From 53cecf3abcc08724ae9b21fd02b8423fd39e7086 Mon Sep 17 00:00:00 2001

From: progier389 <progier@redhat.com>

Date: Fri, 17 Nov 2023 14:41:51 +0100

Subject: [PATCH] Issue 5984 - Crash when paged result search are abandoned -

 fix + fix2 (#5985 and #5987)

Notice: This cherry-pick include two commit:

df7dd8320 Issue 5984 - Crash when paged result search are abandoned - fix2 (#5987)

06bd08629 Issue 5984 - Crash when paged result search are abandoned (#5985)

The reason is that cherry pick of #5985 generates lots of conflict in __init.py

 and #5987 only revert that file ==> So it is easier and safer to keep the original

  file.

* Issue 5984 - Crash when paged result search are abandoned

Problem:

  Fix #4551 has changed the lock that protects the paged result data

  within a connection. But the abandon operation attempts to free

  the paged search result with the connection lock.

  This leads to race condition and double free causing an heap

  corruption and a SIGSEGV.

  Solution:

   - Get a copy of the operation data that needs to be logged.

   - Unlock the connection mutex (to avoid deadlock risk)

   - Free the paged result while holding the paged result lock.

Issue: 5984

Reviewed by: @tbordaz (Thanks!)

(cherry picked from commit 06bd0862956672eb76276cab5c1dd906fe5a7eec)

---

 .../paged_results/paged_results_test.py       | 758 +++++++++---------

 ldap/servers/slapd/abandon.c                  |  23 +-

 ldap/servers/slapd/opshared.c                 |   4 +-

 ldap/servers/slapd/pagedresults.c             |   8 +-

 ldap/servers/slapd/proto-slap.h               |   2 +-

 5 files changed, 392 insertions(+), 403 deletions(-)

diff --git a/dirsrvtests/tests/suites/paged_results/paged_results_test.py b/dirsrvtests/tests/suites/paged_results/paged_results_test.py

index ae2627b75..a030824c6 100644

--- a/dirsrvtests/tests/suites/paged_results/paged_results_test.py

+++ b/dirsrvtests/tests/suites/paged_results/paged_results_test.py

@@ -1,21 +1,32 @@

 # --- BEGIN COPYRIGHT BLOCK ---

-# Copyright (C) 2016 Red Hat, Inc.

+# Copyright (C) 2020 Red Hat, Inc.

 # All rights reserved.

 #

 # License: GPL (version 3 or any later version).

 # See LICENSE for details.

 # --- END COPYRIGHT BLOCK ---

 #

-from random import sample

+import socket

+from random import sample, randrange

 import pytest

 from ldap.controls import SimplePagedResultsControl, GetEffectiveRightsControl

 from lib389.tasks import *

 from lib389.utils import *

 from lib389.topologies import topology_st

-from lib389._constants import DN_LDBM, DN_DM, DEFAULT_SUFFIX, BACKEND_NAME, PASSWORD

+from lib389._constants import DN_LDBM, DN_DM, DEFAULT_SUFFIX

+from lib389._controls import SSSRequestControl

+from lib389.idm.user import UserAccount, UserAccounts

+from lib389.cli_base import FakeArgs

+from lib389.config import LDBMConfig

+from lib389.dbgen import dbgen_users

-from sss_control import SSSRequestControl

+from lib389.idm.organization import Organization

+from lib389.idm.organizationalunit import OrganizationalUnit

+from lib389.backend import Backends

+from lib389._mapped_object import DSLdapObject

+

+pytestmark = pytest.mark.tier1

 DEBUGGING = os.getenv('DEBUGGING', False)

@@ -26,9 +37,8 @@ else:

 log = logging.getLogger(__name__)

-TEST_USER_NAME = 'simplepaged_test'

-TEST_USER_DN = 'uid={},{}'.format(TEST_USER_NAME, DEFAULT_SUFFIX)

 TEST_USER_PWD = 'simplepaged_test'

