diff -Nru openldap-2.5.13+dfsg/build/version.var openldap-2.5.14+dfsg/build/version.var
--- openldap-2.5.13+dfsg/build/version.var 2022-07-14 17:09:57.000000000 +0000
+++ openldap-2.5.14+dfsg/build/version.var 2023-02-08 18:49:18.000000000 +0000
@@ -15,9 +15,9 @@
 ol_package=OpenLDAP
 ol_major=2
 ol_minor=5
-ol_patch=13
-ol_api_inc=20513
+ol_patch=14
+ol_api_inc=20514
 ol_api_current=1
-ol_api_revision=8
+ol_api_revision=9
 ol_api_age=1
-ol_release_date="2022/07/14"
+ol_release_date="2023/02/08"
diff -Nru openldap-2.5.13+dfsg/CHANGES openldap-2.5.14+dfsg/CHANGES
--- openldap-2.5.13+dfsg/CHANGES 2022-07-14 17:09:57.000000000 +0000
+++ openldap-2.5.14+dfsg/CHANGES 2023-02-08 18:49:18.000000000 +0000
@@ -1,5 +1,50 @@ OpenLDAP 2.5 Change Log +OpenLDAP 2.5.14 Release (2023/02/08) + Fixed client tools to remove 'h' and 'p' options (ITS#9917,ITS#8618) + Fixed ldapsearch memory leak with paged results (ITS#9860) + Fixed libldap ldif_open_urlto check for failure (ITS#9904) + Fixed libldap ldap_url_parsehosts check for failure (ITS#9904) + Fixed liblunicode UTF8bvnormalize buffer size (ITS#9955) + Fixed lloadd race in epoch.c (ITS#9947) + Fixed lloadd to keep listener base around when not active (ITS#9984) + Fixed lloadd object reclamation sequencing (ITS#9983) + Fixed slapd memory leak with olcAuthIDRewrite (ITS#6035) + Fixed slapd transactions extended operations cleanup after write (ITS#9892) + Fixed slapd deadlock with replicated cn=config (ITS#9930,ITS#8102) + Fixed slapd connection close logic (ITS#9991) + Fixed slapd bconfig locking of cn=config entries (ITS#9045) + Fixed slapd-mdb max number of index databases to 256 (ITS#9895) + Fixed slapd-mdb to always release entries from ADD operations (ITS#9942) + Fixed slapd-mdb to fully init empty DN in tool_entry_get (ITS#9940) + Fixed slapd-monitor to free remembered cookies (ITS#9339) + Fixed slapo-accesslog reqStart ordering matching rule (ITS#9880) + Fixed slapo-deref memory leak (ITS#9924) + Fixed slapo-dynlist to ignore irrelevant objectClasses (ITS#9897) + Fixed slapo-dynlist to avoid unnecessary searches (ITS#9929) + Fixed slapo-dynlist to mark internal searches as such (ITS#9960) + Fixed slapo-pcache crash in consistency_check (ITS#9966) + Fixed slapo-remoteauth memory leaks (ITS#9438) + Build Environment + Fixed ancient DOS related ifdef checks (ITS#9925) + Fixed build process to not use gmake specific features (ITS#9894) + Fixed source tree to remove symlinks (ITS#9926) + Fixed slapo-otp testdir creation (ITS#9437) + Fixed slapd-tester memory leak (ITS#9908) + Fixed usage of non-standard C syntax (ITS#9898, ITS#9899, ITS#9901) + Fixed usage of bashism (ITS#9900) + Fixed test suite portability (ITS#9931) + 
Documentation + Fixed ldap_bind(3) to document ber_bvfree in ldap_sasl_bind (ITS#9976) + Fixed slapo-asyncmeta(5) to clarify scheduling for target connections (ITS#9941) + Fixed slapo-dynlist(5) to clarify configuration settings (ITS#9957) + Fixed slapo-unique(5) to clarify when quoting should be used (ITS#9915) + Minor cleanup + ITS#9935 + ITS#9336 + ITS#9337 + ITS#9985 + OpenLDAP 2.5.13 Release (2022/07/14) Fixed librewrite declaration of calloc (ITS#9841) Fixed libldap memory leaks (ITS#9876) diff -Nru openldap-2.5.13+dfsg/clients/tools/ldapcompare.c openldap-2.5.14+dfsg/clients/tools/ldapcompare.c --- openldap-2.5.13+dfsg/clients/tools/ldapcompare.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/clients/tools/ldapcompare.c 2023-02-08 18:49:18.000000000 +0000 @@ -104,7 +104,7 @@ const char options[] = "z" - "Cd:D:e:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z"; + "Cd:D:e:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:Z"; #ifdef LDAP_CONTROL_DONTUSECOPY int dontUseCopy = 0; diff -Nru openldap-2.5.13+dfsg/clients/tools/ldapdelete.c openldap-2.5.14+dfsg/clients/tools/ldapdelete.c --- openldap-2.5.13+dfsg/clients/tools/ldapdelete.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/clients/tools/ldapdelete.c 2023-02-08 18:49:18.000000000 +0000 @@ -82,7 +82,7 @@ const char options[] = "r" - "cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:z:Z"; + "cd:D:e:f:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:z:Z"; int handle_private_option( int i ) diff -Nru openldap-2.5.13+dfsg/clients/tools/ldapexop.c openldap-2.5.14+dfsg/clients/tools/ldapexop.c --- openldap-2.5.13+dfsg/clients/tools/ldapexop.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/clients/tools/ldapexop.c 2023-02-08 18:49:18.000000000 +0000 
@@ -52,7 +52,7 @@ const char options[] = "" - "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z"; + "d:D:e:H:InNO:o:QR:U:vVw:WxX:y:Y:Z"; int handle_private_option( int i ) diff -Nru openldap-2.5.13+dfsg/clients/tools/ldapmodify.c openldap-2.5.14+dfsg/clients/tools/ldapmodify.c --- openldap-2.5.13+dfsg/clients/tools/ldapmodify.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/clients/tools/ldapmodify.c 2023-02-08 18:49:18.000000000 +0000 @@ -125,7 +125,7 @@ const char options[] = "aE:rS:" - "cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z"; + "cd:D:e:f:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:Z"; int handle_private_option( int i ) diff -Nru openldap-2.5.13+dfsg/clients/tools/ldapmodrdn.c openldap-2.5.14+dfsg/clients/tools/ldapmodrdn.c --- openldap-2.5.13+dfsg/clients/tools/ldapmodrdn.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/clients/tools/ldapmodrdn.c 2023-02-08 18:49:18.000000000 +0000 @@ -95,7 +95,7 @@ const char options[] = "rs:" - "cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z"; + "cd:D:e:f:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:Z"; int handle_private_option( int i ) diff -Nru openldap-2.5.13+dfsg/clients/tools/ldappasswd.c openldap-2.5.14+dfsg/clients/tools/ldappasswd.c --- openldap-2.5.13+dfsg/clients/tools/ldappasswd.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/clients/tools/ldappasswd.c 2023-02-08 18:49:18.000000000 +0000 @@ -81,7 +81,7 @@ const char options[] = "a:As:St:T:" - "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z"; + "d:D:e:H:InNO:o:QR:U:vVw:WxX:y:Y:Z"; int handle_private_option( int i ) diff -Nru openldap-2.5.13+dfsg/clients/tools/ldapsearch.c openldap-2.5.14+dfsg/clients/tools/ldapsearch.c --- openldap-2.5.13+dfsg/clients/tools/ldapsearch.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/clients/tools/ldapsearch.c 2023-02-08 18:49:18.000000000 +0000 
@@ -363,7 +363,7 @@ } const char options[] = "a:Ab:cE:F:l:Ls:S:tT:uz:" - "Cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z"; + "Cd:D:e:f:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:Z"; int handle_private_option( int i ) @@ -998,10 +998,7 @@ FILE *fp = NULL; int rc, rc1, i, first; LDAP *ld = NULL; - BerElement *seber = NULL, *vrber = NULL; - - BerElement *syncber = NULL; - struct berval *syncbvalp = NULL; + BerElement *ber = NULL; int err; tool_init( TOOL_SEARCH ); @@ -1200,20 +1197,21 @@ tool_exit( ld, EXIT_FAILURE ); } - if (( seber = ber_alloc_t(LBER_USE_DER)) == NULL ) { + if (( ber = ber_alloc_t(LBER_USE_DER)) == NULL ) { tool_exit( ld, EXIT_FAILURE ); } - err = ber_printf( seber, "b", abs(subentries) == 1 ? 0 : 1 ); + err = ber_printf( ber, "b", abs(subentries) == 1 ? 0 : 1 ); if ( err == -1 ) { - ber_free( seber, 1 ); + ber_free( ber, 1 ); fprintf( stderr, _("Subentries control encoding error!\n") ); tool_exit( ld, EXIT_FAILURE ); } - if ( ber_flatten2( seber, &c[i].ldctl_value, 0 ) == -1 ) { + err = ber_flatten2( ber, &c[i].ldctl_value, 1 ); + ber_free( ber, 1 ); + if ( err == -1 ) tool_exit( ld, EXIT_FAILURE ); - } c[i].ldctl_oid = LDAP_CONTROL_SUBENTRIES; c[i].ldctl_iscritical = subentries < 1; 
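Review bot: In the @@ -1200,20 +1197,21 hunk a failed `ber_flatten2()` now ends the tool through the unbraced `if ( err == -1 ) tool_exit( ld, EXIT_FAILURE );` with nothing written to stderr, while the `ber_printf()` failure just above it prints "Subentries control encoding error!". Reporting the failure before exiting, and keeping the braces the removed lines had, would make the two error paths consistent: `if ( err == -1 ) { fprintf( stderr, _("Subentries control encoding error!\n") ); tool_exit( ld, EXIT_FAILURE ); }`. The same silent, unbraced exit is repeated in the sync (@@ -1225,29) and ValuesReturnFilter (@@ -1257,19) hunks, each of which already has its own message to reuse. The enclosing function starts and ends outside these hunks.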
@@ -1225,29 +1223,29 @@ tool_exit( ld, EXIT_FAILURE ); } - if (( syncber = ber_alloc_t(LBER_USE_DER)) == NULL ) { + if (( ber = ber_alloc_t(LBER_USE_DER)) == NULL ) { tool_exit( ld, EXIT_FAILURE ); } if ( sync_cookie.bv_len == 0 ) { - err = ber_printf( syncber, "{e}", abs(ldapsync) ); + err = ber_printf( ber, "{e}", abs(ldapsync) ); } else { - err = ber_printf( syncber, "{eO}", abs(ldapsync), + err = ber_printf( ber, "{eO}", abs(ldapsync), &sync_cookie ); } if ( err == -1 ) { - ber_free( syncber, 1 ); + ber_free( ber, 1 ); fprintf( stderr, _("ldap sync control encoding error!\n") ); tool_exit( ld, EXIT_FAILURE ); } - if ( ber_flatten( syncber, &syncbvalp ) == -1 ) { + err = ber_flatten2( ber, &c[i].ldctl_value, 1 ); + ber_free( ber, 1 ); + if ( err == -1 ) tool_exit( ld, EXIT_FAILURE ); - } c[i].ldctl_oid = LDAP_CONTROL_SYNC; - c[i].ldctl_value = (*syncbvalp); c[i].ldctl_iscritical = ldapsync < 0; i++; } @@ -1257,19 +1255,20 @@ tool_exit( ld, EXIT_FAILURE ); } - if (( vrber = ber_alloc_t(LBER_USE_DER)) == NULL ) { + if (( ber = ber_alloc_t(LBER_USE_DER)) == NULL ) { tool_exit( ld, EXIT_FAILURE ); } - if ( ( err = ldap_put_vrFilter( vrber, vrFilter ) ) == -1 ) { - ber_free( vrber, 1 ); + if ( ( err = ldap_put_vrFilter( ber, vrFilter ) ) == -1 ) { + ber_free( ber, 1 ); fprintf( stderr, _("Bad ValuesReturnFilter: %s\n"), vrFilter ); tool_exit( ld, EXIT_FAILURE ); } - if ( ber_flatten2( vrber, &c[i].ldctl_value, 0 ) == -1 ) { + err = ber_flatten2( ber, &c[i].ldctl_value, 1 ); + ber_free( ber, 1 ); + if ( err == -1 ) tool_exit( ld, EXIT_FAILURE ); - } c[i].ldctl_oid = LDAP_CONTROL_VALUESRETURNFILTER; c[i].ldctl_iscritical = valuesReturnFilter > 1; 
@@ -1439,8 +1438,11 @@ tool_server_controls( ld, c, i ); - if ( seber ) ber_free( seber, 1 ); - if ( vrber ) ber_free( vrber, 1 ); + /* free any controls we added */ + for ( ; nctrls-- > save_nctrls; ) { + if ( c[nctrls].ldctl_value.bv_val != derefval.bv_val ) + ber_memfree( c[nctrls].ldctl_value.bv_val ); + } /* step back to the original number of controls, so that * those set while parsing args are preserved */ diff -Nru openldap-2.5.13+dfsg/clients/tools/ldapvc.c openldap-2.5.14+dfsg/clients/tools/ldapvc.c --- openldap-2.5.13+dfsg/clients/tools/ldapvc.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/clients/tools/ldapvc.c 2023-02-08 18:49:18.000000000 +0000 @@ -86,7 +86,7 @@ const char options[] = "abE:" - "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z"; + "d:D:e:H:InNO:o:QR:U:vVw:WxX:y:Y:Z"; int handle_private_option( int i ) diff -Nru openldap-2.5.13+dfsg/clients/tools/ldapwhoami.c openldap-2.5.14+dfsg/clients/tools/ldapwhoami.c --- openldap-2.5.13+dfsg/clients/tools/ldapwhoami.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/clients/tools/ldapwhoami.c 2023-02-08 18:49:18.000000000 +0000 @@ -62,7 +62,7 @@ const char options[] = "" - "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z"; + "d:D:e:H:InNO:o:QR:U:vVw:WxX:y:Y:Z"; int handle_private_option( int i ) diff -Nru openldap-2.5.13+dfsg/configure openldap-2.5.14+dfsg/configure --- openldap-2.5.13+dfsg/configure 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/configure 2023-02-08 18:49:18.000000000 +0000 @@ -1,5 +1,5 @@ #! /bin/sh -# From configure.ac Id: 15bca89511fc428731cf9ab71a9b46e37511be67 . +# From configure.ac Id: 3943f6265060065483db582e5c7bef14fe934d80 . # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.69. # @@ -636,7 +636,6 @@ #endif" ac_subst_vars='LTLIBOBJS -BALANCER_INCLUDE SLAPD_SQL_INCLUDES SLAPD_SQL_LIBS SLAPD_SQL_LDFLAGS 
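Review bot: The cleanup loop added in the @@ -1439,8 +1438,11 hunk calls `ber_memfree()` on every `c[nctrls].ldctl_value.bv_val` above `save_nctrls` except the one that is pointer-equal to `derefval.bv_val`, so it is only correct if every other control appended in that range owns a liblber-allocated value; nothing in the hunk states that rule. If that is the intended invariant, the comment should say so, for example `/* free any controls we added: their values come from ber_flatten2(..., 1); the deref control aliases derefval and is freed elsewhere */`. The post-decrement in `nctrls-- > save_nctrls` also leaves `nctrls` one below `save_nctrls` when the loop ends, so the code depends on the reset described by the comment that follows, which lies outside the hunk. Setting `c[nctrls].ldctl_value.bv_val = NULL;` after the free would keep stale pointers out of `c[]` should a slot be read again before it is overwritten.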
@@ -717,6 +716,7 @@ SLAPD_SLAPI_DEPEND BUILD_SLAPI BUILD_SLAPD +DO_VERSIONED_SYMBOLS OL_VERSIONED_SYMBOLS BUILD_LIBS_DYNAMIC BUILD_THREAD @@ -4701,7 +4701,6 @@ SLAPD_LIBS= BALANCER_LIBS= -BALANCER_INCLUDE= BUILD_SLAPD=no BUILD_BALANCER=no @@ -22854,7 +22853,7 @@ WITH_SYSTEMD=no systemdsystemunitdir= ol_link_systemd=no -if test $ol_enable_slapd == no && test $ol_enable_balancer != yes ; then +if test $ol_enable_slapd = no && test $ol_enable_balancer != yes ; then if test $ol_with_systemd != no ; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: servers disabled, ignoring --with-systemd=$ol_with_systemd argument" >&5 $as_echo "$as_me: WARNING: servers disabled, ignoring --with-systemd=$ol_with_systemd argument" >&2;} @@ -25799,11 +25798,11 @@ -a "$ol_with_threads" != no \ -a "$have_libevent" = yes ; then if test "$ol_enable_balancer" = mod; then - BALANCER_INCLUDE=Makefile.module BUILD_BALANCER=mod + BALANCER_MAKE="servers/lloadd/Makefile_module.in:build/mod.mk" else - BALANCER_INCLUDE=Makefile.server BUILD_BALANCER=yes + BALANCER_MAKE="servers/lloadd/Makefile_server.in:build/srv.mk" fi fi @@ -25816,6 +25815,7 @@ fi OL_VERSIONED_SYMBOLS="" +DO_VERSIONED_SYMBOLS="# " if test $ol_enable_versioning != no; then LDVS=`$LD --help < /dev/null 2>/dev/null | grep gnu-version-script` if test -z "$LDVS"; then @@ -25830,6 +25830,9 @@ else OL_VERSIONED_SYMBOLS="-z gnu-version-script=" fi + if test -n "$OL_VERSIONED_SYMBOLS"; then + DO_VERSIONED_SYMBOLS="" + fi fi @@ -25945,7 +25948,6 @@ - # Check whether --with-xxinstall was given. if test "${with_xxinstall+set}" = set; then : withval=$with_xxinstall; 
@@ -25953,7 +25955,7 @@ -ac_config_files="$ac_config_files Makefile:build/top.mk:Makefile.in:build/dir.mk doc/Makefile:build/top.mk:doc/Makefile.in:build/dir.mk doc/man/Makefile:build/top.mk:doc/man/Makefile.in:build/dir.mk doc/man/man1/Makefile:build/top.mk:doc/man/man1/Makefile.in:build/man.mk doc/man/man3/Makefile:build/top.mk:doc/man/man3/Makefile.in:build/man.mk doc/man/man5/Makefile:build/top.mk:doc/man/man5/Makefile.in:build/man.mk doc/man/man8/Makefile:build/top.mk:doc/man/man8/Makefile.in:build/man.mk clients/Makefile:build/top.mk:clients/Makefile.in:build/dir.mk clients/tools/Makefile:build/top.mk:clients/tools/Makefile.in:build/rules.mk include/Makefile:build/top.mk:include/Makefile.in libraries/Makefile:build/top.mk:libraries/Makefile.in:build/dir.mk libraries/liblber/Makefile:build/top.mk:libraries/liblber/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/liblber/lber.pc libraries/liblber/liblber.vers libraries/libldap/Makefile:build/top.mk:libraries/libldap/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/libldap/ldap.pc libraries/libldap/libldap.vers libraries/liblunicode/Makefile:build/top.mk:libraries/liblunicode/Makefile.in:build/lib.mk:build/lib-static.mk libraries/liblutil/Makefile:build/top.mk:libraries/liblutil/Makefile.in:build/lib.mk:build/lib-static.mk libraries/librewrite/Makefile:build/top.mk:libraries/librewrite/Makefile.in:build/lib.mk:build/lib-static.mk servers/Makefile:build/top.mk:servers/Makefile.in:build/dir.mk servers/slapd/Makefile:build/top.mk:servers/slapd/Makefile.in:build/srv.mk servers/slapd/back-dnssrv/Makefile:build/top.mk:servers/slapd/back-dnssrv/Makefile.in:build/mod.mk servers/slapd/back-ldap/Makefile:build/top.mk:servers/slapd/back-ldap/Makefile.in:build/mod.mk servers/slapd/back-ldif/Makefile:build/top.mk:servers/slapd/back-ldif/Makefile.in:build/mod.mk servers/slapd/back-mdb/Makefile:build/top.mk:servers/slapd/back-mdb/Makefile.in:build/mod.mk 
servers/slapd/back-meta/Makefile:build/top.mk:servers/slapd/back-meta/Makefile.in:build/mod.mk servers/slapd/back-asyncmeta/Makefile:build/top.mk:servers/slapd/back-asyncmeta/Makefile.in:build/mod.mk servers/slapd/back-monitor/Makefile:build/top.mk:servers/slapd/back-monitor/Makefile.in:build/mod.mk servers/slapd/back-ndb/Makefile:build/top.mk:servers/slapd/back-ndb/Makefile.in:build/mod.mk servers/slapd/back-null/Makefile:build/top.mk:servers/slapd/back-null/Makefile.in:build/mod.mk servers/slapd/back-passwd/Makefile:build/top.mk:servers/slapd/back-passwd/Makefile.in:build/mod.mk servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk servers/slapd/back-relay/Makefile:build/top.mk:servers/slapd/back-relay/Makefile.in:build/mod.mk servers/slapd/back-sock/Makefile:build/top.mk:servers/slapd/back-sock/Makefile.in:build/mod.mk servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk servers/slapd/back-wt/Makefile:build/top.mk:servers/slapd/back-wt/Makefile.in:build/mod.mk servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk servers/slapd/pwmods/Makefile:build/top.mk:servers/slapd/pwmods/Makefile.in:build/lib.mk servers/lloadd/Makefile:build/top.mk:servers/lloadd/Makefile.in servers/lloadd/Makefile.server:servers/lloadd/Makefile_server.in:build/srv.mk servers/lloadd/Makefile.module:servers/lloadd/Makefile_module.in:build/mod.mk tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk tests/run tests/progs/Makefile:build/top.mk:tests/progs/Makefile.in:build/rules.mk" +ac_config_files="$ac_config_files Makefile:build/top.mk:Makefile.in:build/dir.mk doc/Makefile:build/top.mk:doc/Makefile.in:build/dir.mk doc/man/Makefile:build/top.mk:doc/man/Makefile.in:build/dir.mk doc/man/man1/Makefile:build/top.mk:doc/man/man1/Makefile.in:build/man.mk 
doc/man/man3/Makefile:build/top.mk:doc/man/man3/Makefile.in:build/man.mk doc/man/man5/Makefile:build/top.mk:doc/man/man5/Makefile.in:build/man.mk doc/man/man8/Makefile:build/top.mk:doc/man/man8/Makefile.in:build/man.mk clients/Makefile:build/top.mk:clients/Makefile.in:build/dir.mk clients/tools/Makefile:build/top.mk:clients/tools/Makefile.in:build/rules.mk include/Makefile:build/top.mk:include/Makefile.in libraries/Makefile:build/top.mk:libraries/Makefile.in:build/dir.mk libraries/liblber/Makefile:build/top.mk:libraries/liblber/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/liblber/lber.pc libraries/liblber/liblber.vers libraries/libldap/Makefile:build/top.mk:libraries/libldap/Makefile.in:build/lib.mk:build/lib-shared.mk libraries/libldap/ldap.pc libraries/libldap/libldap.vers libraries/liblunicode/Makefile:build/top.mk:libraries/liblunicode/Makefile.in:build/lib.mk:build/lib-static.mk libraries/liblutil/Makefile:build/top.mk:libraries/liblutil/Makefile.in:build/lib.mk:build/lib-static.mk libraries/librewrite/Makefile:build/top.mk:libraries/librewrite/Makefile.in:build/lib.mk:build/lib-static.mk servers/Makefile:build/top.mk:servers/Makefile.in:build/dir.mk servers/slapd/Makefile:build/top.mk:servers/slapd/Makefile.in:build/srv.mk servers/slapd/back-dnssrv/Makefile:build/top.mk:servers/slapd/back-dnssrv/Makefile.in:build/mod.mk servers/slapd/back-ldap/Makefile:build/top.mk:servers/slapd/back-ldap/Makefile.in:build/mod.mk servers/slapd/back-ldif/Makefile:build/top.mk:servers/slapd/back-ldif/Makefile.in:build/mod.mk servers/slapd/back-mdb/Makefile:build/top.mk:servers/slapd/back-mdb/Makefile.in:build/mod.mk servers/slapd/back-meta/Makefile:build/top.mk:servers/slapd/back-meta/Makefile.in:build/mod.mk servers/slapd/back-asyncmeta/Makefile:build/top.mk:servers/slapd/back-asyncmeta/Makefile.in:build/mod.mk servers/slapd/back-monitor/Makefile:build/top.mk:servers/slapd/back-monitor/Makefile.in:build/mod.mk 
servers/slapd/back-ndb/Makefile:build/top.mk:servers/slapd/back-ndb/Makefile.in:build/mod.mk servers/slapd/back-null/Makefile:build/top.mk:servers/slapd/back-null/Makefile.in:build/mod.mk servers/slapd/back-passwd/Makefile:build/top.mk:servers/slapd/back-passwd/Makefile.in:build/mod.mk servers/slapd/back-perl/Makefile:build/top.mk:servers/slapd/back-perl/Makefile.in:build/mod.mk servers/slapd/back-relay/Makefile:build/top.mk:servers/slapd/back-relay/Makefile.in:build/mod.mk servers/slapd/back-sock/Makefile:build/top.mk:servers/slapd/back-sock/Makefile.in:build/mod.mk servers/slapd/back-sql/Makefile:build/top.mk:servers/slapd/back-sql/Makefile.in:build/mod.mk servers/slapd/back-wt/Makefile:build/top.mk:servers/slapd/back-wt/Makefile.in:build/mod.mk servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk servers/slapd/pwmods/Makefile:build/top.mk:servers/slapd/pwmods/Makefile.in:build/lib.mk servers/lloadd/Makefile:build/top.mk:servers/lloadd/Makefile.in:$BALANCER_MAKE tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk tests/run tests/progs/Makefile:build/top.mk:tests/progs/Makefile.in:build/rules.mk" ac_config_commands="$ac_config_commands default" 
@@ -26906,9 +26908,7 @@ "servers/slapd/slapi/Makefile") CONFIG_FILES="$CONFIG_FILES servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk" ;; "servers/slapd/overlays/Makefile") CONFIG_FILES="$CONFIG_FILES servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk" ;; "servers/slapd/pwmods/Makefile") CONFIG_FILES="$CONFIG_FILES servers/slapd/pwmods/Makefile:build/top.mk:servers/slapd/pwmods/Makefile.in:build/lib.mk" ;; - "servers/lloadd/Makefile") CONFIG_FILES="$CONFIG_FILES servers/lloadd/Makefile:build/top.mk:servers/lloadd/Makefile.in" ;; - "servers/lloadd/Makefile.server") CONFIG_FILES="$CONFIG_FILES servers/lloadd/Makefile.server:servers/lloadd/Makefile_server.in:build/srv.mk" ;; - "servers/lloadd/Makefile.module") CONFIG_FILES="$CONFIG_FILES servers/lloadd/Makefile.module:servers/lloadd/Makefile_module.in:build/mod.mk" ;; + "servers/lloadd/Makefile") CONFIG_FILES="$CONFIG_FILES servers/lloadd/Makefile:build/top.mk:servers/lloadd/Makefile.in:$BALANCER_MAKE" ;; "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk" ;; "tests/run") CONFIG_FILES="$CONFIG_FILES tests/run" ;; "tests/progs/Makefile") CONFIG_FILES="$CONFIG_FILES tests/progs/Makefile:build/top.mk:tests/progs/Makefile.in:build/rules.mk" ;; diff -Nru openldap-2.5.13+dfsg/configure.ac openldap-2.5.14+dfsg/configure.ac --- openldap-2.5.13+dfsg/configure.ac 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/configure.ac 2023-02-08 18:49:18.000000000 +0000 
@@ -25,7 +25,7 @@ dnl Configure.in for OpenLDAP AC_COPYRIGHT([[Copyright 1998-2022 The OpenLDAP Foundation. All rights reserved. Restrictions apply, see COPYRIGHT and LICENSE files.]]) -AC_REVISION([$Id: 15bca89511fc428731cf9ab71a9b46e37511be67 $]) +AC_REVISION([$Id: 3943f6265060065483db582e5c7bef14fe934d80 $]) AC_INIT([OpenLDAP],,[https://bugs.openldap.org],,[https://www.openldap.org]) AC_CONFIG_SRCDIR(build/version.sh)dnl dnl ---------------------------------------------------------------- @@ -561,7 +561,6 @@ SLAPD_LIBS= BALANCER_LIBS= -BALANCER_INCLUDE= BUILD_SLAPD=no BUILD_BALANCER=no @@ -2084,7 +2083,7 @@ WITH_SYSTEMD=no systemdsystemunitdir= ol_link_systemd=no -if test $ol_enable_slapd == no && test $ol_enable_balancer != yes ; then +if test $ol_enable_slapd = no && test $ol_enable_balancer != yes ; then if test $ol_with_systemd != no ; then AC_MSG_WARN([servers disabled, ignoring --with-systemd=$ol_with_systemd argument]) ol_with_systemd=no @@ -3103,11 +3102,11 @@ -a "$ol_with_threads" != no \ -a "$have_libevent" = yes ; then if test "$ol_enable_balancer" = mod; then - BALANCER_INCLUDE=Makefile.module BUILD_BALANCER=mod + BALANCER_MAKE="servers/lloadd/Makefile_module.in:build/mod.mk" else - BALANCER_INCLUDE=Makefile.server BUILD_BALANCER=yes + BALANCER_MAKE="servers/lloadd/Makefile_server.in:build/srv.mk" fi fi @@ -3118,6 +3117,7 @@ fi OL_VERSIONED_SYMBOLS="" +DO_VERSIONED_SYMBOLS="# " if test $ol_enable_versioning != no; then LDVS=`$LD --help < /dev/null 2>/dev/null | grep gnu-version-script` if test -z "$LDVS"; then @@ -3132,6 +3132,9 @@ else OL_VERSIONED_SYMBOLS="-z gnu-version-script=" fi + if test -n "$OL_VERSIONED_SYMBOLS"; then + DO_VERSIONED_SYMBOLS="" + fi fi dnl ---------------------------------------------------------------- @@ -3158,6 +3161,7 @@ AC_SUBST(BUILD_THREAD) AC_SUBST(BUILD_LIBS_DYNAMIC) AC_SUBST(OL_VERSIONED_SYMBOLS) +AC_SUBST(DO_VERSIONED_SYMBOLS) AC_SUBST(BUILD_SLAPD) dnl slapi 
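Review bot: In the @@ -2084,7 +2083,7 hunk the corrected line still expands both variables unquoted, `test $ol_enable_slapd = no && test $ol_enable_balancer != yes`, so an empty value turns the test into a malformed expression instead of a false comparison. The balancer check in the @@ -3103,11 hunk of the same file already quotes its operand (`test "$ol_enable_balancer" = mod`), and this line could follow it: `if test "$ol_enable_slapd" = no && test "$ol_enable_balancer" != yes ; then`. The generated `configure` carries the same line and would need regenerating.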
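Review bot: `BALANCER_MAKE` is assigned only inside the balancer-enabled branch of the @@ -3103,11 hunk, and the `BALANCER_INCLUDE=` default removed at @@ -561,7 gets no `BALANCER_MAKE=` counterpart in the visible hunks. Unless it is initialised somewhere outside them, a build with the balancer disabled expands `servers/lloadd/Makefile.in:$BALANCER_MAKE` in AC_CONFIG_FILES from whatever the caller's environment holds, or to an empty trailing component. Adding `BALANCER_MAKE=` beside `BALANCER_LIBS=` would pin the value so that the Makefile template inputs never come from the environment. The `if` that guards the assignments begins outside the hunk.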
@@ -3254,8 +3258,6 @@ AC_SUBST(WT_CFLAGS) AC_SUBST(WT_LIBS) -AC_SUBST(BALANCER_INCLUDE) - dnl ---------------------------------------------------------------- dnl final help output AC_ARG_WITH(xxinstall,[ @@ -3305,9 +3307,7 @@ [servers/slapd/slapi/Makefile:build/top.mk:servers/slapd/slapi/Makefile.in:build/lib.mk:build/lib-shared.mk] [servers/slapd/overlays/Makefile:build/top.mk:servers/slapd/overlays/Makefile.in:build/lib.mk] [servers/slapd/pwmods/Makefile:build/top.mk:servers/slapd/pwmods/Makefile.in:build/lib.mk] -[servers/lloadd/Makefile:build/top.mk:servers/lloadd/Makefile.in] -[servers/lloadd/Makefile.server:servers/lloadd/Makefile_server.in:build/srv.mk] -[servers/lloadd/Makefile.module:servers/lloadd/Makefile_module.in:build/mod.mk] +[servers/lloadd/Makefile:build/top.mk:servers/lloadd/Makefile.in:$BALANCER_MAKE] [tests/Makefile:build/top.mk:tests/Makefile.in:build/dir.mk] [tests/run] [tests/progs/Makefile:build/top.mk:tests/progs/Makefile.in:build/rules.mk]) diff -Nru openldap-2.5.13+dfsg/contrib/ldapc++/src/StringList.h openldap-2.5.14+dfsg/contrib/ldapc++/src/StringList.h --- openldap-2.5.13+dfsg/contrib/ldapc++/src/StringList.h 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/contrib/ldapc++/src/StringList.h 2023-02-08 18:49:18.000000000 +0000 @@ -35,7 +35,7 @@ * For internal use only * * This constructor is used by the library internally to create a - * list of string from a array for c-Strings (char*)thar was + * list of string from an array for c-Strings (char*)that was * returned by the C-API */ StringList(char** values); diff -Nru openldap-2.5.13+dfsg/contrib/slapd-modules/passwd/totp/README openldap-2.5.14+dfsg/contrib/slapd-modules/passwd/totp/README --- openldap-2.5.13+dfsg/contrib/slapd-modules/passwd/totp/README 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/contrib/slapd-modules/passwd/totp/README 2023-02-08 18:49:18.000000000 +0000 
@@ -27,13 +27,13 @@ 1) Customize the LDAP_SRC variable in Makefile to point to the OpenLDAP source root. -2) Run 'make' to produce slapd-totp.so +2) Run 'make' to produce pw-totp.so -3) Copy slapd-totp.so somewhere permanent. +3) Copy pw-totp.so somewhere permanent. 4) Edit your slapd.conf (eg. /etc/ldap/slapd.conf), and add: -moduleload ...path/to/slapd-totp.so +moduleload ...path/to/pw-totp.so 5) This module replaces the function of the slapo-lastbind overlay. You cannot use that overlay on the same database as this one. diff -Nru openldap-2.5.13+dfsg/contrib/slapd-modules/passwd/totp/slapd-totp.c openldap-2.5.14+dfsg/contrib/slapd-modules/passwd/totp/slapd-totp.c --- openldap-2.5.13+dfsg/contrib/slapd-modules/passwd/totp/slapd-totp.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/contrib/slapd-modules/passwd/totp/slapd-totp.c 2023-02-08 18:49:18.000000000 +0000 @@ -133,15 +133,15 @@ static int totp_b32_ntop( - u_char const *src, + unsigned char const *src, size_t srclength, char *target, size_t targsize) { size_t datalength = 0; - u_char input0; - u_int input1; /* assumed to be at least 32 bits */ - u_char output[8]; + unsigned char input0; + unsigned int input1; /* assumed to be at least 32 bits */ + unsigned char output[8]; int i; while (4 < srclength) { @@ -204,7 +204,7 @@ static int totp_b32_pton( char const *src, - u_char *target, + unsigned char *target, size_t targsize) { int tarindex, state, ch; diff -Nru openldap-2.5.13+dfsg/contrib/slapd-modules/rbac/rbac.c openldap-2.5.14+dfsg/contrib/slapd-modules/rbac/rbac.c --- openldap-2.5.13+dfsg/contrib/slapd-modules/rbac/rbac.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/contrib/slapd-modules/rbac/rbac.c 2023-02-08 18:49:18.000000000 +0000 @@ -1077,7 +1077,7 @@ return rc; } -// checkAcess F (ALL) +// checkAccess F (ALL) static int rbac_check_access( Operation *op, SlapReply *rs ) { 
@@ -1146,7 +1146,7 @@ return rs->sr_err; } -// checkAcess A loop back +// checkAccess A loop back static int rbac_check_accessA( Operation *op, SlapReply *rs ) { @@ -1162,7 +1162,7 @@ return rc; } -// checkAcess B parse +// checkAccess B parse static int rbac_check_accessB( Operation *op, SlapReply *rs ) { @@ -1190,7 +1190,7 @@ return rc; } -// checkAcess C - parse request & read session record +// checkAccess C - parse request & read session record static int rbac_check_accessC( Operation *op, SlapReply *rs ) { @@ -1230,7 +1230,7 @@ return rc; } -// checkAcess D, parse, read perm +// checkAccess D, parse, read perm static int rbac_check_accessD( Operation *op, SlapReply *rs ) { @@ -1282,7 +1282,7 @@ return rc; } -// checkAcess E everything but the audit insert +// checkAccess E everything but the audit insert static int rbac_check_accessE( Operation *op, SlapReply *rs ) { diff -Nru openldap-2.5.13+dfsg/debian/changelog openldap-2.5.14+dfsg/debian/changelog --- openldap-2.5.13+dfsg/debian/changelog 2022-08-05 14:51:52.000000000 +0000 +++ openldap-2.5.14+dfsg/debian/changelog 2023-02-17 21:12:43.000000000 +0000 @@ -1,3 +1,11 @@ +openldap (2.5.14+dfsg-0ubuntu0.22.04.1) jammy; urgency=medium + + * New upstream version (LP: #2007625). + - Several fixes, including memory leaks that affect slapd and + certain slapo modules. + + -- Sergio Durigan Junior Fri, 17 Feb 2023 16:12:43 -0500 + openldap (2.5.13+dfsg-0ubuntu0.22.04.1) jammy; urgency=medium * New upstream version (LP: #1983618). diff -Nru openldap-2.5.13+dfsg/doc/guide/admin/guide.html openldap-2.5.14+dfsg/doc/guide/admin/guide.html --- openldap-2.5.13+dfsg/doc/guide/admin/guide.html 2022-07-14 18:36:30.000000000 +0000 +++ openldap-2.5.14+dfsg/doc/guide/admin/guide.html 2023-02-08 21:34:50.000000000 +0000 @@ -23,7 +23,7 @@

OpenLDAP Software 2.5 Administrator's Guide

The OpenLDAP Project <https://www.openldap.org/>
-
14 July 2022
+
8 February 2023

diff -Nru openldap-2.5.13+dfsg/doc/man/man3/ldap_bind.3 openldap-2.5.14+dfsg/doc/man/man3/ldap_bind.3 --- openldap-2.5.13+dfsg/doc/man/man3/ldap_bind.3 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/doc/man/man3/ldap_bind.3 2023-02-08 18:49:18.000000000 +0000 @@ -158,6 +158,9 @@ The result must be additionally parsed by .BR ldap_parse_sasl_bind_result () to obtain any server credentials sent from the server. + +Any returned server credentials should be freed using +.BR ber_bvfree (). .LP Many SASL mechanisms require multiple message exchanges to perform a complete authentication. Applications should generally use diff -Nru openldap-2.5.13+dfsg/doc/man/man5/slapd-asyncmeta.5 openldap-2.5.14+dfsg/doc/man/man5/slapd-asyncmeta.5 --- openldap-2.5.13+dfsg/doc/man/man5/slapd-asyncmeta.5 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/doc/man/man5/slapd-asyncmeta.5 2023-02-08 18:49:18.000000000 +0000 @@ -54,8 +54,7 @@ For each request redirected to a target, a different connection is selected. Each connection has a queue, to which the request is added before it is sent to the remote server, and is removed after the last response for that request is received. - For each new request, the connection with the smallest number of pending requests -is selected, or using round\-robin if the numbers are equal. + For each new request, a new connection is chosen using round\-robin scheduling. .LP .B Overlays: .LP diff -Nru openldap-2.5.13+dfsg/doc/man/man5/slapd-config.5 openldap-2.5.14+dfsg/doc/man/man5/slapd-config.5 --- openldap-2.5.13+dfsg/doc/man/man5/slapd-config.5 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/doc/man/man5/slapd-config.5 2023-02-08 18:49:18.000000000 +0000 
@@ -501,7 +501,7 @@ .B olcWriteTimeout option. .TP -.B olcIndexHash64: { on | off } +.B olcIndexHash64: { TRUE | FALSE } Use a 64 bit hash for indexing. The default is to use 32 bit hashes. These hashes are used for equality and substring indexing. The 64 bit version may be needed to avoid index collisions when the number of diff -Nru openldap-2.5.13+dfsg/doc/man/man5/slapo-dynlist.5 openldap-2.5.14+dfsg/doc/man/man5/slapo-dynlist.5 --- openldap-2.5.13+dfsg/doc/man/man5/slapo-dynlist.5 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/doc/man/man5/slapo-dynlist.5 2023-02-08 18:49:18.000000000 +0000 @@ -11,21 +11,26 @@ .B dynlist overlay to .BR slapd (8) -allows expansion of dynamic groups and more. +allows expansion of dynamic lists and groups. Any time an entry with a specific objectClass (defined in the overlay configuration) is being returned, the LDAP URI-valued occurrences of a specific attribute (also defined in the overlay configuration) are -expanded into the corresponding entries, and the values -of the attributes listed in the URI are added to the original +expanded into the corresponding entries. + +For a dynamic list, the values +of the attributes listed in the URI are added from the matching entries to the original entry. No recursion is allowed, to avoid potential infinite loops. - The resulting entry must comply with the LDAP data model, so constraints are enforced. For example, if a \fISINGLE\-VALUE\fP attribute is listed, only the first value found during the list expansion appears in the final entry. + +For a dynamic group, the DNs of the matching entries are added to a member attribute +in the original entry. + All dynamic behavior is disabled when the \fImanageDSAit\fP control (RFC 3296) is used. -In that case, the contents of the dynamic group entry is returned; +In that case, the contents of the original entry is returned; namely, the URLs are returned instead of being expanded. .SH CONFIGURATION 
@@ -51,7 +56,8 @@ .B overlay directive. .TP -.B dynlist\-attrset [] [[:][+[*]] ...] +.B dynlist\-attrset [] [options] + The value .B group\-oc is the name of the objectClass that triggers the dynamic expansion of the @@ -71,9 +77,33 @@ in the URI is empty, no expansion occurs for that specific URI. It must be a subtype of \fIlabeledURI\fP. -The value +The remaining options depend on whether a dynamic list or a dynamic group +is being configured. + +For a dynamic list, the allowed options have the form + +.B [: ...] + +The +.B mapped-ad +can be used to remap attributes obtained through expansion. +The +.B list-ad +must be one of the attributes returned in the expansion of the URIs in the +.B URL-ad +attribute of the dynamic entry. Multiple mapping statements can be used. +Note that in order for dynamic lists +to be usable in a search filter, the dynamic attributes to be filtered +must be explicitly mapped. They can be mapped to themselves +if no transformation is required. + +For a dynamic group, the allowed options are + +.B [+[@[*]]] + +The .B member-ad -is optional; if present, the overlay behaves as a dynamic group: this +is required; this attribute will list the DN of the entries resulting from the internal search. In this case, the \fIattrs\fP portion of the URIs in the .B URL-ad @@ -104,16 +134,6 @@ populated recursively, for nested groups. Note that currently nesting is only supported for Search operations, not Compares. -Alternatively, -.B mapped-ad -can be used to remap attributes obtained through expansion. -.B member-ad -attributes are not filled by expanded DN, but are remapped as -.B mapped-ad -attributes. Multiple mapping statements can be used. The -.B memberOf-ad -option is not used in this case. - .LP The dynlist overlay may be used with any backend, but it is mainly intended for use with local storage backends. 
@@ -176,6 +196,24 @@ If no are provided in the URI, all (non-operational) attributes are collected. +The values of the above list can not be evaluated in a search filter. To enable +filter evaluation on the dynamic list, the configuration must be changed to +explicitly map the dynamic attributes to be filtered. In this case +.B mail +is just mapped to itself. + +.LP +.nf + include /path/to/dyngroup.schema + # ... + + database + # ... + + overlay dynlist + dynlist\-attrset groupOfURLs memberURL mail:mail +.fi + This example implements the dynamic group feature on the .B member attribute: diff -Nru openldap-2.5.13+dfsg/doc/man/man5/slapo-unique.5 openldap-2.5.14+dfsg/doc/man/man5/slapo-unique.5 --- openldap-2.5.13+dfsg/doc/man/man5/slapo-unique.5 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/doc/man/man5/slapo-unique.5 2023-02-08 18:49:18.000000000 +0000 @@ -54,7 +54,8 @@ .BR ignore , and .B serialize -have to be enclosed in quotes (") together with the URI. +have to be enclosed in quotes (") together with the URI when using +deprecated slapd.conf configurations. The LDAP URI syntax is a subset of .B RFC-4516, diff -Nru openldap-2.5.13+dfsg/include/ac/socket.h openldap-2.5.14+dfsg/include/ac/socket.h --- openldap-2.5.13+dfsg/include/ac/socket.h 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/include/ac/socket.h 2023-02-08 18:49:18.000000000 +0000 @@ -63,7 +63,7 @@ #ifdef HAVE_WINSOCK2 #include #include -#elif HAVE_WINSOCK +#elif defined(HAVE_WINSOCK) #include #endif 
@@ -111,22 +111,20 @@ LBER_F( char * ) ber_pvt_wsa_err2string LDAP_P((int)); -#elif MACOS +#elif defined(MACOS) # define tcp_close( s ) tcpclose( s ) # define tcp_read( s, buf, len ) tcpread( s, buf, len ) # define tcp_write( s, buf, len ) tcpwrite( s, buf, len ) -#elif DOS -# ifdef PCNFS -# define tcp_close( s ) close( s ) -# define tcp_read( s, buf, len ) recv( s, buf, len, 0 ) -# define tcp_write( s, buf, len ) send( s, buf, len, 0 ) -# endif /* PCNFS */ -# ifdef NCSA -# define tcp_close( s ) do { netclose( s ); netshut() } while(0) -# define tcp_read( s, buf, len ) nread( s, buf, len ) -# define tcp_write( s, buf, len ) netwrite( s, buf, len ) -# endif /* NCSA */ +#elif defined(HAVE_PCNFS) +# define tcp_close( s ) close( s ) +# define tcp_read( s, buf, len ) recv( s, buf, len, 0 ) +# define tcp_write( s, buf, len ) send( s, buf, len, 0 ) + +#elif defined(HAVE_NCSA) +# define tcp_close( s ) do { netclose( s ); netshut() } while(0) +# define tcp_read( s, buf, len ) nread( s, buf, len ) +# define tcp_write( s, buf, len ) netwrite( s, buf, len ) #elif defined(HAVE_CLOSESOCKET) # define tcp_close( s ) closesocket( s ) diff -Nru openldap-2.5.13+dfsg/include/ldap_pvt_thread.h openldap-2.5.14+dfsg/include/ldap_pvt_thread.h --- openldap-2.5.13+dfsg/include/ldap_pvt_thread.h 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/include/ldap_pvt_thread.h 2023-02-08 18:49:18.000000000 +0000 
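Review bot: The `HAVE_NCSA` branch carries over a `tcp_close` macro that cannot compile, because `netshut()` has no terminating semicolon before the closing brace. Since these lines are being re-guarded and re-indented anyway, the macro should become `# define tcp_close( s ) do { netclose( s ); netshut(); } while(0)`. The surrounding `#if`/`#elif` chain starts and ends outside the hunk.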
@@ -253,7 +253,8 @@ LDAP_PVT_THREAD_POOL_PARAM_ACTIVE_MAX, LDAP_PVT_THREAD_POOL_PARAM_PENDING_MAX, LDAP_PVT_THREAD_POOL_PARAM_BACKLOAD_MAX, - LDAP_PVT_THREAD_POOL_PARAM_STATE + LDAP_PVT_THREAD_POOL_PARAM_STATE, + LDAP_PVT_THREAD_POOL_PARAM_PAUSED } ldap_pvt_thread_pool_param_t; #endif /* !LDAP_PVT_THREAD_H_DONE */ diff -Nru openldap-2.5.13+dfsg/libraries/liblber/bprint.c openldap-2.5.14+dfsg/libraries/liblber/bprint.c --- openldap-2.5.13+dfsg/libraries/liblber/bprint.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblber/bprint.c 2023-02-08 18:49:18.000000000 +0000 @@ -266,9 +266,9 @@ } sprintf( buf, "ber_dump: buf=%p ptr=%p end=%p len=%ld\n", - ber->ber_buf, - ber->ber_ptr, - ber->ber_end, + (void *) ber->ber_buf, + (void *) ber->ber_ptr, + (void *) ber->ber_end, (long) len ); (void) (*ber_pvt_log_print)( buf ); diff -Nru openldap-2.5.13+dfsg/libraries/liblber/Makefile.in openldap-2.5.14+dfsg/libraries/liblber/Makefile.in --- openldap-2.5.13+dfsg/libraries/liblber/Makefile.in 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblber/Makefile.in 2023-02-08 18:49:18.000000000 +0000 @@ -38,9 +38,7 @@ XXLIBS = NT_LINK_LIBS = $(AC_LIBS) UNIX_LINK_LIBS = $(AC_LIBS) -ifneq (,$(OL_VERSIONED_SYMBOLS)) - SYMBOL_VERSION_FLAGS=$(OL_VERSIONED_SYMBOLS)$(LDAP_LIBDIR)/liblber/liblber.vers -endif +@DO_VERSIONED_SYMBOLS@SYMBOL_VERSION_FLAGS=$(OL_VERSIONED_SYMBOLS)$(LDAP_LIBDIR)/liblber/liblber.vers dtest: $(XLIBS) dtest.o $(LTLINK) -o $@ dtest.o $(LIBS) diff -Nru openldap-2.5.13+dfsg/libraries/liblber/stdio.c openldap-2.5.14+dfsg/libraries/liblber/stdio.c --- openldap-2.5.13+dfsg/libraries/liblber/stdio.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblber/stdio.c 2023-02-08 18:49:18.000000000 +0000 
@@ -20,6 +20,7 @@ #include #include #include +#include #if !defined(HAVE_VSNPRINTF) && !defined(HAVE_EBCDIC) /* Write at most n characters to the buffer in str, return the diff -Nru openldap-2.5.13+dfsg/libraries/libldap/cyrus.c openldap-2.5.14+dfsg/libraries/libldap/cyrus.c --- openldap-2.5.13+dfsg/libraries/libldap/cyrus.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/libldap/cyrus.c 2023-02-08 18:49:18.000000000 +0000 @@ -389,7 +389,7 @@ char endpoint_prefix[] = "tls-server-end-point:"; char cbinding[ 64 ]; struct berval cbv = { 64, cbinding }; - void *cb_data; /* used since cb->data is const* */ + unsigned char *cb_data; /* used since cb->data is const* */ sasl_channel_binding_t *cb; char *prefix; int plen; @@ -415,7 +415,7 @@ cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len ); cb->len = plen + cbv.bv_len; - cb->data = cb_data = cb+1; + cb->data = cb_data = (unsigned char *)(cb+1); memcpy( cb_data, prefix, plen ); memcpy( cb_data + plen, cbv.bv_val, cbv.bv_len ); cb->name = "ldap"; diff -Nru openldap-2.5.13+dfsg/libraries/libldap/fetch.c openldap-2.5.14+dfsg/libraries/libldap/fetch.c --- openldap-2.5.13+dfsg/libraries/libldap/fetch.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/libldap/fetch.c 2023-02-08 18:49:18.000000000 +0000 @@ -69,6 +69,8 @@ } p = ber_strdup( urlstr ); + if ( p == NULL ) + return NULL; /* But we should convert to LDAP_DIRSEP before use */ if ( LDAP_DIRSEP[0] != '/' ) { diff -Nru openldap-2.5.13+dfsg/libraries/libldap/filter.c openldap-2.5.14+dfsg/libraries/libldap/filter.c --- openldap-2.5.13+dfsg/libraries/libldap/filter.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/libldap/filter.c 2023-02-08 18:49:18.000000000 +0000 
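Review bot: In the second cyrus.c hunk the result of `ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len )` is dereferenced on the very next line (`cb->len = plen + cbv.bv_len;`) with no NULL check. An allocation failure while building the channel-binding data therefore becomes a write through a NULL pointer instead of an error return. An `if ( cb == NULL )` guard with an early error return directly after the allocation would cover it. The function's signature and its failure value are outside the hunk, so the value to return has to be taken from there.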
@@ -555,6 +555,8 @@ Debug1( LDAP_DEBUG_TRACE, "put_simple_filter: \"%s\"\n", str ); + if ( str[0] == '=' ) return -1; + str = LDAP_STRDUP( str ); if( str == NULL ) return -1; diff -Nru openldap-2.5.13+dfsg/libraries/libldap/Makefile.in openldap-2.5.14+dfsg/libraries/libldap/Makefile.in --- openldap-2.5.13+dfsg/libraries/libldap/Makefile.in 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/libldap/Makefile.in 2023-02-08 18:49:18.000000000 +0000 @@ -58,9 +58,7 @@ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) -ifneq (,$(OL_VERSIONED_SYMBOLS)) - SYMBOL_VERSION_FLAGS=$(OL_VERSIONED_SYMBOLS)$(LDAP_LIBDIR)/libldap/libldap.vers -endif +@DO_VERSIONED_SYMBOLS@SYMBOL_VERSION_FLAGS=$(OL_VERSIONED_SYMBOLS)$(LDAP_LIBDIR)/libldap/libldap.vers apitest: $(XLIBS) apitest.o $(LTLINK) -o $@ apitest.o $(LIBS) diff -Nru openldap-2.5.13+dfsg/libraries/libldap/request.c openldap-2.5.14+dfsg/libraries/libldap/request.c --- openldap-2.5.13+dfsg/libraries/libldap/request.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/libldap/request.c 2023-02-08 18:49:18.000000000 +0000 @@ -961,7 +961,7 @@ Debug3( LDAP_DEBUG_TRACE, "ldap_do_free_request: " "asked to free lr %p msgid %d refcnt %d\n", - lr, lr->lr_msgid, lr->lr_refcnt ); + (void *) lr, lr->lr_msgid, lr->lr_refcnt ); /* if lr_refcnt > 0, the request has been looked up * by ldap_find_request_by_msgid(); if in the meanwhile * the request is free()'d by someone else, just decrease @@ -1008,7 +1008,7 @@ assert( !removed || removed == lr ); Debug3( LDAP_DEBUG_TRACE, "ldap_free_request_int: " "lr %p msgid %d%s removed\n", - lr, lr->lr_msgid, removed ? "" : " not" ); + (void *) lr, lr->lr_msgid, removed ? "" : " not" ); ldap_do_free_request( lr ); } 
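Review bot: The new early return `if ( str[0] == '=' ) return -1;` is the only input-validation line in this part of put_simple_filter and has no comment. Presumably it rejects a filter item whose attribute description is empty; a one-line comment such as `/* reject a filter item with an empty attribute description */` would record the intent. Placing the check before `LDAP_STRDUP` is right, since nothing has been allocated yet. The rest of the function is outside the hunk.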
@@ -1673,12 +1673,12 @@ lr->lr_refcnt++; Debug3( LDAP_DEBUG_TRACE, "ldap_find_request_by_msgid: " "msgid %d, lr %p lr->lr_refcnt = %d\n", - msgid, lr, lr->lr_refcnt ); + msgid, (void *) lr, lr->lr_refcnt ); return lr; } Debug2( LDAP_DEBUG_TRACE, "ldap_find_request_by_msgid: " - "msgid %d, lr %p\n", msgid, lr ); + "msgid %d, lr %p\n", msgid, (void *) lr ); return NULL; } @@ -1690,7 +1690,7 @@ lr = ldap_tavl_find( ld->ld_requests, lrx, ldap_req_cmp ); Debug2( LDAP_DEBUG_TRACE, "ldap_return_request: " - "lrx %p, lr %p\n", lrx, lr ); + "lrx %p, lr %p\n", (void *) lrx, (void *) lr ); if ( lr ) { assert( lr == lrx ); if ( lr->lr_refcnt > 0 ) { diff -Nru openldap-2.5.13+dfsg/libraries/libldap/tpool.c openldap-2.5.14+dfsg/libraries/libldap/tpool.c --- openldap-2.5.13+dfsg/libraries/libldap/tpool.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/libldap/tpool.c 2023-02-08 18:49:18.000000000 +0000 @@ -769,6 +769,12 @@ } break; + case LDAP_PVT_THREAD_POOL_PARAM_PAUSED: + ldap_pvt_thread_mutex_lock(&pool->ltp_mutex); + count = (pool->ltp_pause == PAUSED); + ldap_pvt_thread_mutex_unlock(&pool->ltp_mutex); + break; + case LDAP_PVT_THREAD_POOL_PARAM_UNKNOWN: break; } diff -Nru openldap-2.5.13+dfsg/libraries/libldap/url.c openldap-2.5.14+dfsg/libraries/libldap/url.c --- openldap-2.5.13+dfsg/libraries/libldap/url.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/libldap/url.c 2023-02-08 18:49:18.000000000 +0000 
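Review bot: The value produced by the new `LDAP_PVT_THREAD_POOL_PARAM_PAUSED` case in tpool.c is only accurate while `ltp_mutex` is held. Once the mutex is released the pool can enter or leave the paused state, so callers have to treat the result as a hint and not as a guarantee. A comment on the case would make that explicit, e.g. `/* snapshot only: may be stale once ltp_mutex is released */`. The matching enumerator added in ldap_pvt_thread.h carries no description either. The enclosing switch and function start outside the hunk.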
@@ -1385,24 +1385,22 @@ } ludp->lud_port = port; ludp->lud_host = specs[i]; - specs[i] = NULL; p = strchr(ludp->lud_host, ':'); if (p != NULL) { /* more than one :, IPv6 address */ if ( strchr(p+1, ':') != NULL ) { /* allow [address] and [address]:port */ if ( *ludp->lud_host == '[' ) { - p = LDAP_STRDUP(ludp->lud_host+1); - /* copied, make sure we free source later */ - specs[i] = ludp->lud_host; - ludp->lud_host = p; - p = strchr( ludp->lud_host, ']' ); + p = strchr( ludp->lud_host+1, ']' ); if ( p == NULL ) { LDAP_FREE(ludp); ldap_charray_free(specs); return LDAP_PARAM_ERROR; } - *p++ = '\0'; + /* Truncate trailing ']' and shift hostname down 1 char */ + *p = '\0'; + AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host ); + p++; if ( *p != ':' ) { if ( *p != '\0' ) { LDAP_FREE(ludp); @@ -1428,14 +1426,19 @@ } } } - ldap_pvt_hex_unescape(ludp->lud_host); ludp->lud_scheme = LDAP_STRDUP("ldap"); + if ( ludp->lud_scheme == NULL ) { + LDAP_FREE(ludp); + ldap_charray_free(specs); + return LDAP_NO_MEMORY; + } + specs[i] = NULL; + ldap_pvt_hex_unescape(ludp->lud_host); ludp->lud_next = *ludlist; *ludlist = ludp; } /* this should be an array of NULLs now */ - /* except entries starting with [ */ ldap_charray_free(specs); return LDAP_SUCCESS; } diff -Nru openldap-2.5.13+dfsg/libraries/liblmdb/CHANGES openldap-2.5.14+dfsg/libraries/liblmdb/CHANGES --- openldap-2.5.13+dfsg/libraries/liblmdb/CHANGES 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblmdb/CHANGES 2023-02-08 18:49:18.000000000 +0000 
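Review bot: The in-place bracket stripping copies between overlapping ranges: in `AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host )` source and destination are one byte apart. That is only well defined if `AC_MEMCPY` resolves to an overlap-safe primitive on every supported build, and its definition is not visible here. The new comment should state the dependency, e.g. `/* regions overlap: relies on AC_MEMCPY having memmove semantics */`. The length itself is right as written, since it moves the address plus the NUL just stored at `p`.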
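Review bot: The new `LDAP_NO_MEMORY` return frees `ludp` and `specs` but leaves whatever earlier loop iterations already pushed onto `*ludlist`, and each of those entries owns a `lud_host` that was detached from `specs` by `specs[i] = NULL`. Unless every caller frees `*ludlist` on a non-success return, which the hunk does not show, those entries leak; the `LDAP_PARAM_ERROR` returns in the previous hunk have the same shape. Releasing the partial list before returning, e.g. `ldap_free_urllist( *ludlist ); *ludlist = NULL;`, or documenting that the caller owns `*ludlist` on error would settle it. The loop and the function start outside the hunk.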
@@ -1,5 +1,12 @@ LMDB 0.9 Change Log +LMDB 0.9.30 Release (2023/02/08) + ITS#9806 - LMDB page_split: key threshold depends on page size + ITS#9916 - avoid gcc optimization bug on sparc64 linux + ITS#9919 - Mark infrequently used functions as cold + ITS#9723 - clear C_EOF on cursor with MDB_FIRST_DUP + ITS#9030 - Use sys/cachectl.h rather than asm/cachectl.h on mips + LMDB 0.9.29 Release (2021/03/16) ITS#9461 refix ITS#9376 ITS#9500 fix regression from ITS#8662 diff -Nru openldap-2.5.13+dfsg/libraries/liblmdb/lmdb.h openldap-2.5.14+dfsg/libraries/liblmdb/lmdb.h --- openldap-2.5.13+dfsg/libraries/liblmdb/lmdb.h 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblmdb/lmdb.h 2023-02-08 18:49:18.000000000 +0000 @@ -200,7 +200,7 @@ /** Library minor version */ #define MDB_VERSION_MINOR 9 /** Library patch version */ -#define MDB_VERSION_PATCH 29 +#define MDB_VERSION_PATCH 30 /** Combine args a,b,c into a single integer for easy version comparisons */ #define MDB_VERINT(a,b,c) (((a) << 24) | ((b) << 16) | (c)) @@ -210,7 +210,7 @@ MDB_VERINT(MDB_VERSION_MAJOR,MDB_VERSION_MINOR,MDB_VERSION_PATCH) /** The release date of this library version */ -#define MDB_VERSION_DATE "March 16, 2021" +#define MDB_VERSION_DATE "February 8, 2023" /** A stringifier for the version info */ #define MDB_VERSTR(a,b,c,d) "LMDB " #a "." #b "." #c ": (" d ")" diff -Nru openldap-2.5.13+dfsg/libraries/liblmdb/mdb.c openldap-2.5.14+dfsg/libraries/liblmdb/mdb.c --- openldap-2.5.13+dfsg/libraries/liblmdb/mdb.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblmdb/mdb.c 2023-02-08 18:49:18.000000000 +0000 @@ -77,8 +77,7 @@ #if defined(__mips) && defined(__linux) /* MIPS has cache coherency issues, requires explicit cache control */ -#include -extern int cacheflush(char *addr, int nbytes, int cache); +#include #define CACHEFLUSH(addr, bytes, cache) cacheflush(addr, bytes, cache) #else #define CACHEFLUSH(addr, bytes, cache) 
@@ -200,15 +199,21 @@ # error "Two's complement, reasonably sized integer types, please" #endif -#ifdef __GNUC__ -/** Put infrequently used env functions in separate section */ -# ifdef __APPLE__ -# define ESECT __attribute__ ((section("__TEXT,text_env"))) +#if (((__clang_major__ << 8) | __clang_minor__) >= 0x0302) || (((__GNUC__ << 8) | __GNUC_MINOR__) >= 0x0403) +/** Mark infrequently used env functions as cold. This puts them in a separate + * section, and optimizes them for size */ +#define ESECT __attribute__ ((cold)) +#else +/* On older compilers, use a separate section */ +# ifdef __GNUC__ +# ifdef __APPLE__ +# define ESECT __attribute__ ((section("__TEXT,text_env"))) +# else +# define ESECT __attribute__ ((section("text_env"))) +# endif # else -# define ESECT __attribute__ ((section("text_env"))) +# define ESECT # endif -#else -#define ESECT #endif #ifdef _WIN32 @@ -833,9 +838,26 @@ } pb; uint32_t pb_pages; /**< number of overflow pages */ } mp_pb; - indx_t mp_ptrs[1]; /**< dynamic size */ + indx_t mp_ptrs[0]; /**< dynamic size */ } MDB_page; +/** Alternate page header, for 2-byte aligned access */ +typedef struct MDB_page2 { + uint16_t mp2_p[sizeof(pgno_t)/2]; + uint16_t mp2_pad; + uint16_t mp2_flags; + indx_t mp2_lower; + indx_t mp2_upper; + indx_t mp2_ptrs[0]; +} MDB_page2; + +#define MP_PGNO(p) (((MDB_page2 *)(void *)(p))->mp2_p) +#define MP_PAD(p) (((MDB_page2 *)(void *)(p))->mp2_pad) +#define MP_FLAGS(p) (((MDB_page2 *)(void *)(p))->mp2_flags) +#define MP_LOWER(p) (((MDB_page2 *)(void *)(p))->mp2_lower) +#define MP_UPPER(p) (((MDB_page2 *)(void *)(p))->mp2_upper) +#define MP_PTRS(p) (((MDB_page2 *)(void *)(p))->mp2_ptrs) + /** Size of the page header, excluding dynamic data at the end */ #define PAGEHDRSZ ((unsigned) offsetof(MDB_page, mp_ptrs)) 
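Review bot: `MDB_page2` is only safe as an overlay if each of its fields sits at exactly the offset of the corresponding `MDB_page` field, and nothing in the @@ -833 hunk enforces that. A compile-time check next to the `MP_*` macros would catch a later edit to either struct, e.g. `typedef char mdb_page2_hdr_check[offsetof(MDB_page2, mp2_ptrs) == offsetof(MDB_page, mp_ptrs) ? 1 : -1];`. Separately, `mp_ptrs[0]` and `mp2_ptrs[0]` are zero-length arrays, a GNU extension; a C99 flexible array member (`[]`) is the standard spelling if the supported compilers and the existing uses of `MDB_page` allow it. The definition of `MDB_page` starts outside the hunk.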
@@ -846,10 +868,10 @@ #define PAGEBASE ((MDB_DEVEL) ? PAGEHDRSZ : 0) /** Number of nodes on a page */ -#define NUMKEYS(p) (((p)->mp_lower - (PAGEHDRSZ-PAGEBASE)) >> 1) +#define NUMKEYS(p) ((MP_LOWER(p) - (PAGEHDRSZ-PAGEBASE)) >> 1) /** The amount of space remaining in the page */ -#define SIZELEFT(p) (indx_t)((p)->mp_upper - (p)->mp_lower) +#define SIZELEFT(p) (indx_t)(MP_UPPER(p) - MP_LOWER(p)) /** The percentage of space used in the page, in tenths of a percent. */ #define PAGEFILL(env, p) (1000L * ((env)->me_psize - PAGEHDRSZ - SIZELEFT(p)) / \ @@ -860,15 +882,15 @@ #define FILL_THRESHOLD 250 /** Test if a page is a leaf page */ -#define IS_LEAF(p) F_ISSET((p)->mp_flags, P_LEAF) +#define IS_LEAF(p) F_ISSET(MP_FLAGS(p), P_LEAF) /** Test if a page is a LEAF2 page */ -#define IS_LEAF2(p) F_ISSET((p)->mp_flags, P_LEAF2) +#define IS_LEAF2(p) F_ISSET(MP_FLAGS(p), P_LEAF2) /** Test if a page is a branch page */ -#define IS_BRANCH(p) F_ISSET((p)->mp_flags, P_BRANCH) +#define IS_BRANCH(p) F_ISSET(MP_FLAGS(p), P_BRANCH) /** Test if a page is an overflow page */ -#define IS_OVERFLOW(p) F_ISSET((p)->mp_flags, P_OVERFLOW) +#define IS_OVERFLOW(p) F_ISSET(MP_FLAGS(p), P_OVERFLOW) /** Test if a page is a sub page */ -#define IS_SUBP(p) F_ISSET((p)->mp_flags, P_SUBP) +#define IS_SUBP(p) F_ISSET(MP_FLAGS(p), P_SUBP) /** The number of overflow pages needed to store the given size. */ #define OVPAGES(size, psize) ((PAGEHDRSZ-1 + (size)) / (psize) + 1) @@ -936,7 +958,7 @@ #define LEAFSIZE(k, d) (NODESIZE + (k)->mv_size + (d)->mv_size) /** Address of node \b i in page \b p */ -#define NODEPTR(p, i) ((MDB_node *)((char *)(p) + (p)->mp_ptrs[i] + PAGEBASE)) +#define NODEPTR(p, i) ((MDB_node *)((char *)(p) + MP_PTRS(p)[i] + PAGEBASE)) /** Address of the key for the node */ #define NODEKEY(node) (void *)((node)->mn_data) 
@@ -964,6 +986,8 @@ /** Copy a page number from src to dst */ #ifdef MISALIGNED_OK #define COPY_PGNO(dst,src) dst = src +#undef MP_PGNO +#define MP_PGNO(p) ((p)->mp_pgno) #else #if SIZE_MAX > 4294967295UL #define COPY_PGNO(dst,src) do { \ @@ -1517,6 +1541,8 @@ NULL, err, 0, ptr, MSGSIZE, (va_list *)buf+MSGSIZE); return ptr; #else + if (err < 0) + return "Invalid error code"; return strerror(err); #endif } @@ -1554,7 +1580,7 @@ mdb_dbg_pgno(MDB_page *mp) { pgno_t ret; - COPY_PGNO(ret, mp->mp_pgno); + COPY_PGNO(ret, MP_PGNO(mp)); return ret; } @@ -1601,13 +1627,13 @@ mdb_page_list(MDB_page *mp) { pgno_t pgno = mdb_dbg_pgno(mp); - const char *type, *state = (mp->mp_flags & P_DIRTY) ? ", dirty" : ""; + const char *type, *state = (MP_FLAGS(mp) & P_DIRTY) ? ", dirty" : ""; MDB_node *node; unsigned int i, nkeys, nsize, total = 0; MDB_val key; DKBUF; - switch (mp->mp_flags & (P_BRANCH|P_LEAF|P_LEAF2|P_META|P_OVERFLOW|P_SUBP)) { + switch (MP_FLAGS(mp) & (P_BRANCH|P_LEAF|P_LEAF2|P_META|P_OVERFLOW|P_SUBP)) { case P_BRANCH: type = "Branch page"; break; case P_LEAF: type = "Leaf page"; break; case P_LEAF|P_SUBP: type = "Sub-page"; break; @@ -1622,7 +1648,7 @@ pgno, ((MDB_meta *)METADATA(mp))->mm_txnid); return; default: - fprintf(stderr, "Bad page %"Z"u flags 0x%X\n", pgno, mp->mp_flags); + fprintf(stderr, "Bad page %"Z"u flags 0x%X\n", pgno, MP_FLAGS(mp)); return; } @@ -1658,7 +1684,7 @@ total = EVEN(total); } fprintf(stderr, "Total: header %d + contents %d + unused %d\n", - IS_LEAF2(mp) ? PAGEHDRSZ : PAGEBASE + mp->mp_lower, total, SIZELEFT(mp)); + IS_LEAF2(mp) ? PAGEHDRSZ : PAGEBASE + MP_LOWER(mp), total, SIZELEFT(mp)); } void @@ -2418,7 +2444,7 @@ pgno_t pgno; int rc; - if (!F_ISSET(mp->mp_flags, P_DIRTY)) { + if (!F_ISSET(MP_FLAGS(mp), P_DIRTY)) { if (txn->mt_flags & MDB_TXN_SPILLS) { np = NULL; rc = mdb_page_unspill(txn, mp, &np); 
@@ -6061,7 +6087,7 @@ mc->mc_ki[mc->mc_top] = 0; return MDB_NOTFOUND; } - if (mp->mp_flags & P_LEAF2) { + if (MP_FLAGS(mp) & P_LEAF2) { nodekey.mv_size = mc->mc_db->md_pad; nodekey.mv_data = LEAF2KEY(mp, 0, nodekey.mv_size); } else { @@ -6082,7 +6108,7 @@ unsigned int i; unsigned int nkeys = NUMKEYS(mp); if (nkeys > 1) { - if (mp->mp_flags & P_LEAF2) { + if (MP_FLAGS(mp) & P_LEAF2) { nodekey.mv_data = LEAF2KEY(mp, nkeys-1, nodekey.mv_size); } else { @@ -6100,7 +6126,7 @@ if (rc < 0) { if (mc->mc_ki[mc->mc_top] < NUMKEYS(mp)) { /* This is definitely the right page, skip search_page */ - if (mp->mp_flags & P_LEAF2) { + if (MP_FLAGS(mp) & P_LEAF2) { nodekey.mv_data = LEAF2KEY(mp, mc->mc_ki[mc->mc_top], nodekey.mv_size); } else { @@ -6477,6 +6503,7 @@ rc = MDB_NOTFOUND; break; } + mc->mc_flags &= ~C_EOF; { MDB_node *leaf = NODEPTR(mc->mc_pg[mc->mc_top], mc->mc_ki[mc->mc_top]); if (!F_ISSET(leaf->mn_flags, F_DUPDATA)) { @@ -6663,7 +6690,7 @@ *mc->mc_dbflag |= DB_DIRTY; if ((mc->mc_db->md_flags & (MDB_DUPSORT|MDB_DUPFIXED)) == MDB_DUPFIXED) - np->mp_flags |= P_LEAF2; + MP_FLAGS(np) |= P_LEAF2; mc->mc_flags |= C_INITIALIZED; } else { /* make sure all cursor pages are writable */ @@ -6685,7 +6712,7 @@ fp_flags = P_LEAF|P_DIRTY; fp = env->me_pbuf; fp->mp_pad = data->mv_size; /* used if MDB_DUPFIXED */ - fp->mp_lower = fp->mp_upper = (PAGEHDRSZ-PAGEBASE); + MP_LOWER(fp) = MP_UPPER(fp) = (PAGEHDRSZ-PAGEBASE); olddata.mv_size = PAGEHDRSZ; goto prep_subDB; } 
@@ -6761,18 +6788,18 @@ dkey.mv_data = memcpy(fp+1, olddata.mv_data, olddata.mv_size); /* Make sub-page header for the dup items, with dummy body */ - fp->mp_flags = P_LEAF|P_DIRTY|P_SUBP; - fp->mp_lower = (PAGEHDRSZ-PAGEBASE); + MP_FLAGS(fp) = P_LEAF|P_DIRTY|P_SUBP; + MP_LOWER(fp) = (PAGEHDRSZ-PAGEBASE); xdata.mv_size = PAGEHDRSZ + dkey.mv_size + data->mv_size; if (mc->mc_db->md_flags & MDB_DUPFIXED) { - fp->mp_flags |= P_LEAF2; + MP_FLAGS(fp) |= P_LEAF2; fp->mp_pad = data->mv_size; xdata.mv_size += 2 * data->mv_size; /* leave space for 2 more */ } else { xdata.mv_size += 2 * (sizeof(indx_t) + NODESIZE) + (dkey.mv_size & 1) + (data->mv_size & 1); } - fp->mp_upper = xdata.mv_size - PAGEBASE; + MP_UPPER(fp) = xdata.mv_size - PAGEBASE; olddata.mv_size = xdata.mv_size; /* pretend olddata is fp */ } else if (leaf->mn_flags & F_SUBDATA) { /* Data is on sub-DB, just store it */ @@ -6795,8 +6822,8 @@ } /* FALLTHRU */ /* Big enough MDB_DUPFIXED sub-page */ case MDB_CURRENT: - fp->mp_flags |= P_DIRTY; - COPY_PGNO(fp->mp_pgno, mp->mp_pgno); + MP_FLAGS(fp) |= P_DIRTY; + COPY_PGNO(MP_PGNO(fp), MP_PGNO(mp)); mc->mc_xcursor->mx_cursor.mc_pg[0] = fp; flags |= F_DUPDATA; goto put_sub; @@ -6804,7 +6831,7 @@ xdata.mv_size = olddata.mv_size + offset; } - fp_flags = fp->mp_flags; + fp_flags = MP_FLAGS(fp); if (NODESIZE + NODEKSZ(leaf) + xdata.mv_size > env->me_nodemax) { /* Too big for a sub-page, convert to sub-DB */ fp_flags &= ~P_SUBP; 
@@ -6834,16 +6861,16 @@ sub_root = mp; } if (mp != fp) { - mp->mp_flags = fp_flags | P_DIRTY; - mp->mp_pad = fp->mp_pad; - mp->mp_lower = fp->mp_lower; - mp->mp_upper = fp->mp_upper + offset; + MP_FLAGS(mp) = fp_flags | P_DIRTY; + MP_PAD(mp) = MP_PAD(fp); + MP_LOWER(mp) = MP_LOWER(fp); + MP_UPPER(mp) = MP_UPPER(fp) + offset; if (fp_flags & P_LEAF2) { memcpy(METADATA(mp), METADATA(fp), NUMKEYS(fp) * fp->mp_pad); } else { - memcpy((char *)mp + mp->mp_upper + PAGEBASE, (char *)fp + fp->mp_upper + PAGEBASE, - olddata.mv_size - fp->mp_upper - PAGEBASE); - memcpy((char *)(&mp->mp_ptrs), (char *)(&fp->mp_ptrs), NUMKEYS(fp) * sizeof(mp->mp_ptrs[0])); + memcpy((char *)mp + MP_UPPER(mp) + PAGEBASE, (char *)fp + MP_UPPER(fp) + PAGEBASE, + olddata.mv_size - MP_UPPER(fp) - PAGEBASE); + memcpy((char *)MP_PTRS(mp), (char *)MP_PTRS(fp), NUMKEYS(fp) * sizeof(mp->mp_ptrs[0])); for (i=0; imp_ptrs[i] += offset; } @@ -6908,7 +6935,7 @@ * Copy end of page, adjusting alignment so * compiler may copy words instead of bytes. */ - off = (PAGEHDRSZ + data->mv_size) & -sizeof(size_t); + off = (PAGEHDRSZ + data->mv_size) & -(int)sizeof(size_t); memcpy((size_t *)((char *)np + off), (size_t *)((char *)omp + off), sz - off); sz = PAGEHDRSZ; @@ -7291,7 +7318,7 @@ void *ndata; DKBUF; - mdb_cassert(mc, mp->mp_upper >= mp->mp_lower); + mdb_cassert(mc, MP_UPPER(mp) >= MP_LOWER(mp)); DPRINTF(("add to %s %spage %"Z"u index %i, data size %"Z"u key size %"Z"u [%s]", IS_LEAF(mp) ? "leaf" : "branch", @@ -7310,8 +7337,8 @@ memcpy(ptr, key->mv_data, ksize); /* Just using these for counting */ - mp->mp_lower += sizeof(indx_t); - mp->mp_upper -= ksize - sizeof(indx_t); + MP_LOWER(mp) += sizeof(indx_t); + MP_UPPER(mp) -= ksize - sizeof(indx_t); return MDB_SUCCESS; } 
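Review bot: Within this hunk the pad field is read in two different ways: `MP_PAD(mp) = MP_PAD(fp);` uses the new 2-byte-aligned accessor, but `NUMKEYS(fp) * fp->mp_pad` two lines later still goes through `MDB_page` directly. If `fp` can sit at a 2-byte-aligned address, which is presumably why the accessors were introduced, that read should be `MP_PAD(fp)` as well; if it cannot, a short comment should say why the mix is safe. The same half-conversion appears in the @@ -7482 hunk, where `COPY_PGNO(MP_PGNO(sp), mp->mp_pgno)` converts only the destination. The enclosing function starts outside the hunk.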
@@ -7348,14 +7375,14 @@ update: /* Move higher pointers up one slot. */ for (i = NUMKEYS(mp); i > indx; i--) - mp->mp_ptrs[i] = mp->mp_ptrs[i - 1]; + MP_PTRS(mp)[i] = MP_PTRS(mp)[i - 1]; /* Adjust free space offsets. */ - ofs = mp->mp_upper - node_size; - mdb_cassert(mc, ofs >= mp->mp_lower + sizeof(indx_t)); - mp->mp_ptrs[indx] = ofs; - mp->mp_upper = ofs; - mp->mp_lower += sizeof(indx_t); + ofs = MP_UPPER(mp) - node_size; + mdb_cassert(mc, ofs >= MP_LOWER(mp) + sizeof(indx_t)); + MP_PTRS(mp)[indx] = ofs; + MP_UPPER(mp) = ofs; + MP_LOWER(mp) += sizeof(indx_t); /* Write the node data. */ node = NODEPTR(mp, indx); @@ -7393,7 +7420,7 @@ full: DPRINTF(("not enough room in page %"Z"u, got %u ptrs", mdb_dbg_pgno(mp), NUMKEYS(mp))); - DPRINTF(("upper-lower = %u - %u = %"Z"d", mp->mp_upper,mp->mp_lower,room)); + DPRINTF(("upper-lower = %u - %u = %"Z"d", MP_UPPER(mp),MP_LOWER(mp),room)); DPRINTF(("node size = %"Z"u", node_size)); mc->mc_txn->mt_flags |= MDB_TXN_ERROR; return MDB_PAGE_FULL; @@ -7424,8 +7451,8 @@ base = LEAF2KEY(mp, indx, ksize); if (x) memmove(base, base + ksize, x * ksize); - mp->mp_lower -= sizeof(indx_t); - mp->mp_upper += ksize - sizeof(indx_t); + MP_LOWER(mp) -= sizeof(indx_t); + MP_UPPER(mp) += ksize - sizeof(indx_t); return; } @@ -7439,21 +7466,21 @@ } sz = EVEN(sz); - ptr = mp->mp_ptrs[indx]; + ptr = MP_PTRS(mp)[indx]; for (i = j = 0; i < numkeys; i++) { if (i != indx) { - mp->mp_ptrs[j] = mp->mp_ptrs[i]; - if (mp->mp_ptrs[i] < ptr) - mp->mp_ptrs[j] += sz; + MP_PTRS(mp)[j] = MP_PTRS(mp)[i]; + if (MP_PTRS(mp)[i] < ptr) + MP_PTRS(mp)[j] += sz; j++; } } - base = (char *)mp + mp->mp_upper + PAGEBASE; - memmove(base + sz, base, ptr - mp->mp_upper); + base = (char *)mp + MP_UPPER(mp) + PAGEBASE; + memmove(base + sz, base, ptr - MP_UPPER(mp)); - mp->mp_lower -= sizeof(indx_t); - mp->mp_upper += sz; + MP_LOWER(mp) -= sizeof(indx_t); + MP_UPPER(mp) += sz; } /** Compact the main page after deleting a node on a subpage. 
@@ -7482,11 +7509,11 @@ } else { xp = (MDB_page *)((char *)sp + delta); /* destination subpage */ for (i = NUMKEYS(sp); --i >= 0; ) - xp->mp_ptrs[i] = sp->mp_ptrs[i] - delta; + MP_PTRS(xp)[i] = MP_PTRS(sp)[i] - delta; len = PAGEHDRSZ; } - sp->mp_upper = sp->mp_lower; - COPY_PGNO(sp->mp_pgno, mp->mp_pgno); + MP_UPPER(sp) = MP_LOWER(sp); + COPY_PGNO(MP_PGNO(sp), mp->mp_pgno); SETDSZ(node, nsize); /* Shift upward */ @@ -7557,7 +7584,7 @@ mx->mx_db.md_leaf_pages = 1; mx->mx_db.md_overflow_pages = 0; mx->mx_db.md_entries = NUMKEYS(fp); - COPY_PGNO(mx->mx_db.md_root, fp->mp_pgno); + COPY_PGNO(mx->mx_db.md_root, MP_PGNO(fp)); mx->mx_cursor.mc_snum = 1; mx->mx_cursor.mc_top = 0; mx->mx_cursor.mc_flags = C_INITIALIZED|C_SUB; @@ -8729,9 +8756,13 @@ mc->mc_ki[mc->mc_top] = x; } } else { - int psize, nsize, k; + int psize, nsize, k, keythresh; + /* Maximum free space in an empty page */ pmax = env->me_psize - PAGEHDRSZ; + /* Threshold number of keys considered "small" */ + keythresh = env->me_psize >> 7; + if (IS_LEAF(mp)) nsize = mdb_leaf_size(env, newkey, newdata); else @@ -8772,7 +8803,7 @@ * the split so the new page is emptier than the old page. * This yields better packing during sequential inserts. */ - if (nkeys < 32 || nsize > pmax/16 || newindx >= nkeys) { + if (nkeys < keythresh || nsize > pmax/16 || newindx >= nkeys) { /* Find split point */ psize = 0; if (newindx <= split_indx || newindx >= nkeys) { diff -Nru openldap-2.5.13+dfsg/libraries/liblmdb/mdb_dump.c openldap-2.5.14+dfsg/libraries/liblmdb/mdb_dump.c --- openldap-2.5.13+dfsg/libraries/liblmdb/mdb_dump.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblmdb/mdb_dump.c 2023-02-08 18:49:18.000000000 +0000 
@@ -192,7 +192,7 @@ break; case 'l': list = 1; - /*FALLTHROUGH*/; + /*FALLTHROUGH*/ case 'a': if (subname) usage(prog); diff -Nru openldap-2.5.13+dfsg/libraries/liblunicode/ucdata/ucgendat.c openldap-2.5.14+dfsg/libraries/liblunicode/ucdata/ucgendat.c --- openldap-2.5.13+dfsg/libraries/liblunicode/ucdata/ucgendat.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblunicode/ucdata/ucgendat.c 2023-02-08 18:49:18.000000000 +0000 @@ -1655,7 +1655,7 @@ } #endif -#ifdef HARDCODE_DATA +#if HARDCODE_DATA fprintf(out, PREF "ac_uint4 _uckdcmp_size = %ld;\n\n", kdecomps_used * 2L); @@ -1753,7 +1753,7 @@ * Generate the combining class data. * *****************************************************************/ -#ifdef HARDCODE_DATA +#if HARDCODE_DATA fprintf(out, PREF "ac_uint4 _uccmcl_size = %ld;\n\n", (long) ccl_used); fprintf(out, PREF "ac_uint4 _uccmcl_nodes[] = {"); diff -Nru openldap-2.5.13+dfsg/libraries/liblunicode/ucstr.c openldap-2.5.14+dfsg/libraries/liblunicode/ucstr.c --- openldap-2.5.13+dfsg/libraries/liblunicode/ucstr.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblunicode/ucstr.c 2023-02-08 18:49:18.000000000 +0000 @@ -240,6 +240,17 @@ if ( approx ) { for ( j = 0; j < ucsoutlen; j++ ) { if ( ucsout[j] < 0x80 ) { + if ( outpos >= outsize ) { + outsize += ( ucsoutlen - j ) + 1; + outtmp = (char *) ber_memrealloc_x( out, outsize, ctx ); + if ( outtmp == NULL ) { + ber_memfree_x( ucsout, ctx ); + ber_memfree_x( ucs, ctx ); + ber_memfree_x( out, ctx ); + goto fail; + } + out = outtmp; + } out[outpos++] = ucsout[j]; } } diff -Nru openldap-2.5.13+dfsg/libraries/liblutil/base64.c openldap-2.5.14+dfsg/libraries/liblutil/base64.c --- openldap-2.5.13+dfsg/libraries/liblutil/base64.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblutil/base64.c 2023-02-08 18:49:18.000000000 +0000 
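Review bot: The bounds check added in ucstr.c grows `out` by `( ucsoutlen - j ) + 1` bytes, but no comment says what the extra byte is for. Presumably the `+ 1` reserves room for a terminator written after the loop, which is outside the hunk; a comment such as `/* room for the remaining ASCII chars plus the terminator */` would pin the invariant down. The failure path frees `ucsout`, `ucs` and `out` before `goto fail`, so it is worth confirming that the code at the `fail` label does not free any of them a second time.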
@@ -116,14 +116,14 @@ int lutil_b64_ntop( - u_char const *src, + unsigned char const *src, size_t srclength, char *target, size_t targsize) { size_t datalength = 0; - u_char input[3]; - u_char output[4]; + unsigned char input[3]; + unsigned char output[4]; size_t i; while (2 < srclength) { @@ -188,7 +188,7 @@ int lutil_b64_pton( char const *src, - u_char *target, + unsigned char *target, size_t targsize) { int tarindex, state, ch; diff -Nru openldap-2.5.13+dfsg/libraries/liblutil/sha1.c openldap-2.5.14+dfsg/libraries/liblutil/sha1.c --- openldap-2.5.13+dfsg/libraries/liblutil/sha1.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/libraries/liblutil/sha1.c 2023-02-08 18:49:18.000000000 +0000 @@ -156,7 +156,7 @@ uint32 len ) { - u_int i, j; + unsigned int i, j; j = context->count[0]; if ((context->count[0] += len << 3) < j) @@ -181,7 +181,7 @@ void lutil_SHA1Final( unsigned char *digest, lutil_SHA1_CTX *context ) { - u_int i; + unsigned int i; unsigned char finalcount[8]; for (i = 0; i < 8; i++) { diff -Nru openldap-2.5.13+dfsg/servers/lloadd/bind.c openldap-2.5.14+dfsg/servers/lloadd/bind.c --- openldap-2.5.13+dfsg/servers/lloadd/bind.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/bind.c 2023-02-08 18:49:18.000000000 +0000 @@ -406,7 +406,7 @@ Debug( LDAP_DEBUG_ANY, "request_bind: " "ber_alloc failed\n" ); - operation_unlink( op ); + OPERATION_UNLINK(op); CONNECTION_LOCK(client); goto fail; @@ -985,7 +985,7 @@ } done: - operation_unlink( op ); + OPERATION_UNLINK(op); ber_free( ber, 1 ); return rc; } diff -Nru openldap-2.5.13+dfsg/servers/lloadd/client.c openldap-2.5.14+dfsg/servers/lloadd/client.c --- openldap-2.5.13+dfsg/servers/lloadd/client.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/client.c 2023-02-08 18:49:18.000000000 +0000 
@@ -45,7 +45,7 @@ "connid=%lu msgid=%d invalid integer sent in abandon request\n", c->c_connid, op->o_client_msgid ); - operation_unlink( op ); + OPERATION_UNLINK(op); CONNECTION_LOCK_DESTROY(c); return -1; } @@ -81,7 +81,7 @@ operation_abandon( request ); done: - operation_unlink( op ); + OPERATION_UNLINK(op); return rc; } @@ -201,7 +201,7 @@ operation_send_reject( op, LDAP_OTHER, "internal error", 0 ); } - operation_unlink( op ); + OPERATION_UNLINK(op); if ( rc ) { CONNECTION_LOCK_DESTROY(client); } @@ -250,7 +250,7 @@ case LDAP_REQ_UNBIND: /* There is never a response for this operation */ op->o_res = LLOAD_OP_COMPLETED; - operation_unlink( op ); + OPERATION_UNLINK(op); Debug( LDAP_DEBUG_STATS, "handle_one_request: " "received unbind, closing client connid=%lu\n", diff -Nru openldap-2.5.13+dfsg/servers/lloadd/config.c openldap-2.5.14+dfsg/servers/lloadd/config.c --- openldap-2.5.13+dfsg/servers/lloadd/config.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/config.c 2023-02-08 18:49:18.000000000 +0000 @@ -613,7 +613,7 @@ &config_generic, "( OLcfgBkAt:13.26 " "NAME 'olcBkLloadIOTimeout' " - "DESC 'I/O timeout threshold in miliseconds' " + "DESC 'I/O timeout threshold in milliseconds' " "EQUALITY integerMatch " "SYNTAX OMsInteger " "SINGLE-VALUE )", diff -Nru openldap-2.5.13+dfsg/servers/lloadd/connection.c openldap-2.5.14+dfsg/servers/lloadd/connection.c --- openldap-2.5.13+dfsg/servers/lloadd/connection.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/connection.c 2023-02-08 18:49:18.000000000 +0000 @@ -545,7 +545,7 @@ } CONNECTION_UNLOCK(c); - operation_unlink( op ); + OPERATION_UNLINK(op); CONNECTION_LOCK(c); } while ( c->c_ops ); diff -Nru openldap-2.5.13+dfsg/servers/lloadd/daemon.c openldap-2.5.14+dfsg/servers/lloadd/daemon.c --- openldap-2.5.13+dfsg/servers/lloadd/daemon.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/daemon.c 2023-02-08 18:49:18.000000000 +0000 
@@ -946,7 +946,8 @@ static void * lload_listener_thread( void *ctx ) { - int rc = event_base_dispatch( listener_base ); + /* ITS#9984 Survive the listeners being paused if we run out of fds */ + int rc = event_base_loop( listener_base, EVLOOP_NO_EXIT_ON_EMPTY ); Debug( LDAP_DEBUG_ANY, "lload_listener_thread: " "event loop finished: rc=%d\n", rc ); diff -Nru openldap-2.5.13+dfsg/servers/lloadd/design.md openldap-2.5.14+dfsg/servers/lloadd/design.md --- openldap-2.5.13+dfsg/servers/lloadd/design.md 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/design.md 1970-01-01 00:00:00.000000000 +0000 
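Review bot: With `EVLOOP_NO_EXIT_ON_EMPTY`, `event_base_loop()` no longer returns when `listener_base` has no events left, so this thread ends only when something calls `event_base_loopexit()` or `event_base_loopbreak()` on that base. The shutdown path is outside this hunk; if it relied on the listeners being removed to end the loop, the thread would now never finish and anything joining it would block. I would extend the new comment to record this: `/* ITS#9984 Survive the listeners being paused if we run out of fds; the loop now ends only on an explicit loopexit/loopbreak */`. The body of `lload_listener_thread` continues past the hunk.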
@@ -1,282 +0,0 @@ -TODO: -- [ ] keep a global op in-flight counter? (might need locking) -- [-] scheduling (who does what, more than one select thread? How does the proxy - work get distributed between threads?) -- [ ] managing timeouts? -- [X] outline locking policy: seems like there might be a lock inversion in the - design looming: when working with op, might need a lock on both client and - upstream but depending on where we started, we might want to start with - locking one, then other -- [ ] how to deal with the balancer running out of fds? Especially when we hit - the limit, then lose an upstream connection and accept() a client, we - wouldn't be able to initiate a new one. A bit of a DoS... But probably not - a concern for Ericsson -- [ ] non-Linux? No idea how anything other than poll works (moot if building a - libevent/libuv-based load balancer since they take care of that, except - edge-triggered I/O?) -- [-] rootDSE? Controls and exops might have different semantics and need - binding to the same upstream connection. -- [ ] Just piggybacking on OpenLDAP as a module? Would still need some updates - in the core and the module/subsystem would be a very invasive one. On the - other hand, allows to expose live configuration and monitoring over LDAP - over the current slapd listeners without re-inventing the wheel. 
- - -Expecting to handle only LDAPv3 - -terms: - server - configured target - upstream - a single connection to a server - client - an incoming connection - -To maintain fairness `G( requested => ( F( progressed | failed ) ) )`, use -queues and put timeouts in - -Runtime organisation ------- -- main thread with its own event base handling signals -- one thread (later possibly more) listening on the rendezvous sockets, handing - the new sockets to worker threads -- n worker threads dealing with client and server I/O (dispatching actual work - to the thread pool most likely) -- a thread pool to handle actual work - -Operational behaviour ------- - -- client read -> upstream write: - - client read: - - if TLS_SETUP, keep processing, set state back when finished and note that - we're under TLS - - ber_get_next(), if we don't have a tag, finished (unless we have true - edge-triggered I/O, also put the fd back into the ones we're waiting for) - - peek at op tag: - - unbind: - - with a single lock, mark all pending ops in upstreams abandoned, clear - client link (would it be fast enough if we remove them from upstream - map instead?) - - locked per op: - - remove op from upstream map - - check upstream is not write-suspended, if it is ... - - try to write the abandon op to upstream, suspend upstream if not - fully sent - - remove op from client map (how if we're in avl_apply?, another pass?) 
- - would be nice if we could wipe the complete client map then, otherwise - we need to queue it to have it freed when all abandons get passed onto - the upstream (just dropping them might put extra strain on upstreams, - will probably have a queue on each client/upstream anyway, not just a - single Ber) - - bind: - - check mechanism is not EXTERNAL (or implement it) - - abandon existing ops (see unbind) - - set state to BINDING, put DN into authzid - - pick upstream, create PDU and sent - - abandon: - - find op, mark for abandon, send to appropriate upstream - - Exop: - - check not BINDING (unless it's a cancel?) - - check OID: - - STARTTLS: - - check we don't have TLS yet - - abandon all - - set state to TLS_SETUP - - send the hello - - VC(?): - - similar to bind except for the abandons/state change - - other: - - check not BINDING - - pick an upstream - - create a PDU, send (marking upstream suspended if not written in full) - - check if should read again (keep a counter of number of times to read - off a connection in a single pass so that we maintain fairness) - - if read enough requests and can still read, re-queue ourselves (if we - don't have true edge-triggered I/O, we can just register the fd again) - - upstream write (only when suspended): - - flush the current BER - - there shouldn't be anything else? 
-- upstream read -> client write: - - upstream read: - - ber_get_next(), if we don't have a tag, finished (unless we have true - edge-triggered I/O, also put the fd back into the ones we're waiting for) - - when we get it, peek at msgid, resolve client connection, lock, check: - - if unsolicited, handle as close (and mark connection closing) - - if op is abandoned or does not exist, drop PDU and op, update counters - - if client backlogged, suspend upstream, register callback to unsuspend - (on progress when writing to client or abandon from client (connection - death, abandon proper, ...)) - - reconstruct final PDU, write BER to client, if did not write fully, - suspend client - - if a final response, decrement operation counts on upstream and client - - check if should read again (keep a counter of number of responses to read - off a connection in a single pass so that we don't starve any?) - - client write ready (only checked for when suspended): - - write the rest of pending BER if any - - on successful write, pick all pending ops that need failure response, push - to client (are there any controls that need to be present in response even - in the case of failure?, what to do with them?) - - on successfully flushing them, walk through suspended upstreams, picking - the pending PDU (unsuspending the upstream) and writing, if PDU flushed - successfully, pick next upstream - - if we successfully flushed all suspended upstreams, unsuspend client - (and disable the write callback) -- upstream close/error: - - look up pending ops, try to write to clients, mark clients suspended that - have ops that need responses (another queue associated with client to speed - up?) 
- - schedule a new connection open -- client close/error: - - same as unbind -- client inactive (no pending ops and nothing happened in x seconds) - - might just send notice of disconnection and close -- op timeout handling: - - mark for abandon - - send abandon - - send timeLimitExceeded/adminLimitExceeded to client - -Picking an upstream: -- while there is a level available: - - pick a random ordering of upstreams based on weights - - while there is an upstream in the level: - - check number of ops in-flight (this is where we lock the upstream map) - - find the least busy connection (and check if a new connection should be - opened) - - try to lock for socket write, if available (no BER queued) we have our - upstream - -PDU processing: -- request (have an upstream selected): - - get new msgid from upstream - - create an Op structure (actually, with the need for freelist lock, we can - make it a cache for freed operation structures, avoiding some malloc - traffic, to reset, we need slap_sl_mem_create( ,,, 1 )) - - check proxyauthz is not present? or just let upstream reject it if there are - two? - - add own controls at the end: - - construct proxyauthz from authzid - - construct session tracking from remote IP, own name, authzid - - send over - - insert Op into client and upstream maps -- response/intermediate/entry: - - look up Op in upstream's map - - write old msgid, rest of the response can go unchanged - - if a response, remove Op from all maps (client and upstream) - -Managing upstreams: -- async connect up to min_connections (is there a point in having a connection - count range if we can't use it when needed since all of the below is async?) 
-- when connected, set up TLS (if requested) -- when done, send a bind -- go for the bind interaction -- when done, add it to the upstream's connection list -- (if a connection is suspended or connections are over 75 % op limit, schedule - creating a new connection setup unless connection limit has been hit) - -Managing timeouts: -- two options: - - maintain a separate locked priority queue to give a perfect ordering to when - each operation is to time out, would need to maintain yet another place - where operations can be found. - - the locking protocol for disposing of the operation would need to be - adjusted and might become even more complicated, might do the alternative - initially and then attempt this if it helps performance - - just do a sweep over all clients (that mutex is less contended) every so - often. With many in-flight operations might be a lot of wasted work. - - we still need to sweep over all clients to check if they should be killed - anyway - -Dispatcher thread (2^n of them, fd x is handled by thread no x % (2^n)): -- poll on all registered fds -- remove each fd that's ready from the registered list and schedule the work -- work threads can put their fd back in if they deem necessary (=not suspended) -- this works as a poor man's edge-triggered polling, with enough workers, should - we do proper edge triggered I/O? What about non-Linux? - -Listener thread: -- slapd has just one, which then reassigns the sockets to separate I/O - threads - -Threading: -- if using slap_sl_malloc, how much perf do we gain? To allocate a context per - op, we should have a dedicated parent context so that when we free it, we can - use that exclusively. The parent context's parent would be the main thread's - context. This implies a lot of slap_sl_mem_setctx/slap_sl_mem_create( ,,, 0 ) - and making sure an op does not allocate/free things from two threads at the - same time (might need an Op mutex after all? 
Not such a huge cost if we - routinely reuse Op structures) - -Locking policy: -- read mutexes are unnecessary, we only have one thread receiving data from the - connection - the one started from the dispatcher -- two reference counters of operation structures (an op is accessible from - client and upstream map, each counter is consistent when thread has a lock on - corresponding map), when decreasing the counter to zero, start freeing - procedure -- place to mark disposal finished for each side, consistency enforced by holding - the freelist lock when reading/manipulating -- when op is created, we already have a write lock on upstream socket and map, - start writing, insert to upstream map with upstream refcount 1, unlock, lock - client, insert (client refcount 0), unlock, lock upstream, decrement refcount - (triggers a test if we need to drop it now), unlock upstream, done -- when upstream processes a PDU, locks its map, increments counter, (potentially - removes if it's a response), unlocks, locks client's map, write mutex (this - order?) 
and full client mutex (if a bind response) -- when client side wants to work with a PDU (abandon, (un)bind), locks its map, - increase refcount, unlocks, locks upstream map, write mutex, sends or queues - abandon, unlocks write mutex, initiates freeing procedure from upstream side - (or if having to remember we've already increased client-side refcount, mark - for deletion, lose upstream lock, lock client, decref, either triggering - deletion from client or mark for it) -- if we have operation lock, we can simplify a bit (no need for three-stage - locking above) - -Shutdown: -- stop accept() thread(s) - potentially add a channel to hand these listening - sockets over for zero-downtime restart -- if very gentle, mark connections as closing, start timeout and: - - when a new non-abandon PDU comes in from client - return LDAP_UNAVAILABLE - - when receiving a PDU from upstream, send over to client, if no ops pending, - send unsolicited response and close (RFC4511 suggests unsolicited response - is the last PDU coming from the upstream and libldap agrees, so we can't - send it for a socket we want to shut down more gracefully) -- gentle (or very gentle timed out): - - set timeout - - mark all ops as abandoned - - send unbind to all upstreams - - send unsolicited to all clients -- imminent (or gentle timed out): - - async close all connections? - - exit() - -RootDSE: -- default option is not to care and if a control/exop has special restrictions, - it is the admin's job to flag it as such in the load-balancer's config -- another is not to care about the search request but check each search entry - being passed back, check DN and if it's a rootDSE, filter the list of - controls/exops/sasl mechs (external!) 
that are supported -- last one is to check all search requests for the DN/scope and synthesise the - response locally - probably not (would need to configure the complete list of - controls, exops, sasl mechs, naming contexts in the balancer) - -Potential red flags: -- we suspend upstreams, if we ever suspend clients we need to be sure we can't - create dependency cycles - - is this an issue when only suspending the read side of each? Because even if - we stop reading from everything, we should eventually flush data to those we - can still talk to, as upstreams are flushed, we can start sending new - requests from live clients (those that are suspended are due to their own - inability to accept data) - - we might need to suspend a client if there is a reason to choose a - particular upstream (multi-request operation - bind, VC, PR, TXN, ...) - - a SASL bind, but that means there are no outstanding ops to receive - it holds that !suspended(client) \or !suspended(upstream), so they - cannot participate in a cycle - - VC - multiple binds at the same time - !!! more analysis needed - - PR - should only be able to have one per connection (that's a problem - for later, maybe even needs a dedicated upstream connection) - - TXN - ??? probably same situation as PR - - or if we have a queue for pending Bers on the server, we not need to suspend - clients, upstream is only chosen if the queue is free or there is a reason - to send it to that particular upstream (multi-stage bind/VC, PR, ...), but - that still makes it possible for a client to exhaust all our memory by - sending requests (VC or other ones bound to a slow upstream or by not - reading the responses at all) diff -Nru openldap-2.5.13+dfsg/servers/lloadd/epoch.c openldap-2.5.14+dfsg/servers/lloadd/epoch.c --- openldap-2.5.13+dfsg/servers/lloadd/epoch.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/epoch.c 2023-02-08 18:49:18.000000000 +0000 
@@ -181,67 +181,42 @@ * Anything could happen between the subtract and the lock being acquired * above, so check again. But once we hold this lock (and confirm no more * threads still observe either prospective epoch), noone will be able to - * finish epoch_join until we've released epoch_mutex since it holds that: + * finish epoch_join until we've released epoch_mutex since we *first* make + * sure it holds that: * * epoch_threads[EPOCH_PREV(current_epoch)] == 0 * * and that leads epoch_join() to acquire a write lock on &epoch_mutex. */ - if ( __atomic_load_n( &epoch_threads[epoch], __ATOMIC_RELAXED ) ) { - /* Epoch counter has run full circle */ + if ( epoch != current_epoch && epoch != EPOCH_PREV(current_epoch) ) { + /* Epoch counter has run away from us, no need to do anything */ + ldap_pvt_thread_rdwr_runlock( &epoch_mutex ); + return; + } + if ( __atomic_load_n( + &epoch_threads[EPOCH_PREV(current_epoch)], + __ATOMIC_ACQUIRE ) ) { + /* There is another thread still running */ + ldap_pvt_thread_rdwr_runlock( &epoch_mutex ); + return; + } + if ( __atomic_load_n( &epoch_threads[current_epoch], __ATOMIC_ACQUIRE ) ) { + /* There is another thread still running */ ldap_pvt_thread_rdwr_runlock( &epoch_mutex ); return; - } else if ( epoch == current_epoch ) { - if ( __atomic_load_n( - &epoch_threads[EPOCH_PREV(epoch)], __ATOMIC_RELAXED ) ) { - /* There is another (older) thread still running */ - ldap_pvt_thread_rdwr_runlock( &epoch_mutex ); - return; - } - - /* We're all alone, it's safe to claim all references and free them. 
*/ - __atomic_exchange( &references[EPOCH_PREV(epoch)], &old_refs, - &old_refs, __ATOMIC_ACQ_REL ); - __atomic_exchange( &references[epoch], ¤t_refs, ¤t_refs, - __ATOMIC_ACQ_REL ); - } else if ( epoch == EPOCH_PREV(current_epoch) ) { - if ( __atomic_load_n( - &epoch_threads[EPOCH_NEXT(epoch)], __ATOMIC_RELAXED ) ) { - /* There is another (newer) thread still running */ - ldap_pvt_thread_rdwr_runlock( &epoch_mutex ); - return; - } - - /* We're all alone, it's safe to claim all references and free them. */ - __atomic_exchange( - &references[epoch], &old_refs, &old_refs, __ATOMIC_ACQ_REL ); - __atomic_exchange( &references[EPOCH_NEXT(epoch)], ¤t_refs, - ¤t_refs, __ATOMIC_ACQ_REL ); } - /* - * Else the current_epoch has moved far enough that no references remain to - * be freed. - */ - ldap_pvt_thread_rdwr_runlock( &epoch_mutex ); /* - * Trigger a memory-independent read fence to make sure we're reading the - * state after all threads actually finished - which might have happened - * after we acquired epoch_mutex so ldap_pvt_thread_rdwr_rlock would not - * catch everything. - * - * TODO is to confirm the below: - * It might be that the tests and exchanges above only enforce a fence for - * the locations affected, so we could still read stale memory for - * unrelated locations? At least that's the only explanation I've been able - * to establish for repeated crashes that seem to have gone away with this - * in place. - * - * But then that's contrary to the second example in Acquire/Release - * section here: - * https://gcc.gnu.org/wiki/Atomic/GCCMM/AtomicSync + * We're all alone (apart from anyone who reached epoch_leave() at the same + * time), it's safe to claim all references and free them. 
*/ - __atomic_thread_fence( __ATOMIC_ACQUIRE ); + __atomic_exchange( + &references[EPOCH_PREV(current_epoch)], &old_refs, &old_refs, + __ATOMIC_ACQ_REL ); + __atomic_exchange( + &references[current_epoch], ¤t_refs, ¤t_refs, + __ATOMIC_ACQ_REL ); + ldap_pvt_thread_rdwr_runlock( &epoch_mutex ); for ( p = old_refs; p; p = next ) { next = p->next; @@ -314,7 +289,11 @@ } int -try_release_ref( uintptr_t *refp, void *object, dispose_cb *cb ) +try_release_ref( + uintptr_t *refp, + void *object, + dispose_cb *unlink_cb, + dispose_cb *destroy_cb ) { uintptr_t refcnt, new_refcnt; @@ -332,7 +311,10 @@ assert( new_refcnt == refcnt - 1 ); if ( !new_refcnt ) { - epoch_append( object, cb ); + if ( unlink_cb ) { + unlink_cb( object ); + } + epoch_append( object, destroy_cb ); } return refcnt; diff -Nru openldap-2.5.13+dfsg/servers/lloadd/epoch.h openldap-2.5.14+dfsg/servers/lloadd/epoch.h --- openldap-2.5.13+dfsg/servers/lloadd/epoch.h 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/epoch.h 2023-02-08 18:49:18.000000000 +0000 @@ -108,7 +108,11 @@ * @return 0 if reference was already zero, non-zero if reference * count was non-zero at the time of call */ -int try_release_ref( uintptr_t *refp, void *object, dispose_cb *cb ); +int try_release_ref( + uintptr_t *refp, + void *object, + dispose_cb *unlink_cb, + dispose_cb *destroy_cb ); /** @brief Read reference count * diff -Nru openldap-2.5.13+dfsg/servers/lloadd/extended.c openldap-2.5.14+dfsg/servers/lloadd/extended.c --- openldap-2.5.13+dfsg/servers/lloadd/extended.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/extended.c 2023-02-08 18:49:18.000000000 +0000 @@ -90,7 +90,7 @@ output = c->c_pendingber; if ( output == NULL && (output = ber_alloc()) == NULL ) { checked_unlock( &c->c_io_mutex ); - operation_unlink( op ); + OPERATION_UNLINK(op); CONNECTION_LOCK_DESTROY(c); return -1; } 
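Review bot: The two added `epoch_threads` checks in the `@@ -181,67 +181,42 @@` hunk carry the same comment, `/* There is another thread still running */`, which drops the older/newer distinction the removed code made and hides that their order matters. The block comment above says the previous-epoch counter is checked *first* so that `epoch_join()` has to take the write lock, and a later edit that swaps or merges the two tests would quietly break that. I would label them `/* A thread from the previous epoch is still running */` and `/* A thread in the current epoch is still running; must be tested after the previous epoch */`. The three early exits also repeat the same unlock-and-return pair and could share one exit. The function starts and ends outside this hunk.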
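Review bot: `try_release_ref()` now takes two callbacks with different timing, and neither the visible part of its comment in epoch.h (hunk `@@ -108,7 +108,11 @@`) nor anything above the definition says which is which. In the `@@ -332,7 +311,10 @@` hunk, `unlink_cb` runs immediately in the calling thread when the count reaches zero, while `destroy_cb` is handed to `epoch_append()` and presumably runs later, so `unlink_cb` must be safe under whatever locks the caller holds at that point. The `@param` lines sit above the epoch.h hunk and are not shown; if they still describe a single `cb`, they need updating, e.g. `@param unlink_cb optional, called synchronously when the count drops to zero` and `@param destroy_cb passed to epoch_append() for deferred disposal`.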
@@ -115,7 +115,7 @@ op->o_res = LLOAD_OP_COMPLETED; CONNECTION_UNLOCK(c); - operation_unlink( op ); + OPERATION_UNLINK(op); return -1; #endif /* HAVE_TLS */ diff -Nru openldap-2.5.13+dfsg/servers/lloadd/lload.h openldap-2.5.14+dfsg/servers/lloadd/lload.h --- openldap-2.5.13+dfsg/servers/lloadd/lload.h 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/lload.h 2023-02-08 18:49:18.000000000 +0000 @@ -337,8 +337,8 @@ #define CONNECTION_UNLINK_(c) \ do { \ if ( __atomic_exchange_n( &(c)->c_live, 0, __ATOMIC_ACQ_REL ) ) { \ - RELEASE_REF( (c), c_refcnt, c->c_destroy ); \ (c)->c_unlink( (c) ); \ + RELEASE_REF( (c), c_refcnt, c->c_destroy ); \ } \ } while (0) #define CONNECTION_DESTROY(c) \ @@ -431,11 +431,15 @@ /* * Operation reference tracking: * - o_refcnt is set to 1, never incremented - * - operation_unlink sets it to 0 and on transition from 1 clears both + * - OPERATION_UNLINK sets it to 0 and on transition from 1 clears both * connection links (o_client, o_upstream) */ struct LloadOperation { uintptr_t o_refcnt; +#define OPERATION_UNLINK(op) \ + try_release_ref( &(op)->o_refcnt, (op), \ + (dispose_cb *)operation_unlink, \ + (dispose_cb *)operation_destroy ) LloadConnection *o_client; unsigned long o_client_connid; diff -Nru openldap-2.5.13+dfsg/servers/lloadd/Makefile.in openldap-2.5.14+dfsg/servers/lloadd/Makefile.in --- openldap-2.5.13+dfsg/servers/lloadd/Makefile.in 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/Makefile.in 2023-02-08 18:49:18.000000000 +0000 
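Review bot: In the moved line `RELEASE_REF( (c), c_refcnt, c->c_destroy );` of `CONNECTION_UNLINK_` (lload.h, `@@ -337,8 +337,8 @@`) the macro argument is used unparenthesised, unlike every other use of `(c)` in the macro. Since the line is being touched anyway, it should read `RELEASE_REF( (c), c_refcnt, (c)->c_destroy ); \`. The reorder makes `c_unlink` run before the reference is dropped, which deserves a one-line comment such as `/* unlink first, while our reference is still held */` so that nobody swaps the two calls back.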
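Review bot: `OPERATION_UNLINK` (lload.h, `@@ -431,11 +431,15 @@`) passes `operation_unlink` and `operation_destroy` through `(dispose_cb *)` casts, and `try_release_ref()` then calls `unlink_cb( object )` through that type. If either function's real signature differs from `dispose_cb`, calling it through the cast pointer is undefined behaviour in C even where it happens to work; the operation.c hunk shows `operation_unlink` with an `int result`, so it likely returns `int` and takes a `LloadOperation *`. Small wrappers with the exact `dispose_cb` signature would remove both casts. The macro is also defined in the middle of `struct LloadOperation`; placing it after the struct, next to the prototypes it relies on, would be easier to find.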
@@ -16,14 +16,17 @@ XSRCS = version.c -NT_SRCS = nt_svc.c -NT_OBJS = nt_svc.o ../../libraries/liblutil/slapdmsg.res SRCS = backend.c bind.c config.c connection.c client.c \ daemon.c epoch.c extended.c init.c operation.c \ upstream.c libevent_support.c \ $(@PLAT@_SRCS) +O = o + +OBJS = backend.$O bind.$O config.$O connection.$O client.$O \ + daemon.$O epoch.$O extended.$O init.$O operation.$O \ + upstream.$O libevent_support.$O LDAP_INCDIR= ../../include -I$(srcdir) -I$(srcdir)/../slapd LDAP_LIBDIR= ../../libraries @@ -43,6 +46,3 @@ LLOADD_DEPENDS = $(@PLAT@_DEPENDS) LLOADD_OBJECTS = $(@PLAT@_OBJECTS) -include @BALANCER_INCLUDE@ - - diff -Nru openldap-2.5.13+dfsg/servers/lloadd/Makefile_module.in openldap-2.5.14+dfsg/servers/lloadd/Makefile_module.in --- openldap-2.5.13+dfsg/servers/lloadd/Makefile_module.in 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/Makefile_module.in 2023-02-08 18:49:18.000000000 +0000 @@ -1,4 +1,4 @@ -# Makefile.in for Load Balancer +# Makefile.in for Load Balancer module # $OpenLDAP$ ## This work is part of OpenLDAP Software . ## 
@@ -13,33 +13,16 @@ ## top-level directory of the distribution or, alternatively, at ## . - -XSRCS = version.c - -NT_SRCS = ../slapd/nt_svc.c -NT_OBJS = ../slapd/nt_svc.o ../../libraries/liblutil/slapdmsg.res +O = lo SRCS += module_init.c monitor.c -OBJS = $(patsubst %.c,%.lo,$(SRCS)) $(@PLAT@_OBJS) +OBJS += module_init.lo monitor.lo BUILD_OPT = "--enable-balancer=mod" BUILD_MOD = @BUILD_BALANCER@ LIBBASE=lloadd -# $(LTHREAD_LIBS) must be last! -XLIBS = $(LLOADD_L) -XXLIBS = $(LLOADD_LIBS) $(SECURITY_LIBS) $(LUTIL_LIBS) -XXXLIBS = $(LTHREAD_LIBS) - -NT_DEPENDS = slapd.exp -NT_OBJECTS = slapd.exp symdummy.o $(LLOADD_OBJS) version.o - -UNIX_DEPENDS = version.o $(LLOADD_L) -UNIX_OBJECTS = $(OBJS) version.o - -LLOADD_DEPENDS = $(@PLAT@_DEPENDS) -LLOADD_OBJECTS = $(@PLAT@_OBJECTS) LINK_LIBS=$(LLOADD_LIBS) MOD_DEFS = -DSLAPD_IMPORT -DBALANCER_MODULE diff -Nru openldap-2.5.13+dfsg/servers/lloadd/Makefile_server.in openldap-2.5.14+dfsg/servers/lloadd/Makefile_server.in --- openldap-2.5.13+dfsg/servers/lloadd/Makefile_server.in 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/Makefile_server.in 2023-02-08 18:49:18.000000000 +0000 @@ -1,4 +1,4 @@ -# Makefile.in for Load Balancer +# Makefile.in for standalone Load Balancer # $OpenLDAP$ ## This work is part of OpenLDAP Software . ## 
@@ -16,35 +16,23 @@ PROGRAMS = lloadd XPROGRAMS = slloadd -XSRCS = version.c - NT_SRCS = ../slapd/nt_svc.c NT_OBJS = ../slapd/nt_svc.o ../../libraries/liblutil/slapdmsg.res SRCS += main.c value.c \ ../slapd/ch_malloc.c ../slapd/proxyp.c ../slapd/sl_malloc.c ../slapd/user.c -OBJS = $(patsubst %.c,%.o,$(SRCS)) $(@PLAT@_OBJS) +OBJS += main.o value.o \ + ../slapd/ch_malloc.o ../slapd/proxyp.o \ + ../slapd/sl_malloc.o ../slapd/user.o \ + $(@PLAT@_OBJS) BUILD_OPT = "--enable-balancer" BUILD_SRV = @BUILD_BALANCER@ all-local-srv: $(PROGRAMS) all-cffiles -# $(LTHREAD_LIBS) must be last! -XLIBS = $(LLOADD_L) -XXLIBS = $(LLOADD_LIBS) $(SECURITY_LIBS) $(LUTIL_LIBS) $(SYSTEMD_LIBS) -XXXLIBS = $(LTHREAD_LIBS) - -NT_DEPENDS = slapd.exp -NT_OBJECTS = slapd.exp symdummy.o $(LLOADD_OBJS) version.o - -UNIX_DEPENDS = version.o $(LLOADD_L) -UNIX_OBJECTS = $(OBJS) version.o - -LLOADD_DEPENDS = $(@PLAT@_DEPENDS) -LLOADD_OBJECTS = $(@PLAT@_OBJECTS) - +XXLIBS += $(SYSTEMD_LIBS) lloadd: $(LLOADD_DEPENDS) version.o $(LTLINK) -o $@ $(OBJS) version.o $(LIBS) diff -Nru openldap-2.5.13+dfsg/servers/lloadd/nt_svc.c openldap-2.5.14+dfsg/servers/lloadd/nt_svc.c --- openldap-2.5.13+dfsg/servers/lloadd/nt_svc.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/nt_svc.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,110 +0,0 @@ -/* $OpenLDAP$ */ -/* This work is part of OpenLDAP Software . - * - * Copyright 1998-2022 The OpenLDAP Foundation. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted only as authorized by the OpenLDAP - * Public License. - * - * A copy of this license is available in the file LICENSE in the - * top-level directory of the distribution or, alternatively, at - * . - */ - -#include "portable.h" -#include -#include -#include "slap.h" -#include "lutil.h" - -#ifdef HAVE_NT_SERVICE_MANAGER - -/* in main.c */ -void WINAPI ServiceMain( DWORD argc, LPTSTR *argv ); - -/* in ntservice.c */ -int main( int argc, LPTSTR *argv ) -{ - int length; - char filename[MAX_PATH], *fname_start; - - /* - * Because the service was registered as SERVICE_WIN32_OWN_PROCESS, - * the lpServiceName element of the SERVICE_TABLE_ENTRY will be - * ignored. - */ - - SERVICE_TABLE_ENTRY DispatchTable[] = { - { "", (LPSERVICE_MAIN_FUNCTION) ServiceMain }, - { NULL, NULL } - }; - - /* - * set the service's current directory to the installation directory - * for the service. 
this way we don't have to write absolute paths - * in the configuration files - */ - GetModuleFileName( NULL, filename, sizeof( filename ) ); - fname_start = strrchr( filename, *LDAP_DIRSEP ); - - if ( argc > 1 ) { - if ( _stricmp( "install", argv[1] ) == 0 ) - { - char *svcName = SERVICE_NAME; - char *displayName = "OpenLDAP Directory Service"; - BOOL auto_start = FALSE; - - if ( (argc > 2) && (argv[2] != NULL) ) - svcName = argv[2]; - - if ( argc > 3 && argv[3]) - displayName = argv[3]; - - if ( argc > 4 && stricmp(argv[4], "auto") == 0) - auto_start = TRUE; - - strcat(filename, " service"); - if ( !lutil_srv_install(svcName, displayName, filename, auto_start) ) - { - fputs( "service failed installation ...\n", stderr ); - return EXIT_FAILURE; - } - fputs( "service has been installed ...\n", stderr ); - return EXIT_SUCCESS; - } - - if ( _stricmp( "remove", argv[1] ) == 0 ) - { - char *svcName = SERVICE_NAME; - if ( (argc > 2) && (argv[2] != NULL) ) - svcName = argv[2]; - if ( !lutil_srv_remove(svcName, filename) ) - { - fputs( "failed to remove the service ...\n", stderr ); - return EXIT_FAILURE; - } - fputs( "service has been removed ...\n", stderr ); - return EXIT_SUCCESS; - } - if ( _stricmp( "service", argv[1] ) == 0 ) - { - is_NT_Service = 1; - *fname_start = '\0'; - SetCurrentDirectory( filename ); - } - } - - if (is_NT_Service) - { - StartServiceCtrlDispatcher(DispatchTable); - } else - { - ServiceMain( argc, argv ); - } - - return EXIT_SUCCESS; -} - -#endif diff -Nru openldap-2.5.13+dfsg/servers/lloadd/operation.c openldap-2.5.14+dfsg/servers/lloadd/operation.c --- openldap-2.5.13+dfsg/servers/lloadd/operation.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/operation.c 2023-02-08 18:49:18.000000000 +0000 
@@ -223,12 +223,7 @@ uintptr_t prev_refcnt; int result = 0; - if ( !( prev_refcnt = try_release_ref( - &op->o_refcnt, op, (dispose_cb *)operation_destroy ) ) ) { - return result; - } - - assert( prev_refcnt == 1 ); + assert( op->o_refcnt == 0 ); Debug( LDAP_DEBUG_TRACE, "operation_unlink: " "unlinking operation between client connid=%lu and upstream " @@ -432,7 +427,7 @@ } done: - operation_unlink( op ); + OPERATION_UNLINK(op); } void @@ -499,7 +494,7 @@ connection_write_cb( -1, 0, c ); done: - operation_unlink( op ); + OPERATION_UNLINK(op); } /* @@ -592,7 +587,7 @@ if ( upstream->c_type != LLOAD_C_BIND && rc == LDAP_SUCCESS ) { rc = operation_send_abandon( op, upstream ); } - operation_unlink( op ); + OPERATION_UNLINK(op); } if ( rc == LDAP_SUCCESS ) { diff -Nru openldap-2.5.13+dfsg/servers/lloadd/upstream.c openldap-2.5.14+dfsg/servers/lloadd/upstream.c --- openldap-2.5.13+dfsg/servers/lloadd/upstream.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/lloadd/upstream.c 2023-02-08 18:49:18.000000000 +0000 @@ -108,7 +108,7 @@ op->o_res = LLOAD_OP_COMPLETED; if ( !op->o_pin_id ) { - operation_unlink( op ); + OPERATION_UNLINK(op); } return rc; diff -Nru openldap-2.5.13+dfsg/servers/slapd/add.c openldap-2.5.14+dfsg/servers/slapd/add.c --- openldap-2.5.13+dfsg/servers/slapd/add.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/add.c 2023-02-08 18:49:18.000000000 +0000 @@ -198,7 +198,6 @@ return rc; } - LDAP_SLIST_REMOVE(&op->o_extra, &oex->oe, OpExtra, oe_next); if ( rc == LDAP_TXN_SPECIFY_OKAY ) { /* skip cleanup */ return rc; @@ -214,6 +213,7 @@ op->o_bd = bd; } } + LDAP_SLIST_REMOVE(&op->o_extra, &oex->oe, OpExtra, oe_next); op->o_tmpfree( oex, op->o_tmpmemctx ); done:; diff -Nru openldap-2.5.13+dfsg/servers/slapd/at.c openldap-2.5.14+dfsg/servers/slapd/at.c --- openldap-2.5.13+dfsg/servers/slapd/at.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/at.c 2023-02-08 18:49:18.000000000 +0000 
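Review bot: After the `@@ -223,12 +223,7 @@` hunk `prev_refcnt` is still declared, but its only visible uses were in the removed lines, so `uintptr_t prev_refcnt;` looks dead and should go unless it is used further down, outside the hunk. The new `assert( op->o_refcnt == 0 );` is the only thing tying `operation_unlink()` to its new contract. The function must now be reached through `OPERATION_UNLINK`, and a direct call on a live operation would be caught only in builds with assertions enabled. A comment above the function would make that explicit, e.g. `/* Only call via OPERATION_UNLINK(): expects o_refcnt to have dropped to 0 already */`.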
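Review bot: In add.c the `LDAP_TXN_SPECIFY_OKAY` return now leaves `oex` linked on `op->o_extra`, because `LDAP_SLIST_REMOVE` moved from the `@@ -198,7 +198,6 @@` hunk down to just before `op->o_tmpfree( oex, ... )` in `@@ -214,6 +213,7 @@`. The existing `/* skip cleanup */` comment does not say that this is intended or who unlinks and frees `oex` later. I would expand it to `/* skip cleanup: oex deliberately stays on op->o_extra */` and name the code that releases it. The enclosing function is only partly visible in both hunks.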
@@ -274,6 +274,17 @@ } } + if ( a->sat_ordering ) { + MatchingRule *mr; + + mr = mr_find( a->sat_ordering->smr_oid ); + assert( mr != NULL ); + if ( mr != a->sat_ordering ) { + ch_free( a->sat_ordering ); + a->sat_ordering = NULL; + } + } + assert( a->sat_syntax != NULL ); if ( a->sat_syntax != NULL ) { Syntax *syn; diff -Nru openldap-2.5.13+dfsg/servers/slapd/ava.c openldap-2.5.14+dfsg/servers/slapd/ava.c --- openldap-2.5.13+dfsg/servers/slapd/ava.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/ava.c 2023-02-08 18:49:18.000000000 +0000 @@ -53,6 +53,22 @@ if ( freeit ) op->o_tmpfree( (char *) ava, op->o_tmpmemctx ); } +AttributeAssertion * +ava_dup( + AttributeAssertion *ava, + void *memctx ) +{ + BerMemoryFunctions *mf = &slap_sl_mfuncs; + AttributeAssertion *nava; + + nava = mf->bmf_malloc( sizeof(AttributeAssertion), memctx ); + *nava = *ava; + if ( ava->aa_desc->ad_flags & SLAP_DESC_TEMPORARY ) + nava->aa_desc = slap_bv2tmp_ad( &ava->aa_desc->ad_cname, memctx ); + ber_dupbv_x( &nava->aa_value, &ava->aa_value, memctx ); + return nava; +} + int get_ava( Operation *op, diff -Nru openldap-2.5.13+dfsg/servers/slapd/backend.c openldap-2.5.14+dfsg/servers/slapd/backend.c --- openldap-2.5.13+dfsg/servers/slapd/backend.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/backend.c 2023-02-08 18:49:18.000000000 +0000 @@ -1593,7 +1593,7 @@ if ( rc2 != 0 ) { /* give up... */ rc = (rc2 == LDAP_NO_SUCH_OBJECT) ? rc2 : LDAP_OTHER; - goto loopit; + goto nouser; } } @@ -1602,6 +1602,7 @@ { rc = 0; } +nouser: filter_free_x( op, filter, 1 ); } loopit: diff -Nru openldap-2.5.13+dfsg/servers/slapd/back-mdb/back-mdb.h openldap-2.5.14+dfsg/servers/slapd/back-mdb/back-mdb.h --- openldap-2.5.13+dfsg/servers/slapd/back-mdb/back-mdb.h 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/back-mdb/back-mdb.h 2023-02-08 18:49:18.000000000 +0000 
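Review bot: The added block in at.c frees `a->sat_ordering` whenever it differs from the rule registered under the same OID, but nothing says why an attribute type would hold a private copy. The accesslog change in this same diff installs `ch_malloc`'d copies of the ordering rule on reqStart/reqEnd, which appears to be the case being cleaned up. A comment such as `/* an overlay may have swapped in a heap-allocated copy of the ordering rule; free it if it is not the registered one */` would make the ownership explicit. With NDEBUG the `assert( mr != NULL )` vanishes and a failed lookup also takes the `ch_free` branch, so the free relies on `sat_ordering` being heap-allocated whenever the lookup does not return it. The enclosing function starts and ends outside the hunk.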
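Review bot: ava_dup() is added without a header comment, and its ownership rules are not obvious from the signature. It always allocates through `slap_sl_mfuncs` with the caller's `memctx`, copies the struct shallowly, and re-duplicates only `aa_value` and, for `SLAP_DESC_TEMPORARY` descriptions, `aa_desc`. I would document that above the function, e.g. `/* Duplicate ava into memctx; the copy owns aa_value (and aa_desc when temporary), all other members are shared with the original */`. The result of `bmf_malloc` is written through by `*nava = *ava;` without a check; if that allocator can return NULL rather than abort (not visible here), `if ( nava == NULL ) return NULL;` is needed before the copy.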
@@ -41,7 +41,7 @@ /* The minimum we can function with */ #define MINIMUM_SEARCH_STACK_DEPTH 8 -#define MDB_INDICES 128 +#define MDB_INDICES 256 #define MDB_MAXADS 65536 diff -Nru openldap-2.5.13+dfsg/servers/slapd/back-mdb/filterindex.c openldap-2.5.14+dfsg/servers/slapd/back-mdb/filterindex.c --- openldap-2.5.13+dfsg/servers/slapd/back-mdb/filterindex.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/back-mdb/filterindex.c 2023-02-08 18:49:18.000000000 +0000 @@ -678,7 +678,7 @@ rc = 0; } else if( rc != LDAP_SUCCESS ) { Debug( LDAP_DEBUG_TRACE, - "<= mdb_presense_candidates: (%s) " + "<= mdb_presence_candidates: (%s) " "key read failed (%d)\n", desc->ad_cname.bv_val, rc ); goto done; diff -Nru openldap-2.5.13+dfsg/servers/slapd/back-mdb/id2entry.c openldap-2.5.14+dfsg/servers/slapd/back-mdb/id2entry.c --- openldap-2.5.13+dfsg/servers/slapd/back-mdb/id2entry.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/back-mdb/id2entry.c 2023-02-08 18:49:18.000000000 +0000 @@ -552,17 +552,23 @@ { struct mdb_info *mdb = (struct mdb_info *) op->o_bd->be_private; struct mdb_op_info *moi = NULL; + int release = 1; /* slapMode : SLAP_SERVER_MODE, SLAP_TOOL_MODE, SLAP_TRUNCATE_MODE, SLAP_UNDEFINED_MODE */ - int release = 1; if ( slapMode & SLAP_SERVER_MODE ) { OpExtra *oex; + + /* Only Add ops call with rw set, and in that case the entry + * was not created by the backend. So always just release it. + * + * Otherwise, the entry was read from a backend, and we need + * to be sure it was read from this backend, otherwise leave + * it alone for someone else to release. + */ LDAP_SLIST_FOREACH( oex, &op->o_extra, oe_next ) { - release = 0; if ( oex->oe_key == mdb ) { - mdb_entry_return( op, e ); moi = (mdb_op_info *)oex; /* If it was setup by entry_get we should probably free it */ if (( moi->moi_flag & (MOI_FREEIT|MOI_KEEPER)) == MOI_FREEIT ) { 
@@ -577,12 +583,15 @@ break; } } + /* If read, other backends were in use, and not ours, don't release */ + if ( !rw && ( LDAP_SLIST_FIRST( &op->o_extra ) && !oex )) + release = 0; } if (release) mdb_entry_return( op, e ); - return 0; + return release ? 0 : SLAP_CB_CONTINUE; } /* return LDAP_SUCCESS IFF we can retrieve the specified entry. diff -Nru openldap-2.5.13+dfsg/servers/slapd/back-mdb/tools.c openldap-2.5.14+dfsg/servers/slapd/back-mdb/tools.c --- openldap-2.5.13+dfsg/servers/slapd/back-mdb/tools.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/back-mdb/tools.c 2023-02-08 18:49:18.000000000 +0000 @@ -419,7 +419,9 @@ e->e_name = dn; e->e_nname = ndn; } else { + e->e_name.bv_len = 0; e->e_name.bv_val = NULL; + e->e_nname.bv_len = 0; e->e_nname.bv_val = NULL; } diff -Nru openldap-2.5.13+dfsg/servers/slapd/bconfig.c openldap-2.5.14+dfsg/servers/slapd/bconfig.c --- openldap-2.5.13+dfsg/servers/slapd/bconfig.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/bconfig.c 2023-02-08 18:49:18.000000000 +0000 @@ -6941,7 +6941,6 @@ return rs->sr_err; } -/* no-op, we never free entries */ int config_entry_release( Operation *op, Entry *e, @@ -6961,6 +6960,8 @@ } else { entry_free( e ); } + } else { + entry_free( e ); } return rc; } 
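Review bot: The added test `!rw && ( LDAP_SLIST_FIRST( &op->o_extra ) && !oex )` depends on LDAP_SLIST_FOREACH leaving `oex` NULL only when the loop ran to the end without reaching the `break` for this backend's key. That holds today but is easy to break when the loop body is edited; a comment on that line, e.g. `/* oex == NULL here: no OpExtra with our key was found */`, would make the dependency explicit. The return value also changes from always 0 to `SLAP_CB_CONTINUE` when the entry is left alone, so callers that treat any non-zero result as a failure need checking. Those callers, and the start of the function, are outside this hunk.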
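Review bot: With the added `else { entry_free( e ); }` every path through config_entry_release that is visible here frees the entry it is given, and the old comment saying entries are never freed was removed without a replacement. That is only safe because config_back_entry_get (the following bconfig.c hunk) now hands out `entry_dup()` copies; any other path that passes an entry still owned by the cn=config tree to this function would free live configuration data. I would state the contract where the old comment stood, e.g. `/* entries returned by config_back_entry_get are private copies and are always freed here */`. The body of the function is only partly visible in the hunk.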
@@ -6977,21 +6978,34 @@ { CfBackInfo *cfb; CfEntryInfo *ce, *last; - int rc = LDAP_NO_SUCH_OBJECT; + Entry *e = NULL; + int paused = 0, rc = LDAP_NO_SUCH_OBJECT; cfb = (CfBackInfo *)op->o_bd->be_private; + if ( ldap_pvt_thread_pool_query( &connection_pool, + LDAP_PVT_THREAD_POOL_PARAM_PAUSED, &paused ) ) { + return -1; + } + if ( !paused ) { + ldap_pvt_thread_rdwr_rlock( &cfb->cb_rwlock ); + } ce = config_find_base( cfb->cb_root, ndn, &last ); if ( ce ) { - *ent = ce->ce_entry; - if ( *ent ) { + e = ce->ce_entry; + if ( e ) { rc = LDAP_SUCCESS; - if ( oc && !is_entry_objectclass_or_sub( *ent, oc ) ) { + if ( oc && !is_entry_objectclass_or_sub( e, oc ) ) { rc = LDAP_NO_SUCH_ATTRIBUTE; - *ent = NULL; + e = NULL; } } } + if ( e ) { + *ent = entry_dup( e ); + } + if ( !paused ) + ldap_pvt_thread_rdwr_runlock( &cfb->cb_rwlock ); return rc; } diff -Nru openldap-2.5.13+dfsg/servers/slapd/filter.c openldap-2.5.14+dfsg/servers/slapd/filter.c --- openldap-2.5.13+dfsg/servers/slapd/filter.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/filter.c 2023-02-08 18:49:18.000000000 +0000 @@ -910,12 +910,7 @@ case LDAP_FILTER_GE: case LDAP_FILTER_LE: case LDAP_FILTER_APPROX: - /* Should this be ava_dup() ? */ - n->f_ava = mf->bmf_calloc( 1, sizeof(AttributeAssertion), memctx ); - *n->f_ava = *f->f_ava; - if ( f->f_av_desc->ad_flags & SLAP_DESC_TEMPORARY ) - n->f_av_desc = slap_bv2tmp_ad( &f->f_av_desc->ad_cname, memctx ); - ber_dupbv_x( &n->f_av_value, &f->f_av_value, memctx ); + n->f_ava = ava_dup( f->f_ava, memctx ); break; case LDAP_FILTER_SUBSTRINGS: n->f_sub = mf->bmf_calloc( 1, sizeof(SubstringsAssertion), memctx ); diff -Nru openldap-2.5.13+dfsg/servers/slapd/Makefile.in openldap-2.5.14+dfsg/servers/slapd/Makefile.in --- openldap-2.5.13+dfsg/servers/slapd/Makefile.in 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/Makefile.in 2023-02-08 18:49:18.000000000 +0000 
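Review bot: The early `return -1;` taken when ldap_pvt_thread_pool_query() fails is the only exit of this function that does not return an LDAP result code, and it leaves `*ent` untouched; `return LDAP_OTHER;` would match the `rc` values used on the other paths. The read lock is skipped when the pool reports `paused`, which presumably relies on a paused pool meaning the pausing thread has exclusive access to cn=config. That assumption deserves a comment next to the first `if ( !paused )`, because without the lock `entry_dup( e )` could copy an entry while it is being modified. The two `if ( !paused )` statements also differ in brace style, and the function's signature lies outside the hunk.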
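Review bot: In filter.c the removed lines allocated the copy with this function's own `mf->bmf_calloc`, whereas `ava_dup( f->f_ava, memctx )` always uses `slap_sl_mfuncs` (see the ava.c hunk in this diff). If `mf` in this function can ever be a different allocator table, the assertion would now be allocated by one allocator and released by another; the declaration of `mf` is outside the hunk, so this should be confirmed. A comment on the new line, `/* ava_dup allocates from slap_sl_mfuncs, same as mf here */`, would record the assumption.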
@@ -118,7 +118,7 @@ # # 2) be used to generate the symdummy.c file. # -# 3) be used to help create slapd.exp, the binary-formated slapd export file. +# 3) be used to help create slapd.exp, the binary-formatted slapd export file. # # The import library is used by dynamic modules at link time. With this # library, dynamic modules indicate to the linker that it will resolve diff -Nru openldap-2.5.13+dfsg/servers/slapd/overlays/accesslog.c openldap-2.5.14+dfsg/servers/slapd/overlays/accesslog.c --- openldap-2.5.13+dfsg/servers/slapd/overlays/accesslog.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/overlays/accesslog.c 2023-02-08 18:49:18.000000000 +0000 @@ -2668,7 +2668,7 @@ { int i, rc; Syntax *rdnTimestampSyntax; - MatchingRule *rdnTimestampMatch; + MatchingRule *rdnTimestampMatch, *rdnTimestampOrdering; accesslog.on_bi.bi_type = "accesslog"; accesslog.on_bi.bi_db_init = accesslog_db_init; 
@@ -2732,21 +2732,26 @@ /* Inject custom normalizer for reqStart/reqEnd */ rdnTimestampMatch = ch_malloc( sizeof( MatchingRule )); + rdnTimestampOrdering = ch_malloc( sizeof( MatchingRule )); rdnTimestampSyntax = ch_malloc( sizeof( Syntax )); *rdnTimestampMatch = *ad_reqStart->ad_type->sat_equality; rdnTimestampMatch->smr_normalize = rdnTimestampNormalize; + *rdnTimestampOrdering = *ad_reqStart->ad_type->sat_ordering; + rdnTimestampOrdering->smr_normalize = rdnTimestampNormalize; *rdnTimestampSyntax = *ad_reqStart->ad_type->sat_syntax; rdnTimestampSyntax->ssyn_validate = rdnTimestampValidate; ad_reqStart->ad_type->sat_equality = rdnTimestampMatch; + ad_reqStart->ad_type->sat_ordering = rdnTimestampOrdering; ad_reqStart->ad_type->sat_syntax = rdnTimestampSyntax; rdnTimestampMatch = ch_malloc( sizeof( MatchingRule )); + rdnTimestampOrdering = ch_malloc( sizeof( MatchingRule )); rdnTimestampSyntax = ch_malloc( sizeof( Syntax )); *rdnTimestampMatch = *ad_reqStart->ad_type->sat_equality; - rdnTimestampMatch->smr_normalize = rdnTimestampNormalize; + *rdnTimestampOrdering = *ad_reqStart->ad_type->sat_ordering; *rdnTimestampSyntax = *ad_reqStart->ad_type->sat_syntax; - rdnTimestampSyntax->ssyn_validate = rdnTimestampValidate; ad_reqEnd->ad_type->sat_equality = rdnTimestampMatch; + ad_reqEnd->ad_type->sat_ordering = rdnTimestampOrdering; ad_reqEnd->ad_type->sat_syntax = rdnTimestampSyntax; for ( i=0; locs[i].ot; i++ ) { diff -Nru openldap-2.5.13+dfsg/servers/slapd/overlays/deref.c openldap-2.5.14+dfsg/servers/slapd/overlays/deref.c --- openldap-2.5.13+dfsg/servers/slapd/overlays/deref.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/overlays/deref.c 2023-02-08 18:49:18.000000000 +0000 
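Review bot: `*rdnTimestampOrdering = *ad_reqStart->ad_type->sat_ordering;` dereferences `sat_ordering` without checking it, in both the reqStart and the reqEnd block. If the reqStart attribute type were ever defined without an ORDERING rule, this is a NULL dereference during overlay initialisation; an `assert( ad_reqStart->ad_type->sat_ordering != NULL );` with a comment, or an `if` around the ordering copy, would make the requirement explicit. The reqEnd block copies from `ad_reqStart`, i.e. from the structures patched a few lines earlier, which is why the explicit `smr_normalize` and `ssyn_validate` assignments could be dropped. That is subtle enough to merit `/* copies of the already-patched reqStart rules */` above the second group of allocations.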
@@ -439,7 +439,7 @@ rc = ber_printf( ber, "{O[W]}", &dr->dr_spec.ds_attributes[ j ]->ad_cname, dr->dr_vals[ i ].dv_attrVals[ j ] ); - op->o_tmpfree( dr->dr_vals[ i ].dv_attrVals[ j ], + ber_bvarray_free_x( dr->dr_vals[ i ].dv_attrVals[ j ], op->o_tmpmemctx ); } } diff -Nru openldap-2.5.13+dfsg/servers/slapd/overlays/dynlist.c openldap-2.5.14+dfsg/servers/slapd/overlays/dynlist.c --- openldap-2.5.13+dfsg/servers/slapd/overlays/dynlist.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/overlays/dynlist.c 2023-02-08 18:49:18.000000000 +0000 @@ -99,6 +99,47 @@ return 0; } +typedef struct dynlist_filterinst_t { + AttributeAssertion *df_a; + Entry *df_e; +} dynlist_filterinst_t; + +/* Record occurrences of ad in filter. Ignore in negated filters. */ +static void +dynlist_filter_instances( Operation *op, AttributeDescription *ad, Filter *f, int not, int *dfn, dynlist_filterinst_t **dfp ) +{ + if ( !f ) + return; + + switch( f->f_choice & SLAPD_FILTER_MASK ) { + case LDAP_FILTER_EQUALITY: + if ( !not && f->f_av_desc == ad ) { + dynlist_filterinst_t *df = *dfp; + int n = *dfn; + df = op->o_tmprealloc( df, (n + 1) * sizeof(dynlist_filterinst_t), op->o_tmpmemctx ); + df[n].df_a = f->f_ava; + df[n++].df_e = NULL; + *dfp = df; + *dfn = n; + } + break; + case SLAPD_FILTER_COMPUTED: + case LDAP_FILTER_PRESENT: + case LDAP_FILTER_GE: + case LDAP_FILTER_LE: + case LDAP_FILTER_APPROX: + case LDAP_FILTER_SUBSTRINGS: + case LDAP_FILTER_EXT: + break; + case LDAP_FILTER_NOT: not ^= 1; + /* FALLTHRU */ + case LDAP_FILTER_AND: + case LDAP_FILTER_OR: + for ( f = f->f_list; f; f = f->f_next ) + dynlist_filter_instances( op, ad, f, not, dfn, dfp ); + } +} + static int dynlist_make_filter( Operation *op, Entry *e, dynlist_info_t *dli, const char *url, struct berval *oldf, struct berval *newf ) { 
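Review bot: dynlist_filter_instances stores `f->f_ava` in `df_a` without copying it, so the recorded assertions are valid only while the filter passed in is alive, and the one-line header comment does not say so. I would extend it with `/* df_a points into f and must not outlive it; *dfp is allocated from op->o_tmpmemctx and owned by the caller */`. The array is grown with `op->o_tmprealloc` and written immediately; if that allocator can return NULL (not visible here), `df[n].df_a = ...` is a NULL dereference. As style points, the `switch` has no `default:` arm, and `case LDAP_FILTER_NOT: not ^= 1;` shares a line with its label, which hides the polarity flip that the fallthrough depends on.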
@@ -328,8 +369,10 @@ } typedef struct dynlist_name_t { + struct berval dy_nname; struct berval dy_name; dynlist_info_t *dy_dli; + dynlist_map_t *dy_dlm; AttributeDescription *dy_staticmember; int dy_seen; int dy_numuris; @@ -352,6 +395,7 @@ o.ors_attrs = NULL; memset( o.o_ctrlflag, 0, sizeof( o.o_ctrlflag )); o.o_callback = sc; + o.o_do_not_cache = 1; for (i=0; idy_numuris; i++) { ludp = dyn->dy_uris[i]; @@ -390,10 +434,10 @@ if ( attr_valfind( a, SLAP_MR_EQUALITY | SLAP_MR_VALUE_OF_ASSERTION_SYNTAX | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH | SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH, - &dyn->dy_name, &slot, NULL ) == LDAP_SUCCESS ) + &dyn->dy_nname, &slot, NULL ) == LDAP_SUCCESS ) continue; } - attr_merge_one( e, ad, &dyn->dy_name, &dyn->dy_name ); + attr_merge_one( e, ad, &dyn->dy_name, &dyn->dy_nname ); if ( !a ) a = attr_find( e->e_attrs, ad ); if ( dyn->dy_sups ) @@ -452,7 +496,7 @@ dyn = ptr->avl_data; if ( ldap_tavl_insert( &dm->dm_groups, dyn, dynlist_ptr_cmp, ldap_avl_dup_error )) continue; - if ( overlay_entry_get_ov( op, &dyn->dy_name, NULL, NULL, 0, &ne, on ) != LDAP_SUCCESS || ne == NULL ) + if ( overlay_entry_get_ov( op, &dyn->dy_nname, NULL, NULL, 0, &ne, on ) != LDAP_SUCCESS || ne == NULL ) continue; b = attr_find( ne->e_attrs, dm->dm_ad ); if ( b ) { @@ -509,7 +553,11 @@ || ad_infilter( ad, op->ors_filter )) break; } - if ( dli->dli_dlm && !dlm ) + + /* If nothing matched and this was a search, skip over to nesting check. + * If this was a compare, keep on going. + */ + if ( dli->dli_dlm && !dlm && o.o_acl_priv != ACL_COMPARE ) goto checkdyn; if ( ad_dgIdentity && ( id = attrs_find( rs->sr_entry->e_attrs, ad_dgIdentity ))) { @@ -548,6 +596,7 @@ o.ors_limit = NULL; o.ors_tlimit = SLAP_NO_LIMIT; o.ors_slimit = SLAP_NO_LIMIT; + o.o_do_not_cache = 1; memset( o.o_ctrlflag, 0, sizeof( o.o_ctrlflag )); for ( url = a->a_nvals; !BER_BVISNULL( url ); url++ ) { 
@@ -785,33 +834,20 @@ return SLAP_CB_CONTINUE; } -/* dynlist_sc_compare_entry() callback set by dynlist_compare() */ -typedef struct dynlist_cc_t { - slap_callback dc_cb; -# define dc_ava dc_cb.sc_private /* attr:val to compare with */ - int *dc_res; -} dynlist_cc_t; - static int -dynlist_sc_compare_entry( Operation *op, SlapReply *rs ) +dynlist_check_scope( Operation *op, Entry *e, dynlist_info_t *dli ) { - if ( rs->sr_type == REP_SEARCH && rs->sr_entry != NULL ) { - dynlist_cc_t *dc = (dynlist_cc_t *)op->o_callback; - AttributeAssertion *ava = dc->dc_ava; - Attribute *a = attrs_find( rs->sr_entry->e_attrs, ava->aa_desc ); - - if ( a != NULL ) { - while ( LDAP_SUCCESS != attr_valfind( a, - SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | - SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, - &ava->aa_value, NULL, op->o_tmpmemctx ) - && (a = attrs_find( a->a_next, ava->aa_desc )) != NULL ) - ; - *dc->dc_res = a ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE; - } + if ( dli->dli_lud ) { + if ( !BER_BVISNULL( &dli->dli_uri_nbase ) && + !dnIsSuffixScope( &e->e_nname, + &dli->dli_uri_nbase, + dli->dli_lud->lud_scope )) + return 0; + if ( dli->dli_uri_filter && test_filter( op, e, + dli->dli_uri_filter ) != LDAP_COMPARE_TRUE ) + return 0; } - - return 0; + return 1; } static int 
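Review bot: dynlist_check_scope is new and has no comment describing its contract, although the callers added elsewhere in this diff negate its result inside compound conditions. I would add `/* Return 1 if e lies within the base/scope and matches the filter of dli's URI restriction, or if dli has none; 0 otherwise */` above the function. As written, `dli_uri_nbase` and `dli_uri_filter` are consulted only when `dli->dli_lud` is set, so a list configured without a URI is treated as matching every entry; the comment should state that this is intended.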
@@ -846,15 +882,25 @@ */ BerVarray id = NULL, authz = NULL; + if ( e == NULL && ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) != + LDAP_SUCCESS || e == NULL )) + { + return SLAP_CB_CONTINUE; + } + if ( !is_entry_objectclass_or_sub( e, dli->dli_oc ) || + !dynlist_check_scope( op, e, dli )) { + continue; + } + o.o_do_not_cache = 1; - if ( ad_dgIdentity && backend_attribute( &o, NULL, &o.o_req_ndn, + if ( ad_dgIdentity && backend_attribute( &o, e, &o.o_req_ndn, ad_dgIdentity, &id, ACL_READ ) == LDAP_SUCCESS ) { /* if not rootdn and dgAuthz is present, * check if user can be authorized as dgIdentity */ if ( ad_dgAuthz && !BER_BVISEMPTY( id ) && !be_isroot( op ) - && backend_attribute( &o, NULL, &o.o_req_ndn, + && backend_attribute( &o, e, &o.o_req_ndn, ad_dgAuthz, &authz, ACL_READ ) == LDAP_SUCCESS ) { @@ -871,7 +917,7 @@ o.o_groups = NULL; /* authz changed, invalidate cached groups */ } - rs->sr_err = backend_group( &o, NULL, &o.o_req_ndn, + rs->sr_err = backend_group( &o, e, &o.o_req_ndn, &o.oq_compare.rs_ava->aa_value, dli->dli_oc, dli->dli_ad ); switch ( rs->sr_err ) { case LDAP_SUCCESS: @@ -899,6 +945,7 @@ done:; if ( id ) ber_bvarray_free_x( id, o.o_tmpmemctx ); + overlay_entry_release_ov( &o, e, 0, on ); send_ldap_result( op, rs ); return rs->sr_err; @@ -910,15 +957,16 @@ return SLAP_CB_CONTINUE; } - if ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) != - LDAP_SUCCESS || e == NULL ) + if ( e == NULL && ( overlay_entry_get_ov( &o, &o.o_req_ndn, NULL, NULL, 0, &e, on ) != + LDAP_SUCCESS || e == NULL )) { return SLAP_CB_CONTINUE; } /* check for dynlist objectClass; done if not found */ dli = (dynlist_info_t *)dlg->dlg_dli; - while ( dli != NULL && !is_entry_objectclass_or_sub( e, dli->dli_oc ) ) { + while ( dli != NULL && ( !is_entry_objectclass_or_sub( e, dli->dli_oc ) || + !dynlist_check_scope( op, e, dli ))) { dli = dli->dli_next; } if ( dli == NULL ) { 
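Review bot: After this change `e` may already hold an entry fetched inside the earlier loop (hence the new `e == NULL &&` test), but the `return SLAP_CB_CONTINUE;` in the context lines just above the rewritten `overlay_entry_get_ov` call exits without releasing it. The loop can leave `e` set and fall through, since the added `continue` keeps the entry when the objectClass or scope test fails, and the only release added in this diff is `overlay_entry_release_ov( &o, e, 0, on );` at `done:`. That path therefore appears to leak the entry reference. I would add `if ( e ) overlay_entry_release_ov( &o, e, 0, on );` before that return and confirm the later exits of the function, which lie outside the hunks shown.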
@@ -1023,9 +1071,9 @@ int rc; n1 = c1; n2 = c2; - rc = n1->dy_name.bv_len - n2->dy_name.bv_len; + rc = n1->dy_nname.bv_len - n2->dy_nname.bv_len; if ( rc ) return rc; - return ber_bvcmp( &n1->dy_name, &n2->dy_name ); + return ber_bvcmp( &n1->dy_nname, &n2->dy_nname ); } /* build a list of dynamic entries */ @@ -1039,6 +1087,11 @@ if ( ds->ds_dlm && ds->ds_dlm->dlm_static_oc && is_entry_objectclass( rs->sr_entry, ds->ds_dlm->dlm_static_oc, 0 )) b = attr_find( rs->sr_entry->e_attrs, ds->ds_dlm->dlm_member_ad ); a = attr_find( rs->sr_entry->e_attrs, ds->ds_dli->dli_ad ); + + /* enforce scope of dynamic entries */ + if ( a && !dynlist_check_scope( op, rs->sr_entry, ds->ds_dli )) + a = NULL; + if ( a || b ) { unsigned len; dynlist_name_t *dyn; @@ -1051,10 +1104,14 @@ else len = 0; - dyn = ch_calloc(1, sizeof(dynlist_name_t)+rs->sr_entry->e_nname.bv_len + 1 + len); + dyn = ch_calloc(1, sizeof(dynlist_name_t)+rs->sr_entry->e_nname.bv_len + 1 + + rs->sr_entry->e_name.bv_len + 1 + len); dyn->dy_name.bv_val = ((char *)(dyn+1)) + len; + dyn->dy_name.bv_len = rs->sr_entry->e_name.bv_len; + dyn->dy_nname.bv_val = dyn->dy_name.bv_val + dyn->dy_name.bv_len + 1; + dyn->dy_nname.bv_len = rs->sr_entry->e_nname.bv_len; dyn->dy_dli = ds->ds_dli; - dyn->dy_name.bv_len = rs->sr_entry->e_nname.bv_len; + dyn->dy_dlm = ds->ds_dlm; if ( a ) { Filter *f; /* parse and validate the URIs */ @@ -1092,7 +1149,8 @@ } } dyn->dy_numuris = j; - memcpy(dyn->dy_name.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len ); + memcpy(dyn->dy_name.bv_val, rs->sr_entry->e_name.bv_val, rs->sr_entry->e_name.bv_len ); + memcpy(dyn->dy_nname.bv_val, rs->sr_entry->e_nname.bv_val, rs->sr_entry->e_nname.bv_len ); if ( b ) dyn->dy_staticmember = ds->ds_dlm->dlm_member_ad; 
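Review bot: The single `ch_calloc` block now carries three regions after the struct (`len` bytes, the pretty DN, the normalized DN), and the pointer setup depends on `dy_name.bv_len` being assigned before `dy_nname.bv_val` is computed. The sizes do add up, with the terminators supplied by calloc because the two `memcpy` calls copy no NUL, but nothing records the layout. I would add `/* layout: struct | len bytes | name\0 | nname\0 */` above the allocation so a later reordering of the assignments is caught in review. In dynlist_avl_cmp, the first hunk on this line, the difference `n1->dy_nname.bv_len - n2->dy_nname.bv_len` is still narrowed to `int rc`; that is unchanged behaviour, but comparing the lengths with `<` and `>` would avoid the truncation.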
@@ -1249,7 +1307,7 @@ if ( ldap_tavl_insert( &ds->ds_fnodes, dyn, dynlist_ptr_cmp, ldap_avl_dup_error )) return 0; - if ( overlay_entry_get_ov( op, &dyn->dy_name, NULL, NULL, 0, &e, on ) != + if ( overlay_entry_get_ov( op, &dyn->dy_nname, NULL, NULL, 0, &e, on ) != LDAP_SUCCESS || e == NULL ) { return -1; } @@ -1282,47 +1340,32 @@ static Filter * dynlist_filter_dup( Operation *op, Filter *f, AttributeDescription *ad, dynlist_search_t *ds ) { - Filter *n = NULL; + Filter *n; if ( !f ) return NULL; - n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx ); - n->f_next = NULL; switch( f->f_choice & SLAPD_FILTER_MASK ) { - case SLAPD_FILTER_COMPUTED: - n->f_choice = f->f_choice; - n->f_result = f->f_result; - break; - - case LDAP_FILTER_PRESENT: - n->f_choice = f->f_choice; - n->f_desc = f->f_desc; - break; - case LDAP_FILTER_EQUALITY: + n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx ); + n->f_next = NULL; if ( f->f_av_desc == ad ) { dynlist_name_t *dyn = ldap_tavl_find( ds->ds_names, &f->f_av_value, dynlist_avl_cmp ); n->f_choice = SLAPD_FILTER_COMPUTED; if ( dyn && !dynlist_filter_group( op, dyn, n, ds )) break; } - /* FALLTHRU */ + n->f_choice = LDAP_FILTER_EQUALITY; + n->f_ava = ava_dup( f->f_ava, op->o_tmpmemctx ); + break; + case SLAPD_FILTER_COMPUTED: + case LDAP_FILTER_PRESENT: case LDAP_FILTER_GE: case LDAP_FILTER_LE: case LDAP_FILTER_APPROX: - n->f_choice = f->f_choice; - n->f_ava = f->f_ava; - break; - case LDAP_FILTER_SUBSTRINGS: - n->f_choice = f->f_choice; - n->f_sub = f->f_sub; - break; - case LDAP_FILTER_EXT: - n->f_choice = f->f_choice; - n->f_mra = f->f_mra; + n = filter_dup( f, op->o_tmpmemctx ); break; case LDAP_FILTER_NOT: @@ -1330,6 +1373,8 @@ case LDAP_FILTER_OR: { Filter **p; + n = op->o_tmpalloc( sizeof(Filter), op->o_tmpmemctx ); + n->f_next = NULL; n->f_choice = f->f_choice; for ( p = &n->f_list, f = f->f_list; f; f = f->f_next ) { 
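Review bot: In dynlist_filter_dup, `Filter *n;` loses its `= NULL` initialiser while the allocation moves into the individual `case` arms, so an `f_choice` value not listed in the `switch` would make the function return an indeterminate pointer. No `default:` arm is visible in this hunk or the next one, and the end of the function is outside both. The result is later stored in `op->ors_filter` and released with `filter_free_x`, so a stray value would be freed as if it were a filter. Keeping `Filter *n = NULL;` costs nothing and restores the old behaviour for unexpected filter types.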
@@ -1345,29 +1390,6 @@ } static void -dynlist_filter_free( Operation *op, Filter *f ) -{ - Filter *p, *next; - - if ( f == NULL ) - return; - - f->f_choice &= SLAPD_FILTER_MASK; - switch( f->f_choice ) { - case LDAP_FILTER_AND: - case LDAP_FILTER_OR: - case LDAP_FILTER_NOT: - for ( p = f->f_list; p; p = next ) { - next = p->f_next; - op->o_tmpfree( p, op->o_tmpmemctx ); - } - break; - default: - op->o_tmpfree( f, op->o_tmpmemctx ); - } -} - -static void dynlist_search_free( void *ptr ) { dynlist_name_t *dyn = (dynlist_name_t *)ptr; @@ -1401,7 +1423,7 @@ ldap_tavl_free( ds->ds_fnodes, NULL ); if ( ds->ds_origfilter ) { op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); - dynlist_filter_free( op, op->ors_filter ); + filter_free_x( op, op->ors_filter, 1 ); op->ors_filter = ds->ds_origfilter; op->ors_filterstr = ds->ds_origfilterbv; } @@ -1413,23 +1435,12 @@ } static int -dynlist_test_membership(Operation *op, dynlist_name_t *dyn, Entry *e) +dynlist_test_dynmember(Operation *op, dynlist_name_t *dyn, Entry *e) { LDAPURLDesc *ludp; struct berval nbase, bv; int i, rc = LDAP_COMPARE_FALSE; - if ( dyn->dy_staticmember ) { - Entry *grp; - if ( overlay_entry_get_ov( op, &dyn->dy_name, NULL, NULL, 0, &grp, (slap_overinst *)op->o_bd->bd_info ) == LDAP_SUCCESS && grp ) { - Attribute *a = attr_find( grp->e_attrs, dyn->dy_staticmember ); - if ( a ) { - i = value_find_ex( dyn->dy_staticmember, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | - SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, a->a_nvals, &e->e_nname, op->o_tmpmemctx ); - } - overlay_entry_release_ov( op, grp, 0, (slap_overinst *)op->o_bd->bd_info ); - return i == LDAP_SUCCESS ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE; - } - } + for (i=0; idy_numuris; i++) { ludp = dyn->dy_uris[i]; nbase.bv_val = ludp->lud_dn; 
@@ -1466,6 +1477,28 @@ return rc; } +static int +dynlist_test_membership(Operation *op, dynlist_name_t *dyn, Entry *e) +{ + if ( dyn->dy_staticmember ) { + Entry *grp; + if ( overlay_entry_get_ov( op, &dyn->dy_nname, NULL, NULL, 0, &grp, (slap_overinst *)op->o_bd->bd_info ) == LDAP_SUCCESS && grp ) { + Attribute *a = attr_find( grp->e_attrs, dyn->dy_staticmember ); + int rc; + if ( a ) { + rc = value_find_ex( dyn->dy_staticmember, SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH | + SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH, a->a_nvals, &e->e_nname, op->o_tmpmemctx ); + rc = ( rc == LDAP_SUCCESS ) ? LDAP_COMPARE_TRUE : LDAP_COMPARE_FALSE; + } else { + rc = LDAP_COMPARE_FALSE; + } + overlay_entry_release_ov( op, grp, 0, (slap_overinst *)op->o_bd->bd_info ); + return rc; + } + } + return dynlist_test_dynmember( op, dyn, e ); +} + static void dynlist_add_memberOf(Operation *op, SlapReply *rs, dynlist_search_t *ds) { @@ -1493,11 +1526,11 @@ if ( attr_valfind( a, SLAP_MR_EQUALITY | SLAP_MR_VALUE_OF_ASSERTION_SYNTAX | SLAP_MR_ASSERTED_VALUE_NORMALIZED_MATCH | SLAP_MR_ATTRIBUTE_VALUE_NORMALIZED_MATCH, - &dyn->dy_name, &slot, NULL ) != LDAP_SUCCESS ) + &dyn->dy_nname, &slot, NULL ) != LDAP_SUCCESS ) a = NULL; } if ( !a ) - attr_merge_one( e, dlm->dlm_memberOf_ad, &dyn->dy_name, &dyn->dy_name ); + attr_merge_one( e, dlm->dlm_memberOf_ad, &dyn->dy_name, &dyn->dy_nname ); if ( dyn->dy_sups ) { dynlist_nested_memberOf( e, dlm->dlm_memberOf_ad, dyn->dy_sups ); } @@ -1512,6 +1545,23 @@ } } +/* See if a DN-valued filter attribute belongs to a dyngroup */ +static int +dynmember( dynlist_name_t *dyn, Filter *f, int ndf, dynlist_filterinst_t *df ) +{ + int i; + int ret = 1; /* default to accepting everything */ + + for ( i = 0; i < ndf; i++ ) { + if ( df[i].df_e ) { + ret = dynlist_test_dynmember( NULL, dyn, df[i].df_e ) == LDAP_COMPARE_TRUE; + if ( ret ) + break; + } + } + return ret; +} + /* process the search responses */ static int dynlist_search2resp( Operation *op, SlapReply *rs ) 
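Review bot: dynmember() calls `dynlist_test_dynmember( NULL, dyn, df[i].df_e )`, passing NULL for the Operation. Only the first lines of dynlist_test_dynmember are visible in this diff, so whether it or a callee dereferences `op` cannot be confirmed here, but before this change the same code always ran with a real operation, and the entries tested are selected by values from the client's search filter. I would thread the operation through: declare `dynmember( Operation *op, dynlist_name_t *dyn, ... )`, call `dynlist_test_dynmember( op, dyn, df[i].df_e )`, and use `dynmember( op, dyn, f, ndf, df )` at the call site in dynlist_search2resp. The `Filter *f` parameter is also unused in the body shown.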
@@ -1522,22 +1572,41 @@ if ( rs->sr_type == REP_SEARCH && rs->sr_entry != NULL ) { rc = SLAP_CB_CONTINUE; - /* See if this is one of our dynamic entries */ - dyn = ldap_tavl_find( ds->ds_names, &rs->sr_entry->e_nname, dynlist_avl_cmp ); - if ( dyn ) { - dyn->dy_seen = 1; - rc = dynlist_prepare_entry( op, rs, dyn->dy_dli, dyn ); - } else if ( ds->ds_want ) - dynlist_add_memberOf( op, rs, ds ); + /* See if this is one of our dynamic groups */ + dyn = NULL; + if ( ds->ds_names ) { + dyn = ldap_tavl_find( ds->ds_names, &rs->sr_entry->e_nname, dynlist_avl_cmp ); + if ( dyn ) { + dyn->dy_seen = 1; + rc = dynlist_prepare_entry( op, rs, dyn->dy_dli, dyn ); + } else if ( ds->ds_want ) + dynlist_add_memberOf( op, rs, ds ); + } + /* Then check for dynamic lists */ + if ( dyn == NULL ) { + dynlist_info_t *dli; + Attribute *a = attr_find ( rs->sr_entry->e_attrs, slap_schema.si_ad_objectClass ); + if ( a ) { + for ( dli = ds->ds_dli; dli; dli = dli->dli_next ) { + if ( is_entry_objectclass_or_sub( rs->sr_entry, dli->dli_oc ) && + dynlist_check_scope( op, rs->sr_entry, dli )) + rc = dynlist_prepare_entry( op, rs, dli, NULL ); + } + } + } if ( ds->ds_origfilter && test_filter( op, rs->sr_entry, ds->ds_origfilter ) != LDAP_COMPARE_TRUE ) { rs_flush_entry( op, rs, NULL ); return LDAP_SUCCESS; } return rc; } else if ( rs->sr_type == REP_RESULT && rs->sr_err == LDAP_SUCCESS ) { - TAvlnode *ptr; + slap_overinst *on = (slap_overinst *)op->o_bd->bd_info; + TAvlnode *ptr, *skip = NULL; SlapReply r = *rs; + dynlist_map_t *dlm = NULL; Filter *f = ds->ds_origfilter ? ds->ds_origfilter : op->ors_filter; + dynlist_filterinst_t *df = NULL; + int ndf = 0; if ( get_pagedresults( op ) > SLAP_CONTROL_IGNORED ) return SLAP_CB_CONTINUE; 
@@ -1545,16 +1614,43 @@ /* Check for any unexpanded dynamic group entries that weren't picked up * by the original search filter. */ - for ( ptr = ldap_tavl_end( ds->ds_names, TAVL_DIR_LEFT ); ptr; - ptr = ldap_tavl_next( ptr, TAVL_DIR_RIGHT )) { + ptr = ldap_tavl_end( ds->ds_names, TAVL_DIR_LEFT ); + while ( ptr ) { dyn = ptr->avl_data; if ( dyn->dy_seen ) - continue; - if ( !dnIsSuffixScope( &dyn->dy_name, &op->o_req_ndn, op->ors_scope )) - continue; - if ( overlay_entry_get_ov( op, &dyn->dy_name, NULL, NULL, 0, &r.sr_entry, (slap_overinst *)op->o_bd->bd_info ) != LDAP_SUCCESS || + goto next; + dyn->dy_seen = 1; + if ( !dnIsSuffixScope( &dyn->dy_nname, &op->o_req_ndn, op->ors_scope )) + goto next; + /* can only pre-check if this is a dyngroup, otherwise just build the entry */ + if ( dyn->dy_dli->dli_dlm && !dyn->dy_dli->dli_dlm->dlm_next && + dyn->dy_dlm && !dyn->dy_dlm->dlm_mapped_ad ) { + if ( !dlm ) { + AttributeDescription *ad; + int i; + dlm = dyn->dy_dlm; + ad = dlm->dlm_member_ad; + /* can only pre-check DN-valued attrs */ + if ( ad->ad_type->sat_syntax == slap_schema.si_syn_distinguishedName ) { + /* find any instances of this ad in the filter */ + dynlist_filter_instances( op, ad, f, 0, &ndf, &df ); + for ( i = 0; i < ndf; i++ ) { + overlay_entry_get_ov( op, &df[i].df_a->aa_value, NULL, NULL, 0, &df[i].df_e, on ); + } + } + } else if ( dlm != dyn->dy_dlm ) { /* if a different map, do it later */ + if ( !skip ) + skip = ptr; + dyn->dy_seen = 0; /* we'll want to process it next time thru */ + goto next; + } + /* only pre-check for non-nested */ + if ( !dyn->dy_sups && !dyn->dy_subs && ndf && !dynmember( dyn, f, ndf, df )) + goto next; + } + if ( overlay_entry_get_ov( op, &dyn->dy_nname, NULL, NULL, 0, &r.sr_entry, on ) != LDAP_SUCCESS || r.sr_entry == NULL ) - continue; + goto next; r.sr_flags = REP_ENTRY_MUSTRELEASE; dynlist_prepare_entry( op, &r, dyn->dy_dli, dyn ); if ( test_filter( op, r.sr_entry, f ) == LDAP_COMPARE_TRUE ) { 
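Review bot: The pre-check loop calls `overlay_entry_get_ov( op, &df[i].df_a->aa_value, NULL, NULL, 0, &df[i].df_e, on );` and ignores the result, so correctness rests on `df_e` having been preset to NULL in dynlist_filter_instances and on the callee not writing it on failure. A comment saying so, `/* failures leave df_e NULL; dynmember() skips those */`, would protect that coupling. One entry is fetched per matching equality term of the client's filter and held until the end of the tree walk, so the number of entries held at once is bounded only by the filter size. The matching release code is in the following hunk and is not fully legible on this page, so confirm that every fetched `df_e` is released on the `break` path as well.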
@@ -1562,10 +1658,36 @@ rs->sr_err = send_search_entry( op, &r ); if ( rs->sr_err != LDAP_SUCCESS ) break; - } else { + r.sr_entry = NULL; + } + if ( r.sr_entry ) rs_flush_entry( op, &r, NULL ); +next: + ptr = ldap_tavl_next( ptr, TAVL_DIR_RIGHT ); + if ( !ptr ) { + int i; + for ( i = 0; io_tmpfree( df, op->o_tmpmemctx ); + ndf = 0; + if ( skip ) { /* go back for dyns we skipped */ + ptr = skip; + skip = NULL; + dlm = NULL; + df = NULL; + } } } + if ( ndf ) { + int i; + for ( i = 0; io_tmpfree( df, op->o_tmpmemctx ); + } rs->sr_nentries = r.sr_nentries; } return SLAP_CB_CONTINUE; @@ -1577,7 +1699,7 @@ Filter *f; f = dynlist_filter_dup( op, op->ors_filter, ad, ds ); if ( ds->ds_origfilter ) { - dynlist_filter_free( op, op->ors_filter ); + filter_free_x( op, op->ors_filter, 1 ); op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx ); } else { ds->ds_origfilter = op->ors_filter; @@ -1629,7 +1751,7 @@ ptr = ldap_tavl_next( ptr, TAVL_DIR_RIGHT )) { di = ptr->avl_data; if ( ds->ds_dlm ) { - if ( overlay_entry_get_ov( op, &di->dy_name, NULL, NULL, 0, &e, on ) != LDAP_SUCCESS || e == NULL ) + if ( overlay_entry_get_ov( op, &di->dy_nname, NULL, NULL, 0, &e, on ) != LDAP_SUCCESS || e == NULL ) continue; a = attr_find( e->e_attrs, ds->ds_dlm->dlm_member_ad ); if ( a ) { @@ -1687,6 +1809,7 @@ memset( o.o_ctrlflag, 0, sizeof( o.o_ctrlflag )); o.o_managedsait = SLAP_CONTROL_CRITICAL; + o.o_do_not_cache = 1; /* Are we using memberOf, and does it affect this request? */ if ( dlg->dlg_memberOf ) { 
@@ -1703,7 +1826,19 @@ static_oc = NULL; nested = 0; tmpwant = 0; - if ( dlg->dlg_memberOf ) { + + if ( !dli->dli_dlm ) { + /* A dynamic list returning arbitrary attrs: + * we don't know what attrs it might return, + * so we can't check if any of its attrs are + * in the filter. So assume none of them are. + * + * If filtering is desired, the filterable attrs + * must be explicitly mapped (even to + * themselves if nothing else). + */ + continue; + } else { for ( dlm = dli->dli_dlm; dlm; dlm = dlm->dlm_next ) { if ( dlm->dlm_memberOf_ad ) { int want = 0; 
@@ -1761,71 +1896,87 @@ } } } + { + AttributeDescription *ad = dlm->dlm_mapped_ad ? dlm->dlm_mapped_ad : dlm->dlm_member_ad; + if ( ad_infilter( ad, op->ors_filter )) { + tmpwant |= WANT_MEMBER; + ds->ds_want = tmpwant; + ds->ds_dlm = dlm; + } + } } } - if ( static_oc ) { - f[0].f_choice = LDAP_FILTER_OR; - f[0].f_list = &f[1]; - f[0].f_next = NULL; - f[1].f_choice = LDAP_FILTER_EQUALITY; - f[1].f_next = &f[2]; - f[1].f_ava = &ava[0]; - f[1].f_av_desc = slap_schema.si_ad_objectClass; - f[1].f_av_value = dli->dli_oc->soc_cname; - f[2].f_choice = LDAP_FILTER_EQUALITY; - f[2].f_ava = &ava[1]; - f[2].f_av_desc = slap_schema.si_ad_objectClass; - f[2].f_av_value = static_oc->soc_cname; - f[2].f_next = NULL; - } else { - f[0].f_choice = LDAP_FILTER_EQUALITY; - f[0].f_ava = ava; - f[0].f_av_desc = slap_schema.si_ad_objectClass; - f[0].f_av_value = dli->dli_oc->soc_cname; - f[0].f_next = NULL; - } + if ( tmpwant ) { - if ( o.o_callback != sc ) { - o.o_callback = sc; - o.ors_filter = f; - if ( tmpwant ) { - o.o_req_dn = op->o_bd->be_suffix[0]; - o.o_req_ndn = op->o_bd->be_nsuffix[0]; - o.ors_scope = LDAP_SCOPE_SUBTREE; + if ( static_oc ) { + f[0].f_choice = LDAP_FILTER_OR; + f[0].f_list = &f[1]; + f[0].f_next = NULL; + f[1].f_choice = LDAP_FILTER_EQUALITY; + f[1].f_next = &f[2]; + f[1].f_ava = &ava[0]; + f[1].f_av_desc = slap_schema.si_ad_objectClass; + f[1].f_av_value = dli->dli_oc->soc_cname; + f[2].f_choice = LDAP_FILTER_EQUALITY; + f[2].f_ava = &ava[1]; + f[2].f_av_desc = slap_schema.si_ad_objectClass; + f[2].f_av_value = static_oc->soc_cname; + f[2].f_next = NULL; } else { - o.o_req_dn = op->o_req_dn; - o.o_req_ndn = op->o_req_ndn; - o.ors_scope = op->ors_scope; - } - o.ors_attrsonly = 0; - o.ors_attrs = an; - o.o_bd = select_backend( op->o_bd->be_nsuffix, 1 ); - BER_BVZERO( &o.ors_filterstr ); - sc->sc_response = dynlist_search1resp; - } + f[0].f_choice = LDAP_FILTER_EQUALITY; + f[0].f_ava = ava; + f[0].f_av_desc = slap_schema.si_ad_objectClass; + f[0].f_av_value = 
dli->dli_oc->soc_cname; + f[0].f_next = NULL; + } - ds->ds_dli = dli; - if ( o.ors_filterstr.bv_val ) + if ( o.o_callback != sc ) { + o.o_callback = sc; + o.ors_filter = f; + if ( tmpwant ) { + o.o_req_dn = op->o_bd->be_suffix[0]; + o.o_req_ndn = op->o_bd->be_nsuffix[0]; + o.ors_scope = LDAP_SCOPE_SUBTREE; + } else { + o.o_req_dn = op->o_req_dn; + o.o_req_ndn = op->o_req_ndn; + o.ors_scope = op->ors_scope; + } + o.ors_attrsonly = 0; + o.ors_attrs = an; + o.o_bd = select_backend( op->o_bd->be_nsuffix, 1 ); + BER_BVZERO( &o.ors_filterstr ); + sc->sc_response = dynlist_search1resp; + } + + ds->ds_dli = dli; + if ( o.ors_filterstr.bv_val ) + o.o_tmpfree( o.ors_filterstr.bv_val, o.o_tmpmemctx ); + filter2bv_x( &o, f, &o.ors_filterstr ); + an[0].an_desc = dli->dli_ad; + an[0].an_name = dli->dli_ad->ad_cname; + found = ds->ds_found; + { + SlapReply r = { REP_SEARCH }; + (void)o.o_bd->be_search( &o, &r ); + } o.o_tmpfree( o.ors_filterstr.bv_val, o.o_tmpmemctx ); - filter2bv_x( &o, f, &o.ors_filterstr ); - an[0].an_desc = dli->dli_ad; - an[0].an_name = dli->dli_ad->ad_cname; - found = ds->ds_found; - { - SlapReply r = { REP_SEARCH }; - (void)o.o_bd->be_search( &o, &r ); + o.ors_filterstr.bv_val = NULL; + if ( found != ds->ds_found && nested ) + dynlist_nestlink( op, ds ); } - if ( found != ds->ds_found && nested ) - dynlist_nestlink( op, ds ); } - if ( ds->ds_names != NULL ) { + if ( dlg->dlg_dli || ds->ds_names != NULL ) { sc->sc_response = dynlist_search2resp; sc->sc_cleanup = dynlist_search_cleanup; sc->sc_next = op->o_callback; op->o_callback = sc; + /* dynamic lists need this */ + ds->ds_dli = dlg->dlg_dli; + /* see if filter needs fixing */ if ( dlg->dlg_memberOf ) { for ( dli = dlg->dlg_dli; dli; dli = dli->dli_next ) { diff -Nru openldap-2.5.13+dfsg/servers/slapd/overlays/pcache.c openldap-2.5.14+dfsg/servers/slapd/overlays/pcache.c --- openldap-2.5.13+dfsg/servers/slapd/overlays/pcache.c 2022-07-14 17:09:57.000000000 +0000 +++ 
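Review bot: Inside the new `if ( tmpwant ) {` block the inner `if ( tmpwant ) { ... } else { o.o_req_dn = op->o_req_dn; ... }` is re-indented unchanged, so its `else` arm can no longer run. Either drop the inner test and keep only the suffix and `LDAP_SCOPE_SUBTREE` assignments, or, if the request-scoped search is still wanted in some case, move it out of the outer condition. The result of `select_backend( op->o_bd->be_nsuffix, 1 )` is stored in `o.o_bd` and used by `o.o_bd->be_search( &o, &r )` without a NULL check, which this hunk carries over unchanged. The hunk starts inside the enclosing loop, so the surrounding control flow is not visible.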
openldap-2.5.14+dfsg/servers/slapd/overlays/pcache.c 2023-02-08 18:49:18.000000000 +0000 @@ -3514,7 +3514,7 @@ Operation *op; CachedQuery *query, *qprev; - CachedQuery *expires = NULL; + CachedQuery *expires; int return_val, pause = PCACHE_CC_PAUSED; QueryTemplate *templ; @@ -3537,6 +3537,7 @@ time_t ttl; if ( !templ->query_last ) continue; pause = 0; + expires = NULL; op->o_time = slap_get_time(); if ( !templ->ttr ) { ttl = templ->ttl; diff -Nru openldap-2.5.13+dfsg/servers/slapd/overlays/remoteauth.c openldap-2.5.14+dfsg/servers/slapd/overlays/remoteauth.c --- openldap-2.5.13+dfsg/servers/slapd/overlays/remoteauth.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/overlays/remoteauth.c 2023-02-08 18:49:18.000000000 +0000 @@ -204,12 +204,12 @@ str = ch_malloc( strlen( map->domain ) + strlen( map->realm ) + 2 ); sprintf( str, "%s %s", map->domain, map->realm ); - ber_str2bv( str, strlen( str ), 1, &bv ); - ch_free( str ); + ber_str2bv( str, 0, 0, &bv ); rc = value_add_one( &c->rvalue_vals, &bv ); - if ( rc ) return rc; - rc = value_add_one( &c->rvalue_nvals, &bv ); - if ( rc ) return rc; + if ( !rc ) + rc = value_add_one( &c->rvalue_nvals, &bv ); + ch_free( str ); + if ( rc ) break; } break; case REMOTE_AUTH_DN_ATTRIBUTE: @@ -223,13 +223,13 @@ break; case REMOTE_AUTH_DEFAULT_DOMAIN: if ( ad->default_domain ) { - ber_str2bv( ad->default_domain, 0, 1, &bv ); + ber_str2bv( ad->default_domain, 0, 0, &bv ); value_add_one( &c->rvalue_vals, &bv ); } break; case REMOTE_AUTH_DEFAULT_REALM: if ( ad->default_realm ) { - ber_str2bv( ad->default_realm, 0, 1, &bv ); + ber_str2bv( ad->default_realm, 0, 0, &bv ); value_add_one( &c->rvalue_vals, &bv ); } break; @@ -246,6 +246,7 @@ } value_add_one( &c->rvalue_vals, &bv ); + ch_free( bv.bv_val ); break; case REMOTE_AUTH_TLS_PIN: { ad_pin *pin = ad->pins; 
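Review bot: In remoteauth.c the mappings case now propagates the error from `value_add_one` (`if ( rc ) break;`), but the `REMOTE_AUTH_DEFAULT_DOMAIN` and `REMOTE_AUTH_DEFAULT_REALM` arms and the `value_add_one( &c->rvalue_vals, &bv ); ch_free( bv.bv_val );` hunk still discard it. For consistency I would write `rc = value_add_one( &c->rvalue_vals, &bv );` in those arms too. Switching `ber_str2bv` to its non-duplicating form is right only as long as value_add_one copies the value, which the `ch_free( str )` placed after it assumes; a comment such as `/* value_add_one copies bv, so str can be freed afterwards */` would protect that ordering. The `sprintf` into the `strlen + strlen + 2` buffer in the context lines is sized exactly, and `snprintf` with the computed size would keep it safe if the format string changes.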
@@ -950,14 +951,19 @@ ad_info *ai = ap->mappings; while ( ai ) { + ad_info *next = ai->next; + if ( ai->domain ) ch_free( ai->domain ); if ( ai->realm ) ch_free( ai->realm ); - ai = ai->next; + + ch_free( ai ); + ai = next; } if ( ap->dn ) ch_free( ap->dn ); if ( ap->default_domain ) ch_free( ap->default_domain ); if ( ap->default_realm ) ch_free( ap->default_realm ); + if ( ap->domain_attr ) ch_free( ap->domain_attr ); bindconf_free( &ap->ad_tls ); diff -Nru openldap-2.5.13+dfsg/servers/slapd/overlays/syncprov.c openldap-2.5.14+dfsg/servers/slapd/overlays/syncprov.c --- openldap-2.5.13+dfsg/servers/slapd/overlays/syncprov.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/overlays/syncprov.c 2023-02-08 18:49:18.000000000 +0000 @@ -3585,7 +3585,7 @@ if ( slap_str2ad( "reqType", &ad_reqType, &text ) ) { Debug( LDAP_DEBUG_ANY, "syncprov_setup_accesslog: " "couldn't get definition for attribute reqType, " - "is accessslog configured?\n" ); + "is accesslog configured?\n" ); return rc; } } @@ -3594,7 +3594,7 @@ if ( slap_str2ad( "reqResult", &ad_reqResult, &text ) ) { Debug( LDAP_DEBUG_ANY, "syncprov_setup_accesslog: " "couldn't get definition for attribute reqResult, " - "is accessslog configured?\n" ); + "is accesslog configured?\n" ); return rc; } } @@ -3603,7 +3603,7 @@ if ( slap_str2ad( "reqDN", &ad_reqDN, &text ) ) { Debug( LDAP_DEBUG_ANY, "syncprov_setup_accesslog: " "couldn't get definition for attribute reqDN, " - "is accessslog configured?\n" ); + "is accesslog configured?\n" ); return rc; } } 
@@ -3612,7 +3612,7 @@ if ( slap_str2ad( "reqEntryUUID", &ad_reqEntryUUID, &text ) ) { Debug( LDAP_DEBUG_ANY, "syncprov_setup_accesslog: " "couldn't get definition for attribute reqEntryUUID, " - "is accessslog configured?\n" ); + "is accesslog configured?\n" ); return rc; } } diff -Nru openldap-2.5.13+dfsg/servers/slapd/proto-slap.h openldap-2.5.14+dfsg/servers/slapd/proto-slap.h --- openldap-2.5.13+dfsg/servers/slapd/proto-slap.h 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/proto-slap.h 2023-02-08 18:49:18.000000000 +0000 @@ -331,6 +331,9 @@ Operation *op, AttributeAssertion *ava, int freeit )); +LDAP_SLAPD_F (AttributeAssertion *) ava_dup LDAP_P(( + AttributeAssertion *ava, + void *memctx )); /* * backend.c diff -Nru openldap-2.5.13+dfsg/servers/slapd/result.c openldap-2.5.14+dfsg/servers/slapd/result.c --- openldap-2.5.13+dfsg/servers/slapd/result.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/result.c 2023-02-08 18:49:18.000000000 +0000 @@ -354,9 +354,7 @@ conn->c_writers++; while ( conn->c_writers > 0 && conn->c_writing ) { - ldap_pvt_thread_pool_idle( &connection_pool ); ldap_pvt_thread_cond_wait( &conn->c_write1_cv, &conn->c_write1_mutex ); - ldap_pvt_thread_pool_unidle( &connection_pool ); } /* connection was closed under us */ 
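Review bot: The new `ava_dup` prototype in proto-slap.h has no comment saying how the returned assertion is released. It takes a bare `void *memctx`, while the prototype just above it takes an `Operation *op` and a `freeit` flag, so a caller reading the header cannot tell which context the copy must be freed with or whether the assertion value is copied or shared. A one-line comment above the declaration, for example `/* returns a copy of ava allocated from memctx; free it with the same memctx */`, would settle that once checked against the definition, which is not part of this hunk.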
@@ -400,20 +398,28 @@ conn->c_writing = 0; ldap_pvt_thread_mutex_unlock( &conn->c_write1_mutex ); ldap_pvt_thread_mutex_lock( &conn->c_mutex ); - connection_closing( conn, close_reason ); + /* conn may have been reused by the time we get the mutex */ + if ( op->o_connid == conn->c_connid ) + connection_closing( conn, close_reason ); ldap_pvt_thread_mutex_unlock( &conn->c_mutex ); return -1; } + /* if writer is blocked and we're waiting for a pool pause, + * just drop this connection. + */ + if ( ldap_pvt_thread_pool_pausing( &connection_pool ) > 0 ) { + close_reason = "writer blocked and pool pause pending"; + goto fail; + } + /* wait for socket to be write-ready */ do_resume = 1; conn->c_writewaiter = 1; ldap_pvt_thread_mutex_unlock( &conn->c_write1_mutex ); - ldap_pvt_thread_pool_idle( &connection_pool ); slap_writewait_play( op ); err = slapd_wait_writer( conn->c_sd ); conn->c_writewaiter = 0; - ldap_pvt_thread_pool_unidle( &connection_pool ); ldap_pvt_thread_mutex_lock( &conn->c_write1_mutex ); /* 0 is timeout, so we close it. * -1 is an error, close it. diff -Nru openldap-2.5.13+dfsg/servers/slapd/saslauthz.c openldap-2.5.14+dfsg/servers/slapd/saslauthz.c --- openldap-2.5.13+dfsg/servers/slapd/saslauthz.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/saslauthz.c 2023-02-08 18:49:18.000000000 +0000 @@ -1423,8 +1423,9 @@ return 1; } + i = valx; ber_memfree( authz_rewrites[ i ].bv_val ); - for ( i = valx; !BER_BVISNULL( &authz_rewrites[ i + 1 ] ); i++ ) + for ( ; !BER_BVISNULL( &authz_rewrites[ i + 1 ] ); i++ ) { authz_rewrites[ i ] = authz_rewrites[ i + 1 ]; } diff -Nru openldap-2.5.13+dfsg/servers/slapd/schema_init.c openldap-2.5.14+dfsg/servers/slapd/schema_init.c --- openldap-2.5.13+dfsg/servers/slapd/schema_init.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/schema_init.c 2023-02-08 18:49:18.000000000 +0000 
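Review bot: The guard added before `connection_closing` in result.c is an unbraced `if` whose meaning depends on the comparison being made after `c_mutex` is taken, as the comment above it implies. Writing it as `if ( op->o_connid == conn->c_connid ) { connection_closing( conn, close_reason ); }` keeps a later edit from detaching the call from the check. The new pool-pause branch jumps to `fail`, whose label lies outside the hunk; it is worth confirming that the label sits above this block, so that the "writer blocked and pool pause pending" path goes through the same connid check before closing.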
@@ -1823,6 +1823,8 @@ for( ; u < end; u += len ) { /* get the length indicated by the first byte */ len = LDAP_UTF8_CHARLEN2( u, len ); + if ( u + len > end ) + return LDAP_INVALID_SYNTAX; /* very basic checks */ switch( len ) { diff -Nru openldap-2.5.13+dfsg/servers/slapd/slapcommon.c openldap-2.5.14+dfsg/servers/slapd/slapcommon.c --- openldap-2.5.13+dfsg/servers/slapd/slapcommon.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/slapcommon.c 2023-02-08 18:49:18.000000000 +0000 @@ -538,7 +538,7 @@ case SLAPSCHEMA: /* dump subtree */ ch_free( subtree ); - subtree = optarg; + subtree = ch_strdup( optarg ); break; } break; diff -Nru openldap-2.5.13+dfsg/servers/slapd/syncrepl.c openldap-2.5.14+dfsg/servers/slapd/syncrepl.c --- openldap-2.5.13+dfsg/servers/slapd/syncrepl.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/syncrepl.c 2023-02-08 18:49:18.000000000 +0000 @@ -1292,6 +1292,10 @@ ldap_pvt_thread_yield(); } } + if ( si->si_ctype < 0 ) { + ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_pmutex ); + return SYNC_SHUTDOWN; + } return 0; } @@ -2052,13 +2056,7 @@ Debug( LDAP_DEBUG_TRACE, "=>do_syncrepl %s\n", si->si_ridtxt ); - /* Don't get stuck here while a pause is initiated */ - while ( ldap_pvt_thread_mutex_trylock( &si->si_mutex )) { - if ( slapd_shutdown ) - return NULL; - if ( !ldap_pvt_thread_pool_pausecheck( &connection_pool )) - ldap_pvt_thread_yield(); - } + ldap_pvt_thread_mutex_lock( &si->si_mutex ); si->si_too_old = 0; @@ -5987,6 +5985,8 @@ if ( !BER_BVISEMPTY( &sie->si_monitor_ndn )) { syncrepl_monitor_del( sie ); } + ch_free( sie->si_lastCookieSent.bv_val ); + ch_free( sie->si_lastCookieRcvd.bv_val ); if ( sie->si_ld ) { if ( sie->si_conn ) { @@ -6103,7 +6103,7 @@ } if ( sie->si_cookieState ) { /* Could be called from do_syncrepl (server unpaused) */ - refresh_finished( sie ); + if ( !free_all ) refresh_finished( sie ); sie->si_cookieState->cs_ref--; if ( !sie->si_cookieState->cs_ref ) { 
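Review bot: The added bound `if ( u + len > end )` in schema_init.c computes `u + len` before comparing, which can form a pointer more than one past the end of the value when a truncated multi-byte sequence sits at the tail; C leaves that arithmetic undefined even though the pointer is never dereferenced. `if ( len > end - u ) return LDAP_INVALID_SYNTAX;` states the same limit using only in-range values, since the loop condition already guarantees `u < end`. The enclosing function and the declared type of `len` are outside the hunk, so the comparison may need a cast to match.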
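Review bot: Replacing the trylock loop in do_syncrepl with `ldap_pvt_thread_mutex_lock( &si->si_mutex )` (syncrepl.c hunk at -2052) also drops the `slapd_shutdown` early return that the loop performed while waiting. The code after the lock is outside the hunk, so whether shutdown is rechecked there is not visible. If it is not, `if ( slapd_shutdown ) { ldap_pvt_thread_mutex_unlock( &si->si_mutex ); return NULL; }` directly after the lock keeps the old exit without bringing back the pause polling.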
@@ -7168,8 +7168,6 @@ monitor_extra_t *mbe = mi->bi_extra; mbe->unregister_entry( &si->si_monitor_ndn ); } - ch_free( si->si_lastCookieSent.bv_val ); - ch_free( si->si_lastCookieRcvd.bv_val ); ch_free( si->si_monitor_ndn.bv_val ); return 0; } diff -Nru openldap-2.5.13+dfsg/servers/slapd/txn.c openldap-2.5.14+dfsg/servers/slapd/txn.c --- openldap-2.5.13+dfsg/servers/slapd/txn.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/servers/slapd/txn.c 2023-02-08 18:49:18.000000000 +0000 @@ -260,6 +260,7 @@ rc = (&o->o_bd->bd_info->bi_op_bind)[opidx]( o, &rs ); ldap_pvt_thread_mutex_lock( &c->c_mutex ); } + LDAP_SLIST_REMOVE( &o->o_extra, txn, OpExtra, oe_next ); if ( rc ) { struct berval *bv = NULL; BerElementBuffer berbuf; 
@@ -304,8 +305,53 @@ drain: /* drain txn ops list */ while (( o = LDAP_STAILQ_FIRST( &c->c_txn_ops )) != NULL ) { + int freevals = 1; + LDAP_STAILQ_REMOVE_HEAD( &c->c_txn_ops, o_next ); LDAP_STAILQ_NEXT( o, o_next ) = NULL; + + switch ( o->o_tag ) { + case LDAP_REQ_ADD: { + if ( o->ora_e != NULL ) { + OpExtra *oex; + OpExtraDB *oexdb = NULL; + LDAP_SLIST_FOREACH(oex, &o->o_extra, oe_next) { + if ( oex->oe_key == (void *)do_add ) { + oexdb = (OpExtraDB *)oex; + break; + } + } + if ( oexdb && oexdb->oe_db ) { + BackendDB *bd = o->o_bd; + o->o_bd = oexdb->oe_db; + + be_entry_release_w( o, o->ora_e ); + + o->ora_e = NULL; + o->o_bd = bd; + } else { + entry_free( o->ora_e ); + } + if ( oexdb ) { + o->o_tmpfree( oexdb, o->o_tmpmemctx ); + } + } + freevals = 0; + } /* fallthru */ + case LDAP_REQ_MODIFY: + case LDAP_REQ_MODRDN: + if ( o->orr_modlist != NULL ) { + slap_mods_free( o->orr_modlist, freevals ); + } + break; + case LDAP_REQ_DELETE: + case LDAP_REQ_EXTENDED: + break; + default: + assert( 0 ); + } + o->o_tmpfree( o->o_req_dn.bv_val, o->o_tmpmemctx ); + o->o_tmpfree( o->o_req_ndn.bv_val, o->o_tmpmemctx ); slap_op_free( o, NULL ); } diff -Nru openldap-2.5.13+dfsg/tests/data/dynlist.out openldap-2.5.14+dfsg/tests/data/dynlist.out --- openldap-2.5.13+dfsg/tests/data/dynlist.out 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/data/dynlist.out 2023-02-08 18:49:18.000000000 +0000 @@ -344,7 +344,7 @@ pager: +1 313 555 7671 facsimileTelephoneNumber: +1 313 555 7762 telephoneNumber: +1 313 555 4177 -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com # Testing filtered memberOf functionality... dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com 
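Review bot: In the LDAP_REQ_ADD case of the drain loop, the branch that calls `entry_free( o->ora_e )` leaves `o->ora_e` pointing at the freed entry, while the `be_entry_release_w` branch resets it to NULL before `slap_op_free( o, NULL )` runs. Making the two branches agree, `entry_free( o->ora_e ); o->ora_e = NULL;`, removes the stale pointer regardless of what slap_op_free does with the operation, which this hunk does not show. The `default: assert( 0 );` arm also compiles to nothing when assertions are disabled, so an unexpected tag would then skip the modlist cleanup silently; a log line in that arm would leave a trace.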
@@ -363,7 +363,66 @@ pager: +1 313 555 7671 facsimileTelephoneNumber: +1 313 555 7762 telephoneNumber: +1 313 555 4177 -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com + +# Testing filtered member functionality... +dn: cn=All Staff,ou=Groups,dc=example,dc=com +member: cn=Manager,dc=example,dc=com +member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam + ple,dc=com +member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc + =com +member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=exa + mple,dc=com +member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=exampl + e,dc=com +owner: cn=Manager,dc=example,dc=com +cn: All Staff +description: Everyone in the sample data +objectClass: groupofnames + +dn: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com +member: cn=Manager,dc=example,dc=com +member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com +owner: cn=Manager,dc=example,dc=com +description: All Alumni Assoc Staff +cn: Alumni Assoc Staff +objectClass: 
groupofnames + +dn: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com +objectClass: groupOfURLs +objectClass: dgIdentityAux +cn: Dynamic List of Members +memberURL: ldap:///ou=People,dc=example,dc=com??sub?(objectClass=person) +dgIdentity: cn=Bjorn Jensen,ou=Information Technology DivisioN,ou=People,dc=ex + ample,dc=com +dgAuthz: {0}dn:cn=Barbara Jensen,ou=Information Technology DivisioN,ou=People, + dc=example,dc=com +member: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=exam + ple,dc=com +member: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=exampl + e,dc=com +member: cn=Dorothy Stevens,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=James A Jones 1,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=exa + mple,dc=com +member: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc + =com +member: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com +member: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com # Testing static group memberOf functionality... dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com @@ -382,9 +441,9 @@ pager: +1 313 555 7671 facsimileTelephoneNumber: +1 313 555 7762 telephoneNumber: +1 313 555 4177 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=alumni assoc staff,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com # Testing static group member compare... TRUE 
@@ -441,7 +500,7 @@ memberURL: ldap:///ou=People,dc=example,dc=com??sub?(sn=Smith) description: Smith family member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com -memberOf: cn=meta group,ou=dynamic lists,dc=example,dc=com +memberOf: cn=Meta Group,ou=Dynamic Lists,dc=example,dc=com dn: cn=Mark Elliot,ou=Alumni Association,ou=People,dc=example,dc=com objectClass: OpenLDAPperson @@ -459,7 +518,7 @@ pager: +1 313 555 7671 facsimileTelephoneNumber: +1 313 555 7762 telephoneNumber: +1 313 555 4177 -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com # Testing nested static group functionality... dn: cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example, @@ -482,10 +541,10 @@ pager: +1 313 555 3233 facsimileTelephoneNumber: +1 313 555 2274 telephoneNumber: +1 313 555 9022 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=the jensens,ou=groups,dc=example,dc=com -memberOf: cn=jjs,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=The Jensens,ou=Groups,dc=example,dc=com +memberOf: cn=JJs,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc =com @@ -495,7 +554,7 @@ sn: Jensen uid: bjorn seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com -seeAlso: cn=itd staff,ou=groups,dc=example,dc=com +seeAlso: cn=ITD Staff,ou=Groups,dc=example,dc=com userPassword:: Ympvcm4= homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999 drink: Iced Tea 
@@ -507,10 +566,10 @@ pager: +1 313 555 4474 facsimileTelephoneNumber: +1 313 555 2177 telephoneNumber: +1 313 555 0355 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=the jensens,ou=groups,dc=example,dc=com -memberOf: cn=jjs,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=The Jensens,ou=Groups,dc=example,dc=com +memberOf: cn=JJs,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com objectClass: OpenLDAPperson @@ -526,10 +585,10 @@ pager: +1 313 555 2844 facsimileTelephoneNumber: +1 313 555 9700 telephoneNumber: +1 313 555 5331 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=bonus group,ou=groups,dc=example,dc=com -memberOf: cn=alumni assoc staff,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Bonus Group,ou=Groups,dc=example,dc=com +memberOf: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example ,dc=com @@ -540,7 +599,7 @@ sn: Doe uid: jjones seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com -seeAlso: cn=itd staff,ou=groups,dc=example,dc=com +seeAlso: cn=ITD Staff,ou=Groups,dc=example,dc=com homePostalAddress: 933 Brooks $ Anytown, MI 48104 homePhone: +1 313 555 8838 title: Senior Manager, Information Technology Division 
@@ -550,9 +609,9 @@ pager: +1 313 555 2833 facsimileTelephoneNumber: +1 313 555 8688 telephoneNumber: +1 313 555 7334 -memberOf: cn=jjs,ou=groups,dc=example,dc=com -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=JJs,ou=Groups,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=Jane Doe,ou=Alumni Association,ou=People,dc=example,dc=com objectClass: OpenLDAPperson @@ -571,9 +630,9 @@ pager: +1 313 555 1220 facsimileTelephoneNumber: +1 313 555 2311 telephoneNumber: +1 313 555 4774 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=alumni assoc staff,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com objectClass: OpenLDAPperson @@ -583,7 +642,7 @@ uid: johnd postalAddress: ITD $ 535 W. William $ Anytown, MI 48109 seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com -seeAlso: cn=itd staff,ou=groups,dc=example,dc=com +seeAlso: cn=ITD Staff,ou=Groups,dc=example,dc=com homePostalAddress: 912 East Bllvd $ Anytown, MI 48104 title: System Administrator, Information Technology Division description: overworked! @@ -592,8 +651,8 @@ pager: +1 313 555 6573 facsimileTelephoneNumber: +1 313 555 4544 telephoneNumber: +1 313 555 9394 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com objectClass: OpenLDAPperson 
@@ -611,12 +670,12 @@ pager: +1 313 555 6442 facsimileTelephoneNumber: +1 313 555 2756 telephoneNumber: +1 313 555 8232 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=the smiths,ou=dynamic lists,dc=example,dc=com -memberOf: cn=meta group,ou=dynamic lists,dc=example,dc=com -memberOf: cn=bonus group,ou=groups,dc=example,dc=com -memberOf: cn=alumni assoc staff,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=The Smiths,ou=Dynamic Lists,dc=example,dc=com +memberOf: cn=Meta Group,ou=Dynamic Lists,dc=example,dc=com +memberOf: cn=Bonus Group,ou=Groups,dc=example,dc=com +memberOf: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com # Testing filtered nested memberOf functionality... dn: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com @@ -635,12 +694,12 @@ pager: +1 313 555 6442 facsimileTelephoneNumber: +1 313 555 2756 telephoneNumber: +1 313 555 8232 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=the smiths,ou=dynamic lists,dc=example,dc=com -memberOf: cn=meta group,ou=dynamic lists,dc=example,dc=com -memberOf: cn=bonus group,ou=groups,dc=example,dc=com -memberOf: cn=alumni assoc staff,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=The Smiths,ou=Dynamic Lists,dc=example,dc=com +memberOf: cn=Meta Group,ou=Dynamic Lists,dc=example,dc=com +memberOf: cn=Bonus Group,ou=Groups,dc=example,dc=com +memberOf: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=Meta Group,ou=Dynamic Lists,dc=example,dc=com objectClass: groupOfURLs 
@@ -649,7 +708,7 @@ 20family) member: cn=The Smiths,ou=Dynamic Lists,dc=example,dc=com member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com -memberOf: cn=bonus group,ou=groups,dc=example,dc=com +memberOf: cn=Bonus Group,ou=Groups,dc=example,dc=com dn: cn=The Smiths,ou=Dynamic Lists,dc=example,dc=com objectClass: groupOfURLs @@ -657,8 +716,8 @@ memberURL: ldap:///ou=People,dc=example,dc=com??sub?(sn=Smith) description: Smith family member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com -memberOf: cn=meta group,ou=dynamic lists,dc=example,dc=com -memberOf: cn=bonus group,ou=groups,dc=example,dc=com +memberOf: cn=Meta Group,ou=Dynamic Lists,dc=example,dc=com +memberOf: cn=Bonus Group,ou=Groups,dc=example,dc=com dn: cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com objectClass: OpenLDAPperson @@ -674,10 +733,10 @@ pager: +1 313 555 2844 facsimileTelephoneNumber: +1 313 555 9700 telephoneNumber: +1 313 555 5331 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=bonus group,ou=groups,dc=example,dc=com -memberOf: cn=alumni assoc staff,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Bonus Group,ou=Groups,dc=example,dc=com +memberOf: cn=Alumni Assoc Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example ,dc=com 
@@ -704,10 +763,10 @@ pager: +1 313 555 3233 facsimileTelephoneNumber: +1 313 555 2274 telephoneNumber: +1 313 555 9022 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=the jensens,ou=groups,dc=example,dc=com -memberOf: cn=jjs,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=The Jensens,ou=Groups,dc=example,dc=com +memberOf: cn=JJs,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc =com @@ -717,7 +776,7 @@ sn: Jensen uid: bjorn seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com -seeAlso: cn=itd staff,ou=groups,dc=example,dc=com +seeAlso: cn=ITD Staff,ou=Groups,dc=example,dc=com userPassword:: Ympvcm4= homePostalAddress: 19923 Seven Mile Rd. $ South Lyon, MI 49999 drink: Iced Tea @@ -729,10 +788,10 @@ pager: +1 313 555 4474 facsimileTelephoneNumber: +1 313 555 2177 telephoneNumber: +1 313 555 0355 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=the jensens,ou=groups,dc=example,dc=com -memberOf: cn=jjs,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=The Jensens,ou=Groups,dc=example,dc=com +memberOf: cn=JJs,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=James A Jones 2,ou=Information Technology Division,ou=People,dc=example ,dc=com @@ -743,7 +802,7 @@ sn: Doe uid: jjones seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com -seeAlso: cn=itd staff,ou=groups,dc=example,dc=com +seeAlso: cn=ITD Staff,ou=Groups,dc=example,dc=com homePostalAddress: 933 Brooks $ Anytown, MI 48104 homePhone: +1 313 555 8838 title: Senior Manager, Information Technology Division 
@@ -753,9 +812,9 @@ pager: +1 313 555 2833 facsimileTelephoneNumber: +1 313 555 8688 telephoneNumber: +1 313 555 7334 -memberOf: cn=jjs,ou=groups,dc=example,dc=com -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=JJs,ou=Groups,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com dn: cn=John Doe,ou=Information Technology Division,ou=People,dc=example,dc=com objectClass: OpenLDAPperson @@ -765,7 +824,7 @@ uid: johnd postalAddress: ITD $ 535 W. William $ Anytown, MI 48109 seeAlso: cn=All Staff,ou=Groups,dc=example,dc=com -seeAlso: cn=itd staff,ou=groups,dc=example,dc=com +seeAlso: cn=ITD Staff,ou=Groups,dc=example,dc=com homePostalAddress: 912 East Bllvd $ Anytown, MI 48104 title: System Administrator, Information Technology Division description: overworked! @@ -774,8 +833,8 @@ pager: +1 313 555 6573 facsimileTelephoneNumber: +1 313 555 4544 telephoneNumber: +1 313 555 9394 -memberOf: cn=all staff,ou=groups,dc=example,dc=com -memberOf: cn=dynamic list of members,ou=dynamic lists,dc=example,dc=com +memberOf: cn=All Staff,ou=Groups,dc=example,dc=com +memberOf: cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com # Testing filtered nested member functionality... dn: cn=All Staff,ou=Groups,dc=example,dc=com @@ -851,7 +910,7 @@ 20family) member: cn=The Smiths,ou=Dynamic Lists,dc=example,dc=com member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com -memberOf: cn=bonus group,ou=groups,dc=example,dc=com +memberOf: cn=Bonus Group,ou=Groups,dc=example,dc=com dn: cn=The Smiths,ou=Dynamic Lists,dc=example,dc=com objectClass: groupOfURLs 
@@ -859,6 +918,6 @@ memberURL: ldap:///ou=People,dc=example,dc=com??sub?(sn=Smith) description: Smith family member: cn=Jennifer Smith,ou=Alumni Association,ou=People,dc=example,dc=com -memberOf: cn=meta group,ou=dynamic lists,dc=example,dc=com -memberOf: cn=bonus group,ou=groups,dc=example,dc=com +memberOf: cn=Meta Group,ou=Dynamic Lists,dc=example,dc=com +memberOf: cn=Bonus Group,ou=Groups,dc=example,dc=com diff -Nru openldap-2.5.13+dfsg/tests/data/regressions/its8667/its8667 openldap-2.5.14+dfsg/tests/data/regressions/its8667/its8667 --- openldap-2.5.13+dfsg/tests/data/regressions/its8667/its8667 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/data/regressions/its8667/its8667 2023-02-08 18:49:18.000000000 +0000 @@ -76,7 +76,7 @@ RC=$? if test $RC != 0 ; then - echo "slapcat -g failed for root databse ($RC)!" + echo "slapcat -g failed for root database ($RC)!" exit $RC fi diff -Nru openldap-2.5.13+dfsg/tests/data/regressions/its9400/its9400 openldap-2.5.14+dfsg/tests/data/regressions/its9400/its9400 --- openldap-2.5.13+dfsg/tests/data/regressions/its9400/its9400 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/data/regressions/its9400/its9400 2023-02-08 18:49:18.000000000 +0000 @@ -139,7 +139,7 @@ fi # -# UNSUCCESFUL SEARCH +# UNSUCCESSFUL SEARCH # echo "Using ldapsearch with idassert-bind..." $LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret" \ diff -Nru openldap-2.5.13+dfsg/tests/data/slapd-dynlist.conf openldap-2.5.14+dfsg/tests/data/slapd-dynlist.conf --- openldap-2.5.13+dfsg/tests/data/slapd-dynlist.conf 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/data/slapd-dynlist.conf 2023-02-08 18:49:18.000000000 +0000 
@@ -48,7 +48,7 @@ # we'll reconfigure the attrset dynamically overlay dynlist -dynlist-attrset groupOfURLs memberURL +dynlist-attrset groupOfURLs memberURL mail:mail database config include @TESTDIR@/configpw.conf diff -Nru openldap-2.5.13+dfsg/tests/data/slapd-homedir.conf openldap-2.5.14+dfsg/tests/data/slapd-homedir.conf --- openldap-2.5.13+dfsg/tests/data/slapd-homedir.conf 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/data/slapd-homedir.conf 2023-02-08 18:49:18.000000000 +0000 @@ -46,7 +46,7 @@ overlay homedir homedir-min-uidnumber @MINUID@ -homedir-skeleton-path @DATADIR@/homedir/skel +homedir-skeleton-path @TESTDIR@/skel homedir-regexp ^(/home/[-_/a-z0-9]+)$ @TESTDIR@/$1 homedir-delete-style ARCHIVE homedir-archive-path @TESTDIR@/archive diff -Nru openldap-2.5.13+dfsg/tests/progs/slapd-addel.c openldap-2.5.14+dfsg/tests/progs/slapd-addel.c --- openldap-2.5.13+dfsg/tests/progs/slapd-addel.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/progs/slapd-addel.c 2023-02-08 18:49:18.000000000 +0000 @@ -65,9 +65,9 @@ char *filename = NULL, *buf = NULL; int friendly = 0; struct LDIFFP *fp; - LDIFRecord record = {}; + LDIFRecord record = {0}; struct tester_conn_args *config; - struct berval bv = {}; + struct berval bv = {0}; unsigned long lineno = 0; config = tester_init( "slapd-addel", TESTER_ADDEL ); diff -Nru openldap-2.5.13+dfsg/tests/progs/slapd-common.c openldap-2.5.14+dfsg/tests/progs/slapd-common.c --- openldap-2.5.13+dfsg/tests/progs/slapd-common.c 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/progs/slapd-common.c 2023-02-08 18:49:18.000000000 +0000 @@ -522,6 +522,8 @@ if ( rc != LDAP_SUCCESS ) { tester_ldap_error( ld, "ldap_sasl_bind_s", NULL ); + ldap_unbind_ext( ld, NULL, NULL ); + ld = NULL; switch ( rc ) { case LDAP_BUSY: case LDAP_UNAVAILABLE: 
@@ -533,8 +535,6 @@ goto retry; } } - ldap_unbind_ext( ld, NULL, NULL ); - ld = NULL; if ( !( flags & TESTER_INIT_NOEXIT )) exit( EXIT_FAILURE ); } diff -Nru openldap-2.5.13+dfsg/tests/scripts/all openldap-2.5.14+dfsg/tests/scripts/all --- openldap-2.5.13+dfsg/tests/scripts/all 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/scripts/all 2023-02-08 18:49:18.000000000 +0000 @@ -25,6 +25,15 @@ SKIPCOUNT=0 SLEEPTIME=10 +# check for BSD vs GNU date +date -j >/dev/null 2>&1 +RC=$? +if [ $RC -ne 0 ]; then + DATEOPT="-d @" +else + DATEOPT="-r " +fi + echo ">>>>> Executing all LDAP tests for $BACKEND" if [ -n "$NOEXIT" ]; then diff -Nru openldap-2.5.13+dfsg/tests/scripts/lloadd-all openldap-2.5.14+dfsg/tests/scripts/lloadd-all --- openldap-2.5.13+dfsg/tests/scripts/lloadd-all 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/scripts/lloadd-all 2023-02-08 18:49:18.000000000 +0000 @@ -25,6 +25,15 @@ SKIPCOUNT=0 SLEEPTIME=10 +# check for BSD vs GNU date +date -j >/dev/null 2>&1 +RC=$? +if [ $RC -ne 0 ]; then + DATEOPT="-d @" +else + DATEOPT="-r " +fi + echo ">>>>> Executing all LDAP tests for the Load Balancer" if [ -n "$NOEXIT" ]; then diff -Nru openldap-2.5.13+dfsg/tests/scripts/test022-ppolicy openldap-2.5.14+dfsg/tests/scripts/test022-ppolicy --- openldap-2.5.13+dfsg/tests/scripts/test022-ppolicy 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/scripts/test022-ppolicy 2023-02-08 18:49:18.000000000 +0000 @@ -104,7 +104,7 @@ fi DELAY=`$LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \ - -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*seconds_before_unlock=\(\d*\)/\1/p'` + -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*seconds_before_unlock=\([[:digit:]]*\)/\1/p'` echo "Waiting $DELAY seconds for lockout to reset..." sleep $DELAY 
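Review bot: In test022-ppolicy, `sleep $DELAY` uses whatever the sed expression printed, and `sed -n` with the `p` flag prints nothing when the accountUsability output has no `seconds_before_unlock=` field, so `sleep` is then run without an argument and the test carries on without waiting. A check after the assignment, `test -n "$DELAY" || { echo "no unlock delay returned"; exit 1; }`, turns that into a clear failure. The `expire=` assignments in the later hunks of the same file (-120, -490, -735) follow the same pattern.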
@@ -120,7 +120,7 @@ fi DELAY=`$LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \ - -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\(\d*\)/\1/p'` + -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\([[:digit:]]*\)/\1/p'` echo "Testing password expiration" echo "Waiting $DELAY seconds for password to expire..." @@ -490,7 +490,7 @@ -b "$BASEDN" -s base > $SEARCHOUT 2>&1 DELAY=`$LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \ - -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\(\d*\)/\1/p'` + -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\([[:digit:]]*\)/\1/p'` echo "Waiting $DELAY seconds for password to expire..." sleep $DELAY @@ -735,7 +735,7 @@ EOMODS DELAY=`$LDAPSEARCH -D "$MANAGERDN" -H $URI1 -w $PASSWD \ - -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\(\d*\)/\1/p'` + -b "$USER" -E accountUsability 1.1 | sed -n -e 's/.*expire=\([[:digit:]]*\)/\1/p'` DELAY=`expr $DELAY - 10` echo "Testing password expiration" diff -Nru openldap-2.5.13+dfsg/tests/scripts/test044-dynlist openldap-2.5.14+dfsg/tests/scripts/test044-dynlist --- openldap-2.5.13+dfsg/tests/scripts/test044-dynlist 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/scripts/test044-dynlist 2023-02-08 18:49:18.000000000 +0000 
@@ -763,7 +763,20 @@ echo "# Testing filtered memberOf functionality..." >> $SEARCHOUT $LDAPSEARCH -S "" -b "ou=People,$BASEDN" -H $URI1 \ -D "$BABSDN" -w bjensen \ - '(&(memberOf=cn=Dynamic List of Members,ou=Dynamic Lists,dc=example,dc=com)(cn=Mark Elliot))' '*' 'memberOf' \ + "(&(memberOf=cn=Dynamic List of Members,ou=Dynamic Lists,$BASEDN)(cn=Mark Elliot))" '*' 'memberOf' \ + >> $SEARCHOUT 2>&1 +RC=$? +if test $RC != 0 ; then + echo "ldapsearch failed ($RC)!" + test $KILLSERVERS != no && kill -HUP $KILLPIDS + exit $RC +fi + +echo "Testing filtered member functionality..." +echo "# Testing filtered member functionality..." >> $SEARCHOUT +$LDAPSEARCH -S "" -b "$BASEDN" -H $URI1 \ + -D "$BABSDN" -w bjensen \ + "(member=cn=Jane Doe,ou=Alumni Association,ou=People,$BASEDN)" \ >> $SEARCHOUT 2>&1 RC=$? if test $RC != 0 ; then diff -Nru openldap-2.5.13+dfsg/tests/scripts/test079-proxy-timeout openldap-2.5.14+dfsg/tests/scripts/test079-proxy-timeout --- openldap-2.5.13+dfsg/tests/scripts/test079-proxy-timeout 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/scripts/test079-proxy-timeout 2023-02-08 18:49:18.000000000 +0000 @@ -139,10 +139,10 @@ echo "Checking that proxy has created connections towards backend (time_t now=`date +%s`)" -$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \ +$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL \ -D "cn=Manager,dc=local,dc=com" \ - -H $URI2 \ - -w $PASSWD 2>&1 | tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null + -H $URI2 -w $PASSWD olmDbConnURI 2>&1 | \ + tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null RC=$? if test $RC != 0 ; then echo "Error: LDAP connection to remote LDAP server is not found ($RC)" 
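Review bot: The new "filtered member" search in test044-dynlist is only checked through `$RC`, and ldapsearch exits 0 when a filter matches no entries. This block by itself therefore does not show that `(member=cn=Jane Doe,...)` returned the expected group. Presumably the output appended to `$SEARCHOUT` is compared against a reference file later in the script, outside this hunk. A comment such as `# RC only catches protocol errors; the matched entries are verified by the later compare of $SEARCHOUT` would make that dependency explicit.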
@@ -150,10 +150,10 @@ exit $RC fi -$LDAPSEARCH -b "cn=Connections,cn=database 3,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \ +$LDAPSEARCH -b "cn=Connections,cn=database 3,cn=databases,cn=monitor" -s one -LLL \ -D "cn=Manager,dc=local,dc=com" \ - -H $URI2 \ - -w $PASSWD 2>&1 | tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null + -H $URI2 -w $PASSWD olmDbConnURI 2>&1 | \ + tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null RC=$? if test $RC != 0 ; then echo "Error: LDAP connection to remote LDAP server is not found ($RC)" @@ -171,10 +171,10 @@ echo "Checking that proxy has closed expired connections towards the remote LDAP server (time_t now=`date +%s`)" -$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \ +$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL \ -D "cn=Manager,dc=local,dc=com" \ - -H $URI2 \ - -w $PASSWD 2>&1 | tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null + -H $URI2 -w $PASSWD olmDbConnURI 2>&1 | \ + tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null RC=$? if test $RC != 1 ; then echo "Error: LDAP connection to remote LDAP server was not closed" @@ -182,10 +182,10 @@ exit $RC fi -$LDAPSEARCH -b "cn=Connections,cn=database 3,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \ +$LDAPSEARCH -b "cn=Connections,cn=database 3,cn=databases,cn=monitor" -s one -LLL \ -D "cn=Manager,dc=local,dc=com" \ - -H $URI2 \ - -w $PASSWD 2>&1 | tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null + -H $URI2 -w $PASSWD olmDbConnURI 2>&1 | \ + tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null RC=$? if test $RC != 1 ; then echo "Error: LDAP connection to remote LDAP server was not closed" 
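Review bot: The "closed" checks in test079-proxy-timeout (first in the @@ -171 hunk) can report success when nothing was verified. `RC` is the exit status of `grep` at the end of the pipeline, so a failed ldapsearch (bind error, monitor database unreachable) also yields 1 and satisfies `test $RC != 1`. In the opposite case, where the connection is still listed, `RC` is 0 and the `exit $RC` visible at the top of the @@ -182 hunk ends the script with a success status. The same pattern appears in the @@ -182, @@ -267, @@ -278 and @@ -354 hunks. Checking the ldapsearch status separately from the grep result and exiting with a fixed non-zero code would close both gaps; the surrounding blocks start and end outside these hunks.

```shell
# CONNOUT is a file name constructed for this sketch
CONNOUT=$TESTDIR/connections.out
$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL \
	-D "cn=Manager,dc=local,dc=com" \
	-H $URI2 -w $PASSWD olmDbConnURI > $CONNOUT 2>&1
RC=$?
cat $CONNOUT >> $TESTOUT
if test $RC != 0 ; then
	echo "ldapsearch failed ($RC)!"
	# ... unchanged: server cleanup ...
	exit $RC
fi
if grep ldap://${LOCALHOST}:$PORT1 $CONNOUT >/dev/null ; then
	echo "Error: LDAP connection to remote LDAP server was not closed"
	# ... unchanged: server cleanup ...
	exit 1
fi
```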
@@ -235,10 +235,10 @@ echo "Checking that proxy has created connections towards backend (time_t now=`date +%s`)" -$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \ +$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL \ -D "cn=Manager,dc=local,dc=com" \ - -H $URI2 \ - -w $PASSWD 2>&1 | tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null + -H $URI2 -w $PASSWD olmDbConnURI 2>&1 | \ + tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null RC=$? if test $RC != 0 ; then echo "Error: LDAP connection to remote LDAP server is not found ($RC)" @@ -246,10 +246,10 @@ exit $RC fi -$LDAPSEARCH -b "cn=Connections,cn=database 3,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \ +$LDAPSEARCH -b "cn=Connections,cn=database 3,cn=databases,cn=monitor" -s one -LLL \ -D "cn=Manager,dc=local,dc=com" \ - -H $URI2 \ - -w $PASSWD 2>&1 | tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null + -H $URI2 -w $PASSWD olmDbConnURI 2>&1 | \ + tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null RC=$? if test $RC != 0 ; then echo "Error: LDAP connection to remote LDAP server is not found ($RC)" @@ -267,10 +267,10 @@ echo "Checking that proxy has closed expired connections towards the remote LDAP server (time_t now=`date +%s`)" -$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \ +$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL \ -D "cn=Manager,dc=local,dc=com" \ - -H $URI2 \ - -w $PASSWD 2>&1 | tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null + -H $URI2 -w $PASSWD olmDbConnURI 2>&1 | \ + tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null RC=$? if test $RC != 1 ; then echo "Error: LDAP connection to remote LDAP server was not closed" 
@@ -278,10 +278,10 @@ exit $RC fi -$LDAPSEARCH -b "cn=Connections,cn=database 3,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \ +$LDAPSEARCH -b "cn=Connections,cn=database 3,cn=databases,cn=monitor" -s one -LLL \ -D "cn=Manager,dc=local,dc=com" \ - -H $URI2 \ - -w $PASSWD 2>&1 | tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null + -H $URI2 -w $PASSWD olmDbConnURI 2>&1 | \ + tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null RC=$? if test $RC != 1 ; then echo "Error: LDAP connection to remote LDAP server was not closed" @@ -339,10 +339,10 @@ NOW=`date +%s` sleep `expr $CONN_EXPIRES - $NOW - 2` echo "Check that connection is still alive due to idle-timeout reset (time_t now=`date +%s`)" -$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \ +$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL \ -D "cn=Manager,dc=local,dc=com" \ - -H $URI2 \ - -w $PASSWD 2>&1 | tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null + -H $URI2 -w $PASSWD olmDbConnURI 2>&1 | \ + tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null RC=$? if test $RC != 0 ; then echo "Error: LDAP connection to remote LDAP server is not found ($RC)" 
@@ -354,10 +354,10 @@ NOW=`date +%s` sleep `expr $CONN_EXPIRES - $NOW + 2` echo "Check that connection is closed after extended idle-timeout has passed (time_t now=`date +%s`)" -$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL olmDbConnURI \ +$LDAPSEARCH -b "cn=Connections,cn=database 2,cn=databases,cn=monitor" -s one -LLL \ -D "cn=Manager,dc=local,dc=com" \ - -H $URI2 \ - -w $PASSWD 2>&1 | tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null + -H $URI2 -w $PASSWD olmDbConnURI 2>&1 | \ + tee -a $TESTOUT | grep ldap://${LOCALHOST}:$PORT1 >/dev/null RC=$? if test $RC != 1 ; then echo "Error: LDAP connection to remote LDAP server was not closed" diff -Nru openldap-2.5.13+dfsg/tests/scripts/test081-totp openldap-2.5.14+dfsg/tests/scripts/test081-totp --- openldap-2.5.13+dfsg/tests/scripts/test081-totp 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/scripts/test081-totp 2023-02-08 18:49:18.000000000 +0000 @@ -22,6 +22,12 @@ exit 0 fi +export URI1 MANAGERDN PASSWD BABSDN BJORNSDN + +OTP_DATA=$DATADIR/otp/totp.ldif + +mkdir -p $TESTDIR $DBDIR1 + for python in python3 python2 python2.7 python27 python ""; do if test x"$python" = x; then echo "Useable Python environment not found, skipping test" @@ -42,12 +48,6 @@ esac done -export URI1 MANAGERDN PASSWD BABSDN BJORNSDN - -OTP_DATA=$DATADIR/otp/totp.ldif - -mkdir -p $TESTDIR $DBDIR1 - echo "Running slapadd to build slapd database..." . $CONFFILTER $BACKEND < $CONF > $ADDCONF $SLAPADD -f $ADDCONF -l $LDIFORDERED diff -Nru openldap-2.5.13+dfsg/tests/scripts/test082-remoteauth openldap-2.5.14+dfsg/tests/scripts/test082-remoteauth --- openldap-2.5.13+dfsg/tests/scripts/test082-remoteauth 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/scripts/test082-remoteauth 2023-02-08 18:49:18.000000000 +0000 
@@ -310,7 +310,7 @@ sleep $SLEEP0 echo "Testing slapd.conf support..." -sed -e "s,database\\s*monitor,\\ +sed -e "s,database.*monitor,\\ TLSCACertificateFile $TESTDIR/tls/ca/certs/testsuiteCA.crt\\ \\ #remoteauthmod#moduleload ../servers/slapd/overlays/remoteauth.la\\ diff -Nru openldap-2.5.13+dfsg/tests/scripts/test085-homedir openldap-2.5.14+dfsg/tests/scripts/test085-homedir --- openldap-2.5.13+dfsg/tests/scripts/test085-homedir 2022-07-14 17:09:57.000000000 +0000 +++ openldap-2.5.14+dfsg/tests/scripts/test085-homedir 2023-02-08 18:49:18.000000000 +0000 @@ -23,6 +23,10 @@ mkdir -p $TESTDIR $DBDIR1 $TESTDIR/home $TESTDIR/archive +# copy skel dir so we can create symlinks in it +cp -r $DATADIR/homedir/skel $TESTDIR +(cd $TESTDIR/skel; mkdir directory; ln -s directory symlink; cd directory; ln -s ../target "broken link") + $SLAPPASSWD -g -n >$CONFIGPWF echo "rootpw `$SLAPPASSWD -T $CONFIGPWF`" >$TESTDIR/configpw.conf
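Review bot: `database.*monitor` in test082-remoteauth is looser than the `database\\s*monitor` it replaces. `.*` is greedy and matches any line with "database" followed anywhere by "monitor", not only whitespace between the two words. The portable spelling of the original intent is a bracket class, in line with the `[[:digit:]]` fix made in test022-ppolicy: `sed -e "s,database[[:space:]]*monitor,\\`. The sed expression continues past the end of this hunk.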
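Review bot: The subshell added in test085-homedir, `(cd $TESTDIR/skel; mkdir directory; ...)`, joins its commands with `;`. If the `cp -r` or either `cd` fails, the `mkdir` and `ln -s` calls still run in whatever directory the subshell is in and leave the directory and links in the wrong place. Chaining with `&&` stops at the first failure: `(cd $TESTDIR/skel && mkdir directory && ln -s directory symlink && cd directory && ln -s ../target "broken link")`. Quoting `"$TESTDIR"` and `"$DATADIR"` would also keep the copy and the links inside the test tree when a path contains spaces.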