diff --git a/SOURCES/0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch b/SOURCES/0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch new file mode 100644 index 0000000..b0bc6a8 --- /dev/null +++ b/SOURCES/0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch @@ -0,0 +1,263 @@ +From 9a8ee0954699da05501ded2900a834584346ef85 Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Mon, 25 Nov 2019 10:59:44 +0100 +Subject: [PATCH] Ticket 50736 - RetroCL trimming may crash at shutdown if + trimming configuration is invalid + +Bug Description: + If config of retroCL trimming contains invalid value for trim-interval + and/or maxage, then the trimming initialization is skipped. + In such case the trimming structures are not allocated and if they + are freed at shutdown it triggers a crash + +Fix Description: + When trimming mechanism is stopped (at shutdown) check that + it was successfully initialized before freeing the structs + +https://pagure.io/389-ds-base/issue/50736 + +Reviewed by: Mark Reynolds + +Platforms tested: F30 + +Flag Day: no + +Doc impact: no +--- + .../suites/replication/changelog_test.py | 185 ++++++++++++++++++ + ldap/servers/plugins/retrocl/retrocl_trim.c | 17 +- + 2 files changed, 196 insertions(+), 6 deletions(-) + +diff --git a/dirsrvtests/tests/suites/replication/changelog_test.py b/dirsrvtests/tests/suites/replication/changelog_test.py +index 0b6b886f3..0d3e85bb2 100755 +--- a/dirsrvtests/tests/suites/replication/changelog_test.py ++++ b/dirsrvtests/tests/suites/replication/changelog_test.py +@@ -16,6 +16,12 @@ from lib389.replica import Replicas + from lib389.idm.user import UserAccounts + from lib389.topologies import topology_m2 as topo + from lib389._constants import * ++from lib389.plugins import RetroChangelogPlugin ++from lib389.dseldif import DSEldif ++from lib389.tasks import * ++from lib389.utils import * ++ ++pytestmark = pytest.mark.tier1 + + TEST_ENTRY_NAME = 'replusr' + NEW_RDN_NAME = 'cl5usr' +@@ -235,6 +241,185 @@ def test_verify_changelog_offline_backup(topo): + _check_changelog_ldif(topo, changelog_ldif) + + ++@pytest.mark.ds47669 ++def test_changelog_maxage(topo, changelog_init): ++ """Check nsslapd-changelog max age values ++ ++ :id: d284ff27-03b2-412c-ac74-ac4f2d2fae3b ++ :setup: Replication with two master, change nsslapd-changelogdir to ++ '/var/lib/dirsrv/slapd-master1/changelog' and ++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on' ++ :steps: ++ 1. Set nsslapd-changelogmaxage in cn=changelog5,cn=config to values - '12345','10s','30M','12h','2D','4w' ++ 2. Set nsslapd-changelogmaxage in cn=changelog5,cn=config to values - '-123','xyz' ++ ++ :expectedresults: ++ 1. Operation should be successful ++ 2. Operation should be unsuccessful ++ """ ++ log.info('1. Test nsslapd-changelogmaxage in cn=changelog5,cn=config') ++ ++ # bind as directory manager ++ topo.ms["master1"].log.info("Bind as %s" % DN_DM) ++ topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD) ++ ++ add_and_check(topo, CHANGELOG, MAXAGE, '12345', True) ++ add_and_check(topo, CHANGELOG, MAXAGE, '10s', True) ++ add_and_check(topo, CHANGELOG, MAXAGE, '30M', True) ++ add_and_check(topo, CHANGELOG, MAXAGE, '12h', True) ++ add_and_check(topo, CHANGELOG, MAXAGE, '2D', True) ++ add_and_check(topo, CHANGELOG, MAXAGE, '4w', True) ++ add_and_check(topo, CHANGELOG, MAXAGE, '-123', False) ++ add_and_check(topo, CHANGELOG, MAXAGE, 'xyz', False) ++ ++ ++@pytest.mark.ds47669 ++def test_ticket47669_changelog_triminterval(topo, changelog_init): ++ """Check nsslapd-changelog triminterval values ++ ++ :id: 8f850c37-7e7c-49dd-a4e0-9344638616d6 ++ :setup: Replication with two master, change nsslapd-changelogdir to ++ '/var/lib/dirsrv/slapd-master1/changelog' and ++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on' ++ :steps: ++ 1. Set nsslapd-changelogtrim-interval in cn=changelog5,cn=config to values - ++ '12345','10s','30M','12h','2D','4w' ++ 2. Set nsslapd-changelogtrim-interval in cn=changelog5,cn=config to values - '-123','xyz' ++ ++ :expectedresults: ++ 1. Operation should be successful ++ 2. Operation should be unsuccessful ++ """ ++ log.info('2. Test nsslapd-changelogtrim-interval in cn=changelog5,cn=config') ++ ++ # bind as directory manager ++ topo.ms["master1"].log.info("Bind as %s" % DN_DM) ++ topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD) ++ ++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '12345', True) ++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '10s', True) ++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '30M', True) ++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '12h', True) ++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '2D', True) ++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '4w', True) ++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, '-123', False) ++ add_and_check(topo, CHANGELOG, TRIMINTERVAL, 'xyz', False) ++ ++ ++@pytest.mark.ds47669 ++def test_changelog_compactdbinterval(topo, changelog_init): ++ """Check nsslapd-changelog compactdbinterval values ++ ++ :id: 0f4b3118-9dfa-4c2a-945c-72847b42a48c ++ :setup: Replication with two master, change nsslapd-changelogdir to ++ '/var/lib/dirsrv/slapd-master1/changelog' and ++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on' ++ :steps: ++ 1. Set nsslapd-changelogcompactdb-interval in cn=changelog5,cn=config to values - ++ '12345','10s','30M','12h','2D','4w' ++ 2. Set nsslapd-changelogcompactdb-interval in cn=changelog5,cn=config to values - ++ '-123','xyz' ++ ++ :expectedresults: ++ 1. Operation should be successful ++ 2. Operation should be unsuccessful ++ """ ++ log.info('3. Test nsslapd-changelogcompactdb-interval in cn=changelog5,cn=config') ++ ++ # bind as directory manager ++ topo.ms["master1"].log.info("Bind as %s" % DN_DM) ++ topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD) ++ ++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '12345', True) ++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '10s', True) ++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '30M', True) ++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '12h', True) ++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '2D', True) ++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '4w', True) ++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, '-123', False) ++ add_and_check(topo, CHANGELOG, COMPACTDBINTERVAL, 'xyz', False) ++ ++ ++@pytest.mark.ds47669 ++def test_retrochangelog_maxage(topo, changelog_init): ++ """Check nsslapd-retrochangelog max age values ++ ++ :id: 0cb84d81-3e86-4dbf-84a2-66aefd8281db ++ :setup: Replication with two master, change nsslapd-changelogdir to ++ '/var/lib/dirsrv/slapd-master1/changelog' and ++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on' ++ :steps: ++ 1. Set nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config to values - ++ '12345','10s','30M','12h','2D','4w' ++ 2. Set nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config to values - ++ '-123','xyz' ++ ++ :expectedresults: ++ 1. Operation should be successful ++ 2. Operation should be unsuccessful ++ """ ++ log.info('4. Test nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config') ++ ++ # bind as directory manager ++ topo.ms["master1"].log.info("Bind as %s" % DN_DM) ++ topo.ms["master1"].simple_bind_s(DN_DM, PASSWORD) ++ ++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '12345', True) ++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '10s', True) ++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '30M', True) ++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '12h', True) ++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '2D', True) ++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '4w', True) ++ add_and_check(topo, RETROCHANGELOG, MAXAGE, '-123', False) ++ add_and_check(topo, RETROCHANGELOG, MAXAGE, 'xyz', False) ++ ++ topo.ms["master1"].log.info("ticket47669 was successfully verified.") ++ ++@pytest.mark.ds50736 ++def test_retrochangelog_trimming_crash(topo, changelog_init): ++ """Check that when retroCL nsslapd-retrocthangelog contains invalid ++ value, then the instance does not crash at shutdown ++ ++ :id: 5d9bd7ca-e9bf-4be9-8fc8-902aa5513052 ++ :setup: Replication with two master, change nsslapd-changelogdir to ++ '/var/lib/dirsrv/slapd-master1/changelog' and ++ set cn=Retro Changelog Plugin,cn=plugins,cn=config to 'on' ++ :steps: ++ 1. Set nsslapd-changelogmaxage in cn=Retro Changelog Plugin,cn=plugins,cn=config to value '-1' ++ This value is invalid. To disable retroCL trimming it should be set to 0 ++ 2. Do several restart ++ 3. check there is no 'Detected Disorderly Shutdown' message (crash) ++ 4. restore valid value for nsslapd-changelogmaxage '1w' ++ ++ :expectedresults: ++ 1. Operation should be successful ++ 2. Operation should be successful ++ 3. Operation should be successful ++ 4. Operation should be successful ++ """ ++ log.info('1. Test retroCL trimming crash in cn=Retro Changelog Plugin,cn=plugins,cn=config') ++ ++ # set the nsslapd-changelogmaxage directly on dse.ldif ++ # because the set value is invalid ++ topo.ms["master1"].log.info("ticket50736 start verification") ++ topo.ms["master1"].stop() ++ retroPlugin = RetroChangelogPlugin(topo.ms["master1"]) ++ dse_ldif = DSEldif(topo.ms["master1"]) ++ dse_ldif.replace(retroPlugin.dn, 'nsslapd-changelogmaxage', '-1') ++ topo.ms["master1"].start() ++ ++ # The crash should be systematic, but just in case do several restart ++ # with a delay to let all plugin init ++ for i in range(5): ++ time.sleep(1) ++ topo.ms["master1"].stop() ++ topo.ms["master1"].start() ++ ++ assert not topo.ms["master1"].detectDisorderlyShutdown() ++ ++ topo.ms["master1"].log.info("ticket 50736 was successfully verified.") ++ ++ + if __name__ == '__main__': + # Run isolated + # -s for DEBUG mode +diff --git a/ldap/servers/plugins/retrocl/retrocl_trim.c b/ldap/servers/plugins/retrocl/retrocl_trim.c +index a46534984..0378eb7f6 100644 +--- a/ldap/servers/plugins/retrocl/retrocl_trim.c ++++ b/ldap/servers/plugins/retrocl/retrocl_trim.c +@@ -481,11 +481,16 @@ retrocl_init_trimming(void) + void + retrocl_stop_trimming(void) + { +- retrocl_trimming = 0; +- if (retrocl_trim_ctx) { +- slapi_eq_cancel(retrocl_trim_ctx); +- retrocl_trim_ctx = NULL; ++ if (retrocl_trimming) { ++ /* RetroCL trimming config was valid and trimming struct allocated ++ * Let's free them ++ */ ++ retrocl_trimming = 0; ++ if (retrocl_trim_ctx) { ++ slapi_eq_cancel(retrocl_trim_ctx); ++ retrocl_trim_ctx = NULL; ++ } ++ PR_DestroyLock(ts.ts_s_trim_mutex); ++ ts.ts_s_trim_mutex = NULL; + } +- PR_DestroyLock(ts.ts_s_trim_mutex); +- ts.ts_s_trim_mutex = NULL; + } +-- +2.21.1 + diff --git a/SOURCES/0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch b/SOURCES/0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch new file mode 100644 index 0000000..0eeb397 --- /dev/null +++ b/SOURCES/0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch @@ -0,0 +1,37 @@ +From 37449e509f4a4253bacea57adf6c1d860eaaf1bb Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 2 Aug 2019 12:07:07 -0400 +Subject: [PATCH] Issue 50529 - LDAP server returning PWP controls in + different sequence + +Description: The server returns password policy controls in different orders + depending on the state of grace