[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][upstream] 56 commits: Issue 5442 - Search results are different between RHDS10 and RHDS11

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Mon Aug 16 07:55:57 BST 2021



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / 389-ds-base


Commits:
d641e852 by Mark Reynolds at 2021-01-26T11:18:37-05:00
Issue 5442 - Search results are different between RHDS10 and RHDS11

Bug Description:  In 1.4.x we introduced a change that was overly strict about
                  how a search on a non-existent subtree returned its error code.
                  It was changed from returning an error 32 to an error 0 with
                  zero entries returned.

Fix Description:  When finding the entry and processing acl's make sure to
                  gather the aci's that match the resource even if the resource
                  does not exist.  This requires some extra checks when processing
                  the target attribute.

relates: https://github.com/389ds/389-ds-base/issues/4542

Reviewed by: firstyear, elkris, and tbordaz (Thanks!)

Apply Thierry's changes

round 2

Apply more suggestions from Thierry

- - - - -
14f67ebe by tbordaz at 2021-01-26T18:08:28+01:00
Issue 4324 - Performance search rate: change entry cache monitor to recursive pthread mutex (#4569)

Bug description:
	The entry cache is protected with recursive mutex. Currently it is
	implemented using PR_Monitor (NSPR). When the entry cache mutex
	becomes the bottleneck (for example base search searchrate on
	the same entry), using pthread recursive mutex gives 8% benefit.

Fix description:
	Changing the c_mutex from PR_Monitor to pthread recursive mutex

relates: https://github.com/389ds/389-ds-base/issues/4324

Reviewed by: Mark Reynolds, Simon Pichugin

Platforms tested: F31
- - - - -
96edca86 by James Chapman at 2021-01-27T09:56:38+00:00
Issue 4396 - Minor memory leak in backend (#4558) (#4572)

Bug Description: As multiple suffixes per backend were no longer used, this
functionality has been replaced with a single suffix per backend. Legacy
code remains that adds multiple suffixes to the dse internal backend,
resulting in memory allocations that are lost.

Also a minor typo is corrected in backend.c

Fix Description: Calls to be_addsuffix on the DSE backend are removed
as they are never used.

Fixes: https://github.com/389ds/389-ds-base/issues/4396

Reviewed by: mreynolds389, Firstyear, droideck (Thank you)
- - - - -
9f9eb91e by tbordaz at 2021-01-27T12:40:34+01:00
Issue 4526 - sync_repl: when completing an operation in the pending list, it can select the wrong operation (#4553)

Bug description:
	When an operation complete, it was retrieved in the pending list with
	the address of the Operation structure. In case of POST OP nested operations
	the same address can be reused. So when completing an operation there could be
	a confusion which operation actually completed.
	A second problem is that if an update its DB_DEADLOCK, the BETXN_PREOP can
	be called several times. During retry, the operation is already in the pending
	list.

Fix description:
	The fix defines a new operation extension (sync_persist_extension_type).
	This operation extension contains an index (idx_pl) of the op_pl in the
	the pending list.

	And additional safety fix is to dump the pending list in case it becomes large (>10).
	The pending list is dumped with SLAPI_LOG_PLUGIN.

	When there is a retry (operation extension exists) the call to sync_update_persist_betxn_pre_op
	becomes a NOOP: the operation is not added again in the pending list.

relates: https://github.com/389ds/389-ds-base/issues/4526

Reviewed by: William Brown (Thanks !!)

Platforms tested: F31 & F33
- - - - -
900e6fdc by tbordaz at 2021-01-28T10:46:50+01:00
Issue 4563 - Failure on s390x: 'Fails to split RDN "o=pki-tomcat-CA" into components' (#4573)

Bug description:
	SLAPI_OPERATION_TYPE is a stored/read as an int (slapi_pblock_get/set).
	This although the storage field is an unsigned long.
	Calling slapi_pblock_get with an long (8 btyes) destination creates
	a problem on big-endian (s390x).

