May 2016 - 389-commits - Fedora Mailing-Lists

by thierry bordaz

ldap/servers/plugins/replication/repl5_replica.c | 1 + ldap/servers/plugins/replication/repl5_updatedn_list.c | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) New commits: commit 35f6fb8fca9ed12deadd1d50c65fb0947a7b1768 Author: Thierry Bordaz <tbordaz(a)redhat.com> Date: Thu May 12 15:38:28 2016 +0200 Ticket 48836 replication session fails because of permission denied Bug Description: https://fedorahosted.org/389/ticket/48597 fix introduced a regression where it tests (in replica_is_updatedn) the returned value of replica_updatedn_list_ismember against PR_TRUE. Actually replica_updatedn_list_ismember returns PR_FALSE or a pointer to the found value but not PR_TRUE. Fix Description: replica_updatedn_list_ismember should return PR_TRUE or PR_FALSE where the cast make it return values that are different from PR_TRUE or PR_FALSE https://fedorahosted.org/389/ticket/48836 Reviewed by: Noriko Hosoi, Ludwig Krispenz (thanks for your reviews) Platforms tested: F24 Flag Day: no Doc impact: no diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c index f935b9c..5de6a49 100644 --- a/ldap/servers/plugins/replication/repl5_replica.c +++ b/ldap/servers/plugins/replication/repl5_replica.c @@ -1155,6 +1155,7 @@ replica_is_updatedn (Replica *r, const Slapi_DN *sdn) if (r->updatedn_list) { result = replica_updatedn_list_ismember(r->updatedn_list, sdn); if (result == PR_TRUE) { + /* sdn is present in the updatedn_list */ replica_unlock(r->repl_lock); return result; } diff --git a/ldap/servers/plugins/replication/repl5_updatedn_list.c b/ldap/servers/plugins/replication/repl5_updatedn_list.c index a6609bc..c04a53f 100644 --- a/ldap/servers/plugins/replication/repl5_updatedn_list.c +++ b/ldap/servers/plugins/replication/repl5_updatedn_list.c @@ -284,7 +284,10 @@ replica_updatedn_list_ismember(ReplicaUpdateDNList list, const Slapi_DN *dn) /* Bug 605169 - null ndn would cause core dump */ if ( ndn ) { - ret = (PRBool)((uintptr_t)PL_HashTableLookupConst(hash, ndn)); + if ((uintptr_t)PL_HashTableLookupConst(hash, ndn)) + ret = PR_TRUE; + else + ret = PR_FALSE; } return ret;

7 years, 11 months

1
0
0 / 0

Branch '389-ds-base-1.3.4' - ldap/servers

by Noriko Hosoi

ldap/servers/plugins/replication/repl5_replica.c | 2 ++ 1 file changed, 2 insertions(+) New commits: commit d5a84c41ed1d0686366fb0ed924803248396d22d Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Tue May 17 12:58:09 2016 -0700 Ticket #47819 - RFE - improve tombstone purging performance Description: Initialize replica->precise_purging with slapi_counter_new(). https://fedorahosted.org/389/ticket/47819 Reviewed by mreynolds(a)redhat.com (Thanks, Mark!!) (cherry picked from commit fb390315e3ea49a3bae6fb508333347f8c3a6807) diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c index c7cf25f..a339777 100644 --- a/ldap/servers/plugins/replication/repl5_replica.c +++ b/ldap/servers/plugins/replication/repl5_replica.c @@ -203,6 +203,7 @@ replica_new_from_entry (Slapi_Entry *e, char *errortext, PRBool is_add_operation r->protocol_timeout = slapi_counter_new(); r->backoff_min = slapi_counter_new(); r->backoff_max = slapi_counter_new(); + r->precise_purging = slapi_counter_new(); /* read parameters from the replica config entry */ rc = _replica_init_from_config (r, e, errortext); @@ -410,6 +411,7 @@ replica_destroy(void **arg) slapi_counter_destroy(&r->protocol_timeout); slapi_counter_destroy(&r->backoff_min); slapi_counter_destroy(&r->backoff_max); + slapi_counter_destroy(&r->precise_purging); slapi_ch_free((void **)arg); }

7 years, 11 months

1
0
0 / 0

ldap/servers

by Noriko Hosoi

ldap/servers/plugins/replication/repl5_replica.c | 2 ++ 1 file changed, 2 insertions(+) New commits: commit fb390315e3ea49a3bae6fb508333347f8c3a6807 Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Tue May 17 12:58:09 2016 -0700 Ticket #47819 - RFE - improve tombstone purging performance Description: Initialize replica->precise_purging with slapi_counter_new(). https://fedorahosted.org/389/ticket/47819 Reviewed by mreynolds(a)redhat.com (Thanks, Mark!!) diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c index 6562b3b..f935b9c 100644 --- a/ldap/servers/plugins/replication/repl5_replica.c +++ b/ldap/servers/plugins/replication/repl5_replica.c @@ -204,6 +204,7 @@ replica_new_from_entry (Slapi_Entry *e, char *errortext, PRBool is_add_operation r->protocol_timeout = slapi_counter_new(); r->backoff_min = slapi_counter_new(); r->backoff_max = slapi_counter_new(); + r->precise_purging = slapi_counter_new(); /* read parameters from the replica config entry */ rc = _replica_init_from_config (r, e, errortext); @@ -411,6 +412,7 @@ replica_destroy(void **arg) slapi_counter_destroy(&r->protocol_timeout); slapi_counter_destroy(&r->backoff_min); slapi_counter_destroy(&r->backoff_max); + slapi_counter_destroy(&r->precise_purging); slapi_ch_free((void **)arg); }

