openldap version update 2.4.46

Signed-off-by: basebuilder_pel7ppc64lebuilder0 <basebuilder@powerel.org>

SOURCES/check-password-makefile.patch

@@ -3,15 +3,15 @@
 @@ -13,22 +13,11 @@
  #
  CONFIG=/etc/openldap/check_password.conf
-
+ 
 -OPT=-g -O2 -Wall -fpic 						\
 -	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""	\
 -	-DCONFIG_FILE="\"$(CONFIG)\""					\
 +CFLAGS+=-fpic                                                  \
 +	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \
 +	-DCONFIG_FILE="\"$(CONFIG)\""                          \
-	-DDEBUG
-
+ 	-DDEBUG
+ 
 -# Where to find the OpenLDAP headers.
 -#
 -LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
@@ -24,18 +24,18 @@
 -INCS=$(LDAP_INC) $(CRACK_INC)
 -
  LDAP_LIB=-lldap_r -llber
-
+ 
  # Comment out this line if you do NOT want to use the cracklib.
 @@ -45,10 +34,10 @@
  all: 	check_password
-
+ 
  check_password.o:
 -	$(CC) $(OPT) -c $(INCS) check_password.c
 +	$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
-
+ 
  check_password: clean check_password.o
 -	$(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
 +	$(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
-
+ 
  install: check_password
-	cp -f check_password.so ../../../usr/lib/openldap/modules/
+ 	cp -f check_password.so ../../../usr/lib/openldap/modules/

SOURCES/check-password.patch

@@ -2,33 +2,33 @@
 +++ b/check_password.c	2014-12-17 12:25:00.148900907 +0100
 @@ -10,7 +10,7 @@
  #include <slap.h>
-
+ 
  #ifdef HAVE_CRACKLIB
 -#include "crack.h"
 +#include <crack.h>
  #endif
-
+ 
  #if defined(DEBUG)
 @@ -34,18 +34,77 @@
  #define PASSWORD_TOO_SHORT_SZ \
-	"Password for dn=\"%s\" is too short (%d/6)"
+ 	"Password for dn=\"%s\" is too short (%d/6)"
  #define PASSWORD_QUALITY_SZ \
 -	"Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
 +	"Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
  #define BAD_PASSWORD_SZ \
-	"Bad password for dn=\"%s\" because %s"
+ 	"Bad password for dn=\"%s\" because %s"
 +#define UNKNOWN_ERROR_SZ \
 +	"An unknown error occurred, please see your systems administrator"
-
+ 
  typedef int (*validator) (char*);
 -static int read_config_file (char *);
 +static int read_config_file ();
  static validator valid_word (char *);
  static int set_quality (char *);
  static int set_cracklib (char *);
-
+ 
  int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
-
+ 
 +struct config_entry {
 +	char* key;
 +	char* value;
@@ -90,9 +90,9 @@
  {
  #if defined(DEBUG)
 @@ -84,12 +143,12 @@
-		char * parameter;
-		validator dealer;
-	} list[] = { { "minPoints", set_quality },
+ 		char * parameter;
+ 		validator dealer;
+ 	} list[] = { { "minPoints", set_quality },
 -		{ "useCracklib", set_cracklib },
 -		{ "minUpper", set_digit },
 -		{ "minLower", set_digit },
@@ -105,49 +105,49 @@
 +		     { "minDigit", set_digit },
 +		     { "minPunct", set_digit },
 +		     { NULL, NULL } };
-	int index = 0;
-
+ 	int index = 0;
+ 
  #if defined(DEBUG)
 @@ -98,7 +157,7 @@
-
-	while (list[index].parameter != NULL) {
-		if (strlen(word) == strlen(list[index].parameter) &&
+ 
+ 	while (list[index].parameter != NULL) {
+ 		if (strlen(word) == strlen(list[index].parameter) &&
 -				strcmp(list[index].parameter, word) == 0) {
 +		    strcmp(list[index].parameter, word) == 0) {
  #if defined(DEBUG)
-			syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+ 			syslog(LOG_NOTICE, "check_password: Parameter accepted.");
  #endif
 @@ -114,13 +173,15 @@
-	return NULL;
+ 	return NULL;
  }
-
+ 
 -static int read_config_file (char *keyWord)
 +static int read_config_file ()
  {
-	FILE * config;
-	char * line;
-	int returnValue =  -1;
-
+ 	FILE * config;
+ 	char * line;
+ 	int returnValue =  -1;
+ 
 -	if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
 +	line = ber_memcalloc(260, sizeof(char));
 +
 +	if ( line == NULL ) {
-		return returnValue;
-	}
-
+ 		return returnValue;
+ 	}
+ 
 @@ -133,6 +194,8 @@
-		return returnValue;
-	}
-
+ 		return returnValue;
+ 	}
+ 
 +	returnValue = 0;
 +
-	while (fgets(line, 256, config) != NULL) {
-		char *start = line;
-		char *word, *value;
+ 	while (fgets(line, 256, config) != NULL) {
+ 		char *start = line;
+ 		char *word, *value;
 @@ -145,23 +208,40 @@
-
-		while (isspace(*start) && isascii(*start)) start++;
-
+ 
+ 		while (isspace(*start) && isascii(*start)) start++;
+ 
 -		if (! isascii(*start))
 +		/* If we've got punctuation, just skip the line. */
 +		if ( ispunct(*start)) {
@@ -155,9 +155,9 @@
 +			/* Debug traces to syslog. */
 +			syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
 +#endif
-			continue;
+ 			continue;
 +		}
-
+ 
 -		if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
 -			if ((value = strtok(NULL, " \t")) == NULL)
 -				continue;
@@ -169,12 +169,12 @@
 +			if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
 +				while ( keyWord != NULL ) {
 +					if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
-
+ 
  #if defined(DEBUG)
 -			syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
 +						syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
  #endif
-
+ 
 -			returnValue = (*dealer)(value);
 +						centry[i].value = chomp(value);
 +						break;
@@ -183,51 +183,51 @@
 +					keyWord = centry[i].key;
 +				}
 +			}
-		}
-	}
+ 		}
+ 	}
 -
-	fclose(config);
-	ber_memfree(line);
+ 	fclose(config);
+ 	ber_memfree(line);
 +
-	return returnValue;
+ 	return returnValue;
  }
-
+ 
 @@ -170,7 +250,7 @@
-	if (curlen < nextlen + MEMORY_MARGIN) {
+ 	if (curlen < nextlen + MEMORY_MARGIN) {
  #if defined(DEBUG)
-		syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
+ 		syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
 -				curlen, nextlen + MEMORY_MARGIN);
 +		       curlen, nextlen + MEMORY_MARGIN);
  #endif
-		ber_memfree(*target);
-		curlen = nextlen + MEMORY_MARGIN;
+ 		ber_memfree(*target);
+ 		curlen = nextlen + MEMORY_MARGIN;
 @@ -180,7 +260,7 @@
-	return curlen;
+ 	return curlen;
  }
-
+ 
 -	int
 +int
  check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
  {
-
+ 
 @@ -210,20 +290,22 @@
-	nLen = strlen (pPasswd);
-	if ( nLen < 6) {
-		mem_len = realloc_error_message(&szErrStr, mem_len,
+ 	nLen = strlen (pPasswd);
+ 	if ( nLen < 6) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
 -				strlen(PASSWORD_TOO_SHORT_SZ) +
 -				strlen(pEntry->e_name.bv_val) + 1);
 +						strlen(PASSWORD_TOO_SHORT_SZ) +
 +						strlen(pEntry->e_name.bv_val) + 1);
-		sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
-		goto fail;
-	}
-
+ 		sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
+ 		goto fail;
+ 	}
+ 
 -	/* Read config file */
 -	minQuality = read_config_file("minPoints");
 +	if (read_config_file() == -1) {
 +		syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
 +	}
-
+ 
 -	useCracklib = read_config_file("useCracklib");
 -	minUpper = read_config_file("minUpper");
 -	minLower = read_config_file("minLower");
@@ -239,22 +239,22 @@
 +	minLower = get_config_entry_int("minLower");
 +	minDigit = get_config_entry_int("minDigit");
 +	minPunct = get_config_entry_int("minPunct");
-
-	/** The password must have at least minQuality strength points with one
-	 * point for the first occurrance of a lower, upper, digit and
+ 
+ 	/** The password must have at least minQuality strength points with one
+ 	 * point for the first occurrance of a lower, upper, digit and
 @@ -232,8 +314,6 @@
-
-	for ( i = 0; i < nLen; i++ ) {
-
+ 
+ 	for ( i = 0; i < nLen; i++ ) {
+ 
 -		if ( nQuality >= minQuality ) break;
 -
-		if ( islower (pPasswd[i]) ) {
-			minLower--;
-			if ( !nLower && (minLower < 1)) {
+ 		if ( islower (pPasswd[i]) ) {
+ 			minLower--;
+ 			if ( !nLower && (minLower < 1)) {
 @@ -279,12 +359,23 @@
-		}
-	}
-
+ 		}
+ 	}
+ 
 -	if ( nQuality < minQuality ) {
 +	/*
 +	 * If you have a required field, then it should be required in the strength
@@ -268,54 +268,54 @@
 +		(minPunct > 0 ) ||
 +		(nQuality < minQuality)
 +		) {
-		mem_len = realloc_error_message(&szErrStr, mem_len,
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
 -				strlen(PASSWORD_QUALITY_SZ) +
 -				strlen(pEntry->e_name.bv_val) + 2);
 +						strlen(PASSWORD_QUALITY_SZ) +
 +						strlen(pEntry->e_name.bv_val) + 2);
-		sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+ 		sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
 -				nQuality, minQuality);
 +			 nQuality, minQuality);
-		goto fail;
-	}
-
+ 		goto fail;
+ 	}
+ 
 @@ -306,7 +397,7 @@
-		for ( j = 0; j < 3; j++ ) {
-
-			snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+ 		for ( j = 0; j < 3; j++ ) {
+ 
+ 			snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
 -					CRACKLIB_DICTPATH, ext[j]);
 +				  CRACKLIB_DICTPATH, ext[j]);
-
-			if (( fp = fopen ( filename, "r")) == NULL ) {
-
+ 
+ 			if (( fp = fopen ( filename, "r")) == NULL ) {
+ 
 @@ -326,9 +417,9 @@
-			r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
-			if ( r != NULL ) {
-				mem_len = realloc_error_message(&szErrStr, mem_len,
+ 			r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+ 			if ( r != NULL ) {
+ 				mem_len = realloc_error_message(&szErrStr, mem_len,
 -						strlen(BAD_PASSWORD_SZ) +
 -						strlen(pEntry->e_name.bv_val) +
 -						strlen(r));
 +								strlen(BAD_PASSWORD_SZ) +
 +								strlen(pEntry->e_name.bv_val) +
 +								strlen(r));
-				sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
-				goto fail;
-			}
+ 				sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+ 				goto fail;
+ 			}
 @@ -342,15 +433,15 @@
-	}
-
+ 	}
+ 
  #endif
 -
 +	dealloc_config_entries();
-	*ppErrStr = strdup ("");
-	ber_memfree(szErrStr);
-	return (LDAP_SUCCESS);
-
+ 	*ppErrStr = strdup ("");
+ 	ber_memfree(szErrStr);
+ 	return (LDAP_SUCCESS);
+ 
  fail:
 +	dealloc_config_entries();
-	*ppErrStr = strdup (szErrStr);
-	ber_memfree(szErrStr);
-	return (EXIT_FAILURE);
-
+ 	*ppErrStr = strdup (szErrStr);
+ 	ber_memfree(szErrStr);
+ 	return (EXIT_FAILURE);
+ 
  }
 -

