[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master] 33 commits: Issue 5103 - UI - Add support for TPR to web console (#5111)

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Apr 13 12:12:23 BST 2022

Timo Aaltonen pushed to branch master at FreeIPA packaging / 389-ds-base

4b8fed2a by James Chapman at 2022-02-01T08:30:41-05:00
Issue 5103 - UI - Add support for TPR to web console (#5111)

Description: A user can modify Temporary Password Rules password policy
via the CLI. Add similar functionality to the web console.

Fixes: https://github.com/389ds/389-ds-base/issues/5103
Reviewed by: @mreynolds389  (Thank you)
- - - - -
e98605db by Mark Reynolds at 2022-02-01T08:31:45-05:00
Issue 4299 - UI - fix minor issues with ldap editor

Description:  Improved how treeview handles loading subtrees with large
number of entries.  Previously, the parent entry would not be
displayed while loading its child entries, and if a timeout occurred
then the parent entry would not be loading in the UI, and you could not
do or see anything with it.

Also added a pop modal when an error occurs when searching the database,
or the size limit is exceeded.

relates: https://github.com/389ds/389-ds-base/issues/4299

Reviewed by: spichugi(Thanks!)

- - - - -
c9226ad9 by Mark Reynolds at 2022-02-01T17:35:34-05:00
Issue 4299 - UI - fix minor issues with ldap editor (table view)


Improve the react handling of the table view while searching is going
on.  Also adjusted the default size limit to 2000.  The search was also
not doing any notifications if an error happened.

relates: https://github.com/389ds/389-ds-base/issues/4299

Reviewed by: spichugi(Thanks!)

- - - - -
d3665855 by Mark Reynolds at 2022-02-03T16:32:32-05:00
Issue 5142 - CLI - dsctl dbgen is broken


Changes to dsctl broke dbgen which requires instance.userid to
set the permissions of the ldif file. It occurred when we added:
local_simple_allocate(). The fix is to add userid in this allocate

relates: https://github.com/389ds/389-ds-base/issues/5142

Reviewed by: progier(Thanks!)

- - - - -
ba086c9a by Firstyear at 2022-02-03T16:48:50-05:00
Issue 4775 - Add entryuuid CLI and Fixup (#4776)

Bug Description: EntryUUID when added was missing its CLI
and helpers for fixups.

Fix Description: Add the CLI elements.

fixes: https://github.com/389ds/389-ds-base/issues/4775

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 (thanks!)

- - - - -
4de1c08f by progier389 at 2022-02-04T20:36:45+01:00
Issue 5050 - bdb bulk op fails if fs page size > 8K (#5150)

(cherry picked from commit db699306809cfe74926e469a30eab9b6d68645bb)

- - - - -
e13faa2b by Simon Pichugin at 2022-02-15T10:52:15-08:00
Issue 4299 - UI - Add Role functionality (#5163)

Description:  Add Role management features to UI.
Improve CLI role functionality.

Relates: https://github.com/389ds/389-ds-base/issues/4299

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
5716a22c by Mark Reynolds at 2022-02-16T16:27:11-05:00
Issue 5155 - RFE - Provide an option to abort an Auto Member rebuild task

Description:  Add an abort task for the automember rebuild task.  There
are cases where IPA can start spinning up schema compat search during
the rebuild which can bog down an entire system.  If this happens the
task can be aborted to prevent an outage.

The transaction for the entire task was also removed since it isn't
really needed for a fixup task.

Also found that in cleanAllRUV we were trying to write to the task entry
in the task add callback function (which is too early to start updating
the task and triggers error 32 messages in the errors log).  So that
was fixed as well.

relates: https://github.com/389ds/389-ds-base/issues/5155

Reviewed by: progier, tbordaz, spichugi (Thanks!!!)

- - - - -
23f1ba21 by Mark Reynolds at 2022-02-16T17:45:44-05:00
Issue 4721 - UI - attribute uniqueness crashes UI when there are no configs


The UI crashes if there are no attribute uniqueness configurations.  So
improved the robustness for plugins that only exist as separate config
entries (currently just attribute uniqueness).  Did some other plugin
cleanup with action menus and spacing.

relates: https://github.com/389ds/389-ds-base/issues/4721

Reviewed by: spichugi(Thanks!)

- - - - -
325e8abc by Mark Reynolds at 2022-02-17T09:10:25-05:00
Issue 5145 - Fix covscan errors

Description: Fix latest covscan errors on latest 389-ds-base-2.0

Resource leaks:

    csngen_multi_suppliers_test() -> csn & last_csn are not properly handled
    ids_sasl_listmech() -> leaks config_ret

Copy & Paste:
    referentialIntegrity.jsx -> copy & paste error with component name (harmless)

Null Dereference:

    acl_ext.c -> aclpb is dereferenced on allocation error

Use After Free

    pam_ptimpl.c -> do_one_pam_auth() happens on pam_end() error

relates: https://github.com/389ds/389-ds-base/issues/5145

Reviewed by: firstyear(Thanks!)

