openldap package update

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>

SOURCES/check-password-loglevels.patch

@@ -0,0 +1,124 @@
+Correct log levels in check_password module.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1356158
+
+diff --git a/check_password.c b/check_password.c
+--- a/check_password.c
++++ b/check_password.c
+@@ -108,7 +108,7 @@ char* chomp(char *s)
+ static int set_quality (char *value)
+ {
+ #if defined(DEBUG)
+-	syslog(LOG_NOTICE, "check_password: Setting quality to [%s]", value);
++	syslog(LOG_INFO, "check_password: Setting quality to [%s]", value);
+ #endif
+
+	/* No need to require more quality than we can check for. */
+@@ -120,7 +120,7 @@ static int set_quality (char *value)
+ static int set_cracklib (char *value)
+ {
+ #if defined(DEBUG)
+-	syslog(LOG_NOTICE, "check_password: Setting cracklib usage to [%s]", value);
++	syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value);
+ #endif
+
+
+@@ -131,7 +131,7 @@ static int set_cracklib (char *value)
+ static int set_digit (char *value)
+ {
+ #if defined(DEBUG)
+-	syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value);
++	syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value);
+ #endif
+	if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0;
+	return (int) (value[0] - '0');
+@@ -152,14 +152,14 @@ static validator valid_word (char *word)
+	int index = 0;
+
+ #if defined(DEBUG)
+-	syslog(LOG_NOTICE, "check_password: Validating parameter [%s]", word);
++	syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word);
+ #endif
+
+	while (list[index].parameter != NULL) {
+		if (strlen(word) == strlen(list[index].parameter) &&
+		    strcmp(list[index].parameter, word) == 0) {
+ #if defined(DEBUG)
+-			syslog(LOG_NOTICE, "check_password: Parameter accepted.");
++			syslog(LOG_DEBUG, "check_password: Parameter accepted.");
+ #endif
+			return list[index].dealer;
+		}
+@@ -167,7 +167,7 @@ static validator valid_word (char *word)
+	}
+
+ #if defined(DEBUG)
+-	syslog(LOG_NOTICE, "check_password: Parameter rejected.");
++	syslog(LOG_DEBUG, "check_password: Parameter rejected.");
+ #endif
+
+	return NULL;
+@@ -203,7 +203,7 @@ static int read_config_file ()
+
+ #if defined(DEBUG)
+		/* Debug traces to syslog. */
+-		syslog(LOG_NOTICE, "check_password: Got line |%s|", line);
++		syslog(LOG_DEBUG, "check_password: Got line |%s|", line);
+ #endif
+
+		while (isspace(*start) && isascii(*start)) start++;
+@@ -212,7 +212,7 @@ static int read_config_file ()
+		if ( ispunct(*start)) {
+ #if defined(DEBUG)
+			/* Debug traces to syslog. */
+-			syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
++			syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line);
+ #endif
+			continue;
+		}
+@@ -227,7 +227,7 @@ static int read_config_file ()
+					if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+
+ #if defined(DEBUG)
+-						syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
++						syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value);
+ #endif
+
+						centry[i].value = chomp(value);
+@@ -319,7 +319,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+			if ( !nLower && (minLower < 1)) {
+				nLower = 1; nQuality++;
+ #if defined(DEBUG)
+-				syslog(LOG_NOTICE, "check_password: Found lower character - quality raise %d", nQuality);
++				syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality);
+ #endif
+			}
+			continue;
+@@ -330,7 +330,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+			if ( !nUpper && (minUpper < 1)) {
+				nUpper = 1; nQuality++;
+ #if defined(DEBUG)
+-				syslog(LOG_NOTICE, "check_password: Found upper character - quality raise %d", nQuality);
++				syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality);
+ #endif
+			}
+			continue;
+@@ -341,7 +341,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+			if ( !nDigit && (minDigit < 1)) {
+				nDigit = 1; nQuality++;
+ #if defined(DEBUG)
+-				syslog(LOG_NOTICE, "check_password: Found digit character - quality raise %d", nQuality);
++				syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality);
+ #endif
+			}
+			continue;
+@@ -352,7 +352,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+			if ( !nPunct && (minPunct < 1)) {
+				nPunct = 1; nQuality++;
+ #if defined(DEBUG)
+-				syslog(LOG_NOTICE, "check_password: Found punctuation character - quality raise %d", nQuality);
++				syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality);
+ #endif
+			}
+			continue;

SOURCES/check-password-makefile.patch

@@ -0,0 +1,41 @@
+--- a/Makefile	2009-10-31 18:59:06.000000000 +0100
++++ b/Makefile	2014-12-17 09:42:37.586079225 +0100
+@@ -13,22 +13,11 @@
+ #
+ CONFIG=/etc/openldap/check_password.conf
+
+-OPT=-g -O2 -Wall -fpic 						\
+-	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""	\
+-	-DCONFIG_FILE="\"$(CONFIG)\""					\
++CFLAGS+=-fpic                                                  \
++	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \
++	-DCONFIG_FILE="\"$(CONFIG)\""                          \
+	-DDEBUG
+
+-# Where to find the OpenLDAP headers.
+-#
+-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
+-	 -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
+-
+-# Where to find the CrackLib headers.
+-#
+-CRACK_INC=
+-
+-INCS=$(LDAP_INC) $(CRACK_INC)
+-
+ LDAP_LIB=-lldap_r -llber
+
+ # Comment out this line if you do NOT want to use the cracklib.
+@@ -45,10 +34,10 @@
+ all: 	check_password
+
+ check_password.o:
+-	$(CC) $(OPT) -c $(INCS) check_password.c
++	$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+
+ check_password: clean check_password.o
+-	$(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
++	$(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+
+ install: check_password
+	cp -f check_password.so ../../../usr/lib/openldap/modules/

