Synchronize slapi-nis with RHEL 8.5 build

Resolves: rhbz#1979619 IPA: High CPU utilization (over 1000% plus) by ns-slapd process Resolves: rhbz#1979623 With base object scope, ldapsearch against compat tree does not return any data on Rhel8 IPA servers. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2021-07-07 14:11:56 +03:00 · 2021-07-07 14:11:56 +03:00 · 970d600dd5
parent 82146c00c9
commit 970d600dd5
3 changed files with 105 additions and 1 deletions
--- a/slapi-nis-bz1979619.patch
+++ b/slapi-nis-bz1979619.patch
@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership.  Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping.  sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
+++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ 		return NULL;
+ 	}
+ 
+-	do {
+	for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ 		rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ 					      grouplist, &ngroups,
+ 					      &lerrno);
+-		if ((rc != NSS_STATUS_SUCCESS)) {
+-			tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+-			if (tmp_list == NULL) {
+		if (rc == NSS_STATUS_TRYAGAIN) {
+			tmp_list = NULL;
+			if (lerrno == ERANGE) {
+				tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+			}
+			if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ 				free(grouplist);
+ 				return NULL;
+ 			}
+ 			grouplist = tmp_list;
+ 		}
+-	} while (rc != NSS_STATUS_SUCCESS);
+	}
+ 
+ 	entries = calloc(ngroups + 1, sizeof(entries[0]));
+ 	if (entries == NULL) {
+-- 
+2.31.1
+
--- a/slapi-nis-bz1979623.patch
+++ b/slapi-nis-bz1979623.patch
@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
+++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+ 
+ 	/* Check the group itself. */
+ 	group_dn = slapi_sdn_new_dn_byval(group);
+-	if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+-				 cbdata->scope) == 1) {
+	if (backend_should_descend(group_dn,
+				   cbdata->target_dn,
+				   cbdata->scope)) {
+ 		cbdata->answer = TRUE;
+ 		slapi_sdn_free(&group_dn);
+ 		return TRUE;
+-- 
+2.31.1
+
--- a/slapi-nis.spec
+++ b/slapi-nis.spec
@ -11,12 +11,15 @@

 Name:		slapi-nis
 Version:	0.56.7
-Release:	1%{?dist}
+Release:	2%{?dist}
 Summary:	NIS Server and Schema Compatibility plugins for Directory Server
 License:	GPLv2
 URL:		http://pagure.io/slapi-nis/
 Source0:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
 Source1:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
+Patch1:         slapi-nis-bz1979623.patch
+Patch2:         slapi-nis-bz1979619.patch
+
 BuildRequires: make
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -55,6 +58,8 @@ for attributes from multiple entries in the tree.

 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1

 %build
 autoconf --force
@ -82,6 +87,12 @@ make check
 %{_sbindir}/nisserver-plugin-defs

 %changelog
+* Wed Jul 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-2
+- Resolves: rhbz#1979619
+  IPA: High CPU utilization (over 1000% plus) by ns-slapd process
+- Resolves: rhbz#1979623
+  With base object scope, ldapsearch against compat tree does not return any data on Rhel8 IPA servers.
+
 * Wed May 19 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-1
 - CVE-2021-3480: invalid bind DN crash
 - New upstream release