logins. The requested control, + if any, should be returned first, followed by any controls the + server might add. + +relates: https://pagure.io/389-ds-base/issue/50529 + +Reviewed by: mreynolds (one line commit rule) +--- + ldap/servers/slapd/pw_mgmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c +index befac50cd..ca76fc12f 100644 +--- a/ldap/servers/slapd/pw_mgmt.c ++++ b/ldap/servers/slapd/pw_mgmt.c +@@ -207,10 +207,10 @@ skip: + + /* password expired and user exceeded limit of grace attemps. + * Send result and also the control */ +- slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0); + if (pwresponse_req) { + slapi_pwpolicy_make_response_control(pb, -1, -1, LDAP_PWPOLICY_PWDEXPIRED); + } ++ slapi_add_pwd_control(pb, LDAP_CONTROL_PWEXPIRED, 0); + slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, + "password expired!", 0, NULL); + +-- +2.21.1 + diff --git a/SOURCES/0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch b/SOURCES/0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch new file mode 100644 index 0000000..4441022 --- /dev/null +++ b/SOURCES/0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch @@ -0,0 +1,153 @@ +From c0f3b0c3c95aad6b67a80643bbf389acf7aa191d Mon Sep 17 00:00:00 2001 +From: Simon Pichugin +Date: Thu, 29 Aug 2019 15:51:56 +0200 +Subject: [PATCH] Issue 50572 - After running cl-dump dbdir/cldb/*ldif.done are + not deleted + +Description: By default, remove ldif.done files after running cl-dump. +Add an option '-l' which allows keep the files. +Update man files. + +https://pagure.io/389-ds-base/issue/50572 + +Reviewed by: firstyear, mreynolds (Thanks!) +--- + ldap/admin/src/scripts/cl-dump.pl | 23 +++++++++++++++-------- + man/man1/cl-dump.1 | 11 +++++++---- + 2 files changed, 22 insertions(+), 12 deletions(-) + +diff --git a/ldap/admin/src/scripts/cl-dump.pl b/ldap/admin/src/scripts/cl-dump.pl +index f4ad5dd33..2e7f20413 100755 +--- a/ldap/admin/src/scripts/cl-dump.pl ++++ b/ldap/admin/src/scripts/cl-dump.pl +@@ -5,7 +5,7 @@ + # All rights reserved. + # + # License: GPL (version 3 or any later version). +-# See LICENSE for details. ++# See LICENSE for details. + # END COPYRIGHT BLOCK + ################################################################################### + # +@@ -13,7 +13,7 @@ + # + # SYNOPSIS: + # cl-dump.pl [-h host] [-p port] [-D bind-dn] -w bind-password | -P bind-cert +-# [-r replica-roots] [-o output-file] [-c] [-v] ++# [-r replica-roots] [-o output-file] [-c] [-l] [-v] + # + # cl-dump.pl -i changelog-ldif-file-with-base64encoding [-o output-file] [-c] + # +@@ -22,7 +22,7 @@ + # + # OPTIONS: + # -c Dump and interpret CSN only. This option can be used with or +-# without -i option. ++# without -i option. + # + # -D bind-dn + # Directory server's bind DN. Default to "cn=Directory Manager" if +@@ -32,6 +32,8 @@ + # Directory server's host. Default to the server where the script + # is running. + # ++# -l Preserve generated ldif.done files from changelogdir ++# + # -i changelog-ldif-file-with-base64encoding + # If you already have a ldif-like changelog, but the changes + # in that file are encoded, you may use this option to +@@ -68,7 +70,7 @@ + # all of this nonsense can be omitted if the mozldapsdk and perldap are + # installed in the operating system locations (e.g. /usr/lib /usr/lib/perl5) + +-$usage="Usage: $0 [-h host] [-p port] [-D bind-dn] [-w bind-password | -P bind-cert] [-r replica-roots] [-o output-file] [-c] [-v]\n\n $0 -i changelog-ldif-file-with-base64encoding [-o output-file] [-c]\n"; ++$usage="Usage: $0 [-h host] [-p port] [-D bind-dn] [-w bind-password | -P bind-cert] [-r replica-roots] [-o output-file] [-c] [-l] [-v]\n\n $0 -i changelog-ldif-file-with-base64encoding [-o output-file] [-c]\n"; + + use Getopt::Std; # Parse command line arguments + use Mozilla::LDAP::Conn; # LDAP module for Perl +@@ -86,7 +88,7 @@ $version = "Directory Server Changelog Dump - Version 1.0"; + $| = 1; + + # Check for legal options +- if (!getopts('h:p:D:w:P:r:o:cvi:')) { ++ if (!getopts('h:p:D:w:P:r:o:clvi:')) { + print $usage; + exit -1; + } +@@ -123,7 +125,7 @@ sub validateArgs + if ($opt_o && ! open (OUTPUT, ">$opt_o")) { + print "Can't create output file $opt_o\n"; + $rc = -1; +- } ++ } + # Open STDOUT if option -o is missing + open (OUTPUT, ">-") if !