Bump version to 1.4.3.39-20

- Resolves: RHEL-140086 - Upgrading IDM to latest version: 389-ds-base and ipa-server breaks replication [rhel-8.10.z]
2026-01-13 13:14:29 +05:30 · 2026-01-13 13:14:29 +05:30 · f40036e368
commit f40036e368
parent cd1fe41d86
3 changed files with 163 additions and 1 deletions
--- a/0074-Issue-7172-Index-ordering-mismatch-after-upgrade-717.patch
+++ b/0074-Issue-7172-Index-ordering-mismatch-after-upgrade-717.patch
@ -0,0 +1,90 @@
+From aa0240c73c000f1d8a009a7394b04afc806504b3 Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Fri, 9 Jan 2026 11:39:50 +0100
+Subject: [PATCH 1/2] Issue 7172 - Index ordering mismatch after upgrade
+ (#7173)
+
+Bug Description:
+Commit daf731f55071d45eaf403a52b63d35f4e699ff28 introduced a regression.
+After upgrading to a version that adds `integerOrderingMatch` matching
+rule to `parentid` and `ancestorid` indexes, searches may return empty
+or incorrect results.
+
+This happens because the existing index data was created with
+lexicographic ordering, but the new compare function expects integer
+ordering. Index lookups fail because the compare function doesn't match
+the data ordering.
+The root cause is that `ldbm_instance_create_default_indexes()` calls
+`attr_index_config()` unconditionally for `parentid` and `ancestorid`
+indexes, which triggers `ainfo_dup()` to overwrite `ai_key_cmp_fn` on
+existing indexes. This breaks indexes that were created without the
+`integerOrderingMatch` matching rule.
+
+Fix Description:
+* Call `attr_index_config()` for `parentid` and `ancestorid` indexes
+only if index config doesn't exist.
+
+* Add `upgrade_check_id_index_matching_rule()` that logs an error on
+server startup if `parentid` or `ancestorid` indexes are missing the
+integerOrderingMatch matching rule, advising administrators to reindex.
+
+Fixes: https://github.com/389ds/389-ds-base/issues/7172
+
+Reviewed by: @tbordaz, @progier389, @droideck (Thanks!)
+---
+ ldap/servers/slapd/back-ldbm/instance.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/instance.c b/ldap/servers/slapd/back-ldbm/instance.c
+index 65084c61c..04340a992 100644
+--- a/ldap/servers/slapd/back-ldbm/instance.c
+++ b/ldap/servers/slapd/back-ldbm/instance.c
+@@ -191,6 +191,7 @@ ldbm_instance_create_default_indexes(backend *be)
+     char *ancestorid_indexes_limit = NULL;
+     char *parentid_indexes_limit = NULL;
+     struct attrinfo *ai = NULL;
+    struct attrinfo *index_already_configured = NULL;
+     struct index_idlistsizeinfo *iter;
+     int cookie;
+     int limit;
+@@ -255,10 +256,14 @@ ldbm_instance_create_default_indexes(backend *be)
+         slapi_entry_free(e);
+     }
+ 
+-    e = ldbm_instance_init_config_entry(LDBM_PARENTID_STR, "eq", 0, 0, 0, "integerOrderingMatch", parentid_indexes_limit);
+-    ldbm_instance_config_add_index_entry(inst, e, flags);
+-    attr_index_config(be, "ldbm index init", 0, e, 1, 0, NULL);
+-    slapi_entry_free(e);
+    ainfo_get(be, (char *)LDBM_PARENTID_STR, &ai);
+    index_already_configured = ai;
+    if (!index_already_configured) {
+        e = ldbm_instance_init_config_entry(LDBM_PARENTID_STR, "eq", 0, 0, 0, "integerOrderingMatch", parentid_indexes_limit);
+        ldbm_instance_config_add_index_entry(inst, e, flags);
+        attr_index_config(be, "ldbm index init", 0, e, 1, 0, NULL);
+        slapi_entry_free(e);
+    }
+ 
+     e = ldbm_instance_init_config_entry("objectclass", "eq", 0, 0, 0, 0, 0);
+     ldbm_instance_config_add_index_entry(inst, e, flags);
+@@ -302,10 +307,14 @@ ldbm_instance_create_default_indexes(backend *be)
+          * ancestorid is special, there is actually no such attr type
+          * but we still want to use the attr index file APIs.
+          */
+-        e = ldbm_instance_init_config_entry(LDBM_ANCESTORID_STR, "eq", 0, 0, 0, "integerOrderingMatch", ancestorid_indexes_limit);
+-        ldbm_instance_config_add_index_entry(inst, e, flags);
+-        attr_index_config(be, "ldbm index init", 0, e, 1, 0, NULL);
+-        slapi_entry_free(e);
+        ainfo_get(be, (char *)LDBM_ANCESTORID_STR, &ai);
+        index_already_configured = ai;
+        if (!index_already_configured) {
+            e = ldbm_instance_init_config_entry(LDBM_ANCESTORID_STR, "eq", 0, 0, 0, "integerOrderingMatch", ancestorid_indexes_limit);
+            ldbm_instance_config_add_index_entry(inst, e, flags);
+            attr_index_config(be, "ldbm index init", 0, e, 1, 0, NULL);
+            slapi_entry_free(e);
+        }
+     }
+ 
+     slapi_ch_free_string(&ancestorid_indexes_limit);
+-- 
+2.52.0
+
--- a/0075-Issue-7172-2nd-Index-ordering-mismatch-after-upgrade.patch
+++ b/0075-Issue-7172-2nd-Index-ordering-mismatch-after-upgrade.patch
@ -0,0 +1,67 @@
+From 2d9618da04161d7aecf2a19f5c06cd0b5749921c Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Mon, 12 Jan 2026 10:58:02 +0100
