From 04698e993a6e30d26adf50d710e1d8c1738434c7 Mon Sep 17 00:00:00 2001 
From: James Antill
Date: Thu, 26 May 2022 12:27:44 -0400
Subject: [PATCH] Auto sync2gitlab import of openldap-2.4.46-18.el8.src.rpm
---
.gitignore | 2 +
EMPTY | 1 -
check-password-makefile.patch | 41 +
check-password.patch | 321 +++
ldap.conf | 28 +
libexec-check-config.sh | 91 +
libexec-functions | 134 +
libexec-upgrade-db.sh | 40 +
openldap-add-TLS_REQSAN-option.patch | 339 +++
openldap-ai-addrconfig.patch | 20 +
openldap-allop-overlay.patch | 40 +
...cbinding-Add-channel-binding-support.patch | 291 +++
...nding-Convert-test077-to-LDIF-config.patch | 167 ++
...dap-cbinding-Fix-slaptest-in-test077.patch | 62 +
...ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch | 220 ++
...-Add-missing-URI-variables-for-tests.patch | 70 +
...nding-ITS-8573-TLS-option-test-suite.patch | 2108 ++++++++++++++++
...ll-libldap-options-in-tools-o-option.patch | 582 +++++
...-9189_1-rework-sasl-cbinding-support.patch | 631 +++++
...TS-9189_2-add-channel-bindings-tests.patch | 190 ++
...ize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch | 27 +
...ke-prototypes-available-where-needed.patch | 64 +
...dap-cbinding-Update-keys-to-RSA-4096.patch | 526 ++++
...-cbinding-auth-add-SASL-GSSAPI-tests.patch | 487 ++++
...dap-change-TLS_REQSAN-default-to-TRY.patch | 46 +
...-check-for-error-on-connected-socket.patch | 41 +
openldap-ldapi-sasl.patch | 55 +
openldap-manpages.patch | 73 +
...dap-openssl-ITS7595-Add-EC-support-1.patch | 227 ++
...dap-openssl-ITS7595-Add-EC-support-2.patch | 34 +
openldap-openssl-manpage-defaultCA.patch | 48 +
openldap-reentrant-gethostby.patch | 33 +
openldap-smbk5pwd-overlay.patch | 62 +
..._dlopenadvise-to-get-RTLD_GLOBAL-set.patch | 41 +
openldap.spec | 2177 +++++++++++++++++
slapd.ldif | 158 ++
slapd.service | 17 +
slapd.tmpfiles | 2 +
sources | 2 +
39 files changed, 9497 insertions(+), 1 deletion(-)
create mode 100644 .gitignore
delete mode 100644 EMPTY
create mode 100644 check-password-makefile.patch
create mode 100644 check-password.patch
create mode 100644 ldap.conf
create mode 100755 libexec-check-config.sh
create mode 100644 libexec-functions
create mode 100755 libexec-upgrade-db.sh
create mode 100644 openldap-add-TLS_REQSAN-option.patch
create mode 100644 openldap-ai-addrconfig.patch
create mode 100644 openldap-allop-overlay.patch
create mode 100644 openldap-cbinding-Add-channel-binding-support.patch
create mode 100644 openldap-cbinding-Convert-test077-to-LDIF-config.patch
create mode 100644 openldap-cbinding-Fix-slaptest-in-test077.patch
create mode 100644 openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
create mode 100644 openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch
create mode 100644 openldap-cbinding-ITS-8573-TLS-option-test-suite.patch
create mode 100644 openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch
create mode 100644 openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch
create mode 100644 openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
create mode 100644 openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch
create mode 100644 openldap-cbinding-Make-prototypes-available-where-needed.patch
create mode 100644 openldap-cbinding-Update-keys-to-RSA-4096.patch
create mode 100644 openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
create mode 100644 openldap-change-TLS_REQSAN-default-to-TRY.patch
create mode 100644 openldap-cldap-check-for-error-on-connected-socket.patch
create mode 100644 openldap-ldapi-sasl.patch
create mode 100644 openldap-manpages.patch
create mode 100644 openldap-openssl-ITS7595-Add-EC-support-1.patch
create mode 100644 openldap-openssl-ITS7595-Add-EC-support-2.patch
create mode 100644 openldap-openssl-manpage-defaultCA.patch
create mode 100644 openldap-reentrant-gethostby.patch
create mode 100644 openldap-smbk5pwd-overlay.patch
create mode 100644 openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
create mode 100644 openldap.spec
create mode 100644 slapd.ldif
create mode 100644 slapd.service
create mode 100644 slapd.tmpfiles
create mode 100644 sources
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6c99406
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+/openldap-2.4.46.tgz
diff --git a/EMPTY b/EMPTY
deleted file mode 100644
index 0519ecb..0000000
--- a/EMPTY
+++ /dev/null
@@ -1 +0,0 @@
-
\ No newline at end of file
diff --git a/check-password-makefile.patch b/check-password-makefile.patch
new file mode 100644
index 0000000..f39ba81
--- /dev/null
+++ b/check-password-makefile.patch
@@ -0,0 +1,41 @@
+--- a/Makefile 2009-10-31 18:59:06.000000000 +0100
++++ b/Makefile 2014-12-17 09:42:37.586079225 +0100
+@@ -13,22 +13,11 @@
+ #
+ CONFIG=/etc/openldap/check_password.conf
+ 
+-OPT=-g -O2 -Wall -fpic \
+- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+- -DCONFIG_FILE="\"$(CONFIG)\"" \
++CFLAGS+=-fpic \
++ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
++ -DCONFIG_FILE="\"$(CONFIG)\"" \
+ -DDEBUG
+ 
+-# Where to find the OpenLDAP headers.
+-#
+-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
+- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
+-
+-# Where to find the CrackLib headers.
+-#
+-CRACK_INC=
+-
+-INCS=$(LDAP_INC) $(CRACK_INC)
+-
+ LDAP_LIB=-lldap_r -llber
+ 
+ # Comment out this line if you do NOT want to use the cracklib.
+@@ -45,10 +34,10 @@
+ all: check_password
+ 
+ check_password.o:
+- $(CC) $(OPT) -c $(INCS) check_password.c
++ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+ 
+ check_password: clean check_password.o
+- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
++ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ 
+ install: check_password
+ cp -f check_password.so ../../../usr/lib/openldap/modules/
diff --git a/check-password.patch b/check-password.patch
new file mode 100644
index 0000000..7a79e95
--- /dev/null
+++ b/check-password.patch
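Review bot: The new compile line `$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c` still references `LDAP_INC`, but the same hunk deletes the only definition of `LDAP_INC` (and of `INCS`), so make now expands it to nothing unless the caller supplies it — presumably the spec invokes `make LDAP_INC=...`, but nothing in the Makefile says so. A one-line comment above the recipe would make the contract explicit, e.g. `# LDAP_INC must be passed by the caller (make LDAP_INC="-I..."); the in-tree default was removed.` Note also that `-DDEBUG` is kept in `CFLAGS`, so the syslog traces that check_password.c emits under `#if defined(DEBUG)` stay enabled in the packaged module; if that is intended, say so in a comment. The pre-existing `check_password: clean check_password.o` prerequisite on `clean` forces a full rebuild on every invocation and is untouched by this patch.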
@@ -0,0 +1,321 @@ +--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100 ++++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100 +@@ -10,7 +10,7 @@ + #include + + #ifdef HAVE_CRACKLIB +-#include "crack.h" ++#include + #endif + + #if defined(DEBUG) +@@ -34,18 +34,77 @@ + #define PASSWORD_TOO_SHORT_SZ \ + "Password for dn=\"%s\" is too short (%d/6)" + #define PASSWORD_QUALITY_SZ \ +- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)" ++ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)" + #define BAD_PASSWORD_SZ \ + "Bad password for dn=\"%s\" because %s" ++#define UNKNOWN_ERROR_SZ \ ++ "An unknown error occurred, please see your systems administrator" + + typedef int (*validator) (char*); +-static int read_config_file (char *); ++static int read_config_file (); + static validator valid_word (char *); + static int set_quality (char *); + static int set_cracklib (char *); + + int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); + ++struct config_entry { ++ char* key; ++ char* value; ++ char* def_value; ++} config_entries[] = { { "minPoints", NULL, "3"}, ++ { "useCracklib", NULL, "1"}, ++ { "minUpper", NULL, "0"}, ++ { "minLower", NULL, "0"}, ++ { "minDigit", NULL, "0"}, ++ { "minPunct", NULL, "0"}, ++ { NULL, NULL, NULL }}; ++ ++int get_config_entry_int(char* entry) { ++ struct config_entry* centry = config_entries; ++ ++ int i = 0; ++ char* key = centry[i].key; ++ while (key != NULL) { ++ if ( strncmp(key, entry, strlen(key)) == 0 ) { ++ if ( centry[i].value == NULL ) { ++ return atoi(centry[i].def_value); ++ } ++ else { ++ return atoi(centry[i].value); ++ } ++ } ++ i++; ++ key = centry[i].key; ++ } ++ ++ return -1; ++} ++ ++void dealloc_config_entries() { ++ struct config_entry* centry = config_entries; ++ ++ int i = 0; ++ while (centry[i].key != NULL) { ++ if ( centry[i].value != NULL ) { ++ ber_memfree(centry[i].value); ++ } ++ i++; ++ } ++} 
++ ++char* chomp(char *s) ++{ ++ char* t = ber_memalloc(strlen(s)+1); ++ strncpy (t,s,strlen(s)+1); ++ ++ if ( t[strlen(t)-1] == '\n' ) { ++ t[strlen(t)-1] = '\0'; ++ } ++ ++ return t; ++} ++ + static int set_quality (char *value) + { + #if defined(DEBUG) +@@ -84,12 +143,12 @@ + char * parameter; + validator dealer; + } list[] = { { "minPoints", set_quality }, +- { "useCracklib", set_cracklib }, +- { "minUpper", set_digit }, +- { "minLower", set_digit }, +- { "minDigit", set_digit }, +- { "minPunct", set_digit }, +- { NULL, NULL } }; ++ { "useCracklib", set_cracklib }, ++ { "minUpper", set_digit }, ++ { "minLower", set_digit }, ++ { "minDigit", set_digit }, ++ { "minPunct", set_digit }, ++ { NULL, NULL } }; + int index = 0; + + #if defined(DEBUG) +@@ -98,7 +157,7 @@ + + while (list[index].parameter != NULL) { + if (strlen(word) == strlen(list[index].parameter) && +- strcmp(list[index].parameter, word) == 0) { ++ strcmp(list[index].parameter, word) == 0) { + #if defined(DEBUG) + syslog(LOG_NOTICE, "check_password: Parameter accepted."); + #endif +@@ -114,13 +173,15 @@ + return NULL; + } + +-static int read_config_file (char *keyWord) ++static int read_config_file () + { + FILE * config; + char * line; + int returnValue = -1; + +- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) { ++ line = ber_memcalloc(260, sizeof(char)); ++ ++ if ( line == NULL ) { + return returnValue; + } + +@@ -133,6 +194,8 @@ + return returnValue; + } + ++ returnValue = 0; ++ + while (fgets(line, 256, config) != NULL) { + char *start = line; + char *word, *value; +@@ -145,23 +208,40 @@ + + while (isspace(*start) && isascii(*start)) start++; + +- if (! isascii(*start)) ++ /* If we've got punctuation, just skip the line. */ ++ if ( ispunct(*start)) { ++#if defined(DEBUG) ++ /* Debug traces to syslog. 
*/ ++ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line); ++#endif + continue; ++ } + +- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) { +- if ((value = strtok(NULL, " \t")) == NULL) +- continue; ++ if( isascii(*start)) { ++ ++ struct config_entry* centry = config_entries; ++ int i = 0; ++ char* keyWord = centry[i].key; ++ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) { ++ while ( keyWord != NULL ) { ++ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) { + + #if defined(DEBUG) +- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); ++ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value); + #endif + +- returnValue = (*dealer)(value); ++ centry[i].value = chomp(value); ++ break; ++ } ++ i++; ++ keyWord = centry[i].key; ++ } ++ } + } + } +- + fclose(config); + ber_memfree(line); ++ + return returnValue; + } + +@@ -170,7 +250,7 @@ + if (curlen < nextlen + MEMORY_MARGIN) { + #if defined(DEBUG) + syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d", +- curlen, nextlen + MEMORY_MARGIN); ++ curlen, nextlen + MEMORY_MARGIN); + #endif + ber_memfree(*target); + curlen = nextlen + MEMORY_MARGIN; +@@ -180,7 +260,7 @@ + return curlen; + } + +- int ++int + check_password (char *pPasswd, char **ppErrStr, Entry *pEntry) + { + +@@ -210,20 +290,22 @@ + nLen = strlen (pPasswd); + if ( nLen < 6) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(PASSWORD_TOO_SHORT_SZ) + +- strlen(pEntry->e_name.bv_val) + 1); ++ strlen(PASSWORD_TOO_SHORT_SZ) + ++ strlen(pEntry->e_name.bv_val) + 1); + sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen); + goto fail; + } + +- /* Read config file */ +- minQuality = read_config_file("minPoints"); ++ if (read_config_file() == -1) { ++ syslog(LOG_ERR, "Warning: Could not read values from config file %s. 
Using defaults.", CONFIG_FILE); ++ } + +- useCracklib = read_config_file("useCracklib"); +- minUpper = read_config_file("minUpper"); +- minLower = read_config_file("minLower"); +- minDigit = read_config_file("minDigit"); +- minPunct = read_config_file("minPunct"); ++ minQuality = get_config_entry_int("minPoints"); ++ useCracklib = get_config_entry_int("useCracklib"); ++ minUpper = get_config_entry_int("minUpper"); ++ minLower = get_config_entry_int("minLower"); ++ minDigit = get_config_entry_int("minDigit"); ++ minPunct = get_config_entry_int("minPunct"); + + /** The password must have at least minQuality strength points with one + * point for the first occurrance of a lower, upper, digit and +@@ -232,8 +314,6 @@ + + for ( i = 0; i < nLen; i++ ) { + +- if ( nQuality >= minQuality ) break; +- + if ( islower (pPasswd[i]) ) { + minLower--; + if ( !nLower && (minLower < 1)) { +@@ -279,12 +359,23 @@ + } + } + +- if ( nQuality < minQuality ) { ++ /* ++ * If you have a required field, then it should be required in the strength ++ * checks. 
++ */ ++ ++ if ( ++ (minLower > 0 ) || ++ (minUpper > 0 ) || ++ (minDigit > 0 ) || ++ (minPunct > 0 ) || ++ (nQuality < minQuality) ++ ) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(PASSWORD_QUALITY_SZ) + +- strlen(pEntry->e_name.bv_val) + 2); ++ strlen(PASSWORD_QUALITY_SZ) + ++ strlen(pEntry->e_name.bv_val) + 2); + sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val, +- nQuality, minQuality); ++ nQuality, minQuality); + goto fail; + } + +@@ -306,7 +397,7 @@ + for ( j = 0; j < 3; j++ ) { + + snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \ +- CRACKLIB_DICTPATH, ext[j]); ++ CRACKLIB_DICTPATH, ext[j]); + + if (( fp = fopen ( filename, "r")) == NULL ) { + +@@ -326,9 +417,9 @@ + r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH); + if ( r != NULL ) { + mem_len = realloc_error_message(&szErrStr, mem_len, +- strlen(BAD_PASSWORD_SZ) + +- strlen(pEntry->e_name.bv_val) + +- strlen(r)); ++ strlen(BAD_PASSWORD_SZ) + ++ strlen(pEntry->e_name.bv_val) + ++ strlen(r)); + sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r); + goto fail; + } +@@ -342,15 +433,15 @@ + } + + #endif +- ++ dealloc_config_entries(); + *ppErrStr = strdup (""); + ber_memfree(szErrStr); + return (LDAP_SUCCESS); + + fail: ++ dealloc_config_entries(); + *ppErrStr = strdup (szErrStr); + ber_memfree(szErrStr); + return (EXIT_FAILURE); + + } +- diff --git a/ldap.conf b/ldap.conf new file mode 100644 index 0000000..02c595f --- /dev/null +++ b/ldap.conf 
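Review bot: `dealloc_config_entries()` frees each `config_entries[i].value` but never resets the pointer to NULL, and the table is a file-scope global that outlives a single `check_password()` call; on the next call any entry that `read_config_file()` does not reassign (the file cannot be opened and it returns -1 before the loop, or a key was removed from the file) is read through `atoi()` on freed memory by `get_config_entry_int()` and then freed a second time at exit. Change the free to `ber_memfree(centry[i].value); centry[i].value = NULL;` so a stale entry falls back to `def_value` as `get_config_entry_int()` already intends. The same global table is written by every password check with no locking, which looks like a data race once slapd handles two password modifications concurrently — worth confirming. Separately, both lookups use `strncmp(key, entry, strlen(key))`, a prefix match, so a line such as `minUpperX 5` would be accepted as `minUpper`; comparing full lengths, as `valid_word()` already does, would be tighter.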
@@ -0,0 +1,28 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT /etc/pki/tls/cert.pem
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON on
+
diff --git a/libexec-check-config.sh b/libexec-check-config.sh
new file mode 100755
index 0000000..87e377f
--- /dev/null
+++ b/libexec-check-config.sh
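Review bot: The shipped defaults document `TLS_CACERT` and `TLS_CIPHER_SUITE` but say nothing about `TLS_REQCERT` or the `TLS_REQSAN` keyword that this same import adds through openldap-add-TLS_REQSAN-option.patch, whose ldap.conf(5) text makes `allow` the library default, i.e. a server certificate whose SANs do not match the host name still passes when its CN matches. A commented example in the TLS block, e.g. `# Reject server certificates whose subjectAltName does not match the host name (see ldap.conf(5) TLS_REQSAN)` followed by `#TLS_REQSAN try`, would point administrators at the stricter check. The diffstat also lists openldap-change-TLS_REQSAN-default-to-TRY.patch, so the comment should state whichever default this build actually ships.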
@@ -0,0 +1,91 @@
+#!/bin/sh
+# Author: Jan Vcelak
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+ retcode=0
+ tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+ run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+ if [ $? -ne 0 ]; then
+ error "Checking configuration file failed:"
+ cat $tmp_slaptest >&2
+ retcode=1
+ fi
+ rm $tmp_slaptest
+ return $retcode
+}
+
+function check_certs_perms()
+{
+ retcode=0
+ for cert in `certificates`; do
+ run_as_ldap "/usr/bin/test -e \"$cert\""
+ if [ $? -ne 0 ]; then
+ error "TLS certificate/key/DB '%s' was not found." "$cert"
+ retcoder=1
+ continue
+ fi
+ run_as_ldap "/usr/bin/test -r \"$cert\""
+ if [ $? -ne 0 ]; then
+ error "TLS certificate/key/DB '%s' is not readable." "$cert"
+ retcode=1
+ fi
+ done
+ return $retcode
+}
+
+function check_db_perms()
+{
+ retcode=0
+ for dbdir in `databases`; do
+ [ -d "$dbdir" ] || continue
+ for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
+ run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+ if [ $? -ne 0 ]; then
+ error "Read/write permissions for DB file '%s' are required." "$dbfile"
+ retcode=1
+ fi
+ done
+ done
+ return $retcode
+}
+
+function check_everything()
+{
+ retcode=0
+ check_config_syntax || retcode=1
+ # TODO: need support for Mozilla NSS, disabling temporarily
+ #check_certs_perms || retcode=1
+ check_db_perms || retcode=1
+ return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this script."
+ exit 4
+fi
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+ if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+ error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+ else
+ check_everything
+ exit $?
+ fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+ if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+ error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+ else
+ error "Warning: Usage of a configuration file is obsolete!"
+ check_everything
+ exit $?
+ fi
+fi
+
+exit 1
diff --git a/libexec-functions b/libexec-functions
new file mode 100644
index 0000000..990d2b8
--- /dev/null
+++ b/libexec-functions
@@ -0,0 +1,134 @@
+# Author: Jan Vcelak
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+ SLAPD_USER=ldap
+ SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+ SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+ SLAPD_CONFIG_CUSTOM=
+ SLAPD_GLOBAL_OPTIONS=
+ SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+ user=
+ config_file=
+ config_dir=
+ while getopts :u:f:F: opt; do
+ case "$opt" in
+ u)
+ user="$OPTARG"
+ ;;
+ f)
+ config_file="$OPTARG"
+ ;;
+ F)
+ config_dir="$OPTARG"
+ ;;
+ esac
+ done
+
+ if [ -n "$user" ]; then
+ SLAPD_USER="$user"
+ fi
+
+ if [ -n "$config_dir" ]; then
+ SLAPD_CONFIG_DIR="$config_dir"
+ SLAPD_CONFIG_FILE=
+ SLAPD_CONFIG_CUSTOM=1
+ SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+ elif [ -n "$config_file" ]; then
+ SLAPD_CONFIG_DIR=
+ SLAPD_CONFIG_FILE="$config_file"
+ SLAPD_CONFIG_CUSTOM=1
+ SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+ fi
+}
+
+function uses_new_config()
+{
+ [ -n "$SLAPD_CONFIG_DIR" ]
+ return $?
+}
+
+function run_as_ldap()
+{
+ /sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+ return $?
+}
+
+function ldif_unbreak()
+{
+ sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+ sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+ slapcat $SLAPD_GLOBAL_OPTIONS -c \
+ -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+ ldif_unbreak | \
+ grep '^olcDbDirectory: ' | \
+ ldif_value
+}
+
+function databases_old()
+{
+ awk 'begin { database="" }
+ $1 == "database" { database=$2 }
+ $1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+ "$SLAPD_CONFIG_FILE"
+}
+
+function certificates_new()
+{
+ slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+ ldif_unbreak | \
+ grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+ ldif_value
+}
+
+function certificates_old()
+{
+ awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+ "$SLAPD_CONFIG_FILE"
+}
+
+function certificates()
+{
+ uses_new_config && certificates_new || certificates_old
+}
+
+function databases()
+{
+ uses_new_config && databases_new || databases_old
+}
+
+
+function error()
+{
+ format="$1\n"; shift
+ printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+ [ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+ . "$SLAPD_SYSCONFIG_FILE"
+ [ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config
diff --git a/libexec-upgrade-db.sh b/libexec-upgrade-db.sh
new file mode 100755
index 0000000..1543c80
--- /dev/null
+++ b/libexec-upgrade-db.sh
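Review bot: `error()` expands its arguments as `printf "$format" $@` — unquoted — so a path containing whitespace (a certificate or DB file name reported by the check scripts) is split into several `%s` arguments and the message comes out wrong; it should be `printf "$format" "$@" >&2`. Also, `parse_config_options()` stores `-F '$config_dir'` / `-f '$config_file'` with literal single quotes; that works in `run_as_ldap`, which hands the string to a fresh shell, but `databases_new()` and `certificates_new()` pass `$SLAPD_GLOBAL_OPTIONS` straight to `slapcat`, where the quotes are not removed and become part of the path, so a custom `-F`/`-f` in `SLAPD_OPTIONS` breaks those two helpers. Finally, `run_as_ldap` builds a shell command line from configuration-derived file names, so those names must stay free of shell metacharacters; the configuration is root-owned, so this is a robustness rather than a trust-boundary issue, but it deserves a comment on the function, e.g. `# $1 is re-parsed by a shell running as $SLAPD_USER; callers must quote embedded paths`.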
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+ error "You have to be root to run this command."
+ exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+ upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+ bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+ # skip uninitialized database
+ [ -z "$bdb_files"] || continue
+
+ printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+ # perform the update
+ for command in \
+ "/usr/bin/db_recover -v -h \"$dbdir\"" \
+ "/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+ "/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+ ; do
+ printf "Executing: %s\n" "$command" &>>$upgrade_log
+ run_as_ldap "$command" &>>$upgrade_log
+ result=$?
+ printf "Exit code: %d\n" $result >>"$upgrade_log"
+ if [ $result -ne 0 ]; then
+ printf "Upgrade failed: %d\n" $result
+ retcode=1
+ fi
+ done
+done
+
+exit $retcode
diff --git a/openldap-add-TLS_REQSAN-option.patch b/openldap-add-TLS_REQSAN-option.patch
new file mode 100644
index 0000000..875c8eb
--- /dev/null
+++ b/openldap-add-TLS_REQSAN-option.patch
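Review bot: The guard `[ -z "$bdb_files"] || continue` is broken twice: the missing space before `]` makes `test` fail with a malformed expression, so `continue` runs on every iteration and no database is ever upgraded, and even with the space the sense is inverted — `-z … || continue` skips the directories that do contain `*.bdb` files, the opposite of the "skip uninitialized database" comment. It should read `[ -n "$bdb_files" ] || continue`. As in libexec-check-config.sh, the file is `#!/bin/sh` but relies on the bash-only `&>>` redirection for the two log lines; under a POSIX sh those commands are backgrounded and `$result` is meaningless, so use `>>"$upgrade_log" 2>&1` as the third printf already does. `bdb_files` is also re-parsed by the shell inside `run_as_ldap`, so a file name containing quotes or `$` would break the db_upgrade command.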
@@ -0,0 +1,339 @@ +From c8050d1e6eb0f4f3deb187224945ddcfc3baa4d6 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Fri, 21 Aug 2020 09:15:15 +0100 +Subject: [PATCH] ITS#9318 add TLS_REQSAN option + +Add an option to specify how subjectAlternativeNames should be +handled when validating the names in a server certificate. +--- + doc/man/man3/ldap_get_option.3 | 9 +++++++ + doc/man/man5/ldap.conf.5 | 31 +++++++++++++++++++++++ + include/ldap.h | 1 + + libraries/libldap/init.c | 2 ++ + libraries/libldap/ldap-int.h | 1 + + libraries/libldap/tls2.c | 16 ++++++++++++ + libraries/libldap/tls_g.c | 46 ++++++++++++++++++++++++++++++++-- + libraries/libldap/tls_o.c | 44 ++++++++++++++++++++++++++++++-- + 8 files changed, 146 insertions(+), 4 deletions(-) + +diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3 +index d229ce6e3..7d760136f 100644 +--- a/doc/man/man3/ldap_get_option.3 ++++ b/doc/man/man3/ldap_get_option.3 +@@ -788,6 +788,15 @@ one of + .BR LDAP_OPT_X_TLS_ALLOW , + .BR LDAP_OPT_X_TLS_TRY . + .TP ++.B LDAP_OPT_X_TLS_REQUIRE_SAN ++Sets/gets the peer certificate subjectAlternativeName checking strategy, ++one of ++.BR LDAP_OPT_X_TLS_NEVER , ++.BR LDAP_OPT_X_TLS_HARD , ++.BR LDAP_OPT_X_TLS_DEMAND , ++.BR LDAP_OPT_X_TLS_ALLOW , ++.BR LDAP_OPT_X_TLS_TRY . ++.TP + .B LDAP_OPT_X_TLS_SSL_CTX + Gets the TLS session context associated with this handle. + .BR outvalue +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index 2f1ee886d..cde2c875f 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -464,6 +464,37 @@ certificate is provided, or a bad certificate is provided, the session + is immediately terminated. This is the default setting. + .RE + .TP ++.B TLS_REQSAN ++Specifies what checks to perform on the subjectAlternativeName ++(SAN) extensions in a server certificate when validating the certificate ++name against the specified hostname of the server. 
The ++.B ++can be specified as one of the following keywords: ++.RS ++.TP ++.B never ++The client will not check any SAN in the certificate. ++.TP ++.B allow ++The SAN is checked against the specified hostname. If a SAN is ++present but none match the specified hostname, the SANs are ignored ++and the usual check against the certificate DN is used. ++This is the default setting. ++.TP ++.B try ++The SAN is checked against the specified hostname. If no SAN is present ++in the server certificate, the usual check against the certificate DN ++is used. If a SAN is present but doesn't match the specified hostname, ++the session is immediately terminated. This setting may be preferred ++when a mix of certs with and without SANs are in use. ++.TP ++.B demand | hard ++These keywords are equivalent. The SAN is checked against the specified ++hostname. If no SAN is present in the server certificate, or no SANs ++match, the session is immediately terminated. This setting should be ++used when only certificates with SANs are in use. ++.RE ++.TP + .B TLS_CRLCHECK + Specifies if the Certificate Revocation List (CRL) of the CA should be + used to verify if the server certificates have not been revoked. 
This +diff --git a/include/ldap.h b/include/ldap.h +index 4b81a6841..4877de24a 100644 +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_PACKAGE 0x6011 + #define LDAP_OPT_X_TLS_ECNAME 0x6012 + #define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */ ++#define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a + + #define LDAP_OPT_X_TLS_NEVER 0 + #define LDAP_OPT_X_TLS_HARD 1 +diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c +index d503019aa..0d91808ec 100644 +--- a/libraries/libldap/init.c ++++ b/libraries/libldap/init.c +@@ -128,6 +128,7 @@ static const struct ol_attribute { + {0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE}, + {0, ATTR_TLS, "TLS_CACERTDIR", NULL, LDAP_OPT_X_TLS_CACERTDIR}, + {0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT}, ++ {0, ATTR_TLS, "TLS_REQSAN", NULL, LDAP_OPT_X_TLS_REQUIRE_SAN}, + {0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE}, + {0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE}, + {0, ATTR_TLS, "TLS_PROTOCOL_MIN", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN}, +@@ -624,6 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl + gopts->ldo_tls_connect_cb = NULL; + gopts->ldo_tls_connect_arg = NULL; + gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; ++ gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW; + #endif + gopts->ldo_keepalive_probes = 0; + gopts->ldo_keepalive_interval = 0; +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +index 753014ad0..2bf5d4ff6 100644 +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -262,6 +262,7 @@ struct ldapoptions { + int ldo_tls_require_cert; + int ldo_tls_impl; + int ldo_tls_crlcheck; ++ int ldo_tls_require_san; + #define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0 + #else + #define LDAP_LDO_TLS_NULLARG +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index 6a2113255..670292c22 
100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -539,6 +539,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg ) + return ldap_pvt_tls_set_option( ld, option, (void *) arg ); + + case LDAP_OPT_X_TLS_REQUIRE_CERT: ++ case LDAP_OPT_X_TLS_REQUIRE_SAN: + case LDAP_OPT_X_TLS: + i = -1; + if ( strcasecmp( arg, "never" ) == 0 ) { +@@ -669,6 +670,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) + case LDAP_OPT_X_TLS_REQUIRE_CERT: + *(int *)arg = lo->ldo_tls_require_cert; + break; ++ case LDAP_OPT_X_TLS_REQUIRE_SAN: ++ *(int *)arg = lo->ldo_tls_require_san; ++ break; + #ifdef HAVE_OPENSSL_CRL + case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ + *(int *)arg = lo->ldo_tls_crlcheck; +@@ -818,6 +822,18 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + return 0; + } + return -1; ++ case LDAP_OPT_X_TLS_REQUIRE_SAN: ++ if ( !arg ) return -1; ++ switch( *(int *) arg ) { ++ case LDAP_OPT_X_TLS_NEVER: ++ case LDAP_OPT_X_TLS_DEMAND: ++ case LDAP_OPT_X_TLS_ALLOW: ++ case LDAP_OPT_X_TLS_TRY: ++ case LDAP_OPT_X_TLS_HARD: ++ lo->ldo_tls_require_san = * (int *) arg; ++ return 0; ++ } ++ return -1; + #ifdef HAVE_OPENSSL_CRL + case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */ + if ( !arg ) return -1; +diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c +index 15ce0bbb8..e3486c9b4 100644 +--- a/libraries/libldap/tls_g.c ++++ b/libraries/libldap/tls_g.c +@@ -496,6 +496,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in ) + { + tlsg_session *s = (tlsg_session *)session; + int i, ret; ++ int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0; + const gnutls_datum_t *peer_cert_list; + unsigned int list_size; + char altname[NI_MAXHOST]; +@@ -558,12 +559,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in ) + } + } + ++ if (chkSAN) { + for ( i=0, ret=0; ret >= 0; i++ ) { + altnamesize = sizeof(altname); + ret = gnutls_x509_crt_get_subject_alt_name( cert, i, 
+ altname, &altnamesize, NULL ); + if ( ret < 0 ) break; + ++ gotSAN = 1; + /* ignore empty */ + if ( altnamesize == 0 ) continue; + +@@ -599,7 +602,45 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in ) + } + if ( ret >= 0 ) { + ret = LDAP_SUCCESS; +- } else { ++ } ++ } ++ if (ret != LDAP_SUCCESS && chkSAN) { ++ switch(chkSAN) { ++ case LDAP_OPT_X_TLS_DEMAND: ++ case LDAP_OPT_X_TLS_HARD: ++ if (!gotSAN) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: unable to get subjectAltName from peer certificate.\n", ++ 0, 0, 0 ); ++ ret = LDAP_CONNECT_ERROR; ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ } ++ ld->ld_error = LDAP_STRDUP( ++ _("TLS: unable to get subjectAltName from peer certificate")); ++ goto done; ++ } ++ /* FALLTHRU */ ++ case LDAP_OPT_X_TLS_TRY: ++ if (gotSAN) { ++ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " ++ "subjectAltName in certificate.\n", ++ name, 0, 0 ); ++ ret = LDAP_CONNECT_ERROR; ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ } ++ ld->ld_error = LDAP_STRDUP( ++ _("TLS: hostname does not match subjectAltName in peer certificate")); ++ goto done; ++ } ++ break; ++ case LDAP_OPT_X_TLS_ALLOW: ++ break; ++ } ++ } ++ ++ if ( ret != LDAP_SUCCESS ){ + /* find the last CN */ + i=0; + do { +@@ -654,9 +695,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in ) + LDAP_FREE( ld->ld_error ); + } + ld->ld_error = LDAP_STRDUP( +- _("TLS: hostname does not match CN in peer certificate")); ++ _("TLS: hostname does not match name in peer certificate")); + } + } ++done: + gnutls_x509_crt_deinit( cert ); + return ret; + } +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 4006f7a4f..6f27168e9 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -600,6 +600,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + { + tlso_session *s = (tlso_session *)sess; + int i, ret = LDAP_LOCAL_ERROR; ++ int chkSAN = 
ld->ld_options.ldo_tls_require_san, gotSAN = 0; + X509 *x; + const char *name; + char *ptr; +@@ -638,7 +639,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) { + if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4; + } +- ++ ++ if (chkSAN) { + i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); + if (i >= 0) { + X509_EXTENSION *ex; +@@ -651,6 +653,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + char *domain = NULL; + GENERAL_NAME *gn; + ++ gotSAN = 1; + if (ntype == IS_DNS) { + domain = strchr(name, '.'); + if (domain) { +@@ -709,6 +712,42 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + } + } + } ++ } ++ if (ret != LDAP_SUCCESS && chkSAN) { ++ switch(chkSAN) { ++ case LDAP_OPT_X_TLS_DEMAND: ++ case LDAP_OPT_X_TLS_HARD: ++ if (!gotSAN) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: unable to get subjectAltName from peer certificate.\n", ++ 0, 0, 0 ); ++ ret = LDAP_CONNECT_ERROR; ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ } ++ ld->ld_error = LDAP_STRDUP( ++ _("TLS: unable to get subjectAltName from peer certificate")); ++ goto done; ++ } ++ /* FALLTHRU */ ++ case LDAP_OPT_X_TLS_TRY: ++ if (gotSAN) { ++ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " ++ "subjectAltName in certificate.\n", ++ name, 0, 0 ); ++ ret = LDAP_CONNECT_ERROR; ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ } ++ ld->ld_error = LDAP_STRDUP( ++ _("TLS: hostname does not match subjectAltName in peer certificate")); ++ goto done; ++ } ++ break; ++ case LDAP_OPT_X_TLS_ALLOW: ++ break; ++ } ++ } + + if (ret != LDAP_SUCCESS) { + X509_NAME *xn; +@@ -772,9 +811,10 @@ no_cn: + LDAP_FREE( ld->ld_error ); + } + ld->ld_error = LDAP_STRDUP( +- _("TLS: hostname does not match CN in peer certificate")); ++ _("TLS: hostname does not match name in peer certificate")); + } + } ++done: + X509_free(x); + return ret; + } 
+--
+2.31.1
+
diff --git a/openldap-ai-addrconfig.patch b/openldap-ai-addrconfig.patch
new file mode 100644
index 0000000..0858fac
--- /dev/null
+++ b/openldap-ai-addrconfig.patch
@@ -0,0 +1,20 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak
+Upstream ITS: #7326
+Resolves: #835013
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index b31e05d..fa361ab 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+ 
+ #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+ memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
+- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
++#ifdef AI_ADDRCONFIG
+ hints.ai_flags = AI_ADDRCONFIG;
+ #endif
+ hints.ai_family = ldap_int_inet4or6;
diff --git a/openldap-allop-overlay.patch b/openldap-allop-overlay.patch
new file mode 100644
index 0000000..608ee44
--- /dev/null
+++ b/openldap-allop-overlay.patch
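Review bot: The replacement `#ifdef AI_ADDRCONFIG` drops the comment that explained why the flag was conditional, and the patch description's "if defined in the environment" reads like a runtime setting when the test is a compile-time macro from the system headers. A short comment on the new line would make the intent clear, e.g. `/* AI_ADDRCONFIG: only resolve address families that are configured on this host */`. Whether this changes behaviour for loopback-only hosts (for example `ldap://localhost` over IPv6) depends on the resolver's treatment of loopback under AI_ADDRCONFIG and is worth a sentence in the description. The enclosing `ldap_connect_to_host()` starts and ends outside the hunk.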
@@ -0,0 +1,40 @@ +Compile AllOp together with other overlays. + +Author: Matus Honek +Resolves: #1319782 + +diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in +--- a/servers/slapd/overlays/Makefile.in ++++ b/servers/slapd/overlays/Makefile.in +@@ -33,7 +33,8 @@ SRCS = overlays.c \ + translucent.c \ + unique.c \ + valsort.c \ +- smbk5pwd.c ++ smbk5pwd.c \ ++ allop.c + OBJS = statover.o \ + @SLAPD_STATIC_OVERLAYS@ \ + overlays.o +@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + + LIBRARY = ../liboverlays.a +-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la ++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la + + XINCPATH = -I.. -I$(srcdir)/.. + XDEFS = $(MODULES_CPPFLAGS) +@@ -125,6 +126,12 @@ unique.la : unique.lo + smbk5pwd.la : smbk5pwd.lo + $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) + ++allop.lo : allop.c ++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< ++ ++allop.la : allop.lo ++ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) ++ + install-local: $(PROGRAMS) + @if test -n "$?" ; then \ + $(MKDIR) $(DESTDIR)$(moduledir); \ diff --git a/openldap-cbinding-Add-channel-binding-support.patch b/openldap-cbinding-Add-channel-binding-support.patch new file mode 100644 index 0000000..bc4ee65 --- /dev/null +++ b/openldap-cbinding-Add-channel-binding-support.patch 
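Review bot: The new `allop.lo` rule reuses the smbk5pwd compile line verbatim, including `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL` and the pkg-config OpenSSL cflags, and the `allop.la` link line adds the OpenSSL libs the same way; those flags appear to be smbk5pwd-specific rather than anything allop needs. If allop.c does not use OpenSSL or the Samba code path, the compile rule should shrink to `$(LTCOMPILE_MOD) $<` and the link line to `$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS)`, otherwise the module carries a needless libcrypto dependency. `$(shell …)` is a GNU make extension inside an autoconf `Makefile.in` that otherwise relies on substituted variables; that is pre-existing in the smbk5pwd rule, so a comment is enough. A one-line comment explaining why allop is added as an explicit rule instead of through `@SLAPD_DYNAMIC_OVERLAYS@` would also document the intent.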
@@ -0,0 +1,291 @@ +From ca310ebff44f10739fd75aff437c7676e089b134 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Mon, 26 Aug 2013 23:31:48 -0700 +Subject: [PATCH] Add channel binding support + +Currently only implemented for OpenSSL. +Needs an option to set the criticality flag. +--- + include/ldap_pvt.h | 1 + + libraries/libldap/cyrus.c | 22 ++++++++++++++++++++++ + libraries/libldap/ldap-int.h | 1 + + libraries/libldap/ldap-tls.h | 2 ++ + libraries/libldap/tls2.c | 7 +++++++ + libraries/libldap/tls_g.c | 7 +++++++ + libraries/libldap/tls_m.c | 7 +++++++ + libraries/libldap/tls_o.c | 16 ++++++++++++++++ + servers/slapd/connection.c | 8 ++++++++ + servers/slapd/sasl.c | 18 ++++++++++++++++++ + servers/slapd/slap.h | 1 + + 11 files changed, 90 insertions(+) + +diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h +index 871e7c180..fdc9d2de3 100644 +--- a/include/ldap_pvt.h ++++ b/include/ldap_pvt.h +@@ -430,6 +430,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn, + LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn, + LDAPDN_rewrite_dummy *func, unsigned flags )); + LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx )); ++LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server )); + + LDAP_END_DECL + +diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c +index 28c241b0b..a57292800 100644 +--- a/libraries/libldap/cyrus.c ++++ b/libraries/libldap/cyrus.c +@@ -369,6 +369,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc ) + lc->lconn_sasl_sockctx = NULL; + lc->lconn_sasl_authctx = NULL; + } ++ if( lc->lconn_sasl_cbind ) { ++ ldap_memfree( lc->lconn_sasl_cbind ); ++ lc->lconn_sasl_cbind = NULL; ++ } + + return LDAP_SUCCESS; + } +@@ -482,6 +486,24 @@ ldap_int_sasl_bind( + + (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac ); + LDAP_FREE( authid.bv_val ); ++#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */ ++ { ++ char cbinding[64]; ++ struct 
berval cbv = { sizeof(cbinding), cbinding }; ++ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) { ++ sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) + ++ cbv.bv_len); ++ cb->name = "ldap"; ++ cb->critical = 0; ++ cb->data = (char *)(cb+1); ++ cb->len = cbv.bv_len; ++ memcpy( cb->data, cbv.bv_val, cbv.bv_len ); ++ sasl_setprop( ld->ld_defconn->lconn_sasl_authctx, ++ SASL_CHANNEL_BINDING, cb ); ++ ld->ld_defconn->lconn_sasl_cbind = cb; ++ } ++ } ++#endif + } + #endif + +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +index 37c342e26..1915ecab4 100644 +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -305,6 +305,7 @@ typedef struct ldap_conn { + #ifdef HAVE_CYRUS_SASL + void *lconn_sasl_authctx; /* context for bind */ + void *lconn_sasl_sockctx; /* for security layer */ ++ void *lconn_sasl_cbind; /* for channel binding */ + #endif + #ifdef HAVE_GSSAPI + void *lconn_gss_ctx; /* gss_ctx_id_t */ +diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h +index 75661c005..1eb5ae47e 100644 +--- a/libraries/libldap/ldap-tls.h ++++ b/libraries/libldap/ldap-tls.h +@@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len + typedef int (TI_session_dn)(tls_session *sess, struct berval *dn); + typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in); + typedef int (TI_session_strength)(tls_session *sess); ++typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server); + + typedef void (TI_thr_init)(void); + +@@ -64,6 +65,7 @@ typedef struct tls_impl { + TI_session_dn *ti_session_peer_dn; + TI_session_chkhost *ti_session_chkhost; + TI_session_strength *ti_session_strength; ++ TI_session_unique *ti_session_unique; + + Sockbuf_IO *ti_sbio; + +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index e11d1a8a3..957e73c03 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -981,6 +981,13 
@@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func, + rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags ); + return rc; + } ++ ++int ++ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server ) ++{ ++ tls_session *session = s; ++ return tls_imp->ti_session_unique( session, buf, is_server ); ++} + #endif /* HAVE_TLS */ + + int +diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c +index ed1f8f1cb..dfdc35da4 100644 +--- a/libraries/libldap/tls_g.c ++++ b/libraries/libldap/tls_g.c +@@ -780,6 +780,12 @@ tlsg_session_strength( tls_session *session ) + return gnutls_cipher_get_key_size( c ) * 8; + } + ++static int ++tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server) ++{ ++ return 0; ++} ++ + /* suites is a string of colon-separated cipher suite names. */ + static int + tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites ) +@@ -1110,6 +1116,7 @@ tls_impl ldap_int_tls_impl = { + tlsg_session_peer_dn, + tlsg_session_chkhost, + tlsg_session_strength, ++ tlsg_session_unique, + + &tlsg_sbio, + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index 072d41d56..240bd9ff6 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -2838,6 +2838,12 @@ tlsm_session_strength( tls_session *session ) + return rc ? 
0 : keySize; + } + ++static int ++tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server) ++{ ++ return 0; ++} ++ + /* + * TLS support for LBER Sockbufs + */ +@@ -3266,6 +3272,7 @@ tls_impl ldap_int_tls_impl = { + tlsm_session_peer_dn, + tlsm_session_chkhost, + tlsm_session_strength, ++ tlsm_session_unique, + + &tlsm_sbio, + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 3c077f895..2ecee465b 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -676,6 +676,21 @@ tlso_session_strength( tls_session *sess ) + return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL); + } + ++static int ++tlso_session_unique( tls_session *sess, struct berval *buf, int is_server) ++{ ++ tlso_session *s = (tlso_session *)sess; ++ ++ /* Usually the client sends the finished msg. But if the ++ * session was resumed, the server sent the msg. ++ */ ++ if (SSL_session_reused(s) ^ !is_server) ++ buf->bv_len = SSL_get_finished(s, buf->bv_val, buf->bv_len); ++ else ++ buf->bv_len = SSL_get_peer_finished(s, buf->bv_val, buf->bv_len); ++ return buf->bv_len; ++} ++ + /* + * TLS support for LBER Sockbufs + */ +@@ -1283,6 +1298,7 @@ tls_impl ldap_int_tls_impl = { + tlso_session_peer_dn, + tlso_session_chkhost, + tlso_session_strength, ++ tlso_session_unique, + + &tlso_sbio, + +diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c +index e34703cb3..bc2b8a4d0 100644 +--- a/servers/slapd/connection.c ++++ b/servers/slapd/connection.c +@@ -406,6 +406,7 @@ Connection * connection_init( + c->c_sasl_sockctx = NULL; + c->c_sasl_extra = NULL; + c->c_sasl_bindop = NULL; ++ c->c_sasl_cbind = NULL; + + c->c_sb = ber_sockbuf_alloc( ); + +@@ -451,6 +452,7 @@ Connection * connection_init( + assert( c->c_sasl_sockctx == NULL ); + assert( c->c_sasl_extra == NULL ); + assert( c->c_sasl_bindop == NULL ); ++ assert( c->c_sasl_cbind == NULL ); + assert( c->c_currentber == NULL ); + assert( c->c_writewaiter == 0); + assert( c->c_writers 
== 0); +@@ -1408,6 +1410,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri ) + c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 ); + slap_sasl_external( c, c->c_tls_ssf, &authid ); + if ( authid.bv_val ) free( authid.bv_val ); ++ { ++ char cbinding[64]; ++ struct berval cbv = { sizeof(cbinding), cbinding }; ++ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 )) ++ slap_sasl_cbinding( c, &cbv ); ++ } + } else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb, + LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */ + slapd_set_write( s, 1 ); +diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c +index 0bd6259be..57907d79b 100644 +--- a/servers/slapd/sasl.c ++++ b/servers/slapd/sasl.c +@@ -1503,6 +1503,21 @@ int slap_sasl_external( + return LDAP_SUCCESS; + } + ++int slap_sasl_cbinding( Connection *conn, struct berval *cbv ) ++{ ++#ifdef SASL_CHANNEL_BINDING ++ sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );; ++ cb->name = "ldap"; ++ cb->critical = 0; ++ cb->data = (char *)(cb+1); ++ cb->len = cbv->bv_len; ++ memcpy( cb->data, cbv->bv_val, cbv->bv_len ); ++ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb ); ++ conn->c_sasl_cbind = cb; ++#endif ++ return LDAP_SUCCESS; ++} ++ + int slap_sasl_reset( Connection *conn ) + { + return LDAP_SUCCESS; +@@ -1568,6 +1583,9 @@ int slap_sasl_close( Connection *conn ) + free( conn->c_sasl_extra ); + conn->c_sasl_extra = NULL; + ++ free( conn->c_sasl_cbind ); ++ conn->c_sasl_cbind = NULL; ++ + #elif defined(SLAP_BUILTIN_SASL) + SASL_CTX *ctx = conn->c_sasl_authctx; + if( ctx ) { +diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h +index 09c1854f8..4b3bbd12e 100644 +--- a/servers/slapd/slap.h ++++ b/servers/slapd/slap.h +@@ -2910,6 +2910,7 @@ struct Connection { + void *c_sasl_authctx; /* SASL authentication context */ + void *c_sasl_sockctx; /* SASL security layer context */ + void *c_sasl_extra; /* SASL session extra stuff */ ++ void *c_sasl_cbind; /* SASL channel binding */ + Operation 
*c_sasl_bindop; /* set to current op if it's a bind */ + + #ifdef LDAP_X_TXN +-- +2.26.2 + diff --git a/openldap-cbinding-Convert-test077-to-LDIF-config.patch b/openldap-cbinding-Convert-test077-to-LDIF-config.patch new file mode 100644 index 0000000..4bf9b63 --- /dev/null +++ b/openldap-cbinding-Convert-test077-to-LDIF-config.patch 
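Review bot: `tlso_session_unique` stores the return value of `SSL_get_finished`/`SSL_get_peer_finished` straight into `buf->bv_len` without comparing it to the buffer size it was given; OpenSSL reports the full Finished length even when it copied only `count` bytes, so a Finished longer than the callers' 64-byte `cbinding[]` would make the `memcpy` in cyrus.c and connection.c read past the stack buffer. Current TLS versions keep Finished well under 64 bytes, so this is defensive rather than a live problem, but capturing the length first and refusing a truncated copy (`size_t len = …; if ( len > buf->bv_len ) return 0; buf->bv_len = len;`) costs nothing. In cyrus.c the `ldap_memalloc` result is dereferenced without a NULL check, unlike the slapd side where `ch_malloc` aborts on failure. The GnuTLS and NSS stubs return 0, so on those builds no channel binding is ever set and, with `critical = 0`, the bind proceeds unbound; a comment on each stub such as `/* not implemented: no channel-binding data, the bind proceeds without it */` would make that visible to the next reader.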
@@ -0,0 +1,167 @@ +From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001 +From: Ryan Tandy +Date: Mon, 27 Apr 2020 23:24:16 -0700 +Subject: [PATCH] Convert test077 to LDIF config + +--- + tests/data/slapd-sasl-gssapi.conf | 68 ------------------------------- + tests/scripts/defines.sh | 1 - + tests/scripts/test077-sasl-gssapi | 35 +++++++++++++--- + 3 files changed, 30 insertions(+), 74 deletions(-) + delete mode 100644 tests/data/slapd-sasl-gssapi.conf + +diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf +deleted file mode 100644 +index 29ab6040b..000000000 +--- a/tests/data/slapd-sasl-gssapi.conf ++++ /dev/null +@@ -1,68 +0,0 @@ +-# stand-alone slapd config -- for testing (with indexing) +-# $OpenLDAP$ +-## This work is part of OpenLDAP Software . +-## +-## Copyright 1998-2020 The OpenLDAP Foundation. +-## All rights reserved. +-## +-## Redistribution and use in source and binary forms, with or without +-## modification, are permitted only as authorized by the OpenLDAP +-## Public License. +-## +-## A copy of this license is available in the file LICENSE in the +-## top-level directory of the distribution or, alternatively, at +-## . 
+- +-# +-include @SCHEMADIR@/core.schema +-include @SCHEMADIR@/cosine.schema +-# +-include @SCHEMADIR@/corba.schema +-include @SCHEMADIR@/java.schema +-include @SCHEMADIR@/inetorgperson.schema +-include @SCHEMADIR@/misc.schema +-include @SCHEMADIR@/nis.schema +-include @SCHEMADIR@/openldap.schema +-# +-include @SCHEMADIR@/duaconf.schema +-include @SCHEMADIR@/dyngroup.schema +- +-# +-pidfile @TESTDIR@/slapd.1.pid +-argsfile @TESTDIR@/slapd.1.args +- +-# SSL configuration +-TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt +-TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key +-TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt +- +-# +-rootdse @DATADIR@/rootdse.ldif +- +-#mod#modulepath ../servers/slapd/back-@BACKEND@/ +-#mod#moduleload back_@BACKEND@.la +-#monitormod#modulepath ../servers/slapd/back-monitor/ +-#monitormod#moduleload back_monitor.la +- +- +-####################################################################### +-# database definitions +-####################################################################### +- +-database @BACKEND@ +-suffix "dc=example,dc=com" +-rootdn "cn=Manager,dc=example,dc=com" +-rootpw secret +-#~null~#directory @TESTDIR@/db.1.a +-#indexdb#index objectClass eq +-#indexdb#index mail eq +-#ndb#dbname db_1_a +-#ndb#include @DATADIR@/ndb.conf +- +-#monitor#database monitor +- +-sasl-realm @KRB5REALM@ +-sasl-host localhost +- +-database config +-rootpw secret +diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh +index f9e5578ee..a84fd0a65 100755 +--- a/tests/scripts/defines.sh ++++ b/tests/scripts/defines.sh +@@ -114,7 +114,6 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf + SCHEMACONF=$DATADIR/slapd-schema.conf + TLSCONF=$DATADIR/slapd-tls.conf + TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf +-SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf + GLUECONF=$DATADIR/slapd-glue.conf + REFINTCONF=$DATADIR/slapd-refint.conf + RETCODECONF=$DATADIR/slapd-retcode.conf +diff --git a/tests/scripts/test077-sasl-gssapi 
b/tests/scripts/test077-sasl-gssapi +index 20c414600..322df60a4 100755 +--- a/tests/scripts/test077-sasl-gssapi ++++ b/tests/scripts/test077-sasl-gssapi +@@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then + exit 0 + fi + ++CONFDIR=$TESTDIR/slapd.d ++CONFLDIF=$TESTDIR/slapd.ldif ++ + mkdir -p $TESTDIR $DBDIR1 $CONFDIR + cp -r $DATADIR/tls $TESTDIR ++$SLAPPASSWD -g -n >$CONFIGPWF + + echo "Starting KDC for SASL/GSSAPI tests..." + . $SRCDIR/scripts/setup_kdc.sh + +-echo "Running slapadd to build slapd database..." +-. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1 +-$SLAPADD -f $CONF1 -l $LDIFORDERED ++echo "Configuring slapd..." ++cat > $CONFLDIF < $LOG1 2>&1 & ++$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & + PID=$! + if test $WAIT != 0 ; then + echo PID $PID +@@ -151,7 +176,7 @@ else + for acb in "none" "tls-unique" "tls-endpoint" ; do + + echo "Modifying slapd's olcSaslCBinding to ${acb} ..." +- $LDAPMODIFY -D cn=config -H $URI1 -w secret < $TESTOUT 2>&1 ++ $LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF < $TESTOUT 2>&1 + dn: cn=config + changetype: modify + replace: olcSaslCBinding +-- +2.26.2 + diff --git a/openldap-cbinding-Fix-slaptest-in-test077.patch b/openldap-cbinding-Fix-slaptest-in-test077.patch new file mode 100644 index 0000000..fc1e034 --- /dev/null +++ b/openldap-cbinding-Fix-slaptest-in-test077.patch 
@@ -0,0 +1,62 @@ +From e006994d83af9dcb7813a18253cf4e5beacee043 Mon Sep 17 00:00:00 2001 +From: Ryan Tandy +Date: Sun, 26 Apr 2020 11:40:23 -0700 +Subject: [PATCH] Fix slaptest in test077 + +The libtool wrapper scripts lose argv[0] when exec'ing the real binary. + +In the CI Docker container, where the build runs as root, this was +actually starting a real slapd on the default port. + +Outside Docker, running as a non-root user, this slapd would just fail +to start, and wouldn't convert the config either. + +Using "slapd -Tt" fixes the issue but also prints a warning from +slaptest since the database hasn't been initialized yet. + +Dynamic config isn't actually used in this test script, so let's just +run slapd off the config file directly. +--- + tests/scripts/test077-sasl-gssapi | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi +index 19f665622..20c414600 100755 +--- a/tests/scripts/test077-sasl-gssapi ++++ b/tests/scripts/test077-sasl-gssapi +@@ -21,22 +21,15 @@ if test $WITH_SASL = no ; then + exit 0 + fi + +-SLAPTEST="$TESTWD/../servers/slapd/slaptest" +-CONFDIR=$TESTDIR/slapd.d +- + mkdir -p $TESTDIR $DBDIR1 $CONFDIR + cp -r $DATADIR/tls $TESTDIR + +-cd $TESTWD +- +- + echo "Starting KDC for SASL/GSSAPI tests..." + . $SRCDIR/scripts/setup_kdc.sh + + echo "Running slapadd to build slapd database..." + . $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1 +-$SLAPTEST -f $CONF1 -F $CONFDIR +-$SLAPADD -F $CONFDIR -l $LDIFORDERED ++$SLAPADD -f $CONF1 -l $LDIFORDERED + RC=$? + if test $RC != 0 ; then + echo "slapadd failed ($RC)!" +@@ -45,7 +38,7 @@ if test $RC != 0 ; then + fi + + echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." +-$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & ++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & + PID=$! 
+ if test $WAIT != 0 ; then + echo PID $PID +-- +2.26.2 + diff --git a/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch b/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch new file mode 100644 index 0000000..b0454f8 --- /dev/null +++ b/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch 
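Review bot: The hunk removes the `CONFDIR=$TESTDIR/slapd.d` assignment but keeps the context line `mkdir -p $TESTDIR $DBDIR1 $CONFDIR`, so `$CONFDIR` now comes from the environment or from `defines.sh`, which I cannot see from here; if it is unset the third argument silently vanishes, and if it is inherited from the caller's environment the script creates a directory outside `$TESTDIR`. Since the script no longer uses dynamic config, dropping it from the mkdir line (`mkdir -p $TESTDIR $DBDIR1`) keeps the cleanup consistent with the change.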
@@ -0,0 +1,220 @@ +NOTE: The patch has been adjusted to match the base code before backporting. + +From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Tue, 10 Sep 2013 04:26:51 -0700 +Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT + +retrieve peer cert for an active TLS session +--- + doc/man/man3/ldap_get_option.3 | 8 ++++++++ + include/ldap.h | 1 + + libraries/libldap/ldap-tls.h | 2 ++ + libraries/libldap/tls2.c | 23 +++++++++++++++++++++++ + libraries/libldap/tls_g.c | 19 +++++++++++++++++++ + libraries/libldap/tls_m.c | 17 +++++++++++++++++ + libraries/libldap/tls_o.c | 16 ++++++++++++++++ + 7 files changed, 86 insertions(+) + +diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3 +index e67de75e9..1bb55d357 100644 +--- a/doc/man/man3/ldap_get_option.3 ++++ b/doc/man/man3/ldap_get_option.3 +@@ -732,6 +732,14 @@ A non-zero value pointed to by + .BR invalue + tells the library to create a context for a server. + .TP ++.B LDAP_OPT_X_TLS_PEERCERT ++Gets the peer's certificate in DER format from an established TLS session. ++.BR outvalue ++must be ++.BR "struct berval *" , ++and the data it returns needs to be freed by the caller using ++.BR ldap_memfree (3). ++.TP + .B LDAP_OPT_X_TLS_PROTOCOL_MIN + Sets/gets the minimum protocol version. 
+ .BR invalue +diff --git a/include/ldap.h b/include/ldap.h +index 4de3f7f32..97ca524d7 100644 +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -161,6 +161,7 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */ + #define LDAP_OPT_X_TLS_PACKAGE 0x6011 + #define LDAP_OPT_X_TLS_ECNAME 0x6012 ++#define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */ + + #define LDAP_OPT_X_TLS_NEVER 0 + #define LDAP_OPT_X_TLS_HARD 1 +diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h +index 548814d7f..890d20dc7 100644 +--- a/libraries/libldap/ldap-tls.h ++++ b/libraries/libldap/ldap-tls.h +@@ -43,6 +43,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn); + typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in); + typedef int (TI_session_strength)(tls_session *sess); + typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server); ++typedef int (TI_session_peercert)(tls_session *s, struct berval *der); + + typedef void (TI_thr_init)(void); + +@@ -69,6 +70,7 @@ typedef struct tls_impl { + TI_session_chkhost *ti_session_chkhost; + TI_session_strength *ti_session_strength; + TI_session_unique *ti_session_unique; ++ TI_session_peercert *ti_session_peercert; + + Sockbuf_IO *ti_sbio; + +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index 05fce3218..cbf73bdd5 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -718,6 +718,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) + case LDAP_OPT_X_TLS_CONNECT_ARG: + *(void **)arg = lo->ldo_tls_connect_arg; + break; ++ case LDAP_OPT_X_TLS_PEERCERT: { ++ void *sess = NULL; ++ struct berval *bv = arg; ++ bv->bv_len = 0; ++ bv->bv_val = NULL; ++ if ( ld != NULL ) { ++ LDAPConn *conn = ld->ld_defconn; ++ if ( conn != NULL ) { ++ Sockbuf *sb = conn->lconn_sb; ++ sess = ldap_pvt_tls_sb_ctx( sb ); ++ if ( sess != NULL ) ++ return ldap_pvt_tls_get_peercert( sess, bv ); ++ } ++ } ++ break; ++ } 
++ + default: + return -1; + } +@@ -1050,6 +1066,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server ) + tls_session *session = s; + return tls_imp->ti_session_unique( session, buf, is_server ); + } ++ ++int ++ldap_pvt_tls_get_peercert( void *s, struct berval *der ) ++{ ++ tls_session *session = s; ++ return tls_imp->ti_session_peercert( session, der ); ++} + #endif /* HAVE_TLS */ + + int +diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c +index ce422387c..739680439 100644 +--- a/libraries/libldap/tls_g.c ++++ b/libraries/libldap/tls_g.c +@@ -830,6 +830,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server) + return 0; + } + ++static int ++tlsg_session_peercert( tls_session *sess, struct berval *der ) ++{ ++ tlsg_session *s = (tlsg_session *)sess; ++ const gnutls_datum_t *peer_cert_list; ++ unsigned int list_size; ++ ++ peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size ); ++ if (!peer_cert_list) ++ return -1; ++ der->bv_len = peer_cert_list[0].size; ++ der->bv_val = LDAP_MALLOC( der->bv_len ); ++ if (!der->bv_val) ++ return -1; ++ memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len); ++ return 0; ++} ++ + /* suites is a string of colon-separated cipher suite names. 
*/ + static int + tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites ) +@@ -1166,6 +1184,7 @@ tls_impl ldap_int_tls_impl = { + tlsg_session_chkhost, + tlsg_session_strength, + tlsg_session_unique, ++ tlsg_session_peercert, + + &tlsg_sbio, + +diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c +index 4bd9e63cb..36dc989ef 100644 +--- a/libraries/libldap/tls_m.c ++++ b/libraries/libldap/tls_m.c +@@ -2891,6 +2891,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server) + return 0; + } + ++static int ++tlsm_session_peercert( tls_session *sess, struct berval *der ) ++{ ++ tlsm_session *s = (tlsm_session *)sess; ++ CERTCertificate *cert; ++ cert = SSL_PeerCertificate( s ); ++ if (!cert) ++ return -1; ++ der->bv_len = cert->derCert.len; ++ der->bv_val = LDAP_MALLOC( der->bv_len ); ++ if (!der->bv_val) ++ return -1; ++ memcpy( der->bv_val, cert->derCert.data, der->bv_len ); ++ return 0; ++} ++ + /* + * TLS support for LBER Sockbufs + */ +@@ -3322,6 +3338,7 @@ tls_impl ldap_int_tls_impl = { + tlsm_session_chkhost, + tlsm_session_strength, + tlsm_session_unique, ++ tlsm_session_peercert, + + &tlsm_sbio, + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 6288456d3..1fa50392f 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -721,6 +721,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server) + return buf->bv_len; + } + ++static int ++tlso_session_peercert( tls_session *sess, struct berval *der ) ++{ ++ tlso_session *s = (tlso_session *)sess; ++ unsigned char *ptr; ++ X509 *x = SSL_get_peer_certificate(s); ++ der->bv_len = i2d_X509(x, NULL); ++ der->bv_val = LDAP_MALLOC(der->bv_len); ++ if ( !der->bv_val ) ++ return -1; ++ ptr = der->bv_val; ++ i2d_X509(x, &ptr); ++ return 0; ++} ++ + /* + * TLS support for LBER Sockbufs + */ +@@ -1229,6 +1244,7 @@ tls_impl ldap_int_tls_impl = { + tlso_session_chkhost, + tlso_session_strength, + tlso_session_unique, ++ 
tlso_session_peercert, + + &tlso_sbio, + +-- +2.26.2 + diff --git a/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch b/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch new file mode 100644 index 0000000..71cfbf0 --- /dev/null +++ b/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch 
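Review bot: `tlso_session_peercert` never checks the result of `SSL_get_peer_certificate`, so a session with no peer certificate hands a NULL X509 to `i2d_X509`; it also drops the reference that `SSL_get_peer_certificate` returns, leaking the certificate on every call, and a negative `i2d_X509` return would be passed to `LDAP_MALLOC` as a size. The NSS variant has the same leak, since the certificate returned by `SSL_PeerCertificate` must be released with `CERT_DestroyCertificate`. The OpenSSL function should check the certificate and the encoded length and free the X509 on every path.
```c
static int
tlso_session_peercert( tls_session *sess, struct berval *der )
{
	tlso_session *s = (tlso_session *)sess;
	unsigned char *ptr;
	int len;
	X509 *x = SSL_get_peer_certificate(s);
	if ( !x )
		return -1;
	len = i2d_X509(x, NULL);
	if ( len <= 0 ) {
		X509_free(x);
		return -1;
	}
	der->bv_len = len;
	der->bv_val = LDAP_MALLOC(der->bv_len);
	if ( !der->bv_val ) {
		X509_free(x);
		return -1;
	}
	ptr = der->bv_val;
	i2d_X509(x, &ptr);
	X509_free(x);	/* drop the reference taken by SSL_get_peer_certificate */
	return 0;
}
```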
@@ -0,0 +1,70 @@ +From 465b1c5972eef1d4e60eb98ae3776d33e270853d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= +Date: Fri, 15 Jun 2018 15:12:28 +0100 +Subject: [PATCH] ITS#8573 Add missing URI variables for tests + +--- + tests/scripts/conf.sh | 18 ++++++++++++++++++ + tests/scripts/defines.sh | 7 +++++++ + 2 files changed, 25 insertions(+) + +diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh +index fe5e60509..02629f190 100755 +--- a/tests/scripts/conf.sh ++++ b/tests/scripts/conf.sh +@@ -75,6 +75,24 @@ sed -e "s/@BACKEND@/${BACKEND}/" \ + -e "s;@PORT4@;${PORT4};" \ + -e "s;@PORT5@;${PORT5};" \ + -e "s;@PORT6@;${PORT6};" \ ++ -e "s;@SURI1@;${SURI1};" \ ++ -e "s;@SURI2@;${SURI2};" \ ++ -e "s;@SURI3@;${SURI3};" \ ++ -e "s;@SURI4@;${SURI4};" \ ++ -e "s;@SURI5@;${SURI5};" \ ++ -e "s;@SURI6@;${SURI6};" \ ++ -e "s;@URIP1@;${URIP1};" \ ++ -e "s;@URIP2@;${URIP2};" \ ++ -e "s;@URIP3@;${URIP3};" \ ++ -e "s;@URIP4@;${URIP4};" \ ++ -e "s;@URIP5@;${URIP5};" \ ++ -e "s;@URIP6@;${URIP6};" \ ++ -e "s;@SURIP1@;${SURIP1};" \ ++ -e "s;@SURIP2@;${SURIP2};" \ ++ -e "s;@SURIP3@;${SURIP3};" \ ++ -e "s;@SURIP4@;${SURIP4};" \ ++ -e "s;@SURIP5@;${SURIP5};" \ ++ -e "s;@SURIP6@;${SURIP6};" \ + -e "s/@SASL_MECH@/${SASL_MECH}/" \ + -e "s;@TESTDIR@;${TESTDIR};" \ + -e "s;@TESTWD@;${TESTWD};" \ +diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh +index 2c9e8f76a..9816034f9 100755 +--- a/tests/scripts/defines.sh ++++ b/tests/scripts/defines.sh +@@ -223,16 +223,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/" + URI3="ldap://${LOCALHOST}:$PORT3/" + URIP3="ldap://${LOCALIP}:$PORT3/" + URI4="ldap://${LOCALHOST}:$PORT4/" ++URIP4="ldap://${LOCALIP}:$PORT4/" + URI5="ldap://${LOCALHOST}:$PORT5/" ++URIP5="ldap://${LOCALIP}:$PORT5/" + URI6="ldap://${LOCALHOST}:$PORT6/" ++URIP6="ldap://${LOCALIP}:$PORT6/" + SURI1="ldaps://${LOCALHOST}:$PORT1/" + SURIP1="ldaps://${LOCALIP}:$PORT1/" + SURI2="ldaps://${LOCALHOST}:$PORT2/" + SURIP2="ldaps://${LOCALIP}:$PORT2/" + 
SURI3="ldaps://${LOCALHOST}:$PORT3/" ++SURIP3="ldaps://${LOCALIP}:$PORT3/" + SURI4="ldaps://${LOCALHOST}:$PORT4/" ++SURIP4="ldaps://${LOCALIP}:$PORT4/" + SURI5="ldaps://${LOCALHOST}:$PORT5/" ++SURIP5="ldaps://${LOCALIP}:$PORT5/" + SURI6="ldaps://${LOCALHOST}:$PORT6/" ++SURIP6="ldaps://${LOCALIP}:$PORT6/" + + # LDIF + LDIF=$DATADIR/test.ldif +-- +2.26.2 + diff --git a/openldap-cbinding-ITS-8573-TLS-option-test-suite.patch b/openldap-cbinding-ITS-8573-TLS-option-test-suite.patch new file mode 100644 index 0000000..2a7e4b0 --- /dev/null +++ b/openldap-cbinding-ITS-8573-TLS-option-test-suite.patch 
@@ -0,0 +1,2108 @@
+From eb087e0861f207858a4e08c72836a86f26d9701c Mon Sep 17 00:00:00 2001
+From: Quanah Gibson-Mount
+Date: Thu, 14 Jun 2018 16:12:59 +0100
+Subject: [PATCH] ITS#8573 TLS option test suite
+
+---
+ configure | 4 +
+ configure.in | 4 +
+ tests/data/slapd-tls-sasl.conf | 65 ++
+ tests/data/slapd-tls.conf | 61 ++
+ tests/data/tls/ca/certs/testsuiteCA.crt | 16 +
+ tests/data/tls/ca/private/testsuiteCA.key | 16 +
+ .../tls/certs/bjensen@mailgw.example.com.crt | 16 +
+ tests/data/tls/certs/localhost.crt | 16 +
+ tests/data/tls/conf/openssl.cnf | 129 ++++
+ tests/data/tls/create-crt.sh | 78 +++
+ .../private/bjensen@mailgw.example.com.key | 16 +
+ tests/data/tls/private/localhost.key | 16 +
+ tests/run.in | 3 +-
+ tests/scripts/defines.sh | 21 +-
+ tests/scripts/test067-tls | 140 +++++
+ tests/scripts/test068-sasl-tls-external | 102 ++++
+ .../test069-delta-multimaster-starttls | 574 ++++++++++++++++++
+ tests/scripts/test070-delta-multimaster-ldaps | 571 +++++++++++++++++
+ 18 files changed, 1846 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/slapd-tls-sasl.conf
+ create mode 100644 tests/data/slapd-tls.conf
+ create mode 100644 tests/data/tls/ca/certs/testsuiteCA.crt
+ create mode 100644 tests/data/tls/ca/private/testsuiteCA.key
+ create mode 100644 tests/data/tls/certs/bjensen@mailgw.example.com.crt
+ create mode 100644 tests/data/tls/certs/localhost.crt
+ create mode 100644 tests/data/tls/conf/openssl.cnf
+ create mode 100755 tests/data/tls/create-crt.sh
+ create mode 100644 tests/data/tls/private/bjensen@mailgw.example.com.key
+ create mode 100644 tests/data/tls/private/localhost.key
+ create mode 100755 tests/scripts/test067-tls
+ create mode 100755 tests/scripts/test068-sasl-tls-external
+ create mode 100755 tests/scripts/test069-delta-multimaster-starttls
+ create mode 100755 tests/scripts/test070-delta-multimaster-ldaps
+
+diff --git a/configure b/configure
+index 16d4ab884..29b7ad91d 100755
+--- a/configure
++++ b/configure
+@@ 
-761,6 +761,7 @@ AUTH_LIBS + LIBSLAPI + SLAPI_LIBS + MODULES_LIBS ++WITH_TLS_TYPE + TLS_LIBS + SASL_LIBS + KRB5_LIBS +@@ -5223,6 +5224,7 @@ KRB4_LIBS= + KRB5_LIBS= + SASL_LIBS= + TLS_LIBS= ++WITH_TLS_TYPE= + MODULES_LIBS= + SLAPI_LIBS= + LIBSLAPI= +@@ -15701,6 +15703,7 @@ fi + if test $have_openssl = yes ; then + ol_with_tls=openssl + ol_link_tls=yes ++ WITH_TLS_TYPE=openssl + + + $as_echo "#define HAVE_OPENSSL 1" >>confdefs.h +@@ -15835,6 +15838,7 @@ fi + if test $have_gnutls = yes ; then + ol_with_tls=gnutls + ol_link_tls=yes ++ WITH_TLS_TYPE=gnutls + + TLS_LIBS="-lgnutls" + +diff --git a/configure.in b/configure.in +index ee25a4a90..60c446096 100644 +--- a/configure.in ++++ b/configure.in +@@ -610,6 +610,7 @@ KRB4_LIBS= + KRB5_LIBS= + SASL_LIBS= + TLS_LIBS= ++WITH_TLS_TYPE= + MODULES_LIBS= + SLAPI_LIBS= + LIBSLAPI= +@@ -1210,6 +1211,7 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then + if test $have_openssl = yes ; then + ol_with_tls=openssl + ol_link_tls=yes ++ WITH_TLS_TYPE=openssl + + AC_DEFINE(HAVE_OPENSSL, 1, + [define if you have OpenSSL]) +@@ -1250,6 +1252,7 @@ if test $ol_link_tls = no ; then + if test $have_gnutls = yes ; then + ol_with_tls=gnutls + ol_link_tls=yes ++ WITH_TLS_TYPE=gnutls + + TLS_LIBS="-lgnutls" + +@@ -3261,6 +3264,7 @@ AC_SUBST(KRB4_LIBS) + AC_SUBST(KRB5_LIBS) + AC_SUBST(SASL_LIBS) + AC_SUBST(TLS_LIBS) ++AC_SUBST(WITH_TLS_TYPE) + AC_SUBST(MODULES_LIBS) + AC_SUBST(SLAPI_LIBS) + AC_SUBST(LIBSLAPI) +diff --git a/tests/data/slapd-tls-sasl.conf b/tests/data/slapd-tls-sasl.conf +new file mode 100644 +index 000000000..f4bb0773e +--- /dev/null ++++ b/tests/data/slapd-tls-sasl.conf +@@ -0,0 +1,65 @@ ++# stand-alone slapd config -- for testing (with indexing) ++# $OpenLDAP$ ++## This work is part of OpenLDAP Software . ++## ++## Copyright 1998-2017 The OpenLDAP Foundation. ++## All rights reserved. 
++## ++## Redistribution and use in source and binary forms, with or without ++## modification, are permitted only as authorized by the OpenLDAP ++## Public License. ++## ++## A copy of this license is available in the file LICENSE in the ++## top-level directory of the distribution or, alternatively, at ++## . ++ ++# ++include @SCHEMADIR@/core.schema ++include @SCHEMADIR@/cosine.schema ++# ++include @SCHEMADIR@/corba.schema ++include @SCHEMADIR@/java.schema ++include @SCHEMADIR@/inetorgperson.schema ++include @SCHEMADIR@/misc.schema ++include @SCHEMADIR@/nis.schema ++include @SCHEMADIR@/openldap.schema ++# ++include @SCHEMADIR@/duaconf.schema ++include @SCHEMADIR@/dyngroup.schema ++include @SCHEMADIR@/ppolicy.schema ++ ++# ++pidfile @TESTDIR@/slapd.1.pid ++argsfile @TESTDIR@/slapd.1.args ++ ++# SSL configuration ++TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt ++TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key ++TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt ++TLSVerifyClient hard ++ ++# ++rootdse @DATADIR@/rootdse.ldif ++ ++#mod#modulepath ../servers/slapd/back-@BACKEND@/ ++#mod#moduleload back_@BACKEND@.la ++#monitormod#modulepath ../servers/slapd/back-monitor/ ++#monitormod#moduleload back_monitor.la ++ ++authz-regexp "email=([^,]*),cn=[^,]*,ou=OpenLDAP,o=OpenLDAP Foundation,st=CA,c=US" ldap:///ou=People,dc=example,dc=com??sub?(mail=$1) ++ ++####################################################################### ++# database definitions ++####################################################################### ++ ++database @BACKEND@ ++suffix "dc=example,dc=com" ++rootdn "cn=Manager,dc=example,dc=com" ++rootpw secret ++#~null~#directory @TESTDIR@/db.1.a ++#indexdb#index objectClass eq ++#indexdb#index mail eq ++#ndb#dbname db_1_a ++#ndb#include @DATADIR@/ndb.conf ++ ++#monitor#database monitor +diff --git a/tests/data/slapd-tls.conf b/tests/data/slapd-tls.conf +new file mode 100644 +index 000000000..6a7785557 +--- /dev/null ++++ 
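Review bot: The `authz-regexp` line in slapd-tls-sasl.conf interpolates the `([^,]*)` capture taken from the client certificate's DN straight into the search filter `(mail=$1)` without any filter escaping, so the only thing keeping arbitrary filter text out of that search is the `TLSVerifyClient hard` line a few lines above plus the trust placed in the test-suite CA. That is fine for a fixture, but it is an invisible assumption; a comment next to the rule such as `# $1 is not filter-escaped: safe only because TLSVerifyClient hard limits clients to certs issued by the test-suite CA` would stop it being copied into a production slapd.conf as-is.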
b/tests/data/slapd-tls.conf +@@ -0,0 +1,61 @@ ++# stand-alone slapd config -- for testing (with indexing) ++# $OpenLDAP$ ++## This work is part of OpenLDAP Software . ++## ++## Copyright 1998-2017 The OpenLDAP Foundation. ++## All rights reserved. ++## ++## Redistribution and use in source and binary forms, with or without ++## modification, are permitted only as authorized by the OpenLDAP ++## Public License. ++## ++## A copy of this license is available in the file LICENSE in the ++## top-level directory of the distribution or, alternatively, at ++## . ++ ++# ++include @SCHEMADIR@/core.schema ++include @SCHEMADIR@/cosine.schema ++# ++include @SCHEMADIR@/corba.schema ++include @SCHEMADIR@/java.schema ++include @SCHEMADIR@/inetorgperson.schema ++include @SCHEMADIR@/misc.schema ++include @SCHEMADIR@/nis.schema ++include @SCHEMADIR@/openldap.schema ++# ++include @SCHEMADIR@/duaconf.schema ++include @SCHEMADIR@/dyngroup.schema ++include @SCHEMADIR@/ppolicy.schema ++ ++# ++pidfile @TESTDIR@/slapd.1.pid ++argsfile @TESTDIR@/slapd.1.args ++ ++# SSL configuration ++TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key ++TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt ++ ++# ++rootdse @DATADIR@/rootdse.ldif ++ ++#mod#modulepath ../servers/slapd/back-@BACKEND@/ ++#mod#moduleload back_@BACKEND@.la ++#monitormod#modulepath ../servers/slapd/back-monitor/ ++#monitormod#moduleload back_monitor.la ++ ++####################################################################### ++# database definitions ++####################################################################### ++ ++database @BACKEND@ ++suffix "dc=example,dc=com" ++rootdn "cn=Manager,dc=example,dc=com" ++rootpw secret ++#~null~#directory @TESTDIR@/db.1.a ++#indexdb#index objectClass eq ++#indexdb#index mail eq ++#ndb#dbname db_1_a ++#ndb#include @DATADIR@/ndb.conf ++ ++#monitor#database monitor +diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt +new file mode 100644 
+index 000000000..7458e7461 +--- /dev/null ++++ b/tests/data/tls/ca/certs/testsuiteCA.crt +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV ++BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv ++bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0 ++NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB ++MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB ++UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd ++rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb ++lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL ++6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU ++7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB ++SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/ ++wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws ++ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q ++aL52EFPS0o3tiAJXS82U2wrQdJ0YEw== ++-----END CERTIFICATE----- +diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key +new file mode 100644 +index 000000000..2e14d7033 +--- /dev/null ++++ b/tests/data/tls/ca/private/testsuiteCA.key +@@ -0,0 +1,16 @@ ++-----BEGIN PRIVATE KEY----- ++MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ ++WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc ++338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/ ++dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg ++O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf ++7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn ++rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f ++wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk ++AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l 
++vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9 ++27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X ++KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N ++I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL +++b2qljWeZbGH ++-----END PRIVATE KEY----- +diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt +new file mode 100644 +index 000000000..93e3a0d39 +--- /dev/null ++++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL ++MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV ++BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx ++ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV ++BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD ++VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa ++YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A ++MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg ++QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU ++U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL ++MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn ++wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f ++7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo ++4DnnYQBDnq48VORVX94= ++-----END CERTIFICATE----- +diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt +new file mode 100644 +index 000000000..194cb119d +--- /dev/null ++++ b/tests/data/tls/certs/localhost.crt +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL ++MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV ++BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx 
++ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE ++CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT ++dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB ++iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4 ++7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv ++8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ ++BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A ++AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG ++8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl ++0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR ++GjeZB1FxqDGHjxBq2O828iejw28bSz4= ++-----END CERTIFICATE----- +diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf +new file mode 100644 +index 000000000..a3c8ad9f6 +--- /dev/null ++++ b/tests/data/tls/conf/openssl.cnf +@@ -0,0 +1,129 @@ ++HOME = . ++RANDFILE = $ENV::HOME/.rnd ++ ++oid_section = new_oids ++ ++[ new_oids ] ++tsa_policy1 = 1.2.3.4.1 ++tsa_policy2 = 1.2.3.4.5.6 ++tsa_policy3 = 1.2.3.4.5.7 ++ ++[ ca ] ++default_ca = CA_default # The default ca section ++ ++[ CA_default ] ++ ++dir = ./cruft # Where everything is kept ++certs = $dir/certs # Where the issued certs are kept ++crl_dir = $dir/crl # Where the issued crl are kept ++database = $dir/index.txt # database index file. ++new_certs_dir = $dir/certs # default place for new certs. 
++certificate = $dir/cacert.pem # The CA certificate ++serial = $dir/serial # The current serial number ++crlnumber = $dir/crlnumber # the current crl number ++crl = $dir/crl.pem # The current CRL ++private_key = $dir/private/cakey.pem# The private key ++RANDFILE = $dir/private/.rand # private random number file ++x509_extensions = usr_cert # The extentions to add to the cert ++name_opt = ca_default # Subject Name options ++cert_opt = ca_default # Certificate field options ++default_days = 365 # how long to certify for ++default_crl_days= 30 # how long before next CRL ++default_md = default # use public key default MD ++preserve = no # keep passed DN ordering ++policy = policy_match ++ ++[ policy_match ] ++countryName = match ++stateOrProvinceName = match ++organizationName = match ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++[ policy_anything ] ++countryName = optional ++stateOrProvinceName = optional ++localityName = optional ++organizationName = optional ++organizationalUnitName = optional ++commonName = supplied ++emailAddress = optional ++ ++[ req ] ++default_bits = 2048 ++default_keyfile = privkey.pem ++distinguished_name = req_distinguished_name ++attributes = req_attributes ++x509_extensions = v3_ca # The extentions to add to the self signed cert ++ ++string_mask = utf8only ++ ++[ req_distinguished_name ] ++basicConstraints=CA:FALSE ++ ++[ req_attributes ] ++challengePassword = A challenge password ++challengePassword_min = 4 ++challengePassword_max = 20 ++ ++unstructuredName = An optional company name ++ ++[ usr_cert ] ++ ++basicConstraints=CA:FALSE ++nsComment = "OpenSSL Generated Certificate" ++ ++subjectKeyIdentifier=hash ++authorityKeyIdentifier=keyid,issuer ++ ++[ v3_req ] ++ ++basicConstraints = CA:FALSE ++keyUsage = nonRepudiation, digitalSignature, keyEncipherment ++subjectAltName = DNS:localhost,IP:127.0.0.1,IP:::1 ++ ++[ v3_ca ] ++subjectKeyIdentifier=hash ++authorityKeyIdentifier=keyid:always,issuer 
++basicConstraints = CA:true ++ ++[ crl_ext ] ++ ++authorityKeyIdentifier=keyid:always ++ ++[ proxy_cert_ext ] ++basicConstraints=CA:FALSE ++nsComment = "OpenSSL Generated Certificate" ++ ++subjectKeyIdentifier=hash ++authorityKeyIdentifier=keyid,issuer ++proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo ++ ++[ tsa ] ++ ++default_tsa = tsa_config1 # the default TSA section ++ ++[ tsa_config1 ] ++ ++dir = ./demoCA # TSA root directory ++serial = $dir/tsaserial # The current serial number (mandatory) ++crypto_device = builtin # OpenSSL engine to use for signing ++signer_cert = $dir/tsacert.pem # The TSA signing certificate ++ # (optional) ++certs = $dir/cacert.pem # Certificate chain to include in reply ++ # (optional) ++signer_key = $dir/private/tsakey.pem # The TSA private key (optional) ++ ++default_policy = tsa_policy1 # Policy if request did not specify it ++ # (optional) ++other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) ++digests = md5, sha1 # Acceptable message digests (mandatory) ++accuracy = secs:1, millisecs:500, microsecs:100 # (optional) ++clock_precision_digits = 0 # number of digits after dot. (optional) ++ordering = yes # Is ordering defined for timestamps? ++ # (optional, default: no) ++tsa_name = yes # Must the TSA name be included in the reply? ++ # (optional, default: no) ++ess_cert_id_chain = no # Must the ESS cert id chain be included? ++ # (optional, default: no) +diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh +new file mode 100755 +index 000000000..8c33a24fe +--- /dev/null ++++ b/tests/data/tls/create-crt.sh +@@ -0,0 +1,78 @@ ++#!/bin/sh ++openssl=$(which openssl) ++ ++if [ x"$openssl" = "x" ]; then ++echo "OpenSSL command line binary not found, skipping..." 
++fi ++ ++USAGE="$0 [-s] [-u ]" ++SERVER=0 ++USER=0 ++EMAIL= ++ ++while test $# -gt 0 ; do ++ case "$1" in ++ -s | -server) ++ SERVER=1; ++ shift;; ++ -u | -user) ++ if [ x"$2" = "x" ]; then ++ echo "User cert requires an email address as an argument" ++ exit; ++ fi ++ USER=1; ++ EMAIL="$2"; ++ shift; shift;; ++ -) ++ shift;; ++ -*) ++ echo "$USAGE"; exit 1 ++ ;; ++ *) ++ break;; ++ esac ++done ++ ++if [ $SERVER = 0 -a $USER = 0 ]; then ++ echo "$USAGE"; ++ exit 1; ++fi ++ ++rm -rf ./openssl.cnf cruft ++mkdir -p private certs cruft/private cruft/certs ++ ++echo "00" > cruft/serial ++touch cruft/index.txt ++touch cruft/index.txt.attr ++hn=$(hostname -f) ++sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf > ./openssl.cnf ++ ++if [ $SERVER = 1 ]; then ++ rm -rf private/localhost.key certs/localhost.crt ++ ++ $openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \ ++ -newkey rsa:1024 -config ./openssl.cnf \ ++ -subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \ ++ -batch > /dev/null 2>&1 ++ ++ $openssl ca -out certs/localhost.crt -notext -config ./openssl.cnf -days 183000 -in localhost.csr \ ++ -keyfile ca/private/testsuiteCA.key -extensions v3_req -cert ca/certs/testsuiteCA.crt \ ++ -batch >/dev/null 2>&1 ++ ++ rm -rf ./openssl.cnf ./localhost.csr cruft ++fi ++ ++if [ $USER = 1 ]; then ++ rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr ++ ++ $openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \ ++ -newkey rsa:1024 -config ./openssl.cnf \ ++ -subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \ ++ -batch >/dev/null 2>&1 ++ ++ $openssl ca -out certs/$EMAIL.crt -notext -config ./openssl.cnf -days 183000 -in $EMAIL.csr \ ++ -keyfile ca/private/testsuiteCA.key -extensions req_distinguished_name \ ++ -cert ca/certs/testsuiteCA.crt -batch >/dev/null 2>&1 ++ ++ rm -rf ./openssl.cnf ./$EMAIL.csr cruft ++fi +diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key 
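Review bot: The `openssl` not-found branch at the top of create-crt.sh prints "skipping..." but has no `exit`, so the script falls through to `rm -rf ./openssl.cnf cruft`, the `mkdir`s, and eventually `$openssl req ...` with an empty command word; the message should be followed by `exit 0` (or `exit 1`) so nothing is deleted or half-generated when the tool is absent. The `sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf` step substitutes a placeholder that does not occur in the openssl.cnf added by this patch (its `v3_req` SAN is fixed to `DNS:localhost,IP:127.0.0.1,IP:::1`), so the `hostname -f` call is dead work and the generated server certificate will never match a non-localhost name. The user-certificate path issues with `-extensions req_distinguished_name`, a section that in this cnf holds only `basicConstraints=CA:FALSE`, whereas `usr_cert` already exists with the key-identifier extensions; pointing `-extensions` at `usr_cert` would keep the DN section for its intended purpose. `$EMAIL` is also used unquoted in `rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr` and the subsequent openssl calls, so an argument containing whitespace or glob characters would be split.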
b/tests/data/tls/private/bjensen@mailgw.example.com.key +new file mode 100644 +index 000000000..5f4625fd7 +--- /dev/null ++++ b/tests/data/tls/private/bjensen@mailgw.example.com.key +@@ -0,0 +1,16 @@ ++-----BEGIN PRIVATE KEY----- ++MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2 ++xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4 ++9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z ++yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r ++oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e ++nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg ++xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra ++EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd ++9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/ ++pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI ++tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ ++3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D ++tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg ++36Ixj3L+5H18 ++-----END PRIVATE KEY----- +diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key +new file mode 100644 +index 000000000..8a24f69f8 +--- /dev/null ++++ b/tests/data/tls/private/localhost.key +@@ -0,0 +1,16 @@ ++-----BEGIN PRIVATE KEY----- ++MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg ++ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM ++w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM ++brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij ++Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf ++2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ ++bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q ++1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf ++3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U 
++VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7 ++TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b ++iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP ++5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3 ++b61hkjQZfbEg5cg= ++-----END PRIVATE KEY----- +diff --git a/tests/run.in b/tests/run.in +index 6c33d4d20..793e388c1 100644 +--- a/tests/run.in ++++ b/tests/run.in +@@ -57,6 +57,7 @@ AC_valsort=valsort@BUILD_VALSORT@ + # misc + AC_WITH_SASL=@WITH_SASL@ + AC_WITH_TLS=@WITH_TLS@ ++AC_TLS_TYPE=@WITH_TLS_TYPE@ + AC_WITH_MODULES_ENABLED=@WITH_MODULES_ENABLED@ + AC_ACI_ENABLED=aci@WITH_ACI_ENABLED@ + AC_THREADS=threads@BUILD_THREAD@ +@@ -75,7 +76,7 @@ export AC_bdb AC_hdb AC_ldap AC_mdb AC_meta AC_monitor AC_null AC_relay AC_sql \ + AC_refint AC_retcode AC_rwm AC_unique AC_syncprov AC_translucent \ + AC_valsort \ + AC_WITH_SASL AC_WITH_TLS AC_WITH_MODULES_ENABLED AC_ACI_ENABLED \ +- AC_THREADS AC_LIBS_DYNAMIC ++ AC_THREADS AC_LIBS_DYNAMIC AC_WITH_TLS AC_TLS_TYPE + + if test ! 
-x ../servers/slapd/slapd ; then + echo "Could not locate slapd(8)" +diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh +index a7dacebdd..2c9e8f76a 100755 +--- a/tests/scripts/defines.sh ++++ b/tests/scripts/defines.sh +@@ -46,6 +46,9 @@ VALSORT=${AC_valsort-valsortno} + # misc + WITH_SASL=${AC_WITH_SASL-no} + USE_SASL=${SLAPD_USE_SASL-no} ++WITH_TLS=${AC_WITH_TLS-no} ++WITH_TLS_TYPE=${AC_TLS_TYPE-no} ++ + ACI=${AC_ACI_ENABLED-acino} + THREADS=${AC_THREADS-threadsno} + SLEEP0=${SLEEP0-1} +@@ -104,6 +107,8 @@ P2SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist2.conf + P3SRSLAVECONF=$DATADIR/slapd-syncrepl-slave-persist3.conf + REFSLAVECONF=$DATADIR/slapd-ref-slave.conf + SCHEMACONF=$DATADIR/slapd-schema.conf ++TLSCONF=$DATADIR/slapd-tls.conf ++TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf + GLUECONF=$DATADIR/slapd-glue.conf + REFINTCONF=$DATADIR/slapd-refint.conf + RETCODECONF=$DATADIR/slapd-retcode.conf +@@ -164,6 +169,7 @@ SLURPLOG=$TESTDIR/slurp.log + CONFIGPWF=$TESTDIR/configpw + + # args ++SASLARGS="-Q" + TOOLARGS="-x $LDAP_TOOLARGS" + TOOLPROTO="-P 3" + +@@ -186,7 +192,8 @@ BCMP="diff -iB" + CMPOUT=/dev/null + SLAPD="$TESTWD/../servers/slapd/slapd -s0" + LDAPPASSWD="$CLIENTDIR/ldappasswd $TOOLARGS" +-LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $LDAP_TOOLARGS -LLL" ++LDAPSASLSEARCH="$CLIENTDIR/ldapsearch $SASLARGS $TOOLPROTO $LDAP_TOOLARGS -LLL" ++LDAPSASLWHOAMI="$CLIENTDIR/ldapwhoami $SASLARGS $LDAP_TOOLARGS" + LDAPSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS -LLL" + LDAPRSEARCH="$CLIENTDIR/ldapsearch $TOOLPROTO $TOOLARGS" + LDAPDELETE="$CLIENTDIR/ldapdelete $TOOLPROTO $TOOLARGS" +@@ -201,6 +208,7 @@ LDIFFILTER=$PROGDIR/ldif-filter + SLAPDMTREAD=$PROGDIR/slapd-mtread + LVL=${SLAPD_DEBUG-0x4105} + LOCALHOST=localhost ++LOCALIP=127.0.0.1 + BASEPORT=${SLAPD_BASEPORT-9010} + PORT1=`expr $BASEPORT + 1` + PORT2=`expr $BASEPORT + 2` +@@ -209,11 +217,22 @@ PORT4=`expr $BASEPORT + 4` + PORT5=`expr $BASEPORT + 5` + PORT6=`expr $BASEPORT + 6` + 
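Review bot: The changed export line in tests/run.in names `AC_WITH_TLS` a second time — it is already in the list two lines above, next to `AC_WITH_SASL` — so the addition reads like a leftover from an earlier version of the patch. `export` tolerates the duplicate, but the new line should be just `AC_THREADS AC_LIBS_DYNAMIC AC_TLS_TYPE`.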
URI1="ldap://${LOCALHOST}:$PORT1/" ++URIP1="ldap://${LOCALIP}:$PORT1/" + URI2="ldap://${LOCALHOST}:$PORT2/" ++URIP2="ldap://${LOCALIP}:$PORT2/" + URI3="ldap://${LOCALHOST}:$PORT3/" ++URIP3="ldap://${LOCALIP}:$PORT3/" + URI4="ldap://${LOCALHOST}:$PORT4/" + URI5="ldap://${LOCALHOST}:$PORT5/" + URI6="ldap://${LOCALHOST}:$PORT6/" ++SURI1="ldaps://${LOCALHOST}:$PORT1/" ++SURIP1="ldaps://${LOCALIP}:$PORT1/" ++SURI2="ldaps://${LOCALHOST}:$PORT2/" ++SURIP2="ldaps://${LOCALIP}:$PORT2/" ++SURI3="ldaps://${LOCALHOST}:$PORT3/" ++SURI4="ldaps://${LOCALHOST}:$PORT4/" ++SURI5="ldaps://${LOCALHOST}:$PORT5/" ++SURI6="ldaps://${LOCALHOST}:$PORT6/" + + # LDIF + LDIF=$DATADIR/test.ldif +diff --git a/tests/scripts/test067-tls b/tests/scripts/test067-tls +new file mode 100755 +index 000000000..2b245f5f5 +--- /dev/null ++++ b/tests/scripts/test067-tls +@@ -0,0 +1,140 @@ ++#! /bin/sh ++# $OpenLDAP$ ++## This work is part of OpenLDAP Software . ++## ++## Copyright 1998-2017 The OpenLDAP Foundation. ++## All rights reserved. ++## ++## Redistribution and use in source and binary forms, with or without ++## modification, are permitted only as authorized by the OpenLDAP ++## Public License. ++## ++## A copy of this license is available in the file LICENSE in the ++## top-level directory of the distribution or, alternatively, at ++## . ++ ++echo "running defines.sh" ++. $SRCDIR/scripts/defines.sh ++ ++if test $WITH_TLS = no ; then ++ echo "TLS support not available, test skipped" ++ exit 0 ++fi ++ ++mkdir -p $TESTDIR $DBDIR1 ++cp -r $DATADIR/tls $TESTDIR ++ ++cd $TESTWD ++ ++echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." ++. $CONFFILTER $BACKEND $MONITORDB < $TLSCONF > $CONF1 ++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & ++PID=$! ++if test $WAIT != 0 ; then ++ echo PID $PID ++ read foo ++fi ++KILLPIDS="$PID" ++ ++sleep 1 ++ ++for i in 0 1 2 3 4 5; do ++ $LDAPSEARCH -s base -b "" -H $URI1 \ ++ 'objectclass=*' > /dev/null 2>&1 ++ RC=$? 
++ if test $RC = 0 ; then ++ break ++ fi ++ echo "Waiting 5 seconds for slapd to start..." ++ sleep 5 ++done ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++echo -n "Using ldapsearch with startTLS with no server cert validation...." ++$LDAPSEARCH -o tls_reqcert=never -ZZ -b "" -s base -H $URIP1 \ ++ '@extensibleObject' > $SEARCHOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapsearch (startTLS) failed ($RC)!" ++ exit $RC ++else ++ echo "success" ++fi ++ ++echo -n "Using ldapsearch with startTLS with hard require cert...." ++$LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -ZZ -b "" -s base -H $URIP1 \ ++ '@extensibleObject' > $SEARCHOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapsearch (startTLS) failed ($RC)!" ++ exit $RC ++else ++ echo "success" ++fi ++ ++if test $WITH_TLS_TYPE = openssl ; then ++ echo -n "Using ldapsearch with startTLS and specific protocol version...." ++ $LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -o tls_protocol_min=3.3 -ZZ -b "" -s base -H $URIP1 \ ++ '@extensibleObject' > $SEARCHOUT 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "ldapsearch (protocol-min) failed ($RC)!" ++ exit $RC ++ else ++ echo "success" ++ fi ++fi ++ ++echo -n "Using ldapsearch on $SURI2 with no server cert validation..." ++$LDAPSEARCH -o tls_reqcert=never -b "cn=Subschema" -s base -H $SURIP2 \ ++ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ ++ >> $SEARCHOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapsearch (ldaps) failed($RC)!" ++ exit $RC ++else ++ echo "success" ++fi ++ ++echo -n "Using ldapsearch on $SURI2 with reqcert HARD and no CA cert. Should fail..." ++$LDAPSEARCH -o tls_reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \ ++ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ ++ >> $SEARCHOUT 2>&1 ++RC=$? 
++if test $RC = 0 ; then ++ echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!" ++ exit 1 ++else ++ echo "failed correctly with error code ($RC)" ++fi ++ ++echo -n "Using ldapsearch on $SURI2 with CA cert and reqcert HARD..." ++$LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \ ++ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ ++ >> $SEARCHOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapsearch (ldaps) failed ($RC)!" ++ exit $RC ++else ++ echo "success" ++fi ++ ++test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ ++if test $RC != 0 ; then ++ echo ">>>>> Test failed" ++else ++ echo ">>>>> Test succeeded" ++ RC=0 ++fi ++ ++test $KILLSERVERS != no && wait ++ ++exit $RC +diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external +new file mode 100755 +index 000000000..dcbc50fd4 +--- /dev/null ++++ b/tests/scripts/test068-sasl-tls-external +@@ -0,0 +1,102 @@ ++#! /bin/sh ++# $OpenLDAP$ ++## This work is part of OpenLDAP Software . ++## ++## Copyright 1998-2017 The OpenLDAP Foundation. ++## All rights reserved. ++## ++## Redistribution and use in source and binary forms, with or without ++## modification, are permitted only as authorized by the OpenLDAP ++## Public License. ++## ++## A copy of this license is available in the file LICENSE in the ++## top-level directory of the distribution or, alternatively, at ++## . ++ ++echo "running defines.sh" ++. $SRCDIR/scripts/defines.sh ++ ++if test $WITH_TLS = no ; then ++ echo "TLS support not available, test skipped" ++ exit 0 ++fi ++ ++mkdir -p $TESTDIR $DBDIR1 ++cp -r $DATADIR/tls $TESTDIR ++ ++cd $TESTWD ++ ++echo "Running slapadd to build slapd database..." ++. $CONFFILTER $BACKEND $MONITORDB < $TLSSASLCONF > $CONF1 ++$SLAPADD -f $CONF1 -l $LDIFORDERED ++RC=$? ++if test $RC != 0 ; then ++ echo "slapadd failed ($RC)!" 
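Review bot: Every failure exit in test067-tls after slapd has started — the two startTLS checks, the protocol-min check, both ldaps checks and the "should fail" branch's `exit 1` — returns without `test $KILLSERVERS != no && kill -HUP $KILLPIDS`, unlike the startup wait loop earlier in the script, so a failing run leaves the slapd listening on $PORT1/$PORT2 and the next test in the suite can collide with it. Adding the kill line before each `exit` (or funnelling failures through one cleanup path) fixes it. test068-sasl-tls-external has the same gap in its ldapwhoami failure branch, and its comparison-failure branch kills `$PID` where the rest of the script uses `$KILLPIDS`. The closing `if test $RC != 0` block in test067 can only be reached with RC=0, since every non-zero RC has already exited, so the ">>>>> Test failed" branch there is unreachable.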
++ exit $RC ++fi ++ ++echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." ++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & ++PID=$! ++if test $WAIT != 0 ; then ++ echo PID $PID ++ read foo ++fi ++KILLPIDS="$PID" ++ ++sleep 1 ++ ++for i in 0 1 2 3 4 5; do ++ $LDAPSEARCH -s base -b "" -H $URI1 \ ++ 'objectclass=*' > /dev/null 2>&1 ++ RC=$? ++ if test $RC = 0 ; then ++ break ++ fi ++ echo "Waiting 5 seconds for slapd to start..." ++ sleep 5 ++done ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++echo -n "Using ldapwhoami with SASL/EXTERNAL...." ++$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard \ ++ -o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt -o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key -ZZ -Y EXTERNAL -H $URIP1 \ ++ > $TESTOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapwhoami (startTLS) failed ($RC)!" ++ exit $RC ++else ++ echo "success" ++fi ++ ++echo -n "Validating mapped SASL ID..." ++echo 'dn:cn=barbara jensen,ou=information technology division,ou=people,dc=example,dc=com' > $TESTDIR/dn.out ++$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT ++ ++RC=$? ++if test $RC != 0 ; then ++ echo "Comparison failed" ++ test $KILLSERVERS != no && kill -HUP $PID ++ exit $RC ++else ++ echo "success" ++fi ++ ++test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ ++if test $RC != 0 ; then ++ echo ">>>>> Test failed" ++else ++ echo ">>>>> Test succeeded" ++ RC=0 ++fi ++ ++test $KILLSERVERS != no && wait ++ ++exit $RC +diff --git a/tests/scripts/test069-delta-multimaster-starttls b/tests/scripts/test069-delta-multimaster-starttls +new file mode 100755 +index 000000000..2dfbb30a1 +--- /dev/null ++++ b/tests/scripts/test069-delta-multimaster-starttls +@@ -0,0 +1,574 @@ ++#! /bin/sh ++# $OpenLDAP$ ++## This work is part of OpenLDAP Software . 
++## ++## Copyright 1998-2017 The OpenLDAP Foundation. ++## All rights reserved. ++## ++## Redistribution and use in source and binary forms, with or without ++## modification, are permitted only as authorized by the OpenLDAP ++## Public License. ++## ++## A copy of this license is available in the file LICENSE in the ++## top-level directory of the distribution or, alternatively, at ++## . ++ ++echo "running defines.sh" ++. $SRCDIR/scripts/defines.sh ++ ++if test $WITH_TLS = no ; then ++ echo "TLS support not available, test skipped" ++ exit 0 ++fi ++ ++if test $SYNCPROV = syncprovno; then ++ echo "Syncrepl provider overlay not available, test skipped" ++ exit 0 ++fi ++if test $ACCESSLOG = accesslogno; then ++ echo "Accesslog overlay not available, test skipped" ++ exit 0 ++fi ++ ++MMR=2 ++ ++XDIR=$TESTDIR/srv ++TMP=$TESTDIR/tmp ++ ++mkdir -p $TESTDIR ++cp -r $DATADIR/tls $TESTDIR ++ ++$SLAPPASSWD -g -n >$CONFIGPWF ++ ++if test x"$SYNCMODE" = x ; then ++ SYNCMODE=rp ++fi ++case "$SYNCMODE" in ++ ro) ++ SYNCTYPE="type=refreshOnly interval=00:00:00:03" ++ ;; ++ rp) ++ SYNCTYPE="type=refreshAndPersist interval=00:00:00:03" ++ ;; ++ *) ++ echo "unknown sync mode $SYNCMODE" ++ exit 1; ++ ;; ++esac ++ ++# ++# Test delta-sync mmr ++# - start servers ++# - configure over ldap ++# - populate over ldap ++# - configure syncrepl over ldap ++# - break replication ++# - modify each server separately ++# - restore replication ++# - compare results ++# ++ ++nullExclude="" ++test $BACKEND = null && nullExclude="# " ++ ++KILLPIDS= ++ ++echo "Initializing server configurations..." 
++n=1 ++while [ $n -le $MMR ]; do ++ ++DBDIR=${XDIR}$n/db ++CFDIR=${XDIR}$n/slapd.d ++ ++mkdir -p ${XDIR}$n $DBDIR.1 $DBDIR.2 $CFDIR ++ ++o=`expr 3 - $n` ++cat > $TMP <> $TMP ++dn: cn=module,cn=config ++objectClass: olcModuleList ++cn: module ++olcModulePath: $TESTWD/../servers/slapd/overlays ++EOF ++ if [ "$SYNCPROV" = syncprovmod ]; then ++ echo "olcModuleLoad: syncprov.la" >> $TMP ++ fi ++ if [ "$ACCESSLOG" = accesslogmod ]; then ++ echo "olcModuleLoad: accesslog.la" >> $TMP ++ fi ++ echo "" >> $TMP ++fi ++ ++if [ "$BACKENDTYPE" = mod ]; then ++cat <> $TMP ++dn: cn=module,cn=config ++objectClass: olcModuleList ++cn: module ++olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND ++olcModuleLoad: back_$BACKEND.la ++ ++EOF ++fi ++MYURI=`eval echo '$URI'$n` ++PROVIDERURI=`eval echo '$URIP'$o` ++if test $INDEXDB = indexdb ; then ++INDEX1="olcDbIndex: objectClass,entryCSN,reqStart,reqDN,reqResult eq" ++INDEX2="olcDbIndex: objectClass,entryCSN,entryUUID eq" ++else ++INDEX1= ++INDEX2= ++fi ++cat >> $TMP < $TESTOUT 2>&1 ++PORT=`eval echo '$PORT'$n` ++echo "Starting server $n on TCP/IP port $PORT..." ++cd ${XDIR}${n} ++LOG=`eval echo '$LOG'$n` ++$SLAPD -F slapd.d -h $MYURI -d $LVL $TIMING > $LOG 2>&1 & ++PID=$! ++if test $WAIT != 0 ; then ++ echo PID $PID ++ read foo ++fi ++KILLPIDS="$PID $KILLPIDS" ++cd $TESTWD ++ ++echo "Using ldapsearch to check that server $n is running..." ++for i in 0 1 2 3 4 5; do ++ $LDAPSEARCH -s base -b "" -H $MYURI \ ++ 'objectclass=*' > /dev/null 2>&1 ++ RC=$? ++ if test $RC = 0 ; then ++ break ++ fi ++ echo "Waiting 5 seconds for slapd to start..." ++ sleep 5 ++done ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++if [ $n = 1 ]; then ++echo "Using ldapadd for context on server 1..." ++$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $LDIFORDEREDCP \ ++ >> $TESTOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapadd failed for server $n database ($RC)!" 
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++fi ++ ++n=`expr $n + 1` ++done ++ ++echo "Using ldapadd to populate server 1..." ++$LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $LDIFORDEREDNOCP \ ++ >> $TESTOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapadd failed for server $n database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..." ++sleep $SLEEP1 ++ ++n=1 ++while [ $n -le $MMR ]; do ++PORT=`expr $BASEPORT + $n` ++URI="ldap://${LOCALHOST}:$PORT/" ++ ++echo "Using ldapsearch to read all the entries from server $n..." ++$LDAPSEARCH -S "" -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD \ ++ 'objectclass=*' > $TESTDIR/server$n.out 2>&1 ++RC=$? ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed at server $n ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt ++n=`expr $n + 1` ++done ++ ++n=2 ++while [ $n -le $MMR ]; do ++echo "Comparing retrieved entries from server 1 and server $n..." ++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT ++ ++if test $? != 0 ; then ++ echo "test failed - server 1 and server $n databases differ" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit 1 ++fi ++n=`expr $n + 1` ++done ++ ++echo "Using ldapadd to populate server 2..." ++$LDAPADD -D "$MANAGERDN" -H $URI2 -w $PASSWD -f $LDIFADD1 \ ++ >> $TESTOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapadd failed for server 2 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com" ++sleep 1 ++for i in 1 2 3; do ++ $LDAPSEARCH -S "" -b "$THEDN" -H $URI1 \ ++ -s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1 ++ RC=$? ++ ++ if test $RC = 0 ; then ++ break ++ fi ++ ++ if test $RC != 32 ; then ++ echo "ldapsearch failed at slave ($RC)!" 
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++ fi ++ ++ echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..." ++ sleep $SLEEP1 ++done ++ ++n=1 ++while [ $n -le $MMR ]; do ++PORT=`expr $BASEPORT + $n` ++URI="ldap://${LOCALHOST}:$PORT/" ++ ++echo "Using ldapsearch to read all the entries from server $n..." ++$LDAPSEARCH -S "" -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD \ ++ 'objectclass=*' > $TESTDIR/server$n.out 2>&1 ++RC=$? ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed at server $n ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt ++n=`expr $n + 1` ++done ++ ++n=2 ++while [ $n -le $MMR ]; do ++echo "Comparing retrieved entries from server 1 and server $n..." ++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT ++ ++if test $? != 0 ; then ++ echo "test failed - server 1 and server $n databases differ" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit 1 ++fi ++n=`expr $n + 1` ++done ++ ++echo "Breaking replication between server 1 and 2..." ++n=1 ++while [ $n -le $MMR ]; do ++o=`expr 3 - $n` ++MYURI=`eval echo '$URI'$n` ++PROVIDERURI=`eval echo '$URIP'$o` ++$LDAPMODIFY -D cn=config -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 <> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++add: description ++description: Amazing ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 1 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -D "$MANAGERDN" -H $URI2 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++add: description ++description: Stupendous ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 2 database ($RC)!" 
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++delete: description ++description: Outstanding ++- ++add: description ++description: Mindboggling ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 1 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -D "$MANAGERDN" -H $URI2 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++delete: description ++description: OutStanding ++- ++add: description ++description: Bizarre ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 2 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++add: carLicense ++carLicense: 123-XYZ ++- ++add: employeeNumber ++employeeNumber: 32 ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 1 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -D "$MANAGERDN" -H $URI2 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++add: employeeType ++employeeType: deadwood ++- ++add: employeeNumber ++employeeNumber: 64 ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 2 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -D "$MANAGERDN" -H $URI1 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++replace: sn ++sn: Replaced later ++- ++replace: sn ++sn: Surname ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 1 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++echo "Restoring replication between server 1 and 2..." 
++n=1 ++while [ $n -le $MMR ]; do ++o=`expr 3 - $n` ++MYURI=`eval echo '$URI'$n` ++PROVIDERURI=`eval echo '$URIP'$o` ++$LDAPMODIFY -D cn=config -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 < $TESTDIR/server$n.out 2>&1 ++RC=$? ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed at server $n ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++$LDIFFILTER -s a < $TESTDIR/server$n.out > $TESTDIR/server$n.flt ++n=`expr $n + 1` ++done ++ ++n=2 ++while [ $n -le $MMR ]; do ++echo "Comparing retrieved entries from server 1 and server $n..." ++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT ++ ++if test $? != 0 ; then ++ echo "test failed - server 1 and server $n databases differ" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit 1 ++fi ++n=`expr $n + 1` ++done ++ ++test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ ++echo ">>>>> Test succeeded" ++ ++test $KILLSERVERS != no && wait ++ ++exit 0 +diff --git a/tests/scripts/test070-delta-multimaster-ldaps b/tests/scripts/test070-delta-multimaster-ldaps +new file mode 100755 +index 000000000..1024640ef +--- /dev/null ++++ b/tests/scripts/test070-delta-multimaster-ldaps +@@ -0,0 +1,571 @@ ++#! /bin/sh ++# $OpenLDAP$ ++## This work is part of OpenLDAP Software . ++## ++## Copyright 1998-2017 The OpenLDAP Foundation. ++## All rights reserved. ++## ++## Redistribution and use in source and binary forms, with or without ++## modification, are permitted only as authorized by the OpenLDAP ++## Public License. ++## ++## A copy of this license is available in the file LICENSE in the ++## top-level directory of the distribution or, alternatively, at ++## . ++ ++echo "running defines.sh" ++. 
$SRCDIR/scripts/defines.sh ++ ++if test $WITH_TLS = no ; then ++ echo "TLS support not available, test skipped" ++ exit 0 ++fi ++ ++if test $SYNCPROV = syncprovno; then ++ echo "Syncrepl provider overlay not available, test skipped" ++ exit 0 ++fi ++if test $ACCESSLOG = accesslogno; then ++ echo "Accesslog overlay not available, test skipped" ++ exit 0 ++fi ++ ++MMR=2 ++ ++XDIR=$TESTDIR/srv ++TMP=$TESTDIR/tmp ++ ++mkdir -p $TESTDIR ++cp -r $DATADIR/tls $TESTDIR ++ ++$SLAPPASSWD -g -n >$CONFIGPWF ++ ++if test x"$SYNCMODE" = x ; then ++ SYNCMODE=rp ++fi ++case "$SYNCMODE" in ++ ro) ++ SYNCTYPE="type=refreshOnly interval=00:00:00:03" ++ ;; ++ rp) ++ SYNCTYPE="type=refreshAndPersist interval=00:00:00:03" ++ ;; ++ *) ++ echo "unknown sync mode $SYNCMODE" ++ exit 1; ++ ;; ++esac ++ ++# ++# Test delta-sync mmr ++# - start servers ++# - configure over ldap ++# - populate over ldap ++# - configure syncrepl over ldap ++# - break replication ++# - modify each server separately ++# - restore replication ++# - compare results ++# ++ ++nullExclude="" ++test $BACKEND = null && nullExclude="# " ++ ++KILLPIDS= ++ ++echo "Initializing server configurations..." 
++n=1 ++while [ $n -le $MMR ]; do ++ ++DBDIR=${XDIR}$n/db ++CFDIR=${XDIR}$n/slapd.d ++ ++mkdir -p ${XDIR}$n $DBDIR.1 $DBDIR.2 $CFDIR ++ ++o=`expr 3 - $n` ++cat > $TMP <> $TMP ++dn: cn=module,cn=config ++objectClass: olcModuleList ++cn: module ++olcModulePath: $TESTWD/../servers/slapd/overlays ++EOF ++ if [ "$SYNCPROV" = syncprovmod ]; then ++ echo "olcModuleLoad: syncprov.la" >> $TMP ++ fi ++ if [ "$ACCESSLOG" = accesslogmod ]; then ++ echo "olcModuleLoad: accesslog.la" >> $TMP ++ fi ++ echo "" >> $TMP ++fi ++ ++if [ "$BACKENDTYPE" = mod ]; then ++cat <> $TMP ++dn: cn=module,cn=config ++objectClass: olcModuleList ++cn: module ++olcModulePath: $TESTWD/../servers/slapd/back-$BACKEND ++olcModuleLoad: back_$BACKEND.la ++ ++EOF ++fi ++MYURI=`eval echo '$SURIP'$n` ++PROVIDERURI=`eval echo '$SURIP'$o` ++if test $INDEXDB = indexdb ; then ++INDEX1="olcDbIndex: objectClass,entryCSN,reqStart,reqDN,reqResult eq" ++INDEX2="olcDbIndex: objectClass,entryCSN,entryUUID eq" ++else ++INDEX1= ++INDEX2= ++fi ++cat >> $TMP < $TESTOUT 2>&1 ++PORT=`eval echo '$PORT'$n` ++echo "Starting server $n on TCP/IP port $PORT..." ++cd ${XDIR}${n} ++LOG=`eval echo '$LOG'$n` ++$SLAPD -F slapd.d -h $MYURI -d $LVL $TIMING > $LOG 2>&1 & ++PID=$! ++if test $WAIT != 0 ; then ++ echo PID $PID ++ read foo ++fi ++KILLPIDS="$PID $KILLPIDS" ++cd $TESTWD ++ ++echo "Using ldapsearch to check that server $n is running..." ++for i in 0 1 2 3 4 5; do ++ $LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -s base -b "" -H $MYURI \ ++ 'objectclass=*' > /dev/null 2>&1 ++ RC=$? ++ if test $RC = 0 ; then ++ break ++ fi ++ echo "Waiting 5 seconds for slapd to start..." ++ sleep 5 ++done ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++if [ $n = 1 ]; then ++echo "Using ldapadd for context on server 1..." 
++$LDAPADD -D "$MANAGERDN" -H $SURIP1 -w $PASSWD -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -f $LDIFORDEREDCP \ ++ >> $TESTOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapadd failed for server $n database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++fi ++ ++n=`expr $n + 1` ++done ++ ++echo "Using ldapadd to populate server 1..." ++$LDAPADD -D "$MANAGERDN" -H $SURIP1 -w $PASSWD -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -f $LDIFORDEREDNOCP \ ++ >> $TESTOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapadd failed for server $n database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..." ++sleep $SLEEP1 ++ ++n=1 ++while [ $n -le $MMR ]; do ++PORT=`expr $BASEPORT + $n` ++URI="ldaps://${LOCALIP}:$PORT/" ++ ++echo "Using ldapsearch to read all the entries from server $n..." ++$LDAPSEARCH -S "" -b "$BASEDN" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $URI -w $PASSWD \ ++ 'objectclass=*' > $TESTDIR/server$n.out 2>&1 ++RC=$? ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed at server $n ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt ++n=`expr $n + 1` ++done ++ ++n=2 ++while [ $n -le $MMR ]; do ++echo "Comparing retrieved entries from server 1 and server $n..." ++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT ++ ++if test $? != 0 ; then ++ echo "test failed - server 1 and server $n databases differ" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit 1 ++fi ++n=`expr $n + 1` ++done ++ ++echo "Using ldapadd to populate server 2..." ++$LDAPADD -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD -f $LDIFADD1 \ ++ >> $TESTOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapadd failed for server 2 database ($RC)!" 
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++THEDN="cn=James A Jones 2,ou=Alumni Association,ou=People,dc=example,dc=com" ++sleep 1 ++for i in 1 2 3; do ++ $LDAPSEARCH -S "" -b "$THEDN" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -H $SURIP1 \ ++ -s base '(objectClass=*)' entryCSN > "${MASTEROUT}.$i" 2>&1 ++ RC=$? ++ ++ if test $RC = 0 ; then ++ break ++ fi ++ ++ if test $RC != 32 ; then ++ echo "ldapsearch failed at slave ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++ fi ++ ++ echo "Waiting $SLEEP1 seconds for syncrepl to receive changes..." ++ sleep $SLEEP1 ++done ++ ++n=1 ++while [ $n -le $MMR ]; do ++PORT=`expr $BASEPORT + $n` ++URI="ldaps://${LOCALIP}:$PORT/" ++ ++echo "Using ldapsearch to read all the entries from server $n..." ++$LDAPSEARCH -S "" -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -b "$BASEDN" -D "$MANAGERDN" -H $URI -w $PASSWD \ ++ 'objectclass=*' > $TESTDIR/server$n.out 2>&1 ++RC=$? ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed at server $n ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++$LDIFFILTER < $TESTDIR/server$n.out > $TESTDIR/server$n.flt ++n=`expr $n + 1` ++done ++ ++n=2 ++while [ $n -le $MMR ]; do ++echo "Comparing retrieved entries from server 1 and server $n..." ++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT ++ ++if test $? != 0 ; then ++ echo "test failed - server 1 and server $n databases differ" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit 1 ++fi ++n=`expr $n + 1` ++done ++ ++echo "Breaking replication between server 1 and 2..." ++n=1 ++while [ $n -le $MMR ]; do ++o=`expr 3 - $n` ++MYURI=`eval echo '$SURIP'$n` ++PROVIDERURI=`eval echo '$SURIP'$o` ++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D cn=config -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 <> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++add: description ++description: Amazing ++ ++EOF ++RC=$? 
++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 1 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++add: description ++description: Stupendous ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 2 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP1 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++delete: description ++description: Outstanding ++- ++add: description ++description: Mindboggling ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 1 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++delete: description ++description: OutStanding ++- ++add: description ++description: Bizarre ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 2 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP1 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++add: carLicense ++carLicense: 123-XYZ ++- ++add: employeeNumber ++employeeNumber: 32 ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 1 database ($RC)!" 
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP2 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++add: employeeType ++employeeType: deadwood ++- ++add: employeeNumber ++employeeNumber: 64 ++ ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 2 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPMODIFY -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -D "$MANAGERDN" -H $SURIP1 -w $PASSWD \ ++ >> $TESTOUT 2>&1 << EOF ++dn: $THEDN ++changetype: modify ++replace: sn ++sn: Replaced later ++- ++replace: sn ++sn: Surname ++EOF ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapmodify failed for server 1 database ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++echo "Restoring replication between server 1 and 2..." ++n=1 ++while [ $n -le $MMR ]; do ++o=`expr 3 - $n` ++MYURI=`eval echo '$SURIP'$n` ++PROVIDERURI=`eval echo '$SURIP'$o` ++$LDAPMODIFY -D cn=config -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -H $MYURI -y $CONFIGPWF > $TESTOUT 2>&1 < $TESTDIR/server$n.out 2>&1 ++RC=$? ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed at server $n ($RC)!" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++$LDIFFILTER -s a < $TESTDIR/server$n.out > $TESTDIR/server$n.flt ++n=`expr $n + 1` ++done ++ ++n=2 ++while [ $n -le $MMR ]; do ++echo "Comparing retrieved entries from server 1 and server $n..." ++$CMP $MASTERFLT $TESTDIR/server$n.flt > $CMPOUT ++ ++if test $? != 0 ; then ++ echo "test failed - server 1 and server $n databases differ" ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit 1 ++fi ++n=`expr $n + 1` ++done ++ ++test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ ++echo ">>>>> Test succeeded" ++ ++test $KILLSERVERS != no && wait ++ ++exit 0 +-- +2.26.2 + 
diff --git a/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch b/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch
new file mode 100644
index 0000000..2a288fa
--- /dev/null
+++ b/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch
@@ -0,0 +1,582 @@ +NOTE: The patch has been adjusted to match the base code before backporting. + +From 8a259e3df16def3f05828f355e98a5089cd6e6d0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= +Date: Thu, 14 Jun 2018 16:14:15 +0100 +Subject: [PATCH] ITS#8573 allow all libldap options in tools -o option + +--- + clients/tools/common.c | 15 ++- + doc/devel/args | 2 +- + doc/man/man1/ldapcompare.1 | 9 +- + doc/man/man1/ldapdelete.1 | 9 +- + doc/man/man1/ldapexop.1 | 9 +- + doc/man/man1/ldapmodify.1 | 9 +- + doc/man/man1/ldapmodrdn.1 | 9 +- + doc/man/man1/ldappasswd.1 | 9 +- + doc/man/man1/ldapsearch.1 | 9 +- + doc/man/man1/ldapwhoami.1 | 13 ++- + doc/man/man8/slapcat.8 | 2 +- + include/ldap_pvt.h | 5 + + libraries/libldap/init.c | 231 ++++++++++++++++++++++--------------- + servers/slapd/slapcommon.c | 5 +- + 14 files changed, 200 insertions(+), 136 deletions(-) + +diff --git a/clients/tools/common.c b/clients/tools/common.c +index 1cd8a2c1b..b1edffdaf 100644 +--- a/clients/tools/common.c ++++ b/clients/tools/common.c +@@ -374,9 +374,9 @@ N_(" -I use SASL Interactive mode\n"), + N_(" -n show what would be done but don't actually do it\n"), + N_(" -N do not use reverse DNS to canonicalize SASL host name\n"), + N_(" -O props SASL security properties\n"), +-N_(" -o [=] general options\n"), ++N_(" -o [=] any libldap ldap.conf options, plus\n"), ++N_(" ldif_wrap= (in columns, or \"no\" for no wrapping)\n"), + N_(" nettimeout= (in seconds, or \"none\" or \"max\")\n"), +-N_(" ldif-wrap= (in columns, or \"no\" for no wrapping)\n"), + N_(" -p port port on LDAP server\n"), + N_(" -Q use SASL Quiet mode\n"), + N_(" -R realm SASL realm\n"), +@@ -838,6 +838,11 @@ tool_args( int argc, char **argv ) + if ( (cvalue = strchr( control, '=' )) != NULL ) { + *cvalue++ = '\0'; + } ++ for ( next=control; *next; next++ ) { ++ if ( *next == '-' ) { ++ *next = '_'; ++ } ++ } + + if ( strcasecmp( control, "nettimeout" ) == 0 ) { + if( nettimeout.tv_sec != -1 ) { +@@ 
-867,7 +872,7 @@ tool_args( int argc, char **argv ) + exit( EXIT_FAILURE ); + } + +- } else if ( strcasecmp( control, "ldif-wrap" ) == 0 ) { ++ } else if ( strcasecmp( control, "ldif_wrap" ) == 0 ) { + if ( cvalue == 0 ) { + ldif_wrap = LDIF_LINE_WIDTH; + +@@ -878,13 +883,13 @@ tool_args( int argc, char **argv ) + unsigned int u; + if ( lutil_atou( &u, cvalue ) ) { + fprintf( stderr, +- _("Unable to parse ldif-wrap=\"%s\"\n"), cvalue ); ++ _("Unable to parse ldif_wrap=\"%s\"\n"), cvalue ); + exit( EXIT_FAILURE ); + } + ldif_wrap = (ber_len_t)u; + } + +- } else { ++ } else if ( ldap_pvt_conf_option( control, cvalue, 1 ) ) { + fprintf( stderr, "Invalid general option name: %s\n", + control ); + usage(); +diff --git a/doc/devel/args b/doc/devel/args +index 9796fe528..c5aa02f11 100644 +--- a/doc/devel/args ++++ b/doc/devel/args +@@ -28,7 +28,7 @@ ldapwhoami * DE**HI** NO QR UVWXYZ def*h*** *nop* vwxy + -h host + -n no-op + -N no (SASLprep) normalization of simple bind password +- -o general options (currently nettimeout and ldif-wrap only) ++ -o general libldap options (plus ldif_wrap and nettimeout for backwards comp.) + -p port + -v verbose + -V version +diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1 +index 9e66cd4b2..a0e58d7c3 100644 +--- a/doc/man/man1/ldapcompare.1 ++++ b/doc/man/man1/ldapcompare.1 +@@ -186,13 +186,14 @@ Compare extensions: + .TP + .BI \-o \ opt \fR[= optparam \fR] + +-Specify general options. +- +-General options: ++Specify any ++.BR ldap.conf (5) ++option or one of the following: + .nf + nettimeout= (in seconds, or "none" or "max") +- ldif-wrap= (in columns, or "no" for no wrapping) ++ ldif_wrap= (in columns, or "no" for no wrapping) + .fi ++ + .TP + .BI \-O \ security-properties + Specify SASL security properties. 
+diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1 +index 394d35275..85dbf4360 100644 +--- a/doc/man/man1/ldapdelete.1 ++++ b/doc/man/man1/ldapdelete.1 +@@ -192,13 +192,14 @@ Delete extensions: + .TP + .BI \-o \ opt \fR[= optparam \fR] + +-Specify general options. +- +-General options: ++Specify any ++.BR ldap.conf (5) ++option or one of the following: + .nf + nettimeout= (in seconds, or "none" or "max") +- ldif-wrap= (in columns, or "no" for no wrapping) ++ ldif_wrap= (in columns, or "no" for no wrapping) + .fi ++ + .TP + .BI \-O \ security-properties + Specify SASL security properties. +diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1 +index 503d681ca..26e1730a8 100644 +--- a/doc/man/man1/ldapexop.1 ++++ b/doc/man/man1/ldapexop.1 +@@ -189,13 +189,14 @@ Specify general extensions. \'!\' indicates criticality. + .TP + .BI \-o \ opt \fR[= optparam \fR] + +-Specify general options. +- +-General options: ++Specify any ++.BR ldap.conf (5) ++option or one of the following: + .nf + nettimeout= (in seconds, or "none" or "max") +- ldif-wrap= (in columns, or "no" for no wrapping) ++ ldif_wrap= (in columns, or "no" for no wrapping) + .fi ++ + .TP + .BI \-O \ security-properties + Specify SASL security properties. +diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 +index 2792d460b..6c277d89c 100644 +--- a/doc/man/man1/ldapmodify.1 ++++ b/doc/man/man1/ldapmodify.1 +@@ -255,13 +255,14 @@ Modify extensions: + .TP + .BI \-o \ opt \fR[= optparam \fR]] + +-Specify general options. +- +-General options: ++Specify any ++.BR ldap.conf (5) ++option or one of the following: + .nf + nettimeout= (in seconds, or "none" or "max") +- ldif-wrap= (in columns, or "no" for no wrapping) ++ ldif_wrap= (in columns, or "no" for no wrapping) + .fi ++ + .TP + .BI \-O \ security-properties + Specify SASL security properties. 
+diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1 +index 5d0f3fcd9..b24e500fe 100644 +--- a/doc/man/man1/ldapmodrdn.1 ++++ b/doc/man/man1/ldapmodrdn.1 +@@ -186,13 +186,14 @@ Modrdn extensions: + .TP + .BI \-o \ opt \fR[= optparam \fR] + +-Specify general options. +- +-General options: ++Specify any ++.BR ldap.conf (5) ++option or one of the following: + .nf + nettimeout= (in seconds, or "none" or "max") +- ldif-wrap= (in columns, or "no" for no wrapping) ++ ldif_wrap= (in columns, or "no" for no wrapping) + .fi ++ + .TP + .BI \-O \ security-properties + Specify SASL security properties. +diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1 +index 36857ab8f..a2805e57b 100644 +--- a/doc/man/man1/ldappasswd.1 ++++ b/doc/man/man1/ldappasswd.1 +@@ -188,13 +188,14 @@ Passwd Modify extensions: + .TP + .BI \-o \ opt \fR[= optparam \fR]] + +-Specify general options. +- +-General options: ++Specify any ++.BR ldap.conf (5) ++option or one of the following: + .nf + nettimeout= (in seconds, or "none" or "max") +- ldif-wrap= (in columns, or "no" for no wrapping) ++ ldif_wrap= (in columns, or "no" for no wrapping) + .fi ++ + .TP + .BI \-O \ security-properties + Specify SASL security properties. +diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1 +index 036ce6245..1914eafbf 100644 +--- a/doc/man/man1/ldapsearch.1 ++++ b/doc/man/man1/ldapsearch.1 +@@ -332,13 +332,14 @@ Search extensions: + .TP + .BI \-o \ opt \fR[= optparam \fR] + +-Specify general options. +- +-General options: ++Specify any ++.BR ldap.conf (5) ++option or one of the following: + .nf + nettimeout= (in seconds, or "none" or "max") +- ldif-wrap= (in columns, or "no" for no wrapping) ++ ldif_wrap= (in columns, or "no" for no wrapping) + .fi ++ + .TP + .BI \-O \ security-properties + Specify SASL security properties. 
+diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1 +index 5912af5ba..2c8cfded2 100644 +--- a/doc/man/man1/ldapwhoami.1 ++++ b/doc/man/man1/ldapwhoami.1 +@@ -143,13 +143,18 @@ WhoAmI extensions: + .TP + .BI \-o \ opt \fR[= optparam \fR] + +-Specify general options. +- +-General options: ++Specify any ++.BR ldap.conf (5) ++option or one of the following: + .nf + nettimeout= (in seconds, or "none" or "max") +- ldif-wrap= (in columns, or "no" for no wrapping) ++ ldif_wrap= (in columns, or "no" for no wrapping) + .fi ++ ++.B -o ++option that can be passed here, check ++.BR ldap.conf (5) ++for details. + .TP + .BI \-O \ security-properties + Specify SASL security properties. +diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8 +index 57c41deff..2085e9176 100644 +--- a/doc/man/man8/slapcat.8 ++++ b/doc/man/man8/slapcat.8 +@@ -149,7 +149,7 @@ Possible generic options/values are: + syslog\-level= (see `\-S' in slapd(8)) + syslog\-user= (see `\-l' in slapd(8)) + +- ldif-wrap={no|} ++ ldif_wrap={no|} + + .in + \fIn\fP is the number of columns allowed for the LDIF output +diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h +index 31f37277c..e86b032cb 100644 +--- a/include/ldap_pvt.h ++++ b/include/ldap_pvt.h +@@ -326,6 +326,11 @@ struct ldifrecord; + LDAP_F ( int ) ldap_pvt_discard LDAP_P(( + struct ldap *ld, ber_int_t msgid )); + ++/* init.c */ ++LDAP_F( int ) ++ldap_pvt_conf_option LDAP_P(( ++ char *cmd, char *opt, int userconf )); ++ + /* messages.c */ + LDAP_F( BerElement * ) + ldap_get_message_ber LDAP_P(( +diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c +index 548d2c1cb..4a7e81bdb 100644 +--- a/libraries/libldap/init.c ++++ b/libraries/libldap/init.c +@@ -147,6 +147,141 @@ static const struct ol_attribute { + #define MAX_LDAP_ATTR_LEN sizeof("GSSAPI_ALLOW_REMOTE_PRINCIPAL") + #define MAX_LDAP_ENV_PREFIX_LEN 8 + ++static int ++ldap_int_conf_option( ++ struct ldapoptions *gopts, ++ char *cmd, char *opt, int userconf ) ++{ ++ int 
i;
++
++ for(i=0; attrs[i].type != ATTR_NONE; i++) {
++ void *p;
++
++ if( !userconf && attrs[i].useronly ) {
++ continue;
++ }
++
++ if(strcasecmp(cmd, attrs[i].name) != 0) {
++ continue;
++ }
++
++ switch(attrs[i].type) {
++ case ATTR_BOOL:
++ if((strcasecmp(opt, "on") == 0)
++ || (strcasecmp(opt, "yes") == 0)
++ || (strcasecmp(opt, "true") == 0))
++ {
++ LDAP_BOOL_SET(gopts, attrs[i].offset);
++
++ } else {
++ LDAP_BOOL_CLR(gopts, attrs[i].offset);
++ }
++
++ break;
++
++ case ATTR_INT: {
++ char *next;
++ long l;
++ p = &((char *) gopts)[attrs[i].offset];
++ l = strtol( opt, &next, 10 );
++ if ( next != opt && next[ 0 ] == '\0' ) {
++ * (int*) p = l;
++ }
++ } break;
++
++ case ATTR_KV: {
++ const struct ol_keyvalue *kv;
++
++ for(kv = attrs[i].data;
++ kv->key != NULL;
++ kv++) {
++
++ if(strcasecmp(opt, kv->key) == 0) {
++ p = &((char *) gopts)[attrs[i].offset];
++ * (int*) p = kv->value;
++ break;
++ }
++ }
++ } break;
++
++ case ATTR_STRING:
++ p = &((char *) gopts)[attrs[i].offset];
++ if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
++ * (char**) p = LDAP_STRDUP(opt);
++ break;
++ case ATTR_OPTION:
++ ldap_set_option( NULL, attrs[i].offset, opt );
++ break;
++ case ATTR_SASL:
++#ifdef HAVE_CYRUS_SASL
++ ldap_int_sasl_config( gopts, attrs[i].offset, opt );
++#endif
++ break;
++ case ATTR_GSSAPI:
++#ifdef HAVE_GSSAPI
++ ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
++#endif
++ break;
++ case ATTR_TLS:
++#ifdef HAVE_TLS
++ ldap_int_tls_config( NULL, attrs[i].offset, opt );
++#endif
++ break;
++ case ATTR_OPT_TV: {
++ struct timeval tv;
++ char *next;
++ tv.tv_usec = 0;
++ tv.tv_sec = strtol( opt, &next, 10 );
++ if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
++ (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
++ }
++ } break;
++ case ATTR_OPT_INT: {
++ long l;
++ char *next;
++ l = strtol( opt, &next, 10 );
++ if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
++ int v = (int)l;
++ 
(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
++ }
++ } break;
++ }
++
++ break;
++ }
++
++ if ( attrs[i].type == ATTR_NONE ) {
++ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_config: "
++ "unknown option '%s'",
++ cmd, 0, 0 );
++ return 1;
++ }
++
++ return 0;
++}
++
++int
++ldap_pvt_conf_option(
++ char *cmd, char *opt, int userconf )
++{
++ struct ldapoptions *gopts;
++ int rc = LDAP_OPT_ERROR;
++
++ /* Get pointer to global option structure */
++ gopts = LDAP_INT_GLOBAL_OPT();
++ if (NULL == gopts) {
++ return LDAP_NO_MEMORY;
++ }
++
++ if ( gopts->ldo_valid != LDAP_INITIALIZED ) {
++ ldap_int_initialize(gopts, NULL);
++ if ( gopts->ldo_valid != LDAP_INITIALIZED )
++ return LDAP_LOCAL_ERROR;
++ }
++
++ return ldap_int_conf_option( gopts, cmd, opt, userconf );
++}
++
+ static void openldap_ldap_init_w_conf(
+ const char *file, int userconf )
+ {
+@@ -212,101 +347,7 @@ static void openldap_ldap_init_w_conf(
+ while(isspace((unsigned char)*start)) start++;
+ opt = start;
+
+- for(i=0; attrs[i].type != ATTR_NONE; i++) {
+- void *p;
+-
+- if( !userconf && attrs[i].useronly ) {
+- continue;
+- }
+-
+- if(strcasecmp(cmd, attrs[i].name) != 0) {
+- continue;
+- }
+-
+- switch(attrs[i].type) {
+- case ATTR_BOOL:
+- if((strcasecmp(opt, "on") == 0)
+- || (strcasecmp(opt, "yes") == 0)
+- || (strcasecmp(opt, "true") == 0))
+- {
+- LDAP_BOOL_SET(gopts, attrs[i].offset);
+-
+- } else {
+- LDAP_BOOL_CLR(gopts, attrs[i].offset);
+- }
+-
+- break;
+-
+- case ATTR_INT: {
+- char *next;
+- long l;
+- p = &((char *) gopts)[attrs[i].offset];
+- l = strtol( opt, &next, 10 );
+- if ( next != opt && next[ 0 ] == '\0' ) {
+- * (int*) p = l;
+- }
+- } break;
+-
+- case ATTR_KV: {
+- const struct ol_keyvalue *kv;
+-
+- for(kv = attrs[i].data;
+- kv->key != NULL;
+- kv++) {
+-
+- if(strcasecmp(opt, kv->key) == 0) {
+- p = &((char *) gopts)[attrs[i].offset];
+- * (int*) p = kv->value;
+- break;
+- }
+- }
+- } break;
+-
+- case ATTR_STRING:
+- p = &((char *) 
gopts)[attrs[i].offset]; +- if (* (char**) p != NULL) LDAP_FREE(* (char**) p); +- * (char**) p = LDAP_STRDUP(opt); +- break; +- case ATTR_OPTION: +- ldap_set_option( NULL, attrs[i].offset, opt ); +- break; +- case ATTR_SASL: +-#ifdef HAVE_CYRUS_SASL +- ldap_int_sasl_config( gopts, attrs[i].offset, opt ); +-#endif +- break; +- case ATTR_GSSAPI: +-#ifdef HAVE_GSSAPI +- ldap_int_gssapi_config( gopts, attrs[i].offset, opt ); +-#endif +- break; +- case ATTR_TLS: +-#ifdef HAVE_TLS +- ldap_int_tls_config( NULL, attrs[i].offset, opt ); +-#endif +- break; +- case ATTR_OPT_TV: { +- struct timeval tv; +- char *next; +- tv.tv_usec = 0; +- tv.tv_sec = strtol( opt, &next, 10 ); +- if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) { +- (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv ); +- } +- } break; +- case ATTR_OPT_INT: { +- long l; +- char *next; +- l = strtol( opt, &next, 10 ); +- if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) { +- int v = (int)l; +- (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v ); +- } +- } break; +- } +- +- break; +- } ++ ldap_int_conf_option( gopts, cmd, opt, userconf ); + } + + fclose(fp); +diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c +index 87ea0ea06..39384e5e9 100644 +--- a/servers/slapd/slapcommon.c ++++ b/servers/slapd/slapcommon.c +@@ -228,7 +228,8 @@ parse_slapopt( int tool, int *mode ) + break; + } + +- } else if ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) { ++ } else if ( ( strncasecmp( optarg, "ldif_wrap", len ) == 0 ) || ++ ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) ) { + switch ( tool ) { + case SLAPCAT: + if ( strcasecmp( p, "no" ) == 0 ) { +@@ -237,7 +238,7 @@ parse_slapopt( int tool, int *mode ) + } else { + unsigned int u; + if ( lutil_atou( &u, p ) ) { +- Debug( LDAP_DEBUG_ANY, "unable to parse ldif-wrap=\"%s\".\n", p, 0, 0 ); ++ Debug( LDAP_DEBUG_ANY, "unable to parse ldif_wrap=\"%s\".\n", p, 0, 0 ); + return -1; + } + ldif_wrap = 
(ber_len_t)u; +-- +2.26.2 + diff --git a/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch b/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch new file mode 100644 index 0000000..1410482 --- /dev/null +++ b/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch 
@@ -0,0 +1,631 @@ +NOTE: The patch has been adjusted to match the base code before backporting. + +From 3cd50fa8b32a21040a9892e2a8a7a9dfc7541ce6 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Tue, 14 Apr 2020 16:10:48 +0300 +Subject: [PATCH] ITS#9189 rework sasl-cbinding support + +Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use, +defaults to "none". + +Add "tls-endpoint" binding type implementing "tls-server-end-point" from +RCF 5929, which is compatible with Windows. + +Fix "tls-unique" to include the prefix in the bindings as per RFC 5056. +--- + doc/man/man3/ldap_get_option.3 | 16 +++++ + doc/man/man5/ldap.conf.5 | 3 + + doc/man/man5/slapd-config.5 | 4 ++ + doc/man/man5/slapd.conf.5 | 3 + + include/ldap.h | 5 ++ + include/ldap_pvt.h | 5 ++ + libraries/libldap/cyrus.c | 103 ++++++++++++++++++++++++++++----- + libraries/libldap/init.c | 1 + + libraries/libldap/ldap-int.h | 1 + + libraries/libldap/ldap-tls.h | 2 + + libraries/libldap/tls2.c | 7 +++ + libraries/libldap/tls_g.c | 59 +++++++++++++++++++ + libraries/libldap/tls_o.c | 45 ++++++++++++++ + servers/slapd/bconfig.c | 11 +++- + servers/slapd/config.c | 1 + + servers/slapd/connection.c | 9 +-- + servers/slapd/proto-slap.h | 4 +- + servers/slapd/sasl.c | 27 ++++++--- + 18 files changed, 274 insertions(+), 32 deletions(-) + +diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3 +index 4f03a01a3..fd1b3c91c 100644 +--- a/doc/man/man3/ldap_get_option.3 ++++ b/doc/man/man3/ldap_get_option.3 +@@ -563,6 +563,22 @@ must be a + .BR "char **" . + Its content needs to be freed by the caller using + .BR ldap_memfree (3). ++.B LDAP_OPT_X_SASL_CBINDING ++Sets/gets the channel-binding type to use in SASL, ++one of ++.BR LDAP_OPT_X_SASL_CBINDING_NONE ++(the default), ++.BR LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE ++the "tls-unique" type from RCF 5929. ++.BR LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT ++the "tls-server-end-point" from RCF 5929, compatible with Windows. 
++.BR invalue ++must be ++.BR "const int *" ; ++.BR outvalue ++must be ++.BR "int *" . ++.TP + .SH TCP OPTIONS + The TCP options are OpenLDAP specific. + Mainly intended for use with Linux, they may not be portable. +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index 65ad40c1b..4974f8340 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -286,6 +286,9 @@ size allowed. 0 disables security layers. The default is 65536. + .TP + .B SASL_NOCANON + Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off. ++.TP ++.B SASL_CBINDING ++The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none. + .SH GSSAPI OPTIONS + If OpenLDAP is built with Generic Security Services Application Programming Interface support, + there are more options you can specify. +diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 +index 18518a186..dc0ab769f 100644 +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -720,6 +720,10 @@ Used to specify the fully qualified domain name used for SASL processing. + .B olcSaslRealm: + Specify SASL realm. Default is empty. + .TP ++.B olcSaslCbinding: none | tls-unique | tls-endpoint ++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING. ++Default is none. ++.TP + .B olcSaslSecProps: + Used to specify Cyrus SASL security properties. + The +diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 +index f2094b7fd..73a151a70 100644 +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -914,6 +914,9 @@ The + property specifies the maximum security layer receive buffer + size allowed. 0 disables security layers. The default is 65536. + .TP ++.B sasl\-cbinding none | tls-unique | tls-endpoint ++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING. ++.TP + .B schemadn + Specify the distinguished name for the subschema subentry that + controls the entries on this server. 
The default is "cn=Subschema". +diff --git a/include/ldap.h b/include/ldap.h +index 7b4fc9d64..9d5679ae8 100644 +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -186,6 +186,10 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2) + #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3) + ++#define LDAP_OPT_X_SASL_CBINDING_NONE 0 ++#define LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE 1 ++#define LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT 2 ++ + /* OpenLDAP SASL options */ + #define LDAP_OPT_X_SASL_MECH 0x6100 + #define LDAP_OPT_X_SASL_REALM 0x6101 +@@ -201,6 +205,7 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_SASL_NOCANON 0x610b + #define LDAP_OPT_X_SASL_USERNAME 0x610c /* read-only */ + #define LDAP_OPT_X_SASL_GSS_CREDS 0x610d ++#define LDAP_OPT_X_SASL_CBINDING 0x610e + + /* OpenLDAP GSSAPI options */ + #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200 +diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h +index 783d280a5..01220d00a 100644 +--- a/include/ldap_pvt.h ++++ b/include/ldap_pvt.h +@@ -262,6 +262,10 @@ LDAP_F (void *) ldap_pvt_sasl_mutex_new LDAP_P((void)); + LDAP_F (int) ldap_pvt_sasl_mutex_lock LDAP_P((void *mutex)); + LDAP_F (int) ldap_pvt_sasl_mutex_unlock LDAP_P((void *mutex)); + LDAP_F (void) ldap_pvt_sasl_mutex_dispose LDAP_P((void *mutex)); ++ ++LDAP_F (int) ldap_pvt_sasl_cbinding_parse LDAP_P(( const char *arg )); ++LDAP_F (void *) ldap_pvt_sasl_cbinding LDAP_P(( void *ssl, int type, ++ int is_server )); + #endif /* HAVE_CYRUS_SASL */ + + struct sockbuf; /* avoid pulling in */ +@@ -438,6 +442,7 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn, + LDAPDN_rewrite_dummy *func, unsigned flags )); + LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx )); + LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server )); ++LDAP_F (int) ldap_pvt_tls_get_endpoint LDAP_P(( void *ctx, struct berval *buf, int is_server )); + + LDAP_END_DECL + +diff --git a/libraries/libldap/cyrus.c 
b/libraries/libldap/cyrus.c +index beb1cf4a0..4d4d5b3e3 100644 +--- a/libraries/libldap/cyrus.c ++++ b/libraries/libldap/cyrus.c +@@ -372,6 +372,65 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc ) + return LDAP_SUCCESS; + } + ++int ldap_pvt_sasl_cbinding_parse( const char *arg ) ++{ ++ int i = -1; ++ ++ if ( strcasecmp(arg, "none") == 0 ) ++ i = LDAP_OPT_X_SASL_CBINDING_NONE; ++ else if ( strcasecmp(arg, "tls-unique") == 0 ) ++ i = LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE; ++ else if ( strcasecmp(arg, "tls-endpoint") == 0 ) ++ i = LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT; ++ ++ return i; ++} ++ ++void *ldap_pvt_sasl_cbinding( void *ssl, int type, int is_server ) ++{ ++#if defined(SASL_CHANNEL_BINDING) && defined(HAVE_TLS) ++ char unique_prefix[] = "tls-unique:"; ++ char endpoint_prefix[] = "tls-server-end-point:"; ++ char cbinding[ 64 ]; ++ struct berval cbv = { 64, cbinding }; ++ void *cb_data; /* used since cb->data is const* */ ++ sasl_channel_binding_t *cb; ++ char *prefix; ++ int plen; ++ ++ switch (type) { ++ case LDAP_OPT_X_SASL_CBINDING_NONE: ++ return NULL; ++ case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE: ++ if ( !ldap_pvt_tls_get_unique( ssl, &cbv, is_server )) ++ return NULL; ++ prefix = unique_prefix; ++ plen = sizeof(unique_prefix) -1; ++ break; ++ case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT: ++ if ( !ldap_pvt_tls_get_endpoint( ssl, &cbv, is_server )) ++ return NULL; ++ prefix = endpoint_prefix; ++ plen = sizeof(endpoint_prefix) -1; ++ break; ++ default: ++ return NULL; ++ } ++ ++ cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len ); ++ cb->len = plen + cbv.bv_len; ++ cb->data = cb_data = cb+1; ++ memcpy( cb_data, prefix, plen ); ++ memcpy( cb_data + plen, cbv.bv_val, cbv.bv_len ); ++ cb->name = "ldap"; ++ cb->critical = 0; ++ ++ return cb; ++#else ++ return NULL; ++#endif ++} ++ + int + ldap_int_sasl_bind( + LDAP *ld, +@@ -497,17 +556,12 @@ ldap_int_sasl_bind( + (void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac ); + LDAP_FREE( 
authid.bv_val ); + #ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */ +- { +- char cbinding[64]; +- struct berval cbv = { sizeof(cbinding), cbinding }; +- if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) { +- sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) + +- cbv.bv_len); +- cb->name = "ldap"; +- cb->critical = 0; +- cb->data = (char *)(cb+1); +- cb->len = cbv.bv_len; +- memcpy( cb->data, cbv.bv_val, cbv.bv_len ); ++ if ( ld->ld_defconn->lconn_sasl_cbind == NULL ) { ++ void *cb; ++ cb = ldap_pvt_sasl_cbinding( ssl, ++ ld->ld_options.ldo_sasl_cbinding, ++ 0 ); ++ if ( cb != NULL ) { + sasl_setprop( ld->ld_defconn->lconn_sasl_authctx, + SASL_CHANNEL_BINDING, cb ); + ld->ld_defconn->lconn_sasl_cbind = cb; +@@ -931,12 +983,20 @@ int ldap_pvt_sasl_secprops( + int + ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg ) + { +- int rc; ++ int rc, i; + + switch( option ) { + case LDAP_OPT_X_SASL_SECPROPS: + rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops ); + if( rc == LDAP_SUCCESS ) return 0; ++ break; ++ case LDAP_OPT_X_SASL_CBINDING: ++ i = ldap_pvt_sasl_cbinding_parse( arg ); ++ if ( i >= 0 ) { ++ lo->ldo_sasl_cbinding = i; ++ return 0; ++ } ++ break; + } + + return -1; +@@ -1042,6 +1102,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg ) + /* this option is write only */ + return -1; + ++ case LDAP_OPT_X_SASL_CBINDING: ++ *(int *)arg = ld->ld_options.ldo_sasl_cbinding; ++ break; ++ + #ifdef SASL_GSS_CREDS + case LDAP_OPT_X_SASL_GSS_CREDS: { + sasl_conn_t *ctx; +@@ -1143,6 +1207,17 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg ) + return sc == LDAP_SUCCESS ? 
0 : -1; + } + ++ case LDAP_OPT_X_SASL_CBINDING: ++ if ( !arg ) return -1; ++ switch( *(int *) arg ) { ++ case LDAP_OPT_X_SASL_CBINDING_NONE: ++ case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE: ++ case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT: ++ ld->ld_options.ldo_sasl_cbinding = *(int *) arg; ++ return 0; ++ } ++ return -1; ++ + #ifdef SASL_GSS_CREDS + case LDAP_OPT_X_SASL_GSS_CREDS: { + sasl_conn_t *ctx; +diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c +index 3468ee249..dfe1ea9da 100644 +--- a/libraries/libldap/init.c ++++ b/libraries/libldap/init.c +@@ -110,6 +110,7 @@ static const struct ol_attribute { + offsetof(struct ldapoptions, ldo_def_sasl_authzid)}, + {0, ATTR_SASL, "SASL_SECPROPS", NULL, LDAP_OPT_X_SASL_SECPROPS}, + {0, ATTR_BOOL, "SASL_NOCANON", NULL, LDAP_BOOL_SASL_NOCANON}, ++ {0, ATTR_SASL, "SASL_CBINDING", NULL, LDAP_OPT_X_SASL_CBINDING}, + #endif + + #ifdef HAVE_GSSAPI +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +index 67e8bd6da..c6c6891a9 100644 +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -300,6 +300,7 @@ struct ldapoptions { + + /* SASL Security Properties */ + struct sasl_security_properties ldo_sasl_secprops; ++ int ldo_sasl_cbinding; + #define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0} + #else + #define LDAP_LDO_SASL_NULLARG +diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h +index efd51aaa2..9f01ddda1 100644 +--- a/libraries/libldap/ldap-tls.h ++++ b/libraries/libldap/ldap-tls.h +@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn); + typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in); + typedef int (TI_session_strength)(tls_session *sess); + typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server); ++typedef int (TI_session_endpoint)(tls_session *sess, struct berval *buf, int is_server); + typedef int (TI_session_peercert)(tls_session *s, struct berval *der); + + typedef 
void (TI_thr_init)(void); +@@ -69,6 +70,7 @@ typedef struct tls_impl { + TI_session_chkhost *ti_session_chkhost; + TI_session_strength *ti_session_strength; + TI_session_unique *ti_session_unique; ++ TI_session_endpoint *ti_session_endpoint; + TI_session_peercert *ti_session_peercert; + + Sockbuf_IO *ti_sbio; +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index 79a651a38..72827a1a3 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -1200,6 +1200,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server ) + return tls_imp->ti_session_unique( session, buf, is_server ); + } + ++int ++ldap_pvt_tls_get_endpoint( void *s, struct berval *buf, int is_server ) ++{ ++ tls_session *session = s; ++ return tls_imp->ti_session_endpoint( session, buf, is_server ); ++} ++ + int + ldap_pvt_tls_get_peercert( void *s, struct berval *der ) + { +diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c +index 956a9ec90..ef0f44e20 100644 +--- a/libraries/libldap/tls_g.c ++++ b/libraries/libldap/tls_g.c +@@ -729,6 +729,64 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server) + return 0; + } + ++static int ++tlsg_session_endpoint( tls_session *sess, struct berval *buf, int is_server ) ++{ ++ tlsg_session *s = (tlsg_session *)sess; ++ const gnutls_datum_t *cert_data; ++ gnutls_x509_crt_t server_cert; ++ gnutls_digest_algorithm_t md; ++ int sign_algo, md_len, rc; ++ ++ if ( is_server ) ++ cert_data = gnutls_certificate_get_ours( s->session ); ++ else ++ cert_data = gnutls_certificate_get_peers( s->session, NULL ); ++ ++ if ( cert_data == NULL ) ++ return 0; ++ ++ rc = gnutls_x509_crt_init( &server_cert ); ++ if ( rc != GNUTLS_E_SUCCESS ) ++ return 0; ++ ++ rc = gnutls_x509_crt_import( server_cert, cert_data, GNUTLS_X509_FMT_DER ); ++ if ( rc != GNUTLS_E_SUCCESS ) { ++ gnutls_x509_crt_deinit( server_cert ); ++ return 0; ++ } ++ ++ sign_algo = gnutls_x509_crt_get_signature_algorithm( server_cert ); ++ 
gnutls_x509_crt_deinit( server_cert ); ++ if ( sign_algo <= GNUTLS_SIGN_UNKNOWN ) ++ return 0; ++ ++ md = gnutls_sign_get_hash_algorithm( sign_algo ); ++ if ( md == GNUTLS_DIG_UNKNOWN ) ++ return 0; ++ ++ /* See RFC 5929 */ ++ switch (md) { ++ case GNUTLS_DIG_NULL: ++ case GNUTLS_DIG_MD2: ++ case GNUTLS_DIG_MD5: ++ case GNUTLS_DIG_SHA1: ++ md = GNUTLS_DIG_SHA256; ++ } ++ ++ md_len = gnutls_hash_get_len( md ); ++ if ( md_len == 0 || md_len > buf->bv_len ) ++ return 0; ++ ++ rc = gnutls_hash_fast( md, cert_data->data, cert_data->size, buf->bv_val ); ++ if ( rc != GNUTLS_E_SUCCESS ) ++ return 0; ++ ++ buf->bv_len = md_len; ++ ++ return md_len; ++} ++ + static int + tlsg_session_peercert( tls_session *sess, struct berval *der ) + { +@@ -1117,6 +1175,7 @@ tls_impl ldap_int_tls_impl = { + tlsg_session_chkhost, + tlsg_session_strength, + tlsg_session_unique, ++ tlsg_session_endpoint, + tlsg_session_peercert, + + &tlsg_sbio, +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index cf97d7632..aa855d77a 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -858,6 +858,50 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server) + return buf->bv_len; + } + ++static int ++tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server ) ++{ ++ tlso_session *s = (tlso_session *)sess; ++ const EVP_MD *md; ++ unsigned int md_len; ++ X509 *cert; ++ ++ if ( buf->bv_len < EVP_MAX_MD_SIZE ) ++ return 0; ++ ++ if ( is_server ) ++ cert = SSL_get_certificate( s ); ++ else ++ cert = SSL_get_peer_certificate( s ); ++ ++ if ( cert == NULL ) ++ return 0; ++ ++#if OPENSSL_VERSION_NUMBER >= 0x10100000 ++ md = EVP_get_digestbynid( X509_get_signature_nid( cert )); ++#else ++ md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm )); ++#endif ++ ++ /* See RFC 5929 */ ++ if ( md == NULL || ++ md == EVP_md_null() || ++#ifndef OPENSSL_NO_MD2 ++ md == EVP_md2() || ++#endif ++ md == EVP_md4() || ++ md == EVP_md5() || ++ 
md == EVP_sha1() ) ++ md = EVP_sha256(); ++ ++ if ( !X509_digest( cert, md, buf->bv_val, &md_len )) ++ return 0; ++ ++ buf->bv_len = md_len; ++ ++ return md_len; ++} ++ + static int + tlso_session_peercert( tls_session *sess, struct berval *der ) + { +@@ -1474,6 +1518,7 @@ tls_impl ldap_int_tls_impl = { + tlso_session_chkhost, + tlso_session_strength, + tlso_session_unique, ++ tlso_session_endpoint, + tlso_session_peercert, + + &tlso_sbio, +diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c +index 6069ee203..4c90715be 100644 +--- a/servers/slapd/bconfig.c ++++ b/servers/slapd/bconfig.c +@@ -630,6 +630,15 @@ static ConfigTable config_back_cf_table[] = { + #endif + "( OLcfgGlAt:89 NAME 'olcSaslAuxprops' " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, ++ { "sasl-cbinding", NULL, 2, 2, 0, ++#ifdef HAVE_CYRUS_SASL ++ ARG_STRING, &sasl_cbinding, ++#else ++ ARG_IGNORED, NULL, ++#endif ++ "( OLcfgGlAt:100 NAME 'olcSaslCBinding' " ++ "EQUALITY caseIgnoreMatch " ++ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "sasl-host", "host", 2, 2, 0, + #ifdef HAVE_CYRUS_SASL + ARG_STRING|ARG_UNIQUE, &sasl_host, +@@ -948,7 +957,7 @@ static ConfigOCs cf_ocs[] = { + "olcPluginLogFile $ olcReadOnly $ olcReferral $ " + "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ " + "olcRootDSE $ " +- "olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ " ++ "olcSaslAuxprops $ olcSaslCBinding $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ " + "olcSecurity $ olcServerID $ olcSizeLimit $ " + "olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ " + "olcTCPBuffer $ " +diff --git a/servers/slapd/config.c b/servers/slapd/config.c +index 060d3410f..3d713d4fb 100644 +--- a/servers/slapd/config.c ++++ b/servers/slapd/config.c +@@ -73,6 +73,7 @@ char *global_host = NULL; + struct berval global_host_bv = BER_BVNULL; + char *global_realm = NULL; + char *sasl_host = NULL; ++char *sasl_cbinding = NULL; + char **default_passwd_hash = NULL; + 
struct berval default_search_base = BER_BVNULL; + struct berval default_search_nbase = BER_BVNULL; +diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c +index 5f11a0cf1..6d9bb8e85 100644 +--- a/servers/slapd/connection.c ++++ b/servers/slapd/connection.c +@@ -1440,12 +1440,9 @@ connection_read( ber_socket_t s, conn_readinfo *cri ) + c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 ); + slap_sasl_external( c, c->c_tls_ssf, &authid ); + if ( authid.bv_val ) free( authid.bv_val ); +- { +- char cbinding[64]; +- struct berval cbv = { sizeof(cbinding), cbinding }; +- if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 )) +- slap_sasl_cbinding( c, &cbv ); +- } ++ ++ slap_sasl_cbinding( c, ssl ); ++ + } else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb, + LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */ + slapd_set_write( s, 1 ); +diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h +index b89fa836a..0790a8004 100644 +--- a/servers/slapd/proto-slap.h ++++ b/servers/slapd/proto-slap.h +@@ -1681,8 +1681,7 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c, + slap_ssf_t ssf, /* relative strength of external security */ + struct berval *authid ); /* asserted authenication id */ + +-LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, +- struct berval *cbv ); ++LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, void *ssl ); + + LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c ); + LDAP_SLAPD_F (int) slap_sasl_close( Connection *c ); +@@ -2072,6 +2071,7 @@ LDAP_SLAPD_V (char *) global_host; + LDAP_SLAPD_V (struct berval) global_host_bv; + LDAP_SLAPD_V (char *) global_realm; + LDAP_SLAPD_V (char *) sasl_host; ++LDAP_SLAPD_V (char *) sasl_cbinding; + LDAP_SLAPD_V (char *) slap_sasl_auxprops; + LDAP_SLAPD_V (char **) default_passwd_hash; + LDAP_SLAPD_V (int) lber_debug; +diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c +index fc023904a..5cced358c 100644 +--- a/servers/slapd/sasl.c ++++ b/servers/slapd/sasl.c +@@ -1320,6 +1320,8 @@ int 
slap_sasl_destroy( void )
+ #endif
+ free( sasl_host );
+ sasl_host = NULL;
++ free( sasl_cbinding );
++ sasl_cbinding = NULL;
+
+ return 0;
+ }
+@@ -1506,17 +1508,24 @@ int slap_sasl_external(
+ return LDAP_SUCCESS;
+ }
+
+-int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
++int slap_sasl_cbinding( Connection *conn, void *ssl )
+ {
+ #ifdef SASL_CHANNEL_BINDING
+- sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
+- cb->name = "ldap";
+- cb->critical = 0;
+- cb->data = (char *)(cb+1);
+- cb->len = cbv->bv_len;
+- memcpy( cb->data, cbv->bv_val, cbv->bv_len );
+- sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
+- conn->c_sasl_cbind = cb;
++ void *cb;
++ int i;
++
++ if ( sasl_cbinding == NULL )
++ return LDAP_SUCCESS;
++
++ i = ldap_pvt_sasl_cbinding_parse( sasl_cbinding );
++ if ( i < 0 )
++ return LDAP_SUCCESS;
++
++ cb = ldap_pvt_sasl_cbinding( ssl, i, 1 );
++ if ( cb != NULL ) {
++ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
++ conn->c_sasl_cbind = cb;
++ }
+ #endif
+ return LDAP_SUCCESS;
+ }
+--
+2.26.2
+
diff --git a/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch b/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
new file mode 100644
index 0000000..5478022
--- /dev/null
+++ b/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
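Review bot: `ldap_pvt_sasl_cbinding()` in cyrus.c writes through the result of `ldap_memalloc()` without checking it, so an allocation failure becomes a NULL dereference instead of a fall-back to "no binding"; add `if ( cb == NULL ) return NULL;` before `cb->len = plen + cbv.bv_len;`. On the slapd side, `sasl-cbinding` is stored as a plain `ARG_STRING` in bconfig.c and is only parsed per connection in `slap_sasl_cbinding()`, where an unrecognised value makes `ldap_pvt_sasl_cbinding_parse()` return -1 and the function silently returns LDAP_SUCCESS with no binding installed, so a misspelt value disables channel binding with no diagnostic; validating the string when the directive is read (or at least a `Debug( LDAP_DEBUG_ANY, "slap_sasl_cbinding: unknown type '%s'\n", sasl_cbinding, 0, 0 );` on the -1 path) would make that failure visible. In `tlso_session_endpoint()` the client-side `SSL_get_peer_certificate()` returns a reference the caller is expected to release with `X509_free()` (unlike `SSL_get_certificate()`), and neither the early-return paths nor the success path frees it, which looks like a per-handshake leak on the client side — worth confirming against the OpenSSL version this backport targets. Only parts of `ldap_int_sasl_bind` and the tls_o.c/tls_g.c neighbours are visible in this hunk.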
@@ -0,0 +1,190 @@
+From 7b0017ad49a2290ec26cbcdffded8a527799e981 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Sat, 18 Apr 2020 16:30:03 +0200
+Subject: [PATCH] ITS#9189 add channel-bindings tests
+
+---
+ tests/data/slapd-sasl-gssapi.conf | 3 +
+ tests/scripts/setup_kdc.sh | 8 +++
+ tests/scripts/test068-sasl-tls-external | 22 +++++++
+ tests/scripts/test077-sasl-gssapi | 83 ++++++++++++++++++++++++-
+ 4 files changed, 113 insertions(+), 3 deletions(-)
+
+diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
+index 611fc7097..29ab6040b 100644
+--- a/tests/data/slapd-sasl-gssapi.conf
++++ b/tests/data/slapd-sasl-gssapi.conf
+@@ -63,3 +63,6 @@ rootpw secret
+
+ sasl-realm @KRB5REALM@
+ sasl-host localhost
++
++database config
++rootpw secret
+diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
+index 1cb784075..98bcd9f96 100755
+--- a/tests/scripts/setup_kdc.sh
++++ b/tests/scripts/setup_kdc.sh
+@@ -142,3 +142,11 @@ if test $RC != 0 ; then
+ exit 0
+ fi
+ fi
++
++HAVE_SASL_GSS_CBIND=no
++
++grep CHANNEL_BINDING $TESTDIR/plugin_out > /dev/null 2>&1
++RC=$?
++if test $RC = 0 ; then
++ HAVE_SASL_GSS_CBIND=yes
++fi
+diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
+index f647b1012..0b91aa197 100755
+--- a/tests/scripts/test068-sasl-tls-external
++++ b/tests/scripts/test068-sasl-tls-external
+@@ -88,6 +88,28 @@ else
+ echo "success"
+ fi
+
++# Exercise channel-bindings code in builds without SASL support
++for cb in "none" "tls-unique" "tls-endpoint" ; do
++
++ echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
++
++ $LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
++ -o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt \
++ -o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key \
++ -o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1 \
++ > $TESTOUT 2>&1
++
++ RC=$?
++ if test $RC != 0 ; then
++ echo "ldapwhoami failed ($RC)!"
++ test $KILLSERVERS != no && kill -HUP $PID
++ exit $RC
++ else
++ echo "success"
++ fi
++done
++
++
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+ if test $RC != 0 ; then
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+index 64abe16fe..19f665622 100755
+--- a/tests/scripts/test077-sasl-gssapi
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -21,7 +21,10 @@ if test $WITH_SASL = no ; then
+ exit 0
+ fi
+
+-mkdir -p $TESTDIR $DBDIR1
++SLAPTEST="$TESTWD/../servers/slapd/slaptest"
++CONFDIR=$TESTDIR/slapd.d
++
++mkdir -p $TESTDIR $DBDIR1 $CONFDIR
+ cp -r $DATADIR/tls $TESTDIR
+
+ cd $TESTWD
+@@ -32,7 +35,8 @@ echo "Starting KDC for SASL/GSSAPI tests..."
+
+ echo "Running slapadd to build slapd database..."
+ . $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
+-$SLAPADD -f $CONF1 -l $LDIFORDERED
++$SLAPTEST -f $CONF1 -F $CONFDIR
++$SLAPADD -F $CONFDIR -l $LDIFORDERED
+ RC=$?
+ if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+@@ -41,7 +45,7 @@ if test $RC != 0 ; then
+ fi
+
+ echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+ PID=$!
+ if test $WAIT != 0 ; then
+ echo PID $PID
+@@ -144,6 +148,79 @@ else
+ fi
+ fi
+
++if test $WITH_TLS = no ; then
++ echo "TLS support not available, skipping channe-binding test"
++elif test $HAVE_SASL_GSS_CBIND = no ; then
++ echo "SASL has no channel-binding support in GSSAPI, test skipped"
++else
++ echo "Testing SASL/GSSAPI with SASL_CBINDING..."
++
++ for acb in "none" "tls-unique" "tls-endpoint" ; do
++
++ echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
++ $LDAPMODIFY -D cn=config -H $URI1 -w secret < $TESTOUT 2>&1
++dn: cn=config
++changetype: modify
++replace: olcSaslCBinding
++olcSaslCBinding: ${acb}
++EOF
++ RC=$?
++ if test $RC != 0 ; then
++ echo "ldapmodify failed ($RC)!"
++ kill $KDCPROC
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++ fi
++
++ for icb in "none" "tls-unique" "tls-endpoint" ; do
++
++ # The gnutls implemantation of "tls-unique" seems broken
++ if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
++ if test $WITH_TLS_TYPE == gnutls ; then
++ continue
++ fi
++ fi
++
++ fail="no"
++ if test $icb != $acb -a $acb != "none" ; then
++ # This currently fails in MIT, but it is planned to be
++ # fixed not to fail like in heimdal - avoid testing.
++ if test $icb = "none" ; then
++ continue
++ fi
++ # Otherwise unmatching bindings are expected to fail.
++ fail="yes"
++ fi
++
++ echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
++ echo -ne "(client: ${icb},\tserver: ${acb}): "
++
++ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
++ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
++ -o SASL_CBINDING=$icb > $TESTOUT 2>&1
++
++ RC=$?
++ if test $RC != 0 ; then
++ if test $fail = "no" ; then
++ echo "test failed ($RC)!"
++ kill $KDCPROC
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++ fi
++ elif test $fail = "yes" ; then
++ echo "failed: command succeeded unexpectedly."
++ kill $KDCPROC
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit 1
++ fi
++
++ echo "success"
++ RC=0
++ done
++ done
++fi
++
++
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+--
+2.26.2
+
diff --git a/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch b/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch
new file mode 100644
index 0000000..f8ee932
--- /dev/null
+++ b/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch
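Review bot: The gnutls skip in test077-sasl-gssapi is written `test $WITH_TLS_TYPE == gnutls`, but `==` is not a POSIX `test` operator and every other comparison in these scripts uses `=`; on a POSIX-only /bin/sh such as dash the comparison errors out with a non-zero status, so the `continue` never runs and the tls-unique combinations the comment describes as broken on gnutls are exercised anyway. Change it to `if test $WITH_TLS_TYPE = gnutls ; then`. Two strings could be corrected in the same pass: `skipping channe-binding test` → `skipping channel-binding test`, and the comment `implemantation` → `implementation`. The `$LDAPMODIFY -D cn=config -H $URI1 -w secret < $TESTOUT 2>&1` line followed by LDIF and a bare `EOF` reads like a here-document whose `<< EOF >` redirection was lost in this copy of the patch — as shown the shell would treat the LDIF lines as commands — so it is worth confirming the patch file on disk still carries the heredoc operator.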
@@ -0,0 +1,27 @@
+From 4cac398b19c21ad56949ef7e67e285c6c8e7ecea Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Thu, 23 Apr 2020 22:47:32 +0200
+Subject: [PATCH] ITS#9189 - initialize ldo_sasl_cbinding in
+ LDAP_LDO_SASL_NULLARG
+
+Reported-by: Ryan Tandy @ryan
+---
+ libraries/libldap/ldap-int.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index c6c6891a9..336448115 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -301,7 +301,7 @@ struct ldapoptions {
+ /* SASL Security Properties */
+ struct sasl_security_properties ldo_sasl_secprops;
+ int ldo_sasl_cbinding;
+-#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
++#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0},0
+ #else
+ #define LDAP_LDO_SASL_NULLARG
+ #endif
+--
+2.26.2
+
diff --git a/openldap-cbinding-Make-prototypes-available-where-needed.patch b/openldap-cbinding-Make-prototypes-available-where-needed.patch
new file mode 100644
index 0000000..534b418
--- /dev/null
+++ b/openldap-cbinding-Make-prototypes-available-where-needed.patch
@@ -0,0 +1,64 @@
+NOTE: The patch has been adjusted to match the base code before backporting.
+
+From cd914149a665167b2c5ae16baa0c438824588819 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
+Date: Tue, 19 Feb 2019 10:26:39 +0000
+Subject: [PATCH] Make prototypes available where needed
+
+---
+ libraries/libldap/tls2.c | 3 +++
+ servers/slapd/config.c | 1 +
+ servers/slapd/proto-slap.h | 4 ++++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 1a96b62c3..869de2eb5 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -76,6 +76,9 @@ static oid_name oids[] = {
+ 
+ #ifdef HAVE_TLS
+ 
++LDAP_F(int) ldap_pvt_tls_check_hostname LDAP_P(( LDAP *ld, void *s, const char *name_in ));
++LDAP_F(int) ldap_pvt_tls_get_peercert LDAP_P(( void *s, struct berval *der ));
++
+ void
+ ldap_pvt_tls_ctx_free ( void *c )
+ {
+diff --git a/servers/slapd/config.c b/servers/slapd/config.c
+index 778365fd0..2816455a3 100644
+--- a/servers/slapd/config.c
++++ b/servers/slapd/config.c
+@@ -48,6 +48,7 @@
+ #endif
+ #include "lutil.h"
+ #include "lutil_ldap.h"
++#include "ldif.h"
+ #include "config.h"
+ 
+ #ifdef _WIN32
+diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
+index 4bfdcf930..e33e3b7d9 100644
+--- a/servers/slapd/proto-slap.h
++++ b/servers/slapd/proto-slap.h
+@@ -755,6 +755,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
+ LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
+ slap_bindconf *bc, LDAP *ld ));
+ LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
++LDAP_SLAPD_F (void) slap_client_keepalive LDAP_P(( LDAP *ld, slap_keepalive *sk ));
+ LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb ));
+ LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
+ const char *fname, int lineno, int argc, char **argv ));
+@@ -1683,6 +1684,9 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
+ slap_ssf_t ssf, /* relative strength of external security */
+ struct berval *authid ); /* asserted authenication id */
+ 
++LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
++ struct berval *cbv );
++
+ LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
+ LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
+ 
+-- 
+2.26.2
+
diff --git a/openldap-cbinding-Update-keys-to-RSA-4096.patch b/openldap-cbinding-Update-keys-to-RSA-4096.patch
new file mode 100644
index 0000000..288d7d0
--- /dev/null
+++ b/openldap-cbinding-Update-keys-to-RSA-4096.patch
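Review bot: The two `LDAP_F(int)` prototypes for `ldap_pvt_tls_check_hostname` and `ldap_pvt_tls_get_peercert` are added locally in tls2.c under `#ifdef HAVE_TLS` rather than in a shared header, so they can silently diverge from the definitions and from any other declaration of the same functions. If ldap-int.h or ldap_pvt.h already declares them in this tree, including that header is preferable; otherwise a comment should say why the local copy exists, e.g. `/* local prototypes: not exported by the public headers in this tree */`. The `+#include "ldif.h"` added to config.c has no visible user in the hunk, so a short comment naming the symbol it is needed for would make the dependency traceable. The `NOTE:` at the top of the patch says it was adjusted for the backport, so these may be deliberate differences from upstream.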
@@ -0,0 +1,526 @@ +From 3ab98b2fc98843289c1833891518fb3b5b42dcd8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= +Date: Tue, 30 Oct 2018 15:42:35 +0000 +Subject: [PATCH] Update keys to RSA 4096 + +--- + tests/data/tls/ca/certs/testsuiteCA.crt | 133 ++++++++++++++++-- + tests/data/tls/ca/private/testsuiteCA.key | 64 +++++++-- + .../tls/certs/bjensen@mailgw.example.com.crt | 44 ++++-- + tests/data/tls/certs/localhost.crt | 44 ++++-- + tests/data/tls/conf/openssl.cnf | 2 +- + tests/data/tls/create-crt.sh | 9 +- + .../private/bjensen@mailgw.example.com.key | 64 +++++++-- + tests/data/tls/private/localhost.key | 64 +++++++-- + 8 files changed, 336 insertions(+), 88 deletions(-) + +diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt +index 7458e7461..62c88acca 100644 +--- a/tests/data/tls/ca/certs/testsuiteCA.crt ++++ b/tests/data/tls/ca/certs/testsuiteCA.crt +@@ -1,16 +1,121 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: ++ 0b:43:f8:e9:ee:d3:38:37:92:db:19:65:d9:94:17:cc:70:45:d4:06 ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite ++ Validity ++ Not Before: Oct 30 15:29:02 2018 GMT ++ Not After : Nov 13 15:29:02 2519 GMT ++ Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ RSA Public-Key: (4096 bit) ++ Modulus: ++ 00:be:e0:ff:36:89:65:c0:4e:46:e6:24:e8:3d:81: ++ 97:92:28:4b:11:c6:21:ac:28:14:31:b2:a3:64:24: ++ 62:61:24:bd:76:7b:9e:7c:3a:50:65:fa:97:f3:c5: ++ 9d:49:cc:61:3a:31:6f:0d:a4:d8:70:57:73:c8:c6: ++ 66:06:d0:59:3f:24:3b:56:5d:70:20:e4:51:2b:88: ++ 5e:f4:78:82:bc:55:b5:d5:5b:f6:e5:55:1f:3a:af: ++ 59:9f:b7:5d:72:70:fe:b6:a4:dd:4e:f9:d0:38:e8: ++ 15:14:c7:45:ed:5e:d3:4c:ee:02:34:3a:37:d8:75: ++ f1:49:0d:f6:8a:7b:8c:87:39:c9:fb:f2:3a:96:57: ++ cd:7c:18:a7:bb:35:de:d3:c4:79:57:20:48:07:b9: ++ 
65:f6:bd:7b:01:5c:99:8a:92:35:7c:b7:e3:96:1c: ++ 6f:4c:47:42:c1:77:d6:62:49:0e:be:01:8f:c9:f4: ++ 64:68:4c:b0:ec:10:12:d0:0e:5f:67:0e:e8:a4:bd: ++ df:9c:fb:5b:04:6f:3c:2a:35:1b:5a:ca:98:ba:f3: ++ 61:f4:3a:77:28:be:a3:63:f1:d6:94:0d:fb:a0:87: ++ e3:a5:9f:56:b6:a6:6a:90:13:80:2a:2e:ae:fe:af: ++ aa:e3:e7:d8:3b:2b:a3:52:4f:73:2d:12:aa:e2:a3: ++ 0c:aa:fb:11:40:86:68:de:be:2b:9b:36:19:9c:d7: ++ d7:5e:13:21:c9:b3:34:6d:09:53:ff:a3:2e:92:f4: ++ 33:80:de:7a:47:1c:47:57:68:53:2a:db:73:6e:6d: ++ fa:40:df:55:25:a1:fc:87:c4:86:ef:6e:16:ec:f8: ++ 48:35:f5:96:b3:55:ce:56:a9:6e:c1:8c:ea:32:85: ++ 26:ea:af:0c:92:24:05:e2:49:12:b7:07:8f:06:96: ++ be:13:fa:ec:49:f7:d4:49:6f:b9:c7:6c:79:53:39: ++ a3:89:c4:4a:92:66:b0:f3:0c:72:6d:50:3c:63:1f: ++ f3:76:63:a8:aa:b7:fd:db:ef:98:b4:5b:49:b6:84: ++ 66:e5:fc:60:0b:c1:f7:b0:f7:84:68:7e:71:5d:ac: ++ fc:a9:cb:f6:02:fc:86:d3:a7:c3:42:ef:ba:f4:1a: ++ 27:71:5d:22:f5:53:e1:a6:f4:a5:dc:31:38:45:0b: ++ a1:6d:ab:9c:05:2e:87:8c:31:02:99:80:6d:3f:66: ++ e8:8a:d7:64:4f:08:7e:2f:f0:1f:28:ff:85:57:22: ++ ee:6a:a7:05:72:f8:cf:5d:07:c6:73:23:82:85:82: ++ 76:4e:36:8a:ec:ea:f1:53:1e:e0:77:d1:4a:9f:df: ++ ec:87:91:0a:56:40:b7:23:19:fa:60:14:d0:f0:32: ++ 4d:11:39 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Subject Key Identifier: ++ 90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50 ++ X509v3 Authority Key Identifier: ++ keyid:90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50 ++ ++ X509v3 Basic Constraints: critical ++ CA:TRUE ++ Signature Algorithm: sha256WithRSAEncryption ++ 0f:7f:a0:c5:3c:ac:dc:ed:8f:56:3e:64:89:e6:87:d0:ca:a5: ++ 37:b8:0e:49:aa:93:d3:e5:ac:ff:54:24:91:07:1b:9c:dc:08: ++ e6:cc:15:53:be:85:4c:51:52:d3:88:d0:d8:c7:b7:98:40:41: ++ 8a:a7:7a:4c:96:85:61:8c:98:76:f6:a3:2c:10:31:a1:d8:e6: ++ a7:4c:ec:c3:29:ad:04:8b:e3:f2:2d:4c:30:0d:a4:bc:c8:93: ++ d2:9b:88:1d:a4:25:eb:ff:9f:f2:d9:c5:3b:bf:51:91:71:06: ++ 92:35:96:5c:ca:6d:d6:86:47:63:07:7f:37:35:53:68:e9:4e: ++ 
d0:d0:25:42:18:e0:00:9e:ca:f5:bd:b7:94:ee:99:51:44:3a: ++ 0c:44:40:e3:87:e6:ce:6c:2b:3f:c1:01:6c:5c:32:d5:59:b5: ++ bd:25:a3:1a:ff:85:a5:89:9c:d8:24:4b:fa:59:99:5a:64:ab: ++ a1:d8:0f:c0:19:28:84:1e:89:c2:a1:15:4e:0f:7e:1f:bf:f8: ++ 92:df:9f:1c:d5:4a:98:40:82:ee:41:1f:de:f7:25:11:fd:76: ++ 0a:cf:37:40:bc:c2:2d:6a:ea:4a:0c:6d:b0:e6:75:37:b5:63: ++ a8:a1:c5:81:d0:84:c0:f3:e0:c3:5c:c4:9f:ec:3b:9f:8a:74: ++ ce:f0:cc:e3:e9:15:08:a0:ea:3e:a9:8e:bc:9a:01:00:96:fe: ++ 37:6f:61:b5:2c:4b:1f:5d:d7:24:09:fe:bf:f4:77:47:e4:ee: ++ 7c:ea:6b:67:84:ee:56:4f:5f:b9:b8:e4:db:70:e1:4a:b3:94: ++ 4d:dd:52:45:05:4d:79:d4:7c:8b:9d:9b:6a:0b:73:9e:f3:0e: ++ d5:d5:46:da:b4:fb:4a:ea:5b:ab:8e:42:68:0e:96:cd:8a:6e: ++ 35:a8:e6:1b:6a:ed:a8:9e:3c:cc:3b:44:54:b8:2d:ba:c7:83: ++ 91:7c:70:40:0c:14:b8:21:7a:12:ac:8c:96:4c:94:a6:ee:fe: ++ cc:77:34:8e:e3:c3:c0:44:19:51:85:07:6c:d8:d1:2e:69:8d: ++ b1:0e:42:fb:e6:16:65:86:c6:e3:2f:a7:3f:b4:8e:4f:1c:83: ++ c4:0a:ae:a0:d9:17:fd:cf:a2:38:a1:9f:70:dc:5c:df:3c:07: ++ 7b:64:01:ff:35:8c:45:43:e8:fa:a4:f6:c4:71:78:17:6e:6a: ++ 7f:d1:6e:66:c6:89:33:3b:28:4a:76:bf:ca:29:05:51:07:98: ++ ce:63:62:25:61:7f:5e:c6:91:23:02:13:15:4f:fd:24:58:9d: ++ 2d:ac:eb:cb:9a:c2:82:2f:50:5c:5a:16:bb:8c:bf:4d:66:2c: ++ 6f:1c:c4:a9:28:e1:3d:4d + -----BEGIN CERTIFICATE----- +-MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV +-BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv +-bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0 +-NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB +-MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB +-UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd +-rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb +-lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL +-6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU +-7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB 
+-SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/ +-wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws +-ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q +-aL52EFPS0o3tiAJXS82U2wrQdJ0YEw== ++MIIFjzCCA3egAwIBAgIUC0P46e7TODeS2xll2ZQXzHBF1AYwDQYJKoZIhvcNAQEL ++BQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRwwGgYDVQQKDBNPcGVuTERB ++UCBGb3VuZGF0aW9uMRwwGgYDVQQLDBNPcGVuTERBUCBUZXN0IFN1aXRlMCAXDTE4 ++MTAzMDE1MjkwMloYDzI1MTkxMTEzMTUyOTAyWjBWMQswCQYDVQQGEwJVUzELMAkG ++A1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNVBAsM ++E09wZW5MREFQIFRlc3QgU3VpdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK ++AoICAQC+4P82iWXATkbmJOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfz ++xZ1JzGE6MW8NpNhwV3PIxmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mf ++t11ycP62pN1O+dA46BUUx0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7 ++Nd7TxHlXIEgHuWX2vXsBXJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQ ++Dl9nDuikvd+c+1sEbzwqNRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4Aq ++Lq7+r6rj59g7K6NST3MtEqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S ++9DOA3npHHEdXaFMq23NubfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbq ++rwySJAXiSRK3B48Glr4T+uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iq ++t/3b75i0W0m2hGbl/GALwfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm ++9KXcMThFC6Ftq5wFLoeMMQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8Zz ++I4KFgnZONors6vFTHuB30Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABo1MwUTAd ++BgNVHQ4EFgQUkM9RHegI1Ew0cHFr0gsAaNn9YFAwHwYDVR0jBBgwFoAUkM9RHegI ++1Ew0cHFr0gsAaNn9YFAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC ++AgEAD3+gxTys3O2PVj5kieaH0MqlN7gOSaqT0+Ws/1QkkQcbnNwI5swVU76FTFFS ++04jQ2Me3mEBBiqd6TJaFYYyYdvajLBAxodjmp0zswymtBIvj8i1MMA2kvMiT0puI ++HaQl6/+f8tnFO79RkXEGkjWWXMpt1oZHYwd/NzVTaOlO0NAlQhjgAJ7K9b23lO6Z ++UUQ6DERA44fmzmwrP8EBbFwy1Vm1vSWjGv+FpYmc2CRL+lmZWmSrodgPwBkohB6J ++wqEVTg9+H7/4kt+fHNVKmECC7kEf3vclEf12Cs83QLzCLWrqSgxtsOZ1N7VjqKHF ++gdCEwPPgw1zEn+w7n4p0zvDM4+kVCKDqPqmOvJoBAJb+N29htSxLH13XJAn+v/R3 ++R+TufOprZ4TuVk9fubjk23DhSrOUTd1SRQVNedR8i52bagtznvMO1dVG2rT7Supb 
++q45CaA6WzYpuNajmG2rtqJ48zDtEVLgtuseDkXxwQAwUuCF6EqyMlkyUpu7+zHc0 ++juPDwEQZUYUHbNjRLmmNsQ5C++YWZYbG4y+nP7SOTxyDxAquoNkX/c+iOKGfcNxc ++3zwHe2QB/zWMRUPo+qT2xHF4F25qf9FuZsaJMzsoSna/yikFUQeYzmNiJWF/XsaR ++IwITFU/9JFidLazry5rCgi9QXFoWu4y/TWYsbxzEqSjhPU0= + -----END CERTIFICATE----- +diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key +index 2e14d7033..01a6614c1 100644 +--- a/tests/data/tls/ca/private/testsuiteCA.key ++++ b/tests/data/tls/ca/private/testsuiteCA.key +@@ -1,16 +1,52 @@ + -----BEGIN PRIVATE KEY----- +-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ +-WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc +-338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/ +-dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg +-O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf +-7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn +-rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f +-wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk +-AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l +-vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9 +-27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X +-KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N +-I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL +-+b2qljWeZbGH ++MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC+4P82iWXATkbm ++JOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfzxZ1JzGE6MW8NpNhwV3PI ++xmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mft11ycP62pN1O+dA46BUU ++x0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7Nd7TxHlXIEgHuWX2vXsB ++XJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQDl9nDuikvd+c+1sEbzwq ++NRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4AqLq7+r6rj59g7K6NST3Mt ++Eqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S9DOA3npHHEdXaFMq23Nu ++bfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbqrwySJAXiSRK3B48Glr4T 
+++uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iqt/3b75i0W0m2hGbl/GAL ++wfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm9KXcMThFC6Ftq5wFLoeM ++MQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8ZzI4KFgnZONors6vFTHuB3 ++0Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABAoICAQCVkIdpnE92V9+GBfVT/G9f ++vuLTkoRf+SeZqXgNx9SuebNbW5HblXXZ8nmOMZIFeXfVuVZjQn+1x1CaSZs4S5ki ++uKkmCyEJJN3VVo3Q0XzfRemsvNrA5+oIec2oMG2wdomfY59leqmFbZTXKy3HyT2Y ++Uga4FcYcfo4JyD8eU6DRdJ6oJC10EGiajFchghyPoqvRcSH/q24R4Ha5om1M/zOZ ++/hz+SlmLU2sjXVtGuCgtCdw5Sp5Ce5VF43JaRGjMwAnazEyjHPE8kEx8ZhCBG66B ++DqP6UrV736T3c0/Hww0fxFrENA4mIE/vhNgwNVQ5jDxDSC9ObesTW93Lu4za+Re6 ++pmP1eeS/oe1OcI1d/xK2IIQwzB7ZkJ0StbFLnjs7DATO7BGzhC9egC6s+z9oSgTS ++KvmLyoiL5U4fesVJwcCPKwwkVH9n22TuqmvB5mmvZvRTe2+OgDH55Nkfx1SoI8+Q ++/fwV9UXIIg5en+Kv8lOaWCZujmMsjHC79bwxPLeaePRwD/RBkT1MLW/T4fWGpAt3 ++H89+yufH31Y/1QMxVVtR9OdxCtljiXno/bArMNZ0oE1TiCcckMzdjKh7RNfkEXRM ++Pga92HBTgtJ3tfWJ4qOtJ4NKJPQ7wRmR03Bug8+bGM4K5HDO08fNuag/pP3AQvrM ++QGbHFVho3I7/DXnmRBq/gQKCAQEA75eptBtP8PWnN9uNsQoWxvFKQBtbLfPKUcVP +++LWOWF4ag2YRRf6TIzvGfIk54OGSL/srWCDKjXWJ0NgUn6yiqOkoP4oxEE1m2QDY ++7oCk9vJipJcrtNCKL6NhKwZDOjlDSROb/hBeMgr14Da/WkPE6zQhuwN5y4Japbjs ++cBYTao2uOg4QQz5Aee+ee55L6iAgMT0PnlQtv1uVW3D46e02CrQKtRmtDxqT3Nux ++nudJdz+rMFM0EDgVKUYRwFCa6xjI4y2K1aCwCtJG9yTJpYqCD9hehfwEije6dNNg ++p5RX3M9ai710Yx4F26cwX/t8AxqgF/2XBI0ZWD6x69cp7suPTQKCAQEAy/NUEgXN ++nymq8NK+umZwFJU7cy3weozRuEkmgmCWj4XYhbvTw6MbK+2R9XKa3ilqSd2sU2lX ++qE66kfAgqZMJ9RB+7nDOaLAMUuGw1DrwFZE7r3mKXgc4NgjtmGav4E3URXPHj5zb ++JbbN95zl96Fm3Nevs5p8sb0KexgbzHe4UzJNYFgT0l+TjJbJUAiNPsEw1bnV4cxn ++b1HO2CWTeGtAOJyjMRNwI+40wnk2N6An+Ddvb2mj2h30HujSZHnL94RAqa7RHDb6 ++lU+7JX/ll5G0mFQOFQAs4UPos2bg7hS1mfYO+UVrG4OH9gXns12158WqFED+lhmJ ++O8WDWEVAblVrnQKCAQAB9aOVrYOB3QB5HHqUMBjvl5mb3J1qSswkzxBQYGvBnUNq ++P7N0dxiM+TguXJD0neOsMMmx9tKxRXzTEHFavPa3mvCRVHgCQh/NNoyPps2yl1jn ++L7VTzUDUEuoAiBSUrVM3jcmA0nFyx1QreUcnXdaGde6wsN6WI4LKSDDm2cde37nF ++D8hiRGgSlzscl7bXO1wICw/No7KcFguqq8ndX+tJOx+7S3J25SjAbauOOSYIq6Si 
++yItsdoj1xXTvtbkOoy1BbmXsSVwnOoEKFGrxx6g4qPRc9Cq1Vq9XtULdHAF79NYw ++vmPtS5mQqlVi85OYEuesSo6pot3KMvkRjLjzEwchAoIBACEvrvZfy12iwhX9tNtP ++39z5i3rqdr76OwXpoUKFxPoFpX3dWk/zMnCrb5yo0VplEs6CK5BHC+RvKxykHix5 ++qJ0f2geig3O1ccvqvYNLM9XOlA+xjzpNom/odADgdK3i/C9w74AG3gH9BPbNqP3q ++XXqB/i0Tbkbdo97zxVI4CN5AySZsLo2Ez9WIk6laOuGDPhcI7iyXvhz3CtlRA/YM ++PZ74nfVWXGD8WclrP889WEOjgZZ3choD1b1R1SpUR0Q3WO5Da/NTXuL83k7zyMAp ++DWHcC46PQL5G9o56pw8Wf5ZV24nkKdGITY9S1qjxDrBwEYTKLqLt9M6tDPpICnvp ++mmECggEBALfnUgpdGugn46UmQUMI1y+NZbSKhJHG+OBWdcc1j4kDZhF/Ei7g8pvk ++hFU5p/YA6JbGioZxiqjdrYLvgTPnJVkxy7arLTN2j2GVlhUA74BY+kNzENk2Tj9c ++zJSMVZn+WZrXNQhfYyA3FyW3wGN67GBXAHPQxFTdU3G4mR1WcyJCxKIyzP+2M8o9 ++16tpb80QRnc0OLm9Izppe7JUp2hCQt+O6E8izvLE8k2ldOr5ncTNWlxTJ0yx0hEO ++WTFqhwOM1pEmtxas1gLr8MX0hNsaQR+kjG2f8rPmH+GEZeeAwuhoJY1PcKAOYM5Y ++yu/1yFXYTrmhD/P0+nJn1DfS5JljCJY= + -----END PRIVATE KEY----- +diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt +index 93e3a0d39..eb0fc693f 100644 +--- a/tests/data/tls/certs/bjensen@mailgw.example.com.crt ++++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt +@@ -1,16 +1,32 @@ + -----BEGIN CERTIFICATE----- +-MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL +-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV +-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx +-ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV +-BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD +-VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa +-YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A +-MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg +-QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU +-U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL +-MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn +-wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f 
+-7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo +-4DnnYQBDnq48VORVX94= ++MIIFfDCCA2SgAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL ++MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV ++BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNzQwWhgPMjUxOTEx ++MTMxNTM3NDBaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNVBAoM ++E09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYDVQQD ++DBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYaYmpl ++bnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw ++ggIKAoICAQCcHBkHcUSKG4s7nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA ++7qkZvMJR8ws2u8TQU/18FhH4+0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWg ++qPYe/K3bAtSRtF7wDxF77eb2Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38 ++kpIB5WENCEy77QK9GEGAlMVIRXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nN ++LxTdLe1qbZyRgEqRKgW5WcWrW46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yIms ++CbzlSRLC1dfj++2mzCMxoc3xpZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvR ++X9uQOnXnazQvlRfsaHQjGUKyhMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzL ++twWkESVDU0tNg/czWLn56smV7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjI ++LQuEBssrV1h8WblruWRU31Mn+mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5ui ++cNcYTXCfa5ZpPL608f7cWuG2GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4 ++yPXHATrCtYO1wqIyu9Yuirdg7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABow0w ++CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCq8VvpcoAgCK/D5yi/2puB ++LD7kYaVaSXxrUQBeLTmKERw3akpgW7QTGCNgM425VVaBQRPtv8YcX9OycUAylAA+ ++7lzwdP95OJGnUOjQY4x4iRAwCPkpDCcnwc43c3WAyQb2S46aZJaWK4S0+RM3CmWH ++1Fzb6aODdnoBEKk0XgNrB6/teB+UWgtTSxWiY/HWiArDaZDPMAxqEK0hnB+b/sBD ++ZoBYnfnQXezylqbk9vkzTIbSVrv5ZZdQELOAnPuxUCFpYew1OGKcg+1twYKDHgBS ++s13zN03eMEnC/O4Z01dhu16vqdikdP+tJJrppjvZtJys0KIP24ltDnpA6h/3m/Cl ++U1eiTDgWO+SsfiL1K4gcTL1eLjnCBFfnHN5gfgAV5w5DaKzvKp7Qu8db4DtH+S4o ++W/MBKuaHHKWUPGksvFUiGNgE/XyDU4MK34/5ulzbrWmqb24pYAzm1MyjsdzmXObw +++fzg6EDBB14cWA2hA7mSqnzkiW1pELVym6+uTaIlopSIFr8nNAimwLiY5QJNGYvd ++hgNNvOyUUO+nON3aHsC/rRMgar3eo7A9AkQJ6qKVvPR2h1317PJLuKaLfjbaCzNw 
++iA3JSQjcwR2ydlSgKKN2d/XXm/G4PZ9tUcBY4Zngn0ViT0/m7MFy9qsiWG97+yaZ ++nYsN5WfwDZrtG24dTotxVQ== + -----END CERTIFICATE----- +diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt +index 194cb119d..3aeae3c16 100644 +--- a/tests/data/tls/certs/localhost.crt ++++ b/tests/data/tls/certs/localhost.crt +@@ -1,16 +1,32 @@ + -----BEGIN CERTIFICATE----- +-MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL +-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV +-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx +-ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE +-CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT +-dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB +-iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4 +-7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv +-8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ +-BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A +-AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG +-8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl +-0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR +-GjeZB1FxqDGHjxBq2O828iejw28bSz4= ++MIIFhTCCA22gAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL ++MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV ++BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNjMwWhgPMjUxOTEx ++MTMxNTM2MzBaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwT ++T3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBTdWl0 ++ZTESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC ++CgKCAgEA6Ud89ugah2oWY00q1g+M6NkpluewwvGq4tkMau1gq+Q5Biv61bubgdSA ++Z+Zkkxe3Sx0Zv7i5wldIN4wXqEDlMg2qhfzKDSNKUofc0z7FLMb0Cn46WqlciUCY ++VetHhBghGd+6fxOOz+x98FhiiAif+AdiUWBTKFFohWXo/9aiGgm0ueJj2NS3Eyac ++xOKoTcDd9TMsOJ2fMH2MlquArLobCvuphOrVbqBoeeol2SzFDDOW8ryPDzFGy5xh 
++ZHkm/3sGIoDpDkDR0yhvBzn47qdLI5myc6Fj96s7S2xgqiqGXJW0D0FCfpUQXxfm ++ahz/Jdwl+hqs5Eg/aA+LE/7lmS7szo3zwJQ53ApdcaupHi4fU60wPVrdo29wLwDO ++hDuS+Oc1os1UyJt0T0a+zB4PIP2rxifyxI1iWmZFt7tJyLv1k7yMN7CLCWzsSy5P ++BZpGmHV9Wbvb660N6NzlFDMqnjJWDAr1BLoV4ywmpiWPhy/7JtKXFe1V3jT5MvGM ++26IOC+zCwwZVyEIIASeWepZDuto00Lqo7jOKSlLRmuhTX1ELK8xYX6ZU/fz0FwYn ++bLu6bI4mRGfbJ12fWYm5QMje2QAuvndfi759HUeuLl6TgmeQFgqFA/6Kkwoz0Ncb ++Kaaj+ByvLXfI4S3lvkwT26nOAt966fb1bsdkb8P52NdkqeSMk5cCAwEAAaNIMEYw ++CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/ ++AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4ICAQCGQCs10hwY ++t5o3AWjU8oT8HWnLDsEzIvI/Z2dvtsFSOFotH14d8a7CdCKNiry8BbQ82A4sG/Xw ++0aVdP1EscxGhpJuMHG4Ph9PZBm31ZW2VoRHOEs7/Moi6G/1yldVxWUH/qXO00Dw9 ++cEsiUQdPrPQDoVBKYAMuV15RP9b3iPpw3GY1EkIu+akGVziHFmFYUoU2gctiGIZ6 ++6KiqBFvCP1Yvm3RSZ5t/Kv/jPMetAnCq+9JAUAodAh2+goBvUCAN9Itr/tEs98jq ++9d14J7gzIRDdNHKOLrRFmoMrTaDZNtqBe5jiMf0O55tgjv4BqN4w11M51bjY4umd ++GX+OXoBJG+MK7AZyaHPjHa1NMoLDOUhTvHb4zPNkPiVb8r3lYkQ4VCtre+4qqrEn ++cEt9KWGpHkoz4GSKn6uidQebdi4waexcGttsHbKPaKZqzYXAJ2bjFZnv85zPtpjO ++qxzqrMUruiCU7EfjGAdZ8S0lwjdMihznLATjKuwQkJ2mVg2HbLgxZu578FHTBOHW ++LjVIr/80auF4Ino9ocHpIwL/E4jpYQWP/Uv4KBHwkAktmUOwqyt0iysRaWy4Gp7S ++keBI9FoGtJ1Mq5M2tVINBzt1ESC3t03KqyY+/9r/IeY7A7yukC0YJnJ+HorfuQFf ++0//7DOEA58bRswyWTLOAjYMJHilTKOozSQ== + -----END CERTIFICATE----- +diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf +index a3c8ad9f6..632cff11c 100644 +--- a/tests/data/tls/conf/openssl.cnf ++++ b/tests/data/tls/conf/openssl.cnf +@@ -51,7 +51,7 @@ commonName = supplied + emailAddress = optional + + [ req ] +-default_bits = 2048 ++default_bits = @KEY_BITS@ + default_keyfile = privkey.pem + distinguished_name = req_distinguished_name + attributes = req_attributes +diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh +index 8c33a24fe..739f8eaf1 100755 +--- a/tests/data/tls/create-crt.sh ++++ b/tests/data/tls/create-crt.sh +@@ -5,6 +5,9 @@ if [ x"$openssl" = "x" ]; then 
+ echo "OpenSSL command line binary not found, skipping..." + fi + ++KEY_BITS=4096 ++KEY_TYPE=rsa:$KEY_BITS ++ + USAGE="$0 [-s] [-u ]" + SERVER=0 + USER=0 +@@ -45,13 +48,13 @@ echo "00" > cruft/serial + touch cruft/index.txt + touch cruft/index.txt.attr + hn=$(hostname -f) +-sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf > ./openssl.cnf ++sed -e "s;@HOSTNAME@;$hn;" -e "s;@KEY_BITS@;$KEY_BITS;" conf/openssl.cnf > ./openssl.cnf + + if [ $SERVER = 1 ]; then + rm -rf private/localhost.key certs/localhost.crt + + $openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \ +- -newkey rsa:1024 -config ./openssl.cnf \ ++ -newkey $KEY_TYPE -config ./openssl.cnf \ + -subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \ + -batch > /dev/null 2>&1 + +@@ -66,7 +69,7 @@ if [ $USER = 1 ]; then + rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr + + $openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \ +- -newkey rsa:1024 -config ./openssl.cnf \ ++ -newkey $KEY_TYPE -config ./openssl.cnf \ + -subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \ + -batch >/dev/null 2>&1 + +diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.key +index 5f4625fd7..e30e11586 100644 +--- a/tests/data/tls/private/bjensen@mailgw.example.com.key ++++ b/tests/data/tls/private/bjensen@mailgw.example.com.key +@@ -1,16 +1,52 @@ + -----BEGIN PRIVATE KEY----- +-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2 +-xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4 +-9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z +-yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r +-oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e +-nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg +-xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra 
+-EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd +-9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/ +-pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI +-tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ +-3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D +-tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg +-36Ixj3L+5H18 ++MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCcHBkHcUSKG4s7 ++nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA7qkZvMJR8ws2u8TQU/18FhH4 +++0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWgqPYe/K3bAtSRtF7wDxF77eb2 ++Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38kpIB5WENCEy77QK9GEGAlMVI ++RXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nNLxTdLe1qbZyRgEqRKgW5WcWr ++W46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yImsCbzlSRLC1dfj++2mzCMxoc3x ++pZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvRX9uQOnXnazQvlRfsaHQjGUKy ++hMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzLtwWkESVDU0tNg/czWLn56smV ++7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjILQuEBssrV1h8WblruWRU31Mn +++mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5uicNcYTXCfa5ZpPL608f7cWuG2 ++GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4yPXHATrCtYO1wqIyu9Yuirdg ++7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABAoICAQCWY/s40EXXRvG7XBGKe1Sn ++MZGGllyduVVQMFzJIkOsnkDKKuTY+dZlP4Zo5Q/PIvWKpRnWGRP6lsh5tJkukiHd ++jk4VvJk4AzS7mNhkRyYy3ZW3ulB5NpsXS67P610RwIhIVhuf6ORPH8GBW9lRxwoL ++1v4WpGjbywHkKQvR0Sp7lVGULuwnM0dSK2G9sdztUTGbWZlp0hRIawojtcrRt2ft ++Liyy4hooWMmAFS3wu1y3fHSNn5kEFpfis5jF+5jdDvvmsFElx/X7uiBUFMAV2vry ++wu2mceibiGjnq7Nn6I7fhgKzGnkgzzDSLA9uVBde2+RAHlO0fLTq+5YLVhe0pNBM ++J1Y0soNaO3XfVV6Vnyz8X+ruHItW2OBF9AYhIlXq/6d3MMX51BEM6odEtsi8zFgo ++ENN0GAXoyoofg+IvzPiVU2Ud7s4pAlK473d7sAQEeiFWaj7iwueAgofSUFRz7E/H ++umdhytKiJXqcjJ9O2k4sBsmQoPIB++LlUPRIlZY9UvTFxLbd/ifFUv5fqa6z0IX6 ++wkIzXmRHhG+ETk1IZBJAAho7iyyYOTP+JnnToUAMWoUaZUO2bzaZfQha8Z3KVtG/ ++PJUfHClBXqvFNaAUvA9Df3JoJddJ4pO1g0QjS/dp4C2KwNkH4oqMJctvCersoPWu ++5DYiWY6KR4GjokJ1lBeWAQKCAQEAzSKa+m2C4ANNCJB9tcKYDbYIdibCpzO+k1Fb 
++gZUtNi9dEE0Po8rMG0jthm+GKJjNjiG5idSUMo+WNEGBPkELueex81AlEpOqQ6/9 ++67cyjAsF/FvgkWOpKJnGOySF/TpK4kPGYyS3ICvs1KNE5HEywHyC4C/MD8N9Z5tX ++/DfW6sBM/wPipE9YDpKfAg3fDG9YJN/gJZ8TlZVqzzw75rKGcMeLc8f0mbMo+KWQ ++VKV4vrgz1eiVrHc5VeGUaXe1Yei5El671wAdtFdmm51A2fWd80fPlQdqfAwpX7x4 ++FWuo9z2QX70rM/NTWfk4nQ6ZFEHxtm++OiTfh7RwauI8fxye6QKCAQEAwtF/tOth ++UgHrohB2DCE9gA0rxkynJHK9/SXSd0KBjERO2i41iuC9YlJT/NpNz9fM7l+L02aP ++wWLMqyC7moNmIpJMY2xBGU0EowQ/3xsSNo3u/fvOS4MyGLKENUPMFgO0J7yopiqt ++Ea31TcrFSTMSmFZCv8cGt38EwS6sdJZd/RB+h3yxesit8pouwpfbtLPx6LSGkPHY ++5nNVPgbt6xaxZJ/1kNbLFObSoZ3lzWBwp93dQh/WqeeeI51LGdM1G6fTL8HrmGFJ ++EX0AKpexFVnG/GROJc8taWtMbk9W5oK30JqR7hpSaluYbonpr9k4WQA+EAZjXfcJ ++0V0AMsMUhGtvFwKCAQAQZf7LnCuFKt5im+JgwFCVcALXJxwSb7GBZ1SQVFOL7Fdd ++MTvZ1SFh4P+T6qBn6GcuQIXrfcHnFNFmFgJ17o84akwwbiy4gnNu+8epqzhwN4Vf +++hxGoxfntftByRao+pr34YEfddTpznkdOnwMYvwypQF1WHzQmckRmjp7YB9fHsZI ++8I+SoQEiERiC+oblIJWERR1PBJt1Lr+eF2uWcpkKtPjx5X8pNkhFMD8MdTnkzSbf ++p7snUVSVB/ZsQ/SNAiShUk9jzY+SVhZOxFBl3BunUgtHF5OsnPBFxfQ3iia0tQgw ++jxfADGiSXbjn3T3hf7AJ7H7heQchewwtjy5U3v3ZAoIBAQCEAyRPe0SKJoT+X7su ++QwQClmo4SE7mUt5NAOkaKTXRz6PDEpbzkZCjZHhHGcKqeWgDizkbuh7lg0Z/G4Ik ++lK+L86jRolSGiXr/3+xMCXMRBqKQ9qV24+L5e1Y9JcDQlhfo6V06pCZ8mW1lFmcT ++UAlksucuPvZdNzQIl9ECe7YauqeStbsqIXxFrZbMA808KMde0Z1x8H/ywOpdSqLD ++r6/rKL1lNTeN5U+Ldox228fa6Gt62EpE/Y9aQMbYLBeLsvBXJ0e3DQ1PTW3kbr/v ++YNOGyY1u73GtQqkbAqY3MxLNxz/loW6BZanoFYoFv+L/5Dsp7ro8vR6pASUWQLzR ++cl9nAoIBAQCre87G76UXv6FIggT+cKM9MKS69KIE3mzNTYUo90L74vF65hJqlaIa ++mfEcPpEU+UY+ufZSIHtTDBj/9Rswaf5whJY7RfL42pSGnW2YOMpuwDIKAEvcJedu ++kZhbthBin4pa28X6L5sNxug+7Wykgesd48PmMLG4pTF+D9u7SgO37Ew5UzylPWNi ++Lrv9TlX1vv9rNFh/hOCA93DNrJlNNPltIcMDByVVjrq31QmxMJwE7cdvl1V7eoiO ++NQuGuGyFIEKPtl9dEUaA4SGYZ7fUqPZaZuzzM0Xa5UMpdcIzcuYYNn3G6FvV6vwU ++dH+lv5X1bTB18GK88ANpC2qLCKRJPCTx + -----END PRIVATE KEY----- +diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key +index 8a24f69f8..99cb512c4 100644 +--- a/tests/data/tls/private/localhost.key ++++ 
b/tests/data/tls/private/localhost.key +@@ -1,16 +1,52 @@ + -----BEGIN PRIVATE KEY----- +-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg +-ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM +-w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM +-brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij +-Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf +-2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ +-bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q +-1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf +-3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U +-VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7 +-TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b +-iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP +-5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3 +-b61hkjQZfbEg5cg= ++MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDpR3z26BqHahZj ++TSrWD4zo2SmW57DC8ari2Qxq7WCr5DkGK/rVu5uB1IBn5mSTF7dLHRm/uLnCV0g3 ++jBeoQOUyDaqF/MoNI0pSh9zTPsUsxvQKfjpaqVyJQJhV60eEGCEZ37p/E47P7H3w ++WGKICJ/4B2JRYFMoUWiFZej/1qIaCbS54mPY1LcTJpzE4qhNwN31Myw4nZ8wfYyW ++q4CsuhsK+6mE6tVuoGh56iXZLMUMM5byvI8PMUbLnGFkeSb/ewYigOkOQNHTKG8H ++Ofjup0sjmbJzoWP3qztLbGCqKoZclbQPQUJ+lRBfF+ZqHP8l3CX6GqzkSD9oD4sT ++/uWZLuzOjfPAlDncCl1xq6keLh9TrTA9Wt2jb3AvAM6EO5L45zWizVTIm3RPRr7M ++Hg8g/avGJ/LEjWJaZkW3u0nIu/WTvIw3sIsJbOxLLk8FmkaYdX1Zu9vrrQ3o3OUU ++MyqeMlYMCvUEuhXjLCamJY+HL/sm0pcV7VXeNPky8Yzbog4L7MLDBlXIQggBJ5Z6 ++lkO62jTQuqjuM4pKUtGa6FNfUQsrzFhfplT9/PQXBidsu7psjiZEZ9snXZ9ZiblA ++yN7ZAC6+d1+Lvn0dR64uXpOCZ5AWCoUD/oqTCjPQ1xsppqP4HK8td8jhLeW+TBPb ++qc4C33rp9vVux2Rvw/nY12Sp5IyTlwIDAQABAoICADh1+wLvjmwz+xMxvCpvPRWm ++afCCR0AHqeqZye2fYoR4Cm05+837SFoWCrYbB0CqvsxJUNAcb6lf4rS/DYLFojOJ ++JzqiwmyHnBd5lrLyQFrkFHDtuEX1M9ZscfJprbeE944BnmvfWfNtM9YWLlLqc31e ++nCdB/x6FBZ0z2z8Avd87dih/aNc0NNNHxy3IBiA7i/0q04soaz0bRgm5nL0xlhYE 
++bzUieWH7JQ5M47g6o76eReyeQqnUrWPeh5v/zraLGiMDvGScv6wx3x2KpHtutjr5 ++mj1uVHm/UeyhYIwPGtIR0bDXhLaKcZnyeOw59G8/Z1mvVyUxb1dKW8kNKpj2yI2H ++Y1SjhW5qaOeaDPxAPqVyo6SUQIzOn6SD0l7aGyOyvYULjiw342HQYU4rQeSPOtjt +++NYMirnT7WNnmoSIsXx7nwUe38EWx5gCHy8taF4aZr5K85yZKnmsiX3vX/hH30yc ++GLOnDDa3b0FE2J2eYos14ru8RTqSLSxclr5Ru2yTdwLgE0gg+iygO1/tYYkqxZ09 ++j+METJpg4wv+cQUG/BxysISqNjaPSPHdyJeTMzC8B+PUUpbRoBuvLLokkZ9P95nG ++72TFklEOB0m0VMxrEfev0HGSzkQm92s2Bf41TRaHTPSkg+G1s0haZTNqRVTGPrr/ ++eyiz0qH2bgDeubJ3VuTBAoIBAQD9N+KeKo+hRWeV/I6BCBOfMeQOqlqIxYfYAxU+ ++CuutILbTnGKFMTAx43syh/a5EV7q4yM81RCXKK/Lmja2OIeYJUb88bC/h0x/gq5W ++LLxHbKgFDUDF2VcWShMqDOo8J8FbzWwb9bOOShqASoR6FacJuOqlFvS8gaswZtiW ++fOvlWRKO2ybULgQctX5gOf1ctuab1VrzuHnNB30gVFc95Dg1b6RiyVAa8AFm6gs9 ++6Rewk527+4T5Ho5UXvdsTVJsAhzJgVjPSyF2Vc1CRrp8lIffsg5Prb4w8kvB0i64 ++09zn+jAfVRpjdGWqMI7BR1pCdheGMqv006ZVYY+QhcBIb0BHAoIBAQDr14d5PPDv ++pCjlJnCKNzX2irU6bdIY+zvXoemj/cYvHqQbPOe/kaCWFNPMxANKMmZSTdSM7qqR ++s0P1RW/R7moWNSesYwW+2Jp2hIhiWmy+E+ksXeTlFwVpuMHSDPS/N61N8XgmT3pI ++Qngl1hgxGbttniKEwI+Nc7Z3FYDDCp206nmC5y33D+ZYHv1L3e33pyqHdHD/uIeU ++57OPr7Mmd/J6pmClh1dqyZwVBClc2V6w0y2G8Lk1v79wOMrn+4/p9KH2BgkFe2gr ++uB8TOLlUhttQ8VfzXCd+Zi9s3oW0h7Vkvt4kDlJm0MrnMmK0aqgKB+7XkKE0ccVQ ++xSodzbBdDYoxAoIBAH2qGmD8JkOWug2JRP9sDrDWhaNxj3SI8x2Uiho8OTG2JoVl +++s621oArsJwnNZ4qrLxM9NPfuVgK7RNR+Qz9iO1MsqodF+Y1MxWkuPgzQ0z+83Nu ++XFLTxZBeOpyHxEcOQ7tXeut1SCK5S+WXFZ+w1zDQAELl3ZcfkuF2aM5mOHuddMRI ++pkBuhcPpnkoK/V3htxhnDbgeOPQzXzmIIbOpauu5+A6+cW6s5UU5qVKUNxl+aK09 ++6YPoUiI07v1kch7//WFTO8vEMVsUwcS+bRYecD/nkYqhYt3PoSETOfSnz92gH/ms ++tmfdAAcyCeaJjpWlHY+P3h6mWsnMnP7QIdjQvUkCggEAGFkiBWRDQ5phFndHex2E ++FrXvS972p9mYLgTrSCD1CvxQ2PcKvf5c4+G2lBdQd6KIacrbPMmPFoe5ZmMKzlOc ++5DoMpIF8oF1gZQf9xJmtTFpl4ky3Sud7iZSnffYUdoFbBQb+7oWaDEfAe7eEu9z6 ++OrDuw2HV8DaYCedQadJ4warLbLZNSop7r3FTmTeKT90USPO+jsgQR1E8eoMbLceI ++Yx02MSCt57p0wL6zPoC6g+rpclr75A6txvo2CIkyLGczKWEqIUTCVnEl1CgxCgb6 ++MXsZJ2jGMwh9sPGwQBkaoxIJgRNxcmfv6rqK8jFos9Bp2ht2aSGty07vsDACGzlA 
++oQKCAQEA8PzgkyGYHs2DwNhmv3j5ZFaP0RukwbdChSoxmbC9JP2JJxxYcnww5jYH ++xeM1bahqkdKyG5iDRiYB74EolZUMA3Zny13R4HWxNe4aUZW1H8mdmhllXX90aUOU ++WEvF2yYZbg9CQIq7zQh8HsF/S8sDTsXoZOx30zrPgb44spWKRmxdwUJt944weXvc ++p5XkLvVzBVJ+RD5IgPTBFl1iCkw3eq01CFcbTdfe9cS8V9IgDy0Jq2GvRE3Y2JS6 ++xqtBB1MgZvrUoAZ8jPacRRXddg87Hwgs9+R1jaE+ZYixojOFg+JnQOGkUd9FhJAW ++bcnWV4XIPIMbouL4132Ove+GukJlPA== + -----END PRIVATE KEY----- +-- +2.26.2 + diff --git a/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch b/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch new file mode 100644 index 0000000..323d531 --- /dev/null +++ b/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch 
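Review bot: `KEY_BITS=4096` in create-crt.sh is a fixed assignment, so the size the new fixtures were generated with cannot be overridden when someone has to regenerate them; `KEY_BITS=${KEY_BITS:-4096}` keeps the default while allowing a one-off `KEY_BITS=2048 ./create-crt.sh`. The regenerated CA is valid until 2519 (`Not After : Nov 13 15:29:02 2519 GMT`) and its private key is committed next to the certificate, which is appropriate for a self-contained test suite but is not stated anywhere in the script; a header comment such as `# Generates the test-suite-only CA and leaf keys (private keys are committed); tests trust the CA only via an explicit tls_cacert / TLSCACertificateFile path under tests/data/tls.` would make the intent clear. The new assignments sit after the `$openssl` check, which only prints "skipping..." without exiting, so a missing openssl still reaches the `$openssl req` calls; that is pre-existing behaviour the new lines do not change.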
@@ -0,0 +1,487 @@ +From 8e3e85e329f5cbd989936b0df8a0ac06906a4824 Mon Sep 17 00:00:00 2001 +From: Isaac Boukris +Date: Tue, 14 Apr 2020 16:19:05 +0300 +Subject: [PATCH] auth: add SASL/GSSAPI tests + +--- + tests/data/krb5.conf | 32 ++++++ + tests/data/slapd-sasl-gssapi.conf | 65 ++++++++++++ + tests/scripts/conf.sh | 3 + + tests/scripts/defines.sh | 5 + + tests/scripts/setup_kdc.sh | 144 +++++++++++++++++++++++++++ + tests/scripts/test077-sasl-gssapi | 159 ++++++++++++++++++++++++++++++ + 6 files changed, 408 insertions(+) + create mode 100644 tests/data/krb5.conf + create mode 100644 tests/data/slapd-sasl-gssapi.conf + create mode 100755 tests/scripts/setup_kdc.sh + create mode 100755 tests/scripts/test077-sasl-gssapi + +diff --git a/tests/data/krb5.conf b/tests/data/krb5.conf +new file mode 100644 +index 000000000..739113742 +--- /dev/null ++++ b/tests/data/krb5.conf +@@ -0,0 +1,32 @@ ++[libdefaults] ++ default_realm = @KRB5REALM@ ++ dns_lookup_realm = false ++ dns_lookup_kdc = false ++ default_ccache_name = FILE://@TESTDIR@/ccache ++ #udp_preference_limit = 1 ++[realms] ++ @KRB5REALM@ = { ++ kdc = @KDCHOST@:@KDCPORT@ ++ acl_file = @TESTDIR@/kadm.acl ++ database_name = @TESTDIR@/kdc.db ++ key_stash_file = @TESTDIR@/kdc.stash ++ } ++[kdcdefaults] ++ kdc_ports = @KDCPORT@ ++ kdc_tcp_ports = @KDCPORT@ ++[logging] ++ kdc = FILE:@TESTDIR@/kdc.log ++ admin_server = FILE:@TESTDIR@/kadm.log ++ default = FILE:@TESTDIR@/krb5.log ++ ++#Heimdal ++[kdc] ++ database = { ++ dbname = @TESTDIR@/kdc.db ++ realm = @KRB5REALM@ ++ mkey_file = @TESTDIR@/kdc.stash ++ log_file = @TESTDIR@/kdc.log ++ acl_file = @TESTDIR@/kadm.acl ++ } ++[hdb] ++ db-dir = @TESTDIR@ +diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf +new file mode 100644 +index 000000000..611fc7097 +--- /dev/null ++++ b/tests/data/slapd-sasl-gssapi.conf +@@ -0,0 +1,65 @@ ++# stand-alone slapd config -- for testing (with indexing) ++# $OpenLDAP$ ++## This work is part of OpenLDAP Software . 
++## ++## Copyright 1998-2020 The OpenLDAP Foundation. ++## All rights reserved. ++## ++## Redistribution and use in source and binary forms, with or without ++## modification, are permitted only as authorized by the OpenLDAP ++## Public License. ++## ++## A copy of this license is available in the file LICENSE in the ++## top-level directory of the distribution or, alternatively, at ++## . ++ ++# ++include @SCHEMADIR@/core.schema ++include @SCHEMADIR@/cosine.schema ++# ++include @SCHEMADIR@/corba.schema ++include @SCHEMADIR@/java.schema ++include @SCHEMADIR@/inetorgperson.schema ++include @SCHEMADIR@/misc.schema ++include @SCHEMADIR@/nis.schema ++include @SCHEMADIR@/openldap.schema ++# ++include @SCHEMADIR@/duaconf.schema ++include @SCHEMADIR@/dyngroup.schema ++ ++# ++pidfile @TESTDIR@/slapd.1.pid ++argsfile @TESTDIR@/slapd.1.args ++ ++# SSL configuration ++TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt ++TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key ++TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt ++ ++# ++rootdse @DATADIR@/rootdse.ldif ++ ++#mod#modulepath ../servers/slapd/back-@BACKEND@/ ++#mod#moduleload back_@BACKEND@.la ++#monitormod#modulepath ../servers/slapd/back-monitor/ ++#monitormod#moduleload back_monitor.la ++ ++ ++####################################################################### ++# database definitions ++####################################################################### ++ ++database @BACKEND@ ++suffix "dc=example,dc=com" ++rootdn "cn=Manager,dc=example,dc=com" ++rootpw secret ++#~null~#directory @TESTDIR@/db.1.a ++#indexdb#index objectClass eq ++#indexdb#index mail eq ++#ndb#dbname db_1_a ++#ndb#include @DATADIR@/ndb.conf ++ ++#monitor#database monitor ++ ++sasl-realm @KRB5REALM@ ++sasl-host localhost +diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh +index b0393865d..c9e1a4b0a 100755 +--- a/tests/scripts/conf.sh ++++ b/tests/scripts/conf.sh +@@ -99,4 +99,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \ + 
-e "s;@TESTWD@;${TESTWD};" \ + -e "s;@DATADIR@;${DATADIR};" \ + -e "s;@SCHEMADIR@;${SCHEMADIR};" \ ++ -e "s;@KRB5REALM@;${KRB5REALM};" \ ++ -e "s;@KDCHOST@;${KDCHOST};" \ ++ -e "s;@KDCPORT@;${KDCPORT};" \ + -e "/^#/d" +diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh +index 1d6c2b3f1..ccb2e5b41 100755 +--- a/tests/scripts/defines.sh ++++ b/tests/scripts/defines.sh +@@ -114,6 +114,7 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf + SCHEMACONF=$DATADIR/slapd-schema.conf + TLSCONF=$DATADIR/slapd-tls.conf + TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf ++SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf + GLUECONF=$DATADIR/slapd-glue.conf + REFINTCONF=$DATADIR/slapd-refint.conf + RETCODECONF=$DATADIR/slapd-retcode.conf +@@ -223,6 +224,7 @@ PORT3=`expr $BASEPORT + 3` + PORT4=`expr $BASEPORT + 4` + PORT5=`expr $BASEPORT + 5` + PORT6=`expr $BASEPORT + 6` ++KDCPORT=`expr $BASEPORT + 7` + URI1="ldap://${LOCALHOST}:$PORT1/" + URIP1="ldap://${LOCALIP}:$PORT1/" + URI2="ldap://${LOCALHOST}:$PORT2/" +@@ -248,6 +250,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/" + SURI6="ldaps://${LOCALHOST}:$PORT6/" + SURIP6="ldaps://${LOCALIP}:$PORT6/" + ++KRB5REALM="K5.REALM" ++KDCHOST=$LOCALHOST ++ + # LDIF + LDIF=$DATADIR/test.ldif + LDIFADD1=$DATADIR/do_add.1 +diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh +new file mode 100755 +index 000000000..1cb784075 +--- /dev/null ++++ b/tests/scripts/setup_kdc.sh +@@ -0,0 +1,144 @@ ++#! /bin/sh ++# $OpenLDAP$ ++## This work is part of OpenLDAP Software . ++## ++## Copyright 1998-2020 The OpenLDAP Foundation. ++## All rights reserved. ++## ++## Redistribution and use in source and binary forms, with or without ++## modification, are permitted only as authorized by the OpenLDAP ++## Public License. ++## ++## A copy of this license is available in the file LICENSE in the ++## top-level directory of the distribution or, alternatively, at ++## . 
++ ++export KRB5_TRACE=$TESTDIR/k5_trace ++export KRB5_CONFIG=$TESTDIR/krb5.conf ++export KRB5_KDC_PROFILE=$KRB5_CONFIG ++export KRB5_KTNAME=$TESTDIR/server.kt ++export KRB5_CLIENT_KTNAME=$TESTDIR/client.kt ++export KRB5CCNAME=$TESTDIR/client.ccache ++ ++KDCLOG=$TESTDIR/setup_kdc.log ++KSERVICE=ldap/$LOCALHOST ++KUSER=kuser ++ ++. $CONFFILTER < $DATADIR/krb5.conf > $KRB5_CONFIG ++ ++PATH=${PATH}:/usr/lib/heimdal-servers:/usr/sbin:/usr/local/sbin ++ ++echo "Trying Heimdal KDC..." ++ ++kdc --version 2>&1 | grep Heimdal > $KDCLOG 2>&1 ++RC=$? ++if test $RC = 0 ; then ++ ++ kstash --random-key > $KDCLOG 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "Heimdal: kstash failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ flags="--realm-max-ticket-life=1h --realm-max-renewable-life=1h" ++ kadmin -l init $flags $KRB5REALM > $KDCLOG 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "Heimdal: kadmin init failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ kadmin -l add --random-key --use-defaults $KSERVICE > $KDCLOG 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "Heimdal: kadmin add failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ kadmin -l ext -k $KRB5_KTNAME $KSERVICE > $KDCLOG 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ kadmin -l add --random-key --use-defaults $KUSER > $KDCLOG 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "Heimdal: kadmin add failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ kadmin -l ext -k $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ kdc --addresses=$LOCALIP --ports="$KDCPORT/udp" > $KDCLOG 2>&1 & ++else ++ echo "Trying MIT KDC..." ++ ++ kdb5_util create -r $KRB5REALM -s -P password > $KDCLOG 2>&1 ++ RC=$? 
++ if test $RC != 0 ; then ++ echo "MIT: kdb5_util create failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ kadmin.local -q "addprinc -randkey $KSERVICE" > $KDCLOG 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "MIT: admin addprinc failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ kadmin.local -q "ktadd -k $KRB5_KTNAME $KSERVICE" > $KDCLOG 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ kadmin.local -q "addprinc -randkey $KUSER" > $KDCLOG 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "MIT: kadmin addprinc failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ kadmin.local -q "ktadd -k $KRB5_CLIENT_KTNAME $KUSER" > $KDCLOG 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests" ++ exit 0 ++ fi ++ ++ krb5kdc -n > $KDCLOG 2>&1 & ++fi ++ ++KDCPROC=$! ++sleep 1 ++ ++kinit -kt $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ kill $KDCPROC ++ echo "SASL/GSSAPI: kinit failed, skipping GSSAPI tests" ++ exit 0 ++fi ++ ++pluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null ++RC=$? ++if test $RC != 0 ; then ++ ++ saslpluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null ++ RC=$? ++ if test $RC != 0 ; then ++ kill $KDCPROC ++ echo "cyrus-sasl has no GSSAPI support, test skipped" ++ exit 0 ++ fi ++fi +diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi +new file mode 100755 +index 000000000..64abe16fe +--- /dev/null ++++ b/tests/scripts/test077-sasl-gssapi +@@ -0,0 +1,159 @@ ++#! /bin/sh ++# $OpenLDAP$ ++## This work is part of OpenLDAP Software . ++## ++## Copyright 1998-2020 The OpenLDAP Foundation. ++## All rights reserved. ++## ++## Redistribution and use in source and binary forms, with or without ++## modification, are permitted only as authorized by the OpenLDAP ++## Public License. 
++## ++## A copy of this license is available in the file LICENSE in the ++## top-level directory of the distribution or, alternatively, at ++## . ++ ++echo "running defines.sh" ++. $SRCDIR/scripts/defines.sh ++ ++if test $WITH_SASL = no ; then ++ echo "SASL support not available, test skipped" ++ exit 0 ++fi ++ ++mkdir -p $TESTDIR $DBDIR1 ++cp -r $DATADIR/tls $TESTDIR ++ ++cd $TESTWD ++ ++ ++echo "Starting KDC for SASL/GSSAPI tests..." ++. $SRCDIR/scripts/setup_kdc.sh ++ ++echo "Running slapadd to build slapd database..." ++. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1 ++$SLAPADD -f $CONF1 -l $LDIFORDERED ++RC=$? ++if test $RC != 0 ; then ++ echo "slapadd failed ($RC)!" ++ kill $KDCPROC ++ exit $RC ++fi ++ ++echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..." ++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 & ++PID=$! ++if test $WAIT != 0 ; then ++ echo PID $PID ++ read foo ++fi ++KILLPIDS="$PID" ++ ++sleep 1 ++ ++for i in 0 1 2 3 4 5; do ++ $LDAPSEARCH -s base -b "" -H $URI1 \ ++ 'objectclass=*' > /dev/null 2>&1 ++ RC=$? ++ if test $RC = 0 ; then ++ break ++ fi ++ echo "Waiting 5 seconds for slapd to start..." ++ sleep 5 ++done ++ ++if test $RC != 0 ; then ++ echo "ldapsearch failed ($RC)!" ++ kill $KDCPROC ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapsearch failed ($RC)!" ++ kill $KDCPROC ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++grep GSSAPI $TESTOUT ++RC=$? ++if test $RC != 0 ; then ++ echo "failed: GSSAPI mechanism not in supportedSASLMechanisms." ++ kill $KDCPROC ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++fi ++ ++echo -n "Using ldapwhoami with SASL/GSSAPI: " ++$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1 ++RC=$? ++if test $RC != 0 ; then ++ echo "ldapwhoami failed ($RC)!" 
++ kill $KDCPROC ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++else ++ echo "success" ++fi ++ ++echo -n "Validating mapped SASL/GSSAPI ID: " ++echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out ++$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT ++RC=$? ++if test $RC != 0 ; then ++ echo "Comparison failed" ++ kill $KDCPROC ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++else ++ echo "success" ++fi ++ ++if test $WITH_TLS = no ; then ++ echo "SASL/GSSAPI: TLS support not available, skipping TLS part." ++else ++ echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: " ++ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \ ++ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ ++ > $TESTOUT 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "ldapwhoami failed ($RC)!" ++ kill $KDCPROC ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++ else ++ echo "success" ++ fi ++ ++ echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: " ++ $LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow \ ++ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \ ++ > $TESTOUT 2>&1 ++ RC=$? ++ if test $RC != 0 ; then ++ echo "ldapwhoami failed ($RC)!" ++ kill $KDCPROC ++ test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ exit $RC ++ else ++ echo "success" ++ fi ++fi ++ ++kill $KDCPROC ++test $KILLSERVERS != no && kill -HUP $KILLPIDS ++ ++if test $RC != 0 ; then ++ echo ">>>>> Test failed" ++else ++ echo ">>>>> Test succeeded" ++ RC=0 ++fi ++ ++test $KILLSERVERS != no && wait ++ ++exit $RC +-- +2.26.2 + diff --git a/openldap-change-TLS_REQSAN-default-to-TRY.patch b/openldap-change-TLS_REQSAN-default-to-TRY.patch new file mode 100644 index 0000000..601d08b --- /dev/null +++ b/openldap-change-TLS_REQSAN-default-to-TRY.patch 
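Review bot: Both TLS legs of test077-sasl-gssapi pass `-o tls_reqcert=allow` even though they also pass `-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt`, so a server certificate that does not chain to the test CA is still accepted and the start-tls and ldaps runs only show that the GSSAPI bind survives a TLS layer, not that the TLS layer was verified. If localhost.crt in tests/data/tls is issued for $LOCALHOST, `-o tls_reqcert=demand` would make those two runs meaningful; if it is not, a comment saying why `allow` is needed would stop the next reader from tightening it blindly. Separately, every step in setup_kdc.sh redirects with `> $KDCLOG 2>&1`, so after a failure the log holds only the last command's output and the backgrounded kdc/krb5kdc keeps writing into the same file; `>> $KDCLOG 2>&1` would preserve the earlier steps for diagnosis. The `sleep 1` before kinit is the only synchronisation with the KDC start, which looks fragile on a loaded builder.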
@@ -0,0 +1,46 @@ +From 2dfe3f35c7fef4792f15f0b3f9c9a10e5f9a4692 Mon Sep 17 00:00:00 2001 +From: Simon Pichugin +Date: Thu, 5 Aug 2021 16:15:09 +0200 +Subject: [PATCH] Change TLS_REQSAN default to TRY + +--- + doc/man/man5/ldap.conf.5 | 2 +- + libraries/libldap/init.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index cde2c875f..9f1aa2c0a 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -479,7 +479,6 @@ The client will not check any SAN in the certificate. + The SAN is checked against the specified hostname. If a SAN is + present but none match the specified hostname, the SANs are ignored + and the usual check against the certificate DN is used. +-This is the default setting. + .TP + .B try + The SAN is checked against the specified hostname. If no SAN is present +@@ -487,6 +486,7 @@ in the server certificate, the usual check against the certificate DN + is used. If a SAN is present but doesn't match the specified hostname, + the session is immediately terminated. This setting may be preferred + when a mix of certs with and without SANs are in use. ++This is the default setting. + .TP + .B demand | hard + These keywords are equivalent. The SAN is checked against the specified +diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c +index 0d91808ec..fa4c176fd 100644 +--- a/libraries/libldap/init.c ++++ b/libraries/libldap/init.c +@@ -625,7 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl + gopts->ldo_tls_connect_cb = NULL; + gopts->ldo_tls_connect_arg = NULL; + gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; +- gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW; ++ gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_TRY; + #endif + gopts->ldo_keepalive_probes = 0; + gopts->ldo_keepalive_interval = 0; +-- +2.31.1 + 
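Review bot: The patch description gives no rationale for flipping the default from `allow` to `try`, and the two settings differ in a way callers will notice: with `try`, a server certificate whose SANs do not match the requested host now terminates the session instead of falling back to the DN check, so clients that connect by a name or address not listed in the certificate's SANs start failing after this update. A sentence in the commit message naming the reason and the user-visible effect would help packagers triage reports, e.g. `With allow, a mismatched SAN is silently ignored; try keeps the DN fallback only for certificates that carry no SAN at all.` The ldap.conf.5 hunk moves the 'This is the default setting.' note correctly; if the server-side documentation of this option exists elsewhere in this tree, it should receive the same update.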
diff --git a/openldap-cldap-check-for-error-on-connected-socket.patch b/openldap-cldap-check-for-error-on-connected-socket.patch new file mode 100644 index 0000000..bade69a --- /dev/null +++ b/openldap-cldap-check-for-error-on-connected-socket.patch @@ -0,0 +1,41 @@ +From ec5eba5393e5cc65b05e54658c55500cdbff775a Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Wed, 26 Aug 2020 13:22:52 +0100 +Subject: [PATCH 01/34] ITS#9328 cldap: check for error on connected socket + +libldap doesn't use a connected socket for UDP sessions, but 3rd +parties can, passed in with ldap_init_fd(). +--- + libraries/libldap/result.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c +index bdced135b..e2b220630 100644 +--- a/libraries/libldap/result.c ++++ b/libraries/libldap/result.c +@@ -486,7 +486,8 @@ retry: + #ifdef LDAP_CONNECTIONLESS + if ( LDAP_IS_UDP(ld) ) { + struct sockaddr_storage from; +- ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ); ++ if ( ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ) < 0 ) ++ goto fail; + if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1; + } + nextresp3: +@@ -502,10 +503,11 @@ nextresp3: + break; + + case LBER_DEFAULT: ++fail: + err = sock_errno(); + #ifdef LDAP_DEBUG + Debug( LDAP_DEBUG_CONNS, +- "ber_get_next failed.\n", 0, 0, 0 ); ++ "ber_get_next failed, errno=%d.\n", err, 0, 0 ); + #endif + if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING; + if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING; +-- +2.26.2 + diff --git a/openldap-ldapi-sasl.patch b/openldap-ldapi-sasl.patch new file mode 100644 index 0000000..058cc1c --- /dev/null +++ b/openldap-ldapi-sasl.patch 
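Review bot: The new `goto fail` jumps from the UDP pre-read into the middle of the `case LBER_DEFAULT:` body, so everything after the label runs without `ber_get_next` having been called; `err = sock_errno()` is right here because the failed `ber_int_sb_read` is what set errno, but any code after the switch that reads the tag returned by `ber_get_next` would see it unset, which is worth confirming against the rest of the function outside the hunk. A comment on the label would make the cross-jump obvious, e.g. `fail: /* also reached from the LDAP_IS_UDP pre-read above, before ber_get_next runs */`. The check treats only a negative return as failure; if `ber_int_sb_read` can return 0 for a closed peer on a connected UDP socket, that case still falls through to `ber_get_next`.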
@@ -0,0 +1,55 @@ +From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Tue, 7 May 2013 17:02:57 +0200 +Subject: [PATCH] LDAPI SASL fix + +Resolves: #960222 +--- + libraries/libldap/cyrus.c | 19 ++++++++++++++++--- + 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-) + +diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c +index 28c241b..a9acf36 100644 +--- a/libraries/libldap/cyrus.c ++++ b/libraries/libldap/cyrus.c +@@ -394,6 +394,8 @@ ldap_int_sasl_bind( + struct berval ccred = BER_BVNULL; + int saslrc, rc; + unsigned credlen; ++ char my_hostname[HOST_NAME_MAX + 1]; ++ int free_saslhost = 0; + + Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n", + mechs ? mechs : "", 0, 0 ); +@@ -454,14 +456,25 @@ ldap_int_sasl_bind( + + /* If we don't need to canonicalize just use the host + * from the LDAP URI. ++ * Always use the result of gethostname() for LDAPI. + */ +- if ( nocanon ) ++ if (ld->ld_defconn->lconn_server->lud_scheme != NULL && ++ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) { ++ rc = gethostname(my_hostname, HOST_NAME_MAX + 1); ++ if (rc == 0) { ++ saslhost = my_hostname; ++ } else { ++ saslhost = "localhost"; ++ } ++ } else if ( nocanon ) + saslhost = ld->ld_defconn->lconn_server->lud_host; +- else ++ else { + saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb, + "localhost" ); ++ free_saslhost = 1; ++ } + rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost ); +- if ( !nocanon ) ++ if ( free_saslhost ) + LDAP_FREE( saslhost ); + } + +-- +1.7.11.7 + diff --git a/openldap-manpages.patch b/openldap-manpages.patch new file mode 100644 index 0000000..b69a391 --- /dev/null +++ b/openldap-manpages.patch 
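Review bot: `gethostname()` is not guaranteed to NUL-terminate `my_hostname` when the host name does not fit in the buffer, so the ldapi branch should terminate it explicitly after a successful call, `my_hostname[HOST_NAME_MAX] = '\0';`, before the value becomes the SASL service host. `HOST_NAME_MAX` is also not defined on every platform libldap builds on (glibc provides it via <limits.h>), and the hunk adds neither an include nor a fallback; a `#ifndef HOST_NAME_MAX` guard with a conservative default would keep the file compiling elsewhere. The function `ldap_int_sasl_bind` continues outside the hunk.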
@@ -0,0 +1,73 @@ +Various manual pages changes: +* removes LIBEXECDIR from slapd.8 +* removes references to non-existing manpages (bz 624616) + +diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1 +index 3def6da..466c772 100644 +--- a/doc/man/man1/ldapmodify.1 ++++ b/doc/man/man1/ldapmodify.1 +@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error. + .BR ldap_add_ext (3), + .BR ldap_delete_ext (3), + .BR ldap_modify_ext (3), +-.BR ldap_modrdn_ext (3), +-.BR ldif (5). ++.BR ldif (5) + .SH AUTHOR + The OpenLDAP Project + .SH ACKNOWLEDGEMENTS +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +index cfde143..63592cb 100644 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -317,6 +317,7 @@ certificates in separate individual files. The + .B TLS_CACERT + is always used before + .B TLS_CACERTDIR. ++The specified directory must be managed with the OpenSSL c_rehash utility. + This parameter is ignored with GnuTLS. + + When using Mozilla NSS, may contain a Mozilla NSS cert/key +diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8 +index b739f4d..e2a1a00 100644 +--- a/doc/man/man8/slapd.8 ++++ b/doc/man/man8/slapd.8 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B slapd + [\c + .BR \-4 | \-6 ] + [\c +@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ slapd + .ft + .fi + .LP +@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ slapd -f /var/tmp/slapd.conf -d 255 + .ft + .fi + .LP +@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type: + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ slapd -Tt + .ft + .fi + .LP +-- +1.8.1.4 + 
diff --git a/openldap-openssl-ITS7595-Add-EC-support-1.patch b/openldap-openssl-ITS7595-Add-EC-support-1.patch new file mode 100644 index 0000000..61e1df5 --- /dev/null +++ b/openldap-openssl-ITS7595-Add-EC-support-1.patch 
@@ -0,0 +1,227 @@ +ITS#7595 Add Elliptic Curve support for OpenSSL + +Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08 +Author: Howard Chu +Date: Sat Sep 7 09:47:19 2013 -0700 + +diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 +index 9c72e8296..2311c3096 100644 +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -922,6 +922,13 @@ are not used. + When using Mozilla NSS these parameters are always generated randomly + so this directive is ignored. + .TP ++.B olcTLSECName: ++Specify the name of a curve to use for Elliptic curve Diffie-Hellman ++ephemeral key exchange. This is required to enable ECDHE algorithms in ++OpenSSL. This option is not used with GnuTLS; the curves may be ++chosen in the GnuTLS ciphersuite specification. This option is also ++ignored for Mozilla NSS. ++.TP + .B olcTLSProtocolMin: [.] + Specifies minimum SSL/TLS protocol version that will be negotiated. + If the server doesn't support at least that version, +diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 +index f504adcf9..ef03e0ad8 100644 +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -1153,6 +1153,13 @@ are not used. + When using Mozilla NSS these parameters are always generated randomly + so this directive is ignored. + .TP ++.B TLSECName ++Specify the name of a curve to use for Elliptic curve Diffie-Hellman ++ephemeral key exchange. This is required to enable ECDHE algorithms in ++OpenSSL. This option is not used with GnuTLS; the curves may be ++chosen in the GnuTLS ciphersuite specification. This option is also ++ignored for Mozilla NSS. ++.TP + .B TLSProtocolMin [.] + Specifies minimum SSL/TLS protocol version that will be negotiated. 
+ If the server doesn't support at least that version, +diff --git a/include/ldap.h b/include/ldap.h +index c245651c2..0964a193e 100644 +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL + #define LDAP_OPT_X_TLS_NEWCTX 0x600f + #define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */ + #define LDAP_OPT_X_TLS_PACKAGE 0x6011 ++#define LDAP_OPT_X_TLS_ECNAME 0x6012 + + #define LDAP_OPT_X_TLS_NEVER 0 + #define LDAP_OPT_X_TLS_HARD 1 +diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h +index 66e04ae80..db7193f4f 100644 +--- a/libraries/libldap/ldap-int.h ++++ b/libraries/libldap/ldap-int.h +@@ -165,6 +165,7 @@ struct ldaptls { + char *lt_ciphersuite; + char *lt_crlfile; + char *lt_randfile; /* OpenSSL only */ ++ char *lt_ecname; /* OpenSSL only */ + int lt_protocol_min; + }; + #endif +@@ -250,6 +251,7 @@ struct ldapoptions { + #define ldo_tls_certfile ldo_tls_info.lt_certfile + #define ldo_tls_keyfile ldo_tls_info.lt_keyfile + #define ldo_tls_dhfile ldo_tls_info.lt_dhfile ++#define ldo_tls_ecname ldo_tls_info.lt_ecname + #define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile + #define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir + #define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite +diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c +index d25c190ea..0451b01af 100644 +--- a/libraries/libldap/tls2.c ++++ b/libraries/libldap/tls2.c +@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo ) + LDAP_FREE( lo->ldo_tls_dhfile ); + lo->ldo_tls_dhfile = NULL; + } ++ if ( lo->ldo_tls_ecname ) { ++ LDAP_FREE( lo->ldo_tls_ecname ); ++ lo->ldo_tls_ecname = NULL; ++ } + if ( lo->ldo_tls_cacertfile ) { + LDAP_FREE( lo->ldo_tls_cacertfile ); + lo->ldo_tls_cacertfile = NULL; +@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server ) + lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile ); + __atoe( lts.lt_dhfile ); + } ++ if ( lts.lt_ecname ) { ++ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname ); ++ 
__atoe( lts.lt_ecname ); ++ } + #endif + lo->ldo_tls_ctx = ti->ti_ctx_new( lo ); + if ( lo->ldo_tls_ctx == NULL ) { +@@ -257,6 +265,7 @@ error_exit: + LDAP_FREE( lts.lt_crlfile ); + LDAP_FREE( lts.lt_cacertdir ); + LDAP_FREE( lts.lt_dhfile ); ++ LDAP_FREE( lts.lt_ecname ); + #endif + return rc; + } +@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg ) + *(char **)arg = lo->ldo_tls_dhfile ? + LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL; + break; ++ case LDAP_OPT_X_TLS_ECNAME: ++ *(char **)arg = lo->ldo_tls_ecname ? ++ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL; ++ break; + case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ + *(char **)arg = lo->ldo_tls_crlfile ? + LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL; +@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg ) + if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile ); + lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL; + return 0; ++ case LDAP_OPT_X_TLS_ECNAME: ++ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname ); ++ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL; ++ return 0; + case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */ + if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile ); + lo->ldo_tls_crlfile = arg ? 
LDAP_STRDUP( (char *) arg ) : NULL; +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index f24060b7e..1370923af 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + return -1; + } + +- if ( lo->ldo_tls_dhfile ) { +- DH *dh = NULL; ++ if ( is_server && lo->ldo_tls_dhfile ) { ++ DH *dh; + BIO *bio; +- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); + + if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) { + Debug( LDAP_DEBUG_ANY, +@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + } + BIO_free( bio ); + SSL_CTX_set_tmp_dh( ctx, dh ); ++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE ); ++ DH_free( dh ); ++ } ++ ++#ifdef SSL_OP_SINGLE_ECDH_USE ++ if ( is_server && lo->ldo_tls_ecname ) { ++ EC_KEY *ecdh; ++ ++ int nid = OBJ_sn2nid( lt->lt_ecname ); ++ if ( nid == NID_undef ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use EC name `%s'.\n", ++ lo->ldo_tls_ecname,0,0); ++ tlso_report_error(); ++ return -1; ++ } ++ ecdh = EC_KEY_new_by_curve_name( nid ); ++ if ( ecdh == NULL ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not generate key for EC name `%s'.\n", ++ lo->ldo_tls_ecname,0,0); ++ tlso_report_error(); ++ return -1; ++ } ++ SSL_CTX_set_tmp_ecdh( ctx, ecdh ); ++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE ); ++ EC_KEY_free( ecdh ); + } ++#endif + + if ( tlso_opt_trace ) { + SSL_CTX_set_info_callback( ctx, tlso_info_cb ); +diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c +index 250f14100..8b1e4e582 100644 +--- a/servers/slapd/bconfig.c ++++ b/servers/slapd/bconfig.c +@@ -194,6 +194,7 @@ enum { + CFG_ACL_ADD, + CFG_SYNC_SUBENTRY, + CFG_LTHREADS, ++ CFG_TLS_ECNAME, + + CFG_LAST + }; +@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = { + #endif + "( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' " + "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, 
++ { "TLSECName", NULL, 2, 2, 0, ++#ifdef HAVE_TLS ++ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option, ++#else ++ ARG_IGNORED, NULL, ++#endif ++ "( OLcfgGlAt:96 NAME 'olcTLSECName' " ++ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL }, + { "TLSProtocolMin", NULL, 2, 2, 0, + #ifdef HAVE_TLS + CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config, +@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = { + "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ " + "olcTLSCACertificatePath $ olcTLSCertificateFile $ " + "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ " +- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ " ++ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ " + "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ " + "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ " + "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global }, +@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) { + case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break; + case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break; + case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break; ++ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break; + #ifdef HAVE_GNUTLS + case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break; + #endif diff --git a/openldap-openssl-ITS7595-Add-EC-support-2.patch b/openldap-openssl-ITS7595-Add-EC-support-2.patch new file mode 100644 index 0000000..6c28f3f --- /dev/null +++ b/openldap-openssl-ITS7595-Add-EC-support-2.patch 
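Review bot: The curve is applied only under `if ( is_server && lo->ldo_tls_ecname )` in tlso_ctx_init, but the slapd.conf.5 and slapd-config.5 text says TLSECName is "required to enable ECDHE algorithms in OpenSSL" without saying that a client-side setting is ignored; adding `This directive only affects the server side of a TLS session.` to both manpage entries would match the code. The `OBJ_sn2nid` failure path prints `lo->ldo_tls_ecname` while the lookup uses `lt->lt_ecname`; that mirrors the dhfile handling, and `lt` appears to be the copy that tls2.c runs through `__atoe`, so a one-line comment saying so would save the next reader a detour. Since this is a cherry-pick into a 2.4.46 tree, the `OLcfgGlAt:96` OID chosen for olcTLSECName should be checked against the attribute numbers already allocated in this bconfig.c, which the hunk does not show.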
@@ -0,0 +1,34 @@ +ITS#7595 don't try to use EC if OpenSSL lacks it + +Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d +Author: Howard Chu +Date: Sun Sep 8 06:32:23 2013 -0700 + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index 1a81bc625..71c2b055c 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + DH_free( dh ); + } + +-#ifdef SSL_OP_SINGLE_ECDH_USE + if ( is_server && lo->ldo_tls_ecname ) { ++#ifdef OPENSSL_NO_EC ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: Elliptic Curves not supported.\n", 0,0,0 ); ++ return -1; ++#else + EC_KEY *ecdh; + + int nid = OBJ_sn2nid( lt->lt_ecname ); +@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + SSL_CTX_set_tmp_ecdh( ctx, ecdh ); + SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE ); + EC_KEY_free( ecdh ); +- } + #endif ++ } + + if ( tlso_opt_trace ) { + SSL_CTX_set_info_callback( ctx, tlso_info_cb ); diff --git a/openldap-openssl-manpage-defaultCA.patch b/openldap-openssl-manpage-defaultCA.patch new file mode 100644 index 0000000..7ec2caa --- /dev/null +++ b/openldap-openssl-manpage-defaultCA.patch 
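Review bot: The `OPENSSL_NO_EC` branch returns -1 with a message that names neither the directive nor the configured value, so an operator sees "Elliptic Curves not supported" without learning that their TLSECName setting is what aborted context setup; `"TLS: EC name `%s' configured but OpenSSL was built without EC support.\n", lo->ldo_tls_ecname,0,0` would point them at the right line. The patch also removes the `#ifdef SSL_OP_SINGLE_ECDH_USE` guard entirely, so the `#else` branch now requires that macro unconditionally; that should hold for the OpenSSL versions this package builds against, but a short comment stating the assumption would help if the guard ever needs to come back.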
@@ -0,0 +1,48 @@ +Reference default system-wide CA certificates in manpages + +OpenSSL, unless explicitly configured, uses system-wide default set of CA +certificates. + +Author: Matus Honek + +diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an + .B ldaps:// URI + is selected (by default or otherwise) or when the application + negotiates TLS by issuing the LDAP StartTLS operation. ++.LP ++When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP ++is set, the system-wide default set of CA certificates is used. + .TP + .B TLS_CACERT + Specifies the file that contains certificates for all of the Certificate +diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5 +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -801,6 +801,10 @@ If + .B slapd + is built with support for Transport Layer Security, there are more options + you can specify. ++.LP ++When using OpenSSL, if neither \fBolcTLSCACertificateFile\fP nor ++\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA ++certificates is used. + .TP + .B olcTLSCipherSuite: + Permits configuring what ciphers will be accepted and the preference order. +diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -1032,6 +1032,10 @@ If + .B slapd + is built with support for Transport Layer Security, there are more options + you can specify. ++.LP ++When using OpenSSL, if neither \fBTLSCACertificateFile\fP nor ++\fBTLSCACertificatePath\fP is set, the system-wide default set of CA ++certificates is used. + .TP + .B TLSCipherSuite + Permits configuring what ciphers will be accepted and the preference order. 
diff --git a/openldap-reentrant-gethostby.patch b/openldap-reentrant-gethostby.patch new file mode 100644 index 0000000..140b6e3 --- /dev/null +++ b/openldap-reentrant-gethostby.patch @@ -0,0 +1,33 @@ +The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for +example if libldap needs to be initialized from within gethostbyXXXX() (which +actually happens if nss_ldap is used for hostname resolution and earlier +modules can't resolve the local host name), so use the reentrant versions of +the functions, even if we're not being compiled for use in libldap_r + +Resolves: #179730 +Author: Jeffery Layton + +diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c +index 373c81c..a012062 100644 +--- a/libraries/libldap/util-int.c ++++ b/libraries/libldap/util-int.c +@@ -52,8 +52,8 @@ extern int h_errno; + #ifndef LDAP_R_COMPILE + # undef HAVE_REENTRANT_FUNCTIONS + # undef HAVE_CTIME_R +-# undef HAVE_GETHOSTBYNAME_R +-# undef HAVE_GETHOSTBYADDR_R ++/* # undef HAVE_GETHOSTBYNAME_R */ ++/* # undef HAVE_GETHOSTBYADDR_R */ + + #else + # include +@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod) + #define BUFSTART (1024-32) + #define BUFMAX (32*1024-32) + +-#if defined(LDAP_R_COMPILE) ++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R) + static char *safe_realloc( char **buf, int len ); + + #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)) diff --git a/openldap-smbk5pwd-overlay.patch b/openldap-smbk5pwd-overlay.patch new file mode 100644 index 0000000..38936cf --- /dev/null +++ b/openldap-smbk5pwd-overlay.patch 
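Review bot: The new condition `#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)` mixes `||` and `&&` without parentheses; C precedence gives the intended reading, but `-Wparentheses` will flag it and a reader has to stop and check, so write `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))`. The two `#undef`s turned into `/* # undef ... */` are dead text; delete them and leave the reason in their place, e.g. `/* keep the _r variants even in non-LDAP_R builds: gethostby*() deadlocks when nss_ldap re-enters libldap (rhbz#179730) */`, so the rationale survives the next rebase. The header gives only a Bugzilla number and no upstream ITS; a long-lived downstream change to a resolver path shared by every libldap client is worth tracking upstream, or at least annotating with why it was never submitted.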
@@ -0,0 +1,62 @@ +Compile smbk5pwd together with other overlays. + +Author: Jan Šafránek +Resolves: #550895 + +Update to link against OpenSSL + +Author: Jan Vcelak +Resolves: #841560 + +diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README +index f20ad94..b6433ff 100644 +--- a/contrib/slapd-modules/smbk5pwd/README ++++ b/contrib/slapd-modules/smbk5pwd/README +@@ -1,3 +1,8 @@ ++****************************************************************************** ++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module ++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux. ++****************************************************************************** ++ + This directory contains a slapd overlay, smbk5pwd, that extends the + PasswordModify Extended Operation to update Kerberos keys and Samba + password hashes for an LDAP user. +diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in +index 3af20e8..ef73663 100644 +--- a/servers/slapd/overlays/Makefile.in ++++ b/servers/slapd/overlays/Makefile.in +@@ -33,7 +33,8 @@ SRCS = overlays.c \ + syncprov.c \ + translucent.c \ + unique.c \ +- valsort.c ++ valsort.c \ ++ smbk5pwd.c + OBJS = statover.o \ + @SLAPD_STATIC_OVERLAYS@ \ + overlays.o +@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS) + + LIBRARY = ../liboverlays.a +-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ ++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la + + XINCPATH = -I.. -I$(srcdir)/.. 
+ XDEFS = $(MODULES_CPPFLAGS) +@@ -125,6 +126,12 @@ unique.la : unique.lo + valsort.la : valsort.lo + $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS) + ++smbk5pwd.lo : smbk5pwd.c ++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $< ++ ++smbk5pwd.la : smbk5pwd.lo ++ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs) ++ + install-local: $(PROGRAMS) + @if test -n "$?" ; then \ + $(MKDIR) $(DESTDIR)$(moduledir); \ +-- +1.7.10.4 + diff --git a/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch b/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch new file mode 100644 index 0000000..ed4f2ad --- /dev/null +++ b/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch 
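Review bot: The two new rules call `$(shell pkg-config openssl --cflags)` and `$(shell pkg-config openssl --libs)` directly in the recipe, so pkg-config is re-executed at every expansion, the `$(shell …)` function ties a configure-generated Makefile.in to GNU make, and a missing or failing pkg-config yields an empty string and a silently mis-built module rather than a build error. Hoist the lookups into simply-expanded variables near the top of the file, `OPENSSL_CFLAGS := $(shell pkg-config --cflags openssl)` and `OPENSSL_LIBS := $(shell pkg-config --libs openssl)`, and reference those in the recipes, or better have configure substitute them via PKG_CHECK_MODULES so the failure is reported at configure time. `-UHAVE_MOZNSS` looks like a leftover given the changelog entries removing the MozNSS compat layer; if nothing defines it any more the flag can go, and the reason for `-DDO_SAMBA` alone (no Heimdal, as the README note explains) deserves a comment on the rule rather than only in the README.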
@@ -0,0 +1,41 @@ +From: Jan-Marek Glogowski +Date: Tue, 18 May 2010 17:47:05 +0200 +Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set. + +Proof of concept for fixing http://bugs.debian.org/327585 +(patch ported from freeradius bug http://bugs.debian.org/416266) + +Resolves: #960048 +--- +--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200 ++++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200 +@@ -117,6 +117,20 @@ + return -1; /* not found */ + } + ++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename ) ++{ ++ lt_dlhandle handle = 0; ++ lt_dladvise advise; ++ ++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise) ++ && !lt_dladvise_global (&advise)) ++ handle = lt_dlopenadvise (filename, advise); ++ ++ lt_dladvise_destroy (&advise); ++ ++ return handle; ++} ++ + int module_load(const char* file_name, int argc, char *argv[]) + { + module_loaded_t *module; +@@ -180,7 +194,7 @@ + * to calling Debug. This is because Debug is a macro that expands + * into multiple function calls. + */ +- if ((module->lib = lt_dlopenext(file)) == NULL) { ++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) { + error = lt_dlerror(); + #ifdef HAVE_EBCDIC + strcpy( ebuf, error ); diff --git a/openldap.spec b/openldap.spec new file mode 100644 index 0000000..feae96b --- /dev/null +++ b/openldap.spec 
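Review bot: In the new `slapd_lt_dlopenext_global`, when any of `lt_dladvise_init`, `lt_dladvise_ext` or `lt_dladvise_global` fails the function returns 0 without attempting the load, and the caller then reports `lt_dlerror()`, which at that point describes the advise failure (or nothing at all) rather than a dlopen problem; fall back to the plain call, `else handle = lt_dlopenext (filename);`, or set a distinguishable error so module_load's diagnostic stays meaningful. The helper switches every `moduleload` to RTLD_GLOBAL, not only back_perl, which is exactly the symbol-collision exposure the spec's own comment on this patch warns about; a comment above the helper such as `/* RTLD_GLOBAL so perl XS modules loaded by back_perl can resolve libperl symbols; note all slapd modules now share one global symbol namespace (Debian #327585) */` would record that trade-off for the next reader. The header still describes the patch as a "Proof of concept"; after years in the package that wording should be replaced with its actual status. module_load continues outside the hunk.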
@@ -0,0 +1,2177 @@ +%global _hardened_build 1 + +%global systemctl_bin /usr/bin/systemctl +%global check_password_version 1.1 + +Name: openldap +Version: 2.4.46 +Release: 18%{?dist} +Summary: LDAP support libraries +License: OpenLDAP +URL: http://www.openldap.org/ + +Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz +Source1: slapd.service +Source2: slapd.tmpfiles +Source3: slapd.ldif +Source4: ldap.conf +Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz +Source50: libexec-functions +Source52: libexec-check-config.sh +Source53: libexec-upgrade-db.sh + +# patches for 2.4 +Patch0: openldap-manpages.patch +Patch2: openldap-reentrant-gethostby.patch +Patch3: openldap-smbk5pwd-overlay.patch +Patch5: openldap-ai-addrconfig.patch +Patch17: openldap-allop-overlay.patch +Patch18: openldap-cldap-check-for-error-on-connected-socket.patch + +# fix back_perl problems with lt_dlopen() +# might cause crashes because of symbol collisions +# the proper fix is to link all perl modules against libperl +# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585 +Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch +# ldapi sasl fix pending upstream inclusion +Patch20: openldap-ldapi-sasl.patch +Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch +Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch +Patch24: openldap-openssl-manpage-defaultCA.patch + +# The below patches come from upstream master and are necessary for Channel Binding +# (both tls-unique and tls-server-end-point) to work properly. +# Additionally, for Samba to be able to implement Channel Binding, the PEERCERT option +# is being included as well. 
+Patch50: openldap-cbinding-Add-channel-binding-support.patch +Patch51: openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch +Patch52: openldap-cbinding-ITS-8573-TLS-option-test-suite.patch +Patch53: openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch +Patch54: openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch +Patch55: openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch +Patch56: openldap-cbinding-Make-prototypes-available-where-needed.patch +Patch57: openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch +Patch58: openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch +Patch59: openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch +Patch60: openldap-cbinding-Fix-slaptest-in-test077.patch +Patch61: openldap-cbinding-Convert-test077-to-LDIF-config.patch +Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch +Patch63: openldap-add-TLS_REQSAN-option.patch +Patch64: openldap-change-TLS_REQSAN-default-to-TRY.patch + +# check-password module specific patches +Patch90: check-password-makefile.patch +Patch91: check-password.patch + +BuildRequires: cyrus-sasl-devel, openssl-devel, krb5-devel, unixODBC-devel +BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-interpreter, perl-devel, perl-generators, perl(ExtUtils::Embed) + +%description +OpenLDAP is an open source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. The openldap package contains configuration files, +libraries, and documentation for OpenLDAP. 
+ +%package devel +Summary: LDAP development libraries and header files +Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa} + +%description devel +The openldap-devel package includes the development libraries and +header files needed for compiling applications that use LDAP +(Lightweight Directory Access Protocol) internals. LDAP is a set of +protocols for enabling directory services over the Internet. Install +this package only if you plan to develop or will need to compile +customized LDAP clients. + +%package servers +Summary: LDAP server +License: OpenLDAP +Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils +Requires(pre): shadow-utils +BuildRequires: systemd +%{?systemd_requires} +BuildRequires: libdb-devel +BuildRequires: cracklib-devel +# migrationtools (slapadd functionality): +Provides: ldif2ldbm + +%description servers +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. This package contains the slapd server and related files. + +%package clients +Summary: LDAP client utilities +Requires: openldap%{?_isa} = %{version}-%{release} + +%description clients +OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access +Protocol) applications and development tools. LDAP is a set of +protocols for accessing directory services (usually phone book style +information, but other information is possible) over the Internet, +similar to the way DNS (Domain Name System) information is propagated +over the Internet. The openldap-clients package contains the client +programs needed for accessing and modifying OpenLDAP directories. 
+ +%prep +%setup -q -c -a 0 -a 10 + +pushd openldap-%{version} + +AUTOMAKE=%{_bindir}/true autoreconf -fi + +%patch0 -p1 +%patch2 -p1 +%patch3 -p1 +%patch5 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch50 -p1 +%patch51 -p1 +%patch52 -p1 +%patch53 -p1 +%patch54 -p1 +%patch55 -p1 +%patch56 -p1 +%patch57 -p1 +%patch58 -p1 +%patch59 -p1 +%patch60 -p1 +%patch61 -p1 +%patch62 -p1 +%patch63 -p1 +%patch64 -p1 + +# build smbk5pwd with other overlays +ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays +mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd +# build allop with other overlays +ln -s ../../../contrib/slapd-modules/allop/allop.c servers/slapd/overlays +mv contrib/slapd-modules/allop/README contrib/slapd-modules/allop/README.allop +mv contrib/slapd-modules/allop/slapo-allop.5 doc/man/man5/slapo-allop.5 + +mv servers/slapd/back-perl/README{,.back_perl} + +# fix documentation encoding +for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do + iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8" + mv "$filename.utf8" "$filename" +done + +popd + +pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +%patch90 -p1 +%patch91 -p1 +popd + +%build + +%set_build_flags +# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS) +export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS -DOPENSSL_NO_MD2" + +pushd openldap-%{version} +%configure \ + --enable-debug \ + --enable-dynamic \ + \ + --enable-dynacl \ + --enable-cleartext \ + --enable-crypt \ + --enable-lmpasswd \ + --enable-spasswd \ + --enable-modules \ + --enable-rewrite \ + --enable-rlookups \ + --enable-slapi \ + --disable-slp \ + \ + --enable-backends=mod \ + --enable-bdb=yes \ + --enable-hdb=yes \ + --enable-mdb=yes \ + --enable-monitor=yes \ + --disable-ndb \ + --disable-sql \ + \ + 
--enable-overlays=mod \ + \ + --disable-static \ + \ + --with-cyrus-sasl \ + --without-fetch \ + --with-threads \ + --with-pic \ + --with-gnu-ld \ + \ + --libexecdir=%{_libdir} + +make %{_smp_mflags} +popd + +pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +make LDAP_INC="-I../openldap-%{version}/include \ + -I../openldap-%{version}/servers/slapd \ + -I../openldap-%{version}/build-servers/include" +popd + +%install + +mkdir -p %{buildroot}%{_libdir}/ + +pushd openldap-%{version} +make install DESTDIR=%{buildroot} STRIP="" +popd + +# install check_password module +pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version} +mv check_password.so check_password.so.%{check_password_version} +ln -s check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/check_password.so +install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/ +# install -m 644 README %{buildroot}%{_libdir}/openldap +install -d -m 755 %{buildroot}%{_sysconfdir}/openldap +cat > %{buildroot}%{_sysconfdir}/openldap/check_password.conf </dev/null || groupadd -r -g 55 ldap +getent passwd ldap &>/dev/null || \ + useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap + +if [ $1 -eq 2 ]; then + # package upgrade + + old_version=$(rpm -q --qf=%%{version} openldap-servers) + new_version=%{version} + + if [ "$old_version" != "$new_version" ]; then + touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null + fi +fi + +exit 0 + + +%post servers +%systemd_post slapd.service + +# generate configuration if necessary +if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \ + ! 
-f %{_sysconfdir}/openldap/slapd.conf + ]]; then + # if there is no configuration available, generate one from the defaults + mkdir -p %{_sysconfdir}/openldap/slapd.d/ &>/dev/null || : + /usr/sbin/slapadd -F %{_sysconfdir}/openldap/slapd.d/ -n0 -l %{_datadir}/openldap-servers/slapd.ldif + chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d/ + %{systemctl_bin} try-restart slapd.service &>/dev/null +fi + +start_slapd=0 + +# upgrade the database +if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then + if %{systemctl_bin} --quiet is-active slapd.service; then + %{systemctl_bin} stop slapd.service + start_slapd=1 + fi + + %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap +fi + +# restart after upgrade +if [ $1 -ge 1 ]; then + if [ $start_slapd -eq 1 ]; then + %{systemctl_bin} start slapd.service &>/dev/null || : + else + %{systemctl_bin} condrestart slapd.service &>/dev/null || : + fi +fi + +exit 0 + +%preun servers +%systemd_preun slapd.service + +%postun servers +%systemd_postun_with_restart slapd.service + +%triggerin servers -- libdb + +# libdb upgrade (setup for %%triggerun) +if [ $2 -eq 2 ]; then + # we are interested in minor version changes (both versions of libdb are installed at this moment) + if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then + touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb + else + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb + fi +fi + +exit 0 + + +%triggerun servers -- libdb + +# libdb upgrade (finish %%triggerin) +if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then + if %{systemctl_bin} --quiet is-active slapd.service; then + %{systemctl_bin} stop slapd.service + start=1 + else + start=0 + fi + + %{_libexecdir}/openldap/upgrade-db.sh &>/dev/null + rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb + + [ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null +fi + +exit 0 + + +%files +%doc 
openldap-%{version}/ANNOUNCEMENT +%doc openldap-%{version}/CHANGES +%license openldap-%{version}/COPYRIGHT +%license openldap-%{version}/LICENSE +%doc openldap-%{version}/README +%dir %{_sysconfdir}/openldap +%dir %{_sysconfdir}/openldap/certs +%config(noreplace) %{_sysconfdir}/openldap/ldap.conf +%dir %{_libexecdir}/openldap/ +%{_libdir}/liblber-2.4*.so.* +%{_libdir}/libldap-2.4*.so.* +%{_libdir}/libldap_r-2.4*.so.* +%{_libdir}/libslapi-2.4*.so.* +%{_mandir}/man5/ldif.5* +%{_mandir}/man5/ldap.conf.5* + +%files servers +%doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd +%doc openldap-%{version}/doc/guide/admin/*.html +%doc openldap-%{version}/doc/guide/admin/*.png +%doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm +%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl +%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl +%doc ltb-project-openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd +%doc README.schema +%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d +%config(noreplace) %{_sysconfdir}/openldap/schema +%config(noreplace) %{_sysconfdir}/openldap/check_password.conf +%{_tmpfilesdir}/slapd.conf +%dir %attr(0700,ldap,ldap) %{_sharedstatedir}/ldap +%dir %attr(-,ldap,ldap) %{_localstatedir}/run/openldap +%{_unitdir}/slapd.service +%{_datadir}/openldap-servers/ +%{_libdir}/openldap/accesslog* +%{_libdir}/openldap/auditlog* +%{_libdir}/openldap/allop* +%{_libdir}/openldap/back_dnssrv* +%{_libdir}/openldap/back_ldap* +%{_libdir}/openldap/back_meta* +%{_libdir}/openldap/back_null* +%{_libdir}/openldap/back_passwd* +%{_libdir}/openldap/back_relay* +%{_libdir}/openldap/back_shell* +%{_libdir}/openldap/back_sock* +%{_libdir}/openldap/back_perl* +%{_libdir}/openldap/collect* +%{_libdir}/openldap/constraint* +%{_libdir}/openldap/dds* +%{_libdir}/openldap/deref* +%{_libdir}/openldap/dyngroup* +%{_libdir}/openldap/dynlist* +%{_libdir}/openldap/memberof* 
+%{_libdir}/openldap/pcache* +%{_libdir}/openldap/ppolicy* +%{_libdir}/openldap/refint* +%{_libdir}/openldap/retcode* +%{_libdir}/openldap/rwm* +%{_libdir}/openldap/seqmod* +%{_libdir}/openldap/smbk5pwd* +%{_libdir}/openldap/sssvlv* +%{_libdir}/openldap/syncprov* +%{_libdir}/openldap/translucent* +%{_libdir}/openldap/unique* +%{_libdir}/openldap/valsort* +%{_libdir}/openldap/check_password* +%{_libexecdir}/openldap/functions +%{_libexecdir}/openldap/check-config.sh +%{_libexecdir}/openldap/upgrade-db.sh +%{_sbindir}/sl* +%{_mandir}/man8/* +%{_mandir}/man5/slapd*.5* +%{_mandir}/man5/slapo-*.5* +# obsolete configuration +%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf + +%files clients +%{_bindir}/* +%{_mandir}/man1/* + +%files devel +%doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc +%{_libdir}/lib*.so +%{_includedir}/* +%{_mandir}/man3/* + +%changelog +* Thu Aug 5 2021 Simon Pichugin - 2.4.46-18 +- Add TLS_REQSAN option and change the default to TRY (#1814674) + +* Wed Jun 16 2021 Simon Pichugin - 2.4.46-17 +- Rebuild without MP_2 support (#1909037) + +* Thu Sep 10 2020 Simon Pichugin - 2.4.46-16 +- CLDAP ldap_result hangs if nobody listens on the port (#1875361) + +* Thu Jun 18 2020 Matus Honek - 2.4.46-15 +- Fix covscan issues from previous release (#1822737) + +* Tue Jun 16 2020 Matus Honek - 2.4.46-14 +- Backport Channel Binding support (#1822904, #1822737) + +* Wed Jan 15 2020 Matus Honek - 2.4.46-11 +- Use OpenSSL-1.0.2+ API for host name verification (#1788572) + +* Sun Aug 18 2019 Matus Honek - 2.4.46-10 +- Do not fallback to checking CN when no SAN matched (#1740070) + +* Mon Dec 17 2018 Matus Honek - 2.4.46-9 +- Reference default system-wide CA certificates in manpages (#1611624) + +* Tue Oct 16 2018 Matus Honek - 2.4.46-8 +- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623497) + +* Fri Jul 13 2018 Fedora Release Engineering - 2.4.46-7 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jul 6 2018 Matus Honek - 2.4.46-6 +- Build with LDAP_USE_NON_BLOCKING_TLS (#1594928) +- Remove unused leftover MozNSS Compat. Layer references (cont.) (#1557967) + +* Fri Jul 06 2018 Petr Pisar - 2.4.46-5 +- Perl 5.28 rebuild + +* Wed Jul 4 2018 Matus Honek - 2.4.46-4 +- Remove unused leftover MozNSS Compat. Layer references (#1557967) + +* Wed Jul 4 2018 Matus Honek - 2.4.46-3 +- MozNSS Compat. Layer: Make log messages more clear (#1598103) +- MozNSS Compat. Layer: Fix memleaks reported by valgrind (#1595203) + +* Wed Jun 27 2018 Jitka Plesnikova - 2.4.46-2 +- Perl 5.28 rebuild +- MozNSS Compat. Layer: Fix typos, and spelling in the README file header (#1564161) + +* Tue Mar 27 2018 Matus Honek - 2.4.46-1 +- Rebase to version OpenLDAP 2.4.46 (#1559652) + +* Mon Mar 5 2018 Matus Honek - 2.4.45-14 +- Utilize system-wide crypto-policies (#1483979) + +* Thu Mar 1 2018 Matus Honek - 2.4.45-13 +- fix: openldap does not use Fedora build flags + + makes use of redhat-rpm-config package +- Drop superfluous back-sql linking patch + +* Wed Feb 28 2018 Matus Honek - 2.4.45-12 +- MozNSS Compat. Layer: fix: libldap tlsmc continues even after it fails to extract CA certificates (#1550110) + +* Wed Feb 21 2018 Matus Honek - 2.4.45-11 +- TLS: Use system trusted CA store by default (#1270678, #1537259) + +* Sun Feb 11 2018 Matus Honek - 2.4.45-10 +- Complete change: Disable TLSMC in F29+ + +* Fri Feb 09 2018 Igor Gnatenko - 2.4.45-9 +- Escape macros in %%changelog +- Disable TLSMC in F29+ +- Remove obsolete Group tag +- Don't call ldconfig in servers subpackage +- Switch to %%ldconfig_scriptlets +- Remove unneeded Requires(post): systemd-sysv, chkconfig +- Switch to %%systemd_requires +- Change BuildRequires: systemd-units to systemd + +* Wed Feb 7 2018 Matus Honek - 2.4.45-8 +- Drop TCP wrappers support (#1531487) + +* Wed Feb 7 2018 Matus Honek - 2.4.45-7 +- MozNSS Compat. 
Layer fixes (#1400570) + - fix incorrect parsing of CACertDir (orig. #1533955) + - fix PIN disclaimer not always shown (orig. #1516409) + - fix recursive directory deletion (orig. #1516409) + - Ensure consistency of a PEM dir before usage (orig. #1516409) + + Warn just before use of a PIN about key file extraction + - Enable usage of NSS DB with PEM cert/key (orig. #1525485) + + Fix a possible invalid dereference (covscan) + +* Sat Jan 20 2018 Björn Esser - 2.4.45-6 +- Rebuilt for switch to libxcrypt + +* Wed Dec 6 2017 Matus Honek - 2.4.45-5 +- Fix issues in MozNSS compatibility layer (#1400570) + + Force write file with fsync to avoid race conditions + + Always filestamp both sql and dbm NSS DB variants to not rely on default DB type prefix + + Allow missing cert and key which is a valid usecase + + Create extraction folder only in /tmp to simplify selinux rules + + Fix Covscan issues + +* Fri Nov 3 2017 Matus Honek - 2.4.45-4 +- Build with OpenSSL with MozNSS compatibility layer (#1400570) + +* Thu Aug 03 2017 Fedora Release Engineering - 2.4.45-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 2.4.45-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jul 7 2017 Matus Honek - 2.4.45-1 +- Rebase to version 2.4.45 (#1458081) + * fixes CVE-2017-9287 (#1456712, #1456713) +- Update the 'sources' file with new SHA512 hashes + +* Fri Jul 7 2017 Matus Honek - 2.4.44-12 +- Change Requires to Recommends for nss-tools (#1415086) + +* Sun Jun 04 2017 Jitka Plesnikova - 2.4.44-11 +- Perl 5.26 rebuild + +* Fri Mar 31 2017 Matus Honek - 2.4.44-10 +- NSS: Maximal TLS protocol version should be equal to NSS default (#1435692) + +* Thu Mar 30 2017 Matus Honek - 2.4.44-9 +- NSS: Enhance OpenLDAP to support TLSv1.3 protocol with NSS (#1435692) +- NSS: Rearrange ciphers-, parsing-, and protocol-related patches (#1435692) + +* Sat Feb 11 2017 Fedora Release Engineering - 
2.4.44-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Mon Jan 30 2017 Matus Honek - 2.4.44-7 +- NSS: Update list of ciphers (#1387868) + +* Mon Jan 30 2017 Matus Honek - 2.4.44-6 +- NSS: Use what NSS considers default for DEFAULT cipher string (#1387868) + +* Thu Jan 26 2017 Matus Honek - 2.4.44-5 +- NSS: fix: incorrect multi-keyword parsing and support new ones (#1243517) + +* Mon Jan 23 2017 Matus Honek - 2.4.44-4 +- fix previous commit (#1375432) + +* Fri Jan 20 2017 Matus Honek - 2.4.44-3 +- fix: Setting olcTLSProtocolMin does not change supported protocols (#1375432) +- fix: slapd should start after network-online.service (#1336487) + +* Sun May 15 2016 Jitka Plesnikova - 2.4.44-2 +- Perl 5.24 rebuild + +* Wed May 11 2016 Matus Honek - 2.4.44-1 +- Update to 2.4.44 (#1305191) + +* Tue May 3 2016 Matus Honek - 2.4.43-5 +- Bring back *.la files in %%{_libdir}/openldap/ (#1331484) + +* Wed Apr 27 2016 Matus Honek - 2.4.43-4 +- Keep *.so libraries in %%{_libdir}/openldap/ (#1331484) +- Include AllOp overlay (#1319782) + +* Sun Apr 10 2016 Peter Robinson 2.4.43-3 +- Ensure all libtool archive files are removed (.la) + +* Thu Feb 04 2016 Fedora Release Engineering - 2.4.43-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Dec 02 2015 Fedora Release Monitoring - 2.4.43-1 +- Update to 2.4.43 (#1253871) + +* Thu Jul 16 2015 Matúš Honěk - 2.4.41-1 +- New upstream release 2.4.41 (#1238251) + +* Wed Jun 17 2015 Fedora Release Engineering - 2.4.40-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Wed Jun 03 2015 Jitka Plesnikova - 2.4.40-13 +- Perl 5.22 rebuild + +* Mon Apr 27 2015 Jan Synáček - 2.4.40-12 +- fix: bring back tmpfiles config (#1215655) + +* Mon Mar 30 2015 Jan Synáček - 2.4.40-11 +- remove spurious ghosted file + +* Fri Feb 20 2015 Jan Synáček - 2.4.40-10 +- link against moznss again (#1187742) + +* Wed Feb 11 2015 Jan Synáček - 2.4.40-9 +- fix: Unknown Berkeley DB major 
version in db.h (#1191098) + +* Tue Feb 10 2015 Jan Synáček - 2.4.40-9 +- CVE-2015-1545: slapd crashes on search with deref control (#1190645) + +* Tue Jan 27 2015 Jan Synáček - 2.4.40-8 +- link against openssl by default +- simplify package even more by removing certificate generation + +* Mon Jan 26 2015 Jan Synáček - 2.4.40-7 +- remove tmpfiles config since it's no longer needed +- fix invalid ldif +- simplify checking for missing server configuration + +* Fri Jan 16 2015 Jan Synáček - 2.4.40-6 +- remove openldap-fedora-systemd.patch +- remove openldap-ldaprc-currentdir.patch +- remove openldap-userconfig-setgid.patch +- remove openldap-syncrepl-unset-tls-options.patch +- remove unneeded configure flags, disable sql backend and aci +- make mdb default after a new installation +- remove pid file and args file +- renumber patches and sources + +* Wed Dec 17 2014 Jan Synáček - 2.4.40-5 +- harden the build +- improve check_password +- provide an unversioned symlink to check_password.so.1.1 + +* Tue Dec 16 2014 Jan Synáček - 2.4.40-4 +- remove openldap.pc + +* Tue Dec 9 2014 Jan Synáček - 2.4.40-3 +- enhancement: generate openldap.pc (#1171493) + +* Fri Nov 14 2014 Jan Synáček - 2.4.40-2 +- enhancement: support TLSv1 and later (#1160466) + +* Mon Oct 6 2014 Jan Synáček - 2.4.40-1 +- new upstream release (#1147877) + +* Wed Aug 27 2014 Jitka Plesnikova - 2.4.39-12 +- Perl 5.20 rebuild + +* Sun Aug 17 2014 Fedora Release Engineering - 2.4.39-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jul 18 2014 Tom Callaway - 2.4.39-10 +- fix license handling + +* Mon Jul 14 2014 Jan Synáček - 2.4.39-9 +- fix: fix typo in generate-server-cert.sh (#1117229) + +* Mon Jun 9 2014 Jan Synáček - 2.4.39-8 +- fix: make default service configuration listen on ldaps:/// as well (#1105634) + +* Sat Jun 07 2014 Fedora Release Engineering - 2.4.39-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Fri May 30 2014 Jan Synáček - 
2.4.39-6 +- fix: remove correct tmp file when generating server cert (#1103102) + +* Mon Mar 24 2014 Jan Synáček - 2.4.39-5 +- re-symlink unversioned libraries, so ldconfig is not confused (#1028557) + +* Tue Mar 4 2014 Jan Synáček - 2.4.39-4 +- don't automatically convert slapd.conf to slapd-config + +* Wed Feb 19 2014 Jan Synáček - 2.4.39-3 +- remove redundant sysconfig-related stuff +- add documentation reference to service file +- alias slapd.service as openldap.service + +* Tue Feb 4 2014 Jan Synáček - 2.4.39-2 +- CVE-2013-4449: segfault on certain queries with rwm overlay (#1060851) + +* Wed Jan 29 2014 Jan Synáček - 2.4.39-1 +- new upstream release (#1059186) + +* Mon Nov 18 2013 Jan Synáček - 2.4.38-1 +- new upstream release (#1031608) + +* Mon Nov 11 2013 Jan Synáček - 2.4.37-2 +- fix: slaptest incorrectly handles 'include' directives containing a custom file (#1028935) + +* Wed Oct 30 2013 Jan Synáček - 2.4.37-1 +- new upstream release (#1023916) +- fix: missing a linefeed at the end of file /etc/openldap/ldap.conf (#1019836) + +* Mon Oct 21 2013 Jan Synáček - 2.4.36-4 +- fix: slapd daemon fails to start with segmentation fault on s390x (#1020661) + +* Tue Oct 15 2013 Jan Synáček - 2.4.36-3 +- rebuilt for libdb-5.3.28 + +* Mon Oct 14 2013 Jan Synáček - 2.4.36-2 +- fix: CLDAP is broken for IPv6 (#1018688) + +* Wed Sep 4 2013 Jan Synáček - 2.4.36-2 +- fix: typos in manpages + +* Tue Aug 20 2013 Jan Synáček - 2.4.36-1 +- new upstream release + + compile-in mdb backend + +* Sat Aug 03 2013 Fedora Release Engineering - 2.4.35-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 17 2013 Petr Pisar - 2.4.35-6 +- Perl 5.18 rebuild + +* Fri Jun 14 2013 Jan Synáček - 2.4.35-5 +- fix: using slaptest to convert slapd.conf to LDIF format ignores "loglevel 0" + +* Thu May 09 2013 Jan Synáček 2.4.35-4 +- do not needlessly run ldconfig after installing openldap-devel +- fix: LDAPI with GSSAPI does not work if SASL_NOCANON=on (#960222) +- 
fix: lt_dlopen() with back_perl (#960048) + +* Tue Apr 09 2013 Jan Synáček 2.4.35-3 +- fix: minor documentation fixes +- set SASL_NOCANON to on by default (#949864) +- remove trailing spaces + +* Fri Apr 05 2013 Jan Synáček 2.4.35-2 +- drop the evolution patch + +* Tue Apr 02 2013 Jan Synáček 2.4.35-1 +- new upstream release (#947235) +- fix: slapd.service should ensure that network is up before starting (#946921) +- fix: NSS related resource leak (#929357) + +* Mon Mar 18 2013 Jan Synáček 2.4.34-2 +- fix: syncrepl push DELETE operation does not recover (#920482) +- run autoreconf every build, drop autoreconf patch (#926280) + +* Mon Mar 11 2013 Jan Synáček 2.4.34-1 +- enable perl backend (#820547) +- package ppolicy-check-password (#829749) +- add perl specific BuildRequires +- fix bogus dates + +* Wed Mar 06 2013 Jan Vcelak 2.4.34-1 +- new upstream release (#917603) +- fix: slapcat segfaults if cn=config.ldif not present (#872784) +- use systemd-rpm macros in spec file (#850247) + +* Thu Jan 31 2013 Jan Synáček 2.4.33-4 +- rebuild against new cyrus-sasl + +* Wed Oct 31 2012 Jan Vcelak 2.4.33-3 +- fix update: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455) + +* Fri Oct 12 2012 Jan Vcelak 2.4.33-2 +- fix: slapd with rwm overlay segfault following ldapmodify (#865685) + +* Thu Oct 11 2012 Jan Vcelak 2.4.33-1 +- new upstream release: + + slapd: ACLs, syncrepl + + backends: locking and memory management in MDB + + manpages: slapo-refint +- patch update: MozNSS certificate database in SQL format cannot be used (#860317) +- fix: slapd.service should not use /tmp (#859019) + +* Fri Sep 14 2012 Jan Vcelak 2.4.32-3 +- fix: some TLS ciphers cannot be enabled (#852338) +- fix: connection hangs after fallback to second server when certificate hostname verification fails (#852476) +- fix: not all certificates in OpenSSL compatible CA certificate directory format are loaded (#852786) +- fix: MozNSS certificate database in SQL format cannot be 
used (#857373) +- fix: libldap does not load PEM certificate if certdb is used as TLS_CACERTDIR (#857455) + +* Mon Aug 20 2012 Jan Vcelak 2.4.32-2 +- enhancement: TLS, prefer private keys from authenticated slots +- enhancement: TLS, allow certificate specification including token name +- resolve TLS failures in replication in 389 Directory Server + +* Wed Aug 01 2012 Jan Vcelak 2.4.32-1 +- new upstream release + + library: double free, SASL handling + + tools: read SASL_NOCANON from config file + + slapd: config index renumbering, duplicate error response + + backends: various fixes in mdb, bdb/hdb, ldap + + accesslog, syncprov: fix memory leaks in with replication + + sha2: portability, thread safety, support SSHA256,384,512 + + documentation fixes + +* Sat Jul 21 2012 Jan Vcelak 2.4.31-7 +- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022) + +* Fri Jul 20 2012 Jan Vcelak 2.4.31-6 +- multilib fix: move libslapi from openldap-servers to openldap package + +* Thu Jul 19 2012 Jan Vcelak 2.4.31-5 +- fix: querying for IPv6 DNS records when IPv6 is disabled on the host (#835013) +- fix: smbk5pwd module computes invalid LM hashes (#841560) + +* Wed Jul 18 2012 Jan Vcelak 2.4.31-4 +- modify the package build process + + fix autoconfig files to detect Mozilla NSS library using pkg-config + + remove compiler flags which are not needed currently + + build server, client and library together + + avoid stray dependencies by using --as-needed linker flag + + enable SLAPI interface in slapd + +* Wed Jun 27 2012 Jan Vcelak 2.4.31-3 +- update fix: count constraint broken when using multiple modifications (#795766) +- fix: invalid order of TLS shutdown operations (#808464) +- fix: TLS error messages overwriting in tlsm_verify_cert() (#810462) +- fix: reading pin from file can make all TLS connections hang (#829317) +- CVE-2012-2668: cipher suite selection by name can be ignored (#825875) +- fix: slapd fails to start on reboot (#829272) +- fix: default 
cipher suite is always selected (#828790) +- fix: less influence between individual TLS contexts: + - replication with TLS does not work (#795763) + - possibly others + +* Fri May 18 2012 Jan Vcelak 2.4.31-2 +- fix: nss-tools package is required by the base package, not the server subpackage +- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536) + +* Tue Apr 24 2012 Jan Vcelak 2.4.31-1 +- new upstream release + + library: IPv6 url detection + + library: rebinding to failed connections + + server: various fixes in mdb backend + + server: various fixes in replication + + server: various fixes in overlays and minor backends + + documentation fixes +- remove patches which were merged upstream + +* Thu Apr 05 2012 Jan Vcelak 2.4.30-3 +- rebuild due to libdb rebase + +* Mon Mar 26 2012 Jan Synáček 2.4.30-2 +- fix: Re-binding to a failed connection can segfault (#784989) + +* Thu Mar 01 2012 Jan Vcelak 2.4.30-1 +- new upstream release + + server: fixes in mdb backend + + server: fixes in manual pages + + server: fixes in syncprov, syncrepl, and pcache +- removed patches which were merged upstream + +* Wed Feb 22 2012 Jan Vcelak 2.4.29-4 +- fix: missing options in manual pages of client tools (#796232) +- fix: SASL_NOCANON option missing in ldap.conf manual page (#732915) + +* Tue Feb 21 2012 Jan Vcelak 2.4.29-3 +- fix: ldap_result does not succeed for sssd (#771484) +- Jan Synáček : + + fix: count constraint broken when using multiple modifications (#795766) + +* Mon Feb 20 2012 Jan Vcelak 2.4.29-2 +- fix update: provide ldif2ldbm, not ldib2ldbm (#437104) +- Jan Synáček : + + unify systemctl binary paths throughout the specfile and make them usrmove compliant + + make path to chkconfig binary usrmove compliant + +* Wed Feb 15 2012 Jan Vcelak 2.4.29-1 +- new upstream release + + MozNSS fixes + + connection handling fixes + + server: buxfixes in mdb backend + + server: buxfixes in overlays (syncrepl, meta, monitor, perl, sql, dds, rwm) +- 
openldap-servers now provide ldib2ldbm (#437104) +- certificates management improvements + + create empty Mozilla NSS certificate database during installation + + enable builtin Root CA in generated database (#789088) + + generate server certificate using Mozilla NSS tools instead of OpenSSL tools + + fix: correct path to check-config.sh in service file (Jan Synáček ) +- temporarily disable certificates checking in check-config.sh script +- fix: check-config.sh get stuck when executing command as a ldap user + +* Tue Jan 31 2012 Jan Vcelak 2.4.28-3 +- fix: replication (syncrepl) with TLS causes segfault (#783431) +- fix: slapd segfaults when PEM certificate is used and key is not set (#772890) + +* Fri Jan 13 2012 Fedora Release Engineering - 2.4.28-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Wed Nov 30 2011 Jan Vcelak 2.4.28-1 +- new upstream release + + server: support for delta-syncrepl in multi master replication + + server: add experimental backend - MDB + + server: dynamic configuration for passwd, perl, shell, sock, and sql backends + + server: support passwords in APR1 + + library: support for Wahl (draft) + + a lot of bugfixes +- remove patches which were merged upstream +- compile backends as modules (except BDB, HDB, and monitor) +- reload systemd daemon after installation + +* Tue Nov 01 2011 Jan Vcelak 2.4.26-6 +- package cleanup: + + hardened build: switch from LDFLAGS to RPM macros + + remove old provides and obsoletes + + add new slapd maintainance scripts + + drop defattr macros, clean up permissions in specfile + + fix rpmlint warnings: macros in comments/changelog + + fix rpmlint warnings: non UTF-8 documentation + + rename environment file to be more consistent (ldap -> slapd) +- replace sysv initscript with systemd service file (# +- new format of environment file due to switch to systemd + (automatic conversion is performed) +- patch OpenLDAP to skip empty command line arguments + (arguments expansion in systemd 
works different than in shell) +- CVE-2011-4079: one-byte buffer overflow in slapd (#749324) + +* Thu Oct 06 2011 Jan Vcelak 2.4.26-5 +- rebuild: openldap does not work after libdb rebase (#743824) +- regression fix: openldap built without tcp_wrappers (#743213) + +* Wed Sep 21 2011 Jan Vcelak 2.4.26-4 +- new feature update: honor priority/weight with ldap_domain2hostlist (#733078) + +* Mon Sep 12 2011 Jan Vcelak 2.4.26-3 +- fix: SSL_ForceHandshake function is not thread safe (#701678) +- fix: allow unsetting of tls_* syncrepl options (#734187) + +* Wed Aug 24 2011 Jan Vcelak 2.4.26-2 +- security hardening: library needs partial RELRO support added (#733071) +- fix: NSS_Init* functions are not thread safe (#731112) +- fix: incorrect behavior of allow/try options of VerifyCert and TLS_REQCERT (#725819) +- fix: memleak - free the return of tlsm_find_and_verify_cert_key (#725818) +- fix: conversion of constraint overlay settings to cn=config is incorrect (#733067) +- fix: DDS overlay tolerance parametr doesn't function and breakes default TTL (#733069) +- manpage fix: errors in manual page slapo-unique (#733070) +- fix: matching wildcard hostnames in certificate Subject field does not work (#733073) +- new feature: honor priority/weight with ldap_domain2hostlist (#733078) +- manpage fix: wrong ldap_sync_destroy() prototype in ldap_sync(3) manpage (#717722) + +* Sun Aug 14 2011 Rex Dieter - 2.4.26-1.1 +- Rebuilt for rpm (#728707) + +* Wed Jul 20 2011 Jan Vcelak 2.4.26-1 +- rebase to new upstream release +- fix: memleak in tlsm_auth_cert_handler (#717730) + +* Mon Jun 27 2011 Jan Vcelak 2.4.25-1 +- rebase to new upstream release +- change default database type from BDB to HDB +- enable ldapi:/// interface by default +- set cn=config management ACLs for root user, SASL external schema (#712495) +- fix: server scriptlets require initscripts package (#716857) +- fix: connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT + is set to 'never' (#716854) +- fix: 
segmentation fault caused by double-free in ldapexop (#699683) +- fix: segmentation fault of client tool when input line in LDIF file + is splitted but indented incorrectly (#716855) +- fix: segmentation fault of client tool when LDIF input file is not terminated + by a new line character (#716858) + +* Fri Mar 18 2011 Jan Vcelak 2.4.24-2 +- new: system resource limiting for slapd using ulimit +- fix update: openldap can't use TLS after a fork() (#636956) +- fix: possible null pointer dereference in NSS implementation +- fix: openldap-servers upgrade hangs or do not upgrade the database (#664433) + +* Mon Feb 14 2011 Jan Vcelak 2.4.24-1 +- rebase to 2.4.24 +- BDB backend switch from DB4 to DB5 + +* Tue Feb 08 2011 Fedora Release Engineering - 2.4.23-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Feb 02 2011 Jan Vcelak 2.4.23-8 +- fix update: openldap can't use TLS after a fork() (#636956) + +* Tue Jan 25 2011 Jan Vcelak 2.4.23-7 +- fix: openldap can't use TLS after a fork() (#636956) +- fix: openldap-server upgrade gets stuck when the database is damaged (#664433) + +* Thu Jan 20 2011 Jan Vcelak 2.4.23-6 +- fix: some server certificates refused with inadequate type error (#668899) +- fix: default encryption strength dropped in switch to using NSS (#669446) +- systemd compatibility: add configuration file (#656647, #668223) + +* Thu Jan 06 2011 Jan Vcelak 2.4.23-5 +- initscript: slaptest with '-u' to skip database opening (#667768) +- removed slurpd options from sysconfig/ldap +- fix: verification of self issued certificates (#657984) + +* Mon Nov 22 2010 Jan Vcelak 2.4.23-4 +- Mozilla NSS - implement full non-blocking semantics + ldapsearch -Z hangs server if starttls fails (#652822) +- updated list of all overlays in slapd.conf (#655899) +- fix database upgrade process (#656257) + +* Thu Nov 18 2010 Jan Vcelak 2.4.23-3 +- add support for multiple prefixed Mozilla NSS database files in TLS_CACERTDIR +- reject non-file keyfiles in 
TLS_CACERTDIR (#652315) +- TLS_CACERTDIR precedence over TLS_CACERT (#652304) +- accept only files in hash.0 format in TLS_CACERTDIR (#650288) +- improve SSL/TLS trace messages (#652818) + +* Mon Nov 01 2010 Jan Vcelak 2.4.23-2 +- fix possible infinite loop when checking permissions of TLS files (#641946) +- removed outdated autofs.schema (#643045) +- removed outdated README.upgrade +- removed relics of migrationtools + +* Fri Aug 27 2010 Jan Vcelak 2.4.23-1 +- rebase to 2.4.23 +- embeded db4 library removed +- removed bogus links in "SEE ALSO" in several man-pages (#624616) + +* Thu Jul 22 2010 Jan Vcelak 2.4.22-7 +- Mozilla NSS - delay token auth until needed (#616552) +- Mozilla NSS - support use of self signed CA certs as server certs (#614545) + +* Tue Jul 20 2010 Jan Vcelak - 2.4.22-6 +- CVE-2010-0211 openldap: modrdn processing uninitialized pointer free (#605448) +- CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference (#605452) +- obsolete configuration file moved to /usr/share/openldap-servers (#612602) + +* Thu Jul 01 2010 Jan Zeleny - 2.4.22-5 +- another shot at previous fix + +* Thu Jul 01 2010 Jan Zeleny - 2.4.22-4 +- fixed issue with owner of /usr/lib/ldap/__db.* (#609523) + +* Thu Jun 3 2010 Rich Megginson - 2.4.22-3 +- added ldif.h to the public api in the devel package +- added -lldif to the public api +- added HAVE_MOZNSS and other flags to use Mozilla NSS for crypto + +* Tue May 18 2010 Jan Zeleny - 2.4.22-2 +- rebuild with connectionless support (#587722) +- updated autofs schema (#584808) + +* Tue May 04 2010 Jan Zeleny - 2.4.22-1 +- rebased to 2.4.22 (mostly bugfixes, added back-ldif, back-null testing support) +- due to some possible issues pointed out in last update testing phase, I'm + pulling back the last change (slapd can't be moved since it depends on /usr + possibly mounted from network) + +* Fri Mar 19 2010 Jan Zeleny - 2.4.21-6 +- moved slapd to start earlier during boot sequence + +* Tue Mar 16 2010 
Jan Zeleny - 2.4.21-5 +- minor corrections of init script (#571235, #570057, #573804) + +* Wed Feb 24 2010 Jan Zeleny - 2.4.21-4 +- fixed SIGSEGV when deleting data using hdb (#562227) + +* Mon Feb 01 2010 Jan Zeleny - 2.4.21-3 +- fixed broken link /usr/sbin/slapschema (#559873) + +* Tue Jan 19 2010 Jan Zeleny - 2.4.21-2 +- removed some static libraries from openldap-devel (#556090) + +* Mon Jan 11 2010 Jan Zeleny - 2.4.21-1 +- rebased openldap to 2.4.21 +- rebased bdb to 4.8.26 + +* Mon Nov 23 2009 Jan Zeleny - 2.4.19-3 +- minor corrections in init script + +* Mon Nov 16 2009 Jan Zeleny - 2.4.19-2 +- fixed tls connection accepting when TLSVerifyClient = allow +- /etc/openldap/ldap.conf removed from files owned by openldap-servers +- minor changes in spec file to supress warnings +- some changes in init script, so it would be possible to use it when + using old configuration style + +* Fri Nov 06 2009 Jan Zeleny - 2.4.19-1 +- rebased openldap to 2.4.19 +- rebased bdb to 4.8.24 + +* Wed Oct 07 2009 Jan Zeleny 2.4.18-4 +- updated smbk5pwd patch to be linked with libldap (#526500) +- the last buffer overflow patch replaced with the one from upstream +- added /etc/openldap/slapd.d and /etc/openldap/slapd.conf.bak + to files owned by openldap-servers + +* Thu Sep 24 2009 Jan Zeleny 2.4.18-3 +- cleanup of previous patch fixing buffer overflow + +* Tue Sep 22 2009 Jan Zeleny 2.4.18-2 +- changed configuration approach. 
Instead od slapd.conf slapd + is using slapd.d directory now +- fix of some issues caused by renaming of init script +- fix of buffer overflow issue in ldif.c pointed out by new glibc + +* Fri Sep 18 2009 Jan Zeleny 2.4.18-1 +- rebase of openldap to 2.4.18 + +* Wed Sep 16 2009 Jan Zeleny 2.4.16-7 +- updated documentation (hashing the cacert dir) + +* Wed Sep 16 2009 Jan Zeleny 2.4.16-6 +- updated init script to be LSB-compliant (#523434) +- init script renamed to slapd + +* Thu Aug 27 2009 Tomas Mraz - 2.4.16-5 +- rebuilt with new openssl + +* Tue Aug 25 2009 Jan Zeleny 2.4.16-4 +- updated %%pre script to correctly install openldap group + +* Sat Jul 25 2009 Fedora Release Engineering - 2.4.16-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 01 2009 Jan Zeleny 2.4.16-1 +- rebase of openldap to 2.4.16 +- fixed minor issue in spec file (output looking interactive + when installing servers) + +* Tue Jun 09 2009 Jan Zeleny 2.4.15-4 +- added $SLAPD_URLS variable to init script (#504504) + +* Thu Apr 09 2009 Jan Zeleny 2.4.15-3 +- extended previous patch (#481310) to remove options cfMP + from some client tools +- correction of patch setugid (#494330) + +* Thu Mar 26 2009 Jan Zeleny 2.4.15-2 +- removed -f option from some client tools (#481310) + +* Wed Feb 25 2009 Jan Safranek 2.4.15-1 +- new upstream release + +* Tue Feb 17 2009 Jan Safranek 2.4.14-1 +- new upstream release +- upgraded to db-4.7.25 + +* Sat Jan 17 2009 Tomas Mraz 2.4.12-3 +- rebuild with new openssl + +* Mon Dec 15 2008 Caolán McNamara 2.4.12-2 +- rebuild for libltdl, i.e. 
copy config.sub|guess from new location + +* Wed Oct 15 2008 Jan Safranek 2.4.12-1 +- new upstream release + +* Mon Oct 13 2008 Jan Safranek 2.4.11-3 +- add SLAPD_SHUTDOWN_TIMEOUT to /etc/sysconfig/ldap, allowing admins + to set non-default slapd shutdown timeout +- add checkpoint to default slapd.conf file (#458679) + +* Mon Sep 1 2008 Jan Safranek 2.4.11-2 +- provide ldif2ldbm functionality for migrationtools +- rediff all patches to get rid of patch fuzz + +* Mon Jul 21 2008 Jan Safranek 2.4.11-1 +- new upstream release +- apply official bdb-4.6.21 patches + +* Wed Jul 2 2008 Jan Safranek 2.4.10-2 +- fix CVE-2008-2952 (#453728) + +* Thu Jun 12 2008 Jan Safranek 2.4.10-1 +- new upstream release + +* Wed May 28 2008 Jan Safranek 2.4.9-5 +- use /sbin/nologin as shell of ldap user (#447919) + +* Tue May 13 2008 Jan Safranek 2.4.9-4 +- new upstream release +- removed unnecessary MigrationTools patches + +* Thu Apr 10 2008 Jan Safranek 2.4.8-4 +- bdb upgraded to 4.6.21 +- reworked upgrade logic again to run db_upgrade when bdb version + changes + +* Wed Mar 5 2008 Jan Safranek 2.4.8-3 +- reworked the upgrade logic, slapcat/slapadd of the whole database + is needed only if minor version changes (2.3.x -> 2.4.y) +- do not try to save database in LDIF format, if openldap-servers package + is being removed (it's up to the admin to do so manually) + +* Thu Feb 28 2008 Jan Safranek 2.4.8-2 +- migration tools carved out to standalone package "migrationtools" + (#236697) + +* Fri Feb 22 2008 Jan Safranek 2.4.8-1 +- new upstream release + +* Fri Feb 8 2008 Jan Safranek 2.4.7-7 +- fix CVE-2008-0658 (#432014) + +* Mon Jan 28 2008 Jan Safranek 2.4.7-6 +- init script fixes + +* Mon Jan 28 2008 Jan Safranek 2.4.7-5 +- init script made LSB-compliant (#247012) + +* Fri Jan 25 2008 Jan Safranek 2.4.7-4 +- fixed rpmlint warnings and errors + - /etc/openldap/schema/README moved to /usr/share/doc/openldap + +* Tue Jan 22 2008 Jan Safranek 2.4.7-3 +- obsoleting compat-openldap properly 
again :) + +* Tue Jan 22 2008 Jan Safranek 2.4.7-2 +- obsoleting compat-openldap properly (#429591) + +* Mon Jan 14 2008 Jan Safranek 2.4.7-1 +- new upstream version (openldap-2.4.7) + +* Mon Dec 3 2007 Jan Safranek 2.4.6-1 +- new upstream version (openldap-2.4) +- deprecating compat- package + +* Mon Nov 5 2007 Jan Safranek 2.3.39-1 +- new upstream release + +* Tue Oct 23 2007 Jan Safranek 2.3.38-4 +- fixed multilib issues - all platform independent files have the + same content now (#342791) + +* Thu Oct 4 2007 Jan Safranek 2.3.38-3 +- BDB downgraded back to 4.4.20 because 4.6.18 is not supported by + openldap (#314821) + +* Mon Sep 17 2007 Jan Safranek 2.3.38-2 +- skeleton /etc/sysconfig/ldap added +- new SLAPD_LDAP option to turn off listening on ldap:/// (#292591) +- fixed checking of SSL (#292611) +- fixed upgrade with empty database + +* Thu Sep 6 2007 Jan Safranek 2.3.38-1 +- new upstream version +- added images to the guide.html (#273581) + +* Wed Aug 22 2007 Jan Safranek 2.3.37-3 +- just rebuild + +* Thu Aug 2 2007 Jan Safranek 2.3.37-2 +- do not use specific automake and autoconf +- do not distinguish between NPTL and non-NPTL platforms, we have NPTL + everywhere +- db-4.6.18 integrated +- updated openldap-servers License: field to reference BDB license + +* Tue Jul 31 2007 Jan Safranek 2.3.37-1 +- new upstream version + +* Fri Jul 20 2007 Jan Safranek 2.3.34-7 +- MigrationTools-47 integrated + +* Wed Jul 4 2007 Jan Safranek 2.3.34-6 +- fix compat-slapcat compilation. 
Now it can be found in + /usr/lib/compat-openldap/slapcat, because the tool checks argv[0] + (#246581) + +* Fri Jun 29 2007 Jan Safranek 2.3.34-5 +- smbk5pwd added (#220895) +- correctly distribute modules between servers and servers-sql packages + +* Mon Jun 25 2007 Jan Safranek 2.3.34-4 +- Fix initscript return codes (#242667) +- Provide overlays (as modules; #246036, #245896) +- Add available modules to config file + +* Tue May 22 2007 Jan Safranek 2.3.34-3 +- do not create script in /tmp on startup (bz#188298) +- add compat-slapcat to openldap-compat (bz#179378) +- do not import ddp services with migrate_services.pl + (bz#201183) +- sort the hosts by adders, preventing duplicities + in migrate*nis*.pl (bz#201540) +- start slupd for each replicated database (bz#210155) +- add ldconfig to devel post/postun (bz#240253) +- include misc.schema in default slapd.conf (bz#147805) + +* Mon Apr 23 2007 Jan Safranek 2.3.34-2 +- slapadd during package update is now quiet (bz#224581) +- use _localstatedir instead of var/ during build (bz#220970) +- bind-libbind-devel removed from BuildRequires (bz#216851) +- slaptest is now quiet during service ldap start, if + there is no error/warning (bz#143697) +- libldap_r.so now links with pthread (bz#198226) +- do not strip binaries to produce correct .debuginfo packages + (bz#152516) + +* Mon Feb 19 2007 Jay Fenlason 2.3.34-1 +- New upstream release +- Upgrade the scripts for migrating the database so that they might + actually work. 
+- change bind-libbind-devel to bind-devel in BuildPreReq + +* Mon Dec 4 2006 Thomas Woerner 2.3.30-1.1 +- tcp_wrappers has a new devel and libs sub package, therefore changing build + requirement for tcp_wrappers to tcp_wrappers-devel + +* Wed Nov 15 2006 Jay Fenlason 2.3.30-1 +- New upstream version + +* Wed Oct 25 2006 Jay Fenlason 2.3.28-1 +- New upstream version + +* Sun Oct 01 2006 Jesse Keating - 2.3.27-4 +- rebuilt for unwind info generation, broken in gcc-4.1.1-21 + +* Mon Sep 18 2006 Jay Fenlason 2.3.27-3 +- Include --enable-multimaster to close + bz#185821: adding slapd_multimaster to the configure options +- Upgade guide.html to the correct one for openladp-2.3.27, closing + bz#190383: openldap 2.3 packages contain the administrator's guide for 2.2 +- Remove the quotes from around the slaptestflags in ldap.init + This closes one part of + bz#204593: service ldap fails after having added entries to ldap +- include __db.* in the list of files to check ownership of in + ldap.init, as suggested in + bz#199322: RFE: perform cleanup in ldap.init + +* Fri Aug 25 2006 Jay Fenlason 2.3.27-2 +- New upstream release +- Include the gethostbyname_r patch so that nss_ldap won't hang + on recursive attemts to ldap_initialize. + +* Wed Jul 12 2006 Jesse Keating - 2.3.24-2.1 +- rebuild + +* Wed Jun 7 2006 Jay Fenlason 2.3.24-2 +- New upstream version + +* Thu Apr 27 2006 Jay Fenlason 2.3.21-2 +- Upgrade to 2.3.21 +- Add two upstream patches for db-4.4.20 + +* Mon Feb 13 2006 Jay Fenlason 2.3.19-4 +- Re-fix ldap.init + +* Fri Feb 10 2006 Jesse Keating - 2.3.19-3.1 +- bump again for double-long bug on ppc(64) + +* Thu Feb 9 2006 Jay Fenlason 2.3.19-3 +- Modify the ldap.init script to call runuser correctly. 
+ +* Tue Feb 07 2006 Jesse Keating - 2.3.19-2.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Tue Jan 10 2006 Jay Fenlason 2.3.19-2 +- Upgrade to 2.3.19, which upstream now considers stable +- Modify the -config.patch, ldap.init, and this spec file to put the + pid file and args file in an ldap-owned openldap subdirectory under + /var/run. +- Move back_sql* out of _sbindir/openldap , which requires + hand-moving slapd and slurpd to _sbindir, and recreating symlinks + by hand. +- Retire openldap-2.3.11-ads.patch, which went upstream. +- Update the ldap.init script to run slaptest as the ldap user rather + than as root. This solves + bz#150172 Startup failure after database problem +- Add to the servers post and preun scriptlets so that on preun, the + database is slapcatted to /var/lib/ldap/upgrade.ldif and the + database files are saved to /var/lib/ldap/rpmorig. On post, if + /var/lib/ldap/upgrade.ldif exists, it is slapadded. This means that + on upgrades from 2.3.16-2 to higher versions, the database files may + be automatically upgraded. Unfortunatly, because of the changes to + the preun scriptlet, users have to do the slapcat, etc by hand when + upgrading to 2.3.16-2. Also note that the /var/lib/ldap/rpmorig + files need to be removed by hand because automatically removing your + emergency fallback files is a bad idea. +- Upgrade internal bdb to db-4.4.20. For a clean upgrade, this will + require that users slapcat their databases into a temp file, move + /var/lib/ldap someplace safe, upgrade the openldap rpms, then + slapadd the temp file. + + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Mon Nov 21 2005 Jay Fenlason 2.3.11-3 +- Remove Requires: cyrus-sasl and cyrus-sasl-md5 from openldap- and + compat-openldap- to close + bz#173313 Remove exlicit 'Requires: cyrus-sasl" + 'Requires: cyrus-sasl-md5' + +* Thu Nov 10 2005 Jay Fenlason 2.3.11-2 +- Upgrade to 2.3.11, which upstream now considers stable. 
+- Switch compat-openldap to 2.2.29 +- remove references to nss_ldap_build from the spec file +- remove references to 2.0 and 2.1 from the spec file. +- reorganize the build() function slightly in the spec file to limit the + number of redundant and conflicting options passedto configure. +- Remove the attempt to hardlink ldapmodify and ldapadd together, since + the current make install make ldapadd a symlink to ldapmodify. +- Include the -ads patches to allow SASL binds to an Active Directory + server to work. Nalin wrote the patch, based on my + broken first attempt. + +* Thu Nov 10 2005 Tomas Mraz 2.2.29-3 +- rebuilt against new openssl + +* Mon Oct 10 2005 Jay Fenlason 2.2.29-2 +- New upstream version. + +* Thu Sep 29 2005 Jay Fenlason 2.2.28-2 +- Upgrade to nev upstream version. This makes the 2.2.*-hop patch obsolete. + +* Mon Aug 22 2005 Jay Fenlason 2.2.26-2 +- Move the slapd.pem file to /etc/pki/tls/certs + and edit the -config patch to match to close + bz#143393 Creates certificates + keys at an insecure/bad place +- also use _sysconfdir instead of hard-coding /etc + +* Thu Aug 11 2005 Jay Fenlason +- Add the tls-fix-connection-test patch to close + bz#161991 openldap password disclosure issue +- add the hop patches to prevent infinite looping when chasing referrals. 
+ OpenLDAP ITS #3578 + +* Fri Aug 5 2005 Nalin Dahyabhai +- fix typo in ldap.init (call $klist instead of klist, from Charles Lopes) + +* Thu May 19 2005 Nalin Dahyabhai 2.2.26-1 +- run slaptest with the -u flag if no id2entry db files are found, because + you can't check for read-write access to a non-existent database (#156787) +- add _sysconfdir/openldap/cacerts, which authconfig sets as the + TLS_CACERTDIR path in /etc/openldap/ldap.conf now +- use a temporary wrapper script to launch slapd, in case we have arguments + with embedded whitespace (#158111) + +* Wed May 4 2005 Nalin Dahyabhai +- update to 2.2.26 (stable 20050429) +- enable the lmpasswd scheme +- print a warning if slaptest fails, slaptest -u succeeds, and one of the + directories listed as the storage location for a given suffix in slapd.conf + contains a readable file named __db.001 (#118678) + +* Tue Apr 26 2005 Nalin Dahyabhai 2.2.25-1 +- update to 2.2.25 (release) + +* Tue Apr 26 2005 Nalin Dahyabhai 2.2.24-1 +- update to 2.2.24 (stable 20050318) +- export KRB5_KTNAME in the init script, in case it was set in the sysconfig + file but not exported + +* Tue Mar 1 2005 Nalin Dahyabhai 2.2.23-4 +- prefer libresolv to libbind + +* Tue Mar 1 2005 Nalin Dahyabhai 2.2.23-3 +- add bind-libbind-devel and libtool-ltdl-devel buildprereqs + +* Tue Mar 1 2005 Tomas Mraz 2.2.23-2 +- rebuild with openssl-0.9.7e + +* Mon Jan 31 2005 Nalin Dahyabhai 2.2.23-1 +- update to 2.2.23 (stable-20050125) +- update notes on upgrading from earlier versions +- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files + +* Tue Jan 4 2005 Nalin Dahyabhai 2.2.20-1 +- update to 2.2.20 (stable-20050103) +- warn about unreadable krb5 keytab files containing "ldap" keys +- warn about unreadable TLS-related files +- own a ref to subdirectories which we create under _libdir/tls + +* Tue Nov 2 2004 Nalin Dahyabhai 2.2.17-0 +- rebuild + +* Thu Sep 30 2004 Nalin Dahyabhai +- update to 2.2.17 (stable-20040923) (#135188) +- 
move nptl libraries into arch-specific subdirectories on x86 boxes
+- require a newer glibc which can provide nptl libpthread on i486/i586
+
+* Tue Aug 24 2004 Nalin Dahyabhai
+- move slapd startup to earlier in the boot sequence (#103160)
+- update to 2.2.15 (stable-20040822)
+- change version number on compat-openldap to include the non-compat version
+ from which it's compiled, otherwise would have to start 2.2.15 at release 3
+ so that it upgrades correctly
+
+* Thu Aug 19 2004 Nalin Dahyabhai 2.2.13-2
+- build a separate, static set of libraries for openldap-devel with the
+ non-standard ntlm bind patch applied, for use by the evolution-connector
+ package (#125579), and installing them under
+ evolution_connector_prefix)
+- provide openldap-evolution-devel = version-release in openldap-devel
+ so that evolution-connector's source package can require a version of
+ openldap-devel which provides what it wants
+
+* Mon Jul 26 2004 Nalin Dahyabhai
+- update administrator guide
+
+* Wed Jun 16 2004 Nalin Dahyabhai 2.2.13-1
+- add compat-openldap subpackage
+- default to bdb, as upstream does, gambling that we're only going to be
+ on systems with nptl now
+
+* Tue Jun 15 2004 Nalin Dahyabhai 2.2.13-0
+- preliminary 2.2.13 update
+- move ucdata to the -servers subpackage where it belongs
+
+* Tue Jun 15 2004 Nalin Dahyabhai 2.1.30-1
+- build experimental sql backend as a loadable module
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Tue May 18 2004 Nalin Dahyabhai 2.1.30-0
+- update to 2.1.30
+
+* Thu May 13 2004 Thomas Woerner 2.1.29-3
+- removed rpath
+- added pie patch: slapd and slurpd are now pie
+- requires libtool >= 1.5.6-2 (PIC libltdl.a)
+
+* Fri Apr 16 2004 Nalin Dahyabhai 2.1.29-2
+- move rfc documentation from main to -devel (#121025)
+
+* Wed Apr 14 2004 Nalin Dahyabhai 2.1.29-1
+- rebuild
+
+* Tue Apr 6 2004 Nalin Dahyabhai 2.1.29-0
+- update to 2.1.29 (stable 20040329)
+
+* Mon Mar 29 2004 Nalin Dahyabhai
+- don't build servers with --with-kpasswd, that option hasn't been recognized
+ since 2.1.23
+
+* Tue Mar 02 2004 Elliot Lee 2.1.25-5.1
+- rebuilt
+
+* Mon Feb 23 2004 Tim Waugh 2.1.25-5
+- Use ':' instead of '.' as separator for chown.
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Tue Feb 10 2004 Nalin Dahyabhai 2.1.25-4
+- remove 'reload' from the init script -- it never worked as intended (#115310)
+
+* Wed Feb 4 2004 Nalin Dahyabhai 2.1.25-3
+- commit that last fix correctly this time
+
+* Tue Feb 3 2004 Nalin Dahyabhai 2.1.25-2
+- fix incorrect use of find when attempting to detect a common permissions
+ error in the init script (#114866)
+
+* Fri Jan 16 2004 Nalin Dahyabhai
+- add bug fix patch for DB 4.2.52
+
+* Thu Jan 8 2004 Nalin Dahyabhai 2.1.25-1
+- change logging facility used from daemon to local4 (#112730, reversing #11047)
+ BEHAVIOR CHANGE - SHOULD BE MENTIONED IN THE RELEASE NOTES.
+
+* Wed Jan 7 2004 Nalin Dahyabhai
+- incorporate fix for logic quasi-bug in slapd's SASL auxprop code (Dave Jones)
+
+* Thu Dec 18 2003 Nalin Dahyabhai
+- update to 2.1.25, now marked STABLE
+
+* Thu Dec 11 2003 Jeff Johnson 2.1.22-9
+- update to db-4.2.52.
+
+* Thu Oct 23 2003 Nalin Dahyabhai 2.1.22-8
+- add another section to the ABI note for the TLS libdb so that it's marked as
+ not needing an executable stack (from Arjan Van de Ven)
+
+* Thu Oct 16 2003 Nalin Dahyabhai 2.1.22-7
+- force bundled libdb to not use O_DIRECT by making it forget that we have it
+
+* Wed Oct 15 2003 Nalin Dahyabhai
+- build bundled libdb for slapd dynamically to make the package smaller,
+ among other things
+- on tls-capable arches, build libdb both with and without shared posix
+ mutexes, otherwise just without
+- disable posix mutexes unconditionally for db 4.0, which shouldn't need
+ them for the migration cases where it's used
+- update to MigrationTools 45
+
+* Thu Sep 25 2003 Jeff Johnson 2.1.22-6.1
+- upgrade db-4.1.25 to db-4.2.42.
+
+* Fri Sep 12 2003 Nalin Dahyabhai 2.1.22-6
+- drop rfc822-MailMember.schema, merged into upstream misc.schema at some point
+
+* Wed Aug 27 2003 Nalin Dahyabhai
+- actually require newer libtool, as was intended back in 2.1.22-0, noted as
+ missed by Jim Richardson
+
+* Fri Jul 25 2003 Nalin Dahyabhai 2.1.22-5
+- enable rlookups, they don't cost anything unless also enabled in slapd's
+ configuration file
+
+* Tue Jul 22 2003 Nalin Dahyabhai 2.1.22-4
+- rebuild
+
+* Thu Jul 17 2003 Nalin Dahyabhai 2.1.22-3
+- rebuild
+
+* Wed Jul 16 2003 Nalin Dahyabhai 2.1.22-2
+- rebuild
+
+* Tue Jul 15 2003 Nalin Dahyabhai 2.1.22-1
+- build
+
+* Mon Jul 14 2003 Nalin Dahyabhai 2.1.22-0
+- 2.1.22 now badged stable
+- be more aggressive in what we index by default
+- use/require libtool 1.5
+
+* Mon Jun 30 2003 Nalin Dahyabhai
+- update to 2.1.22
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Tue Jun 3 2003 Nalin Dahyabhai 2.1.21-1
+- update to 2.1.21
+- enable ldap, meta, monitor, null, rewrite in slapd
+
+* Mon May 19 2003 Nalin Dahyabhai 2.1.20-1
+- update to 2.1.20
+
+* Thu May 8 2003 Nalin Dahyabhai 2.1.19-1
+- update to 2.1.19
+
+* Mon May 5 2003 Nalin Dahyabhai 2.1.17-1
+- switch to db with crypto
+
+* Fri May 2 2003 Nalin Dahyabhai
+- install the db utils for the bundled libdb as %%{_sbindir}/slapd_db_*
+- install slapcat/slapadd from 2.0.x for migration purposes
+
+* Wed Apr 30 2003 Nalin Dahyabhai
+- update to 2.1.17
+- disable the shell backend, not expected to work well with threads
+- drop the kerberosSecurityObject schema, the krbName attribute it
+ contains is only used if slapd is built with v2 kbind support
+
+* Mon Feb 10 2003 Nalin Dahyabhai 2.0.27-8
+- back down to db 4.0.x, which 2.0.x can compile with in ldbm-over-db setups
+- tweak SuSE patch to fix a few copy-paste errors and a NULL dereference
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Tue Jan 7 2003 Nalin Dahyabhai 2.0.27-6
+- rebuild
+
+* Mon Dec 16 2002 Nalin Dahyabhai 2.0.27-5
+- rebuild
+
+* Fri Dec 13 2002 Nalin Dahyabhai 2.0.27-4
+- check for setgid as well
+
+* Thu Dec 12 2002 Nalin Dahyabhai 2.0.27-3
+- rebuild
+
+* Thu Dec 12 2002 Nalin Dahyabhai
+- incorporate fixes from SuSE's security audit, except for fixes to ITS 1963,
+ 1936, 2007, 2009, which were included in 2.0.26.
+- add two more patches for db 4.1.24 from sleepycat's updates page
+- use openssl pkgconfig data, if any is available
+
+* Mon Nov 11 2002 Nalin Dahyabhai 2.0.27-2
+- add patches for db 4.1.24 from sleepycat's updates page
+
+* Mon Nov 4 2002 Nalin Dahyabhai
+- add a sample TLSCACertificateFile directive to the default slapd.conf
+
+* Tue Sep 24 2002 Nalin Dahyabhai 2.0.27-1
+- update to 2.0.27
+
+* Fri Sep 20 2002 Nalin Dahyabhai 2.0.26-1
+- update to 2.0.26, db 4.1.24.NC
+
+* Fri Sep 13 2002 Nalin Dahyabhai 2.0.25-2
+- change LD_FLAGS to refer to /usr/kerberos/_libdir instead of
+ /usr/kerberos/lib, which might not be right on some arches
+
+* Mon Aug 26 2002 Nalin Dahyabhai 2.0.25-1
+- update to 2.0.25 "stable", ldbm-over-gdbm (putting off migration of LDBM
+ slapd databases until we move to 2.1.x)
+- use %%{_smp_mflags} when running make
+- update to MigrationTools 44
+- enable dynamic module support in slapd
+
+* Thu May 16 2002 Nalin Dahyabhai 2.0.23-5
+- rebuild in new environment
+
+* Wed Feb 20 2002 Nalin Dahyabhai 2.0.23-3
+- use the gdbm backend again
+
+* Mon Feb 18 2002 Nalin Dahyabhai 2.0.23-2
+- make slapd.conf read/write by root, read by ldap
+
+* Sun Feb 17 2002 Nalin Dahyabhai
+- fix corner case in sendbuf fix
+- 2.0.23 now marked "stable"
+
+* Tue Feb 12 2002 Nalin Dahyabhai 2.0.23-1
+- update to 2.0.23
+
+* Fri Feb 8 2002 Nalin Dahyabhai 2.0.22-2
+- switch to an internalized Berkeley DB as the ldbm back-end (NOTE: this breaks
+ access to existing on-disk directory data)
+- add slapcat/slapadd with gdbm for migration purposes
+- remove Kerberos dependency in client libs (the direct Kerberos dependency
+ is used by the server for checking {kerberos} passwords)
+
+* Fri Feb 1 2002 Nalin Dahyabhai 2.0.22-1
+- update to 2.0.22
+
+* Sat Jan 26 2002 Florian La Roche 2.0.21-5
+- prereq chkconfig for server subpackage
+
+* Fri Jan 25 2002 Nalin Dahyabhai 2.0.21-4
+- update migration tools to version 40
+
+* Wed Jan 23 2002 Nalin Dahyabhai 2.0.21-3
+- free ride through the build system
+
+* Wed Jan 16 2002 Nalin Dahyabhai 2.0.21-2
+- update to 2.0.21, now earmarked as STABLE
+
+* Wed Jan 16 2002 Nalin Dahyabhai 2.0.20-2
+- temporarily disable optimizations for ia64 arches
+- specify pthreads at configure-time instead of letting configure guess
+
+* Mon Jan 14 2002 Nalin Dahyabhai
+- and one for Raw Hide
+
+* Mon Jan 14 2002 Nalin Dahyabhai 2.0.20-0.7
+- build for RHL 7/7.1
+
+* Mon Jan 14 2002 Nalin Dahyabhai 2.0.20-1
+- update to 2.0.20 (security errata)
+
+* Thu Dec 20 2001 Nalin Dahyabhai 2.0.19-1
+- update to 2.0.19
+
+* Tue Nov 6 2001 Nalin Dahyabhai 2.0.18-2
+- fix the commented-out replication example in slapd.conf
+
+* Fri Oct 26 2001 Nalin Dahyabhai 2.0.18-1
+- update to 2.0.18
+
+* Mon Oct 15 2001 Nalin Dahyabhai 2.0.17-1
+- update to 2.0.17
+
+* Wed Oct 10 2001 Nalin Dahyabhai
+- disable kbind support (deprecated, and I suspect unused)
+- configure with --with-kerberos=k5only instead of --with-kerberos=k5
+- build slapd with threads
+
+* Thu Sep 27 2001 Nalin Dahyabhai 2.0.15-2
+- rebuild, 2.0.15 is now designated stable
+
+* Fri Sep 21 2001 Nalin Dahyabhai 2.0.15-1
+- update to 2.0.15
+
+* Mon Sep 10 2001 Nalin Dahyabhai 2.0.14-1
+- update to 2.0.14
+
+* Fri Aug 31 2001 Nalin Dahyabhai 2.0.12-1
+- update to 2.0.12 to pull in fixes for setting of default TLS options, among
+ other things
+- update to migration tools 39
+- drop tls patch, which was fixed better in this release
+
+* Tue Aug 21 2001 Nalin Dahyabhai 2.0.11-13
+- install saucer correctly
+
+* Thu Aug 16 2001 Nalin Dahyabhai
+- try to fix ldap_set_options not being able to set global options related
+ to TLS correctly
+
+* Thu Aug 9 2001 Nalin Dahyabhai
+- don't attempt to create a cert at install-time, it's usually going
+ to get the wrong CN (#51352)
+
+* Mon Aug 6 2001 Nalin Dahyabhai
+- add a build-time requirement on pam-devel
+- add a build-time requirement on a sufficiently-new libtool to link
+ shared libraries to other shared libraries (which is needed in order
+ for prelinking to work)
+
+* Fri Aug 3 2001 Nalin Dahyabhai
+- require cyrus-sasl-md5 (support for DIGEST-MD5 is required for RFC
+ compliance) by name (follows from #43079, which split cyrus-sasl's
+ cram-md5 and digest-md5 modules out into cyrus-sasl-md5)
+
+* Fri Jul 20 2001 Nalin Dahyabhai
+- enable passwd back-end (noted by Alan Sparks and Sergio Kessler)
+
+* Wed Jul 18 2001 Nalin Dahyabhai
+- start to prep for errata release
+
+* Fri Jul 6 2001 Nalin Dahyabhai
+- link libldap with liblber
+
+* Wed Jul 4 2001 Than Ngo 2.0.11-6
+- add symlink liblber.so libldap.so and libldap_r.so in /usr/lib
+
+* Tue Jul 3 2001 Nalin Dahyabhai
+- move shared libraries to /lib
+- redo init script for better internationalization (#26154)
+- don't use ldaprc files in the current directory (#38402) (patch from
+ hps@intermeta.de)
+- add BuildPrereq on tcp wrappers since we configure with
+ --enable-wrappers (#43707)
+- don't overflow debug buffer in mail500 (#41751)
+- don't call krb5_free_creds instead of krb5_free_cred_contents any
+ more (#43159)
+
+* Mon Jul 2 2001 Nalin Dahyabhai
+- make config files noreplace (#42831)
+
+* Tue Jun 26 2001 Nalin Dahyabhai
+- actually change the default config to use the dummy cert
+- update to MigrationTools 38
+
+* Mon Jun 25 2001 Nalin Dahyabhai
+- build dummy certificate in %%post, use it in default config
+- configure-time shenanigans to help a confused configure script
+
+* Wed Jun 20 2001 Nalin Dahyabhai
+- tweak migrate_automount and friends so that they can be run from anywhere
+
+* Thu May 24 2001 Nalin Dahyabhai
+- update to 2.0.11
+
+* Wed May 23 2001 Nalin Dahyabhai
+- update to 2.0.10
+
+* Mon May 21 2001 Nalin Dahyabhai
+- update to 2.0.9
+
+* Tue May 15 2001 Nalin Dahyabhai
+- update to 2.0.8
+- drop patch which came from upstream
+
+* Fri Mar 2 2001 Nalin Dahyabhai
+- rebuild in new environment
+
+* Thu Feb 8 2001 Nalin Dahyabhai
+- back out pidfile patches, which interact weirdly with Linux threads
+- mark non-standard schema as such by moving them to a different directory
+
+* Mon Feb 5 2001 Nalin Dahyabhai
+- update to MigrationTools 36, adds netgroup support
+
+* Mon Jan 29 2001 Nalin Dahyabhai
+- fix thinko in that last patch
+
+* Thu Jan 25 2001 Nalin Dahyabhai
+- try to work around some buffering problems
+
+* Tue Jan 23 2001 Nalin Dahyabhai
+- gettextize the init script
+
+* Thu Jan 18 2001 Nalin Dahyabhai
+- gettextize the init script
+
+* Fri Jan 12 2001 Nalin Dahyabhai
+- move the RFCs to the base package (#21701)
+- update to MigrationTools 34
+
+* Wed Jan 10 2001 Nalin Dahyabhai
+- add support for additional OPTIONS, SLAPD_OPTIONS, and SLURPD_OPTIONS in
+ a /etc/sysconfig/ldap file (#23549)
+
+* Fri Dec 29 2000 Nalin Dahyabhai
+- change automount object OID from 1.3.6.1.1.1.2.9 to 1.3.6.1.1.1.2.13,
+ per mail from the ldap-nis mailing list
+
+* Tue Dec 5 2000 Nalin Dahyabhai
+- force -fPIC so that shared libraries don't fall over
+
+* Mon Dec 4 2000 Nalin Dahyabhai
+- add Norbert Klasen's patch (via Del) to fix searches using ldaps URLs
+ (OpenLDAP ITS #889)
+- add "-h ldaps:///" to server init when TLS is enabled, in order to support
+ ldaps in addition to the regular STARTTLS (suggested by Del)
+
+* Mon Nov 27 2000 Nalin Dahyabhai
+- correct mismatched-dn-cn bug in migrate_automount.pl
+
+* Mon Nov 20 2000 Nalin Dahyabhai
+- update to the correct OIDs for automount and automountInformation
+- add notes on upgrading
+
+* Tue Nov 7 2000 Nalin Dahyabhai
+- update to 2.0.7
+- drop chdir patch (went mainstream)
+
+* Thu Nov 2 2000 Nalin Dahyabhai
+- change automount object classes from auxiliary to structural
+
+* Tue Oct 31 2000 Nalin Dahyabhai
+- update to Migration Tools 27
+- change the sense of the last simple patch
+
+* Wed Oct 25 2000 Nalin Dahyabhai
+- reorganize the patch list to separate MigrationTools and OpenLDAP patches
+- switch to Luke Howard's rfc822MailMember schema instead of the aliases.schema
+- configure slapd to run as the non-root user "ldap" (#19370)
+- chdir() before chroot() (we don't use chroot, though) (#19369)
+- disable saving of the pid file because the parent thread which saves it and
+ the child thread which listens have different pids
+
+* Wed Oct 11 2000 Nalin Dahyabhai
+- add missing required attributes to conversion scripts to comply with schema
+- add schema for mail aliases, autofs, and kerberosSecurityObject rooted in
+ our own OID tree to define attributes and classes migration scripts expect
+- tweak automounter migration script
+
+* Mon Oct 9 2000 Nalin Dahyabhai
+- try adding the suffix first when doing online migrations
+- force ldapadd to use simple authentication in migration scripts
+- add indexing of a few attributes to the default configuration
+- add commented-out section on using TLS to default configuration
+
+* Thu Oct 5 2000 Nalin Dahyabhai
+- update to 2.0.6
+- add buildprereq on cyrus-sasl-devel, krb5-devel, openssl-devel
+- take the -s flag off of slapadd invocations in migration tools
+- add the cosine.schema to the default server config, needed by inetorgperson
+
+* Wed Oct 4 2000 Nalin Dahyabhai
+- add the nis.schema and inetorgperson.schema to the default server config
+- make ldapadd a hard link to ldapmodify because they're identical binaries
+
+* Fri Sep 22 2000 Nalin Dahyabhai
+- update to 2.0.4
+
+* Fri Sep 15 2000 Nalin Dahyabhai
+- remove prereq on /etc/init.d (#17531)
+- update to 2.0.3
+- add saucer to the included clients
+
+* Wed Sep 6 2000 Nalin Dahyabhai
+- update to 2.0.1
+
+* Fri Sep 1 2000 Nalin Dahyabhai
+- update to 2.0.0
+- patch to build against MIT Kerberos 1.1 and later instead of 1.0.x
+
+* Tue Aug 22 2000 Nalin Dahyabhai
+- remove that pesky default password
+- change "Copyright:" to "License:"
+
+* Sun Aug 13 2000 Nalin Dahyabhai
+- adjust permissions in files lists
+- move libexecdir from %%{_prefix}/sbin to %%{_sbindir}
+
+* Fri Aug 11 2000 Nalin Dahyabhai
+- add migrate_automount.pl to the migration scripts set
+
+* Tue Aug 8 2000 Nalin Dahyabhai
+- build a semistatic slurpd with threads, everything else without
+- disable reverse lookups, per email on OpenLDAP mailing lists
+- make sure the execute bits are set on the shared libraries
+
+* Mon Jul 31 2000 Nalin Dahyabhai
+- change logging facility used from local4 to daemon (#11047)
+
+* Thu Jul 27 2000 Nalin Dahyabhai
+- split off clients and servers to shrink down the package and remove the
+ base package's dependency on Perl
+- make certain that the binaries have sane permissions
+
+* Mon Jul 17 2000 Nalin Dahyabhai
+- move the init script back
+
+* Thu Jul 13 2000 Nalin Dahyabhai
+- tweak the init script to only source /etc/sysconfig/network if it's found
+
+* Wed Jul 12 2000 Prospector
+- automatic rebuild
+
+* Mon Jul 10 2000 Nalin Dahyabhai
+- switch to gdbm; I'm getting off the db merry-go-round
+- tweak the init script some more
+- add instdir to @INC in migration scripts
+
+* Thu Jul 6 2000 Nalin Dahyabhai
+- tweak init script to return error codes properly
+- change initscripts dependency to one on /etc/init.d
+
+* Tue Jul 4 2000 Nalin Dahyabhai
+- prereq initscripts
+- make migration scripts use mktemp
+
+* Tue Jun 27 2000 Nalin Dahyabhai
+- do condrestart in post and stop in preun
+- move init script to /etc/init.d
+
+* Fri Jun 16 2000 Nalin Dahyabhai
+- update to 1.2.11
+- add condrestart logic to init script
+- munge migration scripts so that you don't have to be
+ /usr/share/openldap/migration to run them
+- add code to create pid files in /var/run
+
+* Mon Jun 5 2000 Nalin Dahyabhai
+- FHS tweaks
+- fix for compiling with libdb2
+
+* Thu May 4 2000 Bill Nottingham
+- minor tweak so it builds on ia64
+
+* Wed May 3 2000 Nalin Dahyabhai
+- more minimalistic fix for bug #11111 after consultation with OpenLDAP team
+- backport replacement for the ldapuser patch
+
+* Tue May 2 2000 Nalin Dahyabhai
+- fix segfaults from queries with commas in them in in.xfingerd (bug #11111)
+
+* Tue Apr 25 2000 Nalin Dahyabhai
+- update to 1.2.10
+- add revamped version of patch from kos@bastard.net to allow execution as
+ any non-root user
+- remove test suite from %%build because of weirdness in the build system
+
+* Wed Apr 12 2000 Nalin Dahyabhai
+- move the defaults for databases and whatnot to /var/lib/ldap (bug #10714)
+- fix some possible string-handling problems
+
+* Mon Feb 14 2000 Bill Nottingham
+- start earlier, stop later.
+
+* Thu Feb 3 2000 Nalin Dahyabhai
+- auto rebuild in new environment (release 4)
+
+* Tue Feb 1 2000 Nalin Dahyabhai
+- add -D_REENTRANT to make threaded stuff more stable, even though it looks
+ like the sources define it, too
+- mark *.ph files in migration tools as config files
+
+* Fri Jan 21 2000 Nalin Dahyabhai
+- update to 1.2.9
+
+* Mon Sep 13 1999 Bill Nottingham
+- strip files
+
+* Sat Sep 11 1999 Bill Nottingham
+- update to 1.2.7
+- fix some bugs from bugzilla (#4885, #4887, #4888, #4967)
+- take include files out of base package
+
+* Fri Aug 27 1999 Jeff Johnson
+- missing ;; in init script reload) (#4734).
+
+* Tue Aug 24 1999 Cristian Gafton
+- move stuff from /usr/libexec to /usr/sbin
+- relocate config dirs to /etc/openldap
+
+* Mon Aug 16 1999 Bill Nottingham
+- initscript munging
+
+* Wed Aug 11 1999 Cristian Gafton
+- add the migration tools to the package
+
+* Fri Aug 06 1999 Cristian Gafton
+- upgrade to 1.2.6
+- add rc.d script
+- split -devel package
+
+* Sun Feb 07 1999 Preston Brown
+- upgrade to latest stable (1.1.4), it now uses configure macro.
+
+* Fri Jan 15 1999 Bill Nottingham
+- build on arm, glibc2.1
+
+* Wed Oct 28 1998 Preston Brown
+- initial cut.
+- patches for signal handling on the alpha
diff --git a/slapd.ldif b/slapd.ldif
new file mode 100644
index 0000000..a4ae4c0
--- /dev/null
+++ b/slapd.ldif
@@ -0,0 +1,158 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+#
+# TLS settings
+#
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+
+
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
diff --git a/slapd.service b/slapd.service
new file mode 100644
index 0000000..30821fd
--- /dev/null
+++ b/slapd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
+
+[Install]
+WantedBy=multi-user.target
+Alias=openldap.service
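Review bot: The mdb database entry at the end of this hunk defines olcSuffix and olcRootDN but no olcAccess, and the frontend policy above it is entirely commented out, so — as the frontend comment itself states — the built-in default of read access for everyone applies to every attribute under dc=my-domain,dc=com, userPassword included, as soon as data is loaded. Consider shipping an explicit policy on the mdb entry such as `olcAccess: to attrs=userPassword by self write by anonymous auth by * none` followed by `olcAccess: to * by self write by users read by anonymous auth`, which is the sample already given in the frontend comment plus a password rule. With olcSecurity also commented out and the service unit listening on plain ldap:///, simple binds can arrive unencrypted; whether that is acceptable for a packaged default depends on the deployment, so the header comment should at least say so. The TLS comment refers to `oclTLSCACertificatePath`; the directive is spelled olcTLSCACertificatePath, and `finer grinded` reads better as `finer-grained`.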
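Review bot: `After=syslog.target network-online.target` in the [Unit] section only orders the unit; without a matching `Wants=network-online.target` the target is not pulled in, so slapd can start before the network is up on hosts where nothing else requests it, and syslog.target is a legacy name that current systemd no longer provides. With `Type=forking` and no `PIDFile=`, systemd has to guess the main process; since slapd.tmpfiles in this commit creates /var/run/openldap for slapd.pid, `PIDFile=/var/run/openldap/slapd.pid` would make supervision explicit, provided the pid file really lands there (slapd.ldif sets no olcPidFile, so that presumably comes from a build-time default — worth confirming). The unit also carries no sandboxing directives; since slapd already drops to the ldap user via `-u ldap`, adding `ProtectSystem=full` and `PrivateTmp=yes` would be a low-risk hardening step.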
diff --git a/slapd.tmpfiles b/slapd.tmpfiles
new file mode 100644
index 0000000..56aa32e
--- /dev/null
+++ b/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -
diff --git a/sources b/sources
new file mode 100644
index 0000000..c9ef3a9
--- /dev/null
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (ltb-project-openldap-ppolicy-check-password-1.1.tar.gz) = f3384a164ce5db488908cf6380bad8500b800b09d12a8f04e1b6ccb6f6af6ab3971fcdbe4acca7a1b6d16b408a11065c2b1ab2497863fe07d3c28262b0f6776e
+SHA512 (openldap-2.4.46.tgz) = eef39d43f04aa09c657a1422cefef060fe00368559ae40d0d97536c08ebeaaa1ab06207b3f121ba6afcde54abdc550027c3505e5217e5fd47ae6f8c001260186