SOURCES/check-password.patch

@@ -0,0 +1,321 @@
+--- a/check_password.c	2009-10-31 18:59:06.000000000 +0100
++++ b/check_password.c	2014-12-17 12:25:00.148900907 +0100
+@@ -10,7 +10,7 @@
+ #include <slap.h>
+
+ #ifdef HAVE_CRACKLIB
+-#include "crack.h"
++#include <crack.h>
+ #endif
+
+ #if defined(DEBUG)
+@@ -34,18 +34,77 @@
+ #define PASSWORD_TOO_SHORT_SZ \
+	"Password for dn=\"%s\" is too short (%d/6)"
+ #define PASSWORD_QUALITY_SZ \
+-	"Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
++	"Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
+ #define BAD_PASSWORD_SZ \
+	"Bad password for dn=\"%s\" because %s"
++#define UNKNOWN_ERROR_SZ \
++	"An unknown error occurred, please see your systems administrator"
+
+ typedef int (*validator) (char*);
+-static int read_config_file (char *);
++static int read_config_file ();
+ static validator valid_word (char *);
+ static int set_quality (char *);
+ static int set_cracklib (char *);
+
+ int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+
++struct config_entry {
++	char* key;
++	char* value;
++	char* def_value;
++} config_entries[] = { { "minPoints", NULL, "3"},
++		       { "useCracklib", NULL, "1"},
++		       { "minUpper", NULL, "0"},
++		       { "minLower", NULL, "0"},
++		       { "minDigit", NULL, "0"},
++		       { "minPunct", NULL, "0"},
++		       { NULL, NULL, NULL }};
++
++int get_config_entry_int(char* entry) {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	char* key = centry[i].key;
++	while (key != NULL) {
++		if ( strncmp(key, entry, strlen(key)) == 0 ) {
++			if ( centry[i].value == NULL ) {
++				return atoi(centry[i].def_value);
++			}
++			else {
++				return atoi(centry[i].value);
++			}
++		}
++		i++;
++		key = centry[i].key;
++	}
++
++	return -1;
++}
++
++void dealloc_config_entries() {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	while (centry[i].key != NULL) {
++		if ( centry[i].value != NULL ) {
++			ber_memfree(centry[i].value);
++		}
++		i++;
++	}
++}
++
++char* chomp(char *s)
++{
++	char* t = ber_memalloc(strlen(s)+1);
++	strncpy (t,s,strlen(s)+1);
++
++	if ( t[strlen(t)-1] == '\n' ) {
++		t[strlen(t)-1] = '\0';
++	}
++
++	return t;
++}
++
+ static int set_quality (char *value)
+ {
+ #if defined(DEBUG)
+@@ -84,12 +143,12 @@
+		char * parameter;
+		validator dealer;
+	} list[] = { { "minPoints", set_quality },
+-		{ "useCracklib", set_cracklib },
+-		{ "minUpper", set_digit },
+-		{ "minLower", set_digit },
+-		{ "minDigit", set_digit },
+-		{ "minPunct", set_digit },
+-		{ NULL, NULL } };
++		     { "useCracklib", set_cracklib },
++		     { "minUpper", set_digit },
++		     { "minLower", set_digit },
++		     { "minDigit", set_digit },
++		     { "minPunct", set_digit },
++		     { NULL, NULL } };
+	int index = 0;
+
+ #if defined(DEBUG)
+@@ -98,7 +157,7 @@
+
+	while (list[index].parameter != NULL) {
+		if (strlen(word) == strlen(list[index].parameter) &&
+-				strcmp(list[index].parameter, word) == 0) {
++		    strcmp(list[index].parameter, word) == 0) {
+ #if defined(DEBUG)
+			syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+ #endif
+@@ -114,13 +173,15 @@
+	return NULL;
+ }
+
+-static int read_config_file (char *keyWord)
++static int read_config_file ()
+ {
+	FILE * config;
+	char * line;
+	int returnValue =  -1;
+
+-	if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
++	line = ber_memcalloc(260, sizeof(char));
++
++	if ( line == NULL ) {
+		return returnValue;
+	}
+
+@@ -133,6 +194,8 @@
+		return returnValue;
+	}
+
++	returnValue = 0;
++
+	while (fgets(line, 256, config) != NULL) {
+		char *start = line;
+		char *word, *value;
+@@ -145,23 +208,40 @@
+
+		while (isspace(*start) && isascii(*start)) start++;
+
+-		if (! isascii(*start))
++		/* If we've got punctuation, just skip the line. */
++		if ( ispunct(*start)) {
++#if defined(DEBUG)
++			/* Debug traces to syslog. */
++			syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
++#endif
+			continue;
++		}
+
+-		if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
+-			if ((value = strtok(NULL, " \t")) == NULL)
+-				continue;
++		if( isascii(*start)) {
++
++			struct config_entry* centry = config_entries;
++			int i = 0;
++			char* keyWord = centry[i].key;
++			if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
++				while ( keyWord != NULL ) {
++					if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+
+ #if defined(DEBUG)
+-			syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
++						syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ #endif
+
+-			returnValue = (*dealer)(value);
++						centry[i].value = chomp(value);
++						break;
++					}
++					i++;
++					keyWord = centry[i].key;
++				}
++			}
+		}
+	}
+-
+	fclose(config);
+	ber_memfree(line);
++
+	return returnValue;
+ }
+
+@@ -170,7 +250,7 @@
+	if (curlen < nextlen + MEMORY_MARGIN) {
+ #if defined(DEBUG)
+		syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
+-				curlen, nextlen + MEMORY_MARGIN);
++		       curlen, nextlen + MEMORY_MARGIN);
+ #endif
+		ber_memfree(*target);
+		curlen = nextlen + MEMORY_MARGIN;
+@@ -180,7 +260,7 @@
+	return curlen;
+ }
+
+-	int
++int
+ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ {
+
+@@ -210,20 +290,22 @@
+	nLen = strlen (pPasswd);
+	if ( nLen < 6) {
+		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_TOO_SHORT_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 1);
++						strlen(PASSWORD_TOO_SHORT_SZ) +
++						strlen(pEntry->e_name.bv_val) + 1);
+		sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
+		goto fail;
+	}
+
+-	/* Read config file */
+-	minQuality = read_config_file("minPoints");
++	if (read_config_file() == -1) {
++		syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
++	}
+
+-	useCracklib = read_config_file("useCracklib");
+-	minUpper = read_config_file("minUpper");
+-	minLower = read_config_file("minLower");
+-	minDigit = read_config_file("minDigit");
+-	minPunct = read_config_file("minPunct");
++	minQuality = get_config_entry_int("minPoints");
++	useCracklib = get_config_entry_int("useCracklib");
++	minUpper = get_config_entry_int("minUpper");
++	minLower = get_config_entry_int("minLower");
++	minDigit = get_config_entry_int("minDigit");
++	minPunct = get_config_entry_int("minPunct");
+
+	/** The password must have at least minQuality strength points with one
+	 * point for the first occurrance of a lower, upper, digit and
+@@ -232,8 +314,6 @@
+
+	for ( i = 0; i < nLen; i++ ) {
+
+-		if ( nQuality >= minQuality ) break;
+-
+		if ( islower (pPasswd[i]) ) {
+			minLower--;
+			if ( !nLower && (minLower < 1)) {
+@@ -279,12 +359,23 @@
+		}
+	}
+
+-	if ( nQuality < minQuality ) {
++	/*
++	 * If you have a required field, then it should be required in the strength
++	 * checks.
++	 */
++
++	if (
++		(minLower > 0 ) ||
++		(minUpper > 0 ) ||
++		(minDigit > 0 ) ||
++		(minPunct > 0 ) ||
++		(nQuality < minQuality)
++		) {
+		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_QUALITY_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 2);
++						strlen(PASSWORD_QUALITY_SZ) +
++						strlen(pEntry->e_name.bv_val) + 2);
+		sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+-				nQuality, minQuality);
++			 nQuality, minQuality);
+		goto fail;
+	}
+
+@@ -306,7 +397,7 @@
+		for ( j = 0; j < 3; j++ ) {
+
+			snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+-					CRACKLIB_DICTPATH, ext[j]);
++				  CRACKLIB_DICTPATH, ext[j]);
+
+			if (( fp = fopen ( filename, "r")) == NULL ) {
+
+@@ -326,9 +417,9 @@
+			r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+			if ( r != NULL ) {
+				mem_len = realloc_error_message(&szErrStr, mem_len,
+-						strlen(BAD_PASSWORD_SZ) +
+-						strlen(pEntry->e_name.bv_val) +
+-						strlen(r));
++								strlen(BAD_PASSWORD_SZ) +
++								strlen(pEntry->e_name.bv_val) +
++								strlen(r));
+				sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+				goto fail;
+			}
+@@ -342,15 +433,15 @@
+	}
+
+ #endif
+-
++	dealloc_config_entries();
+	*ppErrStr = strdup ("");
+	ber_memfree(szErrStr);
+	return (LDAP_SUCCESS);
+
+ fail:
++	dealloc_config_entries();
+	*ppErrStr = strdup (szErrStr);
+	ber_memfree(szErrStr);
+	return (EXIT_FAILURE);
+
+ }
+-

