Fedora 15 Update: 389-ds-base-1.2.10-0.4.a4.fc15

updates at fedoraproject.org updates at fedoraproject.org
Sun Oct 30 00:30:42 UTC 2011 

---------------------------------------------------------------------------=
-----
Fedora Update Notification
FEDORA-2011-14639
2011-10-20 09:34:15
---------------------------------------------------------------------------=
-----

Name        : 389-ds-base
Product     : Fedora 15
Version     : 1.2.10
Release     : 0.4.a4.fc15
URL         : http://port389.org/
Summary     : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server.  The base package inclu=
des
the LDAP server and command line utilities for server administration.

---------------------------------------------------------------------------=
-----
Update Information:

2011-10-21: Added selinux-policy and updated SSSD with explicit Requires

2011-10-23: Changed Requires: to Conflicts: for selinux-policy in sssd



FreeIPA:

=3D=3D What happened to 2.1.2!? =3D=3D

Right after tagging 2.1.2 we found an upgrade issue that would have =

affected any users using the selfsign CA (installed with --selfsign). We =

decided to hold back the release, fix a few more bugs, and just push out =

2.1.3 instead about a week later. So here we are.

=3D=3D Highlights in 2.1.3 =3D=3D

* Enforce that system hostname matches hostname of IPA server.
* Require that /etc/hosts is sane even when configuring DNS.
* Increase default server-side LDAP search limits.
* Client enrollment improvements including longer wait for sssd to =

start, recovery if discovered IPA server is not responsive and when =

anonymous bind is disabled in 389-ds.

=3D=3D Highlights in 2.1.2 =3D=3D

* Upgrade older dogtag installs to use new PKI proxy configuration
* hbactest improvements
* Added platform-independent code to make ipa-client-install more portable
* Make client uninstaller more robust, should restore state more completely.
* UI usability improvements
* Tool for Enabling/Disabling Managed Entry Plugins
* Managed Entries configuration is now replicated
* IPv6 client enrollment improvements
* Man page improvements
* Performance improvements when calculating indirect membership
* Improved handling of disabled anonymous binds in 389-ds
* user is now prompted to enter current password when changing to a new
password
* ipa server now support multiple namingContexts. ipa-client-install and
password migration were fixed

=3D=3D Upgrading =3D=3D

=3D=3D=3D Server =3D=3D=3D

To upgrade a 2.0.0, 2.0.1 or 2.1.0 server do the following:
  # yum update freeipa-server --enablerepo=3Dupdates-testing

This will pull in updated freeIPA, 389-ds, dogtag, libcurl and xmlrpc-c =

packages (and perhaps some others). A script will be executed in the rpm =

postinstall phase to update the IPA LDAP server with any required changes.

There is a bug reported against 389-ds, =

https://bugzilla.redhat.com/show_bug.cgi?id=3D730387, related to =

read-write locks. The NSPR RW lock implementation does not safely allow =

re-entrant use of reader
locks. This is a timing issue so it is difficult to predict. During =

testing one user experienced this and the upgrade hung. To break the =

hang kill the ns-slapd process for your realm, wait for the yum =

transaction to complete, then restart 389-ds and manually run the update =

process:

  # service dirsrv start
  # ipa-ldap-updater --update

=3D=3D=3D Client =3D=3D=3D

The ipa-client-install tool in the ipa-client package is just a =

configuration tool. There should be no need to re-run this on every =

client already enrolled.




SSSD:
=3D=3D Highlights =3D=3D
 * Improved handling of users and groups with multi-valued name
attributes (aliases)
 * Performance enhancements
  * Initgroups on RFC2307bis/FreeIPA
  * HBAC rule processing
 * Improved process-hang detection and restarting
 * Enabled the midpoint cache refresh by default (fewer cache misses on
commonly-used entries)
 * Cleaned up the example configuration


389-ds-base:
 * fix config del/add mods
 * memberof is transaction aware resource
 * limits for simple paged results
 * Native systemd support
 * Fix for managed entry
 * Fixed source tarball
 * fix transaction support in ldbm_delete

---------------------------------------------------------------------------=
-----
ChangeLog:

* Fri Oct  7 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.10-0.4.a4
- Bug 741744 - part3 - MOD operations with chained delete/add get back erro=
r 53
- 1d2f5a0 make memberof transaction aware and able to be a betxnpostoperati=
on plug in
- b6d3ba7 pass the plugin config entry to the plugin init function
- 28f7bfb set the ENTRY_POST_OP for modrdn betxnpostoperation plugins
- Bug 743966 - Compiler warnings in account usability plugin
* Wed Oct  5 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.10.a3-0.3
- 498c42b fix transaction support in ldbm_delete
* Wed Oct  5 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.10.a2-0.2
- Bug 740942 - allow resource limits to be set for paged searches independe=
ntly of limits for other searches/operations
- Bug 741744 - MOD operations with chained delete/add get back error 53 on =
backend config
- Bug 742324 - allow nsslapd-idlistscanlimit to be set dynamically and per-=
user
* Tue Sep 27 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.10.a1-0.1
- Bug 739172 - Allow separate fractional attrs for incremental and total pr=
otocols
- 6120b3d Make all backend operations transaction aware
- 056cc35 Add support for pre/post db transaction plugins
- Bug 736712 - Modifying ruv entry deadlocks server
- Bug 590826 - Reloading database from ldif causes changelog to emit "data =
no longer matches" errors
- Bug 730387 - Add slapi_rwlock API and use POSIX rwlocks
- Bug 611438 - Add Account Usability Control support
* Wed Sep  7 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.10-2
- corrected source
* Wed Sep  7 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.10-1
- Bug 735114 - renaming a managed entry does not update mepmanagedby
* Thu Sep  1 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.9-1
- Bug 735121 - simple paged search + ip/dns based ACI hangs server
- Bug 722292 - (cov#11030) Leak of mapped_sdn in winsync rename code
- Bug 703990 - cross-platform - Support upgrade from Red Hat Directory Serv=
er
- Introducing an environment variable USE_VALGRIND to clean up the entry ca=
che and dn cache on exit.
* Wed Aug 31 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.8-1
- Bug 732153 - subtree and user account lockout policies implemented?
- Bug 722292 - Entries in DS are not updated properly when using WinSync API
* Wed Aug 24 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.7-1
- Bug 733103 - large targetattr list with syntax errors cause server to cra=
sh or hang
- Bug 633803 - passwordisglobalpolicy attribute brakes TLS chaining
- Bug 732541 - Ignore error 32 when adding automember config
- Bug 728592 - Allow ns-slapd to start with an invalid server cert
* Wed Aug 10 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.6-1
- Bug 728510 - Run dirsync after sending updates to AD
- Bug 729717 - Fatal error messages when syncing deletes from AD
- Bug 729369 - upgrade DB to upgrade from entrydn to entryrdn format is not=
 working.
- Bug 729378 - delete user subtree container in AD + modify password in DS =
=3D=3D DS crash
- Bug 723937 - Slapi_Counter API broken on  32-bit F15
-   fixed again - separate tests for atomic ops and atomic bool cas
* Mon Aug  8 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.5-1
- Bug 727511 - ldclt SSL search requests are failing with "illegal error nu=
mber -1" error
-  Fix another coverity NULL deref in previous patch
* Thu Aug  4 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.4-1
- Bug 727511 - ldclt SSL search requests are failing with "illegal error nu=
mber -1" error
-  Fix coverity NULL deref in previous patch
* Wed Aug  3 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.3-1
- Bug 727511 - ldclt SSL search requests are failing with "illegal error nu=
mber -1" error
-  previous patch broke build on el5
* Wed Aug  3 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.2-1
- Bug 727511 - ldclt SSL search requests are failing with "illegal error nu=
mber -1" error
* Tue Aug  2 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.1-2
- Bug 723937 - Slapi_Counter API broken on  32-bit F15
-   fixed to use configure test for GCC provided 64-bit atomic functions
* Wed Jul 27 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.1-1
- Bug 663752 - Cert renewal for attrcrypt and encchangelog
-   this was "re-fixed" due to a deadlock condition with cl2ldif task cancel
- Bug 725953 - Winsync: DS entries fail to sync to AD, if the User's CN ent=
ry contains a comma
- Bug 725743 - Make memberOf use PRMonitor for it's operation lock
- Bug 725542 - Instance upgrade fails when upgrading 389-ds-base package
- Bug 723937 - Slapi_Counter API broken on  32-bit F15
* Fri Jul 15 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9.0-1
- Bug 720059 - RDN with % can cause crashes or missing entries
- Bug 709468 - RSA Authentication Server timeouts when using simple paged r=
esults on RHDS 8.2.
- Bug 691313 - Need TLS/SSL error messages in repl status and errors log
- Bug 712855 - Directory Server 8.2 logs "Netscape Portable Runtime error -=
5961 (TCP connection reset by peer.)" to error log whereas Directory Server=
 8.1 did not
- Bug 713209 - Update sudo schema
- Bug 719069 - clean up compiler warnings in 389-ds-base 1.2.9
- Bug 718303 - Intensive updates on masters could break the consumer's cache
- Bug 711679 - unresponsive LDAP service when deleting vlv on replica
* Mon Jun 27 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9-0.2.a2
- 389-ds-base-1.2.9.a2
- look for separate openldap ldif library
- Split automember regex rules into separate entries
- writing Inf file shows SchemaFile =3D ARRAY(0xhexnum)
- add support for ldif files with changetype: add
- Bug 716980 - winsync uses old AD entry if new one not found
- Bug 697694 - rhds82 - incr update state stop_fatal_error "requires admini=
strator action", with extop_result: 9
- bump console version to 1.2.6
- Bug 711679 - unresponsive LDAP service when deleting vlv on replica
- Bug 703703 - setup-ds-admin.pl asks for legal agreement to a non-existant=
 file
- Bug 706209 - LEGAL: RHEL6.1 License issue for 389-ds-base package
- Bug 663752 - Cert renewal for attrcrypt and encchangelog
- Bug 706179 - DS can not restart after create a new objectClass has entryu=
sn attribute
- Bug 711906 - ns-slapd segfaults using suffix referrals
- Bug 707384 - only allow FIPS approved cipher suites in FIPS mode
- Bug 710377 - Import with chain-on-update crashes ns-slapd
- Bug 709826 - Memory leak: when extra referrals configured
* Thu May 26 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.9-0.1.a1
- 389-ds-base-1.2.9.a1
- Auto Membership
- More Coverity fixes
* Mon May  2 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.8.3-1
- 389-ds-base-1.2.8.3
- Bug 700145 - userpasswd not replicating
- Bug 700557 - Linked attrs callbacks access free'd pointers after close
- Bug 694336 - Group sync hangs Windows initial Sync
- Bug 700215 - ldclt core dumps
- Bug 695779 - windows sync can lose old values when a new value is added
- Bug 697027 - 12 - minor memory leaks found by Valgrind + TET
* Wed Apr 27 2011 Rich Megginson <rmeggins at redhat.com> - 1.2.8.2-2
- explicitly disable the use of systemd
---------------------------------------------------------------------------=
-----
References:

  [ 1 ] Bug #743035 - HBAC processing is very slow when dealing with FreeIP=
A deployments with large numbers of hosts.
        https://bugzilla.redhat.com/show_bug.cgi?id=3D743035
  [ 2 ] Bug #741744 - MOD operations with chained delete/add get back error=
 53 on backend config
        https://bugzilla.redhat.com/show_bug.cgi?id=3D741744
  [ 3 ] Bug #743966 - Compiler warnings in account usability plugin
        https://bugzilla.redhat.com/show_bug.cgi?id=3D743966
  [ 4 ] Bug #740942 - allow resource limits to be set for paged searches in=
dependently of limits for other searches/operations
        https://bugzilla.redhat.com/show_bug.cgi?id=3D740942
  [ 5 ] Bug #742324 - allow nsslapd-idlistscanlimit to be set dynamically a=
nd per-user
        https://bugzilla.redhat.com/show_bug.cgi?id=3D742324
  [ 6 ] Bug #739172 - Allow separate fractional attrs to be defined for inc=
remental and total protocols
        https://bugzilla.redhat.com/show_bug.cgi?id=3D739172
  [ 7 ] Bug #736712 - Modifying ruv entry deadlocks server
        https://bugzilla.redhat.com/show_bug.cgi?id=3D736712
  [ 8 ] Bug #590826 - Reloading database from ldif causes changelog to emit=
 "data no longer matches" errors
        https://bugzilla.redhat.com/show_bug.cgi?id=3D590826
  [ 9 ] Bug #730387 - Use POSIX RW locks instead of NSPR implementation
        https://bugzilla.redhat.com/show_bug.cgi?id=3D730387
  [ 10 ] Bug #611438 - [RFE] [CRM#2027194] adding Account Usable Request Co=
ntrol '1.3.6.1.4.1.42.2.27.9.5.8' in RHDS
        https://bugzilla.redhat.com/show_bug.cgi?id=3D611438
  [ 11 ] Bug #735114 - renaming a managed entry does not update mepmanagedby
        https://bugzilla.redhat.com/show_bug.cgi?id=3D735114
---------------------------------------------------------------------------=
-----

This update can be installed with the "yum" update program.  Use =

su -c 'yum update 389-ds-base' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on t=
he
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
---------------------------------------------------------------------------=
-----

More information about the package-announce mailing list