Ubuntu
openldap package

pbkdf2 needs configurable hashing rounds for FIPS 140-3

  1. Questing (25.10)
  2. Bug #2125685
Bug #2125685 reported by Filippo
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
In Progress
Wishlist
Jonas Jelten
Jammy
In Progress
Wishlist
Jonas Jelten
Noble
In Progress
Wishlist
Jonas Jelten
Plucky
In Progress
Wishlist
Jonas Jelten
Questing
In Progress
Wishlist
Jonas Jelten

Bug Description

[ Impact ]

Add configurable rounds for pw-pbkdf2.so module

Without the ability to configure the iteration count, it is not possible to meet current security best practices or achieve compliance with FIPS 140-3, which requires configurable and sufficiently high iteration counts for PBKDF2.

[ Test Plan ]

 * install slapd and slapd-contrib
 * before update: only supports hardcoded 10000 rounds:
   slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}
   -> observe {PBKDF2-SHA512}10000$...
 * after update, any round number can be configured:
   slappasswd -o module-load="pw-pbkdf2.so 1337" -h {PBKDF2-SHA512}
   -> observe {PBKDF2-SHA512}1337$...

[ Where problems could occur ]

 * pbkdf2 password validation/hashing could get a regression
 * Due to the configurable number amount, old passwords could become invalid due do different round counts

[ Original Report ]

On Ubuntu 24.04, the OpenLDAP package ships with the library /usr/lib/ldap/pw-pbkdf2.so.
While this module works for generating PBKDF2-SHA512 password hashes, it does not provide an option to configure the number of iterations.

For example:
slappasswd -o module-load=pw-pbkdf2.so -h {PBKDF2-SHA512}

generates a hash with a fixed iteration count (e.g. 10000) and does not accept parameters to increase it.

In contrast, the upstream contrib module passwd/pbkdf2 on https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modules/passwd/pbkdf2

supports the iteration count option and allows administrators to configure it.

moduleload pw-pbkdf2.so [iterations]

Steps to reproduce:

Install OpenLDAP on Ubuntu 24.04. (slapd and slapd-contrib pakages)
Run
slappasswd -o module-load=pw-pbkdf2.la -h {PBKDF2} -s secret
{PBKDF2}10000$ZvU8GRSybbefW48n8BeyuA$XE1t4W09ZP0z8zmLVb/SbwaOl2Y