SOURCES/ldap.conf

@@ -12,7 +12,17 @@
 #TIMELIMIT	15
 #DEREF		never
 
-TLS_CACERTDIR	/etc/openldap/certs
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT	/etc/pki/tls/cert.pem
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
 
 # Turning this off breaks GSSAPI used with krb5 when rdns = false
 SASL_NOCANON	on
+

SOURCES/openldap-ai-addrconfig.patch

@@ -9,12 +9,12 @@ index b31e05d..fa361ab 100644
 --- a/libraries/libldap/os-ip.c
 +++ b/libraries/libldap/os-ip.c
 @@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
-
+ 
  #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
-	memset( &hints, '\0', sizeof(hints) );
+ 	memset( &hints, '\0', sizeof(hints) );
 -#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
 -	/* Use AI_ADDRCONFIG only on systems where its known to be needed. */
 +#ifdef AI_ADDRCONFIG
-	hints.ai_flags = AI_ADDRCONFIG;
+ 	hints.ai_flags = AI_ADDRCONFIG;
  #endif
-	hints.ai_family = ldap_int_inet4or6;
+ 	hints.ai_family = ldap_int_inet4or6;

SOURCES/openldap-allop-overlay.patch

@@ -1,34 +1,34 @@
 Compile AllOp together with other overlays.
 
 Author: Matus Honek <mhonek@redhat.com>
-Resolves: #990893
+Resolves: #1319782
 
 diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
 --- a/servers/slapd/overlays/Makefile.in
 +++ b/servers/slapd/overlays/Makefile.in
 @@ -33,7 +33,8 @@ SRCS = overlays.c \
-	translucent.c \
-	unique.c \
-	valsort.c \
+ 	translucent.c \
+ 	unique.c \
+ 	valsort.c \
 -	smbk5pwd.c
 +	smbk5pwd.c \
 +	allop.c
  OBJS = statover.o \
-	@SLAPD_STATIC_OVERLAYS@ \
-	overlays.o
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
 @@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
  UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
-
+ 
  LIBRARY = ../liboverlays.a
 -PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
 +PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
-
+ 
  XINCPATH = -I.. -I$(srcdir)/..
  XDEFS = $(MODULES_CPPFLAGS)
 @@ -125,6 +126,12 @@ unique.la : unique.lo
  smbk5pwd.la : smbk5pwd.lo
-	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
-
+ 	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+ 
 +allop.lo : allop.c
 +	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
 +
@@ -36,5 +36,5 @@ diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefil
 +	$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
 +
  install-local:	$(PROGRAMS)
-	@if test -n "$?" ; then \
-		$(MKDIR) $(DESTDIR)$(moduledir); \
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \

SOURCES/openldap-ldapi-sasl.patch

@@ -13,20 +13,20 @@ index 28c241b..a9acf36 100644
 --- a/libraries/libldap/cyrus.c
 +++ b/libraries/libldap/cyrus.c
 @@ -394,6 +394,8 @@ ldap_int_sasl_bind(
-	struct berval	ccred = BER_BVNULL;
-	int saslrc, rc;
-	unsigned credlen;
+ 	struct berval	ccred = BER_BVNULL;
+ 	int saslrc, rc;
+ 	unsigned credlen;
 +	char my_hostname[HOST_NAME_MAX + 1];
 +	int free_saslhost = 0;
-
-	Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
-		mechs ? mechs : "<null>", 0, 0 );
+ 
+ 	Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
+ 		mechs ? mechs : "<null>", 0, 0 );
 @@ -454,14 +456,25 @@ ldap_int_sasl_bind(
-
-			/* If we don't need to canonicalize just use the host
-			 * from the LDAP URI.
+ 
+ 			/* If we don't need to canonicalize just use the host
+ 			 * from the LDAP URI.
 +			 * Always use the result of gethostname() for LDAPI.
-			 */
+ 			 */
 -			if ( nocanon )
 +			if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
 +			    strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
@@ -37,18 +37,19 @@ index 28c241b..a9acf36 100644
 +					saslhost = "localhost";
 +				}
 +			} else if ( nocanon )
-				saslhost = ld->ld_defconn->lconn_server->lud_host;
--			else
+ 				saslhost = ld->ld_defconn->lconn_server->lud_host;
+-			else 
 +			else {
-				saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
-				"localhost" );
+ 				saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+ 				"localhost" );
 +				free_saslhost = 1;
 +			}
-			rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
+ 			rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
 -			if ( !nocanon )
 +			if ( free_saslhost )
-				LDAP_FREE( saslhost );
-		}
-
---
+ 				LDAP_FREE( saslhost );
+ 		}
+ 
+-- 
 1.7.11.7
+

SOURCES/openldap-manpages.patch

@@ -26,7 +26,7 @@ index cfde143..63592cb 100644
  .B TLS_CACERTDIR.
 +The specified directory must be managed with the OpenSSL c_rehash utility.
  This parameter is ignored with GnuTLS.
-
+ 
  When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
 diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
 index b739f4d..e2a1a00 100644
@@ -36,7 +36,7 @@ index b739f4d..e2a1a00 100644
  .SH NAME
  slapd \- Stand-alone LDAP Daemon
  .SH SYNOPSIS
--.B LIBEXECDIR/slapd
+-.B LIBEXECDIR/slapd 
 +.B slapd
  [\c
  .BR \-4 | \-6 ]
@@ -68,5 +68,6 @@ index b739f4d..e2a1a00 100644
  .ft
  .fi
  .LP
---
+-- 
 1.8.1.4
+

SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch

@@ -0,0 +1,227 @@
+ITS#7595 Add Elliptic Curve support for OpenSSL
+
+Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
+Author:    Howard Chu <hyc@openldap.org>
+Date:      Sat Sep 7 09:47:19 2013 -0700
+
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index 9c72e8296..2311c3096 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -922,6 +922,13 @@ are not used.
+ When using Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
+ .TP
++.B olcTLSECName: <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange.  This is required to enable ECDHE algorithms in
++OpenSSL.  This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B olcTLSProtocolMin: <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index f504adcf9..ef03e0ad8 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1153,6 +1153,13 @@ are not used.
+ When using Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
+ .TP
++.B TLSECName <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange.  This is required to enable ECDHE algorithms in
++OpenSSL.  This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B TLSProtocolMin <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+diff --git a/include/ldap.h b/include/ldap.h
+index c245651c2..0964a193e 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_NEWCTX		0x600f
+ #define LDAP_OPT_X_TLS_CRLFILE		0x6010	/* GNUtls only */
+ #define LDAP_OPT_X_TLS_PACKAGE		0x6011
++#define LDAP_OPT_X_TLS_ECNAME		0x6012
+ 
+ #define LDAP_OPT_X_TLS_NEVER	0
+ #define LDAP_OPT_X_TLS_HARD		1
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 66e04ae80..db7193f4f 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -165,6 +165,7 @@ struct ldaptls {
+ 	char		*lt_ciphersuite;
+ 	char		*lt_crlfile;
+ 	char		*lt_randfile;	/* OpenSSL only */
++	char		*lt_ecname;		/* OpenSSL only */
+ 	int		lt_protocol_min;
+ };
+ #endif
+@@ -250,6 +251,7 @@ struct ldapoptions {
+ #define ldo_tls_certfile	ldo_tls_info.lt_certfile
+ #define ldo_tls_keyfile	ldo_tls_info.lt_keyfile
+ #define ldo_tls_dhfile	ldo_tls_info.lt_dhfile
++#define ldo_tls_ecname	ldo_tls_info.lt_ecname
+ #define ldo_tls_cacertfile	ldo_tls_info.lt_cacertfile
+ #define ldo_tls_cacertdir	ldo_tls_info.lt_cacertdir
+ #define ldo_tls_ciphersuite	ldo_tls_info.lt_ciphersuite
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index d25c190ea..0451b01af 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+ 		LDAP_FREE( lo->ldo_tls_dhfile );
+ 		lo->ldo_tls_dhfile = NULL;
+ 	}
++	if ( lo->ldo_tls_ecname ) {
++		LDAP_FREE( lo->ldo_tls_ecname );
++		lo->ldo_tls_ecname = NULL;
++	}
+ 	if ( lo->ldo_tls_cacertfile ) {
+ 		LDAP_FREE( lo->ldo_tls_cacertfile );
+ 		lo->ldo_tls_cacertfile = NULL;
+@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
+ 		lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
+ 		__atoe( lts.lt_dhfile );
+ 	}
++	if ( lts.lt_ecname ) {
++		lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
++		__atoe( lts.lt_ecname );
++	}
+ #endif
+ 	lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
+ 	if ( lo->ldo_tls_ctx == NULL ) {
+@@ -257,6 +265,7 @@ error_exit:
+ 	LDAP_FREE( lts.lt_crlfile );
+ 	LDAP_FREE( lts.lt_cacertdir );
+ 	LDAP_FREE( lts.lt_dhfile );
++	LDAP_FREE( lts.lt_ecname );
+ #endif
+ 	return rc;
+ }
+@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
+ 		*(char **)arg = lo->ldo_tls_dhfile ?
+ 			LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
+ 		break;
++	case LDAP_OPT_X_TLS_ECNAME:
++		*(char **)arg = lo->ldo_tls_ecname ?
++			LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
++		break;
+ 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
+ 		*(char **)arg = lo->ldo_tls_crlfile ?
+ 			LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
+@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ 		if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+ 		lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
++	case LDAP_OPT_X_TLS_ECNAME:
++		if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
++		lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		return 0;
+ 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
+ 		if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+ 		lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index f24060b7e..1370923af 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		return -1;
+ 	}
+ 
+-	if ( lo->ldo_tls_dhfile ) {
+-		DH *dh = NULL;
++	if ( is_server && lo->ldo_tls_dhfile ) {
++		DH *dh;
+ 		BIO *bio;
+-		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+ 
+ 		if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+ 			Debug( LDAP_DEBUG_ANY,
+@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		}
+ 		BIO_free( bio );
+ 		SSL_CTX_set_tmp_dh( ctx, dh );
++		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
++		DH_free( dh );
++	}
++
++#ifdef SSL_OP_SINGLE_ECDH_USE
++	if ( is_server && lo->ldo_tls_ecname ) {
++		EC_KEY *ecdh;
++
++		int nid = OBJ_sn2nid( lt->lt_ecname );
++		if ( nid == NID_undef ) {
++			Debug( LDAP_DEBUG_ANY,
++				"TLS: could not use EC name `%s'.\n",
++				lo->ldo_tls_ecname,0,0);
++			tlso_report_error();
++			return -1;
++		}
++		ecdh = EC_KEY_new_by_curve_name( nid );
++		if ( ecdh == NULL ) {
++			Debug( LDAP_DEBUG_ANY,
++				"TLS: could not generate key for EC name `%s'.\n",
++				lo->ldo_tls_ecname,0,0);
++			tlso_report_error();
++			return -1;
++		}
++		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
++		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
++		EC_KEY_free( ecdh );
+ 	}
++#endif
+ 
+ 	if ( tlso_opt_trace ) {
+ 		SSL_CTX_set_info_callback( ctx, tlso_info_cb );
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 250f14100..8b1e4e582 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -194,6 +194,7 @@ enum {
+ 	CFG_ACL_ADD,
+ 	CFG_SYNC_SUBENTRY,
+ 	CFG_LTHREADS,
++	CFG_TLS_ECNAME,
+ 
+ 	CFG_LAST
+ };
+@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
+ #endif
+ 		"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
+ 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
++	{ "TLSECName", NULL, 2, 2, 0,
++#ifdef HAVE_TLS
++		CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
++#else
++		ARG_IGNORED, NULL,
++#endif
++		"( OLcfgGlAt:96 NAME 'olcTLSECName' "
++			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ 	{ "TLSProtocolMin",	NULL, 2, 2, 0,
+ #ifdef HAVE_TLS
+ 		CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
+@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
+ 		 "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
+ 		 "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
+ 		 "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
+-		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
++		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
+ 		 "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
+ 		 "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
+ 		 "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
+@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
+ 	case CFG_TLS_CA_PATH:	flag = LDAP_OPT_X_TLS_CACERTDIR;	break;
+ 	case CFG_TLS_CA_FILE:	flag = LDAP_OPT_X_TLS_CACERTFILE;	break;
+ 	case CFG_TLS_DH_FILE:	flag = LDAP_OPT_X_TLS_DHFILE;	break;
++	case CFG_TLS_ECNAME:	flag = LDAP_OPT_X_TLS_ECNAME;	break;
+ #ifdef HAVE_GNUTLS
+ 	case CFG_TLS_CRL_FILE:	flag = LDAP_OPT_X_TLS_CRLFILE;	break;
+ #endif

SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch

@@ -0,0 +1,34 @@
+ITS#7595 don't try to use EC if OpenSSL lacks it
+
+Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
+Author: Howard Chu <hyc@openldap.org>
+Date: Sun Sep 8 06:32:23 2013 -0700
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 1a81bc625..71c2b055c 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		DH_free( dh );
+ 	}
+ 
+-#ifdef SSL_OP_SINGLE_ECDH_USE
+ 	if ( is_server && lo->ldo_tls_ecname ) {
++#ifdef OPENSSL_NO_EC
++		Debug( LDAP_DEBUG_ANY,
++			"TLS: Elliptic Curves not supported.\n", 0,0,0 );
++		return -1;
++#else
+ 		EC_KEY *ecdh;
+ 
+ 		int nid = OBJ_sn2nid( lt->lt_ecname );
+@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+ 		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+ 		EC_KEY_free( ecdh );
+-	}
+ #endif
++	}
+ 
+ 	if ( tlso_opt_trace ) {
+ 		SSL_CTX_set_info_callback( ctx, tlso_info_cb );

SOURCES/openldap-openssl-manpage-defaultCA.patch

@@ -0,0 +1,48 @@
+Reference default system-wide CA certificates in manpages
+
+OpenSSL, unless explicitly configured, uses system-wide default set of CA
+certificates.
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -307,6 +307,9 @@ are more options you can specify.  These options are used when an
+ .B ldaps:// URI
+ is selected (by default or otherwise) or when the application
+ negotiates TLS by issuing the LDAP StartTLS operation.
++.LP
++When using OpenSSL, if neither  \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
++is set, the system-wide default set of CA certificates is used.
+ .TP
+ .B TLS_CACERT <filename>
+ Specifies the file that contains certificates for all of the Certificate
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -801,6 +801,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither  \fBolcTLSCACertificateFile\fP nor
++\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B olcTLSCipherSuite: <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1032,6 +1032,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither  \fBTLSCACertificateFile\fP nor
++\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B TLSCipherSuite <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.

SOURCES/openldap-reentrant-gethostby.patch

@@ -19,15 +19,15 @@ index 373c81c..a012062 100644
 -# undef HAVE_GETHOSTBYADDR_R
 +/* # undef HAVE_GETHOSTBYNAME_R */
 +/* # undef HAVE_GETHOSTBYADDR_R */
-
+ 
  #else
  # include <ldap_pvt_thread.h>
 @@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
  #define BUFSTART (1024-32)
  #define BUFMAX (32*1024-32)
-
+ 
 -#if defined(LDAP_R_COMPILE)
 +#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
  static char *safe_realloc( char **buf, int len );
-
+ 
  #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))

SOURCES/openldap-smbk5pwd-overlay.patch

@@ -26,28 +26,28 @@ index 3af20e8..ef73663 100644
 --- a/servers/slapd/overlays/Makefile.in
 +++ b/servers/slapd/overlays/Makefile.in
 @@ -33,7 +33,8 @@ SRCS = overlays.c \
-	syncprov.c \
-	translucent.c \
-	unique.c \
+ 	syncprov.c \
+ 	translucent.c \
+ 	unique.c \
 -	valsort.c
 +	valsort.c \
 +	smbk5pwd.c
  OBJS = statover.o \
-	@SLAPD_STATIC_OVERLAYS@ \
-	overlays.o
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
 @@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
  UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
-
+ 
  LIBRARY = ../liboverlays.a
 -PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
 +PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
-
+ 
  XINCPATH = -I.. -I$(srcdir)/..
  XDEFS = $(MODULES_CPPFLAGS)
 @@ -125,6 +126,12 @@ unique.la : unique.lo
  valsort.la : valsort.lo
-	$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
-
+ 	$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+ 
 +smbk5pwd.lo : smbk5pwd.c
 +	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
 +
@@ -55,7 +55,8 @@ index 3af20e8..ef73663 100644
 +	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
 +
  install-local:	$(PROGRAMS)
-	@if test -n "$?" ; then \
-		$(MKDIR) $(DESTDIR)$(moduledir); \
---
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \
+-- 
 1.7.10.4
+

SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch

@@ -10,9 +10,9 @@ Resolves: #960048
 --- openldap/servers/slapd/module.c.orig	2010-05-18 17:42:04.000000000 +0200
 +++ openldap/servers/slapd/module.c	2010-05-18 17:45:46.000000000 +0200
 @@ -117,6 +117,20 @@
-	return -1;	/* not found */
+ 	return -1;	/* not found */
  }
-
+ 
 +static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
 +{
 +	lt_dlhandle handle = 0;
@@ -29,13 +29,13 @@ Resolves: #960048
 +
  int module_load(const char* file_name, int argc, char *argv[])
  {
-	module_loaded_t *module;
+ 	module_loaded_t *module;
 @@ -180,7 +194,7 @@
-	 * to calling Debug. This is because Debug is a macro that expands
-	 * into multiple function calls.
-	 */
+ 	 * to calling Debug. This is because Debug is a macro that expands
+ 	 * into multiple function calls.
+ 	 */
 -	if ((module->lib = lt_dlopenext(file)) == NULL) {
 +	if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
-		error = lt_dlerror();
+ 		error = lt_dlerror();
  #ifdef HAVE_EBCDIC
-		strcpy( ebuf, error );
+ 		strcpy( ebuf, error );

SOURCES/openldap-tlso-use-openssl-api-to-verify-host.patch

@@ -0,0 +1,224 @@
+From f2978fefa13eb92b73922e49d2f6c12b4f92ea85 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Fri, 10 Jan 2020 18:35:02 +0100
+Subject: [PATCH] Use OpenSSL API to verify host
+
+Replace custom hostname and IP address verification with OpenSSL 1.0.2
+APIs.
+---
+ libraries/libldap/tls_o.c | 184 ++++++--------------------------------
+ 1 file changed, 28 insertions(+), 156 deletions(-)
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index e52c5507c..5adf7b74f 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -660,25 +660,15 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
+ 	return 0;
+ }
+ 
+-/* what kind of hostname were we given? */
+-#define	IS_DNS	0
+-#define	IS_IP4	1
+-#define	IS_IP6	2
+-
+ static int
+ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ {
+ 	tlso_session *s = (tlso_session *)sess;
+-	int i, ret = LDAP_LOCAL_ERROR;
++	int ret = LDAP_LOCAL_ERROR;
+ 	X509 *x;
+ 	const char *name;
+-	char *ptr;
+-	int ntype = IS_DNS, nlen;
+-#ifdef LDAP_PF_INET6
+-	struct in6_addr addr;
+-#else
+-	struct in_addr addr;
+-#endif
++	int flags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
++	ASN1_OCTET_STRING *ip;
+ 
+ 	if( ldap_int_hostname &&
+ 		( !name_in || !strcasecmp( name_in, "localhost" ) ) )
+@@ -687,7 +677,6 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ 	} else {
+ 		name = name_in;
+ 	}
+-	nlen = strlen(name);
+ 
+ 	x = tlso_get_cert(s);
+ 	if (!x) {
+@@ -619,150 +619,32 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ 		return LDAP_SUCCESS;
+ 	}
+ 
+-#ifdef LDAP_PF_INET6
+-	if (inet_pton(AF_INET6, name, &addr)) {
+-		ntype = IS_IP6;
+-	} else 
+-#endif
+-	if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
+-		if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
+-	}
+-	
+-	i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
+-	if (i >= 0) {
+-		X509_EXTENSION *ex;
+-		STACK_OF(GENERAL_NAME) *alt;
+-
+-		ex = X509_get_ext(x, i);
+-		alt = X509V3_EXT_d2i(ex);
+-		if (alt) {
+-			int n, len2 = 0;
+-			char *domain = NULL;
+-			GENERAL_NAME *gn;
+-
+-			if (ntype == IS_DNS) {
+-				domain = strchr(name, '.');
+-				if (domain) {
+-					len2 = nlen - (domain-name);
+-				}
+-			}
+-			n = sk_GENERAL_NAME_num(alt);
+-			for (i=0; i<n; i++) {
+-				char *sn;
+-				int sl;
+-				gn = sk_GENERAL_NAME_value(alt, i);
+-				if (gn->type == GEN_DNS) {
+-					if (ntype != IS_DNS) continue;
+-
+-					sn = (char *) ASN1_STRING_data(gn->d.ia5);
+-					sl = ASN1_STRING_length(gn->d.ia5);
+-
+-					/* ignore empty */
+-					if (sl == 0) continue;
+-
+-					/* Is this an exact match? */
+-					if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
+-						break;
+-					}
+-
+-					/* Is this a wildcard match? */
+-					if (domain && (sn[0] == '*') && (sn[1] == '.') &&
+-						(len2 == sl-1) && !strncasecmp(domain, &sn[1], len2))
+-					{
+-						break;
+-					}
+-
+-				} else if (gn->type == GEN_IPADD) {
+-					if (ntype == IS_DNS) continue;
+-
+-					sn = (char *) ASN1_STRING_data(gn->d.ia5);
+-					sl = ASN1_STRING_length(gn->d.ia5);
+-
+-#ifdef LDAP_PF_INET6
+-					if (ntype == IS_IP6 && sl != sizeof(struct in6_addr)) {
+-						continue;
+-					} else
+-#endif
+-					if (ntype == IS_IP4 && sl != sizeof(struct in_addr)) {
+-						continue;
+-					}
+-					if (!memcmp(sn, &addr, sl)) {
+-						break;
+-					}
+-				}
+-			}
+-
+-			GENERAL_NAMES_free(alt);
+-			if (i < n) {	/* Found a match */
+-				ret = LDAP_SUCCESS;
+-			}
+-		}
+-	}
+-
+-	if (ret != LDAP_SUCCESS) {
+-		X509_NAME *xn;
+-		X509_NAME_ENTRY *ne;
+-		ASN1_OBJECT *obj;
+-		ASN1_STRING *cn = NULL;
+-		int navas;
+-
+-		/* find the last CN */
+-		obj = OBJ_nid2obj( NID_commonName );
+-		if ( !obj ) goto no_cn;	/* should never happen */
+-
+-		xn = X509_get_subject_name(x);
+-		navas = X509_NAME_entry_count( xn );
+-		for ( i=navas-1; i>=0; i-- ) {
+-			ne = X509_NAME_get_entry( xn, i );
+-			if ( !OBJ_cmp( X509_NAME_ENTRY_get_object(ne), obj )) {
+-				cn = X509_NAME_ENTRY_get_data( ne );
+-				break;
+-			}
++	/* attempt to encode name as IP address */
++	ip = a2i_IPADDRESS(name);
++	if (ip == NULL) {
++		ERR_clear_error();
++		/* it's a hostname */
++		if (X509_check_host(x, name, strlen(name), flags, NULL) == 1) {
++			ret = LDAP_SUCCESS;
+ 		}
+-
+-		if( !cn )
+-		{
+-no_cn:
+-			Debug( LDAP_DEBUG_ANY,
+-				"TLS: unable to get common name from peer certificate.\n",
+-				0, 0, 0 );
+-			ret = LDAP_CONNECT_ERROR;
+-			if ( ld->ld_error ) {
+-				LDAP_FREE( ld->ld_error );
+-			}
+-			ld->ld_error = LDAP_STRDUP(
+-				_("TLS: unable to get CN from peer certificate"));
+-
+-		} else if ( cn->length == nlen &&
+-			strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
++	} else {
++		/* It's an IPv4 or IPv6 address */
++		if (X509_check_ip(x, ASN1_STRING_data(ip),
++		                  ASN1_STRING_length(ip), 0) == 1) {
+ 			ret = LDAP_SUCCESS;
+-
+-		} else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
+-			char *domain = strchr(name, '.');
+-			if( domain ) {
+-				int dlen;
+-
+-				dlen = nlen - (domain-name);
+-
+-				/* Is this a wildcard match? */
+-				if ((dlen == cn->length-1) &&
+-					!strncasecmp(domain, (char *) &cn->data[1], dlen)) {
+-					ret = LDAP_SUCCESS;
+-				}
+-			}
+ 		}
++		ASN1_OCTET_STRING_free(ip);
++	}
+ 
+-		if( ret == LDAP_LOCAL_ERROR ) {
+-			Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+-				"common name in certificate (%.*s).\n", 
+-				name, cn->length, cn->data );
+-			ret = LDAP_CONNECT_ERROR;
+-			if ( ld->ld_error ) {
+-				LDAP_FREE( ld->ld_error );
+-			}
+-			ld->ld_error = LDAP_STRDUP(
+-				_("TLS: hostname does not match CN in peer certificate"));
++	if( ret == LDAP_LOCAL_ERROR ) {
++		Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
++			"peer certificate.\n", name, 0, 0);
++		ret = LDAP_CONNECT_ERROR;
++		if ( ld->ld_error ) {
++			LDAP_FREE( ld->ld_error );
+ 		}
++		ld->ld_error = LDAP_STRDUP(
++			_("TLS: hostname does not match peer certificate"));
+ 	}
+ 	X509_free(x);
+ 	return ret;

