initial package creation

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>

SOURCES/UPGRADE_INSTRUCTIONS

@@ -0,0 +1,30 @@
+You have upgraded your openldap-servers package.
+Any major version upgrade can cause database corruption or loss.
+Please, make sure that you have up-to-date back up and read this document carefully.
+
+It's still recommended to do the backup even on the minor version upgrade.
+
+Please, review the next links before performing any action:
+
+Upgrading from 2.4.x - https://www.openldap.org/doc/admin25/appendix-upgrading.html
+Upgrading from 2.5.x - https://www.openldap.org/doc/admin26/appendix-upgrading.html
+The normal upgrade procedure - https://www.openldap.org/doc/admin26/maintenance.html
+
+Additionally, please, review and perform the following steps that can help you with the upgrade:
+
+         1. Back up both data and configuration directories into a safe place;
+         2. Export data to an LDIF file using slapcat;
+a. If you have the deprecated DB type and you haven't performed the slapcat command, you need to move your data and configuration to the system with OpenLDAP 2.4 version and run slapcat command there;
+         3. Change the server's configuration according to the changes in the above documents;
+          a. If you are replacing the BDB/HDB with MDB, make sure to replace the BDB/HDB sections with their MDB counterparts;
+4. Clear out the current data directory;
+         5. Import data to a new database from the LDIF file using slapadd;
+         6. Make sure that your data is intact.
+
+After you have completed the above operations, you can remove this file (/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS) and start the server:
+
+        systemctl start slapd.service
+
+Be careful with this document's procedure, make sure you understand it, and test it in a non-production environment first. Always make sure that all backups are in place.
+
+You have been warned about the possibility of data corruption or loss.

SOURCES/check-password-makefile.patch

@@ -0,0 +1,58 @@
+diff --git a/Makefile b/Makefile
+index 4457bad..91de40b 100644
+--- a/Makefile
++++ b/Makefile
+@@ -13,17 +13,10 @@ CRACKLIB=/usr/share/cracklib/pw_dict
+ #
+ CONFIG=/etc/openldap/check_password.conf
+ 
+-
+-# Where to find the OpenLDAP headers.
+-#
+-LDAP_INC=-I/usr/include/openldap/include \
+-	 -I/usr/include/openldap/servers/slapd
+-
+-# Where to find the CrackLib headers.
+-#
+-CRACK_INC=
+-
+-INCS=$(LDAP_INC) $(CRACK_INC)
++CFLAGS+=-fpic                                                  \
++	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \
++	-DCONFIG_FILE="\"$(CONFIG)\""                          \
++	-DDEBUG
+ 
+ LDAP_LIB=-lldap_r -llber
+ 
+@@ -33,27 +26,21 @@ LDAP_LIB=-lldap_r -llber
+ #
+ CRACKLIB_LIB=-lcrack
+ 
+-CC_FLAGS=-g -O2 -Wall -fpic
+-CRACKLIB_OPT=-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""
+-DEBUG_OPT=-DDEBUG
+-CONFIG_OPT=-DCONFIG_FILE="\"$(CONFIG)\""
+-
+-OPT=$(CC_FLAGS) $(CRACKLIB_OPT) $(CONFIG_OPT) $(DEBUG_OPT)
+-
+ LIBS=$(LDAP_LIB) $(CRACKLIB_LIB)
+ 
+ LIBDIR=/usr/lib/openldap/
+ 
++
+ all: 	check_password
+ 
+ check_password.o:
+-	$(CC) $(OPT) -c $(INCS) check_password.c
++	$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+ 
+ check_password: clean check_password.o
+-	$(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
++	$(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ 
+ install: check_password
+-	cp -f check_password.so $(LIBDIR)
++	cp -f check_password.so ../../../usr/lib/openldap/modules/
+ 
+ clean:
+ 	$(RM) check_password.o check_password.so check_password.lo

