[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][upstream] 327 commits: Bump version to 1.4.5.0

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Thu Feb 10 17:39:35 GMT 2022



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / 389-ds-base


Commits:
5c25c06c by Mark Reynolds at 2020-10-28T09:43:51-04:00
Bump version to 1.4.5.0

- - - - -
cdaa81c5 by Mark Reynolds at 2020-10-29T23:07:40-04:00
Bump version to 2.0.0

- - - - -
db655bbe by Firstyear at 2020-11-02T09:14:25+10:00
Issue 4403 RFE - OpenLDAP pw hash migration tests (#4408)

Bug Description: As we want to support openldap to 389 password migration,
we should check if we allow accounts to continue to bind. This involves
testing different openldap authentication schemes to determine if they
work.

Fix Description: Add tests for different password and contrib password
types that are supported in openldap.

fixes: #4403

Author: William Brown <william at blackhats.net.au>

Review by: @droideck, @progier389 (Thanks!)
- - - - -
013ea7dd by progier389 at 2020-11-03T12:18:50+01:00
ticket 2058: Add keep alive entry after on-line initialization - second version (#4399)

Bug description:
Keep alive entry is not created on target master after on line initialization,
and its RUVelement stays empty until a direct update is issued on that master

Fix description:
The patch allows a consumer (configured as a master) to create (if it did not
exist before) the consumer's keep alive entry. It creates it at the end of a
replication session at a time we are sure the changelog exists and will not
be reset. It allows a consumer to have RUVelement with csn in the RUV at the
first incoming replication session.

That is basically lkrispen's proposal with an associated pytest testcase

Second version changes:
   - moved the testcase to suites/replication/regression_test.py
   - set up the topology from a 2 master topology then
    reinitialized the replicas from an ldif without replication metadata
    rather than using the cli.
   - search for keepalive entries using search_s instead of getEntry
   - add a comment about keep alive entries purpose

last commit:
   - wait that ruv are in sync before checking keep alive entries

Reviewed by: droideck, Firstyear

Platforms tested: F32

relates: #2058
- - - - -
4cc9b104 by Mark Reynolds at 2020-11-03T08:02:45-05:00
Issue 4176 - CL trimming causes high CPU

Bug Description:  The changelog trimming switched to using pthread_cond_timedwait()
                  instead of NSPR, but the relative time was used for the wait time
                  instead of the absolute time.  This caused it to basically not
                  wait at all and consume all the CPU.

Fix Description:  Use the absolute(monotonic) time for the condition wait time.

Relates: https://github.com/389ds/389-ds-base/issues/4176

Reviewed by: progier(Thanks!)

- - - - -
5b0cbddc by sgouvern at 2020-11-03T14:32:06+01:00
Issue 4218 - Verify the new wtime and optime access log keywords (#4397)

Description: Add a test case to dirsrvtests/tests/suites/ds_logs/ds_logs_test.py:
test_optime_and_wtime_keywords. It tests that the new optime and wtime keywords
are present in the access log and have correct values
Also, adapt test_etime_order_of_magnitude to the new RESULT string format
in the access log

Relates: #4218

Reviewed by: @droideck, @Firstyear (Thanks!)
- - - - -
bc92c17b by tbordaz at 2020-11-03T17:33:31+01:00
Issue 4391 - DSE config modify does not call be_postop (#4394)

Bug description:
	During a DSE modify, be_preop callbacks are called. But be_postop callbacks are called on the condition
	dse_call_callback is different than SLAPI_DSE_CALLBACK_DO_NOT_APPLY.

	This should systematically call be_postop if be_preop were called.
	In addition postop_modify_config_dse returning an invalid rc, systematically prevents DSE modify to call be_postop

Fix description:
        The required bug fix is that dse_callback need to return SLAPI_DSE_CALLBACK* not ldap rc.
	Also in case of vlv config (SLAPI_DSE_CALLBACK_DO_NOT_APPLY) if preop were called
        it requires to call the postop.

	In dse_modify, rc is used for dse_call_callback() (returns SLAPI_DSE_CALLBACK*)
        but also for plugin_call_plugin (returns SLAPI_PLUGIN_*). Those rc are not compatible
	and although the code works to help maintenance use 'plugin_rc' instead of 'rc'.

relates: https://github.com/389ds/389-ds-base/issues/4391

Reviewed by: William Brown, Simon Pichugin (thanks !)

Platforms tested: F31
- - - - -
7cb5c920 by Mark Reynolds at 2020-11-03T13:42:29-05:00
Issue 4420 - change NVR to use X.X.X instead of X.X.X.X

Description:  Start using 389-ds-base-2.0.0 instead of 389-ds-base-2.0.0.0

Fixes: https://github.com/389ds/389-ds-base/issues/4420

Reviewed by: mreynolds (one line commit rule)

- - - - -
b557f5da by Mark Reynolds at 2020-11-03T13:43:44-05:00
Bump version to 2.0.1

- - - - -
04ba05e0 by Mark Reynolds at 2020-11-03T17:23:22-05:00
Issue 4415 - unable to query schema if there are extra parenthesis

Bug Description:  When a client does a schema lookup in lib389 asking
                  for the result in JSON, the X-ORIGIN is not correctly
                  parsed if it contains an extra parenthesis

Fix Description:  When parsing between the X-ORIGIN encapsulating parenthesis
                  find the right most match, not the first match.

Relates: https://github.com/389ds/389-ds-base/issues/4415

Reviewed by: spichugi(Thanks!)

- - - - -
a2c7e50b by Kazım SARIKAYA at 2020-11-08T14:48:49-05:00
build problems at alpine linux

- - - - -
c3bdb443 by Firstyear at 2020-11-09T10:55:47+10:00
Issue 4407 RFE - remove http client and presence plugin (#4409)

Bug Description: The presence plugin has been disabled for a long
time and relates to a defunct IM project. This also had a HTTP client
that we no longer use in any capacity, but was enabled by default.

Fix Description: This removes the two un-used plugins, and adds
handlers to allow deny-listing of the plugins to prevent them being
loaded.

fixes: #4407

Author: William Brown <william at blackhats.net.au>

Review by: @droideck, @mreynolds389 (Thanks!)
- - - - -
ca8ac8ec by Simon Pichugin at 2020-11-09T11:43:04+01:00
Issue 4412 - Fix CLI repl-agmt requirement for parameters (#4422)

Description: In dsconf CLI, make it possible to create SSLCLIENTAUTH
bind method agreement without specifying bind dn (--bind-dn) and
the password (--bind-passwd).

Fixes: #4412

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
f8a424f1 by Mark Reynolds at 2020-11-11T22:01:18-05:00
Issue 4429 - NULL dereference in revert_cache()

Bug Description:  During a delete, if the DN (with an escaped leading space)
                  of an existing entry fails to parse the server will revert
                  the entry update.  In this case it will lead to a crash
                  because the ldbm inst struct is not set before it attempts
                  the cache revert.

Fix Description:  Check that the ldbm instance struct is not NULL before
                  dereferencing it.

Relates: https://github.com/389ds/389-ds-base/issues/4429

Reviewed by: firstyear & spichugi(Thanks!!)

- - - - -
a924b551 by Barbora Simonova at 2020-11-12T10:05:03+01:00
Issue 4281 - dsidm user status fails with Error: 'nsUserAccount' object has no attribute 'is_locked'

Description:
Created a test to verify bz1862971, because the status,lock and unlock options
were moved from dsidm user to dsidm account. The rest of the tests for dsidm will soon follow
so I have created helper functions for next tests.

Relates: https://github.com/389ds/389-ds-base/issues/4281
Relates: https://github.com/389ds/389-ds-base/issues/4348

Reviewed by: droideck, Firstyear (Thanks!)

- - - - -
99462bbf by tbordaz at 2020-11-12T11:52:38+01:00
Issue 4316 - performance search rate: useless poll on network send callback (#4424)

Bug description:
	When sending back result/entries, DS first polls the connection to check
        it is able to write data on the socket. Then it writes the data.
	The purpose of the poll is to handle ioblocktimeout.
	The problem is that most of the time, the socket will process the write
	without any issue so it is useless to poll before the write.

Fix description:
	The fix is to try the write first. It polls for ioblocktimeout
        only if the write fails

relates: https://github.com/389ds/389-ds-base/issues/4316

Reviewed by: William Brown (thanks!)

Platforms tested: F31
- - - - -
4e99d892 by Mark Reynolds at 2020-11-12T09:31:18-05:00
Issue 4432 - After a failed online import the next imports are very slow

Bug Description:  When an online import fails the entry and DN caches are
                  "reset", but we use the wrong "new maxsize" which was
                  setting the entry cache maxsize to zero which killed the
                  import performance.

Fix Description:  When resetting the caches use the previous cache maxsize.

Relates: https://github.com/389ds/389-ds-base/issues/4432

Reviewed by: firstyear & progier(Thanks!!)

- - - - -
2529313e by Mark Reynolds at 2020-11-12T12:08:01-05:00
Issue 4383 - Do not normalize escaped spaces in a DN

Bug Description:  Adding an entry with an escaped leading space leads to many
                  problems.  Mainly id2entry can get corrupted during an
                  import of such an entry, and the entryrdn index is not
                  updated correctly

Fix Description:  In slapi_dn_normalize_ext() leave an escaped space intact.

Relates: https://github.com/389ds/389-ds-base/issues/4383

Reviewed by: firstyear, progier, and tbordaz (Thanks!!!)

- - - - -
4a2d711b by progier389 at 2020-11-12T18:50:04+01:00
do not add referrals for masters with different data generation #2054 (#4427)

Bug description:
The problem is that some operation mandatory in the usual cases are
also performed when replication cannot take place because the
database sets are different (i.e.: RUV generation ids are different)

One of the issue is that the csn generator state is updated when
starting a replication session (it is a problem when trying to
reset the time skew, as freshly reinstalled replicas get infected
by the old ones)

A second issue is that the RUV got updated when ending a replication session
(which may add replica that does not share the same data set,
then update operations on consumer return referrals towards wrong masters

Fix description:
The fix checks the RUVs generation id before updating the csn generator
and before updating the RUV.

Reviewed by: mreynolds
             firstyear
             vashirov

Platforms tested: F32
- - - - -
87712846 by William Brown at 2020-11-13T08:58:04+10:00
Issue 4428 - Paged Results with Chaining Test Case

Bug Description: This test case shows how a paged search with criticality
set to false, causes chaining to sigsegv.

Fix Description: N/A - this is a reproducer, not the fix.

fixes: #4428

Author: William Brown <william at blackhats.net.au>

Review by: @droideck, @mreynolds389

- - - - -
7f241dc7 by William Brown at 2020-11-13T08:58:04+10:00
Issue 4428 - BUG Paged Results with critical false causes sigsegv in chaining

Bug Description: When a paged search through chaining backend is
received with a false criticality (such as SSSD), chaining backend
will sigsegv due to a null context.

Fix Description: When a NULL ctx is received to be freed, this is
as paged results have finished being sent, so we check the NULL
ctx and move on.

fixes: #4428

Author: William Brown <william at blackhats.net.au>

Review by: @droideck, @mreynolds389

- - - - -
d644ebaa by William Brown at 2020-11-17T10:21:35+10:00
Issue 4373 - BUG - Mapping Tree nodes can be created that are invalid

Bug Description: The mapping tree is built and arranged based on
the content of the nsslapd-parent-suffix attribute. However, it is
possible that this value is invalid pointing at a non-existent
suffix, or that it could be pointing at a suffix that is invalid
in the suffix hierarchy that mapping trees expect.

https://www.port389.org/docs/389ds/design/mapping_tree_assembly.html

Fix Description: Rather than build the mapping tree by arranging
nodes through the nsslapd-parent-suffix value, we should sort and build
them through the known and defined suffix values in cn (which we already
rely upon to be correct). This allows stable ordering and avoids potential
user and developer errors.

fixes: #4373

Author: William Brown <william at blackhats.net.au>

Review by: @progier389, @mreynolds389 (Thanks!)

- - - - -
33279b75 by William Brown at 2020-11-17T10:28:27+10:00
Issue 4410 RFE - ndn cache with arc in rust

Bug Description: As we move to LMDB and require a concurrently
readable model, we need access to concurrently readable datastructures.

Fix Description: This is a poc of NDN cache in rust with
a concurrently readable adaptive replacement cache.

fixes: #4410

Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
3c3e1f30 by progier389 at 2020-11-19T10:21:10+01:00
Issue 4440 - BUG - ldifgen with --start-idx option fails with unsupported operand (#4444)

Bug description:
Got TypeError exception when using:
  dsctl -v slapd-localhost ldifgen users --suffix
     dc=example,dc=com --parent ou=people,dc=example,dc=com
     --number 100000 --generic --start-idx=50
The reason is that by default python parser provides
 value for numeric options:
  as an integer if specified by "--option value" or
  as a string if specified by "--option=value"

Fix description:
convert the numeric parameters to integer when using it.
 options impacted are:
  - in users subcommand:   --number ,  --start-idx
  - in mod-load subcommand:   --num-users, --add-users,
               --del-users, --modrdn-users, --mod-users

FYI: An alternative solution would have been to indicate the
parser that these values are an integer. But two reasons
 led me to implement the first solution:
 - first solution fixes the problem for all users while the
   second one fixes only dsctl command.
 - first solution is easier to test:
    I just added a new test file generated by a script
      that duplicated existing ldifgen test, renamed the
       test cases and replaced the numeric arguments by
       strings.
   Second solution would need to redesign the test framework
    to be able to test the parser.

relates: https://github.com/389ds/389-ds-base/issues/4440

Reviewed by:

Platforms tested: F32
- - - - -
61738d31 by Viktor Ashirov at 2020-11-23T14:16:26+01:00
Fix pytest test collection

Bug Description:
Some tests were missing tier0 and tier1 marks, didn't have _test
postfix in the filename.
Because of this some tests were not collected and not executed.

Fix Description:

* Add missing pytest marks for tier0 and tier1
* Rename test modules to have _test in the filename.

Reviewed by: Simon (Thanks!)

- - - - -
4d5915f3 by Simon Pichugin at 2020-11-24T17:06:52+01:00
Issue 4105 - Remove python.six from lib389 (#4456)

Description: We no longer use python 2, we can remove all the python-six
imports and replace code with Python 3 support only.

Fixes: #4105

Reviewed by: @mreynolds389 @Firstyear (Thanks!)
- - - - -
73ee04fa by progier389 at 2020-11-24T19:22:49+01:00
Issue 4449 - dsconf replication monitor fails to retrieve database RUV - consumer (Unavailable) (#4451)

Bug Description:

"dsconf replication monitor" fails to retrieve database RUV entry from consumer and this
appears into the Cockpit web UI too.
The problem is that the bind credentials are not rightly propagated when trying to get
the consumers agreement status.  Then supplier credentials are used instead  and RUV
is searched anonymously because there is no bind dn in ldapi case.

Fix Description:

- Propagates the bind credentials when computing agreement status
- Add a credential cache because now a replica password could get asked several times:
    when discovering the topology and
    when getting the agreement maxcsn
- Testcase test_dsconf_replication_monitor is modified to:
  - Assert when getting "consumer (Unavailable)" status
  - Add a step using a freshly generated Dirsrv instance (as dsconf does)
    rather than using the topology one
    FYI: although the feature was tested in test_dsconf_replication_monitor py.test
     the test does not hit the bug because of several side effects:
        - If consumer credentials are not provided the supplier credentials are used.
        - topology generated DirSrv instance has a bind DN.
        - topology masters have the same credentials
     DirSrv generated by dsconf (in ldapi case) have no bind DN and hits the bugs

- Add a comment about nonlocal keyword

Relates: #4449

Reviewers:
  firstyear
  droideck
  mreynolds

Issue 4449: Add a comment about nonlocal keyword
- - - - -
8bb2f6b3 by Akshay Adhikari at 2020-11-25T13:40:35+01:00
Issue 4112 - Added a CI test (#4441)

Issue 4112 - Added a CI test

Bug Description: If the dbhome directory is set, eg to /dev/shm/instance
then an online backup fails because it looks for the log.000000x file
in the wrong directory.

Relates: #4112

Reviewed by: Firstyear,droideck (Thanks!)
- - - - -
c87084de by tbordaz at 2020-11-25T18:07:34+01:00
Issue 4297 - 2nd fix for on ADD replication URP issue internal searches with filter containing unescaped chars (#4439)

Bug description:
	Previous fix is buggy because slapi_filter_escape_filter_value returns
        a escaped filter component not an escaped assertion value.

Fix description:
	use the escaped filter component

relates: https://github.com/389ds/389-ds-base/issues/4297

Reviewed by: William Brown

Platforms tested: F31
- - - - -
d6f73060 by Mark Reynolds at 2020-11-25T16:25:43-05:00
Issue 3986 - UI - Handle objectclasses that do not have X-ORIGIN set

Description:  The UI schema page was not handling objectclasses that did not
              have x-origin set.  This patch prevents the browser from crashing
              in that case.

Relates: https://github.com/389ds/389-ds-base/issues/3986

Reviewed by: mreynolds (one line commit rule)

- - - - -
bc6edc01 by William Brown at 2020-11-26T08:16:49+10:00
Issue 4454 - RFE - fix version numbers to allow object caching

Bug Description: ccache and sccache are unable to cache object
files in 389-ds due to the use of BUILDNUM that takes a current
time including minutes, and VERSION.sh using the current
date and git commit which can change between branches.

Fix Description: When using --enable-debug, BUILDNUM and VERSION
are set to 0 or "DEVELOPER BUILD". Since this is now static
object caching can now occur, reducing developer recompile
times and allowing incremental compilation to work correctly.

fixes: #4454

Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
ca65f3a6 by Mark Reynolds at 2020-11-25T17:50:31-05:00
Issue 3657 - Add options to dsctl for dsrc file

Description:  Add options to create, modify, delete, and display
              the .dsrc CLI tool shortcut file.

Relates: https://github.com/389ds/389-ds-base/issues/3657

Reviewed by: firstyear(Thanks!)

- - - - -
ce7beae4 by William Brown at 2020-11-26T09:28:33+10:00
Issue 4460 - BUG  - lib389 should use system tls policy

Bug Description: Due to some changes in dsrc for tlsreqcert
and how def open was structured in lib389, the system ldap.conf
policy was ignored.

Fix Description: Default to using the system ldap.conf policy
if undefined in lib389 or the tls_reqcert param in dsrc.

fixes: #4460

Author: William Brown <william at blackhats.net.au>

Review by: ???

- - - - -
f1243f7c by tbordaz at 2020-11-30T09:03:33+01:00
Issue 4243 - Fix test: SyncRepl plugin provides a wrong cookie (#4467)

Bug description:
	This test case was incorrect.
	During a refreshPersistent search, a cookie is sent
	with the intermediate message that indicates the end of the refresh phase.
	Then a second cookie is sent on the updated entry (group10)
	I believed this test was successful some time ago but neither python-ldap
	nor sync_repl changed (intermediate sent in post refresh).
	So the testcase was never successful :(

Fix description:
	The fix is just to take into account the two expected cookies

relates: https://github.com/389ds/389-ds-base/issues/4243

Reviewed by: Mark Reynolds

Platforms tested: F31
- - - - -
a98fe542 by James Chapman at 2020-11-30T15:28:05+00:00
Issue 4418 - ldif2db - offline. Warn the user of skipped entries 

Bug Description: During an ldif2db import entries that do not
conform to various constraints will be skipped and not imported.
On completion of an import with skipped entries, the server
returns a success exit code and logs the skipped entry detail to
the error logs. The success exit code could lead the user to
believe that all entries were successfully imported.

Fix Description: If a skipped entry occurs during import, the
import will continue and a warning will be returned to the user.

CLI tools for offline import updated to handle warning code.

Test added to generate an incorrect ldif entry and perform an
import.

Fixes: #4418

Reviewed by: Firstyear, droideck  (Thanks)
- - - - -
a5029c80 by Mark Reynolds at 2020-11-30T11:40:36-05:00
Issue 4384 - Use MONOTONIC clock for all timing events and conditions

Bug Description:  All of the server's event handling and replication were
                  based on REALTIME clocks, which can be influenced by the
                  system changing.  This could cause massive delays, and
                  simply cause unexpected behavior.

Fix Description:  Move all condition variables to use pthread instead of NSPR
                  functions.  Also make sure we use MONOTONIC clocks when we
                  get the current time when checking for timeouts and other
                  timed events.

Relates: https://github.com/389ds/389-ds-base/issues/4384

Reviewed by: elkris, firstyear, and tbordaz (Thanks!!!)

Apply firstyear's suggestions

Apply Firstyear's other suggestions

Apply Thierry's suggestions

- - - - -
782e6c1e by Mark Reynolds at 2020-11-30T16:30:39-05:00
Issue 4105 - Remove python.six (fix regression)

Description:  The switch off of six StringIO was not correctly ported,
              and an object was assigned to a variable instead of the
              variable being initialized with a new instance of the
              object.

Fixes: https://github.com/389ds/389-ds-base/issues/4105

Reviewed by: mreynolds(one line commit rule)

- - - - -
b7219518 by William Brown at 2020-12-01T13:15:14+10:00
Issue 4464 - RFE - clang with ds+asan+rust

Bug Description: Some subtle issues existed when using clang with
ds for builds, emitting warnings or not working (asan).

Fix Description: Remove some compiler flags that caused warnings,
and clean up how to emit certain linking related parts for asan
and dynamic libs for clang.

fixes: #4464

Author: William Brown <william at blackhats.net.au>

Review by: vashirov (thanks!)

- - - - -
7d2f95dc by tbordaz at 2020-12-01T15:15:21+01:00
Issue 4243 - Fix test: SyncRepl plugin provides a wrong cookie (#4466) (#4466)

Bug description:
	Individual testcases run fine but they fail when
	run in a row

Fix description:
	Each testcase needs to do cleanup (at the end) or
        make initialization more robust

relates: https://github.com/389ds/389-ds-base/issues/4243

Reviewed by: William Brown, Simon Pichugin (Thanks !)

Platforms tested:  F31
- - - - -
2eba8fec by Barbora Simonova at 2020-12-03T11:10:10+01:00
Issue 4284 - dsidm fails to delete an organizationalUnit entry

Description:
Created test for dsidm organizationalunit delete and moved the function
check_value_in_log_and_reset() to __init__.py, because it will be used for
other dsidm tests.
Also modified the delete() function in lib389 to be able to delete the entry
without warning message for test purposes.

Relates: https://github.com/389ds/389-ds-base/issues/4284

Reviewed by: droideck (Thanks!)

- - - - -
52215dcb by William Brown at 2020-12-04T10:13:05+10:00
Issue 4446 RFE - openldap password hashers

Bug Description: To allow easier migrations, we need to support
some password types that OpenLDAP has that we do not. This
is mainly PBKDF2 types. OpenLDAP's hashers are
based on python passlib, so they also store the values in
a different way than our PBKDF2 module.

Fix Description: This adds passlib style PBKDF2 support, written
in Rust. It extends the slapi_r_plugin shim to support password
extensions for Rust plugins, as well as providing a number of
small improvements to the build system and testing for rust
plugins.

fixes: #4446

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 (Thanks)

- - - - -
dec149b4 by Firstyear at 2020-12-04T10:14:33+10:00
Issue 4460 - BUG - add machine name to subject alt names in SSCA (#4472)

Bug Description: During SSCA creation, the server cert did not have
the machine name, which meant that the cert would not work without
reqcert = never.

Fix Description: Add the machine name as an alt name during SSCA
creation. It is not guaranteed this value is correct, but it
is better than nothing.

relates: https://github.com/389ds/389-ds-base/issues/4460

Author: William Brown <william at blackhats.net.au>

Review by: mreynolds389, droideck 
- - - - -
74a96c6a by tbordaz at 2020-12-07T09:41:27+10:00
Issue 4315: performance search rate: nagle triggers high rate of setsocketopt (#4437)

Bug description:
	When a socket is set with NO_DELAY=0 (nagle), written pdu are buffered
	until buffer is full or tcp_cork is set. This reduces network traffic when
        the application writes partial pdu.
        DS write complete pdu (results/entries/..) so it gives low benefit for DS.
	In addition nagle being 'on' by default, DS sets/unset socket tcp_cork to send
	immediately results/entries at each operation. This is an overhead of syscalls.

Fix description:
	Disable nagle by default

relates: https://github.com/389ds/389-ds-base/issues/4315

Reviewed by: @mreynolds389, @Firstyear 

Platforms tested:  F33
- - - - -
87b39043 by tbordaz at 2020-12-08T08:32:21+01:00
Issue 4243 - Fix test (4th): SyncRepl plugin provides a wrong (#4475)

Bug description:
	Cookie changenumber can be 0.
	test_sync_repl_cookie_add_del and test_sync_repl_mep are not
	accepting this value

Fix description:
	change the assertion

relates: https://github.com/389ds/389-ds-base/issues/4243

Reviewed by: William Brown, Simon Pichugin (thanks for this continuous effort on
 buggy testcases :) )

Platforms tested: F31
- - - - -
1af84fd1 by James Chapman at 2020-12-09T22:42:59+00:00
Issue 4419 - Warn users of skipped entries during ldif2db online import (#4476)

Bug Description:  During an online ldif2db import entries that do not
                  conform to various constraints will be skipped and
                  not imported. On completion of an import with skipped
                  entries, the server responds with a success message
                  and logs the skipped entry detail to the error logs.
                  The success message could lead the user to believe
                  that all entries were successfully imported.

Fix Description:  If a skipped entry occurs during import, the import
                  will continue and a warning message will be displayed.
                  The schema is extended with a nsTaskWarning attribute
                  which is used to capture and retrieve any task
                  warnings.

                  CLI tools for online import updated.

                  Test added to generate an incorrect ldif entry and perform an
                  online import.

Fixes: https://github.com/389ds/389-ds-base/issues/4419

Reviewed by: tbordaz, mreynolds389, droideck, Firstyear (Thanks)
- - - - -
4b501a5e by William Brown at 2020-12-10T09:29:40+10:00
Ticket 4313 - fix potential syncrepl data corruption

Bug Description: The cookie encodes which changelog entries we
have seen up to and including. However, the sync process would then
re-send the cl item from the cookie number. This could cause corruption
in some cases as some combinations of actions between two points
are no-oped in the server.

Fix Description: Fix the changelog search to always process that
entries of the CL must be greater than, but not equal to the
already seen CL items from the cookie.

Fixes: https://github.com/389ds/389-ds-base/issues/4313

Author: William Brown <william at blackhats.net.au>

Review by: @tbordaz

- - - - -
d2a3f2eb by William Brown at 2020-12-10T09:29:40+10:00
Ticket 4313 - improve tests and improve readme re refdel

Bug Description: This is a supplement to 51260.

Fix Description: This expands the test cases to be able to detect
the subsequent data corruption of 51260. This also improves
documentation around the rfc, and some todo comments for
future work with entryuuid + openldap.

Fixes: https://github.com/389ds/389-ds-base/issues/4313

Author: William Brown <william at blackhats.net.au>

Review by: @tbordaz

- - - - -
5a3a6e50 by William Brown at 2020-12-10T09:29:40+10:00
Ticket 4224 - openldap can become confused with entryuuid

Bug Description: OpenLDAP server as a syncrepl consumer enforces
the condition that syncUUID in ldap messages must match the entryuuid
of the entry. This is not in the RFC but it affects this one situation.

Fix Description: To resolve this, we enforce that entryuuid is a
requirement to the openldap syncrepl mode. Only entries with an
entryuuid can be sent to openldap. Additionally, this mode is disabled
by default by a configuration parameter "syncrepl-allow-openldap" in
the content sync plugin config.

Fixes: https://github.com/389ds/389-ds-base/issues/4224

Author: William Brown <william at blackhats.net.au>

Review by: @tbordaz (Thanks!)

- - - - -
7ed09120 by Firstyear at 2020-12-10T12:45:54+10:00
Issue 4229 - RFE - Improve rust linking and build performance (#4474)

Bug Description: Due to changes in how we approach rust in our
make system, we can improve this significantly to reduce complexity
in our linking, and to remove a large quantity of deadcode that
is no longer needed.

Fix Description: Remove older parts of sds (removed in favour
of rust datastructures and concread), and remove lfds which
is no longer used from nunc-stans

fixes: https://github.com/389ds/389-ds-base/issues/4229

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 (Thanks!)
- - - - -
f0825275 by James Chapman at 2020-12-10T03:15:43+00:00
Issue 4489 - Remove return statement from a void function (#4490)

Bug  Description: void function returns a value, causing compiler warnings.

Fix Description: Remove return statement.

Relates: https://github.com/389ds/389-ds-base/issues/4419

Reviewed by: One line rule
- - - - -
bdf955bd by Mark Reynolds at 2020-12-10T12:04:51-05:00
Issue 4421 - Unable to build with Rust enabled in closed environment

Description:  Add Makefile flags and update rpm.mk that allow updating
              and downloading all the cargo/rust dependencies.  This is
              needed for nightly tests and upstream/downstream releases.

Fixes: https://github.com/389ds/389-ds-base/issues/4421

Reviewed by: firstyear(Thanks!)

- - - - -
4715f372 by Mark Reynolds at 2020-12-10T15:34:31-05:00
Issue 4224 - cleanup specfile after libsds removal

Description:  The original commit for this ticket did not cleanup the specfile

relates: https://github.com/389ds/389-ds-base/issues/4224

Reviewed by: mreynolds(one line commit rule)

- - - - -
09d3ab7d by James Chapman at 2020-12-10T22:23:39+00:00
Issue 4486 - Remove random ldif file generation from import test (#4487)

Bug Description: The test_fast_slow_import() test validates the performance 
                            impact of the nsslapd-db-private-import-mem config attribute
                            over multiple ldif file offline imports. For each import, a
                            random ldif file is generated which can differ in size,
                            affecting the duration of the import.

Fix Description: Check if the ldif file exists before creating a new one, so we
                          have the same ldif file for each import comparison.

Fixes: https://github.com/389ds/389-ds-base/issues/4486

Reviewed by: Firstyear, droideck (Thank you)
- - - - -
429c2f85 by Mark Reynolds at 2020-12-11T15:25:09-05:00
Issue 4483 - heap-use-after-free in slapi_be_getsuffix

Description:  heap-use-after-free in slapi_be_getsuffix after disk
              monitoring runs. This feature is freeing a list of
              backends which it does not need to do.

Fixes: https://github.com/389ds/389-ds-base/issues/4483

Reviewed by: firstyear & tbordaz(Thanks!!)

- - - - -
32413b5b by Firstyear at 2020-12-14T11:16:31+10:00
Issue 4373 - BUG - calloc of size 0 in MT build (#4496)

Bug Description: In some cases it's possible for there to be
no mapping trees which causes a warning of a calloc of size
0.

Fix Description: In these cases, we can skip the attempt to calloc
and build.

fixes: https://github.com/389ds/389-ds-base/issues/4373

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 
- - - - -
f629f8f5 by tbordaz at 2020-12-14T10:02:24+01:00
Issue 4492 - Changelog cache can upload updates from a wrong starting point (CSN) (#4493)

Bug description:
          When a replication session starts, a starting point is computed
          according to supplier/consumer RUVs.
          From the starting point the updates are bulk loaded from the CL.
          When a bulk set has been fully evaluated the server needs to bulk load another set.
          It iterates until there are no more updates to send.
          The bug is that during bulk load, it recomputes the CL cursor position
          and this computation can be wrong. For example if a new update on
          a rarely updated replica (or not known replica) the new position will
          be set before the initial starting point

Fix description:
          Fixing the invalid computation is a bit risky (complex code resulting from
          years of corner case handling) and a fix could fail to address other flavors
          with the same symptom.
          The fix is only (sorry for that) a safety checking fix that would end a replication session
          if the computed cursor position goes before the initial starting point.
          In case of a large jump behind (24h) the starting point, a warning is logged.

relates: https://github.com/389ds/389-ds-base/issues/4492

Reviewed by: Mark Reynolds, William Brown

Platforms tested: F31
- - - - -
9fa46b83 by Mark Reynolds at 2020-12-14T10:08:23-05:00
Issue 3522 - Remove DES to AES conversion code

Description:  remove the reversible password storage scheme upgrade code.
              This was only needed for people moving from 1.2.10, which
              has not been supported for years.

Fixes: https://github.com/389ds/389-ds-base/issues/3522

Reviewed by: firstyear & spichugi(Thanks!!)

- - - - -
07b678dc by Simon Pichugin at 2020-12-14T21:13:45+01:00
Issue 1795 - RFE - Enable logging for libldap and libber in error log (#4481)

Description: Libraries like libldap, libber do error and debug
logging, but it is not available in the DS logs.

Provide a way to enable the third party logging in DS.
Add nsslapd-external-libs-debug-enabled attribute to 'cn=config'
which will enable all of the levels available in libldap and libber.
The setting should be used only for debugging purposes as
it prints all of the operations with great verbosity.

The code for the log_external_libs_debug_print() and
log_external_libs_debug_set_log_fn() functions is provided
by a former Red Hat employee - Ludwig Krispenz.

Fixes: #1795

Reviewed by: @Firstyear and @tbordaz (Thanks!)
- - - - -
bf46ccec by Stanislav Levin at 2020-12-15T09:49:34+10:00
Issue 4272 RFE - add support for gost-yescrypt for hashing passwords (#4497)

Bug Description: The state standard of Russian Federation requires
strong password hashes relied on GOST R 34.11-2012 (also known as
Streebog[0]) hash function.

Fix Description: One of the implementations of Streebog hash function
was made by libxcrypt, which has come as the replacement of glibc's
libcrypt. This means that several of the pwdstorage plugins have already
linked against libxcrypt.

From libxcrypt docs:
    gost-yescrypt uses the output from the yescrypt hashing method in
    place of a hmac message.  Thus, the yescrypt crypto properties
    are superseded by the GOST R 34.11-2012 (Streebog) hash function
    with a 256 bit digest.

[0]: https://tools.ietf.org/html/rfc6986

fixes: #4272

Reviewed by: @Firstyear, @mreynolds389 (Thanks!)
- - - - -
d7bef97b by Mark Reynolds at 2020-12-15T16:54:43-05:00
Merge pull request #4501 from mreynolds389/issue4500

Issue 4500 - add cockpit options to dsctl
- - - - -
b9edaacf by Firstyear at 2020-12-16T08:57:24+10:00
Issue 4373 - BUG - one line cleanup, free results in mt if ent 0 (#4502)

Bug Description: We had a free on the wrong line which could
lead to a memory leak during server setup.

Fix Description: Free results if ent count is 0

fixes: https://github.com/389ds/389-ds-base/issues/4373

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 @tbordaz (Thanks!)
- - - - -
0b08e6f3 by progier389 at 2020-12-16T16:21:35+01:00
Issue #4504 - Fix pytest test_dsconf_replication_monitor (#4505)


- - - - -
cc0f6928 by tbordaz at 2020-12-16T16:30:28+01:00
Issue 4480 - Unexpected info returned to ldap request (#4491)

Bug description:
	If the bind entry does not exist, the bind result info
        reports that 'No such entry'. It should not give any
        information if the target entry exists or not

Fix description:
	Does not return any additional information during a bind

relates: https://github.com/389ds/389-ds-base/issues/4480

Reviewed by: William Brown, Viktor Ashirov, Mark Reynolds (thank you all)

Platforms tested:  F31
- - - - -
0f38410a by Firstyear at 2020-12-17T08:22:23+10:00
Issue 4498 - BUG - entryuuid replication may not work (#4503)

Bug Description: EntryUUID can be duplicated in replication,
due to a missing check in assign_uuid

Fix Description: Add a test case to determine how this occurs,
and add the correct check for existing entryUUID.

fixes: https://github.com/389ds/389-ds-base/issues/4498

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 
- - - - -
a1618152 by Mark Reynolds at 2021-01-04T23:25:30-05:00
Issue 4507 - Improve csngen testing task (#4508)

Description:  Once the csngen testing task is created, it will not stop for 10 minutes
              even if you attempt to stop the server.  This is adding 10 minutes to
              the CI testing runs.

              Improved this task to check for the server shutdown, and moved the csngen
              test to the bottom of the file so it is executed last so it does not
              interfere with other tests

Fixes: https://github.com/389ds/389-ds-base/issues/4507

Reviewed by: tbordaz(Thanks!)
- - - - -
3ab35273 by Firstyear at 2021-01-06T11:12:39+10:00
Issue 4517 - BUG: Multiple systemd pin warnings (#4518)

Bug Description: When multiple entries exist under
cn=encryption,cn=config then we log a warning for each
entry that systemd ask pass may be needed. This creates noise
when the warning is needed once.

Fix Description: Move the warning to outside the loop.

fixes: https://github.com/389ds/389-ds-base/issues/4517

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 @droideck (Thanks!)
- - - - -
3b0f3385 by Mark Reynolds at 2021-01-06T20:41:22-05:00
Issue 4414 - disk monitoring - prevent division by zero crash

Bug Description:  If a disk mount has zero total space or zero used
                  space then a division by zero can occur and the
                  server will crash.

                  It has also been observed that sometimes a system
                  can return the wrong disk entirely, and when that
                  happens the incorrect disk also has zero available
                  space which triggers the disk monitoring thread to
                  immediately shut the server down.

Fix Description:  Check the total and used space for zero and do not
                  divide, just ignore it.  As a preemptive measure
                  ignore disks from /dev, /proc, /sys (except /dev/shm).
                  Yes it's a bit hacky, but the true underlying cause
                  is not known yet.  So better to be safe than sorry.

Relates: https://github.com/389ds/389-ds-base/issues/4414

Reviewed by: firstyear(Thanks!)

- - - - -
53af2749 by Simon Pichugin at 2021-01-07T06:11:56+01:00
Issue 4513 - Fix schema test and lib389 task module (#4514)

Issue 4513 - Fix schema test and lib389 task module

Description: Fix the assertion in schema_test.py.
Make sure that all of the tasks are up to date
with the recent changes in the task API.

Relates: #4513

Reviewed by: @mreynolds389, @Firstyear (Thanks!) 

- - - - -
1bcd2b43 by Mark Reynolds at 2021-01-07T20:33:46-05:00
Issue 4381 - RFE - LDAPI authentication DN rewriter

Description:  Create a new LDAPI configuration entry to specify a DN
              mapping based on system user name.  This also includes
              a reload task.

              For more information see:

              https://www.port389.org/docs/389ds/design/ldapi-auto-auth-dn-design.html

Relates: https://github.com/389ds/389-ds-base/issues/4381

Reviewed by: firstyear & cheimes(Thanks!!)

Apply Firstyear's suggestions

- - - - -
65678bb3 by Mark Reynolds at 2021-01-07T20:36:13-05:00
Issue 4384 - Separate eventq into REALTIME and MONOTONIC

Description:  The recent changes to the eventq "when" time changed
              internally from REALTIME to MONOTONIC, and this broke
              the API.  Create a new API for MONOTONIC clocks, and
              keep the original API intact for REALTIME clocks.

Relates:  https://github.com/389ds/389-ds-base/issues/4384

Reviewed by: firstyear(Thanks!)

- - - - -
89367c67 by Viktor Ashirov at 2021-01-10T14:19:07+01:00
Issue 4219 - Log internal unindexed searches (notes=A)

Description:
Add a test case.

Relates: https://github.com/389ds/389-ds-base/issues/4219

Reviewed by: @mreynolds389, @droideck, @tmihinto (Thanks!)

- - - - -
acaf2235 by tbordaz at 2021-01-11T17:33:06+01:00
Issue 4521 - DS crash in deref plugin if dereferenced entry exists but is not returned by internal search (#4525)

Bug description:
	For each returned entry, deref plugin dereferences some attribute values that refer to entries.
	To do this it does an internal search (scope base) with each attribute value.
	Deref plugin assumes that if internal search succeeds, a single entry is returned.
	There exist cases (not identified) where internal search succeeds but returns no entry.
	In such case (search succeeds but no entry returned) the server crashes.
	Note: wonder if DB deadlock could lead to such situation.

Fix description:
	Make a hardening fix that logs a warning in such case

relates: https://github.com/389ds/389-ds-base/issues/4521

Reviewed by: Mark Reynolds (thanks)

Platforms tested: F31
- - - - -
bcd39f16 by Firstyear at 2021-01-12T12:46:37+10:00
Issue 4506 - BUG - Fix bounds on fd table population (#4520)

Bug Description: While investigating 4506 it was noticed that
it was possible to exceed the capacity of the connection table
fd array if you had many listeners and a large number of
connections. The number of connections required and in the
correct state to cause this is in the thousands and would
be infeasible in reality, but it is still worth defending
from this.

Fix Description: Add the correct bound on the while loop
setting up the fd for polling.

relates: https://github.com/389ds/389-ds-base/issues/4506

Author: William Brown <william at blackhats.net.au>

Review by: @progier389 
- - - - -
279556bc by progier389 at 2021-01-12T11:06:24+01:00
Issue 4504 - Insure ldapi is enabled in repl_monitor_test.py (Needed on RHEL) (#4527)


- - - - -
78f6203d by progier389 at 2021-01-12T13:57:13+01:00
Issue 4504 - pytest test_dsconf_replication_monitor fails on RHEL - Fix merging issue (#4530)

* Issue 4504 - Insure ldapi is enabled in repl_monitor_test.py (Needed on RHEL)

* Issue #4504 - Fix pytest test_dsconf_replication_monitor on RHEL

* Issue #4504 - Fix pytest test_dsconf_replication_monitor on RHEL
- - - - -
f06181b2 by Barbora Simonova at 2021-01-12T15:39:08+01:00
Issue 4315 - performance search rate: nagle triggers high rate of setsocketopt

Description:
The config value of nsslapd-nagle is now set to 'off' by default.
Added a test case, that checks the value.

Relates: https://github.com/389ds/389-ds-base/issues/4315

Reviewed by: droideck (Thanks!)

- - - - -
a880fddc by progier389 at 2021-01-12T17:45:41+01:00
Issue 4504 - insure that repl_monitor_test use ldapi (for RHEL) - fix merge issue (#4533)


- - - - -
279b68d5 by Mark Reynolds at 2021-01-12T12:42:02-05:00
Issue 4513 - CI Tests - fix test failures

Description:

    Fixed tests in these suites:  basic, entryuuid, filter, lib389, and schema

relates: https://github.com/389ds/389-ds-base/issues/4513

Reviewed by: progier(Thanks!)

- - - - -
6dd37b4f by Robbie Harwood at 2021-01-13T09:42:26+10:00
Issue 4537 - Use KRB5_CLIENT_KTNAME for client keytabs (#4523)

Bug description:

set_krb5_creds() creates a principal with an empty string for a realm,
and assumes this will function as a wildcard.  However, this behavior is
not a guarantee that krb5 provides; dependent on canonicalization
settings, it could result in later failures in SASL.

Fix description:

Remove set_krb5_creds().  Previously, this function existed in order to
treat the keytab at KRB5_KTNAME as a source of initiator credentials.
However, since krb5-1.11, there is a separate environment variable
KRB5_CLIENT_KTNAME that provides this functionality.

In the process, remove the unused Heimdal vestiges.  In
773e89898d995f4dfecbe872dd6679f4ae2e542d , the semantics of HAVE_KRB5
were changed to refer to specifically MIT krb5.  As a result, none of
the Kerberos goo has run against Heimdal since then.  When Heimdal has a
feature release, it will also support KRB5_CLIENT_KTNAME, and so this
code will work with it too.

relates: https://github.com/389ds/389-ds-base/issues/4537

Author: Robbie Harwood <rharwood at redhat.com>

Review by: @Firstyear, @mreynolds389, @droideck (Thanks!)
- - - - -
ef8328f7 by Mark Reynolds at 2021-01-13T08:57:35-05:00
Issue 4535 - lib389 - healthcheck throws exception if backend is not replicated

Bug Description:

If a backend is not replicated then healthcheck backend cl_trimming check will
throw an exception.  Now dsctl catches this error and moves on, but ipa healthcheck
complains because it is directly using the API.

Fix Description:

Catch the exception if replication is not enabled, and just move to the next check.

Fixes: https://github.com/389ds/389-ds-base/issues/4535

Reviewed by: firstyear & spichugi(Thanks!!)

- - - - -
290c408a by Simon Pichugin at 2021-01-13T15:16:08+01:00
Issue 4528 - Fix cn=monitor SCOPE_ONE search (#4529)

Bug Description: Doing an ldapsearch on "cn=monitor"
throws err=32 with -s one.

Fix Description: 'cn=monitor' is not a real entry so we should not
try to check if the searched suffix (cn=monitor or its children)
belongs to the searched backend.

Fixes: #4528

Reviewed by: @mreynolds389 @Firstyear @tbordaz (Thanks!)
- - - - -
ffc9f525 by Firstyear at 2021-01-14T09:08:09+10:00
Issue 4539 - BUG - no such file if no overlays in openldap during migration (#4540)

Bug Description: If no overlays were configured in openldap, the migration
would fail with no such file or directory.

Fix Description: Check if the overlay folder in slapd.d exists as python
listdir can not handle if the directory does not exist.

fixes: https://github.com/389ds/389-ds-base/issues/4539

Author: William Brown <william at blackhats.net.au>

Review by: @droideck (Thanks!)
- - - - -
6d17ca7d by Mark Reynolds at 2021-01-14T13:16:20-05:00
Bump version to 2.0.2

- - - - -
2bee54eb by Mark Reynolds at 2021-01-14T16:47:25-05:00
Update rpm.mk for RUST tarballs

- - - - -
54a74194 by Robbie Harwood at 2021-01-15T08:43:38+10:00
Issue 4544 - Compiler warnings on krb5 functions (#4545)

Bug description:  6dd37b4fa801b64af0f26293c359a08d744661b2
introduced compiler warnings on unused code.

Fix description: Remove the dead code.

relates: https://github.com/389ds/389-ds-base/issues/4544

Author: Robbie Harwood <rharwood at redhat.com>

Review by: @Firstyear @mreynolds389 
- - - - -
111774dc by progier389 at 2021-01-18T15:01:08+01:00
Issue 4534 - libasan read buffer overflow in filtercmp (#4541)


- - - - -
9015bff2 by Mark Reynolds at 2021-01-18T09:54:30-05:00
Issue 4535 - lib389 - Fix log function in backends.py

Description:  Had a typo for the log function in a lint test that
              is breaking freeipa healthcheck

Relates: https://github.com/389ds/389-ds-base/issues/4535

Reviewed by: mreynolds (one line commit rule)

- - - - -
e4f282e1 by Firstyear at 2021-01-19T11:31:17+10:00
Issue 4506 - Temporary fix for io issues (#4516)

Issue 4506 - RFE - connection accept thread

Bug Description: Previously we accepted connections and
selected for new work in the same event loop. This could
cause connection table polling to delay accepts, and
accepts to delay connection activity from being ready.

Fix Description: This separates those functions allowing
accept to occur in parallel to our normal work.

fixes: https://github.com/389ds/389-ds-base/issues/4506

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 @progier389 (Thanks!)
- - - - -
a4a53e1e by Mark Reynolds at 2021-01-20T11:10:50-05:00
Issue 4548 - CLI - dsconf needs better root DN access control plugin validation

Description:  There is no validation done for any of the root DN access control
              plugin settings.

Relates: https://github.com/389ds/389-ds-base/issues/4548

Reviewed by: spichugi & firstyear (Thanks!!)

- - - - -
f3bedfda by Firstyear at 2021-01-21T10:12:57+10:00
Issue 4506 - BUG - fix oob alloc for fds (#4555)

Bug Description: during review it was requested that a piece
of code be changed which seemed quite innocent. The code was
moved but the logic around the code wasn't considered
causing the fd array for the accept thread to be allocated with
a size of zero, causing the values to be lost.

Fix Description: Move the allocation to the correct location.

fixes: https://github.com/389ds/389-ds-base/issues/4506

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 @droideck 
- - - - -
071793f2 by Akshay Adhikari at 2021-01-21T13:01:27+01:00
Issue 4153 - Added a CI test (#4556)

Bug Description: The numSubordinates value doesn't always match the number of direct subordinate(s)

Relates: #4153

Reviewed by: @droideck 
- - - - -
4f4807f0 by Simon Pichugin at 2021-01-22T11:45:57+01:00
Issue 4513 - Fix replication CI test failures (#4557)

Description: Divide regression test suite into separate
files with different topologies to use. It fixes topology
conflicts that may occur.

Fix cleanup finalizer at topo_with_sigkill fixture.

Remove rfc2307compat test suite as it's not valid
as we don't ship 10rfc2307.ldif anymore.
https://github.com/389ds/389-ds-base/pull/4388/

Relates: #4513

Reviewed by: @mreynolds389, @Firstyear
- - - - -
6ea32f9f by Simon Pichugin at 2021-01-22T16:17:30+01:00
Issue 4513 - Fix replication CI test failures (#4557)

Description: Add missing tests from previous commit.

Relates: #4513

Reviewed by: @mreynolds, @Firstyear (Thanks!)

- - - - -
3038c598 by Barbora Simonova at 2021-01-25T15:31:51+01:00
Update metadata for customerscenario in test docstring

Description:
Update metadata for customerscenario in test docstring to be properly imported in Polarion.

- - - - -
b8b822cc by bsimonova at 2021-01-25T16:28:10+01:00
Revert "Update metadata for customerscenario in test docstring"

This reverts commit 3038c59861acf4f30d5100b1c4d163fa9d5d9085.

- - - - -
4513cc46 by James Chapman at 2021-01-26T10:29:42+00:00
Issue 4396 - Minor memory leak in backend (#4558)

Bug Description: As multiple suffixes per backend were no longer used, this
functionality has been replaced with a single suffix per backend. Legacy
code remains that adds multiple suffixes to the dse internal backend,
resulting in memory allocations that are lost.

Also a minor typo is corrected in backend.c

Fix Description: Calls to be_addsuffix on the DSE backend are removed
as they are never used.

Fixes: https://github.com/389ds/389-ds-base/issues/4396

Reviewed by: mreynolds389, Firstyear, droideck (Thank you)
- - - - -
533c5740 by Mark Reynolds at 2021-01-26T11:17:29-05:00
Issue 5442 - Search results are different between RHDS10 and RHDS11

Bug Description:  In 1.4.x we introduced a change that was overly strict about
                  how a search on a non-existent subtree returned its error code.
                  It was changed from returning an error 32 to an error 0 with
                  zero entries returned.

Fix Description:  When finding the entry and processing acl's make sure to
                  gather the aci's that match the resource even if the resource
                  does not exist.  This requires some extra checks when processing
                  the target attribute.

relates: https://github.com/389ds/389-ds-base/issues/4542

Reviewed by: firstyear, elkris, and tbordaz (Thanks!)

Apply Thierry's changes

round 2

Apply more suggestions from Thierry

- - - - -
fe0f6152 by Simon Pichugin at 2021-01-26T17:50:20+01:00
Issue 4513 - Add DS version check to SSL version test (#4570)

Description: Starting from Fedora 33, cryptographic protocols
(TLS 1.0 and TLS 1.1) were moved to LEGACY
Add a 389-ds-base version check so we don't check for the policies
if DS is newer than 1.4.3.
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2

Relates: #4513

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
abb93243 by tbordaz at 2021-01-26T18:02:44+01:00
Issue 4324 - Performance search rate: change entry cache monitor to recursive pthread mutex (#4569)

Bug description:
	The entry cache is protected with recursive mutex. Currently it is
	implemented using PR_Monitor (NSPR). When the entry cache mutex
	becomes the bottleneck (for example base search searchrate on
	the same entry), using pthread recursive mutex gives 8% benefit.

Fix description:
	Changing the c_mutex from PR_Monitor to pthread recursive mutex

relates: https://github.com/389ds/389-ds-base/issues/4324

Reviewed by: Mark Reynolds, Simon Pichugin

Platforms tested: F31
- - - - -
ba0e91b4 by tbordaz at 2021-01-27T11:58:38+01:00
Issue 4526 - sync_repl: when completing an operation in the pending list, it can select the wrong operation (#4553)

Bug description:
	When an operation completes, it was retrieved in the pending list with
	the address of the Operation structure. In case of POST OP nested operations
	the same address can be reused. So when completing an operation there could be
	a confusion which operation actually completed.
	A second problem is that if an update hits DB_DEADLOCK, the BETXN_PREOP can
	be called several times. During retry, the operation is already in the pending
	list.

Fix description:
	The fix defines a new operation extension (sync_persist_extension_type).
	This operation extension contains an index (idx_pl) of the op_pl in
	the pending list.

	An additional safety fix is to dump the pending list in case it becomes large (>10).
	The pending list is dumped with SLAPI_LOG_PLUGIN.

	When there is a retry (operation extension exists) the call to sync_update_persist_betxn_pre_op
	becomes a NOOP: the operation is not added again in the pending list.

relates: https://github.com/389ds/389-ds-base/issues/4526

Reviewed by: William Brown (Thanks !!)

Platforms tested: F31 & F33
- - - - -
08c83d38 by Akshay Adhikari at 2021-01-27T14:30:01+01:00
Issue 4575 - Update test docstrings metadata

Description: Added customerscenario tag in test metadata for all customer tests cases

Relates: https://github.com/389ds/389-ds-base/issues/4575

Reviewed by: @vashirov

- - - - -
82777382 by Mark Reynolds at 2021-01-27T12:26:19-05:00
Issue 4093 - fix compiler warnings and update doxygen

Description:  Update the doxy file (doxygen), fix compiler warnings
              (x86_64, arm, and s390x), and update Rust cargo file.

relates: https://github.com/389ds/389-ds-base/issues/4093

Reviewed by: firstyear, spichugi, & progier(Thanks!!!)

- - - - -
90c48837 by tbordaz at 2021-01-28T10:39:31+01:00
Issue 4563 - Failure on s390x: 'Fails to split RDN "o=pki-tomcat-CA" into components' (#4573)

Bug description:
	SLAPI_OPERATION_TYPE is stored/read as an int (slapi_pblock_get/set).
	This is despite the storage field being an unsigned long.
	Calling slapi_pblock_get with a long (8 bytes) destination creates
	a problem on big-endian (s390x).

Fix description:
	Define destination op_type as an int (4 bytes)

relates: https://github.com/389ds/389-ds-base/issues/4563

Reviewed by: Mark Reynolds, William Brown

Platforms tested: F31 (little endian), Debian (big endian)
- - - - -
f41fb942 by Viktor Ashirov at 2021-01-29T10:28:44+01:00
Issue 4577 - Add GitHub actions

Add first set of actions to compile project using gcc and clang.

Relates: https://github.com/389ds/389-ds-base/issues/4577

Reviewed by: @firstyear, @droideck

- - - - -
95201aa8 by Barbora Simonova at 2021-01-29T15:04:50+01:00
Issue 4348 - Add tests for dsidm

Description:
Created tests for dsidm user option and enhanced
the src/lib389/lib389/cli_idm/__init__.py and src/lib389/lib389/cli_base/__init__.py
so the output gets caught to topology LogCapture to compare the results.

Relates: https://github.com/389ds/389-ds-base/issues/4348

Reviewed by: droideck (Thanks!)

- - - - -
15109fc0 by tbordaz at 2021-02-01T09:28:25+01:00
Issue 4581 - A failed re-indexing leaves the database in broken state (#4582)

Bug description:
	During reindex the numsubordinates attribute is not updated in parent entries.
	The consequence is that the internal counter job->numsubordinates==0.
	Later when indexing the ancestorid, the server can show the progression of this
	indexing with a ratio using job->numsubordinates==0.
	Division with 0 -> SIGFPE

Fix description:
	if the numsubordinates is NULL, log a message without a division.

relates: https://github.com/389ds/389-ds-base/issues/4581

Reviewed by: Pierre Rogier, Mark Reynolds, Simon Pichugin, Teko Mihinto (thanks !!)

Platforms tested: F31
- - - - -
64167696 by progier389 at 2021-02-01T10:57:10+01:00
Issue 4579 - libasan detects heap-use-after-free in URP test (#4584)


- - - - -
f38b124f by Firstyear at 2021-02-03T09:48:48+10:00
Issue 4588 - BUG - unable to compile without xcrypt (#4589)

Bug Description: If xcrypt is not available, especially on some
distros with older libraries, 389 was unable to build.

Fix Description: Detect if we have xcrypt, and if not, add
stubs that always error instead.

fixes: https://github.com/389ds/389-ds-base/issues/4588

Author: William Brown <william at blackhats.net.au>

Review by: @progier389, @jchapma, @droideck (Thanks!)
- - - - -
4f22163e by Viktor Ashirov at 2021-02-08T17:07:27+01:00
Issue 4577 - Add GitHub actions

Description:

* Update compilation tests to use prebuilt container images
* Add pytest workflow for dirsrvtests

Test suite matrix is generated automatically based
on the contents of the tests suites directory.
Replication test suite is split up further to speed up test
execution.

Relates: https://github.com/389ds/389-ds-base/issues/4577

Reviewed by: ??

- - - - -
90da5570 by tbordaz at 2021-02-09T11:43:42+01:00
Issue 4600 - performance modify rate: reduce lock contention on the object extension factory (#4601)

Bug description:
	object extension factory uses a simple mutex to protect allocation/destroy object.
	This mutex is a NSPR mutex. Using modrate load (entry object), the mutext is the
	second hottest contention. Moving it to pthread mutex moves it down to the fifth
	hotest.
	giving a small throughput benefit (1%)

Fix description:
	Use pthread normal mutex

relates: https://github.com/389ds/389-ds-base/issues/4600

Reviewed by:  Simon Pichugin, William Brown

Platforms tested: RHEL 8.3 and F31
- - - - -
ec2fc845 by Viktor Ashirov at 2021-02-09T11:49:35+01:00
Issue 4571 - Stale libdb-utils dependency

Description:

libdb-utils was used by `verify-db.pl` to work, but it's no longer needed.

Fix Description:

* Remove libdb-utils dependency from the spec file, `index_dump` tool (superseded by `db_scan`).
* Remove outdated changelog section from the spec file.

Reviewed by: @Firstyear, @droideck (Thanks!)

- - - - -
2b176205 by Barbora Simonova at 2021-02-09T13:00:29+01:00
Issue 4348 - Add tests for dsidm

Description:
Fixed missing reason for xfail mark in test_dsidm_user_get_dn.
Replaced print() statements with log.info() in cli_base and cli_idm init files.

Relates: https://github.com/389ds/389-ds-base/issues/4348

Reviewed by: droideck (Thanks!)

- - - - -
b6aae4d8 by Mark Reynolds at 2021-02-10T09:29:31-05:00
Issue 4609 - CVE - info disclosure when authenticating

Description:  If you bind as a user that does not exist.  Error 49 is returned
              instead of error 32.  As error 32 discloses that the entry does
              not exist.  When you bind as an entry that does not have userpassword
              set then error 48 (inappropriate auth) is returned, but this
              discloses that the entry does indeed exist.  Instead we should
              always return error 49, even if the password is not set in the
              entry.  This way we do not disclose to an attacker if the Bind
              DN exists or not.

Relates: https://github.com/389ds/389-ds-base/issues/4609

Reviewed by: tbordaz(Thanks!)

- - - - -
137db805 by progier389 at 2021-02-10T19:18:00+01:00
issue 4612 - Fix pytest fourwaymmr_test for non root user (#4613)


- - - - -
fc69ddb9 by Firstyear at 2021-02-11T15:12:38+10:00
Issue 4591 - RFE - improve openldap_to_ds help and features (#4607)

Bug Description: Improve the --help page, and finish wiring in some
features.

Fix Description: Wire in exclusion of attributes/schema for migration.

fixes: https://github.com/389ds/389-ds-base/issues/4591

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389, @droideck
- - - - -
3e09bff1 by Viktor Ashirov at 2021-02-11T15:26:16+01:00
Issue 4577 - Add GitHub actions

Description:

* Enable IPv6 support for docker daemon
* Set server.example.com as FQDN for container

Relates: https://github.com/389ds/389-ds-base/issues/4577

Reviewed by: @droideck (Thanks!)

- - - - -
946f2048 by Mark Reynolds at 2021-02-11T10:19:25-05:00
Issue 4149 - UI - port TreeView and other components to PF4

Description:  This ports all the TreeViews to PF4, and also does some proof
              of concept changes for PF3 to PF4 migration.  There is much
              more needed, but this does not break anything

relates: https://github.com/389ds/389-ds-base/issues/4149

Reviewed by: spichugi(Thanks!)

- - - - -
20b9ec53 by Jack at 2021-02-12T11:40:05+10:00
Update dscontainer (#4564)

Issue 4564 - RFE - Add suffix to dscontainer rc file

Bug Description: The suffix was not added before, adding a hurdle to
automatic admin of the container instance

Fix Description: If the suffix is set, add it to the created rc file. 

fixes: https://github.com/389ds/389-ds-base/pull/4564

Author: @Jackbennett

Review by: @Firstyear  
- - - - -
66221963 by progier389 at 2021-02-12T12:34:22+01:00
Issue 4469 - Backend redesign phase 3a - bdb dependency removal from back-ldbm

A massive change (https://directory.fedoraproject.org/docs/389ds/design/backend-redesign-phase3.html) that implements and uses the dbimpl API in the backend.
- - - - -
145e27fa by Simon Pichugin at 2021-02-12T13:12:51+01:00
Issue 4593 - RFE - Print help when nsSSLPersonalitySSL is not found (#4614)

Description: RHDS instance will fail to start if the TLS server
certificate nickname doesn't match the value of the configuration
parameter "nsSSLPersonalitySSL".

The mismatch typically happens when customers copy the NSS DB from
a previous instance or export the certificate's data but forget to set
the "nsSSLPersonalitySSL" value accordingly.

Log an additional message which should help a user to set up
nsSSLPersonalitySSL correctly.

Fixes: #4593

Reviewed by: @Firstyear (Thanks!)
- - - - -
a7766ffb by Mark Reynolds at 2021-02-12T12:28:53-05:00
Issue 4324 - Some architectures the cache line size file does not exist

Bug Description:  When optimizing our mutexes we check for a system called
                  coherency_line_size that contains the size value, but if
                  the file did not exist the server would crash in PR_Read
                  (NULL pointer for fd).

Fix Description:  Check PR_Open() was successful before calling PR_Read().

Relates: https://github.com/389ds/389-ds-base/issues/4324

Reviewed by: tbordaz(Thanks!)

- - - - -
07b5a79a by progier389 at 2021-02-12T20:52:48+01:00
Issue 4469 - Backend redesign phase 3a - implement dbimpl API and use it in back-ldbm (#4618)

see design document https://directory.fedoraproject.org/docs/389ds/design/backend-redesign-phase3.html
- - - - -
404e278e by Mark Reynolds at 2021-02-12T15:11:18-05:00
Issue 4615 - log message when psearch first exceeds max threads per conn

Description:  When a connection hits max threads per conn for the first time
              log a message in the error.  This will help customers diagnose
              misbehaving clients.

Fixes: https://github.com/389ds/389-ds-base/issues/4615

Reviewed by: progier389(Thanks!)

- - - - -
53075a88 by Mark Reynolds at 2021-02-12T15:16:12-05:00
Issue 4619 - remove pytest requirement from lib389

Description:  Remove the requirement for pytest from lib389, it causes
              unneeded package requirements on Fedora/RHEL.

Fixes: https://github.com/389ds/389-ds-base/issues/4619

Reviewed by: mreynolds(one line commit rule)

- - - - -
a355b30b by Mark Reynolds at 2021-02-12T15:28:16-05:00
Bump version to 2.0.3

- - - - -
a2af7c54 by Mark Reynolds at 2021-02-17T20:14:01-05:00
Issue 4513 - CI - make acl ip address tests more robust

Description:  The tests assume the system is using IPv6 loopback address, but it
              should still check for IPv4 loopback.

Relates: https://github.com/389ds/389-ds-base/issues/4513

Reviewed by: ?

- - - - -
845e0f9f by Barbora Simonova at 2021-02-18T10:38:26+01:00
Issue 2820 - Fix CI test suite issues

Description:
tickets/ticket48961_test.py was failing in CI nightly runs.
Fixed the failure by changing the code to use DSLdapObject
and moved the code into the config test suite.

Relates: https://github.com/389ds/389-ds-base/issues/2820

Reviewed by: droideck (Thanks!)

- - - - -
0f2b46ea by Mark Reynolds at 2021-02-19T08:45:36-05:00
Issue 4169 - UI - port charts to PF4

Description:  Ported the charts under the monitor tab to use PF4 sparkline charts
              and provide realtime stats on the caches.

Relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

- - - - -
2108b4f6 by James Chapman at 2021-02-19T16:32:22+00:00
Issue 4595 - Paged search lookthroughlimit bug (#4602)

Bug Description: During a paged search with lookthroughlimit enabled,
lookthroughcount is used to keep track of how many entries are
examined. A paged search reads ahead one entry to catch the end of the
search so it doesn't show the prompt when there are no more entries.
lookthroughcount doesn't take read ahead into account when tracking
how many entries have been examined.

Fix Description: Keep lookthroughcount in sync with read ahead by
decrementing it during read ahead roll back.

Fixes: https://github.com/389ds/389-ds-base/issues/4595

Relates: https://github.com/389ds/389-ds-base/issues/4513

Reviewed by: droideck, mreynolds389, Firstyear, progier389 (Many thanks)
- - - - -
66b92a3f by Mark Reynolds at 2021-02-19T17:24:35-05:00
Issue 4169 - UI - Migrate Accordions to PF4 ExpandableSection

Description:  Replace all the CustomCollapse components with PF4
              ExpandableSection component.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

- - - - -
1c6adb37 by Mark Reynolds at 2021-02-22T16:21:02-05:00
Issue 4169 - UI - Migrate alerts to PF4

Description:  Migrate the toast notifications to PF4 Alerts.

              Also fixed a refresh problem on the Tuning page.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

- - - - -
9bdd9ec3 by tbordaz at 2021-02-23T08:58:37+01:00
Issue 4649 - crash in sync_repl when a MODRDN create a cenotaph (#4652)

Bug description:
	When an operation is flagged OP_FLAG_NOOP, it skips BETXN plugins but calls POST plugins.
	For sync_repl, betxn (sync_update_persist_betxn_pre_op) creates an operation extension to be
	consumed by the post (sync_update_persist_op). In case of OP_FLAG_NOOP, there is no
	operation extension.

Fix description:
	Test that the operation is OP_FLAG_NOOP if the operation extension is missing

relates: https://github.com/389ds/389-ds-base/issues/4649

Reviewed by: William Brown (thanks)

Platforms tested: F31
- - - - -
f581979f by tbordaz at 2021-02-23T13:42:31+01:00
Issue 4644 - Large updates can reset the CLcache to the beginning of the changelog (#4647)

Bug description:
	The replication agreements are using bulk load to load updates.
	For bulk load it uses a cursor with DB_MULTIPLE_KEY and DB_NEXT.
	Before using the cursor, it must be initialized with DB_SET.

	If during the cursor/DB_SET the CSN refers to an update that is larger than
	the size of the provided buffer, then the cursor remains not initialized and
	c_get returns DB_BUFFER_SMALL.

	The consequence is that the next c_get(DB_MULTIPLE_KEY and DB_NEXT) will return the
	first record in the changelog DB. This breaks CLcache.

Fix description:
	The fix is to harden cursor initialization so that if DB_SET fails
	because of DB_BUFFER_SMALL, it reallocates buf_data and retries a DB_SET.
	If DB_SET can not be initialized it logs a warning.

	The patch also changes the behaviour of the fix #4492.
	#4492 detected a massive (1day) jump prior the starting csn and ended the
	replication session. If the jump was systematic, for example
	if the CLcache got broken because of a too large updates, then
	replication was systematically stopped.
	This patch suppresses the systematic stop, letting RA do a big jump.
	From #4492 only remains the warning.

relates: https://github.com/389ds/389-ds-base/issues/4644

Reviewed by: Pierre Rogier (Thanks !!!!)

Platforms tested: F31
- - - - -
60e35aac by Mark Reynolds at 2021-02-23T11:52:38-05:00
Issue 4646 - CLI/UI - revise DNA plugin management

Bug Description:

There was a false assumption that you have to create the shared DNA
server configuration entry, but in fact the server creates and manages
this entry.  The only thing you should edit in this entry are the
remote Bind Method and Connection Protocol.

Fix Description:

Remove the options to create the shared config entry, and edit the
core/reserved attributes.

Also fixed some issues where we were not showing CLI plugin output in
proper JSON.  This required some changes to the UI as well.

Relates: https://github.com/389ds/389-ds-base/issues/4646

Reviewed by: spichugi(Thanks!)

- - - - -
e9b4eb59 by Simon Pichugin at 2021-02-26T15:54:29+01:00
Issue 4643 - Add a tool that generates Rust dependencies for a specfile (#4645)

Description: The Fedora builds of 389-DS uses the vendored crates
to build the official packages for Rawhide. Vendoring and bundling
dependencies is in violation of Fedora policies. As an upstream project
we are free to ship vendored code. But as a downstream Fedora project
we must not use the vendored code.

Add a tool that will help to generate 'Provides: bundled(crate(foo)) = version'
for Cargo.lock file content.
Replace License field which should contain all of the package licenses
we bundle in the specfile.

Fixes: https://github.com/389ds/389-ds-base/issues/4643

Reviewed by: @Firstyear, @decathorpe, @mreynolds389 (Thanks!)
- - - - -
aefc1acb by progier389 at 2021-03-08T21:12:57+01:00
issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin (#4622)

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin

Merge of a fix in cl5_clcache.c (changelog cache restarts from beginning if large update)
Rebase with master

* Issue 4469 - Backend redesign phase 3a - implement dbimpl API and use it in back-ldbm - fix test_maxbersize_repl pytest failure

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin - fix indent issue

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin - fix merge issue

manual Merge of fix about changelog cache iteration restarting from beginning in case of large update + automatic rebase to master

* Issue 4552 - Backend redesign phase 3b - fix indent issue + random crash and memory leak in tombstone handling
- - - - -
c25d385f by Mark Reynolds at 2021-03-09T12:37:20-05:00
Merge pull request #4664 from mreynolds389/issue4663

Issue 4663 - CLI - unable to add objectclass/attribute without x-origin
- - - - -
714add9e by Firstyear at 2021-03-10T12:45:36+10:00
Issue 4659 - restart after openldap migration to enable plugins (#4660)

Bug Description: Rather than requesting the user to do the fixup
which also relies on them to know to restart after enabling the
plugins, we should restart and do the fixup.

Fix Description: Restart before we do post tasks.

fixes: https://github.com/389ds/389-ds-base/issues/4659

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 
- - - - -
cf0eb4dd by Firstyear at 2021-03-10T12:59:11+10:00
Issue 4661 - RFE - allow importing openldap schemas (#4662)

Bug Description: Many applications only publish schemas in
openldap formats. We should be able to import them.

Fix Description: Add a dsconf tool that allows online
importing of these schemas. This uses the migration framework
underneath so that we avoid code duplication.

fixes: https://github.com/389ds/389-ds-base/issues/4661

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 (Thanks!)
- - - - -
19eb28db by Mark Reynolds at 2021-03-10T10:37:03-05:00
Issue 4656 - Remove problematic language from UI/CLI/lib389

Description:  Replace "master" and "slave" with more appropriate names

relates: https://github.com/389ds/389-ds-base/issues/4656

Reviewed by: firstyear(Thanks!)

- - - - -
f3c13129 by Mark Reynolds at 2021-03-11T08:50:31-05:00
Issue 4459 - lib389 - Default paths should use dse.ldif if the server is down

Bug Description:  If a custom path is used for something like the backup directory,
                  dsctl will still use the default path from defaults.inf.

Fix Description:  When initializing the default Paths consult dse.ldif for some
                  of the paths.

relates: https://github.com/389ds/389-ds-base/issues/4459

Reviewed by: firstyear(Thanks!)

- - - - -
d5fdea90 by Mark Reynolds at 2021-03-11T10:12:46-05:00
Issue 4656 - remove problematic language from ds-replcheck

Description: remove master from ds-replcheck and replace it with supplier

relates: https://github.com/389ds/389-ds-base/issues/4656

Reviewed by: mreynolds

e with '#' will be ignored, and an empty message aborts the commit.

- - - - -
1827c76d by Mark Reynolds at 2021-03-15T16:50:37-04:00
Issue 4169 - UI - migrate modals to PF4

Description:  Updated the Modals to PF4.  Also had to redesign DNA and
              Managed Entry plugin pages.  Other minor improvements were
              made.

Relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

- - - - -
47a23847 by Mark Reynolds at 2021-03-15T23:31:01-04:00
Issue 4658 - monitor - connection start date is incorrect

Description:  The connection start time was incorrectly set to a
              MONOTONIC time instead of a REALTIME.  This just sets
              the start time to REALTIME and the "idletimeout" to
              MONOTONIC as originally intended.

Relates: https://github.com/389ds/389-ds-base/issues/4658

Reviewed by: mreynolds (one line commit rule)

- - - - -
aec1b449 by Mark Reynolds at 2021-03-16T09:53:53-04:00
Issue 4673 - Update Rust crates

Description:  Update the bare minimum rust dependencies so that a build will complete

Relates: https://github.com/389ds/389-ds-base/issues/4673

Reviewed by: mreynolds

- - - - -
e5da97bf by Mark Reynolds at 2021-03-17T09:48:25-04:00
Issue 4229 - Fix Rust linking

Description:  Fixed a build problem related to:
                  - undefined reference to symbol
                  - error adding symbols: DSO missing from command line

Relates: https://github.com/389ds/389-ds-base/issues/4229

Reviewed by: mreynolds

- - - - -
06db4a85 by Gilbert Kimetto at 2021-03-17T10:52:17-04:00
Issue  4654  Updates to tickets/ticket48234_test.py  (#4654)

* IDMDS-1068 Update failing ticket48234_test.py test

* IDMDS-1068 Update failing ticket48234_test.py test

* [INTEROP-4009] CodeReady Studio on OpenShift - Run locally

* [INTEROP-4009] CodeReady Studio on OpenShift - Run locally

* [IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* [IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* [IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* [IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* [IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4654 Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4654 - Updates to tickets/ticket48234_test.py

Bug Description:

Update to tickets/ticket48234_test.py which are currently failing and using
soon to be obsolete classes

Fix Description:

Updated tickets/ticket48234_test.py and ported to the suites directory
Updated to utilise the DSLDAPObject class methods

relates: <The Issue URL>

Author: Gilbert Kimetto

Reviewed by: ???
IDMDS-1068 Update failing ticket48234_test.py test

[INTEROP-4009] CodeReady Studio on OpenShift - Run locally

[INTEROP-4009] CodeReady Studio on OpenShift - Run locally

[IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

[IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4609 - CVE - info disclosure when authenticating

Description:  If you bind as a user that does not exist.  Error 49 is returned
              instead of error 32.  As error 32 discloses that the entry does
              not exist.  When you bind as an entry that does not have userpassword
              set then error 48 (inappropriate auth) is returned, but this
              discloses that the entry does indeed exist.  Instead we should
              always return error 49, even if the password is not set in the
              entry.  This way we do not disclose to an attacker if the Bind
              DN exists or not.

Relates: https://github.com/389ds/389-ds-base/issues/4609

Reviewed by: tbordaz(Thanks!)

* issue 4612 - Fix pytest fourwaymmr_test for non root user (#4613)

* Issue 4591 - RFE - improve openldap_to_ds help and features (#4607)

Bug Description: Improve the --help page, and finish wiring in some
features.

Fix Description: Wire in exclusion of attributes/schema for migration.

fixes: https://github.com/389ds/389-ds-base/issues/4591

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389, @droideck

* Issue 4577 - Add GitHub actions

Description:

* Enable IPv6 support for docker daemon
* Set server.example.com as FQDN for container

Relates: https://github.com/389ds/389-ds-base/issues/4577

Reviewed by: @droideck (Thanks!)

* Issue 4149 - UI - port TreeView and other components to PF4

Description:  This ports all the TreeViews to PF4, and also does some proof
              of concept changes for PF3 to PF4 migration.  There is much
              more needed, but this does not break anything

relates: https://github.com/389ds/389-ds-base/issues/4149

Reviewed by: spichugi(Thanks!)

* Update dscontainer (#4564)

Issue 4564 - RFE - Add suffix to dscontainer rc file

Bug Description: The suffix was not added before, adding a hurdle to
automatic admin of the container instance

Fix Description: If the suffix is set, add it to the created rc file. 

fixes: https://github.com/389ds/389-ds-base/pull/4564

Author: @Jackbennett

Review by: @Firstyear

* Issue 4469 - Backend redesign phase 3a - bdb dependency removal from back-ldbm

A massive change (https://directory.fedoraproject.org/docs/389ds/design/backend-redesign-phase3.html) that implements and use the dbimpl API in the backend.

* Issue 4593 - RFE - Print help when nsSSLPersonalitySSL is not found (#4614)

Description: RHDS instance will fail to start if the TLS server
certificate nickname doesn't match the value of the configuration
parameter "nsSSLPersonalitySSL".

The mismatch typically happens when customers copy the NSS DB from
a previous instance or export the certificate's data but forget to set
the "nsSSLPersonalitySSL" value accordingly.

Log an additional message which should help a user to set up
nsSSLPersonalitySSL correctly.

Fixes: #4593

Reviewed by: @Firstyear (Thanks!)

* Issue 4324 - Some architectures the cache line size file does not exist

Bug Description:  When optimizing our mutexes we check for a system called
                  coherency_line_size that contains the size value, but if
                  the file did not exist the server would crash in PR_Read
                  (NULL pointer for fd).

Fix Description:  Check PR_Open() was successful before calling PR_Read().

Relates: https://github.com/389ds/389-ds-base/issues/4324

Reviewed by: tbordaz(Thanks!)

* Issue 4469 - Backend redesign phase 3a - implement dbimpl API and use it in back-ldbm (#4618)

see design document https://directory.fedoraproject.org/docs/389ds/design/backend-redesign-phase3.html

* Issue 4615 - log message when psearch first exceeds max threads per conn

Description:  When a connection hits max threads per conn for the first time
              log a message in the error.  This will help customers diagnose
              misbehaving clients.

Fixes: https://github.com/389ds/389-ds-base/issues/4615

Reviewed by: progier389(Thanks!)

* Issue 4619 - remove pytest requirement from lib389

Description:  Remove the requirement for pytest from lib389, it causes
              unneeded package requirements on Fedora/RHEL.

Fixes: https://github.com/389ds/389-ds-base/issues/4619

Reviewed by: mreynolds(one line commit rule)

* Bump version to 2.0.3

* Issue 4513 - CI - make acl ip address tests more robust

Description:  The tests assume the system is using IPv6 loopback address, but it
              should still check for IPv4 loopback.

Relates: https://github.com/389ds/389-ds-base/issues/4513

Reviewed by: ?

* Issue 2820 - Fix CI test suite issues

Description:
tickets/ticket48961_test.py was failing in CI nightly runs.
Fixed the failure by changing the code to use DSLdapObject
and moved the code into the config test suite.

Relates: https://github.com/389ds/389-ds-base/issues/2820

Reviewed by: droideck (Thanks!)

* Issue 4169 - UI - port charts to PF4

Description:  Ported the charts under the monitor tab to use PF4 sparkline charts
              and provide realtime stats on the caches.

Relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

* Issue 4595 - Paged search lookthroughlimit bug (#4602)

Bug Description: During a paged search with lookthroughlimit enabled,
lookthroughcount is used to keep track of how many entries are
examined. A paged search reads ahead one entry to catch the end of the
search so it doesn't show the prompt when there are no more entries.
lookthroughcount doesn't take read ahead into account when tracking
how many entries have been examined.

Fix Description: Keep lookthroughcount in sync with read ahead by
decrementing it during read ahead roll back.

Fixes: https://github.com/389ds/389-ds-base/issues/4595

Relates: https://github.com/389ds/389-ds-base/issues/4513

Reviewed by: droideck, mreynolds389, Firstyear, progier389 (Many thanks)

* Issue 4169 - UI - Migrate Accordions to PF4 ExpandableSection

Description:  Replace all the CustomCollapse components with PF4
              ExpandableSection component.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

[IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4169 - UI - Migrate alerts to PF4

Description:  Migrate the toast notifications to PF4 Alerts.

              Also fixed a refresh problem on the Tuning page.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

* Issue 4649 - crash in sync_repl when a MODRDN create a cenotaph (#4652)

Bug description:
	When an operation is flagged OP_FLAG_NOOP, it skips BETXN plugins but calls POST plugins.
	For sync_repl, betxn (sync_update_persist_betxn_pre_op) creates an operation extension to be
	consumed by the post (sync_update_persist_op). In case of OP_FLAG_NOOP, there is no
	operation extension.

Fix description:
	Test that the operation is OP_FLAG_NOOP if the operation extension is missing

relates: https://github.com/389ds/389-ds-base/issues/4649

Reviewed by: William Brown (thanks)

Platforms tested: F31

* Issue 4644 - Large updates can reset the CLcache to the beginning of the changelog (#4647)

Bug description:
	The replication agreements are using bulk load to load updates.
	For bulk load it uses a cursor with DB_MULTIPLE_KEY and DB_NEXT.
	Before using the cursor, it must be initialized with DB_SET.

	If during the cursor/DB_SET the CSN refers to an update that is larger than
	the size of the provided buffer, then the cursor remains not initialized and
	c_get returns DB_BUFFER_SMALL.

	The consequence is that the next c_get(DB_MULTIPLE_KEY and DB_NEXT) will return the
	first record in the changelog DB. This breaks CLcache.

Fix description:
	The fix is to harden cursor initialization so that if DB_SET fails
	because of DB_BUFFER_SMALL, it reallocates buf_data and retries a DB_SET.
	If DB_SET can not be initialized it logs a warning.

	The patch also changes the behaviour of the fix #4492.
	#4492 detected a massive (1day) jump prior the starting csn and ended the
	replication session. If the jump was systematic, for example
	if the CLcache got broken because of a too large updates, then
	replication was systematically stopped.
	This patch suppresses the systematic stop, letting RA do a big jump.
	From #4492 only remains the warning.

relates: https://github.com/389ds/389-ds-base/issues/4644

Reviewed by: Pierre Rogier (Thanks !!!!)

Platforms tested: F31

* Issue 4646 - CLI/UI - revise DNA plugin management

Bug Description:

There was a false assumption that you have to create the shared DNA
server configuration entry, but in fact the server creates and manages
this entry.  The only thing you should edit in this entry are the
remote Bind Method and Connection Protocol.

Fix Description:

Remove the options to create the shared config entry, and edit the
core/reserved attributes.

Also fixed some issues where we were not showing CLI plugin output in
proper JSON.  This required some changes to the UI as well.

Relates: https://github.com/389ds/389-ds-base/issues/4646

Reviewed by: spichugi(Thanks!)

[IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

[IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4643 - Add a tool that generates Rust dependencies for a specfile (#4645)

Description: The Fedora builds of 389-DS uses the vendored crates
to build the official packages for Rawhide. Vendoring and bundling
dependencies is in violation of Fedora policies. As an upstream project
we are free to ship vendored code. But as a downstream Fedora project
we must not use the vendored code.

Add a tool that will help to generate 'Provides: bundled(crate(foo)) = version'
for Cargo.lock file content.
Replace License field which should contain all of the package licenses
we bundle in the specfile.

Fixes: https://github.com/389ds/389-ds-base/issues/4643

Reviewed by: @Firstyear, @decathorpe, @mreynolds389 (Thanks!)

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin (#4622)

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin

Merge of a fix in cl5_clcache.c (changelog cache restarts from beginning if large update)
Rebase with master

* Issue 4469 - Backend redesign phase 3a - implement dbimpl API and use it in back-ldbm - fix test_maxbersize_repl pytest failure

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin - fix indent issue

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin - fix merge issue

manual Merge of fix about changelog cache iteration restarting from beginning in case of large update + automatic rebase to master

* Issue 4552 - Backend redesign phase 3b - fix indent issue + random crash and memory leak in tombstone handling

* Merge pull request #4664 from mreynolds389/issue4663

Issue 4663 - CLI - unable to add objectclass/attribute without x-origin

Issue 4654 Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4654 Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4654 - Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

Bug Description:

- Update ticket48234_test.py to verify tests on RHEL 7/8 and Fedora
- Update deprecated "*_s" methods to leverage the DSLDAPObject class
- Move test from the current location in ../tickets to appropriate ../suites/aci/* directory

Fix Description:
- Issue 4654 Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

relates:

Author: Gilbert Kimetto

Reviewed by: ???

Co-authored-by: Mark Reynolds <mreynolds at redhat.com>
Co-authored-by: progier389 <progier at redhat.com>
Co-authored-by: Firstyear <william at blackhats.net.au>
Co-authored-by: Viktor Ashirov <vashirov at redhat.com>
Co-authored-by: Jack <me at jackben.net>
Co-authored-by: Simon Pichugin <spichugi at redhat.com>
Co-authored-by: Barbora Simonova <bsmejkal at redhat.com>
Co-authored-by: James Chapman <jachapma at redhat.com>
Co-authored-by: tbordaz <tbordaz at redhat.com>
- - - - -
6def0ac9 by progier389 at 2021-03-18T12:34:04+01:00
Issue 4648 - Fix some issues and improvement around CI tests (#4651)

* Issue 4648 - Fix some issues and improvement around CI tests

* Issue 4648 - Fix some issues and improvement around CI tests
- - - - -
e249c0dd by Mark Reynolds at 2021-03-18T09:16:18-04:00
Issue 4169 - UI - Add PF4 charts for server stats

Description:  Added charts for current connections (that does NOT use cn=monitor),
              server memory size and CPU usage.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi & tmihinto (Thanks!!)

- - - - -
72726e42 by Mark Reynolds at 2021-03-18T13:17:43-04:00
Issue 4671 - UI - Fix browser crashes

Description:  if schema attributes were missing x-origin it would crash the browser,
              and in Monitor -> Replication, if the replication agreement is in an
              odd state, and the lag was not computable, it could also crash the UI.

Relates: https://github.com/389ds/389-ds-base/issues/4671

Reviewed by: mreynolds (one line commit rule)

- - - - -
8069de9c by Firstyear at 2021-03-24T08:59:15+10:00
Issue 4666 - BUG - cb_ping_farm can fail with anonymous binds disabled (#4669)

Bug Description: cb_ping_farm had a combination of issues that made it
possible to fail in high load or odd situations. First it used anonymous
binds instead of the same credentials as the chaining process. Second
it used a NULL search DN, meaning it would use the default BASE configured
in /etc/openldap/ldap.conf. Depending on per-site configuration this
could cause the cb_ping_farm check to fail infinitely until restart
of the instance.

Fix Description: Change chaining cb_ping_farm to bind with the same
credentials as the chaining configuration, and change the target base
dn to the DN of the suffix that we are chaining to.

fixes: https://github.com/389ds/389-ds-base/issues/4666

Author: William Brown <william at blackhats.net.au>

Review by: @progier389 
- - - - -
741e7a72 by Akshay Adhikari at 2021-03-24T16:22:23+01:00
Issue 4127 - With Accounts/Account module delete function is not working (#4697)

Description: Added a test to verify delete function is working with Accounts/Account

Relates: https://github.com/389ds/389-ds-base/issues/4127

Reviewed by: @droideck
- - - - -
0c51de73 by Barbora Simonova at 2021-03-29T18:04:14+02:00
Issue 3585 - LDAP server returning controltype in different sequence

Description:
Added a test to check sequence of ldap controlType returned
when there are remaining or exhausted grace login.
Automation was not possible until now because of bug 1757699 in python-ldap
where no controls were returned in the error message after exception was raised
with exhausted grace login. The bug is fixed now.

Relates: https://github.com/389ds/389-ds-base/issues/3585

Reviewed by: droideck (Thanks!)

- - - - -
ed477340 by Mark Reynolds at 2021-03-29T15:19:53-04:00
Issue 4706 - negative wtime in access log for CMP operations

Description:  We forgot to set the start time for compare operations,
              this led to invalid values in the access log for optime
              and wtime.

relates: https://github.com/389ds/389-ds-base/issues/4706

Reviewed by: mreynolds (one line commit rule)

- - - - -
54db3f7d by Mark Reynolds at 2021-03-29T21:04:29-04:00
Issue 2736 - https://github.com/389ds/389-ds-base/issues/2736

Description:  Adjust perl and python scripts shebangs to be absolute values

relates: https://github.com/389ds/389-ds-base/issues/2736

Reviewed by: firstyear(Thanks!)

- - - - -
ecd7e71d by Mark Reynolds at 2021-03-30T13:50:10-04:00
Issue 2736 - remove remaining perl references

Description:  Remove all perl shebang mangling code.

relates: https://github.com/389ds/389-ds-base/issues/2736

Reviewed by: mreynolds

- - - - -
29ee6d2e by progier389 at 2021-03-31T14:59:23+02:00
issue 4585 - backend redesign phase 3c - dbregion test removal (#4665)

* issue 4585 - backend redesign phase 3c - dbregion test removal

* Issue 4585 - backend redesign phase 3c - dbregion test removal

* Issue 4585 - Backend redesign phase 3c -  remove import_lock_fd
- - - - -
e4dfa12b by Mark Reynolds at 2021-03-31T09:30:46-04:00
Issue 4169 - UI - migrate monitor tables to PF4

Description:  Migrate from PF3 tables to PF4 tables.  This patch mostly
              handles the tables under the monitor tab, but there are many
              more tables that need migrating.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

- - - - -
ba598c79 by Gilbert Kimetto at 2021-04-01T10:20:28-04:00
Issue 3965 - RFE - Implement the Password Policy attribute "pwdReset" (#4710)

* IDMDS-1068 Update failing ticket48234_test.py test

* IDMDS-1068 Update failing ticket48234_test.py test

* [INTEROP-4009] CodeReady Studio on OpenShift - Run locally

* [INTEROP-4009] CodeReady Studio on OpenShift - Run locally

* [IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* [IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* [IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* [IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* [IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4654 Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4654 - Updates to tickets/ticket48234_test.py

Bug Description:

Update to tickets/ticket48234_test.py which are currently failing and using
soon to be obsolete classes

Fix Description:

Updated tickets/ticket48234_test.py and ported to the suites directory
Updated to utilise the DSLDAPObject class methods

relates: <The Issue URL>

Author: Gilbert Kimetto

Reviewed by: ???
IDMDS-1068 Update failing ticket48234_test.py test

[INTEROP-4009] CodeReady Studio on OpenShift - Run locally

[INTEROP-4009] CodeReady Studio on OpenShift - Run locally

[IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

[IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4609 - CVE - info disclosure when authenticating

Description:  If you bind as a user that does not exist.  Error 49 is returned
              instead of error 32.  As error 32 discloses that the entry does
              not exist.  When you bind as an entry that does not have userpassword
              set then error 48 (inappropriate auth) is returned, but this
              discloses that the entry does indeed exist.  Instead we should
              always return error 49, even if the password is not set in the
              entry.  This way we do not disclose to an attacker if the Bind
              DN exists or not.

Relates: https://github.com/389ds/389-ds-base/issues/4609

Reviewed by: tbordaz(Thanks!)

* issue 4612 - Fix pytest fourwaymmr_test for non root user (#4613)

* Issue 4591 - RFE - improve openldap_to_ds help and features (#4607)

Bug Description: Improve the --help page, and finish wiring in some
features.

Fix Description: Wire in exclusion of attributes/schema for migration.

fixes: https://github.com/389ds/389-ds-base/issues/4591

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389, @droideck

* Issue 4577 - Add GitHub actions

Description:

* Enable IPv6 support for docker daemon
* Set server.example.com as FQDN for container

Relates: https://github.com/389ds/389-ds-base/issues/4577

Reviewed by: @droideck (Thanks!)

* Issue 4149 - UI - port TreeView and other components to PF4

Description:  This ports all the TreeViews to PF4, and also does some proof
              of concept changes for PF3 to PF4 migration.  There is much
              more needed, but this does not break anything

relates: https://github.com/389ds/389-ds-base/issues/4149

Reviewed by: spichugi(Thanks!)

* Update dscontainer (#4564)

Issue 4564 - RFE - Add suffix to dscontainer rc file

Bug Description: The suffix was not added before, adding a hurdle to
automatic admin of the container instance

Fix Description: If the suffix is set, add it to the created rc file. 

fixes: https://github.com/389ds/389-ds-base/pull/4564

Author: @Jackbennett

Review by: @Firstyear

* Issue 4469 - Backend redesign phase 3a - bdb dependency removal from back-ldbm

A massive change (https://directory.fedoraproject.org/docs/389ds/design/backend-redesign-phase3.html) that implements and use the dbimpl API in the backend.

* Issue 4593 - RFE - Print help when nsSSLPersonalitySSL is not found (#4614)

Description: RHDS instance will fail to start if the TLS server
certificate nickname doesn't match the value of the configuration
parameter "nsSSLPersonalitySSL".

The mismatch typically happens when customers copy the NSS DB from
a previous instance or export the certificate's data but forget to set
the "nsSSLPersonalitySSL" value accordingly.

Log an additional message which should help a user to set up
nsSSLPersonalitySSL correctly.

Fixes: #4593

Reviewed by: @Firstyear (Thanks!)

* Issue 4324 - Some architectures the cache line size file does not exist

Bug Description:  When optimizing our mutexes we check for a system called
                  coherency_line_size that contains the size value, but if
                  the file did not exist the server would crash in PR_Read
                  (NULL pointer for fd).

Fix Description:  Check PR_Open() was successful before calling PR_Read().

Relates: https://github.com/389ds/389-ds-base/issues/4324

Reviewed by: tbordaz(Thanks!)

* Issue 4469 - Backend redesign phase 3a - implement dbimpl API and use it in back-ldbm (#4618)

see design document https://directory.fedoraproject.org/docs/389ds/design/backend-redesign-phase3.html

* Issue 4615 - log message when psearch first exceeds max threads per conn

Description:  When a connection hits max threads per conn for the first time
             log a message in the error.  This will help customers diagnose
             misbehaving clients.

Fixes: https://github.com/389ds/389-ds-base/issues/4615

Reviewed by: progier389(Thanks!)

* Issue 4619 - remove pytest requirement from lib389

Description:  Remove the requirement for pytest from lib389, it causes
              unneeded package requirements on Fedora/RHEL.

Fixes: https://github.com/389ds/389-ds-base/issues/4619

Reviewed by: mreynolds(one line commit rule)

* Bump version to 2.0.3

* Issue 4513 - CI - make acl ip address tests more robust

Description:  The tests assume the system is using IPv6 loopback address, but it
              should still check for IPv4 loopback.

Relates: https://github.com/389ds/389-ds-base/issues/4513

Reviewed by: ?

* Issue 2820 - Fix CI test suite issues

Description:
tickets/ticket48961_test.py was failing in CI nightly runs.
Fixed the failure by changing the code to use DSLdapObject
and moved the code into the config test suite.

Relates: https://github.com/389ds/389-ds-base/issues/2820

Reviewed by: droideck (Thanks!)

* Issue 4169 - UI - port charts to PF4

Description:  Ported the charts under the monitor tab to use PF4 sparkline charts
              and provide realtime stats on the caches.

Relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

* Issue 4595 - Paged search lookthroughlimit bug (#4602)

Bug Description: During a paged search with lookthroughlimit enabled,
lookthroughcount is used to keep track of how many entries are
examined. A paged search reads ahead one entry to catch the end of the
search so it doesn't show the prompt when there are no more entries.
lookthroughcount doesn't take read ahead into account when tracking
how many entries have been examined.

Fix Description: Keep lookthroughcount in sync with read ahead by
decrementing it during read ahead roll back.

Fixes: https://github.com/389ds/389-ds-base/issues/4595

Relates: https://github.com/389ds/389-ds-base/issues/4513

Reviewed by: droideck, mreynolds389, Firstyear, progier389 (Many thanks)

* Issue 4169 - UI - Migrate Accordions to PF4 ExpandableSection

Description:  Replace all the CustomCollapse components with PF4
              ExpandableSection component.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

[IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4169 - UI - Migrate alerts to PF4

Description:  Migrate the toast notifications to PF4 Alerts.

              Also fixed a refresh problem on the Tuning page.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

* Issue 4649 - crash in sync_repl when a MODRDN create a cenotaph (#4652)

Bug description:
	When an operation is flagged OP_FLAG_NOOP, it skips BETXN plugins but calls POST plugins.
	For sync_repl, betxn (sync_update_persist_betxn_pre_op) creates an operation extension to be
	consumed by the post (sync_update_persist_op). In case of OP_FLAG_NOOP, there is no
	operation extension.

Fix description:
	Test that the operation is OP_FLAG_NOOP if the operation extension is missing

relates: https://github.com/389ds/389-ds-base/issues/4649

Reviewed by: William Brown (thanks)

Platforms tested: F31

* Issue 4644 - Large updates can reset the CLcache to the beginning of the changelog (#4647)

Bug description:
	The replication agreements are using bulk load to load updates.
	For bulk load it uses a cursor with DB_MULTIPLE_KEY and DB_NEXT.
	Before using the cursor, it must be initialized with DB_SET.

	If during the cursor/DB_SET the CSN refers to an update that is larger than
	the size of the provided buffer, then the cursor remains not initialized and
	c_get returns DB_BUFFER_SMALL.

	The consequence is that the next c_get(DB_MULTIPLE_KEY and DB_NEXT) will return the
	first record in the changelog DB. This breaks CLcache.

Fix description:
	The fix is to harden cursor initialization so that if DB_SET fails
	because of DB_BUFFER_SMALL, it reallocates buf_data and retries a DB_SET.
	If DB_SET can not be initialized it logs a warning.

	The patch also changes the behaviour of the fix #4492.
	#4492 detected a massive (1day) jump prior to the starting csn and ended the
	replication session. If the jump was systematic, for example
	if the CLcache got broken because of a too large update, then
	replication was systematically stopped.
	This patch suppresses the systematic stop, letting the RA do a big jump.
	From #4492 only remains the warning.

relates: https://github.com/389ds/389-ds-base/issues/4644

Reviewed by: Pierre Rogier (Thanks !!!!)

Platforms tested: F31

* Issue 4646 - CLI/UI - revise DNA plugin management

Bug Description:

There was a false assumption that you have to create the shared DNA
server configuration entry, but in fact the server creates and manages
this entry.  The only thing you should edit in this entry are the
remote Bind Method and Connection Protocol.

Fix Description:

Remove the options to create the shared config entry, and edit the
core/reserved attributes.

Also fixed some issues where we were not showing CLI plugin output in
proper JSON.  This required some changes to the UI as well.

Relates: https://github.com/389ds/389-ds-base/issues/4646

Reviewed by: spichugi(Thanks!)

[IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

[IDMDS-1068] Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4643 - Add a tool that generates Rust dependencies for a specfile (#4645)

Description: The Fedora builds of 389-DS uses the vendored crates
to build the official packages for Rawhide. Vendoring and bundling
dependencies is in violation of Fedora policies. As an upstream project
we are free to ship vendored code. But as a downstream Fedora project
we must not use the vendored code.

Add a tool that will help to generate 'Provides: bundled(crate(foo)) = version'
for Cargo.lock file content.
Replace License field which should contain all of the package licenses
we bundle in the specfile.

Fixes: https://github.com/389ds/389-ds-base/issues/4643

Reviewed by: @Firstyear, @decathorpe, @mreynolds389 (Thanks!)

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin (#4622)

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin

Merge of a fix in cl5_clcache.c (changelog cache restarts from beginning if large update)
Rebase with master

* Issue 4469 - Backend redesign phase 3a - implement dbimpl API and use it in back-ldbm - fix test_maxbersize_repl pytest failure

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin - fix indent issue

* issue 4552 - Backup Redesign phase 3b - use dbimpl in replication plugin - fix merge issue

manual Merge of fix about changelog cache iteration restarting from beginning in case of large update + automatic rebase to master

* Issue 4552 - Backend redesign phase 3b - fix indent issue + random crash and memory leak in tombstone handling

* Merge pull request #4664 from mreynolds389/issue4663

Issue 4663 - CLI - unable to add objectclass/attribute without x-origin

Issue 4654 Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4654 Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

* Issue 4654 - Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

Bug Description:

- Update ticket48234_test.py to verify tests on RHEL 7/8 and Fedora
- Update deprecated "*_s" methods to leverage the DSLDAPObject class
- Move test from the current location in ../tickets to appropriate ../suites/aci/* directory

Fix Description:
- Issue 4654 Update ticket48234_test.py and move to suites/acl/aci_excl_filter_test.py

relates:

Author: Gilbert Kimetto

Reviewed by: ???

* Test new password policy attribute "pwdReset" by DM user

    Description: Verify that the DM user is not permitted to
    change the password policy attribute "pwdReset".

    Reviewed by: ?

Co-authored-by: Mark Reynolds <mreynolds at redhat.com>
Co-authored-by: progier389 <progier at redhat.com>
Co-authored-by: Firstyear <william at blackhats.net.au>
Co-authored-by: Viktor Ashirov <vashirov at redhat.com>
Co-authored-by: Jack <me at jackben.net>
Co-authored-by: Simon Pichugin <spichugi at redhat.com>
Co-authored-by: Barbora Simonova <bsmejkal at redhat.com>
Co-authored-by: James Chapman <jachapma at redhat.com>
Co-authored-by: tbordaz <tbordaz at redhat.com>
- - - - -
ab0bc2e6 by tbordaz at 2021-04-02T14:05:41+02:00
Issue 4700 - Regression in winsync replication agreement (#4712)

Bug description:
	#4396 fixes a memory leak but did not set 'cn=config' as
	DSE backend.
	It had no significant impact unless with sidgen IPA plugin

Fix description:
	revert the portion of the #4364 patch that set be_suffix
	in be_addsuffix, free the suffix before setting it

relates: https://github.com/389ds/389-ds-base/issues/4700

Reviewed by: Pierre Rogier (thanks !)

Platforms tested: F33
- - - - -
26d6d69b by Gilbert Kimetto at 2021-04-02T09:09:04-04:00
Issue 3965 - RFE - Implement the Password Policy attribute "pwdReset" (#4713)

Description:
Updated the docstring for the new test test_pwdReset_by_user_DM to make it compatible for Polarion
Added a marker with the respective BugZilla
Updated results details for step 4

Relates: https://github.com/389ds/389-ds-base/issues/3965

Reviewed by: ?
- - - - -
f1f7ff12 by progier389 at 2021-04-02T15:48:50+02:00
Issue 4680 - 389ds coredump (@389ds/389-ds-base-nightly) in replica install with CA (#4715)

* Issue 4680 - 389ds coredump (@389ds/389-ds-base-nightly) in replica install with CA

* Issue 4680 - 389ds coredump (@389ds/389-ds-base-nightly) in replica install with CA (Added Thierry's check)
- - - - -
7f6ba5a3 by Thierry Bordaz at 2021-04-07T09:46:28+02:00
Bump version to 2.0.4

- - - - -
1bd1411a by progier389 at 2021-04-07T15:56:41+02:00
issue 4653: refactor ldbm backend to allow replacement of BDB - phase 3e - dbscan (#4709)

* issue 4653: refactor ldbm backend to allow replacement of BDB - phase 3e - dbscan

* issue 4653: refactor ldbm backend to allow replacement of BDB - phase 3e - dbscan - fix indentation
- - - - -
e542902a by Mark Reynolds at 2021-04-07T09:59:12-04:00
Issue 4169 - UI - PF4 migration - database tables

Description: Convert all the tables used by the database tab to PF4

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

- - - - -
0a504c8e by Mark Reynolds at 2021-04-13T08:42:28-04:00
Issue 4577 - Fix ASAN flags in specfile

Description:  Previously Rust and ASAN did not work together and we
              had to add special conditions in the specfile file to
              avoid the conflict.  These checks are no longer needed
              and should be removed.

relates: https://github.com/389ds/389-ds-base/issues/4577

Author: vashirov at redhat.com - Thanks!

Reviewed by: mreynolds

- - - - -
ee3196c1 by Firstyear at 2021-04-16T10:46:12+10:00
Issue 4637 - ndn cache leak (#4724)

Bug Description: During the change of the ndn cache to rust a memory
leak was missed (probably due to asan with gcc and rust issues). This
is due to a behavioural change in how dn's were used in the original version.

Fix Description: Free the dn key since rust internally needs to clone
a copy so it can correctly free it.

This also improves the drop code in the rust, and allows environment
passthrough into startup so that external ASAN_OPTIONS can be set.

fixes: https://github.com/389ds/389-ds-base/issues/4637

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 
- - - - -
a67fa12b by Mark Reynolds at 2021-04-16T16:22:56-04:00
Issue 4169 - UI - migrate replication tables to PF4

Description:  Migrated replication tables to PF 4 and cleaned up
              replication monitoring.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi & jchapman(Thanks!!)

- - - - -
f0ef03f6 by Viktor Ashirov at 2021-04-19T18:07:21+02:00
Issue 4632 - dscontainer: SyntaxWarning: "is" with a literal.

Bug Description:
`dscontainer -H` always returns 1 because of incorrect comparison
(object instead of value).

Fix Description:
Use the equality operator `==` instead of identity operator `is`.

Relates: https://github.com/389ds/389-ds-base/issues/4300
Fixes: https://github.com/389ds/389-ds-base/issues/4632

Reviewed by: @mreynolds389 (Thanks!)

- - - - -
40edb3cd by Mark Reynolds at 2021-04-20T12:13:38-04:00
Issue 4656 - Remove problematic language from source code

Description:  replace "master" with supplier, and "slave" with consumer

relates: https://github.com/389ds/389-ds-base/issues/4656

Reviewed by: firstyear, tbordaz, and spichugi(Thanks!!!)

Upgrade

During bootstrapping adjust the in memory plugin structure, and
the plugin slapi_entry.  After bootstrapping the plugins, update
any plugin that has a dependency on the old plugin name

- - - - -
4559a89c by Viktor Ashirov at 2021-04-20T21:42:37+02:00
Issue 4729 - GitHub Actions fails to run pytest tests

Description:
Update python interpreter

Fixes: https://github.com/389ds/389-ds-base/issues/4729

Reviewed by: @droideck (Thanks!)

- - - - -
0a399a2b by James Chapman at 2021-04-24T21:37:54+01:00
Issue 4734 - import of entry with no parent warning (#4735)

Description:    Online import of ldif file that contains an entry with
                no parent doesn't generate a task warning.

Fixes:          https://github.com/389ds/389-ds-base/issues/4734

Author: vashirov at redhat.com (Thanks)

Reviewed by: mreynolds, jchapma
- - - - -
d7eef2fc by tbordaz at 2021-04-27T09:29:32+02:00
Issue 4711 - SIGSEV with sync_repl (#4738)

Bug description:
	sync_repl sends back entries identified with a unique
	identifier that is 'nsuniqueid'. If 'nsuniqueid' is
	missing, then it may crash

Fix description:
	Check a nsuniqueid is available else returns OP_ERR

relates: https://github.com/389ds/389-ds-base/issues/4711

Reviewed by: Pierre Rogier, James Chapman, William Brown (Thanks!)

Platforms tested:  F33
- - - - -
095eca41 by tbordaz at 2021-04-27T16:13:50+02:00
Issue 4740 - Fix CI lib389 userPwdPolicy and subtreePwdPolicy (#4741)

Bug description:
	pwdpolicy tests in regression_test.py are failing
	because of missing '%s' in debug log

Fix description:
	add the '%s'

relates: https://github.com/389ds/389-ds-base/issues/4740

Reviewed by: Mark Reynolds

Platforms tested: F33
- - - - -
e501b83a by James Chapman at 2021-04-27T17:00:15+01:00
Issue 4701 - RFE - Exclude attributes from retro changelog (#4723)

Description: When the retro changelog plugin is enabled it writes the
             added/modified values to the "cn-changelog" suffix. In
             some cases an entry's attribute values can be of a
             sensitive nature and should be excluded. This RFE adds
             functionality that will allow an admin to exclude certain
             attributes from the retro changelog DB.

Relates: https://github.com/389ds/389-ds-base/issues/4701

Reviewed by: mreynolds389, droideck (Thanks folks)
- - - - -
3250a3e4 by tbordaz at 2021-04-29T09:29:44+02:00
Issue 4667 - incorrect accounting of readers in vattr rwlock (#4732)

Bug description:
	The fix #2932 (Contention on virtual attribute lookup) reduced
	contention on vattr acquiring vattr lock at the operation
	level rather than at the attribute level (filter and
        returned attr).
        The fix #2932 is invalid. It can lead to a deadlock scenario
	(3 threads). A vattr writer (new cos/schema) blocks
        an update thread that holds DB pages and later needs vattr.
	Then if a reader (holding vattr) blocks vattr writer and later
        needs the same DB pages, there is a deadlock.
	The decisions are:
		- revert #2932 (this issue)
		- Skip contention if deployment has no vattr #4678
		- reduce contention with new approaches
                  (COW and/or cache vattr struct in each thread)
		  no issue opened

Fix description:
	The fix reverts #2932

relates: https://github.com/389ds/389-ds-base/issues/4667

Reviewed by: William Brown, Simon Pichugin

Platforms tested:  F33
- - - - -
13420e5c by Mark Reynolds at 2021-04-29T14:14:05-04:00
Issue 4169 - UI - Migrate Server, Security, and Schema tables to PF4

Description:  Migrate these tables to PF4 tables.

              Also added spinning buttons.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi(Thanks!)

- - - - -
5598abba by Mark Reynolds at 2021-04-30T08:40:54-04:00
Issue 4742 - UI - should always use LDAPI path when calling CLI

Bug Description:

In some places in the UI code we call dsconf like:

dsconf -j slapd-instance ...

Instead of:

dsconf -j "ldapi://%2fvar%2frun%2fslapd-" + this.props.serverId + ".socket"

The problem is that if you set up the ".dsrc" file to use something other than LDAPI then the UI hangs.

Fix Description:

We need to always call the CLI using the LDAP socket.

Relates: https://github.com/389ds/389-ds-base/issues/4742

Reviewed by: spichugi(Thanks!)

- - - - -
f6938036 by James Chapman at 2021-05-04T15:48:10+01:00
Issue 4750 - Fix compiler warning in retrocl (#4751)

Description: An unused variable generates a compiler warning.

Fix description: Remove unused variable. Modify CI test to restart the test instance instead
		         of using dynamic plugins.

Fixes: https://github.com/389ds/389-ds-base/issues/4750

Relates: https://github.com/389ds/389-ds-base/issues/4701

Reviewed by: jchapma (One line commit rule)
- - - - -
a7943349 by Viktor Ashirov at 2021-05-05T09:33:58+02:00
Issue 4714 - dscontainer fails with rootless podman

Bug Description:
shutil.copy2 attempts to preserve metadata, but in a container without
privileges we don't have access to set xattrs. With rootless podman this
triggers an AVC denial and causes dscontainer to fail when a shared
data volume is reused.

Fix Description:
Use shutil.copy instead.

Reviewed by: @Firstyear (Thanks!)

Fixes: https://github.com/389ds/389-ds-base/issues/4714

- - - - -
9b62aede by James Chapman at 2021-05-05T16:46:16+01:00
Issue 4169 - UI - Migrate Buttons to PF4 (#4745)

Description: Migrate buttons from PF3 to PF4

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: mreynolds389, droideck (Many thanks)
- - - - -
ad3e77d7 by tbordaz at 2021-05-06T18:50:06+02:00
Issue 4759 - Fix coverity issue (#4760)

Bug description:
	with #4218 (wtime, optime in access log), hrtime is set in the
	operation. But it is done before checking if the operation is
	set. covscan fails

Fix description:
	move the setting after verification that operation != NULL

relates: https://github.com/389ds/389-ds-base/issues/4759

Reviewed by: Simon Pichugin

Platforms tested: F34
- - - - -
8006632e by tbordaz at 2021-05-06T18:54:20+02:00
Issue 4747 - Remove unstable/unstatus tests from PRCI (#4748)

Bug description:
	Some tests (17) in the tests suite (dirsrvtest/tests/suites)
	are failing although there is no regression.
	It needs (long) investigations to status if failures
	are due to a bug in the tests or in DS core.
	Until those investigations are complete, test suites
	lose a large part of their value to detect regression.
	Indeed those failing tests may hide a real regression.

Fix description:
	Flag failing tests with pytest.mark.flaky(max_runs=2, min_passes=1)
	Additional action will be to create upstream 17 ticket to
	status on each failing tests

relates: https://github.com/389ds/389-ds-base/issues/4747

Reviewed by: Simon Pichugin, Viktor Ashirov (many thanks for your
reviews and help)

Platforms tested: F33
- - - - -
adc2c8f5 by tbordaz at 2021-05-12T14:21:04+02:00
Issue 4725 - [RFE] DS - Update the password policy to support a Temporary Password Rules (#4727)

Bug description:
	Enhance password policy to support registration password (Temporary Password Rules)
	design is  https://www.port389.org/docs/389ds/design/otp-password-policy.html

Fix description:
	The fix introduces new password policy configuration attributes
        (passwordTPR*) and entry (user) operational attributes (pwdTPR*).
	It supports Temporary Password Rules (fixed use count) and validity
        window (valid since-until).
	During bind it checks if the TPR limits are violated.
	During password update it computes and sets
	operational attributes (pwdTPR*).

	Note: a previous version of the fix/design mentioned
	this feature as 'One Time Password'. This naming was confusing
        and the current version replaces it with 'Temporary Password
        Rules' (aka TPR). If some 'OTP' code/comments remain
        it is a mistake.

relates: https://github.com/389ds/389-ds-base/issues/4725

Reviewed by: William Brown (Thanks !!!)

Platforms tested: F33
- - - - -
2a12316b by progier389 at 2021-05-12T19:29:19+02:00
Issue 4765 - database suffix unexpectedly changed from .db to .db4 (#4766)

* Issue 4765 - database suffix unexpectedly changed from .db to .db4

* Issue 4765 - database suffix unexpectedly changed from .db to .db4 - fix some compilation warnings
- - - - -
6ca3fb97 by Mark Reynolds at 2021-05-17T09:21:49-04:00
Issue 4770 - Lower FIPS logging severity

Description:  If FIPS is not available on a system we log error messages
              with the severity level of ERR, but it's not really an error
              so it should be changed to NOTICE.

relates: https://github.com/389ds/389-ds-base/issues/4770

Reviewed by: mreynolds (one line commit rule)

- - - - -
b6d8de51 by Thierry Bordaz at 2021-05-17T17:21:51+02:00
Issue 4725 - Fix compiler warnings

- - - - -
f5b2cfb3 by Mark Reynolds at 2021-05-19T12:12:47-04:00
Issue 3555 - Fix UI audit issue

Description:  This does not fix all the audit errors because we need
              to get off of patternfly 3 first, but this does address
              a critical vulnerability and several high vulnerabilities.

relates: https://github.com/389ds/389-ds-base/issues/3555

Reviewed by: mreynolds

- - - - -
3cbad9e8 by Simon Pichugin at 2021-05-20T14:24:25+02:00
Issue 4623 - RFE - Monitor the current DB locks (#4762)

* Issue 4623 - RFE - Monitor the current DB locks

Description: DB lock gets exhausted because of unindexed internal searches
(under a transaction). Indexing those searches is the way to prevent exhaustion.
If db locks get exhausted during a txn, it leads to db panic and the later recovery
can possibly fail. That leads to a full reinit of the instance where the db locks
got exhausted.

Add three attributes to global BDB config: "nsslapd-db-locks-monitoring-enabled",
 "nsslapd-db-locks-monitoring-threshold" and "nsslapd-db-locks-monitoring-pause".
By default, nsslapd-db-locks-monitoring-enabled is turned on, nsslapd-db-locks-monitoring-threshold is set to 90% and nsslapd-db-locks-monitoring-threshold is 500ms.

When current locks are close to the maximum locks value of 90% - returning
the next candidate will fail until the maximum of locks won't be
increased or current locks are released.
The monitoring thread runs with the configurable interval of 500ms.

Add the setting to UI and CLI tools.

Fixes: https://github.com/389ds/389-ds-base/issues/4623

Reviewed by: @Firstyear, @tbordaz, @jchapma, @mreynolds389 (Thank you!!)
- - - - -
58a1591b by Mark Reynolds at 2021-05-21T13:10:27-04:00
Issue 4773 - Enable interval feature of DNA plugin

Description:  Enable the dormant interval feature in DNA plugin

relates: https://github.com/389ds/389-ds-base/issues/4773

Review by: mreynolds (one line commit rule)

- - - - -
83094c3b by MIZUTA Takeshi at 2021-05-25T11:15:49-04:00
Issue 4781 - There are some typos in man-pages

Description: Fixed the following man-page typo.
- dbscan(1)
- ldclt(1)
- rsearch(1)
- 99user.ldif(5)
- dirsrv.systemd(5)

relates: https://github.com/389ds/389-ds-base/issues/4781

- - - - -
3111a166 by Viktor Ashirov at 2021-05-26T13:11:11+02:00
Issue 2820 - Fix CI test suite issues

Bug Description:
Test collection fails due to file name clash - basic_test.py is present
in other suites too.

Fix Description:
Add a missing __init__.py file.

Relates: https://github.com/389ds/389-ds-base/issues/2820

Reviewed by: @droideck (Thanks!)

- - - - -
0cfdea7a by progier389 at 2021-05-26T16:07:43+02:00
Issue 4764 - replicated operation sometime checks ACI (#4783)


- - - - -
4763e651 by Mark Reynolds at 2021-05-27T15:18:06-04:00
Issue 4656 - Allow backward compatibility for replication plugin name change

Description:  We still need to map the plugin name from the old one to the new
              one to support upgrades with other applications.

relates: https://github.com/389ds/389-ds-base/issues/4656

ASAN tested and approved

Reviewed by: abbra(Thanks!)

- - - - -
723bf037 by Mark Reynolds at 2021-05-28T13:15:46-04:00
Issue 4169 - UI - Port plugin tables to PF4

Description:  port the plugins tables to PF4.  This completes the entire
              table migration.

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: jchapman & spichugi(Thanks!!)

- - - - -
ba5578f7 by Mark Reynolds at 2021-05-28T13:21:57-04:00
Issue 4778 - RFE - Allow setting TOD for db compaction and add task

Description:  Since database compaction can be costly it should be allowed
              to set a time to execute it during offpeak hours.  Once the
              compaction interval has been met, it will wait for the configured
              time of day to do the compaction.  The default is just before
              midnight: 23:59

              A task was also created that can run compaction on demand,
              and can also just target the replication changelog.  This could
              be used in conjunction with a cronjob for more complex
              execution patterns.

ASAN tested and approved.

relates: https://github.com/389ds/389-ds-base/issues/4778

Reviewed by: spichugi(Thanks!)

- - - - -
607bfbf1 by Mark Reynolds at 2021-05-30T09:41:27-04:00
Bump version to 2.0.5

- - - - -
5fe3b0ce by Akshay Adhikari at 2021-06-02T13:30:17+02:00
Issue 4753 - Adjust our tests to 389-ds-base-snmp missing in RHEL 9 Appstream

Description: With RHEL 9, 389-ds-base-snmp is no longer delivered in AppStream.
We need to adapt our tests which rely on 389-ds-base-snmp, so that they are skipped if it is missing.

Fix Description: Added skipif to tests which rely on 389-ds-base-snmp

Fixes: https://github.com/389ds/389-ds-base/issues/4753

Reviewed by: ??

- - - - -
72a7aa93 by Akshay Adhikari at 2021-06-02T13:30:17+02:00
removed the snmp_present() from utils.py as we have get_rpm_version() in conftest.py

- - - - -
a38f9394 by Akshay Adhikari at 2021-06-02T13:30:17+02:00
Issue 4753 - Adjust our tests to 389-ds-base-snmp missing in RHEL 9 Appstream

Description: With RHEL 9, 389-ds-base-snmp is no longer delivered in AppStream.
We need to adapt our tests which rely on 389-ds-base-snmp so that they are skipped if it is missing.

Fix Description: Added skipif to tests that rely on 389-ds-base-snmp

Fixes: https://github.com/389ds/389-ds-base/issues/4753

Reviewed by: @vashirov, @sgouvern (Thanks!)

- - - - -
53f372ce by Akshay Adhikari at 2021-06-02T13:31:30+02:00
Issue 4575 Update test docstrings metadata

Description: Mapping all the test cases to the requirements.

Fix Description: Adding __init__.py file and docstrings to all the test suites

Fixes: https://github.com/389ds/389-ds-base/pull/4754

Reviewed by: @vashirov, @sgouvern (Thanks!)

- - - - -
268d1c7e by Akshay Adhikari at 2021-06-02T15:36:02+02:00
Issue 4379 - Allow more than 1 empty AttributeDescription for ldapsearch, without the risk of denial of service

Description: Added a test case to verify up to 10 empty values and a negative
case to check max limit.

Relates: https://github.com/389ds/389-ds-base/issues/4379

Reviewed by: @bsimonova, @droideck (Thanks!)

- - - - -
ff830604 by Akshay Adhikari at 2021-06-02T15:36:02+02:00
Issue 4379 - Allow more than 1 empty AttributeDescription for ldapsearch, without the risk of denial of service

Description: Added a test case to verify up to 10 empty values and a negative
case to check max limit.

Relates: https://github.com/389ds/389-ds-base/issues/4379

Reviewed by: @vashirov, @bsimonova, @droideck (Thanks!)

- - - - -
f53b2844 by Thierry Bordaz at 2021-06-04T13:58:35+02:00
Issue 4379 - fixing regression in test_info_disclosure

- - - - -
f8e42061 by tbordaz at 2021-06-07T11:23:35+02:00
Issue 4789 - Temporary password rules are not enforce with local password policy (#4790)

Bug description:
	When allocating a password policy structure (new_passwdPolicy)
        it is initialized with the local policy definition or
	the global one. If a local policy entry exists, the TPR
        attributes (passwordTPRMaxUse, passwordTPRDelayValidFrom and
        passwordTPRDelayExpireAt) are not taken into account.

Fix description:
	Take into account TPR attributes to initialize the policy

relates: https://github.com/389ds/389-ds-base/issues/4789

Reviewed by: Simon Pichugin, William Brown

Platforms tested: F34
- - - - -
a8596b08 by Mark Reynolds at 2021-06-07T13:07:36-04:00
Issue 4773 - Add CI test for DNA interval assignment

Description: Add test case for DNA interval assignment

relates: https://github.com/389ds/389-ds-base/issues/4773

Reviewed by: spichugi(Thanks!)

- - - - -
2120af0c by Mark Reynolds at 2021-06-08T09:35:24-04:00
Issue 4447 - Crash when the Referential Integrity log is manually edited

Bug Description:  If the referint log is manually edited with a string
                  that is not a DN the server will crash when processing
                  the log.

Fix Description:  Check for NULL pointers when strtoking the file line.

relates: https://github.com/389ds/389-ds-base/issues/4447

Reviewed by: firstyear(Thanks!)

- - - - -
2437047b by James Chapman at 2021-06-09T15:27:10+01:00
Issue 4169 - UI Migrate checkbox to PF4 (#4769)

Description: 	Migrate checkbox from pf3 to pf4
		       Button migrations missed in previous PR

Relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: droideck, mreynolds389 (Thank you)
- - - - -
551b5a98 by tbordaz at 2021-06-10T15:03:27+02:00
Issue 4797 - ACL IP ADDRESS evaluation may corrupt c_isreplication_session connection flags (#4799)

Bug description:
	The fix for ticket #3764 was broken with a missing break in a
	switch. The consequence is that while setting the client IP
	address in the pblock (SLAPI_CONN_CLIENTNETADDR_ACLIP), the
	connection is erroneously set as replication connection.
        This can lead to crash or failure of testcase
        test_access_from_certain_network_only_ip.
        This bug was quite hidden until the fix for #4764 is
        showing it more frequently

Fix description:
	Add the missing break

relates: https://github.com/389ds/389-ds-base/issues/4797

Reviewed by: Mark Reynolds

Platforms tested: F33
- - - - -
23a75834 by Barbora Simonova at 2021-06-10T16:14:01+02:00
Issue 4593 - Log an additional message if the server certificate nickname doesn't match nsSSLPersonalitySSL value

Description:
Added a test to check if additional message is present in the error log
if nsSSLPersonalitySSL value does not match the certificate nickname.
Also brought back changes to ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c,
because they were removed in commit 07b5a79a3a9ec9c6d5575f2a893fd48bdcdd3c81

Relates: https://github.com/389ds/389-ds-base/issues/4593

Reviewed by: @vashirov, @Firstyear, @droideck (Thanks!)

- - - - -
da522d53 by Firstyear at 2021-06-11T12:23:37+10:00
Issue 4794 - BUG - don't capture container output (#4798)

Bug Description: It was noticed that capturing the container
output with PIPE may cause the buffer to fill up, resulting
in some tasks hanging.

Fix Description: Do not capture the process output.

fixes: https://github.com/389ds/389-ds-base/issues/4794

Author: William Brown <william at blackhats.net.au>

Review by: @vashirov, @last-ninjai 
- - - - -
f542f890 by James Chapman at 2021-06-14T12:29:14+01:00
Issue 4791 - Missing dependency for RetroCL RFE (#4792)

Description: The RetroCL exclude attribute RFE is dependent on functionality of the
	     EntryUUID bug fix, that didn't make it into the latest build. This breaks the
             RetroCL exclude attr feature so we need to provide a workaround.

Fixes: https://github.com/389ds/389-ds-base/issues/4791

Relates: https://github.com/389ds/389-ds-base/pull/4723

Relates: https://github.com/389ds/389-ds-base/issues/4224

Reviewed by: tbordaz, droideck (Thank you)
- - - - -
ff977cc8 by tbordaz at 2021-06-16T13:41:27+02:00
Issue 4747 - Remove unstable/unstatus tests (followup) (#4809)

Bug description:
	test_syncrepl_basic test is unstable (1 fail out of 10 run)
	with an error.PyAsn1Error exception.

Fix description:
	flag this test as flaky

relates: https://github.com/389ds/389-ds-base/issues/4747

Reviewed by: self reviewed (one line commit)

Platforms tested: F33
- - - - -
836e84b3 by Mark Reynolds at 2021-06-16T08:11:27-04:00
Issue 4093 - Fix MEP test case

Bug Description:  Once some compiler warnings were fixed it
                  accidentally fixed the modrdn behavior.  Previously
                  the modrdn code accidentally ignored errors that the
                  test case was taking for granted.  Once these checks
                  were properly enforced the test case started to fail.

Fix Description:  Revise test case to "properly" check modrdn operations
                  by creating the Managed Entry before assigning it to
                  an entry, and then check for the revised managed entry
                  DN after the modrdn takes place.

                  Also, improved CI debugging logging settings

relates: https://github.com/389ds/389-ds-base/issues/4093

Reviewed by: spichugi(Thanks!)

- - - - -
7753988c by Mark Reynolds at 2021-06-16T08:15:54-04:00
Issue 4709 - Fix double free in dbscan

Description:  Fix double free in dbscan - in main()

relates: https://github.com/389ds/389-ds-base/pull/4709

Reviewed by: tbordaz, spichugi, progier(Thanks!!!)

- - - - -
649b7b50 by Mark Reynolds at 2021-06-16T08:19:33-04:00
Issue 4506 - Improve SASL logging

Description:

Converted all SLAPI_LOG_TRACE logging to Connection logging (SLAPI_LOG_CONNS).

sasl_errstring() performs a simple and fast switch case mapping from
error code to const string.

relates : https://github.com/389ds/389-ds-base/issues/4506

Signed-off-by: Christian Heimes <cheimes at redhat.com>

Reviewed by: mreynolds

- - - - -
a8703f01 by Mark Reynolds at 2021-06-16T10:10:21-04:00
Issue 4656 - replication name change upgrade code causes crash with dynamic plugins

Bug Description:  If dynamic plugins is enabled, the server will crash after
                  restarting several plugins.  The global plugin list became
                  corrupted, and an invalid plugin entry was read.

Fix Description:  Always call the close function of a plugin even if it's
                  not started (this undoes a change from the previous patch
                  that was not needed after all).

                  Updated the replication plugin upgrade code logging to
                  be more clear, and to be logged by default.

ASAN tested and approved

relates: https://github.com/389ds/389-ds-base/issues/4656

Reviewed by: tbordaz(Thanks!)

- - - - -
b251ffe7 by Mark Reynolds at 2021-06-17T09:57:23-04:00
Issue 4656 - Fix replication plugin rename dependency issues

Bug Description:  If a plugin has a named dependency on the old
                  Replication plugin name, and it is listed in
                  the dse.ldif before the replication plugin
                  then the "conversion" fails because the internal
                  plugin dependency list was not properly updated

Fix Description:  Update the plugin dependency list after we update a
                  plugin's dependency.

relates: https://github.com/389ds/389-ds-base/issues/4656

Reviewed by: spichugi(Thanks!)

- - - - -
59d889ad by tbordaz at 2021-06-17T16:22:09+02:00
Issue 4788 - CLI should support Temporary Password Rules attributes (#4793)

Bug description:
    Since #4725, password policy supports temporary password rules.
    CLI (dsconf) does not support this RFE and only direct ldap
    operation can configure global/local password policy

Fix description:
    Update dsconf to support this new RFE.
    To run successfully the testcase it relies on #4788

relates: #4788

Reviewed by: Simon Pichugin (thanks !!)

Platforms tested: F34
- - - - -
c7b16700 by Barbora Simonova at 2021-06-22T14:45:28+02:00
Issue 4414 - disk monitoring - prevent division by zero crash

Description:
Added a test to check DS will not crash when division by zero
occurs in disk monitoring. Also fixed a description in compact_test.py
because it was causing errors in Polarion import.
Relates: https://github.com/389ds/389-ds-base/issues/4414

Reviewed by: droideck (Thanks!)

- - - - -
cb825e0b by James Chapman at 2021-06-22T15:55:49+01:00
Issue 4169 - UI - Migrate Typeaheads to PF4 (#4808)

* Issue 4169 - UI - Migrate Typeaheads to PF4

Description: Migrate the current bootstrap typeaheads to
patternfly 4 select typeaheads

Relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: mreynolds389, droideck (Many thanks)
- - - - -
72964fe6 by Simon Pichugin at 2021-06-23T10:01:30+02:00
Issue 4803 - Improve DB Locks Monitoring Feature Descriptions (#4810)

Description: The description of the field "nsslapd-db-locks-monitoring-threshold"
is unclear. Make the explanations more detailed and concise in both CLI
and Web UI.

Fixes: https://github.com/389ds/389-ds-base/issues/4803

Reviewed by: @tbordaz (Thank you!)

- - - - -
9ee03bc8 by Simon Pichugin at 2021-06-23T10:21:57+02:00
Issue 4803 - Improve DB Locks Monitoring Feature Descriptions

Description: Enhance one line for the threshold setting
as per comment in https://github.com/389ds/389-ds-base/pull/4810

Relates: https://github.com/389ds/389-ds-base/issues/4803

Reviewed by: @droideck (one line rule)

- - - - -
c0ca290f by Thierry Bordaz at 2021-06-23T19:12:10+02:00
Bump version to 2.0.6

- - - - -
6b10f179 by Viktor Ashirov at 2021-06-29T14:05:10+02:00
Issue 2820 - Fix CI test suite issues

Bug Description:
* repl_monitor_test.py fails after changes in replication monitor output
in e4dfa12b151afa9a2b1830af4fe370fc8e0dfaa1
* import_test.py::test_fast_slow_import is very strict and fails when
the time difference between imports is insignificant and less than 1s.

Fix Description:
* repl_monitor_test.py - update expected string values
* import_test.py - relax the expected time to be within 1s variance,
comment out flaky decorator to enable the test back in PR CI.

Relates: https://github.com/389ds/389-ds-base/issues/2820

Reviewed by: @mreynolds389, @droideck (Thanks!)

- - - - -
96fe605f by tbordaz at 2021-07-02T13:33:52+02:00
Issue 4822 - Fix CI temporary password: fixture leftover breaks them (#4823)

Bug description:
	dirsrvtests/tests/suites/password/pwdPolicy_attribute_test.py contains
        password policy attributes tests (min_age,...) and tpr tests.
        Leftover of the fixture password_policy (scope module) are breaking
        TPR tests with subtree/user local password policy.

Fix description:
	Separate temporary password tests into their own module

relates: https://github.com/389ds/389-ds-base/issues/4822

Reviewed by: Simon Pichugin (Thanks!)

Platforms tested: 8.5
- - - - -
747d2bfb by Viktor Ashirov at 2021-07-02T16:11:24+02:00
Issue 4826 - Filter argparse-manpage from autogenerated requires

Bug Description:
RPM dependency generators add argparse-manpage to the list of runtime
dependencies. But it's a buildtime only dependency.

Fix Description:
Use requires filter macro in the spec file.

Fixes: https://github.com/389ds/389-ds-base/issues/4826

Reviewed by: @mreynolds389 (Thanks!)

- - - - -
8b257002 by tbordaz at 2021-07-02T18:02:54+02:00
Issue 4262 - Fix Index out of bound in fractional test (#4828)

Bug description:
	In master branch there are by default 2 groups while
        in 1.4.3 it exists only one. So the index '1'
	in the retrieved groups raise 'invalid index' exception
        in 1.4.3.

Fix description:
	Retrieve the specific group bug739172_01group
        to test its membership

relates: https://github.com/389ds/389-ds-base/issues/4262

Reviewed by:

Platforms tested:  8.5, fedora

foo
- - - - -
fb70c5c8 by tbordaz at 2021-07-02T20:53:26+02:00
Issue 4414 - SIGFPE crash in rhds disk monitoring routine (#4829)

Bug description:
	The testcase systematically fails on PRCI running
        in a container. It gets a E_ACCES during
        access to a tmpfs mounted filesystem, while
        it runs fine on openstack.

Fix description:
	Just skip this test in our test PRCI

relates: https://github.com/389ds/389-ds-base/issues/4414

Reviewed by: Mark Reynolds

Platforms tested: fedora
- - - - -
ca848dfb by Akshay Adhikari at 2021-07-07T12:39:01+02:00
Issue 4706 - negative wtime for compare operations (#4780)

Description: Improve ds_logs_test.py::test_optime_and_wtime_keywords so
it tests the associated bug.

Relates: https://github.com/389ds/389-ds-base/issues/4706

Reviewed by: @vashirov, @droideck 
- - - - -
13ee2053 by Firstyear at 2021-07-08T10:46:25+10:00
Issue 4820 - RFE - control flow integrity (#4821)

Bug Description: Many attacks involved hijacking the
control flow of an executable to change its behaviour.
While we can do many things to prevent this at development
time, we need to be ready for unexpected situations in
run time.

Fix Description: Enabling control flow integrity allows
enforcing that our project's logic flow only goes in certain,
known valid locations at compile time. This means a program
that violates these behaviours will be terminated to prevent
exploitation.

fixes: https://github.com/389ds/389-ds-base/issues/4820

Author: William Brown <william at blackhats.net.au>

Review by: @jchapma 
- - - - -
aeb90eb0 by Firstyear at 2021-07-09T11:53:35+10:00
Issue 4817 - BUG - locked crypt accounts on import may allow all passwords (#4819)

Bug Description: Due to mishandling of short dbpwd hashes, the
crypt_r algorithm was misused and was only comparing salts
in some cases, rather than checking the actual content
of the password.

Fix Description: Stricter checks on dbpwd lengths to ensure
that content passed to crypt_r has at least 2 salt bytes and
1 hash byte, as well as stricter checks on ct_memcmp to ensure
that compared values are the same length, rather than potentially
allowing overruns/short comparisons.

fixes: https://github.com/389ds/389-ds-base/issues/4817

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 
- - - - -
aec9ceb4 by Mark Reynolds at 2021-07-12T23:08:22-04:00
Issue 4169 - UI - migrate Server Tab forms to PF4

Description:  Migrate off of PF3 Forms/Rows/Col to PF4 Forms/Grids
              for the Server & Database tabs

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: spichugi & jchapman(Thanks!!)

- - - - -
c072156c by James Chapman at 2021-07-14T22:24:24+01:00
Issue 4603 - Reindexing a single backend (#4831)

* Issue 4603 - Reindexing a single backend

Bug description:
	While trying to offline reindex a single backend, all backends
	are reindexed. This can introduce un-wanted latencies if one wants to reindex a
	single backend rather than reindexing all backends.

Fix description:
	DB txn logging disabled
	CLI modified to provide extra reindex options
	DSELidf extended to get backend index attributes

Relates: https://github.com/389ds/389-ds-base/issues/4603

Reviewed by:  mreynolds389,  droideck, Firstyear (Thank you)

- - - - -
4b74d1e9 by Mark Reynolds at 2021-07-15T12:22:05-04:00
Issue 4443 - Internal unindexed searches in syncrepl/retro changelog

Bug Description:

When a non-system index is added to a backend it is
disabled until the database is initialized or reindexed.
So in the case of the retro changelog the changenumber index
is always disabled by default since it is never initialized.
This leads to unexpected unindexed searches of the retro
changelog.

Fix Description:

If an index has "nsSystemIndex" set to "true" then enable it
immediately.

relates:  https://github.com/389ds/389-ds-base/issues/4443

Reviewed by: spichugi & tbordaz(Thanks!!)

- - - - -
0f443bf3 by Mark Reynolds at 2021-07-15T13:50:02-04:00
Bump version to 2.0.7

- - - - -
9ae0134c by James Chapman at 2021-07-29T14:27:09+01:00
Issue - 4696 - Password hash upgrade on bind (#4840)


Description:
	There is an unintended side effect of the "upgrade password
	on bind" feature. It causes the password policy code to be
	engaged and it resets the passwordExpirationtime in the entry.

Fix description:
	Only allow an external password modify operation or an extended
	password modify operation to update the password info.

Relates: https://github.com/389ds/389-ds-base/issues/4696

Reviewed by: @droideck, @tbordaz, @mreynolds389 (Thank you)

- - - - -
24d458af by Viktor Ashirov at 2021-07-29T18:07:24+02:00
Issue 4848 - Force to require nss version greater or equal as the version available at the build time

Description:
In our spec file we require nss >= 3.34, but not the exact (or greater,
as they are backward compatible) version available at the build time.

Fix Description:
We should record nss version available at the build time and require it
at the runtime.
Adapt a macro from samba spec file.

Fixes: https://github.com/389ds/389-ds-base/issues/4848

Reviewed by: @mreynolds389, @Firstyear, @droideck (Thank you!)

- - - - -
434d6803 by Simon Pichugin at 2021-08-03T14:49:10+02:00
Issue 4460 - Fix isLocal and TLS paths discovery (#4850)

Description: Fix isLocal inconsistency in the 'allocate' code.
Process LDAP URI and decide if it's local or not.
Make sure that while connecting locally the certdir (and other TLS paths) are accessible
(has read right) before setting ldap.OPT_X_TLS_*.
If no ldap.OPT_X_TLS_* options are set and there is no new TLS context,
don't set OPT_X_TLS_NEWCTX. Then /etc/openldap/ldap.conf will be used.

Relates: https://github.com/389ds/389-ds-base/issues/4460

Reviewed by: @mreynolds389, @Firstyear (Thanks!!)
- - - - -
33c81588 by Mark Reynolds at 2021-08-03T23:34:45-04:00
Issue 4736 - CLI - Errors from certutil are not propagated

Description:  Errors from certutil are not returned to the client, and
only a generic failure code is returned.  The actual error text should be
returned to the client since it has meaning.  Just catch all the
exceptions and return the output as a ValueError.

relates: https://github.com/389ds/389-ds-base/issues/4736

Reviewed by: firstyear (Thanks!)

- - - - -
e4a09aa1 by Barbora Simonova at 2021-08-04T09:22:19+02:00
Issue 4623 - RFE - Monitor the current DB locks ( nsslapd-db-current-locks )

Description:
Added additional tests for DB locks monitoring to check if invalid
values are correctly rejected for nsslapd-db-locks and
nsslapd-db-locks-monitoring-threshold.

Relates: https://github.com/389ds/389-ds-base/issues/4623

Reviewed by: droideck (Thanks!)

- - - - -
c02d99fd by Mark Reynolds at 2021-08-05T23:49:05-04:00
Issue 4169 - Migrate Replication & Schema tabs to PF4

Description:  Migrate the remaining components in the repl and schema
tabs to PF4

relates: https://github.com/389ds/389-ds-base/issues/4169

Reviewed: spichugi & jchapman (Thanks!!)

- - - - -
f5fd00f6 by Viktor Ashirov at 2021-08-06T06:53:17+02:00
Issue 4859 - Don't version libns-dshttpd

Description:
On every build libns-dshttpd has a version corresponding
to the package version, e.g. libns-dshttpd-2.0.7.so.
It's unnecessary, as we are the only consumers of this library
and we don't change its ABI on every build.
It also triggers rpmdiff test failures that have to be waived on
each build.

Fixes: https://github.com/389ds/389-ds-base/issues/4859

Reviewed by: @mreynolds389 (Thanks!)

- - - - -
1bbef77a by Viktor Ashirov at 2021-08-06T06:53:32+02:00
Issue 4861 - Improve instructions in custom.conf for memory leak detection

Description:
Extend instructions in
/usr/lib/systemd/system/dirsrv@.service.d/custom.conf
to provide guides on how to use valgrind and AddressSanitizer.

Fixes: https://github.com/389ds/389-ds-base/issues/4861

Reviewed by: @mreynolds389 (Thanks!)

- - - - -
c7a67960 by Mark Reynolds at 2021-08-10T11:17:46-04:00
Issue 4736 - lib389 - fix regression in certutil error checking

Description: A regression in the previous commit accidentally called
certutil twice which triggered the CLI to prompt for the NSS database
password.  This broke CI tests, etc.

relates: https://github.com/389ds/389-ds-base/issues/4736

Reviewed by: mreynolds (one line commit rule)

- - - - -
9cf2517b by Simon Pichugin at 2021-08-18T16:05:20+02:00
Issue 4763 - Attribute Uniqueness Plugin uses wrong subtree on ModRDN (#4871)

Bug Description: When using the Attribute uniqueness plugin, restricted
to one subtree, moving an object with an already existing attribute
to this subtree does not raise any exceptions. It appears that the
originating subtree is searched instead.

Fix Description: Use parent DN of the new entry when searching
for attribute uniqueness.
Add test to plugins/attruniq_test.py suite.

Fixes: https://github.com/389ds/389-ds-base/issues/4763

Reviewed by: @tbordaz (Thanks!)
- - - - -
a5c04a8f by Simon Pichugin at 2021-08-18T16:11:33+02:00
Issue 4851 - Typos in "dsconf pwpolicy set --help" (#4867)

Description: Fix typos in the output of "dsconf instance_name
pwpolicy set --help".

Fixes: https://github.com/389ds/389-ds-base/issues/4851

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
bce941ec by Firstyear at 2021-08-19T14:31:03-04:00
Issue 4872 - BUG - entryuuid enabled by default causes replication issues (#4876)

Bug Description: Due to older servers missing the syntax
plugin this breaks schema replication and causes cascading
errors.

Fix Description: This changes the syntax to be a case
insensitive string, while leaving the plugins in place
for other usage.

fixes: https://github.com/389ds/389-ds-base/issues/4872

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 @progier389 
- - - - -
193ae2f7 by Firstyear at 2021-08-23T11:46:58+10:00
Issue 4877 - RFE - EntryUUID to validate UUIDs on fixup (#4878)

Bug Description: Due to changing the syntax of EntryUUID's
to string, we may have invalid EntryUUID's imported into
the database.

Fix Description: To resolve this during a fixup we validate
that Uuid's have a valid syntax. If they do not, we regenerate
them.

fixes: https://github.com/389ds/389-ds-base/issues/4877

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389

- - - - -
553f26c8 by Mark Reynolds at 2021-08-23T15:35:05-04:00
Bump version to 2.0.8

- - - - -
6e21d41f by Mark Reynolds at 2021-08-26T09:38:11-04:00
Issue 4884 - server crashes when dnaInterval attribute is set to zero

Bug Description:

A division by zero crash occurs if the dnaInterval is set to zero

Fix Description:

Validate the config value of dnaInterval and adjust it to the
default/safe value of "1" if needed.

relates: https://github.com/389ds/389-ds-base/issues/4884

Reviewed by: tbordaz(Thanks!)

- - - - -
d86a6a82 by Mark Reynolds at 2021-08-26T10:10:39-04:00
Issue 4875 - CLI - Add some verbosity to installer

Description:  Previously the installer would basically say
              "Starting" and "Finished".  If a step would
              run into a problem it is difficult to narrow
              down what is going wrong.  So add a little more
              output during the installation.

relates: https://github.com/389ds/389-ds-base/issues/4875

Reviewed by: firstyear & spichugi(Thanks!!)

- - - - -
01f97198 by Mark Reynolds at 2021-08-27T08:53:52-04:00
Issue 4149 - UI - Migrate the remaining components to PF4

Description:  This completes the initial migration to PF4

fixes: https://github.com/389ds/389-ds-base/issues/4149

Reviewed by: spichugi(Thanks!)

- - - - -
cef02245 by Mark Reynolds at 2021-08-30T15:42:37-04:00
Issue 4887 - UI - Update webpack.config.js and package.json

Bug Description:

Our cockpit dependencies were very out of date and had
security issues.  But the newer ESLint package had lots of new
complaints.

Fix Description:

"noop" no longer exists in PF4, so that had to be removed from
the PropTypes, as well as a ton of ESLint errors about
variable declarations, certain function names, etc.

npm audit is now clean, and we are up to date with Cockpit
requirements/standards.

relates: https://github.com/389ds/389-ds-base/issues/4887

Reviewed by: jchapman(Thanks!)

- - - - -
9dab9bc6 by Mark Reynolds at 2021-08-30T15:50:13-04:00
Bump version to 2.0.9

- - - - -
549d9c65 by Mark Reynolds at 2021-08-31T16:11:51-04:00
Issue 4887 - UI - fix minor regression from camelCase fixup

Description:  The new ESlinter complained about function names, and
there was a mistake that caused the wrong function name to be passed as
a property to a component.

relates:  https://github.com/389ds/389-ds-base/issues/4887

Reviewed by: mreynolds(one line commit rule)

- - - - -
3f7a2fa3 by Mark Reynolds at 2021-09-03T09:57:07-04:00
Issue 4869 - Fix retro cl trimming misuse of monotonic/realtime clocks

Bug Description:  Monotonic clocks were used to check if an entry was old
                  enough to be trimmed, but the real system time should be
                  used.  So entries were never trimmed from the changelog.

Fix Description:  Make sure monotonic clocks are only used for the
                  trimming interval, and real time clocks are used
                  for entry age.

relates: https://github.com/389ds/389-ds-base/issues/4869

Reviewed by: firstyear(Thanks!)

- - - - -
154957ca by Mark Reynolds at 2021-09-09T07:47:35-04:00
Issue 4910 - db reindex corrupts RUV tombstone nsuiqueid index

Bug Description:  During a reindex task we skip the RUV tombstone entry,
                  which corrupts the nsuniqueid index.

Fix Description:  Make sure we still index nsuniqueid index for
                  the RUV tombstone entry.

relates: https://github.com/389ds/389-ds-base/issues/4910

Reviewed by: firstyear & progier389 (Thanks!!)

- - - - -
93aa9f4c by Mark Reynolds at 2021-09-09T07:49:33-04:00
Issue 4912 - dsidm command crashing when account policy plugin is enabled

Bug Description:  If the account policy plugin is enabled, but not
                  configured then dsidm will crash when checking an
                  entry's status.

Fix Description:  Check if the config DN is present before trying
                  to check its values.

relates: https://github.com/389ds/389-ds-base/issues/4912

Reviewed by: firstyear(thanks!)

- - - - -
4634ec6a by Simon Pichugin at 2021-09-10T14:20:26-07:00
Issue 4894 - IPA failure in ipa user-del --preserve (#4907)

Bug Description: Starting with 389-ds 2.0.8 on rawhide,
any call to ipa user-del --preserve fails with
This entry already exists.

Fix Description: We should split 'dn' parameter in searchAllSubtrees
into parent and target. As one of them is used for excluding the
subtree checks and another one for searching.
Improve 'superior' processing when we don't change the parent.
Rename variables in a more sane way.

Fixes: https://github.com/389ds/389-ds-base/issues/4894

Reviewed by: @Firstyear, @tbordaz, @progier389 (Thanks!)
- - - - -
2e4387db by Mark Reynolds at 2021-09-11T10:14:38-04:00
Issue 4796 - Add support for nsslapd-state to CLI & UI

Description:  Add support for nsslapd-state to lib389 and UI.  Also
              added a check to prevent the changing of nsslapd-state
              for replicated suffixes.

              Also did a little UI cleanup where a bottom margin was added
              to the bottom of pages instead of using <hr> to create the gap.

relates: https://github.com/389ds/389-ds-base/issues/4796

Reviewed by: jachapman & spichugi(Thanks!!)

- - - - -
d4243cfc by François Cami at 2021-09-13T12:16:01-04:00
Issue 4863 - typoes in logconv.pl

There are two occurrences of "occurrances" in logconv.pl.
Replace the two occurrences of occurrances by occurences.

Relates: https://github.com/389ds/389-ds-base/issues/4863
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed by: Mark Reynolds <mreynolds at redhat.com>

- - - - -
083c55b1 by Mark Reynolds at 2021-09-13T12:23:48-04:00
Issue 4912 - Account Policy plugin does not set the config entry DN

Description: Although we create the config entry for the Account Policy
plugin, we do not list the config entry DN in the main plugin entry
via nsslapd-pluginarg0

relates: https://github.com/389ds/389-ds-base/issues/4912

Reviewed by: mreynolds(one line commit rule)

- - - - -
b400b07c by Marc Muehlfeld at 2021-09-14T09:24:06-04:00
Issue 4908 - Updated several dsconf --help entries (typos, wrong descriptions, etc.)

Description:
The --help of dsconf and its subcommands contain several incorrect descriptions, typos, inconsistent language, some entries end with a ".", some don't, some descriptions start with lowercase, ...

For a better user experience, the descriptions of subcommands, and parameters should be reviewed and improved.

Fixes: #4908

Reviewed by: Mark Reynolds, William Brown, and Simon Pichugin

- - - - -
21dd2802 by Mark Reynolds at 2021-09-20T09:12:55-04:00
Bump version to 2.0.10

- - - - -
54d7cc78 by Viktor Ashirov at 2021-09-22T00:07:23+02:00
Issue 4916 - Memory leak in ldap-agent

Description:
Fix a minor memory leak in ldap-agent to make AddressSanitizer happy.

Fixes: https://github.com/389ds/389-ds-base/issues/4916

Reviewed by: @mreynolds389, @Firstyear (Thanks!)

- - - - -
c661024b by tbordaz at 2021-09-23T09:49:40-04:00
Issue 4925 - Performance ACI: targetfilter evaluation result can be reused (#4926)

Bug description:
	An ACI may contain targetfilter. For a given returned entry, of a
        SRCH request, the same targetfilter is evaluated for each of the
        returned attributes.
        Once the filter has been evaluated, it is useless to reevaluate
        it for a next attribute.

Fix description:
	The fix implements a very simple cache (linked list) that keeps
        the results of the previously evaluated 'targetfilter'.
        This cache is per-entry. For an operation, an aclpb is allocated
        that is used to evaluate ACIs against each successive entry.
        Each time a candidate entry is added in the aclpb
        (acl_access_allowed), the cache (aclpb_curr_entry_targetfilters)
        is freed. Then for each 'targetfilter', the original targetfilter
        is looked up from the cache. If this is the first evaluation of it
        then the result of the evaluation is stored into the cache using
        the original targetfilter as the key in the cache

	The key to lookup/store the cache is the string representation
        of the targetfilter. The string contains a redzone to detect
        that the filter exceeds the maximum size (2K). If it exceeds
        then the key is invalid and the lookup/store is noop.

relates: #4925

Reviewed by: Mark Reynolds, William Brown (Thanks)

Platforms tested: F34
- - - - -
cdd354c9 by Mark Reynolds at 2021-09-27T13:07:20-04:00
Issue 4513 - fix ACI CI tests involving ip/hostname rules

Description:  Fix tests that use ACIs with ip/hostname rules. Harden
              the dscreate and dsctl acceptance tests, and fix some
              flakiness in the sync repl test, and filter schema
              validation.

              Also updated the doxy file and fixed some compiler warnings

relates: https://github.com/389ds/389-ds-base/issues/4513

Reviewed by: spichugi & tbordaz(Thanks!!)

(cherry picked from commit 2a9df10303c4902a816a64b805448f31380a2728)

- - - - -
121e27a4 by Firstyear at 2021-09-30T11:51:23+10:00
Issue 4847 - BUG - potential deadlock in replica (#4936)

Bug Description: There was an incorrect double lock in
repl5_replica_config.c

Fix Description: Replace the incorrect lock with an unlock.

fixes: https://github.com/389ds/389-ds-base/issues/4847

Author: jenny <@jenny-cheung>

Review by: @firstyear @droideck

Co-authored-by: jenny <84835889+jenny-cheung at users.noreply.github.com>
- - - - -
2cd65b47 by James Chapman at 2021-10-07T15:04:06+00:00
Issue 4921 - logconv.pl -j: Use of uninitialized value (#4922)

Description: When logconv.pl is run with the recommendations flag
it generates an uninitialized value error.

Fixed this and did some tidying up.

Fixes: https://github.com/389ds/389-ds-base/issues/4921

Reviewed by: @progier389  (Thank you)
- - - - -
9ea04db9 by Viktor Ashirov at 2021-10-11T09:13:49+02:00
Issue 4938 - max_failure_count can be reached in dscontainer on slow machine with missing debug exception trace

Bug Description:
On a very slow machine max_failure_count can be reached too soon. For
troubleshooting and diagnostics this parameter should be configurable.

Fix Description:
Introduce a new env variable DS_STARTUP_TIMEOUT that accepts a number in
seconds. By default it is 60.
Log a traceback when we reach the timeout.

Fixes: https://github.com/389ds/389-ds-base/issues/4938

Reviewed by: @Firstyear (Thanks!)

- - - - -
173194e5 by Mark Reynolds at 2021-10-18T15:00:27-04:00
Issue 4299 - Merge LDAP editor code into Cockpit UI

Description: Merging parts of Têko Mihinto <tmihinto at redhat.com> LDAP
editor into the Cockpit UI.  Some of it is functional, but there is
still much more work to be done.

relates: https://github.com/389ds/389-ds-base/issues/4299

Reviewed by: spichugi(Thanks!)

- - - - -
c0623e95 by Mark Reynolds at 2021-10-19T08:51:20-04:00
Bump github container shm size to 4 gigs

- - - - -
bf128397 by Mark Reynolds at 2021-10-19T09:27:14-04:00
Issue 2790 - Set db home directory by default

Description:  The selinux rules (selinux-policy-3.14.3-79)
              have been updated to support /dev/shm/slapd-INST

Relates: https://github.com/389ds/389-ds-base/issues/2790

Reviewed by: firstyear(Thanks!)

- - - - -
6467ea5c by progier389 at 2021-10-26T10:38:00+02:00
Issue 4943 - Fix csn generator to limit time skew drift (#4946)

* Issue 4943 - Fix csn generator to limit time skew drift

(cherry picked from commit cbfccd67e0ad0900f5307c565f8b32cbfdda5223)

- - - - -
b0d06615 by Simon Pichugin at 2021-10-26T17:08:43-07:00
Issue 3584 - Fix PBKDF2_SHA256 hashing in FIPS mode (#4949)

Issue Description: Use PK11_Decrypt function to get hash data
because PK11_ExtractKeyValue function is forbidden in FIPS mode.
We can't extract keys while in FIPS mode. But we use PK11_ExtractKeyValue
for hashes, and it's not forbidden.

We can't use OpenSSL's PBKDF2-SHA256 implementation right now because
we need to support an upgrade procedure while in FIPS mode (update
hash on bind). For that, we should fix existing PBKDF2 usage, and we can
switch to OpenSSL's PBKDF2-SHA256 in the following versions.

Fix Description: Use PK11_Decrypt function to get the data.

Enable TLS on all CI test topologies while in FIPS because without
that we don't set up the NSS database correctly.

Add PBKDF2-SHA256 (OpenSSL) to ldif templates, so the password scheme is
discoverable by internal functions.

https://github.com/389ds/389-ds-base/issues/3584

Reviewed by: @progier389, @mreynolds389, @Firstyear, @tbordaz (Thanks!!)

- - - - -
0e5a5c52 by Mark Reynolds at 2021-10-27T20:36:49-04:00
Issue 4962 - Fix various UI bugs part 1

Fix Description:

Bug 2016022 - Cockpit UI: UI is incorrectly saying "Create the Sub Suffix entry"
Bug 2015951 - Cockpit UI: Database tab ---> Export Database/replication data
Bug 2015221 - Cockpit UI: UX Bugs Server Settings ->Tuning and Limits
Bug 2015139 - Configuration for Import Cache Settings is not saved
Bug 2015127 - No message when configuring Global Database Configuration
Bug 2014924 - Cockpit UI: UX Bugs and other cockpit GUI related defects

relates: https://github.com/389ds/389-ds-base/issues/4962

Reviewed by: spichugi & jchapman (Thanks!!)

- - - - -
36af8a01 by Mark Reynolds at 2021-10-28T08:26:35-04:00
Issue 4731 - Promoting/demoting a replica can crash the server

Bug Description:  The server will crash if you demote a
                  supplier with no changelog.

Fix Description:  Check if the changelog pointer is NULL before
                  dereferencing it

relates: https://github.com/389ds/389-ds-base/issues/4731

Reviewed by: spichugi & firstyear (Thanks!!)

- - - - -
9e9ef0f3 by Mark Reynolds at 2021-10-28T14:46:46-04:00
Issue 4956 - Automember allows invalid regex, and does not log proper error

Bug Description:  The server was detecting an invalid automember
                  regex, but it did not reject it, and it did not
                  log which regex rule was invalid.

Fix Description:  Properly rejecting the invalid regex will also
                  trigger the proper error logging to occur.

relates: https://github.com/389ds/389-ds-base/issues/4956

Reviewed by: tbordaz & spichugi(Thanks!!)

- - - - -
5f05bc7a by Mark Reynolds at 2021-10-28T14:55:16-04:00
Issue 4092 - systemd-tmpfiles warnings

Bug Description:

systemd-tmpfiles warns about legacy paths in our tmpfiles configs.
Using /var/run also introduces a race condition, see the following
issue https://pagure.io/389-ds-base/issue/47429

Fix Description:

Instead of using @localstatedir@/run use @localrundir@ which was
introduced in #850.

Relates: https://github.com/389ds/389-ds-base/issues/766
Fixes: https://github.com/389ds/389-ds-base/issues/4092

Reviewed by: vashirov & firstyear(Thanks!)

- - - - -
c30ebb57 by Mark Reynolds at 2021-11-01T14:08:32-04:00
Issue 4973 - installer changes permissions on /run

Description:  There was a regression when we switched over to using /run
              that caused the installer to try and create /run which
              caused the ownership to change.  Fixed this by changing
              the "run_dir" to /run/dirsrv

relates: https://github.com/389ds/389-ds-base/issues/4973

Reviewed by: jchapman(Thanks!)

- - - - -
769e591b by Simon Pichugin at 2021-11-01T12:09:10-07:00
Issue 4962 - Fix various UI bugs - Plugins (#4969)

Description:

Bug 1816526 - restart instance after plugin enabled/disabled should depend on 'nsslapd-dynamic-plugins' status
Bug 2011183 - Retro Changelog plugin - saving any configuration is stuck in loading
Bug 2011187 - Posix Winsync Plugin - configuration is not saved
Bug 2011188 - DNA plugin fails to be enabled
Bug 2011751 - Referential Integrity Plugin - unable to save changes
Bug 2011767 - RootDN Access Control Plugin - configuration stuck and a wrong message is displayed
Bug 2011814 - Account Policy Plugin - configuration failing with error

relates: #4962

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
a123c215 by Mark Reynolds at 2021-11-02T10:46:54-04:00
Issue 4973 - update snmp to use /run/dirsrv for PID file

Description:  Previously SNMP would write the agent PID file directly
              under /run (or /var/run), but this broke a CI test after
              updating lib389/defaults.inf to use /run/dirsrv.

              Instead of hacking the CI test, I changed the path
              snmp uses to:  /run/dirsrv/  Which is where it
              should really be written anyway.

relates: https://github.com/389ds/389-ds-base/issues/4973

Reviewed by: vashirov(Thanks!)

- - - - -
b0e890bf by Viktor Ashirov at 2021-11-03T12:17:03+01:00
Issue 4976 - Failure in suites/import/import_test.py::test_fast_slow_import

Bug Description:
Previous change 6b10f1795f52395aa46d48a6f0428d126b35a90d had a wrong
assumption that total_time1 and total_time2 have a very insignificant
difference in case nsslapd-db-private-import-mem is set to 'off'.
In reality it is insignificant only on a smaller number of entries.
A recent change in libdb exposed this wrong assumption. With this change
__db.00* files get the maximum size in advance, instead of expanding
them when needed.

Fix Description:
Revert 6b10f1795f52395aa46d48a6f0428d126b35a90d.

Fixes: https://github.com/389ds/389-ds-base/issues/4976

Reviewed by: @mreynolds389, @droideck (Thanks!)

- - - - -
b1efe0d4 by Mark Reynolds at 2021-11-03T08:56:11-04:00
Issue 4978 - make installer robust

Description:  When run in a container the server can fail to start
              because the installer sets the db_home_dir to /dev/shm,
              but in containers the default size of /dev/shm is too
              small for libdb. We should detect if we are in a
              container and not set db_home_dir to /dev/shm.

              During instance removal, if an instance was not properly
              created then it can not be removed either. Make the
              uninstall more robust to accept some errors and continue
              removing the instance.

relates: https://github.com/389ds/389-ds-base/issues/4978

Reviewed by: firstyear & tbordaz(Thanks!)

- - - - -
7570259a by tbordaz at 2021-11-05T09:59:47+01:00
Issue 4972 - gecos with IA5 introduces a compatibility issue with previous (#4981)

releases where it was DirectoryString

Bug description:
       For years 'gecos' was DirectoryString (UTF8), with #50933 it was restricted to IA5 (ascii)
       https://github.com/389ds/389-ds-base/commit/0683bcde1b667b6d0ca6e8d1ef605f17c51ea2f7#

       IA5 definition conforms rfc2307 but is a problem for existing deployments
       where entries can have 'gecos' attribute value with UTF8.

Fix description:
       Revert the definition of 'gecos' to being Directory String

       Additional fix to make test_replica_backup_and_restore more
       robust to CI

relates: https://github.com/389ds/389-ds-base/issues/4972

Reviewed by: William Brown, Pierre Rogier, James Chapman (Thanks !)

Platforms tested: F34
- - - - -
608d4b37 by tbordaz at 2021-11-05T16:37:42+01:00
Issue 4678 - RFE automatic disable of virtual attribute checking (#4918)

Bug description:
	Virtual attributes are configured via Roles or COS definitions
        and registered during initialization of those plugins.
	Virtual attributes are processed during search evaluation of
	filter and returned attributes. This processing is expensive
	and prone to create contention between searches.
	Use of virtual attributes is not frequent. So many of the
	deployments process virtual attributes even if there are none.

Fix description:
	The fix configures the server to ignore virtual attributes by
        default (nsslapd-ignore-virtual-attrs: on).
        At startup, if a new virtual attribute is registered or
        there exist Roles/COS definitions, then the server is
	configured to process the virtual attributes
        (nsslapd-ignore-virtual-attrs: off)
        design: https://www.port389.org/docs/389ds/design/vattr-automatic-toggle.html

relates: https://github.com/389ds/389-ds-base/issues/4678

Reviewed by: William Brown, Simon Pichugin, Mark Reynolds (Thanks !!)

Platforms tested: F34
- - - - -
33c85c56 by Mark Reynolds at 2021-11-10T08:57:50-05:00
Issue 4978 - use more portable python command for checking containers

Description:  During the installation check for containers use arguments
              for subprocess.run() that work on all versions of python

relates: https://github.com/389ds/389-ds-base/issues/4978

Reviewed by: mreynolds(one line commit rule)

- - - - -
f53793d3 by Simon Pichugin at 2021-11-12T10:45:23-08:00
Issue 4962 - Fix various UI bugs - dsctl and ciphers (#5000)

Description: Don't start/stop instance if it's already started/stopped.
Add JSON error output to the basic CLI tool's operations.
Fix Ciphers Tab behaviour so it's aligned with the documentation and the
core functionality.

Relates: https://github.com/389ds/389-ds-base/issues/4962

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
8a2b4c7d by Mark Reynolds at 2021-11-15T16:43:02-05:00
Issue 5001 - Fix next round of UI bugs:

Description:

Addressing a series of bugs found by QE:

Bug 2016526 - LDAPI & Autobind save btn misbehaving
Bug 2016481 - Disabling Security leaves the pop-up window open
Bug 2016026 - Selecting existing certificate in Security Configuration crashes browser
Bug 2017402 - Adding several allowed SASL mechanisms does not behave correctly
Bug 2017411 - cockpit crashes because invalid SASL mapping regex was saved
Bug 2022117 - Cockpit UI: Editing an Objectclass name causes an error in Cockpit UI
Bug 2021194 - Searching "matching rules" in the "Schema" Tab crashes browser
Bug 2021591 - cockpit : audit and audit failure log enablement status is not persistent

relates: https://github.com/389ds/389-ds-base/issues/5001

Reviewed by: tbordaz & spichugi(Thanks!!)

- - - - -
172dd04e by spike at 2021-11-16T09:09:49-05:00
Issue 4959 - Invalid /etc/hosts setup can cause isLocalHost to fail.

Description: Use local_simple_allocate in dsctl so that isLocal is always set properly

Relates: https://github.com/389ds/389-ds-base/issues/4959

Reviewed by: @droideck (Thanks!)

- - - - -
a69bd611 by Mark Reynolds at 2021-11-16T11:49:26-05:00
Issue 5001 - Update CI test for new availableSASLMechs attribute

Description:  Issue 5001 added a new attribute to the root dse, but
              a CI test was not updated for the new attribute.

relates: https://github.com/389ds/389-ds-base/issues/5001

Reviewed by: mreynolds (one line commit rule)

- - - - -
f974ec39 by Mark Reynolds at 2021-11-17T15:37:59-05:00
Issue 5006 - UI - LDAP editor tree not being properly updated

Description:  Deleting an entry was the tree view did not update the
              treeview.  Updates to table view were also not seen
              in the tree view.  The views should now be in synch

              Also, replaced some console logging with our "log_cmd"
              function in the editor utils file.

relates: https://github.com/389ds/389-ds-base/issues/5006

Reviewed by: spichugi(Thanks!)

- - - - -
18a12749 by Mark Reynolds at 2021-11-21T17:48:37-05:00
Issue 5014 - UI - Add group creation to LDAP editor

Description:  Added group creation to LDAP editor via the "New ..."
              menu option

relates: https://github.com/389ds/389-ds-base/issues/5014

Reviewed by: spichugi(Thanks!)

- - - - -
a033e026 by Simon Pichugin at 2021-11-22T19:39:33-05:00
Issue 4962 - Fix various UI bugs - Settings and Monitor (#5016)

Description:

Bug 2014924 - Cockpit UI: UX Bugs and other cockpit GUI related defects
Bug 2017441 - cockpit : Export changelog allows to check both 'Export to LDIF For Debugging' options but only takes one into account
Bug 2018101 - cockpit : impossible to create credentials or aliases for replication monitoring synchronization report
Bug 2021250 - cockpit : logging setting entered values for rotation and deletion policies should be checked
Bug 2021278 - Cockpit UI: Unable to Edit Attributes without first searching for the attribute to edit

Related: https://github.com/389ds/389-ds-base/issues/5001

Reviewed by: @mreynolds389 (Thanks!!)
- - - - -
237913e8 by Mark Reynolds at 2021-11-22T19:44:39-05:00
Bump version to 2.0.11

- - - - -
cb9980a0 by tbordaz at 2021-11-24T18:43:30+01:00
Issue 5008 - If a non critical plugin can not be loaded/initialized, bootstrap should succeed (#5009)

Bug description:
	If a non-critical plugin can not be loaded/initialized, the server should continue its startup.

Fix description:
	During plugin_setup, if the server fails to initialize a
	non-critical plugin then it just logs an error:

	plugin_setup - "GOST_YESCRYPT" plugin in library "libpwdstorage-plugin" not initialized and ignored

	The non-critical plugins are statically listed in
        plugin_load_critical(). ATM non critical plugins are
		entryuuid (name)
		GOST_YESCRYPT (name)
		libpwdchan (library path)

relates: #5008

Reviewed by: Mark Reynolds, Pierre Rogier, William Brown, Stanislav Levin (thanks !!)

Platforms tested: F34, CentOS8
- - - - -
2a0edec1 by Firstyear at 2021-12-02T09:55:53+10:00
Issue 5020 - BUG - improve clarity of posix win sync logging (#5021)

* Issue 5020 - BUG - improve clarity of posix win sync logging

Bug Description: When a user isn't synced from AD due to missing schema,
if the user was a member of a group then posix-winsync would confusingly
report an err=32 (NO_SUCH_OBJECT) which made it "appear" significantly
worse as a problem than it was.

Fix Description: This clarifies the error message to make it easier
for an administrator to understand why this is occurring.

fixes: https://github.com/389ds/389-ds-base/issues/5020

Author: William Brown <william at blackhats.net.au>

Review by: @tbordaz , @droideck 
- - - - -
43ac925f by Firstyear at 2021-12-03T11:01:46+10:00
Issue 5024 - BUG - windows ro replica sigsegv (#5027)

Bug Description: After 1.4.3, the changelog moves into the main database rather than being a
separate entity. This caused a situation where it was possible to create and configure a
changelog while also acting as a read-only replica. This allows individuals to create a
windows sync agreement, however during the upgrade to 1.4.4 where we move the changelog into
the main DB, I can only assume we either delete or ignore the CL if the replica is readonly.

As a result, this caused a situation where the replica information and agreement existed, but
the changelog did not. During startup as the agreement was processed, an attempt to open the
CL was made, but caused a NULL pointer dereference which prevented server startup.

Fix Description: This fixes the issue on a number of fronts. First, we remove the original
NULL pointer dereference in cl5_api.c. We correct a bug in promote in lib389 that prevented
consumer to supplier promotion. And finally, this adds a hardening check to better communicate
to users in this situation what steps they need to take.

fixes: https://github.com/389ds/389-ds-base/issues/5024

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 @tbordaz 
- - - - -
1a52a366 by Viktor Ashirov at 2021-12-03T10:21:54+01:00
Issue 4931 - RFE: dsidm - add creation of service accounts

Description:
Extend dsidm to handle service accounts under ou=services

Relates: https://github.com/389ds/389-ds-base/issues/4931

Reviewed by: @Firstyear, @mreynolds389 (Thanks!)

- - - - -
0bf27ed1 by Sam Morris at 2021-12-06T11:58:07-05:00
Issue 4165 - Don't apply RootDN access control restrictions to UNIX connections

Bug Description:

The RootDN access control plugin prevents access via UNIX sockets (ldapi://)
when host or IP restrictions are configured.

Fix Description:

The host and IP restrictions are no longer applied if the client connected via UNIX sockets.

relates: https://github.com/389ds/389-ds-base/issues/4165

Author: Sam Morris

Reviewed by: @mreynolds389, @Firstyear

- - - - -
7953e8b6 by Firstyear at 2021-12-10T09:38:21+10:00
Issue 5043 - BUG - Result must be used compiler warning (#5045)

Bug Description: Rust 1.57 enforces that Results must be
used, which causes librnsslapd to fail to build

Fix Description: Change how we duplicate the string so
that we don't need the result step.

fixes: https://github.com/389ds/389-ds-base/issues/5043

Author: William Brown <william at blackhats.net.au>

Review by: @vashirov, @droideck 
- - - - -
5ba2b8b2 by Firstyear at 2021-12-10T09:38:26+10:00
Issue 5046 - BUG - update concread (#5047)

Bug Description: an update to concread changed how the cache was
constructed and how stats are used.

Fix Description: Update to adapt to these changes. Additionally
this update has a number of performance improvements.

fixes: https://github.com/389ds/389-ds-base/issues/5046

Author: William Brown <william at blackhats.net.au>

Review by: @vashirov, @droideck 
- - - - -
706d95fa by Simon Pichugin at 2021-12-13T18:02:37-08:00
Issue 4962 - Fix various UI bugs - Database and Backups (#5044)

Description:

Bug 1751280 - [RFE] Cockpit : Provide the access path to the exported suffix
Bug 1861805 - 389-ds-base: Accepting nsslapd-db-checkpoint-interval values in negative.
Bug 1926516 - Cannot load the DB with suffix with characters escaped by a backslash.
Bug 1986388 - Cockpit: "Manage backups" list is empty if dirsrv service is stopped

Related: https://github.com/389ds/389-ds-base/issues/5001

Reviewed by: @jchapma, @mreynolds389 (Thanks!)
- - - - -
039bc990 by James Chapman at 2022-01-13T16:50:07+00:00
Issue 4994 - Revert retrocl dependency workaround (#4995)

Description: The RetroCL exclude attribute RFE was dependent on the
functionality of a commit that didn't make into the rhel 8.5 build. A
work around was committed that added the missing methods.

Since then the previous commit has been merged, so there now exists two
definitions of the same method, these need to be removed.

fixes: https://github.com/389ds/389-ds-base/issues/4994

relates: https://github.com/389ds/389-ds-base/issues/4791

Reviewed by: tbordaz (Merci)
- - - - -
97b3c32d by James Chapman at 2022-01-13T16:50:55+00:00
Issue 5074 - retro changelog cli updates (#5075)

Bug description: The cli does not allow for the creation of multiple
exclude attributes in one call. When there are multiple exclude
attributes defined, the cli doesn't allow removal of an individual
exclude attribute. Using the set command deletes all excluded
attributes.

Fix description: Modify parser to take multiple arguments in a single
call. Add attribute del method to lib389 cli_conf.

Fixes: https://github.com/389ds/389-ds-base/issues/5074

Reviewed by: Firstyear, droideck, mreynolds389 (Thank you)
- - - - -
c2f6c23b by Simon Pichugin at 2022-01-13T09:31:34-08:00
Issue 3584 - Add is_fips check to password tests (#5100)

Description: While in FIPS mode, it's expected that SSHA512 is used
as a storage scheme. And {PBKDF2_SHA256} is used when not run in FIPS mode.
Align tests with the logic.

Fixes: https://github.com/389ds/389-ds-base/issues/3584

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
cb21e1a2 by tbordaz at 2022-01-14T14:51:59+01:00
Issue 5095 - sync-repl with openldap may send truncated syncUUID (#5099)

Bug description:
	When using sync_repl from openldap, syncUUID (that identifies an
	entry) is retrieved from targetEntryUUID rather than nsuniqueid.
	syncUUID is a 16 bytes long representation of targetEntryUUID.
        TargetEntryUUID can contain '00' so syncUUID can contain a
	byte with 0x00.
	When creating a syncInfo
(https://datatracker.ietf.org/doc/html/rfc4533#section-2.5)
	syncUUIDS is ber encoded with '[v]' taking a null terminated
	array of (char*). In such case the 0x00 char truncates the
	syncUUID.

Fix description:
	Instead of using a null terminated array of (char*), the
	fix uses a null terminated array of berval.

relates: https://github.com/389ds/389-ds-base/issues/5095

Reviewed by: William Brown, Simon Pichugin (Thanks)

Platforms tested: F34
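
The truncation described in this commit message, as an added example that is not part of the commit or of 389-ds-base: a minimal encoder shows how a NULL-terminated `char *` list loses the bytes after a 0x00 in a 16-byte syncUUID, while a length-carrying value keeps them. `struct octets`, the encoder functions and the sample UUIDs are constructed for illustration and stand in for berval and the real BER library.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define SYNCUUID_LEN 16 /* RFC 4533: syncUUID ::= OCTET STRING (SIZE(16)) */

/* Hypothetical stand-in for a length-carrying value such as struct berval. */
struct octets {
    size_t len;
    const unsigned char *val;
};

/* Constructed sample UUIDs; the 17th byte is zero-filled so strlen() stays in bounds. */
static unsigned char uuid_a[SYNCUUID_LEN + 1] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x10 };
static unsigned char uuid_b[SYNCUUID_LEN + 1] = { /* 0x00 at index 5 */
    0xde, 0xad, 0xbe, 0xef, 0x12, 0x00, 0x34, 0x56,
    0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x01, 0x02, 0x03 };

/* Append one OCTET STRING (tag 0x04, short-form length). Returns bytes written, 0 on error. */
static size_t put_octet_string(unsigned char *out, size_t cap,
                               const unsigned char *val, size_t len)
{
    if (len > 127 || cap < len + 2)
        return 0;
    out[0] = 0x04;
    out[1] = (unsigned char)len;
    memcpy(out + 2, val, len);
    return len + 2;
}

/* Before: the value length is inferred with strlen(), so it stops at the first 0x00. */
size_t encode_from_cstrings(unsigned char *out, size_t cap, char **vals)
{
    size_t off = 0;
    for (size_t i = 0; vals[i] != NULL; i++) {
        size_t n = put_octet_string(out + off, cap - off,
                                    (const unsigned char *)vals[i], strlen(vals[i]));
        if (n == 0)
            return 0;
        off += n;
    }
    return off; /* 0 also for an empty list */
}

/* After: each value carries its own length, so embedded 0x00 bytes survive. */
size_t encode_from_octets(unsigned char *out, size_t cap, struct octets **vals)
{
    size_t off = 0;
    for (size_t i = 0; vals[i] != NULL; i++) {
        size_t n = put_octet_string(out + off, cap - off, vals[i]->val, vals[i]->len);
        if (n == 0)
            return 0;
        off += n;
    }
    return off;
}

/* Receiver-side check: count encoded values that are not exactly 16 bytes.
 * Returns -1 if the buffer is not a clean run of short-form OCTET STRINGs. */
int count_bad_syncuuids(const unsigned char *buf, size_t len)
{
    int bad = 0;
    size_t off = 0;
    while (off < len) {
        if (len - off < 2 || buf[off] != 0x04 || buf[off + 1] > 127)
            return -1;
        size_t vlen = buf[off + 1];
        if (vlen > len - off - 2)
            return -1;
        if (vlen != SYNCUUID_LEN)
            bad++;
        off += 2 + vlen;
    }
    return bad;
}

size_t demo_cstrings(unsigned char *out, size_t cap)
{
    char *vals[] = { (char *)uuid_a, (char *)uuid_b, NULL };
    return encode_from_cstrings(out, cap, vals);
}

size_t demo_octets(unsigned char *out, size_t cap)
{
    struct octets a = { SYNCUUID_LEN, uuid_a }, b = { SYNCUUID_LEN, uuid_b };
    struct octets *vals[] = { &a, &b, NULL };
    return encode_from_octets(out, cap, vals);
}

int main(void)
{
    unsigned char buf[64];
    size_t n = demo_cstrings(buf, sizeof buf);
    printf("char* list:  %zu bytes, %d bad syncUUID(s)\n", n, count_bad_syncuuids(buf, n));
    n = demo_octets(buf, sizeof buf);
    printf("octets list: %zu bytes, %d bad syncUUID(s)\n", n, count_bad_syncuuids(buf, n));
    return 0;
}
```

A consumer can run the same length check on received syncUUIDs to spot a supplier that still truncates.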
- - - - -
389188cd by tbordaz at 2022-01-14T17:21:27+01:00
Issue 5105 - During a bind, if the target entry is not reachable the operation may complete without sending result (#5107)

Bug description:
	A bind operation can skip sending back operation result.
	This can happen in rare conditions, such as when the backend is not
	available, is in referral mode, or did not define a bind callback.

Fix description:
	Catch those error conditions and send an operation result.

relates: https://github.com/389ds/389-ds-base/issues/5105

Reviewed by: Pierre Rogier (thanks !)

Platforms tested: F34
- - - - -
64aef1e7 by tbordaz at 2022-01-19T09:35:54+01:00
Issue 4312 - performance search rate: contention on global monitoring counters (#4940)

Bug description:
	The server manages a set of counters in order to report metrics either with SRCH
	"cn=monitor" or with SNMP agent.
	The counters are global and so the threads updating the counters are all accessing
	the same counters and same memory addresses. The counters are accessed by workers and/or listener threads.
	All of them are in competition to access the counter memory addresses, which creates contention.

Fix description:
	The fix spreads the set of global counters into a per thread set
	of global counters
	https://www.port389.org/docs/389ds/design/global-counters-contention.html

relates: https://github.com/389ds/389-ds-base/issues/4312

Reviewed by: William Brown, Mark Reynolds (Thanks)

Platforms tested:  F34
- - - - -
9a49331c by Viktor Ashirov at 2022-01-19T19:52:32+01:00
Issue 5115 -  AttributeError: type object 'build_manpages' has no attribute 'build_manpages'

Bug Description:
Starting from v2.1, argparse-manpage provides methods build_manpages,
get_build_py_cmd and get_install_cmd in the top-level module.
This breaks installation of lib389 on systems with the newer version
of argparse-manpage.

Fix Description:
Update setup.py to be aware of the module version and import methods
based on it.

Fixes: https://github.com/389ds/389-ds-base/issues/5115

Reviewed by: @tbordaz, @mreynolds389 (Thanks!)

- - - - -
0130544e by Thierry Bordaz at 2022-01-20T10:07:18+01:00
Issue 4312 - fix compiler warning

- - - - -
de212e22 by Viktor Ashirov at 2022-01-20T17:21:17+01:00
Issue 5124 - dscontainer fails to create an instance

Bug Description:
After 5f05bc7af82edf4690c0dce0ceaab8ac328b70a6 dscontainer fails to
create an instance, because it tries to write PID file to /run instead
of /run/dirsrv as it was previously.

Fix Description:
Change pid_file in defaults.inf back to /run/dirsrv/slapd-{instance_name}.pid

Fixes: https://github.com/389ds/389-ds-base/issues/5124

Reviewed by: @mreynolds389, @droideck (Thanks!)

- - - - -
5b69fc6a by Mark Reynolds at 2022-01-24T11:51:02-05:00
Issue 5127 - run restorecon on /dev/shm at server startup

Description:

Update the systemd service file to execute a script that runs
restorecon on the DB home directory.  This addresses issues with
backup/restore, reboot, and FS restore issues that can happen when
/dev/shm is missing or created outside of dscreate.

relates: https://github.com/389ds/389-ds-base/issues/5127

Reviewed by: progier & viktor (Thanks!!)

- - - - -
0000fb52 by Mark Reynolds at 2022-01-24T12:01:12-05:00
Issue 4299 - UI LDAP editor - add "edit" and "rename" functionality

Description:

Reworked the entry edit wizard to be one form to edit all
aspects of the entry.  Also add the ability to do modrdns.

relates: https://github.com/389ds/389-ds-base/issues/4299

Reviewed by: spichugi & tmihinto(Thanks!!)

- - - - -
1cee8d4f by Mark Reynolds at 2022-01-24T12:01:52-05:00
Issue 4299 - UI - Add ACI editing features

Description:  Add ACI management features to UI

relates: https://github.com/389ds/389-ds-base/issues/4299

Reviewed by: spichugi & jchapman(Thanks!!)

- - - - -
874da220 by Mark Reynolds at 2022-01-24T12:20:24-05:00
Issue 3555 - UI - fix audit issue with npm nanoid

Description:

Ran npm audit fix to address vulnerability in nanoid

relates: https://github.com/389ds/389-ds-base/issues/3555

Reviewed by: mreynolds

- - - - -
26cb4b8e by Mark Reynolds at 2022-01-24T13:07:47-05:00
Issue 5132 - Update Rust crate lru to fix CVE

Description:

A CVE was discovered in the Rust crate lru that
389-ds-base was using.  CVE-2021-45720  bundled
lru: Use after free in lru crate

https://bugzilla.redhat.com/show_bug.cgi?id=2044430

relates: https://github.com/389ds/389-ds-base/issues/5132

Reviewed by: ?

- - - - -
8a0dc0c1 by Mark Reynolds at 2022-01-24T13:32:54-05:00
Bump version to 2.0.13

Description:  The version had bumped to 2.0.12, but that commit
was not pushed.  So 2.0.12 was really at commit:

706d95fa1 Issue 4962 - Fix various UI bugs - Database and Backups (#5044)

- - - - -
72eb93ac by Firstyear at 2022-01-25T10:49:42+10:00
Issue 5129 - BUG - Incorrect fn signature in add_index (#5130)

Bug Description: Due to an incorrect function signature,
it was possible to cause add index to fail by trying to
add an empty mr set.

Fix Description: Fix the function signature and make
the function more robust.

fixes: https://github.com/389ds/389-ds-base/issues/5129

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 (thanks!)
- - - - -
e7d6aef4 by Mark Reynolds at 2022-01-25T13:39:13-05:00
Issue 5135 - UI - Disk monitoring threshold does update properly

Description:

If you try entering a value manually and start with an empty field
it overwrites the value with 4096 as it's trying to incorrectly
enforce a minimum value.

relates: https://github.com/389ds/389-ds-base/issues/5135

Reviewed by: spichugi(Thanks!)

- - - - -
c1a56924 by Firstyear at 2022-01-27T07:34:39-05:00
Issue 5080 - BUG - multiple index types not handled in openldap migration (#5094)

Bug Description: In migration from openldap we were not correctly
handling how we parsed indexed attributes with multiple types of
indexes applied.

Fix Description: Fix the parsing and add tests for this scenario

fixes: https://github.com/389ds/389-ds-base/issues/5080

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389, @progier389, @droideck 
- - - - -
f0b69ea7 by Firstyear at 2022-01-27T07:35:27-05:00
Issue 5079 - BUG - multiple ways to specify primary (#5087)

Bug Description: In a winsync environment, we can only sync
changes to a primary replica. There are however, multiple
ways to specify which server is a primary for a replication
agreement, and I only accounted for one of them.

Fix Description: Improve the check to account for the
other primary replica flags.

fixes: https://github.com/389ds/389-ds-base/issues/5079

Author: William Brown <william at blackhats.net.au>

Review by: @droideck 
- - - - -
e19a538e by Firstyear at 2022-01-27T07:35:48-05:00
Issue 4992 - BUG - slapd.socket container fix (#4993)

Bug Description: A recent fix exposed that we were incorrectly
setting the container socket for ldapi.

Fix Description: Correct this to be consistent.

fixes: https://github.com/389ds/389-ds-base/issues/4992

Author: William Brown <william at blackhats.net.au>

Review by: @droideck 
- - - - -
68c97a2b by tbordaz at 2022-01-27T07:36:04-05:00
Issue 5037 - in OpenQA changelog trimming can crash (#5070)

Bug description:
	The changelog trimming thread is launched
	upon various conditions (changelog open,
	create replica, check RUVs, enable replication,
	...).
	The trimming thread is stopped upon
	various conditions (import, changelog close,
	delete replica, reload RUVs, disable replication,
	demote supplier,...)
	There are two issues:
	In case the trimming is stopped while the thread
	has not yet started, the trimming thread can crash
	because some required data (cldb) have been
	cleared under it.

	In case the trimming is restarted while the thread
	has not yet started, there is a possibility of
	starting several trimming threads

Fix description:
	The fix to prevent the first issue, just checks that
        the required data (cldb) is set.
	The second fix is to use a flag (trimmingOnGoing)
	to prevent multiple trimming threads. The flag is
	protected by stLock.

relates: https://github.com/389ds/389-ds-base/issues/5037

Reviewed by: Simon Pichugin (thanks !)

Platforms tested: F34
- - - - -
f308faeb by Adam Williamson at 2022-01-27T15:53:52-05:00
Issue 5127 - ds_selinux_restorecon.sh: always exit 0

Description:

We don't want to error out and give up on starting the service
if the restorecon fails - it might just be that the directory
doesn't exist and doesn't need restoring. Issue identified and
fix suggested by Simon Farnsworth

relates: https://github.com/389ds/389-ds-base/issues/5127

Reviewed by: adamw & mreynolds

- - - - -
eccfa2af by Mark Reynolds at 2022-01-27T16:06:48-05:00
Bump version to 2.0.14

- - - - -


17 changed files:

- + .github/daemon.json
- + .github/scripts/generate_matrix.py
- + .github/workflows/compile.yml
- + .github/workflows/pytest.yml
- .gitignore
- Makefile.am
- VERSION.sh
- configure.ac
- dirsrvtests/conftest.py
- dirsrvtests/create_test.py
- + dirsrvtests/tests/data/entryuuid/localhost-userRoot-invalid.ldif
- + dirsrvtests/tests/data/longduration/db_protect_long_test_reference_1.4.2.12.json
- dirsrvtests/tests/data/openldap_2_389/1/slapd.d/cn=config/olcDatabase={1}mdb.ldif
- + dirsrvtests/tests/data/openldap_2_389/4539/slapd.d/cn=config.ldif
- + dirsrvtests/tests/data/openldap_2_389/4539/slapd.d/cn=config/cn=module{0}.ldif
- + dirsrvtests/tests/data/openldap_2_389/4539/slapd.d/cn=config/cn=schema.ldif
- + dirsrvtests/tests/data/openldap_2_389/4539/slapd.d/cn=config/cn=schema/cn={0}core.ldif


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/5e1e392ae8aca76f5325987197e35fbeddfc58a7...eccfa2af9dd6f07a0354ea0698a5582cfb17c367
