i8c-stream-1.4
changed/i8c-stream-1.4/389-ds-base-1.4.3.39-7.module+el8.10.0+21985+3665ccdb
parent
844aa738e9
commit
bf45329f1e
@ -0,0 +1,108 @@
|
|||||||
|
From 016a2b6bd3e27cbff36609824a75b020dfd24823 Mon Sep 17 00:00:00 2001
|
||||||
|
From: James Chapman <jachapma@redhat.com>
|
||||||
|
Date: Wed, 1 May 2024 15:01:33 +0100
|
||||||
|
Subject: [PATCH] CVE-2024-2199
|
||||||
|
|
||||||
|
---
|
||||||
|
.../tests/suites/password/password_test.py | 56 +++++++++++++++++++
|
||||||
|
ldap/servers/slapd/modify.c | 8 ++-
|
||||||
|
2 files changed, 62 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py
|
||||||
|
index 38079476a..b3ff08904 100644
|
||||||
|
--- a/dirsrvtests/tests/suites/password/password_test.py
|
||||||
|
+++ b/dirsrvtests/tests/suites/password/password_test.py
|
||||||
|
@@ -65,6 +65,62 @@ def test_password_delete_specific_password(topology_st):
|
||||||
|
log.info('test_password_delete_specific_password: PASSED')
|
||||||
|
|
||||||
|
|
||||||
|
+def test_password_modify_non_utf8(topology_st):
|
||||||
|
+ """Attempt a modify of the userPassword attribute with
|
||||||
|
+ an invalid non utf8 value
|
||||||
|
+
|
||||||
|
+ :id: a31af9d5-d665-42b9-8d6e-fea3d0837d36
|
||||||
|
+ :setup: Standalone instance
|
||||||
|
+ :steps:
|
||||||
|
+ 1. Add a user if it doesnt exist and set its password
|
||||||
|
+ 2. Verify password with a bind
|
||||||
|
+ 3. Modify userPassword attr with invalid value
|
||||||
|
+ 4. Attempt a bind with invalid password value
|
||||||
|
+ 5. Verify original password with a bind
|
||||||
|
+ :expectedresults:
|
||||||
|
+ 1. The user with userPassword should be added successfully
|
||||||
|
+ 2. Operation should be successful
|
||||||
|
+ 3. Server returns ldap.UNWILLING_TO_PERFORM
|
||||||
|
+ 4. Server returns ldap.INVALID_CREDENTIALS
|
||||||
|
+ 5. Operation should be successful
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ log.info('Running test_password_modify_non_utf8...')
|
||||||
|
+
|
||||||
|
+ # Create user and set password
|
||||||
|
+ standalone = topology_st.standalone
|
||||||
|
+ users = UserAccounts(standalone, DEFAULT_SUFFIX)
|
||||||
|
+ if not users.exists(TEST_USER_PROPERTIES['uid'][0]):
|
||||||
|
+ user = users.create(properties=TEST_USER_PROPERTIES)
|
||||||
|
+ else:
|
||||||
|
+ user = users.get(TEST_USER_PROPERTIES['uid'][0])
|
||||||
|
+ user.set('userpassword', PASSWORD)
|
||||||
|
+
|
||||||
|
+ # Verify password
|
||||||
|
+ try:
|
||||||
|
+ user.bind(PASSWORD)
|
||||||
|
+ except ldap.LDAPError as e:
|
||||||
|
+ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
|
||||||
|
+ assert False
|
||||||
|
+
|
||||||
|
+ # Modify userPassword with an invalid value
|
||||||
|
+ password = b'tes\x82t-password' # A non UTF-8 encoded password
|
||||||
|
+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):
|
||||||
|
+ user.replace('userpassword', password)
|
||||||
|
+
|
||||||
|
+ # Verify a bind fails with invalid pasword
|
||||||
|
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
|
||||||
|
+ user.bind(password)
|
||||||
|
+
|
||||||
|
+ # Verify we can still bind with original password
|
||||||
|
+ try:
|
||||||
|
+ user.bind(PASSWORD)
|
||||||
|
+ except ldap.LDAPError as e:
|
||||||
|
+ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
|
||||||
|
+ assert False
|
||||||
|
+
|
||||||
|
+ log.info('test_password_modify_non_utf8: PASSED')
|
||||||
|
+
|
||||||
|
if __name__ == '__main__':
|
||||||
|
# Run isolated
|
||||||
|
# -s for DEBUG mode
|
||||||
|
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
|
||||||
|
index 5ca78539c..669bb104c 100644
|
||||||
|
--- a/ldap/servers/slapd/modify.c
|
||||||
|
+++ b/ldap/servers/slapd/modify.c
|
||||||
|
