powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity

openldap version update 2.4.46 

Signed-off-by: basebuilder_pel7ppc64lebuilder0 <basebuilder@powerel.org>
master
basebuilder_pel7ppc64lebuilder0 2021-05-26 13:53:49 +02:00
parent f353eab5f9
commit 514409597c
18 changed files with 1030 additions and 524 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
SOURCES/check-password-makefile.patch
View File

@ -3,15 +3,15 @@
@@ -13,22 +13,11 @@
#
CONFIG=/etc/openldap/check_password.conf

-OPT=-g -O2 -Wall -fpic \
- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
- -DCONFIG_FILE="\"$(CONFIG)\"" \
+CFLAGS+=-fpic \
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
-DDEBUG

-DDEBUG
-# Where to find the OpenLDAP headers.
-#
-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
@ -24,18 +24,18 @@
-INCS=$(LDAP_INC) $(CRACK_INC)
-
LDAP_LIB=-lldap_r -llber

# Comment out this line if you do NOT want to use the cracklib.
@@ -45,10 +34,10 @@
all: check_password

check_password.o:
- $(CC) $(OPT) -c $(INCS) check_password.c
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c

check_password: clean check_password.o
- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)

install: check_password
cp -f check_password.so ../../../usr/lib/openldap/modules/
cp -f check_password.so ../../../usr/lib/openldap/modules/

196
SOURCES/check-password.patch
View File

@ -2,33 +2,33 @@
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
@@ -10,7 +10,7 @@
#include <slap.h>

#ifdef HAVE_CRACKLIB
-#include "crack.h"
+#include <crack.h>
#endif

#if defined(DEBUG)
@@ -34,18 +34,77 @@
#define PASSWORD_TOO_SHORT_SZ \
"Password for dn=\"%s\" is too short (%d/6)"
"Password for dn=\"%s\" is too short (%d/6)"
#define PASSWORD_QUALITY_SZ \
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
#define BAD_PASSWORD_SZ \
"Bad password for dn=\"%s\" because %s"
"Bad password for dn=\"%s\" because %s"
+#define UNKNOWN_ERROR_SZ \
+ "An unknown error occurred, please see your systems administrator"

typedef int (*validator) (char*);
-static int read_config_file (char *);
+static int read_config_file ();
static validator valid_word (char *);
static int set_quality (char *);
static int set_cracklib (char *);

int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

+struct config_entry {
+ char* key;
+ char* value;
@ -90,9 +90,9 @@
{
#if defined(DEBUG)
@@ -84,12 +143,12 @@
char * parameter;
validator dealer;
} list[] = { { "minPoints", set_quality },
char * parameter;
validator dealer;
} list[] = { { "minPoints", set_quality },
- { "useCracklib", set_cracklib },
- { "minUpper", set_digit },
- { "minLower", set_digit },
@ -105,49 +105,49 @@
+ { "minDigit", set_digit },
+ { "minPunct", set_digit },
+ { NULL, NULL } };
int index = 0;

int index = 0;
#if defined(DEBUG)
@@ -98,7 +157,7 @@

while (list[index].parameter != NULL) {
if (strlen(word) == strlen(list[index].parameter) &&
while (list[index].parameter != NULL) {
if (strlen(word) == strlen(list[index].parameter) &&
- strcmp(list[index].parameter, word) == 0) {
+ strcmp(list[index].parameter, word) == 0) {
#if defined(DEBUG)
syslog(LOG_NOTICE, "check_password: Parameter accepted.");
syslog(LOG_NOTICE, "check_password: Parameter accepted.");
#endif
@@ -114,13 +173,15 @@
return NULL;
return NULL;
}

-static int read_config_file (char *keyWord)
+static int read_config_file ()
{
FILE * config;
char * line;
int returnValue = -1;

FILE * config;
char * line;
int returnValue = -1;
- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
+ line = ber_memcalloc(260, sizeof(char));
+
+ if ( line == NULL ) {
return returnValue;
}

return returnValue;
}
@@ -133,6 +194,8 @@
return returnValue;
}

return returnValue;
}
+ returnValue = 0;
+
while (fgets(line, 256, config) != NULL) {
char *start = line;
char *word, *value;
while (fgets(line, 256, config) != NULL) {
char *start = line;
char *word, *value;
@@ -145,23 +208,40 @@

while (isspace(*start) && isascii(*start)) start++;

while (isspace(*start) && isascii(*start)) start++;
- if (! isascii(*start))
+ /* If we've got punctuation, just skip the line. */
+ if ( ispunct(*start)) {
@ -155,9 +155,9 @@
+ /* Debug traces to syslog. */
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
+#endif
continue;
continue;
+ }

- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
- if ((value = strtok(NULL, " \t")) == NULL)
- continue;
@ -169,12 +169,12 @@
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
+ while ( keyWord != NULL ) {
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {

#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
#endif

- returnValue = (*dealer)(value);
+ centry[i].value = chomp(value);
+ break;
@ -183,51 +183,51 @@
+ keyWord = centry[i].key;
+ }
+ }
}
}
}
}
-
fclose(config);
ber_memfree(line);
fclose(config);
ber_memfree(line);
+
return returnValue;
return returnValue;
}

@@ -170,7 +250,7 @@
if (curlen < nextlen + MEMORY_MARGIN) {
if (curlen < nextlen + MEMORY_MARGIN) {
#if defined(DEBUG)
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
- curlen, nextlen + MEMORY_MARGIN);
+ curlen, nextlen + MEMORY_MARGIN);
#endif
ber_memfree(*target);
curlen = nextlen + MEMORY_MARGIN;
ber_memfree(*target);
curlen = nextlen + MEMORY_MARGIN;
@@ -180,7 +260,7 @@
return curlen;
return curlen;
}

- int
+int
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
{

@@ -210,20 +290,22 @@
nLen = strlen (pPasswd);
if ( nLen < 6) {
mem_len = realloc_error_message(&szErrStr, mem_len,
nLen = strlen (pPasswd);
if ( nLen < 6) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_TOO_SHORT_SZ) +
- strlen(pEntry->e_name.bv_val) + 1);
+ strlen(PASSWORD_TOO_SHORT_SZ) +
+ strlen(pEntry->e_name.bv_val) + 1);
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
goto fail;
}

sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
goto fail;
}
- /* Read config file */
- minQuality = read_config_file("minPoints");
+ if (read_config_file() == -1) {
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
+ }

- useCracklib = read_config_file("useCracklib");
- minUpper = read_config_file("minUpper");
- minLower = read_config_file("minLower");
@ -239,22 +239,22 @@
+ minLower = get_config_entry_int("minLower");
+ minDigit = get_config_entry_int("minDigit");
+ minPunct = get_config_entry_int("minPunct");

/** The password must have at least minQuality strength points with one
* point for the first occurrance of a lower, upper, digit and
/** The password must have at least minQuality strength points with one
* point for the first occurrance of a lower, upper, digit and
@@ -232,8 +314,6 @@

for ( i = 0; i < nLen; i++ ) {

for ( i = 0; i < nLen; i++ ) {
- if ( nQuality >= minQuality ) break;
-
if ( islower (pPasswd[i]) ) {
minLower--;
if ( !nLower && (minLower < 1)) {
if ( islower (pPasswd[i]) ) {
minLower--;
if ( !nLower && (minLower < 1)) {
@@ -279,12 +359,23 @@
}
}