- - - - -
a98d5ad6 by Firstyear at 2022-02-22T10:16:10+10:00
Issue 5137 - RFE - improve sssd conf output (#5138)

Bug Description: In the case the dsrc contained an ldapi
uri, this could cause sssd.conf if redirected to not
start as the "WARNING" was not commented

Fix Description: Move the warning into the sssd.conf as
generated, and comment it.

fixes: https://github.com/389ds/389-ds-base/issues/5137

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 
- - - - -
d04ffd4b by Firstyear at 2022-02-22T10:16:17+10:00
Issue 5102 - BUG - container may fail with bare uid/gid (#5140)

Bug Description: Containers may fail to start with bare
uid/gid. This also impacted setup of the instance due
to attempting to chown the volume root. They may also fail
to start if systemd-detect-virt is present but you are
NOT using systemd in the container as well.

Fix Description: This is resolved in the dockerfile through
the addition of nss_synth. For resolving the volume
issue we skip chown of the db_dir parent during setup. If we
know we are in a container, we skip the detect virt check.

fixes: https://github.com/389ds/389-ds-base/issues/5102

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 
- - - - -
2e04f368 by progier389 at 2022-02-22T10:59:16-05:00
Issue 5098 - Multiple issues around replication and CI test test_online_reinit_may_hang (#5109)

- - - - -
f50637ae by Firstyear at 2022-02-23T10:23:26+10:00
Issue 5160 - BUG - x- prefix in descr-oid can confuse oid parser (#5161)

Bug Description: Attributes and objectclasses with an x- prefix to their
name such as x-attribute or x-object can confuse the schema parser as it
is ambiguous if the term is a descr-oid or an x- field.

Fix Description: Improve our oid schema parse check to specifically warn
about this case, and improve the migration tool to pre-alert the user
that the schema value they want to migrate is not valid for 389.

fixes: https://github.com/389ds/389-ds-base/issues/5160

Author: William Brown <william at blackhats.net.au>

Review by: @tbordaz @droideck 
- - - - -
f969fd93 by progier389 at 2022-02-25T17:36:38+01:00
Issue 5122 - dsconf instance backend suffix set doesn't accept backend name (#5178)

(cherry picked from commit b527b34545927364521e1450687272edec191d95)

- - - - -
bdeeca56 by MIZUTA Takeshi at 2022-03-03T10:24:03+10:00
Issue 5048 - Support for nsslapd-tcp-fin-timeout and nsslapd-tcp-keepalive-time (#5179)

Installing 389-ds modifies system parameters by 70-dirsrv.conf.
"net.ipv4.tcp_fin_timeout" and "net.ipv4.tcp_keepalive_time" can be set for
389-ds sockets using setsockopt(). System parameters should not be changed
as much as possible and should only be applied to 389-ds sockets.

Fix Description:
To set parameters for 389-ds sockets, following two attributes have been added.
- nsslapd-tcp-fin-timeout
- nsslapd-tcp-keepalive-time
"net.ipv4.tcp_fin_timeout" and "net.ipv4.tcp_keepalive_time" of 70-dirsrv.conf
are no longer needed.

Relates: https://github.com/389ds/389-ds-base/issues/5048

Reviewed by: Firstyear, mreynolds389 (Thanks!)
- - - - -
9f410afa by Mark Reynolds at 2022-03-02T20:57:24-05:00
Issue 5186 - UI - Fix SASL Mapping regex validation and other minor


- replaced deprecated "isHoverable" with "isSelectable" for Cards.
- Revised logging save btn enablement
- Fixed entry dropdown toggling
- ACI editor improved Bind Rule modal (searching and form layout)
- Improve SASL mapping modal validation
- Improved LDAP editor result alerts to include spinner and more
  friendly result messages

relates: https://github.com/389ds/389-ds-base/issues/5186

Reviewed by: spichugi(Thanks!)

- - - - -
11adb34d by Firstyear at 2022-03-04T09:46:14+10:00
Issue 5162 - BUG - error on importing chain files (#5164)

Bug Description: Nss can't import pem chain files which can
confuse users why they have missing certificates when they try
to import a chain.

