2019-03-26T22:07:47Z
Issue 50292 - Fix Plugin CLI and UI issues

Description: Fix 'All plugins' tab rendering issue.
Fix nsds5replicalastinitstatus typo.
Fix generic_object_add logic for cases when RDN is in props and BaseDN is supplied.
Add Posix Winsync API plugin
Add PAM PTA plugin
Fix underscore issues in plugin arguments.
Fix Linked Attribute plugin Fixup task arguments and name.
Change a 'print()' function to a 'log.info()' function.


Reviewed by: mreynolds, wibrown (Thanks!)

- - - - -
38d4e523 by Thierry Bordaz at 2019-03-27T09:28:52Z
Ticket 49873 - (cont 2nd) Contention on virtual attribute lookup

Bug Description:
	SSL initialization does internal searches that access the vattr_global_lock
	Thread private counter needs to be initialized by that time.
	Currently it is initialized after SSL init.

	Second problem was a leak of one 'int' per worker. It was used to keep the private counter.

Fix Description:
	Call of vattr_global_lock_create needs to be called before slapd_do_all_nss_ssl_init.
	Also, 'main' may or may not fork, the initialization of the thread private variable
	is done either on the child or parent depending if main forks or not.

	The leak is fixed using a destructor callback of the private variable and so
	call PR_SetThreadPrivate only if there is no private variable.


Reviewed by: Mark Reynolds, Simon Pichugin (thanks)

Platforms tested: F28

Flag Day: no

Doc impact: no

Ticket foo

- - - - -
235bde93 by Thierry Bordaz at 2019-03-28T16:58:46Z
Ticket 49873 - (cont 3rd) cleanup debug log

- - - - -
5d76a244 by Hugh McMaster at 2019-03-29T01:39:47Z
Use PKG_CHECK_MODULES to detect the event library

- - - - -
f56f78db by Hugh McMaster at 2019-03-29T01:39:47Z
Use PKG_CHECK_MODULES to detect the nspr library

- - - - -
a7f1dd08 by Hugh McMaster at 2019-03-29T01:39:47Z
Use PKG_CHECK_MODULES to detect the nss library

- - - - -
d6a32479 by Hugh McMaster at 2019-03-29T01:39:47Z
Use PKG_CHECK_MODULES to detect the cmocka library

- - - - -
5203410c by Hugh McMaster at 2019-03-29T01:39:47Z
Use PKG_CHECK_MODULES to detect the pcre library

- - - - -
9f5f29a7 by Hugh McMaster at 2019-03-29T01:39:47Z
m4/doxygen.m4: Fix spelling of Doxygen in a message

- - - - -
40ca6e97 by Hugh McMaster at 2019-03-29T01:39:47Z
configure.ac: Remove unpaired parentheses from two help strings

- - - - -
a2ebc6d5 by Hugh McMaster at 2019-03-29T01:39:47Z
configure.ac: Add missing comma to an AC_ARG_ENABLE macro

- - - - -
e50466ee by Hugh McMaster at 2019-03-29T01:39:47Z
Use PKG_CHECK_MODULES to detect the libsasl2 library

- - - - -
9d6531aa by Hugh McMaster at 2019-03-29T01:39:47Z
Use pkg-config from the host system to better support cross-compiling

- - - - -
773e8989 by Hugh McMaster at 2019-03-29T01:39:47Z
Use PKG_CHECK_MODULES to detect the kerberos library

- - - - -
11309bf3 by Hugh McMaster at 2019-03-29T01:39:47Z
Use PKG_CHECK_MODULES to detect the systemd library

- - - - -
6c2bb66f by Mark Reynolds at 2019-03-29T13:18:44Z
Ticket 50308 - Fix memory leaks for repeat binds and replication

Description:  Fixed two memory leaks:

    - If a worker thread had multiple binds the "bind dn"
      thread data was leaked.
    - Memory leak when processing changes in the changelog


Reviewed by: firstyear(Thanks!)

- - - - -
1808f317 by Mark Reynolds at 2019-03-29T18:59:05Z
Ticket 50308 - Revise memory leak fix

Description:  Turns out the previous commit did not address
              the changelog leak, and it introduced a compiler
              warning.  This part of the fix is being reverted.


- - - - -
9a126614 by Mark Reynolds at 2019-03-29T20:06:14Z
Bump version to

- - - - -
223846df by William Brown at 2019-04-01T23:27:17Z
Ticket 49390 - improve compare and cn=config compare tests

Bug Description: We had a number of tests for the dsldapobject
compare cases, but they were in the lib389 tests. Move and update
these to work as part of the dirsrvtests suite.

Fix Description: Update lib389 to properly handle attribute casing
and update compare tests to work with newer lib389 ideas


Author: William Brown <william at blackhats.net.au>

Review by: spichugi (Thanks)

- - - - -
bc207222 by William Brown at 2019-04-02T03:06:28Z
Ticket 50310 - fix sasl header include

Bug Description: After the merge of the PKG_CONFIG change, on SUSE
the server fails to build. This is because the pkg-config for
sasl on suse doesn't add the -I include for sasl to the path so
using sasl.h doesn't work.

Fix Description: Change all references to sasl/sasl.h


Author: William Brown <william at blackhats.net.au>

Review by: hmc, mreynolds (thanks!)

- - - - -
7a0b8ae5 by Viktor Ashirov at 2019-04-02T13:31:07Z
Issue 50032 - Fix deprecation warnings in tests

Bug Description:
Deprecation warnings are issued by Python for the following changes:
1. https://docs.python.org/3/whatsnew/3.6.html#deprecated-python-behavior
https://bugs.python.org/issue27364 - Deprecate invalid escape sequences in str/bytes

2. https://docs.python.org/3/whatsnew/3.7.html#deprecated-python-behavior
https://bugs.python.org/issue25988 - collections.abc.Indexable

3. https://docs.python.org/3/library/logging.html#logging.warning
https://bugs.python.org/issue13235 - logging.warn() is not documented

Fix Description:
1. Use correct escape sequences or raw strings where needed.
2. Import Callable from collections.abc instead of collections module directly.
3. Use logging.warning() instead of logging.warn().

Fixes https://pagure.io/389-ds-base/issue/50032

Reviewed by: mreynolds, spichugi

- - - - -
38515800 by Mark Reynolds at 2019-04-02T17:31:16Z
Ticket 50240 - Improve task logging

Description:  Improve the updates to the task's log attribute when
              errors occur.  Previously we were not recording the
              reason for most failures during db2ldif, ldif2db, and


Reviewed by: ?

- - - - -
c9d65282 by Mark Reynolds at 2019-04-02T17:36:48Z
Ticket 50306 - Move connection config inside struct

Description: We are constantly calling configuration get functions
             during a connection. These calls are expensive, so we
             should just store all these settings in the conn struct
             during handle_new_connection()


Reviewed by: firstyear(Thanks!)

