%global _hardened_build 1

%global systemctl_bin /usr/bin/systemctl

%global check_password_version 1.1

Name: openldap

Version: 2.4.40

Release: 4%{?dist}

Summary: LDAP support libraries

Group: System Environment/Daemons

License: OpenLDAP

URL: http://www.openldap.org/

Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz

Source1: slapd.service

Source3: slapd.tmpfiles

Source4: slapd.ldif

Source5: ldap.conf

Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz

Source50: libexec-functions

Source51: libexec-convert-config.sh

Source52: libexec-check-config.sh

Source53: libexec-upgrade-db.sh

Source54: libexec-create-certdb.sh

Source55: libexec-generate-server-cert.sh

# patches for 2.4

Patch0: openldap-manpages.patch

Patch2: openldap-sql-linking.patch

Patch3: openldap-reentrant-gethostby.patch

Patch4: openldap-smbk5pwd-overlay.patch

Patch5: openldap-ldaprc-currentdir.patch

Patch6: openldap-userconfig-setgid.patch

Patch8: openldap-syncrepl-unset-tls-options.patch

Patch9: openldap-man-sasl-nocanon.patch

Patch10: openldap-ai-addrconfig.patch

Patch11: openldap-nss-update-list-of-ciphers.patch

Patch12: openldap-tls-no-reuse-of-tls_session.patch

Patch13: openldap-nss-regex-search-hashed-cacert-dir.patch

Patch14: openldap-nss-ignore-certdb-type-prefix.patch

Patch15: openldap-nss-certs-from-certdb-fallback-pem.patch

Patch16: openldap-nss-pk11-freeslot.patch

# fix back_perl problems with lt_dlopen()

# might cause crashes because of symbol collisions

# the proper fix is to link all perl modules against libperl

# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585

Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch

# ldapi sasl fix pending upstream inclusion

Patch20: openldap-ldapi-sasl.patch

# TLSv1 support, already included upstream

Patch21: openldap-support-tlsv1-and-later.patch

# Fedora specific patches

Patch100: openldap-autoconf-pkgconfig-nss.patch

Patch102: openldap-fedora-systemd.patch

BuildRequires: cyrus-sasl-devel, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel

BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl, perl-devel, perl(ExtUtils::Embed)

# smbk5pwd overlay:

BuildRequires: openssl-devel

Requires: nss-tools

%description

OpenLDAP is an open source suite of LDAP (Lightweight Directory Access

Protocol) applications and development tools. LDAP is a set of

protocols for accessing directory services (usually phone book style

information, but other information is possible) over the Internet,

similar to the way DNS (Domain Name System) information is propagated

over the Internet. The openldap package contains configuration files,

libraries, and documentation for OpenLDAP.

%package devel

Summary: LDAP development libraries and header files

Group: Development/Libraries

Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}

%description devel

The openldap-devel package includes the development libraries and

header files needed for compiling applications that use LDAP

(Lightweight Directory Access Protocol) internals. LDAP is a set of

protocols for enabling directory services over the Internet. Install

this package only if you plan to develop or will need to compile

customized LDAP clients.

%package servers

Summary: LDAP server

License: OpenLDAP

Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils

Requires(pre): shadow-utils

Requires(post): systemd, systemd-sysv, chkconfig

Requires(preun): systemd

Requires(postun): systemd

BuildRequires: libdb-devel

BuildRequires: systemd-units

BuildRequires: cracklib-devel

Group: System Environment/Daemons

# migrationtools (slapadd functionality):

Provides: ldif2ldbm

%description servers

OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access

Protocol) applications and development tools. LDAP is a set of

protocols for accessing directory services (usually phone book style

information, but other information is possible) over the Internet,

similar to the way DNS (Domain Name System) information is propagated

over the Internet. This package contains the slapd server and related files.

%package servers-sql

Summary: SQL support module for OpenLDAP server

Requires: openldap-servers%{?_isa} = %{version}-%{release}

Group: System Environment/Daemons

%description servers-sql

OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access

Protocol) applications and development tools. LDAP is a set of

protocols for accessing directory services (usually phone book style

information, but other information is possible) over the Internet,

similar to the way DNS (Domain Name System) information is propagated

over the Internet. This package contains a loadable module which the

slapd server can use to read data from an RDBMS.

%package clients

Summary: LDAP client utilities

Requires: openldap%{?_isa} = %{version}-%{release}

Group: Applications/Internet

%description clients

OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access

Protocol) applications and development tools. LDAP is a set of

protocols for accessing directory services (usually phone book style

information, but other information is possible) over the Internet,

similar to the way DNS (Domain Name System) information is propagated

over the Internet. The openldap-clients package contains the client

programs needed for accessing and modifying OpenLDAP directories.

%prep

%setup -q -c -a 0 -a 10

pushd openldap-%{version}

# use pkg-config for Mozilla NSS library

%patch100 -p1

# alternative include paths for Mozilla NSS

ln -s %{_includedir}/nss3 include/nss

ln -s %{_includedir}/nspr4 include/nspr

AUTOMAKE=%{_bindir}/true autoreconf -fi

%patch0 -p1

%patch2 -p1

%patch3 -p1

%patch4 -p1

%patch5 -p1

%patch6 -p1

%patch8 -p1

%patch9 -p1

%patch10 -p1

%patch11 -p1

%patch12 -p1

%patch13 -p1

%patch14 -p1

%patch15 -p1

%patch16 -p1

%patch19 -p1

%patch20 -p1

%patch21 -p1

%patch102 -p1

# build smbk5pwd with other overlays

ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays

mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd

mv servers/slapd/back-perl/README{,.back_perl}

# fix documentation encoding

for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do

	iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8"

	mv "$filename.utf8" "$filename"

done

popd

%build

%ifarch s390 s390x

  export CFLAGS="-fPIE"

%else

  export CFLAGS="-fpie"

%endif

export LDFLAGS="-pie"

# avoid stray dependencies (linker flag --as-needed)

# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)

export CFLAGS="${CFLAGS} %{optflags} -Wl,--as-needed -DLDAP_CONNECTIONLESS"

pushd openldap-%{version}

%configure \

	--enable-debug \

	--enable-dynamic \

	--enable-syslog \

	--enable-proctitle \

	--enable-ipv6 \

	--enable-local \

	\

	--enable-slapd \

	--enable-dynacl \

	--enable-aci \

	--enable-cleartext \

	--enable-crypt \

	--enable-lmpasswd \

	--enable-spasswd \

	--enable-modules \

	--enable-rewrite \

	--enable-rlookups \

	--enable-slapi \

	--disable-slp \

	--enable-wrappers \

	\

	--enable-backends=mod \

	--enable-bdb=yes \

	--enable-hdb=yes \

	--enable-mdb=yes \

	--enable-monitor=yes \

	--disable-ndb \

	\

	--enable-overlays=mod \

	\

	--disable-static \

	--enable-shared \

	\

	--with-cyrus-sasl \

	--without-fetch \

	--with-threads \

	--with-pic \

	--with-tls=moznss \

	--with-gnu-ld \

	\

	--libexecdir=%{_libdir}

make %{_smp_mflags}

popd

pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}

make LDAP_INC="-I../openldap-%{version}/include \

 -I../openldap-%{version}/servers/slapd \

 -I../openldap-%{version}/build-servers/include"

popd

%install

mkdir -p %{buildroot}%{_libdir}/

pushd openldap-%{version}

make install DESTDIR=%{buildroot} STRIP=""

popd

# install check_password module

pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}

install -m 755 check_password.so %{buildroot}%{_libdir}/openldap/

# install -m 644 README %{buildroot}%{_libdir}/openldap

install -d -m 755 %{buildroot}%{_sysconfdir}/openldap

cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf <

# OpenLDAP pwdChecker library configuration

#useCracklib 1

#minPoints 3

#minUpper 0

#minLower 0

#minDigit 0

#minPunct 0

EOF

sed -i -e 's/check_password\.so/check_password.so.%{check_password_version}/' README

mv README{,.check_pwd}

popd

# rename the library

mv %{buildroot}%{_libdir}/openldap/check_password.so{,.%{check_password_version}}

# setup directories for TLS certificates

mkdir -p %{buildroot}%{_sysconfdir}/openldap/certs

# setup data and runtime directories

mkdir -p %{buildroot}%{_sharedstatedir}

mkdir -p %{buildroot}%{_localstatedir}

install -m 0700 -d %{buildroot}%{_sharedstatedir}/ldap

install -m 0755 -d %{buildroot}%{_localstatedir}/run/openldap

# setup autocreation of runtime directories on tmpfs

mkdir -p %{buildroot}%{_tmpfilesdir}

install -m 0644 %SOURCE3 %{buildroot}%{_tmpfilesdir}/slapd.conf

# install default ldap.conf (customized)

rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf

install -m 0644 %SOURCE5 %{buildroot}%{_sysconfdir}/openldap/ldap.conf

# setup maintainance scripts

mkdir -p %{buildroot}%{_libexecdir}

install -m 0755 -d %{buildroot}%{_libexecdir}/openldap

install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions

install -m 0755 %SOURCE51 %{buildroot}%{_libexecdir}/openldap/convert-config.sh

install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh

install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh

install -m 0755 %SOURCE54 %{buildroot}%{_libexecdir}/openldap/create-certdb.sh

install -m 0755 %SOURCE55 %{buildroot}%{_libexecdir}/openldap/generate-server-cert.sh

# remove build root from config files and manual pages

perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf

perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*

# we don't need the default files -- RPM handles changes

rm -f %{buildroot}%{_sysconfdir}/openldap/*.default

rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default

# install an init script for the servers

mkdir -p %{buildroot}%{_unitdir}

install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service

# move slapd out of _libdir

mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/

# setup tools as symlinks to slapd

rm -f %{buildroot}%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}

rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}

for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done

# re-symlink unversioned libraries, so ldconfig is not confused

pushd %{buildroot}%{_libdir}

v=%{version}

version=$(echo ${v%.[0-9]*})

for lib in liblber libldap libldap_r libslapi; do

	rm -f ${lib}.so

	ln -s ${lib}-${version}.so.2 ${lib}.so

done

popd

# tweak permissions on the libraries to make sure they're correct

chmod 0755 %{buildroot}%{_libdir}/lib*.so*

chmod 0644 %{buildroot}%{_libdir}/lib*.*a

# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)

mkdir -p %{buildroot}%{_datadir}

install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers

install -m 0644 %SOURCE4 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif

install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d

rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf

rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif

# move doc files out of _sysconfdir

mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema

mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example

chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh

chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example

# remove files which we don't want packaged

rm -f %{buildroot}%{_libdir}/*.la

rm -f %{buildroot}%{_libdir}/openldap/*.so

rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example

rmdir %{buildroot}%{_localstatedir}/openldap-data

%post

/sbin/ldconfig

# create certificate database

%{_libexecdir}/openldap/create-certdb.sh >&/dev/null || :

%postun -p /sbin/ldconfig

%pre servers

# create ldap user and group

getent group ldap &>/dev/null || groupadd -r -g 55 ldap

getent passwd ldap &>/dev/null || \

	useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap

if [ $1 -eq 2 ]; then

	# package upgrade

	old_version=$(rpm -q --qf=%%{version} openldap-servers)

	new_version=%{version}

	if [ "$old_version" != "$new_version" ]; then

		touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null

	fi

fi

exit 0

%post servers

/sbin/ldconfig

%systemd_post slapd.service

# generate sample TLS certificate for server (will not replace)

%{_libexecdir}/openldap/generate-server-cert.sh -o &>/dev/null || :

# generate configuration if necessary

if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \

      ! -f %{_sysconfdir}/openldap/slapd.conf

   ]]; then

    %{_libexecdir}/openldap/convert-config.sh -f %{_datadir}/openldap-servers/slapd.ldif &>/dev/null

fi

start_slapd=0

# upgrade the database

if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then

	if %{systemctl_bin} --quiet is-active slapd.service; then

		%{systemctl_bin} stop slapd.service

		start_slapd=1

	fi

	%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null

	rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap

fi

# restart after upgrade

if [ $1 -ge 1 ]; then

	if [ $start_slapd -eq 1 ]; then

		%{systemctl_bin} start slapd.service &>/dev/null || :

	else

		%{systemctl_bin} condrestart slapd.service &>/dev/null || :

	fi

fi

exit 0

%preun servers

%systemd_preun slapd.service

%postun servers

/sbin/ldconfig

%systemd_postun_with_restart slapd.service

%triggerun servers -- openldap-servers < 2.4.26-6

# migration from SysV to systemd

/usr/bin/systemd-sysv-convert --save slapd &>/dev/null || :

/usr/sbin/chkconfig --del slapd &>/dev/null || :