@@ -765,8 +765,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
|
||||||
|
* flagged - leave mod attributes alone */
|
||||||
|
if (!repl_op && !skip_modified_attrs && lastmod) {
|
||||||
|
modify_update_last_modified_attr(pb, &smods);
|
||||||
|
+ slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods));
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
if (0 == slapi_mods_get_num_mods(&smods)) {
|
||||||
|
/* nothing to do - no mods - this is not an error - just
|
||||||
|
send back LDAP_SUCCESS */
|
||||||
|
@@ -933,8 +935,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
|
||||||
|
|
||||||
|
/* encode password */
|
||||||
|
if (pw_encodevals_ext(pb, sdn, va)) {
|
||||||
|
- slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
|
||||||
|
- send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
|
||||||
|
+ slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s, "
|
||||||
|
+ "check value is utf8 string.\n", slapi_entry_get_dn_const(e));
|
||||||
|
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, "
|
||||||
|
+ "check value is utf8 string.\n", 0, NULL);
|
||||||
|
valuearray_free(&va);
|
||||||
|
goto free_and_return;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.45.0
|
||||||
|
|
@ -0,0 +1,213 @@
|
|||||||
|
From d5bbe52fbe84a7d3b5938bf82d5c4af15061a8e2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pierre Rogier <progier@redhat.com>
|
||||||
|
Date: Wed, 17 Apr 2024 18:18:04 +0200
|
||||||
|
Subject: [PATCH] CVE-2024-3657
|
||||||
|
|
||||||
|
---
|
||||||
|
.../tests/suites/filter/large_filter_test.py | 34 +++++-
|
||||||
|
ldap/servers/slapd/back-ldbm/index.c | 111 ++++++++++--------
|
||||||
|
2 files changed, 92 insertions(+), 53 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dirsrvtests/tests/suites/filter/large_filter_test.py b/dirsrvtests/tests/suites/filter/large_filter_test.py
|
||||||
|
index ecc7bf979..40526bb16 100644
|
||||||
|
--- a/dirsrvtests/tests/suites/filter/large_filter_test.py
|
||||||
|
+++ b/dirsrvtests/tests/suites/filter/large_filter_test.py
|
||||||
|
@@ -13,19 +13,29 @@ verify and testing Filter from a search
|
||||||
|
|
||||||
|
import os
|
||||||
|
import pytest
|
||||||
|
+import ldap
|
||||||
|
|
||||||
|
-from lib389._constants import PW_DM
|
||||||
|
+from lib389._constants import PW_DM, DEFAULT_SUFFIX, ErrorLog
|
||||||
|
from lib389.topologies import topology_st as topo
|
||||||
|
from lib389.idm.user import UserAccounts, UserAccount
|
||||||
|
from lib389.idm.account import Accounts
|
||||||
|
from lib389.backend import Backends
|
||||||
|
from lib389.idm.domain import Domain
|
||||||
|
+from lib389.utils import get_ldapurl_from_serverid
|
||||||
|
|
||||||
|
SUFFIX = 'dc=anuj,dc=com'
|
||||||
|
|
||||||
|
pytestmark = pytest.mark.tier1
|
||||||
|
|
||||||
|
|
||||||
|
+def open_new_ldapi_conn(dsinstance):
|
||||||
|
+ ldapurl, certdir = get_ldapurl_from_serverid(dsinstance)
|
||||||
|
+ assert 'ldapi://' in ldapurl
|
||||||
|
+ conn = ldap.initialize(ldapurl)
|
||||||
|
+ conn.sasl_interactive_bind_s("", ldap.sasl.external())
|
||||||
|
+ return conn
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@pytest.fixture(scope="module")
|
||||||
|
def _create_entries(request, topo):
|
||||||
|
"""
|
||||||
|
@@ -160,6 +170,28 @@ def test_large_filter(topo, _create_entries, real_value):
|
||||||
|
assert len(Accounts(conn, SUFFIX).filter(real_value)) == 3
|
||||||
|
|
||||||
|
|
||||||
|
+def test_long_filter_value(topo):
|
||||||
|
+ """Exercise large eq filter with dn syntax attributes
|
||||||
|
+
|
||||||
|
+ :id: b069ef72-fcc3-11ee-981c-482ae39447e5
|
||||||
|
+ :setup: Standalone
|
||||||
|
+ :steps:
|
||||||
|
+ 1. Try to pass filter rules as per the condition.