}
}
- if ( nQuality < minQuality ) {
+ /*
+ * If you have a required field, then it should be required in the strength
@ -268,54 +268,54 @@
+ (minPunct > 0 ) ||
+ (nQuality < minQuality)
+ ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_QUALITY_SZ) +
- strlen(pEntry->e_name.bv_val) + 2);
+ strlen(PASSWORD_QUALITY_SZ) +
+ strlen(pEntry->e_name.bv_val) + 2);
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
- nQuality, minQuality);
+ nQuality, minQuality);
goto fail;
}

goto fail;
}
@@ -306,7 +397,7 @@
for ( j = 0; j < 3; j++ ) {

snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
for ( j = 0; j < 3; j++ ) {
snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
- CRACKLIB_DICTPATH, ext[j]);
+ CRACKLIB_DICTPATH, ext[j]);

if (( fp = fopen ( filename, "r")) == NULL ) {

if (( fp = fopen ( filename, "r")) == NULL ) {
@@ -326,9 +417,9 @@
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
if ( r != NULL ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
if ( r != NULL ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(BAD_PASSWORD_SZ) +
- strlen(pEntry->e_name.bv_val) +
- strlen(r));
+ strlen(BAD_PASSWORD_SZ) +
+ strlen(pEntry->e_name.bv_val) +
+ strlen(r));
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
goto fail;
}
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
goto fail;
}
@@ -342,15 +433,15 @@
}

}
#endif
-
+ dealloc_config_entries();
*ppErrStr = strdup ("");
ber_memfree(szErrStr);
return (LDAP_SUCCESS);

*ppErrStr = strdup ("");
ber_memfree(szErrStr);
return (LDAP_SUCCESS);
fail:
+ dealloc_config_entries();
*ppErrStr = strdup (szErrStr);
ber_memfree(szErrStr);
return (EXIT_FAILURE);

*ppErrStr = strdup (szErrStr);
ber_memfree(szErrStr);
return (EXIT_FAILURE);
}
-

12
SOURCES/ldap.conf
View File

@ -12,7 +12,17 @@
#TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/openldap/certs
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem

# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on


BIN
SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz Normal file
View File

Binary file not shown.

8
SOURCES/openldap-ai-addrconfig.patch
View File

@ -9,12 +9,12 @@ index b31e05d..fa361ab 100644
--- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c
@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,

#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
memset( &hints, '\0', sizeof(hints) );
memset( &hints, '\0', sizeof(hints) );
-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
+#ifdef AI_ADDRCONFIG
hints.ai_flags = AI_ADDRCONFIG;
hints.ai_flags = AI_ADDRCONFIG;
#endif
hints.ai_family = ldap_int_inet4or6;
hints.ai_family = ldap_int_inet4or6;

24
SOURCES/openldap-allop-overlay.patch
View File

@ -1,34 +1,34 @@
Compile AllOp together with other overlays.

Author: Matus Honek <mhonek@redhat.com>
Resolves: #990893
Resolves: #1319782

diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
translucent.c \
unique.c \
valsort.c \
translucent.c \
unique.c \
valsort.c \
- smbk5pwd.c
+ smbk5pwd.c \
+ allop.c
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)

LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la

XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo
smbk5pwd.la : smbk5pwd.lo
$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)

$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+allop.lo : allop.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+
@ -36,5 +36,5 @@ diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefil
+ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \

39
SOURCES/openldap-ldapi-sasl.patch
View File

@ -13,20 +13,20 @@ index 28c241b..a9acf36 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
struct berval ccred = BER_BVNULL;
int saslrc, rc;
unsigned credlen;
struct berval ccred = BER_BVNULL;
int saslrc, rc;
unsigned credlen;
+ char my_hostname[HOST_NAME_MAX + 1];
+ int free_saslhost = 0;

Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
mechs ? mechs : "<null>", 0, 0 );
Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
mechs ? mechs : "<null>", 0, 0 );
@@ -454,14 +456,25 @@ ldap_int_sasl_bind(

/* If we don't need to canonicalize just use the host
* from the LDAP URI.
/* If we don't need to canonicalize just use the host
* from the LDAP URI.
+ * Always use the result of gethostname() for LDAPI.
*/
*/
- if ( nocanon )
+ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
+ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
@ -37,18 +37,19 @@ index 28c241b..a9acf36 100644
+ saslhost = "localhost";
+ }
+ } else if ( nocanon )
saslhost = ld->ld_defconn->lconn_server->lud_host;
- else
saslhost = ld->ld_defconn->lconn_server->lud_host;
- else
+ else {
saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
"localhost" );
saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
"localhost" );
+ free_saslhost = 1;
+ }
rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
- if ( !nocanon )
+ if ( free_saslhost )
LDAP_FREE( saslhost );
}

--
LDAP_FREE( saslhost );
}
--
1.7.11.7


7
SOURCES/openldap-manpages.patch
View File

@ -26,7 +26,7 @@ index cfde143..63592cb 100644
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GnuTLS.

When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index b739f4d..e2a1a00 100644
@ -36,7 +36,7 @@ index b739f4d..e2a1a00 100644
.SH NAME
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
-.B LIBEXECDIR/slapd
-.B LIBEXECDIR/slapd
+.B slapd
[\c
.BR \-4 | \-6 ]
@ -68,5 +68,6 @@ index b739f4d..e2a1a00 100644
.ft
.fi
.LP
--
--
1.8.1.4


227
SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch Normal file
View File

@ -0,0 +1,227 @@
ITS#7595 Add Elliptic Curve support for OpenSSL

Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
Author: Howard Chu <hyc@openldap.org>
Date: Sat Sep 7 09:47:19 2013 -0700

diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 9c72e8296..2311c3096 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -922,6 +922,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B olcTLSECName: <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This is required to enable ECDHE algorithms in
+OpenSSL. This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
.B olcTLSProtocolMin: <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index f504adcf9..ef03e0ad8 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1153,6 +1153,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B TLSECName <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This is required to enable ECDHE algorithms in
+OpenSSL. This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/include/ldap.h b/include/ldap.h
index c245651c2..0964a193e 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_NEWCTX 0x600f
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
+#define LDAP_OPT_X_TLS_ECNAME 0x6012
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 66e04ae80..db7193f4f 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -165,6 +165,7 @@ struct ldaptls {
char *lt_ciphersuite;
char *lt_crlfile;
char *lt_randfile; /* OpenSSL only */
+ char *lt_ecname; /* OpenSSL only */
int lt_protocol_min;
};
#endif
@@ -250,6 +251,7 @@ struct ldapoptions {
#define ldo_tls_certfile ldo_tls_info.lt_certfile
#define ldo_tls_keyfile ldo_tls_info.lt_keyfile
#define ldo_tls_dhfile ldo_tls_info.lt_dhfile
+#define ldo_tls_ecname ldo_tls_info.lt_ecname
#define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index d25c190ea..0451b01af 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = NULL;
}
+ if ( lo->ldo_tls_ecname ) {
+ LDAP_FREE( lo->ldo_tls_ecname );
+ lo->ldo_tls_ecname = NULL;
+ }
if ( lo->ldo_tls_cacertfile ) {
LDAP_FREE( lo->ldo_tls_cacertfile );
lo->ldo_tls_cacertfile = NULL;
@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
__atoe( lts.lt_dhfile );
}
+ if ( lts.lt_ecname ) {
+ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
+ __atoe( lts.lt_ecname );
+ }
#endif
lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
if ( lo->ldo_tls_ctx == NULL ) {
@@ -257,6 +265,7 @@ error_exit:
LDAP_FREE( lts.lt_crlfile );
LDAP_FREE( lts.lt_cacertdir );
LDAP_FREE( lts.lt_dhfile );
+ LDAP_FREE( lts.lt_ecname );
#endif
return rc;
}
@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
*(char **)arg = lo->ldo_tls_dhfile ?
LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
break;
+ case LDAP_OPT_X_TLS_ECNAME:
+ *(char **)arg = lo->ldo_tls_ecname ?
+ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
+ break;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
*(char **)arg = lo->ldo_tls_crlfile ?
LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
+ case LDAP_OPT_X_TLS_ECNAME:
+ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
+ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index f24060b7e..1370923af 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return -1;
}
- if ( lo->ldo_tls_dhfile ) {
- DH *dh = NULL;
+ if ( is_server && lo->ldo_tls_dhfile ) {
+ DH *dh;
BIO *bio;
- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
Debug( LDAP_DEBUG_ANY,
@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
}
BIO_free( bio );
SSL_CTX_set_tmp_dh( ctx, dh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+ DH_free( dh );
+ }
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ if ( is_server && lo->ldo_tls_ecname ) {
+ EC_KEY *ecdh;
+
+ int nid = OBJ_sn2nid( lt->lt_ecname );
+ if ( nid == NID_undef ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use EC name `%s'.\n",
+ lo->ldo_tls_ecname,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ ecdh = EC_KEY_new_by_curve_name( nid );
+ if ( ecdh == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not generate key for EC name `%s'.\n",
+ lo->ldo_tls_ecname,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+ EC_KEY_free( ecdh );
}
+#endif
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 250f14100..8b1e4e582 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -194,6 +194,7 @@ enum {
CFG_ACL_ADD,
CFG_SYNC_SUBENTRY,
CFG_LTHREADS,
+ CFG_TLS_ECNAME,
CFG_LAST
};
@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
#endif
"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ { "TLSECName", NULL, 2, 2, 0,
+#ifdef HAVE_TLS
+ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
+#else
+ ARG_IGNORED, NULL,
+#endif
+ "( OLcfgGlAt:96 NAME 'olcTLSECName' "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "TLSProtocolMin", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
"olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
"olcTLSCACertificatePath $ olcTLSCertificateFile $ "
"olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
+ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
"olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
"olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
"olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
+ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
#ifdef HAVE_GNUTLS
case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
#endif