SOURCES/ldap.conf

@@ -0,0 +1,18 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+TLS_CACERTDIR	/etc/openldap/certs
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON	on

SOURCES/libexec-check-config.sh

@@ -0,0 +1,91 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+	retcode=0
+	tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+	run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+	if [ $? -ne 0 ]; then
+		error "Checking configuration file failed:"
+		cat $tmp_slaptest >&2
+		retcode=1
+	fi
+	rm $tmp_slaptest
+	return $retcode
+}
+
+function check_certs_perms()
+{
+	retcode=0
+	for cert in `certificates`; do
+		run_as_ldap "/usr/bin/test -e \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' was not found." "$cert"
+			retcoder=1
+			continue
+		fi
+		run_as_ldap "/usr/bin/test -r \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' is not readable." "$cert"
+			retcode=1
+		fi
+	done
+	return $retcode
+}
+
+function check_db_perms()
+{
+	retcode=0
+	for dbdir in `databases`; do
+		[ -d "$dbdir" ] || continue
+		for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
+			run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+			if [ $? -ne 0 ]; then
+				error "Read/write permissions for DB file '%s' are required." "$dbfile"
+				retcode=1
+			fi
+		done
+	done
+	return $retcode
+}
+
+function check_everything()
+{
+	retcode=0
+	check_config_syntax || retcode=1
+	# TODO: need support for Mozilla NSS, disabling temporarily
+	#check_certs_perms || retcode=1
+	check_db_perms || retcode=1
+	return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this script."
+	exit 4
+fi
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+	if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+		error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+	else
+		check_everything
+		exit $?
+	fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+	if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+		error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+	else
+		error "Warning: Usage of a configuration file is obsolete!"
+		check_everything
+		exit $?
+	fi
+fi
+
+exit 1

SOURCES/libexec-convert-config.sh

@@ -0,0 +1,79 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function help()
+{
+	error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`"
+	exit 2
+}
+
+load_sysconfig
+
+while getopts :f:F: opt; do
+	case "$opt" in
+	f)
+		SLAPD_CONFIG_FILE="$OPTARG"
+		;;
+	F)
+		SLAPD_CONFIG_DIR="$OPTARG"
+		;;
+	*)
+		help
+		;;
+	esac
+done
+shift $((OPTIND-1))
+[ -n "$1" ] && help
+
+# check source, target
+
+if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+	error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE"
+	exit 1
+fi
+
+if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then
+	SLAPD_CONFIG_FILE_FORMAT=ldif
+else
+	SLAPD_CONFIG_FILE_FORMAT=conf
+fi
+
+if [ -d "$SLAPD_CONFIG_DIR" ]; then
+	if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then
+		error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR"
+		exit 1
+	fi
+fi
+
+# perform the conversion
+
+tmp_convert=`mktemp --tmpdir=/var/run/openldap`
+
+if [ `id -u` -eq 0 ]; then
+	install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+	if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
+		run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert
+	else
+		run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert
+	fi
+	retcode=$?
+else
+	error "You are not root! Permission will not be set."
+	install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+	if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then
+		/usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert
+	else
+		/usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert
+	fi
+	retcode=$?
+fi
+
+if [ $retcode -ne 0 ]; then
+	error "Configuration conversion failed:"
+	cat $tmp_convert >&2
+fi
+
+rm $tmp_convert
+exit $retcode

SOURCES/libexec-create-certdb.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+
+# internals
+
+MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so"
+RANDOM_SOURCE=/dev/urandom
+PASSWORD_BYTES=32
+
+# parse arguments
+
+usage() {
+	printf "usage: create-certdb.sh [-d certdb]\n" >&2
+	exit 1
+}
+
+while getopts "d:" opt; do
+	case "$opt" in
+	d)
+		CERTDB_DIR="$OPTARG"
+		;;
+	\?)
+		usage
+		;;
+	esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# verify target location
+
+if [ ! -d "$CERTDB_DIR" ]; then
+	printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2
+	exit 1
+fi
+
+if [ ! "$(find "$CERTDB_DIR"  -maxdepth 0 -empty | wc -l)" -eq 1 ]; then
+	printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2
+	exit 1
+fi
+
+# create the database
+
+printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2
+
+PASSWORD_FILE="$CERTDB_DIR/password"
+OLD_UMASK="$(umask)"
+umask 0377
+dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE"
+umask "$OLD_UMASK"
+
+certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null
+
+# load module with builtin CA certificates
+
+echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null
+
+# tune permissions
+
+for dbfile in "$CERTDB_DIR"/*.db; do
+	chmod 0644 "$dbfile"
+done
+
+exit 0