|
||||||
|
+ :expectedresults:
|
||||||
|
+ 1. Pass
|
||||||
|
+ """
|
||||||
|
+ inst = topo.standalone
|
||||||
|
+ conn = open_new_ldapi_conn(inst.serverid)
|
||||||
|
+ inst.config.loglevel(vals=(ErrorLog.DEFAULT,ErrorLog.TRACE,ErrorLog.SEARCH_FILTER))
|
||||||
|
+ filter_value = "a\x1Edmin" * 1025
|
||||||
|
+ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
|
||||||
|
+ filter_value = "aAdmin" * 1025
|
||||||
|
+ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
|
||||||
|
+ filter_value = "*"
|
||||||
|
+ conn.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, f'(cn={filter_value})')
|
||||||
|
+ inst.config.loglevel(vals=(ErrorLog.DEFAULT,))
|
||||||
|
+
|
||||||
|
+
|
||||||
|
if __name__ == '__main__':
|
||||||
|
CURRENT_FILE = os.path.realpath(__file__)
|
||||||
|
pytest.main("-s -v %s" % CURRENT_FILE)
|
||||||
|
diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
|
||||||
|
index 410db23d1..30fa09ebb 100644
|
||||||
|
--- a/ldap/servers/slapd/back-ldbm/index.c
|
||||||
|
+++ b/ldap/servers/slapd/back-ldbm/index.c
|
||||||
|
@@ -71,6 +71,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
|
||||||
|
#define INDEX_BUFFER_FLAG_SERIALIZE 1
|
||||||
|
#define INDEX_BUFFER_FLAG_STATS 2
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * space needed to encode a byte:
|
||||||
|
+ * 0x00-0x31 and 0x7f-0xff requires 3 bytes: \xx
|
||||||
|
+ * 0x22 and 0x5C requires 2 bytes: \" and \\
|
||||||
|
+ * other requires 1 byte: c
|
||||||
|
+ */
|
||||||
|
+static char encode_size[] = {
|
||||||
|
+ /* 0x00 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
|
||||||
|
+ /* 0x10 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
|
||||||
|
+ /* 0x20 */ 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
|
||||||
|
+ /* 0x30 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
|
||||||
|
+ /* 0x40 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
|
||||||
|
+ /* 0x50 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1,
|
||||||
|
+ /* 0x60 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
|
||||||
|
+ /* 0x70 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3,
|
||||||
|
+ /* 0x80 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
|
||||||
|
+ /* 0x90 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
|
||||||
|
+ /* 0xA0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
|
||||||
|
+ /* 0xB0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
|
||||||
|
+ /* 0xC0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
|
||||||
|
+ /* 0xD0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
|
||||||
|
+ /* 0xE0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
|
||||||
|
+ /* 0xF0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/* Index buffering functions */