SOURCES/check-password.patch

@@ -0,0 +1,321 @@
+--- a/check_password.c	2009-10-31 18:59:06.000000000 +0100
++++ b/check_password.c	2014-12-17 12:25:00.148900907 +0100
+@@ -10,7 +10,7 @@
+ #include <slap.h>
+ 
+ #ifdef HAVE_CRACKLIB
+-#include "crack.h"
++#include <crack.h>
+ #endif
+ 
+ #if defined(DEBUG)
+@@ -34,18 +34,77 @@
+ #define PASSWORD_TOO_SHORT_SZ \
+ 	"Password for dn=\"%s\" is too short (%d/6)"
+ #define PASSWORD_QUALITY_SZ \
+-	"Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
++	"Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
+ #define BAD_PASSWORD_SZ \
+ 	"Bad password for dn=\"%s\" because %s"
++#define UNKNOWN_ERROR_SZ \
++	"An unknown error occurred, please see your systems administrator"
+ 
+ typedef int (*validator) (char*);
+-static int read_config_file (char *);
++static int read_config_file ();
+ static validator valid_word (char *);
+ static int set_quality (char *);
+ static int set_cracklib (char *);
+ 
+ int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+ 
++struct config_entry {
++	char* key;
++	char* value;
++	char* def_value;
++} config_entries[] = { { "minPoints", NULL, "3"},
++		       { "useCracklib", NULL, "1"},
++		       { "minUpper", NULL, "0"},
++		       { "minLower", NULL, "0"},
++		       { "minDigit", NULL, "0"},
++		       { "minPunct", NULL, "0"},
++		       { NULL, NULL, NULL }};
++
++int get_config_entry_int(char* entry) {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	char* key = centry[i].key;
++	while (key != NULL) {
++		if ( strncmp(key, entry, strlen(key)) == 0 ) {
++			if ( centry[i].value == NULL ) {
++				return atoi(centry[i].def_value);
++			}
++			else {
++				return atoi(centry[i].value);
++			}
++		}
++		i++;
++		key = centry[i].key;
++	}
++
++	return -1;
++}
++
++void dealloc_config_entries() {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	while (centry[i].key != NULL) {
++		if ( centry[i].value != NULL ) {
++			ber_memfree(centry[i].value);
++		}
++		i++;
++	}
++}
++
++char* chomp(char *s)
++{
++	char* t = ber_memalloc(strlen(s)+1);
++	strncpy (t,s,strlen(s)+1);
++
++	if ( t[strlen(t)-1] == '\n' ) {
++		t[strlen(t)-1] = '\0';
++	}
++
++	return t;
++}
++
+ static int set_quality (char *value)
+ {
+ #if defined(DEBUG)
+@@ -84,12 +143,12 @@
+ 		char * parameter;
+ 		validator dealer;
+ 	} list[] = { { "minPoints", set_quality },
+-		{ "useCracklib", set_cracklib },
+-		{ "minUpper", set_digit },
+-		{ "minLower", set_digit },
+-		{ "minDigit", set_digit },
+-		{ "minPunct", set_digit },
+-		{ NULL, NULL } };
++		     { "useCracklib", set_cracklib },
++		     { "minUpper", set_digit },
++		     { "minLower", set_digit },
++		     { "minDigit", set_digit },
++		     { "minPunct", set_digit },
++		     { NULL, NULL } };
+ 	int index = 0;
+ 
+ #if defined(DEBUG)
+@@ -98,7 +157,7 @@
+ 
+ 	while (list[index].parameter != NULL) {
+ 		if (strlen(word) == strlen(list[index].parameter) &&
+-				strcmp(list[index].parameter, word) == 0) {
++		    strcmp(list[index].parameter, word) == 0) {
+ #if defined(DEBUG)
+ 			syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+ #endif
+@@ -114,13 +173,15 @@
+ 	return NULL;
+ }
+ 
+-static int read_config_file (char *keyWord)
++static int read_config_file ()
+ {
+ 	FILE * config;
+ 	char * line;
+ 	int returnValue =  -1;
+ 
+-	if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
++	line = ber_memcalloc(260, sizeof(char));
++
++	if ( line == NULL ) {
+ 		return returnValue;
+ 	}
+ 
+@@ -133,6 +194,8 @@
+ 		return returnValue;
+ 	}
+ 
++	returnValue = 0;
++
+ 	while (fgets(line, 256, config) != NULL) {
+ 		char *start = line;
+ 		char *word, *value;
+@@ -145,23 +208,40 @@
+ 
+ 		while (isspace(*start) && isascii(*start)) start++;
+ 
+-		if (! isascii(*start))
++		/* If we've got punctuation, just skip the line. */
++		if ( ispunct(*start)) {
++#if defined(DEBUG)
++			/* Debug traces to syslog. */
++			syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
++#endif
+ 			continue;
++		}
+ 
+-		if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
+-			if ((value = strtok(NULL, " \t")) == NULL)
+-				continue;
++		if( isascii(*start)) {
++
++			struct config_entry* centry = config_entries;
++			int i = 0;
++			char* keyWord = centry[i].key;
++			if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
++				while ( keyWord != NULL ) {
++					if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+ 
+ #if defined(DEBUG)
+-			syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
++						syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ #endif
+ 
+-			returnValue = (*dealer)(value);
++						centry[i].value = chomp(value);
++						break;
++					}
++					i++;
++					keyWord = centry[i].key;
++				}
++			}
+ 		}
+ 	}
+-
+ 	fclose(config);
+ 	ber_memfree(line);
++
+ 	return returnValue;
+ }
+ 
+@@ -170,7 +250,7 @@
+ 	if (curlen < nextlen + MEMORY_MARGIN) {
+ #if defined(DEBUG)
+ 		syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
+-				curlen, nextlen + MEMORY_MARGIN);
++		       curlen, nextlen + MEMORY_MARGIN);
+ #endif
+ 		ber_memfree(*target);
+ 		curlen = nextlen + MEMORY_MARGIN;
+@@ -180,7 +260,7 @@
+ 	return curlen;
+ }
+ 
+-	int
++int
+ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ {
+ 
+@@ -210,20 +290,22 @@
+ 	nLen = strlen (pPasswd);
+ 	if ( nLen < 6) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_TOO_SHORT_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 1);
++						strlen(PASSWORD_TOO_SHORT_SZ) +
++						strlen(pEntry->e_name.bv_val) + 1);
+ 		sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
+ 		goto fail;
+ 	}
+ 
+-	/* Read config file */
+-	minQuality = read_config_file("minPoints");
++	if (read_config_file() == -1) {
++		syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
++	}
+ 
+-	useCracklib = read_config_file("useCracklib");
+-	minUpper = read_config_file("minUpper");
+-	minLower = read_config_file("minLower");
+-	minDigit = read_config_file("minDigit");
+-	minPunct = read_config_file("minPunct");
++	minQuality = get_config_entry_int("minPoints");
++	useCracklib = get_config_entry_int("useCracklib");
++	minUpper = get_config_entry_int("minUpper");
++	minLower = get_config_entry_int("minLower");
++	minDigit = get_config_entry_int("minDigit");
++	minPunct = get_config_entry_int("minPunct");
+ 
+ 	/** The password must have at least minQuality strength points with one
+ 	 * point for the first occurrance of a lower, upper, digit and
+@@ -232,8 +314,6 @@
+ 
+ 	for ( i = 0; i < nLen; i++ ) {
+ 
+-		if ( nQuality >= minQuality ) break;
+-
+ 		if ( islower (pPasswd[i]) ) {
+ 			minLower--;
+ 			if ( !nLower && (minLower < 1)) {
+@@ -279,12 +359,23 @@
+ 		}
+ 	}
+ 
+-	if ( nQuality < minQuality ) {
++	/*
++	 * If you have a required field, then it should be required in the strength
++	 * checks.
++	 */
++
++	if (
++		(minLower > 0 ) ||
++		(minUpper > 0 ) ||
++		(minDigit > 0 ) ||
++		(minPunct > 0 ) ||
++		(nQuality < minQuality)
++		) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_QUALITY_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 2);
++						strlen(PASSWORD_QUALITY_SZ) +
++						strlen(pEntry->e_name.bv_val) + 2);
+ 		sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+-				nQuality, minQuality);
++			 nQuality, minQuality);
+ 		goto fail;
+ 	}
+ 
+@@ -306,7 +397,7 @@
+ 		for ( j = 0; j < 3; j++ ) {
+ 
+ 			snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+-					CRACKLIB_DICTPATH, ext[j]);
++				  CRACKLIB_DICTPATH, ext[j]);
+ 
+ 			if (( fp = fopen ( filename, "r")) == NULL ) {
+ 
+@@ -326,9 +417,9 @@
+ 			r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+ 			if ( r != NULL ) {
+ 				mem_len = realloc_error_message(&szErrStr, mem_len,
+-						strlen(BAD_PASSWORD_SZ) +
+-						strlen(pEntry->e_name.bv_val) +
+-						strlen(r));
++								strlen(BAD_PASSWORD_SZ) +
++								strlen(pEntry->e_name.bv_val) +
++								strlen(r));
+ 				sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+ 				goto fail;
+ 			}
+@@ -342,15 +433,15 @@
+ 	}
+ 
+ #endif
+-
++	dealloc_config_entries();
+ 	*ppErrStr = strdup ("");
+ 	ber_memfree(szErrStr);
+ 	return (LDAP_SUCCESS);
+ 
+ fail:
++	dealloc_config_entries();
+ 	*ppErrStr = strdup (szErrStr);
+ 	ber_memfree(szErrStr);
+ 	return (EXIT_FAILURE);
+ 
+ }
+-

