[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'upstream'

Timo Aaltonen tjaalton at moszumanska.debian.org
Thu Apr 2 11:57:03 UTC 2015


 Makefile.am                                                       |   14 
 Makefile.in                                                       |  104 
 VERSION.sh                                                        |    2 
 aclocal.m4                                                        |   15 
 config.guess                                                      |  192 
 config.sub                                                        |   40 
 dirsrvtests/create_test.py                                        |  577 ++
 dirsrvtests/data/basic/dse.ldif.broken                            |   95 
 dirsrvtests/data/ticket47953/ticket47953.ldif                     |   27 
 dirsrvtests/data/ticket47988/schema_ipa3.3.tar.gz                 |binary
 dirsrvtests/data/ticket47988/schema_ipa4.1.tar.gz                 |binary
 dirsrvtests/suites/acct_usability_plugin/acct_usability_test.py   |   85 
 dirsrvtests/suites/acctpolicy_plugin/acctpolicy_test.py           |   85 
 dirsrvtests/suites/acl/acl_test.py                                |   85 
 dirsrvtests/suites/attr_encryption/attr_encrypt_test.py           |   85 
 dirsrvtests/suites/attr_uniqueness_plugin/attr_uniqueness_test.py |  237 +
 dirsrvtests/suites/automember_plugin/automember_test.py           |   85 
 dirsrvtests/suites/basic/basic_test.py                            |  695 ++
 dirsrvtests/suites/betxns/betxn_test.py                           |  187 
 dirsrvtests/suites/chaining_plugin/chaining_test.py               |   85 
 dirsrvtests/suites/clu/clu_test.py                                |  107 
 dirsrvtests/suites/clu/db2ldif_test.py                            |   84 
 dirsrvtests/suites/collation_plugin/collatation_test.py           |   85 
 dirsrvtests/suites/config/config_test.py                          |  189 
 dirsrvtests/suites/cos_plugin/cos_test.py                         |   85 
 dirsrvtests/suites/deref_plugin/deref_test.py                     |   85 
 dirsrvtests/suites/disk_monitoring/disk_monitor_test.py           |   85 
 dirsrvtests/suites/distrib_plugin/distrib_test.py                 |   85 
 dirsrvtests/suites/dna_plugin/dna_test.py                         |   85 
 dirsrvtests/suites/ds_logs/ds_logs_test.py                        |   85 
 dirsrvtests/suites/dynamic-plugins/constants.py                   |   33 
 dirsrvtests/suites/dynamic-plugins/finalizer.py                   |   57 
 dirsrvtests/suites/dynamic-plugins/plugin_tests.py                | 2318 ++++++++++
 dirsrvtests/suites/dynamic-plugins/stress_tests.py                |  141 
 dirsrvtests/suites/dynamic-plugins/test_dynamic_plugins.py        |  534 ++
 dirsrvtests/suites/filter/filter_test.py                          |  144 
 dirsrvtests/suites/get_effective_rights/ger_test.py               |   85 
 dirsrvtests/suites/ldapi/ldapi_test.py                            |   85 
 dirsrvtests/suites/linkedattrs_plugin/linked_attrs_test.py        |   85 
 dirsrvtests/suites/mapping_tree/mapping_tree_test.py              |   85 
 dirsrvtests/suites/memberof_plugin/memberof_test.py               |   85 
 dirsrvtests/suites/memory_leaks/range_search_test.py              |  145 
 dirsrvtests/suites/mep_plugin/mep_test.py                         |   85 
 dirsrvtests/suites/monitor/monitor_test.py                        |   85 
 dirsrvtests/suites/paged_results/paged_results_test.py            |   85 
 dirsrvtests/suites/pam_passthru_plugin/pam_test.py                |   85 
 dirsrvtests/suites/passthru_plugin/passthru_test.py               |   85 
 dirsrvtests/suites/password/password_test.py                      |  135 
 dirsrvtests/suites/password/pwdAdmin_test.py                      |  439 +
 dirsrvtests/suites/password/pwdPolicy_test.py                     |   74 
 dirsrvtests/suites/posix_winsync_plugin/posix_winsync_test.py     |   85 
 dirsrvtests/suites/psearch/psearch_test.py                        |   85 
 dirsrvtests/suites/referint_plugin/referint_test.py               |   85 
 dirsrvtests/suites/replication/cleanallruv_test.py                | 1486 ++++++
 dirsrvtests/suites/replsync_plugin/repl_sync_test.py              |   85 
 dirsrvtests/suites/resource_limits/res_limits_test.py             |   85 
 dirsrvtests/suites/retrocl_plugin/retrocl_test.py                 |   85 
 dirsrvtests/suites/reverpwd_plugin/reverpwd_test.py               |   85 
 dirsrvtests/suites/roles_plugin/roles_test.py                     |   85 
 dirsrvtests/suites/rootdn_plugin/rootdn_plugin_test.py            |  770 +++
 dirsrvtests/suites/sasl/sasl_test.py                              |   85 
 dirsrvtests/suites/schema/test_schema.py                          |   63 
 dirsrvtests/suites/schema_reload_plugin/schema_reload_test.py     |   85 
 dirsrvtests/suites/snmp/snmp_test.py                              |   85 
 dirsrvtests/suites/ssl/ssl_test.py                                |   85 
 dirsrvtests/suites/syntax_plugin/syntax_test.py                   |   85 
 dirsrvtests/suites/usn_plugin/usn_test.py                         |   85 
 dirsrvtests/suites/views_plugin/views_test.py                     |   85 
 dirsrvtests/suites/vlv/vlv_test.py                                |   85 
 dirsrvtests/suites/whoami_plugin/whoami_test.py                   |   85 
 dirsrvtests/tickets/ticket365_test.py                             |  161 
 dirsrvtests/tickets/ticket47384_test.py                           |  159 
 dirsrvtests/tickets/ticket47431_test.py                           |  251 +
 dirsrvtests/tickets/ticket47462_test.py                           |  452 +
 dirsrvtests/tickets/ticket47553_ger.py                            |  553 ++
 dirsrvtests/tickets/ticket47560_test.py                           |    2 
 dirsrvtests/tickets/ticket47828_test.py                           |  721 +++
 dirsrvtests/tickets/ticket47838_test.py                           |  165 
 dirsrvtests/tickets/ticket47937_test.py                           |  237 +
 dirsrvtests/tickets/ticket47950_test.py                           |  273 +
 dirsrvtests/tickets/ticket47953_test.py                           |  120 
 dirsrvtests/tickets/ticket47963_test.py                           |  191 
 dirsrvtests/tickets/ticket47970_test.py                           |  206 
 dirsrvtests/tickets/ticket47973_test.py                           |  235 +
 dirsrvtests/tickets/ticket47980_test.py                           |  710 +++
 dirsrvtests/tickets/ticket47981_test.py                           |  345 +
 dirsrvtests/tickets/ticket47988_test.py                           |  576 ++
 dirsrvtests/tickets/ticket48005_test.py                           |  407 +
 dirsrvtests/tickets/ticket48109_test.py                           |  386 +
 ldap/admin/src/logconv.pl                                         |   69 
 ldap/admin/src/scripts/50AES-pbe-plugin.ldif                      |   16 
 ldap/admin/src/scripts/52updateAESplugin.pl                       |   84 
 ldap/admin/src/scripts/60upgradeconfigfiles.pl                    |    2 
 ldap/ldif/50replication-plugins.ldif                              |    2 
 ldap/ldif/template-dse.ldif.in                                    |   16 
 ldap/schema/01core389.ldif                                        |    7 
 ldap/schema/10dna-plugin.ldif                                     |    8 
 ldap/servers/plugins/acctpolicy/acct_config.c                     |    8 
 ldap/servers/plugins/acctpolicy/acct_init.c                       |   99 
 ldap/servers/plugins/acctpolicy/acct_plugin.c                     |  178 
 ldap/servers/plugins/acctpolicy/acct_util.c                       |   19 
 ldap/servers/plugins/acctpolicy/acctpolicy.h                      |   25 
 ldap/servers/plugins/acl/acl.c                                    |   51 
 ldap/servers/plugins/acl/acl_ext.c                                |   52 
 ldap/servers/plugins/acl/aclanom.c                                |   68 
 ldap/servers/plugins/acl/acleffectiverights.c                     |   67 
 ldap/servers/plugins/acl/acllas.c                                 |   73 
 ldap/servers/plugins/acl/aclparse.c                               |    8 
 ldap/servers/plugins/acl/aclutil.c                                |    6 
 ldap/servers/plugins/automember/automember.c                      |   82 
 ldap/servers/plugins/chainingdb/cb_bind.c                         |   18 
 ldap/servers/plugins/chainingdb/cb_compare.c                      |    7 
 ldap/servers/plugins/chainingdb/cb_conn_stateless.c               |    1 
 ldap/servers/plugins/chainingdb/cb_delete.c                       |    5 
 ldap/servers/plugins/chainingdb/cb_modify.c                       |    4 
 ldap/servers/plugins/chainingdb/cb_modrdn.c                       |    5 
 ldap/servers/plugins/chainingdb/cb_search.c                       |    4 
 ldap/servers/plugins/chainingdb/cb_utils.c                        |   30 
 ldap/servers/plugins/cos/cos_cache.c                              |   76 
 ldap/servers/plugins/deref/deref.c                                |    2 
 ldap/servers/plugins/dna/dna.c                                    |  129 
 ldap/servers/plugins/linkedattrs/fixup_task.c                     |   44 
 ldap/servers/plugins/linkedattrs/linked_attrs.c                   |    2 
 ldap/servers/plugins/memberof/memberof.c                          |  121 
 ldap/servers/plugins/memberof/memberof.h                          |    5 
 ldap/servers/plugins/memberof/memberof_config.c                   |  223 
 ldap/servers/plugins/pam_passthru/pam_ptpreop.c                   |    6 
 ldap/servers/plugins/posix-winsync/posix-group-task.c             |   40 
 ldap/servers/plugins/posix-winsync/posix-winsync-config.c         |    1 
 ldap/servers/plugins/posix-winsync/posix-winsync.c                |   12 
 ldap/servers/plugins/referint/referint.c                          |   32 
 ldap/servers/plugins/replication/cl5.h                            |    4 
 ldap/servers/plugins/replication/cl5_api.c                        |    5 
 ldap/servers/plugins/replication/cl5_api.h                        |    1 
 ldap/servers/plugins/replication/cl5_clcache.c                    |    3 
 ldap/servers/plugins/replication/cl5_config.c                     |  103 
 ldap/servers/plugins/replication/repl5.h                          |   26 
 ldap/servers/plugins/replication/repl5_agmt.c                     |  277 -
 ldap/servers/plugins/replication/repl5_agmtlist.c                 |   42 
 ldap/servers/plugins/replication/repl5_connection.c               |  211 
 ldap/servers/plugins/replication/repl5_inc_protocol.c             |   52 
 ldap/servers/plugins/replication/repl5_init.c                     |    2 
 ldap/servers/plugins/replication/repl5_plugins.c                  |   67 
 ldap/servers/plugins/replication/repl5_prot_private.h             |    2 
 ldap/servers/plugins/replication/repl5_protocol.c                 |    2 
 ldap/servers/plugins/replication/repl5_replica.c                  |   28 
 ldap/servers/plugins/replication/repl5_replica_config.c           |   61 
 ldap/servers/plugins/replication/repl5_ruv.c                      |    1 
 ldap/servers/plugins/replication/repl5_tot_protocol.c             |   87 
 ldap/servers/plugins/replication/repl5_total.c                    |    4 
 ldap/servers/plugins/replication/repl_bind.c                      |    2 
 ldap/servers/plugins/replication/repl_connext.c                   |   20 
 ldap/servers/plugins/replication/repl_extop.c                     |   30 
 ldap/servers/plugins/replication/repl_globals.c                   |    3 
 ldap/servers/plugins/replication/repl_ops.c                       |   15 
 ldap/servers/plugins/replication/windows_connection.c             |    6 
 ldap/servers/plugins/replication/windows_inc_protocol.c           |   89 
 ldap/servers/plugins/replication/windows_private.c                |    2 
 ldap/servers/plugins/replication/windows_protocol_util.c          |    8 
 ldap/servers/plugins/replication/windows_tot_protocol.c           |   12 
 ldap/servers/plugins/retrocl/retrocl.c                            |   67 
 ldap/servers/plugins/retrocl/retrocl_create.c                     |    4 
 ldap/servers/plugins/retrocl/retrocl_po.c                         |   12 
 ldap/servers/plugins/rever/des.c                                  |  551 --
 ldap/servers/plugins/rever/pbe.c                                  |  621 ++
 ldap/servers/plugins/rever/rever.c                                |  116 
 ldap/servers/plugins/rever/rever.h                                |   11 
 ldap/servers/plugins/roles/roles_cache.c                          |   22 
 ldap/servers/plugins/rootdn_access/rootdn_access.c                |  159 
 ldap/servers/plugins/schema_reload/schema_reload.c                |   34 
 ldap/servers/plugins/sync/sync.h                                  |   11 
 ldap/servers/plugins/sync/sync_persist.c                          |   20 
 ldap/servers/plugins/sync/sync_refresh.c                          |   32 
 ldap/servers/plugins/sync/sync_util.c                             |   99 
 ldap/servers/plugins/syntaxes/validate_task.c                     |   46 
 ldap/servers/plugins/uiduniq/7bit.c                               |   12 
 ldap/servers/plugins/uiduniq/uid.c                                |   63 
 ldap/servers/plugins/usn/usn.c                                    |   20 
 ldap/servers/plugins/usn/usn.h                                    |    1 
 ldap/servers/plugins/usn/usn_cleanup.c                            |   66 
 ldap/servers/slapd/abandon.c                                      |    8 
 ldap/servers/slapd/add.c                                          |    8 
 ldap/servers/slapd/attr.c                                         |    8 
 ldap/servers/slapd/attrsyntax.c                                   |  282 -
 ldap/servers/slapd/auth.c                                         |   91 
 ldap/servers/slapd/back-ldbm/dblayer.c                            |   61 
 ldap/servers/slapd/back-ldbm/dblayer.h                            |    2 
 ldap/servers/slapd/back-ldbm/filterindex.c                        |    7 
 ldap/servers/slapd/back-ldbm/import-merge.c                       |    4 
 ldap/servers/slapd/back-ldbm/import-threads.c                     |   18 
 ldap/servers/slapd/back-ldbm/import.c                             |   11 
 ldap/servers/slapd/back-ldbm/ldbm_attr.c                          |   82 
 ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c                     |    7 
 ldap/servers/slapd/back-ldbm/ldbm_bind.c                          |    2 
 ldap/servers/slapd/back-ldbm/ldbm_config.c                        |    7 
 ldap/servers/slapd/back-ldbm/ldbm_delete.c                        |   14 
 ldap/servers/slapd/back-ldbm/ldbm_modrdn.c                        |    4 
 ldap/servers/slapd/back-ldbm/ldbm_search.c                        |   29 
 ldap/servers/slapd/back-ldbm/ldif2ldbm.c                          |    2 
 ldap/servers/slapd/back-ldbm/matchrule.c                          |   10 
 ldap/servers/slapd/back-ldbm/misc.c                               |    6 
 ldap/servers/slapd/back-ldbm/monitor.c                            |   10 
 ldap/servers/slapd/back-ldif/bind.c                               |    4 
 ldap/servers/slapd/backend.c                                      |   29 
 ldap/servers/slapd/bind.c                                         |   16 
 ldap/servers/slapd/compare.c                                      |    2 
 ldap/servers/slapd/configdse.c                                    |    8 
 ldap/servers/slapd/connection.c                                   |   24 
 ldap/servers/slapd/conntable.c                                    |   10 
 ldap/servers/slapd/control.c                                      |    2 
 ldap/servers/slapd/daemon.c                                       |  248 +
 ldap/servers/slapd/defbackend.c                                   |    3 
 ldap/servers/slapd/delete.c                                       |    2 
 ldap/servers/slapd/dse.c                                          |  157 
 ldap/servers/slapd/entry.c                                        |    4 
 ldap/servers/slapd/entrywsi.c                                     |   13 
 ldap/servers/slapd/extendop.c                                     |    6 
 ldap/servers/slapd/fedse.c                                        |   43 
 ldap/servers/slapd/filter.c                                       |   24 
 ldap/servers/slapd/libglobs.c                                     |   72 
 ldap/servers/slapd/log.c                                          |    6 
 ldap/servers/slapd/main.c                                         |    1 
 ldap/servers/slapd/mapping_tree.c                                 |   12 
 ldap/servers/slapd/modify.c                                       |   51 
 ldap/servers/slapd/modrdn.c                                       |    6 
 ldap/servers/slapd/monitor.c                                      |    8 
 ldap/servers/slapd/operation.c                                    |    4 
 ldap/servers/slapd/opshared.c                                     |   21 
 ldap/servers/slapd/pblock.c                                       |    4 
 ldap/servers/slapd/plugin.c                                       |  259 -
 ldap/servers/slapd/plugin_syntax.c                                |   22 
 ldap/servers/slapd/proto-slap.h                                   |   19 
 ldap/servers/slapd/psearch.c                                      |   10 
 ldap/servers/slapd/pw.c                                           |  181 
 ldap/servers/slapd/pw.h                                           |    2 
 ldap/servers/slapd/result.c                                       |   33 
 ldap/servers/slapd/sasl_io.c                                      |   12 
 ldap/servers/slapd/saslbind.c                                     |   14 
 ldap/servers/slapd/schema.c                                       |  428 +
 ldap/servers/slapd/search.c                                       |    2 
 ldap/servers/slapd/security_wrappers.c                            |    6 
 ldap/servers/slapd/slap.h                                         |   12 
 ldap/servers/slapd/slapi-plugin.h                                 |   38 
 ldap/servers/slapd/slapi-private.h                                |   23 
 ldap/servers/slapd/slapi2nspr.c                                   |   14 
 ldap/servers/slapd/snmp_collator.c                                |    2 
 ldap/servers/slapd/ssl.c                                          |  513 +-
 ldap/servers/slapd/task.c                                         |   72 
 ldap/servers/slapd/thread_data.c                                  |   29 
 ldap/servers/slapd/tools/dbscan.c                                 |    2 
 ldap/servers/slapd/tools/ldclt/ldapfct.c                          |   31 
 ldap/servers/slapd/tools/mmldif.c                                 |   12 
 ldap/servers/slapd/tools/rsearch/nametable.c                      |    1 
 ldap/servers/slapd/unbind.c                                       |    6 
 rpm/389-ds-base.spec.in                                           |   37 
 wrappers/systemd.template.service.in                              |    1 
 256 files changed, 23868 insertions(+), 2659 deletions(-)

New commits:
commit 775997f5079b1c03506e81efc661852b560089b0
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Fri Mar 6 16:46:09 2015 -0800

    bump version to 1.3.3.9

diff --git a/VERSION.sh b/VERSION.sh
index 8dd9634..71c5369 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
 # PACKAGE_VERSION is constructed from these
 VERSION_MAJOR=1
 VERSION_MINOR=3
-VERSION_MAINT=3.8
+VERSION_MAINT=3.9
 # if this is a PRERELEASE, set VERSION_PREREL
 # otherwise, comment it out
 # be sure to include the dot prefix in the prerel

commit 74e80db8380a4606e07672dfb5e3f7d403efe150
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Tue Dec 16 16:53:07 2014 -0500

    Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
    
    Fix for CVE-2014-8105
    
    Description:  At server startup check for the Retro Changelog default ACI
                  on cn=changelog, if present delete it.
    
    Reviewed by: lkrispenz(Thanks!)
    
    (cherry picked from commit 4b812a1af367ed409e21abe73a77e57092e5a5f3)
    (cherry picked from commit 29652118e2ae17ca98c1934af5109f1ac87d94ae)

diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
index 0d2a6dc..8a0f350 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -308,6 +308,68 @@ char *retrocl_get_config_str(const char *attrt)
     return ma;
 }
 
+static void
+retrocl_remove_legacy_default_aci(void)
+{
+    Slapi_PBlock *pb = NULL;
+    Slapi_Entry **entries;
+    char **aci_vals = NULL;
+    char *attrs[] = {"aci", NULL};
+    int rc;
+
+    pb = slapi_pblock_new();
+    slapi_search_internal_set_pb(pb, RETROCL_CHANGELOG_DN, LDAP_SCOPE_BASE, "objectclass=*",
+            attrs, 0, NULL, NULL, g_plg_identity[PLUGIN_RETROCL] , 0);
+    slapi_search_internal_pb(pb);
+    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+    if (rc == LDAP_SUCCESS) {
+        slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
+        if(entries && entries[0]){
+            if((aci_vals = slapi_entry_attr_get_charray(entries[0], "aci"))){
+                if(charray_inlist(aci_vals, RETROCL_ACL)){
+                    /*
+                     * Okay, we need to remove the aci
+                     */
+                    LDAPMod mod;
+                    LDAPMod *mods[2];
+                    char *val[2];
+                    Slapi_PBlock *mod_pb = 0;
+
+                    mod_pb = slapi_pblock_new();
+                    mods[0] = &mod;
+                    mods[1] = 0;
+                    val[0] = RETROCL_ACL;
+                    val[1] = 0;
+                    mod.mod_op = LDAP_MOD_DELETE;
+                    mod.mod_type = "aci";
+                    mod.mod_values = val;
+
+                    slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entries[0]),
+                                                    mods, 0, 0, g_plg_identity[PLUGIN_RETROCL], 0);
+                    slapi_modify_internal_pb(mod_pb);
+                    slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
+                    if(rc == LDAP_SUCCESS){
+                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+                                "Successfully removed vulnerable legacy default aci \"%s\".  "
+                                "If the aci removal was not desired please use a different \"acl "
+                                "name\" so it is not removed at the next plugin startup.\n",
+                                RETROCL_ACL);
+                    } else {
+                        slapi_log_error( SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+                                "Failed to removed vulnerable legacy default aci (%s) error %d\n",
+                                RETROCL_ACL, rc);
+                    }
+                    slapi_pblock_destroy(mod_pb);
+                }
+                slapi_ch_array_free(aci_vals);
+            }
+        }
+    }
+    slapi_free_search_results_internal(pb);
+    slapi_pblock_destroy(pb);
+}
+
+
 /*
  * Function: retrocl_start
  *
@@ -333,7 +395,10 @@ static int retrocl_start (Slapi_PBlock *pb)
       LDAPDebug1Arg(LDAP_DEBUG_TRACE,"Couldnt find backend, not trimming retro changelog (%d).\n",rc);
       return rc;
     }
-   
+
+    /* Remove the old default aci as it exposes passwords changes to anonymous users */
+    retrocl_remove_legacy_default_aci();
+
     retrocl_init_trimming();
 
     if (slapi_pblock_get(pb, SLAPI_ADD_ENTRY, &e) != 0) {
diff --git a/ldap/servers/plugins/retrocl/retrocl_create.c b/ldap/servers/plugins/retrocl/retrocl_create.c
index 1ffdaae..870421c 100644
--- a/ldap/servers/plugins/retrocl/retrocl_create.c
+++ b/ldap/servers/plugins/retrocl/retrocl_create.c
@@ -344,10 +344,6 @@ void retrocl_create_cle (void)
     val.bv_len = strlen(val.bv_val);
     slapi_entry_add_values( e, "cn", vals );  
     
-    val.bv_val = RETROCL_ACL;
-    val.bv_len = strlen(val.bv_val);
-    slapi_entry_add_values( e, "aci", vals );  
-
     pb = slapi_pblock_new ();
     slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */, 
 				     g_plg_identity[PLUGIN_RETROCL], 

commit 8603d6533d84009e13a94ce6327abfba7ae73ef4
Author: Ludwig Krispenz <lkrispen at redhat.com>
Date:   Fri Nov 28 14:23:06 2014 +0100

    Bug 1199675 - CVE-2014-8112 CVE-2014-8105 389-ds-base: various flaws [fedora-all]
    
    Fix for CVE-2014-8112
    
    	If the unhashed pw switch is set to off this should only
            prevent the generation of the unhashed#user#password
    	attribute.
    	But encoding of pw values and detection which values have
    	to be deleted needs to stay intact.
    	So the check if the switch is set has to be placed close to
            the generation of the attribute in different 'if' branches
    
    Reviewed by Noriko, thanks
    
    (cherry picked from commit e5de803f4ab1b097c637c269fcc8b567e664c00d)
    (cherry picked from commit 84b8bfd7d18a0613920dce36f1d3775d75e45a3e)

diff --git a/ldap/servers/plugins/retrocl/retrocl_po.c b/ldap/servers/plugins/retrocl/retrocl_po.c
index bcf53cd..61f99cf 100644
--- a/ldap/servers/plugins/retrocl/retrocl_po.c
+++ b/ldap/servers/plugins/retrocl/retrocl_po.c
@@ -101,6 +101,12 @@ static lenstr *make_changes_string(LDAPMod **ldm, const char **includeattrs)
 		continue;
 	    }
 	}
+	if (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch()) {
+		if (0 == strcasecmp(ldm[ i ]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD)) {
+			/* If nsslapd-unhashed-pw-switch == nolog, skip writing it to cl. */
+			continue;
+		}
+	}
 	switch ( ldm[ i ]->mod_op  & ~LDAP_MOD_BVALUES ) {
 	case LDAP_MOD_ADD:
 	    addlenstr( l, "add: " );
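Review bot: `slapi_config_get_unhashed_pw_switch()` is called for every modification in what appears to be the loop over `ldm`, although its result should not differ within one change record. Reading it once before the loop, e.g. `int skip_unhashed = (SLAPD_UNHASHED_PW_NOLOG == slapi_config_get_unhashed_pw_switch());`, and testing `skip_unhashed` here keeps the decision consistent for the whole record and avoids the repeated lookup. The comment could also state that for any other switch value a clear-text pseudo-attribute present in the mods is still written to the retro changelog, since that is the consequence an administrator needs to know. make_changes_string starts and ends outside this hunk, so the loop header is not visible here.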
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 9b2f42d..ab12f56 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -836,8 +836,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 	 * before calling the preop plugins
 	 */
 
-	if (pw_change && !repl_op &&
-	    (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch())) {
+	if (pw_change && !repl_op ) {
 		Slapi_Value **va = NULL;
 
 		unhashed_pw_attr = slapi_attr_syntax_normalize(PSEUDO_ATTR_UNHASHEDUSERPASSWORD);
@@ -907,13 +906,15 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 						 *  Finally, delete the unhashed userpassword
 						 *  (this will update the password entry extension)
 						 */
-						bval.bv_val = password;
-						bval.bv_len = strlen(password);
-						bv[0] = &bval;
-						bv[1] = NULL;
-						valuearray_init_bervalarray(bv, &va);
-						slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-						valuearray_free(&va);
+						if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+							bval.bv_val = password;
+							bval.bv_len = strlen(password);
+							bv[0] = &bval;
+							bv[1] = NULL;
+							valuearray_init_bervalarray(bv, &va);
+							slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+							valuearray_free(&va);
+						}
 					} else {
 						/*
 						 *  Password is encoded, try and find a matching unhashed_password to delete
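Review bot: `config_get_unhashed_pw_switch()` is now evaluated at four separate places in op_shared_modify (here, twice in the next hunk, and in the `else if` of the last hunk), so one policy decision is spread over deeply nested branches. Reading it once at the top of the `if (pw_change && !repl_op )` block, for example `int gen_unhashed = (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch());`, and testing `gen_unhashed` at each site would make it easier to audit that no branch still emits the clear-text attribute when the switch is off. The block comment above the guarded lines still says "Finally, delete the unhashed userpassword" unconditionally and should mention the switch. The enclosing function starts and ends outside the hunk.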
@@ -945,19 +946,23 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 								if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
 									if((*(pwsp->pws_cmp))((char *)unhashed_pwd , valpwd) == 0 ){
 										/* match, add the delete mod for this particular unhashed userpassword */
-										valuearray_init_bervalarray(bv, &va);
-										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-										valuearray_free(&va);
-										free_pw_scheme( unhashed_pwsp );
+										if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+										    valuearray_init_bervalarray(bv, &va);
+										    slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+										    valuearray_free(&va);
+										    free_pw_scheme( unhashed_pwsp );
+										}
 										break;
 									}
 								} else {
 									/*
 									 *  We have a hashed unhashed_userpassword!  We must delete it.
 									 */
-									valuearray_init_bervalarray(bv, &va);
-									slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
-									valuearray_free(&va);
+									if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
+										valuearray_init_bervalarray(bv, &va);
+										slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+										valuearray_free(&va);
+									}
 								}
 								free_pw_scheme( unhashed_pwsp );
 							}
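Review bot: `free_pw_scheme( unhashed_pwsp );` in the CLEAR-scheme match branch was moved inside the new `if (SLAPD_UNHASHED_PW_OFF != ...)` block, but the `break;` that follows it is still unconditional. With the switch off, a match therefore leaves the loop without freeing `unhashed_pwsp`, because the `free_pw_scheme` call after the if/else is skipped by the `break`. Keep the free outside the guard: close the `if` after `valuearray_free(&va);` and put `free_pw_scheme( unhashed_pwsp );` directly before `break;`. The guarded lines in that branch are also indented with spaces where the rest of the function uses tabs. The surrounding loop begins outside the hunk, so this reading rests on the visible lines only.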
@@ -972,7 +977,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
 				if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
 					slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
 				}
-			} else {
+			} else if (SLAPD_UNHASHED_PW_OFF != config_get_unhashed_pw_switch()) {
 				/* add pseudo password attribute */
 				valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
 				if(va && va[0]){

commit 1e38fbea783704d021950e03b57df0c54a1f7545
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Mar 4 15:05:09 2015 -0800

    Ticket #47801 - RHDS keeps on logging write_changelog_and_ruv: failed to update RUV for unknown
    
    Description: When no operation is given to write_changelog_and_ruv
    (consumer has the chance just to update ruv) and opcsn is NULL,
    update_ruv_component immediately returns the default return value
    RUV_NOTFOUND, which should not be logged as SLAPI_LOG_FATAL but
    just ignored.
    
    https://fedorahosted.org/389/ticket/47801
    
    Reviewed by rmeggins at redhat.com (Thank you, Rich!!)
    
    (cherry picked from commit c170d9541cca17031e2663c24a1a1e97d8b3172a)

diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c
index 495afeb..84e4a07 100644
--- a/ldap/servers/plugins/replication/repl5_plugins.c
+++ b/ldap/servers/plugins/replication/repl5_plugins.c
@@ -1233,17 +1233,17 @@ write_changelog_and_ruv (Slapi_PBlock *pb)
 		}
 		rc = update_ruv_component(r, opcsn, pb);
 		if (RUV_COVERS_CSN == rc) {
-        		slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
+			slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
 					"write_changelog_and_ruv: RUV already covers csn for "
 					"%s (uniqid: %s, optype: %lu) csn %s\n",
 					dn, uniqueid, optype,
 					csn_as_string(oppcsn, PR_FALSE, csn_str));
-		} else if (rc != RUV_SUCCESS) {
-        		slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+		} else if ((rc != RUV_SUCCESS) && (rc != RUV_NOTFOUND)) {
+			slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
 					"write_changelog_and_ruv: failed to update RUV for "
-					"%s (uniqid: %s, optype: %lu) to changelog csn %s\n",
+					"%s (uniqid: %s, optype: %lu) to changelog csn %s - rc %d\n",
 					dn, uniqueid, optype,
-					csn_as_string(oppcsn, PR_FALSE, csn_str));
+					csn_as_string(oppcsn, PR_FALSE, csn_str), rc);
 		}
 	}
 
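Review bot: The new condition drops every RUV_NOTFOUND result, while the commit description only justifies ignoring it when no operation was given and `opcsn` is NULL. A RUV_NOTFOUND returned for a real CSN would now pass without any log line, which hides a replication-state problem from whoever reads the error log. Narrowing the test to `} else if ((rc != RUV_SUCCESS) && !(rc == RUV_NOTFOUND && NULL == opcsn)) {`, or logging the remaining RUV_NOTFOUND case at SLAPI_LOG_REPL, keeps the noise fix without losing that signal. write_changelog_and_ruv starts outside the hunk, so whether `opcsn` can be non-NULL on this path is not visible here.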

commit 06a5cc4cf8732081489a443db2e782d78b53980f
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Mar 4 13:05:02 2015 -0800

    Ticket #47957 - Make ReplicaWaitForAsyncResults configurable
    
    Description: Introducing a config attr nsDS5ReplicaWaitForAsyncResults
    to the agreement entry.
      dn: cn=<AGREEMENT>,cn=replica,cn="<SUFFIX>",cn=mapping tree,cn=config
      nsDS5ReplicaWaitForAsyncResults: <integer in millisecond>
    
    Prior to this patch, supplier sleeps 1 second if it finds the response
    from consumer is not ready.  1 second could be too long if higher
    replication throughput is required.
    
    This patch makes the waiting time configurable, and change the default
    to 100 millisecond.  If the attribute nsDS5ReplicaWaitForAsyncResults
    does not exist or the value is 0, the default value is set.
    
    https://fedorahosted.org/389/ticket/47957
    
    Reviewed by rmeggins at redhat.com (Thank you!!)
    
    (cherry picked from commit 2802f362395eac0bbbec99fef86ca27240da0d0f)

diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index 9b7ec1d..ffd8710 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -306,6 +306,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2310 NAME 'nsds5ReplicaFlowControlWindow
 attributeTypes: ( 2.16.840.1.113730.3.1.2311 NAME 'nsds5ReplicaFlowControlPause' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2313 NAME 'nsslapd-changelogtrim-interval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2314 NAME 'nsslapd-changelogcompactdb-interval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2315 NAME 'nsDS5ReplicaWaitForAsyncResults' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 #
 # objectclasses
 #
@@ -317,7 +318,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.110 NAME 'nsMappingTree' DESC 'Netscape d
 objectClasses: ( 2.16.840.1.113730.3.2.104 NAME 'nsContainer' DESC 'Netscape defined objectclass' SUP top  MUST ( CN ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.108 NAME 'nsDS5Replica' DESC 'Netscape defined objectclass' SUP top  MUST ( nsDS5ReplicaRoot $  nsDS5ReplicaId ) MAY (cn $ nsds5ReplicaPreciseTombstonePurging $ nsds5ReplicaCleanRUV $ nsds5ReplicaAbortCleanRUV $ nsDS5ReplicaType $ nsDS5ReplicaBindDN $ nsState $ nsDS5ReplicaName $ nsDS5Flags $ nsDS5Task $ nsDS5ReplicaReferral $ nsDS5ReplicaAutoReferral $ nsds5ReplicaPurgeDelay $ nsds5ReplicaTombstonePurgeInterval $ nsds5ReplicaChangeCount $ nsds5ReplicaLegacyConsumer $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaBackoffMin $ nsds5ReplicaBackoffMax ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.113 NAME 'nsTombstone' DESC 'Netscape defined objectclass' SUP top MAY ( nstombstonecsn $ nsParentUniqueId $ nscpEntryDN ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause ) X-ORIGIN 'Netscape Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsds5ReplicaCleanRUVNotified $ nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicatedAttributeListTotal $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5ReplicaEnabled $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5ReplicaStripAttrs $ nsds5replicaSessionPauseTime $ nsds5ReplicaProtocolTimeout $ nsds5ReplicaFlowControlWindow $ nsds5ReplicaFlowControlPause $ nsDS5ReplicaWaitForAsyncResults ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
 objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
diff --git a/ldap/servers/plugins/replication/repl5.h b/ldap/servers/plugins/replication/repl5.h
index 39d25bb..a7da266 100644
--- a/ldap/servers/plugins/replication/repl5.h
+++ b/ldap/servers/plugins/replication/repl5.h
@@ -194,6 +194,9 @@ extern const char *type_winSyncSubtreePair;
 /* To Allow Consumer Initialisation when adding an agreement - */
 extern const char *type_nsds5BeginReplicaRefresh;
 
+/* For tuning replica release */
+extern const char *type_nsds5WaitForAsyncResults;
+
 /* replica related attributes */
 extern const char *attr_replicaId;
 extern const char *attr_replicaRoot;
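Review bot: The comment `/* For tuning replica release */` on the new `type_nsds5WaitForAsyncResults` declaration does not say what the attribute controls, and the same vague wording is repeated above `agmt_get_WaitForAsyncResults` in the third hunk of this file. A comment such as `/* Agreement attribute: msec to sleep between polls for async results */` would tell the reader the unit and the purpose. The identifier also drops the "Replica" part that the attribute string and the neighbouring `type_nsds5Replica...` names carry, which makes it harder to grep for.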
@@ -412,6 +415,7 @@ void add_agmt_maxcsns(Slapi_Entry *e, Replica *r);
 void agmt_set_maxcsn(Repl_Agmt *ra);
 void agmt_remove_maxcsn(Repl_Agmt *ra);
 int agmt_maxcsn_to_smod (Replica *r, Slapi_Mod *smod);
+int agmt_set_WaitForAsyncResults(Repl_Agmt *ra, const Slapi_Entry *e);
 
 /* In repl5_agmtlist.c */
 int agmtlist_config_init();
@@ -748,6 +752,9 @@ void repl5_set_debug_timeout(const char *val);
 /* temp hack XXX */
 ReplicaId agmt_get_consumerRID(Repl_Agmt *ra);
 
+/* For replica release tuning */
+int agmt_get_WaitForAsyncResults(Repl_Agmt *ra);
+
 PRBool ldif_dump_is_running();
 
 void windows_init_agreement_from_entry(Repl_Agmt *ra, Slapi_Entry *e);
diff --git a/ldap/servers/plugins/replication/repl5_agmt.c b/ldap/servers/plugins/replication/repl5_agmt.c
index d27648e..2ccb7ba 100644
--- a/ldap/servers/plugins/replication/repl5_agmt.c
+++ b/ldap/servers/plugins/replication/repl5_agmt.c
@@ -154,6 +154,8 @@ typedef struct repl5agmt {
 	                        * This is the duration (in msec) that the RA will pause before sending the next entry
 	                        */
 	Slapi_RWLock *attr_lock; /* RW lock for all the stripped attrs */
+	int WaitForAsyncResults; /* Pass to DS_Sleep(PR_MillisecondsToInterval(WaitForAsyncResults))
+	                          * in repl5_inc_waitfor_async_results */
 } repl5agmt;
 
 /* Forward declarations */
@@ -315,7 +317,8 @@ agmt_new_from_entry(Slapi_Entry *e)
 	ra->port = slapi_entry_attr_get_int(e, type_nsds5ReplicaPort);
 	/* SSL, TLS, or other transport stuff */
 	ra->transport_flags = 0;
-	agmt_set_transportinfo_no_lock(ra, e);
+	(void) agmt_set_transportinfo_no_lock(ra, e);
+	(void) agmt_set_WaitForAsyncResults(ra, e);
 
 	/* DN to use when binding. May be empty if certain SASL auth is to be used e.g. EXTERNAL GSSAPI. */
 	ra->binddn = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBindDN);
@@ -1727,6 +1730,27 @@ agmt_set_transportinfo_no_lock(Repl_Agmt *ra, const Slapi_Entry *e)
 	return (rc);
 }
 
+int
+agmt_set_WaitForAsyncResults(Repl_Agmt *ra, const Slapi_Entry *e)
+{
+	int wait = 0;
+	if (e) {
+		wait = slapi_entry_attr_get_int(e, type_nsds5WaitForAsyncResults);
+	}
+	if (wait <= 0) {
+		ra->WaitForAsyncResults = 100; /* 0.1 sec */
+	} else {
+		ra->WaitForAsyncResults = wait;
+	}
+	return 0;
+}
+
+int
+agmt_get_WaitForAsyncResults(Repl_Agmt *ra)
+{
+	return ra->WaitForAsyncResults;
+}
+
 int 
 agmt_set_transportinfo_from_entry(Repl_Agmt *ra, const Slapi_Entry *e) 
 {
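Review bot: agmt_set_WaitForAsyncResults stores any positive value with no upper bound and silently maps zero, negative or missing values to the hard-coded 100, so a mistyped nsDS5ReplicaWaitForAsyncResults is never reported to the administrator; the new branch in agmtlist_modify_callback discards the return value as well. A named constant such as `#define WAIT_ASYNC_RESULTS_DEFAULT_MSEC 100`, an upper clamp, and a `slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, ...)` line when the value is replaced would make the behaviour visible. The field is written here from the config-modify path and read through agmt_get_WaitForAsyncResults from send_updates without taking the agreement's lock; that is probably benign for an int, but it is worth confirming against how the other setters in this file behave.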
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index e414e0b..5b419c6 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -548,7 +548,8 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
                 rc = SLAPI_DSE_CALLBACK_ERROR;
             }
         }
-        else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout)){
+        else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_replicaProtocolTimeout))
+        {
             if (mods[i]->mod_op & LDAP_MOD_DELETE)
             {
                 agmt_set_protocol_timeout(agmt, 0);
@@ -574,6 +575,14 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
                 agmt_set_protocol_timeout(agmt, ptimeout);
             }
         }
+        else if (slapi_attr_types_equivalent(mods[i]->mod_type, type_nsds5WaitForAsyncResults))
+        {
+            if (mods[i]->mod_op & LDAP_MOD_DELETE) {
+                (void) agmt_set_WaitForAsyncResults(agmt, NULL);
+            } else {
+                (void) agmt_set_WaitForAsyncResults(agmt, e);
+            }
+        }
         else if (0 == windows_handle_modify_agreement(agmt, mods[i]->mod_type, e))
         {
             slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " 
diff --git a/ldap/servers/plugins/replication/repl5_inc_protocol.c b/ldap/servers/plugins/replication/repl5_inc_protocol.c
index f18fde5..bd4edeb 100644
--- a/ldap/servers/plugins/replication/repl5_inc_protocol.c
+++ b/ldap/servers/plugins/replication/repl5_inc_protocol.c
@@ -110,6 +110,7 @@ typedef struct result_data
 	int last_message_id_received;
 	int flowcontrol_detection;
 	int result; /* The UPDATE_TRANSIENT_ERROR etc */
+	int WaitForAsyncResults;
 } result_data;
 
 /* Various states the incremental protocol can pass through */
@@ -492,18 +493,17 @@ repl5_inc_waitfor_async_results(result_data *rd)
 		slapi_log_error(SLAPI_LOG_REPL, NULL,
 					"repl5_inc_waitfor_async_results: %d %d\n",
 					rd->last_message_id_received, rd->last_message_id_sent);
-		if (rd->last_message_id_received >= rd->last_message_id_sent) 
-		{
+		if (rd->last_message_id_received >= rd->last_message_id_sent) {
 			/* If so then we're done */
 			done = 1;
-		}
-		if (rd->abort && (rd->result == UPDATE_CONNECTION_LOST))
-		{
+		} else if (rd->abort && (rd->result == UPDATE_CONNECTION_LOST)) {
 			done = 1; /* no connection == no more results */
 		}
 		PR_Unlock(rd->lock);
-		/* If not then sleep a bit */
-		DS_Sleep(PR_SecondsToInterval(1));
+		if (!done) {
+			/* If not then sleep a bit */
+			DS_Sleep(PR_MillisecondsToInterval(rd->WaitForAsyncResults));
+		}
 		loops++;
 		/* If we sleep forever then we can conclude that something bad happened, and bail... */
 		/* Arbitrary 30 second delay : basically we should only expect to wait as long as it takes to process a few operations, which should be on the order of a second at most */
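Review bot: The comment after `loops++` still describes an arbitrary 30 second delay, but the loop now sleeps for `rd->WaitForAsyncResults` milliseconds instead of one second. The bail-out check itself lies outside this hunk; if it counts iterations, the effective timeout now scales with the configured value, so a small setting gives up on a slow consumer much sooner and a large one waits far longer than intended. Measuring elapsed time keeps the bound independent of the tuning knob, for example `time_t start = time(NULL);` before the loop and `(time(NULL) - start) > <timeout seconds>` in the bail-out condition. At minimum the comment should state that the bound is the loop limit multiplied by the configured interval.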
@@ -1912,6 +1912,7 @@ send_updates(Private_Repl_Protocol *prp, RUV *remote_update_vector, PRUint32 *nu
 		{
 			/* We need to ensure that we wait until all the responses have been received from our operations */
 			if (return_value != UPDATE_CONNECTION_LOST) {
+				rd->WaitForAsyncResults = agmt_get_WaitForAsyncResults(prp->agmt);
 				/* if connection was lost/closed, there will be nothing to read */
 				repl5_inc_waitfor_async_results(rd);
 			}
diff --git a/ldap/servers/plugins/replication/repl_globals.c b/ldap/servers/plugins/replication/repl_globals.c
index e2157fa..7f4fcd2 100644
--- a/ldap/servers/plugins/replication/repl_globals.c
+++ b/ldap/servers/plugins/replication/repl_globals.c
@@ -141,6 +141,7 @@ const char *type_nsds5ReplicaEnabled = "nsds5ReplicaEnabled";
 const char *type_nsds5ReplicaStripAttrs = "nsds5ReplicaStripAttrs";
 const char* type_nsds5ReplicaFlowControlWindow = "nsds5ReplicaFlowControlWindow";
 const char* type_nsds5ReplicaFlowControlPause = "nsds5ReplicaFlowControlPause";
+const char *type_nsds5WaitForAsyncResults = "nsds5ReplicaWaitForAsyncResults";
 
 /* windows sync specific attributes */
 const char *type_nsds7WindowsReplicaArea = "nsds7WindowsReplicaSubtree";

commit f298e2bbc2ca55f93a9a5353451318b58a3a7fab
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Tue Mar 3 15:42:58 2015 -0800

    Ticket 47431 - CI test: added test cases for ticket 47431
    
    Summary: Duplicate values for the attribute nsslapd-pluginarg are not handled correctly
    Test cases:
    1) cn=7-bit check,cn=plugins,cn=config
       nsslapd-pluginarg0: uid
       nsslapd-pluginarg1: mail
       nsslapd-pluginarg2: userpassword <== repeat 27 times
       nsslapd-pluginarg3: ,
       nsslapd-pluginarg4: dc=test,dc=com
       ==>
       The duplicated values are removed by str2entry_dupcheck as follows:
       [..] - str2entry_dupcheck: 27 duplicate values for attribute type nsslapd-pluginarg2
              detected in entry cn=7-bit check,cn=plugins,cn=config. Extra values ignored.
    2) cn=7-bit check,cn=plugins,cn=config
       nsslapd-pluginarg0: uid
       nsslapd-pluginarg0: mail
       nsslapd-pluginarg1: userpassword
       nsslapd-pluginarg2: ,
       nsslapd-pluginarg3: dc=test,dc=com
       ==>
       nsslapd-pluginarg0: uid
       nsslapd-pluginarg1: mail
       nsslapd-pluginarg2: userpassword
       nsslapd-pluginarg3: ,
       nsslapd-pluginarg4: dc=test,dc=com
    3) cn=7-bit check,cn=plugins,cn=config
       nsslapd-pluginarg1: uid
       nsslapd-pluginarg3: mail
       nsslapd-pluginarg5: userpassword
       nsslapd-pluginarg7: ,
       nsslapd-pluginarg9: dc=test,dc=com
       ==>
       nsslapd-pluginarg0: uid
       nsslapd-pluginarg1: mail
       nsslapd-pluginarg2: userpassword
       nsslapd-pluginarg3: ,
       nsslapd-pluginarg4: dc=test,dc=com
    Note: it does not modify the config params. The syntax errors are
    internally translated and processed accordingly.
    
    https://fedorahosted.org/389/ticket/47431
    
    Reviewed by rmeggins at redhat.com (Thank you, Rich!!)
    
    (cherry picked from commit 9576982b676d663139350a5aeb551ff19abedcba)

diff --git a/dirsrvtests/tickets/ticket47431_test.py b/dirsrvtests/tickets/ticket47431_test.py
new file mode 100644
index 0000000..893a303
--- /dev/null
+++ b/dirsrvtests/tickets/ticket47431_test.py
@@ -0,0 +1,251 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+installation1_prefix = None
+
+DN_7BITPLUGIN="cn=7-bit check,%s" % DN_PLUGIN
+ATTRS = ["uid", "mail", "userpassword", ",", SUFFIX, None]
+
+class TopologyStandalone(object):
+    def __init__(self, standalone):
+        standalone.open()
+        self.standalone = standalone
+
+
+ at pytest.fixture(scope="module")
+def topology(request):
+    global installation1_prefix
+    if installation1_prefix:
+        args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+
+    # Creating standalone instance ...
+    standalone = DirSrv(verbose=False)
+    args_instance[SER_HOST] = HOST_STANDALONE
+    args_instance[SER_PORT] = PORT_STANDALONE
+    args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+    args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+    args_standalone = args_instance.copy()
+    standalone.allocate(args_standalone)
+    instance_standalone = standalone.exists()
+    if instance_standalone:
+        standalone.delete()
+    standalone.create()
+    standalone.open()
+
+    # Clear out the tmp dir
+    standalone.clearTmpDir(__file__)
+
+    return TopologyStandalone(standalone)
+
+
+def test_ticket47431_0(topology):
+    '''
+    Enable 7 bit plugin
+    '''
+    log.info("Ticket 47431 - 0: Enable 7bit plugin...")
+    topology.standalone.plugins.enable(name=PLUGIN_7_BIT_CHECK)
+
+
+def test_ticket47431_1(topology):
+    '''
+    nsslapd-pluginarg0: uid
+    nsslapd-pluginarg1: mail
+    nsslapd-pluginarg2: userpassword <== repeat 27 times
+    nsslapd-pluginarg3: ,
+    nsslapd-pluginarg4: dc=example,dc=com
+
+    The duplicated values are removed by str2entry_dupcheck as follows:
+    [..] - str2entry_dupcheck: 27 duplicate values for attribute type nsslapd-pluginarg2
+           detected in entry cn=7-bit check,cn=plugins,cn=config. Extra values ignored.
+    '''
+   
+    log.info("Ticket 47431 - 1: Check 26 duplicate values are treated as one...")
+    expected = "str2entry_dupcheck: .* duplicate values for attribute type nsslapd-pluginarg2 detected in entry cn=7-bit check,cn=plugins,cn=config."
+
+    log.debug('modify_s %s' % DN_7BITPLUGIN)
+    try:
+        topology.standalone.modify_s(DN_7BITPLUGIN,
+                                     [(ldap.MOD_REPLACE, 'nsslapd-pluginarg0', "uid"),
+                                      (ldap.MOD_REPLACE, 'nsslapd-pluginarg1', "mail"),
+                                      (ldap.MOD_REPLACE, 'nsslapd-pluginarg2', "userpassword"),
+                                      (ldap.MOD_REPLACE, 'nsslapd-pluginarg3', ","),
+                                      (ldap.MOD_REPLACE, 'nsslapd-pluginarg4', SUFFIX)])
+    except ValueError:
+        log.error('modify failed: Some problem occured with a value that was provided')
+        assert False
+
+    arg2 = "nsslapd-pluginarg2: userpassword"
+    topology.standalone.stop(timeout=10)
+    dse_ldif = topology.standalone.confdir + '/dse.ldif'
+    os.system('mv %s %s.47431' % (dse_ldif, dse_ldif))
+    os.system('sed -e "s/\\(%s\\)/\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1\\n\\1/" %s.47431 > %s' % (arg2, dse_ldif, dse_ldif))
+    topology.standalone.start(timeout=10)
+
+    cmdline = 'egrep -i "%s" %s' % (expected, topology.standalone.errlog)
+    p = os.popen(cmdline, "r")
+    line = p.readline()
+    if line == "":
+        log.error('Expected error "%s" not logged in %s' % (expected, topology.standalone.errlog))
+        assert False
+    else:
+        log.debug('line: %s' % line)
+        log.info('Expected error "%s" logged in %s' % (expected, topology.standalone.errlog))
+
+
+    log.info("Ticket 47431 - 1: done")
+
+
+def test_ticket47431_2(topology):
+    '''
+    nsslapd-pluginarg0: uid
+    nsslapd-pluginarg0: mail
+    nsslapd-pluginarg1: userpassword
+    nsslapd-pluginarg2: ,
+    nsslapd-pluginarg3: dc=example,dc=com
+    ==>
+    nsslapd-pluginarg0: uid
+    nsslapd-pluginarg1: mail
+    nsslapd-pluginarg2: userpassword
+    nsslapd-pluginarg3: ,
+    nsslapd-pluginarg4: dc=example,dc=com
+    Should be logged in error log:
+    [..] NS7bitAttr_Init - 0: uid
+    [..] NS7bitAttr_Init - 1: userpassword
+    [..] NS7bitAttr_Init - 2: mail
+    [..] NS7bitAttr_Init - 3: ,
+    [..] NS7bitAttr_Init - 4: dc=example,dc=com
+    '''
+
+    log.info("Ticket 47431 - 2: Check two values belonging to one arg is fixed...")
+   
+    try:
+        topology.standalone.modify_s(DN_7BITPLUGIN,
+                                     [(ldap.MOD_REPLACE, 'nsslapd-pluginarg0', "uid"),
+                                      (ldap.MOD_ADD, 'nsslapd-pluginarg0', "mail"),
+                                      (ldap.MOD_REPLACE, 'nsslapd-pluginarg1', "userpassword"),
+                                      (ldap.MOD_REPLACE, 'nsslapd-pluginarg2', ","),
+                                      (ldap.MOD_REPLACE, 'nsslapd-pluginarg3', SUFFIX),
+                                      (ldap.MOD_DELETE, 'nsslapd-pluginarg4', None)])
+    except ValueError:
+        log.error('modify failed: Some problem occured with a value that was provided')
+        assert False
+
+    # PLUGIN LOG LEVEL
+    topology.standalone.modify_s(DN_CONFIG, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '65536')])
+
+    topology.standalone.restart(timeout=10)
+
+    cmdline = 'egrep -i %s %s' % ("NS7bitAttr_Init", topology.standalone.errlog)
+    p = os.popen(cmdline, "r")
+    i = 0
+    while ATTRS[i]:
+        line = p.readline()
+        log.debug('line - %s' % line)
+        log.debug('ATTRS[%d] %s' % (i, ATTRS[i]))
+        if line == "":
+            break
+        elif line.find(ATTRS[i]) >= 0:
+            log.debug('%s was logged' % ATTRS[i])
+        else:
+            log.error('%s was not logged.' % ATTRS[i])
+            assert False
+        i = i + 1
+
+    log.info("Ticket 47431 - 2: done")
+
+
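Review bot: test_ticket47431_2 can pass without verifying anything, because the `while ATTRS[i]` loop breaks on the first empty `readline()`; an error log with no NS7bitAttr_Init lines, or fewer than five, ends the test successfully. Both tests also build `mv`, `sed` and `egrep` command strings with interpolated paths for `os.system`/`os.popen` and never close the pipe; reading the log in Python avoids the shell and lets the test assert the line count, as sketched below. The docstring gives the logged order as uid, userpassword, mail while ATTRS expects uid, mail, userpassword, so one of the two needs correcting. The hunk header announces 251 lines but the page shows fewer, so any later tests are not visible here.

```python
    # … unchanged: modify_s calls, error-log level change, restart …
    with open(topology.standalone.errlog) as errlog:
        init_lines = [entry for entry in errlog
                      if "ns7bitattr_init" in entry.lower()]
    expected_args = ATTRS[:-1]  # drop the None terminator
    assert len(init_lines) >= len(expected_args), \
        'expected %d NS7bitAttr_Init lines, found %d' % (
            len(expected_args), len(init_lines))
    for value, entry in zip(expected_args, init_lines):
        assert value in entry, '%s was not logged.' % value
```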


