[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master-next] 35 commits: Issue 4916 - Memory leak in ldap-agent

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Dec 15 18:56:05 GMT 2021

Timo Aaltonen pushed to branch master-next at FreeIPA packaging / 389-ds-base

54d7cc78 by Viktor Ashirov at 2021-09-22T00:07:23+02:00
Issue 4916 - Memory leak in ldap-agent

Fix a minor memory leak in ldap-agent to make AddressSanitizer happy.

Fixes: https://github.com/389ds/389-ds-base/issues/4916

Reviewed by: @mreynolds389, @Firstyear (Thanks!)

- - - - -
c661024b by tbordaz at 2021-09-23T09:49:40-04:00
Issue 4925 - Performance ACI: targetfilter evaluation result can be reused (#4926)

Bug description:
	An ACI may contain targetfilter. For a given returned entry, of a
        SRCH request, the same targetfilter is evaluated for each of the
        returned attributes.
        Once the filter has been evaluated, it is useless to reevaluate
        it for a next attribute.

Fix description:
	The fix implements a very simple cache (linked list) that keeps
        the results of the previously evaluated 'targetfilter'.
        This cache is per-entry. For an operation, an aclpb is allocated
        that is used to evaluate ACIs against each successive entry.
        Each time a candidate entry is added in the aclpb
        (acl_access_allowed), the cache (aclpb_curr_entry_targetfilters)
        is freed. Then for each 'targetfilter', the original targetfilter
        is looked up in the cache. If this is the first evaluation of it
        then the result of the evaluation is stored into the cache using
        the original targetfilter as the key in the cache.

	The key to lookup/store the cache is the string representation
        of the targetfilter. The string contains a redzone to detect
        that the filter exceeds the maximum size (2K). If it exceeds
        then the key is invalid and the lookup/store is noop.

relates: #4925

Reviewed by: Mark Reynolds, William Brown (Thanks)

Platforms tested: F34
- - - - -
cdd354c9 by Mark Reynolds at 2021-09-27T13:07:20-04:00
Issue 4513 - fix ACI CI tests involving ip/hostname rules

Description:  Fix tests that use ACIs with ip/hostname rules. Harden
              the dscreate and dsctl acceptance tests, and fix some
              flakiness in the sync repl test, and filter schema

              Also updated the doxy file and fixed some compiler warnings

relates: https://github.com/389ds/389-ds-base/issues/4513

Reviewed by: spichugi & tbordaz(Thanks!!)

(cherry picked from commit 2a9df10303c4902a816a64b805448f31380a2728)

- - - - -
121e27a4 by Firstyear at 2021-09-30T11:51:23+10:00
Issue 4847 - BUG - potential deadlock in replica (#4936)

Bug Description: There was an incorrect double lock in

Fix Description: Replace the incorrect lock with an unlock.

fixes: https://github.com/389ds/389-ds-base/issues/4847

Author: jenny <@jenny-cheung>

Review by: @firstyear @droideck

Co-authored-by: jenny <84835889+jenny-cheung at users.noreply.github.com>
- - - - -
2cd65b47 by James Chapman at 2021-10-07T15:04:06+00:00
Issue 4921 - logconv.pl -j: Use of uninitialized value (#4922)

Description: When logconv.pl is run with the recommendations flag
it generates an uninitialized value error.

Fixed this and did some tidy up.

Fixes: https://github.com/389ds/389-ds-base/issues/4921

Reviewed by: @progier389  (Thank you)
- - - - -
9ea04db9 by Viktor Ashirov at 2021-10-11T09:13:49+02:00
Issue 4938 - max_failure_count can be reached in dscontainer on slow machine with missing debug exception trace

Bug Description:
On a very slow machine max_failure_count can be reached too soon. For
troubleshooting and diagnostics this parameter should be configurable.

Fix Description:
Introduce a new env variable DS_STARTUP_TIMEOUT that accepts a number in
seconds. By default it is 60.
Log a traceback when we reach the timeout.

Fixes: https://github.com/389ds/389-ds-base/issues/4938

Reviewed by: @Firstyear (Thanks!)

- - - - -
173194e5 by Mark Reynolds at 2021-10-18T15:00:27-04:00
Issue 4299 - Merge LDAP editor code into Cockpit UI

Description: Merging parts of Têko Mihinto <tmihinto at redhat.com> LDAP
editor into the Cockpit UI.  Some of it is functional, but there is
still much more work to be done.

relates: https://github.com/389ds/389-ds-base/issues/4299

Reviewed by: spichugi(Thanks!)

- - - - -
c0623e95 by Mark Reynolds at 2021-10-19T08:51:20-04:00
Bump github container shm size to 4 gigs

- - - - -
bf128397 by Mark Reynolds at 2021-10-19T09:27:14-04:00
Issue 2790 - Set db home directory by default

Description:  The selinux rules (selinux-policy-3.14.3-79)
              have been updated to support /dev/shm/slapd-INST

Relates: https://github.com/389ds/389-ds-base/issues/2790

Reviewed by: firstyear(Thanks!)

- - - - -
6467ea5c by progier389 at 2021-10-26T10:38:00+02:00
Issue 4943 - Fix csn generator to limit time skew drift (#4946)

* Issue 4943 - Fix csn generator to limit time skew drift

(cherry picked from commit cbfccd67e0ad0900f5307c565f8b32cbfdda5223)

- - - - -
b0d06615 by Simon Pichugin at 2021-10-26T17:08:43-07:00
Issue 3584 - Fix PBKDF2_SHA256 hashing in FIPS mode (#4949)

Issue Description: Use PK11_Decrypt function to get hash data
because PK11_ExtractKeyValue function is forbidden in FIPS mode.
We can't extract keys while in FIPS mode. But we use PK11_ExtractKeyValue
for hashes, and it's not forbidden.

We can't use OpenSSL's PBKDF2-SHA256 implementation right now because
we need to support an upgrade procedure while in FIPS mode (update
hash on bind). For that, we should fix existing PBKDF2 usage, and we can
switch to OpenSSL's PBKDF2-SHA256 in the following versions.

Fix Description: Use PK11_Decrypt function to get the data.

Enable TLS on all CI test topologies while in FIPS because without
that we don't set up the NSS database correctly.

Add PBKDF2-SHA256 (OpenSSL) to ldif templates, so the password scheme is
discoverable by internal functions.


Reviewed by: @progier389, @mreynolds389, @Firstyear, @tbordaz (Thanks!!)

- - - - -
0e5a5c52 by Mark Reynolds at 2021-10-27T20:36:49-04:00
Issue 4962 - Fix various UI bugs part 1

Fix Description:

Bug 2016022 - Cockpit UI: UI is incorrectly saying "Create the Sub Suffix entry"
Bug 2015951 - Cockpit UI: Database tab ---> Export Database/replicaton
Bug 2015221 - Cockpit UI: UX Bugs Server Settings ->Tuning and Limits
Bug 2015139 - Configuration for Import Cache Settings is not saved
Bug 2015127 - No message when configuring Global Database Configuration
Bug 2014924 - Cockpit UI: UX Bugs and other cockpit GUI related defects

relates: https://github.com/389ds/389-ds-base/issues/4962

Reviewed by: spichugi & jchapman (Thanks!!)

- - - - -
36af8a01 by Mark Reynolds at 2021-10-28T08:26:35-04:00
Issue 4731 - Promoting/demoting a replica can crash the server

Bug Description:  The server will crash if you demote a
                  supplier with no changelog.

Fix Description:  Check if the changelog pointer is NULL before
                  dereferencing it

relates: https://github.com/389ds/389-ds-base/issues/4731

Reviewed by: spichugi & firstyear (Thanks!!)

- - - - -
9e9ef0f3 by Mark Reynolds at 2021-10-28T14:46:46-04:00
Issue 4956 - Automember allows invalid regex, and does not log proper error

Bug Description:  The server was detecting an invalid automember
                  regex, but it did not reject it, and it did not
                  log which regex rule was invalid.

Fix Description:  Properly rejecting the invalid regex will also
                  trigger the proper error logging to occur.

relates: https://github.com/389ds/389-ds-base/issues/4956

Reviewed by: tbordaz & spichugi(Thanks!!)