- - - - -
78003de2 by Mark Reynolds at 2019-04-03T01:08:11Z
Ticket 50303 - Add task creation date to task data

Description: Add a new attribute to the slapi task entry containing
             the start date. This provides a nice convenience without
             having to change LDAP clients.


Reviewed by: firstyear & spichugi(Thanks!)

- - - - -
0319ec02 by Viktor Ashirov at 2019-04-04T14:54:47Z
Issue 49915 - Add regression test

Fixes https://pagure.io/389-ds-base/issue/49915

Reviewed by: mreynolds (Thanks!)

- - - - -
018c8364 by William Brown at 2019-04-04T23:43:27Z
Ticket 49899 - fix pin.txt and pwdfile permissions

Bug Description: On unix, user and group permissions are basically
the same, because users always have a primary group. However, best
practice ignores this, and states everything should be user
owned only if security sensitive.

Fix Description: Make pin.txt and pwdfile user only owned to prevent
disclosure (in limited circumstances, this is little more than
a compliance step).


Author: William Brown <william at blackhats.net.au>

Review by: tbordaz, mhonek (Thanks)

- - - - -
9e4ce5fa by Barbora Smejkalová at 2019-04-05T11:05:32Z
Issue 50026 - Audit log does not capture the operation where nsslapd-lookthroughlimit is modified

Updated test case to check modification of attributes in audit log, because it wasn't logged in correct format.

Also removed function in test_internal_log_level_131076 in ds_logs_test.py that I used for debugging when making that test and forgot to delete it.


Reviewed by: mreynolds, tbordaz, spichugi (Thanks!)

- - - - -
78f8c17a by Matúš Honěk at 2019-04-05T12:48:08Z
Fix typo from: Issue 49915 - Add regression test

Fixes commit 0319ec02a.

Relates https://pagure.io/389-ds-base/pull-request/50320

- - - - -
d08f7eb6 by Mark Reynolds at 2019-04-05T15:13:36Z
Ticket 50305 - Revise CleanAllRUV task restart process

Bug Description:  If the server was stopped while a CleanAllRUV task was
                  running the task gets marked in the replica config entry
                  so it knows to resume the task at server startup.  The
                  problem is that when it resumed it just fires off the
                  task thread, and did not create a new Slapi_Task entry.
                  This makes it impossible to track these tasks that got

Fix Description:  There were a few things wrong with the resume process,
                  including it was hard coded to only handle a maximum
                  of 4 tasks.  We also were not recording all the required
                  information needed to resume the task.

                  Now "resume" process can handle an infinite number of
                  tasks, and it creates fresh Slapi_Task entries so the
                  tasks can be tracked.

CI tested & ASAN approved


Reviewed by: lkrispenz(Thanks!)

- - - - -
51eb5b26 by William Brown at 2019-04-08T01:07:08Z
Ticket 50317 - fix ds-backtrace issue on latest gdb

Bug Description: ds-backtrace was failing due to a
type issue on latest python/gdb on suse.

Fix Description: If debug info is missing, a nonetype
was returned in the backtrace, causing a type mismatch
on " ".join().


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
3347d922 by Martin Pitt at 2019-04-11T12:04:56Z
Fix cockpit console AppStream data

 * Add missing <?xml> header
 * Update <extends> to renamed cockpit ID, as "cockpit.desktop" is
   invalid (§ 2.1.3 [1]) and got changed in [2]
 * Avoid dashes in <id> (§2.1.3) and use the actual project's home page.
   Rename the file accordingly.
 * Use a more verbose description from the home page ("style-invalid"
   validation error)
 * Avoid whitespace in <summary>
 * Add homepage URL
 * Add <update_contact>

`appstream-util validate src/cockpit/389-console/org.cockpit-project.389-console.metainfo.xml`
is happy now.

[1] https://www.freedesktop.org/software/appstream/docs/chap-Metadata.html#sect-Metadata-GenericComponent
[2] https://github.com/cockpit-project/cockpit/pull/11557

- - - - -
ab94fc12 by Mark Reynolds at 2019-04-12T20:14:22Z
Ticket 50291 - Add monitor tab functionality to Cockpit UI

Description:  Added the backend functionality to the monitoring

              Also returned all dsconf errors as json objects so
              the UI could display friendly error messages


Reviewed by: spichugi(Thanks!)

- - - - -
117d4ba0 by Thierry Bordaz at 2019-04-15T09:52:27Z
Ticket 50306 - (cont typo) Move connection config inside struct

Bug Description:
	typo where ioblocktimeout was erroneously computed from maxbersize

Fix Description:
	move c_maxbersize to c_ioblocktimeout


Reviewed by: Thierry Bordaz

Platforms tested: F28

Flag Day: no

Doc impact: no

- - - - -
8ca14203 by Mark Reynolds at 2019-04-15T15:15:02Z
Ticket 49990 - Increase the default FD limits

Description:  As discussed in the ticket, this fix sets the maxdescriptors
              to the maximum allowed by the OS/systemd.  If this limit can
              not be obtained then we fall back to 8192 as the limit


Reviewed by: tbordaz & firstyear(Thanks!!)

- - - - -
4d9cc24d by Thierry Bordaz at 2019-04-15T16:06:17Z
Ticket 50329 - Possible Security Issue: DOS due to ioblocktimeout not applying to TLS

Bug Description:
    A secure socket is configured in blocking mode. If an event
    is detected on a secure socket, a worker tries to read the request.
    The read can hang indefinitely if there is nothing to read.
    As a consequence ioblocktimeout is not enforced when reading a secure socket.

Fix Description:
    The fix is specific to secure socket read.
    Before reading it polls the socket for a read. The socket is polled
    (with a 0.1s timeout) until read is possible or the sum of poll timeouts
    is greater than ioblocktimeout.


Reviewed by: Mark Reynolds

Platforms tested: F28

Flag Day: no

Doc impact: no

- - - - -
68b6319d by Simon Pichugin at 2019-04-15T16:32:43Z
Issue 50041 - Add the rest UI Plugin tabs - Part 1

Description: Add UI plugin tabs for accountPolicy, attributeUniqueness,
linkedAttributes, referentialIntegrity, retroChangelog, rootDNAccessControl
and winsync.
Reorder the tabs to make the usage more intuitive.
Fix Attribute Uniqueness logging level issue.
Move pluginTable.jsx content to pluginTables.jsx.
Fix a small 'help' typo in dbtasks.py.


Reviewed by: mreynolds (Thanks!)

- - - - -
56373fb5 by William Brown at 2019-04-16T00:53:40Z
Ticket 49390, 50019 - support cn=config compare operations

Bug Description: Ansible will attempt to check the state of a value
before it makes an alteration on the ldap server. To do this in a
correct and schema aware fashion, it will use the ldapcompare operation.

It's a request that people want to manage their cn=config with ansible,
however dse.c didn't support ldapcompare on these backends.