34
SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch Normal file
View File

@ -0,0 +1,34 @@
ITS#7595 don't try to use EC if OpenSSL lacks it

Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
Author: Howard Chu <hyc@openldap.org>
Date: Sun Sep 8 06:32:23 2013 -0700

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 1a81bc625..71c2b055c 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
DH_free( dh );
}
-#ifdef SSL_OP_SINGLE_ECDH_USE
if ( is_server && lo->ldo_tls_ecname ) {
+#ifdef OPENSSL_NO_EC
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: Elliptic Curves not supported.\n", 0,0,0 );
+ return -1;
+#else
EC_KEY *ecdh;
int nid = OBJ_sn2nid( lt->lt_ecname );
@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
SSL_CTX_set_tmp_ecdh( ctx, ecdh );
SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
EC_KEY_free( ecdh );
- }
#endif
+ }
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );

48
SOURCES/openldap-openssl-manpage-defaultCA.patch Normal file
View File

@ -0,0 +1,48 @@
Reference default system-wide CA certificates in manpages

OpenSSL, unless explicitly configured, uses system-wide default set of CA
certificates.

Author: Matus Honek <mhonek@redhat.com>

diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an
.B ldaps:// URI
is selected (by default or otherwise) or when the application
negotiates TLS by issuing the LDAP StartTLS operation.
+.LP
+When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
+is set, the system-wide default set of CA certificates is used.
.TP
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -801,6 +801,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
+.LP
+When using OpenSSL, if neither \fBolcTLSCACertificateFile\fP nor
+\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
+certificates is used.
.TP
.B olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1032,6 +1032,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
+.LP
+When using OpenSSL, if neither \fBTLSCACertificateFile\fP nor
+\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
+certificates is used.
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.

6
SOURCES/openldap-reentrant-gethostby.patch
View File

@ -19,15 +19,15 @@ index 373c81c..a012062 100644
-# undef HAVE_GETHOSTBYADDR_R
+/* # undef HAVE_GETHOSTBYNAME_R */
+/* # undef HAVE_GETHOSTBYADDR_R */

#else
# include <ldap_pvt_thread.h>
@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
#define BUFSTART (1024-32)
#define BUFMAX (32*1024-32)

-#if defined(LDAP_R_COMPILE)
+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
static char *safe_realloc( char **buf, int len );

#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))

25
SOURCES/openldap-smbk5pwd-overlay.patch
View File

@ -26,28 +26,28 @@ index 3af20e8..ef73663 100644
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
syncprov.c \
translucent.c \
unique.c \
syncprov.c \
translucent.c \
unique.c \
- valsort.c
+ valsort.c \
+ smbk5pwd.c
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)

LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la

XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo
valsort.la : valsort.lo
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)

$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+smbk5pwd.lo : smbk5pwd.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+
@ -55,7 +55,8 @@ index 3af20e8..ef73663 100644
+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \
--
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \
--
1.7.10.4


16
SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
View File

@ -10,9 +10,9 @@ Resolves: #960048
--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200
+++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200
@@ -117,6 +117,20 @@
return -1; /* not found */
return -1; /* not found */
}

+static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
+{
+ lt_dlhandle handle = 0;
@ -29,13 +29,13 @@ Resolves: #960048
+
int module_load(const char* file_name, int argc, char *argv[])
{
module_loaded_t *module;
module_loaded_t *module;
@@ -180,7 +194,7 @@
* to calling Debug. This is because Debug is a macro that expands
* into multiple function calls.
*/
* to calling Debug. This is because Debug is a macro that expands
* into multiple function calls.
*/
- if ((module->lib = lt_dlopenext(file)) == NULL) {
+ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
error = lt_dlerror();
error = lt_dlerror();
#ifdef HAVE_EBCDIC
strcpy( ebuf, error );
strcpy( ebuf, error );

224
SOURCES/openldap-tlso-use-openssl-api-to-verify-host.patch Normal file
View File

@ -0,0 +1,224 @@
From f2978fefa13eb92b73922e49d2f6c12b4f92ea85 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Fri, 10 Jan 2020 18:35:02 +0100
Subject: [PATCH] Use OpenSSL API to verify host

Replace custom hostname and IP address verification with OpenSSL 1.0.2
APIs.
---
libraries/libldap/tls_o.c | 184 ++++++--------------------------------
1 file changed, 28 insertions(+), 156 deletions(-)