- - - - -
5f05bc7a by Mark Reynolds at 2021-10-28T14:55:16-04:00
Issue 4092 - systemd-tmpfiles warnings

Bug Description:

systemd-tmpfiles warns about legacy paths in our tmpfiles configs.
Using /var/run also introduces a race condition, see the following
issue https://pagure.io/389-ds-base/issue/47429

Fix Description:

Instead of using @localstatedir@/run use @localrundir@ which was
introduced in #850.

Relates: https://github.com/389ds/389-ds-base/issues/766
Fixes: https://github.com/389ds/389-ds-base/issues/4092

Reviewed by: vashirov & firstyear(Thanks!)

- - - - -
c30ebb57 by Mark Reynolds at 2021-11-01T14:08:32-04:00
Issue 4973 - installer changes permissions on /run

Description:  There was a regression when we switched over to using /run
              that caused the installer to try and create /run which
              caused the ownership to change.  Fixed this by changing
              the "run_dir" to /run/dirsrv

relates: https://github.com/389ds/389-ds-base/issues/4973

Reviewed by: jchapman(Thanks!)

- - - - -
769e591b by Simon Pichugin at 2021-11-01T12:09:10-07:00
Issue 4962 - Fix various UI bugs - Plugins (#4969)


Bug 1816526 - restart instance after plugin enabled/disabled should depend on 'nsslapd-dynamic-plugins' status
Bug 2011183 - Retro Changelog plugin - saving any configuration is stuck in loading
Bug 2011187 - Posix Winsync Plugin - configuration is not saved
Bug 2011188 - DNA plugin fails to be enabled
Bug 2011751 - Referential Integrity Plugin - unable to save changes
Bug 2011767 - RootDN Access Control Plugin - configuration stuck and a wrong message is displayed
Bug 2011814 - Account Policy Plugin - configuration failing with error

relates: #4962

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
a123c215 by Mark Reynolds at 2021-11-02T10:46:54-04:00
Issue 4973 - update snmp to use /run/dirsrv for PID file

Description:  Previously SNMP would write the agent PID file directly
              under /run (or /var/run), but this broke a CI test after
              updating lib389/defaults.inf to use /run/dirsrv.

              Instead of hacking the CI test, I changed the path
              snmp uses to:  /run/dirsrv/  Which is where it
              should really be written anyway.

relates: https://github.com/389ds/389-ds-base/issues/4973

Reviewed by: vashirov(Thanks!)

- - - - -
b0e890bf by Viktor Ashirov at 2021-11-03T12:17:03+01:00
Issue 4976 - Failure in suites/import/import_test.py::test_fast_slow_import

Bug Description:
Previous change 6b10f1795f52395aa46d48a6f0428d126b35a90d had a wrong
assumption that total_time1 and total_time2 have a very insignificant
difference in case nsslapd-db-private-import-mem is set to 'off'.
In reality it is insignificant only on a smaller number of entries.
A recent change in libdb exposed this wrong assumption. With this change
__db.00* files get the maximum size in advance, instead of expanding
them when needed.

Fix Description:
Revert 6b10f1795f52395aa46d48a6f0428d126b35a90d.

Fixes: https://github.com/389ds/389-ds-base/issues/4976

Reviewed by: @mreynolds389, @droideck (Thanks!)

- - - - -
b1efe0d4 by Mark Reynolds at 2021-11-03T08:56:11-04:00
Issue 4978 - make installer robust

Description:  When run in a container the server can fail to start
              because the installer sets the db_home_dir to /dev/shm,
              but in containers the default size of /dev/shm is too
              small for libdb. We should detect if we are in a
              container and not set db_home_dir to /dev/shm.

              During instance removal, if an instance was not properly
              created then it can not be removed either. Make the
              uninstall more robust to accept some errors and continue
              removing the instance.

relates: https://github.com/389ds/389-ds-base/issues/4978

Reviewed by: firstyear & tbordaz(Thanks!)