+

 NEW_SUFFIX_1_NAME = 'test_parent'

 NEW_SUFFIX_1 = 'o={}'.format(NEW_SUFFIX_1_NAME)

 NEW_SUFFIX_2_NAME = 'child'

@@ -36,34 +46,90 @@ NEW_SUFFIX_2 = 'ou={},{}'.format(NEW_SUFFIX_2_NAME, NEW_SUFFIX_1)

 NEW_BACKEND_1 = 'parent_base'

 NEW_BACKEND_2 = 'child_base'

+OLD_HOSTNAME = socket.gethostname()

+if os.getuid() == 0:

+    socket.sethostname('localhost')

+HOSTNAME = socket.gethostname()

+IP_ADDRESS = socket.gethostbyname(HOSTNAME)

+OLD_IP_ADDRESS = socket.gethostbyname(OLD_HOSTNAME)

+

 @pytest.fixture(scope="module")

-def test_user(topology_st, request):

+def create_40k_users(topology_st, request):

+    inst = topology_st.standalone

+

+    # Prepare return value

+    retval = FakeArgs()

+    retval.inst = inst

+    retval.bename = '40k'

+    retval.suffix = 'o=%s' % retval.bename

+    ldifdir = inst.get_ldif_dir()

+    retval.ldif_file = '%s/%s.ldif' % (ldifdir, retval.bename)

+

+    # Create new backend

+    bes = Backends(inst)

+    be_1 = bes.create(properties={

+        'cn': retval.bename,

+        'nsslapd-suffix': retval.suffix,

+    })

+

+    # Set paged search lookthrough limit

+    ldbmconfig = LDBMConfig(inst)

+    ldbmconfig.replace('nsslapd-pagedlookthroughlimit', b'100000')

+

+    # Create ldif and import it.

+    dbgen_users(inst, 40000, retval.ldif_file, retval.suffix)

+    # tasks = Tasks(inst)

+    # args = {TASK_WAIT: True}

+    # tasks.importLDIF(retval.suffix, None, retval.ldif_file, args)

+    inst.stop()

+    assert inst.ldif2db(retval.bename, None, None, None, retval.ldif_file, None)

+    inst.start()

+

+    # And set an aci allowing anonymous read

+    log.info('Adding ACI to allow our test user to search')

+    ACI_TARGET = '(targetattr != "userPassword || aci")'

+    ACI_ALLOW = '(version 3.0; acl "Enable anonymous access";allow (read, search, compare)'

+    ACI_SUBJECT = '(userdn = "ldap:///anyone");)'

+    ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

+    o_1 = Organization(inst, retval.suffix)

+    o_1.set('aci', ACI_BODY)

+

+    return retval

+

+

+@pytest.fixture(scope="module")

+def create_user(topology_st, request):

     """User for binding operation"""

-    log.info('Adding user {}'.format(TEST_USER_DN))

-    try:

-        topology_st.standalone.add_s(Entry((TEST_USER_DN, {

-            'objectclass': 'top person'.split(),

-            'objectclass': 'organizationalPerson',

-            'objectclass': 'inetorgperson',

-            'cn': TEST_USER_NAME,

-            'sn': TEST_USER_NAME,

-            'userpassword': TEST_USER_PWD,

-            'mail': '%s@redhat.com' % TEST_USER_NAME,

-            'uid': TEST_USER_NAME

-        })))

-    except ldap.LDAPError as e:

-        log.error('Failed to add user (%s): error (%s)' % (TEST_USER_DN,

-                                                           e.message['desc']))

-        raise e

+    log.info('Adding user simplepaged_test')

+    new_uri = topology_st.standalone.ldapuri.replace(OLD_HOSTNAME, HOSTNAME)

+    topology_st.standalone.ldapuri = new_uri

+    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)

+    user = users.create(properties={

+        'uid': 'simplepaged_test',

+        'cn': 'simplepaged_test',

+        'sn': 'simplepaged_test',

+        'uidNumber': '1234',

+        'gidNumber': '1234',

+        'homeDirectory': '/home/simplepaged_test',

+        'userPassword': TEST_USER_PWD,

+    })

+

+    # Now add the ACI so simplepage_test can read the users ...

