[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][upstream] 23 commits: Issue 4412 - Fix CLI repl-agmt requirement for parameters (#4422)

Timo Aaltonen gitlab at salsa.debian.org
Fri Dec 18 13:30:33 GMT 2020



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / 389-ds-base


Commits:
6e1b7b9d by Simon Pichugin at 2020-11-09T11:46:55+01:00
Issue 4412 - Fix CLI repl-agmt requirement for parameters (#4422)

Description: In dsconf CLI, make it possible to create SSLCLIENTAUTH
bind method agreement without specifying bind dn (--bind-dn) and
the password (--bind-passwd).

Fixes: #4412

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
f1285d78 by tbordaz at 2020-11-10T19:36:50+01:00
Issue 4391 - DSE config modify does not call be_postop (#4394)

Bug description:
	During a DSE modify, be_preop callback are called. But be_postop callback are called at the condition
	dse_call_callback is different that SLAPI_DSE_CALLBACK_DO_NOT_APPLY.

	This should systematically call be_postop if be_preop were called.
	In addition postop_modify_config_dse returning an invalid rc, systematically prevents DSE modify to call be_postop

Fix description:
        The required bug fix is that dse_callback need to return SLAPI_DSE_CALLBACK* not ldap rc.
	Also in case of vlv config (SLAPI_DSE_CALLBACK_DO_NOT_APPLY) if preop were called
        it requires to call the postop.

	In dse_modify, rc is used for dse_call_callback() (returns SLAPI_DSE_CALLBACK*)
        but also for plugin_call_plugin (returns SLAPI_PLUGIN_*). Those rc are not compatible
	and although the code works to help maintenance use 'plugin_rc' instead of 'rc'.

relates: https://github.com/389ds/389-ds-base/issues/4391

Reviewed by: William Brown, Simon Pichugin (thanks !)

Platforms tested: F31
- - - - -
32f30f26 by Mark Reynolds at 2020-11-11T22:01:55-05:00
Issue 4429 - NULL dereference in revert_cache()

Bug Description:  During a delete, if the DN (with an escaped leading space)
                  of an existing entry fail to parse the server will revert
                  the entry update.  In this case it will lead to a crash
                  becuase ther ldbm inst struct is not set before it attempts
                  the cache revert.

Fix Description:  Check the the ldbm instance struct is not NULL before
                  dereferencing it.

Relates: https://github.com/389ds/389-ds-base/issues/4429

Reviewed by: firstyear & spichugi(Thanks!!)

- - - - -
0dbdc110 by tbordaz at 2020-11-12T12:06:15+01:00
Issue 4316 - performance search rate: useless poll on network send callback (#4424)

Bug description:
	When sending back result/entries, DS first poll the connection to check
        it is able to write data on the socket. Then it writes the data.
	The purpose of the poll is to handle ioblocktimeout.
	The problem is that most of the time, the socket will process the write
	without any issue so it is useless to poll before the write.

Fix description:
	The fix is try write first. It polls for ioblocktimeout
        only if the write fails

relates: https://github.com/389ds/389-ds-base/issues/4316

Reviewed by: William Brown (thanks!)

Platforms tested: F31
- - - - -
9c7d5902 by Kazım SARIKAYA at 2020-11-12T15:16:27+01:00
build problems at alpine linux

- - - - -
6233c041 by Mark Reynolds at 2020-11-12T09:32:17-05:00
Issue 4432 - After a failed online import the next imports are very slow

Bug Description:  When an online import fails the entry and DN caches are
                  "reset", but we use the wrong "new maxsize" which was
                  setting the entry cache maxsize to zero which killed the
                  import performance.

Fix Description:  When resetting the caches use the previous cache maxsize.

Relates: https://github.com/389ds/389-ds-base/issues/4432

Reviewed by: firstyear & progier(Thanks!!)

- - - - -
5376f552 by Mark Reynolds at 2020-11-12T12:08:53-05:00
Issue 4383 - Do not normalize escaped spaces in a DN

Bug Description:  Adding an entry with an escaped leading space leads to many
                  problems.  Mainly id2entry can get corrupted during an
                  import of such an entry, and the entryrdn index is not
                  updated correctly

Fix Description:  In slapi_dn_normalize_ext() leave an escaped space intact.

Relates: https://github.com/389ds/389-ds-base/issues/4383

Reviewed by: firstyear, progier, and tbordaz (Thanks!!!)

