- Due to an incorrect interpretation of the error code, the Directory Server treated an invalid chaining configuration setting as a disk full error and terminated unexpectedly. Now, a more appropriate error code is used and the server no longer shuts down when invalid chaining configuration settings are specified.
- After the upgrade from Red Hat Enterprise Linux 6.3 to version 6.4, the upgrade script did not update the schema file for the PamConfig object class. Consequently, new features for PAM (Pluggable Authentication Module), such as configuration of multiple instances and pamFilter attribute, could not be used because of the schema violation. With this update, the upgrade script updates the schema file for the PamConfig object class as expected. As a result, the new features now function properly.
- Previously, the valgrind test suite reported recurring memory leaks in the modify_update_last_modified_attr() function. The size of these leaks averaged between 60-80 bytes per modify call, which could cause problems in environments with frequent modify operations. With this update, memory leaks no longer occur in the
- Under certain circumstances, the Directory Server (DS) was not able to replace multi-valued attributes for new values that differed from the old ones only in the letter case. Consequently, a code 20 error message was displayed: "Type or value exists". With this update, DS has been modified to correctly process modification requests, and the letter case of attribute values can now be changed without complications.
- Under certain circumstances, the DNA (Distributed Numeric Assignment) plug-in logged messages with the DB_LOCK_DEADLOCK error code when attempting to create an entry with a uidNumber attribute. This bug has been fixed: DNA now handles this case properly, and errors are no longer logged in the aforementioned scenario.
- The Posix Winsync plug-in was unnecessarily calling the internal modify() function. This internal modify() call failed and logged the following message: "slapi_modify_internal_set_pb: NULL parameter". With this update, Posix Winsync has been fixed and no longer calls modify(). As a result, the aforementioned message is no longer logged.
- Under certain circumstances, the /etc/dirsrv/slapd-dstet-mkubik/dse.ldif file was written with 0 bytes after a server termination or when the system was powered off. Consequently, after the system restart, the DS or IdM system sometimes did not start, leading to production server outages. The server mechanism by which dse.ldif is written has been modified, and server outages no longer occur in the described case.
- Prior to this update, while trying to remove a tombstone entry, the ns-slapd daemon terminated unexpectedly with a segmentation fault. This bug has been fixed and removal of tombstone entries no longer causes
- Previously, the schema-reload plug-in was not thread-safe. Consequently, executing the schema-reload.pl script under a heavy load could have caused the ns-slapd process to terminate unexpectedly with a segmentation fault. With this update, schema-reload has been modified to be thread-safe, and schema-reload.pl can now be executed along with other LDAP operations without complications.
- Due to an incorrect lock timing in the DNA (Distributed Numeric Assignment) plug-in, a deadlock occurred when a DNA operation was executed along with other plug-ins. This update moves the release timing of the problematic lock, and DNA no longer causes the deadlock in the aforementioned scenario.
- Under certain circumstances, an out-of-scope local variable caused the modrdn operation to terminate unexpectedly with a segmentation fault. This update modifies the declaration of the local variable so that it does not go out of scope. As a result, modrdn operations no longer crash.
- Previously, the cleanallruv task with the replica-force-cleaning option enabled did not remove all configuration attributes. Consequently, the task was initiated each time the server was restarted. With this update, the cleanallruv search mechanism has been modified, and cleanallruv no longer restarts when the server is restarted.
- Due to a bug in the Acl plug-in, when using the getEffectiveRights request on a non-existing entry, a NULL pointer dereference could have occurred. Consequently, the server terminated unexpectedly with a segmentation fault. With this update, Acl has been modified to check for NULL entry pointers. As a result, the server no longer crashes and an appropriate error message is now displayed when using the getEffectiveRights request on a non-existing entry.
- Due to an insufficient size of the default sasl_io buffer, SASL connections could have been refused by the server. With this update, the buffer size has been increased to 65,536 bytes. Moreover, users can increase this value with the nsslapd-sasl-max-buffer-size setting. As a result, SASL connections are now accepted without complications.
- Previously, the code responsible for replication conflict resolution in the 389-ds-base package did not work correctly in several cases, such as conflict DN generation, retrieving deleted parent entry, and examining the scope of a deleted entry. Consequently, an intermediate node entry with positive child count but without children could have been created. The server then refused to remove such an entry. This update fixes the replication conflict resolution code, thus preventing the incorrect node entry creation.
- Previously, if a group on the Active Directory contained a member that was in a container of not-synchronized type, synchronizing the group with the LDAP server was unsuccessful. Consequently, the valid members were not synchronized. With this update, the entries in such containers are omitted and the synchronization is now successful in the described case.
- Prior to this update, certain schema definitions in the 389-ds-base package did not comply with the LDAP RFC 2252 standard. Consequently, problems with LDAP clients could have occurred. With this update, these schema definitions have been corrected to be compliant with LDAP RFC 2252.
- Under a very high load of hundreds of simultaneous connections and operations, the Directory Server could have encountered a race condition in the connection handling code. Consequently, the server terminated unexpectedly with a segmentation fault. With this update, code that updates the connection objects has been moved into the connection mutex object. As a result, Directory Server does not crash under high loads.
- Prior to this update, the Simple Paged Results control did not support an asynchronous search. Consequently, if the Directory Server received a large number of asynchronous search requests, some of the requests terminated with error 53: "LDAP_UNWILLING_TO_PERFORM". With this update, asynchronous search support has been implemented into Simple Paged Results. As a result, Directory Server safely handles intensive asynchronous search requests.
- Previously, when loading an entry from a database, the str2entry_dupcheck() function was called instead of the more appropriate str2entry_fast() function. This behavior has been changed and str2entry_fast() is now called in the described scenario.
- The upgrade of Red Hat Enterprise Linux Identity Management server changed the value of the nsslapd-port variable to "0" for security reasons. The nsslapd-port is also used to construct the RUV (Replica Update Vector) used by replication. Previously, if the replication startup code found a zero nsslapd-port, it removed the RUV. Consequently, replication became unresponsive. With this update, RUV is no longer removed in the aforementioned scenario, thus preventing the replication hang.
- Previously, an empty control list was not handled properly by the Directory Server. Consequently, an LDAP protocol error was returned. With this update, Directory Server has been modified to handle sequences of zero length correctly, thus preventing the error.
- When there was a request for a new LDAP connection at the same time as a request for a new LDAPS or LDAPI connection, the Directory Server processed only the LDAP request. With this update, Directory Server has been modified to process all listener requests at the same time.
- Prior to this update, an incorrect error code (err=0) was returned when creating an invalid external SASL bind. With this update, a proper error code (err=48) is returned in the aforementioned scenario.
- When the Directory Server (DS) encountered an error while it processed a startTLS request, the server attempted to write a response back to the client. Consequently, DS became unresponsive. With this update, DS has been modified to correctly process startTLS requests even in case of network errors. As a result, DS no longer hangs in the aforementioned scenario.
- Previously, the size of the backlog parameter of the listen() function was set to "128". Consequently, if the server processed a large number of simultaneous connection requests, the server could have dropped connection requests because the backlog size was exceeded. With this update, a nsslapd-listen-backlog-size attribute has been added to allow the backlog size to be changed.
- Previously, the disk monitoring feature of the Directory Server did not function properly. If logging functionality was set to "critical" and logging was disabled, the rotated logs were deleted. If the attribute nsslapd-errorlog-level was explicitly set to any value, even zero, the disk monitoring feature did not stop the Directory Server as expected. This update corrects the settings of the disk monitoring feature and the server shuts down when the critical threshold is reached.
- Prior to this update, the connections attribute that stores the number of currently connected clients was incorrectly incremented twice, both by the connection_reset() function. Consequently, the attribute contained incorrect values. This bug has been fixed and connections now stores the correct number of connected clients.
- When the Directory Server (DS) used both the replication and the DNA plug-in, and the client sent a sequence of ADD or DELETE requests for the same entry, DS returned the following message: "modify_switch_entries failed". This bug has been fixed, and the aforementioned message is no longer returned.
- The internal password attribute is not preserved after the Directory Server (DS) restart. Previously, an attempt to delete the password after restarting DS caused DS to terminate unexpectedly. With this update, DS has been modified to check if the password attribute exists and, if not, to skip the deletion. As a result, DS no longer crashes in the described case.
- Prior to this update, when using the account policy plug-in to configure policies for individual users based on the createTimestamp attribute, the createTimestamp was overwritten after the consequent binding. Consequently, account policy failed to lock the user. With this update, createTimestamp is no longer modified after successful binding and account policy now locks users as expected.
- Under certain circumstances, an inconsistent behavior of the modrdn operation when processing a tombstone entry caused the Directory Server (DS) to terminate unexpectedly. With this update, DS has been modified to correctly process tombstones with modrdn, thus preventing the crash.
- Prior to this update, when an attribute was configured to be encrypted, the on-line import failed to encrypt this attribute on a server. This update allows encryption on the consumer side, during an on-line import, thus fixing this bug.
- Previously, after removing the createTimestamp attribute from the account policy, this attribute was still applied by the Directory Server (DS). This bug has been fixed, and createTimestamp can now be effectively removed from the DS account policy.
- BZ#975250, BZ#979169
- Previously, with a mix of concurrent search, update, and replication operations a deadlock could have occurred between the changelog readers, writers, and main database writers. Consequently, the update operations failed. With this update, a new nsslapd-db-deadlock-policy configuration parameter has been introduced. The default value of this parameter is set to 9, which terminates the last locker in case of a deadlock. After changing this value to 6, the locker with the fewest write locks is terminated, which is advised for users who encounter frequent deadlocks.
- Prior to this update, if certain requested attributes were skipped during a search, the returned attribute names and values were sometimes transformed to upper case. This update removes attributes that are not authorized from the requested attributes set, so that the names of returned attributes or values are preserved in the correct form.
- Previously, after modifying a single-valued attribute in a multi-master replication environment, this change was not replicated to other servers. With this update, code that handles replication updates has been changed. As a result, the modify operations on single-valued attributes are replicated correctly.
- Previously, setting the "nsslapd-disk-monitoring-threshold" attribute with the ldapmodify utility to a large value worked as expected; however, due to a bug in the ldapsearch utility, the threshold value was displayed as a negative number. This update corrects the bug in ldapsearch and correct threshold values are now displayed.
- Previously, the Directory Server (DS) was not properly freeing the memory used by old connections. Consequently, when opening and closing hundreds of connections per minute for a long period of time, a memory leak occurred. With this update, DS has been modified to release the memory used by old connections as expected. As a result, the memory leak no longer occurs in the aforementioned scenario.
- Due to the USN (Update Sequence Number) configuration, the initial value of the lastusn variable in the rootdse directory was displayed as "18446744073709551615" instead of the expected "-1". This update adds a special treatment for the initial lastusn. As a result, this value is set to "-1" as expected. If a negative value is found in the USN index file, it is reset to the initial value.
- With this update, several minor coding errors have been corrected to prevent possible memory leaks and stability issues.
- If logging functionality was not set to "critical", the mount point for the logs directory was incorrectly skipped during the disk space check. The processing of configuration settings has been fixed and the log directory is no longer skipped.
- Previously, memory leaks occurred when using the set_krb5_creds() function for the replication transport or bind. The underlying source code has been modified and the memory leaks no longer occur.
- When multiple clients were connected to the Directory Server (DS), each of them adding and deleting users, a server deadlock could have occurred. With this update, a patch has been introduced to prevent the deadlock.
- When a server-side sorting request was evaluated, the "sort type" parameter was registered only from the first attribute in the request and the following attributes were ignored even if having different "sort type" values. Consequently, the sorting operation was performed incorrectly. With this update, Directory Server has been modified so that the server-side sorting resets "sort type" for each sort attribute in the request. As a result, the sorting is now handled correctly.
- Due to a schema error, the Directory Server (DS) failed to start after the system upgrade. This bug has been fixed, and DS now works correctly in the described case.
- If a replication was configured before initializing the sub backend, the temporary sub suffix was not updated with the real sub suffix entry. Consequently, the server search failed to return entries under the sub suffix. With this update, when a real sub suffix is added, the temporary entry ID in the entryrdn index is replaced with the real entry ID. As a result, search successfully returns sub suffix entries.
- With certain specific values of the nsDS5ReplicaName variable, the replication could have become corrupted. With this update, all replica names are handled correctly.
- In certain cases, the Directory Server became unresponsive when processing multiple outgoing and incoming operations using the TLS or SSL protocol. The underlying source code has been modified and the server no longer hangs in this scenario.
- Previously, if the Directory Server (DS) worked with replicas that did not support the CLEANALLRUV task, running this task made DS unresponsive. With this update, DS has been modified to skip replicas that do not support CLEANALLRUV, thus fixing this bug.
- Previously, when checking whether an Active Directory (AD) entry was subject to synchronization, just the direct child of the target was checked. Consequently, AD entries which were in a deeper level were not synchronized to the Directory Server. This bug has been fixed, and child directories of the target are now synchronized at all levels.
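
Several of the fixes above can be checked on a host by reading dse.ldif offline: the 0-byte dse.ldif case, and the nsslapd-listen-backlog-size, nsslapd-sasl-max-buffer-size and nsslapd-db-deadlock-policy settings. The script below is an added example, not part of the original release notes or of 389-ds-base; the function names dse_get and dse_check are hypothetical, the sample file is constructed, and the fallback values 128, 65536 and 9 are the ones these notes state, assumed to apply when an attribute is absent.

```shell
#!/bin/sh
# Added example: offline check of a Directory Server dse.ldif.

# Print the value of attribute $2 in LDIF file $1, or default $3 if unset.
# Attribute names are matched case-insensitively; only the first hit is used.
dse_get() {
    val=$(awk -v a="$2" 'BEGIN { a = tolower(a) ":" }
        { n = index($0, ":") }
        n > 0 && tolower(substr($0, 1, n)) == a {
            v = substr($0, n + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
            print v; exit
        }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Return 2 for a missing or 0-byte file, 1 for a warning, 0 otherwise.
dse_check() {
    f=$1
    if [ ! -s "$f" ]; then
        echo "FAIL: $f is missing or 0 bytes (truncated on power loss?)"
        return 2
    fi
    # Defaults below are the values the release notes state (assumed to
    # apply when the attribute is absent from the file).
    backlog=$(dse_get "$f" nsslapd-listen-backlog-size 128)
    sasl=$(dse_get "$f" nsslapd-sasl-max-buffer-size 65536)
    policy=$(dse_get "$f" nsslapd-db-deadlock-policy 9)
    echo "listen backlog=$backlog sasl buffer=$sasl deadlock policy=$policy"
    rc=0
    if ! [ "$sasl" -ge 65536 ] 2>/dev/null; then
        echo "WARN: SASL buffer below 65536; SASL connections may be refused"
        rc=1
    fi
    return $rc
}

# Constructed sample input, not taken from a real server.
tmp=$(mktemp -d)
cat > "$tmp/dse.ldif" <<'EOF'
dn: cn=config
nsslapd-listen-backlog-size: 512
nsslapd-sasl-max-buffer-size: 32768

dn: cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-db-deadlock-policy: 6
EOF
: > "$tmp/empty.ldif"
dse_check "$tmp/dse.ldif" || echo "status $?"
dse_check "$tmp/empty.ldif" || echo "status $?"
```

Point dse_check at a copy of the instance's dse.ldif rather than the live file; base64-encoded values (attr:: ...) are not decoded.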