SOURCES/slapi-nis-RHEL-5134.patch

@@ -1,102 +0,0 @@
-From ee94788e63d9f35daca7c0d1e80a488f738a9c52 Mon Sep 17 00:00:00 2001
-From: Thierry Bordaz <tbordaz@redhat.com>
-Date: Fri, 1 Sep 2023 11:02:08 +0200
-Subject: [PATCH 1/2] BZ 2124214 - schema compat plugin deadlock on delete post
- op
-
-Bug description:
-	backends locks (SC map and retroCL) are acquired in
-	the opposite order
-	(https://bugzilla.redhat.com/show_bug.cgi?id=2124214#c17)
-
-Fix description:
-	Credits of the fix are to Pierre Rogier who found
-	a reproducible testcase, did the fix and verified it.
-
-	In specific condition of retroCL trimming the DEL
-	callback of the SC should check if the backend should
-	be ignored
-
-relates: 2124214
----
- src/back-shr.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/back-shr.c b/src/back-shr.c
-index ce2b1f3..1792bef 100644
---- a/src/back-shr.c
-+++ b/src/back-shr.c
-@@ -2811,6 +2811,18 @@ backend_shr_delete_cb(Slapi_PBlock *pb)
- 	if (wrap_get_call_level() > 0) {
- 		return 0;
- 	}
-+        /* especially important to test if we want to prevent frequent
-+         * deadlocks when backends are accesses in opposite order.
-+         * i.e. "regular" update on domain map+retroCL and retroCL trimming
-+         * retroCL+domain map
-+         */
-+        if (backend_shr_write_ignore(pb)) {
-+#if DEBUG_MAP_LOCK
-+        slapi_log_error(SLAPI_LOG_FATAL, "schema-compat",
-+                "backend_shr_delete_cb: (%p) operation is not impacting schema compat\n", PR_MyThreadId(), 1);
-+#endif
-+		return 0;
-+	}
- 
- 	/* Read parameters from the pblock. */
- 	slapi_pblock_get(pb, SLAPI_PLUGIN_PRIVATE, &cbdata.state);
--- 
-2.41.0
-
-
-From 61fcf534c3da767788e27641f3ebfe4d6a6c0b25 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Mon, 9 Oct 2023 13:53:28 +0300
-Subject: [PATCH 2/2] Add more ignores to modrdn and modify cases
-
-BZ 2124214 - schema compat plugin deadlock on delete post op
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- src/back-shr.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/src/back-shr.c b/src/back-shr.c
-index 1792bef..4cbc39b 100644
---- a/src/back-shr.c
-+++ b/src/back-shr.c
-@@ -2463,6 +2463,15 @@ backend_shr_modify_cb(Slapi_PBlock *pb)
- 		/* No data yet, ignore */
- 		return 0;
- 	}
-+
-+	if (backend_shr_write_ignore(pb)) {
-+#if DEBUG_MAP_LOCK
-+        slapi_log_error(SLAPI_LOG_FATAL, "schema-compat",
-+                "backend_shr_modify_cb: (%p) operation is not impacting schema compat\n", PR_MyThreadId(), 1);
-+#endif
-+		return 0;
-+	}
-+
- 	slapi_pblock_get(pb, SLAPI_MODIFY_TARGET, &dn);
- 	slapi_pblock_get(pb, SLAPI_MODIFY_MODS, &cbdata.mods);
- 	slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &cbdata.e_pre);
-@@ -2669,6 +2678,15 @@ backend_shr_modrdn_cb(Slapi_PBlock *pb)
- 		/* No data yet, ignore */
- 		return 0;
- 	}
-+
-+	if (backend_shr_write_ignore(pb)) {
-+#if DEBUG_MAP_LOCK
-+        slapi_log_error(SLAPI_LOG_FATAL, "schema-compat",
-+                "backend_shr_modrdn_cb: (%p) operation is not impacting schema compat\n", PR_MyThreadId(), 1);
-+#endif
-+		return 0;
-+	}
-+
- 	slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &cbdata.e_pre);
- 	slapi_pblock_get(pb, SLAPI_ENTRY_POST_OP, &cbdata.e_post);
- 
--- 
-2.41.0
-

SOURCES/slapi-nis-bz2183469.patch

@@ -1,78 +0,0 @@
-From 24eeccd408d9627299231d7843ca9e65e71af3de Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Tue, 21 Mar 2023 17:32:47 +0200
-Subject: [PATCH 1/2] Test the case when container is a child of the target DN
-
-We can have target DN both inside or outside of a container.
-Previously, the code did not look into the latter one. When container is
-a child of the target DN (like using IPA's base DN instead of
-cn=compat,$BASE_DN) and a search was done with a subtree scope, the
-check failed.
-
-With this change a subtree scope search which starts with a base DN
-that includes a compat tree's container would be considered for the
-search.
-
-Fixes: rhbz#2168893
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- src/back-sch.c | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/back-sch.c b/src/back-sch.c
-index 93746b1..e447bda 100644
---- a/src/back-sch.c
-+++ b/src/back-sch.c
-@@ -1340,11 +1340,12 @@ backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_
- 
- 	if (slapi_sdn_scope_test(cbdata->target_dn,
- 				 set_data->container_sdn,
--				 cbdata->scope) == 1) {
-+				 cbdata->scope) != 0) {
- 		cbdata->answer = TRUE;
--	}
--
--	if (slapi_sdn_issuffix(cbdata->target_dn, set_data->container_sdn) == 1) {
-+	} else if ((cbdata->scope == LDAP_SCOPE_SUBTREE) &&
-+		   slapi_sdn_scope_test(set_data->container_sdn,
-+					cbdata->target_dn,
-+					cbdata->scope) != 0) {
- 		cbdata->answer = TRUE;
- 	}
- 
--- 
-2.40.0
-
-
-From 73058645eac86b40913deec01807854e0a8bda0d Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Mon, 24 Apr 2023 12:19:10 +0300
-Subject: [PATCH 2/2] Identify the container without search base check
-
-Ignore the actual search base when identifying whether a target DN is
-within a known data container. The reason is that we need to know
-whether a search would have to descent into a particular container. The
-scope validation will happen later.
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- src/back-sch.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/back-sch.c b/src/back-sch.c
-index e447bda..a79f61b 100644
---- a/src/back-sch.c
-+++ b/src/back-sch.c
-@@ -1340,7 +1340,7 @@ backend_search_find_set_dn_in_group_cb(const char *group, const char *set, bool_
- 
- 	if (slapi_sdn_scope_test(cbdata->target_dn,
- 				 set_data->container_sdn,
--				 cbdata->scope) != 0) {
-+				 LDAP_SCOPE_SUBTREE) != 0) {
- 		cbdata->answer = TRUE;
- 	} else if ((cbdata->scope == LDAP_SCOPE_SUBTREE) &&
- 		   slapi_sdn_scope_test(set_data->container_sdn,
--- 
-2.40.0
-

SPECS/slapi-nis.spec

@@ -11,20 +11,14 @@
 
 Name:		slapi-nis
 Version:	0.60.0
-Release:	4%{?dist}.alma.1
+Release:	2%{?dist}
 Summary:	NIS Server and Schema Compatibility plugins for Directory Server
-Group:		System Environment/Daemons
 License:	GPLv3
 URL:		http://pagure.io/slapi-nis/
 Source0:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
 Source1:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
-Patch0:         slapi-nis-bz2183469.patch
 
-# Patches were taken from:
+BuildRequires: make
-# https://gitlab.com/redhat/centos-stream/rpms/slapi-nis/-/commit/0c099f8456d77e063b51c39fac7c70105816855a
-Patch1:         slapi-nis-RHEL-5134.patch
-
-BuildRequires:  make
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@@ -42,7 +36,7 @@ BuildRequires:	libtirpc-devel
 %else
 BuildRequires:  libnsl2-devel
 %endif
-%if 0%{?fedora} > 27 || 0%{?rhel} > 7
+%if 0%{?fedora} > 27 || 0%{?rhel} >= 9
 ExcludeArch: %{ix86}
 %endif
 Requires: 389-ds-base >= 1.3.5.6
@@ -62,8 +56,6 @@ for attributes from multiple entries in the tree.
 
 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1
 
 %build
 autoconf --force
@@ -85,79 +77,84 @@ make check
 %endif
 
 %files
-%defattr(-,root,root,-)
 %doc COPYING NEWS README STATUS doc/*.txt doc/examples/*.ldif doc/ipa
 %{_mandir}/man1/*
 %{_libdir}/dirsrv/plugins/*.so
 %{_sbindir}/nisserver-plugin-defs
 
 %changelog
-* Wed Nov 15 2023 Eduard Abdullin <eabdullin@almalinux.org> - 0.60.0-4.alma.1
+* Sun Aug 21 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-2
-- Ignore updates from non-tracked subtrees during modify/modrdn/update
+- Rebuild to fix changelog
-  to avoid deadlocks with retro changelog
+- Related: rhbz#2117299
-
-
-* Mon Apr 24 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-3
-- Also handle base searches within the compat tree
-- Related: rhbz#2183469
-
-* Wed Apr 12 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-2
-- Fix base DN searches outside the compat tree
-- Resolves: rhbz#2183469
 
 * Sat Aug 20 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-1
 - upstream release 0.60.0
 - Change license from GPLv2 to GPLv3+ to follow 389-ds licensing
-- Resolves: rhbz#1984010
+- Fix ID views integration
-  Fix ID views integration
 - Fix base scope lookups
-- Resolves: rhbz#1784172
+- Bump NIS max dgram size to 8KB by default instead of 1KB
-  Bump NIS max dgram size to 8KB by default instead of 1KB
+- Resolves: rhbz#2117299
-- Resolves: rhbz#2070575
   Allow to rebuild the compat tree
 
-* Mon Sep 13 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-4
+* Fri Jan 21 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-4
-- Resolves: rhbz#2000919 - memory leak in backend_search_cb
+- Rebuild against libnsl 2.0.0
+- Related: rhbz#2039220
 
-* Thu Jul 01 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-3
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.56.7-3
-- Resolves: rhbz#1958909 - fix regression for scoped searches in compat tree
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-- Resolves: rhbz#1978189 - better handle error response from libsss_nss_idmap
+  Related: rhbz#1991688
 
-* Wed Apr 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-2
+* Wed Jul 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-2
-- CVE 2021-3480:  idm:DL1/slapi-nis: NULL dereference (DoS) with specially crafted Binding DN
+- Resolves: rhbz#1979619
-- Resolves: rhbz#1944713
+  IPA: High CPU utilization (over 1000% plus) by ns-slapd process
+- Resolves: rhbz#1979623
+  With base object scope, ldapsearch against compat tree does not return any data on Rhel8 IPA servers.
+
+* Wed May 19 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-1
+- CVE-2021-3480: invalid bind DN crash
+- New upstream release
+- Resolves: rhbz#1947351
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.56.6-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
 * Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-1
-- Upstream release 0.56.6
+- New upstream release
-- Resolves rhbz#1891741
+- Ignore searches which don't match any configured map
 
-* Mon Sep 14 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-4
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.5-3
-- Ignore unmatched searches
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-- Resolves: rhbz#1874015
-
-* Thu Sep 10 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-3
-- Fix memory leaks in ID views processing
-- Resolves: rhbz#1875348
 
 * Wed May 06 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-2
-- Initialize map lock in NIS plugin
+- Initialize map locks in NIS plugin to prevent crash
-- Resolves: rhbz#1832331
 
 * Mon May 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-1
-- Upstream release 0.56.5
+- New upstream release
 - Resolves: rhbz#1751295: (2) When sync-repl is enabled, slapi-nis can deadlock during retrochanglog trimming
 - Resolves: rhbz#1768156: ERR - schemacompat - map rdlock: old way MAP_MONITOR_DISABLED
 
-* Fri Aug 16 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.3-2
+* Fri Feb 07 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.4-1
-- Resolves rhbz#1741881
-  ns-slapd is crashing intermittently
-
-* Wed Jun 05 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.3-1
 - New upstream release
-- Resolves rhbz#1684563
+- Fix build with newer gcc versions
+- Resolves rhbz#1800097
 
-* Mon Jul 23 2018 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.2-7
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.3-3
-- 389-ds is not available on i686 architecture, don't build there
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jun 06 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.3-1
+- New upstream release
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Wed May 02 2018 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.2-6
 - Force rebuild of configure