8.154. 389-ds-base

Updated 389-ds-base packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The 389 Directory Server is an LDAPv3 compliant server. The base packages include the Lightweight Directory Access Protocol (LDAP) server and command-line utilities for server administration.

Bug Fixes

Due to an incorrect interpretation of the error code, the Directory Server considered an invalid chaining configuration setting as the disk full error and terminated unexpectedly. Now, a more appropriate error code is used and the server no longer shuts down when invalid chaining configuration settings are specified.
After the upgrade from Red Hat Enterprise Linux 6.3 to version 6.4, the upgrade script did not update the schema file for the PamConfig object class. Consequently, new features for PAM (Pluggable Authentication Module), such as configuration of multiple instances and the pamFilter attribute, could not be used because of the schema violation. With this update, the upgrade script updates the schema file for the PamConfig object class as expected. As a result, the new features now function properly.
Previously, the valgrind test suite reported recurring memory leaks in the modify_update_last_modified_attr() function. The size of these leaks averaged between 60-80 bytes per modify call, which could cause problems in environments with frequent modify operations. With this update, memory leaks no longer occur in the modify_update_last_modified_attr() function.
Under certain circumstances, the Directory Server (DS) was not able to replace multi-valued attributes for new values that differed from the old ones only in the letter case. Consequently, a code 20 error message was displayed:
Type or value exists
With this update, DS has been modified to correctly process modification requests, and the letter case of attribute values can now be changed without complications.
Under certain circumstances, the DNA (Distributed Numeric Assignment) plug-in logged messages with the DB_LOCK_DEADLOCK error code when attempting to create an entry with a uidNumber attribute. This bug has been fixed and DNA now handles this case properly and errors are no longer logged in the aforementioned scenario.
The Posix Winsync plug-in was unnecessarily calling the internal modify() function. This internal modify() call failed and logged the following message:
slapi_modify_internal_set_pb: NULL parameter
With this update, Posix Winsync has been fixed and no longer calls modify(). As a result, the aforementioned message is no longer logged.
Under certain circumstances, the /etc/dirsrv/slapd-dstet-mkubik/dse.ldif file was written with 0 bytes after a server termination or when the system was powered off. Consequently, after the system restart, the DS or IdM system sometimes did not start, leading to production server outages. The server mechanism by which dse.ldif is written has been modified, and server outages no longer occur in the described case.
Prior to this update, while trying to remove a tombstone entry, the ns-slapd daemon terminated unexpectedly with a segmentation fault. This bug has been fixed and removal of tombstone entries no longer causes ns-slapd to crash.
Previously, the schema-reload plug-in was not thread-safe. Consequently, executing the schema-reload.pl script under a heavy load could have caused the ns-slapd process to terminate unexpectedly with a segmentation fault. With this update, schema-reload has been modified to be thread-safe, and schema-reload.pl can be now executed along with other LDAP operations without complications.
Due to an incorrect lock timing in the DNA (Distributed Numeric Assignment) plug-in, a deadlock occurred when DNA operation was executed along with other plug-ins. This update moves the release timing of the problematic lock, and DNA no longer causes the deadlock in the aforementioned scenario.
Under certain circumstances, an out of scope local variable caused the modrdn operation to terminate unexpectedly with a segmentation fault. This update modifies the declaration of the local variable so it does not get out of scope. As a result, modrdn operations no longer crash.
Previously, the cleanallruv task with the replica-force-cleaning option enabled did not remove all configuration attributes. Consequently, the task was initiated each time the server was restarted. With this update, the cleanallruv search mechanism has been modified, and cleanallruv no longer restarts when the server is restarted.
Due to a bug in the Acl plug-in, when using the getEffectiveRights request on a non-existing entry, a NULL pointer dereference could have occurred. Consequently, the server terminated unexpectedly with a segmentation fault. With this update, Acl has been modified to check for NULL entry pointers. As a result, the server no longer crashes and an appropriate error message is now displayed when using getEffectiveRights request on a non-existing entry.
Due to an insufficient size of the default sasl_io buffer, SASL connections could have been refused by the server. With this update, the buffer size has been increased to 65,536 bytes. Moreover, users can increase this value with the nsslapd-sasl-max-buffer-size setting. As a result, SASL connections are now accepted without complications.
Previously, the code responsible for replication conflict resolution in the 389-ds-base package did not work correctly in several cases, such as conflict DN generation, retrieving deleted parent entry, and examining the scope of a deleted entry. Consequently, an intermediate node entry with positive child count but without children could have been created. The server then refused to remove such an entry. This update fixes the replication conflict resolution code, thus preventing the incorrect node entry creation.
Previously, if a group on the Active Directory contained a member that was in a container that is not synchronized, synchronizing the group with the LDAP server was unsuccessful. Consequently, the valid members were not synchronized. With this update, the entries in such containers are omitted and the synchronization is now successful in the described case.
Prior to this update, certain schema definitions in the 389-ds-base package did not comply with the LDAP RFC 2252 standard. Consequently, problems with LDAP clients could have occurred. With this update, these schema definitions have been corrected to be compliant with LDAP RFC 2252.
Under a very high load of hundreds of simultaneous connections and operations, the Directory Server could have encountered a race condition in the connection handling code. Consequently, the server terminated unexpectedly with a segmentation fault. With this update, code that updates the connection objects has been moved into the connection mutex object. As a result, Directory Server does not crash under high loads.
Prior to this update, the Simple Paged Results control did not support an asynchronous search. Consequently, if the Directory Server received a large number of asynchronous search requests, some of the requests terminated with error 53:
With this update, asynchronous search support has been implemented into Simple Paged Results. As a result, Directory Server safely handles intensive asynchronous search requests.
Previously, when loading an entry from a database, the str2entry_dupcheck() function was called instead of the more appropriate str2entry_fast() function. This behavior has been changed and str2entry_fast() is now called in the described scenario.
The upgrade of Red Hat Enterprise Linux Identity Management server changed the value of the nsslapd-port variable to "0" for security reasons. The nsslapd-port is also used to construct the RUV (Replica Update Vector) used by replication. Previously, if the replication startup code found a zero nsslapd-port, it removed the RUV. Consequently, replication became unresponsive. With this update, the RUV is no longer removed in the aforementioned scenario, thus preventing the replication hang.
Previously, an empty control list was not handled properly by the Directory Server. Consequently, an LDAP protocol error was returned. With this update, Directory Server has been modified to handle sequences of zero length correctly, thus preventing the error.
When there was a request for a new LDAP connection at the same time as a request for a new LDAPS or LDAPI connection, the Directory Server processed only the LDAP request. With this update, Directory Server has been modified to process all listener requests at the same time.
Prior to this update, an incorrect error code (err=0) was returned when creating an invalid external SASL bind. With this update, a proper error code (err=48) is returned in the aforementioned scenario.
When the Directory Server (DS) encountered an error while it processed a startTLS request, the server attempted to write a response back to the client. Consequently, DS became unresponsive. With this update, DS has been modified to correctly process startTLS requests even in case of network errors. As a result, DS no longer hangs in the aforementioned scenario.
Previously, the size of the backlog parameter of the listen() function was set to "128". Consequently, if the server processed a large number of simultaneous connection requests, the server could have dropped connection requests because the backlog size was exceeded. With this update, an nsslapd-listen-backlog-size attribute has been added to allow the backlog size to be changed.
Previously, the disk monitoring feature of the Directory Server did not function properly. If logging functionality was set to "critical" and logging was disabled, the rotated logs were deleted. If the attribute nsslapd-errorlog-level was explicitly set to any value, even zero, the disk monitoring feature did not stop the Directory Server as expected. This update corrects the settings of the disk monitoring feature and the server shuts down when the critical threshold is reached.
Prior to this update, the connections attribute that stores the number of currently connected clients was incorrectly incremented twice, by both the disconnect_server_nomutex() and connection_reset() functions. Consequently, the attribute contained incorrect values. This bug has been fixed and the connections attribute now stores the correct number of connected clients.
When the Directory Server (DS) used both the replication and the DNA plug-in, and the client sent a sequence of ADD or DELETE requests for the same entry, DS returned the following message:
modify_switch_entries failed
This bug has been fixed, and the aforementioned message is no longer returned.
The internal password attribute is not preserved after the Directory Server (DS) restart. Previously, an attempt to delete the password after restarting DS caused DS to terminate unexpectedly. With this update, DS has been modified to check whether the password attribute exists, and if not, to skip the deletion. As a result, DS no longer crashes in the described case.
Prior to this update, when using the account policy plug-in to configure policies for individual users based on the createTimestamp attribute, the createTimestamp was overwritten after the subsequent bind. Consequently, account policy failed to lock the user. With this update, createTimestamp is no longer modified after a successful bind and account policy now locks users as expected.
Under certain circumstances, an inconsistent behavior of the modrdn operation when processing a tombstone entry caused the Directory Server (DS) to terminate unexpectedly. With this update, DS has been modified to correctly process tombstones with modrdn, thus preventing the crash.
Prior to this update, when an attribute was configured to be encrypted, the on-line import failed to encrypt this attribute on a server. This update allows encryption on the consumer side, during an on-line import, thus fixing this bug.
Previously, after removing the createTimestamp attribute from the account policy, this attribute was still applied by the Directory Server (DS). This bug has been fixed, and createTimestamp can now be effectively removed from the DS account policy.
BZ#975250, BZ#979169
Previously, with a mix of concurrent search, update, and replication operations a deadlock could have occurred between the changelog readers, writers, and main database writers. Consequently, the update operations failed. With this update, a new nsslapd-db-deadlock-policy configuration parameter has been introduced. The default value of this parameter is set to 9, which terminates the last locker in case of a deadlock. After changing this value to 6, the locker with the fewest write locks is terminated, which is advised for users who encounter frequent deadlocks.
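The three tunables introduced in this errata (nsslapd-sasl-max-buffer-size, nsslapd-listen-backlog-size, and nsslapd-db-deadlock-policy) are all set through cn=config entries. The following LDIF is an added example, not part of the errata text; it assumes the default configuration entry DNs of a 389-ds instance, and the buffer and backlog values are constructed, not values the errata recommends.

```ldif
# Added example: raise the SASL I/O buffer and the listen() backlog on the
# top-level server entry (values are constructed, not errata recommendations).
dn: cn=config
changetype: modify
replace: nsslapd-sasl-max-buffer-size
nsslapd-sasl-max-buffer-size: 2097152
-
replace: nsslapd-listen-backlog-size
nsslapd-listen-backlog-size: 512

# Switch the BDB deadlock policy from the default 9 (abort the last locker)
# to 6 (abort the locker holding the fewest write locks), as the errata
# advises for deployments that hit frequent changelog deadlocks.
dn: cn=config,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-db-deadlock-policy
nsslapd-db-deadlock-policy: 6
```

Apply it with ldapmodify as the Directory Manager, for example `ldapmodify -x -D "cn=Directory Manager" -W -f tuning.ldif`, and verify the new values with an ldapsearch on the same entries.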
Prior to this update, if certain requested attributes were skipped during a search, the returned attribute names and values were sometimes transformed to upper case. This update removes attributes that are not authorized from the requested attributes set, so that the names of returned attributes or values are preserved in the correct form.
Previously, after modifying a single-valued attribute in a multi-master replication environment, this change was not replicated to other servers. With this update, code that handles replication updates has been changed. As a result, the modify operations on single-valued attributes are replicated correctly.
Previously, setting the "nsslapd-disk-monitoring-threshold" attribute with the ldapmodify utility to a large value worked as expected; however, due to a bug in the ldapsearch utility, the threshold value was displayed as a negative number. This update corrects the bug in ldapsearch and correct threshold values are now displayed.
Previously, the Directory Server (DS) was not properly freeing the memory used by old connections. Consequently, when opening and closing hundreds of connections per minute for a long period of time, a memory leak occurred. With this update, DS has been modified to release the memory used by old connections as expected. As a result, the memory leak no longer occurs in the aforementioned scenario.
Due to the USN (Update Sequence Number) configuration, the initial value of the lastusn variable in the rootdse directory was displayed as "18446744073709551615" instead of the expected "-1". This update adds a special treatment for the initial lastusn. As a result, this value is set to "-1" as expected. If a negative value is found in the USN index file, it is reset to the initial value.
With this update, several minor coding errors have been corrected to prevent possible memory leaks and stability issues.
If logging functionality was not set to "critical", the mount point for the logs directory was incorrectly skipped during the disk space check. The processing of configuration settings has been fixed and the log directory is no longer skipped.
Previously, memory leaks occurred when using the set_krb5_creds() function for the replication transport or bind. The underlying source code has been modified and the memory leaks no longer occur.
When multiple clients were connected to the Directory Server (DS), each of them adding and deleting users, a server deadlock could have occurred. With this update, a patch has been introduced to prevent the deadlock.
When a server-side sorting request was evaluated, the "sort type" parameter was registered only from the first attribute in the request, and the following attributes were ignored even if they had different "sort type" values. Consequently, the sorting operation was performed incorrectly. With this update, Directory Server has been modified so that the server-side sorting resets "sort type" for each sort attribute in the request. As a result, the sorting is now handled correctly.
Due to a schema error, the Directory Server (DS) failed to start after the system upgrade. This bug has been fixed, and DS now works correctly in the described case.
If a replication was configured before initializing the sub backend, the temporary sub suffix was not updated with the real sub suffix entry. Consequently, the server search failed to return entries under the sub suffix. With this update, when a real sub suffix is added, the temporary entry ID in the entryrdn index is replaced with the real entry ID. As a result, search successfully returns sub suffix entries.
With certain specific values of the nsDS5ReplicaName variable, the replication could have become corrupted. With this update, all replica names are handled correctly.
In certain cases, the Directory Server became unresponsive when processing multiple outgoing and incoming operations using the TLS or SSL protocol. The underlying source code has been modified and the server no longer hangs in this scenario.
Previously, if the Directory Server (DS) worked with replicas that did not support the CLEANALLRUV task, running this task made DS unresponsive. With this update, DS has been modified to skip replicas that do not support CLEANALLRUV, thus fixing this bug.
Previously, when checking whether an Active Directory (AD) entry was subject to synchronization, only the direct children of the target were checked. Consequently, AD entries at a deeper level were not synchronized to the Directory Server. This bug has been fixed, and child entries of the target are now synchronized at all levels.
Users of 389-ds-base are advised to upgrade to these updated packages, which fix these bugs.