+    ACI_BODY = ensure_bytes('(targetattr= "uid || sn || dn")(version 3.0; acl "Allow read for user"; allow (read,search,compare) userdn = "ldap:///all";)')

+    topology_st.standalone.modify_s(DEFAULT_SUFFIX, [(ldap.MOD_REPLACE, 'aci', ACI_BODY)])

     def fin():

-        log.info('Deleting user {}'.format(TEST_USER_DN))

-        topology_st.standalone.delete_s(TEST_USER_DN)

+        log.info('Deleting user simplepaged_test')

+        if not DEBUGGING:

+            user.delete()

+        if os.getuid() == 0:

+            socket.sethostname(OLD_HOSTNAME)

     request.addfinalizer(fin)

+    return user

 @pytest.fixture(scope="module")

 def new_suffixes(topology_st):

@@ -72,47 +138,40 @@ def new_suffixes(topology_st):

     """

     log.info('Adding suffix:{} and backend: {}'.format(NEW_SUFFIX_1, NEW_BACKEND_1))

-    topology_st.standalone.backend.create(NEW_SUFFIX_1,

-                                          {BACKEND_NAME: NEW_BACKEND_1})

-    topology_st.standalone.mappingtree.create(NEW_SUFFIX_1,

-                                              bename=NEW_BACKEND_1)

-    try:

-        topology_st.standalone.add_s(Entry((NEW_SUFFIX_1, {

-            'objectclass': 'top',

-            'objectclass': 'organization',

-            'o': NEW_SUFFIX_1_NAME

-        })))

-    except ldap.LDAPError as e:

-        log.error('Failed to add suffix ({}): error ({})'.format(NEW_SUFFIX_1,

-                                                                 e.message['desc']))

-        raise

-    log.info('Adding suffix:{} and backend: {}'.format(NEW_SUFFIX_2, NEW_BACKEND_2))

-    topology_st.standalone.backend.create(NEW_SUFFIX_2,

-                                          {BACKEND_NAME: NEW_BACKEND_2})

-    topology_st.standalone.mappingtree.create(NEW_SUFFIX_2,

-                                              bename=NEW_BACKEND_2,

-                                              parent=NEW_SUFFIX_1)

-

-    try:

-        topology_st.standalone.add_s(Entry((NEW_SUFFIX_2, {

-            'objectclass': 'top',

-            'objectclass': 'organizationalunit',

-            'ou': NEW_SUFFIX_2_NAME

-        })))

-    except ldap.LDAPError as e:

-        log.error('Failed to add suffix ({}): error ({})'.format(NEW_SUFFIX_2,

-                                                                 e.message['desc']))

-        raise

+    bes = Backends(topology_st.standalone)

+    bes.create(properties={

+        'cn': 'NEW_BACKEND_1',

+        'nsslapd-suffix': NEW_SUFFIX_1,

+    })

+    # Create the root objects with their ACI

     log.info('Adding ACI to allow our test user to search')

     ACI_TARGET = '(targetattr != "userPassword || aci")'

     ACI_ALLOW = '(version 3.0; acl "Enable anonymous access";allow (read, search, compare)'

     ACI_SUBJECT = '(userdn = "ldap:///anyone");)'

     ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

-    mod = [(ldap.MOD_ADD, 'aci', ACI_BODY)]

-    topology_st.standalone.modify_s(NEW_SUFFIX_1, mod)

+    o_1 = Organization(topology_st.standalone, NEW_SUFFIX_1)

+    o_1.create(properties={

+        'o': NEW_SUFFIX_1_NAME,

+        'aci': ACI_BODY,

+    })

+

+    log.info('Adding suffix:{} and backend: {}'.format(NEW_SUFFIX_2, NEW_BACKEND_2))

+    be_2 = bes.create(properties={

+        'cn': 'NEW_BACKEND_2',

+        'nsslapd-suffix': NEW_SUFFIX_2,

+    })

+

+    # We have to adjust the MT to say that BE_1 is a parent.

