[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master] 158 commits: Bump version to 2.5.0

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Aug 7 08:21:06 BST 2024



Timo Aaltonen pushed to branch master at FreeIPA packaging / 389-ds-base


Commits:
451140eb by James Chapman at 2023-11-15T15:57:27+00:00
Bump version to 2.5.0


- - - - -
f5bd0374 by progier389 at 2023-11-17T12:33:38+01:00
Issue 5947 - CI test_vlv_recreation_reindex fails on LMDB (#5979)

There are a few problems about vlv and lmdb:
[1] Crash while reindexing a vlv index while trying to clear the vlv cache
[2] Crash when VLV search fails because target entry is released twice
[3] Confusion about db interface and recno (recno is in the key rather than the data)
[4] dbscan fails to dump vlv cache database

Fix:
[1] Do not clear the vlv cache when having a pseudo txn (i.e. in import/reindex)
[2] Do not release the target entry in ldbm_back_search_cleanup
[3] Use the key to set the recno
[4] Do not try to change the "vlv db name to vlv cache name" if the name
is already a cache name (i.e. starting with ~)

Issue: #5947

Reviewed by: @droideck (Thanks!)
- - - - -
06bd0862 by progier389 at 2023-11-17T14:41:51+01:00
Issue 5984 - Crash when paged result search are abandoned (#5985)

* Issue 5984 - Crash when paged result search are abandoned

Problem:
  Fix #4551 has changed the lock that protects the paged result data
  within a connection. But the abandon operation attempts to free
  the paged search result with the connection lock.
  This leads to a race condition and double free, causing heap
  corruption and a SIGSEGV.

Solution:
  - Get a copy of the operation data that needs to be logged.
  - Unlock the connection mutex (to avoid deadlock risk)
  - Free the paged result while holding the paged result lock.

Issue: 5984

Reviewed by: @tbordaz (Thanks!)


- - - - -
df7dd832 by progier389 at 2023-11-21T11:57:44+01:00
Issue 5984 - Crash when paged result search are abandoned - fix2 (#5987)

Chasing several rabbits at the same time is a bad idea!
And I mixed branches and unwillingly pushed one commit for #5980 in #5984
just before the PR #5985 merge! -:(
Hopefully it does not break anything but just logs some useless crap if instance fails to start.
Anyway, this commit reverts the change about __init.py
and also does a minor code cleanup (removed a trailing space) in abandon.c

Issue #5984

Reviewed by: @tbordaz Thanks !
- - - - -
770edb23 by progier389 at 2023-11-21T14:34:09+01:00
Issue 5976 - Fix freeipa install regression with lmdb (#5977)

* Issue 5976 - Fix freeipa install regression with lmdb

There are three issues blocking the ipa setup when using lmdb database:

- Missing cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config entry (for compatibility reasons, the entry should exist even if it is unused)
- Missing task status after reindexing (known issue: cf nsTaskStatus is not created for index task with mdb backend #5911)
- Reindex task sets the exit code too early (leading to UNWILLING_TO_PERFORM / 'database is read-only' error in subsequent write operation)

The fixes are:

- Create the cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config entry even if it is not used.
- Ensure that both task status and exit code are set when importing/reindexing.
- Do not run the import framework in a new thread (but use the current thread) when doing a reindex in a task.

Issue: #5976

Reviewed by: @droideck, @tbordaz Thanks
- - - - -
84a845c4 by progier389 at 2023-11-22T15:26:54+01:00
Issue 5980 - Improve instance startup failure handling (#5991)

* Issue 5980 - Improve instance startup failure handling - PR 5991
Displays the important error log messages (those that are not: INFO/DEBUG/WARNING) when the server fails to start
to provide the root cause of the failure and help to diagnose some CI test failures.

Issue: #5990

Reviewed by: @tbordaz Thanks!
- - - - -
cfc0d757 by dependabot[bot] at 2023-11-29T12:19:18+01:00
Bump openssl from 0.10.55 to 0.10.60 in /src (#5995)

Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.55 to 0.10.60.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.60)

---
updated-dependencies:
- dependency-name: openssl
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support at github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- - - - -
855e6f29 by tbordaz at 2023-11-29T13:46:57+01:00
Issue 5944 - Reversion of the entry cache should be limited to BETXN plugin failures (#5994)

Bug description:
	During an update if a BETXN plugin fails the full TXN is aborted and
	the DB returns to the previous state. However potential internal
	updates, done by BETXN plugins, are also applied on the entry cache.
	Some entries in the entry cache are left in a state that does not
	reflect the DB state. To prevent this mismatch, upon BETXN failure,
	the fix https://pagure.io/389-ds-base/issue/50260 reverts some entries
	in the entry cache.

	The problem is that reversion is not limited to the cases of BETXN
	failures, which was the initial goal. So a "regular" error like schema
	violation could trigger revert_cache

Fix description:
	The fix flags if the failure is due to BETXN failures and
	triggers revert_cache only in that case

relates: #5944

Reviewed by: Pierre Rogier (Thanks!)
- - - - -
139748af by progier389 at 2023-11-29T16:00:32+01:00
Issue 5993 - Fix several race condition around CI tests (#5996)

* Several fixes about CI tests
Some CI tests are randomly failing:

Several different root causes were found, and in fact all of them seem related to a change of the test dynamics (maybe due to having faster test VM):

- Issue "test_replication_with_mod_delete_and_modrdn_operations CI test sometimes fails" #5975 ==> Should wait properly for the replication
- Server sometimes fails to start/restart (problem is that systemd default restart rate limit was reached by the LMDB tests) ==> Need to increase the burst threshold.
- automember plugin failure (rebuild task sometimes finished too fast, before the tested command is run) ==> Retry the test until task is not finished or too many attempts have been made.
- test_etime_order_of_magnitude sometimes fails. (IMHO this is normal as nothing prevents the thread from being preempted at the "wrong" time). ==> Marking the test as flappy

Improve failure diagnostic:

- Do not abort the report if error log is not available.
- Log "systemctl status" if start fails and no significant error is found in error log.

Issue: #5993

Reviewed by: @tbordaz (Thanks!)
- - - - -
8e3f945e by progier389 at 2023-12-01T12:07:20+01:00
Issue 5997 - test_inactivty_and_expiration CI testcase is wrong (#5999)

Problem: test case is not doing what it is supposed to do because the inactivity limit is often smaller
 than the server restart time, so in most cases the test only checks the account inactivity limit.
But once timing issues are fixed, there is a second issue #5998 (looks like the tested feature does not
 work as intended!)

Solution:
- Increase the inactivity limit to 1 minute
- Make sure we wait enough time to trigger the inactivity limit since last password change but not
  since last bind.
- Mark the test as xfail because of issue #5998 that is not fixed by this PR

Issue #5997

reviewed by: @droideck (Thanks!)
- - - - -
8928951f by Viktor Ashirov at 2023-12-11T11:52:29+01:00
Issue 5954 - Disable Transparent Huge Pages

Bug Description:
THP can have negative effects on DS performance when large caches are
used.

Fix Description:
* Add a new variable for `ns-slapd` THP_DISABLE.
  When THP_DISABLE is set to 1, THP is disabled for `ns-slapd` process
  via `prctl(2)`. With any other value, THP settings are untouched.

Before:
```
$ grep THP /proc/$(pidof ns-slapd)/status
THP_enabled:    1
```

After:
```
$ grep THP /proc/$(pidof ns-slapd)/status
THP_enabled:    0
```

* Add a new healthcheck linter that checks if THP is disabled system-wide
  or per instance. In case THP is enabled for both the system and the
  process, it prints recommendations on how to disable THP.

Fixes: https://github.com/389ds/389-ds-base/issues/5954

Reviewed-by: @tbordaz, @Firstyear, @droideck (Thank you all!)

- - - - -
86b5969a by progier389 at 2023-12-11T11:58:40+01:00
Issue 6004 - idletimeout may be ignored (#6005)

* Issue 6004 - idletimeout may be ignored

Problem: idletimeout is still not handled when binding as non root (unless there is some activity
on another connection)

Fix:
Add a slapi_eq_repeat_rel handler that walks all active connections every second and checks if the timeout is expired.

Note about CI test:
Notice that idletimeout is never enforced for connections bound as root (i.e. cn=directory manager).

Issue #6004

Reviewed by: @droideck, @tbordaz (Thanks!)
- - - - -
b9726faa by Viktor Ashirov at 2023-12-11T17:24:16+01:00
Issue 4673 - Update Rust crates

Description: Update Rust crates to make cargo audit happy

Relates: https://github.com/389ds/389-ds-base/issues/4673

Reviewed by: @droideck (Thanks!)

- - - - -
1ab0a092 by tbordaz at 2023-12-12T12:57:31+01:00
Issue 5939 - During an update, if the target entry is reverted in the entry cache, the server should not retry to lock it (#6007)

Bug description:
	During an update if a BETXN plugin fails the full TXN is aborted and the DB
	returns to the previous state.
	However potential internal updates, done by BETXN plugins, are also applied
	on the entry cache.
	Even if the TXN is aborted some entries in the entry cache are left in a state
	that does not reflect the DB state.
	The fix https://pagure.io/389-ds-base/issue/50260 "reverts" those
	entries, setting their state to INVALID.

	A problem is that reverted entries stay in the entry cache, until refcnt is 0.
	During that period, an update targeting that entry fails to retrieve the
	entry from the entry cache and fails to add it again as the entry
	already exists.
	The update iterates 1000 times, trying to read the entry and to fetch it
	from DB.
	This is a pure waste as the reverted entry stays too long.

	The signature of this issue is a message in the error log: "Retry count exceeded"

Fix description:
	The fix consists, in the loops (fetch on DN or NSUNIQUEID), of testing if the
	entry state is INVALID.
	In such a case it aborts the loop and returns a failure.

relates: #5939

Reviewed by: Pierre Rogier, Simon Pichugin (Thanks !!)
- - - - -
1572636b by Viktor Ashirov at 2023-12-19T12:41:42+01:00
Issue 6016 - Pin upload/download artifacts action to v3

Bug Description:
After update of actions/download-artifact to v4, our PR CI started to fail.

Fix Description:
A workaround is to pin to the older version v3.

Fixes: https://github.com/389ds/389-ds-base/issues/6016

Reviewed by: @progier389 (Thanks!)

- - - - -
6d98ad4a by Max at 2023-12-19T14:40:49+01:00
Issue 6015 - Fix typo remeber (#6014)

In the logs of my ldap instance when running dsconf slapd-localhost security ciphers set command, I saw this typo which I want to fix with this PR.

Issue: #6015

Reviewed by: @progier389
- - - - -
04a2de98 by progier389 at 2024-01-10T16:51:20+01:00
Issue 6022 - lmdb inconsistency between vlv index and vlv cache names (#6026)

Problem: dbstat -L shows two vlv cache db for a single vlv index db.
There should only be a single one.

Fix:
- Added a CI Test
- Using a single dbmdb_recno_cache_get_dbname function to get the cache db name.
- Fix dbmdb_build_dbname to also append the backend name if the name is a vlv cache

Also fixed some issues found while creating the CI test:
- Fixed an error message that puzzled me to make it clearer.
- Fixed a race condition in lmdb bulk import that logged crappy data in error logs and crashed the CI tests.

Issue: #6022

Reviewed by: @droideck (Thanks !)
- - - - -
9982521a by tbordaz at 2024-01-10T16:53:08+01:00
Issue 5989 - RFE support of inChain Matching Rule (#5990)

Bug description:
	Computation of membership (like 'memberof') is a common issue.
	The issue is more expensive to solve when there is nested membership.
	For example "gives me all the groups this entry belongs to" or "gives me
	all subordinates having this manager".
	Either the LDAP client computes the values or a dedicated plugin (like 'memberof')
	maintains a direct membership attribute for the LDAP client.
	InChain Matching Rule allows an LDAP client to request the server to compute this membership.

Fix description:
	The implementation is designed in https://www.port389.org/docs/389ds/design/matching-rule-in-chain.html

	A specific fix in aclanom.c because inChain MR adds an acl DENY
	on 'cn=config'. There was a bug that cleared anonymous aci
	if there existed a DENY acl anywhere (except a specific
	list of entries like 'cn=monitor'). It triggered a failure
	on chaining backend suite

relates: #5989

Reviewed by: William Brown, Mark Reynolds, Pierre Rogier, Simon Pichugin (Thanks !)
- - - - -
59369461 by progier389 at 2024-01-11T11:16:58+01:00
Issue 6028 - vlv index keys inconsistencies (#6031)

* Issue 6028 - Inconsistency among vlv keys
The issue is that reindexed vlv databases are not cleared, so old keys remain
Solution: truncate the reindexed vlv sub database and its cache before starting the import engine.
Note: this is tested by: dirsrvtests/tests/suites/vlv/regression_test.py::test_vlv_cache_subdb_names CI test

Issue #6028

Reviewed by: @droideck (Thanks!)
- - - - -
fe11deca by Andrew Elwell at 2024-01-17T08:53:44+01:00
Issue 6034 - Change replica_id from str to int

Bug Description:

dscreate create-template claims replica_id is (str)
but it should be an int

Fix Description:

Change self._type['replica_id'] = str
to self._type['replica_id'] = int

Fixes: https://github.com/389ds/389-ds-base/issues/6033

Author: Andrew Elwell <Andrew.Elwell at gmail.com>

Reviewed by: @vashirov

- - - - -
9e37b211 by progier389 at 2024-01-18T19:35:53+01:00
Issue 6037 - Server crash at startup in vlvIndex_delete (#6038)

Server crash at startup because of a corrupted dse.ldif: The vlv initialization code error handling generates a SIGSEGV.
Fix: Avoid dereferencing a null pointer while freeing vlvIndex.

Issue: #6037

Reviewed by: @tbordaz
- - - - -
9e595d45 by progier389 at 2024-01-19T11:55:57+01:00
Issue 6032 - Replication broken after backup restore (#6035)

Replication is broken after doing an offline backup then later on an online or offline restore
Note: with online backup changelog is discarded at restore time (because it has no purge RUV)
In fact there are multiple causes:
[1] _cl5CICbInit is building wrongly the changelog RUVs so changelog is recreated
[2] Changelog is not cleared when it is "Recreated" because of wrong test in dbmdb_back_ctrl
[3] Replication keep alive gets created before the replica gets back in sync. This creates missing csn.
Solution:
[1] Fix _cl5CICbInit to get the csn from the changelog record key and store properly the min and max in the context.
[2] Replace invalid test by a proper one.
[3] Change keep alive update starting delay from 2 seconds to 10 minutes (i.e. twice the maximum backoff timeout)
to give a chance for the other supplier to replay the missing changes.
Also added/modified some more data when replication logs are enabled
Note: this is a partial fix as a proper "resync after db reload" is not handled so this leaves issues (typically because
of the plugin internal operations like memberof plugin or if there are lots of changes to replay) but at least it is enough for the CI test ...

Issue: #6032

Reviewed by: @droideck, @tbordaz (Thanks!)
- - - - -
7082c823 by progier389 at 2024-01-19T15:12:48+01:00
Switch default backend to lmdb and bump version to 3.0 (#6013)

Changes:
[1] use lmdb by default
[2] Change version number to 3.0.0

Issue: #5941

Reviewed by: @droideck, @tbordaz (Thanks!)
- - - - -
7a158c75 by James Chapman at 2024-01-22T13:08:37+00:00
Issue 6041 - dscreate ds-root - accepts relative path (#6042)

Bug Description: When dscreate ds-root is invoked with a relative path to
root_dir, the relative path is written to defaults.inf, causing instance
creation failure.

Fix Description: Use abs path when writing root_dir to defaults.inf

Fixes: https://github.com/389ds/389-ds-base/issues/6041

Reviewed by: @progier389, @droideck (Thank you)
- - - - -
1c71f454 by Viktor Ashirov at 2024-01-24T21:43:16+01:00
Issue 6047 - Add a check for tagged commits

Bug Description:
Release on GitHub can be created from a tag that points to a branch-less
commit.

Fix Description:
Add an additional check to Release action to ensure that the tagged
commit belongs to a valid branch.

Fixes: https://github.com/389ds/389-ds-base/issues/6047

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
d7e255af by progier389 at 2024-01-25T13:27:04+01:00
Issue 6049 - lmdb - changelog is wrongly recreated by reindex task (#6050)

* Issue 6049 - using lmdb the changelog is wrongly recreated by reindex task

dbmdb_import_all_done, called at the end of import, bulk import and reindex, is reenabling the backend,
which triggers the replication plugin to check if data were not reloaded, but in the reindex case, the backend was not disabled (so the db ruv is not up to date) and changelog is then discarded.
The solution is to set back the backend in not busy mode when doing a reindex.

Issue: #6049

Reviewed by: @tbordaz (Thanks!)
- - - - -
288be366 by Viktor Ashirov at 2024-01-29T13:51:34+01:00
Issue 6051 - Drop unused pytest markers

Bug Description:
We have pytest markers such as `bz12345` or `ds1234`, but they are not
registered in `pytest.ini` and generate warnings. We no longer use them
to execute tests, and `git log` and `git blame` can be used for repo
archeology.

Fix Description:
Delete unused pytest markers.

Fixes: https://github.com/389ds/389-ds-base/issues/6051

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
b3efa8bb by Viktor Ashirov at 2024-01-29T13:53:18+01:00
Issue 6052 - Paged results test sets hostname to `localhost` on test collection

Bug Description:
Paged results test module has some code outside of the test functions and fixtures.
It gets interpreted by pytest on test collection. These tests might be even skipped,
but the code to change the hostname would still be executed. This leads to a situation,
where certain test cases fail with:
```
E         ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'TLS: hostname does not match subjectAltName in peer certificate'}
```

Fix Description:
Remove the code that changes hostname, since the test no longer does the
checks based on the hostname, only on IP address.

Fixes: https://github.com/389ds/389-ds-base/issues/6052

Reviewed by: @tbordaz, @bsimonova (Thanks!)

- - - - -
539bb0fa by Simon Pichugin at 2024-01-29T14:09:48-08:00
Issue 3555 - Remove audit-ci from dependencies (#6056)

Description: We use npx for audit-ci runs. Hence we don't need the
package installed at all.
Remove audit-ci from package.json and generate a new package-lock.json.

Related: https://github.com/389ds/389-ds-base/issues/3555

Reviewed by: @vashirov (Thanks!)

- - - - -
f26ac014 by Simon Pichugin at 2024-01-29T17:14:34-08:00
Issue 6043, 6044 - Enhance Rust and JS bundling and add SPDX licenses for both (#6045)

Description: Update the generation script in 'rpm.mk' and 'bundle-rust-downstream.py'
to include SPDX license information for combined JavaScript (npm) and Cargo dependencies.

Fixes: https://github.com/389ds/389-ds-base/issues/6043
Fixes: https://github.com/389ds/389-ds-base/issues/6044

Reviewed by: @vashirov (Thanks!)
- - - - -
05b947ad by Simon Pichugin at 2024-01-30T10:36:12-08:00
Bump version to 3.0.1


- - - - -
1f95b57f by David Olivier at 2024-01-31T12:19:59+01:00
Issue 6061 - Certificate lifetime displayed as NaN

Bug Description:
HOST_TIME_GMT is filled with an unparsable format.

Fix Description:
Using `date -Iminutes` the format is compliant with "date time string format".
Ensuring Date.parse() will always recognize it with right TZ.

Author: Adadov

Fixes: https://github.com/389ds/389-ds-base/issues/6061

Reviewed by: @vashirov, @progier389

- - - - -
8fe75866 by Ryan Slominski at 2024-02-05T16:02:28+01:00
Issue 6068 - Add dscontainer stop function

Bug Description:
There currently is not a stop function in dscontainer. It would be nice
to have for use cases such as testing/debugging, plus custom container
setups run during the Docker build in which dscontainer is started to do
some custom configs, then later a stop function would be nice to
gracefully stop dscontainer. Discussed in
https://github.com/389ds/389-ds-base/discussions/6058.

Fix Description:
A simple stop() function added to dscontainer that gracefully stops the
ns-slapd process.

Fixes: https://github.com/389ds/389-ds-base/issues/6068
Co-authored-by: Viktor Ashirov <vashirov at redhat.com>

- - - - -
060f3eb3 by Ryan Slominski at 2024-02-07T13:07:52+01:00
Issue 6075 - Ignore build artifacts (#6076)

Bug Description:
When running the build I noticed some generated files are not included in .gitignore, thereby cluttering and distracting git use during local development.

Fix Description:
Update .gitignore.

Fixes https://github.com/389ds/389-ds-base/issues/6075

Reviewed by @progier389
- - - - -
f415611f by James Chapman at 2024-02-07T12:38:28+00:00
Issue 6010 - 389 ds ignores nsslapd-maxdescriptors (#6027)

Bug description: During server startup the connection table size is assumed
to be lower than or equal to the number of configured reserve file descriptors.
This prevents the server from starting when the number of reserve descriptors
is high.

Fix description: Change the check to make sure the connection table size is
not greater than (max descriptors - reserve descriptors).

Also, the number of reserve descriptors is used to determine if the server can
accept a new connection. This has been changed to compare the connection table
size against the current number of connections.

Relates: https://github.com/389ds/389-ds-base/issues/6010

Reviewed by: @progier389, @droideck, @tbordaz (Thank you)
- - - - -
2467dba3 by Viktor Ashirov at 2024-02-07T16:48:43+01:00
Issue 6071 - Instance creation/removal is slow

Bug Description:
Sometimes instance creation and removal is slow (~2m).
We spend a lot of time running `semanage` to define labels.
But the default SELinux policy already contains the required contexts:

```
/dev/shm/slapd-.*                                  all files          system_u:object_r:dirsrv_tmpfs_t:s0
/etc/dirsrv(/.*)?                                  all files          system_u:object_r:dirsrv_config_t:s0
/usr/lib/systemd/system/dirsrv.*                   all files          system_u:object_r:dirsrv_unit_file_t:s0
/usr/sbin/ldap-agent                               regular file       system_u:object_r:dirsrv_snmp_exec_t:s0
/usr/sbin/ldap-agent-bin                           regular file       system_u:object_r:dirsrv_snmp_exec_t:s0
/usr/sbin/ns-slapd                                 regular file       system_u:object_r:dirsrv_exec_t:s0
/usr/share/dirsrv(/.*)?                            all files          system_u:object_r:dirsrv_share_t:s0
/var/lib/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_lib_t:s0
/var/lock/dirsrv(/.*)?                             all files          system_u:object_r:dirsrv_var_lock_t:s0
/var/log/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_log_t:s0
/var/log/dirsrv/ldap-agent.log.*                   all files          system_u:object_r:dirsrv_snmp_var_log_t:s0
/var/run/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_run_t:s0
/var/run/ldap-agent\.pid                           all files          system_u:object_r:dirsrv_snmp_var_run_t:s0
/var/run/slapd.*                                   socket             system_u:object_r:dirsrv_var_run_t:s0
```

Here's what's added to the system policy after creating a new instance:
```diff
--- labels_before       2024-02-05 13:56:08.667301292 -0500
+++ labels_after        2024-02-05 13:57:39.067301292 -0500
@@ -1,14 +1,23 @@
 /dev/shm/slapd-.*                                  all files          system_u:object_r:dirsrv_tmpfs_t:s0
+/dev/shm/slapd-localhost                           all files          system_u:object_r:dirsrv_tmpfs_t:s0
 /etc/dirsrv(/.*)?                                  all files          system_u:object_r:dirsrv_config_t:s0
+/etc/dirsrv/slapd-localhost                        all files          system_u:object_r:dirsrv_config_t:s0
+/etc/dirsrv/slapd-localhost/schema                 all files          system_u:object_r:dirsrv_config_t:s0
 /usr/lib/systemd/system/dirsrv.*                   all files          system_u:object_r:dirsrv_unit_file_t:s0
 /usr/sbin/ldap-agent                               regular file       system_u:object_r:dirsrv_snmp_exec_t:s0
 /usr/sbin/ldap-agent-bin                           regular file       system_u:object_r:dirsrv_snmp_exec_t:s0
 /usr/sbin/ns-slapd                                 regular file       system_u:object_r:dirsrv_exec_t:s0
 /usr/share/dirsrv(/.*)?                            all files          system_u:object_r:dirsrv_share_t:s0
 /var/lib/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_lib_t:s0
+/var/lib/dirsrv/slapd-localhost/bak                all files          system_u:object_r:dirsrv_var_lib_t:s0
+/var/lib/dirsrv/slapd-localhost/db                 all files          system_u:object_r:dirsrv_var_lib_t:s0
+/var/lib/dirsrv/slapd-localhost/ldif               all files          system_u:object_r:dirsrv_var_lib_t:s0
 /var/lock/dirsrv(/.*)?                             all files          system_u:object_r:dirsrv_var_lock_t:s0
 /var/log/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_log_t:s0
 /var/log/dirsrv/ldap-agent.log.*                   all files          system_u:object_r:dirsrv_snmp_var_log_t:s0
+/var/log/dirsrv/slapd-localhost                    all files          system_u:object_r:dirsrv_var_log_t:s0
+/var/run/dirsrv                                    all files          system_u:object_r:dirsrv_var_run_t:s0
 /var/run/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_run_t:s0
 /var/run/ldap-agent\.pid                           all files          system_u:object_r:dirsrv_snmp_var_run_t:s0
+/var/run/lock/dirsrv/slapd-localhost               all files          system_u:object_r:dirsrv_var_lock_t:s0
 /var/run/slapd.*                                   socket             system_u:object_r:dirsrv_var_run_t:s0
```
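
Review bot: `/var/run/lock/dirsrv/slapd-localhost` (the last added line, typed `dirsrv_var_lock_t`) is the one new entry that no pre-existing pattern in this listing matches literally: the listing has `/var/lock/dirsrv(/.*)?` and `/var/run/dirsrv(/.*)?`, but nothing for `/var/run/lock/dirsrv`. The other eight added paths each fall under an existing regex with the same type, so they are clearly redundant. Before skipping label management for the default prefix, confirm how that path gets its `dirsrv_var_lock_t` context and say so in the commit message, since the listing alone does not show it as covered.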

Fix Description:
We should not add/remove labels for paths that are already covered by
the system SELinux policy. This is the case for the default `/usr`
prefix.

Fixes: https://github.com/389ds/389-ds-base/issues/6071

Reviewed by: @progier389 (Thanks!)

- - - - -
244916eb by progier389 at 2024-02-08T11:54:57+01:00
Issue 6073 - Improve error log when running out of memory (#6084)

* Issue 6073 - Improve error log when running out of memory easy fix enhancement needs triage
* Issue 6073 - Fix typos

Log the stack backtrace when a calloc/malloc/realloc fails and requested memory size is larger than 1Mb
Also adapt the advice to lmdb (some of the tuning mentioned in the error message is now irrelevant)

Issue #6073

Reviewed by: @tbordaz, @droideck (Thanks!)
- - - - -
b96dbaa8 by progier389 at 2024-02-09T12:49:11+01:00
Issue 6082 - Remove explicit dependencies toward libdb (#6083)

* Issue 6082 - Generate a bundled libdb 
* Get libdb source tarball from Fedora lookaside cache
* Fix typos in comments

libdb is deprecated and may not be available in future os, the idea is to remove any explicit dependency towards this library:

- Add a new configure option --with-bundle-libdb=path_to_libdb_include_and_libs
- Modify rpm.mk to upload the libdb src rpm and extract it
- Provide a spec file to rebuild custom version of libdb without needing external dependencies like tcl mySql gdbm
- Modify 389-ds-spec to:
  - remove prerequisite towards libdb.
  - Build a new 389-ds-base-bdb package (flagged as deprecated) that includes libback-bdb.so plugin and
  - Bundle a custom version of libdb named libdb-5.3-389ds.so built from libdb source rpm libdb-5.3-389ds.so
- Modify Makefile to build a new libback-bdb.so plugin if --with-bundle-libdb has been used.
  (Move the db-bdb code out of libback-ldbm.so into a new libback-bdb.so plugin)
- Remove DB_File dependency in logconv.pl
- Load dynamically the plugin libback-bdb.so if using bdb and if bdb_init is not present (in libback-ldbm.so) (to support builds without bundled libdb) and shout loudly if the module is not available

Issue: #6082

Reviewed by: @vashirov (Thanks!)
- - - - -
a157666e by Timo Aaltonen at 2024-02-11T16:31:44+02:00
Merge tag '389-ds-base-2.4.4' into master-next

- - - - -
fc1a997c by Môshe van der Sterre at 2024-02-13T10:04:53+01:00
Issue 6046 - Make dscreate to work during kickstart installations

Description: The with_systemd_running method is added to ensure that
systemd is operational (for the start, stop, and status methods). In
particular, this makes dscreate work in chroot environments. But it has
a broader effect in that it avoids systemctl calls when they are
guaranteed to not work.

Fixes: https://github.com/389ds/389-ds-base/issues/6046

Reviewed by: @vashirov

- - - - -
1fe029c4 by Chris Peterson at 2024-02-13T11:26:31+01:00
Issue 5962 - Rearrange includes for 32-bit support logic

Description:
The logic to support 32-bit architectures was correctly written (define
_LARGEFILE64_SOURCE) but placed too "late". If a standard library header
(e.g., <stdio.h>) is included before _LARGEFILE64_SOURCE is defined, then
the correct symbols will not be made available during compilation. In this
instance, armhf builds were failing due to off64_t not getting defined
correctly.
The inclusion of <sys/statvfs.h> in slap.h is required to prevent
a cryptic compilation error on "#define f_type f_un.f_un_type".

Relates: https://github.com/389ds/389-ds-base/issues/5962
Relates: https://bugs.launchpad.net/ubuntu/+source/389-ds-base/+bug/2052578
Relates: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063434

Reviewed by: @vashirov

- - - - -
ed48371c by James Chapman at 2024-02-13T13:24:04+00:00
Issue 5487 - Fix various isses with logconv.pl (#6085)

Bug description: Logconv.pl CSV file contains mismatched header and data columns

Fix description: Add notesF to support invalid filters

Relates: https://github.com/389ds/389-ds-base/issues/5487

Reviewed by: @progier389, @vashirov  (Thank you)
- - - - -
eb6c95fd by Simon Pichugin at 2024-02-14T10:37:21-08:00
Issue 6067 - Add hidden -v and -j options to each CLI subcommand (#6088)

Description: There is no [-v] option before instance_name mentioned,
so user will not know he can use it unless he runs "dsctl -h".
Add a custom HelpFormatter to each subcommand. The formatter_class adds
[-v] [-j] to the usage line and adds the options' description to the full help output.

Related: https://github.com/389ds/389-ds-base/issues/6067

Reviewed by: @vashirov (Thanks!)
- - - - -
ac8c9fe2 by Simon Pichugin at 2024-02-14T11:07:00-08:00
Issue 6067 - Add hidden -v and -j options to each CLI subcommand (#6088)

Description: There is no [-v] option before instance_name mentioned,
so user will not know he can use it unless he runs "dsctl -h".
Add a custom HelpFormatter to each subcommand. The formatter_class adds
[-v] [-j] to the usage line and adds the options' description to the full help output.

Related: https://github.com/389ds/389-ds-base/issues/6067

Reviewed by: @vashirov (Thanks!)
- - - - -
808492bb by Viktor Ashirov at 2024-02-16T08:36:35+01:00
Issue 6094 - Add coverity scan workflow

Description:
Add a new workflow for SAST (Static application security testing)
using Coverity.

Fixes: https://github.com/389ds/389-ds-base/issues/6094

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
29fc276c by Viktor Ashirov at 2024-02-16T11:37:49+01:00
Issue 5647 - covscan: memory leak in audit log when adding entries

Description:
Add a test case for CVE-2024-1062.

Relates: https://github.com/389ds/389-ds-base/issues/5647
Relates: https://github.com/389ds/389-ds-base/issues/5502

Reviewed by: @progier389, @tbordaz (Thanks!)

- - - - -
c9c67bca by James Chapman at 2024-02-16T11:13:16+00:00
Issue 6096 - Improve connection timeout error logging (#6097)

Bug description: When a paged result search is run with a time limit,
if the time limit is exceeded the server closes the connection with
closed IO timeout (nsslapd-ioblocktimeout) - T2. This error message
is incorrect as the reason the connection has been closed was because
the specified time limit on a paged result search has been exceeded.

Fix description: Correct error message

Relates: https://github.com/389ds/389-ds-base/issues/6096

Reviewed by: @tbordaz (Thank you)
- - - - -
d379ac9b by Simon Pichugin at 2024-02-16T13:52:36-08:00
Issue 6067 - Improve dsidm CLI No Such Entry handling (#6079)

Description: Add additional error processing to dsidm CLI tool for when basedn
or OU subentries are absent.

Related: https://github.com/389ds/389-ds-base/issues/6067

Reviewed by: @vashirov (Thanks!)
- - - - -
29c79c98 by Simon Pichugin at 2024-02-16T13:55:23-08:00
Issue 6067 - Improve dsidm CLI No Such Entry handling (#6079)

Description: Add additional error processing to dsidm CLI tool for when basedn
or OU subentries are absent.

Related: https://github.com/389ds/389-ds-base/issues/6067

Reviewed by: @vashirov (Thanks!)
- - - - -
91443acf by James Chapman at 2024-02-19T09:29:13+00:00
Issue 6092 - passwordHistory is not updated with a pre-hashed password (#6093)

Bug description: passwordHistory is not updated with a pre-hashed password

Fix description: During a mod replace of the userpassword attribute, if an encoded
password value is detected and both pw_history and allow_hashed_pw are enabled, get
the present entry values which are used to update the password history.

Relates: https://github.com/389ds/389-ds-base/issues/6092

Reviewed by: @tbordaz  (Thank you)
- - - - -
aa3b4e66 by Viktor Ashirov at 2024-02-20T14:33:42+01:00
Issue 6086 - Ambiguous warning about SELinux in dscreate for non-root user

Bug Description:
When an instance is created using dscreate under non-root user,
there is a scary looking ambiguous warning:

> Selinux support will be disabled, continue? [yes]:

It's not clear to the user what exactly are the implications
(system-wide disabling of SELinux?).

We should provide a better wording.

Fix Description:
Change the wording and fix spelling of SELinux in the log messages.

Fixes: https://github.com/389ds/389-ds-base/issues/6086

Reviewed by: @progier389 (Thanks!)

- - - - -
d65eea90 by James Chapman at 2024-02-21T12:43:03+00:00
Issue 6103 - New connection timeout error breaks errormap (#6104)

Bug description: A recent addition to the connection disconnect error
messaging, conflicts with how errormap.c maps error codes/strings.

Fix description: errormap expects error codes/strings to be in ascending
order. Moved the new error code to the bottom of the list.

Relates: https://github.com/389ds/389-ds-base/issues/6103

Reviewed by: @droideck, @progier389  (Thank you)
- - - - -
d09c1100 by James Chapman at 2024-02-21T12:45:35+00:00
Issue 6096 - Improve connection timeout error logging (#6097)

Bug description: When a paged result search is run with a time limit,
if the time limit is exceeded the server closes the connection with
closed IO timeout (nsslapd-ioblocktimeout) - T2. This error message
is incorrect as the reason the connection has been closed was because
the specified time limit on a paged result search has been exceeded.

Fix description: Correct error message

Relates: https://github.com/389ds/389-ds-base/issues/6096

Reviewed by: @tbordaz (Thank you)
- - - - -
616daff8 by James Chapman at 2024-02-21T12:48:06+00:00
Issue 6103 - New connection timeout error breaks errormap (#6104)

Bug description: A recent addition to the connection disconnect error
messaging, conflicts with how errormap.c maps error codes/strings.

Fix description: errormap expects error codes/strings to be in ascending
order. Moved the new error code to the bottom of the list.

Relates: https://github.com/389ds/389-ds-base/issues/6103

Reviewed by: @droideck, @progier389  (Thank you)
- - - - -
a380deb0 by progier389 at 2024-02-22T23:11:15+01:00
Issue 6057 - vlv search may result wrong result with lmdb (#6091)

* Issue 6057 - vlv search may result wrong result with lmdb

Different issue related to vlv index and import/bulk import:

vlv sub database was not open when the backend was started
vlv index was not cleaned by import/bulk import
vlv index was not rebuilt by import/bulk import
vlv index not rebuilt by explicit vlv reindex.
vlv index not rebuilt by explicit vlv reindex if vlv name contains hyphen.
vlv index not rebuilt if basedn is not the suffix.
In fact all these issues had the same cause: the backend vlv search list is empty after the server gets restarted.

Solution:
[For 1,2 and 3] Fix the test_vlv_cache_subdb_names to ensure that vlv index are properly cleaned
and recreated by a bulk import
Initialize the vlv search list if it is not yet initialized when starting an instance (just before opening
all the sub databases associated with the backend) rather than doing it before restarting the instance after the import.
[For 4] Add a new member for vlv in the import context and handle it properly.
[For 5] Convert the vlv name as a dbname and store it in a separate list - compare the dbname when checking if vlv is reindexed.
[for 6] Rebuild the proper entry dn (in case of reindex) to be able to evaluate the vlv scope
to rebuild the dn I used the entry_info data (stored in a temporary database) that contains the rdn/nrdn/
and ancestors IDs (used to rebuild the entryrdn index) and now also store the dn which is simply
propagated by adding the entry rdn to the parent entry dn.

Issue: #6057

Reviewed by: @tbordaz , @droideck (Thanks!)
- - - - -
fcdeec3b by Simon Pichugin at 2024-02-27T16:30:47-08:00
Issue 3527 - Support HAProxy and Instance on the same machine configuration (#6107)

Description: Improve how we handle HAProxy connections to work better when
the DS and HAProxy are on the same machine.
Ensure the client and header destination IPs are checked against the trusted IP list.

Additionally, this change will also allow configurations where
HAProxy is listening on a different subnet than the one used to forward the request.

Related: https://github.com/389ds/389-ds-base/issues/3527

Reviewed by: @progier389, @jchapma (Thanks!)
- - - - -
f19b93e1 by Simon Pichugin at 2024-02-27T18:05:22-08:00
Issue 3527 - Support HAProxy and Instance on the same machine configuration (#6107)

Description: Improve how we handle HAProxy connections to work better when
the DS and HAProxy are on the same machine.
Ensure the client and header destination IPs are checked against the trusted IP list.

Additionally, this change will also allow configurations where
HAProxy is listening on a different subnet than the one used to forward the request.

Related: https://github.com/389ds/389-ds-base/issues/3527

Reviewed by: @progier389, @jchapma (Thanks!)
- - - - -
27dd9b71 by Viktor Ashirov at 2024-03-04T16:43:41+01:00
Issue 5305 - OpenLDAP version autodetection doesn't work

Bug Description:
An error is logged during a build in `mock` with Bash 4.4:

```
checking for --with-libldap-r... ./configure: command substitution: line 22848: syntax error near unexpected token `>'
./configure: command substitution: line 22848: `ldapsearch -VV 2> >(sed -n '/ldapsearch/ s/.*ldapsearch \([0-9]\+\.[0-9]\+\.[0-9]\+\) .*/\1/p')'
no
```

`mock` runs Bash as `sh` (POSIX mode). Support for process substitution
in POSIX mode was added in version 5.1:
https://lists.gnu.org/archive/html/bug-bash/2020-12/msg00002.html

> Process substitution is now available in posix mode.

Fix Description:
* Add missing `BuildRequires` for openldap-clients
* Replace process substitution with a pipe

Fixes: https://github.com/389ds/389-ds-base/issues/5305

Reviewed by: @progier389, @tbordaz (Thanks!)

- - - - -
6054dfad by Mark Reynolds at 2024-03-04T10:44:17-05:00
Issue 5842 - Add log buffering to audit log

Description:

Add log buffering to audit/auditfail logs.  Since these logs are
intertwined there is only one config setting for both logs:

    nsslapd-auditlog-logbuffering: on/off

relates: https://github.com/389ds/389-ds-base/issues/5842

Reviewed by: spichugi(Thanks!)

- - - - -
79101870 by Mark Reynolds at 2024-03-04T10:46:26-05:00
Issue 5842 - Add log buffering to audit log

Description:

Add log buffering to audit/auditfail logs.  Since these logs are
intertwined there is only one config setting for both logs:

    nsslapd-auditlog-logbuffering: on/off

relates: https://github.com/389ds/389-ds-base/issues/5842

Reviewed by: spichugi(Thanks!)

- - - - -
840161b8 by Mark Reynolds at 2024-03-04T11:50:16-05:00
Issue 6112 - RFE - add new operation note for MFA authentications

Add a new operation note to indicate that a MFA plugin performed the
BIND.  This implies that the plugin must set the note itself as there is
no other way to detect this:

    slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);

The purpose for this is for auditing needs

Fixes: https://github.com/389ds/389-ds-base/issues/6112

Reviewed by: spichugi(Thanks!)

- - - - -
aead888d by Mark Reynolds at 2024-03-04T11:50:35-05:00
Issue 6112 - RFE - add new operation note for MFA authentications

Add a new operation note to indicate that a MFA plugin performed the
BIND.  This implies that the plugin must set the note itself as there is
no other way to detect this:

    slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);

The purpose for this is for auditing needs

Fixes: https://github.com/389ds/389-ds-base/issues/6112

Reviewed by: spichugi(Thanks!)

- - - - -
9a9f8e6d by Viktor Ashirov at 2024-03-04T18:13:16+01:00
Issue 5305 - OpenLDAP version autodetection doesn't work

Bug Description:
An error is logged during a build in `mock` with Bash 4.4:

```
checking for --with-libldap-r... ./configure: command substitution: line 22848: syntax error near unexpected token `>'
./configure: command substitution: line 22848: `ldapsearch -VV 2> >(sed -n '/ldapsearch/ s/.*ldapsearch \([0-9]\+\.[0-9]\+\.[0-9]\+\) .*/\1/p')'
no
```

`mock` runs Bash as `sh` (POSIX mode). Support for process substitution
in POSIX mode was added in version 5.1:
https://lists.gnu.org/archive/html/bug-bash/2020-12/msg00002.html

> Process substitution is now available in posix mode.

Fix Description:
* Add missing `BuildRequires` for openldap-clients
* Replace process substitution with a pipe

Fixes: https://github.com/389ds/389-ds-base/issues/5305

Reviewed by: @progier389, @tbordaz (Thanks!)

- - - - -
4eb1cb60 by Ding-Yi Chen at 2024-03-06T18:36:19-08:00
Issue 6117 - Fix the UTC offset print (#6118)

Bug Description: UTC offset is mistakenly displayed as <sign><hour><seconds>
-03:30 was displayed as -031800

Fix Description: UTC offset is now displayed as <sign><hour><minutes>
-03.30 is displayed as -0330

Fixes: https://github.com/389ds/389-ds-base/issues/6117

Author: Ding-Yi Chen <dchen at redhat.com>

Reviewed by: Simon Pichugin
- - - - -
d18807fe by Ding-Yi Chen at 2024-03-06T18:38:47-08:00
Issue 6117 - Fix the UTC offset print (#6118)

Bug Description: UTC offset is mistakenly displayed as <sign><hour><seconds>
-03:30 was displayed as -031800

Fix Description: UTC offset is now displayed as <sign><hour><minutes>
-03.30 is displayed as -0330

Fixes: https://github.com/389ds/389-ds-base/issues/6117

Author: Ding-Yi Chen <dchen at redhat.com>

Reviewed by: Simon Pichugin
- - - - -
1d73b8ac by James Chapman at 2024-03-08T16:15:52+00:00
Issue 6119 - Synchronise accept_thread with slapd_daemon (#6120)

Bug Description: A corner case exists, where the slapd_daemon has
begun its shutdown process but the accept_thread is still running
and capable of handling new connections. When this scenario occurs,
the connection subsystem has been partially deallocated and is in
an unstable state. A segfault is generated when attempting to get a
new connection from the connection table.

Fix Description: The connection table is only deallocated when the
number of active threads is 0. Modify the accept_thread to adjust the
active thread count during creation/destruction, meaning the connection
table can only be freed when the accept_thread has completed

Relates: https://github.com/389ds/389-ds-base/issues/6119

Reviewed by: @tbordaz, @Firstyear , @mreynolds389  (Thank you)
- - - - -
e555c2a8 by progier389 at 2024-03-13T18:04:18+01:00
Issue 6057 - vlv search may result wrong result with lmdb - Fix 2 (#6121)

* Issue 6057 - vlv search may result wrong result with lmdb - Fix 2
* Issue i6057 - Fix2 - Fix review comment

Previous fix is failing after a restart because of a chicken and egg issue related to vlv_init and backend initialization.
vlv_init requires that the backend get initialized to be able to generate the vlvSearch struct.
Because of deadlocks, and to be able to roll back the database instance open transaction I found it easier to avoid using vlv_getindices if vlv is not initialized but rather perform a search on cn=config to build a list of all possible vlv indexes filenames (ignoring the configuration errors) and use that list to open the database files for vlv indices and their cache.

Also fixed some minor issues:
@droideck minor remarks done about #6091 after the merge
a typo while logging info about the database environment parameters

Issue: #6057

Reviewed by: @tbordaz, @droideck , @mreynolds389 (Thanks!)
- - - - -
4fe22ecc by Barbora Simonova at 2024-03-13T19:52:53+01:00
Issue 6110 - Typo in Account Policy plugin message

Description:
Add additional condition for add and set state
in the config entry success message

Fixes: https://github.com/389ds/389-ds-base/issues/6110

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
72c211b8 by tbordaz at 2024-03-18T11:34:30+01:00
Issue 6080 - ns-slapd crash in referint_get_config (#6081)

Bug description:
	Referential integrity plugin spawns a thread to run
	integrity check/update in a deferred way. It uses a log
	file to pipe changes to check. The name of the file,
	stored in the config, is read periodically.
	At shutdown, referint plugin close callback notifies
	the thread to stop and free the config.
	The problem is that the thread may check the config
	while it was notified to stop.

Fix description:
	synchronize the plugin close function (referint_postop_close)
	and the batch thread (referint_thread_func).
	When the batch thread starts it sets 'batch_thread_running'
	and resets it when it stops.
	The plugin close function notifies the batch thread to stop
	(via keeprunning==0) and then waits until 'batch_thread_running' is
	reset

relates: #6080

Reviewed by: Pierre Rogier (thanks !)
- - - - -
1475453e by tbordaz at 2024-03-18T11:37:26+01:00
Issue 6080 - ns-slapd crash in referint_get_config (#6081)

Bug description:
	Referential integrity plugin spawns a thread to run
	integrity check/update in a deferred way. It uses a log
	file to pipe changes to check. The name of the file,
	stored in the config, is read periodically.
	At shutdown, referint plugin close callback notifies
	the thread to stop and free the config.
	The problem is that the thread may check the config
	while it was notified to stop.

Fix description:
	synchronize the plugin close function (referint_postop_close)
	and the batch thread (referint_thread_func).
	When the batch thread starts it sets 'batch_thread_running'
	and resets it when it stops.
	The plugin close function notifies the batch thread to stop
	(via keeprunning==0) and then waits until 'batch_thread_running' is
	reset

relates: #6080

Reviewed by: Pierre Rogier (thanks !)
- - - - -
b6f987e0 by Barbora Simonova at 2024-03-19T09:37:54+01:00
Issue 6110 - Typo in Account Policy plugin message

Description:
Add additional condition for add and set state
in the config entry success message

Fixes: https://github.com/389ds/389-ds-base/issues/6110

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
d1944539 by James Chapman at 2024-03-19T13:32:27+00:00
Issue 6125 - dscreate interactive fails when choosing mdb backend (#6126)

Bug description: dscreate in interactive mode fails when a mdb backend
is used. Cast to string missing in the parse_size method.

Fix description: Convert the value to string in parse method.

Fixes: https://github.com/389ds/389-ds-base/issues/6125

Reviewed by: @progier389, @droideck (Thank you)
- - - - -
2003e376 by James Chapman at 2024-03-20T11:33:46+00:00
Issue 6125 - dscreate interactive fails when choosing mdb backend (#6126)

Bug description: dscreate in interactive mode fails when a mdb backend
is used. Cast to string missing in the parse_size method.

Fix description: Convert the value to string in parse method.

Fixes: https://github.com/389ds/389-ds-base/issues/6125

Reviewed by: @progier389, @droideck (Thank you)
- - - - -
b551b18b by progier389 at 2024-03-22T17:44:36+01:00
Issue 6105 - lmdb - Cannot create entries with long rdn (#6130)

* Issue 6105 - lmdb - add fails if rdn is longer than 250 bytes - Part 1

This fix is split in two commits:
 Part 1 refactors the entryrdn static subfunctions parameters
 Part 2 implements the use of a redirect database file

in two commits because the first part has a big diff
but it is quite straightforward as it only refactors the set of parameters used by the entryrdn static subfunctions
 to rather use a single parameter (a single context struct containing all the parameters needed to access the
 database, like the backend, the database instances, the txn and the cursor)
The benefits are:
  - avoid having too many parameters in sub functions
    especially for the second part of the fix that implements a second db to handle the entryrdn
  - avoid duplicating the retry loops to open/close the cursor
  - IMHO it made the code clearer

* Issue 6105 - lmdb - Cannot create entries with long rdn
    - the use of a redirect database file
    - the use of redirect link with the private database used by import to build the dn/rdn/ancestor relationship 
    - the CI testcase

* Issue 6105 - lmdb - Cannot create entries with long rdn - review feedback
    - fix some comments
    - improve the CI tests by adding children to an ou with long rdn then renaming it.

- - - - -
23a094c5 by progier389 at 2024-03-25T11:22:41+01:00
Issue i6057 - Fix3 - Fix covscan issues (#6127)

Fix two minor issues reported by covscan after the previous fix:

CID 1540758: Null pointer dereferences - NULL_RETURNS
/ldap/servers/slapd/back-ldbm/vlv.c: 412 in vlv_list_filenames
Generate Null pointer exception if vlv config entry is not compliant to the schema
Added a ternary test to harden the code.
CID 1540757: Null pointer dereferences - FORWARD_NULL
/ldap/servers/slapd/back-ldbm/db-mdb/mdb_instance.c: 377 in dbmdb_open_all_files
covscan complains that be may be null (which is true but not in the case database context is also NULL)
Added a test to avoid the warning
Issue #6057

Reviewed by: @tbordaz, @droideck Thanks!
- - - - -
b2956043 by progier389 at 2024-03-26T11:22:43+01:00
Issue 5105 - lmdb - Cannot create entries with long rdn - fix covscan (#6131)

A minor code cleanup issue fixing: CID 1540880 CID 1540879 CID 1540878 CID 1540876 CID 1540875
All these reports have the same pattern but in different functions.
The issue is that ctx == NULL is tested as part of the parameter validity tests (even if it is never NULL)
then goto bail but the bail code dereferences ctx to potentially free some resources.
So I changed the code from:
    Log Entering in Function
    If (One of parameter is NULL) {
        Log Error message
        goto bail
    }
To:
    If (One of parameter is NULL) {
        Log Error message
        return -1;
    }
    Log Entering in Function
CID 1540877 is a real issue about a potential memory leak in case of error (should goto bail0 instead of bail to make sure childelem is freed)

Issue: #6105

Reviewed by: @droideck Thanks!
- - - - -
374b7b08 by Mark Reynolds at 2024-03-29T09:31:44-04:00
Issue 6133 - Move slapi_pblock_set_flag_operation_notes() to slapi-plugin.h

Description:

slapi_pblock_set_flag_operation_notes() is currently only available in slapi-private.h, but with the latest changes to add "notes=M" it needs to be available to plugins.

relates: https://github.com/389ds/389-ds-base/issues/6133

Reviewed by: spichugi(Thanks!)

- - - - -
ca378867 by Mark Reynolds at 2024-03-29T09:33:16-04:00
Issue 6133 - Move slapi_pblock_set_flag_operation_notes() to slapi-plugin.h

Description:

slapi_pblock_set_flag_operation_notes() is currently only available in slapi-private.h, but with the latest changes to add "notes=M" it needs to be available to plugins.

relates: https://github.com/389ds/389-ds-base/issues/6133

Reviewed by: spichugi(Thanks!)

- - - - -
cc3a8640 by progier389 at 2024-04-05T12:03:47+02:00
Issue 6136 - failure in freeipa tests (#6137)

* Issue 6136 - failure in freeipa tests
Several issues detected when adding a CI test that mimics one of the freeipa nightly tests:

bdb - offline import fails when trying to create the guardian file because instance is not yet fully initialized and the generated path is wrong - fixed by using the directory from ldbminfo and the instance names that are defined.

mdb - vlv index are not generated because for one level scoped vlv, the entryid is not properly set.
should use vlv_grok_new_import_entry to reset the vlv filter when the base entry is added (as it is done in bdb).
also added a function to mark the vlv_grok_new_import_entry as uninitialized before the import

mdb- crash while trying to import an entry without parent (i.e a suffix entry) that does not belong to the backend
fixed by avoiding the null pointer exception in that case

Issue: #6136

Reviewed by: @droideck, @jchapma (Thanks!)

* Fix vlv CI test deadlock

@long-entryrdn was not open by dbmdb_open_all_files
this led to failure when trying to open it in a read operation
because at dblayer level, it is not possible to open write txn
within a read txn - and although it is possible at lmdb level,
the new file will not be visible within the read txn
but we may need to access it.
So the open failed, and entryrdn attrinfo should then be released
before returning an error to avoid keeping entryrdn busy.
That is what triggers the hang when removing a backend.

Added some conditional debug code to understand why the server hangs.

Also added a missing dblayer_release_index_file in vlvIndex_checkforindex
that may be the reason why there is a hang when removing vlv on bdb.

* Issue 6136 - failure in freeipa tests - Fix review comments

- - - - -
05ea9821 by James Chapman at 2024-04-05T16:29:50+00:00
Issue 6092 - passwordHistory is not updated with a pre-hashed password (#6093)

Bug description: passwordHistory is not updated with a pre-hashed password

Fix description: During a mod replace of the userpassword attribute, if an encoded
password value is detected and both pw_history and allow_hashed_pw are enabled, get
the present entry values which are used to update the password history.

Relates: https://github.com/389ds/389-ds-base/issues/6092

Reviewed by: @tbordaz  (Thank you)
- - - - -
abb6723b by Simon Pichugin at 2024-04-10T15:06:15+02:00
Issue 6142 - [RFE] Add LMDB configuration related checks into Healthcheck tool (#6143)

Description
Add a warning in healthcheck if bdb is still used.
Add a warning if there's a mismatch in configuration attributes.
Add a warning if in the DB directory both BDB and MDB files exist.

Fixes: https://github.com/389ds/389-ds-base/issues/6142

Reviewed by: @progier389
- - - - -
281c0271 by progier389 at 2024-04-10T15:10:22+02:00
Issue 6141 - freeipa test_topology_TestCASpecificRUVs is failing (#6144)

On lmdb, vlv search using a value instead of range may fail (set target on first record instead of smallest record whose key is greater than or equal to the wanted value).
The reason is that a test is inverted when walking the cursor to find the record position so the loop ends after the first iteration.
Also fix a coverity scan warning

Issue: #6141

Reviewed by: @tbordaz
- - - - -
87932714 by progier389 at 2024-04-10T23:57:40+01:00
Issue 6057 - vlv search may result wrong result with lmdb (#6091)

* Issue 6057 - vlv search may result wrong result with lmdb

Different issue related to vlv index and import/bulk import:

vlv sub database was not open when the backend was started
vlv index was not cleaned by import/bulk import
vlv index was not rebuilt by import/bulk import
vlv index not rebuilt by explicit vlv reindex.
vlv index not rebuilt by explicit vlv reindex if vlv name contains hyphen.
vlv index not rebuilt if basedn is not the suffix.
In fact all these issues had the same cause: the backend vlv search list is empty after the server gets restarted.

Solution:
[For 1,2 and 3] Fix the test_vlv_cache_subdb_names to ensure that vlv index are properly cleaned
and recreated by a bulk import
Initialize the vlv search list if it is not yet initialized when starting an instance (just before opening
all the sub databases associated with the backend) rather than doing it before restarting the instance after the import.
[For 4] Add a new member for vlv in the import context and handle it properly.
[For 5] Convert the vlv name as a dbname and store it in a separate list - compare the dbname when checking if vlv is reindexed.
[for 6] Rebuild the proper entry dn (in case of reindex) to be able to evaluate the vlv scope
to rebuild the dn I used the entry_info data (stored in a temporary database) that contains the rdn/nrdn/
and ancestors IDs (used to rebuild the entryrdn index) and now also store the dn which is simply
propagated by adding the entry rdn to the parent entry dn.

Issue: #6057

Reviewed by: @tbordaz , @droideck (Thanks!)
- - - - -
d051ac7b by progier389 at 2024-04-10T23:57:56+01:00
Issue 6057 - vlv search may result wrong result with lmdb - Fix 2 (#6121)

* Issue 6057 - vlv search may result wrong result with lmdb - Fix 2
* Issue i6057 - Fix2 - Fix review comment

Previous fix is failing after a restart because of a chicken and egg issue related to vlv_init and backend initialization.
vlv_init requires that the backend get initialized to be able to generate the vlvSearch struct.
Because of deadlocks, and to be able to roll back the database instance open transaction I found it easier to avoid using vlv_getindices if vlv is not initialized but rather perform a search on cn=config to build a list of all possible vlv indexes filenames (ignoring the configuration errors) and use that list to open the database files for vlv indices and their cache.

Also fixed some minor issues:
@droideck minor remarks done about #6091 after the merge
a typo while logging info about the database environment parameters

Issue: #6057

Reviewed by: @tbordaz, @droideck , @mreynolds389 (Thanks!)
- - - - -
42d1efb0 by progier389 at 2024-04-10T23:58:10+01:00
Issue i6057 - Fix3 - Fix covscan issues (#6127)

Fix two minor issues reported by covscan after the previous fix:

CID 1540758: Null pointer dereferences - NULL_RETURNS
/ldap/servers/slapd/back-ldbm/vlv.c: 412 in vlv_list_filenames
Generate Null pointer exception if vlv config entry is not compliant to the schema
Added a ternary test to harden the code.
CID 1540757: Null pointer dereferences - FORWARD_NULL
/ldap/servers/slapd/back-ldbm/db-mdb/mdb_instance.c: 377 in dbmdb_open_all_files
covscan complains that be may be null (which is true but not in the case database context is also NULL)
Added a test to avoid the warning
Issue #6057

Reviewed by: @tbordaz, @droideck Thanks!
- - - - -
71f28fe9 by progier389 at 2024-04-10T23:58:19+01:00
Issue 6082 - Remove explicit dependencies toward libdb (#6083)

* Issue 6082 - Generate a bundled libdb 
* Get libdb source tarball from Fedora lookaside cache
* Fix typos in comments

libdb is deprecated and may not be available in future os, the idea is to remove any explicit dependency towards this library:

Add a new configure option --with-bundle-libdb=path_to_libdb_include_and_libs
Modify rpm.mk to upload the libdb src rpm and extract it
Provide a spec file to rebuild custom version of libdb without needing external dependencies like tcl mySql gdbm
Modify 389-ds-spec to:
remove prerequisite towards libdb.
Build a new 389-ds-base-bdb package (flagged as deprecated) that includes libback-bdb.so plugin and
Bundle a custom version of libdb named libdb-5.3-389ds.so built from libdb source rpm libdb-5.3-389ds.so
Modify Makefile to build a new libback-bdb.so plugin if --with-bundle-libdb has been used.
(Move the db-bdb code out of libback-ldbm.so into a new libback-bdb.so plugin)
Remove DB_File dependency in logconv.pl
Load dynamically the plugin libback-bdb.so if using bdb and if bdb_init is not present (in libback-ldbm.so) ( to support builds without bundled libdb) and shout loudly if the module is not available
Issue: #6082

Reviewed by: @vashirov (Thanks!)
- - - - -
c6da1775 by progier389 at 2024-04-10T23:58:28+01:00
Issue 6105 - lmdb - Cannot create entries with long rdn (#6130)

* Issue 6105 - lmdb - add fails if rdn is longer than 250 bytes - Part 1

This fix is split in two commits:
 Part 1 refactors the entryrdn static subfunctions parameters
 Part 2 implements the use of a redirect database file

in two commits because the first part has a big diff
but it is quite straightforward as it only refactors the set of parameters used by the entryrdn static subfunctions
 to rather use a single parameter (a single context struct containing all the parameters needed to access the
 database, like the backend, the database instances, the txn and the cursor)
The benefits are:
  - avoid having too many parameters in sub functions
    especially for the second part of the fix that implements a second db to handle the entryrdn
  - avoid duplicating the retry loops to open/close the cursor
  - IMHO it made the code clearer

* Issue 6105 - lmdb - Cannot create entries with long rdn
    - the use of a redirect database file
    - the use of redirect link with the private database used by import to build the dn/rdn/ancestor relationship 
    - the CI testcase

* Issue 6105 - lmdb - Cannot create entries with long rdn - review feedback
    - fix some comments
    - improve the CI tests by adding children to an ou with long rdn then renaming it.

- - - - -
4fc64071 by James Chapman at 2024-04-10T23:58:36+01:00
Issue 6119 - Synchronise accept_thread with slapd_daemon (#6120)

Bug Description: A corner case exists, where the slapd_daemon has
begun its shutdown process but the accept_thread is still running
and capable of handling new connections. When this scenario occurs,
the connection subsystem has been partially deallocated and is in
an unstable state. A segfault is generated when attempting to get a
new connection from the connection table.

Fix Description: The connection table is only deallocated when the
number of active threads is 0. Modify the accept_thread to adjust the
active thread count during creation/destruction, meaning the connection
table can only be freed when the accept_thread has completed

Relates: https://github.com/389ds/389-ds-base/issues/6119

Reviewed by: @tbordaz, @Firstyear , @mreynolds389  (Thank you)
- - - - -
7472abb0 by progier389 at 2024-04-10T23:58:47+01:00
Issue 6136 - failure in freeipa tests (#6137)

* Issue 6136 - failure in freeipa tests
Several issues detected when adding a CI test that mimics one of the freeipa nightly tests:

bdb - offline import fails when trying to create the guardian file because instance is not yet fully initialized and the generated path is wrong - fixed by using the directory from ldbminfo and the instance names that are defined.

mdb - vlv index are not generated because for one level scoped vlv, the entryid is not properly set.
should use vlv_grok_new_import_entry to reset the vlv filter when the base entry is added (as it is done in bdb).
also added a function to mark the vlv_grok_new_import_entry as uninitialized before the import

mdb- crash while trying to import an entry without parent (i.e a suffix entry) that does not belong to the backend
fixed by avoiding the null pointer exception in that case

Issue: #6136

Reviewed by: @droideck, @jchapma (Thanks!)

* Fix vlv CI test deadlock

@long-entryrdn was not open by dbmdb_open_all_files
this led to failure when trying to open it in a read operation
because at dblayer level, it is not possible to open write txn
within a read txn - and although it is possible at lmdb level,
the new file will not be visible within the read txn
but we may need to access it.
So the open failed, and entryrdn attrinfo should then be released
before returning an error to avoid keeping entryrdn busy.
That is what triggers the hang when removing a backend.

Added some conditional debug code to understand why the server hangs.

Also added a missing dblayer_release_index_file in vlvIndex_checkforindex
that may be the reason why there is a hang when removing vlv on bdb.

* Issue 6136 - failure in freeipa tests - Fix review comments

- - - - -
388c7429 by progier389 at 2024-04-10T23:59:02+01:00
Issue 6141 - freeipa test_topology_TestCASpecificRUVs is failing (#6144)

On lmdb, vlv search using a value instead of range may fail (set target on first record instead of smallest record whose key is greater or equal to the wanted value).
The reason is that a test is inverted when walking the cursor to find the record position so the loop ends after the first iteration.
Also fix a coverity scan warning

Issue: #6141

Reviewed by: @tbordaz
- - - - -
ea2e47a3 by Simon Pichugin at 2024-04-10T23:59:16+01:00
Issue 6142 - [RFE] Add LMDB configuration related checks into Healthcheck tool (#6143)

Description
Add a warning in healthcheck if bdb is still used.
Add a warning if there's a mismatch in configuration attributes.
Add a warning if in the DB directory both BDB and MDB files exist.

Fixes: https://github.com/389ds/389-ds-base/issues/6142

Reviewed by: @progier389
- - - - -
55529d18 by progier389 at 2024-04-12T12:16:12+02:00
Issue 6082 - Remove explicit dependencies toward libdb - revert default (#6145)

Change BUNDLE_LIBDB default value so that Fedora packages are still using /lib64/libdb-5.3.so by default. The version with bundled lib may still be generated by using:
BUNDLE_LIBDB=1 SKIP_AUDIT_CI=1 make -f rpm.mk update-cargo-dependencies download-cargo-dependencies srpms
BUNDLE_LIBDB=1 SKIP_AUDIT_CI=1 make -f rpm.mk rpms

Issue: #6082

reviewed by: @jchapma
- - - - -
8c82a718 by progier389 at 2024-04-12T12:24:40+01:00
Issue 6082 - Remove explicit dependencies toward libdb - revert default (#6145)

Change BUNDLE_LIBDB default value so that Fedora packages are still using /lib64/libdb-5.3.so by default. The version with bundled lib may still be generated by using:
BUNDLE_LIBDB=1 SKIP_AUDIT_CI=1 make -f rpm.mk update-cargo-dependencies download-cargo-dependencies srpms
BUNDLE_LIBDB=1 SKIP_AUDIT_CI=1 make -f rpm.mk rpms

Issue: #6082

reviewed by: @jchapma
- - - - -
7657726d by James Chapman at 2024-04-15T14:33:21+01:00
Bump version to 3.0.2

- - - - -
06910a83 by Timo Aaltonen at 2024-04-22T18:15:32+03:00
Merge branch 'upstream-experimental' into master-next

- - - - -
c6af7531 by Timo Aaltonen at 2024-04-22T18:15:48+03:00
Merge tag '389-ds-base-2.4.5' into master-next

- - - - -
8d6caec9 by Timo Aaltonen at 2024-04-22T18:16:14+03:00
Merge branch 'master' into master-next

- - - - -
fb3b1bc3 by Timo Aaltonen at 2024-04-25T13:31:56+03:00
version bump

- - - - -
e173c8d6 by Timo Aaltonen at 2024-04-25T13:32:07+03:00
patches: Refreshed.

- - - - -
c3320abe by Timo Aaltonen at 2024-04-25T13:35:01+03:00
releasing package 389-ds-base version 3.0.2+dfsg1-1

- - - - -
d08d17e6 by progier389 at 2024-05-06T12:19:03+02:00
Issue 6157 - Cockpit crashes when getting replication status if topology contains an old 389ds version (#6158)

dsconf -j instance replica status --suffix ... aborts if a topology contains an old version that does not set nsds5replicaLastUpdateStatusJSON in the replica agreement.
Fix is in two parts:
Catch TypeError, ValueError and KeyError in the _lint_agmts_status function to preserve the cockpit page and
the other agreement status in case of unexpected error.
While decoding the json attribute in get_agmt_status:
Catch the jsonDecodeError and generates a red state with a message explaining that value has an invalid format
Catch the TypeError and generates an amber state with legacy replica status message

Issue: #6157

Reviewed by: @droideck (Thanks!)
- - - - -
e24615fc by Simon Pichugin at 2024-05-06T15:25:22-07:00
Issue 6142 - Fix CI tests (#6161)

Description: Use the correct topology in healthcheck_test.py.
Fix trailing spaces. For the BDB test, process the "no error"
outcome for the newer version, where we expect that having BDB is an issue.

Fixes: https://github.com/389ds/389-ds-base/issues/6142

Reviewed by: @progier389 (Thanks!)
- - - - -
8f783e88 by Sergey Salamanov at 2024-05-14T15:11:03+02:00
fix issue6165 (#6167)

Problem: Server crash when using the referential integrity plugin when transactions are used and an error occurs when opening a file for writing.
Cause: The crash is caused by using an uninitialized mutex (PR_Unlock(referint_mutex)) after the error message and before calling referint_unlock();
Fix: The line using the uninitialized mutex PR_Unlock(referint_mutex) has been removed. It opens with an initialization check in the function below - referint_unlock().

Issue: #6166

Reviewed by: @progier389
- - - - -
884deb60 by James Chapman at 2024-05-15T09:56:42+01:00
Bump version to 3.1.0 


- - - - -
904dc990 by tbordaz at 2024-05-22T11:29:05+02:00
Issue 6172 - RFE: improve the performance of evaluation of filter component when tested against a large valueset (like group members) (#6173)

Bug description:
	Before returning an entry (to a SRCH) the server checks that the entry matches the SRCH filter.
	If a filter component (equality) is testing the value (ava) against a
	large valueset (like uniquemember values), it takes a long time because
	of the large number of values and required normalization of the values.
	This can be improved taking benefit of sorted valueset. Those sorted
	valueset were created to improve updates of large valueset (groups) but
	at that time not implemented in SRCH path.

Fix description:
	In case of LDAP_FILTER_EQUALITY component, the server can get
	benefit of the sorted valuearray.
	To limit the risk of regression, we use the sorted valuearray
	only for the DN syntax attribute. Indeed the sorted valuearray was
	designed for those type of attribute.
	With those two limitations, there is no need of a toggle and
	the call to plugin_call_syntax_filter_ava can be replaced by
	a call to slapi_valueset_find.
	In both cases, sorted valueset and plugin_call_syntax_filter_ava, ava and
	values are normalized.
	In sorted valueset, the values have been normalized to insert the index
	in the sorted array and then comparison is done on normalized values.
	In plugin_call_syntax_filter_ava, all values in valuearray (of valueset) are normalized
	before comparison.

relates: #6172

Reviewed by: Pierre Rogier, Simon Pichugin (Big Thanks !!!)
- - - - -
7df3957d by Viktor Ashirov at 2024-05-22T12:38:44+02:00
Issue 6151 - Use %bcond macro for conditional builds in the spec file

`rpmbuild` supports conditional package builds with the command line
switches `--with` and `--without`:
https://rpm-software-management.github.io/rpm/manual/conditionalbuilds.html

This is useful to rebuild an existing src.rpm file without editing the
spec file first. Or build in COPR with macros overrides for some
options. For example, automatic rebuilds from dist-git in COPR to
produced sanitized builds.

We use our custom global variables for different options such as
`use_cockpit` or `use_asan`. Instead we should switch to `%bcond` macro.

Additional changes:
* `rpm/bundle-rust-npm.py`: add `-f` option to automatically do the changes
  to the `License:` field.
* Remove unneeded `389-ds-base-git.sh`
* Update `389-ds-base-devel.README`
* `rpm.mk`:
** exclude `vendor.tar.gz` from the resulting tarball
** add aliases for rpms and srpms targets
** use bundle-rust-npm.py with -f option for development releases
** add rpmspec target to generate a spec file under `rpm/` directory.
* `389-ds-base.spec.in`:
** remove unused/obsoleted lines
** remove `Provides:` for Rust crates, it will be populated by
   `bundle-rust-npm.py`
** add .asan to the NVR automatically
** use macro for nss Requires:
** move libdb globals behind if/endif

Fixes: https://github.com/389ds/389-ds-base/issues/6151

Reviewed by: @droideck (Thanks!)

- - - - -
1a7abef1 by progier389 at 2024-05-27T11:40:44+02:00
Issue 6159 - Add a test to check URP add and delete conflict (#6160)

Add URP tests that run if URP_VERY_LONG_TEST environment variable is set
One test spends 6 days and check the 5770 different way of running
the (Add, sync agmt 1, sync agmt 2, Del) sequence on 3 suppliers
and check that when everything is in sync, the entries are the same everywhere
Second test generate crossed entries and conflict entries
 (In theory that should not happen but we have sometime seen them)
And tries to remove one of the entry.
Then once everything is back in sync, it check that the entry are the same
 The second test fails - Apparently there is a problem with URP in that corner case 
- - - - -
c019af14 by Alexander Bokovoy at 2024-05-28T11:51:08+02:00
Issue 6123 - Allow DNA plugin to reuse global config for bind method and connection protocol (#6124)

Description:

FreeIPA configures uniform authentication and access methods for DNA
plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set
those, IPA installer has to wait until its own server entry is
asynchronously created by the DNA plugin and then update the entry. This
process takes up to two minutes which is almost a half of time spent on
creating IPA server with integrated DNS and external TLS certificates
(e.g., without integrated CA).

DNA plugin's configuration entry already allows to specify remote bind
DN and remote bind password.  This is handled by
dna_get_shared_servers() which pulls remote_binddn and remote_bindpw
from the global config entry unconditionally:

...
                server->remote_binddn = config_entry->remote_binddn;
                server->remote_bindpw = config_entry->remote_bindpw;
                server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i],
                                                                          DNA_REMOTE_BIND_METHOD);
                server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i],
                                                                        DNA_REMOTE_CONN_PROT);
...

If we could add similar handling for remote_bind_method and
remote_conn_prot, with an override from the server entry, that would be
great. This way we can pre-create the configuration with the same
method/protocol values and skip waiting for the server entry to be
created from DNA plugin side.

Fixes: #6123

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ffa9c8b7 by jasonborden at 2024-05-31T15:50:12+02:00
Change default salt sizes generated in crypt_pwd (#6185)

Issue - #6186 - Increase the amount of salt crypt_pwd generates

Bug Description:
Salt currently generated by crypt_pwd is only 12 bits which is rather weak.

Fix Description:
Makes the salt generated the same length as linux shadow:
12bits (2 b64 chars) for CRYPT
48bits (8 b64 chars) for CRYPT-MD5
96bits (16 b64 chars) for CRYPT-SHA256 and CRYPT-SHA512

relates: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/ZJXVFQ6XC2IEROA2LZNBXKQ6YWAJHAIU/

Author: Jason Borden
Co-authored-by: Jason Borden <jason at acedatacenter.com>

Reviewed by: @progier389, @merlinthp (Thanks!)


- - - - -
b8139233 by Sergey Salamanov at 2024-05-31T17:55:03+02:00
Issue 6175 - Referential integrity plugin - in referint_thread_func does not handle null from ldap_utf8strtok (#6168)

Added a check for _null_ for the **ptoken** variable when returning from **ldap_utf8strtok_r**.

Issue: #6175

Reviewed by: @progier389 
- - - - -
78efaab7 by Viktor Ashirov at 2024-05-31T20:28:24+02:00
Issue 6189 - CI tests fail with `[Errno 2] No such file or directory: '/var/cache/dnf/metadata_lock.pid'`

Bug Description:
There is an intermittent issue during container startup in our CI:
```
[Errno 2] No such file or directory: '/var/cache/dnf/metadata_lock.pid'
Error: Process completed with exit code 1.
```

`systemd` is not fully initialized when a second command runs and expects
a pid file to be available.
The script should wait until `systemctl is-system-running` is successful.

Fix Description:
Add a check for `systemctl is-system-running`.

Fixes: https://github.com/389ds/389-ds-base/issues/6189

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
47c0bc3b by Viktor Ashirov at 2024-05-31T20:37:53+02:00
Issue 6177 - Spec file cleanup

Description:
* Move `libback-bdb` to `389-ds-base-bdb` subpackage completely
* Move `%prerel` macro to `Version:` field, only needed for upstream builds
* Remove the rest of `%prerel` macros
* Switch to `%autorelease` and `%autochangelog`
* Remove deprecated Group metadata
* Remove ifdef for RHEL7 (lib389 is now always built and required)
* Remove obsoleted `%clean` macro
* Remove unneeded cleanup steps
* Remove unused variable
* Add missing `$(RPMBUILD_OPTIONS)` for `rpmbuild` in `srpm` target

Fixes: https://github.com/389ds/389-ds-base/issues/6177
Fixes: https://github.com/389ds/389-ds-base/issues/6178

Reviewed by: @progier389 (Thanks!)

- - - - -
1b26ed9a by Viktor Ashirov at 2024-05-31T20:39:11+02:00
Issue 6193 - Test failure: test_tls_command_returns_error_text

Bug Description:
openssl changed error message in
https://github.com/openssl/openssl/commit/fedab100a4b8f4c3b81de632f29c159fb46ac3f2

Fix Description:
Adjust assert to use regex for different messages.

Fixes: https://github.com/389ds/389-ds-base/issues/6193

Reviewed by: @progier389 (Thanks!)

- - - - -
cde7d651 by Mark Reynolds at 2024-06-04T10:00:53-04:00
Issue 6170 - audit log buffering doesn't handle large updates

Description:

A large update, like adding 10K members to a group, gets truncated. When
the update is larger than the buffer then flush the current buffer, and
then directly write the large update to the log file (skipping the
buffering)

Relates: https://github.com/389ds/389-ds-base/issues/6170

Reviewed by: progier (Thanks!)

Apply Pierre's suggestions

- - - - -
d7b56a1e by Firstyear at 2024-06-05T10:18:51+10:00
Issue 6181 - RFE - Allow system to manage uid/gid at startup (#6182)

Bug Description: We have a user who wishes to implement a non-standard configuration in which the
running gid is not the primary gid of the uid that the server runs as. Currently this trips up most
of our setup tools.

Rather than support dropping to an alternate gid in the server, it is simpler to allow systemd to
pre-configure our user and group at start up. This needs a small number of changes.

Fix Description:
- dscreate needs to correctly set up file ownerships for dse.ldif and friends rather than relying on
  the server having root access and changing the perms itself
- Our unit file needs to enable the CAP_NET_BIND privilege so that the service can bind to ports
  lower than 1024 without being root
- The server needs to not attempt to change its uid/gid if we are already running as that user/gid.

fixes: https://github.com/389ds/389-ds-base/issues/6181

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 and @progier389 (Thank you!) 
- - - - -
bb887aa4 by Simon Pichugin at 2024-06-05T17:24:00-07:00
Issue 6188 - Add nsslapd-haproxy-trusted-ip to cn=schema (#6201)

Description: Add HAProxy trusted IP address multi-valued attribute
to cn=schema in 01core389.ldif

Related: https://github.com/389ds/389-ds-base/issues/6188

Reviewed by: @progier389 (Thanks!)
- - - - -
18887446 by Viktor Ashirov at 2024-06-08T17:50:19+02:00
Issue 6181 - RFE - Allow system to manage uid/gid at startup

Description:
Expand CapabilityBoundingSet to include additional capabilities.

Fixes: https://github.com/389ds/389-ds-base/issues/6181

Reviewed by: @progier389 (Thanks!)

- - - - -
bb76673d by Viktor Ashirov at 2024-06-08T17:52:46+02:00
Issue 6192 - Test failure: test_match_large_valueset

Description:
When BDB backend is used, nsslapd-cache-autosize needs to be set to 0
first in order to change nsslapd-cachememsize.
Also increase the expected etime slightly, as it fails on slower VMs
both with BDB and MDB backends.

Fixes: https://github.com/389ds/389-ds-base/issues/6192

Reviewed by: @droideck, @tbordaz (Thanks!)

- - - - -
216ffc07 by Viktor Ashirov at 2024-06-09T10:25:31+02:00
Issue 6200 - Disable WebUI CI tests

Description:
Currently WebUI tests fail. There are known issues both in tests and the
code. We should re-enable the tests back when we get to fix those
issues.

Fixes: https://github.com/389ds/389-ds-base/issues/6200

Reviewed by: @droideck (Thanks!)

- - - - -
eedde898 by progier389 at 2024-06-10T17:47:02+02:00
Issue 6199 - unprotected search query during certificate based authentication (#6205)

Problems:
SubjectDN extracted from the certificate is not escaped when used by certmap.conf
Other extracted value are wrongly escaped and quoted when added in filter

Solution: Ensure that proper escape function is used in these two cases.
Values in filter should not be quoted but * should be escaped.

Note: I considered reusing the ldap_bv2escaped_filter_value function but it needlessly reallocs the returned data
so I ended up to rewrite something the escape function (which is quite straightforward anyway).

Issue: #6199

Reviewed by: @droideck
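
An added illustration of the filter-value escaping this commit message describes (not code from the commit or from 389-ds-base): a generic RFC 4515 escaper in C that leaves the value unquoted and escapes `*`, parentheses, backslash and NUL. The function names and the sample certificate value are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* RFC 4515: these bytes must be written as \XX inside a filter value. */
static int needs_escape(unsigned char c)
{
    return c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0';
}

/*
 * Hypothetical helper: escape `len` bytes of `val` into `out`.
 * Returns 0 on success, -1 if `out` (of size `outsz`) is too small.
 * The length is explicit because certificate fields may contain NUL bytes.
 */
int filter_escape_value(const char *val, size_t len, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;

    if (outsz == 0) {
        return -1;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)val[i];
        if (needs_escape(c)) {
            if (o + 3 >= outsz) { /* 3 output bytes plus the final NUL */
                return -1;
            }
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            if (o + 1 >= outsz) {
                return -1;
            }
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return 0;
}

/*
 * Hypothetical helper: build "(attr=value)" with the value escaped and
 * NOT wrapped in quotes. `attr` is assumed to come from trusted
 * configuration, only `val` is treated as untrusted input.
 */
int build_equality_filter(const char *attr, const char *val, size_t len,
                          char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "(%s=", attr);
    size_t used;

    if (n < 0 || (size_t)n >= outsz) {
        return -1;
    }
    used = (size_t)n;
    if (filter_escape_value(val, len, out + used, outsz - used) != 0) {
        return -1;
    }
    used += strlen(out + used);
    if (used + 2 > outsz) { /* closing parenthesis plus NUL */
        return -1;
    }
    out[used++] = ')';
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: a CN value containing filter metacharacters. */
    const char *cn = "Smith (Ops) *";
    char filter[128];

    if (build_equality_filter("cn", cn, strlen(cn), filter, sizeof(filter)) != 0) {
        fprintf(stderr, "filter buffer too small\n");
        return 1;
    }
    printf("%s\n", filter);
    return 0;
}
```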
- - - - -
072b290d by Viktor Ashirov at 2024-06-11T08:55:46+02:00
Issue 6191 - Node.js 16 actions are deprecated

Description:
Node.js 16 actions are deprecated.
Update
* actions/checkout to v4
* actions/download-artifact to v4
* actions/upload-artifact to v4

Fixes: https://github.com/389ds/389-ds-base/issues/6191

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
d0b8174f by dependabot[bot] at 2024-06-11T09:11:31+02:00
Bump braces from 3.0.2 to 3.0.3 in /src/cockpit/389-console

Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
f2e581bc by progier389 at 2024-06-11T12:02:12+02:00
Issue 6207 - Random crash in test_long_rdn CI test (#6215)

CI test indexes/test_long_rdn sometime crashes
The issue is that a data returned by dblayer_bulk_nextdata iterator is wrongly freed
The fix is to avoid freeing the data

Issue: #6207

Reviewed by: @droideck (Thanks!)
- - - - -
d261ea27 by Simon Pichugin at 2024-06-11T20:19:29-07:00
Issue 6183 - Slow ldif2db import on a newly created BDB backend (#6208)

Bug Description: After creating a new BDB backend, we autotune the cache only when restarting.
So, an administrator will try to import an LDIF before that; she will have a very slow import.

Fix Description: Do the autotuning during the backend creation.
Add a CI test for the scenario.

Fixes: https://github.com/389ds/389-ds-base/issues/6183

Reviewed by: @progier389, @tbordaz (Thanks!!)
- - - - -
407bdaa0 by progier389 at 2024-06-13T15:17:36+02:00
Issue 5772 - ONE LEVEL search fails to return sub-suffixes (#6219)

Problem: ONE LEVEL scoped search fails to return sub-suffixes entries
Reason: When such search is done, a one level search is done on the main suffix and base search are done on any matching sub-suffix. But main suffix is processed search (to ensure that parent entries are returned before children ones when searching subtree) and ldbm_back_search change the filter to (&(parentid=xxx)old_filter) so the filter test reject the entry on the sub-suffixes.
Solution: Revert the backend list when doing one level search so that the sub-suffixes are processed first
and restore the base dn for the main suffix.
Alternative rejected: reset the filter when discovering a sub-suffix. Not so easy because filter is altered by the rewriters.
And systematic duplication is a useless overhead if there is no matching sub-suffixes (which is the usual case)

Issue: #5772

Reviewed by: @tbordaz, @droideck (Thanks!)
- - - - -
0f46d433 by Viktor Ashirov at 2024-06-13T16:34:38+02:00
Issue 6120 - /usr/lib64/dirsrv/plugins/libback-bdb.so has an invalid-looking DT_RPATH: /usr/lib/dirsrv

Bug Description:
rpminspect reports an invalid DT_RPATH /usr/lib/dirsrv
It's evaluated in m4/bundle_libdb.m4 from

```
-R${prefix}/lib/dirsrv"
```

Fix Description:
Change it to lib64

Fixes: https://github.com/389ds/389-ds-base/issues/6210

Reviewed by: @progier389 (Thanks!)

- - - - -
4e3dc9e8 by progier389 at 2024-06-17T14:03:02+02:00
Issue 6222 - CI test acl/test_timeofday_keyword sometime fails (#6223)

CI test acl/test_timeofday_keyword sometime fails because current time (in minutes) changes during the test
Solution is to run the test in loop and retry if the time has changed.
Also fix:
Similar issue with test_dayofweek_keyword_today_can_access (with time in days)
Skip the tests that sets the hostname if run as non root

Issue: #6222

Reviewed by: @droideck (Thanks!)
- - - - -
796f7030 by progier389 at 2024-06-18T14:21:07+02:00
Issue 6224 - d2entry - Could not open id2entry err 0 - at startup when having sub-suffixes (#6225)

Problem: d2entry - Could not open id2entry err 0 is logged at startup when having sub-suffixes
Reason: The slapi_exist_referral internal search access a backend that is not yet started.
Solution: Limit the internal search to a single backend

Issue: #6224

Reviewed by: @droideck Thanks!
- - - - -
9687d830 by dependabot[bot] at 2024-06-20T09:11:14+02:00
Bump ws from 7.5.9 to 7.5.10 in /src/cockpit/389-console

Bumps [ws](https://github.com/websockets/ws) from 7.5.9 to 7.5.10.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/7.5.9...7.5.10)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
f76503de by progier389 at 2024-06-21T19:41:42+02:00
Issue 6233 - CI test wait_for_async_feature_test sometime fails (#6234)

CI test random failure related to timing.
Fixed by decreasing the minimum number of expected asynchronous results

Issue: #6233

Reviewed by: @droideck, @tbordaz (Thanks!)

- - - - -
1f41661c by tbordaz at 2024-06-24T13:41:35+02:00
Issue 6227 - dsconf schema does not show inChain matching rule (#6228)

Bug description:
	The registered inChain MR does defined any matching rule
	syntax (mr_syntax).
	When dsconf reads the matching rules (read_schema_dse)
	it only reports those which have OID and SYNTAX.
	As a consequence InChain was not reported.

Fix description:
	The syntax defines that assertion syntax that is
	distinguished name. Add this syntax to the register
	struct

relates: #6227

Reviewed by: Pierre Rogier (Thanks !)
- - - - -
e5c761b0 by Yaakov Selkowitz at 2024-06-25T10:05:12+02:00
Issue 6236 - rpm: fix compatibility with RPM 4.20

Description:
RPM 4.20 drops support for the deprecated %patchN syntax, and adds a
build-specific path to %_builddir.

Fixes: https://github.com/389ds/389-ds-base/issues/6236

- - - - -
04a0b6ac by progier389 at 2024-06-28T18:56:49+02:00
Issue 6229 - After an initial failure, subsequent online backups fail (#6230)

* Issue 6229 - After an initial failure, subsequent online backups will not work

Several issues related to backup task error handling:
Backends stay busy after the failure
Exit code is 0 in some cases
Crash if failing to open the backup directory
And a more general one:
lib389 Task DN collision

Solutions:
Always reset the busy flags that have been set
Ensure that 0 is not returned in error case
Avoid closing NULL directory descriptor
Use a timestamp having milliseconds precision to create the task DN

Issue: #6229

Reviewed by: @droideck (Thanks!)
- - - - -
f6481f62 by jasonborden at 2024-07-02T12:07:29+02:00
Issue 6241 - Add support for CRYPT-YESCRYPT (#6242)

Description:
Implements CRYPT-YESCRYPT as a password storage scheme

Issue: #6241

Reviewed by: @progier389
- - - - -
b47cbe04 by progier389 at 2024-07-02T12:10:14+02:00
Issue 6245 - covscan fixes (#6246)

* Issue 6245 - covscan fixes
Fix issues reported by coverity scan static analyzer

Issue: #6245

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
c09717d9 by progier389 at 2024-07-03T13:29:28+02:00
Issue 6216 - CI test_fast_slow_import sometime fail (#6247)

The test comparing times around 2 seconds is pretty unstable.
With this fix, the test is still running, checking that import with private memory works
but does not check any more that it is faster than standard import

Issue: #6216

Reviewed by: @droideck (Thanks!)
- - - - -
3fe56612 by Mark Reynolds at 2024-07-05T15:13:40-04:00
Issue 6238 - RFE - add option to write audit log in JSON format

Description:

Add option to set the format between: default, json, or json-pretty

json-pretty just writes the JSON format in a vertical structure versus
one condensed line of text.

You can also adjust the local time format using strftime formatting

Relates: https://github.com/389ds/389-ds-base/issues/6238

Reviewed by: ?

- - - - -
eb7e57d7 by progier389 at 2024-07-08T11:19:09+02:00
Issue 6155 - ldap-agent fails to start because of permission error (#6179)

Issue: dirsrv-snmp service fails to start when SELinux is enforced because of AVC preventing to open some files
One workaround is to use the dac_override capability but it is a bad practice.
Fix: Setting proper permissions:

Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources.
Setting read permission on the group for the dse.ldif file
Setting r/w permissions on the group for the snmp semaphore and mmap file
For that one special care is needed because ns-slapd umask overrides the file creation permission
as is better to avoid changing the umask (changing umask within the code is not thread safe,
and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file
if the needed permission are not set.
Issue: #6155

Reviewed by: @droideck , @vashirov (Thanks ! )
- - - - -
a3d35219 by Simon Pichugin at 2024-07-09T18:09:28-07:00
Issue 6254 - Enabling replication for a sub suffix crashes browser (#6255)

Bug Description: Web Console: Enabling replication for a sub-suffix causes
TypeError: this.props.data.nsds5replicabinddn is not iterable.

Fix Description: Make sure that loadSuffixTree is run for subsuffixes, too.
Set defaults if data is absent.

Fixes: https://github.com/389ds/389-ds-base/issues/6254

Reviewed by: @progier389 (Thanks!)
- - - - -
0f6a9215 by progier389 at 2024-07-17T10:18:48+02:00
Issue 6238 - Fix test_audit_json_logging CI test regression (#6264)

CI test test_audit_json_logging report generation fails because some log file contains non UTF-8 characters.
The fix is to ignore invalid characters when generating the report.
(So that the logs get properly copied in the assets)

Issue #6238

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
7f92c01c by progier389 at 2024-07-17T15:52:37+02:00
Issue 6248 - fix fanalyzer warnings (#6253)

* Issue 6248 - fix fanalyzer warnings
* Issue 6248 - fix fanalyzer warnings - clang warning
* Issue 6248 - fix fanalyzer warnings - fix non debug warning

This change removes all gcc -fanalyzer warnings.
Number of them are not that interesting (False/positive due to some limits of the analyzer and some possible crashes when running out of memory).
But some of these warnings were real concerns.

Issue #6248

Reviewed by: @droideck (Thanks!)
- - - - -
298aa73a by progier389 at 2024-07-19T11:39:56+02:00
Issue 6245 - Revert __COVERITY__ ifndef (#6268)

PR #6246 generated 300 new coverity scan defect about uninitialized variable because slapi_pblock_get is
within #ifndef COVERITY
Since it generates more warnings than it fixes, this change reverts this part.

Issue: #6245

Reviewed by: @vashirov , @droideck (Thanks!)
- - - - -
32a0e26a by dependabot[bot] at 2024-07-23T10:30:03+02:00
Bump openssl from 0.10.64 to 0.10.66 in /src

Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.64 to 0.10.66.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.64...openssl-v0.10.66)

---
updated-dependencies:
- dependency-name: openssl
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
bd5e0ef7 by Viktor Ashirov at 2024-07-23T12:46:06+02:00
Issue 5853 - Update Cargo.lock

Description:
Update Cargo.lock to bump dependencies' versions.

Relates: https://github.com/389ds/389-ds-base/issues/5853

Reviewed by: @progier389 (Thanks!)

- - - - -
f75b5e24 by progier389 at 2024-07-25T09:40:15+02:00
Issue 6265 - lmdb - missing entries in range searches (#6266)

* Issue 6265 - lmdb - missing entries in range searches

Several issues seen after generating ldif with 2000 users and importing it in a replica:

1. The entryid attribute is missing in the suffix entry.
2. Access log shows that the internal search looking for "(parentid>=1)" is not returning all entries but one.
3. When initializing a replica through a replication agreement some entries are missing (because of 2)
4. Once 2. gets fixed, the bulk import still fails because the default values for nsds5ReplicaFlowControlWindow and nsds5ReplicaFlowControlPause are not adapted to lmdb (supplier sent the entry faster than bdb and the target replica import them slower).

The fix is about:

1. Ensuring that the operational attribute are properly set when importing the suffix entry.
2. and 3. Avoid using database bulk operation when computing range unless we are sure that bdb is used (rely instead on the generic dblayer database iterator - dblayer_cursor_iterate).
4. Change the default values for nsds5ReplicaFlowControlWindow and nsds5ReplicaFlowControlPause if agreement is on a lmdb backend.

Issue: #6265

Reviewed by: @vashirov, @droideck (Thanks!)

- - - - -
d05836dd by Sumedh Sidhaye at 2024-07-25T15:34:36+02:00
Issue 6256 - nsslapd-numlisteners limit is not enforced

Description: Add a test to check if nsslapd-numlisteners value
can be set higher than 4

Relates: https://github.com/389ds/389-ds-base/issues/6256

Reviewed by: droideck

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>

- - - - -
36a2f1d5 by James Chapman at 2024-07-26T12:02:30+02:00
Security fix for CVE-2024-2199

Description:
A denial of service vulnerability was found in the 389 Directory Server.
This issue may allow an authenticated user to cause a server crash while
modifying userPassword using malformed input.

Fix Description:
When doing a mod on userPassword we reset the pblock modifier after we
set the modified timestamp, ensuring the pblock data stays valid.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-2199
- https://access.redhat.com/security/cve/CVE-2024-2199
- https://bugzilla.redhat.com/show_bug.cgi?id=2267976

- - - - -
b1e9acf3 by Pierre Rogier at 2024-07-26T12:03:06+02:00
Security fix for CVE-2024-3657

Description:
A flaw was found in the 389 Directory Server. A specially-crafted LDAP query
can potentially cause a failure on the directory server, leading to a denial
of service.

Fix Description:
The code was modified to avoid a buffer overflow when logging some requests
in the audit log.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-3657
- https://access.redhat.com/security/cve/CVE-2024-3657
- https://bugzilla.redhat.com/show_bug.cgi?id=2274401

- - - - -
9e6cefb1 by Pierre Rogier at 2024-07-26T12:03:26+02:00
Security fix for CVE-2024-5953

Description:
A denial of service vulnerability was found in the 389 Directory Server.
This issue may allow an authenticated user to cause a server denial
of service while attempting to log in with a user with a malformed hash
in their password.

Fix Description:
To prevent buffer overflow when a bind request is processed, the bind fails
if the hash size is not coherent without even attempting to process further
the hashed password.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-5953
- https://access.redhat.com/security/cve/CVE-2024-5953
- https://bugzilla.redhat.com/show_bug.cgi?id=2292104

- - - - -
a468073b by Thierry Bordaz at 2024-07-26T12:03:42+02:00
Security fix for CVE-2024-6237

Description:
A flaw was found in the 389 Directory Server. This flaw allows
an unauthenticated user to cause a systematic server crash while sending
a specific extended search request, leading to a denial of service.

Fix Description:
Add missing parameter to `slapi_log_err` function call.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-6237
- https://access.redhat.com/security/cve/CVE-2024-6237
- https://bugzilla.redhat.com/show_bug.cgi?id=2293579
- https://github.com/389ds/389-ds-base/issues/5989

- - - - -
23c4d457 by Viktor Ashirov at 2024-07-26T18:56:55+02:00
Issue 5327 - Fix test metadata

Description:
Metadata validation job fails on unescaped sequence used in the docstring.

Fix Description:
Escape unicode value in the docstring.

Relates: https://github.com/389ds/389-ds-base/issues/5327

Reviewed by: @droideck (Thanks!)

- - - - -
9753fb91 by James Chapman at 2024-07-30T03:55:59+01:00
Issue 6256 - nsslapd-numlisteners limit is not enforced (#6257)

Description: When an invalid value for the attribute nsslapd-numlisteners
is used, config normalises the value but the invalid value is written to
dse.ldif.

Fix description: Modify config to reject an invalid value.

Fixes: https://github.com/389ds/389-ds-base/issues/6256

Reviewed by: @droideck (Thank you)
- - - - -
aef16683 by Viktor Ashirov at 2024-07-30T10:13:20+02:00
Bump version to 3.1.1

- - - - -
7237a55f by Timo Aaltonen at 2024-08-07T08:03:49+03:00
Merge tag '389-ds-base-3.0.2' into m

- - - - -
6f8c4dcd by Timo Aaltonen at 2024-08-07T08:04:08+03:00
Merge branch 'master-next' into m

- - - - -
b1006fe0 by Timo Aaltonen at 2024-08-07T08:05:45+03:00
version bump

- - - - -
a2cd8988 by Timo Aaltonen at 2024-08-07T09:53:44+03:00
control, vendor: Add librust-ahash-0.7-dev to build-depends, modify concread cargo to allow newer lru.

- - - - -
9f45e6eb by Timo Aaltonen at 2024-08-07T10:19:04+03:00
releasing package 389-ds-base version 3.1.1+dfsg1-1

- - - - -


28 changed files:

- .github/scripts/generate_matrix.py
- .github/workflows/compile.yml
- + .github/workflows/coverity.yml
- .github/workflows/lmdbpytest.yml
- .github/workflows/npm.yml
- .github/workflows/pytest.yml
- .github/workflows/release.yml
- .github/workflows/validate.yml
- .gitignore
- Makefile.am
- VERSION.sh
- configure.ac
- debian/changelog
- debian/control
- debian/patches/allow-newer-crates.diff
- debian/vendor/concread/.cargo-checksum.json
- debian/vendor/concread/Cargo.toml
- dirsrvtests/conftest.py
- dirsrvtests/report.py
- + dirsrvtests/tests/data/freeipa/issue6136/dse.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/ipaca.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/15rfc2307bis.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/15rfc4876.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/60basev2.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/60basev3.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/60basev4.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/60certificate-profiles.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/60ipaconfig.ldif


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/be5e970c4714a794cbf4bfbe04fc363d490b32b1...9f45e6eb2ebdb19b5f1e60b2883d0933f0cc8106