Fix description:
	Define destination op_type as an int (4 bytes)

relates: https://github.com/389ds/389-ds-base/issues/4563

Reviewed by: Mark Reynolds, William Brown

Platforms tested: F31 (little endian), Debian (big endian)
- - - - -
75ef66b4 by progier389 at 2021-02-01T12:32:24+01:00
Issue 4579 - libasan detects heap-use-after-free in URP test (#4584)

(cherry picked from commit 64167696080eb664c5bc4f00ff10412a9ad8cc2c)

- - - - -
7b681e1d by Mark Reynolds at 2021-02-02T11:28:36-05:00
Bump version to 1.4.4.12

- - - - -
71cb9030 by Mark Reynolds at 2021-02-10T09:33:10-05:00
Issue 4609 - CVE - info disclosure when authenticating

Description:  If you bind as a user that does not exist.  Error 49 is returned
              instead of error 32.  As error 32 discloses that the entry does
              not exist.  When you bind as an entry that does not have userpassword
              set then error 48 (inappropriate auth) is returned, but this
              discloses that the entry does indeed exist.  Instead we should
              always return error 49, even if the password is not set in the
              entry.  This way we do not disclose to an attacker if the Bind
              DN exists or not.

Relates: https://github.com/389ds/389-ds-base/issues/4609

Reviewed by: tbordaz(Thanks!)

- - - - -
8d40f278 by Simon Pichugin at 2021-02-12T13:15:13+01:00
Issue 4593 - RFE - Print help when nsSSLPersonalitySSL is not found (#4614)

Description: RHDS instance will fail to start if the TLS server
certificate nickname doesn't match the value of the configuration
parameter "nsSSLPersonalitySSL".

The mismatch typically happens when customers copy the NSS DB from
a previous instance or export the certificate's data but forget to set
the "nsSSLPersonalitySSL" value accordingly.

Log an additional message which should help a user to set up
nsSSLPersonalitySSL correctly.

Fixes: #4593

Reviewed by: @Firstyear (Thanks!)
- - - - -
d4c2ab38 by Mark Reynolds at 2021-02-12T12:32:05-05:00
Issue 4324 - Some architectures the cache line size file does not exist

Bug Description:  When optimizing our mutexes we check for a system called
                  coherency_line_size that contains the size value, but if
                  the file did not exist the server would crash in PR_Read
                  (NULL pointer for fd).

Fix Description:  Check PR_Open() was successfully before calling PR_Read().

Relates: https://github.com/389ds/389-ds-base/issues/4324

Reviewed by: tbordaz(Thanks!)

- - - - -
b8c4510b by Firstyear at 2021-02-12T14:22:54-05:00
Issue 4591 - RFE - improve openldap_to_ds help and features (#4607)

Bug Description: Improve the --help page, and finish wiring in some
features.

Fix Description: Wire in exclusion of attributes/schema for migration.

fixes: https://github.com/389ds/389-ds-base/issues/4591

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389, @droideck
- - - - -
ffa4563d by Jack at 2021-02-12T14:28:15-05:00
Update dscontainer (#4564)

Issue 4564 - RFE - Add suffix to dscontainer rc file

Bug Description: The suffix was not added before, adding a hurdle to
automatic admin of the container instance

Fix Description: If the suffix is set, add it to the created rc file. 

fixes: https://github.com/389ds/389-ds-base/pull/4564

Author: @Jackbennett

Review by: @Firstyear  
- - - - -
6841d693 by Mark Reynolds at 2021-02-12T14:32:48-05:00
Bump version to 1.4.4.13

- - - - -
6fcdfad7 by Mark Reynolds at 2021-02-12T15:13:14-05:00
Issue 4615 - log message when psearch first exceeds max threads per conn

Desciption:  When a connection hits max threads per conn for the first time
             log a message in the error.  This will help customers diagnosis
             misbehaving clients.

Fixes: https://github.com/389ds/389-ds-base/issues/4615

Reviewed by: progier389(Thanks!)

- - - - -
48259831 by Mark Reynolds at 2021-02-12T15:16:53-05:00
Issue 4619 - remove pytest requirement from lib389

Description:  Remove the requirement for pytest from lib389, it causes
              unneeded package requirements on Fedora/RHEL.

Fixes: https://github.com/389ds/389-ds-base/issues/4619

Reviewed by: mreynolds(one line commit rule)

- - - - -
4e3b2d31 by Mark Reynolds at 2021-02-17T20:15:41-05:00
Issue 4513 - CI - make acl ip address tests more robust

Description:  The tests aumme the system is using IPv6 loopback address, but it
              should still check for IPv4 loopback.