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index e52c5507c..5adf7b74f 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -660,25 +660,15 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
return 0;
}
-/* what kind of hostname were we given? */
-#define IS_DNS 0
-#define IS_IP4 1
-#define IS_IP6 2
-
static int
tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
{
tlso_session *s = (tlso_session *)sess;
- int i, ret = LDAP_LOCAL_ERROR;
+ int ret = LDAP_LOCAL_ERROR;
X509 *x;
const char *name;
- char *ptr;
- int ntype = IS_DNS, nlen;
-#ifdef LDAP_PF_INET6
- struct in6_addr addr;
-#else
- struct in_addr addr;
-#endif
+ int flags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
+ ASN1_OCTET_STRING *ip;
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
@@ -687,7 +677,6 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
} else {
name = name_in;
}
- nlen = strlen(name);
x = tlso_get_cert(s);
if (!x) {
@@ -619,150 +619,32 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
return LDAP_SUCCESS;
}
-#ifdef LDAP_PF_INET6
- if (inet_pton(AF_INET6, name, &addr)) {
- ntype = IS_IP6;
- } else
-#endif
- if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
- if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
- }
-
- i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
- if (i >= 0) {
- X509_EXTENSION *ex;
- STACK_OF(GENERAL_NAME) *alt;
-
- ex = X509_get_ext(x, i);
- alt = X509V3_EXT_d2i(ex);
- if (alt) {
- int n, len2 = 0;
- char *domain = NULL;
- GENERAL_NAME *gn;
-
- if (ntype == IS_DNS) {
- domain = strchr(name, '.');
- if (domain) {
- len2 = nlen - (domain-name);
- }
- }
- n = sk_GENERAL_NAME_num(alt);
- for (i=0; i<n; i++) {
- char *sn;
- int sl;
- gn = sk_GENERAL_NAME_value(alt, i);
- if (gn->type == GEN_DNS) {
- if (ntype != IS_DNS) continue;
-
- sn = (char *) ASN1_STRING_data(gn->d.ia5);
- sl = ASN1_STRING_length(gn->d.ia5);
-
- /* ignore empty */
- if (sl == 0) continue;
-
- /* Is this an exact match? */
- if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
- break;
- }
-
- /* Is this a wildcard match? */
- if (domain && (sn[0] == '*') && (sn[1] == '.') &&
- (len2 == sl-1) && !strncasecmp(domain, &sn[1], len2))
- {
- break;
- }
-
- } else if (gn->type == GEN_IPADD) {
- if (ntype == IS_DNS) continue;
-
- sn = (char *) ASN1_STRING_data(gn->d.ia5);
- sl = ASN1_STRING_length(gn->d.ia5);
-
-#ifdef LDAP_PF_INET6
- if (ntype == IS_IP6 && sl != sizeof(struct in6_addr)) {
- continue;
- } else
-#endif
- if (ntype == IS_IP4 && sl != sizeof(struct in_addr)) {
- continue;
- }
- if (!memcmp(sn, &addr, sl)) {
- break;
- }
- }
- }
-
- GENERAL_NAMES_free(alt);
- if (i < n) { /* Found a match */
- ret = LDAP_SUCCESS;
- }
- }
- }
-
- if (ret != LDAP_SUCCESS) {
- X509_NAME *xn;
- X509_NAME_ENTRY *ne;
- ASN1_OBJECT *obj;
- ASN1_STRING *cn = NULL;
- int navas;
-
- /* find the last CN */
- obj = OBJ_nid2obj( NID_commonName );
- if ( !obj ) goto no_cn; /* should never happen */
-
- xn = X509_get_subject_name(x);
- navas = X509_NAME_entry_count( xn );
- for ( i=navas-1; i>=0; i-- ) {
- ne = X509_NAME_get_entry( xn, i );
- if ( !OBJ_cmp( X509_NAME_ENTRY_get_object(ne), obj )) {
- cn = X509_NAME_ENTRY_get_data( ne );
- break;
- }
+ /* attempt to encode name as IP address */
+ ip = a2i_IPADDRESS(name);
+ if (ip == NULL) {
+ ERR_clear_error();
+ /* it's a hostname */
+ if (X509_check_host(x, name, strlen(name), flags, NULL) == 1) {
+ ret = LDAP_SUCCESS;
}
-
- if( !cn )
- {
-no_cn:
- Debug( LDAP_DEBUG_ANY,
- "TLS: unable to get common name from peer certificate.\n",
- 0, 0, 0 );
- ret = LDAP_CONNECT_ERROR;
- if ( ld->ld_error ) {
- LDAP_FREE( ld->ld_error );
- }
- ld->ld_error = LDAP_STRDUP(
- _("TLS: unable to get CN from peer certificate"));
-
- } else if ( cn->length == nlen &&
- strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
+ } else {
+ /* It's an IPv4 or IPv6 address */
+ if (X509_check_ip(x, ASN1_STRING_data(ip),
+ ASN1_STRING_length(ip), 0) == 1) {
ret = LDAP_SUCCESS;
-
- } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
- char *domain = strchr(name, '.');
- if( domain ) {
- int dlen;
-
- dlen = nlen - (domain-name);
-
- /* Is this a wildcard match? */
- if ((dlen == cn->length-1) &&
- !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
- ret = LDAP_SUCCESS;
- }
- }
}
+ ASN1_OCTET_STRING_free(ip);
+ }
- if( ret == LDAP_LOCAL_ERROR ) {
- Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
- "common name in certificate (%.*s).\n",
- name, cn->length, cn->data );
- ret = LDAP_CONNECT_ERROR;
- if ( ld->ld_error ) {
- LDAP_FREE( ld->ld_error );
- }
- ld->ld_error = LDAP_STRDUP(
- _("TLS: hostname does not match CN in peer certificate"));
+ if( ret == LDAP_LOCAL_ERROR ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+ "peer certificate.\n", name, 0, 0);
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
}
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: hostname does not match peer certificate"));
}
X509_free(x);
return ret;

28
SOURCES/slapd.ldif
View File

@ -6,14 +6,25 @@
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: "OpenLDAP Server"
olcTLSCertificateKeyFile: /etc/openldap/certs/password
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by oclTLSCACertificatePath one has to include them explicitly:
#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
#
# Private cert and key are not pregenerated.
#olcTLSCertificateFile:
#olcTLSCertificateKeyFile:
#
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#olcTLSCipherSuite: PROFILE=SYSTEM


#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
@ -88,7 +99,6 @@ include: file:///etc/openldap/schema/core.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
@ -137,10 +147,10 @@ olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
# Backend database definitions
#

dn: olcDatabase=hdb,cn=config
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbDirectory: /var/lib/ldap

6
SOURCES/slapd.service
View File

@ -9,11 +9,9 @@ Documentation=file:///usr/share/doc/openldap-servers/guide.html

[Service]
Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"

[Install]
WantedBy=multi-user.target
Alias=openldap.service

638
SPECS/openldap.spec
View File

@ -4,39 +4,29 @@
%global check_password_version 1.1

Name: openldap
Version: 2.4.44
Release: 13%{?dist}
Version: 2.4.46
Release: 11%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
URL: http://www.openldap.org/

Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
Source1: slapd.service
Source2: slapd.sysconfig
Source3: slapd.tmpfiles
Source4: slapd.ldif
Source5: ldap.conf
Source2: slapd.tmpfiles
Source3: slapd.ldif
Source4: ldap.conf
Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz
Source50: libexec-functions
Source51: libexec-convert-config.sh
Source52: libexec-check-config.sh
Source53: libexec-upgrade-db.sh
Source54: libexec-create-certdb.sh
Source55: libexec-generate-server-cert.sh
Source56: libexec-update-ppolicy-schema.sh

# patches for 2.4
Patch0: openldap-manpages.patch
Patch1: openldap-ppolicy-loglevels.patch
Patch2: openldap-sql-linking.patch
Patch3: openldap-reentrant-gethostby.patch
Patch4: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ldaprc-currentdir.patch
Patch6: openldap-userconfig-setgid.patch
Patch7: openldap-allop-overlay.patch
Patch8: openldap-syncrepl-unset-tls-options.patch
Patch9: openldap-man-sasl-nocanon.patch
Patch10: openldap-ai-addrconfig.patch
Patch2: openldap-reentrant-gethostby.patch
Patch3: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ai-addrconfig.patch
Patch17: openldap-allop-overlay.patch

