1. Release Notes for 3.6.2

GBS/VW version 8.5

GBS/VA version 5.4.6

For more details on supported GBS and client Smalltalk platforms and requirements, see the GemBuilder for Smalltalk Installation Guide for that version of GBS.

NonPersistentArray

The class NonPersistentArray has also been added to the image; this is used by the GsTest framework, but is available for general use. It is a kind of Array with the class option #instancesNonPersistent.

Utf8 >> readStream now permitted

Previously, the method Utf8 >> readStream was implemented to disallow this operation. The disallowed implementation in Utf8 has been removed, so the version inherited from SequencableCollection can be used.

NetLDI -a attempted authentication with empty password

When a gslist -m request was made, it synthesized an empty password for the request to the remote NetLDI. If that remote NetLDI was running with authentication for new processes only (using startnetldi -a but not -s), the NetLDI attempted to authenticate using PAM, which would fail. This did not cause the gslist query to fail, since authentication for gslist is not required in this mode, and results were returned.

However, if this call was made often enough, these failures could result in the underlying account being locked as a result of too many failed authentication requests. (#49591)

The NetLDI no longer authenticates an empty password.

gslist -m not usable with remote NetLDI in secure mode

When gslist -m contacts the NetLDI on a remote host, it uses the userID of the user executing the gslist, and an empty host password. If the remote NetLDI is running in secure mode (startnetldi -s argument), then gslist -m would fail. (#49594)

The following option has been added to gslist:

-a userid Unix userId used for contacting remote netldi 

with -m. If -m also specified, prompts for a Unix password.

Has no effect unless -m is specified, required if remote

netldi was started with -s.

Do not use if remote netldi started with -k (for Kerberos).

On a system where the NetLDI is running with authentication (the startnetldi -a but not -s), using -a with gslist -m to a remote host is optional. If the NetLDI is running in secure mode (startnetldi -a and -s options), the gslist -a option is required with -m. The gslist -a argument has no effect running on the local host.

When gslist includes the -m and -a arguments, gslist prompts the user, on the command line, for the password for the remote host.

Note that single sign on using Kerberos legitimately uses an empty password. This mode is not affected by changes in this release; the -a option should not be used in a Single sign-on system.

Configuring objects to be tracked

A new instance variable, trackReads has been added to GsObjectSecurityPolicy; by default, this is false. When this is set to true, all objects associated with that security policy have reads tracked.

The following methods have been added:

GsObjectSecurityPolicy >> trackReads
Returns a Boolean, true if object read logging is enabled for objects in this security policy.

GsObjectSecurityPolicy >> trackReads: aBoolean
If aBoolean is true enables object read logging for objects in this security policy, false disables it. Signals an Error if any element of AllUsers has a userId incompatible with writing to a .csv file.

Before any read tracking can be recorded, the application configure the objects to be tracked by doing the following:

• Define a security policy with trackReads set to true
• Determine which application objects require read tracking
• Associate these objects with the read tracking security policy.

In addition, specific individual objects can be tracked within a specific session by using the following method:

Object >> trackRead
If receiver is not a special object, and (System objectReadLogEnabled == true) and ((System myUserProfile _hasPrivilegeName: #DisableObjectReadLogging) == false), add the receiver to the sessions read tracking buffer. Returns true if the object was added to the read tracking buffer, false otherwise.

This addition to the read tracking buffer is independent of whether (self objectSecurityPolicy trackReads == true) and is independent of whether this method has already been sent to the receiver.

Enable and disable Read Tracking

Read tracking must be enabled by setting the configuration parameters STN_OBJECT_READ_LOG_ENABLED and STN_OBJECT_READ_LOG_DIRECTORIES before the Stone is started up.

If a session logs in as a user with the DisableObjectReadLogging privilege, then read tracking is not enabled for that particular user.

If a session logs in as a user without the DisableObjectReadLogging, objects that have object read logging configured are written to the object read logs.

If the user additionally has the DynamicDisableObjectReadLogging privilege, the user can disable read tracking temporarily within that session by executing

System setObjectReadTracking: false

When object read tracking is dynamically disabled, a record is written to the object read tracking log.

