.gitignore

@@ -1 +1,89 @@
-SOURCES/slapi-nis-0.60.0.tar.gz
+slapi-nis-0.8.tar.gz
+slapi-nis-0.8.1.tar.gz
+slapi-nis-0.9.tar.gz
+slapi-nis-0.10.tar.gz
+slapi-nis-0.11.tar.gz
+slapi-nis-0.13.tar.gz
+slapi-nis-0.14.tar.gz
+slapi-nis-0.15.tar.gz
+slapi-nis-0.16.tar.gz
+slapi-nis-0.17.tar.gz
+/slapi-nis-0.18.tar.gz
+/slapi-nis-0.19.tar.gz
+/slapi-nis-0.20.tar.gz
+/slapi-nis-0.21.tar.gz
+/slapi-nis-0.22.tar.gz
+/slapi-nis-0.23.tar.gz
+/slapi-nis-0.25.tar.gz
+/slapi-nis-0.26.tar.gz
+/slapi-nis-0.27.tar.gz
+/slapi-nis-0.27.tar.gz.sig
+/slapi-nis-0.28.tar.gz
+/slapi-nis-0.28.tar.gz.sig
+/slapi-nis-0.34.tar.gz
+/slapi-nis-0.34.tar.gz.sig
+/slapi-nis-0.36.tar.gz
+/slapi-nis-0.36.tar.gz.sig
+/slapi-nis-0.37.tar.gz
+/slapi-nis-0.37.tar.gz.sig
+/slapi-nis-0.38.tar.gz
+/slapi-nis-0.38.tar.gz.sig
+/slapi-nis-0.40.tar.gz
+/slapi-nis-0.40.tar.gz.sig
+/slapi-nis-0.42.tar.gz
+/slapi-nis-0.42.tar.gz.sig
+/slapi-nis-0.43.tar.gz
+/slapi-nis-0.43.tar.gz.sig
+/slapi-nis-0.44.tar.gz
+/slapi-nis-0.44.tar.gz.sig
+/slapi-nis-0.45.tar.gz
+/slapi-nis-0.45.tar.gz.sig
+/slapi-nis-0.46.tar.gz
+/slapi-nis-0.46.tar.gz.sig
+/slapi-nis-0.47.tar.gz
+/slapi-nis-0.47.tar.gz.sig
+/slapi-nis-0.47.5.tar.gz
+/slapi-nis-0.47.5.tar.gz.sig
+/slapi-nis-0.47.7.tar.gz
+/slapi-nis-0.47.7.tar.gz.sig
+/slapi-nis-0.48.tar.gz
+/slapi-nis-0.48.tar.gz.sig
+/slapi-nis-0.49.tar.gz
+/slapi-nis-0.49.tar.gz.sig
+/slapi-nis-0.50.tar.gz
+/slapi-nis-0.50.tar.gz.sig
+/slapi-nis-0.51.tar.gz
+/slapi-nis-0.51.tar.gz.sig
+/slapi-nis-0.52.tar.gz
+/slapi-nis-0.52.tar.gz.sig
+/slapi-nis-0.53.tar.gz
+/slapi-nis-0.53.tar.gz.sig
+/slapi-nis-0.54.tar.gz
+/slapi-nis-0.54.tar.gz.sig
+/slapi-nis-0.54.1.tar.gz
+/slapi-nis-0.54.1.tar.gz.sig
+/slapi-nis-0.54.2.tar.gz
+/slapi-nis-0.54.2.tar.gz.sig
+/slapi-nis-0.55.tar.gz
+/slapi-nis-0.55.tar.gz.sig
+/slapi-nis-0.56.tar.gz
+/slapi-nis-0.56.tar.gz.sig
+/slapi-nis-0.56.0.tar.gz
+/slapi-nis-0.56.0.tar.gz.sig
+/slapi-nis-0.56.1.tar.gz
+/slapi-nis-0.56.1.tar.gz.sig
+/slapi-nis-0.56.2.tar.gz
+/slapi-nis-0.56.2.tar.gz.sig
+/slapi-nis-0.56.3.tar.gz
+/slapi-nis-0.56.3.tar.gz.sig
+/slapi-nis-0.56.4.tar.gz
+/slapi-nis-0.56.4.tar.gz.asc
+/slapi-nis-0.56.4.tar.gz.sig
+/slapi-nis-0.56.5.tar.gz
+/slapi-nis-0.56.5.tar.gz.asc
+/slapi-nis-0.56.6.tar.gz
+/slapi-nis-0.56.6.tar.gz.asc
+/slapi-nis-0.56.7.tar.gz
+/slapi-nis-0.56.7.tar.gz.asc
+/slapi-nis-0.60.0.tar.gz
+/slapi-nis-0.60.0.tar.gz.asc