SOURCES/slapd.ldif

@@ -6,14 +6,25 @@
 dn: cn=config
 objectClass: olcGlobal
 cn: config
-olcArgsFile: /var/run/openldap/slapd.args
-olcPidFile: /var/run/openldap/slapd.pid
 #
 # TLS settings
 #
-olcTLSCACertificatePath: /etc/openldap/certs
-olcTLSCertificateFile: "OpenLDAP Server"
-olcTLSCertificateKeyFile: /etc/openldap/certs/password
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+
+
 #
 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
@@ -88,7 +99,6 @@ include: file:///etc/openldap/schema/core.ldif
 
 dn: olcDatabase=frontend,cn=config
 objectClass: olcDatabaseConfig
-objectClass: olcFrontendConfig
 olcDatabase: frontend
 #
 # Sample global access control policy:
@@ -137,10 +147,10 @@ olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 # Backend database definitions
 #
 
-dn: olcDatabase=hdb,cn=config
+dn: olcDatabase=mdb,cn=config
 objectClass: olcDatabaseConfig
-objectClass: olcHdbConfig
-olcDatabase: hdb
+objectClass: olcMdbConfig
+olcDatabase: mdb
 olcSuffix: dc=my-domain,dc=com
 olcRootDN: cn=Manager,dc=my-domain,dc=com
 olcDbDirectory:	/var/lib/ldap

SOURCES/slapd.service

@@ -9,11 +9,9 @@ Documentation=file:///usr/share/doc/openldap-servers/guide.html
 
 [Service]
 Type=forking
-PIDFile=/var/run/openldap/slapd.pid
-Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
-EnvironmentFile=/etc/sysconfig/slapd
 ExecStartPre=/usr/libexec/openldap/check-config.sh
-ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
 
 [Install]
 WantedBy=multi-user.target
+Alias=openldap.service

SPECS/openldap.spec

@@ -4,39 +4,29 @@
 %global check_password_version 1.1
 
 Name: openldap
-Version: 2.4.44
-Release: 13%{?dist}
+Version: 2.4.46
+Release: 11%{?dist}
 Summary: LDAP support libraries
-Group: System Environment/Daemons
 License: OpenLDAP
 URL: http://www.openldap.org/
+
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
 Source1: slapd.service
-Source2: slapd.sysconfig
-Source3: slapd.tmpfiles
-Source4: slapd.ldif
-Source5: ldap.conf
+Source2: slapd.tmpfiles
+Source3: slapd.ldif
+Source4: ldap.conf
 Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz
 Source50: libexec-functions
-Source51: libexec-convert-config.sh
 Source52: libexec-check-config.sh
 Source53: libexec-upgrade-db.sh
-Source54: libexec-create-certdb.sh
-Source55: libexec-generate-server-cert.sh
-Source56: libexec-update-ppolicy-schema.sh
 
 # patches for 2.4
 Patch0: openldap-manpages.patch
-Patch1: openldap-ppolicy-loglevels.patch
-Patch2: openldap-sql-linking.patch
-Patch3: openldap-reentrant-gethostby.patch
-Patch4: openldap-smbk5pwd-overlay.patch
-Patch5: openldap-ldaprc-currentdir.patch
-Patch6: openldap-userconfig-setgid.patch
-Patch7: openldap-allop-overlay.patch
-Patch8: openldap-syncrepl-unset-tls-options.patch
-Patch9: openldap-man-sasl-nocanon.patch
-Patch10: openldap-ai-addrconfig.patch
+Patch2: openldap-reentrant-gethostby.patch
+Patch3: openldap-smbk5pwd-overlay.patch
+Patch5: openldap-ai-addrconfig.patch
+Patch17: openldap-allop-overlay.patch
+
 # fix back_perl problems with lt_dlopen()
 # might cause crashes because of symbol collisions
 # the proper fix is to link all perl modules against libperl
@@ -44,30 +34,17 @@ Patch10: openldap-ai-addrconfig.patch
 Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
 # ldapi sasl fix pending upstream inclusion
 Patch20: openldap-ldapi-sasl.patch
-# coverity - missin_unlock in servers/slapd/overlays/accesslog.c
-Patch21: openldap-missing-unlock-in-accesslog-overlay.patch
-Patch23: openldap-module-passwd-sha2.patch
-# pending upstream inclusion, ITS #7744
-Patch24: openldap-man-tls-reqcert.patch
-Patch25: openldap-man-ldap-conf.patch
-Patch35: openldap-ITS8428-init-sc_writewait.patch
-Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch
-Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch
+Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
+Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
+Patch24: openldap-openssl-manpage-defaultCA.patch
+Patch25: openldap-tlso-use-openssl-api-to-verify-host.patch
 
 # check-password module specific patches
 Patch90: check-password-makefile.patch
 Patch91: check-password.patch
-Patch92: check-password-loglevels.patch
 
-# MozNSS compatibility layer
-Patch101: openldap-tlsmc.patch
-# Fedora specific patches
-Patch102: openldap-fedora-systemd.patch
-
-BuildRequires: cyrus-sasl-devel, nss-devel, openssl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
-BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
-Requires: nss-tools
-Requires(post): rpm, coreutils, findutils
+BuildRequires: cyrus-sasl-devel, openssl-devel, krb5-devel, unixODBC-devel
+BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-devel, perl(ExtUtils::Embed)
 
 %description
 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@@ -80,7 +57,6 @@ libraries, and documentation for OpenLDAP.
 
 %package devel
 Summary: LDAP development libraries and header files
-Group: Development/Libraries
 Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}
 
 %description devel
@@ -96,13 +72,10 @@ Summary: LDAP server
 License: OpenLDAP
 Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils
 Requires(pre): shadow-utils
-Requires(post): systemd, systemd-sysv, chkconfig
-Requires(preun): systemd
-Requires(postun): systemd
+BuildRequires: systemd
+%{?systemd_requires}
 BuildRequires: libdb-devel
-BuildRequires: systemd-units
 BuildRequires: cracklib-devel
-Group: System Environment/Daemons
 # migrationtools (slapadd functionality):
 Provides: ldif2ldbm
 
@@ -114,24 +87,9 @@ information, but other information is possible) over the Internet,
 similar to the way DNS (Domain Name System) information is propagated
 over the Internet. This package contains the slapd server and related files.
 
-%package servers-sql
-Summary: SQL support module for OpenLDAP server
-Requires: openldap-servers%{?_isa} = %{version}-%{release}
-Group: System Environment/Daemons
-
-%description servers-sql
-OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
-Protocol) applications and development tools. LDAP is a set of
-protocols for accessing directory services (usually phone book style
-information, but other information is possible) over the Internet,
-similar to the way DNS (Domain Name System) information is propagated
-over the Internet. This package contains a loadable module which the
-slapd server can use to read data from an RDBMS.
-
 %package clients
 Summary: LDAP client utilities
 Requires: openldap%{?_isa} = %{version}-%{release}
-Group: Applications/Internet
 
 %description clients
 OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
@@ -147,36 +105,19 @@ programs needed for accessing and modifying OpenLDAP directories.
 
 pushd openldap-%{version}
 
-%patch101 -p1
-
-# alternative include paths for Mozilla NSS
-ln -s %{_includedir}/nss3 include/nss
-ln -s %{_includedir}/nspr4 include/nspr
-
 AUTOMAKE=%{_bindir}/true autoreconf -fi
 
 %patch0 -p1
-%patch1 -p1
 %patch2 -p1
 %patch3 -p1
-%patch4 -p1
 %patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
-%patch10 -p1
+%patch17 -p1
 %patch19 -p1
 %patch20 -p1
-%patch21 -p1
+%patch22 -p1
 %patch23 -p1
 %patch24 -p1
 %patch25 -p1
-%patch35 -p1
-%patch36 -p1
-%patch37 -p1
-
-%patch102 -p1
 
 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@@ -185,11 +126,6 @@ mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.s
 ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays
 mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop
 mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5
-# build sha2 with other overlays
-ln -s ../../../contrib/slapd-modules/passwd/sha2/{sha2.{c,h},slapd-sha2.c} \
-      servers/slapd/overlays
-ls servers/slapd/overlays
-mv contrib/slapd-modules/passwd/sha2/README{,.sha2}
 
 mv servers/slapd/back-perl/README{,.back_perl}
 
@@ -204,33 +140,19 @@ popd
 pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
 %patch90 -p1
 %patch91 -p1
-%patch92 -p1
 popd
 