Fix Description: Add support for ldapcompare operations on dse.c,
including the ability to correctly generate the cn=config defaults
into the entry for comparison.

This also adds support for ldapcompare as the default comparator in


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
af97382f by Anuj Borah at 2019-04-16T08:30:20Z
Issue:50112 - Port ACI test suite from TET to python3(Delete and Add)

Port ACI test suite from TET to python3(Delete and Add)


Reviewed by: William Brown, Simon Pichugin

- - - - -
9724e8bb by Anuj Borah at 2019-04-17T09:47:28Z
Issue: 50313 - Add a NestedRole type to lib389

Add the NestedRole and the NestedRoles classes to src/lib389/lib389/idm/role.py
Add one test case that will test that the new class NestedRoles is
working fine.


Reviewed by: Simon Pichugin, thierry bordaz

- - - - -
6d080a0a by William Brown at 2019-04-18T02:58:01Z
Ticket 50329 - improve connection default parameters

Bug Description: An issue was raised that appears that our default
values may be misleading and hard to configure correctly in some
circumstances. We should improve our default values to have better
time sharing for connections.

Fix Description: Improve ioblock to be shorter to prevent write
blocks, make reads quicker for sharing, and by default have an
idle disconnect to clients.


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
4f7c05e2 by Mark Reynolds at 2019-04-18T13:37:20Z
Ticket 50327 - Add replication conflict entry support to lib389/CLI

Description:  Added Conflict Entry and Glue entry classes to lib389,
              and updated dsconf to allow for conflict entry management.

              Made some other minor changes to mapped objects:

                -  Added an attribute list option to display()
                -  Added a recursive delete option to delete()


Reviewed by: firstyear, lkrispen, and spichugi(Thanks!!!)

- - - - -
21e10bd5 by Mark Reynolds at 2019-04-22T14:59:02Z
Ticket 50327 - Add replication conflict support to UI

Description:  Added a page under the monitor tab to view and manage
              replication conflict and glue entries.


Reviewed by: spichugi(Thanks!)

- - - - -
fc46de68 by Ludwig Krispenz at 2019-04-25T11:51:51Z
Ticket 50340 - structs for disabled plugins will not be freed

Bug: when plugins are loaded from dse.ldif enabled plugins will be added to
	the list of the plugin type and freed when plugins are stopped.
	But the memory allocated for disabled plugins will remain allocated
	and be reported.

Fix: free plugin if not enabled after loading
	This will also let the many leaks reported for "GrowStuff" disappear.
	The fix also contains one missing free for slapi_ch_smprintf allocated memory

Reviewed by: Mark, thanks

- - - - -
6a6b8d96 by Simon Pichugin at 2019-04-26T11:29:44Z
Issue #50067 - Fix krb5 dependency in a specfile

Bug Description: The build fails because the krb5 dependencies
are not installed while using specfile.

Fix Description: Add pkgconfig(krb5) to the BuildRequires section.


Reviewed by: mhonek, mreynolds (Thanks!)

- - - - -
80468425 by William Brown at 2019-05-01T01:38:11Z
Ticket 50344 - tidy rpm vs build systemd flag handling

Bug Description: In rpm builds we would read with_systemd from
defaults.inf, which has a different value to hand-building. As
a result this caused an issue in dscontainer on opensuse where
it believed systemd was present.

Fix Description: Simplify the systemd handling to a single flag
which is possible to override in a container env.


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
468b8a8d by Anuj Borah at 2019-05-06T15:35:57Z
Issue: 50112 - Port ACI test suite from TET to python3(keyaci)

Port ACI test suite from TET to python3(keyaci)


Reviewed by: Mark Reynolds, Simon Pichugin, William Brown, Viktor Ashirov

- - - - -
f35ad371 by Thierry Bordaz at 2019-05-07T15:36:07Z
Ticket 50329 - revert fix

Bug Description:
	This fix introduces a regression BZ 1705125


- - - - -
06c9f534 by Hugh McMaster at 2019-05-09T11:35:00Z
Remove the nss3 path prefix from the cert.h C preprocessor source file inclusion

Bug Description:
The NSS header cert.h resides in different paths on different operating
systems. Hardcoding a path prefix as #include <nss3/cert.h> caused
fatal compile-time errors on some operating systems, such as Debian,
because the C preprocessor could not find the header.

Fix Description:
Removing the 'nss3' path prefix allows compilation to succeed, as
the compiler can locate cert.h in the NSS include path detected
by pkg-config.

Changes to rpm/389-ds-base.spec.in included at the request of
Matus Honek in https://pagure.io/389-ds-base/pull-request/50352

Author: Hugh McMaster <hugh.mcmaster at outlook.com>

Reviewed by: firstyear, mhonek, mreynolds

Remove NSS header and library path hacks from the rpm package spec file

Patch suggested by Matus Honek in https://pagure.io/389-ds-base/pull-request/50352

- - - - -
aa1bde47 by Anuj Borah at 2019-05-10T02:36:41Z
Issue: 50358 -  Create a Bitwise Plugin class in plugins.py

Create a Bitwise Plugin class in plugins.py


Author: aborah

Reviewed by: William Brown

- - - - -
e5ae9d0d by Viktor Ashirov at 2019-05-10T12:18:33Z
Issue 50303 - Add creation date to task data

Bug Description:
Tests are failing on < where nsTaskCreated attribute doesn't exist

Fix Description:
Check for nsTaskCreated attribute only in
Additionally, run dscreate test only on

Fixes https://pagure.io/389-ds-base/issue/50303

Reviewed by: mhonek (Thanks!)

- - - - -
9e80a33e by Viktor Ashirov at 2019-05-10T12:20:38Z
Issue #50353 - Categorize tests by tiers

Bug Description:
We should have different tiers of tests:
tier0 - basic functionality (installation, instance startup, basic operations, import/export, etc.)
tier1 - functional tests for the most used features
tier2 - functional tests for the less used features and tests that take more time to complete (stress tests)
tier3 - long duration tests.

Fix Description:
Use pytest marks per test module or individually.

Fixes https://pagure.io/389-ds-base/issue/50353

Reviewed by: spichugi (Thanks!)

- - - - -
b770ac72 by Matúš Honěk at 2019-05-10T13:41:36Z
Issue 49730 - MozLDAP bindings have been unsupported for a while

Bug Description:
We haven't been supporting MozLDAP for a long time. In fact, it is not possible
to build without OpenLDAP as MozLDAP specifics were not maintained properly.

Fix Description:
Remove all MozLDAP-only features from the code.

Fixes https://pagure.io/389-ds-base/issue/49730
Relates https://pagure.io/389-ds-base/pull-request/50332

Author: mhonek

Review by: hmc, firstyear, spichugi (Thanks!)

