[Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][upstream] 238 commits: Issue 5714 - UI - fix typo, db settings, log settings, and LDAP editor paginations

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Aug 7 08:21:44 BST 2024



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / 389-ds-base


Commits:
66e89b66 by Mark Reynolds at 2023-03-31T11:11:55-04:00
Issue 5714 - UI - fix typo, db settings, log settings, and LDAP editor paginations

Description:

- DB settings "Look Through Limit" was misspelled, and the "+" increment button was not working
- Configuring logs would not correctly enable/disable the save button
- LDAP Browser - Pagination was not working correctly when you search for attributes/objectclasses. We were also missing some "search" inputs for attributes in some of the forms.

relates: https://github.com/389ds/389-ds-base/issues/5714

Reviewed by: spichugi(Thanks!)

- - - - -
6033380a by James Chapman at 2023-04-04T07:17:50+01:00
Issue 5643 - Memory leak in entryrdn during delete (#5717)

Bug description: Failure to delete temp key buffer

Fix description: Delete temp key buffer on exit

Fixes: https://github.com/389ds/389-ds-base/issues/5643

Reviewed by: @mreynolds389  (Thank you)
- - - - -
7f16473a by Vladimir Cech at 2023-04-05T12:19:54+02:00
Issue 4758 - Add tests for WebUI

Description:
Added WebUI visibility tests for server tab, database tab, replication tab, schema tab, monitoring tab.

Relates: https://github.com/389ds/389-ds-base/issues/4758

Reviewed by: https://github.com/bsimonova (Thank you!)

- - - - -
a01e230f by James Chapman at 2023-04-10T22:29:51+01:00
Issue 5705 - Add config parameter to close client conns on failed bind (#5712)

Description: Malformed applications that ignore BIND return code can
load the server with unnecessary requests

Fix description: Add a config option that will allow the closure of a
client connection from server side when a BIND is failing.

relates: https://github.com/389ds/389-ds-base/issues/5707

Reviewed by: @droideck  (Thank you)
- - - - -
1a788100 by James Chapman at 2023-04-11T12:51:01+01:00
Issue 5718 - Memory leak in connection table (#5719)

Bug description: duplicate multiple mem allocation cause leak

Fix description: remove duplicate allocation

Fixes: https://github.com/389ds/389-ds-base/issues/5718

Reviewed by: @Firstyear  (Thank you)
- - - - -
56939cc3 by Vladimir Cech at 2023-04-13T10:30:01+02:00
Issue 4758 - Add tests for WebUI

Description:
Added WebUI visibility tests for Plugins tab, LDAP Browser tab.

Relates: https://github.com/389ds/389-ds-base/issues/4758

Reviewed by: @bsimonova @droideck (Thanks!)

- - - - -
6ae14bc8 by tbordaz at 2023-04-17T15:29:32+02:00
Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)

Bug description:
	With LDBM / BDB separation, LDBM functions like
	upgradednformat need to initialize ldbminfo

Fix description:
	call dblayer_setup in upgradednformat

relates: #5726

Reviewed by: Simon Pichugin (Thanks)
- - - - -
dd7d487a by Firstyear at 2023-04-21T10:29:09+10:00
Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735)

Bug Description: A customer reported an issue with openldap to 389ds migration. This was due to
their openldap instance using a number of openldap attributes that I had not encountered in other
migrations.

These attributes are operational to openldap only and can be safely excluded.

Fix Description: Exclude pwdFailureTime and ContextCSN

fixes: https://github.com/389ds/389-ds-base/issues/5734

Author: William Brown <william at blackhats.net.au>

Review by: ???
- - - - -
9a05477f by tbordaz at 2023-04-21T11:25:29+02:00
Issue 5156 - RFE that implement slapi_memberof (#5694)

Bug description:
	The RFE #5156 implements a new slapi function slapi_memberof.
	This function is described in
	https://www.port389.org/docs/389ds/design/slapi_memberof.html
	For a given target entry, it allows the caller to retrieve
	all entries that have a membership relation to that entry.
	Typically, retrieving the groups that the given entry
	is memberof.
	This PR contains the implementation of slapi_memberof.

	This PR contains part of the tests of slapi_memberof.
	It does not contain the tests that are based on
	already computed 'memberof' attribute (memberof plugin).
        Those remaining tests will be reviewed later

Fix description:
	This PR contains the implementation of slapi_memberof.

	The slapi_memberof function is called by the server or
	plugins.
	The tests implement a new extop plugin 2.3.4.5.113730.6.7.1
        (test_slapi_memberof.c).
	At startup the init function (test_slapi_memberof_init) of
        the extop plugin reads the plugin configuration entry. The
        config entry contains params with which slapi_memberof
	is called (scope, excludeScope, recurse, membership attr,...)
	The extop receives a target entry as parameters and calls
	slapi_memberof with this target entry and the config params.

	The test suite tests give examples of all params setting
	except the flag=MEMBEROF_RECOMPUTE that is hardcoded
	(new tests will change this flag)

relates: #5156

Reviewed by: Mark Reynolds, Simon Pichugin, William Brown (Very big thanks!!!)
- - - - -
87efeb29 by Mark Reynolds at 2023-04-25T15:21:47-04:00
Bump version to 2.4.0

- - - - -
18ef874d by Vladimir Cech at 2023-04-27T12:23:50+02:00
Issue 4758 - Add tests for WebUI

Description:
Added WebUI test for bug where RHDS instance won't load when backup directory is set to non existing directory.

Relates: https://github.com/389ds/389-ds-base/issues/4758

Reviewed by: @bsimonova (Thanks!)

- - - - -
881cade7 by Mark Reynolds at 2023-04-27T16:25:36-04:00
Issue 5156 - fix build breakage from slapi-memberof commit

Description:  Function prototypes were not declared correctly and this breaks
the builds on new compilers.

relates: #5156

Reviewed by: ?

- - - - -
0f9a80ac by Mark Reynolds at 2023-04-28T08:21:24-04:00
Issue   - Copy config files into backup directory

Description:  Copy dse.ldif, schema files, certmap.conf, slapd-collations,
              and NSS files into the backup.  These files are not restored
              during a bak2db, so they must be manually restored (if needed)

relates: https://github.com/389ds/389-ds-base/issues/2562

Reviewed by: firstyear, spichugi, progier, and tbordaz (Thanks!!!!)

- - - - -
9132f07b by progier389 at 2023-04-28T17:02:29+02:00
Issue 5743 - Disabling replica crashes the server (#5746)

* Issue 5743 - Disabling replica crashes the server

Problem: Server crash when disabling replication on a supplier/hub/consumer because of a null pointer exception while trying to delete the changelog.
Solution is trivial: do not try to use NULL pointer.
I double checked that the changelog db is still deleted in SUPPLIER/HUB case
(without the fix the crash also occurs in these cases, I suspect that the changelog removal code is called twice)
- - - - -
2d1e1455 by Mark Reynolds at 2023-05-04T14:57:23-04:00
Issue 5749 - RFE - Allow Account Policy Plugin to handle inactivity and expiration at the same time

Description:

Currently Account Policy Plugin has a state attribute and alternate state attribute.
If the main state attribute is NOT present in the entry then it falls back to the
alternate state attribute.

This RFE adds a new setting that tells the plugin to check both state attributes.
The purpose of this is for expiration and inactivity, so this is meant to be used
when the alternate state attribute is 'passwordExpirationtime'.  So if the main
state attribute is OK, it will then check the alternate state attribute for
inactivity.

relates: https://github.com/389ds/389-ds-base/issues/5749

Reviewed by: tbordaz & spichugi(Thanks!!)

- - - - -
ea0ed1f5 by tbordaz at 2023-05-08T11:16:54+02:00
Issue 5156 - build warnings (#5758)


- - - - -
3dd9bd36 by Mark Reynolds at 2023-05-08T08:28:07-04:00
Issue 5738 - RFE - UI - Read/write replication monitor info to .dsrc file

Description:

Allow UI to use the .dsrc replication monitor info, and also allow the UI to
write new report configurations.  This prevents an admin from having to enter
this information every time they want to run a report

relates: https://github.com/389ds/389-ds-base/issues/5738

Reviewed by: spichugi(Thanks!)

- - - - -
a55fa308 by tbordaz at 2023-05-09T08:51:47+02:00
Issue 5704 - crash in sync_refresh_initial_content (#5720)

Bug description:
	If the last record of the changelog is not accessible
	then the session record is NULL. It crashes the server
	when it is dereferenced.
	I failed to reproduce it, including disabling/removing
	'cn=changelog' backend/mapping tree. So I guess it
	happens during rare dynamic.

Fix description:
	Return a failure when the session cookie is not
	initialized

relates: #5704

Reviewed by: Mark Reynolds (Thanks)
- - - - -
bcbad874 by tbordaz at 2023-05-09T15:06:55+02:00
Issue 5722 - RFE When a filter contains 'nsrole', improve response time by rewriting the filter (#5723)

Bug description:
	'nsrole' is a virtual attribute and is not indexed.
         With a poorly selective filter like below the search may be not indexed
	"(&(nsrole=cn=managed_role,cn=suffix)(objectclass=posixAccount)))"

	The RFE is to rewrite the filter component that contains the 'nsrole'
        attribute type.
	The rewritten component can then be indexed

Fix description:
	For managed role, it replaces 'nsrole' with 'nsroleDN'
        attribute type

	For filtered role, it replaces the 'nsrole' component
	with the nsRoleFilter value

relates: #5722

Reviewed by: Pierre Rogier (Thanks)
- - - - -
7c90259f by James Chapman at 2023-05-09T15:35:39+01:00
Issue 5752 - RFE - Provide a history for LastLoginTime (#5753)

Description: When a user did a successful bind, the "LastLoginTime"
attribute is updated. We have now a request from our security department
to display the users last successful bind before the current one. When
we just read out this attribute the value is already updated, so that
the user did not see his real last successful
login, in fact he sees the current login date and time.

Fix description: Create a new Account Policy attribute to store the
login time stamps for a successful bind.

relates: https://github.com/389ds/389-ds-base/issues/5752

Reviewed by: @droideck  (Thank you)
- - - - -
05528f6d by Firstyear at 2023-05-11T00:25:13+10:00
Issue 5052 - BUG - Custom filters prevented entry deletion (#5060)

Bug Description: When a custom filter was provided, entries
which were deleted in AD did not have that event correctly
reflected in 389-ds. This was due to the behaviour that when
an entry in AD is deleted, it is marked with a "deleted" flag
which the objectClass=* filter would (accidentally) collect
when it did a search. However, a custom user filter being
specified would in some cases (such as a memberOf filter)
NOT show up the deletion since the entry was considered
to have moved out of scope rather than being a full delete.

Fix Description: In the case that we have a userfilter, we
wrap it in an OR condition that always requests isDeleted
flags so that we can correctly reflect the delete status.

fixes: https://github.com/389ds/389-ds-base/issues/5052

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 @tbordaz 
- - - - -
5304d4f2 by Mark Reynolds at 2023-05-11T08:16:43-04:00
Issue 152 - RFE - Add support for LDAP alias entries

Description:  Per RFC rfc4512#section-2.6 add support for Alias Entries.
              Currently this is only designed to work with "base" searches.

              Thanks for @anilech for the code contribution!!!

relates: https://github.com/389ds/389-ds-base/issues/152

Reviewed by: spichugi, tbordaz, and progier(Thanks!!!)

- - - - -
1b2458fe by Mark Reynolds at 2023-05-16T11:28:09-04:00
Issue 5765 - Improve installer selinux handling

Description:  When labeling ports we retry on error, and we should do the same
when labeling files

relates: https://github.com/389ds/389-ds-base/issues/5765

Reviewed by: ?

- - - - -
fdc2d53d by tbordaz at 2023-05-16T18:55:20+02:00
Issue 5722 - fix compilation warnings (#5771)


- - - - -
e7ef61f9 by Mark Reynolds at 2023-05-18T09:11:02-04:00
Issue 5768 - CLI/UI - cert checks are too strict, and other issues

Description:

The certificate type checks for CA/server break if there are no certificate
extensions set (use openssl in that case to gather the info instead).
dscontainer needed to be updated for new cert checks, and UI adding certs
improvements.

relates: https://github.com/389ds/389-ds-base/issues/5768

Reviewed by: spichugi(Thanks!)

- - - - -
d95d7e96 by Mark Reynolds at 2023-05-18T09:16:12-04:00
Issue 5770 - RFE - Extend Password Administrators to allow skipping password info updates

Description:

Add new config setting to state that password admin updates should not update
entry's password state attributes.

relates: https://github.com/389ds/389-ds-base/issues/5770

Reviewed by: progier, tbordaz, spichugi (Thanks!)

- - - - -
234cb2ec by Mark Reynolds at 2023-05-18T10:36:31-04:00
Bump version to 2.4.1

- - - - -
37ec5cda by tbordaz at 2023-05-22T17:03:01+02:00
Issue 5751 - Cleanallruv task crashes on consumer (#5775)

Bug description:
	During CL refactoring (changelog DB was integrated into the main DB #2621)
	several parts of code (removed DB, export/import CL,
	cleanallRUV,..) calls replica_get_cl_info to retrieve the
	changelog of a replica. If the replica does not contain a
	changelog (consumer) the returned pointer is NULL.
	Some code assumes the pointer is not NULL and dereferences it.

Fix description:
	For all calls to replica_get_cl_info, check the pointer
	before referencing it

relates: #5751

Reviewed by: Mark Reynolds
- - - - -
79d04f47 by Mark Reynolds at 2023-05-25T15:43:35-04:00
Issue 5778 - UI - Remove error message if .dsrc is missing

Description:  Having a .dsrc file is not required, so the UI should not report
an error if it's not present

relates: https://github.com/389ds/389-ds-base/issues/5778

Reviewed by: spichugi & progier(Thanks!)

- - - - -
c6b2236c by James Chapman at 2023-05-29T10:38:21+01:00
Issue 5646 - Various memory leaks (#5725)

Bug description: A memory leak occurs when a sync repl search is run
in refreshPersist mode. The connection from sync repl consumer is
closed without freeing up the ldap req ctrls.

Fix description: When the connection to the client is closed or on
shutdown free the request control structure if it exists.

relates: https://github.com/389ds/389-ds-base/issues/5646

Reviewed by: @progier389, @droideck, @Firstyear, @tbordaz  (Thank you)
- - - - -
ba0e1ce0 by Simon Pichugin at 2023-06-06T07:58:01-07:00
Issue 5786 - Set minimal permissions on GitHub Workflows (#5787)

Set minimal permissions on our GitHub Workflows.
Defining minimal permissions secures you against erroneous or malicious behaviour from external jobs you call from your workflow. It's especially important in case they get compromised.

Fixes: https://github.com/389ds/389-ds-base/issues/5786

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
7fbcb8da by Mark Reynolds at 2023-06-06T12:51:14-04:00
Issue 5786 - CLI - registers tools for bash completion

Description:

In newer versions of Fedora you need to register the CLI tools for bash
completion.  Previously it worked out of the box, but now this
registration is required

relates: https://github.com/389ds/389-ds-base/issues/5785

Reviewed by: spichugi & viktor(Thanks!!)

- - - - -
a30a9e0d by Mark Reynolds at 2023-06-08T11:45:51-04:00
Issue 5789 - Improve ds-replcheck error handling

Description:  When replication is not fully configured the tool outputs vague
              messages.  These should be cleaned up to indicate that
              replication was not initialized.  Also added healthcheck.

Relates: https://github.com/389ds/389-ds-base/issues/5789

Reviewed by: tbordaz, spichugi, progier (Thanks!!!)

- - - - -
3ddb1027 by Simon Pichugin at 2023-06-12T09:57:23-07:00
Issue 3527 - Add PROXY protocol support (#5762)

Description: Add support to 389-base for the PROXY protocol
for ACI evaluation and also for logging client queries.

The proxy protocol is described here:
http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt

Fixes: https://github.com/389ds/389-ds-base/issues/3527

Reviewed by: @Firstyear, @progier389, @mreynolds389 (Thanks!)

- - - - -
99045500 by Vladimir Cech at 2023-06-13T11:28:23+02:00
Issue 4758 - Add tests for WebUI

Description:
Adding WebUI tests for bz1654238. Test for bz1654238 checks that you are able to create new entries in LDAP Browser tab.

Relates: https://github.com/389ds/389-ds-base/issues/4758

Reviewed by: @droideck (Thanks!)

- - - - -
eaabdd2a by tbordaz at 2023-06-14T10:50:53+02:00
Issue 5156 - (cont) RFE slapi_memberof reusing memberof values (#5744)

Bug description:
        The RFE #5156 implements a new slapi function slapi_memberof.
        This function is described in
        https://www.port389.org/docs/389ds/design/slapi_memberof.html
	A previous PR was related to the implementation of
	slapi_memberof, test plugin and tests to recompute membership
	relations (MEMBEROF_RECOMPUTE)

Fix description:
        This PR contains the remaining tests of slapi_memberof that
	verify the ability of slapi_memberof to reuse 'memberof'
        values. (MEMBEROF_REUSE_ONLY, MEMBEROF_REUSE_IF_POSSIBLE)

        This PR also fixes some bugs in the slapi_memberof function
	and the test plugin.

relates: #5156

Reviewed by: Pierre Rogier (thanks)
- - - - -
54cf07cc by Mark Reynolds at 2023-06-14T16:23:23-04:00
Issue 5785 - move bash completion to post section of specfile

Description:  Need to move bash completion setup to %post section of specfile.
Previously it was done during the build process which is incorrect and breaks
builds.

relates: https://github.com/389ds/389-ds-base/issues/5785

Reviewed by: spichugi(Thanks!)

- - - - -
582f0294 by osenchenko at 2023-06-14T17:04:31-04:00
Issue 5781 - Bug handling return code of pre-extended operation plugin.

Issue 5781 - Bug handling return code of pre-extended operation plugin.

Bug Description: The return code of the plugin with the type "pre-extended operation" is not used when processing extended operation. Regardless of the plugin's return code, the operation continues to be processed.

Fix Description: Add additional condition in if statement

relates: https://github.com/389ds/389-ds-base/issues/5781

Author: osenchenko

Reviewed by: Mark Reynolds (thanks)

- - - - -
3cdc7d82 by Simon Pichugin at 2023-06-16T10:05:37-07:00
Issue 5798 - CLI - Add multi-valued support to dsconf config (#5799)

Description: Currently, we have two editable multi-valued attributes in cn=config:
nsslapd-haproxy-trusted-ip and nsslapd-referral.

Our current cn=config implementation doesn't support bunch ADD operations.
Make our CLI tools more robust so they can handle multi-valued attributes correctly.

Add add_many method to DSLdapObject.

Fixes: https://github.com/389ds/389-ds-base/issues/5798

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
3b76ff7a by Simon Pichugin at 2023-06-19T14:12:00-07:00
Issue 3527 - Fix HAProxy x390x compatibility and compiler warnings (#5801)

Description: We need to support both big-endian (x390x) and little-endian (x86)
architectures, it's better to dynamically adjust the byte order in our test cases
based on the architecture of the system executing the tests.
Define the values depending on the architecture.

Fix minor compiler warnings.

Related: https://github.com/389ds/389-ds-base/issues/3527

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
138f1bf3 by Simon Pichugin at 2023-06-21T09:06:28-07:00
Issue 5752 - CI - Add more tests for lastLoginHistorySize RFE (#5802)

Description: Add more tests for lastLoginHistorySize, including zero, negative,
non-integer test values.
Also, refactor the initial tests so we can expand the test suite easily.

Related: https://github.com/389ds/389-ds-base/issues/5752

Reviewed by: @jchapma (Thanks!)
- - - - -
ed8b5f3b by Mark Reynolds at 2023-06-21T15:26:46-04:00
Issue 5793 - UI - move from webpack to esbuild bundler

Description:

To stay consistent and current with Cockpit (via https://github.com/cockpit-project/starter-kit)
we need to move from webpack to esbuild

relates: https://github.com/389ds/389-ds-base/issues/5793

Reviewed by: spichugi(Thanks!)

- - - - -
07477c6e by dependabot[bot] at 2023-06-22T15:53:11-04:00
Bump openssl from 0.10.52 to 0.10.55 in /src

Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.52 to 0.10.55.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.52...openssl-v0.10.55)

---
updated-dependencies:
- dependency-name: openssl
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
4b2f9ecd by Mark Reynolds at 2023-06-23T16:02:46-04:00
Issue 2375 - CLI - Healthcheck - revise and add new checks

Description:

Add check for

- unauthorized binds are allowed
- Access log buffering is disabled
- Security log buffering is disabled
- Make mapping tree check more robust for case

relates: https://github.com/389ds/389-ds-base/issues/2375

Reviewed by: spichugi(Thanks!)

- - - - -
b6cede51 by James Chapman at 2023-06-27T20:55:51+01:00
Issue 5755 - The Massive memory leaking on update operations (#5803)

Bug description: Memory leak with creation, modification and
deletion operations.

Fix description: When multiple search filters are used we use
set manipulation to construct the final idl results. In this
corner case we set the idl_set->compliment_head pointer which
is never freed.

relates: https://github.com/389ds/389-ds-base/issues/5755

Co-authored-by: Viktor Ashirov <vashirov at redhat.com>

Reviewed by: @mreynolds389 (Thank you)
- - - - -
f2c1e44b by John Obaterspok at 2023-06-29T14:31:50-04:00
Issue 5551 - Almost empty and not loaded ns-slapd high cpu load

Bug Description: stracing the ns-slapd process one can see nanosleep gets called a lot as we only sleep for 1ms

Fix Description: Increasing the sleep time from 1ms to 500ms and the cpu usage will drop a few percent and strace will be more usable

relates: https://github.com/389ds/389-ds-base/issues/5551

Reviewed by: @mreynolds389

- - - - -
c3bec8b1 by Simon Pichugin at 2023-07-04T19:47:46-07:00
Issue 5701 - CI - Add more tests for referral mode fix (#5810)

Description: Refactor basic referral state test to be correct
according to the current lib389 implementation.
Add more tests to the clu/dsconf_test.py suite, which covers
CLI referral state logic.

Related: https://github.com/389ds/389-ds-base/issues/5701

Reviewed by: @progier389 (Thanks!)
- - - - -
13152871 by James Chapman at 2023-07-05T14:20:00+01:00
Issue 5755 - Massive memory leaking on update operations (#5824)

Description: Correction of idl memory leak fix

Fix description: Initial mem leak fix (#5803) causing a SEGV during
basic search.

The initial memory leak occurs during idl_set manipulation when a filter
type LDAP_FILTER_AND, filter choice LDAP_FILTER_NOT and an empty set is
used. The complement idl is stashed for a later intersection, but is
never freed when an empty set is used during set intersection.

The previous fix has been removed and the initial leak corrected.

relates: https://github.com/389ds/389-ds-base/pull/5803

Reviewed by: @tbordaz @progier389  (Thank you)
- - - - -
c853fd43 by multipleofzero at 2023-07-05T14:25:24-04:00
Issue #5822 - Allow empty export path for db2ldif

Bug Description:

Until recently, db2ldif did not require an export path to be specified
and would use a specified default location to create a timestamped file.

A recent commit introduced a check to ensure the targeted export file's
parent actually exists. This check is fine if a target filename is
provided, but it fails when no filename is provided; a use case that
was supported before.

Fix Description:

The check should only be done iff a filename for the export is provided.

relates: https://github.com/389ds/389-ds-base/issues/5822

Author: multipleofzero

Reviewed by: @droideck

- - - - -
1fa23145 by Mark Reynolds at 2023-07-06T14:26:57-04:00
Issue 5825 - healthcheck - password storage scheme warning needs more info

Description:  Add the current/insecure scheme to the report, and state which
              config setting is insecure.

relates: https://github.com/389ds/389-ds-base/issues/5825

Reviewed by: jchapman & spichugi(Thanks!!)

- - - - -
c058a2b5 by Simon Pichugin at 2023-07-06T12:24:48-07:00
Issue 5793 - UI - Fix minor crashes (#5827)

Description: After a massive move from webpack to esbuild bundler rework,
fix two minor crashes which happened because of minor copy-paste errors.

Related: https://github.com/389ds/389-ds-base/issues/5793

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
97661cc9 by Mark Reynolds at 2023-07-07T14:10:49-04:00
Issue 5793 - UI - fix suffix selection in export modal

Description: Fix suffix selection which was not working, and fix crash
             related to the move from webpack to esbuild (reload function
             name)

relates: https://github.com/389ds/389-ds-base/issues/5793

Reviewed by: spichugi(Thanks!)

- - - - -
354d98df by Vladimir Cech at 2023-07-10T16:07:45+02:00
Issue 4719 - CI - Add dsconf add a PTA URL test

Description: This test checks that you are able to add a PTA URL through dsconf. Test tries to add new PTA URL and then check logs for message: "Successfully added URL".

Relates: https://github.com/389ds/389-ds-base/issues/4719

Reviewed by: @mreynolds389 @droideck (Thanks!)

- - - - -
22a2c235 by James Chapman at 2023-07-10T15:39:35+01:00
Issue 5752 - RFE - Provide a history for LastLoginTime (#5807)

Bug Description: For the lastloginhistory feature the user
can set the number of login histories that are saved by
modifying the lastloginhistorysize attribute. The CLI currently
allows setting this attribute value to 0 or a non positive int.

Fix Description: Add support for a lastloginhistorysize of 0 which
would disable the feature. Add CLI support for restricting non
positive int values.

relates: https://github.com/389ds/389-ds-base/issues/5752

Reviewed by: @droideck @mreynolds389 (Thank you)
- - - - -
005d08e5 by Mark Reynolds at 2023-07-10T14:10:04-04:00
Bump version to 2.4.2

- - - - -
9851f0ab by Simon Pichugin at 2023-07-12T15:28:25-07:00
Issue 3555 - UI - Fix audit issue with npm - stylelint (#5836)

Description: Update stylelint versions.
Run npm audit fix to address the vulnerability in stylelint.

Relates: https://github.com/389ds/389-ds-base/issues/3555

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
f4f83eab by progier389 at 2023-07-13T10:43:33+02:00
issue 5833 - dsconf monitor backend fails on lmdb (#5835)

Problem:
On a suffix using lmdb, 'dsconf instance monitor backend userroot' fails because dn normalization cache data are missing.

Solution:
In fact the code was already in mdb_monitor.c but disabled by #if 0 and the fix is simply to remove the #if
Also added entrycache-hashtables in debug mode (to be aligned to what is done in bdb case)

Issue: 5833

Reviewed by: @jchapma, @mreynolds389 Thanks!
- - - - -
0d4b820b by Simon Pichugin at 2023-07-13T17:55:09-07:00
Issue 4169 - UI - Fix retrochangelog and schema Typeaheads (#5837)

Description: During PF4 Migration, a few typeaheads got broken.
Fix retroChangelog and schema typeahead selects.
Fix style errors (thanks, Mark!)

Related: https://github.com/389ds/389-ds-base/issues/4169

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
4c6b2eca by Vladimir Cech at 2023-07-17T08:55:07+02:00
Issue 4758 - Add tests for WebUI

Description: Adding WebUI test for bz2029839. Test checks that Dictionary Check checkbox in Database/Password Policies/Global Policy/Syntax Checking is changed after cli command.

Relates: https://github.com/389ds/389-ds-base/issues/4758

Reviewed by: @droideck (Thanks!)

- - - - -
3c510e0a by progier389 at 2023-07-18T11:17:07+02:00
Issue 4551 - Paged search impacts performance (#5838)

* Issue 4551 - Paged search impacts performance

Problem:
Having a script looping doing a search with paged result impact greatly the performance of other clients
(for example ldclt bind+search rate decreased by 80% in the test case)

Cause:
Page result field in connection were protected by the connection mutex that is also used by the listener thread, in some cases this cause contention that delays the handling of new operations

Solution:
Do not rely on the connection mutex to protect the page result context but on a dedicated array of locks.

- - - - -
d6ebb570 by Simon Pichugin at 2023-07-20T18:03:10-07:00
Issue 3527 - UI - Add nsslapd-haproxy-trusted-ip to server setting (#5839)

Description: Add nsslapd-haproxy-trusted-ip attribute to
Server -> Server Settings -> Advanced Settings.
Move isValidIpAddress and isValidHostname to lib/tools.jsx.

Related: https://github.com/389ds/389-ds-base/issues/3527

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
9709dba6 by Viktor Ashirov at 2023-07-25T15:22:57+02:00
Issue 5859 - dbscan fails with AttributeError: 'list' object has no attribute 'extends'

Bug Description:
There is a typo in dbscan:
```
>           cmd.extends(['-f', indexfile])
E           AttributeError: 'list' object has no attribute 'extends'

src/lib389/lib389/__init__.py:3057: AttributeError
```

Fix Description:
Fix the typo and fix the test
dirsrvtests/tests/suites/password/regression_test.py::test_unhashed_pw_switch

Fixes: https://github.com/389ds/389-ds-base/issues/5859

Reviewed-by: @progier389 (Thanks!)

- - - - -
d1932b9c by Viktor Ashirov at 2023-07-25T17:06:56+02:00
Issue 5856 - SyntaxWarning: invalid escape sequence '\,'

Bug Description:
An error is logged during rpm build:

/usr/lib/python3.12/site-packages/lib389/cli_conf/replication.py:1682: SyntaxWarning: invalid escape sequence '\,'

Fix Description:
Fix the typo.

Fixes: https://github.com/389ds/389-ds-base/issues/5856

Reviewed-by: @droideck (Thanks!)

- - - - -
1c573d97 by Viktor Ashirov at 2023-07-27T08:55:13+02:00
Issue 5864 - Server fails to start after reboot because it's unable to access nsslapd-rundir

Bug Description:
Sometimes after reboot dirsrv service fails to start:

EMERG - main - Unable to access nsslapd-rundir: No such file or directory
EMERG - main - Ensure that user "dirsrv" has read and write permissions on /run/dirsrv
EMERG - main - Shutting down.

We rely on systemd-tmpfiles for /run/dirsrv creation. But dirsrv service
doesn't explicitly wait for systemd-tmpfiles-setup.service to start.
This creates a race condition.

Fix Description:
dirsrv service should start only after systemd-tmpfiles-setup.service is finished,
add it as a dependency via `After=` and `Wants=`.

Fixes: https://github.com/389ds/389-ds-base/issues/5864

Reviewed-by: @Firstyear (Thanks!)

- - - - -
fa06cceb by Viktor Ashirov at 2023-07-31T12:20:13+02:00
Issue 5785 - CLI - arg completion is broken

Bug Description:
Files installed by 389-ds-base under
/usr/share/bash-completion/completions are not owned by 389-ds-base rpm
package.

Fix Description:
* Move the snippet for registering completions to %install section
  and install them under builddir.
* Register bash completions in %files section so that they are owned by
  the package.

Fixes: https://github.com/389ds/389-ds-base/issues/5785

Reviewed-by: @droideck (Thanks!)

- - - - -
96959cf7 by Simon Pichugin at 2023-07-31T17:21:24-07:00
Issue 5853 - Update Cargo.lock and fix minor warning (#5854)

Description: Run cargo update --manifest-path=./src/Cargo.toml.
Add minimum supported rust version field to the manifests.
Fix minor 'variable does not need to be mutable' error.

Another error:
error: using `.borrow()` on a double reference, which returns
`&concread::cowcell::CowCellReadTxn<CacheStats>` instead of borrowing the inner type

We're getting the error about borrowing a double reference because
we're trying to borrow a type that is already a reference.
Fix - use the type directly.
Set rust-version to 1.70 for better compatibility.

Related: https://github.com/389ds/389-ds-base/issues/5853
Fixes: https://github.com/389ds/389-ds-base/issues/5861

Reviewed by: @vashirov (Thanks!), @Firstyear (Thanks for the rust-version idea!)

- - - - -
92cc2b1e by progier389 at 2023-08-01T15:39:31+02:00
Issue 5867 - lib389 should use filter for tarfile as recommended by PEP 706 (#5868)

Problem:
tarfile interface evolved after CVE-2007-4559 and using object generated by tarfile.open without setting explicitly a filter has been obsoleted.

Solution:
Add an extraction_filter after every tarfile.open call

**Issue:** [5867](https://github.com/389ds/389-ds-base/issues/5867)

**Reviewed by:**  @droideck  Thanks !


- - - - -
3b2824fa by Viktor Ashirov at 2023-08-02T10:26:50+02:00
Issue 5877 - test_basic_ldapagent breaks test_setup_ds_as_non_root* tests

Bug Description:
`test_basic_ldapagent` creates `agent.conf` file that can't be read by
non-root user in `test_setup_ds_as_non_root*` tests.

Fix Description:
Move `agent.conf` file creation to a fixture to ensure it is deleted
after the test is finished.

Fixes: https://github.com/389ds/389-ds-base/issues/5877

Reviewed-by: @bsimonova (Thanks!)

- - - - -
469e9b84 by progier389 at 2023-08-02T14:35:16+02:00
Issue 5876 - CI Test random failure - Import (#5879)

Problem: Import CI test sometime fails because of a timing issue
Solution: Loops on waiting until task get created or until timeout expires
- - - - -
afdcca18 by tbordaz at 2023-08-02T14:44:42+02:00
Issue 5870 - ns-slapd crashes at startup if a backend has no suffix (#5871)

Bug description:
	With $5598, the server checks at startup if it exists
	some referrals entries in the various backends/suffixes.
	If a backend has no defined suffix (not clear how it
	occurs except crafting dse.ldif) the checking
	triggers a SIGSEGV

Fix description:
	Check it exists a suffix before using it

- - - - -
ff9145b4 by James Chapman at 2023-08-02T14:01:01+01:00
Issue 5729 - Memory leak in factory_create_extension (#5814)

Bug description: Mem leak in sync repl operation extension code. In
syn persist when we release the connection, the operation extension
is not free'd.

Fix description: In syn persist when we release the connection, free the operation
extension if it exists.

relates: https://github.com/389ds/389-ds-base/issues/5729

Reviewed by: @droideck, @progier389  (Thank you)
- - - - -
171a3476 by Mark Reynolds at 2023-08-03T13:40:15-04:00
Bump version to 2.4.3

- - - - -
415c7480 by Viktor Ashirov at 2023-08-04T10:03:11+02:00
Issue 5872 - `dbscan()` in lib389 can return bytes

Bug Description:
When attribute encryption or changelog encryption is used, `dbscan()`
can return bytes instead of a string.

Fix Description:
* Update subprocess call to expect bytes instead of string.
* Revert changes to the tests done in
  8bf7829ce3e3a8990fccd2fdbe7ae15ca1c8f0e7.
* Update entryrdn_test to expect output from dbscan as bytes.

Fixes: https://github.com/389ds/389-ds-base/issues/5872
Relates: https://github.com/389ds/389-ds-base/issues/5859

Reviewed-by: @progier, @droideck (Thanks!)

- - - - -
599db0a4 by progier389 at 2023-08-07T10:18:19+02:00
Issue 5883 - Remove connection mutex contention risk on autobind (#5886)

Problem: A contention on the connection c_mutex is blocking the listener thread when autobind is performed.
Solution: Let the listener thread skip the connection if the mutex is held by another thread
Reviewed by: @mreynolds389 , @droideck Thanks
- - - - -
0bf6b51d by Gilbert Kimetto at 2023-08-07T09:13:16-07:00
Issue 5848 - dsconf should prevent setting the replicaID for hub and consumer roles (#5849)

Bug Description: dsconf accepts the "replica-id" option when setting a hub or a consumer.
The replica configuration entry is correctly created ( replicaID is set to 65535 ).
we should  prevent users setting the replicaID for hub and consumer roles because
the value is set automatically anyway.

Fix Description: Check if role is "consumer" or "hub" and if so deny option to set the ReplicaID.
Add tests.

Fixes: https://github.com/389ds/389-ds-base/issues/5848

Author: Gilbert Kimetto

Reviewed by: Simon Pichugin
- - - - -
b62bd43e by Vladimir Cech at 2023-08-08T12:50:07+02:00
Issue 4758 - Add tests for WebUI

Description:
Adding WebUI test for bz2018101. This test checks that you are able to create credentials and aliases through WebUI in monitoring tab.

Relates: https://github.com/389ds/389-ds-base/issues/4758

Reviewed by: @droideck

- - - - -
2dab9224 by progier389 at 2023-08-08T14:18:58+02:00
Issue 5872 - part 2 - fix is_dbi regression (#5887)

A one liner fix to handle a regression in nightly tests about is_dbi function (need to convert dbscan output back into string):

Issue: 5272 part 2

Reviewed by: @mreynolds389 Thanks!

- - - - -
454ee60f by James Chapman at 2023-08-08T13:35:27+01:00
Issue 5834 - AccountPolicyPlugin erroring for some users (#5866)

Bug Description: With the account policy plugin enabled and
lastloginhistory size set to non 0 an issue occurs during
simultaneous binds of the same user. In this case the timestamp
to be stored in the lastloginHistory attribute already exists from
a previous bind, and generates an error message.

A side effect of lastloginHistory feature is that the modifytimestamp
value is updated after a successful bind, even when the feature is
disabled.

Fix Description: Before a timestamp is added to the lastloginHistory
attribute a check is performed to make sure it doesnt already exist.

Ensure the entry is not modified when this feature is disabled.

Fixes:	https://github.com/389ds/389-ds-base/issues/5834
Relates:https://github.com/389ds/389-ds-base/issues/5752

Reviewed by: @progier389, @tbordaz  (Thank you)
- - - - -
89c2de50 by progier389 at 2023-08-08T17:27:16+02:00
Issue 4551 - Part 2 - Fix build warning of previous PR (#5888)

Fix build paged search result PR warning in header fix

Issue: 4551

Reviewed by: @mreynolds389 Thanks


- - - - -
bfe5fe5d by Viktor Ashirov at 2023-08-10T16:13:33+02:00
Issue 5082 - slugify: ModuleNotFoundError when running test cases

Bug Description:
slugify module is used in WebUI tests for creating filenames for
screenshots. But it's often not installed by default, since it's not
required by lib389. WebUI tests are executed only when a WEBUI
environment variable is present, so we should import it under the same
condition.

Fix Description:
Import slugify module only when WEBUI environment variable is present
and WebUI tests are executed.

Reviewed-by: @progier389 (Thanks!)

Fixes: https://github.com/389ds/389-ds-base/issues/5082

- - - - -
087d486a by progier389 at 2023-08-11T15:44:50+02:00
Issue 5890 - Need a tester for testing multiple listening thread feature (#5891)

Problem: Need a specific tester for testing multiple listening thread feature.

Solution:
Having a python tool that open n connection then loops
waiting some time
select randomly a connection
perform a base search operation and aggregate elapsed time
display the result every second

Issue: 5890
- - - - -
e84564fe by progier389 at 2023-08-11T16:13:11+02:00
Issue 5894 - lmdb import error fails with Could not store the entry (#5895)


- - - - -
3dfe80f1 by progier389 at 2023-08-11T17:13:56+02:00
Issue i5846 - Crash when lmdb import is aborted (#5881)

Problem: Double free occurs in the writer thread queue when an import over lmdb aborts

Solution: fix the double free

- - - - -
4297d886 by progier389 at 2023-08-11T17:59:55+02:00
issue 5890 part 2 - Need a tester for testing multiple listening thread feature (#5897)

Problem: after latest commit --amend: elapsed time is now written every operation
       instead of getting aggregated every seconds
Cause: I forgot that time.time() is returning a float instead of an int as in C
Fix: Convert time.time() result to int

Issue: 5890
- - - - -
68e91603 by Adadov at 2023-08-16T17:50:31-04:00
Bug Description:

Certificates encoded values are truncated if length is over 1000 characters.

Fix Description:

Add exception for every attribute matching .*certificate.*

Author: Adadov

Reviewed by: mreynolds

- - - - -
475ee01d by Stanislav Levin at 2023-08-17T18:01:41+02:00
Issue 5203 - outdated version in provided metadata for lib389

Bug Description:

There is a hardcoded version of `lib389` since
9dccfea39a2e0477cdad5463eb4ad4a25ac7ad68.

Fix Description:

Build `setup.py` from template.

Fixes: https://github.com/389ds/389-ds-base/issues/5203

Reviewed by: Simon Pichugin (thanks!)

Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
63fd271f by tbordaz at 2023-08-17T18:15:42+02:00
Issue 5722 - improve testcase (#5904)


- - - - -
c1f95889 by James Chapman at 2023-08-28T16:40:49+01:00
Issue 5909 - Multi listener hang with 20k connections (#5910)

Bug Description: When the server is configured with multiple listeners,
the connection table is divided into multiple sub tables. These sub tables
are then mapped to a single freelist to enable efficient allocation of new
connections. Each sub table is a double linked list with element 0 used as
the head of the list. During the mapping of sub tables to freelist the
head of each sub table is incorrectly mapped to the freelist, creating a "hole"
in the freelist.

Fix Description: Skip element 0 of each sub table when mapping to the
single freelist.

Fixes: https://github.com/389ds/389-ds-base/issues/5909

Reviewed by: @vashirov  (Thank you)
- - - - -
bacf8075 by markafarrell at 2023-08-30T14:19:11+02:00
pass instance correctly to ds_is_older (#5903)

Correctly pass instance to ds_is_older when initializing PosixGroups class.

Currently this results in an error when connecting to a remote 389ds instance.

Fixes #5902
- - - - -
404da4c8 by progier389 at 2023-08-31T14:40:19+02:00
Issue 5902 - Fix previous commit regression (#5919)

Fix previous commit regression:
CI test test_schema_comparewithfiles fails with: AttributeError: SchemaLegacy object has no attribute _instance
Because SchemaLegacy is not a DSLdapObject and the instance is stored in conn instead of in _instance

Issue: 5902

Reviewed by: @tbodaz, (Thanks!)
- - - - -
c257ed7c by James Chapman at 2023-08-31T15:05:31+01:00
Issue 5909 - Multi listener hang with 20k connections (#5917)

Bug Description: A fix for connection sub-table to freelist mapping results
in an uninitialised head of the sub-table linked list.

Fix Description: During connection table creation, initialise all elements but
skip the list head during the mapping phase.

Fixes: https://github.com/389ds/389-ds-base/issues/5909

Reviewed by: @progier389 @tbordaz  (Thank you)
- - - - -
b021fb25 by Mark Reynolds at 2023-08-31T12:40:40-04:00
Issue 5914 - UI - server settings page validation improvements and db index fixes

Description:

We were not correctly validating the config settings for numbers on the server settings page.

Database index add/delete models were crashing browser related to esbuild port and camelCase function names

relates: https://github.com/389ds/389-ds-base/issues/5914

Reviewed by: spichugi(Thanks!)

- - - - -
8b0e13cf by Simon Pichugin at 2023-08-31T11:19:05-07:00
Issue 5848 - Fix condition and add a CI test (#5916)

Description: Add a "positive" test for the issue and fix the condition
to make sure that 65535 and no --replica-id are correctly accepted.

Related: https://github.com/389ds/389-ds-base/issues/5848

Reviewed by: @mreynolds389 @tbordaz (Thanks!)
- - - - -
d3f94d49 by Simon Pichugin at 2023-08-31T11:19:35-07:00
Issue 5848 - Fix condition and add a CI test (#5916)

Description: Add a "positive" test for the issue and fix the condition
to make sure that 65535 and no --replica-id are correctly accepted.

Related: https://github.com/389ds/389-ds-base/issues/5848

Reviewed by: @mreynolds389 @tbordaz (Thanks!)
- - - - -
d650303d by Simon Pichugin at 2023-09-01T08:45:31-07:00
Issue 1115 - Add a CI test (#5913)

Description: Add a test to validate replication behaviour under
different operation types. Specifically, this test ensures
that modifications, deletions, and 'modrdn' operations are
replicated correctly across supplier instances.

Related: https://github.com/389ds/389-ds-base/issues/1115

Reviewed by: @progier389 (Thanks!)
- - - - -
7135e21a by Simon Pichugin at 2023-09-07T10:48:17-07:00
Issue 1081 - CI - Add more tests for overwriting x-origin issue (#5815)

Description: Add a test suite that tests an attributetype and
its x-origin values in a replicated environment s1c1 and s1h1c1.
Also, ensure the custom x-origin is correctly overwritten
in the replication event as 'user defined'.

Related: https://github.com/389ds/389-ds-base/issues/1081

Reviewed by: @progier389 (Thanks!)

- - - - -
63f88642 by Simon Pichugin at 2023-09-07T10:49:43-07:00
Issue 1317 - Add a CI test (#5923)

Description: Add a test that checks the situation when a recovered
supplier accepts direct updates before being in sync, replica to
that supplier and from that supplier is broken.

Related: https://github.com/389ds/389-ds-base/issues/1317

Reviewed by: @progier389 (Thanks!)
- - - - -
3e917225 by Simon Pichugin at 2023-09-12T12:39:09-07:00
Issue 1456 - Add a CI test that verifies there is no issue (#5927)

Description: Add a test which checks that targetattr behaves
correctly when a subtype is used.

Related: https://github.com/389ds/389-ds-base/issues/1456

Reviewed by: @progier389 (Thanks!)
- - - - -
9ca2e513 by Simon Pichugin at 2023-09-14T19:03:54-07:00
Issue 1802 - Improve ldclt man page (#5928)

Bug Description: ldclt is a complex tool. We should be providing worked examples
to help add context to the many parameters available.

Fix Description:  Add a worked example from the addition of a set of users to
using them for a binding load test.

Fixes: https://github.com/389ds/389-ds-base/issues/1802

Author: wibrown

Review by: @progier389 and @jchapma (Thanks!) 

Co-authored-by: William Brown <firstyear at redhat.com>
- - - - -
c3a69bb1 by progier389 at 2023-09-18T12:48:41+02:00
Issue 5761 - Worker thread dynamic management (#5796)

* Issue 5761 - Worker thread dynamic management

Objectives:

Allow to configure the number of worker threads without having to restart the server
Decrease the worker thread global mutex contention by removing the associated condition variable
==> Increase the "searchrate" performance

Solution: See https://github.com/389ds/389ds.github.io/blob/main/docs/389ds/design/worker-threads.md

Issue: 5761

Reviewed by: @tbordaz (Thanks!)
- - - - -
cb85204c by Simon Pichugin at 2023-09-19T16:38:04-07:00
Issue 843 - Add a warning to slapi_valueset_add_value_ext (#5925)

Description: The combination of SLAPI_VALUE_FLAG_DUPCHECK and SLAPI_VALUE_FLAG_PASSIN flags is not recommended for slapi_valueset_add_value_ext.

Using this combination could result in undefined behaviour related to memory management. If you need both flags, please use the slapi_valueset_add_attr_value_ext function instead and ensure proper cleanup if there's an error.

We don't use the function with the above flag combination, but someone in the community might (even though it's highly unlikely). Hence, as of now, it isn't worth investing more time into this, and the documentation should be updated with this change.

Related: https://github.com/389ds/389-ds-base/issues/843

Reviewed by: @progier389 (Thanks!)
- - - - -
e820ab70 by Simon Pichugin at 2023-09-20T18:25:30-07:00
Issue 1870 - Add a CI test (#5929)

Description: If two instances of the plugin are created with the same origin scope,
only the request of one of the plugins will be satisfied.
(i.e. template and instance A and B, that both make entries in ou A and B,
from ou=People, only A will work)

Related: https://github.com/389ds/389-ds-base/issues/1870

Author: wibrown
Reviser: spichugi

Reviewed by: @progier389 (Thanks!)
- - - - -
aa465605 by DesigNET at 2023-09-21T13:25:27-07:00
Issue 5732 - Localizing Cockpit's 389ds Plugin using CockpitPoPlugin (#5764)

Description: To enable localization for 389ds, we obtained CockpitPoPlugin from pkg/lib/cockpit-po-plugin.js in the old Cockpit, called it in webpack.config.js, and modified the files so that 389ds can handle language files (po files).

Relates: https://github.com/389ds/389-ds-base/issues/5732

Author: designet-inc-oss

Reviewed by: @mreynolds389, @vashirov, @droideck (Thanks!)
- - - - -
9633e8d3 by Simon Pichugin at 2023-09-27T15:40:33-07:00
Issue 1925 - Add a CI test (#5936)

Description: Verify that the issue is not present. Cover the scenario when
we remove  existing VLVs, create new VLVs (with the same name) and then
we do online re-indexing.

Related: https://github.com/389ds/389-ds-base/issues/1925

Reviewed by: @progier389 (Thanks!)
- - - - -
02d33325 by progier389 at 2023-09-28T12:15:25+02:00
issue 5924 - ASAN server build crash when looping opening/closing connections (#5926)

* issue 5924 - ASAN server build crash when looping opening/closing connections
Issue: Got a crash due to:
1. Failure to get a connection slot because connection freelist is mishandled.
2. A confusion between listening and acceptedfd descriptor led to
closing the listening descriptor while handling the error.

Solution:
Rename clearly the file descriptor variables
Close the accepted file descriptor in error handler
Rewrite the freelist management so that first connection chosen is the last released one.
(Code is simpler, this fix the end of list issue, and it avoid to spread the open connection over too much memory)

Issue: #5924

Reviewed by: @Firstyear, @vashirov, @droideck (Thanks !)
- - - - -
2afb0e3a by Simon Pichugin at 2023-10-04T16:58:05-07:00
Issue 5938 - Attribute Names changed to lowercase after adding the Attributes (#5940)

Bug Description: When working with the web console to edit the attributes
with capital and lowercase letters in their names. The capital letters within
the names of an attribute change whenever the attributes are added
to an object class.

Fix Description: Preserve the case in both UI and CLI when doing
edit/add/list operations.

Fixes: https://github.com/389ds/389-ds-base/issues/5938

Reviewed by: @progier389 (Thanks!)
- - - - -
4f99f8bc by dependabot[bot] at 2023-10-10T16:26:45+02:00
Bump postcss from 8.4.24 to 8.4.31 in /src/cockpit/389-console (#5945)

Bumps [postcss](https://github.com/postcss/postcss) from 8.4.24 to 8.4.31.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.4.24...8.4.31)

---
updated-dependencies:
- dependency-name: postcss
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support at github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- - - - -
415eeada by progier389 at 2023-10-13T12:21:37+02:00
Issue 5843 - dsconf / dscreate should be able to handle lmdb parameters (#5943)

* Issue 5843 - dsconf / dscreate should be able to handle lmdb parameters

Description:

dscreate changes:
- make db_lib a standard option instead of an advanced one
- add mdb_max_size as standard option
dsconf instance backend config set changes:
- add --mdb_max_size option associated with nsslapd-mdb-max-size
- add --mdb_max_readers option associated with nsslapd-mdb_max_readers
- add --mdb_max_dbs option associated with nsslapd-mdb_max_dbs

Issue: #5843

Reviewed by: @Firstyear and @droideck ( Thanks ! )
- - - - -
f52d10a1 by strzh at 2023-10-13T13:07:30+02:00
bugfix for --passwd-file not working on latest version (#5934)

bugfix for --passwd-file not working on latest version (#5934)

Fix a dsconf failure caused by a naming mismatch between argparse parameters and args attribute.
Solved by using consistent naming while keeping old name for compatibility

Issue: #5935

Reviewer: @tbordaz @progier389 @droideck
- - - - -
91c4f62f by progier389 at 2023-10-16T12:04:55+02:00
Issue 4843 - Fix dscreate create-template issue (#5950)

Regression with dscreate from-instance before creating first instance:
the target directory does not exist and a warning is inserted in the template file
which is then broken.

Fix is pretty trivial:
Select an existing directory to compute the file system free space.

Issue #5943

Reviewed by: @droideck (Thanks !)
- - - - -
1370c060 by Simon Pichugin at 2023-10-18T09:04:59-07:00
Issue 3555 - UI - Fix audit issue with npm - babel/traverse (#5959)

Description: Run npm audit fix to address the vulnerability
in babel/traverse.

Relates: https://github.com/389ds/389-ds-base/issues/3555

Reviewed by: @progier389 (Thanks!)
- - - - -
696f0ed2 by Viktor Ashirov at 2023-10-20T15:40:35+02:00
Issue 5960 - Subpackages should have more strict interdependencies

Bug Description:
`cockpit-389-ds` requires `389-ds-base` and `python3-lib389`, but it
should require the exact version and release as well. Without this it's
possible to update `cockpit-389-ds` without updating other sub-packages,
which can lead to incompatibilities between WebUI and underlying lib389
tools used by the WebUI.

Fix Description:
Update Requires for the subpackages to use version and release.

Fixes: https://github.com/389ds/389-ds-base/issues/5960

Reviewed-by: @progier389, @droideck (Thanks!)

- - - - -
6a8040d2 by Viktor Ashirov at 2023-10-20T15:43:07+02:00
Issue 5786 - Update permissions for Release workflow

Description:
Release workflow needs write access to create releases.

Fixes: https://github.com/389ds/389-ds-base/issues/5786

Reviewed-by: @droideck (Thanks!)

- - - - -
8e379e26 by Simon Pichugin at 2023-10-24T09:17:57-07:00
Issue 5966 - CLI - Custom schema object is removed on a failed edit (#5967)

Description: When the failure happens during a custom schema edit operation
in both CLI and UI (because it uses the CLI command), we first remove
the old schema object, and only then do we add the new one (edited).

Bring the old schema object on the failed attempt.

Resolves: https://github.com/389ds/389-ds-base/issues/5966

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
91d1df69 by progier389 at 2023-10-25T15:13:13+02:00
Revert "Issue 5761 - Worker thread dynamic management (#5796)" (#5970)

This reverts commit c3a69bb19ee0733027bdea5da9e4bcbb9b0cd0ba about the
Worker thread dynamic management feature because it caused a regression
in freeipa CI tests due to a massive performance loss during a total update
( https://issues.redhat.com/browse/IDMDS-3781 )

Issue: #5761

Reviewed by: @tbordaz (Thanks!)


- - - - -
9d0ebfe5 by progier389 at 2023-10-31T12:08:32+01:00
Issue 5973 - Fix fedora cop RawHide builds (#5974)

Problem: @389ds/389-ds-base-nightly copr nightly builds failed on
 fedora-rawhide-s390x and fedora-rawhide-x86_64

Solution:
   [1] Work around a gcc cpp bug by moving stavfs.h include line
       before ldbm-backend.h include line
   [2] Do not use large file API on LP64 architecture

Reviewed by: @tbordaz , @droideck (Thanks !)
- - - - -
17106c3e by Simon Pichugin at 2023-10-31T16:51:23-07:00
Issue 5971 - CLI - Fix password prompt for repl status (#5972)

Description: dsconf replication status is failing with 'Invalid credentials'
when the password of the Directory Manager is different on servers.
Ask for each instance's password separately.
Expand the help message in CLI for replication and agreement status commands.

Fixes: https://github.com/389ds/389-ds-base/issues/5971

Reviewed by: @tbordaz (Thanks!)
- - - - -
451140eb by James Chapman at 2023-11-15T15:57:27+00:00
Bump version to 2.5.0


- - - - -
f5bd0374 by progier389 at 2023-11-17T12:33:38+01:00
Issue 5947 - CI test_vlv_recreation_reindex fails on LMDB (#5979)

There are a few problems about vlv and lmdb:
[1] Crash while reindexing a vlv index while trying to clear the vlv cache
[2] Crash when VLV search fails because target entry is released twice
[3] Confusion about db interface and recno (recno is in the key rather than the data)
[4] dbscan fails to dump vlv cache database

Fix:
[1] Do not clear the vlv cache when having a pseudo txn (i.e: in import/reindex)
[2] Do not release the target entry in ldbm_back_search_cleanup
[3] Use the key to set the recno
[4] Do not try change the "vlv db name to vlv cache name" if the name
is already a cache name (i.e starting with ~)

Issue: #5947

Reviewed by: @droideck (Thanks!)
- - - - -
06bd0862 by progier389 at 2023-11-17T14:41:51+01:00
Issue 5984 - Crash when paged result search are abandoned (#5985)

* Issue 5984 - Crash when paged result search are abandoned

Problem:
  Fix #4551 has changed the lock that protects the paged result data
  within a connection. But the abandon operation attempts to free
  the paged search result with the connection lock.
  This leads to race condition and double free causing an heap
  corruption and a SIGSEGV.

  Solution:
   - Get a copy of the operation data that needs to be logged.
   - Unlock the connection mutex (to avoid deadlock risk)
   - Free the paged result while holding the paged result lock.

Issue: 5984

Reviewed by: @tbordaz (Thanks!)


- - - - -
df7dd832 by progier389 at 2023-11-21T11:57:44+01:00
Issue 5984 - Crash when paged result search are abandoned - fix2 (#5987)

Chasing several rabbits at the same time is a bad idea !
and I mixed branches and unwillingly pushed one commit for #5980 in #5984
just before the PR #5985 merge ! -:(
Hopefully it does not break anything but just logs some useless crap if instance fails to starts.
Anyway This commit reverts the change about __init.py
and also do a minor code cleanup (removed a trailing space) in abandon.c

Issue #5984

Reviewed by: @tbordaz Thanks !
- - - - -
770edb23 by progier389 at 2023-11-21T14:34:09+01:00
Issue 5976 - Fix freeipa install regression with lmdb (#5977)

* Issue 5976 - Fix freeipa install regression with lmdb

There are three issues blocking the ipa setup when using lmdb database:

- Missing cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config entry (for compatibility reasons, the entry should exist even if it is unused)
- Missing task status after reindexing (known issue: cf nsTaskStatus is not created for index task with mdb backend #5911)
- Reindex task sets the exit code too early (leading to UNWILLING_TO_PERFORM / 'database is read-only' error in subsequent write operation)

The fixes are:

- Create the cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config entry even if it is not used.
- Ensure that both task status and exit code are set when importing/reindexing.
- Do not run the import framework in a new thread (but use the current thread) when doing a reindex in a task.

Issue: #5976

Reviewed by: @droideck, @tbordaz Thanks
- - - - -
84a845c4 by progier389 at 2023-11-22T15:26:54+01:00
Issue 5980 - Improve instance startup failure handling (#5991)

* Issue 5980 - Improve instance startup failure handling - PR 5991 
Displays the important error log messages (those that are not: INFO/DEBUG/WARNING) when the server fails to start
to provide the root cause of the failure and help to diagnose some CI tests failures.

Issue: #5990

Reviewed by: @tbordaz Thanks!
- - - - -
cfc0d757 by dependabot[bot] at 2023-11-29T12:19:18+01:00
Bump openssl from 0.10.55 to 0.10.60 in /src (#5995)

Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.55 to 0.10.60.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.55...openssl-v0.10.60)

---
updated-dependencies:
- dependency-name: openssl
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support at github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- - - - -
855e6f29 by tbordaz at 2023-11-29T13:46:57+01:00
Issue 5944 - Reversion of the entry cache should be limited to BETXN plugin failures (#5994)

Bug description:
	During an update if an BETXN plugin fails the full TXN is aborted and
	the DB returns to the previous state. However potential internal
	updates, done by BETXN plugins, are also applied on the entry cache.
	Some entries in the entry cache are left in a state that does not
	reflect the DB state. To prevent this mismatch, upon BETXN failure,
	the fix https://pagure.io/389-ds-base/issue/50260 reverts some entries
	in the entry cache .

	The problem is that reversion is not limited to the cases of BETXN
	failures that was the initial goal. So a "regular" error like schema
	violation could trigger revert_cache

Fix description:
	The fix flags if the failure is due to BETXN failures and
	trigger revert_cache only in that case

relates: #5944

Reviewed by: Pierre Rogier (Thanks!)
- - - - -
139748af by progier389 at 2023-11-29T16:00:32+01:00
Issue 5993 - Fix several race condition around CI tests (#5996)

* Several fixes about CI tests
Some CI tests are randomly failing:

Several different root causes were found and in fact all of them seem related to a change of the tests dynamic (maybe due to having faster test VM):

issue test_replication_with_mod_delete_and_modrdn_operations CI test sometime fails #5975 ==> Should wait properly for the replication
server sometime fails to start/restart (Problem is that systemd default restart rate limit was reached by the LMDB tests) ==> Need to increase the burst threshold.
automember plugin failure (rebuild task sometime finished too fast (before the tested command is run) ==> Retry the test until task is not finished or too many attempt have been done.
test_etime_order_of_magnitude sometime fails. (IMHO this is normal as nothing prevent the thread to be preempted at
the "wrong" time). ==> Marking the test as flappy
Improve failure diagnostic:
Do not abort the report if error log is not available.
Log "systemctl status" if start fails and no significant error is found in error log.
Issue: #5993

Reviewed by: @tbordaz (Thanks!)
- - - - -
8e3f945e by progier389 at 2023-12-01T12:07:20+01:00
Issue 5997 - test_inactivty_and_expiration CI testcase is wrong (#5999)

Problem: test case is not doing what it is supposed to do because the inactivity limit is often smaller
 than the server restart time so in most case the test only checks the account inactivity limit.
But once timing issue are fixed, there is a second issue #5998 (looks like the tested feature does not
 work as intended!)
Solution:
Increase the inactivity limit to 1 minute
Make sure we wait enough time to trigger the inactivity limit since last password change but not
 since last bind.
Mark the test as xfail because of issue #5998 that is not fixed by this PR

Issue #5997

reviewed by: @droideck (Thanks!)
- - - - -
8928951f by Viktor Ashirov at 2023-12-11T11:52:29+01:00
Issue 5954 - Disable Transparent Huge Pages

Bug Description:
THP can have negative effects on DS performance when large caches are
used.

Fix Description:
* Add a new variable for `ns-slapd` THP_DISABLE.
  When THP_DISABLE is set to 1, THP is disabled for `ns-slapd` process
  via `prctl(2)`. With any other value, THP settings are untouched.

Before:
```
$ grep THP /proc/$(pidof ns-slapd)/status
THP_enabled:    1
```

After
```
$ grep THP /proc/$(pidof ns-slapd)/status
THP_enabled:    0
```

* Add a new healthcheck linter, that checks if THP is disabled system-wide
  or per instance. In case THP is enabled for both the system and the
  process, it prints recommendations how to disable THP.

Fixes: https://github.com/389ds/389-ds-base/issues/5954

Reviewed-by: @tbordaz, @Firstyear, @droideck (Thank you all!)

- - - - -
86b5969a by progier389 at 2023-12-11T11:58:40+01:00
Issue 6004 - idletimeout may be ignored (#6005)

* Issue 6004 - idletimeout may be ignored

Problem: idletimeout is still not handled when binding as non root (unless there are some activity
on another connection)
Fix:
Add a slapi_eq_repeat_rel handler that walks all active connection every seconds and check if the timeout is expired.
Note about CI test:
Notice that idletimeout is never enforced for connections bound as root (i.e cn=directory manager).

Issue #6004

Reviewed by: @droideck, @tbordaz (Thanks!)
- - - - -
b9726faa by Viktor Ashirov at 2023-12-11T17:24:16+01:00
Issue 4673 - Update Rust crates

Description: Update Rust crates to make cargo audit happy

Relates: https://github.com/389ds/389-ds-base/issues/4673

Reviewed by: @droideck (Thanks!)

- - - - -
1ab0a092 by tbordaz at 2023-12-12T12:57:31+01:00
Issue 5939 - During an update, if the target entry is reverted in the entry cache, the server should not retry to lock it (#6007)

Bug description:
	During an update if a BETXN plugin fails the full TXN is aborted and the DB
	returns to the previous state.
	However potential internal updates, done by BETXN plugins, are also applied
	on the entry cache.
	Even if the TXN is aborted some entries in the entry cache are left in a state
	that does not reflect the DB state.
	The fix https://pagure.io/389-ds-base/issue/50260 "reverts" those
	entries, setting their state to INVALID.

	A problem is that reverted entries stay in the entry cache, until refcnt is 0.
	During that period, an update targeting that entry fails to retrieve the
	entry from the entry cache and fails to add it again as the entry
	already exists.
	The update iterates 1000 times, trying to read the entry and to fetch it
	from DB.
	This is a pure waste as the reverted entry stays too long.

	The signature of this issue is a message in the error log: "Retry count exceeded"

Fix description:
	The fix consists of testing, in the loops (fetch on DN or NSUNIQUEID), if the
	entry state is INVALID.
	In such case it aborts the loop and returns a failure.

relates: #5939

Reviewed by: Pierre Rogier, Simon Pichugin (Thanks !!)
- - - - -
1572636b by Viktor Ashirov at 2023-12-19T12:41:42+01:00
Issue 6016 - Pin upload/download artifacts action to v3

Bug Description:
After update of actions/download-artifact to v4, our PR CI started to fail.

Fix Description:
A workaround is to pin to the older version v3.

Fixes: https://github.com/389ds/389-ds-base/issues/6016

Reviewed by: @progier389 (Thanks!)

- - - - -
6d98ad4a by Max at 2023-12-19T14:40:49+01:00
Issue 6015 - Fix typo remeber (#6014)

In the logs of my ldap instance when running dsconf slapd-localhost security ciphers set command, I saw this typo which I want to fix with this PR.

Issue: #6015

Reviewed by: @progier389
- - - - -
04a2de98 by progier389 at 2024-01-10T16:51:20+01:00
Issue 6022 - lmdb inconsistency between vlv index and vlv cache names (#6026)

Problem: dbstat -L shows two vlv cache db for a single vlv index db.
There should only be a single one.

Fix:
Added a CI Test
Using a single dbmdb_recno_cache_get_dbname function to get the cache db name.
Fix dbmdb_build_dbname to also append the backend name if the name is a vlv cache

Also fixed some issues found while creating the CI test:
Fixed an error message that puzzled me to make it clearer.
Fixed a race condition in lmdb bulk import that logged crappy data in error logs and crashed the CI tests.

Issue: #6022

Reviewed by: @droideck (Thanks !)
- - - - -
9982521a by tbordaz at 2024-01-10T16:53:08+01:00
Issue 5989 - RFE support of inChain Matching Rule (#5990)

Bug description:
	Computation of membership (like 'memberof') is a common issue.
	The issue is more expensive to solve when there are nested memberships.
	For example "gives me all the groups this entry belongs to" or "gives me
	all subordinates having this manager".
	Either the LDAP client computes the values or a dedicated plugin (like 'memberof')
	maintains direct membership attribute for the LDAP client.
	InChain Matching Rule allows an LDAP client to request the server to compute this membership.

Fix description:
	The implementation is designed in https://www.port389.org/docs/389ds/design/matching-rule-in-chain.html

	A specific fix in aclanom.c because inChain MR adds an acl DENY
	on 'cn=config'. There was a bug that cleared anonymous aci
	if there existed a DENY acl anywhere (except a specific
	list of entries like 'cn=monitor'). It triggered a failure
	on chaining backend suite

relates: #5989

Reviewed by: William Brown, Mark Reynolds, Pierre Rogier, Simon Pichugin (Thanks !)
- - - - -
59369461 by progier389 at 2024-01-11T11:16:58+01:00
Issue 6028 - vlv index keys inconsistencies (#6031)

* Issue 6028 - Inconsistency among vlv keys
The issue is that reindexed vlv databases are not cleared, so old keys remain
Solution: truncate the reindexed vlv sub database and its cache before starting the import engine.
Note: this is tested by: dirsrvtests/tests/suites/vlv/regression_test.py::test_vlv_cache_subdb_names CI test

Issue #6028

Reviewed by: @droideck (Thanks!)
- - - - -
fe11deca by Andrew Elwell at 2024-01-17T08:53:44+01:00
Issue 6034 - Change replica_id from str to int

Bug Description:

dscreate create-template claims replica_id is (str)
but it should be an int

Fix Description:

Change self._type['replica_id'] = str
to self._type['replica_id'] = int

Fixes: https://github.com/389ds/389-ds-base/issues/6033

Author: Andrew Elwell <Andrew.Elwell at gmail.com>

Reviewed by: @vashirov

- - - - -
9e37b211 by progier389 at 2024-01-18T19:35:53+01:00
Issue 6037 - Server crash at startup in vlvIndex_delete (#6038)

Server crash at startup because of a corrupted dse.ldif: The vlv initialization code error handling generates a SIGSEGV.
Fix: Avoid dereferencing a null pointer while freeing vlvIndex.

Issue: #6037

Reviewed by: @tbordaz
- - - - -
9e595d45 by progier389 at 2024-01-19T11:55:57+01:00
Issue 6032 - Replication broken after backup restore (#6035)

Replication is broken after doing an offline backup then later on an online or offline restore
Note: with online backup changelog is discarded at restore time (because it has no purge RUV)
In fact there are multiple causes:
[1] _cl5CICbInit is building wrongly the changelog RUVs so changelog is recreated
[2] Changelog is not cleared when it is "Recreated because of wrong test in dbmdb_back_ctrl
[3] Replication keep alive gets created before the replica gets back in sync. This creates missing csn.
Solution:
[1] Fix _cl5CICbInit to get the csn from the changelog record key and store properly the min and max in the context.
[2] Replace invalid test by a proper one.
[3] Change keep alive update starting delay from 2 seconds to 10 minutes (i.e twice the maximum backoff timeout)
To let a chance for the other supplier to replay the missing changes.
Also added/modified some more data when replication logs are enabled
Note: this is a partial fix as a proper "resync after db reload" is not handled so this leaves issues (typically because
of the plugin internal operations like memberof plugin or if there are lots of changes to replay) but at least it is enough for the CI test ...

Issue: #6032

Reviewed by: @droideck, @tbordaz (Thanks!)
- - - - -
7082c823 by progier389 at 2024-01-19T15:12:48+01:00
Switch default backend to lmdb and bump version to 3.0 (#6013)

Changes:
[1] use lmdb by default
[2] Change version number to 3.0.0

Issue: #5941

Reviewed by: @droideck, @tbordaz (Thanks!)
- - - - -
7a158c75 by James Chapman at 2024-01-22T13:08:37+00:00
Issue 6041 - dscreate ds-root - accepts relative path (#6042)

Bug Description: When dscreate ds-root is invoked with a relative path to
root_dir, the relative path is written to defaults.inf, causing instance
creation failure.

Fix Description: Use abs path when writing root_dir to defaults.inf

Fixes: https://github.com/389ds/389-ds-base/issues/6041

Reviewed by: @progier389, @droideck (Thank you)
- - - - -
1c71f454 by Viktor Ashirov at 2024-01-24T21:43:16+01:00
Issue 6047 - Add a check for tagged commits

Bug Description:
Release on GitHub can be created from a tag that points to a branch-less
commit.

Fix Description:
Add an additional check to Release action to ensure that the tagged
commit belongs to a valid branch.

Fixes: https://github.com/389ds/389-ds-base/issues/6047

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
d7e255af by progier389 at 2024-01-25T13:27:04+01:00
Issue 6049 - lmdb - changelog is wrongly recreated by reindex task (#6050)

* Issue 6049 - using lmdb the changelog is wrongly recreated by reindex task

dbmdb_import_all_done called at the end of import, bulk import and reindex is reenabling the backend
which triggers the replication plugin to check if data were not reloaded, but in the reindex case, the backend was not disabled (so the db ruv is not up to date) and changelog is then discarded.
The solution is to set back the backend in not busy mode when doing a reindex.

Issue: #6049

Reviewed by: @tbordaz (Thanks!)
- - - - -
288be366 by Viktor Ashirov at 2024-01-29T13:51:34+01:00
Issue 6051 - Drop unused pytest markers

Bug Description:
We have pytest markers such as `bz12345` or `ds1234`, but they are not
registered in `pytest.ini` and generate warnings. We no longer use them
to execute tests, and `git log` and `git blame` can be used for repo
archeology.

Fix Description:
Delete unused pytest markers.

Fixes: https://github.com/389ds/389-ds-base/issues/6051

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
b3efa8bb by Viktor Ashirov at 2024-01-29T13:53:18+01:00
Issue 6052 - Paged results test sets hostname to `localhost` on test collection

Bug Description:
Paged results test module has some code outside of the test functions and fixtures.
It gets interpreted by pytest on test collection. These tests might be even skipped,
but the code to change the hostname would still be executed. This leads to a situation,
where certain test cases fail with:
```
E         ldap.SERVER_DOWN: {'result': -1, 'desc': "Can't contact LDAP server", 'ctrls': [], 'info': 'TLS: hostname does not match subjectAltName in peer certificate'}
```

Fix Description:
Remove the code that changes hostname, since the test no longer does the
checks based on the hostname, only on IP address.

Fixes: https://github.com/389ds/389-ds-base/issues/6052

Reviewed by: @tbordaz, @bsimonova (Thanks!)

- - - - -
539bb0fa by Simon Pichugin at 2024-01-29T14:09:48-08:00
Issue 3555 - Remove audit-ci from dependencies (#6056)

Description: We use npx for audit-ci runs. Hence we don't need the
package installed at all.
Remove audit-ci from package.json and generate a new package-lock.json.

Related: https://github.com/389ds/389-ds-base/issues/3555

Reviewed by: @vashirov (Thanks!)

- - - - -
f26ac014 by Simon Pichugin at 2024-01-29T17:14:34-08:00
Issue 6043, 6044 - Enhance Rust and JS bundling and add SPDX licenses for both (#6045)

Description: Update the generation script in 'rpm.mk' and 'bundle-rust-downstream.py'
to include SPDX license information for combined JavaScript (npm) and Cargo dependencies.

Fixes: https://github.com/389ds/389-ds-base/issues/6043
Fixes: https://github.com/389ds/389-ds-base/issues/6044

Reviewed by: @vashirov (Thanks!)
- - - - -
05b947ad by Simon Pichugin at 2024-01-30T10:36:12-08:00
Bump version to 3.0.1


- - - - -
1f95b57f by David Olivier at 2024-01-31T12:19:59+01:00
Issue 6061 - Certificate lifetime displayed as NaN

Bug Description:
HOST_TIME_GMT is filled with an unparsable format.

Fix Description:
Using `date -Iminutes` the format is compliant with "date time string format".
Ensuring Date.parse() will always recognize it with right TZ.

Author: Adadov

Fixes: https://github.com/389ds/389-ds-base/issues/6061

Reviewed by: @vashirov, @progier389

- - - - -
8fe75866 by Ryan Slominski at 2024-02-05T16:02:28+01:00
Issue 6068 - Add dscontainer stop function

Bug Description:
There currently is not a stop function in dscontainer. It would be nice
to have for use cases such as testing/debugging, plus custom container
setups run during the Docker build in which dscontainer is started to do
some custom configs, then later a stop function would be nice to
gracefully stop dscontainer. Discussed in
https://github.com/389ds/389-ds-base/discussions/6058.

Fix Description:
A simple stop() function added to dscontainer that gracefully stops the
ns-slapd process.

Fixes: https://github.com/389ds/389-ds-base/issues/6068
Co-authored-by: Viktor Ashirov <vashirov at redhat.com>

- - - - -
060f3eb3 by Ryan Slominski at 2024-02-07T13:07:52+01:00
Issue 6075 - Ignore build artifacts (#6076)

Bug Description:
When running the build I noticed some generated files are not included in .gitignore, thereby cluttering and distracting git use during local development.

Fix Description:
Update .gitignore.

Fixes https://github.com/389ds/389-ds-base/issues/6075

Reviewed by @progier389
- - - - -
f415611f by James Chapman at 2024-02-07T12:38:28+00:00
Issue 6010 - 389 ds ignores nsslapd-maxdescriptors (#6027)

Bug description: During server startup the connection table size is assumed
to be lower than or equal to the number of configured reserve file descriptors.
This prevents the server from starting when the number of reserve descriptors
is high.

Fix description: Change the check to make sure the connection table size is
not greater than (max descriptors - reserve descriptors).

Also, the number of reserve descriptors is used to determine if the server can
accept a new connection. This has been changed to compare the connection table
size against the current number of connections.

Relates: https://github.com/389ds/389-ds-base/issues/6010

Reviewed by: @progier389, @droideck, @tbordaz (Thank you)
- - - - -
2467dba3 by Viktor Ashirov at 2024-02-07T16:48:43+01:00
Issue 6071 - Instance creation/removal is slow

Bug Description:
Sometimes instance creation and removal is slow (~2m).
We spend a lot of time running `semanage` to define labels.
But the default SELinux policy already contains the required contexts:

```
/dev/shm/slapd-.*                                  all files          system_u:object_r:dirsrv_tmpfs_t:s0
/etc/dirsrv(/.*)?                                  all files          system_u:object_r:dirsrv_config_t:s0
/usr/lib/systemd/system/dirsrv.*                   all files          system_u:object_r:dirsrv_unit_file_t:s0
/usr/sbin/ldap-agent                               regular file       system_u:object_r:dirsrv_snmp_exec_t:s0
/usr/sbin/ldap-agent-bin                           regular file       system_u:object_r:dirsrv_snmp_exec_t:s0
/usr/sbin/ns-slapd                                 regular file       system_u:object_r:dirsrv_exec_t:s0
/usr/share/dirsrv(/.*)?                            all files          system_u:object_r:dirsrv_share_t:s0
/var/lib/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_lib_t:s0
/var/lock/dirsrv(/.*)?                             all files          system_u:object_r:dirsrv_var_lock_t:s0
/var/log/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_log_t:s0
/var/log/dirsrv/ldap-agent.log.*                   all files          system_u:object_r:dirsrv_snmp_var_log_t:s0
/var/run/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_run_t:s0
/var/run/ldap-agent\.pid                           all files          system_u:object_r:dirsrv_snmp_var_run_t:s0
/var/run/slapd.*                                   socket             system_u:object_r:dirsrv_var_run_t:s0
```

Here's what's added to the system policy after creating a new instance:
```diff
--- labels_before       2024-02-05 13:56:08.667301292 -0500
+++ labels_after        2024-02-05 13:57:39.067301292 -0500
@@ -1,14 +1,23 @@
 /dev/shm/slapd-.*                                  all files          system_u:object_r:dirsrv_tmpfs_t:s0
+/dev/shm/slapd-localhost                           all files          system_u:object_r:dirsrv_tmpfs_t:s0
 /etc/dirsrv(/.*)?                                  all files          system_u:object_r:dirsrv_config_t:s0
+/etc/dirsrv/slapd-localhost                        all files          system_u:object_r:dirsrv_config_t:s0
+/etc/dirsrv/slapd-localhost/schema                 all files          system_u:object_r:dirsrv_config_t:s0
 /usr/lib/systemd/system/dirsrv.*                   all files          system_u:object_r:dirsrv_unit_file_t:s0
 /usr/sbin/ldap-agent                               regular file       system_u:object_r:dirsrv_snmp_exec_t:s0
 /usr/sbin/ldap-agent-bin                           regular file       system_u:object_r:dirsrv_snmp_exec_t:s0
 /usr/sbin/ns-slapd                                 regular file       system_u:object_r:dirsrv_exec_t:s0
 /usr/share/dirsrv(/.*)?                            all files          system_u:object_r:dirsrv_share_t:s0
 /var/lib/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_lib_t:s0
+/var/lib/dirsrv/slapd-localhost/bak                all files          system_u:object_r:dirsrv_var_lib_t:s0
+/var/lib/dirsrv/slapd-localhost/db                 all files          system_u:object_r:dirsrv_var_lib_t:s0
+/var/lib/dirsrv/slapd-localhost/ldif               all files          system_u:object_r:dirsrv_var_lib_t:s0
 /var/lock/dirsrv(/.*)?                             all files          system_u:object_r:dirsrv_var_lock_t:s0
 /var/log/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_log_t:s0
 /var/log/dirsrv/ldap-agent.log.*                   all files          system_u:object_r:dirsrv_snmp_var_log_t:s0
+/var/log/dirsrv/slapd-localhost                    all files          system_u:object_r:dirsrv_var_log_t:s0
+/var/run/dirsrv                                    all files          system_u:object_r:dirsrv_var_run_t:s0
 /var/run/dirsrv(/.*)?                              all files          system_u:object_r:dirsrv_var_run_t:s0
 /var/run/ldap-agent\.pid                           all files          system_u:object_r:dirsrv_snmp_var_run_t:s0
+/var/run/lock/dirsrv/slapd-localhost               all files          system_u:object_r:dirsrv_var_lock_t:s0
 /var/run/slapd.*                                   socket             system_u:object_r:dirsrv_var_run_t:s0
```
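Review bot: the added `/var/run/lock/dirsrv/slapd-localhost` line is the one entry in this hunk that no pattern in the before list visibly covers, since the only lock pattern shown is `/var/lock/dirsrv(/.*)?`; before dropping that label it is worth confirming the path still resolves to `dirsrv_var_lock_t` without it. Every other added line repeats the type already assigned by a broader pattern in the same list (for example `/etc/dirsrv/slapd-localhost` under `/etc/dirsrv(/.*)?`), which supports skipping them for the default prefix.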

Fix Description:
We should not add/remove labels for paths that are already covered by
the system SELinux policy. This is the case for the default `/usr`
prefix.

Fixes: https://github.com/389ds/389-ds-base/issues/6071

Reviewed by: @progier389 (Thanks!)

- - - - -
244916eb by progier389 at 2024-02-08T11:54:57+01:00
Issue 6073 - Improve error log when running out of memory (#6084)

* Issue 6073 - Improve error log when running out of memory easy fix enhancement needs triage
* Issue 6073 - Fix typos

Log the stack backtrace when a calloc/malloc/realloc fails and requested memory size is larger than 1Mb
Also adapt the advice to lmdb (some of the tuning mentioned in the error message is now irrelevant)

Issue #6073

Reviewed by: @tbordaz, @droideck (Thanks!)
- - - - -
b96dbaa8 by progier389 at 2024-02-09T12:49:11+01:00
Issue 6082 - Remove explicit dependencies toward libdb (#6083)

* Issue 6082 - Generate a bundled libdb 
* Get libdb source tarball from Fedora lookaside cache
* Fix typos in comments

libdb is deprecated and may not be available in future os, the idea is to remove any explicit dependency towards this library:

Add a new configure option --with-bundle-libdb=path_to_libdb_include_and_libs
Modify rpm.mk to upload the libdb src rpm and extract it
Provide a spec file to rebuild custom version of libdb without needing external dependencies like tcl mySql gdbm
Modify 389-ds-spec to:
remove prerequisite towards libdb.
Build a new 389-ds-base-bdb package (flagged as deprecated) that includes libback-bdb.so plugin and
Bundle a custom version of libdb named libdb-5.3-389ds.so built from libdb source rpm libdb-5.3-389ds.so
Modify Makefile to build a new libback-bdb.so plugin if --with-bundle-libdb has been used.
(Move the db-bdb code out of libback-ldbm.so into a new libback-bdb.so plugin)
Remove DB_File dependency in logconv.pl
Load dynamically the plugin libback-bdb.so if using bdb and if bdb_init is not present (in libback-ldbm.so) ( to support builds without bundled libdb) and shout loudly if the module is not available
Issue: #6082

Reviewed by: @vashirov (Thanks!)
- - - - -
fc1a997c by Môshe van der Sterre at 2024-02-13T10:04:53+01:00
Issue 6046 - Make dscreate to work during kickstart installations

Description: The with_systemd_running method is added to ensure that
systemd is operational (for the start, stop, and status methods). In
particular, this makes dscreate work in chroot environments. But it has
a broader effect in that it avoids systemctl calls when they are
guaranteed to not work.

Fixes: https://github.com/389ds/389-ds-base/issues/6046

Reviewed by: @vashirov

- - - - -
1fe029c4 by Chris Peterson at 2024-02-13T11:26:31+01:00
Issue 5962 - Rearrange includes for 32-bit support logic

Description:
The logic to support 32-bit architectures was correctly written (define
_LARGEFILE64_SOURCE) but placed too "late". If a standard library header
(e.g., <stdio.h>) is included before _LARGEFILE64_SOURCE is defined, then
the correct symbols will not be made available during compilation. In this
instance, armhf builds were failing due to off64_t not getting defined
correctly.
The inclusion of <sys/statvfs.h> in slap.h is required to prevent
a cryptic compilation error on "#define f_type f_un.f_un_type".

Relates: https://github.com/389ds/389-ds-base/issues/5962
Relates: https://bugs.launchpad.net/ubuntu/+source/389-ds-base/+bug/2052578
Relates: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063434

Reviewed by: @vashirov

- - - - -
ed48371c by James Chapman at 2024-02-13T13:24:04+00:00
Issue 5487 - Fix various issues with logconv.pl (#6085)

Bug description: Logconv.pl CSV file contains mismatched header and data columns

Fix description: Add notesF to support invalid filters

Relates: https://github.com/389ds/389-ds-base/issues/5487

Reviewed by: @progier389, @vashirov  (Thank you)
- - - - -
eb6c95fd by Simon Pichugin at 2024-02-14T10:37:21-08:00
Issue 6067 - Add hidden -v and -j options to each CLI subcommand (#6088)

Description: There is no [-v] option before instance_name mentioned,
so user will not know he can use it unless he runs "dsctl -h".
Add a custom HelpFormatter to each subcommand. The formatter_class adds
[-v] [-j] to the usage line and adds the options' description to the full help output.

Related: https://github.com/389ds/389-ds-base/issues/6067

Reviewed by: @vashirov (Thanks!)
- - - - -
808492bb by Viktor Ashirov at 2024-02-16T08:36:35+01:00
Issue 6094 - Add coverity scan workflow

Description:
Add a new workflow for SAST (Static application security testing)
using Coverity.

Fixes: https://github.com/389ds/389-ds-base/issues/6094

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
29fc276c by Viktor Ashirov at 2024-02-16T11:37:49+01:00
Issue 5647 - covscan: memory leak in audit log when adding entries

Description:
Add a test case for CVE-2024-1062.

Relates: https://github.com/389ds/389-ds-base/issues/5647
Relates: https://github.com/389ds/389-ds-base/issues/5502

Reviewed by: @progier389, @tbordaz (Thanks!)

- - - - -
c9c67bca by James Chapman at 2024-02-16T11:13:16+00:00
Issue 6096 - Improve connection timeout error logging (#6097)

Bug description: When a paged result search is run with a time limit,
if the time limit is exceeded the server closes the connection with
closed IO timeout (nsslapd-ioblocktimeout) - T2. This error message
is incorrect as the reason the connection has been closed was because
the specified time limit on a paged result search has been exceeded.

Fix description: Correct error message

Relates: https://github.com/389ds/389-ds-base/issues/6096

Reviewed by: @tbordaz (Thank you)
- - - - -
d379ac9b by Simon Pichugin at 2024-02-16T13:52:36-08:00
Issue 6067 - Improve dsidm CLI No Such Entry handling (#6079)

Description: Add additional error processing to dsidm CLI tool for when basedn
or OU subentries are absent.

Related: https://github.com/389ds/389-ds-base/issues/6067

Reviewed by: @vashirov (Thanks!)
- - - - -
91443acf by James Chapman at 2024-02-19T09:29:13+00:00
Issue 6092 - passwordHistory is not updated with a pre-hashed password (#6093)

Bug description: passwordHistory is not updated with a pre-hashed password

Fix description: During a mod replace of the userpassword attribute, if an encoded
password value is detected and both pw_history and allow_hashed_pw are enabled, get
the present entry values which are used to update the password history.

Relates: https://github.com/389ds/389-ds-base/issues/6092

Reviewed by: @tbordaz  (Thank you)
- - - - -
aa3b4e66 by Viktor Ashirov at 2024-02-20T14:33:42+01:00
Issue 6086 - Ambiguous warning about SELinux in dscreate for non-root user

Bug Description:
When an instance is created using dscreate under non-root user,
there is a scary looking ambiguous warning:

> Selinux support will be disabled, continue? [yes]:

It's not clear to the user what exactly are the implications
(system-wide disabling of SELinux?).

We should provide a better wording.

Fix Description:
Change the wording and fix spelling of SELinux in the log messages.

Fixes: https://github.com/389ds/389-ds-base/issues/6086

Reviewed by: @progier389 (Thanks!)

- - - - -
d65eea90 by James Chapman at 2024-02-21T12:43:03+00:00
Issue 6103 - New connection timeout error breaks errormap (#6104)

Bug description: A recent addition to the connection disconnect error
messaging, conflicts with how errormap.c maps error codes/strings.

Fix description: errormap expects error codes/strings to be in ascending
order. Moved the new error code to the bottom of the list.

Relates: https://github.com/389ds/389-ds-base/issues/6103

Reviewed by: @droideck, @progier389  (Thank you)
- - - - -
a380deb0 by progier389 at 2024-02-22T23:11:15+01:00
Issue 6057 - vlv search may result wrong result with lmdb (#6091)

* Issue 6057 - vlv search may result wrong result with lmdb

Different issue related to vlv index and import/bulk import:

1. vlv sub database was not open when the backend was started
2. vlv index was not cleaned by import/bulk import
3. vlv index was not rebuilt by import/bulk import
4. vlv index not rebuilt by explicit vlv reindex.
5. vlv index not rebuilt by explicit vlv reindex if vlv name contains hyphen.
6. vlv index not rebuilt if basedn is not the suffix.
In fact all these issues had the same cause: the backend vlv search list is empty after the server gets restarted.

Solution:
[For 1,2 and 3] Fix the test_vlv_cache_subdb_names to ensure that vlv index are properly cleaned
and recreated by a bulk import
Initialize the vlv search list if it is not yet initialized when starting an instance (just before opening
all the sub databases associated with the backend) rather than doing it before restarting the instance after the import.
[For 4] Add a new member for vlv in the import context and handle it properly.
[For 5] Convert the vlv name as a dbname and store it in a separate list - compare the dbname when checking if vlv is reindexed.
[for 6] Rebuild the proper entry dn (in case of reindex) to be able to evaluate the vlv scope
to rebuild the dn I used the entry_info data (stored in a temporary database) that contains the rdn/nrdn/
and ancestors IDs (used to rebuild the entryrdn index) and now also store the dn which is simply
propagated by adding the entry rdn to the parent entry dn.

Issue: #6057

Reviewed by: @tbordaz , @droideck (Thanks!)
- - - - -
fcdeec3b by Simon Pichugin at 2024-02-27T16:30:47-08:00
Issue 3527 - Support HAProxy and Instance on the same machine configuration (#6107)

Description: Improve how we handle HAProxy connections to work better when
the DS and HAProxy are on the same machine.
Ensure the client and header destination IPs are checked against the trusted IP list.

Additionally, this change will also allow configurations where
HAProxy is listening on a different subnet than the one used to forward the request.

Related: https://github.com/389ds/389-ds-base/issues/3527

Reviewed by: @progier389, @jchapma (Thanks!)
- - - - -
27dd9b71 by Viktor Ashirov at 2024-03-04T16:43:41+01:00
Issue 5305 - OpenLDAP version autodetection doesn't work

Bug Description:
An error is logged during a build in `mock` with Bash 4.4:

```
checking for --with-libldap-r... ./configure: command substitution: line 22848: syntax error near unexpected token `>'
./configure: command substitution: line 22848: `ldapsearch -VV 2> >(sed -n '/ldapsearch/ s/.*ldapsearch \([0-9]\+\.[0-9]\+\.[0-9]\+\) .*/\1/p')'
no
```

`mock` runs Bash as `sh` (POSIX mode). Support for process substitution
in POSIX mode was added in version 5.1:
https://lists.gnu.org/archive/html/bug-bash/2020-12/msg00002.html

> Process substitution is now available in posix mode.

Fix Description:
* Add missing `BuildRequires` for openldap-clients
* Replace process substitution with a pipe

Fixes: https://github.com/389ds/389-ds-base/issues/5305

Reviewed by: @progier389, @tbordaz (Thanks!)

- - - - -
6054dfad by Mark Reynolds at 2024-03-04T10:44:17-05:00
Issue 5842 - Add log buffering to audit log

Description:

Add log buffering to audit/auditfail logs.  Since these logs are
intertwined there is only one config setting for both logs:

    nsslapd-auditlog-logbuffering: on/off

relates: https://github.com/389ds/389-ds-base/issues/5842

Reviewed by: spichugi(Thanks!)

- - - - -
840161b8 by Mark Reynolds at 2024-03-04T11:50:16-05:00
Issue 6112 - RFE - add new operation note for MFA authentications

Add a new operation note to indicate that a MFA plugin performed the
BIND.  This implies that the plugin must set the note itself as there is
no other way to detect this:

    slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);

The purpose for this is for auditing needs

Fixes: https://github.com/389ds/389-ds-base/issues/6112

Reviewed by: spichugi(Thanks!)

- - - - -
4eb1cb60 by Ding-Yi Chen at 2024-03-06T18:36:19-08:00
Issue 6117 - Fix the UTC offset print (#6118)

Bug Description: UTC offset is mistakenly displayed as <sign><hour><seconds>
-03:30 was displayed as -031800

Fix Description: UTC offset is now displayed as <sign><hour><minutes>
-03.30 is displayed as -0330

Fixes: https://github.com/389ds/389-ds-base/issues/6117

Author: Ding-Yi Chen <dchen at redhat.com>

Reviewed by: Simon Pichugin
- - - - -
1d73b8ac by James Chapman at 2024-03-08T16:15:52+00:00
Issue 6119 - Synchronise accept_thread with slapd_daemon (#6120)

Bug Description: A corner case exists, where the slapd_daemon has
begun its shutdown process but the accept_thread is still running
and capable of handling new connections. When this scenario occurs,
the connection subsystem has been partially deallocated and is in
an unstable state. A segfault is generated when attempting to get a
new connection from the connection table.

Fix Description: The connection table is only deallocated when the
number of active threads is 0. Modify the accept_thread to adjust
the active thread count during creation/destruction, meaning the connection
table can only be freed when the accept_thread has completed

Relates: https://github.com/389ds/389-ds-base/issues/6119

Reviewed by: @tbordaz, @Firstyear , @mreynolds389  (Thank you)
- - - - -
e555c2a8 by progier389 at 2024-03-13T18:04:18+01:00
Issue 6057 - vlv search may result wrong result with lmdb - Fix 2 (#6121)

* Issue 6057 - vlv search may result wrong result with lmdb - Fix 2
* Issue i6057 - Fix2 - Fix review comment

Previous fix is failing after a restart because of a chicken and egg issue related to vlv_init and backend initialization.
vlv_init requires that the backend get initialized to be able to generate the vlvSearch struct.
Because of deadlocks, and to be able to roll back the database instance open transaction I found it easier to avoid using vlv_getindices if vlv is not initialized but rather perform a search on cn=config to build a list of all possible vlv indexes filenames (ignoring the configuration errors) and use that list to open the database files for vlv indices and their cache.

Also fixed some minor issues:
@droideck minor remarks done about #6091 after the merge
a typo while logging info about the database environment parameters

Issue: #6057

Reviewed by: @tbordaz, @droideck , @mreynolds389 (Thanks!)
- - - - -
4fe22ecc by Barbora Simonova at 2024-03-13T19:52:53+01:00
Issue 6110 - Typo in Account Policy plugin message

Description:
Add additional condition for add and set state
in the config entry success message

Fixes: https://github.com/389ds/389-ds-base/issues/6110

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
72c211b8 by tbordaz at 2024-03-18T11:34:30+01:00
Issue 6080 - ns-slapd crash in referint_get_config (#6081)

Bug description:
	Referential integrity plugin spawns a thread to run
	integrity check/update in a deferred way. It uses a log
	file to pipe changes to check. The name of the file,
	stored in the config, is read periodically.
	At shutdown, referint plugin close callback notifies
	the thread to stop and frees the config.
	The problem is that the thread may check the config
	while it was notified to stop.

Fix description:
	synchronize the plugin close function (referint_postop_close)
	and the batch thread (referint_thread_func).
	When the batch thread starts it sets 'batch_thread_running'
	and resets it when it stops.
	The plugin close function notifies the batch thread to stop
	(via keeprunning==0) and then waits until 'batch_thread_running' is
	reset

relates: #6080

Reviewed by: Pierre Rogier (thanks !)
- - - - -
d1944539 by James Chapman at 2024-03-19T13:32:27+00:00
Issue 6125 - dscreate interactive fails when chosing mdb backend (#6126)

Bug description: dscreate in interactive mode fails when a mdb backend
is used. Cast to string missing in the parse_size method.

Fix description: Convert the value to string in parse method.

Fixes: https://github.com/389ds/389-ds-base/issues/6125

Reviewed by: @progier389, @droideck (Thank you)
- - - - -
b551b18b by progier389 at 2024-03-22T17:44:36+01:00
Issue 6105 - lmdb - Cannot create entries with long rdn (#6130)

* Issue 6105 - lmdb - add fails if rdn is longer than 250 bytes - Part 1

This fix is split in two commits:
 Part 1 refactorize the entryrdn static subfunctions parameters
 Part 2 implement the use of a redirect database file

in two commits because the first part has a big diff
but it is quite straightforward as it only refactorize the set of parameters used by the entryrdn static subfunctions
 to rather use a single parameter (A single context struct containing all the parameters needed to access the 
 database (like the backend, the database instances, the txn and the cursor )
The benefit are:
  - avoid having too much parameters in sub functions
    especially for the second part of the fix that implements a second db to handle the entryrdn
  - avoid duplicating the retry loops to open/close the cursor
  - IMHO it made the code clearer

* Issue 6105 - lmdb - Cannot create entries with long rdn
    - the use of a redirect database file
    - the use of redirect link with the private database used by import to build the dn/rdn/ancestor relationship 
    - the CI testcase

* Issue 6105 - lmdb - Cannot create entries with long rdn - review feedback
    - fix some comments
    - improve the CI tests by adding children to an ou with long rdn then renaming it.

- - - - -
23a094c5 by progier389 at 2024-03-25T11:22:41+01:00
Issue i6057 - Fix3 - Fix covscan issues (#6127)

Fix two minor issues reported by covscan after the previous fix:

CID 1540758: Null pointer dereferences - NULL_RETURNS
/ldap/servers/slapd/back-ldbm/vlv.c: 412 in vlv_list_filenames
Generate Null pointer exception if vlv config entry is not compliant to the schema
Added a ternary test to harden the code.
CID 1540757: Null pointer dereferences - FORWARD_NULL
/ldap/servers/slapd/back-ldbm/db-mdb/mdb_instance.c: 377 in dbmdb_open_all_files
covscan complain that be may be null (which is true but not in the case database context is also NULL)
Added a test to avoid the warning
Issue #6057

Reviewed by: @tbordaz, @droideck Thanks!
- - - - -
b2956043 by progier389 at 2024-03-26T11:22:43+01:00
Issue 5105 - lmdb - Cannot create entries with long rdn - fix covscan (#6131)

A minor code cleanup issue fixing: CID 1540880 CID 1540879 CID 1540878 CID 1540876 CID 1540875
All these reports have the same pattern but on different functions.
The issue is that ctx == NULL is tested as part of the parameter validity tests (even if it is never NULL)
then goto bail but the bail code dereferences ctx to potentially free some resources.
So I changed the code from:
Log Entering in Function
If (One of parameter is NULL) {
Log Error message
goto bail
}
To:
If (One of parameter is NULL) {
Log Error message
return -1;
}
Log Entering in Function
CID 1540877 is a real issue about a potential memory leak in case of error (should goto bail0 instead of bail to make sure childelem is free)

Issue: #6105

Reviewed by: @droideck Thanks!
- - - - -
374b7b08 by Mark Reynolds at 2024-03-29T09:31:44-04:00
Issue 6133 - Move slapi_pblock_set_flag_operation_notes() to slapi-plugin.h

Description:

slapi_pblock_set_flag_operation_notes() is currently only available in slapi-private.h, but with the latest changes that add "notes=M" it needs to be available to plugins.

relates: https://github.com/389ds/389-ds-base/issues/6133

Reviewed by: spichugi(Thanks!)

- - - - -
cc3a8640 by progier389 at 2024-04-05T12:03:47+02:00
Issue 6136 - failure in freeipa tests (#6137)

* Issue 6136 - failure in freeipa tests
Several issue detected when adding a CI test that mimic one of freeipa nightly test :

bdb - offline import fail when trying to create the guardian file because instance is not yet fully initialized and the generated path is wrong - fixed by using the directory from ldbminfo and the instance names that are defined.

mdb - vlv index are not generated because for one level scoped vlv, the entryid is not properly set.
should use vlv_grok_new_import_entry to reset the vlv filter when the base entry is added (as it is done in bdb).
also added a function to mark the vlv_grok_new_import_entry as uninitialized before the import

mdb- crash while trying to import an entry without parent (i.e a suffix entry) that does not belong to the backend
fixed by avoiding the null pointer exception in that case

Issue: #6136

Reviewed by: @droideck, @jchapma (Thanks!)

* Fix vlv CI test deadlock

@long-entryrdn was not open by dbmdb_open_all_files
this led to failure when trying to open it in a read operation
because at dblayer level, it is not possible to open write txn
within a read txn - and although it is possible at lmdb level,
the new file will not be visible within the read txn
but we may need to access it.
So the open failed, and entryrdn attrinfo should then be released
before returning an error to avoid keeping entryrdn busy.
That is what trigger the hang when removing a backend.

Added some conditional debug code to understand why the server hang.

Also added a missing dblayer_release_index_file in vlvIndex_checkforindex
that may be the reason while there is a hang when removing vlv on bdb.

* Issue 6136 - failure in freeipa tests - Fix review comments

- - - - -
abb6723b by Simon Pichugin at 2024-04-10T15:06:15+02:00
Issue 6142 - [RFE] Add LMDB configuration related checks into Healthcheck tool (#6143)

Description
Add a warning in healthcheck if bdb is still used.
Add a warning if there's a mismatch in configuration attributes.
Add a warning if in the DB directory both BDB and MDB files exist.

Fixes: https://github.com/389ds/389-ds-base/issues/6142

Reviewed by: @progier389
- - - - -
281c0271 by progier389 at 2024-04-10T15:10:22+02:00
Issue 6141 - freeipa test_topology_TestCASpecificRUVs is failing (#6144)

On lmdb, vlv search using a value instead of range may fail (set target on first record instead of smallest record whose key is greater or equal to the wanted value).
The reason is that a test is inverted when walking the cursor to find the record position so the loop ends after first iteration.
Also fix a coverity scan warning

Issue: #6141

Reviewed by: @tbordaz
- - - - -
55529d18 by progier389 at 2024-04-12T12:16:12+02:00
Issue 6082 - Remove explicit dependencies toward libdb - revert default (#6145)

Change BUNDLE_LIBDB default value so that Fedora packages are still using /lib64/libdb-5.3.so by default. The version with bundled lib may still be generated by using:
BUNDLE_LIBDB=1 SKIP_AUDIT_CI=1 make -f rpm.mk update-cargo-dependencies download-cargo-dependencies srpms
BUNDLE_LIBDB=1 SKIP_AUDIT_CI=1 make -f rpm.mk rpms

Issue: #6082

reviewed by: @jchapma
- - - - -
d08d17e6 by progier389 at 2024-05-06T12:19:03+02:00
Issue 6157 - Cockipt crashes when getting replication status if topology contains an old 389ds version (#6158)

dsconf -j instance replica status --suffix ... aborts if a topology contains an old version that does not set nsds5replicaLastUpdateStatusJSON in the replica agreement.
Fix is in two parts:
Catch TypeError, ValueError and KeyError in the _lint_agmts_status function to preserve the cockpit page and
the other agreement status in case of unexpected error.
While decoding the json attribute in get_agmt_status:
Catch the jsonDecodeError and generates a red state with a message explaining that value has an invalid format
Catch the TypeError and generates an amber state with legacy replica status message

Issue: #6157

Reviewed by: @droideck (Thanks!)
- - - - -
e24615fc by Simon Pichugin at 2024-05-06T15:25:22-07:00
Issue 6142 - Fix CI tests (#6161)

Description: Use the correct topology in healthcheck_test.py.
Fix trailing spaces. For the BDB test, process the "no error"
outcome for the newer version, where we expect that having BDB is an issue.

Fixes: https://github.com/389ds/389-ds-base/issues/6142

Reviewed by: @progier389 (Thanks!)
- - - - -
8f783e88 by Sergey Salamanov at 2024-05-14T15:11:03+02:00
fix issue6165 (#6167)

Problem: Server crash when using the referential integrity plugin when transactions are used and an error occurs when opening a file for writing.
Cause: The crash is caused by using an uninitialized mutex PR_Unlock(referint_mutex)) after the error message and before calling referint_unlock();
Fix: The line using the uninitialized mutex PR_Unlock(referint_mutex) has been removed. It opens with an initialization check in the function below - referint_unlock().

Issue: #6166

Reviewed by: @progier389
- - - - -
884deb60 by James Chapman at 2024-05-15T09:56:42+01:00
Bump version to 3.1.0 


- - - - -
904dc990 by tbordaz at 2024-05-22T11:29:05+02:00
Issue 6172 - RFE: improve the performance of evaluation of filter component when tested against a large valueset (like group members) (#6173)

Bug description:
	Before returning an entry (to a SRCH) the server checks that the entry matches the SRCH filter.
	If a filter component (equality) is testing the value (ava) against a
	large valueset (like uniquemember values), it takes a long time because
	of the large number of values and required normalization of the values.
	This can be improved taking benefit of sorted valueset. Those sorted
	valueset were created to improve updates of large valueset (groups) but
	at that time not implemented in SRCH path.

Fix description:
	In case of LDAP_FILTER_EQUALITY component, the server can get
	benefit of the sorted valuearray.
	To limit the risk of regression, we use the sorted valuearray
	only for the DN syntax attribute. Indeed the sorted valuearray was
	designed for those type of attribute.
	With those two limitations, there is no need of a toggle and
	the call to plugin_call_syntax_filter_ava can be replaced by
	a call to slapi_valueset_find.
	In both cases, sorted valueset and plugin_call_syntax_filter_ava, ava and
	values are normalized.
	In sorted valueset, the values have been normalized to insert the index
	in the sorted array and then comparison is done on normalized values.
	In plugin_call_syntax_filter_ava, all values in valuearray (of valueset) are normalized
	before comparison.

relates: #6172

Reviewed by: Pierre Rogier, Simon Pichugin (Big Thanks !!!)
- - - - -
7df3957d by Viktor Ashirov at 2024-05-22T12:38:44+02:00
Issue 6151 - Use %bcond macro for conditional builds in the spec file

`rpmbuild` supports conditional package builds with the command line
switches `--with` and `--without`:
https://rpm-software-management.github.io/rpm/manual/conditionalbuilds.html

This is useful to rebuild an existing src.rpm file without editing the
spec file first. Or build in COPR with macros overrides for some
options. For example, automatic rebuilds from dist-git in COPR to
produced sanitized builds.

We use our custom global variables for different options such as
`use_cockpit` or `use_asan`. Instead we should switch to `%bcond` macro.

Additional changes:
* `rpm/bundle-rust-npm.py`: add `-f` option to automatically do the changes
  to the `License:` field.
* Remove unneeded `389-ds-base-git.sh`
* Update `389-ds-base-devel.README`
* `rpm.mk`:
** exclude `vendor.tar.gz` from the resulting tarball
** add aliases for rpms and srpms targets
** use bundle-rust-npm.py with -f option for development releases
** add rpmspec target to generate a spec file under `rpm/` directory.
* `389-ds-base.spec.in`:
** remove unused/obsoleted lines
** remove `Provides:` for Rust crates, it will be populated by
   `bundle-rust-npm.py`
** add .asan to the NVR automatically
** use macro for nss Requires:
** move libdb globals behind if/endif

Fixes: https://github.com/389ds/389-ds-base/issues/6151

Reviewed by: @droideck (Thanks!)

- - - - -
1a7abef1 by progier389 at 2024-05-27T11:40:44+02:00
Issue 6159 - Add a test to check URP add and delete conflict (#6160)

Add URP tests that run if URP_VERY_LONG_TEST environment variable is set
One test spends 6 days and check the 5770 different way of running
the (Add, sync agmt 1, sync agmt 2, Del) sequence on 3 suppliers
and check that when everything is in sync, the entries are the same everywhere
Second test generate crossed entries and conflict entries
 (In theory that should not happen but we have sometime seen them)
And tries to remove one of the entry.
Then once everything is back in sync, it check that the entry are the same
 The second test fails - Apparently there is a problem with URP in that corner case 
- - - - -
c019af14 by Alexander Bokovoy at 2024-05-28T11:51:08+02:00
Issue 6123 - Allow DNA plugin to reuse global config for bind method and connection protocol (#6124)

Description:

FreeIPA configures uniform authentication and access methods for DNA
plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set
those, IPA installer has to wait until its own server entry is
asynchronously created by the DNA plugin and then update the entry. This
process takes up to two minutes which is almost a half of time spent on
creating IPA server with integrated DNS and external TLS certificates
(e.g., without integrated CA).

DNA plugin's configuration entry already allows to specify remote bind
DN and remote bind password.  This is handled by
dna_get_shared_servers() which pulls remote_binddn and remote_bindpw
from the global config entry unconditionally:

...
                server->remote_binddn = config_entry->remote_binddn;
                server->remote_bindpw = config_entry->remote_bindpw;
                server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i],
                                                                          DNA_REMOTE_BIND_METHOD);
                server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i],
                                                                        DNA_REMOTE_CONN_PROT);
...

If we could add similar handling for remote_bind_method and
remote_conn_prot, with an override from the server entry, that would be
great. This way we can pre-create the configuration with the same
method/protocol values and skip waiting for the server entry to be
created from DNA plugin side.

Fixes: #6123

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ffa9c8b7 by jasonborden at 2024-05-31T15:50:12+02:00
Change default salt sizes generated in crypt_pwd (#6185)

Issue - #6186 - Increase the amount of salt crypt_pwd generates

Bug Description:
Salt currently generated by crypt_pwd is only 12 bits which is rather weak.

Fix Description:
Makes the salt generated the same length as linux shadow:
12bits (2 b64 chars) for CRYPT
48bits (8 b64 chars) for CRYPT-MD5
96bits (16 b64 chars) for CRYPT-SHA256 and CRYPT-SHA512

relates: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/ZJXVFQ6XC2IEROA2LZNBXKQ6YWAJHAIU/

Author: Jason Borden
Co-authored-by: Jason Borden <jason at acedatacenter.com>

Reviewed by: @progier389, @merlinthp (Thanks!)


- - - - -
b8139233 by Sergey Salamanov at 2024-05-31T17:55:03+02:00
Issue 6175 - Referential integrity plugin - in referint_thread_func does not handle null from ldap_utf8strtok (#6168)

Added a check for _null_ for the **ptoken** variable when returning from **ldap_utf8strtok_r**.

Issue: #6175

Reviewed by: @progier389 
- - - - -
78efaab7 by Viktor Ashirov at 2024-05-31T20:28:24+02:00
Issue 6189 - CI tests fail with `[Errno 2] No such file or directory: '/var/cache/dnf/metadata_lock.pid'`

Bug Description:
There is an intermittent issue during container startup in our CI:
```
[Errno 2] No such file or directory: '/var/cache/dnf/metadata_lock.pid'
Error: Process completed with exit code 1.
```

`systemd` is not fully initialized when a second command runs and expects
a pid file to be available.
The script should wait until `systemctl is-system-running` is successful.

Fix Description:
Add a check for `systemctl is-system-running`.

Fixes: https://github.com/389ds/389-ds-base/issues/6189

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
47c0bc3b by Viktor Ashirov at 2024-05-31T20:37:53+02:00
Issue 6177 - Spec file cleanup

Description:
* Move `libback-bdb` to `389-ds-base-bdb` subpackage completely
* Move `%prerel` macro to `Version:` field, only needed for upstream builds
* Remove the rest of `%prerel` macros
* Switch to `%autorelease` and `%autochangelog`
* Remove deprecated Group metadata
* Remove ifdef for RHEL7 (lib389 is now always built and required)
* Remove obsoleted `%clean` macro
* Remove unneeded cleanup steps
* Remove unused variable
* Add missing `$(RPMBUILD_OPTIONS)` for `rpmbuild` in `srpm` target

Fixes: https://github.com/389ds/389-ds-base/issues/6177
Fixes: https://github.com/389ds/389-ds-base/issues/6178

Reviewed by: @progier389 (Thanks!)

- - - - -
1b26ed9a by Viktor Ashirov at 2024-05-31T20:39:11+02:00
Issue 6193 - Test failure: test_tls_command_returns_error_text

Bug Description:
openssl changed error message in
https://github.com/openssl/openssl/commit/fedab100a4b8f4c3b81de632f29c159fb46ac3f2

Fix Description:
Adjust assert to use regex for different messages.

Fixes: https://github.com/389ds/389-ds-base/issues/6193

Reviewed by: @progier389 (Thanks!)

- - - - -
cde7d651 by Mark Reynolds at 2024-06-04T10:00:53-04:00
Issue 6170 - audit log buffering doesn't handle large updates

Description:

A large update, like adding 10K members to a group, gets truncated. When
the update is larger than the buffer then flush the current buffer, and
then directly write the large update to the log file (skipping the
buffering)

Relates: https://github.com/389ds/389-ds-base/issues/6170

Reviewed by: progier (Thanks!)

Apply Pierres suggestions

- - - - -
d7b56a1e by Firstyear at 2024-06-05T10:18:51+10:00
Issue 6181 - RFE - Allow system to manage uid/gid at startup (#6182)

Bug Description: We have a user who wishes to implement a non-standard configuration in which the
running gid is not the primary gid of the uid that the server runs as. Currently this trips up most
of our setup tools.

Rather than support dropping to an alternate gid in the server, it is simpler to allow systemd to
pre-configure our user and group at start up. This needs a small number of changes.

Fix Description:
- dscreate needs to correctly setup file ownerships for dse.ldif and friends rather than relying on
  the server having root access and changing the perms itself
- Our unit file needs to enable the CAP_NET_BIND privilege so that the service can bind to ports
  lower than 1024 without being root
- The server needs to not attempt to change its uid/gid if we are already running as that user/gid.

fixes: https://github.com/389ds/389-ds-base/issues/6181

Author: William Brown <william at blackhats.net.au>

Review by: @mreynolds389 and @progier389 (Thank you!) 
- - - - -
bb887aa4 by Simon Pichugin at 2024-06-05T17:24:00-07:00
Issue 6188 - Add nsslapd-haproxy-trusted-ip to cn=schema (#6201)

Description: Add HAProxy trusted IP address multi-valued attribute
to cn=schema in 01core389.ldif

Related: https://github.com/389ds/389-ds-base/issues/6188

Reviewed by: @progier389 (Thanks!)
- - - - -
18887446 by Viktor Ashirov at 2024-06-08T17:50:19+02:00
Issue 6181 - RFE - Allow system to manage uid/gid at startup

Description:
Expand CapabilityBoundingSet to include additional capabilities.

Fixes: https://github.com/389ds/389-ds-base/issues/6181

Reviewed by: @progier389 (Thanks!)

- - - - -
bb76673d by Viktor Ashirov at 2024-06-08T17:52:46+02:00
Issue 6192 - Test failure: test_match_large_valueset

Description:
When BDB backend is used, nsslapd-cache-autosize needs to be set to 0
first in order to change nsslapd-cachememsize.
Also increase the expected etime slightly, as it fails on slower VMs
both with BDB and MDB backends.

Fixes: https://github.com/389ds/389-ds-base/issues/6192

Reviewed by: @droideck, @tbordaz (Thanks!)

- - - - -
216ffc07 by Viktor Ashirov at 2024-06-09T10:25:31+02:00
Issue 6200 - Disable WebUI CI tests

Description:
Currently WebUI tests fail. There are known issues both in tests and the
code. We should re-enable the tests back when we get to fix those
issues.

Fixes: https://github.com/389ds/389-ds-base/issues/6200

Reviewed by: @droideck (Thanks!)

- - - - -
eedde898 by progier389 at 2024-06-10T17:47:02+02:00
Issue 6199 - unprotected search query during certificate based authentication (#6205)

Problems:
SubjectDN extracted from the certificate is not escaped when used by certmap.conf
Other extracted value are wrongly escaped and quoted when added in filter

Solution: Ensure that proper escape function is used in these two cases.
Values in filter should not be quoted but * should be escaped.

Note: I considered to reuse the ldap_bv2escaped_filter_value function but it needless realloc the returned data
so I ended up to rewrite something the escape function (which is quite straightforward anyway).

Issue: #6199

Reviewed by: @droideck
- - - - -
072b290d by Viktor Ashirov at 2024-06-11T08:55:46+02:00
Issue 6191 - Node.js 16 actions are deprecated

Description:
Node.js 16 actions are deprecated.
Update
* actions/checkout to v4
* actions/download-artifact to v4
* actions/upload-artifact to v4

Fixes: https://github.com/389ds/389-ds-base/issues/6191

Reviewed by: @progier389, @droideck (Thanks!)

- - - - -
d0b8174f by dependabot[bot] at 2024-06-11T09:11:31+02:00
Bump braces from 3.0.2 to 3.0.3 in /src/cockpit/389-console

Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
f2e581bc by progier389 at 2024-06-11T12:02:12+02:00
Issue 6207 - Random crash in test_long_rdn CI test (#6215)

CI test indexes/test_long_rdn sometime crashes
The issue is that a data returned by dblayer_bulk_nextdata iterator is wrongly freed
The fix is to avoid freeing the data

Issue: #6207

Reviewed by: @droideck (Thanks!)
- - - - -
d261ea27 by Simon Pichugin at 2024-06-11T20:19:29-07:00
Issue 6183 - Slow ldif2db import on a newly created BDB backend (#6208)

Bug Description: After creating a new BDB backend, we autotune the cache only when restarting.
So, an administrator will try to import an LDIF before that; she will have a very slow import.

Fix Description: Do the autotuning during the backend creation.
Add a CI test for the scenario.

Fixes: https://github.com/389ds/389-ds-base/issues/6183

Reviewed by: @progier389, @tbordaz (Thanks!!)
- - - - -
407bdaa0 by progier389 at 2024-06-13T15:17:36+02:00
Issue 5772 - ONE LEVEL search fails to return sub-suffixes (#6219)

Problem: ONE LEVEL scoped search fails to return sub-suffixes entries
Reason: When such search is done, a one level search is done on the main suffix and base search are done on any matching sub-suffix. But main suffix is processed search (to ensure that parent entries are returned before children ones when searching subtree) and ldbm_back_search change the filter to (&(parentid=xxx)old_filter) so the filter test reject the entry on the sub-suffixes.
Solution: Revert the backend list when doing one level search so that the sub-suffixes are processed first
and restore the base dn for the main suffix.
Alternative rejected: reset the filter when discovering a sub-suffix. Not so easy because filter is altered by the rewriters.
And systematic duplication is a useless overhead if there is no matching sub-suffixes (which is the usual case)

Issue: #5772

Reviewed by: @tbordaz, @droideck (Thanks!)
- - - - -
0f46d433 by Viktor Ashirov at 2024-06-13T16:34:38+02:00
Issue 6120 - /usr/lib64/dirsrv/plugins/libback-bdb.so has an invalid-looking DT_RPATH: /usr/lib/dirsrv

Bug Description:
rpminspect reports an invalid DT_RPATH /usr/lib/dirsrv
It's evaluated in m4/bundle_libdb.m4 from

```
-R${prefix}/lib/dirsrv"
```

Fix Description:
Change it to lib64

Fixes: https://github.com/389ds/389-ds-base/issues/6210

Reviewed by: @progier389 (Thanks!)

- - - - -
4e3dc9e8 by progier389 at 2024-06-17T14:03:02+02:00
Issue 6222 - CI test acl/test_timeofday_keyword sometime fails (#6223)

CI test acl/test_timeofday_keyword sometime fails because current time (in minutes) changes during the test
Solution is to run the test in loop and retry if the time has changed.
Also fix:
Similar issue with test_dayofweek_keyword_today_can_access (with time in days)
Skip the tests that sets the hostname if run as non root

Issue: #6222

Reviewed by: @droideck (Thanks!)
- - - - -
796f7030 by progier389 at 2024-06-18T14:21:07+02:00
Issue 6224 - d2entry - Could not open id2entry err 0 - at startup when having sub-suffixes (#6225)

Problem:: d2entry - Could not open id2entry err 0 is logged at startup when having sub-suffixes
Reason: The slapi_exist_referral internal search access a backend that is not yet started.
Solution: Limit the internal search to a single backend

Issue: #6224

Reviewed by: @droideck Thanks!
- - - - -
9687d830 by dependabot[bot] at 2024-06-20T09:11:14+02:00
Bump ws from 7.5.9 to 7.5.10 in /src/cockpit/389-console

Bumps [ws](https://github.com/websockets/ws) from 7.5.9 to 7.5.10.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/7.5.9...7.5.10)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
f76503de by progier389 at 2024-06-21T19:41:42+02:00
Issue 6233 - CI test wait_for_async_feature_test sometime fails (#6234)

CI test random failure related to timing.
Fixed by decreasing the minimum number of expected asynchronous results

Issue: #6233

Reviewed by: @droideck, @tbordaz (Thanks!)

- - - - -
1f41661c by tbordaz at 2024-06-24T13:41:35+02:00
Issue 6227 - dsconf schema does not show inChain matching rule (#6228)

Bug description:
	The registered inChain MR does defined any matching rule
	syntax (mr_syntax).
	When dsconf reads the matching rules (read_schema_dse)
	it only reports those which have OID and SYNTAX.
	As a consequence InChain was not reported.

Fix description:
	The syntax defines that assertion syntax that is
	distinguished name. Add this syntax to the register
	struct

relates: #6227

Reviewed by: Pierre Rogier (Thanks !)
- - - - -
e5c761b0 by Yaakov Selkowitz at 2024-06-25T10:05:12+02:00
Issue 6236 - rpm: fix compatibility with RPM 4.20

Description:
RPM 4.20 drops support for the deprecated %patchN syntax, and adds a
build-specific path to %_builddir.

Fixes: https://github.com/389ds/389-ds-base/issues/6236

- - - - -
04a0b6ac by progier389 at 2024-06-28T18:56:49+02:00
Issue 6229 - After an initial failure, subsequent online backups fail (#6230)

* Issue 6229 - After an initial failure, subsequent online backups will not work

Several issues related to backup task error handling:
Backends stay busy after the failure
Exit code is 0 in some cases
Crash if failing to open the backup directory
And a more general one:
lib389 Task DN collision

Solutions:
Always reset the busy flags that have been set
Ensure that 0 is not returned in error case
Avoid closing NULL directory descriptor
Use a timestamp having milliseconds precision to create the task DN

Issue: #6229

Reviewed by: @droideck (Thanks!)
- - - - -
f6481f62 by jasonborden at 2024-07-02T12:07:29+02:00
Issue 6241 - Add support for CRYPT-YESCRYPT (#6242)

Description:
Implements CRYPT-YESCRYPT as a password storage scheme

Issue: #6241

Reviewed by: @progier389
- - - - -
b47cbe04 by progier389 at 2024-07-02T12:10:14+02:00
Issue 6245 - covscan fixes (#6246)

* Issue 6245 - covscan fixes
Fix issues reported by coverity scan static analyzer

Issue: #6245

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
c09717d9 by progier389 at 2024-07-03T13:29:28+02:00
Issue 6216 - CI test_fast_slow_import sometime fail (#6247)

The test comparing times around 2 seconds is pretty unstable.
With this fix, the test is still running, checking that import with private memory works
but does not check any more that it is faster than standard import

Issue: #6216

Reviewed by: @droideck (Thanks!)
- - - - -
3fe56612 by Mark Reynolds at 2024-07-05T15:13:40-04:00
Issue 6238 - RFE - add option to write audit log in JSON format

Description:

Add option to set the format between: default, json, or json-pretty

json-pretty just writes the JSON format in a vertical structure versus
one condensed line of text.

You can also adjust the local time format using strftime formatting

Relates: https://github.com/389ds/389-ds-base/issues/6238

Reviewed by: ?

- - - - -
eb7e57d7 by progier389 at 2024-07-08T11:19:09+02:00
Issue 6155 - ldap-agent fails to start because of permission error (#6179)

Issue: dirsrv-snmp service fails to start when SELinux is enforced because of AVC preventing to open some files
One workaround is to use the dac_override capability but it is a bad practice.
Fix: Setting proper permissions:

Running ldap-agent with uid=root and gid=dirsrv to be able to access both snmp and dirsrv resources.
Setting read permission on the group for the dse.ldif file
Setting r/w permissions on the group for the snmp semaphore and mmap file
For that one special care is needed because ns-slapd umask overrides the file creation permission
as is better to avoid changing the umask (changing umask within the code is not thread safe,
and the current 0022 umask value is correct for most of the files) so the safest way is to chmod the snmp file
if the needed permission are not set.
Issue: #6155

Reviewed by: @droideck , @vashirov (Thanks ! )
- - - - -
a3d35219 by Simon Pichugin at 2024-07-09T18:09:28-07:00
Issue 6254 - Enabling replication for a sub suffix crashes browser (#6255)

Bug Description: Web Console: Enabling replication for a sub-suffix causes
TypeError: this.props.data.nsds5replicabinddn is not iterable.

Fix Description: Make sure that loadSuffixTree is run for subsuffixes, too.
Set defaults if data is absent.

Fixes: https://github.com/389ds/389-ds-base/issues/6254

Reviewed by: @progier389 (Thanks!)
- - - - -
0f6a9215 by progier389 at 2024-07-17T10:18:48+02:00
Issue 6238 - Fix test_audit_json_logging CI test regression (#6264)

CI test test_audit_json_logging report generation fails because some log file contains non UTF-8 characters.
The fix is to ignore invalid characters when generating the report.
(So that the logs get properly copied in the assets)

Issue #6238

Reviewed by: @mreynolds389 (Thanks!)
- - - - -
7f92c01c by progier389 at 2024-07-17T15:52:37+02:00
Issue 6248 - fix fanalyzer warnings (#6253)

* Issue 6248 - fix fanalyzer warnings
* Issue 6248 - fix fanalyzer warnings - clang warning
* Issue 6248 - fix fanalyzer warnings - fix non debug warning

This change removes all gcc -fanalyzer warnings.
A number of them are not that interesting (false positives due to some limits of the analyzer and some possible crashes when running out of memory).
But some of these warnings were real concerns.

Issue #6248

Reviewed by: @droideck (Thanks!)
- - - - -
298aa73a by progier389 at 2024-07-19T11:39:56+02:00
Issue 6245 - Revert __COVERITY__ ifndef (#6268)

PR #6246 generated 300 new coverity scan defects about uninitialized variable because slapi_pblock_get is
within #ifndef COVERITY
Since it generates more warnings than it fixes, this change reverts this part.

Issue: #6245

Reviewed by: @vashirov , @droideck (Thanks!)
- - - - -
32a0e26a by dependabot[bot] at 2024-07-23T10:30:03+02:00
Bump openssl from 0.10.64 to 0.10.66 in /src

Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.64 to 0.10.66.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.64...openssl-v0.10.66)

---
updated-dependencies:
- dependency-name: openssl
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support at github.com>
- - - - -
bd5e0ef7 by Viktor Ashirov at 2024-07-23T12:46:06+02:00
Issue 5853 - Update Cargo.lock

Description:
Update Cargo.lock to bump dependencies' versions.

Relates: https://github.com/389ds/389-ds-base/issues/5853

Reviewed by: @progier389 (Thanks!)

- - - - -
f75b5e24 by progier389 at 2024-07-25T09:40:15+02:00
Issue 6265 - lmdb - missing entries in range searches (#6266)

* Issue 6265 - lmdb - missing entries in range searches

Several issues seen after generating ldif with 2000 users and importing it in a replica:

1. The entryid attribute is missing in the suffix entry.
2. Access log shows that the internal search looking for "(parentid>=1)" is not returning all entries but one.
3. When initializing a replica through a replication agreement some entries are missing (because of 2)
4. Once 2. gets fixed, the bulk import still fails because the default values for nsds5ReplicaFlowControlWindow and nsds5ReplicaFlowControlPause are not adapted to lmdb (supplier sent the entry faster than bdb and the target replica import them slower).

The fix is about:

1. Ensuring that the operational attributes are properly set when importing the suffix entry.
2. and 3. Avoid using database bulk operation when computing range unless we are sure that bdb is used (rely instead on the generic dblayer database iterator - dblayer_cursor_iterate).
4. Change the default values for nsds5ReplicaFlowControlWindow and nsds5ReplicaFlowControlPause if agreement is on a lmdb backend.

Issue: #6265

Reviewed by: @vashirov, @droideck (Thanks!)

- - - - -
d05836dd by Sumedh Sidhaye at 2024-07-25T15:34:36+02:00
Issue 6256 - nsslapd-numlisteners limit is not enforced

Description: Add a test to check if nsslapd-numlisteners value
can be set higher than 4

Relates: https://github.com/389ds/389-ds-base/issues/6256

Reviewed by: droideck

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>

- - - - -
36a2f1d5 by James Chapman at 2024-07-26T12:02:30+02:00
Security fix for CVE-2024-2199

Description:
A denial of service vulnerability was found in the 389 Directory Server.
This issue may allow an authenticated user to cause a server crash while
modifying userPassword using malformed input.

Fix Description:
When doing a mod on userPassword we reset the pblock modifier after we
set the modified timestamp, ensuring the pblock data stays valid.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-2199
- https://access.redhat.com/security/cve/CVE-2024-2199
- https://bugzilla.redhat.com/show_bug.cgi?id=2267976

- - - - -
b1e9acf3 by Pierre Rogier at 2024-07-26T12:03:06+02:00
Security fix for CVE-2024-3657

Description:
A flaw was found in the 389 Directory Server. A specially-crafted LDAP query
can potentially cause a failure on the directory server, leading to a denial
of service.

Fix Description:
The code was modified to avoid a buffer overflow when logging some requests
in the audit log.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-3657
- https://access.redhat.com/security/cve/CVE-2024-3657
- https://bugzilla.redhat.com/show_bug.cgi?id=2274401

- - - - -
9e6cefb1 by Pierre Rogier at 2024-07-26T12:03:26+02:00
Security fix for CVE-2024-5953

Description:
A denial of service vulnerability was found in the 389 Directory Server.
This issue may allow an authenticated user to cause a server denial
of service while attempting to log in with a user with a malformed hash
in their password.

Fix Description:
To prevent buffer overflow when a bind request is processed, the bind fails
if the hash size is not coherent without even attempting to process further
the hashed password.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-5953
- https://access.redhat.com/security/cve/CVE-2024-5953
- https://bugzilla.redhat.com/show_bug.cgi?id=2292104

- - - - -
a468073b by Thierry Bordaz at 2024-07-26T12:03:42+02:00
Security fix for CVE-2024-6237

Description:
A flaw was found in the 389 Directory Server. This flaw allows
an unauthenticated user to cause a systematic server crash while sending
a specific extended search request, leading to a denial of service.

Fix Description:
Add missing parameter to `slapi_log_err` function call.

References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-6237
- https://access.redhat.com/security/cve/CVE-2024-6237
- https://bugzilla.redhat.com/show_bug.cgi?id=2293579
- https://github.com/389ds/389-ds-base/issues/5989

- - - - -
23c4d457 by Viktor Ashirov at 2024-07-26T18:56:55+02:00
Issue 5327 - Fix test metadata

Description:
Metadata validation job fails on unescaped sequence used in the docstring.

Fix Description:
Escape unicode value in the docstring.

Relates: https://github.com/389ds/389-ds-base/issues/5327

Reviewed by: @droideck (Thanks!)

- - - - -
9753fb91 by James Chapman at 2024-07-30T03:55:59+01:00
Issue 6256 - nsslapd-numlisteners limit is not enforced (#6257)

Description: When an invalid value for the attribute nsslapd-numlisteners
is used, config normalises the value but the invalid value is written to
dse.ldif.

Fix description: Modify config to reject an invalid value if one is used.

Fixes: https://github.com/389ds/389-ds-base/issues/6256

Reviewed by: @droideck (Thank you)
- - - - -
aef16683 by Viktor Ashirov at 2024-07-30T10:13:20+02:00
Bump version to 3.1.1

- - - - -


23 changed files:

- .github/scripts/generate_matrix.py
- .github/workflows/compile.yml
- + .github/workflows/coverity.yml
- .github/workflows/lmdbpytest.yml
- .github/workflows/npm.yml
- .github/workflows/pytest.yml
- .github/workflows/release.yml
- .github/workflows/validate.yml
- .gitignore
- Makefile.am
- VERSION.sh
- configure.ac
- dirsrvtests/conftest.py
- dirsrvtests/report.py
- + dirsrvtests/tests/data/freeipa/issue6136/dse.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/ipaca.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/15rfc2307bis.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/15rfc4876.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/60basev2.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/60basev3.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/60basev4.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/60certificate-profiles.ldif
- + dirsrvtests/tests/data/freeipa/issue6136/schema/60ipaconfig.ldif


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/aa50e5bbf1fde22bcf6cad5a192edad306ef1f40...aef16683ff3d280c53049551a99dd44f22f989e2