- - - - -
454a2d49 by William Brown at 2020-11-13T09:10:13+10:00
Issue 4428 - Paged Results with Chaining Test Case

Bug Description: This test case shows how a paged search with criticality
set to false, causes chaining to sigsegv.

Fix Description: N/A - this is a reproducer, not the fix.

fixes: #4428

Author: William Brown <william at blackhats.net.au>

Review by: @droideck, @mreynolds389

- - - - -
b79419a4 by William Brown at 2020-11-13T09:10:15+10:00
Issue 4428 - BUG Paged Results with critical false causes sigsegv in chaining

Bug Description: When a paged search through chaining backend is
received with a false criticality (such as SSSD), chaining backend
will sigsegv due to a null context.

Fix Description: When a NULL ctx is recieved to be freed, this is
as paged results have finished being sent, so we check the NULL
ctx and move on.

fixes: #4428

Author: William Brown <william at blackhats.net.au>

Review by: @droideck, @mreynolds389

- - - - -
43bcb561 by William Brown at 2020-11-17T13:12:33+10:00
Issue 4373 - BUG - Mapping Tree nodes can be created that are invalid

Bug Description: The mapping tree is built and arranged based on
the content of the nsslapd-parent-suffix attribute. However, it is
possible that this value is invalid pointing at a non-existant
suffix, or that it could be pointing at a suffix that is invalid
in the suffix hierarchy that mapping trees expect.

https://www.port389.org/docs/389ds/design/mapping_tree_assembly.html

Fix Description: Rather than build the mapping tree by arranging
nodes through the nsslapd-parent-suffix value, we should sort and build
them through the known and defined suffix values in cn (which we already)
rely upon to be correct. This allows stable ordering and avoids potential
user and developer errors.

fixes: #4373

Author: William Brown <william at blackhats.net.au>

Review by: @progier389, @mreynolds389 (Thanks!)

- - - - -
83fc1e9d by progier389 at 2020-11-17T11:31:40-05:00
ticket 2058: Add keep alive entry after on-line initialization - second version (#4399)

Bug description:
Keep alive entry is not created on target master after on line initialization,
and its RUVelement stays empty until a direct update is issued on that master

Fix description:
The patch allows a consumer (configured as a master) to create (if it did not
exist before) the consumer's keep alive entry. It creates it at the end of a
replication session at a time we are sure the changelog exists and will not
be reset. It allows a consumer to have RUVelement with csn in the RUV at the
first incoming replication session.

That is basically lkrispen's proposal with an associated pytest testcase

Second version changes:
   - moved the testcase to suites/replication/regression_test.py
   - set up the topology from a 2 master topology then
    reinitialized the replicas from an ldif without replication metadata
    rather than using the cli.
   - search for keepalive entries using search_s instead of getEntry
   - add a comment about keep alive entries purpose

last commit:
   - wait that ruv are in sync before checking keep alive entries

Reviewed by: droideck, Firstyear

Platforms tested: F32

relates: #2058
- - - - -
ea6e4a84 by progier389 at 2020-11-18T17:14:38+01:00
do not add referrals for masters with different data generation #2054 (#4427)

Bug description:
The problem is that some operation mandatory in the usual cases are
also performed when replication cannot take place because the
database set are differents (i.e: RUV generation ids are different)

One of the issue is that the csn generator state is updated when
starting a replication session (it is a problem when trying to
reset the time skew, as freshly reinstalled replicas get infected
by the old ones)

A second issue is that the RUV got updated when ending a replication session
(which may add replica that does not share the same data set,
then update operations on consumer retun referrals towards wrong masters

Fix description:
The fix checks the RUVs generation id before updating the csn generator
and before updating the RUV.

Reviewed by: mreynolds
             firstyear
             vashirov

Platforms tested: F32
- - - - -
5eacadd1 by progier389 at 2020-11-20T11:50:42+01:00
Issue 4440 - BUG - ldifgen with --start-idx option fails with unsupported operand (#4444)

Bug description:
Got TypeError exception when usign:
  dsctl -v slapd-localhost ldifgen users --suffix
     dc=example,dc=com --parent ou=people,dc=example,dc=com
     --number 100000 --generic --start-idx=50
The reason is that by default python parser provides
 value for numeric options:
  as an integer if specified by "--option value" or
  as a string if specified by "--option=value"

