Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

- Resolves: rhbz#2424132 Upgrade from freeipa-4.12.5-3 and 390-ds-base-3.1.3-10 to latest rawhide fails

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,218 +1,4 @@
 *~
-/389-ds-base-1.2.7.2.tar.bz2
-/389-ds-base-1.2.7.3.tar.bz2
-/389-ds-base-1.2.7.4.tar.bz2
-/389-ds-base-1.2.7.5.tar.bz2
-/389-ds-base-1.2.8.a1.tar.bz2
-/389-ds-base-1.2.8.a2.tar.bz2
-/389-ds-base-1.2.8.a3.tar.bz2
-/389-ds-base-1.2.8.rc1.tar.bz2
-/389-ds-base-1.2.8.rc2.tar.bz2
-/389-ds-base-1.2.8.rc4.tar.bz2
-/389-ds-base-1.2.8.rc5.tar.bz2
-/389-ds-base-1.2.8.0.tar.bz2
-/389-ds-base-1.2.8.1.tar.bz2
-/389-ds-base-1.2.8.2.tar.bz2
-/389-ds-base-1.2.8.3.tar.bz2
-/389-ds-base-1.2.9.a1.tar.bz2
-/389-ds-base-1.2.9.a2.tar.bz2
-/389-ds-base-1.2.9.0.tar.bz2
-/389-ds-base-1.2.9.1.tar.bz2
-/389-ds-base-1.2.9.2.tar.bz2
-/389-ds-base-1.2.9.3.tar.bz2
-/389-ds-base-1.2.9.4.tar.bz2
-/389-ds-base-1.2.9.5.tar.bz2
-/389-ds-base-1.2.9.6.tar.bz2
-/389-ds-base-1.2.9.7.tar.bz2
-/389-ds-base-1.2.9.8.tar.bz2
-/389-ds-base-1.2.9.9.tar.bz2
-/389-ds-base-1.2.9.10.tar.bz2
-/389-ds-base-1.2.10.a1.tar.bz2
-/389-ds-base-1.2.10.a2.tar.bz2
-/389-ds-base-1.2.10.a3.tar.bz2
-/389-ds-base-1.2.10.a4.tar.bz2
-/389-ds-base-1.2.10.a5.tar.bz2
-/389-ds-base-1.2.10.a6.tar.bz2
-/389-ds-base-1.2.10.a7.tar.bz2
-/389-ds-base-1.2.10.a8.tar.bz2
-/389-ds-base-1.2.10.rc1.tar.bz2
-/389-ds-base-1.2.10.0.tar.bz2
-/389-ds-base-1.2.10.1.tar.bz2
-/389-ds-base-1.2.10.2.tar.bz2
-/389-ds-base-1.2.10.3.tar.bz2
-/389-ds-base-1.2.10.4.tar.bz2
-/389-ds-base-1.2.11.a1.tar.bz2
-/389-ds-base-1.2.11.1.tar.bz2
-/389-ds-base-1.2.11.2.tar.bz2
-/389-ds-base-1.2.11.3.tar.bz2
-/389-ds-base-1.2.11.4.tar.bz2
-/389-ds-base-1.2.11.5.tar.bz2
-/389-ds-base-1.2.11.6.tar.bz2
-/389-ds-base-1.2.11.7.tar.bz2
-/389-ds-base-1.2.11.8.tar.bz2
-/389-ds-base-1.2.11.9.tar.bz2
-/389-ds-base-1.2.11.10.tar.bz2
-/389-ds-base-1.2.11.11.tar.bz2
-/389-ds-base-1.2.11.12.tar.bz2
-/389-ds-base-1.2.11.13.tar.bz2
-/389-ds-base-1.2.11.14.tar.bz2
-/389-ds-base-1.2.11.15.tar.bz2
-/389-ds-base-1.3.0.a1.tar.bz2
-/389-ds-base-1.3.0.rc1.tar.bz2
-/389-ds-base-1.3.0.rc2.tar.bz2
-/389-ds-base-1.3.0.rc3.tar.bz2
-/389-ds-base-1.3.0.0.tar.bz2
-/389-ds-base-1.3.0.1.tar.bz2
-/389-ds-base-1.3.0.2.tar.bz2
-/389-ds-base-1.3.0.3.tar.bz2
-/389-ds-base-1.3.0.4.tar.bz2
-/389-ds-base-1.3.0.5.tar.bz2
-/389-ds-base-1.3.1.0.tar.bz2
-/389-ds-base-1.3.1.1.tar.bz2
-/389-ds-base-1.3.1.2.tar.bz2
-/389-ds-base-1.3.1.3.tar.bz2
-/389-ds-base-1.3.1.4.tar.bz2
-/389-ds-base-1.3.1.5.tar.bz2
-/389-ds-base-1.3.1.6.tar.bz2
-/389-ds-base-1.3.1.7.tar.bz2
-/389-ds-base-1.3.1.8.tar.bz2
-/389-ds-base-1.3.1.9.tar.bz2
-/389-ds-base-1.3.1.10.tar.bz2
-/389-ds-base-1.3.1.11.tar.bz2
-/389-ds-base-1.3.2.0.tar.bz2
-/389-ds-base-1.3.2.1.tar.bz2
-/389-ds-base-1.3.2.2.tar.bz2
-/389-ds-base-1.3.2.3.tar.bz2
-/389-ds-base-1.3.2.4.tar.bz2
-/389-ds-base-1.3.2.5.tar.bz2
-/389-ds-base-1.3.2.6.tar.bz2
-/389-ds-base-1.3.2.7.tar.bz2
-/389-ds-base-1.3.2.8.tar.bz2
-/389-ds-base-1.3.2.9.tar.bz2
-/389-ds-base-1.3.2.10.tar.bz2
-/389-ds-base-1.3.2.11.tar.bz2
-/389-ds-base-1.3.2.12.tar.bz2
-/389-ds-base-1.3.2.13.tar.bz2
-/389-ds-base-1.3.2.14.tar.bz2
-/389-ds-base-1.3.2.15.tar.bz2
-/389-ds-base-1.3.2.16.tar.bz2
-/389-ds-base-1.3.2.17.tar.bz2
-/389-ds-base-1.3.2.18.tar.bz2
-/389-ds-base-1.3.2.19.tar.bz2
-/389-ds-base-1.3.2.20.tar.bz2
-/389-ds-base-1.3.2.21.tar.bz2
-/389-ds-base-1.3.2.22.tar.bz2
-/389-ds-base-1.3.2.23.tar.bz2
-/389-ds-base-1.3.3.0.tar.bz2
-/389-ds-base-1.3.3.2.tar.bz2
-/389-ds-base-1.3.3.3.tar.bz2
-/389-ds-base-1.3.3.4.tar.bz2
-/389-ds-base-1.3.3.5.tar.bz2
-/389-ds-base-1.3.3.6.tar.bz2
-/389-ds-base-1.3.3.7.tar.bz2
-/389-ds-base-1.3.3.8.tar.bz2
-/389-ds-base-1.3.3.9.tar.bz2
-/389-ds-base-1.3.3.10.tar.bz2
-/389-ds-base-1.3.3.11.tar.bz2
-/389-ds-base-1.3.3.12.tar.bz2
-/389-ds-base-1.3.4.0.tar.bz2
-/nunc-stans-0.1.3.tar.bz2
-/nunc-stans-0.1.4.tar.bz2
-/389-ds-base-1.3.4.1.tar.bz2
-/nunc-stans-0.1.5.tar.bz2
-/389-ds-base-1.3.4.2.tar.bz2
-/389-ds-base-1.3.4.3.tar.bz2
-/389-ds-base-1.3.4.4.tar.bz2
-/389-ds-base-1.3.4.5.tar.bz2
-/389-ds-base-1.3.4.6.tar.bz2
-/389-ds-base-1.3.4.7.tar.bz2
-/389-ds-base-1.3.4.8.tar.bz2
-/389-ds-base-1.3.5.0.tar.bz2
-/nunc-stans-0.1.8.tar.bz2
-/389-ds-base-1.3.5.1.tar.bz2
-/389-ds-base-1.3.5.3.tar.bz2
-/389-ds-base-1.3.5.4.tar.bz2
-/389-ds-base-1.3.5.5.tar.bz2
-/389-ds-base-1.3.5.6.tar.bz2
-/389-ds-base-1.3.5.10.tar.bz2
-/389-ds-base-1.3.5.11.tar.bz2
-/389-ds-base-1.3.5.12.tar.bz2
-/389-ds-base-1.3.5.13.tar.bz2
-/389-ds-base-1.3.5.14.tar.bz2
-/nunc-stans-0.2.0.tar.bz2
-/389-ds-base-1.3.6.1.tar.bz2
-/389-ds-base-1.3.6.2.tar.bz2
-/389-ds-base-1.3.6.3.tar.bz2
-/389-ds-base-1.3.6.4.tar.bz2
-/389-ds-base-1.3.6.5.tar.bz2
-/389-ds-base-1.3.6.6.tar.bz2
-/389-ds-base-1.3.7.1.tar.bz2
-/389-ds-base-1.3.7.2.tar.bz2
-/389-ds-base-1.3.7.3.tar.bz2
-/389-ds-base-1.3.7.4.tar.bz2
-/389-ds-base-1.4.0.0.tar.bz2
-/389-ds-base-1.4.0.1.tar.bz2
-/389-ds-base-1.4.0.2.tar.bz2
-/389-ds-base-1.4.0.3.tar.bz2
-/389-ds-base-1.4.0.4.tar.bz2
-/389-ds-base-1.4.0.5.tar.bz2
-/389-ds-base-1.4.0.6.tar.bz2
-/389-ds-base-1.4.0.7.tar.bz2
-/389-ds-base-1.4.0.8.tar.bz2
-/389-ds-base-1.4.0.9.tar.bz2
-/389-ds-base-1.4.0.10.tar.bz2
-/jemalloc-5.0.1.tar.bz2
-/389-ds-base-1.4.0.11.tar.bz2
-/jemalloc-5.1.0.tar.bz2
-/389-ds-base-1.4.0.12.tar.bz2
-/389-ds-base-1.4.0.13.tar.bz2
-/389-ds-base-1.4.0.14.tar.bz2
-/389-ds-base-1.4.0.15.tar.bz2
-/389-ds-base-1.4.0.16.tar.bz2
-/389-ds-base-1.4.0.17.tar.bz2
-/389-ds-base-1.4.0.18.tar.bz2
-/389-ds-base-1.4.0.19.tar.bz2
-/389-ds-base-1.4.0.20.tar.bz2
-/389-ds-base-1.4.1.1.tar.bz2
-/389-ds-base-1.4.1.2.tar.bz2
-/389-ds-base-1.4.1.3.tar.bz2
-/389-ds-base-1.4.1.4.tar.bz2
-/389-ds-base-1.4.1.5.tar.bz2
-/jemalloc-5.2.0.tar.bz2
-/389-ds-base-1.4.1.6.tar.bz2
-/389-ds-base-1.4.2.1.tar.bz2
-/389-ds-base-1.4.2.2.tar.bz2
-/389-ds-base-1.4.2.3.tar.bz2
-/389-ds-base-1.4.2.4.tar.bz2
-/389-ds-base-1.4.2.5.tar.bz2
-/389-ds-base-1.4.3.1.tar.bz2
-/jemalloc-5.2.1.tar.bz2
-/389-ds-base-1.4.3.2.tar.bz2
-/389-ds-base-1.4.3.3.tar.bz2
-/389-ds-base-1.4.3.4.tar.bz2
-/389-ds-base-1.4.3.5.tar.bz2
-/389-ds-base-1.4.4.0.tar.bz2
-/389-ds-base-1.4.4.1.tar.bz2
-/389-ds-base-1.4.4.2.tar.bz2
-/389-ds-base-1.4.4.3.tar.bz2
-/389-ds-base-1.4.4.4.tar.bz2
-/389-ds-base-1.4.4.6.tar.bz2
-/389-ds-base-1.4.5.0.tar.bz2
-/389-ds-base-2.0.1.tar.bz2
-/389-ds-base-2.0.2.tar.bz2
-/389-ds-base-2.0.3.tar.bz2
-/389-ds-base-2.0.4.tar.bz2
-/389-ds-base-2.0.4.3.tar.bz2
-/389-ds-base-2.0.5.tar.bz2
-/389-ds-base-2.0.6.tar.bz2
-/389-ds-base-2.0.7.tar.bz2
-/389-ds-base-2.0.10.tar.bz2
-/389-ds-base-2.0.11.tar.bz2
-/389-ds-base-2.0.12.tar.bz2
-/389-ds-base-2.0.13.tar.bz2
-/389-ds-base-2.1.0.tar.bz2
-/389-ds-base-2.2.0.tar.bz2
-/389-ds-base-2.1.1.tar.bz2
-/jemalloc-5.3.0.tar.bz2
-/389-ds-base-2.2.1.tar.bz2
-/389-ds-base-2.2.2.tar.bz2
+/389-ds-base-*.tar.bz2
+/jemalloc-*.tar.bz2
+/libdb-5.3.28-59.tar.bz2