7 years, 11 months

1
0
0 / 0

ldap/servers

by Noriko Hosoi

ldap/servers/plugins/replication/repl5_total.c | 5 +++-- ldap/servers/slapd/plugin.c | 22 +++++++++------------- 2 files changed, 12 insertions(+), 15 deletions(-) New commits: commit e6ba94f61c4105403c46c76cd192061955bfd71b Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Mon May 16 17:08:21 2016 -0700 Ticket #48837 - Replication: total init aborted Bug Description: Commit 2ecc93781abc786be6a8b8443faf2598a6c30f97 to fix ticket 48822 broke the logic and forced plugin_call_exop_plugins to return an error even if the underlying extended plugin were successful. Fix Description: In plugin_call_exop_plugins, - this patch honours the return value from the plugins. - LDAP_SUCCESS is translated to SLAPI_PLUGIN_EXTENDED_SENT_RESULT. The extop plugin multimaster_extop_NSDS50ReplicationEntry is fixed to return SLAPI_PLUGIN_EXTENDED_SENT_RESULT in the case of success. https://fedorahosted.org/389/ticket/48837 Reviewed by lkrispen(a)redhat.com and wibrown(a)redhat.com (Thank you, Ludwig and William!) diff --git a/ldap/servers/plugins/replication/repl5_total.c b/ldap/servers/plugins/replication/repl5_total.c index 7f7bb15..12b244d 100644 --- a/ldap/servers/plugins/replication/repl5_total.c +++ b/ldap/servers/plugins/replication/repl5_total.c @@ -866,8 +866,7 @@ multimaster_extop_NSDS50ReplicationEntry(Slapi_PBlock *pb) rc, connid, opid); } - if (rc != 0) - { + if (rc) { /* just disconnect from the supplier. bulk import is stopped when connection object is destroyed */ slapi_pblock_get (pb, SLAPI_CONNECTION, &conn); @@ -881,6 +880,8 @@ multimaster_extop_NSDS50ReplicationEntry(Slapi_PBlock *pb) { slapi_entry_free (e); } + } else { + rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT; } return rc; diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c index f196d2c..5d63baa 100644 --- a/ldap/servers/slapd/plugin.c +++ b/ldap/servers/slapd/plugin.c @@ -527,23 +527,19 @@ plugin_determine_exop_plugins( const char *oid, struct slapdplugin **plugin) int plugin_call_exop_plugins( Slapi_PBlock *pb, struct slapdplugin *p ) { - int rc = LDAP_SUCCESS; - int lderr = SLAPI_PLUGIN_EXTENDED_NOT_HANDLED; - + int rc; slapi_pblock_set( pb, SLAPI_PLUGIN, p ); set_db_default_result_handlers( pb ); - if ( (rc = (*p->plg_exhandler)( pb )) == SLAPI_PLUGIN_EXTENDED_SENT_RESULT ) { - return( rc ); /* result sent */ - } else if ( rc != SLAPI_PLUGIN_EXTENDED_NOT_HANDLED ) { - /* - * simple merge: report last real error + rc = (*p->plg_exhandler)( pb ); + if (LDAP_SUCCESS == rc) { + /* + * Some plugin may return LDAP_SUCCESS in the success case. + * It is translated to SLAPI_PLUGIN_EXTENDED_SENT_RESULT to + * reduce the unnecessary error logs. */ - if ( rc != LDAP_SUCCESS ) { - lderr = rc; - } + rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT; } - - return( lderr ); + return (rc); }

7 years, 11 months

1
0
0 / 0

ldap/servers

by William Brown

ldap/servers/slapd/back-ldbm/start.c | 127 +++++++++++++++++++++++++---------- ldap/servers/slapd/util.c | 4 - 2 files changed, 95 insertions(+), 36 deletions(-) New commits: commit 9eee3a8e06978a081c302ba8907af9e84d3c3cf2 Author: William Brown <firstyear(a)redhat.com> Date: Wed May 11 09:09:29 2016 +1000 Ticket 48617 - Server ram checks work in isolation Bug Description: Previously we would check all server cache allocations in isolation. We would only know if I single cache would exceed our system ram. This meant if you had many backends, it was possible to configure them each with 75% of the system ram, but be a valid configuration, even though it increased the risk of oom. Fix Description: Now, all backends are check in isolation *and* they are check as a whole regardless of manual or auto tuning. This also improves the auto tuning system to check it's request, and to LOWER it if it is in excess of the system ram. IE auto tuning a server should not ever be possible to create an OOM condition. https://fedorahosted.org/389/ticket/48617 Author: wibrown Review by: nhosoi (Thanks!) diff --git a/ldap/servers/slapd/back-ldbm/start.c b/ldap/servers/slapd/back-ldbm/start.c index 5058942..17d9228 100644 --- a/ldap/servers/slapd/back-ldbm/start.c +++ b/ldap/servers/slapd/back-ldbm/start.c @@ -35,6 +35,10 @@ ldbm_back_start( Slapi_PBlock *pb ) char *home_dir; int action; int retval; + int issane = 0; + PRUint64 total_cache_size = 0; + size_t pagesize, pages, procpages, availpages; + char *msg; /* This will be set by one of the two cache sizing paths below. */ LDAPDebug( LDAP_DEBUG_TRACE, "ldbm backend starting\n", 0, 0, 0 ); @@ -116,8 +120,6 @@ ldbm_back_start( Slapi_PBlock *pb ) LDAPDebug( LDAP_DEBUG_ANY, "cache autosizing: bad settings, " "value or sum of values can not larger than 100.\n", 0, 0, 0 ); } else { - size_t pagesize, pages, procpages, availpages; - if (util_info_sys_pages(&pagesize, &pages, &procpages, &availpages) != 0) { LDAPDebug( LDAP_DEBUG_ANY, "start: Unable to determine system page limits\n", 0, 0, 0 ); @@ -130,47 +132,73 @@ ldbm_back_start( Slapi_PBlock *pb ) Object *inst_obj; ldbm_instance *inst; PRUint64 cache_size; + PRUint64 dncache_size; PRUint64 db_size; - PRUint64 total_cache_size = 0; +#ifndef LINUX PRUint64 memsize = pages * pagesize; - PRUint64 extra = 0; /* e.g., dncache size */ - - for (inst_obj = objset_first_obj(li->li_instance_set); inst_obj; - inst_obj = objset_next_obj(li->li_instance_set, inst_obj)) { - inst = (ldbm_instance *)object_get_data(inst_obj); - cache_size = (PRUint64)cache_get_max_size(&(inst->inst_cache)); - db_size = dblayer_get_id2entry_size(inst); - if (cache_size < db_size) { - LDAPDebug(LDAP_DEBUG_ANY, - "WARNING: %s: entry cache size %" NSPRIu64 "B is " - "less than db size %" NSPRIu64 "B; " - "We recommend to increase the entry cache size " - "nsslapd-cachememsize.\n", - inst->inst_name, cache_size, db_size); - } else { +#endif + if (li->li_cache_autosize == 0) { + /* First, set our message. */ + msg = "This can be corrected by altering the values of nsslapd-dbcachesize, nsslapd-cachememsize and nsslapd-dncachememsize\n"; + + for (inst_obj = objset_first_obj(li->li_instance_set); inst_obj; + inst_obj = objset_next_obj(li->li_instance_set, inst_obj)) { + inst = (ldbm_instance *)object_get_data(inst_obj); + cache_size = (PRUint64)cache_get_max_size(&(inst->inst_cache)); + db_size = dblayer_get_id2entry_size(inst); + if (cache_size < db_size) { + LDAPDebug(LDAP_DEBUG_ANY, + "WARNING: %s: entry cache size %llu B is " + "less than db size %llu B; " + "We recommend to increase the entry cache size " + "nsslapd-cachememsize.\n", + inst->inst_name, cache_size, db_size); + } else { + LDAPDebug(LDAP_DEBUG_BACKLDBM, + "%s: entry cache size: %llu B; db size: %llu B\n", + inst->inst_name, cache_size, db_size); + } + /* Get the dn_cachesize */ + dncache_size = (PRUint64)cache_get_max_size(&(inst->inst_dncache)); + total_cache_size += cache_size + dncache_size; LDAPDebug(LDAP_DEBUG_BACKLDBM, - "%s: entry cache size: %" NSPRIu64 "B; db size: %" NSPRIu64 "B\n", - inst->inst_name, cache_size, db_size); + "total cache size: %llu B; \n", + total_cache_size, 0 ,0 ); } - total_cache_size += cache_size; - /* estimated overhead: dncache size * 2 */ - extra += (PRUint64)cache_get_max_size(&(inst->inst_dncache)) * 2; - } - LDAPDebug(LDAP_DEBUG_BACKLDBM, - "Total entry cache size: %" NSPRIu64 "B; " - "dbcache size: %" NSPRIu64 "B; " - "available memory size: %" NSPRIu64 "B\n", - total_cache_size, (PRUint32)li->li_dbcachesize, memsize - extra); + LDAPDebug(LDAP_DEBUG_BACKLDBM, + "Total entry cache size: %llu B; " + "dbcache size: %llu B; " + "available memory size: %llu B; \n", +#ifdef LINUX + (PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, availpages * pagesize +#else + (PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, memsize +#endif + ); + /* autosizing dbCache and entryCache */ - if (li->li_cache_autosize > 0) { + } else if (li->li_cache_autosize > 0) { + msg = "This can be corrected by altering the values of nsslapd-cache-autosize, nsslapd-cache-autosize-split and nsslapd-dncachememsize\n"; zone_pages = (li->li_cache_autosize * pages) / 100; - /* now split it according to user prefs */ + size_t zone_size = zone_pages * pagesize; + /* This is how much we "might" use, lets check it's sane. */ + /* In the case it is not, this will *reduce* the allocation */ + issane = util_is_cachesize_sane(&zone_size); + if (!issane) { + LDAPDebug(LDAP_DEBUG_ANY, "Your autosized cache values have been reduced. Likely your nsslapd-cache-autosize percentage is too high.\n", 0,0,0); + LDAPDebug(LDAP_DEBUG_ANY, msg, 0,0,0); + } + /* It's valid, lets divide it up and set according to user prefs */ + zone_pages = zone_size / pagesize; db_pages = (li->li_cache_autosize_split * zone_pages) / 100; - /* fudge an extra instance into our calculations... */ - entry_pages = (zone_pages - db_pages) / - (objset_size(li->li_instance_set) + 1); + entry_pages = (zone_pages - db_pages) / objset_size(li->li_instance_set); + /* We update this for the is-sane check below. */ + total_cache_size = (zone_pages - db_pages) * pagesize; + LDAPDebug(LDAP_DEBUG_ANY, "cache autosizing. found %dk physical memory\n", pages*(pagesize/1024), 0, 0); + LDAPDebug(LDAP_DEBUG_ANY, "cache autosizing. found %dk avaliable\n", + zone_pages*(pagesize/1024), 0, 0); LDAPDebug(LDAP_DEBUG_ANY, "cache autosizing: db cache: %dk, " "each entry cache (%d total): %dk\n", db_pages*(pagesize/1024), objset_size(li->li_instance_set), @@ -193,6 +221,10 @@ ldbm_back_start( Slapi_PBlock *pb ) cache_set_max_entries(&(inst->inst_cache), -1); cache_set_max_size(&(inst->inst_cache), li->li_cache_autosize_ec, CACHE_TYPE_ENTRY); + /* We need to get each instances dncache size to add to the total */ + /* Else we can't properly check the cache allocations below */ + /* Trac 48831 exists to allow this to be auto-sized too ... */ + total_cache_size += (PRUint64)cache_get_max_size(&(inst->inst_dncache)); } } /* autosizing importCache */ @@ -202,6 +234,10 @@ ldbm_back_start( Slapi_PBlock *pb ) li->li_import_cache_autosize = 50; } import_pages = (li->li_import_cache_autosize * pages) / 100; + size_t import_size = import_pages * pagesize; + issane = util_is_cachesize_sane(&import_size); + /* We just accept the reduced allocation here. */ + import_pages = import_size / pagesize; LDAPDebug(LDAP_DEBUG_ANY, "cache autosizing: import cache: %dk \n", import_pages*(pagesize/1024), NULL, NULL); @@ -211,6 +247,29 @@ ldbm_back_start( Slapi_PBlock *pb ) } } + /* Finally, lets check that the total result is sane. */ + + size_t total_size = total_cache_size + (PRUint64)li->li_dbcachesize; + issane = util_is_cachesize_sane(&total_size); + if (!issane) { + /* Right, it's time to panic */ + LDAPDebug( LDAP_DEBUG_ANY, "CRITICAL: It is highly likely your memory configuration will EXCEED your systems memory.\n", 0, 0, 0 ); + LDAPDebug(LDAP_DEBUG_ANY, + "Total entry cache size: %llu B; " + "dbcache size: %llu B; " + "available memory size: %llu B; \n", +#ifdef LINUX + (PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, availpages * pagesize +#else + (PRUint64)total_cache_size, (PRUint64)li->li_dbcachesize, memsize +#endif + ); + LDAPDebug(LDAP_DEBUG_ANY, msg, 0,0,0); + return SLAPI_FAIL_GENERAL; + } + + + retval = check_db_version(li, &action); if (0 != retval) { diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c index f297176..b0fd73b 100644 --- a/ldap/servers/slapd/util.c +++ b/ldap/servers/slapd/util.c @@ -1784,10 +1784,10 @@ int util_is_cachesize_sane(size_t *cachesize) (unsigned long)cachepages,(unsigned long)availpages,0); if (!issane) { - /* Since we are ask for more than what's available, we give half of + /* Since we are ask for more than what's available, we give 3/4 of the remaining. * the remaining system mem to the cachesize instead, and log a warning */ - *cachesize = (size_t)((availpages / 2) * pagesize); + *cachesize = (size_t)((availpages * 0.75 ) * pagesize); slapi_log_error(SLAPI_LOG_FATAL, "util_is_cachesize_sane", "WARNING adjusted cachesize to %lu\n", (unsigned long)*cachesize); } #else

