8.1. 389-ds-base

Updated 389-ds-base packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 6.
The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

Bug Fixes

When a new user was created on Active Directory (AD) and their password was set, the system administrator checked the flag "User must change password on next login". Afterwards, the default password was sent to Red Hat Directory Server (RHDS), which set the password but removed the aforementioned flag. With this update, the flag for password change at next login persists, and the password sync tool is allowed to bypass the 7-day constraint when the flag is checked.
If an ACI (access control instruction) was configured to grant permissions to "self" (the bound user itself), the result of a granted access check for one entry was cached and could erroneously be reused for all entries. Consequently, a bound client could retrieve entries or attributes it was not supposed to, or fail to retrieve entries and attributes it was supposed to retrieve. With this update, such accesses are granted per entry, making sure that if a granted access is cached, it is purged before the next entry is evaluated.
The multi-master replication protocol keeps a cumulative counter of the relative time offsets between servers. However, prior to this update, if the system time was adjusted by more than one day, the counter became off by more than one day. Consequently, a replication consumer refused to accept changes from the master and the replication process failed. This update adds a new configuration attribute to cn=config, nsslapd-ignore-time-skew, with the default "off". In addition, an error message is logged warning the system administrator about the time skew issue. Alternatively, if this attribute is set to "on", a replication consumer allows replication to proceed despite the excessive time skew.
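As an added example (not part of the errata or of 389-ds-base itself), a small bash audit helper for the attribute just described: it reads nsslapd-ignore-time-skew from cn=config, treats an absent attribute as the default "off", and can set the value explicitly with ldapmodify. OpenLDAP's ldapsearch/ldapmodify are assumed, and the host, bind DN and password-file arguments are placeholders.

```shell
#!/bin/bash
# Added audit helper for nsslapd-ignore-time-skew (not from the errata).
# Assumes OpenLDAP ldapsearch/ldapmodify; host, bind DN and password file
# are placeholders supplied by the caller.

# Parse LDIF (as returned by "ldapsearch -LLL -s base -b cn=config") and print
# the effective value. An absent attribute means the documented default, "off".
ignore_time_skew_setting() {
    local value
    value=$(printf '%s\n' "$1" \
        | awk -F': ' 'tolower($1) == "nsslapd-ignore-time-skew" { print tolower($2) }' \
        | head -n 1)
    printf '%s\n' "${value:-off}"
}

# Returns 0 when skew is still enforced (the safe default) and 1 when the server
# has been told to replicate despite excessive skew, which can hide a clock problem.
skew_check_is_strict() {
    [ "$(ignore_time_skew_setting "$1")" != "on" ]
}

# Live query of one instance; -y reads the bind password from a file so that it
# does not show up in the process list.
audit_instance() {            # args: host binddn passfile
    local ldif
    command -v ldapsearch >/dev/null || { echo "ldapsearch not installed" >&2; return 2; }
    ldif=$(ldapsearch -LLL -x -H "ldap://$1" -D "$2" -y "$3" \
                      -b cn=config -s base nsslapd-ignore-time-skew) || return 2
    if skew_check_is_strict "$ldif"; then
        echo "$1: nsslapd-ignore-time-skew=off; replication rejects excessive skew (fix NTP if skew is logged)"
    else
        echo "$1: nsslapd-ignore-time-skew=ON; skew errors are masked, review the errors log and NTP"
        return 1
    fi
}

# Set the attribute explicitly ("on" or "off"); "off" restores the default.
set_ignore_time_skew() {      # args: host binddn passfile on|off
    ldapmodify -x -H "ldap://$1" -D "$2" -y "$3" <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-ignore-time-skew
nsslapd-ignore-time-skew: $4
EOF
}

# Usage with placeholders:
#   audit_instance ldap1.example.com "cn=Directory Manager" /root/.dmpw
#   set_ignore_time_skew ldap1.example.com "cn=Directory Manager" /root/.dmpw off
```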
Previously, when an invalid host name was supplied to the server setup script, a vague error message was returned to the user. This update provides a proper error message when the setup script encounters an error in the host name.
Previously, the memory footprint of the directory server kept growing after search requests for simple paged results were processed. The memory leak causing this bug has been fixed, and the server size no longer increases in the aforementioned situation.
Prior to this update, a Windows Sync Control request returned only the renamed member of a group entry, not the group containing this member. As a consequence, a rename of a user's Distinguished Name (DN) on Active Directory (AD) was not applied to the synchronized member DN in the groups the user belonged to. With this update, once a rename operation is received from AD, Windows Sync Control searches for groups whose member attribute contains the old DN and replaces it with the renamed DN. In addition, Windows Sync Control also updates the renamed member DN in a group as intended.
Previously, when importing an LDAP Data Interchange Format (LDIF) file or performing a replication initialization that contained tombstone entries, the parent entry of each tombstone had its numsubordinate count incorrectly incremented. With this update, the parent entry's numsubordinate attribute is not updated when processing a tombstone entry, and the numsubordinate value is now accurate in all entries.
Previously, the in-memory size of an entry was underestimated, so the entry cache grew larger than the size specified in the configuration. This bug has been fixed by calculating each entry size more accurately, which leads to a more accurate entry cache size.
When trying to process an empty log file, the logconv.pl utility failed to run and reported a series of Perl errors. To fix this bug, empty log files are detected and skipped, and logconv.pl reports the empty log file with the following message:
Skipping empty access log, /var/log/dirsrv/slapd-ID/access.
While a Total Replication Update or Replica Initialization was occurring, the server could terminate unexpectedly. With this update, the replication plugin is not allowed to terminate while the total update of replica is still running, and the server thus no longer crashes.
Prior to this update, using the "-f" filter option caused the rsearch utility to return a filter syntax error. This update makes sure the filter is properly evaluated, and rsearch now works correctly when using the "-f" option.
Previously, when a search request for simple paged results was sent to a server and the request was abandoned, the paged result slot in the connection table was not properly released. Consequently, as the slot was not available, the temporary initial slot number "-1" was kept and used to index an array, causing an invalid array access. With this update, the abandoned slot content is properly deleted for reuse. As a result, the temporary slot number is now replaced with the correct slot number, and invalid array accesses no longer occur.
Access Control Instruction (ACI) group evaluation could fail with a "size limit exceeded" error. However, the "sizelimit" value could be a bogus value inherited from a non-search operation. With this update, such bogus values are replaced with an unlimited value (-1), and ACI group evaluation no longer fails due to an unexpected size limit exceeded error.
Performing an LDAP operation using the proxied authentication control could previously lead to server memory leaks. With this update, the allocated memory is released after the operation completion, and the server no longer leaks memory when processing operations using the proxied authentication control.
Prior to this update, tombstone resurrection did not consider the case in which the tombstone's parent entry had become a conflict entry. In addition, the handling of resurrected tombstones was missing in the entryrdn index. As a consequence, the parent-child relationship became inconsistent when a tombstone was resurrected. With this update, the Directory Information Tree (DIT) structure is properly maintained: even if the parent of a tombstone entry becomes a conflict entry, the parent-child relationship is now correctly managed.
Due to improper use of the valueset_add_valueset() function, which expects only empty values to be passed to it, the server could terminate unexpectedly. This update handles the misuse of the function, which no longer causes the server to crash.
Previously, the logging level was too verbose for the severity of the message, and the errors log could fill up with redundant messages. To fix this bug, the logging has been changed to be written only when "access control list processing" log level is being used, and thus the errors log no longer fills up with harmless warning messages.
Previously, if the do_search() function failed at the early phase, the memory storing the given baseDN was not freed. The underlying source code has been fixed, and the baseDN no longer leaks memory even if the search fails at the early phase.
Previously, in the entry cache, some delete operations failed with an error when entries were deleted while tombstone purging was in progress. This update retries obtaining the parent entry until it succeeds or times out. As a result, delete operations in the entry cache now succeed as intended.
Previously, when Multi Master Replication was configured, if an entry was updated on Master 1 and deleted on Master 2, the replicated update from Master 1 could target a deleted entry (a tombstone). This had two consequences. Firstly, the replicated update failed and could break replication. Secondly, the tombstone entries differed between Master 1 and Master 2. This update allows updates on a tombstone if the update originates from replication. Now, replication succeeds and tombstone entries are identical on all servers.
When deleting a node entry whose descendants were all deleted, previously only the first child position was checked. Consequently, the child entry at the first position was deleted in the database, but its position could be reused by the replacing tombstone entry, which produced the false error "has children" and thus caused the node deletion to fail. With this update, instead of checking only the first position, all child entries are checked for whether they are tombstones; if all of them are tombstones, the node is deleted. Now, the false error "has children" is no longer reported, and a node entry whose children are all tombstones is successfully deleted.
When replication is configured, the replication change log database is also a target of the backup. However, backing up the change log database previously failed because there was no back end instance associated with it. As a consequence, backing up a server failed. With this update, if the database being backed up is a change log database, the db2bak.pl utility skips the back end instance check, and backups work as intended.
When processing a large amount of access logs without any verbose options, memory usage kept growing until the system ran out of available memory or the logs were completely processed. The back-ported feature causing the excessive memory consumption has been removed, and memory usage now remains stable regardless of the amount of logs being processed.
Previously, the following message was incorrectly logged at the error level:
changelog iteration code returned a dummy entry with csn %s, skipping ...
Consequently, once the server ran into this state, this benign message was logged in the errors log repeatedly. To fix this bug, the log level has been changed, and the message is no longer logged as an error.
Prior to this update, when performing a modrdn operation on a managed entry, the managed entry plugin failed to properly update the managed entry pointer. The underlying source code has been fixed, and the managed entry link now remains intact across modrdn operations.
The previous MemberOf plugin code assumed the Distinguished Name (DN) value to have correct syntax, and did not check the normalized value of that DN. This could lead to dereferencing a NULL pointer and unexpected termination. This update checks the normalized value and logs a proper error. As a result, an invalid DN no longer causes crashes, and errors are properly logged.
When adding and deleting entries, the modified parent entry (with its updated numsubordinates attribute) could be swapped into the entry cache even if the operation failed. As a consequence, the parent's numsubordinate count could be incorrectly updated. This update adds code to revert the parent entry in the cache on failure, and the parent numsubordinate count is now guaranteed to be correct.
Previously, if nested tombstone entries were present, parents were always purged first, and thus their child entries became orphaned. With this update, the tombstone purge processes the candidate list in reverse order, which removes the child entries before the parent entries. As a result, child tombstone entries are no longer left orphaned after purging.
Previously, a tombstone purge thread issued a callback search that started reading the id2entry file even if the back end had already been stopped or disabled. This could cause the server to terminate unexpectedly. With this update, when performing a search and returning entries, the server checks whether the back end is started before reading id2entry. As a result, even if the tombstone purge occurs while the back end is stopped, the server no longer crashes.
Due to various mistakes in the source code, potential memory leaks, corrupted memory, or crashes could occur. All the aforementioned bugs have been addressed, and the server now behaves as expected without crashing or leaking memory.
Due to a failure in a back end transaction, the post plugin result was not properly passed to the back end. As a consequence, the ldapdelete client unexpectedly executed a tombstone deletion. A failure check has been added with this update, and a tombstone deletion by ldapdelete now fails as expected.
Previously, the server enabled the rsa_null_sha cipher, which was not considered secure. With this update, rsa_null_sha is no longer available.
Previously, the caller of the slapi_valueset_add_attr_valuearray_ext() function freed the returned Slapi_ValueSet improperly upon failure. Consequently, the Slapi_ValueSet leaked memory when the attribute adding operation failed. This update adds the code to free the memory, and the returned Slapi_ValueSet no longer leaks memory.
Prior to this update, syntax plugins were loaded during bootstrapping. However, in that phase, attributes had already been processed. As a consequence, the sorted results of multi-valued attributes in the schema and Directory Server specific Entries (DSE) became invalid. This update adds a default syntax plugin, and the sorted results of DSE and schema are now in the right order.
Previously, environment variables other than TERM and LANG were ignored if a program was started using the "service" utility. Consequently, memory fragmentation could not be configured. To fix this bug, the mallopt environment variables "SLAPD_MXFAST", "MALLOC_TRIM_THRESHOLD_" and "MALLOC_MMAP_THRESHOLD_" have been made configurable. Now, memory fragmentation can be controlled explicitly when the server is started through the "service" utility.
Prior to this update, when running a CLEANALLRUV task, the changelog replication incorrectly examined a Change Sequence Number (CSN) which could be deleted and returned as the minimum CSN for a replica. With this update, CSNs that are from a "cleaned" replica ID are ignored, and replication now uses the correct minimum CSN.
Previously, if a group on Active Directory (AD) gained a new member that was outside the Windows Sync scope and existed only on AD, an operation executed on AD replaced the member list with only the members that were Windows Sync targets. Consequently, the new member values were not synchronized. With this update, the subsequent modify operation includes the member value after confirming that the member exists on AD, thus fixing the bug.
If a group on Active Directory (AD) and Directory Server (DS) had local, unsynchronized members, and the members were removed from the group on one side, the delete operation was synchronized and all the members, including the local ones, were deleted. The underlying source code has been modified to check, firstly, whether the attribute is completely deleted on one side and, secondly, whether each value on the other side is in the sync scope. In addition, a value is now put into delete mode only if it is in the sync scope.
Previously, the manual page for the logconv.pl utility was missing some of the command line options. The manual page has been updated to show the complete usage of logconv.pl with all the available options.
Due to a bug in partial restoration, the ordering of the restored index was corrupted. With this update, the default compare function is called. Now, after running a partial restoration, indexing problems no longer occur.
When processing a Class of Service (CoS) definition entry, if the cosTemplateDn attribute had not yet been seen when the cosAttribute attribute was being processed, the parent entry Distinguished Name (DN) was set as cosTemplateDn automatically. Consequently, the parent entry could be an ancestor of an entry to be updated, and if that entry was a target of the betxn type of plug-ins, a deadlock occurred. With this update, the parent entry DN is used only when cosTemplateDn is not provided. Now, even if cosAttribute and cosTemplateDn are listed in that order in the CoS definition entry and betxn type plug-ins are enabled, updating an entry no longer causes deadlocks.
Previously, if a Virtual List View (VLV) search failed due to the "timelimit" or "adminlimit" server resource limits, the allocated ID list was not freed. Consequently, when the failure occurred, the memory used for the ID list leaked. This update adds the free code for the error cases, and the memory leaks caused by VLV failures no longer occur.

Enhancement

Previously, only the root Distinguished Name (DN) accounts were able to specify users that could bypass the password policy settings or add hashed passwords to users. With this update, non-root DN accounts are allowed to perform these types of operations as well.
Users of 389-ds-base are advised to upgrade to these updated packages, which fix these bugs and add this enhancement. After installing this update, the 389 server service will be restarted automatically.
Updated 389-ds-base packages that fix one bug are now available for Red Hat Enterprise Linux 6.
The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

Bug Fix

Bug fixes for replication conflict resolution introduced a memory leak bug, which increased the size of the Directory Server. With this update, the memory leak has been fixed, and the size of the Directory Servers in the replication topology is now stable under stress. (BZ#1147479)
Users of 389-ds-base are advised to upgrade to these updated packages, which fix this bug. After installing this update, the 389 server service will be restarted automatically.