To determine if the current session has read logging currently enabled, send:

System objectReadLogEnabled

The following methods have been added:

System class >> objectReadLogEnabled
Answer a Boolean indicating if the Stone was started with the configuration parameter STN_OBJECT_READ_LOG_ENABLED set to true. Note that the actual state of object read logging will depend on the privileges of the current session’s userProfile and if object reads tracking was dynamically disabled; see System class >> setObjectReadTracking:.

System class >> objectReadTrackingEnabled
Returns true if object read tracking is currently being performed for this session, for any objects with tracking configured via GsObjectSecurityPolicy >> trackReads or Object >> trackRead. It returns false if no object read logging will occur. Specifically, this method will:

• return false if Object read tracking is not enabled for the Stone
• return false if the current session’s UserProfile has the DisableObjectReadLogging privilege
• return false if the session has dynamically disabled Object Read Tracking; that is, System setObjectReadTracking:false must not have been executed and be still in effect.

System class >> setObjectReadTracking: aBoolean
Dynamically disable or re-enable object read tracking for the current session, and return the previous status of object read tracking. Requires the user executing have DynamicDisableObjectReadLogging privilege. If setObjectReadTracking: successfully disables or re-enables read tracking, a record is written to the Object read tracking log.

When aBoolean is false, then if object read logging is not enabled for the Stone, or if the current session’s UserProfile has the DisableObjectReadLogging privilege, or if setObjectReadTracking: false was previously invoked to disable read tracking, then this method has no effect, and returns false. A true value for aBoolean only has effect if setObjectReadTracking: false previously executed successfully.

setObjectReadTracking: is expected to be used in constructions such as:

|  prev | 

[  prev := System setObjectReadTracking: false.  

   query Execute ] ensure: 

      [ System setObjectReadTracking: prev ]

Read Tracking

Tracking occurs when an object is faulted into the temporary object memory of a session. Only one read is recorded per object per session. Once an object has been tracked as read, if the object is read again, no further tracking events are recorded for that object in that session.

The session sends tracking records to the Stone:

• At each transaction boundary (commit or abort)
• When the gem's tracking buffer is full. The buffer is about 100K bytes.
• When the gem explicitly calls System class >> flushObjectReadBuffer
• At session logout.

Each read record in the buffer has the timestamp of the first object recorded in the buffer (this avoids excessive calls to fetch exact timestamps from the OS). There is a final record in the buffer, indicating the end of the buffer, which also has an exact timestamp.

Limitation in Read Tracking

If the session terminates with a fatal error or is killed with SIGTERM, the last tracking buffer may be lost. This creates a way for a user to intentionally (as well as inadvertently) read an object without this read action being recorded in the log.

Object Read Log File

The object read log location is specified using a new stone configuration option, STN_OBJECT_READ_LOG_DIRECTORIES. This specifies a list of one or more directories in which to write object read log files. The Stone will not start up if STN_OBJECT_READ_LOG_ENABLED is true and STN_OBJECT_READ_LOG_DIRECTORIES does not contain at least one valid, writable directory.

The object read log file name will be composed as follows:

ObjectReadLogDir/stoneName-ObjectReadLog_timestamp[.current].csv

where:

• ObjectReadLogDir is the directory for object read logs, one of the directories specified by STN_OBJECT_READ_LOG_DIRECTORIES in the stone configuration file.
• stoneName is the short name of the stone (without the NRS).
• timestamp is UTC (GMT) time when the file was created, in the format YYYY-MM-DD-hh:mm:ss.nnn, where nnn is the 3 digit milliseconds of the time.
• [.current] is a suffix that appears only on the file that is currently being written by the Stone. Files that are not actively being written to do not have this suffix.

The maximum size of the object read log file in bytes is specified using the new stone configuration parameter STN_OBJECT_READ_LOG_MAX_FILE_SIZE. When the maximum file size is reached, the current object read log file will be closed and renamed to remove the .current suffix, after which a new log file will be opened.

If a buffer of records from a Gem needs to be written, but will not fit into the current object read log file without exceeding the file maximum size, a new log is started. The contents of a Gem’s buffer of read records is not split over two object read log files. Each Gem’s buffer of records is written contiguously, before another Gem’s buffer.

When stone starts, if a single .current.csv file is found within the directories specified by STN_OBJECT_READ_LOG_DIRECTORIES, and if this file is smaller than the maximum file size, it will be reopened for writing. Otherwise a new object read log file will be started.

When the local system time crosses midnight UTC, the current object read log is closed and a new one is started.