.slapi-nis.metadata

@@ -1 +1,2 @@
-e5a84cf93b13b174c6d865de2f735cbfbc950917 SOURCES/slapi-nis-0.60.0.tar.gz
+e5a84cf93b13b174c6d865de2f735cbfbc950917 slapi-nis-0.60.0.tar.gz
+22f0d39d1a22a76058ff6bbe5f41df5a2f84272b slapi-nis-0.60.0.tar.gz.asc

0001-support-transition-from-libtirpc-to-libnsl-in-Fedora.patch

@@ -0,0 +1,28 @@
+From 062c157013c5af8714d9015582de898b42d1a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 2 May 2018 08:56:15 +0300
+Subject: [PATCH] support transition from libtirpc to libnsl in Fedora 28
+
+libnsl2-devel in Fedora 28 depends on libtirpc-devel internally
+so we can also reduce the dependency in spec
+
+diff --git a/configure.ac b/configure.ac
+index 184a9af..80f2ca2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -273,6 +273,12 @@ AC_ARG_WITH(tirpc,
+ 	    ])
+ if test $use_tirpc = yes ; then
+ 	PKG_CHECK_MODULES(TIRPC,libtirpc)
++fi
++
++PKG_CHECK_MODULES(NSL,libnsl,[use_libnsl=yes],[use_libnsl=no])
++if test "$use_libnsl" = yes ; then
++	RPC_CFLAGS="$NSL_CFLAGS"
++	RPC_LIBS="$NSL_LIBS"
+ else
+ 	RPC_CFLAGS=
+ 	RPC_LIBS=-lnsl
+-- 
+2.14.3
+

SOURCES/slapi-nis-0.60.0.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmMAimgACgkQRxniuKu/
-YhorRw/8D0typYdDLGlalL7nMo57rjSApgy6gA4FKxMsNg/KiN1/7rMoCbu13iG0
-sP6wpeZLjBNI/nWGYLRuQOyi7DSxgXYlNp+8xzJDMKjnNjRSaK+/EjqIcWhdWoEq
-Q1JDjTdJ3hDCWCMQFrA/EBqb/WgQAhdmPdVzMoy6L2GBvX7W+UlCWaSMfpq5hnqg
-9SZe4NpC7i6BVhHrnWUMsQRcApnjdHlC8tQmzqdD0+iNer0asXmJcQGCI9W7EwAs
-MT4be/C2hfLfWgBdaMCZGgefGFYGI1ec+hfM9jyGsJcBsRXQ8Rq+VOLEI7lkD+wc
-nQwq1VVVcAwFkbziQ5JBZqOKdem8lo9Mucn/sQ297EIfIi8NVhlDDZFtkgsYAglT
-gaEeK4+d0QNz2+ViwJxGp2l0mG2inV8GjiyINpntbw8dh+qwI8xLI6/6B7R6wP30
-Kj/90EehX0vFXX2ylrkrvg3d7UGp6PBgsiqeaJT5bL2ItVKJl8FyD0N9JsEL766/
-SKqNHGZjEJv1rzPf2MMqutLHe1aSyTBjq4JBYPJKHAXPdvZluyALLM94erZqA/tJ
-17PCLAf3P+OvixcnyzsUTP9U7SNlLPiMqwyvUB26ul0+CqEqKzZxiTOfpbKQ8p/j
-3QpkrKLn0JbofZN1K7H6x/Mdwe5scdeTP0T8YPJm+ofZq+fBdnI=
-=ZUV6
------END PGP SIGNATURE-----

gating.yaml

@@ -0,0 +1,7 @@
+# recipients: abokovoy, frenaud, kaleem, ftrivino
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

slapi-nis-bz1979619.patch

@@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership.  Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping.  sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
++++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ 		return NULL;
+ 	}
+ 
+-	do {
++	for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ 		rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ 					      grouplist, &ngroups,
+ 					      &lerrno);
+-		if ((rc != NSS_STATUS_SUCCESS)) {
+-			tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+-			if (tmp_list == NULL) {
++		if (rc == NSS_STATUS_TRYAGAIN) {
++			tmp_list = NULL;
++			if (lerrno == ERANGE) {
++				tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
++			}
++			if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ 				free(grouplist);
+ 				return NULL;
+ 			}
+ 			grouplist = tmp_list;
+ 		}
+-	} while (rc != NSS_STATUS_SUCCESS);
++	}
+ 
+ 	entries = calloc(ngroups + 1, sizeof(entries[0]));
+ 	if (entries == NULL) {
+-- 
+2.31.1
+

slapi-nis-bz1979623.patch

@@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+ 
+ 	/* Check the group itself. */
+ 	group_dn = slapi_sdn_new_dn_byval(group);
+-	if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+-				 cbdata->scope) == 1) {
++	if (backend_should_descend(group_dn,
++				   cbdata->target_dn,
++				   cbdata->scope)) {
+ 		cbdata->answer = TRUE;
+ 		slapi_sdn_free(&group_dn);
+ 		return TRUE;
+-- 
+2.31.1
+

slapi-nis.spec

@@ -11,20 +11,16 @@
 
 Name:		slapi-nis
 Version:	0.60.0
-Release:	4%{?dist}.alma.1
+Release:	5%{?dist}
 Summary:	NIS Server and Schema Compatibility plugins for Directory Server
-Group:		System Environment/Daemons
 License:	GPLv3
 URL:		http://pagure.io/slapi-nis/
 Source0:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
 Source1:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
-Patch0:         slapi-nis-bz2183469.patch
-
-# Patches were taken from:
-# https://gitlab.com/redhat/centos-stream/rpms/slapi-nis/-/commit/0c099f8456d77e063b51c39fac7c70105816855a
+Patch0:         slapi-nis-bz2183950.patch
 Patch1:         slapi-nis-RHEL-5134.patch
 
-BuildRequires:  make
+BuildRequires: make
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@@ -42,7 +38,7 @@ BuildRequires:	libtirpc-devel
 %else
 BuildRequires:  libnsl2-devel
 %endif
-%if 0%{?fedora} > 27 || 0%{?rhel} > 7
+%if 0%{?fedora} > 27 || 0%{?rhel} >= 9
 ExcludeArch: %{ix86}
 %endif
 Requires: 389-ds-base >= 1.3.5.6
@@ -85,79 +81,97 @@ make check
 %endif
 
 %files
-%defattr(-,root,root,-)
 %doc COPYING NEWS README STATUS doc/*.txt doc/examples/*.ldif doc/ipa
 %{_mandir}/man1/*
 %{_libdir}/dirsrv/plugins/*.so
 %{_sbindir}/nisserver-plugin-defs
 
 %changelog
-* Wed Nov 15 2023 Eduard Abdullin <eabdullin@almalinux.org> - 0.60.0-4.alma.1
+* Tue Oct 10 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-5
 - Ignore updates from non-tracked subtrees during modify/modrdn/update
   to avoid deadlocks with retro changelog
+- Resolves: RHEL-11983
 
-
-* Mon Apr 24 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-3
+* Mon Apr 24 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-4
 - Also handle base searches within the compat tree
-- Related: rhbz#2183469
+- Related: rhbz#2183950
 
-* Wed Apr 12 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-2
+* Wed Apr 12 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-3
 - Fix base DN searches outside the compat tree
-- Resolves: rhbz#2183469
+- Resolves: rhbz#2183950
+
+* Sun Aug 21 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-2
+- Rebuild to fix changelog
+- Related: rhbz#2117299
 