%{systemctl_bin} try-restart slapd.service &>/dev/null || :

%triggerin servers -- libdb

# libdb upgrade (setup for %%triggerun)

if [ $2 -eq 2 ]; then

	# we are interested in minor version changes (both versions of libdb are installed at this moment)

	if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then

		touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb

	else

		rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb

	fi

fi

exit 0

%triggerun servers -- libdb

# libdb upgrade (finish %%triggerin)

if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then

	if %{systemctl_bin} --quiet is-active slapd.service; then

		%{systemctl_bin} stop slapd.service

		start=1

	else

		start=0

	fi

	%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null

	rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb

	[ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null

fi

exit 0

%files

%doc openldap-%{version}/ANNOUNCEMENT

%doc openldap-%{version}/CHANGES

%{!?_licensedir:%global license %%doc}

%license openldap-%{version}/COPYRIGHT

%license openldap-%{version}/LICENSE

%doc openldap-%{version}/README

%dir %{_sysconfdir}/openldap

%dir %{_sysconfdir}/openldap/certs

%config(noreplace) %{_sysconfdir}/openldap/ldap.conf

%dir %{_libexecdir}/openldap/

%{_libexecdir}/openldap/create-certdb.sh

%{_libdir}/liblber-2.4*.so.*

%{_libdir}/libldap-2.4*.so.*

%{_libdir}/libldap_r-2.4*.so.*

%{_libdir}/libslapi-2.4*.so.*

%{_mandir}/man5/ldif.5*

%{_mandir}/man5/ldap.conf.5*

%files servers

%doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd

%doc openldap-%{version}/doc/guide/admin/*.html

%doc openldap-%{version}/doc/guide/admin/*.png

%doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm

%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl

%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl

%doc ltb-project-openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd

%doc README.schema

%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d

%config(noreplace) %{_sysconfdir}/openldap/schema

%config(noreplace) %{_sysconfdir}/openldap/check_password.conf

%{_tmpfilesdir}/slapd.conf

%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap

%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap

%{_unitdir}/slapd.service

%{_datadir}/openldap-servers/

%{_libdir}/openldap/accesslog*

%{_libdir}/openldap/auditlog*

%{_libdir}/openldap/back_dnssrv*

%{_libdir}/openldap/back_ldap*

%{_libdir}/openldap/back_meta*

%{_libdir}/openldap/back_null*

%{_libdir}/openldap/back_passwd*

%{_libdir}/openldap/back_relay*

%{_libdir}/openldap/back_shell*

%{_libdir}/openldap/back_sock*

%{_libdir}/openldap/back_perl*

%{_libdir}/openldap/collect*

%{_libdir}/openldap/constraint*

%{_libdir}/openldap/dds*

%{_libdir}/openldap/deref*

%{_libdir}/openldap/dyngroup*

%{_libdir}/openldap/dynlist*

%{_libdir}/openldap/memberof*

%{_libdir}/openldap/pcache*

%{_libdir}/openldap/ppolicy*

%{_libdir}/openldap/refint*

%{_libdir}/openldap/retcode*

%{_libdir}/openldap/rwm*

%{_libdir}/openldap/seqmod*

%{_libdir}/openldap/smbk5pwd*

%{_libdir}/openldap/sssvlv*

%{_libdir}/openldap/syncprov*

%{_libdir}/openldap/translucent*

%{_libdir}/openldap/unique*

%{_libdir}/openldap/valsort*

%{_libdir}/openldap/check_password*

%{_libexecdir}/openldap/functions

%{_libexecdir}/openldap/convert-config.sh

%{_libexecdir}/openldap/check-config.sh

%{_libexecdir}/openldap/upgrade-db.sh

%{_libexecdir}/openldap/generate-server-cert.sh

%{_sbindir}/sl*

%{_mandir}/man8/*

%{_mandir}/man5/slapd*.5*

%{_mandir}/man5/slapo-*.5*

# obsolete configuration

%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf

%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf.bak

%files servers-sql

%doc openldap-%{version}/servers/slapd/back-sql/docs/*

%doc openldap-%{version}/servers/slapd/back-sql/rdbms_depend

%{_libdir}/openldap/back_sql*

%files clients

%{_bindir}/*

%{_mandir}/man1/*

%files devel

%doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc

%{_libdir}/lib*.so

%{_includedir}/*

%{_mandir}/man3/*

%changelog

* Fri Nov 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-2

- enhancement: support TLSv1 and later (#1160466)