Fix Description: Error out on chain files in any of the import
paths since they are ambiguous.

fixes: https://github.com/389ds/389-ds-base/issues/5162

Author: William Brown <william at blackhats.net.au>

Review by: @droideck 
- - - - -
1f6646d7 by Mark Reynolds at 2022-03-04T09:45:46-05:00
Issue 5184 - memberOf does not work correctly with multiple include scopes

Bug Description:

MemberOf Plugin only looks at the first include scope, and the rest are
ignored. So if multiple "memberOfEntryScope" attributes are set then the
plugin will not work as expected.

Fix Description:

The fix is to read all the memberOfEntryScope attributes and update the
group cache.

relates: https://github.com/389ds/389-ds-base/issues/5184

Reviewed by: tbordaz(Thanks!)

- - - - -
3de6dda1 by Mark Reynolds at 2022-03-07T18:09:07-05:00
Issue 5188 - UI - LDAP editor - add entry and group types

Bug Description:

Previously the UI would create entries that had very few
objectclasses, and they did not match the entries created by dsidm.
This causes issues with the default aci's we add to a suffix.

Fix Description:

Added "types" of entries/accounts:  Basic, Posix, and
Service.  Each one using its own set of objectclasses.  For groups I
added: Basic and Posix

relates: https://github.com/389ds/389-ds-base/issues/5188

Reviewed by: jchapman, spichugi, tmihinto (Thanks!!!)

- - - - -
a0d1658c by Mark Reynolds at 2022-03-10T13:35:59-05:00
Issue 5189 - memberOf plugin exclude subtree not cleaning up groups on modrdn

Bug Description:

If MO plugin is configured to exclude membership to certain subtrees
then when a member is moved (moddn) to the "excluded" subtree the group
still maintains the member/uniquemember attribute.

Fix Description:

After modrdn if the user is out of scope then all the groups that it
belonged to will have the membership attribute also removed from them.

This allows an admin to move entries to "special" locations, like a
"disabled ou" container, and all its memberships are properly updated

relates: https://github.com/389ds/389-ds-base/issues/5189

Reviewed by: tbordaz & spichugi(Thanks!!)

- - - - -
b2e608de by James Chapman at 2022-03-14T23:23:57+00:00
Issue 5193 - Incomplete ruv occasionally returned from ruv search (#5194)

* Issue 5193 - Incomplete ruv occasionally returned from ruv search

Bug Description:
An intermittent condition occurs during cleanallruv (force) CI tests
which results in an incomplete ruv being returned to the client. This
generates an "IndexError" in lib389 because of the ruv->replica_purl
being NULL.

Fix Description:
During an ruv search we iterate over the in memory ruv list. Skip over
an ruv if we detect ruv->replica_purl == NULL.

Fixes: https://github.com/389ds/389-ds-base/issues/5193

Reviewed by: @progier389 @mreynolds389  (Thanks)
- - - - -
ebc8ff47 by Viktor Ashirov at 2022-03-15T11:53:37+01:00
Issue 5200 - dscontainer should use environment variables with DS_ prefix

dscontainer accepts several environment variables, but some of them
don't have DS_ prefix, such as ERRORLOG_LEVEL and SUFFIX_NAME.
It would be good to use a uniform namespaced notation to avoid
generic names that can possibly conflict with other environment
variables (for example, when DS runs in a pod with other containers,
that can also use these generic variable names).

Additionally, DS_MEMORY_PERCENTAGE is no longer applicable when server
uses MDB. We should log a warning message to notify the user.

Fixes: https://github.com/389ds/389-ds-base/issues/5200

Reviewed by: @mreynolds389, @Firstyear (Thanks!)

- - - - -
3553bce4 by tbordaz at 2022-03-21T14:28:31+01:00
Issue 5218 - double-free of the virtual attribute context in persistent search (#5219)

	A search is processed by a worker using a private pblock.
	If the search is persistent, the worker spawns a thread
	and kind of duplicates its private pblock so that the spawned
	thread continues to process the persistent search.
	Then worker ends the initial search, reinit (free) its private pblock,
	and returns monitoring the wait_queue.
	When the persistent search completes, it frees the duplicated
	The problem is that private pblock and duplicated pblock
	are referring to the same structure (pb_vattr_context).
	That can lead to a double free.

	When cloning the pblock (slapi_pblock_clone) make sure
	to transfer the references inside the original (private)
	pblock to the target (cloned) one.
	That includes pb_vattr_context pointer.

Reviewed by: Mark Reynolds, James Chapman, Pierre Rogier (Thanks !)

Co-authored-by: Mark Reynolds <mreynolds at redhat.com>
- - - - -
e6431d95 by Mark Reynolds at 2022-03-21T18:23:54-04:00
Issue 5221 - User with expired password can still login with full privileges

Bug Description:

A user with an expired password can still login and perform operations
with its typical access permissions.  But an expired password means the
account should be considered anonymous.

Fix Description:

Clear the bind credentials if the password is expired

relates: https://github.com/389ds/389-ds-base/issues/5221

Reviewed by: progier(Thanks!)

- - - - -
d12f31d5 by Mark Reynolds at 2022-03-22T11:07:43-04:00
Issue 5186 - UI - Fix SASL Mapping regex test feature


If the regex is invalid you are still able to click on the "Test"
button which then crashes the UI.  The Test button needs to be disabled
if the regex is invalid

relates: https://github.com/389ds/389-ds-base/issues/5186

Reviewed by: jchapman & spichugi(Thanks!!)

- - - - -
f4a80df6 by Mark Reynolds at 2022-03-22T11:27:45-04:00
Issue 5225 - UI - impossible to manually set entry cache

Bug description:  The UI thinks cache auto-tuning is always set which
prevents the user from manually setting the entry cache.

Fix Description:  The UI was comparing a value to an array, which always
returned false and kept the UI thinking autotuning was set.

relates: https://github.com/389ds/389-ds-base/issues/5225

Reviewed by: spichugi(Thanks!)

- - - - -
e2fc3582 by Simon Pichugin at 2022-03-22T12:49:43-07:00
Issue 4299 - UI - Add CoS functionality (#5196)

Description: Add CoS management features to UI.
Fix logic in Custom Entry Wizard.

Relates: https://github.com/389ds/389-ds-base/issues/4299

Reviewed by: @mreynolds389 (Thanks!!)
- - - - -
5ea5ead5 by Thierry Bordaz at 2022-03-23T09:40:43-04:00
Issue 5230 - Race condition in RHDS disk monitoring functions

Bug description:
	Disk monitoring fetches file system info using
	getmntent system call.
	It should rather use MT safe getmntent_r

Fix description:
	use getmntent_r

relates: #5230

Reviewed by: Mark Reynolds

Platforms tested: F35

- - - - -
2d8ea294 by Mark Reynolds at 2022-03-23T12:18:20-04:00
Bump version to 2.0.15

- - - - -
6d757852 by Timo Aaltonen at 2022-04-13T14:08:59+03:00
Merge branch 'upstream'

- - - - -
fc8f6563 by Timo Aaltonen at 2022-04-13T14:09:16+03:00
version bump

- - - - -
5dc68c92 by Timo Aaltonen at 2022-04-13T14:11:33+03:00
releasing package 389-ds-base version 2.0.15-1

- - - - -

30 changed files:

- debian/changelog
- + dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/cn=schema/cn={5}test.ldif
- + dirsrvtests/tests/data/tls/ca.crt
- + dirsrvtests/tests/data/tls/cert9.db
- + dirsrvtests/tests/data/tls/int.crt
- + dirsrvtests/tests/data/tls/key4.db
- + dirsrvtests/tests/data/tls/leaf.crt
- + dirsrvtests/tests/data/tls/pkcs11.txt
- + dirsrvtests/tests/data/tls/pwdfile.txt
- + dirsrvtests/tests/data/tls/server-export.p12
- + dirsrvtests/tests/data/tls/tls_import_ca_chain.pem
- + dirsrvtests/tests/data/tls/tls_import_crt_chain.pem
- + dirsrvtests/tests/data/tls/tls_import_key.pem
- + dirsrvtests/tests/data/tls/tls_import_key_chain.pem
- + dirsrvtests/tests/suites/automember_plugin/automember_abort_test.py
- + dirsrvtests/tests/suites/memberof_plugin/memberof_include_scopes_test.py
- dirsrvtests/tests/suites/openldap_2_389/migrate_test.py
- + dirsrvtests/tests/suites/password/pw_expired_access_test.py
- dirsrvtests/tests/suites/replication/regression_m2_test.py
- + dirsrvtests/tests/suites/schema/x_attribute_descr_oid_test.py
- + dirsrvtests/tests/suites/tls/tls_import_ca_chain_test.py
- ldap/admin/src/70-dirsrv.conf
- ldap/schema/01core389.ldif
- ldap/servers/plugins/acl/acl_ext.c
- ldap/servers/plugins/automember/automember.c
- ldap/servers/plugins/memberof/memberof.c
- ldap/servers/plugins/pam_passthru/pam_ptimpl.c
- ldap/servers/plugins/replication/repl5_replica.c
- ldap/servers/plugins/replication/repl5_replica_config.c

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/26e3f81fcc1f343ac7f38a6b542f65d48fc0899d...5dc68c924c04ecc77150fa029c3e3f128da82631
