4.128. openldap

Updated openldap packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The openldap packages contain configuration files, libraries, and documentation for OpenLDAP. OpenLDAP is an open source suite of Lightweight Directory Access Protocol (LDAP) applications and development tools. LDAP is a set of protocols for accessing directory services over the Internet, similar to the way Domain Name System (DNS) information is propagated over the Internet.

Bug Fix

BZ#750538
When running an OpenLDAP server with the LDAP Sync replication engine (syncrepl) enabled and a large amount of data was replicated, memory was used extensively. Due to this high memory usage, the standalone LDAP daemon (slapd) was sometimes not able to allocate enough free memory using its default memory allocation mechanism. As a consequence, slapd fell back on the secondary memory allocation mechanism without freeing the memory properly, thus causing memory leaks. With this update, the slapd daemon frees the memory correctly in such a scenario, and memory leaks no longer occur.
All users of openldap are advised to upgrade to these updated packages, which fix this bug.
Updated openldap packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 5.
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. The openldap packages contain configuration files, libraries, and documentation for OpenLDAP.

Bug Fixes

BZ#734144
Prior to this update, some parts of OpenLDAP were impossible to debug due to incomplete debug data. The problem was caused by stripping debug data of some modules at an early stage of the package build process. This update disables the stripping and the openldap-debuginfo package is generated correctly.
BZ#734145
The openldap package compilation log contained warnings about code that breaks strict-aliasing rules. The presence of these warnings may have led to unexpected runtime behavior. The "-fno-strict-aliasing" option is now passed to the compiler to avoid optimizations that can produce invalid code. The change might contribute to the stability and reliability of OpenLDAP.

Enhancement

BZ#733659
In a distributed environment, a Root DN (distinguished name) can be specified instead of a hostname to connect to an OpenLDAP server. The Root DN is used to look up the corresponding hosts using the DNS SRV (Domain Name Server Service) records. Prior to this update, the priority and weight of individual SRV records were ignored and the connection was created to the host in the first SRV record returned by the DNS server. As a consequence, a server in a different geographic location may have been queried, leading to high response times. Servers are now queried according to their priority and weight, which conforms to the RFC 2782 standard.
Users are advised to upgrade to these updated openldap packages, which resolve these bugs and add this enhancement.
Updated openldap packages that fix several bugs and add an enhancement are now available for Red Hat Enterprise Linux 5.
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access Protocol) applications and development tools. LDAP is a set of protocols for accessing directory services (usually phone book style information, but other information is possible) over the Internet, similar to the way DNS (Domain Name System) information is propagated over the Internet. The openldap package contains configuration files, libraries, and documentation for OpenLDAP.

Bug Fixes

BZ#741184
When an OpenLDAP server was running with the LDAP Sync replication engine (syncrepl) enabled and a large amount of data was replicated, the memory was used extensively. Consequently, the standalone LDAP daemon (slapd) was sometimes not able to allocate enough free memory using its default memory allocation mechanism and slapd fell back on the secondary memory allocation mechanism without freeing the memory properly, causing memory leaks. With this update, the slapd daemon frees the memory correctly in such a scenario, and memory leaks no longer occur.
BZ#591419
Due to an error introduced in one of the previous updates, initializing a connection to a slapd server may have caused the CPU usage to reach 100% and the server to become unresponsive for about three seconds. With this update, an existing upstream patch has been applied to target this issue, and the OpenLDAP suite now works as expected.
BZ#641953
Previously, multiple concurrent connections to an OpenLDAP server could cause the slapd service to terminate unexpectedly with an assertion error. This update applies an upstream patch that adds mutexes to prevent multiple threads from concurrently accessing a connection structure, and the slapd service no longer crashes.
BZ#655133
The libldap library did not provide the ldap_init_fd() function, even though certain utilities such as cURL rely on it and could not work properly as a result. This update applies a backported upstream patch that implements this API function, and these tools now work as expected.
BZ#620621
When the openldap-servers package was installed with the syncrepl utility configured, adding or removing data from a master server occasionally caused the slapd server to terminate unexpectedly. An upstream patch has been provided and the crashes no longer occur in the described scenario.
BZ#665951
When running the slapd service with the ppolicy overlay enabled, an attempt to delete the userPassword attribute could cause the service to terminate unexpectedly, leaving the database in a corrupted state. With this update, an upstream patch has been applied to address this issue, and deleting the userPassword attribute no longer causes the slapd service to crash.
BZ#684630
Some parts of OpenLDAP were impossible to debug due to incomplete debug data. The problem was caused by stripping debug data of some modules at an early stage of the package build process. This update disables the stripping and the openldap-debuginfo package is generated correctly.
BZ#732381
Previously, the openldap package compilation log file contained warning messages about violations of strict-aliasing rules. These warnings indicated that unexpected runtime behavior could occur. With this update, the -fno-strict-aliasing option is passed to the compiler to avoid optimizations that can produce invalid code, and no such warning messages are returned during package compilation.
BZ#609722
When the openldap client was configured with the TLS_CACERTDIR option, some of the certificate files were not accessible. Consequently, openldap could not establish TLS (Transport Layer Security) connections. An upstream patch has been provided to address this issue and openldap now establishes TLS connections to the server, even if some certificates specified in TLS_CACERTDIR are inaccessible.
BZ#738768
Previously, the ldap init script was incorrectly marked as a configuration file. When manual modifications had been made to it while the openldap-servers package was installed, and when the package had been updated, the init script was not overwritten as part of the upgrade. With this update, the openldap spec file has been updated to reflect that the ldap init script is not a configuration file, and openldap-servers now overwrites the init script properly in the described scenario.
BZ#604092
When the openldap-servers package was installed and the server had been shut down incorrectly so that the database needed recovery, the openldap init script failed to start the server again. With this update, a new option has been added to the tool which checks the openldap server configuration. The new option skips the database checks, and the openldap server now starts properly in the described scenario.
BZ#699652
The ldap.conf(5) manual page has been updated to emphasize that, to specify Certificate Authorities, the TLS_CACERT option is preferred over the TLS_CACERTDIR option.
BZ#563148
When the migrate_all_offline.sh script was used to migrate duplicate accounts, the migration process terminated. With this update, the script no longer interrupts the process when certain errors occur. Local duplicate accounts no longer cause the migration process to be interrupted.

Enhancement

BZ#733435
Previously, when a connection to an LDAP server was created by specifying the search root DN (distinguished name) instead of the server hostname, the SRV records in DNS were requested and a list of LDAP server hostnames was generated. The servers were then queried in the order in which the DNS server returned them, and the priority and weight of the records were ignored. This update adds support for the priority and weight of DNS SRV records, and the servers are now queried according to their priority and weight, as required by RFC 2782.
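The ordering rule described in BZ#733659 and BZ#733435 (lowest priority first, weighted random choice among records of equal priority, zero-weight records only rarely chosen) is shown below as an added example; it is not OpenLDAP's own code, and the hostnames and record values are constructed. The random source is injectable so the result can be checked deterministically.

```python
"""RFC 2782 SRV record ordering (added illustration, not libldap code)."""
import random
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def _pick_weighted(group: List[SrvRecord], rng: Callable[[int], int]) -> SrvRecord:
    # RFC 2782: list zero-weight records first so they have only a small
    # chance of selection; then pick the first record whose running sum of
    # weights reaches a random number drawn from [0, total weight].
    ordered = [r for r in group if r.weight == 0] + [r for r in group if r.weight > 0]
    total = sum(r.weight for r in ordered)
    pick = rng(total)
    running = 0
    for rec in ordered:
        running += rec.weight
        if running >= pick:
            return rec
    return ordered[-1]


def order_srv(records: List[SrvRecord],
              rng: Optional[Callable[[int], int]] = None) -> List[SrvRecord]:
    """Return the records in the order a client should try them."""
    rng = rng or (lambda total: random.randint(0, total))
    result: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):      # lowest priority first
        group = [r for r in records if r.priority == prio]
        while group:                                          # weighted draw without replacement
            chosen = _pick_weighted(group, rng)
            result.append(chosen)
            group.remove(chosen)
    return result


def example_order(rng: Optional[Callable[[int], int]] = None) -> List[str]:
    """Constructed records: two EU servers preferred over two US servers."""
    records = [
        SrvRecord(10, 60, 389, "ldap-eu1.example.com"),
        SrvRecord(10, 40, 389, "ldap-eu2.example.com"),
        SrvRecord(20, 0, 389, "ldap-us1.example.com"),
        SrvRecord(20, 100, 389, "ldap-us2.example.com"),
    ]
    return [r.target for r in order_srv(records, rng)]
```

Before this update, a client would have used whatever order the resolver returned, so `ldap-us2` could be contacted first; with priority honoured, the EU servers are always tried before either US server.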
All openldap users are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.