- - - - -
7570259a by tbordaz at 2021-11-05T09:59:47+01:00
Issue 4972 - gecos with IA5 introduces a compatibility issue with previous (#4981)

releases where it was DirectoryString

Bug description:
       For years 'gecos' was DirectoryString (UTF8), with #50933 it was restricted to IA5 (ascii)

       IA5 definition conforms rfc2307 but is a problem for existing deployments
       where entries can have 'gecos' attribute value with UTF8.

Fix description:
       Revert the definition of 'gecos' to being Directory String

       Additional fix to make test_replica_backup_and_restore more
       robust to CI

relates: https://github.com/389ds/389-ds-base/issues/4972

Reviewed by: William Brown, Pierre Rogier, James Chapman (Thanks !)

Platforms tested: F34
- - - - -
608d4b37 by tbordaz at 2021-11-05T16:37:42+01:00
Issue 4678 - RFE automatic disable of virtual attribute checking (#4918)

Bug description:
	Virtual attributes are configured via Roles or COS definitions
        and registered during initialization of those plugins.
	Virtual attributes are processed during search evaluation of
	filter and returned attributes. This processing is expensive
	and prone to create contention between searches.
	Use of virtual attributes is not frequent. So many of the
	deployments process virtual attributes even if there are none.

Fix description:
	The fix configures the server to ignore virtual attributes by
        default (nsslapd-ignore-virtual-attrs: on).
        At startup, if a new virtual attribute is registered or
        there exist Roles/COS definitions, then the server is
	configured to process the virtual attributes
        (nsslapd-ignore-virtual-attrs: off)
        design: https://www.port389.org/docs/389ds/design/vattr-automatic-toggle.html

relates: https://github.com/389ds/389-ds-base/issues/4678

Reviewed by: William Brown, Simon Pichugin, Mark Reynolds (Thanks !!)

Platforms tested: F34
- - - - -
33c85c56 by Mark Reynolds at 2021-11-10T08:57:50-05:00
Issue 4978 - use more portable python command for checking containers

Description:  During the installation check for containers use arguments
              for subprocess.run() that work on all versions of python

relates: https://github.com/389ds/389-ds-base/issues/4978

Reviewed by: mreynolds(one line commit rule)

- - - - -
f53793d3 by Simon Pichugin at 2021-11-12T10:45:23-08:00
Issue 4962 - Fix various UI bugs - dsctl and ciphers (#5000)

Description: Don't start/stop instance if it's already started/stopped.
Add JSON error output to the basic CLI tool's operations.
Fix Ciphers Tab behaviour so it's aligned with the documentation and the
core functionality.

Relates: https://github.com/389ds/389-ds-base/issues/4962

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
8a2b4c7d by Mark Reynolds at 2021-11-15T16:43:02-05:00
Issue 5001 - Fix next round of UI bugs:


Addressing a series of bugs found by QE:

Bug 2016526 - LDAPI & Autobind save btn misbehaving
Bug 2016481 - Disabling Security leaves the pop-up window open
Bug 2016026 - Selecting existing certificate in Security Configuration crashes browser
Bug 2017402 - Adding several allowed SASL mechanisms does not behave correctly
Bug 2017411 - cockpit crashes because invalid SASL mapping regex was saved
Bug 2022117 - Cockpit UI: Editing an Objectclass name causes an error in Cockpit UI
Bug 2021194 - Searching "matching rules" in the "Schema" Tab crashes browser
Bug 2021591 - cockpit : audit and audit failure log enablement status is not persistent

relates: https://github.com/389ds/389-ds-base/issues/5001

Reviewed by: tbordaz & spichugi(Thanks!!)

- - - - -
172dd04e by spike at 2021-11-16T09:09:49-05:00
Issue 4959 - Invalid /etc/hosts setup can cause isLocalHost to fail.

Description: Use local_simple_allocate in dsctl so that isLocal is always set properly

Relates: https://github.com/389ds/389-ds-base/issues/4959

Reviewed by: @droideck (Thanks!)