0001-Issue-7096-During-replication-online-total-init-the-.patch

@@ -0,0 +1,318 @@
+From 1c9c535888b9a850095794787d67900b04924a76 Mon Sep 17 00:00:00 2001
+From: tbordaz <tbordaz@redhat.com>
+Date: Wed, 7 Jan 2026 11:21:12 +0100
+Subject: [PATCH] Issue 7096 - During replication online total init the
+ function idl_id_is_in_idlist is not scaling with large database (#7145)
+
+Bug description:
+	During a online total initialization, the supplier sorts
+	the candidate list of entries so that the parents are sent before
+	children entries.
+	With large DB the ID array used for the sorting is not
+	scaling. It takes so long to build the candidate list that
+	the connection gets closed
+
+Fix description:
+        Instead of using an ID array, uses a list of ID ranges
+
+fixes: #7096
+
+Reviewed by: Mark Reynolds, Pierre Rogier (Thanks !!)
+---
+ ldap/servers/slapd/back-ldbm/back-ldbm.h      |  12 ++
+ ldap/servers/slapd/back-ldbm/idl_common.c     | 163 ++++++++++++++++++
+ ldap/servers/slapd/back-ldbm/idl_new.c        |  30 ++--
+ .../servers/slapd/back-ldbm/proto-back-ldbm.h |   3 +
+ 4 files changed, 189 insertions(+), 19 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/back-ldbm.h b/ldap/servers/slapd/back-ldbm/back-ldbm.h
+index 1bc36720d..b187c26bc 100644
+--- a/ldap/servers/slapd/back-ldbm/back-ldbm.h
++++ b/ldap/servers/slapd/back-ldbm/back-ldbm.h
+@@ -282,6 +282,18 @@ typedef struct _idlist_set
+ #define INDIRECT_BLOCK(idl) ((idl)->b_nids == INDBLOCK)
+ #define IDL_NIDS(idl)       (idl ? (idl)->b_nids : (NIDS)0)
+ 
++/*
++ * used by the supplier during online total init
++ * it stores the ranges of ID that are already present
++ * in the candidate list ('parentid>=1')
++ */
++typedef struct IdRange {
++    ID first;
++    ID last;
++    struct IdRange *next;
++} IdRange_t;
++
++
+ typedef size_t idl_iterator;
+ 
+ /* small hashtable implementation used in the entry cache -- the table
+diff --git a/ldap/servers/slapd/back-ldbm/idl_common.c b/ldap/servers/slapd/back-ldbm/idl_common.c
+index fcb0ece4b..fdc9b4e67 100644
+--- a/ldap/servers/slapd/back-ldbm/idl_common.c
++++ b/ldap/servers/slapd/back-ldbm/idl_common.c
+@@ -172,6 +172,169 @@ idl_min(IDList *a, IDList *b)
+     return (a->b_nids > b->b_nids ? b : a);
+ }
+ 
++/*
++ * This is a faster version of idl_id_is_in_idlist.
++ * idl_id_is_in_idlist uses an array of ID so lookup is expensive
++ * idl_id_is_in_idlist_ranges uses a list of ranges of ID lookup is faster
++ * returns
++ *   1: 'id' is present in idrange_list
++ *   0: 'id' is not present in idrange_list
++ */
++int
++idl_id_is_in_idlist_ranges(IDList *idl, IdRange_t *idrange_list, ID id)
++{
++    IdRange_t *range = idrange_list;
++    int found = 0;
++
++    if (NULL == idl || NOID == id) {
++        return 0; /* not in the list */
++    }
++    if (ALLIDS(idl)) {
++        return 1; /* in the list */
++    }
++
++    for(;range; range = range->next) {
++        if (id > range->last) {
++            /* check if it belongs to the next range */
++            continue;
++        }
++        if (id >= range->first) {
++            /* It belongs to that range [first..last ] */
++            found = 1;
++            break;
++        } else {
++            /* this range is after id */
++            break;
++        }
++    }
++    return found;
++}
++
++/* This function is used during the online total initialisation
++ * (see next function)
++ * It frees all ranges of ID in the list
++ */
++void idrange_free(IdRange_t **head)
++{
++    IdRange_t *curr, *sav;
++
++    if ((head == NULL) || (*head == NULL)) {
++        return;
++    }
++    curr = *head;
++    sav = NULL;
++    for (; curr;) {
++        sav = curr;
++        curr = curr->next;
++        slapi_ch_free((void *) &sav);
++    }
++    if (sav) {
++        slapi_ch_free((void *) &sav);
++    }
++    *head = NULL;
++}
++
++/* This function is used during the online total initialisation
++ * Because a MODRDN can move entries under a parent that
++ * has a higher ID we need to sort the IDList so that parents
++ * are sent, to the consumer, before the children are sent.
++ * The sorting with a simple IDlist does not scale instead
++ * a list of IDs ranges is much faster.
++ * In that list we only ADD/lookup ID.
++ */
++IdRange_t *idrange_add_id(IdRange_t **head, ID id)
++{
++    if (head == NULL) {
++        slapi_log_err(SLAPI_LOG_ERR, "idrange_add_id",
++                      "Can not add ID %d in non defined list\n", id);
++        return NULL;
++    }
++
++    if (*head == NULL) {
++        /* This is the first range */
++        IdRange_t *new_range = (IdRange_t *)slapi_ch_malloc(sizeof(IdRange_t));
++        new_range->first = id;
++        new_range->last = id;
++        new_range->next = NULL;
++        *head = new_range;
++        return *head;
++    }
++
++    IdRange_t *curr = *head, *prev = NULL;
++
++    /* First, find if id already falls within any existing range, or it is adjacent to any */
++    while (curr) {
++        if (id >= curr->first && id <= curr->last) {
++            /* inside a range, nothing to do */
++            return curr;
++        }
++
++        if (id == curr->last + 1) {
++            /* Extend this range upwards */
++            curr->last = id;
++
++            /* Check for possible merge with next range */
++            IdRange_t *next = curr->next;
++            if (next && curr->last + 1 >= next->first) {
++                slapi_log_err(SLAPI_LOG_REPL, "idrange_add_id",
++                        "(id=%d) merge current  with next range [%d..%d]\n", id, curr->first, curr->last);
++                curr->last = (next->last > curr->last) ? next->last : curr->last;
++                curr->next = next->next;
++                slapi_ch_free((void*) &next);
++            } else {
++                slapi_log_err(SLAPI_LOG_REPL, "idrange_add_id",
++                              "(id=%d) extend forward current range [%d..%d]\n", id, curr->first, curr->last);
++            }
++            return curr;
++        }
++
++        if (id + 1 == curr->first) {
++            /* Extend this range downwards */
++            curr->first = id;
++
++            /* Check for possible merge with previous range */
++            if (prev && prev->last + 1 >= curr->first) {
++                prev->last = curr->last;
++                prev->next = curr->next;
++                slapi_ch_free((void *) &curr);
++                slapi_log_err(SLAPI_LOG_REPL, "idrange_add_id",
++                              "(id=%d) merge current with previous range [%d..%d]\n", id, prev->first, prev->last);
++                return prev;
++            } else {
++                slapi_log_err(SLAPI_LOG_REPL, "idrange_add_id",
++                              "(id=%d) extend backward current range [%d..%d]\n", id, curr->first, curr->last);
++                return curr;
++            }
++        }
++
++        /* If id is before the current range, break so we can insert before */
++        if (id < curr->first) {
++            break;
++        }
++
++        prev = curr;
++        curr = curr->next;
++    }
++    /* Need to insert a new standalone IdRange */
++    IdRange_t *new_range = (IdRange_t *)slapi_ch_malloc(sizeof(IdRange_t));
++    new_range->first = id;
++    new_range->last = id;
++    new_range->next = curr;
++
++    if (prev) {
++        slapi_log_err(SLAPI_LOG_REPL, "idrange_add_id",
++                      "(id=%d) add new range [%d..%d]\n", id, new_range->first, new_range->last);
++        prev->next = new_range;
++    } else {
++        /* Insert at head */
++        slapi_log_err(SLAPI_LOG_REPL, "idrange_add_id",
++                      "(id=%d) head range [%d..%d]\n", id, new_range->first, new_range->last);
++        *head = new_range;
++    }
++    return *head;
++}
++
++
+ int
+ idl_id_is_in_idlist(IDList *idl, ID id)
+ {
+diff --git a/ldap/servers/slapd/back-ldbm/idl_new.c b/ldap/servers/slapd/back-ldbm/idl_new.c
+index 5fbcaff2e..2d978353f 100644
+--- a/ldap/servers/slapd/back-ldbm/idl_new.c
++++ b/ldap/servers/slapd/back-ldbm/idl_new.c
+@@ -417,7 +417,6 @@ idl_new_range_fetch(
+ {
+     int ret = 0;
+     int ret2 = 0;
+-    int idl_rc = 0;
+     dbi_cursor_t cursor = {0};
+     IDList *idl = NULL;
+     dbi_val_t cur_key = {0};
+@@ -436,6 +435,7 @@ idl_new_range_fetch(
+     size_t leftoverlen = 32;
+     size_t leftovercnt = 0;
+     char *index_id = get_index_name(be, db, ai);
++    IdRange_t *idrange_list = NULL;
+ 
+ 
+     if (NULL == flag_err) {
+@@ -578,10 +578,12 @@ idl_new_range_fetch(
+                      * found entry is the one from the suffix
+                      */
+                     suffix = key;
+-                    idl_rc = idl_append_extend(&idl, id);
+-                } else if ((key == suffix) || idl_id_is_in_idlist(idl, key)) {
++                    idl_append_extend(&idl, id);
++                    idrange_add_id(&idrange_list, id);
++                } else if ((key == suffix) || idl_id_is_in_idlist_ranges(idl, idrange_list, key)) {
+                     /* the parent is the suffix or already in idl. */
+-                    idl_rc = idl_append_extend(&idl, id);
++                    idl_append_extend(&idl, id);
++                    idrange_add_id(&idrange_list, id);
+                 } else {
+                     /* Otherwise, keep the {key,id} in leftover array */
+                     if (!leftover) {
+@@ -596,13 +598,7 @@ idl_new_range_fetch(
+                     leftovercnt++;
+                 }
+             } else {
+-                idl_rc = idl_append_extend(&idl, id);
+-            }
+-            if (idl_rc) {
+-                slapi_log_err(SLAPI_LOG_ERR, "idl_new_range_fetch",
+-                              "Unable to extend id list (err=%d)\n", idl_rc);
+-                idl_free(&idl);
+-                goto error;
++                idl_append_extend(&idl, id);
+             }
+ 
+             count++;
+@@ -695,21 +691,17 @@ error:
+ 
+         while(remaining > 0) {
+             for (size_t i = 0; i < leftovercnt; i++) {
+-                if (leftover[i].key > 0 && idl_id_is_in_idlist(idl, leftover[i].key) != 0) {
++                if (leftover[i].key > 0 && idl_id_is_in_idlist_ranges(idl, idrange_list, leftover[i].key) != 0) {
+                     /* if the leftover key has its parent in the idl */
+-                    idl_rc = idl_append_extend(&idl, leftover[i].id);
+-                    if (idl_rc) {
+-                        slapi_log_err(SLAPI_LOG_ERR, "idl_new_range_fetch",
+-                                      "Unable to extend id list (err=%d)\n", idl_rc);
+-                        idl_free(&idl);
+-                        return NULL;
+-                    }
++                    idl_append_extend(&idl, leftover[i].id);
++                    idrange_add_id(&idrange_list, leftover[i].id);
+                     leftover[i].key = 0;
+                     remaining--;
+                 }
+             }
+         }
+         slapi_ch_free((void **)&leftover);
++        idrange_free(&idrange_list);
+     }
+     slapi_log_err(SLAPI_LOG_FILTER, "idl_new_range_fetch",
+                   "Found %d candidates; error code is: %d\n",
+diff --git a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
+index 91d61098a..30a7aa11f 100644
+--- a/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
++++ b/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h
+@@ -217,6 +217,9 @@ ID idl_firstid(IDList *idl);
+ ID idl_nextid(IDList *idl, ID id);
+ int idl_init_private(backend *be, struct attrinfo *a);
+ int idl_release_private(struct attrinfo *a);
++IdRange_t *idrange_add_id(IdRange_t **head, ID id);
++void idrange_free(IdRange_t **head);
++int idl_id_is_in_idlist_ranges(IDList *idl, IdRange_t *idrange_list, ID id);
+ int idl_id_is_in_idlist(IDList *idl, ID id);
+ 
+ idl_iterator idl_iterator_init(const IDList *idl);
+-- 
+2.52.0
+

