[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][upstream] 114 commits: Issue 50508 - UI - fix local password policy form

Timo Aaltonen gitlab at salsa.debian.org
Tue Nov 26 22:04:39 GMT 2019

Timo Aaltonen pushed to branch upstream at FreeIPA packaging / 389-ds-base

53efe7a1 by Mark Reynolds at 2019-07-22T16:51:54Z
Issue 50508 - UI - fix local password policy form

Description:  The modal width is too narrow and it overflows

relates: https://pagure.io/389-ds-base/issue/50508

Reviewed by: mreynolds(one line commit rule)

- - - - -
9ea5b9bf by Anuj Borah at 2019-07-23T17:26:01Z
Issue 50511 -  lib389 PosixGroups type can not handle rdn properly

Description:  lib389 PosixGroups type can not handle rdn properly

Fixes: https://pagure.io/389-ds-base/issue/50511

Author: aborah

Reviewed by: Simon Pichugin, Matus Honek

- - - - -
c7782552 by Simon Pichugin at 2019-07-24T09:28:49Z
Issue 50488 - Create a monitor for disk space usagedisk-space-mon

Description: Create a new monitor object: cn=disk space,cn=monitor.
It contains 'dsDisk' multi-valued attribute which has a format:

dsdisk: partition="/" size="42006183936" used="35768864768" available="6237319
 168" use%="85"
dsdisk: partition="/tmp" size="1023303680" used="950198272" available="7310540
 8" use%="92"

Add MonitorDiskSpace(DSLdapObject) to monitor.py.
Add a test to check the basic functionality.
Remove unused code and its statfs.h dependency.
Remove SLAPD_MONITOR_DN definition because it is unused.


Authors: spichugi, mreynolds

Reviewed by: mreynolds, tbordaz, mhonek (Thanks!)

- - - - -
4295210b by Thierry Bordaz at 2019-07-25T13:54:16Z
Ticket 50510 - etime can contain invalid nanosecond value

Bug Description:
	When computing the etime, it takes into account the nanosecond.
	At border of a second, the ending nsec can be lower than starting nsec.
	In such case the computation is wrong as delta=(ending_nsec - starting_nsec) is negative.
	final_nsec = 1 - delta > 1sec

Fix Description:
	if delta=(ending_nsec - starting_nsec) is negative
	final_nsec = 1 + delta < 1sec


Reviewed by: Mark Reynolds (Thanks!)

Platforms tested: F28

Flag Day: no

Doc impact: no

- - - - -
b07be1e6 by Mark Reynolds at 2019-07-30T18:38:26Z
Issue 50521 - Add regressions in CI tests

Description:  Port accpol_test.py to DSLdapObject.  The other tests are all
              related to a change with hiding unhashed passwords by default
              in the logs.

relates: https://pagure.io/389-ds-base/issue/50521

Reviewed by: vashirov(Thanks!)

- - - - -
a593f3d0 by Mark Reynolds at 2019-07-30T20:25:58Z
Issue 50506 - Replace slapi_entry_attr_get_charptr() with slapi_entry_attr_get_ref()


There has been a pattern/habit in the code of using slapi_entry_attr_get_charptr()
to get an attribute value, but this function strdup's the entry's attribute value.
In almost all cases the slapi_entry_attr_get_charptr() value is freed right away -
it is not consumed. This is causing unnecessary malloc/free's which adds to
fragmentation and hurts performance. Instead, if the attribute value is not consumed
we should use slapi_entry_attr_get_ref() instead, which just grabs a pointer to
the attribute value.

relates: https://pagure.io/389-ds-base/issue/50506

ASAN & covscan approved

Reviewed by: lkrispen(Thanks!)

- - - - -
4b240e96 by Mark Reynolds at 2019-08-01T14:21:02Z
Issue 50506 - Fix invalid frees from pointer reference calls.

Description:  There were a few free calls that were not removed
              which caused a double free.  There was also extra
              care needed in pw.c around shadow password attribute

relates: https://pagure.io/389-ds-base/issue/50506

Reviewed by: lkrispen(Thanks!)

- - - - -
67c7604b by Mark Reynolds at 2019-08-02T16:07:07Z
Issue 50529 -  LDAP server returning PWP controls in different sequence

Description:  The server returns password policy controls in different orders
              depending on the state of grace logins.  The requested control,
              if any, should be returned first, followed by any controls the
              server might add.

relates: https://pagure.io/389-ds-base/issue/50529

Reviewed by: mreynolds (one line commit rule)

- - - - -
4159cf6d by Mark Reynolds at 2019-08-05T13:20:55Z
Issue 50530 - Directory Server not RFC 4511 compliant with requested attr "1.1"

Bug Description:  A regression was introduced some time back that changed the
                  behavior of how the server handled the "1.1" requested attribute
                  in a search request.  If "1.1" was requested along with other
                  attributes then no attributes were returned, but in this case "1.1"
                  is expected to be ignored.

Fix Description:  Only comply with "1.1" if it is the only requested attribute

relates: https://pagure.io/389-ds-base/issue/50530

Reviewed by: firstyear(Thanks!)

- - - - -
64e457ad by Anuj Borah at 2019-08-07T10:12:13Z
Issue: 48851 - Add more test cases to the match test suite(mode replace)

Bug Description: Add more test cases to the match test suite(mode replace)

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
7fb25957 by Anuj Borah at 2019-08-07T14:19:25Z
Issue: 48851 - investigate and port TET matching rules filter tests(indexing final)

Bug Description: Investigate and port TET matching rules filter tests(indexing final)

Relates : https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
70461785 by Mark Reynolds at 2019-08-07T14:34:33Z
Issue 50507 - Fix Cockpit UI styling for PF4

Description:  Fix the UI stylings to be aligned with Patternfly 4.

              Also cleaned up ds.css to remove unused and duplicate

              Added framework for PF React 4 so we start porting
              PF React to version 4 as well.

relates: https://pagure.io/389-ds-base/issue/50507

Reviewed by: spichugi(Thanks!)

- - - - -
205506a9 by Ludwig Krispenz at 2019-08-07T15:14:51Z
Issue 50506 - cont Fix invalid frees from pointer reference calls

one more issue found with dynamic_plugins test suite and ASAN

- - - - -
b8c64856 by Mark Reynolds at 2019-08-07T20:38:25Z
Issue 50534 - CLI change schema edit subcommand to replace

Description:  The way the CLI currently edits an attribute or objectclass
              is that it deletes it, and then adds the new attribute using
              only the params specified in "edit". So the subcommand "edit"
              is misleading as previous/untouched values will get overwritten,
              it should be "replace" instead to avoid confusion.

relates: https://pagure.io/389-ds-base/issue/50534

Reviewed by: spichugi(Thanks!)

- - - - -
fb3be041 by Mark Reynolds at 2019-08-07T20:49:22Z
Issue 50525 - nsslapd-defaultnamingcontext does not change when the assigned suffix gets deleted

Bug Description:

If you delete the suffix that is set as the default naming context, the attribute
is not reset.

Also using dsconf to delete a backend/suffix fails if there are vlv indexes, encrypted
attributes, or replication is configured.

Fix Description:

As for the default naming context, if there is a second suffix configured, it will be
automatically set as the new default naming context, otherwise the attribute is not

For dsconf backend delete issue, it now checks and removes replication configuration
and agreements, and removes all the child entries under the backend entry.

relates: https://pagure.io/389-ds-base/issue/50525

Reviewed by: spichugi(Thanks!)

- - - - -
71d7ca07 by Mark Reynolds at 2019-08-08T12:02:49Z
Issue 50536 - Audit log heading written to log after every update

Bug Description:  Once the audit log is rotated the log "title" is incorrectly
                  written to the log after every single update.  This happened
                  because when we updated the state of the log it was applied
                  to a local variable, and not the log info structure itself.

Fix Description:  After writing the "title", update the state of the log using
                  a pointer to the log info structure.

relates: https://pagure.io/389-ds-base/issue/50536

Reviewed by: lkrispenz(Thanks!)

- - - - -
35757309 by Mark Reynolds at 2019-08-08T15:48:40Z
Issue 50538 - cleanAllRUV task limit is not enforced for replicated tasks

Bug Description:

There is a hard limit of 64 concurrent cleanAllRUV tasks, but this limit is
only enforced when creating "new" tasks. It was not enforced when a task was
received via an extended operation. There were also race conditions in the
existing logic that allowed the array of cleaned rids to get corrupted. This
allowed for a very large number of task threads to be created.

Fix Description:

Maintain a new counter to keep track of the number of clean and abort threads
to make sure it never over runs the rid array buffers.

relates: https://pagure.io/389-ds-base/issue/50538

Reviewed by: lkrispenz(Thanks!)

- - - - -
21ba8427 by Mark Reynolds at 2019-08-09T13:31:23Z
Issue 50538 - Move CI test to individual file

Description:  The CI test needs to be a standalone file as it needs
              a clean environment to run correctly

relates: https://pagure.io/389-ds-base/issue/50538

Reviewed by: lkrispenz(Thanks!)

- - - - -
340f2399 by Ludwig Krispenz at 2019-08-13T08:05:34Z
Ticket 50490 objects and memory leaks

Bug: There are several memory leaks for replication objects

Fix: This patch contains a couple of fixes:

	- The balance of acquire and release for a replica object was incorrect,
	but the object is allocated at startup or when a replica is added and
	destroyed at shutdown. In between we know the replica exists and can be accessed directly
	To ensure that no access was made until it is destroyed the shutdown order was
	slightly modified

	- other objects like RUV or AGMT were also not always correctly balanced, this
	is corrected

	- in cl5_api where many types of objects are used, the variable names were changed
	to better indicate to what an object refers

	- some other leaks, eg in repl5_total_init or op_shared_add were fixed

	- unused code has been removed

Reviewed by: William, Thierry, Mark - thanks

- - - - -
7a24286f by Akshay Adhikari at 2019-08-13T13:17:31Z
Issue 50462 - Fix CI tests

Description: Explicitly changed strings to bytes in upgrade-script(tools.py)
Also added a ds_version check so that it won't break in 1.4.
Added a new replication agreement, and a replication manager. Replication is not
working with service accounts.

related: https://pagure.io/389-ds-base/issue/50462

Reviewed by: Firstyear, vashirov (Thanks!)

- - - - -
ca915d58 by Thierry Bordaz at 2019-08-14T13:37:12Z
Ticket 50542 - Entry cache contention during base search

Bug Description:
	During a base search the entry cache lock is acquired to retrieve the target entry.
	Later when the candidate list is built, the entry cache lock is also acquired
	to retrieve the candidate that is actually the target entry itself

	So for a base search the entry cache lock is accessed 4 times (2 acquires + 2 releases)

	It is very easy to create a huge contention (e.g. dereferencing large group) increasing

Fix Description:
	The idea is to acquire the entry, from the entry cache (with refcnt++) when searching the base
	search. Then instead of returning the entry (refcnt--) the entry is kept in the operation until
	the operation completes. If later we need the entry (to send it back to the client), the entry is
	picked up from the operation not from the entry cache lookup


Reviewed by: Ludwig Krispenz, William Brown

Platforms tested: F29

Flag Day: no

Doc impact: no

- - - - -
f5714c12 by Barbora Smejkalova at 2019-08-22T06:25:47Z
Issue 49761 - Fix CI test suite issues

Fixing failing ticket49071_test.py, so it would pass nightly tests.
Also moved this test to "/suites/import/regression_test.py" and removed ticket49071_test.py from "tickets"

Relates: https://pagure.io/389-ds-base/issue/49071
Relates: https://pagure.io/389-ds-base/issue/49761

Reviewed by: firstyear, vashirov (Thanks!)

- - - - -
7edcaff0 by Ludwig Krispenz at 2019-08-22T14:41:28Z
fix for 50542 crashes in filter tests

The crash is when a backentry is released, there is a call to CACHE_RETURN
and then check and free of a vlv entry.
But CACHE_RETURN, under some conditions, can free the backentry - the following check will
dereference a NULL entry and crashes

Fix: Reverse the order of freeing vlv entry and returning entry to cache

Note: Viktor did successfully run the tests, thanks

Reviewed by: ?

- - - - -
b5d96274 by Mark Reynolds at 2019-08-22T15:45:06Z
Issue 49624 - modrdn silently fails if DB deadlock occurs

Bug Description:

If a DB Deadlock error occurs during a modrdn operation the entry
cache gets updated (corrupted), but the update is not applied to
the database.

Fix Description:

Looks like there was a copy & paste error, and the wrong attribute
was updated during the retry of the modrdn operation.

relates: https://pagure.io/389-ds-base/issue/49624

Reviewed by: lkrispenz (Thanks!)

- - - - -
6ae84810 by Simon Pichugin at 2019-08-23T07:54:55Z
Issue 50499 - Audit fix - Update npm 'eslint-utils' version

Description: Versions of `eslint-utils` >=1.2.0 or <1.4.1 are vulnerable
to Arbitrary Code Execution. Update the version.


Reviewed by: ?

- - - - -
e3780926 by Mark Reynolds at 2019-08-23T15:32:48Z
Issue 50506 - Fix regression from slapi_entry_attr_get_ref refactor

Description:  In pwenc.c we took a reference to the attribute value, but
              it was freed before we looked at it.

relates: https://pagure.io/389-ds-base/issue/50506

Reviewed by: mreynolds (one line commit rule)

- - - - -
af4631f2 by Viktor Ashirov at 2019-08-23T16:07:40Z
Issue 49761 - Fix CI test suite issues


* Update conftest.py to work correctly on FIPS machine
* Rename single letter variables to avoid conflicts with pdb commands
* Skip some tests on versions < where fix is not available
* Add a timeout after import task is created to avoid failures on slow machines

Relates: https://pagure.io/389-ds-base/issue/49761

Reviewed by: spichugi (Thanks!)

- - - - -
441d5aba by Mark Reynolds at 2019-08-26T14:50:05Z
Issue 49324 - idl_new report index name in error conditions

Description:  Add the index attribute name to error messages

relates: https://pagure.io/389-ds-base/issue/49324

Reviewed by: firstyear & tbordaz (Thanks!!)

- - - - -
5287b9ac by Simon Pichugin at 2019-08-26T19:22:18Z
Issue 50206 - Refactor lock, unlock and status of dsidm account/role

Description: Port ns-accountstatus.pl, ns-activate.pl and ns-inactivate.pl to lib389 CLI.
Add: dsidm account/role entry-status, dsidm account subtree-status, dsidm role lock/unlock
Refactor: dsidm account lock/unlock
Remove: dsidm account status
Also, refactor role.py and idm/account.py accordingly to the CLI requirements.


Reviewed by: firstyear (Thanks, William!)

- - - - -
bfdb2262 by William Brown at 2019-08-26T22:31:08Z
Ticket 50564 - Fix rust libraries by default and improve docker

Bug Description: Rust libraries were not installed properly
due to quirks of autotools and cargo. Containers as a result
couldn't start in some cases.

Fix Description: Fix this by building rust
libraries as static libs and linking them into existing .so files


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
8474a172 by Mark Reynolds at 2019-08-27T15:13:25Z
Issue 49324 - idl_new fix assert

Description:  Remove faulty assert, and retrieve best effort name of index

relates: https://pagure.io/389-ds-base/issue/49324

Reviewed by: tbordaz(Thanks!)

- - - - -
723b88a2 by Anuj Borah at 2019-08-28T10:03:09Z
Issue: 48055 - CI test-(Plugin configuration should throw proper error messages if not configured properly)

CI test-(Plugin configuration should throw proper error messages if not configured properly)

Relates: https://pagure.io/389-ds-base/issue/48055

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
43f7b99c by William Brown at 2019-08-28T23:44:50Z
Ticket 50349 - filter schema validation

Bug Description: 389 Should assert that all attributes in a filter
are present and valid in schema. If there are attributes in a filter
that are not in schema, this can lead to DOS due to fall-back to
un-indexed scans, and it also can mask and cover-up application and
development issues with queries. For example, the referenced case was
caused by IPA mistakenly searching an attribute that can never be
satisfied by ACI/filter. If we warned or rejected filters in this case
we would have quickly communicated to the developer that they had caused
a mistake - feedback, being a vital component of psychology and usability

This should optionally be allowed to be disabled, due to some sites that
use things like extensibleObject that by nature, bypass and violate schema

Fix Description: We now have a configuration item that has three levels:
off, warn, on. The idea is that with "on" we'll reject the filter and
won't execute it. "warn", we evaluate the filter, but we map invalid
attributes to an empty IDL. And "off" we have the "previous" behaviour. We
default to "warn" which is the rfc compliant behaviour.


Author: William Brown <william at blackhats.net.au>

Review by: tbordaz, lkrispen (Thanks!)

- - - - -
0c94f219 by Simon Pichugin at 2019-08-30T14:52:18Z
Issue 50578 - Add SKIP_AUDIT_CI flag for Cockpit builds

Description: Sometimes we need to skip audit-ci check because
we are doing a bisect or just checking older commit.
Process an environment variable SKIP_AUDIT_CI and
if it's set - skip the audit-ci action.


Reviewed by: mreynolds, vashirov (Thanks!)

- - - - -
54ae3dfb by Simon Pichugin at 2019-09-02T14:12:31Z
Issue 50572 - After running cl-dump dbdir/cldb/*ldif.done are not deleted

Description: By default, remove ldif.done files after running cl-dump.
Add an option '-l' which allows keeping the files.
Modify 'dsconf replication dump-changelog' command accordingly.
Update man files.


Reviewed by: firstyear, mreynolds (Thanks!)

- - - - -
0a343893 by Simon Pichugin at 2019-09-02T16:16:10Z
Issue 50545 - Port fixup-memberuid and add the functionality to CLI and UI

Description: fixup-memberuid.pl script corrects mismatched member and uniquemember values.
Port to existing CLI tools and add the button (similar to memberOf fixup task) to UI.


Reviewed by: mreynolds, firstyear (Thanks!)

- - - - -
aa17a8f9 by Simon Pichugin at 2019-09-03T15:59:29Z
Issue 50550 - DS installer debug messages leaking to ipa-server-install

Bug Description:
DS installer debug messages are now leaked in the main ipa-server-install output.
This looks as a (very minor) regression, I did not see this text in the past.

Fix Description:
Clean up logging in lib389. Replace 'sepolicy' module with subprocess call
to 'semanage' tool. It is done because 'sepolicy' has verbose output that
appears on 'import'. Instead of developing a tricky workaround, direct
'semanage' call was used.


Reviewed by: firstyear, mreynolds, mhonek (Thanks!)

- - - - -
ba425453 by William Brown at 2019-09-03T23:58:43Z
Ticket 50567, 50568 - strict host check disable and display container version

Bug Description: This is a minor fix to disable strict host checking
by default as it causes some installs to unexpectedly fail. We also
display the container version by default to aid future issue reports.

Fix Description: strict host check to false, and print paths.version.


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds (Thanks!)

- - - - -
295ea072 by William Brown at 2019-09-04T00:04:02Z
Ticket 50576 - Same proc uid/gid maps to rootdn for ldapi sasl

Bug Description: In containers the directory server process may
not start as root, and root may not even be accessible. This means
that some local administration is difficult to achieve. By allowing
the running process id to map to rootdn (directory manager), we have
the same effective security, but ease use of some cli tools.

Fix Description: Allow uid/gid to map to root dn


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds (Thanks!)

- - - - -
a096b07c by Mark Reynolds at 2019-09-06T19:42:04Z
Bump version to

- - - - -
00403323 by Mark Reynolds at 2019-09-07T11:37:42Z
Issue 50546 - Fix various issues in UI

Description:  This patch addresses several issues:

    - #50546 - Exports from Cockpit can be stored outside of /var/lib/dirsrv/slapd-instance_name/ldif/
    - #50418 - dsctl remove does not cleanup /etc/tmpfiles.d
    - #50554 - Cockpit incorrectly shows that a server is in read-only mode
    - #49856 - Changing port should adjust selinux labels
    - This also enforces a minimum password length for root DN
    - Added confirmation modal if you disable LDAPI (and UI)
    - Added port verification
    - Created new "view" modals for schema instead of reusing edit forms
    - Improved instance creation form validation
    - Added a progress bar for doing the initial load of configuration

relates: https://pagure.io/389-ds-base/issue/50546

Reviewed by: spichugi(Thanks!)

- - - - -
4a84f843 by Simon Pichugin at 2019-09-09T07:10:31Z
Issue 50173 - Add the validate-syntax task to the dsconf schema

Description: Perl scripts will be removed. And we should have
the replacement for syntax-validate.pl. We should add the CLI
option to dsconf schema.
Add validate-syntax task subcommand for 'dsconf schema'.
Add a test for syntax validate task


Reviewed by: firstyear (Thanks!)

- - - - -
38d1b0a0 by Simon Pichugin at 2019-09-09T11:53:36Z
Issue 50586 - lib389 - Fix DSEldif long line processing

Description: When dse.ldif has a very long line in the attribute value,
it puts it to the next line and adds ' '.
We should process it correctly in lib389.


Reviewed by: mreynolds, mhonek (Thanks!)

- - - - -
041f71c2 by Mark Reynolds at 2019-09-09T20:36:20Z
Issue 50546 - fix more UI issues

Description:  In schema.js do not reset "ds-input" class's border.  In FF
              it makes all the field ugly.  Also fixed the plugin forms
              to be nicer and easier to read

relates: https://pagure.io/389-ds-base/issue/50546

Reviewed by: mreynolds (one line commit rule)

- - - - -
d0c846be by Tibor Dudlák at 2019-09-10T16:22:57Z
Do not use comparison with "is" for empty value

There is a warning with python 3.8 at fedora rawhide about
comparison with "is" while running ipa-server install:
dirsrv_log.py:148: SyntaxWarning: "is not" with a literal. Did you mean "!="
Removing "is not ''" as this should not be needed
to make sure that timedata['nanosecond'] is empty.

Signed-off-by: Tibor Dudlák <tdudlak at redhat.com>

- - - - -
db876c62 by Mark Reynolds at 2019-09-10T19:14:42Z
Issue 50546 - fix more UI issues(part 2)

Description:  Fixed minor issues not fully addressed from the last commit

relates: https://pagure.io/389-ds-base/issue/50546

Reviewed by: mreynolds (one line commit rule)

- - - - -
828ebf66 by William Brown at 2019-09-10T23:31:32Z
Ticket 50584, 49212 - docker healthcheck and configuration

Bug Description: Docker is managed by providing values from the
environment. To know if this is ready to make changes to our
local instance, we need to be able to check the instance is
healthy. In addition, docker has a health check process which
can allow monitoring and management of instances as they start.

Fix Description: This provides a healthcheck tool and allows
configuration by the environment for the directory manager
password, and allows indicating via the env to perform a
db2index on startup.


Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
00e33315 by Matus Honek at 2019-09-11T11:00:53Z
Issue 50580 - Perl can't be disabled in configure

Bug description:
Due to incorrect use of AC_ARG_ENABLE macro arguments' semantics some
calls like ./configure --disable-* and --enable-*=no worked
unexpectedly like --enable-*=yes.

Fix description:
As this issue affects several ./configure options all were fixed. The
fix uses the fourth argument of the AC_ARG_ENABLE to set the default in
case no option was provided. In case an explicit --disable-* or
--enable-* argument was provided to ./configure the respective $enable_*
variable is implicitly populated by autoconf, hence subsequent
if-else statements take care of additional operations based on the
variable's value.

For the record, some implementations of the options pre-set the default
value before the AC_ARG_ENABLE in case the respective $enable_* variable
has not been set. This is a correct approach, hence left as is.

Resolves: https://pagure.io/389-ds-base/issue/50580

Author: Matus Honek <mhonek at redhat.com>

Review-By: Mark (thanks!)

- - - - -
9e88e197 by Ludwig Krispenz at 2019-09-12T13:51:57Z
Issue 50506 - Fix regression for replication stripattrs

Bug: When parsing the provided attribute value, a reference was used
	and modified, the original attribute was corrupted

Fix: Use a copy for parsing

Reviewed by: ?

- - - - -
0caae8aa by Ludwig Krispenz at 2019-09-12T14:42:46Z
Ticket 50593 Investigate URP handling on standalone instance

Bug: If the MMR plugin is enabled (on by default)
	even if no replica was configured the MMR plugins were called
	and eventually tried to generate cenotaphs for modrdn ops-

Fix: Check early if the operation affects a backend without replication
	and return

- - - - -
99f11312 by Sylvie Gouverneyre at 2019-09-13T14:51:48Z
ticket 50510 - etime can contain invalid nanosecond value

Bug Description:
	When running the test on upstream backported version, the skipif line has to be manually commented

Fix description :
	changed skipif to xfail, the test being written so that it is able to manage the failures.
	This is a temporary fix, as the test will have to be modified when bug 1749236 related to this feature will be fixed.

- - - - -
c403a39c by Mark Reynolds at 2019-09-16T19:31:15Z
Issue 50604 - Fix UI validation


This issue has been opened to track a series of bugzillas that were filed by our QE group during a massive UI testing day. Here are the issues being addressed in this issue:

- Replication agreement disappears from table after browser refresh
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751128
- Fix log rotation time validation
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751004
- Check backup/ldif name to see if it already exists
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751007
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751009
- Root DN should not be editable
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751011
- Backup should check if there is a database available
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751019
    - Also fixed backup duplicate timestamp issue
- Fixed instance creation error handling
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751026
- Fixed export/inout issues.  Check for existing back or ldif
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751019
- Validate SSL version min and max
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751072
- Can not promote/demote replica
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751145
- Database link creation and deletion issue
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751157
- Agreement name validation during creation
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751165
- Validate referral port
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751173
- Fix deletion of config attributes
    - https://bugzilla.redhat.com/show_bug.cgi?id=1751190

There was an overall improvement when creating suffixes/databases on how to initialize them

relates: https://pagure.io/389-ds-base/issue/50604

Reviewed by: spichugi(Thanks!)

- - - - -
4c5a4316 by Thierry Bordaz at 2019-09-17T13:21:05Z
Ticket 50581 - ns-slapd crashes during ldapi search

Bug Description:
	Using ldapi, if the length of the socket file path exceeds
	46 bytes it triggers a buffer overflow while resetting a connection.
	Reset happens at open/close/error.

Fix Description:
	Use a buffer sized for a PRNetAddr.local.path (~100bytes)
	Use of MAXPATHLEN (4kb) is too much.


Reviewed by: William Brown, Alexander Bokovoy, Mark Reynolds, Simon Pichugi

Platforms tested: F30 (thanks !!)

Flag Day: no

Doc impact: no

- - - - -
2b44a279 by Mark Reynolds at 2019-09-17T14:36:30Z
Bump version to

- - - - -
16cf97e1 by Ludwig Krispenz at 2019-09-18T15:13:19Z
Ticket: 50610 memory leak in dbscan

Bug: the latest allocation of a database iteration is not freed,

Fix: after the iteration free key/data structs

Reviewed by: Mark, thanks

- - - - -
56ea32d6 by Viktor Ashirov at 2019-09-23T08:00:49Z
Issue 50615 - Log current test name to journald

Bug Description:
Sometimes server crashes during test execution, events about crash are
logged to journald. But it's not easy to tell in which test the crash
happened, especially during the full test run.

Fix Description:
Add a fixture that is used automatically for all tests (if the server is
built with systemd) on setup and teardown, and logs a message to journald

Fixes: https://pagure.io/389-ds-base/issue/50615

Reviewed by: mreynolds (Thanks!)

- - - - -
fce5c6c0 by Mark Reynolds at 2019-09-25T14:49:37Z
Issue 50620 - Fix regressions from 50506 (slapi_entry_attr_get_ref)

Description:  Some crashes were found in upstream testing.  Needed
              to revert slapi_entry_attr_get_ref() back to slapi_entry_attr_get_charptr()

relates: https://pagure.io/389-ds-base/issue/50620

Reviewed by: tbordaz(Thanks!)

- - - - -
4b987b3a by William Brown at 2019-09-26T00:55:53Z
Ticket 50617 - disable cargo lock

Bug Description: We need cargo lock for future offline builds, but
the version of cargo in suse/rhel seems too old to support vendoring.

Fix Description: For now, disable this, and rely on "online" builds
(but we have no/few external deps anyway)


Author: William Brown <william at blackhats.net.au>

Review by: mhonek, mreynolds (thanks!)

- - - - -
28f40a83 by William Brown at 2019-09-26T01:00:25Z
Ticket 50595 - remove syslog.target requirement

Bug Description: Syslog.target is removed in newer systemd versions.

Fix Description: Remove the target because it's no longer relevant.


Author: William Brown <william at blackhats.net.au>

Review by: mhonek (Thanks)

- - - - -
54df38ee by William Brown at 2019-09-26T01:12:06Z
Ticket 50622 - ds_selinux_enabled may crash on suse

Bug Description: SUSE doesn't have the python-selinux module by
default, so this tool crashes as it can't find the python
module for import.

Fix Description: Attempt to import the library, and on failure
return false for enabled.


Author: William Brown <william at blackhats.net.au>

Review by: mhonek (Thanks!)

- - - - -
761dd658 by Simon Pichugin at 2019-09-26T07:13:26Z
Issue 50545 - Port repl-monitor.pl to lib389 CLI

Description: Add a new command to 'dsconf replication' CLI.
'dsconf replication monitor' generates a report which
shows the replication topology to which the instance does belong.

Additional arguments:
  -c or --connections [CONNECTION [CONNECTION ...]]
	The connection values for monitoring other not
	connected topologies. The format:
	'host:port:binddn:bindpwd'. You can use regex for host
	and port. You can set bindpwd to * and it will be
	requested at the runtime or you can include the path
	to the password file in square brackets - [~/pwd.txt]
  -a or --aliases [ALIAS [ALIAS ...]]
	If a host:port is assigned an alias, then the alias
	instead of host:port will be displayed in the output.
	The format: alias=host:port

Also, ~/.dsrc can be used for specifying the connections and aliases.

    connection1 = server1.example.com:38901:cn=Directory manager:*
    connection2 = server2.example.com:38902:cn=Directory manager:[~/pwd.txt]
    connection3 = hub1.example.com:.*:cn=Directory manager:password

    M1 = server1.example.com:38901
    M2 = server2.example.com:38902


Reviewed by: mreynolds (Thanks!)

- - - - -
d41ef935 by Viktor Ashirov at 2019-09-26T07:59:15Z
Issue 50627 - Add ASAN logs to HTML report

Bug Description:
ASAN-enabled server generates error logs, it would be nice to collect
them and identify tests that caused the error.

Fix Description:
Add a hook for pytest-html plugin to add logs generated by ASAN to the
html report. After test is done, these logs will be rotated.

Fixes: https://pagure.io/389-ds-base/issue/50627

Reviewed by: mreynolds (Thanks!)

- - - - -
11bb10ff by Mark Reynolds at 2019-09-26T13:43:18Z
bump version to

- - - - -
2e85b4a3 by Mark Reynolds at 2019-09-27T21:23:49Z
Issue 50499 - Fix npm audit issues

Description:  Updated npm handlebars package

relates: https://pagure.io/389-ds-base/issue/50499

- - - - -
205778fc by William Brown at 2019-10-01T23:26:40Z
Ticket 50619 - extend commands to have more modify options

Bug Description: Extend dsidm to support modifying more types of

Fix Description: Can now modify groups, posixgroup, ou and others
from the cli without an ldifmodify


Author: William Brown <william at blackhats.net.au>

Review by: spichugi (Thanks!)

- - - - -
e0492360 by William Brown at 2019-10-01T23:33:55Z
Ticket 50632 - Add ensure attr state so that diffs are easier from 389-ds-portal

Bug Description: We did not have a stateful attribute update system.

Fix Description: Add a stateful attribute update that asserts attributes
and values are in a known state, and updates in a single modification if not.


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds (Thanks!)

- - - - -
52f2b0db by Thierry Bordaz at 2019-10-07T13:10:42Z
Ticket 50636 - Crash during sasl bind

Bug Description:
	Sasl bind registers IO layers (sasl_IoMethods) that will be
	pushed (and called) by the next incoming operation.
	So the next incoming operation should synchronize itself
	with the sasl bind.

Fix Description:
	The call to connection_call_io_layer_callbacks, that pushes
	registered methods, must hold c_mutex so that it let
	a pending sasl bind to fully register the methods.


Reviewed by: Ludwig Krispenz, Mark Reynolds

Platforms tested: F28

Flag Day: no

Doc impact: no

- - - - -
1ac74076 by Viktor Ashirov at 2019-10-08T06:49:19Z
Issue 50638 - RecursionError: maximum recursion depth exceeded while calling a Python object

Bug Description:
DSLdapObject has an overridden `__getattr__` method. In case the requested
attribute doesn't exist, `getattr()` goes into an infinite recursive loop,
only to be interrupted by a `RecursionError` exception.

`rename()` method has one such lookup for a non-existent attribute,
and it's not used at all.

Fix Description:
* Restore the default behaviour of `getattr()` when attribute doesn't exist.
* Remove unneeded attribute lookup in `rename()`.

Fixes: https://pagure.io/389-ds-base/issue/50638

Reviewed by: mreynolds, mhonek, firstyear (Thanks!)

- - - - -
f6bd667d by Anuj Borah at 2019-10-09T10:09:34Z
Issue: 48851 - investigate and port TET matching rules filter tests(indexing more test cases)

Bug Description: Investigate and port TET matching rules filter tests(indexing more test cases)

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
b7d11180 by Ludwig Krispenz at 2019-10-10T08:57:02Z
Ticket - 50349 - additional fix: filter schema check must handle subtypes

Bug: if the filter did contain an attribute with a subtype eg givenname;lang-de
	then the schema lookup failed.

Fix: The subtype needs to be removed before asi lookup

Reviewed by: William, Thiery, Mark - thanks

- - - - -
94c74015 by Ludwig Krispenz at 2019-10-10T11:35:26Z
Ticket 49476 - refactor ldbm backend to allow replacement of BDB


This patch provides the first phase of the backend redesign. It does
split the configuration of the LDBM layer and the DB specific layer.

The dblayer_private defines a set of functions to be used by the LDBM
layer and to be implemented by the DB layer.

Currently this is only done for the BDB implementation, the patch automatically
splits the configuration for existing instances

See also:


- - - - -
c8ac6fca by Ludwig Krispenz at 2019-10-10T11:35:26Z
Ticket 49476 - backend refactoring phase1, fix failing tests

this patch fixes a couple of failing tests
- passwordpolicy, failing sometimes, with and without backend patch,
	adding a sleep makes it pass
- ticket48906 - check did look for backend config params in the (now)
	wrong entry
- ticket48252 - incorrect parameters passed to db2index, which only
	had effect with the new backend code
- ticket49076 - bug in bdb_config code, fixe

- - - - -
6377bc78 by William Brown at 2019-10-11T01:10:13Z
Ticket 50627 - Support platforms without pytest_html

Bug Description: On systems without pytest_html the conftest
hook would cause tests to fail

Fix Description: If pytest_html is none, don't write the report
to avoid the failure.

Fixes: https://pagure.io/389-ds-base/issue/50627

Author: William Brown <william at blackhats.net.au>

Review by: vashirov

- - - - -
c95f6cfb by Barbora Smejkalova at 2019-10-11T11:48:58Z
Add new test suite to test migration between RHDS versions

Created migration test suite, which will be used with ansible for testing import/export
and replication method between RHDS versions. These tests can be executed only in specific
test environment and therefore will be skipped in normal test run.

Reviewed by: vashirov, firstyear (Thanks!)

- - - - -
7a0a090c by Mark Reynolds at 2019-10-16T18:56:46Z
Issue 50646 - Improve task handling during shutdowns

Bug Description:  There is a race condition when stopping the server and
                  a running import task that can cause a heap-use-after-free.

Fix Description:  For an import task, encapsulate the import thread with
                  a global thread increment/decrement (just like the export
                  task).  Also improved how tasks are notified to abort by
                  notifying them before we wait for active threads to finish.
                  Then the tasks get destroyed after all threads are complete.

relates: https://pagure.io/389-ds-base/issue/50646

Reviewed by: lkrispen & tbordaz (Thanks!!)

- - - - -
cc1c946b by Mark Reynolds at 2019-10-16T19:07:57Z
Issue 50653 -  objectclass parsing fails to log error message text

Description:  When replacing an objectclass, if it already exists we
              log an error but we do not log what objectclass it is.
              This commit adds the error message text.

relates: https://pagure.io/389-ds-base/issue/50653

Reviewed by: abbra(Thanks!)

- - - - -
225f4e17 by Mark Reynolds at 2019-10-16T21:00:05Z
Issue 50655 - access log etime is not properly formatted

Description:  The wrong printf format was used for displaying the nanosecond etime
              in the access log.

relates: https://pagure.io/389-ds-base/issue/50655

Reviewed by: firstyear(Thanks!)

- - - - -
fc476208 by Mark Reynolds at 2019-10-16T23:50:04Z
Issue 49850 -  ldbm_get_nonleaf_ids() slow for databases with many non-leaf entries

Bug Description:  The logs from an LDIF import indicated that gathering non-leaf IDs
                  for creating the ancestorid index took an enormous amount of time,
                  over 10hrs.  The root cause is that the parentid index btree ordering
                  is lexical, but the IDList being built up from it is sorted numerically.
                  In the existing code, the IDList is maintained in constantly sorted
                  order by idl_insert().

Fix Description:  ldbm_get_nonleaf_ids() switches to idl_append_extend() instead of idl_insert()
                  for building up the IDList and then sorts the result only once, using
                  qsort with idl_sort_cmp, after the entire list has been gathered.

                  The improvement on identical hardware is for the operation to take 10
                  seconds rather than 10 hours

Patch Author:  Thomas Lackey <telackey at bozemanpass.com>  Thanks for the great contribution!!!

relates: https://pagure.io/389-ds-base/issue/49850

Reviewed by: mreynolds, tbordaz, and firstyear (Thanks!)

- - - - -
2f5daa79 by Sylvie Gouverneyre at 2019-10-17T08:10:26Z
Ticket 50428 - Log the actual base DN when the search fails with "invalid attribute request"

Bug Description:
When a search fails because it requests more than one empty attribute,
the search base DN is always logged as "(null)".

Fix Description:
The search base DN for the failed search request is logged.
This commit includes the automated test to verify the correct behavior.

Fixes https://pagure.io/389-ds-base/issue/50428
Relates: https://pagure.io/389-ds-base/issue/49969

Author: Sylvie Gouverneyre

Reviewed by: Viktor Ashirov, Simon Pichugin, Thierry Bordaz

- - - - -
166a594c by Anuj Borah at 2019-10-17T09:27:45Z
Issue: 48851 - Investigate and port TET matching rules filter tests(match more test cases)

Bug Description: Investigate and port TET matching rules filter tests(match more test cases)

Relates: https://pagure.io/389-ds-base/issue/48851

Author: aborah

Reviewed by: Simon Pichugin

- - - - -
a2e3c02e by Simon Pichugin at 2019-10-18T06:00:06Z
Issue 50634 - Clean up CLI errors output

Description: CLI tools should print human easy readable messages
if something went wrong.
As discussed here: https://pagure.io/389-ds-base/pull-request/50624

Change the CLI error processing so the dict type is always transformed.


Reviewed by: mreynolds, mhonek (Thanks!)

- - - - -
1563a9d8 by Viktor Ashirov at 2019-10-18T13:58:16Z
Issue 50660 - Build failure on Fedora 31

Bug Description:
node-sass v4.11 is not compatible with nodejs-12 that is shipped with
Fedora 31.

Fix Description:
Bump node-sass version to v4.12

Relates/Fixes: https://pagure.io/389-ds-base/issue/50660

Reviewed by: ???

- - - - -
abc6f165 by Simon Pichugin at 2019-10-21T16:25:20Z
Issue 50634 - Clean up CLI errors output - Fix wrong exception

Description: The previous commit takes care only about ValueError
evaluation. But it is possible that other exceptions will be raised
which will result in a wrong error output.
Make the exception object more general.


Reviewed by: ?

- - - - -
52b3eb0f by Ludwig Krispenz at 2019-10-24T12:07:45Z
    Ticket 49850 cont -fix crash in ldbm_non_leaf

    Bug: if the ldif to be imported contains only one entry there are no leaf nodes
            and the call to qsort crashes

    Fix: check that nodes is not NULL
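
Added example (not part of either commit and not 389-ds-base code): a self-contained C model of the approach described in Issue 49850 and its follow-up above, appending IDs in the lexical order the index yields them, sorting numerically once at the end, and skipping qsort when nothing was collected. The struct, the function names and the sample keys are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t entry_id;

/* Hypothetical stand-in for an ID list; not the server's IDList type. */
struct idlist {
    size_t used;
    size_t cap;
    entry_id *ids;
};

static void idl_free_model(struct idlist *l)
{
    if (l != NULL) {
        free(l->ids);
        free(l);
    }
}

/* Append without keeping order; capacity doubles, so appends are amortised O(1).
 * Returns 0 on success, -1 on allocation failure. */
static int idl_append_model(struct idlist **lp, entry_id id)
{
    struct idlist *l = *lp;
    if (l == NULL) {
        l = calloc(1, sizeof *l);
        if (l == NULL)
            return -1;
        *lp = l;
    }
    if (l->used == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 8;
        entry_id *p = realloc(l->ids, ncap * sizeof *p);
        if (p == NULL)
            return -1;
        l->ids = p;
        l->cap = ncap;
    }
    l->ids[l->used++] = id;
    return 0;
}

/* Numeric comparison that cannot overflow, unlike "return x - y". */
static int id_cmp_model(const void *a, const void *b)
{
    entry_id x = *(const entry_id *)a, y = *(const entry_id *)b;
    return (x > y) - (x < y);
}

/* keys[] arrive in lexical order ("1", "10", "100", "2", ...), as from a
 * string-keyed btree. The result is NULL when no key was seen. */
static struct idlist *collect_ids(const char *const *keys, size_t n)
{
    struct idlist *l = NULL;
    for (size_t i = 0; i < n; i++) {
        entry_id id = (entry_id)strtoul(keys[i], NULL, 10);
        if (idl_append_model(&l, id) != 0) {
            idl_free_model(l);
            return NULL;
        }
    }
    /* Guard first: with zero keys the list was never allocated, and
     * dereferencing it to call qsort is the crash the follow-up fixes. */
    if (l != NULL && l->used > 1)
        qsort(l->ids, l->used, sizeof l->ids[0], id_cmp_model);
    return l;
}

int main(void)
{
    /* Constructed sample: lexical key order, not numeric order. */
    const char *const keys[] = {"1", "10", "100", "2", "20", "3"};
    struct idlist *l = collect_ids(keys, sizeof keys / sizeof keys[0]);
    for (size_t i = 0; l != NULL && i < l->used; i++)
        printf("%u ", (unsigned)l->ids[i]);
    printf("\n");
    idl_free_model(l);
    return 0;
}
```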

- - - - -
44e92dc8 by William Brown at 2019-10-25T02:34:26Z
Ticket 50669 - remove nunc-stans

Bug Description: We have been attempting to modernise our
connection code for a long time - one attempt was nunc-stans.
However after a series of attempts to integrate it, and multiple
failures we discussed this in the listed email thread and decided
to remove this.


Fix Description: rm -r src/nunc-stans


Author: William Brown <william at blackhats.net.au>

Review by: mreynolds (Thanks!)

- - - - -
30ae2d70 by Viktor Ashirov at 2019-10-25T19:59:51Z
Issue 50669 - Fix RPM build

Bug Description:
rpm build fails due to missing libnunc-stans.so:
RPM build errors:
    File not found: /workspace/ds/rpmbuild/BUILDROOT/389-ds-base-*
make: *** [rpm.mk:115: rpms] Error 1

Fix Description:
Update 389-ds-base.spec file

Relates: https://pagure.io/389-ds-base/issue/50669

- - - - -
5e338e97 by Mark Reynolds at 2019-10-30T13:00:52Z
Issue 50677 - Map subtree searches with NULL base to default naming context


The Root DSE entry is retrieved by using an empty/NULL search base, and a
search scope of "BASE".  According to the RFCs these are the exact requirements
for returning the Root DSE, but it does not dictate what you must do if
a different search scope is used.  In DS we will return NO_SUCH_OBJECT if
the scope is ONE or SUBTREE.  In AD it will use the default suffix in this

To be more compatible with AD, specifically global catalog, 389 should also return
the default naming context for a non-Root DSE search(a NULL suffix with a
scope of ONE, or SUBTREE).

relates: https://pagure.io/389-ds-base/issue/50677

Reviewed by: firstyear(Thanks!)

- - - - -
8166d834 by Anuj Borah at 2019-10-30T14:26:13Z
Issue: 48055 -  CI test - automember_plugin(part1)

CI test - automember_plugin(part1) and add nsAdminGroup

Relates: https://pagure.io/389-ds-base/issue/48055

Fixes: https://pagure.io/389-ds-base/issue/50515

Author: aborah

Reviewed by: Simon Pichugin, Mark Reynolds, Viktor Ashirov

- - - - -
d400bc1d by Matus Honek at 2019-10-31T11:19:23Z
Issue 50669 - Remove nunc-stans in favour of reworking current conn code (add.)

Bug Description:
There are a bit more pieces that should be removed for the ticket.

Fix Description:
Remove some additional code. Some documentation still left in place for

Relates https://pagure.io/389-ds-base/issue/50669

Author: Matus Honek <mhonek at redhat.com>

Review by: mreynolds, firstyear (thanks!)

- - - - -
3f4f52a7 by Viktor Ashirov at 2019-10-31T13:56:13Z
Issue 50680 - Remove branding from upstream spec file

Bug Description:
Branding logic is triggered in EPEL builds. We should not have it in
upstream as it should be applied in the downstream only.

Fix Description:
Remove branding.

Fixes: https://pagure.io/389-ds-base/issue/50680

Reviewed by: mreynolds (Thanks!)

- - - - -
5e48e9f4 by Mark Reynolds at 2019-10-31T20:53:07Z
Issue 50592 - Port Replication Tab to ReactJS

Description:  Ported the replication tab to React.  Made many
              other improvements throughout the UI:

              - Protected "Treeviews" by disable/enable as components are reloaded
              - Add a new Double Confirmation Modal/Popup
              - Added a script (buildAndWatch.sh) for faster/more convenient developing
              - Added a new RUV function for the CLI, and made other lib389 improvements:
                   - Added support for not only "dc" suffixes, but also "o", "ou", and "cn"

relates: https://pagure.io/389-ds-base/issue/50592

Reviewed by: spichugi(Thanks!)

- - - - -
12991435 by Mark Reynolds at 2019-11-03T20:38:11Z
Bump version to

- - - - -
5202ad8b by Simon Pichugin at 2019-11-04T21:15:43Z
Issue 50499 - Fix npm audit issues

Description:  Updated npm handlebars package to 4.4.5

relates: https://pagure.io/389-ds-base/issue/50499

- - - - -
cc8bfec0 by William Brown at 2019-11-05T05:00:37Z
Ticket 50633 - Add cargo vendor support for offline builds

Bug Description: At suse/rh we need to be able to build offline. To
achieve this we need offline builds. This adds support for these in
389-ds with cargo and rust.

Fix Description:
This adds cargo vendor support for offline builds,
and shows that they work. We add a stub library for librslapd/libslapd
so that we can begin to develop features in rust.

To build normally: work as usual.

To build offline: make -f rpm.mk download-cargo-dependencies
    ./configure --enable-rust --enable-rust-offline

Continue to build as usual.

A note to keep in mind is cargo test does not work offline as
dev-dependencies are not vendored.

The download-cargo-dependencies has been added to dist-bz2 for


Author: William Brown <william at blackhats.net.au>

Review by: mhonek (Thanks)

- - - - -
f701d18f by Matúš Honěk at 2019-11-06T14:31:20Z
Issue 50199 - Disable perl by default

Bug Description:
Setting PERL_ON=0 in 389-ds-base.spec.in still builds with Perl
due to the fix in PR #50200.

Fix Description:
Introduce use_legacy in SPEC file (dropping use_perl for clarity), and
keep logic for *perl* flags in other layers for compatibility and
add *legacy* flags to encapsulate the additional changes that need to
be done to which files are being installed when building with/without Perl.

Relates https://pagure.io/389-ds-base/issue/50199
Relates https://pagure.io/389-ds-base/pull-request/50200

Author: Matus Honek <mhonek at redhat.com>

Review by: mreynolds, firstyear, vashirov (thanks!)

- - - - -
1747f910 by Mark Reynolds at 2019-11-06T16:08:50Z
Issue 50689 - Failed db restore task does not report an error

Bug Description: If you have a back up that contains a backend that
                 is not configured the restore fails, but a success
                 return code is returned to the client.  This happens
                 because the return code gets overwritten after the

Fix Description: Preserve the error code upon failure and properly update
                 the task exit code.

relates: https://pagure.io/389-ds-base/issue/50689

Reviewed by: tboardaz & lkrispen(Thanks!!)

Never rewrite the original error code

- - - - -
83d41432 by William Brown at 2019-11-07T00:44:33Z
Ticket 50007, 50648 - improve x509 handling.

Bug Description: certutil and nssdb have fallen from favour
and are really not easy to use. Most admins are used to PEM
files and much easier TLS management.

Fix Description: Add some basic and simple wrappers to support
a set of common operations such as listing TLS certs, making a CSR
and importing PEM files - including from services like let's encrypt


Author: William Brown <william at blackhats.net.au>

Review by: spichugi, mreynolds (Thanks!)

- - - - -
5a26d545 by William Brown at 2019-11-07T00:56:13Z
Ticket 50641 - Update default aci to allows users to change their own password

Bug Description: The default acis were too restrictive - we do want
people to be able to self change passwords by default!

Fix Description: Fix the default aci's and add tests to prove they behave
as we actually expect.


Author: William Brown <william at blackhats.net.au>

Review by: vashirov

- - - - -
a3d876fa by William Brown at 2019-11-07T00:56:13Z
Update to mark as skipif

- - - - -
6dcf4067 by William Brown at 2019-11-07T01:35:21Z
Update based on Marks feedback

- - - - -
21f2a06c by Mark Reynolds at 2019-11-08T21:57:32Z
Issue 50696 - Fix various UI bugs

Bug 1751004 - Log Settings "Create New Log Every" takes non integer as input, it even takes alphabets

Bug 1748349 - 'View objectclass' modal dialog doesn't have all controls disabled

Bug 1688614 - Chaining Configuration Error: Cockpit had an unexpected internal error

Bug 1748355 - LDAPI and Autobind configuration should have a warning

Bug 1751157 - Cannot Create Database Link

Bug 1751011 - DS instance can be easily destroyed by changing non existing Directory Manager DN

Bug 1688663 - Cockpit: Enable Replication failed with error "Failed to add replication manager because the base DN of the entry does not exist"

Bug 1751035 - Allow and Deny same Ciphers same time

relates: https://pagure.io/389-ds-base/issue/50696

Reviewed by: spichugi(Thanks!)

- - - - -
66a21bfc by Matus Honek at 2019-11-11T14:05:43Z
Issue #50683 - Makefile.am contains unused RPM-related targets

Bug Description:
Makefile.am contains some targets very similar to the ones in rpm.mk but
most likely unused by anyone and also untouched recently unlike the
rpm.mk ones.

Fix Description:
Remove the targets for cleanness and reducing confusion.

Fixes https://pagure.io/389-ds-base/issue/50683

Author: Matus Honek <mhonek at redhat.com>

Review by: firstyear, mreynolds (thanks!)

- - - - -
15789e89 by Viktor Ashirov at 2019-11-12T10:11:27Z
Issue 49761 - Fix CI test suite issues


Fix various test issues on RHEL7 and RHEL8:
* systemd on RHEL7 doesn't have --value option.
  Drop --value option and parse the output manually.

* Use newer BDB config only on 1.4.2+.

* Skip tests/suites/password/pbkdf2_upgrade_plugin_test.py on <1.4.1.

* Unhashed passwords are not logged by default only on

* String literal comparison doesn't work with double digits,
  i.e. '' > '' returns False.
  Use packaging.version to compare versions.

* Don't use nsAccount objectClass on versions <=1.4.x.

* Update skipif/xfail version to match downstream versions too.

Relates: https://pagure.io/389-ds-base/issue/49761

Reviewed by: firstyear (Thanks!)

- - - - -
7a7bc787 by Viktor Ashirov at 2019-11-12T11:56:10Z
Issue 50706 - Missing lib389 dependency - packaging

In 15789e8 I introduced a new dependency for lib389, thinking it's part
of python's standard library, but it's not. We need to explicitly
mention it in the spec file, requirements.txt and setup.py.

Fixes: https://pagure.io/389-ds-base/issue/50706

Reviewed by: mhonek (Thanks!)

- - - - -
2b8750d6 by Viktor Ashirov at 2019-11-12T17:21:30Z
Issue #50712 - Version comparison doesn't work correctly on git builds

Bug Description:
>>> get_ds_version()
>>> ds_is_older('1.4.0')

This happens because packaging.version returns a different object for
'' (LegacyVersion) than for '1.4.0'

And during comparison Version is always higher:
>>> x = Version('1.0')
>>> y = LegacyVersion('2.0')
>>> x > y

Fix Description:
Always use LegacyVersion during comparison

Fixes: https://pagure.io/389-ds-base/issue/50712

Reviewed by: tbordaz (Thanks!)

- - - - -
fb3d3559 by Barbora Smejkalova at 2019-11-13T10:14:05Z
Issue 50536 - After audit log file is rotated, DS version string is logged after each update

Created test case, which checks if DS version string is present only once
at the top of the audit log after it is rotated.

Relates: https://pagure.io/389-ds-base/issue/50536

Reviewed by: spichugi (Thanks!)

- - - - -
ddbe3c8f by Mark Reynolds at 2019-11-13T17:34:54Z
Issue 50716 - CVE-2019-14824 (BZ#1748199) - deref plugin displays restricted attributes

Bug Description:  If there is an ACI that allows "search" access to an attribute,
                  the deref plugin access control check sees this is a "read"
                  privilege and returns the attribute's value.

Fix description:  For deref plugin we are only concerned with "read" access, not
                  "search" access.  Removed the SLAPI_ACL_SEARCH right flag when
                  checking access for an attribute.

relates: https://pagure.io/389-ds-base/issue/50716

Reviewed by: lkrispen & tbordaz(Thanks!)
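
Added example (not part of the commit and not 389-ds-base code): a small C model of the access check this commit message describes, showing why requesting "search or read" discloses a search-only attribute while requesting "read" alone does not. The flag names and values, the sample ACI table and the "any requested right is enough" evaluator are assumptions made for illustration; only SLAPI_ACL_SEARCH is named on the page.

```c
#include <stdio.h>
#include <string.h>

/* Model right flags. Hypothetical names and values for this example. */
#define MODEL_ACL_SEARCH 0x02u /* attribute may be used in a search filter */
#define MODEL_ACL_READ   0x04u /* attribute value may be returned */

struct aci_grant {
    const char *attr;
    unsigned rights;
};

/* Constructed policy: employeeNumber is searchable but not readable. */
static const struct aci_grant policy[] = {
    {"cn", MODEL_ACL_SEARCH | MODEL_ACL_READ},
    {"employeeNumber", MODEL_ACL_SEARCH},
};

static unsigned granted_rights(const char *attr)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        if (strcmp(policy[i].attr, attr) == 0)
            return policy[i].rights;
    }
    return 0; /* no ACI for this attribute: nothing granted */
}

/* Assumed evaluator: the request succeeds if any requested right is granted. */
static int access_allowed(const char *attr, unsigned requested)
{
    return (granted_rights(attr) & requested) != 0;
}

/* Copies into out[] the attributes whose values a deref-style control
 * would return for the given requested-rights mask; returns the count. */
static size_t deref_visible(const char *const *attrs, size_t n,
                            unsigned requested, const char **out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (access_allowed(attrs[i], requested))
            out[k++] = attrs[i];
    }
    return k;
}

/* Before the fix: the mask includes the search right. */
static size_t visible_before_fix(const char *const *attrs, size_t n,
                                 const char **out)
{
    return deref_visible(attrs, n, MODEL_ACL_SEARCH | MODEL_ACL_READ, out);
}

/* After the fix: only the read right is requested. */
static size_t visible_after_fix(const char *const *attrs, size_t n,
                                const char **out)
{
    return deref_visible(attrs, n, MODEL_ACL_READ, out);
}

int main(void)
{
    const char *const wanted[] = {"cn", "employeeNumber", "mail"};
    const char *out[3];
    size_t k = visible_before_fix(wanted, 3, out);
    printf("before fix:");
    for (size_t i = 0; i < k; i++)
        printf(" %s", out[i]);
    k = visible_after_fix(wanted, 3, out);
    printf("\nafter fix: ");
    for (size_t i = 0; i < k; i++)
        printf(" %s", out[i]);
    printf("\n");
    return 0;
}
```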

- - - - -
0493b01b by Mark Reynolds at 2019-11-13T21:00:18Z
Issue 50699 - Add Disk Monitor to CLI and UI

Description:  Add the disk monitoring to the CLI and UI

relates: https://pagure.io/389-ds-base/issue/50699

Reviewed by: spichugi(Thanks!)

- - - - -
f90077f5 by Mark Reynolds at 2019-11-14T00:10:46Z
Issue 50644 - fix regression with creating sample entries

Bug Description:  The previous commit for this issue missed how the aci's
                  were being adjusted for each type of different
                  suffix rdn.

Fix Description:  I just moved the aci creation into the base object
                  creation code where all the info needed was readily

relates: https://pagure.io/389-ds-base/issue/50644

Reviewed by: firstyear(Thanks!)

- - - - -
334ba3fb by Viktor Ashirov at 2019-11-14T13:22:40Z
Issue 50716 - CVE-2019-14824 (BZ#1748199) - deref plugin displays restricted attributes

Add test case

Author: Mark Reynolds

Relates: https://pagure.io/389-ds-base/issue/50716

- - - - -
b77f04af by Ludwig Krispenz at 2019-11-14T15:14:00Z
Ticket 50659 AddressSanitizer: SEGV ... in bdb_pre_close

Bug: The crash reported is caused by calling dblayer_close twice in some
	offline exec modes. Investigating the crash revealed another crash
	in dbverify and memory leaks, one introduced by the backend
	patch, two existing previously

Fix: 	- call dblayer_close only once
	- initialize db env properly in dbverify execmode
	- don't set sdn by reference when adding to entrydncache
	- free collected instances from commandline in dbupgrade mode
	- free bdb env in index mode

Reviewed by: William

- - - - -
1b277fb2 by Simon Pichugin at 2019-11-14T16:24:00Z
Issue 50634 - Fix CLI error parsing for non-string values

Bug Description: Sometimes the error message has int values and
it makes ' - '.join() function to fail.

Fix Description: Use a list comprehension to change the dict values to str.


Reviewed by: ?

- - - - -
e7f0ec9e by Viktor Ashirov at 2019-11-14T18:22:33Z
Issue 49761 - Fix CI test suite issues

Fix few more issues around version detection.

Relates: https://pagure.io/389-ds-base/issue/49761

Reviewed by: mreynolds (Thanks!)

- - - - -
c881f6ec by Mark Reynolds at 2019-11-14T21:05:32Z
Bump version to

- - - - -

21 changed files:

- + .cargo/config
- .gitignore
- Makefile.am
- configure.ac
- dirsrvtests/conftest.py
- + dirsrvtests/tests/stress/search/__init__.py
- + dirsrvtests/tests/stress/search/simple.py
- dirsrvtests/tests/suites/acl/acivattr_test.py
- + dirsrvtests/tests/suites/acl/default_aci_allows_self_write.py
- dirsrvtests/tests/suites/acl/roledn_test.py
- + dirsrvtests/tests/suites/automember_plugin/basic_test.py
- + dirsrvtests/tests/suites/automember_plugin/configuration_test.py
- + dirsrvtests/tests/suites/backups/backup_test.py
- dirsrvtests/tests/suites/basic/basic_test.py
- dirsrvtests/tests/suites/config/autotuning_test.py
- dirsrvtests/tests/suites/config/config_test.py
- dirsrvtests/tests/suites/cos/cos_test.py
- + dirsrvtests/tests/suites/disk_monitoring/disk_space_test.py
- dirsrvtests/tests/suites/ds_logs/ds_logs_test.py

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/compare/5ac5a8aadd42551ea0389907fd286b7d60157685...c881f6ec028d8c6b7efa7c5924e52ea037fac686