|
||||||
|
|
||||||
|
static int
|
||||||
|
@@ -799,65 +825,46 @@ index_add_mods(
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Convert a 'struct berval' into a displayable ASCII string
|
||||||
|
+ * returns the printable string
|
||||||
|
*/
|
||||||
|
-
|
||||||
|
-#define SPECIAL(c) (c < 32 || c > 126 || c == '\\' || c == '"')
|
||||||
|
-
|
||||||
|
const char *
|
||||||
|
encode(const struct berval *data, char buf[BUFSIZ])
|
||||||
|
{
|
||||||
|
- char *s;
|
||||||
|
- char *last;
|
||||||
|
- if (data == NULL || data->bv_len == 0)
|
||||||
|
- return "";
|
||||||
|
- last = data->bv_val + data->bv_len - 1;
|
||||||
|
- for (s = data->bv_val; s < last; ++s) {
|
||||||
|
- if (SPECIAL(*s)) {
|
||||||
|
- char *first = data->bv_val;
|
||||||
|
- char *bufNext = buf;
|
||||||
|
- size_t bufSpace = BUFSIZ - 4;
|
||||||
|
- while (1) {
|
||||||
|
- /* printf ("%lu bytes ASCII\n", (unsigned long)(s - first)); */
|
||||||
|
- if (bufSpace < (size_t)(s - first))
|
||||||
|
- s = first + bufSpace - 1;
|
||||||
|
- if (s != first) {
|
||||||
|
- memcpy(bufNext, first, s - first);
|
||||||
|
- bufNext += (s - first);
|
||||||
|
- bufSpace -= (s - first);
|
||||||
|
- }
|
||||||
|
- do {
|
||||||
|
- if (bufSpace) {
|
||||||
|
- *bufNext++ = '\\';
|
||||||
|
- --bufSpace;
|
||||||
|
- }
|
||||||
|
- if (bufSpace < 2) {
|
||||||
|
- memcpy(bufNext, "..", 2);
|
||||||
|
- bufNext += 2;
|
||||||
|
- goto bail;
|
||||||
|
- }
|
||||||
|
- if (*s == '\\' || *s == '"') {
|
||||||
|
- *bufNext++ = *s;
|
||||||
|
- --bufSpace;
|
||||||
|
- } else {
|
||||||
|
- sprintf(bufNext, "%02x", (unsigned)*(unsigned char *)s);
|
||||||
|
- bufNext += 2;
|
||||||
|
- bufSpace -= 2;
|
||||||
|
- }
|
||||||
|
- } while (++s <= last && SPECIAL(*s));
|
||||||
|
- if (s > last)
|
||||||
|
- break;
|
||||||
|
- first = s;
|
||||||
|
- while (!SPECIAL(*s) && s <= last)
|
||||||
|
- ++s;
|
||||||
|
- }
|
||||||
|
- bail:
|
||||||
|
- *bufNext = '\0';
|
||||||
|
- /* printf ("%lu chars in buffer\n", (unsigned long)(bufNext - buf)); */
|
||||||
|
+ if (!data || !data->bv_val) {
|
||||||
|
+ strcpy(buf, "<NULL>");
|
||||||
|
+ return buf;
|
||||||
|
+ }
|
||||||
|
+ char *endbuff = &buf[BUFSIZ-4]; /* Reserve space to append "...\0" */
|
||||||
|
+ char *ptout = buf;
|
||||||
|
+ unsigned char *ptin = (unsigned char*) data->bv_val;
|
||||||
|
+ unsigned char *endptin = ptin+data->bv_len;
|
||||||
|
+
|
||||||
|
+ while (ptin < endptin) {
|
||||||
|
+ if (ptout >= endbuff) {
|
||||||
|
+ /*
|
||||||
|
+ * BUFSIZ(8K) > SLAPI_LOG_BUFSIZ(2K) so the error log message will be
|
||||||
|
+ * truncated anyway. So there is no real interrest to test if the original
|
||||||
|
+ * data contains no special characters and return it as is.
