basebuilder_pel7ppc64bebuilder0
6 years ago
38 changed files with 6045 additions and 0 deletions
@ -0,0 +1,124 @@ |
|||||||
|
Correct log levels in check_password module. |
||||||
|
|
||||||
|
Author: Matus Honek <mhonek@redhat.com> |
||||||
|
Resolves: #1356158 |
||||||
|
|
||||||
|
diff --git a/check_password.c b/check_password.c |
||||||
|
--- a/check_password.c |
||||||
|
+++ b/check_password.c |
||||||
|
@@ -108,7 +108,7 @@ char* chomp(char *s) |
||||||
|
static int set_quality (char *value) |
||||||
|
{ |
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Setting quality to [%s]", value); |
||||||
|
+ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value); |
||||||
|
#endif |
||||||
|
|
||||||
|
/* No need to require more quality than we can check for. */ |
||||||
|
@@ -120,7 +120,7 @@ static int set_quality (char *value) |
||||||
|
static int set_cracklib (char *value) |
||||||
|
{ |
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Setting cracklib usage to [%s]", value); |
||||||
|
+ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value); |
||||||
|
#endif |
||||||
|
|
||||||
|
|
||||||
|
@@ -131,7 +131,7 @@ static int set_cracklib (char *value) |
||||||
|
static int set_digit (char *value) |
||||||
|
{ |
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value); |
||||||
|
+ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value); |
||||||
|
#endif |
||||||
|
if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0; |
||||||
|
return (int) (value[0] - '0'); |
||||||
|
@@ -152,14 +152,14 @@ static validator valid_word (char *word) |
||||||
|
int index = 0; |
||||||
|
|
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Validating parameter [%s]", word); |
||||||
|
+ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word); |
||||||
|
#endif |
||||||
|
|
||||||
|
while (list[index].parameter != NULL) { |
||||||
|
if (strlen(word) == strlen(list[index].parameter) && |
||||||
|
strcmp(list[index].parameter, word) == 0) { |
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Parameter accepted."); |
||||||
|
+ syslog(LOG_DEBUG, "check_password: Parameter accepted."); |
||||||
|
#endif |
||||||
|
return list[index].dealer; |
||||||
|
} |
||||||
|
@@ -167,7 +167,7 @@ static validator valid_word (char *word) |
||||||
|
} |
||||||
|
|
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Parameter rejected."); |
||||||
|
+ syslog(LOG_DEBUG, "check_password: Parameter rejected."); |
||||||
|
#endif |
||||||
|
|
||||||
|
return NULL; |
||||||
|
@@ -203,7 +203,7 @@ static int read_config_file () |
||||||
|
|
||||||
|
#if defined(DEBUG) |
||||||
|
/* Debug traces to syslog. */ |
||||||
|
- syslog(LOG_NOTICE, "check_password: Got line |%s|", line); |
||||||
|
+ syslog(LOG_DEBUG, "check_password: Got line |%s|", line); |
||||||
|
#endif |
||||||
|
|
||||||
|
while (isspace(*start) && isascii(*start)) start++; |
||||||
|
@@ -212,7 +212,7 @@ static int read_config_file () |
||||||
|
if ( ispunct(*start)) { |
||||||
|
#if defined(DEBUG) |
||||||
|
/* Debug traces to syslog. */ |
||||||
|
- syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); |
||||||
|
+ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line); |
||||||
|
#endif |
||||||
|
continue; |
||||||
|
} |
||||||
|
@@ -227,7 +227,7 @@ static int read_config_file () |
||||||
|
if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { |
||||||
|
|
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); |
||||||
|
+ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value); |
||||||
|
#endif |
||||||
|
|
||||||
|
centry[i].value = chomp(value); |
||||||
|
@@ -319,7 +319,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) |
||||||
|
if ( !nLower && (minLower < 1)) { |
||||||
|
nLower = 1; nQuality++; |
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Found lower character - quality raise %d", nQuality); |
||||||
|
+ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality); |
||||||
|
#endif |
||||||
|
} |
||||||
|
continue; |
||||||
|
@@ -330,7 +330,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) |
||||||
|
if ( !nUpper && (minUpper < 1)) { |
||||||
|
nUpper = 1; nQuality++; |
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Found upper character - quality raise %d", nQuality); |
||||||
|
+ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality); |
||||||
|
#endif |
||||||
|
} |
||||||
|
continue; |
||||||
|
@@ -341,7 +341,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) |
||||||
|
if ( !nDigit && (minDigit < 1)) { |
||||||
|
nDigit = 1; nQuality++; |
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Found digit character - quality raise %d", nQuality); |
||||||
|
+ syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality); |
||||||
|
#endif |
||||||
|
} |
||||||
|
continue; |
||||||
|
@@ -352,7 +352,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) |
||||||
|
if ( !nPunct && (minPunct < 1)) { |
||||||
|
nPunct = 1; nQuality++; |
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Found punctuation character - quality raise %d", nQuality); |
||||||
|
+ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality); |
||||||
|
#endif |
||||||
|
} |
||||||
|
continue; |
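Review bot: The three config-parser traces in set_quality(), set_cracklib() and set_digit() are only lowered to LOG_INFO while every other trace in this patch drops to LOG_DEBUG, so the parsed policy values still reach info-level logs on every password change; unless that split is deliberate, `syslog(LOG_DEBUG, "check_password: Setting quality to [%s]", value);` and its two siblings would match the rest. The `Found lower/upper/digit/punctuation character - quality raise %d` traces in check_password() also tell a log reader which character classes the new password contains, which is password-composition information that arguably should not reach syslog at any level; consider logging only the running `nQuality` without the class name, or dropping those four traces. All of these stay under `#if defined(DEBUG)`, so whether they are compiled into the shipped module depends on the build flags, which are outside this patch. The set_* functions and check_password() continue beyond the hunks shown.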
@ -0,0 +1,41 @@ |
|||||||
|
--- a/Makefile 2009-10-31 18:59:06.000000000 +0100 |
||||||
|
+++ b/Makefile 2014-12-17 09:42:37.586079225 +0100 |
||||||
|
@@ -13,22 +13,11 @@ |
||||||
|
# |
||||||
|
CONFIG=/etc/openldap/check_password.conf |
||||||
|
|
||||||
|
-OPT=-g -O2 -Wall -fpic \ |
||||||
|
- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ |
||||||
|
- -DCONFIG_FILE="\"$(CONFIG)\"" \ |
||||||
|
+CFLAGS+=-fpic \ |
||||||
|
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ |
||||||
|
+ -DCONFIG_FILE="\"$(CONFIG)\"" \ |
||||||
|
-DDEBUG |
||||||
|
|
||||||
|
-# Where to find the OpenLDAP headers. |
||||||
|
-# |
||||||
|
-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \ |
||||||
|
- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd |
||||||
|
- |
||||||
|
-# Where to find the CrackLib headers. |
||||||
|
-# |
||||||
|
-CRACK_INC= |
||||||
|
- |
||||||
|
-INCS=$(LDAP_INC) $(CRACK_INC) |
||||||
|
- |
||||||
|
LDAP_LIB=-lldap_r -llber |
||||||
|
|
||||||
|
# Comment out this line if you do NOT want to use the cracklib. |
||||||
|
@@ -45,10 +34,10 @@ |
||||||
|
all: check_password |
||||||
|
|
||||||
|
check_password.o: |
||||||
|
- $(CC) $(OPT) -c $(INCS) check_password.c |
||||||
|
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c |
||||||
|
|
||||||
|
check_password: clean check_password.o |
||||||
|
- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) |
||||||
|
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) |
||||||
|
|
||||||
|
install: check_password |
||||||
|
cp -f check_password.so ../../../usr/lib/openldap/modules/ |
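Review bot: The new `CFLAGS+=` line keeps the `-DDEBUG` continuation in the default build, so every `#if defined(DEBUG)` syslog trace in check_password.c — the config-line dumps and the per-character-class password traces — is compiled into the module that ships, not just into developer builds. Gating it keeps the diagnostics available without defaulting to them: `ifeq ($(DEBUG),1)` / `CFLAGS+=-DDEBUG` / `endif` in place of the bare `-DDEBUG` line. Appending to `CFLAGS`/`LDFLAGS` rather than overriding them is the right call, since it lets the packager's hardening flags reach this module. Note that `$(LDAP_INC)` is still used in the compile rule after its definition was removed, so the build now relies on that variable coming from the environment or on the slapd headers being on the default include path.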
@ -0,0 +1,321 @@ |
|||||||
|
--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100 |
||||||
|
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100 |
||||||
|
@@ -10,7 +10,7 @@ |
||||||
|
#include <slap.h> |
||||||
|
|
||||||
|
#ifdef HAVE_CRACKLIB |
||||||
|
-#include "crack.h" |
||||||
|
+#include <crack.h> |
||||||
|
#endif |
||||||
|
|
||||||
|
#if defined(DEBUG) |
||||||
|
@@ -34,18 +34,77 @@ |
||||||
|
#define PASSWORD_TOO_SHORT_SZ \ |
||||||
|
"Password for dn=\"%s\" is too short (%d/6)" |
||||||
|
#define PASSWORD_QUALITY_SZ \ |
||||||
|
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)" |
||||||
|
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)" |
||||||
|
#define BAD_PASSWORD_SZ \ |
||||||
|
"Bad password for dn=\"%s\" because %s" |
||||||
|
+#define UNKNOWN_ERROR_SZ \ |
||||||
|
+ "An unknown error occurred, please see your systems administrator" |
||||||
|
|
||||||
|
typedef int (*validator) (char*); |
||||||
|
-static int read_config_file (char *); |
||||||
|
+static int read_config_file (); |
||||||
|
static validator valid_word (char *); |
||||||
|
static int set_quality (char *); |
||||||
|
static int set_cracklib (char *); |
||||||
|
|
||||||
|
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); |
||||||
|
|
||||||
|
+struct config_entry { |
||||||
|
+ char* key; |
||||||
|
+ char* value; |
||||||
|
+ char* def_value; |
||||||
|
+} config_entries[] = { { "minPoints", NULL, "3"}, |
||||||
|
+ { "useCracklib", NULL, "1"}, |
||||||
|
+ { "minUpper", NULL, "0"}, |
||||||
|
+ { "minLower", NULL, "0"}, |
||||||
|
+ { "minDigit", NULL, "0"}, |
||||||
|
+ { "minPunct", NULL, "0"}, |
||||||
|
+ { NULL, NULL, NULL }}; |
||||||
|
+ |
||||||
|
+int get_config_entry_int(char* entry) { |
||||||
|
+ struct config_entry* centry = config_entries; |
||||||
|
+ |
||||||
|
+ int i = 0; |
||||||
|
+ char* key = centry[i].key; |
||||||
|
+ while (key != NULL) { |
||||||
|
+ if ( strncmp(key, entry, strlen(key)) == 0 ) { |
||||||
|
+ if ( centry[i].value == NULL ) { |
||||||
|
+ return atoi(centry[i].def_value); |
||||||
|
+ } |
||||||
|
+ else { |
||||||
|
+ return atoi(centry[i].value); |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
+ i++; |
||||||
|
+ key = centry[i].key; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ return -1; |
||||||
|
+} |
||||||
|
+ |
||||||
|
+void dealloc_config_entries() { |
||||||
|
+ struct config_entry* centry = config_entries; |
||||||
|
+ |
||||||
|
+ int i = 0; |
||||||
|
+ while (centry[i].key != NULL) { |
||||||
|
+ if ( centry[i].value != NULL ) { |
||||||
|
+ ber_memfree(centry[i].value); |
||||||
|
+ } |
||||||
|
+ i++; |
||||||
|
+ } |
||||||
|
+} |
||||||
|
+ |
||||||
|
+char* chomp(char *s) |
||||||
|
+{ |
||||||
|
+ char* t = ber_memalloc(strlen(s)+1); |
||||||
|
+ strncpy (t,s,strlen(s)+1); |
||||||
|
+ |
||||||
|
+ if ( t[strlen(t)-1] == '\n' ) { |
||||||
|
+ t[strlen(t)-1] = '\0'; |
||||||
|
+ } |
||||||
|
+ |
||||||
|
+ return t; |
||||||
|
+} |
||||||
|
+ |
||||||
|
static int set_quality (char *value) |
||||||
|
{ |
||||||
|
#if defined(DEBUG) |
||||||
|
@@ -84,12 +143,12 @@ |
||||||
|
char * parameter; |
||||||
|
validator dealer; |
||||||
|
} list[] = { { "minPoints", set_quality }, |
||||||
|
- { "useCracklib", set_cracklib }, |
||||||
|
- { "minUpper", set_digit }, |
||||||
|
- { "minLower", set_digit }, |
||||||
|
- { "minDigit", set_digit }, |
||||||
|
- { "minPunct", set_digit }, |
||||||
|
- { NULL, NULL } }; |
||||||
|
+ { "useCracklib", set_cracklib }, |
||||||
|
+ { "minUpper", set_digit }, |
||||||
|
+ { "minLower", set_digit }, |
||||||
|
+ { "minDigit", set_digit }, |
||||||
|
+ { "minPunct", set_digit }, |
||||||
|
+ { NULL, NULL } }; |
||||||
|
int index = 0; |
||||||
|
|
||||||
|
#if defined(DEBUG) |
||||||
|
@@ -98,7 +157,7 @@ |
||||||
|
|
||||||
|
while (list[index].parameter != NULL) { |
||||||
|
if (strlen(word) == strlen(list[index].parameter) && |
||||||
|
- strcmp(list[index].parameter, word) == 0) { |
||||||
|
+ strcmp(list[index].parameter, word) == 0) { |
||||||
|
#if defined(DEBUG) |
||||||
|
syslog(LOG_NOTICE, "check_password: Parameter accepted."); |
||||||
|
#endif |
||||||
|
@@ -114,13 +173,15 @@ |
||||||
|
return NULL; |
||||||
|
} |
||||||
|
|
||||||
|
-static int read_config_file (char *keyWord) |
||||||
|
+static int read_config_file () |
||||||
|
{ |
||||||
|
FILE * config; |
||||||
|
char * line; |
||||||
|
int returnValue = -1; |
||||||
|
|
||||||
|
- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) { |
||||||
|
+ line = ber_memcalloc(260, sizeof(char)); |
||||||
|
+ |
||||||
|
+ if ( line == NULL ) { |
||||||
|
return returnValue; |
||||||
|
} |
||||||
|
|
||||||
|
@@ -133,6 +194,8 @@ |
||||||
|
return returnValue; |
||||||
|
} |
||||||
|
|
||||||
|
+ returnValue = 0; |
||||||
|
+ |
||||||
|
while (fgets(line, 256, config) != NULL) { |
||||||
|
char *start = line; |
||||||
|
char *word, *value; |
||||||
|
@@ -145,23 +208,40 @@ |
||||||
|
|
||||||
|
while (isspace(*start) && isascii(*start)) start++; |
||||||
|
|
||||||
|
- if (! isascii(*start)) |
||||||
|
+ /* If we've got punctuation, just skip the line. */ |
||||||
|
+ if ( ispunct(*start)) { |
||||||
|
+#if defined(DEBUG) |
||||||
|
+ /* Debug traces to syslog. */ |
||||||
|
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); |
||||||
|
+#endif |
||||||
|
continue; |
||||||
|
+ } |
||||||
|
|
||||||
|
- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) { |
||||||
|
- if ((value = strtok(NULL, " \t")) == NULL) |
||||||
|
- continue; |
||||||
|
+ if( isascii(*start)) { |
||||||
|
+ |
||||||
|
+ struct config_entry* centry = config_entries; |
||||||
|
+ int i = 0; |
||||||
|
+ char* keyWord = centry[i].key; |
||||||
|
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) { |
||||||
|
+ while ( keyWord != NULL ) { |
||||||
|
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { |
||||||
|
|
||||||
|
#if defined(DEBUG) |
||||||
|
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); |
||||||
|
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); |
||||||
|
#endif |
||||||
|
|
||||||
|
- returnValue = (*dealer)(value); |
||||||
|
+ centry[i].value = chomp(value); |
||||||
|
+ break; |
||||||
|
+ } |
||||||
|
+ i++; |
||||||
|
+ keyWord = centry[i].key; |
||||||
|
+ } |
||||||
|
+ } |
||||||
|
} |
||||||
|
} |
||||||
|
- |
||||||
|
fclose(config); |
||||||
|
ber_memfree(line); |
||||||
|
+ |
||||||
|
return returnValue; |
||||||
|
} |
||||||
|
|
||||||
|
@@ -170,7 +250,7 @@ |
||||||
|
if (curlen < nextlen + MEMORY_MARGIN) { |
||||||
|
#if defined(DEBUG) |
||||||
|
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d", |
||||||
|
- curlen, nextlen + MEMORY_MARGIN); |
||||||
|
+ curlen, nextlen + MEMORY_MARGIN); |
||||||
|
#endif |
||||||
|
ber_memfree(*target); |
||||||
|
curlen = nextlen + MEMORY_MARGIN; |
||||||
|
@@ -180,7 +260,7 @@ |
||||||
|
return curlen; |
||||||
|
} |
||||||
|
|
||||||
|
- int |
||||||
|
+int |
||||||
|
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) |
||||||
|
{ |
||||||
|
|
||||||
|
@@ -210,20 +290,22 @@ |
||||||
|
nLen = strlen (pPasswd); |
||||||
|
if ( nLen < 6) { |
||||||
|
mem_len = realloc_error_message(&szErrStr, mem_len, |
||||||
|
- strlen(PASSWORD_TOO_SHORT_SZ) + |
||||||
|
- strlen(pEntry->e_name.bv_val) + 1); |
||||||
|
+ strlen(PASSWORD_TOO_SHORT_SZ) + |
||||||
|
+ strlen(pEntry->e_name.bv_val) + 1); |
||||||
|
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen); |
||||||
|
goto fail; |
||||||
|
} |
||||||
|
|
||||||
|
- /* Read config file */ |
||||||
|
- minQuality = read_config_file("minPoints"); |
||||||
|
+ if (read_config_file() == -1) { |
||||||
|
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE); |
||||||
|
+ } |
||||||
|
|
||||||
|
- useCracklib = read_config_file("useCracklib"); |
||||||
|
- minUpper = read_config_file("minUpper"); |
||||||
|
- minLower = read_config_file("minLower"); |
||||||
|
- minDigit = read_config_file("minDigit"); |
||||||
|
- minPunct = read_config_file("minPunct"); |
||||||
|
+ minQuality = get_config_entry_int("minPoints"); |
||||||
|
+ useCracklib = get_config_entry_int("useCracklib"); |
||||||
|
+ minUpper = get_config_entry_int("minUpper"); |
||||||
|
+ minLower = get_config_entry_int("minLower"); |
||||||
|
+ minDigit = get_config_entry_int("minDigit"); |
||||||
|
+ minPunct = get_config_entry_int("minPunct"); |
||||||
|
|
||||||
|
/** The password must have at least minQuality strength points with one |
||||||
|
* point for the first occurrance of a lower, upper, digit and |
||||||
|
@@ -232,8 +314,6 @@ |
||||||
|
|
||||||
|
for ( i = 0; i < nLen; i++ ) { |
||||||
|
|
||||||
|
- if ( nQuality >= minQuality ) break; |
||||||
|
- |
||||||
|
if ( islower (pPasswd[i]) ) { |
||||||
|
minLower--; |
||||||
|
if ( !nLower && (minLower < 1)) { |
||||||
|
@@ -279,12 +359,23 @@ |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
- if ( nQuality < minQuality ) { |
||||||
|
+ /* |
||||||
|
+ * If you have a required field, then it should be required in the strength |
||||||
|
+ * checks. |
||||||
|
+ */ |
||||||
|
+ |
||||||
|
+ if ( |
||||||
|
+ (minLower > 0 ) || |
||||||
|
+ (minUpper > 0 ) || |
||||||
|
+ (minDigit > 0 ) || |
||||||
|
+ (minPunct > 0 ) || |
||||||
|
+ (nQuality < minQuality) |
||||||
|
+ ) { |
||||||
|
mem_len = realloc_error_message(&szErrStr, mem_len, |
||||||
|
- strlen(PASSWORD_QUALITY_SZ) + |
||||||
|
- strlen(pEntry->e_name.bv_val) + 2); |
||||||
|
+ strlen(PASSWORD_QUALITY_SZ) + |
||||||
|
+ strlen(pEntry->e_name.bv_val) + 2); |
||||||
|
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val, |
||||||
|
- nQuality, minQuality); |
||||||
|
+ nQuality, minQuality); |
||||||
|
goto fail; |
||||||
|
} |
||||||
|
|
||||||
|
@@ -306,7 +397,7 @@ |
||||||
|
for ( j = 0; j < 3; j++ ) { |
||||||
|
|
||||||
|
snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \ |
||||||
|
- CRACKLIB_DICTPATH, ext[j]); |
||||||
|
+ CRACKLIB_DICTPATH, ext[j]); |
||||||
|
|
||||||
|
if (( fp = fopen ( filename, "r")) == NULL ) { |
||||||
|
|
||||||
|
@@ -326,9 +417,9 @@ |
||||||
|
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH); |
||||||
|
if ( r != NULL ) { |
||||||
|
mem_len = realloc_error_message(&szErrStr, mem_len, |
||||||
|
- strlen(BAD_PASSWORD_SZ) + |
||||||
|
- strlen(pEntry->e_name.bv_val) + |
||||||
|
- strlen(r)); |
||||||
|
+ strlen(BAD_PASSWORD_SZ) + |
||||||
|
+ strlen(pEntry->e_name.bv_val) + |
||||||
|
+ strlen(r)); |
||||||
|
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r); |
||||||
|
goto fail; |
||||||
|
} |
||||||
|
@@ -342,15 +433,15 @@ |
||||||
|
} |
||||||
|
|
||||||
|
#endif |
||||||
|
- |
||||||
|
+ dealloc_config_entries(); |
||||||
|
*ppErrStr = strdup (""); |
||||||
|
ber_memfree(szErrStr); |
||||||
|
return (LDAP_SUCCESS); |
||||||
|
|
||||||
|
fail: |
||||||
|
+ dealloc_config_entries(); |
||||||
|
*ppErrStr = strdup (szErrStr); |
||||||
|
ber_memfree(szErrStr); |
||||||
|
return (EXIT_FAILURE); |
||||||
|
|
||||||
|
} |
||||||
|
- |
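Review bot: In read_config_file() the validator returned by valid_word() is assigned to `dealer` but never called, so set_quality(), set_cracklib() and set_digit() are now dead code and every value goes straight from the file into atoi() in get_config_entry_int() — the clamp in set_quality ("No need to require more quality than we can check for") and the digit check in set_digit no longer apply, and an out-of-range or non-numeric minPoints/minUpper/... is accepted silently, so the validator should be run again on the stored value (or its result stored) before the value is trusted. dealloc_config_entries() frees each value but leaves the pointer in the global config_entries table, and the key-match branch overwrites an existing value without freeing it; on the next check_password() call a key that is no longer supplied (config unreadable, key removed) makes get_config_entry_int() call atoi() on freed memory, and a key repeated in the file leaks. config_entries is also process-global mutable state; if slapd can invoke check_password() from several threads at once (the module links against the reentrant libldap_r), two password changes race on these pointers with no lock, so confirm the caller serialises this or make the table per-call. The excerpt below NULLs after free, frees before overwrite and makes chomp() tolerate a failed ber_memalloc(), which the current code passes straight to strncpy(). read_config_file() and check_password() both extend beyond the hunks shown.
```c
/* dealloc_config_entries(): body of the while loop */
		if ( centry[i].value != NULL ) {
			ber_memfree(centry[i].value);
			centry[i].value = NULL;   /* table is global: never leave a freed pointer behind */
		}

/* chomp(): right after the allocation */
	char* t = ber_memalloc(strlen(s)+1);
	if ( t == NULL ) {
		return NULL;   /* stored as "unset": get_config_entry_int() then uses def_value */
	}
	/* … unchanged: copy and strip the trailing newline … */

/* read_config_file(): the key-match branch */
				if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
					if ( centry[i].value != NULL ) {
						ber_memfree(centry[i].value);   /* key repeated in the file: drop the earlier copy */
					}
					centry[i].value = chomp(value);
					break;
				}
```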
@ -0,0 +1,18 @@ |
|||||||
|
# |
||||||
|
# LDAP Defaults |
||||||
|
# |
||||||
|
|
||||||
|
# See ldap.conf(5) for details |
||||||
|
# This file should be world readable but not world writable. |
||||||
|
|
||||||
|
#BASE dc=example,dc=com |
||||||
|
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 |
||||||
|
|
||||||
|
#SIZELIMIT 12 |
||||||
|
#TIMELIMIT 15 |
||||||
|
#DEREF never |
||||||
|
|
||||||
|
TLS_CACERTDIR /etc/openldap/certs |
||||||
|
|
||||||
|
# Turning this off breaks GSSAPI used with krb5 when rdns = false |
||||||
|
SASL_NOCANON on |
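Review bot: The client defaults set the NSS certificate directory but leave the peer-verification policy implicit; as far as I recall ldap.conf(5) defaults TLS_REQCERT to demand, but since this is the file administrators copy and edit, stating `TLS_REQCERT demand` explicitly keeps the intended policy visible and reviewable instead of depending on the library default. The `SASL_NOCANON on` line already carries a one-line rationale; the TLS lines deserve one too, e.g. `# Verify the server certificate against the CAs in TLS_CACERTDIR; never lower this to "never" or "allow" on a production client`.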
@ -0,0 +1,91 @@ |
|||||||
|
#!/bin/sh |
||||||
|
# Author: Jan Vcelak <jvcelak@redhat.com> |
||||||
|
|
||||||
|
. /usr/libexec/openldap/functions |
||||||
|
|
||||||
|
function check_config_syntax() |
||||||
|
{ |
||||||
|
retcode=0 |
||||||
|
tmp_slaptest=`mktemp --tmpdir=/var/run/openldap` |
||||||
|
run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest |
||||||
|
if [ $? -ne 0 ]; then |
||||||
|
error "Checking configuration file failed:" |
||||||
|
cat $tmp_slaptest >&2 |
||||||
|
retcode=1 |
||||||
|
fi |
||||||
|
rm $tmp_slaptest |
||||||
|
return $retcode |
||||||
|
} |
||||||
|
|
||||||
|
function check_certs_perms() |
||||||
|
{ |
||||||
|
retcode=0 |
||||||
|
for cert in `certificates`; do |
||||||
|
run_as_ldap "/usr/bin/test -e \"$cert\"" |
||||||
|
if [ $? -ne 0 ]; then |
||||||
|
error "TLS certificate/key/DB '%s' was not found." "$cert" |
||||||
|
retcoder=1 |
||||||
|
continue |
||||||
|
fi |
||||||
|
run_as_ldap "/usr/bin/test -r \"$cert\"" |
||||||
|
if [ $? -ne 0 ]; then |
||||||
|
error "TLS certificate/key/DB '%s' is not readable." "$cert" |
||||||
|
retcode=1 |
||||||
|
fi |
||||||
|
done |
||||||
|
return $retcode |
||||||
|
} |
||||||
|
|
||||||
|
function check_db_perms() |
||||||
|
{ |
||||||
|
retcode=0 |
||||||
|
for dbdir in `databases`; do |
||||||
|
[ -d "$dbdir" ] || continue |
||||||
|
for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do |
||||||
|
run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\"" |
||||||
|
if [ $? -ne 0 ]; then |
||||||
|
error "Read/write permissions for DB file '%s' are required." "$dbfile" |
||||||
|
retcode=1 |
||||||
|
fi |
||||||
|
done |
||||||
|
done |
||||||
|
return $retcode |
||||||
|
} |
||||||
|
|
||||||
|
function check_everything() |
||||||
|
{ |
||||||
|
retcode=0 |
||||||
|
check_config_syntax || retcode=1 |
||||||
|
# TODO: need support for Mozilla NSS, disabling temporarily |
||||||
|
#check_certs_perms || retcode=1 |
||||||
|
check_db_perms || retcode=1 |
||||||
|
return $retcode |
||||||
|
} |
||||||
|
|
||||||
|
if [ `id -u` -ne 0 ]; then |
||||||
|
error "You have to be root to run this script." |
||||||
|
exit 4 |
||||||
|
fi |
||||||
|
|
||||||
|
load_sysconfig |
||||||
|
|
||||||
|
if [ -n "$SLAPD_CONFIG_DIR" ]; then |
||||||
|
if [ ! -d "$SLAPD_CONFIG_DIR" ]; then |
||||||
|
error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR" |
||||||
|
else |
||||||
|
check_everything |
||||||
|
exit $? |
||||||
|
fi |
||||||
|
fi |
||||||
|
|
||||||
|
if [ -n "$SLAPD_CONFIG_FILE" ]; then |
||||||
|
if [ ! -f "$SLAPD_CONFIG_FILE" ]; then |
||||||
|
error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE" |
||||||
|
else |
||||||
|
error "Warning: Usage of a configuration file is obsolete!" |
||||||
|
check_everything |
||||||
|
exit $? |
||||||
|
fi |
||||||
|
fi |
||||||
|
|
||||||
|
exit 1 |
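Review bot: `retcoder=1` in check_certs_perms() is a typo, so a missing TLS certificate/key/DB file is reported but the function still returns 0 and the overall check passes; it should be `retcode=1`. The call is currently commented out in check_everything() (the NSS TODO), so the bug is latent, but it will bite as soon as the check is re-enabled. The paths taken from the slapd config are spliced into a shell command string (`run_as_ldap "/usr/bin/test -e \"$cert\""`) and the `for cert in \`certificates\`` loop relies on word splitting, so a path containing whitespace or a double quote is mis-parsed by the ldap user's shell; the config is root-owned so this is robustness rather than a privilege boundary, but an argv-based run_as_ldap would remove the hand-escaping entirely.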
@ -0,0 +1,79 @@ |
|||||||
|
#!/bin/sh |
||||||
|
# Author: Jan Vcelak <jvcelak@redhat.com> |
||||||
|
|
||||||
|
. /usr/libexec/openldap/functions |
||||||
|
|
||||||
|
function help() |
||||||
|
{ |
||||||
|
error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`" |
||||||
|
exit 2 |
||||||
|
} |
||||||
|
|
||||||
|
load_sysconfig |
||||||
|
|
||||||
|
while getopts :f:F: opt; do |
||||||
|
case "$opt" in |
||||||
|
f) |
||||||
|
SLAPD_CONFIG_FILE="$OPTARG" |
||||||
|
;; |
||||||
|
F) |
||||||
|
SLAPD_CONFIG_DIR="$OPTARG" |
||||||
|
;; |
||||||
|
*) |
||||||
|
help |
||||||
|
;; |
||||||
|
esac |
||||||
|
done |
||||||
|
shift $((OPTIND-1)) |
||||||
|
[ -n "$1" ] && help |
||||||
|
|
||||||
|
# check source, target |
||||||
|
|
||||||
|
if [ ! -f "$SLAPD_CONFIG_FILE" ]; then |
||||||
|
error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE" |
||||||
|
exit 1 |
||||||
|
fi |
||||||
|
|
||||||
|
if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then |
||||||
|
SLAPD_CONFIG_FILE_FORMAT=ldif |
||||||
|
else |
||||||
|
SLAPD_CONFIG_FILE_FORMAT=conf |
||||||
|
fi |
||||||
|
|
||||||
|
if [ -d "$SLAPD_CONFIG_DIR" ]; then |
||||||
|
if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then |
||||||
|
error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR" |
||||||
|
exit 1 |
||||||
|
fi |
||||||
|
fi |
||||||
|
|
||||||
|
# perform the conversion |
||||||
|
|
||||||
|
tmp_convert=`mktemp --tmpdir=/var/run/openldap` |
||||||
|
|
||||||
|
if [ `id -u` -eq 0 ]; then |
||||||
|
install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert |
||||||
|
if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then |
||||||
|
run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert |
||||||
|
else |
||||||
|
run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert |
||||||
|
fi |
||||||
|
retcode=$? |
||||||
|
else |
||||||
|
error "You are not root! Permission will not be set." |
||||||
|
install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert |
||||||
|
if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then |
||||||
|
/usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert |
||||||
|
else |
||||||
|
/usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert |
||||||
|
fi |
||||||
|
retcode=$? |
||||||
|
fi |
||||||
|
|
||||||
|
if [ $retcode -ne 0 ]; then |
||||||
|
error "Configuration conversion failed:" |
||||||
|
cat $tmp_convert >&2 |
||||||
|
fi |
||||||
|
|
||||||
|
rm $tmp_convert |
||||||
|
exit $retcode |
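Review bot: The result of `mktemp --tmpdir=/var/run/openldap` is never checked, so if that directory is missing or not writable `tmp_convert` is empty, every `&>>$tmp_convert` fails as a bare redirection and `rm $tmp_convert` runs with no argument; `tmp_convert=$(mktemp --tmpdir=/var/run/openldap) || exit 1` closes that. The -f/-F arguments are interpolated into the run_as_ldap command string as `\"$SLAPD_CONFIG_FILE\"` and `\"$SLAPD_CONFIG_DIR\"`, so a path containing a double quote or `$(` is re-parsed by the ldap user's shell; the caller is root supplying its own paths, so this is fragility rather than an injection boundary, but it is the same pattern as in the sibling scripts and would go away with an argv-based run_as_ldap. In the non-root branch the new config directory is created 0750 owned by the invoking user, which the warning states but the exit status does not reflect; consider whether a tool that prepares slapd's own configuration should treat that as an error rather than a warning.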
@ -0,0 +1,70 @@ |
|||||||
|
#!/bin/bash |
||||||
|
# Author: Jan Vcelak <jvcelak@redhat.com> |
||||||
|
|
||||||
|
set -e |
||||||
|
|
||||||
|
# default options |
||||||
|
|
||||||
|
CERTDB_DIR=/etc/openldap/certs |
||||||
|
|
||||||
|
# internals |
||||||
|
|
||||||
|
MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so" |
||||||
|
RANDOM_SOURCE=/dev/urandom |
||||||
|
PASSWORD_BYTES=32 |
||||||
|
|
||||||
|
# parse arguments |
||||||
|
|
||||||
|
usage() { |
||||||
|
printf "usage: create-certdb.sh [-d certdb]\n" >&2 |
||||||
|
exit 1 |
||||||
|
} |
||||||
|
|
||||||
|
while getopts "d:" opt; do |
||||||
|
case "$opt" in |
||||||
|
d) |
||||||
|
CERTDB_DIR="$OPTARG" |
||||||
|
;; |
||||||
|
\?) |
||||||
|
usage |
||||||
|
;; |
||||||
|
esac |
||||||
|
done |
||||||
|
|
||||||
|
[ "$OPTIND" -le "$#" ] && usage |
||||||
|
|
||||||
|
# verify target location |
||||||
|
|
||||||
|
if [ ! -d "$CERTDB_DIR" ]; then |
||||||
|
printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2 |
||||||
|
exit 1 |
||||||
|
fi |
||||||
|
|
||||||
|
if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then |
||||||
|
printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2 |
||||||
|
exit 1 |
||||||
|
fi |
||||||
|
|
||||||
|
# create the database |
||||||
|
|
||||||
|
printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2 |
||||||
|
|
||||||
|
PASSWORD_FILE="$CERTDB_DIR/password" |
||||||
|
OLD_UMASK="$(umask)" |
||||||
|
umask 0377 |
||||||
|
dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE" |
||||||
|
umask "$OLD_UMASK" |
||||||
|
|
||||||
|
certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null |
||||||
|
|
||||||
|
# load module with builtin CA certificates |
||||||
|
|
||||||
|
echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null |
||||||
|
|
||||||
|
# tune permissions |
||||||
|
|
||||||
|
for dbfile in "$CERTDB_DIR"/*.db; do |
||||||
|
chmod 0644 "$dbfile" |
||||||
|
done |
||||||
|
|
||||||
|
exit 0 |
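Review bot: Both `certutil … -N … &>/dev/null` and `echo | modutil … &>/dev/null` discard stderr while `set -e` is active, so a failed database creation terminates the script with no message and leaves the freshly written password file (and possibly a partial DB) in a directory the script just verified was empty; keep stderr, e.g. `certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" >/dev/null`, or capture the output and print it on failure. The final loop makes every *.db world-readable, which includes the key database; that is acceptable only because the private keys are protected by the 32 random bytes written to the 0400 password file, and that reasoning belongs in a comment above the loop: `# *.db must be readable by slapd; private keys stay protected by the random DB password (0400 password file)`. Which user is expected to read the password file later is not visible here — it is owned by whoever runs the script (normally root) with mode 0400 — so confirm that slapd does not need it at runtime, or chown it to the service user.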
@ -0,0 +1,134 @@ |
|||||||
|
# Author: Jan Vcelak <jvcelak@redhat.com> |
||||||
|
|
||||||
|
SLAPD_USER= |
||||||
|
SLAPD_CONFIG_FILE= |
||||||
|
SLAPD_CONFIG_DIR= |
||||||
|
SLAPD_CONFIG_CUSTOM= |
||||||
|
SLAPD_GLOBAL_OPTIONS= |
||||||
|
SLAPD_SYSCONFIG_FILE= |
||||||
|
|
||||||
|
function default_config() |
||||||
|
{ |
||||||
|
SLAPD_USER=ldap |
||||||
|
SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf |
||||||
|
SLAPD_CONFIG_DIR=/etc/openldap/slapd.d |
||||||
|
SLAPD_CONFIG_CUSTOM= |
||||||
|
SLAPD_GLOBAL_OPTIONS= |
||||||
|
SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd |
||||||
|
} |
||||||
|
|
||||||
|
function parse_config_options() |
||||||
|
{ |
||||||
|
user= |
||||||
|
config_file= |
||||||
|
config_dir= |
||||||
|
while getopts :u:f:F: opt; do |
||||||
|
case "$opt" in |
||||||
|
u) |
||||||
|
user="$OPTARG" |
||||||
|
;; |
||||||
|
f) |
||||||
|
config_file="$OPTARG" |
||||||
|
;; |
||||||
|
F) |
||||||
|
config_dir="$OPTARG" |
||||||
|
;; |
||||||
|
esac |
||||||
|
done |
||||||
|
|
||||||
|
if [ -n "$user" ]; then |
||||||
|
SLAPD_USER="$user" |
||||||
|
fi |
||||||
|
|
||||||
|
if [ -n "$config_dir" ]; then |
||||||
|
SLAPD_CONFIG_DIR="$config_dir" |
||||||
|
SLAPD_CONFIG_FILE= |
||||||
|
SLAPD_CONFIG_CUSTOM=1 |
||||||
|
SLAPD_GLOBAL_OPTIONS="-F '$config_dir'" |
||||||
|
elif [ -n "$config_file" ]; then |
||||||
|
SLAPD_CONFIG_DIR= |
||||||
|
SLAPD_CONFIG_FILE="$config_file" |
||||||
|
SLAPD_CONFIG_CUSTOM=1 |
||||||
|
SLAPD_GLOBAL_OPTIONS="-f '$config_file'" |
||||||
|
fi |
||||||
|
} |
||||||
|
|
||||||
|
function uses_new_config() |
||||||
|
{ |
||||||
|
[ -n "$SLAPD_CONFIG_DIR" ] |
||||||
|
return $? |
||||||
|
} |
||||||
|
|
||||||
|
function run_as_ldap() |
||||||
|
{ |
||||||
|
/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER" |
||||||
|
return $? |
||||||
|
} |
||||||
|
|
||||||
|
function ldif_unbreak() |
||||||
|
{ |
||||||
|
sed ':a;N;s/\n //;ta;P;D' |
||||||
|
} |
||||||
|
|
||||||
|
function ldif_value() |
||||||
|
{ |
||||||
|
sed 's/^[^:]*: //' |
||||||
|
} |
||||||
|
|
||||||
|
function databases_new() |
||||||
|
{ |
||||||
|
slapcat $SLAPD_GLOBAL_OPTIONS -c \ |
||||||
|
-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \ |
||||||
|
ldif_unbreak | \ |
||||||
|
grep '^olcDbDirectory: ' | \ |
||||||
|
ldif_value |
||||||
|
} |
||||||
|
|
||||||
|
function databases_old() |
||||||
|
{ |
||||||
|
awk 'begin { database="" } |
||||||
|
$1 == "database" { database=$2 } |
||||||
|
$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \ |
||||||
|
"$SLAPD_CONFIG_FILE" |
||||||
|
} |
||||||
|
|
||||||
|
function certificates_new() |
||||||
|
{ |
||||||
|
slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \ |
||||||
|
ldif_unbreak | \ |
||||||
|
grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \ |
||||||
|
ldif_value |
||||||
|
} |
||||||
|
|
||||||
|
function certificates_old() |
||||||
|
{ |
||||||
|
awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \ |
||||||
|
"$SLAPD_CONFIG_FILE" |
||||||
|
} |
||||||
|
|
||||||
|
function certificates() |
||||||
|
{ |
||||||
|
uses_new_config && certificates_new || certificates_old |
||||||
|
} |
||||||
|
|
||||||
|
function databases() |
||||||
|
{ |
||||||
|
uses_new_config && databases_new || databases_old |
||||||
|
} |
||||||
|
|
||||||
|
|
||||||
|
function error() |
||||||
|
{ |
||||||
|
format="$1\n"; shift |
||||||
|
printf "$format" $@ >&2 |
||||||
|
} |
||||||
|
|
||||||
|
function load_sysconfig() |
||||||
|
{ |
||||||
|
[ -r "$SLAPD_SYSCONFIG_FILE" ] || return |
||||||
|
|
||||||
|
. "$SLAPD_SYSCONFIG_FILE" |
||||||
|
[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS |
||||||
|
} |
||||||
|
|
||||||
|
default_config |
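Review bot: parse_config_options() runs getopts without resetting OPTIND, and because load_sysconfig() is called before the calling script's own getopts loop (convert-config.sh), a non-empty SLAPD_OPTIONS leaves OPTIND pointing past the words it consumed and the script's first command-line arguments are silently skipped; `local OPTIND=1` at the top of the function (and `local user config_file config_dir` while at it) fixes this. error() expands `$@` unquoted in `printf "$format" $@ >&2`, so a path argument with spaces or glob characters is split and expanded before it reaches the format; use `printf "$format" "$@" >&2`. run_as_ldap() takes a single string and hands it to `runuser --session-command`, which is why every caller hand-escapes paths with `\"…\"`; accepting an argv and quoting it once here would be safer, but which runuser invocation forms this platform supports is not visible, so check before changing it. The `begin { database="" }` in databases_old() is not awk's `BEGIN` block but a pattern that never matches — harmless since awk variables start empty, but misleading.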
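--- /dev/null
+++ b/generate-server-cert.sh
@@ -0,0 +1,118 @@
+#!/bin/bash
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+set -e
+
+# default options
+
+CERTDB_DIR=/etc/openldap/certs
+CERT_NAME="OpenLDAP Server"
+PASSWORD_FILE=
+HOSTNAME_FQDN="$(hostname --fqdn)"
+ALT_NAMES=
+ONCE=0
+
+# internals
+
+RANDOM_SOURCE=/dev/urandom
+CERT_RANDOM_BYTES=256
+CERT_KEY_TYPE=rsa
+CERT_KEY_SIZE=1024
+CERT_VALID_MONTHS=12
+
+# parse arguments
+
+usage() {
+printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2
+printf " [-p password-file] [-h hostnames]\n" >&2
+printf " [-a dns-alt-names] [-o]\n" >&2
+exit 1
+}
+
+while getopts "d:n:p:h:a:o" opt; do
+case "$opt" in
+d)
+CERTDB_DIR="$OPTARG"
+;;
+n)
+CERT_NAME="$OPTARG"
+;;
+p)
+PASSWORD_FILE="$OPTARG"
+;;
+h)
+HOSTNAME_FQDN="$OPTARG"
+;;
+a)
+ALT_NAMES="$OPTARG"
+;;
+o)
+ONCE=1
+;;
+\?)
+usage
+;;
+esac
+done
+
+[ "$OPTIND" -le "$#" ] && usage
+
+# generated options
+
+ONCE_FILE="$CERTDB_DIR/.slapd-leave"
+PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}"
+ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}"
+
+# verify target location
+
+if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then
+printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2
+exit 0
+fi
+
+if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then
+printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2
+exit 1
+fi
+
+printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2
+
+if [ ! -r "$PASSWORD_FILE" ]; then
+printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2
+exit 1
+fi
+
+if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then
+printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2
+exit 1
+fi
+
+# generate server certificate (self signed)
+
+
+CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap)
+dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null
+
+certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \
+-S -x -n "$CERT_NAME" \
+-s "CN=$HOSTNAME_FQDN" \
+-t TC,, \
+-k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \
+-v $CERT_VALID_MONTHS \
+-8 "$ALT_NAMES" \
+&>/dev/null
+
+rm -f $CERT_RANDOM
+
+# tune permissions
+
+if [ "$(id -u)" -eq 0 ]; then
+chgrp ldap "$PASSWORD_FILE"
+chmod g+r "$PASSWORD_FILE"
+else
+printf "WARNING: The server requires read permissions on the password file in order to\n" >&2
+printf " load it's private key from the certificate database.\n" >&2
+fi
+
+touch "$ONCE_FILE"
+exit 0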
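Review bot: `CERT_RANDOM` is never removed when `certutil` fails, because `set -e` at the top of the script aborts before the `rm -f $CERT_RANDOM` line is reached; a `trap 'rm -f "$CERT_RANDOM"' EXIT` placed right after the `mktemp` line, with the later unquoted `rm -f $CERT_RANDOM` dropped, cleans up on every exit path. The `dd` and `rm` lines also leave `$RANDOM_SOURCE` and `$CERT_RANDOM` unquoted, unlike every other path in the script. Separately, `CERT_KEY_SIZE=1024` produces an RSA key that current guidance treats as too short for a TLS server certificate; `CERT_KEY_SIZE=2048` is a one-line change and leaves the `-g` invocation untouched.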
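--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,142 @@
+#!/bin/bash
+# This script serves one purpose, to add a possibly missing attribute
+# to a ppolicy schema in a dynamic configuration of OpenLDAP. This
+# attribute was introduced in openldap-2.4.43 and slapd will not
+# start without it later on.
+#
+# The script tries to update in a directory given as first parameter,
+# or in /etc/openldap/slapd.d implicitly.
+#
+# Author: Matus Honek <mhonek@redhat.com>
+# Bugzilla: #1487857
+
+function log {
+echo "Update dynamic configuration: " $@
+true
+}
+
+function iferr {
+if [ $? -ne 0 ]; then
+log "ERROR: " $@
+true
+else
+false
+fi
+}
+
+function update {
+set -u
+shopt -s extglob
+
+ORIGINAL="${1:-/etc/openldap/slapd.d}"
+ORIGINAL="${ORIGINAL%*(/)}"
+
+### check if necessary
+grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null
+[ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0
+
+### prep
+log "Prepare environment."
+
+TEMPDIR=$(mktemp -d)
+iferr "Could not create a temporary directory. Quitting." && return 1
+DBDIR="${TEMPDIR}/db"
+SUBDBDIR="${DBDIR}/cn=temporary"
+
+mkdir "${DBDIR}"
+iferr "Could not create temporary configuration directory. Quitting." && return 1
+cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}"
+iferr "Could not copy configuration. Quitting." && return 1
+
+pushd "$TEMPDIR" >/dev/null
+
+cat > temp.conf <<EOF
+database ldif
+suffix cn=temporary
+directory db
+access to * by * manage
+EOF
+
+SOCKET="$(pwd)/socket"
+LISTENER="ldapi://${SOCKET//\//%2F}"
+CONN_PARAMS=("-Y" "EXTERNAL" "-H" "${LISTENER}")
+
+slapd -f temp.conf -h "$LISTENER" -d 0 >/dev/null 2>&1 &
+SLAPDPID="$!"
+sleep 2
+
+ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
+dn: cn=temporary
+objectClass: olcGlobal
+cn: temporary
+EOF
+iferr "Could not populate the temporary database. Quitting." && return 1
+
+### update
+log "Update with new pwdMaxRecordedFailure attribute."
+FILTER="(&"
+FILTER+="(olcObjectClasses=*'pwdPolicy'*)"
+FILTER+="(!(olcObjectClasses=*'pwdPolicy'*'pwdMaxRecordedFailure'*))"
+FILTER+="(!(olcAttributeTypes=*'pwdMaxRecordedFailure'*))"
+FILTER+=")"
+RES=$(ldapsearch ${CONN_PARAMS[@]} \
+-b cn=schema,cn=config,cn=temporary \
+-LLL \
+-o ldif-wrap=no \
+"$FILTER" \
+dn olcObjectClasses \
+2>/dev/null \
+| sed '/^$/d')
+DN=$(printf "$RES" | grep '^dn:')
+OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'")
+NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }"
+
+test $(echo "$DN" | wc -l) = 1
+iferr "Received more than one DN. Cannot continue. Quitting." && return 1
+test "$NEWOC" != "$OC"
+iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1
+
+ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF
+$DN
+changetype: modify
+add: olcAttributeTypes
+olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur
+e' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.
+1466.115.121.1.27 SINGLE-VALUE )
+-
+delete: olcObjectClasses
+$OC
+-
+add: olcObjectClasses
+$NEWOC
+EOF
+iferr "Updating with new attribute failed. Quitting." && return 1
+
+popd >/dev/null
+
+### apply
+log "Apply changes."
+cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup"
+iferr "Backing up old configuration failed. Quitting." && return 1
+cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL"
+iferr "Applying new configuration failed. Quitting." && return 1
+
+### clean up
+log "Clean up."
+kill "$SLAPDPID"
+SLAPDPID=
+rm -rf "$TEMPDIR"
+TEMPDIR=
+}
+
+SLAPDPID=
+TEMPDIR=
+update "$1"
+if [ $? -ne 0 ]; then
+log "Clean up."
+echo "$SLAPDPID"
+echo "$TEMPDIR"
+kill "$SLAPDPID"
+rm -rf "$TEMPDIR"
+fi
+log "Finished."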
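Review bot: The single-DN check `test $(echo "$DN" | wc -l) = 1` also passes when `$DN` is empty, because `echo` of an empty string still emits one newline, so an empty search result reaches the `ldapmodify` here-document with a blank first line; guard it with `test -n "$DN" && test "$(printf '%s\n' "$DN" | wc -l)" = 1`. The two `printf "$RES"` calls use LDIF data as the format string, so any `%` or `\` in the schema text is interpreted rather than passed through; `printf '%s' "$RES"` is the safe form. The `sleep 2` after starting `slapd` is a fixed delay rather than a readiness check, so on a slow host the first `ldapadd` can race the listener; polling for the `$SOCKET` path before it makes the failure mode deterministic. The failure path at the end also echoes `$SLAPDPID` and `$TEMPDIR` to stdout, which reads like leftover debugging output.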
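--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+error "You have to be root to run this command."
+exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+# skip uninitialized database
+[ -z "$bdb_files"] || continue
+
+printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+# perform the update
+for command in \
+"/usr/bin/db_recover -v -h \"$dbdir\"" \
+"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+; do
+printf "Executing: %s\n" "$command" &>>$upgrade_log
+run_as_ldap "$command" &>>$upgrade_log
+result=$?
+printf "Exit code: %d\n" $result >>"$upgrade_log"
+if [ $result -ne 0 ]; then
+printf "Upgrade failed: %d\n" $result
+retcode=1
+fi
+done
+done
+
+exit $retcode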
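Review bot: The skip test `[ -z "$bdb_files"] || continue` is wrong twice: the missing space before `]` turns `"$bdb_files"]` into one operand, so `[` reports a missing bracket and returns non-zero for every initialised database, which is then skipped, and the sense is inverted relative to the comment, since `-z` keeps the loop body only for an empty file list. The intended line is `[ -n "$bdb_files" ] || continue`. The `&>>$upgrade_log` redirections are also a bash extension under a `#!/bin/sh` shebang; a POSIX shell parses that as a background job followed by an empty redirection, so either write `>>"$upgrade_log" 2>&1` or switch the shebang to bash, and quote `$upgrade_log` as the `Exit code` line already does.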
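--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,21 @@
+Backport upstream fix for a crash in back-relay when doing do_search.
+RHBZ: #1316450
+
+commit 2e60bf5ed00c1a8794131f53a6c72a78c0766e21
+Author: Howard Chu <hyc@openldap.org>
+Date: Wed May 18 12:30:31 2016 +0100
+
+ITS#8428 init sc_writewait
+
+diff --git a/servers/slapd/back-relay/op.c b/servers/slapd/back-relay/op.c
+index 4fdc08a..f7c1fee 100644
+--- a/servers/slapd/back-relay/op.c
++++ b/servers/slapd/back-relay/op.c
+@@ -97,6 +97,7 @@ relay_back_response_cb( Operation *op, SlapReply *rs )
+(rcb)->rcb_sc.sc_next = (op)->o_callback; \
+(rcb)->rcb_sc.sc_response = relay_back_response_cb; \
+(rcb)->rcb_sc.sc_cleanup = 0; \
++ (rcb)->rcb_sc.sc_writewait = 0; \
+(rcb)->rcb_sc.sc_private = (op)->o_bd; \
+(op)->o_callback = (slap_callback *) (rcb); \
+}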
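--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,23 @@
+commit ec2fe743f5795eb7aaf43687e6b257ac071cef22
+Author: Ryan Tandy <ryan@nardis.ca>
+Date: Wed May 17 20:07:39 2017 -0700
+
+ITS#8655 fix double free on paged search with pagesize 0
+
+Fixes a double free when a search includes the Paged Results control
+with a page size of 0 and the search base matches the filter.
+
+diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c
+index 009939d..d0db918 100644
+--- a/servers/slapd/back-mdb/search.c
++++ b/servers/slapd/back-mdb/search.c
+@@ -1066,7 +1066,8 @@ notfound:
+/* check size limit */
+if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
+if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
+- mdb_entry_return( op, e );
++ if (e != base)
++ mdb_entry_return( op, e );
+e = NULL;
+send_paged_response( op, rs, &lastid, tentries );
+goto done;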
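--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,20 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7326
+Resolves: #835013
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index b31e05d..fa361ab 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+
+#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
+- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
++#ifdef AI_ADDRCONFIG
+hints.ai_flags = AI_ADDRCONFIG;
+#endif
+hints.ai_family = ldap_int_inet4or6;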
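--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,40 @@
+Compile AllOp together with other overlays.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #990893
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+translucent.c \
+unique.c \
+valsort.c \
+- smbk5pwd.c
++ smbk5pwd.c \
++ allop.c
+OBJS = statover.o \
+@SLAPD_STATIC_OVERLAYS@ \
+overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
+
+XINCPATH = -I.. -I$(srcdir)/..
+XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+smbk5pwd.la : smbk5pwd.lo
+$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
++allop.lo : allop.c
++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++allop.la : allop.lo
++ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+install-local: $(PROGRAMS)
+@if test -n "$?" ; then \
+$(MKDIR) $(DESTDIR)$(moduledir); \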
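Review bot: The new `allop.lo` rule compiles `allop.c` with `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL` plus the OpenSSL cflags, and `allop.la` links against the OpenSSL libs; that looks copied from the `smbk5pwd` rule directly above, and unless allop actually uses Samba or OpenSSL symbols it adds an unneeded library dependency to the module, so the flags should be trimmed or justified with a comment. `$(shell ...)` is also GNU make specific, which is only fine if the rest of this Makefile.in already assumes GNU make.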
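--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,17 @@
+Correct key pointer usage in bdb_idl_fetch_key.
+
+Author: Shogo Matsumoto
+Resolves: #1356165
+
+diff --git a/servers/slapd/back-bdb/idl.c b/servers/slapd/back-bdb/idl.c
+--- a/servers/slapd/back-bdb/idl.c
++++ b/servers/slapd/back-bdb/idl.c
+@@ -628,7 +628,7 @@ bdb_idl_fetch_key(
+BDB_DISK2ID( j, i );
+}
+}
+- rc = cursor->c_get( cursor, key, &data, flags | DB_NEXT_DUP );
++ rc = cursor->c_get( cursor, kptr, &data, flags | DB_NEXT_DUP );
+}
+if ( rc == DB_NOTFOUND ) rc = 0;
+ids[0] = i - ids;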
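--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,22 @@
+Skip any empty parameters when parsing command line options.
+This is required because systemd does not expand variables the same way as shell does,
+we need it because of an empty SLAPD_OPTIONS in environment file.
+
+Fedora specific patch.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+
+diff --git a/servers/slapd/main.c b/servers/slapd/main.c
+index dac4864..83614f4 100644
+--- a/servers/slapd/main.c
++++ b/servers/slapd/main.c
+@@ -685,6 +685,10 @@ unhandled_option:;
+}
+}
+
++ /* skip empty parameters */
++ while ( optind < argc && *argv[optind] == '\0' )
++ optind += 1;
++
+if ( optind != argc )
+goto unhandled_option;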
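--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,54 @@
+From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 7 May 2013 17:02:57 +0200
+Subject: [PATCH] LDAPI SASL fix
+
+Resolves: #960222
+---
+libraries/libldap/cyrus.c | 19 ++++++++++++++++---
+1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
+
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 28c241b..a9acf36 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
+struct berval ccred = BER_BVNULL;
+int saslrc, rc;
+unsigned credlen;
++ char my_hostname[HOST_NAME_MAX + 1];
++ int free_saslhost = 0;
+
+Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
+mechs ? mechs : "<null>", 0, 0 );
+@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
+
+/* If we don't need to canonicalize just use the host
+* from the LDAP URI.
++ * Always use the result of gethostname() for LDAPI.
+*/
+- if ( nocanon )
++ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
++ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
++ rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
++ if (rc == 0) {
++ saslhost = my_hostname;
++ } else {
++ saslhost = "localhost";
++ }
++ } else if ( nocanon )
+saslhost = ld->ld_defconn->lconn_server->lud_host;
+- else
++ else {
+saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+"localhost" );
++ free_saslhost = 1;
++ }
+rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
+- if ( !nocanon )
++ if ( free_saslhost )
+LDAP_FREE( saslhost );
+}
+
+--
+1.7.11.7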
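Review bot: `gethostname(my_hostname, HOST_NAME_MAX + 1)` is not guaranteed to NUL-terminate `my_hostname` when the name is longer than the buffer, so a truncated name can reach `ldap_int_sasl_open` unterminated; add `my_hostname[HOST_NAME_MAX] = '\0';` after the call (or pass `sizeof my_hostname` and terminate explicitly). `HOST_NAME_MAX` comes from `<limits.h>` and is not defined on every platform, which is acceptable for a distribution patch but deserves a comment on the declaration. The enclosing function `ldap_int_sasl_bind` starts and ends outside the hunk.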
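--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,20 @@
+Disables opening of ldaprc file in current directory.
+
+Resolves: #38402
+Upstream: ITS #1131
+Author: Henning Schmiedehausen <hps@intermeta.de>
+
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 8617527..e6b17b4 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -352,9 +352,6 @@ static void openldap_ldap_init_w_userconf(const char *file)
+if(path != NULL) {
+LDAP_FREE(path);
+}
+-
+- /* try file */
+- openldap_ldap_init_w_conf(file, 1);
+}
+
+static void openldap_ldap_init_w_env(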
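--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,25 @@
+This patch makes clear what is the actual behavior in RHEL due to bug #38402.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1498841
+
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -25,7 +25,7 @@ in their home directory which will be used to override the system-wide
+defaults file.
+The file
+.I ldaprc
+-in the current working directory is also used.
++in the current working directory is \fBNOT\fP used (this differs from upstream).
+.LP
+.LP
+Additional configuration files can be specified using
+@@ -50,7 +50,7 @@ Thus the following files and variables are read, in order:
+.nf
+variable $LDAPNOINIT, and if that is not set:
+system file ETCDIR/ldap.conf,
+- user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc,
++ user files $HOME/ldaprc, $HOME/.ldaprc, (\fBNOT\fP ./ldaprc, see above),
+system file $LDAPCONF,
+user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC,
+variables $LDAP<uppercase option name>.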
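--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,22 @@
+fix: SASL_NOCANON option missing in ldap.conf manual page
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7177
+Resolves: #732915
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 51f774f..5f17122 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -284,6 +284,9 @@ description). The default is
+specifies the maximum security layer receive buffer
+size allowed. 0 disables security layers. The default is 65536.
+.RE
++.TP
++.B SASL_NOCANON <on/true/yes/off/false/no>
++Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off.
+.SH GSSAPI OPTIONS
+If OpenLDAP is built with Generic Security Services Application Programming Interface support,
+there are more options you can specify.
+--
+1.7.6.5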
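--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,52 @@
+From f7027b3118ea90d616d0ddeeb348f15ba91cd08b Mon Sep 17 00:00:00 2001
+From: Jan Synacek <jsynacek@redhat.com>
+Date: Wed, 13 Nov 2013 13:34:06 +0100
+Subject: [PATCH] Fix client manpage
+
+---
+doc/man/man5/ldap.conf.5 | 18 ++++++++----------
+1 file changed, 8 insertions(+), 10 deletions(-)
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 7f5bc64..bef0672 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -431,8 +431,8 @@ The environment variable RANDFILE can also be used to specify the filename.
+This parameter is ignored with GnuTLS and Mozilla NSS.
+.TP
+.B TLS_REQCERT <level>
+-Specifies what checks to perform on server certificates in a TLS session,
+-if any. The
++Specifies what checks to perform on server certificates in a TLS session.
++The
+.B <level>
+can be specified as one of the following keywords:
+.RS
+@@ -441,19 +441,17 @@ can be specified as one of the following keywords:
+The client will not request or check any server certificate.
+.TP
+.B allow
+-The server certificate is requested. If no certificate is provided,
+-the session proceeds normally. If a bad certificate is provided, it will
++The server certificate is requested. If a bad certificate is provided, it will
+be ignored and the session proceeds normally.
+.TP
+.B try
+-The server certificate is requested. If no certificate is provided,
+-the session proceeds normally. If a bad certificate is provided,
+-the session is immediately terminated.
++The server certificate is requested. If a bad certificate is provided, the
++session is immediately terminated.
+.TP
+.B demand | hard
+-These keywords are equivalent. The server certificate is requested. If no
+-certificate is provided, or a bad certificate is provided, the session
+-is immediately terminated. This is the default setting.
++These keywords are equivalent and semantically same as
++.BR try .
++This is the default setting.
+.RE
+.TP
+.B TLS_CRLCHECK <level>
+--
+1.8.3.1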
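--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,72 @@
+Various manual pages changes:
+* removes LIBEXECDIR from slapd.8
+* removes references to non-existing manpages (bz 624616)
+
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 3def6da..466c772 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
+.BR ldap_add_ext (3),
+.BR ldap_delete_ext (3),
+.BR ldap_modify_ext (3),
+-.BR ldap_modrdn_ext (3),
+-.BR ldif (5).
++.BR ldif (5)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cfde143..63592cb 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -317,6 +317,7 @@ certificates in separate individual files. The
+.B TLS_CACERT
+is always used before
+.B TLS_CACERTDIR.
++The specified directory must be managed with the OpenSSL c_rehash utility.
+This parameter is ignored with GnuTLS.
+
+When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
+index b739f4d..e2a1a00 100644
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+.SH NAME
+slapd \- Stand-alone LDAP Daemon
+.SH SYNOPSIS
+-.B LIBEXECDIR/slapd
++.B slapd
+[\c
+.BR \-4 | \-6 ]
+[\c
+@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
+.LP
+.nf
+.ft tt
+- LIBEXECDIR/slapd
++ slapd
+.ft
+.fi
+.LP
+@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
+.LP
+.nf
+.ft tt
+- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++ slapd -f /var/tmp/slapd.conf -d 255
+.ft
+.fi
+.LP
+@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
+.LP
+.nf
+.ft tt
+- LIBEXECDIR/slapd \-Tt
++ slapd -Tt
+.ft
+.fi
+.LP
+--
+1.8.1.4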
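--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,24 @@
+A mutex lock might not get unlocked when plausible
+
+In the preceding if-statement a mutex may get locked. This is unlocked on
+'done' label, but not called when plausible. Based on the current code logic
+this seems to not be able to happen, but might when code gets changed at
+some point in time. This patch fixes the issue.
+
+The issue was found by Coverity scan
+http://cov01.lab.eng.brq.redhat.com/covscanhub/waiving/11054/38577/
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1261003
+
+--- a/servers/slapd/overlays/accesslog.c
++++ b/servers/slapd/overlays/accesslog.c
+@@ -1519,7 +1519,7 @@ static int accesslog_response(Operation *op, SlapReply *rs) {
+
+/* ignore these internal reads */
+if (( lo->mask & LOG_OP_READS ) && op->o_do_not_cache ) {
+- return SLAP_CB_CONTINUE;
++ goto done;
+}
+
+if ( li->li_success && rs->sr_err != LDAP_SUCCESS )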
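--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,42 @@
+Include sha2 module
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -35,7 +35,8 @@ SRCS = overlays.c \
+unique.c \
+valsort.c \
+smbk5pwd.c \
+- allop.c
++ allop.c \
++ sha2.c slapd-sha2.c
+OBJS = statover.o \
+@SLAPD_STATIC_OVERLAYS@ \
+overlays.o
+@@ -55,7 +56,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la
+
+XINCPATH = -I.. -I$(srcdir)/..
+XDEFS = $(MODULES_CPPFLAGS)
+@@ -139,6 +140,15 @@ allop.lo : allop.c
+allop.la : allop.lo
+$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
++sha2.lo : sha2.c
++ $(LTCOMPILE_MOD) $<
++
++slapd-sha2.lo : slapd-sha2.c
++ $(LTCOMPILE_MOD) $<
++
++pw-sha2.la : sha2.lo slapd-sha2.lo
++ $(LTLINK_MOD) -module -o $@ $? version.lo $(LINK_LIBS)
++
+install-local: $(PROGRAMS)
+@if test -n "$?" ; then \
+$(MKDIR) $(DESTDIR)$(moduledir); \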
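Review bot: The `pw-sha2.la` rule links `$?`, which expands only to the prerequisites that are newer than the target, so an incremental rebuild after editing just one of `sha2.c` or `slapd-sha2.c` links a module that is missing the other object. The neighbouring `allop.la` and `smbk5pwd.la` rules spell out their object lists, and this one should do the same: `$(LTLINK_MOD) -module -o $@ sha2.lo slapd-sha2.lo version.lo $(LINK_LIBS)`.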
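--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,35 @@
+Correct log levels in ppolicy overlay.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1356158
+
+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
+--- a/servers/slapd/overlays/ppolicy.c
++++ b/servers/slapd/overlays/ppolicy.c
+@@ -643,7 +643,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+if ((mod = lt_dlopen( pp->pwdCheckModule )) == NULL) {
+err = lt_dlerror();
+
+- Debug(LDAP_DEBUG_ANY,
++ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+"check_password_quality: lt_dlopen failed: (%s) %s.\n",
+pp->pwdCheckModule, err, 0 );
+ok = LDAP_OTHER; /* internal error */
+@@ -658,7 +658,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+if ((prog = lt_dlsym( mod, "check_password" )) == NULL) {
+err = lt_dlerror();
+
+- Debug(LDAP_DEBUG_ANY,
++ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+"check_password_quality: lt_dlsym failed: (%s) %s.\n",
+pp->pwdCheckModule, err, 0 );
+ok = LDAP_OTHER;
+@@ -667,7 +667,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE
+ok = prog( ptr, txt, e );
+ldap_pvt_thread_mutex_unlock( &chk_syntax_mutex );
+if (ok != LDAP_SUCCESS) {
+- Debug(LDAP_DEBUG_ANY,
++ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING,
+"check_password_quality: module error: (%s) %s.[%d]\n",
+pp->pwdCheckModule, *txt ? *txt : "", ok );
+}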
@ -0,0 +1,33 @@ |
|||||||
|
The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for |
||||||
|
example if libldap needs to be initialized from within gethostbyXXXX() (which |
||||||
|
actually happens if nss_ldap is used for hostname resolution and earlier |
||||||
|
modules can't resolve the local host name), so use the reentrant versions of |
||||||
|
the functions, even if we're not being compiled for use in libldap_r |
||||||
|
|
||||||
|
Resolves: #179730 |
||||||
|
Author: Jeffery Layton <jlayton@redhat.com> |
||||||
|
|
||||||
|
diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c |
||||||
|
index 373c81c..a012062 100644 |
||||||
|
--- a/libraries/libldap/util-int.c |
||||||
|
+++ b/libraries/libldap/util-int.c |
||||||
|
@@ -52,8 +52,8 @@ extern int h_errno; |
#ifndef LDAP_R_COMPILE |
# undef HAVE_REENTRANT_FUNCTIONS |
# undef HAVE_CTIME_R |
-# undef HAVE_GETHOSTBYNAME_R |
-# undef HAVE_GETHOSTBYADDR_R |
+/* # undef HAVE_GETHOSTBYNAME_R */ |
+/* # undef HAVE_GETHOSTBYADDR_R */ |
|
#else |
# include <ldap_pvt_thread.h> |
@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod) |
#define BUFSTART (1024-32) |
#define BUFMAX (32*1024-32) |
|
-#if defined(LDAP_R_COMPILE) |
+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R) |
static char *safe_realloc( char **buf, int len ); |
|
#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)) |
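Review bot: The rewritten `#if` in the `@@ -317` hunk of `libraries/libldap/util-int.c` depends on `&&` binding tighter than `||`, so it means `LDAP_R_COMPILE || (NAME_R && ADDR_R)` only by precedence; write it as `+#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))` so the intent is explicit and `-Wparentheses` stays quiet. In the first hunk the two `# undef` lines are kept as `/* ... */` comments instead of being removed, which leaves dead text behind; replacing them with a one-line comment giving the reason (the recursive-call deadlock described in the patch header) would document the decision rather than its history. Whether the reentrant code that follows `safe_realloc` still compiles without `<ldap_pvt_thread.h>` in the non-`LDAP_R_COMPILE` build cannot be seen from this hunk.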
@ -0,0 +1,61 @@ |
Compile smbk5pwd together with other overlays. |
|
Author: Jan Šafránek <jsafrane@redhat.com> |
Resolves: #550895 |
|
Update to link against OpenSSL |
|
Author: Jan Vcelak <jvcelak@redhat.com> |
Resolves: #841560 |
|
diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README |
index f20ad94..b6433ff 100644 |
--- a/contrib/slapd-modules/smbk5pwd/README |
+++ b/contrib/slapd-modules/smbk5pwd/README |
@@ -1,3 +1,8 @@ |
+****************************************************************************** |
+Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module |
+is compiled only with Samba features in Fedora and Red Hat Enterprise Linux. |
+****************************************************************************** |
+ |
This directory contains a slapd overlay, smbk5pwd, that extends the |
PasswordModify Extended Operation to update Kerberos keys and Samba |
password hashes for an LDAP user. |
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in |
index 3af20e8..ef73663 100644 |
--- a/servers/slapd/overlays/Makefile.in |
+++ b/servers/slapd/overlays/Makefile.in |
@@ -33,7 +33,8 @@ SRCS = overlays.c \ |
syncprov.c \ |
translucent.c \ |
unique.c \ |
- valsort.c |
+ valsort.c \ |
+ smbk5pwd.c |
OBJS = statover.o \ |
@SLAPD_STATIC_OVERLAYS@ \ |
overlays.o |
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) |
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) |
|
LIBRARY = ../liboverlays.a |
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ |
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la |
|
XINCPATH = -I.. -I$(srcdir)/.. |
XDEFS = $(MODULES_CPPFLAGS) |
@@ -125,6 +126,12 @@ unique.la : unique.lo |
valsort.la : valsort.lo |
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS) |
|
+smbk5pwd.lo : smbk5pwd.c |
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< |
+ |
+smbk5pwd.la : smbk5pwd.lo |
+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) |
+ |
install-local: $(PROGRAMS) |
@if test -n "$?" ; then \ |
$(MKDIR) $(DESTDIR)$(moduledir); \ |
-- |
1.7.10.4 |
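Review bot: The new `smbk5pwd.lo`/`smbk5pwd.la` rules in `servers/slapd/overlays/Makefile.in` call `$(shell pkg-config openssl --cflags)` and `--libs` inline, which is GNU-make-only and expands to nothing when pkg-config or the openssl `.pc` file is absent, so a missing dependency surfaces as an undefined-symbol link error rather than a configure-time failure. Letting configure substitute these flags would also keep the rule in line with the neighbouring overlay rules, which take everything from `$(LINK_LIBS)`. The hard-coded `-DHAVE_OPENSSL -UHAVE_MOZNSS` pins the overlay's crypto backend regardless of the TLS library configure picked for slapd; if the two differ, the module pulls a second crypto library into the server process, which deserves a comment next to the rule. The README hunk is documentation only.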
@ -0,0 +1,14 @@ |
Removes unnecessary linking of SQL libraries into slapd. This makes openldap-servers package |
independent on libodbc. (SQL backend is packaged separately in openldap-servers-sql.) |
|
--- openldap-2.4.24.orig/build/top.mk |
+++ openldap-2.4.24/build/top.mk |
@@ -201,7 +201,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@ |
SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@ |
SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@ |
|
-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) |
+SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) |
|
# Our Defaults |
CC = $(AC_CC) |
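Review bot: Dropping `@SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@` from `SLAPD_LIBS` in `build/top.mk` is only safe if the separately packaged SQL backend adds those flags on its own link line, and that side is not in this patch; a sentence in the patch header naming where back_sql now gets them would make the change reviewable on its own. `SLAPD_SQL_LDFLAGS` and `SLAPD_SQL_LIBS` remain defined a few lines above, so the variables are still available to any target that references them directly, but anything that relied on `SLAPD_LIBS` transitively for ODBC symbols will now fail at link time.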
@ -0,0 +1,41 @@ |
From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de> |
Date: Tue, 18 May 2010 17:47:05 +0200 |
Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set. |
|
Proof of concept for fixing http://bugs.debian.org/327585 |
(patch ported from freeradius bug http://bugs.debian.org/416266) |
|
Resolves: #960048 |
--- |
--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200 |
+++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200 |
@@ -117,6 +117,20 @@ |
return -1; /* not found */ |
} |
|
+static lt_dlhandle slapd_lt_dlopenext_global( const char *filename ) |
+{ |
+ lt_dlhandle handle = 0; |
+ lt_dladvise advise; |
+ |
+ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise) |
+ && !lt_dladvise_global (&advise)) |
+ handle = lt_dlopenadvise (filename, advise); |
+ |
+ lt_dladvise_destroy (&advise); |
+ |
+ return handle; |
+} |
+ |
int module_load(const char* file_name, int argc, char *argv[]) |
{ |
module_loaded_t *module; |
@@ -180,7 +194,7 @@ |
* to calling Debug. This is because Debug is a macro that expands |
* into multiple function calls. |
*/ |
- if ((module->lib = lt_dlopenext(file)) == NULL) { |
+ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) { |
error = lt_dlerror(); |
#ifdef HAVE_EBCDIC |
strcpy( ebuf, error ); |
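Review bot: In the new `slapd_lt_dlopenext_global`, `advise` is declared without an initializer and `lt_dladvise_destroy(&advise)` runs on every path, including the one where `lt_dladvise_init` already failed; unless libltdl guarantees that it stores something in `*padvise` on failure, that destroy operates on an indeterminate pointer. Initializing with `lt_dladvise advise = 0;` and calling `lt_dladvise_destroy` only after a successful init removes the dependence on that guarantee. When the advise setup fails the function returns 0 and `module_load` then reports `lt_dlerror()`, which describes whichever ltdl call failed last rather than the dlopen the caller presumably names in its log line; a comment at `return handle;` noting this would help whoever debugs it. The `module_load` body changed in the second hunk starts before that hunk and continues past it.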
@ -0,0 +1,62 @@ |
allow unsetting of tls_* syncrepl options |
|
Author: Patrick Monnerat <pm@datasphere.ch> |
Upstream ITS: #7042 |
Resolves: #734187 |
|
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c |
index 654a4bf..10b993b 100644 |
--- a/libraries/libldap/tls2.c |
+++ b/libraries/libldap/tls2.c |
@@ -735,27 +735,27 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) |
return 0; |
case LDAP_OPT_X_TLS_CACERTFILE: |
if ( lo->ldo_tls_cacertfile ) LDAP_FREE( lo->ldo_tls_cacertfile ); |
- lo->ldo_tls_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
+ lo->ldo_tls_cacertfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
return 0; |
case LDAP_OPT_X_TLS_CACERTDIR: |
if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir ); |
- lo->ldo_tls_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
+ lo->ldo_tls_cacertdir = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
return 0; |
case LDAP_OPT_X_TLS_CERTFILE: |
if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile ); |
- lo->ldo_tls_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
+ lo->ldo_tls_certfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
return 0; |
case LDAP_OPT_X_TLS_KEYFILE: |
if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile ); |
- lo->ldo_tls_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
+ lo->ldo_tls_keyfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
return 0; |
case LDAP_OPT_X_TLS_DHFILE: |
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile ); |
- lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
+ lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
return 0; |
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ |
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile ); |
- lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
+ lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
return 0; |
case LDAP_OPT_X_TLS_REQUIRE_CERT: |
if ( !arg ) return -1; |
@@ -783,7 +783,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) |
#endif |
case LDAP_OPT_X_TLS_CIPHER_SUITE: |
if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite ); |
- lo->ldo_tls_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
+ lo->ldo_tls_ciphersuite = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
return 0; |
|
case LDAP_OPT_X_TLS_PROTOCOL_MIN: |
@@ -794,7 +794,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) |
if ( ld != NULL ) |
return -1; |
if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile ); |
- lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
+ lo->ldo_tls_randfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
break; |
case LDAP_OPT_X_TLS_NEWCTX: |
if ( !arg ) return -1; |
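Review bot: The expression `(arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL` is now repeated in eight `case` arms of `ldap_pvt_tls_set_option`, each preceded by the same `LDAP_FREE` of the old value; a small `static` helper that frees the old string and stores the new one, or NULL for an empty string, would keep the "empty means unset" rule in one place. The change also alters the observable contract of these options: an empty string was previously stored as an empty string and now clears the option, and for `LDAP_OPT_X_TLS_CIPHER_SUITE` a cleared value means the TLS library's default cipher list, so `ldap_set_option(3)` and the syncrepl `tls_*` documentation should state this. `ldap_pvt_tls_set_option` starts before the first hunk and continues past the last one.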
@ -0,0 +1,17 @@ |
Normally, skips reading of user configuration file when running with different effective UID. |
This patch adds the same behavior for GID. |
|
Author: Nalin Dahyabhai <nalin@redhat.com> |
|
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c |
index e6b17b4..fbf4829 100644 |
--- a/libraries/libldap/init.c |
+++ b/libraries/libldap/init.c |
@@ -678,7 +678,7 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl ) |
openldap_ldap_init_w_sysconf(LDAP_CONF_FILE); |
|
#ifdef HAVE_GETEUID |
- if ( geteuid() != getuid() ) |
+ if ( geteuid() != getuid() || getegid() != getgid() ) |
return; |
#endif |
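Review bot: The added `getegid() != getgid()` comparison in `ldap_int_initialize` lives inside `#ifdef HAVE_GETEUID`, so a build in which configure found `geteuid` but not `getegid` would fail to compile instead of skipping the check; a matching guard macro for `getegid` (it would need its own configure check, which is not visible here) or a comment stating that both functions are assumed together keeps the `#ifdef` honest. A short comment on the `if` would also spare the next reader a trip to the bug tracker: `/* running set-uid or set-gid: skip the per-user configuration below */`. The configuration reads that this early return protects are outside the hunk.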
@ -0,0 +1,148 @@ |
# |
# See slapd-config(5) for details on configuration options. |
# This file should NOT be world readable. |
# |
|
dn: cn=config |
objectClass: olcGlobal |
cn: config |
olcArgsFile: /var/run/openldap/slapd.args |
olcPidFile: /var/run/openldap/slapd.pid |
# |
# TLS settings |
# |
olcTLSCACertificatePath: /etc/openldap/certs |
olcTLSCertificateFile: "OpenLDAP Server" |
olcTLSCertificateKeyFile: /etc/openldap/certs/password |
# |
# Do not enable referrals until AFTER you have a working directory |
# service AND an understanding of referrals. |
# |
#olcReferral: ldap://root.openldap.org |
# |
# Sample security restrictions |
# Require integrity protection (prevent hijacking) |
# Require 112-bit (3DES or better) encryption for updates |
# Require 64-bit encryption for simple bind |
# |
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64 |
|
|
# |
# Load dynamic backend modules: |
# - modulepath is architecture dependent value (32/64-bit system) |
# - back_sql.la backend requires openldap-servers-sql package |
# - dyngroup.la and dynlist.la cannot be used at the same time |
# |
|
#dn: cn=module,cn=config |
#objectClass: olcModuleList |
#cn: module |
#olcModulepath: /usr/lib/openldap |
#olcModulepath: /usr/lib64/openldap |
#olcModuleload: accesslog.la |
#olcModuleload: auditlog.la |
#olcModuleload: back_dnssrv.la |
#olcModuleload: back_ldap.la |
#olcModuleload: back_mdb.la |
#olcModuleload: back_meta.la |
#olcModuleload: back_null.la |
#olcModuleload: back_passwd.la |
#olcModuleload: back_relay.la |
#olcModuleload: back_shell.la |
#olcModuleload: back_sock.la |
#olcModuleload: collect.la |
#olcModuleload: constraint.la |
#olcModuleload: dds.la |
#olcModuleload: deref.la |
#olcModuleload: dyngroup.la |
#olcModuleload: dynlist.la |
#olcModuleload: memberof.la |
#olcModuleload: pcache.la |
#olcModuleload: ppolicy.la |
#olcModuleload: refint.la |
#olcModuleload: retcode.la |
#olcModuleload: rwm.la |
#olcModuleload: seqmod.la |
#olcModuleload: smbk5pwd.la |
#olcModuleload: sssvlv.la |
#olcModuleload: syncprov.la |
#olcModuleload: translucent.la |
#olcModuleload: unique.la |
#olcModuleload: valsort.la |
|
|
# |
# Schema settings |
# |
|
dn: cn=schema,cn=config |
objectClass: olcSchemaConfig |
cn: schema |
|
include: file:///etc/openldap/schema/core.ldif |
|
# |
# Frontend settings |
# |
|
dn: olcDatabase=frontend,cn=config |
objectClass: olcDatabaseConfig |
objectClass: olcFrontendConfig |
olcDatabase: frontend |
# |
# Sample global access control policy: |
# Root DSE: allow anyone to read it |
# Subschema (sub)entry DSE: allow anyone to read it |
# Other DSEs: |
# Allow self write access |
# Allow authenticated users read access |
# Allow anonymous users to authenticate |
# |
#olcAccess: to dn.base="" by * read |
#olcAccess: to dn.base="cn=Subschema" by * read |
#olcAccess: to * |
# by self write |
# by users read |
# by anonymous auth |
# |
# if no access controls are present, the default policy |
# allows anyone and everyone to read anything but restricts |
# updates to rootdn. (e.g., "access to * by * read") |
# |
# rootdn can always read and write EVERYTHING! |
# |
|
# |
# Configuration database |
# |
|
dn: olcDatabase=config,cn=config |
objectClass: olcDatabaseConfig |
olcDatabase: config |
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c |
n=auth" manage by * none |
|
# |
# Server status monitoring |
# |
|
dn: olcDatabase=monitor,cn=config |
objectClass: olcDatabaseConfig |
olcDatabase: monitor |
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c |
n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none |
|
# |
# Backend database definitions |
# |
|
dn: olcDatabase=hdb,cn=config |
objectClass: olcDatabaseConfig |
objectClass: olcHdbConfig |
olcDatabase: hdb |
olcSuffix: dc=my-domain,dc=com |
olcRootDN: cn=Manager,dc=my-domain,dc=com |
olcDbDirectory: /var/lib/ldap |
olcDbIndex: objectClass eq,pres |
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub |
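Review bot: The `olcDatabase=hdb` entry at the end sets `olcSuffix` and `olcRootDN` but carries no `olcAccess`, so the default described in the frontend comments applies to the whole suffix: anyone, anonymous binds included, can read every entry and only the rootdn can write. Given the header's warning that this file must not be world readable, shipping the sample policy on the hdb entry itself, `olcAccess: to * by self write by users read by anonymous auth`, or at least a comment there pointing at the commented frontend block, would be more consistent than leaving the open default. `olcSecurity` is likewise only present commented out, while the default `SLAPD_URLS` elsewhere on this page includes a plaintext `ldap:///` listener, so a note at the TLS section about the intended minimum `ssf` would make the protection expectation explicit. The `cn=Manager,dc=my-domain,dc=com` DN granted `read` on the monitor database is a placeholder that has to change together with `olcSuffix`/`olcRootDN`; a comment saying so would prevent a stale grant after customisation.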
@ -0,0 +1,19 @@ |
[Unit] |
Description=OpenLDAP Server Daemon |
After=syslog.target network-online.target |
Documentation=man:slapd |
Documentation=man:slapd-config |
Documentation=man:slapd-hdb |
Documentation=man:slapd-mdb |
Documentation=file:///usr/share/doc/openldap-servers/guide.html |
|
[Service] |
Type=forking |
PIDFile=/var/run/openldap/slapd.pid |
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS=" |
EnvironmentFile=/etc/sysconfig/slapd |
ExecStartPre=/usr/libexec/openldap/check-config.sh |
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS |
|
[Install] |
WantedBy=multi-user.target |
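Review bot: `After=syslog.target network-online.target` only orders slapd after `network-online.target`; without a matching `Wants=network-online.target` nothing activates that target, so on boot slapd can start before the network is up and fail to bind a listener on a specific address. `syslog.target` is obsolete and can simply be dropped from that line. `ExecStart` passes `-u ldap` but no `-g`, leaving the group to whatever slapd derives from the user entry; an explicit `-g ldap` matches the `ldap ldap` ownership given to the runtime directory elsewhere on this page. Hardening directives such as `PrivateTmp=yes` and `ProtectSystem=full` are absent and are cheap to add for a network-facing daemon.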
@ -0,0 +1,15 @@ |
# OpenLDAP server configuration |
# see 'man slapd' for additional information |
|
# Where the server will run (-h option) |
# - ldapi:/// is required for on-the-fly configuration using client tools |
# (use SASL with EXTERNAL mechanism for authentication) |
# - default: ldapi:/// ldap:/// |
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:/// |
SLAPD_URLS="ldapi:/// ldap:///" |
|
# Any custom options |
#SLAPD_OPTIONS="" |
|
# Keytab location for GSSAPI Kerberos authentication |
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" |
@ -0,0 +1,2 @@ |
# openldap runtime directory for slapd.arg and slapd.pid |
d /var/run/openldap 0755 ldap ldap - |