+Subject: [PATCH 2/2] Issue 7172 - (2nd) Index ordering mismatch after upgrade
+ (#7180)
+
+Commit 742c12e0247ab64e87da000a4de2f3e5c99044ab introduced a regression
+where the check to skip creating parentid/ancestorid indexes if they
+already exist was incorrect.
+The `ainfo_get()` function falls back to returning
+LDBM_PSEUDO_ATTR_DEFAULT attrinfo when the requested attribute is not
+found.
+Since LDBM_PSEUDO_ATTR_DEFAULT is created before the ancestorid check,
+`ainfo_get()` returns LDBM_PSEUDO_ATTR_DEFAULT instead of NULL, causing
+the ancestorid index creation to be skipped entirely.
+
+When operations later try to use the ancestorid index, they fall back to
+LDBM_PSEUDO_ATTR_DEFAULT, and attempting to open the .default dbi
+mid-transaction fails with MDB_NOTFOUND (-30798).
+
+Fix Description:
+Instead of just checking if `ainfo_get()` returns non-NULL, verify that
+the returned attrinfo is actually for the requested attribute.
+
+Fixes: https://github.com/389ds/389-ds-base/issues/7172
+
+Reviewed by: @tbordaz (Thanks!)
+---
+ ldap/servers/slapd/back-ldbm/instance.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/instance.c b/ldap/servers/slapd/back-ldbm/instance.c
+index 04340a992..29643f7e4 100644
+--- a/ldap/servers/slapd/back-ldbm/instance.c
+++ b/ldap/servers/slapd/back-ldbm/instance.c
+@@ -191,7 +191,7 @@ ldbm_instance_create_default_indexes(backend *be)
+     char *ancestorid_indexes_limit = NULL;
+     char *parentid_indexes_limit = NULL;
+     struct attrinfo *ai = NULL;
+-    struct attrinfo *index_already_configured = NULL;
+    int index_already_configured = 0;
+     struct index_idlistsizeinfo *iter;
+     int cookie;
+     int limit;
+@@ -257,7 +257,8 @@ ldbm_instance_create_default_indexes(backend *be)
+     }
+ 
+     ainfo_get(be, (char *)LDBM_PARENTID_STR, &ai);
+-    index_already_configured = ai;
+    /* Check if the attrinfo is actually for parentid, not a fallback to .default */
+    index_already_configured = (ai != NULL && strcmp(ai->ai_type, LDBM_PARENTID_STR) == 0);
+     if (!index_already_configured) {
+         e = ldbm_instance_init_config_entry(LDBM_PARENTID_STR, "eq", 0, 0, 0, "integerOrderingMatch", parentid_indexes_limit);
+         ldbm_instance_config_add_index_entry(inst, e, flags);
+@@ -308,7 +309,8 @@ ldbm_instance_create_default_indexes(backend *be)
+          * but we still want to use the attr index file APIs.
+          */
+         ainfo_get(be, (char *)LDBM_ANCESTORID_STR, &ai);
+-        index_already_configured = ai;
+        /* Check if the attrinfo is actually for ancestorid, not a fallback to .default */
+        index_already_configured = (ai != NULL && strcmp(ai->ai_type, LDBM_ANCESTORID_STR) == 0);
+         if (!index_already_configured) {
+             e = ldbm_instance_init_config_entry(LDBM_ANCESTORID_STR, "eq", 0, 0, 0, "integerOrderingMatch", ancestorid_indexes_limit);
+             ldbm_instance_config_add_index_entry(inst, e, flags);
+-- 
+2.52.0
+
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@ -52,7 +52,7 @@ ExcludeArch: i686
 Summary:          389 Directory Server (base)
 Name:             389-ds-base
 Version:          1.4.3.39
-Release:          %{?relprefix}19%{?prerel}%{?dist}
+Release:          %{?relprefix}20%{?prerel}%{?dist}
 License:          GPL-3.0-or-later WITH GPL-3.0-389-ds-base-exception AND (0BSD OR Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR BSD-2-Clause OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR LGPL-2.1-or-later OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (Apache-2.0 OR MIT) AND (MIT OR Apache-2.0) AND Unicode-3.0 AND (MIT OR Unlicense) AND Apache-2.0 AND BSD-3-Clause AND MIT AND MPL-2.0
 URL:              https://www.port389.org
 Group:            System Environment/Daemons
@ -371,6 +371,8 @@ Patch70:          0070-Issue-6901-Update-changelog-trimming-logging-7102.patch
 Patch71:          0071-Issue-7007-Improve-paged-result-search-locking.patch
 Patch72:          0072-Issue-6966-2nd-On-large-DB-unlimited-IDL-scan-limit-.patch
 Patch73:          0073-Issue-7056-DSBLE0007-doesn-t-generate-remediation-st.patch
+Patch74:          0074-Issue-7172-Index-ordering-mismatch-after-upgrade-717.patch
+Patch75:          0075-Issue-7172-2nd-Index-ordering-mismatch-after-upgrade.patch


 #Patch100:         cargo.patch
@ -996,6 +998,9 @@ exit 0
 %doc README.md

 %changelog
+* Tue Jan 13 2026 Arun Bansal <arbansal@redhat.com> - 1.4.3.39-20
+- Resolves: RHEL-140086 - Upgrading IDM to latest version: 389-ds-base and ipa-server breaks replication [rhel-8.10.z]
+
 * Fri Dec 05 2025 Masahiro Matsuya <mmatsuya@redhat.com> - 1.4.3.39-19
 - Resolves: RHEL-117759 - Replication online reinitialization of a large database gets stalled. [rhel-8.10.z]