Show Table of Contents
6. Bugs Fixed in 9.1
Directory Server 9.1 contains bug fixes for components in the directory service and associated tools. The list of bugs fixed in Directory Server 9.1 are listed in the erratum for this release, RHBA-2013:0960. The list of issues that are addressed in the Directory Server 9.1 update is in Table 2, “Bugs Fixed in This Release”.
Additionally, this release rolls in fixes that have been fixed incrementally in errata for Red Hat Enterprise Linux 6.3, Red Hat Enterprise Linux 6.4, and Z-stream (minor update) releases of the
389-ds-base package. These different errata and important fixed issues are listed in the subsequent tables.
Table 2. Bugs Fixed in This Release
| Bug Number | Description |
|---|---|
| 182509 | The changelog used for replication stored passwords in clear text in order to replicate them. In some contexts, this could be a security risk. |
| 510182 | If the DNA Plug-in was triggered during an account creation or update operation but that operation failed, the DNA counter was still incremented. This resulted in a gap in the range, where the number was used up but not assigned to an entry attribute. |
| 830350 | An issue in the htmladmin CGI caused a segmentation fault when restarting an Admin Server instance which used an IP address instead of a hostname. |
| 887394 | A problem in a CGI for the Admin Server Console caused a segmentation fault when attempting to restart the server. |
| 889575 | The remove-ds-admin.pl script, by default, leaves the security databases (cert8.db, key3.db, and secmod.db) intact after removing an instance. This prevents a new instance from being created later.
A new option,
-a, has been added to the remove-ds-admin.pl script to remove all generated data for an instance, allowing Admin Server to be re-installed later.
|
| 905266 | Internally, the Admin Server only checked for the results of a bind operation if an LDAP control was also sent with the connection. If there were no LDAP controls sent, then the operation reported a successful bind even if the bind, in fact, failed.
Now, the Admin Server and admin utilities always check the bind result, regardless of whether LDAP controls are sent with the request.
|
| 928560 | Removing the Admin Server using the remove-ds-admin.pl script did not also stop the Admin Server process. This left the process running indefinitely and kept port 9830 tied up. |
| 953600 | An improperly configred SELinux policy caused AVCs when an administrator attempted to shut down the Admin Server from the Console. This prevented the Admin Server from restarting. |
Table 3. Bugs Fixed in Red Hat Enterprise Linux 6.3 Errata
| RHBA-2012:1067 | |
|---|---|
| Bugzilla | Description |
| 834096 | Simultaneous updates that included deleting an attribute in an entry could cause the domain directory server to abort with a segmentation fault. This update checks whether a modified attribute entry has a NULL value. Now, the server handles simultaneous updates as expected. |
| 836251 | The get_entry function did not accept a NULL pblock. As a consequence, the Account Usability feature did not return the correct information about user account expiration and locked status. |
| RHSA-2012:0997 | |
|---|---|
| Bugzilla | Description |
| CVE-2012-2678 | A flaw was found in the way Directory Server handled password changes. If an LDAP user has changed their password, and the Directory Server has not been restarted since that change, an attacker able to bind to the Directory Server could obtain the plain text version of that user's password via the "unhashed#user#password" attribute. |
| CVE-2012-2746 | When the password for an LDAP user was changed, and audit logging was enabled (it is disabled by default), the new password was written to the audit log in plain text form. This update introduces a new configuration parameter, "nsslapd-auditlog-logging-hide-unhashed-pw", which when set to "on" (the default option), prevents Directory Server from writing plain text passwords to the audit log. This option can be configured in /etc/dirsrv/slapd-ID/dse.ldif. |
| RHSA-2012:0813 | |||
|---|---|---|---|
| Bugzilla | Description | ||
| CVE-2012-0833 | A flaw was found in the way the Directory Server daemon (ns-slapd) handled access control instructions (ACIs) using certificate groups. If an LDAP user that had a certificate group defined attempted to bind to the Directory Server, it would cause ns-slapd to enter an infinite loop and consume an excessive amount of CPU time. | ||
| 743979 | Previously, Directory Server used the Netscape Portable Runtime (NSPR) implementation of the read/write locking mechanism. This implementation allowed deadlocks to occur if Directory Server was under a heavy load, which caused the server to become unresponsive. With this update, Directory Server now uses the POSIX implementation of the locking mechanism, and deadlocks no longer occur under a heavy load. | ||
| 745201 | Previously, Distinguished Names (DNs) were not included in access log records of LDAP compare operations. Consequently, this information was missing in the access logs. Now, DNs are logged and can be found in the access logs. | ||
| 752577 | When Directory Server was under heavy load and operating in a congested network, problems with client connections sometimes occurred. When there was a connection problem while the server was sending simple paged result search results to the client, the LDAP server called a cleanup routine incorrectly. Consequently, a memory leak occurred and the server terminated unexpectedly. Now, cleanup tasks are run correctly and no memory leaks occur. | ||
| 757897 | Previously, certain operations with the change sequence number were not performed efficiently by the server. Consequently, the ns-slapd daemon consumed up to 100% of CPU time when performing a large number of CSN operations during content replication. With this update, the underlying source code has been modified to perform the CSN operations efficiently. As a result, large numbers of CSN operations can be performed during content replications without any performance issues. | ||
| 757898 | Allocated memory was not correctly released in the underlying code for the SASL GSSAPI authentication method when checking Simple Authentication and Security Layer (SASL) identity mappings. This problem could cause memory leaks when processing SASL bind requests, which eventually caused the LDAP server to terminate unexpectedly with a segmentation fault. This update adds function calls that are needed to free allocated memory correctly. | ||
| 759301 | Directory Server did not handle the entry update sequence number (USN) index correctly. Consequently, the index sometimes became out of sync with the main database and search operations on USN entries returned incorrect results. This update modifies the underlying source code of the Entry USN plug-in. As a result, the Entry USN index is now handled by the server correctly. | ||
| 772777 | Previously, search filter attributes were normalized and substring regular expressions were compiled repeatedly for every entry in the search result set. Consequently, using search filters with many attributes and substring subfilters resulted in poor search performance. This update ensures that search filters are pre-compiled and pre-normalized before being applied. These changes result in better search performance when applying search filters with many attributes and substring subfilters. | ||
| 772778 | Previously, the number of access control instructions to be cached was limited to 200. Consequently, evaluating a Directory Server entry against more than 200 ACIs failed with the following error message:
acl_TestRights - cache overflown
The default ACI cache limit has been increased to 2000 and allows it to be configurable by means of the new parameter nsslapd-aclpb-max-selected-acls in the ACL Plug-in configuration. | ||
| 772779 | Previously, the restore command contained a code path leading to an infinite loop. Consequently, Directory Server sometimes became unresponsive when performing a restore from a database backup. | ||
| 781485 | Previously, performing the ldapmodify operation to modify replica update vector (RUV) entries was allowed. Consequently, Directory Server became unresponsive when performing such operations. | ||
| 781495 | Previously, to identify restart events of Directory Server, the logconv.pl script searched server logs for the "conn=0 fd=" string. Consequently, the script reported a wrong number of server restarts. This update modifies the script to search for the "conn=1 fd=" string instead. As a result, the correct number of server restarts is now returned. | ||
| 781500 | When reloading a database from an LDIF file that contained an RUV element with an obsolete or decommissioned replication master, the changelog was invalidated. As a consequence, Directory Server emitted error messages and required re-initialization. This update ensures that the user is properly informed about obsolete or decommissioned replication masters, and that such masters are deleted from the RUV entries. | ||
| 781516 | Previously, when a non-leaf node became a tombstone entry, its child entries lost the parent-child relationships. Consequently, non-leaf tombstone entries could have been reaped prior to their child tombstone entries. This update fixes the underlying source code so that parent-child relationships are maintained even when a non-leaf entry is deleted. As a result, tombstones are now reaped correctly in the bottom-up order. | ||
| 781529 | Previously, no validation of managed entry attributes against the managed entry template was performed before updating Directory Server's managed entries. Consequently, managed entries could have been updated after updating an original entry attribute that was not contained in the managed entry template. | ||
| 81533 | Previously, Directory Server did not shut down before all running tasks had been completed. Consequently, it sometimes took a long time for the Directory Server to shut down when a long-running task was being carried out. | ||
| 781537 | Directory Server expected the value of the authzid attribute to be fully BER-encoded. Consequently, the following error was returned when performing the ldapsearch command with proxy authorization:
unable to parse proxied authorization control (2 (protocol error))
| ||
| 781538 | Previously, the buffer for matching rule OIDs had a fixed size of 1024 characters. Consequently, matching rule OIDs got truncated when their total length exceeded 1024 characters. | ||
| 781539 | Executing the ldapsearch command on the "cn=config" object returned all attributes of the object, including attributes with empty values. This update ensures that attributes with empty values are not saved into "cn=config" and enhances the ldapsearch command with a check for empty attributes. | ||
| 781541 | Log records of proxy operations displayed the bound user as the one who performed the operation, rather than the proxy user. This behavior has been changed. | ||
| 784343 | The database upgrade scripts checked if the server was offline by checking for the presence of .pid files. In some cases, however, the files remain present even if the associated processes have already been terminated. Consequently, the upgrade scripts sometimes assumed that the Directory Server was online and did not proceed with the database upgrade even if the server was actually offline. | ||
| 784344 | Previously, the repl-monitor command used only the subdomain part of hostnames for host identification. Consequently, hostnames with the identical subdomain part (for example: "ldap.domain1", "ldap.domain2") were identified as a single host, and inaccurate output was produced. | ||
| 788140 | The server used unnormalized DN strings to perform internal search and modify operations while the code for modify operations expected normalized DN strings. Consequently, error messages like the following one were logged when performing replication with domain names specified in unnormalized format:
NSMMReplicationPlugin - repl_set_mtn_referrals: could not set referrals for replica dc=example,dc=com: 32
| ||
| 788724 | The code for extensible search filters used strcmp routines for value comparison. Consequently, using extensible search filters with binary data returned incorrect results. | ||
| 788725 | Value normalization of the search filter did not respect the used filter type and matching rules. When using different values than the default comparison type for the searched attribute syntax, search attempts returned incorrect results. | ||
| 788729 | Tombstones of child entries in a database were handled incorrectly. Therefore, if the database contained deleted entries that were converted to tombstones, an attempt to reindex the entryrdn index failed with the following error message:
_entryrdn_insert_key: Getting "nsuniqueid=ca681083-69f011e0-8115a0d5-f42e0a24,ou=People,dc=example,dc=com" failed
| ||
| 788731 | RUV tombstone entries were indexed incorrectly by the entryrdn index. Consequently, attempts to search for such entries were not successful. | ||
| 788741 | The Distributed Numeric Assignment Plug-in used too short timeout for requests to replicate a range of UIDs. Consequently, using replication with DNA to add users sometimes failed on networks with high latency, returning the following error message:
Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed
With this update, the default timeout for such replication requests has been set to 10 minutes. | ||
| 788745 | Change sequence numbers in the RUV were not refreshed when a replication role was changed, leading to inconsistent data. | ||
| 788749 | Errors in schema files were not reported clearly in log files. Consequently, the messages could be incorrectly interpreted as reporting an error in the dse.ldif file. | ||
| 788750 | The server used an outdated version of the nisDomain schema after an upgrade. Consequently, restarting Directory Server after an upgrade produced the following error message:
attr_syntax_create - Error: the EQUALITY matching rule [caseIgnoreMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.26] for the attribute [nisDomain]
| ||
| 788751 | Directory Server previously did not properly release allocated memory after finishing normalization operations. This caused memory leaks to occur during server's runtime. | ||
| 788753 | The "connection" attribute was not included in the cn=monitor schema, which caused the access control information (ACI) handling code to ignore the ACI. Consequently, requesting the connection attribute when performing anonymous search on cn=monitor returned the connection attribute, even though it was denied by the default ACI. This update ensures that the ACI is processed even if the attribute is not in the schema. | ||
| 788755 | Previously, IPv4-mapped IPv6 addresses were treated as independent addresses by Directory Server. Consequently, errors were reported during server startup when such addresses conflicted with standard IPv4 addresses. | ||
| 790491 | A NULL pointer dereference sometimes occurred when initializing a Directory Server replica. Consequently, the server terminated unexpectedly with a segmentation fault. | ||