$opt_o; + +@@ -194,10 +196,15 @@ sub cl_dump_and_decode + else { + &cl_decode ($_); + } +- # Test op -M doesn't work well so we use rename ++ # Test op -M doesn't work well so we use rename/remove + # here to avoid reading the same ldif file more + # than once. +- rename ($ldif, "$ldif.done"); ++ if ($opt_l) { ++ rename ($ldif, "$ldif.done"); ++ } else { ++ # Remove the file - default behaviou when '-l' is not specified ++ unlink ($ldif) ++ } + } + &print_header ($replica, "Not Found") if !$gotldif; + } +diff --git a/man/man1/cl-dump.1 b/man/man1/cl-dump.1 +index db736aca9..fbb836a72 100644 +--- a/man/man1/cl-dump.1 ++++ b/man/man1/cl-dump.1 +@@ -20,7 +20,7 @@ cl-dump \- Dump and decode Directory Server replication change log + .SH SYNOPSIS + .B cl\-dump + [\fI\-h host\fR] [\fI\-p port\fR] [\fI\-D bind\(hydn\fR] \-w bind\(hypassword | \-P bind\(hycert +- [\fI\-r replica\(hyroots\fR] [\fI\-o output\(hyfile\fR] [\fI\-c\fR] [\fI\-v\fR] ++ [\fI\-r replica\(hyroots\fR] [\fI\-o output\(hyfile\fR] [\fI\-c\fR] [\fI\-l\fR] [\fI\-v\fR] + + .PP + .B cl\-dump +@@ -30,12 +30,12 @@ cl-dump \- Dump and decode Directory Server replication change log + Dump and decode Directory Server replication change log + .PP + .\" TeX users may be more comfortable with the \fB\fP and +-.\" \fI\fP escape sequences to invode bold face and italics, ++.\" \fI\fP escape sequences to invode bold face and italics, + .\" respectively. + .SH OPTIONS + A summary of options is included below. + .TP +-.B \-c ++.B \-c + Dump and interpret CSN only. This option can be used with or + without \-i option. + .TP +@@ -47,6 +47,9 @@ the option is omitted. + Directory server's host. Default to the server where the script + is running. + .TP ++.B \-l ++Preserve generated ldif.done files from changelogdir ++.TP + .B \-i changelog\(hyldif\(hyfile\(hywith\(hybase64encoding + If you already have a ldif-like changelog, but the changes + in that file are encoded, you may use this option to +@@ -66,7 +69,7 @@ Specify replica roots whose changelog you want to dump. The replica + roots may be separated by comma. All the replica roots would be + dumped if the option is omitted. + .TP +-.B \-v ++.B \-v + Print the version of this script. + .TP + .B \-w bind\(hypassword +-- +2.21.1 + diff --git a/SOURCES/0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch b/SOURCES/0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch new file mode 100644 index 0000000..975ce26 --- /dev/null +++ b/SOURCES/0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch @@ -0,0 +1,32 @@ +From c8977a03f2c65978ad7977030d55bc830bc1f852 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Wed, 16 Oct 2019 16:52:59 -0400 +Subject: [PATCH] Issue 50655 - access log etime is not properly formatted + +Description: The wrong printf format was used for displaying the nanosecond etime + in the access log. + +relates: https://pagure.io/389-ds-base/issue/50655 + +Reviewed by: firstyear(Thanks!) +--- + ldap/servers/slapd/result.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c +index d9f431cc5..393b3f6cd 100644 +--- a/ldap/servers/slapd/result.c ++++ b/ldap/servers/slapd/result.c +@@ -1920,7 +1920,8 @@ log_result(Slapi_PBlock *pb, Operation *op, int err, ber_tag_t tag, int nentries + struct timespec o_hr_time_end; + slapi_operation_time_elapsed(op, &o_hr_time_end); + +- snprintf(etime, ETIME_BUFSIZ, "%" PRId64 ".