From 004e302f0d7513fcfb30a27cf74b13e85878787d Mon Sep 17 00:00:00 2001
From: Simon Pichugin
Date: Thu, 16 Sep 2021 21:09:09 -0700
Subject: [PATCH] Update to new major release OpenLDAP 2.6.1

- rediff all patches and remove patches now upstream
- use upstream source location for check password module and rediff patch due to this
- add patch to fix build issue in 2.5.4 (from upstream)
- clean and sort buildreqs
- remove various refs to bdb
- remove now default -DLDAP_USE_NON_BLOCKING_TLS
- add new modules and enable load balancer as module
- disable wiredtiger backend due to missing build deps
- don't remove files that don't exist
- let check-config work on *.mdb over legacy files
- remove refs to old-style config
- new soname names
- remove libldap_r link as the library was merged with libldap
- refactor openldap-compat package to support the transition from 2.4
- add UPGRADE_INSTRUCTIONS for openldap-server upgrade

The original patch was submitted by Fedora user - terjeros
https://src.fedoraproject.org/rpms/openldap/pull-request/6

Resolves: #1955293
---
 .gitignore | 6 +
 UPGRADE_INSTRUCTIONS | 30 +
 check-password-makefile.patch | 51 +-
 libexec-check-config.sh | 19 +-
 libexec-functions | 18 +-
 libexec-upgrade-db.sh | 40 -
 openldap-ai-addrconfig.patch | 4 +-
 openldap-allop-overlay.patch | 7 +-
 ...cbinding-Add-channel-binding-support.patch | 291 ---
 ...nding-Convert-test077-to-LDIF-config.patch | 236 --
 ...dap-cbinding-Fix-slaptest-in-test077.patch | 39 -
 ...ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch | 220 --
 ...-Add-missing-URI-variables-for-tests.patch | 70 -
 ...nding-ITS-8573-TLS-option-test-suite.patch | 2071 ----------------
 ...ll-libldap-options-in-tools-o-option.patch | 582 -----
 ...-9189_1-rework-sasl-cbinding-support.patch | 631 -----
 ...TS-9189_2-add-channel-bindings-tests.patch | 45 -
 ...ize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch | 27 -
 ...binding-ITS-9215-fix-for-glibc-again.patch | 28 -
 ...ke-prototypes-available-where-needed.patch | 64 -
 ...dap-cbinding-Update-keys-to-RSA-4096.patch | 526 -----
 ...-cbinding-auth-add-SASL-GSSAPI-tests.patch | 487 ----
 openldap-fix-missing-mapping.patch | 24 +
 openldap-manpages.patch | 27 +-
 openldap-openssl-manpage-defaultCA.patch | 9 +-
 openldap-reentrant-gethostby.patch | 4 +-
 openldap-smbk5pwd-overlay.patch | 13 +-
 ..._dlopenadvise-to-get-RTLD_GLOBAL-set.patch | 12 +-
 openldap.spec | 328 ++-
 slapd.ldif | 15 +-
 slapd.service | 1 -
 sources | 4 +-
 32 files changed, 307 insertions(+), 5622 deletions(-)
 create mode 100644 UPGRADE_INSTRUCTIONS
 delete mode 100755 libexec-upgrade-db.sh
 delete mode 100644 openldap-cbinding-Add-channel-binding-support.patch
 delete mode 100644 openldap-cbinding-Convert-test077-to-LDIF-config.patch
 delete mode 100644 openldap-cbinding-Fix-slaptest-in-test077.patch
 delete mode 100644 openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
 delete mode 100644 openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch
 delete mode 100644 openldap-cbinding-ITS-8573-TLS-option-test-suite.patch
 delete mode 100644 openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch
 delete mode 100644 openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch
 delete mode 100644 openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
 delete mode 100644 openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch
 delete mode 100644 openldap-cbinding-ITS-9215-fix-for-glibc-again.patch
 delete mode 100644 openldap-cbinding-Make-prototypes-available-where-needed.patch
 delete mode 100644 openldap-cbinding-Update-keys-to-RSA-4096.patch
 delete mode 100644 openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
 create mode 100644 openldap-fix-missing-mapping.patch

diff --git a/.gitignore b/.gitignore
index aa6af81..11a76df 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,9 @@ /openldap-2.4.57.tgz /openldap-2.4.58.tgz /openldap-2.4.59.tgz +/openldap-2.5.4.tgz +/openldap-ppolicy-check-password-1.1.tar.gz +/openldap-2.5.5.tgz +/openldap-2.5.7.tgz +/openldap-2.5.8.tgz +/openldap-2.6.1.tgz diff --git a/UPGRADE_INSTRUCTIONS b/UPGRADE_INSTRUCTIONS new file mode 100644 index 0000000..14c051f --- /dev/null +++ b/UPGRADE_INSTRUCTIONS 
@@ -0,0 +1,30 @@ +You have upgraded your openldap-servers package. +Any major version upgrade can cause database corruption or loss. +Please, make sure that you have up-to-date back up and read this document carefully. + +It's still recommended to do the backup even on the minor version upgrade. + +Please, review the next links before performing any action: + +Upgrading from 2.4.x - https://www.openldap.org/doc/admin25/appendix-upgrading.html +Upgrading from 2.5.x - https://www.openldap.org/doc/admin26/appendix-upgrading.html +The normal upgrade procedure - https://www.openldap.org/doc/admin26/maintenance.html + +Additionally, please, review and perform the following steps that can help you with the upgrade: + + 1. Back up both data and configuration directories into a safe place; + 2. Export data to an LDIF file using slapcat; +a. If you have the deprecated DB type and you haven't performed the slapcat command, you need to move your data and configuration to the system with OpenLDAP 2.4 version and run slapcat command there; + 3. Change the server's configuration according to the changes in the above documents; + a. If you are replacing the BDB/HDB with MDB, make sure to replace the BDB/HDB sections with their MDB counterparts; +4. Clear out the current data directory; + 5. Import data to a new database from the LDIF file using slapadd; + 6. Make sure that your data is intact. + +After you have completed the above operations, you can remove this file (/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS) and start the server: + + systemctl start slapd.service + +Be careful with this document's procedure, make sure you understand it, and test it in a non-production environment first. Always make sure that all backups are in place. + +You have been warned about the possibility of data corruption or loss. diff --git a/check-password-makefile.patch b/check-password-makefile.patch index f39ba81..048ee2e 100644 --- a/check-password-makefile.patch 
+++ b/check-password-makefile.patch @@ -1,32 +1,45 @@ ---- a/Makefile 2009-10-31 18:59:06.000000000 +0100 -+++ b/Makefile 2014-12-17 09:42:37.586079225 +0100 -@@ -13,22 +13,11 @@ +diff --git a/Makefile b/Makefile +index 4457bad..91de40b 100644 +--- a/Makefile ++++ b/Makefile +@@ -13,17 +13,10 @@ CRACKLIB=/usr/share/cracklib/pw_dict # CONFIG=/etc/openldap/check_password.conf --OPT=-g -O2 -Wall -fpic \ -- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ -- -DCONFIG_FILE="\"$(CONFIG)\"" \ -+CFLAGS+=-fpic \ -+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ -+ -DCONFIG_FILE="\"$(CONFIG)\"" \ - -DDEBUG - +- -# Where to find the OpenLDAP headers. -# --LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \ -- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd +-LDAP_INC=-I/usr/include/openldap/include \ +- -I/usr/include/openldap/servers/slapd - -# Where to find the CrackLib headers. -# -CRACK_INC= - -INCS=$(LDAP_INC) $(CRACK_INC) -- ++CFLAGS+=-fpic \ ++ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \ ++ -DCONFIG_FILE="\"$(CONFIG)\"" \ ++ -DDEBUG + LDAP_LIB=-lldap_r -llber - # Comment out this line if you do NOT want to use the cracklib. -@@ -45,10 +34,10 @@ +@@ -33,27 +26,21 @@ LDAP_LIB=-lldap_r -llber + # + CRACKLIB_LIB=-lcrack + +-CC_FLAGS=-g -O2 -Wall -fpic +-CRACKLIB_OPT=-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" +-DEBUG_OPT=-DDEBUG +-CONFIG_OPT=-DCONFIG_FILE="\"$(CONFIG)\"" +- +-OPT=$(CC_FLAGS) $(CRACKLIB_OPT) $(CONFIG_OPT) $(DEBUG_OPT) +- + LIBS=$(LDAP_LIB) $(CRACKLIB_LIB) + + LIBDIR=/usr/lib/openldap/ + ++ all: check_password check_password.o: @@ -38,4 +51,8 @@ + $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB) install: check_password - cp -f check_password.so ../../../usr/lib/openldap/modules/ +- cp -f check_password.so $(LIBDIR) ++ cp -f check_password.so ../../../usr/lib/openldap/modules/ + + clean: + $(RM) check_password.o check_password.so check_password.lo 
diff --git a/libexec-check-config.sh b/libexec-check-config.sh index 87e377f..de6f3a8 100755 --- a/libexec-check-config.sh +++ b/libexec-check-config.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#! /usr/bin/sh # Author: Jan Vcelak . /usr/libexec/openldap/functions @@ -41,7 +41,7 @@ function check_db_perms() retcode=0 for dbdir in `databases`; do [ -d "$dbdir" ] || continue - for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do + for dbfile in `find ${dbdir} -maxdepth 1 -name "*.mdb"` ; do run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\"" if [ $? -ne 0 ]; then error "Read/write permissions for DB file '%s' are required." "$dbfile" @@ -52,12 +52,21 @@ function check_db_perms() return $retcode } +function check_major_upgrade() +{ + retcode=0 + if [ -f "/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS" ]; then + error "You have upgraded your openldap-servers package. There are actions that need to be performed. Please, read the /usr/share/openldap-servers/UPGRADE_INSTRUCTIONS file" + retcode=1 + fi + return $retcode +} + function check_everything() { retcode=0 check_config_syntax || retcode=1 - # TODO: need support for Mozilla NSS, disabling temporarily - #check_certs_perms || retcode=1 + check_certs_perms || retcode=1 check_db_perms || retcode=1 return $retcode } @@ -67,6 +76,8 @@ if [ `id -u` -ne 0 ]; then exit 4 fi +check_major_upgrade || return 1 + load_sysconfig if [ -n "$SLAPD_CONFIG_DIR" ]; then diff --git a/libexec-functions b/libexec-functions index 990d2b8..8ee7500 100644 --- a/libexec-functions +++ b/libexec-functions 
@@ -84,14 +84,6 @@ function databases_new() ldif_value } -function databases_old() -{ - awk 'begin { database="" } - $1 == "database" { database=$2 } - $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \ - "$SLAPD_CONFIG_FILE" -} - function certificates_new() { slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \ @@ -100,20 +92,14 @@ function certificates_new() ldif_value } -function certificates_old() -{ - awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \ - "$SLAPD_CONFIG_FILE" -} - function certificates() { - uses_new_config && certificates_new || certificates_old + uses_new_config && certificates_new } function databases() { - uses_new_config && databases_new || databases_old + uses_new_config && databases_new } diff --git a/libexec-upgrade-db.sh b/libexec-upgrade-db.sh deleted file mode 100755 index 1543c80..0000000 --- a/libexec-upgrade-db.sh +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/sh -# Author: Jan Vcelak - -. /usr/libexec/openldap/functions - -if [ `id -u` -ne 0 ]; then - error "You have to be root to run this command." - exit 4 -fi - -load_sysconfig -retcode=0 - -for dbdir in `databases`; do - upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log" - bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '` - - # skip uninitialized database - [ -z "$bdb_files"] || continue - - printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log" - - # perform the update - for command in \ - "/usr/bin/db_recover -v -h \"$dbdir\"" \ - "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \ - "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \ - ; do - printf "Executing: %s\n" "$command" &>>$upgrade_log - run_as_ldap "$command" &>>$upgrade_log - result=$? - printf "Exit code: %d\n" $result >>"$upgrade_log" - if [ $result -ne 0 ]; then - printf "Upgrade failed: %d\n" $result - retcode=1 - fi - done -done - -exit $retcode 
diff --git a/openldap-ai-addrconfig.patch b/openldap-ai-addrconfig.patch index 0858fac..f9a7333 100644 --- a/openldap-ai-addrconfig.patch +++ b/openldap-ai-addrconfig.patch @@ -5,10 +5,10 @@ Upstream ITS: #7326 Resolves: #835013 diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c -index b31e05d..fa361ab 100644 +index 14899cc..b25e750 100644 --- a/libraries/libldap/os-ip.c +++ b/libraries/libldap/os-ip.c -@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb, +@@ -620,8 +620,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb, #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP ) memset( &hints, '\0', sizeof(hints) ); diff --git a/openldap-allop-overlay.patch b/openldap-allop-overlay.patch index 608ee44..05a4c6e 100644 --- a/openldap-allop-overlay.patch +++ b/openldap-allop-overlay.patch @@ -4,9 +4,10 @@ Author: Matus Honek Resolves: #1319782 diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in +index b5c3fc8..9aa8a4f 100644 --- a/servers/slapd/overlays/Makefile.in +++ b/servers/slapd/overlays/Makefile.in -@@ -33,7 +33,8 @@ SRCS = overlays.c \ +@@ -38,7 +38,8 @@ SRCS = overlays.c \ translucent.c \ unique.c \ valsort.c \ @@ -16,7 +17,7 @@ diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefil OBJS = statover.o \ @SLAPD_STATIC_OVERLAYS@ \ overlays.o -@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) +@@ -58,7 +59,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) LIBRARY = ../liboverlays.a @@ -25,7 +26,7 @@ diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefil XINCPATH = -I.. -I$(srcdir)/.. XDEFS = $(MODULES_CPPFLAGS) -@@ -125,6 +126,12 @@ unique.la : unique.lo +@@ -148,6 +149,12 @@ smbk5pwd.lo : smbk5pwd.c smbk5pwd.la : smbk5pwd.lo $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) 
diff --git a/openldap-cbinding-Add-channel-binding-support.patch b/openldap-cbinding-Add-channel-binding-support.patch deleted file mode 100644 index 42efaee..0000000 --- a/openldap-cbinding-Add-channel-binding-support.patch +++ /dev/null 
@@ -1,291 +0,0 @@ -From ca310ebff44f10739fd75aff437c7676e089b134 Mon Sep 17 00:00:00 2001 -From: Howard Chu -Date: Mon, 26 Aug 2013 23:31:48 -0700 -Subject: [PATCH] Add channel binding support - -Currently only implemented for OpenSSL. -Needs an option to set the criticality flag. ---- - include/ldap_pvt.h | 1 + - libraries/libldap/cyrus.c | 22 ++++++++++++++++++++++ - libraries/libldap/ldap-int.h | 1 + - libraries/libldap/ldap-tls.h | 2 ++ - libraries/libldap/tls2.c | 7 +++++++ - libraries/libldap/tls_g.c | 7 +++++++ - libraries/libldap/tls_m.c | 7 +++++++ - libraries/libldap/tls_o.c | 16 ++++++++++++++++ - servers/slapd/connection.c | 8 ++++++++ - servers/slapd/sasl.c | 18 ++++++++++++++++++ - servers/slapd/slap.h | 1 + - 11 files changed, 90 insertions(+) - -diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h -index 716c1a90f..61c620785 100644 ---- a/include/ldap_pvt.h -+++ b/include/ldap_pvt.h -@@ -420,6 +420,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn, - LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn, - LDAPDN_rewrite_dummy *func, unsigned flags )); - LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx )); -+LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server )); - - LDAP_END_DECL - -diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c -index 4c0089d5d..3171d56a3 100644 ---- a/libraries/libldap/cyrus.c -+++ b/libraries/libldap/cyrus.c -@@ -360,6 +360,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc ) - lc->lconn_sasl_sockctx = NULL; - lc->lconn_sasl_authctx = NULL; - } -+ if( lc->lconn_sasl_cbind ) { -+ ldap_memfree( lc->lconn_sasl_cbind ); -+ lc->lconn_sasl_cbind = NULL; -+ } - - return LDAP_SUCCESS; - } -@@ -492,6 +496,24 @@ ldap_int_sasl_bind( - - (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac ); - LDAP_FREE( authid.bv_val ); -+#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */ -+ { -+ char cbinding[64]; -+ struct 
berval cbv = { sizeof(cbinding), cbinding }; -+ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) { -+ sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) + -+ cbv.bv_len); -+ cb->name = "ldap"; -+ cb->critical = 0; -+ cb->data = (char *)(cb+1); -+ cb->len = cbv.bv_len; -+ memcpy( cb->data, cbv.bv_val, cbv.bv_len ); -+ sasl_setprop( ld->ld_defconn->lconn_sasl_authctx, -+ SASL_CHANNEL_BINDING, cb ); -+ ld->ld_defconn->lconn_sasl_cbind = cb; -+ } -+ } -+#endif - } - #endif - -diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h -index 98ad4dc05..397894271 100644 ---- a/libraries/libldap/ldap-int.h -+++ b/libraries/libldap/ldap-int.h -@@ -308,6 +308,7 @@ typedef struct ldap_conn { - #ifdef HAVE_CYRUS_SASL - void *lconn_sasl_authctx; /* context for bind */ - void *lconn_sasl_sockctx; /* for security layer */ -+ void *lconn_sasl_cbind; /* for channel binding */ - #endif - #ifdef HAVE_GSSAPI - void *lconn_gss_ctx; /* gss_ctx_id_t */ -diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h -index c8a27112f..0ecf81ab9 100644 ---- a/libraries/libldap/ldap-tls.h -+++ b/libraries/libldap/ldap-tls.h -@@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len - typedef int (TI_session_dn)(tls_session *sess, struct berval *dn); - typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in); - typedef int (TI_session_strength)(tls_session *sess); -+typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server); - - typedef void (TI_thr_init)(void); - -@@ -64,6 +65,7 @@ typedef struct tls_impl { - TI_session_dn *ti_session_peer_dn; - TI_session_chkhost *ti_session_chkhost; - TI_session_strength *ti_session_strength; -+ TI_session_unique *ti_session_unique; - - Sockbuf_IO *ti_sbio; - -diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c -index 82ca5272c..13d734362 100644 ---- a/libraries/libldap/tls2.c -+++ b/libraries/libldap/tls2.c -@@ -1013,6 +1013,13 
@@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func, - rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags ); - return rc; - } -+ -+int -+ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server ) -+{ -+ tls_session *session = s; -+ return tls_imp->ti_session_unique( session, buf, is_server ); -+} - #endif /* HAVE_TLS */ - - int -diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c -index 3b72cd2a1..b78c12086 100644 ---- a/libraries/libldap/tls_g.c -+++ b/libraries/libldap/tls_g.c -@@ -669,6 +669,12 @@ tlsg_session_strength( tls_session *session ) - return gnutls_cipher_get_key_size( c ) * 8; - } - -+static int -+tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server) -+{ -+ return 0; -+} -+ - /* suites is a string of colon-separated cipher suite names. */ - static int - tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites ) -@@ -925,6 +931,7 @@ tls_impl ldap_int_tls_impl = { - tlsg_session_peer_dn, - tlsg_session_chkhost, - tlsg_session_strength, -+ tlsg_session_unique, - - &tlsg_sbio, - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 43fbae4bc..c64f4c176 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -2874,6 +2874,12 @@ tlsm_session_strength( tls_session *session ) - return rc ? 
0 : keySize; - } - -+static int -+tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server) -+{ -+ return 0; -+} -+ - /* - * TLS support for LBER Sockbufs - */ -@@ -3302,6 +3308,7 @@ tls_impl ldap_int_tls_impl = { - tlsm_session_peer_dn, - tlsm_session_chkhost, - tlsm_session_strength, -+ tlsm_session_unique, - - &tlsm_sbio, - -diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c -index a13f11fb5..f741a461f 100644 ---- a/libraries/libldap/tls_o.c -+++ b/libraries/libldap/tls_o.c -@@ -846,6 +846,21 @@ tlso_session_strength( tls_session *sess ) - return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL); - } - -+static int -+tlso_session_unique( tls_session *sess, struct berval *buf, int is_server) -+{ -+ tlso_session *s = (tlso_session *)sess; -+ -+ /* Usually the client sends the finished msg. But if the -+ * session was resumed, the server sent the msg. -+ */ -+ if (SSL_session_reused(s) ^ !is_server) -+ buf->bv_len = SSL_get_finished(s, buf->bv_val, buf->bv_len); -+ else -+ buf->bv_len = SSL_get_peer_finished(s, buf->bv_val, buf->bv_len); -+ return buf->bv_len; -+} -+ - /* - * TLS support for LBER Sockbufs - */ -@@ -1363,6 +1378,7 @@ tls_impl ldap_int_tls_impl = { - tlso_session_peer_dn, - tlso_session_chkhost, - tlso_session_strength, -+ tlso_session_unique, - - &tlso_sbio, - -diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c -index 44c3fc63d..0602fdceb 100644 ---- a/servers/slapd/connection.c -+++ b/servers/slapd/connection.c -@@ -406,6 +406,7 @@ Connection * connection_init( - c->c_sasl_sockctx = NULL; - c->c_sasl_extra = NULL; - c->c_sasl_bindop = NULL; -+ c->c_sasl_cbind = NULL; - - c->c_sb = ber_sockbuf_alloc( ); - -@@ -451,6 +452,7 @@ Connection * connection_init( - assert( c->c_sasl_sockctx == NULL ); - assert( c->c_sasl_extra == NULL ); - assert( c->c_sasl_bindop == NULL ); -+ assert( c->c_sasl_cbind == NULL ); - assert( c->c_currentber == NULL ); - assert( c->c_writewaiter == 0); - assert( c->c_writers 
== 0); -@@ -1428,6 +1430,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri ) - c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 ); - slap_sasl_external( c, c->c_tls_ssf, &authid ); - if ( authid.bv_val ) free( authid.bv_val ); -+ { -+ char cbinding[64]; -+ struct berval cbv = { sizeof(cbinding), cbinding }; -+ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 )) -+ slap_sasl_cbinding( c, &cbv ); -+ } - } else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb, - LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */ - slapd_set_write( s, 1 ); -diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c -index 5144170d1..258cd5407 100644 ---- a/servers/slapd/sasl.c -+++ b/servers/slapd/sasl.c -@@ -1389,6 +1389,21 @@ int slap_sasl_external( - return LDAP_SUCCESS; - } - -+int slap_sasl_cbinding( Connection *conn, struct berval *cbv ) -+{ -+#ifdef SASL_CHANNEL_BINDING -+ sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );; -+ cb->name = "ldap"; -+ cb->critical = 0; -+ cb->data = (char *)(cb+1); -+ cb->len = cbv->bv_len; -+ memcpy( cb->data, cbv->bv_val, cbv->bv_len ); -+ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb ); -+ conn->c_sasl_cbind = cb; -+#endif -+ return LDAP_SUCCESS; -+} -+ - int slap_sasl_reset( Connection *conn ) - { - return LDAP_SUCCESS; -@@ -1454,6 +1469,9 @@ int slap_sasl_close( Connection *conn ) - free( conn->c_sasl_extra ); - conn->c_sasl_extra = NULL; - -+ free( conn->c_sasl_cbind ); -+ conn->c_sasl_cbind = NULL; -+ - #elif defined(SLAP_BUILTIN_SASL) - SASL_CTX *ctx = conn->c_sasl_authctx; - if( ctx ) { -diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h -index 7581967be..ad797d752 100644 ---- a/servers/slapd/slap.h -+++ b/servers/slapd/slap.h -@@ -2910,6 +2910,7 @@ struct Connection { - void *c_sasl_authctx; /* SASL authentication context */ - void *c_sasl_sockctx; /* SASL security layer context */ - void *c_sasl_extra; /* SASL session extra stuff */ -+ void *c_sasl_cbind; /* SASL channel binding */ - Operation 
*c_sasl_bindop; /* set to current op if it's a bind */ - - #ifdef LDAP_X_TXN --- -2.29.2 - diff --git a/openldap-cbinding-Convert-test077-to-LDIF-config.patch b/openldap-cbinding-Convert-test077-to-LDIF-config.patch deleted file mode 100644 index 5ca02fb..0000000 --- a/openldap-cbinding-Convert-test077-to-LDIF-config.patch +++ /dev/null 
@@ -1,236 +0,0 @@ -From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001 -From: Ryan Tandy -Date: Mon, 27 Apr 2020 23:24:16 -0700 -Subject: [PATCH] Convert test077 to LDIF config - ---- - tests/data/slapd-sasl-gssapi.conf | 65 ------------------ - tests/scripts/defines.sh | 1 - - tests/scripts/test077-sasl-gssapi | 108 ++++++++++++++++++++++++++++-- - 3 files changed, 103 insertions(+), 71 deletions(-) - delete mode 100644 tests/data/slapd-sasl-gssapi.conf - -diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf -deleted file mode 100644 -index 611fc7097..000000000 ---- a/tests/data/slapd-sasl-gssapi.conf -+++ /dev/null -@@ -1,65 +0,0 @@ --# stand-alone slapd config -- for testing (with indexing) --# $OpenLDAP$ --## This work is part of OpenLDAP Software . --## --## Copyright 1998-2020 The OpenLDAP Foundation. --## All rights reserved. --## --## Redistribution and use in source and binary forms, with or without --## modification, are permitted only as authorized by the OpenLDAP --## Public License. --## --## A copy of this license is available in the file LICENSE in the --## top-level directory of the distribution or, alternatively, at --## . 
-- --# --include @SCHEMADIR@/core.schema --include @SCHEMADIR@/cosine.schema --# --include @SCHEMADIR@/corba.schema --include @SCHEMADIR@/java.schema --include @SCHEMADIR@/inetorgperson.schema --include @SCHEMADIR@/misc.schema --include @SCHEMADIR@/nis.schema --include @SCHEMADIR@/openldap.schema --# --include @SCHEMADIR@/duaconf.schema --include @SCHEMADIR@/dyngroup.schema -- --# --pidfile @TESTDIR@/slapd.1.pid --argsfile @TESTDIR@/slapd.1.args -- --# SSL configuration --TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt --TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key --TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt -- --# --rootdse @DATADIR@/rootdse.ldif -- --#mod#modulepath ../servers/slapd/back-@BACKEND@/ --#mod#moduleload back_@BACKEND@.la --#monitormod#modulepath ../servers/slapd/back-monitor/ --#monitormod#moduleload back_monitor.la -- -- --####################################################################### --# database definitions --####################################################################### -- --database @BACKEND@ --suffix "dc=example,dc=com" --rootdn "cn=Manager,dc=example,dc=com" --rootpw secret --#~null~#directory @TESTDIR@/db.1.a --#indexdb#index objectClass eq --#indexdb#index mail eq --#ndb#dbname db_1_a --#ndb#include @DATADIR@/ndb.conf -- --#monitor#database monitor -- --sasl-realm @KRB5REALM@ --sasl-host localhost -diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh -index 78dc1f8ae..76c85b442 100755 ---- a/tests/scripts/defines.sh -+++ b/tests/scripts/defines.sh -@@ -108,7 +108,6 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf - SCHEMACONF=$DATADIR/slapd-schema.conf - TLSCONF=$DATADIR/slapd-tls.conf - TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf --SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf - GLUECONF=$DATADIR/slapd-glue.conf - REFINTCONF=$DATADIR/slapd-refint.conf - RETCODECONF=$DATADIR/slapd-retcode.conf -diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi 
-index bde9006ca..322df60a4 100755 ---- a/tests/scripts/test077-sasl-gssapi -+++ b/tests/scripts/test077-sasl-gssapi -@@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then - exit 0 - fi - --mkdir -p $TESTDIR $DBDIR1 -+CONFDIR=$TESTDIR/slapd.d -+CONFLDIF=$TESTDIR/slapd.ldif -+ -+mkdir -p $TESTDIR $DBDIR1 $CONFDIR - cp -r $DATADIR/tls $TESTDIR -+$SLAPPASSWD -g -n >$CONFIGPWF - - echo "Starting KDC for SASL/GSSAPI tests..." - . $SRCDIR/scripts/setup_kdc.sh - --echo "Running slapadd to build slapd database..." --. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1 --$SLAPADD -f $CONF1 -l $LDIFORDERED -+echo "Configuring slapd..." -+cat > $CONFLDIF < $LOG1 2>&1 & -+$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & - PID=$! - if test $WAIT != 0 ; then - echo PID $PID -@@ -141,6 +166,79 @@ else - fi - fi - -+if test $WITH_TLS = no ; then -+ echo "TLS support not available, skipping channe-binding test" -+elif test $HAVE_SASL_GSS_CBIND = no ; then -+ echo "SASL has no channel-binding support in GSSAPI, test skipped" -+else -+ echo "Testing SASL/GSSAPI with SASL_CBINDING..." -+ -+ for acb in "none" "tls-unique" "tls-endpoint" ; do -+ -+ echo "Modifying slapd's olcSaslCBinding to ${acb} ..." -+ $LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF < $TESTOUT 2>&1 -+dn: cn=config -+changetype: modify -+replace: olcSaslCBinding -+olcSaslCBinding: ${acb} -+EOF -+ RC=$? -+ if test $RC != 0 ; then -+ echo "ldapmodify failed ($RC)!" -+ kill $KDCPROC -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+ fi -+ -+ for icb in "none" "tls-unique" "tls-endpoint" ; do -+ -+ # The gnutls implemantation of "tls-unique" seems broken -+ if test $icb = "tls-unique" -o $acb = "tls-unique" ; then -+ if test $WITH_TLS_TYPE == gnutls ; then -+ continue -+ fi -+ fi -+ -+ fail="no" -+ if test $icb != $acb -a $acb != "none" ; then -+ # This currently fails in MIT, but it is planned to be -+ # fixed not to fail like in heimdal - avoid testing. 
-+ if test $icb = "none" ; then -+ continue -+ fi -+ # Otherwise unmatching bindings are expected to fail. -+ fail="yes" -+ fi -+ -+ echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING " -+ echo -ne "(client: ${icb},\tserver: ${acb}): " -+ -+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \ -+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ -+ -o SASL_CBINDING=$icb > $TESTOUT 2>&1 -+ -+ RC=$? -+ if test $RC != 0 ; then -+ if test $fail = "no" ; then -+ echo "test failed ($RC)!" -+ kill $KDCPROC -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+ fi -+ elif test $fail = "yes" ; then -+ echo "failed: command succeeded unexpectedly." -+ kill $KDCPROC -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit 1 -+ fi -+ -+ echo "success" -+ RC=0 -+ done -+ done -+fi -+ -+ - kill $KDCPROC - test $KILLSERVERS != no && kill -HUP $KILLPIDS - --- -2.29.2 - diff --git a/openldap-cbinding-Fix-slaptest-in-test077.patch b/openldap-cbinding-Fix-slaptest-in-test077.patch deleted file mode 100644 index 0e93108..0000000 --- a/openldap-cbinding-Fix-slaptest-in-test077.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From e006994d83af9dcb7813a18253cf4e5beacee043 Mon Sep 17 00:00:00 2001 -From: Ryan Tandy -Date: Sun, 26 Apr 2020 11:40:23 -0700 -Subject: [PATCH] Fix slaptest in test077 - -The libtool wrapper scripts lose argv[0] when exec'ing the real binary. - -In the CI Docker container, where the build runs as root, this was -actually starting a real slapd on the default port. - -Outside Docker, running as a non-root user, this slapd would just fail -to start, and wouldn't convert the config either. - -Using "slapd -Tt" fixes the issue but also prints a warning from -slaptest since the database hasn't been initialized yet. - -Dynamic config isn't actually used in this test script, so let's just -run slapd off the config file directly. ---- - tests/scripts/test077-sasl-gssapi | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi -index 64abe16fe..bde9006ca 100755 ---- a/tests/scripts/test077-sasl-gssapi -+++ b/tests/scripts/test077-sasl-gssapi -@@ -24,9 +24,6 @@ fi - mkdir -p $TESTDIR $DBDIR1 - cp -r $DATADIR/tls $TESTDIR - --cd $TESTWD -- -- - echo "Starting KDC for SASL/GSSAPI tests..." - . $SRCDIR/scripts/setup_kdc.sh - --- -2.29.2 - diff --git a/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch b/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch deleted file mode 100644 index b38dd83..0000000 --- a/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch +++ /dev/null 
@@ -1,220 +0,0 @@ -NOTE: The patch has been adjusted to match the base code before backporting. - -From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001 -From: Howard Chu -Date: Tue, 10 Sep 2013 04:26:51 -0700 -Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT - -retrieve peer cert for an active TLS session ---- - doc/man/man3/ldap_get_option.3 | 8 ++++++++ - include/ldap.h | 1 + - libraries/libldap/ldap-tls.h | 2 ++ - libraries/libldap/tls2.c | 24 ++++++++++++++++++++++++ - libraries/libldap/tls_g.c | 19 +++++++++++++++++++ - libraries/libldap/tls_m.c | 17 +++++++++++++++++ - libraries/libldap/tls_o.c | 16 ++++++++++++++++ - 7 files changed, 87 insertions(+) - -diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3 -index eb3f25b33..7546875f5 100644 ---- a/doc/man/man3/ldap_get_option.3 -+++ b/doc/man/man3/ldap_get_option.3 -@@ -744,6 +744,14 @@ A non-zero value pointed to by - .BR invalue - tells the library to create a context for a server. - .TP -+.B LDAP_OPT_X_TLS_PEERCERT -+Gets the peer's certificate in DER format from an established TLS session. -+.BR outvalue -+must be -+.BR "struct berval *" , -+and the data it returns needs to be freed by the caller using -+.BR ldap_memfree (3). -+.TP - .B LDAP_OPT_X_TLS_PROTOCOL_MIN - Sets/gets the minimum protocol version. 
- .BR invalue -diff --git a/include/ldap.h b/include/ldap.h -index 389441031..88bfcabf8 100644 ---- a/include/ldap.h -+++ b/include/ldap.h -@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL - #define LDAP_OPT_X_TLS_PACKAGE 0x6011 - #define LDAP_OPT_X_TLS_ECNAME 0x6012 - #define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a -+#define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */ - - #define LDAP_OPT_X_TLS_NEVER 0 - #define LDAP_OPT_X_TLS_HARD 1 -diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h -index 0ecf81ab9..103004fa7 100644 ---- a/libraries/libldap/ldap-tls.h -+++ b/libraries/libldap/ldap-tls.h -@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn); - typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in); - typedef int (TI_session_strength)(tls_session *sess); - typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server); -+typedef int (TI_session_peercert)(tls_session *s, struct berval *der); - - typedef void (TI_thr_init)(void); - -@@ -66,6 +67,7 @@ typedef struct tls_impl { - TI_session_chkhost *ti_session_chkhost; - TI_session_strength *ti_session_strength; - TI_session_unique *ti_session_unique; -+ TI_session_peercert *ti_session_peercert; - - Sockbuf_IO *ti_sbio; - -diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c -index 13d734362..ad09ba39b 100644 ---- a/libraries/libldap/tls2.c -+++ b/libraries/libldap/tls2.c -@@ -705,6 +705,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) - case LDAP_OPT_X_TLS_CONNECT_ARG: - *(void **)arg = lo->ldo_tls_connect_arg; - break; -+ case LDAP_OPT_X_TLS_PEERCERT: { -+ void *sess = NULL; -+ struct berval *bv = arg; -+ bv->bv_len = 0; -+ bv->bv_val = NULL; -+ if ( ld != NULL ) { -+ LDAPConn *conn = ld->ld_defconn; -+ if ( conn != NULL ) { -+ Sockbuf *sb = conn->lconn_sb; -+ sess = ldap_pvt_tls_sb_ctx( sb ); -+ if ( sess != NULL ) -+ return ldap_pvt_tls_get_peercert( sess, bv ); -+ } -+ } -+ break; -+ } -+ - default: - 
return -1; - } -@@ -1020,6 +1037,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server ) - tls_session *session = s; - return tls_imp->ti_session_unique( session, buf, is_server ); - } -+ -+int -+ldap_pvt_tls_get_peercert( void *s, struct berval *der ) -+{ -+ tls_session *session = s; -+ return tls_imp->ti_session_peercert( session, der ); -+} - #endif /* HAVE_TLS */ - - int -diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c -index b78c12086..26d9f99ce 100644 ---- a/libraries/libldap/tls_g.c -+++ b/libraries/libldap/tls_g.c -@@ -675,6 +675,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server) - return 0; - } - -+static int -+tlsg_session_peercert( tls_session *sess, struct berval *der ) -+{ -+ tlsg_session *s = (tlsg_session *)sess; -+ const gnutls_datum_t *peer_cert_list; -+ unsigned int list_size; -+ -+ peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size ); -+ if (!peer_cert_list) -+ return -1; -+ der->bv_len = peer_cert_list[0].size; -+ der->bv_val = LDAP_MALLOC( der->bv_len ); -+ if (!der->bv_val) -+ return -1; -+ memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len); -+ return 0; -+} -+ - /* suites is a string of colon-separated cipher suite names. 
*/ - static int - tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites ) -@@ -932,6 +950,7 @@ tls_impl ldap_int_tls_impl = { - tlsg_session_chkhost, - tlsg_session_strength, - tlsg_session_unique, -+ tlsg_session_peercert, - - &tlsg_sbio, - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index c64f4c176..d35a803de 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -2880,6 +2880,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server) - return 0; - } - -+static int -+tlsm_session_peercert( tls_session *sess, struct berval *der ) -+{ -+ tlsm_session *s = (tlsm_session *)sess; -+ CERTCertificate *cert; -+ cert = SSL_PeerCertificate( s ); -+ if (!cert) -+ return -1; -+ der->bv_len = cert->derCert.len; -+ der->bv_val = LDAP_MALLOC( der->bv_len ); -+ if (!der->bv_val) -+ return -1; -+ memcpy( der->bv_val, cert->derCert.data, der->bv_len ); -+ return 0; -+} -+ - /* - * TLS support for LBER Sockbufs - */ -@@ -3309,6 +3325,7 @@ tls_impl ldap_int_tls_impl = { - tlsm_session_chkhost, - tlsm_session_strength, - tlsm_session_unique, -+ tlsm_session_peercert, - - &tlsm_sbio, - -diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c -index f741a461f..157923289 100644 ---- a/libraries/libldap/tls_o.c -+++ b/libraries/libldap/tls_o.c -@@ -861,6 +861,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server) - return buf->bv_len; - } - -+static int -+tlso_session_peercert( tls_session *sess, struct berval *der ) -+{ -+ tlso_session *s = (tlso_session *)sess; -+ unsigned char *ptr; -+ X509 *x = SSL_get_peer_certificate(s); -+ der->bv_len = i2d_X509(x, NULL); -+ der->bv_val = LDAP_MALLOC(der->bv_len); -+ if ( !der->bv_val ) -+ return -1; -+ ptr = der->bv_val; -+ i2d_X509(x, &ptr); -+ return 0; -+} -+ - /* - * TLS support for LBER Sockbufs - */ -@@ -1379,6 +1394,7 @@ tls_impl ldap_int_tls_impl = { - tlso_session_chkhost, - tlso_session_strength, - tlso_session_unique, -+ 
tlso_session_peercert, - - &tlso_sbio, - --- -2.29.2 - diff --git a/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch b/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch deleted file mode 100644 index 404c4a4..0000000 --- a/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 465b1c5972eef1d4e60eb98ae3776d33e270853d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= -Date: Fri, 15 Jun 2018 15:12:28 +0100 -Subject: [PATCH] ITS#8573 Add missing URI variables for tests - ---- - tests/scripts/conf.sh | 18 ++++++++++++++++++ - tests/scripts/defines.sh | 7 +++++++ - 2 files changed, 25 insertions(+) - -diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh -index 9a33d88e9..2a859d89d 100755 ---- a/tests/scripts/conf.sh -+++ b/tests/scripts/conf.sh -@@ -74,6 +74,24 @@ sed -e "s/@BACKEND@/${BACKEND}/" \ - -e "s;@PORT4@;${PORT4};" \ - -e "s;@PORT5@;${PORT5};" \ - -e "s;@PORT6@;${PORT6};" \ -+ -e "s;@SURI1@;${SURI1};" \ -+ -e "s;@SURI2@;${SURI2};" \ -+ -e "s;@SURI3@;${SURI3};" \ -+ -e "s;@SURI4@;${SURI4};" \ -+ -e "s;@SURI5@;${SURI5};" \ -+ -e "s;@SURI6@;${SURI6};" \ -+ -e "s;@URIP1@;${URIP1};" \ -+ -e "s;@URIP2@;${URIP2};" \ -+ -e "s;@URIP3@;${URIP3};" \ -+ -e "s;@URIP4@;${URIP4};" \ -+ -e "s;@URIP5@;${URIP5};" \ -+ -e "s;@URIP6@;${URIP6};" \ -+ -e "s;@SURIP1@;${SURIP1};" \ -+ -e "s;@SURIP2@;${SURIP2};" \ -+ -e "s;@SURIP3@;${SURIP3};" \ -+ -e "s;@SURIP4@;${SURIP4};" \ -+ -e "s;@SURIP5@;${SURIP5};" \ -+ -e "s;@SURIP6@;${SURIP6};" \ - -e "s/@SASL_MECH@/${SASL_MECH}/" \ - -e "s;@TESTDIR@;${TESTDIR};" \ - -e "s;@TESTWD@;${TESTWD};" \ -diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh -index 8f7c7b853..26dab1bae 100755 ---- a/tests/scripts/defines.sh -+++ b/tests/scripts/defines.sh -@@ -221,16 +221,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/" - URI3="ldap://${LOCALHOST}:$PORT3/" - URIP3="ldap://${LOCALIP}:$PORT3/" - URI4="ldap://${LOCALHOST}:$PORT4/" -+URIP4="ldap://${LOCALIP}:$PORT4/" - URI5="ldap://${LOCALHOST}:$PORT5/" -+URIP5="ldap://${LOCALIP}:$PORT5/" - URI6="ldap://${LOCALHOST}:$PORT6/" -+URIP6="ldap://${LOCALIP}:$PORT6/" - SURI1="ldaps://${LOCALHOST}:$PORT1/" - SURIP1="ldaps://${LOCALIP}:$PORT1/" - SURI2="ldaps://${LOCALHOST}:$PORT2/" - SURIP2="ldaps://${LOCALIP}:$PORT2/" - 
SURI3="ldaps://${LOCALHOST}:$PORT3/" -+SURIP3="ldaps://${LOCALIP}:$PORT3/" - SURI4="ldaps://${LOCALHOST}:$PORT4/" -+SURIP4="ldaps://${LOCALIP}:$PORT4/" - SURI5="ldaps://${LOCALHOST}:$PORT5/" -+SURIP5="ldaps://${LOCALIP}:$PORT5/" - SURI6="ldaps://${LOCALHOST}:$PORT6/" -+SURIP6="ldaps://${LOCALIP}:$PORT6/" - - # LDIF - LDIF=$DATADIR/test.ldif --- -2.29.2 - diff --git a/openldap-cbinding-ITS-8573-TLS-option-test-suite.patch b/openldap-cbinding-ITS-8573-TLS-option-test-suite.patch deleted file mode 100644 index 4f9c34a..0000000 --- a/openldap-cbinding-ITS-8573-TLS-option-test-suite.patch +++ /dev/null 
@@ -1,2071 +0,0 @@ -From eb087e0861f207858a4e08c72836a86f26d9701c Mon Sep 17 00:00:00 2001 -From: Quanah Gibson-Mount -Date: Thu, 14 Jun 2018 16:12:59 +0100 -Subject: [PATCH] ITS#8573 TLS option test suite - ---- - configure.in | 4 + - tests/data/slapd-tls-sasl.conf | 65 ++ - tests/data/slapd-tls.conf | 61 ++ - tests/data/tls/ca/certs/testsuiteCA.crt | 16 + - tests/data/tls/ca/private/testsuiteCA.key | 16 + - .../tls/certs/bjensen@mailgw.example.com.crt | 16 + - tests/data/tls/certs/localhost.crt | 16 + - tests/data/tls/conf/openssl.cnf | 129 ++++ - tests/data/tls/create-crt.sh | 78 +++ - .../private/bjensen@mailgw.example.com.key | 16 + - tests/data/tls/private/localhost.key | 16 + - tests/run.in | 3 +- - tests/scripts/defines.sh | 21 +- - tests/scripts/test067-tls | 140 +++++ - tests/scripts/test068-sasl-tls-external | 102 ++++ - .../test069-delta-multimaster-starttls | 574 ++++++++++++++++++ - tests/scripts/test070-delta-multimaster-ldaps | 571 +++++++++++++++++ - 18 files changed, 1846 insertions(+), 2 deletions(-) - create mode 100644 tests/data/slapd-tls-sasl.conf - create mode 100644 tests/data/slapd-tls.conf - create mode 100644 tests/data/tls/ca/certs/testsuiteCA.crt - create mode 100644 tests/data/tls/ca/private/testsuiteCA.key - create mode 100644 tests/data/tls/certs/bjensen@mailgw.example.com.crt - create mode 100644 tests/data/tls/certs/localhost.crt - create mode 100644 tests/data/tls/conf/openssl.cnf - create mode 100755 tests/data/tls/create-crt.sh - create mode 100644 tests/data/tls/private/bjensen@mailgw.example.com.key - create mode 100644 tests/data/tls/private/localhost.key - create mode 100755 tests/scripts/test067-tls - create mode 100755 tests/scripts/test068-sasl-tls-external - create mode 100755 tests/scripts/test069-delta-multimaster-starttls - create mode 100755 tests/scripts/test070-delta-multimaster-ldaps - -diff --git a/configure.in b/configure.in -index 0c7c0a9ee..cf143d9bf 100644 ---- a/configure.in -+++ b/configure.in -@@ -592,6 
+592,7 @@ KRB4_LIBS= - KRB5_LIBS= - SASL_LIBS= - TLS_LIBS= -+WITH_TLS_TYPE= - MODULES_LIBS= - SLAPI_LIBS= - LIBSLAPI= -@@ -1186,6 +1187,7 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then - if test $have_openssl = yes ; then - ol_with_tls=openssl - ol_link_tls=yes -+ WITH_TLS_TYPE=openssl - - AC_DEFINE(HAVE_OPENSSL, 1, - [define if you have OpenSSL]) -@@ -1226,6 +1228,7 @@ if test $ol_link_tls = no ; then - if test $have_gnutls = yes ; then - ol_with_tls=gnutls - ol_link_tls=yes -+ WITH_TLS_TYPE=gnutls - - TLS_LIBS="-lgnutls" - -@@ -3163,6 +3166,7 @@ AC_SUBST(KRB4_LIBS) - AC_SUBST(KRB5_LIBS) - AC_SUBST(SASL_LIBS) - AC_SUBST(TLS_LIBS) -+AC_SUBST(WITH_TLS_TYPE) - AC_SUBST(MODULES_LIBS) - AC_SUBST(SLAPI_LIBS) - AC_SUBST(LIBSLAPI) -diff --git a/tests/data/slapd-tls-sasl.conf b/tests/data/slapd-tls-sasl.conf -new file mode 100644 -index 000000000..f4bb0773e ---- /dev/null -+++ b/tests/data/slapd-tls-sasl.conf -@@ -0,0 +1,65 @@ -+# stand-alone slapd config -- for testing (with indexing) -+# $OpenLDAP$ -+## This work is part of OpenLDAP Software . -+## -+## Copyright 1998-2017 The OpenLDAP Foundation. -+## All rights reserved. -+## -+## Redistribution and use in source and binary forms, with or without -+## modification, are permitted only as authorized by the OpenLDAP -+## Public License. -+## -+## A copy of this license is available in the file LICENSE in the -+## top-level directory of the distribution or, alternatively, at -+## . 
-+ -+# -+include @SCHEMADIR@/core.schema -+include @SCHEMADIR@/cosine.schema -+# -+include @SCHEMADIR@/corba.schema -+include @SCHEMADIR@/java.schema -+include @SCHEMADIR@/inetorgperson.schema -+include @SCHEMADIR@/misc.schema -+include @SCHEMADIR@/nis.schema -+include @SCHEMADIR@/openldap.schema -+# -+include @SCHEMADIR@/duaconf.schema -+include @SCHEMADIR@/dyngroup.schema -+include @SCHEMADIR@/ppolicy.schema -+ -+# -+pidfile @TESTDIR@/slapd.1.pid -+argsfile @TESTDIR@/slapd.1.args -+ -+# SSL configuration -+TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt -+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key -+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt -+TLSVerifyClient hard -+ -+# -+rootdse @DATADIR@/rootdse.ldif -+ -+#mod#modulepath ../servers/slapd/back-@BACKEND@/ -+#mod#moduleload back_@BACKEND@.la -+#monitormod#modulepath ../servers/slapd/back-monitor/ -+#monitormod#moduleload back_monitor.la -+ -+authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1) -+ -+####################################################################### -+# database definitions -+####################################################################### -+ -+database @BACKEND@ -+suffix "dc=example,dc=com" -+rootdn "cn=Manager,dc=example,dc=com" -+rootpw secret -+#~null~#directory @TESTDIR@/db.1.a -+#indexdb#index objectClass eq -+#indexdb#index mail eq -+#ndb#dbname db_1_a -+#ndb#include @DATADIR@/ndb.conf -+ -+#monitor#database monitor -diff --git a/tests/data/slapd-tls.conf b/tests/data/slapd-tls.conf -new file mode 100644 -index 000000000..6a7785557 ---- /dev/null -+++ b/tests/data/slapd-tls.conf -@@ -0,0 +1,61 @@ -+# stand-alone slapd config -- for testing (with indexing) -+# $OpenLDAP$ -+## This work is part of OpenLDAP Software . -+## -+## Copyright 1998-2017 The OpenLDAP Foundation. -+## All rights reserved. 
-+## -+## Redistribution and use in source and binary forms, with or without -+## modification, are permitted only as authorized by the OpenLDAP -+## Public License. -+## -+## A copy of this license is available in the file LICENSE in the -+## top-level directory of the distribution or, alternatively, at -+## . -+ -+# -+include @SCHEMADIR@/core.schema -+include @SCHEMADIR@/cosine.schema -+# -+include @SCHEMADIR@/corba.schema -+include @SCHEMADIR@/java.schema -+include @SCHEMADIR@/inetorgperson.schema -+include @SCHEMADIR@/misc.schema -+include @SCHEMADIR@/nis.schema -+include @SCHEMADIR@/openldap.schema -+# -+include @SCHEMADIR@/duaconf.schema -+include @SCHEMADIR@/dyngroup.schema -+include @SCHEMADIR@/ppolicy.schema -+ -+# -+pidfile @TESTDIR@/slapd.1.pid -+argsfile @TESTDIR@/slapd.1.args -+ -+# SSL configuration -+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key -+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt -+ -+# -+rootdse @DATADIR@/rootdse.ldif -+ -+#mod#modulepath ../servers/slapd/back-@BACKEND@/ -+#mod#moduleload back_@BACKEND@.la -+#monitormod#modulepath ../servers/slapd/back-monitor/ -+#monitormod#moduleload back_monitor.la -+ -+####################################################################### -+# database definitions -+####################################################################### -+ -+database @BACKEND@ -+suffix "dc=example,dc=com" -+rootdn "cn=Manager,dc=example,dc=com" -+rootpw secret -+#~null~#directory @TESTDIR@/db.1.a -+#indexdb#index objectClass eq -+#indexdb#index mail eq -+#ndb#dbname db_1_a -+#ndb#include @DATADIR@/ndb.conf -+ -+#monitor#database monitor -diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt -new file mode 100644 -index 000000000..7458e7461 ---- /dev/null -+++ b/tests/data/tls/ca/certs/testsuiteCA.crt -@@ -0,0 +1,16 @@ -+-----BEGIN CERTIFICATE----- -+MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV 
-+BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv -+bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0 -+NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB -+MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB -+UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd -+rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb -+lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL -+6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU -+7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB -+SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/ -+wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws -+ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q -+aL52EFPS0o3tiAJXS82U2wrQdJ0YEw== -+-----END CERTIFICATE----- -diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key -new file mode 100644 -index 000000000..2e14d7033 ---- /dev/null -+++ b/tests/data/tls/ca/private/testsuiteCA.key -@@ -0,0 +1,16 @@ -+-----BEGIN PRIVATE KEY----- -+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ -+WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc -+338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/ -+dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg -+O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf -+7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn -+rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f -+wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk -+AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l -+vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9 -+27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X -+KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N -+I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL 
-++b2qljWeZbGH -+-----END PRIVATE KEY----- -diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt -new file mode 100644 -index 000000000..93e3a0d39 ---- /dev/null -+++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt -@@ -0,0 +1,16 @@ -+-----BEGIN CERTIFICATE----- -+MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL -+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV -+BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx -+ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV -+BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD -+VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa -+YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A -+MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg -+QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU -+U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL -+MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn -+wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f -+7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo -+4DnnYQBDnq48VORVX94= -+-----END CERTIFICATE----- -diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt -new file mode 100644 -index 000000000..194cb119d ---- /dev/null -+++ b/tests/data/tls/certs/localhost.crt -@@ -0,0 +1,16 @@ -+-----BEGIN CERTIFICATE----- -+MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL -+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV -+BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx -+ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE -+CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT -+dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB -+iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4 
-+7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv -+8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ -+BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A -+AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG -+8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl -+0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR -+GjeZB1FxqDGHjxBq2O828iejw28bSz4= -+-----END CERTIFICATE----- -diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf -new file mode 100644 -index 000000000..a3c8ad9f6 ---- /dev/null -+++ b/tests/data/tls/conf/openssl.cnf -@@ -0,0 +1,129 @@ -+HOME = . -+RANDFILE = $ENV::HOME/.rnd -+ -+oid_section = new_oids -+ -+[ new_oids ] -+tsa_policy1 = 1.2.3.4.1 -+tsa_policy2 = 1.2.3.4.5.6 -+tsa_policy3 = 1.2.3.4.5.7 -+ -+[ ca ] -+default_ca = CA_default # The default ca section -+ -+[ CA_default ] -+ -+dir = ./cruft # Where everything is kept -+certs = $dir/certs # Where the issued certs are kept -+crl_dir = $dir/crl # Where the issued crl are kept -+database = $dir/index.txt # database index file. -+new_certs_dir = $dir/certs # default place for new certs. 
-+certificate = $dir/cacert.pem # The CA certificate -+serial = $dir/serial # The current serial number -+crlnumber = $dir/crlnumber # the current crl number -+crl = $dir/crl.pem # The current CRL -+private_key = $dir/private/cakey.pem# The private key -+RANDFILE = $dir/private/.rand # private random number file -+x509_extensions = usr_cert # The extentions to add to the cert -+name_opt = ca_default # Subject Name options -+cert_opt = ca_default # Certificate field options -+default_days = 365 # how long to certify for -+default_crl_days= 30 # how long before next CRL -+default_md = default # use public key default MD -+preserve = no # keep passed DN ordering -+policy = policy_match -+ -+[ policy_match ] -+countryName = match -+stateOrProvinceName = match -+organizationName = match -+organizationalUnitName = optional -+commonName = supplied -+emailAddress = optional -+ -+[ policy_anything ] -+countryName = optional -+stateOrProvinceName = optional -+localityName = optional -+organizationName = optional -+organizationalUnitName = optional -+commonName = supplied -+emailAddress = optional -+ -+[ req ] -+default_bits = 2048 -+default_keyfile = privkey.pem -+distinguished_name = req_distinguished_name -+attributes = req_attributes -+x509_extensions = v3_ca # The extentions to add to the self signed cert -+ -+string_mask = utf8only -+ -+[ req_distinguished_name ] -+basicConstraints=CA:FALSE -+ -+[ req_attributes ] -+challengePassword = A challenge password -+challengePassword_min = 4 -+challengePassword_max = 20 -+ -+unstructuredName = An optional company name -+ -+[ usr_cert ] -+ -+basicConstraints=CA:FALSE -+nsComment = "OpenSSL Generated Certificate" -+ -+subjectKeyIdentifier=hash -+authorityKeyIdentifier=keyid,issuer -+ -+[ v3_req ] -+ -+basicConstraints = CA:FALSE -+keyUsage = nonRepudiation, digitalSignature, keyEncipherment -+subjectAltName = DNS:localhost,IP:127.0.0.1,IP:::1 -+ -+[ v3_ca ] -+subjectKeyIdentifier=hash -+authorityKeyIdentifier=keyid:always,issuer 
-+basicConstraints = CA:true -+ -+[ crl_ext ] -+ -+authorityKeyIdentifier=keyid:always -+ -+[ proxy_cert_ext ] -+basicConstraints=CA:FALSE -+nsComment = "OpenSSL Generated Certificate" -+ -+subjectKeyIdentifier=hash -+authorityKeyIdentifier=keyid,issuer -+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo -+ -+[ tsa ] -+ -+default_tsa = tsa_config1 # the default TSA section -+ -+[ tsa_config1 ] -+ -+dir = ./demoCA # TSA root directory -+serial = $dir/tsaserial # The current serial number (mandatory) -+crypto_device = builtin # OpenSSL engine to use for signing -+signer_cert = $dir/tsacert.pem # The TSA signing certificate -+ # (optional) -+certs = $dir/cacert.pem # Certificate chain to include in reply -+ # (optional) -+signer_key = $dir/private/tsakey.pem # The TSA private key (optional) -+ -+default_policy = tsa_policy1 # Policy if request did not specify it -+ # (optional) -+other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) -+digests = md5, sha1 # Acceptable message digests (mandatory) -+accuracy = secs:1, millisecs:500, microsecs:100 # (optional) -+clock_precision_digits = 0 # number of digits after dot. (optional) -+ordering = yes # Is ordering defined for timestamps? -+ # (optional, default: no) -+tsa_name = yes # Must the TSA name be included in the reply? -+ # (optional, default: no) -+ess_cert_id_chain = no # Must the ESS cert id chain be included? -+ # (optional, default: no) -diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh -new file mode 100755 -index 000000000..8c33a24fe ---- /dev/null -+++ b/tests/data/tls/create-crt.sh -@@ -0,0 +1,78 @@ -+#!/bin/sh -+openssl=$(which openssl) -+ -+if [ x"$openssl" = "x" ]; then -+echo "OpenSSL command line binary not found, skipping..." 
-+fi -+ -+USAGE="$0 [-s] [-u ]" -+SERVER=0 -+USER=0 -+EMAIL= -+ -+while test $# -gt 0 ; do -+ case "$1" in -+ -s | -server) -+ SERVER=1; -+ shift;; -+ -u | -user) -+ if [ x"$2" = "x" ]; then -+ echo "User cert requires an email address as an argument" -+ exit; -+ fi -+ USER=1; -+ EMAIL="$2"; -+ shift; shift;; -+ -) -+ shift;; -+ -*) -+ echo "$USAGE"; exit 1 -+ ;; -+ *) -+ break;; -+ esac -+done -+ -+if [ $SERVER = 0 -a $USER = 0 ]; then -+ echo "$USAGE"; -+ exit 1; -+fi -+ -+rm -rf ./openssl.cnf cruft -+mkdir -p private certs cruft/private cruft/certs -+ -+echo "00" > cruft/serial -+touch cruft/index.txt -+touch cruft/index.txt.attr -+hn=$(hostname -f) -+sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf > ./openssl.cnf -+ -+if [ $SERVER = 1 ]; then -+ rm -rf private/localhost.key certs/localhost.crt -+ -+ $openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \ -+ -newkey rsa:1024 -config ./openssl.cnf \ -+ -subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \ -+ -batch > /dev/null 2>&1 -+ -+ $openssl ca -out certs/localhost.crt -notext -config ./openssl.cnf -days 183000 -in localhost.csr \ -+ -keyfile ca/private/testsuiteCA.key -extensions v3_req -cert ca/certs/testsuiteCA.crt \ -+ -batch >/dev/null 2>&1 -+ -+ rm -rf ./openssl.cnf ./localhost.csr cruft -+fi -+ -+if [ $USER = 1 ]; then -+ rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr -+ -+ $openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \ -+ -newkey rsa:1024 -config ./openssl.cnf \ -+ -subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \ -+ -batch >/dev/null 2>&1 -+ -+ $openssl ca -out certs/$EMAIL.crt -notext -config ./openssl.cnf -days 183000 -in $EMAIL.csr \ -+ -keyfile ca/private/testsuiteCA.key -extensions req_distinguished_name \ -+ -cert ca/certs/testsuiteCA.crt -batch >/dev/null 2>&1 -+ -+ rm -rf ./openssl.cnf ./$EMAIL.csr cruft -+fi -diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key 
b/tests/data/tls/private/bjensen@mailgw.example.com.key -new file mode 100644 -index 000000000..5f4625fd7 ---- /dev/null -+++ b/tests/data/tls/private/bjensen@mailgw.example.com.key -@@ -0,0 +1,16 @@ -+-----BEGIN PRIVATE KEY----- -+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2 -+xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4 -+9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z -+yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r -+oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e -+nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg -+xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra -+EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd -+9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/ -+pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI -+tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ -+3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D -+tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg -+36Ixj3L+5H18 -+-----END PRIVATE KEY----- -diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key -new file mode 100644 -index 000000000..8a24f69f8 ---- /dev/null -+++ b/tests/data/tls/private/localhost.key -@@ -0,0 +1,16 @@ -+-----BEGIN PRIVATE KEY----- -+MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg -+ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM -+w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM -+brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij -+Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf -+2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ -+bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q -+1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf -+3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U 
-+VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7 -+TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b -+iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP -+5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3 -+b61hkjQZfbEg5cg= -+-----END PRIVATE KEY----- -diff --git a/tests/run.in b/tests/run.in -index a542eedec..468c3e1f2 100644 ---- a/tests/run.in -+++ b/tests/run.in -@@ -56,6 +56,7 @@ AC_valsort=valsort@BUILD_VALSORT@ - # misc - AC_WITH_SASL=@WITH_SASL@ - AC_WITH_TLS=@WITH_TLS@ -+AC_TLS_TYPE=@WITH_TLS_TYPE@ - AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@ - AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@ - AC_THREADS=threads@BUILD_THREAD@ -@@ -74,7 +75,7 @@ export AC_bdb AC_hdb AC_ldap AC_mdb AC_meta AC_monitor AC_null AC_relay AC_sql \ - AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \ - AC_valsort \ - AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \ -- AC_THREADS AC_LIBS_DYNAMIC -+ AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE - - if test ! 
-x ../servers/slapd/slapd ; then - echo "Could not locate slapd(8)" -diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh -index b374cc500..8f7c7b853 100755 ---- a/tests/scripts/defines.sh -+++ b/tests/scripts/defines.sh -@@ -45,6 +45,9 @@ VALSORT=${AC_valsort-valsortno} - # misc - WITH_SASL=${AC_WITH_SASL-no} - USE_SASL=${SLAPD_USE_SASL-no} -+WITH_TLS=${AC_WITH_TLS-no} -+WITH_TLS_TYPE=${AC_TLS_TYPE-no} -+ - ACI=${AC_ACI_ENABLED-acino} - THREADS=${AC_THREADS-threadsno} - SLEEP0=${SLEEP0-1} -@@ -103,6 +106,8 @@ P2SRCONSUMERCONF=$DATADIR/slapd-syncrepl-consumer-persist2.conf - P3SRCONSUMERCONF=$DATADIR/slapd-syncrepl-consumer-persist3.conf - REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf - SCHEMACONF=$DATADIR/slapd-schema.conf -+TLSCONF=$DATADIR/slapd-tls.conf -+TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf - GLUECONF=$DATADIR/slapd-glue.conf - REFINTCONF=$DATADIR/slapd-refint.conf - RETCODECONF=$DATADIR/slapd-retcode.conf -@@ -163,6 +168,7 @@ SLURPLOG=$TESTDIR/slurp.log - CONFIGPWF=$TESTDIR/configpw - - # args -+SASLARGS="-Q" - TOOLARGS="-x $LDAP_TOOLARGS" - TOOLPROTO="-P 3" - -@@ -184,7 +190,8 @@ BCMP="diff -iB" - CMPOUT=/dev/null - SLAPD="$TESTWD/../servers/slapd/slapd -s0" - LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS" --LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $LDAP_TOOLARGS -LLL" -+LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $SASLARGS $TOOLPROTO $LDAP_TOOLARGS -LLL" -+LDAPSASLWHOAMI="$CLIENTDIR/ldapwhoami $SASLARGS $LDAP_TOOLARGS" - LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL" - LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS" - LDAPDELETE="$CLIENTDIR/ldapdelete $TOOLPROTO $TOOLARGS" -@@ -199,6 +206,7 @@ LDIFFILTER=$PROGDIR/ldif-filter - SLAPDMTREAD=$PROGDIR/slapd-mtread - LVL=${SLAPD_DEBUG-0x4105} - LOCALHOST=localhost -+LOCALIP=127.0.0.1 - BASEPORT=${SLAPD_BASEPORT-9010} - PORT1=`expr $BASEPORT + 1` - PORT2=`expr $BASEPORT + 2` -@@ -207,11 +215,22 @@ PORT4=`expr $BASEPORT + 4` - PORT5=`expr $BASEPORT + 5` - PORT6=`expr 
$BASEPORT + 6` - URI1="ldap://${LOCALHOST}:$PORT1/" -+URIP1="ldap://${LOCALIP}:$PORT1/" - URI2="ldap://${LOCALHOST}:$PORT2/" -+URIP2="ldap://${LOCALIP}:$PORT2/" - URI3="ldap://${LOCALHOST}:$PORT3/" -+URIP3="ldap://${LOCALIP}:$PORT3/" - URI4="ldap://${LOCALHOST}:$PORT4/" - URI5="ldap://${LOCALHOST}:$PORT5/" - URI6="ldap://${LOCALHOST}:$PORT6/" -+SURI1="ldaps://${LOCALHOST}:$PORT1/" -+SURIP1="ldaps://${LOCALIP}:$PORT1/" -+SURI2="ldaps://${LOCALHOST}:$PORT2/" -+SURIP2="ldaps://${LOCALIP}:$PORT2/" -+SURI3="ldaps://${LOCALHOST}:$PORT3/" -+SURI4="ldaps://${LOCALHOST}:$PORT4/" -+SURI5="ldaps://${LOCALHOST}:$PORT5/" -+SURI6="ldaps://${LOCALHOST}:$PORT6/" - - # LDIF - LDIF=$DATADIR/test.ldif -diff --git a/tests/scripts/test067-tls b/tests/scripts/test067-tls -new file mode 100755 -index 000000000..2b245f5f5 ---- /dev/null -+++ b/tests/scripts/test067-tls -@@ -0,0 +1,140 @@ -+#! /bin/sh -+# $OpenLDAP$ -+## This work is part of OpenLDAP Software . -+## -+## Copyright 1998-2017 The OpenLDAP Foundation. -+## All rights reserved. -+## -+## Redistribution and use in source and binary forms, with or without -+## modification, are permitted only as authorized by the OpenLDAP -+## Public License. -+## -+## A copy of this license is available in the file LICENSE in the -+## top-level directory of the distribution or, alternatively, at -+## . -+ -+echo "running defines.sh" -+. $SRCDIR/scripts/defines.sh -+ -+if test $WITH_TLS = no ; then -+ echo "TLS support not available, test skipped" -+ exit 0 -+fi -+ -+mkdir -p $TESTDIR $DBDIR1 -+cp -r $DATADIR/tls $TESTDIR -+ -+cd $TESTWD -+ -+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." -+. $CONFFILTER $BACKEND $MONITORDB < $TLSCONF > $CONF1 -+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & -+PID=$! 
-+if test $WAIT != 0 ; then -+ echo PID $PID -+ read foo -+fi -+KILLPIDS="$PID" -+ -+sleep 1 -+ -+for i in 0 1 2 3 4 5; do -+ $LDAPSEARCH -s base -b "" -H $URI1 \ -+ 'objectclass=*' > /dev/null 2>&1 -+ RC=$? -+ if test $RC = 0 ; then -+ break -+ fi -+ echo "Waiting 5 seconds for slapd to start..." -+ sleep 5 -+done -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+echo -n "Using ldapsearch with startTLS with no server cert validation...." -+$LDAPSEARCH -o tls_reqcert=never -ZZ -b "" -s base -H $URIP1 \ -+ '@extensibleObject' > $SEARCHOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapsearch (startTLS) failed ($RC)!" -+ exit $RC -+else -+ echo "success" -+fi -+ -+echo -n "Using ldapsearch with startTLS with hard require cert...." -+$LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -ZZ -b "" -s base -H $URIP1 \ -+ '@extensibleObject' > $SEARCHOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapsearch (startTLS) failed ($RC)!" -+ exit $RC -+else -+ echo "success" -+fi -+ -+if test $WITH_TLS_TYPE = openssl ; then -+ echo -n "Using ldapsearch with startTLS and specific protocol version...." -+ $LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -o tls_protocol_min=3.3 -ZZ -b "" -s base -H $URIP1 \ -+ '@extensibleObject' > $SEARCHOUT 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "ldapsearch (protocol-min) failed ($RC)!" -+ exit $RC -+ else -+ echo "success" -+ fi -+fi -+ -+echo -n "Using ldapsearch on $SURI2 with no server cert validation..." -+$LDAPSEARCH -o tls_reqcert=never -b "cn=Subschema" -s base -H $SURIP2 \ -+ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ -+ >> $SEARCHOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapsearch (ldaps) failed($RC)!" -+ exit $RC -+else -+ echo "success" -+fi -+ -+echo -n "Using ldapsearch on $SURI2 with reqcert HARD and no CA cert. Should fail..." 
-+$LDAPSEARCH -o tls_reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \ -+ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ -+ >> $SEARCHOUT 2>&1 -+RC=$? -+if test $RC = 0 ; then -+ echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!" -+ exit 1 -+else -+ echo "failed correctly with error code ($RC)" -+fi -+ -+echo -n "Using ldapsearch on $SURI2 with CA cert and reqcert HARD..." -+$LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \ -+ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ -+ >> $SEARCHOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapsearch (ldaps) failed ($RC)!" -+ exit $RC -+else -+ echo "success" -+fi -+ -+test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ -+if test $RC != 0 ; then -+ echo ">>>>> Test failed" -+else -+ echo ">>>>> Test succeeded" -+ RC=0 -+fi -+ -+test $KILLSERVERS != no && wait -+ -+exit $RC -diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external -new file mode 100755 -index 000000000..dcbc50fd4 ---- /dev/null -+++ b/tests/scripts/test068-sasl-tls-external -@@ -0,0 +1,102 @@ -+#! /bin/sh -+# $OpenLDAP$ -+## This work is part of OpenLDAP Software . -+## -+## Copyright 1998-2017 The OpenLDAP Foundation. -+## All rights reserved. -+## -+## Redistribution and use in source and binary forms, with or without -+## modification, are permitted only as authorized by the OpenLDAP -+## Public License. -+## -+## A copy of this license is available in the file LICENSE in the -+## top-level directory of the distribution or, alternatively, at -+## . -+ -+echo "running defines.sh" -+. $SRCDIR/scripts/defines.sh -+ -+if test $WITH_TLS = no ; then -+ echo "TLS support not available, test skipped" -+ exit 0 -+fi -+ -+mkdir -p $TESTDIR $DBDIR1 -+cp -r $DATADIR/tls $TESTDIR -+ -+cd $TESTWD -+ -+echo "Running slapadd to build slapd database..." -+. 
$CONFFILTER $BACKEND $MONITORDB < $TLSSASLCONF > $CONF1 -+$SLAPADD -f $CONF1 -l $LDIFORDERED -+RC=$? -+if test $RC != 0 ; then -+ echo "slapadd failed ($RC)!" -+ exit $RC -+fi -+ -+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." -+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & -+PID=$! -+if test $WAIT != 0 ; then -+ echo PID $PID -+ read foo -+fi -+KILLPIDS="$PID" -+ -+sleep 1 -+ -+for i in 0 1 2 3 4 5; do -+ $LDAPSEARCH -s base -b "" -H $URI1 \ -+ 'objectclass=*' > /dev/null 2>&1 -+ RC=$? -+ if test $RC = 0 ; then -+ break -+ fi -+ echo "Waiting 5 seconds for slapd to start..." -+ sleep 5 -+done -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+echo -n "Using ldapwhoami with SASL/EXTERNAL...." -+$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard \ -+ -o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt -o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key -ZZ -Y EXTERNAL -H $URIP1 \ -+ > $TESTOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapwhoami (startTLS) failed ($RC)!" -+ exit $RC -+else -+ echo "success" -+fi -+ -+echo -n "Validating mapped SASL ID..." -+echo 'dn:cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com' > $TESTDIR/dn.out -+$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT -+ -+RC=$? 
-+if test $RC != 0 ; then -+ echo "Comparison failed" -+ test $KILLSERVERS != no && kill -HUP $PID -+ exit $RC -+else -+ echo "success" -+fi -+ -+test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ -+if test $RC != 0 ; then -+ echo ">>>>> Test failed" -+else -+ echo ">>>>> Test succeeded" -+ RC=0 -+fi -+ -+test $KILLSERVERS != no && wait -+ -+exit $RC -diff --git a/tests/scripts/test069-delta-multimaster-starttls b/tests/scripts/test069-delta-multimaster-starttls -new file mode 100755 -index 000000000..2dfbb30a1 ---- /dev/null -+++ b/tests/scripts/test069-delta-multimaster-starttls -@@ -0,0 +1,574 @@ -+#! /bin/sh -+# $OpenLDAP$ -+## This work is part of OpenLDAP Software . -+## -+## Copyright 1998-2017 The OpenLDAP Foundation. -+## All rights reserved. -+## -+## Redistribution and use in source and binary forms, with or without -+## modification, are permitted only as authorized by the OpenLDAP -+## Public License. -+## -+## A copy of this license is available in the file LICENSE in the -+## top-level directory of the distribution or, alternatively, at -+## . -+ -+echo "running defines.sh" -+. 
$SRCDIR/scripts/defines.sh -+ -+if test $WITH_TLS = no ; then -+ echo "TLS support not available, test skipped" -+ exit 0 -+fi -+ -+if test $SYNCPROV = syncprovno; then -+ echo "Syncrepl provider overlay not available, test skipped" -+ exit 0 -+fi -+if test $ACCESSLOG = accesslogno; then -+ echo "Accesslog overlay not available, test skipped" -+ exit 0 -+fi -+ -+MMR=2 -+ -+XDIR=$TESTDIR/srv -+TMP=$TESTDIR/tmp -+ -+mkdir -p $TESTDIR -+cp -r $DATADIR/tls $TESTDIR -+ -+$SLAPPASSWD -g -n >$CONFIGPWF -+ -+if test x"$SYNCMODE" = x ; then -+ SYNCMODE=rp -+fi -+case "$SYNCMODE" in -+ ro) -+ SYNCTYPE="type=refreshOnly interval=00:00:00:03" -+ ;; -+ rp) -+ SYNCTYPE="type=refreshAndPersist interval=00:00:00:03" -+ ;; -+ *) -+ echo "unknown sync mode $SYNCMODE" -+ exit 1; -+ ;; -+esac -+ -+# -+# Test delta-sync mmr -+# - start servers -+# - configure over ldap -+# - populate over ldap -+# - configure syncrepl over ldap -+# - break replication -+# - modify each server separately -+# - restore replication -+# - compare results -+# -+ -+nullExclude="" -+test $BACKEND = null && nullExclude="# " -+ -+KILLPIDS= -+ -+echo "Initializing server configurations..." 
-+n=1 -+while [ $n -le $MMR ]; do -+ -+DBDIR=${XDIR}$n/db -+CFDIR=${XDIR}$n/slapd.d -+ -+mkdir -p ${XDIR}$n $DBDIR.1 $DBDIR.2 $CFDIR -+ -+o=`expr 3 - $n` -+cat > $TMP <> $TMP -+dn: cn=module,cn=config -+objectClass: olcModuleList -+cn: module -+olcModulePath: $TESTWD/../servers/slapd/overlays -+EOF -+ if [ "$SYNCPROV" = syncprovmod ]; then -+ echo "olcModuleLoad: syncprov.la" >> $TMP -+ fi -+ if [ "$ACCESSLOG" = accesslogmod ]; then -+ echo "olcModuleLoad: accesslog.la" >> $TMP -+ fi -+ echo "" >> $TMP -+fi -+ -+if [ "$BACKENDTYPE" = mod ]; then -+cat <> $TMP -+dn: cn=module,cn=config -+objectClass: olcModuleList -+cn: module -+olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND -+olcModuleLoad: back_$BACKEND.la -+ -+EOF -+fi -+MYURI=`eval echo '$URI'$n` -+PROVIDERURI=`eval echo '$URIP'$o` -+if test $INDEXDB = indexdb ; then -+INDEX1="olcDbIndex: objectClass,entryCSN,reqStart,reqDN,reqResult eq" -+INDEX2="olcDbIndex: objectClass,entryCSN,entryUUID eq" -+else -+INDEX1= -+INDEX2= -+fi -+cat >> $TMP < $TESTOUT 2>&1 -+PORT=`eval echo '$PORT'$n` -+echo "Starting server $n on TCP/IP port $PORT..." -+cd ${XDIR}${n} -+LOG=`eval echo '$LOG'$n` -+$SLAPD -F slapd.d -h $MYURI -d $LVL $TIMING > $LOG 2>&1 & -+PID=$! -+if test $WAIT != 0 ; then -+ echo PID $PID -+ read foo -+fi -+KILLPIDS="$PID $KILLPIDS" -+cd $TESTWD -+ -+echo "Using ldapsearch to check that server $n is running..." -+for i in 0 1 2 3 4 5; do -+ $LDAPSEARCH -s base -b "" -H $MYURI \ -+ 'objectclass=*' > /dev/null 2>&1 -+ RC=$? -+ if test $RC = 0 ; then -+ break -+ fi -+ echo "Waiting 5 seconds for slapd to start..." -+ sleep 5 -+done -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+if [ $n = 1 ]; then -+echo "Using ldapadd for context on server 1..." -+$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $LDIFORDEREDCP \ -+ >> $TESTOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapadd failed for server $n database ($RC)!" 
-+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+fi -+ -+n=`expr $n + 1` -+done -+ -+echo "Using ldapadd to populate server 1..." -+$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $LDIFORDEREDNOCP \ -+ >> $TESTOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapadd failed for server $n database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..." -+sleep $SLEEP1 -+ -+n=1 -+while [ $n -le $MMR ]; do -+PORT=`expr $BASEPORT + $n` -+URI="ldap://${LOCALHOST}:$PORT/" -+ -+echo "Using ldapsearch to read all the entries from server $n..." -+$LDAPSEARCH -S "" -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD \ -+ 'objectclass=*' > $TESTDIR/server$n.out 2>&1 -+RC=$? -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed at server $n ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt -+n=`expr $n + 1` -+done -+ -+n=2 -+while [ $n -le $MMR ]; do -+echo "Comparing retrieved entries from server 1 and server $n..." -+$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT -+ -+if test $? != 0 ; then -+ echo "test failed - server 1 and server $n databases differ" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit 1 -+fi -+n=`expr $n + 1` -+done -+ -+echo "Using ldapadd to populate server 2..." -+$LDAPADD -D "$MANAGERDN" -H $URI2 -w $PASSWD -f $LDIFADD1 \ -+ >> $TESTOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapadd failed for server 2 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com" -+sleep 1 -+for i in 1 2 3; do -+ $LDAPSEARCH -S "" -b "$THEDN" -H $URI1 \ -+ -s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1 -+ RC=$? -+ -+ if test $RC = 0 ; then -+ break -+ fi -+ -+ if test $RC != 32 ; then -+ echo "ldapsearch failed at slave ($RC)!" 
-+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+ fi -+ -+ echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..." -+ sleep $SLEEP1 -+done -+ -+n=1 -+while [ $n -le $MMR ]; do -+PORT=`expr $BASEPORT + $n` -+URI="ldap://${LOCALHOST}:$PORT/" -+ -+echo "Using ldapsearch to read all the entries from server $n..." -+$LDAPSEARCH -S "" -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD \ -+ 'objectclass=*' > $TESTDIR/server$n.out 2>&1 -+RC=$? -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed at server $n ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt -+n=`expr $n + 1` -+done -+ -+n=2 -+while [ $n -le $MMR ]; do -+echo "Comparing retrieved entries from server 1 and server $n..." -+$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT -+ -+if test $? != 0 ; then -+ echo "test failed - server 1 and server $n databases differ" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit 1 -+fi -+n=`expr $n + 1` -+done -+ -+echo "Breaking replication between server 1 and 2..." -+n=1 -+while [ $n -le $MMR ]; do -+o=`expr 3 - $n` -+MYURI=`eval echo '$URI'$n` -+PROVIDERURI=`eval echo '$URIP'$o` -+$LDAPMODIFY -D cn=config -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 <> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+add: description -+description: Amazing -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 1 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -D "$MANAGERDN" -H $URI2 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+add: description -+description: Stupendous -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 2 database ($RC)!" 
-+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+delete: description -+description: Outstanding -+- -+add: description -+description: Mindboggling -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 1 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -D "$MANAGERDN" -H $URI2 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+delete: description -+description: OutStanding -+- -+add: description -+description: Bizarre -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 2 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+add: carLicense -+carLicense: 123-XYZ -+- -+add: employeeNumber -+employeeNumber: 32 -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 1 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -D "$MANAGERDN" -H $URI2 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+add: employeeType -+employeeType: deadwood -+- -+add: employeeNumber -+employeeNumber: 64 -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 2 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+replace: sn -+sn: Replaced later -+- -+replace: sn -+sn: Surname -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 1 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+echo "Restoring replication between server 1 and 2..." 
-+n=1 -+while [ $n -le $MMR ]; do -+o=`expr 3 - $n` -+MYURI=`eval echo '$URI'$n` -+PROVIDERURI=`eval echo '$URIP'$o` -+$LDAPMODIFY -D cn=config -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 < $TESTDIR/server$n.out 2>&1 -+RC=$? -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed at server $n ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+$LDIFFILTER -s a < $TESTDIR/server$n.out > $TESTDIR/server$n.flt -+n=`expr $n + 1` -+done -+ -+n=2 -+while [ $n -le $MMR ]; do -+echo "Comparing retrieved entries from server 1 and server $n..." -+$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT -+ -+if test $? != 0 ; then -+ echo "test failed - server 1 and server $n databases differ" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit 1 -+fi -+n=`expr $n + 1` -+done -+ -+test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ -+echo ">>>>> Test succeeded" -+ -+test $KILLSERVERS != no && wait -+ -+exit 0 -diff --git a/tests/scripts/test070-delta-multimaster-ldaps b/tests/scripts/test070-delta-multimaster-ldaps -new file mode 100755 -index 000000000..1024640ef ---- /dev/null -+++ b/tests/scripts/test070-delta-multimaster-ldaps -@@ -0,0 +1,571 @@ -+#! /bin/sh -+# $OpenLDAP$ -+## This work is part of OpenLDAP Software . -+## -+## Copyright 1998-2017 The OpenLDAP Foundation. -+## All rights reserved. -+## -+## Redistribution and use in source and binary forms, with or without -+## modification, are permitted only as authorized by the OpenLDAP -+## Public License. -+## -+## A copy of this license is available in the file LICENSE in the -+## top-level directory of the distribution or, alternatively, at -+## . -+ -+echo "running defines.sh" -+. 
$SRCDIR/scripts/defines.sh -+ -+if test $WITH_TLS = no ; then -+ echo "TLS support not available, test skipped" -+ exit 0 -+fi -+ -+if test $SYNCPROV = syncprovno; then -+ echo "Syncrepl provider overlay not available, test skipped" -+ exit 0 -+fi -+if test $ACCESSLOG = accesslogno; then -+ echo "Accesslog overlay not available, test skipped" -+ exit 0 -+fi -+ -+MMR=2 -+ -+XDIR=$TESTDIR/srv -+TMP=$TESTDIR/tmp -+ -+mkdir -p $TESTDIR -+cp -r $DATADIR/tls $TESTDIR -+ -+$SLAPPASSWD -g -n >$CONFIGPWF -+ -+if test x"$SYNCMODE" = x ; then -+ SYNCMODE=rp -+fi -+case "$SYNCMODE" in -+ ro) -+ SYNCTYPE="type=refreshOnly interval=00:00:00:03" -+ ;; -+ rp) -+ SYNCTYPE="type=refreshAndPersist interval=00:00:00:03" -+ ;; -+ *) -+ echo "unknown sync mode $SYNCMODE" -+ exit 1; -+ ;; -+esac -+ -+# -+# Test delta-sync mmr -+# - start servers -+# - configure over ldap -+# - populate over ldap -+# - configure syncrepl over ldap -+# - break replication -+# - modify each server separately -+# - restore replication -+# - compare results -+# -+ -+nullExclude="" -+test $BACKEND = null && nullExclude="# " -+ -+KILLPIDS= -+ -+echo "Initializing server configurations..." 
-+n=1 -+while [ $n -le $MMR ]; do -+ -+DBDIR=${XDIR}$n/db -+CFDIR=${XDIR}$n/slapd.d -+ -+mkdir -p ${XDIR}$n $DBDIR.1 $DBDIR.2 $CFDIR -+ -+o=`expr 3 - $n` -+cat > $TMP <> $TMP -+dn: cn=module,cn=config -+objectClass: olcModuleList -+cn: module -+olcModulePath: $TESTWD/../servers/slapd/overlays -+EOF -+ if [ "$SYNCPROV" = syncprovmod ]; then -+ echo "olcModuleLoad: syncprov.la" >> $TMP -+ fi -+ if [ "$ACCESSLOG" = accesslogmod ]; then -+ echo "olcModuleLoad: accesslog.la" >> $TMP -+ fi -+ echo "" >> $TMP -+fi -+ -+if [ "$BACKENDTYPE" = mod ]; then -+cat <> $TMP -+dn: cn=module,cn=config -+objectClass: olcModuleList -+cn: module -+olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND -+olcModuleLoad: back_$BACKEND.la -+ -+EOF -+fi -+MYURI=`eval echo '$SURIP'$n` -+PROVIDERURI=`eval echo '$SURIP'$o` -+if test $INDEXDB = indexdb ; then -+INDEX1="olcDbIndex: objectClass,entryCSN,reqStart,reqDN,reqResult eq" -+INDEX2="olcDbIndex: objectClass,entryCSN,entryUUID eq" -+else -+INDEX1= -+INDEX2= -+fi -+cat >> $TMP < $TESTOUT 2>&1 -+PORT=`eval echo '$PORT'$n` -+echo "Starting server $n on TCP/IP port $PORT..." -+cd ${XDIR}${n} -+LOG=`eval echo '$LOG'$n` -+$SLAPD -F slapd.d -h $MYURI -d $LVL $TIMING > $LOG 2>&1 & -+PID=$! -+if test $WAIT != 0 ; then -+ echo PID $PID -+ read foo -+fi -+KILLPIDS="$PID $KILLPIDS" -+cd $TESTWD -+ -+echo "Using ldapsearch to check that server $n is running..." -+for i in 0 1 2 3 4 5; do -+ $LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -s base -b "" -H $MYURI \ -+ 'objectclass=*' > /dev/null 2>&1 -+ RC=$? -+ if test $RC = 0 ; then -+ break -+ fi -+ echo "Waiting 5 seconds for slapd to start..." -+ sleep 5 -+done -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+if [ $n = 1 ]; then -+echo "Using ldapadd for context on server 1..." 
-+$LDAPADD -D "$MANAGERDN" -H $SURIP1 -w $PASSWD -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -f $LDIFORDEREDCP \ -+ >> $TESTOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapadd failed for server $n database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+fi -+ -+n=`expr $n + 1` -+done -+ -+echo "Using ldapadd to populate server 1..." -+$LDAPADD -D "$MANAGERDN" -H $SURIP1 -w $PASSWD -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -f $LDIFORDEREDNOCP \ -+ >> $TESTOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapadd failed for server $n database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..." -+sleep $SLEEP1 -+ -+n=1 -+while [ $n -le $MMR ]; do -+PORT=`expr $BASEPORT + $n` -+URI="ldaps://${LOCALIP}:$PORT/" -+ -+echo "Using ldapsearch to read all the entries from server $n..." -+$LDAPSEARCH -S "" -b "$BASEDN" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $URI -w $PASSWD \ -+ 'objectclass=*' > $TESTDIR/server$n.out 2>&1 -+RC=$? -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed at server $n ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt -+n=`expr $n + 1` -+done -+ -+n=2 -+while [ $n -le $MMR ]; do -+echo "Comparing retrieved entries from server 1 and server $n..." -+$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT -+ -+if test $? != 0 ; then -+ echo "test failed - server 1 and server $n databases differ" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit 1 -+fi -+n=`expr $n + 1` -+done -+ -+echo "Using ldapadd to populate server 2..." -+$LDAPADD -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD -f $LDIFADD1 \ -+ >> $TESTOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapadd failed for server 2 database ($RC)!" 
-+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com" -+sleep 1 -+for i in 1 2 3; do -+ $LDAPSEARCH -S "" -b "$THEDN" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -H $SURIP1 \ -+ -s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1 -+ RC=$? -+ -+ if test $RC = 0 ; then -+ break -+ fi -+ -+ if test $RC != 32 ; then -+ echo "ldapsearch failed at slave ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+ fi -+ -+ echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..." -+ sleep $SLEEP1 -+done -+ -+n=1 -+while [ $n -le $MMR ]; do -+PORT=`expr $BASEPORT + $n` -+URI="ldaps://${LOCALIP}:$PORT/" -+ -+echo "Using ldapsearch to read all the entries from server $n..." -+$LDAPSEARCH -S "" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD \ -+ 'objectclass=*' > $TESTDIR/server$n.out 2>&1 -+RC=$? -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed at server $n ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt -+n=`expr $n + 1` -+done -+ -+n=2 -+while [ $n -le $MMR ]; do -+echo "Comparing retrieved entries from server 1 and server $n..." -+$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT -+ -+if test $? != 0 ; then -+ echo "test failed - server 1 and server $n databases differ" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit 1 -+fi -+n=`expr $n + 1` -+done -+ -+echo "Breaking replication between server 1 and 2..." -+n=1 -+while [ $n -le $MMR ]; do -+o=`expr 3 - $n` -+MYURI=`eval echo '$SURIP'$n` -+PROVIDERURI=`eval echo '$SURIP'$o` -+$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D cn=config -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 <> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+add: description -+description: Amazing -+ -+EOF -+RC=$? 
-+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 1 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+add: description -+description: Stupendous -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 2 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP1 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+delete: description -+description: Outstanding -+- -+add: description -+description: Mindboggling -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 1 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+delete: description -+description: OutStanding -+- -+add: description -+description: Bizarre -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 2 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP1 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+add: carLicense -+carLicense: 123-XYZ -+- -+add: employeeNumber -+employeeNumber: 32 -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 1 database ($RC)!" 
-+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+add: employeeType -+employeeType: deadwood -+- -+add: employeeNumber -+employeeNumber: 64 -+ -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 2 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP1 -w $PASSWD \ -+ >> $TESTOUT 2>&1 << EOF -+dn: $THEDN -+changetype: modify -+replace: sn -+sn: Replaced later -+- -+replace: sn -+sn: Surname -+EOF -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapmodify failed for server 1 database ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+echo "Restoring replication between server 1 and 2..." -+n=1 -+while [ $n -le $MMR ]; do -+o=`expr 3 - $n` -+MYURI=`eval echo '$SURIP'$n` -+PROVIDERURI=`eval echo '$SURIP'$o` -+$LDAPMODIFY -D cn=config -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 < $TESTDIR/server$n.out 2>&1 -+RC=$? -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed at server $n ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+$LDIFFILTER -s a < $TESTDIR/server$n.out > $TESTDIR/server$n.flt -+n=`expr $n + 1` -+done -+ -+n=2 -+while [ $n -le $MMR ]; do -+echo "Comparing retrieved entries from server 1 and server $n..." -+$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT -+ -+if test $? != 0 ; then -+ echo "test failed - server 1 and server $n databases differ" -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit 1 -+fi -+n=`expr $n + 1` -+done -+ -+test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ -+echo ">>>>> Test succeeded" -+ -+test $KILLSERVERS != no && wait -+ -+exit 0 --- -2.29.2 - 
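Review bot: dropping openldap-cbinding-ITS-8573-TLS-option-test-suite.patch removes test067-tls, test068-sasl-tls-external, test069-delta-multimaster-starttls and test070-delta-multimaster-ldaps together with the defines.sh plumbing they depend on (WITH_TLS, WITH_TLS_TYPE, the URIP*/SURI*/SURIP* variables, LDAPSASLWHOAMI, TLSCONF and TLSSASLCONF), but neither the hunk nor the commit message names the upstream commit that now carries them. Please cite the upstream ITS or commit for each removed patch, and confirm the 2.6.1 tarball still runs the two checks that matter most here: the negative case in test067 ("with reqcert HARD and no CA cert. Should fail"), which shows server certificate validation is not silently bypassed, and the SASL/EXTERNAL mapping check in test068 (`$CMP $TESTDIR/dn.out $TESTOUT`), which shows a client certificate maps only to the intended DN. If either is absent upstream, keep the corresponding script in the package instead of deleting it.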
diff --git a/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch b/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch deleted file mode 100644 index d86a707..0000000 --- a/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch +++ /dev/null 
@@ -1,582 +0,0 @@ -NOTE: The patch has been adjusted to match the base code before backporting. - -From 8a259e3df16def3f05828f355e98a5089cd6e6d0 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= -Date: Thu, 14 Jun 2018 16:14:15 +0100 -Subject: [PATCH] ITS#8573 allow all libldap options in tools -o option - ---- - clients/tools/common.c | 15 ++- - doc/devel/args | 2 +- - doc/man/man1/ldapcompare.1 | 9 +- - doc/man/man1/ldapdelete.1 | 9 +- - doc/man/man1/ldapexop.1 | 9 +- - doc/man/man1/ldapmodify.1 | 9 +- - doc/man/man1/ldapmodrdn.1 | 9 +- - doc/man/man1/ldappasswd.1 | 9 +- - doc/man/man1/ldapsearch.1 | 9 +- - doc/man/man1/ldapwhoami.1 | 13 ++- - doc/man/man8/slapcat.8 | 2 +- - include/ldap_pvt.h | 5 + - libraries/libldap/init.c | 231 ++++++++++++++++++++++--------------- - servers/slapd/slapcommon.c | 5 +- - 14 files changed, 200 insertions(+), 136 deletions(-) - -diff --git a/clients/tools/common.c b/clients/tools/common.c -index 39db70b93..d5c3491fc 100644 ---- a/clients/tools/common.c -+++ b/clients/tools/common.c -@@ -351,9 +351,9 @@ N_(" -I use SASL Interactive mode\n"), - N_(" -n show what would be done but don't actually do it\n"), - N_(" -N do not use reverse DNS to canonicalize SASL host name\n"), - N_(" -O props SASL security properties\n"), --N_(" -o [=] general options\n"), -+N_(" -o [=] any libldap ldap.conf options, plus\n"), -+N_(" ldif_wrap= (in columns, or \"no\" for no wrapping)\n"), - N_(" nettimeout= (in seconds, or \"none\" or \"max\")\n"), --N_(" ldif-wrap= (in columns, or \"no\" for no wrapping)\n"), - N_(" -p port port on LDAP server\n"), - N_(" -Q use SASL Quiet mode\n"), - N_(" -R realm SASL realm\n"), -@@ -785,6 +785,11 @@ tool_args( int argc, char **argv ) - if ( (cvalue = strchr( control, '=' )) != NULL ) { - *cvalue++ = '\0'; - } -+ for ( next=control; *next; next++ ) { -+ if ( *next == '-' ) { -+ *next = '_'; -+ } -+ } - - if ( strcasecmp( control, "nettimeout" ) == 0 ) { - if( nettimeout.tv_sec != -1 ) { -@@ 
-814,7 +819,7 @@ tool_args( int argc, char **argv ) - exit( EXIT_FAILURE ); - } - -- } else if ( strcasecmp( control, "ldif-wrap" ) == 0 ) { -+ } else if ( strcasecmp( control, "ldif_wrap" ) == 0 ) { - if ( cvalue == 0 ) { - ldif_wrap = LDIF_LINE_WIDTH; - -@@ -825,13 +830,13 @@ tool_args( int argc, char **argv ) - unsigned int u; - if ( lutil_atou( &u, cvalue ) ) { - fprintf( stderr, -- _("Unable to parse ldif-wrap=\"%s\"\n"), cvalue ); -+ _("Unable to parse ldif_wrap=\"%s\"\n"), cvalue ); - exit( EXIT_FAILURE ); - } - ldif_wrap = (ber_len_t)u; - } - -- } else { -+ } else if ( ldap_pvt_conf_option( control, cvalue, 1 ) ) { - fprintf( stderr, "Invalid general option name: %s\n", - control ); - usage(); -diff --git a/doc/devel/args b/doc/devel/args -index 7805eff1c..31c22f948 100644 ---- a/doc/devel/args -+++ b/doc/devel/args -@@ -27,7 +27,7 @@ ldapwhoami * DE**HI** NO QR UVWXYZ def*h*** *nop* vwxy - -h host - -n no-op - -N no (SASLprep) normalization of simple bind password -- -o general options (currently nettimeout and ldif-wrap only) -+ -o general libldap options (plus ldif_wrap and nettimeout for backwards comp.) - -p port - -v verbose - -V version -diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1 -index 667815a26..de90498db 100644 ---- a/doc/man/man1/ldapcompare.1 -+++ b/doc/man/man1/ldapcompare.1 -@@ -186,13 +186,14 @@ Compare extensions: - .TP - .BI \-o \ opt \fR[= optparam \fR] - --Specify general options. -- --General options: -+Specify any -+.BR ldap.conf (5) -+option or one of the following: - .nf - nettimeout= (in seconds, or "none" or "max") -- ldif-wrap= (in columns, or "no" for no wrapping) -+ ldif_wrap= (in columns, or "no" for no wrapping) - .fi -+ - .TP - .BI \-O \ security-properties - Specify SASL security properties. 
-diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1 -index 9e7036230..872424a65 100644 ---- a/doc/man/man1/ldapdelete.1 -+++ b/doc/man/man1/ldapdelete.1 -@@ -192,13 +192,14 @@ Delete extensions: - .TP - .BI \-o \ opt \fR[= optparam \fR] - --Specify general options. -- --General options: -+Specify any -+.BR ldap.conf (5) -+option or one of the following: - .nf - nettimeout= (in seconds, or "none" or "max") -- ldif-wrap= (in columns, or "no" for no wrapping) -+ ldif_wrap= (in columns, or "no" for no wrapping) - .fi -+ - .TP - .BI \-O \ security-properties - Specify SASL security properties. -diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1 -index 5f5ae7aae..96a7c514e 100644 ---- a/doc/man/man1/ldapexop.1 -+++ b/doc/man/man1/ldapexop.1 -@@ -189,13 +189,14 @@ Specify general extensions. \'!\' indicates criticality. - .TP - .BI \-o \ opt \fR[= optparam \fR] - --Specify general options. -- --General options: -+Specify any -+.BR ldap.conf (5) -+option or one of the following: - .nf - nettimeout= (in seconds, or "none" or "max") -- ldif-wrap= (in columns, or "no" for no wrapping) -+ ldif_wrap= (in columns, or "no" for no wrapping) - .fi -+ - .TP - .BI \-O \ security-properties - Specify SASL security properties. -diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 -index f884c5bfb..90f813506 100644 ---- a/doc/man/man1/ldapmodify.1 -+++ b/doc/man/man1/ldapmodify.1 -@@ -255,13 +255,14 @@ Modify extensions: - .TP - .BI \-o \ opt \fR[= optparam \fR]] - --Specify general options. -- --General options: -+Specify any -+.BR ldap.conf (5) -+option or one of the following: - .nf - nettimeout= (in seconds, or "none" or "max") -- ldif-wrap= (in columns, or "no" for no wrapping) -+ ldif_wrap= (in columns, or "no" for no wrapping) - .fi -+ - .TP - .BI \-O \ security-properties - Specify SASL security properties. 
-diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1 -index fa9eac627..900ba7e0e 100644 ---- a/doc/man/man1/ldapmodrdn.1 -+++ b/doc/man/man1/ldapmodrdn.1 -@@ -186,13 +186,14 @@ Modrdn extensions: - .TP - .BI \-o \ opt \fR[= optparam \fR] - --Specify general options. -- --General options: -+Specify any -+.BR ldap.conf (5) -+option or one of the following: - .nf - nettimeout= (in seconds, or "none" or "max") -- ldif-wrap= (in columns, or "no" for no wrapping) -+ ldif_wrap= (in columns, or "no" for no wrapping) - .fi -+ - .TP - .BI \-O \ security-properties - Specify SASL security properties. -diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1 -index d3f45b082..bf273fb25 100644 ---- a/doc/man/man1/ldappasswd.1 -+++ b/doc/man/man1/ldappasswd.1 -@@ -188,13 +188,14 @@ Passwd Modify extensions: - .TP - .BI \-o \ opt \fR[= optparam \fR]] - --Specify general options. -- --General options: -+Specify any -+.BR ldap.conf (5) -+option or one of the following: - .nf - nettimeout= (in seconds, or "none" or "max") -- ldif-wrap= (in columns, or "no" for no wrapping) -+ ldif_wrap= (in columns, or "no" for no wrapping) - .fi -+ - .TP - .BI \-O \ security-properties - Specify SASL security properties. -diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1 -index 196179232..901e56043 100644 ---- a/doc/man/man1/ldapsearch.1 -+++ b/doc/man/man1/ldapsearch.1 -@@ -332,13 +332,14 @@ Search extensions: - .TP - .BI \-o \ opt \fR[= optparam \fR] - --Specify general options. -- --General options: -+Specify any -+.BR ldap.conf (5) -+option or one of the following: - .nf - nettimeout= (in seconds, or "none" or "max") -- ldif-wrap= (in columns, or "no" for no wrapping) -+ ldif_wrap= (in columns, or "no" for no wrapping) - .fi -+ - .TP - .BI \-O \ security-properties - Specify SASL security properties. 
-diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1 -index b684de54a..79864c729 100644 ---- a/doc/man/man1/ldapwhoami.1 -+++ b/doc/man/man1/ldapwhoami.1 -@@ -143,13 +143,18 @@ WhoAmI extensions: - .TP - .BI \-o \ opt \fR[= optparam \fR] - --Specify general options. -- --General options: -+Specify any -+.BR ldap.conf (5) -+option or one of the following: - .nf - nettimeout= (in seconds, or "none" or "max") -- ldif-wrap= (in columns, or "no" for no wrapping) -+ ldif_wrap= (in columns, or "no" for no wrapping) - .fi -+ -+.B -o -+option that can be passed here, check -+.BR ldap.conf (5) -+for details. - .TP - .BI \-O \ security-properties - Specify SASL security properties. -diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8 -index d05cfa643..24c8f03ea 100644 ---- a/doc/man/man8/slapcat.8 -+++ b/doc/man/man8/slapcat.8 -@@ -149,7 +149,7 @@ Possible generic options/values are: - syslog\-level= (see `\-S' in slapd(8)) - syslog\-user= (see `\-l' in slapd(8)) - -- ldif-wrap={no|} -+ ldif_wrap={no|} - - .in - \fIn\fP is the number of columns allowed for the LDIF output -diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h -index 61c620785..c586a95b5 100644 ---- a/include/ldap_pvt.h -+++ b/include/ldap_pvt.h -@@ -321,6 +321,11 @@ struct ldapmsg; - LDAP_F ( int ) ldap_pvt_discard LDAP_P(( - struct ldap *ld, ber_int_t msgid )); - -+/* init.c */ -+LDAP_F( int ) -+ldap_pvt_conf_option LDAP_P(( -+ char *cmd, char *opt, int userconf )); -+ - /* messages.c */ - LDAP_F( BerElement * ) - ldap_get_message_ber LDAP_P(( -diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c -index 182ef7d7e..746824fbd 100644 ---- a/libraries/libldap/init.c -+++ b/libraries/libldap/init.c -@@ -148,6 +148,141 @@ static const struct ol_attribute { - #define MAX_LDAP_ATTR_LEN sizeof("GSSAPI_ALLOW_REMOTE_PRINCIPAL") - #define MAX_LDAP_ENV_PREFIX_LEN 8 - -+static int -+ldap_int_conf_option( -+ struct ldapoptions *gopts, -+ char *cmd, char *opt, int userconf ) -+{ -+ int i; 
-+ -+ for(i=0; attrs[i].type != ATTR_NONE; i++) { -+ void *p; -+ -+ if( !userconf && attrs[i].useronly ) { -+ continue; -+ } -+ -+ if(strcasecmp(cmd, attrs[i].name) != 0) { -+ continue; -+ } -+ -+ switch(attrs[i].type) { -+ case ATTR_BOOL: -+ if((strcasecmp(opt, "on") == 0) -+ || (strcasecmp(opt, "yes") == 0) -+ || (strcasecmp(opt, "true") == 0)) -+ { -+ LDAP_BOOL_SET(gopts, attrs[i].offset); -+ -+ } else { -+ LDAP_BOOL_CLR(gopts, attrs[i].offset); -+ } -+ -+ break; -+ -+ case ATTR_INT: { -+ char *next; -+ long l; -+ p = &((char *) gopts)[attrs[i].offset]; -+ l = strtol( opt, &next, 10 ); -+ if ( next != opt && next[ 0 ] == '\0' ) { -+ * (int*) p = l; -+ } -+ } break; -+ -+ case ATTR_KV: { -+ const struct ol_keyvalue *kv; -+ -+ for(kv = attrs[i].data; -+ kv->key != NULL; -+ kv++) { -+ -+ if(strcasecmp(opt, kv->key) == 0) { -+ p = &((char *) gopts)[attrs[i].offset]; -+ * (int*) p = kv->value; -+ break; -+ } -+ } -+ } break; -+ -+ case ATTR_STRING: -+ p = &((char *) gopts)[attrs[i].offset]; -+ if (* (char**) p != NULL) LDAP_FREE(* (char**) p); -+ * (char**) p = LDAP_STRDUP(opt); -+ break; -+ case ATTR_OPTION: -+ ldap_set_option( NULL, attrs[i].offset, opt ); -+ break; -+ case ATTR_SASL: -+#ifdef HAVE_CYRUS_SASL -+ ldap_int_sasl_config( gopts, attrs[i].offset, opt ); -+#endif -+ break; -+ case ATTR_GSSAPI: -+#ifdef HAVE_GSSAPI -+ ldap_int_gssapi_config( gopts, attrs[i].offset, opt ); -+#endif -+ break; -+ case ATTR_TLS: -+#ifdef HAVE_TLS -+ ldap_int_tls_config( NULL, attrs[i].offset, opt ); -+#endif -+ break; -+ case ATTR_OPT_TV: { -+ struct timeval tv; -+ char *next; -+ tv.tv_usec = 0; -+ tv.tv_sec = strtol( opt, &next, 10 ); -+ if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) { -+ (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv ); -+ } -+ } break; -+ case ATTR_OPT_INT: { -+ long l; -+ char *next; -+ l = strtol( opt, &next, 10 ); -+ if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) { -+ int v = (int)l; -+ 
(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v ); -+ } -+ } break; -+ } -+ -+ break; -+ } -+ -+ if ( attrs[i].type == ATTR_NONE ) { -+ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_config: " -+ "unknown option '%s'", -+ cmd, 0, 0 ); -+ return 1; -+ } -+ -+ return 0; -+} -+ -+int -+ldap_pvt_conf_option( -+ char *cmd, char *opt, int userconf ) -+{ -+ struct ldapoptions *gopts; -+ int rc = LDAP_OPT_ERROR; -+ -+ /* Get pointer to global option structure */ -+ gopts = LDAP_INT_GLOBAL_OPT(); -+ if (NULL == gopts) { -+ return LDAP_NO_MEMORY; -+ } -+ -+ if ( gopts->ldo_valid != LDAP_INITIALIZED ) { -+ ldap_int_initialize(gopts, NULL); -+ if ( gopts->ldo_valid != LDAP_INITIALIZED ) -+ return LDAP_LOCAL_ERROR; -+ } -+ -+ return ldap_int_conf_option( gopts, cmd, opt, userconf ); -+} -+ - static void openldap_ldap_init_w_conf( - const char *file, int userconf ) - { -@@ -213,101 +348,7 @@ static void openldap_ldap_init_w_conf( - while(isspace((unsigned char)*start)) start++; - opt = start; - -- for(i=0; attrs[i].type != ATTR_NONE; i++) { -- void *p; -- -- if( !userconf && attrs[i].useronly ) { -- continue; -- } -- -- if(strcasecmp(cmd, attrs[i].name) != 0) { -- continue; -- } -- -- switch(attrs[i].type) { -- case ATTR_BOOL: -- if((strcasecmp(opt, "on") == 0) -- || (strcasecmp(opt, "yes") == 0) -- || (strcasecmp(opt, "true") == 0)) -- { -- LDAP_BOOL_SET(gopts, attrs[i].offset); -- -- } else { -- LDAP_BOOL_CLR(gopts, attrs[i].offset); -- } -- -- break; -- -- case ATTR_INT: { -- char *next; -- long l; -- p = &((char *) gopts)[attrs[i].offset]; -- l = strtol( opt, &next, 10 ); -- if ( next != opt && next[ 0 ] == '\0' ) { -- * (int*) p = l; -- } -- } break; -- -- case ATTR_KV: { -- const struct ol_keyvalue *kv; -- -- for(kv = attrs[i].data; -- kv->key != NULL; -- kv++) { -- -- if(strcasecmp(opt, kv->key) == 0) { -- p = &((char *) gopts)[attrs[i].offset]; -- * (int*) p = kv->value; -- break; -- } -- } -- } break; -- -- case ATTR_STRING: -- p = &((char *) 
gopts)[attrs[i].offset]; -- if (* (char**) p != NULL) LDAP_FREE(* (char**) p); -- * (char**) p = LDAP_STRDUP(opt); -- break; -- case ATTR_OPTION: -- ldap_set_option( NULL, attrs[i].offset, opt ); -- break; -- case ATTR_SASL: --#ifdef HAVE_CYRUS_SASL -- ldap_int_sasl_config( gopts, attrs[i].offset, opt ); --#endif -- break; -- case ATTR_GSSAPI: --#ifdef HAVE_GSSAPI -- ldap_int_gssapi_config( gopts, attrs[i].offset, opt ); --#endif -- break; -- case ATTR_TLS: --#ifdef HAVE_TLS -- ldap_int_tls_config( NULL, attrs[i].offset, opt ); --#endif -- break; -- case ATTR_OPT_TV: { -- struct timeval tv; -- char *next; -- tv.tv_usec = 0; -- tv.tv_sec = strtol( opt, &next, 10 ); -- if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) { -- (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv ); -- } -- } break; -- case ATTR_OPT_INT: { -- long l; -- char *next; -- l = strtol( opt, &next, 10 ); -- if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) { -- int v = (int)l; -- (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v ); -- } -- } break; -- } -- -- break; -- } -+ ldap_int_conf_option( gopts, cmd, opt, userconf ); - } - - fclose(fp); -diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c -index 01574af1e..a62c69581 100644 ---- a/servers/slapd/slapcommon.c -+++ b/servers/slapd/slapcommon.c -@@ -228,7 +228,8 @@ parse_slapopt( int tool, int *mode ) - break; - } - -- } else if ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) { -+ } else if ( ( strncasecmp( optarg, "ldif_wrap", len ) == 0 ) || -+ ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) ) { - switch ( tool ) { - case SLAPCAT: - if ( strcasecmp( p, "no" ) == 0 ) { -@@ -237,7 +238,7 @@ parse_slapopt( int tool, int *mode ) - } else { - unsigned int u; - if ( lutil_atou( &u, p ) ) { -- Debug( LDAP_DEBUG_ANY, "unable to parse ldif-wrap=\"%s\".\n", p, 0, 0 ); -+ Debug( LDAP_DEBUG_ANY, "unable to parse ldif_wrap=\"%s\".\n", p, 0, 0 ); - return -1; - } - ldif_wrap = 
(ber_len_t)u; --- -2.29.2 - diff --git a/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch b/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch deleted file mode 100644 index 31574ee..0000000 --- a/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch +++ /dev/null 
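Review bot: the tool_args hunk drops the hyphenated `ldif-wrap` spelling with no fallback: the final branch now reads `} else if ( ldap_pvt_conf_option( control, cvalue, 1 ) ) {`, and ldap_pvt_conf_option knows nothing about `ldif-wrap`, so an existing `-o ldif-wrap=...` invocation is rejected with "Invalid general option name", while the slapcommon.c hunk of the same patch keeps accepting both `ldif_wrap` and `ldif-wrap`. The doc/devel/args hunk even says `ldif_wrap` is kept "for backwards comp.", which the code does not honour for the old spelling; adding `|| strcasecmp( control, "ldif-wrap" ) == 0` to the ldif_wrap condition would have preserved it. Since this patch is being removed as now upstream, the rename is a user-visible change in 2.6.1 and belongs in the UPGRADE_INSTRUCTIONS file this commit adds. Same hunk, second point: every non-zero return from ldap_pvt_conf_option, including LDAP_NO_MEMORY and LDAP_LOCAL_ERROR from the initialisation path, is reported as an invalid option name, which misleads the user when the real failure is library initialisation.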
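Review bot: in the init.c hunk the unknown-option trace in the new ldap_int_conf_option reads `"ldap_int_tls_config: " "unknown option '%s'"`, a label copied from the TLS parser and without a trailing newline, so the message names the wrong function and runs into the next log line; `"ldap_int_conf_option: unknown option '%s'\n"` would be accurate. In ldap_pvt_conf_option, `int rc = LDAP_OPT_ERROR;` is assigned and never used. Minor since the file is deleted here, but worth checking whether the 2.6.1 upstream copy of this code carries the same text before relying on "patches now upstream".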
@@ -1,631 +0,0 @@ -NOTE: The patch has been adjusted to match the base code before backporting. - -From 3cd50fa8b32a21040a9892e2a8a7a9dfc7541ce6 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 14 Apr 2020 16:10:48 +0300 -Subject: [PATCH] ITS#9189 rework sasl-cbinding support - -Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use, -defaults to "none". - -Add "tls-endpoint" binding type implementing "tls-server-end-point" from -RCF 5929, which is compatible with Windows. - -Fix "tls-unique" to include the prefix in the bindings as per RFC 5056. ---- - doc/man/man3/ldap_get_option.3 | 16 ++++++ - doc/man/man5/ldap.conf.5 | 3 + - doc/man/man5/slapd-config.5 | 4 ++ - doc/man/man5/slapd.conf.5 | 3 + - include/ldap.h | 5 ++ - include/ldap_pvt.h | 5 ++ - libraries/libldap/cyrus.c | 101 +++++++++++++++++++++++++++++---- - libraries/libldap/init.c | 1 + - libraries/libldap/ldap-int.h | 1 + - libraries/libldap/ldap-tls.h | 2 + - libraries/libldap/tls2.c | 7 +++ - libraries/libldap/tls_g.c | 59 +++++++++++++++++++ - libraries/libldap/tls_o.c | 45 +++++++++++++++ - servers/slapd/bconfig.c | 11 +++- - servers/slapd/config.c | 1 + - servers/slapd/connection.c | 9 +-- - servers/slapd/proto-slap.h | 4 +- - servers/slapd/sasl.c | 27 ++++++--- - 18 files changed, 274 insertions(+), 30 deletions(-) - -diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3 -index 7546875f5..e953900ce 100644 ---- a/doc/man/man3/ldap_get_option.3 -+++ b/doc/man/man3/ldap_get_option.3 -@@ -557,6 +557,22 @@ must be a - .BR "char **" . - Its content needs to be freed by the caller using - .BR ldap_memfree (3). -+.B LDAP_OPT_X_SASL_CBINDING -+Sets/gets the channel-binding type to use in SASL, -+one of -+.BR LDAP_OPT_X_SASL_CBINDING_NONE -+(the default), -+.BR LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE -+the "tls-unique" type from RCF 5929. -+.BR LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT -+the "tls-server-end-point" from RCF 5929, compatible with Windows. 
-+.BR invalue -+must be -+.BR "const int *" ; -+.BR outvalue -+must be -+.BR "int *" . -+.TP - .SH TCP OPTIONS - The TCP options are OpenLDAP specific. - Mainly intended for use with Linux, they may not be portable. -diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 -index adf134899..29810fc9f 100644 ---- a/doc/man/man5/ldap.conf.5 -+++ b/doc/man/man5/ldap.conf.5 -@@ -286,6 +286,9 @@ size allowed. 0 disables security layers. The default is 65536. - .TP - .B SASL_NOCANON - Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off. -+.TP -+.B SASL_CBINDING -+The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none. - .SH GSSAPI OPTIONS - If OpenLDAP is built with Generic Security Services Application Programming Interface support, - there are more options you can specify. -diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 -index 0dddfdb6c..8c987d8c1 100644 ---- a/doc/man/man5/slapd-config.5 -+++ b/doc/man/man5/slapd-config.5 -@@ -699,6 +699,10 @@ Used to specify the fully qualified domain name used for SASL processing. - .B olcSaslRealm: - Specify SASL realm. Default is empty. - .TP -+.B olcSaslCbinding: none | tls-unique | tls-endpoint -+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING. -+Default is none. -+.TP - .B olcSaslSecProps: - Used to specify Cyrus SASL security properties. - The -diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 -index 0071072b1..203ab988e 100644 ---- a/doc/man/man5/slapd.conf.5 -+++ b/doc/man/man5/slapd.conf.5 -@@ -893,6 +893,9 @@ The - property specifies the maximum security layer receive buffer - size allowed. 0 disables security layers. The default is 65536. - .TP -+.B sasl\-cbinding none | tls-unique | tls-endpoint -+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING. -+.TP - .B schemadn - Specify the distinguished name for the subschema subentry that - controls the entries on this server. 
The default is "cn=Subschema". -diff --git a/include/ldap.h b/include/ldap.h -index 88bfcabf8..e8ac968a9 100644 ---- a/include/ldap.h -+++ b/include/ldap.h -@@ -180,6 +180,10 @@ LDAP_BEGIN_DECL - #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2) - #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3) - -+#define LDAP_OPT_X_SASL_CBINDING_NONE 0 -+#define LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE 1 -+#define LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT 2 -+ - /* OpenLDAP SASL options */ - #define LDAP_OPT_X_SASL_MECH 0x6100 - #define LDAP_OPT_X_SASL_REALM 0x6101 -@@ -195,6 +199,7 @@ LDAP_BEGIN_DECL - #define LDAP_OPT_X_SASL_NOCANON 0x610b - #define LDAP_OPT_X_SASL_USERNAME 0x610c /* read-only */ - #define LDAP_OPT_X_SASL_GSS_CREDS 0x610d -+#define LDAP_OPT_X_SASL_CBINDING 0x610e - - /* OpenLDAP GSSAPI options */ - #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200 -diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h -index c586a95b5..b71552ec5 100644 ---- a/include/ldap_pvt.h -+++ b/include/ldap_pvt.h -@@ -262,6 +262,10 @@ LDAP_F (void *) ldap_pvt_sasl_mutex_new LDAP_P((void)); - LDAP_F (int) ldap_pvt_sasl_mutex_lock LDAP_P((void *mutex)); - LDAP_F (int) ldap_pvt_sasl_mutex_unlock LDAP_P((void *mutex)); - LDAP_F (void) ldap_pvt_sasl_mutex_dispose LDAP_P((void *mutex)); -+ -+LDAP_F (int) ldap_pvt_sasl_cbinding_parse LDAP_P(( const char *arg )); -+LDAP_F (void *) ldap_pvt_sasl_cbinding LDAP_P(( void *ssl, int type, -+ int is_server )); - #endif /* HAVE_CYRUS_SASL */ - - struct sockbuf; /* avoid pulling in */ -@@ -426,6 +430,7 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn, - LDAPDN_rewrite_dummy *func, unsigned flags )); - LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx )); - LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server )); -+LDAP_F (int) ldap_pvt_tls_get_endpoint LDAP_P(( void *ctx, struct berval *buf, int is_server )); - - LDAP_END_DECL - -diff --git a/libraries/libldap/cyrus.c 
b/libraries/libldap/cyrus.c -index 3171d56a3..081e3cea5 100644 ---- a/libraries/libldap/cyrus.c -+++ b/libraries/libldap/cyrus.c -@@ -368,6 +368,65 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc ) - return LDAP_SUCCESS; - } - -+int ldap_pvt_sasl_cbinding_parse( const char *arg ) -+{ -+ int i = -1; -+ -+ if ( strcasecmp(arg, "none") == 0 ) -+ i = LDAP_OPT_X_SASL_CBINDING_NONE; -+ else if ( strcasecmp(arg, "tls-unique") == 0 ) -+ i = LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE; -+ else if ( strcasecmp(arg, "tls-endpoint") == 0 ) -+ i = LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT; -+ -+ return i; -+} -+ -+void *ldap_pvt_sasl_cbinding( void *ssl, int type, int is_server ) -+{ -+#if defined(SASL_CHANNEL_BINDING) && defined(HAVE_TLS) -+ char unique_prefix[] = "tls-unique:"; -+ char endpoint_prefix[] = "tls-server-end-point:"; -+ char cbinding[ 64 ]; -+ struct berval cbv = { 64, cbinding }; -+ void *cb_data; /* used since cb->data is const* */ -+ sasl_channel_binding_t *cb; -+ char *prefix; -+ int plen; -+ -+ switch (type) { -+ case LDAP_OPT_X_SASL_CBINDING_NONE: -+ return NULL; -+ case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE: -+ if ( !ldap_pvt_tls_get_unique( ssl, &cbv, is_server )) -+ return NULL; -+ prefix = unique_prefix; -+ plen = sizeof(unique_prefix) -1; -+ break; -+ case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT: -+ if ( !ldap_pvt_tls_get_endpoint( ssl, &cbv, is_server )) -+ return NULL; -+ prefix = endpoint_prefix; -+ plen = sizeof(endpoint_prefix) -1; -+ break; -+ default: -+ return NULL; -+ } -+ -+ cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len ); -+ cb->len = plen + cbv.bv_len; -+ cb->data = cb_data = cb+1; -+ memcpy( cb_data, prefix, plen ); -+ memcpy( cb_data + plen, cbv.bv_val, cbv.bv_len ); -+ cb->name = "ldap"; -+ cb->critical = 0; -+ -+ return cb; -+#else -+ return NULL; -+#endif -+} -+ - int - ldap_int_sasl_bind( - LDAP *ld, -@@ -497,17 +556,12 @@ ldap_int_sasl_bind( - (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac ); - LDAP_FREE( 
authid.bv_val ); - #ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */ -- { -- char cbinding[64]; -- struct berval cbv = { sizeof(cbinding), cbinding }; -- if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) { -- sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) + -- cbv.bv_len); -- cb->name = "ldap"; -- cb->critical = 0; -- cb->data = (char *)(cb+1); -- cb->len = cbv.bv_len; -- memcpy( cb->data, cbv.bv_val, cbv.bv_len ); -+ if ( ld->ld_defconn->lconn_sasl_cbind == NULL ) { -+ void *cb; -+ cb = ldap_pvt_sasl_cbinding( ssl, -+ ld->ld_options.ldo_sasl_cbinding, -+ 0 ); -+ if ( cb != NULL ) { - sasl_setprop( ld->ld_defconn->lconn_sasl_authctx, - SASL_CHANNEL_BINDING, cb ); - ld->ld_defconn->lconn_sasl_cbind = cb; -@@ -930,12 +984,20 @@ int ldap_pvt_sasl_secprops( - int - ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg ) - { -- int rc; -+ int rc, i; - - switch( option ) { - case LDAP_OPT_X_SASL_SECPROPS: - rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops ); - if( rc == LDAP_SUCCESS ) return 0; -+ break; -+ case LDAP_OPT_X_SASL_CBINDING: -+ i = ldap_pvt_sasl_cbinding_parse( arg ); -+ if ( i >= 0 ) { -+ lo->ldo_sasl_cbinding = i; -+ return 0; -+ } -+ break; - } - - return -1; -@@ -1041,6 +1103,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg ) - /* this option is write only */ - return -1; - -+ case LDAP_OPT_X_SASL_CBINDING: -+ *(int *)arg = ld->ld_options.ldo_sasl_cbinding; -+ break; -+ - #ifdef SASL_GSS_CREDS - case LDAP_OPT_X_SASL_GSS_CREDS: { - sasl_conn_t *ctx; -@@ -1142,6 +1208,17 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg ) - return sc == LDAP_SUCCESS ? 
0 : -1; - } - -+ case LDAP_OPT_X_SASL_CBINDING: -+ if ( !arg ) return -1; -+ switch( *(int *) arg ) { -+ case LDAP_OPT_X_SASL_CBINDING_NONE: -+ case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE: -+ case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT: -+ ld->ld_options.ldo_sasl_cbinding = *(int *) arg; -+ return 0; -+ } -+ return -1; -+ - #ifdef SASL_GSS_CREDS - case LDAP_OPT_X_SASL_GSS_CREDS: { - sasl_conn_t *ctx; -diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c -index 746824fbd..0c4b6237e 100644 ---- a/libraries/libldap/init.c -+++ b/libraries/libldap/init.c -@@ -113,6 +113,7 @@ static const struct ol_attribute { - offsetof(struct ldapoptions, ldo_def_sasl_authzid)}, - {0, ATTR_SASL, "SASL_SECPROPS", NULL, LDAP_OPT_X_SASL_SECPROPS}, - {0, ATTR_BOOL, "SASL_NOCANON", NULL, LDAP_BOOL_SASL_NOCANON}, -+ {0, ATTR_SASL, "SASL_CBINDING", NULL, LDAP_OPT_X_SASL_CBINDING}, - #endif - - #ifdef HAVE_GSSAPI -diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h -index 397894271..08d4b4a92 100644 ---- a/libraries/libldap/ldap-int.h -+++ b/libraries/libldap/ldap-int.h -@@ -276,6 +276,7 @@ struct ldapoptions { - - /* SASL Security Properties */ - struct sasl_security_properties ldo_sasl_secprops; -+ int ldo_sasl_cbinding; - #define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0} - #else - #define LDAP_LDO_SASL_NULLARG -diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h -index 103004fa7..77975bb6c 100644 ---- a/libraries/libldap/ldap-tls.h -+++ b/libraries/libldap/ldap-tls.h -@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn); - typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in); - typedef int (TI_session_strength)(tls_session *sess); - typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server); -+typedef int (TI_session_endpoint)(tls_session *sess, struct berval *buf, int is_server); - typedef int (TI_session_peercert)(tls_session *s, struct berval *der); - - typedef 
void (TI_thr_init)(void); -@@ -67,6 +68,7 @@ typedef struct tls_impl { - TI_session_chkhost *ti_session_chkhost; - TI_session_strength *ti_session_strength; - TI_session_unique *ti_session_unique; -+ TI_session_endpoint *ti_session_endpoint; - TI_session_peercert *ti_session_peercert; - - Sockbuf_IO *ti_sbio; -diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c -index 8b1fee748..f74af7d1d 100644 ---- a/libraries/libldap/tls2.c -+++ b/libraries/libldap/tls2.c -@@ -1041,6 +1041,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server ) - return tls_imp->ti_session_unique( session, buf, is_server ); - } - -+int -+ldap_pvt_tls_get_endpoint( void *s, struct berval *buf, int is_server ) -+{ -+ tls_session *session = s; -+ return tls_imp->ti_session_endpoint( session, buf, is_server ); -+} -+ - int - ldap_pvt_tls_get_peercert( void *s, struct berval *der ) - { -diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c -index 26d9f99ce..52dfcd3ab 100644 ---- a/libraries/libldap/tls_g.c -+++ b/libraries/libldap/tls_g.c -@@ -675,6 +675,64 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server) - return 0; - } - -+static int -+tlsg_session_endpoint( tls_session *sess, struct berval *buf, int is_server ) -+{ -+ tlsg_session *s = (tlsg_session *)sess; -+ const gnutls_datum_t *cert_data; -+ gnutls_x509_crt_t server_cert; -+ gnutls_digest_algorithm_t md; -+ int sign_algo, md_len, rc; -+ -+ if ( is_server ) -+ cert_data = gnutls_certificate_get_ours( s->session ); -+ else -+ cert_data = gnutls_certificate_get_peers( s->session, NULL ); -+ -+ if ( cert_data == NULL ) -+ return 0; -+ -+ rc = gnutls_x509_crt_init( &server_cert ); -+ if ( rc != GNUTLS_E_SUCCESS ) -+ return 0; -+ -+ rc = gnutls_x509_crt_import( server_cert, cert_data, GNUTLS_X509_FMT_DER ); -+ if ( rc != GNUTLS_E_SUCCESS ) { -+ gnutls_x509_crt_deinit( server_cert ); -+ return 0; -+ } -+ -+ sign_algo = gnutls_x509_crt_get_signature_algorithm( server_cert ); -+ 
gnutls_x509_crt_deinit( server_cert ); -+ if ( sign_algo <= GNUTLS_SIGN_UNKNOWN ) -+ return 0; -+ -+ md = gnutls_sign_get_hash_algorithm( sign_algo ); -+ if ( md == GNUTLS_DIG_UNKNOWN ) -+ return 0; -+ -+ /* See RFC 5929 */ -+ switch (md) { -+ case GNUTLS_DIG_NULL: -+ case GNUTLS_DIG_MD2: -+ case GNUTLS_DIG_MD5: -+ case GNUTLS_DIG_SHA1: -+ md = GNUTLS_DIG_SHA256; -+ } -+ -+ md_len = gnutls_hash_get_len( md ); -+ if ( md_len == 0 || md_len > buf->bv_len ) -+ return 0; -+ -+ rc = gnutls_hash_fast( md, cert_data->data, cert_data->size, buf->bv_val ); -+ if ( rc != GNUTLS_E_SUCCESS ) -+ return 0; -+ -+ buf->bv_len = md_len; -+ -+ return md_len; -+} -+ - static int - tlsg_session_peercert( tls_session *sess, struct berval *der ) - { -@@ -950,6 +1008,7 @@ tls_impl ldap_int_tls_impl = { - tlsg_session_chkhost, - tlsg_session_strength, - tlsg_session_unique, -+ tlsg_session_endpoint, - tlsg_session_peercert, - - &tlsg_sbio, -diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c -index 157923289..8ede11572 100644 ---- a/libraries/libldap/tls_o.c -+++ b/libraries/libldap/tls_o.c -@@ -861,6 +861,50 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server) - return buf->bv_len; - } - -+static int -+tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server ) -+{ -+ tlso_session *s = (tlso_session *)sess; -+ const EVP_MD *md; -+ unsigned int md_len; -+ X509 *cert; -+ -+ if ( buf->bv_len < EVP_MAX_MD_SIZE ) -+ return 0; -+ -+ if ( is_server ) -+ cert = SSL_get_certificate( s ); -+ else -+ cert = SSL_get_peer_certificate( s ); -+ -+ if ( cert == NULL ) -+ return 0; -+ -+#if OPENSSL_VERSION_NUMBER >= 0x10100000 -+ md = EVP_get_digestbynid( X509_get_signature_nid( cert )); -+#else -+ md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm )); -+#endif -+ -+ /* See RFC 5929 */ -+ if ( md == NULL || -+ md == EVP_md_null() || -+#ifndef OPENSSL_NO_MD2 -+ md == EVP_md2() || -+#endif -+ md == EVP_md4() || -+ md == EVP_md5() || -+ 
md == EVP_sha1() ) -+ md = EVP_sha256(); -+ -+ if ( !X509_digest( cert, md, buf->bv_val, &md_len )) -+ return 0; -+ -+ buf->bv_len = md_len; -+ -+ return md_len; -+} -+ - static int - tlso_session_peercert( tls_session *sess, struct berval *der ) - { -@@ -1394,6 +1438,7 @@ tls_impl ldap_int_tls_impl = { - tlso_session_chkhost, - tlso_session_strength, - tlso_session_unique, -+ tlso_session_endpoint, - tlso_session_peercert, - - &tlso_sbio, -diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c -index 3188ccfbe..8c4ccb860 100644 ---- a/servers/slapd/bconfig.c -+++ b/servers/slapd/bconfig.c -@@ -569,6 +569,15 @@ static ConfigTable config_back_cf_table[] = { - #endif - "( OLcfgGlAt:89 NAME 'olcSaslAuxprops' " - "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, -+ { "sasl-cbinding", NULL, 2, 2, 0, -+#ifdef HAVE_CYRUS_SASL -+ ARG_STRING, &sasl_cbinding, -+#else -+ ARG_IGNORED, NULL, -+#endif -+ "( OLcfgGlAt:100 NAME 'olcSaslCBinding' " -+ "EQUALITY caseIgnoreMatch " -+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, - { "sasl-host", "host", 2, 2, 0, - #ifdef HAVE_CYRUS_SASL - ARG_STRING|ARG_UNIQUE, &sasl_host, -@@ -820,7 +829,7 @@ static ConfigOCs cf_ocs[] = { - "olcPluginLogFile $ olcReadOnly $ olcReferral $ " - "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ " - "olcRootDSE $ " -- "olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ " -+ "olcSaslAuxprops $ olcSaslCBinding $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ " - "olcSecurity $ olcServerID $ olcSizeLimit $ " - "olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ " - "olcTCPBuffer $ " -diff --git a/servers/slapd/config.c b/servers/slapd/config.c -index 5108da696..77dd3c1ae 100644 ---- a/servers/slapd/config.c -+++ b/servers/slapd/config.c -@@ -73,6 +73,7 @@ char *global_host = NULL; - struct berval global_host_bv = BER_BVNULL; - char *global_realm = NULL; - char *sasl_host = NULL; -+char *sasl_cbinding = NULL; - char **default_passwd_hash = NULL; - 
struct berval default_search_base = BER_BVNULL; - struct berval default_search_nbase = BER_BVNULL; -diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c -index 0602fdceb..d074009e4 100644 ---- a/servers/slapd/connection.c -+++ b/servers/slapd/connection.c -@@ -1430,12 +1430,9 @@ connection_read( ber_socket_t s, conn_readinfo *cri ) - c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 ); - slap_sasl_external( c, c->c_tls_ssf, &authid ); - if ( authid.bv_val ) free( authid.bv_val ); -- { -- char cbinding[64]; -- struct berval cbv = { sizeof(cbinding), cbinding }; -- if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 )) -- slap_sasl_cbinding( c, &cbv ); -- } -+ -+ slap_sasl_cbinding( c, ssl ); -+ - } else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb, - LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */ - slapd_set_write( s, 1 ); -diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h -index de1cabf32..9b52760bd 100644 ---- a/servers/slapd/proto-slap.h -+++ b/servers/slapd/proto-slap.h -@@ -1657,8 +1657,7 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c, - slap_ssf_t ssf, /* relative strength of external security */ - struct berval *authid ); /* asserted authenication id */ - --LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, -- struct berval *cbv ); -+LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, void *ssl ); - - LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c ); - LDAP_SLAPD_F (int) slap_sasl_close( Connection *c ); -@@ -2039,6 +2038,7 @@ LDAP_SLAPD_V (char *) global_host; - LDAP_SLAPD_V (struct berval) global_host_bv; - LDAP_SLAPD_V (char *) global_realm; - LDAP_SLAPD_V (char *) sasl_host; -+LDAP_SLAPD_V (char *) sasl_cbinding; - LDAP_SLAPD_V (char *) slap_sasl_auxprops; - LDAP_SLAPD_V (char **) default_passwd_hash; - LDAP_SLAPD_V (int) lber_debug; -diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c -index 258cd5407..c14e8a628 100644 ---- a/servers/slapd/sasl.c -+++ b/servers/slapd/sasl.c -@@ -1203,6 +1203,8 @@ int 
slap_sasl_destroy( void ) - #endif - free( sasl_host ); - sasl_host = NULL; -+ free( sasl_cbinding ); -+ sasl_cbinding = NULL; - - return 0; - } -@@ -1389,17 +1391,24 @@ int slap_sasl_external( - return LDAP_SUCCESS; - } - --int slap_sasl_cbinding( Connection *conn, struct berval *cbv ) -+int slap_sasl_cbinding( Connection *conn, void *ssl ) - { - #ifdef SASL_CHANNEL_BINDING -- sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );; -- cb->name = "ldap"; -- cb->critical = 0; -- cb->data = (char *)(cb+1); -- cb->len = cbv->bv_len; -- memcpy( cb->data, cbv->bv_val, cbv->bv_len ); -- sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb ); -- conn->c_sasl_cbind = cb; -+ void *cb; -+ int i; -+ -+ if ( sasl_cbinding == NULL ) -+ return LDAP_SUCCESS; -+ -+ i = ldap_pvt_sasl_cbinding_parse( sasl_cbinding ); -+ if ( i < 0 ) -+ return LDAP_SUCCESS; -+ -+ cb = ldap_pvt_sasl_cbinding( ssl, i, 1 ); -+ if ( cb != NULL ) { -+ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb ); -+ conn->c_sasl_cbind = cb; -+ } - #endif - return LDAP_SUCCESS; - } --- -2.29.2 - diff --git a/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch b/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch deleted file mode 100644 index a8727dc..0000000 --- a/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch +++ /dev/null 
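Review bot: in the ldap_get_option.3 hunk the new `.TP` is placed after the LDAP_OPT_X_SASL_CBINDING paragraph, directly before `.SH TCP OPTIONS`, instead of before `.B LDAP_OPT_X_SASL_CBINDING`, so the new option is not rendered as a tagged entry and a stray `.TP` precedes the next section header. The same hunk (and the commit message) spells "RCF 5929"; it should be RFC 5929. The slapd.conf.5 entry for `sasl\-cbinding` also omits the "Default is none." sentence that the slapd-config.5 entry for `olcSaslCbinding` carries.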
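Review bot: ldap_pvt_sasl_cbinding in the cyrus.c hunk dereferences the result of `ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len )` without a NULL check (`cb->len = plen + cbv.bv_len;` follows immediately), unlike the allocation it replaces further down, which was also unchecked but sat in a single caller; now that the helper is shared by client and server, an `if ( cb == NULL ) return NULL;` before the assignments would let both callers fall back to "no binding" instead of faulting.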
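Review bot: in the tls_o.c hunk tlso_session_endpoint obtains the client-side certificate with `cert = SSL_get_peer_certificate( s );`, which returns a new reference that must be released with X509_free(), yet no path in the function frees it, so every tls-endpoint bind on the client leaks an X509 object. SSL_get_certificate() on the server path does not increment the count, so the free has to be conditional on `!is_server`. The GnuTLS counterpart in the tls_g.c hunk does call gnutls_x509_crt_deinit on its `server_cert`, so the two backends are inconsistent here.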
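Review bot: the bconfig.c hunk registers `sasl-cbinding` as a plain `ARG_STRING, &sasl_cbinding` with no parse-time validation, and slap_sasl_cbinding in the sasl.c hunk does `if ( i < 0 ) return LDAP_SUCCESS;` when ldap_pvt_sasl_cbinding_parse rejects the value, so a misspelled setting is accepted at config time and silently results in no channel binding at all, with nothing in the log. Validating through ldap_pvt_sasl_cbinding_parse in a config handler and rejecting unknown values, or at least logging at LDAP_DEBUG_ANY before returning, would make the misconfiguration visible; the client side already rejects unknown values in ldap_int_sasl_config, so server and client currently behave differently for the same input.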
@@ -1,45 +0,0 @@ -From 7b0017ad49a2290ec26cbcdffded8a527799e981 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Sat, 18 Apr 2020 16:30:03 +0200 -Subject: [PATCH] ITS#9189 add channel-bindings tests - ---- - tests/scripts/test068-sasl-tls-external | 22 ++++++++++++++++++++++ - 1 file changed, 22 insertions(+) - -diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external -index dcbc50fd4..ee112cf98 100755 ---- a/tests/scripts/test068-sasl-tls-external -+++ b/tests/scripts/test068-sasl-tls-external -@@ -88,6 +88,28 @@ else - echo "success" - fi - -+# Exercise channel-bindings code in builds without SASL support -+for cb in "none" "tls-unique" "tls-endpoint" ; do -+ -+ echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...." -+ -+ $LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ -+ -o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt \ -+ -o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key \ -+ -o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1 \ -+ > $TESTOUT 2>&1 -+ -+ RC=$? -+ if test $RC != 0 ; then -+ echo "ldapwhoami failed ($RC)!" -+ test $KILLSERVERS != no && kill -HUP $PID -+ exit $RC -+ else -+ echo "success" -+ fi -+done -+ -+ - test $KILLSERVERS != no && kill -HUP $KILLPIDS - - if test $RC != 0 ; then --- -2.29.2 - diff --git a/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch b/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch deleted file mode 100644 index ee9a3ca..0000000 --- a/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch +++ /dev/null 
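Review bot: the comment "Exercise channel-bindings code in builds without SASL support" in the test068 hunk is contradicted by the loop body, which binds with `-Y EXTERNAL` through `$LDAPSASLWHOAMI`; if it means builds whose Cyrus SASL lacks SASL_CHANNEL_BINDING, say so. Also, because EXTERNAL does not consume channel bindings, the loop only proves that `-o SASL_CBINDING=$cb` is parsed and that the tls-unique/tls-endpoint extraction does not break the bind; it never inspects the binding value produced, so a wrong digest choice in tlso_session_endpoint or tlsg_session_endpoint would still pass. The two consecutive empty `+` lines before `test $KILLSERVERS` are a whitespace nit.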
@@ -1,27 +0,0 @@ -From 4cac398b19c21ad56949ef7e67e285c6c8e7ecea Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Thu, 23 Apr 2020 22:47:32 +0200 -Subject: [PATCH] ITS#9189 - initialize ldo_sasl_cbinding in - LDAP_LDO_SASL_NULLARG - -Reported-by: Ryan Tandy @ryan ---- - libraries/libldap/ldap-int.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h -index 08d4b4a92..8c7f1e5c1 100644 ---- a/libraries/libldap/ldap-int.h -+++ b/libraries/libldap/ldap-int.h -@@ -277,7 +277,7 @@ struct ldapoptions { - /* SASL Security Properties */ - struct sasl_security_properties ldo_sasl_secprops; - int ldo_sasl_cbinding; --#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0} -+#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0},0 - #else - #define LDAP_LDO_SASL_NULLARG - #endif --- -2.29.2 - diff --git a/openldap-cbinding-ITS-9215-fix-for-glibc-again.patch b/openldap-cbinding-ITS-9215-fix-for-glibc-again.patch deleted file mode 100644 index ec62c85..0000000 --- a/openldap-cbinding-ITS-9215-fix-for-glibc-again.patch +++ /dev/null @@ -1,28 +0,0 @@ -From d548ab15e0d615524c403440c01a9748bfcac87d Mon Sep 17 00:00:00 2001 -From: Howard Chu -Date: Tue, 28 Apr 2020 16:33:41 +0100 -Subject: [PATCH] ITS#9215 fix for glibc again - ---- - libraries/libldap_r/thr_posix.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/libraries/libldap_r/thr_posix.c b/libraries/libldap_r/thr_posix.c -index e4b435707..62f94ca16 100644 ---- a/libraries/libldap_r/thr_posix.c -+++ b/libraries/libldap_r/thr_posix.c -@@ -18,6 +18,11 @@ - - #if defined( HAVE_PTHREADS ) - -+#ifdef __GLIBC__ -+#undef _FEATURES_H -+#define _XOPEN_SOURCE 500 /* For pthread_setconcurrency() on glibc */ -+#endif -+ - #include - - #ifdef REPLACE_BROKEN_YIELD --- -2.31.1 - diff --git a/openldap-cbinding-Make-prototypes-available-where-needed.patch b/openldap-cbinding-Make-prototypes-available-where-needed.patch deleted file mode 100644 index 206f7ca..0000000 
--- a/openldap-cbinding-Make-prototypes-available-where-needed.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -NOTE: The patch has been adjusted to match the base code before backporting. - -From cd914149a665167b2c5ae16baa0c438824588819 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= -Date: Tue, 19 Feb 2019 10:26:39 +0000 -Subject: [PATCH] Make prototypes available where needed - ---- - libraries/libldap/tls2.c | 3 +++ - servers/slapd/config.c | 1 + - servers/slapd/proto-slap.h | 4 ++++ - 3 files changed, 8 insertions(+) - -diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c -index ad09ba39b..8b1fee748 100644 ---- a/libraries/libldap/tls2.c -+++ b/libraries/libldap/tls2.c -@@ -76,6 +76,9 @@ static oid_name oids[] = { - - #ifdef HAVE_TLS - -+LDAP_F(int) ldap_pvt_tls_check_hostname LDAP_P(( LDAP *ld, void *s, const char *name_in )); -+LDAP_F(int) ldap_pvt_tls_get_peercert LDAP_P(( void *s, struct berval *der )); -+ - void - ldap_pvt_tls_ctx_free ( void *c ) - { -diff --git a/servers/slapd/config.c b/servers/slapd/config.c -index bd68a2421..5108da696 100644 ---- a/servers/slapd/config.c -+++ b/servers/slapd/config.c -@@ -48,6 +48,7 @@ - #endif - #include "lutil.h" - #include "lutil_ldap.h" -+#include "ldif.h" - #include "config.h" - - #ifdef _WIN32 -diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h -index 7f8e604fa..de1cabf32 100644 ---- a/servers/slapd/proto-slap.h -+++ b/servers/slapd/proto-slap.h -@@ -739,6 +739,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P(( - LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P(( - slap_bindconf *bc, LDAP *ld )); - LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc )); -+LDAP_SLAPD_F (void) slap_client_keepalive LDAP_P(( LDAP *ld, slap_keepalive *sk )); - LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb )); - LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be, - const char *fname, int lineno, int argc, char **argv )); -@@ -1656,6 +1657,9 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c, - slap_ssf_t ssf, /* relative 
strength of external security */ - struct berval *authid ); /* asserted authenication id */ - -+LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, -+ struct berval *cbv ); -+ - LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c ); - LDAP_SLAPD_F (int) slap_sasl_close( Connection *c ); - --- -2.29.2 - diff --git a/openldap-cbinding-Update-keys-to-RSA-4096.patch b/openldap-cbinding-Update-keys-to-RSA-4096.patch deleted file mode 100644 index f4342e4..0000000 --- a/openldap-cbinding-Update-keys-to-RSA-4096.patch +++ /dev/null 
@@ -1,526 +0,0 @@ -From 3ab98b2fc98843289c1833891518fb3b5b42dcd8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= -Date: Tue, 30 Oct 2018 15:42:35 +0000 -Subject: [PATCH] Update keys to RSA 4096 - ---- - tests/data/tls/ca/certs/testsuiteCA.crt | 133 ++++++++++++++++-- - tests/data/tls/ca/private/testsuiteCA.key | 64 +++++++-- - .../tls/certs/bjensen@mailgw.example.com.crt | 44 ++++-- - tests/data/tls/certs/localhost.crt | 44 ++++-- - tests/data/tls/conf/openssl.cnf | 2 +- - tests/data/tls/create-crt.sh | 9 +- - .../private/bjensen@mailgw.example.com.key | 64 +++++++-- - tests/data/tls/private/localhost.key | 64 +++++++-- - 8 files changed, 336 insertions(+), 88 deletions(-) - -diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt -index 7458e7461..62c88acca 100644 ---- a/tests/data/tls/ca/certs/testsuiteCA.crt -+++ b/tests/data/tls/ca/certs/testsuiteCA.crt -@@ -1,16 +1,121 @@ -+Certificate: -+ Data: -+ Version: 3 (0x2) -+ Serial Number: -+ 0b:43:f8:e9:ee:d3:38:37:92:db:19:65:d9:94:17:cc:70:45:d4:06 -+ Signature Algorithm: sha256WithRSAEncryption -+ Issuer: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite -+ Validity -+ Not Before: Oct 30 15:29:02 2018 GMT -+ Not After : Nov 13 15:29:02 2519 GMT -+ Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite -+ Subject Public Key Info: -+ Public Key Algorithm: rsaEncryption -+ RSA Public-Key: (4096 bit) -+ Modulus: -+ 00:be:e0:ff:36:89:65:c0:4e:46:e6:24:e8:3d:81: -+ 97:92:28:4b:11:c6:21:ac:28:14:31:b2:a3:64:24: -+ 62:61:24:bd:76:7b:9e:7c:3a:50:65:fa:97:f3:c5: -+ 9d:49:cc:61:3a:31:6f:0d:a4:d8:70:57:73:c8:c6: -+ 66:06:d0:59:3f:24:3b:56:5d:70:20:e4:51:2b:88: -+ 5e:f4:78:82:bc:55:b5:d5:5b:f6:e5:55:1f:3a:af: -+ 59:9f:b7:5d:72:70:fe:b6:a4:dd:4e:f9:d0:38:e8: -+ 15:14:c7:45:ed:5e:d3:4c:ee:02:34:3a:37:d8:75: -+ f1:49:0d:f6:8a:7b:8c:87:39:c9:fb:f2:3a:96:57: -+ cd:7c:18:a7:bb:35:de:d3:c4:79:57:20:48:07:b9: -+ 
65:f6:bd:7b:01:5c:99:8a:92:35:7c:b7:e3:96:1c: -+ 6f:4c:47:42:c1:77:d6:62:49:0e:be:01:8f:c9:f4: -+ 64:68:4c:b0:ec:10:12:d0:0e:5f:67:0e:e8:a4:bd: -+ df:9c:fb:5b:04:6f:3c:2a:35:1b:5a:ca:98:ba:f3: -+ 61:f4:3a:77:28:be:a3:63:f1:d6:94:0d:fb:a0:87: -+ e3:a5:9f:56:b6:a6:6a:90:13:80:2a:2e:ae:fe:af: -+ aa:e3:e7:d8:3b:2b:a3:52:4f:73:2d:12:aa:e2:a3: -+ 0c:aa:fb:11:40:86:68:de:be:2b:9b:36:19:9c:d7: -+ d7:5e:13:21:c9:b3:34:6d:09:53:ff:a3:2e:92:f4: -+ 33:80:de:7a:47:1c:47:57:68:53:2a:db:73:6e:6d: -+ fa:40:df:55:25:a1:fc:87:c4:86:ef:6e:16:ec:f8: -+ 48:35:f5:96:b3:55:ce:56:a9:6e:c1:8c:ea:32:85: -+ 26:ea:af:0c:92:24:05:e2:49:12:b7:07:8f:06:96: -+ be:13:fa:ec:49:f7:d4:49:6f:b9:c7:6c:79:53:39: -+ a3:89:c4:4a:92:66:b0:f3:0c:72:6d:50:3c:63:1f: -+ f3:76:63:a8:aa:b7:fd:db:ef:98:b4:5b:49:b6:84: -+ 66:e5:fc:60:0b:c1:f7:b0:f7:84:68:7e:71:5d:ac: -+ fc:a9:cb:f6:02:fc:86:d3:a7:c3:42:ef:ba:f4:1a: -+ 27:71:5d:22:f5:53:e1:a6:f4:a5:dc:31:38:45:0b: -+ a1:6d:ab:9c:05:2e:87:8c:31:02:99:80:6d:3f:66: -+ e8:8a:d7:64:4f:08:7e:2f:f0:1f:28:ff:85:57:22: -+ ee:6a:a7:05:72:f8:cf:5d:07:c6:73:23:82:85:82: -+ 76:4e:36:8a:ec:ea:f1:53:1e:e0:77:d1:4a:9f:df: -+ ec:87:91:0a:56:40:b7:23:19:fa:60:14:d0:f0:32: -+ 4d:11:39 -+ Exponent: 65537 (0x10001) -+ X509v3 extensions: -+ X509v3 Subject Key Identifier: -+ 90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50 -+ X509v3 Authority Key Identifier: -+ keyid:90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50 -+ -+ X509v3 Basic Constraints: critical -+ CA:TRUE -+ Signature Algorithm: sha256WithRSAEncryption -+ 0f:7f:a0:c5:3c:ac:dc:ed:8f:56:3e:64:89:e6:87:d0:ca:a5: -+ 37:b8:0e:49:aa:93:d3:e5:ac:ff:54:24:91:07:1b:9c:dc:08: -+ e6:cc:15:53:be:85:4c:51:52:d3:88:d0:d8:c7:b7:98:40:41: -+ 8a:a7:7a:4c:96:85:61:8c:98:76:f6:a3:2c:10:31:a1:d8:e6: -+ a7:4c:ec:c3:29:ad:04:8b:e3:f2:2d:4c:30:0d:a4:bc:c8:93: -+ d2:9b:88:1d:a4:25:eb:ff:9f:f2:d9:c5:3b:bf:51:91:71:06: -+ 92:35:96:5c:ca:6d:d6:86:47:63:07:7f:37:35:53:68:e9:4e: -+ 
d0:d0:25:42:18:e0:00:9e:ca:f5:bd:b7:94:ee:99:51:44:3a: -+ 0c:44:40:e3:87:e6:ce:6c:2b:3f:c1:01:6c:5c:32:d5:59:b5: -+ bd:25:a3:1a:ff:85:a5:89:9c:d8:24:4b:fa:59:99:5a:64:ab: -+ a1:d8:0f:c0:19:28:84:1e:89:c2:a1:15:4e:0f:7e:1f:bf:f8: -+ 92:df:9f:1c:d5:4a:98:40:82:ee:41:1f:de:f7:25:11:fd:76: -+ 0a:cf:37:40:bc:c2:2d:6a:ea:4a:0c:6d:b0:e6:75:37:b5:63: -+ a8:a1:c5:81:d0:84:c0:f3:e0:c3:5c:c4:9f:ec:3b:9f:8a:74: -+ ce:f0:cc:e3:e9:15:08:a0:ea:3e:a9:8e:bc:9a:01:00:96:fe: -+ 37:6f:61:b5:2c:4b:1f:5d:d7:24:09:fe:bf:f4:77:47:e4:ee: -+ 7c:ea:6b:67:84:ee:56:4f:5f:b9:b8:e4:db:70:e1:4a:b3:94: -+ 4d:dd:52:45:05:4d:79:d4:7c:8b:9d:9b:6a:0b:73:9e:f3:0e: -+ d5:d5:46:da:b4:fb:4a:ea:5b:ab:8e:42:68:0e:96:cd:8a:6e: -+ 35:a8:e6:1b:6a:ed:a8:9e:3c:cc:3b:44:54:b8:2d:ba:c7:83: -+ 91:7c:70:40:0c:14:b8:21:7a:12:ac:8c:96:4c:94:a6:ee:fe: -+ cc:77:34:8e:e3:c3:c0:44:19:51:85:07:6c:d8:d1:2e:69:8d: -+ b1:0e:42:fb:e6:16:65:86:c6:e3:2f:a7:3f:b4:8e:4f:1c:83: -+ c4:0a:ae:a0:d9:17:fd:cf:a2:38:a1:9f:70:dc:5c:df:3c:07: -+ 7b:64:01:ff:35:8c:45:43:e8:fa:a4:f6:c4:71:78:17:6e:6a: -+ 7f:d1:6e:66:c6:89:33:3b:28:4a:76:bf:ca:29:05:51:07:98: -+ ce:63:62:25:61:7f:5e:c6:91:23:02:13:15:4f:fd:24:58:9d: -+ 2d:ac:eb:cb:9a:c2:82:2f:50:5c:5a:16:bb:8c:bf:4d:66:2c: -+ 6f:1c:c4:a9:28:e1:3d:4d - -----BEGIN CERTIFICATE----- --MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV --BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv --bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0 --NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB --MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB --UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd --rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb --lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL --6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU --7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB 
--SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/ --wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws --ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q --aL52EFPS0o3tiAJXS82U2wrQdJ0YEw== -+MIIFjzCCA3egAwIBAgIUC0P46e7TODeS2xll2ZQXzHBF1AYwDQYJKoZIhvcNAQEL -+BQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRwwGgYDVQQKDBNPcGVuTERB -+UCBGb3VuZGF0aW9uMRwwGgYDVQQLDBNPcGVuTERBUCBUZXN0IFN1aXRlMCAXDTE4 -+MTAzMDE1MjkwMloYDzI1MTkxMTEzMTUyOTAyWjBWMQswCQYDVQQGEwJVUzELMAkG -+A1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNVBAsM -+E09wZW5MREFQIFRlc3QgU3VpdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK -+AoICAQC+4P82iWXATkbmJOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfz -+xZ1JzGE6MW8NpNhwV3PIxmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mf -+t11ycP62pN1O+dA46BUUx0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7 -+Nd7TxHlXIEgHuWX2vXsBXJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQ -+Dl9nDuikvd+c+1sEbzwqNRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4Aq -+Lq7+r6rj59g7K6NST3MtEqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S -+9DOA3npHHEdXaFMq23NubfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbq -+rwySJAXiSRK3B48Glr4T+uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iq -+t/3b75i0W0m2hGbl/GALwfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm -+9KXcMThFC6Ftq5wFLoeMMQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8Zz -+I4KFgnZONors6vFTHuB30Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABo1MwUTAd -+BgNVHQ4EFgQUkM9RHegI1Ew0cHFr0gsAaNn9YFAwHwYDVR0jBBgwFoAUkM9RHegI -+1Ew0cHFr0gsAaNn9YFAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC -+AgEAD3+gxTys3O2PVj5kieaH0MqlN7gOSaqT0+Ws/1QkkQcbnNwI5swVU76FTFFS -+04jQ2Me3mEBBiqd6TJaFYYyYdvajLBAxodjmp0zswymtBIvj8i1MMA2kvMiT0puI -+HaQl6/+f8tnFO79RkXEGkjWWXMpt1oZHYwd/NzVTaOlO0NAlQhjgAJ7K9b23lO6Z -+UUQ6DERA44fmzmwrP8EBbFwy1Vm1vSWjGv+FpYmc2CRL+lmZWmSrodgPwBkohB6J -+wqEVTg9+H7/4kt+fHNVKmECC7kEf3vclEf12Cs83QLzCLWrqSgxtsOZ1N7VjqKHF -+gdCEwPPgw1zEn+w7n4p0zvDM4+kVCKDqPqmOvJoBAJb+N29htSxLH13XJAn+v/R3 -+R+TufOprZ4TuVk9fubjk23DhSrOUTd1SRQVNedR8i52bagtznvMO1dVG2rT7Supb 
-+q45CaA6WzYpuNajmG2rtqJ48zDtEVLgtuseDkXxwQAwUuCF6EqyMlkyUpu7+zHc0 -+juPDwEQZUYUHbNjRLmmNsQ5C++YWZYbG4y+nP7SOTxyDxAquoNkX/c+iOKGfcNxc -+3zwHe2QB/zWMRUPo+qT2xHF4F25qf9FuZsaJMzsoSna/yikFUQeYzmNiJWF/XsaR -+IwITFU/9JFidLazry5rCgi9QXFoWu4y/TWYsbxzEqSjhPU0= - -----END CERTIFICATE----- -diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key -index 2e14d7033..01a6614c1 100644 ---- a/tests/data/tls/ca/private/testsuiteCA.key -+++ b/tests/data/tls/ca/private/testsuiteCA.key -@@ -1,16 +1,52 @@ - -----BEGIN PRIVATE KEY----- --MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ --WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc --338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/ --dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg --O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf --7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn --rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f --wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk --AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l --vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9 --27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X --KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N --I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL --+b2qljWeZbGH -+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC+4P82iWXATkbm -+JOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfzxZ1JzGE6MW8NpNhwV3PI -+xmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mft11ycP62pN1O+dA46BUU -+x0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7Nd7TxHlXIEgHuWX2vXsB -+XJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQDl9nDuikvd+c+1sEbzwq -+NRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4AqLq7+r6rj59g7K6NST3Mt -+Eqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S9DOA3npHHEdXaFMq23Nu -+bfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbqrwySJAXiSRK3B48Glr4T 
-++uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iqt/3b75i0W0m2hGbl/GAL -+wfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm9KXcMThFC6Ftq5wFLoeM -+MQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8ZzI4KFgnZONors6vFTHuB3 -+0Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABAoICAQCVkIdpnE92V9+GBfVT/G9f -+vuLTkoRf+SeZqXgNx9SuebNbW5HblXXZ8nmOMZIFeXfVuVZjQn+1x1CaSZs4S5ki -+uKkmCyEJJN3VVo3Q0XzfRemsvNrA5+oIec2oMG2wdomfY59leqmFbZTXKy3HyT2Y -+Uga4FcYcfo4JyD8eU6DRdJ6oJC10EGiajFchghyPoqvRcSH/q24R4Ha5om1M/zOZ -+/hz+SlmLU2sjXVtGuCgtCdw5Sp5Ce5VF43JaRGjMwAnazEyjHPE8kEx8ZhCBG66B -+DqP6UrV736T3c0/Hww0fxFrENA4mIE/vhNgwNVQ5jDxDSC9ObesTW93Lu4za+Re6 -+pmP1eeS/oe1OcI1d/xK2IIQwzB7ZkJ0StbFLnjs7DATO7BGzhC9egC6s+z9oSgTS -+KvmLyoiL5U4fesVJwcCPKwwkVH9n22TuqmvB5mmvZvRTe2+OgDH55Nkfx1SoI8+Q -+/fwV9UXIIg5en+Kv8lOaWCZujmMsjHC79bwxPLeaePRwD/RBkT1MLW/T4fWGpAt3 -+H89+yufH31Y/1QMxVVtR9OdxCtljiXno/bArMNZ0oE1TiCcckMzdjKh7RNfkEXRM -+Pga92HBTgtJ3tfWJ4qOtJ4NKJPQ7wRmR03Bug8+bGM4K5HDO08fNuag/pP3AQvrM -+QGbHFVho3I7/DXnmRBq/gQKCAQEA75eptBtP8PWnN9uNsQoWxvFKQBtbLfPKUcVP -++LWOWF4ag2YRRf6TIzvGfIk54OGSL/srWCDKjXWJ0NgUn6yiqOkoP4oxEE1m2QDY -+7oCk9vJipJcrtNCKL6NhKwZDOjlDSROb/hBeMgr14Da/WkPE6zQhuwN5y4Japbjs -+cBYTao2uOg4QQz5Aee+ee55L6iAgMT0PnlQtv1uVW3D46e02CrQKtRmtDxqT3Nux -+nudJdz+rMFM0EDgVKUYRwFCa6xjI4y2K1aCwCtJG9yTJpYqCD9hehfwEije6dNNg -+p5RX3M9ai710Yx4F26cwX/t8AxqgF/2XBI0ZWD6x69cp7suPTQKCAQEAy/NUEgXN -+nymq8NK+umZwFJU7cy3weozRuEkmgmCWj4XYhbvTw6MbK+2R9XKa3ilqSd2sU2lX -+qE66kfAgqZMJ9RB+7nDOaLAMUuGw1DrwFZE7r3mKXgc4NgjtmGav4E3URXPHj5zb -+JbbN95zl96Fm3Nevs5p8sb0KexgbzHe4UzJNYFgT0l+TjJbJUAiNPsEw1bnV4cxn -+b1HO2CWTeGtAOJyjMRNwI+40wnk2N6An+Ddvb2mj2h30HujSZHnL94RAqa7RHDb6 -+lU+7JX/ll5G0mFQOFQAs4UPos2bg7hS1mfYO+UVrG4OH9gXns12158WqFED+lhmJ -+O8WDWEVAblVrnQKCAQAB9aOVrYOB3QB5HHqUMBjvl5mb3J1qSswkzxBQYGvBnUNq -+P7N0dxiM+TguXJD0neOsMMmx9tKxRXzTEHFavPa3mvCRVHgCQh/NNoyPps2yl1jn -+L7VTzUDUEuoAiBSUrVM3jcmA0nFyx1QreUcnXdaGde6wsN6WI4LKSDDm2cde37nF -+D8hiRGgSlzscl7bXO1wICw/No7KcFguqq8ndX+tJOx+7S3J25SjAbauOOSYIq6Si 
-+yItsdoj1xXTvtbkOoy1BbmXsSVwnOoEKFGrxx6g4qPRc9Cq1Vq9XtULdHAF79NYw -+vmPtS5mQqlVi85OYEuesSo6pot3KMvkRjLjzEwchAoIBACEvrvZfy12iwhX9tNtP -+39z5i3rqdr76OwXpoUKFxPoFpX3dWk/zMnCrb5yo0VplEs6CK5BHC+RvKxykHix5 -+qJ0f2geig3O1ccvqvYNLM9XOlA+xjzpNom/odADgdK3i/C9w74AG3gH9BPbNqP3q -+XXqB/i0Tbkbdo97zxVI4CN5AySZsLo2Ez9WIk6laOuGDPhcI7iyXvhz3CtlRA/YM -+PZ74nfVWXGD8WclrP889WEOjgZZ3choD1b1R1SpUR0Q3WO5Da/NTXuL83k7zyMAp -+DWHcC46PQL5G9o56pw8Wf5ZV24nkKdGITY9S1qjxDrBwEYTKLqLt9M6tDPpICnvp -+mmECggEBALfnUgpdGugn46UmQUMI1y+NZbSKhJHG+OBWdcc1j4kDZhF/Ei7g8pvk -+hFU5p/YA6JbGioZxiqjdrYLvgTPnJVkxy7arLTN2j2GVlhUA74BY+kNzENk2Tj9c -+zJSMVZn+WZrXNQhfYyA3FyW3wGN67GBXAHPQxFTdU3G4mR1WcyJCxKIyzP+2M8o9 -+16tpb80QRnc0OLm9Izppe7JUp2hCQt+O6E8izvLE8k2ldOr5ncTNWlxTJ0yx0hEO -+WTFqhwOM1pEmtxas1gLr8MX0hNsaQR+kjG2f8rPmH+GEZeeAwuhoJY1PcKAOYM5Y -+yu/1yFXYTrmhD/P0+nJn1DfS5JljCJY= - -----END PRIVATE KEY----- -diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt -index 93e3a0d39..eb0fc693f 100644 ---- a/tests/data/tls/certs/bjensen@mailgw.example.com.crt -+++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt -@@ -1,16 +1,32 @@ - -----BEGIN CERTIFICATE----- --MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL --MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV --BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx --ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV --BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD --VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa --YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A --MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg --QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU --U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL --MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn --wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f 
--7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo --4DnnYQBDnq48VORVX94= -+MIIFfDCCA2SgAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL -+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV -+BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNzQwWhgPMjUxOTEx -+MTMxNTM3NDBaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNVBAoM -+E09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYDVQQD -+DBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYaYmpl -+bnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw -+ggIKAoICAQCcHBkHcUSKG4s7nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA -+7qkZvMJR8ws2u8TQU/18FhH4+0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWg -+qPYe/K3bAtSRtF7wDxF77eb2Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38 -+kpIB5WENCEy77QK9GEGAlMVIRXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nN -+LxTdLe1qbZyRgEqRKgW5WcWrW46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yIms -+CbzlSRLC1dfj++2mzCMxoc3xpZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvR -+X9uQOnXnazQvlRfsaHQjGUKyhMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzL -+twWkESVDU0tNg/czWLn56smV7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjI -+LQuEBssrV1h8WblruWRU31Mn+mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5ui -+cNcYTXCfa5ZpPL608f7cWuG2GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4 -+yPXHATrCtYO1wqIyu9Yuirdg7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABow0w -+CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCq8VvpcoAgCK/D5yi/2puB -+LD7kYaVaSXxrUQBeLTmKERw3akpgW7QTGCNgM425VVaBQRPtv8YcX9OycUAylAA+ -+7lzwdP95OJGnUOjQY4x4iRAwCPkpDCcnwc43c3WAyQb2S46aZJaWK4S0+RM3CmWH -+1Fzb6aODdnoBEKk0XgNrB6/teB+UWgtTSxWiY/HWiArDaZDPMAxqEK0hnB+b/sBD -+ZoBYnfnQXezylqbk9vkzTIbSVrv5ZZdQELOAnPuxUCFpYew1OGKcg+1twYKDHgBS -+s13zN03eMEnC/O4Z01dhu16vqdikdP+tJJrppjvZtJys0KIP24ltDnpA6h/3m/Cl -+U1eiTDgWO+SsfiL1K4gcTL1eLjnCBFfnHN5gfgAV5w5DaKzvKp7Qu8db4DtH+S4o -+W/MBKuaHHKWUPGksvFUiGNgE/XyDU4MK34/5ulzbrWmqb24pYAzm1MyjsdzmXObw -++fzg6EDBB14cWA2hA7mSqnzkiW1pELVym6+uTaIlopSIFr8nNAimwLiY5QJNGYvd -+hgNNvOyUUO+nON3aHsC/rRMgar3eo7A9AkQJ6qKVvPR2h1317PJLuKaLfjbaCzNw 
-+iA3JSQjcwR2ydlSgKKN2d/XXm/G4PZ9tUcBY4Zngn0ViT0/m7MFy9qsiWG97+yaZ -+nYsN5WfwDZrtG24dTotxVQ== - -----END CERTIFICATE----- -diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt -index 194cb119d..3aeae3c16 100644 ---- a/tests/data/tls/certs/localhost.crt -+++ b/tests/data/tls/certs/localhost.crt -@@ -1,16 +1,32 @@ - -----BEGIN CERTIFICATE----- --MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL --MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV --BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx --ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE --CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT --dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB --iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4 --7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv --8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ --BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A --AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG --8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl --0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR --GjeZB1FxqDGHjxBq2O828iejw28bSz4= -+MIIFhTCCA22gAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL -+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV -+BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNjMwWhgPMjUxOTEx -+MTMxNTM2MzBaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwT -+T3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBTdWl0 -+ZTESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC -+CgKCAgEA6Ud89ugah2oWY00q1g+M6NkpluewwvGq4tkMau1gq+Q5Biv61bubgdSA -+Z+Zkkxe3Sx0Zv7i5wldIN4wXqEDlMg2qhfzKDSNKUofc0z7FLMb0Cn46WqlciUCY -+VetHhBghGd+6fxOOz+x98FhiiAif+AdiUWBTKFFohWXo/9aiGgm0ueJj2NS3Eyac -+xOKoTcDd9TMsOJ2fMH2MlquArLobCvuphOrVbqBoeeol2SzFDDOW8ryPDzFGy5xh 
-+ZHkm/3sGIoDpDkDR0yhvBzn47qdLI5myc6Fj96s7S2xgqiqGXJW0D0FCfpUQXxfm -+ahz/Jdwl+hqs5Eg/aA+LE/7lmS7szo3zwJQ53ApdcaupHi4fU60wPVrdo29wLwDO -+hDuS+Oc1os1UyJt0T0a+zB4PIP2rxifyxI1iWmZFt7tJyLv1k7yMN7CLCWzsSy5P -+BZpGmHV9Wbvb660N6NzlFDMqnjJWDAr1BLoV4ywmpiWPhy/7JtKXFe1V3jT5MvGM -+26IOC+zCwwZVyEIIASeWepZDuto00Lqo7jOKSlLRmuhTX1ELK8xYX6ZU/fz0FwYn -+bLu6bI4mRGfbJ12fWYm5QMje2QAuvndfi759HUeuLl6TgmeQFgqFA/6Kkwoz0Ncb -+Kaaj+ByvLXfI4S3lvkwT26nOAt966fb1bsdkb8P52NdkqeSMk5cCAwEAAaNIMEYw -+CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/ -+AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4ICAQCGQCs10hwY -+t5o3AWjU8oT8HWnLDsEzIvI/Z2dvtsFSOFotH14d8a7CdCKNiry8BbQ82A4sG/Xw -+0aVdP1EscxGhpJuMHG4Ph9PZBm31ZW2VoRHOEs7/Moi6G/1yldVxWUH/qXO00Dw9 -+cEsiUQdPrPQDoVBKYAMuV15RP9b3iPpw3GY1EkIu+akGVziHFmFYUoU2gctiGIZ6 -+6KiqBFvCP1Yvm3RSZ5t/Kv/jPMetAnCq+9JAUAodAh2+goBvUCAN9Itr/tEs98jq -+9d14J7gzIRDdNHKOLrRFmoMrTaDZNtqBe5jiMf0O55tgjv4BqN4w11M51bjY4umd -+GX+OXoBJG+MK7AZyaHPjHa1NMoLDOUhTvHb4zPNkPiVb8r3lYkQ4VCtre+4qqrEn -+cEt9KWGpHkoz4GSKn6uidQebdi4waexcGttsHbKPaKZqzYXAJ2bjFZnv85zPtpjO -+qxzqrMUruiCU7EfjGAdZ8S0lwjdMihznLATjKuwQkJ2mVg2HbLgxZu578FHTBOHW -+LjVIr/80auF4Ino9ocHpIwL/E4jpYQWP/Uv4KBHwkAktmUOwqyt0iysRaWy4Gp7S -+keBI9FoGtJ1Mq5M2tVINBzt1ESC3t03KqyY+/9r/IeY7A7yukC0YJnJ+HorfuQFf -+0//7DOEA58bRswyWTLOAjYMJHilTKOozSQ== - -----END CERTIFICATE----- -diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf -index a3c8ad9f6..632cff11c 100644 ---- a/tests/data/tls/conf/openssl.cnf -+++ b/tests/data/tls/conf/openssl.cnf -@@ -51,7 +51,7 @@ commonName = supplied - emailAddress = optional - - [ req ] --default_bits = 2048 -+default_bits = @KEY_BITS@ - default_keyfile = privkey.pem - distinguished_name = req_distinguished_name - attributes = req_attributes -diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh -index 8c33a24fe..739f8eaf1 100755 ---- a/tests/data/tls/create-crt.sh -+++ b/tests/data/tls/create-crt.sh -@@ -5,6 +5,9 @@ if [ x"$openssl" = "x" ]; then 
- echo "OpenSSL command line binary not found, skipping..." - fi - -+KEY_BITS=4096 -+KEY_TYPE=rsa:$KEY_BITS -+ - USAGE="$0 [-s] [-u ]" - SERVER=0 - USER=0 -@@ -45,13 +48,13 @@ echo "00" > cruft/serial - touch cruft/index.txt - touch cruft/index.txt.attr - hn=$(hostname -f) --sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf > ./openssl.cnf -+sed -e "s;@HOSTNAME@;$hn;" -e "s;@KEY_BITS@;$KEY_BITS;" conf/openssl.cnf > ./openssl.cnf - - if [ $SERVER = 1 ]; then - rm -rf private/localhost.key certs/localhost.crt - - $openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \ -- -newkey rsa:1024 -config ./openssl.cnf \ -+ -newkey $KEY_TYPE -config ./openssl.cnf \ - -subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \ - -batch > /dev/null 2>&1 - -@@ -66,7 +69,7 @@ if [ $USER = 1 ]; then - rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr - - $openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \ -- -newkey rsa:1024 -config ./openssl.cnf \ -+ -newkey $KEY_TYPE -config ./openssl.cnf \ - -subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \ - -batch >/dev/null 2>&1 - -diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.key -index 5f4625fd7..e30e11586 100644 ---- a/tests/data/tls/private/bjensen@mailgw.example.com.key -+++ b/tests/data/tls/private/bjensen@mailgw.example.com.key -@@ -1,16 +1,52 @@ - -----BEGIN PRIVATE KEY----- --MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2 --xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4 --9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z --yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r --oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e --nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg --xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra 
--EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd --9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/ --pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI --tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ --3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D --tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg --36Ixj3L+5H18 -+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCcHBkHcUSKG4s7 -+nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA7qkZvMJR8ws2u8TQU/18FhH4 -++0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWgqPYe/K3bAtSRtF7wDxF77eb2 -+Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38kpIB5WENCEy77QK9GEGAlMVI -+RXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nNLxTdLe1qbZyRgEqRKgW5WcWr -+W46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yImsCbzlSRLC1dfj++2mzCMxoc3x -+pZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvRX9uQOnXnazQvlRfsaHQjGUKy -+hMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzLtwWkESVDU0tNg/czWLn56smV -+7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjILQuEBssrV1h8WblruWRU31Mn -++mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5uicNcYTXCfa5ZpPL608f7cWuG2 -+GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4yPXHATrCtYO1wqIyu9Yuirdg -+7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABAoICAQCWY/s40EXXRvG7XBGKe1Sn -+MZGGllyduVVQMFzJIkOsnkDKKuTY+dZlP4Zo5Q/PIvWKpRnWGRP6lsh5tJkukiHd -+jk4VvJk4AzS7mNhkRyYy3ZW3ulB5NpsXS67P610RwIhIVhuf6ORPH8GBW9lRxwoL -+1v4WpGjbywHkKQvR0Sp7lVGULuwnM0dSK2G9sdztUTGbWZlp0hRIawojtcrRt2ft -+Liyy4hooWMmAFS3wu1y3fHSNn5kEFpfis5jF+5jdDvvmsFElx/X7uiBUFMAV2vry -+wu2mceibiGjnq7Nn6I7fhgKzGnkgzzDSLA9uVBde2+RAHlO0fLTq+5YLVhe0pNBM -+J1Y0soNaO3XfVV6Vnyz8X+ruHItW2OBF9AYhIlXq/6d3MMX51BEM6odEtsi8zFgo -+ENN0GAXoyoofg+IvzPiVU2Ud7s4pAlK473d7sAQEeiFWaj7iwueAgofSUFRz7E/H -+umdhytKiJXqcjJ9O2k4sBsmQoPIB++LlUPRIlZY9UvTFxLbd/ifFUv5fqa6z0IX6 -+wkIzXmRHhG+ETk1IZBJAAho7iyyYOTP+JnnToUAMWoUaZUO2bzaZfQha8Z3KVtG/ -+PJUfHClBXqvFNaAUvA9Df3JoJddJ4pO1g0QjS/dp4C2KwNkH4oqMJctvCersoPWu -+5DYiWY6KR4GjokJ1lBeWAQKCAQEAzSKa+m2C4ANNCJB9tcKYDbYIdibCpzO+k1Fb 
-+gZUtNi9dEE0Po8rMG0jthm+GKJjNjiG5idSUMo+WNEGBPkELueex81AlEpOqQ6/9 -+67cyjAsF/FvgkWOpKJnGOySF/TpK4kPGYyS3ICvs1KNE5HEywHyC4C/MD8N9Z5tX -+/DfW6sBM/wPipE9YDpKfAg3fDG9YJN/gJZ8TlZVqzzw75rKGcMeLc8f0mbMo+KWQ -+VKV4vrgz1eiVrHc5VeGUaXe1Yei5El671wAdtFdmm51A2fWd80fPlQdqfAwpX7x4 -+FWuo9z2QX70rM/NTWfk4nQ6ZFEHxtm++OiTfh7RwauI8fxye6QKCAQEAwtF/tOth -+UgHrohB2DCE9gA0rxkynJHK9/SXSd0KBjERO2i41iuC9YlJT/NpNz9fM7l+L02aP -+wWLMqyC7moNmIpJMY2xBGU0EowQ/3xsSNo3u/fvOS4MyGLKENUPMFgO0J7yopiqt -+Ea31TcrFSTMSmFZCv8cGt38EwS6sdJZd/RB+h3yxesit8pouwpfbtLPx6LSGkPHY -+5nNVPgbt6xaxZJ/1kNbLFObSoZ3lzWBwp93dQh/WqeeeI51LGdM1G6fTL8HrmGFJ -+EX0AKpexFVnG/GROJc8taWtMbk9W5oK30JqR7hpSaluYbonpr9k4WQA+EAZjXfcJ -+0V0AMsMUhGtvFwKCAQAQZf7LnCuFKt5im+JgwFCVcALXJxwSb7GBZ1SQVFOL7Fdd -+MTvZ1SFh4P+T6qBn6GcuQIXrfcHnFNFmFgJ17o84akwwbiy4gnNu+8epqzhwN4Vf -++hxGoxfntftByRao+pr34YEfddTpznkdOnwMYvwypQF1WHzQmckRmjp7YB9fHsZI -+8I+SoQEiERiC+oblIJWERR1PBJt1Lr+eF2uWcpkKtPjx5X8pNkhFMD8MdTnkzSbf -+p7snUVSVB/ZsQ/SNAiShUk9jzY+SVhZOxFBl3BunUgtHF5OsnPBFxfQ3iia0tQgw -+jxfADGiSXbjn3T3hf7AJ7H7heQchewwtjy5U3v3ZAoIBAQCEAyRPe0SKJoT+X7su -+QwQClmo4SE7mUt5NAOkaKTXRz6PDEpbzkZCjZHhHGcKqeWgDizkbuh7lg0Z/G4Ik -+lK+L86jRolSGiXr/3+xMCXMRBqKQ9qV24+L5e1Y9JcDQlhfo6V06pCZ8mW1lFmcT -+UAlksucuPvZdNzQIl9ECe7YauqeStbsqIXxFrZbMA808KMde0Z1x8H/ywOpdSqLD -+r6/rKL1lNTeN5U+Ldox228fa6Gt62EpE/Y9aQMbYLBeLsvBXJ0e3DQ1PTW3kbr/v -+YNOGyY1u73GtQqkbAqY3MxLNxz/loW6BZanoFYoFv+L/5Dsp7ro8vR6pASUWQLzR -+cl9nAoIBAQCre87G76UXv6FIggT+cKM9MKS69KIE3mzNTYUo90L74vF65hJqlaIa -+mfEcPpEU+UY+ufZSIHtTDBj/9Rswaf5whJY7RfL42pSGnW2YOMpuwDIKAEvcJedu -+kZhbthBin4pa28X6L5sNxug+7Wykgesd48PmMLG4pTF+D9u7SgO37Ew5UzylPWNi -+Lrv9TlX1vv9rNFh/hOCA93DNrJlNNPltIcMDByVVjrq31QmxMJwE7cdvl1V7eoiO -+NQuGuGyFIEKPtl9dEUaA4SGYZ7fUqPZaZuzzM0Xa5UMpdcIzcuYYNn3G6FvV6vwU -+dH+lv5X1bTB18GK88ANpC2qLCKRJPCTx - -----END PRIVATE KEY----- -diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key -index 8a24f69f8..99cb512c4 100644 ---- a/tests/data/tls/private/localhost.key -+++ 
b/tests/data/tls/private/localhost.key -@@ -1,16 +1,52 @@ - -----BEGIN PRIVATE KEY----- --MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg --ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM --w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM --brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij --Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf --2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ --bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q --1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf --3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U --VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7 --TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b --iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP --5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3 --b61hkjQZfbEg5cg= -+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDpR3z26BqHahZj -+TSrWD4zo2SmW57DC8ari2Qxq7WCr5DkGK/rVu5uB1IBn5mSTF7dLHRm/uLnCV0g3 -+jBeoQOUyDaqF/MoNI0pSh9zTPsUsxvQKfjpaqVyJQJhV60eEGCEZ37p/E47P7H3w -+WGKICJ/4B2JRYFMoUWiFZej/1qIaCbS54mPY1LcTJpzE4qhNwN31Myw4nZ8wfYyW -+q4CsuhsK+6mE6tVuoGh56iXZLMUMM5byvI8PMUbLnGFkeSb/ewYigOkOQNHTKG8H -+Ofjup0sjmbJzoWP3qztLbGCqKoZclbQPQUJ+lRBfF+ZqHP8l3CX6GqzkSD9oD4sT -+/uWZLuzOjfPAlDncCl1xq6keLh9TrTA9Wt2jb3AvAM6EO5L45zWizVTIm3RPRr7M -+Hg8g/avGJ/LEjWJaZkW3u0nIu/WTvIw3sIsJbOxLLk8FmkaYdX1Zu9vrrQ3o3OUU -+MyqeMlYMCvUEuhXjLCamJY+HL/sm0pcV7VXeNPky8Yzbog4L7MLDBlXIQggBJ5Z6 -+lkO62jTQuqjuM4pKUtGa6FNfUQsrzFhfplT9/PQXBidsu7psjiZEZ9snXZ9ZiblA -+yN7ZAC6+d1+Lvn0dR64uXpOCZ5AWCoUD/oqTCjPQ1xsppqP4HK8td8jhLeW+TBPb -+qc4C33rp9vVux2Rvw/nY12Sp5IyTlwIDAQABAoICADh1+wLvjmwz+xMxvCpvPRWm -+afCCR0AHqeqZye2fYoR4Cm05+837SFoWCrYbB0CqvsxJUNAcb6lf4rS/DYLFojOJ -+JzqiwmyHnBd5lrLyQFrkFHDtuEX1M9ZscfJprbeE944BnmvfWfNtM9YWLlLqc31e -+nCdB/x6FBZ0z2z8Avd87dih/aNc0NNNHxy3IBiA7i/0q04soaz0bRgm5nL0xlhYE 
-+bzUieWH7JQ5M47g6o76eReyeQqnUrWPeh5v/zraLGiMDvGScv6wx3x2KpHtutjr5 -+mj1uVHm/UeyhYIwPGtIR0bDXhLaKcZnyeOw59G8/Z1mvVyUxb1dKW8kNKpj2yI2H -+Y1SjhW5qaOeaDPxAPqVyo6SUQIzOn6SD0l7aGyOyvYULjiw342HQYU4rQeSPOtjt -++NYMirnT7WNnmoSIsXx7nwUe38EWx5gCHy8taF4aZr5K85yZKnmsiX3vX/hH30yc -+GLOnDDa3b0FE2J2eYos14ru8RTqSLSxclr5Ru2yTdwLgE0gg+iygO1/tYYkqxZ09 -+j+METJpg4wv+cQUG/BxysISqNjaPSPHdyJeTMzC8B+PUUpbRoBuvLLokkZ9P95nG -+72TFklEOB0m0VMxrEfev0HGSzkQm92s2Bf41TRaHTPSkg+G1s0haZTNqRVTGPrr/ -+eyiz0qH2bgDeubJ3VuTBAoIBAQD9N+KeKo+hRWeV/I6BCBOfMeQOqlqIxYfYAxU+ -+CuutILbTnGKFMTAx43syh/a5EV7q4yM81RCXKK/Lmja2OIeYJUb88bC/h0x/gq5W -+LLxHbKgFDUDF2VcWShMqDOo8J8FbzWwb9bOOShqASoR6FacJuOqlFvS8gaswZtiW -+fOvlWRKO2ybULgQctX5gOf1ctuab1VrzuHnNB30gVFc95Dg1b6RiyVAa8AFm6gs9 -+6Rewk527+4T5Ho5UXvdsTVJsAhzJgVjPSyF2Vc1CRrp8lIffsg5Prb4w8kvB0i64 -+09zn+jAfVRpjdGWqMI7BR1pCdheGMqv006ZVYY+QhcBIb0BHAoIBAQDr14d5PPDv -+pCjlJnCKNzX2irU6bdIY+zvXoemj/cYvHqQbPOe/kaCWFNPMxANKMmZSTdSM7qqR -+s0P1RW/R7moWNSesYwW+2Jp2hIhiWmy+E+ksXeTlFwVpuMHSDPS/N61N8XgmT3pI -+Qngl1hgxGbttniKEwI+Nc7Z3FYDDCp206nmC5y33D+ZYHv1L3e33pyqHdHD/uIeU -+57OPr7Mmd/J6pmClh1dqyZwVBClc2V6w0y2G8Lk1v79wOMrn+4/p9KH2BgkFe2gr -+uB8TOLlUhttQ8VfzXCd+Zi9s3oW0h7Vkvt4kDlJm0MrnMmK0aqgKB+7XkKE0ccVQ -+xSodzbBdDYoxAoIBAH2qGmD8JkOWug2JRP9sDrDWhaNxj3SI8x2Uiho8OTG2JoVl -++s621oArsJwnNZ4qrLxM9NPfuVgK7RNR+Qz9iO1MsqodF+Y1MxWkuPgzQ0z+83Nu -+XFLTxZBeOpyHxEcOQ7tXeut1SCK5S+WXFZ+w1zDQAELl3ZcfkuF2aM5mOHuddMRI -+pkBuhcPpnkoK/V3htxhnDbgeOPQzXzmIIbOpauu5+A6+cW6s5UU5qVKUNxl+aK09 -+6YPoUiI07v1kch7//WFTO8vEMVsUwcS+bRYecD/nkYqhYt3PoSETOfSnz92gH/ms -+tmfdAAcyCeaJjpWlHY+P3h6mWsnMnP7QIdjQvUkCggEAGFkiBWRDQ5phFndHex2E -+FrXvS972p9mYLgTrSCD1CvxQ2PcKvf5c4+G2lBdQd6KIacrbPMmPFoe5ZmMKzlOc -+5DoMpIF8oF1gZQf9xJmtTFpl4ky3Sud7iZSnffYUdoFbBQb+7oWaDEfAe7eEu9z6 -+OrDuw2HV8DaYCedQadJ4warLbLZNSop7r3FTmTeKT90USPO+jsgQR1E8eoMbLceI -+Yx02MSCt57p0wL6zPoC6g+rpclr75A6txvo2CIkyLGczKWEqIUTCVnEl1CgxCgb6 -+MXsZJ2jGMwh9sPGwQBkaoxIJgRNxcmfv6rqK8jFos9Bp2ht2aSGty07vsDACGzlA 
-+oQKCAQEA8PzgkyGYHs2DwNhmv3j5ZFaP0RukwbdChSoxmbC9JP2JJxxYcnww5jYH -+xeM1bahqkdKyG5iDRiYB74EolZUMA3Zny13R4HWxNe4aUZW1H8mdmhllXX90aUOU -+WEvF2yYZbg9CQIq7zQh8HsF/S8sDTsXoZOx30zrPgb44spWKRmxdwUJt944weXvc -+p5XkLvVzBVJ+RD5IgPTBFl1iCkw3eq01CFcbTdfe9cS8V9IgDy0Jq2GvRE3Y2JS6 -+xqtBB1MgZvrUoAZ8jPacRRXddg87Hwgs9+R1jaE+ZYixojOFg+JnQOGkUd9FhJAW -+bcnWV4XIPIMbouL4132Ove+GukJlPA== - -----END PRIVATE KEY----- --- -2.29.2 - diff --git a/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch b/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch deleted file mode 100644 index 125ae6b..0000000 --- a/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch +++ /dev/null 
@@ -1,487 +0,0 @@ -From 8e3e85e329f5cbd989936b0df8a0ac06906a4824 Mon Sep 17 00:00:00 2001 -From: Isaac Boukris -Date: Tue, 14 Apr 2020 16:19:05 +0300 -Subject: [PATCH] auth: add SASL/GSSAPI tests - ---- - tests/data/krb5.conf | 32 ++++++ - tests/data/slapd-sasl-gssapi.conf | 65 ++++++++++++ - tests/scripts/conf.sh | 3 + - tests/scripts/defines.sh | 5 + - tests/scripts/setup_kdc.sh | 144 +++++++++++++++++++++++++++ - tests/scripts/test077-sasl-gssapi | 159 ++++++++++++++++++++++++++++++ - 6 files changed, 408 insertions(+) - create mode 100644 tests/data/krb5.conf - create mode 100644 tests/data/slapd-sasl-gssapi.conf - create mode 100755 tests/scripts/setup_kdc.sh - create mode 100755 tests/scripts/test077-sasl-gssapi - -diff --git a/tests/data/krb5.conf b/tests/data/krb5.conf -new file mode 100644 -index 000000000..739113742 ---- /dev/null -+++ b/tests/data/krb5.conf -@@ -0,0 +1,32 @@ -+[libdefaults] -+ default_realm = @KRB5REALM@ -+ dns_lookup_realm = false -+ dns_lookup_kdc = false -+ default_ccache_name = FILE://@TESTDIR@/ccache -+ #udp_preference_limit = 1 -+[realms] -+ @KRB5REALM@ = { -+ kdc = @KDCHOST@:@KDCPORT@ -+ acl_file = @TESTDIR@/kadm.acl -+ database_name = @TESTDIR@/kdc.db -+ key_stash_file = @TESTDIR@/kdc.stash -+ } -+[kdcdefaults] -+ kdc_ports = @KDCPORT@ -+ kdc_tcp_ports = @KDCPORT@ -+[logging] -+ kdc = FILE:@TESTDIR@/kdc.log -+ admin_server = FILE:@TESTDIR@/kadm.log -+ default = FILE:@TESTDIR@/krb5.log -+ -+#Heimdal -+[kdc] -+ database = { -+ dbname = @TESTDIR@/kdc.db -+ realm = @KRB5REALM@ -+ mkey_file = @TESTDIR@/kdc.stash -+ log_file = @TESTDIR@/kdc.log -+ acl_file = @TESTDIR@/kadm.acl -+ } -+[hdb] -+ db-dir = @TESTDIR@ -diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf -new file mode 100644 -index 000000000..611fc7097 ---- /dev/null -+++ b/tests/data/slapd-sasl-gssapi.conf -@@ -0,0 +1,65 @@ -+# stand-alone slapd config -- for testing (with indexing) -+# $OpenLDAP$ -+## This work is part of OpenLDAP Software . 
-+## -+## Copyright 1998-2020 The OpenLDAP Foundation. -+## All rights reserved. -+## -+## Redistribution and use in source and binary forms, with or without -+## modification, are permitted only as authorized by the OpenLDAP -+## Public License. -+## -+## A copy of this license is available in the file LICENSE in the -+## top-level directory of the distribution or, alternatively, at -+## . -+ -+# -+include @SCHEMADIR@/core.schema -+include @SCHEMADIR@/cosine.schema -+# -+include @SCHEMADIR@/corba.schema -+include @SCHEMADIR@/java.schema -+include @SCHEMADIR@/inetorgperson.schema -+include @SCHEMADIR@/misc.schema -+include @SCHEMADIR@/nis.schema -+include @SCHEMADIR@/openldap.schema -+# -+include @SCHEMADIR@/duaconf.schema -+include @SCHEMADIR@/dyngroup.schema -+ -+# -+pidfile @TESTDIR@/slapd.1.pid -+argsfile @TESTDIR@/slapd.1.args -+ -+# SSL configuration -+TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt -+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key -+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt -+ -+# -+rootdse @DATADIR@/rootdse.ldif -+ -+#mod#modulepath ../servers/slapd/back-@BACKEND@/ -+#mod#moduleload back_@BACKEND@.la -+#monitormod#modulepath ../servers/slapd/back-monitor/ -+#monitormod#moduleload back_monitor.la -+ -+ -+####################################################################### -+# database definitions -+####################################################################### -+ -+database @BACKEND@ -+suffix "dc=example,dc=com" -+rootdn "cn=Manager,dc=example,dc=com" -+rootpw secret -+#~null~#directory @TESTDIR@/db.1.a -+#indexdb#index objectClass eq -+#indexdb#index mail eq -+#ndb#dbname db_1_a -+#ndb#include @DATADIR@/ndb.conf -+ -+#monitor#database monitor -+ -+sasl-realm @KRB5REALM@ -+sasl-host localhost -diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh -index 2a859d89d..5b477ed93 100755 ---- a/tests/scripts/conf.sh -+++ b/tests/scripts/conf.sh -@@ -97,4 +97,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \ - 
-e "s;@TESTWD@;${TESTWD};" \ - -e "s;@DATADIR@;${DATADIR};" \ - -e "s;@SCHEMADIR@;${SCHEMADIR};" \ -+ -e "s;@KRB5REALM@;${KRB5REALM};" \ -+ -e "s;@KDCHOST@;${KDCHOST};" \ -+ -e "s;@KDCPORT@;${KDCPORT};" \ - -e "/^#/d" -diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh -index 26dab1bae..78dc1f8ae 100755 ---- a/tests/scripts/defines.sh -+++ b/tests/scripts/defines.sh -@@ -108,6 +108,7 @@ REFCONSUMERCONF=$DATADIR/slapd-ref-consumer.conf - SCHEMACONF=$DATADIR/slapd-schema.conf - TLSCONF=$DATADIR/slapd-tls.conf - TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf -+SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf - GLUECONF=$DATADIR/slapd-glue.conf - REFINTCONF=$DATADIR/slapd-refint.conf - RETCODECONF=$DATADIR/slapd-retcode.conf -@@ -214,6 +215,7 @@ PORT3=`expr $BASEPORT + 3` - PORT4=`expr $BASEPORT + 4` - PORT5=`expr $BASEPORT + 5` - PORT6=`expr $BASEPORT + 6` -+KDCPORT=`expr $BASEPORT + 7` - URI1="ldap://${LOCALHOST}:$PORT1/" - URIP1="ldap://${LOCALIP}:$PORT1/" - URI2="ldap://${LOCALHOST}:$PORT2/" -@@ -239,6 +241,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/" - SURI6="ldaps://${LOCALHOST}:$PORT6/" - SURIP6="ldaps://${LOCALIP}:$PORT6/" - -+KRB5REALM="K5.REALM" -+KDCHOST=$LOCALHOST -+ - # LDIF - LDIF=$DATADIR/test.ldif - LDIFADD1=$DATADIR/do_add.1 -diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh -new file mode 100755 -index 000000000..1cb784075 ---- /dev/null -+++ b/tests/scripts/setup_kdc.sh -@@ -0,0 +1,144 @@ -+#! /bin/sh -+# $OpenLDAP$ -+## This work is part of OpenLDAP Software . -+## -+## Copyright 1998-2020 The OpenLDAP Foundation. -+## All rights reserved. -+## -+## Redistribution and use in source and binary forms, with or without -+## modification, are permitted only as authorized by the OpenLDAP -+## Public License. -+## -+## A copy of this license is available in the file LICENSE in the -+## top-level directory of the distribution or, alternatively, at -+## . 
-+ -+export KRB5_TRACE=$TESTDIR/k5_trace -+export KRB5_CONFIG=$TESTDIR/krb5.conf -+export KRB5_KDC_PROFILE=$KRB5_CONFIG -+export KRB5_KTNAME=$TESTDIR/server.kt -+export KRB5_CLIENT_KTNAME=$TESTDIR/client.kt -+export KRB5CCNAME=$TESTDIR/client.ccache -+ -+KDCLOG=$TESTDIR/setup_kdc.log -+KSERVICE=ldap/$LOCALHOST -+KUSER=kuser -+ -+. $CONFFILTER < $DATADIR/krb5.conf > $KRB5_CONFIG -+ -+PATH=${PATH}:/usr/lib/heimdal-servers:/usr/sbin:/usr/local/sbin -+ -+echo "Trying Heimdal KDC..." -+ -+kdc --version 2>&1 | grep Heimdal > $KDCLOG 2>&1 -+RC=$? -+if test $RC = 0 ; then -+ -+ kstash --random-key > $KDCLOG 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "Heimdal: kstash failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ flags="--realm-max-ticket-life=1h --realm-max-renewable-life=1h" -+ kadmin -l init $flags $KRB5REALM > $KDCLOG 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "Heimdal: kadmin init failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ kadmin -l add --random-key --use-defaults $KSERVICE > $KDCLOG 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "Heimdal: kadmin add failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ kadmin -l ext -k $KRB5_KTNAME $KSERVICE > $KDCLOG 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ kadmin -l add --random-key --use-defaults $KUSER > $KDCLOG 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "Heimdal: kadmin add failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ kadmin -l ext -k $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ kdc --addresses=$LOCALIP --ports="$KDCPORT/udp" > $KDCLOG 2>&1 & -+else -+ echo "Trying MIT KDC..." -+ -+ kdb5_util create -r $KRB5REALM -s -P password > $KDCLOG 2>&1 -+ RC=$? 
-+ if test $RC != 0 ; then -+ echo "MIT: kdb5_util create failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ kadmin.local -q "addprinc -randkey $KSERVICE" > $KDCLOG 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "MIT: admin addprinc failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ kadmin.local -q "ktadd -k $KRB5_KTNAME $KSERVICE" > $KDCLOG 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ kadmin.local -q "addprinc -randkey $KUSER" > $KDCLOG 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "MIT: kadmin addprinc failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ kadmin.local -q "ktadd -k $KRB5_CLIENT_KTNAME $KUSER" > $KDCLOG 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests" -+ exit 0 -+ fi -+ -+ krb5kdc -n > $KDCLOG 2>&1 & -+fi -+ -+KDCPROC=$! -+sleep 1 -+ -+kinit -kt $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ kill $KDCPROC -+ echo "SASL/GSSAPI: kinit failed, skipping GSSAPI tests" -+ exit 0 -+fi -+ -+pluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null -+RC=$? -+if test $RC != 0 ; then -+ -+ saslpluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null -+ RC=$? -+ if test $RC != 0 ; then -+ kill $KDCPROC -+ echo "cyrus-sasl has no GSSAPI support, test skipped" -+ exit 0 -+ fi -+fi -diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi -new file mode 100755 -index 000000000..64abe16fe ---- /dev/null -+++ b/tests/scripts/test077-sasl-gssapi -@@ -0,0 +1,159 @@ -+#! /bin/sh -+# $OpenLDAP$ -+## This work is part of OpenLDAP Software . -+## -+## Copyright 1998-2020 The OpenLDAP Foundation. -+## All rights reserved. -+## -+## Redistribution and use in source and binary forms, with or without -+## modification, are permitted only as authorized by the OpenLDAP -+## Public License. 
-+## -+## A copy of this license is available in the file LICENSE in the -+## top-level directory of the distribution or, alternatively, at -+## . -+ -+echo "running defines.sh" -+. $SRCDIR/scripts/defines.sh -+ -+if test $WITH_SASL = no ; then -+ echo "SASL support not available, test skipped" -+ exit 0 -+fi -+ -+mkdir -p $TESTDIR $DBDIR1 -+cp -r $DATADIR/tls $TESTDIR -+ -+cd $TESTWD -+ -+ -+echo "Starting KDC for SASL/GSSAPI tests..." -+. $SRCDIR/scripts/setup_kdc.sh -+ -+echo "Running slapadd to build slapd database..." -+. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1 -+$SLAPADD -f $CONF1 -l $LDIFORDERED -+RC=$? -+if test $RC != 0 ; then -+ echo "slapadd failed ($RC)!" -+ kill $KDCPROC -+ exit $RC -+fi -+ -+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." -+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & -+PID=$! -+if test $WAIT != 0 ; then -+ echo PID $PID -+ read foo -+fi -+KILLPIDS="$PID" -+ -+sleep 1 -+ -+for i in 0 1 2 3 4 5; do -+ $LDAPSEARCH -s base -b "" -H $URI1 \ -+ 'objectclass=*' > /dev/null 2>&1 -+ RC=$? -+ if test $RC = 0 ; then -+ break -+ fi -+ echo "Waiting 5 seconds for slapd to start..." -+ sleep 5 -+done -+ -+if test $RC != 0 ; then -+ echo "ldapsearch failed ($RC)!" -+ kill $KDCPROC -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapsearch failed ($RC)!" -+ kill $KDCPROC -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+grep GSSAPI $TESTOUT -+RC=$? -+if test $RC != 0 ; then -+ echo "failed: GSSAPI mechanism not in supportedSASLMechanisms." -+ kill $KDCPROC -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+fi -+ -+echo -n "Using ldapwhoami with SASL/GSSAPI: " -+$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1 -+RC=$? -+if test $RC != 0 ; then -+ echo "ldapwhoami failed ($RC)!" 
-+ kill $KDCPROC -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+else -+ echo "success" -+fi -+ -+echo -n "Validating mapped SASL/GSSAPI ID: " -+echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out -+$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT -+RC=$? -+if test $RC != 0 ; then -+ echo "Comparison failed" -+ kill $KDCPROC -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+else -+ echo "success" -+fi -+ -+if test $WITH_TLS = no ; then -+ echo "SASL/GSSAPI: TLS support not available, skipping TLS part." -+else -+ echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: " -+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \ -+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ -+ > $TESTOUT 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "ldapwhoami failed ($RC)!" -+ kill $KDCPROC -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+ else -+ echo "success" -+ fi -+ -+ echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: " -+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow \ -+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ -+ > $TESTOUT 2>&1 -+ RC=$? -+ if test $RC != 0 ; then -+ echo "ldapwhoami failed ($RC)!" -+ kill $KDCPROC -+ test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ exit $RC -+ else -+ echo "success" -+ fi -+fi -+ -+kill $KDCPROC -+test $KILLSERVERS != no && kill -HUP $KILLPIDS -+ -+if test $RC != 0 ; then -+ echo ">>>>> Test failed" -+else -+ echo ">>>>> Test succeeded" -+ RC=0 -+fi -+ -+test $KILLSERVERS != no && wait -+ -+exit $RC --- -2.29.2 - diff --git a/openldap-fix-missing-mapping.patch b/openldap-fix-missing-mapping.patch new file mode 100644 index 0000000..dd4a7cc --- /dev/null +++ b/openldap-fix-missing-mapping.patch 
@@ -0,0 +1,24 @@ +From 59e013602d7b1aa0d7da79d65367c9ec391b96f8 Mon Sep 17 00:00:00 2001 +From: Simon Pichugin +Date: Wed, 3 Nov 2021 19:03:40 -0700 +Subject: [PATCH] Fix missing mapping + +--- + libraries/liblber/lber.map | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libraries/liblber/lber.map b/libraries/liblber/lber.map +index 9a4094b0f..083cd1f32 100644 +--- a/libraries/liblber/lber.map ++++ b/libraries/liblber/lber.map +@@ -121,6 +121,7 @@ OPENLDAP_2.200 + ber_sockbuf_io_fd; + ber_sockbuf_io_readahead; + ber_sockbuf_io_tcp; ++ ber_sockbuf_io_udp; + ber_sockbuf_remove_io; + ber_sos_dump; + ber_start; +-- +2.31.1 + diff --git a/openldap-manpages.patch b/openldap-manpages.patch index b69a391..df0d879 100644 --- a/openldap-manpages.patch +++ b/openldap-manpages.patch @@ -3,10 +3,10 @@ Various manual pages changes: * removes references to non-existing manpages (bz 624616) diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 -index 3def6da..466c772 100644 +index 353b075..cf37856 100644 --- a/doc/man/man1/ldapmodify.1 +++ b/doc/man/man1/ldapmodify.1 -@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error. +@@ -382,8 +382,7 @@ exit status and a diagnostic message being written to standard error. .BR ldap_add_ext (3), .BR ldap_delete_ext (3), .BR ldap_modify_ext (3), @@ -17,19 +17,19 @@ index 3def6da..466c772 100644 The OpenLDAP Project .SH ACKNOWLEDGEMENTS diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 -index cfde143..63592cb 100644 +index 17b7154..6084298 100644 --- a/doc/man/man5/ldap.conf.5 
+++ b/doc/man/man5/ldap.conf.5 -@@ -317,6 +317,7 @@ certificates in separate individual files. The +@@ -338,6 +338,7 @@ certificates in separate individual files. The .B TLS_CACERT is always used before .B TLS_CACERTDIR. +The specified directory must be managed with the OpenSSL c_rehash utility. - This parameter is ignored with GnuTLS. - - When using Mozilla NSS, may contain a Mozilla NSS cert/key + .TP + .B TLS_CERT + Specifies the file that contains the client certificate. diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 -index b739f4d..e2a1a00 100644 +index 8504b37..f02f1fa 100644 --- a/doc/man/man8/slapd.8 +++ b/doc/man/man8/slapd.8 @@ -5,7 +5,7 @@ @@ -39,9 +39,9 @@ index b739f4d..e2a1a00 100644 -.B LIBEXECDIR/slapd +.B slapd [\c - .BR \-4 | \-6 ] + .BR \-V [ V [ V ]] [\c -@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type: +@@ -332,7 +332,7 @@ the LDAP databases defined in the default config file, just type: .LP .nf .ft tt @@ -50,7 +50,7 @@ index b739f4d..e2a1a00 100644 .ft .fi .LP -@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type: +@@ -343,7 +343,7 @@ on voluminous debugging which will be printed on standard error, type: .LP .nf .ft tt @@ -59,7 +59,7 @@ index b739f4d..e2a1a00 100644 .ft .fi .LP -@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type: +@@ -351,7 +351,7 @@ To test whether the configuration file is correct or not, type: .LP .nf .ft tt @@ -68,6 +68,3 @@ index b739f4d..e2a1a00 100644 .ft .fi .LP --- -1.8.1.4 - diff --git a/openldap-openssl-manpage-defaultCA.patch b/openldap-openssl-manpage-defaultCA.patch index 7ec2caa..e0c7cb7 100644 --- a/openldap-openssl-manpage-defaultCA.patch +++ b/openldap-openssl-manpage-defaultCA.patch @@ -6,9 +6,10 @@ certificates. Author: Matus Honek diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index 6084298..3070bb4 100644 --- a/doc/man/man5/ldap.conf.5 
+++ b/doc/man/man5/ldap.conf.5 -@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an +@@ -327,6 +327,9 @@ are more options you can specify. These options are used when an .B ldaps:// URI is selected (by default or otherwise) or when the application negotiates TLS by issuing the LDAP StartTLS operation. @@ -19,9 +20,10 @@ diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 .B TLS_CACERT Specifies the file that contains certificates for all of the Certificate diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 +index a559b0c..adda87a 100644 --- a/doc/man/man5/slapd-config.5 +++ b/doc/man/man5/slapd-config.5 -@@ -801,6 +801,10 @@ If +@@ -878,6 +878,10 @@ If .B slapd is built with support for Transport Layer Security, there are more options you can specify. @@ -33,9 +35,10 @@ diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 .B olcTLSCipherSuite: Permits configuring what ciphers will be accepted and the preference order. diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 +index b6e9250..1653a1b 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 -@@ -1032,6 +1032,10 @@ If +@@ -1108,6 +1108,10 @@ If .B slapd is built with support for Transport Layer Security, there are more options you can specify. diff --git a/openldap-reentrant-gethostby.patch b/openldap-reentrant-gethostby.patch index 140b6e3..dcb3b73 100644 --- a/openldap-reentrant-gethostby.patch +++ b/openldap-reentrant-gethostby.patch @@ -8,7 +8,7 @@ Resolves: #179730 Author: Jeffery Layton diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c -index 373c81c..a012062 100644 +index aa69f70..4461bf2 100644 --- a/libraries/libldap/util-int.c +++ b/libraries/libldap/util-int.c @@ -52,8 +52,8 @@ extern int h_errno; 
@@ -22,7 +22,7 @@ index 373c81c..a012062 100644 #else # include -@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod) +@@ -442,7 +442,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod) #define BUFSTART (1024-32) #define BUFMAX (32*1024-32) diff --git a/openldap-smbk5pwd-overlay.patch b/openldap-smbk5pwd-overlay.patch index 38936cf..e5aaa57 100644 --- a/openldap-smbk5pwd-overlay.patch +++ b/openldap-smbk5pwd-overlay.patch @@ -9,7 +9,7 @@ Author: Jan Vcelak Resolves: #841560 diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README -index f20ad94..b6433ff 100644 +index 4a710a7..0cd4e9e 100644 --- a/contrib/slapd-modules/smbk5pwd/README +++ b/contrib/slapd-modules/smbk5pwd/README @@ -1,3 +1,8 @@ @@ -22,10 +22,10 @@ index f20ad94..b6433ff 100644 PasswordModify Extended Operation to update Kerberos keys and Samba password hashes for an LDAP user. diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in -index 3af20e8..ef73663 100644 +index b84bc54..b5c3fc8 100644 --- a/servers/slapd/overlays/Makefile.in +++ b/servers/slapd/overlays/Makefile.in -@@ -33,7 +33,8 @@ SRCS = overlays.c \ +@@ -37,7 +37,8 @@ SRCS = overlays.c \ syncprov.c \ translucent.c \ unique.c \ @@ -35,7 +35,7 @@ index 3af20e8..ef73663 100644 OBJS = statover.o \ @SLAPD_STATIC_OVERLAYS@ \ overlays.o -@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) +@@ -57,7 +58,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) LIBRARY = ../liboverlays.a @@ -44,7 +44,7 @@ index 3af20e8..ef73663 100644 XINCPATH = -I.. -I$(srcdir)/.. XDEFS = $(MODULES_CPPFLAGS) -@@ -125,6 +126,12 @@ unique.la : unique.lo +@@ -141,6 +142,12 @@ unique.la : unique.lo valsort.la : valsort.lo $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS) 
@@ -57,6 +57,3 @@ index 3af20e8..ef73663 100644 install-local: $(PROGRAMS) @if test -n "$?" ; then \ $(MKDIR) $(DESTDIR)$(moduledir); \ --- -1.7.10.4 - diff --git a/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch b/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch index ed4f2ad..0605304 100644 --- a/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch +++ b/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch @@ -6,10 +6,12 @@ Proof of concept for fixing http://bugs.debian.org/327585 (patch ported from freeradius bug http://bugs.debian.org/416266) Resolves: #960048 ---- ---- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200 -+++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200 -@@ -117,6 +117,20 @@ + +diff --git a/servers/slapd/module.c b/servers/slapd/module.c +index e616f1d..52bacff 100644 +--- a/servers/slapd/module.c ++++ b/servers/slapd/module.c +@@ -117,6 +117,20 @@ int module_unload( const char *file_name ) return -1; /* not found */ } @@ -30,7 +32,7 @@ Resolves: #960048 int module_load(const char* file_name, int argc, char *argv[]) { module_loaded_t *module; -@@ -180,7 +194,7 @@ +@@ -179,7 +193,7 @@ int module_load(const char* file_name, int argc, char *argv[]) * to calling Debug. This is because Debug is a macro that expands * into multiple function calls. */ diff --git a/openldap.spec b/openldap.spec index 21864dc..e4f25e2 100644 --- a/openldap.spec +++ b/openldap.spec @@ -4,13 +4,17 @@ %global check_password_version 1.1 %global so_ver 2 +%global so_ver_compat 2 + +# When you change "Version: " to the new major version, remember to change this value too +%global major_version 2.6 # Disable automatic .la file removal %global __brp_remove_la_files %nil Name: openldap -Version: 2.4.59 -Release: 6%{?dist} +Version: 2.6.1 +Release: 1%{?dist} Summary: LDAP support libraries License: OpenLDAP URL: http://www.openldap.org/ 
@@ -20,53 +24,47 @@ Source1: slapd.service Source2: slapd.tmpfiles Source3: slapd.ldif Source4: ldap.conf -Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz +Source5: UPGRADE_INSTRUCTIONS +Source10: https://github.com/ltb-project/openldap-ppolicy-check-password/archive/v%{check_password_version}/openldap-ppolicy-check-password-%{check_password_version}.tar.gz Source50: libexec-functions Source52: libexec-check-config.sh -Source53: libexec-upgrade-db.sh -# patches for 2.4 +# Patches for 2.6 Patch0: openldap-manpages.patch -Patch2: openldap-reentrant-gethostby.patch +Patch1: openldap-reentrant-gethostby.patch + Patch3: openldap-smbk5pwd-overlay.patch -Patch5: openldap-ai-addrconfig.patch -Patch17: openldap-allop-overlay.patch +Patch4: openldap-ai-addrconfig.patch +Patch5: openldap-allop-overlay.patch # fix back_perl problems with lt_dlopen() # might cause crashes because of symbol collisions # the proper fix is to link all perl modules against libperl # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585 -Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch -Patch24: openldap-openssl-manpage-defaultCA.patch +Patch6: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch -# The below patches come from upstream master and are necessary for Channel Binding -# (both tls-unique and tls-server-end-point) to work properly. -# Additionally, for Samba to be able to implement Channel Binding, the PEERCERT option -# is being included as well. 
-Patch50: openldap-cbinding-Add-channel-binding-support.patch -Patch51: openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch -Patch52: openldap-cbinding-ITS-8573-TLS-option-test-suite.patch -Patch53: openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch -Patch54: openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch -Patch55: openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch -Patch56: openldap-cbinding-Make-prototypes-available-where-needed.patch -Patch57: openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch -Patch58: openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch -Patch59: openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch -Patch60: openldap-cbinding-Fix-slaptest-in-test077.patch -Patch61: openldap-cbinding-Convert-test077-to-LDIF-config.patch -Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch -Patch63: openldap-cbinding-ITS-9215-fix-for-glibc-again.patch -Patch64: openldap-add-tls-sni-support-to-libldap.patch +# System-wide default for CA certs +Patch7: openldap-openssl-manpage-defaultCA.patch +Patch8: openldap-fix-missing-mapping.patch # check-password module specific patches Patch90: check-password-makefile.patch Patch91: check-password.patch -BuildRequires: make -BuildRequires: cyrus-sasl-devel, openssl-devel, krb5-devel, unixODBC-devel -BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-interpreter, perl-devel, perl-generators, perl(ExtUtils::Embed) +BuildRequires: cyrus-sasl-devel BuildRequires: gcc +BuildRequires: glibc-devel +BuildRequires: groff +BuildRequires: krb5-devel +BuildRequires: libtool-ltdl-devel +BuildRequires: libevent-devel +BuildRequires: make +BuildRequires: openssl-devel +BuildRequires: perl(ExtUtils::Embed) +BuildRequires: perl-devel +BuildRequires: perl-generators +BuildRequires: perl-interpreter +BuildRequires: unixODBC-devel %description OpenLDAP is an open source suite of LDAP (Lightweight Directory Access 
@@ -79,7 +77,8 @@ libraries, and documentation for OpenLDAP. %package devel Summary: LDAP development libraries and header files -Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa} +Requires: openldap%{?_isa} = %{version}-%{release} +Requires: cyrus-sasl-devel%{?_isa} %description devel The openldap-devel package includes the development libraries and 
@@ -94,27 +93,33 @@ Summary: Package providing legacy non-threaded libldap Requires: openldap%{?_isa} = %{version}-%{release} # since libldap is manually linked from libldap_r, the provides is not generated automatically %ifarch armv7hl i686 -Provides: libldap-2.4.so.%{so_ver} +Provides: libldap-2.4.so.%{so_ver_compat} +Provides: libldap_r-2.4.so.%{so_ver_compat} +Provides: liblber-2.4.so.%{so_ver_compat} +Provides: libslapi-2.4.so.%{so_ver_compat} %else -Provides: libldap-2.4.so.%{so_ver}()(%{__isa_bits}bit) +Provides: libldap-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit) +Provides: libldap_r-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit) +Provides: liblber-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit) +Provides: libslapi-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit) %endif %description compat -The openldap-compat package contains non-threaded variant of libldap -which should not be used. Instead, applications should link to libldap_r -which provides thread-safe variant with the very same API. +The openldap-compat package contains shared libraries named as libldap-2.4.so, +libldap_r-2.4.so, liblber-2.4.so and libslapi-2.4.so. +The libraries are just links to the current version shared libraries, +and are available for compatibility reasons. %package servers Summary: LDAP server License: OpenLDAP -Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils +Requires: openldap%{?_isa} = %{version}-%{release} Requires(pre): shadow-utils BuildRequires: systemd -%{?systemd_requires} -BuildRequires: libdb-devel BuildRequires: cracklib-devel # migrationtools (slapadd functionality): Provides: ldif2ldbm +%{?systemd_requires} %description servers OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access 
@@ -141,33 +146,14 @@ programs needed for accessing and modifying OpenLDAP directories. %setup -q -c -a 0 -a 10 pushd openldap-%{version} - %patch0 -p1 -%patch2 -p1 +%patch1 -p1 %patch3 -p1 +%patch4 -p1 %patch5 -p1 -%patch17 -p1 -%patch19 -p1 -%patch24 -p1 -%patch50 -p1 -%patch51 -p1 -%patch52 -p1 -%patch53 -p1 -%patch54 -p1 -%patch55 -p1 -%patch56 -p1 -%patch57 -p1 -%patch58 -p1 -%patch59 -p1 -%patch60 -p1 -%patch61 -p1 -%patch62 -p1 -%patch63 -p1 -%patch64 -p1 - -# The change is needed for autoconf-2.71 -sed 's@^AM_INIT_AUTOMAKE.*@AC_PROG_MAKE_SET@' -i configure.in -AUTOMAKE=%{_bindir}/true autoreconf -f -i +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 # build smbk5pwd with other overlays ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays @@ -181,13 +167,13 @@ mv servers/slapd/back-perl/README{,.back_perl} # fix documentation encoding for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do - iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8" - mv "$filename.utf8" "$filename" + iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8" + mv "$filename.utf8" "$filename" done popd -pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +pushd openldap-ppolicy-check-password-%{check_password_version} %patch90 -p1 %patch91 -p1 popd @@ -196,12 +182,13 @@ popd %set_build_flags # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS) -export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS -DOPENSSL_NO_MD2" +export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS" pushd openldap-%{version} %configure \ --enable-debug \ --enable-dynamic \ + --enable-versioning \ \ --enable-dynacl \ --enable-cleartext \ @@ -209,6 +196,7 @@ pushd openldap-%{version} --enable-lmpasswd \ --enable-spasswd \ --enable-modules \ + --enable-perl \ --enable-rewrite \ --enable-rlookups \ --enable-slapi \ 
@@ -221,11 +209,14 @@ pushd openldap-%{version} --enable-monitor=yes \ --disable-ndb \ --disable-sql \ + --disable-wt \ \ --enable-overlays=mod \ \ --disable-static \ \ + --enable-balancer=mod \ + \ --with-cyrus-sasl \ --without-fetch \ --with-threads \ @@ -237,7 +228,7 @@ pushd openldap-%{version} %make_build popd -pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +pushd openldap-ppolicy-check-password-%{check_password_version} %make_build LDAP_INC="-I../openldap-%{version}/include \ -I../openldap-%{version}/servers/slapd \ -I../openldap-%{version}/build-servers/include" @@ -252,7 +243,7 @@ pushd openldap-%{version} popd # install check_password module -pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +pushd openldap-ppolicy-check-password-%{check_password_version} mv check_password.so check_password.so.%{check_password_version} ln -s check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/check_password.so install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/ @@ -285,7 +276,7 @@ mkdir -p %{buildroot}%{_tmpfilesdir} install -m 0644 %SOURCE2 %{buildroot}%{_tmpfilesdir}/slapd.conf # install default ldap.conf (customized) -rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf +rm %{buildroot}%{_sysconfdir}/openldap/ldap.conf install -m 0644 %SOURCE4 %{buildroot}%{_sysconfdir}/openldap/ldap.conf # setup maintainance scripts 
@@ -293,15 +284,13 @@ mkdir -p %{buildroot}%{_libexecdir} install -m 0755 -d %{buildroot}%{_libexecdir}/openldap install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh -install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh # remove build root from config files and manual pages perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.* # we don't need the default files -- RPM handles changes -rm -f %{buildroot}%{_sysconfdir}/openldap/*.default -rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default +rm %{buildroot}%{_sysconfdir}/openldap/*.default # install an init script for the servers mkdir -p %{buildroot}%{_unitdir} 
@@ -311,90 +300,86 @@ install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/ # setup tools as symlinks to slapd -rm -f %{buildroot}%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} -rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} -for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done +for X in acl add auth cat dn index modify passwd test schema ; do + rm %{buildroot}%{_sbindir}/slap$X + ln -s slapd %{buildroot}%{_sbindir}/slap$X +done # re-symlink unversioned libraries, so ldconfig is not confused pushd %{buildroot}%{_libdir} v=%{version} version=$(echo ${v%.[0-9]*}) -for lib in liblber libldap libldap_r libslapi; do - rm -f ${lib}.so - ln -s ${lib}-${version}.so.%{so_ver} ${lib}.so +for lib in liblber libldap libslapi; do + rm -f ${lib}.so + ln -s ${lib}.so.%{so_ver} ${lib}.so done -# provide only libldap_r and copy it to libldap, make a versioned lib link -rm -f libldap.so -ln -s libldap_r.so "%{buildroot}%{_libdir}/libldap.so" -rm -f libldap-*.so.* -for lib in $(ls | grep libldap_r-); do +for lib in $(ls | grep libldap); do IFS='.' 
read -r -a libsplit <<< "$lib" - if [ -z "${libsplit[4]}" ] + if [[ -z "${libsplit[3]}" && -n "${libsplit[2]}" ]] then - so_ver_short="${libsplit[3]}" - unset IFS - gcc -shared -o "%{buildroot}%{_libdir}/libldap-${version}.so.${so_ver_short}" -Wl,--no-as-needed \ - -Wl,-soname -Wl,libldap-${version}.so.${so_ver_short} -L "%{buildroot}%{_libdir}" -lldap_r - else - so_ver_full="${libsplit[3]}.${libsplit[4]}.${libsplit[5]}" - unset IFS + so_ver_short_2_4="%{so_ver_compat}" + elif [ -n "${libsplit[3]}" ] + then + so_ver_full_2_4="%{so_ver_compat}.${libsplit[3]}.${libsplit[4]}" fi + unset IFS done -ln -s libldap-${version}.so.{${so_ver_short},${so_ver_full}} + +# Provide only libldap and copy it to libldap_r for both 2.4 and 2.6+ versions, make a versioned lib link +# We increase it by 2 because libldap-2.4 has the 'so.2' major version on 2.4.59 (one of the last versions which is EOF) +gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed \ + -Wl,-soname -Wl,libldap-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -lldap +gcc -shared -o "%{buildroot}%{_libdir}/libldap_r-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed \ + -Wl,-soname -Wl,libldap_r-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -lldap +gcc -shared -o "%{buildroot}%{_libdir}/liblber-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed \ + -Wl,-soname -Wl,liblber-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -llber +gcc -shared -o "%{buildroot}%{_libdir}/libslapi-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed \ + -Wl,-soname -Wl,libslapi-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -lslapi +ln -s libldap-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}} +ln -s libldap_r-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}} +ln -s liblber-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}} +ln -s libslapi-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}} popd # tweak permissions on the libraries to make sure they're correct chmod 0755 
%{buildroot}%{_libdir}/lib*.so* chmod 0644 %{buildroot}%{_libdir}/lib*.*a +chmod 0644 %{buildroot}%{_libdir}/openldap/*.la # slapd.conf(5) is obsoleted since 2.3, see slapd-config(5) mkdir -p %{buildroot}%{_datadir} install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers install -m 0644 %SOURCE3 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif +install -m 0644 %SOURCE5 %{buildroot}%{_datadir}/openldap-servers/UPGRADE_INSTRUCTIONS install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d -rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf -rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif +rm %{buildroot}%{_sysconfdir}/openldap/slapd.conf +rm %{buildroot}%{_sysconfdir}/openldap/slapd.ldif # move doc files out of _sysconfdir mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema -mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example -chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example # remove files which we don't want packaged -rm -f %{buildroot}%{_libdir}/*.la # because we do not want files in %{_libdir}/openldap/ removed, yet - -rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example -rmdir %{buildroot}%{_localstatedir}/openldap-data +rm %{buildroot}%{_libdir}/*.la # because we do not want files in %{_libdir}/openldap/ removed, yet %ldconfig_scriptlets %pre servers - # create ldap user and group getent group ldap &>/dev/null || groupadd -r -g 55 ldap getent passwd ldap &>/dev/null || \ useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap - -if [ $1 -eq 2 ]; then - # package upgrade - - old_version=$(rpm -q --qf=%%{version} openldap-servers) - new_version=%{version} - - if [ "$old_version" != "$new_version" ]; then - touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null - fi -fi - exit 0 - %post servers %systemd_post slapd.service +# If it's not upgrade - we remove the UPGRADE_INSTRUCTIONS +if [ 
$1 -lt 2 ] ; then + rm %{_datadir}/openldap-servers/UPGRADE_INSTRUCTIONS +fi # generate configuration if necessary if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \ ! -f %{_sysconfdir}/openldap/slapd.conf @@ -406,26 +391,9 @@ if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \ %{systemctl_bin} try-restart slapd.service &>/dev/null fi -start_slapd=0 - -# upgrade the database -if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then - if %{systemctl_bin} --quiet is-active slapd.service; then - %{systemctl_bin} stop slapd.service - start_slapd=1 - fi - - %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null - rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap -fi - # restart after upgrade if [ $1 -ge 1 ]; then - if [ $start_slapd -eq 1 ]; then - %{systemctl_bin} start slapd.service &>/dev/null || : - else - %{systemctl_bin} condrestart slapd.service &>/dev/null || : - fi + %{systemctl_bin} condrestart slapd.service &>/dev/null || : fi exit 0 
@@ -436,41 +404,6 @@ exit 0 %postun servers %systemd_postun_with_restart slapd.service -%triggerin servers -- libdb - -# libdb upgrade (setup for %%triggerun) -if [ $2 -eq 2 ]; then - # we are interested in minor version changes (both versions of libdb are installed at this moment) - if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then - touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb - else - rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb - fi -fi - -exit 0 - - -%triggerun servers -- libdb - -# libdb upgrade (finish %%triggerin) -if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then - if %{systemctl_bin} --quiet is-active slapd.service; then - %{systemctl_bin} stop slapd.service - start=1 - else - start=0 - fi - - %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null - rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb - - [ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null -fi - -exit 0 - - %files %doc openldap-%{version}/ANNOUNCEMENT %doc openldap-%{version}/CHANGES @@ -481,9 +414,9 @@ exit 0 %dir %{_sysconfdir}/openldap/certs %config(noreplace) %{_sysconfdir}/openldap/ldap.conf %dir %{_libexecdir}/openldap/ -%{_libdir}/liblber-2.4*.so.* -%{_libdir}/libldap_r-2.4*.so.* -%{_libdir}/libslapi-2.4*.so.* +%{_libdir}/liblber*.so.* +%{_libdir}/libldap*.so.* +%{_libdir}/libslapi*.so.* %{_mandir}/man5/ldif.5* %{_mandir}/man5/ldap.conf.5* 
@@ -493,8 +426,7 @@ exit 0 %doc openldap-%{version}/doc/guide/admin/*.png %doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm %doc openldap-%{version}/servers/slapd/back-perl/README.back_perl -%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl -%doc ltb-project-openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd +%doc openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd %doc README.schema %config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d %config(noreplace) %{_sysconfdir}/openldap/schema @@ -505,27 +437,32 @@ exit 0 %{_unitdir}/slapd.service %{_datadir}/openldap-servers/ %{_libdir}/openldap/accesslog* -%{_libdir}/openldap/auditlog* %{_libdir}/openldap/allop* +%{_libdir}/openldap/auditlog* +%{_libdir}/openldap/autoca* +%{_libdir}/openldap/back_asyncmeta* %{_libdir}/openldap/back_dnssrv* %{_libdir}/openldap/back_ldap* %{_libdir}/openldap/back_meta* %{_libdir}/openldap/back_null* %{_libdir}/openldap/back_passwd* %{_libdir}/openldap/back_relay* -%{_libdir}/openldap/back_shell* %{_libdir}/openldap/back_sock* -%{_libdir}/openldap/back_perl* +%{_libdir}/openldap/check_password* %{_libdir}/openldap/collect* %{_libdir}/openldap/constraint* %{_libdir}/openldap/dds* %{_libdir}/openldap/deref* %{_libdir}/openldap/dyngroup* %{_libdir}/openldap/dynlist* +%{_libdir}/openldap/home* +%{_libdir}/openldap/lloadd* %{_libdir}/openldap/memberof* +%{_libdir}/openldap/otp* %{_libdir}/openldap/pcache* %{_libdir}/openldap/ppolicy* %{_libdir}/openldap/refint* +%{_libdir}/openldap/remoteauth* %{_libdir}/openldap/retcode* %{_libdir}/openldap/rwm* %{_libdir}/openldap/seqmod* 
@@ -535,14 +472,14 @@ exit 0 %{_libdir}/openldap/translucent* %{_libdir}/openldap/unique* %{_libdir}/openldap/valsort* -%{_libdir}/openldap/check_password* %{_libexecdir}/openldap/functions %{_libexecdir}/openldap/check-config.sh -%{_libexecdir}/openldap/upgrade-db.sh %{_sbindir}/sl* %{_mandir}/man8/* +%{_mandir}/man5/lloadd.conf.5* %{_mandir}/man5/slapd*.5* %{_mandir}/man5/slapo-*.5* +%{_mandir}/man5/slappw-argon2.5* # obsolete configuration %ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf 
@@ -552,15 +489,42 @@ exit 0 %files devel %doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc -%{_libdir}/lib*.so +%{_libdir}/liblber.so +%{_libdir}/libldap.so +%{_libdir}/libslapi.so %{_includedir}/* +%{_libdir}/pkgconfig/lber.pc +%{_libdir}/pkgconfig/ldap.pc %{_mandir}/man3/* - %files compat %{_libdir}/libldap-2.4*.so.* +%{_libdir}/libldap_r-2.4*.so.* +%{_libdir}/liblber-2.4*.so.* +%{_libdir}/libslapi-2.4*.so.* %changelog +* Mon Jan 31 2022 Simon Pichugin - 2.6.1-1 +- Update to new major release OpenLDAP 2.6.1 (#1955293) + + rediff all patches and remove patches now upstream + + use upstream source location for check password module + + and rediff patch due to this + + add patch to fix build issue in 2.5.4 (from upstream) + + clean and sort buildreqs + + remove various refs to bdb + + remove now default -DLDAP_USE_NON_BLOCKING_TLS + + add new modules and enable load balancer as module + + disable wiredtired backend due to missing build deps + + don't remove files that don't exist + + let check-config work on *.mdb over legacy files + + remove refs to old-style config + + new soname names + + remove libldap_r link as the library was merged with libldap + + refactor openldap-compat package to support the transition from 2.4 + + add UPGRADE_INSTRUCTIONS for openldap-server upgrade +- The original patch was submitted by Fedora user - terjeros + https://src.fedoraproject.org/rpms/openldap/pull-request/6 + * Mon Jan 24 2022 Timm Bäder - 2.4.59-6 - Disable automatic .la file removal - https://fedoraproject.org/wiki/Changes/RemoveLaFiles diff --git a/slapd.ldif b/slapd.ldif index a4ae4c0..e7449c1 100644 --- a/slapd.ldif +++ b/slapd.ldif 
@@ -42,36 +42,41 @@ cn: config # # Load dynamic backend modules: # - modulepath is architecture dependent value (32/64-bit system) -# - back_sql.la backend requires openldap-servers-sql package # - dyngroup.la and dynlist.la cannot be used at the same time # #dn: cn=module,cn=config #objectClass: olcModuleList #cn: module -#olcModulepath: /usr/lib/openldap -#olcModulepath: /usr/lib64/openldap +#olcModulepath: /usr/lib/openldap +#olcModulepath: /usr/lib64/openldap #olcModuleload: accesslog.la +#olcModuleload: allop.la #olcModuleload: auditlog.la +#olcModuleload: autoca.la +#olcModuleload: back_asyncmeta.la #olcModuleload: back_dnssrv.la #olcModuleload: back_ldap.la -#olcModuleload: back_mdb.la #olcModuleload: back_meta.la #olcModuleload: back_null.la #olcModuleload: back_passwd.la #olcModuleload: back_relay.la -#olcModuleload: back_shell.la #olcModuleload: back_sock.la +#olcModuleload: check_password.la #olcModuleload: collect.la #olcModuleload: constraint.la #olcModuleload: dds.la #olcModuleload: deref.la #olcModuleload: dyngroup.la #olcModuleload: dynlist.la +#olcModuleload: home.la +#olcModuleload: lloadd.la #olcModuleload: memberof.la +#olcModuleload: otp.la #olcModuleload: pcache.la #olcModuleload: ppolicy.la #olcModuleload: refint.la +#olcModuleload: remoteauth.la #olcModuleload: retcode.la #olcModuleload: rwm.la #olcModuleload: seqmod.la diff --git a/slapd.service b/slapd.service index 30821fd..02fab7f 100644 --- a/slapd.service +++ b/slapd.service @@ -3,7 +3,6 @@ Description=OpenLDAP Server Daemon After=syslog.target network-online.target Documentation=man:slapd Documentation=man:slapd-config -Documentation=man:slapd-hdb Documentation=man:slapd-mdb Documentation=file:///usr/share/doc/openldap-servers/guide.html diff --git a/sources b/sources index d5dfa58..3ecf658 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (ltb-project-openldap-ppolicy-check-password-1.1.tar.gz) = f3384a164ce5db488908cf6380bad8500b800b09d12a8f04e1b6ccb6f6af6ab3971fcdbe4acca7a1b6d16b408a11065c2b1ab2497863fe07d3c28262b0f6776e -SHA512 (openldap-2.4.59.tgz) = 233459ab446da6e107a7fc4ecd5668d6b08c11a11359ee76449550393e8f586a29b59d7ae09a050a1fca4fcf388ea61438ef60831b3ae802d92c048365ae3968 +SHA512 (openldap-2.6.1.tgz) = bdb961225313bc2717aabac7ba1dfcaabba7c933ab1c28959315b5e88074af0575f082c329fdfc0adde61b6b0e56315305156cee7eb879bc8e48b47cb9f5cd58 +SHA512 (openldap-ppolicy-check-password-1.1.tar.gz) = a92854d7438cb95fac361da80a49d084d502155e8ce0ad2ea679db9529bbe0182aa4354e6139793c775e496349375d8f017678941d23315ff1c20fefc9573cdc
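Review bot: the comment `# since libldap is manually linked from libldap_r, the provides is not generated automatically` in the @@ -94,27 hunk of the spec is now backwards: after this change libldap_r-2.4.so (and the other -2.4 names) are shims built from libldap with the `gcc -shared ... -lldap` lines later in the patch, so the comment should say that the -2.4 compat sonames are hand-built shims and therefore need explicit `Provides:` entries. The `%description compat` text is fine, but "just links" is slightly inaccurate: they are small shared objects with a DT_NEEDED on the real library, not symlinks.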
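Review bot: the @@ -141,33 hunk drops the `sed 's@^AM_INIT_AUTOMAKE.*@AC_PROG_MAKE_SET@' -i configure.in` / `autoreconf -f -i` workaround for autoconf 2.71 without a replacement, so the `configure` script shipped in the 2.6.1 tarball is now used as-is. Either confirm that script already handles the current autoconf, or note which of the new `%patch4` to `%patch8` covers it (the commit message mentions a build-fix patch taken from upstream).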
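Review bot: the CFLAGS line in the @@ -196,12 hunk also drops `-DOPENSSL_NO_MD2`, which neither the commit message nor the changelog mentions (only `-DLDAP_USE_NON_BLOCKING_TLS` is called out as "now default"). If this is deliberate because 2.6 no longer references MD2, say so in the changelog; otherwise keep the define so the MD2 code path stays compiled out as before.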
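Review bot: the four `gcc -shared -o "%{buildroot}%{_libdir}/lib*-2.4.so.${so_ver_short_2_4}" ...` shim builds in the @@ -311,90 hunk run in `%install` without the `${CFLAGS} ${LDFLAGS}` that `%set_build_flags` provides to the rest of the build, so the compat libraries miss the hardening linker options the real libraries get; pass `%{build_ldflags}` (or `${LDFLAGS}`) to each invocation. Two more issues in the same hunk: if the `for lib in $(ls | grep libldap)` loop never matches a `libldap.so.N` / `libldap.so.N.x.y` name, `so_ver_short_2_4` and `so_ver_full_2_4` stay empty and the `ln -s libldap-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}}` lines produce broken names instead of failing, so add `[ -n "$so_ver_short_2_4" ] && [ -n "$so_ver_full_2_4" ] || exit 1` before the `gcc` lines; and `rm %{_datadir}/openldap-servers/UPGRADE_INSTRUCTIONS` in `%post servers` deletes a file the package owns (`%files servers` packages `%{_datadir}/openldap-servers/`), so `rpm -V openldap-servers` will report it missing on every fresh install; mark it `%ghost` or leave the file in place. Also "EOF" in the new comment should be "EOL".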
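Review bot: with `upgrade-db.sh` and the `rpm_upgrade_openldap` marker removed, the `%{systemctl_bin} condrestart slapd.service` kept in the @@ -406,26 hunk restarts a running server on upgrade even when its `cn=config` still names an `hdb`/`bdb` database that 2.6.1 can no longer load (this commit drops bdb support and removes `slapd-hdb` from the unit's `Documentation=`), so a 2.4 deployment would stop and not come back. Detect `olcDatabase: {N}hdb` / `{N}bdb` under `%{_sysconfdir}/openldap/slapd.d` in `%pre servers` (or in check-config.sh) and print a pointer to `%{_datadir}/openldap-servers/UPGRADE_INSTRUCTIONS` instead of restarting blindly.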
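Review bot: the widened globs in the @@ -481,9 `%files` hunk, `%{_libdir}/libldap*.so.*`, `%{_libdir}/liblber*.so.*` and `%{_libdir}/libslapi*.so.*`, also match the `libldap-2.4.so.*`, `libldap_r-2.4.so.*`, `liblber-2.4.so.*` and `libslapi-2.4.so.*` shims that the `%files compat` hunk lists, so the compat libraries land in the base `openldap` package as well and `openldap-compat` no longer isolates them. Since the 2.6 libraries are now named `lib*.so.%{so_ver}` (see the `ln -s ${lib}.so.%{so_ver} ${lib}.so` loop), use `%{_libdir}/libldap.so.*`, `%{_libdir}/liblber.so.*` and `%{_libdir}/libslapi.so.*`.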
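Review bot: `%{_libdir}/openldap/back_perl*` is removed from `%files servers` in the @@ -505,27 hunk while `--enable-perl` is added to `%configure` in the @@ -209,6 hunk. If that builds back-perl into slapd statically, say so in the changelog (it also makes slapd link libperl); if it builds a module, the build will fail on an unpackaged `back_perl.*` file. The back-perl docs (`SampleLDAP.pm`, `README.back_perl`) are still shipped, so confirm which of the two is intended.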
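Review bot: `%{_mandir}/man5/slappw-argon2.5*` is added in the @@ -535,14 hunk, but no `pw-argon2*` (or any other `pw-*`) module file appears in `%files servers` and no `--enable-argon2` appears in the visible `%configure` hunks, so the man page documents a password hash module the package does not ship. Either add the module (with its build dependency) or drop the man page.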
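Review bot: the changelog entry in the @@ -552,15 hunk says `disable wiredtired backend`; the backend is WiredTiger (`--disable-wt`), so fix the spelling there (the commit message carries the same typo). Listing the three `.so` links explicitly in `%files devel` instead of `%{_libdir}/lib*.so` is the right call now that the -2.4 shims live in `%{_libdir}`.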
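Review bot: `#olcModuleload: check_password.la` in the slapd.ldif hunk is misleading: the LTB check_password library is a ppolicy password checker loaded through the password policy entry's `pwdCheckModule` attribute, not a slapd module with an `init_module` entry point, so uncommenting that line would make slapd reject the configuration. Drop it from the module list and mention `pwdCheckModule` next to `ppolicy.la` instead.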
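Review bot: the two SHA512 values in the `sources` hunk cannot be checked from the diff itself; before merging, verify `openldap-2.6.1.tgz` against the checksum and PGP signature published with the release on openldap.org, and `openldap-ppolicy-check-password-1.1.tar.gz` against the LTB project's release artefact, since the commit message says the module tarball now comes from a different location and the file name has lost its `ltb-project-` prefix. The corresponding `Source:` URL change is not in the visible hunks, so please also confirm it is HTTPS and pinned to a release tag.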