| 796770 | A double free error sometimes occurred during operations with orphaned tombstone entries. Consequently, when an orphaned tombstone entry was passed to the tombstone_to_glue function, the Directory Server terminated unexpectedly. | ||
| 800215 | An internal loop was incorrectly handled in the ldapcompare command. Consequently, performing concurrent comparison operations on virtual attributes caused the Directory Server to become unresponsive. | ||
| 803930 | When upgrading Directory Server, server startup had been initiated before the actual upgrade procedure finished. Consequently, the startup failed with the following error message:
ldif2dbm - _get_and_add_parent_rdns: Failed to convert DN cn=TESTRELM.COM to RDN
| ||
| 811291 | The range read operation did not correctly handle situations when an entry was deleted while a ranged search operation was being performed. Consequently, performing delete and ranged search operations concurrently under heavy loads caused the Directory Server to terminate unexpectedly. | ||
| 813964 | When performing delete and search operations against Directory Server under high load, the DB_MULTIPLE_NEXT pointer to the stack buffer could have been set to an invalid value. As a consequence, pointer's dereference lead to an attempt to access memory that was not allocated for the stack buffer. This caused the server to terminate unexpectedly with a segmentation fault. Now, if the pointer's value is invalid, the page or value is considered deleted and the stack buffer is reloaded. | ||
| 815991 | The ldap_initialize() function is not thread-safe. Consequently, Directory Server terminated unexpectedly during startup when using replication with many replication agreements. This update ensures that calls of the ldap_initialize() function are protected by a mutual exclusion. | ||
| An attempt to rename an RDN failed if the new string sequence was the same except of using the different lower/upper case of some letters. This update fixes the code so that it is possible to rename RDNs to the same string sequence with case difference. | ||
| 822700 | ACI handling did not reject incorrectly specified DNs. Consequently, incorrectly specified DNs in an ACI caused Directory Server to terminate unexpectedly during startup or after an online import. | ||
| 824014 | Previously, the code handling the entryusn attribute modified cache entries directly. Consequently under heavy loads, the server terminated unexpectedly when performing delete and search operations using the entryusn and memberof attributes with referential integrity enabled. | ||
Table 4. Bugs Fixed in Red Hat Enterprise Linux 6.4 Errata
| RHSA-2013:0503 | |
|---|---|
| Bugzilla | Description |
| CVE-2012-4450 | A flaw was found in the way Directory Server enforced ACLs after performing an LDAP modify relative distinguished name (modrdn) operation. After modrdn was used to move part of a tree, the ACLs defined on the moved DN were not properly enforced until the server was restarted. This could allow LDAP users to access information that should be restricted by the defined ACLs. |
| 742381 | Due to certain changes under the cn=config suffix, when an attribute value was deleted and then added back in the same modify operation, error 53 was returned. Consequently, the configuration could not be reset. This update allows delete operations to succeed if the attribute is added back in the same modify operation and reset the configuration file as expected. |
| 757836 | Previously, the logconv.pl script used a connection number equal to 0 (conn=0) as a restart point, which caused the script to return incorrect restart statistics. Directory Server is now configured to use connection number equal to 1 (conn=1) as the restart point. |
| 803873 | The Windows Sync feature uses the name in a search filter to perform an internal search to find an entry. Parentheses, ( and ), are special characters in the LDAP protocol and therefore must be escaped. However, an attempt to synchronize an entry containing parentheses in the name from an Active Directory erver failed with an error. With this update, Directory Server properly escapes the parentheses. |
| 818762 | When having an entry in a Directory Server with the same user name, group name, or both as an entry in Active Directory and simultaneously the entry in Active Directory was out of scope of the Windows Sync feature, the Directory Server entry was deleted. This update adds the new winSyncMoveAction Directory Server attribute for the Windows Sync agreement entry, which allows the user to specify the behavior of out-of-scope Active Directory entries. The value could be set to:
|
| 830334 | Due to an incorrect interpretation of an error code, Directory Server considered an invalid chaining configuration setting as the disk full error and shut down unexpectedly. |
| 830335 | Previously, restoring an LDIF file from a replica which had older changes that other servers did not see yet, could lead to these updates not being replicated to other replicas. With this update, Directory Server checks the change sequence numbers (CSNs) and allows the older updates to be replicated. |