Fix description:
convert the numeric parameters to integer when using it.
 options impacted are:
  - in users subcommand:   --number ,  --start-idx
  - in mod-load subcommand:   --num-users, --add-users,
               --del-users, --modrdn-users, --mod-users

FYI: An alternative solution would have been to indicate the
parser that these values are an integer. But two reasons
 leaded me to implement the first solution:
 - first solution fix the problem for all users while the
   second one fixes only dsctl command.
 - first solution is easier to test:
    I just added a new test file generated by a script
      that duplicated existing ldifgen test, renamed the
       test cases and replaced the numeric arguments by
       strings.
   Second solution would need to redesign the test framework
    to be able to test the parser.

relates: https://github.com/389ds/389-ds-base/issues/4440

Reviewed by:

Platforms tested: F32
- - - - -
8657fe47 by Simon Pichugin at 2020-11-24T17:12:32+01:00
Issue 4105 - Remove python.six from lib389 (#4456)

Description: We no longer use python 2, we can remove all the python-six
imports and replace code with Python 3 support only.

Fixes: #4105

Reviewed by: @mreynolds389 @Firstyear (Thanks!)
- - - - -
2c89eef7 by progier389 at 2020-11-25T12:15:44+01:00
Issue 4449 - dsconf replication monitor fails to retrieve database RUV - consumer (Unavailable) (#4451)

Bug Description:

"dsconf replication monitor" fails to retrieve database RUV entry from consumer and this
appears into the Cockpit web UI too.
The problem is that the bind credentials are not rightly propagated when trying to get
the consumers agreement status.  Then supplier credntials are used instead  and RUV
is searched anonymously because there is no bind dn in ldapi case.

Fix Description:

- Propagates the bind credentials when computing agreement status
- Add a credential cache because now a replica password could get asked several times:
    when discovering the topology and
    when getting the agreement maxcsn
- Testcase test_dsconf_replication_monitor is modified to:
  - Assert when getting "consumer (Unavalaible)" status
  - Add a step using a freshly generated Dirsrv instance (as dsconf does)
    rather than using the topology one
    FYI: although the feature was tested in test_dsconf_replication_monitor py.test
     the test does not hit the bug because of several side effects:
        - If consumer credentials are not provided the suplier credentials are used.
        - topology generated DirSrv instance has a bind DN.
        - topology masters have the same credentials
     DirSrv generated by dsconf (in ldapi case) have no bind DN and hits the bugs

- Add a comment about nonlocal keyword

Relates: #4449

Reviewers:
  firstyear
  droideck
  mreynolds

Issue 4449: Add a comment about nonlocal keyword

(cherry picked from commit 73ee04fa12cd1de3a5e47c109e79e31c1aaaa2ab)

- - - - -
54c9db06 by tbordaz at 2020-11-25T18:12:54+01:00
Issue 4297 - 2nd fix for on ADD replication URP issue internal searches with filter containing unescaped chars (#4439)

Bug description:
	Previous fix is buggy because slapi_filter_escape_filter_value returns
        a escaped filter component not an escaped assertion value.

Fix description:
	use the escaped filter component

relates: https://github.com/389ds/389-ds-base/issues/4297

Reviewed by: William Brown

Platforms tested: F31
- - - - -
2dd89149 by Mark Reynolds at 2020-11-25T16:28:15-05:00
Issue 3986 - UI - Handle objectclasses that do not have X-ORIGIN set

Description:  The UI schema page was not handling objectclasses that did not
              have x-origin set.  This patch prevents the browser from crashing
              in that case.

Relates: https://github.com/389ds/389-ds-base/issues/3986

Reviewed by: mreynolds (one line commit rule)

- - - - -
b1634c75 by Mark Reynolds at 2020-11-25T17:51:40-05:00
Issue 3657 - Add options to dsctl for dsrc file

Description:  Add options to create, modify, delete, and display
              the .dsrc CLI tool shortcut file.

Relates: https://github.com/389ds/389-ds-base/issues/3657

Reviewed by: firstyear(Thanks!)

- - - - -
aacdac38 by William Brown at 2020-11-26T09:30:00+10:00
Issue 4460 - BUG  - lib389 should use system tls policy

Bug Description: Due to some changes in dsrc for tlsreqcert
and how def open was structured in lib389, the system ldap.conf
policy was ignored.

