
openldap version update 2.4.46

Signed-off-by: basebuilder_pel7ppc64lebuilder0 <basebuilder@powerel.org>
basebuilder_pel7ppc64lebuilder0 4 years ago
parent
commit
514409597c
  1. 16
      SOURCES/check-password-makefile.patch
  2. 196
      SOURCES/check-password.patch
  3. 12
      SOURCES/ldap.conf
  4. BIN
      SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
  5. 8
      SOURCES/openldap-ai-addrconfig.patch
  6. 24
      SOURCES/openldap-allop-overlay.patch
  7. 39
      SOURCES/openldap-ldapi-sasl.patch
  8. 7
      SOURCES/openldap-manpages.patch
  9. 227
      SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch
  10. 34
      SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch
  11. 48
      SOURCES/openldap-openssl-manpage-defaultCA.patch
  12. 6
      SOURCES/openldap-reentrant-gethostby.patch
  13. 25
      SOURCES/openldap-smbk5pwd-overlay.patch
  14. 16
      SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
  15. 224
      SOURCES/openldap-tlso-use-openssl-api-to-verify-host.patch
  16. 28
      SOURCES/slapd.ldif
  17. 6
      SOURCES/slapd.service
  18. 668
      SPECS/openldap.spec

16
SOURCES/check-password-makefile.patch

@ -3,15 +3,15 @@
@@ -13,22 +13,11 @@ @@ -13,22 +13,11 @@
# #
CONFIG=/etc/openldap/check_password.conf CONFIG=/etc/openldap/check_password.conf

-OPT=-g -O2 -Wall -fpic \ -OPT=-g -O2 -Wall -fpic \
- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ - -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
- -DCONFIG_FILE="\"$(CONFIG)\"" \ - -DCONFIG_FILE="\"$(CONFIG)\"" \
+CFLAGS+=-fpic \ +CFLAGS+=-fpic \
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ + -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+ -DCONFIG_FILE="\"$(CONFIG)\"" \ + -DCONFIG_FILE="\"$(CONFIG)\"" \
-DDEBUG -DDEBUG

-# Where to find the OpenLDAP headers. -# Where to find the OpenLDAP headers.
-# -#
-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \ -LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
@ -24,18 +24,18 @@
-INCS=$(LDAP_INC) $(CRACK_INC) -INCS=$(LDAP_INC) $(CRACK_INC)
- -
LDAP_LIB=-lldap_r -llber LDAP_LIB=-lldap_r -llber

# Comment out this line if you do NOT want to use the cracklib. # Comment out this line if you do NOT want to use the cracklib.
@@ -45,10 +34,10 @@ @@ -45,10 +34,10 @@
all: check_password all: check_password

check_password.o: check_password.o:
- $(CC) $(OPT) -c $(INCS) check_password.c - $(CC) $(OPT) -c $(INCS) check_password.c
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c + $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c

check_password: clean check_password.o check_password: clean check_password.o
- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) - $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) + $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)

install: check_password install: check_password
cp -f check_password.so ../../../usr/lib/openldap/modules/ cp -f check_password.so ../../../usr/lib/openldap/modules/

196
SOURCES/check-password.patch

@ -2,33 +2,33 @@
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100 +++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
@@ -10,7 +10,7 @@ @@ -10,7 +10,7 @@
#include <slap.h> #include <slap.h>

#ifdef HAVE_CRACKLIB #ifdef HAVE_CRACKLIB
-#include "crack.h" -#include "crack.h"
+#include <crack.h> +#include <crack.h>
#endif #endif

#if defined(DEBUG) #if defined(DEBUG)
@@ -34,18 +34,77 @@ @@ -34,18 +34,77 @@
#define PASSWORD_TOO_SHORT_SZ \ #define PASSWORD_TOO_SHORT_SZ \
"Password for dn=\"%s\" is too short (%d/6)" "Password for dn=\"%s\" is too short (%d/6)"
#define PASSWORD_QUALITY_SZ \ #define PASSWORD_QUALITY_SZ \
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)" - "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)" + "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
#define BAD_PASSWORD_SZ \ #define BAD_PASSWORD_SZ \
"Bad password for dn=\"%s\" because %s" "Bad password for dn=\"%s\" because %s"
+#define UNKNOWN_ERROR_SZ \ +#define UNKNOWN_ERROR_SZ \
+ "An unknown error occurred, please see your systems administrator" + "An unknown error occurred, please see your systems administrator"

typedef int (*validator) (char*); typedef int (*validator) (char*);
-static int read_config_file (char *); -static int read_config_file (char *);
+static int read_config_file (); +static int read_config_file ();
static validator valid_word (char *); static validator valid_word (char *);
static int set_quality (char *); static int set_quality (char *);
static int set_cracklib (char *); static int set_cracklib (char *);

int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);

+struct config_entry { +struct config_entry {
+ char* key; + char* key;
+ char* value; + char* value;
@ -90,9 +90,9 @@
{ {
#if defined(DEBUG) #if defined(DEBUG)
@@ -84,12 +143,12 @@ @@ -84,12 +143,12 @@
char * parameter; char * parameter;
validator dealer; validator dealer;
} list[] = { { "minPoints", set_quality }, } list[] = { { "minPoints", set_quality },
- { "useCracklib", set_cracklib }, - { "useCracklib", set_cracklib },
- { "minUpper", set_digit }, - { "minUpper", set_digit },
- { "minLower", set_digit }, - { "minLower", set_digit },
@ -105,49 +105,49 @@
+ { "minDigit", set_digit }, + { "minDigit", set_digit },
+ { "minPunct", set_digit }, + { "minPunct", set_digit },
+ { NULL, NULL } }; + { NULL, NULL } };
int index = 0; int index = 0;

#if defined(DEBUG) #if defined(DEBUG)
@@ -98,7 +157,7 @@ @@ -98,7 +157,7 @@

while (list[index].parameter != NULL) { while (list[index].parameter != NULL) {
if (strlen(word) == strlen(list[index].parameter) && if (strlen(word) == strlen(list[index].parameter) &&
- strcmp(list[index].parameter, word) == 0) { - strcmp(list[index].parameter, word) == 0) {
+ strcmp(list[index].parameter, word) == 0) { + strcmp(list[index].parameter, word) == 0) {
#if defined(DEBUG) #if defined(DEBUG)
syslog(LOG_NOTICE, "check_password: Parameter accepted."); syslog(LOG_NOTICE, "check_password: Parameter accepted.");
#endif #endif
@@ -114,13 +173,15 @@ @@ -114,13 +173,15 @@
return NULL; return NULL;
} }

-static int read_config_file (char *keyWord) -static int read_config_file (char *keyWord)
+static int read_config_file () +static int read_config_file ()
{ {
FILE * config; FILE * config;
char * line; char * line;
int returnValue = -1; int returnValue = -1;

- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) { - if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
+ line = ber_memcalloc(260, sizeof(char)); + line = ber_memcalloc(260, sizeof(char));
+ +
+ if ( line == NULL ) { + if ( line == NULL ) {
return returnValue; return returnValue;
} }

@@ -133,6 +194,8 @@ @@ -133,6 +194,8 @@
return returnValue; return returnValue;
} }

+ returnValue = 0; + returnValue = 0;
+ +
while (fgets(line, 256, config) != NULL) { while (fgets(line, 256, config) != NULL) {
char *start = line; char *start = line;
char *word, *value; char *word, *value;
@@ -145,23 +208,40 @@ @@ -145,23 +208,40 @@

while (isspace(*start) && isascii(*start)) start++; while (isspace(*start) && isascii(*start)) start++;

- if (! isascii(*start)) - if (! isascii(*start))
+ /* If we've got punctuation, just skip the line. */ + /* If we've got punctuation, just skip the line. */
+ if ( ispunct(*start)) { + if ( ispunct(*start)) {
@ -155,9 +155,9 @@
+ /* Debug traces to syslog. */ + /* Debug traces to syslog. */
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); + syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
+#endif +#endif
continue; continue;
+ } + }

- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) { - if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
- if ((value = strtok(NULL, " \t")) == NULL) - if ((value = strtok(NULL, " \t")) == NULL)
- continue; - continue;
@ -169,12 +169,12 @@
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) { + if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
+ while ( keyWord != NULL ) { + while ( keyWord != NULL ) {
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { + if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {

#if defined(DEBUG) #if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); - syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); + syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
#endif #endif

- returnValue = (*dealer)(value); - returnValue = (*dealer)(value);
+ centry[i].value = chomp(value); + centry[i].value = chomp(value);
+ break; + break;
@ -183,51 +183,51 @@
+ keyWord = centry[i].key; + keyWord = centry[i].key;
+ } + }
+ } + }
} }
} }
- -
fclose(config); fclose(config);
ber_memfree(line); ber_memfree(line);
+ +
return returnValue; return returnValue;
} }

@@ -170,7 +250,7 @@ @@ -170,7 +250,7 @@
if (curlen < nextlen + MEMORY_MARGIN) { if (curlen < nextlen + MEMORY_MARGIN) {
#if defined(DEBUG) #if defined(DEBUG)
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d", syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
- curlen, nextlen + MEMORY_MARGIN); - curlen, nextlen + MEMORY_MARGIN);
+ curlen, nextlen + MEMORY_MARGIN); + curlen, nextlen + MEMORY_MARGIN);
#endif #endif
ber_memfree(*target); ber_memfree(*target);
curlen = nextlen + MEMORY_MARGIN; curlen = nextlen + MEMORY_MARGIN;
@@ -180,7 +260,7 @@ @@ -180,7 +260,7 @@
return curlen; return curlen;
} }

- int - int
+int +int
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
{ {

@@ -210,20 +290,22 @@ @@ -210,20 +290,22 @@
nLen = strlen (pPasswd); nLen = strlen (pPasswd);
if ( nLen < 6) { if ( nLen < 6) {
mem_len = realloc_error_message(&szErrStr, mem_len, mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_TOO_SHORT_SZ) + - strlen(PASSWORD_TOO_SHORT_SZ) +
- strlen(pEntry->e_name.bv_val) + 1); - strlen(pEntry->e_name.bv_val) + 1);
+ strlen(PASSWORD_TOO_SHORT_SZ) + + strlen(PASSWORD_TOO_SHORT_SZ) +
+ strlen(pEntry->e_name.bv_val) + 1); + strlen(pEntry->e_name.bv_val) + 1);
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen); sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
goto fail; goto fail;
} }

- /* Read config file */ - /* Read config file */
- minQuality = read_config_file("minPoints"); - minQuality = read_config_file("minPoints");
+ if (read_config_file() == -1) { + if (read_config_file() == -1) {
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE); + syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
+ } + }

- useCracklib = read_config_file("useCracklib"); - useCracklib = read_config_file("useCracklib");
- minUpper = read_config_file("minUpper"); - minUpper = read_config_file("minUpper");
- minLower = read_config_file("minLower"); - minLower = read_config_file("minLower");
@ -239,22 +239,22 @@
+ minLower = get_config_entry_int("minLower"); + minLower = get_config_entry_int("minLower");
+ minDigit = get_config_entry_int("minDigit"); + minDigit = get_config_entry_int("minDigit");
+ minPunct = get_config_entry_int("minPunct"); + minPunct = get_config_entry_int("minPunct");

/** The password must have at least minQuality strength points with one /** The password must have at least minQuality strength points with one
* point for the first occurrance of a lower, upper, digit and * point for the first occurrance of a lower, upper, digit and
@@ -232,8 +314,6 @@ @@ -232,8 +314,6 @@

for ( i = 0; i < nLen; i++ ) { for ( i = 0; i < nLen; i++ ) {

- if ( nQuality >= minQuality ) break; - if ( nQuality >= minQuality ) break;
- -
if ( islower (pPasswd[i]) ) { if ( islower (pPasswd[i]) ) {
minLower--; minLower--;
if ( !nLower && (minLower < 1)) { if ( !nLower && (minLower < 1)) {
@@ -279,12 +359,23 @@ @@ -279,12 +359,23 @@
} }
} }

- if ( nQuality < minQuality ) { - if ( nQuality < minQuality ) {
+ /* + /*
+ * If you have a required field, then it should be required in the strength + * If you have a required field, then it should be required in the strength
@ -268,54 +268,54 @@
+ (minPunct > 0 ) || + (minPunct > 0 ) ||
+ (nQuality < minQuality) + (nQuality < minQuality)
+ ) { + ) {
mem_len = realloc_error_message(&szErrStr, mem_len, mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_QUALITY_SZ) + - strlen(PASSWORD_QUALITY_SZ) +
- strlen(pEntry->e_name.bv_val) + 2); - strlen(pEntry->e_name.bv_val) + 2);
+ strlen(PASSWORD_QUALITY_SZ) + + strlen(PASSWORD_QUALITY_SZ) +
+ strlen(pEntry->e_name.bv_val) + 2); + strlen(pEntry->e_name.bv_val) + 2);
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val, sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
- nQuality, minQuality); - nQuality, minQuality);
+ nQuality, minQuality); + nQuality, minQuality);
goto fail; goto fail;
} }

@@ -306,7 +397,7 @@ @@ -306,7 +397,7 @@
for ( j = 0; j < 3; j++ ) { for ( j = 0; j < 3; j++ ) {

snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \ snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
- CRACKLIB_DICTPATH, ext[j]); - CRACKLIB_DICTPATH, ext[j]);
+ CRACKLIB_DICTPATH, ext[j]); + CRACKLIB_DICTPATH, ext[j]);

if (( fp = fopen ( filename, "r")) == NULL ) { if (( fp = fopen ( filename, "r")) == NULL ) {

@@ -326,9 +417,9 @@ @@ -326,9 +417,9 @@
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH); r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
if ( r != NULL ) { if ( r != NULL ) {
mem_len = realloc_error_message(&szErrStr, mem_len, mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(BAD_PASSWORD_SZ) + - strlen(BAD_PASSWORD_SZ) +
- strlen(pEntry->e_name.bv_val) + - strlen(pEntry->e_name.bv_val) +
- strlen(r)); - strlen(r));
+ strlen(BAD_PASSWORD_SZ) + + strlen(BAD_PASSWORD_SZ) +
+ strlen(pEntry->e_name.bv_val) + + strlen(pEntry->e_name.bv_val) +
+ strlen(r)); + strlen(r));
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r); sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
goto fail; goto fail;
} }
@@ -342,15 +433,15 @@ @@ -342,15 +433,15 @@
} }

#endif #endif
- -
+ dealloc_config_entries(); + dealloc_config_entries();
*ppErrStr = strdup (""); *ppErrStr = strdup ("");
ber_memfree(szErrStr); ber_memfree(szErrStr);
return (LDAP_SUCCESS); return (LDAP_SUCCESS);

fail: fail:
+ dealloc_config_entries(); + dealloc_config_entries();
*ppErrStr = strdup (szErrStr); *ppErrStr = strdup (szErrStr);
ber_memfree(szErrStr); ber_memfree(szErrStr);
return (EXIT_FAILURE); return (EXIT_FAILURE);

} }
- -

12
SOURCES/ldap.conf

@ -12,7 +12,17 @@
#TIMELIMIT 15 #TIMELIMIT 15
#DEREF never #DEREF never


TLS_CACERTDIR /etc/openldap/certs # When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem

# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM


# Turning this off breaks GSSAPI used with krb5 when rdns = false # Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on SASL_NOCANON on
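Review bot: Dropping the `TLS_CACERTDIR /etc/openldap/certs` line silently changes which trust anchors every client using this file relies on: CA certificates that were installed only under /etc/openldap/certs stop being trusted after the upgrade, and the trust set becomes the system bundle instead, neither of which the new comment block mentions. The comment also states the system-store fallback unconditionally, while the manpage patch added in this same commit limits it to OpenSSL builds ("When using OpenSSL, if neither TLS_CACERT nor TLS_CACERTDIR is set ..."). Suggest opening the block with `# With OpenSSL, when no CA certificates are specified the Shared System Certificates` and adding `# Previous default: TLS_CACERTDIR /etc/openldap/certs - set it explicitly if your CAs live there.` so an upgrader can see what changed. In the same block, "finer grinded selection" should read "finer-grained selection".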


BIN
SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz

Binary file not shown.

8
SOURCES/openldap-ai-addrconfig.patch

@ -9,12 +9,12 @@ index b31e05d..fa361ab 100644
--- a/libraries/libldap/os-ip.c --- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c +++ b/libraries/libldap/os-ip.c
@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb, @@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,

#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP ) #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
memset( &hints, '\0', sizeof(hints) ); memset( &hints, '\0', sizeof(hints) );
-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */ -#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */ - /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
+#ifdef AI_ADDRCONFIG +#ifdef AI_ADDRCONFIG
hints.ai_flags = AI_ADDRCONFIG; hints.ai_flags = AI_ADDRCONFIG;
#endif #endif
hints.ai_family = ldap_int_inet4or6; hints.ai_family = ldap_int_inet4or6;

24
SOURCES/openldap-allop-overlay.patch

@ -1,34 +1,34 @@
Compile AllOp together with other overlays. Compile AllOp together with other overlays.


Author: Matus Honek <mhonek@redhat.com> Author: Matus Honek <mhonek@redhat.com>
Resolves: #990893 Resolves: #1319782


diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
--- a/servers/slapd/overlays/Makefile.in --- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in +++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \ @@ -33,7 +33,8 @@ SRCS = overlays.c \
translucent.c \ translucent.c \
unique.c \ unique.c \
valsort.c \ valsort.c \
- smbk5pwd.c - smbk5pwd.c
+ smbk5pwd.c \ + smbk5pwd.c \
+ allop.c + allop.c
OBJS = statover.o \ OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \ @SLAPD_STATIC_OVERLAYS@ \
overlays.o overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) @@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)

LIBRARY = ../liboverlays.a LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la -PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la +PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la

XINCPATH = -I.. -I$(srcdir)/.. XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS) XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo @@ -125,6 +126,12 @@ unique.la : unique.lo
smbk5pwd.la : smbk5pwd.lo smbk5pwd.la : smbk5pwd.lo
$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)

+allop.lo : allop.c +allop.lo : allop.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< + $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+ +
@ -36,5 +36,5 @@ diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefil
+ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) + $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+ +
install-local: $(PROGRAMS) install-local: $(PROGRAMS)
@if test -n "$?" ; then \ @if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \ $(MKDIR) $(DESTDIR)$(moduledir); \

39
SOURCES/openldap-ldapi-sasl.patch

@ -13,20 +13,20 @@ index 28c241b..a9acf36 100644
--- a/libraries/libldap/cyrus.c --- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c +++ b/libraries/libldap/cyrus.c
@@ -394,6 +394,8 @@ ldap_int_sasl_bind( @@ -394,6 +394,8 @@ ldap_int_sasl_bind(
struct berval ccred = BER_BVNULL; struct berval ccred = BER_BVNULL;
int saslrc, rc; int saslrc, rc;
unsigned credlen; unsigned credlen;
+ char my_hostname[HOST_NAME_MAX + 1]; + char my_hostname[HOST_NAME_MAX + 1];
+ int free_saslhost = 0; + int free_saslhost = 0;

Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n", Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
mechs ? mechs : "<null>", 0, 0 ); mechs ? mechs : "<null>", 0, 0 );
@@ -454,14 +456,25 @@ ldap_int_sasl_bind( @@ -454,14 +456,25 @@ ldap_int_sasl_bind(

/* If we don't need to canonicalize just use the host /* If we don't need to canonicalize just use the host
* from the LDAP URI. * from the LDAP URI.
+ * Always use the result of gethostname() for LDAPI. + * Always use the result of gethostname() for LDAPI.
*/ */
- if ( nocanon ) - if ( nocanon )
+ if (ld->ld_defconn->lconn_server->lud_scheme != NULL && + if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
+ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) { + strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
@ -37,18 +37,19 @@ index 28c241b..a9acf36 100644
+ saslhost = "localhost"; + saslhost = "localhost";
+ } + }
+ } else if ( nocanon ) + } else if ( nocanon )
saslhost = ld->ld_defconn->lconn_server->lud_host; saslhost = ld->ld_defconn->lconn_server->lud_host;
- else - else
+ else { + else {
saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb, saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
"localhost" ); "localhost" );
+ free_saslhost = 1; + free_saslhost = 1;
+ } + }
rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost ); rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
- if ( !nocanon ) - if ( !nocanon )
+ if ( free_saslhost ) + if ( free_saslhost )
LDAP_FREE( saslhost ); LDAP_FREE( saslhost );
} }

-- --
1.7.11.7 1.7.11.7


7
SOURCES/openldap-manpages.patch

@ -26,7 +26,7 @@ index cfde143..63592cb 100644
.B TLS_CACERTDIR. .B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility. +The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GnuTLS. This parameter is ignored with GnuTLS.

When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index b739f4d..e2a1a00 100644 index b739f4d..e2a1a00 100644
@ -36,7 +36,7 @@ index b739f4d..e2a1a00 100644
.SH NAME .SH NAME
slapd \- Stand-alone LDAP Daemon slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS .SH SYNOPSIS
-.B LIBEXECDIR/slapd -.B LIBEXECDIR/slapd
+.B slapd +.B slapd
[\c [\c
.BR \-4 | \-6 ] .BR \-4 | \-6 ]
@ -68,5 +68,6 @@ index b739f4d..e2a1a00 100644
.ft .ft
.fi .fi
.LP .LP
-- --
1.8.1.4 1.8.1.4


227
SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch

@ -0,0 +1,227 @@
ITS#7595 Add Elliptic Curve support for OpenSSL

Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
Author: Howard Chu <hyc@openldap.org>
Date: Sat Sep 7 09:47:19 2013 -0700

diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 9c72e8296..2311c3096 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -922,6 +922,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B olcTLSECName: <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This is required to enable ECDHE algorithms in
+OpenSSL. This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
.B olcTLSProtocolMin: <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index f504adcf9..ef03e0ad8 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1153,6 +1153,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B TLSECName <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This is required to enable ECDHE algorithms in
+OpenSSL. This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/include/ldap.h b/include/ldap.h
index c245651c2..0964a193e 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_NEWCTX 0x600f
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
+#define LDAP_OPT_X_TLS_ECNAME 0x6012
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 66e04ae80..db7193f4f 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -165,6 +165,7 @@ struct ldaptls {
char *lt_ciphersuite;
char *lt_crlfile;
char *lt_randfile; /* OpenSSL only */
+ char *lt_ecname; /* OpenSSL only */
int lt_protocol_min;
};
#endif
@@ -250,6 +251,7 @@ struct ldapoptions {
#define ldo_tls_certfile ldo_tls_info.lt_certfile
#define ldo_tls_keyfile ldo_tls_info.lt_keyfile
#define ldo_tls_dhfile ldo_tls_info.lt_dhfile
+#define ldo_tls_ecname ldo_tls_info.lt_ecname
#define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index d25c190ea..0451b01af 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = NULL;
}
+ if ( lo->ldo_tls_ecname ) {
+ LDAP_FREE( lo->ldo_tls_ecname );
+ lo->ldo_tls_ecname = NULL;
+ }
if ( lo->ldo_tls_cacertfile ) {
LDAP_FREE( lo->ldo_tls_cacertfile );
lo->ldo_tls_cacertfile = NULL;
@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
__atoe( lts.lt_dhfile );
}
+ if ( lts.lt_ecname ) {
+ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
+ __atoe( lts.lt_ecname );
+ }
#endif
lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
if ( lo->ldo_tls_ctx == NULL ) {
@@ -257,6 +265,7 @@ error_exit:
LDAP_FREE( lts.lt_crlfile );
LDAP_FREE( lts.lt_cacertdir );
LDAP_FREE( lts.lt_dhfile );
+ LDAP_FREE( lts.lt_ecname );
#endif
return rc;
}
@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
*(char **)arg = lo->ldo_tls_dhfile ?
LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
break;
+ case LDAP_OPT_X_TLS_ECNAME:
+ *(char **)arg = lo->ldo_tls_ecname ?
+ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
+ break;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
*(char **)arg = lo->ldo_tls_crlfile ?
LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
+ case LDAP_OPT_X_TLS_ECNAME:
+ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
+ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index f24060b7e..1370923af 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return -1;
}
- if ( lo->ldo_tls_dhfile ) {
- DH *dh = NULL;
+ if ( is_server && lo->ldo_tls_dhfile ) {
+ DH *dh;
BIO *bio;
- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
Debug( LDAP_DEBUG_ANY,
@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
}
BIO_free( bio );
SSL_CTX_set_tmp_dh( ctx, dh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+ DH_free( dh );
+ }
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ if ( is_server && lo->ldo_tls_ecname ) {
+ EC_KEY *ecdh;
+
+ int nid = OBJ_sn2nid( lt->lt_ecname );
+ if ( nid == NID_undef ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use EC name `%s'.\n",
+ lo->ldo_tls_ecname,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ ecdh = EC_KEY_new_by_curve_name( nid );
+ if ( ecdh == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not generate key for EC name `%s'.\n",
+ lo->ldo_tls_ecname,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+ EC_KEY_free( ecdh );
}
+#endif
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 250f14100..8b1e4e582 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -194,6 +194,7 @@ enum {
CFG_ACL_ADD,
CFG_SYNC_SUBENTRY,
CFG_LTHREADS,
+ CFG_TLS_ECNAME,
CFG_LAST
};
@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
#endif
"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ { "TLSECName", NULL, 2, 2, 0,
+#ifdef HAVE_TLS
+ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
+#else
+ ARG_IGNORED, NULL,
+#endif
+ "( OLcfgGlAt:96 NAME 'olcTLSECName' "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "TLSProtocolMin", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
"olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
"olcTLSCACertificatePath $ olcTLSCertificateFile $ "
"olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
+ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
"olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
"olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
"olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
+ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
#ifdef HAVE_GNUTLS
case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
#endif
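Review bot: The new TLSECName / olcTLSECName value is resolved in tlso_ctx_init with `OBJ_sn2nid( lt->lt_ecname )`, so only an OpenSSL curve short name is accepted, yet neither man-page hunk says which names are valid; an operator who enters any other spelling of a curve gets only "could not use EC name". Suggest adding to both man-page entries a sentence such as `The name must be an OpenSSL curve short name (e.g. prime256v1), as listed by openssl ecparam -list_curves.` A smaller point in the tls_o.c hunk: both failure messages print `lo->ldo_tls_ecname` while the lookup used `lt->lt_ecname`, and tls2.c copies and `__atoe`-converts lt_ecname under a build-specific #if, so on such a build the logged string would not be the one that failed — logging `lt->lt_ecname` keeps them in step. tlso_ctx_init starts and ends outside the hunk.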

34
SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch

@ -0,0 +1,34 @@
ITS#7595 don't try to use EC if OpenSSL lacks it

Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
Author: Howard Chu <hyc@openldap.org>
Date: Sun Sep 8 06:32:23 2013 -0700

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 1a81bc625..71c2b055c 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
DH_free( dh );
}
-#ifdef SSL_OP_SINGLE_ECDH_USE
if ( is_server && lo->ldo_tls_ecname ) {
+#ifdef OPENSSL_NO_EC
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: Elliptic Curves not supported.\n", 0,0,0 );
+ return -1;
+#else
EC_KEY *ecdh;
int nid = OBJ_sn2nid( lt->lt_ecname );
@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
SSL_CTX_set_tmp_ecdh( ctx, ecdh );
SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
EC_KEY_free( ecdh );
- }
#endif
+ }
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );
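Review bot: The new `#ifdef OPENSSL_NO_EC` branch turns a configured curve on an EC-less OpenSSL into a hard failure of `tlso_ctx_init` (`return -1`), which is the right fail-closed choice, but its log line `"TLS: Elliptic Curves not supported.\n"` does not tell the operator which setting caused slapd to refuse its TLS context; `"TLS: Elliptic Curves not supported; unset TLSECName/olcTLSECName.\n"` would. The guard at the top of the block tests `lo->ldo_tls_ecname` while the name handed to `OBJ_sn2nid` is `lt->lt_ecname`; presumably both refer to the same field, but the hunk does not show that, so a one-line comment stating it would save the next reader the lookup. tlso_ctx_init begins before this hunk and continues past it.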

48
SOURCES/openldap-openssl-manpage-defaultCA.patch

@ -0,0 +1,48 @@
Reference default system-wide CA certificates in manpages

OpenSSL, unless explicitly configured, uses system-wide default set of CA
certificates.

Author: Matus Honek <mhonek@redhat.com>

diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an
.B ldaps:// URI
is selected (by default or otherwise) or when the application
negotiates TLS by issuing the LDAP StartTLS operation.
+.LP
+When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
+is set, the system-wide default set of CA certificates is used.
.TP
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -801,6 +801,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
+.LP
+When using OpenSSL, if neither \fBolcTLSCACertificateFile\fP nor
+\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
+certificates is used.
.TP
.B olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1032,6 +1032,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
+.LP
+When using OpenSSL, if neither \fBTLSCACertificateFile\fP nor
+\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
+certificates is used.
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.

6
SOURCES/openldap-reentrant-gethostby.patch

@ -19,15 +19,15 @@ index 373c81c..a012062 100644
-# undef HAVE_GETHOSTBYADDR_R -# undef HAVE_GETHOSTBYADDR_R
+/* # undef HAVE_GETHOSTBYNAME_R */ +/* # undef HAVE_GETHOSTBYNAME_R */
+/* # undef HAVE_GETHOSTBYADDR_R */ +/* # undef HAVE_GETHOSTBYADDR_R */

#else #else
# include <ldap_pvt_thread.h> # include <ldap_pvt_thread.h>
@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod) @@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
#define BUFSTART (1024-32) #define BUFSTART (1024-32)
#define BUFMAX (32*1024-32) #define BUFMAX (32*1024-32)

-#if defined(LDAP_R_COMPILE) -#if defined(LDAP_R_COMPILE)
+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R) +#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
static char *safe_realloc( char **buf, int len ); static char *safe_realloc( char **buf, int len );

#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)) #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))

25
SOURCES/openldap-smbk5pwd-overlay.patch

@ -26,28 +26,28 @@ index 3af20e8..ef73663 100644
--- a/servers/slapd/overlays/Makefile.in --- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in +++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \ @@ -33,7 +33,8 @@ SRCS = overlays.c \
syncprov.c \ syncprov.c \
translucent.c \ translucent.c \
unique.c \ unique.c \
- valsort.c - valsort.c
+ valsort.c \ + valsort.c \
+ smbk5pwd.c + smbk5pwd.c
OBJS = statover.o \ OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \ @SLAPD_STATIC_OVERLAYS@ \
overlays.o overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) @@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)

LIBRARY = ../liboverlays.a LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ -PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la +PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la

XINCPATH = -I.. -I$(srcdir)/.. XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS) XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo @@ -125,6 +126,12 @@ unique.la : unique.lo
valsort.la : valsort.lo valsort.la : valsort.lo
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS) $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)

+smbk5pwd.lo : smbk5pwd.c +smbk5pwd.lo : smbk5pwd.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< + $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+ +
@ -55,7 +55,8 @@ index 3af20e8..ef73663 100644
+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) + $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+ +
install-local: $(PROGRAMS) install-local: $(PROGRAMS)
@if test -n "$?" ; then \ @if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \ $(MKDIR) $(DESTDIR)$(moduledir); \
-- --
1.7.10.4 1.7.10.4


16
SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch

@ -10,9 +10,9 @@ Resolves: #960048
--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200 --- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200
+++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200 +++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200
@@ -117,6 +117,20 @@ @@ -117,6 +117,20 @@
return -1; /* not found */ return -1; /* not found */
} }

+static lt_dlhandle slapd_lt_dlopenext_global( const char *filename ) +static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
+{ +{
+ lt_dlhandle handle = 0; + lt_dlhandle handle = 0;
@ -29,13 +29,13 @@ Resolves: #960048
+ +
int module_load(const char* file_name, int argc, char *argv[]) int module_load(const char* file_name, int argc, char *argv[])
{ {
module_loaded_t *module; module_loaded_t *module;
@@ -180,7 +194,7 @@ @@ -180,7 +194,7 @@
* to calling Debug. This is because Debug is a macro that expands * to calling Debug. This is because Debug is a macro that expands
* into multiple function calls. * into multiple function calls.
*/ */
- if ((module->lib = lt_dlopenext(file)) == NULL) { - if ((module->lib = lt_dlopenext(file)) == NULL) {
+ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) { + if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
error = lt_dlerror(); error = lt_dlerror();
#ifdef HAVE_EBCDIC #ifdef HAVE_EBCDIC
strcpy( ebuf, error ); strcpy( ebuf, error );

224
SOURCES/openldap-tlso-use-openssl-api-to-verify-host.patch

@ -0,0 +1,224 @@
From f2978fefa13eb92b73922e49d2f6c12b4f92ea85 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Fri, 10 Jan 2020 18:35:02 +0100
Subject: [PATCH] Use OpenSSL API to verify host

Replace custom hostname and IP address verification with OpenSSL 1.0.2
APIs.
---
libraries/libldap/tls_o.c | 184 ++++++--------------------------------
1 file changed, 28 insertions(+), 156 deletions(-)

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index e52c5507c..5adf7b74f 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -660,25 +660,15 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
return 0;
}
-/* what kind of hostname were we given? */
-#define IS_DNS 0
-#define IS_IP4 1
-#define IS_IP6 2
-
static int
tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
{
tlso_session *s = (tlso_session *)sess;
- int i, ret = LDAP_LOCAL_ERROR;
+ int ret = LDAP_LOCAL_ERROR;
X509 *x;
const char *name;
- char *ptr;
- int ntype = IS_DNS, nlen;
-#ifdef LDAP_PF_INET6
- struct in6_addr addr;
-#else
- struct in_addr addr;
-#endif
+ int flags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
+ ASN1_OCTET_STRING *ip;
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
@@ -687,7 +677,6 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
} else {
name = name_in;
}
- nlen = strlen(name);
x = tlso_get_cert(s);
if (!x) {
@@ -619,150 +619,32 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
return LDAP_SUCCESS;
}
-#ifdef LDAP_PF_INET6
- if (inet_pton(AF_INET6, name, &addr)) {
- ntype = IS_IP6;
- } else
-#endif
- if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
- if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
- }
-
- i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
- if (i >= 0) {
- X509_EXTENSION *ex;
- STACK_OF(GENERAL_NAME) *alt;
-
- ex = X509_get_ext(x, i);
- alt = X509V3_EXT_d2i(ex);
- if (alt) {
- int n, len2 = 0;
- char *domain = NULL;
- GENERAL_NAME *gn;
-
- if (ntype == IS_DNS) {
- domain = strchr(name, '.');
- if (domain) {
- len2 = nlen - (domain-name);
- }
- }
- n = sk_GENERAL_NAME_num(alt);
- for (i=0; i<n; i++) {
- char *sn;
- int sl;
- gn = sk_GENERAL_NAME_value(alt, i);
- if (gn->type == GEN_DNS) {
- if (ntype != IS_DNS) continue;
-
- sn = (char *) ASN1_STRING_data(gn->d.ia5);
- sl = ASN1_STRING_length(gn->d.ia5);
-
- /* ignore empty */
- if (sl == 0) continue;
-
- /* Is this an exact match? */
- if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
- break;
- }
-
- /* Is this a wildcard match? */
- if (domain && (sn[0] == '*') && (sn[1] == '.') &&
- (len2 == sl-1) && !strncasecmp(domain, &sn[1], len2))
- {
- break;
- }
-
- } else if (gn->type == GEN_IPADD) {
- if (ntype == IS_DNS) continue;
-
- sn = (char *) ASN1_STRING_data(gn->d.ia5);
- sl = ASN1_STRING_length(gn->d.ia5);
-
-#ifdef LDAP_PF_INET6
- if (ntype == IS_IP6 && sl != sizeof(struct in6_addr)) {
- continue;
- } else
-#endif
- if (ntype == IS_IP4 && sl != sizeof(struct in_addr)) {
- continue;
- }
- if (!memcmp(sn, &addr, sl)) {
- break;
- }
- }
- }
-
- GENERAL_NAMES_free(alt);
- if (i < n) { /* Found a match */
- ret = LDAP_SUCCESS;
- }
- }
- }
-
- if (ret != LDAP_SUCCESS) {
- X509_NAME *xn;
- X509_NAME_ENTRY *ne;
- ASN1_OBJECT *obj;
- ASN1_STRING *cn = NULL;
- int navas;
-
- /* find the last CN */
- obj = OBJ_nid2obj( NID_commonName );
- if ( !obj ) goto no_cn; /* should never happen */
-
- xn = X509_get_subject_name(x);
- navas = X509_NAME_entry_count( xn );
- for ( i=navas-1; i>=0; i-- ) {
- ne = X509_NAME_get_entry( xn, i );
- if ( !OBJ_cmp( X509_NAME_ENTRY_get_object(ne), obj )) {
- cn = X509_NAME_ENTRY_get_data( ne );
- break;
- }
+ /* attempt to encode name as IP address */
+ ip = a2i_IPADDRESS(name);
+ if (ip == NULL) {
+ ERR_clear_error();
+ /* it's a hostname */
+ if (X509_check_host(x, name, strlen(name), flags, NULL) == 1) {
+ ret = LDAP_SUCCESS;
}
-
- if( !cn )
- {
-no_cn:
- Debug( LDAP_DEBUG_ANY,
- "TLS: unable to get common name from peer certificate.\n",
- 0, 0, 0 );
- ret = LDAP_CONNECT_ERROR;
- if ( ld->ld_error ) {
- LDAP_FREE( ld->ld_error );
- }
- ld->ld_error = LDAP_STRDUP(
- _("TLS: unable to get CN from peer certificate"));
-
- } else if ( cn->length == nlen &&
- strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
+ } else {
+ /* It's an IPv4 or IPv6 address */
+ if (X509_check_ip(x, ASN1_STRING_data(ip),
+ ASN1_STRING_length(ip), 0) == 1) {
ret = LDAP_SUCCESS;
-
- } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
- char *domain = strchr(name, '.');
- if( domain ) {
- int dlen;
-
- dlen = nlen - (domain-name);
-
- /* Is this a wildcard match? */
- if ((dlen == cn->length-1) &&
- !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
- ret = LDAP_SUCCESS;
- }
- }
}
+ ASN1_OCTET_STRING_free(ip);
+ }
- if( ret == LDAP_LOCAL_ERROR ) {
- Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
- "common name in certificate (%.*s).\n",
- name, cn->length, cn->data );
- ret = LDAP_CONNECT_ERROR;
- if ( ld->ld_error ) {
- LDAP_FREE( ld->ld_error );
- }
- ld->ld_error = LDAP_STRDUP(
- _("TLS: hostname does not match CN in peer certificate"));
+ if( ret == LDAP_LOCAL_ERROR ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+ "peer certificate.\n", name, 0, 0);
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
}
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: hostname does not match peer certificate"));
}
X509_free(x);
return ret;
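Review bot: The `X509_check_host` call that replaces the deleted SAN/CN loop changes the fallback semantics: per OpenSSL's documented behaviour the subject CN is consulted only when the certificate carries no dNSName SAN at all, whereas the removed code fell back to the CN whenever no SAN entry matched, so a certificate with non-matching SANs and a matching CN now fails — the safer result, but the patch description does not say so, and a comment above the call should, e.g. `/* CN is used only if the cert has no dNSName SANs (RFC 6125); any return other than 1 (no match, or -1/-2 error) is treated as a mismatch */`. `X509_check_host`, `X509_check_ip` and `a2i_IPADDRESS` exist only from OpenSSL 1.0.2 and nothing pins that (the spec's `BuildRequires: openssl-devel` is unversioned), so an `#if OPENSSL_VERSION_NUMBER < 0x10002000L` / `#error "tls_o.c needs OpenSSL >= 1.0.2 for X509_check_host"` near the top of tls_o.c would turn a cryptic build break into an explicit one. The third hunk header `@@ -619,150 +619,32 @@` follows `@@ -687,7 +677,6 @@` yet starts at a lower line number, and its new-side offset ignores the ten lines the first hunk removed, which looks like hand editing; `%patch25 -p1` may reject or misplace it, so regenerating the patch with `git format-patch` is advisable. tlso_session_chkhost's body lies almost entirely inside these hunks, with only the certificate lookup between the second and third hunk outside them.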

28
SOURCES/slapd.ldif

@ -6,14 +6,25 @@
dn: cn=config dn: cn=config
objectClass: olcGlobal objectClass: olcGlobal
cn: config cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
# #
# TLS settings # TLS settings
# #
olcTLSCACertificatePath: /etc/openldap/certs # When no CA certificates are specified the Shared System Certificates
olcTLSCertificateFile: "OpenLDAP Server" # are in use. In order to have these available along with the ones specified
olcTLSCertificateKeyFile: /etc/openldap/certs/password # by oclTLSCACertificatePath one has to include them explicitly:
#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
#
# Private cert and key are not pregenerated.
#olcTLSCertificateFile:
#olcTLSCertificateKeyFile:
#
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#olcTLSCipherSuite: PROFILE=SYSTEM


# #
# Do not enable referrals until AFTER you have a working directory # Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals. # service AND an understanding of referrals.
@ -88,7 +99,6 @@ include: file:///etc/openldap/schema/core.ldif


dn: olcDatabase=frontend,cn=config dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend olcDatabase: frontend
# #
# Sample global access control policy: # Sample global access control policy:
@ -137,10 +147,10 @@ olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
# Backend database definitions # Backend database definitions
# #


dn: olcDatabase=hdb,cn=config dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig objectClass: olcDatabaseConfig
objectClass: olcHdbConfig objectClass: olcMdbConfig
olcDatabase: hdb olcDatabase: mdb
olcSuffix: dc=my-domain,dc=com olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbDirectory: /var/lib/ldap olcDbDirectory: /var/lib/ldap
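Review bot: The directive named in the new TLS comment, `# by oclTLSCACertificatePath one has to include them explicitly:`, is misspelled — the attribute is `olcTLSCACertificatePath`, and an operator who copies it into cn=config gets an undefined-attribute error; the same comment block says `finer grinded selection` where `finer-grained selection` is meant. The shipped defaults now leave `#olcTLSCertificateFile:` and `#olcTLSCertificateKeyFile:` commented out with no pre-generated certificate, while the unit in this commit starts slapd with an `ldaps:///` listener; whether that listener is refused at startup or merely cannot complete a handshake is not visible here, but the comment should tell the operator that `ldaps://` needs both directives filled in (or the listener removed from the unit) before it is usable. The hunk also switches the sample database to mdb; this is fine for new installs, but a note that an existing hdb directory under `/var/lib/ldap` is not migrated by this file would help.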

6
SOURCES/slapd.service

@ -9,11 +9,9 @@ Documentation=file:///usr/share/doc/openldap-servers/guide.html


[Service] [Service]
Type=forking Type=forking
PIDFile=/var/run/openldap/slapd.pid
Environment="SLAPD_URLS=ldap:/// ldapi:///" "SLAPD_OPTIONS="
EnvironmentFile=/etc/sysconfig/slapd
ExecStartPre=/usr/libexec/openldap/check-config.sh ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"


[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
Alias=openldap.service
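Review bot: `ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"` hard-codes the listener set, and with `EnvironmentFile=/etc/sysconfig/slapd` and `SLAPD_URLS` removed there is no longer a supported knob to drop the cleartext `ldap:///` listener on a host that should only serve ldaps/ldapi — the operator now needs a drop-in that clears and redefines `ExecStart`. Keeping the URLs in a unit-level variable preserves that override path at no cost: `Environment="SLAPD_URLS=ldap:/// ldaps:/// ldapi:///"` followed by `ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS}`. `ldaps:///` is enabled while the slapd.ldif in this commit leaves the certificate and key directives commented out, so a stock install exposes a TLS port that cannot present a certificate until the admin configures one; that deserves a mention wherever the unit's `Documentation=` target describes first-time setup. `PIDFile=/var/run/openldap/slapd.pid` appears only on the old side; with `Type=forking` and no `PIDFile=`, systemd falls back to guessing the main PID, which systemd.service(5) calls unreliable, so if `olcPidFile` is still set in the shipped config the `PIDFile=` line should stay.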

668
SPECS/openldap.spec

@ -4,39 +4,29 @@
%global check_password_version 1.1 %global check_password_version 1.1


Name: openldap Name: openldap
Version: 2.4.44 Version: 2.4.46
Release: 13%{?dist} Release: 11%{?dist}
Summary: LDAP support libraries Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP License: OpenLDAP
URL: http://www.openldap.org/ URL: http://www.openldap.org/

Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
Source1: slapd.service Source1: slapd.service
Source2: slapd.sysconfig Source2: slapd.tmpfiles
Source3: slapd.tmpfiles Source3: slapd.ldif
Source4: slapd.ldif Source4: ldap.conf
Source5: ldap.conf
Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz
Source50: libexec-functions Source50: libexec-functions
Source51: libexec-convert-config.sh
Source52: libexec-check-config.sh Source52: libexec-check-config.sh
Source53: libexec-upgrade-db.sh Source53: libexec-upgrade-db.sh
Source54: libexec-create-certdb.sh
Source55: libexec-generate-server-cert.sh
Source56: libexec-update-ppolicy-schema.sh


# patches for 2.4 # patches for 2.4
Patch0: openldap-manpages.patch Patch0: openldap-manpages.patch
Patch1: openldap-ppolicy-loglevels.patch Patch2: openldap-reentrant-gethostby.patch
Patch2: openldap-sql-linking.patch Patch3: openldap-smbk5pwd-overlay.patch
Patch3: openldap-reentrant-gethostby.patch Patch5: openldap-ai-addrconfig.patch
Patch4: openldap-smbk5pwd-overlay.patch Patch17: openldap-allop-overlay.patch
Patch5: openldap-ldaprc-currentdir.patch
Patch6: openldap-userconfig-setgid.patch
Patch7: openldap-allop-overlay.patch
Patch8: openldap-syncrepl-unset-tls-options.patch
Patch9: openldap-man-sasl-nocanon.patch
Patch10: openldap-ai-addrconfig.patch
# fix back_perl problems with lt_dlopen() # fix back_perl problems with lt_dlopen()
# might cause crashes because of symbol collisions # might cause crashes because of symbol collisions
# the proper fix is to link all perl modules against libperl # the proper fix is to link all perl modules against libperl
@ -44,30 +34,17 @@ Patch10: openldap-ai-addrconfig.patch
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
# ldapi sasl fix pending upstream inclusion # ldapi sasl fix pending upstream inclusion
Patch20: openldap-ldapi-sasl.patch Patch20: openldap-ldapi-sasl.patch
# coverity - missin_unlock in servers/slapd/overlays/accesslog.c Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
Patch21: openldap-missing-unlock-in-accesslog-overlay.patch Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
Patch23: openldap-module-passwd-sha2.patch Patch24: openldap-openssl-manpage-defaultCA.patch
# pending upstream inclusion, ITS #7744 Patch25: openldap-tlso-use-openssl-api-to-verify-host.patch
Patch24: openldap-man-tls-reqcert.patch
Patch25: openldap-man-ldap-conf.patch
Patch35: openldap-ITS8428-init-sc_writewait.patch
Patch36: openldap-bdb_idl_fetch_key-correct-key-pointer.patch
Patch37: openldap-ITS8655-fix-double-free-on-paged-search-with-pagesize-0.patch


# check-password module specific patches # check-password module specific patches
Patch90: check-password-makefile.patch Patch90: check-password-makefile.patch
Patch91: check-password.patch Patch91: check-password.patch
Patch92: check-password-loglevels.patch


# MozNSS compatibility layer BuildRequires: cyrus-sasl-devel, openssl-devel, krb5-devel, unixODBC-devel
Patch101: openldap-tlsmc.patch BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-devel, perl(ExtUtils::Embed)
# Fedora specific patches
Patch102: openldap-fedora-systemd.patch

BuildRequires: cyrus-sasl-devel, nss-devel, openssl-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)
Requires: nss-tools
Requires(post): rpm, coreutils, findutils


%description %description
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@ -80,7 +57,6 @@ libraries, and documentation for OpenLDAP.


%package devel %package devel
Summary: LDAP development libraries and header files Summary: LDAP development libraries and header files
Group: Development/Libraries
Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa} Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}


%description devel %description devel
@ -96,13 +72,10 @@ Summary: LDAP server
License: OpenLDAP License: OpenLDAP
Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils
Requires(pre): shadow-utils Requires(pre): shadow-utils
Requires(post): systemd, systemd-sysv, chkconfig BuildRequires: systemd
Requires(preun): systemd %{?systemd_requires}
Requires(postun): systemd
BuildRequires: libdb-devel BuildRequires: libdb-devel
BuildRequires: systemd-units
BuildRequires: cracklib-devel BuildRequires: cracklib-devel
Group: System Environment/Daemons
# migrationtools (slapadd functionality): # migrationtools (slapadd functionality):
Provides: ldif2ldbm Provides: ldif2ldbm


@ -114,24 +87,9 @@ information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated similar to the way DNS (Domain Name System) information is propagated
over the Internet. This package contains the slapd server and related files. over the Internet. This package contains the slapd server and related files.


%package servers-sql
Summary: SQL support module for OpenLDAP server
Requires: openldap-servers%{?_isa} = %{version}-%{release}
Group: System Environment/Daemons

%description servers-sql
OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
Protocol) applications and development tools. LDAP is a set of
protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. This package contains a loadable module which the
slapd server can use to read data from an RDBMS.

%package clients %package clients
Summary: LDAP client utilities Summary: LDAP client utilities
Requires: openldap%{?_isa} = %{version}-%{release} Requires: openldap%{?_isa} = %{version}-%{release}
Group: Applications/Internet


%description clients %description clients
OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
@ -147,36 +105,19 @@ programs needed for accessing and modifying OpenLDAP directories.


pushd openldap-%{version} pushd openldap-%{version}


%patch101 -p1

# alternative include paths for Mozilla NSS
ln -s %{_includedir}/nss3 include/nss
ln -s %{_includedir}/nspr4 include/nspr

AUTOMAKE=%{_bindir}/true autoreconf -fi AUTOMAKE=%{_bindir}/true autoreconf -fi


%patch0 -p1 %patch0 -p1
%patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch17 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch19 -p1 %patch19 -p1
%patch20 -p1 %patch20 -p1
%patch21 -p1 %patch22 -p1
%patch23 -p1 %patch23 -p1
%patch24 -p1 %patch24 -p1
%patch25 -p1 %patch25 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1

%patch102 -p1


# build smbk5pwd with other overlays # build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -185,11 +126,6 @@ mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.s
ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays
mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop
mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5 mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5
# build sha2 with other overlays
ln -s ../../../contrib/slapd-modules/passwd/sha2/{sha2.{c,h},slapd-sha2.c} \
servers/slapd/overlays
ls servers/slapd/overlays
mv contrib/slapd-modules/passwd/sha2/README{,.sha2}


mv servers/slapd/back-perl/README{,.back_perl} mv servers/slapd/back-perl/README{,.back_perl}


@ -204,33 +140,19 @@ popd
pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
%patch90 -p1 %patch90 -p1
%patch91 -p1 %patch91 -p1
%patch92 -p1
popd popd


%build %build


%ifarch s390 s390x
export CFLAGS="-fPIE"
%else
export CFLAGS="-fpie"
%endif
export LDFLAGS="-pie"
# avoid stray dependencies (linker flag --as-needed)
# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS) # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
export CFLAGS="${CFLAGS} %{optflags} -Wl,-z,relro,-z,now,--as-needed -DLDAP_CONNECTIONLESS" export CFLAGS="%{optflags} ${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS"

export CXXFLAGS="%{optflags} ${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS"
pushd openldap-%{version} pushd openldap-%{version}
%configure \ %configure \
--enable-debug \ --enable-debug \
--enable-dynamic \ --enable-dynamic \
--enable-syslog \
--enable-proctitle \
--enable-ipv6 \
--enable-local \
\ \
--enable-slapd \
--enable-dynacl \ --enable-dynacl \
--enable-aci \
--enable-cleartext \ --enable-cleartext \
--enable-crypt \ --enable-crypt \
--enable-lmpasswd \ --enable-lmpasswd \
@ -240,7 +162,6 @@ pushd openldap-%{version}
--enable-rlookups \ --enable-rlookups \
--enable-slapi \ --enable-slapi \
--disable-slp \ --disable-slp \
--enable-wrappers \
\ \
--enable-backends=mod \ --enable-backends=mod \
--enable-bdb=yes \ --enable-bdb=yes \
@ -248,13 +169,11 @@ pushd openldap-%{version}
--enable-mdb=yes \ --enable-mdb=yes \
--enable-monitor=yes \ --enable-monitor=yes \
--disable-ndb \ --disable-ndb \
--disable-sql \
\ \
--enable-overlays=mod \ --enable-overlays=mod \
\ \
--disable-static \ --disable-static \
--enable-shared \
\
--enable-moznss-compatibility=yes \
\ \
--with-cyrus-sasl \ --with-cyrus-sasl \
--without-fetch \ --without-fetch \
@ -265,12 +184,6 @@ pushd openldap-%{version}
--libexecdir=%{_libdir} --libexecdir=%{_libdir}


make %{_smp_mflags} make %{_smp_mflags}

# build mdb_* tools
pushd libraries/liblmdb
export XCFLAGS="$CFLAGS"
make %{_smp_mflags}
popd
popd popd


pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
@ -285,9 +198,6 @@ mkdir -p %{buildroot}%{_libdir}/


pushd openldap-%{version} pushd openldap-%{version}
make install DESTDIR=%{buildroot} STRIP="" make install DESTDIR=%{buildroot} STRIP=""
pushd libraries/liblmdb
make install DESTDIR=%{buildroot}
popd
popd popd


# install check_password module # install check_password module
@ -320,31 +230,19 @@ install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap
install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap


# setup autocreation of runtime directories on tmpfs # setup autocreation of runtime directories on tmpfs
mkdir -p %{buildroot}%{_tmpfilesdir}/ mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %SOURCE3 %{buildroot}%{_tmpfilesdir}/slapd.conf install -m 0644 %SOURCE2 %{buildroot}%{_tmpfilesdir}/slapd.conf


# install default ldap.conf (customized) # install default ldap.conf (customized)
rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
install -m 0644 %SOURCE5 %{buildroot}%{_sysconfdir}/openldap/ldap.conf install -m 0644 %SOURCE4 %{buildroot}%{_sysconfdir}/openldap/ldap.conf


# setup maintainance scripts # setup maintainance scripts
mkdir -p %{buildroot}%{_libexecdir} mkdir -p %{buildroot}%{_libexecdir}
install -m 0755 -d %{buildroot}%{_libexecdir}/openldap install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
install -m 0755 %SOURCE51 %{buildroot}%{_libexecdir}/openldap/convert-config.sh
install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh
install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh
install -m 0755 %SOURCE56 %{buildroot}%{_libexecdir}/openldap/update-ppolicy-schema.sh

# install mdb_* tools
mv %{buildroot}/usr/local/bin/mdb_{copy,dump,load,stat} %{buildroot}%{_libexecdir}/openldap/
mkdir -p %{buildroot}%{_libexecdir}/openldap/man/man1
mv %{buildroot}/usr/local/share/man/man1/mdb_{copy,dump,load,stat}.1 %{buildroot}%{_libexecdir}/openldap/man/man1/
# we don't want the library itself nor header file
rm -f %{buildroot}/usr/local/include/lmdb.h
rm -f %{buildroot}/usr/local/lib/liblmdb.{a,so}


# remove build root from config files and manual pages # remove build root from config files and manual pages
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
@ -358,10 +256,6 @@ rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default
mkdir -p %{buildroot}%{_unitdir} mkdir -p %{buildroot}%{_unitdir}
install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service


# install syconfig/ldap
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
install -m 644 %SOURCE2 %{buildroot}%{_sysconfdir}/sysconfig/slapd

# move slapd out of _libdir # move slapd out of _libdir
mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/ mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/


@ -370,43 +264,41 @@ rm -f %{buildroot}%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done


# re-symlink unversioned libraries, so ldconfig is not confused
pushd %{buildroot}%{_libdir}
v=%{version}
version=$(echo ${v%.[0-9]*})
for lib in liblber libldap libldap_r libslapi; do
rm -f ${lib}.so
ln -s ${lib}-${version}.so.2 ${lib}.so
done
popd

# tweak permissions on the libraries to make sure they're correct # tweak permissions on the libraries to make sure they're correct
chmod 0755 %{buildroot}%{_libdir}/lib*.so* chmod 0755 %{buildroot}%{_libdir}/lib*.so*
chmod 0644 %{buildroot}%{_libdir}/lib*.*a chmod 0644 %{buildroot}%{_libdir}/lib*.*a


# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5) # slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
# new configuration will be generated in %%post
mkdir -p %{buildroot}%{_datadir} mkdir -p %{buildroot}%{_datadir}
install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
install -m 0644 %SOURCE4 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif install -m 0644 %SOURCE3 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
install -m 0750 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif


# move doc files out of _sysconfdir # move doc files out of _sysconfdir
mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh
chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example


# remove files which we don't want packaged # remove files which we don't want packaged
rm -f %{buildroot}%{_libdir}/*.la rm -f %{buildroot}%{_libdir}/*.la # because we do not want files in %{_libdir}/openldap/ removed, yet
mv %{buildroot}%{_libdir}/openldap/check_password.so{,.tmp}
rm -f %{buildroot}%{_libdir}/openldap/*.so
mv %{buildroot}%{_libdir}/openldap/check_password.so{.tmp,}


rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
rmdir %{buildroot}%{_localstatedir}/openldap-data rmdir %{buildroot}%{_localstatedir}/openldap-data


%post %pre -p /sbin/ldconfig
# create certificate database %post -p /sbin/ldconfig
%{_libexecdir}/openldap/create-certdb.sh >&/dev/null || :

%postun
#update only on package erase
if [ $1 == 0 ]; then
/sbin/ldconfig
fi


%pre servers %pre servers


@ -430,22 +322,17 @@ exit 0




%post servers %post servers

/sbin/ldconfig -n %{_libdir}/openldap

%systemd_post slapd.service %systemd_post slapd.service


# generate sample TLS certificate for server (will not replace) # generate configuration if necessary
%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || : if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \

! -f %{_sysconfdir}/openldap/slapd.conf
# generate/upgrade configuration ]]; then
if [ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then # if there is no configuration available, generate one from the defaults
if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then mkdir -p %{_sysconfdir}/openldap/slapd.d/ &>/dev/null || :
%{_libexecdir}/openldap/convert-config.sh &>/dev/null /usr/sbin/slapadd -F %{_sysconfdir}/openldap/slapd.d/ -n0 -l %{_datadir}/openldap-servers/slapd.ldif
mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d/
else %{systemctl_bin} try-restart slapd.service &>/dev/null
%{_libexecdir}/openldap/convert-config.sh -f %{_datadir}/openldap-servers/slapd.ldif &>/dev/null
fi
fi fi


start_slapd=0 start_slapd=0
@ -461,39 +348,6 @@ if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then
rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap
fi fi


# ensure ppolicy schema updated (bug #1487857)
if [ $1 -eq 2 ]; then
if [ -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif ]; then
%{_libexecdir}/openldap/update-ppolicy-schema.sh &>/dev/null
fi
fi

# conversion from /etc/sysconfig/ldap to /etc/sysconfig/slapd
if [ $1 -eq 2 ]; then
# we expect that 'ldap' will be renamed to 'ldap.rpmsave' after removing the old package
if [ -r %{_sysconfdir}/sysconfig/ldap ]; then
source %{_sysconfdir}/sysconfig/ldap &>/dev/null

new_urls=
[ "$SLAPD_LDAP" != "no" ] && new_urls="$new_urls ldap:///"
[ "$SLAPD_LDAPI" != "no" ] && new_urls="$new_urls ldapi:///"
[ "$SLAPD_LDAPS" == "yes" ] && new_urls="$new_urls ldaps:///"
[ -n "$SLAPD_URLS" ] && new_urls="$new_urls $SLAPD_URLS"

failure=0
cp -f %{_sysconfdir}/sysconfig/slapd %{_sysconfdir}/sysconfig/slapd.rpmconvert
sed -i '/^#\?SLAPD_URLS=/s@.*@SLAPD_URLS="'"$new_urls"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1
[ -n "$SLAPD_OPTIONS" ] && \
sed -i '/^#\?SLAPD_OPTIONS=/s@.*$@SLAPD_OPTIONS="'"$SLAPD_OPTIONS"'"@' %{_sysconfdir}/sysconfig/slapd.rpmconvert &>/dev/null || failure=1

if [ $failure -eq 0 ]; then
mv -f %{_sysconfdir}/sysconfig/slapd.rpmconvert %{_sysconfdir}/sysconfig/slapd
else
rm -f %{_sysconfdir}/sysconfig/slapd.rpmconvert
fi
fi
fi

# restart after upgrade # restart after upgrade
if [ $1 -ge 1 ]; then if [ $1 -ge 1 ]; then
if [ $start_slapd -eq 1 ]; then if [ $start_slapd -eq 1 ]; then
@ -506,24 +360,11 @@ fi
exit 0 exit 0


%preun servers %preun servers

%systemd_preun slapd.service %systemd_preun slapd.service



%postun servers %postun servers

/sbin/ldconfig ${_libdir}/openldap
%systemd_postun_with_restart slapd.service %systemd_postun_with_restart slapd.service



%triggerun servers -- openldap-servers < 2.4.26-6

# migration from SysV to systemd
/usr/bin/systemd-sysv-convert --save slapd &>/dev/null || :
/usr/sbin/chkconfig --del slapd &>/dev/null || :
%{systemctl_bin} try-restart slapd.service &>/dev/null || :


%triggerin servers -- libdb %triggerin servers -- libdb


# libdb upgrade (setup for %%triggerun) # libdb upgrade (setup for %%triggerun)
@ -562,14 +403,13 @@ exit 0
%files %files
%doc openldap-%{version}/ANNOUNCEMENT %doc openldap-%{version}/ANNOUNCEMENT
%doc openldap-%{version}/CHANGES %doc openldap-%{version}/CHANGES
%doc openldap-%{version}/COPYRIGHT %license openldap-%{version}/COPYRIGHT
%doc openldap-%{version}/LICENSE %license openldap-%{version}/LICENSE
%doc openldap-%{version}/README %doc openldap-%{version}/README
%dir %{_sysconfdir}/openldap %dir %{_sysconfdir}/openldap
%dir %{_sysconfdir}/openldap/certs %dir %{_sysconfdir}/openldap/certs
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf %config(noreplace) %{_sysconfdir}/openldap/ldap.conf
%dir %{_libexecdir}/openldap/ %dir %{_libexecdir}/openldap/
%{_libexecdir}/openldap/create-certdb.sh
%{_libdir}/liblber-2.4*.so.* %{_libdir}/liblber-2.4*.so.*
%{_libdir}/libldap-2.4*.so.* %{_libdir}/libldap-2.4*.so.*
%{_libdir}/libldap_r-2.4*.so.* %{_libdir}/libldap_r-2.4*.so.*
@ -588,9 +428,8 @@ exit 0
%doc README.schema %doc README.schema
%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d %config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
%config(noreplace) %{_sysconfdir}/openldap/schema %config(noreplace) %{_sysconfdir}/openldap/schema
%config(noreplace) %{_sysconfdir}/sysconfig/slapd
%config(noreplace) %{_tmpfilesdir}/slapd.conf
%config(noreplace) %{_sysconfdir}/openldap/check_password.conf %config(noreplace) %{_sysconfdir}/openldap/check_password.conf
%{_tmpfilesdir}/slapd.conf
%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap %dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap
%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap %dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap
%{_unitdir}/slapd.service %{_unitdir}/slapd.service
@ -620,7 +459,6 @@ exit 0
%{_libdir}/openldap/retcode* %{_libdir}/openldap/retcode*
%{_libdir}/openldap/rwm* %{_libdir}/openldap/rwm*
%{_libdir}/openldap/seqmod* %{_libdir}/openldap/seqmod*
%{_libdir}/openldap/pw-sha2*
%{_libdir}/openldap/smbk5pwd* %{_libdir}/openldap/smbk5pwd*
%{_libdir}/openldap/sssvlv* %{_libdir}/openldap/sssvlv*
%{_libdir}/openldap/syncprov* %{_libdir}/openldap/syncprov*
@ -629,25 +467,14 @@ exit 0
%{_libdir}/openldap/valsort* %{_libdir}/openldap/valsort*
%{_libdir}/openldap/check_password* %{_libdir}/openldap/check_password*
%{_libexecdir}/openldap/functions %{_libexecdir}/openldap/functions
%{_libexecdir}/openldap/convert-config.sh
%{_libexecdir}/openldap/check-config.sh %{_libexecdir}/openldap/check-config.sh
%{_libexecdir}/openldap/upgrade-db.sh %{_libexecdir}/openldap/upgrade-db.sh
%{_libexecdir}/openldap/generate-server-cert.sh
%{_libexecdir}/openldap/update-ppolicy-schema.sh
%{_libexecdir}/openldap/mdb_*
%{_libexecdir}/openldap/man/man1/mdb_*
%{_sbindir}/sl* %{_sbindir}/sl*
%{_mandir}/man8/* %{_mandir}/man8/*
%{_mandir}/man5/slapd*.5* %{_mandir}/man5/slapd*.5*
%{_mandir}/man5/slapo-*.5* %{_mandir}/man5/slapo-*.5*
# obsolete configuration # obsolete configuration
%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf %ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf.bak

%files servers-sql
%doc openldap-%{version}/servers/slapd/back-sql/docs/*
%doc openldap-%{version}/servers/slapd/back-sql/rdbms_depend
%{_libdir}/openldap/back_sql*


%files clients %files clients
%{_bindir}/* %{_bindir}/*
@ -660,165 +487,290 @@ exit 0
%{_mandir}/man3/* %{_mandir}/man3/*


%changelog %changelog
* Wed Jan 31 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-13 * Wed Jan 15 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-11
- MozNSS Compat. Layer: fix recursive directory deletion (#1516409) - Use OpenSSL-1.0.2+ API for host name verification (#1788572)
- MozNSS Compat. Layer: fix PIN disclaimer not always shown (#1516409)
- MozNSS Compat. Layer: fix incorrect parsing of CACertDir (#1533955) * Sun Aug 18 2019 Matus Honek <mhonek@redhat.com> - 2.4.46-10

- Do not fallback to checking CN when no SAN matched (#1740070)
* Thu Jan 11 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-12
- MozNSS Compat. Layer: Ensure consistency of a PEM dir before usage (#1516409) * Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
+ Warn just before use of a PIN about key file extraction - Reference default system-wide CA certificates in manpages (#1611624)


* Wed Jan 10 2018 Matus Honek <mhonek@redhat.com> - 2.4.44-11 * Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
- MozNSS Compat. Layer: Enable usage of NSS DB with PEM cert/key (#1525485) - Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623497)
+ Fix a possible invalid dereference (covscan)

* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-7
* Tue Nov 28 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-10 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
- Drop update-ppolicy-schema.sh scriptlet's output (#1487857)
- Fix issues in MozNSS compatibility layer (#1400578) * Fri Jul 6 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-6
- Build with LDAP_USE_NON_BLOCKING_TLS (#1594928)
- Remove unused leftover MozNSS Compat. Layer references (cont.) (#1557967)

* Fri Jul 06 2018 Petr Pisar <ppisar@redhat.com> - 2.4.46-5
- Perl 5.28 rebuild

* Wed Jul 4 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-4
- Remove unused leftover MozNSS Compat. Layer references (#1557967)

* Wed Jul 4 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-3
- MozNSS Compat. Layer: Make log messages more clear (#1598103)
- MozNSS Compat. Layer: Fix memleaks reported by valgrind (#1595203)

* Wed Jun 27 2018 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.46-2
- Perl 5.28 rebuild
- MozNSS Compat. Layer: Fix typos, and spelling in the README file header (#1564161)

* Tue Mar 27 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-1
- Rebase to version OpenLDAP 2.4.46 (#1559652)

* Mon Mar 5 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-14
- Utilize system-wide crypto-policies (#1483979)

* Thu Mar 1 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-13
- fix: openldap does not use Fedora build flags
+ makes use of redhat-rpm-config package
- Drop superfluous back-sql linking patch

* Wed Feb 28 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-12
- MozNSS Compat. Layer: fix: libldap tlsmc continues even after it fails to extract CA certificates (#1550110)

* Wed Feb 21 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-11
- TLS: Use system trusted CA store by default (#1270678, #1537259)

* Sun Feb 11 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-10
- Complete change: Disable TLSMC in F29+

* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.45-9
- Escape macros in %%changelog
- Disable TLSMC in F29+
- Remove obsolete Group tag
- Don't call ldconfig in servers subpackage
- Switch to %%ldconfig_scriptlets
- Remove unneeded Requires(post): systemd-sysv, chkconfig
- Switch to %%systemd_requires
- Change BuildRequires: systemd-units to systemd

* Wed Feb 7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-8
- Drop TCP wrappers support (#1531487)

* Wed Feb 7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-7
- MozNSS Compat. Layer fixes (#1400570)
- fix incorrect parsing of CACertDir (orig. #1533955)
- fix PIN disclaimer not always shown (orig. #1516409)
- fix recursive directory deletion (orig. #1516409)
- Ensure consistency of a PEM dir before usage (orig. #1516409)
+ Warn just before use of a PIN about key file extraction
- Enable usage of NSS DB with PEM cert/key (orig. #1525485)
+ Fix a possible invalid dereference (covscan)

* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.45-6
- Rebuilt for switch to libxcrypt

* Wed Dec 6 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-5
- Fix issues in MozNSS compatibility layer (#1400570)
+ Force write file with fsync to avoid race conditions + Force write file with fsync to avoid race conditions
+ Always filestamp both sql and dbm NSS DB variants to not rely on default DB type prefix + Always filestamp both sql and dbm NSS DB variants to not rely on default DB type prefix
+ Allow missing cert and key which is a valid usecase + Allow missing cert and key which is a valid usecase
+ Create extraction folder only in /tmp to simplify selinux rules + Create extraction folder only in /tmp to simplify selinux rules
+ Fix Covscan issues + Fix Covscan issues


* Fri Nov 3 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-9 * Fri Nov 3 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-4
- Build with OpenSSL and MozNSS compatibility layer instead of MozNSS (#1400578) - Build with OpenSSL with MozNSS compatibility layer (#1400570)


* Thu Nov 2 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-8 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-3
- fix: Upgrading to OpenLDAP >= 2.4.43 breaks server due to ppolicy changes (#1487857) - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild


* Thu Nov 2 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7 * Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.45-2
- fix: Manpage incorrectly states ./ldaprc config file is used (#1498841) - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild


* Thu Nov 2 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-6 * Fri Jul 7 2017 Matus Honek <mhonek@redhat.com> - 2.4.45-1
- fix: Upgrading openldap-servers does not restart slapd when rebasing (#1479309) - Rebase to version 2.4.45 (#1458081)

* fixes CVE-2017-9287 (#1456712, #1456713)
* Tue Jun 6 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-5 - Update the 'sources' file with new SHA512 hashes
- fix CVE-2017-9287 openldap: Double free vulnerability in servers/slapd/back-mdb/search.c (#1458210)

* Fri Jul 7 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-12
* Fri Mar 24 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-4 - Change Requires to Recommends for nss-tools (#1415086)
- NSS: Include some CHACHA20POLY1305 ciphers (#1432907)
* Sun Jun 04 2017 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-11
- Perl 5.26 rebuild

* Fri Mar 31 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-10
- NSS: Maximal TLS protocol version should be equal to NSS default (#1435692)

* Thu Mar 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-9
- NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS (#1435692)
- NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435692)

* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.44-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-7
- NSS: Update list of ciphers (#1387868)

* Mon Jan 30 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-6
- NSS: Use what NSS considers default for DEFAULT cipher string (#1387868)

* Thu Jan 26 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-5
- NSS: fix: incorrect multi-keyword parsing and support new ones (#1243517)

* Mon Jan 23 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-4
- fix previous commit (#1375432)


* Wed Mar 15 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-3 * Fri Jan 20 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-3
- NSS: re-register NSS_Shutdown callback (#1405354) - fix: Setting olcTLSProtocolMin does not change supported protocols (#1375432)
- fix: slapd should start after network-online.service (#1336487)


* Wed Mar 15 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-2 * Sun May 15 2016 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.44-2
- Include MDB tools in openldap-servers (#1428740) - Perl 5.24 rebuild


* Wed Jan 4 2017 Matus Honek <mhonek@redhat.com> - 2.4.44-1 * Wed May 11 2016 Matus Honek <mhonek@redhat.com> - 2.4.44-1
- Rebase to openldap-2.4.44 (#1386365) - Update to 2.4.44 (#1305191)


* Wed Aug 17 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-13 * Tue May 3 2016 Matus Honek <mhonek@redhat.com> - 2.4.43-5
- fix: Bad log levels in check_password module - Bring back *.la files in %%{_libdir}/openldap/ (#1331484)
- fix: We can't search expected entries from LDAP server
- fix: OpenLDAP ciphersuite parsing doesn't match OpenSSL ciphers man page
+ Add TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 to list of ciphers
+ Add DH cipher string parsing option
+ Correct handling kECDH ciphers with aRSA or aECDSA


* Fri Jul 1 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-12 * Wed Apr 27 2016 Matus Honek <mhonek@redhat.com> - 2.4.43-4
- fix: slapd crash in do_search (#1316450) - Keep *.so libraries in %%{_libdir}/openldap/ (#1331484)
- fix: Setting olcTLSProtocolMin does not change supported protocols (#1249093) - Include AllOp overlay (#1319782)


* Mon May 30 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-11 * Sun Apr 10 2016 Peter Robinson <pbrobinson@fedoraproject.org> 2.4.43-3
- fix: correct inconsistent slapd.d directory permissions (#1255433) - Ensure all libtool archive files are removed (.la)


* Mon May 30 2016 Matus Honek <mhonek@redhat.com> - 2.4.40-10 * Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.43-2
- fix: slapd fails to start on boot (#1315958) - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
- fix: id_query option is not available after rebasing openldap to 2.4.39 (#1311832)
- Include sha2 module (#1292568)
- Compile AllOp together with other overlays (#990893)
- Missing mutex unlock in accesslog overlay (#1261003)
- ITS#8337 fix missing olcDbChecksum config attr (#1292590)
- ITS#8003 fix off-by-one in LDIF length (#1292619)


* Mon Feb 22 2016 Matúš Honěk <mhonek@redhat.com> - 2.4.40-9 * Wed Dec 02 2015 Fedora Release Monitoring <release-monitoring@fedoraproject.org> - 2.4.43-1
- fix: nslcd segfaults due to incorrect mutex initialization (#1294385) - Update to 2.4.43 (#1253871)


* Wed Sep 23 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-8 * Thu Jul 16 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.41-1
- NSS does not support string ordering (#1231522) - New upstream release 2.4.41 (#1238251)
- implement and correct order of parsing attributes (#1231522)
- add multi_mask and multi_strength to correctly handle sets of attributes (#1231522)
- add new cipher suites and correct AES-GCM attributes (#1245279)
- correct DEFAULT ciphers handling to exclude eNULL cipher suites (#1245279)


* Mon Sep 14 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-7 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.40-14
- Merge two MozNSS cipher suite definition patches into one. (#1245279) - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
- Use what NSS considers default for DEFAULT cipher string. (#1245279)
- Remove unnecesary defaults from ciphers' definitions (#1245279)


* Tue Sep 01 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-6 * Wed Jun 03 2015 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.40-13
- fix: OpenLDAP shared library destructor triggers memory leaks in NSPR (#1249977) - Perl 5.22 rebuild


* Fri Jul 24 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-5 * Mon Apr 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-12
- enhancement: support TLS 1.1 and later (#1231522,#1160467) - fix: bring back tmpfiles config (#1215655)
- fix: openldap ciphersuite parsing code handles masks incorrectly (#1231522)
- fix the patch in commit da1b5c (fix: OpenLDAP crash in NSS shutdown handling) (#1231228)


* Mon Jun 29 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-4 * Mon Mar 30 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-11
- fix: rpm -V complains (#1230263) -- make the previous fix do what was intended - remove spurious ghosted file


* Mon Jun 22 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-3 * Fri Feb 20 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-10
- fix: rpm -V complains (#1230263) - link against moznss again (#1187742)


* Wed Jun 3 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-2 * Wed Feb 11 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
- fix: missing frontend database indexing (#1226600) - fix: Unknown Berkeley DB major version in db.h (#1191098)


* Wed May 20 2015 Matúš Honěk <mhonek@redhat.com> - 2.4.40-1 * Tue Feb 10 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-9
- new upstream release (#1147982) - CVE-2015-1545: slapd crashes on search with deref control (#1190645)
- fix: PIE and RELRO check (#1092562)
- fix: slaptest doesn't convert perlModuleConfig lines (#1184585)
- fix: OpenLDAP crash in NSS shutdown handling (#1158005)
- fix: slapd.service may fail to start if binding to NIC ip (#1198781)
- fix: deadlock during SSL_ForceHandshake when getting connection to replica (#1125152)
- improve check_password (#1174723, #1196243)
- provide an unversioned symlink to check_password.so.1.1 (#1174634)
- add findutils to requires (#1209229)


* Thu Dec 4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-6 * Tue Jan 27 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-8
- refix: slapd.ldif olcFrontend missing important/required objectclass (#1132094) - link against openssl by default
- simplify package even more by removing certificate generation


* Fri Nov 28 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-5 * Mon Jan 26 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-7
- add documentation reference to service file (#1087288) - remove tmpfiles config since it's no longer needed
- fix: tls_reqcert try has bad behavior (#1027613) - fix invalid ldif
- simplify checking for missing server configuration


* Tue Nov 25 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-4 * Fri Jan 16 2015 Jan Synáček <jsynacek@redhat.com> - 2.4.40-6
- support TLS 1.1 and later (#1160468) - remove openldap-fedora-systemd.patch
- fix: /etc/openldap/certs directory is empty after installation (#1064251) - remove openldap-ldaprc-currentdir.patch
- fix: Typo in script to generate /usr/libexec/openldap/generate-server-cert.sh (#1087490) - remove openldap-userconfig-setgid.patch
- fix: remove correct tmp file when generating server cert (#1103101) - remove openldap-syncrepl-unset-tls-options.patch
- fix: slapd.ldif olcFrontend missing important/required objectclass (#1132094) - remove unneeded configure flags, disable sql backend and aci
- make mdb default after a new installation
- remove pid file and args file
- renumber patches and sources


* Wed Feb 26 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-3 * Wed Dec 17 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-5
- move tmpfiles config to correct location (#1069513) - harden the build
- improve check_password
- provide an unversioned symlink to check_password.so.1.1

* Tue Dec 16 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-4
- remove openldap.pc

* Tue Dec 9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-3
- enhancement: generate openldap.pc (#1171493)

* Fri Nov 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-2
- enhancement: support TLSv1 and later (#1160466)

* Mon Oct 6 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-1
- new upstream release (#1147877)

* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.39-12
- Perl 5.20 rebuild

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.4.39-10
- fix license handling

* Mon Jul 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-9
- fix: fix typo in generate-server-cert.sh (#1117229)

* Mon Jun 9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-8
- fix: make default service configuration listen on ldaps:/// as well (#1105634)

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Fri May 30 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-6
- fix: remove correct tmp file when generating server cert (#1103102)

* Mon Mar 24 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-5
- re-symlink unversioned libraries, so ldconfig is not confused (#1028557)

* Tue Mar 4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-4
- don't automatically convert slapd.conf to slapd-config

* Wed Feb 19 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-3
- remove redundant sysconfig-related stuff
- add documentation reference to service file
- alias slapd.service as openldap.service

* Tue Feb 4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-2
- CVE-2013-4449: segfault on certain queries with rwm overlay (#1060851)

* Wed Jan 29 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-1
- new upstream release (#1059186)

* Mon Nov 18 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.38-1
- new upstream release (#1031608)

* Mon Nov 11 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-2
- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1028935)

* Wed Oct 30 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-1
- new upstream release (#1023916)
- fix: missing a linefeed at the end of file /etc/openldap/ldap.conf (#1019836)

* Mon Oct 21 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-4
- fix: slapd daemon fails to start with segmentation fault on s390x (#1020661)

* Tue Oct 15 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-3
- rebuilt for libdb-5.3.28

* Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2
- fix: CLDAP is broken for IPv6 (#1018688)

* Wed Sep 4 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2
- fix: typos in manpages

* Tue Aug 20 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-1
- new upstream release
+ compile-in mdb backend


* Wed Feb 5 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-2 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.35-7
- CVE-2013-4449: segfault on certain queries with rwm overlay (#1061405) - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Thu Jan 30 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-1
- new upstream release (#1040324)

* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.4.35-12
- Mass rebuild 2014-01-24

* Thu Jan 16 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.35-11
- fix: missing EOL at the end of default /etc/openldap/ldap.conf (#1053005)

* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.4.35-10
- Mass rebuild 2013-12-27

* Tue Dec 17 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-9
- fix: more typos in manpages (#948562)

* Wed Nov 13 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-8
- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1023415)

* Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-7
- fix: CLDAP is broken for IPv6 (#1007421)


* Wed Sep 4 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-6 * Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 2.4.35-6
- fix: typos in manpages (#948562) - Perl 5.18 rebuild


* Fri Jun 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-5 * Fri Jun 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-5
- fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0" - fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0"