| 830336 | When a Directory Server was under a heavy read and write load, and an update request was processed, a DB_LOCK_DEADLOCK error message appeared in the error log, such as:
entryrdn-index - _entryrdn_put_data: Adding the parent link (XXX) failed: DB_LOCK_DEADLOCK: Locker killed to resolve a deadlock (-30994)
These errors are common under these circumstances and there should not have been recorded in the error log. |
| 830337 | When a Directory Server was configured to use multi-master replication and the entry USN plug-in, a delete operation was not replicated to the other masters. This update prevents the USN plug-in from changing the delete operation into a delete tombstone operation and from removing the operation before it logs into the change log to replay to other servers. As a result, the delete operation is replicated to all servers as expected. |
| 830338 | Previously, Directory Server did not refresh its Kerberos cache. Consequently, if a new Kerberos ticket was issued for a host that had already authenticated against a Directory Server, it would be rejected by this server until it was restarted. With this update, the Kerberos cache is flushed after an authentication failure. |
| 830343 | Using the Managed Entry plug-in in conjunction with other plug-ins, such as Distributed Numeric Assignment (DNA), MemberOf, and Auto Member, led to problems with delete operations on entries that managed the Managed Entry plug-in. The manager entry was deleted, but the managed entry was not. The deadlock retry handling has been improved so that both entries are deleted during the same database operation. |
| 830344 | Previously, replication errors logged in the error log could contain incorrect information. With this update, the replication errors have been modified to be more useful in diagnosing and fixing problems. |
| 830346 | When audit logging in a Directory Server was enabled, LDAP add operations were ignored and were not logged. This update removes a regression in the audit log code that caused the add operation to be ignored, and LDAP add operations are now logged to the audit log as expected. |
| 830348 | Directory Servers with a large number of replication agreements took a considerable amount of time to shut down due to a long sleep interval coded in the replication stop code. This sleep interval has been reduced to speed up the system termination. |
| 830349 | Previously, in a SASL map definition, using a compound search filter that included the ampersand (&) character failed because the ampersand was escaped. |
| 832560 | When replication was configured and a conflict occurred, under certain circumstances, an error check did not reveal this conflict, because a to-be-deleted attribute was already deleted by another master. Consequently, the conflict terminated the server. This update improves error checks to prevent replication conflicts from crashing the server. |
| 833202 | Previously, internal entries that were in the cache were freed when retrying failed transactions due to a deadlock. This behavior caused problems in a Directory Server and this server could terminate under a heavy update load. With this update, the cached internal entries are no longer freed and directory servers do not crash in the described scenario. |
| 833218 | Due to improper deadlock handling, the database reported an error instead of retrying the transaction. Consequently, under a heavy load, the Directory Server got deadlock errors when attempting to write to the database. The deadlock handling has been fixed and Directory Server works as expected in such a case. |
| 834047 | Internal access control prohibited deleting newly added or modified passwords. This update allows the user to delete any password if they have the modify rights. |
| 834054 | Certain operations, other than ldapmodify operations, can cause the Directory Server to modify internal attributes. For example, a bind operation can cause updates to password failure counters. In these cases, Directory Server was updating attributes that could only be updated during an explicit ldapmodify operation, such as the modifyTimestamp attribute. This update adds a new internal flag to skip the update of these attributes on other than modify operations. |
| 834056 | Due to an invalid configuration setup in the Auto Memmber plug-in, the Directory Server became unresponsive under certain circumstances. With this update, the configuration file is validated, invalid configurations are not allowed, and the server no longer hangs. |
| 834057 | When using SNMP monitoring, Directory Server terminated at startup if there were multiple LDAP servers listed in the ldap-agent.conf file. With this update, the buffer between LDAP servers no longer resets and Directory Server starts up regardless of the number of LDAP servers listed in the configuration file. |
| 834064 | Previously, the dnaNextValue counter was incremented in the pre-operation stage. Consequently, if the operation failed, the counter was still incremented. Now, the dnaNextValue counter is not incremented if the operation fails. |
| 834065 | When a replication agreement was added without the LDAP bind credentials, the replication process failed with a number of errors. With this update, Directory Server validates the replication configuration and ensures that all needed credentials are supplied. As a result, Directory Server rejects invalid replication configuration before attempting to replicate with invalid credentials. |
| 834075 | Previously, the logconv.pl script did not grab the correct search base, and as a consequence, the searching statistics were invalid. A new hash has been created to store connections and operation numbers from search operations. As a result, logconv.pl now grabs the correct search base and no longer produces incorrect statistics. |
| 838706 | When using the Referential Integrity plug-in, renaming a user DN did not rename the user's DN in the user's groups, unless that case matched exactly. With this update, case-insensitive comparisons or DN normalizations are performed, so that the member attributes are updated when the user is renamed. |
| 840153 | Previously, the Attribute Uniqueness plug-in did comparisons of un-normalized values. Consequently, using this plug-in and performing the LDAP rename operation on an entry containing one of the attributes which were tested for uniqueness by this plug-in caused the LDAP rename operation to fail with the following error:
Constraint Violation - Another entry with the same attribute value already exists.
With this update, Attribute Uniqueness ensures that comparisons are performed between values which were normalized the same way, and LDAP rename works as expected. |
| 841600 | When the Referential Integrity plug-in was used with a delay time greater than 0, and the LDAP rename operation was performed on a user entry with DN specified by one or more group entries under the scope of the Referential Integrity plug-in, the user entry DN in the group entries did not change. |
| 842438 | To improve the performance, the entry cache size is supposed to be larger then the primary database size if possible. Previously, Directory Server did not alert the user that the size of the entry cache was too small. Consequently, the user could not notice that the size of the entry cache was too small and that they should enlarge it. With this update, the configured entry cache size and the primary database size are examined, and if the entry cache is too small, a warning is logged in the error log. |
| 842440 | Previously, the Memberof plug-in code executed redundant DN normalizations and therefore slowed down the system. |
| 842441 | Previously, the Directory Server could disallow changes that were made to the nsds5ReplicaStripAttrs attribute using the ldapmodify operation. Consequently, the attribute could only be set manually in the dse.ldif file when the server was shut down. With this update, the user is now able to set the nsds5ReplicaStripAttrs attribute using the ldapmodify operation. |
| 850683 | Previously, Directory Server did not check attribute values for the nsds5ReplicaEnabled feature which caused this feature to be disabled. With this update, Directory Server checks if the attribute value for nsds5ReplicaEnabled is valid and reports an error if it is not. |
| 852088 | When multi-master replication or database chaining was used with the TLS/SSL protocol, a server using client certificate-based authentication was unable to connect and connection errors appeared in the error log. With this update, the internal TLS/SSL and certificate setup is performed correctly and communication between servers works as expected. |
| 852202 | Previously, there was a race condition in the replication code. When two or more suppliers were attempting to update a heavily loaded consumer at the same time, the consumer could, under certain circumstances, switch to total update mode, erase the database, and abort replication with an error. The underlying source code has been modified to prevent the race condition. As a result, the connection is now protected against access from multiple threads and multiple suppliers. |
| 852839 | Due to the use of an uninitialized variable, a heavily loaded server processing multiple simultaneous delete operations could terminate unexpectedly under certain circumstances. This update provides a patch that initializes the variable properly. |
| 855438 | Due to an incorrect attempt to send the cleanallruv task to the Windows WinSync replication agreements, the task became unresponsive. With this update, the WinSync replication agreements are ignored and the cleanallruv task no longer hangs in the described scenario. |
| 856657 | Previously, the dirsrv init script always returned 0, even when one or all the defined instances failed to start. This update applies a patch that improves the underlying source code and dirsrv no longer returns 0 if any of the defined instances failed. |
