Compare commits

..

No commits in common. 'c9' and 'cs10' have entirely different histories.
c9 ... cs10

2
.gitignore vendored

@ -1 +1 @@
SOURCES/slapi-nis-0.60.0.tar.gz
SOURCES/slapi-nis-0.70.0.tar.gz

@ -1 +1 @@
e5a84cf93b13b174c6d865de2f735cbfbc950917 SOURCES/slapi-nis-0.60.0.tar.gz
fb4a45def0dd72ad0e78cc566f62d714daa00f30 SOURCES/slapi-nis-0.70.0.tar.gz

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmMAimgACgkQRxniuKu/
YhorRw/8D0typYdDLGlalL7nMo57rjSApgy6gA4FKxMsNg/KiN1/7rMoCbu13iG0
sP6wpeZLjBNI/nWGYLRuQOyi7DSxgXYlNp+8xzJDMKjnNjRSaK+/EjqIcWhdWoEq
Q1JDjTdJ3hDCWCMQFrA/EBqb/WgQAhdmPdVzMoy6L2GBvX7W+UlCWaSMfpq5hnqg
9SZe4NpC7i6BVhHrnWUMsQRcApnjdHlC8tQmzqdD0+iNer0asXmJcQGCI9W7EwAs
MT4be/C2hfLfWgBdaMCZGgefGFYGI1ec+hfM9jyGsJcBsRXQ8Rq+VOLEI7lkD+wc
nQwq1VVVcAwFkbziQ5JBZqOKdem8lo9Mucn/sQ297EIfIi8NVhlDDZFtkgsYAglT
gaEeK4+d0QNz2+ViwJxGp2l0mG2inV8GjiyINpntbw8dh+qwI8xLI6/6B7R6wP30
Kj/90EehX0vFXX2ylrkrvg3d7UGp6PBgsiqeaJT5bL2ItVKJl8FyD0N9JsEL766/
SKqNHGZjEJv1rzPf2MMqutLHe1aSyTBjq4JBYPJKHAXPdvZluyALLM94erZqA/tJ
17PCLAf3P+OvixcnyzsUTP9U7SNlLPiMqwyvUB26ul0+CqEqKzZxiTOfpbKQ8p/j
3QpkrKLn0JbofZN1K7H6x/Mdwe5scdeTP0T8YPJm+ofZq+fBdnI=
=ZUV6
-----END PGP SIGNATURE-----

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhD/TWKTBHgTUwD3S5vWnKGOylwYFAmbAmNkACgkQ5vWnKGOy
lwaVDw//ZD4+V8M+TdW6OndHbELKKTCrciJjOwd1PloiSF0ESWm27Ov3EMSC+Tfg
3aFkgiNqpJ4HdCcS3fHYpKXe1wGPvrGoh4J3u87Mc4ryB75/S4Svrmdcjpe+4XFa
d7/0jpT9dIOlDHufqu0wjTOx3WX/vgB2DlUWN1qHsuAeQJxfvoXx3sB0ByCKuXpy
yQX94MUFgtLX5AKi1qkgCJlXOwyjD+WodI82ChDJjnPIZhCGIuY1wpBMpJASLApI
81/Q6a8+obhseG7cdL1Z7sW59kf3ytu+eFSEBdUqUFnmAl5MX8nsdYaAKRRyz2Wr
i7yCCVMgeZNPOe+YszsO5cL2DONUmb4CiT61YF7O6ioWeDsNv7EieNjx1MGSnC83
FxTmMOmDugovxTY2De9Eu+4EyavAOLlnD8GhwPmYHOxkGorQXT74ERl50nfQih2r
AEH3ZZp72A1S9Nn4Rgg9naHXlcBdKv0IGmxTPjJDe7BEona3RxGVx12arCIveTHM
cU1lr/uzEaO4lFUKu39JhH6fzLioOQdd1/o0Uh4NeR01VMwG/HdlXkJWijzlATBF
l3tMLL3GuMt+6QBDWH+edBoujEFQheps58OjWgTN0UJypFkkzv2iaTkGiPzdOYAL
CkjfVymkFdSd/CXYUIh6T927YlibMThWAeCkWG2oTNUHT8FVso0=
=HKv1
-----END PGP SIGNATURE-----