SOURCES/libexec-functions

@@ -0,0 +1,134 @@
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+	SLAPD_USER=ldap
+	SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+	SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+	SLAPD_CONFIG_CUSTOM=
+	SLAPD_GLOBAL_OPTIONS=
+	SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+	user=
+	config_file=
+	config_dir=
+	while getopts :u:f:F: opt; do
+		case "$opt" in
+		u)
+			user="$OPTARG"
+			;;
+		f)
+			config_file="$OPTARG"
+			;;
+		F)
+			config_dir="$OPTARG"
+			;;
+		esac
+	done
+
+	if [ -n "$user" ]; then
+		SLAPD_USER="$user"
+	fi
+
+	if [ -n "$config_dir" ]; then
+		SLAPD_CONFIG_DIR="$config_dir"
+		SLAPD_CONFIG_FILE=
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+	elif [ -n "$config_file" ]; then
+		SLAPD_CONFIG_DIR=
+		SLAPD_CONFIG_FILE="$config_file"
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+	fi
+}
+
+function uses_new_config()
+{
+	[ -n "$SLAPD_CONFIG_DIR" ]
+	return $?
+}
+
+function run_as_ldap()
+{
+	/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+	return $?
+}
+
+function ldif_unbreak()
+{
+	sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+	sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c \
+	-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcDbDirectory: ' | \
+		ldif_value
+}
+
+function databases_old()
+{
+	awk	'begin { database="" }
+		$1 == "database" { database=$2 }
+		$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+		"$SLAPD_CONFIG_FILE"
+}
+
+function certificates_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+		ldif_value
+}
+
+function certificates_old()
+{
+	awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+		"$SLAPD_CONFIG_FILE"
+}
+
+function certificates()
+{
+	uses_new_config && certificates_new || certificates_old
+}
+
+function databases()
+{
+	uses_new_config && databases_new || databases_old
+}
+
+
+function error()
+{
+	format="$1\n"; shift
+	printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+	[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+	. "$SLAPD_SYSCONFIG_FILE"
+	[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config

SOURCES/libexec-generate-server-cert.sh

@@ -0,0 +1,118 @@
+#!/bin/bash
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+CERT_NAME="OpenLDAP Server"
+PASSWORD_FILE=
+HOSTNAME_FQDN="$(hostname --fqdn)"
+ALT_NAMES=
+ONCE=0
+
+# internals
+
+RANDOM_SOURCE=/dev/urandom
+CERT_RANDOM_BYTES=256
+CERT_KEY_TYPE=rsa
+CERT_KEY_SIZE=1024
+CERT_VALID_MONTHS=12
+
+# parse arguments
+
+usage() {
+	printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
+	printf "                               [-p password-file] [-h hostnames]\n" >&2
+	printf "                               [-a dns-alt-names] [-o]\n" >&2
+	exit 1
+}
+
+while getopts "d:n:p:h:a:o" opt; do
+	case "$opt" in
+	d)
+		CERTDB_DIR="$OPTARG"
+		;;
+	n)
+		CERT_NAME="$OPTARG"
+		;;
+	p)
+		PASSWORD_FILE="$OPTARG"
+		;;
+	h)
+		HOSTNAME_FQDN="$OPTARG"
+		;;
+	a)
+		ALT_NAMES="$OPTARG"
+		;;
+	o)
+		ONCE=1
+		;;
+	\?)
+		usage
+		;;
+	esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# generated options
+
+ONCE_FILE="$CERTDB_DIR/.slapd-leave"
+PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
+ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
+
+# verify target location
+
+if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
+	printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
+	exit 0
+fi
+
+if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
+	printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
+	exit 1
+fi
+
+printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
+
+if [ ! -r "$PASSWORD_FILE" ]; then
+	printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
+	exit 1
+fi
+
+if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
+	printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
+	exit 1
+fi
+
+# generate server certificate (self signed)
+
+
+CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
+dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
+
+certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
+	-S -x -n "$CERT_NAME" \
+	-s "CN=$HOSTNAME_FQDN" \
+	-t TC,, \
+	-k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
+	-v $CERT_VALID_MONTHS \
+	-8 "$ALT_NAMES" \
+	&>/dev/null
+
+rm -f $CERT_RANDOM
+
+# tune permissions
+
+if [ "$(id -u)" -eq 0 ]; then
+	chgrp ldap "$PASSWORD_FILE"
+	chmod g+r "$PASSWORD_FILE"
+else
+	printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
+	printf "         load it's private key from the certificate database.\n" >&2
+fi
+
+touch "$ONCE_FILE"
+exit 0