| 858580 | The schema reload task reloads schema files in the schema directory. Simultaneously, Directory Server has several internal schemas which are not stored in the schema directory. These schemas were lost after the schema reload task was executed. Consequently, adding a posixAccount class failed. With this update, the internal schemas are stashed in a hash table and reloaded with external schemas. As result, adding a posixAccount is successful. |
| 863576 | When abandoning a simple paged result request, Directory Server tried to acquire a connection lock twice, and because the connection lock is not self reentrant, Directory Server was waiting for the lock forever and stopped the server. This update provides a patch that eliminates the second lock. |
| 864594 | Previously, anonymous resource limits applied to the Directory Manager. However, the Directory Manager should never have any limits. With this update, anonymous resource limits no longer apply to Directory Manager. |
| 868841 | Even if an entry in Active Directory did not contain all the required attributes for the POSIX account entry, the entry was synchronized to the Directory Server as a POSIX entry. Consequently, the synchronization failed due to a missing attribute error. With this update, if an entry does not have all the required attributes, the POSIX account related attributes are dropped and the entry is synchronized as an ordinary entry. As a result, the synchronization is successful. |
| 870158 | When a Directory Server was under a heavy load, deleting entries using the Entry USN feature caused tombstone entry indexes to be processed incorrectly. Consequently, the server could become unresponsive. This update fixes Directory Server to process tombstone indexes correctly, so that the server no longer hangs in this situation. |
| 870162 | Previously, the abandon request checked if the operation to abandon existed. When a search operation was already finished and an operation object had been released, a Simple Page Results request could fail due to this check. This update modifies Directory Server to skip operation existence checking, so that simple paged results requests are always successfully aborted. |
| 875862 | Previously, the DNA plug-in attempted to dereference a NULL pointer value for the dnaMagicRegen attribute. Consequently, if DNA was enabled with no dnamagicregen value specified in its configuration and an entry with an attribute that triggered the DNA value generation was added, the server could terminate unexpectedly. This update improves the Directory Server to check for an empty dnamagicregen value before it attempts to dereference this value. |
| 876694 | Previously, the code to check if a new superior entry existed, returned the No such object error only when the operation was requested by the Directory Manager. Consequently, if an ordinary non-root user attempted to use the modrdn operation to move an entry to a non-existing parent, the server terminated unexpectedly. This update provides a patch that removes the operator condition so that the check returns the No such object error even if the requester is an ordinary user, and the modrdn operation performed to the non-existing parent successfully fails for any user. |
| 876727 | If a filter contained a range search, the search retrieved one ID per one idl_fetch attribute and merged it to the ID list using the idl_union() function. This process is slow, especially when the range search result size is large. With this update, Directory Server switches to ALLID mode by using the nsslapd-rangelookthroughlimit switch instead of creating a complete ID list. As a result, the range search takes less time. |
| 891930 | An attempt to add a new entry to the DNA plug-in when the range of values was depleted returned a vague error about failing to allocate a new value for the range. The error message has been improved with more details about the failure. |
| 896256 | Previously, an upgrade of the 389-ds-base packages affected configuration files. Consequently, custom configuration files were reverted to by default. This update provides a patch to ensure that custom changes in configuration files are preserved during the upgrade process. |
| 834061 | Previously, Directory Server did not include the SO_KEEPALIVE settings and connections could not be closed properly. This enhancement implements the SO_KEEPALIVE settings to the Directory Server connections. |
| RHBA-2012:1345-1 | |
|---|---|
| 757773 | Prior to this update, the Red Hat Directory Server Console showed the same SSL port for two simultaneous Directory Server instances, which could lead to LDAP operation conflicts. As a consequence, SSL configuration, certificate management and other operations could fail. This update fixes the Console so that it will use different SSL ports. |
| 806566 | Prior to this update, the Red Hat Directory Server Console did not support the class of service (CoS) merge-schemes qualifier. As a consequence, a CoS configured through the CLI to use the merge-schemes qualifier would strip the cosAttribute attribute when the CoS was viewed or modified in the Console. |
| RHSA-2013:0503-3 | |
|---|---|