@ -1,102 +0,0 @@
From ee94788e63d9f35daca7c0d1e80a488f738a9c52 Mon Sep 17 00:00:00 2001
From: Thierry Bordaz <tbordaz@redhat.com>
Date: Fri, 1 Sep 2023 11:02:08 +0200
Subject: [PATCH 1/2] BZ 2124214 - schema compat plugin deadlock on delete post
op
Bug description:
backends locks (SC map and retroCL) are acquired in
the opposite order
(https://bugzilla.redhat.com/show_bug.cgi?id=2124214#c17)
Fix description:
Credits of the fix are to Pierre Rogier who found
a reproducible testcase, did the fix and verified it.
In specific condition of retroCL trimming the DEL
callback of the SC should check if the backend should
be ignored
relates: 2124214
---
src/back-shr.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/back-shr.c b/src/back-shr.c
index ce2b1f3..1792bef 100644
--- a/src/back-shr.c
+++ b/src/back-shr.c
@@ -2811,6 +2811,18 @@ backend_shr_delete_cb(Slapi_PBlock *pb)
if (wrap_get_call_level() > 0) {
return 0;
}
+ /* especially important to test if we want to prevent frequent
+ * deadlocks when backends are accesses in opposite order.
+ * i.e. "regular" update on domain map+retroCL and retroCL trimming
+ * retroCL+domain map
+ */
+ if (backend_shr_write_ignore(pb)) {
+#if DEBUG_MAP_LOCK
+ slapi_log_error(SLAPI_LOG_FATAL, "schema-compat",
+ "backend_shr_delete_cb: (%p) operation is not impacting schema compat\n", PR_MyThreadId(), 1);
+#endif
+ return 0;
+ }
/* Read parameters from the pblock. */
slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &cbdata.state);
--
2.41.0
From 61fcf534c3da767788e27641f3ebfe4d6a6c0b25 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 9 Oct 2023 13:53:28 +0300
Subject: [PATCH 2/2] Add more ignores to modrdn and modify cases
BZ 2124214 - schema compat plugin deadlock on delete post op
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/back-shr.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/back-shr.c b/src/back-shr.c
index 1792bef..4cbc39b 100644
--- a/src/back-shr.c
+++ b/src/back-shr.c
@@ -2463,6 +2463,15 @@ backend_shr_modify_cb(Slapi_PBlock *pb)
/* No data yet, ignore */
return 0;
}
+
+ if (backend_shr_write_ignore(pb)) {
+#if DEBUG_MAP_LOCK
+ slapi_log_error(SLAPI_LOG_FATAL, "schema-compat",
+ "backend_shr_modify_cb: (%p) operation is not impacting schema compat\n", PR_MyThreadId(), 1);
+#endif
+ return 0;
+ }
+
slapi_pblock_get(pb, SLAPI_MODIFY_TARGET, &dn);
slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &cbdata.mods);
slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &cbdata.e_pre);
@@ -2669,6 +2678,15 @@ backend_shr_modrdn_cb(Slapi_PBlock *pb)
/* No data yet, ignore */
return 0;
}
+
+ if (backend_shr_write_ignore(pb)) {
+#if DEBUG_MAP_LOCK
+ slapi_log_error(SLAPI_LOG_FATAL, "schema-compat",
+ "backend_shr_modrdn_cb: (%p) operation is not impacting schema compat\n", PR_MyThreadId(), 1);
+#endif
+ return 0;
+ }
+
slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &cbdata.e_pre);
slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &cbdata.e_post);
--
2.41.0

@ -1,78 +0,0 @@
From 24eeccd408d9627299231d7843ca9e65e71af3de Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 21 Mar 2023 17:32:47 +0200
Subject: [PATCH 1/2] Test the case when container is a child of the target DN
We can have target DN both inside or outside of a container.
Previously, the code did not look into the latter one. When container is
a child of the target DN (like using IPA's base DN instead of
cn=compat,$BASE_DN) and a search was done with a subtree scope, the
check failed.
With this change a subtree scope search which starts with a base DN
that includes a compat tree's container would be considered for the
search.
Fixes: rhbz#2168893
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/back-sch.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/back-sch.c b/src/back-sch.c
index 93746b1..e447bda 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -1340,11 +1340,12 @@ backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_
if (slapi_sdn_scope_test(cbdata->target_dn,
set_data->container_sdn,
- cbdata->scope) == 1) {
+ cbdata->scope) != 0) {
cbdata->answer = TRUE;
- }
-
- if (slapi_sdn_issuffix(cbdata->target_dn, set_data->container_sdn) == 1) {
+ } else if ((cbdata->scope == LDAP_SCOPE_SUBTREE) &&
+ slapi_sdn_scope_test(set_data->container_sdn,
+ cbdata->target_dn,
+ cbdata->scope) != 0) {
cbdata->answer = TRUE;
}
--
2.40.0
From 73058645eac86b40913deec01807854e0a8bda0d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 24 Apr 2023 12:19:10 +0300
Subject: [PATCH 2/2] Identify the container without search base check
Ignore the actual search base when identifying whether a target DN is
within a known data container. The reason is that we need to know
whether a search would have to descent into a particular container. The
scope validation will happen later.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/back-sch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/back-sch.c b/src/back-sch.c
index e447bda..a79f61b 100644
--- a/src/back-sch.c
+++ b/src/back-sch.c
@@ -1340,7 +1340,7 @@ backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_
if (slapi_sdn_scope_test(cbdata->target_dn,
set_data->container_sdn,
- cbdata->scope) != 0) {
+ LDAP_SCOPE_SUBTREE) != 0) {
cbdata->answer = TRUE;
} else if ((cbdata->scope == LDAP_SCOPE_SUBTREE) &&
slapi_sdn_scope_test(set_data->container_sdn,
--
2.40.0

@ -0,0 +1,38 @@
From 6f325b0370d64335dbe58c0f23fa12d0ee91a6cc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 27 Aug 2024 10:55:25 +0300
Subject: [PATCH] Do not use PR_SecondsToInterval in slapi_eq_once_rel
Relative time can be specified directly in seconds
Fixes: https://pagure.io/slapi-nis/issue/54
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
src/back-shr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/back-shr.c b/src/back-shr.c
index a29f4f9..95c5c8a 100644
--- a/src/back-shr.c
+++ b/src/back-shr.c
@@ -916,7 +916,7 @@ backend_shr_refresh_thread(void *arg)
/* Schedule the initialization of the maps */
slapi_eq_once_rel(backend_shr_data_initialize_thread, cbdata,
- slapi_current_rel_time_t() + PR_SecondsToInterval(1));
+ slapi_current_rel_time_t() + 1);
PR_Sleep(PR_SecondsToInterval(1));
/* Then wait for its completion */
@@ -975,7 +975,7 @@ backend_shr_startup(struct plugin_state *state,
* but make sure it is called a first thing when event loop is created */
slapi_eq_once_rel(backend_shr_data_initialize_thread, cbdata,
slapi_current_rel_time_t() +
- PR_SecondsToInterval(PLUGIN_SCAN_DELAY));
+ PLUGIN_SCAN_DELAY);
slapi_log_error(SLAPI_LOG_FATAL,
cbdata->state->plugin_desc->spd_id,
--
2.45.2