# fix back_perl problems with lt_dlopen()
# might cause crashes because of symbol collisions
# the proper fix is to link all perl modules against libperl
@ -44,30 +34,17 @@ Patch10: openldap-ai-addrconfig.patch
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
# ldapi sasl fix pending upstream inclusion
Patch20: openldap-ldapi-sasl.patch
# coverity - missin_unlock in servers/slapd/overlays/accesslog.c
Patch21: openldap-missing-unlock-in-accesslog-overlay.patch
Patch23: openldap-module-passwd-sha2.patch
# pending upstream inclusion, ITS #7744
Patch24: openldap-man-tls-reqcert.patch
Patch25: openldap-man-ldap-conf.patch
Patch35: openldap-ITS8428-init-sc_writewait.patch
Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch
Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch
Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
Patch24: openldap-openssl-manpage-defaultCA.patch
Patch25: openldap-tlso-use-openssl-api-to-verify-host.patch

# check-password module specific patches
Patch90: check-password-makefile.patch
Patch91: check-password.patch
Patch92: check-password-loglevels.patch

# MozNSS compatibility layer
Patch101: openldap-tlsmc.patch
# Fedora specific patches
Patch102: openldap-fedora-systemd.patch

BuildRequires: cyrus-sasl-devel, nss-devel, openssl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
Requires: nss-tools
Requires(post): rpm, coreutils, findutils
BuildRequires: cyrus-sasl-devel, openssl-devel, krb5-devel, unixODBC-devel
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-devel, perl(ExtUtils::Embed)

%description
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@ -80,7 +57,6 @@ libraries, and documentation for OpenLDAP.

%package devel
Summary: LDAP development libraries and header files
Group: Development/Libraries
Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}

%description devel
@ -96,13 +72,10 @@ Summary: LDAP server
License: OpenLDAP
Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils
Requires(pre): shadow-utils
Requires(post): systemd, systemd-sysv, chkconfig
Requires(preun): systemd
Requires(postun): systemd
BuildRequires: systemd
%{?systemd_requires}
BuildRequires: libdb-devel
BuildRequires: systemd-units
BuildRequires: cracklib-devel
Group: System Environment/Daemons
# migrationtools (slapadd functionality):
Provides: ldif2ldbm

@ -114,24 +87,9 @@ information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. This package contains the slapd server and related files.

%package servers-sql
Summary: SQL support module for OpenLDAP server
Requires: openldap-servers%{?_isa} = %{version}-%{release}
Group: System Environment/Daemons

%description servers-sql
OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of
protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. This package contains a loadable module which the
slapd server can use to read data from an RDBMS.

%package clients
Summary: LDAP client utilities
Requires: openldap%{?_isa} = %{version}-%{release}
Group: Applications/Internet

%description clients
OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
@ -147,36 +105,19 @@ programs needed for accessing and modifying OpenLDAP directories.

pushd openldap-%{version}

%patch101 -p1

# alternative include paths for Mozilla NSS
ln -s %{_includedir}/nss3 include/nss
ln -s %{_includedir}/nspr4 include/nspr

AUTOMAKE=%{_bindir}/true autoreconf -fi

%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch17 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch25 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1

%patch102 -p1

# build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -185,11 +126,6 @@ mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.s
ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays
mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop
mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5
# build sha2 with other overlays
ln -s ../../../contrib/slapd-modules/passwd/sha2/{sha2.{c,h},slapd-sha2.c} \
servers/slapd/overlays
ls servers/slapd/overlays
mv contrib/slapd-modules/passwd/sha2/README{,.sha2}

mv servers/slapd/back-perl/README{,.back_perl}

@ -204,33 +140,19 @@ popd
pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
%patch90 -p1
%patch91 -p1
%patch92 -p1
popd

%build

%ifarch s390 s390x
export CFLAGS="-fPIE"
%else
export CFLAGS="-fpie"
%endif
export LDFLAGS="-pie"
# avoid stray dependencies (linker flag --as-needed)
# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
export CFLAGS="${CFLAGS} %{optflags} -Wl,-z,relro,-z,now,--as-needed -DLDAP_CONNECTIONLESS"

export CFLAGS="%{optflags} ${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS"
export CXXFLAGS="%{optflags} ${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS"
pushd openldap-%{version}
%configure \
--enable-debug \
--enable-dynamic \
--enable-syslog \
--enable-proctitle \
--enable-ipv6 \
--enable-local \
\
--enable-slapd \
--enable-dynacl \
--enable-aci \
--enable-cleartext \
--enable-crypt \
--enable-lmpasswd \
@ -240,7 +162,6 @@ pushd openldap-%{version}
--enable-rlookups \
--enable-slapi \
--disable-slp \
--enable-wrappers \
\
--enable-backends=mod \
--enable-bdb=yes \
@ -248,13 +169,11 @@ pushd openldap-%{version}
--enable-mdb=yes \
--enable-monitor=yes \
--disable-ndb \
--disable-sql \
\
--enable-overlays=mod \
\
--disable-static \
--enable-shared \
\
--enable-moznss-compatibility=yes \
\
--with-cyrus-sasl \
--without-fetch \
@ -265,12 +184,6 @@ pushd openldap-%{version}
--libexecdir=%{_libdir}

make %{_smp_mflags}

# build mdb_* tools
pushd libraries/liblmdb
export XCFLAGS="$CFLAGS"
make %{_smp_mflags}
popd
popd

pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
@ -285,9 +198,6 @@ mkdir -p %{buildroot}%{_libdir}/

pushd openldap-%{version}
make install DESTDIR=%{buildroot} STRIP=""
pushd libraries/liblmdb
make install DESTDIR=%{buildroot}
popd
popd

# install check_password module
@ -320,31 +230,19 @@ install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap
install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap

# setup autocreation of runtime directories on tmpfs
mkdir -p %{buildroot}%{_tmpfilesdir}/
install -m 0644 %SOURCE3 %{buildroot}%{_tmpfilesdir}/slapd.conf
mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %SOURCE2 %{buildroot}%{_tmpfilesdir}/slapd.conf

# install default ldap.conf (customized)
rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
install -m 0644 %SOURCE5 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
install -m 0644 %SOURCE4 %{buildroot}%{_sysconfdir}/openldap/ldap.conf

# setup maintainance scripts
mkdir -p %{buildroot}%{_libexecdir}
install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
install -m 0755 %SOURCE51 %{buildroot}%{_libexecdir}/openldap/convert-config.sh
install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh
install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh
install -m 0755 %SOURCE56 %{buildroot}%{_libexecdir}/openldap/update-ppolicy-schema.sh

# install mdb_* tools
mv %{buildroot}/usr/local/bin/mdb_{copy,dump,load,stat} %{buildroot}%{_libexecdir}/openldap/
mkdir -p %{buildroot}%{_libexecdir}/openldap/man/man1
mv %{buildroot}/usr/local/share/man/man1/mdb_{copy,dump,load,stat}.1 %{buildroot}%{_libexecdir}/openldap/man/man1/
# we don't want the library itself nor header file
rm -f %{buildroot}/usr/local/include/lmdb.h
rm -f %{buildroot}/usr/local/lib/liblmdb.{a,so}

# remove build root from config files and manual pages
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
@ -358,10 +256,6 @@ rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default
mkdir -p %{buildroot}%{_unitdir}
install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service

# install syconfig/ldap
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
install -m 644 %SOURCE2 %{buildroot}%{_sysconfdir}/sysconfig/slapd

# move slapd out of _libdir
mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/

@ -370,43 +264,41 @@ rm -f %{buildroot}%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done

# re-symlink unversioned libraries, so ldconfig is not confused
pushd %{buildroot}%{_libdir}
v=%{version}
version=$(echo ${v%.[0-9]*})
for lib in liblber libldap libldap_r libslapi; do
rm -f ${lib}.so
ln -s ${lib}-${version}.so.2 ${lib}.so
done
popd

# tweak permissions on the libraries to make sure they're correct
chmod 0755 %{buildroot}%{_libdir}/lib*.so*
chmod 0644 %{buildroot}%{_libdir}/lib*.*a

# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
# new configuration will be generated in %%post
mkdir -p %{buildroot}%{_datadir}
install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
install -m 0644 %SOURCE4 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
install -m 0750 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
install -m 0644 %SOURCE3 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif

# move doc files out of _sysconfdir
mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh
chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example

# remove files which we don't want packaged
rm -f %{buildroot}%{_libdir}/*.la
mv %{buildroot}%{_libdir}/openldap/check_password.so{,.tmp}
rm -f %{buildroot}%{_libdir}/openldap/*.so
mv %{buildroot}%{_libdir}/openldap/check_password.so{.tmp,}
rm -f %{buildroot}%{_libdir}/*.la # because we do not want files in %{_libdir}/openldap/ removed, yet

rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
rmdir %{buildroot}%{_localstatedir}/openldap-data

%post
# create certificate database
%{_libexecdir}/openldap/create-certdb.sh >&/dev/null || :

%postun
#update only on package erase
if [ $1 == 0 ]; then
/sbin/ldconfig
fi
%pre -p /sbin/ldconfig
%post -p /sbin/ldconfig

%pre servers

@ -430,22 +322,17 @@ exit 0


%post servers

/sbin/ldconfig -n %{_libdir}/openldap

%systemd_post slapd.service

# generate sample TLS certificate for server (will not replace)
%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || :

# generate/upgrade configuration
if [ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then
if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
%{_libexecdir}/openldap/convert-config.sh &>/dev/null
mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
else
%{_libexecdir}/openldap/convert-config.sh -f %{_datadir}/openldap-servers/slapd.ldif &>/dev/null
fi
# generate configuration if necessary
if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
! -f %{_sysconfdir}/openldap/slapd.conf
]]; then
# if there is no configuration available, generate one from the defaults
mkdir -p %{_sysconfdir}/openldap/slapd.d/ &>/dev/null || :
/usr/sbin/slapadd -F %{_sysconfdir}/openldap/slapd.d/ -n0 -l %{_datadir}/openldap-servers/slapd.ldif
chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d/
%{systemctl_bin} try-restart slapd.service &>/dev/null
fi

start_slapd=0
@ -461,39 +348,6 @@ if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then
rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap
fi

# ensure ppolicy schema updated (bug #1487857)
if [ $1 -eq 2 ]; then
if [ -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then
%{_libexecdir}/openldap/update-ppolicy-schema.sh &>/dev/null
fi
fi

# conversion from /etc/sysconfig/ldap to /etc/sysconfig/slapd
if [ $1 -eq 2 ]; then
# we expect that 'ldap' will be renamed to 'ldap.rpmsave' after removing the old package
if [ -r %{_sysconfdir}/sysconfig/ldap ]; then
source %{_sysconfdir}/sysconfig/ldap &>/dev/null

new_urls=
[ "$SLAPD_LDAP" != "no" ] && new_urls="$new_urls ldap:///"
[ "$SLAPD_LDAPI" != "no" ] && new_urls="$new_urls ldapi:///"
[ "$SLAPD_LDAPS" == "yes" ] && new_urls="$new_urls ldaps:///"
[ -n "$SLAPD_URLS" ] && new_urls="$new_urls $SLAPD_URLS"

failure=0
cp -f %{_sysconfdir}/sysconfig/slapd %{_sysconfdir}/sysconfig/slapd.rpmconvert
sed -i '/^#\?SLAPD_URLS=/s@.*@SLAPD_URLS="'"$new_urls"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1
[ -n "$SLAPD_OPTIONS" ] && \
sed -i '/^#\?SLAPD_OPTIONS=/s@.*$@SLAPD_OPTIONS="'"$SLAPD_OPTIONS"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1

if [ $failure -eq 0 ]; then
mv -f %{_sysconfdir}/sysconfig/slapd.rpmconvert %{_sysconfdir}/sysconfig/slapd
else
rm -f %{_sysconfdir}/sysconfig/slapd.rpmconvert
fi
fi
fi

# restart after upgrade
if [ $1 -ge 1 ]; then
if [ $start_slapd -eq 1 ]; then
@ -506,24 +360,11 @@ fi
exit 0

%preun servers

%systemd_preun slapd.service


%postun servers

/sbin/ldconfig ${_libdir}/openldap
%systemd_postun_with_restart slapd.service


%triggerun servers -- openldap-servers < 2.4.26-6

# migration from SysV to systemd
/usr/bin/systemd-sysv-convert --save slapd &>/dev/null || :
/usr/sbin/chkconfig --del slapd &>/dev/null || :
%{systemctl_bin} try-restart slapd.service &>/dev/null || :


%triggerin servers -- libdb

# libdb upgrade (setup for %%triggerun)
@ -562,14 +403,13 @@ exit 0
%files
%doc openldap-%{version}/ANNOUNCEMENT
%doc openldap-%{version}/CHANGES
%doc openldap-%{version}/COPYRIGHT
%doc openldap-%{version}/LICENSE
%license openldap-%{version}/COPYRIGHT
%license openldap-%{version}/LICENSE
%doc openldap-%{version}/README
%dir %{_sysconfdir}/openldap
%dir %{_sysconfdir}/openldap/certs
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
%dir %{_libexecdir}/openldap/
%{_libexecdir}/openldap/create-certdb.sh
%{_libdir}/liblber-2.4*.so.*
%{_libdir}/libldap-2.4*.so.*
%{_libdir}/libldap_r-2.4*.so.*
@ -588,9 +428,8 @@ exit 0
%doc README.schema
%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
%config(noreplace) %{_sysconfdir}/openldap/schema
%config(noreplace) %{_sysconfdir}/sysconfig/slapd
%config(noreplace) %{_tmpfilesdir}/slapd.conf
%config(noreplace) %{_sysconfdir}/openldap/check_password.conf
%{_tmpfilesdir}/slapd.conf
%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
%{_unitdir}/slapd.service
@ -620,7 +459,6 @@ exit 0
%{_libdir}/openldap/retcode*
%{_libdir}/openldap/rwm*
%{_libdir}/openldap/seqmod*
%{_libdir}/openldap/pw-sha2*
%{_libdir}/openldap/smbk5pwd*
%{_libdir}/openldap/sssvlv*
%{_libdir}/openldap/syncprov*
@ -629,25 +467,14 @@ exit 0
%{_libdir}/openldap/valsort*
%{_libdir}/openldap/check_password*
%{_libexecdir}/openldap/functions
%{_libexecdir}/openldap/convert-config.sh
%{_libexecdir}/openldap/check-config.sh
%{_libexecdir}/openldap/upgrade-db.sh
%{_libexecdir}/openldap/generate-server-cert.sh
%{_libexecdir}/openldap/update-ppolicy-schema.sh
%{_libexecdir}/openldap/mdb_*
%{_libexecdir}/openldap/man/man1/mdb_*
%{_sbindir}/sl*
%{_mandir}/man8/*
%{_mandir}/man5/slapd*.5*
%{_mandir}/man5/slapo-*.5*
# obsolete configuration
%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf.bak

%files servers-sql
%doc openldap-%{version}/servers/slapd/back-sql/docs/*
%doc openldap-%{version}/servers/slapd/back-sql/rdbms_depend
%{_libdir}/openldap/back_sql*

