--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-14639
2011-10-20 09:34:15
--------------------------------------------------------------------------------

Name        : 389-ds-base
Product     : Fedora 15
Version     : 1.2.10
Release     : 0.4.a4.fc15
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes
the LDAP server and command line utilities for server administration.

--------------------------------------------------------------------------------
Update Information:
2011-10-21: Added selinux-policy and updated SSSD with explicit Requires
2011-10-23: Changed Requires: to Conflicts: for selinux-policy in sssd
FreeIPA:
== What happened to 2.1.2!? ==

Right after tagging 2.1.2 we found an upgrade issue that would have affected any users using the selfsign CA (installed with --selfsign). We decided to hold back the release, fix a few more bugs, and just push out 2.1.3 instead about a week later. So here we are.
== Highlights in 2.1.3 ==

* Enforce that system hostname matches hostname of IPA server.
* Require that /etc/hosts is sane even when configuring DNS.
* Increase default server-side LDAP search limits.
* Client enrollment improvements including longer wait for sssd to start, recovery if discovered IPA server is not responsive and when anonymous bind is disabled in 389-ds.

== Highlights in 2.1.2 ==
* Upgrade older dogtag installs to use new PKI proxy configuration
* hbactest improvements
* Added platform-independent code to make ipa-client-install more portable
* Make client uninstaller more robust, should restore state more completely.
* UI usability improvements
* Tool for Enabling/Disabling Managed Entry Plugins
* Managed Entries configuration is now replicated
* IPv6 client enrollment improvements
* Man page improvements
* Performance improvements when calculating indirect membership
* Improved handling of disabled anonymous binds in 389-ds
* user is now prompted to enter current password when changing to a new password
* ipa server now supports multiple namingContexts. ipa-client-install and password migration were fixed
== Upgrading ==

=== Server ===

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:

# yum update freeipa-server --enablerepo=updates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c packages (and perhaps some others). A script will be executed in the rpm postinstall phase to update the IPA LDAP server with any required changes.
There is a bug reported against 389-ds, https://bugzilla.redhat.com/show_bug.cgi?id=730387, related to read-write locks. The NSPR RW lock implementation does not safely allow re-entrant use of reader locks. This is a timing issue so it is difficult to predict. During testing one user experienced this and the upgrade hung. To break the hang kill the ns-slapd process for your realm, wait for the yum transaction to complete, then restart 389-ds and manually run the update process:

# service dirsrv start
# ipa-ldap-updater --update
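
The recovery step above says to kill the ns-slapd process for your realm, and a server may run more than one ns-slapd. The following is an added example (not part of the original announcement or of FreeIPA) showing one way to pick out only the realm's process from `ps` output. The instance naming (`slapd-EXAMPLE-COM` for realm `EXAMPLE.COM`), the `-D` argument, the second `PKI-IPA` instance and the sample process list are assumptions.

```shell
#!/bin/sh
# Added example, not from the FreeIPA or 389-ds projects.
# Assumptions (not stated in the announcement): the instance for realm
# EXAMPLE.COM is named slapd-EXAMPLE-COM, and ns-slapd is started with
# "-D /etc/dirsrv/slapd-<instance>". Check both on your own server.

# Map a Kerberos realm to the directory server instance name.
realm_to_instance() {
    printf '%s\n' "$1" | tr '.' '-'
}

# Read `ps -eo pid,args` output on stdin and print the PID of every
# ns-slapd whose -D argument is the config directory of the realm's instance.
slapd_pid_for_realm() {
    awk -v dir="/etc/dirsrv/slapd-$(realm_to_instance "$1")" '
        {
            n = split($2, path, "/")
            if (path[n] != "ns-slapd") next
            for (i = 3; i < NF; i++)
                if ($i == "-D" && $(i + 1) == dir) { print $1; next }
        }'
}

# Constructed sample: two ns-slapd processes on one server (PIDs invented).
SAMPLE_PS='  PID COMMAND
 1388 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-PKI-IPA -i /var/run/dirsrv/slapd-PKI-IPA.pid
 1432 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-EXAMPLE-COM -i /var/run/dirsrv/slapd-EXAMPLE-COM.pid
 2210 /usr/bin/python /usr/bin/yum update freeipa-server'

# Dry run against the sample; on a live server pipe in `ps -eo pid,args`.
pid=$(printf '%s\n' "$SAMPLE_PS" | slapd_pid_for_realm EXAMPLE.COM)
echo "would run: kill $pid   # ns-slapd for EXAMPLE.COM only"
```

The script only prints the PID it would signal, so the other directory server instance and the running yum transaction are left alone.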
=== Client ===

The ipa-client-install tool in the ipa-client package is just a configuration tool. There should be no need to re-run this on every client already enrolled.
SSSD:

== Highlights ==

* Improved handling of users and groups with multi-valued name attributes (aliases)
* Performance enhancements
  * Initgroups on RFC2307bis/FreeIPA
  * HBAC rule processing
* Improved process-hang detection and restarting
* Enabled the midpoint cache refresh by default (fewer cache misses on commonly-used entries)
* Cleaned up the example configuration
389-ds-base:

* fix config del/add mods
* memberof is transaction aware
* resource limits for simple paged results
* Native systemd support
* Fix for managed entry
* Fixed source tarball
* fix transaction support in ldbm_delete
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 7 2011 Rich Megginson rmeggins@redhat.com - 1.2.10-0.4.a4
- Bug 741744 - part3 - MOD operations with chained delete/add get back error 53
- 1d2f5a0 make memberof transaction aware and able to be a betxnpostoperation plug in
- b6d3ba7 pass the plugin config entry to the plugin init function
- 28f7bfb set the ENTRY_POST_OP for modrdn betxnpostoperation plugins
- Bug 743966 - Compiler warnings in account usability plugin
* Wed Oct 5 2011 Rich Megginson rmeggins@redhat.com - 1.2.10.a3-0.3
- 498c42b fix transaction support in ldbm_delete
* Wed Oct 5 2011 Rich Megginson rmeggins@redhat.com - 1.2.10.a2-0.2
- Bug 740942 - allow resource limits to be set for paged searches independently of limits for other searches/operations
- Bug 741744 - MOD operations with chained delete/add get back error 53 on backend config
- Bug 742324 - allow nsslapd-idlistscanlimit to be set dynamically and per-user
* Tue Sep 27 2011 Rich Megginson rmeggins@redhat.com - 1.2.10.a1-0.1
- Bug 739172 - Allow separate fractional attrs for incremental and total protocols
- 6120b3d Make all backend operations transaction aware
- 056cc35 Add support for pre/post db transaction plugins
- Bug 736712 - Modifying ruv entry deadlocks server
- Bug 590826 - Reloading database from ldif causes changelog to emit "data no longer matches" errors
- Bug 730387 - Add slapi_rwlock API and use POSIX rwlocks
- Bug 611438 - Add Account Usability Control support
* Wed Sep 7 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.10-2
- corrected source
* Wed Sep 7 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.10-1
- Bug 735114 - renaming a managed entry does not update mepmanagedby
* Thu Sep 1 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.9-1
- Bug 735121 - simple paged search + ip/dns based ACI hangs server
- Bug 722292 - (cov#11030) Leak of mapped_sdn in winsync rename code
- Bug 703990 - cross-platform - Support upgrade from Red Hat Directory Server
- Introducing an environment variable USE_VALGRIND to clean up the entry cache and dn cache on exit.
* Wed Aug 31 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.8-1
- Bug 732153 - subtree and user account lockout policies implemented?
- Bug 722292 - Entries in DS are not updated properly when using WinSync API
* Wed Aug 24 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.7-1
- Bug 733103 - large targetattr list with syntax errors cause server to crash or hang
- Bug 633803 - passwordisglobalpolicy attribute brakes TLS chaining
- Bug 732541 - Ignore error 32 when adding automember config
- Bug 728592 - Allow ns-slapd to start with an invalid server cert
* Wed Aug 10 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.6-1
- Bug 728510 - Run dirsync after sending updates to AD
- Bug 729717 - Fatal error messages when syncing deletes from AD
- Bug 729369 - upgrade DB to upgrade from entrydn to entryrdn format is not working.
- Bug 729378 - delete user subtree container in AD + modify password in DS == DS crash
- Bug 723937 - Slapi_Counter API broken on 32-bit F15
- fixed again - separate tests for atomic ops and atomic bool cas
* Mon Aug 8 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.5-1
- Bug 727511 - ldclt SSL search requests are failing with "illegal error number -1" error
- Fix another coverity NULL deref in previous patch
* Thu Aug 4 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.4-1
- Bug 727511 - ldclt SSL search requests are failing with "illegal error number -1" error
- Fix coverity NULL deref in previous patch
* Wed Aug 3 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.3-1
- Bug 727511 - ldclt SSL search requests are failing with "illegal error number -1" error
- previous patch broke build on el5
* Wed Aug 3 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.2-1
- Bug 727511 - ldclt SSL search requests are failing with "illegal error number -1" error
* Tue Aug 2 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.1-2
- Bug 723937 - Slapi_Counter API broken on 32-bit F15
- fixed to use configure test for GCC provided 64-bit atomic functions
* Wed Jul 27 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.1-1
- Bug 663752 - Cert renewal for attrcrypt and encchangelog
- this was "re-fixed" due to a deadlock condition with cl2ldif task cancel
- Bug 725953 - Winsync: DS entries fail to sync to AD, if the User's CN entry contains a comma
- Bug 725743 - Make memberOf use PRMonitor for it's operation lock
- Bug 725542 - Instance upgrade fails when upgrading 389-ds-base package
- Bug 723937 - Slapi_Counter API broken on 32-bit F15
* Fri Jul 15 2011 Rich Megginson rmeggins@redhat.com - 1.2.9.0-1
- Bug 720059 - RDN with % can cause crashes or missing entries
- Bug 709468 - RSA Authentication Server timeouts when using simple paged results on RHDS 8.2.
- Bug 691313 - Need TLS/SSL error messages in repl status and errors log
- Bug 712855 - Directory Server 8.2 logs "Netscape Portable Runtime error -5961 (TCP connection reset by peer.)" to error log whereas Directory Server 8.1 did not
- Bug 713209 - Update sudo schema
- Bug 719069 - clean up compiler warnings in 389-ds-base 1.2.9
- Bug 718303 - Intensive updates on masters could break the consumer's cache
- Bug 711679 - unresponsive LDAP service when deleting vlv on replica
* Mon Jun 27 2011 Rich Megginson rmeggins@redhat.com - 1.2.9-0.2.a2
- 389-ds-base-1.2.9.a2
- look for separate openldap ldif library
- Split automember regex rules into separate entries
- writing Inf file shows SchemaFile = ARRAY(0xhexnum)
- add support for ldif files with changetype: add
- Bug 716980 - winsync uses old AD entry if new one not found
- Bug 697694 - rhds82 - incr update state stop_fatal_error "requires administrator action", with extop_result: 9
- bump console version to 1.2.6
- Bug 711679 - unresponsive LDAP service when deleting vlv on replica
- Bug 703703 - setup-ds-admin.pl asks for legal agreement to a non-existant file
- Bug 706209 - LEGAL: RHEL6.1 License issue for 389-ds-base package
- Bug 663752 - Cert renewal for attrcrypt and encchangelog
- Bug 706179 - DS can not restart after create a new objectClass has entryusn attribute
- Bug 711906 - ns-slapd segfaults using suffix referrals
- Bug 707384 - only allow FIPS approved cipher suites in FIPS mode
- Bug 710377 - Import with chain-on-update crashes ns-slapd
- Bug 709826 - Memory leak: when extra referrals configured
* Thu May 26 2011 Rich Megginson rmeggins@redhat.com - 1.2.9-0.1.a1
- 389-ds-base-1.2.9.a1
- Auto Membership
- More Coverity fixes
* Mon May 2 2011 Rich Megginson rmeggins@redhat.com - 1.2.8.3-1
- 389-ds-base-1.2.8.3
- Bug 700145 - userpasswd not replicating
- Bug 700557 - Linked attrs callbacks access free'd pointers after close
- Bug 694336 - Group sync hangs Windows initial Sync
- Bug 700215 - ldclt core dumps
- Bug 695779 - windows sync can lose old values when a new value is added
- Bug 697027 - 12 - minor memory leaks found by Valgrind + TET
* Wed Apr 27 2011 Rich Megginson rmeggins@redhat.com - 1.2.8.2-2
- explicitly disable the use of systemd

--------------------------------------------------------------------------------
References:
  [ 1 ] Bug #743035 - HBAC processing is very slow when dealing with FreeIPA deployments with large numbers of hosts.
        https://bugzilla.redhat.com/show_bug.cgi?id=743035
  [ 2 ] Bug #741744 - MOD operations with chained delete/add get back error 53 on backend config
        https://bugzilla.redhat.com/show_bug.cgi?id=741744
  [ 3 ] Bug #743966 - Compiler warnings in account usability plugin
        https://bugzilla.redhat.com/show_bug.cgi?id=743966
  [ 4 ] Bug #740942 - allow resource limits to be set for paged searches independently of limits for other searches/operations
        https://bugzilla.redhat.com/show_bug.cgi?id=740942
  [ 5 ] Bug #742324 - allow nsslapd-idlistscanlimit to be set dynamically and per-user
        https://bugzilla.redhat.com/show_bug.cgi?id=742324
  [ 6 ] Bug #739172 - Allow separate fractional attrs to be defined for incremental and total protocols
        https://bugzilla.redhat.com/show_bug.cgi?id=739172
  [ 7 ] Bug #736712 - Modifying ruv entry deadlocks server
        https://bugzilla.redhat.com/show_bug.cgi?id=736712
  [ 8 ] Bug #590826 - Reloading database from ldif causes changelog to emit "data no longer matches" errors
        https://bugzilla.redhat.com/show_bug.cgi?id=590826
  [ 9 ] Bug #730387 - Use POSIX RW locks instead of NSPR implementation
        https://bugzilla.redhat.com/show_bug.cgi?id=730387
  [ 10 ] Bug #611438 - [RFE] [CRM#2027194] adding Account Usable Request Control '1.3.6.1.4.1.42.2.27.9.5.8' in RHDS
        https://bugzilla.redhat.com/show_bug.cgi?id=611438
  [ 11 ] Bug #735114 - renaming a managed entry does not update mepmanagedby
        https://bugzilla.redhat.com/show_bug.cgi?id=735114
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update 389-ds-base' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
package-announce@lists.fedoraproject.org