- - - - -
a69bd611 by Mark Reynolds at 2021-11-16T11:49:26-05:00
Issue 5001 - Update CI test for new availableSASLMechs attribute

Description:  Issue 5001 added a new attribute to the root dse, but
              a CI test was not updated for the new attribute.

relates: https://github.com/389ds/389-ds-base/issues/5001

Reviewed by: mreynolds (one line commit rule)

- - - - -
f974ec39 by Mark Reynolds at 2021-11-17T15:37:59-05:00
Issue 5006 - UI - LDAP editor tree not being properly updated

Description:  Deleting an entry was the tree view did not update the
              treeview.  Updates to table view were also not seen
              in the tree view.  The views should now be in synch

              Also, replaced some console logging with our "log_cmd"
              function in the editor utils file.

relates: https://github.com/389ds/389-ds-base/issues/5006

Reviewed by: spichugi(Thanks!)

- - - - -
64a521f4 by Timo Aaltonen at 2021-11-18T15:56:43+02:00
Override some lintian errors.

- - - - -
18a12749 by Mark Reynolds at 2021-11-21T17:48:37-05:00
Issue 5014 - UI - Add group creation to LDAP editor

Description:  Added group creation to LDAP editor via the "New ..."
              menu option

relates: https://github.com/389ds/389-ds-base/issues/5014

Reviewed by: spichugi(Thanks!)

- - - - -
a033e026 by Simon Pichugin at 2021-11-22T19:39:33-05:00
Issue 4962 - Fix various UI bugs - Settings and Monitor (#5016)


Bug 2014924 - Cockpit UI: UX Bugs and other cockpit GUI related defects
Bug 2017441 - cockpit : Export changelog allows to check both 'Export to LDIF For Debugging' options but only takes one into account
Bug 2018101 - cockpit : impossible to create credentials or aliases for replication monitoring synchronization report
Bug 2021250 - cockpit : logging setting entered values for rotation and deletion policies should be checked
Bug 2021278 - Cockpit UI: Unable to Edit Attributes without first searching for the attribute to edit

Related: https://github.com/389ds/389-ds-base/issues/5001

Reviewed by: @mreynolds389 (Thanks!!)
- - - - -
237913e8 by Mark Reynolds at 2021-11-22T19:44:39-05:00
Bump version to 2.0.11

- - - - -
5952e984 by Timo Aaltonen at 2021-12-15T20:48:24+02:00
Merge branch 'upstream' into master-next

- - - - -
2df23cf9 by Timo Aaltonen at 2021-12-15T20:48:54+02:00
bump the version

- - - - -
9f06adbb by Timo Aaltonen at 2021-12-15T20:49:48+02:00
watch: Update the url.

- - - - -

30 changed files:

- .github/workflows/pytest.yml
- Makefile.am
- configure.ac
- + debian/389-ds-base-libs.lintian-overrides
- debian/389-ds-base.lintian-overrides
- debian/changelog
- debian/watch
- dirsrvtests/conftest.py
- dirsrvtests/tests/suites/acl/keywords_part2_test.py
- dirsrvtests/tests/suites/automember_plugin/configuration_test.py
- dirsrvtests/tests/suites/basic/basic_test.py
- dirsrvtests/tests/suites/clu/dsctl_acceptance_test.py
- dirsrvtests/tests/suites/config/config_test.py
- dirsrvtests/tests/suites/cos/cos_test.py
- dirsrvtests/tests/suites/filter/rfc3673_all_oper_attrs_test.py
- dirsrvtests/tests/suites/filter/schema_validation_test.py
- dirsrvtests/tests/suites/healthcheck/health_security_test.py
- dirsrvtests/tests/suites/import/import_test.py
- dirsrvtests/tests/suites/paged_results/paged_results_test.py
- + dirsrvtests/tests/suites/replication/promote_demote_test.py
- dirsrvtests/tests/suites/roles/basic_test.py
- dirsrvtests/tests/suites/schema/schema_test.py
- dirsrvtests/tests/suites/setup_ds/dscreate_test.py
- dirsrvtests/tests/suites/syncrepl_plugin/__init__.py
- dirsrvtests/tests/suites/syncrepl_plugin/openldap_test.py
- docs/slapi.doxy.in
- include/base/util.h
- ldap/admin/src/defaults.inf.in
- ldap/admin/src/logconv.pl

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/f405c03ccc2655b252eefd17f3c287878bf3b40a...9f06adbba1ef5c9e7cbd663e1bb4ef1bfc012090
