4.128. openldap

BZ#750538

When running an OpenLDAP server with the LDAP Sync replication engine (syncrepl) enabled and a large amount of data was replicated, the memory was used extensively. Due to high memory usage, the standalone LDAP daemon (slapd) was sometimes not able to allocate enough free memory using its default memory allocation mechanism. As a consequence, slapd fell back on the secondary memory allocation mechanism but without freeing the memory properly, and thus causing memory leaks. With this update, the slpad daemon frees the memory correctly in such a scenario, and memory leaks no longer occur.

BZ#734144

Prior to this update, some parts of OpenLDAP were impossible to debug due to incomplete debug data. The problem was caused by stripping debug data of some modules at an early stage of the package build process. This update disables the stripping and the openldap-debuginfo package is generated correctly.

BZ#734145

The openldap package compilation log contained information about breaking strict-aliasing rules. The presence of these warnings may have led into unexpected runtime behavior. The "-fno-strict-aliasing" option is now passed to a compiler to avoid optimizations that can produce invalid code. The change might contribute to stability and reliability of OpenLDAP.

Enhancement

BZ#733659

In a distributed environment, a Root DN (distinguished name) can be specified instead of a hostname to connect to an OpenLDAP server. The Root DN is used to look up the corresponding hosts using the DNS SRV (Domain Name Server Service) records. Prior to this update, the priority and weight of individual SRV records were ignored and the connection was created to the host in the first SRV record returned by the DNS server. As a consequence, a server in a different geographic location may have been queried, leading to high response times. Servers are now queried according to their priority and weight, which conforms to the RFC 2782 standard.

Bug Fixes

BZ#741184

When an OpenLDAP server was running with the LDAP Sync replication engine (syncrepl) enabled and a large amount of data was replicated, the memory was used extensively. Consequently, the standalone LDAP daemon (slapd) was sometimes not able to allocate enough free memory using its default memory allocation mechanism and slapd fell back on the secondary memory allocation mechanism without freeing the memory properly, causing memory leaks. With this update, the slapd daemon frees the memory correctly in such a scenario, and memory leaks no longer occur.

BZ#591419

Due to an error introduced in one of the previous updates, initializing a connection to a slapd server may have caused the CPU usage to reach 100% and the server to become unresponsive for about three seconds. With this update, an existing upstream patch has been applied to target this issue, and the OpenLDAP suite now works as expected.

BZ#641953

Previously, multiple concurrent connections to an OpenLDAP server could cause the slapd service to terminate unexpectedly with an assertion error. This update applies an upstream patch that adds mutexes to protect multiple threads from accessing a structure with a connection, and the slapd service no longer crashes.

BZ#655133

The libldap library did not provide the ldap_init_fd() function, even though certain utilities such as cURL rely on it and could not work properly as a result. This update applies a backported upstream patch that implements this API function, and these tools now work as expected.

BZ#620621

When the openldap-servers package was installed with the syncrepl utility configured, adding or removing data from a master server occasionally caused the slapd server to terminate unexpectedly. An upstream patch has been provided and the crashes no longer occur in the described scenario.

BZ#665951

When running the slapd service with the ppolicy overlay enabled, an attempt to delete the userPassword attribute could cause the service to terminate unexpectedly, leaving the database in a corrupted state. With this update, an upstream patch has been applied to address this issue, and deleting the userPassword attribute no longer causes the slapd service to crash.

BZ#684630

Some parts of OpenLDAP were impossible to debug due to incomplete debug data. The problem was caused by stripping debug data of some modules at an early stage of the package build process. This update disables the stripping and the openldap-debuginfo package is generated correctly.

BZ#732381

Previously, the openldap package compilation log file contained warning messages returned by strict-aliasing rules. These warnings indicated that unexpected runtime behavior could occur. With this update, the -fno-strict-aliasing option is passed to the compiler to avoid optimizations that can produce invalid code, and no warning messages are now returned during package compilation.

BZ#609722

When the openldap client was configured with the TLS_CACERTDIR option, some of the certificate files were not accessible. Consequently, openldap could not establish TLS (Transport Layer Security) connections. An upstream patch has been provided to address this issue and openldap now establishes TLS connections to the server, even if some certificates specified in TLS_CACERTDIR are inaccessible.

BZ#738768

Previously, the ldap init script was incorrectly marked as a configuration file. When manual modifications had been made to it while the openldap-servers package was installed, and when the package had been updated, the init script was not overwritten as part of the upgrade. With this update, the openldap spec file has been updated to reflect that the ldap init script is not a configuration file, and openldap-servers now overwrites the init script properly in the described scenario.

BZ#604092

With the openldap-servers package was installed, when the server was shut down incorrectly and the database needed recovery, the openldap init script failed to start the server again. With this update, a new option has been added to the tool which checks openldap server configuration. The new option skips the database checks, and the openldap server now starts properly in the described scenario.

BZ#699652

The ldap.conf(5) manual page has been updated to emphasize that to specify Certificate Authorities, the TLS_CACERT option is the preferred one to the TLS_CACERTDIR option.

BZ#563148

When the migrate_all_offline.sh script was used to migrate duplicate accounts, the migration process terminated. With this update, the script no longer interrupts the process, when certain errors occur. Local duplicate accounts no longer cause the migration process to interrupt.

Enhancement

BZ#733435

Previously, when a connection to an LDAP server was created by specifying search root DN (distinguished name) instead of the server hostname, the SRV records in DNS were requested and a list of LDAP server hostnames was generated. The servers were then queried in the order, in which the DNS server returned them but the priority and weight of the records were ignored. This update adds support for priority/weight of the DNS SRV records, and the servers are now queried according to their priority/weight, as required by RFC 2782.