 %build
 
-%ifarch s390 s390x
-  export CFLAGS="-fPIE"
-%else
-  export CFLAGS="-fpie"
-%endif
-export LDFLAGS="-pie"
-# avoid stray dependencies (linker flag --as-needed)
 # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
-export CFLAGS="${CFLAGS} %{optflags} -Wl,-z,relro,-z,now,--as-needed -DLDAP_CONNECTIONLESS"
-
+export CFLAGS="%{optflags} ${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS"
+export CXXFLAGS="%{optflags} ${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS"
 pushd openldap-%{version}
 %configure \
 	--enable-debug \
 	--enable-dynamic \
-	--enable-syslog \
-	--enable-proctitle \
-	--enable-ipv6 \
-	--enable-local \
 	\
-	--enable-slapd \
 	--enable-dynacl \
-	--enable-aci \
 	--enable-cleartext \
 	--enable-crypt \
 	--enable-lmpasswd \
@@ -240,7 +162,6 @@ pushd openldap-%{version}
 	--enable-rlookups \
 	--enable-slapi \
 	--disable-slp \
-	--enable-wrappers \
 	\
 	--enable-backends=mod \
 	--enable-bdb=yes \
@@ -248,13 +169,11 @@ pushd openldap-%{version}
 	--enable-mdb=yes \
 	--enable-monitor=yes \
 	--disable-ndb \
+	--disable-sql \
 	\
 	--enable-overlays=mod \
 	\
 	--disable-static \
-	--enable-shared \
-	\
-	--enable-moznss-compatibility=yes \
 	\
 	--with-cyrus-sasl \
 	--without-fetch \
@@ -265,12 +184,6 @@ pushd openldap-%{version}
 	--libexecdir=%{_libdir}
 
 make %{_smp_mflags}
-
-# build mdb_* tools
-pushd libraries/liblmdb
-export XCFLAGS="$CFLAGS"
-make %{_smp_mflags}
-popd
 popd
 
 pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
@@ -285,9 +198,6 @@ mkdir -p %{buildroot}%{_libdir}/
 
 pushd openldap-%{version}
 make install DESTDIR=%{buildroot} STRIP=""
-pushd libraries/liblmdb
-make install DESTDIR=%{buildroot}
-popd
 popd
 
 # install check_password module
@@ -320,31 +230,19 @@ install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap
 install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap
 
 # setup autocreation of runtime directories on tmpfs
-mkdir -p %{buildroot}%{_tmpfilesdir}/
-install -m 0644 %SOURCE3 %{buildroot}%{_tmpfilesdir}/slapd.conf
+mkdir -p %{buildroot}%{_tmpfilesdir}
+install -m 0644 %SOURCE2 %{buildroot}%{_tmpfilesdir}/slapd.conf
 
 # install default ldap.conf (customized)
 rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
-install -m 0644 %SOURCE5 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
+install -m 0644 %SOURCE4 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
 
 # setup maintainance scripts
 mkdir -p %{buildroot}%{_libexecdir}
 install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
 install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
-install -m 0755 %SOURCE51 %{buildroot}%{_libexecdir}/openldap/convert-config.sh
 install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
 install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
-install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh
-install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh
-install -m 0755 %SOURCE56 %{buildroot}%{_libexecdir}/openldap/update-ppolicy-schema.sh
-
-# install mdb_* tools
-mv %{buildroot}/usr/local/bin/mdb_{copy,dump,load,stat} %{buildroot}%{_libexecdir}/openldap/
-mkdir -p %{buildroot}%{_libexecdir}/openldap/man/man1
-mv %{buildroot}/usr/local/share/man/man1/mdb_{copy,dump,load,stat}.1 %{buildroot}%{_libexecdir}/openldap/man/man1/
-# we don't want the library itself nor header file
-rm -f %{buildroot}/usr/local/include/lmdb.h
-rm -f %{buildroot}/usr/local/lib/liblmdb.{a,so}
 
 # remove build root from config files and manual pages
 perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
@@ -358,10 +256,6 @@ rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default
 mkdir -p %{buildroot}%{_unitdir}
 install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service
 
-# install syconfig/ldap
-mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
-install -m 644 %SOURCE2 %{buildroot}%{_sysconfdir}/sysconfig/slapd
-
 # move slapd out of _libdir
 mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/
 
@@ -370,43 +264,41 @@ rm -f %{buildroot}%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
 rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
 for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done
 
+# re-symlink unversioned libraries, so ldconfig is not confused
+pushd %{buildroot}%{_libdir}
+v=%{version}
+version=$(echo ${v%.[0-9]*})
+for lib in liblber libldap libldap_r libslapi; do
+	rm -f ${lib}.so
+	ln -s ${lib}-${version}.so.2 ${lib}.so
+done
+popd
+
 # tweak permissions on the libraries to make sure they're correct
 chmod 0755 %{buildroot}%{_libdir}/lib*.so*
 chmod 0644 %{buildroot}%{_libdir}/lib*.*a
 
 # slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
-# new configuration will be generated in %%post
 mkdir -p %{buildroot}%{_datadir}
 install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
-install -m 0644 %SOURCE4 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
-install -m 0750 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
+install -m 0644 %SOURCE3 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
+install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
 rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
 rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
 
 # move doc files out of _sysconfdir
 mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
 mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
-chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh
 chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
 
 # remove files which we don't want packaged
-rm -f %{buildroot}%{_libdir}/*.la
-mv %{buildroot}%{_libdir}/openldap/check_password.so{,.tmp}
-rm -f %{buildroot}%{_libdir}/openldap/*.so
-mv %{buildroot}%{_libdir}/openldap/check_password.so{.tmp,}
+rm -f %{buildroot}%{_libdir}/*.la  # because we do not want files in %{_libdir}/openldap/ removed, yet
 
 rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
 rmdir %{buildroot}%{_localstatedir}/openldap-data
 
-%post
-# create certificate database
-%{_libexecdir}/openldap/create-certdb.sh >&/dev/null || :
-
-%postun
-#update only on package erase
-if [ $1 == 0 ]; then
-    /sbin/ldconfig
-fi
+%pre -p /sbin/ldconfig
+%post -p /sbin/ldconfig
 
 %pre servers
 
@@ -430,22 +322,17 @@ exit 0
 
 
 %post servers
-
-/sbin/ldconfig -n %{_libdir}/openldap
-
 %systemd_post slapd.service
 
-# generate sample TLS certificate for server (will not replace)
-%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || :
-
-# generate/upgrade configuration
-if [ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then
-	if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
-		%{_libexecdir}/openldap/convert-config.sh &>/dev/null
-		mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
-	else
-		%{_libexecdir}/openldap/convert-config.sh -f %{_datadir}/openldap-servers/slapd.ldif &>/dev/null
-	fi
+# generate configuration if necessary
+if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
+      ! -f %{_sysconfdir}/openldap/slapd.conf
+   ]]; then
+      # if there is no configuration available, generate one from the defaults
+      mkdir -p %{_sysconfdir}/openldap/slapd.d/ &>/dev/null || :
+      /usr/sbin/slapadd -F %{_sysconfdir}/openldap/slapd.d/ -n0 -l %{_datadir}/openldap-servers/slapd.ldif
+      chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d/
+      %{systemctl_bin} try-restart slapd.service &>/dev/null
 fi
 
 start_slapd=0
@@ -461,39 +348,6 @@ if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then
 	rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap
 fi
 
-# ensure ppolicy schema updated (bug #1487857)
-if [ $1 -eq 2 ]; then
-	if [ -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then
-		%{_libexecdir}/openldap/update-ppolicy-schema.sh &>/dev/null
-	fi
-fi
-
-# conversion from /etc/sysconfig/ldap to /etc/sysconfig/slapd
-if [ $1 -eq 2 ]; then
-	# we expect that 'ldap' will be renamed to 'ldap.rpmsave' after removing the old package
-	if [ -r %{_sysconfdir}/sysconfig/ldap ]; then
-		source %{_sysconfdir}/sysconfig/ldap &>/dev/null
-
-		new_urls=
-		[ "$SLAPD_LDAP" != "no" ]   && new_urls="$new_urls ldap:///"
-		[ "$SLAPD_LDAPI" != "no" ]  && new_urls="$new_urls ldapi:///"
-		[ "$SLAPD_LDAPS" == "yes" ] && new_urls="$new_urls ldaps:///"
-		[ -n "$SLAPD_URLS" ]        && new_urls="$new_urls $SLAPD_URLS"
-
-		failure=0
-		cp -f %{_sysconfdir}/sysconfig/slapd %{_sysconfdir}/sysconfig/slapd.rpmconvert
-		sed -i '/^#\?SLAPD_URLS=/s@.*@SLAPD_URLS="'"$new_urls"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1
-		[ -n "$SLAPD_OPTIONS" ] && \
-			sed -i '/^#\?SLAPD_OPTIONS=/s@.*$@SLAPD_OPTIONS="'"$SLAPD_OPTIONS"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1
-
-		if [ $failure -eq 0 ]; then
-			mv -f %{_sysconfdir}/sysconfig/slapd.rpmconvert %{_sysconfdir}/sysconfig/slapd
-		else
-			rm -f %{_sysconfdir}/sysconfig/slapd.rpmconvert
-		fi
-	fi
-fi
-
 # restart after upgrade
 if [ $1 -ge 1 ]; then
 	if [ $start_slapd -eq 1 ]; then
@@ -506,24 +360,11 @@ fi
 exit 0
 
 %preun servers
-
 %systemd_preun slapd.service
 
-
 %postun servers
-
-/sbin/ldconfig ${_libdir}/openldap
 %systemd_postun_with_restart slapd.service
 
-
-%triggerun servers -- openldap-servers < 2.4.26-6
-
-# migration from SysV to systemd
-/usr/bin/systemd-sysv-convert --save slapd &>/dev/null || :
-/usr/sbin/chkconfig --del slapd &>/dev/null || :
-%{systemctl_bin} try-restart slapd.service &>/dev/null || :
-
-
 %triggerin servers -- libdb
 