See original description
Tags: server-todo

Related branches

~jj/ubuntu/+source/openldap:lp2119884-fix-apparmor-questing
Athos Ribeiro: Pending requested
Canonical Server Reporter: Pending requested
Diff: 257 lines (+159/-11)
8 files modified
debian/apparmor-profile (+3/-0)
debian/changelog (+13/-0)
debian/patches/lp2125685-pbkdf2-configurable-rounds.patch (+92/-0)
debian/patches/lp2125685-pbkdf2-fix-iteration-arg.patch (+22/-0)
debian/patches/series (+2/-0)
debian/rules (+6/-8)
debian/tests/control (+1/-1)
debian/tests/slapd (+20/-2)
~jj/ubuntu/+source/openldap:lp2119884-fix-apparmor-resolute
Canonical Server: Pending requested
Canonical Server Reporter: Pending requested
Diff: 257 lines (+159/-11)
8 files modified
debian/apparmor-profile (+3/-0)
debian/changelog (+13/-0)
debian/patches/lp2125685-pbkdf2-configurable-rounds.patch (+92/-0)
debian/patches/lp2125685-pbkdf2-fix-iteration-arg.patch (+22/-0)
debian/patches/series (+2/-0)
debian/rules (+6/-8)
debian/tests/control (+1/-1)
debian/tests/slapd (+20/-2)
~jj/ubuntu/+source/openldap:lp2119884-fix-apparmor-questing
Athos Ribeiro (community): Needs Information
Canonical Server Reporter: Pending requested
Diff: 254 lines (+157/-10)
8 files modified
debian/apparmor-profile (+3/-0)
debian/changelog (+13/-0)
debian/patches/lp2125685-pbkdf2-configurable-rounds.patch (+92/-0)
debian/patches/lp2125685-pbkdf2-fix-iteration-arg.patch (+22/-0)
debian/patches/series (+2/-0)
debian/rules (+6/-8)
debian/tests/control (+1/-1)
debian/tests/slapd (+18/-1)
~jj/ubuntu/+source/openldap:lp2112527-backport-2.5.20-jammy
Athos Ribeiro: Pending requested
Canonical Server Reporter: Pending requested
Diff: 12367 lines (+11779/-92)
19 files modified
CHANGES (+15/-0)
build/version.var (+4/-4)
clients/tools/common.c (+14/-0)
clients/tools/ldapvc.c (+15/-0)
contrib/slapd-modules/autogroup/autogroup.c (+2/-0)
debian/changelog (+12/-0)
debian/patches/lp2125685-pbkdf2-configurable-rounds.patch (+92/-0)
debian/patches/lp2125685-pbkdf2-fix-iteration-arg.patch (+22/-0)
debian/patches/series (+2/-0)
doc/guide/admin/guide.html (+11455/-0)
doc/guide/admin/slapdconf2.sdf (+62/-61)
doc/man/man5/ldap.conf.5 (+8/-6)
doc/man/man5/slapd-config.5 (+17/-3)
doc/man/man5/slapo-dynlist.5 (+3/-0)
libraries/librewrite/subst.c (+6/-6)
servers/lloadd/config.c (+4/-0)
servers/slapd/bconfig.c (+18/-10)
servers/slapd/overlays/pcache.c (+8/-2)
servers/slapd/slapcommon.c (+20/-0)
~jj/ubuntu/+source/openldap:lp2112527-backport-2.6.10-noble
Athos Ribeiro: Pending requested
Canonical Server Reporter: Pending requested
Diff: 61117 lines (+14765/-18837)
1349 files modified
ANNOUNCEMENT (+1/-1)
CHANGES (+90/-0)
COPYRIGHT (+1/-1)
INSTALL (+1/-1)
Makefile.in (+1/-1)
README (+1/-1)
aclocal.m4 (+79/-11)
build/dir.mk (+1/-1)
build/info.mk (+1/-1)
build/lib-shared.mk (+1/-1)
build/lib-static.mk (+1/-1)
build/lib.mk (+1/-1)
build/man.mk (+1/-1)
build/mkdep (+1/-1)
build/mkdep.aix (+1/-1)
build/mkrelease (+1/-1)
build/mkvers.bat (+1/-1)
build/mkversion (+3/-3)
build/mod.mk (+1/-1)
build/openldap.m4 (+1/-1)
build/rules.mk (+1/-1)
build/srv.mk (+1/-1)
build/top.mk (+2/-3)
build/version.h (+2/-2)
build/version.sh (+1/-1)
build/version.var (+4/-4)
clients/Makefile.in (+1/-1)
clients/tools/Makefile.in (+1/-1)
clients/tools/common.c (+16/-2)
clients/tools/common.h (+1/-1)
clients/tools/ldapcompare.c (+1/-1)
clients/tools/ldapdelete.c (+1/-1)
clients/tools/ldapexop.c (+1/-1)
clients/tools/ldapmodify.c (+22/-4)
clients/tools/ldapmodrdn.c (+1/-1)
clients/tools/ldappasswd.c (+1/-1)
clients/tools/ldapsearch.c (+6/-3)
clients/tools/ldapurl.c (+1/-1)
clients/tools/ldapvc.c (+16/-1)
clients/tools/ldapwhoami.c (+1/-1)
configure (+6569/-5267)
configure.ac (+50/-35)
contrib/ConfigOIDs (+4/-0)
contrib/ldapc++/COPYRIGHT (+1/-1)
contrib/ldapc++/Makefile.am (+1/-1)
contrib/ldapc++/Makefile.in (+1/-1)
contrib/ldapc++/configure (+2/-2)
contrib/ldapc++/configure.ac (+3/-3)
contrib/ldapc++/examples/Makefile.am (+1/-1)
contrib/ldapc++/examples/Makefile.in (+1/-1)
contrib/ldapc++/examples/main.cpp (+1/-1)
contrib/ldapc++/examples/readSchema.cpp (+1/-1)
contrib/ldapc++/examples/startTls.cpp (+1/-1)
contrib/ldapc++/examples/urlTest.cpp (+1/-1)
contrib/ldapc++/src/LDAPAddRequest.cpp (+1/-1)
contrib/ldapc++/src/LDAPAddRequest.h (+1/-1)
contrib/ldapc++/src/LDAPAsynConnection.cpp (+1/-1)
contrib/ldapc++/src/LDAPAsynConnection.h (+1/-1)
contrib/ldapc++/src/LDAPAttrType.cpp (+1/-1)
contrib/ldapc++/src/LDAPAttrType.h (+1/-1)
contrib/ldapc++/src/LDAPAttribute.cpp (+1/-1)
contrib/ldapc++/src/LDAPAttribute.h (+1/-1)
contrib/ldapc++/src/LDAPAttributeList.cpp (+1/-1)
contrib/ldapc++/src/LDAPAttributeList.h (+1/-1)
contrib/ldapc++/src/LDAPBindRequest.cpp (+1/-1)
contrib/ldapc++/src/LDAPBindRequest.h (+1/-1)
contrib/ldapc++/src/LDAPCompareRequest.cpp (+1/-1)
contrib/ldapc++/src/LDAPCompareRequest.h (+1/-1)
contrib/ldapc++/src/LDAPConnection.cpp (+1/-1)
contrib/ldapc++/src/LDAPConnection.h (+1/-1)
contrib/ldapc++/src/LDAPConstraints.cpp (+1/-1)
contrib/ldapc++/src/LDAPConstraints.h (+1/-1)
contrib/ldapc++/src/LDAPControl.cpp (+1/-1)
contrib/ldapc++/src/LDAPControl.h (+1/-1)
contrib/ldapc++/src/LDAPControlSet.cpp (+1/-1)
contrib/ldapc++/src/LDAPControlSet.h (+1/-1)
contrib/ldapc++/src/LDAPDeleteRequest.cpp (+1/-1)
contrib/ldapc++/src/LDAPDeleteRequest.h (+1/-1)
contrib/ldapc++/src/LDAPEntry.cpp (+1/-1)
contrib/ldapc++/src/LDAPEntry.h (+1/-1)
contrib/ldapc++/src/LDAPEntryList.cpp (+1/-1)
contrib/ldapc++/src/LDAPEntryList.h (+1/-1)
contrib/ldapc++/src/LDAPException.cpp (+1/-1)
contrib/ldapc++/src/LDAPException.h (+1/-1)
contrib/ldapc++/src/LDAPExtRequest.cpp (+1/-1)
contrib/ldapc++/src/LDAPExtRequest.h (+1/-1)
contrib/ldapc++/src/LDAPExtResult.cpp (+1/-1)
contrib/ldapc++/src/LDAPExtResult.h (+1/-1)
contrib/ldapc++/src/LDAPMessage.cpp (+1/-1)
contrib/ldapc++/src/LDAPMessage.h (+1/-1)
contrib/ldapc++/src/LDAPMessageQueue.cpp (+1/-1)
contrib/ldapc++/src/LDAPMessageQueue.h (+1/-1)
contrib/ldapc++/src/LDAPModDNRequest.cpp (+1/-1)
contrib/ldapc++/src/LDAPModDNRequest.h (+1/-1)
contrib/ldapc++/src/LDAPModList.cpp (+1/-1)
contrib/ldapc++/src/LDAPModList.h (+1/-1)
contrib/ldapc++/src/LDAPModification.cpp (+1/-1)
contrib/ldapc++/src/LDAPModification.h (+1/-1)
contrib/ldapc++/src/LDAPModifyRequest.cpp (+1/-1)
contrib/ldapc++/src/LDAPModifyRequest.h (+1/-1)
contrib/ldapc++/src/LDAPObjClass.cpp (+1/-1)
contrib/ldapc++/src/LDAPObjClass.h (+1/-1)
contrib/ldapc++/src/LDAPRebind.cpp (+1/-1)
contrib/ldapc++/src/LDAPRebind.h (+1/-1)
contrib/ldapc++/src/LDAPRebindAuth.cpp (+1/-1)
contrib/ldapc++/src/LDAPRebindAuth.h (+1/-1)
contrib/ldapc++/src/LDAPReferenceList.cpp (+1/-1)
contrib/ldapc++/src/LDAPReferenceList.h (+1/-1)
contrib/ldapc++/src/LDAPRequest.cpp (+1/-1)
contrib/ldapc++/src/LDAPRequest.h (+1/-1)
contrib/ldapc++/src/LDAPResult.cpp (+1/-1)
contrib/ldapc++/src/LDAPResult.h (+1/-1)
contrib/ldapc++/src/LDAPSaslBindResult.cpp (+1/-1)
contrib/ldapc++/src/LDAPSaslBindResult.h (+1/-1)
contrib/ldapc++/src/LDAPSchema.cpp (+1/-1)
contrib/ldapc++/src/LDAPSchema.h (+1/-1)
contrib/ldapc++/src/LDAPSearchReference.cpp (+1/-1)
contrib/ldapc++/src/LDAPSearchReference.h (+1/-1)
contrib/ldapc++/src/LDAPSearchRequest.cpp (+1/-1)
contrib/ldapc++/src/LDAPSearchRequest.h (+1/-1)
contrib/ldapc++/src/LDAPSearchResult.cpp (+1/-1)
contrib/ldapc++/src/LDAPSearchResult.h (+1/-1)
contrib/ldapc++/src/LDAPSearchResults.cpp (+1/-1)
contrib/ldapc++/src/LDAPSearchResults.h (+1/-1)
contrib/ldapc++/src/LDAPUrl.cpp (+1/-1)
contrib/ldapc++/src/LDAPUrl.h (+1/-1)
contrib/ldapc++/src/LDAPUrlList.cpp (+1/-1)
contrib/ldapc++/src/LDAPUrlList.h (+1/-1)
contrib/ldapc++/src/LdifReader.cpp (+1/-1)
contrib/ldapc++/src/LdifReader.h (+1/-1)
contrib/ldapc++/src/LdifWriter.cpp (+1/-1)
contrib/ldapc++/src/LdifWriter.h (+1/-1)
contrib/ldapc++/src/Makefile.am (+1/-1)
contrib/ldapc++/src/Makefile.in (+1/-1)
contrib/ldapc++/src/SaslInteraction.cpp (+1/-1)
contrib/ldapc++/src/SaslInteraction.h (+1/-1)
contrib/ldapc++/src/SaslInteractionHandler.cpp (+1/-1)
contrib/ldapc++/src/SaslInteractionHandler.h (+1/-1)
contrib/ldapc++/src/StringList.cpp (+1/-1)
contrib/ldapc++/src/StringList.h (+1/-1)
contrib/ldapc++/src/TlsOptions.cpp (+1/-1)
contrib/ldapc++/src/TlsOptions.h (+1/-1)
contrib/ldapc++/src/ac/time.h (+1/-1)
contrib/ldapc++/src/debug.h (+1/-1)
contrib/ldapc++/version.sh (+1/-1)
contrib/ldapc++/version.var (+1/-1)
contrib/ldaptcl/COPYRIGHT (+1/-1)
contrib/slapd-modules/README (+1/-1)
contrib/slapd-modules/acl/README.posixgroup (+1/-1)
contrib/slapd-modules/acl/now.c (+1/-1)
contrib/slapd-modules/acl/posixgroup.c (+1/-1)
contrib/slapd-modules/addpartial/README (+1/-1)
contrib/slapd-modules/addpartial/addpartial-overlay.c (+1/-1)
contrib/slapd-modules/alias/Makefile (+82/-0)
contrib/slapd-modules/alias/alias.c (+673/-0)
contrib/slapd-modules/alias/slapo-alias.5 (+121/-0)
contrib/slapd-modules/alias/tests/Rules.mk (+23/-0)
contrib/slapd-modules/alias/tests/data/alias.conf (+4/-0)
contrib/slapd-modules/alias/tests/data/config.ldif (+5/-0)
contrib/slapd-modules/alias/tests/data/test001-00a-invalid.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test001-00b-invalid.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test001-01a-same-alias.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test001-01b-same-attr.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test001-01c-chained.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test001-01d-chained.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test001-02a-operational.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test001-02b-single.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test001-02c-syntax.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test001-02d-matching.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test001-02e-no-ordering.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test002-add-rdn.ldif (+5/-0)
contrib/slapd-modules/alias/tests/data/test002-add.ldif (+18/-0)
contrib/slapd-modules/alias/tests/data/test002-delete.ldif (+3/-0)
contrib/slapd-modules/alias/tests/data/test002-modify.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test002-modrdn.ldif (+5/-0)
contrib/slapd-modules/alias/tests/data/test003-config.ldif (+4/-0)
contrib/slapd-modules/alias/tests/data/test003-out.ldif (+66/-0)
contrib/slapd-modules/alias/tests/run (+17/-0)
contrib/slapd-modules/alias/tests/scripts/all (+93/-0)
contrib/slapd-modules/alias/tests/scripts/common.sh (+105/-0)
contrib/slapd-modules/alias/tests/scripts/test001-config (+248/-0)
contrib/slapd-modules/alias/tests/scripts/test002-add-delete (+76/-0)
contrib/slapd-modules/alias/tests/scripts/test003-search (+151/-0)
contrib/slapd-modules/allop/README (+1/-1)
contrib/slapd-modules/allop/allop.c (+1/-1)
contrib/slapd-modules/allop/slapo-allop.5 (+1/-1)
contrib/slapd-modules/allowed/Makefile (+1/-1)
contrib/slapd-modules/allowed/README (+1/-1)
contrib/slapd-modules/allowed/allowed.c (+1/-1)
contrib/slapd-modules/authzid/Makefile (+1/-1)
contrib/slapd-modules/authzid/authzid.c (+1/-1)
contrib/slapd-modules/autogroup/Makefile (+23/-1)
contrib/slapd-modules/autogroup/README (+1/-1)
contrib/slapd-modules/autogroup/autogroup.c (+164/-98)
contrib/slapd-modules/autogroup/slapo-autogroup.5 (+5/-2)
contrib/slapd-modules/ciboolean/Makefile (+1/-1)
contrib/slapd-modules/ciboolean/ciboolean.c (+1/-1)
contrib/slapd-modules/ciboolean/slapo-ciboolean.5 (+1/-1)
contrib/slapd-modules/ciboolean/tests/run (+1/-1)
contrib/slapd-modules/ciboolean/tests/scripts/test001-ciboolean (+1/-1)
contrib/slapd-modules/cloak/cloak.c (+1/-1)
contrib/slapd-modules/cloak/slapo-cloak.5 (+1/-1)
contrib/slapd-modules/comp_match/Makefile (+1/-1)
contrib/slapd-modules/datamorph/Makefile (+1/-1)
contrib/slapd-modules/datamorph/datamorph.c (+13/-13)
contrib/slapd-modules/datamorph/tests/run (+1/-1)
contrib/slapd-modules/datamorph/tests/scripts/all (+1/-1)
contrib/slapd-modules/datamorph/tests/scripts/common.sh (+1/-1)
contrib/slapd-modules/datamorph/tests/scripts/test001-config (+1/-1)
contrib/slapd-modules/datamorph/tests/scripts/test002-add-delete (+1/-1)
contrib/slapd-modules/datamorph/tests/scripts/test003-search (+1/-1)
contrib/slapd-modules/datamorph/tests/scripts/test004-compare (+1/-1)
contrib/slapd-modules/datamorph/tests/scripts/test005-modify (+1/-1)
contrib/slapd-modules/datamorph/tests/scripts/test006-modrdn (+1/-1)
contrib/slapd-modules/datamorph/tests/scripts/test007-transformed-replication (+1/-1)
contrib/slapd-modules/datamorph/tests/scripts/test008-ignored-replication (+1/-1)
contrib/slapd-modules/denyop/denyop.c (+1/-1)
contrib/slapd-modules/dsaschema/README (+1/-1)
contrib/slapd-modules/dsaschema/dsaschema.c (+1/-1)
contrib/slapd-modules/dupent/Makefile (+1/-1)
contrib/slapd-modules/dupent/dupent.c (+1/-1)
contrib/slapd-modules/emptyds/Makefile (+1/-1)
contrib/slapd-modules/emptyds/README (+1/-1)
contrib/slapd-modules/emptyds/emptyds.c (+1/-1)
contrib/slapd-modules/emptyds/slapo-emptyds.5 (+1/-1)
contrib/slapd-modules/emptyds/tests/data/emptyds.conf (+1/-1)
contrib/slapd-modules/emptyds/tests/run (+1/-1)
contrib/slapd-modules/emptyds/tests/scripts/all (+1/-1)
contrib/slapd-modules/emptyds/tests/scripts/test001-emptyds (+1/-1)
contrib/slapd-modules/kinit/README (+1/-1)
contrib/slapd-modules/kinit/kinit.c (+1/-1)
contrib/slapd-modules/lastmod/lastmod.c (+1/-1)
contrib/slapd-modules/lastmod/slapo-lastmod.5 (+1/-1)
contrib/slapd-modules/noopsrch/Makefile (+1/-1)
contrib/slapd-modules/noopsrch/noopsrch.c (+1/-1)
contrib/slapd-modules/nops/nops.c (+1/-1)
contrib/slapd-modules/nssov/Makefile (+1/-1)
contrib/slapd-modules/nssov/README (+1/-1)
contrib/slapd-modules/nssov/alias.c (+1/-1)
contrib/slapd-modules/nssov/ether.c (+1/-1)
contrib/slapd-modules/nssov/group.c (+1/-1)
contrib/slapd-modules/nssov/host.c (+1/-1)
contrib/slapd-modules/nssov/netgroup.c (+1/-1)
contrib/slapd-modules/nssov/network.c (+1/-1)
contrib/slapd-modules/nssov/nssov.c (+1/-1)
contrib/slapd-modules/nssov/nssov.h (+1/-1)
contrib/slapd-modules/nssov/pam.c (+1/-1)
contrib/slapd-modules/nssov/passwd.c (+1/-1)
contrib/slapd-modules/nssov/protocol.c (+1/-1)
contrib/slapd-modules/nssov/rpc.c (+1/-1)
contrib/slapd-modules/nssov/service.c (+1/-1)
contrib/slapd-modules/nssov/shadow.c (+1/-1)
contrib/slapd-modules/nssov/slapo-nssov.5 (+1/-1)
contrib/slapd-modules/passwd/README (+1/-1)
contrib/slapd-modules/passwd/kerberos.c (+1/-1)
contrib/slapd-modules/passwd/netscape.c (+1/-1)
contrib/slapd-modules/passwd/pbkdf2/README (+1/-1)
contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c (+1/-1)
contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5 (+1/-1)
contrib/slapd-modules/passwd/radius.c (+1/-1)
contrib/slapd-modules/passwd/sha2/README (+1/-1)
contrib/slapd-modules/passwd/sha2/slapd-pw-sha2.5 (+1/-1)
contrib/slapd-modules/passwd/sha2/slapd-sha2.c (+1/-1)
contrib/slapd-modules/passwd/slapd-pw-radius.5 (+1/-1)
contrib/slapd-modules/passwd/totp/README (+1/-1)
contrib/slapd-modules/passwd/totp/slapd-totp.c (+1/-1)
contrib/slapd-modules/passwd/totp/slapo-totp.5 (+1/-1)
contrib/slapd-modules/proxyOld/Makefile (+1/-1)
contrib/slapd-modules/proxyOld/README (+1/-1)
contrib/slapd-modules/proxyOld/proxyOld.c (+1/-1)
contrib/slapd-modules/rbac/rbac.c (+1/-1)
contrib/slapd-modules/rbac/rbac.h (+1/-1)
contrib/slapd-modules/samba4/Makefile (+1/-1)
contrib/slapd-modules/samba4/README (+1/-1)
contrib/slapd-modules/samba4/pguid.c (+1/-1)
contrib/slapd-modules/samba4/rdnval.c (+1/-1)
contrib/slapd-modules/samba4/vernum.c (+1/-1)
contrib/slapd-modules/smbk5pwd/Makefile (+1/-1)
contrib/slapd-modules/smbk5pwd/README (+1/-1)
contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 (+1/-1)
contrib/slapd-modules/smbk5pwd/smbk5pwd.c (+2/-1)
contrib/slapd-modules/trace/trace.c (+1/-1)
contrib/slapd-modules/usn/README (+1/-1)
contrib/slapd-modules/usn/usn.c (+1/-1)
contrib/slapd-modules/variant/Makefile (+1/-1)
contrib/slapd-modules/variant/tests/run (+1/-1)
contrib/slapd-modules/variant/tests/scripts/all (+1/-1)
contrib/slapd-modules/variant/tests/scripts/common.sh (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test001-config (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test002-add-delete (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test003-search (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test004-compare (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test005-modify (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test006-acl (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test007-subtypes (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test008-variant-replication (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test009-ignored-replication (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test010-limits (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test011-referral (+1/-1)
contrib/slapd-modules/variant/tests/scripts/test012-crossdb (+1/-1)
contrib/slapd-modules/variant/variant.c (+12/-12)
contrib/slapd-modules/vc/Makefile (+1/-1)
contrib/slapd-modules/vc/vc.c (+1/-1)
contrib/slapd-tools/README (+1/-1)
contrib/slapd-tools/statslog (+1/-1)
contrib/slapd-tools/wrap_slap_ops (+1/-1)
contrib/slapi-plugins/addrdnvalues/README (+1/-1)
contrib/slapi-plugins/addrdnvalues/addrdnvalues.c (+1/-1)
debian/changelog (+65/-0)
debian/patches/64-bit-time-t-compat.patch (+55/-55)
debian/patches/lp2125685-pbkdf2-configurable-rounds.patch (+92/-0)
debian/patches/lp2125685-pbkdf2-fix-iteration-arg.patch (+22/-0)
debian/patches/series (+2/-2)
debian/slapd.install (+1/-0)
debian/slapd.manpages (+2/-0)
dev/null (+0/-11498)
doc/Makefile.in (+1/-1)
doc/guide/admin/Makefile (+1/-1)
doc/guide/admin/README.spellcheck (+1/-1)
doc/guide/admin/abstract.sdf (+1/-1)
doc/guide/admin/access-control.sdf (+1/-1)
doc/guide/admin/admin.sdf (+1/-1)
doc/guide/admin/appendix-changes.sdf (+1/-1)
doc/guide/admin/appendix-common-errors.sdf (+1/-1)
doc/guide/admin/appendix-configs.sdf (+1/-1)
doc/guide/admin/appendix-contrib.sdf (+1/-1)
doc/guide/admin/appendix-deployments.sdf (+1/-1)
doc/guide/admin/appendix-ldap-result-codes.sdf (+1/-1)
doc/guide/admin/appendix-recommended-versions.sdf (+1/-1)
doc/guide/admin/appendix-upgrading.sdf (+1/-1)
doc/guide/admin/backends.sdf (+1/-1)
doc/guide/admin/booktitle.sdf (+1/-1)
doc/guide/admin/config.sdf (+1/-1)
doc/guide/admin/dbtools.sdf (+1/-1)
doc/guide/admin/glossary.sdf (+1/-1)
doc/guide/admin/guide.sdf (+1/-1)
doc/guide/admin/index.sdf (+1/-1)
doc/guide/admin/install.sdf (+1/-1)
doc/guide/admin/intro.sdf (+1/-1)
doc/guide/admin/limits.sdf (+1/-1)
doc/guide/admin/loadbalancer.sdf (+1/-1)
doc/guide/admin/maintenance.sdf (+1/-1)
doc/guide/admin/master.sdf (+1/-1)
doc/guide/admin/monitoringslapd.sdf (+1/-1)
doc/guide/admin/overlays.sdf (+1/-1)
doc/guide/admin/preface.sdf (+1/-1)
doc/guide/admin/quickstart.sdf (+1/-1)
doc/guide/admin/referrals.sdf (+1/-1)
doc/guide/admin/replication.sdf (+23/-4)
doc/guide/admin/runningslapd.sdf (+1/-1)
doc/guide/admin/sasl.sdf (+1/-1)
doc/guide/admin/schema.sdf (+1/-1)
doc/guide/admin/security.sdf (+1/-1)
doc/guide/admin/slapdconf2.sdf (+63/-62)
doc/guide/admin/slapdconfig.sdf (+1/-1)
doc/guide/admin/title.sdf (+1/-1)
doc/guide/admin/tls.sdf (+1/-1)
doc/guide/admin/troubleshooting.sdf (+1/-1)
doc/guide/admin/tuning.sdf (+1/-1)
doc/guide/images/src/README.fonts (+1/-1)
doc/guide/plain.sdf (+2/-2)
doc/guide/preamble.sdf (+3/-3)
doc/guide/release/copyright-plain.sdf (+1/-1)
doc/guide/release/copyright.sdf (+1/-1)
doc/guide/release/install.sdf (+1/-1)
doc/guide/release/license-plain.sdf (+1/-1)
doc/guide/release/license.sdf (+1/-1)
doc/man/Makefile.in (+1/-1)
doc/man/man1/Makefile.in (+1/-1)
doc/man/man1/ldapcompare.1 (+1/-1)