|
||||||
|
+ */
|
||||||
|
+ strcpy(endbuff, "...");
|
||||||
|
return buf;
|
||||||
|
}
|
||||||
|
+ switch (encode_size[*ptin]) {
|
||||||
|
+ case 1:
|
||||||
|
+ *ptout++ = *ptin++;
|
||||||
|
+ break;
|
||||||
|
+ case 2:
|
||||||
|
+ *ptout++ = '\\';
|
||||||
|
+ *ptout++ = *ptin++;
|
||||||
|
+ break;
|
||||||
|
+ case 3:
|
||||||
|
+ sprintf(ptout, "\\%02x", *ptin++);
|
||||||
|
+ ptout += 3;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
- /* printf ("%lu bytes, all ASCII\n", (unsigned long)(s - data->bv_val)); */
|
||||||
|
- return data->bv_val;
|
||||||
|
+ *ptout = 0;
|
||||||
|
+ return buf;
|
||||||
|
}
|
||||||
|
|
||||||
|
static const char *
|
||||||
|
--
|
||||||
|
2.45.0
|
||||||
|
|
@ -0,0 +1,143 @@
|
|||||||
|
From 6e5f03d5872129963106024f53765234a282406c Mon Sep 17 00:00:00 2001
|
||||||
|
From: James Chapman <jachapma@redhat.com>
|
||||||
|
Date: Fri, 16 Feb 2024 11:13:16 +0000
|
||||||
|
Subject: [PATCH] Issue 6096 - Improve connection timeout error logging (#6097)
|
||||||
|
|
||||||
|
Bug description: When a paged result search is run with a time limit,
|
||||||
|
if the time limit is exceed the server closes the connection with
|
||||||
|
closed IO timeout (nsslapd-ioblocktimeout) - T2. This error message
|
||||||
|
is incorrect as the reason the connection has been closed was because
|
||||||
|
the specified time limit on a paged result search has been exceeded.
|
||||||
|
|
||||||
|
Fix description: Correct error message
|
||||||
|
|
||||||
|
Relates: https://github.com/389ds/389-ds-base/issues/6096
|
||||||
|
|
||||||
|
Reviewed by: @tbordaz (Thank you)
|
||||||
|
---
|
||||||
|
ldap/admin/src/logconv.pl | 24 ++++++++++++++++++-
|
||||||
|
ldap/servers/slapd/daemon.c | 4 ++--
|
||||||
|
ldap/servers/slapd/disconnect_error_strings.h | 1 +
|
||||||
|
ldap/servers/slapd/disconnect_errors.h | 2 +-
|
||||||
|
4 files changed, 27 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
|
||||||
|
index 7698c383a..2a933c4a3 100755
|
||||||
|
--- a/ldap/admin/src/logconv.pl
|
||||||
|
+++ b/ldap/admin/src/logconv.pl
|
||||||
|
@@ -267,7 +267,7 @@ my $optimeAvg = 0;
|
||||||
|
my %cipher = ();
|
||||||
|
my @removefiles = ();
|
||||||
|
|
||||||
|
-my @conncodes = qw(A1 B1 B4 T1 T2 B2 B3 R1 P1 P2 U1);
|
||||||
|
+my @conncodes = qw(A1 B1 B4 T1 T2 T3 B2 B3 R1 P1 P2 U1);
|
||||||
|
my %conn = ();
|
||||||
|
map {$conn{$_} = $_} @conncodes;
|
||||||
|
|
||||||
|
@@ -355,6 +355,7 @@ $connmsg{"B1"} = "Bad Ber Tag Encountered";
|
||||||
|
$connmsg{"B4"} = "Server failed to flush data (response) back to Client";
|
||||||
|
$connmsg{"T1"} = "Idle Timeout Exceeded";
|
||||||
|
$connmsg{"T2"} = "IO Block Timeout Exceeded or NTSSL Timeout";
|
||||||
|
+$connmsg{"T3"} = "Paged Search Time Limit Exceeded";
|
||||||
|
$connmsg{"B2"} = "Ber Too Big";
|
||||||
|
$connmsg{"B3"} = "Ber Peek";
|
||||||
|
$connmsg{"R1"} = "Revents";