 # libdb upgrade (setup for %%triggerun)
@@ -562,14 +403,13 @@ exit 0
 %files
 %doc openldap-%{version}/ANNOUNCEMENT
 %doc openldap-%{version}/CHANGES
-%doc openldap-%{version}/COPYRIGHT
-%doc openldap-%{version}/LICENSE
+%license openldap-%{version}/COPYRIGHT
+%license openldap-%{version}/LICENSE
 %doc openldap-%{version}/README
 %dir %{_sysconfdir}/openldap
 %dir %{_sysconfdir}/openldap/certs
 %config(noreplace) %{_sysconfdir}/openldap/ldap.conf
 %dir %{_libexecdir}/openldap/
-%{_libexecdir}/openldap/create-certdb.sh
 %{_libdir}/liblber-2.4*.so.*
 %{_libdir}/libldap-2.4*.so.*
 %{_libdir}/libldap_r-2.4*.so.*
@@ -588,9 +428,8 @@ exit 0
 %doc README.schema
 %config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
 %config(noreplace) %{_sysconfdir}/openldap/schema
-%config(noreplace) %{_sysconfdir}/sysconfig/slapd
-%config(noreplace) %{_tmpfilesdir}/slapd.conf
 %config(noreplace) %{_sysconfdir}/openldap/check_password.conf
+%{_tmpfilesdir}/slapd.conf
 %dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
 %dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
 %{_unitdir}/slapd.service
@@ -620,7 +459,6 @@ exit 0
 %{_libdir}/openldap/retcode*
 %{_libdir}/openldap/rwm*
 %{_libdir}/openldap/seqmod*
-%{_libdir}/openldap/pw-sha2*
 %{_libdir}/openldap/smbk5pwd*
 %{_libdir}/openldap/sssvlv*
 %{_libdir}/openldap/syncprov*
@@ -629,25 +467,14 @@ exit 0
 %{_libdir}/openldap/valsort*
 %{_libdir}/openldap/check_password*
 %{_libexecdir}/openldap/functions
-%{_libexecdir}/openldap/convert-config.sh
 %{_libexecdir}/openldap/check-config.sh
 %{_libexecdir}/openldap/upgrade-db.sh
-%{_libexecdir}/openldap/generate-server-cert.sh
-%{_libexecdir}/openldap/update-ppolicy-schema.sh
-%{_libexecdir}/openldap/mdb_*
-%{_libexecdir}/openldap/man/man1/mdb_*
 %{_sbindir}/sl*
 %{_mandir}/man8/*
 %{_mandir}/man5/slapd*.5*
 %{_mandir}/man5/slapo-*.5*
 # obsolete configuration
 %ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
-%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf.bak
-
-%files servers-sql
-%doc openldap-%{version}/servers/slapd/back-sql/docs/*
-%doc openldap-%{version}/servers/slapd/back-sql/rdbms_depend
-%{_libdir}/openldap/back_sql*
 
 %files clients
 %{_bindir}/*
@@ -660,165 +487,290 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
-* Wed Jan 31 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-13
-- MozNSS Compat. Layer: fix recursive directory deletion (#1516409)
-- MozNSS Compat. Layer: fix PIN disclaimer not always shown (#1516409)
-- MozNSS Compat. Layer: fix incorrect parsing of CACertDir (#1533955)
-
-* Thu Jan 11 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-12
-- MozNSS Compat. Layer: Ensure consistency of a PEM dir before usage (#1516409)
-  + Warn just before use of a PIN about key file extraction
-
-* Wed Jan 10 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-11
-- MozNSS Compat. Layer: Enable usage of NSS DB with PEM cert/key (#1525485)
-  + Fix a possible invalid dereference (covscan)
-
-* Tue Nov 28 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-10
-- Drop update-ppolicy-schema.sh scriptlet's output (#1487857)
-- Fix issues in MozNSS compatibility layer (#1400578)
+* Wed Jan 15 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-11
+- Use OpenSSL-1.0.2+ API for host name verification (#1788572)
+
+* Sun Aug 18 2019 Matus Honek <mhonek@redhat.com> - 2.4.46-10
+- Do not fallback to checking CN when no SAN matched (#1740070)
+
+* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
+- Reference default system-wide CA certificates in manpages (#1611624)
+
+* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
+- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623497)
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jul  6 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-6
+- Build with LDAP_USE_NON_BLOCKING_TLS (#1594928)
+- Remove unused leftover MozNSS Compat. Layer references (cont.) (#1557967)
+
+* Fri Jul 06 2018 Petr Pisar <ppisar@redhat.com> - 2.4.46-5
+- Perl 5.28 rebuild
+
+* Wed Jul  4 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-4
+- Remove unused leftover MozNSS Compat. Layer references (#1557967)
+
+* Wed Jul  4 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-3
+- MozNSS Compat. Layer: Make log messages more clear (#1598103)
+- MozNSS Compat. Layer: Fix memleaks reported by valgrind (#1595203)
+
+* Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.46-2
+- Perl 5.28 rebuild
+- MozNSS Compat. Layer: Fix typos, and spelling in the README file header (#1564161)
+
+* Tue Mar 27 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-1
+- Rebase to version OpenLDAP 2.4.46 (#1559652)
+
+* Mon Mar  5 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-14
+- Utilize system-wide crypto-policies (#1483979)
+
+* Thu Mar  1 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-13
+- fix: openldap does not use Fedora build flags
+  + makes use of redhat-rpm-config package
+- Drop superfluous back-sql linking patch
+
+* Wed Feb 28 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-12
+- MozNSS Compat. Layer: fix: libldap tlsmc continues even after it fails to extract CA certificates (#1550110)
+
+* Wed Feb 21 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-11
+- TLS: Use system trusted CA store by default (#1270678, #1537259)
+
+* Sun Feb 11 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-10
+- Complete change: Disable TLSMC in F29+
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.45-9
+- Escape macros in %%changelog
+- Disable TLSMC in F29+
+- Remove obsolete Group tag
+- Don't call ldconfig in servers subpackage
+- Switch to %%ldconfig_scriptlets
+- Remove unneeded Requires(post): systemd-sysv, chkconfig
+- Switch to %%systemd_requires
+- Change BuildRequires: systemd-units to systemd
+
+* Wed Feb  7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-8
+- Drop TCP wrappers support (#1531487)
+
+* Wed Feb  7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-7
+- MozNSS Compat. Layer fixes (#1400570)
+  - fix incorrect parsing of CACertDir (orig. #1533955)
+  - fix PIN disclaimer not always shown (orig. #1516409)
+  - fix recursive directory deletion (orig. #1516409)
+  - Ensure consistency of a PEM dir before usage (orig. #1516409)
+    + Warn just before use of a PIN about key file extraction
+  - Enable usage of NSS DB with PEM cert/key (orig. #1525485)
+    + Fix a possible invalid dereference (covscan)
+
+* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.45-6
+- Rebuilt for switch to libxcrypt
+
+* Wed Dec  6 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-5
+- Fix issues in MozNSS compatibility layer (#1400570)
   + Force write file with fsync to avoid race conditions
   + Always filestamp both sql and dbm NSS DB variants to not rely on default DB type prefix
   + Allow missing cert and key which is a valid usecase
   + Create extraction folder only in /tmp to simplify selinux rules
   + Fix Covscan issues
 
-* Fri Nov  3 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-9
-- Build with OpenSSL and MozNSS compatibility layer instead of MozNSS (#1400578)
-
-* Thu Nov  2 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-8
-- fix: Upgrading to OpenLDAP >= 2.4.43 breaks server due to ppolicy changes (#1487857)
-
-* Thu Nov  2 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7
-- fix: Manpage incorrectly states ./ldaprc config file is used (#1498841)
-
-* Thu Nov  2 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-6
-- fix: Upgrading openldap-servers does not restart slapd when rebasing (#1479309)
-
-* Tue Jun  6 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-5
-- fix CVE-2017-9287 openldap: Double free vulnerability in servers/slapd/back-mdb/search.c (#1458210)
-
-* Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-4
-- NSS: Include some CHACHA20POLY1305 ciphers (#1432907)
+* Fri Nov  3 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-4
+- Build with OpenSSL with MozNSS compatibility layer (#1400570)
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jul  7 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-1
+- Rebase to version 2.4.45 (#1458081)
+  * fixes CVE-2017-9287 (#1456712, #1456713)
+- Update the 'sources' file with new SHA512 hashes
+
+* Fri Jul  7 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-12
+- Change Requires to Recommends for nss-tools (#1415086)
+
+* Sun Jun 04 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-11
+- Perl 5.26 rebuild
+
+* Fri Mar 31 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-10
+- NSS: Maximal TLS protocol version should be equal to NSS default (#1435692)
+
+* Thu Mar 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-9
+- NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS (#1435692)
+- NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435692)
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.44-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7
+- NSS: Update list of ciphers (#1387868)
+
+* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-6
+- NSS: Use what NSS considers default for DEFAULT cipher string (#1387868)
+
+* Thu Jan 26 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-5
+- NSS: fix: incorrect multi-keyword parsing and support new ones (#1243517)
+
+* Mon Jan 23 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-4
+- fix previous commit (#1375432)
 
-* Wed Mar 15 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-3
-- NSS: re-register NSS_Shutdown callback (#1405354)
+* Fri Jan 20 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-3
+- fix: Setting olcTLSProtocolMin does not change supported protocols (#1375432)
+- fix: slapd should start after network-online.service (#1336487)
 
-* Wed Mar 15 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-2
-- Include MDB tools in openldap-servers (#1428740)
+* Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-2
+- Perl 5.24 rebuild
 