SOURCES/libexec-update-ppolicy-schema.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# This script serves one purpose, to add a possibly missing attribute
+# to a ppolicy schema in a dynamic configuration of OpenLDAP. This
+# attribute was introduced in openldap-2.4.43 and slapd will not
+# start without it later on.
+#
+# The script tries to update in a directory given as first parameter,
+# or in /etc/openldap/slapd.d implicitly.
+#
+# Author: Matus Honek <mhonek@redhat.com>
+# Bugzilla: #1487857
+
+function log {
+    echo "Update dynamic configuration: " $@
+    true
+}
+
+function iferr {
+    if [ $? -ne 0 ]; then
+	log "ERROR: " $@
+	true
+    else
+	false
+    fi
+}
+
+function update {
+    set -u
+    shopt -s extglob
+
+    ORIGINAL="${1:-/etc/openldap/slapd.d}"
+    ORIGINAL="${ORIGINAL%*(/)}"
+
+    ### check if necessary
+    grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null
+    [ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0
+
+    ### prep
+    log "Prepare environment."
+
+    TEMPDIR=$(mktemp -d)
+    iferr "Could not create a temporary directory. Quitting." && return 1
+    DBDIR="${TEMPDIR}/db"
+    SUBDBDIR="${DBDIR}/cn=temporary"
+
+    mkdir "${DBDIR}"
+    iferr "Could not create temporary configuration directory. Quitting." && return 1
+    cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}"
+    iferr "Could not copy configuration. Quitting." && return 1
+
+    pushd "$TEMPDIR" >/dev/null
+
+    cat > temp.conf <<EOF
+database ldif
+suffix cn=temporary
+directory db
+access to * by * manage
+EOF
+
+    SOCKET="$(pwd)/socket"
+    LISTENER="ldapi://${SOCKET//\//%2F}"
+    CONN_PARAMS=("-Y" "EXTERNAL" "-H" "${LISTENER}")
+
+    slapd -f temp.conf -h "$LISTENER" -d 0 >/dev/null 2>&1 &
+    SLAPDPID="$!"
+    sleep 2
+
+    ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
+dn: cn=temporary
+objectClass: olcGlobal
+cn: temporary
+EOF
+    iferr "Could not populate the temporary database. Quitting." && return 1
+
+    ### update
+    log "Update with new pwdMaxRecordedFailure attribute."
+    FILTER="(&"
+    FILTER+="(olcObjectClasses=*'pwdPolicy'*)"
+    FILTER+="(!(olcObjectClasses=*'pwdPolicy'*'pwdMaxRecordedFailure'*))"
+    FILTER+="(!(olcAttributeTypes=*'pwdMaxRecordedFailure'*))"
+    FILTER+=")"
+    RES=$(ldapsearch ${CONN_PARAMS[@]} \
+		     -b cn=schema,cn=config,cn=temporary \
+		     -LLL \
+		     -o ldif-wrap=no \
+		     "$FILTER" \
+		     dn olcObjectClasses \
+		     2>/dev/null \
+	      | sed '/^$/d')
+    DN=$(printf "$RES" | grep '^dn:')
+    OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'")
+    NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }"
+
+    test $(echo "$DN" | wc -l) = 1
+    iferr "Received more than one DN. Cannot continue. Quitting." && return 1
+    test "$NEWOC" != "$OC"
+    iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1
+
+    ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
+$DN
+changetype: modify
+add: olcAttributeTypes
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
+ e' EQUALITY integerMatch ORDERING integerOrderingMatch  SYNTAX 1.3.6.1.4.1.
+ 1466.115.121.1.27 SINGLE-VALUE )
+-
+delete: olcObjectClasses
+$OC
+-
+add: olcObjectClasses
+$NEWOC
+EOF
+    iferr "Updating with new attribute failed. Quitting." && return 1
+
+    popd >/dev/null
+
+    ### apply
+    log "Apply changes."
+    cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup"
+    iferr "Backing up old configuration failed. Quitting." && return 1
+    cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL"
+    iferr "Applying new configuration failed. Quitting." && return 1
+
+    ### clean up
+    log "Clean up."
+    kill "$SLAPDPID"
+    SLAPDPID=
+    rm -rf "$TEMPDIR"
+    TEMPDIR=
+}
+
+SLAPDPID=
+TEMPDIR=
+update "$1"
+if [ $? -ne 0 ]; then
+    log "Clean up."
+    echo "$SLAPDPID"
+    echo "$TEMPDIR"
+    kill "$SLAPDPID"
+    rm -rf "$TEMPDIR"
+fi
+log "Finished."

SOURCES/libexec-upgrade-db.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this command."
+	exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+	upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+	bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+	# skip uninitialized database
+	[ -z "$bdb_files"]  || continue
+
+	printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+	# perform the update
+	for command in \
+		"/usr/bin/db_recover -v -h \"$dbdir\"" \
+		"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+		"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+	; do
+		printf "Executing: %s\n" "$command" &>>$upgrade_log
+		run_as_ldap "$command" &>>$upgrade_log
+		result=$?
+		printf "Exit code: %d\n" $result >>"$upgrade_log"
+		if [ $result -ne 0 ]; then
+			printf "Upgrade failed: %d\n" $result
+			retcode=1
+		fi
+	done
+done
+
+exit $retcode

SOURCES/openldap-ITS8428-init-sc_writewait.patch

@@ -0,0 +1,21 @@
+Backport upstream fix for a crash in back-relay when doing do_search.
+RHBZ: #1316450
+
+commit 2e60bf5ed00c1a8794131f53a6c72a78c0766e21
+Author: Howard Chu <hyc@openldap.org>
+Date:   Wed May 18 12:30:31 2016 +0100
+
+    ITS#8428 init sc_writewait
+
+diff --git a/servers/slapd/back-relay/op.c b/servers/slapd/back-relay/op.c
+index 4fdc08a..f7c1fee 100644
+--- a/servers/slapd/back-relay/op.c
++++ b/servers/slapd/back-relay/op.c
+@@ -97,6 +97,7 @@ relay_back_response_cb( Operation *op, SlapReply *rs )
+		(rcb)->rcb_sc.sc_next = (op)->o_callback;	\
+		(rcb)->rcb_sc.sc_response = relay_back_response_cb; \
+		(rcb)->rcb_sc.sc_cleanup = 0;			\
++		(rcb)->rcb_sc.sc_writewait = 0;			\
+		(rcb)->rcb_sc.sc_private = (op)->o_bd;		\
+		(op)->o_callback = (slap_callback *) (rcb);	\
+ }

SOURCES/openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch

@@ -0,0 +1,23 @@
+commit ec2fe743f5795eb7aaf43687e6b257ac071cef22
+Author: Ryan Tandy <ryan@nardis.ca>
+Date:   Wed May 17 20:07:39 2017 -0700
+
+    ITS#8655 fix double free on paged search with pagesize 0
+
+    Fixes a double free when a search includes the Paged Results control
+    with a page size of 0 and the search base matches the filter.
+
+diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c
+index 009939d..d0db918 100644
+--- a/servers/slapd/back-mdb/search.c
++++ b/servers/slapd/back-mdb/search.c
+@@ -1066,7 +1066,8 @@ notfound:
+			/* check size limit */
+			if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
+				if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
+-					mdb_entry_return( op, e );
++					if (e != base)
++						mdb_entry_return( op, e );
+					e = NULL;
+					send_paged_response( op, rs, &lastid, tentries );
+					goto done;

SOURCES/openldap-ai-addrconfig.patch

@@ -0,0 +1,20 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7326
+Resolves: #835013
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index b31e05d..fa361ab 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+
+ #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+	memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
+-	/* Use AI_ADDRCONFIG only on systems where its known to be needed. */
++#ifdef AI_ADDRCONFIG
+	hints.ai_flags = AI_ADDRCONFIG;
+ #endif
+	hints.ai_family = ldap_int_inet4or6;

SOURCES/openldap-allop-overlay.patch

@@ -0,0 +1,40 @@
+Compile AllOp together with other overlays.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #990893
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+	translucent.c \
+	unique.c \
+	valsort.c \
+-	smbk5pwd.c
++	smbk5pwd.c \
++	allop.c
+ OBJS = statover.o \
+	@SLAPD_STATIC_OVERLAYS@ \
+	overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
+
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ smbk5pwd.la : smbk5pwd.lo
+	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
++allop.lo : allop.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++allop.la : allop.lo
++	$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+	@if test -n "$?" ; then \
+		$(MKDIR) $(DESTDIR)$(moduledir); \

