#6 Update to new major release OpenLDAP 2.5.5:
Opened 5 months ago by terjeros. Modified a month ago
rpms/ terjeros/openldap rawhide  into  rawhide

Rebase to OpenLDAP 2.5.5
Terje Rosten • 4 months ago  
Undo too some buildreq cleaning
Terje Rosten • 5 months ago  
file modified
+3
@@ -26,3 +26,6 @@ 

  /openldap-2.4.56.tgz

  /openldap-2.4.57.tgz

  /openldap-2.4.58.tgz

+ /openldap-2.5.4.tgz

+ /openldap-ppolicy-check-password-1.1.tar.gz

+ /openldap-2.5.5.tgz

file modified
+34 -17
@@ -1,32 +1,45 @@ 

- --- a/Makefile	2009-10-31 18:59:06.000000000 +0100

- +++ b/Makefile	2014-12-17 09:42:37.586079225 +0100

- @@ -13,22 +13,11 @@

+ diff --git a/Makefile b/Makefile

+ index 4457bad..91de40b 100644

+ --- a/Makefile

+ +++ b/Makefile

+ @@ -13,17 +13,10 @@ CRACKLIB=/usr/share/cracklib/pw_dict

   #

   CONFIG=/etc/openldap/check_password.conf

   

- -OPT=-g -O2 -Wall -fpic 						\

- -	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""	\

- -	-DCONFIG_FILE="\"$(CONFIG)\""					\

- +CFLAGS+=-fpic                                                  \

- +	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \

- +	-DCONFIG_FILE="\"$(CONFIG)\""                          \

-  	-DDEBUG

-  

+ -

  -# Where to find the OpenLDAP headers.

  -#

- -LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \

- -	 -I/home/pyb/tmp/openldap-2.3.39/servers/slapd

+ -LDAP_INC=-I/usr/include/openldap/include \

+ -	 -I/usr/include/openldap/servers/slapd

  -

  -# Where to find the CrackLib headers.

  -#

  -CRACK_INC=

  -

  -INCS=$(LDAP_INC) $(CRACK_INC)

- -

+ +CFLAGS+=-fpic                                                  \

+ +	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \

+ +	-DCONFIG_FILE="\"$(CONFIG)\""                          \

+ +	-DDEBUG

+  

   LDAP_LIB=-lldap_r -llber

   

-  # Comment out this line if you do NOT want to use the cracklib.

- @@ -45,10 +34,10 @@

+ @@ -33,27 +26,21 @@ LDAP_LIB=-lldap_r -llber

+  #

+  CRACKLIB_LIB=-lcrack

+  

+ -CC_FLAGS=-g -O2 -Wall -fpic

+ -CRACKLIB_OPT=-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""

+ -DEBUG_OPT=-DDEBUG

+ -CONFIG_OPT=-DCONFIG_FILE="\"$(CONFIG)\""

+ -

+ -OPT=$(CC_FLAGS) $(CRACKLIB_OPT) $(CONFIG_OPT) $(DEBUG_OPT)

+ -

+  LIBS=$(LDAP_LIB) $(CRACKLIB_LIB)

+  

+  LIBDIR=/usr/lib/openldap/

+  

+ +

   all: 	check_password

   

   check_password.o:
@@ -38,4 +51,8 @@ 

  +	$(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)

   

   install: check_password

-  	cp -f check_password.so ../../../usr/lib/openldap/modules/

+ -	cp -f check_password.so $(LIBDIR)

+ +	cp -f check_password.so ../../../usr/lib/openldap/modules/

+  

+  clean:

+  	$(RM) check_password.o check_password.so check_password.lo
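Review bot: The refreshed patch still injects `-DDEBUG` into CFLAGS (the `+	-DDEBUG` line of the second hunk), so the password-quality module shipped by the package is a debug build; before keeping it, confirm what the DEBUG conditionals in check_password.c emit — if they log the candidate password or per-check details, that must not reach a production slapd log, and the define should be dropped or made opt-in (leave `DEBUG_OPT=` empty and pass it only for a debug build). The install rule now copies to `../../../usr/lib/openldap/modules/`, a path relative to wherever make is invoked, in place of upstream's `$(LIBDIR)`; presumably the spec runs make at the matching depth, but `cp -f check_password.so $(DESTDIR)$(LIBDIR)` with LIBDIR overridden from the spec would make the intent explicit and also cope with `/usr/lib64` on 64-bit hosts. The context line `LDAP_LIB=-lldap_r -llber` is untouched although OpenLDAP 2.5 merged libldap_r into libldap, so check that the module still links against what the 2.5.5 package actually provides.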

file modified
+3 -4
@@ -1,4 +1,4 @@ 

- #!/bin/sh

+ #! /usr/bin/sh

  # Author: Jan Vcelak <jvcelak@redhat.com>

  

  . /usr/libexec/openldap/functions
@@ -41,7 +41,7 @@ 

  	retcode=0

  	for dbdir in `databases`; do

  		[ -d "$dbdir" ] || continue

- 		for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do

+ 		for dbfile in `find ${dbdir} -maxdepth 1 -name "*.mdb"` ; do

I wonder if the former line still can be useful to somebody.

All Berkeley DB files are gone by now?

Not removing the handling of completely obsolete file types is just noise?

Okay, sounds good!

  			run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""

  			if [ $? -ne 0 ]; then

  				error "Read/write permissions for DB file '%s' are required." "$dbfile"
@@ -56,8 +56,7 @@ 

  {

  	retcode=0

  	check_config_syntax || retcode=1

- 	# TODO: need support for Mozilla NSS, disabling temporarily

- 	#check_certs_perms || retcode=1

+ 	check_certs_perms || retcode=1

  	check_db_perms || retcode=1

  	return $retcode

  }
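Review bot: The new `find ${dbdir} -maxdepth 1 -name "*.mdb"` command-substitution loop leaves `${dbdir}` unquoted and word-splits the find output, so a database directory containing whitespace or glob characters is mis-handled; since this is a `/usr/bin/sh` script and the search is already `-maxdepth 1`, a plain glob does the same job safely: `for dbfile in "$dbdir"/*.mdb; do` followed by `[ -e "$dbfile" ] || continue` to skip a directory that holds no database yet. The next line, `run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""`, hands the path over as shell text to be re-parsed; run_as_ldap is defined in the sourced functions file, so it is worth confirming how it evaluates its argument before relying on the escaping here. The enclosing function starts outside this hunk.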

file modified
+2 -16
@@ -84,14 +84,6 @@ 

  		ldif_value

  }

  

- function databases_old()

- {

- 	awk	'begin { database="" }

- 		$1 == "database" { database=$2 }

- 		$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \

- 		"$SLAPD_CONFIG_FILE"

- }

- 

  function certificates_new()

  {

  	slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
@@ -100,20 +92,14 @@ 

  		ldif_value

  }

  

- function certificates_old()

- {

- 	awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \

Could you please elaborate why this function is removed? I don't see (or miss) the changes to this area.

This is handling stuff for the pre-cn=config era, that's soon 10 years ago? No reason to keep that around now.

Ack

- 		"$SLAPD_CONFIG_FILE"

- }

- 

  function certificates()

  {

- 	uses_new_config && certificates_new || certificates_old

+ 	uses_new_config && certificates_new

  }

  

  function databases()

  {

- 	uses_new_config && databases_new || databases_old

+ 	uses_new_config && databases_new

  }

  

  
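Review bot: With the `|| databases_old` and `|| certificates_old` fallbacks removed, `databases()` and `certificates()` now return the non-zero status of `uses_new_config` and print nothing on a slapd.conf-style host, but their callers in check-config.sh only consume stdout, so the DB and certificate permission checks silently pass there instead of reporting the unsupported layout. Making that case explicit keeps the check honest, e.g. in databases(): `uses_new_config || { error "Only cn=config (slapd.d) configuration is supported."; return 1; }` then `databases_new`, and the same in certificates(); `error` is the helper check-config.sh already uses, assuming it writes to stderr so the message is not captured as a directory name. Both functions are shown in full in this hunk.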

file removed
-40
@@ -1,40 +0,0 @@ 

- #!/bin/sh

- # Author: Jan Vcelak <jvcelak@redhat.com>

- 

- . /usr/libexec/openldap/functions

- 

- if [ `id -u` -ne 0 ]; then

- 	error "You have to be root to run this command."

- 	exit 4

- fi

- 

- load_sysconfig

- retcode=0

- 

- for dbdir in `databases`; do

- 	upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"

- 	bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`

- 

- 	# skip uninitialized database

- 	[ -z "$bdb_files"]  || continue

- 

- 	printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"

- 

- 	# perform the update

- 	for command in \

- 		"/usr/bin/db_recover -v -h \"$dbdir\"" \

- 		"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \

- 		"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \

- 	; do

- 		printf "Executing: %s\n" "$command" &>>$upgrade_log

- 		run_as_ldap "$command" &>>$upgrade_log

- 		result=$?

- 		printf "Exit code: %d\n" $result >>"$upgrade_log"

- 		if [ $result -ne 0 ]; then

- 			printf "Upgrade failed: %d\n" $result

- 			retcode=1

- 		fi

- 	done

- done

- 

- exit $retcode

file modified
+2 -2
@@ -5,10 +5,10 @@ 

  Resolves: #835013

  

  diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c

- index b31e05d..fa361ab 100644

+ index 14899cc..b25e750 100644

  --- a/libraries/libldap/os-ip.c

  +++ b/libraries/libldap/os-ip.c

- @@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,

+ @@ -620,8 +620,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,

   

   #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )

   	memset( &hints, '\0', sizeof(hints) );

file modified
+4 -3
@@ -4,9 +4,10 @@ 

  Resolves: #1319782

  

  diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in

+ index b5c3fc8..9aa8a4f 100644

  --- a/servers/slapd/overlays/Makefile.in

  +++ b/servers/slapd/overlays/Makefile.in

- @@ -33,7 +33,8 @@ SRCS = overlays.c \

+ @@ -38,7 +38,8 @@ SRCS = overlays.c \

   	translucent.c \

   	unique.c \

   	valsort.c \
@@ -16,7 +17,7 @@ 

   OBJS = statover.o \

   	@SLAPD_STATIC_OVERLAYS@ \

   	overlays.o

- @@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)

+ @@ -58,7 +59,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)

   UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)

   

   LIBRARY = ../liboverlays.a
@@ -25,7 +26,7 @@ 

   

   XINCPATH = -I.. -I$(srcdir)/..

   XDEFS = $(MODULES_CPPFLAGS)

- @@ -125,6 +126,12 @@ unique.la : unique.lo

+ @@ -148,6 +149,12 @@ smbk5pwd.lo : smbk5pwd.c

   smbk5pwd.la : smbk5pwd.lo

   	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)

   

@@ -1,291 +0,0 @@ 

- From ca310ebff44f10739fd75aff437c7676e089b134 Mon Sep 17 00:00:00 2001

- From: Howard Chu <hyc@openldap.org>

- Date: Mon, 26 Aug 2013 23:31:48 -0700

- Subject: [PATCH] Add channel binding support

- 

- Currently only implemented for OpenSSL.

- Needs an option to set the criticality flag.

- ---

-  include/ldap_pvt.h           |  1 +

-  libraries/libldap/cyrus.c    | 22 ++++++++++++++++++++++

-  libraries/libldap/ldap-int.h |  1 +

-  libraries/libldap/ldap-tls.h |  2 ++

-  libraries/libldap/tls2.c     |  7 +++++++

-  libraries/libldap/tls_g.c    |  7 +++++++

-  libraries/libldap/tls_m.c    |  7 +++++++

-  libraries/libldap/tls_o.c    | 16 ++++++++++++++++

-  servers/slapd/connection.c   |  8 ++++++++

-  servers/slapd/sasl.c         | 18 ++++++++++++++++++

-  servers/slapd/slap.h         |  1 +

-  11 files changed, 90 insertions(+)

- 

- diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h

- index 716c1a90f..61c620785 100644

- --- a/include/ldap_pvt.h

- +++ b/include/ldap_pvt.h

- @@ -420,6 +420,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,

-  LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,

-  	LDAPDN_rewrite_dummy *func, unsigned flags ));

-  LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));

- +LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));

-  

-  LDAP_END_DECL

-  

- diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c

- index 4c0089d5d..3171d56a3 100644

- --- a/libraries/libldap/cyrus.c

- +++ b/libraries/libldap/cyrus.c

- @@ -360,6 +360,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )

-  		lc->lconn_sasl_sockctx = NULL;

-  		lc->lconn_sasl_authctx = NULL;

-  	}

- +	if( lc->lconn_sasl_cbind ) {

- +		ldap_memfree( lc->lconn_sasl_cbind );

- +		lc->lconn_sasl_cbind = NULL;

- +	}

-  

-  	return LDAP_SUCCESS;

-  }

- @@ -492,6 +496,24 @@ ldap_int_sasl_bind(

-  

-  			(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );

-  			LDAP_FREE( authid.bv_val );

- +#ifdef SASL_CHANNEL_BINDING	/* 2.1.25+ */

- +			{

- +				char cbinding[64];

- +				struct berval cbv = { sizeof(cbinding), cbinding };

- +				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {

- +					sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +

- +						cbv.bv_len);

- +					cb->name = "ldap";

- +					cb->critical = 0;

- +					cb->data = (char *)(cb+1);

- +					cb->len = cbv.bv_len;

- +					memcpy( cb->data, cbv.bv_val, cbv.bv_len );

- +					sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,

- +						SASL_CHANNEL_BINDING, cb );

- +					ld->ld_defconn->lconn_sasl_cbind = cb;

- +				}

- +			}

- +#endif

-  		}

-  #endif

-  

- diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h

- index 98ad4dc05..397894271 100644

- --- a/libraries/libldap/ldap-int.h

- +++ b/libraries/libldap/ldap-int.h

- @@ -308,6 +308,7 @@ typedef struct ldap_conn {

-  #ifdef HAVE_CYRUS_SASL

-  	void		*lconn_sasl_authctx;	/* context for bind */

-  	void		*lconn_sasl_sockctx;	/* for security layer */

- +	void		*lconn_sasl_cbind;		/* for channel binding */

-  #endif

-  #ifdef HAVE_GSSAPI

-  	void		*lconn_gss_ctx;		/* gss_ctx_id_t */

- diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h

- index c8a27112f..0ecf81ab9 100644

- --- a/libraries/libldap/ldap-tls.h

- +++ b/libraries/libldap/ldap-tls.h

- @@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len

-  typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);

-  typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);

-  typedef int (TI_session_strength)(tls_session *sess);

- +typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);

-  

-  typedef void (TI_thr_init)(void);

-  

- @@ -64,6 +65,7 @@ typedef struct tls_impl {

-  	TI_session_dn *ti_session_peer_dn;

-  	TI_session_chkhost *ti_session_chkhost;

-  	TI_session_strength *ti_session_strength;

- +	TI_session_unique *ti_session_unique;

-  

-  	Sockbuf_IO *ti_sbio;

-  

- diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c

- index 82ca5272c..13d734362 100644

- --- a/libraries/libldap/tls2.c

- +++ b/libraries/libldap/tls2.c

- @@ -1013,6 +1013,13 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,

-  		rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );

-  	return rc;

-  }

- +

- +int

- +ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )

- +{

- +	tls_session *session = s;

- +	return tls_imp->ti_session_unique( session, buf, is_server );

- +}

-  #endif /* HAVE_TLS */

-  

-  int

- diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c

- index 3b72cd2a1..b78c12086 100644

- --- a/libraries/libldap/tls_g.c

- +++ b/libraries/libldap/tls_g.c

- @@ -669,6 +669,12 @@ tlsg_session_strength( tls_session *session )

-  	return gnutls_cipher_get_key_size( c ) * 8;

-  }

-  

- +static int

- +tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)

- +{

- +	return 0;

- +}

- +

-  /* suites is a string of colon-separated cipher suite names. */

-  static int

-  tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )

- @@ -925,6 +931,7 @@ tls_impl ldap_int_tls_impl = {

-  	tlsg_session_peer_dn,

-  	tlsg_session_chkhost,

-  	tlsg_session_strength,

- +	tlsg_session_unique,

-  

-  	&tlsg_sbio,

-  

- diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c

- index 43fbae4bc..c64f4c176 100644

- --- a/libraries/libldap/tls_m.c

- +++ b/libraries/libldap/tls_m.c

- @@ -2874,6 +2874,12 @@ tlsm_session_strength( tls_session *session )

-  	return rc ? 0 : keySize;

-  }

-  

- +static int

- +tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)

- +{

- +	return 0;

- +}

- +

-  /*

-   * TLS support for LBER Sockbufs

-   */

- @@ -3302,6 +3308,7 @@ tls_impl ldap_int_tls_impl = {

-  	tlsm_session_peer_dn,

-  	tlsm_session_chkhost,

-  	tlsm_session_strength,

- +	tlsm_session_unique,

-  

-  	&tlsm_sbio,

-  

- diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c

- index a13f11fb5..f741a461f 100644

- --- a/libraries/libldap/tls_o.c

- +++ b/libraries/libldap/tls_o.c

- @@ -846,6 +846,21 @@ tlso_session_strength( tls_session *sess )

-  	return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);

-  }

-  

- +static int

- +tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)

- +{

- +	tlso_session *s = (tlso_session *)sess;

- +

- +	/* Usually the client sends the finished msg. But if the

- +	 * session was resumed, the server sent the msg.

- +	 */

- +	if (SSL_session_reused(s) ^ !is_server)

- +		buf->bv_len = SSL_get_finished(s, buf->bv_val, buf->bv_len);

- +	else

- +		buf->bv_len = SSL_get_peer_finished(s, buf->bv_val, buf->bv_len);

- +	return buf->bv_len;

- +}

- +

-  /*

-   * TLS support for LBER Sockbufs

-   */

- @@ -1363,6 +1378,7 @@ tls_impl ldap_int_tls_impl = {

-  	tlso_session_peer_dn,

-  	tlso_session_chkhost,

-  	tlso_session_strength,

- +	tlso_session_unique,

-  

-  	&tlso_sbio,

-  

- diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c

- index 44c3fc63d..0602fdceb 100644

- --- a/servers/slapd/connection.c

- +++ b/servers/slapd/connection.c

- @@ -406,6 +406,7 @@ Connection * connection_init(

-  		c->c_sasl_sockctx = NULL;

-  		c->c_sasl_extra = NULL;

-  		c->c_sasl_bindop = NULL;

- +		c->c_sasl_cbind = NULL;

-  

-  		c->c_sb = ber_sockbuf_alloc( );

-  

- @@ -451,6 +452,7 @@ Connection * connection_init(

-  	assert( c->c_sasl_sockctx == NULL );

-  	assert( c->c_sasl_extra == NULL );

-  	assert( c->c_sasl_bindop == NULL );

- +	assert( c->c_sasl_cbind == NULL );

-  	assert( c->c_currentber == NULL );

-  	assert( c->c_writewaiter == 0);

-  	assert( c->c_writers == 0);

- @@ -1428,6 +1430,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri )

-  			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );

-  			slap_sasl_external( c, c->c_tls_ssf, &authid );

-  			if ( authid.bv_val ) free( authid.bv_val );

- +			{

- +				char cbinding[64];

- +				struct berval cbv = { sizeof(cbinding), cbinding };

- +				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))

- +					slap_sasl_cbinding( c, &cbv );

- +			}

-  		} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,

-  			LBER_SB_OPT_NEEDS_WRITE, NULL )) {	/* need to retry */

-  			slapd_set_write( s, 1 );

- diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c

- index 5144170d1..258cd5407 100644

- --- a/servers/slapd/sasl.c

- +++ b/servers/slapd/sasl.c

- @@ -1389,6 +1389,21 @@ int slap_sasl_external(

-  	return LDAP_SUCCESS;

-  }

-  

- +int slap_sasl_cbinding( Connection *conn, struct berval *cbv )

- +{

- +#ifdef SASL_CHANNEL_BINDING

- +	sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;

- +	cb->name = "ldap";

- +	cb->critical = 0;

- +	cb->data = (char *)(cb+1);

- +	cb->len = cbv->bv_len;

- +	memcpy( cb->data, cbv->bv_val, cbv->bv_len );

- +	sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );

- +	conn->c_sasl_cbind = cb;

- +#endif

- +	return LDAP_SUCCESS;

- +}

- +

-  int slap_sasl_reset( Connection *conn )

-  {

-  	return LDAP_SUCCESS;

- @@ -1454,6 +1469,9 @@ int slap_sasl_close( Connection *conn )

-  	free( conn->c_sasl_extra );

-  	conn->c_sasl_extra = NULL;

-  

- +	free( conn->c_sasl_cbind );

- +	conn->c_sasl_cbind = NULL;

- +

-  #elif defined(SLAP_BUILTIN_SASL)

-  	SASL_CTX *ctx = conn->c_sasl_authctx;

-  	if( ctx ) {

- diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h

- index 7581967be..ad797d752 100644

- --- a/servers/slapd/slap.h

- +++ b/servers/slapd/slap.h

- @@ -2910,6 +2910,7 @@ struct Connection {

-  	void	*c_sasl_authctx;	/* SASL authentication context */

-  	void	*c_sasl_sockctx;	/* SASL security layer context */

-  	void	*c_sasl_extra;		/* SASL session extra stuff */

- +	void	*c_sasl_cbind;		/* SASL channel binding */

-  	Operation	*c_sasl_bindop;	/* set to current op if it's a bind */

-  

-  #ifdef LDAP_X_TXN

- -- 

- 2.29.2

- 

@@ -1,236 +0,0 @@ 

- From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001

- From: Ryan Tandy <ryan@nardis.ca>

- Date: Mon, 27 Apr 2020 23:24:16 -0700

- Subject: [PATCH] Convert test077 to LDIF config

- 

- ---

-  tests/data/slapd-sasl-gssapi.conf |  65 ------------------

-  tests/scripts/defines.sh          |   1 -

-  tests/scripts/test077-sasl-gssapi | 108 ++++++++++++++++++++++++++++--

-  3 files changed, 103 insertions(+), 71 deletions(-)

-  delete mode 100644 tests/data/slapd-sasl-gssapi.conf

- 

- diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf

- deleted file mode 100644

- index 611fc7097..000000000

- --- a/tests/data/slapd-sasl-gssapi.conf

- +++ /dev/null

- @@ -1,65 +0,0 @@

- -# stand-alone slapd config -- for testing (with indexing)

- -# $OpenLDAP$

- -## This work is part of OpenLDAP Software <http://www.openldap.org/>.

- -##

- -## Copyright 1998-2020 The OpenLDAP Foundation.

- -## All rights reserved.

- -##

- -## Redistribution and use in source and binary forms, with or without

- -## modification, are permitted only as authorized by the OpenLDAP

- -## Public License.

- -##

- -## A copy of this license is available in the file LICENSE in the

- -## top-level directory of the distribution or, alternatively, at

- -## <http://www.OpenLDAP.org/license.html>.

- -

- -#

- -include		@SCHEMADIR@/core.schema

- -include		@SCHEMADIR@/cosine.schema

- -#

- -include		@SCHEMADIR@/corba.schema

- -include		@SCHEMADIR@/java.schema

- -include		@SCHEMADIR@/inetorgperson.schema

- -include		@SCHEMADIR@/misc.schema

- -include		@SCHEMADIR@/nis.schema

- -include		@SCHEMADIR@/openldap.schema

- -#

- -include		@SCHEMADIR@/duaconf.schema

- -include		@SCHEMADIR@/dyngroup.schema

- -

- -#

- -pidfile		@TESTDIR@/slapd.1.pid

- -argsfile	@TESTDIR@/slapd.1.args

- -

- -# SSL configuration

- -TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt

- -TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key

- -TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt

- -

- -#

- -rootdse 	@DATADIR@/rootdse.ldif

- -

- -#mod#modulepath	../servers/slapd/back-@BACKEND@/

- -#mod#moduleload	back_@BACKEND@.la

- -#monitormod#modulepath ../servers/slapd/back-monitor/

- -#monitormod#moduleload back_monitor.la

- -

- -

- -#######################################################################

- -# database definitions

- -#######################################################################

- -

- -database	@BACKEND@

- -suffix          "dc=example,dc=com"

- -rootdn          "cn=Manager,dc=example,dc=com"

- -rootpw          secret

- -#~null~#directory	@TESTDIR@/db.1.a

- -#indexdb#index		objectClass eq

- -#indexdb#index		mail eq

- -#ndb#dbname db_1_a

- -#ndb#include @DATADIR@/ndb.conf

- -

- -#monitor#database	monitor

- -

- -sasl-realm	@KRB5REALM@

- -sasl-host	localhost

- diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh

- index 78dc1f8ae..76c85b442 100755

- --- a/tests/scripts/defines.sh

- +++ b/tests/scripts/defines.sh

- @@ -108,7 +108,6 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf

-  SCHEMACONF=$DATADIR/slapd-schema.conf

-  TLSCONF=$DATADIR/slapd-tls.conf

-  TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf

- -SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf

-  GLUECONF=$DATADIR/slapd-glue.conf

-  REFINTCONF=$DATADIR/slapd-refint.conf

-  RETCODECONF=$DATADIR/slapd-retcode.conf

- diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi

- index bde9006ca..322df60a4 100755

- --- a/tests/scripts/test077-sasl-gssapi

- +++ b/tests/scripts/test077-sasl-gssapi

- @@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then

-          exit 0

-  fi

-  

- -mkdir -p $TESTDIR $DBDIR1

- +CONFDIR=$TESTDIR/slapd.d

- +CONFLDIF=$TESTDIR/slapd.ldif

- +

- +mkdir -p $TESTDIR $DBDIR1 $CONFDIR

-  cp -r $DATADIR/tls $TESTDIR

- +$SLAPPASSWD -g -n >$CONFIGPWF

-  

-  echo "Starting KDC for SASL/GSSAPI tests..."

-  . $SRCDIR/scripts/setup_kdc.sh

-  

- -echo "Running slapadd to build slapd database..."

- -. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1

- -$SLAPADD -f $CONF1 -l $LDIFORDERED

- +echo "Configuring slapd..."

- +cat > $CONFLDIF <<EOF

- +dn: cn=config

- +objectClass: olcGlobal

- +cn: config

- +olcSaslHost: localhost

- +olcSaslRealm: $KRB5REALM

- +olcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt

- +olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt

- +olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key

- +

- +dn: cn=schema,cn=config

- +objectClass: olcSchemaConfig

- +cn: schema

- +

- +include: file://$ABS_SCHEMADIR/core.ldif

- +

- +dn: olcDatabase={0}config,cn=config

- +objectClass: olcDatabaseConfig

- +olcDatabase: {0}config

- +olcRootPW:< file://$TESTDIR/configpw

- +

- +EOF

- +$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF

-  RC=$?

-  if test $RC != 0 ; then

-  	echo "slapadd failed ($RC)!"

- @@ -38,7 +63,7 @@ if test $RC != 0 ; then

-  fi

-  

-  echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."

- -$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &

- +$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &

-  PID=$!

-  if test $WAIT != 0 ; then

-      echo PID $PID

- @@ -141,6 +166,79 @@ else

-  	fi

-  fi

-  

- +if test $WITH_TLS = no ; then

- +        echo "TLS support not available, skipping channe-binding test"

- +elif test $HAVE_SASL_GSS_CBIND = no ; then

- +        echo "SASL has no channel-binding support in GSSAPI, test skipped"

- +else

- +	echo "Testing SASL/GSSAPI with SASL_CBINDING..."

- +

- +	for acb in "none" "tls-unique" "tls-endpoint" ; do

- +

- +		echo "Modifying slapd's olcSaslCBinding to ${acb} ..."

- +		$LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1

- +dn: cn=config

- +changetype: modify

- +replace: olcSaslCBinding

- +olcSaslCBinding: ${acb}

- +EOF

- +		RC=$?

- +		if test $RC != 0 ; then

- +			echo "ldapmodify failed ($RC)!"

- +			kill $KDCPROC

- +			test $KILLSERVERS != no && kill -HUP $KILLPIDS

- +			exit $RC

- +		fi

- +

- +		for icb in "none" "tls-unique" "tls-endpoint" ; do

- +

- +			# The gnutls implemantation of "tls-unique" seems broken

- +			if test $icb = "tls-unique" -o $acb = "tls-unique" ; then

- +				if test $WITH_TLS_TYPE == gnutls  ; then

- +					continue

- +				fi

- +			fi

- +

- +			fail="no"

- +			if test $icb != $acb -a $acb != "none" ; then

- +				# This currently fails in MIT, but it is planned to be

- +				# fixed not to fail like in heimdal - avoid testing.

- +				if test $icb = "none" ; then

- +					continue

- +				fi

- +				# Otherwise unmatching bindings are expected to fail.

- +				fail="yes"

- +			fi

- +

- +			echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "

- +			echo -ne "(client: ${icb},\tserver: ${acb}): "

- +

- +			$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow	\

- +			-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\

- +			-o SASL_CBINDING=$icb > $TESTOUT 2>&1

- +

- +			RC=$?

- +			if test $RC != 0 ; then

- +				if test $fail = "no" ; then

- +					echo "test failed ($RC)!"

- +					kill $KDCPROC

- +					test $KILLSERVERS != no && kill -HUP $KILLPIDS

- +					exit $RC

- +				fi

- +			elif test $fail = "yes" ; then

- +				echo "failed: command succeeded unexpectedly."

- +				kill $KDCPROC

- +				test $KILLSERVERS != no && kill -HUP $KILLPIDS

- +				exit 1

- +			fi

- +

- +			echo "success"

- +			RC=0

- +		done

- +	done

- +fi

- +

- +

-  kill $KDCPROC

-  test $KILLSERVERS != no && kill -HUP $KILLPIDS

-  

- -- 

- 2.29.2

- 

@@ -1,39 +0,0 @@ 

- From e006994d83af9dcb7813a18253cf4e5beacee043 Mon Sep 17 00:00:00 2001

- From: Ryan Tandy <ryan@nardis.ca>

- Date: Sun, 26 Apr 2020 11:40:23 -0700

- Subject: [PATCH] Fix slaptest in test077

- 

- The libtool wrapper scripts lose argv[0] when exec'ing the real binary.

- 

- In the CI Docker container, where the build runs as root, this was

- actually starting a real slapd on the default port.

- 

- Outside Docker, running as a non-root user, this slapd would just fail

- to start, and wouldn't convert the config either.

- 

- Using "slapd -Tt" fixes the issue but also prints a warning from

- slaptest since the database hasn't been initialized yet.

- 

- Dynamic config isn't actually used in this test script, so let's just

- run slapd off the config file directly.

- ---

-  tests/scripts/test077-sasl-gssapi | 3 ---

-  1 file changed, 3 deletions(-)

- 

- diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi

- index 64abe16fe..bde9006ca 100755

- --- a/tests/scripts/test077-sasl-gssapi

- +++ b/tests/scripts/test077-sasl-gssapi

- @@ -24,9 +24,6 @@ fi

-  mkdir -p $TESTDIR $DBDIR1

-  cp -r $DATADIR/tls $TESTDIR

-  

- -cd $TESTWD

- -

- -

-  echo "Starting KDC for SASL/GSSAPI tests..."

-  . $SRCDIR/scripts/setup_kdc.sh

-  

- -- 

- 2.29.2

- 

@@ -1,220 +0,0 @@ 

- NOTE: The patch has been adjusted to match the base code before backporting.

- 

- From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001

- From: Howard Chu <hyc@openldap.org>

- Date: Tue, 10 Sep 2013 04:26:51 -0700

- Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT

- 

- retrieve peer cert for an active TLS session

- ---

-  doc/man/man3/ldap_get_option.3 |  8 ++++++++

-  include/ldap.h                 |  1 +

-  libraries/libldap/ldap-tls.h   |  2 ++

-  libraries/libldap/tls2.c       | 24 ++++++++++++++++++++++++

-  libraries/libldap/tls_g.c      | 19 +++++++++++++++++++

-  libraries/libldap/tls_m.c      | 17 +++++++++++++++++

-  libraries/libldap/tls_o.c      | 16 ++++++++++++++++

-  7 files changed, 87 insertions(+)

- 

- diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3

- index eb3f25b33..7546875f5 100644

- --- a/doc/man/man3/ldap_get_option.3

- +++ b/doc/man/man3/ldap_get_option.3

- @@ -744,6 +744,14 @@ A non-zero value pointed to by

-  .BR invalue

-  tells the library to create a context for a server.

-  .TP

- +.B LDAP_OPT_X_TLS_PEERCERT

- +Gets the peer's certificate in DER format from an established TLS session.

- +.BR outvalue

- +must be

- +.BR "struct berval *" ,

- +and the data it returns needs to be freed by the caller using

- +.BR ldap_memfree (3).

- +.TP

-  .B LDAP_OPT_X_TLS_PROTOCOL_MIN

-  Sets/gets the minimum protocol version.

-  .BR invalue

- diff --git a/include/ldap.h b/include/ldap.h

- index 389441031..88bfcabf8 100644

- --- a/include/ldap.h

- +++ b/include/ldap.h

- @@ -160,6 +160,7 @@ LDAP_BEGIN_DECL

-  #define LDAP_OPT_X_TLS_PACKAGE		0x6011

-  #define LDAP_OPT_X_TLS_ECNAME		0x6012

-  #define LDAP_OPT_X_TLS_REQUIRE_SAN	0x601a

- +#define LDAP_OPT_X_TLS_PEERCERT		0x6015	/* read-only */

-  

-  #define LDAP_OPT_X_TLS_NEVER	0

-  #define LDAP_OPT_X_TLS_HARD		1

- diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h

- index 0ecf81ab9..103004fa7 100644

- --- a/libraries/libldap/ldap-tls.h

- +++ b/libraries/libldap/ldap-tls.h

- @@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);

-  typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);

-  typedef int (TI_session_strength)(tls_session *sess);

-  typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);

- +typedef int (TI_session_peercert)(tls_session *s, struct berval *der);

-  

-  typedef void (TI_thr_init)(void);

-  

- @@ -66,6 +67,7 @@ typedef struct tls_impl {

-  	TI_session_chkhost *ti_session_chkhost;

-  	TI_session_strength *ti_session_strength;

-  	TI_session_unique *ti_session_unique;

- +	TI_session_peercert *ti_session_peercert;

-  

-  	Sockbuf_IO *ti_sbio;

-  

- diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c

- index 13d734362..ad09ba39b 100644

- --- a/libraries/libldap/tls2.c

- +++ b/libraries/libldap/tls2.c

- @@ -705,6 +705,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )

-  	case LDAP_OPT_X_TLS_CONNECT_ARG:

-  		*(void **)arg = lo->ldo_tls_connect_arg;

-  		break;

- +	case LDAP_OPT_X_TLS_PEERCERT: {

- +		void *sess = NULL;

- +		struct berval *bv = arg;

- +		bv->bv_len = 0;

- +		bv->bv_val = NULL;

- +		if ( ld != NULL ) {

- +			LDAPConn *conn = ld->ld_defconn;

- +			if ( conn != NULL ) {

- +				Sockbuf *sb = conn->lconn_sb;

- +				sess = ldap_pvt_tls_sb_ctx( sb );

- +				if ( sess != NULL )

- +					return ldap_pvt_tls_get_peercert( sess, bv );

- +			}

- +		}

- +		break;

- +	}

- +

-  	default:

-  		return -1;

-  	}

- @@ -1020,6 +1037,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )

-  	tls_session *session = s;

-  	return tls_imp->ti_session_unique( session, buf, is_server );

-  }

- +

- +int

- +ldap_pvt_tls_get_peercert( void *s, struct berval *der )

- +{

- +	tls_session *session = s;

- +	return tls_imp->ti_session_peercert( session, der );

- +}

-  #endif /* HAVE_TLS */

-  

-  int

- diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c

- index b78c12086..26d9f99ce 100644

- --- a/libraries/libldap/tls_g.c

- +++ b/libraries/libldap/tls_g.c

- @@ -675,6 +675,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)

-  	return 0;

-  }

-  

- +static int

- +tlsg_session_peercert( tls_session *sess, struct berval *der )

- +{

- +	tlsg_session *s = (tlsg_session *)sess;

- +	const gnutls_datum_t *peer_cert_list;

- +	unsigned int list_size;

- +

- +	peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );

- +	if (!peer_cert_list)

- +		return -1;

- +	der->bv_len = peer_cert_list[0].size;

- +	der->bv_val = LDAP_MALLOC( der->bv_len );

- +	if (!der->bv_val)

- +		return -1;

- +	memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);

- +	return 0;

- +}

- +

-  /* suites is a string of colon-separated cipher suite names. */

-  static int

-  tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )

- @@ -932,6 +950,7 @@ tls_impl ldap_int_tls_impl = {

-  	tlsg_session_chkhost,

-  	tlsg_session_strength,

-  	tlsg_session_unique,

- +	tlsg_session_peercert,

-  

-  	&tlsg_sbio,

-  

- diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c

- index c64f4c176..d35a803de 100644

- --- a/libraries/libldap/tls_m.c

- +++ b/libraries/libldap/tls_m.c

- @@ -2880,6 +2880,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)

-  	return 0;

-  }

-  

- +static int

- +tlsm_session_peercert( tls_session *sess, struct berval *der )

- +{

- +	tlsm_session *s = (tlsm_session *)sess;

- +	CERTCertificate *cert;

- +	cert = SSL_PeerCertificate( s );

- +	if (!cert)

- +		return -1;

- +	der->bv_len = cert->derCert.len;

- +	der->bv_val = LDAP_MALLOC( der->bv_len );

- +	if (!der->bv_val)

- +		return -1;

- +	memcpy( der->bv_val, cert->derCert.data, der->bv_len );

- +	return 0;

- +}

- +

-  /*

-   * TLS support for LBER Sockbufs

-   */

- @@ -3309,6 +3325,7 @@ tls_impl ldap_int_tls_impl = {

-  	tlsm_session_chkhost,

-  	tlsm_session_strength,

-  	tlsm_session_unique,

- +	tlsm_session_peercert,

-  

-  	&tlsm_sbio,

-  

- diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c

- index f741a461f..157923289 100644

- --- a/libraries/libldap/tls_o.c

- +++ b/libraries/libldap/tls_o.c

- @@ -861,6 +861,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)

-  	return buf->bv_len;

-  }

-  

- +static int

- +tlso_session_peercert( tls_session *sess, struct berval *der )

- +{

- +	tlso_session *s = (tlso_session *)sess;

- +	unsigned char *ptr;

- +	X509 *x = SSL_get_peer_certificate(s);

- +	der->bv_len = i2d_X509(x, NULL);

- +	der->bv_val = LDAP_MALLOC(der->bv_len);

- +	if ( !der->bv_val )

- +		return -1;

- +	ptr = der->bv_val;

- +	i2d_X509(x, &ptr);

- +	return 0;

- +}

- +

-  /*

-   * TLS support for LBER Sockbufs

-   */

- @@ -1379,6 +1394,7 @@ tls_impl ldap_int_tls_impl = {

-  	tlso_session_chkhost,

-  	tlso_session_strength,

-  	tlso_session_unique,

- +	tlso_session_peercert,

-  

-  	&tlso_sbio,

-  

- -- 

- 2.29.2

- 

@@ -1,70 +0,0 @@ 

- From 465b1c5972eef1d4e60eb98ae3776d33e270853d Mon Sep 17 00:00:00 2001

- From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <okuznik@symas.com>

- Date: Fri, 15 Jun 2018 15:12:28 +0100

- Subject: [PATCH] ITS#8573 Add missing URI variables for tests

- 

- ---

-  tests/scripts/conf.sh    | 18 ++++++++++++++++++

-  tests/scripts/defines.sh |  7 +++++++

-  2 files changed, 25 insertions(+)

- 

- diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh

- index 9a33d88e9..2a859d89d 100755

- --- a/tests/scripts/conf.sh

- +++ b/tests/scripts/conf.sh

- @@ -74,6 +74,24 @@ sed -e "s/@BACKEND@/${BACKEND}/"			\

-  	-e "s;@PORT4@;${PORT4};"			\

-  	-e "s;@PORT5@;${PORT5};"			\

-  	-e "s;@PORT6@;${PORT6};"			\

- +	-e "s;@SURI1@;${SURI1};"			\

- +	-e "s;@SURI2@;${SURI2};"			\

- +	-e "s;@SURI3@;${SURI3};"			\

- +	-e "s;@SURI4@;${SURI4};"			\

- +	-e "s;@SURI5@;${SURI5};"			\

- +	-e "s;@SURI6@;${SURI6};"			\

- +	-e "s;@URIP1@;${URIP1};"			\

- +	-e "s;@URIP2@;${URIP2};"			\

- +	-e "s;@URIP3@;${URIP3};"			\

- +	-e "s;@URIP4@;${URIP4};"			\

- +	-e "s;@URIP5@;${URIP5};"			\

- +	-e "s;@URIP6@;${URIP6};"			\

- +	-e "s;@SURIP1@;${SURIP1};"			\

- +	-e "s;@SURIP2@;${SURIP2};"			\

- +	-e "s;@SURIP3@;${SURIP3};"			\

- +	-e "s;@SURIP4@;${SURIP4};"			\

- +	-e "s;@SURIP5@;${SURIP5};"			\

- +	-e "s;@SURIP6@;${SURIP6};"			\

-  	-e "s/@SASL_MECH@/${SASL_MECH}/"		\

-  	-e "s;@TESTDIR@;${TESTDIR};"			\

-  	-e "s;@TESTWD@;${TESTWD};"			\

- diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh

- index 8f7c7b853..26dab1bae 100755

- --- a/tests/scripts/defines.sh

- +++ b/tests/scripts/defines.sh

- @@ -221,16 +221,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/"

-  URI3="ldap://${LOCALHOST}:$PORT3/"

-  URIP3="ldap://${LOCALIP}:$PORT3/"

-  URI4="ldap://${LOCALHOST}:$PORT4/"

- +URIP4="ldap://${LOCALIP}:$PORT4/"

-  URI5="ldap://${LOCALHOST}:$PORT5/"

- +URIP5="ldap://${LOCALIP}:$PORT5/"

-  URI6="ldap://${LOCALHOST}:$PORT6/"

- +URIP6="ldap://${LOCALIP}:$PORT6/"

-  SURI1="ldaps://${LOCALHOST}:$PORT1/"

-  SURIP1="ldaps://${LOCALIP}:$PORT1/"

-  SURI2="ldaps://${LOCALHOST}:$PORT2/"

-  SURIP2="ldaps://${LOCALIP}:$PORT2/"

-  SURI3="ldaps://${LOCALHOST}:$PORT3/"

- +SURIP3="ldaps://${LOCALIP}:$PORT3/"

-  SURI4="ldaps://${LOCALHOST}:$PORT4/"

- +SURIP4="ldaps://${LOCALIP}:$PORT4/"

-  SURI5="ldaps://${LOCALHOST}:$PORT5/"

- +SURIP5="ldaps://${LOCALIP}:$PORT5/"

-  SURI6="ldaps://${LOCALHOST}:$PORT6/"

- +SURIP6="ldaps://${LOCALIP}:$PORT6/"

-  

-  # LDIF

-  LDIF=$DATADIR/test.ldif

- -- 

- 2.29.2

- 

@@ -1,2108 +0,0 @@ 

- From eb087e0861f207858a4e08c72836a86f26d9701c Mon Sep 17 00:00:00 2001

- From: Quanah Gibson-Mount <quanah@openldap.org>

- Date: Thu, 14 Jun 2018 16:12:59 +0100

- Subject: [PATCH] ITS#8573 TLS option test suite

- 

- ---

-  configure                                     |   4 +

-  configure.in                                  |   4 +

-  tests/data/slapd-tls-sasl.conf                |  65 ++

-  tests/data/slapd-tls.conf                     |  61 ++

-  tests/data/tls/ca/certs/testsuiteCA.crt       |  16 +

-  tests/data/tls/ca/private/testsuiteCA.key     |  16 +

-  .../tls/certs/bjensen@mailgw.example.com.crt  |  16 +

-  tests/data/tls/certs/localhost.crt            |  16 +

-  tests/data/tls/conf/openssl.cnf               | 129 ++++

-  tests/data/tls/create-crt.sh                  |  78 +++

-  .../private/bjensen@mailgw.example.com.key    |  16 +

-  tests/data/tls/private/localhost.key          |  16 +

-  tests/run.in                                  |   3 +-

-  tests/scripts/defines.sh                      |  21 +-

-  tests/scripts/test067-tls                     | 140 +++++

-  tests/scripts/test068-sasl-tls-external       | 102 ++++

-  .../test069-delta-multimaster-starttls        | 574 ++++++++++++++++++

-  tests/scripts/test070-delta-multimaster-ldaps | 571 +++++++++++++++++

-  18 files changed, 1846 insertions(+), 2 deletions(-)

-  create mode 100644 tests/data/slapd-tls-sasl.conf

-  create mode 100644 tests/data/slapd-tls.conf

-  create mode 100644 tests/data/tls/ca/certs/testsuiteCA.crt

-  create mode 100644 tests/data/tls/ca/private/testsuiteCA.key

-  create mode 100644 tests/data/tls/certs/bjensen@mailgw.example.com.crt

-  create mode 100644 tests/data/tls/certs/localhost.crt

-  create mode 100644 tests/data/tls/conf/openssl.cnf

-  create mode 100755 tests/data/tls/create-crt.sh

-  create mode 100644 tests/data/tls/private/bjensen@mailgw.example.com.key

-  create mode 100644 tests/data/tls/private/localhost.key

-  create mode 100755 tests/scripts/test067-tls

-  create mode 100755 tests/scripts/test068-sasl-tls-external

-  create mode 100755 tests/scripts/test069-delta-multimaster-starttls

-  create mode 100755 tests/scripts/test070-delta-multimaster-ldaps

- 

- diff --git a/configure b/configure

- index e87850ec2..e8a720961 100755

- --- a/configure

- +++ b/configure

- @@ -758,6 +758,7 @@ AUTH_LIBS

-  LIBSLAPI

-  SLAPI_LIBS

-  MODULES_LIBS

- +WITH_TLS_TYPE

-  TLS_LIBS

-  SASL_LIBS

-  KRB5_LIBS

- @@ -5133,6 +5134,7 @@ KRB4_LIBS=

-  KRB5_LIBS=

-  SASL_LIBS=

-  TLS_LIBS=

- +WITH_TLS_TYPE=

-  MODULES_LIBS=

-  SLAPI_LIBS=

-  LIBSLAPI=

- @@ -15582,6 +15584,7 @@ fi

-  		if test $have_openssl = yes ; then

-  			ol_with_tls=openssl

-  			ol_link_tls=yes

- +			WITH_TLS_TYPE=openssl

-  

-  

-  $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h

- @@ -15716,6 +15719,7 @@ fi

-  			if test $have_gnutls = yes ; then

-  				ol_with_tls=gnutls

-  				ol_link_tls=yes

- +				WITH_TLS_TYPE=gnutls

-  

-  				TLS_LIBS="-lgnutls"

-  

- diff --git a/configure.in b/configure.in

- index 0c7c0a9ee..cf143d9bf 100644

- --- a/configure.in

- +++ b/configure.in

- @@ -592,6 +592,7 @@ KRB4_LIBS=

-  KRB5_LIBS=

-  SASL_LIBS=

-  TLS_LIBS=

- +WITH_TLS_TYPE=

-  MODULES_LIBS=

-  SLAPI_LIBS=

-  LIBSLAPI=

- @@ -1186,6 +1187,7 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then

-  		if test $have_openssl = yes ; then

-  			ol_with_tls=openssl

-  			ol_link_tls=yes

- +			WITH_TLS_TYPE=openssl

-  

-  			AC_DEFINE(HAVE_OPENSSL, 1, 

-  				[define if you have OpenSSL])

- @@ -1226,6 +1228,7 @@ if test $ol_link_tls = no ; then

-  			if test $have_gnutls = yes ; then

-  				ol_with_tls=gnutls

-  				ol_link_tls=yes

- +				WITH_TLS_TYPE=gnutls

-  

-  				TLS_LIBS="-lgnutls"

-  

- @@ -3163,6 +3166,7 @@ AC_SUBST(KRB4_LIBS)

-  AC_SUBST(KRB5_LIBS)

-  AC_SUBST(SASL_LIBS)

-  AC_SUBST(TLS_LIBS)

- +AC_SUBST(WITH_TLS_TYPE)

-  AC_SUBST(MODULES_LIBS)

-  AC_SUBST(SLAPI_LIBS)

-  AC_SUBST(LIBSLAPI)

- diff --git a/tests/data/slapd-tls-sasl.conf b/tests/data/slapd-tls-sasl.conf

- new file mode 100644

- index 000000000..f4bb0773e

- --- /dev/null

- +++ b/tests/data/slapd-tls-sasl.conf

- @@ -0,0 +1,65 @@

- +# stand-alone slapd config -- for testing (with indexing)

- +# $OpenLDAP$

- +## This work is part of OpenLDAP Software <http://www.openldap.org/>.

- +##

- +## Copyright 1998-2017 The OpenLDAP Foundation.

- +## All rights reserved.

- +##

- +## Redistribution and use in source and binary forms, with or without

- +## modification, are permitted only as authorized by the OpenLDAP

- +## Public License.

- +##

- +## A copy of this license is available in the file LICENSE in the

- +## top-level directory of the distribution or, alternatively, at

- +## <http://www.OpenLDAP.org/license.html>.

- +

- +#

- +include		@SCHEMADIR@/core.schema

- +include		@SCHEMADIR@/cosine.schema

- +#

- +include		@SCHEMADIR@/corba.schema

- +include		@SCHEMADIR@/java.schema

- +include		@SCHEMADIR@/inetorgperson.schema

- +include		@SCHEMADIR@/misc.schema

- +include		@SCHEMADIR@/nis.schema

- +include		@SCHEMADIR@/openldap.schema

- +#

- +include		@SCHEMADIR@/duaconf.schema

- +include		@SCHEMADIR@/dyngroup.schema

- +include		@SCHEMADIR@/ppolicy.schema

- +

- +#

- +pidfile		@TESTDIR@/slapd.1.pid

- +argsfile	@TESTDIR@/slapd.1.args

- +

- +# SSL configuration

- +TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt

- +TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key

- +TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt

- +TLSVerifyClient hard

- +

- +#

- +rootdse 	@DATADIR@/rootdse.ldif

- +

- +#mod#modulepath	../servers/slapd/back-@BACKEND@/

- +#mod#moduleload	back_@BACKEND@.la

- +#monitormod#modulepath ../servers/slapd/back-monitor/

- +#monitormod#moduleload back_monitor.la

- +

- +authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1)

- +

- +#######################################################################

- +# database definitions

- +#######################################################################

- +

- +database	@BACKEND@

- +suffix          "dc=example,dc=com"

- +rootdn          "cn=Manager,dc=example,dc=com"

- +rootpw          secret

- +#~null~#directory	@TESTDIR@/db.1.a

- +#indexdb#index		objectClass eq

- +#indexdb#index		mail eq

- +#ndb#dbname db_1_a

- +#ndb#include @DATADIR@/ndb.conf

- +

- +#monitor#database	monitor

- diff --git a/tests/data/slapd-tls.conf b/tests/data/slapd-tls.conf

- new file mode 100644

- index 000000000..6a7785557

- --- /dev/null

- +++ b/tests/data/slapd-tls.conf

- @@ -0,0 +1,61 @@

- +# stand-alone slapd config -- for testing (with indexing)

- +# $OpenLDAP$

- +## This work is part of OpenLDAP Software <http://www.openldap.org/>.

- +##

- +## Copyright 1998-2017 The OpenLDAP Foundation.

- +## All rights reserved.

- +##

- +## Redistribution and use in source and binary forms, with or without

- +## modification, are permitted only as authorized by the OpenLDAP

- +## Public License.

- +##

- +## A copy of this license is available in the file LICENSE in the

- +## top-level directory of the distribution or, alternatively, at

- +## <http://www.OpenLDAP.org/license.html>.

- +

- +#

- +include		@SCHEMADIR@/core.schema

- +include		@SCHEMADIR@/cosine.schema

- +#

- +include		@SCHEMADIR@/corba.schema

- +include		@SCHEMADIR@/java.schema

- +include		@SCHEMADIR@/inetorgperson.schema

- +include		@SCHEMADIR@/misc.schema

- +include		@SCHEMADIR@/nis.schema

- +include		@SCHEMADIR@/openldap.schema

- +#

- +include		@SCHEMADIR@/duaconf.schema

- +include		@SCHEMADIR@/dyngroup.schema

- +include		@SCHEMADIR@/ppolicy.schema

- +

- +#

- +pidfile		@TESTDIR@/slapd.1.pid

- +argsfile	@TESTDIR@/slapd.1.args

- +

- +# SSL configuration

- +TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key

- +TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt

- +

- +#

- +rootdse 	@DATADIR@/rootdse.ldif

- +

- +#mod#modulepath	../servers/slapd/back-@BACKEND@/

- +#mod#moduleload	back_@BACKEND@.la

- +#monitormod#modulepath ../servers/slapd/back-monitor/

- +#monitormod#moduleload back_monitor.la

- +

- +#######################################################################

- +# database definitions

- +#######################################################################

- +

- +database	@BACKEND@

- +suffix          "dc=example,dc=com"

- +rootdn          "cn=Manager,dc=example,dc=com"

- +rootpw          secret

- +#~null~#directory	@TESTDIR@/db.1.a

- +#indexdb#index		objectClass eq

- +#indexdb#index		mail eq

- +#ndb#dbname db_1_a

- +#ndb#include @DATADIR@/ndb.conf

- +

- +#monitor#database	monitor

- diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt

- new file mode 100644

- index 000000000..7458e7461

- --- /dev/null

- +++ b/tests/data/tls/ca/certs/testsuiteCA.crt

- @@ -0,0 +1,16 @@

- +-----BEGIN CERTIFICATE-----

- +MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV

- +BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv

- +bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0

- +NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB

- +MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB

- +UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd

- +rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb

- +lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL

- +6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU

- +7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB

- +SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/

- +wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws

- +ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q

- +aL52EFPS0o3tiAJXS82U2wrQdJ0YEw==

- +-----END CERTIFICATE-----

- diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key

- new file mode 100644

- index 000000000..2e14d7033

- --- /dev/null

- +++ b/tests/data/tls/ca/private/testsuiteCA.key

- @@ -0,0 +1,16 @@

- +-----BEGIN PRIVATE KEY-----

- +MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ

- +WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc

- +338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/

- +dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg

- +O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf

- +7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn

- +rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f

- +wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk

- +AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l

- +vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9

- +27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X

- +KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N

- +I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL

- ++b2qljWeZbGH

- +-----END PRIVATE KEY-----

- diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt

- new file mode 100644

- index 000000000..93e3a0d39

- --- /dev/null

- +++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt

- @@ -0,0 +1,16 @@

- +-----BEGIN CERTIFICATE-----

- +MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL

- +MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV

- +BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx

- +ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV

- +BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD

- +VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa

- +YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A

- +MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg

- +QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU

- +U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL

- +MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn

- +wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f

- +7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo

- +4DnnYQBDnq48VORVX94=

- +-----END CERTIFICATE-----

- diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt

- new file mode 100644

- index 000000000..194cb119d

- --- /dev/null

- +++ b/tests/data/tls/certs/localhost.crt

- @@ -0,0 +1,16 @@

- +-----BEGIN CERTIFICATE-----

- +MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL

- +MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV

- +BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx

- +ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE

- +CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT

- +dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB

- +iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4

- +7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv

- +8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ

- +BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A

- +AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG

- +8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl

- +0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR

- +GjeZB1FxqDGHjxBq2O828iejw28bSz4=

- +-----END CERTIFICATE-----

- diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf

- new file mode 100644

- index 000000000..a3c8ad9f6

- --- /dev/null

- +++ b/tests/data/tls/conf/openssl.cnf

- @@ -0,0 +1,129 @@

- +HOME                    = .

- +RANDFILE                = $ENV::HOME/.rnd

- +

- +oid_section             = new_oids

- +

- +[ new_oids ]

- +tsa_policy1 = 1.2.3.4.1

- +tsa_policy2 = 1.2.3.4.5.6

- +tsa_policy3 = 1.2.3.4.5.7

- +

- +[ ca ]

- +default_ca      = CA_default            # The default ca section

- +

- +[ CA_default ]

- +

- +dir             = ./cruft		# Where everything is kept

- +certs           = $dir/certs            # Where the issued certs are kept

- +crl_dir         = $dir/crl              # Where the issued crl are kept

- +database        = $dir/index.txt        # database index file.

- +new_certs_dir   = $dir/certs         # default place for new certs.

- +certificate     = $dir/cacert.pem       # The CA certificate

- +serial          = $dir/serial           # The current serial number

- +crlnumber       = $dir/crlnumber        # the current crl number

- +crl             = $dir/crl.pem          # The current CRL

- +private_key     = $dir/private/cakey.pem# The private key

- +RANDFILE        = $dir/private/.rand    # private random number file

- +x509_extensions = usr_cert              # The extentions to add to the cert

- +name_opt        = ca_default            # Subject Name options

- +cert_opt        = ca_default            # Certificate field options

- +default_days    = 365                   # how long to certify for

- +default_crl_days= 30                    # how long before next CRL

- +default_md      = default               # use public key default MD

- +preserve        = no                    # keep passed DN ordering

- +policy          = policy_match

- +

- +[ policy_match ]

- +countryName             = match

- +stateOrProvinceName     = match

- +organizationName        = match

- +organizationalUnitName  = optional

- +commonName              = supplied

- +emailAddress            = optional

- +

- +[ policy_anything ]

- +countryName             = optional

- +stateOrProvinceName     = optional

- +localityName            = optional

- +organizationName        = optional

- +organizationalUnitName  = optional

- +commonName              = supplied

- +emailAddress            = optional

- +

- +[ req ]

- +default_bits            = 2048

- +default_keyfile         = privkey.pem

- +distinguished_name      = req_distinguished_name

- +attributes              = req_attributes