* Mon Oct  6 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.40-1

- new upstream release (#1147877)

* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.39-12

- Perl 5.20 rebuild

* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-11

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.4.39-10

- fix license handling

* Mon Jul 14 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-9

- fix: fix typo in generate-server-cert.sh (#1117229)

* Mon Jun  9 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-8

- fix: make default service configuration listen on ldaps:/// as well (#1105634)

* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.39-7

- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

* Fri May 30 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-6

- fix: remove correct tmp file when generating server cert (#1103102)

* Mon Mar 24 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-5

- re-symlink unversioned libraries, so ldconfig is not confused (#1028557)

* Tue Mar  4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-4

- don't automatically convert slapd.conf to slapd-config

* Wed Feb 19 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-3

- remove redundant sysconfig-related stuff

- add documentation reference to service file

- alias slapd.service as openldap.service

* Tue Feb  4 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-2

- CVE-2013-4449: segfault on certain queries with rwm overlay (#1060851)

* Wed Jan 29 2014 Jan Synáček <jsynacek@redhat.com> - 2.4.39-1

- new upstream release (#1059186)

* Mon Nov 18 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.38-1

- new upstream release (#1031608)

* Mon Nov 11 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-2

- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1028935)

* Wed Oct 30 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.37-1

- new upstream release (#1023916)

- fix: missing a linefeed at the end of file /etc/openldap/ldap.conf (#1019836)

* Mon Oct 21 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-4

- fix: slapd daemon fails to start with segmentation fault on s390x (#1020661)

* Tue Oct 15 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-3

- rebuilt for libdb-5.3.28

* Mon Oct 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2

- fix: CLDAP is broken for IPv6 (#1018688)

* Wed Sep  4 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-2

- fix: typos in manpages

* Tue Aug 20 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.36-1

- new upstream release

  + compile-in mdb backend

* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.35-7

- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild

* Wed Jul 17 2013 Petr Pisar <ppisar@redhat.com> - 2.4.35-6

- Perl 5.18 rebuild

* Fri Jun 14 2013 Jan Synáček <jsynacek@redhat.com> - 2.4.35-5

- fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0"

* Thu May 09 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-4

- do not needlessly run ldconfig after installing openldap-devel

- fix: LDAPI with GSSAPI does not work if SASL_NOCANON=on (#960222)

- fix: lt_dlopen() with back_perl (#960048)

* Tue Apr 09 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-3

- fix: minor documentation fixes

- set SASL_NOCANON to on by default (#949864)

- remove trailing spaces

* Fri Apr 05 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-2

- drop the evolution patch

* Tue Apr 02 2013 Jan Synáček <jsynacek@redhat.com> 2.4.35-1

- new upstream release (#947235)

- fix: slapd.service should ensure that network is up before starting (#946921)

- fix: NSS related resource leak (#929357)

* Mon Mar 18 2013 Jan Synáček <jsynacek@redhat.com> 2.4.34-2

- fix: syncrepl push DELETE operation does not recover (#920482)

- run autoreconf every build, drop autoreconf patch (#926280)

* Mon Mar 11 2013 Jan Synáček <jsynacek@redhat.com> 2.4.34-1

- enable perl backend (#820547)

- package ppolicy-check-password (#829749)

- add perl specific BuildRequires

- fix bogus dates

* Wed Mar 06 2013 Jan Vcelak <jvcelak@fedoraproject.org> 2.4.34-1

- new upstream release (#917603)

- fix: slapcat segfaults if cn=config.ldif not present (#872784)

- use systemd-rpm macros in spec file (#850247)

* Thu Jan 31 2013 Jan Synáček <jsynacek@redhat.com> 2.4.33-4

- rebuild against new cyrus-sasl

* Wed Oct 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-3

- fix update: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)

* Fri Oct 12 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-2

- fix: slapd with rwm overlay segfault following ldapmodify (#865685)

* Thu Oct 11 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.33-1

- new upstream release:

  + slapd: ACLs, syncrepl

  + backends: locking and memory management in MDB

  + manpages: slapo-refint

- patch update: MozNSS certificate database in SQL format cannot be used (#860317)

- fix: slapd.service should not use /tmp (#859019)