|
||||||
|
@@ -1723,6 +1724,10 @@ if ($usage =~ /j/i || $verb eq "yes"){
|
||||||
|
print "\n $recCount. You have some coonections that are being closed by the ioblocktimeout setting. You may want to increase the ioblocktimeout.\n";
|
||||||
|
$recCount++;
|
||||||
|
}
|
||||||
|
+ if (defined($conncount->{"T3"}) and $conncount->{"T3"} > 0){
|
||||||
|
+ print "\n $recCount. You have some connections that are being closed because a paged result search limit has been exceeded. You may want to increase the search time limit.\n";
|
||||||
|
+ $recCount++;
|
||||||
|
+ }
|
||||||
|
# compare binds to unbinds, if the difference is more than 30% of the binds, then report a issue
|
||||||
|
if (($bindCount - $unbindCount) > ($bindCount*.3)){
|
||||||
|
print "\n $recCount. You have a significant difference between binds and unbinds. You may want to investigate this difference.\n";
|
||||||
|
@@ -2366,6 +2371,7 @@ sub parseLineNormal
|
||||||
|
$brokenPipeCount++;
|
||||||
|
if (m/- T1/){ $hashes->{rc}->{"T1"}++; }
|
||||||
|
elsif (m/- T2/){ $hashes->{rc}->{"T2"}++; }
|
||||||
|
+ elsif (m/- T3/){ $hashes->{rc}->{"T3"}++; }
|
||||||
|
elsif (m/- A1/){ $hashes->{rc}->{"A1"}++; }
|
||||||
|
elsif (m/- B1/){ $hashes->{rc}->{"B1"}++; }
|
||||||
|
elsif (m/- B4/){ $hashes->{rc}->{"B4"}++; }
|
||||||
|
@@ -2381,6 +2387,7 @@ sub parseLineNormal
|
||||||
|
$connResetByPeerCount++;
|
||||||
|
if (m/- T1/){ $hashes->{src}->{"T1"}++; }
|
||||||
|
elsif (m/- T2/){ $hashes->{src}->{"T2"}++; }
|
||||||
|
+ elsif (m/- T3/){ $hashes->{src}->{"T3"}++; }
|
||||||
|
elsif (m/- A1/){ $hashes->{src}->{"A1"}++; }
|
||||||
|
elsif (m/- B1/){ $hashes->{src}->{"B1"}++; }
|
||||||
|
elsif (m/- B4/){ $hashes->{src}->{"B4"}++; }
|
||||||
|
@@ -2396,6 +2403,7 @@ sub parseLineNormal
|
||||||
|
$resourceUnavailCount++;
|
||||||
|
if (m/- T1/){ $hashes->{rsrc}->{"T1"}++; }
|
||||||
|
elsif (m/- T2/){ $hashes->{rsrc}->{"T2"}++; }
|
||||||
|
+ elsif (m/- T3/){ $hashes->{rsrc}->{"T3"}++; }
|
||||||
|
elsif (m/- A1/){ $hashes->{rsrc}->{"A1"}++; }
|
||||||
|
elsif (m/- B1/){ $hashes->{rsrc}->{"B1"}++; }
|
||||||
|
elsif (m/- B4/){ $hashes->{rsrc}->{"B4"}++; }
|
||||||
|
@@ -2494,6 +2502,20 @@ sub parseLineNormal
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ if (m/- T3/){
|
||||||
|
+ if ($_ =~ /conn= *([0-9A-Z]+)/i) {
|
||||||
|
+ $exc = "no";
|
||||||
|
+ $ip = getIPfromConn($1, $serverRestartCount);
|
||||||
|
+ for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){
|
||||||
|
+ if ($ip eq $excludeIP[$xxx]){$exc = "yes";}
|
||||||
|
+ }
|
||||||
|
+ if ($exc ne "yes"){
|
||||||
|
+ $hashes->{T3}->{$ip}++;
|
||||||
|
+ $hashes->{conncount}->{"T3"}++;
|
||||||
|
+ $connCodeCount++;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
if (m/- B2/){
|
||||||
|
if ($_ =~ /conn= *([0-9A-Z]+)/i) {
|
||||||
|
$exc = "no";
|
||||||
|
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