+    mt = be_2.get_mapping_tree()

+    mt.set_parent(NEW_SUFFIX_1)

+

+    ou_2 = OrganizationalUnit(topology_st.standalone, NEW_SUFFIX_2)

+    ou_2.create(properties={

+        'ou': NEW_SUFFIX_2_NAME

+    })

 def add_users(topology_st, users_num, suffix):

@@ -122,72 +181,54 @@ def add_users(topology_st, users_num, suffix):

     """

     users_list = []

+    users = UserAccounts(topology_st.standalone, suffix, rdn=None)

+

     log.info('Adding %d users' % users_num)

     for num in sample(range(1000), users_num):

         num_ran = int(round(num))

         USER_NAME = 'test%05d' % num_ran

-        USER_DN = 'uid=%s,%s' % (USER_NAME, suffix)

-        users_list.append(USER_DN)

-        try:

-            topology_st.standalone.add_s(Entry((USER_DN, {

-                'objectclass': 'top person'.split(),

-                'objectclass': 'organizationalPerson',

-                'objectclass': 'inetorgperson',

-                'cn': USER_NAME,

-                'sn': USER_NAME,

-                'userpassword': 'pass%s' % num_ran,

-                'mail': '%s@redhat.com' % USER_NAME,

-                'uid': USER_NAME})))

-        except ldap.LDAPError as e:

-            log.error('Failed to add user (%s): error (%s)' % (USER_DN,

-                                                               e.message['desc']))

-            raise e

+

+        user = users.create(properties={

+            'uid': USER_NAME,

+            'sn': USER_NAME,

+            'cn': USER_NAME,

+            'uidNumber': '%s' % num_ran,

+            'gidNumber': '%s' % num_ran,

+            'homeDirectory': '/home/%s' % USER_NAME,

+            'mail': '%s@redhat.com' % USER_NAME,

+            'userpassword': 'pass%s' % num_ran,

+        })

+        users_list.append(user)

     return users_list

-def del_users(topology_st, users_list):

+def del_users(users_list):

     """Delete users with DNs from given list"""

     log.info('Deleting %d users' % len(users_list))

-    for user_dn in users_list:

-        try:

-            topology_st.standalone.delete_s(user_dn)

-        except ldap.LDAPError as e:

-            log.error('Failed to delete user (%s): error (%s)' % (user_dn,

-                                                                  e.message['desc']))

-            raise e

+    for user in users_list:

+        user.delete()

 def change_conf_attr(topology_st, suffix, attr_name, attr_value):

-    """Change configurational attribute in the given suffix.

+    """Change configuration attribute in the given suffix.

     Returns previous attribute value.

     """

-    try:

-        entries = topology_st.standalone.search_s(suffix, ldap.SCOPE_BASE,

-                                                  'objectclass=top',

-                                                  [attr_name])

-        attr_value_bck = entries[0].data.get(attr_name)

-        log.info('Set %s to %s. Previous value - %s. Modified suffix - %s.' % (

-            attr_name, attr_value, attr_value_bck, suffix))

-        if attr_value is None:

-            topology_st.standalone.modify_s(suffix, [(ldap.MOD_DELETE,

-                                                      attr_name,

-                                                      attr_value)])

-        else:

-            topology_st.standalone.modify_s(suffix, [(ldap.MOD_REPLACE,

-                                                      attr_name,

-                                                      attr_value)])

-    except ldap.LDAPError as e:

-        log.error('Failed to change attr value (%s): error (%s)' % (attr_name,

-                                                                    e.message['desc']))

-        raise e

+    entry = DSLdapObject(topology_st.standalone, suffix)

+    attr_value_bck = entry.get_attr_val_bytes(attr_name)

+    log.info('Set %s to %s. Previous value - %s. Modified suffix - %s.' % (

+        attr_name, attr_value, attr_value_bck, suffix))

+    if attr_value is None:

+        entry.remove_all(attr_name)

+    else:

+        entry.replace(attr_name, attr_value)

     return attr_value_bck

-def paged_search(topology_st, suffix, controls, search_flt, searchreq_attrlist):

+def paged_search(conn, suffix, controls, search_flt, searchreq_attrlist, abandon_rate=0):

     """Search at the DEFAULT_SUFFIX with ldap.SCOPE_SUBTREE

     using Simple Paged Control(should the first item in the

     list controls.