The following methods have been added:

System class >> currentObjectReadLogFile
Answer a string containing the current object read log file which the stone is writing to, or nil if the object read logging feature is disabled.

System class >> startNewObjectReadLog
Requests Stone close the current object read log file and start a new one. Blocks until the operation has completed. Returns true on success, false if the object read logging feature is disabled, and raises an exception on error. Requires FileControl privilege.

System class >> flushObjectReadBuffer
Forces the gem to immediately send any buffered object read records to the stone.

File Management

Applications must manage storage and archiving of object read log files, to ensure the file system containing these logs does not become full.

It is recommended that the log files be compressed using gzip or lz4 data compression, and that archiving scripts run using CRON so that object read log files are automatically archived.

If a write to the object read log file fails, the following actions will be taken in sequence:

1. Log a message to the stone log regarding the write failure.

2. Retry the write 3 times.

3. If the write still fails, open a new object read log file in the next directory.

4. Repeat item 2 until all object read log directories have been tried.

5. Log a message to the stone log indicating all object read log space is full.

6. Suspend (block) the session and retry opening a new object read log file periodically.

7. Terminate the session if the writes cannot be completed within 5 minutes or the blocked session causes a commit record backlog, whichever occurs first.

Errors opening, renaming and writing the object read log file are recorded in the Stone log.

Added Configuration File Options

UserProfiles exempt from read tracking

UserProfiles may be given a new privilege, DisableObjectReadLogging.

UserProfiles with this privilege do not have their object reads tracked. To allow an automated batch job to operated without generating excessive read tracking, execute that job as a UserProfile with the DisableObjectReadLogging privilege.

To ensure the UserProfiles can be clearly written to the .csv file, creation of new UserProfiles requires that the userId contain only compatible characters; see Admin GcGem’s number of threads is now dynamically configured.

Added Privileges

Added Cache Statistics

The following cache statistics related to object read tracking have been added:

NumInReadTrackingQueue (Stn)
Number of sessions waiting for data to be written to the Read Tracking Log.

ObjectsReadTracked (Gem)
Number of object faults for which a record was added to the Read Tracking Log.

ReadTrackingFileSize (Stn)
Size in bytes of the currently open Read Tracking Log.

ReadTrackingServiceCount (Stn)
Number of Read Tracking buffers processed by stone.

Object Read Log File Format

The object read log is in CSV file format, as specified by RFC 4180.

The first line of each file will contain column headers.

There are three record types: O, F, and R.

The first field of a record is a single letter, either O, F, or R, indicating the type.

• An O record includes the details on a specific read record.
• An F record marks the end of a group of O records that were in the same buffer composed by a gem.
• An R record is generated when System class >> setObjectReadTracking: is used, indicating dynamic disable or re-enable of object tracking.

The fields for each record are:

O, TimeGMT, UserName, UserProfileOop, GemProcessId, GemHostName, GemHostIpAddress, GemClientIpAddress, ObjectReadOop, ObjectReadClassOop, ObjectReadClassName

R, TimeGMT, UserName, UserProfileOop, GemProcessId, GemHostName, GemHostIpAddress, GemClientIpAddress, empty, empty, ReadTrackState

F, TimeGMT, UserName, UserProfileOop, GemProcessId

The following fields are defined:

TimeGMT (Integer)
Timestamp in GMT of the object read operation, updated when a gem composes the first O record of a session, when an R record is written, and when the F record is composed by a gem to flush a buffer.

UserName (String)
The GemStone user name of the user performing the read, UTF8 encoded and enclosed in double quotes. Taken from the userId instance variable of the session’s UserProfile object.

UserProfileOop (Integer)
The OOP of the user profile.

GemProcessId (String)
The process ID of the session.

GemHostName (String)
The name of the host on which the gem is running, the result of calling hostname(). This field is enclosed in double quotes.

GemHostIpAddress (String)
The IP Address of the gem’s end of the GCI client to gem connection; the result of calling getsockname() on the socket for the GCI client to gem connection. Does not do a reverse DNS lookup. For linked sessions, such as topaz -l, this field is empty.

GemClientIpAddress (String)
The IP Address of the gem’s client’s host, the result of calling getpeername() on the socket which is the gem's end of the GCI client to gem connection. For linked sessions, such as topaz -l, this field is set to gcilnk.

ObjectReadOop (Integer)
The OOP of the object read by the user.

