4.128. openldap
Updated openldap packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The openldap packages contain configuration files, libraries, and documentation for OpenLDAP. OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols for accessing directory services over the Internet, similar to the way Domain Name System (DNS) information is propagated over the Internet.
Bug Fix
- BZ#750538
- When running an OpenLDAP server with the LDAP Sync replication engine (syncrepl) enabled and a large amount of data was replicated, memory usage was very high. The standalone LDAP daemon (slapd) was then sometimes unable to allocate enough memory through its default memory allocation mechanism. As a consequence, slapd fell back on the secondary memory allocation mechanism but did not free that memory properly, causing memory leaks. With this update, the slapd daemon frees the memory correctly in such a scenario, and memory leaks no longer occur.
All users of openldap are advised to upgrade to these updated packages, which fix this bug.
Updated openldap packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 5.
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The openldap packages contain configuration files, libraries, and documentation for OpenLDAP.
Bug Fixes
- BZ#734144
- Prior to this update, some parts of OpenLDAP were impossible to debug due to incomplete debug data. The problem was caused by stripping debug data of some modules at an early stage of the package build process. This update disables the stripping and the openldap-debuginfo package is generated correctly.
- BZ#734145
- The openldap package compilation log contained warnings about code breaking strict-aliasing rules. Such warnings indicate that compiler optimizations may produce invalid code and unexpected runtime behavior. The "-fno-strict-aliasing" option is now passed to the compiler to disable those optimizations. The change improves the stability and reliability of OpenLDAP.
Enhancement
- BZ#733659
- In a distributed environment, a root DN (distinguished name) of the directory can be specified instead of a hostname to connect to an OpenLDAP server. The DN is mapped to a DNS domain, and the corresponding hosts are looked up using the DNS SRV (service location) records of that domain. Prior to this update, the priority and weight of individual SRV records were ignored and the connection was made to the host in the first SRV record returned by the DNS server. As a consequence, a server in a different geographic location may have been queried, leading to high response times. Servers are now queried according to their priority and weight, as specified by RFC 2782.
Users are advised to upgrade to these updated openldap packages, which resolve these bugs and add this enhancement.
Updated openldap packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 5.
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.
Bug Fixes
- BZ#741184
- When an OpenLDAP server was running with the LDAP Sync replication engine (syncrepl) enabled and a large amount of data was replicated, memory usage was very high. Consequently, the standalone LDAP daemon (slapd) was sometimes unable to allocate enough memory through its default memory allocation mechanism, and slapd fell back on the secondary memory allocation mechanism without freeing that memory properly, causing memory leaks. With this update, the slapd daemon frees the memory correctly in such a scenario, and memory leaks no longer occur.
- BZ#591419
- Due to an error introduced in one of the previous updates, initializing a connection to a slapd server may have caused the CPU usage to reach 100% and the server to become unresponsive for about three seconds. With this update, an existing upstream patch has been applied to address this issue, and the OpenLDAP suite now works as expected.
- BZ#641953
- Previously, multiple concurrent connections to an OpenLDAP server could cause the slapd service to terminate unexpectedly with an assertion error. This update applies an upstream patch that adds mutexes so that multiple threads cannot access a connection structure concurrently, and the slapd service no longer crashes.
- BZ#655133
- The libldap library did not provide the ldap_init_fd() function, even though certain utilities such as cURL rely on it and could not work properly as a result. This update applies a backported upstream patch that implements this API function, and these tools now work as expected.
- BZ#620621
- When the openldap-servers package was installed with syncrepl replication configured, adding or removing data on a master server occasionally caused the slapd server to terminate unexpectedly. An upstream patch has been applied and the crashes no longer occur in the described scenario.
- BZ#665951
- When running the slapd service with the ppolicy overlay enabled, an attempt to delete the userPassword attribute could cause the service to terminate unexpectedly, leaving the database in a corrupted state. With this update, an upstream patch has been applied to address this issue, and deleting the userPassword attribute no longer causes the slapd service to crash.
- BZ#684630
- Some parts of OpenLDAP were impossible to debug due to incomplete debug data. The problem was caused by stripping debug data of some modules at an early stage of the package build process. This update disables the stripping and the openldap-debuginfo package is generated correctly.
- BZ#732381
- Previously, the openldap package compilation log contained warnings about code breaking strict-aliasing rules. Such warnings indicate that compiler optimizations may produce invalid code and unexpected runtime behavior. With this update, the -fno-strict-aliasing option is passed to the compiler to disable those optimizations, and no such warnings are returned during package compilation.
- BZ#609722
- When the openldap client was configured with the TLS_CACERTDIR option and some of the certificate files in that directory were not accessible, openldap could not establish TLS (Transport Layer Security) connections at all. An upstream patch has been applied to address this issue, and openldap now establishes TLS connections to the server even if some certificates in the directory specified by TLS_CACERTDIR are inaccessible.
- BZ#738768
- Previously, the ldap init script was incorrectly marked as a configuration file. When the script had been modified manually while the openldap-servers package was installed, and the package was subsequently updated, the init script was not overwritten as part of the upgrade. With this update, the openldap spec file has been corrected to reflect that the ldap init script is not a configuration file, and openldap-servers now overwrites the init script properly in the described scenario.
- BZ#604092
- When the openldap-servers package was installed and the server had been shut down uncleanly so that the database needed recovery, the openldap init script failed to start the server again. With this update, a new option has been added to the server configuration check tool (slaptest) that skips the database checks, and the openldap server now starts properly in the described scenario.
- BZ#699652
- The ldap.conf(5) manual page has been updated to emphasize that, for specifying Certificate Authorities, the TLS_CACERT option is preferred to the TLS_CACERTDIR option.
- BZ#563148
- When the migrate_all_offline.sh script was used to migrate accounts and encountered duplicate accounts, the migration process terminated. With this update, the script no longer aborts when such errors occur, and local duplicate accounts no longer interrupt the migration process.
Enhancement
- BZ#733435
- Previously, when a connection to an LDAP server was created by specifying the search root DN (distinguished name) instead of the server hostname, the SRV records in DNS were queried and a list of LDAP server hostnames was generated. The servers were then contacted in the order in which the DNS server returned them, and the priority and weight of the records were ignored. This update adds support for the priority and weight of DNS SRV records, and the servers are now contacted according to their priority and weight, as required by RFC 2782.
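The RFC 2782 selection that the two SRV enhancements above (BZ#733659 and BZ#733435) refer to is worth seeing spelled out, because "priority and weight" is easy to get wrong: priority is a strict ordering (lower first), while weight is a probabilistic ordering inside one priority level. The following Python is an added illustration written for this page; it is not OpenLDAP's libldap code. The hostnames and SRV data are constructed sample values, the ScriptedRng class exists only to make the selection reproducible, and the buggy pre-fix behaviour is reconstructed from the advisory text ("the connection was created to the host in the first SRV record returned"), not taken from the old source.

```python
"""RFC 2782 SRV target selection, as an LDAP client would apply it after mapping
a search base DN such as dc=example,dc=com to the _ldap._tcp.example.com SRV set."""
import random
from dataclasses import dataclass


@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_rdata(lines):
    """Parse SRV RDATA as printed by dig/host: '<priority> <weight> <port> <target>'."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        prio, weight, port, target = line.split()
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_srv_records(records, rng=random):
    """Return the records in RFC 2782 contact order.

    Lower priority values are contacted first. Within one priority, a target is
    chosen by weighted random selection: zero-weight records are placed first,
    a uniform random number in [0, sum(weights)] (inclusive) is drawn, and the
    first record whose running weight total reaches that number is taken. The
    chosen record is removed and the draw repeats until the group is exhausted.
    """
    ordered = []
    by_priority = {}
    for record in records:
        by_priority.setdefault(record.priority, []).append(record)
    for priority in sorted(by_priority):
        # Stable sort: zero-weight records go first, as the RFC requires.
        group = sorted(by_priority[priority], key=lambda r: r.weight)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)  # inclusive on both ends
            running = 0
            for index, record in enumerate(group):
                running += record.weight
                if running >= pick:
                    ordered.append(group.pop(index))
                    break
    return ordered


class ScriptedRng:
    """Deterministic stand-in for the random module (testing aid only)."""

    def __init__(self, values):
        self._values = list(values)

    def randint(self, low, high):
        value = self._values.pop(0)
        if not low <= value <= high:
            raise ValueError(f"scripted value {value} outside [{low}, {high}]")
        return value


# Constructed sample SRV set (hypothetical hosts, not from the original page).
# The DNS server happens to list the low-preference backup first.
SAMPLE_SRV = [
    "20 0 389 ldap-backup.example.com.",
    "10 20 389 ldap2.example.com.",
    "10 60 389 ldap1.example.com.",
    "10 20 389 ldap3.example.com.",
]


def contact_order(lines=SAMPLE_SRV, rng=random):
    """Host:port list in the order a fixed client would try them."""
    return [f"{r.target}:{r.port}" for r in order_srv_records(parse_srv_rdata(lines), rng)]


def pre_fix_order(lines=SAMPLE_SRV):
    """Behaviour described in the bug: resolver order, priority and weight ignored."""
    return [f"{r.target}:{r.port}" for r in parse_srv_rdata(lines)]


def first_pick_histogram(runs=2000, lines=SAMPLE_SRV, rng=random):
    """How often each host is contacted first; weight 60 should win most often."""
    counts = {}
    for _ in range(runs):
        first = contact_order(lines, rng)[0]
        counts[first] = counts.get(first, 0) + 1
    return counts


if __name__ == "__main__":
    print("pre-fix :", pre_fix_order())
    print("RFC 2782:", contact_order())
    print("first-pick histogram:", first_pick_histogram())
```

Running the block shows the pre-fix client hitting ldap-backup (priority 20) first simply because the resolver listed it first, while the RFC 2782 order always exhausts the priority-10 servers before it, with ldap1 (weight 60) landing first roughly 60% of the time.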
All openldap users are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.