doc/man/man1/ldapdelete.1 (+1/-1)
doc/man/man1/ldapmodify.1 (+10/-1)
doc/man/man1/ldapmodrdn.1 (+1/-1)
doc/man/man1/ldappasswd.1 (+1/-1)
doc/man/man1/ldapsearch.1 (+1/-1)
doc/man/man1/ldapurl.1 (+1/-1)
doc/man/man1/ldapvc.1 (+1/-1)
doc/man/man1/ldapwhoami.1 (+1/-1)
doc/man/man3/Makefile.in (+1/-1)
doc/man/man3/lber-decode.3 (+1/-1)
doc/man/man3/lber-encode.3 (+1/-1)
doc/man/man3/lber-memory.3 (+1/-1)
doc/man/man3/lber-sockbuf.3 (+1/-1)
doc/man/man3/lber-types.3 (+1/-1)
doc/man/man3/ldap.3 (+1/-1)
doc/man/man3/ldap_abandon.3 (+1/-1)
doc/man/man3/ldap_add.3 (+1/-1)
doc/man/man3/ldap_bind.3 (+1/-1)
doc/man/man3/ldap_compare.3 (+1/-1)
doc/man/man3/ldap_controls.3 (+1/-1)
doc/man/man3/ldap_delete.3 (+1/-1)
doc/man/man3/ldap_dup.3 (+1/-1)
doc/man/man3/ldap_error.3 (+1/-1)
doc/man/man3/ldap_extended_operation.3 (+1/-1)
doc/man/man3/ldap_first_attribute.3 (+1/-1)
doc/man/man3/ldap_first_entry.3 (+1/-1)
doc/man/man3/ldap_first_message.3 (+1/-1)
doc/man/man3/ldap_first_reference.3 (+1/-1)
doc/man/man3/ldap_get_dn.3 (+1/-1)
doc/man/man3/ldap_get_option.3 (+1/-1)
doc/man/man3/ldap_get_values.3 (+1/-1)
doc/man/man3/ldap_memory.3 (+1/-1)
doc/man/man3/ldap_modify.3 (+1/-1)
doc/man/man3/ldap_modrdn.3 (+1/-1)
doc/man/man3/ldap_open.3 (+1/-1)
doc/man/man3/ldap_parse_reference.3 (+1/-1)
doc/man/man3/ldap_parse_result.3 (+1/-1)
doc/man/man3/ldap_parse_sort_control.3 (+1/-1)
doc/man/man3/ldap_parse_vlv_control.3 (+1/-1)
doc/man/man3/ldap_rename.3 (+1/-1)
doc/man/man3/ldap_result.3 (+1/-1)
doc/man/man3/ldap_schema.3 (+1/-1)
doc/man/man3/ldap_search.3 (+1/-1)
doc/man/man3/ldap_sort.3 (+1/-1)
doc/man/man3/ldap_sync.3 (+1/-1)
doc/man/man3/ldap_tls.3 (+1/-1)
doc/man/man3/ldap_url.3 (+1/-1)
doc/man/man5/Makefile.in (+1/-1)
doc/man/man5/ldap.conf.5 (+9/-7)
doc/man/man5/ldif.5 (+1/-1)
doc/man/man5/lloadd.conf.5 (+1/-1)
doc/man/man5/slapd-asyncmeta.5 (+1/-10)
doc/man/man5/slapd-config.5 (+19/-5)
doc/man/man5/slapd-dnssrv.5 (+1/-1)
doc/man/man5/slapd-ldap.5 (+1/-1)
doc/man/man5/slapd-ldif.5 (+1/-1)
doc/man/man5/slapd-mdb.5 (+1/-1)
doc/man/man5/slapd-meta.5 (+1/-1)
doc/man/man5/slapd-monitor.5 (+1/-1)
doc/man/man5/slapd-null.5 (+1/-1)
doc/man/man5/slapd-passwd.5 (+1/-1)
doc/man/man5/slapd-relay.5 (+1/-1)
doc/man/man5/slapd-sock.5 (+1/-1)
doc/man/man5/slapd-wt.5 (+1/-1)
doc/man/man5/slapd.access.5 (+1/-1)
doc/man/man5/slapd.backends.5 (+1/-1)
doc/man/man5/slapd.conf.5 (+2/-2)
doc/man/man5/slapd.overlays.5 (+1/-1)
doc/man/man5/slapd.plugin.5 (+1/-1)
doc/man/man5/slapo-accesslog.5 (+1/-1)
doc/man/man5/slapo-auditlog.5 (+1/-1)
doc/man/man5/slapo-autoca.5 (+1/-1)
doc/man/man5/slapo-chain.5 (+1/-1)
doc/man/man5/slapo-collect.5 (+1/-1)
doc/man/man5/slapo-constraint.5 (+1/-1)
doc/man/man5/slapo-dds.5 (+1/-1)
doc/man/man5/slapo-deref.5 (+1/-1)
doc/man/man5/slapo-dyngroup.5 (+1/-1)
doc/man/man5/slapo-dynlist.5 (+4/-1)
doc/man/man5/slapo-homedir.5 (+1/-1)
doc/man/man5/slapo-memberof.5 (+23/-9)
doc/man/man5/slapo-nestgroup.5 (+92/-0)
doc/man/man5/slapo-otp.5 (+1/-1)
doc/man/man5/slapo-pbind.5 (+1/-1)
doc/man/man5/slapo-pcache.5 (+1/-1)
doc/man/man5/slapo-ppolicy.5 (+1/-1)
doc/man/man5/slapo-refint.5 (+1/-1)
doc/man/man5/slapo-remoteauth.5 (+2/-2)
doc/man/man5/slapo-retcode.5 (+1/-1)
doc/man/man5/slapo-rwm.5 (+1/-1)
doc/man/man5/slapo-sssvlv.5 (+1/-1)
doc/man/man5/slapo-syncprov.5 (+1/-1)
doc/man/man5/slapo-translucent.5 (+1/-1)
doc/man/man5/slapo-unique.5 (+1/-1)
doc/man/man5/slapo-valsort.5 (+1/-1)
doc/man/man5/slappw-argon2.5 (+1/-1)
doc/man/man8/Makefile.in (+1/-1)
doc/man/man8/lloadd.8 (+1/-1)
doc/man/man8/slapacl.8 (+5/-5)
doc/man/man8/slapadd.8 (+1/-1)
doc/man/man8/slapauth.8 (+1/-1)
doc/man/man8/slapcat.8 (+1/-1)
doc/man/man8/slapd.8 (+1/-1)
doc/man/man8/slapdn.8 (+1/-1)
doc/man/man8/slapindex.8 (+1/-1)
doc/man/man8/slapmodify.8 (+1/-1)
doc/man/man8/slappasswd.8 (+1/-1)
doc/man/man8/slapschema.8 (+1/-1)
doc/man/man8/slaptest.8 (+1/-1)
include/Makefile.in (+1/-1)
include/ac/alloca.h (+1/-1)
include/ac/assert.h (+1/-1)
include/ac/bytes.h (+1/-1)
include/ac/crypt.h (+1/-1)
include/ac/ctype.h (+1/-1)
include/ac/dirent.h (+1/-1)
include/ac/errno.h (+1/-1)
include/ac/fdset.h (+1/-1)
include/ac/localize.h (+1/-1)
include/ac/param.h (+1/-1)
include/ac/regex.h (+1/-1)
include/ac/signal.h (+1/-1)
include/ac/socket.h (+1/-1)
include/ac/stdarg.h (+1/-1)
include/ac/stdlib.h (+1/-1)
include/ac/string.h (+1/-1)
include/ac/sysexits.h (+1/-1)
include/ac/syslog.h (+1/-1)
include/ac/termios.h (+1/-1)
include/ac/time.h (+1/-1)
include/ac/unistd.h (+1/-1)
include/ac/wait.h (+1/-1)
include/getopt-compat.h (+1/-1)
include/lber.h (+1/-1)
include/lber_pvt.h (+1/-1)
include/lber_types.hin (+1/-1)
include/ldap.h (+1/-1)
include/ldap_avl.h (+1/-1)
include/ldap_cdefs.h (+1/-1)
include/ldap_config.hin (+1/-1)
include/ldap_defaults.h (+1/-1)
include/ldap_features.hin (+1/-1)
include/ldap_int_thread.h (+1/-1)
include/ldap_log.h (+1/-1)
include/ldap_pvt.h (+1/-1)
include/ldap_pvt_thread.h (+1/-1)
include/ldap_pvt_uc.h (+1/-1)
include/ldap_queue.h (+1/-1)
include/ldap_rq.h (+1/-1)
include/ldap_schema.h (+1/-1)
include/ldap_utf8.h (+1/-1)
include/ldif.h (+1/-1)
include/lutil.h (+1/-1)
include/lutil_hash.h (+1/-1)
include/lutil_ldap.h (+1/-1)
include/lutil_lockf.h (+1/-1)
include/lutil_md5.h (+1/-1)
include/lutil_sha1.h (+1/-1)
include/openldap.h (+1/-1)
include/portable.hin (+10/-2)
include/rewrite.h (+1/-1)
include/sd-notify.h (+64/-0)
include/slapi-plugin.h (+1/-1)
include/sysexits-compat.h (+1/-1)
libraries/Makefile.in (+1/-1)
libraries/liblber/Makefile.in (+1/-1)
libraries/liblber/assert.c (+1/-1)
libraries/liblber/bprint.c (+1/-1)
libraries/liblber/debug.c (+1/-1)
libraries/liblber/decode.c (+1/-1)
libraries/liblber/dtest.c (+1/-1)
libraries/liblber/encode.c (+1/-1)
libraries/liblber/etest.c (+1/-1)
libraries/liblber/idtest.c (+1/-1)
libraries/liblber/io.c (+1/-1)
libraries/liblber/lber-int.h (+1/-1)
libraries/liblber/memory.c (+1/-1)
libraries/liblber/nt_err.c (+1/-1)
libraries/liblber/options.c (+1/-1)
libraries/liblber/sockbuf.c (+1/-1)
libraries/liblber/stdio.c (+1/-1)
libraries/libldap/Makefile.in (+1/-1)
libraries/libldap/abandon.c (+1/-1)
libraries/libldap/account_usability.c (+1/-1)
libraries/libldap/add.c (+1/-1)
libraries/libldap/addentry.c (+1/-1)
libraries/libldap/apitest.c (+1/-1)
libraries/libldap/assertion.c (+1/-1)
libraries/libldap/avl.c (+1/-1)
libraries/libldap/bind.c (+1/-1)
libraries/libldap/cancel.c (+1/-1)
libraries/libldap/charray.c (+1/-1)
libraries/libldap/compare.c (+1/-1)
libraries/libldap/controls.c (+1/-1)
libraries/libldap/cyrus.c (+1/-1)
libraries/libldap/dds.c (+1/-1)
libraries/libldap/delete.c (+1/-1)
libraries/libldap/deref.c (+1/-1)
libraries/libldap/dnssrv.c (+1/-1)
libraries/libldap/dntest.c (+1/-1)
libraries/libldap/error.c (+20/-1)
libraries/libldap/extended.c (+1/-1)
libraries/libldap/fetch.c (+1/-1)
libraries/libldap/filter.c (+1/-1)
libraries/libldap/free.c (+1/-1)
libraries/libldap/ftest.c (+1/-1)
libraries/libldap/getattr.c (+1/-1)
libraries/libldap/getdn.c (+1/-1)
libraries/libldap/getentry.c (+1/-1)
libraries/libldap/getvalues.c (+1/-1)
libraries/libldap/init.c (+4/-1)
libraries/libldap/lbase64.c (+1/-1)
libraries/libldap/ldap-int.h (+2/-1)
libraries/libldap/ldap-tls.h (+1/-1)
libraries/libldap/ldap_sync.c (+1/-1)
libraries/libldap/ldap_thr_debug.h (+1/-1)
libraries/libldap/ldif.c (+1/-1)
libraries/libldap/ldifutil.c (+23/-7)
libraries/libldap/messages.c (+1/-1)
libraries/libldap/modify.c (+1/-1)
libraries/libldap/modrdn.c (+1/-1)
libraries/libldap/msctrl.c (+1/-1)
libraries/libldap/open.c (+1/-1)
libraries/libldap/options.c (+1/-1)
libraries/libldap/os-ip.c (+1/-1)
libraries/libldap/os-local.c (+1/-1)
libraries/libldap/pagectrl.c (+1/-1)
libraries/libldap/passwd.c (+1/-1)
libraries/libldap/ppolicy.c (+1/-1)
libraries/libldap/print.c (+1/-1)
libraries/libldap/psearchctrl.c (+1/-1)
libraries/libldap/rdwr.c (+1/-1)
libraries/libldap/references.c (+1/-1)
libraries/libldap/request.c (+1/-1)
libraries/libldap/result.c (+68/-3)
libraries/libldap/rq.c (+1/-1)
libraries/libldap/sasl.c (+1/-1)
libraries/libldap/sbind.c (+1/-1)
libraries/libldap/schema.c (+1/-1)
libraries/libldap/search.c (+1/-1)
libraries/libldap/sort.c (+1/-1)
libraries/libldap/sortctrl.c (+1/-1)
libraries/libldap/stctrl.c (+1/-1)
libraries/libldap/string.c (+1/-1)
libraries/libldap/t61.c (+1/-1)
libraries/libldap/tavl.c (+1/-1)
libraries/libldap/test.c (+1/-1)
libraries/libldap/testavl.c (+1/-1)
libraries/libldap/testtavl.c (+1/-1)
libraries/libldap/thr_debug.c (+1/-1)
libraries/libldap/thr_nt.c (+1/-1)
libraries/libldap/thr_posix.c (+1/-1)
libraries/libldap/thr_pth.c (+1/-1)
libraries/libldap/thr_thr.c (+1/-1)
libraries/libldap/threads.c (+1/-1)
libraries/libldap/tls2.c (+19/-15)
libraries/libldap/tls_g.c (+5/-4)
libraries/libldap/tls_o.c (+37/-13)
libraries/libldap/tpool.c (+1/-1)
libraries/libldap/turn.c (+1/-1)
libraries/libldap/txn.c (+1/-1)
libraries/libldap/unbind.c (+1/-1)
libraries/libldap/url.c (+1/-1)
libraries/libldap/urltest.c (+1/-1)
libraries/libldap/utf-8-conv.c (+1/-1)
libraries/libldap/utf-8.c (+1/-1)
libraries/libldap/util-int.c (+1/-1)
libraries/libldap/vc.c (+1/-1)
libraries/libldap/vlvctrl.c (+1/-1)
libraries/libldap/whoami.c (+1/-1)
libraries/liblmdb/CHANGES (+5/-0)
libraries/liblmdb/lmdb.h (+2/-2)
libraries/liblmdb/mdb.c (+8/-3)
libraries/liblmdb/midl.c (+1/-1)
libraries/liblmdb/midl.h (+1/-1)
libraries/liblunicode/Makefile.in (+1/-1)
libraries/liblunicode/ucdata/ucdata.c (+1/-1)
libraries/liblunicode/ucdata/ucdata.h (+1/-1)
libraries/liblunicode/ucdata/ucgendat.c (+1/-1)
libraries/liblunicode/ucdata/ucpgba.c (+1/-1)
libraries/liblunicode/ucdata/ucpgba.h (+1/-1)
libraries/liblunicode/ucstr.c (+1/-1)
libraries/liblunicode/ure/ure.c (+1/-1)
libraries/liblunicode/ure/ure.h (+1/-1)
libraries/liblunicode/ure/urestubs.c (+1/-1)
libraries/liblunicode/utbm/utbm.c (+1/-1)
