[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'master'

Timo Aaltonen tjaalton at moszumanska.debian.org
Thu Apr 2 11:57:02 UTC 2015


 Makefile.am                                                       |   14 
 VERSION.sh                                                        |    2 
 debian/changelog                                                  |    7 
 debian/patches/cve-2014-8105.diff                                 |  116 
 debian/patches/cve-2014-8112.diff                                 |  115 
 debian/patches/series                                             |    3 
 dirsrvtests/create_test.py                                        |  577 ++
 dirsrvtests/data/basic/dse.ldif.broken                            |   95 
 dirsrvtests/data/ticket47953/ticket47953.ldif                     |   27 
 dirsrvtests/data/ticket47988/schema_ipa3.3.tar.gz                 |binary
 dirsrvtests/data/ticket47988/schema_ipa4.1.tar.gz                 |binary
 dirsrvtests/suites/acct_usability_plugin/acct_usability_test.py   |   85 
 dirsrvtests/suites/acctpolicy_plugin/acctpolicy_test.py           |   85 
 dirsrvtests/suites/acl/acl_test.py                                |   85 
 dirsrvtests/suites/attr_encryption/attr_encrypt_test.py           |   85 
 dirsrvtests/suites/attr_uniqueness_plugin/attr_uniqueness_test.py |  237 +
 dirsrvtests/suites/automember_plugin/automember_test.py           |   85 
 dirsrvtests/suites/basic/basic_test.py                            |  695 ++
 dirsrvtests/suites/betxns/betxn_test.py                           |  187 
 dirsrvtests/suites/chaining_plugin/chaining_test.py               |   85 
 dirsrvtests/suites/clu/clu_test.py                                |  107 
 dirsrvtests/suites/clu/db2ldif_test.py                            |   84 
 dirsrvtests/suites/collation_plugin/collatation_test.py           |   85 
 dirsrvtests/suites/config/config_test.py                          |  189 
 dirsrvtests/suites/cos_plugin/cos_test.py                         |   85 
 dirsrvtests/suites/deref_plugin/deref_test.py                     |   85 
 dirsrvtests/suites/disk_monitoring/disk_monitor_test.py           |   85 
 dirsrvtests/suites/distrib_plugin/distrib_test.py                 |   85 
 dirsrvtests/suites/dna_plugin/dna_test.py                         |   85 
 dirsrvtests/suites/ds_logs/ds_logs_test.py                        |   85 
 dirsrvtests/suites/dynamic-plugins/constants.py                   |   33 
 dirsrvtests/suites/dynamic-plugins/finalizer.py                   |   57 
 dirsrvtests/suites/dynamic-plugins/plugin_tests.py                | 2318 ++++++++++
 dirsrvtests/suites/dynamic-plugins/stress_tests.py                |  141 
 dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py        |  534 ++
 dirsrvtests/suites/filter/filter_test.py                          |  144 
 dirsrvtests/suites/get_effective_rights/ger_test.py               |   85 
 dirsrvtests/suites/ldapi/ldapi_test.py                            |   85 
 dirsrvtests/suites/linkedattrs_plugin/linked_attrs_test.py        |   85 
 dirsrvtests/suites/mapping_tree/mapping_tree_test.py              |   85 
 dirsrvtests/suites/memberof_plugin/memberof_test.py               |   85 
 dirsrvtests/suites/memory_leaks/range_search_test.py              |  145 
 dirsrvtests/suites/mep_plugin/mep_test.py                         |   85 
 dirsrvtests/suites/monitor/monitor_test.py                        |   85 
 dirsrvtests/suites/paged_results/paged_results_test.py            |   85 
 dirsrvtests/suites/pam_passthru_plugin/pam_test.py                |   85 
 dirsrvtests/suites/passthru_plugin/passthru_test.py               |   85 
 dirsrvtests/suites/password/password_test.py                      |  135 
 dirsrvtests/suites/password/pwdAdmin_test.py                      |  439 +
 dirsrvtests/suites/password/pwdPolicy_test.py                     |   74 
 dirsrvtests/suites/posix_winsync_plugin/posix_winsync_test.py     |   85 
 dirsrvtests/suites/psearch/psearch_test.py                        |   85 
 dirsrvtests/suites/referint_plugin/referint_test.py               |   85 
 dirsrvtests/suites/replication/cleanallruv_test.py                | 1486 ++++++
 dirsrvtests/suites/replsync_plugin/repl_sync_test.py              |   85 
 dirsrvtests/suites/resource_limits/res_limits_test.py             |   85 
 dirsrvtests/suites/retrocl_plugin/retrocl_test.py                 |   85 
 dirsrvtests/suites/reverpwd_plugin/reverpwd_test.py               |   85 
 dirsrvtests/suites/roles_plugin/roles_test.py                     |   85 
 dirsrvtests/suites/rootdn_plugin/rootdn_plugin_test.py            |  770 +++
 dirsrvtests/suites/sasl/sasl_test.py                              |   85 
 dirsrvtests/suites/schema/test_schema.py                          |   63 
 dirsrvtests/suites/schema_reload_plugin/schema_reload_test.py     |   85 
 dirsrvtests/suites/snmp/snmp_test.py                              |   85 
 dirsrvtests/suites/ssl/ssl_test.py                                |   85 
 dirsrvtests/suites/syntax_plugin/syntax_test.py                   |   85 
 dirsrvtests/suites/usn_plugin/usn_test.py                         |   85 
 dirsrvtests/suites/views_plugin/views_test.py                     |   85 
 dirsrvtests/suites/vlv/vlv_test.py                                |   85 
 dirsrvtests/suites/whoami_plugin/whoami_test.py                   |   85 
 dirsrvtests/tickets/ticket365_test.py                             |  161 
 dirsrvtests/tickets/ticket47384_test.py                           |  159 
 dirsrvtests/tickets/ticket47431_test.py                           |  251 +
 dirsrvtests/tickets/ticket47462_test.py                           |  452 +
 dirsrvtests/tickets/ticket47553_ger.py                            |  553 ++
 dirsrvtests/tickets/ticket47560_test.py                           |    2 
 dirsrvtests/tickets/ticket47828_test.py                           |  721 +++
 dirsrvtests/tickets/ticket47838_test.py                           |  165 
 dirsrvtests/tickets/ticket47937_test.py                           |  237 +
 dirsrvtests/tickets/ticket47950_test.py                           |  273 +
 dirsrvtests/tickets/ticket47953_test.py                           |  120 
 dirsrvtests/tickets/ticket47963_test.py                           |  191 
 dirsrvtests/tickets/ticket47970_test.py                           |  206 
 dirsrvtests/tickets/ticket47973_test.py                           |  235 +
 dirsrvtests/tickets/ticket47980_test.py                           |  710 +++
 dirsrvtests/tickets/ticket47981_test.py                           |  345 +
 dirsrvtests/tickets/ticket47988_test.py                           |  576 ++
 dirsrvtests/tickets/ticket48005_test.py                           |  407 +
 dirsrvtests/tickets/ticket48109_test.py                           |  386 +
 ldap/admin/src/logconv.pl                                         |   69 
 ldap/admin/src/scripts/50AES-pbe-plugin.ldif                      |   16 
 ldap/admin/src/scripts/52updateAESplugin.pl                       |   84 
 ldap/admin/src/scripts/60upgradeconfigfiles.pl                    |    2 
 ldap/ldif/50replication-plugins.ldif                              |    2 
 ldap/ldif/template-dse.ldif.in                                    |   16 
 ldap/schema/01core389.ldif                                        |    7 
 ldap/schema/10dna-plugin.ldif                                     |    8 
 ldap/servers/plugins/acctpolicy/acct_config.c                     |    8 
 ldap/servers/plugins/acctpolicy/acct_init.c                       |   99 
 ldap/servers/plugins/acctpolicy/acct_plugin.c                     |  178 
 ldap/servers/plugins/acctpolicy/acct_util.c                       |   19 
 ldap/servers/plugins/acctpolicy/acctpolicy.h                      |   25 
 ldap/servers/plugins/acl/acl.c                                    |   51 
 ldap/servers/plugins/acl/acl_ext.c                                |   52 
 ldap/servers/plugins/acl/aclanom.c                                |   68 
 ldap/servers/plugins/acl/acleffectiverights.c                     |   67 
 ldap/servers/plugins/acl/acllas.c                                 |   73 
 ldap/servers/plugins/acl/aclparse.c                               |    8 
 ldap/servers/plugins/acl/aclutil.c                                |    6 
 ldap/servers/plugins/automember/automember.c                      |   82 
 ldap/servers/plugins/chainingdb/cb_bind.c                         |   18 
 ldap/servers/plugins/chainingdb/cb_compare.c                      |    7 
 ldap/servers/plugins/chainingdb/cb_conn_stateless.c               |    1 
 ldap/servers/plugins/chainingdb/cb_delete.c                       |    5 
 ldap/servers/plugins/chainingdb/cb_modify.c                       |    4 
 ldap/servers/plugins/chainingdb/cb_modrdn.c                       |    5 
 ldap/servers/plugins/chainingdb/cb_search.c                       |    4 
 ldap/servers/plugins/chainingdb/cb_utils.c                        |   30 
 ldap/servers/plugins/cos/cos_cache.c                              |   76 
 ldap/servers/plugins/deref/deref.c                                |    2 
 ldap/servers/plugins/dna/dna.c                                    |  129 
 ldap/servers/plugins/linkedattrs/fixup_task.c                     |   44 
 ldap/servers/plugins/linkedattrs/linked_attrs.c                   |    2 
 ldap/servers/plugins/memberof/memberof.c                          |  121 
 ldap/servers/plugins/memberof/memberof.h                          |    5 
 ldap/servers/plugins/memberof/memberof_config.c                   |  223 
 ldap/servers/plugins/pam_passthru/pam_ptpreop.c                   |    6 
 ldap/servers/plugins/posix-winsync/posix-group-task.c             |   40 
 ldap/servers/plugins/posix-winsync/posix-winsync-config.c         |    1 
 ldap/servers/plugins/posix-winsync/posix-winsync.c                |   12 
 ldap/servers/plugins/referint/referint.c                          |   32 
 ldap/servers/plugins/replication/cl5.h                            |    4 
 ldap/servers/plugins/replication/cl5_api.c                        |    5 
 ldap/servers/plugins/replication/cl5_api.h                        |    1 
 ldap/servers/plugins/replication/cl5_clcache.c                    |    3 
 ldap/servers/plugins/replication/cl5_config.c                     |  103 
 ldap/servers/plugins/replication/repl5.h                          |   26 
 ldap/servers/plugins/replication/repl5_agmt.c                     |  277 -
 ldap/servers/plugins/replication/repl5_agmtlist.c                 |   42 
 ldap/servers/plugins/replication/repl5_connection.c               |  211 
 ldap/servers/plugins/replication/repl5_inc_protocol.c             |   52 
 ldap/servers/plugins/replication/repl5_init.c                     |    2 
 ldap/servers/plugins/replication/repl5_plugins.c                  |   67 
 ldap/servers/plugins/replication/repl5_prot_private.h             |    2 
 ldap/servers/plugins/replication/repl5_protocol.c                 |    2 
 ldap/servers/plugins/replication/repl5_replica.c                  |   28 
 ldap/servers/plugins/replication/repl5_replica_config.c           |   61 
 ldap/servers/plugins/replication/repl5_ruv.c                      |    1 
 ldap/servers/plugins/replication/repl5_tot_protocol.c             |   87 
 ldap/servers/plugins/replication/repl5_total.c                    |    4 
 ldap/servers/plugins/replication/repl_bind.c                      |    2 
 ldap/servers/plugins/replication/repl_connext.c                   |   20 
 ldap/servers/plugins/replication/repl_extop.c                     |   30 
 ldap/servers/plugins/replication/repl_globals.c                   |    3 
 ldap/servers/plugins/replication/repl_ops.c                       |   15 
 ldap/servers/plugins/replication/windows_connection.c             |    6 
 ldap/servers/plugins/replication/windows_inc_protocol.c           |   89 
 ldap/servers/plugins/replication/windows_private.c                |    2 
 ldap/servers/plugins/replication/windows_protocol_util.c          |    8 
 ldap/servers/plugins/replication/windows_tot_protocol.c           |   12 
 ldap/servers/plugins/retrocl/retrocl.c                            |   67 
 ldap/servers/plugins/retrocl/retrocl_create.c                     |    4 
 ldap/servers/plugins/retrocl/retrocl_po.c                         |   12 
 ldap/servers/plugins/rever/des.c                                  |  551 --
 ldap/servers/plugins/rever/pbe.c                                  |  621 ++
 ldap/servers/plugins/rever/rever.c                                |  116 
 ldap/servers/plugins/rever/rever.h                                |   11 
 ldap/servers/plugins/roles/roles_cache.c                          |   22 
 ldap/servers/plugins/rootdn_access/rootdn_access.c                |  159 
 ldap/servers/plugins/schema_reload/schema_reload.c                |   34 