SOURCES/openldap-bdb_idl_fetch_key-correct-key-pointer.patch

@@ -0,0 +1,17 @@
+Correct key pointer usage in bdb_idl_fetch_key.
+
+Author: Shogo Matsumoto
+Resolves: #1356165
+
+diff --git a/servers/slapd/back-bdb/idl.c b/servers/slapd/back-bdb/idl.c
+--- a/servers/slapd/back-bdb/idl.c
++++ b/servers/slapd/back-bdb/idl.c
+@@ -628,7 +628,7 @@ bdb_idl_fetch_key(
+					BDB_DISK2ID( j, i );
+				}
+			}
+-			rc = cursor->c_get( cursor, key, &data, flags | DB_NEXT_DUP );
++			rc = cursor->c_get( cursor, kptr, &data, flags | DB_NEXT_DUP );
+		}
+		if ( rc == DB_NOTFOUND ) rc = 0;
+		ids[0] = i - ids;

SOURCES/openldap-fedora-systemd.patch

@@ -0,0 +1,22 @@
+Skip any empty parameters when parsing command line options.
+This is required because systemd does not expand variables the same way as shell does,
+we need it because of an empty SLAPD_OPTIONS in environment file.
+
+Fedora specific patch.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+
+diff --git a/servers/slapd/main.c b/servers/slapd/main.c
+index dac4864..83614f4 100644
+--- a/servers/slapd/main.c
++++ b/servers/slapd/main.c
+@@ -685,6 +685,10 @@ unhandled_option:;
+		}
+	}
+
++	/* skip empty parameters */
++	while ( optind < argc && *argv[optind] == '\0' )
++		optind += 1;
++
+	if ( optind != argc )
+		goto unhandled_option;

SOURCES/openldap-ldapi-sasl.patch

@@ -0,0 +1,54 @@
+From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 7 May 2013 17:02:57 +0200
+Subject: [PATCH] LDAPI SASL fix
+
+Resolves: #960222
+---
+ libraries/libldap/cyrus.c | 19 ++++++++++++++++---
+ 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
+
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 28c241b..a9acf36 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
+	struct berval	ccred = BER_BVNULL;
+	int saslrc, rc;
+	unsigned credlen;
++	char my_hostname[HOST_NAME_MAX + 1];
++	int free_saslhost = 0;
+
+	Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
+		mechs ? mechs : "<null>", 0, 0 );
+@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
+
+			/* If we don't need to canonicalize just use the host
+			 * from the LDAP URI.
++			 * Always use the result of gethostname() for LDAPI.
+			 */
+-			if ( nocanon )
++			if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
++			    strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
++				rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
++				if (rc == 0) {
++					saslhost = my_hostname;
++				} else {
++					saslhost = "localhost";
++				}
++			} else if ( nocanon )
+				saslhost = ld->ld_defconn->lconn_server->lud_host;
+-			else
++			else {
+				saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+				"localhost" );
++				free_saslhost = 1;
++			}
+			rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
+-			if ( !nocanon )
++			if ( free_saslhost )
+				LDAP_FREE( saslhost );
+		}
+
+--
+1.7.11.7

SOURCES/openldap-ldaprc-currentdir.patch

@@ -0,0 +1,20 @@
+Disables opening of ldaprc file in current directory.
+
+Resolves: #38402
+Upstream: ITS #1131
+Author: Henning Schmiedehausen <hps@intermeta.de>
+
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 8617527..e6b17b4 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -352,9 +352,6 @@ static void openldap_ldap_init_w_userconf(const char *file)
+	if(path != NULL) {
+		LDAP_FREE(path);
+	}
+-
+-	/* try file */
+-	openldap_ldap_init_w_conf(file, 1);
+ }
+
+ static void openldap_ldap_init_w_env(

SOURCES/openldap-man-ldap-conf.patch

@@ -0,0 +1,25 @@
+This patch makes clear what is the actual behavior in RHEL due to bug #38402.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1498841
+
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -25,7 +25,7 @@ in their home directory which will be used to override the system-wide
+ defaults file.
+ The file
+ .I ldaprc
+-in the current working directory is also used.
++in the current working directory is \fBNOT\fP used (this differs from upstream).
+ .LP
+ .LP
+ Additional configuration files can be specified using
+@@ -50,7 +50,7 @@ Thus the following files and variables are read, in order:
+ .nf
+     variable     $LDAPNOINIT, and if that is not set:
+     system file  ETCDIR/ldap.conf,
+-    user files   $HOME/ldaprc,  $HOME/.ldaprc,  ./ldaprc,
++    user files   $HOME/ldaprc,  $HOME/.ldaprc,  (\fBNOT\fP ./ldaprc, see above),
+     system file  $LDAPCONF,
+     user files   $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
+     variables    $LDAP<uppercase option name>.

SOURCES/openldap-man-sasl-nocanon.patch

@@ -0,0 +1,22 @@
+fix: SASL_NOCANON option missing in ldap.conf manual page
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7177
+Resolves: #732915
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 51f774f..5f17122 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -284,6 +284,9 @@ description).  The default is
+ specifies the maximum security layer receive buffer
+ size allowed.  0 disables security layers.  The default is 65536.
+ .RE
++.TP
++.B SASL_NOCANON <on/true/yes/off/false/no>
++Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off.
+ .SH GSSAPI OPTIONS
+ If OpenLDAP is built with Generic Security Services Application Programming Interface support,
+ there are more options you can specify.
+--
+1.7.6.5