- - - - -
974c802f by Mark Reynolds at 2019-05-13T13:56:35Z
Ticket 50363 - ds-replcheck incorrectly reports error out of order multi-valued attributes

Bug Description:  If for some reason an entry's multi-valued attribute
                  values are in different orders on different replicas
                  the tool reports this as an inconsistency when it is

Fix Description:  For both offline & online processing sort each entry's
                  multi-valued attribute values.


Reviewed by: firstyear & mhonek (Thanks!!)

- - - - -
423a9ce2 by Viktor Ashirov at 2019-05-14T08:20:32Z
Issue 50164 - Add test for dscreate to basic test suite

Bug Description:
dscreate tests do not work properly when newer lib389 is used
with older 389-ds-base versions.

Fix Description:
* Unset PYTHONPATH for dscreate if it's set to prevent clobbering system

* Don't run dscreate_test on older versions, where instance-specific sysconfig
env file is mentioned in systemd unit file. dscreate no longer creates it and
causes dirsrv service to fail to start.

* Don't check for instance-specific sysconfig env file on removing the instance
since it's no longer created.

Fixes https://pagure.io/389-ds-base/issue/50164

Reviewed by: mreynolds (Thanks!)

- - - - -
fa74996f by Viktor Ashirov at 2019-05-14T08:24:15Z
Fix missing import

Reviewed by: one line commit rule

- - - - -
505b563d by Ludwig Krispenz at 2019-05-14T15:16:30Z
Ticket 50340 cont - structs for disabled plugins will not be freed

Bug: The original fix did free structs for not enabled plugins, but
     they remained in the dependency list of plugins and when the
     list was processed a freed struct could be accessed

Fix: do not add a disabled plugin to the plugin dependency list

Reviewed by: Mark, thanks

- - - - -
7141b8d1 by Mark Reynolds at 2019-05-15T02:22:04Z
Ticket 50370 -  CleanAllRUV task crashing during server shutdown

Description:  There is a race condition during server shutdown that
              can cause the server to crash.  Increment the active
              thread count for each cleaning task to prevent the plugins
              from being closed before the thread terminates.


Reviewed by: firstyear(Thanks!)

- - - - -
87338c17 by Akshay Adhikari at 2019-05-15T09:22:22Z
Issue 50220 - attr_encryption test suite failing

Description: Fixed the issue by removing the old function of creating an encrypted attribute
with a new one.

Fixes https://pagure.io/389-ds-base/issue/50220

Reviewed by: firstyear,viktor

- - - - -
d0da0284 by Anuj Borah at 2019-05-15T13:50:18Z
Issue:48851 - investigate and port TET matching rules filter tests

Investigate and port TET matching rules filter tests


Reviewed by: William Brown, thierry bordaz, Viktor Ashirov, Simon Pichugin, Matus Honek

- - - - -
41c30fd5 by Mark Reynolds at 2019-05-15T20:07:42Z
Ticket 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients

Description:  When the client is an IPv6 client, any ACI's that contain bind rules
              for IPv4 addresses essentially break that aci causing it to not be
              fully evaluated.

              For example we have an aci like this:

                 aci: (targetattr != "aci")(version 3.0; aci "rootdse anon read access"; allow(
                 read,search,compare) userdn="ldap:///anyone" and
                 (ip="" or ip="2620:52:0:84:f816:3eff:fe4b:4f35");)

              So when the client is IPv6 we start processing the IP addresses in
              the ACI, as soon as an IPv4 address is found the ACI evaluation stops
              and in this case the IPv6 address is never checked and access is denied.

              The problem is that we set the wrong return code variable in libaccess


Reviewed by: mreynolds (one line commit rule)

- - - - -
632ecb90 by Mark Reynolds at 2019-05-16T00:16:42Z
Ticket 50251 - clear text passwords visible in CLI verbose mode logging

Bug Description:  If you run any of the CLI tools using "-v", and set a password,
                  that password will be displayed in clear text in the console.

Fix Description:  Create an internal list of sensitive attributes to filter, and
                  mask them in the operation debug logging.  But still allow the
                  password to be seen if you set the env variable DEBUGGING=true

                  We also still print the root DN password if it is a container


Reviewed by: spichugi, firstyear, and mhonek (Thanks!!!)

- - - - -
2c51eeb4 by Viktor Ashirov at 2019-05-16T10:44:48Z
Issue - 50374 dsidm posixgroup create fails with ERROR

Bug Description:
dsidm posixgroup create passes a wrong parameter to

Fix Description:
Fix the parameter name.

Fixes https://pagure.io/389-ds-base/issue/50374

Reviewed by: mreynolds (Thanks!)

- - - - -
a9e4ce00 by Viktor Ashirov at 2019-05-16T12:48:08Z
Issue 49761 - Fix CI test suite issues

Fix various failures on older releases for tier1 tests

Relates https://pagure.io/389-ds-base/issue/49761

Reviewed by: spichugi (Thanks!)

- - - - -
cd000871 by Barbora Smejkalová at 2019-05-16T13:01:38Z
Issue 49029 - [RFE] improve internal operations logging

Edited the test cases by changing the 'op' number to regex, because the values were hardcoded into the test and if there was some more fixing of internal logs that would cause the 'op' number to raise up/lower down then the test would fail. The main goal is to check syntax of internal messages, not to match 'op' numbers.

Also changed strings in src/lib389/lib389/dirsrv_log.py to raw strings to stop showing warnings about deprecation.


Reviewed by: vashirov (Thanks!)

- - - - -
9ebf5f8a by Viktor Ashirov at 2019-05-16T16:38:08Z
Issue 50384 - Missing dependency: cracklib-dicts

Bug Description:
passwordDictCheck relies on cracklib and uses a default dictionary
provided by cracklib-dicts, but we don't depend on it.

Fix Description:
Add missing dependency for cracklib-dicts

Fixes https://pagure.io/389-ds-base/issue/50384

Reviewed by: ???

- - - - -
26b9e1b0 by Mark Reynolds at 2019-05-16T20:26:49Z
Ticket 50306 - Fix regression with maxbersize

Description:  When passing the max BER size to openldap we were using the wrong
              integer type, and it caused it to not be enforced.


Reviewed by: mreynolds(one line commit rule)

- - - - -
31c89d3b by Simon Pichugin at 2019-05-17T18:35:26Z
Issue 50390 - Add Managed Entries Plug-in Config Entry schema

Description: Add AttributeTypes and an ObjectClass to Managed Entries
Plug-in Configuration entry schema.
Fix MEPConfigs(DSLdapObjects) accordingly.


Reviewed by: mreynolds (Thanks!)

- - - - -
f2c63bcd by Viktor Ashirov at 2019-05-20T12:50:47Z
Issue 50387 - enable_tls() should label ports with ldap_port_t

Bug Description:
In some tests we use enable_tls(), but the secure port doesn't get
labeled automatically with ldap_port_t.