@@ -206,14 +247,17 @@ def paged_search(topology_st, suffix, controls, search_flt, searchreq_attrlist):

                                                     searchreq_attrlist,

                                                     req_pr_ctrl.size,

                                                     str(controls)))

-    msgid = topology_st.standalone.search_ext(suffix,

-                                              ldap.SCOPE_SUBTREE,

-                                              search_flt,

-                                              searchreq_attrlist,

-                                              serverctrls=controls)

+    msgid = conn.search_ext(suffix, ldap.SCOPE_SUBTREE, search_flt, searchreq_attrlist, serverctrls=controls)

+    log.info('Getting page %d' % (pages,))

     while True:

-        log.info('Getting page %d' % (pages,))

-        rtype, rdata, rmsgid, rctrls = topology_st.standalone.result3(msgid)

+        try:

+            rtype, rdata, rmsgid, rctrls = conn.result3(msgid, timeout=0.001)

+        except ldap.TIMEOUT:

+            if pages > 0 and abandon_rate>0 and randrange(100)

+                conn.abandon(msgid)

+                log.info('Paged result search is abandonned.')

+                return all_results

+            continue

         log.debug('Data: {}'.format(rdata))

         all_results.extend(rdata)

         pages += 1

@@ -228,27 +272,25 @@ def paged_search(topology_st, suffix, controls, search_flt, searchreq_attrlist):

                 # Copy cookie from response control to request control

                 log.debug('Cookie: {}'.format(pctrls[0].cookie))

                 req_pr_ctrl.cookie = pctrls[0].cookie

-                msgid = topology_st.standalone.search_ext(suffix,

-                                                          ldap.SCOPE_SUBTREE,

-                                                          search_flt,

-                                                          searchreq_attrlist,

-                                                          serverctrls=controls)

+                msgid = conn.search_ext(suffix, ldap.SCOPE_SUBTREE, search_flt, searchreq_attrlist, serverctrls=controls)

             else:

                 break  # No more pages available

         else:

             break

+        log.info('Getting page %d' % (pages,))

     assert not pctrls[0].cookie

     return all_results

-@pytest.mark.parametrize("page_size,users_num",

-                         [(6, 5), (5, 5), (5, 25)])

-def test_search_success(topology_st, test_user, page_size, users_num):

+@pytest.mark.parametrize("page_size,users_num", [(6, 5), (5, 5), (5, 25)])

+def test_search_success(topology_st, create_user, page_size, users_num):

     """Verify that search with a simple paged results control

     returns all entries it should without errors.

     :id: ddd15b70-64f1-4a85-a793-b24761e50354

+    :customerscenario: True

+    :parametrized: yes

     :feature: Simple paged results

     :setup: Standalone instance, test user for binding,

             varying number of users for the search base

@@ -264,21 +306,16 @@ def test_search_success(topology_st, test_user, page_size, users_num):

     search_flt = r'(uid=test*)'

     searchreq_attrlist = ['dn', 'sn']

-    try:

-        log.info('Set user bind')

-        topology_st.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PWD)

+    log.info('Set user bind %s ' % create_user)

+    conn = create_user.bind(TEST_USER_PWD)

-        req_ctrl = SimplePagedResultsControl(True, size=page_size, cookie='')

+    req_ctrl = SimplePagedResultsControl(True, size=page_size, cookie='')

+    all_results = paged_search(conn, DEFAULT_SUFFIX, [req_ctrl], search_flt, searchreq_attrlist)