 ldap/servers/plugins/sync/sync.h                                  |   11 
 ldap/servers/plugins/sync/sync_persist.c                          |   20 
 ldap/servers/plugins/sync/sync_refresh.c                          |   32 
 ldap/servers/plugins/sync/sync_util.c                             |   99 
 ldap/servers/plugins/syntaxes/validate_task.c                     |   46 
 ldap/servers/plugins/uiduniq/7bit.c                               |   12 
 ldap/servers/plugins/uiduniq/uid.c                                |   63 
 ldap/servers/plugins/usn/usn.c                                    |   20 
 ldap/servers/plugins/usn/usn.h                                    |    1 
 ldap/servers/plugins/usn/usn_cleanup.c                            |   66 
 ldap/servers/slapd/abandon.c                                      |    8 
 ldap/servers/slapd/add.c                                          |    8 
 ldap/servers/slapd/attr.c                                         |    8 
 ldap/servers/slapd/attrsyntax.c                                   |  282 -
 ldap/servers/slapd/auth.c                                         |   91 
 ldap/servers/slapd/back-ldbm/dblayer.c                            |   61 
 ldap/servers/slapd/back-ldbm/dblayer.h                            |    2 
 ldap/servers/slapd/back-ldbm/filterindex.c                        |    7 
 ldap/servers/slapd/back-ldbm/import-merge.c                       |    4 
 ldap/servers/slapd/back-ldbm/import-threads.c                     |   18 
 ldap/servers/slapd/back-ldbm/import.c                             |   11 
 ldap/servers/slapd/back-ldbm/ldbm_attr.c                          |   82 
 ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c                     |    7 
 ldap/servers/slapd/back-ldbm/ldbm_bind.c                          |    2 
 ldap/servers/slapd/back-ldbm/ldbm_config.c                        |    7 
 ldap/servers/slapd/back-ldbm/ldbm_delete.c                        |   14 
 ldap/servers/slapd/back-ldbm/ldbm_modrdn.c                        |    4 
 ldap/servers/slapd/back-ldbm/ldbm_search.c                        |   29 
 ldap/servers/slapd/back-ldbm/ldif2ldbm.c                          |    2 
 ldap/servers/slapd/back-ldbm/matchrule.c                          |   10 
 ldap/servers/slapd/back-ldbm/misc.c                               |    6 
 ldap/servers/slapd/back-ldbm/monitor.c                            |   10 
 ldap/servers/slapd/back-ldif/bind.c                               |    4 
 ldap/servers/slapd/backend.c                                      |   29 
 ldap/servers/slapd/bind.c                                         |   16 
 ldap/servers/slapd/compare.c                                      |    2 
 ldap/servers/slapd/configdse.c                                    |    8 
 ldap/servers/slapd/connection.c                                   |   24 
 ldap/servers/slapd/conntable.c                                    |   10 
 ldap/servers/slapd/control.c                                      |    2 
 ldap/servers/slapd/daemon.c                                       |  248 +
 ldap/servers/slapd/defbackend.c                                   |    3 
 ldap/servers/slapd/delete.c                                       |    2 
 ldap/servers/slapd/dse.c                                          |  157 
 ldap/servers/slapd/entry.c                                        |    4 
 ldap/servers/slapd/entrywsi.c                                     |   13 
 ldap/servers/slapd/extendop.c                                     |    6 
 ldap/servers/slapd/fedse.c                                        |   43 
 ldap/servers/slapd/filter.c                                       |   24 
 ldap/servers/slapd/libglobs.c                                     |   72 
 ldap/servers/slapd/log.c                                          |    6 
 ldap/servers/slapd/main.c                                         |    1 
 ldap/servers/slapd/mapping_tree.c                                 |   12 
 ldap/servers/slapd/modify.c                                       |   51 
 ldap/servers/slapd/modrdn.c                                       |    6 
 ldap/servers/slapd/monitor.c                                      |    8 
 ldap/servers/slapd/operation.c                                    |    4 
 ldap/servers/slapd/opshared.c                                     |   21 
 ldap/servers/slapd/pblock.c                                       |    4 
 ldap/servers/slapd/plugin.c                                       |  259 -
 ldap/servers/slapd/plugin_syntax.c                                |   22 
 ldap/servers/slapd/proto-slap.h                                   |   19 
 ldap/servers/slapd/psearch.c                                      |   10 
 ldap/servers/slapd/pw.c                                           |  181 
 ldap/servers/slapd/pw.h                                           |    2 
 ldap/servers/slapd/result.c                                       |   33 
 ldap/servers/slapd/sasl_io.c                                      |   12 
 ldap/servers/slapd/saslbind.c                                     |   14 
 ldap/servers/slapd/schema.c                                       |  428 +
 ldap/servers/slapd/search.c                                       |    2 
 ldap/servers/slapd/security_wrappers.c                            |    6 
 ldap/servers/slapd/slap.h                                         |   12 
 ldap/servers/slapd/slapi-plugin.h                                 |   38 
 ldap/servers/slapd/slapi-private.h                                |   23 
 ldap/servers/slapd/slapi2nspr.c                                   |   14 
 ldap/servers/slapd/snmp_collator.c                                |    2 
 ldap/servers/slapd/ssl.c                                          |  513 +-
 ldap/servers/slapd/task.c                                         |   72 
 ldap/servers/slapd/thread_data.c                                  |   29 
 ldap/servers/slapd/tools/dbscan.c                                 |    2 
 ldap/servers/slapd/tools/ldclt/ldapfct.c                          |   31 
 ldap/servers/slapd/tools/mmldif.c                                 |   12 
 ldap/servers/slapd/tools/rsearch/nametable.c                      |    1 
 ldap/servers/slapd/unbind.c                                       |    6 
 rpm/389-ds-base.spec.in                                           |   37 
 wrappers/systemd.template.service.in                              |    1 
 256 files changed, 23756 insertions(+), 2661 deletions(-)

New commits:
commit 3b69fdffa1a4624acbb3c142f2fbb0e65a73969f
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Thu Apr 2 14:47:39 2015 +0300

    releasing package 389-ds-base version 1.3.3.9-1

diff --git a/debian/changelog b/debian/changelog
index 7701267..c35120c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,9 @@
-389-ds-base (1.3.3.9-1) UNRELEASED; urgency=medium
+389-ds-base (1.3.3.9-1) experimental; urgency=medium
 
   * New upstream bugfix release.
     - Drop cve-2014-8*.diff, upstream.
 
- -- Timo Aaltonen <tjaalton at debian.org>  Thu, 02 Apr 2015 14:27:55 +0300
+ -- Timo Aaltonen <tjaalton at debian.org>  Thu, 02 Apr 2015 14:47:20 +0300
 
 389-ds-base (1.3.3.5-4) unstable; urgency=medium
 

commit 32279df838075b3af0052ab2fef5aae02d54c969
Author: Timo Aaltonen <tjaalton at debian.org>
Date:   Thu Apr 2 14:35:39 2015 +0300

    update the changelog, drop upstream patches

diff --git a/debian/changelog b/debian/changelog
index ce6baa0..7701267 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+389-ds-base (1.3.3.9-1) UNRELEASED; urgency=medium
+
+  * New upstream bugfix release.
+    - Drop cve-2014-8*.diff, upstream.
+
+ -- Timo Aaltonen <tjaalton at debian.org>  Thu, 02 Apr 2015 14:27:55 +0300
+
 389-ds-base (1.3.3.5-4) unstable; urgency=medium
 
   * Security fixes (Closes: #779909)
diff --git a/debian/patches/cve-2014-8105.diff b/debian/patches/cve-2014-8105.diff
deleted file mode 100644
index 3fe13fe..0000000
--- a/debian/patches/cve-2014-8105.diff
+++ /dev/null
@@ -1,116 +0,0 @@
-commit 74e80db8380a4606e07672dfb5e3f7d403efe150
-Author: Mark Reynolds <mreynolds at redhat.com>
-Date:   Tue Dec 16 16:53:07 2014 -0500
-
-    Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
-    
-    Fix for CVE-2014-8105
-    
-    Description:  At server startup check for the Retro Changelog default ACI
-                  on cn=changelog, if present delete it.
-    
-    Reviewed by: lkrispenz(Thanks!)
-    
-    (cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
-    (cherry picked from commit 29652118e2ae17ca98c1934af5109f1ac87d94ae)
-
-diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
-index 0d2a6dc..8a0f350 100644
---- a/ldap/servers/plugins/retrocl/retrocl.c
-+++ b/ldap/servers/plugins/retrocl/retrocl.c
-@@ -308,6 +308,68 @@ char *retrocl_get_config_str(const char *attrt)
-     return ma;
- }
- 
-+static void
-+retrocl_remove_legacy_default_aci(void)
-+{
-+    Slapi_PBlock *pb = NULL;
-+    Slapi_Entry **entries;
-+    char **aci_vals = NULL;
-+    char *attrs[] = {"aci", NULL};
-+    int rc;
-+
-+    pb = slapi_pblock_new();
-+    slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE, "objectclass=*",
-+            attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
-+    slapi_search_internal_pb(pb);
-+    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
-+    if (rc == LDAP_SUCCESS) {
-+        slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
-+        if(entries && entries[0]){
-+            if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
-+                if(charray_inlist(aci_vals, RETROCL_ACL)){
-+                    /*
-+                     * Okay, we need to remove the aci
-+                     */
-+                    LDAPMod mod;
-+                    LDAPMod *mods[2];
-+                    char *val[2];
-+                    Slapi_PBlock *mod_pb = 0;
-+
-+                    mod_pb = slapi_pblock_new();
-+                    mods[0] = &mod;
-+                    mods[1] = 0;
-+                    val[0] = RETROCL_ACL;
-+                    val[1] = 0;
-+                    mod.mod_op = LDAP_MOD_DELETE;
-+                    mod.mod_type = "aci";
-+                    mod.mod_values = val;
-+
-+                    slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entries[0]),
-+                                                    mods, 0, 0, g_plg_identity[PLUGIN_RETROCL], 0);
-+                    slapi_modify_internal_pb(mod_pb);
-+                    slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
-+                    if(rc == LDAP_SUCCESS){
-+                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
-+                                "Successfully removed vulnerable legacy default aci \"%s\".  "
-+                                "If the aci removal was not desired please use a different \"acl "
-+                                "name\" so it is not removed at the next plugin startup.\n",
-+                                RETROCL_ACL);
-+                    } else {
-+                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
-+                                "Failed to removed vulnerable legacy default aci (%s) error %d\n",
-+                                RETROCL_ACL, rc);
-+                    }
-+                    slapi_pblock_destroy(mod_pb);
-+                }
-+                slapi_ch_array_free(aci_vals);
-+            }
-+        }
-+    }
-+    slapi_free_search_results_internal(pb);
-+    slapi_pblock_destroy(pb);
-+}
-+
-+
- /*
-  * Function: retrocl_start
-  *
-@@ -333,7 +395,10 @@ static int retrocl_start (Slapi_PBlock *pb)
-       LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro changelog (%d).\n",rc);
-       return rc;
-     }
--   
-+
-+    /* Remove the old default aci as it exposes passwords changes to anonymous users */
-+    retrocl_remove_legacy_default_aci();
-+
-     retrocl_init_trimming();
- 
-     if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
-diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
-index 1ffdaae..870421c 100644
---- a/ldap/servers/plugins/retrocl/retrocl_create.c
-+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
-@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
-     val.bv_len = strlen(val.bv_val);
-     slapi_entry_add_values( e, "cn", vals );  
-     
--    val.bv_val = RETROCL_ACL;
--    val.bv_len = strlen(val.bv_val);
--    slapi_entry_add_values( e, "aci", vals );  
--
-     pb = slapi_pblock_new ();
-     slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */, 
- 				     g_plg_identity[PLUGIN_RETROCL], 
diff --git a/debian/patches/cve-2014-8112.diff b/debian/patches/cve-2014-8112.diff
deleted file mode 100644
index 34c4624..0000000
--- a/debian/patches/cve-2014-8112.diff
+++ /dev/null
@@ -1,115 +0,0 @@
-commit 8603d6533d84009e13a94ce6327abfba7ae73ef4
-Author: Ludwig Krispenz <lkrispen at redhat.com>
-Date:   Fri Nov 28 14:23:06 2014 +0100
-
-    Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
-    
-    Fix for CVE-2014-8112
-    
-    	If the unhashed pw switch is set to off this should only
-            prevent the generation of the unhashed#user#password
-    	attribute.
-    	But encoding of pw values and detiecetion which values have
-    	to be deleted needs to stay intact.
-    	So the check if the switch is set has to be placed close to
-            the generation of the attribute in different 'if' branches
-    
-    Reviewed by Noriko, thanks
-    
-    (cherry picked from commit e5de803f4ab1b097c637c269fcc8b567e664c00d)
-    (cherry picked from commit 84b8bfd7d18a0613920dce36f1d3775d75e45a3e)
-
-diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
-index bcf53cd..61f99cf 100644
---- a/ldap/servers/plugins/retrocl/retrocl_po.c
-+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
-@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char **includeattrs)
- 		continue;
- 	    }
- 	}
-+	if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
-+		if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
-+			/* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
-+			continue;
-+		}
-+	}
- 	switch ( ldm[ i ]->mod_op  & ~LDAP_MOD_BVALUES ) {
- 	case LDAP_MOD_ADD:
- 	    addlenstr( l, "add: " );
-diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
-index 9b2f42d..ab12f56 100644
---- a/ldap/servers/slapd/modify.c
-+++ b/ldap/servers/slapd/modify.c
-@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
- 	 * before calling the preop plugins
- 	 */
- 
--	if (pw_change && !repl_op &&
--	    (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
-+	if (pw_change && !repl_op ) {
- 		Slapi_Value **va = NULL;
- 
- 		unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
-@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
- 						 *  Finally, delete the unhashed userpassword
- 						 *  (this will update the password entry extension)
- 						 */
--						bval.bv_val = password;
--						bval.bv_len = strlen(password);
--						bv[0] = &bval;
--						bv[1] = NULL;
--						valuearray_init_bervalarray(bv, &va);
--						slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
--						valuearray_free(&va);
-+						if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
-+							bval.bv_val = password;
-+							bval.bv_len = strlen(password);
-+							bv[0] = &bval;
-+							bv[1] = NULL;
-+							valuearray_init_bervalarray(bv, &va);
-+							slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-+							valuearray_free(&va);
-+						}
- 					} else {
- 						/*
- 						 *  Password is encoded, try and find a matching unhashed_password to delete
-@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
- 								if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
- 									if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
- 										/* match, add the delete mod for this particular unhashed userpassword */
--										valuearray_init_bervalarray(bv, &va);
--										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
--										valuearray_free(&va);
--										free_pw_scheme( unhashed_pwsp );
-+										if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
-+										    valuearray_init_bervalarray(bv, &va);
-+										    slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-+										    valuearray_free(&va);
-+										    free_pw_scheme( unhashed_pwsp );
-+										}
- 										break;
- 									}
- 								} else {
- 									/*
- 									 *  We have a hashed unhashed_userpassword!  We must delete it.
- 									 */
--									valuearray_init_bervalarray(bv, &va);
--									slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
--									valuearray_free(&va);
-+									if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
-+										valuearray_init_bervalarray(bv, &va);
-+										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-+										valuearray_free(&va);
-+									}
- 								}
- 								free_pw_scheme( unhashed_pwsp );
- 							}
-@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
- 				if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
- 					slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
- 				}
--			} else {
-+			} else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
- 				/* add pseudo password attribute */
- 				valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
- 				if(va && va[0]){
diff --git a/debian/patches/series b/debian/patches/series
index 331a449..1e33765 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,6 +6,3 @@ fix-bsd.patch
 support-kfreebsd.patch
 fix-obsolete-target.diff
 fix-saslpath.diff
-
-cve-2014-8112.diff
-cve-2014-8105.diff