%010" PRId64 "", (int64_t)o_hr_time_end.tv_sec, (int64_t)o_hr_time_end.tv_nsec); ++ ++ snprintf(etime, ETIME_BUFSIZ, "%" PRId64 ".%.09" PRId64 "", (int64_t)o_hr_time_end.tv_sec, (int64_t)o_hr_time_end.tv_nsec); + + slapi_pblock_get(pb, SLAPI_OPERATION_NOTES, &operation_notes); + +-- +2.21.1 + diff --git a/SOURCES/0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch b/SOURCES/0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch new file mode 100644 index 0000000..27b3324 --- /dev/null +++ b/SOURCES/0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch @@ -0,0 +1,35 @@ +From 5c4e9f2017ba6c0415fe8352587db61dd9451ee4 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 20 Jan 2020 13:16:36 -0500 +Subject: [PATCH] Issue 50834 - Incorrectly setting the NSS default SSL version + max + +Description: We've been using the wrong function to get the NSS max + version We were calling SSL_VersionRangeGetSupported() + which gets the versions NSS "can" handle, but + SSL_VersionRangeGetDefault() gets the versions that + are actually "enabled". + +relates: https://pagure.io/389-ds-base/issue/50834 + +Reviewed by: mreynolds(one line commit rule) +--- + ldap/servers/slapd/ssl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c +index ed054db44..c71e3019b 100644 +--- a/ldap/servers/slapd/ssl.c ++++ b/ldap/servers/slapd/ssl.c +@@ -1164,7 +1164,7 @@ slapd_nss_init(int init_ssl __attribute__((unused)), int config_available __attr + char *certdir; + char emin[VERSION_STR_LENGTH], emax[VERSION_STR_LENGTH]; + /* Get the range of the supported SSL version */ +- SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledNSSVersions); ++ SSL_VersionRangeGetDefault(ssl_variant_stream, &enabledNSSVersions); + + (void)slapi_getSSLVersion_str(enabledNSSVersions.min, emin, sizeof(emin)); + (void)slapi_getSSLVersion_str(enabledNSSVersions.max, emax, sizeof(emax)); +-- +2.21.1 + diff --git a/SOURCES/0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch b/SOURCES/0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch new file mode 100644 index 0000000..90f1370 --- /dev/null +++ b/SOURCES/0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch @@ -0,0 +1,43 @@ +From 572ed29e447141f532f2d84f9ea78c48308ad684 Mon Sep 17 00:00:00 2001 +From: Thierry Bordaz +Date: Fri, 7 Jun 2019 11:35:46 +0200 +Subject: [PATCH] Ticket 50428 - Log the actual base DN when the search fails + with "invalid attribute request" + +Bug Description: + When a search request contains invalid parameters (attribute list with empty attribute + name, unknown scope, invalid filter..) the search is rejected but the access log + contains a wrong base search: ... SRCH base="(null)"... + This is because it does not use for logging the variable that gather the actual base ('rawbase') + +Fix Description: + Use 'rawbase' value for logging + +https://pagure.io/389-ds-base/issue/50428 + +Reviewed by: Mark Reynolds + +Platforms tested: F28 + +Flag Day: no + +Doc impact: no +--- + ldap/servers/slapd/search.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ldap/servers/slapd/search.c b/ldap/servers/slapd/search.c +index 7e253f535..2a9979552 100644 +--- a/ldap/servers/slapd/search.c ++++ b/ldap/servers/slapd/search.c +@@ -154,6 +154,7 @@ do_search(Slapi_PBlock *pb) + goto free_and_return; + } + } ++ base = rawbase; + + /* + * ignore negative time and size limits since they make no sense +-- +2.21.1 + diff --git a/SOURCES/0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch b/SOURCES/0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch new file mode 100644 index 0000000..3836923 --- /dev/null +++ b/SOURCES/0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch @@ -0,0 +1,146 @@ +From c629c7ffe35bb2a09ad4dfa60d56fb01a51915d0 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Fri, 2 Aug 2019 14:36:24 -0400 +Subject: [PATCH] Issue 50530 - Directory Server not RFC 4511 compliant with + requested attr "1.1" + +Bug Description: A regression was introduced some time back that changed the + behavior of how the server handled the "1.1" requested attribute + in a search request. If "1.1" was requested along with other + attributes then no attibutes were returned, but in this case "1.1" + is expected to be ignroed. + +Fix Description: Only comply with "1.1" if it is the only requested attribute + +relates: https://pagure.io/389-ds-base/issue/50530 + +Reviewed by: firstyear(Thanks!) +--- + dirsrvtests/tests/suites/basic/basic_test.py | 57 +++++++++++++++++--- + ldap/servers/slapd/result.c | 7 ++- + 2 files changed, 57 insertions(+), 7 deletions(-) + +diff --git a/dirsrvtests/tests/suites/basic/basic_test.py b/dirsrvtests/tests/suites/basic/basic_test.py +index 0f7536b63..cea4f6bfe 100644 +--- a/dirsrvtests/tests/suites/basic/basic_test.py ++++ b/dirsrvtests/tests/suites/basic/basic_test.py +@@ -28,6 +28,7 @@ log = logging.getLogger(__name__) + USER1_DN = 'uid=user1,' + DEFAULT_SUFFIX + USER2_DN = 'uid=user2,' + DEFAULT_SUFFIX + USER3_DN = 'uid=user3,' + DEFAULT_SUFFIX ++USER4_DN = 'uid=user4,' + DEFAULT_SUFFIX + + ROOTDSE_DEF_ATTR_LIST = ('namingContexts', + 'supportedLDAPVersion', +@@ -409,8 +410,8 @@ def test_basic_acl(topology_st, import_example_ldif): + 'uid': 'user1', + 'userpassword': PASSWORD}))) + except ldap.LDAPError as e: +- log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN +- + ': error ' + e.message['desc']) ++ log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN + ++ ': error ' + e.message['desc']) + assert False + + try: +@@ -421,8 +422,8 @@ def test_basic_acl(topology_st, import_example_ldif): + 'uid': 'user2', + 'userpassword': PASSWORD}))) + except ldap.LDAPError as e: +- log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN +- + ': error ' + e.message['desc']) ++ log.fatal('test_basic_acl: Failed to add test user ' + USER1_DN + ++ ': error ' + e.message['desc']) + assert False + + # +@@ -572,6 +573,50 @@ def test_basic_searches(topology_st, import_example_ldif): + log.info('test_basic_searches: PASSED') + + ++@pytest.fixture(scope="module") ++def add_test_entry(topology_st, request): ++ # Add test entry ++ topology_st.standalone.add_s(Entry((USER4_DN, ++ {'objectclass': "top extensibleObject".split(), ++ 'cn': 'user1', 'uid': 'user1'}))) ++ ++ ++search_params = [(['1.1'], 'cn', False), ++ (['1.1', 'cn'], 'cn', True), ++ (['+'], 'nsUniqueId', True), ++ (['*'], 'cn', True), ++ (['cn'], 'cn', True)] ++@pytest.mark.parametrize("attrs, attr, present", search_params) ++def test_search_req_attrs(topology_st, add_test_entry, attrs, attr, present): ++ """Test requested attributes in search operations. ++ :id: 426a59ff-49b8-4a70-b377-0c0634a29b6e ++ :setup: Standalone instance ++ :steps: ++ 1. Test "1.1" does not return any attributes. ++ 2. Test "1.1" is ignored if there are other requested attributes ++ 3. Test "+" returns all operational attributes ++ 4. Test "*" returns all attributes ++ 5. Test requested attributes ++ ++ :expectedresults: ++ 1. Success ++ 2. Success ++ 3. Success ++ 4. Success ++ 5. Success ++ """ ++ ++ log.info("Testing attrs: {} attr: {} present: {}".format(attrs, attr, present)) ++ entry = topology_st.standalone.search_s(USER4_DN, ++ ldap.SCOPE_BASE, ++ 'objectclass=top', ++ attrs) ++ if present: ++ assert entry[0].hasAttr(attr) ++ else: ++ assert not entry[0].hasAttr(attr) ++ ++ + def test_basic_referrals(topology_st, import_example_ldif): + """Test LDAP