SOURCES/ldap.conf

@@ -0,0 +1,28 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT	/etc/pki/tls/cert.pem
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON	on
+

SOURCES/libexec-check-config.sh

@@ -0,0 +1,102 @@
+#!/usr/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+	retcode=0
+	tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+	run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+	if [ $? -ne 0 ]; then
+		error "Checking configuration file failed:"
+		cat $tmp_slaptest >&2
+		retcode=1
+	fi
+	rm $tmp_slaptest
+	return $retcode
+}
+
+function check_certs_perms()
+{
+	retcode=0
+	for cert in `certificates`; do
+		run_as_ldap "/usr/bin/test -e \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' was not found." "$cert"
+			retcoder=1
+			continue
+		fi
+		run_as_ldap "/usr/bin/test -r \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' is not readable." "$cert"
+			retcode=1
+		fi
+	done
+	return $retcode
+}
+
+function check_db_perms()
+{
+	retcode=0
+	for dbdir in `databases`; do
+		[ -d "$dbdir" ] || continue
+		for dbfile in `find ${dbdir} -maxdepth 1 -name "*.mdb"` ; do
+			run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+			if [ $? -ne 0 ]; then
+				error "Read/write permissions for DB file '%s' are required." "$dbfile"
+				retcode=1
+			fi
+		done
+	done
+	return $retcode
+}
+
+function check_major_upgrade()
+{
+	retcode=0
+	if [ -f "/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS" ]; then
+		error "You have upgraded your openldap-servers package. There are actions that need to be performed. Please, read the /usr/share/openldap-servers/UPGRADE_INSTRUCTIONS file"
+		retcode=1
+	fi
+	return $retcode
+}
+
+function check_everything()
+{
+	retcode=0
+	check_config_syntax || retcode=1
+	check_certs_perms || retcode=1
+	check_db_perms || retcode=1
+	return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this script."
+	exit 4
+fi
+
+check_major_upgrade || return 1
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+	if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+		error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+	else
+		check_everything
+		exit $?
+	fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+	if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+		error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+	else
+		error "Warning: Usage of a configuration file is obsolete!"
+		check_everything
+		exit $?
+	fi
+fi
+
+exit 1