Relates: https://github.com/389ds/389-ds-base/issues/4513

Reviewed by: ?

- - - - -
58725517 by tbordaz at 2021-02-23T10:24:04+01:00
Issue 4649 - crash in sync_repl when a MODRDN create a cenotaph (#4652)

Bug description:
	When an operation is flagged OP_FLAG_NOOP, it skips BETXN plugins but calls POST plugins.
	For sync_repl, betxn (sync_update_persist_betxn_pre_op) creates an operation extension to be
	consumed by the post (sync_update_persist_op). In case of OP_FLAG_NOOP, there is no
	operation extension.

Fix description:
	Test that the operation is OP_FLAG_NOOP if the operation extension is missing

relates: https://github.com/389ds/389-ds-base/issues/4649

Reviewed by: William Brown (thanks)

Platforms tested: F31
- - - - -
3687e1ca by tbordaz at 2021-02-23T13:43:44+01:00
Issue 4644 - Large updates can reset the CLcache to the beginning of the changelog (#4647)

Bug description:
	The replication agreements are using bulk load to load updates.
	For bulk load it uses a cursor with DB_MULTIPLE_KEY and DB_NEXT.
	Before using the cursor, it must be initialized with DB_SET.

	If during the cursor/DB_SET the CSN refers to an update that is larger than
	the size of the provided buffer, then the cursor remains not initialized and
	c_get returns DB_BUFFER_SMALL.

	The consequence is that the next c_get(DB_MULTIPLE_KEY and DB_NEXT) will return the
	first record in the changelog DB. This break CLcache.

Fix description:
	The fix is to harden cursor initialization so that if DB_SET fails
	because of DB_BUFFER_SMALL. It reallocates buf_data and retries a DB_SET.
	If DB_SET can not be initialized it logs a warning.

	The patch also changes the behaviour of the fix #4492.
	#4492 detected a massive (1day) jump prior the starting csn and ended the
	replication session. If the jump was systematic, for example
	if the CLcache got broken because of a too large updates, then
	replication was systematically stopped.
	This patch suppress the systematically stop, letting RA doing a big jump.
	From #4492 only remains the warning.

relates: https://github.com/389ds/389-ds-base/issues/4644

Reviewed by: Pierre Rogier (Thanks !!!!)

Platforms tested: F31
- - - - -
e86389b4 by Mark Reynolds at 2021-02-23T11:53:20-05:00
Issue 4646 - CLI/UI - revise DNA plugin management

Bug Description:

There was a false assumption that you have to create the shared DNA
server configuration entry, but in fact the server creates and manages
this entry.  The only thing you should edit in this entry are the
remote Bind Method and Connection Protocol.

Fix Description:

Remove the options to create the shared config entry, and edit the
core/reserved attributes.

Also fixed some issues where we were not showing CLI plugin output in
proper JSON.  This required some changes to the UI as well.

Relates: https://github.com/389ds/389-ds-base/issues/4646

Reviewed by: spichugi(Thanks!)

- - - - -
65a55129 by Simon Pichugin at 2021-02-24T13:34:02+01:00
Issue 4513 - Fix replication CI test failures (#4557)

Description: Divide regression test suite into separate
files with different topologies to use. It fixes topology
conflicts that may occurre.

Fix cleanup finalizer at topo_with_sigkill fixture.

Remove rfc2307compat test suite as it's not valid
as we don't ship 10rfc2307.ldif anymore.
https://github.com/389ds/389-ds-base/pull/4388/

Relates: #4513

Reviewed by: @mreynolds389, @Firstyear

- - - - -
3fc16ccc by Firstyear at 2021-03-02T11:15:31+10:00
Issue 4588 - BUG - unable to compile without xcrypt (#4589)

Bug Description: If xcrypt is not available, especially on some
distros with older libraries, 389 was unable to build.

Fix Description: Detect if we have xcrypt, and if not, add
stubs that always error instead.

fixes: https://github.com/389ds/389-ds-base/issues/4588

Author: William Brown <william at blackhats.net.au>

Review by: @progier389, @jchapma, @droideck (Thanks!)
- - - - -
e8b93a6b by Mark Reynolds at 2021-03-03T15:33:51-05:00
Issue 4169 - UI - updates on the tuning page are not reflected in the UI

Bug Description:  We were not reloading the configuration after applying
                  to the server.  So the UI would appear to reset to the
                  previous value.

