CHANGES

@@ -2,6 +2,7 @@ OpenLDAP 2.5 Change Log
 
 OpenLDAP 2.5.12 Engineering
 	Fixed libldap to drop connection when non-LDAP data is received (ITS#9803)
+	Fixed libldap to allow newlines at end of included file (ITS#9811)
 	Fixed slapd slaptest conversion of olcLastBind (ITS#9808)
 	Fixed slapd usage of thread local counters (ITS#9789)
 	Fixed slapd to clear runqueue task correctly (ITS#9785)
@@ -9,6 +10,11 @@ OpenLDAP 2.5.12 Engineering
 	Fixed slapd syncrepl handling of new sessions (ITS#9584)
 	Fixed slapd to clear connections on bind (ITS#9799)
 	Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801)
+	Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802)
+	Fixed slapd-ldap memory leak in keepalive setting (ITS#9802)
+	Fixed slapd-meta SEGV on config rewrite (ITS#9802)
+	Fixed slapd-meta ordering on config rewrite (ITS#9802)
+	Fixed slapd-meta memory leak in keepalive setting (ITS#9802)
 	Fixed slapd-monitor SEGV on shutdown (ITS#9809)
 	Fixed slapo-pcache SEGV on shutdown (ITS#9809)
 	Fixed slapo-ppolicy operation handling to be consistent (ITS#9794)
@@ -16,6 +22,8 @@ OpenLDAP 2.5.12 Engineering
 		Fix compilation with openssl exclusions (ITS#9791)
 		Fix warnings from make jobserver (ITS#9788)
 		Fix compiliation with certain versions of gcc (ITS#9790)
+	Documentation
+		Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit documentation (ITS#9804)
 
 OpenLDAP 2.5.11 Release (2022/01/20)
 	Fix broken build release variable

doc/man/man5/slapd-config.5

@@ -1945,9 +1945,8 @@ The \fBsizelimit\fP and \fBtimelimit\fP only
 accept "unlimited" and positive integers, and both default to "unlimited".
 The \fBsizelimit\fP and \fBtimelimit\fP parameters define
 a consumer requested limitation on the number of entries that can be returned
-by the LDAP Content Synchronization operation; as such, it is intended
-to implement partial replication based on the size of the replicated database
-and on the time required by the synchronization.
+by the LDAP Content Synchronization operation; these should be left unchanged
+from the default otherwise replication may never succeed.
 Note, however, that any provider-side limits for the replication identity
 will be enforced by the provider regardless of the limits requested
 by the LDAP Content Synchronization operation, much like for any other

doc/man/man5/slapd.conf.5

@@ -1877,9 +1877,8 @@ The \fBsizelimit\fP and \fBtimelimit\fP only
 accept "unlimited" and positive integers, and both default to "unlimited".
 The \fBsizelimit\fP and \fBtimelimit\fP parameters define
 a consumer requested limitation on the number of entries that can be returned
-by the LDAP Content Synchronization operation; as such, it is intended
-to implement partial replication based on the size of the replicated database
-and on the time required by the synchronization.
+by the LDAP Content Synchronization operation; these should be left unchanged
+from the default otherwise replication may never succeed.
 Note, however, that any provider-side limits for the replication identity
 will be enforced by the provider regardless of the limits requested
 by the LDAP Content Synchronization operation, much like for any other

libraries/libldap/ldif.c

@@ -796,6 +796,7 @@ ldif_read_record(
 		 * back to a previous file. (return from an include)
 		 */
 		while ( feof( lfp->fp )) {
+pop:
 			if ( lfp->prev ) {
 				LDIFFP *tmp = lfp->prev;
 				fclose( lfp->fp );
@@ -808,6 +809,10 @@ ldif_read_record(
 		}
 		if ( !stop ) {
 			if ( fgets( line, sizeof( line ), lfp->fp ) == NULL ) {
+				if ( !found_entry && !ferror( lfp->fp ) ) {
+					/* ITS#9811 Reached the end looking for an entry, try again */
+					goto pop;
+				}
 				stop = 1;
 				len = 0;
 			} else {

servers/slapd/back-asyncmeta/config.c

@@ -2405,9 +2405,11 @@ asyncmeta_back_cf_gen( ConfigArgs *c )
 		break;
 #endif /* SLAPD_META_CLIENT_PR */
 
-	case LDAP_BACK_CFG_KEEPALIVE:
-		slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
-				 &mt->mt_tls.sb_keepalive, 0, 0, 0);
+	case LDAP_BACK_CFG_KEEPALIVE: {
+		struct berval bv;
+		ber_str2bv( c->argv[1], 0, 1, &bv );
+		slap_keepalive_parse( &bv, &mt->mt_tls.sb_keepalive, 0, 0, 0 );
+		}
 		break;
 
 	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:

servers/slapd/back-ldap/config.c

@@ -2051,9 +2051,11 @@ done_url:;
 		}
 		break;
 
-	case LDAP_BACK_CFG_KEEPALIVE:
-		slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
-				 &li->li_tls.sb_keepalive, 0, 0, 0);
+	case LDAP_BACK_CFG_KEEPALIVE: {
+		struct berval bv;
+		ber_str2bv( c->argv[1], 0, 1, &bv );
+		slap_keepalive_parse( &bv, &li->li_tls.sb_keepalive, 0, 0, 0 );
+		}
 		break;
 
 	case LDAP_BACK_CFG_TCP_USER_TIMEOUT:

servers/slapd/back-meta/config.c

@@ -2662,9 +2662,9 @@ idassert-authzFrom	"dn:<rootdn>"
 						c->fname, c->lineno, ca.argc, ca.argv );
 				}
 				assert( rc == 0 );
-				ch_free( ca.argv );
 				ch_free( ca.tline );
 			}
+			ch_free( ca.argv );
 		}
 		argc = c->argc;
 		argv = c->argv;
@@ -2699,9 +2699,9 @@ idassert-authzFrom	"dn:<rootdn>"
 						c->fname, c->lineno, ca.argc, argv );
 				}
 				assert( rc == 0 );
-				ch_free( ca.argv );
 				ch_free( ca.tline );
 			}
+			ch_free( ca.argv );
 		}
 
 		/* save the rule info */
@@ -2718,7 +2718,7 @@ idassert-authzFrom	"dn:<rootdn>"
 			/* move it to the right slot */
 			if ( ix < cnt ) {
 				for ( i=cnt; i>ix; i-- )
-					mt->mt_rwmap.rwm_bva_rewrite[i+1] = mt->mt_rwmap.rwm_bva_rewrite[i];
+					mt->mt_rwmap.rwm_bva_rewrite[i] = mt->mt_rwmap.rwm_bva_rewrite[i-1];
 				mt->mt_rwmap.rwm_bva_rewrite[i] = bv;
 
 				/* destroy old rules */
@@ -2913,9 +2913,11 @@ map_fail:;
 		break;
 #endif /* SLAPD_META_CLIENT_PR */
 
-	case LDAP_BACK_CFG_KEEPALIVE:
-		slap_keepalive_parse( ber_bvstrdup(c->argv[1]),
-				 &mt->mt_tls.sb_keepalive, 0, 0, 0);
+	case LDAP_BACK_CFG_KEEPALIVE: {
+		struct berval bv;
+		ber_str2bv( c->argv[ 1 ], 0, 1, &bv );
+		slap_keepalive_parse( &bv, &mt->mt_tls.sb_keepalive, 0, 0, 0 );
+		}
 		break;
 
 	case LDAP_BACK_CFG_TCP_USER_TIMEOUT: