8.154. 389-ds-base
Updated 389-ds-base packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.
Bug Fixes
- BZ#830334
- Due to an incorrect interpretation of the error code, the Directory Server considered an invalid chaining configuration setting as the disk full error and terminated unexpectedly. Now, a more appropriate error code is used and the server no longer shuts down when invalid chaining configuration settings are specified.
- BZ#905825
- After the upgrade from Red Hat Enterprise Linux 6.3 to version 6.4, the upgrade script did not update the schema file for the PamConfig object class. Consequently, new PAM (Pluggable Authentication Module) features, such as configuration of multiple instances and the pamFilter attribute, could not be used because of the schema violation. With this update, the upgrade script updates the schema file for the PamConfig object class as expected. As a result, the new features now function properly.
- BZ#906005
- Previously, the valgrind test suite reported recurring memory leaks in the modify_update_last_modified_attr() function. The size of these leaks averaged between 60 and 80 bytes per modify call, which could cause problems in environments with frequent modify operations. With this update, memory leaks no longer occur in the modify_update_last_modified_attr() function.
- BZ#906583
- Under certain circumstances, the Directory Server (DS) was not able to replace multi-valued attributes with new values that differed from the old ones only in letter case. Consequently, a code 20 (attributeOrValueExists) error message was displayed: "Type or value exists". With this update, DS has been modified to correctly process such modification requests, and the letter case of attribute values can now be changed without complications.
- BZ#907985
- Under certain circumstances, the DNA (Distributed Numeric Assignment) plug-in logged messages with the DB_LOCK_DEADLOCK error code when attempting to create an entry with a uidNumber attribute. This bug has been fixed, DNA now handles this case properly, and errors are no longer logged in the aforementioned scenario.
- BZ#908861
- The Posix Winsync plug-in was unnecessarily calling the internal modify() function. This internal modify() call failed and logged the following message: "slapi_modify_internal_set_pb: NULL parameter". With this update, Posix Winsync has been fixed and no longer calls modify(). As a result, the aforementioned message is no longer logged.
- BZ#910581
- Under certain circumstances, the /etc/dirsrv/slapd-<instance>/dse.ldif file was written with 0 bytes after a server termination or when the system was powered off. Consequently, after the system restart, the DS or IdM system sometimes did not start, leading to production server outages. The mechanism by which the server writes dse.ldif has been modified, and server outages no longer occur in the described case.
- BZ#913215
- Prior to this update, while trying to remove a tombstone entry, the ns-slapd daemon terminated unexpectedly with a segmentation fault. This bug has been fixed, and removal of tombstone entries no longer causes ns-slapd to crash.
- BZ#921937
- Previously, the schema-reload plug-in was not thread-safe. Consequently, executing the schema-reload.pl script under a heavy load could have caused the ns-slapd process to terminate unexpectedly with a segmentation fault. With this update, schema-reload has been modified to be thread-safe, and schema-reload.pl can now be executed along with other LDAP operations without complications.
- BZ#923407
- Due to incorrect lock timing in the DNA (Distributed Numeric Assignment) plug-in, a deadlock occurred when a DNA operation was executed along with other plug-ins. This update moves the release timing of the problematic lock, and DNA no longer causes the deadlock in the aforementioned scenario.
- BZ#923502
- Under certain circumstances, an out-of-scope local variable caused the modrdn operation to terminate unexpectedly with a segmentation fault. This update modifies the declaration of the local variable so that it does not go out of scope. As a result, modrdn operations no longer crash.
- BZ#923503
- Previously, the cleanallruv task with the replica-force-cleaning option enabled did not remove all configuration attributes. Consequently, the task was initiated each time the server was restarted. With this update, the cleanallruv search mechanism has been modified, and cleanallruv no longer restarts when the server is restarted.
- BZ#923504
- Due to a bug in the Acl plug-in, a getEffectiveRights request on a non-existing entry could have caused a NULL pointer dereference. Consequently, the server terminated unexpectedly with a segmentation fault. With this update, Acl has been modified to check for NULL entry pointers. As a result, the server no longer crashes, and an appropriate error message is now displayed when a getEffectiveRights request is made on a non-existing entry.
- BZ#923909
- Due to an insufficient size of the default sasl_io buffer, SASL connections could have been refused by the server. With this update, the buffer size has been increased to 65,536 bytes. Moreover, users can increase this value with the nsslapd-sasl-max-buffer-size setting. As a result, SASL connections are now accepted without complications.
- BZ#947583
- Previously, the code responsible for replication conflict resolution in the 389-ds-base package did not work correctly in several cases, such as conflict DN generation, retrieving deleted parent entry, and examining the scope of a deleted entry. Consequently, an intermediate node entry with positive child count but without children could have been created. The server then refused to remove such an entry. This update fixes the replication conflict resolution code, thus preventing the incorrect node entry creation.
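The BZ#906583 entry above turns on the difference between a modify/add and a modify/replace when an attribute's equality rule is caseIgnoreMatch (cn, sn, description and most other string attributes). The following Python model is added here as an illustration and is not 389-ds-base code: an add of a value that differs only in case from an existing value must fail with result code 20, while a replace of the whole value set with case-changed values must succeed. The replace_buggy method is one way to reproduce the reported symptom, not a statement about the server's actual root cause.

```python
"""Model of LDAP modify semantics for a multi-valued attribute whose equality
rule is caseIgnoreMatch (cn, sn, description, ...).

Illustrative code for the BZ#906583 entry; not 389-ds-base's own. The
replace_buggy method reproduces the symptom (a replace that only changes
letter case failing with err=20); it is not a claim about the real root cause.
"""
import re

ATTRIBUTE_OR_VALUE_EXISTS = 20  # LDAP result code attributeOrValueExists


class LDAPError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{message} (err={code})")
        self.code = code


def case_ignore_key(value):
    """Normalisation for caseIgnoreMatch (RFC 4517): letter case and
    insignificant whitespace do not distinguish two values."""
    return re.sub(r"\s+", " ", value.strip()).casefold()


class Attribute:
    """Multi-valued attribute: values must be distinct under the matching
    rule, but each value is stored exactly as the client supplied it."""

    def __init__(self, values=()):
        self._values = {}  # normalised key -> stored value
        self.add(values)

    def values(self):
        return list(self._values.values())

    def add(self, new_values):
        """modify/add: a value equal under the rule to an existing one (or to
        another value in the same list) is an error; nothing is applied then."""
        staged = dict(self._values)
        for v in new_values:
            key = case_ignore_key(v)
            if key in staged:
                raise LDAPError(ATTRIBUTE_OR_VALUE_EXISTS, "Type or value exists")
            staged[key] = v
        self._values = staged

    def replace_buggy(self, new_values):
        """Pre-fix symptom: the new values are checked against the OLD value
        set with the add rule before the old set is discarded, so changing
        only the case of an existing value is rejected with err=20."""
        for v in new_values:
            if case_ignore_key(v) in self._values:
                raise LDAPError(ATTRIBUTE_OR_VALUE_EXISTS, "Type or value exists")
        self._values = {}
        self.add(new_values)

    def replace(self, new_values):
        """modify/replace: discard the old set first, then add the new set.
        Only a duplicate within the new list itself is still an error, and
        the attribute is left untouched when that happens."""
        old, self._values = self._values, {}
        try:
            self.add(new_values)
        except LDAPError:
            self._values = old
            raise


def try_modify(op, new_values):
    """Run one modify operation and return its LDAP result code (0 = success)."""
    try:
        op(new_values)
    except LDAPError as e:
        return e.code
    return 0


if __name__ == "__main__":
    cn = Attribute(["Alice Smith", "asmith"])
    print("replace (buggy):", try_modify(cn.replace_buggy, ["alice smith", "asmith"]))
    print("replace (fixed):", try_modify(cn.replace, ["alice smith", "asmith"]), cn.values())
    print("add duplicate  :", try_modify(cn.add, ["ALICE  SMITH"]))
```

The add path deliberately rejects "ALICE  SMITH" next to "alice smith": that is the matching rule working as specified, and it is exactly the check that must not be applied to the old value set during a replace.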
- BZ#951616
- Previously, if a group on the Active Directory contained a member that was in a container of not-synchronized type, synchronizing the group with the LDAP server was unsuccessful. Consequently, the valid members were not synchronized. With this update, the entries in such containers are omitted and the synchronization is now successful in the described case.
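The BZ#923909 entry above concerns the buffer that receives SASL security-layer data. After a SASL bind negotiates integrity or confidentiality, every protected buffer on the wire is prefixed by a four-octet, network-byte-order length (RFC 4422, section 3.7), and a receiver must refuse buffers larger than the maximum it advertised. The following Python reader is an added example and not the server's sasl_io code; the 65,536-byte default and the nsslapd-sasl-max-buffer-size name come from the entry, and the payload is kept as plaintext because the framing and the limit check, not the cipher, are the point.

```python
"""Reader for SASL security-layer framing as a directory server sees it
(RFC 4422 section 3.7): 4-octet big-endian length, then the protected buffer.

Added example for the BZ#923909 entry; a stand-alone model, not 389-ds-base's
sasl_io code. DEFAULT_SASL_MAX_BUFFER_SIZE is the new default from the entry;
the configurable limit plays the role of nsslapd-sasl-max-buffer-size.
"""
import struct

DEFAULT_SASL_MAX_BUFFER_SIZE = 65536   # default after the update
HEADER = struct.Struct("!I")           # 4-octet network-byte-order length


class SaslBufferTooLarge(Exception):
    pass


def wrap(buffers, max_size=DEFAULT_SASL_MAX_BUFFER_SIZE):
    """Sender side: frame each buffer. A sender must not exceed the peer's
    advertised maximum, so it is checked here as well."""
    out = bytearray()
    for b in buffers:
        if len(b) > max_size:
            raise SaslBufferTooLarge(f"{len(b)} > {max_size}")
        out += HEADER.pack(len(b)) + b
    return bytes(out)


class SaslFrameReader:
    """Receiver side: accumulate transport data and yield complete buffers.
    A frame whose length prefix exceeds the configured maximum is refused
    before any payload for it is buffered."""

    def __init__(self, max_size=DEFAULT_SASL_MAX_BUFFER_SIZE):
        self.max_size = max_size
        self._pending = bytearray()

    def feed(self, chunk):
        """Consume one chunk as read from the socket; return complete buffers."""
        self._pending += chunk
        frames = []
        while len(self._pending) >= HEADER.size:
            (length,) = HEADER.unpack_from(self._pending, 0)
            if length > self.max_size:
                # With the old, smaller default this is where a legitimate
                # large buffer got the connection refused. Raising lets the
                # caller close the connection instead of allocating `length`
                # bytes on the strength of an attacker-controlled prefix.
                raise SaslBufferTooLarge(
                    f"frame of {length} bytes exceeds limit {self.max_size}")
            if len(self._pending) < HEADER.size + length:
                break  # wait for the rest of the payload
            frames.append(bytes(self._pending[HEADER.size:HEADER.size + length]))
            del self._pending[:HEADER.size + length]
        return frames


def deliver(stream, max_size=DEFAULT_SASL_MAX_BUFFER_SIZE, chunk=1000):
    """Feed `stream` to a reader in `chunk`-sized pieces, as a socket would,
    and return (frames, error message or None)."""
    reader = SaslFrameReader(max_size)
    frames = []
    for i in range(0, len(stream), chunk):
        try:
            frames.extend(reader.feed(stream[i:i + chunk]))
        except SaslBufferTooLarge as e:
            return frames, str(e)
    return frames, None


if __name__ == "__main__":
    # Constructed sample: a search result page that serialises to 70,000 bytes
    big = wrap([b"x" * 70000], max_size=100000)
    print("default limit :", deliver(big)[1])
    print("raised limit  :", len(deliver(big, max_size=131072)[0]), "frame(s)")
```

The limit is enforced on the length prefix before the payload is buffered, so a frame larger than the limit is refused immediately instead of forcing the server to allocate and wait for bytes that may never arrive; raising nsslapd-sasl-max-buffer-size trades that protection against the size of result pages a SASL-wrapped client is allowed to send or receive.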
- BZ#953052
- Prior to this update, certain schema definitions in the 389-ds-base package did not comply with the LDAP RFC 2252 standard. Consequently, problems with LDAP clients could have occurred. With this update, these schema definitions have been corrected to be compliant with LDAP RFC 2252.
- BZ#957305
- Under a very high load of hundreds of simultaneous connections and operations, the Directory Server could have encountered a race condition in the connection handling code. Consequently, the server terminated unexpectedly with a segmentation fault. With this update, code that updates the connection objects has been moved under the protection of the connection mutex. As a result, Directory Server does not crash under high loads.
- BZ#957864
- Prior to this update, the Simple Paged Results control did not support asynchronous searches. Consequently, if the Directory Server received a large number of asynchronous search requests, some of the requests terminated with error 53: LDAP_UNWILLING_TO_PERFORM. With this update, asynchronous search support has been implemented in Simple Paged Results. As a result, Directory Server safely handles intensive asynchronous search requests.
- BZ#958522
- Previously, when loading an entry from a database, the str2entry_dupcheck() function was called instead of the more appropriate str2entry_fast() function. This behavior has been changed, and str2entry_fast() is now called in the described scenario.
- BZ#962885
- The upgrade of the Red Hat Enterprise Linux Identity Management server changed the value of the nsslapd-port attribute to "0" for security reasons. The nsslapd-port value is also used to construct the RUV (Replica Update Vector) used by replication. Previously, if the replication startup code found a zero nsslapd-port, it removed the RUV. Consequently, replication became unresponsive. With this update, the RUV is no longer removed in the aforementioned scenario, thus preventing the replication hang.
- BZ#963234
- Previously, an empty control list was not handled properly by the Directory Server. Consequently, an LDAP protocol error was returned. With this update, Directory Server has been modified to handle sequences of zero length correctly, thus preventing the error.
- BZ#966781
- When there was a request for a new LDAP connection at the same time as a request for a new LDAPS or LDAPI connection, the Directory Server processed only the LDAP request. With this update, Directory Server has been modified to process all listener requests at the same time.
- BZ#968383
- Prior to this update, an incorrect error code (err=0) was returned when an invalid external SASL bind was attempted. With this update, a proper error code (err=48, inappropriateAuthentication) is returned in the aforementioned scenario.
- BZ#968503
- When the Directory Server (DS) encountered an error while processing a startTLS request, the server attempted to write a response back to the client. Consequently, DS became unresponsive. With this update, DS has been modified to correctly process startTLS requests even in case of network errors. As a result, DS no longer hangs in the aforementioned scenario.
- BZ#969210
- Previously, the backlog parameter of the listen() function was set to "128". Consequently, if the server processed a large number of simultaneous connection requests, the server could have dropped connection requests because the backlog size was exceeded. With this update, the nsslapd-listen-backlog-size attribute has been added to allow the backlog size to be changed.
- BZ#970995
- Previously, the disk monitoring feature of the Directory Server did not function properly. If logging functionality was set to "critical" and logging was disabled, the rotated logs were deleted. If the nsslapd-errorlog-level attribute was explicitly set to any value, even zero, the disk monitoring feature did not stop the Directory Server as expected. This update corrects the settings of the disk monitoring feature, and the server shuts down when the critical threshold is reached.
- BZ#971033
- Prior to this update, the connections attribute that stores the number of currently connected clients was incorrectly incremented twice, by both the disconnect_server_nomutex() and the connection_reset() function. Consequently, the attribute contained incorrect values. This bug has been fixed, and connections now stores the correct number of connected clients.
- BZ#972976
- When the Directory Server (DS) used both replication and the DNA plug-in, and a client sent a sequence of ADD or DELETE requests for the same entry, DS returned the following message: "modify_switch_entries failed". This bug has been fixed, and the aforementioned message is no longer returned.
- BZ#973583
- The internal password attribute is not preserved after a Directory Server (DS) restart. Previously, an attempt to delete the password attribute after restarting DS caused DS to terminate unexpectedly. With this update, DS has been modified to check whether the password attribute exists and, if not, to skip the deletion. As a result, DS no longer crashes in the described case.
- BZ#974361
- Prior to this update, when using the account policy plug-in to configure policies for individual users based on the createTimestamp attribute, createTimestamp was overwritten after each subsequent bind. Consequently, account policy failed to lock the user. With this update, createTimestamp is no longer modified after a successful bind, and account policy now locks users as expected.
- BZ#974719
- Under certain circumstances, inconsistent behavior of the modrdn operation when processing a tombstone entry caused the Directory Server (DS) to terminate unexpectedly. With this update, DS has been modified to correctly process tombstones with modrdn, thus preventing the crash.
- BZ#974875
- Prior to this update, when an attribute was configured to be encrypted, the on-line import failed to encrypt this attribute on a server. This update allows encryption on the consumer side during an on-line import, thus fixing this bug.
- BZ#975243
- Previously, after removing the createTimestamp attribute from the account policy, this attribute was still applied by the Directory Server (DS). This bug has been fixed, and createTimestamp can now be effectively removed from the DS account policy.
- BZ#975250, BZ#979169
- Previously, with a mix of concurrent search, update, and replication operations, a deadlock could have occurred between the changelog readers, writers, and main database writers. Consequently, the update operations failed. With this update, a new nsslapd-db-deadlock-policy configuration parameter has been introduced. The default value of this parameter is 9, which terminates the last locker in case of a deadlock. After changing this value to 6, the locker with the fewest write locks is terminated, which is advised for users who encounter frequent deadlocks.
- BZ#976546
- Prior to this update, if certain requested attributes were skipped during a search, the returned attribute names and values were sometimes transformed to upper case. This update removes attributes that are not authorized from the requested attributes set, so that the names of returned attributes or values are preserved in the correct form.
- BZ#979435
- Previously, after modifying a single-valued attribute in a multi-master replication environment, this change was not replicated to other servers. With this update, code that handles replication updates has been changed. As a result, the modify operations on single-valued attributes are replicated correctly.
- BZ#982325
- Previously, setting the "nsslapd-disk-monitoring-threshold" attribute to a large value with the ldapmodify utility worked as expected; however, due to a bug in the ldapsearch utility, the threshold value was displayed as a negative number. This update corrects the bug in ldapsearch, and correct threshold values are now displayed.
- BZ#983091
- Previously, the Directory Server (DS) was not properly freeing the memory used by old connections. Consequently, when opening and closing hundreds of connections per minute for a long period of time, a memory leak occurred. With this update, DS has been modified to release the memory used by old connections as expected. As a result, the memory leak no longer occurs in the aforementioned scenario.
- BZ#986131
- Due to the USN (Update Sequence Number) configuration, the initial value of the lastusn attribute in the root DSE was displayed as "18446744073709551615" (the unsigned 64-bit representation of -1) instead of the expected "-1". This update adds special treatment for the initial lastusn. As a result, this value is set to "-1" as expected. If a negative value is found in the USN index file, it is reset to the initial value.
- BZ#986424
- With this update, several minor coding errors have been corrected to prevent possible memory leaks and stability issues.
- BZ#986857
- If logging functionality was not set to "critical", the mount point for the logs directory was incorrectly skipped during the disk space check. The processing of configuration settings has been fixed and the log directory is no longer skipped.
- BZ#987703
- Previously, memory leaks occurred when using the set_krb5_creds() function for the replication transport or bind. The underlying source code has been modified and the memory leaks no longer occur.
- BZ#988562
- When multiple clients were connected to the Directory Server (DS), each of them adding and deleting users, a server deadlock could have occurred. With this update, a patch has been introduced to prevent the deadlock.
- BZ#989692
- When a server-side sorting request was evaluated, the "sort type" parameter was registered only from the first attribute in the request, and the following attributes were ignored even if they had different "sort type" values. Consequently, the sorting operation was performed incorrectly. With this update, Directory Server has been modified so that server-side sorting resets "sort type" for each sort attribute in the request. As a result, sorting is now handled correctly.
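The Sort Request control (RFC 2891) carries a sequence of sort keys, and each key has its own reverseOrder flag, so "sn ascending, then givenName descending" is a single valid request. The following Python model is an added example, not ns-slapd code: it applies each key's direction independently, and its buggy=True path reproduces the symptom described in the BZ#989692 entry above, where the first key's direction was reused for every later key. The sample entries are constructed for the example.

```python
"""Server-side sort (RFC 2891 Sort Request control) over a candidate list
with several sort keys, each carrying its own reverseOrder flag.

Added example for the BZ#989692 entry; not ns-slapd code. The buggy=True
path reproduces the described symptom: the first key's reverseOrder is
applied to every later key. ENTRIES is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SortKey:
    attribute: str
    reverse: bool = False  # RFC 2891 reverseOrder, DEFAULT FALSE, per key


# Constructed sample entries; the sn values differ only in case on purpose,
# so that caseIgnore ordering puts "Smith" and "smith" in the same group.
ENTRIES = [
    {"uid": "carol", "sn": "Smith", "givenName": "Carol"},
    {"uid": "alice", "sn": "smith", "givenName": "Alice"},
    {"uid": "bob", "sn": "Jones", "givenName": "Bob"},
    {"uid": "dave", "sn": "Jones", "givenName": "Dave"},
    {"uid": "erin", "sn": "Jones"},  # no givenName at all
]


def _sort_value(entry, attribute):
    """caseIgnore-style ordering value. In this model an entry lacking the
    attribute sorts after every entry that has it, and therefore before
    them when the key is reversed."""
    value = entry.get(attribute)
    if value is None:
        return (1, "")
    if isinstance(value, list):  # multi-valued: order by the smallest value
        value = min(value, key=str.casefold)
    return (0, value.casefold())


def sort_entries(entries, keys, buggy=False):
    """Return entries ordered by `keys`, first key most significant.

    Implemented as successive stable sorts from the least to the most
    significant key (Python's sort keeps stability with reverse=True), so
    every key can carry its own direction."""
    result = list(entries)
    for key in reversed(keys):
        # The bug: the direction of keys[0] was reused for every key.
        reverse = keys[0].reverse if buggy else key.reverse
        result.sort(key=lambda e: _sort_value(e, key.attribute), reverse=reverse)
    return result


def sorted_uids(keys, buggy=False, entries=ENTRIES):
    """Convenience wrapper returning just the uid column of the sorted list."""
    return [e["uid"] for e in sort_entries(entries, keys, buggy)]


if __name__ == "__main__":
    keys = [SortKey("sn"), SortKey("givenName", reverse=True)]
    print("fixed:", sorted_uids(keys))
    print("buggy:", sorted_uids(keys, buggy=True))
```

With sn ascending and givenName descending, the correct order is erin, dave, bob, carol, alice; the buggy path silently turns the second key ascending and yields bob, dave, erin, alice, carol, which is the kind of wrong result a client paging through sorted output would not notice without comparing directions per key.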
- BZ#1002260
- Due to a schema error, the Directory Server (DS) failed to start after the system upgrade. This bug has been fixed, and DS now works correctly in the described case.
- BZ#1006846
- If replication was configured before the sub backend was initialized, the temporary sub suffix was not updated with the real sub suffix entry. Consequently, searches failed to return entries under the sub suffix. With this update, when a real sub suffix is added, the temporary entry ID in the entryrdn index is replaced with the real entry ID. As a result, searches successfully return sub suffix entries.
- BZ#1007452
- With certain specific values of the nsDS5ReplicaName attribute, replication could have become corrupted. With this update, all replica names are handled correctly.
- BZ#1008013
- In certain cases, the Directory Server became unresponsive when processing multiple outgoing and incoming operations using the TLS or SSL protocol. The underlying source code has been modified and the server no longer hangs in this scenario.
- BZ#1013735
- Previously, if the Directory Server (DS) worked with replicas that did not support the CLEANALLRUV task, running this task made DS unresponsive. With this update, DS has been modified to skip replicas that do not support CLEANALLRUV, thus fixing this bug.
- BZ#1016038
- Previously, when checking whether an Active Directory (AD) entry was subject to synchronization, only the direct children of the target were checked. Consequently, AD entries at deeper levels were not synchronized to the Directory Server. This bug has been fixed, and child entries of the target are now synchronized at all levels.
Users of 389-ds-base are advised to upgrade to these updated packages, which fix these bugs.