ObjectReadClassOop (Integer)
The OOP of the class of the object read.

ObjectReadClassName (String)
The name of the class, UTF8 encoded.

ReadTrackState (String)
Either 'True' or 'False'

Added LdapDirectoryServer methods

The following methods have been added:

LdapDirectoryServer >> validatePassword: aPassword forUserId: aUserId withBaseDn: aBaseDn filterDn: aFilterDn
Use the receiver LdapDirectoryServer to validate the given userId and password. See the method comments for examples on using this method for validation.

LdapDirectoryServer class >> basicNewWithUri: uri bindDN: aBindDn password: password baseDN: baseDn tlsCaCert: caCert tlsCert: cert tlsKey: key tlsReqCert: aSymbol
Creates a new instance of the receiver but does not add it to the list of LdapDirectoryServer objects used to authorize logins.

LdapDirectoryServer class >> newWithUri: uri bindDN: aBindDn password: password baseDN: baseDn tlsCaCert: caCert tlsCert: cert tlsKey: key tlsReqCert: aSymbol
Creates a new instance of the receiver and adds the resulting object to the list of LdapDirectoryServer objects used to authorize logins.

LdapDirectoryServer class >> testConnectionToServer: uri bindDN: aBindDn password: password baseDN: baseDn tlsCaCert: caCert tlsCert: cert tlsKey: key tlsReqCert: aSymbol
Attempts to perform a bind using aBindDn and password to the LDAP server specified by uri. Also sets the TLS credentials, if those arguments are not nil. Returns true if the connection was successful, otherwise returns false.

Extracting a string from a CByteArray

CByteArray >> stringFrom: zeroBasedStart
return a new String containing the bytes of the receiver from specified start byte to the first byte preceding a zero byte. Interprets the data starting at &body[zeroBasedStart] as NUL terminated char* data, and returns an instance of String containing that data.

CByteArray >> strlenFrom: zeroBasedStart
return result of strlen() starting from the byte of receiver specified by zeroBasedStart.

CByteArray >> decodeUTF8from: zeroBasedStart to: zeroBasedEnd unicode: unicodeBoolean
Decode the UTF8 encode bytes of the receiver from zeroBasedStart to zeroBasedEnd; if unicodeBoolean==false returns a String, DoubleByteString or QuadByteString, if unicodeBoolean==true returns a Unicode7, Unicode16 or Unicode32. If zeroBasedEnd == -1, strlen() is used starting from zeroBasedStart to determine the number of bytes to be decoded.

Extracting a string from a CPointer

CPointer >> decodeFromUTF8ToString
Decode the NUL terminated UTF8 data starting at self memoryAddress and return a String, DoubleByteString or QuadByteString.

CPointer >> decodeFromUTF8ToUnicode
Decode the NUL terminated UTF8 data starting at self memoryAddress and return a Unicode7, Unicode16 or Unicode32.

CPointer >> stringFromCharStar
Return a String from the char* data starting at self memoryAddress.

CPointer >> utf8FromCharStar
Return a Utf8 from the char* data starting at self memoryAddress.

CByteArray added instance creation methods

The following added methods allow you to create a CByteArray based on an Array of strings or integers.

CByteArray class >> fromArrayEncodeUtf8: arrayOfStrings extraNullPointer: addExtraNull
Takes an array of Strings objects and creates a C array of pointers to UTF8 encoded bytes. Each element of arrayOfStrings must be a String or MultiByteString. Space for a NUL character for each element is included in the total. If addExtraNull is true, an extra NULL pointer is appended to the list of pointers to terminate the list.

CByteArray class >> fromArrayOfByteObjects: arrayOfByteObjs extraNullPointer: addExtraNull
Takes an array of byte objects and creates a C array of pointers to bytes. Each element of arrayOfByteObjs must be a String; note that DoubleByteString or QuadByteString are not allowed. Space for a NUL character for each element is included in the total. If addExtraNull is true, an extra NULL pointer is appended to the list of pointers to terminate the list.

CByteArray class >> fromArrayOfInt32: arrayOfInt32s
Takes an array of 32-bit ints and creates a C array.

CByteArray class >> fromArrayOfInt64: arrayOfInt64s
Takes an array of 64-bit ints and creates a C array.