0002-Issue-Revise-paged-result-search-locking.patch

@@ -0,0 +1,765 @@
+From 446bc42e7b64a8496c2c3fe486f86bba318bed5e Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Wed, 7 Jan 2026 16:55:27 -0500
+Subject: [PATCH] Issue - Revise paged result search locking
+
+Description:
+
+Move to a single lock approach verses having two locks. This will impact
+concurrency when multiple async paged result searches are done on the same
+connection, but it simplifies the code and avoids race conditions and
+deadlocks.
+
+Relates: https://github.com/389ds/389-ds-base/issues/7118
+
+Reviewed by: progier & tbordaz (Thanks!!)
+---
+ ldap/servers/slapd/abandon.c      |   2 +-
+ ldap/servers/slapd/opshared.c     |  60 ++++----
+ ldap/servers/slapd/pagedresults.c | 228 +++++++++++++++++++-----------
+ ldap/servers/slapd/proto-slap.h   |  26 ++--
+ ldap/servers/slapd/slap.h         |   5 +-
+ 5 files changed, 187 insertions(+), 134 deletions(-)
+
+diff --git a/ldap/servers/slapd/abandon.c b/ldap/servers/slapd/abandon.c
+index 6024fcd31..1f47c531c 100644
+--- a/ldap/servers/slapd/abandon.c
++++ b/ldap/servers/slapd/abandon.c
+@@ -179,7 +179,7 @@ do_abandon(Slapi_PBlock *pb)
+     logpb.tv_sec = -1;
+     logpb.tv_nsec = -1;
+ 
+-    if (0 == pagedresults_free_one_msgid(pb_conn, id, pageresult_lock_get_addr(pb_conn))) {
++    if (0 == pagedresults_free_one_msgid(pb_conn, id, PR_NOT_LOCKED)) {
+         if (log_format != LOG_FORMAT_DEFAULT) {
+             /* JSON logging */
+             logpb.target_op = "Simple Paged Results";
+diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
+index a5cddfd23..bf800f7dc 100644
+--- a/ldap/servers/slapd/opshared.c
++++ b/ldap/servers/slapd/opshared.c
+@@ -572,8 +572,8 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
+                         be = be_list[index];
+                     }
+                 }
+-                pr_search_result = pagedresults_get_search_result(pb_conn, operation, 0 /*not locked*/, pr_idx);
+-                estimate = pagedresults_get_search_result_set_size_estimate(pb_conn, operation, pr_idx);
++                pr_search_result = pagedresults_get_search_result(pb_conn, operation, PR_NOT_LOCKED, pr_idx);
++                estimate = pagedresults_get_search_result_set_size_estimate(pb_conn, operation, PR_NOT_LOCKED, pr_idx);
+                 /* Set operation note flags as required. */
+                 if (pagedresults_get_unindexed(pb_conn, operation, pr_idx)) {
+                     slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_UNINDEXED);
+@@ -619,14 +619,7 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
+             int32_t tlimit;
+             slapi_pblock_get(pb, SLAPI_SEARCH_TIMELIMIT, &tlimit);
+             pagedresults_set_timelimit(pb_conn, operation, (time_t)tlimit, pr_idx);
+-            /* When using this mutex in conjunction with the main paged
+-             * result lock, you must do so in this order:
+-             *
+-             * --> pagedresults_lock()
+-             *    --> pagedresults_mutex
+-             *    <-- pagedresults_mutex
+-             * <-- pagedresults_unlock()
+-             */
++            /* IMPORTANT: Never acquire pagedresults_mutex when holding c_mutex. */
+             pagedresults_mutex = pageresult_lock_get_addr(pb_conn);
+         }
+ 
+@@ -743,17 +736,15 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
+         if (op_is_pagedresults(operation) && pr_search_result) {
+             void *sr = NULL;
+             /* PAGED RESULTS and already have the search results from the prev op */
+-            pagedresults_lock(pb_conn, pr_idx);
+             /*
+              * In async paged result case, the search result might be released
+              * by other theads.  We need to double check it in the locked region.
+              */
+             pthread_mutex_lock(pagedresults_mutex);
+-            pr_search_result = pagedresults_get_search_result(pb_conn, operation, 1 /*locked*/, pr_idx);
++            pr_search_result = pagedresults_get_search_result(pb_conn, operation, PR_LOCKED, pr_idx);
+             if (pr_search_result) {
+-                if (pagedresults_is_abandoned_or_notavailable(pb_conn, 1 /*locked*/, pr_idx)) {
++                if (pagedresults_is_abandoned_or_notavailable(pb_conn, PR_LOCKED, pr_idx)) {
+                     pthread_mutex_unlock(pagedresults_mutex);
+-                    pagedresults_unlock(pb_conn, pr_idx);
+                     /* Previous operation was abandoned and the simplepaged object is not in use. */
+                     send_ldap_result(pb, 0, NULL, "Simple Paged Results Search abandoned", 0, NULL);
+                     rc = LDAP_SUCCESS;
+@@ -764,14 +755,13 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
+ 
+                     /* search result could be reset in the backend/dse */
+                     slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_SET, &sr);
+-                    pagedresults_set_search_result(pb_conn, operation, sr, 1 /*locked*/, pr_idx);
++                    pagedresults_set_search_result(pb_conn, operation, sr, PR_LOCKED, pr_idx);
+                 }
+             } else {
+                 pr_stat = PAGEDRESULTS_SEARCH_END;
+                 rc = LDAP_SUCCESS;
+             }
+             pthread_mutex_unlock(pagedresults_mutex);
+-            pagedresults_unlock(pb_conn, pr_idx);
+ 
+             if ((PAGEDRESULTS_SEARCH_END == pr_stat) || (0 == pnentries)) {
+                 /* no more entries to send in the backend */
+@@ -789,22 +779,22 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
+             }
+             pagedresults_set_response_control(pb, 0, estimate,
+                                               curr_search_count, pr_idx);
+-            if (pagedresults_get_with_sort(pb_conn, operation, pr_idx)) {
++            if (pagedresults_get_with_sort(pb_conn, operation, PR_NOT_LOCKED, pr_idx)) {
+                 sort_make_sort_response_control(pb, CONN_GET_SORT_RESULT_CODE, NULL);
+             }
+             pagedresults_set_search_result_set_size_estimate(pb_conn,
+                                                              operation,
+-                                                             estimate, pr_idx);
++                                                             estimate, PR_NOT_LOCKED, pr_idx);
+             if (PAGEDRESULTS_SEARCH_END == pr_stat) {
+-                pagedresults_lock(pb_conn, pr_idx);
++                pthread_mutex_lock(pagedresults_mutex);
+                 slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_SET, NULL);
+-                if (!pagedresults_is_abandoned_or_notavailable(pb_conn, 0 /*not locked*/, pr_idx)) {
+-                    pagedresults_free_one(pb_conn, operation, pr_idx);
++                if (!pagedresults_is_abandoned_or_notavailable(pb_conn, PR_LOCKED, pr_idx)) {
++                    pagedresults_free_one(pb_conn, operation, PR_LOCKED, pr_idx);
+                 }
+-                pagedresults_unlock(pb_conn, pr_idx);
++                pthread_mutex_unlock(pagedresults_mutex);
+                 if (next_be) {
+                     /* no more entries, but at least another backend */
+-                    if (pagedresults_set_current_be(pb_conn, next_be, pr_idx, 0) < 0) {
++                    if (pagedresults_set_current_be(pb_conn, next_be, pr_idx, PR_NOT_LOCKED) < 0) {
+                         goto free_and_return;
+                     }
+                 }
+@@ -915,7 +905,7 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
+                         }
+                     }
+                     pagedresults_set_search_result(pb_conn, operation, NULL, 1, pr_idx);
+-                    rc = pagedresults_set_current_be(pb_conn, NULL, pr_idx, 1);
++                    rc = pagedresults_set_current_be(pb_conn, NULL, pr_idx, PR_LOCKED);
+                     pthread_mutex_unlock(pagedresults_mutex);
+ #pragma GCC diagnostic pop
+                 }
+@@ -954,7 +944,7 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
+                         pthread_mutex_lock(pagedresults_mutex);
+                         pagedresults_set_search_result(pb_conn, operation, NULL, 1, pr_idx);
+                         be->be_search_results_release(&sr);
+-                        rc = pagedresults_set_current_be(pb_conn, next_be, pr_idx, 1);
++                        rc = pagedresults_set_current_be(pb_conn, next_be, pr_idx, PR_LOCKED);
+                         pthread_mutex_unlock(pagedresults_mutex);
+                         pr_stat = PAGEDRESULTS_SEARCH_END; /* make sure stat is SEARCH_END */
+                         if (NULL == next_be) {
+@@ -967,23 +957,23 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
+                     } else {
+                         curr_search_count = pnentries;
+                         slapi_pblock_get(pb, SLAPI_SEARCH_RESULT_SET_SIZE_ESTIMATE, &estimate);
+-                        pagedresults_lock(pb_conn, pr_idx);
+-                        if ((pagedresults_set_current_be(pb_conn, be, pr_idx, 0) < 0) ||
+-                            (pagedresults_set_search_result(pb_conn, operation, sr, 0, pr_idx) < 0) ||
+-                            (pagedresults_set_search_result_count(pb_conn, operation, curr_search_count, pr_idx) < 0) ||
+-                            (pagedresults_set_search_result_set_size_estimate(pb_conn, operation, estimate, pr_idx) < 0) ||
+-                            (pagedresults_set_with_sort(pb_conn, operation, with_sort, pr_idx) < 0)) {
+-                            pagedresults_unlock(pb_conn, pr_idx);
++                        pthread_mutex_lock(pagedresults_mutex);
++                        if ((pagedresults_set_current_be(pb_conn, be, pr_idx, PR_LOCKED) < 0) ||
++                            (pagedresults_set_search_result(pb_conn, operation, sr, PR_LOCKED, pr_idx) < 0) ||
++                            (pagedresults_set_search_result_count(pb_conn, operation, curr_search_count, PR_LOCKED, pr_idx) < 0) ||
++                            (pagedresults_set_search_result_set_size_estimate(pb_conn, operation, estimate, PR_LOCKED, pr_idx) < 0) ||
++                            (pagedresults_set_with_sort(pb_conn, operation, with_sort, PR_LOCKED, pr_idx) < 0)) {
++                            pthread_mutex_unlock(pagedresults_mutex);
+                             cache_return_target_entry(pb, be, operation);
+                             goto free_and_return;
+                         }
+-                        pagedresults_unlock(pb_conn, pr_idx);
++                        pthread_mutex_unlock(pagedresults_mutex);
+                     }
+                     slapi_pblock_set(pb, SLAPI_SEARCH_RESULT_SET, NULL);
+                     next_be = NULL; /* to break the loop */
+                     if (operation->o_status & SLAPI_OP_STATUS_ABANDONED) {
+                         /* It turned out this search was abandoned. */
+-                        pagedresults_free_one_msgid(pb_conn, operation->o_msgid, pagedresults_mutex);
++                        pagedresults_free_one_msgid(pb_conn, operation->o_msgid, PR_NOT_LOCKED);
+                         /* paged-results-request was abandoned; making an empty cookie. */
+                         pagedresults_set_response_control(pb, 0, estimate, -1, pr_idx);
+                         send_ldap_result(pb, 0, NULL, "Simple Paged Results Search abandoned", 0, NULL);
+@@ -993,7 +983,7 @@ op_shared_search(Slapi_PBlock *pb, int send_result)
+                     }
+                     pagedresults_set_response_control(pb, 0, estimate, curr_search_count, pr_idx);
+                     if (curr_search_count == -1) {
+-                        pagedresults_free_one(pb_conn, operation, pr_idx);
++                        pagedresults_free_one(pb_conn, operation, PR_NOT_LOCKED, pr_idx);
+                     }
+                 }
+ 
+diff --git a/ldap/servers/slapd/pagedresults.c b/ldap/servers/slapd/pagedresults.c
+index 941ab97e3..0d6c4a1aa 100644
+--- a/ldap/servers/slapd/pagedresults.c
++++ b/ldap/servers/slapd/pagedresults.c
+@@ -34,9 +34,9 @@ pageresult_lock_cleanup()
+     slapi_ch_free((void**)&lock_hash);
+ }
+ 
+-/* Beware to the lock order with c_mutex:
+- * c_mutex is sometime locked while holding pageresult_lock
+- * ==> Do not lock pageresult_lock when holing c_mutex
++/* Lock ordering constraint with c_mutex:
++ * c_mutex is sometimes locked while holding pageresult_lock.
++ * Therefore: DO NOT acquire pageresult_lock when holding c_mutex.
+  */
+ pthread_mutex_t *
+ pageresult_lock_get_addr(Connection *conn)
+@@ -44,7 +44,11 @@ pageresult_lock_get_addr(Connection *conn)
+     return &lock_hash[(((size_t)conn)/sizeof (Connection))%LOCK_HASH_SIZE];
+ }
+ 
+-/* helper function to clean up one prp slot */
++/* helper function to clean up one prp slot
++ *
++ * NOTE: This function must be called while holding the pageresult_lock
++ * (via pageresult_lock_get_addr(conn)) to ensure thread-safe cleanup.
++ */
+ static void
+ _pr_cleanup_one_slot(PagedResults *prp)
+ {
+@@ -56,7 +60,7 @@ _pr_cleanup_one_slot(PagedResults *prp)
+         prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+     }
+ 
+-    /* clean up the slot except the mutex */
++    /* clean up the slot */
+     prp->pr_current_be = NULL;
+     prp->pr_search_result_set = NULL;
+     prp->pr_search_result_count = 0;
+@@ -136,6 +140,8 @@ pagedresults_parse_control_value(Slapi_PBlock *pb,
+         return LDAP_UNWILLING_TO_PERFORM;
+     }
+ 
++    /* Acquire hash-based lock for paged results list access
++     * IMPORTANT: Never acquire this lock when holding c_mutex */
+     pthread_mutex_lock(pageresult_lock_get_addr(conn));
+     /* the ber encoding is no longer needed */
+     ber_free(ber, 1);
+@@ -184,10 +190,6 @@ pagedresults_parse_control_value(Slapi_PBlock *pb,
+             goto bail;
+         }
+ 
+-        if ((*index > -1) && (*index < conn->c_pagedresults.prl_maxlen) &&
+-            !conn->c_pagedresults.prl_list[*index].pr_mutex) {
+-            conn->c_pagedresults.prl_list[*index].pr_mutex = PR_NewLock();
+-        }
+         conn->c_pagedresults.prl_count++;
+     } else {
+         /* Repeated paged results request.
+@@ -327,8 +329,14 @@ bailout:
+                   "<= idx=%d\n", index);
+ }
+ 
++/*
++ * Free one paged result entry by index.
++ *
++ * Locking: If locked=0, acquires pageresult_lock. If locked=1, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
++ */
+ int
+-pagedresults_free_one(Connection *conn, Operation *op, int index)
++pagedresults_free_one(Connection *conn, Operation *op, bool locked, int index)
+ {
+     int rc = -1;
+ 
+@@ -338,7 +346,9 @@ pagedresults_free_one(Connection *conn, Operation *op, int index)
+     slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_free_one",
+                   "=> idx=%d\n", index);
+     if (conn && (index > -1)) {
+-        pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        }
+         if (conn->c_pagedresults.prl_count <= 0) {
+             slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_free_one",
+                           "conn=%" PRIu64 " paged requests list count is %d\n",
+@@ -349,7 +359,9 @@ pagedresults_free_one(Connection *conn, Operation *op, int index)
+             conn->c_pagedresults.prl_count--;
+             rc = 0;
+         }
+-        pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        }
+     }
+ 
+     slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_free_one", "<= %d\n", rc);
+@@ -357,21 +369,28 @@ pagedresults_free_one(Connection *conn, Operation *op, int index)
+ }
+ 
+ /*
+- * Used for abandoning - pageresult_lock_get_addr(conn) is already locked in do_abandone.
++ * Free one paged result entry by message ID.
++ *
++ * Locking: If locked=0, acquires pageresult_lock. If locked=1, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
+  */
+ int
+-pagedresults_free_one_msgid(Connection *conn, ber_int_t msgid, pthread_mutex_t *mutex)
++pagedresults_free_one_msgid(Connection *conn, ber_int_t msgid, bool locked)
+ {
+     int rc = -1;
+     int i;
++    pthread_mutex_t *lock = NULL;
+ 
+     if (conn && (msgid > -1)) {
+         if (conn->c_pagedresults.prl_maxlen <= 0) {
+             ; /* Not a paged result. */
+         } else {
+             slapi_log_err(SLAPI_LOG_TRACE,
+-                          "pagedresults_free_one_msgid_nolock", "=> msgid=%d\n", msgid);
+-            pthread_mutex_lock(mutex);
++                          "pagedresults_free_one_msgid", "=> msgid=%d\n", msgid);
++            lock = pageresult_lock_get_addr(conn);
++            if (!locked) {
++                pthread_mutex_lock(lock);
++            }
+             for (i = 0; i < conn->c_pagedresults.prl_maxlen; i++) {
+                 if (conn->c_pagedresults.prl_list[i].pr_msgid == msgid) {
+                     PagedResults *prp = conn->c_pagedresults.prl_list + i;
+@@ -390,9 +409,11 @@ pagedresults_free_one_msgid(Connection *conn, ber_int_t msgid, pthread_mutex_t *
+                     break;
+                 }
+             }
+-            pthread_mutex_unlock(mutex);
++            if (!locked) {
++                pthread_mutex_unlock(lock);
++            }
+             slapi_log_err(SLAPI_LOG_TRACE,
+-                          "pagedresults_free_one_msgid_nolock", "<= %d\n", rc);
