diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4b4f04b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+SOURCES/openldap-2.4.44.tgz
diff --git a/.openldap.metadata b/.openldap.metadata
new file mode 100644
index 0000000..12ca5b7
--- /dev/null
+++ b/.openldap.metadata
@@ -0,0 +1,2 @@
+444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+016a738d050a68d388602a74b5e991035cdba149 SOURCES/openldap-2.4.44.tgz
diff --git a/SOURCES/check-password-loglevels.patch b/SOURCES/check-password-loglevels.patch
new file mode 100644
index 0000000..e8ddea7
--- /dev/null
+++ b/SOURCES/check-password-loglevels.patch
@@ -0,0 +1,124 @@ +Correct log levels in check_password module. + +Author: Matus Honek +Resolves: #1356158 + +diff --git a/check_password.c b/check_password.c +--- a/check_password.c ++++ b/check_password.c +@@ -108,7 +108,7 @@ char* chomp(char *s) + static int set_quality (char *value) + { + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Setting quality to [%s]", value); ++ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value); + #endif + + /* No need to require more quality than we can check for. */ +@@ -120,7 +120,7 @@ static int set_quality (char *value) + static int set_cracklib (char *value) + { + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Setting cracklib usage to [%s]", value); ++ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value); + #endif + + +@@ -131,7 +131,7 @@ static int set_cracklib (char *value) + static int set_digit (char *value) + { + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value); ++ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value); + #endif + if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0; + return (int) (value[0] - '0'); +@@ -152,14 +152,14 @@ static validator valid_word (char *word) + int index = 0; + + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Validating parameter [%s]", word); ++ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word); + #endif + + while (list[index].parameter != NULL) { + if (strlen(word) == strlen(list[index].parameter) && + strcmp(list[index].parameter, word) == 0) { + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Parameter accepted."); ++ syslog(LOG_DEBUG, "check_password: Parameter accepted."); + #endif + return list[index].dealer; + } +@@ -167,7 +167,7 @@ static validator valid_word (char *word) + } + + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Parameter rejected."); ++ syslog(LOG_DEBUG, "check_password: Parameter 
rejected."); + #endif + + return NULL; +@@ -203,7 +203,7 @@ static int read_config_file () + + #if defined(DEBUG) + /* Debug traces to syslog. */ +- syslog(LOG_NOTICE, "check_password: Got line |%s|", line); ++ syslog(LOG_DEBUG, "check_password: Got line |%s|", line); + #endif + + while (isspace(*start) && isascii(*start)) start++; +@@ -212,7 +212,7 @@ static int read_config_file () + if ( ispunct(*start)) { + #if defined(DEBUG) + /* Debug traces to syslog. */ +- syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); ++ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line); + #endif + continue; + } +@@ -227,7 +227,7 @@ static int read_config_file () + if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { + + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); ++ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value); + #endif + + centry[i].value = chomp(value); +@@ -319,7 +319,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + if ( !nLower && (minLower < 1)) { + nLower = 1; nQuality++; + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Found lower character - quality raise %d", nQuality); ++ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality); + #endif + } + continue; +@@ -330,7 +330,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + if ( !nUpper && (minUpper < 1)) { + nUpper = 1; nQuality++; + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Found upper character - quality raise %d", nQuality); ++ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality); + #endif + } + continue; +@@ -341,7 +341,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + if ( !nDigit && (minDigit < 1)) { + nDigit = 1; nQuality++; + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Found digit character - quality raise %d", nQuality); ++ 
syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality); + #endif + } + continue; +@@ -352,7 +352,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + if ( !nPunct && (minPunct < 1)) { + nPunct = 1; nQuality++; + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Found punctuation character - quality raise %d", nQuality); ++ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality); + #endif + } + continue; diff --git a/SOURCES/check-password-makefile.patch b/SOURCES/check-password-makefile.patch new file mode 100644 index 0000000..f39ba81 --- /dev/null +++ b/SOURCES/check-password-makefile.patch @@ -0,0 +1,41 @@ +--- a/Makefile 2009-10-31 18:59:06.000000000 +0100 ++++ b/Makefile 2014-12-17 09:42:37.586079225 +0100 +@@ -13,22 +13,11 @@ + # + CONFIG=/etc/openldap/check_password.conf + +-OPT=-g -O2 -Wall -fpic \ +- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ +- -DCONFIG_FILE="\"$(CONFIG)\"" \ ++CFLAGS+=-fpic \ ++ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ ++ -DCONFIG_FILE="\"$(CONFIG)\"" \ + -DDEBUG + +-# Where to find the OpenLDAP headers. +-# +-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \ +- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd +- +-# Where to find the CrackLib headers. +-# +-CRACK_INC= +- +-INCS=$(LDAP_INC) $(CRACK_INC) +- + LDAP_LIB=-lldap_r -llber + + # Comment out this line if you do NOT want to use the cracklib. +@@ -45,10 +34,10 @@ + all: check_password + + check_password.o: +- $(CC) $(OPT) -c $(INCS) check_password.c ++ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c + + check_password: clean check_password.o +- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) ++ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) + + install: check_password + cp -f check_password.so ../../../usr/lib/openldap/modules/ 
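Review bot: The compile rule now reads `$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c` while the same hunk deletes the `LDAP_INC=` definition, so the slapd include path has to come from the build environment and nothing in the Makefile says so; add `# LDAP_INC, CFLAGS and LDFLAGS are expected from the packaging build environment.` above the rule. `-DDEBUG` stays in `CFLAGS+=`, so every `#if defined(DEBUG)` syslog trace in check_password.c (including the per-line `Got line |%s|` dump of the config file in read_config_file) is compiled into the shipped module; if that is intended, a one-line comment saying so would stop the next reader from treating it as a leftover.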
diff --git a/SOURCES/check-password.patch b/SOURCES/check-password.patch
new file mode 100644
index 0000000..7a79e95
--- /dev/null
+++ b/SOURCES/check-password.patch
@@ -0,0 +1,321 @@ +--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100 ++++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100 +@@ -10,7 +10,7 @@ + #include + + #ifdef HAVE_CRACKLIB +-#include "crack.h" ++#include + #endif + + #if defined(DEBUG) +@@ -34,18 +34,77 @@ + #define PASSWORD_TOO_SHORT_SZ \ + "Password for dn=\"%s\" is too short (%d/6)" + #define PASSWORD_QUALITY_SZ \ +- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)" ++ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)" + #define BAD_PASSWORD_SZ \ + "Bad password for dn=\"%s\" because %s" ++#define UNKNOWN_ERROR_SZ \ ++ "An unknown error occurred, please see your systems administrator" + + typedef int (*validator) (char*); +-static int read_config_file (char *); ++static int read_config_file (); + static validator valid_word (char *); + static int set_quality (char *); + static int set_cracklib (char *); + + int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); + ++struct config_entry { ++ char* key; ++ char* value; ++ char* def_value; ++} config_entries[] = { { "minPoints", NULL, "3"}, ++ { "useCracklib", NULL, "1"}, ++ { "minUpper", NULL, "0"}, ++ { "minLower", NULL, "0"}, ++ { "minDigit", NULL, "0"}, ++ { "minPunct", NULL, "0"}, ++ { NULL, NULL, NULL }}; ++ ++int get_config_entry_int(char* entry) { ++ struct config_entry* centry = config_entries; ++ ++ int i = 0; ++ char* key = centry[i].key; ++ while (key != NULL) { ++ if ( strncmp(key, entry, strlen(key)) == 0 ) { ++ if ( centry[i].value == NULL ) { ++ return atoi(centry[i].def_value); ++ } ++ else { ++ return atoi(centry[i].value); ++ } ++ } ++ i++; ++ key = centry[i].key; ++ } ++ ++ return -1; ++} ++ ++void dealloc_config_entries() { ++ struct config_entry* centry = config_entries; ++ ++ int i = 0; ++ while (centry[i].key != NULL) { ++ if ( centry[i].value != NULL ) { ++ ber_memfree(centry[i].value); ++ } ++ i++; ++ } ++} 
++ ++char* chomp(char *s) ++{ ++ char* t = ber_memalloc(strlen(s)+1); ++ strncpy (t,s,strlen(s)+1); ++ ++ if ( t[strlen(t)-1] == '\n' ) { ++ t[strlen(t)-1] = '\0'; ++ } ++ ++ return t; ++} ++ + static int set_quality (char *value) + { + #if defined(DEBUG) +@@ -84,12 +143,12 @@ + char * parameter; + validator dealer; + } list[] = { { "minPoints", set_quality }, +- { "useCracklib", set_cracklib }, +- { "minUpper", set_digit }, +- { "minLower", set_digit }, +- { "minDigit", set_digit }, +- { "minPunct", set_digit }, +- { NULL, NULL } }; ++ { "useCracklib", set_cracklib }, ++ { "minUpper", set_digit }, ++ { "minLower", set_digit }, ++ { "minDigit", set_digit }, ++ { "minPunct", set_digit }, ++ { NULL, NULL } }; + int index = 0; + + #if defined(DEBUG) +@@ -98,7 +157,7 @@ + + while (list[index].parameter != NULL) { + if (strlen(word) == strlen(list[index].parameter) && +- strcmp(list[index].parameter, word) == 0) { ++ strcmp(list[index].parameter, word) == 0) { + #if defined(DEBUG) + syslog(LOG_NOTICE, "check_password: Parameter accepted."); + #endif +@@ -114,13 +173,15 @@ + return NULL; + } + +-static int read_config_file (char *keyWord) ++static int read_config_file () + { + FILE * config; + char * line; + int returnValue = -1; + +- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) { ++ line = ber_memcalloc(260, sizeof(char)); ++ ++ if ( line == NULL ) { + return returnValue; + } + +@@ -133,6 +194,8 @@ + return returnValue; + } + ++ returnValue = 0; ++ + while (fgets(line, 256, config) != NULL) { + char *start = line; + char *word, *value; +@@ -145,23 +208,40 @@ + + while (isspace(*start) && isascii(*start)) start++; + +- if (! isascii(*start)) ++ /* If we've got punctuation, just skip the line. */ ++ if ( ispunct(*start)) { ++#if defined(DEBUG) ++ /* Debug traces to syslog. 
*/ ++ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); ++#endif + continue; ++ } + +- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) { +- if ((value = strtok(NULL, " \t")) == NULL) +- continue; ++ if( isascii(*start)) { ++ ++ struct config_entry* centry = config_entries; ++ int i = 0; ++ char* keyWord = centry[i].key; ++ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) { ++ while ( keyWord != NULL ) { ++ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { + + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); ++ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); + #endif + +- returnValue = (*dealer)(value); ++ centry[i].value = chomp(value); ++ break; ++ } ++ i++; ++ keyWord = centry[i].key; ++ } ++ } + } + } +- + fclose(config); + ber_memfree(line); ++ + return returnValue; + } + +@@ -170,7 +250,7 @@ + if (curlen < nextlen + MEMORY_MARGIN) { + #if defined(DEBUG) + syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d", +- curlen, nextlen + MEMORY_MARGIN); ++ curlen, nextlen + MEMORY_MARGIN); + #endif + ber_memfree(*target); + curlen = nextlen + MEMORY_MARGIN; +@@ -180,7 +260,7 @@ + return curlen; + } + +- int ++int + check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + { + +@@ -210,20 +290,22 @@ + nLen = strlen (pPasswd); + if ( nLen < 6) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(PASSWORD_TOO_SHORT_SZ) + +- strlen(pEntry->e_name.bv_val) + 1); ++ strlen(PASSWORD_TOO_SHORT_SZ) + ++ strlen(pEntry->e_name.bv_val) + 1); + sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen); + goto fail; + } + +- /* Read config file */ +- minQuality = read_config_file("minPoints"); ++ if (read_config_file() == -1) { ++ syslog(LOG_ERR, "Warning: Could not read values from config file %s. 
Using defaults.", CONFIG_FILE); ++ } + +- useCracklib = read_config_file("useCracklib"); +- minUpper = read_config_file("minUpper"); +- minLower = read_config_file("minLower"); +- minDigit = read_config_file("minDigit"); +- minPunct = read_config_file("minPunct"); ++ minQuality = get_config_entry_int("minPoints"); ++ useCracklib = get_config_entry_int("useCracklib"); ++ minUpper = get_config_entry_int("minUpper"); ++ minLower = get_config_entry_int("minLower"); ++ minDigit = get_config_entry_int("minDigit"); ++ minPunct = get_config_entry_int("minPunct"); + + /** The password must have at least minQuality strength points with one + * point for the first occurrance of a lower, upper, digit and +@@ -232,8 +314,6 @@ + + for ( i = 0; i < nLen; i++ ) { + +- if ( nQuality >= minQuality ) break; +- + if ( islower (pPasswd[i]) ) { + minLower--; + if ( !nLower && (minLower < 1)) { +@@ -279,12 +359,23 @@ + } + } + +- if ( nQuality < minQuality ) { ++ /* ++ * If you have a required field, then it should be required in the strength ++ * checks. 
++ */ ++ ++ if ( ++ (minLower > 0 ) || ++ (minUpper > 0 ) || ++ (minDigit > 0 ) || ++ (minPunct > 0 ) || ++ (nQuality < minQuality) ++ ) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(PASSWORD_QUALITY_SZ) + +- strlen(pEntry->e_name.bv_val) + 2); ++ strlen(PASSWORD_QUALITY_SZ) + ++ strlen(pEntry->e_name.bv_val) + 2); + sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val, +- nQuality, minQuality); ++ nQuality, minQuality); + goto fail; + } + +@@ -306,7 +397,7 @@ + for ( j = 0; j < 3; j++ ) { + + snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \ +- CRACKLIB_DICTPATH, ext[j]); ++ CRACKLIB_DICTPATH, ext[j]); + + if (( fp = fopen ( filename, "r")) == NULL ) { + +@@ -326,9 +417,9 @@ + r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH); + if ( r != NULL ) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(BAD_PASSWORD_SZ) + +- strlen(pEntry->e_name.bv_val) + +- strlen(r)); ++ strlen(BAD_PASSWORD_SZ) + ++ strlen(pEntry->e_name.bv_val) + ++ strlen(r)); + sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r); + goto fail; + } +@@ -342,15 +433,15 @@ + } + + #endif +- ++ dealloc_config_entries(); + *ppErrStr = strdup (""); + ber_memfree(szErrStr); + return (LDAP_SUCCESS); + + fail: ++ dealloc_config_entries(); + *ppErrStr = strdup (szErrStr); + ber_memfree(szErrStr); + return (EXIT_FAILURE); + + } +- diff --git a/SOURCES/ldap.conf b/SOURCES/ldap.conf new file mode 100644 index 0000000..aa6f8fd --- /dev/null +++ b/SOURCES/ldap.conf @@ -0,0 +1,18 @@ +# +# LDAP Defaults +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +#BASE dc=example,dc=com +#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never + +TLS_CACERTDIR /etc/openldap/certs + +# Turning this off breaks GSSAPI used with krb5 when rdns = false +SASL_NOCANON on 
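Review bot: `dealloc_config_entries` frees each `config_entries[i].value` but leaves the pointer set, and `read_config_file` only assigns the entries it actually finds, so on the next `check_password` call a key that is no longer in the file, or a failed `fopen` (the `Using defaults.` branch), leaves a dangling pointer that `get_config_entry_int` hands to `atoi` and that the following `dealloc_config_entries` frees a second time; set `centry[i].value = NULL;` right after `ber_memfree(centry[i].value);` and free any existing value in `read_config_file` before `centry[i].value = chomp(value);` (a key listed twice otherwise leaks the first value). The `dealer` validators are now used only to recognise the keyword — `(*dealer)(value)` is never called — so `set_quality`'s clamp and `set_digit`'s single-digit check no longer apply and `atoi` accepts any value, including negative ones, silently. `chomp` does not check the `ber_memalloc` result before the `strncpy`. Because `config_entries` is file-scope mutable state rewritten on every call and slapd serves password-modify operations from several threads, concurrent calls would presumably race on it — worth confirming, or guarding with a mutex.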
diff --git a/SOURCES/libexec-check-config.sh b/SOURCES/libexec-check-config.sh
new file mode 100755
index 0000000..87e377f
--- /dev/null
+++ b/SOURCES/libexec-check-config.sh
@@ -0,0 +1,91 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/openldap/functions + +function check_config_syntax() +{ + retcode=0 + tmp_slaptest=`mktemp --tmpdir=/var/run/openldap` + run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest + if [ $? -ne 0 ]; then + error "Checking configuration file failed:" + cat $tmp_slaptest >&2 + retcode=1 + fi + rm $tmp_slaptest + return $retcode +} + +function check_certs_perms() +{ + retcode=0 + for cert in `certificates`; do + run_as_ldap "/usr/bin/test -e \"$cert\"" + if [ $? -ne 0 ]; then + error "TLS certificate/key/DB '%s' was not found." "$cert" + retcoder=1 + continue + fi + run_as_ldap "/usr/bin/test -r \"$cert\"" + if [ $? -ne 0 ]; then + error "TLS certificate/key/DB '%s' is not readable." "$cert" + retcode=1 + fi + done + return $retcode +} + +function check_db_perms() +{ + retcode=0 + for dbdir in `databases`; do + [ -d "$dbdir" ] || continue + for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do + run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\"" + if [ $? -ne 0 ]; then + error "Read/write permissions for DB file '%s' are required." "$dbfile" + retcode=1 + fi + done + done + return $retcode +} + +function check_everything() +{ + retcode=0 + check_config_syntax || retcode=1 + # TODO: need support for Mozilla NSS, disabling temporarily + #check_certs_perms || retcode=1 + check_db_perms || retcode=1 + return $retcode +} + +if [ `id -u` -ne 0 ]; then + error "You have to be root to run this script." + exit 4 +fi + +load_sysconfig + +if [ -n "$SLAPD_CONFIG_DIR" ]; then + if [ ! -d "$SLAPD_CONFIG_DIR" ]; then + error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR" + else + check_everything + exit $? + fi +fi + +if [ -n "$SLAPD_CONFIG_FILE" ]; then + if [ ! -f "$SLAPD_CONFIG_FILE" ]; then + error "Configuration file '%s' does not exist." 
"$SLAPD_CONFIG_FILE"
+ else
+ error "Warning: Usage of a configuration file is obsolete!"
+ check_everything
+ exit $?
+ fi
+fi
+
+exit 1
diff --git a/SOURCES/libexec-convert-config.sh b/SOURCES/libexec-convert-config.sh
new file mode 100755
index 0000000..824c3b1
--- /dev/null
+++ b/SOURCES/libexec-convert-config.sh
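Review bot: `retcoder=1` in the not-found branch of `check_certs_perms` assigns a misspelled variable, so a missing TLS certificate/key/DB is reported but the function still returns 0; it should be `retcode=1` (latent for now, since `check_everything` has the call commented out). The script runs under `#!/bin/sh` but uses `function` and `&>$tmp_slaptest`; in a POSIX sh that is not bash, `&>` is parsed as `&` (run in background) followed by `>`, so slaptest runs asynchronously and `$?` is not its exit status — the same applies to `&>>` in libexec-convert-config.sh and libexec-upgrade-db.sh; either use `#!/bin/bash` or write `>$tmp_slaptest 2>&1`. `tmp_slaptest=\`mktemp --tmpdir=/var/run/openldap\`` is unchecked, so if that directory is missing the redirection has no target and the later `cat`/`rm` operate on an empty name.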
@@ -0,0 +1,79 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/openldap/functions + +function help() +{ + error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`" + exit 2 +} + +load_sysconfig + +while getopts :f:F: opt; do + case "$opt" in + f) + SLAPD_CONFIG_FILE="$OPTARG" + ;; + F) + SLAPD_CONFIG_DIR="$OPTARG" + ;; + *) + help + ;; + esac +done +shift $((OPTIND-1)) +[ -n "$1" ] && help + +# check source, target + +if [ ! -f "$SLAPD_CONFIG_FILE" ]; then + error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE" + exit 1 +fi + +if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then + SLAPD_CONFIG_FILE_FORMAT=ldif +else + SLAPD_CONFIG_FILE_FORMAT=conf +fi + +if [ -d "$SLAPD_CONFIG_DIR" ]; then + if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then + error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR" + exit 1 + fi +fi + +# perform the conversion + +tmp_convert=`mktemp --tmpdir=/var/run/openldap` + +if [ `id -u` -eq 0 ]; then + install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert + if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then + run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert + else + run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert + fi + retcode=$? +else + error "You are not root! Permission will not be set." + install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert + if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then + /usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert + else + /usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert + fi + retcode=$? +fi + +if [ $retcode -ne 0 ]; then + error "Configuration conversion failed:" + cat $tmp_convert >&2 +fi + +rm $tmp_convert +exit $retcode 
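Review bot: `tmp_convert=\`mktemp --tmpdir=/var/run/openldap\`` is not checked; if that directory is missing `tmp_convert` is empty, every `&>>$tmp_convert` redirection then fails as an ambiguous redirect before `install`/`slapadd`/`slaptest` run, and the failure path's `cat $tmp_convert >&2` has no argument and reads standard input. Check it and quote it: `tmp_convert=$(mktemp --tmpdir=/var/run/openldap) || { error "Cannot create temporary file."; exit 1; }`, then `"$tmp_convert"` in the redirections and in `rm`. In the root branch `install -d --owner $SLAPD_USER --group \`id -g $SLAPD_USER\`` leaves both expansions unquoted and does not check that `id -g` succeeded, so an unknown `SLAPD_USER` yields an empty `--group` argument rather than a clear error.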
diff --git a/SOURCES/libexec-create-certdb.sh b/SOURCES/libexec-create-certdb.sh
new file mode 100755
index 0000000..2377fdd
--- /dev/null
+++ b/SOURCES/libexec-create-certdb.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+# Author: Jan Vcelak
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+
+# internals
+
+MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
+RANDOM_SOURCE=/dev/urandom
+PASSWORD_BYTES=32
+
+# parse arguments
+
+usage() {
+ printf "usage: create-certdb.sh [-d certdb]\n" >&2
+ exit 1
+}
+
+while getopts "d:" opt; do
+ case "$opt" in
+ d)
+ CERTDB_DIR="$OPTARG"
+ ;;
+ \?)
+ usage
+ ;;
+ esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# verify target location
+
+if [ ! -d "$CERTDB_DIR" ]; then
+ printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
+ exit 1
+fi
+
+if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
+ printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
+ exit 1
+fi
+
+# create the database
+
+printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
+
+PASSWORD_FILE="$CERTDB_DIR/password"
+OLD_UMASK="$(umask)"
+umask 0377
+dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
+umask "$OLD_UMASK"
+
+certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
+
+# load module with builtin CA certificates
+
+echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
+
+# tune permissions
+
+for dbfile in "$CERTDB_DIR"/*.db; do
+ chmod 0644 "$dbfile"
+done
+
+exit 0
diff --git a/SOURCES/libexec-functions b/SOURCES/libexec-functions
new file mode 100644
index 0000000..98c8631
--- /dev/null
+++ b/SOURCES/libexec-functions
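Review bot: `set -e` does not cover the left side of `dd if=$RANDOM_SOURCE ... | base64 > "$PASSWORD_FILE"`, so if `dd` fails the pipeline still succeeds, an empty password file is written and `certutil -N -f "$PASSWORD_FILE"` initialises the database with an empty password; add `set -o pipefail` next to `set -e`, or check `[ -s "$PASSWORD_FILE" ]` before calling certutil. Both `certutil` and `modutil` run with `&>/dev/null`, so when either fails the script exits through `set -e` without any indication of why — keeping stderr (`>/dev/null` only) would make the failure diagnosable. `chmod 0644 "$dbfile"` makes the DB files world-readable while the password file stays at 0400 from the `umask 0377`; that split looks intended but deserves a comment next to the loop.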
@@ -0,0 +1,136 @@ +# Author: Jan Vcelak + +SLAPD_USER= +SLAPD_CONFIG_FILE= +SLAPD_CONFIG_DIR= +SLAPD_CONFIG_CUSTOM= +SLAPD_GLOBAL_OPTIONS= +SLAPD_SYSCONFIG_FILE= + +function default_config() +{ + SLAPD_USER=ldap + SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf + SLAPD_CONFIG_DIR=/etc/openldap/slapd.d + SLAPD_CONFIG_CUSTOM= + SLAPD_GLOBAL_OPTIONS= + SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd +} + +function parse_config_options() +{ + user= + config_file= + config_dir= + while getopts :u:f:F: opt; do + case "$opt" in + u) + user="$OPTARG" + ;; + f) + config_file="$OPTARG" + ;; + F) + config_dir="$OPTARG" + ;; + esac + done + + unset OPTIND + + if [ -n "$user" ]; then + SLAPD_USER="$user" + fi + + if [ -n "$config_dir" ]; then + SLAPD_CONFIG_DIR="$config_dir" + SLAPD_CONFIG_FILE= + SLAPD_CONFIG_CUSTOM=1 + SLAPD_GLOBAL_OPTIONS="-F '$config_dir'" + elif [ -n "$config_file" ]; then + SLAPD_CONFIG_DIR= + SLAPD_CONFIG_FILE="$config_file" + SLAPD_CONFIG_CUSTOM=1 + SLAPD_GLOBAL_OPTIONS="-f '$config_file'" + fi +} + +function uses_new_config() +{ + [ -n "$SLAPD_CONFIG_DIR" ] + return $? +} + +function run_as_ldap() +{ + /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER" + return $? 
+} + +function ldif_unbreak() +{ + sed ':a;N;s/\n //;ta;P;D' +} + +function ldif_value() +{ + sed 's/^[^:]*: //' +} + +function databases_new() +{ + slapcat $SLAPD_GLOBAL_OPTIONS -c \ + -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \ + ldif_unbreak | \ + grep '^olcDbDirectory: ' | \ + ldif_value +} + +function databases_old() +{ + awk 'begin { database="" } + $1 == "database" { database=$2 } + $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \ + "$SLAPD_CONFIG_FILE" +} + +function certificates_new() +{ + slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \ + ldif_unbreak | \ + grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \ + ldif_value +} + +function certificates_old() +{ + awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \ + "$SLAPD_CONFIG_FILE" +} + +function certificates() +{ + uses_new_config && certificates_new || certificates_old +} + +function databases() +{ + uses_new_config && databases_new || databases_old +} + + +function error() +{ + format="$1\n"; shift + printf "$format" $@ >&2 +} + +function load_sysconfig() +{ + [ -r "$SLAPD_SYSCONFIG_FILE" ] || return + + . "$SLAPD_SYSCONFIG_FILE" + [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS +} + +default_config diff --git a/SOURCES/libexec-generate-server-cert.sh b/SOURCES/libexec-generate-server-cert.sh new file mode 100755 index 0000000..e2f4974 --- /dev/null +++ b/SOURCES/libexec-generate-server-cert.sh 
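Review bot: `error()` expands `$@` unquoted in `printf "$format" $@ >&2`, so an argument containing whitespace — for example an `olcDbDirectory` or certificate path with a space — is split into several `%s` fields and the message is misreported; use `printf "$format" "$@" >&2`. `run_as_ldap` executes `$1` through `runuser --session-command`, and every caller builds that string by interpolating config-derived paths inside escaped double quotes (`"/usr/bin/test -r \"$cert\""`), so a path containing `"`, `$` or a backtick breaks the quoting and is re-parsed by the spawned shell; when the callers run under bash, building the command with `printf %q` would keep such paths literal. `databases_old` only returns `bdb`/`hdb` directories and `databases_new` filters on `olcBdbConfig`/`olcHdbConfig`, so mdb backends are never listed — presumably intentional for the BDB upgrade tooling, but a comment on `databases()` would save the next reader from wondering.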
@@ -0,0 +1,118 @@ +#!/bin/bash +# Author: Jan Vcelak + +set -e + +# default options + +CERTDB_DIR=/etc/openldap/certs +CERT_NAME="OpenLDAP Server" +PASSWORD_FILE= +HOSTNAME_FQDN="$(hostname --fqdn)" +ALT_NAMES= +ONCE=0 + +# internals + +RANDOM_SOURCE=/dev/urandom +CERT_RANDOM_BYTES=256 +CERT_KEY_TYPE=rsa +CERT_KEY_SIZE=1024 +CERT_VALID_MONTHS=12 + +# parse arguments + +usage() { + printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2 + printf " [-p password-file] [-h hostnames]\n" >&2 + printf " [-a dns-alt-names] [-o]\n" >&2 + exit 1 +} + +while getopts "d:n:p:h:a:o" opt; do + case "$opt" in + d) + CERTDB_DIR="$OPTARG" + ;; + n) + CERT_NAME="$OPTARG" + ;; + p) + PASSWORD_FILE="$OPTARG" + ;; + h) + HOSTNAME_FQDN="$OPTARG" + ;; + a) + ALT_NAMES="$OPTARG" + ;; + o) + ONCE=1 + ;; + \?) + usage + ;; + esac +done + +[ "$OPTIND" -le "$#" ] && usage + +# generated options + +ONCE_FILE="$CERTDB_DIR/.slapd-leave" +PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}" +ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}" + +# verify target location + +if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then + printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2 + exit 0 +fi + +if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then + printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2 + exit 1 +fi + +printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2 + +if [ ! 
-r "$PASSWORD_FILE" ]; then + printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2 + exit 1 +fi + +if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then + printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2 + exit 1 +fi + +# generate server certificate (self signed) + + +CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap) +dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null + +certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \ + -S -x -n "$CERT_NAME" \ + -s "CN=$HOSTNAME_FQDN" \ + -t TC,, \ + -k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \ + -v $CERT_VALID_MONTHS \ + -8 "$ALT_NAMES" \ + &>/dev/null + +rm -f $CERT_RANDOM + +# tune permissions + +if [ "$(id -u)" -eq 0 ]; then + chgrp ldap "$PASSWORD_FILE" + chmod g+r "$PASSWORD_FILE" +else + printf "WARNING: The server requires read permissions on the password file in order to\n" >&2 + printf " load it's private key from the certificate database.\n" >&2 +fi + +touch "$ONCE_FILE" +exit 0 diff --git a/SOURCES/libexec-update-ppolicy-schema.sh b/SOURCES/libexec-update-ppolicy-schema.sh new file mode 100755 index 0000000..a853b27 --- /dev/null +++ b/SOURCES/libexec-update-ppolicy-schema.sh 
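Review bot: `CERT_KEY_SIZE=1024` makes the generated server key 1024-bit RSA, which is below the 2048-bit floor that current TLS clients and NIST SP 800-131A require, so certificates produced by this script are rejected by modern peers; change the default to `CERT_KEY_SIZE=2048`. The self-signed certificate is created with `-t TC,,` and `CERT_VALID_MONTHS=12`, which is reasonable for a bootstrap certificate but is not mentioned in `usage()`, and the warning text `load it's private key` should read `its`. `chgrp ldap "$PASSWORD_FILE"` hard-codes the group rather than deriving it from the configured service user; fine if the package always uses `ldap`, but worth a comment.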
@@ -0,0 +1,142 @@ +#!/bin/bash +# This script serves one purpose, to add a possibly missing attribute +# to a ppolicy schema in a dynamic configuration of OpenLDAP. This +# attribute was introduced in openldap-2.4.43 and slapd will not +# start without it later on. +# +# The script tries to update in a directory given as first parameter, +# or in /etc/openldap/slapd.d implicitly. +# +# Author: Matus Honek +# Bugzilla: #1487857 + +function log { + echo "Update dynamic configuration: " $@ + true +} + +function iferr { + if [ $? -ne 0 ]; then + log "ERROR: " $@ + true + else + false + fi +} + +function update { + set -u + shopt -s extglob + + ORIGINAL="${1:-/etc/openldap/slapd.d}" + ORIGINAL="${ORIGINAL%*(/)}" + + ### check if necessary + grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null + [ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0 + + ### prep + log "Prepare environment." + + TEMPDIR=$(mktemp -d) + iferr "Could not create a temporary directory. Quitting." && return 1 + DBDIR="${TEMPDIR}/db" + SUBDBDIR="${DBDIR}/cn=temporary" + + mkdir "${DBDIR}" + iferr "Could not create temporary configuration directory. Quitting." && return 1 + cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}" + iferr "Could not copy configuration. Quitting." && return 1 + + pushd "$TEMPDIR" >/dev/null + + cat > temp.conf </dev/null 2>&1 & + SLAPDPID="$!" + sleep 2 + + ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 </dev/null \ + | sed '/^$/d') + DN=$(printf "$RES" | grep '^dn:') + OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'") + NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }" + + test $(echo "$DN" | wc -l) = 1 + iferr "Received more than one DN. Cannot continue. Quitting." && return 1 + test "$NEWOC" != "$OC" + iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1 + + ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 </dev/null + + ### apply + log "Apply changes." 
+ cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup" + iferr "Backing up old configuration failed. Quitting." && return 1 + cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL" + iferr "Applying new configuration failed. Quitting." && return 1 + + ### clean up + log "Clean up." + kill "$SLAPDPID" + SLAPDPID= + rm -rf "$TEMPDIR" + TEMPDIR= +} + +SLAPDPID= +TEMPDIR= +update "$1" +if [ $? -ne 0 ]; then + log "Clean up." + echo "$SLAPDPID" + echo "$TEMPDIR" + kill "$SLAPDPID" + rm -rf "$TEMPDIR" +fi +log "Finished." diff --git a/SOURCES/libexec-upgrade-db.sh b/SOURCES/libexec-upgrade-db.sh new file mode 100755 index 0000000..1543c80 --- /dev/null +++ b/SOURCES/libexec-upgrade-db.sh @@ -0,0 +1,40 @@ +#!/bin/sh +# Author: Jan Vcelak + +. /usr/libexec/openldap/functions + +if [ `id -u` -ne 0 ]; then + error "You have to be root to run this command." + exit 4 +fi + +load_sysconfig +retcode=0 + +for dbdir in `databases`; do + upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log" + bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '` + + # skip uninitialized database + [ -z "$bdb_files"] || continue + + printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log" + + # perform the update + for command in \ + "/usr/bin/db_recover -v -h \"$dbdir\"" \ + "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \ + "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \ + ; do + printf "Executing: %s\n" "$command" &>>$upgrade_log + run_as_ldap "$command" &>>$upgrade_log + result=$? + printf "Exit code: %d\n" $result >>"$upgrade_log" + if [ $result -ne 0 ]; then + printf "Upgrade failed: %d\n" $result + retcode=1 + fi + done +done + +exit $retcode diff --git a/SOURCES/openldap-ITS8428-init-sc_writewait.patch b/SOURCES/openldap-ITS8428-init-sc_writewait.patch new file mode 100644 index 0000000..a1af400 --- /dev/null +++ b/SOURCES/openldap-ITS8428-init-sc_writewait.patch 
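Review bot: The failure path at the bottom runs `kill "$SLAPDPID"` and `rm -rf "$TEMPDIR"` even when `update` failed before slapd was started or the temporary directory was created, so `kill ""` prints an error, and the two bare `echo "$SLAPDPID"`/`echo "$TEMPDIR"` lines look like leftover debugging output; guard them with `[ -n "$SLAPDPID" ] && kill "$SLAPDPID"` and `[ -n "$TEMPDIR" ] && rm -rf "$TEMPDIR"`. `cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup"` merges into an existing backup from a previous run instead of refusing, so a second failed run can leave the only backup half-overwritten; refuse to overwrite or suffix the backup with a timestamp. In this rendering the heredoc bodies (`cat > temp.conf`, `ldapadd`, `ldapmodify`) and the `CONN_PARAMS` definition are missing, so the temporary slapd's listener and the modification payload could not be reviewed here.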
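Review bot: `[ -z "$bdb_files"] || continue` is broken twice: the missing space before `]` makes `"$bdb_files"]` a single word so `[` fails with a missing-bracket error and every database is skipped, and even with the space the sense is inverted relative to the `# skip uninitialized database` comment, since `-z` succeeds (no `continue`) precisely for the uninitialised case; it should be `[ -n "$bdb_files" ] || continue`. `bdb_files` is built from `find -printf '"%f" '` and spliced into a command string for `run_as_ldap`, so a file name containing a double quote breaks the quoting — acceptable if DB file names are controlled by slapd, but worth a comment. `$upgrade_log` is unquoted in the `&>>` redirections while it is quoted on the `>>"$upgrade_log"` line; quote it consistently.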
@@ -0,0 +1,21 @@ +Backport upstream fix for a crash in back-relay when doing do_search. +RHBZ: #1316450 + +commit 2e60bf5ed00c1a8794131f53a6c72a78c0766e21 +Author: Howard Chu +Date: Wed May 18 12:30:31 2016 +0100 + + ITS#8428 init sc_writewait + +diff --git a/servers/slapd/back-relay/op.c b/servers/slapd/back-relay/op.c +index 4fdc08a..f7c1fee 100644 +--- a/servers/slapd/back-relay/op.c ++++ b/servers/slapd/back-relay/op.c +@@ -97,6 +97,7 @@ relay_back_response_cb( Operation *op, SlapReply *rs ) + (rcb)->rcb_sc.sc_next = (op)->o_callback; \ + (rcb)->rcb_sc.sc_response = relay_back_response_cb; \ + (rcb)->rcb_sc.sc_cleanup = 0; \ ++ (rcb)->rcb_sc.sc_writewait = 0; \ + (rcb)->rcb_sc.sc_private = (op)->o_bd; \ + (op)->o_callback = (slap_callback *) (rcb); \ + } diff --git a/SOURCES/openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch b/SOURCES/openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch new file mode 100644 index 0000000..7ccec9e --- /dev/null +++ b/SOURCES/openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch @@ -0,0 +1,23 @@ +commit ec2fe743f5795eb7aaf43687e6b257ac071cef22 +Author: Ryan Tandy +Date: Wed May 17 20:07:39 2017 -0700 + + ITS#8655 fix double free on paged search with pagesize 0 + + Fixes a double free when a search includes the Paged Results control + with a page size of 0 and the search base matches the filter. + +diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c +index 009939d..d0db918 100644 +--- a/servers/slapd/back-mdb/search.c ++++ b/servers/slapd/back-mdb/search.c +@@ -1066,7 +1066,8 @@ notfound: + /* check size limit */ + if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) { + if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) { +- mdb_entry_return( op, e ); ++ if (e != base) ++ mdb_entry_return( op, e ); + e = NULL; + send_paged_response( op, rs, &lastid, tentries ); + goto done; 
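Review bot: The new guard `if (e != base)` before `mdb_entry_return( op, e )` does not say why the base entry is exempt; a one-line comment, `/* base is released by the caller (ITS#8655): returning it here would double-free */`, would keep the next maintainer from folding the two returns back together. The sense of the fix is sound for the case the commit message describes (page size 0 and the base matching the filter), but `e = NULL` now also drops the only reference to `base` on that path, so whoever owns `base` must still release it — that owner is outside this hunk and should be confirmed. The enclosing search function continues outside the hunk.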
diff --git a/SOURCES/openldap-ITS8720-back-ldap-starttls-timeout.patch b/SOURCES/openldap-ITS8720-back-ldap-starttls-timeout.patch new file mode 100644 index 0000000..d40fecb --- /dev/null +++ b/SOURCES/openldap-ITS8720-back-ldap-starttls-timeout.patch 
@@ -0,0 +1,94 @@ +Fix back-ldap to respect the user configured timeout + +Upstream: ITS#8720 +Resolves: #1540336 + +diff --git a/servers/slapd/back-ldap/back-ldap.h b/servers/slapd/back-ldap/back-ldap.h +index 1e2c14a..e35f622 100644 +--- a/servers/slapd/back-ldap/back-ldap.h ++++ b/servers/slapd/back-ldap/back-ldap.h +@@ -89,6 +89,7 @@ typedef struct ldapconn_base_t { + (BER_BVISEMPTY(&(op)->o_ndn) ? \ + LDAP_BACK_PCONN_ANON_SET((lc), (op)) : LDAP_BACK_PCONN_ROOTDN_SET((lc), (op))) + ++ struct ldapinfo_t *lcb_ldapinfo; + struct berval lcb_local_ndn; + unsigned lcb_refcnt; + time_t lcb_create_time; +@@ -98,6 +99,7 @@ typedef struct ldapconn_base_t { + typedef struct ldapconn_t { + ldapconn_base_t lc_base; + #define lc_conn lc_base.lcb_conn ++#define lc_ldapinfo lc_base.lcb_ldapinfo + #define lc_local_ndn lc_base.lcb_local_ndn + #define lc_refcnt lc_base.lcb_refcnt + #define lc_create_time lc_base.lcb_create_time +diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c +index ff759d7..7808f7a 100644 +--- a/servers/slapd/back-ldap/bind.c ++++ b/servers/slapd/back-ldap/bind.c +@@ -532,7 +532,7 @@ ldap_back_start_tls( + int *is_tls, + const char *url, + unsigned flags, +- int retries, ++ int timeout, + const char **text ) + { + int rc = LDAP_SUCCESS; +@@ -567,22 +567,14 @@ ldap_back_start_tls( + LDAPMessage *res = NULL; + struct timeval tv; + +- LDAP_BACK_TV_SET( &tv ); +- +-retry:; ++ if ( timeout ) { ++ tv.tv_sec = timeout; ++ tv.tv_usec = 0; ++ } else { ++ LDAP_BACK_TV_SET( &tv ); ++ } + rc = ldap_result( ld, msgid, LDAP_MSG_ALL, &tv, &res ); +- if ( rc < 0 ) { +- rc = LDAP_UNAVAILABLE; +- +- } else if ( rc == 0 ) { +- if ( retries != LDAP_BACK_RETRY_NEVER ) { +- ldap_pvt_thread_yield(); +- if ( retries > 0 ) { +- retries--; +- } +- LDAP_BACK_TV_SET( &tv ); +- goto retry; +- } ++ if ( rc <= 0 ) { + rc = LDAP_UNAVAILABLE; + + } else if ( rc == LDAP_RES_EXTENDED ) { +@@ -754,7 +746,7 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, 
SlapReply *rs, ldap_back_ + assert( li->li_uri_mutex_do_not_lock == 0 ); + li->li_uri_mutex_do_not_lock = 1; + rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls, +- li->li_uri, flags, li->li_nretries, &rs->sr_text ); ++ li->li_uri, flags, li->li_timeout[ SLAP_OP_EXTENDED ], &rs->sr_text ); + li->li_uri_mutex_do_not_lock = 0; + ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex ); + if ( rs->sr_err != LDAP_SUCCESS ) { +@@ -980,6 +972,7 @@ retry_lock: + lc = (ldapconn_t *)ch_calloc( 1, sizeof( ldapconn_t ) ); + lc->lc_flags = li->li_flags; + lc->lc_lcflags = lc_curr.lc_lcflags; ++ lc->lc_ldapinfo = li; + if ( ldap_back_prepare_conn( lc, op, rs, sendok ) != LDAP_SUCCESS ) { + ch_free( lc ); + return NULL; +@@ -1649,7 +1642,7 @@ ldap_back_default_rebind( LDAP *ld, LDAP_CONST char *url, ber_tag_t request, + const char *text = NULL; + + rc = ldap_back_start_tls( ld, 0, &is_tls, url, lc->lc_flags, +- LDAP_BACK_RETRY_DEFAULT, &text ); ++ lc->lc_ldapinfo->li_timeout[ SLAP_OP_EXTENDED ], &text ); + if ( rc != LDAP_SUCCESS ) { + return rc; + } diff --git a/SOURCES/openldap-ai-addrconfig.patch b/SOURCES/openldap-ai-addrconfig.patch new file mode 100644 index 0000000..0858fac --- /dev/null +++ b/SOURCES/openldap-ai-addrconfig.patch @@ -0,0 +1,20 @@ +use AI_ADDRCONFIG if defined in the environment + +Author: Jan Vcelak +Upstream ITS: #7326 +Resolves: #835013 + +diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c +index b31e05d..fa361ab 100644 +--- a/libraries/libldap/os-ip.c ++++ b/libraries/libldap/os-ip.c +@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb, + + #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP ) + memset( &hints, '\0', sizeof(hints) ); +-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */ +- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */ ++#ifdef AI_ADDRCONFIG + hints.ai_flags = AI_ADDRCONFIG; + #endif + hints.ai_family = ldap_int_inet4or6; 
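Review bot: `ldap_back_default_rebind` now dereferences `lc->lc_ldapinfo`, which this patch sets only at the `ch_calloc` in the `retry_lock` path; any other place that creates an `ldapconn_t` (not visible here — other back-ldap-derived backends embed `ldapconn_base_t` too) would leave the field NULL and crash in the rebind callback during a referral-chased StartTLS. Passing `lc->lc_ldapinfo ? lc->lc_ldapinfo->li_timeout[ SLAP_OP_EXTENDED ] : 0` would fall back to `LDAP_BACK_TV_SET` instead of faulting. Note the semantic change in `ldap_back_start_tls`: with the `retries` loop removed, a zero timeout now yields a single default-length wait where the old code could retry up to `li_nretries` times, so the slapd-ldap(5) text for the `timeout` directive should mention that its extended-operation value now also bounds StartTLS. All touched functions continue outside the hunk.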
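Review bot: `hints.ai_flags = AI_ADDRCONFIG;` now applies on every platform that defines the flag, and RFC 3493 explicitly says the loopback address does not count as a configured address for AI_ADDRCONFIG, so on a host with no non-loopback address (early boot, minimal containers) resolving `localhost` for an `ldap://localhost` URI can fail even though 127.0.0.1 is reachable; that is presumably what the removed `FIXME: configure test needed` was hedging. A comment on the `#ifdef`, e.g. `/* AI_ADDRCONFIG: only return families with a configured non-loopback address */`, records the trade-off, and the loopback-only case is worth a test. `ldap_connect_to_host` continues outside the hunk.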
diff --git a/SOURCES/openldap-allop-overlay.patch b/SOURCES/openldap-allop-overlay.patch new file mode 100644 index 0000000..8281bd0 --- /dev/null +++ b/SOURCES/openldap-allop-overlay.patch @@ -0,0 +1,40 @@ +Compile AllOp together with other overlays. + +Author: Matus Honek +Resolves: #990893 + +diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in +--- a/servers/slapd/overlays/Makefile.in ++++ b/servers/slapd/overlays/Makefile.in +@@ -33,7 +33,8 @@ SRCS = overlays.c \ + translucent.c \ + unique.c \ + valsort.c \ +- smbk5pwd.c ++ smbk5pwd.c \ ++ allop.c + OBJS = statover.o \ + @SLAPD_STATIC_OVERLAYS@ \ + overlays.o +@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + + LIBRARY = ../liboverlays.a +-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la ++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la + + XINCPATH = -I.. -I$(srcdir)/.. + XDEFS = $(MODULES_CPPFLAGS) +@@ -125,6 +126,12 @@ unique.la : unique.lo + smbk5pwd.la : smbk5pwd.lo + $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) + ++allop.lo : allop.c ++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< ++ ++allop.la : allop.lo ++ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) ++ + install-local: $(PROGRAMS) + @if test -n "$?" ; then \ + $(MKDIR) $(DESTDIR)$(moduledir); \ diff --git a/SOURCES/openldap-bdb_idl_fetch_key-correct-key-pointer.patch b/SOURCES/openldap-bdb_idl_fetch_key-correct-key-pointer.patch new file mode 100644 index 0000000..641ecb1 --- /dev/null +++ b/SOURCES/openldap-bdb_idl_fetch_key-correct-key-pointer.patch 
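Review bot: The new `allop.lo` rule copies the `smbk5pwd` compile flags (`-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL` plus the OpenSSL cflags, and the libs on the link line) verbatim, yet nothing in the build suggests allop needs Samba or OpenSSL; if allop.c has no such dependency the rules should shrink to `$(LTCOMPILE_MOD) $<` and `$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS)`, otherwise the module carries a libssl/libcrypto link dependency for no reason. `$(shell ...)` is a GNU make extension inside a `Makefile.in`; it matches the existing smbk5pwd rule, but a comment noting the GNU-make requirement would help anyone building with another make.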
@@ -0,0 +1,17 @@ +Correct key pointer usage in bdb_idl_fetch_key. + +Author: Shogo Matsumoto +Resolves: #1356165 + +diff --git a/servers/slapd/back-bdb/idl.c b/servers/slapd/back-bdb/idl.c +--- a/servers/slapd/back-bdb/idl.c ++++ b/servers/slapd/back-bdb/idl.c +@@ -628,7 +628,7 @@ bdb_idl_fetch_key( + BDB_DISK2ID( j, i ); + } + } +- rc = cursor->c_get( cursor, key, &data, flags | DB_NEXT_DUP ); ++ rc = cursor->c_get( cursor, kptr, &data, flags | DB_NEXT_DUP ); + } + if ( rc == DB_NOTFOUND ) rc = 0; + ids[0] = i - ids; diff --git a/SOURCES/openldap-fedora-systemd.patch b/SOURCES/openldap-fedora-systemd.patch new file mode 100644 index 0000000..fa59ca2 --- /dev/null +++ b/SOURCES/openldap-fedora-systemd.patch @@ -0,0 +1,23 @@ +Skip any empty parameters when parsing command line options. +This is required because systemd does not expand variables the same way as shell does, +we need it because of an empty SLAPD_OPTIONS in environment file. + +Fedora specific patch. + +Author: Jan Vcelak + +diff --git a/servers/slapd/main.c b/servers/slapd/main.c +index dac4864..83614f4 100644 +--- a/servers/slapd/main.c ++++ b/servers/slapd/main.c +@@ -685,6 +685,10 @@ unhandled_option:; + } + } + ++ /* skip empty parameters */ ++ while ( optind < argc && *argv[optind] == '\0' ) ++ optind += 1; ++ + if ( optind != argc ) + goto unhandled_option; + diff --git a/SOURCES/openldap-ldapi-sasl.patch b/SOURCES/openldap-ldapi-sasl.patch new file mode 100644 index 0000000..058cc1c --- /dev/null +++ b/SOURCES/openldap-ldapi-sasl.patch 
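Review bot: The empty-argument skip runs only after the getopt loop has finished, so it relies on GNU getopt permuting empty non-option elements to the end of `argv`; with `POSIXLY_CORRECT` set or a `+`-prefixed optstring (not visible here) an empty element in the middle of `SLAPD_OPTIONS` still stops parsing at that point and falls through to `unhandled_option`. If that matters, compacting `argv` to drop empty strings before the getopt loop would cover both cases; otherwise the `/* skip empty parameters */` comment should say the loop assumes GNU argument permutation. `main` continues outside the hunk.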
@@ -0,0 +1,55 @@ +From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 7 May 2013 17:02:57 +0200 +Subject: [PATCH] LDAPI SASL fix + +Resolves: #960222 +--- + libraries/libldap/cyrus.c | 19 ++++++++++++++++--- + 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-) + +diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c +index 28c241b..a9acf36 100644 +--- a/libraries/libldap/cyrus.c ++++ b/libraries/libldap/cyrus.c +@@ -394,6 +394,8 @@ ldap_int_sasl_bind( + struct berval ccred = BER_BVNULL; + int saslrc, rc; + unsigned credlen; ++ char my_hostname[HOST_NAME_MAX + 1]; ++ int free_saslhost = 0; + + Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n", + mechs ? mechs : "", 0, 0 ); +@@ -454,14 +456,25 @@ ldap_int_sasl_bind( + + /* If we don't need to canonicalize just use the host + * from the LDAP URI. ++ * Always use the result of gethostname() for LDAPI. + */ +- if ( nocanon ) ++ if (ld->ld_defconn->lconn_server->lud_scheme != NULL && ++ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) { ++ rc = gethostname(my_hostname, HOST_NAME_MAX + 1); ++ if (rc == 0) { ++ saslhost = my_hostname; ++ } else { ++ saslhost = "localhost"; ++ } ++ } else if ( nocanon ) + saslhost = ld->ld_defconn->lconn_server->lud_host; +- else ++ else { + saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb, + "localhost" ); ++ free_saslhost = 1; ++ } + rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost ); +- if ( !nocanon ) ++ if ( free_saslhost ) + LDAP_FREE( saslhost ); + } + +-- +1.7.11.7 + diff --git a/SOURCES/openldap-ldaprc-currentdir.patch b/SOURCES/openldap-ldaprc-currentdir.patch new file mode 100644 index 0000000..420c1f9 --- /dev/null +++ b/SOURCES/openldap-ldaprc-currentdir.patch 
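Review bot: `gethostname(my_hostname, HOST_NAME_MAX + 1)` is not guaranteed to NUL-terminate the buffer when the host name is truncated (POSIX leaves that unspecified), and `saslhost = my_hostname` then hands a possibly unterminated string to `ldap_int_sasl_open`; add `my_hostname[HOST_NAME_MAX] = '\0';` immediately after the call. `HOST_NAME_MAX` also needs `<limits.h>` and is not defined on every platform, so a `#ifndef HOST_NAME_MAX` fallback keeps the file building outside glibc. The `rc` from `gethostname` is only used for the branch and is overwritten by `ldap_int_sasl_open`, which is fine, but a short comment on the `"localhost"` fallback would make clear that a failed lookup is deliberately tolerated rather than an error. `ldap_int_sasl_bind` continues outside the hunk.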
@@ -0,0 +1,20 @@ +Disables opening of ldaprc file in current directory. + +Resolves: #38402 +Upstream: ITS #1131 +Author: Henning Schmiedehausen + +diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c +index 8617527..e6b17b4 100644 +--- a/libraries/libldap/init.c ++++ b/libraries/libldap/init.c +@@ -352,9 +352,6 @@ static void openldap_ldap_init_w_userconf(const char *file) + if(path != NULL) { + LDAP_FREE(path); + } +- +- /* try file */ +- openldap_ldap_init_w_conf(file, 1); + } + + static void openldap_ldap_init_w_env( diff --git a/SOURCES/openldap-man-ldap-conf.patch b/SOURCES/openldap-man-ldap-conf.patch new file mode 100644 index 0000000..5dbf2fb --- /dev/null +++ b/SOURCES/openldap-man-ldap-conf.patch @@ -0,0 +1,25 @@ +This patch makes clear what is the actual behavior in RHEL due to bug #38402. + +Author: Matus Honek +Resolves: #1498841 + +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -25,7 +25,7 @@ in their home directory which will be used to override the system-wide + defaults file. + The file + .I ldaprc +-in the current working directory is also used. ++in the current working directory is \fBNOT\fP used (this differs from upstream). + .LP + .LP + Additional configuration files can be specified using +@@ -50,7 +50,7 @@ Thus the following files and variables are read, in order: + .nf + variable $LDAPNOINIT, and if that is not set: + system file ETCDIR/ldap.conf, +- user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, ++ user files $HOME/ldaprc, $HOME/.ldaprc, (\fBNOT\fP ./ldaprc, see above), + system file $LDAPCONF, + user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC, + variables $LDAP. diff --git a/SOURCES/openldap-man-sasl-nocanon.patch b/SOURCES/openldap-man-sasl-nocanon.patch new file mode 100644 index 0000000..c4a9e39 --- /dev/null +++ b/SOURCES/openldap-man-sasl-nocanon.patch 
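Review bot: The deletion leaves no trace in `openldap_ldap_init_w_userconf` that the cwd lookup is intentionally skipped, so the next upstream merge is likely to reinstate it; a comment where the `/* try file */` call stood, `/* ./ldaprc deliberately not read (bz #38402): a config file in an untrusted working directory must not influence the client */`, records the distro decision. If this function is also the path that handles `$LDAPRC` (its caller is outside the hunk), then `./$LDAPRC` is no longer read either, and the ldap.conf(5) patch further down this page still lists `./$LDAPRC` among the files read — that line should be corrected in the same way as the `./ldaprc` entries.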
@@ -0,0 +1,23 @@ +fix: SASL_NOCANON option missing in ldap.conf manual page + +Author: Jan Vcelak +Upstream ITS: #7177 +Resolves: #732915 + +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index 51f774f..5f17122 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -284,6 +284,9 @@ description). The default is + specifies the maximum security layer receive buffer + size allowed. 0 disables security layers. The default is 65536. + .RE ++.TP ++.B SASL_NOCANON ++Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off. + .SH GSSAPI OPTIONS + If OpenLDAP is built with Generic Security Services Application Programming Interface support, + there are more options you can specify. +-- +1.7.6.5 + diff --git a/SOURCES/openldap-man-tls-reqcert.patch b/SOURCES/openldap-man-tls-reqcert.patch new file mode 100644 index 0000000..a435655 --- /dev/null +++ b/SOURCES/openldap-man-tls-reqcert.patch 
@@ -0,0 +1,53 @@ +From f7027b3118ea90d616d0ddeeb348f15ba91cd08b Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Wed, 13 Nov 2013 13:34:06 +0100 +Subject: [PATCH] Fix client manpage + +--- + doc/man/man5/ldap.conf.5 | 18 ++++++++---------- + 1 file changed, 8 insertions(+), 10 deletions(-) + +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index 7f5bc64..bef0672 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -431,8 +431,8 @@ The environment variable RANDFILE can also be used to specify the filename. + This parameter is ignored with GnuTLS and Mozilla NSS. + .TP + .B TLS_REQCERT +-Specifies what checks to perform on server certificates in a TLS session, +-if any. The ++Specifies what checks to perform on server certificates in a TLS session. ++The + .B + can be specified as one of the following keywords: + .RS +@@ -441,19 +441,17 @@ can be specified as one of the following keywords: + The client will not request or check any server certificate. + .TP + .B allow +-The server certificate is requested. If no certificate is provided, +-the session proceeds normally. If a bad certificate is provided, it will ++The server certificate is requested. If a bad certificate is provided, it will + be ignored and the session proceeds normally. + .TP + .B try +-The server certificate is requested. If no certificate is provided, +-the session proceeds normally. If a bad certificate is provided, +-the session is immediately terminated. ++The server certificate is requested. If a bad certificate is provided, the ++session is immediately terminated. + .TP + .B demand | hard +-These keywords are equivalent. The server certificate is requested. If no +-certificate is provided, or a bad certificate is provided, the session +-is immediately terminated. This is the default setting. ++These keywords are equivalent and semantically same as ++.BR try . ++This is the default setting. + .RE + .TP + .B TLS_CRLCHECK +-- +1.8.3.1 + 
diff --git a/SOURCES/openldap-manpages.patch b/SOURCES/openldap-manpages.patch new file mode 100644 index 0000000..b69a391 --- /dev/null +++ b/SOURCES/openldap-manpages.patch 
@@ -0,0 +1,73 @@ +Various manual pages changes: +* removes LIBEXECDIR from slapd.8 +* removes references to non-existing manpages (bz 624616) + +diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 +index 3def6da..466c772 100644 +--- a/doc/man/man1/ldapmodify.1 ++++ b/doc/man/man1/ldapmodify.1 +@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error. + .BR ldap_add_ext (3), + .BR ldap_delete_ext (3), + .BR ldap_modify_ext (3), +-.BR ldap_modrdn_ext (3), +-.BR ldif (5). ++.BR ldif (5) + .SH AUTHOR + The OpenLDAP Project + .SH ACKNOWLEDGEMENTS +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index cfde143..63592cb 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -317,6 +317,7 @@ certificates in separate individual files. The + .B TLS_CACERT + is always used before + .B TLS_CACERTDIR. ++The specified directory must be managed with the OpenSSL c_rehash utility. + This parameter is ignored with GnuTLS. + + When using Mozilla NSS, may contain a Mozilla NSS cert/key +diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 +index b739f4d..e2a1a00 100644 +--- a/doc/man/man8/slapd.8 ++++ b/doc/man/man8/slapd.8 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B slapd + [\c + .BR \-4 | \-6 ] + [\c +@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ slapd + .ft + .fi + .LP +@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ slapd -f /var/tmp/slapd.conf -d 255 + .ft + .fi + .LP +@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ slapd -Tt + .ft + .fi + .LP +-- +1.8.1.4 + 
diff --git a/SOURCES/openldap-missing-unlock-in-accesslog-overlay.patch b/SOURCES/openldap-missing-unlock-in-accesslog-overlay.patch new file mode 100644 index 0000000..f7ff064 --- /dev/null +++ b/SOURCES/openldap-missing-unlock-in-accesslog-overlay.patch @@ -0,0 +1,24 @@ +A mutex lock might not get unlocked when plausible + +In the preceding if-statement a mutex may get locked. This is unlocked on +'done' label, but not called when plausible. Based on the current code logic +this seems to not be able to happen, but might when code gets changed at +some point in time. This patch fixes the issue. + +The issue was found by Coverity scan +http://cov01.lab.eng.brq.redhat.com/covscanhub/waiving/11054/38577/ + +Author: Matus Honek +Resolves: #1261003 + +--- a/servers/slapd/overlays/accesslog.c ++++ b/servers/slapd/overlays/accesslog.c +@@ -1519,7 +1519,7 @@ static int accesslog_response(Operation *op, SlapReply *rs) { + + /* ignore these internal reads */ + if (( lo->mask & LOG_OP_READS ) && op->o_do_not_cache ) { +- return SLAP_CB_CONTINUE; ++ goto done; + } + + if ( li->li_success && rs->sr_err != LDAP_SUCCESS ) diff --git a/SOURCES/openldap-module-passwd-sha2.patch b/SOURCES/openldap-module-passwd-sha2.patch new file mode 100644 index 0000000..864607d --- /dev/null +++ b/SOURCES/openldap-module-passwd-sha2.patch 
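Review bot: `goto done` is only equivalent to the old `return SLAP_CB_CONTINUE` if the `done:` path (outside this hunk) both releases the mutex the description mentions and ends with `return SLAP_CB_CONTINUE`; the second half of that should be confirmed, since a response callback returning anything else here would stop the callback chain for every internal read. A comment on the changed line, `/* via done: a mutex may already be held at this point */`, keeps the next reader from turning it back into a bare return. `accesslog_response` continues outside the hunk.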
@@ -0,0 +1,42 @@ +Include sha2 module + +Author: Matus Honek + +diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in +--- a/servers/slapd/overlays/Makefile.in ++++ b/servers/slapd/overlays/Makefile.in +@@ -35,7 +35,8 @@ SRCS = overlays.c \ + unique.c \ + valsort.c \ + smbk5pwd.c \ +- allop.c ++ allop.c \ ++ sha2.c slapd-sha2.c + OBJS = statover.o \ + @SLAPD_STATIC_OVERLAYS@ \ + overlays.o +@@ -55,7 +56,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + + LIBRARY = ../liboverlays.a +-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la ++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la + + XINCPATH = -I.. -I$(srcdir)/.. + XDEFS = $(MODULES_CPPFLAGS) +@@ -139,6 +140,15 @@ allop.lo : allop.c + allop.la : allop.lo + $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) + ++sha2.lo : sha2.c ++ $(LTCOMPILE_MOD) $< ++ ++slapd-sha2.lo : slapd-sha2.c ++ $(LTCOMPILE_MOD) $< ++ ++pw-sha2.la : sha2.lo slapd-sha2.lo ++ $(LTLINK_MOD) -module -o $@ $? version.lo $(LINK_LIBS) ++ + install-local: $(PROGRAMS) + @if test -n "$?" ; then \ + $(MKDIR) $(DESTDIR)$(moduledir); \ diff --git a/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch new file mode 100644 index 0000000..62af09f --- /dev/null +++ b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch 
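Review bot: `pw-sha2.la : sha2.lo slapd-sha2.lo` links with `$?`, which expands to only the prerequisites newer than the target, so an incremental rebuild where just one of the two objects changed produces a module missing the other object; use `$^` or list both, as the `allop.la` rule above does: `$(LTLINK_MOD) -module -o $@ sha2.lo slapd-sha2.lo version.lo $(LINK_LIBS)`. The `$?` in `install-local` is a different case (it only tests whether anything needs installing). The `SRCS` addition puts `sha2.c slapd-sha2.c` on one continuation line, unlike the one-file-per-line list above it.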
@@ -0,0 +1,227 @@ +ITS#7595 Add Elliptic Curve support for OpenSSL + +Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08 +Author: Howard Chu +Date: Sat Sep 7 09:47:19 2013 -0700 + +diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 +index 49a3959ae..9cd0a4dd1 100644 +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -918,6 +918,13 @@ from the default, otherwise no certificate exchanges or verification will + be done. When using GnuTLS or Mozilla NSS these parameters are always generated randomly + so this directive is ignored. + .TP ++.B olcTLSECName: ++Specify the name of a curve to use for Elliptic curve Diffie-Hellman ++ephemeral key exchange. This is required to enable ECDHE algorithms in ++OpenSSL. This option is not used with GnuTLS; the curves may be ++chosen in the GnuTLS ciphersuite specification. This option is also ++ignored for Mozilla NSS. ++.TP + .B olcTLSProtocolMin: [.] + Specifies minimum SSL/TLS protocol version that will be negotiated. + If the server doesn't support at least that version, +diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 +index e2344547e..4eb238162 100644 +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -1149,6 +1149,13 @@ from the default, otherwise no certificate exchanges or verification will + be done. When using GnuTLS these parameters are always generated randomly so + this directive is ignored. This directive is ignored when using Mozilla NSS. + .TP ++.B TLSECName ++Specify the name of a curve to use for Elliptic curve Diffie-Hellman ++ephemeral key exchange. This is required to enable ECDHE algorithms in ++OpenSSL. This option is not used with GnuTLS; the curves may be ++chosen in the GnuTLS ciphersuite specification. This option is also ++ignored for Mozilla NSS. ++.TP + .B TLSProtocolMin [.] + Specifies minimum SSL/TLS protocol version that will be negotiated. 
+ If the server doesn't support at least that version, +diff --git a/include/ldap.h b/include/ldap.h +index d4d10fa79..9922c9fa8 100644 +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_NEWCTX 0x600f + #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */ + #define LDAP_OPT_X_TLS_PACKAGE 0x6011 ++#define LDAP_OPT_X_TLS_ECNAME 0x6012 + #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY 0x6050 + + #define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED 0 +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +index 1a26b3cb0..5fff785d8 100644 +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -165,6 +165,7 @@ struct ldaptls { + char *lt_ciphersuite; + char *lt_crlfile; + char *lt_randfile; /* OpenSSL only */ ++ char *lt_ecname; /* OpenSSL only */ + int lt_protocol_min; + }; + #endif +@@ -250,6 +251,7 @@ struct ldapoptions { + #define ldo_tls_certfile ldo_tls_info.lt_certfile + #define ldo_tls_keyfile ldo_tls_info.lt_keyfile + #define ldo_tls_dhfile ldo_tls_info.lt_dhfile ++#define ldo_tls_ecname ldo_tls_info.lt_ecname + #define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile + #define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir + #define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index a616133da..f39546450 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -121,6 +121,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo ) + LDAP_FREE( lo->ldo_tls_dhfile ); + lo->ldo_tls_dhfile = NULL; + } ++ if ( lo->ldo_tls_ecname ) { ++ LDAP_FREE( lo->ldo_tls_ecname ); ++ lo->ldo_tls_ecname = NULL; ++ } + if ( lo->ldo_tls_cacertfile ) { + LDAP_FREE( lo->ldo_tls_cacertfile ); + lo->ldo_tls_cacertfile = NULL; +@@ -257,6 +261,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server ) + lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile ); + __atoe( lts.lt_dhfile ); + } ++ if ( lts.lt_ecname ) { ++ 
lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname ); ++ __atoe( lts.lt_ecname ); ++ } + #endif + lo->ldo_tls_ctx = ti->ti_ctx_new( lo ); + if ( lo->ldo_tls_ctx == NULL ) { +@@ -282,6 +290,7 @@ error_exit: + LDAP_FREE( lts.lt_crlfile ); + LDAP_FREE( lts.lt_cacertdir ); + LDAP_FREE( lts.lt_dhfile ); ++ LDAP_FREE( lts.lt_ecname ); + #endif + return rc; + } +@@ -674,6 +683,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) + *(char **)arg = lo->ldo_tls_dhfile ? + LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL; + break; ++ case LDAP_OPT_X_TLS_ECNAME: ++ *(char **)arg = lo->ldo_tls_ecname ? ++ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL; ++ break; + case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ + *(char **)arg = lo->ldo_tls_crlfile ? + LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL; +@@ -796,6 +809,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile ); + lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; + return 0; ++ case LDAP_OPT_X_TLS_ECNAME: ++ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname ); ++ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ return 0; + case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ + if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile ); + lo->ldo_tls_crlfile = (arg && *(char *)arg) ? 
LDAP_STRDUP( (char *) arg ) : NULL; +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index a2d9cd31f..1a81bc625 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -296,10 +296,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + return -1; + } + +- if ( lo->ldo_tls_dhfile ) { +- DH *dh = NULL; ++ if ( is_server && lo->ldo_tls_dhfile ) { ++ DH *dh; + BIO *bio; +- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); + + if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { + Debug( LDAP_DEBUG_ANY, +@@ -318,7 +317,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + } + BIO_free( bio ); + SSL_CTX_set_tmp_dh( ctx, dh ); ++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); ++ DH_free( dh ); ++ } ++ ++#ifdef SSL_OP_SINGLE_ECDH_USE ++ if ( is_server && lo->ldo_tls_ecname ) { ++ EC_KEY *ecdh; ++ ++ int nid = OBJ_sn2nid( lt->lt_ecname ); ++ if ( nid == NID_undef ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use EC name `%s'.\n", ++ lo->ldo_tls_ecname,0,0); ++ tlso_report_error(); ++ return -1; ++ } ++ ecdh = EC_KEY_new_by_curve_name( nid ); ++ if ( ecdh == NULL ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not generate key for EC name `%s'.\n", ++ lo->ldo_tls_ecname,0,0); ++ tlso_report_error(); ++ return -1; ++ } ++ SSL_CTX_set_tmp_ecdh( ctx, ecdh ); ++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE ); ++ EC_KEY_free( ecdh ); + } ++#endif + + if ( tlso_opt_trace ) { + SSL_CTX_set_info_callback( ctx, tlso_info_cb ); +diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c +index 8ade0c3f2..5a3c67a72 100644 +--- a/servers/slapd/bconfig.c ++++ b/servers/slapd/bconfig.c +@@ -194,6 +194,7 @@ enum { + CFG_ACL_ADD, + CFG_SYNC_SUBENTRY, + CFG_LTHREADS, ++ CFG_TLS_ECNAME, + + CFG_LAST + }; +@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = { + #endif + "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, 
++ { "TLSECName", NULL, 2, 2, 0, ++#ifdef HAVE_TLS ++ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option, ++#else ++ ARG_IGNORED, NULL, ++#endif ++ "( OLcfgGlAt:96 NAME 'olcTLSECName' " ++ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "TLSProtocolMin", NULL, 2, 2, 0, + #ifdef HAVE_TLS + CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config, +@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = { + "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ " + "olcTLSCACertificatePath $ olcTLSCertificateFile $ " + "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ " +- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ " ++ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ " + "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ " + "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ " + "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global }, +@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) { + case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break; + case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break; + case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break; ++ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break; + #ifdef HAVE_GNUTLS + case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break; + #endif diff --git a/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch new file mode 100644 index 0000000..6c28f3f --- /dev/null +++ b/SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch 
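Review bot: In `ldap_pvt_tls_set_option` the new `LDAP_OPT_X_TLS_ECNAME` case stores `arg ? LDAP_STRDUP( (char *) arg ) : NULL`, whereas the adjacent `DHFILE` and `CRLFILE` cases use `(arg && *(char *)arg)`, so an empty `TLSECName` value is kept and later makes `tlso_ctx_init` fail because `OBJ_sn2nid("")` returns `NID_undef`; `lo->ldo_tls_ecname = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;` keeps the cases consistent. In `tlso_ctx_init` the ECDH block looks the curve up via `lt->lt_ecname` but logs `lo->ldo_tls_ecname`; the DH block already mixes the two the same way (they differ only on the EBCDIC path), so this is a style point rather than a bug. The added `DH_free( dh )` after `SSL_CTX_set_tmp_dh` is correct because the context keeps its own copy, and it closes what was previously a per-init leak of the parameters; a one-line comment `/* SSL_CTX_set_tmp_dh copies the parameters; release ours */` would explain it, and the same applies to `EC_KEY_free( ecdh )`. Both parameter blocks are now gated on `is_server`, which is right since only the server side needs ephemeral DH/ECDH material here.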
@@ -0,0 +1,34 @@ +ITS#7595 don't try to use EC if OpenSSL lacks it + +Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d +Author: Howard Chu +Date: Sun Sep 8 06:32:23 2013 -0700 + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 1a81bc625..71c2b055c 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + DH_free( dh ); + } + +-#ifdef SSL_OP_SINGLE_ECDH_USE + if ( is_server && lo->ldo_tls_ecname ) { ++#ifdef OPENSSL_NO_EC ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: Elliptic Curves not supported.\n", 0,0,0 ); ++ return -1; ++#else + EC_KEY *ecdh; + + int nid = OBJ_sn2nid( lt->lt_ecname ); +@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + SSL_CTX_set_tmp_ecdh( ctx, ecdh ); + SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE ); + EC_KEY_free( ecdh ); +- } + #endif ++ } + + if ( tlso_opt_trace ) { + SSL_CTX_set_info_callback( ctx, tlso_info_cb ); diff --git a/SOURCES/openldap-openssl-its7506-fix-DH-params-1.patch b/SOURCES/openldap-openssl-its7506-fix-DH-params-1.patch new file mode 100644 index 0000000..5e105e2 --- /dev/null +++ b/SOURCES/openldap-openssl-its7506-fix-DH-params-1.patch 
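Review bot: With `OPENSSL_NO_EC` the new block makes `tlso_ctx_init` return -1 whenever `TLSECName` is configured, so the error surfaces only when the TLS context is first built rather than when `bconfig.c` accepts the directive (the `CFG_TLS_ECNAME` case in `config_tls_option` is outside this hunk); failing closed is the right choice, but the slapd-config(5)/slapd.conf(5) text added by the companion patch should say the directive is rejected on OpenSSL builds without EC support. The `Debug` message could also name the directive, e.g. `"TLS: Elliptic Curves not supported, TLSECName ignored.\n"`, so the operator can find the offending setting. `tlso_ctx_init` continues outside the hunk.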
@@ -0,0 +1,219 @@
+commit aa6c4c5a7425d5fb21c5e3f10cb025fb930d79c8
+Author: Ben Jencks
+Date: Sun Jan 27 18:27:03 2013 -0500
+
+ ITS#7506 tls_o.c: Fix Diffie-Hellman parameter usage.
+
+ If a DHParamFile or olcDHParamFile is specified, then it will be used,
+ otherwise a hardcoded 1024 bit parameter will be used. This allows the use of
+ larger parameters; previously only 512 or 1024 bit parameters would ever be
+ used.
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 48ce1ceab..c6a3540c9 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -59,15 +59,13 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
+ static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
+ static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
+
+-static DH * tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length );
+-
+-typedef struct dhplist {
+- struct dhplist *next;
+- int keylength;
+- DH *param;
+-} dhplist;
+-
+-static dhplist *tlso_dhparams;
++/* From the OpenSSL 0.9.7 distro */
++static const char tlso_dhpem1024[] =
++"-----BEGIN DH PARAMETERS-----\n\
++MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
++/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
++/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
++-----END DH PARAMETERS-----\n";
+
+ static int tlso_seed_PRNG( const char *randfile );
+
+@@ -76,7 +74,6 @@ static int tlso_seed_PRNG( const char *randfile );
+ * provide mutexes for the OpenSSL library.
+ */
+ static ldap_pvt_thread_mutex_t tlso_mutexes[CRYPTO_NUM_LOCKS];
+-static ldap_pvt_thread_mutex_t tlso_dh_mutex;
+
+ static void tlso_locking_cb( int mode, int type, const char *file, int line )
+ {
+@@ -107,7 +104,6 @@ static void tlso_thr_init( void )
+ for( i=0; i< CRYPTO_NUM_LOCKS ; i++ ) {
+ ldap_pvt_thread_mutex_init( &tlso_mutexes[i] );
+ }
+- ldap_pvt_thread_mutex_init( &tlso_dh_mutex );
+ CRYPTO_set_locking_callback( tlso_locking_cb );
+ CRYPTO_set_id_callback( tlso_thread_self );
+ }
+@@ -308,28 +304,32 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ return -1;
+ }
+
+- if ( lo->ldo_tls_dhfile ) {
++ if (is_server) {
+ DH *dh = NULL;
+ BIO *bio;
+- dhplist *p;
++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
++ if ( lo->ldo_tls_dhfile ) {
+
+- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
++ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use DH parameters file `%s'.\n",
++ lo->ldo_tls_dhfile,0,0);
++ tlso_report_error();
++ return -1;
++ }
++ } else {
++ bio = BIO_new_mem_buf( tlso_dhpem1024, -1 );
++ }
++ if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
+ Debug( LDAP_DEBUG_ANY,
+- "TLS: could not use DH parameters file `%s'.\n",
++ "TLS: could not read DH parameters file `%s'.\n",
+ lo->ldo_tls_dhfile,0,0);
+ tlso_report_error();
++ BIO_free( bio );
+ return -1;
+ }
+- while (( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
+- p = LDAP_MALLOC( sizeof(dhplist) );
+- if ( p != NULL ) {
+- p->keylength = DH_size( dh ) * 8;
+- p->param = dh;
+- p->next = tlso_dhparams;
+- tlso_dhparams = p;
+- }
+- }
+ BIO_free( bio );
++ SSL_CTX_set_tmp_dh( ctx, dh );
+ }
+
+ if ( tlso_opt_trace ) {
+@@ -349,9 +349,6 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ?
+ tlso_verify_ok : tlso_verify_cb );
+ SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
+- if ( lo->ldo_tls_dhfile ) {
+- SSL_CTX_set_tmp_dh_callback( ctx, tlso_tmp_dh_cb );
+- }
+ #ifdef HAVE_OPENSSL_CRL
+ if ( lo->ldo_tls_crlcheck ) {
+ X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
+@@ -1160,108 +1157,6 @@ tlso_seed_PRNG( const char *randfile )
+ return 0;
+ }
+
+-struct dhinfo {
+- int keylength;
+- const char *pem;
+- size_t size;
+-};
+-
+-
+-/* From the OpenSSL 0.9.7 distro */
+-static const char tlso_dhpem512[] =
+-"-----BEGIN DH PARAMETERS-----\n\
+-MEYCQQDaWDwW2YUiidDkr3VvTMqS3UvlM7gE+w/tlO+cikQD7VdGUNNpmdsp13Yn\n\
+-a6LT1BLiGPTdHghM9tgAPnxHdOgzAgEC\n\
+------END DH PARAMETERS-----\n";
+-
+-static const char tlso_dhpem1024[] =
+-"-----BEGIN DH PARAMETERS-----\n\
+-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
+-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
+-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
+------END DH PARAMETERS-----\n";
+-
+-static const char tlso_dhpem2048[] =
+-"-----BEGIN DH PARAMETERS-----\n\
+-MIIBCAKCAQEA7ZKJNYJFVcs7+6J2WmkEYb8h86tT0s0h2v94GRFS8Q7B4lW9aG9o\n\
+-AFO5Imov5Jo0H2XMWTKKvbHbSe3fpxJmw/0hBHAY8H/W91hRGXKCeyKpNBgdL8sh\n\
+-z22SrkO2qCnHJ6PLAMXy5fsKpFmFor2tRfCzrfnggTXu2YOzzK7q62bmqVdmufEo\n\
+-pT8igNcLpvZxk5uBDvhakObMym9mX3rAEBoe8PwttggMYiiw7NuJKO4MqD1llGkW\n\
+-aVM8U2ATsCun1IKHrRxynkE1/MJ86VHeYYX8GZt2YA8z+GuzylIOKcMH6JAWzMwA\n\
+-Gbatw6QwizOhr9iMjZ0B26TE3X8LvW84wwIBAg==\n\
+------END DH PARAMETERS-----\n";
+-
+-static const char tlso_dhpem4096[] =
+-"-----BEGIN DH PARAMETERS-----\n\
+-MIICCAKCAgEA/urRnb6vkPYc/KEGXWnbCIOaKitq7ySIq9dTH7s+Ri59zs77zty7\n\
+-vfVlSe6VFTBWgYjD2XKUFmtqq6CqXMhVX5ElUDoYDpAyTH85xqNFLzFC7nKrff/H\n\
+-TFKNttp22cZE9V0IPpzedPfnQkE7aUdmF9JnDyv21Z/818O93u1B4r0szdnmEvEF\n\
+-bKuIxEHX+bp0ZR7RqE1AeifXGJX3d6tsd2PMAObxwwsv55RGkn50vHO4QxtTARr1\n\
+-rRUV5j3B3oPMgC7Offxx+98Xn45B1/G0Prp11anDsR1PGwtaCYipqsvMwQUSJtyE\n\
+-EOQWk+yFkeMe4vWv367eEi0Sd/wnC+TSXBE3pYvpYerJ8n1MceI5GQTdarJ77OW9\n\
+-bGTHmxRsLSCM1jpLdPja5jjb4siAa6EHc4qN9c/iFKS3PQPJEnX7pXKBRs5f7AF3\n\
+-W3RIGt+G9IVNZfXaS7Z/iCpgzgvKCs0VeqN38QsJGtC1aIkwOeyjPNy2G6jJ4yqH\n\
+-ovXYt/0mc00vCWeSNS1wren0pR2EiLxX0ypjjgsU1mk/Z3b/+zVf7fZSIB+nDLjb\n\
+-NPtUlJCVGnAeBK1J1nG3TQicqowOXoM6ISkdaXj5GPJdXHab2+S7cqhKGv5qC7rR\n\
+-jT6sx7RUr0CNTxzLI7muV2/a4tGmj0PSdXQdsZ7tw7gbXlaWT1+MM2MCAQI=\n\
+------END DH PARAMETERS-----\n";
+-
+-static const struct dhinfo tlso_dhpem[] = {
+- { 512, tlso_dhpem512, sizeof(tlso_dhpem512) },
+- { 1024, tlso_dhpem1024, sizeof(tlso_dhpem1024) },
+- { 2048, tlso_dhpem2048, sizeof(tlso_dhpem2048) },
+- { 4096, tlso_dhpem4096, sizeof(tlso_dhpem4096) },
+- { 0, NULL, 0 }
+-};
+-
+-static DH *
+-tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
+-{
+- struct dhplist *p = NULL;
+- BIO *b = NULL;
+- DH *dh = NULL;
+- int i;
+-
+- /* Do we have params of this length already? */
+- LDAP_MUTEX_LOCK( &tlso_dh_mutex );
+- for ( p = tlso_dhparams; p; p=p->next ) {
+- if ( p->keylength == key_length ) {
+- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
+- return p->param;
+- }
+- }
+-
+- /* No - check for hardcoded params */
+-
+- for (i=0; tlso_dhpem[i].keylength; i++) {
+- if ( tlso_dhpem[i].keylength == key_length ) {
+- b = BIO_new_mem_buf( (char *)tlso_dhpem[i].pem, tlso_dhpem[i].size );
+- break;
+- }
+- }
+-
+- if ( b ) {
+- dh = PEM_read_bio_DHparams( b, NULL, NULL, NULL );
+- BIO_free( b );
+- }
+-
+- /* Generating on the fly is expensive/slow... */
+- if ( !dh ) {
+- dh = DH_generate_parameters( key_length, DH_GENERATOR_2, NULL, NULL );
+- }
+- if ( dh ) {
+- p = LDAP_MALLOC( sizeof(struct dhplist) );
+- if ( p != NULL ) {
+- p->keylength = key_length;
+- p->param = dh;
+- p->next = tlso_dhparams;
+- tlso_dhparams = p;
+- }
+- }
+-
+- LDAP_MUTEX_UNLOCK( &tlso_dh_mutex );
+- return dh;
+-}
+
+ tls_impl ldap_int_tls_impl = {
+ "OpenSSL",
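Review bot: The `dh` object returned by `PEM_read_bio_DHparams()` is never released after `SSL_CTX_set_tmp_dh( ctx, dh )`; that call duplicates the parameters into the context (the old callback path handed OpenSSL a cached pointer, which is why no free was needed there), so every context initialization now leaks one DH structure — add `DH_free( dh );` right after the `SSL_CTX_set_tmp_dh` line. In the built-in-parameter branch `lo->ldo_tls_dhfile` is NULL, yet it is still passed as the `%s` argument of the `could not read DH parameters file` message if the PEM read fails; the message should either not print the path or use `lo->ldo_tls_dhfile ? lo->ldo_tls_dhfile : "(built-in)"`. The hard-coded default is a 1024-bit group, which is well below what current guidance considers acceptable for DHE; if a built-in fallback is kept it should be a 2048-bit group, and the ITS#7506 follow-up patch in this same commit removes the fallback altogether. `tlso_ctx_init` continues outside the hunk.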
diff --git a/SOURCES/openldap-openssl-its7506-fix-DH-params-2.patch b/SOURCES/openldap-openssl-its7506-fix-DH-params-2.patch new file mode 100644 index 0000000..799c6e5 --- /dev/null +++ b/SOURCES/openldap-openssl-its7506-fix-DH-params-2.patch 
@@ -0,0 +1,58 @@
+commit eacd5798a5d83e6658a823c01bcb0f600e3b9898
+Author: Howard Chu
+Date: Sat Sep 7 06:39:53 2013 -0700
+
+ ITS#7506 fix prev commit
+
+ The patch unconditionally enabled DHparams, which is a significant
+ change of behavior. Reverting to previous behavior, which only enables
+ DH use if a DHparam file was configured.
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index c6a3540c9..a2d9cd31f 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -59,14 +59,6 @@ static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
+ static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
+ static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
+
+-/* From the OpenSSL 0.9.7 distro */
+-static const char tlso_dhpem1024[] =
+-"-----BEGIN DH PARAMETERS-----\n\
+-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq\n\
+-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx\n\
+-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC\n\
+------END DH PARAMETERS-----\n";
+-
+ static int tlso_seed_PRNG( const char *randfile );
+
+ #ifdef LDAP_R_COMPILE
+@@ -304,21 +296,17 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ return -1;
+ }
+
+- if (is_server) {
++ if ( lo->ldo_tls_dhfile ) {
+ DH *dh = NULL;
+ BIO *bio;
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+- if ( lo->ldo_tls_dhfile ) {
+
+- if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+- Debug( LDAP_DEBUG_ANY,
+- "TLS: could not use DH parameters file `%s'.\n",
+- lo->ldo_tls_dhfile,0,0);
+- tlso_report_error();
+- return -1;
+- }
+- } else {
+- bio = BIO_new_mem_buf( tlso_dhpem1024, -1 );
++ if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use DH parameters file `%s'.\n",
++ lo->ldo_tls_dhfile,0,0);
++ tlso_report_error();
++ return -1;
+ }
+ if (!( dh=PEM_read_bio_DHparams( bio, NULL, NULL, NULL ))) {
+ Debug( LDAP_DEBUG_ANY,
diff --git a/SOURCES/openldap-ppolicy-loglevels.patch b/SOURCES/openldap-ppolicy-loglevels.patch
new file mode 100644
index 0000000..4e17409
--- /dev/null
+++ b/SOURCES/openldap-ppolicy-loglevels.patch
@@ -0,0 +1,35 @@
+Correct log levels in ppolicy overlay.
+
+Author: Matus Honek
+Resolves: #1356158
+
+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
+--- a/servers/slapd/overlays/ppolicy.c
++++ b/servers/slapd/overlays/ppolicy.c
+@@ -643,7 +643,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+ if ((mod = lt_dlopen( pp->pwdCheckModule )) == NULL) {
+ err = lt_dlerror();
+
+- Debug(LDAP_DEBUG_ANY,
++ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+ "check_password_quality: lt_dlopen failed: (%s) %s.\n",
+ pp->pwdCheckModule, err, 0 );
+ ok = LDAP_OTHER; /* internal error */
+@@ -658,7 +658,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+ if ((prog = lt_dlsym( mod, "check_password" )) == NULL) {
+ err = lt_dlerror();
+
+- Debug(LDAP_DEBUG_ANY,
++ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+ "check_password_quality: lt_dlsym failed: (%s) %s.\n",
+ pp->pwdCheckModule, err, 0 );
+ ok = LDAP_OTHER;
+@@ -667,7 +667,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+ ok = prog( ptr, txt, e );
+ ldap_pvt_thread_mutex_unlock( &chk_syntax_mutex );
+ if (ok != LDAP_SUCCESS) {
+- Debug(LDAP_DEBUG_ANY,
++ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+ "check_password_quality: module error: (%s) %s.[%d]\n",
+ pp->pwdCheckModule, *txt ? *txt : "", ok );
+ }
diff --git a/SOURCES/openldap-reentrant-gethostby.patch b/SOURCES/openldap-reentrant-gethostby.patch
new file mode 100644
index 0000000..140b6e3
--- /dev/null
+++ b/SOURCES/openldap-reentrant-gethostby.patch
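Review bot: After this revert a server without `TLSDHParamFile` never calls `SSL_CTX_set_tmp_dh()`, and on OpenSSL releases that only offer DHE when temporary DH parameters or a callback are installed (the 1.0.x line), DHE cipher suites are then silently never negotiated; unless `TLSECName` is also configured such a server ends up with static RSA key exchange and no forward secrecy, with no log line saying why. Since the previous patch in this commit introduced a built-in group precisely to avoid that and this one removes it, a warning at `LDAP_DEBUG_ANY` when `is_server && !lo->ldo_tls_dhfile` (or at least a sentence under `TLSDHParamFile` in slapd.conf(5)) would make the trade-off visible to operators. It is not visible in this hunk whether the `dh` object is released after `SSL_CTX_set_tmp_dh( ctx, dh )`, which copies the parameters; `tlso_ctx_init` continues outside the hunk.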
@@ -0,0 +1,33 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index 373c81c..a012062 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+
+ #else
+ # include
+@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
diff --git a/SOURCES/openldap-smbk5pwd-overlay.patch b/SOURCES/openldap-smbk5pwd-overlay.patch
new file mode 100644
index 0000000..38936cf
--- /dev/null
+++ b/SOURCES/openldap-smbk5pwd-overlay.patch
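Review bot: The new `#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)` relies on `&&` binding tighter than `||`; that is the intended grouping, but it should be written out, `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))`, so it reads the same way as the `#if !(defined(...) && defined(...))` two lines below it and does not trip `-Wparentheses`. The two `#undef`s in the first hunk should be deleted rather than left as `/* # undef ... */` comments, replaced by a one-line comment giving the reason from the patch header, e.g. `/* keep the _r resolver calls even without LDAP_R_COMPILE: nss_ldap may re-enter libldap from gethostby*() */`. Only the selection of which resolver implementation is compiled changes here; the body of the `#if` block is outside the hunk.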
@@ -0,0 +1,62 @@ +Compile smbk5pwd together with other overlays. + +Author: Jan Šafránek +Resolves: #550895 + +Update to link against OpenSSL + +Author: Jan Vcelak +Resolves: #841560 + +diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README +index f20ad94..b6433ff 100644 +--- a/contrib/slapd-modules/smbk5pwd/README ++++ b/contrib/slapd-modules/smbk5pwd/README +@@ -1,3 +1,8 @@ ++****************************************************************************** ++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module ++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux. ++****************************************************************************** ++ + This directory contains a slapd overlay, smbk5pwd, that extends the + PasswordModify Extended Operation to update Kerberos keys and Samba + password hashes for an LDAP user. +diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in +index 3af20e8..ef73663 100644 +--- a/servers/slapd/overlays/Makefile.in ++++ b/servers/slapd/overlays/Makefile.in +@@ -33,7 +33,8 @@ SRCS = overlays.c \ + syncprov.c \ + translucent.c \ + unique.c \ +- valsort.c ++ valsort.c \ ++ smbk5pwd.c + OBJS = statover.o \ + @SLAPD_STATIC_OVERLAYS@ \ + overlays.o +@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + + LIBRARY = ../liboverlays.a +-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ ++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la + + XINCPATH = -I.. -I$(srcdir)/.. 
+ XDEFS = $(MODULES_CPPFLAGS) +@@ -125,6 +126,12 @@ unique.la : unique.lo + valsort.la : valsort.lo + $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS) + ++smbk5pwd.lo : smbk5pwd.c ++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< ++ ++smbk5pwd.la : smbk5pwd.lo ++ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) ++ + install-local: $(PROGRAMS) + @if test -n "$?" ; then \ + $(MKDIR) $(DESTDIR)$(moduledir); \ +-- +1.7.10.4 + diff --git a/SOURCES/openldap-sql-linking.patch b/SOURCES/openldap-sql-linking.patch new file mode 100644 index 0000000..c7edf8c --- /dev/null +++ b/SOURCES/openldap-sql-linking.patch @@ -0,0 +1,14 @@ +Removes unnecessary linking of SQL libraries into slapd. This makes openldap-servers package +independent on libodbc. (SQL backend is packaged separately in openldap-servers-sql.) + +--- openldap-2.4.24.orig/build/top.mk ++++ openldap-2.4.24/build/top.mk +@@ -201,7 +201,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@ + SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@ + SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@ + +-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) ++SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) + + # Our Defaults + CC = $(AC_CC) diff --git a/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch b/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch new file mode 100644 index 0000000..ed4f2ad --- /dev/null +++ b/SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch 
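Review bot: The new `smbk5pwd.lo`/`smbk5pwd.la` rules call `$(shell pkg-config openssl --cflags)` and `$(shell pkg-config openssl --libs)` at recipe time with no check: `$(shell ...)` is GNU-make-only in a `Makefile.in` the rest of the tree keeps portable, and if `pkg-config` or the openssl `.pc` file is absent the expansion is silently empty while `-DHAVE_OPENSSL` still forces the OpenSSL code paths, so the module builds against whatever headers and libraries happen to be on the default search path. The rest of the build takes its TLS flags from configure (`TLS_LIBS`), so the cleaner fix is a configure-substituted variable, or at minimum a single `:=` assignment evaluated once, e.g. `SMBK5PWD_SSL_CFLAGS := $(shell pkg-config --cflags openssl)`. The unconditional `-UHAVE_MOZNSS` also deserves a comment explaining that this module is deliberately built against OpenSSL even when the rest of slapd uses NSS, which the README note only implies.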
@@ -0,0 +1,41 @@
+From: Jan-Marek Glogowski
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
+
+Proof of concept for fixing http://bugs.debian.org/327585
+(patch ported from freeradius bug http://bugs.debian.org/416266)
+
+Resolves: #960048
+---
+--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200
++++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200
+@@ -117,6 +117,20 @@
+ return -1; /* not found */
+ }
+
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++ lt_dlhandle handle = 0;
++ lt_dladvise advise;
++
++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++ && !lt_dladvise_global (&advise))
++ handle = lt_dlopenadvise (filename, advise);
++
++ lt_dladvise_destroy (&advise);
++
++ return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ module_loaded_t *module;
+@@ -180,7 +194,7 @@
+ * to calling Debug. This is because Debug is a macro that expands
+ * into multiple function calls.
+ */
+- if ((module->lib = lt_dlopenext(file)) == NULL) {
++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ strcpy( ebuf, error );
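Review bot: When `lt_dladvise_init`/`lt_dladvise_ext`/`lt_dladvise_global` fail (realistically only on allocation failure), `slapd_lt_dlopenext_global` returns NULL without ever calling `lt_dlopenadvise`, so no libltdl error is recorded and the caller's `error = lt_dlerror()` can yield NULL or a stale message from an earlier call; on the `HAVE_EBCDIC` path `strcpy( ebuf, error )` then dereferences it. The helper should make that case distinguishable, e.g. return through a separate path that the caller reports as `"module_load: lt_dladvise setup failed for %s\n"` instead of consulting `lt_dlerror()`. The function also needs a why-comment, since the name does not say it: `/* RTLD_GLOBAL: modules must see symbols exported by previously loaded modules (Debian #327585); note this makes every module's symbols visible process-wide, so name clashes between modules are resolved by load order */`. `module_load` continues outside the second hunk.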
@@ -0,0 +1,62 @@
+allow unsetting of tls_* syncrepl options
+
+Author: Patrick Monnerat
+Upstream ITS: #7042
+Resolves: #734187
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 654a4bf..10b993b 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -735,27 +735,27 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ return 0;
+ case LDAP_OPT_X_TLS_CACERTFILE:
+ if ( lo->ldo_tls_cacertfile ) LDAP_FREE( lo->ldo_tls_cacertfile );
+- lo->ldo_tls_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ lo->ldo_tls_cacertfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
+ case LDAP_OPT_X_TLS_CACERTDIR:
+ if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir );
+- lo->ldo_tls_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ lo->ldo_tls_cacertdir = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
+ case LDAP_OPT_X_TLS_CERTFILE:
+ if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile );
+- lo->ldo_tls_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ lo->ldo_tls_certfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
+ case LDAP_OPT_X_TLS_KEYFILE:
+ if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile );
+- lo->ldo_tls_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ lo->ldo_tls_keyfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
+ case LDAP_OPT_X_TLS_DHFILE:
+ if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+- lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
+ case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
+ if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+- lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
+ case LDAP_OPT_X_TLS_REQUIRE_CERT:
+ if ( !arg ) return -1;
+@@ -783,7 +783,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ #endif
+ case LDAP_OPT_X_TLS_CIPHER_SUITE:
+ if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite );
+- lo->ldo_tls_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ lo->ldo_tls_ciphersuite = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
+
+ case LDAP_OPT_X_TLS_PROTOCOL_MIN:
+@@ -794,7 +794,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ if ( ld != NULL )
+ return -1;
+ if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile );
+- lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ lo->ldo_tls_randfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+ break;
+ case LDAP_OPT_X_TLS_NEWCTX:
+ if ( !arg ) return -1;
diff --git a/SOURCES/openldap-tlsmc.patch b/SOURCES/openldap-tlsmc.patch
new file mode 100644
index 0000000..6d327ec
--- /dev/null
+++ b/SOURCES/openldap-tlsmc.patch
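Review bot: The new `(arg && *(char *)arg)` test changes what an empty string means for eight TLS options at once: it now clears the setting instead of storing `""`, so `tls_cacert=""` in a syncrepl stanza or `TLS_CACERT ""` in ldap.conf leaves no CA configured and, presumably, turns a failure to open the CA path into a certificate-verification failure later under `TLS_REQCERT demand`; likewise an empty `TLS_CIPHER_SUITE` now means the library default rather than an empty list. That is the stated intent, but nothing in this patch updates ldap.conf(5) or the syncrepl section of slapd.conf(5) to say that an empty value unsets the option, and that is where operators will look. Stylistically the same ternary is repeated eight times; a small `static char *tls_strdup_nonempty( const void *arg )` would keep the empty-means-unset rule in one place. `ldap_pvt_tls_set_option` continues outside the three hunks.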
@@ -0,0 +1,1816 @@ +MozNSS Interception Code + +Author: Matus Honek +Date: Thu Jun 21 20:37:25 CEST 2018 +diff --git a/configure.in b/configure.in +--- a/configure.in ++++ b/configure.in +@@ -237,6 +237,7 @@ dnl OL_ARG_ENABLE(referrals,[ --enable-referrals enable LDAPv2+ Referrals (ex + ol_enable_referrals=${ol_enable_referrals-no} + OL_ARG_ENABLE(ipv6,[ --enable-ipv6 enable IPv6 support], auto)dnl + OL_ARG_ENABLE(local,[ --enable-local enable AF_LOCAL (AF_UNIX) socket support], auto)dnl ++OL_ARG_ENABLE(moznss_compatibility,[ --enable-moznss-compatibility enable MozNSS compatibility], no)dnl + + dnl ---------------------------------------------------------------- + dnl General "with" options +@@ -1256,6 +1257,26 @@ if test $ol_link_tls = no ; then + fi + fi + ++if test $ol_enable_moznss_compatibility = yes ; then ++ if test $have_openssl = yes ; then ++ if test $ol_with_tls = openssl ; then ++ PKG_CHECK_MODULES(MOZNSS, [nss nspr], [have_moznss_libs=yes], [have_moznss_libs=no]) ++ if test $have_moznss_libs = yes ; then ++ AC_DEFINE(HAVE_MOZNSS_COMPATIBILITY, 1, ++ [define if you want to support MozNSS databases when compiled with OpenSSL]) ++ TLS_LIBS="$TLS_LIBS $MOZNSS_LIBS" ++ CFLAGS="$CFLAGS $MOZNSS_CFLAGS" ++ else ++ AC_MSG_ERROR([For MOZNSS_COMPATIBILITY you have to have MozNSS present.]) ++ fi ++ else ++ AC_MSG_ERROR([For MOZNSS_COMPATIBILITY you have to compile with OpenSSL for crypto. (see --with-tls flag)]) ++ fi ++ else ++ AC_MSG_ERROR([For MOZNSS_COMPATIBILITY you have to have OpenSSL devel available. (unable to build with OpenSSL)]) ++ fi ++fi ++ + WITH_TLS=no + if test $ol_link_tls = yes ; then + AC_DEFINE(HAVE_TLS, 1, [define if you have TLS]) +diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3 +--- a/doc/man/man3/ldap_get_option.3 ++++ b/doc/man/man3/ldap_get_option.3 +@@ -772,6 +772,19 @@ must be + When using the OpenSSL library this is an SSL*. 
When using other + crypto libraries this is a pointer to an OpenLDAP private structure. + Applications generally should not use this option. ++.TP ++.B LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY ++Sets/gets the status of the MozNSS database compatibility layer for TLS options. This options is available only if OpenLDAP is compiled with OpenSSL. This has effect only before the TLS context is established. ++This option defaults to be on. ++.BR invalue ++should either be ++.BR LDAP_OPT_OFF ++or ++.BR LDAP_OPT_ON ; ++.BR outvalue ++must be ++.BR "int *" . ++When set, just before TLS context initialization the library will first check if TLS settings are MozNSS-specific and if so it will export certificates from a preconfigured database and set other TLS settings so that OpenSSL can continue without issues. + .SH ERRORS + On success, the functions return + .BR LDAP_OPT_SUCCESS , +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -483,6 +483,11 @@ Check the CRL for a whole certificate chain + Specifies the file containing a Certificate Revocation List to be used + to verify if the server certificates have not been revoked. This + parameter is only supported with GnuTLS and Mozilla NSS. ++.RE ++.TP ++.B TLS_MOZNSS_COMPATIBILITY ++Specifies whether the MozNSS database compatibility layer for TLS options should be enabled. This options is available only if OpenLDAP is compiled with OpenSSL. ++This option defaults to be on. + .SH "ENVIRONMENT VARIABLES" + .TP + LDAPNOINIT +diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -1004,6 +1004,11 @@ Check the CRL for a whole certificate chain + Specifies a file containing a Certificate Revocation List to be used + for verifying that certificates have not been revoked. This parameter + is only valid when using GnuTLS or Mozilla NSS. 
++.RE ++.TP ++.B olcTLSMozNSSCompatibility ++Specifies whether the MozNSS database compatibility layer for TLS options should be enabled. This options is available only if OpenLDAP is compiled with OpenSSL. ++This option defaults to be on. + .SH DYNAMIC MODULE OPTIONS + If + .B slapd +diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -1235,6 +1235,11 @@ Check the CRL for a whole certificate chain + Specifies a file containing a Certificate Revocation List to be used + for verifying that certificates have not been revoked. This directive is + only valid when using GnuTLS and Mozilla NSS. ++.RE ++.TP ++.B TLSMozNSSCompatibility ++Specifies whether the MozNSS database compatibility layer for TLS options should be enabled. This options is available only if OpenLDAP is compiled with OpenSSL. ++This option defaults to be on. + .SH GENERAL BACKEND OPTIONS + Options in this section only apply to the configuration file section + for the specified backend. 
They are supported by every +diff --git a/include/ldap.h b/include/ldap.h +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -158,6 +158,10 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_NEWCTX 0x600f + #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */ + #define LDAP_OPT_X_TLS_PACKAGE 0x6011 ++#define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY 0x6050 ++ ++#define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED 0 ++#define LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_ENABLED 1 + + #define LDAP_OPT_X_TLS_NEVER 0 + #define LDAP_OPT_X_TLS_HARD 1 +diff --git a/libraries/libldap/Makefile.in b/libraries/libldap/Makefile.in +--- a/libraries/libldap/Makefile.in ++++ b/libraries/libldap/Makefile.in +@@ -26,7 +26,7 @@ SRCS = bind.c open.c result.c error.c compare.c search.c \ + request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \ + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ +- tls2.c tls_o.c tls_g.c tls_m.c \ ++ tls2.c tls_o.c tls_g.c tls_m.c tls_mc.c tls_mc_ossl.c \ + turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ + assertion.c deref.c ldif.c fetch.c + +@@ -39,7 +39,7 @@ OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ + request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \ + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ +- tls2.lo tls_o.lo tls_g.lo tls_m.lo \ ++ tls2.lo tls_o.lo tls_g.lo tls_m.lo tls_mc.lo tls_mc_ossl.lo \ + turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ + assertion.lo deref.lo ldif.lo fetch.lo + +diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c +--- a/libraries/libldap/init.c ++++ b/libraries/libldap/init.c +@@ -137,7 +137,9 @@ static const struct ol_attribute { + #ifdef HAVE_GNUTLS + {0, ATTR_TLS, "TLS_CRLFILE", NULL, LDAP_OPT_X_TLS_CRLFILE}, + #endif +- ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ {0, ATTR_TLS, "TLS_MOZNSS_COMPATIBILITY", NULL, 
LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY}, ++#endif + #endif + + {0, ATTR_NONE, NULL, NULL, 0} +@@ -582,6 +584,9 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl + gopts->ldo_tls_connect_cb = NULL; + gopts->ldo_tls_connect_arg = NULL; + gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ gopts->ldo_tls_moznss_compatibility = LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_ENABLED; ++#endif + #endif + gopts->ldo_keepalive_probes = 0; + gopts->ldo_keepalive_interval = 0; +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -260,7 +260,8 @@ struct ldapoptions { + int ldo_tls_require_cert; + int ldo_tls_impl; + int ldo_tls_crlcheck; +-#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0 ++ int ldo_tls_moznss_compatibility; ++#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0,0 + #else + #define LDAP_LDO_TLS_NULLARG + #endif +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -37,6 +37,8 @@ + + #include "ldap-tls.h" + ++#include "tls_mc.h" ++ + static tls_impl *tls_imp = &ldap_int_tls_impl; + #define HAS_TLS( sb ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_HAS_IO, \ + (void *)tls_imp->ti_sbio ) +@@ -96,6 +98,7 @@ tls_ctx_ref( tls_ctx *ctx ) + * an extra mutex for the default ctx. 
+ */ + static ldap_pvt_thread_mutex_t tls_def_ctx_mutex; ++ldap_pvt_thread_mutex_t tlsmc_mutex; + #endif + + void +@@ -161,6 +164,7 @@ tls_init(tls_impl *impl ) + if ( !tls_initialized++ ) { + #ifdef LDAP_R_COMPILE + ldap_pvt_thread_mutex_init( &tls_def_ctx_mutex ); ++ ldap_pvt_thread_mutex_init( &tlsmc_mutex ); + #endif + } + +@@ -196,6 +200,27 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server ) + + tls_init( ti ); + ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ if ( LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_ENABLED == lo->ldo_tls_moznss_compatibility ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLSMC: MozNSS compatibility interception begins.\n", ++ 0, 0, 0 ); ++ if ( 0 == tlsmc_intercept_initialization( lo, is_server ) ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "TLSMC: ERROR: MozNSS compatibility layer failed.\n", ++ 0, 0, 0 ); ++ } ++ lts = lo->ldo_tls_info; ++ Debug( LDAP_DEBUG_ANY, ++ "TLSMC: MozNSS compatibility interception ends.\n", ++ 0, 0, 0 ); ++ } else { ++ Debug( LDAP_DEBUG_TRACE, ++ "TLS: MozNSS compatibility layer disabled.\n", ++ 0, 0, 0 ); ++ } ++#endif ++ + if ( is_server && !lts.lt_certfile && !lts.lt_keyfile && + !lts.lt_cacertfile && !lts.lt_cacertdir ) { + /* minimum configuration not provided */ +@@ -572,6 +597,21 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg ) + return ldap_pvt_tls_set_option( ld, option, &i ); + } + return -1; ++#endif ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ case LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY: ++ i = -1; ++ if ( (strcasecmp( arg, "yes" ) == 0) || ++ (strcasecmp( arg, "true" ) == 0) || ++ (strcasecmp( arg, "on" ) == 0) ) { ++ i = LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_ENABLED; ++ } ++ if ( (strcasecmp( arg, "no" ) == 0) || ++ (strcasecmp( arg, "false" ) == 0) || ++ (strcasecmp( arg, "off" ) == 0) ) { ++ i = LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED; ++ } ++ return ldap_pvt_tls_set_option( ld, option, &i ); + #endif + } + return -1; +@@ -675,6 +715,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) + case 
LDAP_OPT_X_TLS_CONNECT_ARG: + *(void **)arg = lo->ldo_tls_connect_arg; + break; ++ case LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY: ++ *(int *)arg = lo->ldo_tls_moznss_compatibility; ++ break; + default: + return -1; + } +@@ -802,6 +845,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx ); + lo->ldo_tls_ctx = NULL; + return ldap_int_tls_init_ctx( lo, *(int *)arg ); ++ case LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY: ++ if ( !arg ) return -1; ++ lo->ldo_tls_moznss_compatibility = *(int *)arg; ++ break; + default: + return -1; + } +diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c +new file mode 100644 +--- /dev/null ++++ b/libraries/libldap/tls_mc.c +@@ -0,0 +1,1369 @@ ++#include "portable.h" ++ ++#ifdef HAVE_MOZNSS_COMPATIBILITY ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include "ldap-int.h" ++#include "ldap-tls.h" ++#include "ldap_pvt_thread.h" ++ ++#include "tls_mc.h" ++#include "tls_mc_ossl.h" ++ ++#define TLSMC_CHECKSUM_LEN 32 ++ ++#define TLSMC_CACERTS_DIR_NAME "cacerts" ++#define TLSMC_CERT_FILE_NAME "cert.pem" ++#define TLSMC_KEY_FILE_NAME "key.pem" ++#define TLSMC_README_FILE_NAME "README" ++ ++#define TLSM_CERTDB_DESC "ldap" ++#define DEFAULT_TOKEN_NAME "default" ++ ++#define TLSMC_IS_INPLACE 1 ++#define TLSMC_IS_TEMPORARY 2 ++ ++#define DONOTEDIT \ ++ "This file is auto-generated by the MozNSS Compatibility Layer of OpenLDAP software.\n" \ ++ "This layer is not part of the OpenLDAP software distributed in upstream.\n" \ ++ "Please file any related bugs with your GNU/Linux distribution.\n" \ ++ "Do not edit contents of this directory structure directly. 
Rather, change your configuration to use the OpenSSL-style TLS options, so that this directory structure does not need to be generated anymore.\n" \ ++ "Please refer to the slapd.conf(5), slapd-config(5), and ldap.conf(5) man pages for more information." ++#define PEM_CERT_HEADER "-----BEGIN CERTIFICATE-----" ++#define PEM_CERT_FOOTER "-----END CERTIFICATE-----" ++#define PEM_KEY_HEADER "-----BEGIN PRIVATE KEY-----" ++#define PEM_KEY_FOOTER "-----END PRIVATE KEY-----" ++#define README_HEADER "The contents of this file are hashed and used as part of the name of the parent directory.\n" ++ ++#ifdef LDAP_R_COMPILE ++ldap_pvt_thread_mutex_t tlsmc_mutex; ++#endif ++/*******************************************************************/ ++ ++ ++char * ++tlsmc_path2name( char *path ) ++{ ++ if ( NULL == path ) return NULL; ++ char *last_slash = strrchr( path, '/' ); ++ if ( NULL == last_slash ) ++ return path; ++ else ++ return last_slash + 1; ++} ++ ++ ++int ++tlsmc_write_file( char *filename, char *buf, mode_t final_mode ) ++{ ++ int rv = 0; ++ int fd = -1; ++ if ( 0 > ( fd = open( filename, O_WRONLY | O_CREAT | O_EXCL, S_IWUSR ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_write_file: ERROR: could not open file: `%s': %s.\n", ++ filename, strerror(errno), 0 ); ++ goto bail; ++ } ++ if ( -1 >= write( fd, buf, strlen(buf) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_write_file: ERROR: could not write file: `%s': %s.\n", ++ filename, strerror(errno), 0 ); ++ goto bail; ++ } ++ if ( -1 >= fchmod( fd, final_mode ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_write_file: ERROR: could not set file mode: `%s': %s.\n", ++ filename, strerror(errno), 0 ); ++ goto bail; ++ } ++ if ( -1 >= fsync( fd ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_write_file: ERROR: could not fsync file: `%s': %s.\n", ++ filename, strerror(errno), 0 ); ++ goto bail; ++ } ++ if ( 0 > close( fd ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_write_file: ERROR: could not close file: `%s': %s.\n", ++ filename, strerror(errno), 
0 ); ++ fd = -1; ++ goto bail; ++ } ++ fd = -1; ++ rv = 1; ++bail: ++ if ( fd > -1 ) close( fd ); ++ return rv; ++} ++ ++ ++static int ++tlsmc_remove_dir_recursively( const char *dir_name ) ++{ ++ int rv = 0; ++ DIR *dir = NULL; ++ struct dirent *entry = NULL; ++ char *full_path = NULL; ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: starting recursively removing directory `%s'.\n", ++ dir_name, 0, 0 ); ++ if ( NULL == ( dir = opendir( dir_name ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: ERROR: could not open the directory (errno %d: %s).\n", ++ errno, strerror( errno ), 0 ); ++ goto bail; ++ } ++ ++ while ( NULL != ( entry = readdir( dir ) ) ) { ++ struct stat info; ++ ++ full_path = NULL; ++ full_path = PR_smprintf( "%s/%s", dir_name, entry->d_name ); ++ ++ if ( 0 != strcmp( entry->d_name, "." ) && 0 != strcmp( entry->d_name, ".." ) ) { ++ if ( 0 == lstat( full_path, &info ) ) { ++ if ( S_ISDIR( info.st_mode ) ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: stepping into directory `%s'.\n", ++ entry->d_name, 0, 0 ); ++ if ( 0 == tlsmc_remove_dir_recursively( full_path ) ) { ++ goto bail_and_close_dir; ++ } ++ } else { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: removing file `%s'.\n", ++ entry->d_name, 0, 0 ); ++ if ( 0 != remove( full_path ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: ERROR: could not remove the file (errno %d: %s).\n", ++ errno, strerror( errno ), 0 ); ++ goto bail_and_close_dir; ++ } ++ } ++ } else { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: ERROR: could not stat `%s', (errno %d: %s).\n", ++ full_path, errno, strerror( errno ) ); ++ goto bail_and_close_dir; ++ } ++ } ++ ++ if ( full_path ) { ++ PR_smprintf_free( full_path ); ++ full_path = NULL; ++ } ++ ++ } ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: stepping out of the directory.\n", ++ 0, 0, 0 ); ++ if ( 0 != closedir( dir ) ) { ++ 
Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: WARN: could not close the directory (errno %d: %s).\n", ++ errno, strerror( errno ), 0 ); ++ goto bail; ++ } ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_remove_dir_recursively: INFO: removing the directory itself.\n", ++ 0, 0, 0 ); ++ if ( 0 != remove( dir_name ) ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_remove_dir_recursively: ERROR: could not remove the directory (errno %d: %s).\n", ++ errno, strerror( errno ), 0 ); ++ goto bail; ++ } ++ ++ rv = 1; ++ goto bail; ++bail_and_close_dir: ++ closedir( dir ); ++bail: ++ if ( full_path ) PR_smprintf_free( full_path ); ++ return rv; ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++static void ++tlsmc_get_certdb_prefix( const char *certdir, char **nsscertdir, char **realcertdir, char **prefix ) ++{ ++ char sep = PR_GetDirectorySeparator(); ++ char *ptr = NULL; ++ char *chkpath = NULL; ++ struct PRFileInfo prfi; ++ PRStatus prc; ++ ++ *realcertdir = (char *)certdir; /* default is the one passed in */ ++ ++ /* if certdir is not given, just return */ ++ if ( !certdir ) return; ++ ++ *nsscertdir = certdir; ++ ++ /* ignore database type prefix (e.g. 
sql:, dbm:) if provided */ ++ if ( NULL != ( chkpath = strchr( certdir, ':' ) ) ) { ++ *realcertdir = chkpath + 1; ++ } ++ ++ /* if certdir exists (file or directory) then it cannot specify a prefix */ ++ prc = PR_GetFileInfo( *realcertdir, &prfi ); ++ if ( prc == PR_SUCCESS ) { ++ goto finish; ++ } ++ ++ /* if certdir was given, and there is a '/' in certdir, see if there ++ is anything after the last '/' - if so, assume it is the prefix */ ++ /* if ( ( ( ptr = strrchr( *realcertdir, sep ) ) ) && *(ptr + 1) ) { */ ++ /* *realcertdir = PL_strndup( *realcertdir, ptr - (*realcertdir) ); */ ++ /* *prefix = PL_strdup( ptr + 1 ); */ ++ /* } */ ++ ++ ++ if ( ptr = strrchr( *realcertdir, sep ) ) { ++ if ( *(ptr + 1) ) { ++ *ptr = '\0'; ++ *prefix = ptr + 1; ++ } else { ++ *prefix = *realcertdir + strlen( *realcertdir ); // empty string ++ } ++ } else { ++ *prefix = *realcertdir; ++ *realcertdir = *prefix + strlen( *prefix ); // empty string ++ } ++finish: ++ /* drop potential last '/' from realcertdir */ ++ do { ++ ptr = strrchr( *realcertdir, sep ); ++ if ( ptr && (! 
*(ptr+1) ) ) { ++ *ptr = '\0'; ++ } else { ++ break; ++ } ++ } while (1); ++ ++ return; ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++static char * ++tlsmc_get_pin_from_file(const char *token_name, char *filename) ++{ ++ char *pwdstr = NULL; ++ char *contents = NULL; ++ char *lasts = NULL; ++ char *line = NULL; ++ char *candidate = NULL; ++ PRFileInfo file_info; ++ PRFileDesc *pwd_fileptr = NULL; ++ pwd_fileptr = PR_Open( filename, PR_RDONLY, 00400 ); ++ ++ /* open the password file */ ++ if ( !pwd_fileptr ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_get_pin_from_file: could not open security pin file %s - error %d:%s.\n", ++ filename, errcode, ++ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); ++ goto done; ++ } ++ ++ /* get the file size */ ++ if ( PR_SUCCESS != PR_GetFileInfo( filename, &file_info ) ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_get_pin_from_file: could not get file info from pin file %s - error %d:%s.\n", ++ filename, errcode, ++ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); ++ goto done; ++ } ++ ++ /* create a buffer to hold the file contents */ ++ if ( !( contents = PR_CALLOC( file_info.size + 1 ) ) ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_get_pin_from_file: could not alloc a buffer for contents of pin file %s - error %d:%s.\n", ++ filename, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); ++ goto done; ++ } ++ ++ /* read file into the buffer */ ++ if( PR_Read( pwd_fileptr, contents, file_info.size ) <= 0 ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_get_pin_from_file: could not read the file contents from pin file %s - error %d:%s.\n", ++ filename, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); ++ goto done; ++ } ++ ++ /* format is [tokenname:]password EOL [tokenname:]password EOL ... 
*/ ++ /* if you want to use a password containing a colon character, use ++ the special tokenname "default" */ ++ for ( line = PL_strtok_r( contents, "\r\n", &lasts ); line; ++ line = PL_strtok_r( NULL, "\r\n", &lasts ) ) { ++ char *colon; ++ ++ if ( !*line ) { ++ continue; /* skip blank lines */ ++ } ++ colon = PL_strchr( line, ':' ); ++ if ( colon ) { ++ if ( *(colon + 1) && token_name && ++ !PL_strncmp( token_name, line, colon-line ) ) { ++ candidate = colon + 1; /* found a definite match */ ++ break; ++ } else if ( !PL_strncmp( DEFAULT_TOKEN_NAME, line, colon-line ) ) { ++ candidate = colon + 1; /* found possible match */ ++ } ++ } else { /* no token name */ ++ candidate = line; ++ } ++ } ++done: ++ if ( pwd_fileptr ) { ++ PR_Close( pwd_fileptr ); ++ } ++ if ( candidate ) { ++ pwdstr = PL_strdup( candidate ); ++ } ++ PL_strfree( contents ); ++ ++ return pwdstr; ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++/* ++ * Turn the echoing off on a tty. ++ */ ++static void ++echoOff(int fd) ++{ ++ if ( isatty( fd ) ) { ++ struct termios tio; ++ tcgetattr( fd, &tio ); ++ tio.c_lflag &= ~ECHO; ++ tcsetattr( fd, TCSAFLUSH, &tio ); ++ } ++} ++ ++/* BORROWED FROM tls_m.c */ ++/* ++ * Turn the echoing on on a tty. ++ */ ++static void ++echoOn(int fd) ++{ ++ if ( isatty( fd ) ) { ++ struct termios tio; ++ tcgetattr( fd, &tio ); ++ tio.c_lflag |= ECHO; ++ tcsetattr( fd, TCSAFLUSH, &tio ); ++ tcsetattr( fd, TCSAFLUSH, &tio ); ++ } ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++char * ++tlsmc_get_pin( PK11SlotInfo *slot, PRBool retry, void * filename) ++{ ++ char *token_name = NULL; ++ char *pwdstr = NULL; ++ ++ token_name = PK11_GetTokenName( slot ); ++ /* Try to get the passwords from the password file if it exists. ++ * THIS IS UNSAFE and is provided for convenience only. Without this ++ * capability the server would have to be started in foreground mode ++ * if using an encrypted key. 
++ */ ++ if ( filename ) { ++ fprintf( stderr, ++ "tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.\n"); ++ pwdstr = tlsmc_get_pin_from_file( token_name, (char *)filename ); ++ if ( retry && pwdstr != NULL ) ++ return NULL; ++ } ++ if ( !pwdstr ) { ++ int infd = PR_FileDesc2NativeHandle( PR_STDIN ); ++ int isTTY = isatty( infd ); ++ unsigned char phrase[200]; ++ /* Prompt for password */ ++ if ( isTTY ) { ++ fprintf( stderr, ++ "tlsmc_get_pin: INFO: Please note the extracted key file will not be protected with a PIN any more, however it will be still protected at least by file permissions.\n"); ++ fprintf( stdout, ++ "Please enter pin, password, or pass phrase for security token '%s': ", ++ token_name ? token_name : DEFAULT_TOKEN_NAME ); ++ echoOff( infd ); ++ } ++ fgets( (char*)phrase, sizeof(phrase), stdin ); ++ if ( isTTY ) { ++ fprintf( stdout, "\n" ); ++ echoOn( infd ); ++ } ++ /* stomp on newline */ ++ phrase[strlen((char*)phrase)-1] = 0; ++ ++ pwdstr = PL_strdup( (char*)phrase ); ++ } ++ ++ return pwdstr; ++} ++ ++ ++int ++tlsmc_hash( char **dest, const char *src ) ++{ ++ int rv = 0; ++ unsigned char fp[SHA256_LENGTH]; ++ SECItem fpItem; ++ ++ if ( SECSuccess != ( rv = PK11_HashBuf( SEC_OID_SHA256, fp, src, strlen(src) ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_hash: could not hash a buffer", ++ NULL, NULL, NULL ); ++ goto bail; ++ } ++ fpItem.data = fp; ++ fpItem.len = SHA256_LENGTH; ++ if ( NULL == ( *dest = CERT_Hexify( &fpItem, 0 ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_hash: could not hexify the hash", ++ NULL, NULL, NULL ); ++ goto bail; ++ } ++ ++ rv = 1; ++bail: ++ return rv; ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++int ++tlsmc_open_nssdb( char *ld_cacertdir, NSSInitContext **out_initctx, char **out_nssdb_dir, char **out_nssdb_prefix ) ++{ ++#define SECURITYDIRS_COUNT 3 ++ int rc = 0; ++ PRErrorCode errcode = 1; ++ ++ /* restart 
secmod modules */ ++#ifdef HAVE_SECMOD_RESTARTMODULES ++ /* NSS enforces the pkcs11 requirement that modules should be unloaded after ++ a fork() - since there is no portable way to determine if NSS has been ++ already initialized in a parent process, we just call SECMOD_RestartModules ++ with force == FALSE - if the module has been unloaded due to a fork, it will ++ be reloaded, otherwise, it is a no-op */ ++ if ( 0 == ( rc = SECMOD_RestartModules(PR_FALSE /* do not force */) ) ) { ++ errcode = PORT_GetError(); ++ if ( errcode != SEC_ERROR_NOT_INITIALIZED ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_open_nssdb: WARN: could not restart the security modules: %d:%s.\n", ++ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); ++ } else { ++ errcode = 1; ++ } ++ } ++#endif ++ ++ ++ /* context and certdb */ ++ char *dir_moznss = PR_GetEnv( "MOZNSS_DIR" ); ++ char *dir_default_moznss = PR_GetEnv( "DEFAULT_MOZNSS_DIR" ); ++ const char *securitydirs[SECURITYDIRS_COUNT] = { dir_moznss, ld_cacertdir, dir_default_moznss }; ++ int done = 0; ++ int ii = 0; ++ for ( ii = 0; !done && ( ii < SECURITYDIRS_COUNT ); ++ii ) { ++ // get certdb prefix ++ const char *securitydir = securitydirs[ii]; ++ char *nsscertdir = NULL; ++ char *realcertdir = NULL; ++ const char *defprefix = ""; ++ char *prefix = (char *)defprefix; ++ if ( securitydir == NULL ) continue; ++ tlsmc_get_certdb_prefix( securitydir, &nsscertdir, &realcertdir, &prefix ); ++ *out_nssdb_dir = strdup( realcertdir ); ++ *out_nssdb_prefix = strdup( prefix ); ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `%s` prefix `%s`.\n", ++ nsscertdir, prefix, NULL); ++ ++ // init context ++ NSSInitContext *initctx = NULL; ++ NSSInitParameters initparams; ++ memset( &initparams, 0, sizeof( initparams ) ); ++ initparams.length = sizeof( initparams ); ++ ++ initctx = NSS_InitContext( nsscertdir, ++ prefix, ++ prefix, ++ SECMOD_DB, ++ &initparams, ++ NSS_INIT_READONLY // | 
NSS_INIT_NOCERTDB ++ ); ++ rc = initctx ? 1 : 0; ++ ++ *out_initctx = initctx; ++ ++ if ( rc != 1 ) { ++ errcode = PORT_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_open_nssdb: WARN: could not initialize MozNSS context - error %d.\n", ++ errcode, 0, 0 ); ++ } else { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_open_nssdb: INFO: initialized MozNSS context.\n", ++ 0, 0, 0 ); ++ errcode = 0; ++ done = 1; ++ } ++ } ++ ++ PR_Free( dir_moznss ); ++ PR_Free( dir_default_moznss ); ++ ++ PK11_SetPasswordFunc( tlsmc_get_pin ); ++ ++ if ( done && (errcode == 0) && out_initctx ) { ++ return 1; ++ } else { ++ return 0; ++ } ++} ++ ++ ++int ++tlsmc_filestamp( char **filestamp, char *path ) ++{ ++ int rv = 0; ++ struct stat attr; ++ char stime[20]; ++ ++ if ( 0 != stat( path, &attr ) ) { ++ rv = -1; ++ goto bail; ++ } ++ if ( 0 == strftime(stime, sizeof(stime), "%FT%T", localtime(&attr.st_mtime)) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_filestamp: ERROR: could not format mtime: %s.\n", ++ strerror(errno), 0, 0 ); ++ goto bail; ++ } ++ ++ *filestamp = PR_smprintf("mtime %s.%d, size %lld", ++ stime, attr.st_mtim.tv_nsec, (long long) attr.st_size); ++ ++ rv = 1; ++bail: ++ return rv; ++} ++ ++ ++char * ++tlsmc_compute_checksum( char *nssdb_dir, char *nssdb_prefix, ++ char *ld_cacertdir, char *ld_cert, char *ld_key, ++ char **out_data) ++{ ++ int rv = 0; ++ char *data = NULL; ++ char *checksum = NULL; ++ ++ /* gather data */ ++ data = PR_sprintf_append( data, ++ DONOTEDIT "\n" ++ README_HEADER "\n" ++ "PARAMETERS:\n" ++ "nssdb_dir: %s\n" ++ "nssdb_prefix: %s\n" ++ "ld_cacertdir: %s\n" ++ "ld_cert: %s\n" ++ "ld_key: %s\n" ++ "euid: %d\n\n" ++ "FILES:\n", ++ nssdb_dir, nssdb_prefix, ld_cacertdir, ld_cert, ld_key, geteuid() ); ++ ++ char *files[] = { "cert8.db", "cert9.db", "key3.db", "key4.db", "secmod.db", NULL }; ++ char **filep = NULL; ++ for ( filep = files; NULL != *filep; filep++ ) { ++ char *filestamp = NULL; ++ char *path = NULL; ++ path = PR_smprintf( "%s/%s%s", nssdb_dir, 
nssdb_prefix, *filep ); ++ if ( 0 == tlsmc_filestamp( &filestamp, path ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_compute_checksum: INFO: could not check file `%s'.\n", ++ path, 0, 0 ); ++ rv = -1; ++ } else { ++ data = PR_sprintf_append( data, "%s: %s\n", *filep, filestamp ); ++ } ++ if ( filestamp ) PR_smprintf_free( filestamp ); ++ if ( path ) PR_smprintf_free( path ); ++ if ( -1 == rv ) goto bail; ++ } ++ ++ /* compute data checksum */ ++ if ( 1 != tlsmc_hash( &checksum, (const char*) data ) ) { ++ checksum = NULL; ++ goto bail; ++ } ++ ++ /* possibly supply data */ ++ if ( out_data ) { ++ *out_data = strdup( data ); ++ } ++ ++ /* return checksum */ ++bail: ++ if ( data ) PR_smprintf_free( data ); ++ return checksum; ++} ++ ++ ++int ++tlsmc_prepare_dir( char *dir ) ++{ ++ int rv = 0; ++ char *cacerts_dir = NULL; ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_prepare_dir: INFO: preparing PEM directory `%s'.\n", ++ dir, 0, 0 ); ++ ++ if ( 0 != mkdir( dir, S_IRWXU /* u+rwx */ ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_prepare_dir: WARN: could not create the PEM directory.\n", ++ 0, 0, 0 ); ++ rv = 0; ++ goto bail; ++ } ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_prepare_dir: INFO: creating a subdirectory `%s'.\n", ++ TLSMC_CACERTS_DIR_NAME, 0, 0 ); ++ cacerts_dir = PR_smprintf( "%s/%s", dir, TLSMC_CACERTS_DIR_NAME ); ++ if ( 0 != mkdir( cacerts_dir, S_IRWXU /* u+rwx */ ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_prepare_dir: WARN: could not create the subdirectory.\n", ++ 0, 0, 0 ); ++ rv = 0; ++ goto bail; ++ } ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_prepare_dir: INFO: successfully created PEM directory structure.\n", ++ TLSMC_CACERTS_DIR_NAME, 0, 0 ); ++ rv = 1; ++ ++bail: ++ if ( cacerts_dir ) PR_smprintf_free( cacerts_dir ); ++ return rv; ++} ++ ++ ++/* BORROWED FROM 389ds: ssl.c */ ++int ++tlsmc_extract_cert_to_file(CERTCertDBHandle *certdb_handle, CERTCertificate *cert, char *file_path) ++{ ++ int rv = 0; ++ SECItem data; ++ char *b64 = NULL; ++ char *output = NULL; ++ 
++ if ( ! cert ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_to_file: ERROR: cert empty.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ data.data = cert->derCert.data; ++ data.len = cert->derCert.len; ++ b64 = BTOA_DataToAscii(data.data, data.len); ++ if ( ! b64 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_to_file: ERROR: could not base64 encode.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ output = PR_smprintf( DONOTEDIT "\n\n" ++ "NSS nickname: %s\n" ++ "Issuer: %s\n" ++ "Subject: %s\n" ++ PEM_CERT_HEADER "\n" ++ "%s\n" ++ PEM_CERT_FOOTER "\n", ++ cert->nickname, ++ cert->issuerName, ++ cert->subjectName, ++ b64 ); ++ ++ if ( 0 == tlsmc_write_file( file_path, output, S_IRUSR ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_to_file: ERROR: could not write certificate.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ rv = 1; ++bail: ++ if ( output ) PR_smprintf_free( output ); ++ if ( b64 ) PORT_Free( b64 ); ++ return rv; ++} ++ ++ ++/* BORROWED FROM 389ds: ssl.c */ ++int ++tlsmc_decrypt_key(SECKEYEncryptedPrivateKeyInfo *epki, ++ SECOidTag algTag, ++ SECItem *pwitem, ++ void *pin_arg, ++ SECItem *derPKI) ++{ ++ SECItem *cryptoParam = NULL; ++ PK11SymKey *symKey = NULL; ++ PK11Context *ctx = NULL; ++ int rv = 0; ++ ++ if (!pwitem) return rv; ++ ++ do { ++ SECAlgorithmID algid = epki->algorithm; ++ CK_MECHANISM_TYPE cryptoMechType; ++ CK_ATTRIBUTE_TYPE operation = CKA_DECRYPT; ++ PK11SlotInfo *slot = NULL; ++ ++ cryptoMechType = PK11_GetPBECryptoMechanism(&algid, &cryptoParam, pwitem); ++ if (cryptoMechType == CKM_INVALID_MECHANISM) { ++ goto bail; ++ } ++ ++ if ( NULL == ( slot = PK11_GetBestSlot(cryptoMechType, NULL) ) ) { ++ goto bail; ++ } ++ ++ if ( NULL == ( symKey = PK11_PBEKeyGen(slot, &algid, pwitem, PR_FALSE, pin_arg) ) ) { ++ rv = -1; ++ goto bail_one; ++ } ++ ++ if ( NULL == ( ctx = PK11_CreateContextBySymKey( ++ cryptoMechType, operation, symKey, cryptoParam) ) ) { ++ rv = -1; ++ goto bail_one; ++ } ++ ++ if ( SECSuccess != PK11_CipherOp(ctx, 
++ derPKI->data, /* out */ ++ (int *)(&derPKI->len), /* out len */ ++ (int)epki->encryptedData.len, /* max out */ ++ epki->encryptedData.data, /* in */ ++ (int)epki->encryptedData.len /* in len */ ) ) { ++ rv = -1; ++ goto bail_one; ++ } ++ ++ if ( derPKI->len != epki->encryptedData.len ) goto bail_one; ++ if ( SECSuccess != PK11_Finalize(ctx) ) goto bail_one; ++ bail_one: ++ if (slot) PK11_FreeSlot(slot); ++ } while (0); ++ ++ rv = ((rv == 0) ? 1 : 0); ++bail: ++ if (symKey) PK11_FreeSymKey(symKey); ++ if (cryptoParam) { ++ SECITEM_ZfreeItem(cryptoParam, PR_TRUE); ++ cryptoParam = NULL; ++ } ++ if (ctx) PK11_DestroyContext(ctx, PR_TRUE); ++ ++ return rv; ++} ++ ++ ++/* BORROWED FROM 389ds: ssl.c */ ++int ++tlsmc_extract_key_of_cert_to_file(CERTCertificate *cert, ++ char *pin_filename, ++ char *filename) ++{ ++ int rv = 0; ++ SECKEYPrivateKey *key = NULL; ++ SECItem pwitem; ++ SECKEYEncryptedPrivateKeyInfo *epki = NULL; ++ PLArenaPool *arenaForPKI = NULL; ++ SECItem clearKeyDER; ++ char *b64 = NULL; ++ char *output = NULL; ++ ++ // establish password ++ pwitem.data = "secretpw"; // FIXME use pin_filename ++ pwitem.len = strlen(pwitem.data); ++ pwitem.type = siBuffer; ++ ++ // get key ++ if ( NULL == ( key = PK11_FindKeyByAnyCert(cert, (void *)pin_filename) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: PK11_FindKeyByAnyCert failed.\n", ++ 0,0,0); ++ goto bail; ++ } ++ ++ // get key info ++ if ( NULL == ( epki = PK11_ExportEncryptedPrivKeyInfo( ++ NULL, SEC_OID_DES_EDE3_CBC, &pwitem, key, 1000, (void *)pin_filename) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: PK11_ExportEncryptedPrivKeyInfo returned NULL.\n", ++ 0,0,0); ++ goto bail; ++ } ++ ++ // get clear DER ++ if ( NULL == ( arenaForPKI = PORT_NewArena(2048) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: PORT_NewArena failed.\n", ++ 0,0,0); ++ goto bail; ++ } ++ ++ clearKeyDER.data = PORT_ArenaAlloc(arenaForPKI, 
epki->encryptedData.len); ++ clearKeyDER.len = epki->encryptedData.len; ++ clearKeyDER.type = siBuffer; ++ ++ if ( 0 == tlsmc_decrypt_key(epki, SEC_OID_DES_EDE3_CBC, &pwitem, ++ (void *)pin_filename, &clearKeyDER) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: could not decrypt the key.\n", ++ 0,0,0); ++ goto bail; ++ } ++ ++ // base64 encode ++ if ( NULL == ( b64 = BTOA_ConvertItemToAscii(&clearKeyDER) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: could not base64 encode.\n", ++ 0,0,0); ++ goto bail; ++ } ++ ++ // print out ++ output = PR_smprintf( DONOTEDIT "\n" ++ PEM_KEY_HEADER "\n" ++ "%s\n" ++ PEM_KEY_FOOTER "\n", ++ b64 ); ++ ++ if ( 0 == tlsmc_write_file( filename, output, S_IRUSR ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_key_of_cert_to_file: ERROR: could not write PK.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ rv = 1; ++ ++bail: ++ if (b64) PORT_Free(b64); ++ if (arenaForPKI) PORT_FreeArena(arenaForPKI, PR_FALSE); ++ if (epki) SECKEY_DestroyEncryptedPrivateKeyInfo(epki, PR_TRUE); ++ if (key) SECKEY_DestroyPrivateKey(key); ++ return rv; ++} ++ ++ ++/* BORROWED FROM 389ds: ssl.c */ ++int ++tlsmc_extract_cert_key_pair(char *nickname, char *pin_filename, char *dir_name) ++{ ++ int rv = 0; ++ CERTCertDBHandle *certHandle = NULL; ++ CERTCertificate *cert = NULL; ++ char *cert_file_path = NULL; ++ char *key_file_path = NULL; ++ char *file_realpath = NULL; ++ ++ ++ cert_file_path = PR_smprintf( "%s/cert.pem", dir_name ); ++ key_file_path = PR_smprintf( "%s/key.pem", dir_name ); ++ ++ if ( NULL == nickname ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: WARN: supplied nickname is empty (NULL).\n", ++ 0, 0, 0 ); ++ rv = 1; ++ goto bail; ++ } ++ if ( NULL == ( certHandle = CERT_GetDefaultCertDB() ) ) { ++ // FIXME see same in tlsmc_extract_cacerts() ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not get certificate handle.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } 
++ if ( NULL != ( cert = PK11_FindCertFromNickname(nickname, NULL) ) ) { ++ /* extract cert/key from NSS db */ ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cert_key_pair: INFO: extracting certificate `%s' to file `%s'.\n", ++ nickname, cert_file_path, 0 ); ++ if ( 0 == tlsmc_extract_cert_to_file(certHandle, cert, cert_file_path) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not extract certificate.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cert_key_pair: INFO: extracting associated PK to file `%s'.\n", ++ key_file_path, 0, 0 ); ++ if ( 0 == tlsmc_extract_key_of_cert_to_file( cert, pin_filename, key_file_path ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not extract PK.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ } else { ++ /* symlink PEM cert/key PEM files */ ++ ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: INFO: could not find certificate with nickname `%s', expecting a PEM file.\n", ++ nickname, 0, 0 ); ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cert_key_pair: INFO: symlinking certificate file `%s' to file `%s'.\n", ++ nickname, cert_file_path, 0 ); ++ if ( NULL == ( file_realpath = realpath( nickname, NULL ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not get realpath of certificate file `%s'.\n", ++ nickname, 0, 0 ); ++ goto bail; ++ } ++ if ( -1 == symlink( file_realpath, cert_file_path ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not create a symlink of `%s' to `%s'.\n", ++ file_realpath, cert_file_path, 0 ); ++ goto bail; ++ } ++ if ( file_realpath ) free( file_realpath ); ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cert_key_pair: INFO: symlinking PK file `%s' to file `%s'.\n", ++ pin_filename, key_file_path, 0 ); ++ if ( NULL == ( file_realpath = realpath( pin_filename, NULL ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not get 
realpath of PK file `%s'.\n", ++ pin_filename, 0, 0 ); ++ goto bail; ++ } ++ if ( -1 == symlink( file_realpath, key_file_path ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cert_key_pair: ERROR: could not create a symlink of `%s' to `%s'.\n", ++ file_realpath, key_file_path, 0 ); ++ goto bail; ++ } ++ } ++ ++ rv = 1; ++ ++bail: ++ if (file_realpath) free(file_realpath); ++ if (key_file_path) PR_smprintf_free(key_file_path); ++ if (cert_file_path) PR_smprintf_free(cert_file_path); ++ if (cert) CERT_DestroyCertificate(cert); ++ return rv; ++} ++ ++ ++/* BORROWED FROM 389ds: ssl.c */ ++int ++tlsmc_extract_cacerts( char *dir_name ) ++{ ++ int rv = 0; ++ CERTCertDBHandle *certHandle = NULL; ++ CERTCertListNode *node = NULL; ++ CERTCertList *list = NULL; ++ char *cacerts_dir = NULL; ++ int cert_cnt = 0; ++ ++ cacerts_dir = PR_smprintf( "%s/" TLSMC_CACERTS_DIR_NAME, dir_name ); ++ ++ certHandle = CERT_GetDefaultCertDB(); // FIXME maybe we should really use certdb_slot? ++ if ( ! certHandle ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cacerts: could not get certificate database handle.\n", ++ 0, 0, 0); ++ goto bail; ++ } ++ ++ list = PK11_ListCerts(PK11CertListAll, NULL); ++ if ( ! 
list ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cacerts: could not get list of certificates.\n", ++ 0, 0, 0); ++ goto bail; ++ } ++ for ( node = CERT_LIST_HEAD(list); ++ !CERT_LIST_END(node, list); ++ node = CERT_LIST_NEXT(node)) { ++ ++ CERTCertificate *cert = NULL; ++ CERTCertTrust trust; ++ char *cert_file_path = NULL; ++ int is_ca = 0; ++ ++ cert = node->cert; ++ if ( SECFailure == CERT_GetCertTrust( cert, &trust ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cacerts: ERROR: could not get trust flags of certificate nick=`%s'.\n", ++ cert->nickname, 0, 0); ++ goto bail; ++ } ++ if (trust.sslFlags & ++ (CERTDB_VALID_CA | CERTDB_TRUSTED_CA | CERTDB_TRUSTED_CLIENT_CA)) { ++ is_ca = 1; ++ } ++ ++ Debug(LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cacerts: INFO: found cert nick=`%s'%s.\n", ++ cert->nickname, is_ca ? ", a trusted CA" : ", _not_ a trusted CA, skipping", 0); ++ if ( ! is_ca ) continue; ++ ++ cert_file_path = PR_smprintf( "%s/cert%d.pem", cacerts_dir, cert_cnt ); ++ cert_cnt++; ++ Debug(LDAP_DEBUG_TRACE, ++ "tlsmc_extract_cacerts: INFO: extracting cert nick=`%s' to file `%s'.\n", ++ cert->nickname, cert_file_path, 0); ++ if ( 0 == tlsmc_extract_cert_to_file( certHandle, cert, cert_file_path ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cacerts: ERROR: could not extract the certificate.\n", ++ 0, 0, 0); ++ goto bail_one; ++ } ++ if ( 0 == tlsmc_cert_create_hash_symlink( cert_file_path, cacerts_dir ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_cacerts: ERROR: could not rehash the certificate.\n", ++ 0, 0, 0); ++ goto bail_one; ++ } ++ if ( cert_file_path ) PR_smprintf_free( cert_file_path ); ++ continue; ++ bail_one: ++ if ( cert_file_path ) PR_smprintf_free( cert_file_path ); ++ goto bail; ++ } ++ ++ rv = 1; ++bail: ++ if ( cacerts_dir ) PR_smprintf_free( cacerts_dir ); ++ if ( list ) CERT_DestroyCertList( list ); ++ return rv; ++} ++ ++ ++/* returns 1 if successfull; ++ returns -1 if only cert-key pair is NULL or could not be extracted; ++ 
returns 0 if any other error ++*/ ++int ++tlsmc_extract_nssdb( char *dir_name, char **ld_cacertdir, char **ld_cert, char **ld_key ) ++{ ++ int rv = 0; ++ ++ if ( ! dir_name ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_nssdb: FATAL: target dir name empty.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ if ( 0 == tlsmc_extract_cacerts( dir_name ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_nssdb: ERROR: could not export CA certificates.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ if ( 0 == tlsmc_extract_cert_key_pair( *ld_cert, *ld_key, dir_name ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_extract_nssdb: ERROR: could not export user cert and/or key.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ rv = 1; ++bail: ++ return rv; ++} ++ ++ ++/* BORROWED FROM tls_m.c */ ++int ++tlsmc_close_nssdb(NSSInitContext **initctx) ++{ ++ if ( *initctx && NSS_ShutdownContext( *initctx ) ) { ++ PRErrorCode errcode = PR_GetError(); ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_close_nssdb: ERROR: could not shutdown NSS - error %d:%s.\n", ++ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); ++ return 0; ++ } else { ++ return 1; ++ } ++} ++ ++ ++int ++tlsmc_convert( char **ld_cacertdir, char **ld_cert, char **ld_key ) ++{ ++ ++ int rv = 0; ++ ++ NSSInitContext *nss_ctx = NULL; ++ char *nssdb_dir_path = NULL; ++ char *nssdb_prefix = NULL; ++ char *pem_dir = NULL; ++ char *readme_path = NULL; ++ char *data = NULL; // data before checksum ++ char *checksum = NULL; // checksummed data ++ struct stat stat_buf; ++ ++#ifdef LDAP_R_COMPILE ++ ldap_pvt_thread_mutex_lock( &tlsmc_mutex ); ++#endif ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `%s'.\n", ++ *ld_cacertdir, 0, 0 ); ++ if ( NULL == ld_cacertdir || NULL == ld_cert || NULL == ld_key ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: ERROR: cannot proceed, some of the arguments are NULL.\n", ++ 0, 0, 0 ); ++ rv = 1; ++ goto bail; ++ } ++ if ( 0 == tlsmc_open_nssdb( *ld_cacertdir, &nss_ctx, 
&nssdb_dir_path, &nssdb_prefix ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: INFO: cannot open the NSS DB, expecting PEM configuration is present.\n", ++ 0, 0, 0 ); ++ rv = 1; ++ goto bail; ++ } ++ ++ if ( NULL == ( checksum = tlsmc_compute_checksum( nssdb_dir_path, nssdb_prefix, ++ *ld_cacertdir, *ld_cert, *ld_key, ++ &data ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: ERROR: could not compute checksum.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ if ( NULL == ( pem_dir = PR_smprintf( "/tmp/openldap-tlsmc-%s-%s-%s", ++ tlsmc_path2name( nssdb_dir_path ), ++ nssdb_prefix, ++ checksum) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: could not allocate memory.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ if ( NULL == ( readme_path = PR_smprintf( "%s/" TLSMC_README_FILE_NAME, pem_dir ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: could not allocate memory.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_convert: INFO: trying with PEM dir = `%s'.\n", ++ pem_dir, 0, 0 ); ++ if ( 0 == stat( pem_dir, &stat_buf ) ) { ++ if ( S_ISDIR(stat_buf.st_mode) ) { ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_convert: INFO: using the existing PEM dir.\n", ++ 0, 0, 0 ); ++ if ( 0 == stat( readme_path, &stat_buf ) ) { ++ goto pem_dir_exists; ++ } else { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: ERROR: the PEM dir found does not contain README file. Will remove the PEM dir and try to recreate it.\n", ++ 0, 0, 0 ); ++ if ( 0 == tlsmc_remove_dir_recursively( pem_dir ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: could not remove the PEM dir. 
Cannot properly set TLS.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ } ++ } else { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: tried to stat the PEM dir but it is not a directory.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ } ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_convert: WARN: will try to create PEM dir.\n", ++ 0, 0, 0 ); ++ if ( 0 == tlsmc_prepare_dir( pem_dir ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: cannot prepare the PEM dir.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ if ( 0 == tlsmc_extract_nssdb( pem_dir, ld_cacertdir, ld_cert, ld_key ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: FATAL: could not extract from the NSS DB.\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ if ( 0 == tlsmc_write_file( readme_path, data, S_IRUSR ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: ERROR: could not create README file.\n", ++ 0, 0, 0 ); ++ } ++ ++pem_dir_exists: ++ if (*ld_cacertdir) free(*ld_cacertdir); ++ *ld_cacertdir = PR_smprintf( "%s/" TLSMC_CACERTS_DIR_NAME, pem_dir ); ++ if ( ! ( ( 0 == stat( *ld_cacertdir, &stat_buf ) ) ++ && S_ISDIR(stat_buf.st_mode) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: WARN: extracted cacerts dir is not present.\n", ++ 0, 0, 0 ); ++ if ( *ld_cacertdir ) PR_smprintf_free( *ld_cacertdir ); ++ *ld_cacertdir = NULL; ++ } ++ ++ if (*ld_cert) free(*ld_cert); ++ *ld_cert = PR_smprintf( "%s/" TLSMC_CERT_FILE_NAME, pem_dir ); ++ if ( ! ( ( 0 == stat( *ld_cert, &stat_buf ) ) ++ && ( S_ISREG(stat_buf.st_mode) ++ || S_ISLNK(stat_buf.st_mode) ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: WARN: extracted cert file is not present.\n", ++ 0, 0, 0 ); ++ if ( *ld_cert ) PR_smprintf_free( *ld_cert ); ++ *ld_cert = NULL; ++ } ++ ++ if (*ld_key) free(*ld_key); ++ *ld_key = PR_smprintf( "%s/" TLSMC_KEY_FILE_NAME, pem_dir ); ++ if ( ! 
( ( 0 == stat( *ld_key, &stat_buf ) ) ++ && ( S_ISREG(stat_buf.st_mode) ++ || S_ISLNK(stat_buf.st_mode) ) ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_convert: WARN: extracted key file is not present.\n", ++ 0, 0, 0 ); ++ if ( *ld_key ) PR_smprintf_free( *ld_key ); ++ *ld_key = NULL; ++ } ++ ++ rv = 1; ++ ++bail: ++ if ( checksum ) free( checksum ); ++ if ( pem_dir ) PR_smprintf_free( pem_dir ); ++ if ( readme_path ) PR_smprintf_free( readme_path ); ++ if ( data ) free( data ); ++ if ( nssdb_prefix ) free( nssdb_prefix ); ++ if ( nssdb_dir_path ) free( nssdb_dir_path ); ++ if ( nss_ctx ) tlsmc_close_nssdb( &nss_ctx ); ++ ++#ifdef LDAP_R_COMPILE ++ ldap_pvt_thread_mutex_unlock( &tlsmc_mutex ); ++#endif ++ ++ return rv; ++} ++ ++ ++// returns 0 when successful ++int ++tlsmc_intercept_initialization( struct ldapoptions *lo, int is_server ) ++{ ++ int rv = 0; ++ char *ld_cacertdir = NULL; ++ char *ld_cert = NULL; ++ char *ld_key = NULL; ++ ++ ld_cacertdir = lo->ldo_tls_cacertdir ? LDAP_STRDUP( (char *) lo->ldo_tls_cacertdir ) : NULL; ++ ld_cert = lo->ldo_tls_certfile ? LDAP_STRDUP( (char *) lo->ldo_tls_certfile ) : NULL; ++ ld_key = lo->ldo_tls_keyfile ? LDAP_STRDUP( (char *) lo->ldo_tls_keyfile ) : NULL; ++ ++ Debug( LDAP_DEBUG_TRACE, ++ "tlsmc_intercept_initialization: INFO: entry options follow:\n" ++ "tlsmc_intercept_initialization: INFO: cacertdir = `%s'\n" ++ "tlsmc_intercept_initialization: INFO: certfile = `%s'\n" ++ "tlsmc_intercept_initialization: INFO: keyfile = `%s'\n", ++ lo->ldo_tls_cacertdir, lo->ldo_tls_certfile, lo->ldo_tls_keyfile ); ++ ++ if ( 0 == tlsmc_convert( &ld_cacertdir, &ld_cert, &ld_key ) ) { ++ Debug( LDAP_DEBUG_ANY, ++ "tlsmc_intercept_initialization: FATAL: could not intercept TLS initialization. TLS will not work!\n", ++ 0, 0, 0 ); ++ goto bail; ++ } ++ ++ if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir ); ++ lo->ldo_tls_cacertdir = ld_cacertdir ? 
LDAP_STRDUP( (char *) ld_cacertdir ) : NULL;
++
++ if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile );
++ lo->ldo_tls_certfile = ld_cert ? LDAP_STRDUP( (char *) ld_cert ) : NULL;
++
++ if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile );
++ lo->ldo_tls_keyfile = ld_key ? LDAP_STRDUP( (char *) ld_key ) : NULL;
++
++ Debug( LDAP_DEBUG_TRACE,
++ "tlsmc_intercept_initialization: INFO: altered options follow:\n"
++ "tlsmc_intercept_initialization: INFO: cacertdir = `%s'\n"
++ "tlsmc_intercept_initialization: INFO: certfile = `%s'\n"
++ "tlsmc_intercept_initialization: INFO: keyfile = `%s'\n",
++ lo->ldo_tls_cacertdir, lo->ldo_tls_certfile, lo->ldo_tls_keyfile );
++
++ Debug( LDAP_DEBUG_ANY,
++ "tlsmc_intercept_initialization: INFO: successfully intercepted TLS initialization. Continuing with OpenSSL only.\n",
++ 0, 0, 0 );
++ rv = 1;
++bail:
++ if ( ld_cacertdir ) LDAP_FREE( ld_cacertdir );
++ if ( ld_cert ) LDAP_FREE( ld_cert );
++ if ( ld_key ) LDAP_FREE( ld_key );
++ return rv;
++}
++
++
++#endif /* HAVE_MOZNSS_COMPATIBILITY */
++/*
++ emacs settings
++ Local Variables:
++ indent-tabs-mode: t
++ tab-width: 4
++ End:
++*/
+diff --git a/libraries/libldap/tls_mc.h b/libraries/libldap/tls_mc.h
+new file mode 100644
+--- /dev/null
++++ b/libraries/libldap/tls_mc.h
+@@ -0,0 +1,18 @@
++#ifndef _LDAP_TLSMC_H
++#define _LDAP_TLSMC_H
++
++#include "portable.h"
++
++#ifdef HAVE_MOZNSS_COMPATIBILITY
++
++#include "ldap-int.h"
++
++int
++tlsmc_convert( char **ld_cacertdir, char **ld_cert, char **ld_key );
++
++int
++tlsmc_intercept_initialization( struct ldapoptions *lo, int is_server );
++
++
++#endif /* HAVE_MOZNSS_COMPATIBILITY */
++#endif /* _LDAP_TLSMC_H */
+diff --git a/libraries/libldap/tls_mc_ossl.c b/libraries/libldap/tls_mc_ossl.c
+new file mode 100644
+--- /dev/null
++++ b/libraries/libldap/tls_mc_ossl.c
+@@ -0,0 +1,95 @@
++#include "portable.h"
++
++/* This file contains functions that require OpenSSL headers due to some
++ conflicts with what MozNSS defines.
++*/
++
++#ifdef HAVE_MOZNSS_COMPATIBILITY
++
++#include
++#include
++#include "ldap-int.h"
++#include
++#include
++#include
++
++
++int
++tlsmc_cert_create_hash_symlink( char *cert_path, char *cacerts_dir )
++{
++ int rv = 0;
++ X509 *cert = NULL;
++ FILE *fp = NULL;
++ unsigned long hash = 0;
++ char *cert_filename_p = NULL;
++ char *last_slash_p = NULL;
++ char *symlink_path = NULL;
++ int cnt = 0;
++
++ if ( NULL == ( fp = fopen( cert_path, "r" ) ) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "tlsmc_cert_create_hash_symlink: ERROR: could not open the cert file.\n",
++ 0, 0, 0 );
++ perror( "tlsmc_cert_create_hash_symlink: ERROR: OS error" );
++ goto bail;
++ }
++ if ( NULL == PEM_read_X509( fp, &cert, NULL, NULL ) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "tlsmc_cert_create_hash_symlink: ERROR: could not read PEM data.\n",
++ 0, 0, 0 );
++ goto bail;
++ }
++ if ( 0 == ( hash = X509_subject_name_hash( cert ) ) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "tlsmc_cert_create_hash_symlink: ERROR: could not hash subject.\n",
++ 0, 0, 0 );
++ goto bail;
++ }
++
++ last_slash_p = strrchr( cert_path, '/' );
++ cert_filename_p = last_slash_p ? last_slash_p + 1 : cert_path;
++ for ( cnt = 0; cnt < 10; cnt++ ) {
++ if ( NULL == ( symlink_path = PR_smprintf( "%s/%08lx.%d", cacerts_dir, hash, cnt ) ) ) {
++ Debug( LDAP_DEBUG_ANY,
++ "tlsmc_cert_create_hash_symlink: ERROR: memory allocation error.\n",
++ 0, 0, 0 );
++ continue;
++ }
++ if ( 0 != symlink( cert_filename_p, symlink_path ) ) {
++ if ( errno == EEXIST ) {
++ Debug( LDAP_DEBUG_ANY,
++ "tlsmc_cert_create_hash_symlink: INFO: symlink `%s' already exists.\n",
++ symlink_path, 0, 0 );
++ if ( symlink_path ) PR_smprintf( symlink_path );
++ continue;
++ }
++ Debug( LDAP_DEBUG_ANY,
++ "tlsmc_cert_create_hash_symlink: ERROR: could not create symlink.\n",
++ 0, 0, 0 );
++ perror( "tlsmc_cert_create_hash_symlink: ERROR: OS error" );
++ goto bail;
++ }
++ Debug( LDAP_DEBUG_TRACE,
++ "tlsmc_cert_create_hash_symlink: INFO: the cert is now symlinked to %s.\n",
++ symlink_path, 0, 0 );
++ rv = 1;
++ goto bail;
++ }
++ Debug( LDAP_DEBUG_ANY,
++ "tlsmc_cert_create_hash_symlink: INFO: could not create symlink (all possible file names taken).\n",
++ 0, 0, 0 );
++bail:
++ if ( symlink_path ) PR_smprintf_free( symlink_path );
++ if ( cert ) X509_free( cert );
++ if ( fp ) fclose( fp );
++ return rv;
++}
++
++#endif /* HAVE_MOZNSS_COMPATIBILITY */
++/*
++ emacs settings
++ Local Variables:
++ indent-tabs-mode: t
++ tab-width: 4
++ End:
++*/
+diff --git a/libraries/libldap/tls_mc_ossl.h b/libraries/libldap/tls_mc_ossl.h
+new file mode 100644
+--- /dev/null
++++ b/libraries/libldap/tls_mc_ossl.h
+@@ -0,0 +1,12 @@
++#ifndef _LDAP_TLSMC_OSSL_H
++#define _LDAP_TLSMC_OSSL_H
++
++#include "portable.h"
++
++#ifdef HAVE_MOZNSS_COMPATIBILITY
++
++int
++tlsmc_cert_create_hash_symlink( char *cert_path, char *cacerts_dir );
++
++#endif
++#endif
+diff --git a/libraries/libldap_r/Makefile.in b/libraries/libldap_r/Makefile.in
+--- a/libraries/libldap_r/Makefile.in
++++ b/libraries/libldap_r/Makefile.in
+@@ -28,7 +28,7 @@ XXSRCS = apitest.c test.c \
+ request.c os-ip.c url.c pagectrl.c
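Review bot: In the `errno == EEXIST` branch of the retry loop, `if ( symlink_path ) PR_smprintf( symlink_path );` calls the formatting function instead of the free function, so the buffer is passed as a format string (any `%` in `cacerts_dir` would be interpreted), the newly formatted result is discarded, and the old buffer leaks when the next iteration overwrites `symlink_path`. The line should read `PR_smprintf_free( symlink_path ); symlink_path = NULL;`. The `memory allocation error` branch also `continue`s and re-attempts the same allocation up to ten times; a `goto bail` there seems the better choice, though that is a judgement call.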
sortctrl.c vlvctrl.c \
+ init.c options.c print.c string.c util-int.c schema.c \
+ charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
+- tls2.c tls_o.c tls_g.c tls_m.c \
++ tls2.c tls_o.c tls_g.c tls_m.c tls_mc.c tls_mc_ossl.c \
+ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
+ assertion.c deref.c ldif.c fetch.c
+ SRCS = threads.c rdwr.c rmutex.c tpool.c rq.c \
+@@ -46,7 +46,7 @@ OBJS = threads.lo rdwr.lo rmutex.lo tpool.lo rq.lo \
+ request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
+ init.lo options.lo print.lo string.lo util-int.lo schema.lo \
+ charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
+- tls2.lo tls_o.lo tls_g.lo tls_m.lo \
++ tls2.lo tls_o.lo tls_g.lo tls_m.lo tls_mc.lo tls_mc_ossl.lo \
+ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
+ assertion.lo deref.lo ldif.lo fetch.lo
+
diff --git a/SOURCES/openldap-userconfig-setgid.patch b/SOURCES/openldap-userconfig-setgid.patch
new file mode 100644
index 0000000..70f0d28
--- /dev/null
+++ b/SOURCES/openldap-userconfig-setgid.patch
@@ -0,0 +1,18 @@
+Normally, skips reading of user configuration file when running with different effective UID.
+This patch adds the same behavior for GID.
+
+Author: Nalin Dahyabhai
+
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index e6b17b4..fbf4829 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -678,7 +678,7 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl )
+ openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
+
+ #ifdef HAVE_GETEUID
+- if ( geteuid() != getuid() )
++ if ( geteuid() != getuid() || getegid() != getgid() )
+ return;
+ #endif
+
diff --git a/SOURCES/openldap.tmpfiles b/SOURCES/openldap.tmpfiles
new file mode 100644
index 0000000..aa0e805
--- /dev/null
+++ b/SOURCES/openldap.tmpfiles
@@ -0,0 +1,3 @@
+# OpenLDAP TLSMC runtime directories
+x /tmp/openldap-tlsmc-*
+X /tmp/openldap-tlsmc-*
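Review bot: The added `getegid() != getgid()` test in init.c sits under the existing `#ifdef HAVE_GETEUID`, so the build now assumes `getegid`/`getgid` exist wherever `geteuid` does; that holds on POSIX systems but is not what the configure check established, and a comment saying so would help, e.g. `/* getegid/getgid assumed present alongside geteuid (POSIX) */`. A real/effective id comparison also misses processes that are privileged by other means, such as file capabilities or a setuid process that has since switched its effective ids; glibc exposes the kernel's view via `getauxval(AT_SECURE)` and BSDs via `issetugid()`, and where available those are the more reliable signal for skipping user-controlled configuration. ldap_int_initialize's body continues outside the hunk.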
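Review bot: The two exemption lines carry no explanation of why `/tmp/openldap-tlsmc-*` must survive tmpfiles aging, and as I read tmpfiles.d(5) `x` already excludes a matching directory together with its contents, so the `X` line (which excludes only the path itself) appears redundant. These directories receive the PEM copies the compatibility layer extracts from the NSS DB, including the key file written as `TLSMC_KEY_FILE_NAME` in tls_mc.c earlier in this commit, so the exemption means that material is never aged out of /tmp; the header comment should say so, e.g. `# PEM extracts of the NSS DB (CA certs, cert, key) made by libldap's MozNSS compat layer; never age out, libldap reuses them by checksum`.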
diff --git a/SOURCES/slapd.ldif b/SOURCES/slapd.ldif
new file mode 100644
index 0000000..7b7f328
--- /dev/null
+++ b/SOURCES/slapd.ldif
@@ -0,0 +1,148 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+#
+# TLS settings
+#
+olcTLSCACertificatePath: /etc/openldap/certs
+olcTLSCertificateFile: "OpenLDAP Server"
+olcTLSCertificateKeyFile: /etc/openldap/certs/password
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: hdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
diff --git a/SOURCES/slapd.service b/SOURCES/slapd.service
new file mode 100644
index 0000000..8a3a722
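Review bot: In the TLS settings block, `olcTLSCertificateFile: "OpenLDAP Server"` is an NSS certificate nickname and `olcTLSCertificateKeyFile: /etc/openldap/certs/password` is the PIN file, not the certificate and key paths the attribute names suggest; with the spec in this commit building against OpenSSL with `--enable-moznss-compatibility=yes`, these values appear to work only because tls_mc.c converts the NSS DB into PEM files under `/tmp/openldap-tlsmc-*` at startup. Anyone editing this file would benefit from a comment next to those three attributes, e.g. `# NSS-style values (nickname + PIN file): the MozNSS compatibility layer converts the NSS DB to PEM at startup`. The existing comment that the file must not be world readable is well placed given that PIN file path.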
--- /dev/null
+++ b/SOURCES/slapd.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+PIDFile=/var/run/openldap/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/SOURCES/slapd.sysconfig b/SOURCES/slapd.sysconfig
new file mode 100644
index 0000000..68091a5
--- /dev/null
+++ b/SOURCES/slapd.sysconfig
@@ -0,0 +1,15 @@
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+# - ldapi:/// is required for on-the-fly configuration using client tools
+# (use SASL with EXTERNAL mechanism for authentication)
+# - default: ldapi:/// ldap:///
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldapi:/// ldap:///"
+
+# Any custom options
+#SLAPD_OPTIONS=""
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
diff --git a/SOURCES/slapd.tmpfiles b/SOURCES/slapd.tmpfiles
new file mode 100644
index 0000000..56aa32e
--- /dev/null
+++ b/SOURCES/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
new file mode 100644
index 0000000..5570043
--- /dev/null
+++ b/SPECS/openldap.spec
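Review bot: The `[Service]` section runs slapd with no systemd sandboxing, so a compromised server process keeps the full filesystem and device view even after `-u ldap` drops privileges; `ProtectHome=true` and `PrivateDevices=true` look safe to add as-is, while `ProtectSystem=` would need a read-write carve-out for `/etc/openldap/slapd.d` because cn=config modifications write there, and `PrivateTmp=true` would have to be checked against the compatibility layer's use of `/tmp/openldap-tlsmc-*` elsewhere in this commit. `After=syslog.target` is also obsolete on current systemd and can be dropped, leaving `After=network-online.target`.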
@@ -0,0 +1,2214 @@ +%global _hardened_build 1 + +%global systemctl_bin /usr/bin/systemctl +%global check_password_version 1.1 + +Name: openldap +Version: 2.4.44 +Release: 21%{?dist} +Summary: LDAP support libraries +Group: System Environment/Daemons +License: OpenLDAP +URL: http://www.openldap.org/ +Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz +Source1: slapd.service +Source2: slapd.sysconfig +Source3: slapd.tmpfiles +Source4: slapd.ldif +Source5: ldap.conf +Source6: openldap.tmpfiles +Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz +Source50: libexec-functions +Source51: libexec-convert-config.sh +Source52: libexec-check-config.sh +Source53: libexec-upgrade-db.sh +Source54: libexec-create-certdb.sh +Source55: libexec-generate-server-cert.sh +Source56: libexec-update-ppolicy-schema.sh + +# patches for 2.4 +Patch0: openldap-manpages.patch +Patch1: openldap-ppolicy-loglevels.patch +Patch2: openldap-sql-linking.patch +Patch3: openldap-reentrant-gethostby.patch +Patch4: openldap-smbk5pwd-overlay.patch +Patch5: openldap-ldaprc-currentdir.patch +Patch6: openldap-userconfig-setgid.patch +Patch7: openldap-allop-overlay.patch +Patch8: openldap-syncrepl-unset-tls-options.patch +Patch9: openldap-man-sasl-nocanon.patch +Patch10: openldap-ai-addrconfig.patch +# fix back_perl problems with lt_dlopen() +# might cause crashes because of symbol collisions +# the proper fix is to link all perl modules against libperl +# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585 +Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch +# ldapi sasl fix pending upstream inclusion +Patch20: openldap-ldapi-sasl.patch +# coverity - missin_unlock in servers/slapd/overlays/accesslog.c +Patch21: openldap-missing-unlock-in-accesslog-overlay.patch +Patch23: openldap-module-passwd-sha2.patch +# pending upstream inclusion, ITS #7744 +Patch24: openldap-man-tls-reqcert.patch +Patch25: 
openldap-man-ldap-conf.patch +Patch35: openldap-ITS8428-init-sc_writewait.patch +Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch +Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch +Patch38: openldap-ITS8720-back-ldap-starttls-timeout.patch + +# fixes for DH and ECDH +Patch50: openldap-openssl-its7506-fix-DH-params-1.patch +Patch51: openldap-openssl-its7506-fix-DH-params-2.patch +Patch52: openldap-openssl-ITS7595-Add-EC-support-1.patch +Patch53: openldap-openssl-ITS7595-Add-EC-support-2.patch + +# check-password module specific patches +Patch90: check-password-makefile.patch +Patch91: check-password.patch +Patch92: check-password-loglevels.patch + +# MozNSS compatibility layer +Patch101: openldap-tlsmc.patch +# Fedora specific patches +Patch102: openldap-fedora-systemd.patch + +BuildRequires: cyrus-sasl-devel, nss-devel, openssl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel +BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed) +Requires: nss-tools +Requires(post): rpm, coreutils, findutils + +%description +OpenLDAP is an open source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. The openldap package contains configuration files, +libraries, and documentation for OpenLDAP. + +%package devel +Summary: LDAP development libraries and header files +Group: Development/Libraries +Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa} + +%description devel +The openldap-devel package includes the development libraries and +header files needed for compiling applications that use LDAP +(Lightweight Directory Access Protocol) internals. 
LDAP is a set of +protocols for enabling directory services over the Internet. Install +this package only if you plan to develop or will need to compile +customized LDAP clients. + +%package servers +Summary: LDAP server +License: OpenLDAP +Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils +Requires(pre): shadow-utils +Requires(post): systemd, systemd-sysv, chkconfig +Requires(preun): systemd +Requires(postun): systemd +BuildRequires: libdb-devel +BuildRequires: systemd-units +BuildRequires: cracklib-devel +Group: System Environment/Daemons +# migrationtools (slapadd functionality): +Provides: ldif2ldbm + +%description servers +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. This package contains the slapd server and related files. + +%package servers-sql +Summary: SQL support module for OpenLDAP server +Requires: openldap-servers%{?_isa} = %{version}-%{release} +Group: System Environment/Daemons + +%description servers-sql +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. This package contains a loadable module which the +slapd server can use to read data from an RDBMS. 
+ +%package clients +Summary: LDAP client utilities +Requires: openldap%{?_isa} = %{version}-%{release} +Group: Applications/Internet + +%description clients +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. The openldap-clients package contains the client +programs needed for accessing and modifying OpenLDAP directories. + +%prep +%setup -q -c -a 0 -a 10 + +pushd openldap-%{version} + +%patch101 -p1 + +# alternative include paths for Mozilla NSS +ln -s %{_includedir}/nss3 include/nss +ln -s %{_includedir}/nspr4 include/nspr + +AUTOMAKE=%{_bindir}/true autoreconf -fi + +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch35 -p1 +%patch36 -p1 +%patch37 -p1 +%patch38 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 +%patch53 -p1 + +%patch102 -p1 + +# build smbk5pwd with other overlays +ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays +mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd +# build allop with other overlays +ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays +mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop +mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5 +# build sha2 with other overlays +ln -s ../../../contrib/slapd-modules/passwd/sha2/{sha2.{c,h},slapd-sha2.c} \ + servers/slapd/overlays +ls servers/slapd/overlays +mv contrib/slapd-modules/passwd/sha2/README{,.sha2} + +mv servers/slapd/back-perl/README{,.back_perl} + +# fix 
documentation encoding +for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do + iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8" + mv "$filename.utf8" "$filename" +done + +popd + +pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +%patch90 -p1 +%patch91 -p1 +%patch92 -p1 +popd + +%build + +%ifarch s390 s390x + export CFLAGS="-fPIE" +%else + export CFLAGS="-fpie" +%endif +export LDFLAGS="-pie" +# avoid stray dependencies (linker flag --as-needed) +# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS) +export CFLAGS="${CFLAGS} %{optflags} -Wl,-z,relro,-z,now,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS" + +pushd openldap-%{version} +%configure \ + --enable-debug \ + --enable-dynamic \ + --enable-syslog \ + --enable-proctitle \ + --enable-ipv6 \ + --enable-local \ + \ + --enable-slapd \ + --enable-dynacl \ + --enable-aci \ + --enable-cleartext \ + --enable-crypt \ + --enable-lmpasswd \ + --enable-spasswd \ + --enable-modules \ + --enable-rewrite \ + --enable-rlookups \ + --enable-slapi \ + --disable-slp \ + --enable-wrappers \ + \ + --enable-backends=mod \ + --enable-bdb=yes \ + --enable-hdb=yes \ + --enable-mdb=yes \ + --enable-monitor=yes \ + --disable-ndb \ + \ + --enable-overlays=mod \ + \ + --disable-static \ + --enable-shared \ + \ + --enable-moznss-compatibility=yes \ + \ + --with-cyrus-sasl \ + --without-fetch \ + --with-threads \ + --with-pic \ + --with-gnu-ld \ + \ + --libexecdir=%{_libdir} + +make %{_smp_mflags} + +# build mdb_* tools +pushd libraries/liblmdb +export XCFLAGS="$CFLAGS" +make %{_smp_mflags} +popd +popd + +pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +make LDAP_INC="-I../openldap-%{version}/include \ + -I../openldap-%{version}/servers/slapd \ + -I../openldap-%{version}/build-servers/include" +popd + +%install + +mkdir -p %{buildroot}%{_libdir}/ + +pushd openldap-%{version} +make install DESTDIR=%{buildroot} STRIP="" +pushd 
libraries/liblmdb +make install DESTDIR=%{buildroot} +popd +popd + +# install check_password module +pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +mv check_password.so check_password.so.%{check_password_version} +ln -s check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/check_password.so +install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/ +# install -m 644 README %{buildroot}%{_libdir}/openldap +install -d -m 755 %{buildroot}%{_sysconfdir}/openldap +cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf <&/dev/null || : + +%postun +#update only on package erase +if [ $1 == 0 ]; then + /sbin/ldconfig +fi + +%pre servers + +# create ldap user and group +getent group ldap &>/dev/null || groupadd -r -g 55 ldap +getent passwd ldap &>/dev/null || \ + useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap + +if [ $1 -eq 2 ]; then + # package upgrade + + old_version=$(rpm -q --qf=%%{version} openldap-servers) + new_version=%{version} + + if [ "$old_version" != "$new_version" ]; then + touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null + fi +fi + +exit 0 + + +%post servers + +/sbin/ldconfig -n %{_libdir}/openldap + +%systemd_post slapd.service + +# generate sample TLS certificate for server (will not replace) +%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || : + +# generate/upgrade configuration +if [ ! 
-f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then + if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then + %{_libexecdir}/openldap/convert-config.sh &>/dev/null + mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak + else + %{_libexecdir}/openldap/convert-config.sh -f %{_datadir}/openldap-servers/slapd.ldif &>/dev/null + fi +fi + +start_slapd=0 + +# upgrade the database +if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then + if %{systemctl_bin} --quiet is-active slapd.service; then + %{systemctl_bin} stop slapd.service + start_slapd=1 + fi + + %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap +fi + +# ensure ppolicy schema updated (bug #1487857) +if [ $1 -eq 2 ]; then + if [ -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then + %{_libexecdir}/openldap/update-ppolicy-schema.sh &>/dev/null + fi +fi + +# conversion from /etc/sysconfig/ldap to /etc/sysconfig/slapd +if [ $1 -eq 2 ]; then + # we expect that 'ldap' will be renamed to 'ldap.rpmsave' after removing the old package + if [ -r %{_sysconfdir}/sysconfig/ldap ]; then + source %{_sysconfdir}/sysconfig/ldap &>/dev/null + + new_urls= + [ "$SLAPD_LDAP" != "no" ] && new_urls="$new_urls ldap:///" + [ "$SLAPD_LDAPI" != "no" ] && new_urls="$new_urls ldapi:///" + [ "$SLAPD_LDAPS" == "yes" ] && new_urls="$new_urls ldaps:///" + [ -n "$SLAPD_URLS" ] && new_urls="$new_urls $SLAPD_URLS" + + failure=0 + cp -f %{_sysconfdir}/sysconfig/slapd %{_sysconfdir}/sysconfig/slapd.rpmconvert + sed -i '/^#\?SLAPD_URLS=/s@.*@SLAPD_URLS="'"$new_urls"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1 + [ -n "$SLAPD_OPTIONS" ] && \ + sed -i '/^#\?SLAPD_OPTIONS=/s@.*$@SLAPD_OPTIONS="'"$SLAPD_OPTIONS"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1 + + if [ $failure -eq 0 ]; then + mv -f %{_sysconfdir}/sysconfig/slapd.rpmconvert %{_sysconfdir}/sysconfig/slapd + else + rm -f 
%{_sysconfdir}/sysconfig/slapd.rpmconvert + fi + fi +fi + +# restart after upgrade +if [ $1 -ge 1 ]; then + if [ $start_slapd -eq 1 ]; then + %{systemctl_bin} start slapd.service &>/dev/null || : + else + %{systemctl_bin} condrestart slapd.service &>/dev/null || : + fi +fi + +exit 0 + +%preun servers + +%systemd_preun slapd.service + + +%postun servers + +/sbin/ldconfig ${_libdir}/openldap +%systemd_postun_with_restart slapd.service + + +%triggerun servers -- openldap-servers < 2.4.26-6 + +# migration from SysV to systemd +/usr/bin/systemd-sysv-convert --save slapd &>/dev/null || : +/usr/sbin/chkconfig --del slapd &>/dev/null || : +%{systemctl_bin} try-restart slapd.service &>/dev/null || : + + +%triggerin servers -- libdb + +# libdb upgrade (setup for %%triggerun) +if [ $2 -eq 2 ]; then + # we are interested in minor version changes (both versions of libdb are installed at this moment) + if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then + touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb + else + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb + fi +fi + +exit 0 + + +%triggerun servers -- libdb + +# libdb upgrade (finish %%triggerin) +if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then + if %{systemctl_bin} --quiet is-active slapd.service; then + %{systemctl_bin} stop slapd.service + start=1 + else + start=0 + fi + + %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb + + [ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null +fi + +exit 0 + + +%files +%doc openldap-%{version}/ANNOUNCEMENT +%doc openldap-%{version}/CHANGES +%doc openldap-%{version}/COPYRIGHT +%doc openldap-%{version}/LICENSE +%doc openldap-%{version}/README +%dir %{_sysconfdir}/openldap +%dir %{_sysconfdir}/openldap/certs +%config(noreplace) %{_sysconfdir}/openldap/ldap.conf +%config(noreplace) %{_tmpfilesdir}/openldap.conf +%dir %{_libexecdir}/openldap/ 
+%{_libexecdir}/openldap/create-certdb.sh +%{_libdir}/liblber-2.4*.so.* +%{_libdir}/libldap-2.4*.so.* +%{_libdir}/libldap_r-2.4*.so.* +%{_libdir}/libslapi-2.4*.so.* +%{_mandir}/man5/ldif.5* +%{_mandir}/man5/ldap.conf.5* + +%files servers +%doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd +%doc openldap-%{version}/doc/guide/admin/*.html +%doc openldap-%{version}/doc/guide/admin/*.png +%doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm +%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl +%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl +%doc ltb-project-openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd +%doc README.schema +%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d +%config(noreplace) %{_sysconfdir}/openldap/schema +%config(noreplace) %{_sysconfdir}/sysconfig/slapd +%config(noreplace) %{_tmpfilesdir}/slapd.conf +%config(noreplace) %{_sysconfdir}/openldap/check_password.conf +%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap +%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap +%{_unitdir}/slapd.service +%{_datadir}/openldap-servers/ +%{_libdir}/openldap/accesslog* +%{_libdir}/openldap/auditlog* +%{_libdir}/openldap/allop* +%{_libdir}/openldap/back_dnssrv* +%{_libdir}/openldap/back_ldap* +%{_libdir}/openldap/back_meta* +%{_libdir}/openldap/back_null* +%{_libdir}/openldap/back_passwd* +%{_libdir}/openldap/back_relay* +%{_libdir}/openldap/back_shell* +%{_libdir}/openldap/back_sock* +%{_libdir}/openldap/back_perl* +%{_libdir}/openldap/collect* +%{_libdir}/openldap/constraint* +%{_libdir}/openldap/dds* +%{_libdir}/openldap/deref* +%{_libdir}/openldap/dyngroup* +%{_libdir}/openldap/dynlist* +%{_libdir}/openldap/memberof* +%{_libdir}/openldap/pcache* +%{_libdir}/openldap/ppolicy* +%{_libdir}/openldap/refint* +%{_libdir}/openldap/retcode* +%{_libdir}/openldap/rwm* +%{_libdir}/openldap/seqmod* +%{_libdir}/openldap/pw-sha2* 
+%{_libdir}/openldap/smbk5pwd*
+%{_libdir}/openldap/sssvlv*
+%{_libdir}/openldap/syncprov*
+%{_libdir}/openldap/translucent*
+%{_libdir}/openldap/unique*
+%{_libdir}/openldap/valsort*
+%{_libdir}/openldap/check_password*
+%{_libexecdir}/openldap/functions
+%{_libexecdir}/openldap/convert-config.sh
+%{_libexecdir}/openldap/check-config.sh
+%{_libexecdir}/openldap/upgrade-db.sh
+%{_libexecdir}/openldap/generate-server-cert.sh
+%{_libexecdir}/openldap/update-ppolicy-schema.sh
+%{_libexecdir}/openldap/mdb_*
+%{_libexecdir}/openldap/man/man1/mdb_*
+%{_sbindir}/sl*
+%{_mandir}/man8/*
+%{_mandir}/man5/slapd*.5*
+%{_mandir}/man5/slapo-*.5*
+# obsolete configuration
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
+%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf.bak
+
+%files servers-sql
+%doc openldap-%{version}/servers/slapd/back-sql/docs/*
+%doc openldap-%{version}/servers/slapd/back-sql/rdbms_depend
+%{_libdir}/openldap/back_sql*
+
+%files clients
+%{_bindir}/*
+%{_mandir}/man1/*
+
+%files devel
+%doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc
+%{_libdir}/lib*.so
+%{_includedir}/*
+%{_mandir}/man3/*
+
+%changelog
+* Tue Dec 18 2018 Matus Honek - 2.4.44-21
+- MozNSS Compat. Layer: Protect /tmp/openldap-tlsmc-* files (#1590184)
+
+* Tue Aug 21 2018 Matus Honek - 2.4.44-20
+- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1584922)
+
+* Tue Aug 14 2018 Matus Honek - 2.4.44-19
+- Backport upstream fixes for ITS 7506 - fix OpenSSL DH params usage (#1584922)
+
+* Thu Jun 21 2018 Matus Honek - 2.4.44-18
+- MozNSS Compat. Layer: Make log messages more clear (#1543955)
+- Build with LDAP_USE_NON_BLOCKING_TLS (#1471039)
+
+* Thu Jun 21 2018 Matus Honek - 2.4.44-17
+- MozNSS Compat. Layer: Fix memleaks reported by valgrind (#1575549)
+- Reset OPTIND in libexec/functions for getopts to work in subsequent calls (#1564382)
+- MozNSS Compat. 
Layer: Fix typos, and spelling in the README file header (#1543451) + +* Wed Apr 4 2018 Matus Honek - 2.4.44-16 +- fix: back-ldap StartTLS short connection timeout with high latency connections (#1540336) + +* Thu Mar 29 2018 Matus Honek - 2.4.44-14 +- MozNSS Compat. Layer: Enforce fail when cannot extract CA certs (#1547922) + +* Wed Jan 31 2018 Matus Honek - 2.4.44-13 +- MozNSS Compat. Layer: fix recursive directory deletion (#1516409) +- MozNSS Compat. Layer: fix PIN disclaimer not always shown (#1516409) +- MozNSS Compat. Layer: fix incorrect parsing of CACertDir (#1533955) + +* Thu Jan 11 2018 Matus Honek - 2.4.44-12 +- MozNSS Compat. Layer: Ensure consistency of a PEM dir before usage (#1516409) + + Warn just before use of a PIN about key file extraction + +* Wed Jan 10 2018 Matus Honek - 2.4.44-11 +- MozNSS Compat. Layer: Enable usage of NSS DB with PEM cert/key (#1525485) + + Fix a possible invalid dereference (covscan) + +* Tue Nov 28 2017 Matus Honek - 2.4.44-10 +- Drop update-ppolicy-schema.sh scriptlet's output (#1487857) +- Fix issues in MozNSS compatibility layer (#1400578) + + Force write file with fsync to avoid race conditions + + Always filestamp both sql and dbm NSS DB variants to not rely on default DB type prefix + + Allow missing cert and key which is a valid usecase + + Create extraction folder only in /tmp to simplify selinux rules + + Fix Covscan issues + +* Fri Nov 3 2017 Matus Honek - 2.4.44-9 +- Build with OpenSSL and MozNSS compatibility layer instead of MozNSS (#1400578) + +* Thu Nov 2 2017 Matus Honek - 2.4.44-8 +- fix: Upgrading to OpenLDAP >= 2.4.43 breaks server due to ppolicy changes (#1487857) + +* Thu Nov 2 2017 Matus Honek - 2.4.44-7 +- fix: Manpage incorrectly states ./ldaprc config file is used (#1498841) + +* Thu Nov 2 2017 Matus Honek - 2.4.44-6 +- fix: Upgrading openldap-servers does not restart slapd when rebasing (#1479309) + +* Tue Jun 6 2017 Matus Honek - 2.4.44-5 +- fix CVE-2017-9287 openldap: Double free 
vulnerability in servers/slapd/back-mdb/search.c (#1458210) + +* Fri Mar 24 2017 Matus Honek - 2.4.44-4 +- NSS: Include some CHACHA20POLY1305 ciphers (#1432907) + +* Wed Mar 15 2017 Matus Honek - 2.4.44-3 +- NSS: re-register NSS_Shutdown callback (#1405354) + +* Wed Mar 15 2017 Matus Honek - 2.4.44-2 +- Include MDB tools in openldap-servers (#1428740) + +* Wed Jan 4 2017 Matus Honek - 2.4.44-1 +- Rebase to openldap-2.4.44 (#1386365) + +* Wed Aug 17 2016 Matus Honek - 2.4.40-13 +- fix: Bad log levels in check_password module +- fix: We can't search expected entries from LDAP server +- fix: OpenLDAP ciphersuite parsing doesn't match OpenSSL ciphers man page + + Add TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 to list of ciphers + + Add DH cipher string parsing option + + Correct handling kECDH ciphers with aRSA or aECDSA + +* Fri Jul 1 2016 Matus Honek - 2.4.40-12 +- fix: slapd crash in do_search (#1316450) +- fix: Setting olcTLSProtocolMin does not change supported protocols (#1249093) + +* Mon May 30 2016 Matus Honek - 2.4.40-11 +- fix: correct inconsistent slapd.d directory permissions (#1255433) + +* Mon May 30 2016 Matus Honek - 2.4.40-10 +- fix: slapd fails to start on boot (#1315958) +- fix: id_query option is not available after rebasing openldap to 2.4.39 (#1311832) +- Include sha2 module (#1292568) +- Compile AllOp together with other overlays (#990893) +- Missing mutex unlock in accesslog overlay (#1261003) +- ITS#8337 fix missing olcDbChecksum config attr (#1292590) +- ITS#8003 fix off-by-one in LDIF length (#1292619) + +* Mon Feb 22 2016 Matúš Honěk - 2.4.40-9 +- fix: nslcd segfaults due to incorrect mutex initialization (#1294385) + +* Wed Sep 23 2015 Matúš Honěk - 2.4.40-8 +- NSS does not support string ordering (#1231522) +- implement and correct order of parsing attributes (#1231522) +- add multi_mask and multi_strength to correctly handle sets of attributes (#1231522) +- add new cipher suites and correct AES-GCM attributes (#1245279) +- correct DEFAULT 
ciphers handling to exclude eNULL cipher suites (#1245279)
+
+* Mon Sep 14 2015 Matúš Honěk - 2.4.40-7
+- Merge two MozNSS cipher suite definition patches into one. (#1245279)
+- Use what NSS considers default for DEFAULT cipher string. (#1245279)
+- Remove unnecesary defaults from ciphers' definitions (#1245279)
+
+* Tue Sep 01 2015 Matúš Honěk - 2.4.40-6
+- fix: OpenLDAP shared library destructor triggers memory leaks in NSPR (#1249977)
+
+* Fri Jul 24 2015 Matúš Honěk - 2.4.40-5
+- enhancement: support TLS 1.1 and later (#1231522,#1160467)
+- fix: openldap ciphersuite parsing code handles masks incorrectly (#1231522)
+- fix the patch in commit da1b5c (fix: OpenLDAP crash in NSS shutdown handling) (#1231228)
+
+* Mon Jun 29 2015 Matúš Honěk - 2.4.40-4
+- fix: rpm -V complains (#1230263) -- make the previous fix do what was intended
+
+* Mon Jun 22 2015 Matúš Honěk - 2.4.40-3
+- fix: rpm -V complains (#1230263)
+
+* Wed Jun 3 2015 Matúš Honěk - 2.4.40-2
+- fix: missing frontend database indexing (#1226600)
+
+* Wed May 20 2015 Matúš Honěk - 2.4.40-1
+- new upstream release (#1147982)
+- fix: PIE and RELRO check (#1092562)
+- fix: slaptest doesn't convert perlModuleConfig lines (#1184585)
+- fix: OpenLDAP crash in NSS shutdown handling (#1158005)
+- fix: slapd.service may fail to start if binding to NIC ip (#1198781)
+- fix: deadlock during SSL_ForceHandshake when getting connection to replica (#1125152)
+- improve check_password (#1174723, #1196243)
+- provide an unversioned symlink to check_password.so.1.1 (#1174634)
+- add findutils to requires (#1209229)
+
+* Thu Dec 4 2014 Jan Synáček - 2.4.39-6
+- refix: slapd.ldif olcFrontend missing important/required objectclass (#1132094)
+
+* Fri Nov 28 2014 Jan Synáček - 2.4.39-5
+- add documentation reference to service file (#1087288)
+- fix: tls_reqcert try has bad behavior (#1027613)
+
+* Tue Nov 25 2014 Jan Synáček - 2.4.39-4
+- support TLS 1.1 and later (#1160468)
+- fix: /etc/openldap/certs directory is empty 
after installation (#1064251)
+- fix: Typo in script to generate /usr/libexec/openldap/generate-server-cert.sh (#1087490)
+- fix: remove correct tmp file when generating server cert (#1103101)
+- fix: slapd.ldif olcFrontend missing important/required objectclass (#1132094)
+
+* Wed Feb 26 2014 Jan Synáček - 2.4.39-3
+- move tmpfiles config to correct location (#1069513)
+
+* Wed Feb 5 2014 Jan Synáček - 2.4.39-2
+- CVE-2013-4449: segfault on certain queries with rwm overlay (#1061405)
+
+* Thu Jan 30 2014 Jan Synáček - 2.4.39-1
+- new upstream release (#1040324)
+
+* Fri Jan 24 2014 Daniel Mach - 2.4.35-12
+- Mass rebuild 2014-01-24
+
+* Thu Jan 16 2014 Jan Synáček - 2.4.35-11
+- fix: missing EOL at the end of default /etc/openldap/ldap.conf (#1053005)
+
+* Fri Dec 27 2013 Daniel Mach - 2.4.35-10
+- Mass rebuild 2013-12-27
+
+* Tue Dec 17 2013 Jan Synáček - 2.4.35-9
+- fix: more typos in manpages (#948562)
+
+* Wed Nov 13 2013 Jan Synáček - 2.4.35-8
+- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1023415)
+
+* Mon Oct 14 2013 Jan Synáček - 2.4.35-7
+- fix: CLDAP is broken for IPv6 (#1007421)
+
+* Wed Sep 4 2013 Jan Synáček - 2.4.35-6
+- fix: typos in manpages (#948562)
+
+* Fri Jun 14 2013 Jan Synáček - 2.4.35-5
+- fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0"
+
+* Thu May 09 2013 Jan Synáček 2.4.35-4
+- do not needlessly run ldconfig after installing openldap-devel
+- fix: LDAPI with GSSAPI does not work if SASL_NOCANON=on (#960222)
+- fix: lt_dlopen() with back_perl (#960048)
+
+* Tue Apr 09 2013 Jan Synáček 2.4.35-3
+- fix: minor documentation fixes
+- set SASL_NOCANON to on by default (#949864)
+- remove trailing spaces
+
+* Fri Apr 05 2013 Jan Synáček 2.4.35-2
+- drop the evolution patch
+
+* Tue Apr 02 2013 Jan Synáček 2.4.35-1
+- new upstream release (#947235)
+- fix: slapd.service should ensure that network is up before starting (#946921)
+- fix: NSS related resource leak (#929357)
+
+* 
Mon Mar 18 2013 Jan Synáček 2.4.34-2 +- fix: syncrepl push DELETE operation does not recover (#920482) +- run autoreconf every build, drop autoreconf patch (#926280) + +* Mon Mar 11 2013 Jan Synáček 2.4.34-1 +- enable perl backend (#820547) +- package ppolicy-check-password (#829749) +- add perl specific BuildRequires +- fix bogus dates + +* Wed Mar 06 2013 Jan Vcelak 2.4.34-1 +- new upstream release (#917603) +- fix: slapcat segfaults if cn=config.ldif not present (#872784) +- use systemd-rpm macros in spec file (#850247) + +* Thu Jan 31 2013 Jan Synáček 2.4.33-4 +- rebuild against new cyrus-sasl + +* Wed Oct 31 2012 Jan Vcelak 2.4.33-3 +- fix update: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455) + +* Fri Oct 12 2012 Jan Vcelak 2.4.33-2 +- fix: slapd with rwm overlay segfault following ldapmodify (#865685) + +* Thu Oct 11 2012 Jan Vcelak 2.4.33-1 +- new upstream release: + + slapd: ACLs, syncrepl + + backends: locking and memory management in MDB + + manpages: slapo-refint +- patch update: MozNSS certificate database in SQL format cannot be used (#860317) +- fix: slapd.service should not use /tmp (#859019) + +* Fri Sep 14 2012 Jan Vcelak 2.4.32-3 +- fix: some TLS ciphers cannot be enabled (#852338) +- fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476) +- fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded (#852786) +- fix: MozNSS certificate database in SQL format cannot be used (#857373) +- fix: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455) + +* Mon Aug 20 2012 Jan Vcelak 2.4.32-2 +- enhancement: TLS, prefer private keys from authenticated slots +- enhancement: TLS, allow certificate specification including token name +- resolve TLS failures in replication in 389 Directory Server + +* Wed Aug 01 2012 Jan Vcelak 2.4.32-1 +- new upstream release + + library: double free, SASL handling + + tools: 
read SASL_NOCANON from config file + + slapd: config index renumbering, duplicate error response + + backends: various fixes in mdb, bdb/hdb, ldap + + accesslog, syncprov: fix memory leaks in with replication + + sha2: portability, thread safety, support SSHA256,384,512 + + documentation fixes + +* Sat Jul 21 2012 Jan Vcelak 2.4.31-7 +- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022) + +* Fri Jul 20 2012 Jan Vcelak 2.4.31-6 +- multilib fix: move libslapi from openldap-servers to openldap package + +* Thu Jul 19 2012 Jan Vcelak 2.4.31-5 +- fix: querying for IPv6 DNS records when IPv6 is disabled on the host (#835013) +- fix: smbk5pwd module computes invalid LM hashes (#841560) + +* Wed Jul 18 2012 Jan Vcelak 2.4.31-4 +- modify the package build process + + fix autoconfig files to detect Mozilla NSS library using pkg-config + + remove compiler flags which are not needed currently + + build server, client and library together + + avoid stray dependencies by using --as-needed linker flag + + enable SLAPI interface in slapd + +* Wed Jun 27 2012 Jan Vcelak 2.4.31-3 +- update fix: count constraint broken when using multiple modifications (#795766) +- fix: invalid order of TLS shutdown operations (#808464) +- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462) +- fix: reading pin from file can make all TLS connections hang (#829317) +- CVE-2012-2668: cipher suite selection by name can be ignored (#825875) +- fix: slapd fails to start on reboot (#829272) +- fix: default cipher suite is always selected (#828790) +- fix: less influence between individual TLS contexts: + - replication with TLS does not work (#795763) + - possibly others + +* Fri May 18 2012 Jan Vcelak 2.4.31-2 +- fix: nss-tools package is required by the base package, not the server subpackage +- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536) + +* Tue Apr 24 2012 Jan Vcelak 2.4.31-1 +- new upstream release + + library: IPv6 url 
detection + + library: rebinding to failed connections + + server: various fixes in mdb backend + + server: various fixes in replication + + server: various fixes in overlays and minor backends + + documentation fixes +- remove patches which were merged upstream + +* Thu Apr 05 2012 Jan Vcelak 2.4.30-3 +- rebuild due to libdb rebase + +* Mon Mar 26 2012 Jan Synáček 2.4.30-2 +- fix: Re-binding to a failed connection can segfault (#784989) + +* Thu Mar 01 2012 Jan Vcelak 2.4.30-1 +- new upstream release + + server: fixes in mdb backend + + server: fixes in manual pages + + server: fixes in syncprov, syncrepl, and pcache +- removed patches which were merged upstream + +* Wed Feb 22 2012 Jan Vcelak 2.4.29-4 +- fix: missing options in manual pages of client tools (#796232) +- fix: SASL_NOCANON option missing in ldap.conf manual page (#732915) + +* Tue Feb 21 2012 Jan Vcelak 2.4.29-3 +- fix: ldap_result does not succeed for sssd (#771484) +- Jan Synáček : + + fix: count constraint broken when using multiple modifications (#795766) + +* Mon Feb 20 2012 Jan Vcelak 2.4.29-2 +- fix update: provide ldif2ldbm, not ldib2ldbm (#437104) +- Jan Synáček : + + unify systemctl binary paths throughout the specfile and make them usrmove compliant + + make path to chkconfig binary usrmove compliant + +* Wed Feb 15 2012 Jan Vcelak 2.4.29-1 +- new upstream release + + MozNSS fixes + + connection handling fixes + + server: buxfixes in mdb backend + + server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm) +- openldap-servers now provide ldib2ldbm (#437104) +- certificates management improvements + + create empty Mozilla NSS certificate database during installation + + enable builtin Root CA in generated database (#789088) + + generate server certificate using Mozilla NSS tools instead of OpenSSL tools + + fix: correct path to check-config.sh in service file (Jan Synáček ) +- temporarily disable certificates checking in check-config.sh script +- fix: check-config.sh get 
stuck when executing command as a ldap user + +* Tue Jan 31 2012 Jan Vcelak 2.4.28-3 +- fix: replication (syncrepl) with TLS causes segfault (#783431) +- fix: slapd segfaults when PEM certificate is used and key is not set (#772890) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.4.28-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Nov 30 2011 Jan Vcelak 2.4.28-1 +- new upstream release + + server: support for delta-syncrepl in multi master replication + + server: add experimental backend - MDB + + server: dynamic configuration for passwd, perl, shell, sock, and sql backends + + server: support passwords in APR1 + + library: support for Wahl (draft) + + a lot of bugfixes +- remove patches which were merged upstream +- compile backends as modules (except BDB, HDB, and monitor) +- reload systemd daemon after installation + +* Tue Nov 01 2011 Jan Vcelak 2.4.26-6 +- package cleanup: + + hardened build: switch from LDFLAGS to RPM macros + + remove old provides and obsoletes + + add new slapd maintainance scripts + + drop defattr macros, clean up permissions in specfile + + fix rpmlint warnings: macros in comments/changelog + + fix rpmlint warnings: non UTF-8 documentation + + rename environment file to be more consistent (ldap -> slapd) +- replace sysv initscript with systemd service file (# +- new format of environment file due to switch to systemd + (automatic conversion is performed) +- patch OpenLDAP to skip empty command line arguments + (arguments expansion in systemd works different than in shell) +- CVE-2011-4079: one-byte buffer overflow in slapd (#749324) + +* Thu Oct 06 2011 Jan Vcelak 2.4.26-5 +- rebuild: openldap does not work after libdb rebase (#743824) +- regression fix: openldap built without tcp_wrappers (#743213) + +* Wed Sep 21 2011 Jan Vcelak 2.4.26-4 +- new feature update: honor priority/weight with ldap_domain2hostlist (#733078) + +* Mon Sep 12 2011 Jan Vcelak 2.4.26-3 +- fix: SSL_ForceHandshake function is not 
thread safe (#701678) +- fix: allow unsetting of tls_* syncrepl options (#734187) + +* Wed Aug 24 2011 Jan Vcelak 2.4.26-2 +- security hardening: library needs partial RELRO support added (#733071) +- fix: NSS_Init* functions are not thread safe (#731112) +- fix: incorrect behavior of allow/try options of VerifyCert and TLS_REQCERT (#725819) +- fix: memleak - free the return of tlsm_find_and_verify_cert_key (#725818) +- fix: conversion of constraint overlay settings to cn=config is incorrect (#733067) +- fix: DDS overlay tolerance parametr doesn't function and breakes default TTL (#733069) +- manpage fix: errors in manual page slapo-unique (#733070) +- fix: matching wildcard hostnames in certificate Subject field does not work (#733073) +- new feature: honor priority/weight with ldap_domain2hostlist (#733078) +- manpage fix: wrong ldap_sync_destroy() prototype in ldap_sync(3) manpage (#717722) + +* Sun Aug 14 2011 Rex Dieter - 2.4.26-1.1 +- Rebuilt for rpm (#728707) + +* Wed Jul 20 2011 Jan Vcelak 2.4.26-1 +- rebase to new upstream release +- fix: memleak in tlsm_auth_cert_handler (#717730) + +* Mon Jun 27 2011 Jan Vcelak 2.4.25-1 +- rebase to new upstream release +- change default database type from BDB to HDB +- enable ldapi:/// interface by default +- set cn=config management ACLs for root user, SASL external schema (#712495) +- fix: server scriptlets require initscripts package (#716857) +- fix: connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT + is set to 'never' (#716854) +- fix: segmentation fault caused by double-free in ldapexop (#699683) +- fix: segmentation fault of client tool when input line in LDIF file + is splitted but indented incorrectly (#716855) +- fix: segmentation fault of client tool when LDIF input file is not terminated + by a new line character (#716858) + +* Fri Mar 18 2011 Jan Vcelak 2.4.24-2 +- new: system resource limiting for slapd using ulimit +- fix update: openldap can't use TLS after a fork() (#636956) +- fix: 
possible null pointer dereference in NSS implementation +- fix: openldap-servers upgrade hangs or do not upgrade the database (#664433) + +* Mon Feb 14 2011 Jan Vcelak 2.4.24-1 +- rebase to 2.4.24 +- BDB backend switch from DB4 to DB5 + +* Tue Feb 08 2011 Fedora Release Engineering - 2.4.23-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Feb 02 2011 Jan Vcelak 2.4.23-8 +- fix update: openldap can't use TLS after a fork() (#636956) + +* Tue Jan 25 2011 Jan Vcelak 2.4.23-7 +- fix: openldap can't use TLS after a fork() (#636956) +- fix: openldap-server upgrade gets stuck when the database is damaged (#664433) + +* Thu Jan 20 2011 Jan Vcelak 2.4.23-6 +- fix: some server certificates refused with inadequate type error (#668899) +- fix: default encryption strength dropped in switch to using NSS (#669446) +- systemd compatibility: add configuration file (#656647, #668223) + +* Thu Jan 06 2011 Jan Vcelak 2.4.23-5 +- initscript: slaptest with '-u' to skip database opening (#667768) +- removed slurpd options from sysconfig/ldap +- fix: verification of self issued certificates (#657984) + +* Mon Nov 22 2010 Jan Vcelak 2.4.23-4 +- Mozilla NSS - implement full non-blocking semantics + ldapsearch -Z hangs server if starttls fails (#652822) +- updated list of all overlays in slapd.conf (#655899) +- fix database upgrade process (#656257) + +* Thu Nov 18 2010 Jan Vcelak 2.4.23-3 +- add support for multiple prefixed Mozilla NSS database files in TLS_CACERTDIR +- reject non-file keyfiles in TLS_CACERTDIR (#652315) +- TLS_CACERTDIR precedence over TLS_CACERT (#652304) +- accept only files in hash.0 format in TLS_CACERTDIR (#650288) +- improve SSL/TLS trace messages (#652818) + +* Mon Nov 01 2010 Jan Vcelak 2.4.23-2 +- fix possible infinite loop when checking permissions of TLS files (#641946) +- removed outdated autofs.schema (#643045) +- removed outdated README.upgrade +- removed relics of migrationtools + +* Fri Aug 27 2010 Jan Vcelak 2.4.23-1 +- 
rebase to 2.4.23 +- embeded db4 library removed +- removed bogus links in "SEE ALSO" in several man-pages (#624616) + +* Thu Jul 22 2010 Jan Vcelak 2.4.22-7 +- Mozilla NSS - delay token auth until needed (#616552) +- Mozilla NSS - support use of self signed CA certs as server certs (#614545) + +* Tue Jul 20 2010 Jan Vcelak - 2.4.22-6 +- CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448) +- CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452) +- obsolete configuration file moved to /usr/share/openldap-servers (#612602) + +* Thu Jul 01 2010 Jan Zeleny - 2.4.22-5 +- another shot at previous fix + +* Thu Jul 01 2010 Jan Zeleny - 2.4.22-4 +- fixed issue with owner of /usr/lib/ldap/__db.* (#609523) + +* Thu Jun 3 2010 Rich Megginson - 2.4.22-3 +- added ldif.h to the public api in the devel package +- added -lldif to the public api +- added HAVE_MOZNSS and other flags to use Mozilla NSS for crypto + +* Tue May 18 2010 Jan Zeleny - 2.4.22-2 +- rebuild with connectionless support (#587722) +- updated autofs schema (#584808) + +* Tue May 04 2010 Jan Zeleny - 2.4.22-1 +- rebased to 2.4.22 (mostly bugfixes, added back-ldif, back-null testing support) +- due to some possible issues pointed out in last update testing phase, I'm + pulling back the last change (slapd can't be moved since it depends on /usr + possibly mounted from network) + +* Fri Mar 19 2010 Jan Zeleny - 2.4.21-6 +- moved slapd to start earlier during boot sequence + +* Tue Mar 16 2010 Jan Zeleny - 2.4.21-5 +- minor corrections of init script (#571235, #570057, #573804) + +* Wed Feb 24 2010 Jan Zeleny - 2.4.21-4 +- fixed SIGSEGV when deleting data using hdb (#562227) + +* Mon Feb 01 2010 Jan Zeleny - 2.4.21-3 +- fixed broken link /usr/sbin/slapschema (#559873) + +* Tue Jan 19 2010 Jan Zeleny - 2.4.21-2 +- removed some static libraries from openldap-devel (#556090) + +* Mon Jan 11 2010 Jan Zeleny - 2.4.21-1 +- rebased openldap to 2.4.21 +- 
rebased bdb to 4.8.26 + +* Mon Nov 23 2009 Jan Zeleny - 2.4.19-3 +- minor corrections in init script + +* Mon Nov 16 2009 Jan Zeleny - 2.4.19-2 +- fixed tls connection accepting when TLSVerifyClient = allow +- /etc/openldap/ldap.conf removed from files owned by openldap-servers +- minor changes in spec file to supress warnings +- some changes in init script, so it would be possible to use it when + using old configuration style + +* Fri Nov 06 2009 Jan Zeleny - 2.4.19-1 +- rebased openldap to 2.4.19 +- rebased bdb to 4.8.24 + +* Wed Oct 07 2009 Jan Zeleny 2.4.18-4 +- updated smbk5pwd patch to be linked with libldap (#526500) +- the last buffer overflow patch replaced with the one from upstream +- added /etc/openldap/slapd.d and /etc/openldap/slapd.conf.bak + to files owned by openldap-servers + +* Thu Sep 24 2009 Jan Zeleny 2.4.18-3 +- cleanup of previous patch fixing buffer overflow + +* Tue Sep 22 2009 Jan Zeleny 2.4.18-2 +- changed configuration approach. Instead od slapd.conf slapd + is using slapd.d directory now +- fix of some issues caused by renaming of init script +- fix of buffer overflow issue in ldif.c pointed out by new glibc + +* Fri Sep 18 2009 Jan Zeleny 2.4.18-1 +- rebase of openldap to 2.4.18 + +* Wed Sep 16 2009 Jan Zeleny 2.4.16-7 +- updated documentation (hashing the cacert dir) + +* Wed Sep 16 2009 Jan Zeleny 2.4.16-6 +- updated init script to be LSB-compliant (#523434) +- init script renamed to slapd + +* Thu Aug 27 2009 Tomas Mraz - 2.4.16-5 +- rebuilt with new openssl + +* Tue Aug 25 2009 Jan Zeleny 2.4.16-4 +- updated %%pre script to correctly install openldap group + +* Sat Jul 25 2009 Fedora Release Engineering - 2.4.16-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 01 2009 Jan Zeleny 2.4.16-1 +- rebase of openldap to 2.4.16 +- fixed minor issue in spec file (output looking interactive + when installing servers) + +* Tue Jun 09 2009 Jan Zeleny 2.4.15-4 +- added $SLAPD_URLS variable to init script 
(#504504) + +* Thu Apr 09 2009 Jan Zeleny 2.4.15-3 +- extended previous patch (#481310) to remove options cfMP + from some client tools +- correction of patch setugid (#494330) + +* Thu Mar 26 2009 Jan Zeleny 2.4.15-2 +- removed -f option from some client tools (#481310) + +* Wed Feb 25 2009 Jan Safranek 2.4.15-1 +- new upstream release + +* Tue Feb 17 2009 Jan Safranek 2.4.14-1 +- new upstream release +- upgraded to db-4.7.25 + +* Sat Jan 17 2009 Tomas Mraz 2.4.12-3 +- rebuild with new openssl + +* Mon Dec 15 2008 Caolán McNamara 2.4.12-2 +- rebuild for libltdl, i.e. copy config.sub|guess from new location + +* Wed Oct 15 2008 Jan Safranek 2.4.12-1 +- new upstream release + +* Mon Oct 13 2008 Jan Safranek 2.4.11-3 +- add SLAPD_SHUTDOWN_TIMEOUT to /etc/sysconfig/ldap, allowing admins + to set non-default slapd shutdown timeout +- add checkpoint to default slapd.conf file (#458679) + +* Mon Sep 1 2008 Jan Safranek 2.4.11-2 +- provide ldif2ldbm functionality for migrationtools +- rediff all patches to get rid of patch fuzz + +* Mon Jul 21 2008 Jan Safranek 2.4.11-1 +- new upstream release +- apply official bdb-4.6.21 patches + +* Wed Jul 2 2008 Jan Safranek 2.4.10-2 +- fix CVE-2008-2952 (#453728) + +* Thu Jun 12 2008 Jan Safranek 2.4.10-1 +- new upstream release + +* Wed May 28 2008 Jan Safranek 2.4.9-5 +- use /sbin/nologin as shell of ldap user (#447919) + +* Tue May 13 2008 Jan Safranek 2.4.9-4 +- new upstream release +- removed unnecessary MigrationTools patches + +* Thu Apr 10 2008 Jan Safranek 2.4.8-4 +- bdb upgraded to 4.6.21 +- reworked upgrade logic again to run db_upgrade when bdb version + changes + +* Wed Mar 5 2008 Jan Safranek 2.4.8-3 +- reworked the upgrade logic, slapcat/slapadd of the whole database + is needed only if minor version changes (2.3.x -> 2.4.y) +- do not try to save database in LDIF format, if openldap-servers package + is being removed (it's up to the admin to do so manually) + +* Thu Feb 28 2008 Jan Safranek 2.4.8-2 +- migration tools 
carved out to standalone package "migrationtools" + (#236697) + +* Fri Feb 22 2008 Jan Safranek 2.4.8-1 +- new upstream release + +* Fri Feb 8 2008 Jan Safranek 2.4.7-7 +- fix CVE-2008-0658 (#432014) + +* Mon Jan 28 2008 Jan Safranek 2.4.7-6 +- init script fixes + +* Mon Jan 28 2008 Jan Safranek 2.4.7-5 +- init script made LSB-compliant (#247012) + +* Fri Jan 25 2008 Jan Safranek 2.4.7-4 +- fixed rpmlint warnings and errors + - /etc/openldap/schema/README moved to /usr/share/doc/openldap + +* Tue Jan 22 2008 Jan Safranek 2.4.7-3 +- obsoleting compat-openldap properly again :) + +* Tue Jan 22 2008 Jan Safranek 2.4.7-2 +- obsoleting compat-openldap properly (#429591) + +* Mon Jan 14 2008 Jan Safranek 2.4.7-1 +- new upstream version (openldap-2.4.7) + +* Mon Dec 3 2007 Jan Safranek 2.4.6-1 +- new upstream version (openldap-2.4) +- deprecating compat- package + +* Mon Nov 5 2007 Jan Safranek 2.3.39-1 +- new upstream release + +* Tue Oct 23 2007 Jan Safranek 2.3.38-4 +- fixed multilib issues - all platform independent files have the + same content now (#342791) + +* Thu Oct 4 2007 Jan Safranek 2.3.38-3 +- BDB downgraded back to 4.4.20 because 4.6.18 is not supported by + openldap (#314821) + +* Mon Sep 17 2007 Jan Safranek 2.3.38-2 +- skeleton /etc/sysconfig/ldap added +- new SLAPD_LDAP option to turn off listening on ldap:/// (#292591) +- fixed checking of SSL (#292611) +- fixed upgrade with empty database + +* Thu Sep 6 2007 Jan Safranek 2.3.38-1 +- new upstream version +- added images to the guide.html (#273581) + +* Wed Aug 22 2007 Jan Safranek 2.3.37-3 +- just rebuild + +* Thu Aug 2 2007 Jan Safranek 2.3.37-2 +- do not use specific automake and autoconf +- do not distinguish between NPTL and non-NPTL platforms, we have NPTL + everywhere +- db-4.6.18 integrated +- updated openldap-servers License: field to reference BDB license + +* Tue Jul 31 2007 Jan Safranek 2.3.37-1 +- new upstream version + +* Fri Jul 20 2007 Jan Safranek 2.3.34-7 +- MigrationTools-47 
integrated + +* Wed Jul 4 2007 Jan Safranek 2.3.34-6 +- fix compat-slapcat compilation. Now it can be found in + /usr/lib/compat-openldap/slapcat, because the tool checks argv[0] + (#246581) + +* Fri Jun 29 2007 Jan Safranek 2.3.34-5 +- smbk5pwd added (#220895) +- correctly distribute modules between servers and servers-sql packages + +* Mon Jun 25 2007 Jan Safranek 2.3.34-4 +- Fix initscript return codes (#242667) +- Provide overlays (as modules; #246036, #245896) +- Add available modules to config file + +* Tue May 22 2007 Jan Safranek 2.3.34-3 +- do not create script in /tmp on startup (bz#188298) +- add compat-slapcat to openldap-compat (bz#179378) +- do not import ddp services with migrate_services.pl + (bz#201183) +- sort the hosts by adders, preventing duplicities + in migrate*nis*.pl (bz#201540) +- start slupd for each replicated database (bz#210155) +- add ldconfig to devel post/postun (bz#240253) +- include misc.schema in default slapd.conf (bz#147805) + +* Mon Apr 23 2007 Jan Safranek 2.3.34-2 +- slapadd during package update is now quiet (bz#224581) +- use _localstatedir instead of var/ during build (bz#220970) +- bind-libbind-devel removed from BuildRequires (bz#216851) +- slaptest is now quiet during service ldap start, if + there is no error/warning (bz#143697) +- libldap_r.so now links with pthread (bz#198226) +- do not strip binaries to produce correct .debuginfo packages + (bz#152516) + +* Mon Feb 19 2007 Jay Fenlason 2.3.34-1 +- New upstream release +- Upgrade the scripts for migrating the database so that they might + actually work. 
+- change bind-libbind-devel to bind-devel in BuildPreReq + +* Mon Dec 4 2006 Thomas Woerner 2.3.30-1.1 +- tcp_wrappers has a new devel and libs sub package, therefore changing build + requirement for tcp_wrappers to tcp_wrappers-devel + +* Wed Nov 15 2006 Jay Fenlason 2.3.30-1 +- New upstream version + +* Wed Oct 25 2006 Jay Fenlason 2.3.28-1 +- New upstream version + +* Sun Oct 01 2006 Jesse Keating - 2.3.27-4 +- rebuilt for unwind info generation, broken in gcc-4.1.1-21 + +* Mon Sep 18 2006 Jay Fenlason 2.3.27-3 +- Include --enable-multimaster to close + bz#185821: adding slapd_multimaster to the configure options +- Upgade guide.html to the correct one for openladp-2.3.27, closing + bz#190383: openldap 2.3 packages contain the administrator's guide for 2.2 +- Remove the quotes from around the slaptestflags in ldap.init + This closes one part of + bz#204593: service ldap fails after having added entries to ldap +- include __db.* in the list of files to check ownership of in + ldap.init, as suggested in + bz#199322: RFE: perform cleanup in ldap.init + +* Fri Aug 25 2006 Jay Fenlason 2.3.27-2 +- New upstream release +- Include the gethostbyname_r patch so that nss_ldap won't hang + on recursive attemts to ldap_initialize. + +* Wed Jul 12 2006 Jesse Keating - 2.3.24-2.1 +- rebuild + +* Wed Jun 7 2006 Jay Fenlason 2.3.24-2 +- New upstream version + +* Thu Apr 27 2006 Jay Fenlason 2.3.21-2 +- Upgrade to 2.3.21 +- Add two upstream patches for db-4.4.20 + +* Mon Feb 13 2006 Jay Fenlason 2.3.19-4 +- Re-fix ldap.init + +* Fri Feb 10 2006 Jesse Keating - 2.3.19-3.1 +- bump again for double-long bug on ppc(64) + +* Thu Feb 9 2006 Jay Fenlason 2.3.19-3 +- Modify the ldap.init script to call runuser correctly. 
+
+* Tue Feb 07 2006 Jesse Keating - 2.3.19-2.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Tue Jan 10 2006 Jay Fenlason 2.3.19-2
+- Upgrade to 2.3.19, which upstream now considers stable
+- Modify the -config.patch, ldap.init, and this spec file to put the
+ pid file and args file in an ldap-owned openldap subdirectory under
+ /var/run.
+- Move back_sql* out of _sbindir/openldap , which requires
+ hand-moving slapd and slurpd to _sbindir, and recreating symlinks
+ by hand.
+- Retire openldap-2.3.11-ads.patch, which went upstream.
+- Update the ldap.init script to run slaptest as the ldap user rather
+ than as root. This solves
+ bz#150172 Startup failure after database problem
+- Add to the servers post and preun scriptlets so that on preun, the
+ database is slapcatted to /var/lib/ldap/upgrade.ldif and the
+ database files are saved to /var/lib/ldap/rpmorig. On post, if
+ /var/lib/ldap/upgrade.ldif exists, it is slapadded. This means that
+ on upgrades from 2.3.16-2 to higher versions, the database files may
+ be automatically upgraded. Unfortunatly, because of the changes to
+ the preun scriptlet, users have to do the slapcat, etc by hand when
+ upgrading to 2.3.16-2. Also note that the /var/lib/ldap/rpmorig
+ files need to be removed by hand because automatically removing your
+ emergency fallback files is a bad idea.
+- Upgrade internal bdb to db-4.4.20. For a clean upgrade, this will
+ require that users slapcat their databases into a temp file, move
+ /var/lib/ldap someplace safe, upgrade the openldap rpms, then
+ slapadd the temp file.
+
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Mon Nov 21 2005 Jay Fenlason 2.3.11-3
+- Remove Requires: cyrus-sasl and cyrus-sasl-md5 from openldap- and
+ compat-openldap- to close
+ bz#173313 Remove exlicit 'Requires: cyrus-sasl" + 'Requires: cyrus-sasl-md5'
+
+* Thu Nov 10 2005 Jay Fenlason 2.3.11-2
+- Upgrade to 2.3.11, which upstream now considers stable.
+- Switch compat-openldap to 2.2.29
+- remove references to nss_ldap_build from the spec file
+- remove references to 2.0 and 2.1 from the spec file.
+- reorganize the build() function slightly in the spec file to limit the
+ number of redundant and conflicting options passedto configure.
+- Remove the attempt to hardlink ldapmodify and ldapadd together, since
+ the current make install make ldapadd a symlink to ldapmodify.
+- Include the -ads patches to allow SASL binds to an Active Directory
+ server to work. Nalin wrote the patch, based on my
+ broken first attempt.
+
+* Thu Nov 10 2005 Tomas Mraz 2.2.29-3
+- rebuilt against new openssl
+
+* Mon Oct 10 2005 Jay Fenlason 2.2.29-2
+- New upstream version.
+
+* Thu Sep 29 2005 Jay Fenlason 2.2.28-2
+- Upgrade to nev upstream version. This makes the 2.2.*-hop patch obsolete.
+
+* Mon Aug 22 2005 Jay Fenlason 2.2.26-2
+- Move the slapd.pem file to /etc/pki/tls/certs
+ and edit the -config patch to match to close
+ bz#143393 Creates certificates + keys at an insecure/bad place
+- also use _sysconfdir instead of hard-coding /etc
+
+* Thu Aug 11 2005 Jay Fenlason
+- Add the tls-fix-connection-test patch to close
+ bz#161991 openldap password disclosure issue
+- add the hop patches to prevent infinite looping when chasing referrals.
+ OpenLDAP ITS #3578
+
+* Fri Aug 5 2005 Nalin Dahyabhai
+- fix typo in ldap.init (call $klist instead of klist, from Charles Lopes)
+
+* Thu May 19 2005 Nalin Dahyabhai 2.2.26-1
+- run slaptest with the -u flag if no id2entry db files are found, because
+ you can't check for read-write access to a non-existent database (#156787)
+- add _sysconfdir/openldap/cacerts, which authconfig sets as the
+ TLS_CACERTDIR path in /etc/openldap/ldap.conf now
+- use a temporary wrapper script to launch slapd, in case we have arguments
+ with embedded whitespace (#158111)
+
+* Wed May 4 2005 Nalin Dahyabhai
+- update to 2.2.26 (stable 20050429)
+- enable the lmpasswd scheme
+- print a warning if slaptest fails, slaptest -u succeeds, and one of the
+ directories listed as the storage location for a given suffix in slapd.conf
+ contains a readable file named __db.001 (#118678)
+
+* Tue Apr 26 2005 Nalin Dahyabhai 2.2.25-1
+- update to 2.2.25 (release)
+
+* Tue Apr 26 2005 Nalin Dahyabhai 2.2.24-1
+- update to 2.2.24 (stable 20050318)
+- export KRB5_KTNAME in the init script, in case it was set in the sysconfig
+ file but not exported
+
+* Tue Mar 1 2005 Nalin Dahyabhai 2.2.23-4
+- prefer libresolv to libbind
+
+* Tue Mar 1 2005 Nalin Dahyabhai 2.2.23-3
+- add bind-libbind-devel and libtool-ltdl-devel buildprereqs
+
+* Tue Mar 1 2005 Tomas Mraz 2.2.23-2
+- rebuild with openssl-0.9.7e
+
+* Mon Jan 31 2005 Nalin Dahyabhai 2.2.23-1
+- update to 2.2.23 (stable-20050125)
+- update notes on upgrading from earlier versions
+- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files
+
+* Tue Jan 4 2005 Nalin Dahyabhai 2.2.20-1
+- update to 2.2.20 (stable-20050103)
+- warn about unreadable krb5 keytab files containing "ldap" keys
+- warn about unreadable TLS-related files
+- own a ref to subdirectories which we create under _libdir/tls
+
+* Tue Nov 2 2004 Nalin Dahyabhai 2.2.17-0
+- rebuild
+
+* Thu Sep 30 2004 Nalin Dahyabhai
+- update to 2.2.17 (stable-20040923) (#135188)
+- 
move nptl libraries into arch-specific subdirectories on x86 boxes
+- require a newer glibc which can provide nptl libpthread on i486/i586
+
+* Tue Aug 24 2004 Nalin Dahyabhai
+- move slapd startup to earlier in the boot sequence (#103160)
+- update to 2.2.15 (stable-20040822)
+- change version number on compat-openldap to include the non-compat version
+ from which it's compiled, otherwise would have to start 2.2.15 at release 3
+ so that it upgrades correctly
+
+* Thu Aug 19 2004 Nalin Dahyabhai 2.2.13-2
+- build a separate, static set of libraries for openldap-devel with the
+ non-standard ntlm bind patch applied, for use by the evolution-connector
+ package (#125579), and installing them under
+ evolution_connector_prefix)
+- provide openldap-evolution-devel = version-release in openldap-devel
+ so that evolution-connector's source package can require a version of
+ openldap-devel which provides what it wants
+
+* Mon Jul 26 2004 Nalin Dahyabhai
+- update administrator guide
+
+* Wed Jun 16 2004 Nalin Dahyabhai 2.2.13-1
+- add compat-openldap subpackage
+- default to bdb, as upstream does, gambling that we're only going to be
+ on systems with nptl now
+
+* Tue Jun 15 2004 Nalin Dahyabhai 2.2.13-0
+- preliminary 2.2.13 update
+- move ucdata to the -servers subpackage where it belongs
+
+* Tue Jun 15 2004 Nalin Dahyabhai 2.1.30-1
+- build experimental sql backend as a loadable module
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Tue May 18 2004 Nalin Dahyabhai 2.1.30-0
+- update to 2.1.30
+
+* Thu May 13 2004 Thomas Woerner 2.1.29-3
+- removed rpath
+- added pie patch: slapd and slurpd are now pie
+- requires libtool >= 1.5.6-2 (PIC libltdl.a)
+
+* Fri Apr 16 2004 Nalin Dahyabhai 2.1.29-2
+- move rfc documentation from main to -devel (#121025)
+
+* Wed Apr 14 2004 Nalin Dahyabhai 2.1.29-1
+- rebuild
+
+* Tue Apr 6 2004 Nalin Dahyabhai 2.1.29-0
+- update to 2.1.29 (stable 20040329)
+
+* Mon Mar 29 2004 Nalin Dahyabhai
+- don't build servers with --with-kpasswd, 
that option hasn't been recognized
+ since 2.1.23
+
+* Tue Mar 02 2004 Elliot Lee 2.1.25-5.1
+- rebuilt
+
+* Mon Feb 23 2004 Tim Waugh 2.1.25-5
+- Use ':' instead of '.' as separator for chown.
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Tue Feb 10 2004 Nalin Dahyabhai 2.1.25-4
+- remove 'reload' from the init script -- it never worked as intended (#115310)
+
+* Wed Feb 4 2004 Nalin Dahyabhai 2.1.25-3
+- commit that last fix correctly this time
+
+* Tue Feb 3 2004 Nalin Dahyabhai 2.1.25-2
+- fix incorrect use of find when attempting to detect a common permissions
+ error in the init script (#114866)
+
+* Fri Jan 16 2004 Nalin Dahyabhai
+- add bug fix patch for DB 4.2.52
+
+* Thu Jan 8 2004 Nalin Dahyabhai 2.1.25-1
+- change logging facility used from daemon to local4 (#112730, reversing #11047)
+ BEHAVIOR CHANGE - SHOULD BE MENTIONED IN THE RELEASE NOTES.
+
+* Wed Jan 7 2004 Nalin Dahyabhai
+- incorporate fix for logic quasi-bug in slapd's SASL auxprop code (Dave Jones)
+
+* Thu Dec 18 2003 Nalin Dahyabhai
+- update to 2.1.25, now marked STABLE
+
+* Thu Dec 11 2003 Jeff Johnson 2.1.22-9
+- update to db-4.2.52.
+
+* Thu Oct 23 2003 Nalin Dahyabhai 2.1.22-8
+- add another section to the ABI note for the TLS libdb so that it's marked as
+ not needing an executable stack (from Arjan Van de Ven)
+
+* Thu Oct 16 2003 Nalin Dahyabhai 2.1.22-7
+- force bundled libdb to not use O_DIRECT by making it forget that we have it
+
+* Wed Oct 15 2003 Nalin Dahyabhai
+- build bundled libdb for slapd dynamically to make the package smaller,
+ among other things
+- on tls-capable arches, build libdb both with and without shared posix
+ mutexes, otherwise just without
+- disable posix mutexes unconditionally for db 4.0, which shouldn't need
+ them for the migration cases where it's used
+- update to MigrationTools 45
+
+* Thu Sep 25 2003 Jeff Johnson 2.1.22-6.1
+- upgrade db-4.1.25 to db-4.2.42.
+
+* Fri Sep 12 2003 Nalin Dahyabhai 2.1.22-6
+- drop rfc822-MailMember.schema, merged into upstream misc.schema at some point
+
+* Wed Aug 27 2003 Nalin Dahyabhai
+- actually require newer libtool, as was intended back in 2.1.22-0, noted as
+ missed by Jim Richardson
+
+* Fri Jul 25 2003 Nalin Dahyabhai 2.1.22-5
+- enable rlookups, they don't cost anything unless also enabled in slapd's
+ configuration file
+
+* Tue Jul 22 2003 Nalin Dahyabhai 2.1.22-4
+- rebuild
+
+* Thu Jul 17 2003 Nalin Dahyabhai 2.1.22-3
+- rebuild
+
+* Wed Jul 16 2003 Nalin Dahyabhai 2.1.22-2
+- rebuild
+
+* Tue Jul 15 2003 Nalin Dahyabhai 2.1.22-1
+- build
+
+* Mon Jul 14 2003 Nalin Dahyabhai 2.1.22-0
+- 2.1.22 now badged stable
+- be more aggressive in what we index by default
+- use/require libtool 1.5
+
+* Mon Jun 30 2003 Nalin Dahyabhai
+- update to 2.1.22
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Tue Jun 3 2003 Nalin Dahyabhai 2.1.21-1
+- update to 2.1.21
+- enable ldap, meta, monitor, null, rewrite in slapd
+
+* Mon May 19 2003 Nalin Dahyabhai 2.1.20-1
+- update to 2.1.20
+
+* Thu May 8 2003 Nalin Dahyabhai 2.1.19-1
+- update to 2.1.19
+
+* Mon May 5 2003 Nalin Dahyabhai 2.1.17-1
+- switch to db with crypto
+
+* Fri May 2 2003 Nalin Dahyabhai
+- install the db utils for the bundled libdb as %%{_sbindir}/slapd_db_*
+- install slapcat/slapadd from 2.0.x for migration purposes
+
+* Wed Apr 30 2003 Nalin Dahyabhai
+- update to 2.1.17
+- disable the shell backend, not expected to work well with threads
+- drop the kerberosSecurityObject schema, the krbName attribute it
+ contains is only used if slapd is built with v2 kbind support
+
+* Mon Feb 10 2003 Nalin Dahyabhai 2.0.27-8
+- back down to db 4.0.x, which 2.0.x can compile with in ldbm-over-db setups
+- tweak SuSE patch to fix a few copy-paste errors and a NULL dereference
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Tue Jan 7 2003 Nalin Dahyabhai 2.0.27-6
+- rebuild
+
+* Mon Dec 16 2002 Nalin Dahyabhai 2.0.27-5
+- rebuild
+
+* 
Fri Dec 13 2002 Nalin Dahyabhai 2.0.27-4
+- check for setgid as well
+
+* Thu Dec 12 2002 Nalin Dahyabhai 2.0.27-3
+- rebuild
+
+* Thu Dec 12 2002 Nalin Dahyabhai
+- incorporate fixes from SuSE's security audit, except for fixes to ITS 1963,
+ 1936, 2007, 2009, which were included in 2.0.26.
+- add two more patches for db 4.1.24 from sleepycat's updates page
+- use openssl pkgconfig data, if any is available
+
+* Mon Nov 11 2002 Nalin Dahyabhai 2.0.27-2
+- add patches for db 4.1.24 from sleepycat's updates page
+
+* Mon Nov 4 2002 Nalin Dahyabhai
+- add a sample TLSCACertificateFile directive to the default slapd.conf
+
+* Tue Sep 24 2002 Nalin Dahyabhai 2.0.27-1
+- update to 2.0.27
+
+* Fri Sep 20 2002 Nalin Dahyabhai 2.0.26-1
+- update to 2.0.26, db 4.1.24.NC
+
+* Fri Sep 13 2002 Nalin Dahyabhai 2.0.25-2
+- change LD_FLAGS to refer to /usr/kerberos/_libdir instead of
+ /usr/kerberos/lib, which might not be right on some arches
+
+* Mon Aug 26 2002 Nalin Dahyabhai 2.0.25-1
+- update to 2.0.25 "stable", ldbm-over-gdbm (putting off migration of LDBM
+ slapd databases until we move to 2.1.x)
+- use %%{_smp_mflags} when running make
+- update to MigrationTools 44
+- enable dynamic module support in slapd
+
+* Thu May 16 2002 Nalin Dahyabhai 2.0.23-5
+- rebuild in new environment
+
+* Wed Feb 20 2002 Nalin Dahyabhai 2.0.23-3
+- use the gdbm backend again
+
+* Mon Feb 18 2002 Nalin Dahyabhai 2.0.23-2
+- make slapd.conf read/write by root, read by ldap
+
+* Sun Feb 17 2002 Nalin Dahyabhai
+- fix corner case in sendbuf fix
+- 2.0.23 now marked "stable"
+
+* Tue Feb 12 2002 Nalin Dahyabhai 2.0.23-1
+- update to 2.0.23
+
+* Fri Feb 8 2002 Nalin Dahyabhai 2.0.22-2
+- switch to an internalized Berkeley DB as the ldbm back-end (NOTE: this breaks
+ access to existing on-disk directory data)
+- add slapcat/slapadd with gdbm for migration purposes
+- remove Kerberos dependency in client libs (the direct Kerberos dependency
+ is used by the server for checking {kerberos} 
passwords)
+
+* Fri Feb 1 2002 Nalin Dahyabhai 2.0.22-1
+- update to 2.0.22
+
+* Sat Jan 26 2002 Florian La Roche 2.0.21-5
+- prereq chkconfig for server subpackage
+
+* Fri Jan 25 2002 Nalin Dahyabhai 2.0.21-4
+- update migration tools to version 40
+
+* Wed Jan 23 2002 Nalin Dahyabhai 2.0.21-3
+- free ride through the build system
+
+* Wed Jan 16 2002 Nalin Dahyabhai 2.0.21-2
+- update to 2.0.21, now earmarked as STABLE
+
+* Wed Jan 16 2002 Nalin Dahyabhai 2.0.20-2
+- temporarily disable optimizations for ia64 arches
+- specify pthreads at configure-time instead of letting configure guess
+
+* Mon Jan 14 2002 Nalin Dahyabhai
+- and one for Raw Hide
+
+* Mon Jan 14 2002 Nalin Dahyabhai 2.0.20-0.7
+- build for RHL 7/7.1
+
+* Mon Jan 14 2002 Nalin Dahyabhai 2.0.20-1
+- update to 2.0.20 (security errata)
+
+* Thu Dec 20 2001 Nalin Dahyabhai 2.0.19-1
+- update to 2.0.19
+
+* Tue Nov 6 2001 Nalin Dahyabhai 2.0.18-2
+- fix the commented-out replication example in slapd.conf
+
+* Fri Oct 26 2001 Nalin Dahyabhai 2.0.18-1
+- update to 2.0.18
+
+* Mon Oct 15 2001 Nalin Dahyabhai 2.0.17-1
+- update to 2.0.17
+
+* Wed Oct 10 2001 Nalin Dahyabhai
+- disable kbind support (deprecated, and I suspect unused)
+- configure with --with-kerberos=k5only instead of --with-kerberos=k5
+- build slapd with threads
+
+* Thu Sep 27 2001 Nalin Dahyabhai 2.0.15-2
+- rebuild, 2.0.15 is now designated stable
+
+* Fri Sep 21 2001 Nalin Dahyabhai 2.0.15-1
+- update to 2.0.15
+
+* Mon Sep 10 2001 Nalin Dahyabhai 2.0.14-1
+- update to 2.0.14
+
+* Fri Aug 31 2001 Nalin Dahyabhai 2.0.12-1
+- update to 2.0.12 to pull in fixes for setting of default TLS options, among
+ other things
+- update to migration tools 39
+- drop tls patch, which was fixed better in this release
+
+* Tue Aug 21 2001 Nalin Dahyabhai 2.0.11-13
+- install saucer correctly
+
+* Thu Aug 16 2001 Nalin Dahyabhai
+- try to fix ldap_set_options not being able to set global options related
+ to TLS correctly
+
+* Thu Aug 9 2001 Nalin 
Dahyabhai
+- don't attempt to create a cert at install-time, it's usually going
+ to get the wrong CN (#51352)
+
+* Mon Aug 6 2001 Nalin Dahyabhai
+- add a build-time requirement on pam-devel
+- add a build-time requirement on a sufficiently-new libtool to link
+ shared libraries to other shared libraries (which is needed in order
+ for prelinking to work)
+
+* Fri Aug 3 2001 Nalin Dahyabhai
+- require cyrus-sasl-md5 (support for DIGEST-MD5 is required for RFC
+ compliance) by name (follows from #43079, which split cyrus-sasl's
+ cram-md5 and digest-md5 modules out into cyrus-sasl-md5)
+
+* Fri Jul 20 2001 Nalin Dahyabhai
+- enable passwd back-end (noted by Alan Sparks and Sergio Kessler)
+
+* Wed Jul 18 2001 Nalin Dahyabhai
+- start to prep for errata release
+
+* Fri Jul 6 2001 Nalin Dahyabhai
+- link libldap with liblber
+
+* Wed Jul 4 2001 Than Ngo 2.0.11-6
+- add symlink liblber.so libldap.so and libldap_r.so in /usr/lib
+
+* Tue Jul 3 2001 Nalin Dahyabhai
+- move shared libraries to /lib
+- redo init script for better internationalization (#26154)
+- don't use ldaprc files in the current directory (#38402) (patch from
+ hps@intermeta.de)
+- add BuildPrereq on tcp wrappers since we configure with
+ --enable-wrappers (#43707)
+- don't overflow debug buffer in mail500 (#41751)
+- don't call krb5_free_creds instead of krb5_free_cred_contents any
+ more (#43159)
+
+* Mon Jul 2 2001 Nalin Dahyabhai
+- make config files noreplace (#42831)
+
+* Tue Jun 26 2001 Nalin Dahyabhai
+- actually change the default config to use the dummy cert
+- update to MigrationTools 38
+
+* Mon Jun 25 2001 Nalin Dahyabhai
+- build dummy certificate in %%post, use it in default config
+- configure-time shenanigans to help a confused configure script
+
+* Wed Jun 20 2001 Nalin Dahyabhai
+- tweak migrate_automount and friends so that they can be run from anywhere
+
+* Thu May 24 2001 Nalin Dahyabhai
+- update to 2.0.11
+
+* Wed May 23 2001 Nalin Dahyabhai
+- update to 2.0.10
+
+* Mon May 21 
2001 Nalin Dahyabhai
+- update to 2.0.9
+
+* Tue May 15 2001 Nalin Dahyabhai
+- update to 2.0.8
+- drop patch which came from upstream
+
+* Fri Mar 2 2001 Nalin Dahyabhai
+- rebuild in new environment
+
+* Thu Feb 8 2001 Nalin Dahyabhai
+- back out pidfile patches, which interact weirdly with Linux threads
+- mark non-standard schema as such by moving them to a different directory
+
+* Mon Feb 5 2001 Nalin Dahyabhai
+- update to MigrationTools 36, adds netgroup support
+
+* Mon Jan 29 2001 Nalin Dahyabhai
+- fix thinko in that last patch
+
+* Thu Jan 25 2001 Nalin Dahyabhai
+- try to work around some buffering problems
+
+* Tue Jan 23 2001 Nalin Dahyabhai
+- gettextize the init script
+
+* Thu Jan 18 2001 Nalin Dahyabhai
+- gettextize the init script
+
+* Fri Jan 12 2001 Nalin Dahyabhai
+- move the RFCs to the base package (#21701)
+- update to MigrationTools 34
+
+* Wed Jan 10 2001 Nalin Dahyabhai
+- add support for additional OPTIONS, SLAPD_OPTIONS, and SLURPD_OPTIONS in
+ a /etc/sysconfig/ldap file (#23549)
+
+* Fri Dec 29 2000 Nalin Dahyabhai
+- change automount object OID from 1.3.6.1.1.1.2.9 to 1.3.6.1.1.1.2.13,
+ per mail from the ldap-nis mailing list
+
+* Tue Dec 5 2000 Nalin Dahyabhai
+- force -fPIC so that shared libraries don't fall over
+
+* Mon Dec 4 2000 Nalin Dahyabhai
+- add Norbert Klasen's patch (via Del) to fix searches using ldaps URLs
+ (OpenLDAP ITS #889)
+- add "-h ldaps:///" to server init when TLS is enabled, in order to support
+ ldaps in addition to the regular STARTTLS (suggested by Del)
+
+* Mon Nov 27 2000 Nalin Dahyabhai
+- correct mismatched-dn-cn bug in migrate_automount.pl
+
+* Mon Nov 20 2000 Nalin Dahyabhai
+- update to the correct OIDs for automount and automountInformation
+- add notes on upgrading
+
+* Tue Nov 7 2000 Nalin Dahyabhai
+- update to 2.0.7
+- drop chdir patch (went mainstream)
+
+* Thu Nov 2 2000 Nalin Dahyabhai
+- change automount object classes from auxiliary to structural
+
+* Tue Oct 31 2000 Nalin Dahyabhai
+- 
update to Migration Tools 27
+- change the sense of the last simple patch
+
+* Wed Oct 25 2000 Nalin Dahyabhai
+- reorganize the patch list to separate MigrationTools and OpenLDAP patches
+- switch to Luke Howard's rfc822MailMember schema instead of the aliases.schema
+- configure slapd to run as the non-root user "ldap" (#19370)
+- chdir() before chroot() (we don't use chroot, though) (#19369)
+- disable saving of the pid file because the parent thread which saves it and
+ the child thread which listens have different pids
+
+* Wed Oct 11 2000 Nalin Dahyabhai
+- add missing required attributes to conversion scripts to comply with schema
+- add schema for mail aliases, autofs, and kerberosSecurityObject rooted in
+ our own OID tree to define attributes and classes migration scripts expect
+- tweak automounter migration script
+
+* Mon Oct 9 2000 Nalin Dahyabhai
+- try adding the suffix first when doing online migrations
+- force ldapadd to use simple authentication in migration scripts
+- add indexing of a few attributes to the default configuration
+- add commented-out section on using TLS to default configuration
+
+* Thu Oct 5 2000 Nalin Dahyabhai
+- update to 2.0.6
+- add buildprereq on cyrus-sasl-devel, krb5-devel, openssl-devel
+- take the -s flag off of slapadd invocations in migration tools
+- add the cosine.schema to the default server config, needed by inetorgperson
+
+* Wed Oct 4 2000 Nalin Dahyabhai
+- add the nis.schema and inetorgperson.schema to the default server config
+- make ldapadd a hard link to ldapmodify because they're identical binaries
+
+* Fri Sep 22 2000 Nalin Dahyabhai
+- update to 2.0.4
+
+* Fri Sep 15 2000 Nalin Dahyabhai
+- remove prereq on /etc/init.d (#17531)
+- update to 2.0.3
+- add saucer to the included clients
+
+* Wed Sep 6 2000 Nalin Dahyabhai
+- update to 2.0.1
+
+* Fri Sep 1 2000 Nalin Dahyabhai
+- update to 2.0.0
+- patch to build against MIT Kerberos 1.1 and later instead of 1.0.x
+
+* Tue Aug 22 2000 Nalin Dahyabhai
+- 
remove that pesky default password
+- change "Copyright:" to "License:"
+
+* Sun Aug 13 2000 Nalin Dahyabhai
+- adjust permissions in files lists
+- move libexecdir from %%{_prefix}/sbin to %%{_sbindir}
+
+* Fri Aug 11 2000 Nalin Dahyabhai
+- add migrate_automount.pl to the migration scripts set
+
+* Tue Aug 8 2000 Nalin Dahyabhai
+- build a semistatic slurpd with threads, everything else without
+- disable reverse lookups, per email on OpenLDAP mailing lists
+- make sure the execute bits are set on the shared libraries
+
+* Mon Jul 31 2000 Nalin Dahyabhai
+- change logging facility used from local4 to daemon (#11047)
+
+* Thu Jul 27 2000 Nalin Dahyabhai
+- split off clients and servers to shrink down the package and remove the
+ base package's dependency on Perl
+- make certain that the binaries have sane permissions
+
+* Mon Jul 17 2000 Nalin Dahyabhai
+- move the init script back
+
+* Thu Jul 13 2000 Nalin Dahyabhai
+- tweak the init script to only source /etc/sysconfig/network if it's found
+
+* Wed Jul 12 2000 Prospector
+- automatic rebuild
+
+* Mon Jul 10 2000 Nalin Dahyabhai
+- switch to gdbm; I'm getting off the db merry-go-round
+- tweak the init script some more
+- add instdir to @INC in migration scripts
+
+* Thu Jul 6 2000 Nalin Dahyabhai
+- tweak init script to return error codes properly
+- change initscripts dependency to one on /etc/init.d
+
+* Tue Jul 4 2000 Nalin Dahyabhai
+- prereq initscripts
+- make migration scripts use mktemp
+
+* Tue Jun 27 2000 Nalin Dahyabhai
+- do condrestart in post and stop in preun
+- move init script to /etc/init.d
+
+* Fri Jun 16 2000 Nalin Dahyabhai
+- update to 1.2.11
+- add condrestart logic to init script
+- munge migration scripts so that you don't have to be
+ /usr/share/openldap/migration to run them
+- add code to create pid files in /var/run
+
+* Mon Jun 5 2000 Nalin Dahyabhai
+- FHS tweaks
+- fix for compiling with libdb2
+
+* Thu May 4 2000 Bill Nottingham
+- minor tweak so it builds on ia64
+
+* Wed May 
3 2000 Nalin Dahyabhai
+- more minimalistic fix for bug #11111 after consultation with OpenLDAP team
+- backport replacement for the ldapuser patch
+
+* Tue May 2 2000 Nalin Dahyabhai
+- fix segfaults from queries with commas in them in in.xfingerd (bug #11111)
+
+* Tue Apr 25 2000 Nalin Dahyabhai
+- update to 1.2.10
+- add revamped version of patch from kos@bastard.net to allow execution as
+ any non-root user
+- remove test suite from %%build because of weirdness in the build system
+
+* Wed Apr 12 2000 Nalin Dahyabhai
+- move the defaults for databases and whatnot to /var/lib/ldap (bug #10714)
+- fix some possible string-handling problems
+
+* Mon Feb 14 2000 Bill Nottingham
+- start earlier, stop later.
+
+* Thu Feb 3 2000 Nalin Dahyabhai
+- auto rebuild in new environment (release 4)
+
+* Tue Feb 1 2000 Nalin Dahyabhai
+- add -D_REENTRANT to make threaded stuff more stable, even though it looks
+ like the sources define it, too
+- mark *.ph files in migration tools as config files
+
+* Fri Jan 21 2000 Nalin Dahyabhai
+- update to 1.2.9
+
+* Mon Sep 13 1999 Bill Nottingham
+- strip files
+
+* Sat Sep 11 1999 Bill Nottingham
+- update to 1.2.7
+- fix some bugs from bugzilla (#4885, #4887, #4888, #4967)
+- take include files out of base package
+
+* Fri Aug 27 1999 Jeff Johnson
+- missing ;; in init script reload) (#4734).
+
+* Tue Aug 24 1999 Cristian Gafton
+- move stuff from /usr/libexec to /usr/sbin
+- relocate config dirs to /etc/openldap
+
+* Mon Aug 16 1999 Bill Nottingham
+- initscript munging
+
+* Wed Aug 11 1999 Cristian Gafton
+- add the migration tools to the package
+
+* Fri Aug 06 1999 Cristian Gafton
+- upgrade to 1.2.6
+- add rc.d script
+- split -devel package
+
+* Sun Feb 07 1999 Preston Brown
+- upgrade to latest stable (1.1.4), it now uses configure macro.
+
+* Fri Jan 15 1999 Bill Nottingham
+- build on arm, glibc2.1
+
+* Wed Oct 28 1998 Preston Brown
+- initial cut.
+- patches for signal handling on the alpha