-        all_results = paged_search(topology_st, DEFAULT_SUFFIX, [req_ctrl],

-                                   search_flt, searchreq_attrlist)

+    log.info('%d results' % len(all_results))

+    assert len(all_results) == len(users_list)

-        log.info('%d results' % len(all_results))

-        assert len(all_results) == len(users_list)

-    finally:

-        log.info('Set Directory Manager bind back (test_search_success)')

-        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)

-        del_users(topology_st, users_list)

+    del_users(users_list)

 @pytest.mark.parametrize("page_size,users_num,suffix,attr_name,attr_value,expected_err", [

@@ -292,13 +329,15 @@ def test_search_success(topology_st, test_user, page_size, users_num):

      ldap.SIZELIMIT_EXCEEDED),

     (5, 50, 'cn=config,%s' % DN_LDBM, 'nsslapd-lookthroughlimit', '20',

      ldap.ADMINLIMIT_EXCEEDED)])

-def test_search_limits_fail(topology_st, test_user, page_size, users_num,

+def test_search_limits_fail(topology_st, create_user, page_size, users_num,

                             suffix, attr_name, attr_value, expected_err):

     """Verify that search with a simple paged results control

     throws expected exceptoins when corresponding limits are

     exceeded.

     :id: e3067107-bd6d-493d-9989-3e641a9337b0

+    :customerscenario: True

+    :parametrized: yes

     :setup: Standalone instance, test user for binding,

             varying number of users for the search base

     :steps:

@@ -321,7 +360,7 @@ def test_search_limits_fail(topology_st, test_user, page_size, users_num,

     try:

         log.info('Set user bind')

-        topology_st.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PWD)

+        conn = create_user.bind(TEST_USER_PWD)

         log.info('Create simple paged results control instance')

         req_ctrl = SimplePagedResultsControl(True, size=page_size, cookie='')

@@ -330,11 +369,8 @@ def test_search_limits_fail(topology_st, test_user, page_size, users_num,

             sort_ctrl = SSSRequestControl(True, ['sn'])

             controls.append(sort_ctrl)

         log.info('Initiate ldapsearch with created control instance')

-        msgid = topology_st.standalone.search_ext(DEFAULT_SUFFIX,

-                                                  ldap.SCOPE_SUBTREE,

-                                                  search_flt,

-                                                  searchreq_attrlist,

-                                                  serverctrls=controls)

+        msgid = conn.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,

+                                search_flt, searchreq_attrlist, serverctrls=controls)

         time_val = conf_param_dict.get('nsslapd-timelimit')

         if time_val:

@@ -345,12 +381,11 @@ def test_search_limits_fail(topology_st, test_user, page_size, users_num,

         pctrls = []

         while True:

             log.info('Getting page %d' % (pages,))

-            if pages == 0 and (time_val or attr_name in ('nsslapd-lookthroughlimit',

-                                                         'nsslapd-pagesizelimit')):

-                rtype, rdata, rmsgid, rctrls = topology_st.standalone.result3(msgid)

+            if pages == 0 and (time_val or attr_name == 'nsslapd-pagesizelimit'):

+                rtype, rdata, rmsgid, rctrls = conn.result3(msgid)

             else:

                 with pytest.raises(expected_err):

-                    rtype, rdata, rmsgid, rctrls = topology_st.standalone.result3(msgid)

+                    rtype, rdata, rmsgid, rctrls = conn.result3(msgid)

                     all_results.extend(rdata)

                     pages += 1

                     pctrls = [

@@ -363,28 +398,24 @@ def test_search_limits_fail(topology_st, test_user, page_size, users_num,

                 if pctrls[0].cookie:

                     # Copy cookie from response control to request control

                     req_ctrl.cookie = pctrls[0].cookie

-                    msgid = topology_st.standalone.search_ext(DEFAULT_SUFFIX,

-                                                              ldap.SCOPE_SUBTREE,

-                                                              search_flt,

-                                                              searchreq_attrlist,