commit 775997f5079b1c03506e81efc661852b560089b0
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Fri Mar 6 16:46:09 2015 -0800

    bump version to 1.3.3.9

diff --git a/VERSION.sh b/VERSION.sh
index 8dd9634..71c5369 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
 # PACKAGE_VERSION is constructed from these
 VERSION_MAJOR=1
 VERSION_MINOR=3
-VERSION_MAINT=3.8
+VERSION_MAINT=3.9
 # if this is a PRERELEASE, set VERSION_PREREL
 # otherwise, comment it out
 # be sure to include the dot prefix in the prerel

commit 74e80db8380a4606e07672dfb5e3f7d403efe150
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Tue Dec 16 16:53:07 2014 -0500

    Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
    
    Fix for CVE-2014-8105
    
    Description:  At server startup check for the Retro Changelog default ACI
                  on cn=changelog, if present delete it.
    
    Reviewed by: lkrispenz(Thanks!)
    
    (cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
    (cherry picked from commit 29652118e2ae17ca98c1934af5109f1ac87d94ae)

diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
index 0d2a6dc..8a0f350 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -308,6 +308,68 @@ char *retrocl_get_config_str(const char *attrt)
     return ma;
 }
 
+static void
+retrocl_remove_legacy_default_aci(void)
+{
+    Slapi_PBlock *pb = NULL;
+    Slapi_Entry **entries;
+    char **aci_vals = NULL;
+    char *attrs[] = {"aci", NULL};
+    int rc;
+
+    pb = slapi_pblock_new();
+    slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE, "objectclass=*",
+            attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
+    slapi_search_internal_pb(pb);
+    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+    if (rc == LDAP_SUCCESS) {
+        slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
+        if(entries && entries[0]){
+            if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
+                if(charray_inlist(aci_vals, RETROCL_ACL)){
+                    /*
+                     * Okay, we need to remove the aci
+                     */
+                    LDAPMod mod;
+                    LDAPMod *mods[2];
+                    char *val[2];
+                    Slapi_PBlock *mod_pb = 0;
+
+                    mod_pb = slapi_pblock_new();
+                    mods[0] = &mod;
+                    mods[1] = 0;
+                    val[0] = RETROCL_ACL;
+                    val[1] = 0;
+                    mod.mod_op = LDAP_MOD_DELETE;
+                    mod.mod_type = "aci";
+                    mod.mod_values = val;
+
+                    slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entries[0]),
+                                                    mods, 0, 0, g_plg_identity[PLUGIN_RETROCL], 0);
+                    slapi_modify_internal_pb(mod_pb);
+                    slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+                    if(rc == LDAP_SUCCESS){
+                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+                                "Successfully removed vulnerable legacy default aci \"%s\".  "
+                                "If the aci removal was not desired please use a different \"acl "
+                                "name\" so it is not removed at the next plugin startup.\n",
+                                RETROCL_ACL);
+                    } else {
+                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+                                "Failed to removed vulnerable legacy default aci (%s) error %d\n",
+                                RETROCL_ACL, rc);
+                    }
+                    slapi_pblock_destroy(mod_pb);
+                }
+                slapi_ch_array_free(aci_vals);
+            }
+        }
+    }
+    slapi_free_search_results_internal(pb);
+    slapi_pblock_destroy(pb);
+}
+
+
 /*
  * Function: retrocl_start
  *
@@ -333,7 +395,10 @@ static int retrocl_start (Slapi_PBlock *pb)
       LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro changelog (%d).\n",rc);
       return rc;
     }
-   
+
+    /* Remove the old default aci as it exposes passwords changes to anonymous users */
+    retrocl_remove_legacy_default_aci();
+
     retrocl_init_trimming();
 
     if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
index 1ffdaae..870421c 100644
--- a/ldap/servers/plugins/retrocl/retrocl_create.c
+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
     val.bv_len = strlen(val.bv_val);
     slapi_entry_add_values( e, "cn", vals );  
     
-    val.bv_val = RETROCL_ACL;
-    val.bv_len = strlen(val.bv_val);
-    slapi_entry_add_values( e, "aci", vals );  
-
     pb = slapi_pblock_new ();
     slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */, 
 				     g_plg_identity[PLUGIN_RETROCL], 

commit 8603d6533d84009e13a94ce6327abfba7ae73ef4
Author: Ludwig Krispenz <lkrispen at redhat.com>
Date:   Fri Nov 28 14:23:06 2014 +0100

    Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
    
    Fix for CVE-2014-8112
    
    	If the unhashed pw switch is set to off this should only
            prevent the generation of the unhashed#user#password
    	attribute.
    	But encoding of pw values and detiecetion which values have
    	to be deleted needs to stay intact.
    	So the check if the switch is set has to be placed close to
            the generation of the attribute in different 'if' branches
    
