From 95d8d32fc5c1111badf1006505a7a7b0a9e32cea Mon Sep 17 00:00:00 2001
From: Jan Vcelak
Date: Aug 27 2010 12:45:25 +0000
Subject: rebase to 2.4.23
- package rebased
- removed embeded db4
- removed patches merged by upstream
- removed no longer required patches
- merged patches doing manpage changes
- merged patches exporting ldif API
- reapplied patches and added description to each one
- removed unnecessary BuildRequires
- cleaned %config, %build and %install sections
- updated database upgrade process:
- database is exported (slapcat) and reimported (slapadd) when minor version of openldap changes (safe and recomended way)
- database is upgraded (db4) when minor version of db4 package changes (this is not done in %post anymore, as the database is not embeded, but using triggers)
Resolved: #624616 Bogus links in "SEE ALSO" part of several man-pages
Resolved: #625740 openldap-2.4.23 is available
---
diff --git a/README.nss_ldap b/README.nss_ldap
deleted file mode 100644
index 6d5abce..0000000
--- a/README.nss_ldap
+++ /dev/null
@@ -1,9 +0,0 @@
-These files are here specifically for use in building the nss_ldap package,
-and should not be used for any other purpose.
-
-They contain a backported patch which adds two functions which nss_ldap can
-use to avoid blocking in one particular use case, but which are not included
-in the 2.2 branch of OpenLDAP.
-
-When the openldap package updates to 2.3, these libraries will simply
-disappear.
diff --git a/nptl-abi-note.S b/nptl-abi-note.S
deleted file mode 100644
index e8de1d9..0000000
--- a/nptl-abi-note.S
+++ /dev/null
@@ -1,21 +0,0 @@
-/* Gleaned from glibc, though I suppose it's documented in the specs, too.
- NPTL requires support that isn't in kernels prior to 2.4.20 (or 2.5.36 if
- you're not using a backported TLS implementation in your kernel), but ld.so
- will try to use this library on an insufficiently-new system unless we make
- a note of the required kernel version here.
- We also add in a section which marks the library as not needing an
- executable stack to avoid unintentionally disabling exec-shield and the
- like (thanks Arjan!). */
- .section ".note.ABI-tag", "a"
- .p2align 2
- .long 1f - 0f
- .long 3f - 2f
- .long 1
-0: .asciz "GNU"
-1: .p2align 2
-2: .long 0
- .long 2,4,20
-3: .p2align 2
-
-.section .note.GNU-stack, "", @progbits
-.previous
diff --git a/openldap-2.0.11-ldaprc.patch b/openldap-2.0.11-ldaprc.patch
deleted file mode 100644
index 78974ea..0000000
--- a/openldap-2.0.11-ldaprc.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up openldap-2.4.11/libraries/libldap/init.c.patch2 openldap-2.4.11/libraries/libldap/init.c
---- openldap-2.4.11/libraries/libldap/init.c.patch2 2008-02-12 00:26:41.000000000 +0100
-+++ openldap-2.4.11/libraries/libldap/init.c 2008-09-01 09:57:09.000000000 +0200
-@@ -327,9 +327,6 @@ static void openldap_ldap_init_w_usercon
- if(path != NULL) {
- LDAP_FREE(path);
- }
--
-- /* try file */
-- openldap_ldap_init_w_conf(file, 1);
- }
-
- static void openldap_ldap_init_w_env(
diff --git a/openldap-2.2.13-setugid.patch b/openldap-2.2.13-setugid.patch
deleted file mode 100644
index 9cb7db7..0000000
--- a/openldap-2.2.13-setugid.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Don't read the user's configuration file if we're running in a setuid
-or setgid application.
-diff -up openldap-2.4.14/libraries/libldap/init.c.setugid openldap-2.4.14/libraries/libldap/init.c
---- openldap-2.4.14/libraries/libldap/init.c.setugid 2009-02-17 08:31:19.000000000 +0100
-+++ openldap-2.4.14/libraries/libldap/init.c 2009-02-17 08:39:01.000000000 +0100
-@@ -634,7 +634,7 @@ void ldap_int_initialize( struct ldapopt
- openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
-
- #ifdef HAVE_GETEUID
-- if ( geteuid() != getuid() )
-+ if ( geteuid() != getuid() || getegid() != getgid() )
- return;
- #endif
-
diff --git a/openldap-2.3.11-toollinks.patch b/openldap-2.3.11-toollinks.patch
deleted file mode 100644
index afa99d4..0000000
--- a/openldap-2.3.11-toollinks.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-If libexecdir and sbindir are the same, avoid making an absolute symlink.
-
-
-diff -up openldap-2.4.11/servers/slapd/Makefile.in.patch5 openldap-2.4.11/servers/slapd/Makefile.in
---- openldap-2.4.11/servers/slapd/Makefile.in.patch5 2008-09-01 09:57:09.000000000 +0200
-+++ openldap-2.4.11/servers/slapd/Makefile.in 2008-09-01 09:57:09.000000000 +0200
-@@ -270,7 +270,12 @@ slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
- $(WRAP_LIBS)
- $(RM) $(SLAPTOOLS)
- for i in $(SLAPTOOLS); do \
-- $(LN_S) slapd$(EXEEXT) $$i$(EXEEXT); done
-+ if test $(libexecdir) != $(sbindir) ; then \
-+ $(LN_S) $(libexecdir)/slapd$(EXEEXT) $$i$(EXEEXT); \
-+ else \
-+ $(LN_S) slapd$(EXEEXT) $$i$(EXEEXT); \
-+ fi \
-+ done
-
-
- sslapd: version.o
diff --git a/openldap-2.3.19-gethostbyXXXX_r.patch b/openldap-2.3.19-gethostbyXXXX_r.patch
deleted file mode 100644
index 7fc9727..0000000
--- a/openldap-2.3.19-gethostbyXXXX_r.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
-example if libldap needs to be initialized from within gethostbyXXXX() (which
-actually happens if nss_ldap is used for hostname resolution and earlier
-modules can't resolve the local host name), so use the reentrant versions of
-the functions, even if we're not being compiled for use in libldap_r (patch
-from Jeffery Layton, #179730).
-diff -up openldap-2.4.11/libraries/libldap/util-int.c.patch7 openldap-2.4.11/libraries/libldap/util-int.c
---- openldap-2.4.11/libraries/libldap/util-int.c.patch7 2008-02-12 00:26:41.000000000 +0100
-+++ openldap-2.4.11/libraries/libldap/util-int.c 2008-09-01 09:57:09.000000000 +0200
-@@ -52,8 +52,8 @@ extern int h_errno;
- #ifndef LDAP_R_COMPILE
- # undef HAVE_REENTRANT_FUNCTIONS
- # undef HAVE_CTIME_R
--# undef HAVE_GETHOSTBYNAME_R
--# undef HAVE_GETHOSTBYADDR_R
-+/* # undef HAVE_GETHOSTBYNAME_R */
-+/* # undef HAVE_GETHOSTBYADDR_R */
-
- #else
- # include
-@@ -110,7 +110,7 @@ char *ldap_pvt_ctime( const time_t *tp,
- #define BUFSTART (1024-32)
- #define BUFMAX (32*1024-32)
-
--#if defined(LDAP_R_COMPILE)
-+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
- static char *safe_realloc( char **buf, int len );
-
- #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
diff --git a/openldap-2.3.37-smbk5pwd.patch b/openldap-2.3.37-smbk5pwd.patch
deleted file mode 100644
index b15c6c0..0000000
--- a/openldap-2.3.37-smbk5pwd.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-Compile smbk5pwd together with other overlays.
-
-diff -up openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README.patch8 openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README
---- openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README.patch8 2005-11-12 16:18:09.000000000 +0100
-+++ openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README 2008-09-01 09:57:09.000000000 +0200
-@@ -1,3 +1,8 @@
-+***************************************************************
-+Red Hat note: Kerberos support is NOT compiled into
-+this version of smbk5pwd because we do not use Heimdall.
-+***************************************************************
-+
- This directory contains a slapd overlay, smbk5pwd, that extends the
- PasswordModify Extended Operation to update Kerberos keys and Samba
- password hashes for an LDAP user.
-diff -up openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 openldap-2.4.11/servers/slapd/overlays/Makefile.in
---- openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 2008-02-12 00:26:48.000000000 +0100
-+++ openldap-2.4.11/servers/slapd/overlays/Makefile.in 2008-09-01 09:57:09.000000000 +0200
-@@ -30,7 +30,8 @@ SRCS = overlays.c \
- syncprov.c \
- translucent.c \
- unique.c \
-- valsort.c
-+ valsort.c \
-+ smbk5pwd.c
- OBJS = statover.o \
- @SLAPD_STATIC_OVERLAYS@ \
- overlays.o
-@@ -43,14 +44,14 @@ LTONLY_MOD = $(LTONLY_mod)
- LDAP_INCDIR= ../../../include
- LDAP_LIBDIR= ../../../libraries
-
--MOD_DEFS = -DSLAPD_IMPORT
-+MOD_DEFS = -DSLAPD_IMPORT -DDO_SAMBA
-
- shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA)
- NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
- UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
-
- LIBRARY = ../liboverlays.a
--PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
-+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
-
- XINCPATH = -I.. -I$(srcdir)/..
- XDEFS = $(MODULES_CPPFLAGS)
-@@ -113,6 +114,9 @@ unique.la : unique.lo
- valsort.la : valsort.lo
- $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
-
-+smbk5pwd.la : smbk5pwd.lo
-+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo -lldap -L../../../libraries/libldap/.libs/ $(LINK_LIBS)
-+
- install-local: $(PROGRAMS)
- @if test -n "$?" ; then \
- $(MKDIR) $(DESTDIR)$(moduledir); \
diff --git a/openldap-2.4.12-options.patch b/openldap-2.4.12-options.patch
deleted file mode 100644
index bfc6a6c..0000000
--- a/openldap-2.4.12-options.patch
+++ /dev/null
@@ -1,112 +0,0 @@ ---- openldap/clients/tools/common.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/common.c.option 2009-04-09 14:52:23.000000000 +0200 -@@ -267,7 +267,6 @@ void - tool_common_usage( void ) - { - static const char *const descriptions[] = { --N_(" -c continuous operation mode (do not stop on errors)\n"), - N_(" -d level set LDAP debugging level to `level'\n"), - N_(" -D binddn bind DN\n"), - N_(" -e [!][=] general extensions (! indicates criticality)\n") -@@ -298,18 +297,15 @@ N_(" [!]sessiontracking\n") - N_(" abandon, cancel, ignore (SIGINT sends abandon/cancel,\n" - " or ignores response; if critical, doesn't wait for SIGINT.\n" - " not really controls)\n") --N_(" -f file read operations from `file'\n"), - N_(" -h host LDAP server\n"), - N_(" -H URI LDAP Uniform Resource Identifier(s)\n"), - N_(" -I use SASL Interactive mode\n"), --N_(" -M enable Manage DSA IT control (-MM to make critical)\n"), - N_(" -n show what would be done but don't actually do it\n"), - N_(" -N do not use reverse DNS to canonicalize SASL host name\n"), - N_(" -O props SASL security properties\n"), - N_(" -o [= (in seconds, or \"none\" or \"max\")\n"), - N_(" -p port port on LDAP server\n"), --N_(" -P version protocol version (default: 3)\n"), - N_(" -Q use SASL Quiet mode\n"), - N_(" -R realm SASL realm\n"), - N_(" -U authcid SASL authentication identity\n"), - ---- openldap/clients/tools/ldapcompare.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/ldapcompare.c.option 2009-04-09 14:46:37.000000000 +0200 -@@ -85,6 +85,8 @@ usage( void ) - fprintf( stderr, _("Compare options:\n")); - fprintf( stderr, _(" -E [!][=] compare extensions (! 
indicates criticality)\n")); - fprintf( stderr, _(" !dontUseCopy (Don't Use Copy)\n")); -+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n")); -+ fprintf( stderr, _(" -P version protocol version (default: 3)\n")); - fprintf( stderr, _(" -z Quiet mode," - " don't print anything, use return values\n")); - tool_common_usage(); - ---- openldap/clients/tools/ldapdelete.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/ldapdelete.c.option 2009-04-09 14:48:48.000000000 +0200 -@@ -71,6 +71,10 @@ usage( void ) - fprintf( stderr, _(" dn: list of DNs to delete. If not given, it will be readed from stdin\n")); - fprintf( stderr, _(" or from the file specified with \"-f file\".\n")); - fprintf( stderr, _("Delete Options:\n")); -+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n")); -+ fprintf( stderr, _(" -f file read operations from `file'\n")); -+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n")); -+ fprintf( stderr, _(" -P version protocol version (default: 3)\n")); - fprintf( stderr, _(" -r delete recursively\n")); - tool_common_usage(); - exit( EXIT_FAILURE ); - ---- openldap/clients/tools/ldapmodify.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/ldapmodify.c.option 2009-04-09 14:50:14.000000000 +0200 -@@ -137,8 +137,12 @@ usage( void ) - fprintf( stderr, _("Add or modify options:\n")); - fprintf( stderr, _(" -a add values (%s)\n"), - (ldapadd ? _("default") : _("default is to replace"))); -+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n")); - fprintf( stderr, _(" -E [!]ext=extparam modify extensions" - " (! 
indicate s criticality)\n")); -+ fprintf( stderr, _(" -f file read operations from `file'\n")); -+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n")); -+ fprintf( stderr, _(" -P version protocol version (default: 3)\n")); - #ifdef LDAP_X_TXN - fprintf( stderr, - _(" [!]txn= (transaction)\n")); - ---- openldap/clients/tools/ldapmodrdn.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/ldapmodrdn.c.option 2009-04-09 14:50:40.000000000 +0200 -@@ -83,6 +83,10 @@ usage( void ) - fprintf( stderr, _(" If not given, the list of modifications is read from stdin or\n")); - fprintf( stderr, _(" from the file specified by \"-f file\" (see man page).\n")); - fprintf( stderr, _("Rename options:\n")); -+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n")); -+ fprintf( stderr, _(" -f file read operations from `file'\n")); -+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n")); -+ fprintf( stderr, _(" -P version protocol version (default: 3)\n")); - fprintf( stderr, _(" -r remove old RDN\n")); - fprintf( stderr, _(" -s newsup new superior entry\n")); - tool_common_usage(); - ---- openldap/clients/tools/ldapsearch.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/ldapsearch.c.option 2009-04-09 14:51:51.000000000 +0200 -@@ -123,6 +123,7 @@ usage( void ) - fprintf( stderr, _(" -a deref one of never (default), always, search, or find\n")); - fprintf( stderr, _(" -A retrieve attribute names only (no values)\n")); - fprintf( stderr, _(" -b basedn base dn for search\n")); -+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n")); - fprintf( stderr, _(" -E [!][=] search extensions (! 
indicates criticality)\n")); - fprintf( stderr, _(" [!]domainScope (domain scope)\n")); - fprintf( stderr, _(" !dontUseCopy (Don't Use Copy)\n")); -@@ -137,12 +138,15 @@ usage( void ) - fprintf( stderr, _(" [!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]\n")); - #endif - fprintf( stderr, _(" [!]=: (generic control; no response handling)\n")); -+ fprintf( stderr, _(" -f file read operations from `file'\n")); - fprintf( stderr, _(" -F prefix URL prefix for files (default: %s)\n"), def_urlpre); - fprintf( stderr, _(" -l limit time limit (in seconds, or \"none\" or \"max\") for search\n")); - fprintf( stderr, _(" -L print responses in LDIFv1 format\n")); - fprintf( stderr, _(" -LL print responses in LDIF format without comments\n")); - fprintf( stderr, _(" -LLL print responses in LDIF format without comments\n")); - fprintf( stderr, _(" and version\n")); -+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n")); -+ fprintf( stderr, _(" -P version protocol version (default: 3)\n")); - fprintf( stderr, _(" -s scope one of base, one, sub or children (search scope)\n")); - fprintf( stderr, _(" -S attr sort the results by attribute `attr'\n")); - fprintf( stderr, _(" -t write binary values to files in temporary directory\n")); diff --git a/openldap-2.4.16-doc-cacertdir.patch b/openldap-2.4.16-doc-cacertdir.patch deleted file mode 100644 index db7363d..0000000 --- a/openldap-2.4.16-doc-cacertdir.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- openldap-2.4.16/doc/man/man5/ldap.conf.5.orig 2009-09-16 17:12:01.000000000 +0200 -+++ openldap-2.4.16/doc/man/man5/ldap.conf.5 2009-09-16 17:15:32.000000000 +0200 -@@ -305,6 +305,7 @@ - .B TLS_CACERT - is always used before - .B TLS_CACERTDIR. -+The specified directory must be managed with the OpenSSL c_rehash utility. - This parameter is ignored with GNUtls. - .TP - .B TLS_CERT 
diff --git a/openldap-2.4.21-dn2id-segfault.patch b/openldap-2.4.21-dn2id-segfault.patch
deleted file mode 100644
index 411f06a..0000000
--- a/openldap-2.4.21-dn2id-segfault.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- openldap-2.4.19/servers/slapd/back-bdb/dn2id.c.orig 2010-02-24 09:55:39.000000000 +0100
-+++ openldap-2.4.19/servers/slapd/back-bdb/dn2id.c 2010-02-24 09:56:07.000000000 +0100
-@@ -676,7 +676,7 @@ hdb_dn2id_delete(
- d->nrdnlen[0] = (BEI(e)->bei_nrdn.bv_len >> 8) | 0x80;
- dlen[0] = d->nrdnlen[0];
- dlen[1] = d->nrdnlen[1];
-- strcpy( d->nrdn, BEI(e)->bei_nrdn.bv_val );
-+ memcpy( d->nrdn, BEI(e)->bei_nrdn.bv_val, BEI(e)->bei_nrdn.bv_len+1 );
- data.data = d;
-
- rc = db->cursor( db, txn, &cursor, bdb->bi_db_opflags );
diff --git a/openldap-2.4.22-initauthtoken.patch b/openldap-2.4.22-initauthtoken.patch
deleted file mode 100644
index 69a2e08..0000000
--- a/openldap-2.4.22-initauthtoken.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-#616552 Mozilla NSS - delay token auth until needed
-upstream: http://www.openldap.org/its/index.cgi issue 6595
-
-diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
---- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200
-+++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:58:19.030686912 +0200
-@@ -930,26 +930,6 @@
- return rc;
- }
-
--static int
--tlsm_init_tokens( tlsm_ctx *ctx )
--{
-- PK11SlotList *slotList;
-- PK11SlotListElement *listEntry;
-- int rc = 0;
--
-- slotList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL );
--
-- for ( listEntry = PK11_GetFirstSafe( slotList ); !rc && listEntry;
-- listEntry = PK11_GetNextSafe( slotList, listEntry, PR_FALSE ) ) {
-- PK11SlotInfo *slot = listEntry->slot;
-- rc = tlsm_authenticate_to_slot( ctx, slot );
-- }
--
-- PK11_FreeSlotList( slotList );
--
-- return rc;
--}
--
- static SECStatus
- tlsm_nss_shutdown_cb( void *appData, void *nssData )
- {
-@@ -1365,10 +1345,6 @@
-
- PK11_SetPasswordFunc( tlsm_pin_prompt );
-
-- if ( tlsm_init_tokens( ctx ) ) {
-- return -1;
-- }
--
- /* register cleanup function */
- /* delete the old one, if any */
- NSS_UnregisterShutdown( tlsm_nss_shutdown_cb, NULL );
diff --git a/openldap-2.4.22-ldif_h.patch b/openldap-2.4.22-ldif_h.patch
deleted file mode 100644
index ebf1c0b..0000000
--- a/openldap-2.4.22-ldif_h.patch
+++ /dev/null
@@ -1,22 +0,0 @@ ---- openldap-2.4.22/include/Makefile.in.orig 2010-06-03 07:38:29.000000000 -0600 -+++ openldap-2.4.22/include/Makefile.in 2010-06-03 07:39:21.000000000 -0600 -@@ -15,17 +15,18 @@ - - all-local: ldap_config.h FORCE - - install-local: FORCE - -$(MKDIR) $(DESTDIR)$(includedir) - for header in $(srcdir)/lber.h lber_types.h \ - $(srcdir)/ldap.h $(srcdir)/ldap_cdefs.h \ - $(srcdir)/ldap_schema.h $(srcdir)/ldap_utf8.h \ -- $(srcdir)/slapi-plugin.h ldap_features.h; \ -+ $(srcdir)/slapi-plugin.h ldap_features.h \ -+ $(srcdir)/ldif.h ; \ - do \ - $(INSTALL) $(INSTALLFLAGS) -m 644 $$header $(DESTDIR)$(includedir); \ - done - - clean-local: FORCE - $(RM) ldap_config.h - - veryclean-local: clean-local FORCE diff --git a/openldap-2.4.22-libldif.patch b/openldap-2.4.22-libldif.patch deleted file mode 100644 index d5f3e91..0000000 --- a/openldap-2.4.22-libldif.patch +++ /dev/null 
@@ -1,66 +0,0 @@ ---- openldap-2.4.22/libraries/liblutil/Makefile.in.orig 2010-06-03 10:57:01.000000000 -0600 -+++ openldap-2.4.22/libraries/liblutil/Makefile.in 2010-06-03 10:59:29.000000000 -0600 -@@ -9,16 +9,19 @@ - ## modification, are permitted only as authorized by the OpenLDAP - ## Public License. - ## - ## A copy of this license is available in the file LICENSE in the - ## top-level directory of the distribution or, alternatively, at - ## . - - LIBRARY = liblutil.a -+ -+SHAREDLIB = libldif.la -+ - PROGRAM = testavl - - LDAP_INCDIR= ../../include - LDAP_LIBDIR= ../../libraries - - NT_SRCS = ntservice.c - NT_OBJS = ntservice.o slapdmsg.res - -@@ -35,16 +38,18 @@ - @LIBSRCS@ $(@PLAT@_SRCS) - - OBJS = base64.o entropy.o sasl.o signal.o hash.o passfile.o \ - md5.o passwd.o sha1.o getpass.o lockf.o utils.o uuid.o sockpair.o \ - avl.o tavl.o ldif.o fetch.o \ - meter.o \ - @LIBOBJS@ $(@PLAT@_OBJS) - -+SHAREDLIBOBJS = ldif.lo fetch.lo -+ - testavl: $(XLIBS) testavl.o - (LTLINK) -o $@ testavl.o $(LIBS) - - testtavl: $(XLIBS) testtavl.o - (LTLINK) -o $@ testtavl.o $(LIBS) - - # These rules are for a Mingw32 build, specifically. - # It's ok for them to be here because the clean rule is harmless, and -@@ -54,8 +59,24 @@ - @if [ ! -f $@ ]; then cp $(srcdir)/$@ .; fi - - slapdmsg.res: slapdmsg.rc slapdmsg.bin - windres $< -O coff -o $@ - - clean-local: - $(RM) *.res - -+all-local: $(SHAREDLIB) -+ -+.SUFFIXES: .c .o .lo -+ -+.c.lo: -+ $(LTCOMPILE_LIB) $< -+ -+$(LIBRARY): $(SHAREDLIBOBJS) version.lo -+ -+$(SHAREDLIB): $(SHAREDLIBOBJS) version.lo -+ $(LTLINK_LIB) -o $(SHAREDLIB) $(SHAREDLIBOBJS) version.lo $(LINK_LIBS) -+ -+install-local: FORCE -+ -$(MKDIR) $(DESTDIR)$(libdir) -+ $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(SHAREDLIB) $(DESTDIR)$(libdir) -+ $(LTFINISH) $(DESTDIR)$(libdir) diff --git a/openldap-2.4.22-modrdn-segfault.patch b/openldap-2.4.22-modrdn-segfault.patch deleted file mode 100644 index ed46756..0000000 --- a/openldap-2.4.22-modrdn-segfault.patch +++ /dev/null 
@@ -1,74 +0,0 @@
-bz #605448 CVE-2010-0211 openldap: modrdn processing uninitialized pointer free
-bz #605452 CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference
-
-diff -urp openldap-2.4.22/servers/slapd/dn.c openldap-2.4.22.new/servers/slapd/dn.c
---- openldap-2.4.22/servers/slapd/dn.c 2010-04-13 22:23:14.000000000 +0200
-+++ openldap-2.4.22.new/servers/slapd/dn.c 2010-07-19 17:57:51.974346501 +0200
-@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f
- ava->la_attr = ad->ad_cname;
-
- if( ava->la_flags & LDAP_AVA_BINARY ) {
-- if( ava->la_value.bv_len == 0 ) {
-- /* BER encoding is empty */
-- return LDAP_INVALID_SYNTAX;
-- }
-+ /* AVA is binary encoded, not supported */
-+ return LDAP_INVALID_SYNTAX;
-
- /* Do not allow X-ORDERED 'VALUES' naming attributes */
- } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
- return LDAP_INVALID_SYNTAX;
-
-- /* AVA is binary encoded, don't muck with it */
- } else if( flags & SLAP_LDAPDN_PRETTY ) {
- transf = ad->ad_type->sat_syntax->ssyn_pretty;
- if( !transf ) {
-@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f
- ava->la_value = bv;
- ava->la_flags |= LDAP_AVA_FREE_VALUE;
- }
-+ /* reject empty values */
-+ if (!ava->la_value.bv_len) {
-+ return LDAP_INVALID_SYNTAX;
-+ }
- }
- rc = LDAP_SUCCESS;
-
-diff -urp openldap-2.4.22/servers/slapd/modrdn.c openldap-2.4.22.new/servers/slapd/modrdn.c
---- openldap-2.4.22/servers/slapd/modrdn.c 2010-04-13 22:23:16.000000000 +0200
-+++ openldap-2.4.22.new/servers/slapd/modrdn.c 2010-07-19 17:57:51.975346274 +0200
-@@ -445,12 +445,19 @@ slap_modrdn2mods(
- mod_tmp->sml_values[1].bv_val = NULL;
- if( desc->ad_type->sat_equality->smr_normalize) {
- mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
-- (void) (*desc->ad_type->sat_equality->smr_normalize)(
-+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
- SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
- desc->ad_type->sat_syntax,
- 
desc->ad_type->sat_equality,
- &mod_tmp->sml_values[0],
- &mod_tmp->sml_nvalues[0], NULL );
-+ if (rs->sr_err != LDAP_SUCCESS) {
-+ ch_free(mod_tmp->sml_nvalues);
-+ ch_free(mod_tmp->sml_values[0].bv_val);
-+ ch_free(mod_tmp->sml_values);
-+ ch_free(mod_tmp);
-+ goto done;
-+ }
- mod_tmp->sml_nvalues[1].bv_val = NULL;
- } else {
- mod_tmp->sml_nvalues = NULL;
-diff -urp openldap-2.4.22/servers/slapd/schema_init.c openldap-2.4.22.new/servers/slapd/schema_init.c
---- openldap-2.4.22/servers/slapd/schema_init.c 2010-04-14 20:12:15.000000000 +0200
-+++ openldap-2.4.22.new/servers/slapd/schema_init.c 2010-07-19 17:57:51.978346712 +0200
-@@ -1735,8 +1735,9 @@ UTF8StringNormalize(
- ? LDAP_UTF8_APPROX : 0;
-
- val = UTF8bvnormalize( val, &tmp, flags, ctx );
-+ /* out of memory or syntax error, the former is unlikely */
- if( val == NULL ) {
-- return LDAP_OTHER;
-+ return LDAP_INVALID_SYNTAX;
- }
-
- /* collapse spaces (in place) */
diff --git a/openldap-2.4.23-selfsignedcacert.patch b/openldap-2.4.23-selfsignedcacert.patch
deleted file mode 100644
index 52d91d9..0000000
--- a/openldap-2.4.23-selfsignedcacert.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-#614545 Mozilla NSS - support use of self signed CA certs as server certs
-upstream: http://www.openldap.org/its/index.cgi issue 6589
-
-diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
---- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200
-+++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200
-@@ -1491,11 +1491,40 @@
- status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert,
- checkSig, certUsage,
- pin_arg, NULL );
-- if (status != SECSuccess) {
-+ if ( status != SECSuccess ) {
-+ /* NSS doesn't like self-signed CA certs that are also used for
-+ TLS/SSL server certs (such as generated by openssl req -x509)
-+ CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case
-+ so, see if the cert and issuer are the same cert
-+ */
- PRErrorCode errcode = PR_GetError();
-- Debug( LDAP_DEBUG_ANY,
-- "TLS: error: the certificate %s is not valid - error %d:%s\n",
-- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
-+
-+ if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) {
-+ CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer );
-+ if ( NULL == issuer ) {
-+ /* no issuer - warn and allow */
-+ status = SECSuccess;
-+ rc = 0;
-+ Debug( LDAP_DEBUG_ANY,
-+ "TLS: warning: the server certificate %s has no issuer - "
-+ "please check this certificate for validity\n",
-+ certname, 0, 0 );
-+ } else if ( CERT_CompareCerts( cert, issuer ) ) {
-+ /* self signed - warn and allow */
-+ status = SECSuccess;
-+ rc = 0;
-+ Debug( LDAP_DEBUG_ANY,
-+ "TLS: warning: using self-signed server certificate %s\n",
-+ certname, 0, 0 );
-+ }
-+ CERT_DestroyCertificate( issuer );
-+ }
-+
-+ if ( status != SECSuccess ) {
-+ Debug( LDAP_DEBUG_ANY,
-+ "TLS: error: the certificate %s is not valid - error %d:%s\n",
-+ certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
-+ }
- } else {
- rc = 0; /* success */
- }
diff --git a/openldap-2.4.6-config.patch b/openldap-2.4.6-config.patch
deleted file mode 100644
index 0c8913d..0000000
--- a/openldap-2.4.6-config.patch
+++ /dev/null
@@ -1,118 +0,0 @@ -diff -up openldap-2.4.11/servers/slapd/slapd.conf.config openldap-2.4.11/servers/slapd/slapd.conf ---- openldap-2.4.11/servers/slapd/slapd.conf.config 2007-02-13 21:22:22.000000000 +0100 -+++ openldap-2.4.11/servers/slapd/slapd.conf 2008-10-09 16:13:52.000000000 +0200 -@@ -2,22 +2,57 @@ - # See slapd.conf(5) for details on configuration options. - # This file should NOT be world readable. - # --include %SYSCONFDIR%/schema/core.schema - --# Define global ACLs to disable default read access. -+include /etc/openldap/schema/corba.schema -+include /etc/openldap/schema/core.schema -+include /etc/openldap/schema/cosine.schema -+include /etc/openldap/schema/duaconf.schema -+include /etc/openldap/schema/dyngroup.schema -+include /etc/openldap/schema/inetorgperson.schema -+include /etc/openldap/schema/java.schema -+include /etc/openldap/schema/misc.schema -+include /etc/openldap/schema/nis.schema -+include /etc/openldap/schema/openldap.schema -+include /etc/openldap/schema/ppolicy.schema -+include /etc/openldap/schema/collective.schema -+ -+# Allow LDAPv2 client connections. This is NOT the default. -+allow bind_v2 - - # Do not enable referrals until AFTER you have a working directory - # service AND an understanding of referrals. 
- #referral ldap://root.openldap.org - --pidfile %LOCALSTATEDIR%/run/slapd.pid --argsfile %LOCALSTATEDIR%/run/slapd.args -+pidfile /var/run/openldap/slapd.pid -+argsfile /var/run/openldap/slapd.args - - # Load dynamic backend modules: --# modulepath %MODULEDIR% --# moduleload back_bdb.la --# moduleload back_hdb.la --# moduleload back_ldap.la -+# modulepath /usr/lib/openldap # or /usr/lib64/openldap -+# moduleload accesslog.la -+# moduleload auditlog.la -+# moduleload back_sql.la -+# moduleload denyop.la -+# moduleload dyngroup.la -+# moduleload dynlist.la -+# moduleload lastmod.la -+# moduleload pcache.la -+# moduleload ppolicy.la -+# moduleload refint.la -+# moduleload retcode.la -+# moduleload rwm.la -+# moduleload syncprov.la -+# moduleload translucent.la -+# moduleload unique.la -+# moduleload valsort.la -+ -+# The next three lines allow use of TLS for encrypting connections using a -+# dummy test certificate which you can generate by changing to -+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on -+# slapd.pem so that the ldap user or group can read it. Your client software -+# may balk at self-signed certificates, however. -+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt -+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem -+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem - - # Sample security restrictions - # Require integrity protection (prevent hijacking) -@@ -47,19 +82,42 @@ argsfile %LOCALSTATEDIR%/run/slapd.args - # rootdn can always read and write EVERYTHING! - - ####################################################################### --# BDB database definitions -+# ldbm and/or bdb database definitions - ####################################################################### - - database bdb - suffix "dc=my-domain,dc=com" -+checkpoint 1024 15 - rootdn "cn=Manager,dc=my-domain,dc=com" - # Cleartext passwords, especially for the rootdn, should --# be avoid. See slappasswd(8) and slapd.conf(5) for details. 
-+# be avoided. See slappasswd(8) and slapd.conf(5) for details. - # Use of strong authentication encouraged. --rootpw secret -+# rootpw secret -+# rootpw {crypt}ijFYNcSNctBYg -+ - # The database directory MUST exist prior to running slapd AND - # should only be accessible by the slapd and slap tools. - # Mode 700 recommended. --directory %LOCALSTATEDIR%/openldap-data --# Indices to maintain --index objectClass eq -+directory /var/lib/ldap -+ -+# Indices to maintain for this database -+index objectClass eq,pres -+index ou,cn,mail,surname,givenname eq,pres,sub -+index uidNumber,gidNumber,loginShell eq,pres -+index uid,memberUid eq,pres,sub -+index nisMapName,nisMapEntry eq,pres,sub -+ -+# Replicas of this database -+#replogfile /var/lib/ldap/openldap-master-replog -+#replica host=ldap-1.example.com:389 starttls=critical -+# bindmethod=sasl saslmech=GSSAPI -+# authcId=host/ldap-master.example.com@EXAMPLE.COM -+ -+ -+# enable monitoring -+database monitor -+ -+# allow onlu rootdn to read the monitor -+access to * -+ by dn.exact="cn=Manager,dc=my-domain,dc=com" read -+ by * none diff --git a/openldap-2.4.6-evolution-ntlm.patch b/openldap-2.4.6-evolution-ntlm.patch deleted file mode 100644 index 33ff29e..0000000 --- a/openldap-2.4.6-evolution-ntlm.patch +++ /dev/null 
@@ -1,192 +0,0 @@ -diff -up evo-openldap-2.4.14/include/ldap.h.evolution-ntlm evo-openldap-2.4.14/include/ldap.h ---- evo-openldap-2.4.14/include/ldap.h.evolution-ntlm 2009-01-27 00:29:53.000000000 +0100 -+++ evo-openldap-2.4.14/include/ldap.h 2009-02-17 10:10:00.000000000 +0100 -@@ -2461,5 +2461,26 @@ ldap_parse_deref_control LDAP_P(( - LDAPControl **ctrls, - LDAPDerefRes **drp )); - -+/* -+ * hacks for NTLM -+ */ -+#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) -+#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) -+LDAP_F( int ) -+ldap_ntlm_bind LDAP_P(( -+ LDAP *ld, -+ LDAP_CONST char *dn, -+ ber_tag_t tag, -+ struct berval *cred, -+ LDAPControl **sctrls, -+ LDAPControl **cctrls, -+ int *msgidp )); -+LDAP_F( int ) -+ldap_parse_ntlm_bind_result LDAP_P(( -+ LDAP *ld, -+ LDAPMessage *res, -+ struct berval *challenge)); -+ -+ - LDAP_END_DECL - #endif /* _LDAP_H */ -diff -up evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm evo-openldap-2.4.14/libraries/libldap/Makefile.in ---- evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm 2009-01-27 00:29:53.000000000 +0100 -+++ evo-openldap-2.4.14/libraries/libldap/Makefile.in 2009-02-17 10:10:00.000000000 +0100 -@@ -20,7 +20,7 @@ PROGRAMS = apitest dntest ftest ltest ur - SRCS = bind.c open.c result.c error.c compare.c search.c \ - controls.c messages.c references.c extended.c cyrus.c \ - modify.c add.c modrdn.c delete.c abandon.c \ -- sasl.c gssapi.c sbind.c unbind.c cancel.c \ -+ sasl.c ntlm.c gssapi.c sbind.c unbind.c cancel.c \ - filter.c free.c sort.c passwd.c whoami.c \ - getdn.c getentry.c getattr.c getvalues.c addentry.c \ - request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \ -@@ -33,7 +33,7 @@ SRCS = bind.c open.c result.c error.c co - OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ - controls.lo messages.lo references.lo extended.lo cyrus.lo \ - modify.lo add.lo modrdn.lo delete.lo abandon.lo \ -- sasl.lo gssapi.lo sbind.lo unbind.lo cancel.lo \ -+ sasl.lo 
ntlm.lo gssapi.lo sbind.lo unbind.lo cancel.lo \ - filter.lo free.lo sort.lo passwd.lo whoami.lo \ - getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ - request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \ -diff -up /dev/null evo-openldap-2.4.14/libraries/libldap/ntlm.c ---- /dev/null 2009-02-17 09:19:52.829004420 +0100 -+++ evo-openldap-2.4.14/libraries/libldap/ntlm.c 2009-02-17 10:10:00.000000000 +0100 -@@ -0,0 +1,137 @@ -+/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ -+/* -+ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. -+ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file -+ */ -+ -+/* Mostly copied from sasl.c */ -+ -+#include "portable.h" -+ -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+#include "ldap-int.h" -+ -+int -+ldap_ntlm_bind( -+ LDAP *ld, -+ LDAP_CONST char *dn, -+ ber_tag_t tag, -+ struct berval *cred, -+ LDAPControl **sctrls, -+ LDAPControl **cctrls, -+ int *msgidp ) -+{ -+ BerElement *ber; -+ int rc; -+ ber_int_t id; -+ -+ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); -+ -+ assert( ld != NULL ); -+ assert( LDAP_VALID( ld ) ); -+ assert( msgidp != NULL ); -+ -+ if( msgidp == NULL ) { -+ ld->ld_errno = LDAP_PARAM_ERROR; -+ return ld->ld_errno; -+ } -+ -+ /* create a message to send */ -+ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { -+ ld->ld_errno = LDAP_NO_MEMORY; -+ return ld->ld_errno; -+ } -+ -+ assert( LBER_VALID( ber ) ); -+ -+ LDAP_NEXT_MSGID( ld, id ); -+ rc = ber_printf( ber, "{it{istON}" /*}*/, -+ id, LDAP_REQ_BIND, -+ ld->ld_version, dn, tag, -+ cred ); -+ -+ /* Put Server Controls */ -+ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { -+ ber_free( ber, 1 ); -+ return ld->ld_errno; -+ } -+ -+ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { -+ ld->ld_errno = LDAP_ENCODING_ERROR; -+ ber_free( ber, 1 ); -+ return ld->ld_errno; -+ } -+ -+ /* send the message */ -+ *msgidp = 
ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); -+ -+ if(*msgidp < 0) -+ return ld->ld_errno; -+ -+ return LDAP_SUCCESS; -+} -+ -+int -+ldap_parse_ntlm_bind_result( -+ LDAP *ld, -+ LDAPMessage *res, -+ struct berval *challenge) -+{ -+ ber_int_t errcode; -+ ber_tag_t tag; -+ BerElement *ber; -+ ber_len_t len; -+ -+ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); -+ -+ assert( ld != NULL ); -+ assert( LDAP_VALID( ld ) ); -+ assert( res != NULL ); -+ -+ if ( ld == NULL || res == NULL ) { -+ return LDAP_PARAM_ERROR; -+ } -+ -+ if( res->lm_msgtype != LDAP_RES_BIND ) { -+ ld->ld_errno = LDAP_PARAM_ERROR; -+ return ld->ld_errno; -+ } -+ -+ if ( ld->ld_error ) { -+ LDAP_FREE( ld->ld_error ); -+ ld->ld_error = NULL; -+ } -+ if ( ld->ld_matched ) { -+ LDAP_FREE( ld->ld_matched ); -+ ld->ld_matched = NULL; -+ } -+ -+ /* parse results */ -+ -+ ber = ber_dup( res->lm_ber ); -+ -+ if( ber == NULL ) { -+ ld->ld_errno = LDAP_NO_MEMORY; -+ return ld->ld_errno; -+ } -+ -+ tag = ber_scanf( ber, "{ioa" /*}*/, -+ &errcode, challenge, &ld->ld_error ); -+ ber_free( ber, 0 ); -+ -+ if( tag == LBER_ERROR ) { -+ ld->ld_errno = LDAP_DECODING_ERROR; -+ return ld->ld_errno; -+ } -+ -+ ld->ld_errno = errcode; -+ -+ return( ld->ld_errno ); -+} diff --git a/openldap-2.4.6-multilib.patch b/openldap-2.4.6-multilib.patch deleted file mode 100644 index 5622963..0000000 --- a/openldap-2.4.6-multilib.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -diff -up openldap-2.4.11/doc/man/man8/slapd.8.patch9 openldap-2.4.11/doc/man/man8/slapd.8 ---- openldap-2.4.11/doc/man/man8/slapd.8.patch9 2008-02-12 00:26:40.000000000 +0100 -+++ openldap-2.4.11/doc/man/man8/slapd.8 2008-09-01 09:57:09.000000000 +0200 -@@ -5,7 +5,7 @@ - .SH NAME - slapd \- Stand-alone LDAP Daemon - .SH SYNOPSIS --.B LIBEXECDIR/slapd -+.B slapd - [\c - .BR \-4 | \-6 ] - [\c -@@ -312,7 +312,7 @@ on voluminous debugging which will be pr - .LP - .nf - .ft tt -- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 -+ slapd -f /var/tmp/slapd.conf -d 255 - .ft - .fi - .LP -@@ -320,7 +320,7 @@ To test whether the configuration file i - .LP - .nf - .ft tt -- LIBEXECDIR/slapd \-Tt -+ slapd -Tt - .ft - .fi - .LP diff --git a/openldap-2.4.6-nosql.patch b/openldap-2.4.6-nosql.patch deleted file mode 100644 index a3e4c64..0000000 --- a/openldap-2.4.6-nosql.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openldap-2.4.11/build/top.mk.patch6 openldap-2.4.11/build/top.mk ---- openldap-2.4.11/build/top.mk.patch6 2008-02-12 00:26:38.000000000 +0100 -+++ openldap-2.4.11/build/top.mk 2008-09-01 09:57:09.000000000 +0200 -@@ -199,7 +199,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@ - SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@ - SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@ - --SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) -+SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_SLP_LIBS@ $(ICU_LIBS) - - # Our Defaults - CC = $(AC_CC) diff --git a/openldap-2.4.6-pie.patch b/openldap-2.4.6-pie.patch deleted file mode 100644 index 0e2f1c4..0000000 --- a/openldap-2.4.6-pie.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -Build both slapd as position-independent executables. This really -should be threaded into the various autotools, but I guess this is what we have -until that happens, if it happens. - -diff -up openldap-2.4.11/servers/slapd/Makefile.in.patch4 openldap-2.4.11/servers/slapd/Makefile.in ---- openldap-2.4.11/servers/slapd/Makefile.in.patch4 2008-02-12 00:26:43.000000000 +0100 -+++ openldap-2.4.11/servers/slapd/Makefile.in 2008-09-01 09:57:09.000000000 +0200 -@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a - cp slapi/.libs/libslapi.a . - - slapd: $(SLAPD_DEPENDS) @LIBSLAPI@ -- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \ -+ $(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \ - $(WRAP_LIBS) - $(RM) $(SLAPTOOLS) - for i in $(SLAPTOOLS); do \ diff --git a/openldap-evolution-ntlm.patch b/openldap-evolution-ntlm.patch new file mode 100644 index 0000000..b84a92f --- /dev/null +++ b/openldap-evolution-ntlm.patch 
@@ -0,0 +1,195 @@ +Get rid of this patch as soon as possible. +More details are provided in README.evolution + +diff -uNPrp openldap-2.4.23.old/include/ldap.h openldap-2.4.23.new/include/ldap.h +--- openldap-2.4.23.old/include/ldap.h 2010-06-10 20:48:36.000000000 +0200 ++++ openldap-2.4.23.new/include/ldap.h 2010-08-24 18:17:46.306679878 +0200 +@@ -2487,5 +2487,26 @@ ldap_parse_deref_control LDAP_P(( + LDAPControl **ctrls, + LDAPDerefRes **drp )); + ++/* ++ * hacks for NTLM ++ */ ++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) ++#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) ++LDAP_F( int ) ++ldap_ntlm_bind LDAP_P(( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp )); ++LDAP_F( int ) ++ldap_parse_ntlm_bind_result LDAP_P(( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge)); ++ ++ + LDAP_END_DECL + #endif /* _LDAP_H */ +diff -uNPrp openldap-2.4.23.old/libraries/libldap/Makefile.in openldap-2.4.23.new/libraries/libldap/Makefile.in +--- openldap-2.4.23.old/libraries/libldap/Makefile.in 2010-04-13 22:22:55.000000000 +0200 ++++ openldap-2.4.23.new/libraries/libldap/Makefile.in 2010-08-24 18:17:46.306679878 +0200 +@@ -20,7 +20,7 @@ PROGRAMS = apitest dntest ftest ltest ur + SRCS = bind.c open.c result.c error.c compare.c search.c \ + controls.c messages.c references.c extended.c cyrus.c \ + modify.c add.c modrdn.c delete.c abandon.c \ +- sasl.c gssapi.c sbind.c unbind.c cancel.c \ ++ sasl.c ntlm.c gssapi.c sbind.c unbind.c cancel.c \ + filter.c free.c sort.c passwd.c whoami.c \ + getdn.c getentry.c getattr.c getvalues.c addentry.c \ + request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \ +@@ -33,7 +33,7 @@ SRCS = bind.c open.c result.c error.c co + OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ + controls.lo messages.lo references.lo extended.lo cyrus.lo \ + modify.lo add.lo modrdn.lo delete.lo abandon.lo \ +- sasl.lo gssapi.lo 
sbind.lo unbind.lo cancel.lo \ ++ sasl.lo ntlm.lo gssapi.lo sbind.lo unbind.lo cancel.lo \ + filter.lo free.lo sort.lo passwd.lo whoami.lo \ + getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ + request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \ +diff -uNPrp openldap-2.4.23.old/libraries/libldap/ntlm.c openldap-2.4.23.new/libraries/libldap/ntlm.c +--- openldap-2.4.23.old/libraries/libldap/ntlm.c 1970-01-01 01:00:00.000000000 +0100 ++++ openldap-2.4.23.new/libraries/libldap/ntlm.c 2010-08-24 18:17:46.330680333 +0200 +@@ -0,0 +1,137 @@ ++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ ++/* ++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. ++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file ++ */ ++ ++/* Mostly copied from sasl.c */ ++ ++#include "portable.h" ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include "ldap-int.h" ++ ++int ++ldap_ntlm_bind( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp ) ++{ ++ BerElement *ber; ++ int rc; ++ ber_int_t id; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( msgidp != NULL ); ++ ++ if( msgidp == NULL ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ /* create a message to send */ ++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ assert( LBER_VALID( ber ) ); ++ ++ LDAP_NEXT_MSGID( ld, id ); ++ rc = ber_printf( ber, "{it{istON}" /*}*/, ++ id, LDAP_REQ_BIND, ++ ld->ld_version, dn, tag, ++ cred ); ++ ++ /* Put Server Controls */ ++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { ++ ld->ld_errno = 
LDAP_ENCODING_ERROR; ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ /* send the message */ ++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); ++ ++ if(*msgidp < 0) ++ return ld->ld_errno; ++ ++ return LDAP_SUCCESS; ++} ++ ++int ++ldap_parse_ntlm_bind_result( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge) ++{ ++ ber_int_t errcode; ++ ber_tag_t tag; ++ BerElement *ber; ++ ber_len_t len; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( res != NULL ); ++ ++ if ( ld == NULL || res == NULL ) { ++ return LDAP_PARAM_ERROR; ++ } ++ ++ if( res->lm_msgtype != LDAP_RES_BIND ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ ld->ld_error = NULL; ++ } ++ if ( ld->ld_matched ) { ++ LDAP_FREE( ld->ld_matched ); ++ ld->ld_matched = NULL; ++ } ++ ++ /* parse results */ ++ ++ ber = ber_dup( res->lm_ber ); ++ ++ if( ber == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ tag = ber_scanf( ber, "{ioa" /*}*/, ++ &errcode, challenge, &ld->ld_error ); ++ ber_free( ber, 0 ); ++ ++ if( tag == LBER_ERROR ) { ++ ld->ld_errno = LDAP_DECODING_ERROR; ++ return ld->ld_errno; ++ } ++ ++ ld->ld_errno = errcode; ++ ++ return( ld->ld_errno ); ++} diff --git a/openldap-export-ldif.patch b/openldap-export-ldif.patch new file mode 100644 index 0000000..5accb41 --- /dev/null +++ b/openldap-export-ldif.patch 
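Review bot: The return value of the first `ber_printf( ber, "{it{istON}" ... )` in ldap_ntlm_bind is stored in `rc` but never examined, so an encoding failure is not reported and the request goes on to ldap_int_put_controls and ldap_send_initial_request with a half-built BerElement. Mirror the check already done for the closing `"N}"`: `if ( rc == -1 ) { ld->ld_errno = LDAP_ENCODING_ERROR; ber_free( ber, 1 ); return ld->ld_errno; }`. In the same file `cctrls` is accepted but never encoded and `len` in ldap_parse_ntlm_bind_result is declared and unused, so the prototype comment should state that client controls are ignored. `challenge` is filled by `ber_scanf` with the `o` format, which hands the caller an allocated copy, so the comment on the prototype should also say the caller frees `challenge->bv_val`. The same ntlm.c text appears in the deleted openldap-2.4.6-evolution-ntlm.patch, so these points predate this commit.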
@@ -0,0 +1,61 @@ +Patch exposes LDIF reading/writing API. This change is required to replace +mozldap with openldap in FreeIPA project. + +Upstream: ITS #6194 +Author: Rich Megginson + +diff -uNPrp openldap-2.4.23.old/include/Makefile.in openldap-2.4.23.new/include/Makefile.in +--- openldap-2.4.23.old/include/Makefile.in 2010-04-13 22:22:47.000000000 +0200 ++++ openldap-2.4.23.new/include/Makefile.in 2010-08-19 17:40:29.073805139 +0200 +@@ -20,7 +20,8 @@ install-local: FORCE + for header in $(srcdir)/lber.h lber_types.h \ + $(srcdir)/ldap.h $(srcdir)/ldap_cdefs.h \ + $(srcdir)/ldap_schema.h $(srcdir)/ldap_utf8.h \ +- $(srcdir)/slapi-plugin.h ldap_features.h; \ ++ $(srcdir)/slapi-plugin.h ldap_features.h \ ++ $(srcdir)/ldif.h ; \ + do \ + $(INSTALL) $(INSTALLFLAGS) -m 644 $$header $(DESTDIR)$(includedir); \ + done +diff -uNPrp openldap-2.4.23.old/libraries/liblutil/Makefile.in openldap-2.4.23.new/libraries/liblutil/Makefile.in +--- openldap-2.4.23.old/libraries/liblutil/Makefile.in 2010-04-19 18:53:01.000000000 +0200 ++++ openldap-2.4.23.new/libraries/liblutil/Makefile.in 2010-08-19 17:40:20.424679962 +0200 +@@ -14,6 +14,9 @@ + ## . + + LIBRARY = liblutil.a ++ ++SHAREDLIB = libldif.la ++ + PROGRAM = testavl + + LDAP_INCDIR= ../../include +@@ -40,6 +43,8 @@ OBJS = base64.o entropy.o sasl.o signal. + meter.o \ + @LIBOBJS@ $(@PLAT@_OBJS) + ++SHAREDLIBOBJS = ldif.lo fetch.lo ++ + testavl: $(XLIBS) testavl.o + (LTLINK) -o $@ testavl.o $(LIBS) + +@@ -59,3 +64,19 @@ slapdmsg.res: slapdmsg.rc slapdmsg.bin + clean-local: + $(RM) *.res + ++all-local: $(SHAREDLIB) ++ ++.SUFFIXES: .c .o .lo ++ ++.c.lo: ++ $(LTCOMPILE_LIB) $< ++ ++$(LIBRARY): $(SHAREDLIBOBJS) version.lo ++ ++$(SHAREDLIB): $(SHAREDLIBOBJS) version.lo ++ $(LTLINK_LIB) -o $(SHAREDLIB) $(SHAREDLIBOBJS) version.lo $(LINK_LIBS) ++ ++install-local: FORCE ++ -$(MKDIR) $(DESTDIR)$(libdir) ++ $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(SHAREDLIB) $(DESTDIR)$(libdir) ++ $(LTFINISH) $(DESTDIR)$(libdir) 
diff --git a/openldap-ldaprc-currentdir.patch b/openldap-ldaprc-currentdir.patch
new file mode 100644
index 0000000..625382b
--- /dev/null
+++ b/openldap-ldaprc-currentdir.patch
@@ -0,0 +1,19 @@
+Disables opening of ldaprc file in current directory.
+
+Resolves: #38402
+Upstream: ITS #1131
+Author: Henning Schmiedehausen
+
+diff -u -uNPrp openldap-2.4.23.old/libraries/libldap/init.c openldap-2.4.23.new/libraries/libldap/init.c
+--- openldap-2.4.23.old/libraries/libldap/init.c 2010-04-13 22:22:57.000000000 +0200
++++ openldap-2.4.23.new/libraries/libldap/init.c 2010-08-24 15:34:27.780680598 +0200
+@@ -346,9 +346,6 @@ static void openldap_ldap_init_w_usercon
+ if(path != NULL) {
+ LDAP_FREE(path);
+ }
+-
+- /* try file */
+- openldap_ldap_init_w_conf(file, 1);
+ }
+
+ static void openldap_ldap_init_w_env(
diff --git a/openldap-manpages.patch b/openldap-manpages.patch
new file mode 100644
index 0000000..4916d65
--- /dev/null
+++ b/openldap-manpages.patch
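Review bot: The removal leaves no trace in init.c of why the current-directory ldaprc lookup is gone, so a later rebase that resolves a conflict here could silently reinstate it; where the three lines are deleted, leave `/* the ldaprc in the current working directory is intentionally not read (ITS #1131) */`. The rationale matters because a config file picked up from whatever directory the process happens to run in lets the owner of that directory set client options such as host and TLS settings. The patch header carries the bug references, but the source line is what the next merge conflict shows. The enclosing function (shown truncated in the hunk header as `openldap_ldap_init_w_usercon`) starts outside the hunk.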
@@ -0,0 +1,103 @@ +Various manual pages changes: +* removes LIBEXECDIR from slapd.8 +* removes references to non-existing manpages (bz 624616) + +diff -uNPrp openldap-2.4.23.old/doc/man/man1/ldapmodify.1 openldap-2.4.23.new/doc/man/man1/ldapmodify.1 +--- openldap-2.4.23.old/doc/man/man1/ldapmodify.1 2010-04-13 22:22:36.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man1/ldapmodify.1 2010-08-19 17:42:10.256805450 +0200 +@@ -364,9 +364,7 @@ exit status and a diagnostic message bei + .BR ldap_add_ext (3), + .BR ldap_delete_ext (3), + .BR ldap_modify_ext (3), +-.BR ldap_modrdn_ext (3), +-.BR ldif (5), +-.BR slapd.replog (5) ++.BR ldif (5) + .SH AUTHOR + The OpenLDAP Project + .SH ACKNOWLEDGEMENTS +diff -uNPrp openldap-2.4.23.old/doc/man/man5/ldap.conf.5 openldap-2.4.23.new/doc/man/man5/ldap.conf.5 +--- openldap-2.4.23.old/doc/man/man5/ldap.conf.5 2010-04-13 22:22:41.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man5/ldap.conf.5 2010-08-19 17:43:25.312805428 +0200 +@@ -317,6 +317,7 @@ certificates in separate individual file + .B TLS_CACERT + is always used before + .B TLS_CACERTDIR. ++The specified directory must be managed with the OpenSSL c_rehash utility. + This parameter is ignored with GNUtls. + .TP + .B TLS_CERT +diff -uNPrp openldap-2.4.23.old/doc/man/man5/ldif.5 openldap-2.4.23.new/doc/man/man5/ldif.5 +--- openldap-2.4.23.old/doc/man/man5/ldif.5 2010-04-13 22:22:41.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man5/ldif.5 2010-08-19 17:42:10.256805450 +0200 +@@ -270,8 +270,7 @@ commands. + .BR ldapmodify (1), + .BR slapadd (8), + .BR slapcat (8), +-.BR slapd\-ldif (5), +-.BR slapd.replog (5). ++.BR slapd\-ldif (5). + .LP + "LDAP Data Interchange Format," Good, G., RFC 2849. 
+ .SH ACKNOWLEDGEMENTS +diff -uNPrp openldap-2.4.23.old/doc/man/man5/slapd-config.5 openldap-2.4.23.new/doc/man/man5/slapd-config.5 +--- openldap-2.4.23.old/doc/man/man5/slapd-config.5 2010-06-10 19:17:53.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man5/slapd-config.5 2010-08-19 17:42:10.258805346 +0200 +@@ -1995,7 +1995,6 @@ default slapd configuration directory + .BR slapd.conf (5), + .BR slapd.overlays (5), + .BR slapd.plugin (5), +-.BR slapd.replog (5), + .BR slapd (8), + .BR slapacl (8), + .BR slapadd (8), +diff -uNPrp openldap-2.4.23.old/doc/man/man5/slapd.conf.5 openldap-2.4.23.new/doc/man/man5/slapd.conf.5 +--- openldap-2.4.23.old/doc/man/man5/slapd.conf.5 2010-04-16 20:05:07.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man5/slapd.conf.5 2010-08-19 17:42:10.261805644 +0200 +@@ -1927,7 +1927,6 @@ default slapd configuration file + .BR slapd.backends (5), + .BR slapd.overlays (5), + .BR slapd.plugin (5), +-.BR slapd.replog (5), + .BR slapd (8), + .BR slapacl (8), + .BR slapadd (8), +diff -uNPrp openldap-2.4.23.old/doc/man/man8/slapd.8 openldap-2.4.23.new/doc/man/man8/slapd.8 +--- openldap-2.4.23.old/doc/man/man8/slapd.8 2010-04-13 22:22:46.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man8/slapd.8 2010-08-19 17:44:19.996680613 +0200 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B slapd + [\c + .BR \-4 | \-6 ] + [\c +@@ -301,7 +301,7 @@ the LDAP databases defined in the defaul + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ slapd + .ft + .fi + .LP +@@ -312,7 +312,7 @@ on voluminous debugging which will be pr + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ slapd -f /var/tmp/slapd.conf -d 255 + .ft + .fi + .LP +@@ -320,7 +320,7 @@ To test whether the configuration file i + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ slapd -Tt + .ft + .fi + .LP diff --git a/openldap-nss-ca-selfsigned.patch b/openldap-nss-ca-selfsigned.patch new file mode 100644 index 0000000..071eaf0 
--- /dev/null
+++ b/openldap-nss-ca-selfsigned.patch
@@ -0,0 +1,54 @@
+#614545 Mozilla NSS - support use of self signed CA certs as server certs
+
+Resolves: #614545
+Upstream: ITS #6589
+Author: Rich Megginson
+
+diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
+--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200
++++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200
+@@ -1491,11 +1491,40 @@
+ status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert,
+ checkSig, certUsage,
+ pin_arg, NULL );
+- if (status != SECSuccess) {
++ if ( status != SECSuccess ) {
++ /* NSS doesn't like self-signed CA certs that are also used for
++ TLS/SSL server certs (such as generated by openssl req -x509)
++ CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case
++ so, see if the cert and issuer are the same cert
++ */
+ PRErrorCode errcode = PR_GetError();
+- Debug( LDAP_DEBUG_ANY,
+- "TLS: error: the certificate %s is not valid - error %d:%s\n",
+- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
++
++ if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) {
++ CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer );
++ if ( NULL == issuer ) {
++ /* no issuer - warn and allow */
++ status = SECSuccess;
++ rc = 0;
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: warning: the server certificate %s has no issuer - "
++ "please check this certificate for validity\n",
++ certname, 0, 0 );
++ } else if ( CERT_CompareCerts( cert, issuer ) ) {
++ /* self signed - warn and allow */
++ status = SECSuccess;
++ rc = 0;
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: warning: using self-signed server certificate %s\n",
++ certname, 0, 0 );
++ }
++ CERT_DestroyCertificate( issuer );
++ }
++
++ if ( status != SECSuccess ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: error: the certificate %s is not valid - error %d:%s\n",
++ certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
++ }
+ } else {
+ rc = 0; /* success */
+ }
diff --git a/openldap-nss-delay-token-auth.patch b/openldap-nss-delay-token-auth.patch
new file mode 100644
index 0000000..1b8e25f
--- /dev/null
+++ b/openldap-nss-delay-token-auth.patch
@@ -0,0 +1,47 @@
+Mozilla NSS - delay token auth until needed
+
+Resolves: #616552
+Upstream: ITS #6595
+Author: Rich Megginson
+
+diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
+--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200
++++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:58:19.030686912 +0200
+@@ -930,26 +930,6 @@
+ return rc;
+ }
+
+-static int
+-tlsm_init_tokens( tlsm_ctx *ctx )
+-{
+- PK11SlotList *slotList;
+- PK11SlotListElement *listEntry;
+- int rc = 0;
+-
+- slotList = PK11_GetAllTokens( CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL );
+-
+- for ( listEntry = PK11_GetFirstSafe( slotList ); !rc && listEntry;
+- listEntry = PK11_GetNextSafe( slotList, listEntry, PR_FALSE ) ) {
+- PK11SlotInfo *slot = listEntry->slot;
+- rc = tlsm_authenticate_to_slot( ctx, slot );
+- }
+-
+- PK11_FreeSlotList( slotList );
+-
+- return rc;
+-}
+-
+ static SECStatus
+ tlsm_nss_shutdown_cb( void *appData, void *nssData )
+ {
+@@ -1365,10 +1345,6 @@
+
+ PK11_SetPasswordFunc( tlsm_pin_prompt );
+
+- if ( tlsm_init_tokens( ctx ) ) {
+- return -1;
+- }
+-
+ /* register cleanup function */
+ /* delete the old one, if any */
+ NSS_UnregisterShutdown( tlsm_nss_shutdown_cb, NULL );
diff --git a/openldap-reentrant-gethostby.patch b/openldap-reentrant-gethostby.patch
new file mode 100644
index 0000000..03bb485
--- /dev/null
+++ b/openldap-reentrant-gethostby.patch
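Review bot: `CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer )` hardcodes the server usage while the CERT_VerifyCertificateNow call three lines above uses the `certUsage` variable, so the fallback does not follow the usage the function was asked to verify; pass `certUsage` there instead. The `NULL == issuer` branch also accepts more than its comment says: any certificate whose issuer is absent from the database gets `status = SECSuccess`, not only a self-signed one, so comparing the subject and issuer names before allowing would keep the exemption to the stated case. Whether this code runs only for the locally configured certificate or also for peer certificates cannot be seen from the hunk; in the latter case the exemption would skip chain validation, which is worth confirming against the enclosing function, which starts outside the hunk.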
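Review bot: Nothing in the patched code records where token authentication now happens once `tlsm_init_tokens` and its call are gone; at the `PK11_SetPasswordFunc( tlsm_pin_prompt );` line add `/* token login is deferred: NSS invokes tlsm_pin_prompt when a slot first needs authentication */` so the contract lives in tls_m.c rather than only in the patch header. If `tlsm_authenticate_to_slot` has no remaining caller after this removal it will be reported as an unused static function; that cannot be determined from the hunk.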
@@ -0,0 +1,32 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton
+
+diff -uNPrp openldap-2.4.23.old/libraries/libldap/util-int.c openldap-2.4.23.new/libraries/libldap/util-int.c
+--- openldap-2.4.23.old/libraries/libldap/util-int.c 2010-04-19 18:53:01.000000000 +0200
++++ openldap-2.4.23.new/libraries/libldap/util-int.c 2010-08-19 17:47:52.456805354 +0200
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+
+ #else
+ # include
+@@ -330,7 +330,7 @@ ldap_pvt_csnstr(char *buf, size_t len, u
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))
diff --git a/openldap-security-pie.patch b/openldap-security-pie.patch
new file mode 100644
index 0000000..338c9e6
--- /dev/null
+++ b/openldap-security-pie.patch
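Review bot: The new condition `#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)` relies on `&&` binding tighter than `||`; it is correct but reads ambiguously, so write `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))`. The two `#undef` lines are kept as commented-out code rather than deleted; replacing them with one comment saying why the reentrant lookups stay enabled in the non-threaded build (the recursive gethostby* deadlock described in the patch header) is clearer for the next reader of util-int.c.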
@@ -0,0 +1,17 @@
+Build slapd as position-independent executable (PIE) to take an advantage of
+address space layout randomization (ASLD).
+
+Author: Thomas Woerner
+
+diff -uNPrp openldap-2.4.23.old/servers/slapd/Makefile.in openldap-2.4.23.new/servers/slapd/Makefile.in
+--- openldap-2.4.23.old/servers/slapd/Makefile.in 2010-04-13 22:23:09.000000000 +0200
++++ openldap-2.4.23.new/servers/slapd/Makefile.in 2010-08-24 15:09:08.999680712 +0200
+@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a
+ cp slapi/.libs/libslapi.a .
+
+ slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
+- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
++ $(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \
+ $(WRAP_LIBS)
+ $(RM) $(SLAPTOOLS)
+ for i in $(SLAPTOOLS); do \
diff --git a/openldap-slapd-conf.patch b/openldap-slapd-conf.patch
new file mode 100644
index 0000000..843049f
--- /dev/null
+++ b/openldap-slapd-conf.patch
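Review bot: The patch description says the goal is `address space layout randomization (ASLD)`; the acronym is ASLR, and since this text is what a later packager reads to decide whether the patch is still needed it should be right. On the link line, `-pie` randomizes the executable's own mapping and `-Wl,-z,defs` only rejects unresolved symbols at link time; if the file is meant to collect hardening flags, `-Wl,-z,relro -Wl,-z,now` is the usual companion so the GOT is read-only after relocation, and a one-line comment above the rule stating which of these are intended would make that explicit.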
@@ -0,0 +1,120 @@ +Updates initial slapd configuration. + +diff -urNPp openldap-2.4.23.old/servers/slapd/slapd.conf openldap-2.4.23.new/servers/slapd/slapd.conf +--- openldap-2.4.23.old/servers/slapd/slapd.conf 2007-02-13 21:22:22.000000000 +0100 ++++ openldap-2.4.23.new/servers/slapd/slapd.conf 2010-08-19 15:45:05.835681213 +0200 +@@ -2,22 +2,57 @@ + # See slapd.conf(5) for details on configuration options. + # This file should NOT be world readable. + # +-include %SYSCONFDIR%/schema/core.schema + +-# Define global ACLs to disable default read access. ++include /etc/openldap/schema/corba.schema ++include /etc/openldap/schema/core.schema ++include /etc/openldap/schema/cosine.schema ++include /etc/openldap/schema/duaconf.schema ++include /etc/openldap/schema/dyngroup.schema ++include /etc/openldap/schema/inetorgperson.schema ++include /etc/openldap/schema/java.schema ++include /etc/openldap/schema/misc.schema ++include /etc/openldap/schema/nis.schema ++include /etc/openldap/schema/openldap.schema ++include /etc/openldap/schema/ppolicy.schema ++include /etc/openldap/schema/collective.schema ++ ++# Allow LDAPv2 client connections. This is NOT the default. ++allow bind_v2 + + # Do not enable referrals until AFTER you have a working directory + # service AND an understanding of referrals. 
+ #referral ldap://root.openldap.org + +-pidfile %LOCALSTATEDIR%/run/slapd.pid +-argsfile %LOCALSTATEDIR%/run/slapd.args ++pidfile /var/run/openldap/slapd.pid ++argsfile /var/run/openldap/slapd.args + + # Load dynamic backend modules: +-# modulepath %MODULEDIR% +-# moduleload back_bdb.la +-# moduleload back_hdb.la +-# moduleload back_ldap.la ++# modulepath /usr/lib/openldap # or /usr/lib64/openldap ++# moduleload accesslog.la ++# moduleload auditlog.la ++# moduleload back_sql.la ++# moduleload denyop.la ++# moduleload dyngroup.la ++# moduleload dynlist.la ++# moduleload lastmod.la ++# moduleload pcache.la ++# moduleload ppolicy.la ++# moduleload refint.la ++# moduleload retcode.la ++# moduleload rwm.la ++# moduleload syncprov.la ++# moduleload translucent.la ++# moduleload unique.la ++# moduleload valsort.la ++ ++# The next three lines allow use of TLS for encrypting connections using a ++# dummy test certificate which you can generate by changing to ++# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on ++# slapd.pem so that the ldap user or group can read it. Your client software ++# may balk at self-signed certificates, however. ++# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt ++# TLSCertificateFile /etc/pki/tls/certs/slapd.pem ++# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem + + # Sample security restrictions + # Require integrity protection (prevent hijacking) +@@ -47,19 +82,42 @@ argsfile %LOCALSTATEDIR%/run/slapd.args + # rootdn can always read and write EVERYTHING! + + ####################################################################### +-# BDB database definitions ++# ldbm and/or bdb database definitions + ####################################################################### + + database bdb + suffix "dc=my-domain,dc=com" ++checkpoint 1024 15 + rootdn "cn=Manager,dc=my-domain,dc=com" + # Cleartext passwords, especially for the rootdn, should +-# be avoid. See slappasswd(8) and slapd.conf(5) for details. 
++# be avoided. See slappasswd(8) and slapd.conf(5) for details. + # Use of strong authentication encouraged. +-rootpw secret ++# rootpw secret ++# rootpw {crypt}ijFYNcSNctBYg ++ + # The database directory MUST exist prior to running slapd AND + # should only be accessible by the slapd and slap tools. + # Mode 700 recommended. +-directory %LOCALSTATEDIR%/openldap-data +-# Indices to maintain +-index objectClass eq ++directory /var/lib/ldap ++ ++# Indices to maintain for this database ++index objectClass eq,pres ++index ou,cn,mail,surname,givenname eq,pres,sub ++index uidNumber,gidNumber,loginShell eq,pres ++index uid,memberUid eq,pres,sub ++index nisMapName,nisMapEntry eq,pres,sub ++ ++# Replicas of this database ++#replogfile /var/lib/ldap/openldap-master-replog ++#replica host=ldap-1.example.com:389 starttls=critical ++# bindmethod=sasl saslmech=GSSAPI ++# authcId=host/ldap-master.example.com@EXAMPLE.COM ++ ++ ++# enable monitoring ++database monitor ++ ++# allow onlu rootdn to read the monitor ++access to * ++ by dn.exact="cn=Manager,dc=my-domain,dc=com" read ++ by * none diff --git a/openldap-smbk5pwd-overlay.patch b/openldap-smbk5pwd-overlay.patch new file mode 100644 index 0000000..366ce50 --- /dev/null +++ b/openldap-smbk5pwd-overlay.patch 
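Review bot: `allow bind_v2` is turned on unconditionally in the shipped default configuration, and the comment above it already says this is not the upstream default; LDAPv2 binds cannot use StartTLS or SASL, so every installation that keeps the stock file accepts the weaker protocol without anyone having chosen it. Shipping the line commented out with the same explanation makes it an opt-in, which is how the other optional settings in this file (`moduleload`, `TLSCertificateFile`, `rootpw`) are presented. Two wording points in the same hunk: `# allow onlu rootdn to read the monitor` should read `only`, and the heading `# ldbm and/or bdb database definitions` reintroduces a backend name that 2.4 no longer ships, so the replaced `# BDB database definitions` was the accurate one.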
@@ -0,0 +1,57 @@ +Compile smbk5pwd together with other overlays. + +Resolves: 550895 +Author: Jan Šafránek + +diff -urNPp openldap-2.4.23.old/contrib/slapd-modules/smbk5pwd/README openldap-2.4.23.new/contrib/slapd-modules/smbk5pwd/README +--- openldap-2.4.23.old/contrib/slapd-modules/smbk5pwd/README 2010-04-13 22:22:30.000000000 +0200 ++++ openldap-2.4.23.new/contrib/slapd-modules/smbk5pwd/README 2010-08-23 13:20:33.338687818 +0200 +@@ -1,3 +1,8 @@ ++******************************************************* ++Red Hat note: Kerberos support is NOT compiled into ++this version of smbk5pwd because we do not use Heimdal. ++******************************************************* ++ + This directory contains a slapd overlay, smbk5pwd, that extends the + PasswordModify Extended Operation to update Kerberos keys and Samba + password hashes for an LDAP user. +diff -urNPp openldap-2.4.23.old/servers/slapd/overlays/Makefile.in openldap-2.4.23.new/servers/slapd/overlays/Makefile.in +--- openldap-2.4.23.old/servers/slapd/overlays/Makefile.in 2010-04-13 22:23:44.000000000 +0200 ++++ openldap-2.4.23.new/servers/slapd/overlays/Makefile.in 2010-08-23 13:20:33.338687818 +0200 +@@ -33,7 +33,8 @@ SRCS = overlays.c \ + syncprov.c \ + translucent.c \ + unique.c \ +- valsort.c ++ valsort.c \ ++ smbk5pwd.c + OBJS = statover.o \ + @SLAPD_STATIC_OVERLAYS@ \ + overlays.o +@@ -46,14 +47,14 @@ LTONLY_MOD = $(LTONLY_mod) + LDAP_INCDIR= ../../../include + LDAP_LIBDIR= ../../../libraries + +-MOD_DEFS = -DSLAPD_IMPORT ++MOD_DEFS = -DSLAPD_IMPORT -DDO_SAMBA + + shared_LDAP_LIBS = $(LDAP_LIBLDAP_R_LA) $(LDAP_LIBLBER_LA) + NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + + LIBRARY = ../liboverlays.a +-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ ++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la + + XINCPATH = -I.. -I$(srcdir)/.. 
+ XDEFS = $(MODULES_CPPFLAGS) +@@ -125,6 +126,9 @@ unique.la : unique.lo + valsort.la : valsort.lo + $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS) + ++smbk5pwd.la : smbk5pwd.lo ++ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo -lldap -L../../../libraries/libldap/.libs/ $(LINK_LIBS) ++ + install-local: $(PROGRAMS) + @if test -n "$?" ; then \ + $(MKDIR) $(DESTDIR)$(moduledir); \ diff --git a/openldap-sql-linking.patch b/openldap-sql-linking.patch new file mode 100644 index 0000000..463e0da --- /dev/null +++ b/openldap-sql-linking.patch @@ -0,0 +1,15 @@ +Removes unnecessary linking of SQL libraries into slapd. This makes openldap-servers package +independent on libodbc. (SQL backend is packaged separately in openldap-servers-sql.) + +diff -uNPrp openldap-2.4.23.old/build/top.mk openldap-2.4.23.new/build/top.mk +--- openldap-2.4.23.old/build/top.mk 2010-04-13 22:22:22.000000000 +0200 ++++ openldap-2.4.23.new/build/top.mk 2010-08-25 15:58:18.477648731 +0200 +@@ -201,7 +201,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@ + SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@ + SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@ + +-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) ++SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) + + # Our Defaults + CC = $(AC_CC) diff --git a/openldap-userconfig-setgid.patch b/openldap-userconfig-setgid.patch new file mode 100644 index 0000000..62c76b2 --- /dev/null +++ b/openldap-userconfig-setgid.patch 
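Review bot: `MOD_DEFS = -DSLAPD_IMPORT -DDO_SAMBA` in the Makefile.in hunk adds DO_SAMBA to the flags shared by every overlay source listed in SRCS, not only smbk5pwd.c; if the intent is to enable just the Samba half of smbk5pwd, a rule that passes the define to the smbk5pwd.lo target alone would keep it out of the other overlays (whether any of them reacts to DO_SAMBA is not visible here). The `smbk5pwd.la` link line also pulls `-lldap -L../../../libraries/libldap/.libs/` from the build tree while the sibling `valsort.la` rule relies on $(LINK_LIBS) alone; a one-line comment stating why smbk5pwd needs the extra libldap link would help the next rebase. The README note that Kerberos is not compiled in is consistent with no DO_KRB5 define being added.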
@@ -0,0 +1,17 @@ +Normally, skips reading of user configuration file when running with different effective UID. +This patch adds the same behavior for GID. + +Author: Nalin Dahyabhai + +diff -uNPrp openldap-2.4.23.old/libraries/libldap/init.c openldap-2.4.23.new/libraries/libldap/init.c +--- openldap-2.4.23.old/libraries/libldap/init.c 2010-04-13 22:22:57.000000000 +0200 ++++ openldap-2.4.23.new/libraries/libldap/init.c 2010-08-24 17:25:07.207682002 +0200 +@@ -663,7 +663,7 @@ void ldap_int_initialize( struct ldapopt + openldap_ldap_init_w_sysconf(LDAP_CONF_FILE); + + #ifdef HAVE_GETEUID +- if ( geteuid() != getuid() ) ++ if ( geteuid() != getuid() || getegid() != getgid() ) + return; + #endif + diff --git a/openldap.spec b/openldap.spec index c1f5ba2..e1b0d93 100644 --- a/openldap.spec +++ b/openldap.spec 
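Review bot: The new condition `geteuid() != getuid() || getegid() != getgid()` only detects a set-id process whose ids still differ at the time libldap initializes; a program that has already normalized its ids before that point passes the check and still reads the user-controlled configuration file, which is the same gap the original euid-only test had. Where the platform offers it, `issetugid()` or glibc's `getauxval(AT_SECURE)` answers the question directly and survives such normalization; adding that would need a configure check that is not part of this hunk. The getegid()/getgid() calls are also guarded only by `HAVE_GETEUID`, so a comment such as `/* getegid() assumed available wherever geteuid() is */` would document the assumption. The enclosing ldap_int_initialize continues outside the hunk.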
@@ -1,59 +1,52 @@ -# We distribute own version of Berkeley DB to prevent -# problems on db4.rpm upgrade - some versions of db4 do -# not work with some versions of OpenLDAP. -%define db_version 4.8.26 +# TODO: add make test after build + %define ldbm_backend berkeley -%define version 2.4.22 %define evolution_connector_prefix %{_libdir}/evolution-openldap %define evolution_connector_includedir %{evolution_connector_prefix}/include %define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib} -Summary: LDAP support libraries Name: openldap -Version: %{version} -Release: 7%{?dist} -License: OpenLDAP +Version: 2.4.23 +Release: 1%{?dist} +Summary: LDAP support libraries Group: System Environment/Daemons +License: OpenLDAP +URL: http://www.openldap.org/ Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz -Source1: http://download.oracle.com/berkeley-db/db-%{db_version}.tar.gz -Source3: README.migration -Source4: ldap.init -Source5: migration-tools.txt -Source6: autofs.schema -Source7: README.upgrading -Source9: README.evolution -Source10: ldap.sysconfig - -# Patches for 2.4 -Patch0: openldap-2.4.6-config.patch -Patch1: openldap-2.0.11-ldaprc.patch -Patch2: openldap-2.2.13-setugid.patch -Patch3: openldap-2.4.6-pie.patch -Patch4: openldap-2.3.11-toollinks.patch -Patch5: openldap-2.4.6-nosql.patch -Patch6: openldap-2.3.19-gethostbyXXXX_r.patch -Patch9: openldap-2.3.37-smbk5pwd.patch -Patch10: openldap-2.4.6-multilib.patch -Patch11: openldap-2.4.16-doc-cacertdir.patch -Patch12: openldap-2.4.21-dn2id-segfault.patch -Patch13: openldap-2.4.22-ldif_h.patch -Patch14: openldap-2.4.22-libldif.patch -Patch15: openldap-2.4.22-modrdn-segfault.patch -Patch16: openldap-2.4.23-selfsignedcacert.patch -Patch17: openldap-2.4.22-initauthtoken.patch - -# Patches for the evolution library -Patch200: openldap-2.4.6-evolution-ntlm.patch +Source1: ldap.init +Source2: ldap.sysconfig +Source3: autofs.schema +Source4: migration-tools.txt +Source5: 
README.migration +Source6: README.upgrading +Source7: README.evolution + +# patches for 2.4 +Patch0: openldap-slapd-conf.patch +Patch1: openldap-manpages.patch +Patch2: openldap-security-pie.patch +Patch3: openldap-sql-linking.patch +Patch4: openldap-reentrant-gethostby.patch +Patch5: openldap-export-ldif.patch +Patch6: openldap-smbk5pwd-overlay.patch +Patch7: openldap-ldaprc-currentdir.patch +Patch8: openldap-userconfig-setgid.patch + +# already merged upstream +Patch100: openldap-nss-ca-selfsigned.patch +Patch101: openldap-nss-delay-token-auth.patch + +# patches for the evolution library (see README.evolution) +Patch200: openldap-evolution-ntlm.patch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cyrus-sasl-devel >= 2.1, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel +BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl +# smbk5pwd overlay: +BuildRequires: openssl-devel -URL: http://www.openldap.org/ -BuildRoot: %{_tmppath}/%{name}-%{version}-root -BuildRequires: cyrus-sasl-devel >= 2.1, gdbm-devel, libtool >= 1.5.6-2, krb5-devel -BuildRequires: openssl-devel, pam-devel, perl, pkgconfig, tcp_wrappers-devel, -BuildRequires: unixODBC-devel, libtool-ltdl-devel, groff -BuildRequires: nss-devel -Requires: glibc >= 2.2.3-48, mktemp Obsoletes: compat-openldap < 2.4 - # provide ldif2ldbm functionality for migrationtools Provides: ldif2ldbm 
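Review bot: The heading `# already merged upstream` above Patch100 and Patch101 reads as though the two patches are obsolete, yet both are still applied in %prep further down the spec (`%patch100 -p1 -b .nss-ca-selfsigned`, `%patch101 -p1 -b .nss-delay-token-auth`); presumably they were accepted upstream after 2.4.23 was cut, so `# accepted upstream, not yet in 2.4.23` would say what the reader needs. The `# TODO: add make test after build` line replaces the removed db_version commentary; if the TODO is intentional it is better tracked in the changelog or a bug than at the top of the spec. The hunk is otherwise a renumbering of Sources and Patches, and the %prep and %install references visible later in the diff use the new numbers consistently.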
@@ -82,9 +75,12 @@ customized LDAP clients. %package servers Summary: LDAP server -# OpenLDAP server includes Berkeley DB library, which is licensed under Sleepycat and BSD licenses) -License: OpenLDAP and (Sleepycat and BSD) -Requires: fileutils, make, openldap = %{version}-%{release}, openssl, /usr/sbin/useradd, /usr/sbin/groupadd, /sbin/chkconfig, /sbin/runuser +License: OpenLDAP +Requires: openldap = %{version}-%{release}, openssl +Requires(pre): shadow-utils +Requires(post): chkconfig, /sbin/runuser, make +Requires(preun): chkconfig +BuildRequires: db4-devel >= 4.4, db4-devel <= 4.8 Group: System Environment/Daemons %description servers 
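Review bot: `BuildRequires: db4-devel >= 4.4, db4-devel <= 4.8` most likely excludes the 4.8.x releases it means to accept, because rpm's version comparison treats `4.8.26` as newer than `4.8` (once the common segments are equal, the version with segments left over wins); `db4-devel < 4.9` expresses the intended upper bound. The scriptlet dependencies added here also do not cover everything the later scriptlets call: `%pre servers` runs `service`, `rpm` and `slapcat`, and the db4 triggers run `db_recover`, `db_upgrade` and `db_checkpoint`, none of which appears under Requires(pre)/Requires(post) — whether they arrive transitively is not visible here. Listing `Requires(pre): initscripts` and the package shipping the db_* tools, if those are what is relied on, would make the ordering explicit.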
@@ -124,101 +120,74 @@ over the Internet. The openldap-clients package contains the client programs needed for accessing and modifying OpenLDAP directories. %prep -%setup -q -c -a 1 +%setup -q -c -a 0 + +# setup tree for openldap pushd openldap-%{version} + %patch0 -p1 -b .config -%patch1 -p1 -b .ldaprc -%patch2 -p1 -b .setugid -%patch3 -p1 -b .pie -%patch4 -p1 -b .toollinks -%patch5 -p1 -b .nosql -%patch6 -p1 -b .gethostbyname_r -%patch9 -p1 -b .smbk5pwd -%patch10 -p1 -b .multilib -%patch11 -p1 -b .cacertdir -%patch12 -p1 -b .segfault -%patch13 -p1 -b .ldif_h -%patch14 -p1 -b .libldif -%patch15 -p1 -b .modrdn-segfault -%patch16 -p1 -b .selfsignedcacert -%patch17 -p1 -b .initauthtoken +%patch1 -p1 -b .manpages +%patch2 -p1 -b .security-pie +%patch3 -p1 -b .sql-linking +%patch4 -p1 -b .reentrant-gethostby +%patch5 -p1 -b .export-ldif +%patch6 -p1 -b .smbk5pwd-overlay +%patch7 -p1 -b .ldaprc-currentdir +%patch8 -p1 -b .userconfig-setgid + +%patch100 -p1 -b .nss-ca-selfsigned +%patch101 -p1 -b .nss-delay-token-auth cp %{_datadir}/libtool/config/config.{sub,guess} build/ + +for subdir in build-servers build-clients ; do + mkdir $subdir + ln -s ../configure $subdir +done + +# build smbk5pwd with other overlays +ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays +mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd + popd -# Set up a build tree for a static version of libldap with the hooks for the -# non-standard NTLM bind type which is needed to connect to Win2k GC servers -# (Win2k3 supports SASL with DIGEST-MD5, so this shouldn't be needed for those -# servers, though as of version 1.4 the connector doesn't try SASL first). +# setup tree for openldap with evolution-specific patches + if ! 
cp -al openldap-%{version} evo-openldap-%{version} ; then - rm -fr evo-openldap-%{version} - cp -a openldap-%{version} evo-openldap-%{version} + rm -fr evo-openldap-%{version} + cp -a openldap-%{version} evo-openldap-%{version} fi pushd evo-openldap-%{version} %patch200 -p1 -b .evolution-ntlm popd -pushd openldap-%{version} - for subdir in build-servers build-clients ; do - mkdir $subdir - ln -s ../configure $subdir - done -# build smbk5pwd with other overlays -ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays -mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd -popd - %build -dbdir=`pwd`/db-instroot + libtool='%{_bindir}/libtool' -tagname=CC; export tagname +export tagname=CC %ifarch ia64 RPM_OPT_FLAGS="$RPM_OPT_FLAGS -O0" %endif -# Set CFLAGS to incorporate RPM_OPT_FLAGS. -CFLAGS="$RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS - -# Build Berkeley DB and install it into a temporary area, isolating OpenLDAP -# from any future changes to the system-wide Berkeley DB library. Version 4.2 -# or later is required by the BDB backend in OpenLDAP 2.1 and later. 
-install -d db-%{db_version}/build-rpm -pushd db-%{db_version}/build-rpm -../dist/configure -C \ - --with-pic \ - --disable-static \ - --enable-shared \ - --with-uniquename=_openldap_slapd_46 \ - --prefix=${dbdir} \ - --includedir=${dbdir}/include \ - --libdir=${dbdir}/%{_lib}${subdir:+/${subdir}} -# fix libtool: no rpath -perl -pi -e 's|hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=\"-L\\\$libdir\"|g;' libtool - -make %{_smp_mflags} libdb_base=libslapd_db libso_base=libslapd_db -make install libdb_base=libslapd_db libso_base=libslapd_db strip="false" -ln -sf libslapd_db.so ${dbdir}/%{_lib}/${subdir}/libdb.so -popd - -export CPPFLAGS="-I${dbdir}/include -I%_includedir/nss3 -I%_includedir/nspr4" -export CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -DLDAP_CONNECTIONLESS -fPIC -D_GNU_SOURCE -DHAVE_TLS -DHAVE_MOZNSS -DSLAPD_LMHASH" -export LDFLAGS="-L${dbdir}/%{_lib}" -export LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} -MOZNSS_TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4" -export LIBS="$MOZNSS_TLS_LIBS" +export CPPFLAGS="-I%_includedir/nss3 -I%_includedir/nspr4" +export CFLAGS="$RPM_OPT_FLAGS $CPPFLAGS -fPIC -D_REENTRANT -DLDAP_CONNECTIONLESS -D_GNU_SOURCE -DHAVE_TLS -DHAVE_MOZNSS -DSLAPD_LMHASH" +export NSS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4" +export LIBS="" build() { + %configure \ --with-threads=posix \ \ - --enable-local --enable-rlookups \ + --enable-local \ + --enable-rlookups \ \ --with-tls=no \ --with-cyrus-sasl \ \ - --enable-wrappers \ + --with-wrappers \ \ --enable-passwd \ \ 
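Review bot: `%setup -q -c -a 0` unpacks Source0 twice if I read the macro correctly: `-c` creates the build directory and unpacks Source0 into it by default, and `-a 0` then extracts the same archive again after the cd; `%setup -q -c -T -a 0` (or plain `%setup -q -c`) avoids the redundant extraction. The context line `%patch0 -p1 -b .config` is now the only one whose backup suffix no longer mirrors its patch name (`openldap-slapd-conf.patch`); `-b .slapd-conf` would keep the convention the other eight lines follow. In the %build section, `export LIBS=""` is overridden by `export LIBS="$NSS_LIBS -lpthread"` in the next hunk before anything is compiled, so the empty assignment can go or should carry a comment if it exists to clear an inherited value. The build() function continues past the end of this hunk.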
@@ -231,24 +200,27 @@ build() { \ --libexecdir=%{_libdir} \ $@ -# HACK HACK HACK -# openldap uses #include -# this doesn't work on fedora and similar which uses /usr/include/nss3 -# so we have to fake it out + +# allow #include and pushd include if [ ! -d nss ] ; then - ln -s %_includedir/nss3 nss + ln -s %{_includedir}/nss3 nss fi if [ ! -d nspr ] ; then - ln -s %_includedir/nspr4 nspr + ln -s %{_includedir}/nspr4 nspr fi popd + make %{_smp_mflags} LIBTOOL="$libtool" + } -# Build the servers with Kerberos support (for password checking, mainly). -LIBS="$LIBS -lpthread"; export LIBS -LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}; export LD_LIBRARY_PATH +# Kerberos support: +# - enabled in server (mainly for password checking) +# - disabled in clients (not needed, to avoid stray dependencies) + +# build servers +export LIBS="$NSS_LIBS -lpthread" pushd openldap-%{version}/build-servers build \ --enable-plugins \ @@ -273,12 +245,10 @@ build \ --disable-dynamic \ --with-kerberos=k5only \ --enable-overlays=mod -unset LIBS popd -# Build clients without Kerberos password-checking support, which is only -# useful in the server anyway, to avoid stray dependencies. -export LIBS="$MOZNSS_TLS_LIBS" +# build clients +export LIBS="$NSS_LIBS" pushd openldap-%{version}/build-clients build \ --disable-slapd \ @@ -288,8 +258,8 @@ build \ --with-pic popd -# Build evolution-specific clients just as we would normal clients, except with -# a different installation directory in mind and no shared libraries. +# build evolution-specific clients +# (specific patch, different installation directory, no shared libraries) pushd evo-openldap-%{version} build \ --disable-slapd \ 
@@ -303,224 +273,180 @@ build \ popd %install -[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT +rm -rf %{buildroot} libtool='%{_bindir}/libtool' -tagname=CC; export tagname - -mkdir -p $RPM_BUILD_ROOT/%{_libdir}/ +export tagname=CC -pushd db-instroot/%{_lib}/ -install -d $RPM_BUILD_ROOT/%{_libdir}/ -install -m755 libslapd_db-*.*.so $RPM_BUILD_ROOT/%{_libdir}/ -popd - -pushd db-%{db_version} -mv LICENSE LICENSE.bdb-backend -popd +mkdir -p %{buildroot}/%{_libdir}/ +# install servers pushd openldap-%{version}/build-servers -make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} LIBTOOL="$libtool" STRIP="" +make install DESTDIR=%{buildroot} \ + libdir=%{_libdir} \ + LIBTOOL="$libtool" \ + STRIP="" popd -# Install the bdb maintenance tools. -pushd db-instroot/bin -for binary in db_* ; do - install -m755 ${binary} $RPM_BUILD_ROOT/%{_sbindir}/slapd_${binary} -done -popd - -# Install clients and shared libraries. Install the evo-specific versions -# first so that any conflicting files are overwritten by generic versions. +# install evolution-specific clients (conflicting files will be overwriten by generic version) pushd evo-openldap-%{version} -make install DESTDIR=$RPM_BUILD_ROOT \ +make install DESTDIR=%{buildroot} \ includedir=%{evolution_connector_includedir} \ libdir=%{evolution_connector_libdir} \ LIBTOOL="$libtool" \ STRIP="" - -install -m644 %SOURCE9 \ - $RPM_BUILD_ROOT/%{evolution_connector_prefix}/ +install -m 644 %SOURCE7 \ + %{buildroot}/%{evolution_connector_prefix}/ popd + +# install clients pushd openldap-%{version}/build-clients -make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} LIBTOOL="$libtool" STRIP="" +make install DESTDIR=%{buildroot} \ + libdir=%{_libdir} \ + LIBTOOL="$libtool" \ + STRIP="" popd -# Create this directory so that authconfig setting TLS_CACERT to -# /etc/openldap/cacerts doesn't cause TLS startup of any kind to fail -# when the directory doesn't exist. 
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/openldap/cacerts -# make sure the certs directory exists -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs -# Touch the dummy slapd.pem to make rpmbuild happy -touch $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/slapd.pem +# setup directories for TLS certificates +mkdir -p %{buildroot}%{_sysconfdir}/openldap/cacerts +mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs -install -m 644 %SOURCE7 README.upgrading -install -m 644 %SOURCE3 README.migration +# install additional documentation +install -m 644 %SOURCE5 README.migration +install -m 644 %SOURCE6 README.upgrading -# Create the data directory. -mkdir -p $RPM_BUILD_ROOT/var/lib/ldap -# Create the new run directory -mkdir -p $RPM_BUILD_ROOT/var/run/openldap +# setup data and runtime directories +mkdir -p %{buildroot}/var/lib/ldap +mkdir -p %{buildroot}/var/run/openldap -# Hack the build root out of the default config files. -perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/*.conf +# remove build root from config files and manual pages +perl -pi -e "s|%{buildroot}||g" %{buildroot}/%{_sysconfdir}/openldap/*.conf +perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.* -# Get the buildroot out of the man pages. -perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/*/*.* +# we don't need the default files -- RPM handles changes +rm -f %{buildroot}/%{_sysconfdir}/openldap/*.default +rm -f %{buildroot}/%{_sysconfdir}/openldap/schema/*.default -# We don't need the default files -- RPM handles changes. -rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/*.default -rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/schema/*.default +# install an init script for the servers +mkdir -p %{buildroot}%{_sysconfdir}/rc.d/init.d +install -m 755 %SOURCE1 %{buildroot}%{_sysconfdir}/rc.d/init.d/slapd -# Install an init script for the servers. 
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d -install -m 755 %SOURCE4 $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/slapd +# install syconfig/ldap +mkdir -p %{buildroot}%{_sysconfdir}/sysconfig +install -m 644 %SOURCE2 %{buildroot}%{_sysconfdir}/sysconfig/ldap -# Install syconfig/ldap -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig -install -m 644 %SOURCE10 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/ldap +# add some more schema for the sake of migration scripts +install -d -m755 %{buildroot}%{_sysconfdir}/openldap/schema/redhat +install -m644 %SOURCE3 \ + %{buildroot}%{_sysconfdir}/openldap/schema/redhat/ -# Add some more schema for the sake of migration scripts. -install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat -install -m644 %SOURCE6 \ - $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat/ +# move slapd out of _libdir +mv %{buildroot}/%{_libdir}/slapd %{buildroot}/%{_sbindir}/ -# Move slapd and slurpd out of _libdir -mv $RPM_BUILD_ROOT/%{_libdir}/slapd $RPM_BUILD_ROOT/%{_sbindir}/ -rm -f $RPM_BUILD_ROOT/%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} -rm -f $RPM_BUILD_ROOT/%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} -for X in acl add auth cat dn index passwd test schema; do ln -s slapd $RPM_BUILD_ROOT/%{_sbindir}/slap$X ; done +# setup tools as symlinks to slapd +rm -f %{buildroot}/%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} +rm -f %{buildroot}/%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} +for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}/%{_sbindir}/slap$X ; done -# Tweak permissions on the libraries to make sure they're correct. 
-chmod 755 $RPM_BUILD_ROOT/%{_libdir}/lib*.so* -chmod 644 $RPM_BUILD_ROOT/%{_libdir}/lib*.*a +# tweak permissions on the libraries to make sure they're correct +chmod 755 %{buildroot}/%{_libdir}/lib*.so* +chmod 644 %{buildroot}/%{_libdir}/lib*.*a # slapd.conf(5) is obsoleted since 2.3, see slapd-config(5) # new configuration will be generated in %post -mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openldap-servers -mkdir $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d -mv $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.conf $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete -chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete - -# Move doc files out of _sysconfdir -mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/README README.schema -mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example +mkdir -p %{buildroot}/%{_datadir}/openldap-servers +mkdir %{buildroot}/%{_sysconfdir}/openldap/slapd.d +mv %{buildroot}/%{_sysconfdir}/openldap/slapd.conf %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete +chmod 0644 %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete + +# move doc files out of _sysconfdir +mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema +mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}/%{_datadir}/openldap-servers/DB_CONFIG.example chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh -chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example +chmod 0644 %{buildroot}/%{_datadir}/openldap-servers/DB_CONFIG.example -# Remove files which we don't want packaged. 
-rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la -rm -f $RPM_BUILD_ROOT/%{_libdir}/*.a -rm -f $RPM_BUILD_ROOT/%{evolution_connector_libdir}/*.la -rm -f $RPM_BUILD_ROOT/%{evolution_connector_libdir}/*.so* -rm -f $RPM_BUILD_ROOT/%{_libdir}/openldap/*.a -rm -f $RPM_BUILD_ROOT/%{_libdir}/openldap/*.so +# remove files which we don't want packaged +rm -f %{buildroot}/%{_libdir}/*.la +rm -f %{buildroot}/%{_libdir}/*.a +rm -f %{buildroot}/%{evolution_connector_libdir}/*.la +rm -f %{buildroot}/%{evolution_connector_libdir}/*.so* +rm -f %{buildroot}/%{_libdir}/openldap/*.a +rm -f %{buildroot}/%{_libdir}/openldap/*.so -rm -f $RPM_BUILD_ROOT%{_localstatedir}/openldap-data/DB_CONFIG.example -rmdir $RPM_BUILD_ROOT%{_localstatedir}/openldap-data +rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example +rmdir %{buildroot}%{_localstatedir}/openldap-data %clean -rm -rf $RPM_BUILD_ROOT +rm -rf %{buildroot} %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %pre servers -# Take care to only do ownership-changing if we're adding the user. -getent group ldap > /dev/null || \ -/usr/sbin/groupadd -r -g 55 ldap -if /usr/sbin/useradd -c "LDAP User" -u 55 -g ldap \ - -s /sbin/nologin -r -d /var/lib/ldap ldap 2> /dev/null ; then - if [ -d /var/lib/ldap ] ; then - for dbfile in /var/lib/ldap/* ; do - if [ -f $dbfile ] ; then - chown ldap:ldap $dbfile - fi - done - fi + +# create ldap user and group +getent group ldap >/dev/null || groupadd -r -g 55 ldap +if ! 
getent passwd ldap >/dev/null; then + useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "LDAP User" ldap + # setup ownership of database files + if [ -d /var/lib/ldap ] ; then + for dbfile in /var/lib/ldap/* ; do + if [ -f $dbfile ] ; then + chown ldap:ldap $dbfile + fi + done + fi fi -if [ "$1" = "2" ]; then - # guess, if database upgrade is necessary - OLD_BDB_VERSION=$( slapd_db_upgrade -V | sed 's/.* \([0-9\.]*\)\.[0-9]*:.*/\1/' ) - NEW_BDB_VERSION=$( echo %{db_version} | sed 's/.[0-9]*$//' ) - - OLD_SLAPD_VERSION=$( rpm -q --qf "%{VERSION}" openldap-servers | sed 's/\.[0-9]*$//' ) - NEW_SLAPD_VERSION=$( echo %{version} | sed 's/\.[0-9]*$//' ) - # we need to detect how is the init script named - # - in older versions ldap - # - in newer versions slapd - if [ -f %{_initrddir}/ldap ]; then - SERVICE_NAME=ldap - elif [ -f %{_initrddir}/slapd ]; then - SERVICE_NAME=slapd - fi - - if [ "$OLD_SLAPD_VERSION" != "$NEW_SLAPD_VERSION" ]; then - # Minor version number has changed -> slapcat/slapadd of the BDB database - # is necessary. Save an ldif of the database where the "% post servers" - # scriptlet can restore it. 
Also save the database files to a "rpmorig" - # directory - Just In Case (TM) - - # stop the server - if /sbin/service $SERVICE_NAME status &>/dev/null; then - touch /var/lib/ldap/need_start - /sbin/service $SERVICE_NAME stop &>/dev/null - fi - - files=$(echo /var/lib/ldap/{log.*,__db.*,[a]lock}) - if [ "$files" != '/var/lib/ldap/log.* /var/lib/ldap/__db.* /var/lib/ldap/[a]lock' ] ; then - if /usr/sbin/slapcat -l /var/lib/ldap/upgrade.ldif > /dev/null 2>&1 ; then - if [ -f /var/lib/ldap/upgrade.ldif ] ; then - /bin/rm -fr /var/lib/ldap/rpmorig > /dev/null 2>&1 || : - mkdir /var/lib/ldap/rpmorig - mv /var/lib/ldap/{alock,*.bdb,__db.*,log.*} /var/lib/ldap/rpmorig > /dev/null 2>&1 || : - cp -f /var/lib/ldap/DB_CONFIG /var/lib/ldap/rpmorig > /dev/null 2>&1 || : - else - /bin/rm -f /var/lib/ldap/upgrade.ldif - fi - fi - fi - else - if [ "$OLD_BDB_VERSION" != "$NEW_BDB_VERSION" ]; then - # Minor version number of bdb has changed -> run db_upgrade in % post script - - # stop the server - if /sbin/service $SERVICE_NAME status &>/dev/null; then - touch /var/lib/ldap/need_start - /sbin/service $SERVICE_NAME stop &>/dev/null - fi - - # Ensure, that the database is correct - /sbin/runuser -m -s /usr/sbin/slapd_db_recover -- "ldap" -h /var/lib/ldap &>/dev/null - # Just create /var/lib/ldap/need_db_upgrade so % post knows - touch /var/lib/ldap/need_db_upgrade &>/dev/null - fi - fi +# upgrade +if [ $1 -eq 2 ]; then + # safe way to migrate the database if minor version number changed (2.x -> 2.y) + # http://www.openldap.org/doc/admin24/maintenance.html + + old_version=$(rpm -q --qf=%%{version} openldap-servers | sed 's/\.[0-9]*$//') + new_version=$(sed 's/\.[0-9]*$//' <<< %{version}) + + if [ "$old_version" != "$new_version" ]; then + pushd %{_sharedstatedir}/ldap + + # stop the service + if service slapd status &>/dev/null; then + touch need_start + service slapd stop + else + rm -f need_start + fi + + if ls __db.* &>/dev/null; then + # export the database + if [ -f 
%{_sysconfdir}/openldap/slapd.conf ]; then + slapcat -f %{_sysconfdir}/openldap/slapd.conf -l upgrade.ldif &>/dev/null + else + slapcat -F %{_sysconfdir}/openldap/slapd.d -l upgrade.ldif &>/dev/null + fi + + # backup the old database + if [ $? -eq 0 ]; then + rm -rf rpmorig + mv alock *.bdb __db.* log.* rpmorig &>/dev/null || : + cp -f rpmorig/DB_CONFIG . &>/dev/null || : + else + rm -f upgrade.ldif + fi + fi + + popd + fi fi + exit 0 %post servers + /sbin/ldconfig /sbin/chkconfig --add slapd -# If there's a /var/lib/ldap/upgrade.ldif file, slapadd it and delete it. -# It was created by the % pre above. -if [ -f /var/lib/ldap/upgrade.ldif ] ; then - /sbin/runuser -m -s /usr/sbin/slapadd -- "ldap" -l /var/lib/ldap/upgrade.ldif > /dev/null 2>&1 - rm -f /var/lib/ldap/upgrade.ldif -fi - -# If there's a /var/lib/ldap/need_db_upgrade file, run db_upgrade and delete it. -# It was created by the % pre above. -if [ -f /var/lib/ldap/need_db_upgrade ]; then - if ls /var/lib/ldap/*.bdb > /dev/null 2>&1; then - /sbin/runuser -m -s /usr/sbin/slapd_db_upgrade -- "ldap" -h /var/lib/ldap /var/lib/ldap/*.bdb - fi - /sbin/runuser -m -s /usr/sbin/slapd_db_checkpoint -- "ldap" -h /var/lib/ldap -1 - rm -f /var/lib/ldap/need_db_upgrade -fi +# generate sample TLS certificates if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1 umask 077 
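Review bot: In `%pre servers`, `cp -f rpmorig/DB_CONFIG . &>/dev/null || :` copies in the wrong direction: the preceding `mv alock *.bdb __db.* log.* rpmorig` never moves DB_CONFIG, so `rpmorig/DB_CONFIG` does not exist, the copy silently fails, and the backup directory ends up without the environment configuration the removed code used to save; `cp -f DB_CONFIG rpmorig/ &>/dev/null || :` restores the intended backup. The `if [ $? -eq 0 ]` after the slapcat `if/else/fi` does test slapcat's status, but only because slapcat is the last command executed inside that compound; capturing it right after each call (`rc=$?`) would make the intent explicit. The migration now stops only `service slapd`, whereas the removed code also probed `%{_initrddir}/ldap` for the older init-script name, so an upgrade from such a version would export the database while the server is still running — presumably acceptable if no supported upgrade path still uses the old name, but a comment saying so would help. The same scriptlet mixes `%{_sharedstatedir}/ldap` (useradd, pushd) with literal `/var/lib/ldap` (chown loop); one spelling would be clearer.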
@@ -538,18 +464,20 @@ chmod 640 slapd.pem popd fi -if [ `find %{_sysconfdir}/openldap/slapd.d -maxdepth 0 -empty | wc -l` = "1" ]; then - # configuration in slapd.d not available +# generate configuration in slapd.d +if ! ls -d %{_sysconfdir}/openldap/slapd.d/* &>/dev/null; then + # fresh installation [ ! -f %{_sysconfdir}/openldap/slapd.conf ] fresh_install=$? [ $fresh_install -eq 0 ] && \ cp %{_datadir}/openldap-servers/slapd.conf.obsolete %{_sysconfdir}/openldap/slapd.conf + # convert from old style config slapd.conf mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak mkdir -p %{_sysconfdir}/openldap/slapd.d/ - lines=`egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1` + lines=$(egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1) lines=$(($lines-1)) head -n $lines %{_sysconfdir}/openldap/slapd.conf.bak > %{_sysconfdir}/openldap/slapd.conf cat >> %{_sysconfdir}/openldap/slapd.conf << EOF @@ -557,7 +485,7 @@ database config rootdn "cn=admin,cn=config" #rootpw secret EOF - lines_r=`wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" "` + lines_r=$(wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" ") lines_r=$(($lines_r-$lines)) tail -n $lines_r %{_sysconfdir}/openldap/slapd.conf.bak >> %{_sysconfdir}/openldap/slapd.conf slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2> /dev/null 
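Review bot: `lines=$(egrep -n '^(database|backend)' ... | head -n 1)` leaves `lines` empty when slapd.conf.bak contains neither directive, and the following `lines=$(($lines-1))` then yields -1, so `head -n -1` emits all but the last line and the later `tail -n` with the inflated `lines_r` appends the whole file again, producing a duplicated slapd.conf that slaptest will reject. Guarding with `[ -n "$lines" ]` and skipping the conversion (moving slapd.conf.bak back into place) when no database section is found would be safer. Probably unreachable with the shipped slapd.conf.obsolete, which contains `database bdb`, but a hand-edited configuration could hit it. The surrounding `if ! ls -d .../slapd.d/*` block continues into the next hunk.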
@@ -570,26 +498,31 @@ EOF [ $fresh_install -eq 0 ] && rm -f %{_sysconfdir}/openldap/slapd.conf.bak fi -if [ $1 -ge 1 ] ; then - /sbin/service slapd condrestart &>/dev/null - /sbin/service slapd status &>/dev/null - if [ "$?" != "0" -a -f /var/lib/ldap/need_start ]; then - /sbin/service slapd start &>/dev/null - rm -f /var/lib/ldap/need_start &>/dev/null - fi +# finish database migration (see %pre) +if [ -f %{_sharedstatedir}/ldap/upgrade.ldif ]; then + runuser -m -s /usr/sbin/slapadd -- ldap -l %{_sharedstatedir}/ldap/upgrade.ldif &>/dev/null + rm -f %{_sharedstatedir}/ldap/upgrade.ldif +fi + +# restart after upgrade +if [ $1 -ge 1 ]; then + if [ -f %{_sharedstatedir}/ldap/need_start ]; then + service slapd start + rm -f %{_sharedstatedir}/ldap/need_start + else + /sbin/service slapd condrestart + fi fi exit 0 %preun servers -if [ "$1" = "0" ] ; then - /sbin/service slapd stop > /dev/null 2>&1 || : - /sbin/chkconfig --del slapd -# Openldap-servers are being removed from system. -# Do not touch the database! Older versions of this -# package attempted to store database in LDIF format, so -# it can be restored later - but it's up to the administrator -# to save the database, if he/she wants so. +if [ $1 -eq 0 ] ; then + /sbin/service slapd stop > /dev/null 2>&1 || : + /sbin/chkconfig --del slapd + + # openldap-servers are being removed from system + # do not touch the database! fi %postun servers 
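Review bot: `runuser -m -s /usr/sbin/slapadd -- ldap -l %{_sharedstatedir}/ldap/upgrade.ldif &>/dev/null` is followed by an unconditional `rm -f` of the LDIF, so a failed import (schema mismatch, disk full) discards the export without telling the operator — the BDB files were moved to rpmorig by %pre, so recovery is still possible, but nothing says so. Keeping the export on failure and reporting it is a two-line change: `if ! runuser -m -s /usr/sbin/slapadd -- ldap -l %{_sharedstatedir}/ldap/upgrade.ldif &>/dev/null; then echo "slapadd failed, %{_sharedstatedir}/ldap/upgrade.ldif kept" >&2; else rm -f %{_sharedstatedir}/ldap/upgrade.ldif; fi`. The restart block mixes `service slapd start` with `/sbin/service slapd condrestart`; one spelling, matching `%preun`'s `/sbin/service`, would be consistent.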
@@ -599,6 +532,58 @@ fi %postun devel -p /sbin/ldconfig +%triggerin servers -- db4 + +# db4 upgrade (see %triggerun) +if [ $2 -eq 2 ]; then + pushd %{_sharedstatedir}/ldap + + # we are interested in minor version changes (both versions of db4 are installed at this moment) + if [ "$(rpm -q --qf="%%{version}\n" db4 | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then + # stop the service + if service slapd status &>/dev/null; then + touch need_start + service slapd stop + fi + + # ensure the database is consistent + runuser -m -s /usr/sbin/db_recover -- "ldap" -h %{_sharedstatedir}/ldap &>/dev/null + + # upgrade will be performed after removing old db4 + touch upgrade_db4 + else + rm -f upgrade_db4 + fi + + popd +fi + +exit 0 + +%triggerun servers -- db4 + +# db4 upgrade (see %triggerin) +if [ -f %{_sharedstatedir}/ldap/upgrade_db4 ]; then + pushd %{_sharedstatedir}/ldap + + # perform the upgrade + if ls *.bdb &>/dev/null; then + runuser -m -s /usr/bin/db_upgrade -- "ldap" -h %{_sharedstatedir}/ldap %{_sharedstatedir}/ldap/*.bdb + runuser -m -s /usr/bin/db_checkpoint -- "ldap" -h %{_sharedstatedir}/ldap -1 + fi + + # start the service + if [ -f need_start ]; then + service slapd start + rm -f need_start + fi + + rm -f upgrade_db4 + popd +fi + +exit 0 + %files %defattr(-,root,root) %doc openldap-%{version}/ANNOUNCEMENT 
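Review bot: The db4 triggers call `/usr/sbin/db_recover` in `%triggerin` but `/usr/bin/db_upgrade` and `/usr/bin/db_checkpoint` in `%triggerun`; the three tools normally ship together, so one of the two prefixes is almost certainly wrong, and because the recover step is wrapped in `&>/dev/null` its failure would go unnoticed before `upgrade_db4` is touched. Using a single prefix for all three, verified against the db4 utilities package, is the fix. `%triggerin` also creates `need_start` whenever it stops the service, while only the `upgrade_db4` branch of `%triggerun` removes it, so a transaction in which `%triggerun` never runs leaves slapd down with a stale marker — acceptable if intended, so a comment on the `touch need_start` line such as `# restarted by %triggerun once the old db4 is gone` would document the contract.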
@@ -618,14 +603,13 @@ fi %files servers %defattr(-,root,root) -%doc db-%{db_version}/LICENSE.bdb-backend %doc README.upgrading %doc README.migration %doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd %doc openldap-%{version}/doc/guide/admin/*.html %doc openldap-%{version}/doc/guide/admin/*.png %doc README.schema -%ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem +%attr(0640,root,ldap) %ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem %attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd %attr(0750,ldap,ldap) %dir %config(noreplace) %{_sysconfdir}/openldap/slapd.d %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ldap @@ -640,7 +624,6 @@ fi %attr(0644,root,root) %{_mandir}/man5/slapo-*.5* %attr(0700,ldap,ldap) %dir /var/lib/ldap %attr(0755,ldap,ldap) %dir /var/run/openldap -%attr(0755,root,root) %{_libdir}/libslapd_db-*.*.so %attr(0755,root,root) %dir %{_libdir}/openldap %attr(0755,root,root) %{_libdir}/openldap/[^b]* %attr(0755,root,root) %dir %{_datadir}/openldap-servers @@ -675,6 +658,11 @@ fi %attr(0644,root,root) %{evolution_connector_libdir}/*.a %changelog +* Fri Aug 27 2010 Jan Vcelak 2.4.23-1 +- rebase to 2.4.23 +- embeded db4 library removed +- removed bogus links in "SEE ALSO" in several man-pages (#624616) + * Thu Jul 22 2010 Jan Vcelak 2.4.22-7 - Mozilla NSS - delay token auth until needed (#616552) - Mozilla NSS - support use of self signed CA certs as server certs (#614545)