Fix Description: Default to using the system ldap.conf policy
if undefined in lib389 or the tls_reqcert param in dsrc.

fixes: #4460

Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
de9965d0 by tbordaz at 2020-11-30T09:07:13+01:00
Issue 4243 - Fix test: SyncRepl plugin provides a wrong cookie (#4467)

Bug description:
	This test case was incorrect.
	During a refreshPersistent search, a cookie is sent
	with the intermediate message that indicates the end of the refresh phase.
	Then a second cookie is sent on the updated entry (group10)
	I believed this test was successful some time ago but neither python-ldap
	nor sync_repl changed (intermediate sent in post refresh).
	So the testcase was never successful :(

Fix description:
	The fix is just to take into account the two expected cookies

relates: https://github.com/389ds/389-ds-base/issues/4243

Reviewed by: Mark Reynolds

Platforms tested: F31
- - - - -
806feba7 by Mark Reynolds at 2020-11-30T11:43:07-05:00
Issue 4384 - Use MONOTONIC clock for all timing events and conditions

Bug Description:  All of the server's event handling and replication were
                  based on REALTIME clocks, which can be influenced by the
                  system changing.  This could causes massive delays, and
                  simply cause unexpected behavior.

Fix Description:  Move all condition variables to use pthread instead of NSPR
                  functions.  Also make sure we use MONOTONIC clocks when we
                  get the current time when checking for timeouts and other
                  timed events.

Relates: https://github.com/389ds/389-ds-base/issues/4384

Reviewed by: elkris, firstyear, and tbordaz (Thanks!!!)

Apply firstyear's sugestions

Apply Firstyear's other suggestions

Apply Thierry's suggestions

- - - - -
74170d72 by Mark Reynolds at 2020-11-30T16:34:19-05:00
Issue 4105 - Remove python.six (fix regression)

Description:  The switch off of six StringIO was not correctly ported,
              and an object was assigned to a variable instead of the
              variable being initialized with a new instance of the
              object.

Fixes: https://github.com/389ds/389-ds-base/issues/4105

Reviewed by: mreynolds(one line commit rule)

- - - - -
b09e6033 by Mark Reynolds at 2020-11-30T17:14:03-05:00
Bump version to 1.4.4.9

- - - - -


30 changed files:

- Makefile.am
- VERSION.sh
- + dirsrvtests/tests/suites/chaining_plugin/paged_search_test.py
- + dirsrvtests/tests/suites/clu/dbgen_test_usan.py
- + dirsrvtests/tests/suites/clu/dsrc_test.py
- dirsrvtests/tests/suites/clu/repl_monitor_test.py
- dirsrvtests/tests/suites/import/import_test.py
- + dirsrvtests/tests/suites/mapping_tree/mt_cursed_test.py
- dirsrvtests/tests/suites/plugins/entryusn_test.py
- dirsrvtests/tests/suites/replication/regression_test.py
- dirsrvtests/tests/suites/schema/schema_test.py
- dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
- dirsrvtests/tests/suites/syntax/acceptance_test.py
- ldap/servers/plugins/chainingdb/cb_add.c
- ldap/servers/plugins/chainingdb/cb_compare.c
- ldap/servers/plugins/chainingdb/cb_conn_stateless.c
- ldap/servers/plugins/chainingdb/cb_delete.c
- ldap/servers/plugins/chainingdb/cb_instance.c
- ldap/servers/plugins/chainingdb/cb_modify.c
- ldap/servers/plugins/chainingdb/cb_modrdn.c
- ldap/servers/plugins/chainingdb/cb_search.c
- ldap/servers/plugins/chainingdb/cb_utils.c
- ldap/servers/plugins/cos/cos_cache.c
- ldap/servers/plugins/dna/dna.c
- ldap/servers/plugins/passthru/ptconn.c
- ldap/servers/plugins/referint/referint.c
- ldap/servers/plugins/replication/repl5.h
- ldap/servers/plugins/replication/repl5_backoff.c
- ldap/servers/plugins/replication/repl5_connection.c
- ldap/servers/plugins/replication/repl5_inc_protocol.c


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/bf454ad070199d5e8c0a03b5e2505e6f2750e998...b09e603396362750ad4e28034790c4c2215cfc27

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/bf454ad070199d5e8c0a03b5e2505e6f2750e998...b09e603396362750ad4e28034790c4c2215cfc27
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20201218/8322b273/attachment-0001.html>


More information about the Pkg-freeipa-devel mailing list