ldap/servers
by thierry bordaz
ldap/servers/plugins/replication/repl5_replica.c | 1 +
ldap/servers/plugins/replication/repl5_updatedn_list.c | 5 ++++-
2 files changed, 5 insertions(+), 1 deletion(-)
New commits:
commit 35f6fb8fca9ed12deadd1d50c65fb0947a7b1768
Author: Thierry Bordaz <tbordaz(a)redhat.com>
Date: Thu May 12 15:38:28 2016 +0200
Ticket 48836 replication session fails because of permission denied
Bug Description:
https://fedorahosted.org/389/ticket/48597 fix introduced a regression where it
tests (in replica_is_updatedn) the returned value of replica_updatedn_list_ismember
against PR_TRUE.
Actually replica_updatedn_list_ismember returns PR_FALSE or a pointer to the found value
but not PR_TRUE.
Fix Description:
replica_updatedn_list_ismember should return PR_TRUE or PR_FALSE, whereas the cast made it return
values that are different from PR_TRUE or PR_FALSE
https://fedorahosted.org/389/ticket/48836
Reviewed by: Noriko Hosoi, Ludwig Krispenz (thanks for your reviews)
Platforms tested: F24
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index f935b9c..5de6a49 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -1155,6 +1155,7 @@ replica_is_updatedn (Replica *r, const Slapi_DN *sdn)
if (r->updatedn_list) {
result = replica_updatedn_list_ismember(r->updatedn_list, sdn);
if (result == PR_TRUE) {
+ /* sdn is present in the updatedn_list */
replica_unlock(r->repl_lock);
return result;
}
diff --git a/ldap/servers/plugins/replication/repl5_updatedn_list.c b/ldap/servers/plugins/replication/repl5_updatedn_list.c
index a6609bc..c04a53f 100644
--- a/ldap/servers/plugins/replication/repl5_updatedn_list.c
+++ b/ldap/servers/plugins/replication/repl5_updatedn_list.c
@@ -284,7 +284,10 @@ replica_updatedn_list_ismember(ReplicaUpdateDNList list, const Slapi_DN *dn)
/* Bug 605169 - null ndn would cause core dump */
if ( ndn ) {
- ret = (PRBool)((uintptr_t)PL_HashTableLookupConst(hash, ndn));
+ if ((uintptr_t)PL_HashTableLookupConst(hash, ndn))
+ ret = PR_TRUE;
+ else
+ ret = PR_FALSE;
}
return ret;
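Review bot: The `(uintptr_t)` cast on the new `if` line is no longer needed once the lookup result only feeds a truth test, and the un-braced if/else is the shape that invites a "goto fail" style mistake later; `ret = (PL_HashTableLookupConst(hash, ndn) != NULL) ? PR_TRUE : PR_FALSE;` expresses the same thing in one braced-free line. The removed line is exactly the kind of cast that reads as correct, so the reason deserves a comment next to the assignment: `/* The lookup yields the stored pointer, not a boolean; never cast it to PRBool (ticket 48836). */`. The declaration of ret and the start of replica_updatedn_list_ismember are outside the hunk.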
Branch '389-ds-base-1.3.4' - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/replication/repl5_replica.c | 2 ++
1 file changed, 2 insertions(+)
New commits:
commit d5a84c41ed1d0686366fb0ed924803248396d22d
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue May 17 12:58:09 2016 -0700
Ticket #47819 - RFE - improve tombstone purging performance
Description: Initialize replica->precise_purging with slapi_counter_new().
https://fedorahosted.org/389/ticket/47819
Reviewed by mreynolds(a)redhat.com (Thanks, Mark!!)
(cherry picked from commit fb390315e3ea49a3bae6fb508333347f8c3a6807)
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index c7cf25f..a339777 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -203,6 +203,7 @@ replica_new_from_entry (Slapi_Entry *e, char *errortext, PRBool is_add_operation
r->protocol_timeout = slapi_counter_new();
r->backoff_min = slapi_counter_new();
r->backoff_max = slapi_counter_new();
+ r->precise_purging = slapi_counter_new();
/* read parameters from the replica config entry */
rc = _replica_init_from_config (r, e, errortext);
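Review bot: r->precise_purging is now allocated before `_replica_init_from_config` runs, so every failure exit between this line and the end of replica_new_from_entry has to release it the same way the other counters are released, presumably by routing through replica_destroy; that body is outside the hunk, so it is worth confirming no early `return` frees r with plain slapi_ch_free. The identical hunk of the original commit fb390315 further down this page has the same question.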
@@ -410,6 +411,7 @@ replica_destroy(void **arg)
slapi_counter_destroy(&r->protocol_timeout);
slapi_counter_destroy(&r->backoff_min);
slapi_counter_destroy(&r->backoff_max);
+ slapi_counter_destroy(&r->precise_purging);
slapi_ch_free((void **)arg);
}
ldap/servers
by Noriko Hosoi
ldap/servers/plugins/replication/repl5_replica.c | 2 ++
1 file changed, 2 insertions(+)
New commits:
commit fb390315e3ea49a3bae6fb508333347f8c3a6807
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue May 17 12:58:09 2016 -0700
Ticket #47819 - RFE - improve tombstone purging performance
Description: Initialize replica->precise_purging with slapi_counter_new().
https://fedorahosted.org/389/ticket/47819
Reviewed by mreynolds(a)redhat.com (Thanks, Mark!!)
diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
index 6562b3b..f935b9c 100644
--- a/ldap/servers/plugins/replication/repl5_replica.c
+++ b/ldap/servers/plugins/replication/repl5_replica.c
@@ -204,6 +204,7 @@ replica_new_from_entry (Slapi_Entry *e, char *errortext, PRBool is_add_operation
r->protocol_timeout = slapi_counter_new();
r->backoff_min = slapi_counter_new();
r->backoff_max = slapi_counter_new();
+ r->precise_purging = slapi_counter_new();
/* read parameters from the replica config entry */
rc = _replica_init_from_config (r, e, errortext);
@@ -411,6 +412,7 @@ replica_destroy(void **arg)
slapi_counter_destroy(&r->protocol_timeout);
slapi_counter_destroy(&r->backoff_min);
slapi_counter_destroy(&r->backoff_max);
+ slapi_counter_destroy(&r->precise_purging);
slapi_ch_free((void **)arg);
}
ldap/servers
by Noriko Hosoi
ldap/servers/plugins/replication/repl5_total.c | 5 +++--
ldap/servers/slapd/plugin.c | 22 +++++++++-------------
2 files changed, 12 insertions(+), 15 deletions(-)
New commits:
commit e6ba94f61c4105403c46c76cd192061955bfd71b
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon May 16 17:08:21 2016 -0700
Ticket #48837 - Replication: total init aborted
Bug Description: Commit 2ecc93781abc786be6a8b8443faf2598a6c30f97 to fix
ticket 48822 broke the logic and forced plugin_call_exop_plugins to
return an error even if the underlying extended plugin was successful.
Fix Description:
In plugin_call_exop_plugins,
- this patch honours the return value from the plugins.
- LDAP_SUCCESS is translated to SLAPI_PLUGIN_EXTENDED_SENT_RESULT.
The extop plugin multimaster_extop_NSDS50ReplicationEntry is fixed to
return SLAPI_PLUGIN_EXTENDED_SENT_RESULT in the case of success.
https://fedorahosted.org/389/ticket/48837
Reviewed by lkrispen(a)redhat.com and wibrown(a)redhat.com (Thank you, Ludwig and William!)
diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c
index 7f7bb15..12b244d 100644
--- a/ldap/servers/plugins/replication/repl5_total.c
+++ b/ldap/servers/plugins/replication/repl5_total.c
@@ -866,8 +866,7 @@ multimaster_extop_NSDS50ReplicationEntry(Slapi_PBlock *pb)
rc, connid, opid);
}
- if (rc != 0)
- {
+ if (rc) {
/* just disconnect from the supplier. bulk import is stopped when
connection object is destroyed */
slapi_pblock_get (pb, SLAPI_CONNECTION, &conn);
@@ -881,6 +880,8 @@ multimaster_extop_NSDS50ReplicationEntry(Slapi_PBlock *pb)
{
slapi_entry_free (e);
}
+ } else {
+ rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
}
return rc;
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index f196d2c..5d63baa 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -527,23 +527,19 @@ plugin_determine_exop_plugins( const char *oid, struct slapdplugin **plugin)
int
plugin_call_exop_plugins( Slapi_PBlock *pb, struct slapdplugin *p )
{
- int rc = LDAP_SUCCESS;
- int lderr = SLAPI_PLUGIN_EXTENDED_NOT_HANDLED;
-
+ int rc;
slapi_pblock_set( pb, SLAPI_PLUGIN, p );
set_db_default_result_handlers( pb );
- if ( (rc = (*p->plg_exhandler)( pb )) == SLAPI_PLUGIN_EXTENDED_SENT_RESULT ) {
- return( rc ); /* result sent */
- } else if ( rc != SLAPI_PLUGIN_EXTENDED_NOT_HANDLED ) {
- /*
- * simple merge: report last real error
+ rc = (*p->plg_exhandler)( pb );
+ if (LDAP_SUCCESS == rc) {
+ /*
+ * Some plugin may return LDAP_SUCCESS in the success case.
+ * It is translated to SLAPI_PLUGIN_EXTENDED_SENT_RESULT to
+ * reduce the unnecessary error logs.
*/
- if ( rc != LDAP_SUCCESS ) {
- lderr = rc;
- }
+ rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT;
}
-
- return( lderr );
+ return (rc);
}
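Review bot: The new `if (LDAP_SUCCESS == rc)` translation silently assumes the handler has already sent a result to the client; a plugin that returns LDAP_SUCCESS without having sent one would now be reported as SLAPI_PLUGIN_EXTENDED_SENT_RESULT, where the old code returned through lderr, and if the caller treats SENT_RESULT as "nothing more to send" the operation goes unanswered. The comment added here should state that contract rather than the logging motivation, e.g. `* A plugin returning LDAP_SUCCESS must have sent the result itself; the caller will not send one.`. Every other non-zero code, including SLAPI_PLUGIN_EXTENDED_NOT_HANDLED, is now passed straight through, so the function's header comment (outside the hunk) should list the possible return values.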
ldap/servers
by William Brown
ldap/servers/slapd/back-ldbm/start.c | 127 +++++++++++++++++++++++++----------
ldap/servers/slapd/util.c | 4 -
2 files changed, 95 insertions(+), 36 deletions(-)
New commits:
commit 9eee3a8e06978a081c302ba8907af9e84d3c3cf2
Author: William Brown <firstyear(a)redhat.com>
Date: Wed May 11 09:09:29 2016 +1000
Ticket 48617 - Server ram checks work in isolation
Bug Description: Previously we would check all server cache allocations in
isolation. We would only know if a single cache would exceed our system ram.
This meant if you had many backends, it was possible to configure each of them with
75% of the system ram and still have a valid configuration, even though it increased
the risk of oom.
Fix Description: Now, all backends are checked in isolation *and* they are checked
as a whole, regardless of manual or auto tuning. This also improves the auto
tuning system to check its request, and to LOWER it if it is in excess of the
system ram. IE auto tuning a server should never be able to create an OOM
condition.
https://fedorahosted.org/389/ticket/48617
Author: wibrown
Review by: nhosoi (Thanks!)
diff --git a/ldap/servers/slapd/back-ldbm/start.c b/ldap/servers/slapd/back-ldbm/start.c
index 5058942..17d9228 100644
--- a/ldap/servers/slapd/back-ldbm/start.c
+++ b/ldap/servers/slapd/back-ldbm/start.c
@@ -35,6 +35,10 @@ ldbm_back_start( Slapi_PBlock *pb )
char *home_dir;
int action;
int retval;
+ int issane = 0;
+ PRUint64 total_cache_size = 0;
+ size_t pagesize, pages, procpages, availpages;
+ char *msg; /* This will be set by one of the two cache sizing paths below. */
LDAPDebug( LDAP_DEBUG_TRACE, "ldbm backend starting\n", 0, 0, 0 );
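Review bot: `char *msg;` is declared without an initializer, yet its only assignments are inside the two cache-sizing branches further down, and the final sanity check added at the end of this function passes msg to LDAPDebug; on any path that takes neither branch (the "bad settings" path, a util_info_sys_pages failure, or a negative li_cache_autosize) that is a read of an indeterminate pointer. Initialize it, `char *msg = NULL;`, and have the final check print it only when it is non-NULL. The same concern applies to `pagesize` and `availpages`, which this commit moves to function scope but which are only assigned by util_info_sys_pages inside the else branch; `size_t pagesize = 0, pages = 0, procpages = 0, availpages = 0;` at least makes the failure path deterministic. ldbm_back_start continues well beyond this hunk.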
@@ -116,8 +120,6 @@ ldbm_back_start( Slapi_PBlock *pb )
LDAPDebug( LDAP_DEBUG_ANY, "cache autosizing: bad settings, "
"value or sum of values can not larger than 100.\n", 0, 0, 0 );
} else {
- size_t pagesize, pages, procpages, availpages;
-
if (util_info_sys_pages(&pagesize, &pages, &procpages, &availpages) != 0) {
LDAPDebug( LDAP_DEBUG_ANY, "start: Unable to determine system page limits\n",
0, 0, 0 );
@@ -130,47 +132,73 @@ ldbm_back_start( Slapi_PBlock *pb )
Object *inst_obj;
ldbm_instance *inst;
PRUint64 cache_size;
+ PRUint64 dncache_size;
PRUint64 db_size;
- PRUint64 total_cache_size = 0;
+#ifndef LINUX
PRUint64 memsize = pages * pagesize;
- PRUint64 extra = 0; /* e.g., dncache size */
-
- for (inst_obj = objset_first_obj(li->li_instance_set); inst_obj;
- inst_obj = objset_next_obj(li->li_instance_set, inst_obj)) {
- inst = (ldbm_instance *)object_get_data(inst_obj);
- cache_size = (PRUint64)cache_get_max_size(&(inst->inst_cache));
- db_size = dblayer_get_id2entry_size(inst);
- if (cache_size < db_size) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "WARNING: %s: entry cache size %" NSPRIu64 "B is "
- "less than db size %" NSPRIu64 "B; "
- "We recommend to increase the entry cache size "
- "nsslapd-cachememsize.\n",
- inst->inst_name, cache_size, db_size);
- } else {
+#endif
+ if (li->li_cache_autosize == 0) {
+ /* First, set our message. */
+ msg = "This can be corrected by altering the values of nsslapd-dbcachesize, nsslapd-cachememsize and nsslapd-dncachememsize\n";
+
+ for (inst_obj = objset_first_obj(li->li_instance_set); inst_obj;
+ inst_obj = objset_next_obj(li->li_instance_set, inst_obj)) {
+ inst = (ldbm_instance *)object_get_data(inst_obj);
+ cache_size = (PRUint64)cache_get_max_size(&(inst->inst_cache));
+ db_size = dblayer_get_id2entry_size(inst);
+ if (cache_size < db_size) {
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "WARNING: %s: entry cache size %llu B is "
+ "less than db size %llu B; "
+ "We recommend to increase the entry cache size "
+ "nsslapd-cachememsize.\n",
+ inst->inst_name, cache_size, db_size);
+ } else {
+ LDAPDebug(LDAP_DEBUG_BACKLDBM,
+ "%s: entry cache size: %llu B; db size: %llu B\n",
+ inst->inst_name, cache_size, db_size);
+ }
+ /* Get the dn_cachesize */
+ dncache_size = (PRUint64)cache_get_max_size(&(inst->inst_dncache));
+ total_cache_size += cache_size + dncache_size;
LDAPDebug(LDAP_DEBUG_BACKLDBM,
- "%s: entry cache size: %" NSPRIu64 "B; db size: %" NSPRIu64 "B\n",
- inst->inst_name, cache_size, db_size);
+ "total cache size: %llu B; \n",
+ total_cache_size, 0 ,0 );
}
- total_cache_size += cache_size;
- /* estimated overhead: dncache size * 2 */
- extra += (PRUint64)cache_get_max_size(&(inst->inst_dncache)) * 2;
- }
- LDAPDebug(LDAP_DEBUG_BACKLDBM,
- "Total entry cache size: %" NSPRIu64 "B; "
- "dbcache size: %" NSPRIu64 "B; "
- "available memory size: %" NSPRIu64 "B\n",
- total_cache_size, (PRUint32)li->li_dbcachesize, memsize - extra);
+ LDAPDebug(LDAP_DEBUG_BACKLDBM,
+ "Total entry cache size: %llu B; "
+ "dbcache size: %llu B; "
+ "available memory size: %llu B; \n",
+#ifdef LINUX
+ (PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, availpages * pagesize
+#else
+ (PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, memsize
+#endif
+ );
+
/* autosizing dbCache and entryCache */
- if (li->li_cache_autosize > 0) {
+ } else if (li->li_cache_autosize > 0) {
+ msg = "This can be corrected by altering the values of nsslapd-cache-autosize, nsslapd-cache-autosize-split and nsslapd-dncachememsize\n";
zone_pages = (li->li_cache_autosize * pages) / 100;
- /* now split it according to user prefs */
+ size_t zone_size = zone_pages * pagesize;
+ /* This is how much we "might" use, lets check it's sane. */
+ /* In the case it is not, this will *reduce* the allocation */
+ issane = util_is_cachesize_sane(&zone_size);
+ if (!issane) {
+ LDAPDebug(LDAP_DEBUG_ANY, "Your autosized cache values have been reduced. Likely your nsslapd-cache-autosize percentage is too high.\n", 0,0,0);
+ LDAPDebug(LDAP_DEBUG_ANY, msg, 0,0,0);
+ }
+ /* It's valid, lets divide it up and set according to user prefs */
+ zone_pages = zone_size / pagesize;
db_pages = (li->li_cache_autosize_split * zone_pages) / 100;
- /* fudge an extra instance into our calculations... */
- entry_pages = (zone_pages - db_pages) /
- (objset_size(li->li_instance_set) + 1);
+ entry_pages = (zone_pages - db_pages) / objset_size(li->li_instance_set);
+ /* We update this for the is-sane check below. */
+ total_cache_size = (zone_pages - db_pages) * pagesize;
+
LDAPDebug(LDAP_DEBUG_ANY, "cache autosizing. found %dk physical memory\n",
pages*(pagesize/1024), 0, 0);
+ LDAPDebug(LDAP_DEBUG_ANY, "cache autosizing. found %dk avaliable\n",
+ zone_pages*(pagesize/1024), 0, 0);
LDAPDebug(LDAP_DEBUG_ANY, "cache autosizing: db cache: %dk, "
"each entry cache (%d total): %dk\n",
db_pages*(pagesize/1024), objset_size(li->li_instance_set),
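Review bot: `entry_pages = (zone_pages - db_pages) / objset_size(li->li_instance_set);` drops the `+ 1` the removed line carried, so a backend with zero instances now divides by zero instead of merely over-reserving; guard it, `int ninst = objset_size(li->li_instance_set); entry_pages = ninst ? (zone_pages - db_pages) / ninst : 0;`. Separately, the `%llu` conversions replace `NSPRIu64`, which was the portable specifier for PRUint64, so the log calls now rely on PRUint64 and unsigned long long having the same size, and the `(PRUint64)` casts added in the LDAPDebug argument lists do not change that. `LDAPDebug(LDAP_DEBUG_ANY, msg, 0,0,0)` also passes msg as the format string; it is a constant today, but `"%s", msg` costs nothing and keeps format checking meaningful.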
@@ -193,6 +221,10 @@ ldbm_back_start( Slapi_PBlock *pb )
cache_set_max_entries(&(inst->inst_cache), -1);
cache_set_max_size(&(inst->inst_cache),
li->li_cache_autosize_ec, CACHE_TYPE_ENTRY);
+ /* We need to get each instances dncache size to add to the total */
+ /* Else we can't properly check the cache allocations below */
+ /* Trac 48831 exists to allow this to be auto-sized too ... */
+ total_cache_size += (PRUint64)cache_get_max_size(&(inst->inst_dncache));
}
}
/* autosizing importCache */
@@ -202,6 +234,10 @@ ldbm_back_start( Slapi_PBlock *pb )
li->li_import_cache_autosize = 50;
}
import_pages = (li->li_import_cache_autosize * pages) / 100;
+ size_t import_size = import_pages * pagesize;
+ issane = util_is_cachesize_sane(&import_size);
+ /* We just accept the reduced allocation here. */
+ import_pages = import_size / pagesize;
LDAPDebug(LDAP_DEBUG_ANY, "cache autosizing: import cache: %dk \n",
import_pages*(pagesize/1024), NULL, NULL);
@@ -211,6 +247,29 @@ ldbm_back_start( Slapi_PBlock *pb )
}
}
+ /* Finally, lets check that the total result is sane. */
+
+ size_t total_size = total_cache_size + (PRUint64)li->li_dbcachesize;
+ issane = util_is_cachesize_sane(&total_size);
+ if (!issane) {
+ /* Right, it's time to panic */
+ LDAPDebug( LDAP_DEBUG_ANY, "CRITICAL: It is highly likely your memory configuration will EXCEED your systems memory.\n", 0, 0, 0 );
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "Total entry cache size: %llu B; "
+ "dbcache size: %llu B; "
+ "available memory size: %llu B; \n",
+#ifdef LINUX
+ (PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, availpages * pagesize
+#else
+ (PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, memsize
+#endif
+ );
+ LDAPDebug(LDAP_DEBUG_ANY, msg, 0,0,0);
+ return SLAPI_FAIL_GENERAL;
+ }
+
+
+
retval = check_db_version(li, &action);
if (0 != retval)
{
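Review bot: The `#else` arm of the new LDAPDebug call reads `memsize`, but the only `memsize` this commit declares sits inside the inner else block of the autosize settings check earlier in the function, several scopes above this point, so on a non-LINUX build this looks like an undeclared identifier; a function-scope `PRUint64 memsize = 0;` next to the other new declarations, assigned where pages and pagesize are known, would fix it. The three empty `+` lines before `retval = check_db_version(li, &action);` can go. The enclosing ldbm_back_start ends outside the hunk.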
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index f297176..b0fd73b 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -1784,10 +1784,10 @@ int util_is_cachesize_sane(size_t *cachesize)
(unsigned long)cachepages,(unsigned long)availpages,0);
if (!issane) {
- /* Since we are ask for more than what's available, we give half of
+ /* Since we are ask for more than what's available, we give 3/4 of the remaining.
* the remaining system mem to the cachesize instead, and log a warning
*/
- *cachesize = (size_t)((availpages / 2) * pagesize);
+ *cachesize = (size_t)((availpages * 0.75 ) * pagesize);
slapi_log_error(SLAPI_LOG_FATAL, "util_is_cachesize_sane", "WARNING adjusted cachesize to %lu\n", (unsigned long)*cachesize);
}
#else
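Review bot: The edited comment now reads "we give 3/4 of the remaining. * the remaining system mem to the cachesize instead", because the first line was rewritten but its continuation was not, so the sentence no longer parses; replace the whole comment with `/* Asked for more than is available: give 3/4 of the remaining system memory to the cachesize instead, and log a warning. */`. The arithmetic also moved from integer to floating point; `*cachesize = (size_t)((availpages / 4) * 3 * pagesize);` keeps the value integral and avoids the double round-trip. util_is_cachesize_sane starts before the hunk.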
ldap/admin
by Mark Reynolds
ldap/admin/src/scripts/repl-monitor.pl.in | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
New commits:
commit 77e6044ee5e44fa86e44280d46f36d63a30458b0
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu May 12 16:10:02 2016 -0400
Ticket 48220 - The "repl-monitor" web page does not display "year" in date.
Bug Description: The year is not displayed in the header when the day
is less than 10. Appears to be an issue with localtime().
Fix Description: Use strftime instead for displaying the date.
https://fedorahosted.org/389/ticket/48220
Reviewed by: nhosoi(Thanks!)
diff --git a/ldap/admin/src/scripts/repl-monitor.pl.in b/ldap/admin/src/scripts/repl-monitor.pl.in
index a670610..0964ae0 100755
--- a/ldap/admin/src/scripts/repl-monitor.pl.in
+++ b/ldap/admin/src/scripts/repl-monitor.pl.in
@@ -166,6 +166,7 @@ use Mozilla::LDAP::Conn; # LDAP module for Perl
use Mozilla::LDAP::Utils qw(normalizeDN); # LULU, utilities.
use Mozilla::LDAP::API qw(:api :ssl :apiv3 :constant); # Direct access to C API
use Time::Local; # to convert GMT Z strings to localtime
+use POSIX;
#
# Global variables
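Review bot: `use POSIX;` pulls the entire POSIX export list into the script's namespace, while the later hunk only needs strftime; `use POSIX qw(strftime);` documents the dependency and avoids shadowing any same-named sub. A short comment on why it is needed would also help, e.g. `# strftime: localtime() formatting dropped the year for days < 10 (ticket 48220)`.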
@@ -206,7 +207,7 @@ my %ld;
my ($opt_f, $opt_h, $opt_p, $opt_u, $opt_t, $opt_r, $opt_s);
my (@conns, @alias, @color);
-my ($section, $interval, $nowraw, $now, $mm, $dd, $tt, $yy, $wday);
+my ($section, $interval, $now, $mm, $dd, $tt, $yy, $wday);
my ($fn, $rc, $prompt, $last_sidx);
my $supplierUrl = "";
my %passwords = ();
@@ -242,9 +243,7 @@ $prompt = "";
$interval = 300 if ( !$interval || $interval <= 0 );
# Get current date/time
- $nowraw = localtime();
- ($wday, $mm, $dd, $tt, $yy) = split(/ /, $nowraw);
- $now = "$wday $mm $dd $yy $tt";
+ $now = strftime "%a %b %e %Y %H:%M:%S", localtime;
# if no -r (Reenter and skip html header), print html header
if (!$opt_r) {
VERSION.sh
by Noriko Hosoi
VERSION.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit af9de3071795b94560cab711957eaded5cf6bf67
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed May 11 16:18:11 2016 -0700
bump version to 1.1.43
diff --git a/VERSION.sh b/VERSION.sh
index bf55ea2..cd76f32 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -11,7 +11,7 @@ vendorurl=http://port389.org
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=1
-VERSION_MAINT=42
+VERSION_MAINT=43
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
build.properties win/VERSION.mak
by Noriko Hosoi
build.properties | 2 +-
win/VERSION.mak | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
New commits:
commit 6811bc4820a6ad7cd078c96c19d61e6c26562afe
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed May 11 15:38:03 2016 -0700
version 1.1.16
Updated the value of PKGGUID and OLDGUID with uuidgen.
diff --git a/build.properties b/build.properties
index a275820..e968e7a 100644
--- a/build.properties
+++ b/build.properties
@@ -23,7 +23,7 @@ lang=en
console.root=.
console.version=11
-console.dotversion=1.1.15
+console.dotversion=1.1.16
console.dotgenversion=1.1
theme.core=389-console
diff --git a/win/VERSION.mak b/win/VERSION.mak
index 30f196d..6c8c80f 100644
--- a/win/VERSION.mak
+++ b/win/VERSION.mak
@@ -7,18 +7,18 @@ BRANDNOSPACE=389
# this is the vendor or manufacturer
VENDOR=389 Project
# the version
-VERSION=1.1.15
+VERSION=1.1.16
# the name of the product - this is used in the title of the
# installer, in the name of the folder, and in the name
# of the shortcuts
PRODUCTNAME=$(BRAND) Management Console
# this is the GUID of the package - must be changed
# when the version is changed - use uuidgen -n1
-PKGGUID=595875D5-C97E-442B-8C8C-66DD2A4583B4
+PKGGUID=DF505B7B-9D6A-4F39-8E50-A26434B05C02
# the upgrade GUID should usually not be changed
UPGRADEGUID=7EA828C0-C219-438d-9BB3-3418DC900D60
# guid of old version to be removed
-OLDGUID=3D26B463-9543-49F3-954E-C9AA3A76EC3A
+OLDGUID=595875D5-C97E-442B-8C8C-66DD2A4583B4
OLDSHORTCUT=Fedora IDM Console.lnk
OLDPROGRAMFOLDER=Fedora Identity Management Console
# filename prefix for certain branded jar and script files
dirsrvtests/tests
by William Brown
dirsrvtests/tests/suites/gssapi_repl/gssapi_repl_test.py | 216 +++++++++++++++
1 file changed, 216 insertions(+)
New commits:
commit 2a32cab7ad3aa0aff1ab1a81a3a96334be0525f8
Author: William Brown <firstyear(a)redhat.com>
Date: Wed May 11 13:37:18 2016 +1000
Ticket 48829 - Add gssapi sasl replication bind test
Bug Description: We previously had no way to test if replication via a gssapi
agreement was working.
Fix Description: This adds a test case capable of creating a gssapi environment
and binding the accounts for replication.
https://fedorahosted.org/389/ticket/48829
Author: wibrown
Review by: spichugi (Thanks!)
diff --git a/dirsrvtests/tests/suites/gssapi_repl/gssapi_repl_test.py b/dirsrvtests/tests/suites/gssapi_repl/gssapi_repl_test.py
new file mode 100644
index 0000000..57f670f
--- /dev/null
+++ b/dirsrvtests/tests/suites/gssapi_repl/gssapi_repl_test.py
@@ -0,0 +1,216 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+from lib389.mit_krb5 import MitKrb5
+
+
+#########################################
+#
+# WARNING!!!!! If this test is failing, and your here to find out why, the
+# reason is very likely your hosts file!!!!
+#
+# IT MUST LOOK LIKE THIS BELOW: Note the unique IPS for each kdc name!
+#
+# 127.0.0.1 ldapkdc.example.com localhost
+# 127.0.1.1 ldapkdc1.example.com
+# 127.0.2.1 ldapkdc2.example.com
+#
+#########################################
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+REALM = "EXAMPLE.COM"
+
+HOST_MASTER_1 = 'ldapkdc1.example.com'
+HOST_MASTER_2 = 'ldapkdc2.example.com'
+
+class TopologyReplication(object):
+ def __init__(self, master1, master2):
+ master1.open()
+ self.master1 = master1
+ master2.open()
+ self.master2 = master2
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ # Create the realm first
+ krb = MitKrb5(realm=REALM)
+ if krb.check_realm():
+ krb.destroy_realm()
+ krb.create_realm()
+ DEBUG = False
+
+ # Creating master 1...
+ master1 = DirSrv(verbose=DEBUG)
+ args_instance[SER_HOST] = HOST_MASTER_1
+ args_instance[SER_PORT] = PORT_MASTER_1
+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_1
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_instance[SER_REALM] = REALM
+ args_instance[SER_STRICT_HOSTNAME_CHECKING] = False
+ args_master = args_instance.copy()
+ master1.allocate(args_master)
+ instance_master1 = master1.exists()
+ if instance_master1:
+ master1.delete()
+ master1.create() # There is some magic in .create that finds the realm, and adds the keytab for us.
+ master1.open()
+ master1.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_1)
+
+ # Creating master 2...
+ master2 = DirSrv(verbose=DEBUG)
+ args_instance[SER_HOST] = HOST_MASTER_2
+ args_instance[SER_PORT] = PORT_MASTER_2
+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_2
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_instance[SER_REALM] = REALM
+ args_instance[SER_STRICT_HOSTNAME_CHECKING] = False
+ args_master = args_instance.copy()
+ master2.allocate(args_master)
+ instance_master2 = master2.exists()
+ if instance_master2:
+ master2.delete()
+ master2.create()
+ master2.open()
+ master2.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_2)
+
+ # Delete each instance in the end
+ def fin():
+ master1.delete()
+ master2.delete()
+ if krb.check_realm():
+ krb.destroy_realm()
+ #request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ master1.clearTmpDir(__file__)
+
+ return TopologyReplication(master1, master2)
+
+def _create_machine_ou(inst):
+ inst.add_s( Entry(( "ou=Machines,%s" % DEFAULT_SUFFIX, {
+ 'objectClass' : 'top organizationalUnit'.split(),
+ 'ou' : 'Machines'
+ }
+ ))
+ )
+
+def _create_machine_account(inst, name):
+ # Create the simple security objects for the servers to replicate to
+ inst.add_s( Entry(( "uid=%s,ou=Machines,%s" % (name, DEFAULT_SUFFIX),
+ {
+ 'objectClass' : 'top account'.split(),
+ 'uid' : name
+ }
+ )))
+
+def _check_machine_account(inst, name):
+ r = inst.search_s( 'ou=Machines,%s' % DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=%s)' % name)
+ if len(r) > 0:
+ return True
+ return False
+
+def _allow_machine_account(inst, name):
+ # First we need to get the mapping tree dn
+ mt = inst.mappingtree.list(suffix=DEFAULT_SUFFIX)[0]
+ inst.modify_s('cn=replica,%s' % mt.dn, [
+ (ldap.MOD_REPLACE, 'nsDS5ReplicaBindDN', "uid=%s,ou=Machines,%s" % (name, DEFAULT_SUFFIX))
+ ])
+
+def test_gssapi_repl(topology):
+ """
+ Create a kdc, then using that, provision two masters which have a gssapi
+ authenticated replication agreement.
+ """
+
+ master1 = topology.master1
+ master2 = topology.master2
+
+
+ # Create the locations on each master for the other to bind to.
+ _create_machine_ou(master1)
+ _create_machine_ou(master2)
+
+ _create_machine_account(master1, 'ldap/%s' % HOST_MASTER_1)
+ _create_machine_account(master1, 'ldap/%s' % HOST_MASTER_2)
+ _create_machine_account(master2, 'ldap/%s' % HOST_MASTER_1)
+ _create_machine_account(master2, 'ldap/%s' % HOST_MASTER_2)
+
+ # Set on the cn=replica config to accept the other masters princ mapping under mapping tree
+ _allow_machine_account(master1, 'ldap/%s' % HOST_MASTER_2)
+ _allow_machine_account(master2, 'ldap/%s' % HOST_MASTER_1)
+
+ #
+ # Create all the agreements
+ #
+ # Creating agreement from master 1 to master 2
+
+ # Set the replica bind method to sasl gssapi
+ properties = {RA_NAME: r'meTo_$host:$port',
+ RA_METHOD: 'SASL/GSSAPI',
+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]}
+ m1_m2_agmt = master1.agreement.create(suffix=SUFFIX, host=master2.host, port=master2.port, properties=properties)
+ if not m1_m2_agmt:
+ log.fatal("Fail to create a master -> master replica agreement")
+ sys.exit(1)
+ log.debug("%s created" % m1_m2_agmt)
+
+ # Creating agreement from master 2 to master 1
+
+ # Set the replica bind method to sasl gssapi
+ properties = {RA_NAME: r'meTo_$host:$port',
+ RA_METHOD: 'SASL/GSSAPI',
+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]}
+ m2_m1_agmt = master2.agreement.create(suffix=SUFFIX, host=master1.host, port=master1.port, properties=properties)
+ if not m2_m1_agmt:
+ log.fatal("Fail to create a master -> master replica agreement")
+ sys.exit(1)
+ log.debug("%s created" % m2_m1_agmt)
+
+ # Allow the replicas to get situated with the new agreements...
+ time.sleep(5)
+
+ #
+ # Initialize all the agreements
+ #
+ master1.agreement.init(SUFFIX, HOST_MASTER_2, PORT_MASTER_2)
+ master1.waitForReplInit(m1_m2_agmt)
+
+ # Check replication is working...
+ if master1.testReplication(DEFAULT_SUFFIX, master2):
+ log.info('Replication is working.')
+ else:
+ log.fatal('Replication is not working.')
+ assert False
+
+ # Add a user to master 1
+ _create_machine_account(master1, 'http/one.example.com')
+ # Check it's on 2
+ time.sleep(5)
+ assert(_check_machine_account(master2, 'http/one.example.com'))
+ # Add a user to master 2
+ _create_machine_account(master2, 'http/two.example.com')
+ # Check it's on 1
+ time.sleep(5)
+ assert(_check_machine_account(master2, 'http/two.example.com'))
+
+
+ log.info('Test complete')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
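Review bot: The last assertion checks the wrong master: `http/two.example.com` is added to master2 and the comment says "Check it's on 1", but the line reads `assert(_check_machine_account(master2, 'http/two.example.com'))`, which passes even if replication from master2 to master1 never happens; it should be `assert(_check_machine_account(master1, 'http/two.example.com'))`. `#request.addfinalizer(fin)` is commented out, so the two instances and the KDC realm are never torn down after the run. The `sys.exit(1)` calls inside the test are better expressed as `pytest.fail(...)`, and the fixed `time.sleep(5)` waits make the result timing-dependent; a bounded poll would be more robust.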
Branch '389-ds-base-1.2.11' - ldap/schema ldap/servers
by Noriko Hosoi
ldap/schema/01core389.ldif | 5 ++-
ldap/servers/slapd/ssl.c | 71 ++++++++++++++++++++++++++++++++++++++-------
2 files changed, 65 insertions(+), 11 deletions(-)
New commits:
commit 6111400a7b21785823e16b1071fc29bc21542213
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue May 10 14:41:10 2016 -0700
Ticket #48816 - (1.2.11 only) add a nsTLS1.0 on or off new configuration parameter to cn=encryption,cn=config in RHEL 6 389-ds-base
Description: 389-ds-base-1.2.11 has no way to disable TLS1.0. This patch is
adding config params nsTLS10, nsTLS11 and nsTLS12 to cn=encryption,cn=config
so that the definition of nsTLS1 remains intact if the new parameters are not
specified explicitly. If nsTLS10, nsTLS11 or nsTLS12 appear in the config
entry, nsTLS1 is ignored and the new parameters are added.
Default values:
nsTLS1: on
nsTLS10,nsTLS11,nsTLS12: ignored
Examples:
cn=encryption,cn=config
[no SSL version settings]
==> sslVersionMin: TLS1.0
cn=encryption,cn=config
nsTLS1: on
==> sslVersionMin: TLS1.0
cn=encryption,cn=config
nsTLS1: on | off
nsTLS10: on
==> sslVersionMin: TLS1.0
==> Note: nsTLS1 is ignored.
cn=encryption,cn=config
nsTLS11: on
==> sslVersionMin: TLS1.1
cn=encryption,cn=config
nsTLS12: on
==> sslVersionMin: TLS1.2
Special cases:
If all SSL version config parameters are off, SSL fails to configure.
cn=encryption,cn=config
nsTLS10: off
nsTLS11: off
nsTLS12: off
nsTLS1: off
==> SSL configuration fails.
==> Note: nsSSL3 is off by default.
cn=encryption,cn=config
nsTLS10: on
nsTLS12: off
==> sslVersionMin: TLS1.0
==> Note: nsTLS12 is ignored.
Even if off is set to the higher SSL version as in this example,
it is not used as sslVersionMax, but it is ignored.
https://fedorahosted.org/389/ticket/48816
Thanks so much for the ideas, comments and discussions, William, Ludwig, and Mark!!
Final review was made by wibrown(a)redhat.com (Thank you, William!!)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index 8f366a8..4ae6967 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -119,6 +119,9 @@ attributeTypes: ( nsKeyfile-oid NAME 'nsKeyfile' DESC 'Netscape defined attribut
attributeTypes: ( nsSSL2-oid NAME 'nsSSL2' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSL3-oid NAME 'nsSSL3' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsTLS1-oid NAME 'nsTLS1' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS10-oid NAME 'nsTLS10' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS11-oid NAME 'nsTLS11' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( nsTLS12-oid NAME 'nsTLS12' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSLClientAuth-oid NAME 'nsSSLClientAuth' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSLSessionTimeout-oid NAME 'nsSSLSessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
@@ -171,5 +174,5 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsTLS10 $ nsTLS11 $ nsTLS12 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index fcf7ba9..54ba16a 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1058,6 +1058,9 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
Slapi_Entry *e = NULL;
PRBool enableSSL2 = PR_FALSE;
PRBool enableSSL3 = PR_FALSE;
+ int enableTLS10 = -1;
+ int enableTLS11 = -1;
+ int enableTLS12 = -1;
PRBool enableTLS1 = PR_TRUE;
PRBool fipsMode = PR_FALSE;
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
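Review bot: The three new `int enableTLS1x = -1` declarations introduce a tri-state next to the `PRBool` flags around them, and nothing in the hunk records what the three values mean; a reader has to reconstruct it from the `>= 0` and `> 0` tests in the later hunk. Suggest a comment on each, e.g. `int enableTLS10 = -1; /* -1: nsTLS10 not set, 0: off, 1: on */`. Since the only consumer visible in this commit sits under `#if !defined(NSS_TLS10)`, builds with NSS_TLS10 defined may get set-but-unused warnings for them — worth checking. slapd_ssl_init2 starts and ends outside this hunk.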
@@ -1414,6 +1417,39 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
}
slapi_ch_free_string( &val );
+ val = slapi_entry_attr_get_charptr( e, "nsTLS10" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableTLS10 = 0;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableTLS10 = 1;
+ } else {
+ enableTLS10 = slapi_entry_attr_get_bool(e, "nsTLS10")?1:0;
+ }
+ }
+ slapi_ch_free_string( &val );
+ val = slapi_entry_attr_get_charptr( e, "nsTLS11" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableTLS11 = 0;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableTLS11 = 1;
+ } else {
+ enableTLS11 = slapi_entry_attr_get_bool(e, "nsTLS11")?1:0;
+ }
+ }
+ slapi_ch_free_string( &val );
+ val = slapi_entry_attr_get_charptr( e, "nsTLS12" );
+ if ( val ) {
+ if ( !strcasecmp( val, "off" ) ) {
+ enableTLS12 = 0;
+ } else if ( !strcasecmp( val, "on" ) ) {
+ enableTLS12 = 1;
+ } else {
+ enableTLS12 = slapi_entry_attr_get_bool(e, "nsTLS12")?1:0;
+ }
+ }
+ slapi_ch_free_string( &val );
val = slapi_entry_attr_get_charptr( e, "nsTLS1" );
if ( val ) {
if ( !strcasecmp( val, "off" ) ) {
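Review bot: The three parse blocks added for nsTLS10, nsTLS11 and nsTLS12 are copy-pasted with only the attribute name and target variable changing, and the same shape is repeated for nsTLS1 just below; a static helper would keep the on/off/get_bool fallback in one place and make the tri-state contract explicit. The fallback `slapi_entry_attr_get_bool(e, ...)?1:0` for values other than `on`/`off` maps an unrecognised string (a typo such as `of`) to whatever get_bool returns without telling anyone, so a log line naming the attribute and the rejected value would help an operator who believes a version has been disabled. slapd_ssl_init2 continues outside the hunk; the helper below would go at file scope.
```c
/* Parse an on/off attribute into a tri-state: -1 not set, 0 off, 1 on. */
static int
slapd_ssl_tristate_attr(Slapi_Entry *e, const char *attr)
{
    int rc = -1;
    char *val = slapi_entry_attr_get_charptr(e, attr);
    if (val) {
        if (!strcasecmp(val, "off")) {
            rc = 0;
        } else if (!strcasecmp(val, "on")) {
            rc = 1;
        } else {
            rc = slapi_entry_attr_get_bool(e, attr) ? 1 : 0;
        }
    }
    slapi_ch_free_string(&val);
    return rc;
}

/* … in slapd_ssl_init2, replacing the three nsTLS1x blocks … */
    enableTLS10 = slapd_ssl_tristate_attr(e, "nsTLS10");
    enableTLS11 = slapd_ssl_tristate_attr(e, "nsTLS11");
    enableTLS12 = slapd_ssl_tristate_attr(e, "nsTLS12");
```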
@@ -1430,25 +1466,40 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
if (NSSVersionMin > 0) {
char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
+ NSSVersionMax = enabledNSSVersions.max;
/* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */
- if (enableTLS1) {
+ if ((enableTLS10 >= 0) || (enableTLS11 >= 0) || (enableTLS12 >= 0)) {
+ if (enableTLS10 > 0) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+ } else if (enableTLS11 > 0) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1;
+ } else if (enableTLS12 > 0) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
+ } else if (enableTLS1) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
+ } else if (enableSSL3) {
+ NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
+ NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
+ } else {
+ slapd_SSL_error("SSL Initialization 2: all SSL version parameters are off. "
+ "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12.");
+ return 0;
+ }
+ } else if (enableTLS1) {
NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
- } else {
+ } else if (enableSSL3) {
NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
NSSVersionMax = SSL_LIBRARY_VERSION_3_0;
- }
- if (enableSSL3) {
- NSSVersionMin = SSL_LIBRARY_VERSION_3_0;
- } else if (!enableTLS1) {
- slapd_SSL_error("SSL Initialization 2: Both nsSSL3 and nsTLS1 are off. Enabling nsTLS1.");
- NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
- NSSVersionMax = enabledNSSVersions.max;
+ } else {
+ slapd_SSL_error("SSL Initialization 2: all SSL version parameters are off. "
+ "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12.");
+ return 0;
}
slapdNSSVersions.min = NSSVersionMin;
slapdNSSVersions.max = NSSVersionMax;
(void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin));
(void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax));
- slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization",
+ slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization",
"Configured SSL version range: min: %s, max: %s\n",
mymin, mymax);
sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);
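Review bot: An explicit `nsTLS10: off` with nsTLS11 and nsTLS12 unset is silently overridden in the inner chain: none of the `> 0` branches match, so control falls into `else if (enableTLS1)` and sets NSSVersionMin back to SSL_LIBRARY_VERSION_TLS_1_0 whenever nsTLS1 is on (its default is PR_TRUE in the first hunk), so TLS 1.0 stays offered although the administrator turned it off. Treating an explicit `0` on the lowest versions as raising the minimum, and guarding the nsTLS1 fallback so that an all-off configuration reaches the existing error instead of re-enabling TLS 1.0, fixes this without touching the max handling the commit message already documents as ignored; sketch below. Separately, the same error text appears at both `slapd_SSL_error` calls and could be one `static const char` message, and raising the informational "Configured SSL version range" log from SLAPI_LOG_CONFIG to SLAPI_LOG_FATAL looks intentional (always logged) but deserves a one-line comment saying so. slapd_ssl_init2 continues outside the hunk.
```c
if ((enableTLS10 >= 0) || (enableTLS11 >= 0) || (enableTLS12 >= 0)) {
    /* … unchanged: the three "> 0" branches selecting TLS 1.0 / 1.1 / 1.2 … */
    } else if (enableTLS10 == 0 && enableTLS11 != 0) {
        /* TLS 1.0 explicitly off, TLS 1.1 not explicitly off: start at 1.1 */
        NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1;
    } else if (enableTLS10 == 0 && enableTLS11 == 0 && enableTLS12 != 0) {
        /* TLS 1.0 and 1.1 explicitly off: only TLS 1.2 remains */
        NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2;
    } else if (enableTLS1 && enableTLS10 != 0) {
        /* nsTLS1 fallback; an explicit nsTLS10: off must not re-enable TLS 1.0 */
        NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0;
    /* … unchanged: nsSSL3 fallback and the all-off error … */
```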