Importing an Array into a CByteArray

The following methods import the contents of an Array into a CByteArray

CByteArray >> addArrayOfByteObjects: arrayOfByteObjs extraNullPointer: addExtraNull
Write the elements of arrayOfByteObjs, which must be a kinds of String (single-byte), to the receiver, starting at offset 1 and overwriting existing contents. Signal an error if any of the elements of arrayOfByteObjs contain codePoint zero.

CByteArray >> addArrayOfInt32: arrayOfInt32
Write the elements of arrayOfInt32 to the receiver, starting at offset 1 and overwriting existing contents.

CByteArray >> addArrayOfInt64: arrayOfInt64
Write the elements of arrayOfInt64 to the receiver, starting at offset 1 and overwriting existing contents.

CByteArray >> addUtf8Encoded: arrayOfStrings extraNullPointer: addExtraNull
Write the elements of arrayOfStrings, which must be a kinds of String or MultiByteString, to the receiver, starting at offset 1 and overwriting existing contents. Signals an Error if any of the elements of arrayOfStrings contain codePoint zero.

Adding a UTF8-encoded string to a CByteArray

CByteArray >> encodeUTF8From: anObject into: zeroBasedDestOffset allowCodePointZero: zeroBoolean
anObject may be a String or MultiByteString. The codepoints in anObject are encoded into UTF8 and the resulting UTF8 bytes are copied into the receiver starting at zeroBasedDestOffset. If zeroBoolean==false, signals an Error if anObject contains codePoint zero. Returns a SmallInteger, possibly zero, the number of UTF8 bytes copied into the receiver. There is no terminating NUL byte written to the destination.

Computing required CByteArray space for the contents of an Array

The following added methods compute the space required for a CByteArray that would be created from an Array of strings or integers.

CByteArray class >> computeSizeForArrayOfByteObjects: arrayOfByteObjs extraNullPointer: addExtraNull
Compute the number of bytes needed to contain arrayOfByteObjs in an instance of the receiver which will represent an array of bytes in C. Each element of arrayOfByteObjs must be a kind of String (MultiByteStrings are not allowed). Space for a NULL character for each element is included in the total. If addExtraNull is true, space for an additional NULL element in the array of C pointers will be included.

CByteArray class >> computeSizeForArrayOfInt32: arrayOfInt32
Compute the number of bytes needed to contain arrayOfInt32 in an instance of the receiver which will represent an array of bytes in C.

CByteArray class >> computeSizeForArrayOfInt64: arrayOfInt64
Compute the number of bytes needed to contain arrayOfInt64 in an instance of the receiver which will represent an array of bytes in C.

CByteArray class >> computeSizeForArrayOfUtf8Encoded: arrayOfStrings extraNullPointer: extraNullBoolean
Compute the number of bytes needed to contain arrayOfStrings in an instance of the receiver which will represent an array of bytes in C. Elements in arrayOfStrings must be kinds of String or MultiByteString. Space for a NULL character for each element is included in the total. If addExtraNull is true, space for an additional NULL element in the array of C pointers will be included.

MultiByteString >> sizeForEncodeAsUTF8

String >> sizeForEncodeAsUTF8

Utf8 >> sizeForEncodeAsUTF8

Handling code point zero

The C primitive that handles CByteArray copy now can detect if the argument contains NUL characters, which may or may not be allowed depending on the contents of the CByteArray. The following is the new method:

CByteArray >> copyBytesFrom: anObject from: oneBasedStart to: oneBasedEnd into: zeroBasedDestOffset allowCodePointZero: zeroBoolean
Copy the specified bytes of anObject into the receiver at the given offset. anObject may be any byte format object or a CByteArray. Returns number of bytes copied (possibly zero).

Other Added FFI methods

CPointer >> isNull
Answer true if the receiver is a NULL pointer, false otherwise.

CPointer >> notNull
Answer true if the receiver is not a NULL pointer, false otherwise.

GsFile >> filePointer
Returns a CPointer representing the underlying FILE * in C. Valid for open server files only. Returns nil if the file is compressed, on the client, or if an error occurs. Care must be taken to not access the result of this method after the receiver has been closed.

GS_ERR_READ_TRACKING_FULL/4020

When using Object Read Tracking, Error when all STN_OBJECT_READ_LOG_DIRECTORIES are full.

GS_ERR_INVALID_TRANLOG_RECORD / 4021

An invalid tranlog record was received by the Stone.

ERR_SshSocketError/2759

Reserved to support features in future releases.

ERR_AwsError/2760

Reserved to support features in future releases.

ERR_PostgresError/2761

An exception signaled when Postgres operations fail; for use by GemConnect for Postgres.
A new class, PostgresError, has been added to the image to support this error.

GsFile position incorrect for r+ file mode with atEnd

If a GsFile was open for read/write, mode r+ (for example, GsFile class >> openUpdateOnServer:), then after invoking atEnd, the file position is incorrect; GsFile >> position will return 0. Subsequent writes will be in the correct location.

However, if GsFile >> position: is sent, followed by atEnd, a subsequent write may not be in the correct location. (#49568)

Failure in OS call from GsFile write primitives potential to SEGV

Within the GsFile write primitives, if an OS write call returned a negative value due to an unexpected write error, the code did not immediately return. Further execution could cause a SEGV. (#49540)

GC state change during multithreaded scan fails to report error

When voting or an atomic promote occurs while a multithreaded scan such as listInstances is in process, the results of the multithreaded scan are no longer reliable. This previously returned an empty collection; now, an error is signaled. The multithreaded scan operation can be executed again to get the results. (#49651)

Multi-threaded operations could use up all available process slots

When a multi-threader operation such as markForCollection was requested with more threads than currently available process slots in the repository, previously the operation executed with as many threads as available process slots. This prevented other sessions from logging in, including stopstone. In addition, if the multi-threaded operation was expected to run with a large number of threads but only a small number of slots was available, it would run with those few threads, unexpectedly taking much longer to complete. (#49611)

Now, if there are not enough process slots available, the requested operation is executed with half as many threads as requested.

If this is still more than is available, an error is reported, allowing you to determine the reason for unavailable slots and correct the problem, or retry with a smaller number of threads.

Cumulative algorithm changes in Symbol GC

Symbol Garbage Collection has undergone a number of internal changes in the algorithm used to ensure behavior is correct for large sets of dead symbols in active repositories, with additional validation on large customer repositories. Note that the documentation describing the internal algorithms used is no longer correct with respect to current behavior.

Symbol GC slow with many dead symbols

When Symbol GC found a very large number of possible dead symbols, the write set union sweep became unreasonably slow. This was a result of the possibleDeadSymbol structure containing large collision buckets; the objects referenced from the collision buckets were being read, which is unnecessary, since all contained objects would be symbols. (#49504)

CCallout string arguments allowed MultiByteString, disallowed Utf8

When invoking a CCallout method and specifying arguments of type char* or const char*, the checking for suitable GemStone classes was not correct. (#49557)

• These methods allow arguments of type String; MultiByteString was previously accepted, but is now disallowed.
• Arguments of type Utf8 are now allowed.

CDeclaration doesNotUnderstand: #'cByteArraySpecies'

The message sent to flexibly handle CByteArray classes was incorrect. (#49599)

CByteArray >> floatAt:put: did not accept SmallFloat arguments

The method CByteArray>>floatAt:put: errored with an argument that was a SmallFloat (#49493). While SmallFloat is largely deprecated in favor of SmallDouble, it is still used in the FFI when interfacing to libraries which take 8-bit floating points.

LDAP did not work for processes in setuid mode

If the process is in setuid mode (that is, the real and effective UNIX userIds of a process are not the same), LDAP does not read environment variables, nor files in the $HOME directory, and thus was not able to set all required information to connect to an LDAP server. (#49498)

With a setuid mode process, such as a Gem with the s bit set, you will need to use the new LdapDirectoryServer tls* instance variables within GemStone Smalltalk to set the certificate requirement, and certificates if necessary, that allow connection to the LDAP server. See LdapDirectoryServer now supports TLS options.

GemStone's LDAP library did not correctly set directory for ldap.conf

GemStone's LDAP library, libldap-N.N.N-64.so (depending on version), looked for ldap.conf in the installation directory, $GEMSTONE, which did not follow LDAP conventions. (#49515)

Now, it will look for /etc/openldap/ldap.conf. This setting can be overridden by environment variables, or by files .ldaprc or ldaprc. Note that the specific LDAP search sequence is distribution dependent; this is the RedHat/CentOS convention. See the ldap.conf man page for your distribution for details.

LDAP did not support reset of TLS credentials

The binding to TLS credentials in LDAP could not be done more than once; so changing TLS credentials required restarting the process. (#49499)