Bug description: If a filter contains a range search, the
search retrieves one ID per idl_fetch and merges it into
the idlist using idl_union, which is slow, especially when
the range search result size is large.
Fix description: When the idlist size is larger than
nsslapd-lookthroughlimit, the range search returns ALLID (default
value of nsslapd-lookthroughlimit is 5000). Then, the range
search filter is evaluated before returning to the client.
If the default value of nsslapd-lookthroughlimit can be used,
the search elapsed time is much shorter than generating a
complete idlist in index_range_read_ext. Since the
nsslapd-lookthroughlimit is shared among all the search operations,
a larger value might be required for other cases. To have its
own control, this patch introduces a new config parameter
nsslapd-rangelookthroughlimit for the range search.
Also, this patch replaces idl_union in index_range_read_ext
with idl_append_extend and sorts the idlist at the end. It
improves the range search performance, but it is still slower
than just returning ALLID for the large db.
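
The strategy described in the fix above, as an added example that is not the server's own code: candidate IDs are appended unsorted and sorted once at the end, and the scan stops and reports ALLIDS as soon as the candidates would exceed the limit. The `idlist` type, `append_id` and `range_read` are hypothetical stand-ins, and the index data is constructed.

```c
#include <stdio.h>
#include <stdlib.h>

typedef unsigned int ID;
typedef struct { int allids; size_t n, cap; ID *ids; } idlist; /* hypothetical type */

static int cmp_id(const void *a, const void *b) {
    ID x = *(const ID *)a, y = *(const ID *)b;
    return (x > y) - (x < y);
}

/* Append without keeping order: amortized O(1), unlike a sorted union per ID. */
static int append_id(idlist *l, ID id) {
    if (l->n == l->cap) {
        size_t cap = l->cap ? l->cap * 2 : 16;
        ID *p = realloc(l->ids, cap * sizeof *p);
        if (!p) return -1;
        l->ids = p; l->cap = cap;
    }
    l->ids[l->n++] = id;
    return 0;
}

/* keys[i]/ids[i]: constructed index entries in key order (IDs are not sorted).
 * Collect the IDs whose key lies in [lo, hi]. If more than `limit` candidates
 * match (or memory runs out), report ALLIDS so the caller tests each entry. */
idlist range_read(const int *keys, const ID *ids, size_t n, int lo, int hi, size_t limit) {
    idlist l = {0, 0, 0, NULL};
    for (size_t i = 0; i < n; i++) {
        if (keys[i] < lo || keys[i] > hi) continue;
        if (l.n >= limit || append_id(&l, ids[i]) != 0) {
            free(l.ids);
            return (idlist){1, 0, 0, NULL}; /* ALLIDS: a safe superset */
        }
    }
    if (l.n > 1) qsort(l.ids, l.n, sizeof *l.ids, cmp_id); /* sort once at the end */
    return l;
}

int main(void) {
    int keys[] = {10, 20, 30, 40, 50}; /* constructed sample index */
    ID ids[]   = {7, 3, 9, 1, 5};
    idlist a = range_read(keys, ids, 5, 20, 40, 5000);
    for (size_t i = 0; i < a.n; i++) printf("%u ", a.ids[i]);
    printf("\nallids with limit 2: %d\n", range_read(keys, ids, 5, 10, 50, 2).allids);
    free(a.ids);
    return 0;
}
```

Because ALLIDS is a superset of the true result, the range filter still has to be evaluated against each candidate entry before anything is returned to the client.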

Bug description: Posix Account objectclass requires homeDirectory,
uidNumber, and gidNumber. When an AD entry has just some of these
attributes or other allow-to-have attributes, i.e., loginShell or
gecos, the entry is incompletely converted to a Posix Account entry
and fails to be added due to the missing attribute error.
Fix description: Before transforming the AD entry to the DS posix
account entry, check the required attributes first. If any of the
above 3 attributes is missing, all of the posix account related
attributes are dropped and the entry is added to the DS as a non-posix
account entry. If the PLUGIN log level is set, this type of message is
logged in the error log.
 posix-winsync - AD entry CN=<CN>,OU=<OU>,DC=<DC>,DC=<COM> does
not have MUST attribute uidNumber for posixAccount objectclass.

Bug description: The DNS keyword in ACI only accepted an FQDN returned
from gethostbyaddr. If an alias hostname was set in an ACI, a request
sent from the host was treated as the one from the primary hostname
and it failed to get the expected access rights.
Fix description: This patch is advertising a keyword "dnsalias".
In addition to the primary hostname, by setting the secondary
hostnames as dnsalias, client requests would obtain the expected access
rights. When an IP address is associated with multiple hostnames
(primary: hostA, aliases: hostB and hostC), they could be listed, for
instance, in an aci as follows:
aci: (targetattr = "*") (version 3.0;acl "dnsalias example";allow (all)
dns="hostA.example.com" or dnsalias="hostB.example.com" or dnsalias=