Branch '389-ds-base-1.3.2' - ldap/servers
by Noriko Hosoi
ldap/servers/slapd/back-ldbm/ldbm_search.c | 5 +++++
ldap/servers/slapd/backend.c | 11 ++++++++---
ldap/servers/slapd/slapi-plugin.h | 1 +
3 files changed, 14 insertions(+), 3 deletions(-)
New commits:
commit 3ff6d520ae0a15f74dc57122837627b5b73de629
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Aug 14 17:54:30 2014 -0700
Ticket #47874 - Performance degradation with scope ONE after some load
Bug Description: Backend has a bit to indicate "should not bypass
the filter test". It's set if one of the search results is ALLID
in idl_intersection. Once the flag is set, it is never unset.
This slows down the one-level searches that follow.
Fix Description: Introduced slapi_be_unset_flag and unset the bit
at the end of every search.
https://fedorahosted.org/389/ticket/47874
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
(cherry picked from commit 8e1345ab9276d1cf9c9ac2cbd858c398235ef5ce)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index ec3dd1e..e1951a0 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -183,6 +183,11 @@ ldbm_back_search_cleanup(Slapi_PBlock *pb,
slapi_pblock_get( pb, SLAPI_BACKEND, &be );
inst = (ldbm_instance *) be->be_instance_info;
+ /*
+ * In case SLAPI_BE_FLAG_DONT_BYPASS_FILTERTEST is set,
+ * clean it up for the following sessions.
+ */
+ slapi_be_unset_flag(be, SLAPI_BE_FLAG_DONT_BYPASS_FILTERTEST);
CACHE_RETURN(&inst->inst_cache, &e); /* NULL e is handled correctly */
if (inst->inst_ref_count) {
slapi_counter_decrement(inst->inst_ref_count);
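Review bot: The added `slapi_be_unset_flag(be, SLAPI_BE_FLAG_DONT_BYPASS_FILTERTEST)` clears a bit stored on the backend, not on the operation, so one search finishing its cleanup can reset the flag while another search on the same backend still depends on it to force the filter test. If searches run concurrently against one `Slapi_Backend` (likely for a server, though not visible here), that second search could skip the filter test and return entries from an ALLID candidate list that do not match its filter; the unlocked `be->be_flags &= ~flag` in backend.c leaves the same window. Consider keeping this state per operation rather than per backend, or at least extend the comment here to say `/* be_flags is shared by all operations on this backend; clearing it assumes no other search still needs the filter test */`. `ldbm_back_search_cleanup` starts and ends outside the hunk, and the identical change in the master commit 8e1345ab further down the page has the same issue.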
diff --git a/ldap/servers/slapd/backend.c b/ldap/servers/slapd/backend.c
index 8a72b13..22f41ee 100644
--- a/ldap/servers/slapd/backend.c
+++ b/ldap/servers/slapd/backend.c
@@ -580,13 +580,18 @@ slapi_be_setentrypoint(Slapi_Backend *be, int entrypoint, void *ret_fnptr, Slapi
}
int slapi_be_is_flag_set(Slapi_Backend * be, int flag)
-{
+{
return be->be_flags & flag;
}
void slapi_be_set_flag(Slapi_Backend * be, int flag)
-{
- be->be_flags|= flag;
+{
+ be->be_flags |= flag;
+}
+
+void slapi_be_unset_flag(Slapi_Backend * be, int flag)
+{
+ be->be_flags &= ~flag;
}
char * slapi_be_get_name(Slapi_Backend * be)
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 52a77ff..d7c5ea7 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -6366,6 +6366,7 @@ int slapi_is_ldapi_conn(Slapi_PBlock *pb);
int slapi_be_is_flag_set(Slapi_Backend * be, int flag);
void slapi_be_set_flag(Slapi_Backend * be, int flag);
+void slapi_be_unset_flag(Slapi_Backend * be, int flag);
#define SLAPI_BE_FLAG_REMOTE_DATA 0x1 /* entries held by backend are remote */
#define SLAPI_BE_FLAG_DONT_BYPASS_FILTERTEST 0x10 /* force to call filter_test (search only) */
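Review bot: The new public prototype `slapi_be_unset_flag()` is added to the plugin API header without a comment, so plugin authors get no statement of what it does to `be_flags` or whether it is safe to call while other operations use the backend. Add a short doc comment above it, for example `/* Clear the bits in flag from the backend's flags; the update is not synchronized with other threads using the same backend. */`. The same prototype is added in the master copy of this commit further down the page.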
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/back-ldbm/ldbm_search.c | 5 +++++
ldap/servers/slapd/backend.c | 11 ++++++++---
ldap/servers/slapd/slapi-plugin.h | 1 +
3 files changed, 14 insertions(+), 3 deletions(-)
New commits:
commit 8e1345ab9276d1cf9c9ac2cbd858c398235ef5ce
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Aug 14 17:54:30 2014 -0700
Ticket #47874 - Performance degradation with scope ONE after some load
Bug Description: Backend has a bit to indicate "should not bypass
the filter test". It's set if one of the search results is ALLID
in idl_intersection. Once the flag is set, it is never unset.
This slows down the one-level searches that follow.
Fix Description: Introduced slapi_be_unset_flag and unset the bit
at the end of every search.
https://fedorahosted.org/389/ticket/47874
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index ec3dd1e..e1951a0 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -183,6 +183,11 @@ ldbm_back_search_cleanup(Slapi_PBlock *pb,
slapi_pblock_get( pb, SLAPI_BACKEND, &be );
inst = (ldbm_instance *) be->be_instance_info;
+ /*
+ * In case SLAPI_BE_FLAG_DONT_BYPASS_FILTERTEST is set,
+ * clean it up for the following sessions.
+ */
+ slapi_be_unset_flag(be, SLAPI_BE_FLAG_DONT_BYPASS_FILTERTEST);
CACHE_RETURN(&inst->inst_cache, &e); /* NULL e is handled correctly */
if (inst->inst_ref_count) {
slapi_counter_decrement(inst->inst_ref_count);
diff --git a/ldap/servers/slapd/backend.c b/ldap/servers/slapd/backend.c
index 8a72b13..22f41ee 100644
--- a/ldap/servers/slapd/backend.c
+++ b/ldap/servers/slapd/backend.c
@@ -580,13 +580,18 @@ slapi_be_setentrypoint(Slapi_Backend *be, int entrypoint, void *ret_fnptr, Slapi
}
int slapi_be_is_flag_set(Slapi_Backend * be, int flag)
-{
+{
return be->be_flags & flag;
}
void slapi_be_set_flag(Slapi_Backend * be, int flag)
-{
- be->be_flags|= flag;
+{
+ be->be_flags |= flag;
+}
+
+void slapi_be_unset_flag(Slapi_Backend * be, int flag)
+{
+ be->be_flags &= ~flag;
}
char * slapi_be_get_name(Slapi_Backend * be)
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index f318bb6..f1ecfe8 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -6429,6 +6429,7 @@ int slapi_is_ldapi_conn(Slapi_PBlock *pb);
int slapi_be_is_flag_set(Slapi_Backend * be, int flag);
void slapi_be_set_flag(Slapi_Backend * be, int flag);
+void slapi_be_unset_flag(Slapi_Backend * be, int flag);
#define SLAPI_BE_FLAG_REMOTE_DATA 0x1 /* entries held by backend are remote */
#define SLAPI_BE_FLAG_DONT_BYPASS_FILTERTEST 0x10 /* force to call filter_test (search only) */
Branch '389-ds-base-1.2.11' - ldap/servers
by Noriko Hosoi
ldap/servers/slapd/back-ldbm/ldbm_search.c | 83 +++++++++++++++++------------
1 file changed, 49 insertions(+), 34 deletions(-)
New commits:
commit a791bff262495f9d9e5dd8e012d6cc000fc071dd
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Thu Aug 14 12:35:40 2014 +0200
Ticket 47872 - Filter AND with only one clause should be optimized
Bug Description: If the filter is of the form "(&(attr=value))", it is not detected
that the filtertest can be bypassed as in "(attr=value)".
Fix Description: Check if an AND filter has only one component and this component is not
another complex filter. To make this work, the check for whether the filter
attribute is a subtype also had to be applied earlier.
https://fedorahosted.org/389/ticket/47872
Reviewed by: RichM, thanks
(cherry picked from commit 29316b10f02e7cf7b01fe01f9b82b2088453221b)
(cherry picked from commit 39adbdc6062b5af27346759ca4cee6c570fedddf)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index 7d23580..8793a0b 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -1263,22 +1263,55 @@ grok_filter_list(struct slapi_filter *flist)
#endif
/* Helper function for can_skip_filter_test() */
+static int grok_filter_not_subtype(struct slapi_filter *f)
+{
+ /* If we haven't determined that we can't skip the filter test already,
+ * do one last check for attribute subtypes. We don't need to worry
+ * about any complex filters here since grok_filter() will have already
+ * assumed that we can't skip the filter test in those cases. */
+
+ int rc = 1;
+ char *type = NULL;
+ char *basetype = NULL;
+
+ /* We don't need to free type since that's taken
+ * care of when the filter is free'd later. We
+ * do need to free basetype when we are done. */
+ slapi_filter_get_attribute_type(f, &type);
+ basetype = slapi_attr_basetype(type, NULL, 0);
+
+ /* Is the filter using an attribute subtype? */
+ if (strcasecmp(type, basetype) != 0) {
+ /* If so, we can't optimize since attribute subtypes
+ * are simply indexed under their basetype attribute.
+ * The basetype index has no knowledge of the subtype
+ * itself. In the future, we should add support for
+ * indexing the subtypes so we can optimize this type
+ * of search. */
+ rc = 0;
+ }
+ slapi_ch_free_string(&basetype);
+ return rc;
+}
+
static int grok_filter(struct slapi_filter *f)
{
switch ( f->f_choice ) {
case LDAP_FILTER_EQUALITY:
- return 1; /* If there's an ID list and an equality filter, we can skip the filter test */
+ /* If there's an ID list and an equality filter, we can skip the filter test */
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_SUBSTRINGS:
return 0;
case LDAP_FILTER_GE:
- return 1;
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_LE:
- return 1;
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_PRESENT:
- return 1; /* If there's an ID list, and a presence filter, we can skip the filter test */
+ /* If there's an ID list, and a presence filter, we can skip the filter test */
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_APPROX:
return 0;
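Review bot: `grok_filter_not_subtype()` passes `type` to `slapi_attr_basetype()` and `strcasecmp()` without checking that `slapi_filter_get_attribute_type()` actually filled it in, so a filter node with no attribute type would be dereferenced as NULL. The check used to run once on the top-level filter after `grok_filter()` had succeeded; it is now reached for every simple component, including the single child of an AND, so a guard is cheap insurance: `if (slapi_filter_get_attribute_type(f, &type) != 0 || type == NULL) return 0;`. The block comment at the top of the helper was moved verbatim and still talks about "one last check" after `grok_filter()`, which no longer matches where it is called from. The same applies to the two other copies of this commit on this page (39adbdc6 and 29316b10).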
@@ -1287,10 +1320,18 @@ static int grok_filter(struct slapi_filter *f)
return 0;
case LDAP_FILTER_AND:
- return 0; /* Unless we check to see whether the presence and equality branches
- of the search filter were all indexed, we get things wrong here,
- so let's punt for now */
- /* return grok_filter_list(f->f_and); AND clauses are potentially OK */
+ /* Unless we check to see whether the presence and equality branches
+ * of the search filter were all indexed, we get things wrong here,
+ * so let's punt for now
+ */
+ if (f->f_and->f_next == NULL) {
+ /* there is only one AND component,
+ * if it is a simple filter, we can skip it
+ */
+ return grok_filter(f->f_and);
+ } else {
+ return 0;
+ }
case LDAP_FILTER_OR:
return 0;
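Review bot: The new AND branch reads `f->f_and->f_next` without checking `f->f_and`, so an AND node with an empty component list would be a NULL dereference on a client-supplied search filter. Whether the filter parser can hand such a node to this code is not visible in the hunk; if it can, guard the test with `if (f->f_and != NULL && f->f_and->f_next == NULL) {` and let the empty case fall to `return 0`. The comment kept above the test still ends with "so let's punt for now", which now describes only the `else` path and should move there. `grok_filter()` continues outside this hunk, and the same lines appear in the other two copies of this commit on this page.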
@@ -1333,32 +1374,6 @@ can_skip_filter_test(
/* Grok the filter and tell me if it has only equality components in it */
rc = grok_filter(f);
- /* If we haven't determined that we can't skip the filter test already,
- * do one last check for attribute subtypes. We don't need to worry
- * about any complex filters here since grok_filter() will have already
- * assumed that we can't skip the filter test in those cases. */
- if (rc != 0) {
- char *type = NULL;
- char *basetype = NULL;
-
- /* We don't need to free type since that's taken
- * care of when the filter is free'd later. We
- * do need to free basetype when we are done. */
- slapi_filter_get_attribute_type(f, &type);
- basetype = slapi_attr_basetype(type, NULL, 0);
-
- /* Is the filter using an attribute subtype? */
- if (strcasecmp(type, basetype) != 0) {
- /* If so, we can't optimize since attribute subtypes
- * are simply indexed under their basetype attribute.
- * The basetype index has no knowledge of the subtype
- * itself. In the future, we should add support for
- * indexing the subtypes so we can optimize this type
- * of search. */
- rc = 0;
- }
- slapi_ch_free_string(&basetype);
- }
return rc;
}
Branch '389-ds-base-1.3.2' - ldap/servers
by Noriko Hosoi
ldap/servers/slapd/back-ldbm/ldbm_search.c | 83 +++++++++++++++++------------
1 file changed, 49 insertions(+), 34 deletions(-)
New commits:
commit 39adbdc6062b5af27346759ca4cee6c570fedddf
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Thu Aug 14 12:35:40 2014 +0200
Ticket 47872 - Filter AND with only one clause should be optimized
Bug Description: If the filter is of the form "(&(attr=value))", it is not detected
that the filtertest can be bypassed as in "(attr=value)".
Fix Description: Check if an AND filter has only one component and this component is not
another complex filter. To make this work, the check for whether the filter
attribute is a subtype also had to be applied earlier.
https://fedorahosted.org/389/ticket/47872
Reviewed by: RichM, thanks
(cherry picked from commit 29316b10f02e7cf7b01fe01f9b82b2088453221b)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index f1375a5..ec3dd1e 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -1273,22 +1273,55 @@ grok_filter_list(struct slapi_filter *flist)
#endif
/* Helper function for can_skip_filter_test() */
+static int grok_filter_not_subtype(struct slapi_filter *f)
+{
+ /* If we haven't determined that we can't skip the filter test already,
+ * do one last check for attribute subtypes. We don't need to worry
+ * about any complex filters here since grok_filter() will have already
+ * assumed that we can't skip the filter test in those cases. */
+
+ int rc = 1;
+ char *type = NULL;
+ char *basetype = NULL;
+
+ /* We don't need to free type since that's taken
+ * care of when the filter is free'd later. We
+ * do need to free basetype when we are done. */
+ slapi_filter_get_attribute_type(f, &type);
+ basetype = slapi_attr_basetype(type, NULL, 0);
+
+ /* Is the filter using an attribute subtype? */
+ if (strcasecmp(type, basetype) != 0) {
+ /* If so, we can't optimize since attribute subtypes
+ * are simply indexed under their basetype attribute.
+ * The basetype index has no knowledge of the subtype
+ * itself. In the future, we should add support for
+ * indexing the subtypes so we can optimize this type
+ * of search. */
+ rc = 0;
+ }
+ slapi_ch_free_string(&basetype);
+ return rc;
+}
+
static int grok_filter(struct slapi_filter *f)
{
switch ( f->f_choice ) {
case LDAP_FILTER_EQUALITY:
- return 1; /* If there's an ID list and an equality filter, we can skip the filter test */
+ /* If there's an ID list and an equality filter, we can skip the filter test */
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_SUBSTRINGS:
return 0;
case LDAP_FILTER_GE:
- return 1;
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_LE:
- return 1;
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_PRESENT:
- return 1; /* If there's an ID list, and a presence filter, we can skip the filter test */
+ /* If there's an ID list, and a presence filter, we can skip the filter test */
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_APPROX:
return 0;
@@ -1297,10 +1330,18 @@ static int grok_filter(struct slapi_filter *f)
return 0;
case LDAP_FILTER_AND:
- return 0; /* Unless we check to see whether the presence and equality branches
- of the search filter were all indexed, we get things wrong here,
- so let's punt for now */
- /* return grok_filter_list(f->f_and); AND clauses are potentially OK */
+ /* Unless we check to see whether the presence and equality branches
+ * of the search filter were all indexed, we get things wrong here,
+ * so let's punt for now
+ */
+ if (f->f_and->f_next == NULL) {
+ /* there is only one AND component,
+ * if it is a simple filter, we can skip it
+ */
+ return grok_filter(f->f_and);
+ } else {
+ return 0;
+ }
case LDAP_FILTER_OR:
return 0;
@@ -1343,32 +1384,6 @@ can_skip_filter_test(
/* Grok the filter and tell me if it has only equality components in it */
rc = grok_filter(f);
- /* If we haven't determined that we can't skip the filter test already,
- * do one last check for attribute subtypes. We don't need to worry
- * about any complex filters here since grok_filter() will have already
- * assumed that we can't skip the filter test in those cases. */
- if (rc != 0) {
- char *type = NULL;
- char *basetype = NULL;
-
- /* We don't need to free type since that's taken
- * care of when the filter is free'd later. We
- * do need to free basetype when we are done. */
- slapi_filter_get_attribute_type(f, &type);
- basetype = slapi_attr_basetype(type, NULL, 0);
-
- /* Is the filter using an attribute subtype? */
- if (strcasecmp(type, basetype) != 0) {
- /* If so, we can't optimize since attribute subtypes
- * are simply indexed under their basetype attribute.
- * The basetype index has no knowledge of the subtype
- * itself. In the future, we should add support for
- * indexing the subtypes so we can optimize this type
- * of search. */
- rc = 0;
- }
- slapi_ch_free_string(&basetype);
- }
return rc;
}
ldap/servers
by Ludwig Krispenz
ldap/servers/slapd/back-ldbm/ldbm_search.c | 83 +++++++++++++++++------------
1 file changed, 49 insertions(+), 34 deletions(-)
New commits:
commit 29316b10f02e7cf7b01fe01f9b82b2088453221b
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Thu Aug 14 12:35:40 2014 +0200
Ticket 47872 - Filter AND with only one clause should be optimized
Bug Description: If the filter is of the form "(&(attr=value))", it is not detected
that the filtertest can be bypassed as in "(attr=value)".
Fix Description: Check if an AND filter has only one component and this component is not
another complex filter. To make this work, the check for whether the filter
attribute is a subtype also had to be applied earlier.
https://fedorahosted.org/389/ticket/47872
Reviewed by: RichM, thanks
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_search.c b/ldap/servers/slapd/back-ldbm/ldbm_search.c
index f1375a5..ec3dd1e 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_search.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_search.c
@@ -1273,22 +1273,55 @@ grok_filter_list(struct slapi_filter *flist)
#endif
/* Helper function for can_skip_filter_test() */
+static int grok_filter_not_subtype(struct slapi_filter *f)
+{
+ /* If we haven't determined that we can't skip the filter test already,
+ * do one last check for attribute subtypes. We don't need to worry
+ * about any complex filters here since grok_filter() will have already
+ * assumed that we can't skip the filter test in those cases. */
+
+ int rc = 1;
+ char *type = NULL;
+ char *basetype = NULL;
+
+ /* We don't need to free type since that's taken
+ * care of when the filter is free'd later. We
+ * do need to free basetype when we are done. */
+ slapi_filter_get_attribute_type(f, &type);
+ basetype = slapi_attr_basetype(type, NULL, 0);
+
+ /* Is the filter using an attribute subtype? */
+ if (strcasecmp(type, basetype) != 0) {
+ /* If so, we can't optimize since attribute subtypes
+ * are simply indexed under their basetype attribute.
+ * The basetype index has no knowledge of the subtype
+ * itself. In the future, we should add support for
+ * indexing the subtypes so we can optimize this type
+ * of search. */
+ rc = 0;
+ }
+ slapi_ch_free_string(&basetype);
+ return rc;
+}
+
static int grok_filter(struct slapi_filter *f)
{
switch ( f->f_choice ) {
case LDAP_FILTER_EQUALITY:
- return 1; /* If there's an ID list and an equality filter, we can skip the filter test */
+ /* If there's an ID list and an equality filter, we can skip the filter test */
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_SUBSTRINGS:
return 0;
case LDAP_FILTER_GE:
- return 1;
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_LE:
- return 1;
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_PRESENT:
- return 1; /* If there's an ID list, and a presence filter, we can skip the filter test */
+ /* If there's an ID list, and a presence filter, we can skip the filter test */
+ return grok_filter_not_subtype(f);
case LDAP_FILTER_APPROX:
return 0;
@@ -1297,10 +1330,18 @@ static int grok_filter(struct slapi_filter *f)
return 0;
case LDAP_FILTER_AND:
- return 0; /* Unless we check to see whether the presence and equality branches
- of the search filter were all indexed, we get things wrong here,
- so let's punt for now */
- /* return grok_filter_list(f->f_and); AND clauses are potentially OK */
+ /* Unless we check to see whether the presence and equality branches
+ * of the search filter were all indexed, we get things wrong here,
+ * so let's punt for now
+ */
+ if (f->f_and->f_next == NULL) {
+ /* there is only one AND component,
+ * if it is a simple filter, we can skip it
+ */
+ return grok_filter(f->f_and);
+ } else {
+ return 0;
+ }
case LDAP_FILTER_OR:
return 0;
@@ -1343,32 +1384,6 @@ can_skip_filter_test(
/* Grok the filter and tell me if it has only equality components in it */
rc = grok_filter(f);
- /* If we haven't determined that we can't skip the filter test already,
- * do one last check for attribute subtypes. We don't need to worry
- * about any complex filters here since grok_filter() will have already
- * assumed that we can't skip the filter test in those cases. */
- if (rc != 0) {
- char *type = NULL;
- char *basetype = NULL;
-
- /* We don't need to free type since that's taken
- * care of when the filter is free'd later. We
- * do need to free basetype when we are done. */
- slapi_filter_get_attribute_type(f, &type);
- basetype = slapi_attr_basetype(type, NULL, 0);
-
- /* Is the filter using an attribute subtype? */
- if (strcasecmp(type, basetype) != 0) {
- /* If so, we can't optimize since attribute subtypes
- * are simply indexed under their basetype attribute.
- * The basetype index has no knowledge of the subtype
- * itself. In the future, we should add support for
- * indexing the subtypes so we can optimize this type
- * of search. */
- rc = 0;
- }
- slapi_ch_free_string(&basetype);
- }
return rc;
}
wrappers/initscript.in wrappers/systemd.group.in
by Noriko Hosoi
wrappers/initscript.in | 2 +-
wrappers/systemd.group.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
New commits:
commit fd71c235171329d0a1d03c74726722cb1ff2ce29
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Aug 11 18:47:03 2014 -0700
Ticket #47574 - start dirsrv after ntpd
Description:
1) Adding a dependency on ntpd.service to systemd (systemd.group.in).
2) Set "# chkconfig: - 59 73" in the initscript. Start priority 59 is one
greater than ntpd's; stop priority 73 is one less than ntpd's.
https://fedorahosted.org/389/ticket/47574
Reviewed and commented by rmeggins(a)redhat.com (Thank you, Rich!!)
diff --git a/wrappers/initscript.in b/wrappers/initscript.in
index 7601784..ad4ea2b 100644
--- a/wrappers/initscript.in
+++ b/wrappers/initscript.in
@@ -2,7 +2,7 @@
#
# @package_name@ This starts and stops @package_name@
#
-# chkconfig: - 21 79
+# chkconfig: - 59 73
# description: @capbrand@ Directory Server
# processname: @sbindir@/ns-slapd
# configdir: @sysconfdir@/@package_name@/
diff --git a/wrappers/systemd.group.in b/wrappers/systemd.group.in
index 4c710f3..135affc 100644
--- a/wrappers/systemd.group.in
+++ b/wrappers/systemd.group.in
@@ -1,6 +1,6 @@
[Unit]
Description=@capbrand@ Directory Server
-After=syslog.target network.target
+After=syslog.target network.target ntpd.service
[Install]
WantedBy=multi-user.target
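Review bot: `After=ntpd.service` only orders start-up when ntpd is the time daemon that is actually installed and enabled; on a host that synchronises its clock with a different service the added word has no effect. `After=` is also ordering only and does not pull ntpd in, although the commit text calls it a dependency. If the goal is to start once the clock has been set, consider ordering against the generic target as well, `After=syslog.target network.target ntpd.service time-sync.target`, and note in a comment that this is ordering, not a requirement.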
Changes to '389-ds-base-1.3.2-CVE-2014-3562'
by Noriko Hosoi
New branch '389-ds-base-1.3.2-CVE-2014-3562' available with the following commits:
commit 5e35f1c2cd3c71fdc7073b19a415f19cef49e075
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Aug 12 10:28:27 2014 -0700
Bump version to 1.3.2.22
commit ac82f31473ef7157f05ad9c78ad31d46ea591a11
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Jul 28 09:42:43 2014 -0700
Ticket #47869 - unauthenticated information disclosure (Bug 1123477)
Fix Description: nscpentrywsi is returned only authenticated as root.
The bug was fixed by lkrispen(a)redhat.com (Ludwig Krispenz).
His patch was modified based upon this review comment.
https://bugzilla.redhat.com/show_bug.cgi?id=1123477#c2
https://bugzilla.redhat.com/show_bug.cgi?id=1127833
(cherry picked from commit aa90e26d5c4ea47b2a4a22f99cf0742cf48b3fae)
(cherry picked from commit 394277fdcef70078b54a280de88ab06dd289cc7a)
(cherry picked from commit 79c07013ff3f67da8888661ad2fcd9e32062e50a)
(cherry picked from commit 67f9130d419076bfc21935e1e008091b3237f660)
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/ssl.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
New commits:
commit 2b7b9cb86cd14a5ac60ee7b01d2a31aed54f3fb8
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Aug 11 12:26:37 2014 -0700
Ticket #47838 - harden the list of ciphers available by default
Description: Fixed a coverity issue introduced by
commit 13c0d2f7b7850676042fe05c917a7d498135324f
Coverity 12734 - Uninitialized scalar variable
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 72abebd..1a21df0 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -354,13 +354,15 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
SECStatus rc;
PRBool setdefault = (flag == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE;
PRBool enabled = (flag == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE;
- PRBool setme;
+ PRBool setme = PR_FALSE;
const PRUint16 *implementedCiphers = SSL_GetImplementedCiphers();
_conf_init_ciphers();
for (x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {
- if (!(_conf_ciphers[x].flags & CIPHER_IS_DEFAULT)) {
+ if (_conf_ciphers[x].flags & CIPHER_IS_DEFAULT) {
+ setme = PR_TRUE;
+ } else {
/*
* SSL_CipherPrefGetDefault
* If the application has not previously set the default preference,
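Review bot: `setme` is now initialised once at its declaration, outside the `for` loop, so from the second cipher on it holds whatever the previous iteration left in it. If any path through the `else` branch (which continues outside this hunk) skips the assignment, a `PR_TRUE` left by an earlier default cipher would carry over to a cipher that should stay off, which matters in code whose purpose is to harden the default cipher list. Resetting it per iteration removes that dependency: make `setme = PR_FALSE;` the first statement of the loop body, or declare the variable inside the loop.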
dirsrvtests/tickets
by Noriko Hosoi
dirsrvtests/tickets/ticket47869MMR_test.py | 416 +++++++++++++++++++++++++++++
1 file changed, 416 insertions(+)
New commits:
commit b85efe48267b7103baccb09f0305577aa112f4b2
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Aug 8 15:28:25 2014 -0700
Ticket 47869 - CI test: add test case for ticket 47869
Description:
On Master 1 and 2:
Bind as Directory Manager.
Search all specifying nscpEntryWsi in the attribute list.
Check nscpEntryWsi is returned.
On Master 1 and 2:
Bind as Bind Entry.
Search all specifying nscpEntryWsi in the attribute list.
Check nscpEntryWsi is not returned.
On Master 1 and 2:
Bind as anonymous.
Search all specifying nscpEntryWsi in the attribute list.
Check nscpEntryWsi is not returned.
diff --git a/dirsrvtests/tickets/ticket47869MMR_test.py b/dirsrvtests/tickets/ticket47869MMR_test.py
new file mode 100644
index 0000000..47ac5b2
--- /dev/null
+++ b/dirsrvtests/tickets/ticket47869MMR_test.py
@@ -0,0 +1,416 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import socket
+import time
+import logging
+import pytest
+import re
+from lib389 import DirSrv, Entry, tools
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from constants import *
+from lib389._constants import *
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+#
+# important part. We can deploy Master1 and Master2 on different versions
+#
+installation1_prefix = None
+installation2_prefix = None
+
+TEST_REPL_DN = "cn=test_repl, %s" % SUFFIX
+ENTRY_NAME = 'test_entry'
+MAX_ENTRIES = 10
+
+BIND_NAME = 'bind_entry'
+BIND_DN = 'cn=%s, %s' % (BIND_NAME, SUFFIX)
+BIND_PW = 'password'
+
+class TopologyMaster1Master2(object):
+ def __init__(self, master1, master2):
+ master1.open()
+ self.master1 = master1
+
+ master2.open()
+ self.master2 = master2
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ '''
+ This fixture is used to create a replicated topology for the 'module'.
+ The replicated topology is MASTER1 <-> Master2.
+ At the beginning, It may exists a master2 instance and/or a master2 instance.
+ It may also exists a backup for the master1 and/or the master2.
+
+ Principle:
+ If master1 instance exists:
+ restart it
+ If master2 instance exists:
+ restart it
+ If backup of master1 AND backup of master2 exists:
+ create or rebind to master1
+ create or rebind to master2
+
+ restore master1 from backup
+ restore master2 from backup
+ else:
+ Cleanup everything
+ remove instances
+ remove backups
+ Create instances
+ Initialize replication
+ Create backups
+ '''
+ global installation1_prefix
+ global installation2_prefix
+
+ # allocate master1 on a given deployement
+ master1 = DirSrv(verbose=False)
+ if installation1_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+
+ # Args for the master1 instance
+ args_instance[SER_HOST] = HOST_MASTER_1
+ args_instance[SER_PORT] = PORT_MASTER_1
+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_1
+ args_master = args_instance.copy()
+ master1.allocate(args_master)
+
+ # allocate master1 on a given deployement
+ master2 = DirSrv(verbose=False)
+ if installation2_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation2_prefix
+
+ # Args for the consumer instance
+ args_instance[SER_HOST] = HOST_MASTER_2
+ args_instance[SER_PORT] = PORT_MASTER_2
+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_2
+ args_master = args_instance.copy()
+ master2.allocate(args_master)
+
+
+ # Get the status of the backups
+ backup_master1 = master1.checkBackupFS()
+ backup_master2 = master2.checkBackupFS()
+
+ # Get the status of the instance and restart it if it exists
+ instance_master1 = master1.exists()
+ if instance_master1:
+ master1.stop(timeout=10)
+ master1.start(timeout=10)
+
+ instance_master2 = master2.exists()
+ if instance_master2:
+ master2.stop(timeout=10)
+ master2.start(timeout=10)
+
+ if backup_master1 and backup_master2:
+ # The backups exist, assuming they are correct
+ # we just re-init the instances with them
+ if not instance_master1:
+ master1.create()
+ # Used to retrieve configuration information (dbdir, confdir...)
+ master1.open()
+
+ if not instance_master2:
+ master2.create()
+ # Used to retrieve configuration information (dbdir, confdir...)
+ master2.open()
+
+ # restore master1 from backup
+ master1.stop(timeout=10)
+ master1.restoreFS(backup_master1)
+ master1.start(timeout=10)
+
+ # restore master2 from backup
+ master2.stop(timeout=10)
+ master2.restoreFS(backup_master2)
+ master2.start(timeout=10)
+ else:
+ # We should be here only in two conditions
+ # - This is the first time a test involve master-consumer
+ # so we need to create everything
+ # - Something weird happened (instance/backup destroyed)
+ # so we discard everything and recreate all
+
+ # Remove all the backups. So even if we have a specific backup file
+ # (e.g backup_master) we clear all backups that an instance my have created
+ if backup_master1:
+ master1.clearBackupFS()
+ if backup_master2:
+ master2.clearBackupFS()
+
+ # Remove all the instances
+ if instance_master1:
+ master1.delete()
+ if instance_master2:
+ master2.delete()
+
+ # Create the instances
+ master1.create()
+ master1.open()
+ master2.create()
+ master2.open()
+
+ #
+ # Now prepare the Master-Consumer topology
+ #
+ # First Enable replication
+ master1.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_1)
+ master2.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_2)
+
+ # Initialize the supplier->consumer
+
+ properties = {RA_NAME: r'meTo_$host:$port',
+ RA_BINDDN: defaultProperties[REPLICATION_BIND_DN],
+ RA_BINDPW: defaultProperties[REPLICATION_BIND_PW],
+ RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD],
+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]}
+ repl_agreement = master1.agreement.create(suffix=SUFFIX, host=master2.host, port=master2.port, properties=properties)
+
+ if not repl_agreement:
+ log.fatal("Fail to create a replica agreement")
+ sys.exit(1)
+
+ log.debug("%s created" % repl_agreement)
+
+ properties = {RA_NAME: r'meTo_$host:$port',
+ RA_BINDDN: defaultProperties[REPLICATION_BIND_DN],
+ RA_BINDPW: defaultProperties[REPLICATION_BIND_PW],
+ RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD],
+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]}
+ master2.agreement.create(suffix=SUFFIX, host=master1.host, port=master1.port, properties=properties)
+
+ master1.agreement.init(SUFFIX, HOST_MASTER_2, PORT_MASTER_2)
+ master1.waitForReplInit(repl_agreement)
+
+ # Check replication is working fine
+ master1.add_s(Entry((TEST_REPL_DN, {'objectclass': "top person".split(),
+ 'sn': 'test_repl',
+ 'cn': 'test_repl'})))
+ loop = 0
+ while loop <= 10:
+ try:
+ ent = master2.getEntry(TEST_REPL_DN, ldap.SCOPE_BASE, "(objectclass=*)")
+ break
+ except ldap.NO_SUCH_OBJECT:
+ time.sleep(1)
+ loop += 1
+
+ # Time to create the backups
+ master1.stop(timeout=10)
+ master1.backupfile = master1.backupFS()
+ master1.start(timeout=10)
+
+ master2.stop(timeout=10)
+ master2.backupfile = master2.backupFS()
+ master2.start(timeout=10)
+
+ # clear the tmp directory
+ master1.clearTmpDir(__file__)
+
+ #
+ # Here we have two instances master and consumer
+ # with replication working. Either coming from a backup recovery
+ # or from a fresh (re)init
+ # Time to return the topology
+ return TopologyMaster1Master2(master1, master2)
+
+def test_ticket47869_init(topology):
+ """
+ It adds an entry ('bind_entry') and 10 test entries
+ It sets the anonymous aci
+
+ """
+ # enable acl error logging
+ mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', str(8192))] # REPL
+ topology.master1.modify_s(DN_CONFIG, mod)
+ topology.master2.modify_s(DN_CONFIG, mod)
+
+ # entry used to bind with
+ topology.master1.log.info("Add %s" % BIND_DN)
+ topology.master1.add_s(Entry((BIND_DN, {
+ 'objectclass': "top person".split(),
+ 'sn': BIND_NAME,
+ 'cn': BIND_NAME,
+ 'userpassword': BIND_PW})))
+ loop = 0
+ while loop <= 10:
+ try:
+ ent = topology.master2.getEntry(BIND_DN, ldap.SCOPE_BASE, "(objectclass=*)")
+ break
+ except ldap.NO_SUCH_OBJECT:
+ time.sleep(1)
+ loop += 1
+
+ # keep anonymous ACI for use 'read-search' aci in SEARCH test
+ ACI_ANONYMOUS = "(targetattr!=\"userPassword\")(version 3.0; acl \"Enable anonymous access\"; allow (read, search, compare) userdn=\"ldap:///anyone\";)"
+ mod = [(ldap.MOD_REPLACE, 'aci', ACI_ANONYMOUS)]
+ topology.master1.modify_s(SUFFIX, mod)
+ topology.master2.modify_s(SUFFIX, mod)
+
+ # add entries
+ for cpt in range(MAX_ENTRIES):
+ name = "%s%d" % (ENTRY_NAME, cpt)
+ mydn = "cn=%s,%s" % (name, SUFFIX)
+ topology.master1.add_s(Entry((mydn,
+ {'objectclass': "top person".split(),
+ 'sn': name,
+ 'cn': name})))
+ loop = 0
+ while loop <= 10:
+ try:
+ ent = topology.master2.getEntry(mydn, ldap.SCOPE_BASE, "(objectclass=*)")
+ break
+ except ldap.NO_SUCH_OBJECT:
+ time.sleep(1)
+ loop += 1
+
+def test_ticket47869_check(topology):
+ '''
+ On Master 1 and 2:
+ Bind as Directory Manager.
+ Search all specifying nscpEntryWsi in the attribute list.
+ Check nscpEntryWsi is returned.
+ On Master 1 and 2:
+ Bind as Bind Entry.
+ Search all specifying nscpEntryWsi in the attribute list.
+ Check nscpEntryWsi is not returned.
+ On Master 1 and 2:
+ Bind as anonymous.
+ Search all specifying nscpEntryWsi in the attribute list.
+ Check nscpEntryWsi is not returned.
+ '''
+ topology.master1.log.info("\n\n######################### CHECK nscpentrywsi ######################\n")
+
+ topology.master1.log.info("##### Master1: Bind as %s #####" % DN_DM)
+ topology.master1.simple_bind_s(DN_DM, PASSWORD)
+
+ topology.master1.log.info("Master1: Calling search_ext...")
+ msgid = topology.master1.search_ext(SUFFIX, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nscpentrywsi'])
+ nscpentrywsicnt = 0
+ rtype, rdata, rmsgid = topology.master1.result2(msgid)
+ topology.master1.log.info("%d results" % len(rdata))
+
+ topology.master1.log.info("Results:")
+ for dn, attrs in rdata:
+ topology.master1.log.info("dn: %s" % dn)
+ if attrs.has_key('nscpentrywsi'):
+ nscpentrywsicnt += 1
+ topology.master1.log.info("Master1: count of nscpentrywsi: %d" % nscpentrywsicnt)
+
+ topology.master2.log.info("##### Master2: Bind as %s #####" % DN_DM)
+ topology.master2.simple_bind_s(DN_DM, PASSWORD)
+
+ topology.master2.log.info("Master2: Calling search_ext...")
+ msgid = topology.master2.search_ext(SUFFIX, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nscpentrywsi'])
+ nscpentrywsicnt = 0
+ rtype, rdata, rmsgid = topology.master2.result2(msgid)
+ topology.master2.log.info("%d results" % len(rdata))
+
+ topology.master2.log.info("Results:")
+ for dn, attrs in rdata:
+ topology.master2.log.info("dn: %s" % dn)
+ if attrs.has_key('nscpentrywsi'):
+ nscpentrywsicnt += 1
+ topology.master2.log.info("Master2: count of nscpentrywsi: %d" % nscpentrywsicnt)
+
+ # bind as bind_entry
+ topology.master1.log.info("##### Master1: Bind as %s #####" % BIND_DN)
+ topology.master1.simple_bind_s(BIND_DN, BIND_PW)
+
+ topology.master1.log.info("Master1: Calling search_ext...")
+ msgid = topology.master1.search_ext(SUFFIX, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nscpentrywsi'])
+ nscpentrywsicnt = 0
+ rtype, rdata, rmsgid = topology.master1.result2(msgid)
+ topology.master1.log.info("%d results" % len(rdata))
+
+ for dn, attrs in rdata:
+ if attrs.has_key('nscpentrywsi'):
+ nscpentrywsicnt += 1
+ assert nscpentrywsicnt == 0
+ topology.master1.log.info("Master1: count of nscpentrywsi: %d" % nscpentrywsicnt)
+
+ # bind as bind_entry
+ topology.master2.log.info("##### Master2: Bind as %s #####" % BIND_DN)
+ topology.master2.simple_bind_s(BIND_DN, BIND_PW)
+
+ topology.master2.log.info("Master2: Calling search_ext...")
+ msgid = topology.master2.search_ext(SUFFIX, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nscpentrywsi'])
+ nscpentrywsicnt = 0
+ rtype, rdata, rmsgid = topology.master2.result2(msgid)
+ topology.master2.log.info("%d results" % len(rdata))
+
+ for dn, attrs in rdata:
+ if attrs.has_key('nscpentrywsi'):
+ nscpentrywsicnt += 1
+ assert nscpentrywsicnt == 0
+ topology.master2.log.info("Master2: count of nscpentrywsi: %d" % nscpentrywsicnt)
+
+ # bind as anonymous
+ topology.master1.log.info("##### Master1: Bind as anonymous #####")
+ topology.master1.simple_bind_s("", "")
+
+ topology.master1.log.info("Master1: Calling search_ext...")
+ msgid = topology.master1.search_ext(SUFFIX, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nscpentrywsi'])
+ nscpentrywsicnt = 0
+ rtype, rdata, rmsgid = topology.master1.result2(msgid)
+ topology.master1.log.info("%d results" % len(rdata))
+
+ for dn, attrs in rdata:
+ if attrs.has_key('nscpentrywsi'):
+ nscpentrywsicnt += 1
+ assert nscpentrywsicnt == 0
+ topology.master1.log.info("Master1: count of nscpentrywsi: %d" % nscpentrywsicnt)
+
+ # bind as bind_entry
+ topology.master2.log.info("##### Master2: Bind as anonymous #####")
+ topology.master2.simple_bind_s("", "")
+
+ topology.master2.log.info("Master2: Calling search_ext...")
+ msgid = topology.master2.search_ext(SUFFIX, ldap.SCOPE_SUBTREE, 'objectclass=*', ['nscpentrywsi'])
+ nscpentrywsicnt = 0
+ rtype, rdata, rmsgid = topology.master2.result2(msgid)
+ topology.master2.log.info("%d results" % len(rdata))
+
+ for dn, attrs in rdata:
+ if attrs.has_key('nscpentrywsi'):
+ nscpentrywsicnt += 1
+ assert nscpentrywsicnt == 0
+ topology.master2.log.info("Master2: count of nscpentrywsi: %d" % nscpentrywsicnt)
+
+ topology.master1.log.info("##### ticket47869 was successfully verified. #####");
+
+def test_ticket47869_final(topology):
+ topology.master1.stop(timeout=10)
+ topology.master2.stop(timeout=10)
+
+def run_isolated():
+ '''
+ run_isolated is used to run these test cases independently of a test scheduler (xunit, py.test..)
+ To run isolated without py.test, you need to
+ - edit this file and comment '@pytest.fixture' line before 'topology' function.
+ - set the installation prefix
+ - run this program
+ '''
+ global installation1_prefix
+ global installation2_prefix
+ installation1_prefix = None
+ installation2_prefix = None
+
+ topo = topology(True)
+ test_ticket47869_init(topo)
+
+ test_ticket47869_check(topo)
+
+ test_ticket47869_final(topo)
+
+if __name__ == '__main__':
+ run_isolated()
+
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/ssl.c | 1 -
1 file changed, 1 deletion(-)
New commits:
commit 36b8a19ca75a71eb0412c4fd5ec7d10920752e8d
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Aug 8 12:39:46 2014 -0700
Ticket #47838 - harden the list of ciphers available by default
Description: Fixed a compiler warning introduced by
commit 13c0d2f7b7850676042fe05c917a7d498135324f
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index cf9643f..72abebd 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -356,7 +356,6 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
PRBool enabled = (flag == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE;
PRBool setme;
const PRUint16 *implementedCiphers = SSL_GetImplementedCiphers();
- SSLCipherSuiteInfo info;
_conf_init_ciphers();