7 years, 11 months

1
0
0 / 0

ldap/admin

by Mark Reynolds

ldap/admin/src/scripts/repl-monitor.pl.in | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) New commits: commit 77e6044ee5e44fa86e44280d46f36d63a30458b0 Author: Mark Reynolds <mreynolds(a)redhat.com> Date: Thu May 12 16:10:02 2016 -0400 Ticket 48220 - The "repl-monitor" web page does not display "year" in date. Bug Description: The year is not displayed in the header when the day is less than 10. Appears to be an issue with localtime(). Fix Description: Instead of strftime for displaying the date. https://fedorahosted.org/389/ticket/48220 Reviewed by: nhosoi(Thanks!) diff --git a/ldap/admin/src/scripts/repl-monitor.pl.in b/ldap/admin/src/scripts/repl-monitor.pl.in index a670610..0964ae0 100755 --- a/ldap/admin/src/scripts/repl-monitor.pl.in +++ b/ldap/admin/src/scripts/repl-monitor.pl.in @@ -166,6 +166,7 @@ use Mozilla::LDAP::Conn; # LDAP module for Perl use Mozilla::LDAP::Utils qw(normalizeDN); # LULU, utilities. use Mozilla::LDAP::API qw(:api :ssl :apiv3 :constant); # Direct access to C API use Time::Local; # to convert GMT Z strings to localtime +use POSIX; # # Global variables @@ -206,7 +207,7 @@ my %ld; my ($opt_f, $opt_h, $opt_p, $opt_u, $opt_t, $opt_r, $opt_s); my (@conns, @alias, @color); -my ($section, $interval, $nowraw, $now, $mm, $dd, $tt, $yy, $wday); +my ($section, $interval, $now, $mm, $dd, $tt, $yy, $wday); my ($fn, $rc, $prompt, $last_sidx); my $supplierUrl = ""; my %passwords = (); @@ -242,9 +243,7 @@ $prompt = ""; $interval = 300 if ( !$interval || $interval <= 0 ); # Get current date/time - $nowraw = localtime(); - ($wday, $mm, $dd, $tt, $yy) = split(/ /, $nowraw); - $now = "$wday $mm $dd $yy $tt"; + $now = strftime "%a %b %e %Y %H:%M:%S", localtime; # if no -r (Reenter and skip html header), print html header if (!$opt_r) {

7 years, 11 months

1
0
0 / 0

VERSION.sh

by Noriko Hosoi

VERSION.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) New commits: commit af9de3071795b94560cab711957eaded5cf6bf67 Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Wed May 11 16:18:11 2016 -0700 bump version to 1.1.43 diff --git a/VERSION.sh b/VERSION.sh index bf55ea2..cd76f32 100644 --- a/VERSION.sh +++ b/VERSION.sh @@ -11,7 +11,7 @@ vendorurl=http://port389.org # PACKAGE_VERSION is constructed from these VERSION_MAJOR=1 VERSION_MINOR=1 -VERSION_MAINT=42 +VERSION_MAINT=43 # if this is a PRERELEASE, set VERSION_PREREL # otherwise, comment it out # be sure to include the dot prefix in the prerel

7 years, 11 months

1
0
0 / 0

build.properties win/VERSION.mak

by Noriko Hosoi

build.properties | 2 +- win/VERSION.mak | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) New commits: commit 6811bc4820a6ad7cd078c96c19d61e6c26562afe Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Wed May 11 15:38:03 2016 -0700 version 1.1.16 Updated the value of PKGGUID and OLDGUID with uuidgen. diff --git a/build.properties b/build.properties index a275820..e968e7a 100644 --- a/build.properties +++ b/build.properties @@ -23,7 +23,7 @@ lang=en console.root=. console.version=11 -console.dotversion=1.1.15 +console.dotversion=1.1.16 console.dotgenversion=1.1 theme.core=389-console diff --git a/win/VERSION.mak b/win/VERSION.mak index 30f196d..6c8c80f 100644 --- a/win/VERSION.mak +++ b/win/VERSION.mak @@ -7,18 +7,18 @@ BRANDNOSPACE=389 # this is the vendor or manufacturer VENDOR=389 Project # the version -VERSION=1.1.15 +VERSION=1.1.16 # the name of the product - this is used in the title of the # installer, in the name of the folder, and in the name # of the shortcuts PRODUCTNAME=$(BRAND) Management Console # this is the GUID of the package - must be changed # when the version is changed - use uuidgen -n1 -PKGGUID=595875D5-C97E-442B-8C8C-66DD2A4583B4 +PKGGUID=DF505B7B-9D6A-4F39-8E50-A26434B05C02 # the upgrade GUID should usually not be changed UPGRADEGUID=7EA828C0-C219-438d-9BB3-3418DC900D60 # guid of old version to be removed -OLDGUID=3D26B463-9543-49F3-954E-C9AA3A76EC3A +OLDGUID=595875D5-C97E-442B-8C8C-66DD2A4583B4 OLDSHORTCUT=Fedora IDM Console.lnk OLDPROGRAMFOLDER=Fedora Identity Management Console # filename prefix for certain branded jar and script files

7 years, 11 months

1
0
0 / 0

dirsrvtests/tests

by William Brown

dirsrvtests/tests/suites/gssapi_repl/gssapi_repl_test.py | 216 +++++++++++++++ 1 file changed, 216 insertions(+) New commits: commit 2a32cab7ad3aa0aff1ab1a81a3a96334be0525f8 Author: William Brown <firstyear(a)redhat.com> Date: Wed May 11 13:37:18 2016 +1000 Ticket 48829 - Add gssapi sasl replication bind test Bug Description: We previously had no way to test if replication via a gssapi agreement was working. Fix Description: This adds a test case capable of creating a gssapi environment and binding the accounts for replication. https://fedorahosted.org/389/ticket/48829 Author: wibrown Review by: spichugi (Thanks!) diff --git a/dirsrvtests/tests/suites/gssapi_repl/gssapi_repl_test.py b/dirsrvtests/tests/suites/gssapi_repl/gssapi_repl_test.py new file mode 100644 index 0000000..57f670f --- /dev/null +++ b/dirsrvtests/tests/suites/gssapi_repl/gssapi_repl_test.py @@ -0,0 +1,216 @@ +import os +import sys +import time +import ldap +import logging +import pytest +from lib389 import DirSrv, Entry, tools, tasks +from lib389.tools import DirSrvTools +from lib389._constants import * +from lib389.properties import * +from lib389.tasks import * +from lib389.utils import * +from lib389.mit_krb5 import MitKrb5 + + +######################################### +# +# WARNING!!!!! If this test is failing, and your here to find out why, the +# reason is very likely your hosts file!!!! +# +# IT MUST LOOK LIKE THIS BELOW: Note the unique IPS for each kdc name! +# +# 127.0.0.1 ldapkdc.example.com localhost +# 127.0.1.1 ldapkdc1.example.com +# 127.0.2.1 ldapkdc2.example.com +# +######################################### + +logging.getLogger(__name__).setLevel(logging.DEBUG) +log = logging.getLogger(__name__) + +REALM = "EXAMPLE.COM" + +HOST_MASTER_1 = 'ldapkdc1.example.com' +HOST_MASTER_2 = 'ldapkdc2.example.com' + +class TopologyReplication(object): + def __init__(self, master1, master2): + master1.open() + self.master1 = master1 + master2.open() + self.master2 = master2 + + +(a)pytest.fixture(scope="module") +def topology(request): + # Create the realm first + krb = MitKrb5(realm=REALM) + if krb.check_realm(): + krb.destroy_realm() + krb.create_realm() + DEBUG = False + + # Creating master 1... + master1 = DirSrv(verbose=DEBUG) + args_instance[SER_HOST] = HOST_MASTER_1 + args_instance[SER_PORT] = PORT_MASTER_1 + args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_1 + args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX + args_instance[SER_REALM] = REALM + args_instance[SER_STRICT_HOSTNAME_CHECKING] = False + args_master = args_instance.copy() + master1.allocate(args_master) + instance_master1 = master1.exists() + if instance_master1: + master1.delete() + master1.create() # There is some magic in .create that finds the realm, and adds the keytab for us. + master1.open() + master1.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_1) + + # Creating master 2... + master2 = DirSrv(verbose=DEBUG) + args_instance[SER_HOST] = HOST_MASTER_2 + args_instance[SER_PORT] = PORT_MASTER_2 + args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_2 + args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX + args_instance[SER_REALM] = REALM + args_instance[SER_STRICT_HOSTNAME_CHECKING] = False + args_master = args_instance.copy() + master2.allocate(args_master) + instance_master2 = master2.exists() + if instance_master2: + master2.delete() + master2.create() + master2.open() + master2.