basebuilder_pel7ppc64bebuilder0
6 years ago
38 changed files with 6045 additions and 0 deletions
@@ -0,0 +1,124 @@
|
||||
Correct log levels in check_password module. |
||||
|
||||
Author: Matus Honek <mhonek@redhat.com> |
||||
Resolves: #1356158 |
||||
|
||||
diff --git a/check_password.c b/check_password.c |
||||
--- a/check_password.c |
||||
+++ b/check_password.c |
||||
@@ -108,7 +108,7 @@ char* chomp(char *s) |
||||
static int set_quality (char *value) |
||||
{ |
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Setting quality to [%s]", value); |
||||
+ syslog(LOG_INFO, "check_password: Setting quality to [%s]", value); |
||||
#endif |
||||
|
||||
/* No need to require more quality than we can check for. */ |
||||
@@ -120,7 +120,7 @@ static int set_quality (char *value) |
||||
static int set_cracklib (char *value) |
||||
{ |
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Setting cracklib usage to [%s]", value); |
||||
+ syslog(LOG_INFO, "check_password: Setting cracklib usage to [%s]", value); |
||||
#endif |
||||
|
||||
|
||||
@@ -131,7 +131,7 @@ static int set_cracklib (char *value) |
||||
static int set_digit (char *value) |
||||
{ |
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Setting parameter to [%s]", value); |
||||
+ syslog(LOG_INFO, "check_password: Setting parameter to [%s]", value); |
||||
#endif |
||||
if (!isdigit(*value) || (int) (value[0] - '0') > 9) return 0; |
||||
return (int) (value[0] - '0'); |
||||
@@ -152,14 +152,14 @@ static validator valid_word (char *word) |
||||
int index = 0; |
||||
|
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Validating parameter [%s]", word); |
||||
+ syslog(LOG_DEBUG, "check_password: Validating parameter [%s]", word); |
||||
#endif |
||||
|
||||
while (list[index].parameter != NULL) { |
||||
if (strlen(word) == strlen(list[index].parameter) && |
||||
strcmp(list[index].parameter, word) == 0) { |
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Parameter accepted."); |
||||
+ syslog(LOG_DEBUG, "check_password: Parameter accepted."); |
||||
#endif |
||||
return list[index].dealer; |
||||
} |
||||
@@ -167,7 +167,7 @@ static validator valid_word (char *word) |
||||
} |
||||
|
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Parameter rejected."); |
||||
+ syslog(LOG_DEBUG, "check_password: Parameter rejected."); |
||||
#endif |
||||
|
||||
return NULL; |
||||
@@ -203,7 +203,7 @@ static int read_config_file () |
||||
|
||||
#if defined(DEBUG) |
||||
/* Debug traces to syslog. */ |
||||
- syslog(LOG_NOTICE, "check_password: Got line |%s|", line); |
||||
+ syslog(LOG_DEBUG, "check_password: Got line |%s|", line); |
||||
#endif |
||||
|
||||
while (isspace(*start) && isascii(*start)) start++; |
||||
@@ -212,7 +212,7 @@ static int read_config_file () |
||||
if ( ispunct(*start)) { |
||||
#if defined(DEBUG) |
||||
/* Debug traces to syslog. */ |
||||
- syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); |
||||
+ syslog(LOG_DEBUG, "check_password: Skipped line |%s|", line); |
||||
#endif |
||||
continue; |
||||
} |
||||
@@ -227,7 +227,7 @@ static int read_config_file () |
||||
if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { |
||||
|
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); |
||||
+ syslog(LOG_DEBUG, "check_password: Word = %s, value = %s", word, value); |
||||
#endif |
||||
|
||||
centry[i].value = chomp(value); |
||||
@@ -319,7 +319,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) |
||||
if ( !nLower && (minLower < 1)) { |
||||
nLower = 1; nQuality++; |
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Found lower character - quality raise %d", nQuality); |
||||
+ syslog(LOG_DEBUG, "check_password: Found lower character - quality raise %d", nQuality); |
||||
#endif |
||||
} |
||||
continue; |
||||
@@ -330,7 +330,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) |
||||
if ( !nUpper && (minUpper < 1)) { |
||||
nUpper = 1; nQuality++; |
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Found upper character - quality raise %d", nQuality); |
||||
+ syslog(LOG_DEBUG, "check_password: Found upper character - quality raise %d", nQuality); |
||||
#endif |
||||
} |
||||
continue; |
||||
@@ -341,7 +341,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) |
||||
if ( !nDigit && (minDigit < 1)) { |
||||
nDigit = 1; nQuality++; |
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Found digit character - quality raise %d", nQuality); |
||||
+ syslog(LOG_DEBUG, "check_password: Found digit character - quality raise %d", nQuality); |
||||
#endif |
||||
} |
||||
continue; |
||||
@@ -352,7 +352,7 @@ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) |
||||
if ( !nPunct && (minPunct < 1)) { |
||||
nPunct = 1; nQuality++; |
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Found punctuation character - quality raise %d", nQuality); |
||||
+ syslog(LOG_DEBUG, "check_password: Found punctuation character - quality raise %d", nQuality); |
||||
#endif |
||||
} |
||||
continue; |
@@ -0,0 +1,41 @@
|
||||
--- a/Makefile 2009-10-31 18:59:06.000000000 +0100 |
||||
+++ b/Makefile 2014-12-17 09:42:37.586079225 +0100 |
||||
@@ -13,22 +13,11 @@ |
||||
# |
||||
CONFIG=/etc/openldap/check_password.conf |
||||
|
||||
-OPT=-g -O2 -Wall -fpic \ |
||||
- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ |
||||
- -DCONFIG_FILE="\"$(CONFIG)\"" \ |
||||
+CFLAGS+=-fpic \ |
||||
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ |
||||
+ -DCONFIG_FILE="\"$(CONFIG)\"" \ |
||||
-DDEBUG |
||||
|
||||
-# Where to find the OpenLDAP headers. |
||||
-# |
||||
-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \ |
||||
- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd |
||||
- |
||||
-# Where to find the CrackLib headers. |
||||
-# |
||||
-CRACK_INC= |
||||
- |
||||
-INCS=$(LDAP_INC) $(CRACK_INC) |
||||
- |
||||
LDAP_LIB=-lldap_r -llber |
||||
|
||||
# Comment out this line if you do NOT want to use the cracklib. |
||||
@@ -45,10 +34,10 @@ |
||||
all: check_password |
||||
|
||||
check_password.o: |
||||
- $(CC) $(OPT) -c $(INCS) check_password.c |
||||
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c |
||||
|
||||
check_password: clean check_password.o |
||||
- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) |
||||
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) |
||||
|
||||
install: check_password |
||||
cp -f check_password.so ../../../usr/lib/openldap/modules/ |
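Review bot: The new `check_password.o:` rule still expands `$(LDAP_INC)`, yet the same patch deletes the only definition of `LDAP_INC` (the `-I/home/pyb/tmp/openldap-2.3.39/...` lines), so the variable now has to arrive from the environment or the make command line and the compile silently loses the slapd include path if it does not. Make that contract explicit with a comment next to `CFLAGS+=`, e.g. `# LDAP_INC must be supplied by the caller: -I<openldap-src>/include -I<openldap-src>/servers/slapd` (placeholders, not real paths). Note also that `-DDEBUG` survives inside the new `CFLAGS+=` block, so the syslog debug traces in check_password.c are compiled into the shipped module rather than being a developer-only option; if that is intended, say so in the same comment, otherwise drop `-DDEBUG` from the default flags.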
@@ -0,0 +1,321 @@
|
||||
--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100 |
||||
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100 |
||||
@@ -10,7 +10,7 @@ |
||||
#include <slap.h> |
||||
|
||||
#ifdef HAVE_CRACKLIB |
||||
-#include "crack.h" |
||||
+#include <crack.h> |
||||
#endif |
||||
|
||||
#if defined(DEBUG) |
||||
@@ -34,18 +34,77 @@ |
||||
#define PASSWORD_TOO_SHORT_SZ \ |
||||
"Password for dn=\"%s\" is too short (%d/6)" |
||||
#define PASSWORD_QUALITY_SZ \ |
||||
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)" |
||||
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)" |
||||
#define BAD_PASSWORD_SZ \ |
||||
"Bad password for dn=\"%s\" because %s" |
||||
+#define UNKNOWN_ERROR_SZ \ |
||||
+ "An unknown error occurred, please see your systems administrator" |
||||
|
||||
typedef int (*validator) (char*); |
||||
-static int read_config_file (char *); |
||||
+static int read_config_file (); |
||||
static validator valid_word (char *); |
||||
static int set_quality (char *); |
||||
static int set_cracklib (char *); |
||||
|
||||
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); |
||||
|
||||
+struct config_entry { |
||||
+ char* key; |
||||
+ char* value; |
||||
+ char* def_value; |
||||
+} config_entries[] = { { "minPoints", NULL, "3"}, |
||||
+ { "useCracklib", NULL, "1"}, |
||||
+ { "minUpper", NULL, "0"}, |
||||
+ { "minLower", NULL, "0"}, |
||||
+ { "minDigit", NULL, "0"}, |
||||
+ { "minPunct", NULL, "0"}, |
||||
+ { NULL, NULL, NULL }}; |
||||
+ |
||||
+int get_config_entry_int(char* entry) { |
||||
+ struct config_entry* centry = config_entries; |
||||
+ |
||||
+ int i = 0; |
||||
+ char* key = centry[i].key; |
||||
+ while (key != NULL) { |
||||
+ if ( strncmp(key, entry, strlen(key)) == 0 ) { |
||||
+ if ( centry[i].value == NULL ) { |
||||
+ return atoi(centry[i].def_value); |
||||
+ } |
||||
+ else { |
||||
+ return atoi(centry[i].value); |
||||
+ } |
||||
+ } |
||||
+ i++; |
||||
+ key = centry[i].key; |
||||
+ } |
||||
+ |
||||
+ return -1; |
||||
+} |
||||
+ |
||||
+void dealloc_config_entries() { |
||||
+ struct config_entry* centry = config_entries; |
||||
+ |
||||
+ int i = 0; |
||||
+ while (centry[i].key != NULL) { |
||||
+ if ( centry[i].value != NULL ) { |
||||
+ ber_memfree(centry[i].value); |
||||
+ } |
||||
+ i++; |
||||
+ } |
||||
+} |
||||
+ |
||||
+char* chomp(char *s) |
||||
+{ |
||||
+ char* t = ber_memalloc(strlen(s)+1); |
||||
+ strncpy (t,s,strlen(s)+1); |
||||
+ |
||||
+ if ( t[strlen(t)-1] == '\n' ) { |
||||
+ t[strlen(t)-1] = '\0'; |
||||
+ } |
||||
+ |
||||
+ return t; |
||||
+} |
||||
+ |
||||
static int set_quality (char *value) |
||||
{ |
||||
#if defined(DEBUG) |
||||
@@ -84,12 +143,12 @@ |
||||
char * parameter; |
||||
validator dealer; |
||||
} list[] = { { "minPoints", set_quality }, |
||||
- { "useCracklib", set_cracklib }, |
||||
- { "minUpper", set_digit }, |
||||
- { "minLower", set_digit }, |
||||
- { "minDigit", set_digit }, |
||||
- { "minPunct", set_digit }, |
||||
- { NULL, NULL } }; |
||||
+ { "useCracklib", set_cracklib }, |
||||
+ { "minUpper", set_digit }, |
||||
+ { "minLower", set_digit }, |
||||
+ { "minDigit", set_digit }, |
||||
+ { "minPunct", set_digit }, |
||||
+ { NULL, NULL } }; |
||||
int index = 0; |
||||
|
||||
#if defined(DEBUG) |
||||
@@ -98,7 +157,7 @@ |
||||
|
||||
while (list[index].parameter != NULL) { |
||||
if (strlen(word) == strlen(list[index].parameter) && |
||||
- strcmp(list[index].parameter, word) == 0) { |
||||
+ strcmp(list[index].parameter, word) == 0) { |
||||
#if defined(DEBUG) |
||||
syslog(LOG_NOTICE, "check_password: Parameter accepted."); |
||||
#endif |
||||
@@ -114,13 +173,15 @@ |
||||
return NULL; |
||||
} |
||||
|
||||
-static int read_config_file (char *keyWord) |
||||
+static int read_config_file () |
||||
{ |
||||
FILE * config; |
||||
char * line; |
||||
int returnValue = -1; |
||||
|
||||
- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) { |
||||
+ line = ber_memcalloc(260, sizeof(char)); |
||||
+ |
||||
+ if ( line == NULL ) { |
||||
return returnValue; |
||||
} |
||||
|
||||
@@ -133,6 +194,8 @@ |
||||
return returnValue; |
||||
} |
||||
|
||||
+ returnValue = 0; |
||||
+ |
||||
while (fgets(line, 256, config) != NULL) { |
||||
char *start = line; |
||||
char *word, *value; |
||||
@@ -145,23 +208,40 @@ |
||||
|
||||
while (isspace(*start) && isascii(*start)) start++; |
||||
|
||||
- if (! isascii(*start)) |
||||
+ /* If we've got punctuation, just skip the line. */ |
||||
+ if ( ispunct(*start)) { |
||||
+#if defined(DEBUG) |
||||
+ /* Debug traces to syslog. */ |
||||
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); |
||||
+#endif |
||||
continue; |
||||
+ } |
||||
|
||||
- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) { |
||||
- if ((value = strtok(NULL, " \t")) == NULL) |
||||
- continue; |
||||
+ if( isascii(*start)) { |
||||
+ |
||||
+ struct config_entry* centry = config_entries; |
||||
+ int i = 0; |
||||
+ char* keyWord = centry[i].key; |
||||
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) { |
||||
+ while ( keyWord != NULL ) { |
||||
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { |
||||
|
||||
#if defined(DEBUG) |
||||
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); |
||||
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); |
||||
#endif |
||||
|
||||
- returnValue = (*dealer)(value); |
||||
+ centry[i].value = chomp(value); |
||||
+ break; |
||||
+ } |
||||
+ i++; |
||||
+ keyWord = centry[i].key; |
||||
+ } |
||||
+ } |
||||
} |
||||
} |
||||
- |
||||
fclose(config); |
||||
ber_memfree(line); |
||||
+ |
||||
return returnValue; |
||||
} |
||||
|
||||
@@ -170,7 +250,7 @@ |
||||
if (curlen < nextlen + MEMORY_MARGIN) { |
||||
#if defined(DEBUG) |
||||
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d", |
||||
- curlen, nextlen + MEMORY_MARGIN); |
||||
+ curlen, nextlen + MEMORY_MARGIN); |
||||
#endif |
||||
ber_memfree(*target); |
||||
curlen = nextlen + MEMORY_MARGIN; |
||||
@@ -180,7 +260,7 @@ |
||||
return curlen; |
||||
} |
||||
|
||||
- int |
||||
+int |
||||
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) |
||||
{ |
||||
|
||||
@@ -210,20 +290,22 @@ |
||||
nLen = strlen (pPasswd); |
||||
if ( nLen < 6) { |
||||
mem_len = realloc_error_message(&szErrStr, mem_len, |
||||
- strlen(PASSWORD_TOO_SHORT_SZ) + |
||||
- strlen(pEntry->e_name.bv_val) + 1); |
||||
+ strlen(PASSWORD_TOO_SHORT_SZ) + |
||||
+ strlen(pEntry->e_name.bv_val) + 1); |
||||
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen); |
||||
goto fail; |
||||
} |
||||
|
||||
- /* Read config file */ |
||||
- minQuality = read_config_file("minPoints"); |
||||
+ if (read_config_file() == -1) { |
||||
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE); |
||||
+ } |
||||
|
||||
- useCracklib = read_config_file("useCracklib"); |
||||
- minUpper = read_config_file("minUpper"); |
||||
- minLower = read_config_file("minLower"); |
||||
- minDigit = read_config_file("minDigit"); |
||||
- minPunct = read_config_file("minPunct"); |
||||
+ minQuality = get_config_entry_int("minPoints"); |
||||
+ useCracklib = get_config_entry_int("useCracklib"); |
||||
+ minUpper = get_config_entry_int("minUpper"); |
||||
+ minLower = get_config_entry_int("minLower"); |
||||
+ minDigit = get_config_entry_int("minDigit"); |
||||
+ minPunct = get_config_entry_int("minPunct"); |
||||
|
||||
/** The password must have at least minQuality strength points with one |
||||
* point for the first occurrance of a lower, upper, digit and |
||||
@@ -232,8 +314,6 @@ |
||||
|
||||
for ( i = 0; i < nLen; i++ ) { |
||||
|
||||
- if ( nQuality >= minQuality ) break; |
||||
- |
||||
if ( islower (pPasswd[i]) ) { |
||||
minLower--; |
||||
if ( !nLower && (minLower < 1)) { |
||||
@@ -279,12 +359,23 @@ |
||||
} |
||||
} |
||||
|
||||
- if ( nQuality < minQuality ) { |
||||
+ /* |
||||
+ * If you have a required field, then it should be required in the strength |
||||
+ * checks. |
||||
+ */ |
||||
+ |
||||
+ if ( |
||||
+ (minLower > 0 ) || |
||||
+ (minUpper > 0 ) || |
||||
+ (minDigit > 0 ) || |
||||
+ (minPunct > 0 ) || |
||||
+ (nQuality < minQuality) |
||||
+ ) { |
||||
mem_len = realloc_error_message(&szErrStr, mem_len, |
||||
- strlen(PASSWORD_QUALITY_SZ) + |
||||
- strlen(pEntry->e_name.bv_val) + 2); |
||||
+ strlen(PASSWORD_QUALITY_SZ) + |
||||
+ strlen(pEntry->e_name.bv_val) + 2); |
||||
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val, |
||||
- nQuality, minQuality); |
||||
+ nQuality, minQuality); |
||||
goto fail; |
||||
} |
||||
|
||||
@@ -306,7 +397,7 @@ |
||||
for ( j = 0; j < 3; j++ ) { |
||||
|
||||
snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \ |
||||
- CRACKLIB_DICTPATH, ext[j]); |
||||
+ CRACKLIB_DICTPATH, ext[j]); |
||||
|
||||
if (( fp = fopen ( filename, "r")) == NULL ) { |
||||
|
||||
@@ -326,9 +417,9 @@ |
||||
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH); |
||||
if ( r != NULL ) { |
||||
mem_len = realloc_error_message(&szErrStr, mem_len, |
||||
- strlen(BAD_PASSWORD_SZ) + |
||||
- strlen(pEntry->e_name.bv_val) + |
||||
- strlen(r)); |
||||
+ strlen(BAD_PASSWORD_SZ) + |
||||
+ strlen(pEntry->e_name.bv_val) + |
||||
+ strlen(r)); |
||||
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r); |
||||
goto fail; |
||||
} |
||||
@@ -342,15 +433,15 @@ |
||||
} |
||||
|
||||
#endif |
||||
- |
||||
+ dealloc_config_entries(); |
||||
*ppErrStr = strdup (""); |
||||
ber_memfree(szErrStr); |
||||
return (LDAP_SUCCESS); |
||||
|
||||
fail: |
||||
+ dealloc_config_entries(); |
||||
*ppErrStr = strdup (szErrStr); |
||||
ber_memfree(szErrStr); |
||||
return (EXIT_FAILURE); |
||||
|
||||
} |
||||
- |
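Review bot: `dealloc_config_entries()` frees each `centry[i].value` but leaves the pointer set, and `config_entries` is a file-scope array, so on the next `check_password()` call any key that `read_config_file()` does not overwrite (config file unreadable, or the key simply absent this time) is handed to `atoi()` as a freed pointer from `get_config_entry_int()` — a use-after-free; the free should be `ber_memfree(centry[i].value); centry[i].value = NULL;`. In `read_config_file()` the assignment `centry[i].value = chomp(value);` also overwrites an earlier value without freeing it, so a key listed twice in the config leaks; free the old value first. The `dealer` returned by `valid_word()` is still computed but `(*dealer)(value)` is no longer called, which means `set_quality()`/`set_digit()` no longer validate or clamp the configured numbers and `get_config_entry_int()` feeds the raw text to `atoi()` (prefer `strtol` with an `endptr`/`ERANGE` check, or reinstate the dealer call). Finally `chomp()` neither checks the `ber_memalloc()` result nor guards the empty string, where `t[strlen(t)-1]` indexes before the buffer. `read_config_file()` and `check_password()` both continue outside these hunks.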
@@ -0,0 +1,18 @@
|
||||
# |
||||
# LDAP Defaults |
||||
# |
||||
|
||||
# See ldap.conf(5) for details |
||||
# This file should be world readable but not world writable. |
||||
|
||||
#BASE dc=example,dc=com |
||||
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 |
||||
|
||||
#SIZELIMIT 12 |
||||
#TIMELIMIT 15 |
||||
#DEREF never |
||||
|
||||
TLS_CACERTDIR /etc/openldap/certs |
||||
|
||||
# Turning this off breaks GSSAPI used with krb5 when rdns = false |
||||
SASL_NOCANON on |
@@ -0,0 +1,91 @@
|
||||
#!/bin/sh |
||||
# Author: Jan Vcelak <jvcelak@redhat.com> |
||||
|
||||
. /usr/libexec/openldap/functions |
||||
|
||||
function check_config_syntax() |
||||
{ |
||||
retcode=0 |
||||
tmp_slaptest=`mktemp --tmpdir=/var/run/openldap` |
||||
run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest |
||||
if [ $? -ne 0 ]; then |
||||
error "Checking configuration file failed:" |
||||
cat $tmp_slaptest >&2 |
||||
retcode=1 |
||||
fi |
||||
rm $tmp_slaptest |
||||
return $retcode |
||||
} |
||||
|
||||
function check_certs_perms() |
||||
{ |
||||
retcode=0 |
||||
for cert in `certificates`; do |
||||
run_as_ldap "/usr/bin/test -e \"$cert\"" |
||||
if [ $? -ne 0 ]; then |
||||
error "TLS certificate/key/DB '%s' was not found." "$cert" |
||||
retcoder=1 |
||||
continue |
||||
fi |
||||
run_as_ldap "/usr/bin/test -r \"$cert\"" |
||||
if [ $? -ne 0 ]; then |
||||
error "TLS certificate/key/DB '%s' is not readable." "$cert" |
||||
retcode=1 |
||||
fi |
||||
done |
||||
return $retcode |
||||
} |
||||
|
||||
function check_db_perms() |
||||
{ |
||||
retcode=0 |
||||
for dbdir in `databases`; do |
||||
[ -d "$dbdir" ] || continue |
||||
for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do |
||||
run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\"" |
||||
if [ $? -ne 0 ]; then |
||||
error "Read/write permissions for DB file '%s' are required." "$dbfile" |
||||
retcode=1 |
||||
fi |
||||
done |
||||
done |
||||
return $retcode |
||||
} |
||||
|
||||
function check_everything() |
||||
{ |
||||
retcode=0 |
||||
check_config_syntax || retcode=1 |
||||
# TODO: need support for Mozilla NSS, disabling temporarily |
||||
#check_certs_perms || retcode=1 |
||||
check_db_perms || retcode=1 |
||||
return $retcode |
||||
} |
||||
|
||||
if [ `id -u` -ne 0 ]; then |
||||
error "You have to be root to run this script." |
||||
exit 4 |
||||
fi |
||||
|
||||
load_sysconfig |
||||
|
||||
if [ -n "$SLAPD_CONFIG_DIR" ]; then |
||||
if [ ! -d "$SLAPD_CONFIG_DIR" ]; then |
||||
error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR" |
||||
else |
||||
check_everything |
||||
exit $? |
||||
fi |
||||
fi |
||||
|
||||
if [ -n "$SLAPD_CONFIG_FILE" ]; then |
||||
if [ ! -f "$SLAPD_CONFIG_FILE" ]; then |
||||
error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE" |
||||
else |
||||
error "Warning: Usage of a configuration file is obsolete!" |
||||
check_everything |
||||
exit $? |
||||
fi |
||||
fi |
||||
|
||||
exit 1 |
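Review bot: In `check_certs_perms()` the "was not found" branch assigns `retcoder=1` (typo), so a missing certificate/key/DB never makes the function return failure; it should read `retcode=1`. The call is currently commented out in `check_everything()`, so the bug is latent, but it will surface as soon as that TODO is resolved. Separately, the script declares `#!/bin/sh` yet relies on bash-only `function` and `&>` syntax; on a strictly POSIX sh `run_as_ldap "..." &>$tmp_slaptest` is parsed as a background job followed by a redirection, so `$?` would not be slaptest's exit status — change the shebang to `#!/bin/bash` (the conversion script in the next section and the sourced functions file have the same bash dependencies).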
@@ -0,0 +1,79 @@
|
||||
#!/bin/sh |
||||
# Author: Jan Vcelak <jvcelak@redhat.com> |
||||
|
||||
. /usr/libexec/openldap/functions |
||||
|
||||
function help() |
||||
{ |
||||
error "usage: %s [-f config-file] [-F config-dir]\n" "`basename $0`" |
||||
exit 2 |
||||
} |
||||
|
||||
load_sysconfig |
||||
|
||||
while getopts :f:F: opt; do |
||||
case "$opt" in |
||||
f) |
||||
SLAPD_CONFIG_FILE="$OPTARG" |
||||
;; |
||||
F) |
||||
SLAPD_CONFIG_DIR="$OPTARG" |
||||
;; |
||||
*) |
||||
help |
||||
;; |
||||
esac |
||||
done |
||||
shift $((OPTIND-1)) |
||||
[ -n "$1" ] && help |
||||
|
||||
# check source, target |
||||
|
||||
if [ ! -f "$SLAPD_CONFIG_FILE" ]; then |
||||
error "Source configuration file '%s' not found." "$SLAPD_CONFIG_FILE" |
||||
exit 1 |
||||
fi |
||||
|
||||
if grep -iq '^dn: cn=config$' "$SLAPD_CONFIG_FILE"; then |
||||
SLAPD_CONFIG_FILE_FORMAT=ldif |
||||
else |
||||
SLAPD_CONFIG_FILE_FORMAT=conf |
||||
fi |
||||
|
||||
if [ -d "$SLAPD_CONFIG_DIR" ]; then |
||||
if [ `find "$SLAPD_CONFIG_DIR" -maxdepth 0 -empty | wc -l` -eq 0 ]; then |
||||
error "Target configuration directory '%s' is not empty." "$SLAPD_CONFIG_DIR" |
||||
exit 1 |
||||
fi |
||||
fi |
||||
|
||||
# perform the conversion |
||||
|
||||
tmp_convert=`mktemp --tmpdir=/var/run/openldap` |
||||
|
||||
if [ `id -u` -eq 0 ]; then |
||||
install -d --owner $SLAPD_USER --group `id -g $SLAPD_USER` --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert |
||||
if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then |
||||
run_as_ldap "/usr/sbin/slapadd -F \"$SLAPD_CONFIG_DIR\" -n 0 -l \"$SLAPD_CONFIG_FILE\"" &>>$tmp_convert |
||||
else |
||||
run_as_ldap "/usr/sbin/slaptest -f \"$SLAPD_CONFIG_FILE\" -F \"$SLAPD_CONFIG_DIR\"" &>>$tmp_convert |
||||
fi |
||||
retcode=$? |
||||
else |
||||
error "You are not root! Permission will not be set." |
||||
install -d --mode 0750 "$SLAPD_CONFIG_DIR" &>>$tmp_convert |
||||
if [ $SLAPD_CONFIG_FILE_FORMAT = ldif ]; then |
||||
/usr/sbin/slapadd -F "$SLAPD_CONFIG_DIR" -n 0 -l "$SLAPD_CONFIG_FILE" &>>$tmp_convert |
||||
else |
||||
/usr/sbin/slaptest -f "$SLAPD_CONFIG_FILE" -F "$SLAPD_CONFIG_DIR" &>>$tmp_convert |
||||
fi |
||||
retcode=$? |
||||
fi |
||||
|
||||
if [ $retcode -ne 0 ]; then |
||||
error "Configuration conversion failed:" |
||||
cat $tmp_convert >&2 |
||||
fi |
||||
|
||||
rm $tmp_convert |
||||
exit $retcode |
@@ -0,0 +1,70 @@
|
||||
#!/bin/bash |
||||
# Author: Jan Vcelak <jvcelak@redhat.com> |
||||
|
||||
set -e |
||||
|
||||
# default options |
||||
|
||||
CERTDB_DIR=/etc/openldap/certs |
||||
|
||||
# internals |
||||
|
||||
MODULE_CKBI="$(rpm --eval %{_libdir})/libnssckbi.so" |
||||
RANDOM_SOURCE=/dev/urandom |
||||
PASSWORD_BYTES=32 |
||||
|
||||
# parse arguments |
||||
|
||||
usage() { |
||||
printf "usage: create-certdb.sh [-d certdb]\n" >&2 |
||||
exit 1 |
||||
} |
||||
|
||||
while getopts "d:" opt; do |
||||
case "$opt" in |
||||
d) |
||||
CERTDB_DIR="$OPTARG" |
||||
;; |
||||
\?) |
||||
usage |
||||
;; |
||||
esac |
||||
done |
||||
|
||||
[ "$OPTIND" -le "$#" ] && usage |
||||
|
||||
# verify target location |
||||
|
||||
if [ ! -d "$CERTDB_DIR" ]; then |
||||
printf "Directory '%s' does not exist.\n" "$CERTDB_DIR" >&2 |
||||
exit 1 |
||||
fi |
||||
|
||||
if [ ! "$(find "$CERTDB_DIR" -maxdepth 0 -empty | wc -l)" -eq 1 ]; then |
||||
printf "Directory '%s' is not empty.\n" "$CERTDB_DIR" >&2 |
||||
exit 1 |
||||
fi |
||||
|
||||
# create the database |
||||
|
||||
printf "Creating certificate database in '%s'.\n" "$CERTDB_DIR" >&2 |
||||
|
||||
PASSWORD_FILE="$CERTDB_DIR/password" |
||||
OLD_UMASK="$(umask)" |
||||
umask 0377 |
||||
dd if=$RANDOM_SOURCE bs=$PASSWORD_BYTES count=1 2>/dev/null | base64 > "$PASSWORD_FILE" |
||||
umask "$OLD_UMASK" |
||||
|
||||
certutil -d "$CERTDB_DIR" -N -f "$PASSWORD_FILE" &>/dev/null |
||||
|
||||
# load module with builtin CA certificates |
||||
|
||||
echo | modutil -dbdir "$CERTDB_DIR" -add "Root Certs" -libfile "$MODULE_CKBI" &>/dev/null |
||||
|
||||
# tune permissions |
||||
|
||||
for dbfile in "$CERTDB_DIR"/*.db; do |
||||
chmod 0644 "$dbfile" |
||||
done |
||||
|
||||
exit 0 |
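Review bot: `set -e` does not cover the pipeline `dd if=$RANDOM_SOURCE ... | base64 > "$PASSWORD_FILE"`: only base64's exit status is checked, so a failing `dd` would leave an empty (or short) password file that `certutil -N -f` then accepts as the database password. Add `set -o pipefail` next to `set -e` (or `set -eo pipefail`) so the script aborts instead, and quote `"$RANDOM_SOURCE"` for consistency with the rest of the file. The umask 0377 makes the password file mode 0400 owned by whoever runs the script; the server-side group read added later by the certificate script presumably relies on that — worth a one-line comment here so the two scripts' assumptions stay in sync.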
@@ -0,0 +1,134 @@
|
||||
# Author: Jan Vcelak <jvcelak@redhat.com> |
||||
|
||||
SLAPD_USER= |
||||
SLAPD_CONFIG_FILE= |
||||
SLAPD_CONFIG_DIR= |
||||
SLAPD_CONFIG_CUSTOM= |
||||
SLAPD_GLOBAL_OPTIONS= |
||||
SLAPD_SYSCONFIG_FILE= |
||||
|
||||
function default_config() |
||||
{ |
||||
SLAPD_USER=ldap |
||||
SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf |
||||
SLAPD_CONFIG_DIR=/etc/openldap/slapd.d |
||||
SLAPD_CONFIG_CUSTOM= |
||||
SLAPD_GLOBAL_OPTIONS= |
||||
SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd |
||||
} |
||||
|
||||
function parse_config_options() |
||||
{ |
||||
user= |
||||
config_file= |
||||
config_dir= |
||||
while getopts :u:f:F: opt; do |
||||
case "$opt" in |
||||
u) |
||||
user="$OPTARG" |
||||
;; |
||||
f) |
||||
config_file="$OPTARG" |
||||
;; |
||||
F) |
||||
config_dir="$OPTARG" |
||||
;; |
||||
esac |
||||
done |
||||
|
||||
if [ -n "$user" ]; then |
||||
SLAPD_USER="$user" |
||||
fi |
||||
|
||||
if [ -n "$config_dir" ]; then |
||||
SLAPD_CONFIG_DIR="$config_dir" |
||||
SLAPD_CONFIG_FILE= |
||||
SLAPD_CONFIG_CUSTOM=1 |
||||
SLAPD_GLOBAL_OPTIONS="-F '$config_dir'" |
||||
elif [ -n "$config_file" ]; then |
||||
SLAPD_CONFIG_DIR= |
||||
SLAPD_CONFIG_FILE="$config_file" |
||||
SLAPD_CONFIG_CUSTOM=1 |
||||
SLAPD_GLOBAL_OPTIONS="-f '$config_file'" |
||||
fi |
||||
} |
||||
|
||||
function uses_new_config() |
||||
{ |
||||
[ -n "$SLAPD_CONFIG_DIR" ] |
||||
return $? |
||||
} |
||||
|
||||
function run_as_ldap() |
||||
{ |
||||
/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER" |
||||
return $? |
||||
} |
||||
|
||||
function ldif_unbreak() |
||||
{ |
||||
sed ':a;N;s/\n //;ta;P;D' |
||||
} |
||||
|
||||
function ldif_value() |
||||
{ |
||||
sed 's/^[^:]*: //' |
||||
} |
||||
|
||||
function databases_new() |
||||
{ |
||||
slapcat $SLAPD_GLOBAL_OPTIONS -c \ |
||||
-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \ |
||||
ldif_unbreak | \ |
||||
grep '^olcDbDirectory: ' | \ |
||||
ldif_value |
||||
} |
||||
|
||||
function databases_old() |
||||
{ |
||||
awk 'begin { database="" } |
||||
$1 == "database" { database=$2 } |
||||
$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \ |
||||
"$SLAPD_CONFIG_FILE" |
||||
} |
||||
|
||||
function certificates_new() |
||||
{ |
||||
slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \ |
||||
ldif_unbreak | \ |
||||
grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \ |
||||
ldif_value |
||||
} |
||||
|
||||
function certificates_old() |
||||
{ |
||||
awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \ |
||||
"$SLAPD_CONFIG_FILE" |
||||
} |
||||
|
||||
function certificates() |
||||
{ |
||||
uses_new_config && certificates_new || certificates_old |
||||
} |
||||
|
||||
function databases() |
||||
{ |
||||
uses_new_config && databases_new || databases_old |
||||
} |
||||
|
||||
|
||||
function error() |
||||
{ |
||||
format="$1\n"; shift |
||||
printf "$format" $@ >&2 |
||||
} |
||||
|
||||
function load_sysconfig() |
||||
{ |
||||
[ -r "$SLAPD_SYSCONFIG_FILE" ] || return |
||||
|
||||
. "$SLAPD_SYSCONFIG_FILE" |
||||
[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS |
||||
} |
||||
|
||||
default_config |
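Review bot: `error()` expands `$@` unquoted in `printf "$format" $@ >&2`, so an argument containing whitespace (the callers pass certificate and database paths) is split across several `%s` fields or produces a spurious second line; it should be `printf "$format" "$@" >&2`. In `databases_old()` the awk program uses lowercase `begin { database="" }`; awk is case-sensitive, so this is a pattern testing an unset variable `begin` and the block never runs — harmless today because awk variables default to empty, but it should be `BEGIN`. `run_as_ldap()` hands `"$1"` to `runuser --session-command`, i.e. the callers' `\"$cert\"` / `\"$dbfile\"` strings are re-parsed by a shell, so a path containing `"` or `$` would be misinterpreted; presumably the config paths are operator-controlled, but a comment stating that assumption would help.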
@@ -0,0 +1,118 @@
|
||||
#!/bin/bash |
||||
# Author: Jan Vcelak <jvcelak@redhat.com> |
||||
|
||||
set -e |
||||
|
||||
# default options |
||||
|
||||
CERTDB_DIR=/etc/openldap/certs |
||||
CERT_NAME="OpenLDAP Server" |
||||
PASSWORD_FILE= |
||||
HOSTNAME_FQDN="$(hostname --fqdn)" |
||||
ALT_NAMES= |
||||
ONCE=0 |
||||
|
||||
# internals |
||||
|
||||
RANDOM_SOURCE=/dev/urandom |
||||
CERT_RANDOM_BYTES=256 |
||||
CERT_KEY_TYPE=rsa |
||||
CERT_KEY_SIZE=1024 |
||||
CERT_VALID_MONTHS=12 |
||||
|
||||
# parse arguments |
||||
|
||||
usage() { |
||||
printf "usage: generate-server-cert.sh [-d certdb-dir] [-n cert-name]\n" >&2 |
||||
printf " [-p password-file] [-h hostnames]\n" >&2 |
||||
printf " [-a dns-alt-names] [-o]\n" >&2 |
||||
exit 1 |
||||
} |
||||
|
||||
while getopts "d:n:p:h:a:o" opt; do |
||||
case "$opt" in |
||||
d) |
||||
CERTDB_DIR="$OPTARG" |
||||
;; |
||||
n) |
||||
CERT_NAME="$OPTARG" |
||||
;; |
||||
p) |
||||
PASSWORD_FILE="$OPTARG" |
||||
;; |
||||
h) |
||||
HOSTNAME_FQDN="$OPTARG" |
||||
;; |
||||
a) |
||||
ALT_NAMES="$OPTARG" |
||||
;; |
||||
o) |
||||
ONCE=1 |
||||
;; |
||||
\?) |
||||
usage |
||||
;; |
||||
esac |
||||
done |
||||
|
||||
[ "$OPTIND" -le "$#" ] && usage |
||||
|
||||
# generated options |
||||
|
||||
ONCE_FILE="$CERTDB_DIR/.slapd-leave" |
||||
PASSWORD_FILE="${PASSWORD_FILE:-${CERTDB_DIR}/password}" |
||||
ALT_NAMES="${ALT_NAMES:-${HOSTNAME_FQDN},localhost,localhost.localdomain}" |
||||
|
||||
# verify target location |
||||
|
||||
if [ "$ONCE" -eq 1 -a -f "$ONCE_FILE" ]; then |
||||
printf "Skipping certificate generating, '%s' exists.\n" "$ONCE_FILE" >&2 |
||||
exit 0 |
||||
fi |
||||
|
||||
if ! certutil -d "$CERTDB_DIR" -U &>/dev/null; then |
||||
printf "Directory '%s' is not a valid certificate database.\n" "$CERTDB_DIR" >&2 |
||||
exit 1 |
||||
fi |
||||
|
||||
printf "Creating new server certificate in '%s'.\n" "$CERTDB_DIR" >&2 |
||||
|
||||
if [ ! -r "$PASSWORD_FILE" ]; then |
||||
printf "Password file '%s' is not readable.\n" "$PASSWORD_FILE" >&2 |
||||
exit 1 |
||||
fi |
||||
|
||||
if certutil -d "$CERTDB_DIR" -L -a -n "$CERT_NAME" &>/dev/null; then |
||||
printf "Certificate '%s' already exists in the certificate database.\n" "$CERT_NAME" >&2 |
||||
exit 1 |
||||
fi |
||||
|
||||
# generate server certificate (self signed) |
||||
|
||||
|
||||
CERT_RANDOM=$(mktemp --tmpdir=/var/run/openldap) |
||||
dd if=$RANDOM_SOURCE bs=$CERT_RANDOM_BYTES count=1 of=$CERT_RANDOM &>/dev/null |
||||
|
||||
certutil -d "$CERTDB_DIR" -f "$PASSWORD_FILE" -z "$CERT_RANDOM" \ |
||||
-S -x -n "$CERT_NAME" \ |
||||
-s "CN=$HOSTNAME_FQDN" \ |
||||
-t TC,, \ |
||||
-k $CERT_KEY_TYPE -g $CERT_KEY_SIZE \ |
||||
-v $CERT_VALID_MONTHS \ |
||||
-8 "$ALT_NAMES" \ |
||||
&>/dev/null |
||||
|
||||
rm -f $CERT_RANDOM |
||||
|
||||
# tune permissions |
||||
|
||||
if [ "$(id -u)" -eq 0 ]; then |
||||
chgrp ldap "$PASSWORD_FILE" |
||||
chmod g+r "$PASSWORD_FILE" |
||||
else |
||||
printf "WARNING: The server requires read permissions on the password file in order to\n" >&2 |
||||
printf " load it's private key from the certificate database.\n" >&2 |
||||
fi |
||||
|
||||
touch "$ONCE_FILE" |
||||
exit 0 |
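Review bot: `CERT_KEY_SIZE=1024` generates a 1024-bit RSA key for the self-signed server certificate, which most current TLS clients and system crypto policies refuse as too weak; raise the default to `CERT_KEY_SIZE=2048` (the `-g` option accepts it unchanged). The variable is not exposed via getopts, so operators cannot override it without editing the script — consider adding it to the option parser. Minor: the user-facing message `load it's private key` should read `load its private key`, and `CERT_RANDOM`/`$CERT_RANDOM` are unquoted in the `dd ... of=` and `rm -f` lines, unlike every other path in the file.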
@@ -0,0 +1,142 @@
|
||||
#!/bin/bash |
||||
# This script serves one purpose, to add a possibly missing attribute |
||||
# to a ppolicy schema in a dynamic configuration of OpenLDAP. This |
||||
# attribute was introduced in openldap-2.4.43 and slapd will not |
||||
# start without it later on. |
||||
# |
||||
# The script tries to update in a directory given as first parameter, |
||||
# or in /etc/openldap/slapd.d implicitly. |
||||
# |
||||
# Author: Matus Honek <mhonek@redhat.com> |
||||
# Bugzilla: #1487857 |
||||
|
||||
function log { |
||||
echo "Update dynamic configuration: " $@ |
||||
true |
||||
} |
||||
|
||||
function iferr { |
||||
if [ $? -ne 0 ]; then |
||||
log "ERROR: " $@ |
||||
true |
||||
else |
||||
false |
||||
fi |
||||
} |
||||
|
||||
function update { |
||||
set -u |
||||
shopt -s extglob |
||||
|
||||
ORIGINAL="${1:-/etc/openldap/slapd.d}" |
||||
ORIGINAL="${ORIGINAL%*(/)}" |
||||
|
||||
### check if necessary |
||||
grep -r "pwdMaxRecordedFail" "${ORIGINAL}/cn=config/cn=schema" >/dev/null |
||||
[ $? -eq 0 ] && log "Schemas look up to date. Ok. Quitting." && return 0 |
||||
|
||||
### prep |
||||
log "Prepare environment." |
||||
|
||||
TEMPDIR=$(mktemp -d) |
||||
iferr "Could not create a temporary directory. Quitting." && return 1 |
||||
DBDIR="${TEMPDIR}/db" |
||||
SUBDBDIR="${DBDIR}/cn=temporary" |
||||
|
||||
mkdir "${DBDIR}" |
||||
iferr "Could not create temporary configuration directory. Quitting." && return 1 |
||||
cp -r --no-target-directory "${ORIGINAL}" "${SUBDBDIR}" |
||||
iferr "Could not copy configuration. Quitting." && return 1 |
||||
|
||||
pushd "$TEMPDIR" >/dev/null |
||||
|
||||
cat > temp.conf <<EOF |
||||
database ldif |
||||
suffix cn=temporary |
||||
directory db |
||||
access to * by * manage |
||||
EOF |
||||
|
||||
SOCKET="$(pwd)/socket" |
||||
LISTENER="ldapi://${SOCKET//\//%2F}" |
||||
CONN_PARAMS=("-Y" "EXTERNAL" "-H" "${LISTENER}") |
||||
|
||||
slapd -f temp.conf -h "$LISTENER" -d 0 >/dev/null 2>&1 & |
||||
SLAPDPID="$!" |
||||
sleep 2 |
||||
|
||||
ldapadd ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF |
||||
dn: cn=temporary |
||||
objectClass: olcGlobal |
||||
cn: temporary |
||||
EOF |
||||
iferr "Could not populate the temporary database. Quitting." && return 1 |
||||
|
||||
### update |
||||
log "Update with new pwdMaxRecordedFailure attribute." |
||||
FILTER="(&" |
||||
FILTER+="(olcObjectClasses=*'pwdPolicy'*)" |
||||
FILTER+="(!(olcObjectClasses=*'pwdPolicy'*'pwdMaxRecordedFailure'*))" |
||||
FILTER+="(!(olcAttributeTypes=*'pwdMaxRecordedFailure'*))" |
||||
FILTER+=")" |
||||
RES=$(ldapsearch ${CONN_PARAMS[@]} \ |
||||
-b cn=schema,cn=config,cn=temporary \ |
||||
-LLL \ |
||||
-o ldif-wrap=no \ |
||||
"$FILTER" \ |
||||
dn olcObjectClasses \ |
||||
2>/dev/null \ |
||||
| sed '/^$/d') |
||||
DN=$(printf "$RES" | grep '^dn:') |
||||
OC=$(printf "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'") |
||||
NEWOC="${OC//$ pwdSafeModify /$ pwdSafeModify $ pwdMaxRecordedFailure }" |
||||
|
||||
test $(echo "$DN" | wc -l) = 1 |
||||
iferr "Received more than one DN. Cannot continue. Quitting." && return 1 |
||||
test "$NEWOC" != "$OC" |
||||
iferr "Updating pwdPolicy objectClass definition failed. Quitting." && return 1 |
||||
|
||||
ldapmodify ${CONN_PARAMS[@]} -d 0 >/dev/null 2>&1 <<EOF |
||||
$DN |
||||
changetype: modify |
||||
add: olcAttributeTypes |
||||
olcAttributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.30 NAME 'pwdMaxRecordedFailur |
||||
e' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1. |
||||
1466.115.121.1.27 SINGLE-VALUE ) |
||||
- |
||||
delete: olcObjectClasses |
||||
$OC |
||||
- |
||||
add: olcObjectClasses |
||||
$NEWOC |
||||
EOF |
||||
iferr "Updating with new attribute failed. Quitting." && return 1 |
||||
|
||||
popd >/dev/null |
||||
|
||||
### apply |
||||
log "Apply changes." |
||||
cp -r --no-target-directory "$ORIGINAL" "$ORIGINAL~backup" |
||||
iferr "Backing up old configuration failed. Quitting." && return 1 |
||||
cp -r --no-target-directory "$SUBDBDIR" "$ORIGINAL" |
||||
iferr "Applying new configuration failed. Quitting." && return 1 |
||||
|
||||
### clean up |
||||
log "Clean up." |
||||
kill "$SLAPDPID" |
||||
SLAPDPID= |
||||
rm -rf "$TEMPDIR" |
||||
TEMPDIR= |
||||
} |
||||
|
||||
SLAPDPID= |
||||
TEMPDIR= |
||||
update "$1" |
||||
if [ $? -ne 0 ]; then |
||||
log "Clean up." |
||||
echo "$SLAPDPID" |
||||
echo "$TEMPDIR" |
||||
kill "$SLAPDPID" |
||||
rm -rf "$TEMPDIR" |
||||
fi |
||||
log "Finished." |
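Review bot: `printf "$RES"` on the DN and OC extraction lines uses LDAP-sourced schema text as the printf format string, so any `%` or backslash sequence inside an olcObjectClasses value is interpreted instead of printed and the following grep runs on mangled input; use `DN=$(printf '%s\n' "$RES" | grep '^dn:')` and `OC=$(printf '%s\n' "$RES" | grep "^olcObjectClasses:.*'pwdPolicy'")`. The fixed `sleep 2` after starting the temporary slapd is the only readiness check, so on a slow host the ldapadd fails and the function returns 1 before anything was changed; polling the ldapi listener with a short ldapsearch loop until it answers would be more robust. The outer cleanup also runs `kill "$SLAPDPID"` when that variable is still empty (failure before slapd was started), which only produces a usage error but is worth guarding with `[ -n "$SLAPDPID" ] && kill "$SLAPDPID"`.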
@@ -0,0 +1,40 @@
|
||||
#!/bin/sh |
||||
# Author: Jan Vcelak <jvcelak@redhat.com> |
||||
|
||||
. /usr/libexec/openldap/functions |
||||
|
||||
if [ `id -u` -ne 0 ]; then |
||||
error "You have to be root to run this command." |
||||
exit 4 |
||||
fi |
||||
|
||||
load_sysconfig |
||||
retcode=0 |
||||
|
||||
for dbdir in `databases`; do |
||||
upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log" |
||||
bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '` |
||||
|
||||
# skip uninitialized database |
||||
[ -z "$bdb_files"] || continue |
||||
|
||||
printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log" |
||||
|
||||
# perform the update |
||||
for command in \ |
||||
"/usr/bin/db_recover -v -h \"$dbdir\"" \ |
||||
"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \ |
||||
"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \ |
||||
; do |
||||
printf "Executing: %s\n" "$command" &>>$upgrade_log |
||||
run_as_ldap "$command" &>>$upgrade_log |
||||
result=$? |
||||
printf "Exit code: %d\n" $result >>"$upgrade_log" |
||||
if [ $result -ne 0 ]; then |
||||
printf "Upgrade failed: %d\n" $result |
||||
retcode=1 |
||||
fi |
||||
done |
||||
done |
||||
|
||||
exit $retcode |
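Review bot: The skip test `[ -z "$bdb_files"] || continue` is wrong twice: the missing space before `]` makes `[` fail with a syntax error, so `continue` fires for every database and nothing is ever upgraded, and once that is fixed the condition is inverted relative to its comment, skipping the initialized databases rather than the empty ones; it should read `[ -n "$bdb_files" ] || continue`. The `&>>$upgrade_log` redirections are a bashism in a `#!/bin/sh` script; under a POSIX sh they parse as backgrounding the command, so `result=$?` would report 0 for every step and failures would go unnoticed. Spell them as `>>"$upgrade_log" 2>&1`, or change the shebang to bash if the other bash-only constructs are intended.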
@@ -0,0 +1,21 @@
|
||||
Backport upstream fix for a crash in back-relay when doing do_search. |
||||
RHBZ: #1316450 |
||||
|
||||
commit 2e60bf5ed00c1a8794131f53a6c72a78c0766e21 |
||||
Author: Howard Chu <hyc@openldap.org> |
||||
Date: Wed May 18 12:30:31 2016 +0100 |
||||
|
||||
ITS#8428 init sc_writewait |
||||
|
||||
diff --git a/servers/slapd/back-relay/op.c b/servers/slapd/back-relay/op.c |
||||
index 4fdc08a..f7c1fee 100644 |
||||
--- a/servers/slapd/back-relay/op.c |
||||
+++ b/servers/slapd/back-relay/op.c |
||||
@@ -97,6 +97,7 @@ relay_back_response_cb( Operation *op, SlapReply *rs ) |
||||
(rcb)->rcb_sc.sc_next = (op)->o_callback; \ |
||||
(rcb)->rcb_sc.sc_response = relay_back_response_cb; \ |
||||
(rcb)->rcb_sc.sc_cleanup = 0; \ |
||||
+ (rcb)->rcb_sc.sc_writewait = 0; \ |
||||
(rcb)->rcb_sc.sc_private = (op)->o_bd; \ |
||||
(op)->o_callback = (slap_callback *) (rcb); \ |
||||
} |
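Review bot: The initialisation macro sets the callback fields one by one, which is exactly how `sc_writewait` came to be left uninitialised in the first place; zeroing the whole member first (`memset( &(rcb)->rcb_sc, 0, sizeof((rcb)->rcb_sc) );` as the macro's first statement) would make any field added to `slap_callback` later safe by default. The macro's opening line is outside the hunk, so this is based only on the five assignments visible here.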
@@ -0,0 +1,23 @@
|
||||
commit ec2fe743f5795eb7aaf43687e6b257ac071cef22 |
||||
Author: Ryan Tandy <ryan@nardis.ca> |
||||
Date: Wed May 17 20:07:39 2017 -0700 |
||||
|
||||
ITS#8655 fix double free on paged search with pagesize 0 |
||||
|
||||
Fixes a double free when a search includes the Paged Results control |
||||
with a page size of 0 and the search base matches the filter. |
||||
|
||||
diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c |
||||
index 009939d..d0db918 100644 |
||||
--- a/servers/slapd/back-mdb/search.c |
||||
+++ b/servers/slapd/back-mdb/search.c |
||||
@@ -1066,7 +1066,8 @@ notfound: |
||||
/* check size limit */ |
||||
if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) { |
||||
if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) { |
||||
- mdb_entry_return( op, e ); |
||||
+ if (e != base) |
||||
+ mdb_entry_return( op, e ); |
||||
e = NULL; |
||||
send_paged_response( op, rs, &lastid, tentries ); |
||||
goto done; |
@@ -0,0 +1,20 @@
|
||||
use AI_ADDRCONFIG if defined in the environment |
||||
|
||||
Author: Jan Vcelak <jvcelak@redhat.com> |
||||
Upstream ITS: #7326 |
||||
Resolves: #835013 |
||||
|
||||
diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c |
||||
index b31e05d..fa361ab 100644 |
||||
--- a/libraries/libldap/os-ip.c |
||||
+++ b/libraries/libldap/os-ip.c |
||||
@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb, |
||||
|
||||
#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP ) |
||||
memset( &hints, '\0', sizeof(hints) ); |
||||
-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */ |
||||
- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */ |
||||
+#ifdef AI_ADDRCONFIG |
||||
hints.ai_flags = AI_ADDRCONFIG; |
||||
#endif |
||||
hints.ai_family = ldap_int_inet4or6; |
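Review bot: Replacing the `USE_AI_ADDRCONFIG` build switch with a bare `#ifdef AI_ADDRCONFIG` enables the flag wherever the header defines it, which drops the original's stated intent of using it only where known to be needed, and nothing in the code now records the trade-off; add `/* AI_ADDRCONFIG: only return families with a configured interface; some resolvers do not count loopback, so a host with only lo may fail to resolve localhost (upstream ITS#7326) */` above the `#ifdef`. If that loopback-only case matters for local clients, a retry of getaddrinfo without the flag when the first call returns no results would cover it. ldap_connect_to_host continues on both sides of the hunk.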
@@ -0,0 +1,40 @@
|
||||
Compile AllOp together with other overlays. |
||||
|
||||
Author: Matus Honek <mhonek@redhat.com> |
||||
Resolves: #990893 |
||||
|
||||
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in |
||||
--- a/servers/slapd/overlays/Makefile.in |
||||
+++ b/servers/slapd/overlays/Makefile.in |
||||
@@ -33,7 +33,8 @@ SRCS = overlays.c \ |
||||
translucent.c \ |
||||
unique.c \ |
||||
valsort.c \ |
||||
- smbk5pwd.c |
||||
+ smbk5pwd.c \ |
||||
+ allop.c |
||||
OBJS = statover.o \ |
||||
@SLAPD_STATIC_OVERLAYS@ \ |
||||
overlays.o |
||||
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) |
||||
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) |
||||
|
||||
LIBRARY = ../liboverlays.a |
||||
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la |
||||
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la |
||||
|
||||
XINCPATH = -I.. -I$(srcdir)/.. |
||||
XDEFS = $(MODULES_CPPFLAGS) |
||||
@@ -125,6 +126,12 @@ unique.la : unique.lo |
||||
smbk5pwd.la : smbk5pwd.lo |
||||
$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) |
||||
|
||||
+allop.lo : allop.c |
||||
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< |
||||
+ |
||||
+allop.la : allop.lo |
||||
+ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) |
||||
+ |
||||
install-local: $(PROGRAMS) |
||||
@if test -n "$?" ; then \ |
||||
$(MKDIR) $(DESTDIR)$(moduledir); \ |
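Review bot: The new `allop.lo` rule compiles with `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags)` and links with `pkg-config openssl --libs`, which appear to be copied verbatim from the `smbk5pwd` rule directly above it; unless allop actually uses those symbols, the Samba define and the OpenSSL dependency are spurious and pull OpenSSL into a module that does not need it. The plain form the other overlays use, `$(LTCOMPILE_MOD) $<` and `$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS)`, should be enough unless a build log shows otherwise. If the flags are intentional, a one-line comment above the rule saying why would spare the next reader the same question.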
@@ -0,0 +1,17 @@
|
||||
Correct key pointer usage in bdb_idl_fetch_key. |
||||
|
||||
Author: Shogo Matsumoto |
||||
Resolves: #1356165 |
||||
|
||||
diff --git a/servers/slapd/back-bdb/idl.c b/servers/slapd/back-bdb/idl.c |
||||
--- a/servers/slapd/back-bdb/idl.c |
||||
+++ b/servers/slapd/back-bdb/idl.c |
||||
@@ -628,7 +628,7 @@ bdb_idl_fetch_key( |
||||
BDB_DISK2ID( j, i ); |
||||
} |
||||
} |
||||
- rc = cursor->c_get( cursor, key, &data, flags | DB_NEXT_DUP ); |
||||
+ rc = cursor->c_get( cursor, kptr, &data, flags | DB_NEXT_DUP ); |
||||
} |
||||
if ( rc == DB_NOTFOUND ) rc = 0; |
||||
ids[0] = i - ids; |
@@ -0,0 +1,22 @@
|
||||
Skip any empty parameters when parsing command line options. |
||||
This is required because systemd does not expand variables the same way as shell does, |
||||
we need it because of an empty SLAPD_OPTIONS in environment file. |
||||
|
||||
Fedora specific patch. |
||||
|
||||
Author: Jan Vcelak <jvcelak@redhat.com> |
||||
|
||||
diff --git a/servers/slapd/main.c b/servers/slapd/main.c |
||||
index dac4864..83614f4 100644 |
||||
--- a/servers/slapd/main.c |
||||
+++ b/servers/slapd/main.c |
||||
@@ -685,6 +685,10 @@ unhandled_option:; |
||||
} |
||||
} |
||||
|
||||
+ /* skip empty parameters */ |
||||
+ while ( optind < argc && *argv[optind] == '\0' ) |
||||
+ optind += 1; |
||||
+ |
||||
if ( optind != argc ) |
||||
goto unhandled_option; |
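Review bot: The comment on the new loop only restates the code; the actual reason lives in the commit message, so record it where it will be read: `/* Skip empty parameters: systemd passes an unset $SLAPD_OPTIONS through as a literal "" argument instead of dropping it (Fedora-specific) */`. The skip runs only after getopt has finished, so it relies on the empty arguments having been permuted to the end of argv; with POSIXLY_CORRECT set (no permutation) an empty argument placed before real options still stops parsing early, which is probably acceptable for the systemd case but worth stating in the comment. The surrounding option-parsing code is outside the hunk.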
@@ -0,0 +1,54 @@
|
||||
From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001 |
||||
From: Sumit Bose <sbose@redhat.com> |
||||
Date: Tue, 7 May 2013 17:02:57 +0200 |
||||
Subject: [PATCH] LDAPI SASL fix |
||||
|
||||
Resolves: #960222 |
||||
--- |
||||
libraries/libldap/cyrus.c | 19 ++++++++++++++++--- |
||||
1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-) |
||||
|
||||
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c |
||||
index 28c241b..a9acf36 100644 |
||||
--- a/libraries/libldap/cyrus.c |
||||
+++ b/libraries/libldap/cyrus.c |
||||
@@ -394,6 +394,8 @@ ldap_int_sasl_bind( |
||||
struct berval ccred = BER_BVNULL; |
||||
int saslrc, rc; |
||||
unsigned credlen; |
||||
+ char my_hostname[HOST_NAME_MAX + 1]; |
||||
+ int free_saslhost = 0; |
||||
|
||||
Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n", |
||||
mechs ? mechs : "<null>", 0, 0 ); |
||||
@@ -454,14 +456,25 @@ ldap_int_sasl_bind( |
||||
|
||||
/* If we don't need to canonicalize just use the host |
||||
* from the LDAP URI. |
||||
+ * Always use the result of gethostname() for LDAPI. |
||||
*/ |
||||
- if ( nocanon ) |
||||
+ if (ld->ld_defconn->lconn_server->lud_scheme != NULL && |
||||
+ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) { |
||||
+ rc = gethostname(my_hostname, HOST_NAME_MAX + 1); |
||||
+ if (rc == 0) { |
||||
+ saslhost = my_hostname; |
||||
+ } else { |
||||
+ saslhost = "localhost"; |
||||
+ } |
||||
+ } else if ( nocanon ) |
||||
saslhost = ld->ld_defconn->lconn_server->lud_host; |
||||
- else |
||||
+ else { |
||||
saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb, |
||||
"localhost" ); |
||||
+ free_saslhost = 1; |
||||
+ } |
||||
rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost ); |
||||
- if ( !nocanon ) |
||||
+ if ( free_saslhost ) |
||||
LDAP_FREE( saslhost ); |
||||
} |
||||
|
||||
-- |
||||
1.7.11.7 |
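Review bot: `gethostname(my_hostname, HOST_NAME_MAX + 1)` is not guaranteed to NUL-terminate the buffer when the host name is truncated, so `saslhost = my_hostname` can hand an unterminated string to ldap_int_sasl_open; add `my_hostname[HOST_NAME_MAX] = '\0';` inside the `rc == 0` branch. `HOST_NAME_MAX` also needs `<limits.h>` and is not defined on every platform this file builds on, so guard it with a fallback to `_POSIX_HOST_NAME_MAX` or size the buffer from `sysconf(_SC_HOST_NAME_MAX)`. The `lconn_server->lud_scheme` dereference in the new `ldapi` test mirrors the existing `nocanon` branch, so it adds no new assumption, but ldap_int_sasl_bind is cut at both ends of the hunks.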
@@ -0,0 +1,20 @@
|
||||
Disables opening of ldaprc file in current directory. |
||||
|
||||
Resolves: #38402 |
||||
Upstream: ITS #1131 |
||||
Author: Henning Schmiedehausen <hps@intermeta.de> |
||||
|
||||
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c |
||||
index 8617527..e6b17b4 100644 |
||||
--- a/libraries/libldap/init.c |
||||
+++ b/libraries/libldap/init.c |
||||
@@ -352,9 +352,6 @@ static void openldap_ldap_init_w_userconf(const char *file) |
||||
if(path != NULL) { |
||||
LDAP_FREE(path); |
||||
} |
||||
- |
||||
- /* try file */ |
||||
- openldap_ldap_init_w_conf(file, 1); |
||||
} |
||||
|
||||
static void openldap_ldap_init_w_env( |
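Review bot: Dropping the `openldap_ldap_init_w_conf(file, 1)` call leaves the `file` parameter of `openldap_ldap_init_w_userconf` unused and leaves no trace in the code of why the cwd file is skipped; add a comment at the deletion point, `/* ./ldaprc in the current working directory is deliberately not read: client settings must not come from an untrusted cwd (RHBZ #38402) */`, and either drop the parameter or mark it unused. The ldap.conf man page hunk further down this page still lists `./$LDAPRC` as read, so if `openldap_ldap_init_w_env` keeps opening a cwd-relative `$LDAPRC` the same exposure remains whenever that variable is set; that path is outside this hunk, so confirm it before considering the bug closed.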
@@ -0,0 +1,25 @@
|
||||
This patch makes clear what is the actual behavior in RHEL due to bug #38402. |
||||
|
||||
Author: Matus Honek <mhonek@redhat.com> |
||||
Resolves: #1498841 |
||||
|
||||
--- a/doc/man/man5/ldap.conf.5 |
||||
+++ b/doc/man/man5/ldap.conf.5 |
||||
@@ -25,7 +25,7 @@ in their home directory which will be used to override the system-wide |
||||
defaults file. |
||||
The file |
||||
.I ldaprc |
||||
-in the current working directory is also used. |
||||
+in the current working directory is \fBNOT\fP used (this differs from upstream). |
||||
.LP |
||||
.LP |
||||
Additional configuration files can be specified using |
||||
@@ -50,7 +50,7 @@ Thus the following files and variables are read, in order: |
||||
.nf |
||||
variable $LDAPNOINIT, and if that is not set: |
||||
system file ETCDIR/ldap.conf, |
||||
- user files $HOME/ldaprc, $HOME/.ldaprc, ./ldaprc, |
||||
+ user files $HOME/ldaprc, $HOME/.ldaprc, (\fBNOT\fP ./ldaprc, see above), |
||||
system file $LDAPCONF, |
||||
user files $HOME/$LDAPRC, $HOME/.$LDAPRC, ./$LDAPRC, |
||||
variables $LDAP<uppercase option name>. |
@@ -0,0 +1,22 @@
|
||||
fix: SASL_NOCANON option missing in ldap.conf manual page |
||||
|
||||
Author: Jan Vcelak <jvcelak@redhat.com> |
||||
Upstream ITS: #7177 |
||||
Resolves: #732915 |
||||
|
||||
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 |
||||
index 51f774f..5f17122 100644 |
||||
--- a/doc/man/man5/ldap.conf.5 |
||||
+++ b/doc/man/man5/ldap.conf.5 |
||||
@@ -284,6 +284,9 @@ description). The default is |
||||
specifies the maximum security layer receive buffer |
||||
size allowed. 0 disables security layers. The default is 65536. |
||||
.RE |
||||
+.TP |
||||
+.B SASL_NOCANON <on/true/yes/off/false/no> |
||||
+Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off. |
||||
.SH GSSAPI OPTIONS |
||||
If OpenLDAP is built with Generic Security Services Application Programming Interface support, |
||||
there are more options you can specify. |
||||
-- |
||||
1.7.6.5 |
@@ -0,0 +1,52 @@
|
||||
From f7027b3118ea90d616d0ddeeb348f15ba91cd08b Mon Sep 17 00:00:00 2001 |
||||
From: Jan Synacek <jsynacek@redhat.com> |
||||
Date: Wed, 13 Nov 2013 13:34:06 +0100 |
||||
Subject: [PATCH] Fix client manpage |
||||
|
||||
--- |
||||
doc/man/man5/ldap.conf.5 | 18 ++++++++---------- |
||||
1 file changed, 8 insertions(+), 10 deletions(-) |
||||
|
||||
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 |
||||
index 7f5bc64..bef0672 100644 |
||||
--- a/doc/man/man5/ldap.conf.5 |
||||
+++ b/doc/man/man5/ldap.conf.5 |
||||
@@ -431,8 +431,8 @@ The environment variable RANDFILE can also be used to specify the filename. |
||||
This parameter is ignored with GnuTLS and Mozilla NSS. |
||||
.TP |
||||
.B TLS_REQCERT <level> |
||||
-Specifies what checks to perform on server certificates in a TLS session, |
||||
-if any. The |
||||
+Specifies what checks to perform on server certificates in a TLS session. |
||||
+The |
||||
.B <level> |
||||
can be specified as one of the following keywords: |
||||
.RS |
||||
@@ -441,19 +441,17 @@ can be specified as one of the following keywords: |
||||
The client will not request or check any server certificate. |
||||
.TP |
||||
.B allow |
||||
-The server certificate is requested. If no certificate is provided, |
||||
-the session proceeds normally. If a bad certificate is provided, it will |
||||
+The server certificate is requested. If a bad certificate is provided, it will |
||||
be ignored and the session proceeds normally. |
||||
.TP |
||||
.B try |
||||
-The server certificate is requested. If no certificate is provided, |
||||
-the session proceeds normally. If a bad certificate is provided, |
||||
-the session is immediately terminated. |
||||
+The server certificate is requested. If a bad certificate is provided, the |
||||
+session is immediately terminated. |
||||
.TP |
||||
.B demand | hard |
||||
-These keywords are equivalent. The server certificate is requested. If no |
||||
-certificate is provided, or a bad certificate is provided, the session |
||||
-is immediately terminated. This is the default setting. |
||||
+These keywords are equivalent and semantically same as |
||||
+.BR try . |
||||
+This is the default setting. |
||||
.RE |
||||
.TP |
||||
.B TLS_CRLCHECK <level> |
||||
-- |
||||
1.8.3.1 |
@@ -0,0 +1,72 @@
|
||||
Various manual pages changes: |
||||
* removes LIBEXECDIR from slapd.8 |
||||
* removes references to non-existing manpages (bz 624616) |
||||
|
||||
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 |
||||
index 3def6da..466c772 100644 |
||||
--- a/doc/man/man1/ldapmodify.1 |
||||
+++ b/doc/man/man1/ldapmodify.1 |
||||
@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error. |
||||
.BR ldap_add_ext (3), |
||||
.BR ldap_delete_ext (3), |
||||
.BR ldap_modify_ext (3), |
||||
-.BR ldap_modrdn_ext (3), |
||||
-.BR ldif (5). |
||||
+.BR ldif (5) |
||||
.SH AUTHOR |
||||
The OpenLDAP Project <http://www.openldap.org/> |
||||
.SH ACKNOWLEDGEMENTS |
||||
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 |
||||
index cfde143..63592cb 100644 |
||||
--- a/doc/man/man5/ldap.conf.5 |
||||
+++ b/doc/man/man5/ldap.conf.5 |
||||
@@ -317,6 +317,7 @@ certificates in separate individual files. The |
||||
.B TLS_CACERT |
||||
is always used before |
||||
.B TLS_CACERTDIR. |
||||
+The specified directory must be managed with the OpenSSL c_rehash utility. |
||||
This parameter is ignored with GnuTLS. |
||||
|
||||
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key |
||||
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 |
||||
index b739f4d..e2a1a00 100644 |
||||
--- a/doc/man/man8/slapd.8 |
||||
+++ b/doc/man/man8/slapd.8 |
||||
@@ -5,7 +5,7 @@ |
||||
.SH NAME |
||||
slapd \- Stand-alone LDAP Daemon |
||||
.SH SYNOPSIS |
||||
-.B LIBEXECDIR/slapd |
||||
+.B slapd |
||||
[\c |
||||
.BR \-4 | \-6 ] |
||||
[\c |
||||
@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type: |
||||
.LP |
||||
.nf |
||||
.ft tt |
||||
- LIBEXECDIR/slapd |
||||
+ slapd |
||||
.ft |
||||
.fi |
||||
.LP |
||||
@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type: |
||||
.LP |
||||
.nf |
||||
.ft tt |
||||
- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 |
||||
+ slapd -f /var/tmp/slapd.conf -d 255 |
||||
.ft |
||||
.fi |
||||
.LP |
||||
@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type: |
||||
.LP |
||||
.nf |
||||
.ft tt |
||||
- LIBEXECDIR/slapd \-Tt |
||||
+ slapd -Tt |
||||
.ft |
||||
.fi |
||||
.LP |
||||
-- |
||||
1.8.1.4 |
@@ -0,0 +1,24 @@
|
||||
A mutex lock might not get unlocked when plausible |
||||
|
||||
In the preceding if-statement a mutex may get locked. This is unlocked on |
||||
'done' label, but not called when plausible. Based on the current code logic |
||||
this seems to not be able to happen, but might when code gets changed at |
||||
some point in time. This patch fixes the issue. |
||||
|
||||
The issue was found by Coverity scan |
||||
http://cov01.lab.eng.brq.redhat.com/covscanhub/waiving/11054/38577/ |
||||
|
||||
Author: Matus Honek <mhonek@redhat.com> |
||||
Resolves: #1261003 |
||||
|
||||
--- a/servers/slapd/overlays/accesslog.c |
||||
+++ b/servers/slapd/overlays/accesslog.c |
||||
@@ -1519,7 +1519,7 @@ static int accesslog_response(Operation *op, SlapReply *rs) { |
||||
|
||||
/* ignore these internal reads */ |
||||
if (( lo->mask & LOG_OP_READS ) && op->o_do_not_cache ) { |
||||
- return SLAP_CB_CONTINUE; |
||||
+ goto done; |
||||
} |
||||
|
||||
if ( li->li_success && rs->sr_err != LDAP_SUCCESS ) |
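Review bot: The early `return SLAP_CB_CONTINUE` becomes `goto done`, but the `done:` label and what it returns are outside the hunk; the change is only equivalent if that path yields SLAP_CB_CONTINUE for this case and does nothing else that an internal read must skip, such as writing the log entry. A one-line comment on the goto, `/* release the mutex taken above via done: rather than returning directly */`, would record the Coverity finding that motivated it. accesslog_response continues past the hunk on both sides.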
@@ -0,0 +1,42 @@
|
||||
Include sha2 module |
||||
|
||||
Author: Matus Honek <mhonek@redhat.com> |
||||
|
||||
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in |
||||
--- a/servers/slapd/overlays/Makefile.in |
||||
+++ b/servers/slapd/overlays/Makefile.in |
||||
@@ -35,7 +35,8 @@ SRCS = overlays.c \ |
||||
unique.c \ |
||||
valsort.c \ |
||||
smbk5pwd.c \ |
||||
- allop.c |
||||
+ allop.c \ |
||||
+ sha2.c slapd-sha2.c |
||||
OBJS = statover.o \ |
||||
@SLAPD_STATIC_OVERLAYS@ \ |
||||
overlays.o |
||||
@@ -55,7 +56,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) |
||||
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) |
||||
|
||||
LIBRARY = ../liboverlays.a |
||||
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la |
||||
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la pw-sha2.la |
||||
|
||||
XINCPATH = -I.. -I$(srcdir)/.. |
||||
XDEFS = $(MODULES_CPPFLAGS) |
||||
@@ -139,6 +140,15 @@ allop.lo : allop.c |
||||
allop.la : allop.lo |
||||
$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) |
||||
|
||||
+sha2.lo : sha2.c |
||||
+ $(LTCOMPILE_MOD) $< |
||||
+ |
||||
+slapd-sha2.lo : slapd-sha2.c |
||||
+ $(LTCOMPILE_MOD) $< |
||||
+ |
||||
+pw-sha2.la : sha2.lo slapd-sha2.lo |
||||
+ $(LTLINK_MOD) -module -o $@ $? version.lo $(LINK_LIBS) |
||||
+ |
||||
install-local: $(PROGRAMS) |
||||
@if test -n "$?" ; then \ |
||||
$(MKDIR) $(DESTDIR)$(moduledir); \ |
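Review bot: The `pw-sha2.la` recipe links `$?`, which expands to only the prerequisites newer than the target, so after an incremental change to just `slapd-sha2.c` the module is relinked without `sha2.lo` and the hash primitives go missing from it; name the objects explicitly as the sibling rules do: `$(LTLINK_MOD) -module -o $@ sha2.lo slapd-sha2.lo version.lo $(LINK_LIBS)`. Adding both sources to `SRCS` on one line also breaks the one-file-per-line layout of the rest of the list; `sha2.c \` and `slapd-sha2.c` on separate lines keeps future diffs minimal.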
@@ -0,0 +1,35 @@
|
||||
Correct log levels in ppolicy overlay. |
||||
|
||||
Author: Matus Honek <mhonek@redhat.com> |
||||
Resolves: #1356158 |
||||
|
||||
diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c |
||||
--- a/servers/slapd/overlays/ppolicy.c |
||||
+++ b/servers/slapd/overlays/ppolicy.c |
||||
@@ -643,7 +643,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE |
||||
if ((mod = lt_dlopen( pp->pwdCheckModule )) == NULL) { |
||||
err = lt_dlerror(); |
||||
|
||||
- Debug(LDAP_DEBUG_ANY, |
||||
+ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING, |
||||
"check_password_quality: lt_dlopen failed: (%s) %s.\n", |
||||
pp->pwdCheckModule, err, 0 ); |
||||
ok = LDAP_OTHER; /* internal error */ |
||||
@@ -658,7 +658,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE |
||||
if ((prog = lt_dlsym( mod, "check_password" )) == NULL) { |
||||
err = lt_dlerror(); |
||||
|
||||
- Debug(LDAP_DEBUG_ANY, |
||||
+ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING, |
||||
"check_password_quality: lt_dlsym failed: (%s) %s.\n", |
||||
pp->pwdCheckModule, err, 0 ); |
||||
ok = LDAP_OTHER; |
||||
@@ -667,7 +667,7 @@ check_password_quality( struct berval *cred, PassPolicy *pp, LDAPPasswordPolicyE |
||||
ok = prog( ptr, txt, e ); |
||||
ldap_pvt_thread_mutex_unlock( &chk_syntax_mutex ); |
||||
if (ok != LDAP_SUCCESS) { |
||||
- Debug(LDAP_DEBUG_ANY, |
||||
+ Log3(LDAP_DEBUG_ANY, LDAP_LEVEL_WARNING, |
||||
"check_password_quality: module error: (%s) %s.[%d]\n", |
||||
pp->pwdCheckModule, *txt ? *txt : "", ok ); |
||||
} |
@@ -0,0 +1,33 @@
|
||||
The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for |
||||
example if libldap needs to be initialized from within gethostbyXXXX() (which |
||||
actually happens if nss_ldap is used for hostname resolution and earlier |
||||
modules can't resolve the local host name), so use the reentrant versions of |
||||
the functions, even if we're not being compiled for use in libldap_r |
||||
|
||||
Resolves: #179730 |
||||
Author: Jeffery Layton <jlayton@redhat.com> |
||||
|
||||
diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c |
||||
index 373c81c..a012062 100644 |
||||
--- a/libraries/libldap/util-int.c |
||||
+++ b/libraries/libldap/util-int.c |
||||
@@ -52,8 +52,8 @@ extern int h_errno; |
||||
#ifndef LDAP_R_COMPILE |
||||
# undef HAVE_REENTRANT_FUNCTIONS |
||||
# undef HAVE_CTIME_R |
||||
-# undef HAVE_GETHOSTBYNAME_R |
||||
-# undef HAVE_GETHOSTBYADDR_R |
||||
+/* # undef HAVE_GETHOSTBYNAME_R */ |
||||
+/* # undef HAVE_GETHOSTBYADDR_R */ |
||||
|
||||
#else |
||||
# include <ldap_pvt_thread.h> |
||||
@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod) |
||||
#define BUFSTART (1024-32) |
||||
#define BUFMAX (32*1024-32) |
||||
|
||||
-#if defined(LDAP_R_COMPILE) |
||||
+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R) |
||||
static char *safe_realloc( char **buf, int len ); |
||||
|
||||
#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)) |
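Review bot: The new condition `defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)` mixes `||` and `&&` without parentheses; precedence gives the intended grouping, but `-Wparentheses` flags it and a reader has to stop to check, so write `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))`. The two `#undef` lines are commented out rather than removed, leaving dead text behind; delete them and put the rationale from the commit message in their place: `/* keep the _r resolver functions even in non-threaded builds: the non-reentrant ones deadlock when libldap is initialised from inside gethostby*() via nss_ldap (RHBZ #179730) */`.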
@@ -0,0 +1,61 @@
|
||||
Compile smbk5pwd together with other overlays. |
||||
|
||||
Author: Jan Šafránek <jsafrane@redhat.com> |
||||
Resolves: #550895 |
||||
|
||||
Update to link against OpenSSL |
||||
|
||||
Author: Jan Vcelak <jvcelak@redhat.com> |
||||
Resolves: #841560 |
||||
|
||||
diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README |
||||
index f20ad94..b6433ff 100644 |
||||
--- a/contrib/slapd-modules/smbk5pwd/README |
||||
+++ b/contrib/slapd-modules/smbk5pwd/README |
||||
@@ -1,3 +1,8 @@ |
||||
+****************************************************************************** |
||||
+Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module |
||||
+is compiled only with Samba features in Fedora and Red Hat Enterprise Linux. |
||||
+****************************************************************************** |
||||
+ |
||||
This directory contains a slapd overlay, smbk5pwd, that extends the |
||||
PasswordModify Extended Operation to update Kerberos keys and Samba |
||||
password hashes for an LDAP user. |
||||
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in |
||||
index 3af20e8..ef73663 100644 |
||||
--- a/servers/slapd/overlays/Makefile.in |
||||
+++ b/servers/slapd/overlays/Makefile.in |
||||
@@ -33,7 +33,8 @@ SRCS = overlays.c \ |
||||
syncprov.c \ |
||||
translucent.c \ |
||||
unique.c \ |
||||
- valsort.c |
||||
+ valsort.c \ |
||||
+ smbk5pwd.c |
||||
OBJS = statover.o \ |
||||
@SLAPD_STATIC_OVERLAYS@ \ |
||||
overlays.o |
||||
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) |
||||
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) |
||||
|
||||
LIBRARY = ../liboverlays.a |
||||
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ |
||||
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la |
||||
|
||||
XINCPATH = -I.. -I$(srcdir)/.. |
||||
XDEFS = $(MODULES_CPPFLAGS) |
||||
@@ -125,6 +126,12 @@ unique.la : unique.lo |
||||
valsort.la : valsort.lo |
||||
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS) |
||||
|
||||
+smbk5pwd.lo : smbk5pwd.c |
||||
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< |
||||
+ |
||||
+smbk5pwd.la : smbk5pwd.lo |
||||
+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) |
||||
+ |
||||
install-local: $(PROGRAMS) |
||||
@if test -n "$?" ; then \ |
||||
$(MKDIR) $(DESTDIR)$(moduledir); \ |
||||
-- |
||||
1.7.10.4 |
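Review bot: The `smbk5pwd.lo` rule overrides the tree-wide crypto selection for one object with `-UHAVE_MOZNSS -DHAVE_OPENSSL`, so a slapd built against Mozilla NSS loads a module that also links OpenSSL; that is evidently intended (RHBZ #841560) but nothing in the Makefile says so, and the duplicated `$(shell pkg-config openssl ...)` expansions silently become empty when pkg-config is missing, leaving only a confusing link error later. A comment above the rule, `# smbk5pwd is built against OpenSSL regardless of the TLS library the rest of slapd uses (RHBZ #841560)`, and hoisting the two pkg-config calls into a pair of variables near `XDEFS` would make both facts explicit. The README hunk documents the Samba-only build, so the Makefile comment can simply point at it.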
@@ -0,0 +1,14 @@
|
||||
Removes unnecessary linking of SQL libraries into slapd. This makes openldap-servers package |
||||
independent on libodbc. (SQL backend is packaged separately in openldap-servers-sql.) |
||||
|
||||
--- openldap-2.4.24.orig/build/top.mk |
||||
+++ openldap-2.4.24/build/top.mk |
||||
@@ -201,7 +201,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@ |
||||
SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@ |
||||
SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@ |
||||
|
||||
-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) |
||||
+SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) |
||||
|
||||
# Our Defaults |
||||
CC = $(AC_CC) |
@@ -0,0 +1,41 @@
|
||||
From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de> |
||||
Date: Tue, 18 May 2010 17:47:05 +0200 |
||||
Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set. |
||||
|
||||
Proof of concept for fixing http://bugs.debian.org/327585 |
||||
(patch ported from freeradius bug http://bugs.debian.org/416266) |
||||
|
||||
Resolves: #960048 |
||||
--- |
||||
--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200 |
||||
+++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200 |
||||
@@ -117,6 +117,20 @@ |
||||
return -1; /* not found */ |
||||
} |
||||
|
||||
+static lt_dlhandle slapd_lt_dlopenext_global( const char *filename ) |
||||
+{ |
||||
+ lt_dlhandle handle = 0; |
||||
+ lt_dladvise advise; |
||||
+ |
||||
+ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise) |
||||
+ && !lt_dladvise_global (&advise)) |
||||
+ handle = lt_dlopenadvise (filename, advise); |
||||
+ |
||||
+ lt_dladvise_destroy (&advise); |
||||
+ |
||||
+ return handle; |
||||
+} |
||||
+ |
||||
int module_load(const char* file_name, int argc, char *argv[]) |
||||
{ |
||||
module_loaded_t *module; |
||||
@@ -180,7 +194,7 @@ |
||||
* to calling Debug. This is because Debug is a macro that expands |
||||
* into multiple function calls. |
||||
*/ |
||||
- if ((module->lib = lt_dlopenext(file)) == NULL) { |
||||
+ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) { |
||||
error = lt_dlerror(); |
||||
#ifdef HAVE_EBCDIC |
||||
strcpy( ebuf, error ); |
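Review bot: When `lt_dladvise_init` or `lt_dladvise_ext` fails, `slapd_lt_dlopenext_global` returns NULL without ever calling `lt_dlopenadvise`, so the `lt_dlerror()` the caller reads in the `module->lib == NULL` branch may be stale or empty and the failure is misreported as a load error; log the advise failure in the helper or at least note it with `/* NULL here may come from an lt_dladvise_* failure, not from dlopen; lt_dlerror() is then not meaningful */`. `lt_dladvise_destroy` is also called on an `advise` that `lt_dladvise_init` may not have set up; libtool's implementation appears to tolerate that, but initialising `advise` and destroying only after a successful init does not depend on it. Making every loaded module's symbols RTLD_GLOBAL is the point of the patch, but the helper deserves a comment saying that one module's exports can now shadow another's, since that changes behaviour when two modules define the same name.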
@@ -0,0 +1,62 @@
|
||||
allow unsetting of tls_* syncrepl options |
||||
|
||||
Author: Patrick Monnerat <pm@datasphere.ch> |
||||
Upstream ITS: #7042 |
||||
Resolves: #734187 |
||||
|
||||
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c |
||||
index 654a4bf..10b993b 100644 |
||||
--- a/libraries/libldap/tls2.c |
||||
+++ b/libraries/libldap/tls2.c |
||||
@@ -735,27 +735,27 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) |
||||
return 0; |
||||
case LDAP_OPT_X_TLS_CACERTFILE: |
||||
if ( lo->ldo_tls_cacertfile ) LDAP_FREE( lo->ldo_tls_cacertfile ); |
||||
- lo->ldo_tls_cacertfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
+ lo->ldo_tls_cacertfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
return 0; |
||||
case LDAP_OPT_X_TLS_CACERTDIR: |
||||
if ( lo->ldo_tls_cacertdir ) LDAP_FREE( lo->ldo_tls_cacertdir ); |
||||
- lo->ldo_tls_cacertdir = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
+ lo->ldo_tls_cacertdir = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
return 0; |
||||
case LDAP_OPT_X_TLS_CERTFILE: |
||||
if ( lo->ldo_tls_certfile ) LDAP_FREE( lo->ldo_tls_certfile ); |
||||
- lo->ldo_tls_certfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
+ lo->ldo_tls_certfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
return 0; |
||||
case LDAP_OPT_X_TLS_KEYFILE: |
||||
if ( lo->ldo_tls_keyfile ) LDAP_FREE( lo->ldo_tls_keyfile ); |
||||
- lo->ldo_tls_keyfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
+ lo->ldo_tls_keyfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
return 0; |
||||
case LDAP_OPT_X_TLS_DHFILE: |
||||
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile ); |
||||
- lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
+ lo->ldo_tls_dhfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
return 0; |
||||
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ |
||||
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile ); |
||||
- lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
+ lo->ldo_tls_crlfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
return 0; |
||||
case LDAP_OPT_X_TLS_REQUIRE_CERT: |
||||
if ( !arg ) return -1; |
||||
@@ -783,7 +783,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) |
||||
#endif |
||||
case LDAP_OPT_X_TLS_CIPHER_SUITE: |
||||
if ( lo->ldo_tls_ciphersuite ) LDAP_FREE( lo->ldo_tls_ciphersuite ); |
||||
- lo->ldo_tls_ciphersuite = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
+ lo->ldo_tls_ciphersuite = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
return 0; |
||||
|
||||
case LDAP_OPT_X_TLS_PROTOCOL_MIN: |
||||
@@ -794,7 +794,7 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) |
||||
if ( ld != NULL ) |
||||
return -1; |
||||
if ( lo->ldo_tls_randfile ) LDAP_FREE (lo->ldo_tls_randfile ); |
||||
- lo->ldo_tls_randfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
+ lo->ldo_tls_randfile = (arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL; |
||||
break; |
||||
case LDAP_OPT_X_TLS_NEWCTX: |
||||
if ( !arg ) return -1; |
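Review bot: The `(arg && *(char *)arg) ? LDAP_STRDUP( (char *) arg ) : NULL` expression is now repeated for nine options across the three hunks (cacertfile through randfile); a small static helper would keep the free-then-replace sequence and the empty-string-means-unset rule in one place, so a later option cannot drift back to the old `arg ? ... : NULL` form. Each case then collapses to one call, as sketched below for the first option. The enclosing ldap_pvt_tls_set_option begins before the first hunk and continues after the last.
```c
/* Store a copy of a string-valued TLS option; NULL or "" clears it. */
static void
tls_set_string_opt( char **dst, void *arg )
{
	if ( *dst ) LDAP_FREE( *dst );
	*dst = ( arg && *(char *)arg ) ? LDAP_STRDUP( (char *) arg ) : NULL;
}

/* … unchanged: ldap_pvt_tls_set_option preamble … */
	case LDAP_OPT_X_TLS_CACERTFILE:
		tls_set_string_opt( &lo->ldo_tls_cacertfile, arg );
		return 0;
/* … unchanged: remaining string options follow the same pattern … */
```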
@ -0,0 +1,17 @@
@@ -0,0 +1,17 @@
|
||||
Normally, skips reading of user configuration file when running with different effective UID. |
||||
This patch adds the same behavior for GID. |
||||
|
||||
Author: Nalin Dahyabhai <nalin@redhat.com> |
||||
|
||||
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c |
||||
index e6b17b4..fbf4829 100644 |
||||
--- a/libraries/libldap/init.c |
||||
+++ b/libraries/libldap/init.c |
||||
@@ -678,7 +678,7 @@ void ldap_int_initialize( struct ldapoptions *gopts, int *dbglvl ) |
||||
openldap_ldap_init_w_sysconf(LDAP_CONF_FILE); |
||||
|
||||
#ifdef HAVE_GETEUID |
||||
- if ( geteuid() != getuid() ) |
||||
+ if ( geteuid() != getuid() || getegid() != getgid() ) |
||||
return; |
||||
#endif |
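Review bot: The new `getegid()`/`getgid()` calls on the changed line sit under `#ifdef HAVE_GETEUID`, which only establishes that geteuid() is available; if the build has a feature test for the gid functions the condition should include it, otherwise a short comment should record that they are assumed to exist wherever geteuid() does. The rationale also lives only in the patch description, so a comment above the condition would help the next reader: `/* Never read a user-controlled rc file when running setuid or setgid. */`. The enclosing ldap_int_initialize continues outside the hunk.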
@ -0,0 +1,148 @@
@@ -0,0 +1,148 @@
|
||||
# |
||||
# See slapd-config(5) for details on configuration options. |
||||
# This file should NOT be world readable. |
||||
# |
||||
|
||||
dn: cn=config |
||||
objectClass: olcGlobal |
||||
cn: config |
||||
olcArgsFile: /var/run/openldap/slapd.args |
||||
olcPidFile: /var/run/openldap/slapd.pid |
||||
# |
||||
# TLS settings |
||||
# |
||||
olcTLSCACertificatePath: /etc/openldap/certs |
||||
olcTLSCertificateFile: "OpenLDAP Server" |
||||
olcTLSCertificateKeyFile: /etc/openldap/certs/password |
||||
# |
||||
# Do not enable referrals until AFTER you have a working directory |
||||
# service AND an understanding of referrals. |
||||
# |
||||
#olcReferral: ldap://root.openldap.org |
||||
# |
||||
# Sample security restrictions |
||||
# Require integrity protection (prevent hijacking) |
||||
# Require 112-bit (3DES or better) encryption for updates |
||||
# Require 64-bit encryption for simple bind |
||||
# |
||||
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64 |
||||
|
||||
|
||||
# |
||||
# Load dynamic backend modules: |
||||
# - modulepath is architecture dependent value (32/64-bit system) |
||||
# - back_sql.la backend requires openldap-servers-sql package |
||||
# - dyngroup.la and dynlist.la cannot be used at the same time |
||||
# |
||||
|
||||
#dn: cn=module,cn=config |
||||
#objectClass: olcModuleList |
||||
#cn: module |
||||
#olcModulepath: /usr/lib/openldap |
||||
#olcModulepath: /usr/lib64/openldap |
||||
#olcModuleload: accesslog.la |
||||
#olcModuleload: auditlog.la |
||||
#olcModuleload: back_dnssrv.la |
||||
#olcModuleload: back_ldap.la |
||||
#olcModuleload: back_mdb.la |
||||
#olcModuleload: back_meta.la |
||||
#olcModuleload: back_null.la |
||||
#olcModuleload: back_passwd.la |
||||
#olcModuleload: back_relay.la |
||||
#olcModuleload: back_shell.la |
||||
#olcModuleload: back_sock.la |
||||
#olcModuleload: collect.la |
||||
#olcModuleload: constraint.la |
||||
#olcModuleload: dds.la |
||||
#olcModuleload: deref.la |
||||
#olcModuleload: dyngroup.la |
||||
#olcModuleload: dynlist.la |
||||
#olcModuleload: memberof.la |
||||
#olcModuleload: pcache.la |
||||
#olcModuleload: ppolicy.la |
||||
#olcModuleload: refint.la |
||||
#olcModuleload: retcode.la |
||||
#olcModuleload: rwm.la |
||||
#olcModuleload: seqmod.la |
||||
#olcModuleload: smbk5pwd.la |
||||
#olcModuleload: sssvlv.la |
||||
#olcModuleload: syncprov.la |
||||
#olcModuleload: translucent.la |
||||
#olcModuleload: unique.la |
||||
#olcModuleload: valsort.la |
||||
|
||||
|
||||
# |
||||
# Schema settings |
||||
# |
||||
|
||||
dn: cn=schema,cn=config |
||||
objectClass: olcSchemaConfig |
||||
cn: schema |
||||
|
||||
include: file:///etc/openldap/schema/core.ldif |
||||
|
||||
# |
||||
# Frontend settings |
||||
# |
||||
|
||||
dn: olcDatabase=frontend,cn=config |
||||
objectClass: olcDatabaseConfig |
||||
objectClass: olcFrontendConfig |
||||
olcDatabase: frontend |
||||
# |
||||
# Sample global access control policy: |
||||
# Root DSE: allow anyone to read it |
||||
# Subschema (sub)entry DSE: allow anyone to read it |
||||
# Other DSEs: |
||||
# Allow self write access |
||||
# Allow authenticated users read access |
||||
# Allow anonymous users to authenticate |
||||
# |
||||
#olcAccess: to dn.base="" by * read |
||||
#olcAccess: to dn.base="cn=Subschema" by * read |
||||
#olcAccess: to * |
||||
# by self write |
||||
# by users read |
||||
# by anonymous auth |
||||
# |
||||
# if no access controls are present, the default policy |
||||
# allows anyone and everyone to read anything but restricts |
||||
# updates to rootdn. (e.g., "access to * by * read") |
||||
# |
||||
# rootdn can always read and write EVERYTHING! |
||||
# |
||||
|
||||
# |
||||
# Configuration database |
||||
# |
||||
|
||||
dn: olcDatabase=config,cn=config |
||||
objectClass: olcDatabaseConfig |
||||
olcDatabase: config |
||||
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c |
||||
n=auth" manage by * none |
||||
|
||||
# |
||||
# Server status monitoring |
||||
# |
||||
|
||||
dn: olcDatabase=monitor,cn=config |
||||
objectClass: olcDatabaseConfig |
||||
olcDatabase: monitor |
||||
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c |
||||
n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none |
||||
|
||||
# |
||||
# Backend database definitions |
||||
# |
||||
|
||||
dn: olcDatabase=hdb,cn=config |
||||
objectClass: olcDatabaseConfig |
||||
objectClass: olcHdbConfig |
||||
olcDatabase: hdb |
||||
olcSuffix: dc=my-domain,dc=com |
||||
olcRootDN: cn=Manager,dc=my-domain,dc=com |
||||
olcDbDirectory: /var/lib/ldap |
||||
olcDbIndex: objectClass eq,pres |
||||
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub |
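Review bot: The monitor database ACL at `dn: olcDatabase=monitor,cn=config` grants read to the literal `cn=Manager,dc=my-domain,dc=com`, while the hdb section sets the same placeholder as `olcRootDN`; an administrator who changes the suffix or rootdn in the hdb entry will silently lose monitor access unless this line is updated too. A comment above the monitor ACL, e.g. `# keep the Manager DN below in sync with olcRootDN of the data database`, would make the coupling visible. Separately, the hdb database carries no `olcAccess`, so — as the frontend comment in this file itself notes — the default policy lets anyone read everything under the suffix; a one-line comment pointing out that consequence next to `dn: olcDatabase=hdb,cn=config` would help whoever turns this template into a production config.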
@ -0,0 +1,19 @@
@@ -0,0 +1,19 @@
|
||||
[Unit] |
||||
Description=OpenLDAP Server Daemon |
||||
After=syslog.target network-online.target |
||||
Documentation=man:slapd |
||||
Documentation=man:slapd-config |
||||
Documentation=man:slapd-hdb |
||||
Documentation=man:slapd-mdb |
||||
Documentation=file:///usr/share/doc/openldap-servers/guide.html |
||||
|
||||
[Service] |
||||
Type=forking |
||||
PIDFile=/var/run/openldap/slapd.pid |
||||
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS=" |
||||
EnvironmentFile=/etc/sysconfig/slapd |
||||
ExecStartPre=/usr/libexec/openldap/check-config.sh |
||||
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS |
||||
|
||||
[Install] |
||||
WantedBy=multi-user.target |
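Review bot: `After=network-online.target` on its own does not pull the target in; without a matching `Wants=network-online.target` in `[Unit]` the ordering is a no-op on systems where nothing else activates that target, so slapd may start before the network is up and fail to bind the `ldap:///` listener. Add `Wants=network-online.target` next to the `After=` line. `syslog.target` is obsolete in current systemd and can be dropped from `After=` — confirm against the systemd version shipped with the target distribution.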
@ -0,0 +1,15 @@
@@ -0,0 +1,15 @@
|
||||
# OpenLDAP server configuration |
||||
# see 'man slapd' for additional information |
||||
|
||||
# Where the server will run (-h option) |
||||
# - ldapi:/// is required for on-the-fly configuration using client tools |
||||
# (use SASL with EXTERNAL mechanism for authentication) |
||||
# - default: ldapi:/// ldap:/// |
||||
# - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:/// |
||||
SLAPD_URLS="ldapi:/// ldap:///" |
||||
|
||||
# Any custom options |
||||
#SLAPD_OPTIONS="" |
||||
|
||||
# Keytab location for GSSAPI Kerberos authentication |
||||
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" |
@ -0,0 +1,2 @@
@@ -0,0 +1,2 @@
|
||||
# openldap runtime directory for slapd.arg and slapd.pid |
||||
d /var/run/openldap 0755 ldap ldap - |
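Review bot: The comment names `slapd.arg` while the LDIF added in this commit sets `olcArgsFile: /var/run/openldap/slapd.args`; suggest `# openldap runtime directory for slapd.args and slapd.pid`. tmpfiles.d treats `/run` as the canonical location with `/var/run` kept as a compatibility symlink; if this line is ever moved to `/run/openldap`, the `PIDFile=` in the unit file and `olcPidFile`/`olcArgsFile` in the LDIF must move with it, so a comment recording that dependency is useful while it stays on `/var/run`.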