Fix Description:
Fix enable_tls() to label secure port.
Additionally fix typo in pluginpath_validation_test.py

Fixes https://pagure.io/389-ds-base/issue/50387

Reviewed by: mreynolds, mhonek (Thanks!)

- - - - -
0935b8af by Mark Reynolds at 2019-05-20T19:06:54Z
Ticket 50396 - Crash in PAM plugin when user does not exist

Description:  pam passthru & addn plugin causes crash in bind when
              user does not exist.  Need to make sure we don't
              dereference NULL pointer.


Reviewed by: mreynolds & tbordaz

- - - - -
2738fd00 by Viktor Ashirov at 2019-05-21T09:16:41Z
Issue 49960 - Core schema contains strings instead of numeric oids

Bug Description:
Core schema contains strings instead of numeric oids.

Fix Description:
Update schema files with the correct oids.

Relates: https://pagure.io/389-ds-base/issue/49960

Reviewed by: firstyear, mreynolds, spichugi (Thanks!)

- - - - -
6fd9a413 by Anuj Borah at 2019-05-21T10:24:26Z
Issue: 50112 - Port ACI test suite from TET to python3(roledn)

Description: Port ACI test suite from TET to python3 (roledn)

Relates: https://pagure.io/389-ds-base/issue/50112

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
ca70d06f by Mark Reynolds at 2019-05-21T16:26:47Z
Ticket 50393 - maxlogsperdir accepting negative values

Description:  Improve the log "digit" config setting validation
              for all settings.


Reviewed by: tbordaz, firstyear, mhonek, and spichugi (Thanks!!!!)

- - - - -
a8bc2e33 by Anuj Borah at 2019-05-21T17:02:50Z
Issue: 50112 - Port ACI test suite from TET to python3(userattr)

Description: Port ACI test suite from TET to python3(userattr)

Fixes https://pagure.io/389-ds-base/issue/50112

Author: aborah

Reviewed by: Matus Honek, Simon Pichugin

- - - - -
c4a2eb4a by Viktor Ashirov at 2019-05-22T15:12:21Z
Issue 50037 - lib389 fails to install in venv under non-root user

Bug description:
Some files were installed using absolute path, preventing installation
under non-root user.

Fix description:
Change paths to be relative to the current prefix.
Update .gitignore to exclude venv and build products.
Update tox.ini to the current supported Python versions.

Fixes https://pagure.io/389-ds-base/issue/50037

Reviewed by: mhonek, firstyear, spichugi (Thanks!)

- - - - -
db29fc2d by Anuj Borah at 2019-05-23T10:01:14Z
Issue: 48851 - investigate and port TET matching rules filter tests(scanlimit)

investigate and port TET matching rules filter tests(scanlimit)

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Simon Pichugin, Matus Honek

- - - - -
2886ba77 by Thierry Bordaz at 2019-05-23T13:15:28Z
Ticket 50389 - ns-slapd crashes while two threads are polling the same connection

Bug Description:
	nspr IO is not multi-thread safe.
	389-ds should not be in a situation where several threads are polling
	the same connection at the same time.
	The scenario is a worker sends back an operation result at the same time
	another worker wants to read an incoming request.

Fix Description:
	The fix consists in synchronizing polling with c_pdumutex.

	The thread that sends data (flush_ber) holds c_pdumutex.

	The thread that reads the data does a non blocking read. It then
	enforces ioblocktimeout with iterations of poll.
	The reading thread must hold c_pdumutex during poll to synchronize
	with the reader thread.
	The reading thread must poll with a small timeout
	(CONN_TURBO_TIMEOUT_INTERVAL). In order to not block
	the thread that sends back data, the fix reduces the delay to 0.1s.


Reviewed by: Mark Reynolds, Matus Honek, William Brown

Platforms tested: F28

Flag Day: no

Doc impact: no

- - - - -
f8e5e010 by Viktor Ashirov at 2019-05-23T14:17:40Z
Issue 50403 - Instance creation fails on 1.3.9 using perl utils and latest lib389

Bug Description:
There is a typo in formatInfData() that generates invalid inf file.

Fix Description:
Fix the typo.

Fixes https://pagure.io/389-ds-base/issue/50403

Reviewed by: mreynolds (Thanks!)

- - - - -
2ca86fe1 by Ludwig Krispenz at 2019-05-24T16:55:36Z
Ticket 50340 - 2nd try - structs for disabled plugins will not be freed

    Bug: when plugins are loaded from dse.ldif enabled plugins will be added to
            the list of the plugin type and freed when plugins are stopped.
            But the memory allocated for disabled plugins will remain allocated and
            be reported.

    Fix: The previous fix did free not enabled plugins in plugin_setup, but
	 that caused a lot of issues.
	 This patch frees not enabled plugins in plugin_dependency_freeall

    Reviewed by:  ?

Signed-off-by: Mark Reynolds <mreynolds at redhat.com>

- - - - -
ba46b9a8 by Simon Pichugin at 2019-05-24T17:11:29Z
Issue 50041 - Add the rest UI Plugin tabs - Part 2

Description: Add UI plugin tabs for autoMembership, DNA, managedEntries,
passthroughAuthentication, usn.
Add Shared Config Entry to referentialIntegrity plugin.
Add Plugin Precedence field to the basic plugin configuration.
Fix CLI tools according to the UI changes.


Reviewed by: mreynolds (Thanks!)

- - - - -
bc773989 by Viktor Ashirov at 2019-05-24T18:24:41Z
Issue 49761 - Fix CI test suite issues

Bug Description:
RootDN plugin test was failing because of a race condition: existing
connection was reused to test allow/deny rules.

Fix Description:
Refactor test to use direct ldap connection instead of topology's bind.

Relates https://pagure.io/389-ds-base/issue/49761

Reviewed by: mreynolds (Thanks!)

- - - - -
1f1119d4 by Mark Reynolds at 2019-05-24T18:37:38Z
Bump version to

- - - - -
08a6aadc by Hugh McMaster at 2019-05-27T12:50:59Z
Ticket 49730 - Remove unused Mozilla ldapsdk variables

Bug Description:
The recent removal of support for Mozilla's ldapsdk in b770ac7
left behind some unused variables.

Fix Description:
Remove the unused variables from the code base.

Author: Hugh McMaster <hugh.mcmaster at outlook.com>

Review by: firstyear, mreynolds, mhonek

- - - - -
71e27117 by Viktor Ashirov at 2019-05-27T15:01:51Z
Issue 50390 - Add Managed Entries Plug-in Config Entry schema

Bug Description:
On older versions without the MEP config entry schema lib389 fails
to configure MEP plugin

Fix Description:
Check if we have required schema present, otherwise fallback to extensibleObject

Relates https://pagure.io/389-ds-base/issue/50390

Reviewed by: spichugi (Thanks!)