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_2) + + # Delete each instance in the end + def fin(): + master1.delete() + master2.delete() + if krb.check_realm(): + krb.destroy_realm() + #request.addfinalizer(fin) + + # Clear out the tmp dir + master1.clearTmpDir(__file__) + + return TopologyReplication(master1, master2) + +def _create_machine_ou(inst): + inst.add_s( Entry(( "ou=Machines,%s" % DEFAULT_SUFFIX, { + 'objectClass' : 'top organizationalUnit'.split(), + 'ou' : 'Machines' + } + )) + ) + +def _create_machine_account(inst, name): + # Create the simple security objects for the servers to replicate to + inst.add_s( Entry(( "uid=%s,ou=Machines,%s" % (name, DEFAULT_SUFFIX), + { + 'objectClass' : 'top account'.split(), + 'uid' : name + } + ))) + +def _check_machine_account(inst, name): + r = inst.search_s( 'ou=Machines,%s' % DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=%s)' % name) + if len(r) > 0: + return True + return False + +def _allow_machine_account(inst, name): + # First we need to get the mapping tree dn + mt = inst.mappingtree.list(suffix=DEFAULT_SUFFIX)[0] + inst.modify_s('cn=replica,%s' % mt.dn, [ + (ldap.MOD_REPLACE, 'nsDS5ReplicaBindDN', "uid=%s,ou=Machines,%s" % (name, DEFAULT_SUFFIX)) + ]) + +def test_gssapi_repl(topology): + """ + Create a kdc, then using that, provision two masters which have a gssapi + authenticated replication agreement. + """ + + master1 = topology.master1 + master2 = topology.master2 + + + # Create the locations on each master for the other to bind to. + _create_machine_ou(master1) + _create_machine_ou(master2) + + _create_machine_account(master1, 'ldap/%s' % HOST_MASTER_1) + _create_machine_account(master1, 'ldap/%s' % HOST_MASTER_2) + _create_machine_account(master2, 'ldap/%s' % HOST_MASTER_1) + _create_machine_account(master2, 'ldap/%s' % HOST_MASTER_2) + + # Set on the cn=replica config to accept the other masters princ mapping under mapping tree + _allow_machine_account(master1, 'ldap/%s' % HOST_MASTER_2) + _allow_machine_account(master2, 'ldap/%s' % HOST_MASTER_1) + + # + # Create all the agreements + # + # Creating agreement from master 1 to master 2 + + # Set the replica bind method to sasl gssapi + properties = {RA_NAME: r'meTo_$host:$port', + RA_METHOD: 'SASL/GSSAPI', + RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]} + m1_m2_agmt = master1.agreement.create(suffix=SUFFIX, host=master2.host, port=master2.port, properties=properties) + if not m1_m2_agmt: + log.fatal("Fail to create a master -> master replica agreement") + sys.exit(1) + log.debug("%s created" % m1_m2_agmt) + + # Creating agreement from master 2 to master 1 + + # Set the replica bind method to sasl gssapi + properties = {RA_NAME: r'meTo_$host:$port', + RA_METHOD: 'SASL/GSSAPI', + RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]} + m2_m1_agmt = master2.agreement.create(suffix=SUFFIX, host=master1.host, port=master1.port, properties=properties) + if not m2_m1_agmt: + log.fatal("Fail to create a master -> master replica agreement") + sys.exit(1) + log.debug("%s created" % m2_m1_agmt) + + # Allow the replicas to get situated with the new agreements... + time.sleep(5) + + # + # Initialize all the agreements + # + master1.agreement.init(SUFFIX, HOST_MASTER_2, PORT_MASTER_2) + master1.waitForReplInit(m1_m2_agmt) + + # Check replication is working... + if master1.testReplication(DEFAULT_SUFFIX, master2): + log.info('Replication is working.') + else: + log.fatal('Replication is not working.') + assert False + + # Add a user to master 1 + _create_machine_account(master1, 'http/one.example.com') + # Check it's on 2 + time.sleep(5) + assert(_check_machine_account(master2, 'http/one.example.com')) + # Add a user to master 2 + _create_machine_account(master2, 'http/two.example.com') + # Check it's on 1 + time.sleep(5) + assert(_check_machine_account(master2, 'http/two.example.com')) + + + log.info('Test complete') + + +if __name__ == '__main__': + # Run isolated + # -s for DEBUG mode + CURRENT_FILE = os.path.realpath(__file__) + pytest.main("-s %s" % CURRENT_FILE)