-                                                              serverctrls=controls)

+                    msgid = conn.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,

+                                            search_flt, searchreq_attrlist, serverctrls=controls)

                 else:

                     break  # No more pages available

             else:

                 break

     finally:

-        log.info('Set Directory Manager bind back (test_search_limits_fail)')

-        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)

-        del_users(topology_st, users_list)

+        del_users(users_list)

         change_conf_attr(topology_st, suffix, attr_name, attr_value_bck)

-def test_search_sort_success(topology_st, test_user):

+def test_search_sort_success(topology_st, create_user):

     """Verify that search with a simple paged results control

     and a server side sort control returns all entries

     it should without errors.

     :id: 17d8b150-ed43-41e1-b80f-ee9b4ce45155

+    :customerscenario: True

     :setup: Standalone instance, test user for binding,

             varying number of users for the search base

     :steps:

@@ -403,8 +434,7 @@ def test_search_sort_success(topology_st, test_user):

     searchreq_attrlist = ['dn', 'sn']

     try:

-        log.info('Set user bind')

-        topology_st.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PWD)

+        conn = create_user.bind(TEST_USER_PWD)

         req_ctrl = SimplePagedResultsControl(True, size=page_size, cookie='')

         sort_ctrl = SSSRequestControl(True, ['sn'])

@@ -412,25 +442,25 @@ def test_search_sort_success(topology_st, test_user):

         log.info('Initiate ldapsearch with created control instance')

         log.info('Collect data with sorting')

         controls = [req_ctrl, sort_ctrl]

-        results_sorted = paged_search(topology_st, DEFAULT_SUFFIX, controls,

+        results_sorted = paged_search(conn, DEFAULT_SUFFIX, controls,

                                       search_flt, searchreq_attrlist)

         log.info('Substring numbers from user DNs')

-        r_nums = map(lambda x: int(x[0][8:13]), results_sorted)

+        # r_nums = map(lambda x: int(x[0][8:13]), results_sorted)

+        r_nums = [int(x[0][8:13]) for x in results_sorted]

         log.info('Assert that list is sorted')

         assert all(r_nums[i] <= r_nums[i + 1] for i in range(len(r_nums) - 1))

     finally:

-        log.info('Set Directory Manager bind back (test_search_sort_success)')

-        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)

-        del_users(topology_st, users_list)

+        del_users(users_list)

-def test_search_abandon(topology_st, test_user):

+def test_search_abandon(topology_st, create_user):

     """Verify that search with simple paged results control

     can be abandon

     :id: 0008538b-7585-4356-839f-268828066978

+    :customerscenario: True

     :setup: Standalone instance, test user for binding,

             varying number of users for the search base

     :steps:

@@ -452,36 +482,32 @@ def test_search_abandon(topology_st, test_user):

     try:

         log.info('Set user bind')

-        topology_st.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PWD)

+        conn = create_user.bind(TEST_USER_PWD)

         log.info('Create simple paged results control instance')

         req_ctrl = SimplePagedResultsControl(True, size=page_size, cookie='')

         controls = [req_ctrl]

         log.info('Initiate a search with a paged results control')

-        msgid = topology_st.standalone.search_ext(DEFAULT_SUFFIX,

-                                                  ldap.SCOPE_SUBTREE,

-                                                  search_flt,

-                                                  searchreq_attrlist,

-                                                  serverctrls=controls)

+        msgid = conn.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE,

+                                search_flt, searchreq_attrlist, serverctrls=controls)

         log.info('Abandon the search')

-        topology_st.standalone.abandon(msgid)

+        conn.abandon(msgid)

         log.info('Expect an ldap.TIMEOUT exception, while trying to get the search results')

         with pytest.raises(ldap.TIMEOUT):

-            topology_st.standalone.result3(msgid, timeout=5)

+            conn.result3(msgid, timeout=5)

     finally:

-        log.info('Set Directory Manager bind back (test_search_abandon)')

-        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)

-        del_users(topology_st, users_list)

+        del_users(users_list)

-def test_search_with_timelimit(topology_st, test_user):

+def test_search_with_timelimit(topology_st, create_user):

     """Verify that after performing multiple simple paged searches

     to completion, each with a timelimit, it wouldn't fail, if we sleep

     for a time more than the timelimit.

