diff --git a/slapi-nis-bz1979619.patch b/slapi-nis-bz1979619.patch
new file mode 100644
index 0000000..93762b4
--- /dev/null
+++ b/slapi-nis-bz1979619.patch
@@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership. Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping. sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
++++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ return NULL;
+ }
+
+- do {
++ for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ grouplist, &ngroups,
+ &lerrno);
+- if ((rc != NSS_STATUS_SUCCESS)) {
+- tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+- if (tmp_list == NULL) {
++ if (rc == NSS_STATUS_TRYAGAIN) {
++ tmp_list = NULL;
++ if (lerrno == ERANGE) {
++ tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
++ }
++ if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ free(grouplist);
+ return NULL;
+ }
+ grouplist = tmp_list;
+ }
+- } while (rc != NSS_STATUS_SUCCESS);
++ }
+
+ entries = calloc(ngroups + 1, sizeof(entries[0]));
+ if (entries == NULL) {
+--
+2.31.1
+
diff --git a/slapi-nis-bz1979623.patch b/slapi-nis-bz1979623.patch
new file mode 100644
index 0000000..07c2282
--- /dev/null
+++ b/slapi-nis-bz1979623.patch
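Review bot: In the embedded src/back-sch-nss.c hunk of slapi-nis-bz1979619.patch, the new `for` loop exits on every status other than NSS_STATUS_TRYAGAIN, yet the next visible statement is `entries = calloc(ngroups + 1, sizeof(entries[0]));` with no check that the lookup succeeded. Unless code outside the hunk tests `rc`, a failed lookup would go on to use whatever `grouplist` and `ngroups` held before the call, and per the commit message this list is the user's group membership. I would add `if (rc != NSS_STATUS_SUCCESS) { free(grouplist); return NULL; }` directly after the loop. The `(lerrno == ENOMEM)` test is redundant as written, because `tmp_list` is already NULL whenever `lerrno` is not ERANGE. The enclosing function starts and ends outside the hunk.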
@@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy
+Signed-off-by: Thierry Bordaz
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+
+ /* Check the group itself. */
+ group_dn = slapi_sdn_new_dn_byval(group);
+- if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+- cbdata->scope) == 1) {
++ if (backend_should_descend(group_dn,
++ cbdata->target_dn,
++ cbdata->scope)) {
+ cbdata->answer = TRUE;
+ slapi_sdn_free(&group_dn);
+ return TRUE;
+--
+2.31.1
+
diff --git a/slapi-nis.spec b/slapi-nis.spec
index 9bd6cf2..3e7d3a7 100644
--- a/slapi-nis.spec
+++ b/slapi-nis.spec
@@ -11,12 +11,15 @@ Name: slapi-nis Version: 0.56.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: NIS Server and Schema Compatibility plugins for Directory Server License: GPLv2 URL: http://pagure.io/slapi-nis/ Source0: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz Source1: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc +Patch1: slapi-nis-bz1979623.patch +Patch2: slapi-nis-bz1979619.patch + BuildRequires: make BuildRequires: autoconf BuildRequires: automake
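Review bot: In the embedded src/back-sch.c hunk of slapi-nis-bz1979623.patch, the retained comment `/* Check the group itself. */` no longer describes the condition, which is now a descend decision rather than a scope test on the group DN. I would replace it with something like `/* Match if the search should descend into this group, as the other search callbacks do. */`. backend_should_descend() is defined outside the hunk, so its behaviour per scope cannot be checked here; because this branch sets `cbdata->answer = TRUE`, it looks like it decides whether the search is answered from this set, and a regression test covering base, one-level and subtree scopes would pin that down. The function body continues outside the hunk.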
@@ -55,6 +58,8 @@ for attributes from multiple entries in the tree. %prep %setup -q +%patch1 -p1 +%patch2 -p1 %build autoconf --force @@ -82,6 +87,12 @@ make check %{_sbindir}/nisserver-plugin-defs %changelog +* Wed Jul 07 2021 Alexander Bokovoy - 0.56.7-2 +- Resolves: rhbz#1979619 + IPA: High CPU utilization (over 1000% plus) by ns-slapd process +- Resolves: rhbz#1979623 + With base object scope, ldapsearch against compat tree does not return any data on Rhel8 IPA servers. + * Wed May 19 2021 Alexander Bokovoy - 0.56.7-1 - CVE-2021-3480: invalid bind DN crash - New upstream release