7 years, 11 months

1
0
0 / 0

Branch '389-ds-base-1.2.11' - ldap/schema ldap/servers

by Noriko Hosoi

ldap/schema/01core389.ldif | 5 ++- ldap/servers/slapd/ssl.c | 71 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 65 insertions(+), 11 deletions(-) New commits: commit 6111400a7b21785823e16b1071fc29bc21542213 Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Tue May 10 14:41:10 2016 -0700 Ticket #48816 - (1.2.11 only) add a nsTLS1.0 on or off new configuration parameter to cn=encryption,cn=config in RHEL 6 389-ds-base Description: 389-ds-base-1.2.11 has no way to disable TLS1.0. This patch is adding config params nsTLS10, nsTLS11 and nsTLS12 to cn=encryption,cn=config so that the definition of nsTLS1 remains intact if the new parameters are not specified explicitely. If nsTLS10, nsTLS11 or nsTLS12 appear in the config entry, nsTLS1 is ignored and the new parameters are added. Default values: nsTLS1: on nsTLS10,nsTLS11,nsTLS12: ignored Examples: cn=encryption,cn=config [no SSL version settings] ==> sslVersionMin: TLS1.0 cn=encryption,cn=config nsTLS1: on ==> sslVersionMin: TLS1.0 cn=encryption,cn=config nsTLS1: on | off nsTLS10: on ==> sslVersionMin: TLS1.0 ==> Note: nsTLS1 is ignored. cn=encryption,cn=config nsTLS11: on ==> sslVersionMin: TLS1.1 cn=encryption,cn=config nsTLS12: on ==> sslVersionMin: TLS1.2 Special cases: If all SSL version config parameters are off, SSL fails to configure. cn=encryption,cn=config nsTLS10: off nsTLS11: off nsTLS12: off nsTLS1: off ==> SSL configuration fails. ==> Note: nsSSL3 is off by default. cn=encryption,cn=config nsTLS10: on nsTLS12: off ==> sslVersionMin: TLS1.0 ==> Note: nsTLS12 is ignored. Even if off is set to the higher SSL version as in this example, it is not used as sslVersionMax, but it is ignored. https://fedorahosted.org/389/ticket/48816 Thanks so much for the ideas, comments and discussions, William, Ludwig, and Mark!! Final review was made by wibrown(a)redhat.com (Thank you, William!!) diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif index 8f366a8..4ae6967 100644 --- a/ldap/schema/01core389.ldif +++ b/ldap/schema/01core389.ldif @@ -119,6 +119,9 @@ attributeTypes: ( nsKeyfile-oid NAME 'nsKeyfile' DESC 'Netscape defined attribut attributeTypes: ( nsSSL2-oid NAME 'nsSSL2' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) attributeTypes: ( nsSSL3-oid NAME 'nsSSL3' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) attributeTypes: ( nsTLS1-oid NAME 'nsTLS1' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) +attributeTypes: ( nsTLS10-oid NAME 'nsTLS10' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) +attributeTypes: ( nsTLS11-oid NAME 'nsTLS11' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) +attributeTypes: ( nsTLS12-oid NAME 'nsTLS12' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) attributeTypes: ( nsSSLClientAuth-oid NAME 'nsSSLClientAuth' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) attributeTypes: ( nsSSLSessionTimeout-oid NAME 'nsSSLSessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' ) @@ -171,5 +174,5 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' ) objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) X-ORIGIN 'Netscape Directory Server' ) objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' ) -objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' ) +objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsTLS10 $ nsTLS11 $ nsTLS12 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' ) objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' ) diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c index fcf7ba9..54ba16a 100644 --- a/ldap/servers/slapd/ssl.c +++ b/ldap/servers/slapd/ssl.c @@ -1058,6 +1058,9 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS) Slapi_Entry *e = NULL; PRBool enableSSL2 = PR_FALSE; PRBool enableSSL3 = PR_FALSE; + int enableTLS10 = -1; + int enableTLS11 = -1; + int enableTLS12 = -1; PRBool enableTLS1 = PR_TRUE; PRBool fipsMode = PR_FALSE; #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ @@ -1414,6 +1417,39 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS) } } slapi_ch_free_string( &val ); + val = slapi_entry_attr_get_charptr( e, "nsTLS10" ); + if ( val ) { + if ( !strcasecmp( val, "off" ) ) { + enableTLS10 = 0; + } else if ( !strcasecmp( val, "on" ) ) { + enableTLS10 = 1; + } else { + enableTLS10 = slapi_entry_attr_get_bool(e, "nsTLS10")?1:0; + } + } + slapi_ch_free_string( &val ); + val = slapi_entry_attr_get_charptr( e, "nsTLS11" ); + if ( val ) { + if ( !strcasecmp( val, "off" ) ) { + enableTLS11 = 0; + } else if ( !strcasecmp( val, "on" ) ) { + enableTLS11 = 1; + } else { + enableTLS11 = slapi_entry_attr_get_bool(e, "nsTLS11")?1:0; + } + } + slapi_ch_free_string( &val ); + val = slapi_entry_attr_get_charptr( e, "nsTLS12" ); + if ( val ) { + if ( !strcasecmp( val, "off" ) ) { + enableTLS12 = 0; + } else if ( !strcasecmp( val, "on" ) ) { + enableTLS12 = 1; + } else { + enableTLS12 = slapi_entry_attr_get_bool(e, "nsTLS12")?1:0; + } + } + slapi_ch_free_string( &val ); val = slapi_entry_attr_get_charptr( e, "nsTLS1" ); if ( val ) { if ( !strcasecmp( val, "off" ) ) { @@ -1430,25 +1466,40 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS) #if !defined(NSS_TLS10) /* NSS_TLS11 or newer */ if (NSSVersionMin > 0) { char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH]; + NSSVersionMax = enabledNSSVersions.max; /* Use new NSS API SSL_VersionRangeSet (NSS3.14 or newer) */ - if (enableTLS1) { + if ((enableTLS10 >= 0) || (enableTLS11 >= 0) || (enableTLS12 >= 0)) { + if (enableTLS10 > 0) { + NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0; + } else if (enableTLS11 > 0) { + NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_1; + } else if (enableTLS12 > 0) { + NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_2; + } else if (enableTLS1) { + NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0; + } else if (enableSSL3) { + NSSVersionMin = SSL_LIBRARY_VERSION_3_0; + NSSVersionMax = SSL_LIBRARY_VERSION_3_0; + } else { + slapd_SSL_error("SSL Initialization 2: all SSL version parameters are off. " + "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12."); + return 0; + } + } else if (enableTLS1) { NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0; - } else { + } else if (enableSSL3) { NSSVersionMin = SSL_LIBRARY_VERSION_3_0; NSSVersionMax = SSL_LIBRARY_VERSION_3_0; - } - if (enableSSL3) { - NSSVersionMin = SSL_LIBRARY_VERSION_3_0; - } else if (!enableTLS1) { - slapd_SSL_error("SSL Initialization 2: Both nsSSL3 and nsTLS1 are off. Enabling nsTLS1."); - NSSVersionMin = SSL_LIBRARY_VERSION_TLS_1_0; - NSSVersionMax = enabledNSSVersions.max; + } else { + slapd_SSL_error("SSL Initialization 2: all SSL version parameters are off. " + "Enable nsTLS1 or nsTLS10, nsTLS11, nsTLS12."); + return 0; } slapdNSSVersions.min = NSSVersionMin; slapdNSSVersions.max = NSSVersionMax; (void) slapi_getSSLVersion_str(slapdNSSVersions.min, mymin, sizeof(mymin)); (void) slapi_getSSLVersion_str(slapdNSSVersions.max, mymax, sizeof(mymax)); - slapi_log_error(SLAPI_LOG_CONFIG, "SSL Initialization", + slapi_log_error(SLAPI_LOG_FATAL, "SSL Initialization", "Configured SSL version range: min: %s, max: %s\n", mymin, mymax); sslStatus = SSL_VersionRangeSet(pr_sock, &slapdNSSVersions);

7 years, 11 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-commits May 2016