- - - - -
cf01e3b4 by Anuj Borah at 2019-05-28T10:59:16Z
Issue: 48851 - investigate and port TET matching rules filter tests(vfilter_ld)

Investigate and port TET matching rules filter tests(vfilter_ld)

Relates: https://pagure.io/389-ds-base/issue/48851

Reviewed by: Simon Pichugin

- - - - -
3d4c48eb by Mark Reynolds at 2019-05-28T13:33:10Z
Ticket 50355 -  NSS can change the requested SSL min and max versions

Description:  If we try and set a min and max SSL version in the server,
              it is actually only a request.  After setting the min and
              max, you need to retrieve the min and max to see what NSS
              did.  Then you have to reset the min and max versions one
              more time to actually set the valid range.  So yes, you do
              have to do a set() -> get() -> set().

              There is also another outstanding issue with NSS where it says
              the default max SSL version in FIPS mode is 1.3, but in fact
              it is 1.2.  So this patch has a hack fix to workaround that
              bug.  It should be able to be removed soon...


Reviewed by: mhonek(Thanks!)

- - - - -
aa2649fa by Anuj Borah at 2019-05-30T11:32:23Z
Issue: 48851 - investigate and port TET matching rules filter tests(vfilter simple)

Investigate and port TET matching rules filter tests(vfilter simple)

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Simon Pichugin, Viktor Ashirov, Barbora Smejkalová

- - - - -
255faf93 by Simon Pichugin at 2019-05-31T11:52:24Z
Issue 50052 - Add package-lock.json and use "npm ci"

Bug description: All software changes incur some risk,
and it's critical to be able to manage this risk.
We can use a common way of dealing with it - npm-shrinkwrap.

Fix description: The suggested approach - npm-shrinkwrap - is an "overkill"
for our case. We don't need to publish the package on NPM.
It will be sufficient enough to use existing NPM functionality added in 5.7 version.

Replace `npm install` with `npm ci` which uses package-lock.json
and throws an error if any inconsistencies with package.json are found.
Add package-lock.json to the repo.
When we change the package.json content, a new package-lock.json should be
generated (using `npm install`) and the change should be committed.

Fix audit issues and update package.json. Add repository field.

Add audit-ci tool. While creating a tarball, we now check that
there are no vulnerabilities higher than "moderate".
If it's impossible to fix the issue on our side right now and it is safe
to proceed, the vulnerable package can be added to the whitelist temporarily.


Reviewed by: mhonek, vashirov (Thanks!)

Add audit-ci tool, fix audit issues, add "repository" field

- - - - -
423a7ba0 by Mark Reynolds at 2019-05-31T12:45:22Z
Ticket 50413 - ds-replcheck - Always display the Result Summary

Description:  Previously we only printed a "Result Summary" if there
              were no inconsistencies and the entry counts matched.
              However, the entry counts do not need to match.  So
              this made the "Result Summary" checks too strict, and
              if things were out of sync there was no Result Summary
              printed at all.  This fix just always prints a result
              summary and it removes the entry count check.


Reviewed by: ?

- - - - -
10bffac3 by Matus Honek at 2019-06-03T12:23:48Z
Issue 49875 - Move SystemD service config to a drop-in file

Bug Description:
Runtime configuration options are mixed into the service specification
which should seldom be changed by users.

Fix Description:
Move the runtime configuration options into a drop-in file. These options
are then automatically pulled in by SystemD.

Additional Info:
Erasing the default values of the mentioned options to implicitly pull in
system defaults which are more sane nowadays.

The .service file is now common for xsan and non-xsan builds, the former
differing only by an additional drop-in file.

Related https://pagure.io/389-ds-base/issue/49875

Author: Matus Honek <mhonek at redhat.com>

Review by: firstyear, mreynolds, vashirov (thanks!)

- - - - -
73cdeb71 by Viktor Ashirov at 2019-06-03T16:22:36Z
Issue 49761 - Fix CI test suite issues

Bug Description:
ds_is_older() and ds_is_newer() accept only one value. This becomes tricky
when we need to compare current DS version to a number of versions
across different branches where a feature was implemented or a bug was

Fix Description:
Add a generic function that accepts either string or multiple strings
containing versions. If a single version string is passed, it is
compared only to that string. If multiple version strings are passed,
the comparison happens only in a related branch, i.e. '' is
compared only to '1.3.x', but not to '1.4.x'.

Update replcheck_test.py to use different parameters for ds-replcheck
depending on the version.

Relates: https://pagure.io/389-ds-base/issue/49761

Reviewed by: mreynolds (Thanks!)

- - - - -
7596ca04 by Anuj Borah at 2019-06-04T11:16:38Z
Issue: 48851 - Add more search filters to vfilter_simple test suite

Add more search filters to vfilter_simple test suite

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
65e325a0 by Mark Reynolds at 2019-06-05T13:07:04Z
Ticket 50417 - Revise legacy tool scripts to work with new systemd changes

Description:  Since we no longer use unit files in /etc/sysconfig all the shell/perl
              scripts need to find instances using /etc/dirsrv (@instconfigdir@)


Reviewed by: ?

- - - - -
f20e982c by Thierry Bordaz at 2019-06-06T13:40:44Z
Ticket 50329 - (2nd) Possible Security Issue: DOS due to ioblocktimeout not applying to TLS

Bug Description:
    A secure socket is configured in blocking mode. If an event
    is detected on a secure socket a worker tries to receive the request.
    If handshake occurs during the read, it can hang longer than
    ioblocktimeout because it takes into account the socket option
    rather than the timeout used for the ssl_Recv

Fix Description:
    The fix is specific to secure socket and sets this socket option
    to do non blocking IO.


Reviewed by: ?

Platforms tested: F28, RHEL7.6

Flag Day: no

Doc impact: no

- - - - -
278f5aac by Thierry Bordaz at 2019-06-07T12:24:55Z
Ticket 50428 - Log the actual base DN when the search fails with "invalid attribute request"

Bug Description:
	When a search request contains invalid parameters (attribute list with empty attribute
	name, unknown scope, invalid filter..) the search is rejected but the access log
	contains a wrong base search: ... SRCH base="(null)"...
	This is because it does not use for logging the variable that gathers the actual base ('rawbase')

Fix Description:
	Use 'rawbase' value for logging


Reviewed by: Mark Reynolds

Platforms tested: F28

Flag Day: no

Doc impact: no

- - - - -
c96ef350 by Matus Honek at 2019-06-07T12:41:14Z
Issue 50365 - PIDFile= references path below legacy directory /var/run/

Bug description:
SystemD complains the PIDFile= in the .service file points into a legacy
directory /var/run

Fix description:
Drop '@localstatedir@' which interpolates to '/var'. Although the actual
directory referenced everywhere else is the one prefixed with '/var' it
should not pose a problem since every environment SystemD is supposed to
run in has to have absolute path `/run' present which is effectively
always linked to the legacy '/var/run'.

Fixes https://pagure.io/389-ds-base/issue/50365

Author: Matus Honek <mhonek at redhat.com>

Review by: mreynolds, vashirov, firstyear (thanks!)