@ -1,3 +1,5 @@
%bcond_with nis
%if 0%{?fedora} >= 14 || 0%{?rhel} >= 6
%define ldap_impl openldap
%else
@ -10,15 +12,14 @@
%endif
Name: slapi-nis
Version: 0.60.0
Release: 5%{?dist}
Summary: NIS Server and Schema Compatibility plugins for Directory Server
License: GPLv3
Version: 0.70.0
Release: 3%{?dist}
Summary: Schema Compatibility plugin for Directory Server
License: GPL-3.0-or-later
URL: http://pagure.io/slapi-nis/
Source0: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
Source1: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
Patch0: slapi-nis-bz2183950.patch
Patch1: slapi-nis-RHEL-5134.patch
Patch0: slapi-nis-eq_once_rel.patch
BuildRequires: make
BuildRequires: autoconf
@ -33,11 +34,13 @@ BuildRequires: libsss_nss_idmap-devel > 1.16.0-5
%define sss_nss_opts %{nil}
%endif
BuildRequires: pam-devel
%if %{with nis}
%if (0%{?fedora} > 14 && 0%{?fedora} < 28) || (0%{?rhel} > 6 && 0%{?rhel} < 8)
BuildRequires: libtirpc-devel
%else
BuildRequires: libnsl2-devel
%endif
%endif
%if 0%{?fedora} > 27 || 0%{?rhel} >= 9
ExcludeArch: %{ix86}
%endif
@ -58,13 +61,18 @@ for attributes from multiple entries in the tree.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch -p1 -P0
%build
autoconf --force
%if %{with nis}
WITH_NIS=--enable-nis=yes
%else
WITH_NIS=--disable-nis
%endif
%configure --disable-static --with-ldap=%{ldap_impl} \
--with-nsswitch --with-pam --with-pam-service=system-auth \
$WITH_NIS \
%{sss_nss_opts} %{betxn_opts}
sed -i -e 's,%{_libdir}/dirsrv/plugins/,,g' -e 's,.so$,,g' doc/examples/*.ldif
make %{?_smp_mflags}
@ -81,59 +89,87 @@ make check
%endif
%files
%doc COPYING NEWS README STATUS doc/*.txt doc/examples/*.ldif doc/ipa
%doc COPYING NEWS README STATUS doc/sch-*.txt doc/examples/sch-*.ldif doc/ipa
%if %{with nis}
%doc doc/nis-*.txt doc/examples/nis-*.ldif
%{_mandir}/man1/*
%{_libdir}/dirsrv/plugins/*.so
%{_sbindir}/nisserver-plugin-defs
%endif
%{_libdir}/dirsrv/plugins/*.so
%triggerin -- 389-ds-base
instances=$(/usr/sbin/dsctl -l)
for inst in $instances ; do
grep -q "cn=NIS server,cn=plugins" /etc/dirsrv/${inst}/dse.ldif
if test $? -eq 0 ; then
/usr/bin/ldapdelete -Y EXTERNAL -H ldapi://%2fvar%2frun%2f${inst}.socket -r "cn=NIS Server,cn=plugins,cn=config" 2>/dev/null
result=$?
if test $result -eq 255 ; then
echo "Cannot remove NIS server plugin from LDAP server ${inst} instance. Server will fail to start until it is removed."
echo "Remove 'cn=NIS Server,cn=plugins,cn=config' entry from /etc/dirsrv/${inst}/dse.ldif"
fi
if test $result -eq 0 ; then
/usr/sbin/dsctl "$inst" restart
fi
fi
done
%changelog
* Tue Oct 10 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-5
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.70.0-3
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Tue Aug 27 2024 Alexander Bokovoy <abokovoy@redhat.com> - 0.70.0-2
- Fix regression in data initialization
- Resolves: RHEL-56042
* Wed Aug 21 2024 Alexander Bokovoy <abokovoy@redhat.com> - 0.70.0-1
- Upstream release 0.70.0: make NIS server optional
- Disable NIS server support
- Resolves: RHEL-34186
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.60.0-6
- Bump release for June 2024 mass rebuild
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.60.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Nov 07 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-4
- Ignore updates from non-tracked subtrees during modify/modrdn/update
to avoid deadlocks with retro changelog
- Resolves: RHEL-11983
* Mon Apr 24 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-4
- Also handle base searches within the compat tree
- Related: rhbz#2183950
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.60.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Apr 12 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-3
- Fix base DN searches outside the compat tree
- Resolves: rhbz#2183950
* Sun Aug 21 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-2
- Rebuild to fix changelog
- Related: rhbz#2117299
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.60.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Aug 20 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-1
- upstream release 0.60.0
- new upstream release
- Change license from GPLv2 to GPLv3+ to follow 389-ds licensing
- Fix ID views integration
- Fix base scope lookups
- Bump NIS max dgram size to 8KB by default instead of 1KB
- Resolves: rhbz#2117299
Allow to rebuild the compat tree
* Fri Jan 21 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-4
- Rebuild against libnsl 2.0.0
- Related: rhbz#2039220
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.7-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Feb 01 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-5
- Resolves: rhbz#2032691
- Rebuild against newer OpenLDAP version
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.56.7-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.7-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Jul 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-2
- Resolves: rhbz#1979619
IPA: High CPU utilization (over 1000% plus) by ns-slapd process
- Resolves: rhbz#1979623
With base object scope, ldapsearch against compat tree does not return any data on Rhel8 IPA servers.
* Fri Nov 12 2021 Björn Esser <besser82@fedoraproject.org> - 0.56.7-3
- Rebuild(libnsl2)
* Wed May 19 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-1
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue May 18 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-1
- CVE-2021-3480: invalid bind DN crash
- New upstream release
- Resolves: rhbz#1947351
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.56.6-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

Loading…
Cancel
Save