SOURCES/openldap-man-tls-reqcert.patch

@@ -0,0 +1,52 @@
+From f7027b3118ea90d616d0ddeeb348f15ba91cd08b Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jsynacek@redhat.com>
+Date: Wed, 13 Nov 2013 13:34:06 +0100
+Subject: [PATCH] Fix client manpage
+
+---
+ doc/man/man5/ldap.conf.5 | 18 ++++++++----------
+ 1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 7f5bc64..bef0672 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -431,8 +431,8 @@ The environment variable RANDFILE can also be used to specify the filename.
+ This parameter is ignored with GnuTLS and Mozilla NSS.
+ .TP
+ .B TLS_REQCERT <level>
+-Specifies what checks to perform on server certificates in a TLS session,
+-if any. The
++Specifies what checks to perform on server certificates in a TLS session.
++The
+ .B <level>
+ can be specified as one of the following keywords:
+ .RS
+@@ -441,19 +441,17 @@ can be specified as one of the following keywords:
+ The client will not request or check any server certificate.
+ .TP
+ .B allow
+-The server certificate is requested. If no certificate is provided,
+-the session proceeds normally. If a bad certificate is provided, it will
++The server certificate is requested.  If a bad certificate is provided, it will
+ be ignored and the session proceeds normally.
+ .TP
+ .B try
+-The server certificate is requested. If no certificate is provided,
+-the session proceeds normally. If a bad certificate is provided,
+-the session is immediately terminated.
++The server certificate is requested. If a bad certificate is provided, the
++session is immediately terminated.
+ .TP
+ .B demand | hard
+-These keywords are equivalent. The server certificate is requested. If no
+-certificate is provided, or a bad certificate is provided, the session
+-is immediately terminated. This is the default setting.
++These keywords are equivalent and semantically same as
++.BR try .
++This is the default setting.
+ .RE
+ .TP
+ .B TLS_CRLCHECK <level>
+--
+1.8.3.1

SOURCES/openldap-manpages.patch

@@ -0,0 +1,72 @@
+Various manual pages changes:
+* removes LIBEXECDIR from slapd.8
+* removes references to non-existing manpages (bz 624616)
+
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 3def6da..466c772 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
+ .BR ldap_add_ext (3),
+ .BR ldap_delete_ext (3),
+ .BR ldap_modify_ext (3),
+-.BR ldap_modrdn_ext (3),
+-.BR ldif (5).
++.BR ldif (5)
+ .SH AUTHOR
+ The OpenLDAP Project <http://www.openldap.org/>
+ .SH ACKNOWLEDGEMENTS
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cfde143..63592cb 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -317,6 +317,7 @@ certificates in separate individual files. The
+ .B TLS_CACERT
+ is always used before
+ .B TLS_CACERTDIR.
++The specified directory must be managed with the OpenSSL c_rehash utility.
+ This parameter is ignored with GnuTLS.
+
+ When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
+index b739f4d..e2a1a00 100644
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd
++.B slapd
+ [\c
+ .BR \-4 | \-6 ]
+ [\c
+@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd
++	slapd
+ .ft
+ .fi
+ .LP
+@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++	slapd -f /var/tmp/slapd.conf -d 255
+ .ft
+ .fi
+ .LP
+@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-Tt
++	slapd -Tt
+ .ft
+ .fi
+ .LP
+--
+1.8.1.4

SOURCES/openldap-missing-unlock-in-accesslog-overlay.patch

@@ -0,0 +1,24 @@
+A mutex lock might not get unlocked when plausible
+
+In the preceding if-statement a mutex may get locked. This is unlocked on
+'done' label, but not called when plausible. Based on the current code logic
+this seems to not be able to happen, but might when code gets changed at
+some point in time. This patch fixes the issue.
+
+The issue was found by Coverity scan
+http://cov01.lab.eng.brq.redhat.com/covscanhub/waiving/11054/38577/
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1261003
+
+--- a/servers/slapd/overlays/accesslog.c
++++ b/servers/slapd/overlays/accesslog.c
+@@ -1519,7 +1519,7 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
+
+	/* ignore these internal reads */
+	if (( lo->mask & LOG_OP_READS ) && op->o_do_not_cache ) {
+-		return SLAP_CB_CONTINUE;
++		goto done;
+	}
+
+	if ( li->li_success && rs->sr_err != LDAP_SUCCESS )

SOURCES/openldap-module-passwd-sha2.patch

@@ -0,0 +1,42 @@
+Include sha2 module
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -35,7 +35,8 @@ SRCS = overlays.c \
+	unique.c \
+	valsort.c \
+	smbk5pwd.c \
+-	allop.c
++	allop.c \
++	sha2.c slapd-sha2.c
+ OBJS = statover.o \
+	@SLAPD_STATIC_OVERLAYS@ \
+	overlays.o
+@@ -55,7 +56,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la
+
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -139,6 +140,15 @@ allop.lo : allop.c
+ allop.la : allop.lo
+	$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
++sha2.lo : sha2.c
++	$(LTCOMPILE_MOD) $<
++
++slapd-sha2.lo : slapd-sha2.c
++	$(LTCOMPILE_MOD) $<
++
++pw-sha2.la : sha2.lo slapd-sha2.lo
++	$(LTLINK_MOD) -module -o $@ $? version.lo $(LINK_LIBS)
++
+ install-local:	$(PROGRAMS)
+	@if test -n "$?" ; then \
+		$(MKDIR) $(DESTDIR)$(moduledir); \

SOURCES/openldap-ppolicy-loglevels.patch

@@ -0,0 +1,35 @@
+Correct log levels in ppolicy overlay.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1356158
+
+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
+--- a/servers/slapd/overlays/ppolicy.c
++++ b/servers/slapd/overlays/ppolicy.c
+@@ -643,7 +643,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+		if ((mod = lt_dlopen( pp->pwdCheckModule )) == NULL) {
+			err = lt_dlerror();
+
+-			Debug(LDAP_DEBUG_ANY,
++			Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+			"check_password_quality: lt_dlopen failed: (%s) %s.\n",
+				pp->pwdCheckModule, err, 0 );
+			ok = LDAP_OTHER; /* internal error */
+@@ -658,7 +658,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+			if ((prog = lt_dlsym( mod, "check_password" )) == NULL) {
+				err = lt_dlerror();
+
+-				Debug(LDAP_DEBUG_ANY,
++				Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+					"check_password_quality: lt_dlsym failed: (%s) %s.\n",
+					pp->pwdCheckModule, err, 0 );
+				ok = LDAP_OTHER;
+@@ -667,7 +667,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+				ok = prog( ptr, txt, e );
+				ldap_pvt_thread_mutex_unlock( &chk_syntax_mutex );
+				if (ok != LDAP_SUCCESS) {
+-					Debug(LDAP_DEBUG_ANY,
++					Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+						"check_password_quality: module error: (%s) %s.[%d]\n",
+						pp->pwdCheckModule, *txt ? *txt : "", ok );
+				}

SOURCES/openldap-reentrant-gethostby.patch

@@ -0,0 +1,33 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton <jlayton@redhat.com>
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index 373c81c..a012062 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+
+ #else
+ # include <ldap_pvt_thread.h>
+@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))