     :id: 6cd7234b-136c-419f-bf3e-43aa73592cff

+    :customerscenario: True

     :setup: Standalone instance, test user for binding,

             varying number of users for the search base

     :steps:

@@ -506,7 +532,7 @@ def test_search_with_timelimit(topology_st, test_user):

     try:

         log.info('Set user bind')

-        topology_st.standalone.simple_bind_s(TEST_USER_DN, TEST_USER_PWD)

+        conn = create_user.bind(TEST_USER_PWD)

         log.info('Create simple paged results control instance')

         req_ctrl = SimplePagedResultsControl(True, size=page_size, cookie='')

@@ -514,18 +540,14 @@ def test_search_with_timelimit(topology_st, test_user):

         for ii in range(3):

             log.info('Iteration %d' % ii)

-            msgid = topology_st.standalone.search_ext(DEFAULT_SUFFIX,

-                                                      ldap.SCOPE_SUBTREE,

-                                                      search_flt,

-                                                      searchreq_attrlist,

-                                                      serverctrls=controls,

-                                                      timeout=timelimit)

+            msgid = conn.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, search_flt,

+                                    searchreq_attrlist, serverctrls=controls, timeout=timelimit)

             pages = 0

             pctrls = []

             while True:

                 log.info('Getting page %d' % (pages,))

-                rtype, rdata, rmsgid, rctrls = topology_st.standalone.result3(msgid)

+                rtype, rdata, rmsgid, rctrls = conn.result3(msgid)

                 pages += 1

                 pctrls = [

                     c

@@ -537,12 +559,8 @@ def test_search_with_timelimit(topology_st, test_user):

                     if pctrls[0].cookie:

                         # Copy cookie from response control to request control

                         req_ctrl.cookie = pctrls[0].cookie

-                        msgid = topology_st.standalone.search_ext(DEFAULT_SUFFIX,

-                                                                  ldap.SCOPE_SUBTREE,

-                                                                  search_flt,

-                                                                  searchreq_attrlist,

-                                                                  serverctrls=controls,

-                                                                  timeout=timelimit)

+                        msgid = conn.search_ext(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, search_flt,

+                                                searchreq_attrlist, serverctrls=controls, timeout=timelimit)

                     else:

                         log.info('Done with this search - sleeping %d seconds' % (

                             timelimit * 2))

@@ -551,24 +569,21 @@ def test_search_with_timelimit(topology_st, test_user):

                 else:

                     break

     finally:

-        log.info('Set Directory Manager bind back (test_search_with_timelimit)')

-        topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)

-        del_users(topology_st, users_list)

+        del_users(users_list)

-@pytest.mark.parametrize('aci_subject',

-                         ('dns = "localhost.localdomain"',

-                          'ip = "::1" or ip = "127.0.0.1"'))

-def test_search_dns_ip_aci(topology_st, test_user, aci_subject):

+def test_search_ip_aci(topology_st, create_user):

     """Verify that after performing multiple simple paged searches

     to completion on the suffix with DNS or IP based ACI

     :id: bbfddc46-a8c8-49ae-8c90-7265d05b22a9

+    :customerscenario: True

+    :parametrized: yes

     :setup: Standalone instance, test user for binding,

             varying number of users for the search base

     :steps:

         1. Back up and remove all previous ACI from suffix

-        2. Add an anonymous ACI for DNS check

+        2. Add an anonymous ACI for IP check

         3. Bind as test user

         4. Search through added users with a simple paged control

         5. Perform steps 4 three times in a row

@@ -584,32 +599,31 @@ def test_search_dns_ip_aci(topology_st, test_user, aci_subject):

         6. ACI should be successfully returned