    Reviewed by Noriko, thanks
    
    (cherry picked from commit e5de803f4ab1b097c637c269fcc8b567e664c00d)
    (cherry picked from commit 84b8bfd7d18a0613920dce36f1d3775d75e45a3e)

diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
index bcf53cd..61f99cf 100644
--- a/ldap/servers/plugins/retrocl/retrocl_po.c
+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char **includeattrs)
 		continue;
 	    }
 	}
+	if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
+		if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
+			/* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
+			continue;
+		}
+	}
 	switch ( ldm[ i ]->mod_op  & ~LDAP_MOD_BVALUES ) {
 	case LDAP_MOD_ADD:
 	    addlenstr( l, "add: " );
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 9b2f42d..ab12f56 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 	 * before calling the preop plugins
 	 */
 
-	if (pw_change && !repl_op &&
-	    (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
+	if (pw_change && !repl_op ) {
 		Slapi_Value **va = NULL;
 
 		unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 						 *  Finally, delete the unhashed userpassword
 						 *  (this will update the password entry extension)
 						 */
-						bval.bv_val = password;
-						bval.bv_len = strlen(password);
-						bv[0] = &bval;
-						bv[1] = NULL;
-						valuearray_init_bervalarray(bv, &va);
-						slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-						valuearray_free(&va);
+						if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+							bval.bv_val = password;
+							bval.bv_len = strlen(password);
+							bv[0] = &bval;
+							bv[1] = NULL;
+							valuearray_init_bervalarray(bv, &va);
+							slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+							valuearray_free(&va);
+						}
 					} else {
 						/*
 						 *  Password is encoded, try and find a matching unhashed_password to delete
@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 								if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
 									if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
 										/* match, add the delete mod for this particular unhashed userpassword */
-										valuearray_init_bervalarray(bv, &va);
-										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-										valuearray_free(&va);
-										free_pw_scheme( unhashed_pwsp );
+										if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+										    valuearray_init_bervalarray(bv, &va);
+										    slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+										    valuearray_free(&va);
+										    free_pw_scheme( unhashed_pwsp );
+										}
 										break;
 									}
 								} else {
 									/*
 									 *  We have a hashed unhashed_userpassword!  We must delete it.
 									 */
-									valuearray_init_bervalarray(bv, &va);
-									slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-									valuearray_free(&va);
+									if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+										valuearray_init_bervalarray(bv, &va);
+										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+										valuearray_free(&va);
+									}
 								}
 								free_pw_scheme( unhashed_pwsp );
 							}
@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 				if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
 					slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
 				}
-			} else {
+			} else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
 				/* add pseudo password attribute */
 				valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
 				if(va && va[0]){

commit 1e38fbea783704d021950e03b57df0c54a1f7545
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Mar 4 15:05:09 2015 -0800

    Ticket #47801 - RHDS keeps on logging write_changelog_and_ruv: failed to update RUV for unknown
    
    Description: When no operation is given to write_changelog_and_ruv
    (consumer has the chance just to update ruv) and opcsn is NULL,
    update_ruv_component immediately returns the default return value
    RUV_NOTFOUND, which should not be logged as SLAPI_LOG_FATAL but
    just ignored.
    
    https://fedorahosted.org/389/ticket/47801
    
    Reviewed by rmeggins at redhat.com (Thank you, Rich!!)
    
    (cherry picked from commit c170d9541cca17031e2663c24a1a1e97d8b3172a)

diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c
index 495afeb..84e4a07 100644
--- a/ldap/servers/plugins/replication/repl5_plugins.c
+++ b/ldap/servers/plugins/replication/repl5_plugins.c
@@ -1233,17 +1233,17 @@ write_changelog_and_ruv (Slapi_PBlock *pb)
 		}
 		rc = update_ruv_component(r, opcsn, pb);
 		if (RUV_COVERS_CSN == rc) {
-        		slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
+			slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 					"write_changelog_and_ruv: RUV already covers csn for "
 					"%s (uniqid: %s, optype: %lu) csn %s\n",
 					dn, uniqueid, optype,
 					csn_as_string(oppcsn, PR_FALSE, csn_str));
-		} else if (rc != RUV_SUCCESS) {
-        		slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+		} else if ((rc != RUV_SUCCESS) && (rc != RUV_NOTFOUND)) {
+			slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
 					"write_changelog_and_ruv: failed to update RUV for "
-					"%s (uniqid: %s, optype: %lu) to changelog csn %s\n",
+					"%s (uniqid: %s, optype: %lu) to changelog csn %s - rc %d\n",
 					dn, uniqueid, optype,
-					csn_as_string(oppcsn, PR_FALSE, csn_str));
+					csn_as_string(oppcsn, PR_FALSE, csn_str), rc);
 		}
 	}
 

commit 06a5cc4cf8732081489a443db2e782d78b53980f
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Mar 4 13:05:02 2015 -0800

    Ticket #47957 - Make ReplicaWaitForAsyncResults configurable
    
    Description: Introducing a config attr nsDS5ReplicaWaitForAsyncResults
    to the agreement entry.
      dn: cn=<AGREEMENT>,cn=replica,cn="<SUFFIX>",cn=mapping tree,cn=config
      nsDS5ReplicaWaitForAsyncResults: <integer in millisecond>
    
    Prior to this patch, supplier sleeps 1 second if it finds the response
    from consumer is not ready.  1 second could be too long if higher
    replication throughput is required.
    