libraries/liblunicode/utbm/utbm.h (+1/-1)
libraries/liblunicode/utbm/utbmstub.c (+1/-1)
libraries/liblutil/Makefile.in (+1/-1)
libraries/liblutil/base64.c (+1/-1)
libraries/liblutil/detach.c (+1/-1)
libraries/liblutil/entropy.c (+1/-1)
libraries/liblutil/getopt.c (+1/-1)
libraries/liblutil/getpass.c (+1/-1)
libraries/liblutil/getpeereid.c (+1/-1)
libraries/liblutil/hash.c (+1/-1)
libraries/liblutil/lockf.c (+1/-1)
libraries/liblutil/md5.c (+1/-1)
libraries/liblutil/memcmp.c (+1/-1)
libraries/liblutil/ntservice.c (+1/-1)
libraries/liblutil/passfile.c (+1/-1)
libraries/liblutil/passwd.c (+1/-1)
libraries/liblutil/ptest.c (+1/-1)
libraries/liblutil/sasl.c (+1/-1)
libraries/liblutil/sha1.c (+1/-1)
libraries/liblutil/signal.c (+1/-1)
libraries/liblutil/sockpair.c (+1/-1)
libraries/liblutil/utils.c (+1/-1)
libraries/liblutil/uuid.c (+1/-1)
libraries/librewrite/Makefile.in (+1/-1)
libraries/librewrite/config.c (+1/-1)
libraries/librewrite/context.c (+1/-1)
libraries/librewrite/escapemap.c (+1/-1)
libraries/librewrite/info.c (+1/-1)
libraries/librewrite/ldapmap.c (+1/-1)
libraries/librewrite/map.c (+1/-1)
libraries/librewrite/params.c (+1/-1)
libraries/librewrite/parse.c (+1/-1)
libraries/librewrite/rewrite-int.h (+1/-1)
libraries/librewrite/rewrite-map.h (+1/-1)
libraries/librewrite/rewrite.c (+1/-1)
libraries/librewrite/rule.c (+1/-1)
libraries/librewrite/session.c (+1/-1)
libraries/librewrite/subst.c (+7/-7)
libraries/librewrite/var.c (+1/-1)
libraries/librewrite/xmap.c (+1/-1)
servers/Makefile.in (+1/-1)
servers/lloadd/Makefile.in (+1/-1)
servers/lloadd/Makefile_module.in (+1/-1)
servers/lloadd/Makefile_server.in (+1/-3)
servers/lloadd/backend.c (+1/-1)
servers/lloadd/bind.c (+1/-1)
servers/lloadd/client.c (+1/-1)
servers/lloadd/config.c (+5/-1)
servers/lloadd/connection.c (+1/-1)
servers/lloadd/daemon.c (+3/-3)
servers/lloadd/epoch.c (+1/-1)
servers/lloadd/epoch.h (+1/-1)
servers/lloadd/extended.c (+1/-1)
servers/lloadd/init.c (+1/-1)
servers/lloadd/libevent_support.c (+1/-1)
servers/lloadd/lload-config.h (+1/-1)
servers/lloadd/lload.h (+1/-1)
servers/lloadd/main.c (+1/-1)
servers/lloadd/module_init.c (+1/-1)
servers/lloadd/monitor.c (+1/-1)
servers/lloadd/operation.c (+1/-1)
servers/lloadd/proto-lload.h (+1/-1)
servers/lloadd/tier.c (+1/-1)
servers/lloadd/tier_bestof.c (+1/-1)
servers/lloadd/tier_roundrobin.c (+1/-1)
servers/lloadd/tier_weighted.c (+1/-1)
servers/lloadd/upstream.c (+1/-1)
servers/lloadd/value.c (+1/-1)
servers/slapd/Makefile.in (+1/-1)
servers/slapd/abandon.c (+1/-1)
servers/slapd/aci.c (+1/-1)
servers/slapd/acl.c (+1/-1)
servers/slapd/aclparse.c (+1/-1)
servers/slapd/ad.c (+1/-1)
servers/slapd/add.c (+1/-1)
servers/slapd/at.c (+1/-1)
servers/slapd/attr.c (+1/-1)
servers/slapd/ava.c (+1/-1)
servers/slapd/back-asyncmeta/Makefile.in (+1/-1)
servers/slapd/back-asyncmeta/add.c (+1/-1)
servers/slapd/back-asyncmeta/back-asyncmeta.h (+8/-1)
servers/slapd/back-asyncmeta/bind.c (+20/-6)
servers/slapd/back-asyncmeta/candidates.c (+1/-1)
servers/slapd/back-asyncmeta/compare.c (+1/-1)
servers/slapd/back-asyncmeta/config.c (+58/-45)
servers/slapd/back-asyncmeta/conn.c (+1/-1)
servers/slapd/back-asyncmeta/delete.c (+1/-1)
servers/slapd/back-asyncmeta/dncache.c (+1/-1)
servers/slapd/back-asyncmeta/init.c (+56/-50)
servers/slapd/back-asyncmeta/map.c (+1/-1)
servers/slapd/back-asyncmeta/message_queue.c (+1/-1)
servers/slapd/back-asyncmeta/meta_result.c (+18/-1)
servers/slapd/back-asyncmeta/modify.c (+1/-1)
servers/slapd/back-asyncmeta/modrdn.c (+1/-1)
servers/slapd/back-asyncmeta/proto-asyncmeta.h (+1/-1)
servers/slapd/back-asyncmeta/search.c (+1/-1)
servers/slapd/back-dnssrv/Makefile.in (+1/-1)
servers/slapd/back-dnssrv/bind.c (+1/-1)
servers/slapd/back-dnssrv/compare.c (+1/-1)
servers/slapd/back-dnssrv/config.c (+1/-1)
servers/slapd/back-dnssrv/init.c (+1/-1)
servers/slapd/back-dnssrv/proto-dnssrv.h (+1/-1)
servers/slapd/back-dnssrv/referral.c (+1/-1)
servers/slapd/back-dnssrv/search.c (+1/-1)
servers/slapd/back-ldap/Makefile.in (+1/-1)
servers/slapd/back-ldap/add.c (+2/-2)
servers/slapd/back-ldap/back-ldap.h (+1/-1)
servers/slapd/back-ldap/bind.c (+6/-6)
servers/slapd/back-ldap/chain.c (+1/-1)
servers/slapd/back-ldap/compare.c (+2/-2)
servers/slapd/back-ldap/config.c (+1/-1)
servers/slapd/back-ldap/delete.c (+2/-2)
servers/slapd/back-ldap/distproc.c (+1/-1)
servers/slapd/back-ldap/extended.c (+3/-3)
servers/slapd/back-ldap/init.c (+1/-1)
servers/slapd/back-ldap/modify.c (+2/-2)
servers/slapd/back-ldap/modrdn.c (+2/-2)
servers/slapd/back-ldap/monitor.c (+1/-1)
servers/slapd/back-ldap/pbind.c (+1/-1)
servers/slapd/back-ldap/proto-ldap.h (+1/-1)
servers/slapd/back-ldap/search.c (+2/-2)
servers/slapd/back-ldap/unbind.c (+1/-1)
servers/slapd/back-ldif/Makefile.in (+1/-1)
servers/slapd/back-ldif/ldif.c (+72/-23)
servers/slapd/back-mdb/Makefile.in (+1/-1)
servers/slapd/back-mdb/add.c (+1/-1)
servers/slapd/back-mdb/attr.c (+4/-1)
servers/slapd/back-mdb/back-mdb.h (+1/-1)
servers/slapd/back-mdb/bind.c (+1/-1)
servers/slapd/back-mdb/compare.c (+1/-1)
servers/slapd/back-mdb/config.c (+4/-1)
servers/slapd/back-mdb/delete.c (+12/-11)
servers/slapd/back-mdb/dn2entry.c (+1/-1)
servers/slapd/back-mdb/dn2id.c (+1/-1)
servers/slapd/back-mdb/extended.c (+1/-1)
servers/slapd/back-mdb/filterindex.c (+1/-1)
servers/slapd/back-mdb/id2entry.c (+1/-1)
servers/slapd/back-mdb/idl.c (+4/-2)
servers/slapd/back-mdb/idl.h (+1/-1)
servers/slapd/back-mdb/index.c (+1/-1)
servers/slapd/back-mdb/init.c (+1/-1)
servers/slapd/back-mdb/key.c (+1/-1)
servers/slapd/back-mdb/modify.c (+1/-1)
servers/slapd/back-mdb/modrdn.c (+1/-1)
servers/slapd/back-mdb/monitor.c (+1/-1)
servers/slapd/back-mdb/nextid.c (+1/-1)
servers/slapd/back-mdb/operational.c (+1/-1)
servers/slapd/back-mdb/proto-mdb.h (+1/-1)
servers/slapd/back-mdb/referral.c (+1/-1)
servers/slapd/back-mdb/search.c (+1/-1)
servers/slapd/back-mdb/tools.c (+3/-2)
servers/slapd/back-meta/Makefile.in (+1/-1)
servers/slapd/back-meta/add.c (+8/-6)
servers/slapd/back-meta/back-meta.h (+12/-5)
servers/slapd/back-meta/bind.c (+9/-10)
servers/slapd/back-meta/candidates.c (+3/-3)
servers/slapd/back-meta/compare.c (+8/-4)
servers/slapd/back-meta/config.c (+39/-36)
servers/slapd/back-meta/conn.c (+10/-60)
servers/slapd/back-meta/delete.c (+8/-4)
servers/slapd/back-meta/dncache.c (+1/-1)
servers/slapd/back-meta/init.c (+4/-4)
servers/slapd/back-meta/map.c (+1/-1)
servers/slapd/back-meta/modify.c (+8/-4)
servers/slapd/back-meta/modrdn.c (+8/-4)
servers/slapd/back-meta/proto-meta.h (+1/-1)
servers/slapd/back-meta/search.c (+6/-6)
servers/slapd/back-meta/suffixmassage.c (+1/-1)
servers/slapd/back-meta/unbind.c (+1/-1)
servers/slapd/back-monitor/Makefile.in (+1/-1)
servers/slapd/back-monitor/back-monitor.h (+1/-1)
servers/slapd/back-monitor/backend.c (+1/-1)
servers/slapd/back-monitor/bind.c (+1/-1)
servers/slapd/back-monitor/cache.c (+1/-1)
servers/slapd/back-monitor/compare.c (+1/-1)
servers/slapd/back-monitor/conn.c (+1/-1)
servers/slapd/back-monitor/database.c (+1/-1)
servers/slapd/back-monitor/entry.c (+1/-1)
servers/slapd/back-monitor/init.c (+1/-1)
servers/slapd/back-monitor/listener.c (+1/-1)
servers/slapd/back-monitor/log.c (+1/-1)
servers/slapd/back-monitor/modify.c (+1/-1)
servers/slapd/back-monitor/operation.c (+1/-1)
servers/slapd/back-monitor/operational.c (+1/-1)
servers/slapd/back-monitor/overlay.c (+1/-1)
servers/slapd/back-monitor/proto-back-monitor.h (+1/-1)
servers/slapd/back-monitor/rww.c (+1/-1)
servers/slapd/back-monitor/search.c (+1/-1)
servers/slapd/back-monitor/sent.c (+1/-1)
servers/slapd/back-monitor/thread.c (+1/-1)
servers/slapd/back-monitor/time.c (+1/-1)
servers/slapd/back-null/Makefile.in (+1/-1)
servers/slapd/back-null/null.c (+1/-1)
servers/slapd/back-passwd/Makefile.in (+1/-1)
servers/slapd/back-passwd/back-passwd.h (+1/-1)
servers/slapd/back-passwd/config.c (+1/-1)
servers/slapd/back-passwd/init.c (+1/-1)
servers/slapd/back-passwd/proto-passwd.h (+1/-1)
servers/slapd/back-passwd/search.c (+1/-1)
servers/slapd/back-perl/Makefile.in (+1/-1)
servers/slapd/back-perl/SampleLDAP.pm (+1/-1)
servers/slapd/back-perl/add.c (+1/-1)
servers/slapd/back-perl/asperl_undefs.h (+1/-1)
servers/slapd/back-perl/bind.c (+1/-1)
servers/slapd/back-perl/close.c (+1/-1)
servers/slapd/back-perl/compare.c (+1/-1)
servers/slapd/back-perl/config.c (+1/-1)
servers/slapd/back-perl/delete.c (+1/-1)
servers/slapd/back-perl/init.c (+1/-1)
servers/slapd/back-perl/modify.c (+1/-1)
servers/slapd/back-perl/modrdn.c (+1/-1)
servers/slapd/back-perl/perl_back.h (+1/-1)
servers/slapd/back-perl/proto-perl.h (+1/-1)
servers/slapd/back-perl/search.c (+1/-1)
servers/slapd/back-relay/Makefile.in (+1/-1)
servers/slapd/back-relay/back-relay.h (+1/-1)
servers/slapd/back-relay/init.c (+1/-1)
servers/slapd/back-relay/op.c (+1/-1)
servers/slapd/back-relay/proto-back-relay.h (+1/-1)
servers/slapd/back-sock/Makefile.in (+1/-1)
servers/slapd/back-sock/add.c (+1/-1)
servers/slapd/back-sock/back-sock.h (+1/-1)
servers/slapd/back-sock/bind.c (+1/-1)
servers/slapd/back-sock/compare.c (+1/-1)
servers/slapd/back-sock/config.c (+1/-1)
servers/slapd/back-sock/delete.c (+1/-1)
servers/slapd/back-sock/extended.c (+1/-1)
servers/slapd/back-sock/init.c (+1/-1)
servers/slapd/back-sock/modify.c (+1/-1)
servers/slapd/back-sock/modrdn.c (+1/-1)
servers/slapd/back-sock/opensock.c (+1/-1)
servers/slapd/back-sock/proto-sock.h (+1/-1)
servers/slapd/back-sock/result.c (+1/-1)
servers/slapd/back-sock/search.c (+1/-1)
servers/slapd/back-sock/searchexample.conf (+1/-1)
servers/slapd/back-sock/searchexample.pl (+1/-1)
servers/slapd/back-sock/unbind.c (+1/-1)
servers/slapd/back-sql/Makefile.in (+1/-1)
servers/slapd/back-sql/add.c (+1/-1)
servers/slapd/back-sql/api.c (+1/-1)
servers/slapd/back-sql/back-sql.h (+1/-1)
servers/slapd/back-sql/bind.c (+1/-1)
servers/slapd/back-sql/compare.c (+1/-1)
servers/slapd/back-sql/config.c (+1/-1)
servers/slapd/back-sql/delete.c (+1/-1)
servers/slapd/back-sql/entry-id.c (+1/-1)
servers/slapd/back-sql/init.c (+1/-1)
servers/slapd/back-sql/modify.c (+1/-1)
servers/slapd/back-sql/modrdn.c (+1/-1)
servers/slapd/back-sql/operational.c (+1/-1)
servers/slapd/back-sql/proto-sql.h (+1/-1)
servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/Makefile (+1/-1)
servers/slapd/back-sql/rdbms_depend/timesten/dnreverse/dnreverse.cpp (+1/-1)
servers/slapd/back-sql/schema-map.c (+1/-1)
servers/slapd/back-sql/search.c (+1/-1)
servers/slapd/back-sql/sql-wrap.c (+1/-1)
servers/slapd/back-sql/util.c (+1/-1)
servers/slapd/back-wt/Makefile.in (+1/-1)
servers/slapd/back-wt/add.c (+1/-1)
servers/slapd/back-wt/attr.c (+1/-1)
servers/slapd/back-wt/back-wt.h (+1/-1)
servers/slapd/back-wt/bind.c (+1/-1)
servers/slapd/back-wt/cache.c (+1/-1)
servers/slapd/back-wt/compare.c (+1/-1)
servers/slapd/back-wt/config.c (+1/-1)
servers/slapd/back-wt/ctx.c (+1/-1)
servers/slapd/back-wt/delete.c (+1/-1)
servers/slapd/back-wt/dn2entry.c (+1/-1)
servers/slapd/back-wt/dn2id.c (+1/-1)
servers/slapd/back-wt/extended.c (+1/-1)
servers/slapd/back-wt/filterindex.c (+1/-1)
servers/slapd/back-wt/id2entry.c (+3/-2)
servers/slapd/back-wt/idl.c (+6/-7)
servers/slapd/back-wt/idl.h (+1/-1)
servers/slapd/back-wt/index.c (+1/-1)
servers/slapd/back-wt/init.c (+1/-1)
servers/slapd/back-wt/key.c (+1/-1)
servers/slapd/back-wt/modify.c (+1/-1)
servers/slapd/back-wt/modrdn.c (+1/-1)
servers/slapd/back-wt/nextid.c (+1/-1)
servers/slapd/back-wt/operational.c (+1/-1)
servers/slapd/back-wt/proto-wt.h (+1/-1)
servers/slapd/back-wt/search.c (+2/-2)
servers/slapd/back-wt/tools.c (+1/-1)
servers/slapd/backend.c (+1/-1)
servers/slapd/backglue.c (+1/-1)
servers/slapd/backover.c (+1/-1)
servers/slapd/bconfig.c (+126/-32)
servers/slapd/bind.c (+1/-1)
servers/slapd/cancel.c (+1/-1)
servers/slapd/ch_malloc.c (+1/-1)
servers/slapd/compare.c (+1/-1)
servers/slapd/component.c (+1/-1)
servers/slapd/component.h (+1/-1)
servers/slapd/config.c (+2/-2)
servers/slapd/connection.c (+1/-1)
servers/slapd/controls.c (+1/-1)
servers/slapd/cr.c (+1/-1)
servers/slapd/ctxcsn.c (+1/-1)
servers/slapd/daemon.c (+5/-5)
servers/slapd/delete.c (+1/-1)
servers/slapd/dn.c (+1/-1)
servers/slapd/entry.c (+1/-1)
servers/slapd/extended.c (+1/-1)
servers/slapd/filter.c (+1/-1)
servers/slapd/filterentry.c (+1/-1)
servers/slapd/frontend.c (+1/-1)
servers/slapd/globals.c (+1/-1)
servers/slapd/index.c (+1/-1)
servers/slapd/init.c (+1/-1)
servers/slapd/ldapsync.c (+1/-1)
servers/slapd/limits.c (+1/-1)
servers/slapd/lock.c (+1/-1)
servers/slapd/logging.c (+78/-16)
servers/slapd/main.c (+1/-1)
servers/slapd/matchedValues.c (+1/-1)
servers/slapd/modify.c (+1/-1)
servers/slapd/modrdn.c (+1/-1)
servers/slapd/mods.c (+1/-1)
servers/slapd/module.c (+1/-1)
servers/slapd/mr.c (+1/-1)
servers/slapd/mra.c (+1/-1)
servers/slapd/nt_svc.c (+1/-1)
servers/slapd/oc.c (+1/-1)
servers/slapd/oidm.c (+1/-1)
servers/slapd/operation.c (+1/-1)
servers/slapd/operational.c (+1/-1)
servers/slapd/overlays/Makefile.in (+5/-1)
servers/slapd/overlays/accesslog.c (+8/-2)
servers/slapd/overlays/auditlog.c (+1/-1)
servers/slapd/overlays/autoca.c (+2/-1)
servers/slapd/overlays/collect.c (+1/-1)
servers/slapd/overlays/constraint.c (+2/-1)
servers/slapd/overlays/dds.c (+1/-1)
servers/slapd/overlays/deref.c (+1/-1)
servers/slapd/overlays/dyngroup.c (+2/-2)
servers/slapd/overlays/dynlist.c (+4/-1)
servers/slapd/overlays/homedir.c (+1/-1)
servers/slapd/overlays/memberof.c (+129/-8)
servers/slapd/overlays/nestgroup.c (+909/-0)
servers/slapd/overlays/otp.c (+1/-1)
servers/slapd/overlays/overlays.c (+1/-1)
servers/slapd/overlays/pcache.c (+9/-3)
servers/slapd/overlays/ppolicy.c (+1/-1)
servers/slapd/overlays/refint.c (+2/-1)
servers/slapd/overlays/remoteauth.c (+1/-1)
servers/slapd/overlays/retcode.c (+1/-1)
servers/slapd/overlays/rwm.c (+1/-1)
servers/slapd/overlays/rwm.h (+1/-1)
servers/slapd/overlays/rwmconf.c (+1/-1)
servers/slapd/overlays/rwmdn.c (+1/-1)
servers/slapd/overlays/rwmmap.c (+1/-1)
servers/slapd/overlays/seqmod.c (+1/-1)
servers/slapd/overlays/sssvlv.c (+1/-1)
servers/slapd/overlays/syncprov.c (+5/-5)
servers/slapd/overlays/translucent.c (+5/-4)
servers/slapd/overlays/unique.c (+1/-1)
servers/slapd/overlays/valsort.c (+2/-2)
servers/slapd/passwd.c (+1/-1)
servers/slapd/phonetic.c (+1/-1)
servers/slapd/proto-slap.h (+1/-1)
servers/slapd/proxyp.c (+1/-1)
servers/slapd/pwmods/Makefile.in (+1/-1)
servers/slapd/pwmods/README.argon2 (+1/-1)
servers/slapd/pwmods/argon2.c (+6/-6)
servers/slapd/referral.c (+1/-1)
servers/slapd/result.c (+1/-1)
servers/slapd/root_dse.c (+1/-1)
servers/slapd/sasl.c (+1/-1)
servers/slapd/saslauthz.c (+1/-1)
servers/slapd/schema.c (+1/-1)
servers/slapd/schema/README (+1/-1)
servers/slapd/schema/collective.ldif (+1/-1)
servers/slapd/schema/corba.ldif (+1/-1)
servers/slapd/schema/cosine.ldif (+1/-1)
servers/slapd/schema/dsee.ldif (+1/-1)
servers/slapd/schema/dsee.schema (+1/-1)
servers/slapd/schema/duaconf.ldif (+1/-1)
servers/slapd/schema/dyngroup.ldif (+1/-1)
servers/slapd/schema/dyngroup.schema (+1/-1)
servers/slapd/schema/inetorgperson.ldif (+1/-1)
servers/slapd/schema/java.ldif (+1/-1)
servers/slapd/schema/misc.ldif (+1/-1)
servers/slapd/schema/misc.schema (+1/-1)
servers/slapd/schema/msuser.ldif (+1/-1)
servers/slapd/schema/msuser.schema (+1/-1)
servers/slapd/schema/namedobject.ldif (+1/-1)
servers/slapd/schema/nis.ldif (+1/-1)
servers/slapd/schema/nis.schema (+1/-1)
servers/slapd/schema/openldap.ldif (+1/-1)
servers/slapd/schema/openldap.schema (+1/-1)
servers/slapd/schema/pmi.ldif (+1/-1)
servers/slapd/schema_check.c (+1/-1)
servers/slapd/schema_init.c (+1/-1)
servers/slapd/schema_prep.c (+1/-1)
servers/slapd/schemaparse.c (+1/-1)
servers/slapd/search.c (+1/-1)
servers/slapd/sets.c (+1/-1)
servers/slapd/sets.h (+1/-1)
servers/slapd/sl_malloc.c (+1/-1)
servers/slapd/slap-cfglog.h (+1/-1)
servers/slapd/slap-config.h (+1/-1)
servers/slapd/slap.h (+1/-1)
servers/slapd/slapacl.c (+15/-1)
servers/slapd/slapadd.c (+3/-2)
servers/slapd/slapauth.c (+1/-1)
servers/slapd/slapcat.c (+1/-1)
servers/slapd/slapcommon.c (+21/-1)
servers/slapd/slapcommon.h (+1/-1)
servers/slapd/slapdn.c (+1/-1)
servers/slapd/slapi/Makefile.in (+1/-1)
servers/slapd/slapi/plugin.c (+2/-2)
servers/slapd/slapi/printmsg.c (+1/-1)
servers/slapd/slapi/proto-slapi.h (+1/-1)
servers/slapd/slapi/slapi.h (+1/-1)
servers/slapd/slapi/slapi_dn.c (+1/-1)
servers/slapd/slapi/slapi_ext.c (+1/-1)
servers/slapd/slapi/slapi_ops.c (+1/-1)
servers/slapd/slapi/slapi_overlay.c (+1/-1)
servers/slapd/slapi/slapi_pblock.c (+1/-1)
servers/slapd/slapi/slapi_utils.c (+1/-1)
servers/slapd/slapindex.c (+1/-1)
servers/slapd/slapmodify.c (+1/-1)
servers/slapd/slappasswd.c (+1/-1)
servers/slapd/slapschema.c (+1/-1)
servers/slapd/slaptest.c (+1/-1)
servers/slapd/starttls.c (+1/-1)
servers/slapd/str2filter.c (+1/-1)
servers/slapd/syncrepl.c (+20/-14)
servers/slapd/syntax.c (+1/-1)
servers/slapd/txn.c (+1/-1)
servers/slapd/unbind.c (+1/-1)
servers/slapd/user.c (+1/-1)
servers/slapd/value.c (+1/-1)
servers/slapd/verbs.c (+1/-1)
servers/slapd/zn_malloc.c (+1/-1)
tests/Makefile.in (+1/-1)
tests/data/ditcontentrules.conf (+1/-1)
tests/data/lloadd-anon.conf (+1/-1)
tests/data/lloadd-backend-issues.conf (+1/-1)
tests/data/lloadd-empty.conf (+1/-1)
tests/data/lloadd-sasl.conf (+1/-1)
tests/data/lloadd-tls.conf (+1/-1)
tests/data/lloadd.conf (+1/-1)
tests/data/memberof.out (+64/-0)
tests/data/nestgroup.out.1 (+416/-0)
tests/data/nestgroup.out.2 (+628/-0)
tests/data/regressions/its10248/its10248 (+205/-0)
tests/data/regressions/its10248/slapd-local.conf (+77/-0)
tests/data/regressions/its10248/subuser.ldif (+6/-0)
tests/data/regressions/its4184/its4184 (+1/-1)
tests/data/regressions/its4326/its4326 (+1/-1)
tests/data/regressions/its4326/slapd.conf (+1/-1)
tests/data/regressions/its4336/its4336 (+1/-1)
tests/data/regressions/its4336/slapd.conf (+1/-1)
tests/data/regressions/its4448/its4448 (+1/-1)
tests/data/regressions/its4448/slapd-meta.conf (+1/-1)
tests/data/regressions/its6794/its6794 (+1/-1)
tests/data/regressions/its6794/slapd-glue.conf (+1/-1)
tests/data/regressions/its7573/its7573 (+1/-1)
tests/data/regressions/its8427/its8427 (+1/-1)
tests/data/regressions/its8427/its8427-2 (+1/-1)
tests/data/regressions/its8427/slapd.conf (+1/-1)
tests/data/regressions/its8444/its8444 (+1/-1)
tests/data/regressions/its8521/its8521 (+1/-1)
tests/data/regressions/its8616/its8616 (+1/-1)
tests/data/regressions/its8663/its8663 (+1/-1)
tests/data/regressions/its8667/its8667 (+1/-1)
tests/data/regressions/its8721/its8721 (+1/-1)
tests/data/regressions/its8721/slapd-backend.conf (+1/-1)
tests/data/regressions/its8721/slapd-proxy.conf (+1/-1)
tests/data/regressions/its8752/its8752 (+1/-1)
tests/data/regressions/its8752/slapd.conf (+1/-1)
tests/data/regressions/its8752/slapd.conf.mpr (+1/-1)
tests/data/regressions/its8800/its8800 (+1/-1)
tests/data/regressions/its9051/its9051 (+1/-1)
tests/data/regressions/its9282/its9282 (+1/-1)
tests/data/regressions/its9288/its9288 (+1/-1)
tests/data/regressions/its9288/slapd-proxy.conf (+1/-1)
tests/data/regressions/its9338/its9338 (+1/-1)
tests/data/regressions/its9400/its9400 (+1/-1)
tests/data/regressions/its9400/slapd-proxy-idassert.conf (+1/-1)
tests/data/regressions/its9468/its9468 (+1/-1)
tests/data/regressions/its9468/slapd-proxy.conf (+1/-1)
tests/data/regressions/its9468/slapd-remote.conf (+1/-1)
tests/data/regressions/its9863/its9863 (+1/-1)
tests/data/retcode.conf (+1/-1)
tests/data/slapd-2db.conf (+1/-1)
tests/data/slapd-aci.conf (+1/-1)
tests/data/slapd-acl.conf (+1/-1)
tests/data/slapd-asyncmeta.conf (+1/-1)
tests/data/slapd-cache-provider-proxyauthz.conf (+1/-1)