Fix Description:  This was fixed in master branch as part of a different
                  effort to move to PF4.  Back porting that part of the
                  fix to 1.4.4

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

- - - - -
85fabb6f by Mark Reynolds at 2021-03-09T12:39:44-05:00
Issue 4663 - CLI - unable to add objectclass/attribute without x-origin

- - - - -
d3c7f40a by Firstyear at 2021-03-10T12:46:09+10:00
Issue 4659 - restart after openldap migration to enable plugins (#4660)

Bug Description: Rather than requesting the user to do the fixup
which also relies on them to know to restart after enabling the
plugins, we should restart and do the fixup.

Fix Description: Restart before we do post tasks.

fixes: https://github.com/389ds/389-ds-base/issues/4659

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 
- - - - -
12b25060 by Firstyear at 2021-03-10T12:59:35+10:00
Issue 4661 - RFE - allow importing openldap schemas (#4662)

Bug Description: Many applications only publish schemas in
openldap formats. We should be able to import them.

Fix Description: Add a dsconf tool that allows online
importing of these schemas. This uses the migration framework
underneath so that we avoid code duplication.

fixes: https://github.com/389ds/389-ds-base/issues/4661

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 (Thanks!)
- - - - -
e8a4c61b by Mark Reynolds at 2021-03-11T08:51:06-05:00
Issue 4459 - lib389 - Default paths should use dse.ldif if the server is down

Bug Description:  If a custom path is used for something like the backup directory,
                  dsctl will still use the default path from defaults.inf.

Fix Description:  When initializing the default Paths consult dse.ldif for some
                  of the paths.

relates: https://github.com/389ds/389-ds-base/issues/4459

Reviewed by: firstyear(Thanks!)

- - - - -
f32cd6d1 by Mark Reynolds at 2021-03-11T09:24:21-05:00
Issue 4656 - Remove problematic language from UI/CLI/lib389

Description:  Replace "master" and "slave" with more appropriate names

relates: https://github.com/389ds/389-ds-base/issues/4656

Reviewed by: firstyear(Thanks!)

- - - - -
6fddab6d by Mark Reynolds at 2021-03-11T09:59:57-05:00
Issue 4656 - Make replication CLI backwards compatible with role name change

Description:  All replication role names to be backawards compatible with
              problematic language changes

relates: https://github.com/389ds/389-ds-base/issues/4656

Reviewed by: mreynolds

- - - - -
a6b7d062 by Mark Reynolds at 2021-03-15T23:35:24-04:00
Issue 4658 - monitor - connection start date is incorrect

Description:  The connection start time was incorrectly set to a
              MONTONIC time instead of a REALTIME.  This just sets
              the start time to REALTIME and the "idletimeout" to
              MONOTONIC as originally intended.

Relates: https://github.com/389ds/389-ds-base/issues/4658

Reviewed by: mreynolds (one line commit rule)

- - - - -
b190d1fb by Mark Reynolds at 2021-03-17T09:51:15-04:00
Issue 4229 - Fix Rust linking

Description:  Fixed a build problem related to:
                  - undefined reference to symbol
                  - error adding symbols: DSO missing from command line

Relates: https://github.com/389ds/389-ds-base/issues/4229

Reviewed by: mreynolds

- - - - -
8d081684 by Mark Reynolds at 2021-03-18T13:20:49-04:00
Issue 4671 - UI - Fix browser crashes

Description:  if schema attributes were missing x-origin it would crash the browser,
              and in Monitor -> Replication, if the replication agreement is in an
              odd state, and the lag was not computable, it could also crash the UI.

Relates: https://github.com/389ds/389-ds-base/issues/4671

Reviewed by: mreynolds (one line commit rule)

- - - - -
37dc9567 by Thierry Bordaz at 2021-03-19T14:02:36+01:00
Bump version to 1.4.4.14

- - - - -
2cda79bc by Mark Reynolds at 2021-03-29T15:21:49-04:00
Issue 4706 - negative wtime in access log for CMP operations

Description:  We forgot to set the start time for compare operations,
              this led to invalid values in the access log for optime
              and wtime.

relates: https://github.com/389ds/389-ds-base/issues/4706

Reviewed by: mreynolds (one line commit ruile)

- - - - -
67177489 by Mark Reynolds at 2021-03-29T21:05:00-04:00
Issue 2736 - https://github.com/389ds/389-ds-base/issues/2736

Description:  Adjust perl and python scripts shebangs for be absolute values

relates: https://github.com/389ds/389-ds-base/issues/2736

Reviewed by: firstyear(Thanks!)

- - - - -
be2e6636 by tbordaz at 2021-04-02T14:10:00+02:00
Issue 4700 - Regression in winsync replication agreement (#4712)

Bug description:
	#4396 fixes a memory leak but did not set 'cn=config' as
	DSE backend.
	It had no signicant impact unless with sidgen IPA plugin

Fix description:
	revert the portion of the #4364 patch that set be_suffix
	in be_addsuffix, free the suffix before setting it

relates: https://github.com/389ds/389-ds-base/issues/4700

Reviewed by: Pierre Rogier (thanks !)

Platforms tested: F33
- - - - -
f4b03055 by Thierry Bordaz at 2021-04-06T11:45:21+02:00
Bump version to 1.4.4.15

- - - - -
718b4537 by Mark Reynolds at 2021-04-13T08:46:26-04:00
Issue 4577 - Fix ASAN flags in specfile

Description:  Previously Rust and ASAN did not work together and we
              had to add special conditions in the specfile file to
              avoid the conflict.  These checks are no longer needed
              and should be removed.

relates: https://github.com/389ds/389-ds-base/issues/4577

Author: vashirov at redhat.com - Thanks!

Reviewed by: mreynolds

- - - - -
91c1c4d0 by Firstyear at 2021-04-16T11:25:08+10:00
Issue 4637 - ndn cache leak (#4724)

Bug Description: During the change of the ndn cache to rust a memory
leak was missed (probably due to asan with gcc and rust issues). This
is due to a behavioural change in how dn's were used in the original version.

Fix Description: Free the dn key since rust internally needs to clone
a copy so it can correctly free it.

This also improves the drop code in the rust, and allows environment
passthrough into startup so that external ASAN_OPTIONS can be set.

fixes: https://github.com/389ds/389-ds-base/issues/4637

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389

- - - - -
58dbf084 by tbordaz at 2021-04-27T09:39:57+02:00
Issue 4711 - SIGSEV with sync_repl (#4738)

Bug description:
	sync_repl sends back entries identified with a unique
	identifier that is 'nsuniqueid'. If 'nsuniqueid' is
	missing, then it may crash

Fix description:
	Check a nsuniqueid is available else returns OP_ERR

relates: https://github.com/389ds/389-ds-base/issues/4711

Reviewed by: Pierre Rogier, James Chapman, William Brown (Thanks!)

Platforms tested:  F33
- - - - -
6446fe27 by tbordaz at 2021-04-29T11:40:09+02:00
Issue 4667 - incorrect accounting of readers in vattr rwlock (#4732)

Bug description:
	The fix #2932 (Contention on virtual attribute lookup) reduced
	contention on vattr acquiring vattr lock at the operation
	level rather than at the attribute level (filter and
        returned attr).
        The fix #2932 is invalid. it can lead to deadlock scenario
	(3 threads). A vattr writer (new cos/schema) blocks
        an update thread that hold DB pages and later needs vattr.
	Then if a reader (holding vattr) blocks vattr writer and later
        needs the same DB pages, there is a deadlock.
	The decisions are:
		- revert #2932 (this issue)
		- Skip contention if deployement has no vattr #4678
		- reduce contention with new approaches
                  (COW and/or cache vattr struct in each thread)
		  no issue opened

Fix description:
	The fix reverts #2932

relates: https://github.com/389ds/389-ds-base/issues/4667

Reviewed by: William Brown, Simon Pichugin

Platforms tested:  F33

- - - - -
4ba0f07d by Mark Reynolds at 2021-04-30T08:43:08-04:00
Issue 4742 - UI - should always use LDAPI path when calling CLI

Bug Description:

In some places in the UI code we call dsconf like:

dsconf -j slapd-instance ...

Instead of:

dsconf -j "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket"

The problem is that if you setup the ".dsrc" file to use something other than LDAPI then the UI hangs.

Fix Description:

We need to always call the CLI using the LDAP socket.

Relates: https://github.com/389ds/389-ds-base/issues/4742

Reviewed by: spichugi(Thanks!)

- - - - -
e0cf8a9c by James Chapman at 2021-04-30T13:54:02+00:00
Issue 4701 - RFE - Exclude attributes from retro changelog (#4723)

Description: When the retro changelog plugin is enabled it writes the
             added/modified values to the "cn-changelog" suffix. In
             some cases an entries attribute values can be of a
             sensitive nature and should be excluded. This RFE adds
             functionality that will allow an admin exclude certain
             attributes from the retro changelog DB.

Relates: https://github.com/389ds/389-ds-base/issues/4701

Reviewed by: mreynolds389, droideck (Thanks folks)
- - - - -
70c3e9e7 by tbordaz at 2021-05-07T08:51:17+02:00
Issue 4759 - Fix coverity issue (#4760)

Bug description:
	with #4218 (wtime, optime in access log), hrtime is set in the
	operation. But it is done before checking if the operation is
	set. covscan fails

Fix description:
	move the setting after verification that operation != NULL

relates: https://github.com/389ds/389-ds-base/issues/4759

Reviewed by: Simon Pichugin

Platforms tested: F34
- - - - -
db47dfcb by tbordaz at 2021-05-12T14:33:33+02:00
Issue 4725 - [RFE] DS - Update the password policy to support a Temporary Password Rules (#4727)

Bug description:
	Enhance password policy to support registration password (Temporary Password Rules)
	design is  https://www.port389.org/docs/389ds/design/otp-password-policy.html

Fix description:
	The fix introduces new password policy configuration attributes
        (passwordTPR*) and entry (user) operational attributes (pwdTPR*).
	It supports Temporary Password Rules (fixed use count) and validity
        window (valid since-until).
	During bind it checks if the TPR limits are violated.
	During password update it computes and set
	operational attributed (pwdTPR*).

	Note: a previous version of the fix/design mentioned
	this feature as 'One Time Password'. This naming was confusing
        and the current version replace it with 'Temporary Password
        Rules' (aka TPR). If it remains some 'OTP' code/comments
        it is a mistake.

relates: https://github.com/389ds/389-ds-base/issues/4725

Reviewed by: William Brown (Thanks !!!)

Platforms tested: F33

- - - - -
56299aef by Mark Reynolds at 2021-05-17T09:24:51-04:00
Issue 4770 - Lower FIPS logging severity

Description:  If FIPS is not available on a system we log errors messages
              with the severity level of ERR, but it's not really an error
              so it should be changed to NOTICE.

relates: https://github.com/389ds/389-ds-base/issues/4770

Reviewed by: mreynolds (one line commit rule)

- - - - -
49a5f1c1 by Thierry Bordaz at 2021-05-17T17:24:03+02:00
Issue 4725 - Fix compiler warnings

- - - - -
66bbfee8 by tbordaz at 2021-05-18T12:29:29-04:00
Issue 4747 - Remove unstable/unstatus tests from PRCI (#4748)

Bug description:
	Some tests (17) in the tests suite (dirsrvtest/tests/suites)
	are failing although there is no regression.
	It needs (long) investigations to status if failures
	are due to a bug in the tests or in DS core.
	Until those investigations are completes, test suites
	loose a large part of its value to detect regression.
	Indeed those failing tests may hide a real regression.

Fix description:
	Flag failing tests with pytest.mark.flaky(max_runs=2, min_passes=1)
	Additional action will be to create upstream 17 ticket to
	status on each failing tests

relates: https://github.com/389ds/389-ds-base/issues/4747

Reviewed by: Simon Pichugin, Viktor Ashirov (many thanks for your
reviews and help)

Platforms tested: F33

- - - - -
e3104967 by Mark Reynolds at 2021-05-19T12:19:15-04:00
Issue 3555 - Fix UI audit issue

Description:  This does not fix all the audit errors because we need
              to get off of patternfly 3 first, but this does address
              a critical vulnerability and several high vulnerabilities.

relates: #3555

Reviewed by: mreynolds

- - - - -
a80d6770 by Mark Reynolds at 2021-05-21T13:11:25-04:00
Issue 4773 - Enable interval feature of DNA plugin

Description:  Enable the dormant interval feature in DNA plugin

relates: https://github.com/389ds/389-ds-base/issues/4773

Review by: mreynolds (one line commit rule)