%files clients
%{_bindir}/*
@ -660,165 +487,290 @@ exit 0
%{_mandir}/man3/*

%changelog
* Wed Jan 31 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-13
- MozNSS Compat. Layer: fix recursive directory deletion (#1516409)
- MozNSS Compat. Layer: fix PIN disclaimer not always shown (#1516409)
- MozNSS Compat. Layer: fix incorrect parsing of CACertDir (#1533955)
* Wed Jan 15 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-11
- Use OpenSSL-1.0.2+ API for host name verification (#1788572)

* Thu Jan 11 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-12
- MozNSS Compat. Layer: Ensure consistency of a PEM dir before usage (#1516409)
+ Warn just before use of a PIN about key file extraction
* Sun Aug 18 2019 Matus Honek <mhonek@redhat.com> - 2.4.46-10
- Do not fallback to checking CN when no SAN matched (#1740070)

* Wed Jan 10 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-11
- MozNSS Compat. Layer: Enable usage of NSS DB with PEM cert/key (#1525485)
+ Fix a possible invalid dereference (covscan)
* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
- Reference default system-wide CA certificates in manpages (#1611624)

* Tue Nov 28 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-10
- Drop update-ppolicy-schema.sh scriptlet's output (#1487857)
- Fix issues in MozNSS compatibility layer (#1400578)
* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623497)

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

* Fri Jul 6 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-6
- Build with LDAP_USE_NON_BLOCKING_TLS (#1594928)
- Remove unused leftover MozNSS Compat. Layer references (cont.) (#1557967)

* Fri Jul 06 2018 Petr Pisar <ppisar@redhat.com> - 2.4.46-5
- Perl 5.28 rebuild

* Wed Jul 4 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-4
- Remove unused leftover MozNSS Compat. Layer references (#1557967)

* Wed Jul 4 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-3
- MozNSS Compat. Layer: Make log messages more clear (#1598103)
- MozNSS Compat. Layer: Fix memleaks reported by valgrind (#1595203)

* Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.46-2
- Perl 5.28 rebuild
- MozNSS Compat. Layer: Fix typos, and spelling in the README file header (#1564161)

* Tue Mar 27 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-1
- Rebase to version OpenLDAP 2.4.46 (#1559652)

* Mon Mar 5 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-14
- Utilize system-wide crypto-policies (#1483979)

* Thu Mar 1 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-13
- fix: openldap does not use Fedora build flags
+ makes use of redhat-rpm-config package
- Drop superfluous back-sql linking patch

* Wed Feb 28 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-12
- MozNSS Compat. Layer: fix: libldap tlsmc continues even after it fails to extract CA certificates (#1550110)

* Wed Feb 21 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-11
- TLS: Use system trusted CA store by default (#1270678, #1537259)

* Sun Feb 11 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-10
- Complete change: Disable TLSMC in F29+

* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.45-9
- Escape macros in %%changelog
- Disable TLSMC in F29+
- Remove obsolete Group tag
- Don't call ldconfig in servers subpackage
- Switch to %%ldconfig_scriptlets
- Remove unneeded Requires(post): systemd-sysv, chkconfig
- Switch to %%systemd_requires
- Change BuildRequires: systemd-units to systemd

* Wed Feb 7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-8
- Drop TCP wrappers support (#1531487)

* Wed Feb 7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-7
- MozNSS Compat. Layer fixes (#1400570)
- fix incorrect parsing of CACertDir (orig. #1533955)
- fix PIN disclaimer not always shown (orig. #1516409)
- fix recursive directory deletion (orig. #1516409)
- Ensure consistency of a PEM dir before usage (orig. #1516409)
+ Warn just before use of a PIN about key file extraction
- Enable usage of NSS DB with PEM cert/key (orig. #1525485)
+ Fix a possible invalid dereference (covscan)

* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.45-6
- Rebuilt for switch to libxcrypt

* Wed Dec 6 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-5
- Fix issues in MozNSS compatibility layer (#1400570)
+ Force write file with fsync to avoid race conditions
+ Always filestamp both sql and dbm NSS DB variants to not rely on default DB type prefix
+ Allow missing cert and key which is a valid usecase
+ Create extraction folder only in /tmp to simplify selinux rules
+ Fix Covscan issues

* Fri Nov 3 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-9
- Build with OpenSSL and MozNSS compatibility layer instead of MozNSS (#1400578)
* Fri Nov 3 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-4
- Build with OpenSSL with MozNSS compatibility layer (#1400570)

* Thu Nov 2 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-8
- fix: Upgrading to OpenLDAP >= 2.4.43 breaks server due to ppolicy changes (#1487857)
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

* Thu Nov 2 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7
- fix: Manpage incorrectly states ./ldaprc config file is used (#1498841)
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

* Thu Nov 2 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-6
- fix: Upgrading openldap-servers does not restart slapd when rebasing (#1479309)
* Fri Jul 7 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-1
- Rebase to version 2.4.45 (#1458081)
* fixes CVE-2017-9287 (#1456712, #1456713)
- Update the 'sources' file with new SHA512 hashes

* Tue Jun 6 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-5
- fix CVE-2017-9287 openldap: Double free vulnerability in servers/slapd/back-mdb/search.c (#1458210)
* Fri Jul 7 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-12
- Change Requires to Recommends for nss-tools (#1415086)

* Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-4
- NSS: Include some CHACHA20POLY1305 ciphers (#1432907)
* Sun Jun 04 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-11
- Perl 5.26 rebuild

* Wed Mar 15 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-3
- NSS: re-register NSS_Shutdown callback (#1405354)
* Fri Mar 31 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-10
- NSS: Maximal TLS protocol version should be equal to NSS default (#1435692)

* Wed Mar 15 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-2
- Include MDB tools in openldap-servers (#1428740)
* Thu Mar 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-9
- NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS (#1435692)
- NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435692)

* Wed Jan 4 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-1
- Rebase to openldap-2.4.44 (#1386365)
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.44-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Wed Aug 17 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-13
- fix: Bad log levels in check_password module
- fix: We can't search expected entries from LDAP server
- fix: OpenLDAP ciphersuite parsing doesn't match OpenSSL ciphers man page
+ Add TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 to list of ciphers
+ Add DH cipher string parsing option
+ Correct handling kECDH ciphers with aRSA or aECDSA
* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7
- NSS: Update list of ciphers (#1387868)

* Fri Jul 1 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-12
- fix: slapd crash in do_search (#1316450)
- fix: Setting olcTLSProtocolMin does not change supported protocols (#1249093)
* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-6
- NSS: Use what NSS considers default for DEFAULT cipher string (#1387868)

* Mon May 30 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-11
- fix: correct inconsistent slapd.d directory permissions (#1255433)
* Thu Jan 26 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-5
- NSS: fix: incorrect multi-keyword parsing and support new ones (#1243517)

* Mon May 30 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-10
- fix: slapd fails to start on boot (#1315958)
- fix: id_query option is not available after rebasing openldap to 2.4.39 (#1311832)
- Include sha2 module (#1292568)
- Compile AllOp together with other overlays (#990893)
- Missing mutex unlock in accesslog overlay (#1261003)
- ITS#8337 fix missing olcDbChecksum config attr (#1292590)
- ITS#8003 fix off-by-one in LDIF length (#1292619)
* Mon Jan 23 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-4
- fix previous commit (#1375432)

* Mon Feb 22 2016 Matúš Honěk <mhonek@redhat.com> - 2.4.40-9
- fix: nslcd segfaults due to incorrect mutex initialization (#1294385)
* Fri Jan 20 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-3
- fix: Setting olcTLSProtocolMin does not change supported protocols (#1375432)
- fix: slapd should start after network-online.service (#1336487)

* Wed Sep 23 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-8
- NSS does not support string ordering (#1231522)
- implement and correct order of parsing attributes (#1231522)
- add multi_mask and multi_strength to correctly handle sets of attributes (#1231522)
- add new cipher suites and correct AES-GCM attributes (#1245279)
- correct DEFAULT ciphers handling to exclude eNULL cipher suites (#1245279)
* Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-2
- Perl 5.24 rebuild

* Mon Sep 14 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-7
- Merge two MozNSS cipher suite definition patches into one. (#1245279)
- Use what NSS considers default for DEFAULT cipher string. (#1245279)
- Remove unnecesary defaults from ciphers' definitions (#1245279)
* Wed May 11 2016 Matus Honek <mhonek@redhat.com> - 2.4.44-1
- Update to 2.4.44 (#1305191)

* Tue Sep 01 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-6
- fix: OpenLDAP shared library destructor triggers memory leaks in NSPR (#1249977)
* Tue May 3 2016 Matus Honek <mhonek@redhat.com> - 2.4.43-5
- Bring back *.la files in %%{_libdir}/openldap/ (#1331484)

* Fri Jul 24 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-5
- enhancement: support TLS 1.1 and later (#1231522,#1160467)
- fix: openldap ciphersuite parsing code handles masks incorrectly (#1231522)
- fix the patch in commit da1b5c (fix: OpenLDAP crash in NSS shutdown handling) (#1231228)
* Wed Apr 27 2016 Matus Honek <mhonek@redhat.com> - 2.4.43-4
- Keep *.so libraries in %%{_libdir}/openldap/ (#1331484)
- Include AllOp overlay (#1319782)

* Mon Jun 29 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-4
- fix: rpm -V complains (#1230263) -- make the previous fix do what was intended
* Sun Apr 10 2016 Peter Robinson <pbrobinson@fedoraproject.org> 2.4.43-3
- Ensure all libtool archive files are removed (.la)

* Mon Jun 22 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-3
- fix: rpm -V complains (#1230263)
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.43-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild

* Wed Jun 3 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-2
- fix: missing frontend database indexing (#1226600)
* Wed Dec 02 2015 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 2.4.43-1
- Update to 2.4.43 (#1253871)

* Wed May 20 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-1
- new upstream release (#1147982)
- fix: PIE and RELRO check (#1092562)
- fix: slaptest doesn't convert perlModuleConfig lines (#1184585)
- fix: OpenLDAP crash in NSS shutdown handling (#1158005)
- fix: slapd.service may fail to start if binding to NIC ip (#1198781)
- fix: deadlock during SSL_ForceHandshake when getting connection to replica (#1125152)
- improve check_password (#1174723, #1196243)
- provide an unversioned symlink to check_password.so.1.1 (#1174634)
- add findutils to requires (#1209229)
* Thu Jul 16 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.41-1
- New upstream release 2.4.41 (#1238251)

* Thu Dec 4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-6
- refix: slapd.ldif olcFrontend missing important/required objectclass (#1132094)
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.40-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

* Fri Nov 28 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-5
- add documentation reference to service file (#1087288)
- fix: tls_reqcert try has bad behavior (#1027613)
* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.40-13
- Perl 5.22 rebuild

* Tue Nov 25 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-4
- support TLS 1.1 and later (#1160468)
- fix: /etc/openldap/certs directory is empty after installation (#1064251)
- fix: Typo in script to generate /usr/libexec/openldap/generate-server-cert.sh (#1087490)
- fix: remove correct tmp file when generating server cert (#1103101)
- fix: slapd.ldif olcFrontend missing important/required objectclass (#1132094)
* Mon Apr 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-12
- fix: bring back tmpfiles config (#1215655)

* Wed Feb 26 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-3
- move tmpfiles config to correct location (#1069513)
* Mon Mar 30 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-11
- remove spurious ghosted file

* Wed Feb 5 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-2
- CVE-2013-4449: segfault on certain queries with rwm overlay (#1061405)
* Fri Feb 20 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-10
- link against moznss again (#1187742)

* Thu Jan 30 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-1
- new upstream release (#1040324)
* Wed Feb 11 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
- fix: Unknown Berkeley DB major version in db.h (#1191098)

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.4.35-12
- Mass rebuild 2014-01-24
* Tue Feb 10 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
- CVE-2015-1545: slapd crashes on search with deref control (#1190645)

* Thu Jan 16 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.35-11
- fix: missing EOL at the end of default /etc/openldap/ldap.conf (#1053005)
* Tue Jan 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-8
- link against openssl by default
- simplify package even more by removing certificate generation

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.4.35-10
- Mass rebuild 2013-12-27
* Mon Jan 26 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-7
- remove tmpfiles config since it's no longer needed
- fix invalid ldif
- simplify checking for missing server configuration

* Tue Dec 17 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-9
- fix: more typos in manpages (#948562)
* Fri Jan 16 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-6
- remove openldap-fedora-systemd.patch
- remove openldap-ldaprc-currentdir.patch
- remove openldap-userconfig-setgid.patch
- remove openldap-syncrepl-unset-tls-options.patch
- remove unneeded configure flags, disable sql backend and aci
- make mdb default after a new installation
- remove pid file and args file
- renumber patches and sources

* Wed Nov 13 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-8
- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1023415)
* Wed Dec 17 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-5
- harden the build
- improve check_password
- provide an unversioned symlink to check_password.so.1.1

* Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-7
- fix: CLDAP is broken for IPv6 (#1007421)
* Tue Dec 16 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-4
- remove openldap.pc

* Wed Sep 4 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-6
- fix: typos in manpages (#948562)
* Tue Dec 9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-3
- enhancement: generate openldap.pc (#1171493)

* Fri Nov 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-2
- enhancement: support TLSv1 and later (#1160466)

* Mon Oct 6 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-1
- new upstream release (#1147877)

* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.39-12
- Perl 5.20 rebuild

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.4.39-10
- fix license handling

* Mon Jul 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-9
- fix: fix typo in generate-server-cert.sh (#1117229)

* Mon Jun 9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-8
- fix: make default service configuration listen on ldaps:/// as well (#1105634)

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Fri May 30 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-6
- fix: remove correct tmp file when generating server cert (#1103102)

* Mon Mar 24 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-5
- re-symlink unversioned libraries, so ldconfig is not confused (#1028557)

* Tue Mar 4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-4
- don't automatically convert slapd.conf to slapd-config

* Wed Feb 19 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-3
- remove redundant sysconfig-related stuff
- add documentation reference to service file
- alias slapd.service as openldap.service

* Tue Feb 4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-2
- CVE-2013-4449: segfault on certain queries with rwm overlay (#1060851)

* Wed Jan 29 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-1
- new upstream release (#1059186)

* Mon Nov 18 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.38-1
- new upstream release (#1031608)

* Mon Nov 11 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-2
- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1028935)

* Wed Oct 30 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-1
- new upstream release (#1023916)
- fix: missing a linefeed at the end of file /etc/openldap/ldap.conf (#1019836)

* Mon Oct 21 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-4
- fix: slapd daemon fails to start with segmentation fault on s390x (#1020661)

* Tue Oct 15 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-3
- rebuilt for libdb-5.3.28

* Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2
- fix: CLDAP is broken for IPv6 (#1018688)

* Wed Sep 4 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2
- fix: typos in manpages

* Tue Aug 20 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-1
- new upstream release
+ compile-in mdb backend

* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.35-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 2.4.35-6
- Perl 5.18 rebuild

* Fri Jun 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-5
- fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0"