server in referral mode. + +@@ -716,8 +761,8 @@ def test_basic_systemctl(topology_st, import_example_ldif): + log.info('Attempting to start the server with broken dse.ldif...') + try: + topology_st.standalone.start() +- except: +- log.info('Server failed to start as expected') ++ except Exception as e: ++ log.info('Server failed to start as expected: ' + str(e)) + log.info('Check the status...') + assert (not topology_st.standalone.status()) + log.info('Server failed to start as expected') +diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c +index 393b3f6cd..61e7a70f9 100644 +--- a/ldap/servers/slapd/result.c ++++ b/ldap/servers/slapd/result.c +@@ -1546,6 +1546,8 @@ send_ldap_search_entry_ext( + * "+" means all operational attributes (rfc3673) + * operational attributes are only retrieved if they are named + * specifically or when "+" is specified. ++ * In the case of "1.1", if there are other requested attributes ++ * then "1.1" should be ignored. + */ + + /* figure out if we want all user attributes or no attributes at all */ +@@ -1560,7 +1562,10 @@ send_ldap_search_entry_ext( + if (strcmp(LDAP_ALL_USER_ATTRS, attrs[i]) == 0) { + alluserattrs = 1; + } else if (strcmp(LDAP_NO_ATTRS, attrs[i]) == 0) { +- noattrs = 1; ++ /* "1.1" is only valid if it's the only requested attribute */ ++ if (i == 0 && attrs[1] == NULL) { ++ noattrs = 1; ++ } + } else if (strcmp(LDAP_ALL_OPERATIONAL_ATTRS, attrs[i]) == 0) { + alloperationalattrs = 1; + } else { +-- +2.21.1 + diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec index 59c8cef..ac72c06 100644 --- a/SPECS/389-ds-base.spec +++ b/SPECS/389-ds-base.spec @@ -39,7 +39,7 @@ Summary: 389 Directory Server (%{variant}) Name: 389-ds-base Version: 1.3.9.1 -Release: %{?relprefix}12%{?prerel}%{?dist} +Release: %{?relprefix}13%{?prerel}%{?dist} License: GPLv3+ URL: https://www.port389.org/ Group: System Environment/Daemons @@ -187,6 +187,13 @@ Patch38: 0038-Issue-49850-ldbm_get_nonleaf_ids-slow-for-databases-.patc Patch39: 0039-Ticket-49850-cont-fix-crash-in-ldbm_non_leaf.patch Patch40: 0040-Issue-50538-cleanAllRUV-task-limit-is-not-enforced-f.patch Patch41: 0041-Fix-cherry-pick-error-for-cleanAllRUV-issue.patch +Patch42: 0042-Ticket-50736-RetroCL-trimming-may-crash-at-shutdown-.patch +Patch43: 0043-Issue-50529-LDAP-server-returning-PWP-controls-in-di.patch +Patch44: 0044-Issue-50572-After-running-cl-dump-dbdir-cldb-ldif.do.patch +Patch45: 0045-Issue-50655-access-log-etime-is-not-properly-formatt.patch +Patch46: 0046-Issue-50834-Incorrectly-setting-the-NSS-default-SSL-.patch +Patch47: 0047-Ticket-50428-Log-the-actual-base-DN-when-the-search-.patch +Patch48: 0048-Issue-50530-Directory-Server-not-RFC-4511-compliant-.patch %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -539,6 +546,17 @@ fi %{_sysconfdir}/%{pkgname}/dirsrvtests %changelog +* Wed Feb 12 2020 Mark Reynolds - 1.3.9.1-13 +- Bump version to 1.3.9.1-13 +- Resolves: Bug 1801693 - ns-slapd is crashing while restarting ipactl +- Resolves: Bug 1801695 - LDAP server returning controltype in different sequence +- Resolves: Bug 1801700 - After running cl-dump dbdir/cldb/*ldif.done are not deleted +- Resolves: Bug 1801701 - etime displayed has an order of magnitude 10 times smaller than it should be +- Resolves: Bug 1801702 - Regression: NSS has interop problems as server when using limited cipher list +- Resolves: Bug 1801704 - Log the actual base DN when the search fails with "invalid attribute request" +- Resolves: Bug 1801705 - Directory Server 10 not RFC 4511 compliant +- Resolves: Bug 1801706 - Replace error by warning in the state machine defined in repl5_inc_run + * Fri Nov 1 2019 Mark Reynolds - 1.3.9.1-12 - Bump version to 1.3.9.1-12 - Resolves: Bug 1767622 - CleanAllRUV task limit not enforced