[389-devel] Please review: [389 Project] #26: Please support setting defaultNamingContext in the rootdse.
https://fedorahosted.org/389/ticket/26
https://fedorahosted.org/389/attachment/ticket/26/0001-Trac-Ticket-26-Please-support-setting-defaultNamingC.patch

Fix descriptions:
1) Introducing an attribute defaultNamingContext to rootdse.
2) To support it, a config parameter nsslapd-defaultnamingcontext is added.
 . Suffix created in setup is set to nsslapd-defaultnamingcontext in createConfigFile (DSCreate.pm).
 . If the default naming context is deleted from mapping tree, the config parameter nsslapd-defaultnamingcontext as well as the attribute defaultNamingContext in rootdse are removed.
 . When nsslapd-defaultnamingcontext does not exist, there are 3 ways to set it.
   a) Next added suffix is automatically set.
   b) Add nsslapd-defaultnamingcontext value to cn=config using ldap client.
   c) Shutdown the server and add nsslapd-defaultnamingcontext value to cn=config
 . nsslapd-defaultnamingcontext value could be replaced with other existing suffix with ldap modify operation.

In addition, invalid read was reported by valgrind when a suffix was removed. To solve it, adding a write lock to dse_call_callback.

--
389-devel mailing list
389-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #26: Please support setting defaultNamingContext in the rootdse.
Please note that this patch is a subset of my previous review request. The contention problem in deleting suffix/backend was separated to Ticket 259 (https://fedorahosted.org/389/ticket/259).

https://fedorahosted.org/389/ticket/26
https://fedorahosted.org/389/attachment/ticket/26/0001-Trac-Ticket-26-Please-support-setting.patch

Fix descriptions:
1) Introducing an attribute defaultNamingContext to rootdse.
2) To support it, a config parameter nsslapd-defaultnamingcontext is added.
 . Suffix created in setup is set to nsslapd-defaultnamingcontext in createConfigFile (DSCreate.pm).
 . If the default naming context is deleted from mapping tree, the config parameter nsslapd-defaultnamingcontext as well as the attribute defaultNamingContext in rootdse are removed.
 . When nsslapd-defaultnamingcontext does not exist, there are 3 ways to set it.
   a) Next added suffix is automatically set.
   b) Add nsslapd-defaultnamingcontext value to cn=config using ldap client.
   c) Shutdown the server and add nsslapd-defaultnamingcontext value to cn=config
 . nsslapd-defaultnamingcontext value could be replaced with other existing suffix with ldap modify operation.
[389-devel] Please review: [389 Project] #75: Unconfigure plugin opperations are being called.
https://fedorahosted.org/389/ticket/75
https://fedorahosted.org/389/attachment/ticket/75/0002-Trac-Ticket-75-Unconfigure-plugin-opperations-are-be.patch

Fix descriptions: When plugin is not enabled, the start function is not called, but the initialization is made and the plugins are registered. This patch calls the initialization/plugin registration only when the plugin is enabled.
Re: [389-devel] Please review: fix mep sdn compiler warnings
Rich Megginson wrote:

ack.
Re: [389-devel] Please review: fix recent compiler warnings
Rich Megginson wrote:

ack.
Re: [389-devel] Please review: Ticket #15 - Get rid of rwlock.h/rwlock.c and just use slapi_rwlock instead
Rich Megginson wrote:
https://fedorahosted.org/389/ticket/15
https://fedorahosted.org/389/attachment/ticket/15/diffs-without-autoconf.patch

ack.
Re: [389-devel] Please review: fix new compiler warnings
Rich Megginson wrote:

ack.
[389-devel] Please review: [389 Project] #274: Reindexing entryrdn fails if ancestors are also tombstoned
https://fedorahosted.org/389/ticket/274
https://fedorahosted.org/389/attachment/ticket/274/0001-Trac-Ticket-274-Reindexing-entryrdn-fails-if.patch

Bug description: Inserting/traversing entryrdn fails if a parent entry is tombstoned and the rdn in the entryrdn index includes nsuniqueid. In DIT cn=A,ou=B,o=C, cn=A and ou=B are removed and turned to tombstone entries. Both of the 2 representations need to be supported in the entryrdn.
  nsuniqueid=...,cn=A,ou=B,o=C
and
  nsuniqueid=...,cn=A,nsuniqueid=...,ou=B,o=C

Fix description: Support for the second case is added by this patch. Also, in index_add_mods, code for checking NULL mods is added.
[389-devel] Please review: [389 Project] #275: Invalid read reported by valgrind
https://fedorahosted.org/389/ticket/275
https://fedorahosted.org/389/attachment/ticket/275/0001-Trac-Ticket-275-Invalid-read-reported-by-valgrind.patch

Fix description: Since the matching rule type could be normalized and the original string could be freed in filter_normalize_ext, the type needs to have a duplicated string (bitwise.c, plugin_mr.c). Filter_ava functions and filter_sub functions in the syntax plugins need to check if the passed pblock is NULL or not before accessing it.
Re: [389-devel] Please review: coverity 12488 Resource leak In attr_index_config()
Rich Megginson wrote:

ack.
[389-devel] Please review: [389 Project] #51: memory leaks in 389-ds-base-1.2.8.2-1.el5?
https://fedorahosted.org/389/ticket/51
https://fedorahosted.org/389/attachment/ticket/51/0001-Trac-Ticket-51-memory-leaks-in-389-ds-base-1.2.8.2-1.patch

Fix description: Ran valgrind with the MMR+SASL servers and fixed leaks found in the test.

[plugin/replication/repl5_connection.c] conn_connect could have overridden conn-ld without releasing it. This patch releases it if necessary.

[slapd/dn.c] If DN normalization fails in slapi_sdn_get_dn, this patch releases the locally strdup'ed string.

[slapd/modify.c, modutil.c] If a DN syntax attribute value is found in mods, it was normalized and replaced in slapi_mods_insert_at. It leaked the pre-normalized value. Instead, this patch normalizes mods in do_modify and frees it when the modify is done.

[slapd/operation.c] modrdn_newsuperior_address.sdn was not released when the modrdn operation is done. This patch adds the release code.
[389-devel] Please review: [389 Project] #34: remove-ds.pl does not remove everything
https://fedorahosted.org/389/ticket/34
https://fedorahosted.org/389/attachment/ticket/34/0001-Trac-Ticket-34-remove-ds.pl-does-not-remove-everythi.patch

Fix description: Introduce an option --all | -a, with which all the generated files and directories are removed.
[389-devel] Please review: [389 Project] #298: crash when replicating orphaned tombstone entry
https://fedorahosted.org/389/ticket/298
https://fedorahosted.org/389/attachment/ticket/298/0001-Trac-Ticket-298-crash-when-replicating-orphaned-tomb.patch

Fix description:
1. The cause of the crash was freeing a to-be-added entry in tombstone_to_glue although the entry is consumed in slapi_add_entry_internal_set_pb/slapi_add_internal_pb. This patch removes the redundant slapi_entry_free from tombstone_to_glue.
2. Introducing is_suffix_dn_ext to pass is_tombstone flag for getting the proper parent sdn of a tombstoned entry.
3. Logic handling ancestor tombstone was broken. In _entryrdn_insert_key, if _entryrdn_get_tombstone_elem finds a child node, it was checking if the node is a tombstone or not immediately. It should have been done in the next loop.
4. Reducing repeated "WARNING: bad entry: ID ##" messages.
[389-devel] Please review: 389-admin: htmladmin
If htmladmin fails to connect to the server, the cgi could crash. This patch checks the flag for the server status and avoids the unnecessary free. From 4ec23c03450d45639282c173d2e095c4023876bb Mon Sep 17 00:00:00 2001 From: Noriko Hosoi nho...@totoro.sjc.redhat.com Date: Fri, 23 Mar 2012 13:13:08 -0700 Subject: [PATCH] If htmladmin fails to connect to the server, the cgi could crash. This patch checks the flag for the server status and avoids the unnecessary free. --- admserv/cgi-src40/htmladmin.c | 13 + 1 files changed, 9 insertions(+), 4 deletions(-) diff --git a/admserv/cgi-src40/htmladmin.c b/admserv/cgi-src40/htmladmin.c index 09d0ad0..7110526 100644 --- a/admserv/cgi-src40/htmladmin.c +++ b/admserv/cgi-src40/htmladmin.c @@ -1175,8 +1175,8 @@ int output_topology(AdmldapInfo ldapInfo, char *admin_url; char *server_host; int *server_port; - int running; - char *href; + int running = 0; + char *href = NULL; char *info_link; char *log_link; @@ -1232,7 +1232,10 @@ int output_topology(AdmldapInfo ldapInfo, free((void *)dn_escaped); free((void *)val_escaped); - PR_smprintf_free((char *)href); + if (running == 1) { + PR_smprintf_free((char *)href); + href = NULL; + } PR_smprintf_free((char *)info_link); PR_smprintf_free((char *)log_link); } else if(strstr(ldap_get_dn(server, sie_entry), Directory)) { @@ -1276,7 +1279,9 @@ int output_topology(AdmldapInfo ldapInfo, free((void *)dn_escaped); free((void *)val_escaped); free((void *)host_escaped); - PR_smprintf_free((char *)href); + if (href) { + PR_smprintf_free((char *)href); + } PR_smprintf_free((char *)info_link); PR_smprintf_free((char *)log_link); PR_smprintf_free((char *)repl_link); -- 1.7.7.6 -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
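Review bot: In the declarations hunk (@@ -1175,8 +1175,8) only `running` and `href` gain initializers, while `info_link` and `log_link` directly below stay uninitialized and are still passed to PR_smprintf_free unconditionally in both later hunks. If the failed-connect path can skip their assignment the way it skips `href`, they need the same `= NULL` initializer and guard; if it cannot, a one-line comment saying so would help the next reader.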
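Review bot: In the hunk at @@ -1232,7 +1232,10 the free is guarded by `if (running == 1)` rather than by the pointer itself, so correctness depends on `href` having been allocated exactly when `running` is 1, which the hunk does not show. Now that `href` starts out as NULL, `if (href)` as used in the following hunk would tie the free to ownership of the pointer and keep the two call sites consistent.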
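Review bot: In the hunk at @@ -1276,7 +1279,9 the guarded free does not reset `href = NULL` afterwards, unlike the earlier hunk. `href` is initialized only once at its declaration, so if this branch is reached again before `href` is reassigned, the stale pointer passes the `if (href)` test and is freed a second time; add `href = NULL;` inside the block.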
[389-devel] Please review (take 2): [389 Project] #46: setup-ds-admin.pl does not like ipv6 only hostnames
https://fedorahosted.org/389/ticket/46
https://fedorahosted.org/389/attachment/ticket/46/0001-Trac-Ticket-46-revised-setup-ds-admin.pl-does-not.patch

Fix Description: Socket::GetAddrInfo https://fedorahosted.org/389/wiki/GetAddrInfo class is not available on all the supported platforms. Instead, this patch uses Socket6, which has better support.

https://fedorahosted.org/389/ticket/46
https://fedorahosted.org/389/attachment/ticket/46/0001-Trac-Ticket-46-setup-ds-admin.pl-does-not-like-ipv6-.patch
git patch file (master)

Fix Description: Perl functions gethostbyname/gethostbyaddr do not support IPv6 addresses. This patch replaces the obsolete functions with the ones from Socket::GetAddrInfo https://fedorahosted.org/389/wiki/GetAddrInfo.

https://fedorahosted.org/389/attachment/ticket/46/0001-Trac-Ticket-46-setup-ds-admin.pl-does-not-like-ipv6-.2.patch
git patch file for 389-ds-base.spec (master)

Fix Description: Adding IPv6 friendly perl packages to Requires list:
Requires: perl-Socket-GetAddrInfo https://fedorahosted.org/389/wiki/GetAddrInfo
Requires: perl-NetAddr https://fedorahosted.org/389/wiki/NetAddr-IP
[389-devel] Please review: [389 Project] #335: transaction retries need to be cache aware
https://fedorahosted.org/389/ticket/335
https://fedorahosted.org/389/attachment/ticket/335/0001-Trac-Ticket-335-transaction-retries-need-to-be-cache.patch

Fix description: When libdb returns DEADLOCK and backend update function retries the operation, the target entry is reset to the original shape. The target entry could be or could not be in the entry cache. Regardless of the status, the original code just released the entry with backentry_free before going into the next loop, which causes the cache error. This patch checks the status of the entry. If it is in the entry cache, remove it from the entry cache and add a new entry back to the cache if necessary.

To get the accurate cache status of each entry, the output argument cache_res to id2entry_add_ext is added.

Additionally, error checking for the conflict value in index_add_mods was weak (curr_attr). This patch is adding the check.
[389-devel] Please review (take 2): [389 Project] #338: letters in object's cn get converted to lowercase when renaming object
https://fedorahosted.org/389/ticket/338
https://fedorahosted.org/389/attachment/ticket/338/0001-Trac-Ticket-338-letters-in-object-s-cn-get-converted.2.patch

Fix description: The value of newrdn was normalized as dn then decapitalized. The decapitalization was not just needed but the cause of the reported bug. This patch removes the decapitalization call (slapi_dn_ignore_case) and adds slapi_dn_ignore_case to acl_access_allowed_modrdn (acl.c) and referint_postop_modrdn (referint/referint.c). Additionally, unnecessary code is being removed from chaining_back_modrdn (chainingdb/cb_modrdn.c).
[389-devel] Please review: [389 Project] #310: Avoid calling escape_string() for logged DNs
https://fedorahosted.org/389/ticket/310
https://fedorahosted.org/389/attachment/ticket/310/0001-Trac-Ticket-310-Avoid-calling-escape_string-for-logg.patch

Fix description: removed unnecessary escape_string calls and the static buffer used by escape_string.

Ran slamd repeatedly (BIND+SEARCH+UNBIND from 4 threads in 10 min.), but I could not get the good evidence that No escape_string improves the performance. Please note that the bind dn contains ascii characters and digits only. The following is the average of 5 repeated attempts each.

[With escape_string]
Total_Duration   Total_Count   Avg_Duration   AVG_Count/Interval
---------------+-------------+--------------+-------------------
2395787.2        2404987.0     0.998          40083.117
---------------+-------------+--------------+-------------------

[No escape_string]
Total_Duration   Total_Count   Avg_Duration   AVG_Count/Interval
---------------+-------------+--------------+-------------------
2395570.8        2314081.2     1.045          38568.020
---------------+-------------+--------------+-------------------
[389-devel] Please review: [389 Project] #345: db deadlock return should not log error
https://fedorahosted.org/389/ticket/345
https://fedorahosted.org/389/attachment/ticket/345/0001-Ticket-345-db-deadlock-return-should-not-log-error.patch

Fix description: error log level is set to SLAPI_LOG_TRACE if DB_LOCK_DEADLOCK is returned from the BDB operations, otherwise set to SLAPI_LOG_FATAL.
[389-devel] Please review comment: [389 Project] #412: memberof performance enhancement
https://fedorahosted.org/389/ticket/412
https://fedorahosted.org/389/attachment/ticket/412/0001-Trac-Ticket-412-memberof-performance-enhancement.patch

Fix description:
memberof.c: replaced DN strings with Slapi_DN and set the normalized info to Slapi_Value flags. It reduces the number of slapi_dn_normalize_ext calls by ~25%.
attr.c, slapi-plugin.h: introduced a new API slapi_attr_value_cmp_ext which takes Slapi_Value instead of struct berval. By replacing with Slapi_Value, the value flag (e.g., normalized info) can be passed to the syntax plugin.
value.c: changed slapi_value_compare to call slapi_attr_value_cmp_ext instead of slapi_attr_value_cmp.

Replying to nkinder https://fedorahosted.org/389/ticket/412#comment:2:
  What sort of performance increase do these changes give you in your testing?

Unfortunately, there was no observable performance gain. Let me explain it with the test env next...

As replied to Nathan's question, I could not see any performance gain in the elapsed time, although it reduced the count of slapi_dn_normalize_ext by ~25%. But the server's behaviour observed in the test was interesting. The dominant time of the elapsed time spent in the memberof operation is likely in libdb. The time difference 14 sec vs. 27 sec between Straight ldapmodify ...; sh memof_script.sh and ldapmodify ...; restart the server; [ldapsearch all; ]sh memof_script.sh cannot be explained in the server level. Callgrind outputs almost the same graph except the libdb internal. And once we put all memberof operations in one transaction, the response time is extremely short.

We have not enabled betxn by default yet. Can we make a plan to do so for brushing up the code especially on Fedora?

Result:
Note: With/Without the attached patch: 0001-Trac-Ticket-412-memberof-performance-enhancement.patch, there was no difference in the elapsed time.

This test adds 1000 user entries first (ldapmodify...). Then memof_script.sh adds a group entry which contains the 1000 members; the script waits for all the user entries to have memberof attribute value. (The test files are attached to the trac #412 with the instructions.)

Straight ldapmodify ...; sh memof_script.sh: 14 seconds
ldapmodify ...; restart the server; sh memof_script.sh: 27 seconds
ldapmodify ...; restart the server; ldapsearch all; sh memof_script.sh: 27 seconds
(I.e, the difference is not due to the entries in the entry cache or not)

Enable betxn of the Memberof Plugin
dn: cn=MemberOf Plugin,cn=plugins,cn=config
nsslapd-pluginType: betxnpostoperation

Straight ldapmodify ...; sh memof_script.sh: 1 second
ldapmodify ...; restart the server; ldapsearch all; sh memof_script.sh: 1 second

Thanks,
--noriko
[389-devel] Please review: [389 Project] #443: Deleting attribute present in nsslapd-allowed-to-delete-attrs returns Operations error
https://fedorahosted.org/389/ticket/443
https://fedorahosted.org/389/attachment/ticket/443/0001-Trac-Ticket-443-Deleting-attribute-present-in.patch

Bug Description: Even if setting a config parameter to nsslapd-allowed-to-delete-attrs, the value failed to delete if the type was on|off or integer.

Fix Description: Store all the initial config param values in ConfigList. If the attribute value is deleted, reset the initial value.
[389-devel] Please review: [389 Project] #447: Possible to add invalid attribute to nsslapd-allowed-to-delete-attrs
https://fedorahosted.org/389/ticket/447
https://fedorahosted.org/389/attachment/ticket/447/0001-Trac-Ticket-447-Possible-to-add-invalid-attribute.patch

Fix description: This patch is adding a code to check if the value of config parameter nsslapd-allowed-to-delete-attrs includes any invalid attributes or not. If it does, the server ignores the invalid ones, and the following search returns only the valid attributes. Also, it is logged in the error log:
  nsslapd-allowed-to-delete-attrs: Unknown attribute bogus will be ignored
[389-devel] Please review: [389 Project] #500: Newly created users with organizationalPerson objectClass fails to sync from AD to DS with missing attribute error
https://fedorahosted.org/389/ticket/500
https://fedorahosted.org/389/attachment/ticket/500/0001-Trac-Ticket-500-Newly-created-users-with-organizatio.patch

Bug description: Posix Account objectclass requires homeDirectory, uidNumber, and gidNumber. When an AD entry has just some of these attributes or other allow-to-have attributes, i.e., loginShell or gecos, the entry is incompletely converted to Posix Account entry and fails to be added due to the missing attribute error.

Fix description: Before transforming the AD entry to the DS posix account entry, check the required attributes first. If any of the above 3 attributes is missing, all of the posix account related attributes are dropped and added to the DS as a non-posix account entry. If the PLUGIN log level is set, this type of message is logged in the error log.
  [] posix-winsync - AD entry CN=CN,OU=OU,DC=DC,DC=COM does not have MUST attribute uidNumber for posixAccount objectclass.
[389-devel] Please review: [389 Project] #547: [Patch] Incorrect assumption in ndn cache
https://fedorahosted.org/389/ticket/547
https://fedorahosted.org/389/attachment/ticket/547/0001-Ticket-547-Incorrect-assumption-in-ndn-cache.patch

Bug Description: In ndn_cache_lookup, to determine the given dn is already normalized or not, the length is compared with the normalized dn length. If they match, it considers the given dn is already normalized. But there are cases even if the lengths are equal, the given dn may not be normalized yet. (e.g., 'cn=o=ABC,o=XYZ' vs. 'cn=o\3DABC,o=XYZ')

Fix Description: This patch adds another check: if the dn and normalized dn length match, call memcmp to compare the 2 dn's. When memcmp returns 0, ndn_cache_lookup returns the passed dn.
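A small model of the shortcut described in the message above, added here as an illustration and not taken from the 389 patch. The cache layout, `toy_normalize` (a stand-in that only lowercases and drops spaces after commas), `ndn_lookup` and the sample DNs are all constructed for this example; the DN pair differs only in case so that both forms have the same length.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One cache slot: the DN as the client sent it, and its normalized form. */
struct ndn_entry {
    char *dn;
    char *ndn;
    size_t ndn_len;
};

#define CACHE_SLOTS 16
static struct ndn_entry cache[CACHE_SLOTS];
static size_t cache_used;

/* Stand-in normalizer (assumption, not the server's): lowercases every
 * byte and drops spaces that directly follow a ',' separator. */
static char *toy_normalize(const char *dn)
{
    char *out = malloc(strlen(dn) + 1);
    size_t o = 0;
    int after_comma = 0;

    if (!out)
        return NULL;
    for (size_t i = 0; dn[i]; i++) {
        if (dn[i] == ' ' && after_comma)
            continue;
        after_comma = (dn[i] == ',');
        out[o++] = (char)tolower((unsigned char)dn[i]);
    }
    out[o] = '\0';
    return out;
}

/* Find the slot keyed by the raw DN, filling it on first sight. */
static const struct ndn_entry *cache_get(const char *dn)
{
    for (size_t i = 0; i < cache_used; i++)
        if (strcmp(cache[i].dn, dn) == 0)
            return &cache[i];
    if (cache_used == CACHE_SLOTS)
        return NULL;

    struct ndn_entry *e = &cache[cache_used];
    size_t n = strlen(dn) + 1;
    e->dn = malloc(n);
    e->ndn = toy_normalize(dn);
    if (!e->dn || !e->ndn) {
        free(e->dn);
        free(e->ndn);
        return NULL;
    }
    memcpy(e->dn, dn, n);
    e->ndn_len = strlen(e->ndn);
    cache_used++;
    return e;
}

/* Returns the caller's own pointer when the DN is judged "already
 * normalized", otherwise the cached normalized string.
 * compare_bytes == 0: length check only (the behaviour reported as a bug).
 * compare_bytes != 0: length check plus memcmp (the behaviour after the fix). */
const char *ndn_lookup(const char *dn, int compare_bytes)
{
    const struct ndn_entry *e = cache_get(dn);
    size_t dn_len = strlen(dn);

    if (!e)
        return NULL;
    if (e->ndn_len == dn_len &&
        (!compare_bytes || memcmp(dn, e->ndn, dn_len) == 0))
        return dn;
    return e->ndn;
}

int main(void)
{
    const char *raw = "CN=Admin,O=XYZ";   /* constructed sample DN */

    printf("length only : %s\n", ndn_lookup(raw, 0));
    printf("with memcmp : %s\n", ndn_lookup(raw, 1));
    return 0;
}
```

With the length-only check the caller gets its un-normalized string back and goes on to use it as if it were normalized, which matters wherever the result feeds a byte-wise DN comparison.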
[389-devel] Please review: [389 Project] #542: Cannot dynamically set nsslapd-maxbersize
https://fedorahosted.org/389/ticket/542
https://fedorahosted.org/389/attachment/ticket/542/0001-Ticket-542-Cannot-dynamically-set-nsslapd-maxbersize.patch

Fix description: Based on the proposal made by rmegg...@redhat.com in the ticket #542, this patch sets maxbersize every time before reading the client input from the socket.

If the incoming ber size is larger than maxbersize, access log logs:
  [..] conn=# op=-1 fd=64 closed error 34 (Numerical result out of range) - B2
And the error log logs:
  [..] connection - conn=# fd=# Incoming BER Element was too long, max allowable is # bytes. Change the nsslapd-maxbersize attribute in cn=config to increase.
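The size check described in the message above, sketched as an added example rather than code from the 389 patch: the limit is re-read on every call, so a changed setting applies to the next element read, and an oversized element is refused with ERANGE (error 34 in the log line quoted above). `cfg_maxbersize`, `set_maxbersize` and `ber_peek_element` are hypothetical names, the 2 MiB starting value is constructed, and measuring header plus content against the limit is an assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the live nsslapd-maxbersize value in cn=config. */
static size_t cfg_maxbersize = 2u * 1024 * 1024;

void set_maxbersize(size_t v) { cfg_maxbersize = v; }

/* Inspect the tag and length octets of one BER element at the start of buf
 * without consuming the content.
 * Returns 0 and stores header + content size in *total on success,
 * -EAGAIN if more bytes are needed to decode the header,
 * -EINVAL for forms this sketch does not accept (multi-byte tag,
 *         indefinite length, length wider than size_t),
 * -ERANGE if the element is larger than the current limit. */
int ber_peek_element(const uint8_t *buf, size_t n, size_t *total)
{
    size_t limit = cfg_maxbersize;   /* read on every call, never cached */
    size_t hdr, len = 0;

    if (n < 2)
        return -EAGAIN;
    if ((buf[0] & 0x1f) == 0x1f)
        return -EINVAL;

    if (buf[1] < 0x80) {             /* short form: length in one octet */
        len = buf[1];
        hdr = 2;
    } else {                         /* long form: next nlen octets, big-endian */
        size_t nlen = buf[1] & 0x7f;
        if (nlen == 0 || nlen > sizeof(size_t))
            return -EINVAL;
        if (n < 2 + nlen)
            return -EAGAIN;
        for (size_t i = 0; i < nlen; i++)
            len = (len << 8) | buf[2 + i];
        hdr = 2 + nlen;
    }

    /* Ordered so that hdr + len can never wrap around. */
    if (len > limit || hdr > limit - len)
        return -ERANGE;

    *total = hdr + len;
    return 0;
}

int main(void)
{
    /* Constructed header: SEQUENCE with long-form length 0x00300000 (3 MiB). */
    const uint8_t big[] = { 0x30, 0x84, 0x00, 0x30, 0x00, 0x00 };
    size_t total = 0;

    printf("limit 2 MiB: rc=%d\n", ber_peek_element(big, sizeof big, &total));
    set_maxbersize(4u * 1024 * 1024);
    printf("limit 4 MiB: rc=%d total=%zu\n",
           ber_peek_element(big, sizeof big, &total), total);
    return 0;
}
```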
[389-devel] Please review: [389 Project] #545: Segfault during initial LDIF import: str2entry_dupcheck()
https://fedorahosted.org/389/ticket/545
https://fedorahosted.org/389/attachment/ticket/545/0001-Ticket-545-Segfault-during-initial-LDIF-import-str2e.patch

Bug description: If an attribute type having multiple values exists in an entry, and any compare function is not associated with the attribute type, fast_dup_check flag was not disabled from the second time. Since fast_dup_check requires the compare function based on the attribute syntax, it causes the segfault.

Fix description: This patch checks whether a compare function is associated with the multi-valued attribute not just at the first time the attribute type appears but at the second time and after, and disable fast_dup_check properly if needed.
[389-devel] Please review (take 2): [389 Project] #537: Improvement of range search
https://fedorahosted.org/389/ticket/537
https://fedorahosted.org/389/attachment/ticket/537/0001-Ticket-537-Improvement-of-range-search.2.patch

Thanks to Rich for his reviews and comments. I've added the read transaction abort in case idl_new_fetch / idl_new_range_fetch failed in the transaction.

Fix description: The index range search function index_range_read_ext was written to call idl_fetch_ext to get an idlist belonging to one key. Then add it to the main idlist as long as the key satisfies the range search filter condition. This patch introduces a new range search function idl_new_range_fetch to the new idl code, which generates an idlist in one idl function that eliminates the redundancy such as generating idlist and cursor per key.

This patch only implements the new idl version. If idl_new is not set, the existing code is executed.

Additionally, idl_new_fetch did not abort the read transaction even if any error occurred in the transaction. Now, it switches between commit and abort based upon the result.
[389-devel] Please review: [389 Project] #342: better error message when cache overflows
https://fedorahosted.org/389/ticket/342
https://fedorahosted.org/389/attachment/ticket/342/0001-Ticket-342-better-error-message-when-cache-overflows.patch

Bug description: ACL cache overflow error message is not very clear and repeated too many times.

Fix description:
1) print a message like this:
   Your ACL cache of %d slots has overflowed. This can happen when you have many ACIs. This ACI evaluation requires %d slots to cache. You can increase your max value by setting the attribute nsslapd-aclpb-max-selected-acls in cn=ACL Plugin,cn=plugins,cn=config to a value higher. A server restart is required.
2) print the error message only once per ACI evaluation instead of hundreds of times
[389-devel] Please review: [389 Project] #476: 389 ds do not start on F18 due to missing modules
https://fedorahosted.org/389/ticket/476
https://fedorahosted.org/389/attachment/ticket/476/0001-Ticket-476-389-ds-do-not-start-on-F18-due-to-missing.patch
https://fedorahosted.org/389/attachment/ticket/476/diffs.txt
Effective diff out of the patch

Bug description: Since apache 2.4, some modules are no longer loaded by default.

Fix description: As suggested by the bug reporter, this patch adds httpd-2.4.conf.in to the source tree which loads missing modules:
  mpm_worker_module, access_compat_module, authn_core_module,
  authz_core_module, authz_user_module, unixd_module
[389-devel] Please review: [389 Project] #502: setup-ds.pl script should wait if semanage.trans.LOCK present
https://fedorahosted.org/389/ticket/502
https://fedorahosted.org/389/attachment/ticket/502/0001-Ticket-502-setup-ds.pl-script-should-wait-if-semanag.patch

Bug description: If multiple DSCreate or removeDSInstance run simultaneously, semanage port fails because only one semanage transaction is allowed to start.

Fix description: This patch puts semanage port in the while loop and it retries until it succeeds or reaches the max retry count (in total 5 minutes).
[389-devel] Please review: [389 Project] #533: only scan for attributes to decrypt if there are encrypted attrs configured
https://fedorahosted.org/389/ticket/533
https://fedorahosted.org/389/attachment/ticket/533/0001-Ticket-533-only-scan-for-attributes-to-decrypt-if-th.patch

Bug description: When an internal entry is created in id2entry, all attributes are scanned in attrcrypt_decrypt_entry() and checked if they need to be decrypted regardless of SSL configured on the server or not.

Fix description: In attrcrypt_encrypt_* and attrcrypt_decrypt_* functions, this patch checks the attrcrypt_configured flag. It goes scanning the attribute list only when the encrypt_configured flag is set to true.
[389-devel] Please review: [389 Project] #572: PamConfig schema not updated during upgrade
https://fedorahosted.org/389/ticket/572
https://fedorahosted.org/389/attachment/ticket/572/0001-Ticket-572-PamConfig-schema-not-updated-during-upgra.patch

Bug description: PAM passthrough schema was not upgraded in the upgrade from 389-ds-base-1.2.10.2 to 389-ds-base-1.2.11.15.

Fix description: This patch adds 60pam-plugin.ldif to the upgrade schema file list.
[389-devel] Please review: [389 Project] #579: Error messages encountered when using POSIX winsync
https://fedorahosted.org/389/ticket/579
https://fedorahosted.org/389/attachment/ticket/579/0001-Ticket-579-Error-messages-encountered-when-using-POS.patch

Bug description: posix_group_fix_memberuid_callback registered by posixWinsyncCreateMemberOfTask calls an internal modify function even if there are no attributes to fix up. The attempt fails as expected, but it logs cryptic errors in the error log:
  - slapi_modify_internal_set_pb: NULL parameter
  - allow_operation: component identity is NULL

Fix description: This patch skips calling the fix up internal modify if there are no attributes to fix up.
[389-devel] Please review: [389 Project] #490: Slow role performance when using a lot of roles
https://fedorahosted.org/389/ticket/490
https://fedorahosted.org/389/attachment/ticket/490/0001-Ticket-490-Slow-role-performance-when-using-a-lot-of.patch

Bug description: Role uses the virtual attribute framework. When a search with a filter including nsrole or a return attribute list containing nsrole is being processed, the virtual attribute code checks whether the vattr values in the entry are valid or not by examining the watermark. If it is valid, the values are used as if they are static. If it is not valid, the entry is evaluated against the role definitions and dynamically generated virtual attributes are set to the list (e_virtual_attrs) with the proper watermark. The current code additionally checks e_virtual_attrs to determine whether the entry is already evaluated or not. If it is NULL, it considers the entry is not yet evaluated and it returns SLAPI_ENTRY_VATTR_NOT_RESOLVED even if the watermark is valid. That is, all the entries which do not have virtual attributes are unnecessarily evaluated every time a search with nsrole is executed.

Fix description: This patch returns SLAPI_ENTRY_VATTR_RESOLVED_ABSENT instead of SLAPI_ENTRY_VATTR_NOT_RESOLVED if e_virtual_attrs is NULL AND the watermark is valid. By skipping the not-needed nsrole evaluation, it speeds up the virtual search once virtual attribute values are placed in the entries in memory.

Comment: Using test data having 86568 entries in total; 98 nsRoleDefinition entries and 61542 nsRoleDn among them...
Sample command line:
  ldapsearch -LLLx -h localhost -p 389 -D 'cn=directory manager' -w password -b dc=example,dc=com (nsrole=cn=CN0,o=O0,dc=example,dc=com) nsrole
It returns 3291 entries with 8321 nsrole attribute values.

With the patch:
  nsslapd-ndn-cache-enabled: on
    No entries in cache:  0m49.308s
    All entries in cache: 0m0.181s
  nsslapd-ndn-cache-enabled: off
    No entries in cache:  0m51.792s
    All entries in cache: 0m0.210s
Without the patch:
  nsslapd-ndn-cache-enabled: on
    No entries in cache:  0m50.579s
    All entries in cache: 0m9.599s
  nsslapd-ndn-cache-enabled: off
    No entries in cache:  0m52.727s
    All entries in cache: 0m9.857s

The patch has no impact on the elapsed time to generate virtual attributes (No entries in cache). But once they are evaluated and placed in the entry cache, we could see the improvement (All entries in cache). Please note that if all the entries in the database have virtual attributes, this patch would have no effect.

In addition, I tested with nsslapd-ndn-cache-enabled: on and off. It's not huge, but we could recognize steady improvement. I recommend enabling the functionality by default or, at least, advertising it more (on 1.3.0 or newer)...
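The watermark check described in the post above, as an added model that is not part of the original post and not the 389-ds-base code: it counts how many role evaluations each nsrole search performs with the unpatched and the patched check. The struct, the function names and the invalidation by bumping a global watermark are assumptions of this example, and the ten entries are constructed.

```c
#include <stdio.h>
#include <stddef.h>

enum vattr_state { NOT_RESOLVED, RESOLVED_ABSENT, RESOLVED_EXISTS };

struct entry {
    int in_role;                 /* would role evaluation yield an nsrole value? */
    unsigned long watermark;     /* watermark stored at the last evaluation */
    const char *virtual_attrs;   /* stands in for e_virtual_attrs; NULL = none */
};

static unsigned long current_watermark;

/* Unpatched: a NULL list is read as "never evaluated", even with a valid watermark. */
static enum vattr_state check_unpatched(const struct entry *e)
{
    if (e->watermark != current_watermark || e->virtual_attrs == NULL)
        return NOT_RESOLVED;
    return RESOLVED_EXISTS;
}

/* Patched: a valid watermark with a NULL list means "evaluated, no values". */
static enum vattr_state check_patched(const struct entry *e)
{
    if (e->watermark != current_watermark)
        return NOT_RESOLVED;
    return e->virtual_attrs ? RESOLVED_EXISTS : RESOLVED_ABSENT;
}

/* One nsrole search over the cached entries; returns the number of entries
 * that had to be evaluated against the role definitions. */
static int search_nsrole(struct entry *es, size_t n, int patched)
{
    int evaluations = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        enum vattr_state st = patched ? check_patched(&es[i]) : check_unpatched(&es[i]);
        if (st != NOT_RESOLVED)
            continue;
        evaluations++;           /* the expensive part the patch avoids */
        es[i].virtual_attrs = es[i].in_role ? "cn=CN0,o=O0,dc=example,dc=com" : NULL;
        es[i].watermark = current_watermark;
    }
    return evaluations;
}

#define N_ENTRIES 10

/* pass 0: nothing evaluated yet, pass 1: same search repeated,
 * pass 2: repeated after the watermark was invalidated. Returns -1 on bad pass. */
int evaluations(int patched, int pass, int n_in_role)
{
    struct entry es[N_ENTRIES];
    int counts[3];
    size_t i;

    if (pass < 0 || pass > 2)
        return -1;
    current_watermark = 1;
    for (i = 0; i < N_ENTRIES; i++) {
        es[i].in_role = (int)i < n_in_role;
        es[i].watermark = 0;
        es[i].virtual_attrs = NULL;
    }
    counts[0] = search_nsrole(es, N_ENTRIES, patched);
    counts[1] = search_nsrole(es, N_ENTRIES, patched);
    current_watermark++;         /* model of "role definitions changed" */
    counts[2] = search_nsrole(es, N_ENTRIES, patched);
    return counts[pass];
}

int main(void)
{
    int patched, pass;

    for (patched = 0; patched <= 1; patched++)
        for (pass = 0; pass < 3; pass++)
            printf("%s pass %d: %d evaluations\n", patched ? "patched  " : "unpatched",
                   pass, evaluations(patched, pass, 3));
    return 0;
}
```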
[389-devel] Please review (take 2): [389 Project] #490: Slow role performance when using a lot of roles
https://fedorahosted.org/389/ticket/490
https://fedorahosted.org/389/attachment/ticket/490/0001-Ticket-490-Slow-role-performance-when-using-a-lot-of.2.patch

Following the suggestion from Rich, I separated the change on str2filter.c to another ticket/patch (https://fedorahosted.org/389/ticket/603).
[389-devel] Please review: [389 Project] #604: Required attribute not checked during search operation
https://fedorahosted.org/389/ticket/604
https://fedorahosted.org/389/attachment/ticket/604/0001-Ticket-604-Required-attribute-not-checked-during-sea.patch

Comment (by nhosoi):

Bug description: If attribute list passed from the ldapsearch contains a string with a space and following characters, the same string is returned to the client. E.g.,
  ldapsearch -b basedn (filter) sn garbage
returns
  dn: matched dn
  sn garbage: sn

Fix description: This patch introduces a config parameter nsslapd-search-return-original-type-switch. It takes on | off. By default, it is off. When it is off, search returns the attribute from which a space and following characters are chopped.
  dn: matched dn
  sn: sn
If it is on, it respects the current behaviour and returns the original attribute string.
[389-devel] Please review: [389 Project] #627: ns-slapd crashes sporadically with segmentation fault in libslapd.so
https://fedorahosted.org/389/ticket/627
https://fedorahosted.org/389/attachment/ticket/627/0001-Ticket-627-ns-slapd-crashes-sporadically-with-segmen.patch

Bug Description: Schema reload task (schema-reload.pl) was not thread safe.

Fix Description: Attribute Syntax is stored in the hash and retrieved based upon the attribute syntax. When Schema reload task is invoked, the attribute syntax objects were completely replaced ignoring the lock protection. This patch protects the attribute syntax replacement (attr_syntax_delete_all_for_schemareload) with the write lock. Also, attribute syntax object maintains the reference count. The schema reload respects the reference count instead of blindly deleting them.
[389-devel] Please review: [389 Project] #529: dn normalization must handle multiple space characters in attributes
https://fedorahosted.org/389/ticket/529
https://fedorahosted.org/389/attachment/ticket/529/0001-Ticket-529-dn-normalization-must-handle-multiple-spa.2.patch

Bug description: This is the second half of the fix for #529. The first half fixed the DN normalization which used to allow DNs where only the number of spaces is different. Now it is rejected as expected. But it breaks the backward compatibility.

Fix description: The upgrade script 80upgradednformat.pl called from setup-ds.pl -u checks the duplicated DNs and renames them if necessary. For instance, if there are 2 DNs:
  cn=test user0,dc=example,dc=com (entryid: N)
  cn=testuser0,dc=example,dc=com (entryid: M)
then the upgrade script/tool modifies the second one as follows:
  cn=test user0 M,dc=example,dc=com (entryid: M)
and the original cn: testuser0 is kept in the attribute. The modified result is reported in setup-ds.pl -u as follows:
  Duplicated DN(s) were found and renamed. Renamed entry IDs are listed in /var/lib/dirsrv/slapd-ID/ldif/userRoot_conflict.txt.
Contents of the conflict.txt:
  prinary entry ID: duplicated entry IDs
  13:16 18
  14:17
[389-devel] Please review: [389 Project] #608: Posix Winsync plugin throws posix_winsync_end_update_cb: failed to add task entry error message
https://fedorahosted.org/389/ticket/608
https://fedorahosted.org/389/attachment/ticket/608/0001-Ticket-608-Posix-Winsync-plugin-throws-posix_winsync.patch

Bug description: When a task posixWinsyncCreateMemberOfTask is already running and another same task request is received, the Posix Winsync Plug-in issues an error posix-winsync - posix_winsync_end_update_cb: failed to add task entry. This is not an error but an expected behaviour.

Fix description: Instead of filing the message as SLAPI_LOG_FATAL, this patch logs a clearer message task entry taskname already exists if the log level is SLAPI_LOG_PLUGIN. posix_winsync_end_update_cb
[389-devel] Please review: [389 Project] #47330: changelog db extension / upgrade is obsolete
https://fedorahosted.org/389/ticket/47330
https://fedorahosted.org/389/attachment/ticket/47330/0001-Ticket-47330-changelog-db-extension-upgrade-is-obsol.patch

Bug Description: Upgrading from db4 to db5 was not implemented in changelog db code.

Fix Description: Implemented upgrading changelog db from db4 to db5. The db extension for db4 is .db4; for the newer BDB version, it is .db without the major version number. This is the same format as the main db.
[389-devel] Please review: [389 Project] #47313: Indexed search with filter containing '' and ! with attribute subtypes gives wrong result
https://fedorahosted.org/389/ticket/47313
https://fedorahosted.org/389/attachment/ticket/47313/0001-Ticket-47313-Indexed-search-with-filter-containing-a.patch

Bug description: Index db files do not contain the subtype knowledge, which is only in the primary id2entry db and entries in the memory. If the search filter includes subtype in the NOT condition and the type is indexed, the condition is mistakenly simplified to the one equivalent to not having the subtype. E.g., if the given filter is ((cn=A*)(!(cn;fr=ABC en)), it's evaluated as ((cn=A*)(!(cn=ABC en)).

Fix description: If a filter contains a subtype in NOT condition, we give up using the index and leave the not evaluation to the search return code.
Re: [389-devel] Please Review: Add git commit hash to developer rpm build name
Nathan Kinder wrote:
ack!
[389-devel] Please review: [389 Project] #47347: Simple paged results should support async search
https://fedorahosted.org/389/ticket/47347
https://fedorahosted.org/389/attachment/ticket/47347/0001-Ticket-47347-Simple-paged-results-should-support-asy.patch

Bug description: Simple paged results serialized the request even for a series of asynchronous search requests, and it returned error 53 (unwilling to perform) if the second request comes in while the first one is being processed.

Fix description: This patch implements the asynchronous support for the Simple paged results search.
- Removed pagedresults_check_or_set_processing which was used to make Simple paged results requests exclusive. Instead, pagedresults_lock is introduced to protect the PagedResults object from the other threads sharing the same cookie.
- If any error occurred, including hitting the sizelimit or timelimit, the search result set was released immediately in ldbm_back_next_search_entry_ext, which could cause the race condition among multiple asynchronous search requests. To prevent it, the search result set is untouched if the operation is a Simple paged result search, and its clean up function is left to handle it.
- Sizelimit was evaluated in the accumulative way instead of on the each page size. For instance, if the sizelimit was 101 AND the page size is 100, as soon as getting the 2nd page, it hit the sizelimit and the search failed. This patch fixes it so that as long as the requested page size is less than 101, the requests successfully continue without getting an error 4 (LDAP_SIZELIMIT_EXCEEDED). To fulfill the requirement, the current size needs to be managed per operation instead of the search result set or PagedResults object. For the purpose, introduced o_pagedresults_sizelimit to Slapi_Operation.
- When shutting down, connection_table_free could use backend callback (e.g., be_search_results_release). Therefore, moved be_cleanupall after connection_table_free.
- Each Simple paged results helper function checks whether a Simple paged results request control is really associated with the operation, to prevent any unexpected behaviour.
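The sizelimit accounting change described in the post above, as an added model that is not part of the original post and not the server's code: the same paged search is run once with the counter kept with the result set and once with the counter kept per operation. The struct, the function name and the rule that an entry is refused once the counter already equals the sizelimit are assumptions of this example; the case where the page size equals the sizelimit is not asserted.

```c
#include <stdio.h>

#define LDAP_SUCCESS            0
#define LDAP_SIZELIMIT_EXCEEDED 4

enum accounting { CUMULATIVE, PER_OPERATION };

struct paged_outcome {
    int result;     /* LDAP result code of the last page request */
    int pages;      /* page requests that completed without an error */
    int entries;    /* entries returned over all page requests */
};

/* Walk a result set of `matching` entries in pages of `page_size` entries.
 * Every page request is its own operation; sizelimit < 0 means unlimited. */
struct paged_outcome paged_search(int matching, int page_size, int sizelimit,
                                  enum accounting mode)
{
    struct paged_outcome out = { LDAP_SUCCESS, 0, 0 };
    int result_set_count = 0;   /* kept with the result set: survives across pages */
    int next = 0;               /* cursor into the result set */

    if (page_size <= 0)
        return out;
    while (next < matching) {
        int op_count = 0;       /* kept with the operation: starts at 0 for each page */
        int sent = 0;

        while (sent < page_size && next < matching) {
            int *counter = (mode == CUMULATIVE) ? &result_set_count : &op_count;

            if (sizelimit >= 0 && *counter >= sizelimit) {
                out.result = LDAP_SIZELIMIT_EXCEEDED;
                return out;
            }
            (*counter)++;
            sent++;
            next++;
            out.entries++;
        }
        out.pages++;
    }
    return out;
}

int main(void)
{
    /* Constructed case using the numbers from the post: sizelimit 101, page size 100. */
    struct paged_outcome before = paged_search(250, 100, 101, CUMULATIVE);
    struct paged_outcome after = paged_search(250, 100, 101, PER_OPERATION);

    printf("cumulative:    result=%d pages=%d entries=%d\n",
           before.result, before.pages, before.entries);
    printf("per operation: result=%d pages=%d entries=%d\n",
           after.result, after.pages, after.entries);
    return 0;
}
```

With per-operation accounting the sizelimit bounds each page rather than the whole walk, so the total returned over all pages can exceed it.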
[389-devel] Please review: [389 Project] #529: dn normalization must handle multiple space characters in attributes
https://fedorahosted.org/389/ticket/529
https://fedorahosted.org/389/attachment/ticket/529/0001-Ticket-529-dn-normalization-must-handle-multiple-spa.7.patch

Thanks so much to Thierry for finding out this bug.

Bug Description: Commit 69ff83598d517bed84922b1c7dd67cab023b4d99 had a flaw -- handling normdn in upgradedn_producer had a problem. The string was passed to the Slapi_DN in the entry using slapi_sdn_init_dn_passin, while the string could be modified at other places.

Fix Description: This patch manages the normdn string more carefully.
[389-devel] Please review: [389 Project] #47367: ldapdelete returns non-leaf entry error while trying to remove a leaf entry
https://fedorahosted.org/389/ticket/47367
https://fedorahosted.org/389/attachment/ticket/47367/0001-Ticket-47367-phase-1-ldapdelete-returns-non-leaf-ent.patch

Bug description: Replication conflict confuses the numsubordinate count, which leaves an entry that cannot be deleted even if its subordinate entries are all removed.

Fix description:

[urp.c] get_dn_plus_uniqueid: a logic to create a conflict DN had a bug. It used to call slapi_sdn_get_rdn to get the rdn. The function slapi_sdn_get_rdn blindly returned the dn field without checking whether the field is NULL or not. Instead, this patch changes the interface of the helper function get_dn_plus_uniqueid and uses the original Slapi_DN with slapi_sdn_get_dn, then generates the conflict DN nsuniqueid=...+RDN,PARENT.

[ldbm_delete.c] This patch removes 2 PR_ASSERT calls for is_tombstone_entry, which allows us to test deleting a tombstone entry without aborting the server built with debug flag.

[ldbm_entryrdn.c] When traversing the DIT, a special treatment is needed for a tombstone entry. I.e., 2 RDNs (nsuniqueid=..., RDN) are treated as one RDN. It should decrement the index (rdnidx) one more to point to the right position of the RDN array in Slapi_RDN.

[ldbm_search.c] When checking the scope of an entry in ldbm_back_next_search_entry_ext, a tombstone entry was not properly examined. This patch introduces a new slapi api slapi_sdn_scope_test_ext.

[dn.c] In slapi_sdn_get_rdn, use slapi_sdn_get_dn to get the dn value of Slapi_DN. It was one cause of the problem in get_dn_plus_uniqueid (urp.c). This patch adds slapi_sdn_scope_test_ext, which takes flags to indicate the first argument dn is a tombstone sdn. Also, this patch replaces malloc + strcpy + strcat with slapi_ch_smprintf to improve the readability of the code.

[rdn.c] This patch replaces malloc + strcpy + strcat with slapi_ch_smprintf to improve the readability of the code.

Note: this patch is for 389-ds-base-1.2.11. To apply this patch to master, it requires a few conflict fixes.
[389-devel] Please review (take 2): [389 Project] #47367: ldapdelete returns non-leaf entry error while trying to remove a leaf entry
https://fedorahosted.org/389/ticket/47367

0001-Ticket-47367-phase-1-ldapdelete-returns-non-leaf-ent.patch: revised git patch file (389-ds-base-1.2.11 branch)
https://fedorahosted.org/389/attachment/ticket/47367/0001-Ticket-47367-phase-1-ldapdelete-returns-non-leaf-ent.patch
https://fedorahosted.org/389/raw-attachment/ticket/47367/0001-Ticket-47367-phase-1-ldapdelete-returns-non-leaf-ent.patch

0002-snapshot.patch: Diffs from the previous patch
https://fedorahosted.org/389/attachment/ticket/47367/0002-snapshot.patch
https://fedorahosted.org/389/raw-attachment/ticket/47367/0002-snapshot.patch

In addition, the heavier test revealed more issues in the deletion. Revised patch contains this fix:

[ldbm_delete.c] There is a case where a parent of a delete-candidate entry runs into a conflict and multiple parent entries exist. Once it occurs, a parent entry found by the parent dn string may not be the entry which manages the numsubordinate count the delete-candidate entry belongs to. It confuses the numsubordinate counts and leaves an entry which cannot be deleted due to the numsubordinate count mismatch. This patch retrieves parent entry by parent id if it is available.
[389-devel] Please review: [389 Project] #569: examine replication code to reduce amount of stored state information
https://fedorahosted.org/389/ticket/569
https://fedorahosted.org/389/attachment/ticket/569/0001-Ticket-569-examine-replication-code-to-reduce-amount.patch

Description: commit c7f6f161f4967635d6f02b029be571d88ec61961 made this change:
  In case the deleted value list in an attribute is empty:
   * this means the entry is deleted and has no more attributes,
   * when writing the attr to disk we would loose the AD-csn.
   * Add an empty value to the set of deleted values. This will
   * never be seen by any client. It will never be moved to the
   * present values and is only used to preserve the AD-csn.
The AD-csn size was not counted for the buffer size to allocate. This patch adds the size.

Note: Closing #47360: Delete attribute could crash the server as a duplicate of this bug.
[389-devel] Please review: [389 Project] #47400: MMR stress test with dna enabled causes a deadlock
https://fedorahosted.org/389/ticket/47400
https://fedorahosted.org/389/attachment/ticket/47400/0001-Ticket-47400-MMR-stress-test-with-dna-enabled-causes.patch

Bug description: Under the heavy add/delete posix user entries, dna_update_config_event causes a deadlock.

Fix description: dna_update_config_event starts transaction before updating the shared config entry to avoid the deadlock situation.
[389-devel] Please review: [389 Project] #521: modrdn + NSMMReplicationPlugin - Consumer failed to replay change
https://fedorahosted.org/389/ticket/521
https://fedorahosted.org/389/attachment/ticket/521/0001-Ticket-521-modrdn-NSMMReplicationPlugin-Consumer-fai.patch

Bug description: modrdn on AD is synchronized to DS, but the other way does not get synchronized.

Fix description:
1) process_replay_rename (windows_protocol_util.c): If newparent was NULL, the rename operation was skipped. This patch sets the original parent dn to the newparent.
2) process_replay_rename (windows_protocol_util.c): AD does not accept deleteoldrdn == 0 (Old RDN must be deleted). If deleteoldrdn is 0, it is replaced with 1 before sending the request to AD.
3) is_subject_of_agreement_remote (windows_protocol_util.c): When checking if the entry was in the subtree defined in the agreement or not, it returned true only if the entry is a direct child of the agreement subtree top. This patch returns true if the entry is the further descendent of the subtree.
4) This patch adds more NULL reference checks.
5) When the given dn is already normalized, sets it to Slapi_DN as a normalized dn. It saves an unnecessary dn normalization.
6) Logs in windows sync specific code are prefixed with NSMMReplicationPlugin - windows sync.
[389-devel] Please review: [389 Project] #47310: Attribute dsOnlyMemberUid not allowed when syncing nested posix groups from AD with posixWinsync
https://fedorahosted.org/389/ticket/47310
https://fedorahosted.org/389/attachment/ticket/47310/0001-Ticket-47310-Attribute-dsOnlyMemberUid-not-allowed-w.patch

Bug description: When Posix Winsync API plug-in is configured with posixWinsyncMapMemberUid and posixWinsyncMapNestedGrouping enabled (true), Posix Group added to AD is synchronized to DS with mapped dsOnlyMemberUid and memberUid. When adding a Posix Group with the nested group member, addGroupMembership function adds dynamicGroup to objectClass to allow the Posix Group entry to have dsOnlyMemberUid. The add should be made against the entry in the memory since the entry is not yet stored in the database, but it was trying to modify against the backend.

Fix description: This patch directly adds dynamicGroup to the objectclass valueset, by which the attribute dsOnlyMemberUid is allowed to add to the entry.

In addition,
1) when reflecting the mapped memberUid on DS to AD, the logic was corrected to if dsOnlyMemberUid matches memberUid,
2) when the Posix Group is nested in the multiple levels, the mapped memberUid was not retrieved. The code was added.
[389-devel] Please review: [389 Project] #48: Active Directory has certain uids which are reserved and will cause a Directory Server replica initialization of an AD server to abort.
https://fedorahosted.org/389/ticket/48
https://fedorahosted.org/389/attachment/ticket/48/0001-Ticket-48-Active-Directory-has-certain-uids-which-ar.patch

Bug description: Some account names (e.g. service) are reserved in Active Directory. If DS has an entry having such an NT user ID and the entry is synchronized to the AD, it fails with LDAP_ALREADY_EXISTS, but the error is gracefully ignored. In the total update, updating Account Control bit follows the failed add, which fails since the AD entry WinSync expects does not exist and it aborts the total update.

Fix description: If adding a DS entry to AD fails and the updating Account Control bit also fails, the following note is logged in the error log and the total update continues:
  windows_process_total_add: Creating AD entry cn=service service, cn=Users,dc=EXAMPLE,dc=COM from DS entry uid=service,ou=People, dc=example,dc=com failed. AD reserves the account name. Ignoring the error...

In addition, in windows_parse_config_entry, if the attribute values in the agreement are retrieved before the agreement is started, the following error is logged, which is not necessary. This patch stops logging it if the agreement does not set protocol yet.
  Replication agreement for agmt=cn=WinSync could not be updated. For replication to take place, please enable the suffix and restart the server.
Re: [389-devel] Please review: fix mem leak in admldapBuildInfoSSL when there is no password
Rich Megginson wrote:
ack
[389-devel] Please review (389-ds-base-1.3.1): [389 Project] #47488: Users from AD sub OU does not sync to IPA
https://fedorahosted.org/389/ticket/47488
https://fedorahosted.org/389/attachment/ticket/47488/0001-Ticket-47488-Users-from-AD-sub-OU-does-not-sync-to-I.patch

Bug description: When processing a DN from AD, the DN is passed to a helper function is_subject_of_agreement_remote (windows_protocol_util.c) to check if the DN is a subject of the sync service or not. The helper function was checking if the AD DN is just one-level child of the agreement subtree top (nsds7WindowsReplicaSubtree) but not the subtree-level descendents. Note: the DN is an original one in AD, which has not been flattened yet. Therefore, the AD entry was determined not to be synchronized.

Fix description: This bug was fixed in the master tree with the ticket #521 https://fedorahosted.org/389/ticket/521 - modrdn + NSMMReplicationPlugin - Consumer failed to replay change.
3) is_subject_of_agreement_remote (windows_protocol_util.c): When checking if the entry was in the subtree defined in the agreement or not, it returned true only if the entry is a direct child of the agreement subtree top. This patch returns true if the entry is the further descendent of the subtree.
The fix is back ported to 389-ds-base-1.3.1 branch.
[389-devel] Please review: [389 Project] #197: rhds82 rfe - BDB backend - clear free page files to reduce changelog size
https://fedorahosted.org/389/ticket/197
https://fedorahosted.org/389/attachment/ticket/197/0001-Ticket-197-BDB-backend-clear-free-page-files-to-redu.patch

Bug description: Even if entries in the database and changes in the changelog database are deleted/trimmed, the unused pages of the databases were not returned to the filesystem.

Fix description: This patch calls the compact API that Berkeley DB provides, which compacts the database. 2 config parameters are introduced to specify the interval of the compact calls.
Primary DBs (id2entry):
  dn: cn=config,cn=ldbm database,cn=plugins,cn=config
  nsslapd-db-compactdb-interval: seconds
Changelog DBs:
  dn: cn=changelog5,cn=config
  nsslapd-changelogcompactdb-interval: seconds
By default, 2592000 seconds (30 days)
Re: [389-devel] RFC: New Design: Fine Grained ID List Size
Rich Megginson wrote:
Please review and comment: http://port389.org/wiki/Design/Fine_Grained_ID_List_Size

Hi Rich,

A nice design! It looks promising to solve the sticky problems.

Can I add a request -- a flag or something to the value to switch the behaviour? E.g.,
  nsIndexIDListScanLimit: maxsize[:indextype]/[:flags]/[:value[,value...]]
The flags could be KEYWORD_1|KEYWORD_2|... By default, no flags.

I only have one use case for now, but we may want to apply the scan limit only when the specific filter is in AND, i.e., ((objectclass=inetorgperson)(uid=UserA)), but not to the standalone filter (objectclass=inetorgperson). This could be useful when DB stores millions of inetorgperson's as well as millions of other objectclasses. But not useful at all, if 99% of the entries are inetorgperson. So, for example, the keyword could be ANDONLY...?

Thanks,
--noriko
[389-devel] Please review: [389 Project] #460: support multiple subtrees and filters
https://fedorahosted.org/389/ticket/460
https://fedorahosted.org/389/attachment/ticket/460/0001-Ticket-460-support-multiple-subtrees-and-filters.patch

Description:

1. support multiple subtrees
new config parameter in windows sync agreement:
  winSyncSubtreePair: DS Subtree:AD Subtree
Example:
  winSyncSubtreePair: ou=OU1,dc=DSexample,dc=com:ou=OU1,DC=ADexample,DC=com
  winSyncSubtreePair: ou=OU2,dc=DSexample,dc=com:ou=OU2,DC=ADexample,DC=com
  winSyncSubtreePair: ou=OU3,dc=DSexample,dc=com:ou=OU3,DC=ADexample,DC=com
. Attribute type winSyncSubtreePair is added to the objectclass nsDSWindowsReplicationAgreement.
. If winSyncSubtreePair is not set, there is no behavioral difference: the AD subtree nsds7WindowsReplicaSubtree and the DS subtree nsds7DirectoryReplicaSubtree are used for the sync target checks.
. When winSyncSubtreePair is set, the above 2 config parameters are ignored. To determine if an entry is the target of the synchronization, the DN is examined whether the DN is a descendent of any of the subtrees or not. If it is, the subtree of the counter part is retrieved. Moving an entry from one subtree to another is synchronized. Members of a group are synchronized as long as the member entry is in any of the defined subtrees.

2. support filters
new config parameters in windows sync agreement:
  nsds7WindowsFilter: additional filter on AD
  nsds7DirectoryFilter: additional filter on DS
Example:
  nsds7WindowsFilter: (|(cn=*user*)(cn=*group*))
  nsds7DirectoryFilter: (|(uid=*user*)(cn=*group*))
. The filters are set to the windows_userfilter and directory_userfilter in the private area in the windows agreement. And when each server is searched the filters are added to the internal filter. For instance, filters shown in the above Example allow synchronizing the entries whose CN contains user or group.

3. Misc
. Added slapi_sdn_set_ndn_byref, slapi_sdn_set_ndn_passin, and slapi_sdn_common_ancestor to dn.c (see also slapi-plugin.h).
. Fixed memory leaks.
. Fixed some of the mixed indentations.
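An added example, not part of the posts and not the project's code, covering the subtree test from tickets #521 and #47488 and the winSyncSubtreePair lookup described above: it contrasts the direct-child check with the descendant check and matches only on RDN boundaries, so an escaped comma cannot place a DN in the wrong subtree. All function and struct names are hypothetical, DNs are assumed to be normalized already, the pair value is assumed to split at the first ':', and the DNs in main are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Offset at which `top` starts inside `dn` when dn is at or below top, else -1.
 * The match must start on an RDN boundary: the start of the string or an
 * unescaped ','. Assumption: both DNs are already normalized. */
static long subtree_offset(const char *dn, const char *top)
{
    size_t dl = strlen(dn), tl = strlen(top), off, i, bs = 0;
    if (tl == 0 || tl > dl)
        return -1;
    off = dl - tl;
    if (strcasecmp(dn + off, top) != 0)
        return -1;
    if (off == 0)
        return 0;                        /* dn is the subtree top itself */
    if (dn[off - 1] != ',')
        return -1;                       /* "xou=OU1,..." is not "ou=OU1,..." */
    for (i = off - 1; i > 0 && dn[i - 1] == '\\'; i--)
        bs++;
    return (bs % 2) ? -1 : (long)off;    /* odd count: that ',' is escaped */
}

/* -1: outside the subtree, 0: the top itself, n: n RDNs below the top. */
int dn_depth_below(const char *dn, const char *top)
{
    long off = subtree_offset(dn, top), i;
    int depth = 1;
    if (off <= 0)
        return (int)off;
    for (i = 0; i < off - 1; i++) {
        if (dn[i] == '\\')
            i++;                         /* skip the escaped character */
        else if (dn[i] == ',')
            depth++;
    }
    return depth;
}

/* The check as described before the fix (direct children only) and after it. */
int is_subject_before(const char *dn, const char *top) { return dn_depth_below(dn, top) == 1; }
int is_subject_after(const char *dn, const char *top) { return dn_depth_below(dn, top) >= 1; }

struct subtree_pair { char ds[256]; char ad[256]; };

/* Parse "DS Subtree:AD Subtree". Assumption of this example: split at the
 * first ':'. Returns 0 on success, -1 on a malformed or oversized value. */
int parse_subtree_pair(const char *value, struct subtree_pair *out)
{
    const char *sep = strchr(value, ':');
    size_t dsl, adl;
    if (sep == NULL || sep == value || sep[1] == '\0')
        return -1;
    dsl = (size_t)(sep - value);
    adl = strlen(sep + 1);
    if (dsl >= sizeof(out->ds) || adl >= sizeof(out->ad))
        return -1;
    memcpy(out->ds, value, dsl);
    out->ds[dsl] = '\0';
    memcpy(out->ad, sep + 1, adl + 1);
    return 0;
}

/* AD subtree of the first pair whose DS subtree has ds_dn as a descendant, else NULL. */
const char *counterpart_subtree(const char *ds_dn, const struct subtree_pair *pairs, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (is_subject_after(ds_dn, pairs[i].ds))
            return pairs[i].ad;
    return NULL;
}

/* Look a DN up in the winSyncSubtreePair values given as the example in the post. */
const char *lookup_sample(const char *ds_dn)
{
    static const char *config[] = {
        "ou=OU1,dc=DSexample,dc=com:ou=OU1,DC=ADexample,DC=com",
        "ou=OU2,dc=DSexample,dc=com:ou=OU2,DC=ADexample,DC=com",
        "ou=OU3,dc=DSexample,dc=com:ou=OU3,DC=ADexample,DC=com",
    };
    static struct subtree_pair pairs[3];
    size_t i;
    for (i = 0; i < 3; i++)
        if (parse_subtree_pair(config[i], &pairs[i]) != 0)
            return NULL;
    return counterpart_subtree(ds_dn, pairs, 3);
}

int main(void)
{
    const char *dn = "uid=u2,ou=sub,ou=OU2,dc=DSexample,dc=com";  /* constructed */
    const char *top = "ou=OU2,dc=DSexample,dc=com", *ad = lookup_sample(dn);
    printf("before=%d after=%d counterpart=%s\n", is_subject_before(dn, top),
           is_subject_after(dn, top), ad ? ad : "(none)");
    return 0;
}
```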
[389-devel] Please review: [389 Project] #47492: PassSync removes User must change password flag on the Windows side
https://fedorahosted.org/389/ticket/47492
https://fedorahosted.org/389/attachment/ticket/47492/0001-Ticket-47492-PassSync-removes-User-must-change-passw.patch

Bug description: Windows Sync sends password modify even if it is from PassSync originated on AD. The modify updates the pwdLastSet attribute value to non-zero value. The value 0 indicates the password must change at next logon on AD.

Fix description: Before sending the password modify, check whether the current pwdLastSet value is 0 or not. If it is 0 (means the password must change), reset pwdLastSet value to 0 along with the password modify. This operation replaces the password on AD, but the password still must change at next logon.

Note: If password must change at next logon on both DS and AD, the password needs to be changed by the user on both servers to enable it on each.
[389-devel] Please review: [389 Project] #47523: Set up replcation/agreement before initializing the sub suffix, the sub suffix is not found by ldapsearch
https://fedorahosted.org/389/ticket/47523
https://fedorahosted.org/389/attachment/ticket/47523/0001-Ticket-47523-Set-up-replcation-agreement-before-init.patch

Bug description: If a replication is configured against a backend before initializing the backend with a suffix entry, an RUV entry is inserted first with the entryid 1. The RUV entry's entryrdn is added to the entryrdn index with a suffix entry which is a parent entry of the RUV entry having a temporary entryid 0, which was to be replaced with the real entryid when the real suffix entry is added. But the replacement code was not executed.

Fix description: When a real suffix is added to the entryrdn index, it returns DB_KEYEXIST, which used to be ignored by resetting 0 (== SUCCESS). This patch returns DB_KEYEXIST to the caller and lets _entryrdn_insert_key use the info to replace the temporary entryid with the real one. The error code is ignored by the other callers.
[389-devel] Please review: [389 Project] #54: locale nl not supported by collation plugin
https://fedorahosted.org/389/ticket/54
https://fedorahosted.org/389/attachment/ticket/54/0001-Ticket-54-locale-nl-not-supported-by-collation-plugi.patch

Bug description: In the recent version of ICU, some locales do not have their own specific collator, but are included in the default (root) locale. nl, en, and fr are in the class. ICU API ucol_open takes the locale string and returns the collator with the status. If the locale has no dedicated collator and the root collator is picked up, status U_USING_DEFAULT_WARNING is returned, which is not an error. But collation_indexer_create (collate.c) treats it as an error and stops the collation.

Fix description: As ICU doc suggests, error checking for ucol_open is replaced with (U_SUCCESS(err), by which the status U_USING_DEFAULT_WARNING is correctly handled.
[389-devel] Please review: [389 Project] #53: Need to update supported locales
https://fedorahosted.org/389/ticket/53
https://fedorahosted.org/389/attachment/ticket/53/0001-Ticket-53-Need-to-update-supported-locales.patch

Description: This patch adds locales that were newly supported by ICU to slapd-collations.conf. (OID 2.16.840.1.113730.3.3.2.51.1 through 2.16.840.1.113730.3.3.2.244.1) Upgrade script 60upgradeconfigfiles.pl is also added.
[389-devel] Please review: [389 Project] #47530: dbscan on entryrdn should show all matching values
https://fedorahosted.org/389/ticket/47530
https://fedorahosted.org/389/attachment/ticket/47530/0001-Ticket-47530-dbscan-on-entryrdn-should-show-all-matc.patch

Bug description:
1. When the key format of entryrdn was updated (eliminated ':' from the key), the dbscan was not updated.
2. If a key is passed with -k option and if the key has multiple values, only the first one was printed.

Fix description:
1. The key format is adjusted to the entryrdn code.
2. Multi-valued key is supported.

Usage:
  dbscan -f entryrdn.db
    Scan entryrdn based on the order of the key (oid - 1,2,..., Coid - C1,C2,..., Poid - P1,P2,...).
  dbscan -f entryrdn.db -k key
    where the key could be suffix or key (oid, Coid, Poid)
    The scan starts from the item of the key and traverses its descendants.
Re: [389-devel] switch to F19 for autogen?
(2013-10-09 15:24), Rich Megginson wrote:
On 10/09/2013 04:12 PM, Nathan Kinder wrote:
On 10/09/2013 01:21 PM, Rich Megginson wrote:
In the interest of reducing the autotool file churn, is everyone ok with switching to using F19 to run autogen?
Ack. If we want to enforce that for master, we could update the version checks in autogen.sh to require the F19 versions as a minimum.
Any objections? Speak now or be required to use F19 for autotool changes . . .
noriko
No objections.
[389-devel] Please review: [389 Project] #47422: With 1.3.04 and subtree-renaming OFF, when a user is deleted after restarting the server, the same entry can't be added
https://fedorahosted.org/389/ticket/47422 https://fedorahosted.org/389/attachment/ticket/47422/0001-Ticket-47422-With-1.3.04-and-subtree-renaming-OFF-wh.patch Bug description: {{{ 1) As reported by baburaje12, regardless of the nsslapd-subtree-rename-switch, entrydn was not stored in the id2entry db. The attribute value had to be stored in the db file if the switch was off. Attribute values to avoid storing in the db file are maintained in an array protected_attrs_all statically. Entrydn should be dynamic depending on the switch. 2) When the switch is off, import was skipping to generate the parentid index, which leads to skipping to create the entrydn, as well. }}} Fix description: {{{ 1) Instead of keeping entrydn in the protected_attrs_all statically, this patch introduces an api set_attr_to_protected_list to add or remove entrydn based upon the value of nsslapd-subtree-rename-switch. 2) The condition to create a parentid index is fixed to always create it if the nsslapd-subtree-rename-switch is off. }}} -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review (take 2): [389 Project] #47530: dbscan on entryrdn should show all matching values
https://fedorahosted.org/389/ticket/47530 https://fedorahosted.org/389/attachment/ticket/47530/0001-Ticket-47530-dbscan-on-entryrdn-should-show-all-matc.2.patch Bug description: {{{ 1) commit bded3015acdd5c71f05ceb10f10af220a02e6f74 was not a complete patch, which was failing in the case the entryrdn key is not given. 2) Coverity 13190: Logically dead code }}} Fix description: {{{ 1) If an entryrdn key is not given, it sets DB_NEXT to the db flag and continues scanning the entryrdn index. 2) The unnecessary checking 0 for the return code rc is removed. }}} -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47555: db2bak.pl issue when specifying non-default directory
https://fedorahosted.org/389/attachment/ticket/47555/0001-Ticket-47555-db2bak.pl-issue-when-specifying-non-def.patch Bug description: db2bak.pl takes an option -a backupdir, which is supposed to be generated by the server and used as a backup directory. But since the created directory inherits the parent's selinux context, it may fail to store the backup files in the directory. Fix description: As the reporter agaviola suggested, it should be a good idea to add one more level to the archive directory. $archivedir = ${archivedir}/ID-${yr}_${mn}_${dy}_${h}_${m}_${s}; But to keep the backward compatibility, introducing a new option -A backupdir and when -A is given, storing the backup files in the nested backup directory. If the option is -a backupdir, the backup files are stored in the backupdir. Also, this patch sets the right ownership and selinux context to the generated directory. Note: if the parent directories of the created backupdir do not have the correct selinux context, even if the last directory's setting is correct, storing the backup files fails. It is the user's responsibility to set them correctly. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Building 389-ds-base-1.3.2.3
Building 389-ds-base-1.3.2.3 including the following patches (in addition to 1.3.2.2). 144869f bump version to 1.3.2.3 a4073a8 Ticket #47515 Fedora 20: setup-ds-admin.pl b5676ab Ticket 47569 - Fix build warnings 2b7cbb8 Ticket 47569 - ACIs do not allow attribute subtypes in targetattr keyword 8bfefb6 Ticket 47565 - Content Sync update file needs extensibleObject 9b0e6a3 Ticket 47560: fixup memberof task does not work: task entry not added 7b3b2fe Ticket #47559 hung server - related to sasl and initialize Please let me know if there's something else we'd like to add to the release. Thanks, --noriko -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #538: hardcoded sasl2 plugin path in ldaputil.c, saslbind.c
https://fedorahosted.org/389/ticket/538 https://fedorahosted.org/389/attachment/ticket/538/0001-Ticket-538-hardcoded-sasl2-plugin-path-in-ldaputil.c.patch Bug description: The hardcoded sasl2 path is Fedora/RHEL specific. It needs to support other architectures with other filesystem format. Fix description: This patch supports ARM architectures with GNU triplet format. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47589: Winsync replica initialization and incremental updates from DS to AD fails on RHEL7
https://fedorahosted.org/389/ticket/47589 https://fedorahosted.org/389/attachment/ticket/47589/0001-Ticket-47589-Winsync-replica-initialization-and-incr.patch Bug description: Cherry-picking the fix for Ticket #47492 - PassSync removes User must change password flag on the Windows side (commit 8d34f77f6d8d3c83dce1f29e6df709df1adef09d) dropped one line to set suffix in map_entry_dn_outbound. Fix description: This patch recovers the suffix setting code. Note: this fix requires 389-ds-base-1.3.1 respin. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #605: support TLS 1.1
https://fedorahosted.org/389/ticket/605 https://fedorahosted.org/389/attachment/ticket/605/0001-Ticket-605-support-TLS-1.1.patch Description: NSS 3.14 deprecates the current way to configure SSL versions: SSL_OptionSet(pr_sock, SSL_ENABLE_SSL3|SSL_ENABLE_TLS, True|False) Instead, it introduces new range APIs to provide more detailed SSL version control by using SSL_VersionRangeSet(pr_sock, NSSVersions). The NSSVersions has 2 fields min and max, which take the minimum and maximum SSL versions. By default, slapd_ssl_init2 sets the default supported range by NSS, which is min: SSL3 and max: TLS1.2. This patch adds 2 config params sslVersionMin and sslVersionMax to cn=encryption,cn=config to provide the ability to control the values. Both take: ssl3 or tls1.?. If the range is not supported by the NSS or conflicts with the current params nsSSL3 and nsTLS1, it'd be adjusted. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47313: Indexed search with filter containing '' and ! with attribute subtypes gives wrong result
https://fedorahosted.org/389/ticket/47313 https://fedorahosted.org/389/attachment/ticket/47313/0001-Ticket-47313-Indexed-search-with-filter-containing-a.2.patch Description: commit fae006821bd6e524c0f7f8d5f023f4fe5e160ef0 introduced a bug, which occurs when a filter includes NOT and one of the results from the subfilters returns NONE. This patch backs off the last section of the commit fae006821bd6e524c0f7f8d5f023f4fe5e160ef0 with an improvement -- avoiding unnecessary idl duplication. Also, adding (NULL == idl) checks to idl_common.c. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review (take 3): [389 Project] #47606: replica init/bulk import errors should be more verbose
https://fedorahosted.org/389/ticket/47606 https://fedorahosted.org/389/attachment/ticket/47606/0001-Ticket-47606-replica-init-bulk-import-errors-should-.3.patch Responding to the comment by Rich (https://fedorahosted.org/389/ticket/47606#comment:13), 389 Project wrote: Thanks for your comments, Rich. The code skipping a failed entry instead of failing there in bulk_import_queue was backed off. And this is the cause why repl5_tot_waitfor_async_results did not return with done when a failure was returned from the connection. 3. In repl5_tot_result_threadmain, when conn_read_result_ex returns non zero (non SUCCESS), it sets abort, but does not set any error code to rc (return code), which is not considered as finished in repl5_tot_waitfor_async_results and it continues waiting until the code reaches the max loop count (about 5 minutes). This patch sets LDAP_CONNECT_ERROR to the return code along with setting abort, if conn_read_result_ex returns CONN_NOT_CONNECTED. This makes the bulk import finish quickly when it fails. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47571: targetattr ACIs ignore subtype
https://fedorahosted.org/389/ticket/47571 https://fedorahosted.org/389/attachment/ticket/47571/0001-Ticket-47571-targetattr-ACIs-ignore-subtype.patch Description: Subtypes in targetattr, userattr in aci as well as filter and attribute list in the search are supported. * If targetattr contains subtypes, the base type only as well as other subtypes are not allowed to access (or denied to access). * If userattr contains subtypes, the base type as well as other subtypes in entries do not match the userattr value. * If attribute list in search has a base type attribute, and a targetattr has a type with subtypes, then only the subtyped value is returned. E.g., attribute list: sn targetattr: sn;en == sn;en: sn-en-value is returned but sn or sn;fr is not. If attribute list has a type with subtype, then if the targetattr allows the subtype, the value is returned. E.g., attribute list: sn;en targetattr: sn;en == sn;en: sn-en-value is returned but sn or sn;fr is not. 1) slapd/attr.c Added another compare type SLAPI_TYPE_CMP_SUBTYPES to comp_cmp which is called by slapi_attr_type_cmp to support full compare subtypes. 2) plugin/acl.c: Added a helper function acl__attr_subtype_cmp, which calls slapi_attr_type_cmp with SLAPI_TYPE_CMP_SUBTYPES if a type in aci contains subtypes. Some slapi_attr_type_cmp takes SLAPI_TYPE_CMP_SUBTYPES instead of BASE, which was one of the causes of ignoring subtypes. 3) slapd/search.c,result.c send_all_attrs/send_specific_attrs use a dontsendattr array to control the duplicate attribute types. Replaced the logic with a simpler one by creating a charray with no duplicates. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
Re: [389-devel] ACL: Adding object based on owner attribute
Hi Nathaniel, 389-ds-base-1.3.2.10-1 is available from the Fedora 20 Testing and Rawhide repositories, which contains the fix for Ticket 47653 - Need a way to allow users to create entries assigned to themselves. (Please see also http://directory.fedoraproject.org/wiki/Releases/1.3.2.10) If you could try the bits and give a karma / feedback on https://admin.fedoraproject.org/updates/389-ds-base-1.3.2.10-1.fc20, we'd greatly appreciate it. Thanks, --noriko Nathaniel McCallum wrote: I really appreciate the quick fix for this (a9cd4e78f1fd1af5de06aca46c8c10ed70bbe4e1)! Any idea when this will be available in a release and/or Fedora Rawhide? Nathaniel -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review (take 2): [389 Project] #47571: targetattr ACIs ignore subtype
https://fedorahosted.org/389/ticket/47571 https://fedorahosted.org/389/attachment/ticket/47571/0001-Ticket-47571-targetattr-ACIs-ignore-subtype.2.patch Description: Subtypes in targetattr, userattr in aci as well as filter and attribute list in the search are supported. * If targetattr contains subtypes, the base type only as well as other subtypes are not allowed to access (or denied to access). * If userattr contains subtypes, the base type as well as other subtypes in entries do not match the userattr value. * If attribute list in search has a base type attribute, and a targetattr has a type with subtypes, then only the subtyped value is returned. E.g., attribute list: sn targetattr: sn;en == sn;en: sn-en-value and sn;en;phonetic: sn-en-phonetic-value are returned but sn or sn;fr is not. If attribute list has a type with subtype, then if the targetattr allows the subtype, the value is returned. E.g., attribute list: sn;en targetattr: sn;en == sn;en: sn-en-value and sn;en;phonetic: sn-en-phonetic-value are returned but sn or sn;fr is not. 1) slapd/attr.c * slapi_attr_type_cmp assumed the subtype order in 2 args are identical, but it is not always guaranteed. Removed the assumption. * Added another compare type SLAPI_TYPE_CMP_SUBTYPES to comp_cmp which is called by slapi_attr_type_cmp to support full subtypes comparison. 2) plugin/acl.c: * Changed to call slapi_attr_type_cmp with human readable macros, e.g., SLAPI_TYPE_CMP_BASE, SLAPI_TYPE_CMP_SUBTYPE, etc. * Replaced strcasecmp with slapi_attr_type_cmp for attribute type comparison. * Changed to call slapi_attr_type_cmp with SLAPI_TYPE_CMP_SUBTYPES (full subtype comparison) in acl__get_attrEval, where the next attribute to compare is determined. 3) slapd/search.c,result.c send_all_attrs/send_specific_attrs use a dontsendattr array to control the duplicate attribute types. Replaced the logic with a simpler one by creating a charray with no duplicates.
-- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
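The subtype rules in the message above (targetattr sn;en exposes sn;en and sn;en;phonetic but not sn or sn;fr, with subtype order not significant) can be modelled as a set comparison. This is an added example, not code from the patch or from 389-ds-base; struct attr_desc and the functions attr_covers, attr_same and attr_returned are hypothetical names, and the entry attribute names are constructed test input.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_SUBTYPES 8
#define MAX_DESC 128

/* Hypothetical parsed form of "base;subtype;subtype" (not a slapi type). */
struct attr_desc {
    char buf[MAX_DESC];
    const char *base;
    const char *sub[MAX_SUBTYPES];
    int nsub;
};

/* Split a description in place; reject empty base or empty subtypes. */
static int parse_desc(const char *s, struct attr_desc *d)
{
    size_t n = strlen(s);
    char *p;
    if (n == 0 || n >= sizeof(d->buf)) return -1;
    memcpy(d->buf, s, n + 1);
    d->base = d->buf;
    d->nsub = 0;
    p = d->buf;
    while ((p = strchr(p, ';')) != NULL) {
        *p++ = '\0';
        if (*p == '\0' || *p == ';') return -1;
        if (d->nsub == MAX_SUBTYPES) return -1;
        d->sub[d->nsub++] = p;
    }
    return d->base[0] ? 0 : -1;
}

static int has_subtype(const struct attr_desc *d, const char *st)
{
    for (int i = 0; i < d->nsub; i++)
        if (strcasecmp(d->sub[i], st) == 0) return 1;
    return 0;
}

/* 1 if `have` has the same base type and every subtype of `need`,
 * in any order; 0 if not; -1 if either description is malformed. */
int attr_covers(const char *have, const char *need)
{
    struct attr_desc h, n;
    if (parse_desc(have, &h) != 0 || parse_desc(need, &n) != 0) return -1;
    if (strcasecmp(h.base, n.base) != 0) return 0;
    for (int i = 0; i < n.nsub; i++)
        if (!has_subtype(&h, n.sub[i])) return 0;
    return 1;
}

/* Full comparison: same base and same subtype set, order ignored. */
int attr_same(const char *a, const char *b)
{
    int ab = attr_covers(a, b), ba = attr_covers(b, a);
    if (ab < 0 || ba < 0) return -1;
    return ab && ba;
}

/* An entry attribute is sent only if it satisfies both the requested
 * attribute and the ACI's targetattr. Malformed input fails closed. */
int attr_returned(const char *entry_attr, const char *requested,
                  const char *targetattr)
{
    return attr_covers(entry_attr, requested) == 1 &&
           attr_covers(entry_attr, targetattr) == 1;
}

int main(void)
{
    /* Constructed entry attributes, checked against targetattr sn;en. */
    const char *entry[] = { "sn", "sn;en", "sn;fr", "sn;en;phonetic",
                            "sn;phonetic;en" };
    for (size_t i = 0; i < sizeof(entry) / sizeof(entry[0]); i++)
        printf("%-16s requested=sn targetattr=sn;en -> %s\n", entry[i],
               attr_returned(entry[i], "sn", "sn;en") ? "returned" : "withheld");
    return 0;
}
```

A plain strcasecmp on the whole description treats sn;en;phonetic and sn;phonetic;en as different attributes, which is the ordering assumption the message says was removed.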
[389-devel] Please review (one line fix): [389 Project] #47660: config_set_allowed_to_delete_attrs: Valgrind reports Invalid read
https://fedorahosted.org/389/ticket/47660 https://fedorahosted.org/389/attachment/ticket/47660/0001-Ticket-47660-config_set_allowed_to_delete_attrs-Valg.patch -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review (take 3): [389 Project] #443: Deleting attribute present in nsslapd-allowed-to-delete-attrs returns Operations error
https://fedorahosted.org/389/ticket/443 https://fedorahosted.org/389/attachment/ticket/443/0001-Ticket-443-Deleting-attribute-present-in-nsslapd-all.2.patch Take 3 based upon the suggestions from Rich. This is much less invasive than the previous proposal. Thanks, --noriko -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47570: slapi_ldap_init unusable during independent plugin development
https://fedorahosted.org/389/ticket/47570 https://fedorahosted.org/389/attachment/ticket/47570/0001-Ticket-47570-slapi_ldap_init-unusable-during-indepen.patch Description: RFE: making slapi_ldap_init callable without snmp_collator_init. The api slapi_ldap_init calls set_snmp_interaction_row, in which interaction_table_mutex is held. This patch replaces NSPR PR_(Un)Lock with slapi_(un)lock_mutex. The slapi_(un)lock_mutex skips locking if the mutex is not initialized. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47693: Environment variables are not passed when DS is started via service
https://fedorahosted.org/389/ticket/47693 https://fedorahosted.org/389/attachment/ticket/47693/0001-Ticket-47693-Environment-variables-are-not-passed-wh.patch Description: Environment variables (except TERM and LANG) are ignored if a program is started via service. If it is started with systemctl, it takes this COMMAND and the values are correctly passed to the server. systemctl set-environment SLAPD_MXFAST=0 MALLOC_TRIM_THRESHOLD_=4096 To control them explicitly and to provide the same instructions to the service and systemctl, it'd be good to have some variables (SLAPD_MXFAST, MALLOC_TRIM_THRESHOLD_ and MALLOC_MMAP_THRESHOLD_ in this patch) configurable. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review (take 2): [389 Project] #47677: Size returned by slapi_entry_size is not accurate
https://fedorahosted.org/389/ticket/47677 https://fedorahosted.org/389/attachment/ticket/47677/0001-Ticket-47677-Size-returned-by-slapi_entry_size-is-no.2.patch Description: slapi_entry_size calculating the entry size had issues. . To calculate the Slapi_DN size, local function slapi_dn_size was used. slapi_dn_size internally calls slapi_sdn_get_dn and slapi_sdn_get_ndn. The calls generate normalized dn and case lowered normalized dn from raw dn udn if the normalized dn are not stored in Slapi_DN yet. I.e., the get size function allocates extra memory for the normalized dn. Local slapi_dn_size also failed to count the raw dn length. This patch replaces slapi_dn_size with (slapi_sdn_get_size - sizeof(Slapi_DN)). . slapi_entry_size counted Slapi_RDN twice. . slapi_entry_size did not count the size of e_virtual_lock, e_aux_attrs and e_extension. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47608: change slapi_entry_attr_get_bool to handle on/off values, support default value
https://fedorahosted.org/389/ticket/47608 https://fedorahosted.org/389/attachment/ticket/47608/0001-Ticket-47608-change-slapi_entry_attr_get_bool-to-han.patch Description: Adding an API slapi_entry_attr_get_bool_ext, which is an extension of slapi_entry_attr_get_bool. The difference is slapi_entry_attr_get_bool_ext returns the given default value if the type is not found in the entry. Does this satisfy the requirement? -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47602: Make ldbm_back_seq independently support transactions
https://fedorahosted.org/389/ticket/47602 0001-Ticket-47602-Make-ldbm_back_seq-independently-suppor Description: If ldbm_back_seq is called as a child of transaction, it fails to access the on-going transaction data. This patch picks up the parent transaction if any, and it calls dblayer_read_txn_begin with the parent transaction. If the read transaction is aborted by DEADLOCK, it retries. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47700: Unresolved external symbol references break loading of the ACL plugin
https://fedorahosted.org/389/ticket/47700 https://fedorahosted.org/389/attachment/ticket/47700/0001-Ticket-47700-Unresolved-external-symbol-references-b.patch Description of problem by na...@redhat.com: Various functions in the directory server are declared with extern C linkage, causing the compiler to emit references to an unmangled symbol name, but because their definitions don't match the declarations, and the definitions are compiled using the C++ compiler, the implementations are emitted as mangled symbols. Fix description: Adjusted the function declaration to the implementation. Additionally, removed unused macros for ACL_ReadDbMapFile, which had been removed. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47701: Make retro changelog trim interval programmable
https://fedorahosted.org/389/ticket/47701 https://fedorahosted.org/389/attachment/ticket/47701/0001-Ticket-47701-Make-retro-changelog-trim-interval-prog.patch Description: Currently, retro changelog trim interval is hardcoded with 5 minutes. #define CHANGELOGDB_TRIM_INTERVAL 300*1000 /* 5 minutes */ Better have a control on the interval based upon the DS usage -- e.g., if there are no updates, we don't need to call changelog_trim via retrocl_housekeeping every 5 minutes. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
Re: [389-devel] Please review: [389 Project] #47700: Unresolved external symbol references break loading of the ACL plugin
Nalin Dahyabhai wrote: On Mon, Feb 17, 2014 at 01:19:10PM -0800, Noriko Hosoi wrote: https://fedorahosted.org/389/ticket/47700 https://fedorahosted.org/389/attachment/ticket/47700/0001-Ticket-47700-Unresolved-external-symbol-references-b.patch Description of problem by na...@redhat.com: Various functions in the directory server are declared with extern C linkage, causing the compiler to emit references to an unmangled symbol name, but because their definitions don't match the declarations, and the definitions are compiled using the C++ compiler, the implementations are emitted as mangled symbols. Fix description: Adjusted the function declaration to the implementation. I think the second half of the original patch needs to be added back. When I compile master with the proposed fix applied, nm shows that lib/libaccess/.libs/libns_dshttpd_la-aclcache.o references an unmangled INTereport symbol, but lib/base/.libs/libns_dshttpd_la-ereport.o provides it mangled. Thanks, Nalin. Interesting... Could you please attach the errors to the email for me not to make further mistakes? Thanks! --noriko HTH, Nalin -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
Re: [389-devel] Design review: Access control on entries specified in MODDN operation (ticket 47553)
Rich Megginson wrote: On 02/24/2014 09:00 AM, thierry bordaz wrote: Hello, IPA team filed this ticket https://fedorahosted.org/389/ticket/47553. It requires an ACI improvement so that during a MODDN a given user is only allowed to move an entry from one specified part of the DIT to another specified part of the DIT. This without the need to grant the ADD permission. Here is the design of what could be implemented to support this need http://port389.org/wiki/Access_control_on_trees_specified_in_MODDN_operation regards thierry Since this not related to any Red Hat internal or customer information, we should move this discussion to the 389-devel list. Hi Thierry, Your design looks good. A minor question. The doc does not mention about deny. For instance, in your example DIT, can I allow moddn_to and moddn_from on the top dc=example,dc=com and deny them on cn=tests. Then, I can move an entry between cn=accounts and staging, but not to/from cn=tests? Or deny is not supposed to use there? Thanks, --noriko -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47735: e_uniqueid fails to set if an entry is a conflict entry
https://fedorahosted.org/389/ticket/47735 https://fedorahosted.org/389/attachment/ticket/47735/0001-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch Bug Description: When an entry is turned to be a conflict entry, its nsUniqueId has a mdcsn info as a subtype like this: nsUniqueId;mdcsn-5319136f00020001: c5e0d787-a58f11e3-b7f9dfd1-acc3d5e4 In this case, the attribute type is assigned to the berval type as follows: type.bv_val = nsUniqueId;mdcsn-5319136f00020001 type.bv_len = 37 The subtyped stateinfo is processed in str2entry_state_information_from_type, which modifies type.bv_val to nsUniqueId, but type.bv_len remains 37. str2entry_fast has this logic to set e_uniqueid, where the nsUniqueId with stateinfo fails to set the value to e_uniqueid. if ( type.bv_len == 10 && PL_strncasecmp (type.bv_val, "nsUniqueId", type.bv_len) == 0 ){ Fix Description: This patch resets the length of the type with the basetype length 10 before the if expression is called for setting e_uniqueid. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
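The length/value mismatch described in the message above, reduced to a stand-alone model. This is an added example, not the patch or 389-ds-base code: struct berval_ex, strip_state_info and uniqueid_recognized are hypothetical names, and the sample type string is constructed (CSN padded so that it is 37 bytes long, the length the message reports).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Minimal stand-in for a berval: a pointer plus an explicit length. */
struct berval_ex {
    size_t bv_len;
    char *bv_val;
};

#define UNIQUEID_TYPE "nsUniqueId"
#define UNIQUEID_LEN (sizeof(UNIQUEID_TYPE) - 1) /* 10 */

/* Constructed sample: base type plus a state-information subtype. */
const char SAMPLE_TYPE[] = "nsUniqueId;mdcsn-5319136f000200010000";

/*
 * Model of the state-information step: cut the type at the first ';' so
 * that bv_val holds only the base type. With resync_len == 0 the stored
 * length is left stale, as in the bug report; with resync_len == 1 the
 * length is brought back in line with the shortened string.
 */
static void strip_state_info(struct berval_ex *type, int resync_len)
{
    char *semi = memchr(type->bv_val, ';', type->bv_len);
    if (semi == NULL)
        return;
    *semi = '\0';
    if (resync_len)
        type->bv_len = (size_t)(semi - type->bv_val);
}

/* The check from the message: the length must be 10 and the text must match. */
static int is_uniqueid_type(const struct berval_ex *type)
{
    return type->bv_len == UNIQUEID_LEN &&
           strncasecmp(type->bv_val, UNIQUEID_TYPE, type->bv_len) == 0;
}

/*
 * Run one attribute type through both steps. Returns 1 if the type is
 * recognized as nsUniqueId, 0 if not, -1 if it does not fit the buffer.
 * The length seen by the check is stored in *len_out.
 */
int uniqueid_recognized(const char *attr_type, int resync_len, size_t *len_out)
{
    char buf[128];
    struct berval_ex type;
    size_t n = strlen(attr_type);

    if (n >= sizeof(buf))
        return -1;
    memcpy(buf, attr_type, n + 1);
    type.bv_val = buf;
    type.bv_len = n;
    strip_state_info(&type, resync_len);
    if (len_out)
        *len_out = type.bv_len;
    return is_uniqueid_type(&type);
}

int main(void)
{
    size_t len = 0;
    int hit = uniqueid_recognized(SAMPLE_TYPE, 0, &len);
    printf("stale length:    bv_len=%zu recognized=%d\n", len, hit);
    hit = uniqueid_recognized(SAMPLE_TYPE, 1, &len);
    printf("resynced length: bv_len=%zu recognized=%d\n", len, hit);
    return 0;
}
```

With the stale length the conflict entry's nsUniqueId is silently skipped, so any later code that relies on e_uniqueid sees an entry without one.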
[389-devel] Please review (take 2): [389 Project] #47735: e_uniqueid fails to set if an entry is a conflict entry
https://fedorahosted.org/389/attachment/ticket/47735/0001-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.2.patch git patch file (master; take 2) -- merged 2 args into 1 in str2entry_state_information_from_type (Thanks to Rich for his suggestion). Noriko Hosoi wrote: https://fedorahosted.org/389/ticket/47735 https://fedorahosted.org/389/attachment/ticket/47735/0001-Ticket-47735-e_uniqueid-fails-to-set-if-an-entry-is-.patch Bug Description: When an entry is turned to be a conflict entry, its nsUniqueId has a mdcsn info as a subtype like this: nsUniqueId;mdcsn-5319136f00020001: c5e0d787-a58f11e3-b7f9dfd1-acc3d5e4 In this case, the attribute type is assigned to the berval type as follows: type.bv_val = nsUniqueId;mdcsn-5319136f00020001 type.bv_len = 37 The subtyped stateinfo is processed in str2entry_state_information_from_type, which modifies type.bv_val to nsUniqueId, but type.bv_len remains 37. str2entry_fast has this logic to set e_uniqueid, where the nsUniqueId with stateinfo fails to set the value to e_uniqueid. if ( type.bv_len == 10 && PL_strncasecmp (type.bv_val, "nsUniqueId", type.bv_len) == 0 ){ Fix Description: This patch resets the length of the type with the basetype length 10 before the if expression is called for setting e_uniqueid. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47737: Under heavy stress, failure of turning a tombstone into glue makes the server hung
https://fedorahosted.org/389/ticket/47737 https://fedorahosted.org/389/attachment/ticket/47737/0001-Ticket-47737-Under-heavy-stress-failure-of-turning-a.patch Turning a tombstone entry to a glue entry is done in a while loop (create_glue_entry:urp_glue.c) Unless the transformation is successful (or LDAP_NO_SUCH_OBJECT), it cannot exit from the loop. But under a stress, there could be a tombstone and a conflict entry coexist, and do_create_glue_entry keeps returning LDAP_ALREADY_EXISTS. In such a case, we need to give up creating a glue. {{{ [..] NSMMReplicationPlugin - conn=7 op=1939 csn=531a144300070003: Can't created glue entry ou=test,ou=projects,o=bees,ou=organizations,dc=cvsdude,dc=com uniqueid=ee68e001-a62811e3-bc8ab407-12c832a2, error 68 [..] NSMMReplicationPlugin - conn=7 op=1939 csn=531a144300070003: Can't created glue entry ou=test,ou=projects,o=bees,ou=organizations,dc=cvsdude,dc=com uniqueid=ee68e001-a62811e3-bc8ab407-12c832a2, error 68 [..] NSMMReplicationPlugin - conn=7 op=1939 csn=531a144300070003: Can't created glue entry ou=test,ou=projects,o=bees,ou=organizations,dc=cvsdude,dc=com uniqueid=ee68e001-a62811e3-bc8ab407-12c832a2, error 68 [..]
}}} {{{ Thread 32 (Thread 0x7f6ac77fe700 (LWP 24906)): #0 0x7f6ae4e3e74d in fsync () at ../sysdeps/unix/syscall- template.S:81 #1 0x7f6ae5492e8b in pt_Fsync (fd=0x7f6ae81b15c0) at ../../../nspr/pr/src/pthreads/ptio.c:1530 #2 0x7f6ae6e8afe7 in vslapd_log_error (fp=0x7f6ae81b15c0, subsystem=0x7f6adb19ad90 NSMMReplicationPlugin, fmt=0x7f6adb1a6fa0 %s: Can't created glue entry %s uniqueid=%s, error %d\n, ap=0x7f6ac77f7438, locked=1) at ldap/servers/slapd/log.c:1953 #3 0x7f6ae6e8aa52 in slapd_log_error_proc_internal (subsystem=0x7f6adb19ad90 NSMMReplicationPlugin, fmt=0x7f6adb1a6fa0 %s: Can't created glue entry %s uniqueid=%s, error %d\n, ap_err=0x7f6ac77f7420, ap_file=0x7f6ac77f7438) at ldap/servers/slapd/log.c:1809 #4 0x7f6ae6e8b1d5 in slapi_log_error (severity=0, subsystem=0x7f6adb19ad90 NSMMReplicationPlugin, fmt=0x7f6adb1a6fa0 %s: Can't created glue entry %s uniqueid=%s, error %d\n) at ldap/servers/slapd/log.c:1994 #5 0x7f6adb17a6b3 in create_glue_entry (pb=0x7f6aa40b7f90, sessionid=0x7f6ac77f7690 conn=7 op=1939 csn=531a144300070003, dn=0x7f6aa40c6370, uniqueid=0x7f6aa40bee60 ee68e001-a62811e3-bc8ab407-12c832a2, opcsn=0x7f6aa40bee40) at ldap/servers/plugins/replication/urp_glue.c:257 #6 0x7f6adb1791eb in urp_add_resolve_parententry (pb=0x7f6aa40b7f90, sessionid=0x7f6ac77f7690 conn=7 op=1939 csn=531a144300070003, entry=0x7f6aa40badf0, parententry=0x0, opcsn=0x7f6aa40bee40) at ldap/servers/plugins/replication/urp.c:908 #7 0x7f6adb177e29 in urp_add_operation (pb=0x7f6aa40b7f90) at ldap/servers/plugins/replication/urp.c:165 #8 0x7f6adb15ae22 in multimaster_bepreop_add (pb=0x7f6aa40b7f90) at ldap/servers/plugins/replication/repl5_plugins.c:711 #9 0x7f6ae6eade99 in plugin_call_func (list=0x7f6ae830fd90, operation=450, pb=0x7f6aa40b7f90, call_one=0) at ldap/servers/slapd/plugin.c:1453 #10 0x7f6ae6eadd59 in plugin_call_list (list=0x7f6ae830fd90, operation=450, pb=0x7f6aa40b7f90) at ldap/servers/slapd/plugin.c:1415 #11 0x7f6ae6eabfe1 in plugin_call_plugins 
(pb=0x7f6aa40b7f90, whichfunction=450) at ldap/servers/slapd/plugin.c:398 #12 0x7f6adc085696 in ldbm_back_add (pb=0x7f6aa40b7f90) at ldap/servers/slapd/back-ldbm/ldbm_add.c:257 #13 0x7f6ae6e478aa in op_shared_add (pb=0x7f6aa40b7f90) at ldap/servers/slapd/add.c:681 #14 0x7f6ae6e468b4 in do_add (pb=0x7f6aa40b7f90) at ldap/servers/slapd/add.c:258 #15 0x7f6ae7379935 in connection_dispatch_operation (conn=0x7f6ae71e3f48, op=0x7f6aa40b6330, pb=0x7f6aa40b7f90) at ldap/servers/slapd/connection.c:579 #16 0x7f6ae737b32c in connection_threadmain () at ldap/servers/slapd/connection.c:2339 #17 0x7f6ae5494c86 in _pt_root (arg=0x7f6ae84eb130) at ../../../nspr/pr/src/pthreads/ptthread.c:204 #18 0x7f6ae4e37d15 in start_thread (arg=0x7f6ac77fe700) at pthread_create.c:308 #19 0x7f6ae495453d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:114 }}} -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review: [389 Project] #47748: Simultaneous adding a user and binding as the user could fail in the password policy check
https://fedorahosted.org/389/ticket/47748 https://fedorahosted.org/389/attachment/ticket/47748/0001-Ticket-47748-Simultaneous-adding-a-user-and-binding-.patch 389 Project wrote: Comment: Bug description: In do_bind, bind_target_entry is retrieved from the DB or the entry cache. There was a small window that the entry failed to retrieve from there but the bind procedure in the backend (be_bind) succeeds. In the case, NULL bind_target_entry is passed to the Password Policy check and it fails. Fix description: If be_bind returns SUCCESS and bind_target_entry is NULL, retrieve bind_target_entry again, which is guaranteed since the entry was retrieved in the backend and placed in the entry cache. -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
[389-devel] Please review (take 2): [389 Project] #47748: Simultaneous adding a user and binding as the user could fail in the password policy check
https://fedorahosted.org/389/ticket/47748 https://fedorahosted.org/389/attachment/ticket/47748/0001-Ticket-47748-Simultaneous-adding-a-user-and-binding-.2.patch git patch file (master; take 2) -- fixed mistakes in the previous patch (Thanks, Rich!!) Thanks, --noriko -- 389-devel mailing list 389-devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-devel
Re: [389-devel] [389-users] git repo / tarball issues
Hello,

(I'm switching from 389-users to 389-devel list for people who could be more interested in...)

Rich Megginson wrote:
On 04/03/2014 07:06 AM, Timo Aaltonen wrote:

Hi

It's me again :)

1) 389-ds-console 1.2.7 has no tarball though it was tagged for release in Sep'12

You can download the tar ball from here now.
http://port389.org/sources/389-ds-console-1.2.7.tar.bz2

2) 389-adminutil 1.1.20 is not tagged in git

Looks like it is, according to https://git.fedorahosted.org/cgit/389/adminutil.git/

Rich, I cannot see the tag, either... *puzzled*

    $ git pull
    Already up-to-date.
    $ git tag -l | egrep 389-adminutil
    389-adminutil-1.1.10
    389-adminutil-1.1.11
    389-adminutil-1.1.12
    389-adminutil-1.1.13
    389-adminutil-1.1.14
    389-adminutil-1.1.15
    389-adminutil-1.1.16
    389-adminutil-1.1.17
    389-adminutil-1.1.18
    389-adminutil-1.1.19
    389-adminutil-1.1.8
    389-adminutil-1.1.9

although indeed this page https://git.fedorahosted.org/cgit/389/adminutil.git/ shows it is...

Timo, you could download the zip file/tar ball that has the tag from here. So, you have no problem to continue your task?

Tag:
    389-adminutil-1.1.20 https://git.fedorahosted.org/cgit/389/adminutil.git/tag/?id=389-adminutil-1.1.20
Download:
    adminutil-389-adminutil-1.1.20.zip https://git.fedorahosted.org/cgit/389/adminutil.git/snapshot/adminutil-389-adminutil-1.1.20.zip
    adminutil-389-adminutil-1.1.20.tar.gz https://git.fedorahosted.org/cgit/389/adminutil.git/snapshot/adminutil-389-adminutil-1.1.20.tar.gz
    adminutil-389-adminutil-1.1.20.tar.xz https://git.fedorahosted.org/cgit/389/adminutil.git/snapshot/adminutil-389-adminutil-1.1.20.tar.xz

3) 389-ds-base repo seems to be in limbo, since 1.3.2 branch doesn't have the latest release, which itself was just 1.3.2.13+ one patch, so doesn't contain changes from .14 and .15. So which one am I supposed to push to the distro?

389-ds-base-1.3.2.16 is a security fix only release. It's branched from the stable build (1.3.2.13) and it has only the fix. The 389-ds-base-1.3.2.16 tag is on the 389-ds-base-1.3.2-CVE-2014-0132 branch. Once we finish more testing, we are going back to the normal branch 389-ds-base-1.3.2. Sorry about this confusion.

Thanks,
--noriko

--
389-devel mailing list
389-devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-devel
Re: [389-devel] [389-users] git repo / tarball issues
Hi Timo,

Timo Aaltonen wrote:

1) 389-ds-console 1.2.7 has no tarball though it was tagged for release in Sep'12

You can download the tar ball from here now.
http://port389.org/sources/389-ds-console-1.2.7.tar.bz2

Cool, thanks. It's a broken tarball though, you forgot '/' after the version..

Sorry. I've fixed it... Could you please try it, one more time?

    tar tvjf 389-ds-console-1.2.7.tar.bz2
    drwxrwxr-x root/root 0 2012-09-17 13:03 389-ds-console-1.2.7/
    -rw-rw-r-- root/root 35 2012-09-17 13:03 389-ds-console-1.2.7/.gitignore
    -rw-rw-r-- root/root 4628 2012-09-17 13:03 389-ds-console-1.2.7/389-ds-console.spec
    -rw-rw-r-- root/root 12279 2012-09-17 13:03 389-ds-console-1.2.7/LICENSE
    -rwxrwxr-x root/root 1002 2012-09-17 13:03 389-ds-console-1.2.7/build.properties

Also, you still need some way to fix the process of how these links get to the webpage too :)

Yeah, that's what I thought, too. I searched an existing page on http://directory.fedoraproject.org, but I could not find it. Rich, could there be a good place to put the link(s)?

2) 389-adminutil 1.1.20 is not tagged in git

Looks like it is, according to https://git.fedorahosted.org/cgit/389/adminutil.git/

Rich, I cannot see the tag, either... *puzzled*

    $ git pull
    Already up-to-date.
    $ git tag -l | egrep 389-adminutil
    389-adminutil-1.1.10
    389-adminutil-1.1.11
    389-adminutil-1.1.12
    389-adminutil-1.1.13
    389-adminutil-1.1.14
    389-adminutil-1.1.15
    389-adminutil-1.1.16
    389-adminutil-1.1.17
    389-adminutil-1.1.18
    389-adminutil-1.1.19
    389-adminutil-1.1.8
    389-adminutil-1.1.9

although indeed this page https://git.fedorahosted.org/cgit/389/adminutil.git/ shows it is...

Timo, you could download the zip file/tar ball that has the tag from here. So, you have no problem to continue your task?

I've used the release tarball and packaging is on 9b3cfced24ffe6e6e from master, so I'm good.. just wondered why the tag wasn't there but it was.

3) 389-ds-base repo seems to be in limbo, since 1.3.2 branch doesn't have the latest release, which itself was just 1.3.2.13+ one patch, so doesn't contain changes from .14 and .15. So which one am I supposed to push to the distro?

389-ds-base-1.3.2.16 is a security fix only release. It's branched from the stable build (1.3.2.13) and it has only the fix. The 389-ds-base-1.3.2.16 tag is on the 389-ds-base-1.3.2-CVE-2014-0132 branch. Once we finish more testing, we are going back to the normal branch 389-ds-base-1.3.2. Sorry about this confusion.

ahh ok, I'll just rebase on .16 then. Now I see that you have a separate 389-announce list where only the stable releases get announced.. maybe send those to 389-users too?

All right. I will do so from the next time. Thanks for your suggestion!

--noriko
Re: [389-devel] [389-users] git repo / tarball issues
Timo Aaltonen wrote:

you probably mean this? http://directory.fedoraproject.org/wiki/Source

Ah, I see. I haven't updated the page, done just release notes... Let me clean it up to adjust the current versions.

Thanks, again!
--noriko
[389-devel] Please review: [389 Project] #346: Slow ldapmodify operation time for large quantities of multi-valued attribute values
https://fedorahosted.org/389/ticket/346
https://fedorahosted.org/389/attachment/ticket/346/0001-Ticket-346-Slow-ldapmodify-operation-time-for-large-.2.patch
[389-devel] Please review (revised): [389 Project] #346: Slow ldapmodify operation time for large quantities of multi-valued attribute values
https://fedorahosted.org/389/ticket/346
https://fedorahosted.org/389/attachment/ticket/346/0001-Ticket-346-Slow-ldapmodify-operation-time-for-large-.3.patch

389 Project wrote:

#346: Slow ldapmodify operation time for large quantities of multi-valued attribute values

    Reporter:         beall
    Owner:            lkrispen
    Type:             enhancement
    Status:           reopened
    Priority:         major
    Milestone:        1.2.11.30
    Component:        Database - Performance
    Version:          1.2.9.9
    Resolution:
    Keywords:         ldapmodify, performance, uniqueMember, multi-valued attribute
    Blocked By:
    Blocking:
    Review:           ack
    Ticket origin:    Community
    Red Hat Bugzilla: [https://bugzilla.redhat.com/show_bug.cgi?id=1028344 1028344]
                      [https://bugzilla.redhat.com/show_bug.cgi?id=839344 839344]

Comment (by nhosoi):

Replying to [comment:73 rmeggins]:
> why not use slapi_berval_cmp()?

You are right, Rich! They are almost identical... :p Let me update the patch and rerun the test...
[389-devel] Please review (389-ds-base-1.2.11 branch): [389 Project] #47750: Creating a glue fails if one above level is a conflict or missing
https://fedorahosted.org/389/ticket/47750
https://fedorahosted.org/389/ticket/47696
https://fedorahosted.org/389/attachment/ticket/47750/0001-Ticket-47750-Creating-a-glue-fails-if-one-above-leve.3.patch
[389-devel] Please review: [389 Project] #47750: Creating a glue fails if one above level is a conflict or missing
389-ds-base-1.2.11 patch (full)
https://fedorahosted.org/389/attachment/ticket/47750/0001-Ticket-47750-Creating-a-glue-fails-if-one-above-leve.4.patch
git patch file (389-ds-base-1.2.11) -- merged patch 3 and the diff

389-ds-base-1.2.11 patch (diff from the previous patch 3)
https://fedorahosted.org/389/attachment/ticket/47750/diffs.txt.1.2.11

master (full)
https://fedorahosted.org/389/attachment/ticket/47750/0001-Ticket-47750-Creating-a-glue-fails-if-one-above-leve.5.patch
[389-devel] Please review: [389 Project] #47764: Problem with deletion while replicated
https://fedorahosted.org/389/ticket/47764
https://fedorahosted.org/389/attachment/ticket/47764/0001-Ticket-47764-Problem-with-deletion-while-replicated.patch

Bug description: When checking a child entry on a node, it only checked the first position, which was normally deleted if there were no more children. But in some cases, a tombstoned child was placed there. If it occurred, even though there were no live child any more, _entryrdn_delete_key returned has children and the delete operation failed.

Fix description: This patch checks all the children of the to-be-deleted node and if there is no child or all of them are tombstones, it goes to the next process. Also, fixed a typo reported by chatfield (Thank you!!)
[389-devel] Please review: [389 Project] #47780: Some VLV search request causes memory leaks
https://fedorahosted.org/389/ticket/47780
https://fedorahosted.org/389/attachment/ticket/47780/0001-Ticket-47780-Some-VLV-search-request-causes-memory-l.patch

Fix description:

. Modified idl_free interface as follows so that passed idl is cleared with NULL once the IDList is successfully freed.
{{{ -idl_free(IDList *idl) +idl_free(IDList **idl) }}}
This change is used to clean up search candidates when ldbm_back_search_cleanup (ldbm_search.c) is called as an error return. The cleanup function frees the search candidates when it's not NULL and it's not assigned to sr_candidates field in the search result. This fixes a memory leak when VLV/Sort op fails.

. ldbm_back_search_cleanup (ldbm_search.c) calls slapi_send_ldap_result if an ldap error is passed to the function. The logic used to be if (ldap_result=LDAP_SUCCESS), which is based upon that mozldap return codes are all positive. Supporting openldap library, there is a chance to get a negative return code (e.g. LDAP_PARAM_ERROR == -9). This patch supports the negative return codes, as well.

. In ldbm_back_search (ldbm_search.c) vlv_filter_candidates could return errors such as and LDAP_TIMELIMIT_EXCEEDED, LDAP_ADMINLIMIT_EXCEEDED. The search results are supposed to be returned to the client with the error code if the control is not critical. The code is added.

. The VLV operation stores the result in vlv_response_control.result in ldbm_back_search (ldbm_search.c), which occurs at 3 places, vlv_filter_candidates, sort_candidates and vlv_trim_candidates_txn. The return code from the latter calls used to override the former return code. This patch fixes it to respect the former return code.
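The free-and-clear interface and the error-path cleanup described in the message above, modeled as an added C example; it is not code from the patch or from 389-ds-base. The `demo_*` functions, the `RC_*` codes and the simplified `IDList` and `SearchResult` types are assumptions made for illustration.

```c
#include <stdlib.h>

/* Simplified stand-ins (assumptions), not the 389-ds-base definitions. */
typedef struct { size_t nids; unsigned ids[8]; } IDList;
typedef struct { IDList *sr_candidates; } SearchResult;

#define RC_SUCCESS       0    /* plays the role of LDAP_SUCCESS */
#define RC_PARAM_ERROR (-9)   /* negative, like LDAP_PARAM_ERROR == -9 */

static int live_lists = 0;    /* outstanding allocations: 0 means no leak */

static IDList *demo_idl_alloc(void) {
    IDList *idl = calloc(1, sizeof(*idl));
    if (idl != NULL) live_lists++;
    return idl;
}

/* Takes IDList ** so the caller's pointer is cleared once the list is freed;
 * a repeated call then sees NULL and does nothing instead of freeing twice. */
static void demo_idl_free(IDList **idl) {
    if (idl == NULL || *idl == NULL) return;
    free(*idl);
    *idl = NULL;
    live_lists--;
}

/* Error-return cleanup: free the candidates only while this path still owns
 * them (not stored in the search result), and report any non-success code;
 * a "greater than zero" test would miss negative codes. */
static int demo_search_cleanup(SearchResult *sr, IDList **candidates, int rc) {
    if (*candidates != NULL && sr->sr_candidates != *candidates)
        demo_idl_free(candidates);
    return rc != RC_SUCCESS;   /* 1 = an error result goes to the client */
}

/* Runs one search that ends with rc; returns the number of leaked lists. */
static int run_search(int rc, int handed_off) {
    SearchResult sr = { NULL };
    IDList *cand = demo_idl_alloc();
    if (cand == NULL) return -1;
    if (handed_off) sr.sr_candidates = cand;   /* result now owns the list */
    demo_search_cleanup(&sr, &cand, rc);
    demo_search_cleanup(&sr, &cand, rc);       /* second pass must be harmless */
    demo_idl_free(&sr.sr_candidates);          /* the result's owner releases it */
    return live_lists;
}

int main(void) {
    return run_search(RC_PARAM_ERROR, 0) + run_search(RC_SUCCESS, 1);
}
```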
[389-devel] Please review: [389 Project] #47804: db2bak.pl error with changelogdb
https://fedorahosted.org/389/ticket/47804
https://fedorahosted.org/389/attachment/ticket/47804/0001-Ticket-47804-db2bak.pl-error-with-changelogdb.patch

Bug description: Backup utility db2bak[.pl] copies not just backend db files but also changelog db files, which are not associated with the backend instance, but the backup code blindly expected it.

Fix description: If the copying directory is a changelog db dir, skip retrieving the backend instance info and just copy the files underneath.