Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear SRM,

Please consider this openldap update for stretch. I apologize for the late request and will understand if it doesn't make it. Both fixes have already had some time in testing and stretch-backports.

* Import upstream patch to fix an out-of-sync issue with delta-syncrepl replication in multi-master environments, resulting from changes losing tracking information and being applied multiple times. (ITS#84444) (Closes: #877166)

This issue impacts replication when the memberof overlay is used in a multi-master setup. Sven Mäder (in X-D-CC) has tested the proposed package on a stretch system and verified the fix.

* Really fix upgrades when the config contains backslash-escaped special characters. The previous fix was incomplete and didn't fully fix upgrades involving a database reload. (Closes: #864719)

The first part of this, fixing simple upgrades that don't require a database reload, is already in stretch (as +deb9u1). This additional patch deals with code that is not executed in a typical upgrade but might be triggered based on the old version or the debconf settings.

thanks,
Ryan

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru openldap-2.4.44+dfsg/debian/changelog openldap-2.4.44+dfsg/debian/changelog --- openldap-2.4.44+dfsg/debian/changelog 2017-08-10 12:12:46.000000000 -0700 +++ openldap-2.4.44+dfsg/debian/changelog 2018-05-22 21:25:19.000000000 -0700 @@ -1,3 +1,15 @@ +openldap (2.4.44+dfsg-5+deb9u2) stretch; urgency=medium + + * Import upstream patch to fix an out-of-sync issue with delta-syncrepl + replication in multi-master environments, resulting from changes losing + tracking information and being applied multiple times. + (ITS#8444) (Closes: #877166) + * Really fix upgrades when the config contains backslash-escaped special + characters. The previous fix was incomplete and didn't fully fix upgrades + involving a database reload. (Closes: #864719) + + -- Ryan Tandy <r...@nardis.ca> Tue, 22 May 2018 21:25:19 -0700 + openldap (2.4.44+dfsg-5+deb9u1) stretch; urgency=medium * Relax the dependency of libldap-2.4-2 on libldap-common to also permit diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-8444-Do-not-clear-the-pending-operation-when-che.patch openldap-2.4.44+dfsg/debian/patches/ITS-8444-Do-not-clear-the-pending-operation-when-che.patch --- openldap-2.4.44+dfsg/debian/patches/ITS-8444-Do-not-clear-the-pending-operation-when-che.patch 1969-12-31 16:00:00.000000000 -0800 +++ openldap-2.4.44+dfsg/debian/patches/ITS-8444-Do-not-clear-the-pending-operation-when-che.patch 2018-05-22 21:25:19.000000000 -0700 
@@ -0,0 +1,30 @@ +From bb6438fb7ae32a622f456af8c4c9b8d479d5b209 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <on...@mistotebe.net> +Date: Fri, 25 Aug 2017 16:25:23 +0100 +Subject: [PATCH] ITS#8444 Do not clear the pending operation when + checkpointing + +When a checkpoint happens, if we remove the CSN from the pending list, +accesslog won't pass it onto the accesslog DB. But in a delta-mmr +scenario, an accesslog entry without a CSN faces a race where it might +be applied twice - that usually fails and causes a full refresh, other +times it can cause a silent desync - both are undesirable. +--- + servers/slapd/overlays/syncprov.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/servers/slapd/overlays/syncprov.c b/servers/slapd/overlays/syncprov.c +index 3e7667336..4c2d939d4 100644 +--- a/servers/slapd/overlays/syncprov.c ++++ b/servers/slapd/overlays/syncprov.c +@@ -1494,6 +1494,7 @@ syncprov_checkpoint( Operation *op, slap_overinst *on ) + opm.o_bd->bd_info = on->on_info->oi_orig; + opm.o_managedsait = SLAP_CONTROL_NONCRITICAL; + opm.o_no_schema_check = 1; ++ opm.o_opid = -1; + opm.o_bd->be_modify( &opm, &rsm ); + + if ( rsm.sr_err == LDAP_NO_SUCH_OBJECT && +-- +2.11.0 + diff -Nru openldap-2.4.44+dfsg/debian/patches/series openldap-2.4.44+dfsg/debian/patches/series --- openldap-2.4.44+dfsg/debian/patches/series 2017-08-09 22:07:34.000000000 -0700 +++ openldap-2.4.44+dfsg/debian/patches/series 2018-05-22 21:25:19.000000000 -0700 
@@ -31,3 +31,4 @@ ITS-8432-fix-infinite-looping-mods-in-delta-mmr.patch ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch ITS-8648-init-SASL-library-in-global-init.patch +ITS-8444-Do-not-clear-the-pending-operation-when-che.patch diff -Nru openldap-2.4.44+dfsg/debian/slapd.scripts-common openldap-2.4.44+dfsg/debian/slapd.scripts-common --- openldap-2.4.44+dfsg/debian/slapd.scripts-common 2017-08-09 22:07:34.000000000 -0700 +++ openldap-2.4.44+dfsg/debian/slapd.scripts-common 2018-05-22 21:25:19.000000000 -0700 @@ -182,11 +182,11 @@ dir=`database_dumping_destdir` echo >&2 " Dumping to $dir: " - (get_suffix | while read suffix; do + (get_suffix | while read -r suffix; do dbdir=`get_directory "$suffix"` if [ -n "$dbdir" ]; then file="$dir/$suffix.ldif" - echo -n " - directory $suffix... " >&2 + printf ' - directory %s... ' "$suffix" >&2 # Need to support slapd.d migration from preinst if [ -f "${SLAPD_CONF}" ]; then slapcat_opts="-g -f ${SLAPD_CONF}" @@ -215,7 +215,7 @@ echo >&2 " Loading from $dir: " # restore by increasing suffix length due to possibly glued databases get_suffix | awk '{ print length, $0 }' | sort -n | cut -d ' ' -f 2- \ - | while read suffix; do + | while read -r suffix; do dbdir=`get_directory "$suffix"` if [ -z "$dbdir" ]; then continue @@ -227,11 +227,11 @@ fi file="$dir/$suffix.ldif" - echo -n " - directory $suffix... " >&2 + printf ' - directory %s... ' "$suffix" >&2 # If there is an old DB_CONFIG file, restore it before # running slapadd - backupdir=`compute_backup_path -n "$dbdir" "$suffix"` + backupdir="$(compute_backup_path -n "$dbdir" "$suffix")" if [ -e "$backupdir"/DB_CONFIG ]; then cp -a "$backupdir"/DB_CONFIG "$dbdir"/ fi @@ -267,7 +267,7 @@ # }}} move_incompatible_databases_away() { # {{{ echo >&2 " Moving old database directories to /var/backups:" - (get_suffix | while read suffix; do + (get_suffix | while read -r suffix; do dbdir=`get_directory "$suffix"` move_old_database_away "$dbdir" "$suffix" <&5 done) 5<&0 </dev/null 
@@ -287,7 +287,7 @@ get_suffix() { # {{{ if [ -f "${SLAPD_CONF}" ]; then for f in `get_all_slapd_conf_files`; do - sed -n -e's/^suffix[[:space:]]\+"*\([^"]\+\)"*/\1/p' $f + sed -n -e '/^suffix[[:space:]]/ { s/^suffix[[:space:]]\+"*\([^"]\+\)"*/\1/; s/\\\\/\\/g; p }' $f done else grep -h ^olcSuffix ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif | cut -d: -f 2 @@ -297,13 +297,15 @@ get_directory() { # {{{ # Returns the db directory for a given suffix if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -Fq "$1" ; then - sed -n 's/^olcDbDirectory: *//p' `grep -Fl "^olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` + sed -n 's/^olcDbDirectory: *//p' `grep -Flx "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif` elif [ -f "${SLAPD_CONF}" ]; then # Extract the directory for the given suffix ($1) + # Quote backslashes once for slapd.conf parser, again for awk + quoted="$(printf '%s' "$1" | sed 's/\\/\\\\\\\\/g')" for f in `get_all_slapd_conf_files`; do awk ' BEGIN { DB=0; SUF=""; DIR="" } ; /^database/ { DB=1; SUF=""; DIR="" } ; - DB==1 && /^suffix[ \t]+"?'"$1"'"?$/ { SUF=$2 ; } ; + DB==1 && /^suffix[ \t]+"?'"$quoted"'"?$/ { SUF=$2 ; } ; DB==1 && /^directory/ { DIR=$2 ;} ; DB==1 && SUF!="" && DIR!="" { sub(/^"/,"",DIR) ; sub(/"$/,"",DIR) ; print DIR; SUF=""; DIR="" }' "${f}" | \ sed -e's/\([^\\]\|^\)"/\1/g; s/\\"/"/g; s/\\\\/\\/g' @@ -369,7 +371,7 @@ exit 1 fi - echo "$target" + printf '%s' "$target" } # }}} @@ -397,8 +399,8 @@ # include mount points as well anyway, but it's much less likely. db_get slapd/move_old_database if [ "$RET" = true ]; then - backupdir=`compute_backup_path "$databasedir" "$suffix"` - echo -n " - directory $suffix... " >&2 + backupdir="$(compute_backup_path "$databasedir" "$suffix")" + printf ' - directory %s... ' "$suffix" >&2 mkdir -p "$backupdir" find -H "$databasedir" -mindepth 1 -maxdepth 1 -type f \ -exec mv {} "$backupdir" \;
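
Review bot: The added `opm.o_opid = -1;` in syncprov_checkpoint() (servers/slapd/overlays/syncprov.c) is a bare sentinel with no comment, and the reason for it exists only in the commit message. Add a one-line comment at the assignment stating that it is there so the pending operation is not cleared when checkpointing, so the line is not dropped as dead code in a later cleanup.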
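
Review bot: In get_suffix() in debian/slapd.scripts-common, the new sed expression undoes `\\\\` but not `\"`, whereas the sed at the end of get_directory() handles both (`s/\\"/"/g; s/\\\\/\\/g`). The capture `\([^"]\+\)` also stops at the first double quote, so a suffix containing an escaped quote is cut short here while get_directory() expects the full value. Either handle `\"` in the same way in both places or state in a comment that escaped quotes in a suffix are not supported. While touching this line, `$f` should be quoted as it already is in the awk call below.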
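
Review bot: In the cn=config branch of get_directory(), the guard `get_suffix | grep -Fq "$1"` is still a substring match while the lookup on the next line is now the whole-line `grep -Flx "olcSuffix: $1"`. If the guard passes on a partial match and the exact match finds no file, the backquoted grep expands to nothing, sed runs with no file operand and reads stdin, which in the callers is the `while read -r suffix` pipe. Use `grep -Fxq` in the guard so both tests agree, and skip the sed call when the file list is empty.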
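
Review bot: In the slapd.conf branch of get_directory(), `quoted` escapes only backslashes before it is spliced into the awk pattern `/^suffix[ \t]+"?'"$quoted"'"?$/`, so any other regex metacharacter in a suffix is still interpreted by awk: a `.` matches any character, a `+` becomes a quantifier, and a `/` ends the regex literal. Escape those characters as well, or pass the suffix to awk through the environment (ENVIRON) and compare it as a string instead of building a pattern from it.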