++                          "pagedresults_free_one_msgid", "<= %d\n", rc);
+         }
+     }
+ 
+@@ -418,29 +439,43 @@ pagedresults_get_current_be(Connection *conn, int index)
+     return be;
+ }
+ 
++/*
++ * Set current backend for a paged result entry.
++ *
++ * Locking: If locked=false, acquires pageresult_lock. If locked=true, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
++ */
+ int
+-pagedresults_set_current_be(Connection *conn, Slapi_Backend *be, int index, int nolock)
++pagedresults_set_current_be(Connection *conn, Slapi_Backend *be, int index, bool locked)
+ {
+     int rc = -1;
+     slapi_log_err(SLAPI_LOG_TRACE,
+                   "pagedresults_set_current_be", "=> idx=%d\n", index);
+     if (conn && (index > -1)) {
+-        if (!nolock)
++        if (!locked) {
+             pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        }
+         if (index < conn->c_pagedresults.prl_maxlen) {
+             conn->c_pagedresults.prl_list[index].pr_current_be = be;
+         }
+         rc = 0;
+-        if (!nolock)
++        if (!locked) {
+             pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        }
+     }
+     slapi_log_err(SLAPI_LOG_TRACE,
+                   "pagedresults_set_current_be", "<= %d\n", rc);
+     return rc;
+ }
+ 
++/*
++ * Get search result set for a paged result entry.
++ *
++ * Locking: If locked=0, acquires pageresult_lock. If locked=1, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
++ */
+ void *
+-pagedresults_get_search_result(Connection *conn, Operation *op, int locked, int index)
++pagedresults_get_search_result(Connection *conn, Operation *op, bool locked, int index)
+ {
+     void *sr = NULL;
+     if (!op_is_pagedresults(op)) {
+@@ -465,8 +500,14 @@ pagedresults_get_search_result(Connection *conn, Operation *op, int locked, int
+     return sr;
+ }
+ 
++/*
++ * Set search result set for a paged result entry.
++ *
++ * Locking: If locked=0, acquires pageresult_lock. If locked=1, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
++ */
+ int
+-pagedresults_set_search_result(Connection *conn, Operation *op, void *sr, int locked, int index)
++pagedresults_set_search_result(Connection *conn, Operation *op, void *sr, bool locked, int index)
+ {
+     int rc = -1;
+     if (!op_is_pagedresults(op)) {
+@@ -494,8 +535,14 @@ pagedresults_set_search_result(Connection *conn, Operation *op, void *sr, int lo
+     return rc;
+ }
+ 
++/*
++ * Get search result count for a paged result entry.
++ *
++ * Locking: If locked=0, acquires pageresult_lock. If locked=1, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
++ */
+ int
+-pagedresults_get_search_result_count(Connection *conn, Operation *op, int index)
++pagedresults_get_search_result_count(Connection *conn, Operation *op, bool locked, int index)
+ {
+     int count = 0;
+     if (!op_is_pagedresults(op)) {
+@@ -504,19 +551,29 @@ pagedresults_get_search_result_count(Connection *conn, Operation *op, int index)
+     slapi_log_err(SLAPI_LOG_TRACE,
+                   "pagedresults_get_search_result_count", "=> idx=%d\n", index);
+     if (conn && (index > -1)) {
+-        pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        }
+         if (index < conn->c_pagedresults.prl_maxlen) {
+             count = conn->c_pagedresults.prl_list[index].pr_search_result_count;
+         }
+-        pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        }
+     }
+     slapi_log_err(SLAPI_LOG_TRACE,
+                   "pagedresults_get_search_result_count", "<= %d\n", count);
+     return count;
+ }
+ 
++/*
++ * Set search result count for a paged result entry.
++ *
++ * Locking: If locked=0, acquires pageresult_lock. If locked=1, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
++ */
+ int
+-pagedresults_set_search_result_count(Connection *conn, Operation *op, int count, int index)
++pagedresults_set_search_result_count(Connection *conn, Operation *op, int count, bool locked, int index)
+ {
+     int rc = -1;
+     if (!op_is_pagedresults(op)) {
+@@ -525,11 +582,15 @@ pagedresults_set_search_result_count(Connection *conn, Operation *op, int count,
+     slapi_log_err(SLAPI_LOG_TRACE,
+                   "pagedresults_set_search_result_count", "=> idx=%d\n", index);
+     if (conn && (index > -1)) {
+-        pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        }
+         if (index < conn->c_pagedresults.prl_maxlen) {
+             conn->c_pagedresults.prl_list[index].pr_search_result_count = count;
+         }
+-        pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        }
+         rc = 0;
+     }
+     slapi_log_err(SLAPI_LOG_TRACE,
+@@ -537,9 +598,16 @@ pagedresults_set_search_result_count(Connection *conn, Operation *op, int count,
+     return rc;
+ }
+ 
++/*
++ * Get search result set size estimate for a paged result entry.
++ *
++ * Locking: If locked=0, acquires pageresult_lock. If locked=1, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
++ */
+ int
+ pagedresults_get_search_result_set_size_estimate(Connection *conn,
+                                                  Operation *op,
++                                                 bool locked,
+                                                  int index)
+ {
+     int count = 0;
+@@ -550,11 +618,15 @@ pagedresults_get_search_result_set_size_estimate(Connection *conn,
+                   "pagedresults_get_search_result_set_size_estimate",
+                   "=> idx=%d\n", index);
+     if (conn && (index > -1)) {
+-        pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        }
+         if (index < conn->c_pagedresults.prl_maxlen) {
+             count = conn->c_pagedresults.prl_list[index].pr_search_result_set_size_estimate;
+         }
+-        pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        }
+     }
+     slapi_log_err(SLAPI_LOG_TRACE,
+                   "pagedresults_get_search_result_set_size_estimate", "<= %d\n",
+@@ -562,10 +634,17 @@ pagedresults_get_search_result_set_size_estimate(Connection *conn,
+     return count;
+ }
+ 
++/*
++ * Set search result set size estimate for a paged result entry.
++ *
++ * Locking: If locked=0, acquires pageresult_lock. If locked=1, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
++ */
+ int
+ pagedresults_set_search_result_set_size_estimate(Connection *conn,
+                                                  Operation *op,
+                                                  int count,
++                                                 bool locked,
+                                                  int index)
+ {
+     int rc = -1;
+@@ -576,11 +655,15 @@ pagedresults_set_search_result_set_size_estimate(Connection *conn,
+                   "pagedresults_set_search_result_set_size_estimate",
+                   "=> idx=%d\n", index);
+     if (conn && (index > -1)) {
+-        pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        }
+         if (index < conn->c_pagedresults.prl_maxlen) {
+             conn->c_pagedresults.prl_list[index].pr_search_result_set_size_estimate = count;
+         }
+-        pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        }
+         rc = 0;
+     }
+     slapi_log_err(SLAPI_LOG_TRACE,
+@@ -589,8 +672,14 @@ pagedresults_set_search_result_set_size_estimate(Connection *conn,
+     return rc;
+ }
+ 
++/*
++ * Get with_sort flag for a paged result entry.
++ *
++ * Locking: If locked=0, acquires pageresult_lock. If locked=1, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
++ */
+ int
+-pagedresults_get_with_sort(Connection *conn, Operation *op, int index)
++pagedresults_get_with_sort(Connection *conn, Operation *op, bool locked, int index)
+ {
+     int flags = 0;
+     if (!op_is_pagedresults(op)) {
+@@ -599,19 +688,29 @@ pagedresults_get_with_sort(Connection *conn, Operation *op, int index)
+     slapi_log_err(SLAPI_LOG_TRACE,
+                   "pagedresults_get_with_sort", "=> idx=%d\n", index);
+     if (conn && (index > -1)) {
+-        pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        }
+         if (index < conn->c_pagedresults.prl_maxlen) {
+             flags = conn->c_pagedresults.prl_list[index].pr_flags & CONN_FLAG_PAGEDRESULTS_WITH_SORT;
+         }
+-        pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        }
+     }
+     slapi_log_err(SLAPI_LOG_TRACE,
+                   "pagedresults_get_with_sort", "<= %d\n", flags);
+     return flags;
+ }
+ 
++/*
++ * Set with_sort flag for a paged result entry.
++ *
++ * Locking: If locked=0, acquires pageresult_lock. If locked=1, assumes
++ * caller already holds pageresult_lock. Never call when holding c_mutex.
++ */
+ int
+-pagedresults_set_with_sort(Connection *conn, Operation *op, int flags, int index)
++pagedresults_set_with_sort(Connection *conn, Operation *op, int flags, bool locked, int index)
+ {
+     int rc = -1;
+     if (!op_is_pagedresults(op)) {
+@@ -620,14 +719,18 @@ pagedresults_set_with_sort(Connection *conn, Operation *op, int flags, int index
+     slapi_log_err(SLAPI_LOG_TRACE,
+                   "pagedresults_set_with_sort", "=> idx=%d\n", index);
+     if (conn && (index > -1)) {
+-        pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_lock(pageresult_lock_get_addr(conn));
++        }
+         if (index < conn->c_pagedresults.prl_maxlen) {
+             if (flags & OP_FLAG_SERVER_SIDE_SORTING) {
+                 conn->c_pagedresults.prl_list[index].pr_flags |=
+                     CONN_FLAG_PAGEDRESULTS_WITH_SORT;
+             }
+         }
+-        pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        if (!locked) {
++            pthread_mutex_unlock(pageresult_lock_get_addr(conn));
++        }
+         rc = 0;
+     }
+     slapi_log_err(SLAPI_LOG_TRACE, "pagedresults_set_with_sort", "<= %d\n", rc);
+@@ -802,10 +905,6 @@ pagedresults_cleanup(Connection *conn, int needlock)
+             rc = 1;
+         }
+         prp->pr_current_be = NULL;
+-        if (prp->pr_mutex) {
+-            PR_DestroyLock(prp->pr_mutex);
+-            prp->pr_mutex = NULL;
+-        }
+         memset(prp, '\0', sizeof(PagedResults));
+     }
+     conn->c_pagedresults.prl_count = 0;
+@@ -840,10 +939,6 @@ pagedresults_cleanup_all(Connection *conn, int needlock)
+                 i < conn->c_pagedresults.prl_maxlen;
+          i++) {
+         prp = conn->c_pagedresults.prl_list + i;
+-        if (prp->pr_mutex) {
+-            PR_DestroyLock(prp->pr_mutex);
+-            prp->pr_mutex = NULL;
+-        }
+         if (prp->pr_current_be && prp->pr_search_result_set &&
+             prp->pr_current_be->be_search_results_release) {
+             prp->pr_current_be->be_search_results_release(&(prp->pr_search_result_set));
+@@ -1010,43 +1105,8 @@ op_set_pagedresults(Operation *op)
+     op->o_flags |= OP_FLAG_PAGED_RESULTS;
+ }
+ 
+-/*
+- * pagedresults_lock/unlock -- introduced to protect search results for the
+- * asynchronous searches. Do not call these functions while the PR conn lock
+- * is held (e.g. pageresult_lock_get_addr(conn))
+- */
+-void
+-pagedresults_lock(Connection *conn, int index)
+-{
+-    PagedResults *prp;
+-    if (!conn || (index < 0) || (index >= conn->c_pagedresults.prl_maxlen)) {
+-        return;
+-    }
+-    pthread_mutex_lock(pageresult_lock_get_addr(conn));
+-    prp = conn->c_pagedresults.prl_list + index;
+-    if (prp->pr_mutex) {
+-        PR_Lock(prp->pr_mutex);
+-    }
+-    pthread_mutex_unlock(pageresult_lock_get_addr(conn));
+-}
+-
+-void
+-pagedresults_unlock(Connection *conn, int index)
+-{
+-    PagedResults *prp;
+-    if (!conn || (index < 0) || (index >= conn->c_pagedresults.prl_maxlen)) {
+-        return;
+-    }
+-    pthread_mutex_lock(pageresult_lock_get_addr(conn));
+-    prp = conn->c_pagedresults.prl_list + index;
+-    if (prp->pr_mutex) {
+-        PR_Unlock(prp->pr_mutex);
+-    }
+-    pthread_mutex_unlock(pageresult_lock_get_addr(conn));
+-}
+-
+ int
+-pagedresults_is_abandoned_or_notavailable(Connection *conn, int locked, int index)
++pagedresults_is_abandoned_or_notavailable(Connection *conn, bool locked, int index)
+ {
+     PagedResults *prp;
+     int32_t result;
+@@ -1066,7 +1126,7 @@ pagedresults_is_abandoned_or_notavailable(Connection *conn, int locked, int inde
+ }
+ 
+ int
+-pagedresults_set_search_result_pb(Slapi_PBlock *pb, void *sr, int locked)
++pagedresults_set_search_result_pb(Slapi_PBlock *pb, void *sr, bool locked)
+ {
+     int rc = -1;
+     Connection *conn = NULL;
+diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
+index 765c12bf5..455d6d718 100644
+--- a/ldap/servers/slapd/proto-slap.h
++++ b/ldap/servers/slapd/proto-slap.h
+@@ -1614,20 +1614,22 @@ pthread_mutex_t *pageresult_lock_get_addr(Connection *conn);
+ int pagedresults_parse_control_value(Slapi_PBlock *pb, struct berval *psbvp, ber_int_t *pagesize, int *index, Slapi_Backend *be);
+ void pagedresults_set_response_control(Slapi_PBlock *pb, int iscritical, ber_int_t estimate, int curr_search_count, int index);
+ Slapi_Backend *pagedresults_get_current_be(Connection *conn, int index);
+-int pagedresults_set_current_be(Connection *conn, Slapi_Backend *be, int index, int nolock);
+-void *pagedresults_get_search_result(Connection *conn, Operation *op, int locked, int index);
+-int pagedresults_set_search_result(Connection *conn, Operation *op, void *sr, int locked, int index);
+-int pagedresults_get_search_result_count(Connection *conn, Operation *op, int index);
+-int pagedresults_set_search_result_count(Connection *conn, Operation *op, int cnt, int index);
++int pagedresults_set_current_be(Connection *conn, Slapi_Backend *be, int index, bool locked);
++void *pagedresults_get_search_result(Connection *conn, Operation *op, bool locked, int index);
++int pagedresults_set_search_result(Connection *conn, Operation *op, void *sr, bool locked, int index);
++int pagedresults_get_search_result_count(Connection *conn, Operation *op, bool locked, int index);
++int pagedresults_set_search_result_count(Connection *conn, Operation *op, int cnt, bool locked, int index);
+ int pagedresults_get_search_result_set_size_estimate(Connection *conn,
+                                                      Operation *op,
++                                                     bool locked,
+                                                      int index);
+ int pagedresults_set_search_result_set_size_estimate(Connection *conn,
+                                                      Operation *op,
+                                                      int cnt,
++                                                     bool locked,
+                                                      int index);
+-int pagedresults_get_with_sort(Connection *conn, Operation *op, int index);
+-int pagedresults_set_with_sort(Connection *conn, Operation *op, int flags, int index);
++int pagedresults_get_with_sort(Connection *conn, Operation *op, bool locked, int index);
++int pagedresults_set_with_sort(Connection *conn, Operation *op, int flags, bool locked, int index);
+ int pagedresults_get_unindexed(Connection *conn, Operation *op, int index);
+ int pagedresults_set_unindexed(Connection *conn, Operation *op, int index);
+ int pagedresults_get_sort_result_code(Connection *conn, Operation *op, int index);
+@@ -1639,15 +1641,13 @@ int pagedresults_cleanup(Connection *conn, int needlock);
+ int pagedresults_is_timedout_nolock(Connection *conn);
+ int pagedresults_reset_timedout_nolock(Connection *conn);
+ int pagedresults_in_use_nolock(Connection *conn);
+-int pagedresults_free_one(Connection *conn, Operation *op, int index);
+-int pagedresults_free_one_msgid(Connection *conn, ber_int_t msgid, pthread_mutex_t *mutex);
++int pagedresults_free_one(Connection *conn, Operation *op, bool locked, int index);
++int pagedresults_free_one_msgid(Connection *conn, ber_int_t msgid, bool locked);
+ int op_is_pagedresults(Operation *op);
+ int pagedresults_cleanup_all(Connection *conn, int needlock);
+ void op_set_pagedresults(Operation *op);
+-void pagedresults_lock(Connection *conn, int index);
+-void pagedresults_unlock(Connection *conn, int index);
+-int pagedresults_is_abandoned_or_notavailable(Connection *conn, int locked, int index);
+-int pagedresults_set_search_result_pb(Slapi_PBlock *pb, void *sr, int locked);
++int pagedresults_is_abandoned_or_notavailable(Connection *conn, bool locked, int index);
++int pagedresults_set_search_result_pb(Slapi_PBlock *pb, void *sr, bool locked);
+ 
+ /*
+  * sort.c
+diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
+index 11c5602e3..d494931c2 100644
+--- a/ldap/servers/slapd/slap.h
++++ b/ldap/servers/slapd/slap.h
+@@ -89,6 +89,10 @@ static char ptokPBE[34] = "Internal (Software) Token        ";
+ #include <stdbool.h>
+ #include <time.h> /* For timespec definitions */
+ 
++/* Macros for paged results lock parameter */
++#define PR_LOCKED true
++#define PR_NOT_LOCKED false
++
+ /* Provides our int types and platform specific requirements. */
+ #include <slapi_pal.h>
+ 
+@@ -1669,7 +1673,6 @@ typedef struct _paged_results
+     struct timespec pr_timelimit_hr;        /* expiry time of this request rel to clock monotonic */
+     int pr_flags;
+     ber_int_t pr_msgid; /* msgid of the request; to abandon */
+-    PRLock *pr_mutex;   /* protect each conn structure    */
+ } PagedResults;
+ 
+ /* array of simple paged structure stashed in connection */
+-- 
+2.52.0
+

0003-Issue-7108-Fix-shutdown-crash-in-entry-cache-destruc.patch

@@ -0,0 +1,183 @@
+From 4936f953fa3b0726c2b178f135cd78dcac7463ba Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@redhat.com>
+Date: Thu, 8 Jan 2026 10:02:39 -0800
+Subject: [PATCH] Issue 7108 - Fix shutdown crash in entry cache destruction
+ (#7163)
+
+Description: The entry cache could experience LRU list corruption when
+using pinned entries, leading to crashes during cache flush operations.
+
+In entrycache_add_int(), when returning an existing cached entry, the
+code checked the wrong entry's state before calling lru_delete(). It
+checked the new entry 'e' but operated on the existing entry 'my_alt',
+causing lru_delete() to be called on entries not in the LRU list. This
+is fixed by checking my_alt's refcnt and pinned state instead.
+
+In flush_hash(), pinned_remove() and lru_delete() were both called on
+pinned entries. Since pinned entries are in the pinned list, calling
+lru_delete() afterwards corrupted the list. This is fixed by calling
+either pinned_remove() or lru_delete() based on the entry's state.
+
+A NULL check is added in entrycache_flush() and dncache_flush() to
+gracefully handle corrupted LRU lists and prevent crashes when
+traversing backwards through the list encounters an unexpected NULL.
+
+Entry pointers are now always cleared after lru_delete() removal to
+prevent stale pointer issues in non-debug builds.
+
+Fixes: https://github.com/389ds/389-ds-base/issues/7108
+
+Reviewed by: @progier389, @vashirov (Thanks!!)
+---
+ ldap/servers/slapd/back-ldbm/cache.c | 48 +++++++++++++++++++++++++---
+ 1 file changed, 43 insertions(+), 5 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/cache.c b/ldap/servers/slapd/back-ldbm/cache.c
+index 2e4126134..a87f30687 100644
+--- a/ldap/servers/slapd/back-ldbm/cache.c
++++ b/ldap/servers/slapd/back-ldbm/cache.c
+@@ -458,11 +458,13 @@ static void
+ lru_delete(struct cache *cache, void *ptr)
+ {
+     struct backcommon *e;
++
+     if (NULL == ptr) {
+         LOG("=> lru_delete\n<= lru_delete (null entry)\n");
+         return;
+     }
+     e = (struct backcommon *)ptr;
++
+ #ifdef LDAP_CACHE_DEBUG_LRU
+     pinned_verify(cache, __LINE__);
+     lru_verify(cache, e, 1);
+@@ -475,8 +477,9 @@ lru_delete(struct cache *cache, void *ptr)
+         e->ep_lrunext->ep_lruprev = e->ep_lruprev;
+     else
+         cache->c_lrutail = e->ep_lruprev;
+-#ifdef LDAP_CACHE_DEBUG_LRU
++    /* Always clear pointers after removal to prevent stale pointer issues */
+     e->ep_lrunext = e->ep_lruprev = NULL;
++#ifdef LDAP_CACHE_DEBUG_LRU
+     lru_verify(cache, e, 0);
+ #endif
+ }
+@@ -633,9 +636,14 @@ flush_hash(struct cache *cache, struct timespec *start_time, int32_t type)
+                 if (entry->ep_refcnt == 0) {
+                     entry->ep_refcnt++;
+                     if (entry->ep_state & ENTRY_STATE_PINNED) {
++                        /* Entry is in pinned list, not LRU - remove from pinned only.
++                         * pinned_remove clears lru pointers and won't add to LRU since refcnt > 0.
++                         */
+                         pinned_remove(cache, laste);
++                    } else {
++                        /* Entry is in LRU list - remove from LRU */
++                        lru_delete(cache, laste);
+                     }
+-                    lru_delete(cache, laste);
+                     if (type == ENTRY_CACHE) {
+                         entrycache_remove_int(cache, laste);
+                         entrycache_return(cache, (struct backentry **)&laste, PR_TRUE);
+@@ -679,9 +687,14 @@ flush_hash(struct cache *cache, struct timespec *start_time, int32_t type)
+                     if (entry->ep_refcnt == 0) {
+                         entry->ep_refcnt++;
+                         if (entry->ep_state & ENTRY_STATE_PINNED) {
++                            /* Entry is in pinned list, not LRU - remove from pinned only.
++                             * pinned_remove clears lru pointers and won't add to LRU since refcnt > 0.
++                             */
+                             pinned_remove(cache, laste);
++                        } else {
++                            /* Entry is in LRU list - remove from LRU */
++                            lru_delete(cache, laste);
+                         }
+-                        lru_delete(cache, laste);
+                         entrycache_remove_int(cache, laste);
+                         entrycache_return(cache, (struct backentry **)&laste, PR_TRUE);
+                     } else {
+@@ -772,6 +785,11 @@ entrycache_flush(struct cache *cache)
+         } else {
+             e = BACK_LRU_PREV(e, struct backentry *);
+         }
++        if (e == NULL) {
++            slapi_log_err(SLAPI_LOG_WARNING, "entrycache_flush",
++                          "Unexpected NULL entry while flushing cache - LRU list may be corrupted\n");
++            break;
++        }
+         ASSERT(e->ep_refcnt == 0);
+         e->ep_refcnt++;
+         if (entrycache_remove_int(cache, e) < 0) {
+@@ -1160,6 +1178,7 @@ pinned_remove(struct cache *cache, void *ptr)
+ {
+     struct backentry *e = (struct backentry *)ptr;
+     ASSERT(e->ep_state & ENTRY_STATE_PINNED);
++
+     cache->c_pinned_ctx->npinned--;
+     cache->c_pinned_ctx->size -= e->ep_size;
+     e->ep_state &= ~ENTRY_STATE_PINNED;
+@@ -1172,13 +1191,23 @@ pinned_remove(struct cache *cache, void *ptr)
+             cache->c_pinned_ctx->head = cache->c_pinned_ctx->tail = NULL;
+         } else {
+             cache->c_pinned_ctx->head = BACK_LRU_NEXT(e, struct backentry *);
++            /* Update new head's prev pointer to NULL */
++            if (cache->c_pinned_ctx->head) {
++                cache->c_pinned_ctx->head->ep_lruprev = NULL;
++            }
+         }
+     } else if (cache->c_pinned_ctx->tail == e) {
+         cache->c_pinned_ctx->tail = BACK_LRU_PREV(e, struct backentry *);
++        /* Update new tail's next pointer to NULL */
++        if (cache->c_pinned_ctx->tail) {
++            cache->c_pinned_ctx->tail->ep_lrunext = NULL;
++        }
+     } else {
++        /* Middle of list: update both neighbors to point to each other */
+         BACK_LRU_PREV(e, struct backentry *)->ep_lrunext = BACK_LRU_NEXT(e, struct backcommon *);
+         BACK_LRU_NEXT(e, struct backentry *)->ep_lruprev = BACK_LRU_PREV(e, struct backcommon *);
+     }
++    /* Clear the removed entry's pointers */
+     e->ep_lrunext = e->ep_lruprev = NULL;
+     if (e->ep_refcnt == 0) {
+         lru_add(cache, ptr);
+@@ -1245,6 +1274,7 @@ pinned_add(struct cache *cache, void *ptr)
+             return false;
+     }
+     /* Now it is time to insert the entry in the pinned list */
++
+     cache->c_pinned_ctx->npinned++;
+     cache->c_pinned_ctx->size += e->ep_size;
+     e->ep_state |= ENTRY_STATE_PINNED;
+@@ -1754,7 +1784,7 @@ entrycache_add_int(struct cache *cache, struct backentry *e, int state, struct b
+                  * 3) ep_state: 0 && state: 0
+                  *    ==> increase the refcnt
+                  */
+-                if (e->ep_refcnt == 0)
++                if (e->ep_refcnt == 0 && (e->ep_state & ENTRY_STATE_PINNED) == 0)
+                     lru_delete(cache, (void *)e);
+                 e->ep_refcnt++;
+                 e->ep_state &= ~ENTRY_STATE_UNAVAILABLE;
+@@ -1781,7 +1811,7 @@ entrycache_add_int(struct cache *cache, struct backentry *e, int state, struct b
+             } else {
+                 if (alt) {
+                     *alt = my_alt;
+-                    if (e->ep_refcnt == 0 && (e->ep_state & ENTRY_STATE_PINNED) == 0)
++                    if (my_alt->ep_refcnt == 0 && (my_alt->ep_state & ENTRY_STATE_PINNED) == 0)
+                         lru_delete(cache, (void *)*alt);
+                     (*alt)->ep_refcnt++;
+                     LOG("the entry %s already exists.  returning existing entry %s (state: 0x%x)\n",
+@@ -2379,6 +2409,14 @@ dncache_flush(struct cache *cache)
+         } else {
+             dn = BACK_LRU_PREV(dn, struct backdn *);
+         }
++        if (dn == NULL) {
++            /* Safety check: we should normally exit via the CACHE_LRU_HEAD check.
++             * If we get here, c_lruhead may be NULL or the LRU list is corrupted.
++             */
++            slapi_log_err(SLAPI_LOG_WARNING, "dncache_flush",
++                          "Unexpected NULL entry while flushing cache - LRU list may be corrupted\n");
++            break;
++        }
+         ASSERT(dn->ep_refcnt == 0);
+         dn->ep_refcnt++;
+         if (dncache_remove_int(cache, dn) < 0) {
+-- 
+2.52.0
+

0004-Issue-7172-Index-ordering-mismatch-after-upgrade-717.patch

@@ -0,0 +1,215 @@
+From 742c12e0247ab64e87da000a4de2f3e5c99044ab Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Fri, 9 Jan 2026 11:39:50 +0100
+Subject: [PATCH] Issue 7172 - Index ordering mismatch after upgrade (#7173)
+
+Bug Description:
+Commit daf731f55071d45eaf403a52b63d35f4e699ff28 introduced a regression.
+After upgrading to a version that adds `integerOrderingMatch` matching
+rule to `parentid` and `ancestorid` indexes, searches may return empty
+or incorrect results.
+
+This happens because the existing index data was created with
+lexicographic ordering, but the new compare function expects integer
+ordering. Index lookups fail because the compare function doesn't match
+the data ordering.
+The root cause is that `ldbm_instance_create_default_indexes()` calls
+`attr_index_config()` unconditionally for `parentid` and `ancestorid`
+indexes, which triggers `ainfo_dup()` to overwrite `ai_key_cmp_fn` on
+existing indexes. This breaks indexes that were created without the
+`integerOrderingMatch` matching rule.
+
+Fix Description:
+* Call `attr_index_config()` for `parentid` and `ancestorid` indexes
+only if index config doesn't exist.
+
+* Add `upgrade_check_id_index_matching_rule()` that logs an error on
+server startup if `parentid` or `ancestorid` indexes are missing the
+integerOrderingMatch matching rule, advising administrators to reindex.
+
+Fixes: https://github.com/389ds/389-ds-base/issues/7172
+
+Reviewed by: @tbordaz, @progier389, @droideck (Thanks!)
+---
+ ldap/servers/slapd/back-ldbm/instance.c |  25 ++++--
+ ldap/servers/slapd/upgrade.c            | 107 +++++++++++++++++++++++-
+ 2 files changed, 123 insertions(+), 9 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/instance.c b/ldap/servers/slapd/back-ldbm/instance.c
+index cb002c379..71bf0f6fa 100644
+--- a/ldap/servers/slapd/back-ldbm/instance.c
++++ b/ldap/servers/slapd/back-ldbm/instance.c
+@@ -190,6 +190,7 @@ ldbm_instance_create_default_indexes(backend *be)
+     char *ancestorid_indexes_limit = NULL;
+     char *parentid_indexes_limit = NULL;
+     struct attrinfo *ai = NULL;
++    struct attrinfo *index_already_configured = NULL;
+     struct index_idlistsizeinfo *iter;
+     int cookie;
+     int limit;
+@@ -248,10 +249,14 @@ ldbm_instance_create_default_indexes(backend *be)
+     ldbm_instance_config_add_index_entry(inst, e, flags);
+     slapi_entry_free(e);
+ 
+-    e = ldbm_instance_init_config_entry(LDBM_PARENTID_STR, "eq", 0, 0, 0, "integerOrderingMatch", parentid_indexes_limit);
+-    ldbm_instance_config_add_index_entry(inst, e, flags);
+-    attr_index_config(be, "ldbm index init", 0, e, 1, 0, NULL);
+-    slapi_entry_free(e);
++    ainfo_get(be, (char *)LDBM_PARENTID_STR, &ai);
++    index_already_configured = ai;
++    if (!index_already_configured) {
++        e = ldbm_instance_init_config_entry(LDBM_PARENTID_STR, "eq", 0, 0, 0, "integerOrderingMatch", parentid_indexes_limit);
++        ldbm_instance_config_add_index_entry(inst, e, flags);
++        attr_index_config(be, "ldbm index init", 0, e, 1, 0, NULL);
++        slapi_entry_free(e);
++    }
+ 
+     e = ldbm_instance_init_config_entry("objectclass", "eq", 0, 0, 0, 0, 0);
+     ldbm_instance_config_add_index_entry(inst, e, flags);
+@@ -288,10 +293,14 @@ ldbm_instance_create_default_indexes(backend *be)
+      * ancestorid is special, there is actually no such attr type
+      * but we still want to use the attr index file APIs.
+      */
+-    e = ldbm_instance_init_config_entry(LDBM_ANCESTORID_STR, "eq", 0, 0, 0, "integerOrderingMatch", ancestorid_indexes_limit);
+-    ldbm_instance_config_add_index_entry(inst, e, flags);
+-    attr_index_config(be, "ldbm index init", 0, e, 1, 0, NULL);
+-    slapi_entry_free(e);
++    ainfo_get(be, (char *)LDBM_ANCESTORID_STR, &ai);
++    index_already_configured = ai;
++    if (!index_already_configured) {
++        e = ldbm_instance_init_config_entry(LDBM_ANCESTORID_STR, "eq", 0, 0, 0, "integerOrderingMatch", ancestorid_indexes_limit);
++        ldbm_instance_config_add_index_entry(inst, e, flags);
++        attr_index_config(be, "ldbm index init", 0, e, 1, 0, NULL);
++        slapi_entry_free(e);
++    }
+ 
+     slapi_ch_free_string(&ancestorid_indexes_limit);
+     slapi_ch_free_string(&parentid_indexes_limit);
+diff --git a/ldap/servers/slapd/upgrade.c b/ldap/servers/slapd/upgrade.c
+index 858392564..b02e37ed6 100644
+--- a/ldap/servers/slapd/upgrade.c
++++ b/ldap/servers/slapd/upgrade.c
+@@ -330,6 +330,107 @@ upgrade_remove_subtree_rename(void)
+     return UPGRADE_SUCCESS;
+ }
+ 
++/*
++ * Check if parentid/ancestorid indexes are missing the integerOrderingMatch
++ * matching rule.
++ *
++ * This function logs a warning if we detect this condition, advising
++ * the administrator to reindex the affected attributes.
++ */
++static upgrade_status
++upgrade_check_id_index_matching_rule(void)
++{
++    struct slapi_pblock *pb = slapi_pblock_new();
++    Slapi_Entry **backends = NULL;
++    const char *be_base_dn = "cn=ldbm database,cn=plugins,cn=config";
++    const char *be_filter = "(objectclass=nsBackendInstance)";
++    const char *attrs_to_check[] = {"parentid", "ancestorid", NULL};
++    upgrade_status uresult = UPGRADE_SUCCESS;
++
++    /* Search for all backend instances */
++    slapi_search_internal_set_pb(
++            pb, be_base_dn,
++            LDAP_SCOPE_ONELEVEL,
++            be_filter, NULL, 0, NULL, NULL,
++            plugin_get_default_component_id(), 0);
++    slapi_search_internal_pb(pb);
++    slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &backends);
++
++    if (backends) {
++        for (size_t be_idx = 0; backends[be_idx] != NULL; be_idx++) {
++            const char *be_name = slapi_entry_attr_get_ref(backends[be_idx], "cn");
++            if (!be_name) {
++                continue;
++            }
++
++            /* Check each attribute that should have integerOrderingMatch */
++            for (size_t attr_idx = 0; attrs_to_check[attr_idx] != NULL; attr_idx++) {
++                const char *attr_name = attrs_to_check[attr_idx];
++                struct slapi_pblock *idx_pb = slapi_pblock_new();
++                Slapi_Entry **idx_entries = NULL;
++                char *idx_dn = slapi_create_dn_string("cn=%s,cn=index,cn=%s,%s",
++                                                       attr_name, be_name, be_base_dn);
++                char *idx_filter = "(objectclass=nsIndex)";
++                PRBool has_matching_rule = PR_FALSE;
++
++                if (!idx_dn) {
++                    slapi_pblock_destroy(idx_pb);
++                    continue;
++                }
++
++                slapi_search_internal_set_pb(
++                        idx_pb, idx_dn,
++                        LDAP_SCOPE_BASE,
++                        idx_filter, NULL, 0, NULL, NULL,
++                        plugin_get_default_component_id(), 0);
++                slapi_search_internal_pb(idx_pb);
++                slapi_pblock_get(idx_pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &idx_entries);
++
++                if (idx_entries && idx_entries[0]) {
++                    /* Index exists, check if it has integerOrderingMatch */
++                    Slapi_Attr *mr_attr = NULL;
++                    if (slapi_entry_attr_find(idx_entries[0], "nsMatchingRule", &mr_attr) == 0) {
++                        Slapi_Value *sval = NULL;
++                        int idx;
++                        for (idx = slapi_attr_first_value(mr_attr, &sval);
++                             idx != -1;
++                             idx = slapi_attr_next_value(mr_attr, idx, &sval)) {
++                            const struct berval *bval = slapi_value_get_berval(sval);
++                            if (bval && bval->bv_val &&
++                                strcasecmp(bval->bv_val, "integerOrderingMatch") == 0) {
++                                has_matching_rule = PR_TRUE;
++                                break;
++                            }
++                        }
++                    }
++
++                    if (!has_matching_rule) {
++                        /* Index exists but doesn't have integerOrderingMatch, log a warning */
++                        slapi_log_err(SLAPI_LOG_ERR, "upgrade_check_id_index_matching_rule",
++                                "Index '%s' in backend '%s' is missing 'nsMatchingRule: integerOrderingMatch'. "
++                                "Incorrectly configured system indexes can lead to poor search performance, replication issues, and other operational problems. "
++                                "To fix this, add the matching rule and reindex: "
++                                "dsconf <instance> backend index set --add-mr integerOrderingMatch --attr %s %s && "
++                                "dsconf <instance> backend index reindex --attr %s %s. "
++                                "WARNING: Reindexing can be resource-intensive and may impact server performance on a live system. "
++                                "Consider scheduling reindexing during maintenance windows or periods of low activity.\n",
++                                attr_name, be_name, attr_name, be_name, attr_name, be_name);
++                    }
++                }
++
++                slapi_ch_free_string(&idx_dn);
++                slapi_free_search_results_internal(idx_pb);
++                slapi_pblock_destroy(idx_pb);
++            }
++        }
++    }
++
++    slapi_free_search_results_internal(pb);
++    slapi_pblock_destroy(pb);
++
++    return uresult;
++}
++
+ /*
+  * Upgrade the base config of the PAM PTA plugin.
+  *
+@@ -547,7 +648,11 @@ upgrade_server(void)
+     if (upgrade_pam_pta_default_config() != UPGRADE_SUCCESS) {
+         return UPGRADE_FAILURE;
+     }
+-    
++
++    if (upgrade_check_id_index_matching_rule() != UPGRADE_SUCCESS) {
++        return UPGRADE_FAILURE;
++    }
++
+     return UPGRADE_SUCCESS;
+ }
+ 
+-- 
+2.52.0
+

0005-Issue-7172-2nd-Index-ordering-mismatch-after-upgrade.patch

@@ -0,0 +1,67 @@
+From f5de84e309d5a4435198c9cc9b31b5722979f1ff Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Mon, 12 Jan 2026 10:58:02 +0100
+Subject: [PATCH 5/5] Issue 7172 - (2nd) Index ordering mismatch after upgrade
+ (#7180)
+
+Commit 742c12e0247ab64e87da000a4de2f3e5c99044ab introduced a regression
+where the check to skip creating parentid/ancestorid indexes if they
+already exist was incorrect.
+The `ainfo_get()` function falls back to returning
+LDBM_PSEUDO_ATTR_DEFAULT attrinfo when the requested attribute is not
+found.
+Since LDBM_PSEUDO_ATTR_DEFAULT is created before the ancestorid check,
+`ainfo_get()` returns LDBM_PSEUDO_ATTR_DEFAULT instead of NULL, causing
+the ancestorid index creation to be skipped entirely.
+
+When operations later try to use the ancestorid index, they fall back to
+LDBM_PSEUDO_ATTR_DEFAULT, and attempting to open the .default dbi
+mid-transaction fails with MDB_NOTFOUND (-30798).
+
+Fix Description:
+Instead of just checking if `ainfo_get()` returns non-NULL, verify that
+the returned attrinfo is actually for the requested attribute.
+
+Fixes: https://github.com/389ds/389-ds-base/issues/7172
+
+Reviewed by: @tbordaz (Thanks!)
+---
+ ldap/servers/slapd/back-ldbm/instance.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/ldap/servers/slapd/back-ldbm/instance.c b/ldap/servers/slapd/back-ldbm/instance.c
+index 71bf0f6fa..2a6e8cbb8 100644
+--- a/ldap/servers/slapd/back-ldbm/instance.c
++++ b/ldap/servers/slapd/back-ldbm/instance.c
+@@ -190,7 +190,7 @@ ldbm_instance_create_default_indexes(backend *be)
+     char *ancestorid_indexes_limit = NULL;
+     char *parentid_indexes_limit = NULL;
+     struct attrinfo *ai = NULL;
+-    struct attrinfo *index_already_configured = NULL;
++    int index_already_configured = 0;
+     struct index_idlistsizeinfo *iter;
+     int cookie;
+     int limit;
+@@ -250,7 +250,8 @@ ldbm_instance_create_default_indexes(backend *be)
+     slapi_entry_free(e);
+ 
+     ainfo_get(be, (char *)LDBM_PARENTID_STR, &ai);
+-    index_already_configured = ai;
++    /* Check if the attrinfo is actually for parentid, not a fallback to .default */
++    index_already_configured = (ai != NULL && strcmp(ai->ai_type, LDBM_PARENTID_STR) == 0);
+     if (!index_already_configured) {
+         e = ldbm_instance_init_config_entry(LDBM_PARENTID_STR, "eq", 0, 0, 0, "integerOrderingMatch", parentid_indexes_limit);
+         ldbm_instance_config_add_index_entry(inst, e, flags);
+@@ -294,7 +295,8 @@ ldbm_instance_create_default_indexes(backend *be)
+      * but we still want to use the attr index file APIs.
+      */
+     ainfo_get(be, (char *)LDBM_ANCESTORID_STR, &ai);
+-    index_already_configured = ai;
++    /* Check if the attrinfo is actually for ancestorid, not a fallback to .default */
++    index_already_configured = (ai != NULL && strcmp(ai->ai_type, LDBM_ANCESTORID_STR) == 0);
+     if (!index_already_configured) {
+         e = ldbm_instance_init_config_entry(LDBM_ANCESTORID_STR, "eq", 0, 0, 0, "integerOrderingMatch", ancestorid_indexes_limit);
+         ldbm_instance_config_add_index_entry(inst, e, flags);
+-- 
+2.52.0
+

389-ds-base-devel.README

@@ -1,4 +1,4 @@
-For detailed information on developing plugins for 
-389 Directory Server visit.
+For detailed information on developing plugins for 389 Directory Server visit
 
-http://port389/wiki/Plugins
+https://www.port389.org/docs/389ds/design/plugins.html
+https://github.com/389ds/389-ds-base/blob/main/src/slapi_r_plugin/README.md

389-ds-base-git-local.sh

@@ -1,23 +0,0 @@
-#!/bin/bash
-
-DATE=`date +%Y%m%d`
-# use a real tag name here
-VERSION=1.3.5.14
-PKGNAME=389-ds-base
-TAG=${TAG:-$PKGNAME-$VERSION}
-#SRCNAME=$PKGNAME-$VERSION-$DATE
-SRCNAME=$PKGNAME-$VERSION
-
-test -d .git || {
-    echo you must be in the ds git repo to use this
-    echo bye
-    exit 1
-}
-
-if [ -z "$1" ] ; then
-	dir=.
-else
-	dir="$1"
-fi
-
-git archive --prefix=$SRCNAME/ $TAG | bzip2 > $dir/$SRCNAME.tar.bz2

389-ds-base-git.sh

@@ -1,16 +0,0 @@
-#!/bin/bash
-
-DATE=`date +%Y%m%d`
-# use a real tag name here
-VERSION=1.3.5.14
-PKGNAME=389-ds-base
-TAG=${TAG:-$PKGNAME-$VERSION}
-URL="https://git.fedorahosted.org/git/?p=389/ds.git;a=snapshot;h=$TAG;sf=tgz"
-SRCNAME=$PKGNAME-$VERSION
-
-wget -O $SRCNAME.tar.gz "$URL"
-
-echo convert tgz format to tar.bz2 format
-
-gunzip $PKGNAME-$VERSION.tar.gz
-bzip2 $PKGNAME-$VERSION.tar

389-ds-base.sysusers

@@ -0,0 +1,3 @@
+#Type Name     ID             GECOS                   Home directory       Shell
+g     dirsrv   389
+u     dirsrv   389:389        "user for 389-ds-base"  /usr/share/dirsrv/   /sbin/nologin

changelog

@@ -0,0 +1,513 @@
+* Tue May 14 2024 James Chapman <jachapma@redhat.com> - 3.1.0-1
+- Bump version to 3.1.0
+- Issue 6142 - Fix CI tests (#6161)
+- Issue 6157 - Cockipt crashes when getting replication status if topology contains an old 389ds version (#6158)
+- Issue 5105 - lmdb - Cannot create entries with long rdn - fix covscan (#6131)
+- Issue 6086 - Ambiguous warning about SELinux in dscreate for non-root user
+- Issue 6094 - Add coverity scan workflow
+- Issue 5962 - Rearrange includes for 32-bit support logic
+- Issue 6046 - Make dscreate to work during kickstart installations
+- Issue 6073 - Improve error log when running out of memory (#6084)
+- Issue 6071 - Instance creation/removal is slow
+- Issue 6010 - 389 ds ignores nsslapd-maxdescriptors (#6027)
+- Issue 6075 - Ignore build artifacts (#6076)
+- Issue 6068 - Add dscontainer stop function
+
+* Mon Apr 15 2024 James Chapman <jachapma@redhat.com> - 3.0.2-1
+- Bump version to 3.0.2
+- Issue 6082 - Remove explicit dependencies toward libdb - revert default (#6145)
+- Issue 6142 - [RFE] Add LMDB configuration related checks into Healthcheck tool (#6143)
+- Issue 6141 - freeipa test_topology_TestCASpecificRUVs is failing (#6144)
+- Issue 6136 - failure in freeipa tests (#6137)
+- Issue 6119 - Synchronise accept_thread with slapd_daemon (#6120)
+- Issue 6105 - lmdb - Cannot create entries with long rdn (#6130)
+- Issue 6082 - Remove explicit dependencies toward libdb (#6083)
+- Issue i6057 - Fix3 - Fix covscan issues (#6127)
+- Issue 6057 - vlv search may result wrong result with lmdb - Fix 2 (#6121)
+- Issue 6057 - vlv search may result wrong result with lmdb (#6091)
+- Issue 6092 - passwordHistory is not updated with a pre-hashed password (#6093)
+- Issue 6133 - Move slapi_pblock_set_flag_operation_notes() to slapi-plugin.h
+- Issue 6125 - dscreate interactive fails when chosing mdb backend (#6126)
+- Issue 6110 - Typo in Account Policy plugin message
+- Issue 6080 - ns-slapd crash in referint_get_config (#6081)
+- Issue 6117 - Fix the UTC offset print (#6118)
+- Issue 5305 - OpenLDAP version autodetection doesn't work
+- Issue 6112 - RFE - add new operation note for MFA authentications
+- Issue 5842 - Add log buffering to audit log
+- Issue 3527 - Support HAProxy and Instance on the same machine configuration (#6107)
+- Issue 6103 - New connection timeout error breaks errormap (#6104)
+- Issue 6096 - Improve connection timeout error logging (#6097)
+- Issue 6067 - Improve dsidm CLI No Such Entry handling (#6079)
+- Issue 6067 - Add hidden -v and -j options to each CLI subcommand (#6088)
+- Issue 6061 - Certificate lifetime displayed as NaN
+
+* Wed Jan 31 2024 Pete Walter <pwalter@fedoraproject.org> - 3.0.1-2
+- Rebuild for ICU 74
+
+* Tue Jan 30 2024 Simon Pichugin <spichugi@redhat.com> - 3.0.1-1
+- Bump version to 3.0.1
+- Issue 6043, 6044 - Enhance Rust and JS bundling and add SPDX licenses for both (#6045)
+- Issue 3555 - Remove audit-ci from dependencies (#6056)
+- Issue 6052 - Paged results test sets hostname to `localhost` on test collection
+- Issue 6051 - Drop unused pytest markers
+- Issue 6049 - lmdb - changelog is wrongly recreated by reindex task (#6050)
+- Issue 6047 - Add a check for tagged commits
+- Issue 6041 - dscreate ds-root - accepts relative path (#6042)
+- Switch default backend to lmdb and bump version to 3.0 (#6013)
+- Issue 6032 - Replication broken after backup restore (#6035)
+- Issue 6037 - Server crash at startup in vlvIndex_delete (#6038)
+- Issue 6034 - Change replica_id from str to int
+- Issue 6028 - vlv index keys inconsistencies (#6031)
+- Issue 5989 - RFE support of inChain Matching Rule (#5990)
+- Issue 6022 - lmdb inconsistency between vlv index and vlv cache names (#6026)
+- Issue 6015 - Fix typo remeber (#6014)
+- Issue 6016 - Pin upload/download artifacts action to v3
+- Issue 5939 - During an update, if the target entry is reverted in the entry cache, the server should not retry to lock it (#6007)
+- Issue 4673 - Update Rust crates
+- Issue 6004 - idletimeout may be ignored (#6005)
+- Issue 5954 - Disable Transparent Huge Pages
+- Issue 5997 - test_inactivty_and_expiration CI testcase is wrong (#5999)
+- Issue 5993 - Fix several race condition around CI tests (#5996)
+- Issue 5944 - Reversion of the entry cache should be limited to BETXN plugin failures (#5994)
+- Bump openssl from 0.10.55 to 0.10.60 in /src (#5995)
+- Issue 5980 - Improve instance startup failure handling (#5991)
+- Issue 5976 - Fix freeipa install regression with lmdb (#5977)
+- Issue 5984 - Crash when paged result search are abandoned - fix2 (#5987)
+- Issue 5984 - Crash when paged result search are abandoned (#5985)
+- Issue 5947 - CI test_vlv_recreation_reindex fails on LMDB (#5979)
+
+* Mon Jan 29 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.5-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jan 18 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Thu Jan 18 2024 Viktor Ashirov <vashirov@redhat.com> - 2.4.5-1
+- Bump version to 2.4.5
+- Issue 5989 - RFE support of inChain Matching Rule (#5990)
+- Issue 5939 - During an update, if the target entry is reverted in the entry cache, the server should not retry to lock it (#6007)
+- Issue 5944 - Reversion of the entry cache should be limited to BETXN plugin failures (#5994)
+- Issue 5954 - Disable Transparent Huge Pages
+- Issue 5984 - Crash when paged result search are abandoned - fix2 (#5987)
+- Issue 5984 - Crash when paged result search are abandoned (#5985)
+
+* Wed Nov 15 2023 James Chapman <jachapma@redhat.com> - 2.4.4
+- Bump version to 2.4.4
+- Issue 5971 - CLI - Fix password prompt for repl status (#5972)
+- Issue 5973 - Fix fedora cop RawHide builds (#5974)
+- Revert "Issue 5761 - Worker thread dynamic management (#5796)" (#5970)
+- Issue 5966 - CLI - Custom schema object is removed on a failed edit (#5967)
+- Issue 5786 - Update permissions for Release workflow
+- Issue 5960 - Subpackages should have more strict interdependencies
+- Issue 3555 - UI - Fix audit issue with npm - babel/traverse (#5959)
+- Issue 4843 - Fix dscreate create-template issue (#5950)
+- bugfix for --passwd-file not working on latest version (#5934)
+- Issue 5843 - dsconf / dscreate should be able to handle lmdb parameters (#5943)
+- Bump postcss from 8.4.24 to 8.4.31 in /src/cockpit/389-console (#5945)
+- Issue 5938 - Attribute Names changed to lowercase after adding the Attributes (#5940)
+- issue 5924 - ASAN server build crash when looping opening/closing connections (#5926)
+- Issue 1925 - Add a CI test (#5936)
+- Issue 5732 - Localizing Cockpit's 389ds Plugin using CockpitPoPlugin (#5764)
+- Issue 1870 - Add a CI test (#5929)
+- Issue 843 - Add a warning to slapi_valueset_add_value_ext (#5925)
+- Issue 5761 - Worker thread dynamic management (#5796)
+- Issue 1802 - Improve ldclt man page (#5928)
+- Issue 1456 - Add a CI test that verifies there is no issue (#5927)
+- Issue 1317 - Add a CI test (#5923)
+- Issue 1081 - CI - Add more tests for overwriting x-origin issue (#5815)
+- Issue 1115 - Add a CI test (#5913)
+- Issue 5848 - Fix condition and add a CI test (#5916)
+- Issue 5848 - Fix condition and add a CI test (#5916)
+- Issue 5914 - UI - server settings page validation improvements and db index fixes
+- Issue 5909 - Multi listener hang with 20k connections (#5917)
+- Issue 5902 - Fix previous commit regression (#5919)
+- pass instance correctly to ds_is_older (#5903)
+- Issue 5909 - Multi listener hang with 20k connections (#5910)
+- Issue 5722 - improve testcase (#5904)
+- Issue 5203 - outdated version in provided metadata for lib389
+- Bug Description:
+- issue 5890 part 2 - Need a tester for testing multiple listening thread feature (#5897)
+- Issue i5846 - Crash when lmdb import is aborted (#5881)
+- Issue 5894 - lmdb import error fails with Could not store the entry (#5895)
+- Issue 5890 - Need a tester for testing multiple listening thread feature (#5891)
+- Issue 5082 - slugify: ModuleNotFoundError when running test cases
+- Issue 4551 - Part 2 - Fix build warning of previous PR (#5888)
+- Issue 5834 - AccountPolicyPlugin erroring for some users (#5866)
+- Issue 5872 - part 2 - fix is_dbi regression (#5887)
+- Issue 4758 - Add tests for WebUI
+- Issue 5848 - dsconf should prevent setting the replicaID for hub and consumer roles (#5849)
+- Issue 5883 - Remove connection mutex contention risk on autobind (#5886)
+- Issue 5872 - `dbscan()` in lib389 can return bytes
+
+* Thu Aug 3 2023 Mark Reynolds<mreynolds@redhat.com> - 2.4.3-1
+- Bump version to 2.4.3-1
+- Issue 5729 - Memory leak in factory_create_extension (#5814)
+- Issue 5870 - ns-slapd crashes at startup if a backend has no suffix (#5871)
+- Issue 5876 - CI Test random failure - Import (#5879)
+- Issue 5877 - test_basic_ldapagent breaks test_setup_ds_as_non_root* tests
+- Issue 5867 - lib389 should use filter for tarfile as recommended by PEP 706 (#5868)
+- Issue 5853 - Update Cargo.lock and fix minor warning (#5854)
+- Issue 5785 - CLI - arg completion is broken
+- Issue 5864 - Server fails to start after reboot because it's unable to access nsslapd-rundir
+- Issue 5856 - SyntaxWarning: invalid escape sequence '\,'
+- Issue 5859 - dbscan fails with AttributeError: 'list' object has no attribute 'extends'
+- Issue 3527 - UI - Add nsslapd-haproxy-trusted-ip to server setting (#5839)
+- Issue 4551 - Paged search impacts performance (#5838)
+- Issue 4758 - Add tests for WebUI
+- Issue 4169 - UI - Fix retrochangelog and schema Typeaheads (#5837)
+- issue 5833 - dsconf monitor backend fails on lmdb (#5835)
+- Issue 3555 - UI - Fix audit issue with npm - stylelint (#5836)
+
+* Mon Jul 24 2023 Mark Reynolds <mreynolds@redhat.com> - 2.4.2-5
+- Bump version to 2.4.2-5
+- Add the bash completion scripts to the appropriate files section
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Jul 11 2023 František Zatloukal <fzatlouk@redhat.com> - 2.4.2-3
+- Rebuilt for ICU 73.2
+
+* Mon Jul 10 2023 Mark Reynolds <mreynolds@redhat.com> - 2.4.2-2
+- Bump version to 2.4.2-2
+- Issue 5752 - RFE - Provide a history for LastLoginTime (#5807)
+= Issue 4719 - CI - Add dsconf add a PTA URL test
+
+* Fri Jul 7 2023 Mark Reynolds <mreynolds@redhat.com> - 2.4.2-1
+- Bump version to 2.4.2
+- Issue 5793 - UI - fix suffix selection in export modal
+- Issue 5793 - UI - Fix minor crashes (#5827)
+- Issue 5825 - healthcheck - password storage scheme warning needs more info
+- Issue 5822 - Allow empty export path for db2ldif
+- Issue 5755 - Massive memory leaking on update operations (#5824)
+- Issue 5701 - CI - Add more tests for referral mode fix (#5810)
+- Issue 5551 - Almost empty and not loaded ns-slapd high cpu load
+- Issue 5755 - The Massive memory leaking on update operations (#5803)
+- Issue 2375 - CLI - Healthcheck - revise and add new checks
+- Bump openssl from 0.10.52 to 0.10.55 in /src
+- Issue 5793 - UI - movce from webpack to esbuild bundler
+- Issue 5752 - CI - Add more tests for lastLoginHistorySize RFE (#5802)
+- Issue 3527 - Fix HAProxy x390x compatibility and compiler warnings (#5801)
+- Issue 5798 - CLI - Add multi-valued support to dsconf config (#5799)
+- Issue 5781 - Bug handling return code of pre-extended operation plugin.
+- Issue 5785 - move bash completion to post section of specfile
+- Issue 5156 - (cont) RFE slapi_memberof reusing memberof values (#5744)
+- Issue 4758 - Add tests for WebUI
+- Issue 3527 - Add PROXY protocol support (#5762)
+- Issue 5789 - Improve ds-replcheck error handling
+- Issue 5786 - CLI - registers tools for bash completion
+- Issue 5786 - Set minimal permissions on GitHub Workflows (#5787)
+- Issue 5646 - Various memory leaks (#5725)
+- Issue 5778 - UI - Remove error message if .dsrc is missing
+- Issue 5751 - Cleanallruv task crashes on consumer (#5775)
+
+* Wed Jun 28 2023 Python Maint <python-maint@redhat.com> - 2.4.1-2
+- Rebuilt for Python 3.12
+
+* Thu May 18 2023 Mark Reynolds <mreynolds@redhat.com> - 2.4.1-1
+- Bump version to 2.4.1
+- Issue 5770 - RFE - Extend Password Adminstrators to allow skipping password info updates
+- Issue 5768 - CLI/UI - cert checks are too strict, and other issues
+- Issue 5722 - fix compilation warnings (#5771)
+- Issue 5765 - Improve installer selinux handling
+- Issue 152  - RFE - Add support for LDAP alias entries
+- Issue 5052 - BUG - Custom filters prevented entry deletion (#5060)
+- Issue 5752 - RFE - Provide a history for LastLoginTime (#5753)
+- Issue 5722 - RFE When a filter contains 'nsrole', improve response time by rewriting the filter (#5723)
+- Issue 5704 - crash in sync_refresh_initial_content (#5720)
+- Issue 5738 - RFE - UI - Read/write replication monitor info to .dsrc file
+- Issue 5156 - build warnings (#5758)
+- Issue 5749 - RFE - Allow Account Policy Plugin to handle inactivity and expiration at the same time
+- Issue 5743 - Disabling replica crashes the server (#5746)
+- Issue 2562 - Copy config files into backup directory
+- Issue 5156 - fix build breakage from slapi-memberof commit
+- Issue 4758 - Add tests for WebUI
+
+* Tue Apr 25 2023 Mark Reynolds <mreynolds@redhat.com> - 2.4.0-1
+- Bump version to 2.4.0
+- Issue 5156 - RFE that implement slapi_memberof (#5694)
+- Issue 5734 - RFE - Exclude pwdFailureTime and ContextCSN (#5735)
+- Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)
+- Issue 4758 - Add tests for WebUI
+- Issue 5718 - Memory leak in connection table (#5719)
+- Issue 5705 - Add config parameter to close client conns on failed bind (#5712)
+- Issue 4758 - Add tests for WebUI
+- Issue 5643 - Memory leak in entryrdn during delete (#5717)
+- Issue 5714 - UI - fix typo, db settings, log settings, and LDAP editor paginations
+- Issue 5701 - CLI - Fix referral mode setting (#5708)
+- Bump openssl from 0.10.45 to 0.10.48 in /src (#5709)
+- Issue 5710 - subtree search statistics for index lookup does not report ancestorid/entryrdn lookups (#5711)
+- Issue 5697 - Obsolete nsslapd-ldapimaprootdn attribute (#5698)
+- Issue 1081 - Stop schema replication from overwriting x-origin
+- Issue 4812 - Listener thread does not scale with a high num of established connections (#5706)
+- Issue 4812 - Listener thread does not scale with a high num of established connections (#5681)
+- Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)
+- Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5692)
+- Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5691)
+- Issue 5687 - UI - sensitive information disclosure
+- Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV (#5676)
+- Issue 5554 - Add more tests to security_basic_test suite
+- Issue 4583 - Update specfile to skip checks of ASAN builds
+- Issue 4758 - Add tests for WebUI
+- Issue 3604 - UI - Add support for Subject Alternative Names in CSR
+- Issue 5600 - buffer overflow when enabling sync repl plugin when dynamic plugins is enabled
+- Issue 5640 - Update logconv for new logging format
+- Issue 5162 - CI - fix error message for invalid pem file
+- Issue 5598 - In 2.x, SRCH throughput drops by 10% because of handling of referral (#5604)
+- Issue 5671 - covscan - clang warning (#5672)
+- Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn
+- Issue 5666 - CLI - Add timeout parameter for tasks
+- Issue 5567 - CLI - make ldifgen use the same default ldif name for all options
+- Issue 5647 - Fix unused variable warning from previous commit (#5670)
+- Issue 5162 - Lib389 - verify certificate type before adding
+- Issue 5642 - Build fails against setuptools 67.0.0
+- Issue 5630 - CLI - need to add logging filter for stdout
+- Issue 5646 - CLI/UI - do not hardcode password storage schemes
+- Issue 5640 - Update logconv for new logging format
+- issue 5647 - covscan: memory leak in audit log when adding entries (#5650)
+- Issue 5658 - CLI - unable to add attribute with matching rule
+- Issue 5653 - covscan - fix invalid dereference
+- Issue 5652 - Libasan crash in replication/cascading_test (#5659)
+- Issue 5628 - Handle graceful timeout in CI tests (#5657)
+- Issue 5648 - Covscan - Compiler warnings (#5651)
+- Issue 5630 - CLI - error messages should goto stderr
+- Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)
+- Issue 5632 - CLI - improve error handling with db2ldif
+- Issue 5517 - Replication conflict CI test sometime fails (#5518)
+- Issue 5634 - Deprecated warning related to github action workflow code (#5635)
+- Issue 5637 - Covscan - fix Buffer Overflows (#5638)
+- Issue 5624 - RFE - UI - export certificates, and import text base64 encoded certificates
+- Bump tokio from 1.24.1 to 1.25.0 in /src (#5629)
+- Issue 4577 - Add LMDB pytest github action (#5627)
+- Issue 4293 - RFE - CLI - add dsrc options for setting user and group subtrees
+- Remove stale libevent(-devel) dependency
+- Issue 5578 - dscreate ds-root does not normaile paths (#5613)
+- Issue 5497 - boolean attributes should be case insensitive
+
+* Fri Mar 31 2023 Viktor Ashirov <vashirov@redhat.com> - 2.3.2-3
+- Fix build issue against setuptools 67.0.0 (#2183375)
+
+* Tue Feb 28 2023 Simon Pichugin <spichugi@redhat.com> - 2.3.2-2
+- Use systemd-sysusers for dirsrv user and group (#2173834)
+
+* Mon Jan 23 2023 Mark Reynolds <mreynolds@redhat.com> - 2.3.2-1
+- Bump version to 2.3.2
+- Issue 5547 - automember plugin improvements
+- Issue 5607, 5351, 5611 - UI/CLI - fix various issues
+- Issue 5610 - Build failure on Debian
+- Issue 5608 - UI - need to replace some "const" with "let"
+- Issue 5560 - dscreate run by non superuser set defaults requiring superuser privilege (#5579)
+- Issue 3604 - Create a private key/CSR with dsconf/Cockpit (#5584)
+- Issue 5605 - Adding a slapi_log_backtrace function in libslapd (#5606)
+- Issue 5602 - UI - browser crash when trying to modify read-only variable
+- Issue 5581 - UI - Support cockpit dark theme
+- Issue 5593 - CLI - dsidm account subtree-status fails with TypeError
+- Issue 5591 - BUG - Segfault in cl5configtrim with invalid confi (#5592)
+- Fix latest npm audit failures
+- Issue 5599 - CI - webui tests randomly fail
+- Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries
+- Issue 5588 - Fix CI tests
+- Issue 5585 - lib389 password policy DN handling is incorrect (#5587)
+- Issue 5521 - UI - Update plugins for new split PAM and LDAP pass thru auth
+- Bump json5 from 2.2.1 to 2.2.3 in /src/cockpit/389-console
+- Issue 5236 - UI add specialized group edit modal
+- Issue 5550 - dsconf monitor crashes with Error math domain error (#5553)
+- Issue 5278 - CLI - dsidm asks for the old password on password reset
+- Issue 5531 - CI - use universal_lines in capture_output
+- Issue 5425 - CLI - add confirmation arg when deleting backend
+- Issue 5558 - non-root instance fails to start on creation (#5559)
+- Issue 5545 - A random crash in import over lmdb (#5546)
+- Issue 3615 - CLI - prevent virtual attribute indexing
+- Update specfile and rust crates
+- Issue 5413 - Allow mutliple MemberOf fixup tasks with different bases/filters
+- Issue 5554 - Add more tests to security_basic_test suite (#5555)
+- Issue 5561 - Nightly tests are failing
+- Issue 5521 - RFE - split pass through auth cli
+- Issue 5521 - BUG - Pam PTA multiple issues
+- Issue 5544 - Increase default task TTL
+- Issue 5526 - RFE - Improve saslauthd migration options (#5528)
+- Issue 5539 - Make logger's parameter name unified (#5540)
+- Issue 5541 - Fix typo in `lib389.cli_conf.backend._get_backend` (#5542)
+- Issue 3729 - (cont) RFE Extend log of operations statistics in access log (#5538)
+- Issue 5534 - Fix a rebase typo (#5537)
+- Issue 5534 - Add copyright text to the repository files
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Dec 31 2022 Pete Walter <pwalter@fedoraproject.org> - 2.3.1-2
+- Rebuild for ICU 72
+
+* Fri Nov 18 2022 Mark Reynolds <mreynolds@redhat.com> - 2.3.1-1
+- Bump version to 2.3.1
+- Issue 5532 - Make db compaction TOD day more robust.
+- Issue 3729 - RFE Extend log of operations statistics in access log (#5508)
+- Issue 5529 - UI - Fix npm vulnerability in loader-utils
+- Issue 5490 - tombstone in entryrdn index with lmdb but not with bdb (#5498)
+- Issue 5162 - Fix dsctl tls ca-certfiicate add-cert arg requirement
+- Issue 5510 - remove twalk_r dependency to build on RHEL8 (#5516)
+- Issue 5162 - RFE - CLI allow adding CA certificate bundles
+- Issue 5440 - memberof is slow on update/fixup if there are several 'groupattr' (#5455)
+- Issue 5512 - BUG - skip pwdPolicyChecker OC in migration (#5513)
+- Issue 3555 - UI - fix audit issue with npm loader-utils (#5514)
+- Issue 5505 - Fix compiler warning (#5506)
+- Issue 5469 - Increase the default value of nsslapd-conntablesize (#5472)
+- Issue 5408 - lmdb import is slow (#5481)
+- Issue 5429 - healthcheck - add checks for MemberOf group attrs being indexed
+- Issue 5502 - RFE - Add option to display entry attributes in audit log
+- Issue 5495 - BUG - Minor fix to dds skip, inconsistent attrs caused errors (#5501)
+- Issue 5367 - RFE - store full DN in database record
+- Issue 5495 - RFE - skip dds during migration. (#5496)
+- Issue 5491 - UI - Add rework and finish jpegPhoto functionality (#5492)
+- Issue 5368 - Retro Changelog trimming does not work (#5486)
+- Issue 5487 - Fix various issues with logconv.pl
+- Issue 5476 - RFE - add memberUid read aci by default (#5477)
+- Issue 5482 - lib389 - Can not enable replication with a mixed case suffix
+- Issue 5478 - Random crash in connection code during server shutdown (#5479)
+- Issue 3061 - RFE - Add password policy debug log level
+- Issue 5302 - Release tarballs don't contain cockpit webapp
+- Issue 5262 - high contention in find_entry_internal_dn on mixed load (#5264)
+- Issue 4324 - Revert recursive pthread mutex change (#5463)
+- Issue 5462 - RFE - add missing default indexes (#5464)
+- Issue 5465 - Fix dbscan linking (#5466)
+- Issue 5271 - Serialization of pam_passthrough causing high etimes (#5272)
+- Issue 5453 - UI/CLI - Changing Root DN breaks UI
+- Issue 5446 - Fix some covscan issues (#5451)
+- Issue 4308 - checking if an entry is a referral is expensive
+- Issue 5447 - UI - add NDN max cache size to UI
+- Issue 5443 - UI - disable save button while saving
+- Issue 5413 - Allow only one MemberOf fixup task at a time
+- Issue 4592 - dscreate error with custom dir_path (#5434)
+- Issue 5158 - entryuuid fixup tasks fails in replicated topology (#5439)
+
+* Tue Sep 20 2022 Mark Reynolds <mreynolds@redhat.com> - 2.3.0-2
+- Bump version to 2.3.0-2
+- Update old pcre-devel requirement to pcre2-devel
+
+* Thu Sep 1 2022 Mark Reynolds <mreynolds@redhat.com> - 2.3.0-1
+- Bump version to 2.3.0
+- Issue 5012 - Migrate pcre to pcre2 - remove match limit
+- Issue 5356 - Make Rust non-optional and update default password storage scheme
+- Issue 5012 - Migrate pcre to pcre2
+- Issue 5428 - Fix regression with nscpEntryWsi computation
+- Fix missing 'not' in description (closes #5423) (#5424)
+- Issue 5421 - CI - makes replication/acceptance_test.py::test_modify_entry more robust (#5422)
+- Issue 3903 - fix repl keep alive event interval
+- Issue 5418 - Sync_repl may crash while managing invalid cookie (#5420)
+- Issue 5415 - Hostname when set to localhost causing failures in other tests
+- Issue 5412 - lib389 - do not set backend name to lowercase
+- Issue 5407 - sync_repl crashes if enabled while dynamic plugin is enabled (#5411)
+- Issue 5385 - LMDB - import crash in rdncache_add_elem (#5406)
+- Issue 5403 - Memory leak in conntection table mulit list (#5404)
+- Issue 3903 - keep alive update event starts too soon
+- Issue 5397 - Fix various memory leaks
+- Issue 5399 - UI - LDAP Editor is not updated when we switch instances (#5400)
+- Issue 3903 - Supplier should do periodic updates
+- Issue 5377 - Code cleanup: Fix Covscan invalid reference (#5393)
+- Issue 5394 - configure doesn't check for lmdb and json-c
+- Issue 5392 - dscreate fails when using alternative ports in the SELinux hi_reserved_port_t label range
+- Issue 5386 - BUG - Update sudoers schema to correctly support UTF-8 (#5387)
+- Issue 5388 - fix use-after-free and deadcode
+- Issue 5383 - UI - Various fixes and RFE's for UI
+- Issue 4656 - Remove problematic language from source code
+- Issue 5380 - Separate cleanAllRUV code into new file
+- Issue 5322 - optime & wtime on rejected connections is not properly set
+- Issue 5335 - RFE - Add Security Audit Log
+- Issue 5375 - CI - disable TLS hostname checking
+- Issue 981  - Managed Entries betxnpreoperation - transaction not aborted on managed entry failure (#5369)
+- Issue 5373 - dsidm user get_dn fails with search_ext() argument 1 must be str, not function
+- Issue 5371 - Update npm and cargo packages
+- Issue 3069 - Support ECDSA private keys for TLS (#5365)
+- Issue 5290 - Importing certificate chain files via "import-server-key-cert" no longer works (#5293)
+
+* Mon Aug 01 2022 Frantisek Zatloukal <fzatlouk@redhat.com> - 2.2.2-3
+- Rebuilt for ICU 71.1
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jul 5 2022 Mark Reynolds <mreynolds@redhat.com> - 2.2.2-1
+- Bump version to 2.2.2
+- Issue 5221 - fix covscan (#5359)
+- Issue 5294 - Report Portal 5 is not processing an XML file with (#5358)
+- Issue 5353 - CLI - dsconf backend export breaks with multiple backends
+- Issue 5346 - New connection table fails with ASAN failures (#5350)
+- Issue 5345 - BUG - openldap migration fails when ppolicy is active (#5347)
+- Issue 5323 - BUG - improve skipping of monitor db (#5340)
+- Issue 5329 - Improve replication extended op logging
+- Issue 5343 - Various improvements to winsync
+- Issue 4932 - CLI - add parser aliases to long arg names
+- Issue 5332 - BUG - normalise filter as intended
+- Issue 5327 - Validate test metadata
+- Issue 4812 - Scalability with high number of connections (#5090)
+- Issue 4348 - Add tests for dsidm
+- Issue 5333 - 389-ds-base fails to build with Python 3.11
+
+* Thu Jun 16 2022 Python Maint <python-maint@redhat.com> - 2.2.1-4
+- Rebuilt for Python 3.11
+
+* Wed Jun 15 2022 Mark Reynolds <mreynolds@redhat.com> - 2.2.1-3
+- Bump version to 2.2.1-3
+- Issue 5332 - BUG - normalise filter as intended
+- Issue 5327 - Validate test metadata
+- Issue 4348 - Add tests for dsidm
+- Bump crossbeam-utils from 0.8.6 to 0.8.8 in /src
+- Issue 5333 - 389-ds-base fails to build with Python 3.11
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 2.2.1-2
+- Rebuilt for Python 3.11
+
+* Fri Jun 3 2022 Mark Reynolds <mreynolds@redhat.com> - 2.2.1-1
+- Bump version to 2.2.1
+- Issue 5323 - BUG - Fix issue in mdb tests with monitor (#5326)
+- Issue 5170 - BUG - incorrect behaviour of filter test (#5315)
+- Issue 5324 - plugin acceptance test needs hardening
+- Issue 5319 - dsctl_tls_test.py fails with openssl-3.x
+- Issue 5323 - BUG - migrating database for monitoring interface lead to crash (#5321)
+- Issue 5304 - Need a compatibility option about sub suffix handling (#5310)
+- Issue 5313 - dbgen test uses deprecated -h HOST and -p PORT options for ldapmodify
+- Issue 5311 - Missing Requires for acl in the spec file
+- Issue 5305 - OpenLDAP version autodetection doesn't work
+- Issue 5307 - VERSION_PREREL is not set correctly in CI builds
+- Issue 5302 - Release tarballs don't contain cockpit webapp
+- Issue 5170 - RFE - improve filter logging to assist debugging (#5301)
+- Issue 5299 - jemalloc 5.3 released
+- Issue 5175 - Remove stale zlib-devel dependency declaration (#5173)
+- Issue 5294 - Report Portal 5 is not processing test results XML file
+- Issue 5170 - BUG - ldapsubentries were incorrectly returned (#5285)
+- Issue 5291 - Harden ReplicationManager.wait_for_replication (#5292)
+- Issue  379 - RFE - Compress rotated logs (fix linker)
+- Issue  379 - RFE - Compress rotated logs
+- Issue 5281 - HIGH - basic test does not run
+- Issue 5284 - Replication broken after password change (#5286)
+- Issue 5279 - dscontainer: TypeError: unsupported operand type(s) for /: 'str' and 'int'
+- Issue 5170 - RFE - Filter optimiser (#5171)
+- Issue 5276 - CLI - improve task handling
+- Issue 5126 - Memory leak in slapi_ldap_get_lderrno (#5153)
+- Issue 3 - ansible-ds - Prefix handling fix (#5275)
+- Issue 5273 - CLI - add arg completer for instance name
+- Issue 2893 - CLI - dscreate - add options for setting up replication
+- Issue 4866 - CLI - when enabling replication set changelog trimming by default
+- Issue 5241 - UI - Add account locking missing functionality (#5251)
+- Issue 5180 - snmp_collator tries to unlock NULL mutex (#5266)
+- Issue 4904 - Fix various small issues
+- lib389 prerequisite for ansible-ds (#5253)
+- Issue 5260 - BUG - OpenLDAP allows multiple names of memberof overlay (#5261)
+- Issue 5252 - During DEL, vlv search can erroneously return NULL candidate (#5256)
+- Issue 5254 - dscreate create-template regression due to 5a3bdc336 (#5255)
+- Issue 5210 - Python undefined names in lib389
+- Issue 5065 - Crash in suite plugins - test_dna_max_value (#5108)
+- Issue 5247 - BUG - Missing attributes in samba schema (#5248)
+- Issue 5242- Craft message may crash the server (#5243)
+- Issue 4775 -plugin entryuuid failing (#5229)
+- Issue 5239 - Nightly copr builds are broken
+- Issue 5237 - audit-ci: Cannot convert undefined or null to object
+- Issue 5234 - UI - rename Users and Groups tab
+- Issue 5227 - UI - No way to move back to Get Started step (#5233)
+- Issue 5217 - Simplify instance creation and administration by non root user (#5224)