 * Sat Aug 20 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-1
 - upstream release 0.60.0
 - Change license from GPLv2 to GPLv3+ to follow 389-ds licensing
-- Resolves: rhbz#1984010
-  Fix ID views integration
+- Fix ID views integration
 - Fix base scope lookups
-- Resolves: rhbz#1784172
-  Bump NIS max dgram size to 8KB by default instead of 1KB
-- Resolves: rhbz#2070575
+- Bump NIS max dgram size to 8KB by default instead of 1KB
+- Resolves: rhbz#2117299
   Allow to rebuild the compat tree
 
-* Mon Sep 13 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-4
-- Resolves: rhbz#2000919 - memory leak in backend_search_cb
+* Fri Jan 21 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-4
+- Rebuild against libnsl 2.0.0
+- Related: rhbz#2039220
 
-* Thu Jul 01 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-3
-- Resolves: rhbz#1958909 - fix regression for scoped searches in compat tree
-- Resolves: rhbz#1978189 - better handle error response from libsss_nss_idmap
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 0.56.7-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Wed Apr 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-2
-- CVE 2021-3480:  idm:DL1/slapi-nis: NULL dereference (DoS) with specially crafted Binding DN
-- Resolves: rhbz#1944713
+* Wed Jul 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-2
+- Resolves: rhbz#1979619
+  IPA: High CPU utilization (over 1000% plus) by ns-slapd process
+- Resolves: rhbz#1979623
+  With base object scope, ldapsearch against compat tree does not return any data on Rhel8 IPA servers.
+
+* Wed May 19 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.7-1
+- CVE-2021-3480: invalid bind DN crash
+- New upstream release
+- Resolves: rhbz#1947351
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.56.6-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
 * Fri Dec 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-1
-- Upstream release 0.56.6
-- Resolves rhbz#1891741
+- New upstream release
+- Ignore searches which don't match any configured map
 
-* Mon Sep 14 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-4
-- Ignore unmatched searches
-- Resolves: rhbz#1874015
-
-* Thu Sep 10 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-3
-- Fix memory leaks in ID views processing
-- Resolves: rhbz#1875348
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 
 * Wed May 06 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-2
-- Initialize map lock in NIS plugin
-- Resolves: rhbz#1832331
+- Initialize map locks in NIS plugin to prevent crash
 
 * Mon May 04 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.5-1
-- Upstream release 0.56.5
+- New upstream release
 - Resolves: rhbz#1751295: (2) When sync-repl is enabled, slapi-nis can deadlock during retrochanglog trimming
 - Resolves: rhbz#1768156: ERR - schemacompat - map rdlock: old way MAP_MONITOR_DISABLED
 
-* Fri Aug 16 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.3-2
-- Resolves rhbz#1741881
-  ns-slapd is crashing intermittently
-
-* Wed Jun 05 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.3-1
+* Fri Feb 07 2020 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.4-1
 - New upstream release
-- Resolves rhbz#1684563
+- Fix build with newer gcc versions
+- Resolves rhbz#1800097
 
-* Mon Jul 23 2018 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.2-7
-- 389-ds is not available on i686 architecture, don't build there
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jun 06 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.3-1
+- New upstream release
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.56.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Wed May 02 2018 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.2-6
 - Force rebuild of configure

sources

@@ -0,0 +1,2 @@
+SHA512 (slapi-nis-0.60.0.tar.gz) = 15fe7f821c6b7eea5f93edb46adcc8ba8ac8369e47b607bd56db23bbaf3e0a3e35da412bcc3665aa35bfd01d3863222d926d661adb70491f3ecce1204bc4b6e7
+SHA512 (slapi-nis-0.60.0.tar.gz.asc) = 117c1da76320ec065970752cfb5de379dbe7899e08dbcb7f2699daa26cb8cb429e1436092e4d5b39c162fc3b3f58b3c48a24c6884c2bd909767bccdd27cf7786