|
||||||
|
index 5a48aa66f..bb80dae36 100644
|
||||||
|
--- a/ldap/servers/slapd/daemon.c
|
||||||
|
+++ b/ldap/servers/slapd/daemon.c
|
||||||
|
@@ -1599,9 +1599,9 @@ setup_pr_read_pds(Connection_Table *ct)
|
||||||
|
int add_fd = 1;
|
||||||
|
/* check timeout for PAGED RESULTS */
|
||||||
|
if (pagedresults_is_timedout_nolock(c)) {
|
||||||
|
- /* Exceeded the timelimit; disconnect the client */
|
||||||
|
+ /* Exceeded the paged search timelimit; disconnect the client */
|
||||||
|
disconnect_server_nomutex(c, c->c_connid, -1,
|
||||||
|
- SLAPD_DISCONNECT_IO_TIMEOUT,
|
||||||
|
+ SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT,
|
||||||
|
0);
|
||||||
|
connection_table_move_connection_out_of_active_list(ct,
|
||||||
|
c);
|
||||||
|
diff --git a/ldap/servers/slapd/disconnect_error_strings.h b/ldap/servers/slapd/disconnect_error_strings.h
|
||||||
|
index f7a31d728..c2d9e283b 100644
|
||||||
|
--- a/ldap/servers/slapd/disconnect_error_strings.h
|
||||||
|
+++ b/ldap/servers/slapd/disconnect_error_strings.h
|
||||||
|
@@ -27,6 +27,7 @@ ER2(SLAPD_DISCONNECT_BER_FLUSH, "B4")
|
||||||
|
ER2(SLAPD_DISCONNECT_IDLE_TIMEOUT, "T1")
|
||||||
|
ER2(SLAPD_DISCONNECT_REVENTS, "R1")
|
||||||
|
ER2(SLAPD_DISCONNECT_IO_TIMEOUT, "T2")
|
||||||
|
+ER2(SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT, "T3")
|
||||||
|
ER2(SLAPD_DISCONNECT_PLUGIN, "P1")
|
||||||
|
ER2(SLAPD_DISCONNECT_UNBIND, "U1")
|
||||||
|
ER2(SLAPD_DISCONNECT_POLL, "P2")
|
||||||
|
diff --git a/ldap/servers/slapd/disconnect_errors.h b/ldap/servers/slapd/disconnect_errors.h
|
||||||
|
index a0484f1c2..e118f674c 100644
|
||||||
|
--- a/ldap/servers/slapd/disconnect_errors.h
|
||||||
|
+++ b/ldap/servers/slapd/disconnect_errors.h
|
||||||
|
@@ -35,6 +35,6 @@
|
||||||
|
#define SLAPD_DISCONNECT_SASL_FAIL SLAPD_DISCONNECT_ERROR_BASE + 12
|
||||||
|
#define SLAPD_DISCONNECT_PROXY_INVALID_HEADER SLAPD_DISCONNECT_ERROR_BASE + 13
|
||||||
|
#define SLAPD_DISCONNECT_PROXY_UNKNOWN SLAPD_DISCONNECT_ERROR_BASE + 14
|
||||||
|
-
|
||||||
|
+#define SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT SLAPD_DISCONNECT_ERROR_BASE + 15
|
||||||
|
|
||||||
|
#endif /* __DISCONNECT_ERRORS_H_ */
|
||||||
|
--
|
||||||
|
2.45.0
|
||||||
|
|
@ -0,0 +1,44 @@
|
|||||||
|
From a112394af3a20787755029804684d57a9c3ffa9a Mon Sep 17 00:00:00 2001
|
||||||
|
From: James Chapman <jachapma@redhat.com>
|
||||||
|
Date: Wed, 21 Feb 2024 12:43:03 +0000
|
||||||
|
Subject: [PATCH] Issue 6103 - New connection timeout error breaks errormap
|
||||||
|
(#6104)
|
||||||
|
|
||||||
|
Bug description: A recent addition to the connection disconnect error
|
||||||
|
messaging, conflicts with how errormap.c maps error codes/strings.
|
||||||
|
|
||||||
|
Fix description: errormap expects error codes/strings to be in ascending
|
||||||
|
order. Moved the new error code to the bottom of the list.