* Fri Sep 14 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-3

- fix: some TLS ciphers cannot be enabled (#852338)

- fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476)

- fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded (#852786)

- fix: MozNSS certificate database in SQL format cannot be used (#857373)

- fix: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455)

* Mon Aug 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-2

- enhancement: TLS, prefer private keys from authenticated slots

- enhancement: TLS, allow certificate specification including token name

- resolve TLS failures in replication in 389 Directory Server

* Wed Aug 01 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.32-1

- new upstream release

  + library: double free, SASL handling

  + tools: read SASL_NOCANON from config file

  + slapd: config index renumbering, duplicate error response

  + backends: various fixes in mdb, bdb/hdb, ldap

  + accesslog, syncprov: fix memory leaks in with replication

  + sha2: portability, thread safety, support SSHA256,384,512

  + documentation fixes

* Sat Jul 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-7

- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)

* Fri Jul 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-6

- multilib fix: move libslapi from openldap-servers to openldap package

* Thu Jul 19 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-5

- fix: querying for IPv6 DNS records when IPv6 is disabled on the host (#835013)

- fix: smbk5pwd module computes invalid LM hashes (#841560)

* Wed Jul 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-4

- modify the package build process

  + fix autoconfig files to detect Mozilla NSS library using pkg-config

  + remove compiler flags which are not needed currently

  + build server, client and library together

  + avoid stray dependencies by using --as-needed linker flag

  + enable SLAPI interface in slapd

* Wed Jun 27 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-3

- update fix: count constraint broken when using multiple modifications (#795766)

- fix: invalid order of TLS shutdown operations (#808464)

- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462)

- fix: reading pin from file can make all TLS connections hang (#829317)

- CVE-2012-2668: cipher suite selection by name can be ignored (#825875)

- fix: slapd fails to start on reboot (#829272)

- fix: default cipher suite is always selected (#828790)

- fix: less influence between individual TLS contexts:

  - replication with TLS does not work (#795763)

  - possibly others

* Fri May 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-2

- fix: nss-tools package is required by the base package, not the server subpackage

- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536)

* Tue Apr 24 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-1

- new upstream release

  + library: IPv6 url detection

  + library: rebinding to failed connections

  + server: various fixes in mdb backend

  + server: various fixes in replication

  + server: various fixes in overlays and minor backends

  + documentation fixes

- remove patches which were merged upstream

* Thu Apr 05 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.30-3

- rebuild due to libdb rebase

* Mon Mar 26 2012 Jan Synáček <jsynacek@redhat.com> 2.4.30-2

- fix: Re-binding to a failed connection can segfault (#784989)

* Thu Mar 01 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.30-1

- new upstream release

  + server: fixes in mdb backend

  + server: fixes in manual pages

  + server: fixes in syncprov, syncrepl, and pcache

- removed patches which were merged upstream

* Wed Feb 22 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-4

- fix: missing options in manual pages of client tools (#796232)

- fix: SASL_NOCANON option missing in ldap.conf manual page (#732915)

* Tue Feb 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-3

- fix: ldap_result does not succeed for sssd (#771484)

- Jan Synáček <jsynacek@redhat.com>:

  + fix: count constraint broken when using multiple modifications (#795766)

* Mon Feb 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-2

- fix update: provide ldif2ldbm, not ldib2ldbm (#437104)

- Jan Synáček <jsynacek@redhat.com>:

  + unify systemctl binary paths throughout the specfile and make them usrmove compliant

  + make path to chkconfig binary usrmove compliant

* Wed Feb 15 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.29-1

- new upstream release

  + MozNSS fixes

  + connection handling fixes

  + server: buxfixes in mdb backend

  + server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm)

- openldap-servers now provide ldib2ldbm (#437104)

- certificates management improvements

  + create empty Mozilla NSS certificate database during installation

  + enable builtin Root CA in generated database (#789088)

  + generate server certificate using Mozilla NSS tools instead of OpenSSL tools

  + fix: correct path to check-config.sh in service file (Jan Synáček <jsynacek@redhat.com>)

- temporarily disable certificates checking in check-config.sh script

- fix: check-config.sh get stuck when executing command as a ldap user

* Tue Jan 31 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.28-3

- fix: replication (syncrepl) with TLS causes segfault (#783431)

- fix: slapd segfaults when PEM certificate is used and key is not set (#772890)