-* Wed Jan  4 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-1
-- Rebase to openldap-2.4.44 (#1386365)
+* Wed May 11 2016 Matus Honek <mhonek@redhat.com> - 2.4.44-1
+- Update to 2.4.44 (#1305191)
 
-* Wed Aug 17 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-13
-- fix: Bad log levels in check_password module
-- fix: We can't search expected entries from LDAP server
-- fix: OpenLDAP ciphersuite parsing doesn't match OpenSSL ciphers man page
-  + Add TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 to list of ciphers
-  + Add DH cipher string parsing option
-  + Correct handling kECDH ciphers with aRSA or aECDSA
+* Tue May  3 2016 Matus Honek <mhonek@redhat.com> - 2.4.43-5
+- Bring back *.la files in %%{_libdir}/openldap/ (#1331484)
 
-* Fri Jul  1 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-12
-- fix: slapd crash in do_search (#1316450)
-- fix: Setting olcTLSProtocolMin does not change supported protocols (#1249093)
+* Wed Apr 27 2016 Matus Honek <mhonek@redhat.com> - 2.4.43-4
+- Keep *.so libraries in %%{_libdir}/openldap/ (#1331484)
+- Include AllOp overlay (#1319782)
 
-* Mon May 30 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-11
-- fix: correct inconsistent slapd.d directory permissions (#1255433)
+* Sun Apr 10 2016 Peter Robinson <pbrobinson@fedoraproject.org> 2.4.43-3
+- Ensure all libtool archive files are removed (.la)
 
-* Mon May 30 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-10
-- fix: slapd fails to start on boot (#1315958)
-- fix: id_query option is not available after rebasing openldap to 2.4.39 (#1311832)
-- Include sha2 module (#1292568)
-- Compile AllOp together with other overlays (#990893)
-- Missing mutex unlock in accesslog overlay (#1261003)
-- ITS#8337 fix missing olcDbChecksum config attr (#1292590)
-- ITS#8003 fix off-by-one in LDIF length (#1292619)
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.43-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 
-* Mon Feb 22 2016 Matúš Honěk <mhonek@redhat.com> - 2.4.40-9
-- fix: nslcd segfaults due to incorrect mutex initialization (#1294385)
+* Wed Dec 02 2015 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 2.4.43-1
+- Update to 2.4.43 (#1253871)
 
-* Wed Sep 23 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-8
-- NSS does not support string ordering (#1231522)
-- implement and correct order of parsing attributes (#1231522)
-- add multi_mask and multi_strength to correctly handle sets of attributes (#1231522)
-- add new cipher suites and correct AES-GCM attributes (#1245279)
-- correct DEFAULT ciphers handling to exclude eNULL cipher suites (#1245279)
+* Thu Jul 16 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.41-1
+- New upstream release 2.4.41 (#1238251)
 
-* Mon Sep 14 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-7
-- Merge two MozNSS cipher suite definition patches into one. (#1245279)
-- Use what NSS considers default for DEFAULT cipher string. (#1245279)
-- Remove unnecesary defaults from ciphers' definitions (#1245279)
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.40-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 
-* Tue Sep 01 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-6
-- fix: OpenLDAP shared library destructor triggers memory leaks in NSPR (#1249977)
+* Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.40-13
+- Perl 5.22 rebuild
 
-* Fri Jul 24 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-5
-- enhancement: support TLS 1.1 and later (#1231522,#1160467)
-- fix: openldap ciphersuite parsing code handles masks incorrectly (#1231522)
-- fix the patch in commit da1b5c (fix: OpenLDAP crash in NSS shutdown handling) (#1231228)
+* Mon Apr 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-12
+- fix: bring back tmpfiles config (#1215655)
 
-* Mon Jun 29 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-4
-- fix: rpm -V complains (#1230263) -- make the previous fix do what was intended
+* Mon Mar 30 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-11
+- remove spurious ghosted file
 
-* Mon Jun 22 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-3
-- fix: rpm -V complains (#1230263)
+* Fri Feb 20 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-10
+- link against moznss again (#1187742)
 
-* Wed Jun  3 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-2
-- fix: missing frontend database indexing (#1226600)
+* Wed Feb 11 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
+- fix: Unknown Berkeley DB major version in db.h (#1191098)
 
-* Wed May 20 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-1
-- new upstream release (#1147982)
-- fix: PIE and RELRO check (#1092562)
-- fix: slaptest doesn't convert perlModuleConfig lines (#1184585)
-- fix: OpenLDAP crash in NSS shutdown handling (#1158005)
-- fix: slapd.service may fail to start if binding to NIC ip (#1198781)
-- fix: deadlock during SSL_ForceHandshake when getting connection to replica (#1125152)
-- improve check_password (#1174723, #1196243)
-- provide an unversioned symlink to check_password.so.1.1 (#1174634)
-- add findutils to requires (#1209229)
+* Tue Feb 10 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
+- CVE-2015-1545: slapd crashes on search with deref control (#1190645)
 
-* Thu Dec  4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-6
-- refix: slapd.ldif olcFrontend missing important/required objectclass (#1132094)
+* Tue Jan 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-8
+- link against openssl by default
+- simplify package even more by removing certificate generation
 
-* Fri Nov 28 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-5
-- add documentation reference to service file (#1087288)
-- fix: tls_reqcert try has bad behavior (#1027613)
+* Mon Jan 26 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-7
+- remove tmpfiles config since it's no longer needed
+- fix invalid ldif
+- simplify checking for missing server configuration
 
-* Tue Nov 25 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-4
-- support TLS 1.1 and later (#1160468)
-- fix: /etc/openldap/certs directory is empty after installation (#1064251)
-- fix: Typo in script to generate /usr/libexec/openldap/generate-server-cert.sh (#1087490)
-- fix: remove correct tmp file when generating server cert (#1103101)
-- fix: slapd.ldif olcFrontend missing important/required objectclass (#1132094)
+* Fri Jan 16 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-6
+- remove openldap-fedora-systemd.patch
+- remove openldap-ldaprc-currentdir.patch
+- remove openldap-userconfig-setgid.patch
+- remove openldap-syncrepl-unset-tls-options.patch
+- remove unneeded configure flags, disable sql backend and aci
+- make mdb default after a new installation
+- remove pid file and args file
+- renumber patches and sources
 
-* Wed Feb 26 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-3
-- move tmpfiles config to correct location (#1069513)
+* Wed Dec 17 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-5
+- harden the build
+- improve check_password
+- provide an unversioned symlink to check_password.so.1.1
+
+* Tue Dec 16 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-4
+- remove openldap.pc
+
+* Tue Dec  9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-3
+- enhancement: generate openldap.pc (#1171493)
+
+* Fri Nov 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-2
+- enhancement: support TLSv1 and later (#1160466)
+
+* Mon Oct  6 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-1
+- new upstream release (#1147877)
+
+* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.39-12
+- Perl 5.20 rebuild
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.4.39-10
+- fix license handling
+
+* Mon Jul 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-9
+- fix: fix typo in generate-server-cert.sh (#1117229)
+
+* Mon Jun  9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-8
+- fix: make default service configuration listen on ldaps:/// as well (#1105634)
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Fri May 30 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-6
+- fix: remove correct tmp file when generating server cert (#1103102)
+
+* Mon Mar 24 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-5
+- re-symlink unversioned libraries, so ldconfig is not confused (#1028557)
+
+* Tue Mar  4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-4
+- don't automatically convert slapd.conf to slapd-config
+
+* Wed Feb 19 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-3
+- remove redundant sysconfig-related stuff
+- add documentation reference to service file
+- alias slapd.service as openldap.service
+
+* Tue Feb  4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-2
+- CVE-2013-4449: segfault on certain queries with rwm overlay (#1060851)
+
+* Wed Jan 29 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-1
+- new upstream release (#1059186)
+
+* Mon Nov 18 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.38-1
+- new upstream release (#1031608)
+
+* Mon Nov 11 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-2
+- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1028935)
+
+* Wed Oct 30 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-1
+- new upstream release (#1023916)
+- fix: missing a linefeed at the end of file /etc/openldap/ldap.conf (#1019836)
+
+* Mon Oct 21 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-4
+- fix: slapd daemon fails to start with segmentation fault on s390x (#1020661)
+
+* Tue Oct 15 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-3
+- rebuilt for libdb-5.3.28
+
+* Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2
+- fix: CLDAP is broken for IPv6 (#1018688)
+
+* Wed Sep  4 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2
+- fix: typos in manpages
+
+* Tue Aug 20 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-1
+- new upstream release
+  + compile-in mdb backend
 
-* Wed Feb  5 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-2
-- CVE-2013-4449: segfault on certain queries with rwm overlay (#1061405)
-
-* Thu Jan 30 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-1
-- new upstream release (#1040324)
-
-* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.4.35-12
-- Mass rebuild 2014-01-24
-
-* Thu Jan 16 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.35-11
-- fix: missing EOL at the end of default /etc/openldap/ldap.conf (#1053005)
-
-* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.4.35-10
-- Mass rebuild 2013-12-27
-
-* Tue Dec 17 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-9
-- fix: more typos in manpages (#948562)
-
-* Wed Nov 13 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-8
-- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1023415)
-
-* Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-7
-- fix: CLDAP is broken for IPv6 (#1007421)
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.35-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
 
-* Wed Sep  4 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-6
-- fix: typos in manpages (#948562)
+* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 2.4.35-6
+- Perl 5.18 rebuild
 
 * Fri Jun 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-5
 - fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0"