|
||||||
|
|
||||||
|
Relates: https://github.com/389ds/389-ds-base/issues/6103
|
||||||
|
|
||||||
|
Reviewed by: @droideck. @progier389 (Thank you)
|
||||||
|
---
|
||||||
|
ldap/servers/slapd/disconnect_error_strings.h | 5 +++--
|
||||||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ldap/servers/slapd/disconnect_error_strings.h b/ldap/servers/slapd/disconnect_error_strings.h
|
||||||
|
index c2d9e283b..f603a08ce 100644
|
||||||
|
--- a/ldap/servers/slapd/disconnect_error_strings.h
|
||||||
|
+++ b/ldap/servers/slapd/disconnect_error_strings.h
|
||||||
|
@@ -14,7 +14,8 @@
|
||||||
|
/* disconnect_error_strings.h
|
||||||
|
*
|
||||||
|
* Strings describing the errors used in logging the reason a connection
|
||||||
|
- * was closed.
|
||||||
|
+ * was closed. Ensure definitions are in the same order as the error codes
|
||||||
|
+ * defined in disconnect_errors.h
|
||||||
|
*/
|
||||||
|
#ifndef __DISCONNECT_ERROR_STRINGS_H_
|
||||||
|
#define __DISCONNECT_ERROR_STRINGS_H_
|
||||||
|
@@ -35,6 +36,6 @@ ER2(SLAPD_DISCONNECT_NTSSL_TIMEOUT, "T2")
|
||||||
|
ER2(SLAPD_DISCONNECT_SASL_FAIL, "S1")
|
||||||
|
ER2(SLAPD_DISCONNECT_PROXY_INVALID_HEADER, "P3")
|
||||||
|
ER2(SLAPD_DISCONNECT_PROXY_UNKNOWN, "P4")
|
||||||
|
-
|
||||||
|
+ER2(SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT, "T3")
|
||||||
|
|
||||||
|
#endif /* __DISCONNECT_ERROR_STRINGS_H_ */
|
||||||
|
--
|
||||||
|
2.45.0
|
||||||
|
|
@ -0,0 +1,30 @@
|
|||||||
|
From edd9abc8901604dde1d739d87ca2906734d53dd3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Viktor Ashirov <vashirov@redhat.com>
|
||||||
|
Date: Thu, 13 Jun 2024 13:35:09 +0200
|
||||||
|
Subject: [PATCH] Issue 6103 - New connection timeout error breaks errormap
|
||||||
|
|
||||||
|
Description:
|
||||||
|
Remove duplicate SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT error code.
|
||||||
|
|
||||||
|
Fixes: https://github.com/389ds/389-ds-base/issues/6103
|
||||||
|
|
||||||
|
Reviewed by: @tbordaz (Thanks!)
|
||||||
|
---
|
||||||
|
ldap/servers/slapd/disconnect_error_strings.h | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ldap/servers/slapd/disconnect_error_strings.h b/ldap/servers/slapd/disconnect_error_strings.h
|
||||||
|
index f603a08ce..d49cc79a2 100644
|
||||||
|
--- a/ldap/servers/slapd/disconnect_error_strings.h
|
||||||
|
+++ b/ldap/servers/slapd/disconnect_error_strings.h
|
||||||
|
@@ -28,7 +28,6 @@ ER2(SLAPD_DISCONNECT_BER_FLUSH, "B4")
|
||||||
|
ER2(SLAPD_DISCONNECT_IDLE_TIMEOUT, "T1")
|
||||||
|
ER2(SLAPD_DISCONNECT_REVENTS, "R1")
|
||||||
|
ER2(SLAPD_DISCONNECT_IO_TIMEOUT, "T2")
|
||||||
|
-ER2(SLAPD_DISCONNECT_PAGED_SEARCH_LIMIT, "T3")
|
||||||
|
ER2(SLAPD_DISCONNECT_PLUGIN, "P1")
|
||||||
|
ER2(SLAPD_DISCONNECT_UNBIND, "U1")
|
||||||
|
ER2(SLAPD_DISCONNECT_POLL, "P2")
|
||||||
|
--
|
||||||
|
2.45.0
|
||||||
|
|
Loading…
Reference in new issue