    This patch makes the waiting time configurable, and change the default
    to 100 millisecond.  If the attribute nsDS5ReplicaWaitForAsyncResults
    does not exist or the value is 0, the default value is set.
    
    https://fedorahosted.org/389/ticket/47957
    
    Reviewed by rmeggins at redhat.com (Thank you!!)
    
    (cherry picked from commit 2802f362395eac0bbbec99fef86ca27240da0d0f)

diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index 9b7ec1d..ffd8710 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -306,6 +306,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2310 NAME 'nsds5ReplicaFlowControlWindow
 attributeTypes: ( 2.16.840.1.113730.3.1.2311 NAME 'nsds5ReplicaFlowControlPause' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2313 NAME 'nsslapd-changelogtrim-interval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2314 NAME 'nsslapd-changelogcompactdb-interval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2315 NAME 'nsDS5ReplicaWaitForAsyncResults' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 #
 # objectclasses
 #
@@ -317,7 +318,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.110 NAME 'nsMappingTree' DESC 'Netscape d
 objectClasses: ( 2.16.840.1.113730.3.2.104 NAME 'nsContainer' DESC 'Netscape defined objectclass' SUP top  MUST ( CN ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Netscape defined objectclass' SUP top  MUST ( nsDS5ReplicaRoot $  nsDS5ReplicaId ) MAY (cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5ReplicaAutoReferral $ nsds5ReplicaPurgeDelay $ nsds5ReplicaTombstonePurgeInterval $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.113 NAME 'nsTombstone' DESC 'Netscape defined objectclass' SUP top MAY ( nstombstonecsn $ nsParentUniqueId $ nscpEntryDN ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause ) X-ORIGIN 'Netscape Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause $ nsDS5ReplicaWaitForAsyncResults ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index 39d25bb..a7da266 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -194,6 +194,9 @@ extern const char *type_winSyncSubtreePair;
 /* To Allow Consumer Initialisation when adding an agreement - */
 extern const char *type_nsds5BeginReplicaRefresh;
 
+/* For tuning replica release */
+extern const char *type_nsds5WaitForAsyncResults;
+
 /* replica related attributes */
 extern const char *attr_replicaId;
 extern const char *attr_replicaRoot;
@@ -412,6 +415,7 @@ void add_agmt_maxcsns(Slapi_Entry *e, Replica *r);
 void agmt_set_maxcsn(Repl_Agmt *ra);
 void agmt_remove_maxcsn(Repl_Agmt *ra);
 int agmt_maxcsn_to_smod (Replica *r, Slapi_Mod *smod);
+int agmt_set_WaitForAsyncResults(Repl_Agmt *ra, const Slapi_Entry *e);
 
 /* In repl5_agmtlist.c */
 int agmtlist_config_init();
@@ -748,6 +752,9 @@ void repl5_set_debug_timeout(const char *val);
 /* temp hack XXX */
 ReplicaId agmt_get_consumerRID(Repl_Agmt *ra);
 
+/* For replica release tuning */
+int agmt_get_WaitForAsyncResults(Repl_Agmt *ra);
+
 PRBool ldif_dump_is_running();
 
 void windows_init_agreement_from_entry(Repl_Agmt *ra, Slapi_Entry *e);
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index d27648e..2ccb7ba 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -154,6 +154,8 @@ typedef struct repl5agmt {
 	                        * This is the duration (in msec) that the RA will pause before sending the next entry
 	                        */
 	Slapi_RWLock *attr_lock; /* RW lock for all the stripped attrs */
+	int WaitForAsyncResults; /* Pass to DS_Sleep(PR_MillisecondsToInterval(WaitForAsyncResults))
+	                          * in repl5_inc_waitfor_async_results */
 } repl5agmt;
 
 /* Forward declarations */
@@ -315,7 +317,8 @@ agmt_new_from_entry(Slapi_Entry *e)
 	ra->port = slapi_entry_attr_get_int(e, type_nsds5ReplicaPort);
 	/* SSL, TLS, or other transport stuff */
 	ra->transport_flags = 0;
-	agmt_set_transportinfo_no_lock(ra, e);
+	(void) agmt_set_transportinfo_no_lock(ra, e);
+	(void) agmt_set_WaitForAsyncResults(ra, e);
 
 	/* DN to use when binding. May be empty if certain SASL auth is to be used e.g. EXTERNAL GSSAPI. */
 	ra->binddn = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBindDN);
@@ -1727,6 +1730,27 @@ agmt_set_transportinfo_no_lock(Repl_Agmt *ra, const Slapi_Entry *e)
 	return (rc);
 }
 
+int
+agmt_set_WaitForAsyncResults(Repl_Agmt *ra, const Slapi_Entry *e)
+{
+	int wait = 0;
+	if (e) {
+		wait = slapi_entry_attr_get_int(e, type_nsds5WaitForAsyncResults);
+	}
+	if (wait <= 0) {
+		ra->WaitForAsyncResults = 100; /* 0.1 sec */
+	} else {
+		ra->WaitForAsyncResults = wait;
+	}
+	return 0;
+}
+
+int
+agmt_get_WaitForAsyncResults(Repl_Agmt *ra)
+{
+	return ra->WaitForAsyncResults;
+}
+
 int 
 agmt_set_transportinfo_from_entry(Repl_Agmt *ra, const Slapi_Entry *e) 
 {
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index e414e0b..5b419c6 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -548,7 +548,8 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
                 rc = SLAPI_DSE_CALLBACK_ERROR;
             }
         }
-        else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){
+        else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout))
+        {
             if (mods[i]->mod_op & LDAP_MOD_DELETE)
             {
                 agmt_set_protocol_timeout(agmt, 0);



More information about the Pkg-fedora-ds-maintainers mailing list