SOURCES/libexec-functions

@@ -0,0 +1,120 @@
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+	SLAPD_USER=ldap
+	SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+	SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+	SLAPD_CONFIG_CUSTOM=
+	SLAPD_GLOBAL_OPTIONS=
+	SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+	user=
+	config_file=
+	config_dir=
+	while getopts :u:f:F: opt; do
+		case "$opt" in
+		u)
+			user="$OPTARG"
+			;;
+		f)
+			config_file="$OPTARG"
+			;;
+		F)
+			config_dir="$OPTARG"
+			;;
+		esac
+	done
+
+	if [ -n "$user" ]; then
+		SLAPD_USER="$user"
+	fi
+
+	if [ -n "$config_dir" ]; then
+		SLAPD_CONFIG_DIR="$config_dir"
+		SLAPD_CONFIG_FILE=
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+	elif [ -n "$config_file" ]; then
+		SLAPD_CONFIG_DIR=
+		SLAPD_CONFIG_FILE="$config_file"
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+	fi
+}
+
+function uses_new_config()
+{
+	[ -n "$SLAPD_CONFIG_DIR" ]
+	return $?
+}
+
+function run_as_ldap()
+{
+	/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+	return $?
+}
+
+function ldif_unbreak()
+{
+	sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+	sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c \
+	-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcDbDirectory: ' | \
+		ldif_value
+}
+
+function certificates_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+		ldif_value
+}
+
+function certificates()
+{
+	uses_new_config && certificates_new
+}
+
+function databases()
+{
+	uses_new_config && databases_new
+}
+
+
+function error()
+{
+	format="$1\n"; shift
+	printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+	[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+	. "$SLAPD_SYSCONFIG_FILE"
+	[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config