gating.yaml

@@ -0,0 +1,15 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts: [bodhi_update_push_testing]
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - fedora-*
+decision_contexts: [bodhi_update_push_stable]
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}

jemalloc-5.3.0_throw_bad_alloc.patch

@@ -0,0 +1,41 @@
+#commit 3de0c24859f4413bf03448249078169bb50bda0f
+#Author: divanorama <divanorama@gmail.com>
+#Date:   Thu Sep 29 23:35:59 2022 +0200
+#
+#    Disable builtin malloc in tests
+#    
+#    With `--with-jemalloc-prefix=` and without `-fno-builtin` or `-O1` both clang and gcc may optimize out `malloc` calls
+#    whose result is unused. Comparing result to NULL also doesn't necessarily count as being used.
+#    
+#    This won't be a problem in most client programs as this only concerns really unused pointers, but in
+#    tests it's important to actually execute allocations.
+#    `-fno-builtin` should disable this optimization for both gcc and clang, and applying it only to tests code shouldn't hopefully be an issue.
+#    Another alternative is to force "use" of result but that'd require more changes and may miss some other optimization-related issues.
+#    
+#    This should resolve https://github.com/jemalloc/jemalloc/issues/2091
+#
+#diff --git a/Makefile.in b/Makefile.in
+#index 6809fb29..a964f07e 100644
+#--- a/Makefile.in
+#+++ b/Makefile.in
+#@@ -458,6 +458,8 @@ $(TESTS_OBJS): $(objroot)test/%.$(O): $(srcroot)test/%.c
+# $(TESTS_CPP_OBJS): $(objroot)test/%.$(O): $(srcroot)test/%.cpp
+# $(TESTS_OBJS): CPPFLAGS += -I$(srcroot)test/include -I$(objroot)test/include
+# $(TESTS_CPP_OBJS): CPPFLAGS += -I$(srcroot)test/include -I$(objroot)test/include
+#+$(TESTS_OBJS): CFLAGS += -fno-builtin
+#+$(TESTS_CPP_OBJS): CPPFLAGS += -fno-builtin
+# ifneq ($(IMPORTLIB),$(SO))
+# $(CPP_OBJS) $(C_SYM_OBJS) $(C_OBJS) $(C_JET_SYM_OBJS) $(C_JET_OBJS): CPPFLAGS += -DDLLEXPORT
+# endif
+diff --git a/src/jemalloc_cpp.cpp b/src/jemalloc_cpp.cpp
+index fffd6aee..5a682991 100644
+--- a/src/jemalloc_cpp.cpp
++++ b/src/jemalloc_cpp.cpp
+@@ -93,7 +93,7 @@ handleOOM(std::size_t size, bool nothrow) {
+        }
+
+        if (ptr == nullptr && !nothrow)
+-		std::__throw_bad_alloc();
++		throw std::bad_alloc();
+        return ptr;
+ }

main.fmf

@@ -0,0 +1,17 @@
+/plan:
+    summary: Basic test suite
+    discover:
+        how: fmf
+    execute:
+        how: tmt
+    prepare:
+      - name: install required packages
+        how: install
+        package: [389-ds-base, git, pytest]
+      - name: clone repo
+        how: shell
+        script: git clone https://github.com/389ds/389-ds-base /root/ds
+/test:
+    /upstream_basic:
+        test: pytest -v /root/ds/dirsrvtests/tests/suites/basic/basic_test.py
+        duration: 30m

sources

@@ -1,2 +1,3 @@
 SHA512 (jemalloc-5.3.0.tar.bz2) = 22907bb052096e2caffb6e4e23548aecc5cc9283dce476896a2b1127eee64170e3562fa2e7db9571298814a7a2c7df6e8d1fbe152bd3f3b0c1abec22a2de34b1
-SHA512 (389-ds-base-2.2.2.tar.bz2) = 96572dbd5dfb9fb10d353613cc367b8f761f1958d217c7e381a58e9cea13169884453a3f70f7da68289298669371968282c7fdf292c520f389bc2daa394355db
+SHA512 (libdb-5.3.28-59.tar.bz2) = 731a434fa2e6487ebb05c458b0437456eb9f7991284beb08cb3e21931e23bdeddddbc95bfabe3a2f9f029fe69cd33a2d4f0f5ce6a9811e9c3b940cb6fde4bf79
+SHA512 (389-ds-base-3.2.0.tar.bz2) = 9ff6aa56b30863c619f4f324344dca72cc883236bfe8d94520e8469d9e306f54b373ee2504eda18dcb0ecda33f915a3e64a6f3cdaa93a69b74d901caa48545e1

tests/tests.yml

@@ -1,26 +0,0 @@
----
-- hosts: localhost
-  remote_user: root
-  vars:
-    ds_repo_url: https://github.com/389ds/389-ds-base.git
-    ds_repo_dir: ds
-    ds_tests: "{{ ds_repo_dir }}/dirsrvtests/tests"
-    pytest: py.test-3
-    pytest_args: "-v --continue-on-collection-errors"
-    pytest_tests: "suites/basic"
-    artifacts: ./artifacts
-  roles:
-  - role: standard-test-basic
-    tags:
-    - classic
-    repositories:
-    - repo: "{{ ds_repo_url }}"
-      dest: "{{ ds_repo_dir }}"
-    tests:
-    - basic:
-        dir: "{{ ds_tests }}"
-        run: "{{ pytest }} {{ pytest_args }} {{ pytest_tests }}"
-    required_packages:
-    - python3-pytest
-    - 389-ds-base
-    - 389-ds-base-snmp