- - - - -
ff46f533 by Simon Pichugin at 2019-06-07T15:34:40Z
Issue 50052 - Fix rpm.mk according to audit-ci change

Description: Always run `npm ci` when we run node_modules install.
It should be done because we always have to be sure about
what we ship in the package is safe and stable.


Reviewed by: mreynolds (Thanks!)

- - - - -
22f2f9a1 by Mark Reynolds at 2019-06-07T18:33:17Z
Issue 50426 - nsSSL3Ciphers is limited to 1024 characters

Bug Description:  There was a hardcoded buffer for processing TLS ciphers.
                  Anything over 1024 characters was truncated and was not

Fix Description:  Don't use a fixed size buffer and just use the entire
                  string.  When printing errors about invalid format then
                  we must use a fixed sized buffer, but we will truncate
                  that log value as to not exceed the ssl logging function's
                  buffer, and still output a useful message.

ASAN approved


Reviewed by: firstyear, tbordaz, and spichugi (Thanks!!!)

- - - - -
3ca307d2 by Mark Reynolds at 2019-06-07T18:38:50Z
Revert "Issue 49960 - Core schema contains strings instead of numer oids"

This reverts commit 2738fd00ffd7b9bced16e2e9ce61da80eec51206.

- - - - -
4934b57a by Mark Reynolds at 2019-06-10T19:34:06Z
Ticket 50431 - Fix covscan warnings

Description:  Most coverity errors happen when something fails.


Reviewed by: firstyear & spichugi(Thanks!)

- - - - -
8af8e785 by Mark Reynolds at 2019-06-10T20:02:12Z
Issue 50417 - Fix missing quote in some legacy tools

Description:  A few scripts were missing a quote for the CONFIG_DIR var


Reviewed by: mreynolds (one line commit rule)

- - - - -
b4e585fa by Anuj Borah at 2019-06-12T12:07:00Z
Issue: 48851 - investigate and port TET matching rules filter tests(match)

Investigate and port TET matching rules filter tests(match)

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Matus Honek, Simon Pichugin

- - - - -
84243ab8 by Barbora Smejkalová at 2019-06-13T08:15:17Z
Issue 50370 - CleanAllRUV task crashing during server shutdown

Added test case to check if CleanAllRUV task didn't crash during server shutdown.

This code is not in a mergeable state yet.
I need review, if my steps are correct, because it is a timing issue to reproduce the bug.


Reviewed by: mreynolds (Thanks!)

- - - - -
054d32e7 by Mark Reynolds at 2019-06-13T21:55:25Z
Issue 50431 - Fix regression from coverity fix

Description:  Fix a regression from the initial coverity commit
              where we did not allow NULL pointers to be set into
              the pblock.  They were false positives reported by


Reviewed by: mreynolds (one line commit rule)

- - - - -
09ba2514 by William Brown at 2019-06-14T09:26:51Z
Ticket 50037 - revert path changes as it breaks prefix/rpm builds

Bug Description: A change was made to support virtual envs, but it
causes a regression that breaks prefix building to access the cli

Fix Description: Revert the path changes - the other patch changes
were totally reasonable, and can remain.

Related: https://pagure.io/389-ds-base/issue/50037

Author: William Brown <william at blackhats.net.au>

Review by: vashirov (Thanks!)

- - - - -
5c6ffae1 by William Brown at 2019-06-14T12:54:43Z
Ticket 50439 - Update docker integration to work out of source directory

Bug Description: Docker did not function in some cases, and we had to wait for
releases via rpm.

Fix Description: This adds the support to build from source into the tree
so that we can build and test git master. This also resolves a var/run
issue in the image, as well as some other minor python cleaning such
as handling sigchld to act as init.


Author: William Brown william at blackhats.net.au

Review by: spichugi

- - - - -
bd80a4f5 by Mark Reynolds at 2019-06-14T18:32:56Z
Issue 49602 - Revise replication status messages

Bug Description: All agreement status messages start with "Error (##)" followed
                 by a text string.  Even success states start with "Error", and
                 this is confusing.

                 Added new attributes to display the status in a JSON format
                 for easier parsing for applications:


Design Doc:  https://www.port389.org/docs/389ds/design/repl-agmt-status-design.html


Reviewed by: firstyear(Thanks!)

- - - - -
89081d1f by Anuj Borah at 2019-06-17T12:36:05Z
Issue: 50446 -  NameError: name 'ds_is_older' is not defined

Bug description: ds_is_older module is not imported in account.py
that's why enroll_certificate function is not working.

Fixes: https://pagure.io/389-ds-base/issue/50446

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
86077ec5 by Anuj Borah at 2019-06-18T11:16:05Z
Issue: 48851 - Investigate and port TET matching rules filter tests(bug772777)

Bug description: Investigate and port TET matching rules filter tests(bug772777).

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Matus Honek, Simon Pichugin

- - - - -
a90dec70 by Mark Reynolds at 2019-06-18T19:26:31Z
Ticket 49361 - Use IPv6 friendly network functions

Description:  We use these functions that are not reliable with IPv6:

                 - gethostbyname()
                 - inet_ntoa()
                 - inet_aton()
                 - inet_addr()

              This patch replaces these calls using one of the following
              preferred functions:

                  - inet_ntop()
                  - inet_pton()

              Also fixed a few failures in the replication CI test
              regression_test.py as replication uses code touched by this

ASAN approved


Reviewed by: firstyear(Thanks!)

- - - - -
5f0d45a3 by Mark Reynolds at 2019-06-18T20:18:31Z
Bump version to

- - - - -
d4a676cf by Simon Pichugin at 2019-06-19T10:42:36Z
Issue 49232 - Truncate the message when buffer capacity is exceeded

Bug Description: When the access log buffer capacity is exceeded we log
an emergency error and the access log line is not logged at all.

Fix Description: Log the error message to errors log and log the access
log message but truncate its elements (for the search access log message).
Or just log what is in the buffer in other cases.
Add CI test to ds_logs test suite for the basic feature testing.


Reviewed by: mreynolds, tbordaz, firstyear (Thanks!!)

- - - - -
73cb6b9e by Anuj Borah at 2019-06-19T11:58:53Z
Issue: 48851 - investigate and port TET matching rules filter tests(index)

Investigate and port TET matching rules filter tests(index)

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
5c0198d9 by Mark Reynolds at 2019-06-19T19:41:04Z
Issue 50454 - Fix Cockpit UI branding

Bug Description:  On RHEL we still displayed "389 Directory Server" in
                  the Cockpit vertical navigation panel instead of
                  "Red Hat Directory Server".

Fix Description:  Instead of using separate files, just do a "sed" replacement
                  in the specfile to handle the branding


Reviewed by: viktor & mhonek (Thanks!!)

