- When an OpenLDAP server was running with the LDAP Sync replication engine (syncrepl) enabled and a large amount of data was replicated, memory usage was high. As a result, the standalone LDAP daemon (slapd) was sometimes unable to allocate enough free memory through its default memory allocation mechanism. It then fell back on the secondary memory allocation mechanism without freeing the memory properly, which caused memory leaks. With this update, the slapd daemon frees the memory correctly in this scenario, and the memory leaks no longer occur.
- Prior to this update, some parts of OpenLDAP could not be debugged because the debug data was incomplete: the debug data of some modules was stripped at an early stage of the package build process. This update disables that stripping, and the openldap-debuginfo package is now generated correctly.
- The openldap package compilation log contained warnings about violations of strict-aliasing rules. Such violations can lead to unexpected runtime behavior. The "-fno-strict-aliasing" option is now passed to the compiler to avoid optimizations that can produce invalid code. This change should improve the stability and reliability of OpenLDAP.
- In a distributed environment, a root DN (distinguished name) can be specified instead of a hostname when connecting to an OpenLDAP server. The root DN is used to look up the corresponding hosts through DNS SRV (service) records. Prior to this update, the priority and weight of the individual SRV records were ignored and the connection was made to the host in the first SRV record returned by the DNS server. As a consequence, a server in a different geographic location could be queried, leading to high response times. Servers are now queried according to their priority and weight, as specified by RFC 2782.
- When an OpenLDAP server was running with the LDAP Sync replication engine (syncrepl) enabled and a large amount of data was replicated, memory usage was high. Consequently, the standalone LDAP daemon (slapd) was sometimes not able to allocate enough free memory using its default memory allocation mechanism, and slapd fell back on the secondary memory allocation mechanism without freeing the memory properly, causing memory leaks. With this update, the slapd daemon frees the memory correctly in such a scenario, and memory leaks no longer occur.
- Due to an error introduced in one of the previous updates, initializing a connection to a slapd server could cause CPU usage to reach 100% and the server to become unresponsive for about three seconds. With this update, an existing upstream patch has been applied to address this issue, and the OpenLDAP suite now works as expected.
- Previously, multiple concurrent connections to an OpenLDAP server could cause the slapd service to terminate unexpectedly with an assertion error. This update applies an upstream patch that adds mutexes to protect the connection structure from concurrent access by multiple threads, and the slapd service no longer crashes.
- The libldap library did not provide the ldap_init_fd() function, even though certain utilities such as cURL rely on it and could not work properly as a result. This update applies a backported upstream patch that implements this API function, and these tools now work as expected.
- When the openldap-servers package was installed with syncrepl replication configured, adding or removing data on a master server occasionally caused the slapd server to terminate unexpectedly. An upstream patch has been applied, and the crashes no longer occur in the described scenario.
- When running the slapd service with the ppolicy overlay enabled, an attempt to delete the userPassword attribute could cause the service to terminate unexpectedly, leaving the database in a corrupted state. With this update, an upstream patch has been applied to address this issue, and deleting the userPassword attribute no longer causes the slapd service to crash.
- Some parts of OpenLDAP were impossible to debug due to incomplete debug data. The problem was caused by stripping debug data of some modules at an early stage of the package build process. This update disables the stripping and the openldap-debuginfo package is generated correctly.
- Previously, the openldap package compilation log file contained warnings about violations of strict-aliasing rules. These warnings indicated that unexpected runtime behavior could occur. With this update, the -fno-strict-aliasing option is passed to the compiler to avoid optimizations that can produce invalid code, and these warnings are no longer emitted during package compilation.
- When the openldap client was configured with the TLS_CACERTDIR option, some of the certificate files were not accessible. Consequently, openldap could not establish TLS (Transport Layer Security) connections. An upstream patch has been provided to address this issue and openldap now establishes TLS connections to the server, even if some certificates specified in
- Previously, the ldap init script was incorrectly marked as a configuration file. When the script had been modified manually while the openldap-servers package was installed and the package was then updated, the init script was not overwritten as part of the upgrade. With this update, the openldap spec file has been changed to reflect that the ldap init script is not a configuration file, and openldap-servers now overwrites the init script properly in the described scenario.
- When the openldap-servers package was installed, the server had been shut down incorrectly, and the database needed recovery, the openldap init script failed to start the server again. With this update, a new option has been added to the tool that checks the openldap server configuration. The new option skips the database checks, and the openldap server now starts properly in the described scenario.
- The ldap.conf(5) manual page has been updated to emphasize that, to specify Certificate Authorities, the TLS_CACERT option is the preferred one to the
- When the migrate_all_offline.sh script was used to migrate accounts and encountered duplicate accounts, the migration process terminated. With this update, the script no longer interrupts the migration when certain errors occur, so local duplicate accounts no longer abort the migration process.
- Previously, when a connection to an LDAP server was created by specifying a search root DN (distinguished name) instead of the server hostname, the SRV records in DNS were requested and a list of LDAP server hostnames was generated. The servers were then queried in the order in which the DNS server returned them; the priority and weight of the records were ignored. This update adds support for the priority and weight of DNS SRV records, and the servers are now queried according to them, as required by RFC 2782.
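The following is an added example, not code from OpenLDAP or from these release notes, illustrating the difference between the pre-fix behaviour (try hosts in DNS answer order) and the RFC 2782 selection rule described in this entry and in the earlier summary entry. The SRV answer is constructed for the example and the hostnames (ldap1/ldap2/ldap3/ldap-dr.example.com) are hypothetical; the `randint` parameter is an assumption of this example so the weighted choice can be made deterministic.

```python
"""RFC 2782 SRV record ordering, as an added illustration (not OpenLDAP code)."""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample answer for a hypothetical _ldap._tcp.example.com lookup.
# Hostnames are made up for this example; they do not appear in the original notes.
# Note the DNS server happens to list the far-away fallback first.
SAMPLE_SRV = [
    SrvRecord(priority=20, weight=0, port=389, target="ldap-dr.example.com"),  # fallback tier
    SrvRecord(priority=10, weight=60, port=389, target="ldap1.example.com"),
    SrvRecord(priority=10, weight=40, port=389, target="ldap2.example.com"),
    SrvRecord(priority=10, weight=0, port=389, target="ldap3.example.com"),    # weight 0: last resort in tier
]


def naive_order(records):
    """Pre-fix behaviour: try hosts in the order the DNS answer listed them."""
    return [r.target for r in records]


def rfc2782_order(records, randint=random.randint):
    """Order targets per RFC 2782: lowest priority first, weighted random within a tier.

    `randint(a, b)` (inclusive bounds) is injectable so tests can force a choice.
    """
    ordered = []
    tiers = {}
    for rec in records:
        tiers.setdefault(rec.priority, []).append(rec)
    for priority in sorted(tiers):  # lower priority value = try first
        group = list(tiers[priority])
        while group:
            # RFC 2782: weight-0 records go to the front of the list so they are
            # selected only when the random number is 0 (or when all weights are 0).
            group.sort(key=lambda r: r.weight != 0)  # stable sort keeps other order
            total = sum(r.weight for r in group)
            pick = randint(0, total)
            running = 0
            chosen = len(group) - 1
            for idx, rec in enumerate(group):
                running += rec.weight
                if running >= pick:  # first record whose running sum reaches the pick
                    chosen = idx
                    break
            ordered.append(group.pop(chosen).target)
    return ordered


def first_choice_frequencies(records, trials=2000, seed=2782):
    """Count how often each target is tried first, to show weights are honoured."""
    rng = random.Random(seed)
    counts = {r.target: 0 for r in records}
    for _ in range(trials):
        counts[rfc2782_order(records, randint=rng.randint)[0]] += 1
    return counts


if __name__ == "__main__":
    print("DNS answer order (pre-fix):", naive_order(SAMPLE_SRV))
    print("RFC 2782 order            :", rfc2782_order(SAMPLE_SRV))
    print("first choice, 2000 trials :", first_choice_frequencies(SAMPLE_SRV))
```

With the answer order, the priority-20 fallback host is contacted first every time, which is the high-latency behaviour the entry describes; with RFC 2782 ordering it is only tried after every priority-10 host, and within that tier ldap1 is chosen first roughly 60% of the time, ldap2 roughly 40%, and the weight-0 host almost never.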