SOURCES/openldap-Revert-ITS-8618-Remove-deprecated-h-and-p.patch

@@ -0,0 +1,393 @@
+From e1782a92cc0e6dde404fa5fb18cb8dba46887fc0 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@redhat.com>
+Date: Thu, 26 May 2022 17:17:39 -0700
+Subject: [PATCH] Revert "ITS#8618 - Remove deprecated -h and -p options to
+ client tools"
+
+Except tests. For tests, use -H option.
+---
+ clients/tools/common.c     | 53 +++++++++++++++++++++++++++++++++++++-
+ clients/tools/common.h     |  2 ++
+ doc/man/man1/ldapcompare.1 | 12 +++++++++
+ doc/man/man1/ldapdelete.1  | 12 +++++++++
+ doc/man/man1/ldapexop.1    | 12 +++++++++
+ doc/man/man1/ldapmodify.1  | 16 ++++++++++++
+ doc/man/man1/ldapmodrdn.1  | 12 +++++++++
+ doc/man/man1/ldappasswd.1  | 12 +++++++++
+ doc/man/man1/ldapsearch.1  | 12 +++++++++
+ doc/man/man1/ldapwhoami.1  | 12 +++++++++
+ 10 files changed, 154 insertions(+), 1 deletion(-)
+
+diff --git a/clients/tools/common.c b/clients/tools/common.c
+index b88f219b3..28178d64c 100644
+--- a/clients/tools/common.c
++++ b/clients/tools/common.c
+@@ -71,6 +71,8 @@ char		*prog = NULL;
+ 
+ /* connection */
+ char		*ldapuri = NULL;
++char		*ldaphost = NULL;
++int  		ldapport = 0;
+ int		use_tls = 0;
+ int		protocol = -1;
+ int		version = 0;
+@@ -348,6 +350,7 @@ N_("             [!]sessiontracking[=<username>]\n")
+ N_("             abandon, cancel, ignore (SIGINT sends abandon/cancel,\n"
+    "             or ignores response; if critical, doesn't wait for SIGINT.\n"
+    "             not really controls)\n")
++N_("  -h host    LDAP server (deprecated in favor of \"-H\")\n"),
+ N_("  -H URI     LDAP Uniform Resource Identifier(s)\n"),
+ N_("  -I         use SASL Interactive mode\n"),
+ N_("  -n         show what would be done but don't actually do it\n"),
+@@ -356,6 +359,7 @@ N_("  -O props   SASL security properties\n"),
+ N_("  -o <opt>[=<optparam>] any libldap ldap.conf options, plus\n"),
+ N_("             ldif_wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
+ N_("             nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
++N_("  -p port    port on LDAP server (deprecated in favor of \"-H\")\n"),
+ N_("  -Q         use SASL Quiet mode\n"),
+ N_("  -R realm   SASL realm\n"),
+ N_("  -U authcid SASL authentication identity\n"),
+@@ -774,6 +778,13 @@ tool_args( int argc, char **argv )
+ 			}
+ 			infile = optarg;
+ 			break;
++		case 'h':	/* ldap host */
++			if( ldaphost != NULL ) {
++				fprintf( stderr, "%s: -h previously specified\n", prog );
++				exit( EXIT_FAILURE );
++			}
++			ldaphost = optarg;
++			break;
+ 		case 'H':	/* ldap URI */
+ 			if( ldapuri != NULL ) {
+ 				fprintf( stderr, "%s: -H previously specified\n", prog );
+@@ -887,6 +898,18 @@ tool_args( int argc, char **argv )
+ 			exit( EXIT_FAILURE );
+ #endif
+ 			break;
++		case 'p':
++			if( ldapport ) {
++				fprintf( stderr, "%s: -p previously specified\n", prog );
++				exit( EXIT_FAILURE );
++			}
++			ival = strtol( optarg, &next, 10 );
++			if ( next == NULL || next[0] != '\0' ) {
++				fprintf( stderr, "%s: unable to parse port number \"%s\"\n", prog, optarg );
++				exit( EXIT_FAILURE );
++			}
++			ldapport = ival;
++			break;
+ 		case 'P':
+ 			ival = strtol( optarg, &next, 10 );
+ 			if ( next == NULL || next[0] != '\0' ) {
+@@ -1121,6 +1144,22 @@ tool_args( int argc, char **argv )
+ #endif
+ 	}
+ 
++	if( ldapuri == NULL ) {
++		if( ldapport && ( ldaphost == NULL )) {
++			fprintf( stderr, "%s: -p without -h is invalid.\n", prog );
++			exit( EXIT_FAILURE );
++		}
++	} else {
++		if( ldaphost != NULL ) {
++			fprintf( stderr, "%s: -H incompatible with -h\n", prog );
++			exit( EXIT_FAILURE );
++		}
++		if( ldapport ) {
++			fprintf( stderr, "%s: -H incompatible with -p\n", prog );
++			exit( EXIT_FAILURE );
++		}
++	}
++
+ 	if( protocol == LDAP_VERSION2 ) {
+ 		if( assertctl || authzid || manageDIT || manageDSAit ||
+ #ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
+@@ -1191,7 +1230,19 @@ tool_conn_setup( int dont, void (*private_setup)( LDAP * ) )
+ 	if ( !dont ) {
+ 		int rc;
+ 
+-		if ( ldapuri != NULL ) {
++		if( ( ldaphost != NULL || ldapport ) && ( ldapuri == NULL ) ) {
++			/* construct URL */
++			LDAPURLDesc url;
++			memset( &url, 0, sizeof(url));
++
++			url.lud_scheme = "ldap";
++			url.lud_host = ldaphost;
++			url.lud_port = ldapport;
++			url.lud_scope = LDAP_SCOPE_DEFAULT;
++
++			ldapuri = ldap_url_desc2str( &url );
++
++		} else if ( ldapuri != NULL ) {
+ 			LDAPURLDesc	*ludlist, **ludp;
+ 			char		**urls = NULL;
+ 			int		nurls = 0;
+diff --git a/clients/tools/common.h b/clients/tools/common.h
+index c4377da17..41c3d874a 100644
+--- a/clients/tools/common.h
++++ b/clients/tools/common.h
+@@ -61,6 +61,8 @@ extern char		*prog;
+ 
+ /* connection */
+ extern char		*ldapuri;
++extern char		*ldaphost;
++extern int		ldapport;
+ extern int		use_tls;
+ extern int		protocol;
+ extern int		version;
+diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
+index b15b0c4f8..b7747ad8c 100644
+--- a/doc/man/man1/ldapcompare.1
++++ b/doc/man/man1/ldapcompare.1
+@@ -31,6 +31,10 @@ ldapcompare \- LDAP compare tool
+ [\c
+ .BI \-H \ ldapuri\fR]
+ [\c
++.BI \-h \ ldaphost\fR]
++[\c
++.BI \-p \ ldapport\fR]
++[\c
+ .BR \-P \ { 2 \||\| 3 }]
+ [\c
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+@@ -139,6 +143,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+ fields are allowed; a list of URI, separated by whitespace or commas
+ is expected.
+ .TP
++.BI \-h \ ldaphost
++Specify an alternate host on which the ldap server is running.
++Deprecated in favor of \fB\-H\fP.
++.TP
++.BI \-p \ ldapport
++Specify an alternate TCP port where the ldap server is listening.
++Deprecated in favor of \fB\-H\fP.
++.TP
+ .BR \-P \ { 2 \||\| 3 }
+ Specify the LDAP protocol version to use.
+ .TP
+diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
+index e12cc56bb..84dbd882c 100644
+--- a/doc/man/man1/ldapdelete.1
++++ b/doc/man/man1/ldapdelete.1
+@@ -37,6 +37,10 @@ ldapdelete \- LDAP delete entry tool
+ [\c
+ .BI \-H \ ldapuri\fR]
+ [\c
++.BI \-h \ ldaphost\fR]
++[\c
++.BI \-p \ ldapport\fR]
++[\c
+ .BR \-P \ { 2 \||\| 3 }]
+ [\c
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+@@ -145,6 +149,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+ fields are allowed; a list of URI, separated by whitespace or commas
+ is expected.
+ .TP
++.BI \-h \ ldaphost
++Specify an alternate host on which the ldap server is running.
++Deprecated in favor of \fB\-H\fP.
++.TP
++.BI \-p \ ldapport
++Specify an alternate TCP port where the ldap server is listening.
++Deprecated in favor of \fB\-H\fP.
++.TP
+ .BR \-P \ { 2 \||\| 3 }
+ Specify the LDAP protocol version to use.
+ .TP
+diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
+index 2040c3e45..26e1730a8 100644
+--- a/doc/man/man1/ldapexop.1
++++ b/doc/man/man1/ldapexop.1
+@@ -42,6 +42,10 @@ ldapexop
+ [\c
+ .BI \-H \ URI\fR]
+ [\c
++.BI \-h \ ldaphost\fR]
++[\c
++.BI \-p \ ldapport\fR]
++[\c
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+ [\c
+ .BI \-o \ opt \fR[= optparam \fR]]
+@@ -156,6 +160,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+ fields are allowed; a list of URI, separated by whitespace or commas
+ is expected.
+ .TP
++.BI \-h \ ldaphost
++Specify the host on which the ldap server is running.
++Deprecated in favor of \fB\-H\fP.
++.TP
++.BI \-p \ ldapport
++Specify the TCP port where the ldap server is listening.
++Deprecated in favor of \fB\-H\fP.
++.TP
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+ Specify general extensions.  \'!\' indicates criticality.
+ .nf
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 1104e9f2a..affc661ea 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -37,6 +37,10 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
+ [\c
+ .BI \-H \ ldapuri\fR]
+ [\c
++.BI \-h \ ldaphost\fR]
++[\c
++.BI \-p \ ldapport\fR]
++[\c
+ .BR \-P \ { 2 \||\| 3 }]
+ [\c
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+@@ -93,6 +97,10 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
+ [\c
+ .BI \-H \ ldapuri\fR]
+ [\c
++.BI \-h \ ldaphost\fR]
++[\c
++.BI \-p \ ldapport\fR]
++[\c
+ .BR \-P \ { 2 \||\| 3 }]
+ [\c
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+@@ -204,6 +212,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+ fields are allowed; a list of URI, separated by whitespace or commas
+ is expected.
+ .TP
++.BI \-h \ ldaphost
++Specify an alternate host on which the ldap server is running.
++Deprecated in favor of \fB\-H\fP.
++.TP
++.BI \-p \ ldapport
++Specify an alternate TCP port where the ldap server is listening.
++Deprecated in favor of \fB\-H\fP.
++.TP
+ .BR \-P \ { 2 \||\| 3 }
+ Specify the LDAP protocol version to use.
+ .TP
+diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
+index 777c539ad..0226db5d2 100644
+--- a/doc/man/man1/ldapmodrdn.1
++++ b/doc/man/man1/ldapmodrdn.1
+@@ -37,6 +37,10 @@ ldapmodrdn \- LDAP rename entry tool
+ [\c
+ .BI \-H \ ldapuri\fR]
+ [\c
++.BI \-h \ ldaphost\fR]
++[\c
++.BI \-p \ ldapport\fR]
++[\c
+ .BR \-P \ { 2 \||\| 3 }]
+ [\c
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+@@ -139,6 +143,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+ fields are allowed; a list of URI, separated by whitespace or commas
+ is expected.
+ .TP
++.BI \-h \ ldaphost
++Specify an alternate host on which the ldap server is running.
++Deprecated in favor of \fB\-H\fP.
++.TP
++.BI \-p \ ldapport
++Specify an alternate TCP port where the ldap server is listening.
++Deprecated in favor of \fB\-H\fP.
++.TP
+ .BR \-P \ { 2 \||\| 3 }
+ Specify the LDAP protocol version to use.
+ .TP
+diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
+index d1aea0c8b..c9cea59c5 100644
+--- a/doc/man/man1/ldappasswd.1
++++ b/doc/man/man1/ldappasswd.1
+@@ -39,6 +39,10 @@ ldappasswd \- change the password of an LDAP entry
+ [\c
+ .BI \-H \ ldapuri\fR]
+ [\c
++.BI \-h \ ldaphost\fR]
++[\c
++.BI \-p \ ldapport\fR]
++[\c
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+ [\c
+ .BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+@@ -144,6 +148,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+ fields are allowed; a list of URI, separated by whitespace or commas
+ is expected.
+ .TP
++.BI \-h \ ldaphost
++Specify an alternate host on which the ldap server is running.
++Deprecated in favor of \fB\-H\fP.
++.TP
++.BI \-p \ ldapport
++Specify an alternate TCP port where the ldap server is listening.
++Deprecated in favor of \fB\-H\fP.
++.TP
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+ .TP
+ .BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
+index 7f3ec4095..7496602b8 100644
+--- a/doc/man/man1/ldapsearch.1
++++ b/doc/man/man1/ldapsearch.1
+@@ -57,6 +57,10 @@ ldapsearch \- LDAP search tool
+ [\c
+ .BI \-H \ ldapuri\fR]
+ [\c
++.BI \-h \ ldaphost\fR]
++[\c
++.BI \-p \ ldapport\fR]
++[\c
+ .BR \-P \ { 2 \||\| 3 }]
+ [\c
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+@@ -277,6 +281,14 @@ DNS SRV records, according to RFC 2782.  The DN must be a non-empty
+ sequence of AVAs whose attribute type is "dc" (domain component),
+ and must be escaped according to RFC 2396.
+ .TP
++.BI \-h \ ldaphost
++Specify an alternate host on which the ldap server is running.
++Deprecated in favor of \fB\-H\fP.
++.TP
++.BI \-p \ ldapport
++Specify an alternate TCP port where the ldap server is listening.
++Deprecated in favor of \fB\-H\fP.
++.TP
+ .BR \-P \ { 2 \||\| 3 }
+ Specify the LDAP protocol version to use.
+ .TP
+diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
+index 49b1187b2..adbc3f52c 100644
+--- a/doc/man/man1/ldapwhoami.1
++++ b/doc/man/man1/ldapwhoami.1
+@@ -27,6 +27,10 @@ ldapwhoami \- LDAP who am i? tool
+ [\c
+ .BI \-H \ ldapuri\fR]
+ [\c
++.BI \-h \ ldaphost\fR]
++[\c
++.BI \-p \ ldapport\fR]
++[\c
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+ [\c
+ .BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
+@@ -99,6 +103,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
+ fields are allowed; a list of URI, separated by whitespace or commas
+ is expected.
+ .TP
++.BI \-h \ ldaphost
++Specify an alternate host on which the ldap server is running.
++Deprecated in favor of \fB\-H\fP.
++.TP
++.BI \-p \ ldapport
++Specify an alternate TCP port where the ldap server is listening.
++Deprecated in favor of \fB\-H\fP.
++.TP
+ .BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+ .TP
+ .BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
+-- 
+2.35.3
+

SOURCES/openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch

@@ -0,0 +1,37 @@
+From 6779e56fafb0aa8ae5efa7068da34a630b51b530 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@redhat.com>
+Date: Fri, 5 Aug 2022 13:23:52 -0700
+Subject: [PATCH] Add export symbols related to LDAP_CONNECTIONLESS
+
+---
+ libraries/liblber/lber.map | 1 +
+ libraries/libldap/ldap.map | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/libraries/liblber/lber.map b/libraries/liblber/lber.map
+index 9a4094b0f..083cd1f32 100644
+--- a/libraries/liblber/lber.map
++++ b/libraries/liblber/lber.map
+@@ -121,6 +121,7 @@ OPENLDAP_2.200
+     ber_sockbuf_io_fd;
+     ber_sockbuf_io_readahead;
+     ber_sockbuf_io_tcp;
++    ber_sockbuf_io_udp;
+     ber_sockbuf_remove_io;
+     ber_sos_dump;
+     ber_start;
+diff --git a/libraries/libldap/ldap.map b/libraries/libldap/ldap.map
+index b28c9c21e..021aaba63 100644
+--- a/libraries/libldap/ldap.map
++++ b/libraries/libldap/ldap.map
+@@ -200,6 +200,7 @@ OPENLDAP_2.200
+     ldap_is_ldap_url;
+     ldap_is_ldapi_url;
+     ldap_is_ldaps_url;
++    ldap_is_ldapc_url;
+     ldap_is_read_ready;
+     ldap_is_write_ready;
+     ldap_ld_free;
+-- 
+2.37.1
+

SOURCES/openldap-ai-addrconfig.patch

@@ -0,0 +1,20 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7326
+Resolves: #835013
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index 14899cc..b25e750 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -620,8 +620,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+ 
+ #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+ 	memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
+-	/* Use AI_ADDRCONFIG only on systems where its known to be needed. */
++#ifdef AI_ADDRCONFIG
+ 	hints.ai_flags = AI_ADDRCONFIG;
+ #endif
+ 	hints.ai_family = ldap_int_inet4or6;

SOURCES/openldap-allop-overlay.patch

@@ -0,0 +1,41 @@
+Compile AllOp together with other overlays.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1319782
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index b5c3fc8..9aa8a4f 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -38,7 +38,8 @@ SRCS = overlays.c \
+ 	translucent.c \
+ 	unique.c \
+ 	valsort.c \
+-	smbk5pwd.c
++	smbk5pwd.c \
++	allop.c
+ OBJS = statover.o \
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
+@@ -58,7 +59,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ 
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
+ 
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -148,6 +149,12 @@ smbk5pwd.lo : smbk5pwd.c
+ smbk5pwd.la : smbk5pwd.lo
+ 	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+ 
++allop.lo : allop.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++allop.la : allop.lo
++	$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \

SOURCES/openldap-manpages.patch

@@ -0,0 +1,70 @@
+Various manual pages changes:
+* removes LIBEXECDIR from slapd.8
+* removes references to non-existing manpages (bz 624616)
+
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 353b075..cf37856 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -382,8 +382,7 @@ exit status and a diagnostic message being written to standard error.
+ .BR ldap_add_ext (3),
+ .BR ldap_delete_ext (3),
+ .BR ldap_modify_ext (3),
+-.BR ldap_modrdn_ext (3),
+-.BR ldif (5).
++.BR ldif (5)
+ .SH AUTHOR
+ The OpenLDAP Project <http://www.openldap.org/>
+ .SH ACKNOWLEDGEMENTS
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 17b7154..6084298 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -338,6 +338,7 @@ certificates in separate individual files. The
+ .B TLS_CACERT
+ is always used before
+ .B TLS_CACERTDIR.
++The specified directory must be managed with the OpenSSL c_rehash utility.
+ .TP
+ .B TLS_CERT <filename>
+ Specifies the file that contains the client certificate.
+diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
+index 8504b37..f02f1fa 100644
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd 
++.B slapd
+ [\c
+ .BR \-V [ V [ V ]]
+ [\c
+@@ -332,7 +332,7 @@ the LDAP databases defined in the default config file, just type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd
++	slapd
+ .ft
+ .fi
+ .LP
+@@ -343,7 +343,7 @@ on voluminous debugging which will be printed on standard error, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++	slapd -f /var/tmp/slapd.conf -d 255
+ .ft
+ .fi
+ .LP
+@@ -351,7 +351,7 @@ To test whether the configuration file is correct or not, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-Tt
++	slapd -Tt
+ .ft
+ .fi
+ .LP

SOURCES/openldap-openssl-manpage-defaultCA.patch

@@ -0,0 +1,51 @@
+Reference default system-wide CA certificates in manpages
+
+OpenSSL, unless explicitly configured, uses system-wide default set of CA
+certificates.
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 6084298..3070bb4 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -327,6 +327,9 @@ are more options you can specify.  These options are used when an
+ .B ldaps:// URI
+ is selected (by default or otherwise) or when the application
+ negotiates TLS by issuing the LDAP StartTLS operation.
++.LP
++When using OpenSSL, if neither  \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
++is set, the system-wide default set of CA certificates is used.
+ .TP
+ .B TLS_CACERT <filename>
+ Specifies the file that contains certificates for all of the Certificate
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index a559b0c..adda87a 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -878,6 +878,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither  \fBolcTLSCACertificateFile\fP nor
++\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B olcTLSCipherSuite: <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index b6e9250..1653a1b 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1108,6 +1108,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither  \fBTLSCACertificateFile\fP nor
++\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B TLSCipherSuite <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.

SOURCES/openldap-reentrant-gethostby.patch

@@ -0,0 +1,33 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton <jlayton@redhat.com>
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index aa69f70..4461bf2 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+ 
+ #else
+ # include <ldap_pvt_thread.h>
+@@ -442,7 +442,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+ 
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+ 
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))

SOURCES/openldap-smbk5pwd-overlay.patch

@@ -0,0 +1,59 @@
+Compile smbk5pwd together with other overlays.
+
+Author: Jan Šafránek <jsafrane@redhat.com>
+Resolves: #550895
+
+Update to link against OpenSSL
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #841560
+
+diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
+index 4a710a7..0cd4e9e 100644
+--- a/contrib/slapd-modules/smbk5pwd/README
++++ b/contrib/slapd-modules/smbk5pwd/README
+@@ -1,3 +1,8 @@
++******************************************************************************
++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
++******************************************************************************
++
+ This directory contains a slapd overlay, smbk5pwd, that extends the
+ PasswordModify Extended Operation to update Kerberos keys and Samba
+ password hashes for an LDAP user.
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index b84bc54..b5c3fc8 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -37,7 +37,8 @@ SRCS = overlays.c \
+ 	syncprov.c \
+ 	translucent.c \
+ 	unique.c \
+-	valsort.c
++	valsort.c \
++	smbk5pwd.c
+ OBJS = statover.o \
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
+@@ -57,7 +58,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ 
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+ 
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -141,6 +142,12 @@ unique.la : unique.lo
+ valsort.la : valsort.lo
+ 	$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+ 
++smbk5pwd.lo : smbk5pwd.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++smbk5pwd.la : smbk5pwd.lo
++	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \

SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch

@@ -0,0 +1,43 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
+
+Proof of concept for fixing http://bugs.debian.org/327585
+(patch ported from freeradius bug http://bugs.debian.org/416266)
+
+Resolves: #960048
+
+diff --git a/servers/slapd/module.c b/servers/slapd/module.c
+index e616f1d..52bacff 100644
+--- a/servers/slapd/module.c
++++ b/servers/slapd/module.c
+@@ -117,6 +117,20 @@ int module_unload( const char *file_name )
+ 	return -1;	/* not found */
+ }
+ 
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++	lt_dlhandle handle = 0;
++	lt_dladvise advise;
++
++	if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++			&& !lt_dladvise_global (&advise))
++		handle = lt_dlopenadvise (filename, advise);
++
++	lt_dladvise_destroy (&advise);
++
++	return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ 	module_loaded_t *module;
+@@ -179,7 +193,7 @@ int module_load(const char* file_name, int argc, char *argv[])
+ 	 * to calling Debug. This is because Debug is a macro that expands
+ 	 * into multiple function calls.
+ 	 */
+-	if ((module->lib = lt_dlopenext(file)) == NULL) {
++	if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ 		error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ 		strcpy( ebuf, error );

SOURCES/slapd.ldif

@@ -0,0 +1,163 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+#
+# TLS settings
+#
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+
+
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: allop.la
+#olcModuleload: auditlog.la
+#olcModuleload: autoca.la
+#olcModuleload: back_asyncmeta.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_sock.la
+#olcModuleload: check_password.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: home.la
+#olcModuleload: lloadd.la
+#olcModuleload: memberof.la
+#olcModuleload: otp.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: remoteauth.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+#	by self write
+#	by users read
+#	by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory:	/var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

SOURCES/slapd.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
+
+[Install]
+WantedBy=multi-user.target
+Alias=openldap.service

SOURCES/slapd.tmpfiles

@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /run/openldap 0755 ldap ldap -