SOURCES/openldap-smbk5pwd-overlay.patch

@@ -0,0 +1,61 @@
+Compile smbk5pwd together with other overlays.
+
+Author: Jan Šafránek <jsafrane@redhat.com>
+Resolves: #550895
+
+Update to link against OpenSSL
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #841560
+
+diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
+index f20ad94..b6433ff 100644
+--- a/contrib/slapd-modules/smbk5pwd/README
++++ b/contrib/slapd-modules/smbk5pwd/README
+@@ -1,3 +1,8 @@
++******************************************************************************
++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
++******************************************************************************
++
+ This directory contains a slapd overlay, smbk5pwd, that extends the
+ PasswordModify Extended Operation to update Kerberos keys and Samba
+ password hashes for an LDAP user.
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index 3af20e8..ef73663 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+	syncprov.c \
+	translucent.c \
+	unique.c \
+-	valsort.c
++	valsort.c \
++	smbk5pwd.c
+ OBJS = statover.o \
+	@SLAPD_STATIC_OVERLAYS@ \
+	overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+ valsort.la : valsort.lo
+	$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+
++smbk5pwd.lo : smbk5pwd.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++smbk5pwd.la : smbk5pwd.lo
++	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+	@if test -n "$?" ; then \
+		$(MKDIR) $(DESTDIR)$(moduledir); \
+--
+1.7.10.4

SOURCES/openldap-sql-linking.patch

@@ -0,0 +1,14 @@
+Removes unnecessary linking of SQL libraries into slapd. This makes openldap-servers package
+independent on libodbc. (SQL backend is packaged separately in openldap-servers-sql.)
+
+--- openldap-2.4.24.orig/build/top.mk
++++ openldap-2.4.24/build/top.mk
+@@ -201,7 +201,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@
+ SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@
+ SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@
+
+-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS)
++SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS)
+
+ # Our Defaults
+ CC = $(AC_CC)

SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch

@@ -0,0 +1,41 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
+
+Proof of concept for fixing http://bugs.debian.org/327585
+(patch ported from freeradius bug http://bugs.debian.org/416266)
+
+Resolves: #960048
+---
+--- openldap/servers/slapd/module.c.orig	2010-05-18 17:42:04.000000000 +0200
++++ openldap/servers/slapd/module.c	2010-05-18 17:45:46.000000000 +0200
+@@ -117,6 +117,20 @@
+	return -1;	/* not found */
+ }
+
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++	lt_dlhandle handle = 0;
++	lt_dladvise advise;
++
++	if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++			&& !lt_dladvise_global (&advise))
++		handle = lt_dlopenadvise (filename, advise);
++
++	lt_dladvise_destroy (&advise);
++
++	return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+	module_loaded_t *module;
+@@ -180,7 +194,7 @@
+	 * to calling Debug. This is because Debug is a macro that expands
+	 * into multiple function calls.
+	 */
+-	if ((module->lib = lt_dlopenext(file)) == NULL) {
++	if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+		error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+		strcpy( ebuf, error );

SOURCES/openldap-syncrepl-unset-tls-options.patch

@@ -0,0 +1,62 @@
+allow unsetting of tls_* syncrepl options
+
+Author: Patrick Monnerat <pm@datasphere.ch>
+Upstream ITS: #7042
+Resolves: #734187
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 654a4bf..10b993b 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -735,27 +735,27 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+		return 0;
+	case LDAP_OPT_X_TLS_CACERTFILE:
+		if ( lo->ldo_tls_cacertfile ) LDAP_FREE( lo->ldo_tls_cacertfile );
+-		lo->ldo_tls_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_cacertfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+		return 0;
+	case LDAP_OPT_X_TLS_CACERTDIR:
+		if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir );
+-		lo->ldo_tls_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_cacertdir = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+		return 0;
+	case LDAP_OPT_X_TLS_CERTFILE:
+		if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile );
+-		lo->ldo_tls_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_certfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+		return 0;
+	case LDAP_OPT_X_TLS_KEYFILE:
+		if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile );
+-		lo->ldo_tls_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_keyfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+		return 0;
+	case LDAP_OPT_X_TLS_DHFILE:
+		if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+-		lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+		return 0;
+	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
+		if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+-		lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+		return 0;
+	case LDAP_OPT_X_TLS_REQUIRE_CERT:
+		if ( !arg ) return -1;
+@@ -783,7 +783,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ #endif
+	case LDAP_OPT_X_TLS_CIPHER_SUITE:
+		if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite );
+-		lo->ldo_tls_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_ciphersuite = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+		return 0;
+
+	case LDAP_OPT_X_TLS_PROTOCOL_MIN:
+@@ -794,7 +794,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+		if ( ld != NULL )
+			return -1;
+		if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile );
+-		lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		lo->ldo_tls_randfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL;
+		break;
+	case LDAP_OPT_X_TLS_NEWCTX:
+		if ( !arg ) return -1;

SOURCES/openldap-userconfig-setgid.patch

@@ -0,0 +1,17 @@
+Normally, skips reading of user configuration file when running with different effective UID.
+This patch adds the same behavior for GID.
+
+Author: Nalin Dahyabhai <nalin@redhat.com>
+
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index e6b17b4..fbf4829 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -678,7 +678,7 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl )
+	openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
+
+ #ifdef HAVE_GETEUID
+-	if ( geteuid() != getuid() )
++	if ( geteuid() != getuid() || getegid() != getgid() )
+		return;
+ #endif

SOURCES/slapd.ldif

@@ -0,0 +1,148 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+#
+# TLS settings
+#
+olcTLSCACertificatePath: /etc/openldap/certs
+olcTLSCertificateFile: "OpenLDAP Server"
+olcTLSCertificateKeyFile: /etc/openldap/certs/password
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath:	/usr/lib/openldap
+#olcModulepath:	/usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+#	by self write
+#	by users read
+#	by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: hdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory:	/var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

SOURCES/slapd.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+PIDFile=/var/run/openldap/slapd.pid
+Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
+EnvironmentFile=/etc/sysconfig/slapd
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+
+[Install]
+WantedBy=multi-user.target

SOURCES/slapd.sysconfig

@@ -0,0 +1,15 @@
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+# - ldapi:/// is required for on-the-fly configuration using client tools
+#   (use SASL with EXTERNAL mechanism for authentication)
+# - default: ldapi:/// ldap:///
+# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
+SLAPD_URLS="ldapi:/// ldap:///"
+
+# Any custom options
+#SLAPD_OPTIONS=""
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

SOURCES/slapd.tmpfiles

@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -