diff --git a/.openldap.metadata b/.openldap.metadata
new file mode 100644
index 0000000..80bf8dc
--- /dev/null
+++ b/.openldap.metadata
@@ -0,0 +1,2 @@
+db02243150b050baac6a8ea4145ad73a1f6d2266 SOURCES/openldap-2.4.35.tgz
+444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/ldap.conf b/SOURCES/ldap.conf
new file mode 100644
index 0000000..661a259
--- /dev/null
+++ b/SOURCES/ldap.conf
@@ -0,0 +1,18 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+TLS_CACERTDIR /etc/openldap/certs
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON on
\ No newline at end of file
diff --git a/SOURCES/libexec-check-config.sh b/SOURCES/libexec-check-config.sh
new file mode 100755
index 0000000..87e377f
--- /dev/null
+++ b/SOURCES/libexec-check-config.sh
@@ -0,0 +1,91 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/openldap/functions + +function check_config_syntax() +{ + retcode=0 + tmp_slaptest=`mktemp --tmpdir=/var/run/openldap` + run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest + if [ $? -ne 0 ]; then + error "Checking configuration file failed:" + cat $tmp_slaptest >&2 + retcode=1 + fi + rm $tmp_slaptest + return $retcode +} + +function check_certs_perms() +{ + retcode=0 + for cert in `certificates`; do + run_as_ldap "/usr/bin/test -e \"$cert\"" + if [ $? -ne 0 ]; then + error "TLS certificate/key/DB '%s' was not found." "$cert" + retcoder=1 + continue + fi + run_as_ldap "/usr/bin/test -r \"$cert\"" + if [ $? -ne 0 ]; then + error "TLS certificate/key/DB '%s' is not readable." "$cert" + retcode=1 + fi + done + return $retcode +} + +function check_db_perms() +{ + retcode=0 + for dbdir in `databases`; do + [ -d "$dbdir" ] || continue + for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do + run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\"" + if [ $? -ne 0 ]; then + error "Read/write permissions for DB file '%s' are required." "$dbfile" + retcode=1 + fi + done + done + return $retcode +} + +function check_everything() +{ + retcode=0 + check_config_syntax || retcode=1 + # TODO: need support for Mozilla NSS, disabling temporarily + #check_certs_perms || retcode=1 + check_db_perms || retcode=1 + return $retcode +} + +if [ `id -u` -ne 0 ]; then + error "You have to be root to run this script." + exit 4 +fi + +load_sysconfig + +if [ -n "$SLAPD_CONFIG_DIR" ]; then + if [ ! -d "$SLAPD_CONFIG_DIR" ]; then + error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR" + else + check_everything + exit $? + fi +fi + +if [ -n "$SLAPD_CONFIG_FILE" ]; then + if [ ! -f "$SLAPD_CONFIG_FILE" ]; then + error "Configuration file '%s' does not exist." 
"$SLAPD_CONFIG_FILE" + else + error "Warning: Usage of a configuration file is obsolete!" + check_everything + exit $? + fi +fi + +exit 1 diff --git a/SOURCES/libexec-convert-config.sh b/SOURCES/libexec-convert-config.sh new file mode 100755 index 0000000..ca9884f --- /dev/null +++ b/SOURCES/libexec-convert-config.sh 
@@ -0,0 +1,79 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/openldap/functions + +function help() +{ + error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`" + exit 2 +} + +load_sysconfig + +while getopts :f:F: opt; do + case "$opt" in + f) + SLAPD_CONFIG_FILE="$OPTARG" + ;; + F) + SLAPD_CONFIG_DIR="$OPTARG" + ;; + *) + help + ;; + esac +done +shift $((OPTIND-1)) +[ -n "$1" ] && help + +# check source, target + +if [ ! -f "$SLAPD_CONFIG_FILE" ]; then + error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE" + exit 1 +fi + +if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then + SLAPD_CONFIG_FILE_FORMAT=ldif +else + SLAPD_CONFIG_FILE_FORMAT=conf +fi + +if [ -d "$SLAPD_CONFIG_DIR" ]; then + if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then + error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR" + exit 1 + fi +fi + +# perform the conversion + +tmp_convert=`mktemp --tmpdir=/var/run/openldap` + +if [ `id -u` -eq 0 ]; then + install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert + if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then + run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert + else + run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert + fi + retcode=$? +else + error "You are not root! Permission will not be set." + install -d --mode 0700 "$SLAPD_CONFIG_DIR" &>>$tmp_convert + if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then + /usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert + else + /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert + fi + retcode=$? +fi + +if [ $retcode -ne 0 ]; then + error "Configuration conversion failed:" + cat $tmp_convert >&2 +fi + +rm $tmp_convert +exit $retcode 
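Review bot: The result of `mktemp --tmpdir=/var/run/openldap` is never checked; in the non-root branch the script explicitly supports, /var/run/openldap is unlikely to be writable by the caller, so `$tmp_convert` is empty, every `&>>$tmp_convert` redirection fails with an ambiguous redirect, and the final `rm $tmp_convert` runs with no argument. Use `tmp_convert=$(mktemp --tmpdir=/var/run/openldap) || exit 1` and `trap 'rm -f "$tmp_convert"' EXIT` so the log is also removed when the conversion is interrupted. The non-root branch creates the target directory 0700 owned by the invoking user, which slapd cannot read; the warning only says permissions "will not be set", so it should say that the directory must be chowned to `$SLAPD_USER` before slapd is started. `[ $SLAPD_CONFIG_FILE_FORMAT = ldif ]` is harmless here because the value is one of two fixed words, but quoting it keeps the test from breaking if the assignment above is ever changed.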
diff --git a/SOURCES/libexec-create-certdb.sh b/SOURCES/libexec-create-certdb.sh new file mode 100755 index 0000000..2377fdd --- /dev/null +++ b/SOURCES/libexec-create-certdb.sh @@ -0,0 +1,70 @@ +#!/bin/bash +# Author: Jan Vcelak + +set -e + +# default options + +CERTDB_DIR=/etc/openldap/certs + +# internals + +MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so" +RANDOM_SOURCE=/dev/urandom +PASSWORD_BYTES=32 + +# parse arguments + +usage() { + printf "usage: create-certdb.sh [-d certdb]\n" >&2 + exit 1 +} + +while getopts "d:" opt; do + case "$opt" in + d) + CERTDB_DIR="$OPTARG" + ;; + \?) + usage + ;; + esac +done + +[ "$OPTIND" -le "$#" ] && usage + +# verify target location + +if [ ! -d "$CERTDB_DIR" ]; then + printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2 + exit 1 +fi + +if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then + printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2 + exit 1 +fi + +# create the database + +printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2 + +PASSWORD_FILE="$CERTDB_DIR/password" +OLD_UMASK="$(umask)" +umask 0377 +dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE" +umask "$OLD_UMASK" + +certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null + +# load module with builtin CA certificates + +echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null + +# tune permissions + +for dbfile in "$CERTDB_DIR"/*.db; do + chmod 0644 "$dbfile" +done + +exit 0 diff --git a/SOURCES/libexec-functions b/SOURCES/libexec-functions new file mode 100644 index 0000000..990d2b8 --- /dev/null +++ b/SOURCES/libexec-functions 
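Review bot: `$MODULE_CKBI` is never checked for existence before `modutil -add`, and under `set -e` a missing libnssckbi.so aborts the script after the password file and the NSS database have already been written; the earlier "not empty" check then refuses a re-run, leaving a database with no trust anchors. Add `[ -r "$MODULE_CKBI" ] || { printf "NSS builtin module '%s' not found.\n" "$MODULE_CKBI" >&2; exit 1; }` before the database is created, and a `trap` that removes the partially created files on failure. Loading the builtin root module into the database that ldap.conf points at via TLS_CACERTDIR makes every public CA a valid issuer for LDAP server certificates on this host; that is a policy choice and deserves a comment above the modutil call, e.g. `# Every CA shipped in libnssckbi becomes a trust anchor for LDAP TLS; remove the module for a private-CA-only store.` The `dd ... | base64` pipeline is not covered by `set -e` without `pipefail`, so `set -eo pipefail` at the top would catch a failed read of `$RANDOM_SOURCE` before an empty password is written.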
@@ -0,0 +1,134 @@ +# Author: Jan Vcelak + +SLAPD_USER= +SLAPD_CONFIG_FILE= +SLAPD_CONFIG_DIR= +SLAPD_CONFIG_CUSTOM= +SLAPD_GLOBAL_OPTIONS= +SLAPD_SYSCONFIG_FILE= + +function default_config() +{ + SLAPD_USER=ldap + SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf + SLAPD_CONFIG_DIR=/etc/openldap/slapd.d + SLAPD_CONFIG_CUSTOM= + SLAPD_GLOBAL_OPTIONS= + SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd +} + +function parse_config_options() +{ + user= + config_file= + config_dir= + while getopts :u:f:F: opt; do + case "$opt" in + u) + user="$OPTARG" + ;; + f) + config_file="$OPTARG" + ;; + F) + config_dir="$OPTARG" + ;; + esac + done + + if [ -n "$user" ]; then + SLAPD_USER="$user" + fi + + if [ -n "$config_dir" ]; then + SLAPD_CONFIG_DIR="$config_dir" + SLAPD_CONFIG_FILE= + SLAPD_CONFIG_CUSTOM=1 + SLAPD_GLOBAL_OPTIONS="-F '$config_dir'" + elif [ -n "$config_file" ]; then + SLAPD_CONFIG_DIR= + SLAPD_CONFIG_FILE="$config_file" + SLAPD_CONFIG_CUSTOM=1 + SLAPD_GLOBAL_OPTIONS="-f '$config_file'" + fi +} + +function uses_new_config() +{ + [ -n "$SLAPD_CONFIG_DIR" ] + return $? +} + +function run_as_ldap() +{ + /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER" + return $? 
+} + +function ldif_unbreak() +{ + sed ':a;N;s/\n //;ta;P;D' +} + +function ldif_value() +{ + sed 's/^[^:]*: //' +} + +function databases_new() +{ + slapcat $SLAPD_GLOBAL_OPTIONS -c \ + -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \ + ldif_unbreak | \ + grep '^olcDbDirectory: ' | \ + ldif_value +} + +function databases_old() +{ + awk 'begin { database="" } + $1 == "database" { database=$2 } + $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \ + "$SLAPD_CONFIG_FILE" +} + +function certificates_new() +{ + slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \ + ldif_unbreak | \ + grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \ + ldif_value +} + +function certificates_old() +{ + awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \ + "$SLAPD_CONFIG_FILE" +} + +function certificates() +{ + uses_new_config && certificates_new || certificates_old +} + +function databases() +{ + uses_new_config && databases_new || databases_old +} + + +function error() +{ + format="$1\n"; shift + printf "$format" $@ >&2 +} + +function load_sysconfig() +{ + [ -r "$SLAPD_SYSCONFIG_FILE" ] || return + + . "$SLAPD_SYSCONFIG_FILE" + [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS +} + +default_config diff --git a/SOURCES/libexec-generate-server-cert.sh b/SOURCES/libexec-generate-server-cert.sh new file mode 100755 index 0000000..1a66b8c --- /dev/null +++ b/SOURCES/libexec-generate-server-cert.sh 
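Review bot: `parse_config_options` builds `SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"` with literal single quotes, which works for the shell string handed to `run_as_ldap` but is wrong where the variable is expanded directly, as in `slapcat $SLAPD_GLOBAL_OPTIONS -c` in databases_new and certificates_new: word splitting leaves the quotes in the argument, slapcat receives `'/path'`, fails, `2>/dev/null` hides it, and `databases` returns an empty list so the DB and certificate checks silently pass whenever sysconfig's SLAPD_OPTIONS carries -F or -f. Store the bare path (`SLAPD_GLOBAL_OPTIONS="-F $config_dir"` and quote at the use sites, or an array if the file moves to bash) rather than pre-quoted text. `error()` expands `$@` unquoted, so a path containing whitespace is split across `%s` conversions; it should be `printf "$format" "$@" >&2`. In databases_old the awk pattern `begin` is lowercase, so it is an ordinary expression that never matches rather than the BEGIN block; the assignment is harmless but `BEGIN` is what is intended. `run_as_ldap` hands a command string to `runuser --session-command`, so every caller interpolates file paths into shell syntax; the paths come from root-owned configuration, but a path containing `$(` or backquotes would be executed as the ldap user, which is worth a comment on the function.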
@@ -0,0 +1,118 @@ +#!/bin/bash +# Author: Jan Vcelak + +set -e + +# default options + +CERTDB_DIR=/etc/openldap/certs +CERT_NAME="OpenLDAP Server" +PASSWORD_FILE= +HOSTNAME_FQDN="$(hostname --fqdn)" +ALT_NAMES= +ONCE=0 + +# internals + +RANDOM_SOURCE=/dev/urandom +CERT_RANDOM_BYTES=256 +CERT_KEY_TYPE=rsa +CERT_KEY_SIZE=1024 +CERT_VALID_MONTHS=12 + +# parse arguments + +usage() { + printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2 + printf " [-p password-file] [-h hostnames]\n" >&2 + pritnf " [-a dns-alt-names] [-o]\n" >&2 + exit 1 +} + +while getopts "d:n:p:h:a:o" opt; do + case "$opt" in + d) + CERTDB_DIR="$OPTARG" + ;; + n) + CERT_NAME="$OPTARG" + ;; + p) + PASSWORD_FILE="$OPTARG" + ;; + h) + HOSTNAME_FQDN="$OPTARG" + ;; + a) + ALT_NAMES="$OPTARG" + ;; + o) + ONCE=1 + ;; + \?) + usage + ;; + esac +done + +[ "$OPTIND" -le "$#" ] && usage + +# generated options + +ONCE_FILE="$CERTDB_DIR/.slapd-leave" +PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}" +ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}" + +# verify target location + +if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then + printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2 + exit 0 +fi + +if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then + printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2 + exit 1 +fi + +printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2 + +if [ ! 
-r "$PASSWORD_FILE" ]; then + printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2 + exit 1 +fi + +if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then + printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2 + exit 1 +fi + +# generate server certificate (self signed) + + +CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap) +dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null + +certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \ + -S -x -n "$CERT_NAME" \ + -s "CN=$HOSTNAME_FQDN" \ + -t TC,, \ + -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \ + -v $CERT_VALID_MONTHS \ + -8 "$ALT_NAMES" \ + &>/dev/null + +rm -f $RANDOM_DATA + +# tune permissions + +if [ "$(id -u)" -eq 0 ]; then + chgrp ldap "$PASSWORD_FILE" + chmod g+r "$PASSWORD_FILE" +else + printf "WARNING: The server requires read permissions on the password file in order to\n" >&2 + printf " load it's private key from the certificate database.\n" >&2 +fi + +touch "$ONCE_FILE" +exit 0 diff --git a/SOURCES/libexec-upgrade-db.sh b/SOURCES/libexec-upgrade-db.sh new file mode 100755 index 0000000..1543c80 --- /dev/null +++ b/SOURCES/libexec-upgrade-db.sh 
@@ -0,0 +1,40 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/openldap/functions + +if [ `id -u` -ne 0 ]; then + error "You have to be root to run this command." + exit 4 +fi + +load_sysconfig +retcode=0 + +for dbdir in `databases`; do + upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log" + bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '` + + # skip uninitialized database + [ -z "$bdb_files"] || continue + + printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log" + + # perform the update + for command in \ + "/usr/bin/db_recover -v -h \"$dbdir\"" \ + "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \ + "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \ + ; do + printf "Executing: %s\n" "$command" &>>$upgrade_log + run_as_ldap "$command" &>>$upgrade_log + result=$? + printf "Exit code: %d\n" $result >>"$upgrade_log" + if [ $result -ne 0 ]; then + printf "Upgrade failed: %d\n" $result + retcode=1 + fi + done +done + +exit $retcode diff --git a/SOURCES/openldap-ai-addrconfig.patch b/SOURCES/openldap-ai-addrconfig.patch new file mode 100644 index 0000000..0858fac --- /dev/null +++ b/SOURCES/openldap-ai-addrconfig.patch @@ -0,0 +1,20 @@ +use AI_ADDRCONFIG if defined in the environment + +Author: Jan Vcelak +Upstream ITS: #7326 +Resolves: #835013 + +diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c +index b31e05d..fa361ab 100644 +--- a/libraries/libldap/os-ip.c ++++ b/libraries/libldap/os-ip.c +@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb, + + #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP ) + memset( &hints, '\0', sizeof(hints) ); +-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */ +- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */ ++#ifdef AI_ADDRCONFIG + hints.ai_flags = AI_ADDRCONFIG; + #endif + hints.ai_family = ldap_int_inet4or6; 
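Review bot: `[ -z "$bdb_files"] || continue` is wrong twice: the `]` is glued to the operand, and the sense is inverted relative to the comment above it. For a directory that holds .bdb files the argument becomes `"x.bdb" ]` with no closing bracket, `[` fails with "missing ']'" and the directory is skipped; for an empty directory the test degenerates to `[ -z ]`, which is true, so db_recover/db_upgrade/db_checkpoint are run in the uninitialized one instead. The intended line is `[ -n "$bdb_files" ] || continue`, and because the skipped case still exits 0 a packaging hook calling this script would believe the Berkeley DB environment was upgraded when it was not. The `&>>$upgrade_log` redirections are bash-only under `#!/bin/sh`; use `>>"$upgrade_log" 2>&1` (quoted, as the later `printf` already does) or change the shebang.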
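Review bot: Setting `AI_ADDRCONFIG` unconditionally changes name resolution on hosts whose only configured addresses are loopback: glibc ignores loopback when deciding which families are "configured", so URIs such as `ldap://localhost` can fail to resolve in minimal containers or early in boot even though the server is reachable. The removed `USE_AI_ADDRCONFIG /* FIXME: configure test needed */` guard existed because of that class of problem; at minimum the patch header should record the trade-off, and a runtime opt-out (an ldap.conf or `LDAP_OPT` knob) would keep the previous behaviour available to affected deployments. The enclosing function ldap_connect_to_host continues outside the hunk.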
diff --git a/SOURCES/openldap-autoconf-pkgconfig-nss.patch b/SOURCES/openldap-autoconf-pkgconfig-nss.patch new file mode 100644 index 0000000..8b4bb19 --- /dev/null +++ b/SOURCES/openldap-autoconf-pkgconfig-nss.patch @@ -0,0 +1,49 @@ +Use pkg-config for Mozilla NSS library detection + +Author: Jan Vcelak + +--- + configure.in | 22 +++++----------------- + 1 file changed, 5 insertions(+), 17 deletions(-) + +diff --git a/configure.in b/configure.in +index ecffe30..2a9cfb4 100644 +--- a/configure.in ++++ b/configure.in +@@ -1223,28 +1223,16 @@ if test $ol_link_tls = no ; then + fi + fi + +-dnl NOTE: caller must specify -I/path/to/nspr4 and -I/path/to/nss3 +-dnl and -L/path/to/nspr4 libs and -L/path/to/nss3 libs if those libs +-dnl are not in the default system location + if test $ol_link_tls = no ; then + if test $ol_with_tls = moznss || test $ol_with_tls = auto ; then +- have_moznss=no +- AC_CHECK_HEADERS([nssutil.h]) +- if test "$ac_cv_header_nssutil_h" = yes ; then +- AC_CHECK_LIB([nss3], [NSS_Initialize], +- [ have_moznss=yes ], [ have_moznss=no ]) +- fi ++ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss=yes], [have_moznss=no]) + +- if test "$have_moznss" = yes ; then ++ if test $have_moznss = yes ; then + ol_with_tls=moznss + ol_link_tls=yes +- AC_DEFINE(HAVE_MOZNSS, 1, +- [define if you have MozNSS]) +- TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4" +- else +- if test $ol_with_tls = moznss ; then +- AC_MSG_ERROR([MozNSS not found - please specify the location to the NSPR and NSS header files in CPPFLAGS and the location to the NSPR and NSS libraries in LDFLAGS (if not in the system location)]) +- fi ++ AC_DEFINE(HAVE_MOZNSS, 1, [define if you have MozNSS]) ++ TLS_LIBS="$MOZNSS_LIBS" ++ CFLAGS="$CFLAGS $MOZNSS_CFLAGS" + fi + fi + fi +-- +1.7.11.7 + diff --git a/SOURCES/openldap-cldap.patch b/SOURCES/openldap-cldap.patch new file mode 100644 index 0000000..834b74f --- /dev/null +++ b/SOURCES/openldap-cldap.patch 
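Review bot: The removed block raised `AC_MSG_ERROR` when `--with-tls=moznss` was requested explicitly and NSS could not be found; the new `PKG_CHECK_MODULES` branch just leaves `have_moznss=no` and `ol_link_tls=no`, so an explicit moznss request on a build host without the nss/nspr .pc files continues silently (unless a later check outside this hunk catches it) and can yield a slapd built without TLS. Restore the error on the failure path, e.g. `[have_moznss=no; test $ol_with_tls = moznss && AC_MSG_ERROR([MozNSS not found via pkg-config])]` as the fourth PKG_CHECK_MODULES argument. Appending `$MOZNSS_CFLAGS` to CFLAGS rather than CPPFLAGS is unusual for include paths; if it is deliberate, a one-line comment saying why would save the next maintainer from "fixing" it.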
@@ -0,0 +1,270 @@ +This is a 3-part patch that fixes connectionless ldap when used with IPv6. +================================================================================ +Don't try to parse the result of a CLDAP bind request. Since these are +faked, no message is actually returned. + +Author: Stef Walter +Upstream commit: 5c919894779d67280fa26afdd94d99248fc38099 +ITS: #7695 +Backported-By: Jan Synacek + +--- a/clients/tools/common.c 2013-08-16 20:12:59.000000000 +0200 ++++ b/clients/tools/common.c 2013-10-14 09:35:50.817033451 +0200 +@@ -1521,11 +1521,13 @@ tool_bind( LDAP *ld ) + tool_exit( ld, LDAP_LOCAL_ERROR ); + } + +- rc = ldap_parse_result( ld, result, &err, &matched, &info, &refs, +- &ctrls, 1 ); +- if ( rc != LDAP_SUCCESS ) { +- tool_perror( "ldap_bind parse result", rc, NULL, matched, info, refs ); +- tool_exit( ld, LDAP_LOCAL_ERROR ); ++ if ( result ) { ++ rc = ldap_parse_result( ld, result, &err, &matched, &info, &refs, ++ &ctrls, 1 ); ++ if ( rc != LDAP_SUCCESS ) { ++ tool_perror( "ldap_bind parse result", rc, NULL, matched, info, refs ); ++ tool_exit( ld, LDAP_LOCAL_ERROR ); ++ } + } + + #ifdef LDAP_CONTROL_PASSWORDPOLICYREQUEST +================================================================================ +commit d51ee964fc5e1f02b035811de0f95eee81c2789f +Author: Howard Chu +Date: Thu Oct 10 10:48:08 2013 -0700 + + ITS#7694 more for IPv6 CLDAP, slapd fix + +diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c +index e169494..7ed3f63 100644 +--- a/servers/slapd/connection.c ++++ b/servers/slapd/connection.c +@@ -1499,22 +1499,53 @@ connection_input( Connection *conn , conn_readinfo *cri ) + + #ifdef LDAP_CONNECTIONLESS + if ( conn->c_is_udp ) { ++#if defined(LDAP_PF_INET6) ++ char peername[sizeof("IP=[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]:65535")]; ++ char addr[INET6_ADDRSTRLEN]; ++#else + char peername[sizeof("IP=255.255.255.255:65336")]; ++ char addr[INET_ADDRSTRLEN]; ++#endif + const char *peeraddr_string = NULL; + +- len 
= ber_int_sb_read(conn->c_sb, &peeraddr, sizeof(struct sockaddr)); +- if (len != sizeof(struct sockaddr)) return 1; ++ len = ber_int_sb_read(conn->c_sb, &peeraddr, sizeof(Sockaddr)); ++ if (len != sizeof(Sockaddr)) return 1; + ++#if defined(LDAP_PF_INET6) ++ if (peeraddr.sa_addr.sa_family == AF_INET6) { ++ if ( IN6_IS_ADDR_V4MAPPED(&peeraddr.sa_in6_addr.sin6_addr) ) { + #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP ) +- char addr[INET_ADDRSTRLEN]; +- peeraddr_string = inet_ntop( AF_INET, &peeraddr.sa_in_addr.sin_addr, ++ peeraddr_string = inet_ntop( AF_INET, ++ ((struct in_addr *)&peeraddr.sa_in6_addr.sin6_addr.s6_addr[12]), ++ addr, sizeof(addr) ); ++#else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */ ++ peeraddr_string = inet_ntoa( *((struct in_addr *) ++ &peeraddr.sa_in6_addr.sin6_addr.s6_addr[12]) ); ++#endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */ ++ if ( !peeraddr_string ) peeraddr_string = SLAP_STRING_UNKNOWN; ++ sprintf( peername, "IP=%s:%d", peeraddr_string, ++ (unsigned) ntohs( peeraddr.sa_in6_addr.sin6_port ) ); ++ } else { ++ peeraddr_string = inet_ntop( AF_INET6, ++ &peeraddr.sa_in6_addr.sin6_addr, ++ addr, sizeof addr ); ++ if ( !peeraddr_string ) peeraddr_string = SLAP_STRING_UNKNOWN; ++ sprintf( peername, "IP=[%s]:%d", peeraddr_string, ++ (unsigned) ntohs( peeraddr.sa_in6_addr.sin6_port ) ); ++ } ++ } else ++#endif ++#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP ) ++ { ++ peeraddr_string = inet_ntop( AF_INET, &peeraddr.sa_in_addr.sin_addr, + addr, sizeof(addr) ); + #else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */ +- peeraddr_string = inet_ntoa( peeraddr.sa_in_addr.sin_addr ); ++ peeraddr_string = inet_ntoa( peeraddr.sa_in_addr.sin_addr ); + #endif /* ! HAVE_GETADDRINFO || ! 
HAVE_INET_NTOP */ +- sprintf( peername, "IP=%s:%d", +- peeraddr_string, +- (unsigned) ntohs( peeraddr.sa_in_addr.sin_port ) ); ++ sprintf( peername, "IP=%s:%d", ++ peeraddr_string, ++ (unsigned) ntohs( peeraddr.sa_in_addr.sin_port ) ); ++ } + Statslog( LDAP_DEBUG_STATS, + "conn=%lu UDP request from %s (%s) accepted.\n", + conn->c_connid, peername, conn->c_sock_name.bv_val, 0, 0 ); +================================================================================ +commit 743a9783d57ea6b693e56f6545ac5d68dc9242c7 +Author: Stef Walter +Date: Thu Sep 12 15:49:36 2013 +0200 + + ITS#7694 Fix use of IPv6 with LDAP_CONNECTIONLESS + + LDAP_CONNECTIONLESS code assumed that the size of an peer address + is equal to or smaller than sizeof (struct sockaddr). + + Fix to use struct sockaddr_storage instead which is intended for + this purpose. Use getnameinfo() where appropriate so we don't + assume anything about the contents of struct sockaddr + +diff --git a/libraries/liblber/sockbuf.c b/libraries/liblber/sockbuf.c +index d997e92..858c942 100644 +--- a/libraries/liblber/sockbuf.c ++++ b/libraries/liblber/sockbuf.c +@@ -888,8 +888,8 @@ Sockbuf_IO ber_sockbuf_io_debug = { + * + * All I/O at this level must be atomic. For ease of use, the sb_readahead + * must be used above this module. All data reads and writes are prefixed +- * with a sockaddr containing the address of the remote entity. Upper levels +- * must read and write this sockaddr before doing the usual ber_printf/scanf ++ * with a sockaddr_storage containing the address of the remote entity. Upper levels ++ * must read and write this sockaddr_storage before doing the usual ber_printf/scanf + * operations on LDAP messages. 
+ */ + +@@ -914,13 +914,13 @@ sb_dgram_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len ) + assert( SOCKBUF_VALID( sbiod->sbiod_sb ) ); + assert( buf != NULL ); + +- addrlen = sizeof( struct sockaddr ); ++ addrlen = sizeof( struct sockaddr_storage ); + src = buf; + buf = (char *) buf + addrlen; + len -= addrlen; + rc = recvfrom( sbiod->sbiod_sb->sb_fd, buf, len, 0, src, &addrlen ); + +- return rc > 0 ? rc+sizeof(struct sockaddr) : rc; ++ return rc > 0 ? rc+sizeof(struct sockaddr_storage) : rc; + } + + static ber_slen_t +@@ -934,11 +934,11 @@ sb_dgram_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len ) + assert( buf != NULL ); + + dst = buf; +- buf = (char *) buf + sizeof( struct sockaddr ); +- len -= sizeof( struct sockaddr ); ++ buf = (char *) buf + sizeof( struct sockaddr_storage ); ++ len -= sizeof( struct sockaddr_storage ); + + rc = sendto( sbiod->sbiod_sb->sb_fd, buf, len, 0, dst, +- sizeof( struct sockaddr ) ); ++ sizeof( struct sockaddr_storage ) ); + + if ( rc < 0 ) return -1; + +@@ -949,7 +949,7 @@ sb_dgram_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len ) + # endif + return -1; + } +- rc = len + sizeof(struct sockaddr); ++ rc = len + sizeof(struct sockaddr_storage); + return rc; + } + +diff --git a/libraries/libldap/abandon.c b/libraries/libldap/abandon.c +index d999b07..8fd9bc2 100644 +--- a/libraries/libldap/abandon.c ++++ b/libraries/libldap/abandon.c +@@ -209,7 +209,7 @@ start_again:; + LDAP_NEXT_MSGID(ld, i); + #ifdef LDAP_CONNECTIONLESS + if ( LDAP_IS_UDP(ld) ) { +- struct sockaddr sa = {0}; ++ struct sockaddr_storage sa = {0}; + /* dummy, filled with ldo_peer in request.c */ + err = ber_write( ber, (char *) &sa, sizeof(sa), 0 ); + } +diff --git a/libraries/libldap/open.c b/libraries/libldap/open.c +index 24d8a41..5b2613a 100644 +--- a/libraries/libldap/open.c ++++ b/libraries/libldap/open.c +@@ -268,6 +268,7 @@ ldap_init_fd( + int rc; + LDAP *ld; + LDAPConn *conn; ++ socklen_t len; + + *ldp = NULL; + rc = ldap_create( &ld ); 
+@@ -308,6 +309,15 @@ ldap_init_fd( + + #ifdef LDAP_CONNECTIONLESS + case LDAP_PROTO_UDP: ++ LDAP_IS_UDP(ld) = 1; ++ if( ld->ld_options.ldo_peer ) ++ ldap_memfree( ld->ld_options.ldo_peer ); ++ ld->ld_options.ldo_peer = ldap_memalloc( sizeof( struct sockaddr_storage ) ); ++ len = sizeof( struct sockaddr_storage ); ++ if( getpeername ( fd, ld->ld_options.ldo_peer, &len ) < 0) { ++ ldap_unbind_ext( ld, NULL, NULL ); ++ return( AC_SOCKET_ERROR ); ++ } + #ifdef LDAP_DEBUG + ber_sockbuf_add_io( conn->lconn_sb, &ber_sockbuf_io_debug, + LBER_SBIOD_LEVEL_PROVIDER, (void *)"udp_" ); +diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c +index b31e05d..90b92df 100644 +--- a/libraries/libldap/os-ip.c ++++ b/libraries/libldap/os-ip.c +@@ -422,8 +422,8 @@ ldap_pvt_connect(LDAP *ld, ber_socket_t s, + if (LDAP_IS_UDP(ld)) { + if (ld->ld_options.ldo_peer) + ldap_memfree(ld->ld_options.ldo_peer); +- ld->ld_options.ldo_peer=ldap_memalloc(sizeof(struct sockaddr)); +- AC_MEMCPY(ld->ld_options.ldo_peer,sin,sizeof(struct sockaddr)); ++ ld->ld_options.ldo_peer=ldap_memcalloc(1, sizeof(struct sockaddr_storage)); ++ AC_MEMCPY(ld->ld_options.ldo_peer,sin,addrlen); + return ( 0 ); + } + #endif +diff --git a/libraries/libldap/request.c b/libraries/libldap/request.c +index fc2f4d0..4822a63 100644 +--- a/libraries/libldap/request.c ++++ b/libraries/libldap/request.c +@@ -308,7 +308,7 @@ ldap_send_server_request( + ber_rewind( &tmpber ); + LDAP_MUTEX_LOCK( &ld->ld_options.ldo_mutex ); + rc = ber_write( &tmpber, ld->ld_options.ldo_peer, +- sizeof( struct sockaddr ), 0 ); ++ sizeof( struct sockaddr_storage ), 0 ); + LDAP_MUTEX_UNLOCK( &ld->ld_options.ldo_mutex ); + if ( rc == -1 ) { + ld->ld_errno = LDAP_ENCODING_ERROR; +diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c +index f2a6c7b..d293299 100644 +--- a/libraries/libldap/result.c ++++ b/libraries/libldap/result.c +@@ -482,8 +482,8 @@ retry: + sock_errset(0); + #ifdef LDAP_CONNECTIONLESS + if ( LDAP_IS_UDP(ld) ) 
{ +- struct sockaddr from; +- ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr) ); ++ struct sockaddr_storage from; ++ ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ); + if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1; + } + nextresp3: +diff --git a/libraries/libldap/search.c b/libraries/libldap/search.c +index 3867b5b..b966d1a 100644 +--- a/libraries/libldap/search.c ++++ b/libraries/libldap/search.c +@@ -305,7 +305,7 @@ ldap_build_search_req( + LDAP_NEXT_MSGID( ld, *idp ); + #ifdef LDAP_CONNECTIONLESS + if ( LDAP_IS_UDP(ld) ) { +- struct sockaddr sa = {0}; ++ struct sockaddr_storage sa = {0}; + /* dummy, filled with ldo_peer in request.c */ + err = ber_write( ber, (char *) &sa, sizeof( sa ), 0 ); + } diff --git a/SOURCES/openldap-dns-priority.patch b/SOURCES/openldap-dns-priority.patch new file mode 100644 index 0000000..8dc0923 --- /dev/null +++ b/SOURCES/openldap-dns-priority.patch 
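Review bot: `sb_dgram_read` still subtracts the address prefix from `len` without checking that the caller's buffer is at least that large, and the prefix just grew from `sizeof(struct sockaddr)` to the 128-byte `sizeof(struct sockaddr_storage)`; `len` is an unsigned `ber_len_t`, so a caller that sized its buffer for the old prefix now underflows and `recvfrom` is given an enormous length into a small buffer. Add `if ( len < sizeof( struct sockaddr_storage ) ) return -1;` before `src = buf;`, and the symmetric check at the top of `sb_dgram_write`. In open.c the new `getpeername()` call makes `ldap_init_fd(..., LDAP_PROTO_UDP, ...)` fail for an unconnected datagram socket, which previously succeeded; if that is intended it belongs in the patch header, and `ld->ld_options.ldo_peer` should be checked for NULL after `ldap_memalloc` before it is handed to getpeername. In slapd's connection.c the 128-byte prefix is read back with `sizeof(Sockaddr)`, which only lines up if the `Sockaddr` union (defined outside this hunk) contains a `sockaddr_storage` member; a comment at the read stating that dependency would prevent a silent desynchronisation of the datagram stream.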
@@ -0,0 +1,192 @@ +Implement priority/weight for DNS SRV records + +From RFC 2782: + + A client MUST attempt to contact the target host with the + lowest-numbered priority it can reach. + +This patch sorts the DNS SRV records by their priority, and +additionally gives records with a larger weight a higher probability +of appearing earlier. This way, the DNS SRV records are tried in the +order of their priority. + +Author: James M Leddy +Upstream ITS: #7027 +Resolves: #733078 + +--- + libraries/libldap/dnssrv.c | 106 ++++++++++++++++++++++++++++++++++---------- + 1 files changed, 83 insertions(+), 23 deletions(-) + +diff --git a/libraries/libldap/dnssrv.c b/libraries/libldap/dnssrv.c +index 16b1544..40f93b4 100644 +--- a/libraries/libldap/dnssrv.c ++++ b/libraries/libldap/dnssrv.c +@@ -174,6 +174,46 @@ int ldap_domain2dn( + return LDAP_SUCCESS; + } + ++#ifdef HAVE_RES_QUERY ++#define DNSBUFSIZ (64*1024) ++typedef struct srv_record { ++ u_short priority; ++ u_short weight; ++ u_short port; ++ char hostname[DNSBUFSIZ]; ++} srv_record; ++ ++ ++static int srv_cmp(const void *aa, const void *bb){ ++ srv_record *a=(srv_record *)aa; ++ srv_record *b=(srv_record *)bb; ++ u_long total; ++ ++ if(a->priority < b->priority) { ++ return -1; ++ } ++ if(a->priority > b->priority) { ++ return 1; ++ } ++ if(a->priority == b->priority){ ++ /* targets with same priority are in psudeo random order */ ++ if (a->weight == 0 && b->weight == 0) { ++ if (rand() % 2) { ++ return -1; ++ } else { ++ return 1; ++ } ++ } ++ total = a->weight + b->weight; ++ if (rand() % total < a->weight) { ++ return -1; ++ } else { ++ return 1; ++ } ++ } ++} ++#endif /* HAVE_RES_QUERY */ ++ + /* + * Lookup and return LDAP servers for domain (using the DNS + * SRV record _ldap._tcp.domain). 
+@@ -183,15 +223,16 @@ int ldap_domain2hostlist( + char **list ) + { + #ifdef HAVE_RES_QUERY +-#define DNSBUFSIZ (64*1024) +- char *request; +- char *hostlist = NULL; ++ char *request; ++ char *hostlist = NULL; ++ srv_record *hostent_head=NULL; ++ int i; + int rc, len, cur = 0; + unsigned char reply[DNSBUFSIZ]; ++ int hostent_count=0; + + assert( domain != NULL ); + assert( list != NULL ); +- + if( *domain == '\0' ) { + return LDAP_PARAM_ERROR; + } +@@ -223,8 +264,7 @@ int ldap_domain2hostlist( + unsigned char *p; + char host[DNSBUFSIZ]; + int status; +- u_short port; +- /* int priority, weight; */ ++ u_short port, priority, weight; + + /* Parse out query */ + p = reply; +@@ -263,40 +303,56 @@ int ldap_domain2hostlist( + size = (p[0] << 8) | p[1]; + p += 2; + if (type == T_SRV) { +- int buflen; + status = dn_expand(reply, reply + len, p + 6, host, sizeof(host)); + if (status < 0) { + goto out; + } +- /* ignore priority and weight for now */ +- /* priority = (p[0] << 8) | p[1]; */ +- /* weight = (p[2] << 8) | p[3]; */ ++ ++ /* Get priority weight and port */ ++ priority = (p[0] << 8) | p[1]; ++ weight = (p[2] << 8) | p[3]; + port = (p[4] << 8) | p[5]; + + if ( port == 0 || host[ 0 ] == '\0' ) { + goto add_size; + } + +- buflen = strlen(host) + STRLENOF(":65355 "); +- hostlist = (char *) LDAP_REALLOC(hostlist, cur + buflen + 1); +- if (hostlist == NULL) { +- rc = LDAP_NO_MEMORY; +- goto out; ++ hostent_head = (srv_record *) LDAP_REALLOC(hostent_head, (hostent_count+1)*(sizeof(srv_record))); ++ if(hostent_head==NULL){ ++ rc=LDAP_NO_MEMORY; ++ goto out; ++ + } +- if (cur > 0) { +- /* not first time around */ +- hostlist[cur++] = ' '; +- } +- cur += sprintf(&hostlist[cur], "%s:%hu", host, port); ++ hostent_head[hostent_count].priority=priority; ++ hostent_head[hostent_count].weight=weight; ++ hostent_head[hostent_count].port=port; ++ strncpy(hostent_head[hostent_count].hostname, host,255); ++ hostent_count=hostent_count+1; + } + add_size:; + p += size; + } + } ++ 
qsort(hostent_head, hostent_count, sizeof(srv_record), srv_cmp); ++ ++ for(i=0; i0){ ++ hostlist[cur++]=' '; ++ } ++ cur += sprintf(&hostlist[cur], "%s:%hd", hostent_head[i].hostname, hostent_head[i].port); ++ } ++ + if (hostlist == NULL) { +- /* No LDAP servers found in DNS. */ +- rc = LDAP_UNAVAILABLE; +- goto out; ++ /* No LDAP servers found in DNS. */ ++ rc = LDAP_UNAVAILABLE; ++ goto out; + } + + rc = LDAP_SUCCESS; +@@ -308,8 +364,12 @@ add_size:; + if (request != NULL) { + LDAP_FREE(request); + } ++ if (hostent_head != NULL) { ++ LDAP_FREE(hostent_head); ++ } + if (rc != LDAP_SUCCESS && hostlist != NULL) { + LDAP_FREE(hostlist); ++ + } + return rc; + #else +-- +1.7.6 + diff --git a/SOURCES/openldap-doc1.patch b/SOURCES/openldap-doc1.patch new file mode 100644 index 0000000..13c4c41 --- /dev/null +++ b/SOURCES/openldap-doc1.patch 
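Review bot: `srv_cmp` calls `rand()` inside the comparator, so qsort is handed an ordering that is neither consistent nor transitive; that is undefined behaviour, and glibc's qsort has been shown to read and write outside the array with such comparators, so an attacker-controlled SRV answer becomes a memory-safety problem in every client that does DNS-based discovery. Draw the random key once per record when it is appended (an extra `u_long rnd` field in `srv_record` set from `rand()` scaled by the weight) and have `srv_cmp` compare priority and then that stored key deterministically; the RFC 2782 weighted-selection procedure is not a sort, so the patch header should describe the approximation being made. The rebuilt hostlist prints the port with `%hd` where the removed code used `%hu`, so ports above 32767 come out negative and produce an unusable `host:-1234`. `strncpy(hostent_head[hostent_count].hostname, host, 255)` does not NUL-terminate a 255-byte name and the realloc'd record is not zeroed, so the later `%s` can run past the copied name into uninitialized bytes; copy `sizeof(hostname) - 1` and set the last byte to `'\0'`. The body of ldap_domain2hostlist continues outside the visible hunk fragments.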
@@ -0,0 +1,36 @@ +Upstream ITS: #7568 + +From 6be982c000133ccf9da949d39eed23a93bc7bfc5 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 9 Apr 2013 12:41:38 +0200 +Subject: [PATCH 1/2] Fix typos in ldap.conf.5 + +--- + doc/man/man5/ldap.conf.5 | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index cfde143..8f7fecd 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -297,7 +297,7 @@ Specifies if GSSAPI encryption (GSS_C_INTEG_FLAG and GSS_C_CONF_FLAG) + should be used. The default is off. + .TP + .B GSSAPI_ALLOW_REMOTE_PRINCIPAL +-Specifies if GSSAPI based authentification should try to form the ++Specifies if GSSAPI based authentication should try to form the + target principal name out of the ldapServiceName or dnsHostName + attribute of the targets RootDSE entry. The default is off. + .SH TLS OPTIONS +@@ -354,7 +354,7 @@ it is of critical importance that the key file is protected carefully. + When using Mozilla NSS, TLS_KEY specifies the name of a file that contains + the password for the key for the certificate specified with TLS_CERT. The + modutil command can be used to turn off password protection for the cert/key +-database. For example, if TLS_CACERTDIR specifes /home/scarter/.moznss as ++database. For example, if TLS_CACERTDIR specifies /home/scarter/.moznss as + the location of the cert/key database, use modutil to change the password + to the empty string: + .nf +-- +1.8.1.4 + diff --git a/SOURCES/openldap-doc2.patch b/SOURCES/openldap-doc2.patch new file mode 100644 index 0000000..47b1c13 --- /dev/null +++ b/SOURCES/openldap-doc2.patch 
@@ -0,0 +1,27 @@ +Upstream ITS: #7568 + +From 05c726c62785b2c307f9c5343a253d43ec7322c6 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 9 Apr 2013 12:42:31 +0200 +Subject: [PATCH 2/2] Add -Q to slaptest's help + +--- + servers/slapd/slapcommon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c +index 714e2bc..153310f 100644 +--- a/servers/slapd/slapcommon.c ++++ b/servers/slapd/slapcommon.c +@@ -92,7 +92,7 @@ usage( int tool, const char *progname ) + break; + + case SLAPTEST: +- options = " [-n databasenumber] [-u]\n"; ++ options = " [-n databasenumber] [-u] [-Q]\n"; + break; + + case SLAPSCHEMA: +-- +1.8.1.4 + diff --git a/SOURCES/openldap-doc3.patch b/SOURCES/openldap-doc3.patch new file mode 100644 index 0000000..d0e7821 --- /dev/null +++ b/SOURCES/openldap-doc3.patch 
@@ -0,0 +1,39 @@ +From 128a8c486e86b8e8c8d34f0eb9fdc0b580212e5b Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 3 Sep 2013 14:09:37 +0200 +Subject: [PATCH] Fix typos in manpages. + +--- + doc/man/man1/ldapsearch.1 | 2 +- + doc/man/man5/slapd-passwd.5 | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1 +index 82ddddb..150f064 100644 +--- a/doc/man/man1/ldapsearch.1 ++++ b/doc/man/man1/ldapsearch.1 +@@ -456,7 +456,7 @@ This command: + .fi + .LP + will perform a one-level search at the c=US level for all entries +-whose organization name (o) begins begins with \fBUniversity\fP. ++whose organization name (o) begins with \fBUniversity\fP. + The organization name and description attribute values will be retrieved + and printed to standard output, resulting in output similar to this: + .LP +diff --git a/doc/man/man5/slapd-passwd.5 b/doc/man/man5/slapd-passwd.5 +index fbd30f2..2dc5c5d 100644 +--- a/doc/man/man5/slapd-passwd.5 ++++ b/doc/man/man5/slapd-passwd.5 +@@ -13,7 +13,7 @@ serves up the user account information listed in the system + .BR passwd (5) + file. This backend is provided for demonstration purposes only. + The DN of each entry is "uid=,". +-Note that non-base searches scan the the entire passwd file, and ++Note that non-base searches scan the entire passwd file, and + are best suited for hosts with small passwd files. + .SH CONFIGURATION + This +-- +1.8.3.1 + diff --git a/SOURCES/openldap-fedora-systemd.patch b/SOURCES/openldap-fedora-systemd.patch new file mode 100644 index 0000000..fa59ca2 --- /dev/null +++ b/SOURCES/openldap-fedora-systemd.patch 
@@ -0,0 +1,23 @@ +Skip any empty parameters when parsing command line options. +This is required because systemd does not expand variables the same way as shell does, +we need it because of an empty SLAPD_OPTIONS in environment file. + +Fedora specific patch. + +Author: Jan Vcelak + +diff --git a/servers/slapd/main.c b/servers/slapd/main.c +index dac4864..83614f4 100644 +--- a/servers/slapd/main.c ++++ b/servers/slapd/main.c +@@ -685,6 +685,10 @@ unhandled_option:; + } + } + ++ /* skip empty parameters */ ++ while ( optind < argc && *argv[optind] == '\0' ) ++ optind += 1; ++ + if ( optind != argc ) + goto unhandled_option; + diff --git a/SOURCES/openldap-ldapi-sasl.patch b/SOURCES/openldap-ldapi-sasl.patch new file mode 100644 index 0000000..058cc1c --- /dev/null +++ b/SOURCES/openldap-ldapi-sasl.patch 
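Review bot: The inline `/* skip empty parameters */` does not record why empty arguments reach slapd at all, which only the patch header explains; expand it so the reason survives in the tree, e.g. `/* skip empty parameters: systemd passes an empty SLAPD_OPTIONS from the environment file as "" instead of dropping it */`. The loop only skips empties located at `optind` and beyond, i.e. after option parsing has finished, so it implicitly relies on getopt having moved non-option arguments to the end — that is inferred, not visible in the hunk, and worth a word in the same comment. The enclosing function continues outside the hunk on both sides.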
@@ -0,0 +1,55 @@ +From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 7 May 2013 17:02:57 +0200 +Subject: [PATCH] LDAPI SASL fix + +Resolves: #960222 +--- + libraries/libldap/cyrus.c | 19 ++++++++++++++++--- + 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-) + +diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c +index 28c241b..a9acf36 100644 +--- a/libraries/libldap/cyrus.c ++++ b/libraries/libldap/cyrus.c +@@ -394,6 +394,8 @@ ldap_int_sasl_bind( + struct berval ccred = BER_BVNULL; + int saslrc, rc; + unsigned credlen; ++ char my_hostname[HOST_NAME_MAX + 1]; ++ int free_saslhost = 0; + + Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n", + mechs ? mechs : "", 0, 0 ); +@@ -454,14 +456,25 @@ ldap_int_sasl_bind( + + /* If we don't need to canonicalize just use the host + * from the LDAP URI. ++ * Always use the result of gethostname() for LDAPI. + */ +- if ( nocanon ) ++ if (ld->ld_defconn->lconn_server->lud_scheme != NULL && ++ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) { ++ rc = gethostname(my_hostname, HOST_NAME_MAX + 1); ++ if (rc == 0) { ++ saslhost = my_hostname; ++ } else { ++ saslhost = "localhost"; ++ } ++ } else if ( nocanon ) + saslhost = ld->ld_defconn->lconn_server->lud_host; +- else ++ else { + saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb, + "localhost" ); ++ free_saslhost = 1; ++ } + rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost ); +- if ( !nocanon ) ++ if ( free_saslhost ) + LDAP_FREE( saslhost ); + } + +-- +1.7.11.7 + diff --git a/SOURCES/openldap-ldaprc-currentdir.patch b/SOURCES/openldap-ldaprc-currentdir.patch new file mode 100644 index 0000000..420c1f9 --- /dev/null +++ b/SOURCES/openldap-ldaprc-currentdir.patch 
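Review bot: `gethostname()` does not guarantee NUL termination when the host name is longer than the buffer, so `saslhost = my_hostname` in the second hunk can hand an unterminated string to `ldap_int_sasl_open()`; add `my_hostname[HOST_NAME_MAX] = '\0';` right after the `rc == 0` check, or treat an unterminated result as a failure and fall back to `"localhost"`. `HOST_NAME_MAX` is also not defined by every platform's `<limits.h>`, and I cannot see from the hunk whether a fallback definition is in scope in cyrus.c. The enclosing `ldap_int_sasl_bind()` starts before the first hunk and ends after the second.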
@@ -0,0 +1,20 @@ +Disables opening of ldaprc file in current directory. + +Resolves: #38402 +Upstream: ITS #1131 +Author: Henning Schmiedehausen + +diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c +index 8617527..e6b17b4 100644 +--- a/libraries/libldap/init.c ++++ b/libraries/libldap/init.c +@@ -352,9 +352,6 @@ static void openldap_ldap_init_w_userconf(const char *file) + if(path != NULL) { + LDAP_FREE(path); + } +- +- /* try file */ +- openldap_ldap_init_w_conf(file, 1); + } + + static void openldap_ldap_init_w_env( diff --git a/SOURCES/openldap-loglevel2bvarray.patch b/SOURCES/openldap-loglevel2bvarray.patch new file mode 100644 index 0000000..1a0e766 --- /dev/null +++ b/SOURCES/openldap-loglevel2bvarray.patch @@ -0,0 +1,27 @@ +From 4313b91b0bc2fe6585656cd69a03f9755b5af3c4 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Wed, 29 May 2013 10:21:40 +0200 +Subject: [PATCH] Fix loglevel2bvarray + +--- + servers/slapd/bconfig.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c +index 4e1f1b5..def6daf 100644 +--- a/servers/slapd/bconfig.c ++++ b/servers/slapd/bconfig.c +@@ -3622,6 +3622,10 @@ loglevel2bvarray( int l, BerVarray *bva ) + loglevel_init(); + } + ++ if ( l == 0 ) { ++ return value_add_one( bva, ber_bvstr( "0" ) ); ++ } ++ + return mask_to_verbs( loglevel_ops, l, bva ); + } + +-- +1.8.1.4 + diff --git a/SOURCES/openldap-man-sasl-nocanon.patch b/SOURCES/openldap-man-sasl-nocanon.patch new file mode 100644 index 0000000..c4a9e39 --- /dev/null +++ b/SOURCES/openldap-man-sasl-nocanon.patch 
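Review bot: In the loglevel2bvarray hunk, `ber_bvstr( "0" )` allocates a `struct berval` that nothing frees; if `value_add_one()` copies its argument (its `struct berval *` parameter suggests it does not take ownership), that struct leaks on every call with `l == 0`. A stack value avoids the allocation entirely: `struct berval bv = BER_BVC( "0" ); return value_add_one( bva, &bv );`. A one-line comment saying why 0 needs special handling (presumably `mask_to_verbs()` yields nothing for an empty mask) would also help the next reader.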
@@ -0,0 +1,23 @@ +fix: SASL_NOCANON option missing in ldap.conf manual page + +Author: Jan Vcelak +Upstream ITS: #7177 +Resolves: #732915 + +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index 51f774f..5f17122 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -284,6 +284,9 @@ description). The default is + specifies the maximum security layer receive buffer + size allowed. 0 disables security layers. The default is 65536. + .RE ++.TP ++.B SASL_NOCANON ++Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off. + .SH GSSAPI OPTIONS + If OpenLDAP is built with Generic Security Services Application Programming Interface support, + there are more options you can specify. +-- +1.7.6.5 + diff --git a/SOURCES/openldap-manpages.patch b/SOURCES/openldap-manpages.patch new file mode 100644 index 0000000..1678b38 --- /dev/null +++ b/SOURCES/openldap-manpages.patch 
@@ -0,0 +1,112 @@ +Various manual pages changes: +* removes LIBEXECDIR from slapd.8 +* removes references to non-existing manpages (bz 624616) + +diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 +index 3def6da..466c772 100644 +--- a/doc/man/man1/ldapmodify.1 ++++ b/doc/man/man1/ldapmodify.1 +@@ -397,9 +397,7 @@ exit status and a diagnostic message being written to standard error. + .BR ldap_add_ext (3), + .BR ldap_delete_ext (3), + .BR ldap_modify_ext (3), +-.BR ldap_modrdn_ext (3), +-.BR ldif (5), +-.BR slapd.replog (5) ++.BR ldif (5) + .SH AUTHOR + The OpenLDAP Project + .SH ACKNOWLEDGEMENTS +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index cfde143..63592cb 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -317,6 +317,7 @@ certificates in separate individual files. The + .B TLS_CACERT + is always used before + .B TLS_CACERTDIR. ++The specified directory must be managed with the OpenSSL c_rehash utility. + This parameter is ignored with GnuTLS. + + When using Mozilla NSS, may contain a Mozilla NSS cert/key +diff --git a/doc/man/man5/ldif.5 b/doc/man/man5/ldif.5 +index 79615b6..2c06246 100644 +--- a/doc/man/man5/ldif.5 ++++ b/doc/man/man5/ldif.5 +@@ -270,8 +270,7 @@ commands. + .BR ldapmodify (1), + .BR slapadd (8), + .BR slapcat (8), +-.BR slapd\-ldif (5), +-.BR slapd.replog (5). ++.BR slapd\-ldif (5). + .LP + "LDAP Data Interchange Format," Good, G., RFC 2849. 
+ .SH ACKNOWLEDGEMENTS +diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 +index 742876a..31643c7 100644 +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -2086,7 +2086,6 @@ default slapd configuration directory + .BR slapd.conf (5), + .BR slapd.overlays (5), + .BR slapd.plugin (5), +-.BR slapd.replog (5), + .BR slapd (8), + .BR slapacl (8), + .BR slapadd (8), +diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 +index 0a3a955..352cc7e 100644 +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -2016,7 +2016,6 @@ default slapd configuration file + .BR slapd.backends (5), + .BR slapd.overlays (5), + .BR slapd.plugin (5), +-.BR slapd.replog (5), + .BR slapd (8), + .BR slapacl (8), + .BR slapadd (8), +diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 +index b739f4d..e2a1a00 100644 +--- a/doc/man/man8/slapd.8 ++++ b/doc/man/man8/slapd.8 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B slapd + [\c + .BR \-4 | \-6 ] + [\c +@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ slapd + .ft + .fi + .LP +@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ slapd -f /var/tmp/slapd.conf -d 255 + .ft + .fi + .LP +@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ slapd -Tt + .ft + .fi + .LP +-- +1.8.1.4 + diff --git a/SOURCES/openldap-nss-certs-from-certdb-fallback-pem.patch b/SOURCES/openldap-nss-certs-from-certdb-fallback-pem.patch new file mode 100644 index 0000000..d20e48a --- /dev/null +++ b/SOURCES/openldap-nss-certs-from-certdb-fallback-pem.patch 
@@ -0,0 +1,86 @@ +MozNSS: load certificates from certdb, fallback to PEM + +If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS +certificate database, the backend assumed that the certificate is always +located in the certificate database. This assumption might be wrong. + +This patch makes the library to try to load the certificate from NSS +database and fallback to PEM file if unsuccessfull. + +Author: Jan Vcelak +Upstream ITS: #7389 +Resolves: #857455 + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index 6847bea..8339391 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -1412,7 +1412,7 @@ tlsm_ctx_load_private_key( tlsm_ctx *ctx ) + /* prefer unlocked key, then key from opened certdb, then any other */ + if ( unlocked_key ) + ctx->tc_private_key = unlocked_key; +- else if ( ctx->tc_certdb_slot ) ++ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem ) + ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg ); + else + ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg ); +@@ -1909,8 +1909,6 @@ tlsm_deferred_init( void *arg ) + } + return -1; + } +- +- ctx->tc_using_pem = PR_TRUE; + } + + NSS_SetDomesticPolicy(); +@@ -2363,15 +2361,9 @@ tlsm_deferred_ctx_init( void *arg ) + + /* set up our cert and key, if any */ + if ( lt->lt_certfile ) { +- /* if using the PEM module, load the PEM file specified by lt_certfile */ +- /* otherwise, assume this is the name of a cert already in the db */ +- if ( ctx->tc_using_pem ) { +- /* this sets ctx->tc_certificate to the correct value */ +- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ); +- if ( rc ) { +- return rc; +- } +- } else { ++ ++ /* first search in certdb (lt_certfile is nickname) */ ++ if ( ctx->tc_certdb ) { + char *tmp_certname; + + if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) { +@@ -2391,8 +2383,31 @@ tlsm_deferred_ctx_init( void *arg ) + Debug( 
LDAP_DEBUG_ANY, + "TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n", + lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); ++ } ++ } ++ ++ /* fallback to PEM module (lt_certfile is filename) */ ++ if ( !ctx->tc_certificate ) { ++ if ( !pem_module && tlsm_init_pem_module() ) { ++ int pem_errcode = PORT_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n", ++ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); + return -1; + } ++ ++ /* this sets ctx->tc_certificate to the correct value */ ++ if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) { ++ ctx->tc_using_pem = PR_TRUE; ++ } ++ } ++ ++ if ( ctx->tc_certificate ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile, ++ ctx->tc_using_pem ? "PEM file" : "moznss database", 0); ++ } else { ++ return -1; + } + } + diff --git a/SOURCES/openldap-nss-ignore-certdb-type-prefix.patch b/SOURCES/openldap-nss-ignore-certdb-type-prefix.patch new file mode 100644 index 0000000..2fab916 --- /dev/null +++ b/SOURCES/openldap-nss-ignore-certdb-type-prefix.patch 
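Review bot: The certdb branch still logs `TLS: error: the certificate '%s' could not be found in the database` at LDAP_DEBUG_ANY before the new PEM fallback runs, so a configuration that legitimately uses a PEM file now emits an error message on every successful start; reword it to say the fallback is about to be tried, e.g. `"TLS: certificate '%s' not found in the database, trying PEM file - error %d:%s.\n"`, or lower it to LDAP_DEBUG_TRACE and let the final summary message be the operator-visible record of which source was used. The fallback also means a `TLS_CERT` nickname that is absent from the database is now treated as a file name and passed to `tlsm_add_cert_from_file()`; stating that in the `/* fallback to PEM module */` comment makes it clear why the summary message is logged at ANY level, so a misconfigured nickname that silently resolves to a file is noticed. `tlsm_deferred_ctx_init()` continues outside the hunk.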
@@ -0,0 +1,47 @@ +MozNSS: ignore certdb database type prefix when checking existence of the directory + +If the certdb is specified including the database type prefix (e.g. +sql:, dbm:), the prefix has to be ignored when checking the +certificate directory existence. + +Author: Jan Vcelak +Upstream ITS: #7388 +Resolves: #857373 + +--- + libraries/libldap/tls_m.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index 49a3f8f..5ee21a2 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -1633,6 +1633,7 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix ) + { + char sep = PR_GetDirectorySeparator(); + char *ptr = NULL; ++ char *chkpath = NULL; + struct PRFileInfo prfi; + PRStatus prc; + +@@ -1643,8 +1644,16 @@ tlsm_get_certdb_prefix( const char *certdir, char **realcertdir, char **prefix ) + return; + } + +- prc = PR_GetFileInfo( certdir, &prfi ); ++ /* ignore database type prefix (e.g. sql:, dbm:) if provided */ ++ chkpath = strchr( certdir, ':' ); ++ if ( chkpath != NULL ) { ++ chkpath += 1; ++ } else { ++ chkpath = certdir; ++ } ++ + /* if certdir exists (file or directory) then it cannot specify a prefix */ ++ prc = PR_GetFileInfo( chkpath, &prfi ); + if ( prc == PR_SUCCESS ) { + return; + } +-- +1.7.11.7 + diff --git a/SOURCES/openldap-nss-pk11-freeslot.patch b/SOURCES/openldap-nss-pk11-freeslot.patch new file mode 100644 index 0000000..9ac541d --- /dev/null +++ b/SOURCES/openldap-nss-pk11-freeslot.patch 
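Review bot: `strchr( certdir, ':' )` finds the first colon anywhere in the string, so a certdb path whose directory component contains a `:` and carries no type prefix is checked from the wrong offset and `PR_GetFileInfo()` fails on an existing directory. Only strip a prefix when the colon precedes the first directory separator, using the `sep` declared in the first hunk: `char *firstsep = strchr( certdir, sep );` and `if ( chkpath != NULL && ( firstsep == NULL || chkpath < firstsep ) ) chkpath += 1; else chkpath = certdir;`. The rest of `tlsm_get_certdb_prefix()`, where `realcertdir` and `prefix` are produced, is outside the hunk, so I cannot confirm it applies the same rule.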
@@ -0,0 +1,27 @@ +Resolves: #929357 + +From 6330d1b87a45b447f33fe8ffd6fbbce9e60bb0ec Mon Sep 17 00:00:00 2001 +From: Rich Megginson +Date: Thu, 28 Mar 2013 19:05:02 -0600 +Subject: [PATCH] must call PK11_FreeSlot after SECMOD_CloseUserDB to remove ref to slot + +--- + libraries/libldap/tls_m.c | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index 072d41d..c59d303 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -2063,6 +2063,8 @@ tlsm_ctx_free ( tls_ctx *ctx ) + "TLS: could not close certdb slot - error %d:%s.\n", + errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); + } ++ PK11_FreeSlot( c->tc_certdb_slot ); ++ c->tc_certdb_slot = NULL; + } + PL_strfree( c->tc_pin_file ); + c->tc_pin_file = NULL; +-- +1.7.1 + diff --git a/SOURCES/openldap-nss-regex-search-hashed-cacert-dir.patch b/SOURCES/openldap-nss-regex-search-hashed-cacert-dir.patch new file mode 100644 index 0000000..03493db --- /dev/null +++ b/SOURCES/openldap-nss-regex-search-hashed-cacert-dir.patch 
@@ -0,0 +1,91 @@ +MozNSS: better file name matching for hashed CA certificate directory + +CA certificate files in OpenSSL compatible CACERTDIR were loaded if the file extension was '.0'. However the file name +should be 8 letters long certificate hash of the certificate subject name, followed by a numeric suffix which is used +to differentiate between two certificates with the same subject name. + +Wit this patch, certificate file names are matched correctly (using regular expressions). + +Author: Jan Vcelak +Upstream ITS: #7374 +Resolves: #852786 + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index 5e49fc5..61d71d4 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -38,6 +38,7 @@ + #include + #include + #include ++#include + + #include "ldap-int.h" + #include "ldap-tls.h" +@@ -118,9 +119,7 @@ static const PRIOMethods tlsm_PR_methods; + + #define PEM_LIBRARY "nsspem" + #define PEM_MODULE "PEM" +-/* hash files for use with cacertdir have this file name suffix */ +-#define PEM_CA_HASH_FILE_SUFFIX ".0" +-#define PEM_CA_HASH_FILE_SUFFIX_LEN 2 ++#define PEM_CA_HASH_FILE_REGEX "^[0-9a-f]{8}\\.[0-9]+$" + + static SECMODModule *pem_module; + +@@ -1541,6 +1540,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir + PRDir *dir; + PRDirEntry *entry; + PRStatus fistatus = PR_FAILURE; ++ regex_t hashfile_re; + + memset( &fi, 0, sizeof(fi) ); + fistatus = PR_GetFileInfo( cacertdir, &fi ); +@@ -1570,20 +1570,30 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir + goto done; + } + ++ if ( regcomp( &hashfile_re, PEM_CA_HASH_FILE_REGEX, REG_NOSUB|REG_EXTENDED ) != 0 ) { ++ Debug( LDAP_DEBUG_ANY, "TLS: cannot compile regex for CA hash files matching\n", 0, 0, 0 ); ++ goto done; ++ } ++ + do { + entry = PR_ReadDir( dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN ); + if ( ( NULL != entry ) && ( NULL != entry->name ) ) { + char *fullpath = NULL; +- char *ptr; ++ int match; + +- ptr = 
PL_strrstr( entry->name, PEM_CA_HASH_FILE_SUFFIX ); +- if ( ( ptr == NULL ) || ( *(ptr + PEM_CA_HASH_FILE_SUFFIX_LEN) != '\0' ) ) { ++ match = regexec( &hashfile_re, entry->name, 0, NULL, 0 ); ++ if ( match == REG_NOMATCH ) { + Debug( LDAP_DEBUG_TRACE, +- "TLS: file %s does not end in [%s] - does not appear to be a CA certificate " +- "directory file with a properly hashed file name - skipping.\n", +- entry->name, PEM_CA_HASH_FILE_SUFFIX, 0 ); ++ "TLS: skipping '%s' - filename does not have expected format " ++ "(certificate hash with numeric suffix)\n", entry->name, 0, 0 ); ++ continue; ++ } else if ( match != 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: cannot execute regex for CA hash file matching (%d).\n", ++ match, 0, 0 ); + continue; + } ++ + fullpath = PR_smprintf( "%s/%s", cacertdir, entry->name ); + if ( !tlsm_add_cert_from_file( ctx, fullpath, isca ) ) { + Debug( LDAP_DEBUG_TRACE, +@@ -1599,6 +1609,7 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir + PR_smprintf_free( fullpath ); + } + } while ( NULL != entry ); ++ regfree ( &hashfile_re ); + PR_CloseDir( dir ); + } + done: +-- +1.7.11.4 + diff --git a/SOURCES/openldap-nss-update-list-of-ciphers.patch b/SOURCES/openldap-nss-update-list-of-ciphers.patch new file mode 100644 index 0000000..d5986c0 --- /dev/null +++ b/SOURCES/openldap-nss-update-list-of-ciphers.patch 
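Review bot: When `regcomp()` fails the new code jumps to `done` after the directory has already been opened, so the `PR_CloseDir( dir )` that follows the loop is skipped and the handle leaks; close it before leaving: `PR_CloseDir( dir ); goto done;`. I infer the open precedes the regcomp from the `goto done` block just above it in the context lines and from `PR_CloseDir` sitting after the loop, since the open itself is not in the hunk. The `regfree()` on the normal path is correct; `tlsm_init_ca_certs()` begins before the first hunk and continues past the last one.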
@@ -0,0 +1,193 @@ +MozNSS: update list of supported cipher suites + +The updated list includes all ciphers implemented in Mozilla NSS 3.13.15 + +Author: Jan Vcelak +Upstream ITS: #7374 + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index 1422ce2..5e49fc5 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -211,27 +211,34 @@ typedef struct { + int num; /* The cipher id */ + int attr; /* cipher attributes: algorithms, etc */ + int version; /* protocol version valid for this cipher */ +- int bits; /* bits of strength */ +- int alg_bits; /* bits of the algorithm */ + int strength; /* LOW, MEDIUM, HIGH */ + int enabled; /* Enabled by default? */ + } cipher_properties; + + /* cipher attributes */ +-#define SSL_kRSA 0x00000001L +-#define SSL_aRSA 0x00000002L +-#define SSL_aDSS 0x00000004L +-#define SSL_DSS SSL_aDSS +-#define SSL_eNULL 0x00000008L +-#define SSL_DES 0x00000010L +-#define SSL_3DES 0x00000020L +-#define SSL_RC4 0x00000040L +-#define SSL_RC2 0x00000080L +-#define SSL_AES 0x00000100L +-#define SSL_MD5 0x00000200L +-#define SSL_SHA1 0x00000400L +-#define SSL_SHA SSL_SHA1 +-#define SSL_RSA (SSL_kRSA|SSL_aRSA) ++#define SSL_kRSA 0x00000001L ++#define SSL_aRSA 0x00000002L ++#define SSL_RSA (SSL_kRSA|SSL_aRSA) ++#define SSL_aDSA 0x00000004L ++#define SSL_DSA SSL_aDSA ++#define SSL_eNULL 0x00000008L ++#define SSL_DES 0x00000010L ++#define SSL_3DES 0x00000020L ++#define SSL_RC4 0x00000040L ++#define SSL_RC2 0x00000080L ++#define SSL_AES128 0x00000100L ++#define SSL_AES256 0x00000200L ++#define SSL_AES (SSL_AES128|SSL_AES256) ++#define SSL_MD5 0x00000400L ++#define SSL_SHA1 0x00000800L ++#define SSL_kEDH 0x00001000L ++#define SSL_CAMELLIA128 0x00002000L ++#define SSL_CAMELLIA256 0x00004000L ++#define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) ++#define SSL_SEED 0x00008000L ++#define SSL_kECDH 0x00010000L ++#define SSL_kECDHE 0x00020000L ++#define SSL_aECDSA 0x00040000L + + /* cipher strength */ + #define SSL_NULL 
0x00000001L +@@ -248,29 +255,70 @@ typedef struct { + + /* Cipher translation */ + static cipher_properties ciphers_def[] = { +- /* SSL 2 ciphers */ +- {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, 168, 168, SSL_HIGH, SSL_ALLOWED}, +- {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, +- {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, +- {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, 56, 56, SSL_LOW, SSL_ALLOWED}, +- {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, +- {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, +- +- /* SSL3 ciphers */ +- {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, +- {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, 128, 128, SSL_MEDIUM, SSL_ALLOWED}, +- {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, 168, 168, SSL_HIGH, SSL_ALLOWED}, +- {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, 56, 56, SSL_LOW, SSL_ALLOWED}, +- {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, 40, 128, SSL_EXPORT40, SSL_ALLOWED}, +- {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, 0, 0, SSL_EXPORT40, SSL_ALLOWED}, +- {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED}, +- {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, 0, 0, SSL_NULL, SSL_NOT_ALLOWED}, ++ ++ /* ++ * Use the same DEFAULT cipher list as OpenSSL, which is defined as: 
ALL:!aNULL:!eNULL:!SSLv2 ++ */ ++ ++ /* SSLv2 ciphers */ ++ {"DES-CBC-MD5", SSL_EN_DES_64_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_MD5, SSL2, SSL_LOW, SSL_NOT_ALLOWED}, ++ {"DES-CBC3-MD5", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_MD5, SSL2, SSL_HIGH, SSL_NOT_ALLOWED}, ++ {"RC2-CBC-MD5", SSL_EN_RC2_128_CBC_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED}, ++ {"RC4-MD5", SSL_EN_RC4_128_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_MEDIUM, SSL_NOT_ALLOWED}, ++ {"EXP-RC2-CBC-MD5", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED}, ++ {"EXP-RC4-MD5", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL2, SSL_EXPORT40, SSL_NOT_ALLOWED}, ++ ++ /* SSLv3 ciphers */ ++ {"NULL-MD5", SSL_RSA_WITH_NULL_MD5, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_MD5, SSL3, SSL_NULL, SSL_NOT_ALLOWED}, ++ {"NULL-SHA", SSL_RSA_WITH_NULL_SHA, SSL_kRSA|SSL_aRSA|SSL_eNULL|SSL_SHA1, SSL3, SSL_NULL, SSL_NOT_ALLOWED}, ++ {"DES-CBC-SHA", SSL_RSA_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, ++ {"DES-CBC3-SHA", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, ++ {"RC4-MD5", SSL_RSA_WITH_RC4_128_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_MEDIUM, SSL_ALLOWED}, ++ {"RC4-SHA", SSL_RSA_WITH_RC4_128_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, SSL3, SSL_MEDIUM, SSL_ALLOWED}, ++ {"EXP-RC2-CBC-MD5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC2|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED}, ++ {"EXP-RC4-MD5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_MD5, SSL3, SSL_EXPORT40, SSL_ALLOWED}, ++ {"EDH-RSA-DES-CBC-SHA", SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, ++ {"EDH-RSA-DES-CBC3-SHA", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, ++ 
{"EDH-DSS-DES-CBC-SHA", SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_DES|SSL_SHA1, SSL3, SSL_LOW, SSL_ALLOWED}, ++ {"EDH-DSS-DES-CBC3-SHA", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_3DES|SSL_SHA1, SSL3, SSL_HIGH, SSL_ALLOWED}, + + /* TLSv1 ciphers */ +- {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, +- {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA, TLS1, 56, 56, SSL_EXPORT56, SSL_ALLOWED}, +- {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 128, 128, SSL_HIGH, SSL_ALLOWED}, +- {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA, TLS1, 256, 256, SSL_HIGH, SSL_ALLOWED}, ++ {"EXP1024-DES-CBC-SHA", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_DES|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED}, ++ {"EXP1024-RC4-SHA", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_kRSA|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_EXPORT56, SSL_ALLOWED}, ++ {"SEED-SHA", TLS_RSA_WITH_SEED_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_SEED|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, ++ {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"CAMELLIA256-SHA", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"CAMELLIA128-SHA", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_kRSA|SSL_aRSA|SSL_CAMELLIA|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"DHE-RSA-CAMELLIA128-SHA", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, 
SSL_kEDH|SSL_aRSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"DHE-RSA-CAMELLIA256-SHA", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aRSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"DHE-DSS-RC4-SHA", TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_kEDH|SSL_aDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, ++ {"DHE-DSS-AES128-SHA", TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"DHE-DSS-AES256-SHA", TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"DHE-DSS-CAMELLIA128-SHA", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"DHE-DSS-CAMELLIA256-SHA", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_kEDH|SSL_aDSA|SSL_CAMELLIA256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDH-RSA-NULL-SHA", TLS_ECDH_RSA_WITH_NULL_SHA, SSL_kECDH|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, ++ {"ECDH-RSA-RC4-SHA", TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, ++ {"ECDH-RSA-DES-CBC3-SHA", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDH-RSA-AES128-SHA", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDH-RSA-AES256-SHA", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDH-ECDSA-NULL-SHA", TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_kECDH|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, ++ {"ECDH-ECDSA-RC4-SHA", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_kECDH|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, ++ {"ECDH-ECDSA-DES-CBC3-SHA", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDH-ECDSA-AES128-SHA", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
SSL_kECDH|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDH-ECDSA-AES256-SHA", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDH|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDHE-RSA-NULL-SHA", TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aRSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, ++ {"ECDHE-RSA-RC4-SHA", TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aRSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, ++ {"ECDHE-RSA-DES-CBC3-SHA", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aRSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDHE-ECDSA-NULL-SHA", TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_kECDHE|SSL_aECDSA|SSL_eNULL|SSL_SHA1, TLS1, SSL_NULL, SSL_NOT_ALLOWED}, ++ {"ECDHE-ECDSA-RC4-SHA", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_kECDHE|SSL_aECDSA|SSL_RC4|SSL_SHA1, TLS1, SSL_MEDIUM, SSL_ALLOWED}, ++ {"ECDHE-ECDSA-DES-CBC3-SHA", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_3DES|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES128|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, ++ {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_kECDHE|SSL_aECDSA|SSL_AES256|SSL_SHA1, TLS1, SSL_HIGH, SSL_ALLOWED}, + }; + + #define ciphernum (sizeof(ciphers_def)/sizeof(cipher_properties)) +@@ -577,6 +625,10 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + mask |= SSL_RSA; + } else if ((!strcmp(cipher, "NULL")) || (!strcmp(cipher, "eNULL"))) { + mask |= SSL_eNULL; ++ } else if (!strcmp(cipher, "AES128")) { ++ mask |= SSL_AES128; ++ } else if (!strcmp(cipher, "AES256")) { ++ mask |= SSL_AES256; + } else if 
(!strcmp(cipher, "AES")) { + mask |= SSL_AES; + } else if (!strcmp(cipher, "3DES")) { +@@ -591,6 +643,24 @@ nss_parse_ciphers(const char *cipherstr, int cipher_list[ciphernum]) + mask |= SSL_MD5; + } else if ((!strcmp(cipher, "SHA")) || (!strcmp(cipher, "SHA1"))) { + mask |= SSL_SHA1; ++ } else if (!strcmp(cipher, "EDH")) { ++ mask |= SSL_kEDH; ++ } else if (!strcmp(cipher, "DSS")) { ++ mask |= SSL_aDSA; ++ } else if (!strcmp(cipher, "CAMELLIA128")) { ++ mask |= SSL_CAMELLIA128; ++ } else if (!strcmp(cipher, "CAMELLIA256")) { ++ mask |= SSL_CAMELLIA256; ++ } else if (!strcmp(cipher, "CAMELLIA")) { ++ mask |= SSL_CAMELLIA; ++ } else if (!strcmp(cipher, "SEED")) { ++ mask |= SSL_SEED; ++ } else if (!strcmp(cipher, "ECDH")) { ++ mask |= SSL_kECDH; ++ } else if (!strcmp(cipher, "ECDHE")) { ++ mask |= SSL_kECDHE; ++ } else if (!strcmp(cipher, "ECDSA")) { ++ mask |= SSL_aECDSA; + } else if (!strcmp(cipher, "SSLv2")) { + protocol |= SSL2; + } else if (!strcmp(cipher, "SSLv3")) { +-- +1.7.11.4 + diff --git a/SOURCES/openldap-reentrant-gethostby.patch b/SOURCES/openldap-reentrant-gethostby.patch new file mode 100644 index 0000000..140b6e3 --- /dev/null +++ b/SOURCES/openldap-reentrant-gethostby.patch 
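Review bot: The export-grade and single-DES rows — `EXP-RC2-CBC-MD5`, `EXP-RC4-MD5`, `EXP1024-DES-CBC-SHA`, `EXP1024-RC4-SHA`, `DES-CBC-SHA`, `EDH-RSA-DES-CBC-SHA`, `EDH-DSS-DES-CBC-SHA` — are still `SSL_ALLOWED`, so they are part of the default set unless the caller's cipher string excludes them; only the NULL and SSLv2 rows were switched to `SSL_NOT_ALLOWED`. The comment `Use the same DEFAULT cipher list as OpenSSL` ties this table to an OpenSSL definition that later versions changed to exclude `EXPORT` and `LOW`, so either mark those rows `SSL_NOT_ALLOWED` as well or state the actual policy in the comment (`ALL:!aNULL:!eNULL:!SSLv2`, export and low-strength suites included) so operators know to restrict `TLS_CIPHER_SUITE` themselves. The removed `bits`/`alg_bits` fields may still have readers elsewhere in tls_m.c; the diffstat does not show them, so that is unverifiable from here.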
@@ -0,0 +1,33 @@ +The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for +example if libldap needs to be initialized from within gethostbyXXXX() (which +actually happens if nss_ldap is used for hostname resolution and earlier +modules can't resolve the local host name), so use the reentrant versions of +the functions, even if we're not being compiled for use in libldap_r + +Resolves: #179730 +Author: Jeffery Layton + +diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c +index 373c81c..a012062 100644 +--- a/libraries/libldap/util-int.c ++++ b/libraries/libldap/util-int.c +@@ -52,8 +52,8 @@ extern int h_errno; + #ifndef LDAP_R_COMPILE + # undef HAVE_REENTRANT_FUNCTIONS + # undef HAVE_CTIME_R +-# undef HAVE_GETHOSTBYNAME_R +-# undef HAVE_GETHOSTBYADDR_R ++/* # undef HAVE_GETHOSTBYNAME_R */ ++/* # undef HAVE_GETHOSTBYADDR_R */ + + #else + # include +@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod) + #define BUFSTART (1024-32) + #define BUFMAX (32*1024-32) + +-#if defined(LDAP_R_COMPILE) ++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R) + static char *safe_realloc( char **buf, int len ); + + #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)) diff --git a/SOURCES/openldap-security-pie.patch b/SOURCES/openldap-security-pie.patch new file mode 100644 index 0000000..025c3d4 --- /dev/null +++ b/SOURCES/openldap-security-pie.patch 
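Review bot: The new `#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)` relies on `&&` binding tighter than `||`; it evaluates as intended, but the mixed operators are easy to misread in a guard that decides which resolver path is compiled, so write `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))`. The two `#undef` lines are commented out rather than removed, which leaves no explanation in the code of why the non-`LDAP_R_COMPILE` build now keeps the `_r` variants; replace them with `/* keep gethostby*_r even without LDAP_R_COMPILE: the non-reentrant calls deadlock when nss_ldap re-enters libldap (#179730) */`. The `safe_realloc` prototype and the `#if !(defined(HAVE_GETHOSTBYNAME_R) && ...)` fallback that follows run past the hunk, so whether the non-`_r` path still builds in every configuration cannot be confirmed from here.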
@@ -0,0 +1,16 @@
+Build slapd as position-independent executable (PIE) to take an advantage of
+address space layout randomization (ASLD).
+
+Author: Thomas Woerner
+
+--- a/servers/slapd/Makefile.in
++++ b/servers/slapd/Makefile.in
+@@ -263,7 +263,7 @@ slapi/libslapi.la: FORCE
+ (cd slapi; $(MAKE) $(MFLAGS) all)
+ 
+ slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
+- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
++ $(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \
+ $(WRAP_LIBS)
+ $(RM) $(SLAPTOOLS)
+ for i in $(SLAPTOOLS); do \
diff --git a/SOURCES/openldap-smbk5pwd-overlay.patch b/SOURCES/openldap-smbk5pwd-overlay.patch
new file mode 100644
index 0000000..38936cf
--- /dev/null
+++ b/SOURCES/openldap-smbk5pwd-overlay.patch
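Review bot: `-pie` on the link line only yields a working PIE if every object in `$(SLAPD_OBJECTS)` and any static library in `$(LIBS)` was compiled with `-fPIE`/`-fPIC`, and this patch adds nothing to the compile flags; on this build the spec's `%global _hardened_build 1` presumably supplies that through the distribution's compiler macros, so the patch description should state that dependency rather than leave it implicit. Since the link flags are being hardened anyway, `-Wl,-z,relro -Wl,-z,now` belongs next to `-pie`: full RELRO makes the GOT read-only after load and is the usual companion to PIE for a network-facing daemon. The description's "ASLD" should read "ASLR".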
@@ -0,0 +1,62 @@ +Compile smbk5pwd together with other overlays. + +Author: Jan Šafránek +Resolves: #550895 + +Update to link against OpenSSL + +Author: Jan Vcelak +Resolves: #841560 + +diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README +index f20ad94..b6433ff 100644 +--- a/contrib/slapd-modules/smbk5pwd/README ++++ b/contrib/slapd-modules/smbk5pwd/README +@@ -1,3 +1,8 @@ ++****************************************************************************** ++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module ++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux. ++****************************************************************************** ++ + This directory contains a slapd overlay, smbk5pwd, that extends the + PasswordModify Extended Operation to update Kerberos keys and Samba + password hashes for an LDAP user. +diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in +index 3af20e8..ef73663 100644 +--- a/servers/slapd/overlays/Makefile.in ++++ b/servers/slapd/overlays/Makefile.in +@@ -33,7 +33,8 @@ SRCS = overlays.c \ + syncprov.c \ + translucent.c \ + unique.c \ +- valsort.c ++ valsort.c \ ++ smbk5pwd.c + OBJS = statover.o \ + @SLAPD_STATIC_OVERLAYS@ \ + overlays.o +@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + + LIBRARY = ../liboverlays.a +-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ ++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la + + XINCPATH = -I.. -I$(srcdir)/.. 
+ XDEFS = $(MODULES_CPPFLAGS) +@@ -125,6 +126,12 @@ unique.la : unique.lo + valsort.la : valsort.lo + $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS) + ++smbk5pwd.lo : smbk5pwd.c ++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< ++ ++smbk5pwd.la : smbk5pwd.lo ++ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) ++ + install-local: $(PROGRAMS) + @if test -n "$?" ; then \ + $(MKDIR) $(DESTDIR)$(moduledir); \ +-- +1.7.10.4 + diff --git a/SOURCES/openldap-sql-linking.patch b/SOURCES/openldap-sql-linking.patch new file mode 100644 index 0000000..c7edf8c --- /dev/null +++ b/SOURCES/openldap-sql-linking.patch @@ -0,0 +1,14 @@ +Removes unnecessary linking of SQL libraries into slapd. This makes openldap-servers package +independent on libodbc. (SQL backend is packaged separately in openldap-servers-sql.) + +--- openldap-2.4.24.orig/build/top.mk ++++ openldap-2.4.24/build/top.mk +@@ -201,7 +201,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@ + SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@ + SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@ + +-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) ++SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) + + # Our Defaults + CC = $(AC_CC) diff --git a/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch b/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch new file mode 100644 index 0000000..ed4f2ad --- /dev/null +++ b/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch 
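Review bot: `$(shell pkg-config openssl --cflags)` and `$(shell pkg-config openssl --libs)` expand to an empty string when `pkg-config` or `openssl.pc` is missing, so a broken build environment shows up as a missing `openssl/` header or unresolved symbols deep inside the overlay build instead of a clear failure; probe once near the top of the file, e.g. `OPENSSL_CHECK := $(if $(shell pkg-config --exists openssl && echo yes),,$(error openssl.pc not found))`. slapd itself is configured with `--with-tls=moznss` in the spec while this rule forces `-UHAVE_MOZNSS -DHAVE_OPENSSL`, so the overlay pulls a second crypto library into the slapd process; that is the stated intent of the patch, but a one-line comment on the `smbk5pwd.lo` rule saying so would stop someone from "fixing" it back to NSS. The Red Hat note added to the README should also say that with only `DO_SAMBA` the overlay updates Samba password hashes and leaves Kerberos keys untouched, since the stock paragraph right below it still describes both.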
@@ -0,0 +1,41 @@ +From: Jan-Marek Glogowski +Date: Tue, 18 May 2010 17:47:05 +0200 +Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set. + +Proof of concept for fixing http://bugs.debian.org/327585 +(patch ported from freeradius bug http://bugs.debian.org/416266) + +Resolves: #960048 +--- +--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200 ++++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200 +@@ -117,6 +117,20 @@ + return -1; /* not found */ + } + ++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename ) ++{ ++ lt_dlhandle handle = 0; ++ lt_dladvise advise; ++ ++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise) ++ && !lt_dladvise_global (&advise)) ++ handle = lt_dlopenadvise (filename, advise); ++ ++ lt_dladvise_destroy (&advise); ++ ++ return handle; ++} ++ + int module_load(const char* file_name, int argc, char *argv[]) + { + module_loaded_t *module; +@@ -180,7 +194,7 @@ + * to calling Debug. This is because Debug is a macro that expands + * into multiple function calls. + */ +- if ((module->lib = lt_dlopenext(file)) == NULL) { ++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) { + error = lt_dlerror(); + #ifdef HAVE_EBCDIC + strcpy( ebuf, error ); diff --git a/SOURCES/openldap-syncrepl-unset-tls-options.patch b/SOURCES/openldap-syncrepl-unset-tls-options.patch new file mode 100644 index 0000000..156971a --- /dev/null +++ b/SOURCES/openldap-syncrepl-unset-tls-options.patch 
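Review bot: `lt_dladvise advise;` is left uninitialized and `lt_dladvise_destroy (&advise)` runs unconditionally, so when `lt_dladvise_init` fails the destroy call operates on an indeterminate pointer; declare it as `lt_dladvise advise = NULL;` so the failure path is well-defined whatever the library does with an unset handle. When the advise setup fails the helper returns 0 without recording an error, and the caller then reports whatever stale text `lt_dlerror()` holds; falling back to `handle = lt_dlopenext (filename);` in that case keeps module loading working and makes the failure diagnosable. `RTLD_GLOBAL` also makes every loaded module's symbols visible to every module loaded after it, which the spec already flags as a source of symbol collisions; a comment on `slapd_lt_dlopenext_global` pointing at that trade-off would help the next reader.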
@@ -0,0 +1,62 @@ +allow unsetting of tls_* syncrepl options + +Author: Patrick Monnerat +Upstream ITS: #7042 +Resolves: #734187 + +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index 654a4bf..10b993b 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -735,27 +735,27 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + return 0; + case LDAP_OPT_X_TLS_CACERTFILE: + if ( lo->ldo_tls_cacertfile ) LDAP_FREE( lo->ldo_tls_cacertfile ); +- lo->ldo_tls_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ lo->ldo_tls_cacertfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; + return 0; + case LDAP_OPT_X_TLS_CACERTDIR: + if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir ); +- lo->ldo_tls_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ lo->ldo_tls_cacertdir = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; + return 0; + case LDAP_OPT_X_TLS_CERTFILE: + if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile ); +- lo->ldo_tls_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ lo->ldo_tls_certfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; + return 0; + case LDAP_OPT_X_TLS_KEYFILE: + if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile ); +- lo->ldo_tls_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ lo->ldo_tls_keyfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; + return 0; + case LDAP_OPT_X_TLS_DHFILE: + if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile ); +- lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; + return 0; + case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ + if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile ); +- lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ lo->ldo_tls_crlfile = (arg && *(char *)arg) ? 
LDAP_STRDUP( (char *) arg ) : NULL; + return 0; + case LDAP_OPT_X_TLS_REQUIRE_CERT: + if ( !arg ) return -1; +@@ -783,7 +783,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + #endif + case LDAP_OPT_X_TLS_CIPHER_SUITE: + if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite ); +- lo->ldo_tls_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ lo->ldo_tls_ciphersuite = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; + return 0; + + case LDAP_OPT_X_TLS_PROTOCOL_MIN: +@@ -794,7 +794,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + if ( ld != NULL ) + return -1; + if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile ); +- lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ lo->ldo_tls_randfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; + break; + case LDAP_OPT_X_TLS_NEWCTX: + if ( !arg ) return -1; diff --git a/SOURCES/openldap-tls-no-reuse-of-tls_session.patch b/SOURCES/openldap-tls-no-reuse-of-tls_session.patch new file mode 100644 index 0000000..5c397d1 --- /dev/null +++ b/SOURCES/openldap-tls-no-reuse-of-tls_session.patch 
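Review bot: The same `(arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL` expression is now repeated for nine options, which invites the next string option to miss the empty-string rule; a helper keeps it in one place: `static char *tls_dup_or_null( const void *arg ) { const char *s = arg; return ( s && *s ) ? LDAP_STRDUP( s ) : NULL; }`. Semantically an empty string now clears the CA file/dir, client certificate, key, DH, CRL, cipher suite and random file exactly like NULL, so `tls_cacert=""` in a syncrepl stanza silently removes the trust anchors instead of being rejected; that is the intended unset, but ldap.conf(5)/slapd-config(5) should state that an empty value unsets the option, and it is worth confirming under the NSS backend that with `tls_reqcert` at its default `demand` the replication connection then fails closed. The enclosing `switch` starts before the first hunk.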
@@ -0,0 +1,92 @@ +TLS: do not reuse tls_session if hostname check fails + +If multiple servers are specified, the connection to the first one succeeds, and the hostname verification fails, +*tls_session is not dropped, but reused when connecting to the second server. + +This is a problem with Mozilla NSS backend because another handshake cannot be performed on the same file descriptor. +From this reason, hostname checking was moved into ldap_int_tls_connect() before connection error handling. + +Author: Jan Vcelak +Upstream ITS: #7373 +Resolves: #852476 + +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index 10b993b..a3cd590 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -320,7 +320,7 @@ update_flags( Sockbuf *sb, tls_session * ssl, int rc ) + */ + + static int +-ldap_int_tls_connect( LDAP *ld, LDAPConn *conn ) ++ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host ) + { + Sockbuf *sb = conn->lconn_sb; + int err; +@@ -365,6 +365,10 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn ) + errno = WSAGetLastError(); + #endif + ++ if ( err == 0 ) { ++ err = ldap_pvt_tls_check_hostname( ld, ssl, host ); ++ } ++ + if ( err < 0 ) + { + char buf[256], *msg; +@@ -495,7 +499,15 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in ) + { + tls_session *session = s; + +- return tls_imp->ti_session_chkhost( ld, session, name_in ); ++ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && ++ ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { ++ ld->ld_errno = tls_imp->ti_session_chkhost( ld, session, name_in ); ++ if (ld->ld_errno != LDAP_SUCCESS) { ++ return ld->ld_errno; ++ } ++ } ++ ++ return LDAP_SUCCESS; + } + + int +@@ -857,7 +869,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) + #endif /* LDAP_USE_NON_BLOCKING_TLS */ + + ld->ld_errno = LDAP_SUCCESS; +- ret = ldap_int_tls_connect( ld, conn ); ++ ret = ldap_int_tls_connect( ld, conn, host ); + + #ifdef 
LDAP_USE_NON_BLOCKING_TLS + while ( ret > 0 ) { /* this should only happen for non-blocking io */ +@@ -878,7 +890,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) + } else { + /* ldap_int_poll called ldap_pvt_ndelay_off */ + ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_SET_NONBLOCK, sb ); +- ret = ldap_int_tls_connect( ld, conn ); ++ ret = ldap_int_tls_connect( ld, conn, host ); + if ( ret > 0 ) { /* need to call tls_connect once more */ + struct timeval curr_time_tv, delta_tv; + +@@ -935,20 +947,6 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) + return (ld->ld_errno); + } + +- ssl = ldap_pvt_tls_sb_ctx( sb ); +- assert( ssl != NULL ); +- +- /* +- * compare host with name(s) in certificate +- */ +- if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && +- ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { +- ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host ); +- if (ld->ld_errno != LDAP_SUCCESS) { +- return ld->ld_errno; +- } +- } +- + return LDAP_SUCCESS; + } + diff --git a/SOURCES/openldap-userconfig-setgid.patch b/SOURCES/openldap-userconfig-setgid.patch new file mode 100644 index 0000000..70f0d28 --- /dev/null +++ b/SOURCES/openldap-userconfig-setgid.patch @@ -0,0 +1,18 @@ +Normally, skips reading of user configuration file when running with different effective UID. +This patch adds the same behavior for GID. + +Author: Nalin Dahyabhai + +diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c +index e6b17b4..fbf4829 100644 +--- a/libraries/libldap/init.c ++++ b/libraries/libldap/init.c +@@ -678,7 +678,7 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl ) + openldap_ldap_init_w_sysconf(LDAP_CONF_FILE); + + #ifdef HAVE_GETEUID +- if ( geteuid() != getuid() ) ++ if ( geteuid() != getuid() || getegid() != getgid() ) + return; + #endif + diff --git a/SOURCES/slapd.ldif b/SOURCES/slapd.ldif new file mode 100644 index 0000000..9ce13ea --- /dev/null 
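Review bot: After `err = ldap_pvt_tls_check_hostname( ld, ssl, host );` the only failure branch is `if ( err < 0 )`, but the new `ldap_pvt_tls_check_hostname` returns `ld->ld_errno`, i.e. the LDAP result code from `ti_session_chkhost`, and LDAP result codes such as `LDAP_CONNECT_ERROR` are positive; unless the backend's chkhost returns a negative value (not visible here), a hostname mismatch skips the cleanup branch and the function's return depends on code past the hunk, so confirm that a mismatch cannot end in `return 0` and a connection reported as `LDAP_SUCCESS` by `ldap_int_tls_start`. The robust fix is to have the helper return a sentinel — `if (ld->ld_errno != LDAP_SUCCESS) return -1;` — since `ld->ld_errno` already carries the code, and to make the `ret < 0` path in `ldap_int_tls_start` only assign `LDAP_CONNECT_ERROR` when `ld->ld_errno` is still `LDAP_SUCCESS` (that assignment is outside the hunk), so the hostname error is not overwritten. Note also that `ldap_pvt_tls_check_hostname` is a non-static `ldap_pvt_` entry point that previously always performed the check; it now returns success without checking when `tls_reqcert` is `never` or `allow`, which callers that do their own gating will not expect, so document that in the function's comment.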
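Review bot: `getegid() != getgid()` is placed under the existing `#ifdef HAVE_GETEUID`, so a platform that defines `HAVE_GETEUID` but lacks `getegid` fails to compile, and one without `HAVE_GETEUID` still reads the user configuration when setgid; guard the gid test separately, e.g. `#if defined(HAVE_GETEUID) && defined(HAVE_GETEGID)` with a fallback that keeps the uid-only test. The uid/gid comparison also misses privilege gained through file capabilities or any other `AT_SECURE` execution, so where available prefer `issetugid()` or glibc's `getauxval(AT_SECURE)` as the "secure exec" test and keep the id comparison as the fallback. The rest of `ldap_int_initialize`, including the user-file and environment handling this early return presumably protects, lies outside the hunk.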
+++ b/SOURCES/slapd.ldif 
@@ -0,0 +1,147 @@ +# +# See slapd-config(5) for details on configuration options. +# This file should NOT be world readable. +# + +dn: cn=config +objectClass: olcGlobal +cn: config +olcArgsFile: /var/run/openldap/slapd.args +olcPidFile: /var/run/openldap/slapd.pid +# +# TLS settings +# +olcTLSCACertificatePath: /etc/openldap/certs +olcTLSCertificateFile: "OpenLDAP Server" +olcTLSCertificateKeyFile: /etc/openldap/certs/password +# +# Do not enable referrals until AFTER you have a working directory +# service AND an understanding of referrals. +# +#olcReferral: ldap://root.openldap.org +# +# Sample security restrictions +# Require integrity protection (prevent hijacking) +# Require 112-bit (3DES or better) encryption for updates +# Require 64-bit encryption for simple bind +# +#olcSecurity: ssf=1 update_ssf=112 simple_bind=64 + + +# +# Load dynamic backend modules: +# - modulepath is architecture dependent value (32/64-bit system) +# - back_sql.la backend requires openldap-servers-sql package +# - dyngroup.la and dynlist.la cannot be used at the same time +# + +#dn: cn=module,cn=config +#objectClass: olcModuleList +#cn: module +#olcModulepath: /usr/lib/openldap +#olcModulepath: /usr/lib64/openldap +#olcModuleload: accesslog.la +#olcModuleload: auditlog.la +#olcModuleload: back_dnssrv.la +#olcModuleload: back_ldap.la +#olcModuleload: back_mdb.la +#olcModuleload: back_meta.la +#olcModuleload: back_null.la +#olcModuleload: back_passwd.la +#olcModuleload: back_relay.la +#olcModuleload: back_shell.la +#olcModuleload: back_sock.la +#olcModuleload: collect.la +#olcModuleload: constraint.la +#olcModuleload: dds.la +#olcModuleload: deref.la +#olcModuleload: dyngroup.la +#olcModuleload: dynlist.la +#olcModuleload: memberof.la +#olcModuleload: pcache.la +#olcModuleload: ppolicy.la +#olcModuleload: refint.la +#olcModuleload: retcode.la +#olcModuleload: rwm.la +#olcModuleload: seqmod.la +#olcModuleload: smbk5pwd.la +#olcModuleload: sssvlv.la +#olcModuleload: syncprov.la 
+#olcModuleload: translucent.la +#olcModuleload: unique.la +#olcModuleload: valsort.la + + +# +# Schema settings +# + +dn: cn=schema,cn=config +objectClass: olcSchemaConfig +cn: schema + +include: file:///etc/openldap/schema/core.ldif + +# +# Frontend settings +# + +dn: olcDatabase=frontend,cn=config +objectClass: olcDatabaseConfig +olcDatabase: frontend +# +# Sample global access control policy: +# Root DSE: allow anyone to read it +# Subschema (sub)entry DSE: allow anyone to read it +# Other DSEs: +# Allow self write access +# Allow authenticated users read access +# Allow anonymous users to authenticate +# +#olcAccess: to dn.base="" by * read +#olcAccess: to dn.base="cn=Subschema" by * read +#olcAccess: to * +# by self write +# by users read +# by anonymous auth +# +# if no access controls are present, the default policy +# allows anyone and everyone to read anything but restricts +# updates to rootdn. (e.g., "access to * by * read") +# +# rootdn can always read and write EVERYTHING! +# + +# +# Configuration database +# + +dn: olcDatabase=config,cn=config +objectClass: olcDatabaseConfig +olcDatabase: config +olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c + n=auth" manage by * none + +# +# Server status monitoring +# + +dn: olcDatabase=monitor,cn=config +objectClass: olcDatabaseConfig +olcDatabase: monitor +olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c + n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none + +# +# Backend database definitions +# + +dn: olcDatabase=hdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcHdbConfig +olcDatabase: hdb +olcSuffix: dc=my-domain,dc=com +olcRootDN: cn=Manager,dc=my-domain,dc=com +olcDbDirectory: /var/lib/ldap +olcDbIndex: objectClass eq,pres +olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub diff --git a/SOURCES/slapd.service b/SOURCES/slapd.service new file mode 100644 index 0000000..7e0589c --- /dev/null 
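Review bot: The `olcDatabase=hdb` entry ships with `olcRootDN` but no `olcAccess`, and the file's own comment explains that without access controls the default policy lets anyone read everything, so an unmodified install would let anonymous clients read the whole `dc=my-domain,dc=com` tree, `userPassword` included; add at least `olcAccess: to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none` and `olcAccess: to * by self write by users read by * none` to that entry. `olcTLSCertificateKeyFile: /etc/openldap/certs/password` names the NSS password file that unlocks the server key, so a comment should say it must be mode 0600 owned by `ldap` and that this is the reason the header says the file must not be world readable. `olcRootDN` is set without `olcRootPW`, which is fine while the administrator binds over ldapi with SASL EXTERNAL, but a comment saying that any `olcRootPW` added here must be a `slappasswd` hash rather than cleartext would prevent a common mistake.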
+++ b/SOURCES/slapd.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network.target
+
+[Service]
+Type=forking
+PIDFile=/var/run/openldap/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/slapd.sysconfig b/SOURCES/slapd.sysconfig
new file mode 100644
index 0000000..68091a5
--- /dev/null
+++ b/SOURCES/slapd.sysconfig
@@ -0,0 +1,15 @@
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+# - ldapi:/// is required for on-the-fly configuration using client tools
+# (use SASL with EXTERNAL mechanism for authentication)
+# - default: ldapi:/// ldap:///
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldapi:/// ldap:///"
+
+# Any custom options
+#SLAPD_OPTIONS=""
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
diff --git a/SOURCES/slapd.tmpfiles b/SOURCES/slapd.tmpfiles
new file mode 100644
index 0000000..56aa32e
--- /dev/null
+++ b/SOURCES/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
new file mode 100644
index 0000000..470c05a
--- /dev/null
+++ b/SPECS/openldap.spec
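Review bot: `After=syslog.target network.target` does not wait for the network to be up — `network.target` only orders against the start of network management — so when `SLAPD_URLS` lists specific addresses slapd can still fail to bind at boot; the #946921 fix named in the changelog wants `After=network-online.target` together with `Wants=network-online.target`, and `syslog.target` is obsolete under journald and can be dropped. `PIDFile` points into `/var/run/openldap`, which the tmpfiles entry hands to the `ldap` user, so on systemd versions that do not verify the PID belongs to the unit's cgroup a compromised slapd running as `ldap` could make systemd signal an arbitrary process on stop; that is inherent to `Type=forking` here and worth a comment. `PrivateTmp=true` is safe for slapd and cheap isolation for a network-facing daemon; `ProtectSystem=` is not, because cn=config writes under `/etc/openldap/slapd.d`.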
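Review bot: The `KRB5_KTNAME` example should say the keytab must be readable by the `ldap` user, because the unit starts slapd with `-u ldap` and a root-only keytab makes GSSAPI binds fail at runtime rather than at startup; add `# (must be readable by the 'ldap' user: slapd drops privileges to ldap)` above it. The comment block could also note that the value is passed to `-h` as a single argument, so URLs are separated by spaces only and the quotes are required.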
@@ -0,0 +1,1970 @@ +%global _hardened_build 1 + +%global systemctl_bin /usr/bin/systemctl +%global check_password_version 1.1 + +Name: openldap +Version: 2.4.35 +Release: 7%{?dist} +Summary: LDAP support libraries +Group: System Environment/Daemons +License: OpenLDAP +URL: http://www.openldap.org/ +Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz +Source1: slapd.service +Source2: slapd.sysconfig +Source3: slapd.tmpfiles +Source4: slapd.ldif +Source5: ldap.conf +Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz +Source50: libexec-functions +Source51: libexec-convert-config.sh +Source52: libexec-check-config.sh +Source53: libexec-upgrade-db.sh +Source54: libexec-create-certdb.sh +Source55: libexec-generate-server-cert.sh + +# patches for 2.4 +Patch0: openldap-manpages.patch +Patch1: openldap-security-pie.patch +Patch2: openldap-sql-linking.patch +Patch3: openldap-reentrant-gethostby.patch +Patch4: openldap-smbk5pwd-overlay.patch +Patch5: openldap-ldaprc-currentdir.patch +Patch6: openldap-userconfig-setgid.patch +Patch7: openldap-dns-priority.patch +Patch8: openldap-syncrepl-unset-tls-options.patch +Patch9: openldap-man-sasl-nocanon.patch +Patch10: openldap-ai-addrconfig.patch +Patch11: openldap-nss-update-list-of-ciphers.patch +Patch12: openldap-tls-no-reuse-of-tls_session.patch +Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch +Patch14: openldap-nss-ignore-certdb-type-prefix.patch +Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch +Patch16: openldap-nss-pk11-freeslot.patch +# documentation patches, already included upstream +Patch17: openldap-doc1.patch +Patch18: openldap-doc2.patch +# fix back_perl problems with lt_dlopen() +# might cause crashes because of symbol collisions +# the proper fix is to link all perl modules against libperl +# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585 +Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch +# 
ldapi sasl fix pending upstream inclusion +Patch20: openldap-ldapi-sasl.patch +# already included upstream +Patch21: openldap-loglevel2bvarray.patch +# more documentation fixes, upstreamed +Patch22: openldap-doc3.patch +# cldap fixes, upstreamed +Patch23: openldap-cldap.patch + +# Fedora specific patches +Patch100: openldap-autoconf-pkgconfig-nss.patch +Patch102: openldap-fedora-systemd.patch + +BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel +BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed) +# smbk5pwd overlay: +BuildRequires: openssl-devel +Requires: nss-tools + +%description +OpenLDAP is an open source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. The openldap package contains configuration files, +libraries, and documentation for OpenLDAP. + +%package devel +Summary: LDAP development libraries and header files +Group: Development/Libraries +Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa} + +%description devel +The openldap-devel package includes the development libraries and +header files needed for compiling applications that use LDAP +(Lightweight Directory Access Protocol) internals. LDAP is a set of +protocols for enabling directory services over the Internet. Install +this package only if you plan to develop or will need to compile +customized LDAP clients. 
+ +%package servers +Summary: LDAP server +License: OpenLDAP +Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils +Requires(pre): shadow-utils +Requires(post): systemd, systemd-sysv, chkconfig +Requires(preun): systemd +Requires(postun): systemd +BuildRequires: libdb-devel +BuildRequires: systemd-units +BuildRequires: cracklib-devel +Group: System Environment/Daemons +# migrationtools (slapadd functionality): +Provides: ldif2ldbm + +%description servers +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. This package contains the slapd server and related files. + +%package servers-sql +Summary: SQL support module for OpenLDAP server +Requires: openldap-servers%{?_isa} = %{version}-%{release} +Group: System Environment/Daemons + +%description servers-sql +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. This package contains a loadable module which the +slapd server can use to read data from an RDBMS. + +%package clients +Summary: LDAP client utilities +Requires: openldap%{?_isa} = %{version}-%{release} +Group: Applications/Internet + +%description clients +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. 
LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. The openldap-clients package contains the client +programs needed for accessing and modifying OpenLDAP directories. + +%prep +%setup -q -c -a 0 -a 10 + +pushd openldap-%{version} + +# use pkg-config for Mozilla NSS library +%patch100 -p1 + +# alternative include paths for Mozilla NSS +ln -s %{_includedir}/nss3 include/nss +ln -s %{_includedir}/nspr4 include/nspr + +AUTOMAKE=%{_bindir}/true autoreconf -fi + +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 + +%patch102 -p1 + +# build smbk5pwd with other overlays +ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays +mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd + +mv servers/slapd/back-perl/README{,.back_perl} + +# fix documentation encoding +for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do + iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8" + mv "$filename.utf8" "$filename" +done + +popd + +%build + +# avoid stray dependencies (linker flag --as-needed) +# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS) +export CFLAGS="%{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS" + +pushd openldap-%{version} +%configure \ + --enable-debug \ + --enable-dynamic \ + --enable-syslog \ + --enable-proctitle \ + --enable-ipv6 \ + --enable-local \ + \ + --enable-slapd \ + --enable-dynacl \ + --enable-aci \ + --enable-cleartext \ + --enable-crypt \ + --enable-lmpasswd \ + --enable-spasswd \ + --enable-modules 
\ + --enable-rewrite \ + --enable-rlookups \ + --enable-slapi \ + --disable-slp \ + --enable-wrappers \ + \ + --enable-backends=mod \ + --enable-bdb=yes \ + --enable-hdb=yes \ + --enable-monitor=yes \ + --disable-ndb \ + \ + --enable-overlays=mod \ + \ + --disable-static \ + --enable-shared \ + \ + --with-cyrus-sasl \ + --without-fetch \ + --with-threads \ + --with-pic \ + --with-tls=moznss \ + --with-gnu-ld \ + \ + --libexecdir=%{_libdir} + +make %{_smp_mflags} +popd + +pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +make LDAP_INC="-I../openldap-%{version}/include \ + -I../openldap-%{version}/servers/slapd \ + -I../openldap-%{version}/build-servers/include" +popd + +%install + +mkdir -p %{buildroot}%{_libdir}/ + +pushd openldap-%{version} +make install DESTDIR=%{buildroot} STRIP="" +popd + +# install check_password module +pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +install -m 755 check_password.so %{buildroot}%{_libdir}/openldap/ +# install -m 644 README %{buildroot}%{_libdir}/openldap +install -d -m 755 %{buildroot}%{_sysconfdir}/openldap +cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf <&/dev/null || : + +%postun -p /sbin/ldconfig + +%pre servers + +# create ldap user and group +getent group ldap &>/dev/null || groupadd -r -g 55 ldap +getent passwd ldap &>/dev/null || \ + useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap + +if [ $1 -eq 2 ]; then + # package upgrade + + old_version=$(rpm -q --qf=%%{version} openldap-servers) + new_version=%{version} + + if [ "$old_version" != "$new_version" ]; then + touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null + fi +fi + +exit 0 + + +%post servers + +/sbin/ldconfig +%systemd_post slapd.service + +# generate sample TLS certificate for server (will not replace) +%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || : + +# generate/upgrade configuration +if [ ! 
-f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then
+ if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
+ %{_libexecdir}/openldap/convert-config.sh &>/dev/null
+ mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
+ else
+ %{_libexecdir}/openldap/convert-config.sh -f %{_datadir}/openldap-servers/slapd.ldif &>/dev/null
+ fi
+fi
+
+start_slapd=0
+
+# upgrade the database
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then
+ if %{systemctl_bin} --quiet is-active slapd.service; then
+ %{systemctl_bin} stop slapd.service
+ start_slapd=1
+ fi
+
+ %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
+ rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap
+fi
+
+# conversion from /etc/sysconfig/ldap to /etc/sysconfig/slapd
+if [ $1 -eq 2 ]; then
+ # we expect that 'ldap' will be renamed to 'ldap.rpmsave' after removing the old package
+ [ -r %{_sysconfdir}/sysconfig/ldap ] || exit 0
+ source %{_sysconfdir}/sysconfig/ldap &>/dev/null
+
+ new_urls=
+ [ "$SLAPD_LDAP" != "no" ] && new_urls="$new_urls ldap:///"
+ [ "$SLAPD_LDAPI" != "no" ] && new_urls="$new_urls ldapi:///"
+ [ "$SLAPD_LDAPS" == "yes" ] && new_urls="$new_urls ldaps:///"
+ [ -n "$SLAPD_URLS" ] && new_urls="$new_urls $SLAPD_URLS"
+
+ failure=0
+ cp -f %{_sysconfdir}/sysconfig/slapd %{_sysconfdir}/sysconfig/slapd.rpmconvert
+ sed -i '/^#\?SLAPD_URLS=/s@.*@SLAPD_URLS="'"$new_urls"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1
+ [ -n "$SLAPD_OPTIONS" ] && \
+ sed -i '/^#\?SLAPD_OPTIONS=/s@.*$@SLAPD_OPTIONS="'"$SLAPD_OPTIONS"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1
+
+ if [ $failure -eq 0 ]; then
+ mv -f %{_sysconfdir}/sysconfig/slapd.rpmconvert %{_sysconfdir}/sysconfig/slapd
+ else
+ rm -f %{_sysconfdir}/sysconfig/slapd.rpmconvert
+ fi
+fi
+
+# restart after upgrade
+if [ $1 -ge 1 ]; then
+ if [ $start_slapd -eq 1 ]; then
+ %{systemctl_bin} start slapd.service &>/dev/null || :
+ else
+ %{systemctl_bin} condrestart slapd.service &>/dev/null || :
+ fi
+fi
+
+exit 0
+
+%preun servers
+
+%systemd_preun slapd.service
+
+
+%postun servers
+
+/sbin/ldconfig
+%systemd_postun_with_restart slapd.service
+
+
+%triggerun servers -- openldap-servers < 2.4.26-6
+
+# migration from SysV to systemd
+/usr/bin/systemd-sysv-convert --save slapd &>/dev/null || :
+/usr/sbin/chkconfig --del slapd &>/dev/null || :
+%{systemctl_bin} try-restart slapd.service &>/dev/null || :
+
+
+%triggerin servers -- libdb
+
+# libdb upgrade (setup for %%triggerun)
+if [ $2 -eq 2 ]; then
+ # we are interested in minor version changes (both versions of libdb are installed at this moment)
+ if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then
+ touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+ else
+ rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+ fi
+fi
+
+exit 0
+
+
+%triggerun servers -- libdb
+
+# libdb upgrade (finish %%triggerin)
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then
+ if %{systemctl_bin} --quiet is-active slapd.service; then
+ %{systemctl_bin} stop slapd.service
+ start=1
+ else
+ start=0
+ fi
+
+ %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
+ rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+
+ [ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null
+fi
+
+exit 0
+
+
+%files
+%doc openldap-%{version}/ANNOUNCEMENT
+%doc openldap-%{version}/CHANGES
+%doc openldap-%{version}/COPYRIGHT
+%doc openldap-%{version}/LICENSE
+%doc openldap-%{version}/README
+%dir %{_sysconfdir}/openldap
+%dir %{_sysconfdir}/openldap/certs
+%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
+%dir %{_libexecdir}/openldap/
+%{_libexecdir}/openldap/create-certdb.sh
+%{_libdir}/liblber-2.4*.so.*
+%{_libdir}/libldap-2.4*.so.*
+%{_libdir}/libldap_r-2.4*.so.*
+%{_libdir}/libslapi-2.4*.so.*
+%{_mandir}/man5/ldif.5*
+%{_mandir}/man5/ldap.conf.5*
+
+%files servers
+%doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd
+%doc openldap-%{version}/doc/guide/admin/*.html
+%doc openldap-%{version}/doc/guide/admin/*.png
+%doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm
+%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
+%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
+%doc ltb-project-openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd
+%doc README.schema
+%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
+%config(noreplace) %{_sysconfdir}/openldap/schema
+%config(noreplace) %{_sysconfdir}/sysconfig/slapd
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/slapd.conf
+%config(noreplace) %{_sysconfdir}/openldap/check_password.conf
+%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
+%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
+%{_unitdir}/slapd.service
+%{_datadir}/openldap-servers/
+%{_libdir}/openldap/accesslog*
+%{_libdir}/openldap/auditlog*
+%{_libdir}/openldap/back_dnssrv*
+%{_libdir}/openldap/back_ldap*
+%{_libdir}/openldap/back_mdb*
+%{_libdir}/openldap/back_meta*
+%{_libdir}/openldap/back_null*
+%{_libdir}/openldap/back_passwd*
+%{_libdir}/openldap/back_relay*
+%{_libdir}/openldap/back_shell*
+%{_libdir}/openldap/back_sock*
+%{_libdir}/openldap/back_perl*
+%{_libdir}/openldap/collect*
+%{_libdir}/openldap/constraint*
+%{_libdir}/openldap/dds*
+%{_libdir}/openldap/deref*
+%{_libdir}/openldap/dyngroup*
+%{_libdir}/openldap/dynlist*
+%{_libdir}/openldap/memberof*
+%{_libdir}/openldap/pcache*
+%{_libdir}/openldap/ppolicy*
+%{_libdir}/openldap/refint*
+%{_libdir}/openldap/retcode*
+%{_libdir}/openldap/rwm*
+%{_libdir}/openldap/seqmod*
+%{_libdir}/openldap/smbk5pwd*
+%{_libdir}/openldap/sssvlv*
+%{_libdir}/openldap/syncprov*
+%{_libdir}/openldap/translucent*
+%{_libdir}/openldap/unique*
+%{_libdir}/openldap/valsort*
+%{_libdir}/openldap/check_password*
+%{_libexecdir}/openldap/functions
+%{_libexecdir}/openldap/convert-config.sh
+%{_libexecdir}/openldap/check-config.sh
+%{_libexecdir}/openldap/upgrade-db.sh
+%{_libexecdir}/openldap/generate-server-cert.sh
+%{_sbindir}/sl*
+%{_mandir}/man8/*
+%{_mandir}/man5/slapd*.5*
+%{_mandir}/man5/slapo-*.5*
+# obsolete configuration
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf.bak
+
+%files servers-sql
+%doc openldap-%{version}/servers/slapd/back-sql/docs/*
+%doc openldap-%{version}/servers/slapd/back-sql/rdbms_depend
+%{_libdir}/openldap/back_sql*
+
+%files clients
+%{_bindir}/*
+%{_mandir}/man1/*
+
+%files devel
+%doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc
+%{_libdir}/lib*.so
+%{_includedir}/*
+%{_mandir}/man3/*
+
+%changelog
+* Mon Oct 14 2013 Jan Synáček - 2.4.35-7
+- fix: CLDAP is broken for IPv6 (#1007421)
+
+* Wed Sep 4 2013 Jan Synáček - 2.4.35-6
+- fix: typos in manpages (#948562)
+
+* Fri Jun 14 2013 Jan Synáček - 2.4.35-5
+- fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0"
+
+* Thu May 09 2013 Jan Synáček 2.4.35-4
+- do not needlessly run ldconfig after installing openldap-devel
+- fix: LDAPI with GSSAPI does not work if SASL_NOCANON=on (#960222)
+- fix: lt_dlopen() with back_perl (#960048)
+
+* Tue Apr 09 2013 Jan Synáček 2.4.35-3
+- fix: minor documentation fixes
+- set SASL_NOCANON to on by default (#949864)
+- remove trailing spaces
+
+* Fri Apr 05 2013 Jan Synáček 2.4.35-2
+- drop the evolution patch
+
+* Tue Apr 02 2013 Jan Synáček 2.4.35-1
+- new upstream release (#947235)
+- fix: slapd.service should ensure that network is up before starting (#946921)
+- fix: NSS related resource leak (#929357)
+
+* Mon Mar 18 2013 Jan Synáček 2.4.34-2
+- fix: syncrepl push DELETE operation does not recover (#920482)
+- run autoreconf every build, drop autoreconf patch (#926280)
+
+* Mon Mar 11 2013 Jan Synáček 2.4.34-1
+- enable perl backend (#820547)
+- package ppolicy-check-password (#829749)
+- add 
perl specific BuildRequires +- fix bogus dates + +* Wed Mar 06 2013 Jan Vcelak 2.4.34-1 +- new upstream release (#917603) +- fix: slapcat segfaults if cn=config.ldif not present (#872784) +- use systemd-rpm macros in spec file (#850247) + +* Thu Jan 31 2013 Jan Synáček 2.4.33-4 +- rebuild against new cyrus-sasl + +* Wed Oct 31 2012 Jan Vcelak 2.4.33-3 +- fix update: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455) + +* Fri Oct 12 2012 Jan Vcelak 2.4.33-2 +- fix: slapd with rwm overlay segfault following ldapmodify (#865685) + +* Thu Oct 11 2012 Jan Vcelak 2.4.33-1 +- new upstream release: + + slapd: ACLs, syncrepl + + backends: locking and memory management in MDB + + manpages: slapo-refint +- patch update: MozNSS certificate database in SQL format cannot be used (#860317) +- fix: slapd.service should not use /tmp (#859019) + +* Fri Sep 14 2012 Jan Vcelak 2.4.32-3 +- fix: some TLS ciphers cannot be enabled (#852338) +- fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476) +- fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded (#852786) +- fix: MozNSS certificate database in SQL format cannot be used (#857373) +- fix: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455) + +* Mon Aug 20 2012 Jan Vcelak 2.4.32-2 +- enhancement: TLS, prefer private keys from authenticated slots +- enhancement: TLS, allow certificate specification including token name +- resolve TLS failures in replication in 389 Directory Server + +* Wed Aug 01 2012 Jan Vcelak 2.4.32-1 +- new upstream release + + library: double free, SASL handling + + tools: read SASL_NOCANON from config file + + slapd: config index renumbering, duplicate error response + + backends: various fixes in mdb, bdb/hdb, ldap + + accesslog, syncprov: fix memory leaks in with replication + + sha2: portability, thread safety, support SSHA256,384,512 + + documentation 
fixes + +* Sat Jul 21 2012 Jan Vcelak 2.4.31-7 +- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022) + +* Fri Jul 20 2012 Jan Vcelak 2.4.31-6 +- multilib fix: move libslapi from openldap-servers to openldap package + +* Thu Jul 19 2012 Jan Vcelak 2.4.31-5 +- fix: querying for IPv6 DNS records when IPv6 is disabled on the host (#835013) +- fix: smbk5pwd module computes invalid LM hashes (#841560) + +* Wed Jul 18 2012 Jan Vcelak 2.4.31-4 +- modify the package build process + + fix autoconfig files to detect Mozilla NSS library using pkg-config + + remove compiler flags which are not needed currently + + build server, client and library together + + avoid stray dependencies by using --as-needed linker flag + + enable SLAPI interface in slapd + +* Wed Jun 27 2012 Jan Vcelak 2.4.31-3 +- update fix: count constraint broken when using multiple modifications (#795766) +- fix: invalid order of TLS shutdown operations (#808464) +- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462) +- fix: reading pin from file can make all TLS connections hang (#829317) +- CVE-2012-2668: cipher suite selection by name can be ignored (#825875) +- fix: slapd fails to start on reboot (#829272) +- fix: default cipher suite is always selected (#828790) +- fix: less influence between individual TLS contexts: + - replication with TLS does not work (#795763) + - possibly others + +* Fri May 18 2012 Jan Vcelak 2.4.31-2 +- fix: nss-tools package is required by the base package, not the server subpackage +- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536) + +* Tue Apr 24 2012 Jan Vcelak 2.4.31-1 +- new upstream release + + library: IPv6 url detection + + library: rebinding to failed connections + + server: various fixes in mdb backend + + server: various fixes in replication + + server: various fixes in overlays and minor backends + + documentation fixes +- remove patches which were merged upstream + +* Thu Apr 05 2012 Jan Vcelak 
2.4.30-3 +- rebuild due to libdb rebase + +* Mon Mar 26 2012 Jan Synáček 2.4.30-2 +- fix: Re-binding to a failed connection can segfault (#784989) + +* Thu Mar 01 2012 Jan Vcelak 2.4.30-1 +- new upstream release + + server: fixes in mdb backend + + server: fixes in manual pages + + server: fixes in syncprov, syncrepl, and pcache +- removed patches which were merged upstream + +* Wed Feb 22 2012 Jan Vcelak 2.4.29-4 +- fix: missing options in manual pages of client tools (#796232) +- fix: SASL_NOCANON option missing in ldap.conf manual page (#732915) + +* Tue Feb 21 2012 Jan Vcelak 2.4.29-3 +- fix: ldap_result does not succeed for sssd (#771484) +- Jan Synáček : + + fix: count constraint broken when using multiple modifications (#795766) + +* Mon Feb 20 2012 Jan Vcelak 2.4.29-2 +- fix update: provide ldif2ldbm, not ldib2ldbm (#437104) +- Jan Synáček : + + unify systemctl binary paths throughout the specfile and make them usrmove compliant + + make path to chkconfig binary usrmove compliant + +* Wed Feb 15 2012 Jan Vcelak 2.4.29-1 +- new upstream release + + MozNSS fixes + + connection handling fixes + + server: buxfixes in mdb backend + + server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm) +- openldap-servers now provide ldib2ldbm (#437104) +- certificates management improvements + + create empty Mozilla NSS certificate database during installation + + enable builtin Root CA in generated database (#789088) + + generate server certificate using Mozilla NSS tools instead of OpenSSL tools + + fix: correct path to check-config.sh in service file (Jan Synáček ) +- temporarily disable certificates checking in check-config.sh script +- fix: check-config.sh get stuck when executing command as a ldap user + +* Tue Jan 31 2012 Jan Vcelak 2.4.28-3 +- fix: replication (syncrepl) with TLS causes segfault (#783431) +- fix: slapd segfaults when PEM certificate is used and key is not set (#772890) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.4.28-2 +- 
Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Nov 30 2011 Jan Vcelak 2.4.28-1 +- new upstream release + + server: support for delta-syncrepl in multi master replication + + server: add experimental backend - MDB + + server: dynamic configuration for passwd, perl, shell, sock, and sql backends + + server: support passwords in APR1 + + library: support for Wahl (draft) + + a lot of bugfixes +- remove patches which were merged upstream +- compile backends as modules (except BDB, HDB, and monitor) +- reload systemd daemon after installation + +* Tue Nov 01 2011 Jan Vcelak 2.4.26-6 +- package cleanup: + + hardened build: switch from LDFLAGS to RPM macros + + remove old provides and obsoletes + + add new slapd maintainance scripts + + drop defattr macros, clean up permissions in specfile + + fix rpmlint warnings: macros in comments/changelog + + fix rpmlint warnings: non UTF-8 documentation + + rename environment file to be more consistent (ldap -> slapd) +- replace sysv initscript with systemd service file (# +- new format of environment file due to switch to systemd + (automatic conversion is performed) +- patch OpenLDAP to skip empty command line arguments + (arguments expansion in systemd works different than in shell) +- CVE-2011-4079: one-byte buffer overflow in slapd (#749324) + +* Thu Oct 06 2011 Jan Vcelak 2.4.26-5 +- rebuild: openldap does not work after libdb rebase (#743824) +- regression fix: openldap built without tcp_wrappers (#743213) + +* Wed Sep 21 2011 Jan Vcelak 2.4.26-4 +- new feature update: honor priority/weight with ldap_domain2hostlist (#733078) + +* Mon Sep 12 2011 Jan Vcelak 2.4.26-3 +- fix: SSL_ForceHandshake function is not thread safe (#701678) +- fix: allow unsetting of tls_* syncrepl options (#734187) + +* Wed Aug 24 2011 Jan Vcelak 2.4.26-2 +- security hardening: library needs partial RELRO support added (#733071) +- fix: NSS_Init* functions are not thread safe (#731112) +- fix: incorrect behavior of allow/try 
options of VerifyCert and TLS_REQCERT (#725819) +- fix: memleak - free the return of tlsm_find_and_verify_cert_key (#725818) +- fix: conversion of constraint overlay settings to cn=config is incorrect (#733067) +- fix: DDS overlay tolerance parametr doesn't function and breakes default TTL (#733069) +- manpage fix: errors in manual page slapo-unique (#733070) +- fix: matching wildcard hostnames in certificate Subject field does not work (#733073) +- new feature: honor priority/weight with ldap_domain2hostlist (#733078) +- manpage fix: wrong ldap_sync_destroy() prototype in ldap_sync(3) manpage (#717722) + +* Sun Aug 14 2011 Rex Dieter - 2.4.26-1.1 +- Rebuilt for rpm (#728707) + +* Wed Jul 20 2011 Jan Vcelak 2.4.26-1 +- rebase to new upstream release +- fix: memleak in tlsm_auth_cert_handler (#717730) + +* Mon Jun 27 2011 Jan Vcelak 2.4.25-1 +- rebase to new upstream release +- change default database type from BDB to HDB +- enable ldapi:/// interface by default +- set cn=config management ACLs for root user, SASL external schema (#712495) +- fix: server scriptlets require initscripts package (#716857) +- fix: connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT + is set to 'never' (#716854) +- fix: segmentation fault caused by double-free in ldapexop (#699683) +- fix: segmentation fault of client tool when input line in LDIF file + is splitted but indented incorrectly (#716855) +- fix: segmentation fault of client tool when LDIF input file is not terminated + by a new line character (#716858) + +* Fri Mar 18 2011 Jan Vcelak 2.4.24-2 +- new: system resource limiting for slapd using ulimit +- fix update: openldap can't use TLS after a fork() (#636956) +- fix: possible null pointer dereference in NSS implementation +- fix: openldap-servers upgrade hangs or do not upgrade the database (#664433) + +* Mon Feb 14 2011 Jan Vcelak 2.4.24-1 +- rebase to 2.4.24 +- BDB backend switch from DB4 to DB5 + +* Tue Feb 08 2011 Fedora Release Engineering - 2.4.23-9 +- 
Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Feb 02 2011 Jan Vcelak 2.4.23-8 +- fix update: openldap can't use TLS after a fork() (#636956) + +* Tue Jan 25 2011 Jan Vcelak 2.4.23-7 +- fix: openldap can't use TLS after a fork() (#636956) +- fix: openldap-server upgrade gets stuck when the database is damaged (#664433) + +* Thu Jan 20 2011 Jan Vcelak 2.4.23-6 +- fix: some server certificates refused with inadequate type error (#668899) +- fix: default encryption strength dropped in switch to using NSS (#669446) +- systemd compatibility: add configuration file (#656647, #668223) + +* Thu Jan 06 2011 Jan Vcelak 2.4.23-5 +- initscript: slaptest with '-u' to skip database opening (#667768) +- removed slurpd options from sysconfig/ldap +- fix: verification of self issued certificates (#657984) + +* Mon Nov 22 2010 Jan Vcelak 2.4.23-4 +- Mozilla NSS - implement full non-blocking semantics + ldapsearch -Z hangs server if starttls fails (#652822) +- updated list of all overlays in slapd.conf (#655899) +- fix database upgrade process (#656257) + +* Thu Nov 18 2010 Jan Vcelak 2.4.23-3 +- add support for multiple prefixed Mozilla NSS database files in TLS_CACERTDIR +- reject non-file keyfiles in TLS_CACERTDIR (#652315) +- TLS_CACERTDIR precedence over TLS_CACERT (#652304) +- accept only files in hash.0 format in TLS_CACERTDIR (#650288) +- improve SSL/TLS trace messages (#652818) + +* Mon Nov 01 2010 Jan Vcelak 2.4.23-2 +- fix possible infinite loop when checking permissions of TLS files (#641946) +- removed outdated autofs.schema (#643045) +- removed outdated README.upgrade +- removed relics of migrationtools + +* Fri Aug 27 2010 Jan Vcelak 2.4.23-1 +- rebase to 2.4.23 +- embeded db4 library removed +- removed bogus links in "SEE ALSO" in several man-pages (#624616) + +* Thu Jul 22 2010 Jan Vcelak 2.4.22-7 +- Mozilla NSS - delay token auth until needed (#616552) +- Mozilla NSS - support use of self signed CA certs as server certs (#614545) + +* Tue 
Jul 20 2010 Jan Vcelak - 2.4.22-6 +- CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448) +- CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452) +- obsolete configuration file moved to /usr/share/openldap-servers (#612602) + +* Thu Jul 01 2010 Jan Zeleny - 2.4.22-5 +- another shot at previous fix + +* Thu Jul 01 2010 Jan Zeleny - 2.4.22-4 +- fixed issue with owner of /usr/lib/ldap/__db.* (#609523) + +* Thu Jun 3 2010 Rich Megginson - 2.4.22-3 +- added ldif.h to the public api in the devel package +- added -lldif to the public api +- added HAVE_MOZNSS and other flags to use Mozilla NSS for crypto + +* Tue May 18 2010 Jan Zeleny - 2.4.22-2 +- rebuild with connectionless support (#587722) +- updated autofs schema (#584808) + +* Tue May 04 2010 Jan Zeleny - 2.4.22-1 +- rebased to 2.4.22 (mostly bugfixes, added back-ldif, back-null testing support) +- due to some possible issues pointed out in last update testing phase, I'm + pulling back the last change (slapd can't be moved since it depends on /usr + possibly mounted from network) + +* Fri Mar 19 2010 Jan Zeleny - 2.4.21-6 +- moved slapd to start earlier during boot sequence + +* Tue Mar 16 2010 Jan Zeleny - 2.4.21-5 +- minor corrections of init script (#571235, #570057, #573804) + +* Wed Feb 24 2010 Jan Zeleny - 2.4.21-4 +- fixed SIGSEGV when deleting data using hdb (#562227) + +* Mon Feb 01 2010 Jan Zeleny - 2.4.21-3 +- fixed broken link /usr/sbin/slapschema (#559873) + +* Tue Jan 19 2010 Jan Zeleny - 2.4.21-2 +- removed some static libraries from openldap-devel (#556090) + +* Mon Jan 11 2010 Jan Zeleny - 2.4.21-1 +- rebased openldap to 2.4.21 +- rebased bdb to 4.8.26 + +* Mon Nov 23 2009 Jan Zeleny - 2.4.19-3 +- minor corrections in init script + +* Mon Nov 16 2009 Jan Zeleny - 2.4.19-2 +- fixed tls connection accepting when TLSVerifyClient = allow +- /etc/openldap/ldap.conf removed from files owned by openldap-servers +- minor changes in spec 
file to supress warnings +- some changes in init script, so it would be possible to use it when + using old configuration style + +* Fri Nov 06 2009 Jan Zeleny - 2.4.19-1 +- rebased openldap to 2.4.19 +- rebased bdb to 4.8.24 + +* Wed Oct 07 2009 Jan Zeleny 2.4.18-4 +- updated smbk5pwd patch to be linked with libldap (#526500) +- the last buffer overflow patch replaced with the one from upstream +- added /etc/openldap/slapd.d and /etc/openldap/slapd.conf.bak + to files owned by openldap-servers + +* Thu Sep 24 2009 Jan Zeleny 2.4.18-3 +- cleanup of previous patch fixing buffer overflow + +* Tue Sep 22 2009 Jan Zeleny 2.4.18-2 +- changed configuration approach. Instead od slapd.conf slapd + is using slapd.d directory now +- fix of some issues caused by renaming of init script +- fix of buffer overflow issue in ldif.c pointed out by new glibc + +* Fri Sep 18 2009 Jan Zeleny 2.4.18-1 +- rebase of openldap to 2.4.18 + +* Wed Sep 16 2009 Jan Zeleny 2.4.16-7 +- updated documentation (hashing the cacert dir) + +* Wed Sep 16 2009 Jan Zeleny 2.4.16-6 +- updated init script to be LSB-compliant (#523434) +- init script renamed to slapd + +* Thu Aug 27 2009 Tomas Mraz - 2.4.16-5 +- rebuilt with new openssl + +* Tue Aug 25 2009 Jan Zeleny 2.4.16-4 +- updated %%pre script to correctly install openldap group + +* Sat Jul 25 2009 Fedora Release Engineering - 2.4.16-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 01 2009 Jan Zeleny 2.4.16-1 +- rebase of openldap to 2.4.16 +- fixed minor issue in spec file (output looking interactive + when installing servers) + +* Tue Jun 09 2009 Jan Zeleny 2.4.15-4 +- added $SLAPD_URLS variable to init script (#504504) + +* Thu Apr 09 2009 Jan Zeleny 2.4.15-3 +- extended previous patch (#481310) to remove options cfMP + from some client tools +- correction of patch setugid (#494330) + +* Thu Mar 26 2009 Jan Zeleny 2.4.15-2 +- removed -f option from some client tools (#481310) + +* Wed Feb 25 2009 Jan Safranek 
2.4.15-1 +- new upstream release + +* Tue Feb 17 2009 Jan Safranek 2.4.14-1 +- new upstream release +- upgraded to db-4.7.25 + +* Sat Jan 17 2009 Tomas Mraz 2.4.12-3 +- rebuild with new openssl + +* Mon Dec 15 2008 Caolán McNamara 2.4.12-2 +- rebuild for libltdl, i.e. copy config.sub|guess from new location + +* Wed Oct 15 2008 Jan Safranek 2.4.12-1 +- new upstream release + +* Mon Oct 13 2008 Jan Safranek 2.4.11-3 +- add SLAPD_SHUTDOWN_TIMEOUT to /etc/sysconfig/ldap, allowing admins + to set non-default slapd shutdown timeout +- add checkpoint to default slapd.conf file (#458679) + +* Mon Sep 1 2008 Jan Safranek 2.4.11-2 +- provide ldif2ldbm functionality for migrationtools +- rediff all patches to get rid of patch fuzz + +* Mon Jul 21 2008 Jan Safranek 2.4.11-1 +- new upstream release +- apply official bdb-4.6.21 patches + +* Wed Jul 2 2008 Jan Safranek 2.4.10-2 +- fix CVE-2008-2952 (#453728) + +* Thu Jun 12 2008 Jan Safranek 2.4.10-1 +- new upstream release + +* Wed May 28 2008 Jan Safranek 2.4.9-5 +- use /sbin/nologin as shell of ldap user (#447919) + +* Tue May 13 2008 Jan Safranek 2.4.9-4 +- new upstream release +- removed unnecessary MigrationTools patches + +* Thu Apr 10 2008 Jan Safranek 2.4.8-4 +- bdb upgraded to 4.6.21 +- reworked upgrade logic again to run db_upgrade when bdb version + changes + +* Wed Mar 5 2008 Jan Safranek 2.4.8-3 +- reworked the upgrade logic, slapcat/slapadd of the whole database + is needed only if minor version changes (2.3.x -> 2.4.y) +- do not try to save database in LDIF format, if openldap-servers package + is being removed (it's up to the admin to do so manually) + +* Thu Feb 28 2008 Jan Safranek 2.4.8-2 +- migration tools carved out to standalone package "migrationtools" + (#236697) + +* Fri Feb 22 2008 Jan Safranek 2.4.8-1 +- new upstream release + +* Fri Feb 8 2008 Jan Safranek 2.4.7-7 +- fix CVE-2008-0658 (#432014) + +* Mon Jan 28 2008 Jan Safranek 2.4.7-6 +- init script fixes + +* Mon Jan 28 2008 Jan Safranek 2.4.7-5 +- 
init script made LSB-compliant (#247012) + +* Fri Jan 25 2008 Jan Safranek 2.4.7-4 +- fixed rpmlint warnings and errors + - /etc/openldap/schema/README moved to /usr/share/doc/openldap + +* Tue Jan 22 2008 Jan Safranek 2.4.7-3 +- obsoleting compat-openldap properly again :) + +* Tue Jan 22 2008 Jan Safranek 2.4.7-2 +- obsoleting compat-openldap properly (#429591) + +* Mon Jan 14 2008 Jan Safranek 2.4.7-1 +- new upstream version (openldap-2.4.7) + +* Mon Dec 3 2007 Jan Safranek 2.4.6-1 +- new upstream version (openldap-2.4) +- deprecating compat- package + +* Mon Nov 5 2007 Jan Safranek 2.3.39-1 +- new upstream release + +* Tue Oct 23 2007 Jan Safranek 2.3.38-4 +- fixed multilib issues - all platform independent files have the + same content now (#342791) + +* Thu Oct 4 2007 Jan Safranek 2.3.38-3 +- BDB downgraded back to 4.4.20 because 4.6.18 is not supported by + openldap (#314821) + +* Mon Sep 17 2007 Jan Safranek 2.3.38-2 +- skeleton /etc/sysconfig/ldap added +- new SLAPD_LDAP option to turn off listening on ldap:/// (#292591) +- fixed checking of SSL (#292611) +- fixed upgrade with empty database + +* Thu Sep 6 2007 Jan Safranek 2.3.38-1 +- new upstream version +- added images to the guide.html (#273581) + +* Wed Aug 22 2007 Jan Safranek 2.3.37-3 +- just rebuild + +* Thu Aug 2 2007 Jan Safranek 2.3.37-2 +- do not use specific automake and autoconf +- do not distinguish between NPTL and non-NPTL platforms, we have NPTL + everywhere +- db-4.6.18 integrated +- updated openldap-servers License: field to reference BDB license + +* Tue Jul 31 2007 Jan Safranek 2.3.37-1 +- new upstream version + +* Fri Jul 20 2007 Jan Safranek 2.3.34-7 +- MigrationTools-47 integrated + +* Wed Jul 4 2007 Jan Safranek 2.3.34-6 +- fix compat-slapcat compilation. 
Now it can be found in + /usr/lib/compat-openldap/slapcat, because the tool checks argv[0] + (#246581) + +* Fri Jun 29 2007 Jan Safranek 2.3.34-5 +- smbk5pwd added (#220895) +- correctly distribute modules between servers and servers-sql packages + +* Mon Jun 25 2007 Jan Safranek 2.3.34-4 +- Fix initscript return codes (#242667) +- Provide overlays (as modules; #246036, #245896) +- Add available modules to config file + +* Tue May 22 2007 Jan Safranek 2.3.34-3 +- do not create script in /tmp on startup (bz#188298) +- add compat-slapcat to openldap-compat (bz#179378) +- do not import ddp services with migrate_services.pl + (bz#201183) +- sort the hosts by adders, preventing duplicities + in migrate*nis*.pl (bz#201540) +- start slupd for each replicated database (bz#210155) +- add ldconfig to devel post/postun (bz#240253) +- include misc.schema in default slapd.conf (bz#147805) + +* Mon Apr 23 2007 Jan Safranek 2.3.34-2 +- slapadd during package update is now quiet (bz#224581) +- use _localstatedir instead of var/ during build (bz#220970) +- bind-libbind-devel removed from BuildRequires (bz#216851) +- slaptest is now quiet during service ldap start, if + there is no error/warning (bz#143697) +- libldap_r.so now links with pthread (bz#198226) +- do not strip binaries to produce correct .debuginfo packages + (bz#152516) + +* Mon Feb 19 2007 Jay Fenlason 2.3.34-1 +- New upstream release +- Upgrade the scripts for migrating the database so that they might + actually work. 
+- change bind-libbind-devel to bind-devel in BuildPreReq + +* Mon Dec 4 2006 Thomas Woerner 2.3.30-1.1 +- tcp_wrappers has a new devel and libs sub package, therefore changing build + requirement for tcp_wrappers to tcp_wrappers-devel + +* Wed Nov 15 2006 Jay Fenlason 2.3.30-1 +- New upstream version + +* Wed Oct 25 2006 Jay Fenlason 2.3.28-1 +- New upstream version + +* Sun Oct 01 2006 Jesse Keating - 2.3.27-4 +- rebuilt for unwind info generation, broken in gcc-4.1.1-21 + +* Mon Sep 18 2006 Jay Fenlason 2.3.27-3 +- Include --enable-multimaster to close + bz#185821: adding slapd_multimaster to the configure options +- Upgade guide.html to the correct one for openladp-2.3.27, closing + bz#190383: openldap 2.3 packages contain the administrator's guide for 2.2 +- Remove the quotes from around the slaptestflags in ldap.init + This closes one part of + bz#204593: service ldap fails after having added entries to ldap +- include __db.* in the list of files to check ownership of in + ldap.init, as suggested in + bz#199322: RFE: perform cleanup in ldap.init + +* Fri Aug 25 2006 Jay Fenlason 2.3.27-2 +- New upstream release +- Include the gethostbyname_r patch so that nss_ldap won't hang + on recursive attemts to ldap_initialize. + +* Wed Jul 12 2006 Jesse Keating - 2.3.24-2.1 +- rebuild + +* Wed Jun 7 2006 Jay Fenlason 2.3.24-2 +- New upstream version + +* Thu Apr 27 2006 Jay Fenlason 2.3.21-2 +- Upgrade to 2.3.21 +- Add two upstream patches for db-4.4.20 + +* Mon Feb 13 2006 Jay Fenlason 2.3.19-4 +- Re-fix ldap.init + +* Fri Feb 10 2006 Jesse Keating - 2.3.19-3.1 +- bump again for double-long bug on ppc(64) + +* Thu Feb 9 2006 Jay Fenlason 2.3.19-3 +- Modify the ldap.init script to call runuser correctly. 
+ +* Tue Feb 07 2006 Jesse Keating - 2.3.19-2.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Tue Jan 10 2006 Jay Fenlason 2.3.19-2 +- Upgrade to 2.3.19, which upstream now considers stable +- Modify the -config.patch, ldap.init, and this spec file to put the + pid file and args file in an ldap-owned openldap subdirectory under + /var/run. +- Move back_sql* out of _sbindir/openldap , which requires + hand-moving slapd and slurpd to _sbindir, and recreating symlinks + by hand. +- Retire openldap-2.3.11-ads.patch, which went upstream. +- Update the ldap.init script to run slaptest as the ldap user rather + than as root. This solves + bz#150172 Startup failure after database problem +- Add to the servers post and preun scriptlets so that on preun, the + database is slapcatted to /var/lib/ldap/upgrade.ldif and the + database files are saved to /var/lib/ldap/rpmorig. On post, if + /var/lib/ldap/upgrade.ldif exists, it is slapadded. This means that + on upgrades from 2.3.16-2 to higher versions, the database files may + be automatically upgraded. Unfortunatly, because of the changes to + the preun scriptlet, users have to do the slapcat, etc by hand when + upgrading to 2.3.16-2. Also note that the /var/lib/ldap/rpmorig + files need to be removed by hand because automatically removing your + emergency fallback files is a bad idea. +- Upgrade internal bdb to db-4.4.20. For a clean upgrade, this will + require that users slapcat their databases into a temp file, move + /var/lib/ldap someplace safe, upgrade the openldap rpms, then + slapadd the temp file. + + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Mon Nov 21 2005 Jay Fenlason 2.3.11-3 +- Remove Requires: cyrus-sasl and cyrus-sasl-md5 from openldap- and + compat-openldap- to close + bz#173313 Remove exlicit 'Requires: cyrus-sasl" + 'Requires: cyrus-sasl-md5' + +* Thu Nov 10 2005 Jay Fenlason 2.3.11-2 +- Upgrade to 2.3.11, which upstream now considers stable. 
+- Switch compat-openldap to 2.2.29 +- remove references to nss_ldap_build from the spec file +- remove references to 2.0 and 2.1 from the spec file. +- reorganize the build() function slightly in the spec file to limit the + number of redundant and conflicting options passedto configure. +- Remove the attempt to hardlink ldapmodify and ldapadd together, since + the current make install make ldapadd a symlink to ldapmodify. +- Include the -ads patches to allow SASL binds to an Active Directory + server to work. Nalin wrote the patch, based on my + broken first attempt. + +* Thu Nov 10 2005 Tomas Mraz 2.2.29-3 +- rebuilt against new openssl + +* Mon Oct 10 2005 Jay Fenlason 2.2.29-2 +- New upstream version. + +* Thu Sep 29 2005 Jay Fenlason 2.2.28-2 +- Upgrade to nev upstream version. This makes the 2.2.*-hop patch obsolete. + +* Mon Aug 22 2005 Jay Fenlason 2.2.26-2 +- Move the slapd.pem file to /etc/pki/tls/certs + and edit the -config patch to match to close + bz#143393 Creates certificates + keys at an insecure/bad place +- also use _sysconfdir instead of hard-coding /etc + +* Thu Aug 11 2005 Jay Fenlason +- Add the tls-fix-connection-test patch to close + bz#161991 openldap password disclosure issue +- add the hop patches to prevent infinite looping when chasing referrals. 
OpenLDAP ITS #3578
+
+* Fri Aug 5 2005 Nalin Dahyabhai
+- fix typo in ldap.init (call $klist instead of klist, from Charles Lopes)
+
+* Thu May 19 2005 Nalin Dahyabhai 2.2.26-1
+- run slaptest with the -u flag if no id2entry db files are found, because
+ you can't check for read-write access to a non-existent database (#156787)
+- add _sysconfdir/openldap/cacerts, which authconfig sets as the
+ TLS_CACERTDIR path in /etc/openldap/ldap.conf now
+- use a temporary wrapper script to launch slapd, in case we have arguments
+ with embedded whitespace (#158111)
+
+* Wed May 4 2005 Nalin Dahyabhai
+- update to 2.2.26 (stable 20050429)
+- enable the lmpasswd scheme
+- print a warning if slaptest fails, slaptest -u succeeds, and one of the
+ directories listed as the storage location for a given suffix in slapd.conf
+ contains a readable file named __db.001 (#118678)
+
+* Tue Apr 26 2005 Nalin Dahyabhai 2.2.25-1
+- update to 2.2.25 (release)
+
+* Tue Apr 26 2005 Nalin Dahyabhai 2.2.24-1
+- update to 2.2.24 (stable 20050318)
+- export KRB5_KTNAME in the init script, in case it was set in the sysconfig
+ file but not exported
+
+* Tue Mar 1 2005 Nalin Dahyabhai 2.2.23-4
+- prefer libresolv to libbind
+
+* Tue Mar 1 2005 Nalin Dahyabhai 2.2.23-3
+- add bind-libbind-devel and libtool-ltdl-devel buildprereqs
+
+* Tue Mar 1 2005 Tomas Mraz 2.2.23-2
+- rebuild with openssl-0.9.7e
+
+* Mon Jan 31 2005 Nalin Dahyabhai 2.2.23-1
+- update to 2.2.23 (stable-20050125)
+- update notes on upgrading from earlier versions
+- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files
+
+* Tue Jan 4 2005 Nalin Dahyabhai 2.2.20-1
+- update to 2.2.20 (stable-20050103)
+- warn about unreadable krb5 keytab files containing "ldap" keys
+- warn about unreadable TLS-related files
+- own a ref to subdirectories which we create under _libdir/tls
+
+* Tue Nov 2 2004 Nalin Dahyabhai 2.2.17-0
+- rebuild
+
+* Thu Sep 30 2004 Nalin Dahyabhai
+- update to 2.2.17 (stable-20040923) (#135188)
+- move nptl libraries into arch-specific subdirectories on x86 boxes
+- require a newer glibc which can provide nptl libpthread on i486/i586
+
+* Tue Aug 24 2004 Nalin Dahyabhai
+- move slapd startup to earlier in the boot sequence (#103160)
+- update to 2.2.15 (stable-20040822)
+- change version number on compat-openldap to include the non-compat version
+ from which it's compiled, otherwise would have to start 2.2.15 at release 3
+ so that it upgrades correctly
+
+* Thu Aug 19 2004 Nalin Dahyabhai 2.2.13-2
+- build a separate, static set of libraries for openldap-devel with the
+ non-standard ntlm bind patch applied, for use by the evolution-connector
+ package (#125579), and installing them under
+ evolution_connector_prefix)
+- provide openldap-evolution-devel = version-release in openldap-devel
+ so that evolution-connector's source package can require a version of
+ openldap-devel which provides what it wants
+
+* Mon Jul 26 2004 Nalin Dahyabhai
+- update administrator guide
+
+* Wed Jun 16 2004 Nalin Dahyabhai 2.2.13-1
+- add compat-openldap subpackage
+- default to bdb, as upstream does, gambling that we're only going to be
+ on systems with nptl now
+
+* Tue Jun 15 2004 Nalin Dahyabhai 2.2.13-0
+- preliminary 2.2.13 update
+- move ucdata to the -servers subpackage where it belongs
+
+* Tue Jun 15 2004 Nalin Dahyabhai 2.1.30-1
+- build experimental sql backend as a loadable module
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Tue May 18 2004 Nalin Dahyabhai 2.1.30-0
+- update to 2.1.30
+
+* Thu May 13 2004 Thomas Woerner 2.1.29-3
+- removed rpath
+- added pie patch: slapd and slurpd are now pie
+- requires libtool >= 1.5.6-2 (PIC libltdl.a)
+
+* Fri Apr 16 2004 Nalin Dahyabhai 2.1.29-2
+- move rfc documentation from main to -devel (#121025)
+
+* Wed Apr 14 2004 Nalin Dahyabhai 2.1.29-1
+- rebuild
+
+* Tue Apr 6 2004 Nalin Dahyabhai 2.1.29-0
+- update to 2.1.29 (stable 20040329)
+
+* Mon Mar 29 2004 Nalin Dahyabhai
+- don't build servers with --with-kpasswd, that option hasn't been recognized
+ since 2.1.23
+
+* Tue Mar 02 2004 Elliot Lee 2.1.25-5.1
+- rebuilt
+
+* Mon Feb 23 2004 Tim Waugh 2.1.25-5
+- Use ':' instead of '.' as separator for chown.
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Tue Feb 10 2004 Nalin Dahyabhai 2.1.25-4
+- remove 'reload' from the init script -- it never worked as intended (#115310)
+
+* Wed Feb 4 2004 Nalin Dahyabhai 2.1.25-3
+- commit that last fix correctly this time
+
+* Tue Feb 3 2004 Nalin Dahyabhai 2.1.25-2
+- fix incorrect use of find when attempting to detect a common permissions
+ error in the init script (#114866)
+
+* Fri Jan 16 2004 Nalin Dahyabhai
+- add bug fix patch for DB 4.2.52
+
+* Thu Jan 8 2004 Nalin Dahyabhai 2.1.25-1
+- change logging facility used from daemon to local4 (#112730, reversing #11047)
+ BEHAVIOR CHANGE - SHOULD BE MENTIONED IN THE RELEASE NOTES.
+
+* Wed Jan 7 2004 Nalin Dahyabhai
+- incorporate fix for logic quasi-bug in slapd's SASL auxprop code (Dave Jones)
+
+* Thu Dec 18 2003 Nalin Dahyabhai
+- update to 2.1.25, now marked STABLE
+
+* Thu Dec 11 2003 Jeff Johnson 2.1.22-9
+- update to db-4.2.52.
+
+* Thu Oct 23 2003 Nalin Dahyabhai 2.1.22-8
+- add another section to the ABI note for the TLS libdb so that it's marked as
+ not needing an executable stack (from Arjan Van de Ven)
+
+* Thu Oct 16 2003 Nalin Dahyabhai 2.1.22-7
+- force bundled libdb to not use O_DIRECT by making it forget that we have it
+
+* Wed Oct 15 2003 Nalin Dahyabhai
+- build bundled libdb for slapd dynamically to make the package smaller,
+ among other things
+- on tls-capable arches, build libdb both with and without shared posix
+ mutexes, otherwise just without
+- disable posix mutexes unconditionally for db 4.0, which shouldn't need
+ them for the migration cases where it's used
+- update to MigrationTools 45
+
+* Thu Sep 25 2003 Jeff Johnson 2.1.22-6.1
+- upgrade db-4.1.25 to db-4.2.42.
+
+* Fri Sep 12 2003 Nalin Dahyabhai 2.1.22-6
+- drop rfc822-MailMember.schema, merged into upstream misc.schema at some point
+
+* Wed Aug 27 2003 Nalin Dahyabhai
+- actually require newer libtool, as was intended back in 2.1.22-0, noted as
+ missed by Jim Richardson
+
+* Fri Jul 25 2003 Nalin Dahyabhai 2.1.22-5
+- enable rlookups, they don't cost anything unless also enabled in slapd's
+ configuration file
+
+* Tue Jul 22 2003 Nalin Dahyabhai 2.1.22-4
+- rebuild
+
+* Thu Jul 17 2003 Nalin Dahyabhai 2.1.22-3
+- rebuild
+
+* Wed Jul 16 2003 Nalin Dahyabhai 2.1.22-2
+- rebuild
+
+* Tue Jul 15 2003 Nalin Dahyabhai 2.1.22-1
+- build
+
+* Mon Jul 14 2003 Nalin Dahyabhai 2.1.22-0
+- 2.1.22 now badged stable
+- be more aggressive in what we index by default
+- use/require libtool 1.5
+
+* Mon Jun 30 2003 Nalin Dahyabhai
+- update to 2.1.22
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Tue Jun 3 2003 Nalin Dahyabhai 2.1.21-1
+- update to 2.1.21
+- enable ldap, meta, monitor, null, rewrite in slapd
+
+* Mon May 19 2003 Nalin Dahyabhai 2.1.20-1
+- update to 2.1.20
+
+* Thu May 8 2003 Nalin Dahyabhai 2.1.19-1
+- update to 2.1.19
+
+* Mon May 5 2003 Nalin Dahyabhai 2.1.17-1
+- switch to db with crypto
+
+* Fri May 2 2003 Nalin Dahyabhai
+- install the db utils for the bundled libdb as %%{_sbindir}/slapd_db_*
+- install slapcat/slapadd from 2.0.x for migration purposes
+
+* Wed Apr 30 2003 Nalin Dahyabhai
+- update to 2.1.17
+- disable the shell backend, not expected to work well with threads
+- drop the kerberosSecurityObject schema, the krbName attribute it
+ contains is only used if slapd is built with v2 kbind support
+
+* Mon Feb 10 2003 Nalin Dahyabhai 2.0.27-8
+- back down to db 4.0.x, which 2.0.x can compile with in ldbm-over-db setups
+- tweak SuSE patch to fix a few copy-paste errors and a NULL dereference
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Tue Jan 7 2003 Nalin Dahyabhai 2.0.27-6
+- rebuild
+
+* Mon Dec 16 2002 Nalin Dahyabhai 2.0.27-5
+- rebuild
+
+* Fri Dec 13 2002 Nalin Dahyabhai 2.0.27-4
+- check for setgid as well
+
+* Thu Dec 12 2002 Nalin Dahyabhai 2.0.27-3
+- rebuild
+
+* Thu Dec 12 2002 Nalin Dahyabhai
+- incorporate fixes from SuSE's security audit, except for fixes to ITS 1963,
+ 1936, 2007, 2009, which were included in 2.0.26.
+- add two more patches for db 4.1.24 from sleepycat's updates page
+- use openssl pkgconfig data, if any is available
+
+* Mon Nov 11 2002 Nalin Dahyabhai 2.0.27-2
+- add patches for db 4.1.24 from sleepycat's updates page
+
+* Mon Nov 4 2002 Nalin Dahyabhai
+- add a sample TLSCACertificateFile directive to the default slapd.conf
+
+* Tue Sep 24 2002 Nalin Dahyabhai 2.0.27-1
+- update to 2.0.27
+
+* Fri Sep 20 2002 Nalin Dahyabhai 2.0.26-1
+- update to 2.0.26, db 4.1.24.NC
+
+* Fri Sep 13 2002 Nalin Dahyabhai 2.0.25-2
+- change LD_FLAGS to refer to /usr/kerberos/_libdir instead of
+ /usr/kerberos/lib, which might not be right on some arches
+
+* Mon Aug 26 2002 Nalin Dahyabhai 2.0.25-1
+- update to 2.0.25 "stable", ldbm-over-gdbm (putting off migration of LDBM
+ slapd databases until we move to 2.1.x)
+- use %%{_smp_mflags} when running make
+- update to MigrationTools 44
+- enable dynamic module support in slapd
+
+* Thu May 16 2002 Nalin Dahyabhai 2.0.23-5
+- rebuild in new environment
+
+* Wed Feb 20 2002 Nalin Dahyabhai 2.0.23-3
+- use the gdbm backend again
+
+* Mon Feb 18 2002 Nalin Dahyabhai 2.0.23-2
+- make slapd.conf read/write by root, read by ldap
+
+* Sun Feb 17 2002 Nalin Dahyabhai
+- fix corner case in sendbuf fix
+- 2.0.23 now marked "stable"
+
+* Tue Feb 12 2002 Nalin Dahyabhai 2.0.23-1
+- update to 2.0.23
+
+* Fri Feb 8 2002 Nalin Dahyabhai 2.0.22-2
+- switch to an internalized Berkeley DB as the ldbm back-end (NOTE: this breaks
+ access to existing on-disk directory data)
+- add slapcat/slapadd with gdbm for migration purposes
+- remove Kerberos dependency in client libs (the direct Kerberos dependency
+ is used by the server for checking {kerberos} passwords)
+
+* Fri Feb 1 2002 Nalin Dahyabhai 2.0.22-1
+- update to 2.0.22
+
+* Sat Jan 26 2002 Florian La Roche 2.0.21-5
+- prereq chkconfig for server subpackage
+
+* Fri Jan 25 2002 Nalin Dahyabhai 2.0.21-4
+- update migration tools to version 40
+
+* Wed Jan 23 2002 Nalin Dahyabhai 2.0.21-3
+- free ride through the build system
+
+* Wed Jan 16 2002 Nalin Dahyabhai 2.0.21-2
+- update to 2.0.21, now earmarked as STABLE
+
+* Wed Jan 16 2002 Nalin Dahyabhai 2.0.20-2
+- temporarily disable optimizations for ia64 arches
+- specify pthreads at configure-time instead of letting configure guess
+
+* Mon Jan 14 2002 Nalin Dahyabhai
+- and one for Raw Hide
+
+* Mon Jan 14 2002 Nalin Dahyabhai 2.0.20-0.7
+- build for RHL 7/7.1
+
+* Mon Jan 14 2002 Nalin Dahyabhai 2.0.20-1
+- update to 2.0.20 (security errata)
+
+* Thu Dec 20 2001 Nalin Dahyabhai 2.0.19-1
+- update to 2.0.19
+
+* Tue Nov 6 2001 Nalin Dahyabhai 2.0.18-2
+- fix the commented-out replication example in slapd.conf
+
+* Fri Oct 26 2001 Nalin Dahyabhai 2.0.18-1
+- update to 2.0.18
+
+* Mon Oct 15 2001 Nalin Dahyabhai 2.0.17-1
+- update to 2.0.17
+
+* Wed Oct 10 2001 Nalin Dahyabhai
+- disable kbind support (deprecated, and I suspect unused)
+- configure with --with-kerberos=k5only instead of --with-kerberos=k5
+- build slapd with threads
+
+* Thu Sep 27 2001 Nalin Dahyabhai 2.0.15-2
+- rebuild, 2.0.15 is now designated stable
+
+* Fri Sep 21 2001 Nalin Dahyabhai 2.0.15-1
+- update to 2.0.15
+
+* Mon Sep 10 2001 Nalin Dahyabhai 2.0.14-1
+- update to 2.0.14
+
+* Fri Aug 31 2001 Nalin Dahyabhai 2.0.12-1
+- update to 2.0.12 to pull in fixes for setting of default TLS options, among
+ other things
+- update to migration tools 39
+- drop tls patch, which was fixed better in this release
+
+* Tue Aug 21 2001 Nalin Dahyabhai 2.0.11-13
+- install saucer correctly
+
+* Thu Aug 16 2001 Nalin Dahyabhai
+- try to fix ldap_set_options not being able to set global options related
+ to TLS correctly
+
+* Thu Aug 9 2001 Nalin Dahyabhai
+- don't attempt to create a cert at install-time, it's usually going
+ to get the wrong CN (#51352)
+
+* Mon Aug 6 2001 Nalin Dahyabhai
+- add a build-time requirement on pam-devel
+- add a build-time requirement on a sufficiently-new libtool to link
+ shared libraries to other shared libraries (which is needed in order
+ for prelinking to work)
+
+* Fri Aug 3 2001 Nalin Dahyabhai
+- require cyrus-sasl-md5 (support for DIGEST-MD5 is required for RFC
+ compliance) by name (follows from #43079, which split cyrus-sasl's
+ cram-md5 and digest-md5 modules out into cyrus-sasl-md5)
+
+* Fri Jul 20 2001 Nalin Dahyabhai
+- enable passwd back-end (noted by Alan Sparks and Sergio Kessler)
+
+* Wed Jul 18 2001 Nalin Dahyabhai
+- start to prep for errata release
+
+* Fri Jul 6 2001 Nalin Dahyabhai
+- link libldap with liblber
+
+* Wed Jul 4 2001 Than Ngo 2.0.11-6
+- add symlink liblber.so libldap.so and libldap_r.so in /usr/lib
+
+* Tue Jul 3 2001 Nalin Dahyabhai
+- move shared libraries to /lib
+- redo init script for better internationalization (#26154)
+- don't use ldaprc files in the current directory (#38402) (patch from
+ hps@intermeta.de)
+- add BuildPrereq on tcp wrappers since we configure with
+ --enable-wrappers (#43707)
+- don't overflow debug buffer in mail500 (#41751)
+- don't call krb5_free_creds instead of krb5_free_cred_contents any
+ more (#43159)
+
+* Mon Jul 2 2001 Nalin Dahyabhai
+- make config files noreplace (#42831)
+
+* Tue Jun 26 2001 Nalin Dahyabhai
+- actually change the default config to use the dummy cert
+- update to MigrationTools 38
+
+* Mon Jun 25 2001 Nalin Dahyabhai
+- build dummy certificate in %%post, use it in default config
+- configure-time shenanigans to help a confused configure script
+
+* Wed Jun 20 2001 Nalin Dahyabhai
+- tweak migrate_automount and friends so that they can be run from anywhere
+
+* Thu May 24 2001 Nalin Dahyabhai
+- update to 2.0.11
+
+* Wed May 23 2001 Nalin Dahyabhai
+- update to 2.0.10
+
+* Mon May 21 2001 Nalin Dahyabhai
+- update to 2.0.9
+
+* Tue May 15 2001 Nalin Dahyabhai
+- update to 2.0.8
+- drop patch which came from upstream
+
+* Fri Mar 2 2001 Nalin Dahyabhai
+- rebuild in new environment
+
+* Thu Feb 8 2001 Nalin Dahyabhai
+- back out pidfile patches, which interact weirdly with Linux threads
+- mark non-standard schema as such by moving them to a different directory
+
+* Mon Feb 5 2001 Nalin Dahyabhai
+- update to MigrationTools 36, adds netgroup support
+
+* Mon Jan 29 2001 Nalin Dahyabhai
+- fix thinko in that last patch
+
+* Thu Jan 25 2001 Nalin Dahyabhai
+- try to work around some buffering problems
+
+* Tue Jan 23 2001 Nalin Dahyabhai
+- gettextize the init script
+
+* Thu Jan 18 2001 Nalin Dahyabhai
+- gettextize the init script
+
+* Fri Jan 12 2001 Nalin Dahyabhai
+- move the RFCs to the base package (#21701)
+- update to MigrationTools 34
+
+* Wed Jan 10 2001 Nalin Dahyabhai
+- add support for additional OPTIONS, SLAPD_OPTIONS, and SLURPD_OPTIONS in
+ a /etc/sysconfig/ldap file (#23549)
+
+* Fri Dec 29 2000 Nalin Dahyabhai
+- change automount object OID from 1.3.6.1.1.1.2.9 to 1.3.6.1.1.1.2.13,
+ per mail from the ldap-nis mailing list
+
+* Tue Dec 5 2000 Nalin Dahyabhai
+- force -fPIC so that shared libraries don't fall over
+
+* Mon Dec 4 2000 Nalin Dahyabhai
+- add Norbert Klasen's patch (via Del) to fix searches using ldaps URLs
+ (OpenLDAP ITS #889)
+- add "-h ldaps:///" to server init when TLS is enabled, in order to support
+ ldaps in addition to the regular STARTTLS (suggested by Del)
+
+* Mon Nov 27 2000 Nalin Dahyabhai
+- correct mismatched-dn-cn bug in migrate_automount.pl
+
+* Mon Nov 20 2000 Nalin Dahyabhai
+- update to the correct OIDs for automount and automountInformation
+- add notes on upgrading
+
+* Tue Nov 7 2000 Nalin Dahyabhai
+- update to 2.0.7
+- drop chdir patch (went mainstream)
+
+* Thu Nov 2 2000 Nalin Dahyabhai
+- change automount object classes from auxiliary to structural
+
+* Tue Oct 31 2000 Nalin Dahyabhai
+- update to Migration Tools 27
+- change the sense of the last simple patch
+
+* Wed Oct 25 2000 Nalin Dahyabhai
+- reorganize the patch list to separate MigrationTools and OpenLDAP patches
+- switch to Luke Howard's rfc822MailMember schema instead of the aliases.schema
+- configure slapd to run as the non-root user "ldap" (#19370)
+- chdir() before chroot() (we don't use chroot, though) (#19369)
+- disable saving of the pid file because the parent thread which saves it and
+ the child thread which listens have different pids
+
+* Wed Oct 11 2000 Nalin Dahyabhai
+- add missing required attributes to conversion scripts to comply with schema
+- add schema for mail aliases, autofs, and kerberosSecurityObject rooted in
+ our own OID tree to define attributes and classes migration scripts expect
+- tweak automounter migration script
+
+* Mon Oct 9 2000 Nalin Dahyabhai
+- try adding the suffix first when doing online migrations
+- force ldapadd to use simple authentication in migration scripts
+- add indexing of a few attributes to the default configuration
+- add commented-out section on using TLS to default configuration
+
+* Thu Oct 5 2000 Nalin Dahyabhai
+- update to 2.0.6
+- add buildprereq on cyrus-sasl-devel, krb5-devel, openssl-devel
+- take the -s flag off of slapadd invocations in migration tools
+- add the cosine.schema to the default server config, needed by inetorgperson
+
+* Wed Oct 4 2000 Nalin Dahyabhai
+- add the nis.schema and inetorgperson.schema to the default server config
+- make ldapadd a hard link to ldapmodify because they're identical binaries
+
+* Fri Sep 22 2000 Nalin Dahyabhai
+- update to 2.0.4
+
+* Fri Sep 15 2000 Nalin Dahyabhai
+- remove prereq on /etc/init.d (#17531)
+- update to 2.0.3
+- add saucer to the included clients
+
+* Wed Sep 6 2000 Nalin Dahyabhai
+- update to 2.0.1
+
+* Fri Sep 1 2000 Nalin Dahyabhai
+- update to 2.0.0
+- patch to build against MIT Kerberos 1.1 and later instead of 1.0.x
+
+* Tue Aug 22 2000 Nalin Dahyabhai
+- remove that pesky default password
+- change "Copyright:" to "License:"
+
+* Sun Aug 13 2000 Nalin Dahyabhai
+- adjust permissions in files lists
+- move libexecdir from %%{_prefix}/sbin to %%{_sbindir}
+
+* Fri Aug 11 2000 Nalin Dahyabhai
+- add migrate_automount.pl to the migration scripts set
+
+* Tue Aug 8 2000 Nalin Dahyabhai
+- build a semistatic slurpd with threads, everything else without
+- disable reverse lookups, per email on OpenLDAP mailing lists
+- make sure the execute bits are set on the shared libraries
+
+* Mon Jul 31 2000 Nalin Dahyabhai
+- change logging facility used from local4 to daemon (#11047)
+
+* Thu Jul 27 2000 Nalin Dahyabhai
+- split off clients and servers to shrink down the package and remove the
+ base package's dependency on Perl
+- make certain that the binaries have sane permissions
+
+* Mon Jul 17 2000 Nalin Dahyabhai
+- move the init script back
+
+* Thu Jul 13 2000 Nalin Dahyabhai
+- tweak the init script to only source /etc/sysconfig/network if it's found
+
+* Wed Jul 12 2000 Prospector
+- automatic rebuild
+
+* Mon Jul 10 2000 Nalin Dahyabhai
+- switch to gdbm; I'm getting off the db merry-go-round
+- tweak the init script some more
+- add instdir to @INC in migration scripts
+
+* Thu Jul 6 2000 Nalin Dahyabhai
+- tweak init script to return error codes properly
+- change initscripts dependency to one on /etc/init.d
+
+* Tue Jul 4 2000 Nalin Dahyabhai
+- prereq initscripts
+- make migration scripts use mktemp
+
+* Tue Jun 27 2000 Nalin Dahyabhai
+- do condrestart in post and stop in preun
+- move init script to /etc/init.d
+
+* Fri Jun 16 2000 Nalin Dahyabhai
+- update to 1.2.11
+- add condrestart logic to init script
+- munge migration scripts so that you don't have to be
+ /usr/share/openldap/migration to run them
+- add code to create pid files in /var/run
+
+* Mon Jun 5 2000 Nalin Dahyabhai
+- FHS tweaks
+- fix for compiling with libdb2
+
+* Thu May 4 2000 Bill Nottingham
+- minor tweak so it builds on ia64
+
+* Wed May 3 2000 Nalin Dahyabhai
+- more minimalistic fix for bug #11111 after consultation with OpenLDAP team
+- backport replacement for the ldapuser patch
+
+* Tue May 2 2000 Nalin Dahyabhai
+- fix segfaults from queries with commas in them in in.xfingerd (bug #11111)
+
+* Tue Apr 25 2000 Nalin Dahyabhai
+- update to 1.2.10
+- add revamped version of patch from kos@bastard.net to allow execution as
+ any non-root user
+- remove test suite from %%build because of weirdness in the build system
+
+* Wed Apr 12 2000 Nalin Dahyabhai
+- move the defaults for databases and whatnot to /var/lib/ldap (bug #10714)
+- fix some possible string-handling problems
+
+* Mon Feb 14 2000 Bill Nottingham
+- start earlier, stop later.
+
+* Thu Feb 3 2000 Nalin Dahyabhai
+- auto rebuild in new environment (release 4)
+
+* Tue Feb 1 2000 Nalin Dahyabhai
+- add -D_REENTRANT to make threaded stuff more stable, even though it looks
+ like the sources define it, too
+- mark *.ph files in migration tools as config files
+
+* Fri Jan 21 2000 Nalin Dahyabhai
+- update to 1.2.9
+
+* Mon Sep 13 1999 Bill Nottingham
+- strip files
+
+* Sat Sep 11 1999 Bill Nottingham
+- update to 1.2.7
+- fix some bugs from bugzilla (#4885, #4887, #4888, #4967)
+- take include files out of base package
+
+* Fri Aug 27 1999 Jeff Johnson
+- missing ;; in init script reload) (#4734).
+
+* Tue Aug 24 1999 Cristian Gafton
+- move stuff from /usr/libexec to /usr/sbin
+- relocate config dirs to /etc/openldap
+
+* Mon Aug 16 1999 Bill Nottingham
+- initscript munging
+
+* Wed Aug 11 1999 Cristian Gafton
+- add the migration tools to the package
+
+* Fri Aug 06 1999 Cristian Gafton
+- upgrade to 1.2.6
+- add rc.d script
+- split -devel package
+
+* Sun Feb 07 1999 Preston Brown
+- upgrade to latest stable (1.1.4), it now uses configure macro.
+
+* Fri Jan 15 1999 Bill Nottingham
+- build on arm, glibc2.1
+
+* Wed Oct 28 1998 Preston Brown
+- initial cut.
+- patches for signal handling on the alpha