8.154. 389-ds-base
8.154.1.  RHBA-2013:1653 — 389-ds-base bug fix and enhancement update 
		Updated 389-ds-base packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
	
		The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.
	
Bug Fixes
- BZ#830334
- Due to an incorrect interpretation of the error code, the Directory Server considered an invalid chaining configuration setting as the disk full error and terminated unexpectedly. Now, a more appropriate error code is used and the server no longer shuts down when invalid chaining configuration settings are specified.
- BZ#905825
- After the upgrade from Red Hat Enterprise Linux 6.3 to version 6.4, the upgrade script did not update the schema file for the PamConfig object class. Consequently, new features for PAM (Pluggable Authentication Module), such as configuration of multiple instances and pamFilter attribute, could not be used because of the schema violation. With this update, the upgrade script updates the schema file for the PamConfig object class as expected. As a result, the new features now function properly.
- BZ#906005
- Previously, the valgrind test suite reported recurring memory leaks in the modify_update_last_modified_attr() function. The size of these leaks averaged between 60-80 bytes per modify call, which could cause problems in environments with frequent modify operations. With this update, memory leaks no longer occur in the modify_update_last_modified_attr() function.
- BZ#906583
- Under certain circumstances, the Directory Server (DS) was not able to replace multi-valued attributes for new values that differed from the old ones only in the letter case. Consequently, a code 20 error message was displayed: "Type or value exists". With this update, DS has been modified to correctly process modification requests, and the letter case of attribute values can now be changed without complications.
- BZ#907985
- Under certain circumstances, the DNA (Distributed Numeric Assignment) plug-in logged messages with the DB_LOCK_DEADLOCK error code when attempting to create an entry with a uidNumber attribute. This bug has been fixed and DNA now handles this case properly and errors are no longer logged in the aforementioned scenario.
- BZ#908861
- The Posix Winsync plug-in was unnecessarily calling the internal modify() function. This internal modify() call failed and logged the following message: "slapi_modify_internal_set_pb: NULL parameter". With this update, Posix Winsync has been fixed and no longer calls modify(). As a result, the aforementioned message is no longer logged.
- BZ#910581
- Under certain circumstances, the /etc/dirsrv/slapd-dstet-mkubik/dse.ldif file was written with 0 bytes after a server termination or when the system was powered off. Consequently, after the system restart, the DS or IdM system sometimes did not start, leading to production server outages. The server mechanism by which dse.ldif is written has been modified, and server outages no longer occur in the described case.
- BZ#913215
- Prior to this update, while trying to remove a tombstone entry, the ns-slapd daemon terminated unexpectedly with a segmentation fault. This bug has been fixed and removal of tombstone entries no longer causes ns-slapd to crash.
- BZ#921937
- Previously, the schema-reload plug-in was not thread-safe. Consequently, executing the schema-reload.pl script under a heavy load could have caused the ns-slapd process to terminate unexpectedly with a segmentation fault. With this update, schema-reload has been modified to be thread-safe, and schema-reload.pl can now be executed along with other LDAP operations without complications.
- BZ#923407
- Due to an incorrect lock timing in the DNA (Distributed Numeric Assignment) plug-in, a deadlock occurred when a DNA operation was executed along with other plug-ins. This update moves the release timing of the problematic lock, and DNA no longer causes the deadlock in the aforementioned scenario.
- BZ#923502
- Under certain circumstances, an out-of-scope local variable caused the modrdn operation to terminate unexpectedly with a segmentation fault. This update modifies the declaration of the local variable so that it does not go out of scope. As a result, modrdn operations no longer crash.
- BZ#923503
- Previously, the cleanallruv task with the replica-force-cleaning option enabled did not remove all configuration attributes. Consequently, the task was initiated each time the server was restarted. With this update, the cleanallruv search mechanism has been modified, and cleanallruv no longer restarts when the server is restarted.
- BZ#923504
- Due to a bug in the Acl plug-in, when using the getEffectiveRights request on a non-existing entry, a NULL pointer dereference could have occurred. Consequently, the server terminated unexpectedly with a segmentation fault. With this update, Acl has been modified to check for NULL entry pointers. As a result, the server no longer crashes and an appropriate error message is now displayed when using the getEffectiveRights request on a non-existing entry.
- BZ#923909
- Due to an insufficient size of the default sasl_io buffer, SASL connections could have been refused by the server. With this update, the buffer size has been increased to 65,536 bytes. Moreover, users can increase this value with the nsslapd-sasl-max-buffer-size setting. As a result, SASL connections are now accepted without complications.
- BZ#947583
- Previously, the code responsible for replication conflict resolution in the 389-ds-base package did not work correctly in several cases, such as conflict DN generation, retrieving deleted parent entry, and examining the scope of a deleted entry. Consequently, an intermediate node entry with positive child count but without children could have been created. The server then refused to remove such an entry. This update fixes the replication conflict resolution code, thus preventing the incorrect node entry creation.
- BZ#951616
- Previously, if a group on the Active Directory contained a member that was in a container of not-synchronized type, synchronizing the group with the LDAP server was unsuccessful. Consequently, the valid members were not synchronized. With this update, the entries in such containers are omitted and the synchronization is now successful in the described case.
- BZ#953052
- Prior to this update, certain schema definitions in the 389-ds-base package did not comply with the LDAP RFC 2252 standard. Consequently, problems with LDAP clients could have occurred. With this update, these schema definitions have been corrected to be compliant with LDAP RFC 2252.
- BZ#957305
- Under a very high load of hundreds of simultaneous connections and operations, the Directory Server could have encountered a race condition in the connection handling code. Consequently, the server terminated unexpectedly with a segmentation fault. With this update, code that updates the connection objects has been moved into the connection mutex object. As a result, Directory Server does not crash under high loads.
- BZ#957864
- Prior to this update, the Simple Paged Results control did not support an asynchronous search. Consequently, if the Directory Server received a large number of asynchronous search requests, some of the requests terminated with error 53: "LDAP_UNWILLING_TO_PERFORM". With this update, asynchronous search support has been implemented into Simple Paged Results. As a result, Directory Server safely handles intensive asynchronous search requests.
- BZ#958522
- Previously, when loading an entry from a database, the str2entry_dupcheck() function was called instead of the more appropriate str2entry_fast() function. This behavior has been changed and str2entry_fast() is now called in the described scenario.
- BZ#962885
- The upgrade of Red Hat Enterprise Linux Identity Management server changed the value of the nsslapd-port variable to "0" for security reasons. The nsslapd-port is also used to construct the RUV (Replica Update Vector) used by replication. Previously, if the replication startup code found a zero nsslapd-port, it removed the RUV. Consequently, replication became unresponsive. With this update, RUV is no longer removed in the aforementioned scenario, thus preventing the replication hang.
- BZ#963234
- Previously, an empty control list was not handled properly by the Directory Server. Consequently, an LDAP protocol error was returned. With this update, Directory Server has been modified to handle sequences of zero length correctly, thus preventing the error.
- BZ#966781
- When there was a request for a new LDAP connection at the same time as a request for a new LDAPS or LDAPI connection, the Directory Server processed only the LDAP request. With this update, Directory Server has been modified to process all listener requests at the same time.
- BZ#968383
- Prior to this update, an incorrect error code (err=0) was returned when creating an invalid external SASL bind. With this update, a proper error code (err=48) is returned in the aforementioned scenario.
- BZ#968503
- When the Directory Server (DS) encountered an error while it processed a startTLS request, the server attempted to write a response back to the client. Consequently, DS became unresponsive. With this update, DS has been modified to correctly process startTLS requests even in case of network errors. As a result, DS no longer hangs in the aforementioned scenario.
- BZ#969210
- Previously, the size of the backlog parameter of the listen() function was set to "128". Consequently, if the server processed a large amount of simultaneous connection requests, the server could have dropped connection requests because the backlog size was exceeded. With this update, a nsslapd-listen-backlog-size attribute has been added to allow the backlog size to be changed.
- BZ#970995
- Previously, the disk monitoring feature of the Directory Server did not function properly. If logging functionality was set to "critical" and logging was disabled, the rotated logs were deleted. If the attribute nsslapd-errorlog-level was explicitly set to any value, even zero, the disk monitoring feature did not stop the Directory Server as expected. This update corrects the settings of the disk monitoring feature and the server shuts down when the critical threshold is reached.
- BZ#971033
- Prior to this update, the connections attribute that stores the number of currently connected clients was incorrectly incremented twice, both by the disconnect_server_nomutex() and connection_reset() functions. Consequently, the attribute contained incorrect values. This bug has been fixed and connections now stores the correct number of connected clients.
- BZ#972976
- When the Directory Server (DS) used both the replication and the DNA plug-in, and the client sent a sequence of ADD or DELETE requests for the same entry, DS returned the following message: "modify_switch_entries failed". This bug has been fixed, and the aforementioned message is no longer returned.
- BZ#973583
- The internal password attribute is not preserved after the Directory Server (DS) restart. Previously, an attempt to delete the password after restarting DS caused DS to terminate unexpectedly. With this update, DS has been modified to check if the password attribute exists, and if not, to skip the deletion. As a result, DS no longer crashes in the described case.
- BZ#974361
- Prior to this update, when using the account policy plug-in to configure policies for individual users based on the createTimestamp attribute, the createTimestamp was overwritten after the consequent binding. Consequently, account policy failed to lock the user. With this update, createTimestamp is no longer modified after successful binding and account policy now locks users as expected.
- BZ#974719
- Under certain circumstances, an inconsistent behavior of the modrdn operation when processing a tombstone entry caused the Directory Server (DS) to terminate unexpectedly. With this update, DS has been modified to correctly process tombstones with modrdn, thus preventing the crash.
- BZ#974875
- Prior to this update, when an attribute was configured to be encrypted, the on-line import failed to encrypt this attribute on a server. This update allows encryption on the consumer side, during an on-line import, thus fixing this bug.
- BZ#975243
- Previously, after removing the createTimestamp attribute from the account policy, this attribute was still applied by the Directory Server (DS). This bug has been fixed, and createTimestamp can now be effectively removed from the DS account policy.
- BZ#975250, BZ#979169
- Previously, with a mix of concurrent search, update, and replication operations a deadlock could have occurred between the changelog readers, writers, and main database writers. Consequently, the update operations failed. With this update, a new nsslapd-db-deadlock-policy configuration parameter has been introduced. The default value of this parameter is set to 9, which terminates the last locker in case of a deadlock. After changing this value to 6, the locker with the fewest write locks is terminated, which is advised for users who encounter frequent deadlocks.
- BZ#976546
- Prior to this update, if certain requested attributes were skipped during a search, the returned attribute names and values were sometimes transformed to upper case. This update removes attributes that are not authorized from the requested attributes set, so that the names of returned attributes or values are preserved in the correct form.
- BZ#979435
- Previously, after modifying a single-valued attribute in a multi-master replication environment, this change was not replicated to other servers. With this update, code that handles replication updates has been changed. As a result, the modify operations on single-valued attributes are replicated correctly.
- BZ#982325
- Previously, setting the "nsslapd-disk-monitoring-threshold" attribute with the ldapmodify utility to a large value worked as expected; however, due to a bug in the ldapsearch utility, the threshold value was displayed as a negative number. This update corrects the bug in ldapsearch and correct threshold values are now displayed.
- BZ#983091
- Previously, the Directory Server (DS) was not properly freeing the memory used by old connections. Consequently, when opening and closing hundreds of connections per minute for a long period of time, a memory leak occurred. With this update, DS has been modified to release the memory used by old connections as expected. As a result, the memory leak no longer occurs in the aforementioned scenario.
- BZ#986131
- Due to the USN (Update Sequence Number) configuration, the initial value of the lastusn variable in the rootdse directory was displayed as "18446744073709551615" instead of the expected "-1". This update adds a special treatment for the initial lastusn. As a result, this value is set to "-1" as expected. If a negative value is found in the USN index file, it is reset to the initial value.
- BZ#986424
- With this update, several minor coding errors have been corrected to prevent possible memory leaks and stability issues.
- BZ#986857
- If logging functionality was not set to "critical", the mount point for the logs directory was incorrectly skipped during the disk space check. The processing of configuration settings has been fixed and the log directory is no longer skipped.
- BZ#987703
- Previously, memory leaks occurred when using the set_krb5_creds() function for the replication transport or bind. The underlying source code has been modified and the memory leaks no longer occur.
- BZ#988562
- When multiple clients were connected to the Directory Server (DS), each of them adding and deleting users, a server deadlock could have occurred. With this update, a patch has been introduced to prevent the deadlock.
- BZ#989692
- When a server-side sorting request was evaluated, the "sort type" parameter was registered only from the first attribute in the request and the following attributes were ignored even if having different "sort type" values. Consequently, the sorting operation was performed incorrectly. With this update, Directory Server has been modified so that the server-side sorting resets "sort type" for each sort attribute in the request. As a result, the sorting is now handled correctly.
- BZ#1002260
- Due to a schema error, the Directory Server (DS) failed to start after the system upgrade. This bug has been fixed, and DS now works correctly in the described case.
- BZ#1006846
- If a replication was configured before initializing the sub backend, the temporary sub suffix was not updated with the real sub suffix entry. Consequently, the server search failed to return entries under the sub suffix. With this update, when a real sub suffix is added, the temporary entry ID in the entryrdn index is replaced with the real entry ID. As a result, search successfully returns sub suffix entries.
- BZ#1007452
- With certain specific values of the nsDS5ReplicaName variable, the replication could have become corrupted. With this update, all replica names are handled correctly.
- BZ#1008013
- In certain cases, the Directory Server became unresponsive when processing multiple outgoing and incoming operations using the TLS or SSL protocol. The underlying source code has been modified and the server no longer hangs in this scenario.
- BZ#1013735
- Previously, if the Directory Server (DS) worked with replicas that did not support the CLEANALLRUV task, running this task made DS unresponsive. With this update, DS has been modified to skip replicas that do not support CLEANALLRUV, thus fixing this bug.
- BZ#1016038
- Previously, when checking whether an Active Directory (AD) entry was a subject of synchronization, just the direct child of the target was checked. Consequently, AD entries which were in a deeper level were not synchronized to the Directory Server. This bug has been fixed, and child directories of the target are now synchronized at all levels.
		Users of 389-ds-base are advised to upgrade to these updated packages, which fix these bugs.
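
After upgrading, an administrator may want to confirm which values are in effect for the three tunables this advisory introduces or changes (BZ#975250/BZ#979169, BZ#923909, BZ#969210). The following is an added example, not code from Red Hat or the 389-ds-base project: it reads a dse.ldif-style file, handles LDIF line folding and case-insensitive attribute names, and reports each setting. The sample LDIF, the entry placement in it, and the function names are constructed for illustration.

```python
# Added example: sample LDIF is constructed; defaults are the values quoted in the advisory.
import re

# attribute -> (default, BZ). 128 is the previously fixed listen() backlog; treating it
# as the default when the attribute is unset is an assumption.
TUNABLES = {
    "nsslapd-db-deadlock-policy": (9, "BZ#975250"),
    "nsslapd-sasl-max-buffer-size": (65536, "BZ#923909"),
    "nsslapd-listen-backlog-size": (128, "BZ#969210"),
}

# Constructed sample, including a folded line and mixed-case attribute name.
SAMPLE_DSE = """\
dn: cn=config
nsslapd-port: 389
nsslapd-listen-backlog-size: 512
nsSLAPD-sasl-max-buffer-
 size: 2097152

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-deadlock-policy: 9
"""

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    return re.sub(r"\r?\n ", "", text)

def read_tunables(ldif_text):
    """Return {attribute: int value} for tunables set explicitly in the file."""
    found = {}
    for line in unfold(ldif_text).splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()  # LDAP attribute names are case-insensitive
        if name in TUNABLES and not value.startswith(":"):  # skip base64 ("::") values
            found[name] = int(value.strip())
    return found

def audit(ldif_text):
    """Return a list of (attribute, effective value, note) tuples."""
    explicit = read_tunables(ldif_text)
    report = []
    for name, (default, bz) in TUNABLES.items():
        value = explicit.get(name, default)
        note = "explicit" if name in explicit else "unset, default assumed"
        if name == "nsslapd-db-deadlock-policy" and value == 9:
            note += "; 6 is advised if deadlocks are frequent"
        report.append((name, value, f"{bz}: {note}"))
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE_DSE):
        print(*row, sep=" | ")
```
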