[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][upstream] 84 commits: Issue 50791 - Healthcheck to find notes=F

Timo Aaltonen gitlab at salsa.debian.org
Thu Nov 12 13:58:47 GMT 2020

Timo Aaltonen pushed to branch upstream at FreeIPA packaging / 389-ds-base

c0688a06 by Barbora Smejkalova at 2020-07-14T14:34:53+02:00
Issue 50791 - Healthcheck to find notes=F

Created tests, that reproduce notes=A and notes=F in access log
and then check if healthcheck returned proper error code.

Relates: https://pagure.io/389-ds-base/issue/50791

Reviewed by: spichugi (Thanks!)

- - - - -
654d0ff2 by Simon Pichugin at 2020-07-17T01:01:45+02:00
Issue 50984 - Fix disk_mon_check_diskspace types

Description: Function parameters are inconsistent.
Documentation states that threshold should be from 0 to 2^63 - 1
so we can use uint64_t for that.


Reviewed by: firstyear (Thanks!)

- - - - -
ffda491f by Simon Pichugin at 2020-07-20T12:47:17+02:00
Issue 49300 - entryUSN is duplicated after memberOf operation

Bug Description: When we assign a member to a group we have two
operations - group modification and user modification.
As a result, they both have the same entryUSN because USN Plugin
assigns entryUSN value in bepreop but increments the counter
in the postop and a lot of things can happen in between.

Fix Description: Increment the counter in bepreop together with
entryUSN assignment. Also, decrement the counter in bepostop if
the failure has happened.
Add test suite to cover the change.


Reviewed by: tbordaz (Thanks!)

- - - - -
ed5b13ca by Mark Reynolds at 2020-07-20T09:34:54-04:00
Issue 51000 - Separate the BDB backend monitors

Bug Description:  While trying to remove duplicate code from the backend
                  and BDB backend code, I found that we were not correctly
                  separating the BDB monitors from the core backend code.

Fix Description:  Move all the monitor registering to the db_layer private
                  structure.  This way we have fully isolated the monitors
                  for each backend implementation/library.  This also removed
                  some duplicate code from the core backend and BDB code.

relates: https://pagure.io/389-ds-base/issue/51000

Reviewed by: spichugi(Thanks!)

- - - - -
22c51491 by Simon Pichugin at 2020-07-20T20:11:58+02:00
Issue 51059 - If dbhome directory is set online backup fails

Bug Description: If the dbhome directory is set, eg to /dev/shm/instance
then an online backup fails because it looks for the log.000000x file
in the wrong directory.
This is hidden because the return code is overwritten before checking.

Fix Description: If dblayer_backup function fails - go to error processing


Reviewed by: mreynolds (Thanks!)

- - - - -
632a8e08 by Simon Pichugin at 2020-07-23T12:00:39+02:00
Issue 51136 - JSON Error output has redundant messages

Bug Description: When we try to start an instance for which
'systemctl start' command has failed, it produces excessive
output which is not a clear JSON.

Fix Description: Redirect stderr to stdout as we don't need
the info in CLI. User needs to check logs if something went wrong.
Add a new-line character in the end of DS CLI tool's stderr.
Clean up React state processing for setServerID callback.


Reviewed by: mreynolds (Thanks!)

- - - - -
d5c9c4e6 by Simon Pichugin at 2020-07-24T15:30:53+02:00
Issue 51086 - Fix instance name length for interactive install

Description: Instance name length is not properly validated
during interactive install. Add a check during a user input.


Reviewed by: mreynolds (Thanks!)

- - - - -
c6aae1e5 by Mark Reynolds at 2020-07-27T14:08:57-04:00
Issue 49487 - Cleanup unused code

Description:  Remove unused functions and "#if 0" code blocks.

relates: https://pagure.io/389-ds-base/issue/49487

Reviewed by: firstyear(Thanks!)

- - - - -
4610b5f6 by Barbora Simonova at 2020-07-28T14:51:20+02:00
Issue 50746 - Add option to healthcheck to list all the lint reports

Created tests that run healthcheck with the new --list-errors, --list-checks and --checks options
and then check syntax of the output.
I also added log.info to the health.py::_print_checks so I could check the log output of --list-checks.
test_healthcheck_backend_missing_mapping_tree is set to run on proper version, because the bz1835619 / ds51091 is fixed.

Relates: https://pagure.io/389-ds-base/issue/50746
Relates: https://pagure.io/389-ds-base/issue/51091

Reviewed by: spichugi (Thanks!)

- - - - -
98d6c7f8 by Mark Reynolds at 2020-07-28T14:56:56-04:00
Issue 49481 - remove unused or unnecessary database plugin functions

Description:  Removed some unused database plugin initializations.  Also
              cleaned up some of the logging in the bdb specific code
              that was not using the correct function name.

Fixes: https://pagure.io/389-ds-base/issue/49481

Reviewed by: elkris, tbordaz, and firstyear (Thanks!!!)

- - - - -
b7865bf1 by Mark Reynolds at 2020-07-29T11:58:00-04:00
Issue 49487 - Restore function that incorrectly removed by last patch

Bug Description:  Turns out we still need ldbm_back_entry_release() as
                  it's used in opshared.c, and it's not trivial to try and
                  move it into the backend code.

Fix Description:  Restore ldbm_back_entry_release() and still set the
                  function pointer in the pblock.  Also remove the unused
                  chaining release function.  Also did code cleanup with
                  comments in opshared.c

relates: https://pagure.io/389-ds-base/issue/49487

Reviewed by: elkris(Thanks!)

- - - - -
2c8e3398 by Mark Reynolds at 2020-07-29T16:19:41-04:00
Issue 51129 - SSL alert: The value of sslVersionMax "TLS1.3" is higher than the supported version

Bug Description:  If you try and set the sslVersionMax higher than the
                  default range, but within the supported range, you
                  would still get an error and the server would reset
                  the max to "default" max value.

Fix Description:  Keep track of both the supported and default SSL ranges,
                  and correctly use each range for value validation.  If
                  the value is outside the supported range, then use default
                  value, etc, but do not check the requested range against
                  the default range.  We only use the default range if
                  there is no specified min or max in the config, or if
                  an invalid min or max value is set in the config.

                  Also, refactored the range variable names to be more

                     enabledNSSVersions -->  defaultNSSVersions
                     emin, emax         -->  dmin, dmax

relates: https://pagure.io/389-ds-base/issue/51129

Reviewed by: firstyear(Thanks!)

- - - - -
594bf91f by Simon Pichugin at 2020-07-30T14:41:14+02:00
Issue 51222 - It should not be allowed to delete Managed Entry manually

Bug Description: It is possible to delete a managed entry and no error is raised.
Also, while doing delete or modrdn operation on a managing entry and the managed entry
doesn't exist, we should continue the operation.

Fix Description: We should put an entry struct duplicate to SLAPI_ENTRY_PRE_OP pblock
before we execute plugins PRE_OP. Also, we should allow to continue modrdn and delete
managing entry operations execution even when managed entry doesn't exist.
Allow 'cn=directory manager' to delete managed entry on direct update.
Add a test.


Reviewed by: firstyear, tbordaz (Thanks!)

- - - - -
b1e4f5f2 by Barbora Simonova at 2020-08-03T12:51:04+02:00
Issue 51102 - RFE - ds-replcheck - make online timeout configurable

Created a sanity test to check if the newly introduced -t option
for ds-replcheck does not break anything when used with various connection mechanisms.

Relates: https://pagure.io/389-ds-base/issue/51102

Reviewed by: spichugi (Thanks!)

- - - - -
79d5f2cf by William Brown at 2020-08-05T11:10:31+10:00
Ticket 50933 - Update 2307compat.ldif

Bug Description: This resolves a potential conflict between 60nis.ldif
in freeipa and others with 2307compat, by removing the conflicting
definitions from 2307bis that were included.

Fix Description: By not including these in 2307compat, this means that
sites that rely on the values provided by 2307bis may ALSO need
60nis.ldif to be present. However, these nis values seem like they are
likely very rare in reality, and this also will avoid potential
issues with freeipa. It also is the least disruptive as we don't need
to change an already defined file, and we don't have values where the name
to oid relationship changes.

Fixes: #50933

Author: William Brown <william at blackhats.net.au>

Review by: tbordaz (Thanks!)

- - - - -
a2041151 by William Brown at 2020-08-05T11:10:31+10:00
Ticket 50933 - enable 2307compat.ldif by default

Bug Description: This patch enables 2307compat.ldif by

Fix Description: This is separate to allow a simple roll
back if required during the review/devel process.


Author: William Brown <william at blackhats.net.au>

Review by: tbordaz (Thanks)

- - - - -
d2689280 by Barbora Simonova at 2020-08-05T12:12:14+02:00
Issue 50952 - SSCA lacks basicConstraint:CA

Created a test that checks if the certificate generated by instance
has 'category: authority' tag in trust.

Relates: https://pagure.io/389-ds-base/issue/50952

Reviewed by: spichugi (Thanks!)

- - - - -
066a7b49 by Simon Pichugin at 2020-08-06T20:42:36+02:00
Issue 50260 - Fix test according to #51222 fix

Description: Managed Entry plugin behaviour was fixed and
returned codes were cleaned up. Now we allow to continue
modrdn and delete managing entry operations execution
even when managed entry doesn't exist.
Also allow 'cn=directory manager' to delete managed entry
on direct update.
Make the updates fail using another way.


Reviewed by: mreynolds (Thanks!)

- - - - -
ea39a99e by Mark Reynolds at 2020-08-10T12:04:26-04:00
Issue 51233 - ds-replcheck crashes in offline mode

Bug Description:  When processing all the DN's found in the Master LDIF
                  it is possible that the LDIF is not in the expected
                  order and ldifsearch fails (crashing the tool).

Fix Description:  If ldifsearch does not find an entry, start from the
                  beginning of the LDIF and try again.

relates: https://pagure.io/389-ds-base/issue/51233

Reviewed by: spichugi(Thanks!)

- - - - -
c5b60d6d by Simon Pichugin at 2020-08-11T16:32:43+02:00
Issue 51228 - Clean up dsidm user status command

Description: ns-accountstatus.pl, ns-activate.pl and ns-inactivate.pl
were ported to lib389 CLI. The functionality was added to dsidm account/role entry-status,
dsidm account subtree-status, dsidm role lock/unlock, dsidm account lock/unlock.

Remove dsidm user status/lock/unlock commands as they are redundant.


Reviewed by: mreynolds (Thanks!)

- - - - -
5afcbb0d by Mark Reynolds at 2020-08-12T12:46:42-04:00
Issue 50933 - Fix OID change between 10rfc2307 and 10rfc2307compat

Bug Description:  10rfc2307compat changed the OID for nisMap objectclass to
                  match the standard OID, but this breaks replication with
                  older versions of DS.

Fix Description:  Continue to use the old(invalid?) oid for nisMap so that
                  replication does not break in a mixed version environment.

Fixes: https://pagure.io/389-ds-base/issue/50933

Reviewed by: firstyear & tbordaz(Thanks!!)

- - - - -
dda3ab0d by Mark Reynolds at 2020-08-17T09:20:07-04:00
Issue 51165 - Set the operation start time for extended ops

Bug Description:  Extended ops, like what is used in replication, were not
                  setting the operation start time.  This caused invalid
                  values in the new access log keywords (wtime & optime)

Fix Description:  Set the start start at the start of the extended op.

Fixes: https://pagure.io/389-ds-base/issue/51165

Reviewed by: mreynolds (one line commit rule)

- - - - -
0f1ab5f0 by Ludwig Krispenz at 2020-08-17T20:37:21+02:00
Ticket - 49562 integrate changelog database to main database

Bug description:
	PHASE 2 of backend redesign:
        Mainly changelog managed its own access to the database and it uses a global
        config entry (cn=changelog5,cn=config) not related to the backend/replica.

Fix description:
	The fix is described in the design.
         - use-after-free (remove+add replica, set)
         - various leaks (triggered with CI tests fixup-tombstone, cascading)
	 - Plus some changes in the CI tests


Reviewed by: Mark Reynolds, William Brown, Thierry Bordaz

- - - - -
bf6e4866 by Thierry Bordaz at 2020-08-18T17:23:41+02:00
Ticket - 51189 integrate changelog in main database - update CLI

Bug description:
    PHASE 2 of backend redesign:
    With https://pagure.io/389-ds-base/issue/49562, the changelog uses the main database.
    Changelog configuration was managed with a global config entry (cn=changelog5,cn=config)
    Now it is managed via a per backend config entry (cn=changelog,cn=<backend_entry>).
    Some config parameters are now in the backend specific changelog entry
    Some config parameters are simply abandoned (see design):

Fix description:
    This fix (PR) is to be applied on top of 49562
    It suppressed the ability to create/delete changelog as the changelog entry
    is now created/suppressed when a backend becomes a replica or not.

    subcommands to set/get changelog attributes requires a suffix (aka backend).
	dsconf <inst> replication set-changelog --suffix <suffix>  --trim-interval <val>
	dsconf <inst> replication set-changelog --suffix <suffix>  --max-age <val>
	dsconf <inst> replication set-changelog --suffix <suffix>  --max-entries <val>
	dsconf <inst> replication get-changelog --suffix <suffix>

    This patch removes the ability to restore a changelog (restore-changelog)
    It implements a new 'class Changelog' to set/get the configuration attribute
    of a per backend changelog


Reviewed by: Simon Pichugin, Mark Reynolds (Big thanks)

- - - - -
d1d557ad by Simon Pichugin at 2020-08-20T10:32:59+02:00
Issue 51229 - Server Settings page gets into an unresponsive state

Bug Description: If we switch the tab in Cockpit UI and restart
the instance - we can't go back to the default tab as it's in
an unresponsive loading state.

Fix Description: Do the update on ComponentDidUpdate instead of


Reviewed by: mreynolds (Thanks!)

- - - - -
b8e9773e by William Brown at 2020-08-21T10:06:56+10:00
Ticket 51177 - on upgrade configuration handlers

Bug Description: 389 to function in docker and other environments
such as restore-from-backup, needs to be able to upgrade its configuration
on startup. This lets us ship-and-enable new features, upgrade plugins
and more (similar to libglobs upgrades)

Previously we had only basic machinery for this (IE make sure this
entry exists like this) which would always write the content. This
caused problems where plugins would re-enable on restart, or couldn't
be removed.

Fix Description: This adds an upgrade processor and an exists_or_add
so that we can do stateful creates of entries, but without trampling
user modifications IE disabling plugins.

fixes: #51177

Author: William Brown <william at blackhats.net.au>

Review by: tbordaz, mreynolds (Thanks!)

- - - - -
cbcdf050 by William Brown at 2020-08-24T12:43:07+10:00
Ticket 51247 - Container Healthcheck failure

Bug Description: Due to human error, a change to begin_healthcheck
was overlooked that causes containers to always report an unhealthy

Fix Description: Fix the use of begin_healthcheck

fixes: https://pagure.io/389-ds-base/issue/51247
fixes #51247

Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
52a09ced by Simon Pichugin at 2020-08-27T15:24:48+02:00
Issue 51228 - Fix lock/unlock wording and lib389 use of methods

Descriptions: Clean up lib389 idm-account methods to precisely locate
CoS objects. Also, fix AccountPolicyEntry super() function.
Fix wording in user input requests while doing lock/unlock.


Reviewed by: mreynolds (Thanks!)

- - - - -
3d61aafa by William Brown at 2020-08-27T23:48:20+00:00
Ticket 51177 - fix warnings

Bug Description: Humans make mistakes. A lot of mistakes. In
the commit of 51177 I made a mistake of not checking every
compiler warning, which led to a mistake that could cause
problems for others.

Fix Description: There is no fix for humans. But we can
fix the compiler warnings.

fixes #51177

Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
01d9def3 by Mark Reynolds at 2020-09-01T10:06:17-04:00
Issue 51253 - dscreate should LDAPI to bootstrap the config

Description:  There are cases where DNS is not setup yet, and trying to
              automate the installation fails.  Using LDAPI bypasses this
              issue and allows for more robust deployment options

relates: https://pagure.io/389-ds-base/issue/51253

Reviewed by: minfrin, firstyear, and tbordaz (Thanks!!!)

- - - - -
e8f06927 by Mark Reynolds at 2020-09-02T09:12:05-04:00
Issue 51121 - Remove hardcoded changelog file name

Bug Description:  There are several places in the code where
                  the new changelog name is just a hardcoded
                  string.  So if the name changes we will have
                  many places that need to be updated.

Fix Description:  Use a "define" for the file name in the bdb code,
                  and in the changelog get the filename from
                  backend ldbminfo.

                  Also extended the ldbminfo flags to include the
                  backend implementation.  This will be used as
                  we start to need a way to detect what database
                  backend is in use.

relates: https://pagure.io/389-ds-base/issue/51121

Reviewed by: firstyear(Thanks!)

- - - - -
f9638bbd by Thierry Bordaz at 2020-09-09T10:40:10+02:00
Ticket 51190 - SyncRepl plugin provides a wrong cookie

Bug description:
	A sync repl thread is similar to persistent search thread.
        The server is communicating with the sync repl thread with
        an ordered queue of updates.
        Updates are written in the queue by post op callbacks.
	Sync repl thread waits/reads the queue, retrieve the updates
	from the retroCL, checks if target entry matches the
	request (scope/filter) and send back the entry/update to
        the sync repl client.

        Several issues regarding the way order of the updates in
	the queue:

	(1) When an update generates nested updates (automember,
        memberof,...) the order of the updates in the queue is
        not following the order of applied updates. The consequence
	is that the cookie (containing the update number) can be wrong.
        It can contain jumps, disorder and invalid number (-1).

	When an update fails (nested or primary update), none of the
        updates should be pushed to sync_repl queue

	(2) The plugin callback on updates are POSTOP, so if there are
        two direct updates, there is a possibility that the callback
        of the second update (and its nested updates) are enqueued
        before the first update. In such case the sync_repl thread
        may skip some updates and/or fail to retrieve update from
        retroCL (cookie.update_no=-1)

Fix description:
	The fix does
        (1) implements a pending list of updates (in the thread
	private space "get_thread_primary_op").
        The first in the pending list is the primary update then
        the others are the nested updates.
        A new operation (betxn_preop) registers the operation at
        the end of the pending list with the state OPERATION_PL_PENDING.
        It requires to registers new callbacks (sync_betxn_preop_init)

        During be_postop (see below) callbacks flags the pending
        depending on the operation result.
	When no more pending updates are OPERATION_PL_PENDING,
        then depending of the result of the primary update
        updates are moved to the sync_repl queue.

	(2) The postop plugin callbacks are now be_postop


Reviewed by:  Mark Reynolds, Simon Pichugin, William Brown (Thanks)

Platforms tested: F31

- - - - -
0d1ac8ab by Simon Pichugin at 2020-09-17T16:34:52+02:00
Issue 4327 - Update issue templates and README.md

Description: GitHub creates its issue templates directly in the repo.
Create a bug report and feature request templates.
Update README.md

Reviewed by: Firstyear (Thanks!)

Fixes: #4327
- - - - -
f41fc384 by Antonio Navarro at 2020-09-17T16:38:50+02:00
Issue 4322 - Updates old reference to pagure issue (#4321)

Description: Updates old reference to Pagure issue
(docker/README.md ' was fixed by @antonionc)

The rest is done by @droideck:
Change reference from the old Pagure issue to the corresponding GitHub issue
Fix all Pagure references and improve guides.

Co-authored-by: Simon Pichugin <spichugi at redhat.com>

Reviewed by: Firstyear (Thanks!)

Fixes: #4322 
- - - - -
00d08139 by tbordaz at 2020-09-21T08:28:38+02:00
Issue 4319 - Performance search rate: listener may be erroneously waken up (#4323)

Bug description:
	A worker thread usually wakes up the listener when it has completed
        reading the operation from the operation.
	In addition upon exceptional event (timeout while reading op or
	max thread per connection), it sets a local flag (need_wakeup) and
	wakes the listener.
	The problem is that it does not reset the flag after wake up. So
	for any further operation (on any operation) it will trigger this
	additional wake up.
	This triggers a write syscall and wakes up listener for nothing.
	This impacts throughput by ~2%

Fix description:
	reset the need_wakeup after signal_listner

relates: https://github.com/389ds/389-ds-base/issues/4319

Reviewed by: William Brown, Mark Reynolds (thanks !!)

Platforms tested: F31, RHEL8.3
- - - - -
ff6e8523 by Simon Pichugin at 2020-09-22T13:23:47+02:00
Issue 4322 - Fix a source link (#4332)

Description: Source0 should point to a local file instead of
a remote URL. We use it for testing/development only so
there is no need in external links.

Reviewed by: @Firstyear (Thanks!)

Fixes: #4322
- - - - -
787dfa11 by Mark Reynolds at 2020-09-22T11:34:38-04:00
Issue 4209 - RFE - add bootstrap credentials to repl agreement

Description:  When using Bind DN Groups for a replication agreement
              authentication there are cases where the group is not
              present, or is outdated.  In such cases having bootstrap
              credentials can allow replication to start working again.
              New replication sessions will always try and use the
              default credentials first.

relates: https://github.com/389ds/389-ds-base/issues/4209

Reviewed by: firstyear & tbordaz(Thanks!)

- - - - -
a16d9c14 by Mark Reynolds at 2020-09-22T11:34:38-04:00
Issue 4209 - RFE - add bootstrap credentials to repl agreement

Description:  When using Bind DN Groups for a replication agreement
              authentication there are cases where the group is not

relates: https://github.com/389ds/389-ds-base/issues/4209

Reviewed by: firstyear & tbordaz(Thanks!)

- - - - -
19c27490 by Mark Reynolds at 2020-09-22T11:34:38-04:00
Issue 4209 - RFE - add bootstrap credentials to repl agreement (UI update)

Description:  Add replication bootstrap settings to the UI.

relates: https://github.com/389ds/389-ds-base/issues/4209

Reviewed by: tbordaz & firstyear(Thanks!)

- - - - -
1dbb69ba by Mark Reynolds at 2020-09-22T11:34:38-04:00
Issue 4209 - RFE - add bootstrap credentials to repl agreement (upgrade update)

Description:  Add an upgrade function to add the new bootstrap password
              attribute to the AES reversible password plugin.

relates: https://github.com/389ds/389-ds-base/issues/4209

Reviewed by: tbordaz & firstyear (Thanks!!)

- - - - -
d98428a7 by Firstyear at 2020-09-23T09:19:34+10:00
Ticket 4326 - entryuuid fixup did not work correctly (#4328)

Bug Description: due to an oversight in how fixup tasks
worked, the entryuuid fixup task did not work correctly and
would not persist over restarts.

Fix Description: Correctly implement entryuuid fixup.

fixes: #4326

Author: William Brown <william at blackhats.net.au>

Review by: mreynolds (thanks!)
- - - - -
e51d2d62 by Mark Reynolds at 2020-09-22T19:35:44-04:00
Issue 4258 - Add server version information to UI

Description:  Add the server's version number to the server configuration

Fixes: https://github.com/389ds/389-ds-base/issues/4258

Reviewed by: firstyear(Thanks!)

- - - - -
089c1d58 by Simon Pichugin at 2020-09-24T10:25:04+02:00
Issue 3996 - Add dsidm rename option (#4338)

Description: Add rename option to dsidm CLI.
user, group, posixgroup, organizationalunit - rename by rdn.
account, role - rename by dn.
Set Account._protected = False by default so we can run
rename and delete operations.
Fix typos in dsidm CLI code.

Reviewed by: @mreynolds389 and @Firstyear (Thanks!!)

Fixes: #4127
Fixes: #3996
- - - - -
3a643dc8 by Mark Reynolds at 2020-09-24T12:29:52-04:00
Issue 4342 - UI - additional fixes for creation instance modal

Description: In the instance creation modal there is an incorrect warning
             about the port number range. It should state valid port numbers
             are between 1 and 65535. The root DN character validation allows
             non ascii as the first characters after the "=". And we are not
             forewarning about the instance name length if it is greater than
             80 characters

Fixes: https://github.com/389ds/389-ds-base/issues/4342

Reviewed by: spichugi(Thanks!)

- - - - -
df3a5127 by sgouvern at 2020-09-28T10:09:18+10:00
Description: (#4325)

Automated tests to verify that
- db2ldif exits properly when the ldif file path provided cannot be accessed
- a useful error message is displayed as output when the ldif file cannot be accessed

Relates: https://github.com/389ds/389-ds-base/issues/4241
Relates: https://github.com/389ds/389-ds-base/issues/4278

Reviewed by: Bsimonova, Firstyear. Thanks !
- - - - -
f6799c27 by Firstyear at 2020-09-30T11:35:20+10:00
Ticket 4345 - import self sign cert doc comment (#4346)

Bug Description: It was raised that the doc comment with TLS
and self sign cert could be confusing and if disabled it was
not clear how to enable TLS later.

Fix Description: Improve the doc comment with examples.

fixes: #4345

Author: William Brown <william at blackhats.net.au>

Review by: spichugi (Thanks!)
- - - - -
dc905d22 by Firstyear at 2020-10-02T07:55:58+10:00
Ticket 4351 - improve generated sssd.conf output (#4354)

Bug Description: There were some subtle issues in the sssd.conf
generator. When no group was specified, we'd generate an invalid
config. When the config used ldapi, it may not work on remote

Fix Description: When the uri is ldapi, emit a warning for
this parameter to be reviewed. When ldap filter is none
provide the example as commented out.

fixes: #4351

Author: William Brown <william at blackhats.net.au>

Review by: spichugi (Thanks!)
- - - - -
7275ce97 by Firstyear at 2020-10-02T08:09:22+10:00
Ticket 4350 - dsrc should warn when tls_cacertdir is invalid (#4353)

Bug Description: When the cacertdir is not a directory
or does not exist we should warn that this is not valid
and provide rectification steps.

Fix Description: Check if the path exists or is a directory
and report this, along with steps on how to run c_rehash

fixes: #4350

Author: William Brown <william at blackhats.net.au>

Review by: spichugi (Thanks!)
- - - - -
bf5a79c6 by tbordaz at 2020-10-02T12:03:12+02:00
Issue 4297- On ADD replication URP issue internal searches with filter containing unescaped chars (#4355)

Bug description:
	In MMR a consumer receiving a ADD has to do some checking based on basedn.
	It checks if the entry was a tombstone or if the conflicting parent entry was a tombstone.

	To do this checking, URP does internal searches using basedn.
	A '*' (ASTERISK) is valid in a RDN and in a DN. But using a DN in an assertionvalue of a filter, the ASTERISK needs to be escaped else the server will interpret the filtertype to be a substring. (see

	The problem is that if an added entry contains an ASTERISK in the DN, it will not be escaped in internal search and trigger substring search (likely unindexed).

Fix description:
	escape the DN before doing internal search in URP

Fixes: #4297

Reviewed by:  Mark Reynolds, William Brown, Simon Pichugin (thanks !)

Platforms tested: F31
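
The escaping step this fix description refers to, as an added example (it is not code from the 389-ds-base patch): an RFC 4515 assertion-value escaper, plus a check showing that a DN containing '*' turns an equality filter into a substring filter unless it is escaped. The function names, the "entrydn" attribute and the sample DN are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 4515 section 3: these octets must appear as \XX in an assertion value. */
static int needs_escape(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0';
}

/* Returns a malloc'd, NUL-terminated escaped copy of val[0..len), or NULL. */
char *escape_filter_value(const char *val, size_t len)
{
    static const char hex[] = "0123456789abcdef";
    if (val == NULL || len > (SIZE_MAX - 1) / 3) {
        return NULL; /* worst case is 3 output bytes per input byte */
    }
    char *out = malloc(len * 3 + 1);
    if (out == NULL) {
        return NULL;
    }
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)val[i];
        if (needs_escape(c)) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return out;
}

/* Builds "(attr=<escaped value>)"; caller frees the result. */
char *build_eq_filter(const char *attr, const char *value)
{
    char *esc = escape_filter_value(value, strlen(value));
    if (esc == NULL) {
        return NULL;
    }
    size_t n = strlen(attr) + strlen(esc) + 4; /* '(' '=' ')' and NUL */
    char *filter = malloc(n);
    if (filter != NULL) {
        snprintf(filter, n, "(%s=%s)", attr, esc);
    }
    free(esc);
    return filter;
}

/* Returns 1 when the value of a simple "(attr=value)" filter holds an
 * unescaped '*', i.e. a server would parse it as substring or presence
 * rather than equality. \XX escape sequences are skipped. */
int is_substring_filter(const char *filter)
{
    const char *p = strchr(filter, '=');
    if (p == NULL) {
        return 0;
    }
    for (p++; *p != '\0'; p++) {
        if (*p == '\\' && isxdigit((unsigned char)p[1]) &&
            isxdigit((unsigned char)p[2])) {
            p += 2; /* skip the two hex digits of an escape */
            continue;
        }
        if (*p == '*') {
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample DN with a literal asterisk in the RDN value. */
    const char *dn = "cn=build*agent,ou=hosts,dc=example,dc=com";

    char naive[128];
    snprintf(naive, sizeof(naive), "(entrydn=%s)", dn);
    char *safe = build_eq_filter("entrydn", dn);
    if (safe == NULL) {
        return 1;
    }
    printf("unescaped: %s substring=%d\n", naive, is_substring_filter(naive));
    printf("escaped:   %s substring=%d\n", safe, is_substring_filter(safe));
    free(safe);
    return 0;
}
```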
- - - - -
4f25c850 by Firstyear at 2020-10-06T08:15:01+10:00
Ticket 4347 - log when server requires a restart for a plugin to become active (#4352)

Bug Description: When testing another feature, user confusion was experienced
while enabling a plugin. This was due to a misunderstanding about dynamic
plugins and when and how they take effect.

Fix Description: When dynamic plugins are NOT enabled, and an attempt
is made to enable a plugin, clearly log that we require a restart of
the server for this functionality to become active.

fixes: #4347

Author: William Brown <william at blackhats.net.au>

Review by: @droideck, @mreynolds389 (Thanks!)
- - - - -
db7d98c3 by Firstyear at 2020-10-06T12:41:00+10:00
Ticket 4350 - One line, fix invalid type error in tls_cacertdir check (#4358)

Bug Description: When the tls_cacertdir parameter was not
present os.path fails with None not a str.

Fix Description: Check if the path is None

fixes: #4350

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 
- - - - -
b7ad38a6 by Barbora Simonova at 2020-10-06T11:04:00+02:00
Issue 4348 - Add tests for dsidm

Created tests for dsidm client_config option and enhanced
the src/lib389/lib389/cli_idm/client_config.py so the output gets caught
to a log file and can be compared.
Also modified the dbgen_test.py, because the check_value_in_log_and_reset() function
provided a fake value in the log file. So in case something failed and the original value
was not in the output, the test would find the value in "Check that {} is present" line
and therefore it would not fail.

Fixes: https://github.com/389ds/389-ds-base/issues/4348

Reviewed by: Firstyear, droideck (Thanks!)

- - - - -
54b54423 by Mark Reynolds at 2020-10-06T10:17:37-04:00
Issue 4360 - password policy max sequence sets is not working as expected

Description: password max sequence sets: "123--123" are not being correctly
             detected. This is due to an uninitialized char array

Relates: https://github.com/389ds/389-ds-base/issues/4360

Reviewed by: mreynolds (one line commit rule)

- - - - -
7cb9a635 by Simon Pichugin at 2020-10-08T19:18:24+02:00
Issue 4265 - UI - Make the secondary plugins read-only (#4364)

Description: As some of the changes may break the server.
We should make all the plugins in the UI Plugins table read-only.
Only the ones in the left column should be editable.
The change is only for UI.

Fixes: #4265

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
aaaaaf50 by Mark Reynolds at 2020-10-08T19:31:56-04:00
Issue 4366 - lib389 - Fix account status inactivity checks

Bug Description:  When we converted the entries lastLoginAttr to epoch seconds
                  the function was not converting it correctly, and the value
                  was off by quite a bit.  This caused the CLI tools to potentially
                  report the wrong status of the entry.

Fix Description:  First the times from the entry are gmtime, not local.  So
                  instead of grabbing the current local time, we need to grab
                  the current gmtime.  Second, the function that converts a
                  generalized time to epoch seconds is not working.  So that
                  was reworked to generate the correct epoch value.

relates: https://github.com/389ds/389-ds-base/issues/4366

Reviewed by: firstyear(Thanks!)

- - - - -
a931061e by Mark Reynolds at 2020-10-08T19:37:15-04:00
Issue 4368 - ds-replcheck crashes when processing glue entries

Bug Description:  When processing glue entries on the replica the tool
                  can crash by dereferencing a None variable.

Fix Description:  Properly check the replica result entry for what type
                  of entry it is, and then properly handle it if it is
                  a glue entry.

relates: https://github.com/389ds/389-ds-base/issues/4368

Reviewed by: firstyear(Thanks!)

- - - - -
f7ecbf85 by Firstyear at 2020-10-09T10:34:30+10:00
Issue 4361 - RFE - add - dscreate --advanced flag to avoid user confusion

Bug Description: It has been noticed in a few separate reports that
certain options in the dscreate template can cause confusion. This
is because when presented with the options, people may attempt to
tweak or change settings to "customise" them, without fully
understanding the impact.

Fix Description: Distinguish common options from developer-only
advanced options in the template with the --advanced flag.

fixes: #4361

Author: William Brown <william at blackhats.net.au>

Review by: @droideck @mreynolds389 thanks! 
- - - - -
90048526 by Firstyear at 2020-10-12T07:54:01+10:00
Issue 4334 - RFE - Task timeout may cause larger dataset imports to fail (#4359)

Bug Description: The task.wait() function had a hardcoded timeout
and no method to "disable" that check. This could cause very large
databases to fail to import.

Fix Description: Support timeout=None, which allows the task to
take 'infinite' time. Additionally, this provides a warning that
this is occurring.

fixes: #4334

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 @droideck (thanks!)
- - - - -
ffc5982b by Firstyear at 2020-10-13T08:14:26+10:00
Issue 4372 - BUG - Chaining DB did not validate bind mech parameters (#4374)

Bug Description: Chaining DB did not validate the content of bind mech.
When combined with an ambiguous help string, this caused users to set
blank/empty strings into the chaining db config, that would not auth
correctly to the target.

Fix Description: The chaining DB should strictly enforce the incoming
values that are set. The help in dsconf should be explicit about what
values are supported and how they are set.

fixes: #4372

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 (thanks!)
- - - - -
7fd97b1d by Simon Pichugin at 2020-10-13T14:04:55+02:00
Issue 3555 - Fix npm audit issues (#4370)

Description: Update dependencies which have vulnerabilities
and remove unused deps:
- eonasdan-bootstrap-datetimepicker;
- react-ellipsis-with-tooltip;
- recompose;

Relates: #3555

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
43c69156 by tbordaz at 2020-10-15T11:57:56+02:00
Issue 4329 - Sync repl - if a series of updates target the same entry then the cookie gets wrong changenumber (#4356)

Bug description:
            In persist mode, sync_repl sends a matching updated entry with a sync state control
            containing a cookie. The cookie contains the changenumber related to the updated entry.
            If several consecutive updates target the same entry, sync_repl will send for each
            update the same changenumber (the first of the set of updates).
            changenumber will resync as soon as another entry is sent.
            The reason why sync_repl sends several times the same entry is that the internal
            search looks for '(changenumber >= cookie_changenumber)' rather than
            '(changenumber > cookie_changenumber)'.

Fix description:
            Change the filter to look for the next changenumber

Fixes: #4329

Reviewed by:  William Brown, Simon Pichugin

Platforms tested: F31, F33
- - - - -
b8b16914 by tbordaz at 2020-10-15T16:59:56+02:00
Issue 4379 - allow more than 1 empty AttributeDescription for ldapsearch, without the risk of denial of service (#4380)

Bug description:
        The fix #3028 enforces a strict limit of empty attributeDescription.
        The limit is low (1) and some applications may fail.
        We can relax this limit to a higher value without reopening DOS risk

Fix description:
        Change the max authorized empty attributesDescription from 1 to 10

relates: https://github.com/389ds/389-ds-base/issues/4379

Reviewed by: Mark Reynolds

Platforms tested: F31
- - - - -
141a5145 by Mark Reynolds at 2020-10-16T10:58:00-04:00
Issue 4159 - Healthcheck code DSBLE0002 not returned on disabled suffix

Bug Description:  The healthcheck tool was actually crashing when a suffix
                  was disabled.  We also were not correctly processing
                  DSLdapObjects, where we would run all the lint tests
                  even though we only asked to run one specific lint test.

Fix Description:  Make healthcheck more robust to handle exceptions.  Fix
                  the processing of DSLdapObjects by passing in the lint
                  function name to DSLint().

                  Also added the health "check" that triggered the issue
                  to the final report so you know which exact test to rerun.

Fixes: https://github.com/389ds/389-ds-base/issues/4159

Reviewed by: firstyear & spichugi(Thanks!)

- - - - -
9cfb5751 by Mark Reynolds at 2020-10-19T12:11:08-04:00
Issue 4176 - import ldif2cl task should not close all changelogs

Bug Description:  With the new per-backend replication changelog, the
                  ldif2cl task would incorrectly close all the backends.

Fix Description:  First, the global changelog struct (s_cl5Desc) was
                  completely removed and merged with the replica changelog
                  db handle struct.  The dbState variable is used to
                  synchronize access to the changelog db struct during
                  shutdown, or ldif2cl tasks.

                  The CLI was updated to handle setting changelog encryption,
                  and importing/restoring a changelog ldif.

                  The UI was updated to handle the new per-backend changelog
                  and its configuration.  Also added the option to
                  export/import the changelog and its various forms.

Fixes: https://github.com/389ds/389-ds-base/issues/4176

Reviewed by: tbordaz, firstyear, and elkris (Thanks!!!)

Remove unneeded LMDB changelog file name

Apply requested changes

Fix dbscan, adjust changelog format v6, and other cleanup...

Prepare the CLI for changelog export/import

- - - - -
0a902cc8 by Firstyear at 2020-10-20T12:04:51+10:00
Issue #3600 - RFE - openldap migration tooling (#4318)

Bug Description: A large number of enterprise customers are interested
to move from OpenLDAP to 389 Directory Server. As this can be a
difficult process, there are many parts that we can automate to make
the process smoother, and to provide other information to assist
admins in a successful migration.

Fix Description: This adds the openldap_to_ds command, which given
a backup of an OpenLDAP and its configuration, is able to partially
migrate the content and plugins to a running instance. Additionally
this is able to provide a checklist of other migration tasks that
may require administrator action and management.

fixes: #3600

Author: William Brown <william at blackhats.net.au>

Review by: @droideck @mreynolds389 (Thanks!)
- - - - -
d2c285f0 by Jamie Chapman at 2020-10-20T15:00:27+01:00
Issue 1199 - Misleading message in access log for idle timeout (#4385)

Issue 1199 - Misleading message in access log for idle timeout

Description:    Update timeout error code in daemon.
                Add extra detail to idle and IO timeout error messaging.
                Typo in logconv.pl

Relates:        #1199

Reviewed by:    mreynolds389, droideck, Firstyear (Thanks folks)
- - - - -
95653e74 by Simon Pichugin at 2020-10-20T18:49:37+02:00
Issue 4295 - Fix a closing quote issue (#4386)

Description: The "details" keyword in the access log does not have
a closing quote.
The issue happens because the quote was set in the wrong place.

Fixes: #4295

Reviewed by: @mreynolds389 
- - - - -
d5c5097b by Mark Reynolds at 2020-10-20T14:54:54-04:00
Issue 4389 - errors log with incorrectly formatted message parent_update_on_childchange

Description:  The arguments were incorrect for the logging line

Fixes: https://github.com/389ds/389-ds-base/issues/4389

Reviewed by: mreynolds(one line commit rule)

- - - - -
266d8780 by Mark Reynolds at 2020-10-21T17:07:13-04:00
Issue 2526 - suffix management in backends incorrect

Description:  Previously the server used to support multiple suffixes per backend
              and the server had to maintain and check a be list of suffixes.
              However, this is no longer supported, so all of this code can be
              cleaned up to support a single suffix per backend.

              Also added a check that when creating a mapping tree entry, that the
              backend entry must already exist and match the suffix.

Relates: https://github.com/389ds/389-ds-base/issues/2526

Reviewed by: firstyear(Thanks!)

- - - - -
8742f657 by Akshay Adhikari at 2020-10-22T08:48:14+02:00
Issue 2820 - Fix CI tests (#4365)

Issue 2820 - Fix CI tests

Bug Description: tickets/ticket47973_test.py test had failures in CI nightly runs

Fix Description: Fix the failure and also change the code to use DSLdapObject.
Move the code into the schema test suite.
Replace legacy objects from the whole test

Relates: #2820

Reviewed by: Simon(droideck)
- - - - -
1f5aecb5 by Mark Reynolds at 2020-10-22T09:46:03-04:00
Issue 4392 - Update create_test.py

Description:  Remove the unnecessary DEBUGGING logger code

Fixes: https://github.com/389ds/389-ds-base/issues/4392

Reviewed by: firstyear & spichugi (Thanks!!)

- - - - -
fbb54a7f by tbordaz at 2020-10-23T10:34:02+02:00
Issue 4363 - Sync repl: per thread structure was incorrectly initialized (#4395)

Bug description:
        A per thread structure should be allocated once, either on get/set.
        Currently it is allocated on the primary operation and freed when
        the primary operation is completed.

Fix description:
        The per thread structure is now a HEAD structure.
        The HEAD is where the primary operation is referenced when
        the operation starts and where it is reset when the primary operation ends
        (pushed to the sync_repl thread)

relates: https://github.com/389ds/389-ds-base/issues/4363

Reviewed by: Mark Reynolds

Platforms tested: F31, F33
- - - - -
e227c5be by Mark Reynolds at 2020-10-25T12:49:54-04:00
Issue 2526 - revert API change in slapi_be_getsuffix()

Description:  The public slapi API was changed in the previous commit and
              this broke several other projects using 389 DS.  This patch
              restores the API, but it ignores the unused value:

                  const Slapi_DN *slapi_be_getsuffix(Slapi_Backend *be, int unused);

Relates: https://github.com/389ds/389-ds-base/issues/2526

Reviewed by: mreynolds

- - - - -
a2584e1d by Mark Reynolds at 2020-10-26T09:08:00-04:00
Issue 4262 - Remove legacy tools subpackage

Description:  Remove all the legacy tool scripts, libraries, and obsolete files

Relates: https://github.com/389ds/389-ds-base/issues/4262

Reviewed by: viktor & firstyear (Thanks!!)

Apply Viktor's suggestions

- - - - -
06ff5b77 by Mark Reynolds at 2020-10-26T11:42:46-04:00
Issue 4262 - Remove legacy tools subpackage (restart instances after rpm install)

Description:  Update specfile to restart instances after installing new rpm

Relates: https://github.com/389ds/389-ds-base/issues/4262

Reviewed by: viktor(Thanks!)

- - - - -
60412d96 by Mark Reynolds at 2020-10-26T16:31:30-04:00
Issue 4262 - Remove legacy tools subpackage (final cleanup)

Description:  Found a few more cleanup issues with removing perl.

Relates: https://github.com/389ds/389-ds-base/issues/4262

Reviewed by: spichugi(Thanks!)

- - - - -
f030cf88 by Mark Reynolds at 2020-10-26T21:45:30-04:00
Bump version to

- - - - -
67c8b870 by Mark Reynolds at 2020-10-27T13:58:01-04:00
Issue 2526 - retrocl backend created out of order

Bug Description:  A recent change verified that you do not create
                  a mappingtree entry before the backend entry was
                  created.  The server created the retrocl backend
                  in the opposite order which broke the retrocl.

Fix Description:  Create the retrocl backend entry before creating
                  the mapping tree entry.

Relates: https://github.com/389ds/389-ds-base/issues/2526

Reviewed by: viktor(Thanks!)

- - - - -
b45df8df by Mark Reynolds at 2020-10-28T09:02:26-04:00
Issue 4262 - more perl removal cleanup

Description:  Removed the remaining "enabled_perl" code.

Relates: https://github.com/389ds/389-ds-base/issues/4262

Reviewed by: viktor(Thanks!)

- - - - -
fa6e1aa2 by Mark Reynolds at 2020-10-28T09:59:15-04:00
Issue 2526 - revert backend validation check

Description:  Other projects are creating backends out of order, so
              the previous patch was breaking these projects.  Reverting
              the validation check in 1.4.4, but leaving it in 1.4.5 (F34)
              where we will fix the other projects for F34.

Relates: https://github.com/389ds/389-ds-base/issues/2526

Reviewed by: mreynolds

- - - - -
60a2429e by Mark Reynolds at 2020-10-28T10:46:31-04:00
Bump version to

- - - - -
c4b1be45 by Mark Reynolds at 2020-11-03T08:03:29-05:00
Issue 4176 - CL trimming causes high CPU

Bug Description:  The changelog trimming switched to using pthread_cond_timedwait()
                  instead of NSPR, but the relative time was used for the wait time
                  instead of the absolute time.  This caused it to basically not
                  wait at all and consume all the CPU.

Fix Description:  Use the absolute(monotonic) time for the condition wait time.

Relates: https://github.com/389ds/389-ds-base/issues/4176

Reviewed by: progier(Thanks!)

- - - - -
264f173a by Mark Reynolds at 2020-11-03T17:25:19-05:00
Issue 4415 - unable to query schema if there are extra parenthesis

Bug Description:  When a client does a schema lookup in lib389 asking
                  for the result in JSON, the X-ORIGIN is not correctly
                  parsed if it contains an extra parenthesis

Fix Description:  When parsing between the X-ORIGIN encapsulating parenthesis
                  find the right most match, not the first match.

Relates: https://github.com/389ds/389-ds-base/issues/4415

Reviewed by: spichugi(Thanks!)

- - - - -
bf454ad0 by Mark Reynolds at 2020-11-07T22:33:31-05:00
Bump version to

- - - - -

30 changed files:

- + .github/ISSUE_TEMPLATE/bug_report.md
- + .github/ISSUE_TEMPLATE/feature_request.md
- Makefile.am
- configure.ac
- dirsrvtests/create_test.py
- + dirsrvtests/tests/data/openldap_2_389/1/example_com.slapcat.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/example_net.slapcat.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/setup/example_com.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/setup/example_net.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/setup/slapd.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/cn=module{0}.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/cn=schema.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/cn=schema/cn={0}core.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/cn=schema/cn={2}inetorgperson.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/cn=schema/cn={3}rfc2307bis.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/cn=schema/cn={4}yast.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/olcDatabase={0}config.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/olcDatabase={1}mdb.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={0}memberof.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={1}refint.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={2}unique.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/olcDatabase={2}mdb.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/olcDatabase={2}mdb/olcOverlay={0}memberof.ldif
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/olcDatabase={2}mdb/olcOverlay={1}unique.ldif
- dirsrvtests/tests/suites/acl/acl_deny_test.py

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/318a3ce0c721ce217fc166b69e3457ad6ee0fb98...bf454ad070199d5e8c0a03b5e2505e6f2750e998
