commit 97fc77eba8f4393f58cafec3ace8d55538802ebf Author: James Antill Date: Mon Aug 8 12:29:28 2022 -0400 Import rpm: cd0fdc937340a9988d8e08e93603217dc290d511
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..708c42f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/slapi-nis-0.56.6.tar.gz
diff --git a/0001-support-transition-from-libtirpc-to-libnsl-in-Fedora.patch b/0001-support-transition-from-libtirpc-to-libnsl-in-Fedora.patch
new file mode 100644
index 0000000..d7c7d83
--- /dev/null
+++ b/0001-support-transition-from-libtirpc-to-libnsl-in-Fedora.patch
@@ -0,0 +1,28 @@
+From 062c157013c5af8714d9015582de898b42d1a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 2 May 2018 08:56:15 +0300
+Subject: [PATCH] support transition from libtirpc to libnsl in Fedora 28
+
+libnsl2-devel in Fedora 28 depends on libtirpc-devel internally
+so we can also reduce the dependency in spec
+
+diff --git a/configure.ac b/configure.ac
+index 184a9af..80f2ca2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -273,6 +273,12 @@ AC_ARG_WITH(tirpc,
+ ])
+ if test $use_tirpc = yes ; then
+ PKG_CHECK_MODULES(TIRPC,libtirpc)
++fi
++
++PKG_CHECK_MODULES(NSL,libnsl,[use_libnsl=yes],[use_libnsl=no])
++if test "$use_libnsl" = yes ; then
++ RPC_CFLAGS="$NSL_CFLAGS"
++ RPC_LIBS="$NSL_LIBS"
+ else
+ RPC_CFLAGS=
+ RPC_LIBS=-lnsl
+--
+2.14.3
+
diff --git a/cve-2021-3480-fix.patch b/cve-2021-3480-fix.patch
new file mode 100644
index 0000000..592c2d3
--- /dev/null
+++ b/cve-2021-3480-fix.patch
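Review bot: Nothing in slapi-nis.spec applies this file: the spec declares only `Patch1: cve-2021-3480-fix.patch` through `Patch4: slapi-nis-bz2000919.patch`, so 0001-support-transition-from-libtirpc-to-libnsl-in-Fedora.patch is imported but never used by %prep. The same is true of slapi-nis-bz1979619.patch and slapi-nis-bz1979623.patch, whose index lines (93762b4 and 07c2282) show they are byte-identical to slapi-nis-bz1978189.patch and slapi-nis-bz1958909.patch. Unreferenced patch files make it harder to audit which fixes the built package actually carries. Either drop them or record in the spec why they are kept, e.g. `# 0001-...-Fedora.patch: not applied, <reason>`.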
@@ -0,0 +1,33 @@
+From 2f2b7ecd9d6a0f5044c24e4f96464942a1d873db Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 7 Apr 2021 14:40:52 +0300
+Subject: [PATCH] CVE-2021-3480: invalid bind DN crash
+
+For certain LDAP bind operations 389-ds would pass unvalidated bind DN
+to bind plugins. A first attempt to normalize the DN would find that out
+and should reject the request.
+
+Signed-off-by: Alexander Bokovoy
+---
+ src/back-sch.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index a5e4c04..d806627 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1988,6 +1988,11 @@ backend_locate_cb(const char *group, const char *set, bool_t flag,
+ rdn = slapi_rdn_new_sdn(cbdata->target_dn);
+ if (rdn != NULL) {
+ rdnstr = slapi_rdn_get_nrdn(rdn);
++ if (rdnstr == NULL) {
++ /* normalizing RDN failed, break the search */
++ slapi_rdn_free(&rdn);
++ return FALSE;
++ }
+ if (map_match(cbdata->state, group, set, &flag,
+ strlen(rdnstr), rdnstr,
+ &ndnlen, &ndn,
+--
+2.31.1
+
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..6ab516d
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,7 @@
+# recipients: abokovoy, frenaud, kaleem, ftrivino
+--- !Policy
+product_versions:
+ - rhel-9
+decision_context: osci_compose_gate
+rules:
+ - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
diff --git a/slapi-nis-0.56.6.tar.gz.asc b/slapi-nis-0.56.6.tar.gz.asc
new file mode 100644
index 0000000..bd7d686
--- /dev/null
+++ b/slapi-nis-0.56.6.tar.gz.asc
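Review bot: The comment on the added guard in the src/back-sch.c hunk, `/* normalizing RDN failed, break the search */`, does not say why `slapi_rdn_get_nrdn()` can return NULL here or what `FALSE` means to the caller, so a later cleanup could drop the check and reopen the NULL `strlen(rdnstr)` dereference on the following lines. I would expand it to something like `/* CVE-2021-3480: the bind DN may reach us unvalidated; a NULL normalized RDN means it is malformed, so free rdn and reject instead of passing NULL to strlen() */`. The rejection is also silent, and a plugin-log message at this point would let operators see malformed bind DNs being sent to the server. backend_locate_cb starts and ends outside the hunk, so whether returning FALSE stops or continues the iteration cannot be confirmed from here.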
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl/KPI0ACgkQRxniuKu/
+Yhp7KA//aI0HHAGWn56NjsbLCdk98tpt3YekptGwKpaDiFan7An2JtnJe3CvC71q
+pAWtj1VduHLx+cAxRaRPKSheMkqv9qKrIvhtDHKEgTs9zkxZ02AYa8Emof9x8v6h
+KsnRYMpy5TmKlvT8urnNbrkQXcxGvfjkaBYdaLegT87tSuLsB5vmZpfDbcdMuZ6V
+mfU7JOoKpq0aXg/cYfSc3Br8njZujQXjdUipwKQMBQivNdFzkUk/ly6v8eWXP0O5
+TlD0Rg8QMcSVgqG8hcLVzka078AHzAlOK1B2hGRuFXfRrnd88mDxPps7UEbEfSy3
+oULXpXdQGVet7kujo8JfUyS5D4yiJOS2q/KmES8IGpIUeiwrV+383/pU2UY+lCUU
+Cjv62t4YAwsFOOo+2z0thmzvpEc6FtP9mMx88JRX01OkSCapThgPaGKMfr8wM5Ez
+/3YK4RC14FybOF6jruoTkvlW0b4d6wsZwPHOKs+IeflO8UzncwfxY8L7GiSwTmC/
+40QYCNrXmo79dyg9MGvXtBhUOnfZ41zSVdpzN3EZ5ulMZvdnsBeRK2ixImgQKLSf
+80uZV0k/+koInWYnUQYMbTpKP1843KxZWnLmfd82w1ju5fAsSoDvu9MnomswiRhp
+PzQdcWBSjcQxWjVxwN4RKXqcLCxm99xywTHYIP1xSCuN22KNOLk=
+=EOmw
+-----END PGP SIGNATURE-----
diff --git a/slapi-nis-bz1958909.patch b/slapi-nis-bz1958909.patch
new file mode 100644
index 0000000..07c2282
--- /dev/null
+++ b/slapi-nis-bz1958909.patch
@@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy
+Signed-off-by: Thierry Bordaz
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+
+ /* Check the group itself. */
+ group_dn = slapi_sdn_new_dn_byval(group);
+- if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+- cbdata->scope) == 1) {
++ if (backend_should_descend(group_dn,
++ cbdata->target_dn,
++ cbdata->scope)) {
+ cbdata->answer = TRUE;
+ slapi_sdn_free(&group_dn);
+ return TRUE;
+--
+2.31.1
+
diff --git a/slapi-nis-bz1978189.patch b/slapi-nis-bz1978189.patch
new file mode 100644
index 0000000..93762b4
--- /dev/null
+++ b/slapi-nis-bz1978189.patch
@@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership. Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping. sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
++++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ return NULL;
+ }
+
+- do {
++ for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ grouplist, &ngroups,
+ &lerrno);
+- if ((rc != NSS_STATUS_SUCCESS)) {
+- tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+- if (tmp_list == NULL) {
++ if (rc == NSS_STATUS_TRYAGAIN) {
++ tmp_list = NULL;
++ if (lerrno == ERANGE) {
++ tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
++ }
++ if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ free(grouplist);
+ return NULL;
+ }
+ grouplist = tmp_list;
+ }
+- } while (rc != NSS_STATUS_SUCCESS);
++ }
+
+ entries = calloc(ngroups + 1, sizeof(entries[0]));
+ if (entries == NULL) {
+--
+2.31.1
+
diff --git a/slapi-nis-bz1979619.patch b/slapi-nis-bz1979619.patch
new file mode 100644
index 0000000..93762b4
--- /dev/null
+++ b/slapi-nis-bz1979619.patch
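Review bot: After the rewritten loop in src/back-sch-nss.c exits, `rc` is never compared with `NSS_STATUS_SUCCESS` before `entries = calloc(ngroups + 1, sizeof(entries[0]));`, so any status other than TRYAGAIN (for example the timeout case the commit message describes) falls through, and the code below appears to treat `grouplist` and `ngroups` as a valid result. A check right after the loop, `if (rc != NSS_STATUS_SUCCESS) { free(grouplist); return NULL; }`, would match the error paths already in the hunk. Separately, the ERANGE branch retries with no upper bound and relies on the callee having enlarged `ngroups`; if it has not, the loop still spins, and a zero or negative `ngroups` makes the `realloc` size unsafe. The enclosing function starts and ends outside the hunk, so later handling of `rc` cannot be ruled out. The same hunk is repeated in slapi-nis-bz1979619.patch.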
@@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership. Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping. sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
++++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ return NULL;
+ }
+
+- do {
++ for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ grouplist, &ngroups,
+ &lerrno);
+- if ((rc != NSS_STATUS_SUCCESS)) {
+- tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+- if (tmp_list == NULL) {
++ if (rc == NSS_STATUS_TRYAGAIN) {
++ tmp_list = NULL;
++ if (lerrno == ERANGE) {
++ tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
++ }
++ if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ free(grouplist);
+ return NULL;
+ }
+ grouplist = tmp_list;
+ }
+- } while (rc != NSS_STATUS_SUCCESS);
++ }
+
+ entries = calloc(ngroups + 1, sizeof(entries[0]));
+ if (entries == NULL) {
+--
+2.31.1
+
diff --git a/slapi-nis-bz1979623.patch b/slapi-nis-bz1979623.patch
new file mode 100644
index 0000000..07c2282
--- /dev/null
+++ b/slapi-nis-bz1979623.patch
@@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy
+Signed-off-by: Thierry Bordaz
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+
+ /* Check the group itself. */
+ group_dn = slapi_sdn_new_dn_byval(group);
+- if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+- cbdata->scope) == 1) {
++ if (backend_should_descend(group_dn,
++ cbdata->target_dn,
++ cbdata->scope)) {
+ cbdata->answer = TRUE;
+ slapi_sdn_free(&group_dn);
+ return TRUE;
+--
+2.31.1
+
diff --git a/slapi-nis-bz2000919.patch b/slapi-nis-bz2000919.patch
new file mode 100644
index 0000000..af220f9
--- /dev/null
+++ b/slapi-nis-bz2000919.patch
@@ -0,0 +1,27 @@
+From 02a9cb46ece79d6205a847e6941a772febe47cff Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov
+Date: Thu, 5 Aug 2021 16:04:49 +0200
+Subject: [PATCH] back-sch: fix memory leak in backend_search_cb()
+
+Resolves: rhbz#1967906
+
+Signed-off-by: Viktor Ashirov
+---
+ src/back-sch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index 0ed06fb..172d619 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1793,6 +1793,7 @@ backend_search_cb(Slapi_PBlock *pb)
+ slapi_ch_free_string(&target);
+ if (cbdata.answer == FALSE) {
+ /* None of the configured trees in the sets matched the target at all, ignore search */
++ slapi_sdn_free(&cbdata.target_dn);
+ return 0;
+ }
+ }
+--
+2.31.1
+
diff --git a/slapi-nis.spec b/slapi-nis.spec
new file mode 100644
index 0000000..bcd68e9
--- /dev/null
+++ b/slapi-nis.spec
@@ -0,0 +1,526 @@ +%if 0%{?fedora} >= 14 || 0%{?rhel} >= 6 +%define ldap_impl openldap +%else +%define ldap_impl mozldap +%endif +%if 0%{?fedora} >= 18 || 0%{?rhel} >= 6 +%define betxn_opts --enable-be-txns-by-default +%else +%define betxn_opts --disable-be-txns-by-default +%endif + +Name: slapi-nis +Version: 0.56.6 +Release: 4%{?dist} +Summary: NIS Server and Schema Compatibility plugins for Directory Server +Group: System Environment/Daemons +License: GPLv2 +URL: http://pagure.io/slapi-nis/ +Source0: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz +Source1: https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc +Patch1: cve-2021-3480-fix.patch +Patch2: slapi-nis-bz1978189.patch +Patch3: slapi-nis-bz1958909.patch +Patch4: slapi-nis-bz2000919.patch + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +BuildRequires: 389-ds-base-devel >= 1.3.5.6, %{ldap_impl}-devel +BuildRequires: nspr-devel, nss-devel, /usr/bin/rpcgen +%if 0%{?fedora} > 18 || 0%{?rhel} > 6 +BuildRequires: libsss_nss_idmap-devel > 1.16.0-5 +%define sss_nss_opts --with-sss-nss-idmap --with-idviews +%else +%define sss_nss_opts %{nil} +%endif +BuildRequires: pam-devel +%if (0%{?fedora} > 14 && 0%{?fedora} < 28) || (0%{?rhel} > 6 && 0%{?rhel} < 8) +BuildRequires: libtirpc-devel +%else +BuildRequires: libnsl2-devel +%endif +%if 0%{?fedora} > 27 || 0%{?rhel} > 7 +ExcludeArch: %{ix86} +%endif +Requires: 389-ds-base >= 1.3.5.6 + +%description +This package provides two plugins for Red Hat and 389 Directory Server. + +The NIS Server plugin allows the directory server to act as a NIS server +for clients, dynamically generating and updating NIS maps according to +its configuration and the contents of the DIT, and serving the results to +clients using the NIS protocol as if it were an ordinary NIS server. 
+ +The Schema Compatibility plugin allows the directory server to provide an +alternate view of entries stored in part of the DIT, optionally adding, +dropping, or renaming attribute values, and optionally retrieving values +for attributes from multiple entries in the tree. + +%prep +%setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 + +%build +autoconf --force +%configure --disable-static --with-ldap=%{ldap_impl} \ + --with-nsswitch --with-pam --with-pam-service=system-auth \ + %{sss_nss_opts} %{betxn_opts} +sed -i -e 's,%{_libdir}/dirsrv/plugins/,,g' -e 's,.so$,,g' doc/examples/*.ldif +make %{?_smp_mflags} + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT +rm $RPM_BUILD_ROOT/%{_libdir}/dirsrv/plugins/*.la + +%if 0 +# ns-slapd doesn't want to start in koji, so no tests get run +%check +make check +%endif + +%files +%defattr(-,root,root,-) +%doc COPYING NEWS README STATUS doc/*.txt doc/examples/*.ldif doc/ipa +%{_mandir}/man1/* +%{_libdir}/dirsrv/plugins/*.so +%{_sbindir}/nisserver-plugin-defs + +%changelog +* Mon Sep 13 2021 Alexander Bokovoy - 0.56.6-4 +- Resolves: rhbz#2000919 - memory leak in backend_search_cb + +* Thu Jul 01 2021 Alexander Bokovoy - 0.56.6-3 +- Resolves: rhbz#1958909 - fix regression for scoped searches in compat tree +- Resolves: rhbz#1978189 - better handle error response from libsss_nss_idmap + +* Wed Apr 07 2021 Alexander Bokovoy - 0.56.6-2 +- CVE 2021-3480: idm:DL1/slapi-nis: NULL dereference (DoS) with specially crafted Binding DN +- Resolves: rhbz#1944713 + +* Fri Dec 04 2020 Alexander Bokovoy - 0.56.6-1 +- Upstream release 0.56.6 +- Resolves rhbz#1891741 + +* Mon Sep 14 2020 Alexander Bokovoy - 0.56.5-4 +- Ignore unmatched searches +- Resolves: rhbz#1874015 + +* Thu Sep 10 2020 Alexander Bokovoy - 0.56.5-3 +- Fix memory leaks in ID views processing +- Resolves: rhbz#1875348 + +* Wed May 06 2020 Alexander Bokovoy - 0.56.5-2 +- Initialize map lock in NIS plugin +- Resolves: rhbz#1832331 + +* Mon May 04 
2020 Alexander Bokovoy - 0.56.5-1 +- Upstream release 0.56.5 +- Resolves: rhbz#1751295: (2) When sync-repl is enabled, slapi-nis can deadlock during retrochanglog trimming +- Resolves: rhbz#1768156: ERR - schemacompat - map rdlock: old way MAP_MONITOR_DISABLED + +* Fri Aug 16 2019 Alexander Bokovoy - 0.56.3-2 +- Resolves rhbz#1741881 + ns-slapd is crashing intermittently + +* Wed Jun 05 2019 Alexander Bokovoy - 0.56.3-1 +- New upstream release +- Resolves rhbz#1684563 + +* Mon Jul 23 2018 Alexander Bokovoy - 0.56.2-7 +- 389-ds is not available on i686 architecture, don't build there + +* Wed May 02 2018 Alexander Bokovoy - 0.56.2-6 +- Force rebuild of configure + +* Wed May 02 2018 Alexander Bokovoy - 0.56.2-5 +- Link with libnsl explicitly in Fedora 28 or later +- Require libnsl2-devel for build +- Resolves rhbz#1573636 + +* Thu Mar 15 2018 Alexander Bokovoy - 0.56.2-4 +- Remove tcpwrappers support as they aren't available in Fedora anymore + +* Thu Mar 15 2018 Alexander Bokovoy - 0.56.2-3 +- Do not build on i686 in Fedora 28 or later as 389-ds-base is not available there anymore +- Resolves rhbz#1556448 +- Remove outdated ExclusiveArch for RHEL6 + +* Fri Feb 09 2018 Fedora Release Engineering - 0.56.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Jan 19 2018 Alexander Bokovoy - 0.56.2-1 +- New upstream release +- Update links to the upstream project page and releases +- Use extended SSSD API to signal that an entry should not be cached anymore +- Add support for timeout-based NSS queries with libsss_nss_idmap + +* Thu Aug 03 2017 Fedora Release Engineering - 0.56.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.56.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 0.56.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Aug 08 2016 Alexander 
Bokovoy - 0.56.1-1 +- Support querying external users by UPN alias +- Don't clobber target of the pblock for ID views + +* Mon Jun 20 2016 Alexander Bokovoy - 0.56.0-2 +- Updated upstream tarball + +* Mon Jun 20 2016 Alexander Bokovoy - 0.56-1 +- Add support for changing passwords for users from a primary tree + - requires DS 1.3.5.6 or later + +* Mon May 30 2016 Alexander Bokovoy - 0.55-3 +- Add support to properly shutdown priming cache from RHEL 7.2.4 + +* Fri Feb 05 2016 Fedora Release Engineering - 0.55-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Tue Jan 26 2016 Alexander Bokovoy - 0.55-1 +- Support external members of IPA groups in schema compat +- Support bind over ID overrides when uid is not overridden +- Populate schema compat trees in parallel to LDAP server startup + +* Fri Jun 19 2015 Fedora Release Engineering - 0.54.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu Mar 26 2015 Alexander Bokovoy - 0.54.2-1 +- CVE-2015-0283 slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() (#1206049) +- Make sure nss_sss.so.2 module is used directly +- Allow building slapi-nis with ID views against 389-ds-base from RHEL7.0/CentOS7.0 releases + +* Thu Nov 6 2014 Alexander Bokovoy - 0.54.1-1 +- support FreeIPA overrides in LDAP BIND callback +- ignore FreeIPA override searchs outside configured schema compat subtrees + +* Fri Oct 10 2014 Alexander Bokovoy - 0.54-1 +- Add support for FreeIPA's ID views +- Allow searching SSSD-provided users as memberUid case-insensitevly + Fixes bug #1130131 + +* Mon Aug 18 2014 Fedora Release Engineering - 0.53-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 0.53-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue Apr 22 2014 Nalin Dahyabhai - 0.53-1 +- correct the default NIS map settings for hosts.byname and hosts.byaddr, + from report by Rik Megens +- fix 
several problems when hitting out-of-memory conditions, spotted by + static analysis + +* Mon Jan 20 2014 Nalin Dahyabhai - 0.52-3 +- remove ExclusiveArch if %%{rhel} is 7 or higher, because 389-ds-base gets + built for everything now (#1055711) + +* Fri Dec 27 2013 Daniel Mach - 0.52-2 +- Mass rebuild 2013-12-27 + +* Mon Dec 16 2013 Nalin Dahyabhai - 0.52-1 +- correctly reflect whether or not we're built with transaction support in + the module's nsslapd-pluginVersion attribute +- fix a couple of should've-used-memmove()-instead-of-memcpy() cases which + would hit when removing maps or groups of maps (#1043546/#1043638) + +* Mon Dec 9 2013 Nalin Dahyabhai - 0.51-1 +- fix another request argument memory leak in NIS server (#1040159) +- fix miscellaneous items found by static analysis + +* Tue Oct 1 2013 Nalin Dahyabhai - 0.50-1 +- if we get an EPIPE while registering with rpcbind, try to reconnect and + retransmit before giving up + +* Thu Sep 19 2013 Nalin Dahyabhai - 0.49-1 +- add {nis,schema-compat}-ignore-subtree and -restrict-subtree settings, + which should let us avoid deadlocks when tasks are modifying data in + the backend database (#1007451) + +* Mon Aug 12 2013 Nalin Dahyabhai - 0.48-1 +- try to gracefully handle failures obtaining internal locks +- fix locating-by-name of entries with names that require escaping +- add self-tests for nsswitch and PAM functionality +- make nsswitch mode properly handle user and group names with commas in them +- handle attempts to PAM authenticate to compat groups (i.e., with failure) +- drop the "schema-compat-origin" attribute + +* Wed Aug 7 2013 Nalin Dahyabhai - 0.47.7-1 +- fix building against versions of directory server older than 1.3.0, which + first introduced slapi_escape_filter_value() + +* Wed Aug 7 2013 Nalin Dahyabhai - 0.47.6-1 +- only buildrequire libsss_nss_idmap-devel on releases that included SSSD + version 1.10 or later, where it first appeared + +* Wed Aug 7 2013 Nalin Dahyabhai - 0.47.5-1 +- merge 
Alexander Bokovoy's patches to + - teach the schema compatibility plugin to optionally serve user and group + information retrieved from libc as part of a set of compat entries + - handle simple bind requests for those entries by calling out to PAM + - to rewrite the DN of incoming bind requests to compat entries to point + at the source entries, instead of returning a referral which most clients + won't handle +- include IPA-specific docs as docs + +* Sun Aug 04 2013 Fedora Release Engineering - 0.47-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Fri May 24 2013 Nalin Dahyabhai - 0.47-1 +- fix request argument memory leaks in NIS server +- add a %%sort function + +* Thu Apr 4 2013 Nalin Dahyabhai - 0.46-1 +- when checking if we can skip processing for a given change, pay attention to + whether or not the changes cause the entry to need to be added or removed + from a map (#912673) +- check SLAPI_PLUGIN_OPRETURN in post-change hooks, in case the backend failed + to update things but the server called us anyway + +* Tue Mar 19 2013 Nalin Dahyabhai - 0.45-1 +- fix dispatching for multiple connected clients in the NIS plugin (#923336) + +* Tue Feb 5 2013 Nalin Dahyabhai - 0.44-3 +- work around multilib differences in the example .ldif files (internal + tooling) + +* Tue Nov 20 2012 Nalin Dahyabhai - 0.44-2 +- set betxn support to be disabled by default on Fedora 17 or EL 5 or older, + which have versions of IPA < 3.0, per mkosek on freeipa-devel + +* Wed Nov 14 2012 Nalin Dahyabhai - 0.44-1 +- add missing newline to a couple of debug log messages +- note whether or not betxn support is compiled in as part of the + nsslapd-pluginVersion value we report to the server +- register callbacks in the same order in both plugins, so that + their log messages are logged in the same order + +* Tue Nov 13 2012 Nalin Dahyabhai - 0.43-1 +- reintroduce support for directory server transactions (nhosoi, IPA#3046) +- control transaction support at 
run-time, deciding when to do things based + on the value of the nsslapd-pluginbetxn attribute in the plugin's entry +- NIS: add default settings for shadow.byname and passwd.adjunct.byname maps + +* Sat Jul 21 2012 Fedora Release Engineering - 0.42-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jun 13 2012 Nalin Dahyabhai - 0.42-1 +- drop support for directory server transactions (richm, #766320) + +* Tue May 22 2012 Nalin Dahyabhai +- fix a leak due to us assuming that slapi_mods_add_smod() not taking ownership + of an smod along with its contents, when it just keeps the contents + +* Tue Apr 10 2012 Nalin Dahyabhai - 0.41-1 +- log errors evaluating pad expressions in %%link rather than continuing on + until we hit an arithmetic exception (#810258) + +* Fri Mar 30 2012 Nalin Dahyabhai - 0.40-1 +- treat padding values passed to the "link" function as expressions to be + evaluated rather than simply as literal values (part of #767372) + +* Wed Mar 28 2012 Nalin Dahyabhai - 0.39-1 +- add a "default" function for trying to evaluate one expression, then + another, then another... 
(part of #767372) +- when creating a compat entry based on a real entry, set an entryUSN based on + the source entry or the rootDSE (freeipa #864); the "scaffolding" entries + won't have them + +* Tue Mar 6 2012 Nalin Dahyabhai - 0.38-1 +- properly escape RDN values when building compat entries (#796509, #800625) + +* Mon Feb 13 2012 Nalin Dahyabhai - 0.37-1 +- fix a compile error on systems where LDAP_SCOPE_SUBORDINATE isn't defined + (reported by Christian Neuhold) +- conditionalize whether we have a build dependency on tcp_wrappers (older + releases) or tcp_wrappers-devel (newer releases) + +* Tue Jan 24 2012 Nalin Dahyabhai - 0.36-1 +- take steps to avoid making yp_first/yp_next clients loop indefinitely + when a single LDAP entry produces multiple copies of the same NIS key + for a given map + +* Tue Jan 24 2012 Nalin Dahyabhai - 0.35-1 +- add mmatch/mregmatch[i]/mregsub[i] formatting functions which work like + match/regmatch[i]/regsub[i], but which can handle and return lists of + zero or more results (part of #783274) + +* Thu Jan 19 2012 Nalin Dahyabhai - 0.34-1 +- do entry comparisons ourselves, albeit less throughly, to avoid the worst + case in pathological cases (more of #771444) + +* Tue Jan 17 2012 Nalin Dahyabhai - 0.33-1 +- get more aggressive about skipping unnecessary calculations (most of + the problem in #771444, though not the approach described there) + +* Mon Jan 16 2012 Nalin Dahyabhai - 0.32-1 +- add support for directory server transactions (#758830,#766320) + +* Sat Jan 14 2012 Fedora Release Engineering - 0.28-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Jan 11 2012 Nalin Dahyabhai - 0.31-1 +- fix some memory leaks (more of #771493) + +* Tue Jan 10 2012 Nalin Dahyabhai - 0.30-1 +- skip recalculations when the attributes which changed don't factor into + our calculations (part of #771493) + +* Wed Jan 4 2012 Nalin Dahyabhai - 0.29-1 +- add regmatchi/regsubi formatting functions which work like 
regmatch/regsub, + but do matching in a case-insensitive manner +- update NIS map defaults to match {CRYPT} userPassword values in a + case-insensitive manner so that we also use {crypt} userPassword values +- fix inconsistencies in the NIS service stemming from using not-normalized DNs + in some places where it should have used normalized DNs + +* Mon Dec 19 2011 Nalin Dahyabhai - 0.28-1 +- when configured with --with-ldap=openldap, link with -lldap_r rather + than -lldap (rmeggins, #769107) + +* Tue Dec 6 2011 Nalin Dahyabhai - 0.27-1 +- when building for 389-ds, use Slapi_RWLocks if they appear to be available + (the rest of #730394/#730403) + +* Fri Aug 12 2011 Nalin Dahyabhai - 0.26-1 +- when building for 389-ds, use libpthread's read-write locks instead of + NSPR's (part of #730394/#730403) + +* Wed Jul 27 2011 Nalin Dahyabhai - 0.25-1 +- speed up building compat entries which reference thousands of other entries + (more of #692690) +- 389-ds-base is apparently exclusive to x86_64 and %%{ix86} on EL, so we have + to be, too + +* Fri May 13 2011 Nalin Dahyabhai - 0.24-1 +- carry our own yp.x, so that we don't get bitten if libc doesn't include + yp client routines +- we need rpcgen at build-time now + +* Thu Mar 31 2011 Nalin Dahyabhai - 0.23-1 +- speed up building compat entries with attributes with thousands of literal + values (#692690) + +* Wed Feb 09 2011 Fedora Release Engineering - 0.22-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Jan 6 2011 Nalin Dahyabhai - 0.22-1 +- fix a number of scanner-uncovered defects + +* Thu Jan 6 2011 Nalin Dahyabhai - 0.21-2 +- make sure we always pull in nss-devel and nspr-devel, and the right + ldap toolkit for the Fedora or RHEL version + +* Tue Nov 23 2010 Nalin Dahyabhai - 0.21-1 +- update to 0.21 + - schema-compat: don't look at standalone compat containers for a search, + since we'll already have looked at the group container + +* Tue Nov 23 2010 Nalin Dahyabhai - 0.20-1 +- update 
to 0.20 + - add a deref_f function + +* Mon Nov 22 2010 Nalin Dahyabhai - 0.19-1 +- fix a brown-paper-bag crash + +* Mon Nov 22 2010 Nalin Dahyabhai - 0.18-1 +- update to 0.18 + - add a deref_rf function + - schema-compat: don't respond to search requests for which there's no backend + - schema-compat: add the ability to do standalone compat containers + +* Wed Nov 17 2010 Nalin Dahyabhai - 0.17-6 +- revert that last change, it's unnecessary + +* Thu Nov 11 2010 Nalin Dahyabhai - 0.17-5 +- build against either 389-ds-base or redhat-ds-base, whichever is probably + more appropriate here + +* Sun Jul 26 2009 Fedora Release Engineering - 0.17-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 15 2009 Nalin Dahyabhai - 0.17-3 +- change buildreq from fedora-ds-base-devel to 389-ds-base-devel, which + should avoid multilib conflicts from installing both arches of the new + package (#511504) + +* Tue Jul 14 2009 Nalin Dahyabhai - 0.17-2 +- fixup changelog entries that resemble possible macro invocations + +* Thu May 14 2009 Nalin Dahyabhai - 0.17-1 +- actually send portmap registrations to the right server + +* Thu May 14 2009 Nalin Dahyabhai - 0.16-1 +- fix NIS server startup problem when no port is explicitly configured and + we're using portmap instead of rpcbind (#500903) + +* Fri May 8 2009 Nalin Dahyabhai - 0.15-1 +- fix %%deref and %%referred to fail rather than return a valid-but-empty + result when they fail to evaluate (reported by Rob Crittenden) + +* Wed May 6 2009 Nalin Dahyabhai - 0.14-1 +- correctly handle being loaded but disabled (#499404) + +* Thu Apr 30 2009 Nalin Dahyabhai - 0.13-1 +- update to 0.13, reworking %%link() to correct some bugs (#498432) + +* Thu Apr 30 2009 Nalin Dahyabhai - 0.12-1 +- correct test suite failures that 0.11 started triggering + +* Tue Apr 28 2009 Nalin Dahyabhai - 0.11-1 +- update to 0.11 (#497904) + +* Wed Mar 4 2009 Nalin Dahyabhai - 0.10-1 +- update to 0.10 + +* Wed Feb 25 2009 Fedora 
Release Engineering - 0.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Dec 9 2008 Nalin Dahyabhai - 0.8.5-2 +- make the example nsslapd-pluginpath values the same on 32- and 64-bit + systems, because we can depend on the directory server "knowing" which + directory to search for the plugins + +* Mon Dec 8 2008 Nalin Dahyabhai - 0.8.5-1 +- update to 0.8.5 to suppress duplicate values for attributes in the schema + compatibility plugin + +* Thu Dec 4 2008 Nalin Dahyabhai - 0.8.4-1 +- update to 0.8.4 to fix: + - problems updating references, particularly those for %%referred() (#474478) + - inability to notice internal add/modify/modrdn/delete operations (really + this time) (#474426) + +* Wed Dec 3 2008 Nalin Dahyabhai - 0.8.3-1 +- update to 0.8.3 to also notice and reflect changes caused by internal + add/modify/modrdn/delete operations + +* Wed Nov 19 2008 Nalin Dahyabhai - 0.8.2-1 +- update to 0.8.2 to remove a redundant read lock in the schema-compat plugin + +* Fri Nov 7 2008 Nalin Dahyabhai - 0.9-1 +- update to 0.9 + +* Fri Oct 3 2008 Nalin Dahyabhai - 0.8.1-1 +- update to 0.8.1 to fix a heap corruption (Rich Megginson) + +* Wed Aug 6 2008 Nalin Dahyabhai - 0.8-1 +- update to 0.8 + +* Wed Aug 6 2008 Nalin Dahyabhai - 0.7-1 +- update to 0.7 + +* Wed Jul 23 2008 Nalin Dahyabhai - 0.6-1 +- rebuild (and make rpmlint happy) + +* Wed Jul 9 2008 Nalin Dahyabhai - 0.2-1 +- initial package diff --git a/sources b/sources new file mode 100644 index 0000000..e8fcdcc --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA1 (slapi-nis-0.56.6.tar.gz) = c32d869856123cbecd7b3786bc2bd880d01c47ed
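Review bot: `Source1` ships the detached signature slapi-nis-%{version}.tar.gz.asc, but %prep goes straight to `%setup -q` and never checks it, and no keyring is listed as a source, so the signature gives no protection at build time. The only integrity check left on the tarball is the `SHA1 (slapi-nis-0.56.6.tar.gz) = ...` line in `sources`, and SHA-1 is no longer collision-resistant. I would add the upstream signing key as a further `SourceN`, add `BuildRequires: gnupg2`, and make `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` the first line of %prep (SOURCE2 stands for whichever source number the keyring gets). Where the lookaside tooling allows it, the tarball should also be recorded with a SHA-512 digest.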