tests/data/slapd-cache-provider.conf (+1/-1)
tests/data/slapd-chain1.conf (+1/-1)
tests/data/slapd-chain2.conf (+1/-1)
tests/data/slapd-component.conf (+1/-1)
tests/data/slapd-dds.conf (+1/-1)
tests/data/slapd-deltasync-consumer.conf (+1/-1)
tests/data/slapd-deltasync-provider.conf (+1/-1)
tests/data/slapd-deref.conf (+1/-1)
tests/data/slapd-dirsync1.conf (+1/-1)
tests/data/slapd-dn.conf (+1/-1)
tests/data/slapd-dnssrv.conf (+1/-1)
tests/data/slapd-dsee-consumer1.conf (+1/-1)
tests/data/slapd-dsee-consumer2.conf (+1/-1)
tests/data/slapd-dynlist.conf (+1/-1)
tests/data/slapd-emptydn.conf (+1/-1)
tests/data/slapd-glue-ldap.conf (+1/-1)
tests/data/slapd-glue-syncrepl1.conf (+1/-1)
tests/data/slapd-glue-syncrepl2.conf (+1/-1)
tests/data/slapd-glue.conf (+1/-1)
tests/data/slapd-homedir.conf (+1/-1)
tests/data/slapd-idassert.conf (+1/-1)
tests/data/slapd-ldapglue.conf (+1/-1)
tests/data/slapd-ldapgluegroups.conf (+1/-1)
tests/data/slapd-ldapgluepeople.conf (+1/-1)
tests/data/slapd-limits.conf (+1/-1)
tests/data/slapd-lload.conf (+1/-1)
tests/data/slapd-meta-target1.conf (+1/-1)
tests/data/slapd-meta-target2.conf (+1/-1)
tests/data/slapd-meta.conf (+1/-1)
tests/data/slapd-nis-provider.conf (+1/-1)
tests/data/slapd-passwd.conf (+1/-1)
tests/data/slapd-ppolicy.conf (+1/-1)
tests/data/slapd-provider.conf (+1/-1)
tests/data/slapd-proxyauthz.conf (+1/-1)
tests/data/slapd-proxycache.conf (+1/-1)
tests/data/slapd-proxytimeout.conf (+1/-1)
tests/data/slapd-pw.conf (+1/-1)
tests/data/slapd-ref-consumer.conf (+1/-1)
tests/data/slapd-referrals.conf (+1/-1)
tests/data/slapd-refint.conf (+1/-1)
tests/data/slapd-relay.conf (+1/-1)
tests/data/slapd-repl-consumer-remote.conf (+1/-1)
tests/data/slapd-retcode.conf (+1/-1)
tests/data/slapd-schema.conf (+1/-1)
tests/data/slapd-sql-syncrepl-provider.conf (+1/-1)
tests/data/slapd-sql.conf (+1/-1)
tests/data/slapd-syncrepl-consumer-persist-ldap.conf (+1/-1)
tests/data/slapd-syncrepl-consumer-persist1.conf (+1/-1)
tests/data/slapd-syncrepl-consumer-persist3.conf (+1/-1)
tests/data/slapd-syncrepl-consumer-refresh1.conf (+1/-1)
tests/data/slapd-syncrepl-consumer-refresh2.conf (+1/-1)
tests/data/slapd-syncrepl-multiproxy.conf (+1/-1)
tests/data/slapd-syncrepl-provider.conf (+1/-1)
tests/data/slapd-tls-sasl.conf (+1/-1)
tests/data/slapd-tls.conf (+1/-1)
tests/data/slapd-translucent-local.conf (+1/-1)
tests/data/slapd-translucent-remote.conf (+1/-1)
tests/data/slapd-unique.conf (+1/-1)
tests/data/slapd-valregex.conf (+1/-1)
tests/data/slapd-valsort.conf (+1/-1)
tests/data/slapd-whoami.conf (+1/-1)
tests/data/slapd.conf (+1/-1)
tests/data/slapd2.conf (+1/-1)
tests/data/test.schema (+1/-1)
tests/progs/Makefile.in (+1/-1)
tests/progs/ldif-filter.c (+1/-1)
tests/progs/slapd-addel.c (+1/-1)
tests/progs/slapd-auth.c (+1/-1)
tests/progs/slapd-bind.c (+1/-1)
tests/progs/slapd-common.c (+1/-1)
tests/progs/slapd-common.h (+1/-1)
tests/progs/slapd-modify.c (+1/-1)
tests/progs/slapd-modrdn.c (+1/-1)
tests/progs/slapd-mtread.c (+1/-1)
tests/progs/slapd-read.c (+1/-1)
tests/progs/slapd-search.c (+1/-1)
tests/progs/slapd-tester.c (+1/-1)
tests/progs/slapd-watcher.c (+1/-1)
tests/run.in (+3/-2)
tests/scripts/all (+1/-1)
tests/scripts/conf.sh (+3/-2)
tests/scripts/confdirsync.sh (+1/-1)
tests/scripts/defines.sh (+4/-1)
tests/scripts/functions.sh (+1/-1)
tests/scripts/gdb.py (+1/-1)
tests/scripts/grandchild_wrapper.py (+1/-1)
tests/scripts/its-all (+1/-1)
tests/scripts/lloadd-all (+1/-1)
tests/scripts/lloadd/test000-rootdse (+1/-1)
tests/scripts/lloadd/test001-backend-issues (+1/-1)
tests/scripts/lloadd/test002-load (+1/-1)
tests/scripts/lloadd/test003-cnconfig (+1/-1)
tests/scripts/lloadd/test004-monitor (+1/-1)
tests/scripts/lloadd/test005-tls (+1/-1)
tests/scripts/lloadd/test006-sasl (+2/-2)
tests/scripts/lloadd/test007-coherence (+1/-1)
tests/scripts/monitor_data.sh (+1/-1)
tests/scripts/passwd-search (+1/-1)
tests/scripts/relay (+1/-1)
tests/scripts/setup_kdc.sh (+1/-1)
tests/scripts/sql-all (+1/-1)
tests/scripts/sql-test000-read (+1/-1)
tests/scripts/sql-test001-concurrency (+1/-1)
tests/scripts/sql-test900-write (+1/-1)
tests/scripts/sql-test901-syncrepl (+1/-1)
tests/scripts/start-server (+1/-1)
tests/scripts/start-server-nolog (+1/-1)
tests/scripts/start-server2 (+1/-1)
tests/scripts/start-server2-nolog (+1/-1)
tests/scripts/startup_nis_ldap_server.sh (+1/-1)
tests/scripts/test000-rootdse (+1/-1)
tests/scripts/test001-slapadd (+1/-1)
tests/scripts/test002-populate (+1/-1)
tests/scripts/test003-search (+1/-1)
tests/scripts/test004-modify (+1/-1)
tests/scripts/test005-modrdn (+1/-1)
tests/scripts/test006-acls (+1/-1)
tests/scripts/test007-slapmodify (+1/-1)
tests/scripts/test008-concurrency (+1/-1)
tests/scripts/test009-referral (+1/-1)
tests/scripts/test010-passwd (+1/-1)
tests/scripts/test011-glue-slapadd (+1/-1)
tests/scripts/test012-glue-populate (+1/-1)
tests/scripts/test013-language (+1/-1)
tests/scripts/test014-whoami (+1/-1)
tests/scripts/test015-xsearch (+1/-1)
tests/scripts/test016-subref (+1/-1)
tests/scripts/test017-syncreplication-refresh (+1/-1)
tests/scripts/test018-syncreplication-persist (+1/-1)
tests/scripts/test019-syncreplication-cascade (+1/-1)
tests/scripts/test020-proxycache (+1/-1)
tests/scripts/test021-certificate (+1/-1)
tests/scripts/test022-ppolicy (+1/-1)
tests/scripts/test023-refint (+1/-1)
tests/scripts/test024-unique (+1/-1)
tests/scripts/test025-limits (+1/-1)
tests/scripts/test026-dn (+1/-1)
tests/scripts/test027-emptydn (+1/-1)
tests/scripts/test028-idassert (+3/-3)
tests/scripts/test029-ldapglue (+3/-3)
tests/scripts/test030-relay (+1/-1)
tests/scripts/test031-component-filter (+1/-1)
tests/scripts/test032-chain (+1/-1)
tests/scripts/test033-glue-syncrepl (+1/-1)
tests/scripts/test034-translucent (+11/-1)
tests/scripts/test035-meta (+1/-1)
tests/scripts/test036-meta-concurrency (+1/-1)
tests/scripts/test037-manage (+1/-1)
tests/scripts/test038-retcode (+1/-1)
tests/scripts/test039-glue-ldap-concurrency (+1/-1)
tests/scripts/test040-subtree-rename (+1/-1)
tests/scripts/test041-aci (+1/-1)
tests/scripts/test042-valsort (+1/-1)
tests/scripts/test043-delta-syncrepl (+1/-1)
tests/scripts/test044-dynlist (+1/-1)
tests/scripts/test045-syncreplication-proxied (+1/-1)
tests/scripts/test046-dds (+1/-1)
tests/scripts/test047-ldap (+1/-1)
tests/scripts/test048-syncrepl-multiproxy (+1/-1)
tests/scripts/test049-sync-config (+1/-1)
tests/scripts/test050-syncrepl-multiprovider (+1/-1)
tests/scripts/test051-config-undo (+1/-1)
tests/scripts/test052-memberof (+56/-1)
tests/scripts/test053-syncprov-glue (+1/-1)
tests/scripts/test054-syncreplication-parallel-load (+1/-1)
tests/scripts/test055-valregex (+1/-1)
tests/scripts/test056-monitor (+1/-1)
tests/scripts/test057-memberof-refint (+1/-1)
tests/scripts/test058-syncrepl-asymmetric (+1/-1)
tests/scripts/test059-consumer-config (+1/-1)
tests/scripts/test060-mt-hot (+1/-1)
tests/scripts/test061-syncreplication-initiation (+1/-1)
tests/scripts/test062-config-delete (+1/-1)
tests/scripts/test063-delta-multiprovider (+1/-1)
tests/scripts/test064-constraint (+1/-1)
tests/scripts/test065-proxyauthz (+1/-1)
tests/scripts/test066-autoca (+1/-1)
tests/scripts/test067-tls (+1/-1)
tests/scripts/test068-sasl-tls-external (+1/-1)
tests/scripts/test069-delta-multiprovider-starttls (+1/-1)
tests/scripts/test070-delta-multiprovider-ldaps (+1/-1)
tests/scripts/test071-dirsync (+1/-1)
tests/scripts/test072-dsee-sync (+1/-1)
tests/scripts/test073-asyncmeta (+1/-1)
tests/scripts/test074-asyncmeta-concurrency (+1/-1)
tests/scripts/test075-dsee-persist (+1/-1)
tests/scripts/test076-authid-rewrite (+9/-2)
tests/scripts/test077-sasl-gssapi (+1/-1)
tests/scripts/test078-persistent-sessionlog (+1/-1)
tests/scripts/test079-proxy-timeout (+1/-1)
tests/scripts/test080-hotp (+1/-1)
tests/scripts/test081-totp (+1/-1)
tests/scripts/test081-totp.py (+1/-1)
tests/scripts/test082-remoteauth (+1/-1)
tests/scripts/test083-argon2 (+1/-1)
tests/scripts/test084-deref (+1/-1)
tests/scripts/test085-homedir (+1/-1)
tests/scripts/test086-delta-consumer-config (+1/-1)
tests/scripts/test087-librewrite (+1/-1)
tests/scripts/test088-syncprov-glue-rwm (+1/-1)
tests/scripts/test089-nestgroup (+699/-0)
~jj/ubuntu/+source/openldap:lp2112527-backport-2.6.10-plucky
Athos Ribeiro: Pending requested
Canonical Server Reporter: Pending requested
Diff: 2144 lines (+733/-196)
38 files modified
CHANGES (+27/-0)
build/version.var (+3/-3)
clients/tools/common.c (+14/-0)
clients/tools/ldapvc.c (+15/-0)
contrib/slapd-modules/autogroup/autogroup.c (+2/-0)
contrib/slapd-modules/variant/variant.c (+12/-12)
debian/apparmor-profile (+3/-0)
debian/changelog (+21/-0)
debian/patches/lp2125685-pbkdf2-configurable-rounds.patch (+92/-0)
debian/patches/lp2125685-pbkdf2-fix-iteration-arg.patch (+22/-0)
debian/patches/series (+2/-0)
debian/rules (+6/-8)
debian/tests/control (+1/-1)
debian/tests/slapd (+20/-2)
doc/guide/admin/replication.sdf (+22/-3)
doc/guide/admin/slapdconf2.sdf (+62/-61)
doc/man/man5/ldap.conf.5 (+8/-6)
doc/man/man5/slapd-config.5 (+18/-4)
doc/man/man5/slapd.conf.5 (+1/-1)
doc/man/man5/slapo-dynlist.5 (+3/-0)
doc/man/man8/slapacl.8 (+4/-4)
libraries/libldap/error.c (+19/-0)
libraries/libldap/result.c (+60/-2)
libraries/librewrite/subst.c (+6/-6)
servers/lloadd/config.c (+4/-0)
servers/slapd/back-ldif/ldif.c (+71/-22)
servers/slapd/back-mdb/attr.c (+3/-0)
servers/slapd/back-mdb/config.c (+3/-0)
servers/slapd/back-mdb/delete.c (+11/-10)
servers/slapd/back-mdb/tools.c (+2/-1)
servers/slapd/bconfig.c (+109/-24)
servers/slapd/logging.c (+32/-9)
servers/slapd/overlays/autoca.c (+1/-0)
servers/slapd/overlays/memberof.c (+9/-8)
servers/slapd/overlays/pcache.c (+8/-2)
servers/slapd/slapacl.c (+14/-0)
servers/slapd/slapcommon.c (+20/-0)
servers/slapd/syncrepl.c (+3/-7)
Revision history for this message
Lena Voytek (lvoytek) wrote :

Thank you for the bug report, I can confirm no releases of Ubuntu have the iterations option available since the feature was added recently for future OpenLDAP releases here - https://git.openldap.org/openldap/openldap/-/commit/f602563bf4a9512885c8e3488d03b3f812cf42d9. Updating the affected releases.

Changed in openldap (Ubuntu Jammy):
status: New → Confirmed
Changed in openldap (Ubuntu Noble):
status: New → Confirmed
Changed in openldap (Ubuntu Plucky):
status: New → Confirmed
Changed in openldap (Ubuntu Questing):
status: New → Confirmed
tags: added: server-triage-discuss
Revision history for this message
Christian Ehrhardt (paelzer) wrote :

Right Lena, this would be picked up natrually on the merge for 26.04 when upstream has a new release by then.

@Fillipo are you or anyone working (or demanding) on this to go to older releases for FIPS support?

I subscribed Henry for the FIPS aspect of it.

Revision history for this message
Filippo (filippom) wrote :

Hi Lena and Christian,

Thank you for your input and for pointing out that this functionality will "naturally" be available in 26.04 once upstream provides it.

I would kindly like to ask for your support regarding one point: since using PBKDF2 with a configurable number of iterations is quite important for meeting security requirements (including in some cases FIPS 140-3), do you think it would be possible to introduce this option also in Ubuntu 24.04 (perhaps via a maintenance update)?

Best regards,

Filippo

Revision history for this message
Lena Voytek (lvoytek) wrote :

Thank you for the response Filippo, I can work on adding this feature the stable releases :)

Changed in openldap (Ubuntu Questing):
status: Confirmed → In Progress
assignee: nobody → Lena Voytek (lvoytek)
Changed in openldap (Ubuntu Jammy):
assignee: nobody → Lena Voytek (lvoytek)
Changed in openldap (Ubuntu Noble):
assignee: nobody → Lena Voytek (lvoytek)
Changed in openldap (Ubuntu Plucky):
assignee: nobody → Lena Voytek (lvoytek)
tags: added: server-todo
removed: server-triage-discuss
Jonas Jelten (jj)
Changed in openldap (Ubuntu Questing):
assignee: Lena Voytek (lvoytek) → Jonas Jelten (jj)
Changed in openldap (Ubuntu Plucky):
assignee: Lena Voytek (lvoytek) → Jonas Jelten (jj)
Changed in openldap (Ubuntu Noble):
assignee: Lena Voytek (lvoytek) → Jonas Jelten (jj)
Changed in openldap (Ubuntu Jammy):
assignee: Lena Voytek (lvoytek) → Jonas Jelten (jj)
Jonas Jelten (jj)
Changed in openldap (Ubuntu Plucky):
status: Confirmed → In Progress
Changed in openldap (Ubuntu Noble):
status: Confirmed → In Progress
Changed in openldap (Ubuntu Jammy):
status: Confirmed → In Progress
status: In Progress → Won't Fix
Revision history for this message
Jonas Jelten (jj) wrote (last edit ):

Hi Filippo! I've added the stable update template above, please check if the test instructions seem reasonable :)
Then we can proceed to backport up to 22.04.

description: updated
Changed in openldap (Ubuntu Jammy):
status: Won't Fix → In Progress
Jonas Jelten (jj)
Changed in openldap (Ubuntu Jammy):
importance: Undecided → Wishlist
Changed in openldap (Ubuntu Noble):
importance: Undecided → Wishlist
Changed in openldap (Ubuntu Plucky):
importance: Undecided → Wishlist
Changed in openldap (Ubuntu Questing):
importance: Undecided → Wishlist
description: updated
Revision history for this message
Jonas Jelten (jj) wrote :

The upstream patch actually has a bug, the argument is off by one. Reported & sent patch: https://bugs.openldap.org/show_bug.cgi?id=10399

description: updated
Revision history for this message
Filippo (filippom) wrote :

Hi Jonas,

That looks great — the test instructions are clear and reasonable.
Thank you very much for your work on this!

Jonas Jelten (jj)
summary: - pbkdf2 module not make iterations configurable and FIPS 140-3
+ pbkdf2 needs configurable hashing rounds for FIPS 140-3
Revision history for this message
Henry Coggill (henrycoggill) wrote :

Jammy was the first Ubuntu LTS with FIPS 140-3 support, so if it's possible to backport to 22.04 then we should be covered for FIPS use-cases, thanks.

Revision history for this message
Jonas Jelten (jj) wrote (last edit ):

Yes, I've included the patch on 22.04! (at first i was confused and thought jammy didn't have the module :)

Jonas Jelten (jj)
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.