| CVE-2012-4450 | A flaw was found in the way Directory Server enforced ACLs after performing an LDAP modify relative distinguished name (modrdn) operation. After modrdn was used to move part of a tree, the ACLs defined on the moved (Distinguished Name) were not properly enforced until the server was restarted. This could allow LDAP users to access information that should be restricted by the defined ACLs. |
| RHSA-2013:0742-2 | |
|---|---|
| CVE-2013-1897 | It was found that the Directory Server did not properly restrict access to entries when the nsslapd-allow-anonymous-access configuration setting was set to rootdse. An anonymous user could connect to the LDAP database and, if the search scope is set to base, obtain access to information outside of the root DSE. |
| 929107 | Previously, the schema-reload plug-in was not thread-safe. Consequently, executing the schema-reload.pl script under heavy load could cause the ns-slapd process to terminate unexpectedly with a segmentation fault. |
| 929111 | An out of scope problem for a local variable, in some cases, caused the modrdn operation to terminate unexpectedly with a segmentation fault. This update declares the local variable at the proper place of the function so it does not go out of scope, and the modrdn operation no longer crashes. |
| 929114 | A task manually constructed an exact value to be removed from the configuration if the replica-force-cleaning option was used. Consequently, the task configuration was not cleaned up, and every time the server was restarted, the task attempted to rebuild the value to remove again. This update searches the configuration for the exact value to delete, instead of manually building the value, and the task does not restart when the server is restarted. |
| 929115 | Previously, a NULL pointer dereference could have occurred when attempting to get effective rights on an entry that did not exist, leading to an unexpected termination due to a segmentation fault. This update checks for NULL entry pointers and returns the appropriate error. |
| 929196 | A problem in the lock timing in the DNA plug-in caused a deadlock if the DNA operation was executed with other plug-ins. This update moves the release timing of the problematic lock, and the DNA plug-in does not cause the deadlock. |
| RHSA-2013:0628-1 | |
|---|---|
| CVE-2013-0312 | A flaw was found in the way LDAPv3 control data was handled by Directory Server. If a malicious user were able to bind to the directory (even anonymously) and send an LDAP request containing crafted LDAPv3 control data, they could cause the server to crash, denying service to the directory. |
| 910994 | After an upgrade from Red Hat Enterprise Linux 6.3 to version 6.4, the upgrade script did not update the schema file for the pamConfig object class. Consequently, new features for PAM such as configuration of multiple instances and the pamFilter attribute could not be used because of the schema violation. With this update, the upgrade script updates the schema file for the pamConfig object class. |
| 910996 | The Directory Server failed when multi-valued attributes were replaced. The problem occurred when replication was enabled, while the server executing the modification was configured as a single master and there was at least one replication agreement. Consequently, the modification requests were refused by the master server, which returned a code 20 Type or value exists error message. These requests were replacements of multi-valued attributes, and the error only occurred when one of the new values matched one of the current values of the attribute, but had a different letter case. |
| 911467 | The DNA Plug-in, under certain conditions, could log error messages with the "DB_LOCK_DEADLOCK" error code when attempting to create an entry with a uidNumber attribute. |
| 911468 | Posix Winsync plugin was calling an intefilenamernal modify function which was not necessary. The internal modify call failed and logged an error message slapi_modify_internal_set_pb: NULL parameter, which was not clear. This patch stops calling the internal modify function if it is not necessary. |
| 911469 | Under certain conditions, the dse.ldif file had 0 bytes after a server termination or when the machine was powered off. Consequently, after the system was brought up, a Directory Server or IdM system could be unable to restart, leading to production server outages. Now, the server mechanism by which the dse.ldif is written is more robust, and tries all available backup dse.ldif files, and outages no longer occur. |
| 911474 | Due to an incorrect interpretation of an error code, a Directory Server considered an invalid chaining configuration setting as the disk full error and shut down unexpectedly. Now, a more appropriate error code is in use and the server no longer shuts down from invalid chaining configuration settings. |
| 914305 | While trying to remove a tombstone entry, the ns-slapd daemon terminated unexpectedly with a segmentation fault. With this update, removal of tombstone entries no longer causes crashes. |
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.