- - - - -
50606d85 by MIZUTA Takeshi at 2021-05-25T11:17:28-04:00
Issue 4781 - There are some typos in man-pages

Description: Fixed the following man-page typo.
- dbscan(1)
- ldclt(1)
- rsearch(1)
- 99user.ldif(5)
- dirsrv.systemd(5)

relates: https://github.com/389ds/389-ds-base/issues/4781

- - - - -
bba519cc by Simon Pichugin at 2021-05-26T13:39:34+02:00
Issue 4623 - RFE - Monitor the current DB locks (#4762)

Description: DB lock gets exhausted because of unindexed internal searches
(under a transaction). Indexing those searches is the way to prevent exhaustion.
If db lock get exhausted during a txn, it leads to db panic and the later recovery
can possibly fail. That leads to a full reinit of the instance where the db locks
got exhausted.

Add three attributes to global BDB config: "nsslapd-db-locks-monitoring-enabled",
 "nsslapd-db-locks-monitoring-threshold" and "nsslapd-db-locks-monitoring-pause".
By default, nsslapd-db-locks-monitoring-enabled is turned on, nsslapd-db-locks-monitoring-threshold is set to 90% and nsslapd-db-locks-monitoring-threshold is 500ms.

When current locks are close to the maximum locks value of 90% - returning
the next candidate will fail until the maximum of locks won't be
increased or current locks are released.
The monitoring thread runs with the configurable interval of 500ms.

Add the setting to UI and CLI tools.

Fixes: https://github.com/389ds/389-ds-base/issues/4623

Reviewed by: @Firstyear, @tbordaz, @jchapma, @mreynolds389 (Thank you!!)

- - - - -
407a9ebe by progier389 at 2021-05-26T16:22:41+02:00
Issue 4764 - replicated operation sometime checks ACI (#4783)

(cherry picked from commit 0cfdea7abcacfca6686a6cf84dbf7ae1167f3022)

- - - - -
7b583470 by Mark Reynolds at 2021-05-28T13:47:17-04:00
Issue 4778 - RFE - Allow setting TOD for db compaction and add task

Description:  Since database compaction can be costly it should be allowed
              to set a time to execute it during offpeak hours.  Once the
              compaction interval has been met, it will wait for the configured
              time of day to do the compaction.  The default is just before
              midnight: 23:59

              A task was also created that can run compaction on demand,
              and can also just target the replication changelog.  This could
              be used in conjunction with a cronjob for more complex
              execution patterns.

ASAN tested and approved.

relates: https://github.com/389ds/389-ds-base/issues/4778

Reviewed by: spichugi(Thanks!)

- - - - -
23c28c2f by Mark Reynolds at 2021-05-30T11:15:00-04:00
Issue 4719 - lib389 - fix dsconf passthrough auth bugs

Description:  This fixes issues with pass through auth subtree validation
              and other fixes with adding/editting URLs and nslapd-pluginarg
              attributes

Relates: https://github.com/389ds/389-ds-base/issues/4719

Reviewed by: spichugi(Thanks!)

- - - - -
f835ad25 by Mark Reynolds at 2021-05-30T11:27:33-04:00
Update npm packages

- - - - -
3d31c6c7 by Mark Reynolds at 2021-05-30T11:28:15-04:00
Bump version to 1.4.4.16

- - - - -


10 changed files:

- + .github/workflows/pytest.yml
- Makefile.am
- VERSION.sh
- dirsrvtests/create_test.py
- dirsrvtests/tests/data/openldap_2_389/4539/slapd.d/cn=config/cn=schema.ldif
- dirsrvtests/tests/longduration/automembers_long_test.py
- dirsrvtests/tests/stress/README
- dirsrvtests/tests/stress/reliabilty/reliab_7_5_test.py
- dirsrvtests/tests/stress/replication/mmr_01_4m-2h-4c_test.py
- dirsrvtests/tests/stress/replication/mmr_01_4m_test.py


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/16e40086928e66f78027fad202308a83334a46e7...3d31c6c717391d45a7e85492209ee8fcde7dfe3b

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/16e40086928e66f78027fad202308a83334a46e7...3d31c6c717391d45a7e85492209ee8fcde7dfe3b
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20210816/8e9222d9/attachment-0001.htm>


More information about the Pkg-freeipa-devel mailing list