- - - - -
f874c39f by William Brown at 2019-06-20T13:22:10Z
Ticket 50439 - fix waitpid issue when pid does not exist

Bug Description: In some situations, waitpid will fail with
a no child process error, when the pid file has a value but
no pid exists.

Fix Description: Catch the exception, because in this case
we have no pids to wait upon, so there is no harm to skip this.


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
5e285f63 by Viktor Ashirov at 2019-06-24T15:42:12Z
Issue 50378 - ACI's with IPv4 and IPv6 bind rules do not work for IPv6 clients


Add a new test case for #50378 instead of the older one that was testing
an unsupported corner case (ip=*).

Relates: https://pagure.io/389-ds-base/issue/50378

Reviewed by: mreynolds (Thanks!)

- - - - -
1924c12b by Anuj Borah at 2019-06-25T13:02:19Z
Issue: 48851 - Add more test cases to the match test suite.

Bug Description: Add more test cases to the match test suite.

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
e4ec3e0e by Matúš Honěk at 2019-06-25T14:46:05Z
Ticket 50217 -  Implement dsconf security section

Bug Description:
dsconf lacks options to configure security options

Fix Description:
Implementing options to configure security related attributes and handle ciphers

Fixes: https://pagure.io/389-ds-base/issue/50217

Author: Matus Honek <mhonek at redhat.com>

Review by: firstyear, mreynolds (Thanks!)

- - - - -
19d2029b by Mark Reynolds at 2019-06-25T19:18:43Z
Issue 50462 - Fix CI tests

Description:  Port some of the failing ticket tests to suites

related: https://pagure.io/389-ds-base/issue/50462

Reviewed by: vashirov, mhonek, spichugi, and aadhikari (thanks!)

- - - - -
71138c04 by Mark Reynolds at 2019-06-25T19:22:40Z
Issue 50462 - Fix Root DN access control plugin CI tests

Description:  Port CI test to use DSLDapObject instead of raw types,
              and add sleeps after every config change.

              Also increased replication timeout in the referint_plugin

related: https://pagure.io/389-ds-base/issue/50462

Reviewed by: vashirov(thanks!)

- - - - -
0b2f0475 by Ludwig Krispenz at 2019-06-27T07:26:13Z
Ticket 50472 - memory leak with encryption

Bug: In ssl initialization a lot of memory is allocated by calls to nss functions
	and not freed

Fix: free all allocations reported by asan

Reviewed by: Mark, thanks

- - - - -
9bf0fc29 by Matúš Honěk at 2019-06-27T08:10:17Z
Issue 50474 - Unify result codes for add and modify of repl5 config

Bug Description:
Same constraints resulting in error are reported as different LDAP
result codes when using different operation for adjusting these.

Fix Description:
A part of the code had not conveyed the error reason down the stack,
therefore adding this information and returning the proper code.

Fixes: https://pagure.io/389-ds-base/issue/50474

Author: Matus Honek <mhonek at redhat.com>

Review by: mreynolds, spichugi (thanks!)

- - - - -
4661c793 by Viktor Ashirov at 2019-07-01T14:30:07Z
Issue 49761 - Fix CI test suite issues


Fix test failures in tier0 and tier1 tests:

* Skip tests where it's not implemented.
* Set custom fd limits to the value less than allowed per process.
* Use a correct URI for ACI related tests in paged_results_test.py.

Relates: https://pagure.io/389-ds-base/issue/49761

Reviewed by: mreynolds (Thanks!)

- - - - -
4677007d by Akshay Adhikari at 2019-07-03T14:39:20Z
Issue 50177 - Add a new CI test case, also added fixes in lib389

Bug Description: Import task should not be deleted too rapidly after import finishes
to be able to query the status.

Fix Description: A new attribute 'ttl' is order to tune the life time of the task.
The default value is increased to '86400'. Added a test to check that and added it
to ImportTask & ExportTask classes in lib389 so it will create ttl attribute by default.

Fixes: https://pagure.io/389-ds-base/issue/50177

Review by: mreynolds (Thanks!)

- - - - -
70ba6e38 by Akshay Adhikari at 2019-07-03T15:01:38Z
Issue 49997 - Add a new CI test case

Bug Description: If the suffix provided in the command line does not exist or it's
not replicated, we have an error message that it's regarding the RUV

Fix Description: Added a test case that will validate if a wrong suffix is passed then
a proper error message is displayed or not.

Relates: https://pagure.io/389-ds-base/issue/49997

Review by: vashirov (Thanks!)

- - - - -
c2650f02 by Akshay Adhikari at 2019-07-04T06:57:21Z
Issue 49239 - Add a new CI test case

Bug Description: ds-replcheck unreliable, showing false positives, showing missing tombstone entries
in the report.

Fix Description: Added a test case to check missing tombstone entries is not reported, also fixed
py3 issue in ds-replcheck by explicitly adding bytes.

Relates: https://pagure.io/389-ds-base/issue/49239

Review by: vashirov, mreynolds (Thanks!)

- - - - -
fdf59ee0 by Mark Reynolds at 2019-07-08T18:00:28Z
Issue 50431 - Fix regression from coverity fix

Description:  Fix a regression from the initial coverity commit that
              caused the memberOf groupattrs to become corrupted and
              crash the server.


Reviewed by: vashirov(Thanks!)

- - - - -
74833414 by Mark Reynolds at 2019-07-08T19:23:01Z
Bump version to

- - - - -

25 changed files:

- + .dockerignore
- .gitignore
- − 389-doap.rdf
- Makefile.am
- autogen.sh
- configure.ac
- + dirsrvtests/pytest.ini
- dirsrvtests/tests/perf/memberof_test.py
- dirsrvtests/tests/stress/cos/cos_scale_template_test.py
- dirsrvtests/tests/stress/reliabilty/reliab_7_5_test.py
- dirsrvtests/tests/stress/reliabilty/reliab_conn_test.py
- dirsrvtests/tests/stress/replication/mmr_01_4m-2h-4c_test.py
- dirsrvtests/tests/stress/replication/mmr_01_4m_test.py
- + dirsrvtests/tests/suites/acl/acivattr_test.py
- dirsrvtests/tests/suites/acl/acl_deny_test.py
- dirsrvtests/tests/suites/acl/acl_test.py
- + dirsrvtests/tests/suites/acl/conftest.py
- + dirsrvtests/tests/suites/acl/deladd_test.py
- dirsrvtests/tests/suites/acl/enhanced_aci_modrnd_test.py
- + dirsrvtests/tests/suites/acl/globalgroup_part2_test.py
- + dirsrvtests/tests/suites/acl/globalgroup_test.py
- + dirsrvtests/tests/suites/acl/keywords_part2_test.py
- + dirsrvtests/tests/suites/acl/keywords_test.py
- + dirsrvtests/tests/suites/acl/misc_test.py

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/compare/92909976b6b741a8932c8b6db42fa9ba660c1520...7483341432b1a7c3d8448ff3b3e01b09d0540bc7
