Auto sync2gitlab import of openldap-2.4.46-18.el8.src.rpm
parent
3643690a4f
commit
04698e993a
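--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+/openldap-2.4.46.tgz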
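--- a/check-password-makefile.patch
+++ b/check-password-makefile.patch
@@ -0,0 +1,41 @@
+--- a/Makefile 2009-10-31 18:59:06.000000000 +0100
++++ b/Makefile 2014-12-17 09:42:37.586079225 +0100
+@@ -13,22 +13,11 @@
+#
+CONFIG=/etc/openldap/check_password.conf
+
+-OPT=-g -O2 -Wall -fpic \
+- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+- -DCONFIG_FILE="\"$(CONFIG)\"" \
++CFLAGS+=-fpic \
++ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
++ -DCONFIG_FILE="\"$(CONFIG)\"" \
+-DDEBUG
+
+-# Where to find the OpenLDAP headers.
+-#
+-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
+- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
+-
+-# Where to find the CrackLib headers.
+-#
+-CRACK_INC=
+-
+-INCS=$(LDAP_INC) $(CRACK_INC)
+-
+LDAP_LIB=-lldap_r -llber
+
+# Comment out this line if you do NOT want to use the cracklib.
+@@ -45,10 +34,10 @@
+all: check_password
+
+check_password.o:
+- $(CC) $(OPT) -c $(INCS) check_password.c
++ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+
+check_password: clean check_password.o
+- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
++ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+
+install: check_password
+cp -f check_password.so ../../../usr/lib/openldap/modules/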
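Review bot: The compile rule still expands `$(LDAP_INC)` after the first hunk deletes the only definition of LDAP_INC (together with INCS) from the Makefile, so the slapd header search path is empty unless the variable arrives from the make command line or the environment; presumably the spec file supplies it, but nothing in the patch says so. A comment above the rule would spare the next packager a failed build: `# LDAP_INC is not defined here; the caller must pass it, e.g. make LDAP_INC=-I<openldap-src>/include` (placeholder path). Note also that `-DDEBUG` survives as a context line at the end of the CFLAGS continuation, so the packaged module is built with its syslog debug traces compiled in; if that is not intended, this patch is the place to drop it.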
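--- a/check-password.patch
+++ b/check-password.patch
@@ -0,0 +1,321 @@
+--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100
++++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
+@@ -10,7 +10,7 @@
+#include <slap.h>
+
+#ifdef HAVE_CRACKLIB
+-#include "crack.h"
++#include <crack.h>
+#endif
+
+#if defined(DEBUG)
+@@ -34,18 +34,77 @@
+#define PASSWORD_TOO_SHORT_SZ \
+"Password for dn=\"%s\" is too short (%d/6)"
+#define PASSWORD_QUALITY_SZ \
+- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
++ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
+#define BAD_PASSWORD_SZ \
+"Bad password for dn=\"%s\" because %s"
++#define UNKNOWN_ERROR_SZ \
++ "An unknown error occurred, please see your systems administrator"
+
+typedef int (*validator) (char*);
+-static int read_config_file (char *);
++static int read_config_file ();
+static validator valid_word (char *);
+static int set_quality (char *);
+static int set_cracklib (char *);
+
+int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+
++struct config_entry {
++ char* key;
++ char* value;
++ char* def_value;
++} config_entries[] = { { "minPoints", NULL, "3"},
++ { "useCracklib", NULL, "1"},
++ { "minUpper", NULL, "0"},
++ { "minLower", NULL, "0"},
++ { "minDigit", NULL, "0"},
++ { "minPunct", NULL, "0"},
++ { NULL, NULL, NULL }};
++
++int get_config_entry_int(char* entry) {
++ struct config_entry* centry = config_entries;
++
++ int i = 0;
++ char* key = centry[i].key;
++ while (key != NULL) {
++ if ( strncmp(key, entry, strlen(key)) == 0 ) {
++ if ( centry[i].value == NULL ) {
++ return atoi(centry[i].def_value);
++ }
++ else {
++ return atoi(centry[i].value);
++ }
++ }
++ i++;
++ key = centry[i].key;
++ }
++
++ return -1;
++}
++
++void dealloc_config_entries() {
++ struct config_entry* centry = config_entries;
++
++ int i = 0;
++ while (centry[i].key != NULL) {
++ if ( centry[i].value != NULL ) {
++ ber_memfree(centry[i].value);
++ }
++ i++;
++ }
++}
++
++char* chomp(char *s)
++{
++ char* t = ber_memalloc(strlen(s)+1);
++ strncpy (t,s,strlen(s)+1);
++
++ if ( t[strlen(t)-1] == '\n' ) {
++ t[strlen(t)-1] = '\0';
++ }
++
++ return t;
++}
++
+static int set_quality (char *value)
+{
+#if defined(DEBUG)
+@@ -84,12 +143,12 @@
+char * parameter;
+validator dealer;
+} list[] = { { "minPoints", set_quality },
+- { "useCracklib", set_cracklib },
+- { "minUpper", set_digit },
+- { "minLower", set_digit },
+- { "minDigit", set_digit },
+- { "minPunct", set_digit },
+- { NULL, NULL } };
++ { "useCracklib", set_cracklib },
++ { "minUpper", set_digit },
++ { "minLower", set_digit },
++ { "minDigit", set_digit },
++ { "minPunct", set_digit },
++ { NULL, NULL } };
+int index = 0;
+
+#if defined(DEBUG)
+@@ -98,7 +157,7 @@
+
+while (list[index].parameter != NULL) {
+if (strlen(word) == strlen(list[index].parameter) &&
+- strcmp(list[index].parameter, word) == 0) {
++ strcmp(list[index].parameter, word) == 0) {
+#if defined(DEBUG)
+syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+#endif
+@@ -114,13 +173,15 @@
+return NULL;
+}
+
+-static int read_config_file (char *keyWord)
++static int read_config_file ()
+{
+FILE * config;
+char * line;
+int returnValue = -1;
+
+- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
++ line = ber_memcalloc(260, sizeof(char));
++
++ if ( line == NULL ) {
+return returnValue;
+}
+
+@@ -133,6 +194,8 @@
+return returnValue;
+}
+
++ returnValue = 0;
++
+while (fgets(line, 256, config) != NULL) {
+char *start = line;
+char *word, *value;
+@@ -145,23 +208,40 @@
+
+while (isspace(*start) && isascii(*start)) start++;
+
+- if (! isascii(*start))
++ /* If we've got punctuation, just skip the line. */
++ if ( ispunct(*start)) {
++#if defined(DEBUG)
++ /* Debug traces to syslog. */
++ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
++#endif
+continue;
++ }
+
+- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
+- if ((value = strtok(NULL, " \t")) == NULL)
+- continue;
++ if( isascii(*start)) {
++
++ struct config_entry* centry = config_entries;
++ int i = 0;
++ char* keyWord = centry[i].key;
++ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
++ while ( keyWord != NULL ) {
++ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+
+#if defined(DEBUG)
+- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
++ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+#endif
+
+- returnValue = (*dealer)(value);
++ centry[i].value = chomp(value);
++ break;
++ }
++ i++;
++ keyWord = centry[i].key;
++ }
++ }
+}
+}
+-
+fclose(config);
+ber_memfree(line);
++
+return returnValue;
+}
+
+@@ -170,7 +250,7 @@
+if (curlen < nextlen + MEMORY_MARGIN) {
+#if defined(DEBUG)
+syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
+- curlen, nextlen + MEMORY_MARGIN);
++ curlen, nextlen + MEMORY_MARGIN);
+#endif
+ber_memfree(*target);
+curlen = nextlen + MEMORY_MARGIN;
+@@ -180,7 +260,7 @@
+return curlen;
+}
+
+- int
++int
+check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+{
+
+@@ -210,20 +290,22 @@
+nLen = strlen (pPasswd);
+if ( nLen < 6) {
+mem_len = realloc_error_message(&szErrStr, mem_len,
+- strlen(PASSWORD_TOO_SHORT_SZ) +
+- strlen(pEntry->e_name.bv_val) + 1);
++ strlen(PASSWORD_TOO_SHORT_SZ) +
++ strlen(pEntry->e_name.bv_val) + 1);
+sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
+goto fail;
+}
+
+- /* Read config file */
+- minQuality = read_config_file("minPoints");
++ if (read_config_file() == -1) {
++ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
++ }
+
+- useCracklib = read_config_file("useCracklib");
+- minUpper = read_config_file("minUpper");
+- minLower = read_config_file("minLower");
+- minDigit = read_config_file("minDigit");
+- minPunct = read_config_file("minPunct");
++ minQuality = get_config_entry_int("minPoints");
++ useCracklib = get_config_entry_int("useCracklib");
++ minUpper = get_config_entry_int("minUpper");
++ minLower = get_config_entry_int("minLower");
++ minDigit = get_config_entry_int("minDigit");
++ minPunct = get_config_entry_int("minPunct");
+
+/** The password must have at least minQuality strength points with one
+* point for the first occurrance of a lower, upper, digit and
+@@ -232,8 +314,6 @@
+
+for ( i = 0; i < nLen; i++ ) {
+
+- if ( nQuality >= minQuality ) break;
+-
+if ( islower (pPasswd[i]) ) {
+minLower--;
+if ( !nLower && (minLower < 1)) {
+@@ -279,12 +359,23 @@
+}
+}
+
+- if ( nQuality < minQuality ) {
++ /*
++ * If you have a required field, then it should be required in the strength
++ * checks.
++ */
++
++ if (
++ (minLower > 0 ) ||
++ (minUpper > 0 ) ||
++ (minDigit > 0 ) ||
++ (minPunct > 0 ) ||
++ (nQuality < minQuality)
++ ) {
+mem_len = realloc_error_message(&szErrStr, mem_len,
+- strlen(PASSWORD_QUALITY_SZ) +
+- strlen(pEntry->e_name.bv_val) + 2);
++ strlen(PASSWORD_QUALITY_SZ) +
++ strlen(pEntry->e_name.bv_val) + 2);
+sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+- nQuality, minQuality);
++ nQuality, minQuality);
+goto fail;
+}
+
+@@ -306,7 +397,7 @@
+for ( j = 0; j < 3; j++ ) {
+
+snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+- CRACKLIB_DICTPATH, ext[j]);
++ CRACKLIB_DICTPATH, ext[j]);
+
+if (( fp = fopen ( filename, "r")) == NULL ) {
+
+@@ -326,9 +417,9 @@
+r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+if ( r != NULL ) {
+mem_len = realloc_error_message(&szErrStr, mem_len,
+- strlen(BAD_PASSWORD_SZ) +
+- strlen(pEntry->e_name.bv_val) +
+- strlen(r));
++ strlen(BAD_PASSWORD_SZ) +
++ strlen(pEntry->e_name.bv_val) +
++ strlen(r));
+sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+goto fail;
+}
+@@ -342,15 +433,15 @@
+}
+
+#endif
+-
++ dealloc_config_entries();
+*ppErrStr = strdup ("");
+ber_memfree(szErrStr);
+return (LDAP_SUCCESS);
+
+fail:
++ dealloc_config_entries();
+*ppErrStr = strdup (szErrStr);
+ber_memfree(szErrStr);
+return (EXIT_FAILURE);
+
+}
+-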
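Review bot: `dealloc_config_entries()` releases each `value` with `ber_memfree` but never resets the pointer, while `get_config_entry_int()` and `read_config_file()` both treat a non-NULL `value` as live; because `check_password()` (whose body starts outside these hunks) runs read/dealloc on every call, the next call finds dangling pointers for every key the config file does not set — or for all keys when the file is unreadable — so `atoi()` reads freed memory and the final `dealloc_config_entries()` frees it a second time. The fix is one line after the free: `centry[i].value = NULL;`. The key loop in `read_config_file()` also leaks the earlier allocation when a key appears twice in the file, and `chomp()` neither checks the `ber_memalloc` result nor guards `t[strlen(t)-1]` against a zero-length input. Separately, `config_entries` is a file-scope mutable table that this slapd module reads and writes without any locking visible in the patch, so concurrent password modifications would presumably race on it — confirm against slapd's threading model before relying on it.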
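--- a/ldap.conf
+++ b/ldap.conf
@@ -0,0 +1,28 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT /etc/pki/tls/cert.pem
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON on
+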
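--- a/libexec-check-config.sh
+++ b/libexec-check-config.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+retcode=0
+tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+if [ $? -ne 0 ]; then
+error "Checking configuration file failed:"
+cat $tmp_slaptest >&2
+retcode=1
+fi
+rm $tmp_slaptest
+return $retcode
+}
+
+function check_certs_perms()
+{
+retcode=0
+for cert in `certificates`; do
+run_as_ldap "/usr/bin/test -e \"$cert\""
+if [ $? -ne 0 ]; then
+error "TLS certificate/key/DB '%s' was not found." "$cert"
+retcoder=1
+continue
+fi
+run_as_ldap "/usr/bin/test -r \"$cert\""
+if [ $? -ne 0 ]; then
+error "TLS certificate/key/DB '%s' is not readable." "$cert"
+retcode=1
+fi
+done
+return $retcode
+}
+
+function check_db_perms()
+{
+retcode=0
+for dbdir in `databases`; do
+[ -d "$dbdir" ] || continue
+for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
+run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+if [ $? -ne 0 ]; then
+error "Read/write permissions for DB file '%s' are required." "$dbfile"
+retcode=1
+fi
+done
+done
+return $retcode
+}
+
+function check_everything()
+{
+retcode=0
+check_config_syntax || retcode=1
+# TODO: need support for Mozilla NSS, disabling temporarily
+#check_certs_perms || retcode=1
+check_db_perms || retcode=1
+return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+error "You have to be root to run this script."
+exit 4
+fi
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+else
+check_everything
+exit $?
+fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+else
+error "Warning: Usage of a configuration file is obsolete!"
+check_everything
+exit $?
+fi
+fi
+
+exit 1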
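Review bot: `retcoder=1` in `check_certs_perms()` is a typo for `retcode=1`, so a missing certificate, key or DB is reported but the function still returns success; the call is commented out in `check_everything()` for now, which only hides the defect rather than fixing it — change the line to `retcode=1`. The script also depends on bash under a `#!/bin/sh` shebang: the `function` keyword and the `&>` redirection in `run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest` are bashisms, and under a POSIX sh that line would background the command and the following `$?` test would apply to the bare redirection instead of slaptest, so either use `#!/bin/bash` or `>$tmp_slaptest 2>&1`. `mktemp` is unchecked as well: if it fails, `$tmp_slaptest` is empty and both the redirection and the later `rm $tmp_slaptest` operate on an empty name.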
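--- a/libexec-functions
+++ b/libexec-functions
@@ -0,0 +1,134 @@
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+SLAPD_USER=ldap
+SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+user=
+config_file=
+config_dir=
+while getopts :u:f:F: opt; do
+case "$opt" in
+u)
+user="$OPTARG"
+;;
+f)
+config_file="$OPTARG"
+;;
+F)
+config_dir="$OPTARG"
+;;
+esac
+done
+
+if [ -n "$user" ]; then
+SLAPD_USER="$user"
+fi
+
+if [ -n "$config_dir" ]; then
+SLAPD_CONFIG_DIR="$config_dir"
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_CUSTOM=1
+SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+elif [ -n "$config_file" ]; then
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_FILE="$config_file"
+SLAPD_CONFIG_CUSTOM=1
+SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+fi
+}
+
+function uses_new_config()
+{
+[ -n "$SLAPD_CONFIG_DIR" ]
+return $?
+}
+
+function run_as_ldap()
+{
+/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+return $?
+}
+
+function ldif_unbreak()
+{
+sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+slapcat $SLAPD_GLOBAL_OPTIONS -c \
+-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+ldif_unbreak | \
+grep '^olcDbDirectory: ' | \
+ldif_value
+}
+
+function databases_old()
+{
+awk 'begin { database="" }
+$1 == "database" { database=$2 }
+$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+"$SLAPD_CONFIG_FILE"
+}
+
+function certificates_new()
+{
+slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+ldif_unbreak | \
+grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+ldif_value
+}
+
+function certificates_old()
+{
+awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+"$SLAPD_CONFIG_FILE"
+}
+
+function certificates()
+{
+uses_new_config && certificates_new || certificates_old
+}
+
+function databases()
+{
+uses_new_config && databases_new || databases_old
+}
+
+
+function error()
+{
+format="$1\n"; shift
+printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+. "$SLAPD_SYSCONFIG_FILE"
+[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config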
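Review bot: `error()` expands `$@` unquoted in `printf "$format" $@ >&2`, so an argument containing whitespace or glob characters (a certificate or database path with a space) is split across several `%s` fields and the message is misrendered; it should read `printf "$format" "$@" >&2`. `SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"` embeds literal single quotes, which work where the string is re-parsed by the runuser shell in `run_as_ldap`, but `databases_new()` and `certificates_new()` pass `$SLAPD_GLOBAL_OPTIONS` to `slapcat` directly, where word splitting does not remove quotes, so slapcat would presumably receive `'…'` as part of the path whenever a custom -F/-f option is set — confirm by running with SLAPD_OPTIONS set. In `databases_old()`, `awk 'begin { database="" }` uses lowercase `begin`, which awk reads as an ordinary empty variable rather than the BEGIN pattern, so the block never runs; harmless today because unset awk variables are already empty, but it should be `BEGIN`.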
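--- a/libexec-upgrade-db.sh
+++ b/libexec-upgrade-db.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+error "You have to be root to run this command."
+exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+# skip uninitialized database
+[ -z "$bdb_files"] || continue
+
+printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+# perform the update
+for command in \
+"/usr/bin/db_recover -v -h \"$dbdir\"" \
+"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+; do
+printf "Executing: %s\n" "$command" &>>$upgrade_log
+run_as_ldap "$command" &>>$upgrade_log
+result=$?
+printf "Exit code: %d\n" $result >>"$upgrade_log"
+if [ $result -ne 0 ]; then
+printf "Upgrade failed: %d\n" $result
+retcode=1
+fi
+done
+done
+
+exit $retcode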
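Review bot: `[ -z "$bdb_files"] || continue` is missing the space before `]`, so the bracket becomes part of the operand: with a non-empty file list `[` reports a missing `]` and fails, and with an empty list the command degenerates to `[ -z ]`, which is true; the net effect is that initialized databases are skipped and uninitialized ones are processed, the opposite of the `# skip uninitialized database` comment. Even with the space restored the sense is inverted, so the line should be `[ -n "$bdb_files" ] || continue`. The `&>>` redirections also require bash, which the `#!/bin/sh` shebang does not promise (cf. the POSIX meaning of `&`), and `$bdb_files` is assembled with `-printf '"%f" '` and re-parsed by the runuser shell inside `run_as_ldap "$command"`, so a file name containing a quote or `$` would presumably break or alter the command line — the list of .bdb names comes from the database directory, not from the operator.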
339
openldap-add-TLS_REQSAN-option.patch
Normal file
@ -0,0 +1,339 @@
|
|||||||
|
From c8050d1e6eb0f4f3deb187224945ddcfc3baa4d6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Howard Chu <hyc@openldap.org>
|
||||||
|
Date: Fri, 21 Aug 2020 09:15:15 +0100
|
||||||
|
Subject: [PATCH] ITS#9318 add TLS_REQSAN option
|
||||||
|
|
||||||
|
Add an option to specify how subjectAlternativeNames should be
|
||||||
|
handled when validating the names in a server certificate.
|
||||||
|
---
|
||||||
|
doc/man/man3/ldap_get_option.3 | 9 +++++++
|
||||||
|
doc/man/man5/ldap.conf.5 | 31 +++++++++++++++++++++++
|
||||||
|
include/ldap.h | 1 +
|
||||||
|
libraries/libldap/init.c | 2 ++
|
||||||
|
libraries/libldap/ldap-int.h | 1 +
|
||||||
|
libraries/libldap/tls2.c | 16 ++++++++++++
|
||||||
|
libraries/libldap/tls_g.c | 46 ++++++++++++++++++++++++++++++++--
|
||||||
|
libraries/libldap/tls_o.c | 44 ++++++++++++++++++++++++++++++--
|
||||||
|
8 files changed, 146 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
|
||||||
|
index d229ce6e3..7d760136f 100644
|
||||||
|
--- a/doc/man/man3/ldap_get_option.3
|
||||||
|
+++ b/doc/man/man3/ldap_get_option.3
|
||||||
|
@@ -788,6 +788,15 @@ one of
|
||||||
|
.BR LDAP_OPT_X_TLS_ALLOW ,
|
||||||
|
.BR LDAP_OPT_X_TLS_TRY .
|
||||||
|
.TP
|
||||||
|
+.B LDAP_OPT_X_TLS_REQUIRE_SAN
|
||||||
|
+Sets/gets the peer certificate subjectAlternativeName checking strategy,
|
||||||
|
+one of
|
||||||
|
+.BR LDAP_OPT_X_TLS_NEVER ,
|
||||||
|
+.BR LDAP_OPT_X_TLS_HARD ,
|
||||||
|
+.BR LDAP_OPT_X_TLS_DEMAND ,
|
||||||
|
+.BR LDAP_OPT_X_TLS_ALLOW ,
|
||||||
|
+.BR LDAP_OPT_X_TLS_TRY .
|
||||||
|
+.TP
|
||||||
|
.B LDAP_OPT_X_TLS_SSL_CTX
|
||||||
|
Gets the TLS session context associated with this handle.
|
||||||
|
.BR outvalue
|
||||||
|
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
|
||||||
|
index 2f1ee886d..cde2c875f 100644
|
||||||
|
--- a/doc/man/man5/ldap.conf.5
|
||||||
|
+++ b/doc/man/man5/ldap.conf.5
|
||||||
|
@@ -464,6 +464,37 @@ certificate is provided, or a bad certificate is provided, the session
|
||||||
|
is immediately terminated. This is the default setting.
|
||||||
|
.RE
|
||||||
|
.TP
|
||||||
|
+.B TLS_REQSAN <level>
|
||||||
|
+Specifies what checks to perform on the subjectAlternativeName
|
||||||
|
+(SAN) extensions in a server certificate when validating the certificate
|
||||||
|
+name against the specified hostname of the server. The
|
||||||
|
+.B <level>
|
||||||
|
+can be specified as one of the following keywords:
|
||||||
|
+.RS
|
||||||
|
+.TP
|
||||||
|
+.B never
|
||||||
|
+The client will not check any SAN in the certificate.
|
||||||
|
+.TP
|
||||||
|
+.B allow
|
||||||
|
+The SAN is checked against the specified hostname. If a SAN is
|
||||||
|
+present but none match the specified hostname, the SANs are ignored
|
||||||
|
+and the usual check against the certificate DN is used.
|
||||||
|
+This is the default setting.
|
||||||
|
+.TP
|
||||||
|
+.B try
|
||||||
|
+The SAN is checked against the specified hostname. If no SAN is present
|
||||||
|
+in the server certificate, the usual check against the certificate DN
|
||||||
|
+is used. If a SAN is present but doesn't match the specified hostname,
|
||||||
|
+the session is immediately terminated. This setting may be preferred
|
||||||
|
+when a mix of certs with and without SANs are in use.
|
||||||
|
+.TP
|
||||||
|
+.B demand | hard
|
||||||
|
+These keywords are equivalent. The SAN is checked against the specified
|
||||||
|
+hostname. If no SAN is present in the server certificate, or no SANs
|
||||||
|
+match, the session is immediately terminated. This setting should be
|
||||||
|
+used when only certificates with SANs are in use.
|
||||||
|
+.RE
|
||||||
|
+.TP
|
||||||
|
.B TLS_CRLCHECK <level>
|
||||||
|
Specifies if the Certificate Revocation List (CRL) of the CA should be
|
||||||
|
used to verify if the server certificates have not been revoked. This
|
||||||
|
diff --git a/include/ldap.h b/include/ldap.h
|
||||||
|
index 4b81a6841..4877de24a 100644
|
||||||
|
--- a/include/ldap.h
|
||||||
|
+++ b/include/ldap.h
|
||||||
|
@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
|
||||||
|
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
|
||||||
|
#define LDAP_OPT_X_TLS_ECNAME 0x6012
|
||||||
|
#define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */
|
||||||
|
+#define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a
|
||||||
|
|
||||||
|
#define LDAP_OPT_X_TLS_NEVER 0
|
||||||
|
#define LDAP_OPT_X_TLS_HARD 1
|
||||||
|
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
|
||||||
|
index d503019aa..0d91808ec 100644
|
||||||
|
--- a/libraries/libldap/init.c
|
||||||
|
+++ b/libraries/libldap/init.c
|
||||||
|
@@ -128,6 +128,7 @@ static const struct ol_attribute {
|
||||||
|
{0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE},
|
||||||
|
{0, ATTR_TLS, "TLS_CACERTDIR", NULL, LDAP_OPT_X_TLS_CACERTDIR},
|
||||||
|
{0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT},
|
||||||
|
+ {0, ATTR_TLS, "TLS_REQSAN", NULL, LDAP_OPT_X_TLS_REQUIRE_SAN},
|
||||||
|
{0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
|
||||||
|
{0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE},
|
||||||
|
{0, ATTR_TLS, "TLS_PROTOCOL_MIN", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN},
|
||||||
|
@@ -624,6 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
|
||||||
|
gopts->ldo_tls_connect_cb = NULL;
|
||||||
|
gopts->ldo_tls_connect_arg = NULL;
|
||||||
|
gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
|
||||||
|
+ gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
|
||||||
|
#endif
|
||||||
|
gopts->ldo_keepalive_probes = 0;
|
||||||
|
gopts->ldo_keepalive_interval = 0;
|
||||||
|
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
|
||||||
|
index 753014ad0..2bf5d4ff6 100644
|
||||||
|
--- a/libraries/libldap/ldap-int.h
|
||||||
|
+++ b/libraries/libldap/ldap-int.h
|
||||||
|
@@ -262,6 +262,7 @@ struct ldapoptions {
|
||||||
|
int ldo_tls_require_cert;
|
||||||
|
int ldo_tls_impl;
|
||||||
|
int ldo_tls_crlcheck;
|
||||||
|
+ int ldo_tls_require_san;
|
||||||
|
#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0
|
||||||
|
#else
|
||||||
|
#define LDAP_LDO_TLS_NULLARG
|
||||||
|
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
||||||
|
index 6a2113255..670292c22 100644
|
||||||
|
--- a/libraries/libldap/tls2.c
|
||||||
|
+++ b/libraries/libldap/tls2.c
|
||||||
|
@@ -539,6 +539,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
|
||||||
|
return ldap_pvt_tls_set_option( ld, option, (void *) arg );
|
||||||
|
|
||||||
|
case LDAP_OPT_X_TLS_REQUIRE_CERT:
|
||||||
|
+ case LDAP_OPT_X_TLS_REQUIRE_SAN:
|
||||||
|
case LDAP_OPT_X_TLS:
|
||||||
|
i = -1;
|
||||||
|
if ( strcasecmp( arg, "never" ) == 0 ) {
|
||||||
|
@@ -669,6 +670,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
|
||||||
|
case LDAP_OPT_X_TLS_REQUIRE_CERT:
|
||||||
|
*(int *)arg = lo->ldo_tls_require_cert;
|
||||||
|
break;
|
||||||
|
+ case LDAP_OPT_X_TLS_REQUIRE_SAN:
|
||||||
|
+ *(int *)arg = lo->ldo_tls_require_san;
|
||||||
|
+ break;
|
||||||
|
#ifdef HAVE_OPENSSL_CRL
|
||||||
|
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
|
||||||
|
*(int *)arg = lo->ldo_tls_crlcheck;
|
||||||
|
@@ -818,6 +822,18 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
return -1;
|
||||||
|
+ case LDAP_OPT_X_TLS_REQUIRE_SAN:
|
||||||
|
+ if ( !arg ) return -1;
|
||||||
|
+ switch( *(int *) arg ) {
|
||||||
|
+ case LDAP_OPT_X_TLS_NEVER:
|
||||||
|
+ case LDAP_OPT_X_TLS_DEMAND:
|
||||||
|
+ case LDAP_OPT_X_TLS_ALLOW:
|
||||||
|
+ case LDAP_OPT_X_TLS_TRY:
|
||||||
|
+ case LDAP_OPT_X_TLS_HARD:
|
||||||
|
+ lo->ldo_tls_require_san = * (int *) arg;
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return -1;
|
||||||
|
#ifdef HAVE_OPENSSL_CRL
|
||||||
|
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
|
||||||
|
if ( !arg ) return -1;
|
||||||
|
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
|
||||||
|
index 15ce0bbb8..e3486c9b4 100644
|
||||||
|
--- a/libraries/libldap/tls_g.c
|
||||||
|
+++ b/libraries/libldap/tls_g.c
|
||||||
|
@@ -496,6 +496,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
|
||||||
|
{
|
||||||
|
tlsg_session *s = (tlsg_session *)session;
|
||||||
|
int i, ret;
|
||||||
|
+ int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
|
||||||
|
const gnutls_datum_t *peer_cert_list;
|
||||||
|
unsigned int list_size;
|
||||||
|
char altname[NI_MAXHOST];
|
||||||
|
@@ -558,12 +559,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (chkSAN) {
|
||||||
|
for ( i=0, ret=0; ret >= 0; i++ ) {
|
||||||
|
altnamesize = sizeof(altname);
|
||||||
|
ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
|
||||||
|
altname, &altnamesize, NULL );
|
||||||
|
if ( ret < 0 ) break;
|
||||||
|
|
||||||
|
+ gotSAN = 1;
|
||||||
|
/* ignore empty */
|
||||||
|
if ( altnamesize == 0 ) continue;
|
||||||
|
|
||||||
|
@@ -599,7 +602,45 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
|
||||||
|
}
|
||||||
|
if ( ret >= 0 ) {
|
||||||
|
ret = LDAP_SUCCESS;
|
||||||
|
- } else {
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (ret != LDAP_SUCCESS && chkSAN) {
|
||||||
|
+ switch(chkSAN) {
|
||||||
|
+ case LDAP_OPT_X_TLS_DEMAND:
|
||||||
|
+ case LDAP_OPT_X_TLS_HARD:
|
||||||
|
+ if (!gotSAN) {
|
||||||
|
+ Debug( LDAP_DEBUG_ANY,
|
||||||
|
+ "TLS: unable to get subjectAltName from peer certificate.\n",
|
||||||
|
+ 0, 0, 0 );
|
||||||
|
+ ret = LDAP_CONNECT_ERROR;
|
||||||
|
+ if ( ld->ld_error ) {
|
||||||
|
+ LDAP_FREE( ld->ld_error );
|
||||||
|
+ }
|
||||||
|
+ ld->ld_error = LDAP_STRDUP(
|
||||||
|
+ _("TLS: unable to get subjectAltName from peer certificate"));
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ /* FALLTHRU */
|
||||||
|
+ case LDAP_OPT_X_TLS_TRY:
|
||||||
|
+ if (gotSAN) {
|
||||||
|
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
|
||||||
|
+ "subjectAltName in certificate.\n",
|
||||||
|
+ name, 0, 0 );
|
||||||
|
+ ret = LDAP_CONNECT_ERROR;
|
||||||
|
+ if ( ld->ld_error ) {
|
||||||
|
+ LDAP_FREE( ld->ld_error );
|
||||||
|
+ }
|
||||||
|
+ ld->ld_error = LDAP_STRDUP(
|
||||||
|
+ _("TLS: hostname does not match subjectAltName in peer certificate"));
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case LDAP_OPT_X_TLS_ALLOW:
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ( ret != LDAP_SUCCESS ){
|
||||||
|
/* find the last CN */
|
||||||
|
i=0;
|
||||||
|
do {
|
||||||
|
@@ -654,9 +695,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
|
||||||
|
LDAP_FREE( ld->ld_error );
|
||||||
|
}
|
||||||
|
ld->ld_error = LDAP_STRDUP(
|
||||||
|
- _("TLS: hostname does not match CN in peer certificate"));
|
||||||
|
+ _("TLS: hostname does not match name in peer certificate"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+done:
|
||||||
|
gnutls_x509_crt_deinit( cert );
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
|
||||||
|
index 4006f7a4f..6f27168e9 100644
|
||||||
|
--- a/libraries/libldap/tls_o.c
|
||||||
|
+++ b/libraries/libldap/tls_o.c
|
||||||
|
@@ -600,6 +600,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
|
||||||
|
{
|
||||||
|
tlso_session *s = (tlso_session *)sess;
|
||||||
|
int i, ret = LDAP_LOCAL_ERROR;
|
||||||
|
+ int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
|
||||||
|
X509 *x;
|
||||||
|
const char *name;
|
||||||
|
char *ptr;
|
||||||
|
@@ -638,7 +639,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
|
||||||
|
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
|
||||||
|
if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
+ if (chkSAN) {
|
||||||
|
i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
|
||||||
|
if (i >= 0) {
|
||||||
|
X509_EXTENSION *ex;
|
||||||
|
@@ -651,6 +653,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
|
||||||
|
char *domain = NULL;
|
||||||
|
GENERAL_NAME *gn;
|
||||||
|
|
||||||
|
+ gotSAN = 1;
|
||||||
|
if (ntype == IS_DNS) {
|
||||||
|
domain = strchr(name, '.');
|
||||||
|
if (domain) {
|
||||||
|
@@ -709,6 +712,42 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+ }
|
||||||
|
+ if (ret != LDAP_SUCCESS && chkSAN) {
|
||||||
|
+ switch(chkSAN) {
|
||||||
|
+ case LDAP_OPT_X_TLS_DEMAND:
|
||||||
|
+ case LDAP_OPT_X_TLS_HARD:
|
||||||
|
+ if (!gotSAN) {
|
||||||
|
+ Debug( LDAP_DEBUG_ANY,
|
||||||
|
+ "TLS: unable to get subjectAltName from peer certificate.\n",
|
||||||
|
+ 0, 0, 0 );
|
||||||
|
+ ret = LDAP_CONNECT_ERROR;
|
||||||
|
+ if ( ld->ld_error ) {
|
||||||
|
+ LDAP_FREE( ld->ld_error );
|
||||||
|
+ }
|
||||||
|
+ ld->ld_error = LDAP_STRDUP(
|
||||||
|
+ _("TLS: unable to get subjectAltName from peer certificate"));
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ /* FALLTHRU */
|
||||||
|
+ case LDAP_OPT_X_TLS_TRY:
|
||||||
|
+ if (gotSAN) {
|
||||||
|
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
|
||||||
|
+ "subjectAltName in certificate.\n",
|
||||||
|
+ name, 0, 0 );
|
||||||
|
+ ret = LDAP_CONNECT_ERROR;
|
||||||
|
+ if ( ld->ld_error ) {
|
||||||
|
+ LDAP_FREE( ld->ld_error );
|
||||||
|
+ }
|
||||||
|
+ ld->ld_error = LDAP_STRDUP(
|
||||||
|
+ _("TLS: hostname does not match subjectAltName in peer certificate"));
|
||||||
|
+ goto done;
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case LDAP_OPT_X_TLS_ALLOW:
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (ret != LDAP_SUCCESS) {
|
||||||
|
X509_NAME *xn;
|
||||||
|
@@ -772,9 +811,10 @@ no_cn:
|
||||||
|
LDAP_FREE( ld->ld_error );
|
||||||
|
}
|
||||||
|
ld->ld_error = LDAP_STRDUP(
|
||||||
|
- _("TLS: hostname does not match CN in peer certificate"));
|
||||||
|
+ _("TLS: hostname does not match name in peer certificate"));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+done:
|
||||||
|
X509_free(x);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
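--- /dev/null
+++ b/openldap-ai-addrconfig.patch
@@ -0,0 +1,20 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7326
+Resolves: #835013
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index b31e05d..fa361ab 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+
+#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
+- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
++#ifdef AI_ADDRCONFIG
+hints.ai_flags = AI_ADDRCONFIG;
+#endif
+hints.ai_family = ldap_int_inet4or6;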
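Review bot: The new `#ifdef AI_ADDRCONFIG` in the os-ip.c hunk enables the flag wherever the macro exists but drops the rationale the removed comment carried, and the flag is not harmless everywhere: getaddrinfo(3) does not count loopback as a configured address, so on a host or container whose only address is loopback a lookup that previously succeeded can now return no results for one address family. That caveat belongs in a comment at the `#ifdef`, e.g. `/* AI_ADDRCONFIG: only return families with a configured non-loopback address; see getaddrinfo(3) */`, and the ldap_int_inet4or6 setting on the last line is the knob operators will reach for when they hit it. The enclosing ldap_connect_to_host body continues outside the hunk.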
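--- /dev/null
+++ b/openldap-allop-overlay.patch
@@ -0,0 +1,40 @@
+Compile AllOp together with other overlays.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1319782
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+translucent.c \
+unique.c \
+valsort.c \
+- smbk5pwd.c
++ smbk5pwd.c \
++ allop.c
+OBJS = statover.o \
+@SLAPD_STATIC_OVERLAYS@ \
+overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
+
+XINCPATH = -I.. -I$(srcdir)/..
+XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+smbk5pwd.la : smbk5pwd.lo
+$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
++allop.lo : allop.c
++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++allop.la : allop.lo
++ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+install-local: $(PROGRAMS)
+@if test -n "$?" ; then \
+$(MKDIR) $(DESTDIR)$(moduledir); \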
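Review bot: The new `allop.lo` rule in the last hunk compiles with `-DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags)` and `allop.la` links `$(shell pkg-config openssl --libs)`; these look copied from the `smbk5pwd` rules directly above, and nothing on the page suggests allop needs Samba defines or OpenSSL, so the module would pick up a libssl/libcrypto dependency for no reason. If allop.c (not on the page) really has no such dependency, the two recipes reduce to `$(LTCOMPILE_MOD) $<` and `$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS)`; please confirm against the source. A one-line comment above the rules saying why allop is built here rather than from contrib would help the next packager.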
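--- /dev/null
+++ b/openldap-cbinding-Add-channel-binding-support.patch
@@ -0,0 +1,291 @@
+From ca310ebff44f10739fd75aff437c7676e089b134 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 26 Aug 2013 23:31:48 -0700
+Subject: [PATCH] Add channel binding support
+
+Currently only implemented for OpenSSL.
+Needs an option to set the criticality flag.
+---
+include/ldap_pvt.h | 1 +
+libraries/libldap/cyrus.c | 22 ++++++++++++++++++++++
+libraries/libldap/ldap-int.h | 1 +
+libraries/libldap/ldap-tls.h | 2 ++
+libraries/libldap/tls2.c | 7 +++++++
+libraries/libldap/tls_g.c | 7 +++++++
+libraries/libldap/tls_m.c | 7 +++++++
+libraries/libldap/tls_o.c | 16 ++++++++++++++++
+servers/slapd/connection.c | 8 ++++++++
+servers/slapd/sasl.c | 18 ++++++++++++++++++
+servers/slapd/slap.h | 1 +
+11 files changed, 90 insertions(+)
+
+diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
+index 871e7c180..fdc9d2de3 100644
+--- a/include/ldap_pvt.h
++++ b/include/ldap_pvt.h
+@@ -430,6 +430,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,
+LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
+LDAPDN_rewrite_dummy *func, unsigned flags ));
+LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
++LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
+
+LDAP_END_DECL
+
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 28c241b0b..a57292800 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -369,6 +369,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
+lc->lconn_sasl_sockctx = NULL;
+lc->lconn_sasl_authctx = NULL;
+}
++ if( lc->lconn_sasl_cbind ) {
++ ldap_memfree( lc->lconn_sasl_cbind );
++ lc->lconn_sasl_cbind = NULL;
++ }
+
+return LDAP_SUCCESS;
+}
+@@ -482,6 +486,24 @@ ldap_int_sasl_bind(
+
+(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
+LDAP_FREE( authid.bv_val );
++#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */
++ {
++ char cbinding[64];
++ struct berval cbv = { sizeof(cbinding), cbinding };
++ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
++ sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
++ cbv.bv_len);
++ cb->name = "ldap";
++ cb->critical = 0;
++ cb->data = (char *)(cb+1);
++ cb->len = cbv.bv_len;
++ memcpy( cb->data, cbv.bv_val, cbv.bv_len );
++ sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
++ SASL_CHANNEL_BINDING, cb );
++ ld->ld_defconn->lconn_sasl_cbind = cb;
++ }
++ }
++#endif
+}
+#endif
+
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 37c342e26..1915ecab4 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -305,6 +305,7 @@ typedef struct ldap_conn {
+#ifdef HAVE_CYRUS_SASL
+void *lconn_sasl_authctx; /* context for bind */
+void *lconn_sasl_sockctx; /* for security layer */
++ void *lconn_sasl_cbind; /* for channel binding */
+#endif
+#ifdef HAVE_GSSAPI
+void *lconn_gss_ctx; /* gss_ctx_id_t */
+diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
+index 75661c005..1eb5ae47e 100644
+--- a/libraries/libldap/ldap-tls.h
++++ b/libraries/libldap/ldap-tls.h
+@@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len
+typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
+typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
+typedef int (TI_session_strength)(tls_session *sess);
++typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
+
+typedef void (TI_thr_init)(void);
+
+@@ -64,6 +65,7 @@ typedef struct tls_impl {
+TI_session_dn *ti_session_peer_dn;
+TI_session_chkhost *ti_session_chkhost;
+TI_session_strength *ti_session_strength;
++ TI_session_unique *ti_session_unique;
+
+Sockbuf_IO *ti_sbio;
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index e11d1a8a3..957e73c03 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -981,6 +981,13 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
+rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );
+return rc;
+}
++
++int
++ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
++{
++ tls_session *session = s;
++ return tls_imp->ti_session_unique( session, buf, is_server );
++}
+#endif /* HAVE_TLS */
+
+int
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index ed1f8f1cb..dfdc35da4 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -780,6 +780,12 @@ tlsg_session_strength( tls_session *session )
+return gnutls_cipher_get_key_size( c ) * 8;
+}
+
++static int
++tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
++{
++ return 0;
++}
++
+/* suites is a string of colon-separated cipher suite names. */
+static int
+tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
+@@ -1110,6 +1116,7 @@ tls_impl ldap_int_tls_impl = {
+tlsg_session_peer_dn,
+tlsg_session_chkhost,
+tlsg_session_strength,
++ tlsg_session_unique,
+
+&tlsg_sbio,
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 072d41d56..240bd9ff6 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2838,6 +2838,12 @@ tlsm_session_strength( tls_session *session )
+return rc ? 0 : keySize;
+}
+
++static int
++tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
++{
++ return 0;
++}
++
+/*
+* TLS support for LBER Sockbufs
+*/
+@@ -3266,6 +3272,7 @@ tls_impl ldap_int_tls_impl = {
+tlsm_session_peer_dn,
+tlsm_session_chkhost,
+tlsm_session_strength,
++ tlsm_session_unique,
+
+&tlsm_sbio,
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 3c077f895..2ecee465b 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -676,6 +676,21 @@ tlso_session_strength( tls_session *sess )
+return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);
+}
+
++static int
++tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
++{
++ tlso_session *s = (tlso_session *)sess;
++
++ /* Usually the client sends the finished msg. But if the
++ * session was resumed, the server sent the msg.
++ */
++ if (SSL_session_reused(s) ^ !is_server)
++ buf->bv_len = SSL_get_finished(s, buf->bv_val, buf->bv_len);
++ else
++ buf->bv_len = SSL_get_peer_finished(s, buf->bv_val, buf->bv_len);
++ return buf->bv_len;
++}
++
+/*
+* TLS support for LBER Sockbufs
+*/
+@@ -1283,6 +1298,7 @@ tls_impl ldap_int_tls_impl = {
+tlso_session_peer_dn,
+tlso_session_chkhost,
+tlso_session_strength,
++ tlso_session_unique,
+
+&tlso_sbio,
+
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index e34703cb3..bc2b8a4d0 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -406,6 +406,7 @@ Connection * connection_init(
+c->c_sasl_sockctx = NULL;
+c->c_sasl_extra = NULL;
+c->c_sasl_bindop = NULL;
++ c->c_sasl_cbind = NULL;
+
+c->c_sb = ber_sockbuf_alloc( );
+
+@@ -451,6 +452,7 @@ Connection * connection_init(
+assert( c->c_sasl_sockctx == NULL );
+assert( c->c_sasl_extra == NULL );
+assert( c->c_sasl_bindop == NULL );
++ assert( c->c_sasl_cbind == NULL );
+assert( c->c_currentber == NULL );
+assert( c->c_writewaiter == 0);
+assert( c->c_writers == 0);
+@@ -1408,6 +1410,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
+c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
+slap_sasl_external( c, c->c_tls_ssf, &authid );
+if ( authid.bv_val ) free( authid.bv_val );
++ {
++ char cbinding[64];
++ struct berval cbv = { sizeof(cbinding), cbinding };
++ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
++ slap_sasl_cbinding( c, &cbv );
++ }
+} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
+LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */
+slapd_set_write( s, 1 );
+diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
+index 0bd6259be..57907d79b 100644
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1503,6 +1503,21 @@ int slap_sasl_external(
+return LDAP_SUCCESS;
+}
+
++int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
++{
++#ifdef SASL_CHANNEL_BINDING
++ sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
++ cb->name = "ldap";
++ cb->critical = 0;
++ cb->data = (char *)(cb+1);
++ cb->len = cbv->bv_len;
++ memcpy( cb->data, cbv->bv_val, cbv->bv_len );
++ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
++ conn->c_sasl_cbind = cb;
++#endif
++ return LDAP_SUCCESS;
++}
++
+int slap_sasl_reset( Connection *conn )
+{
+return LDAP_SUCCESS;
+@@ -1568,6 +1583,9 @@ int slap_sasl_close( Connection *conn )
+free( conn->c_sasl_extra );
+conn->c_sasl_extra = NULL;
+
++ free( conn->c_sasl_cbind );
++ conn->c_sasl_cbind = NULL;
++
+#elif defined(SLAP_BUILTIN_SASL)
+SASL_CTX *ctx = conn->c_sasl_authctx;
+if( ctx ) {
+diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
+index 09c1854f8..4b3bbd12e 100644
+--- a/servers/slapd/slap.h
++++ b/servers/slapd/slap.h
+@@ -2910,6 +2910,7 @@ struct Connection {
+void *c_sasl_authctx; /* SASL authentication context */
+void *c_sasl_sockctx; /* SASL security layer context */
+void *c_sasl_extra; /* SASL session extra stuff */
++ void *c_sasl_cbind; /* SASL channel binding */
+Operation *c_sasl_bindop; /* set to current op if it's a bind */
+
+#ifdef LDAP_X_TXN
+--
+2.26.2
+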
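Review bot: In the cyrus.c hunk the `ldap_memalloc` result is dereferenced on the very next line (`cb->name = "ldap";`) with no NULL check; unlike slapd's `ch_malloc` used in the sasl.c hunk, the libldap allocator returns NULL on failure, so the block needs `if ( cb == NULL ) { /* skip channel binding */ }` or an LDAP_NO_MEMORY bail-out before `cb` is touched. Both callers also pass `tlso_session_unique` a 64-byte stack buffer and then trust the returned `bv_len`, but `SSL_get_finished()`/`SSL_get_peer_finished()` report the full Finished length even when only `count` bytes were copied, so a Finished longer than the buffer would make the following `memcpy` read past `cbinding`; clamp the length to the caller's `bv_len` inside `tlso_session_unique` or reject the binding when the returned length exceeds the buffer. Since this is being backported onto an OpenSSL that can negotiate TLS 1.3, note that the Finished-based tls-unique value is only defined through TLS 1.2, so the function should presumably return 0 for a 1.3 session rather than hand SASL a value with no defined meaning. The `;;` after `ch_malloc(...)` in sasl.c is a stray empty statement.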
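--- /dev/null
+++ b/openldap-cbinding-Convert-test077-to-LDIF-config.patch
@@ -0,0 +1,167 @@
+From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Mon, 27 Apr 2020 23:24:16 -0700
+Subject: [PATCH] Convert test077 to LDIF config
+
+---
+tests/data/slapd-sasl-gssapi.conf | 68 -------------------------------
+tests/scripts/defines.sh | 1 -
+tests/scripts/test077-sasl-gssapi | 35 +++++++++++++---
+3 files changed, 30 insertions(+), 74 deletions(-)
+delete mode 100644 tests/data/slapd-sasl-gssapi.conf
+
+diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
+deleted file mode 100644
+index 29ab6040b..000000000
+--- a/tests/data/slapd-sasl-gssapi.conf
++++ /dev/null
+@@ -1,68 +0,0 @@
+-# stand-alone slapd config -- for testing (with indexing)
+-# $OpenLDAP$
+-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+-##
+-## Copyright 1998-2020 The OpenLDAP Foundation.
+-## All rights reserved.
+-##
+-## Redistribution and use in source and binary forms, with or without
+-## modification, are permitted only as authorized by the OpenLDAP
+-## Public License.
+-##
+-## A copy of this license is available in the file LICENSE in the
+-## top-level directory of the distribution or, alternatively, at
+-## <http://www.OpenLDAP.org/license.html>.
+-
+-#
+-include @SCHEMADIR@/core.schema
+-include @SCHEMADIR@/cosine.schema
+-#
+-include @SCHEMADIR@/corba.schema
+-include @SCHEMADIR@/java.schema
+-include @SCHEMADIR@/inetorgperson.schema
+-include @SCHEMADIR@/misc.schema
+-include @SCHEMADIR@/nis.schema
+-include @SCHEMADIR@/openldap.schema
+-#
+-include @SCHEMADIR@/duaconf.schema
+-include @SCHEMADIR@/dyngroup.schema
+-
+-#
+-pidfile @TESTDIR@/slapd.1.pid
+-argsfile @TESTDIR@/slapd.1.args
+-
+-# SSL configuration
+-TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
+-TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
+-TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
+-
+-#
+-rootdse @DATADIR@/rootdse.ldif
+-
+-#mod#modulepath ../servers/slapd/back-@BACKEND@/
+-#mod#moduleload back_@BACKEND@.la
+-#monitormod#modulepath ../servers/slapd/back-monitor/
+-#monitormod#moduleload back_monitor.la
+-
+-
+-#######################################################################
+-# database definitions
+-#######################################################################
+-
+-database @BACKEND@
+-suffix "dc=example,dc=com"
+-rootdn "cn=Manager,dc=example,dc=com"
+-rootpw secret
+-#~null~#directory @TESTDIR@/db.1.a
+-#indexdb#index objectClass eq
+-#indexdb#index mail eq
+-#ndb#dbname db_1_a
+-#ndb#include @DATADIR@/ndb.conf
+-
+-#monitor#database monitor
+-
+-sasl-realm @KRB5REALM@
+-sasl-host localhost
+-
+-database config
+-rootpw secret
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index f9e5578ee..a84fd0a65 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -114,7 +114,6 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
+SCHEMACONF=$DATADIR/slapd-schema.conf
+TLSCONF=$DATADIR/slapd-tls.conf
+TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
+-SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
+GLUECONF=$DATADIR/slapd-glue.conf
+REFINTCONF=$DATADIR/slapd-refint.conf
+RETCODECONF=$DATADIR/slapd-retcode.conf
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+index 20c414600..322df60a4 100755
+--- a/tests/scripts/test077-sasl-gssapi
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then
+exit 0
+fi
+
++CONFDIR=$TESTDIR/slapd.d
++CONFLDIF=$TESTDIR/slapd.ldif
++
+mkdir -p $TESTDIR $DBDIR1 $CONFDIR
+cp -r $DATADIR/tls $TESTDIR
++$SLAPPASSWD -g -n >$CONFIGPWF
+
+echo "Starting KDC for SASL/GSSAPI tests..."
+. $SRCDIR/scripts/setup_kdc.sh
+
+-echo "Running slapadd to build slapd database..."
+-. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
+-$SLAPADD -f $CONF1 -l $LDIFORDERED
++echo "Configuring slapd..."
++cat > $CONFLDIF <<EOF
++dn: cn=config
++objectClass: olcGlobal
++cn: config
++olcSaslHost: localhost
++olcSaslRealm: $KRB5REALM
++olcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt
++olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
++olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key
++
++dn: cn=schema,cn=config
++objectClass: olcSchemaConfig
++cn: schema
++
++include: file://$ABS_SCHEMADIR/core.ldif
++
++dn: olcDatabase={0}config,cn=config
++objectClass: olcDatabaseConfig
++olcDatabase: {0}config
++olcRootPW:< file://$TESTDIR/configpw
++
++EOF
++$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
+RC=$?
+if test $RC != 0 ; then
+echo "slapadd failed ($RC)!"
+@@ -38,7 +63,7 @@ if test $RC != 0 ; then
+fi
+
+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+echo PID $PID
+@@ -151,7 +176,7 @@ else
+for acb in "none" "tls-unique" "tls-endpoint" ; do
+
+echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
+- $LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
++ $LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+replace: olcSaslCBinding
+--
+2.26.2
+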
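Review bot: The generated config in the test077 hunk references the password file as `olcRootPW:< file://$TESTDIR/configpw` while the password is written to `$CONFIGPWF` and later read with `-y $CONFIGPWF`; the two only agree if defines.sh (not on the page) sets `CONFIGPWF=$TESTDIR/configpw`, so the heredoc line should be `+olcRootPW:< file://$CONFIGPWF` to keep them tied together. The deleted slapd-sasl-gssapi.conf also defined the `dc=example,dc=com` backend that `$SLAPADD -l $LDIFORDERED` populated, and the new LDIF defines only cn=config; if anything later in the script (outside the hunk) still binds against or searches that suffix it will now fail, and `$DBDIR1` in the kept `mkdir -p` line is then unused. Please confirm the remaining GSSAPI checks need nothing beyond cn=config and the SASL/TLS globals.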
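--- /dev/null
+++ b/openldap-cbinding-Fix-slaptest-in-test077.patch
@@ -0,0 +1,62 @@
+From e006994d83af9dcb7813a18253cf4e5beacee043 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Sun, 26 Apr 2020 11:40:23 -0700
+Subject: [PATCH] Fix slaptest in test077
+
+The libtool wrapper scripts lose argv[0] when exec'ing the real binary.
+
+In the CI Docker container, where the build runs as root, this was
+actually starting a real slapd on the default port.
+
+Outside Docker, running as a non-root user, this slapd would just fail
+to start, and wouldn't convert the config either.
+
+Using "slapd -Tt" fixes the issue but also prints a warning from
+slaptest since the database hasn't been initialized yet.
+
+Dynamic config isn't actually used in this test script, so let's just
+run slapd off the config file directly.
+---
+tests/scripts/test077-sasl-gssapi | 11 ++---------
+1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+index 19f665622..20c414600 100755
+--- a/tests/scripts/test077-sasl-gssapi
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -21,22 +21,15 @@ if test $WITH_SASL = no ; then
+exit 0
+fi
+
+-SLAPTEST="$TESTWD/../servers/slapd/slaptest"
+-CONFDIR=$TESTDIR/slapd.d
+-
+mkdir -p $TESTDIR $DBDIR1 $CONFDIR
+cp -r $DATADIR/tls $TESTDIR
+
+-cd $TESTWD
+-
+-
+echo "Starting KDC for SASL/GSSAPI tests..."
+. $SRCDIR/scripts/setup_kdc.sh
+
+echo "Running slapadd to build slapd database..."
+. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
+-$SLAPTEST -f $CONF1 -F $CONFDIR
+-$SLAPADD -F $CONFDIR -l $LDIFORDERED
++$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+echo "slapadd failed ($RC)!"
+@@ -45,7 +38,7 @@ if test $RC != 0 ; then
+fi
+
+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+-$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+echo PID $PID
+--
+2.26.2
+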
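Review bot: The first hunk removes the `CONFDIR=$TESTDIR/slapd.d` assignment but keeps the context line `mkdir -p $TESTDIR $DBDIR1 $CONFDIR`, so `$CONFDIR` is now empty or whatever the environment happens to carry; either drop `$CONFDIR` from the mkdir line or keep the assignment. The later patch on this page (Convert test077 to LDIF config) re-adds the variable, which hides the dangling reference, but each patch in the series should leave the script consistent on its own.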
220
openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
Normal file
220
openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
Normal file
@ -0,0 +1,220 @@
|
|||||||
|
NOTE: The patch has been adjusted to match the base code before backporting.
|
||||||
|
|
||||||
|
From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Howard Chu <hyc@openldap.org>
|
||||||
|
Date: Tue, 10 Sep 2013 04:26:51 -0700
|
||||||
|
Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT
|
||||||
|
|
||||||
|
retrieve peer cert for an active TLS session
|
||||||
|
---
|
||||||
|
doc/man/man3/ldap_get_option.3 | 8 ++++++++
|
||||||
|
include/ldap.h | 1 +
|
||||||
|
libraries/libldap/ldap-tls.h | 2 ++
|
||||||
|
libraries/libldap/tls2.c | 23 +++++++++++++++++++++++
|
||||||
|
libraries/libldap/tls_g.c | 19 +++++++++++++++++++
|
||||||
|
libraries/libldap/tls_m.c | 17 +++++++++++++++++
|
||||||
|
libraries/libldap/tls_o.c | 16 ++++++++++++++++
|
||||||
|
7 files changed, 86 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
|
||||||
|
index e67de75e9..1bb55d357 100644
|
||||||
|
--- a/doc/man/man3/ldap_get_option.3
|
||||||
|
+++ b/doc/man/man3/ldap_get_option.3
|
||||||
|
@@ -732,6 +732,14 @@ A non-zero value pointed to by
|
||||||
|
.BR invalue
|
||||||
|
tells the library to create a context for a server.
|
||||||
|
.TP
|
||||||
|
+.B LDAP_OPT_X_TLS_PEERCERT
|
||||||
|
+Gets the peer's certificate in DER format from an established TLS session.
|
||||||
|
+.BR outvalue
|
||||||
|
+must be
|
||||||
|
+.BR "struct berval *" ,
|
||||||
|
+and the data it returns needs to be freed by the caller using
|
||||||
|
+.BR ldap_memfree (3).
|
||||||
|
+.TP
|
||||||
|
.B LDAP_OPT_X_TLS_PROTOCOL_MIN
|
||||||
|
Sets/gets the minimum protocol version.
|
||||||
|
.BR invalue
|
||||||
|
diff --git a/include/ldap.h b/include/ldap.h
|
||||||
|
index 4de3f7f32..97ca524d7 100644
|
||||||
|
--- a/include/ldap.h
|
||||||
|
+++ b/include/ldap.h
|
||||||
|
@@ -161,6 +161,7 @@ LDAP_BEGIN_DECL
|
||||||
|
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
|
||||||
|
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
|
||||||
|
#define LDAP_OPT_X_TLS_ECNAME 0x6012
|
||||||
|
+#define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */
|
||||||
|
|
||||||
|
#define LDAP_OPT_X_TLS_NEVER 0
|
||||||
|
#define LDAP_OPT_X_TLS_HARD 1
|
||||||
|
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
|
||||||
|
index 548814d7f..890d20dc7 100644
|
||||||
|
--- a/libraries/libldap/ldap-tls.h
|
||||||
|
+++ b/libraries/libldap/ldap-tls.h
|
||||||
|
@@ -43,6 +43,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
|
||||||
|
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
|
||||||
|
typedef int (TI_session_strength)(tls_session *sess);
|
||||||
|
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
|
||||||
|
+typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
|
||||||
|
|
||||||
|
typedef void (TI_thr_init)(void);
|
||||||
|
|
||||||
|
@@ -69,6 +70,7 @@ typedef struct tls_impl {
|
||||||
|
TI_session_chkhost *ti_session_chkhost;
|
||||||
|
TI_session_strength *ti_session_strength;
|
||||||
|
TI_session_unique *ti_session_unique;
|
||||||
|
+ TI_session_peercert *ti_session_peercert;
|
||||||
|
|
||||||
|
Sockbuf_IO *ti_sbio;
|
||||||
|
|
||||||
|
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
||||||
|
index 05fce3218..cbf73bdd5 100644
|
||||||
|
--- a/libraries/libldap/tls2.c
|
||||||
|
+++ b/libraries/libldap/tls2.c
|
||||||
|
@@ -718,6 +718,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
|
||||||
|
case LDAP_OPT_X_TLS_CONNECT_ARG:
|
||||||
|
*(void **)arg = lo->ldo_tls_connect_arg;
|
||||||
|
break;
|
||||||
|
+ case LDAP_OPT_X_TLS_PEERCERT: {
|
||||||
|
+ void *sess = NULL;
|
||||||
|
+ struct berval *bv = arg;
|
||||||
|
+ bv->bv_len = 0;
|
||||||
|
+ bv->bv_val = NULL;
|
||||||
|
+ if ( ld != NULL ) {
|
||||||
|
+ LDAPConn *conn = ld->ld_defconn;
|
||||||
|
+ if ( conn != NULL ) {
|
||||||
|
+ Sockbuf *sb = conn->lconn_sb;
|
||||||
|
+ sess = ldap_pvt_tls_sb_ctx( sb );
|
||||||
|
+ if ( sess != NULL )
|
||||||
|
+ return ldap_pvt_tls_get_peercert( sess, bv );
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
default:
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
@@ -1050,6 +1066,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
|
||||||
|
tls_session *session = s;
|
||||||
|
return tls_imp->ti_session_unique( session, buf, is_server );
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+ldap_pvt_tls_get_peercert( void *s, struct berval *der )
|
||||||
|
+{
|
||||||
|
+ tls_session *session = s;
|
||||||
|
+ return tls_imp->ti_session_peercert( session, der );
|
||||||
|
+}
|
||||||
|
#endif /* HAVE_TLS */
|
||||||
|
|
||||||
|
int
|
||||||
|
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
|
||||||
|
index ce422387c..739680439 100644
|
||||||
|
--- a/libraries/libldap/tls_g.c
|
||||||
|
+++ b/libraries/libldap/tls_g.c
|
||||||
|
@@ -830,6 +830,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+tlsg_session_peercert( tls_session *sess, struct berval *der )
|
||||||
|
+{
|
||||||
|
+ tlsg_session *s = (tlsg_session *)sess;
|
||||||
|
+ const gnutls_datum_t *peer_cert_list;
|
||||||
|
+ unsigned int list_size;
|
||||||
|
+
|
||||||
|
+ peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
|
||||||
|
+ if (!peer_cert_list)
|
||||||
|
+ return -1;
|
||||||
|
+ der->bv_len = peer_cert_list[0].size;
|
||||||
|
+ der->bv_val = LDAP_MALLOC( der->bv_len );
|
||||||
|
+ if (!der->bv_val)
|
||||||
|
+ return -1;
|
||||||
|
+ memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* suites is a string of colon-separated cipher suite names. */
|
||||||
|
static int
|
||||||
|
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
|
||||||
|
@@ -1166,6 +1184,7 @@ tls_impl ldap_int_tls_impl = {
|
||||||
|
tlsg_session_chkhost,
|
||||||
|
tlsg_session_strength,
|
||||||
|
tlsg_session_unique,
|
||||||
|
+ tlsg_session_peercert,
|
||||||
|
|
||||||
|
&tlsg_sbio,
|
||||||
|
|
||||||
|
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||||
|
index 4bd9e63cb..36dc989ef 100644
|
||||||
|
--- a/libraries/libldap/tls_m.c
|
||||||
|
+++ b/libraries/libldap/tls_m.c
|
||||||
|
@@ -2891,6 +2891,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+tlsm_session_peercert( tls_session *sess, struct berval *der )
|
||||||
|
+{
|
||||||
|
+ tlsm_session *s = (tlsm_session *)sess;
|
||||||
|
+ CERTCertificate *cert;
|
||||||
|
+ cert = SSL_PeerCertificate( s );
|
||||||
|
+ if (!cert)
|
||||||
|
+ return -1;
|
||||||
|
+ der->bv_len = cert->derCert.len;
|
||||||
|
+ der->bv_val = LDAP_MALLOC( der->bv_len );
|
||||||
|
+ if (!der->bv_val)
|
||||||
|
+ return -1;
|
||||||
|
+ memcpy( der->bv_val, cert->derCert.data, der->bv_len );
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* TLS support for LBER Sockbufs
|
||||||
|
*/
|
||||||
|
@@ -3322,6 +3338,7 @@ tls_impl ldap_int_tls_impl = {
|
||||||
|
tlsm_session_chkhost,
|
||||||
|
tlsm_session_strength,
|
||||||
|
tlsm_session_unique,
|
||||||
|
+ tlsm_session_peercert,
|
||||||
|
|
||||||
|
&tlsm_sbio,
|
||||||
|
|
||||||
|
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
|
||||||
|
index 6288456d3..1fa50392f 100644
|
||||||
|
--- a/libraries/libldap/tls_o.c
|
||||||
|
+++ b/libraries/libldap/tls_o.c
|
||||||
|
@@ -721,6 +721,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
||||||
|
return buf->bv_len;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+tlso_session_peercert( tls_session *sess, struct berval *der )
|
||||||
|
+{
|
||||||
|
+ tlso_session *s = (tlso_session *)sess;
|
||||||
|
+ unsigned char *ptr;
|
||||||
|
+ X509 *x = SSL_get_peer_certificate(s);
|
||||||
|
+ der->bv_len = i2d_X509(x, NULL);
|
||||||
|
+ der->bv_val = LDAP_MALLOC(der->bv_len);
|
||||||
|
+ if ( !der->bv_val )
|
||||||
|
+ return -1;
|
||||||
|
+ ptr = der->bv_val;
|
||||||
|
+ i2d_X509(x, &ptr);
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* TLS support for LBER Sockbufs
|
||||||
|
*/
|
||||||
|
@@ -1229,6 +1244,7 @@ tls_impl ldap_int_tls_impl = {
|
||||||
|
tlso_session_chkhost,
|
||||||
|
tlso_session_strength,
|
||||||
|
tlso_session_unique,
|
||||||
|
+ tlso_session_peercert,
|
||||||
|
|
||||||
|
&tlso_sbio,
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.2
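Review bot: In the tls_o.c hunk, tlso_session_peercert never checks the result of SSL_get_peer_certificate() and never releases it: when no peer certificate is available, x is NULL and the function still returns 0 with whatever i2d_X509(NULL, ...) yields, whereas the GnuTLS and NSS variants in this same patch return -1, and on the success path the X509 reference that SSL_get_peer_certificate() hands back is leaked on every LDAP_OPT_X_TLS_PEERCERT query. i2d_X509() can also return a negative value on an encoding failure, which lands in the unsigned bv_len and turns into an oversized LDAP_MALLOC. The NSS variant in the tls_m.c hunk appears to have the matching leak, since SSL_PeerCertificate() returns an owned reference that CERT_DestroyCertificate() should release. The rewrite below adds the NULL and length checks and frees the certificate on every path.
```c
	X509 *x = SSL_get_peer_certificate(s);
	int len;
	if ( !x )
		return -1;
	len = i2d_X509(x, NULL);
	if ( len <= 0 ) {
		X509_free(x);
		return -1;
	}
	der->bv_len = len;
	der->bv_val = LDAP_MALLOC(der->bv_len);
	if ( !der->bv_val ) {
		X509_free(x);
		return -1;
	}
	/* … unchanged: i2d_X509 into der->bv_val via ptr … */
	X509_free(x);
	return 0;
```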
|
||||||
|
|
@ -0,0 +1,70 @@
|
|||||||
|
From 465b1c5972eef1d4e60eb98ae3776d33e270853d Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <okuznik@symas.com>
|
||||||
|
Date: Fri, 15 Jun 2018 15:12:28 +0100
|
||||||
|
Subject: [PATCH] ITS#8573 Add missing URI variables for tests
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/scripts/conf.sh | 18 ++++++++++++++++++
|
||||||
|
tests/scripts/defines.sh | 7 +++++++
|
||||||
|
2 files changed, 25 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
|
||||||
|
index fe5e60509..02629f190 100755
|
||||||
|
--- a/tests/scripts/conf.sh
|
||||||
|
+++ b/tests/scripts/conf.sh
|
||||||
|
@@ -75,6 +75,24 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
|
||||||
|
-e "s;@PORT4@;${PORT4};" \
|
||||||
|
-e "s;@PORT5@;${PORT5};" \
|
||||||
|
-e "s;@PORT6@;${PORT6};" \
|
||||||
|
+ -e "s;@SURI1@;${SURI1};" \
|
||||||
|
+ -e "s;@SURI2@;${SURI2};" \
|
||||||
|
+ -e "s;@SURI3@;${SURI3};" \
|
||||||
|
+ -e "s;@SURI4@;${SURI4};" \
|
||||||
|
+ -e "s;@SURI5@;${SURI5};" \
|
||||||
|
+ -e "s;@SURI6@;${SURI6};" \
|
||||||
|
+ -e "s;@URIP1@;${URIP1};" \
|
||||||
|
+ -e "s;@URIP2@;${URIP2};" \
|
||||||
|
+ -e "s;@URIP3@;${URIP3};" \
|
||||||
|
+ -e "s;@URIP4@;${URIP4};" \
|
||||||
|
+ -e "s;@URIP5@;${URIP5};" \
|
||||||
|
+ -e "s;@URIP6@;${URIP6};" \
|
||||||
|
+ -e "s;@SURIP1@;${SURIP1};" \
|
||||||
|
+ -e "s;@SURIP2@;${SURIP2};" \
|
||||||
|
+ -e "s;@SURIP3@;${SURIP3};" \
|
||||||
|
+ -e "s;@SURIP4@;${SURIP4};" \
|
||||||
|
+ -e "s;@SURIP5@;${SURIP5};" \
|
||||||
|
+ -e "s;@SURIP6@;${SURIP6};" \
|
||||||
|
-e "s/@SASL_MECH@/${SASL_MECH}/" \
|
||||||
|
-e "s;@TESTDIR@;${TESTDIR};" \
|
||||||
|
-e "s;@TESTWD@;${TESTWD};" \
|
||||||
|
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
|
||||||
|
index 2c9e8f76a..9816034f9 100755
|
||||||
|
--- a/tests/scripts/defines.sh
|
||||||
|
+++ b/tests/scripts/defines.sh
|
||||||
|
@@ -223,16 +223,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/"
|
||||||
|
URI3="ldap://${LOCALHOST}:$PORT3/"
|
||||||
|
URIP3="ldap://${LOCALIP}:$PORT3/"
|
||||||
|
URI4="ldap://${LOCALHOST}:$PORT4/"
|
||||||
|
+URIP4="ldap://${LOCALIP}:$PORT4/"
|
||||||
|
URI5="ldap://${LOCALHOST}:$PORT5/"
|
||||||
|
+URIP5="ldap://${LOCALIP}:$PORT5/"
|
||||||
|
URI6="ldap://${LOCALHOST}:$PORT6/"
|
||||||
|
+URIP6="ldap://${LOCALIP}:$PORT6/"
|
||||||
|
SURI1="ldaps://${LOCALHOST}:$PORT1/"
|
||||||
|
SURIP1="ldaps://${LOCALIP}:$PORT1/"
|
||||||
|
SURI2="ldaps://${LOCALHOST}:$PORT2/"
|
||||||
|
SURIP2="ldaps://${LOCALIP}:$PORT2/"
|
||||||
|
SURI3="ldaps://${LOCALHOST}:$PORT3/"
|
||||||
|
+SURIP3="ldaps://${LOCALIP}:$PORT3/"
|
||||||
|
SURI4="ldaps://${LOCALHOST}:$PORT4/"
|
||||||
|
+SURIP4="ldaps://${LOCALIP}:$PORT4/"
|
||||||
|
SURI5="ldaps://${LOCALHOST}:$PORT5/"
|
||||||
|
+SURIP5="ldaps://${LOCALIP}:$PORT5/"
|
||||||
|
SURI6="ldaps://${LOCALHOST}:$PORT6/"
|
||||||
|
+SURIP6="ldaps://${LOCALIP}:$PORT6/"
|
||||||
|
|
||||||
|
# LDIF
|
||||||
|
LDIF=$DATADIR/test.ldif
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
2108
openldap-cbinding-ITS-8573-TLS-option-test-suite.patch
Normal file
@ -0,0 +1,582 @@
|
|||||||
|
NOTE: The patch has been adjusted to match the base code before backporting.
|
||||||
|
|
||||||
|
From 8a259e3df16def3f05828f355e98a5089cd6e6d0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
|
||||||
|
Date: Thu, 14 Jun 2018 16:14:15 +0100
|
||||||
|
Subject: [PATCH] ITS#8573 allow all libldap options in tools -o option
|
||||||
|
|
||||||
|
---
|
||||||
|
clients/tools/common.c | 15 ++-
|
||||||
|
doc/devel/args | 2 +-
|
||||||
|
doc/man/man1/ldapcompare.1 | 9 +-
|
||||||
|
doc/man/man1/ldapdelete.1 | 9 +-
|
||||||
|
doc/man/man1/ldapexop.1 | 9 +-
|
||||||
|
doc/man/man1/ldapmodify.1 | 9 +-
|
||||||
|
doc/man/man1/ldapmodrdn.1 | 9 +-
|
||||||
|
doc/man/man1/ldappasswd.1 | 9 +-
|
||||||
|
doc/man/man1/ldapsearch.1 | 9 +-
|
||||||
|
doc/man/man1/ldapwhoami.1 | 13 ++-
|
||||||
|
doc/man/man8/slapcat.8 | 2 +-
|
||||||
|
include/ldap_pvt.h | 5 +
|
||||||
|
libraries/libldap/init.c | 231 ++++++++++++++++++++++---------------
|
||||||
|
servers/slapd/slapcommon.c | 5 +-
|
||||||
|
14 files changed, 200 insertions(+), 136 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/clients/tools/common.c b/clients/tools/common.c
|
||||||
|
index 1cd8a2c1b..b1edffdaf 100644
|
||||||
|
--- a/clients/tools/common.c
|
||||||
|
+++ b/clients/tools/common.c
|
||||||
|
@@ -374,9 +374,9 @@ N_(" -I use SASL Interactive mode\n"),
|
||||||
|
N_(" -n show what would be done but don't actually do it\n"),
|
||||||
|
N_(" -N do not use reverse DNS to canonicalize SASL host name\n"),
|
||||||
|
N_(" -O props SASL security properties\n"),
|
||||||
|
-N_(" -o <opt>[=<optparam>] general options\n"),
|
||||||
|
+N_(" -o <opt>[=<optparam>] any libldap ldap.conf options, plus\n"),
|
||||||
|
+N_(" ldif_wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
|
||||||
|
N_(" nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
|
||||||
|
-N_(" ldif-wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
|
||||||
|
N_(" -p port port on LDAP server\n"),
|
||||||
|
N_(" -Q use SASL Quiet mode\n"),
|
||||||
|
N_(" -R realm SASL realm\n"),
|
||||||
|
@@ -838,6 +838,11 @@ tool_args( int argc, char **argv )
|
||||||
|
if ( (cvalue = strchr( control, '=' )) != NULL ) {
|
||||||
|
*cvalue++ = '\0';
|
||||||
|
}
|
||||||
|
+ for ( next=control; *next; next++ ) {
|
||||||
|
+ if ( *next == '-' ) {
|
||||||
|
+ *next = '_';
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if ( strcasecmp( control, "nettimeout" ) == 0 ) {
|
||||||
|
if( nettimeout.tv_sec != -1 ) {
|
||||||
|
@@ -867,7 +872,7 @@ tool_args( int argc, char **argv )
|
||||||
|
exit( EXIT_FAILURE );
|
||||||
|
}
|
||||||
|
|
||||||
|
- } else if ( strcasecmp( control, "ldif-wrap" ) == 0 ) {
|
||||||
|
+ } else if ( strcasecmp( control, "ldif_wrap" ) == 0 ) {
|
||||||
|
if ( cvalue == 0 ) {
|
||||||
|
ldif_wrap = LDIF_LINE_WIDTH;
|
||||||
|
|
||||||
|
@@ -878,13 +883,13 @@ tool_args( int argc, char **argv )
|
||||||
|
unsigned int u;
|
||||||
|
if ( lutil_atou( &u, cvalue ) ) {
|
||||||
|
fprintf( stderr,
|
||||||
|
- _("Unable to parse ldif-wrap=\"%s\"\n"), cvalue );
|
||||||
|
+ _("Unable to parse ldif_wrap=\"%s\"\n"), cvalue );
|
||||||
|
exit( EXIT_FAILURE );
|
||||||
|
}
|
||||||
|
ldif_wrap = (ber_len_t)u;
|
||||||
|
}
|
||||||
|
|
||||||
|
- } else {
|
||||||
|
+ } else if ( ldap_pvt_conf_option( control, cvalue, 1 ) ) {
|
||||||
|
fprintf( stderr, "Invalid general option name: %s\n",
|
||||||
|
control );
|
||||||
|
usage();
|
||||||
|
diff --git a/doc/devel/args b/doc/devel/args
|
||||||
|
index 9796fe528..c5aa02f11 100644
|
||||||
|
--- a/doc/devel/args
|
||||||
|
+++ b/doc/devel/args
|
||||||
|
@@ -28,7 +28,7 @@ ldapwhoami * DE**HI** NO QR UVWXYZ def*h*** *nop* vwxy
|
||||||
|
-h host
|
||||||
|
-n no-op
|
||||||
|
-N no (SASLprep) normalization of simple bind password
|
||||||
|
- -o general options (currently nettimeout and ldif-wrap only)
|
||||||
|
+ -o general libldap options (plus ldif_wrap and nettimeout for backwards comp.)
|
||||||
|
-p port
|
||||||
|
-v verbose
|
||||||
|
-V version
|
||||||
|
diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
|
||||||
|
index 9e66cd4b2..a0e58d7c3 100644
|
||||||
|
--- a/doc/man/man1/ldapcompare.1
|
||||||
|
+++ b/doc/man/man1/ldapcompare.1
|
||||||
|
@@ -186,13 +186,14 @@ Compare extensions:
|
||||||
|
.TP
|
||||||
|
.BI \-o \ opt \fR[= optparam \fR]
|
||||||
|
|
||||||
|
-Specify general options.
|
||||||
|
-
|
||||||
|
-General options:
|
||||||
|
+Specify any
|
||||||
|
+.BR ldap.conf (5)
|
||||||
|
+option or one of the following:
|
||||||
|
.nf
|
||||||
|
nettimeout=<timeout> (in seconds, or "none" or "max")
|
||||||
|
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
.fi
|
||||||
|
+
|
||||||
|
.TP
|
||||||
|
.BI \-O \ security-properties
|
||||||
|
Specify SASL security properties.
|
||||||
|
diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
|
||||||
|
index 394d35275..85dbf4360 100644
|
||||||
|
--- a/doc/man/man1/ldapdelete.1
|
||||||
|
+++ b/doc/man/man1/ldapdelete.1
|
||||||
|
@@ -192,13 +192,14 @@ Delete extensions:
|
||||||
|
.TP
|
||||||
|
.BI \-o \ opt \fR[= optparam \fR]
|
||||||
|
|
||||||
|
-Specify general options.
|
||||||
|
-
|
||||||
|
-General options:
|
||||||
|
+Specify any
|
||||||
|
+.BR ldap.conf (5)
|
||||||
|
+option or one of the following:
|
||||||
|
.nf
|
||||||
|
nettimeout=<timeout> (in seconds, or "none" or "max")
|
||||||
|
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
.fi
|
||||||
|
+
|
||||||
|
.TP
|
||||||
|
.BI \-O \ security-properties
|
||||||
|
Specify SASL security properties.
|
||||||
|
diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
|
||||||
|
index 503d681ca..26e1730a8 100644
|
||||||
|
--- a/doc/man/man1/ldapexop.1
|
||||||
|
+++ b/doc/man/man1/ldapexop.1
|
||||||
|
@@ -189,13 +189,14 @@ Specify general extensions. \'!\' indicates criticality.
|
||||||
|
.TP
|
||||||
|
.BI \-o \ opt \fR[= optparam \fR]
|
||||||
|
|
||||||
|
-Specify general options.
|
||||||
|
-
|
||||||
|
-General options:
|
||||||
|
+Specify any
|
||||||
|
+.BR ldap.conf (5)
|
||||||
|
+option or one of the following:
|
||||||
|
.nf
|
||||||
|
nettimeout=<timeout> (in seconds, or "none" or "max")
|
||||||
|
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
.fi
|
||||||
|
+
|
||||||
|
.TP
|
||||||
|
.BI \-O \ security-properties
|
||||||
|
Specify SASL security properties.
|
||||||
|
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
|
||||||
|
index 2792d460b..6c277d89c 100644
|
||||||
|
--- a/doc/man/man1/ldapmodify.1
|
||||||
|
+++ b/doc/man/man1/ldapmodify.1
|
||||||
|
@@ -255,13 +255,14 @@ Modify extensions:
|
||||||
|
.TP
|
||||||
|
.BI \-o \ opt \fR[= optparam \fR]]
|
||||||
|
|
||||||
|
-Specify general options.
|
||||||
|
-
|
||||||
|
-General options:
|
||||||
|
+Specify any
|
||||||
|
+.BR ldap.conf (5)
|
||||||
|
+option or one of the following:
|
||||||
|
.nf
|
||||||
|
nettimeout=<timeout> (in seconds, or "none" or "max")
|
||||||
|
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
.fi
|
||||||
|
+
|
||||||
|
.TP
|
||||||
|
.BI \-O \ security-properties
|
||||||
|
Specify SASL security properties.
|
||||||
|
diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
|
||||||
|
index 5d0f3fcd9..b24e500fe 100644
|
||||||
|
--- a/doc/man/man1/ldapmodrdn.1
|
||||||
|
+++ b/doc/man/man1/ldapmodrdn.1
|
||||||
|
@@ -186,13 +186,14 @@ Modrdn extensions:
|
||||||
|
.TP
|
||||||
|
.BI \-o \ opt \fR[= optparam \fR]
|
||||||
|
|
||||||
|
-Specify general options.
|
||||||
|
-
|
||||||
|
-General options:
|
||||||
|
+Specify any
|
||||||
|
+.BR ldap.conf (5)
|
||||||
|
+option or one of the following:
|
||||||
|
.nf
|
||||||
|
nettimeout=<timeout> (in seconds, or "none" or "max")
|
||||||
|
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
.fi
|
||||||
|
+
|
||||||
|
.TP
|
||||||
|
.BI \-O \ security-properties
|
||||||
|
Specify SASL security properties.
|
||||||
|
diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
|
||||||
|
index 36857ab8f..a2805e57b 100644
|
||||||
|
--- a/doc/man/man1/ldappasswd.1
|
||||||
|
+++ b/doc/man/man1/ldappasswd.1
|
||||||
|
@@ -188,13 +188,14 @@ Passwd Modify extensions:
|
||||||
|
.TP
|
||||||
|
.BI \-o \ opt \fR[= optparam \fR]]
|
||||||
|
|
||||||
|
-Specify general options.
|
||||||
|
-
|
||||||
|
-General options:
|
||||||
|
+Specify any
|
||||||
|
+.BR ldap.conf (5)
|
||||||
|
+option or one of the following:
|
||||||
|
.nf
|
||||||
|
nettimeout=<timeout> (in seconds, or "none" or "max")
|
||||||
|
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
.fi
|
||||||
|
+
|
||||||
|
.TP
|
||||||
|
.BI \-O \ security-properties
|
||||||
|
Specify SASL security properties.
|
||||||
|
diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
|
||||||
|
index 036ce6245..1914eafbf 100644
|
||||||
|
--- a/doc/man/man1/ldapsearch.1
|
||||||
|
+++ b/doc/man/man1/ldapsearch.1
|
||||||
|
@@ -332,13 +332,14 @@ Search extensions:
|
||||||
|
.TP
|
||||||
|
.BI \-o \ opt \fR[= optparam \fR]
|
||||||
|
|
||||||
|
-Specify general options.
|
||||||
|
-
|
||||||
|
-General options:
|
||||||
|
+Specify any
|
||||||
|
+.BR ldap.conf (5)
|
||||||
|
+option or one of the following:
|
||||||
|
.nf
|
||||||
|
nettimeout=<timeout> (in seconds, or "none" or "max")
|
||||||
|
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
.fi
|
||||||
|
+
|
||||||
|
.TP
|
||||||
|
.BI \-O \ security-properties
|
||||||
|
Specify SASL security properties.
|
||||||
|
diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
|
||||||
|
index 5912af5ba..2c8cfded2 100644
|
||||||
|
--- a/doc/man/man1/ldapwhoami.1
|
||||||
|
+++ b/doc/man/man1/ldapwhoami.1
|
||||||
|
@@ -143,13 +143,18 @@ WhoAmI extensions:
|
||||||
|
.TP
|
||||||
|
.BI \-o \ opt \fR[= optparam \fR]
|
||||||
|
|
||||||
|
-Specify general options.
|
||||||
|
-
|
||||||
|
-General options:
|
||||||
|
+Specify any
|
||||||
|
+.BR ldap.conf (5)
|
||||||
|
+option or one of the following:
|
||||||
|
.nf
|
||||||
|
nettimeout=<timeout> (in seconds, or "none" or "max")
|
||||||
|
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
|
||||||
|
.fi
|
||||||
|
+
|
||||||
|
+.B -o
|
||||||
|
+option that can be passed here, check
|
||||||
|
+.BR ldap.conf (5)
|
||||||
|
+for details.
|
||||||
|
.TP
|
||||||
|
.BI \-O \ security-properties
|
||||||
|
Specify SASL security properties.
|
||||||
|
diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8
|
||||||
|
index 57c41deff..2085e9176 100644
|
||||||
|
--- a/doc/man/man8/slapcat.8
|
||||||
|
+++ b/doc/man/man8/slapcat.8
|
||||||
|
@@ -149,7 +149,7 @@ Possible generic options/values are:
|
||||||
|
syslog\-level=<level> (see `\-S' in slapd(8))
|
||||||
|
syslog\-user=<user> (see `\-l' in slapd(8))
|
||||||
|
|
||||||
|
- ldif-wrap={no|<n>}
|
||||||
|
+ ldif_wrap={no|<n>}
|
||||||
|
|
||||||
|
.in
|
||||||
|
\fIn\fP is the number of columns allowed for the LDIF output
|
||||||
|
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
|
||||||
|
index 31f37277c..e86b032cb 100644
|
||||||
|
--- a/include/ldap_pvt.h
|
||||||
|
+++ b/include/ldap_pvt.h
|
||||||
|
@@ -326,6 +326,11 @@ struct ldifrecord;
|
||||||
|
LDAP_F ( int ) ldap_pvt_discard LDAP_P((
|
||||||
|
struct ldap *ld, ber_int_t msgid ));
|
||||||
|
|
||||||
|
+/* init.c */
|
||||||
|
+LDAP_F( int )
|
||||||
|
+ldap_pvt_conf_option LDAP_P((
|
||||||
|
+ char *cmd, char *opt, int userconf ));
|
||||||
|
+
|
||||||
|
/* messages.c */
|
||||||
|
LDAP_F( BerElement * )
|
||||||
|
ldap_get_message_ber LDAP_P((
|
||||||
|
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
|
||||||
|
index 548d2c1cb..4a7e81bdb 100644
|
||||||
|
--- a/libraries/libldap/init.c
|
||||||
|
+++ b/libraries/libldap/init.c
|
||||||
|
@@ -147,6 +147,141 @@ static const struct ol_attribute {
|
||||||
|
#define MAX_LDAP_ATTR_LEN sizeof("GSSAPI_ALLOW_REMOTE_PRINCIPAL")
|
||||||
|
#define MAX_LDAP_ENV_PREFIX_LEN 8
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+ldap_int_conf_option(
|
||||||
|
+ struct ldapoptions *gopts,
|
||||||
|
+ char *cmd, char *opt, int userconf )
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ for(i=0; attrs[i].type != ATTR_NONE; i++) {
|
||||||
|
+ void *p;
|
||||||
|
+
|
||||||
|
+ if( !userconf && attrs[i].useronly ) {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if(strcasecmp(cmd, attrs[i].name) != 0) {
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ switch(attrs[i].type) {
|
||||||
|
+ case ATTR_BOOL:
|
||||||
|
+ if((strcasecmp(opt, "on") == 0)
|
||||||
|
+ || (strcasecmp(opt, "yes") == 0)
|
||||||
|
+ || (strcasecmp(opt, "true") == 0))
|
||||||
|
+ {
|
||||||
|
+ LDAP_BOOL_SET(gopts, attrs[i].offset);
|
||||||
|
+
|
||||||
|
+ } else {
|
||||||
|
+ LDAP_BOOL_CLR(gopts, attrs[i].offset);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ case ATTR_INT: {
|
||||||
|
+ char *next;
|
||||||
|
+ long l;
|
||||||
|
+ p = &((char *) gopts)[attrs[i].offset];
|
||||||
|
+ l = strtol( opt, &next, 10 );
|
||||||
|
+ if ( next != opt && next[ 0 ] == '\0' ) {
|
||||||
|
+ * (int*) p = l;
|
||||||
|
+ }
|
||||||
|
+ } break;
|
||||||
|
+
|
||||||
|
+ case ATTR_KV: {
|
||||||
|
+ const struct ol_keyvalue *kv;
|
||||||
|
+
|
||||||
|
+ for(kv = attrs[i].data;
|
||||||
|
+ kv->key != NULL;
|
||||||
|
+ kv++) {
|
||||||
|
+
|
||||||
|
+ if(strcasecmp(opt, kv->key) == 0) {
|
||||||
|
+ p = &((char *) gopts)[attrs[i].offset];
|
||||||
|
+ * (int*) p = kv->value;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ } break;
|
||||||
|
+
|
||||||
|
+ case ATTR_STRING:
|
||||||
|
+ p = &((char *) gopts)[attrs[i].offset];
|
||||||
|
+ if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
|
||||||
|
+ * (char**) p = LDAP_STRDUP(opt);
|
||||||
|
+ break;
|
||||||
|
+ case ATTR_OPTION:
|
||||||
|
+ ldap_set_option( NULL, attrs[i].offset, opt );
|
||||||
|
+ break;
|
||||||
|
+ case ATTR_SASL:
|
||||||
|
+#ifdef HAVE_CYRUS_SASL
|
||||||
|
+ ldap_int_sasl_config( gopts, attrs[i].offset, opt );
|
||||||
|
+#endif
|
||||||
|
+ break;
|
||||||
|
+ case ATTR_GSSAPI:
|
||||||
|
+#ifdef HAVE_GSSAPI
|
||||||
|
+ ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
|
||||||
|
+#endif
|
||||||
|
+ break;
|
||||||
|
+ case ATTR_TLS:
|
||||||
|
+#ifdef HAVE_TLS
|
||||||
|
+ ldap_int_tls_config( NULL, attrs[i].offset, opt );
|
||||||
|
+#endif
|
||||||
|
+ break;
|
||||||
|
+ case ATTR_OPT_TV: {
|
||||||
|
+ struct timeval tv;
|
||||||
|
+ char *next;
|
||||||
|
+ tv.tv_usec = 0;
|
||||||
|
+ tv.tv_sec = strtol( opt, &next, 10 );
|
||||||
|
+ if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
|
||||||
|
+ (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
|
||||||
|
+ }
|
||||||
|
+ } break;
|
||||||
|
+ case ATTR_OPT_INT: {
|
||||||
|
+ long l;
|
||||||
|
+ char *next;
|
||||||
|
+ l = strtol( opt, &next, 10 );
|
||||||
|
+ if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
|
||||||
|
+ int v = (int)l;
|
||||||
|
+ (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
|
||||||
|
+ }
|
||||||
|
+ } break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ( attrs[i].type == ATTR_NONE ) {
|
||||||
|
+ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_config: "
|
||||||
|
+ "unknown option '%s'",
|
||||||
|
+ cmd, 0, 0 );
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int
|
||||||
|
+ldap_pvt_conf_option(
|
||||||
|
+ char *cmd, char *opt, int userconf )
|
||||||
|
+{
|
||||||
|
+ struct ldapoptions *gopts;
|
||||||
|
+ int rc = LDAP_OPT_ERROR;
|
||||||
|
+
|
||||||
|
+ /* Get pointer to global option structure */
|
||||||
|
+ gopts = LDAP_INT_GLOBAL_OPT();
|
||||||
|
+ if (NULL == gopts) {
|
||||||
|
+ return LDAP_NO_MEMORY;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if ( gopts->ldo_valid != LDAP_INITIALIZED ) {
|
||||||
|
+ ldap_int_initialize(gopts, NULL);
|
||||||
|
+ if ( gopts->ldo_valid != LDAP_INITIALIZED )
|
||||||
|
+ return LDAP_LOCAL_ERROR;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return ldap_int_conf_option( gopts, cmd, opt, userconf );
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static void openldap_ldap_init_w_conf(
|
||||||
|
const char *file, int userconf )
|
||||||
|
{
|
||||||
|
@@ -212,101 +347,7 @@ static void openldap_ldap_init_w_conf(
|
||||||
|
while(isspace((unsigned char)*start)) start++;
|
||||||
|
opt = start;
|
||||||
|
|
||||||
|
- for(i=0; attrs[i].type != ATTR_NONE; i++) {
|
||||||
|
- void *p;
|
||||||
|
-
|
||||||
|
- if( !userconf && attrs[i].useronly ) {
|
||||||
|
- continue;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if(strcasecmp(cmd, attrs[i].name) != 0) {
|
||||||
|
- continue;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- switch(attrs[i].type) {
|
||||||
|
- case ATTR_BOOL:
|
||||||
|
- if((strcasecmp(opt, "on") == 0)
|
||||||
|
- || (strcasecmp(opt, "yes") == 0)
|
||||||
|
- || (strcasecmp(opt, "true") == 0))
|
||||||
|
- {
|
||||||
|
- LDAP_BOOL_SET(gopts, attrs[i].offset);
|
||||||
|
-
|
||||||
|
- } else {
|
||||||
|
- LDAP_BOOL_CLR(gopts, attrs[i].offset);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- break;
|
||||||
|
-
|
||||||
|
- case ATTR_INT: {
|
||||||
|
- char *next;
|
||||||
|
- long l;
|
||||||
|
- p = &((char *) gopts)[attrs[i].offset];
|
||||||
|
- l = strtol( opt, &next, 10 );
|
||||||
|
- if ( next != opt && next[ 0 ] == '\0' ) {
|
||||||
|
- * (int*) p = l;
|
||||||
|
- }
|
||||||
|
- } break;
|
||||||
|
-
|
||||||
|
- case ATTR_KV: {
|
||||||
|
- const struct ol_keyvalue *kv;
|
||||||
|
-
|
||||||
|
- for(kv = attrs[i].data;
|
||||||
|
- kv->key != NULL;
|
||||||
|
- kv++) {
|
||||||
|
-
|
||||||
|
- if(strcasecmp(opt, kv->key) == 0) {
|
||||||
|
- p = &((char *) gopts)[attrs[i].offset];
|
||||||
|
- * (int*) p = kv->value;
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
- } break;
|
||||||
|
-
|
||||||
|
- case ATTR_STRING:
|
||||||
|
- p = &((char *) gopts)[attrs[i].offset];
|
||||||
|
- if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
|
||||||
|
- * (char**) p = LDAP_STRDUP(opt);
|
||||||
|
- break;
|
||||||
|
- case ATTR_OPTION:
|
||||||
|
- ldap_set_option( NULL, attrs[i].offset, opt );
|
||||||
|
- break;
|
||||||
|
- case ATTR_SASL:
|
||||||
|
-#ifdef HAVE_CYRUS_SASL
|
||||||
|
- ldap_int_sasl_config( gopts, attrs[i].offset, opt );
|
||||||
|
-#endif
|
||||||
|
- break;
|
||||||
|
- case ATTR_GSSAPI:
|
||||||
|
-#ifdef HAVE_GSSAPI
|
||||||
|
- ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
|
||||||
|
-#endif
|
||||||
|
- break;
|
||||||
|
- case ATTR_TLS:
|
||||||
|
-#ifdef HAVE_TLS
|
||||||
|
- ldap_int_tls_config( NULL, attrs[i].offset, opt );
|
||||||
|
-#endif
|
||||||
|
- break;
|
||||||
|
- case ATTR_OPT_TV: {
|
||||||
|
- struct timeval tv;
|
||||||
|
- char *next;
|
||||||
|
- tv.tv_usec = 0;
|
||||||
|
- tv.tv_sec = strtol( opt, &next, 10 );
|
||||||
|
- if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
|
||||||
|
- (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
|
||||||
|
- }
|
||||||
|
- } break;
|
||||||
|
- case ATTR_OPT_INT: {
|
||||||
|
- long l;
|
||||||
|
- char *next;
|
||||||
|
- l = strtol( opt, &next, 10 );
|
||||||
|
- if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
|
||||||
|
- int v = (int)l;
|
||||||
|
- (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
|
||||||
|
- }
|
||||||
|
- } break;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
+ ldap_int_conf_option( gopts, cmd, opt, userconf );
|
||||||
|
}
|
||||||
|
|
||||||
|
fclose(fp);
|
||||||
|
diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
|
||||||
|
index 87ea0ea06..39384e5e9 100644
|
||||||
|
--- a/servers/slapd/slapcommon.c
|
||||||
|
+++ b/servers/slapd/slapcommon.c
|
||||||
|
@@ -228,7 +228,8 @@ parse_slapopt( int tool, int *mode )
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
- } else if ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) {
|
||||||
|
+ } else if ( ( strncasecmp( optarg, "ldif_wrap", len ) == 0 ) ||
|
||||||
|
+ ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) ) {
|
||||||
|
switch ( tool ) {
|
||||||
|
case SLAPCAT:
|
||||||
|
if ( strcasecmp( p, "no" ) == 0 ) {
|
||||||
|
@@ -237,7 +238,7 @@ parse_slapopt( int tool, int *mode )
|
||||||
|
} else {
|
||||||
|
unsigned int u;
|
||||||
|
if ( lutil_atou( &u, p ) ) {
|
||||||
|
- Debug( LDAP_DEBUG_ANY, "unable to parse ldif-wrap=\"%s\".\n", p, 0, 0 );
|
||||||
|
+ Debug( LDAP_DEBUG_ANY, "unable to parse ldif_wrap=\"%s\".\n", p, 0, 0 );
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
ldif_wrap = (ber_len_t)u;
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch
@ -0,0 +1,631 @@
|
|||||||
|
NOTE: The patch has been adjusted to match the base code before backporting.
|
||||||
|
|
||||||
|
From 3cd50fa8b32a21040a9892e2a8a7a9dfc7541ce6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Isaac Boukris <iboukris@gmail.com>
|
||||||
|
Date: Tue, 14 Apr 2020 16:10:48 +0300
|
||||||
|
Subject: [PATCH] ITS#9189 rework sasl-cbinding support
|
||||||
|
|
||||||
|
Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use,
|
||||||
|
defaults to "none".
|
||||||
|
|
||||||
|
Add "tls-endpoint" binding type implementing "tls-server-end-point" from
|
||||||
|
RFC 5929, which is compatible with Windows.
|
||||||
|
|
||||||
|
Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.
|
||||||
|
---
|
||||||
|
doc/man/man3/ldap_get_option.3 | 16 +++++
|
||||||
|
doc/man/man5/ldap.conf.5 | 3 +
|
||||||
|
doc/man/man5/slapd-config.5 | 4 ++
|
||||||
|
doc/man/man5/slapd.conf.5 | 3 +
|
||||||
|
include/ldap.h | 5 ++
|
||||||
|
include/ldap_pvt.h | 5 ++
|
||||||
|
libraries/libldap/cyrus.c | 103 ++++++++++++++++++++++++++++-----
|
||||||
|
libraries/libldap/init.c | 1 +
|
||||||
|
libraries/libldap/ldap-int.h | 1 +
|
||||||
|
libraries/libldap/ldap-tls.h | 2 +
|
||||||
|
libraries/libldap/tls2.c | 7 +++
|
||||||
|
libraries/libldap/tls_g.c | 59 +++++++++++++++++++
|
||||||
|
libraries/libldap/tls_o.c | 45 ++++++++++++++
|
||||||
|
servers/slapd/bconfig.c | 11 +++-
|
||||||
|
servers/slapd/config.c | 1 +
|
||||||
|
servers/slapd/connection.c | 9 +--
|
||||||
|
servers/slapd/proto-slap.h | 4 +-
|
||||||
|
servers/slapd/sasl.c | 27 ++++++---
|
||||||
|
18 files changed, 274 insertions(+), 32 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
|
||||||
|
index 4f03a01a3..fd1b3c91c 100644
|
||||||
|
--- a/doc/man/man3/ldap_get_option.3
|
||||||
|
+++ b/doc/man/man3/ldap_get_option.3
|
||||||
|
@@ -563,6 +563,22 @@ must be a
|
||||||
|
.BR "char **" .
|
||||||
|
Its content needs to be freed by the caller using
|
||||||
|
.BR ldap_memfree (3).
|
||||||
|
+.B LDAP_OPT_X_SASL_CBINDING
|
||||||
|
+Sets/gets the channel-binding type to use in SASL,
|
||||||
|
+one of
|
||||||
|
+.BR LDAP_OPT_X_SASL_CBINDING_NONE
|
||||||
|
+(the default),
|
||||||
|
+.BR LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE
|
||||||
|
+the "tls-unique" type from RCF 5929.
|
||||||
|
+.BR LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT
|
||||||
|
+the "tls-server-end-point" from RCF 5929, compatible with Windows.
|
||||||
|
+.BR invalue
|
||||||
|
+must be
|
||||||
|
+.BR "const int *" ;
|
||||||
|
+.BR outvalue
|
||||||
|
+must be
|
||||||
|
+.BR "int *" .
|
||||||
|
+.TP
|
||||||
|
.SH TCP OPTIONS
|
||||||
|
The TCP options are OpenLDAP specific.
|
||||||
|
Mainly intended for use with Linux, they may not be portable.
|
||||||
|
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
|
||||||
|
index 65ad40c1b..4974f8340 100644
|
||||||
|
--- a/doc/man/man5/ldap.conf.5
|
||||||
|
+++ b/doc/man/man5/ldap.conf.5
|
||||||
|
@@ -286,6 +286,9 @@ size allowed. 0 disables security layers. The default is 65536.
|
||||||
|
.TP
|
||||||
|
.B SASL_NOCANON <on/true/yes/off/false/no>
|
||||||
|
Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off.
|
||||||
|
+.TP
|
||||||
|
+.B SASL_CBINDING <none/tls-unique/tls-endpoint>
|
||||||
|
+The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none.
|
||||||
|
.SH GSSAPI OPTIONS
|
||||||
|
If OpenLDAP is built with Generic Security Services Application Programming Interface support,
|
||||||
|
there are more options you can specify.
|
||||||
|
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
|
||||||
|
index 18518a186..dc0ab769f 100644
|
||||||
|
--- a/doc/man/man5/slapd-config.5
|
||||||
|
+++ b/doc/man/man5/slapd-config.5
|
||||||
|
@@ -720,6 +720,10 @@ Used to specify the fully qualified domain name used for SASL processing.
|
||||||
|
.B olcSaslRealm: <realm>
|
||||||
|
Specify SASL realm. Default is empty.
|
||||||
|
.TP
|
||||||
|
+.B olcSaslCbinding: none | tls-unique | tls-endpoint
|
||||||
|
+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
|
||||||
|
+Default is none.
|
||||||
|
+.TP
|
||||||
|
.B olcSaslSecProps: <properties>
|
||||||
|
Used to specify Cyrus SASL security properties.
|
||||||
|
The
|
||||||
|
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
|
||||||
|
index f2094b7fd..73a151a70 100644
|
||||||
|
--- a/doc/man/man5/slapd.conf.5
|
||||||
|
+++ b/doc/man/man5/slapd.conf.5
|
||||||
|
@@ -914,6 +914,9 @@ The
|
||||||
|
property specifies the maximum security layer receive buffer
|
||||||
|
size allowed. 0 disables security layers. The default is 65536.
|
||||||
|
.TP
|
||||||
|
+.B sasl\-cbinding none | tls-unique | tls-endpoint
|
||||||
|
+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
|
||||||
|
+.TP
|
||||||
|
.B schemadn <dn>
|
||||||
|
Specify the distinguished name for the subschema subentry that
|
||||||
|
controls the entries on this server. The default is "cn=Subschema".
|
||||||
|
diff --git a/include/ldap.h b/include/ldap.h
|
||||||
|
index 7b4fc9d64..9d5679ae8 100644
|
||||||
|
--- a/include/ldap.h
|
||||||
|
+++ b/include/ldap.h
|
||||||
|
@@ -186,6 +186,10 @@ LDAP_BEGIN_DECL
|
||||||
|
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
|
||||||
|
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
|
||||||
|
|
||||||
|
+#define LDAP_OPT_X_SASL_CBINDING_NONE 0
|
||||||
|
+#define LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE 1
|
||||||
|
+#define LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT 2
|
||||||
|
+
|
||||||
|
/* OpenLDAP SASL options */
|
||||||
|
#define LDAP_OPT_X_SASL_MECH 0x6100
|
||||||
|
#define LDAP_OPT_X_SASL_REALM 0x6101
|
||||||
|
@@ -201,6 +205,7 @@ LDAP_BEGIN_DECL
|
||||||
|
#define LDAP_OPT_X_SASL_NOCANON 0x610b
|
||||||
|
#define LDAP_OPT_X_SASL_USERNAME 0x610c /* read-only */
|
||||||
|
#define LDAP_OPT_X_SASL_GSS_CREDS 0x610d
|
||||||
|
+#define LDAP_OPT_X_SASL_CBINDING 0x610e
|
||||||
|
|
||||||
|
/* OpenLDAP GSSAPI options */
|
||||||
|
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
|
||||||
|
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
|
||||||
|
index 783d280a5..01220d00a 100644
|
||||||
|
--- a/include/ldap_pvt.h
|
||||||
|
+++ b/include/ldap_pvt.h
|
||||||
|
@@ -262,6 +262,10 @@ LDAP_F (void *) ldap_pvt_sasl_mutex_new LDAP_P((void));
|
||||||
|
LDAP_F (int) ldap_pvt_sasl_mutex_lock LDAP_P((void *mutex));
|
||||||
|
LDAP_F (int) ldap_pvt_sasl_mutex_unlock LDAP_P((void *mutex));
|
||||||
|
LDAP_F (void) ldap_pvt_sasl_mutex_dispose LDAP_P((void *mutex));
|
||||||
|
+
|
||||||
|
+LDAP_F (int) ldap_pvt_sasl_cbinding_parse LDAP_P(( const char *arg ));
|
||||||
|
+LDAP_F (void *) ldap_pvt_sasl_cbinding LDAP_P(( void *ssl, int type,
|
||||||
|
+ int is_server ));
|
||||||
|
#endif /* HAVE_CYRUS_SASL */
|
||||||
|
|
||||||
|
struct sockbuf; /* avoid pulling in <lber.h> */
|
||||||
|
@@ -438,6 +442,7 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
|
||||||
|
LDAPDN_rewrite_dummy *func, unsigned flags ));
|
||||||
|
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
|
||||||
|
LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
|
||||||
|
+LDAP_F (int) ldap_pvt_tls_get_endpoint LDAP_P(( void *ctx, struct berval *buf, int is_server ));
|
||||||
|
|
||||||
|
LDAP_END_DECL
|
||||||
|
|
||||||
|
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
|
||||||
|
index beb1cf4a0..4d4d5b3e3 100644
|
||||||
|
--- a/libraries/libldap/cyrus.c
|
||||||
|
+++ b/libraries/libldap/cyrus.c
|
||||||
|
@@ -372,6 +372,65 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
|
||||||
|
return LDAP_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
+int ldap_pvt_sasl_cbinding_parse( const char *arg )
|
||||||
|
+{
|
||||||
|
+ int i = -1;
|
||||||
|
+
|
||||||
|
+ if ( strcasecmp(arg, "none") == 0 )
|
||||||
|
+ i = LDAP_OPT_X_SASL_CBINDING_NONE;
|
||||||
|
+ else if ( strcasecmp(arg, "tls-unique") == 0 )
|
||||||
|
+ i = LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE;
|
||||||
|
+ else if ( strcasecmp(arg, "tls-endpoint") == 0 )
|
||||||
|
+ i = LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT;
|
||||||
|
+
|
||||||
|
+ return i;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void *ldap_pvt_sasl_cbinding( void *ssl, int type, int is_server )
|
||||||
|
+{
|
||||||
|
+#if defined(SASL_CHANNEL_BINDING) && defined(HAVE_TLS)
|
||||||
|
+ char unique_prefix[] = "tls-unique:";
|
||||||
|
+ char endpoint_prefix[] = "tls-server-end-point:";
|
||||||
|
+ char cbinding[ 64 ];
|
||||||
|
+ struct berval cbv = { 64, cbinding };
|
||||||
|
+ void *cb_data; /* used since cb->data is const* */
|
||||||
|
+ sasl_channel_binding_t *cb;
|
||||||
|
+ char *prefix;
|
||||||
|
+ int plen;
|
||||||
|
+
|
||||||
|
+ switch (type) {
|
||||||
|
+ case LDAP_OPT_X_SASL_CBINDING_NONE:
|
||||||
|
+ return NULL;
|
||||||
|
+ case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
|
||||||
|
+ if ( !ldap_pvt_tls_get_unique( ssl, &cbv, is_server ))
|
||||||
|
+ return NULL;
|
||||||
|
+ prefix = unique_prefix;
|
||||||
|
+ plen = sizeof(unique_prefix) -1;
|
||||||
|
+ break;
|
||||||
|
+ case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
|
||||||
|
+ if ( !ldap_pvt_tls_get_endpoint( ssl, &cbv, is_server ))
|
||||||
|
+ return NULL;
|
||||||
|
+ prefix = endpoint_prefix;
|
||||||
|
+ plen = sizeof(endpoint_prefix) -1;
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len );
|
||||||
|
+ cb->len = plen + cbv.bv_len;
|
||||||
|
+ cb->data = cb_data = cb+1;
|
||||||
|
+ memcpy( cb_data, prefix, plen );
|
||||||
|
+ memcpy( cb_data + plen, cbv.bv_val, cbv.bv_len );
|
||||||
|
+ cb->name = "ldap";
|
||||||
|
+ cb->critical = 0;
|
||||||
|
+
|
||||||
|
+ return cb;
|
||||||
|
+#else
|
||||||
|
+ return NULL;
|
||||||
|
+#endif
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int
|
||||||
|
ldap_int_sasl_bind(
|
||||||
|
LDAP *ld,
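Review bot: `cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len );` in ldap_pvt_sasl_cbinding is dereferenced on the very next line with no NULL check, so an allocation failure becomes a null-pointer dereference inside the bind path; add `if ( cb == NULL ) return NULL;` — both callers in this series already treat a NULL return as "no binding". Separately, `cb->critical = 0;` makes the binding advisory at the Cyrus layer, so whether a peer that omits or mismatches the binding is rejected is left to the mechanism underneath (the test comment later in this series notes MIT and Heimdal GSSAPI differ on exactly that); a comment such as `/* non-critical: rejecting a peer that sends no binding is left to the SASL mechanism */` would stop the next reader from assuming this option alone guarantees MITM resistance. Minor: `cb_data + plen` is arithmetic on a `void *`, a GCC extension; `(char *)cb_data + plen` is portable.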
|
||||||
|
@@ -497,17 +556,12 @@ ldap_int_sasl_bind(
|
||||||
|
(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
|
||||||
|
LDAP_FREE( authid.bv_val );
|
||||||
|
#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */
|
||||||
|
- {
|
||||||
|
- char cbinding[64];
|
||||||
|
- struct berval cbv = { sizeof(cbinding), cbinding };
|
||||||
|
- if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
|
||||||
|
- sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
|
||||||
|
- cbv.bv_len);
|
||||||
|
- cb->name = "ldap";
|
||||||
|
- cb->critical = 0;
|
||||||
|
- cb->data = (char *)(cb+1);
|
||||||
|
- cb->len = cbv.bv_len;
|
||||||
|
- memcpy( cb->data, cbv.bv_val, cbv.bv_len );
|
||||||
|
+ if ( ld->ld_defconn->lconn_sasl_cbind == NULL ) {
|
||||||
|
+ void *cb;
|
||||||
|
+ cb = ldap_pvt_sasl_cbinding( ssl,
|
||||||
|
+ ld->ld_options.ldo_sasl_cbinding,
|
||||||
|
+ 0 );
|
||||||
|
+ if ( cb != NULL ) {
|
||||||
|
sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
|
||||||
|
SASL_CHANNEL_BINDING, cb );
|
||||||
|
ld->ld_defconn->lconn_sasl_cbind = cb;
|
||||||
|
@@ -931,12 +983,20 @@ int ldap_pvt_sasl_secprops(
|
||||||
|
int
|
||||||
|
ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg )
|
||||||
|
{
|
||||||
|
- int rc;
|
||||||
|
+ int rc, i;
|
||||||
|
|
||||||
|
switch( option ) {
|
||||||
|
case LDAP_OPT_X_SASL_SECPROPS:
|
||||||
|
rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops );
|
||||||
|
if( rc == LDAP_SUCCESS ) return 0;
|
||||||
|
+ break;
|
||||||
|
+ case LDAP_OPT_X_SASL_CBINDING:
|
||||||
|
+ i = ldap_pvt_sasl_cbinding_parse( arg );
|
||||||
|
+ if ( i >= 0 ) {
|
||||||
|
+ lo->ldo_sasl_cbinding = i;
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return -1;
|
||||||
|
@@ -1042,6 +1102,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
|
||||||
|
/* this option is write only */
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
+ case LDAP_OPT_X_SASL_CBINDING:
|
||||||
|
+ *(int *)arg = ld->ld_options.ldo_sasl_cbinding;
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
#ifdef SASL_GSS_CREDS
|
||||||
|
case LDAP_OPT_X_SASL_GSS_CREDS: {
|
||||||
|
sasl_conn_t *ctx;
|
||||||
|
@@ -1143,6 +1207,17 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
|
||||||
|
return sc == LDAP_SUCCESS ? 0 : -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ case LDAP_OPT_X_SASL_CBINDING:
|
||||||
|
+ if ( !arg ) return -1;
|
||||||
|
+ switch( *(int *) arg ) {
|
||||||
|
+ case LDAP_OPT_X_SASL_CBINDING_NONE:
|
||||||
|
+ case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
|
||||||
|
+ case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
|
||||||
|
+ ld->ld_options.ldo_sasl_cbinding = *(int *) arg;
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return -1;
|
||||||
|
+
|
||||||
|
#ifdef SASL_GSS_CREDS
|
||||||
|
case LDAP_OPT_X_SASL_GSS_CREDS: {
|
||||||
|
sasl_conn_t *ctx;
|
||||||
|
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
|
||||||
|
index 3468ee249..dfe1ea9da 100644
|
||||||
|
--- a/libraries/libldap/init.c
|
||||||
|
+++ b/libraries/libldap/init.c
|
||||||
|
@@ -110,6 +110,7 @@ static const struct ol_attribute {
|
||||||
|
offsetof(struct ldapoptions, ldo_def_sasl_authzid)},
|
||||||
|
{0, ATTR_SASL, "SASL_SECPROPS", NULL, LDAP_OPT_X_SASL_SECPROPS},
|
||||||
|
{0, ATTR_BOOL, "SASL_NOCANON", NULL, LDAP_BOOL_SASL_NOCANON},
|
||||||
|
+ {0, ATTR_SASL, "SASL_CBINDING", NULL, LDAP_OPT_X_SASL_CBINDING},
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef HAVE_GSSAPI
|
||||||
|
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
|
||||||
|
index 67e8bd6da..c6c6891a9 100644
|
||||||
|
--- a/libraries/libldap/ldap-int.h
|
||||||
|
+++ b/libraries/libldap/ldap-int.h
|
||||||
|
@@ -300,6 +300,7 @@ struct ldapoptions {
|
||||||
|
|
||||||
|
/* SASL Security Properties */
|
||||||
|
struct sasl_security_properties ldo_sasl_secprops;
|
||||||
|
+ int ldo_sasl_cbinding;
|
||||||
|
#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
|
||||||
|
#else
|
||||||
|
#define LDAP_LDO_SASL_NULLARG
|
||||||
|
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
|
||||||
|
index efd51aaa2..9f01ddda1 100644
|
||||||
|
--- a/libraries/libldap/ldap-tls.h
|
||||||
|
+++ b/libraries/libldap/ldap-tls.h
|
||||||
|
@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
|
||||||
|
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
|
||||||
|
typedef int (TI_session_strength)(tls_session *sess);
|
||||||
|
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
|
||||||
|
+typedef int (TI_session_endpoint)(tls_session *sess, struct berval *buf, int is_server);
|
||||||
|
typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
|
||||||
|
|
||||||
|
typedef void (TI_thr_init)(void);
|
||||||
|
@@ -69,6 +70,7 @@ typedef struct tls_impl {
|
||||||
|
TI_session_chkhost *ti_session_chkhost;
|
||||||
|
TI_session_strength *ti_session_strength;
|
||||||
|
TI_session_unique *ti_session_unique;
|
||||||
|
+ TI_session_endpoint *ti_session_endpoint;
|
||||||
|
TI_session_peercert *ti_session_peercert;
|
||||||
|
|
||||||
|
Sockbuf_IO *ti_sbio;
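Review bot: Inserting `ti_session_endpoint` in the middle of `struct tls_impl` shifts every positional initializer in the `ldap_int_tls_impl` tables, and this patch only updates the GnuTLS and OpenSSL tables; any other TLS backend present in the tree (2.4 trees have shipped a MozNSS one) would now compile with its peercert function landing in the new slot and everything after it one field off, with at most an incompatible-pointer warning to show for it. Appending the new member after `ti_session_peercert`, or converting the tables to designated initializers (`.ti_session_endpoint = tlso_session_endpoint,`), removes that hazard; the "adjusted before backporting" note at the top of this file suggests confirming the list of tls_*.c backends in this tree.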
|
||||||
|
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
||||||
|
index 79a651a38..72827a1a3 100644
|
||||||
|
--- a/libraries/libldap/tls2.c
|
||||||
|
+++ b/libraries/libldap/tls2.c
|
||||||
|
@@ -1200,6 +1200,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
|
||||||
|
return tls_imp->ti_session_unique( session, buf, is_server );
|
||||||
|
}
|
||||||
|
|
||||||
|
+int
|
||||||
|
+ldap_pvt_tls_get_endpoint( void *s, struct berval *buf, int is_server )
|
||||||
|
+{
|
||||||
|
+ tls_session *session = s;
|
||||||
|
+ return tls_imp->ti_session_endpoint( session, buf, is_server );
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int
|
||||||
|
ldap_pvt_tls_get_peercert( void *s, struct berval *der )
|
||||||
|
{
|
||||||
|
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
|
||||||
|
index 956a9ec90..ef0f44e20 100644
|
||||||
|
--- a/libraries/libldap/tls_g.c
|
||||||
|
+++ b/libraries/libldap/tls_g.c
|
||||||
|
@@ -729,6 +729,64 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+tlsg_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
|
||||||
|
+{
|
||||||
|
+ tlsg_session *s = (tlsg_session *)sess;
|
||||||
|
+ const gnutls_datum_t *cert_data;
|
||||||
|
+ gnutls_x509_crt_t server_cert;
|
||||||
|
+ gnutls_digest_algorithm_t md;
|
||||||
|
+ int sign_algo, md_len, rc;
|
||||||
|
+
|
||||||
|
+ if ( is_server )
|
||||||
|
+ cert_data = gnutls_certificate_get_ours( s->session );
|
||||||
|
+ else
|
||||||
|
+ cert_data = gnutls_certificate_get_peers( s->session, NULL );
|
||||||
|
+
|
||||||
|
+ if ( cert_data == NULL )
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ rc = gnutls_x509_crt_init( &server_cert );
|
||||||
|
+ if ( rc != GNUTLS_E_SUCCESS )
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ rc = gnutls_x509_crt_import( server_cert, cert_data, GNUTLS_X509_FMT_DER );
|
||||||
|
+ if ( rc != GNUTLS_E_SUCCESS ) {
|
||||||
|
+ gnutls_x509_crt_deinit( server_cert );
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ sign_algo = gnutls_x509_crt_get_signature_algorithm( server_cert );
|
||||||
|
+ gnutls_x509_crt_deinit( server_cert );
|
||||||
|
+ if ( sign_algo <= GNUTLS_SIGN_UNKNOWN )
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ md = gnutls_sign_get_hash_algorithm( sign_algo );
|
||||||
|
+ if ( md == GNUTLS_DIG_UNKNOWN )
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ /* See RFC 5929 */
|
||||||
|
+ switch (md) {
|
||||||
|
+ case GNUTLS_DIG_NULL:
|
||||||
|
+ case GNUTLS_DIG_MD2:
|
||||||
|
+ case GNUTLS_DIG_MD5:
|
||||||
|
+ case GNUTLS_DIG_SHA1:
|
||||||
|
+ md = GNUTLS_DIG_SHA256;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ md_len = gnutls_hash_get_len( md );
|
||||||
|
+ if ( md_len == 0 || md_len > buf->bv_len )
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ rc = gnutls_hash_fast( md, cert_data->data, cert_data->size, buf->bv_val );
|
||||||
|
+ if ( rc != GNUTLS_E_SUCCESS )
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ buf->bv_len = md_len;
|
||||||
|
+
|
||||||
|
+ return md_len;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
tlsg_session_peercert( tls_session *sess, struct berval *der )
|
||||||
|
{
|
||||||
|
@@ -1117,6 +1175,7 @@ tls_impl ldap_int_tls_impl = {
|
||||||
|
tlsg_session_chkhost,
|
||||||
|
tlsg_session_strength,
|
||||||
|
tlsg_session_unique,
|
||||||
|
+ tlsg_session_endpoint,
|
||||||
|
tlsg_session_peercert,
|
||||||
|
|
||||||
|
&tlsg_sbio,
|
||||||
|
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
|
||||||
|
index cf97d7632..aa855d77a 100644
|
||||||
|
--- a/libraries/libldap/tls_o.c
|
||||||
|
+++ b/libraries/libldap/tls_o.c
|
||||||
|
@@ -858,6 +858,50 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
|
||||||
|
return buf->bv_len;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
|
||||||
|
+{
|
||||||
|
+ tlso_session *s = (tlso_session *)sess;
|
||||||
|
+ const EVP_MD *md;
|
||||||
|
+ unsigned int md_len;
|
||||||
|
+ X509 *cert;
|
||||||
|
+
|
||||||
|
+ if ( buf->bv_len < EVP_MAX_MD_SIZE )
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if ( is_server )
|
||||||
|
+ cert = SSL_get_certificate( s );
|
||||||
|
+ else
|
||||||
|
+ cert = SSL_get_peer_certificate( s );
|
||||||
|
+
|
||||||
|
+ if ( cert == NULL )
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
||||||
|
+ md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
|
||||||
|
+#else
|
||||||
|
+ md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ /* See RFC 5929 */
|
||||||
|
+ if ( md == NULL ||
|
||||||
|
+ md == EVP_md_null() ||
|
||||||
|
+#ifndef OPENSSL_NO_MD2
|
||||||
|
+ md == EVP_md2() ||
|
||||||
|
+#endif
|
||||||
|
+ md == EVP_md4() ||
|
||||||
|
+ md == EVP_md5() ||
|
||||||
|
+ md == EVP_sha1() )
|
||||||
|
+ md = EVP_sha256();
|
||||||
|
+
|
||||||
|
+ if ( !X509_digest( cert, md, buf->bv_val, &md_len ))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ buf->bv_len = md_len;
|
||||||
|
+
|
||||||
|
+ return md_len;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
tlso_session_peercert( tls_session *sess, struct berval *der )
|
||||||
|
{
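Review bot: On the client path `cert = SSL_get_peer_certificate( s );` hands back a new reference that the caller owns, and tlso_session_endpoint never calls `X509_free`, so every client-side bind with tls-endpoint leaks the peer certificate (the `is_server` path is fine: `SSL_get_certificate` does not bump the refcount). Both the failed-`X509_digest` return and the success return need the release; the rewrite below drops the reference once on the way out and keeps the return contract (0 on failure, digest length on success).
```c
	/* … unchanged: size check, certificate lookup and digest selection … */
	if ( !X509_digest( cert, md, buf->bv_val, &md_len ))
		md_len = 0;

	/* SSL_get_peer_certificate() returns a new reference that we own;
	 * SSL_get_certificate() (server side) does not. */
	if ( !is_server )
		X509_free( cert );

	if ( md_len == 0 )
		return 0;

	buf->bv_len = md_len;

	return md_len;
}
```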
|
||||||
|
@@ -1474,6 +1518,7 @@ tls_impl ldap_int_tls_impl = {
|
||||||
|
tlso_session_chkhost,
|
||||||
|
tlso_session_strength,
|
||||||
|
tlso_session_unique,
|
||||||
|
+ tlso_session_endpoint,
|
||||||
|
tlso_session_peercert,
|
||||||
|
|
||||||
|
&tlso_sbio,
|
||||||
|
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
|
||||||
|
index 6069ee203..4c90715be 100644
|
||||||
|
--- a/servers/slapd/bconfig.c
|
||||||
|
+++ b/servers/slapd/bconfig.c
|
||||||
|
@@ -630,6 +630,15 @@ static ConfigTable config_back_cf_table[] = {
|
||||||
|
#endif
|
||||||
|
"( OLcfgGlAt:89 NAME 'olcSaslAuxprops' "
|
||||||
|
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
|
||||||
|
+ { "sasl-cbinding", NULL, 2, 2, 0,
|
||||||
|
+#ifdef HAVE_CYRUS_SASL
|
||||||
|
+ ARG_STRING, &sasl_cbinding,
|
||||||
|
+#else
|
||||||
|
+ ARG_IGNORED, NULL,
|
||||||
|
+#endif
|
||||||
|
+ "( OLcfgGlAt:100 NAME 'olcSaslCBinding' "
|
||||||
|
+ "EQUALITY caseIgnoreMatch "
|
||||||
|
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
|
||||||
|
{ "sasl-host", "host", 2, 2, 0,
|
||||||
|
#ifdef HAVE_CYRUS_SASL
|
||||||
|
ARG_STRING|ARG_UNIQUE, &sasl_host,
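Review bot: The new `sasl-cbinding` entry is plain `ARG_STRING, &sasl_cbinding,` with no value check and, unlike the neighbouring `sasl-host` line, no `ARG_UNIQUE`, so a misspelt value such as `tls-endpint` is accepted at config time and only discovered — silently, as "none" — at the first bind. For a directive whose purpose is MITM resistance that is fail-open; at minimum make it `ARG_STRING|ARG_UNIQUE, &sasl_cbinding,` and reject unknown values when the directive is read (`ldap_pvt_sasl_cbinding_parse` already returns -1 for them) instead of re-parsing the string on every TLS connection in slap_sasl_cbinding. The same validation would need to cover olcSaslCBinding in cn=config, since the test later in this series changes it at runtime via ldapmodify.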
|
||||||
|
@@ -948,7 +957,7 @@ static ConfigOCs cf_ocs[] = {
|
||||||
|
"olcPluginLogFile $ olcReadOnly $ olcReferral $ "
|
||||||
|
"olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "
|
||||||
|
"olcRootDSE $ "
|
||||||
|
- "olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
|
||||||
|
+ "olcSaslAuxprops $ olcSaslCBinding $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
|
||||||
|
"olcSecurity $ olcServerID $ olcSizeLimit $ "
|
||||||
|
"olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ "
|
||||||
|
"olcTCPBuffer $ "
|
||||||
|
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
|
||||||
|
index 060d3410f..3d713d4fb 100644
|
||||||
|
--- a/servers/slapd/config.c
|
||||||
|
+++ b/servers/slapd/config.c
|
||||||
|
@@ -73,6 +73,7 @@ char *global_host = NULL;
|
||||||
|
struct berval global_host_bv = BER_BVNULL;
|
||||||
|
char *global_realm = NULL;
|
||||||
|
char *sasl_host = NULL;
|
||||||
|
+char *sasl_cbinding = NULL;
|
||||||
|
char **default_passwd_hash = NULL;
|
||||||
|
struct berval default_search_base = BER_BVNULL;
|
||||||
|
struct berval default_search_nbase = BER_BVNULL;
|
||||||
|
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
|
||||||
|
index 5f11a0cf1..6d9bb8e85 100644
|
||||||
|
--- a/servers/slapd/connection.c
|
||||||
|
+++ b/servers/slapd/connection.c
|
||||||
|
@@ -1440,12 +1440,9 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
|
||||||
|
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
|
||||||
|
slap_sasl_external( c, c->c_tls_ssf, &authid );
|
||||||
|
if ( authid.bv_val ) free( authid.bv_val );
|
||||||
|
- {
|
||||||
|
- char cbinding[64];
|
||||||
|
- struct berval cbv = { sizeof(cbinding), cbinding };
|
||||||
|
- if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
|
||||||
|
- slap_sasl_cbinding( c, &cbv );
|
||||||
|
- }
|
||||||
|
+
|
||||||
|
+ slap_sasl_cbinding( c, ssl );
|
||||||
|
+
|
||||||
|
} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
|
||||||
|
LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */
|
||||||
|
slapd_set_write( s, 1 );
|
||||||
|
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
|
||||||
|
index b89fa836a..0790a8004 100644
|
||||||
|
--- a/servers/slapd/proto-slap.h
|
||||||
|
+++ b/servers/slapd/proto-slap.h
|
||||||
|
@@ -1681,8 +1681,7 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
|
||||||
|
slap_ssf_t ssf, /* relative strength of external security */
|
||||||
|
struct berval *authid ); /* asserted authenication id */
|
||||||
|
|
||||||
|
-LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
|
||||||
|
- struct berval *cbv );
|
||||||
|
+LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, void *ssl );
|
||||||
|
|
||||||
|
LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
|
||||||
|
LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
|
||||||
|
@@ -2072,6 +2071,7 @@ LDAP_SLAPD_V (char *) global_host;
|
||||||
|
LDAP_SLAPD_V (struct berval) global_host_bv;
|
||||||
|
LDAP_SLAPD_V (char *) global_realm;
|
||||||
|
LDAP_SLAPD_V (char *) sasl_host;
|
||||||
|
+LDAP_SLAPD_V (char *) sasl_cbinding;
|
||||||
|
LDAP_SLAPD_V (char *) slap_sasl_auxprops;
|
||||||
|
LDAP_SLAPD_V (char **) default_passwd_hash;
|
||||||
|
LDAP_SLAPD_V (int) lber_debug;
|
||||||
|
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
|
||||||
|
index fc023904a..5cced358c 100644
|
||||||
|
--- a/servers/slapd/sasl.c
|
||||||
|
+++ b/servers/slapd/sasl.c
|
||||||
|
@@ -1320,6 +1320,8 @@ int slap_sasl_destroy( void )
|
||||||
|
#endif
|
||||||
|
free( sasl_host );
|
||||||
|
sasl_host = NULL;
|
||||||
|
+ free( sasl_cbinding );
|
||||||
|
+ sasl_cbinding = NULL;
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -1506,17 +1508,24 @@ int slap_sasl_external(
|
||||||
|
return LDAP_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
|
||||||
|
+int slap_sasl_cbinding( Connection *conn, void *ssl )
|
||||||
|
{
|
||||||
|
#ifdef SASL_CHANNEL_BINDING
|
||||||
|
- sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
|
||||||
|
- cb->name = "ldap";
|
||||||
|
- cb->critical = 0;
|
||||||
|
- cb->data = (char *)(cb+1);
|
||||||
|
- cb->len = cbv->bv_len;
|
||||||
|
- memcpy( cb->data, cbv->bv_val, cbv->bv_len );
|
||||||
|
- sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
|
||||||
|
- conn->c_sasl_cbind = cb;
|
||||||
|
+ void *cb;
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ if ( sasl_cbinding == NULL )
|
||||||
|
+ return LDAP_SUCCESS;
|
||||||
|
+
|
||||||
|
+ i = ldap_pvt_sasl_cbinding_parse( sasl_cbinding );
|
||||||
|
+ if ( i < 0 )
|
||||||
|
+ return LDAP_SUCCESS;
|
||||||
|
+
|
||||||
|
+ cb = ldap_pvt_sasl_cbinding( ssl, i, 1 );
|
||||||
|
+ if ( cb != NULL ) {
|
||||||
|
+ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
|
||||||
|
+ conn->c_sasl_cbind = cb;
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
return LDAP_SUCCESS;
|
||||||
|
}
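Review bot: `if ( i < 0 ) return LDAP_SUCCESS;` in slap_sasl_cbinding turns an unrecognised `sasl-cbinding` value into "no channel binding" without a trace in the log, and the `cb == NULL` case (the TLS layer could not produce a binding) is equally quiet, so an operator who configured tls-endpoint has no way to notice it is not in effect. Log the parse failure at LDAP_DEBUG_ANY, `Debug( LDAP_DEBUG_ANY, "slap_sasl_cbinding: unknown sasl-cbinding value \"%s\"\n", sasl_cbinding, 0, 0 );`, and the NULL-binding case at LDAP_DEBUG_TRACE. The `sasl_setprop` return is also discarded; a refused property leaves `conn->c_sasl_cbind` pointing at a binding Cyrus never accepted, so its result is worth checking before the assignment.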
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
@ -0,0 +1,190 @@
|
|||||||
|
From 7b0017ad49a2290ec26cbcdffded8a527799e981 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Isaac Boukris <iboukris@gmail.com>
|
||||||
|
Date: Sat, 18 Apr 2020 16:30:03 +0200
|
||||||
|
Subject: [PATCH] ITS#9189 add channel-bindings tests
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/data/slapd-sasl-gssapi.conf | 3 +
|
||||||
|
tests/scripts/setup_kdc.sh | 8 +++
|
||||||
|
tests/scripts/test068-sasl-tls-external | 22 +++++++
|
||||||
|
tests/scripts/test077-sasl-gssapi | 83 ++++++++++++++++++++++++-
|
||||||
|
4 files changed, 113 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
|
||||||
|
index 611fc7097..29ab6040b 100644
|
||||||
|
--- a/tests/data/slapd-sasl-gssapi.conf
|
||||||
|
+++ b/tests/data/slapd-sasl-gssapi.conf
|
||||||
|
@@ -63,3 +63,6 @@ rootpw secret
|
||||||
|
|
||||||
|
sasl-realm @KRB5REALM@
|
||||||
|
sasl-host localhost
|
||||||
|
+
|
||||||
|
+database config
|
||||||
|
+rootpw secret
|
||||||
|
diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
|
||||||
|
index 1cb784075..98bcd9f96 100755
|
||||||
|
--- a/tests/scripts/setup_kdc.sh
|
||||||
|
+++ b/tests/scripts/setup_kdc.sh
|
||||||
|
@@ -142,3 +142,11 @@ if test $RC != 0 ; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
+
|
||||||
|
+HAVE_SASL_GSS_CBIND=no
|
||||||
|
+
|
||||||
|
+grep CHANNEL_BINDING $TESTDIR/plugin_out > /dev/null 2>&1
|
||||||
|
+RC=$?
|
||||||
|
+if test $RC = 0 ; then
|
||||||
|
+ HAVE_SASL_GSS_CBIND=yes
|
||||||
|
+fi
|
||||||
|
diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
|
||||||
|
index f647b1012..0b91aa197 100755
|
||||||
|
--- a/tests/scripts/test068-sasl-tls-external
|
||||||
|
+++ b/tests/scripts/test068-sasl-tls-external
|
||||||
|
@@ -88,6 +88,28 @@ else
|
||||||
|
echo "success"
|
||||||
|
fi
|
||||||
|
|
||||||
|
+# Exercise channel-bindings code in builds without SASL support
|
||||||
|
+for cb in "none" "tls-unique" "tls-endpoint" ; do
|
||||||
|
+
|
||||||
|
+ echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
|
||||||
|
+
|
||||||
|
+ $LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
|
||||||
|
+ -o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt \
|
||||||
|
+ -o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key \
|
||||||
|
+ -o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1 \
|
||||||
|
+ > $TESTOUT 2>&1
|
||||||
|
+
|
||||||
|
+ RC=$?
|
||||||
|
+ if test $RC != 0 ; then
|
||||||
|
+ echo "ldapwhoami failed ($RC)!"
|
||||||
|
+ test $KILLSERVERS != no && kill -HUP $PID
|
||||||
|
+ exit $RC
|
||||||
|
+ else
|
||||||
|
+ echo "success"
|
||||||
|
+ fi
|
||||||
|
+done
|
||||||
|
+
|
||||||
|
+
|
||||||
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||||
|
|
||||||
|
if test $RC != 0 ; then
|
||||||
|
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
|
||||||
|
index 64abe16fe..19f665622 100755
|
||||||
|
--- a/tests/scripts/test077-sasl-gssapi
|
||||||
|
+++ b/tests/scripts/test077-sasl-gssapi
|
||||||
|
@@ -21,7 +21,10 @@ if test $WITH_SASL = no ; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
-mkdir -p $TESTDIR $DBDIR1
|
||||||
|
+SLAPTEST="$TESTWD/../servers/slapd/slaptest"
|
||||||
|
+CONFDIR=$TESTDIR/slapd.d
|
||||||
|
+
|
||||||
|
+mkdir -p $TESTDIR $DBDIR1 $CONFDIR
|
||||||
|
cp -r $DATADIR/tls $TESTDIR
|
||||||
|
|
||||||
|
cd $TESTWD
|
||||||
|
@@ -32,7 +35,8 @@ echo "Starting KDC for SASL/GSSAPI tests..."
|
||||||
|
|
||||||
|
echo "Running slapadd to build slapd database..."
|
||||||
|
. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
|
||||||
|
-$SLAPADD -f $CONF1 -l $LDIFORDERED
|
||||||
|
+$SLAPTEST -f $CONF1 -F $CONFDIR
|
||||||
|
+$SLAPADD -F $CONFDIR -l $LDIFORDERED
|
||||||
|
RC=$?
|
||||||
|
if test $RC != 0 ; then
|
||||||
|
echo "slapadd failed ($RC)!"
|
||||||
|
@@ -41,7 +45,7 @@ if test $RC != 0 ; then
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
|
||||||
|
-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
|
||||||
|
+$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
|
||||||
|
PID=$!
|
||||||
|
if test $WAIT != 0 ; then
|
||||||
|
echo PID $PID
|
||||||
|
@@ -144,6 +148,79 @@ else
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
+if test $WITH_TLS = no ; then
|
||||||
|
+ echo "TLS support not available, skipping channe-binding test"
|
||||||
|
+elif test $HAVE_SASL_GSS_CBIND = no ; then
|
||||||
|
+ echo "SASL has no channel-binding support in GSSAPI, test skipped"
|
||||||
|
+else
|
||||||
|
+ echo "Testing SASL/GSSAPI with SASL_CBINDING..."
|
||||||
|
+
|
||||||
|
+ for acb in "none" "tls-unique" "tls-endpoint" ; do
|
||||||
|
+
|
||||||
|
+ echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
|
||||||
|
+ $LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
|
||||||
|
+dn: cn=config
|
||||||
|
+changetype: modify
|
||||||
|
+replace: olcSaslCBinding
|
||||||
|
+olcSaslCBinding: ${acb}
|
||||||
|
+EOF
|
||||||
|
+ RC=$?
|
||||||
|
+ if test $RC != 0 ; then
|
||||||
|
+ echo "ldapmodify failed ($RC)!"
|
||||||
|
+ kill $KDCPROC
|
||||||
|
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||||
|
+ exit $RC
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ for icb in "none" "tls-unique" "tls-endpoint" ; do
|
||||||
|
+
|
||||||
|
+ # The gnutls implemantation of "tls-unique" seems broken
|
||||||
|
+ if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
|
||||||
|
+ if test $WITH_TLS_TYPE == gnutls ; then
|
||||||
|
+ continue
|
||||||
|
+ fi
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ fail="no"
|
||||||
|
+ if test $icb != $acb -a $acb != "none" ; then
|
||||||
|
+ # This currently fails in MIT, but it is planned to be
|
||||||
|
+ # fixed not to fail like in heimdal - avoid testing.
|
||||||
|
+ if test $icb = "none" ; then
|
||||||
|
+ continue
|
||||||
|
+ fi
|
||||||
|
+ # Otherwise unmatching bindings are expected to fail.
|
||||||
|
+ fail="yes"
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
|
||||||
|
+ echo -ne "(client: ${icb},\tserver: ${acb}): "
|
||||||
|
+
|
||||||
|
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
|
||||||
|
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
|
||||||
|
+ -o SASL_CBINDING=$icb > $TESTOUT 2>&1
|
||||||
|
+
|
||||||
|
+ RC=$?
|
||||||
|
+ if test $RC != 0 ; then
|
||||||
|
+ if test $fail = "no" ; then
|
||||||
|
+ echo "test failed ($RC)!"
|
||||||
|
+ kill $KDCPROC
|
||||||
|
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||||
|
+ exit $RC
|
||||||
|
+ fi
|
||||||
|
+ elif test $fail = "yes" ; then
|
||||||
|
+ echo "failed: command succeeded unexpectedly."
|
||||||
|
+ kill $KDCPROC
|
||||||
|
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||||
|
+ exit 1
|
||||||
|
+ fi
|
||||||
|
+
|
||||||
|
+ echo "success"
|
||||||
|
+ RC=0
|
||||||
|
+ done
|
||||||
|
+ done
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+
|
||||||
|
kill $KDCPROC
|
||||||
|
test $KILLSERVERS != no && kill -HUP $KILLPIDS
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
@ -0,0 +1,27 @@
|
|||||||
|
From 4cac398b19c21ad56949ef7e67e285c6c8e7ecea Mon Sep 17 00:00:00 2001
|
||||||
|
From: Isaac Boukris <iboukris@gmail.com>
|
||||||
|
Date: Thu, 23 Apr 2020 22:47:32 +0200
|
||||||
|
Subject: [PATCH] ITS#9189 - initialize ldo_sasl_cbinding in
|
||||||
|
LDAP_LDO_SASL_NULLARG
|
||||||
|
|
||||||
|
Reported-by: Ryan Tandy @ryan
|
||||||
|
---
|
||||||
|
libraries/libldap/ldap-int.h | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
|
||||||
|
index c6c6891a9..336448115 100644
|
||||||
|
--- a/libraries/libldap/ldap-int.h
|
||||||
|
+++ b/libraries/libldap/ldap-int.h
|
||||||
|
@@ -301,7 +301,7 @@ struct ldapoptions {
|
||||||
|
/* SASL Security Properties */
|
||||||
|
struct sasl_security_properties ldo_sasl_secprops;
|
||||||
|
int ldo_sasl_cbinding;
|
||||||
|
-#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
|
||||||
|
+#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0},0
|
||||||
|
#else
|
||||||
|
#define LDAP_LDO_SASL_NULLARG
|
||||||
|
#endif
|
||||||
|
--
|
||||||
|
2.26.2
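Review bot: The initializer list in `LDAP_LDO_SASL_NULLARG` is positional, so it silently desynchronises whenever a field is appended to the SASL group of `struct ldapoptions`; that is exactly how `ldo_sasl_cbinding` was left uninitialised before this one-line fix. A comment on the field would make the coupling visible to the next person who adds one, e.g. `int ldo_sasl_cbinding; /* keep LDAP_LDO_SASL_NULLARG below in sync with these fields */`. The meaning of the default `0` (presumably "no channel binding requested") is not visible in this hunk and would be worth stating in the same comment. The struct and the `#ifdef` block around the macro start outside the hunk.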
|
||||||
|
|
@ -0,0 +1,64 @@
|
|||||||
|
NOTE: The patch has been adjusted to match the base code before backporting.
|
||||||
|
|
||||||
|
From cd914149a665167b2c5ae16baa0c438824588819 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
|
||||||
|
Date: Tue, 19 Feb 2019 10:26:39 +0000
|
||||||
|
Subject: [PATCH] Make prototypes available where needed
|
||||||
|
|
||||||
|
---
|
||||||
|
libraries/libldap/tls2.c | 3 +++
|
||||||
|
servers/slapd/config.c | 1 +
|
||||||
|
servers/slapd/proto-slap.h | 4 ++++
|
||||||
|
3 files changed, 8 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
||||||
|
index 1a96b62c3..869de2eb5 100644
|
||||||
|
--- a/libraries/libldap/tls2.c
|
||||||
|
+++ b/libraries/libldap/tls2.c
|
||||||
|
@@ -76,6 +76,9 @@ static oid_name oids[] = {
|
||||||
|
|
||||||
|
#ifdef HAVE_TLS
|
||||||
|
|
||||||
|
+LDAP_F(int) ldap_pvt_tls_check_hostname LDAP_P(( LDAP *ld, void *s, const char *name_in ));
|
||||||
|
+LDAP_F(int) ldap_pvt_tls_get_peercert LDAP_P(( void *s, struct berval *der ));
|
||||||
|
+
|
||||||
|
void
|
||||||
|
ldap_pvt_tls_ctx_free ( void *c )
|
||||||
|
{
|
||||||
|
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
|
||||||
|
index 778365fd0..2816455a3 100644
|
||||||
|
--- a/servers/slapd/config.c
|
||||||
|
+++ b/servers/slapd/config.c
|
||||||
|
@@ -48,6 +48,7 @@
|
||||||
|
#endif
|
||||||
|
#include "lutil.h"
|
||||||
|
#include "lutil_ldap.h"
|
||||||
|
+#include "ldif.h"
|
||||||
|
#include "config.h"
|
||||||
|
|
||||||
|
#ifdef _WIN32
|
||||||
|
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
|
||||||
|
index 4bfdcf930..e33e3b7d9 100644
|
||||||
|
--- a/servers/slapd/proto-slap.h
|
||||||
|
+++ b/servers/slapd/proto-slap.h
|
||||||
|
@@ -755,6 +755,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
|
||||||
|
LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
|
||||||
|
slap_bindconf *bc, LDAP *ld ));
|
||||||
|
LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
|
||||||
|
+LDAP_SLAPD_F (void) slap_client_keepalive LDAP_P(( LDAP *ld, slap_keepalive *sk ));
|
||||||
|
LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb ));
|
||||||
|
LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
|
||||||
|
const char *fname, int lineno, int argc, char **argv ));
|
||||||
|
@@ -1683,6 +1684,9 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
|
||||||
|
slap_ssf_t ssf, /* relative strength of external security */
|
||||||
|
struct berval *authid ); /* asserted authenication id */
|
||||||
|
|
||||||
|
+LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
|
||||||
|
+ struct berval *cbv );
|
||||||
|
+
|
||||||
|
LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
|
||||||
|
LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
|
||||||
|
|
||||||
|
--
|
||||||
|
2.26.2
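Review bot: The two `LDAP_F(int) ldap_pvt_tls_*` prototypes added at the top of tls2.c are file-local declarations in a `.c` file, so if the definitions in the TLS backend sources ever change signature the compiler will not diagnose the mismatch against this copy. Declaring them once in a header that tls2.c and the defining translation units both include (ldap-int.h is the obvious candidate, though this hunk does not show whether the backends include it) would keep a single source of truth. The proto-slap.h additions are in the right place; a short comment on the new `slap_sasl_cbinding` declaration saying what `cbv` carries (presumably the channel-binding value handed to the SASL layer — confirm against the definition) would match the style of the neighbouring `slap_sasl_external` prototype, whose parameters are annotated.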
|
||||||
|
|
openldap-cbinding-Update-keys-to-RSA-4096.patch
@ -0,0 +1,526 @@
|
|||||||
|
From 3ab98b2fc98843289c1833891518fb3b5b42dcd8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
|
||||||
|
Date: Tue, 30 Oct 2018 15:42:35 +0000
|
||||||
|
Subject: [PATCH] Update keys to RSA 4096
|
||||||
|
|
||||||
|
---
|
||||||
|
tests/data/tls/ca/certs/testsuiteCA.crt | 133 ++++++++++++++++--
|
||||||
|
tests/data/tls/ca/private/testsuiteCA.key | 64 +++++++--
|
||||||
|
.../tls/certs/bjensen@mailgw.example.com.crt | 44 ++++--
|
||||||
|
tests/data/tls/certs/localhost.crt | 44 ++++--
|
||||||
|
tests/data/tls/conf/openssl.cnf | 2 +-
|
||||||
|
tests/data/tls/create-crt.sh | 9 +-
|
||||||
|
.../private/bjensen@mailgw.example.com.key | 64 +++++++--
|
||||||
|
tests/data/tls/private/localhost.key | 64 +++++++--
|
||||||
|
8 files changed, 336 insertions(+), 88 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt
|
||||||
|
index 7458e7461..62c88acca 100644
|
||||||
|
--- a/tests/data/tls/ca/certs/testsuiteCA.crt
|
||||||
|
+++ b/tests/data/tls/ca/certs/testsuiteCA.crt
|
||||||
|
@@ -1,16 +1,121 @@
|
||||||
|
+Certificate:
|
||||||
|
+ Data:
|
||||||
|
+ Version: 3 (0x2)
|
||||||
|
+ Serial Number:
|
||||||
|
+ 0b:43:f8:e9:ee:d3:38:37:92:db:19:65:d9:94:17:cc:70:45:d4:06
|
||||||
|
+ Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
+ Issuer: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
|
||||||
|
+ Validity
|
||||||
|
+ Not Before: Oct 30 15:29:02 2018 GMT
|
||||||
|
+ Not After : Nov 13 15:29:02 2519 GMT
|
||||||
|
+ Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
|
||||||
|
+ Subject Public Key Info:
|
||||||
|
+ Public Key Algorithm: rsaEncryption
|
||||||
|
+ RSA Public-Key: (4096 bit)
|
||||||
|
+ Modulus:
|
||||||
|
+ 00:be:e0:ff:36:89:65:c0:4e:46:e6:24:e8:3d:81:
|
||||||
|
+ 97:92:28:4b:11:c6:21:ac:28:14:31:b2:a3:64:24:
|
||||||
|
+ 62:61:24:bd:76:7b:9e:7c:3a:50:65:fa:97:f3:c5:
|
||||||
|
+ 9d:49:cc:61:3a:31:6f:0d:a4:d8:70:57:73:c8:c6:
|
||||||
|
+ 66:06:d0:59:3f:24:3b:56:5d:70:20:e4:51:2b:88:
|
||||||
|
+ 5e:f4:78:82:bc:55:b5:d5:5b:f6:e5:55:1f:3a:af:
|
||||||
|
+ 59:9f:b7:5d:72:70:fe:b6:a4:dd:4e:f9:d0:38:e8:
|
||||||
|
+ 15:14:c7:45:ed:5e:d3:4c:ee:02:34:3a:37:d8:75:
|
||||||
|
+ f1:49:0d:f6:8a:7b:8c:87:39:c9:fb:f2:3a:96:57:
|
||||||
|
+ cd:7c:18:a7:bb:35:de:d3:c4:79:57:20:48:07:b9:
|
||||||
|
+ 65:f6:bd:7b:01:5c:99:8a:92:35:7c:b7:e3:96:1c:
|
||||||
|
+ 6f:4c:47:42:c1:77:d6:62:49:0e:be:01:8f:c9:f4:
|
||||||
|
+ 64:68:4c:b0:ec:10:12:d0:0e:5f:67:0e:e8:a4:bd:
|
||||||
|
+ df:9c:fb:5b:04:6f:3c:2a:35:1b:5a:ca:98:ba:f3:
|
||||||
|
+ 61:f4:3a:77:28:be:a3:63:f1:d6:94:0d:fb:a0:87:
|
||||||
|
+ e3:a5:9f:56:b6:a6:6a:90:13:80:2a:2e:ae:fe:af:
|
||||||
|
+ aa:e3:e7:d8:3b:2b:a3:52:4f:73:2d:12:aa:e2:a3:
|
||||||
|
+ 0c:aa:fb:11:40:86:68:de:be:2b:9b:36:19:9c:d7:
|
||||||
|
+ d7:5e:13:21:c9:b3:34:6d:09:53:ff:a3:2e:92:f4:
|
||||||
|
+ 33:80:de:7a:47:1c:47:57:68:53:2a:db:73:6e:6d:
|
||||||
|
+ fa:40:df:55:25:a1:fc:87:c4:86:ef:6e:16:ec:f8:
|
||||||
|
+ 48:35:f5:96:b3:55:ce:56:a9:6e:c1:8c:ea:32:85:
|
||||||
|
+ 26:ea:af:0c:92:24:05:e2:49:12:b7:07:8f:06:96:
|
||||||
|
+ be:13:fa:ec:49:f7:d4:49:6f:b9:c7:6c:79:53:39:
|
||||||
|
+ a3:89:c4:4a:92:66:b0:f3:0c:72:6d:50:3c:63:1f:
|
||||||
|
+ f3:76:63:a8:aa:b7:fd:db:ef:98:b4:5b:49:b6:84:
|
||||||
|
+ 66:e5:fc:60:0b:c1:f7:b0:f7:84:68:7e:71:5d:ac:
|
||||||
|
+ fc:a9:cb:f6:02:fc:86:d3:a7:c3:42:ef:ba:f4:1a:
|
||||||
|
+ 27:71:5d:22:f5:53:e1:a6:f4:a5:dc:31:38:45:0b:
|
||||||
|
+ a1:6d:ab:9c:05:2e:87:8c:31:02:99:80:6d:3f:66:
|
||||||
|
+ e8:8a:d7:64:4f:08:7e:2f:f0:1f:28:ff:85:57:22:
|
||||||
|
+ ee:6a:a7:05:72:f8:cf:5d:07:c6:73:23:82:85:82:
|
||||||
|
+ 76:4e:36:8a:ec:ea:f1:53:1e:e0:77:d1:4a:9f:df:
|
||||||
|
+ ec:87:91:0a:56:40:b7:23:19:fa:60:14:d0:f0:32:
|
||||||
|
+ 4d:11:39
|
||||||
|
+ Exponent: 65537 (0x10001)
|
||||||
|
+ X509v3 extensions:
|
||||||
|
+ X509v3 Subject Key Identifier:
|
||||||
|
+ 90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
|
||||||
|
+ X509v3 Authority Key Identifier:
|
||||||
|
+ keyid:90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
|
||||||
|
+
|
||||||
|
+ X509v3 Basic Constraints: critical
|
||||||
|
+ CA:TRUE
|
||||||
|
+ Signature Algorithm: sha256WithRSAEncryption
|
||||||
|
+ 0f:7f:a0:c5:3c:ac:dc:ed:8f:56:3e:64:89:e6:87:d0:ca:a5:
|
||||||
|
+ 37:b8:0e:49:aa:93:d3:e5:ac:ff:54:24:91:07:1b:9c:dc:08:
|
||||||
|
+ e6:cc:15:53:be:85:4c:51:52:d3:88:d0:d8:c7:b7:98:40:41:
|
||||||
|
+ 8a:a7:7a:4c:96:85:61:8c:98:76:f6:a3:2c:10:31:a1:d8:e6:
|
||||||
|
+ a7:4c:ec:c3:29:ad:04:8b:e3:f2:2d:4c:30:0d:a4:bc:c8:93:
|
||||||
|
+ d2:9b:88:1d:a4:25:eb:ff:9f:f2:d9:c5:3b:bf:51:91:71:06:
|
||||||
|
+ 92:35:96:5c:ca:6d:d6:86:47:63:07:7f:37:35:53:68:e9:4e:
|
||||||
|
+ d0:d0:25:42:18:e0:00:9e:ca:f5:bd:b7:94:ee:99:51:44:3a:
|
||||||
|
+ 0c:44:40:e3:87:e6:ce:6c:2b:3f:c1:01:6c:5c:32:d5:59:b5:
|
||||||
|
+ bd:25:a3:1a:ff:85:a5:89:9c:d8:24:4b:fa:59:99:5a:64:ab:
|
||||||
|
+ a1:d8:0f:c0:19:28:84:1e:89:c2:a1:15:4e:0f:7e:1f:bf:f8:
|
||||||
|
+ 92:df:9f:1c:d5:4a:98:40:82:ee:41:1f:de:f7:25:11:fd:76:
|
||||||
|
+ 0a:cf:37:40:bc:c2:2d:6a:ea:4a:0c:6d:b0:e6:75:37:b5:63:
|
||||||
|
+ a8:a1:c5:81:d0:84:c0:f3:e0:c3:5c:c4:9f:ec:3b:9f:8a:74:
|
||||||
|
+ ce:f0:cc:e3:e9:15:08:a0:ea:3e:a9:8e:bc:9a:01:00:96:fe:
|
||||||
|
+ 37:6f:61:b5:2c:4b:1f:5d:d7:24:09:fe:bf:f4:77:47:e4:ee:
|
||||||
|
+ 7c:ea:6b:67:84:ee:56:4f:5f:b9:b8:e4:db:70:e1:4a:b3:94:
|
||||||
|
+ 4d:dd:52:45:05:4d:79:d4:7c:8b:9d:9b:6a:0b:73:9e:f3:0e:
|
||||||
|
+ d5:d5:46:da:b4:fb:4a:ea:5b:ab:8e:42:68:0e:96:cd:8a:6e:
|
||||||
|
+ 35:a8:e6:1b:6a:ed:a8:9e:3c:cc:3b:44:54:b8:2d:ba:c7:83:
|
||||||
|
+ 91:7c:70:40:0c:14:b8:21:7a:12:ac:8c:96:4c:94:a6:ee:fe:
|
||||||
|
+ cc:77:34:8e:e3:c3:c0:44:19:51:85:07:6c:d8:d1:2e:69:8d:
|
||||||
|
+ b1:0e:42:fb:e6:16:65:86:c6:e3:2f:a7:3f:b4:8e:4f:1c:83:
|
||||||
|
+ c4:0a:ae:a0:d9:17:fd:cf:a2:38:a1:9f:70:dc:5c:df:3c:07:
|
||||||
|
+ 7b:64:01:ff:35:8c:45:43:e8:fa:a4:f6:c4:71:78:17:6e:6a:
|
||||||
|
+ 7f:d1:6e:66:c6:89:33:3b:28:4a:76:bf:ca:29:05:51:07:98:
|
||||||
|
+ ce:63:62:25:61:7f:5e:c6:91:23:02:13:15:4f:fd:24:58:9d:
|
||||||
|
+ 2d:ac:eb:cb:9a:c2:82:2f:50:5c:5a:16:bb:8c:bf:4d:66:2c:
|
||||||
|
+ 6f:1c:c4:a9:28:e1:3d:4d
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
-MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
|
||||||
|
-BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv
|
||||||
|
-bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0
|
||||||
|
-NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
|
||||||
|
-MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB
|
||||||
|
-UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd
|
||||||
|
-rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb
|
||||||
|
-lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL
|
||||||
|
-6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU
|
||||||
|
-7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB
|
||||||
|
-SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/
|
||||||
|
-wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws
|
||||||
|
-ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q
|
||||||
|
-aL52EFPS0o3tiAJXS82U2wrQdJ0YEw==
|
||||||
|
+MIIFjzCCA3egAwIBAgIUC0P46e7TODeS2xll2ZQXzHBF1AYwDQYJKoZIhvcNAQEL
|
||||||
|
+BQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRwwGgYDVQQKDBNPcGVuTERB
|
||||||
|
+UCBGb3VuZGF0aW9uMRwwGgYDVQQLDBNPcGVuTERBUCBUZXN0IFN1aXRlMCAXDTE4
|
||||||
|
+MTAzMDE1MjkwMloYDzI1MTkxMTEzMTUyOTAyWjBWMQswCQYDVQQGEwJVUzELMAkG
|
||||||
|
+A1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNVBAsM
|
||||||
|
+E09wZW5MREFQIFRlc3QgU3VpdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
|
||||||
|
+AoICAQC+4P82iWXATkbmJOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfz
|
||||||
|
+xZ1JzGE6MW8NpNhwV3PIxmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mf
|
||||||
|
+t11ycP62pN1O+dA46BUUx0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7
|
||||||
|
+Nd7TxHlXIEgHuWX2vXsBXJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQ
|
||||||
|
+Dl9nDuikvd+c+1sEbzwqNRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4Aq
|
||||||
|
+Lq7+r6rj59g7K6NST3MtEqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S
|
||||||
|
+9DOA3npHHEdXaFMq23NubfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbq
|
||||||
|
+rwySJAXiSRK3B48Glr4T+uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iq
|
||||||
|
+t/3b75i0W0m2hGbl/GALwfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm
|
||||||
|
+9KXcMThFC6Ftq5wFLoeMMQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8Zz
|
||||||
|
+I4KFgnZONors6vFTHuB30Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABo1MwUTAd
|
||||||
|
+BgNVHQ4EFgQUkM9RHegI1Ew0cHFr0gsAaNn9YFAwHwYDVR0jBBgwFoAUkM9RHegI
|
||||||
|
+1Ew0cHFr0gsAaNn9YFAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
|
||||||
|
+AgEAD3+gxTys3O2PVj5kieaH0MqlN7gOSaqT0+Ws/1QkkQcbnNwI5swVU76FTFFS
|
||||||
|
+04jQ2Me3mEBBiqd6TJaFYYyYdvajLBAxodjmp0zswymtBIvj8i1MMA2kvMiT0puI
|
||||||
|
+HaQl6/+f8tnFO79RkXEGkjWWXMpt1oZHYwd/NzVTaOlO0NAlQhjgAJ7K9b23lO6Z
|
||||||
|
+UUQ6DERA44fmzmwrP8EBbFwy1Vm1vSWjGv+FpYmc2CRL+lmZWmSrodgPwBkohB6J
|
||||||
|
+wqEVTg9+H7/4kt+fHNVKmECC7kEf3vclEf12Cs83QLzCLWrqSgxtsOZ1N7VjqKHF
|
||||||
|
+gdCEwPPgw1zEn+w7n4p0zvDM4+kVCKDqPqmOvJoBAJb+N29htSxLH13XJAn+v/R3
|
||||||
|
+R+TufOprZ4TuVk9fubjk23DhSrOUTd1SRQVNedR8i52bagtznvMO1dVG2rT7Supb
|
||||||
|
+q45CaA6WzYpuNajmG2rtqJ48zDtEVLgtuseDkXxwQAwUuCF6EqyMlkyUpu7+zHc0
|
||||||
|
+juPDwEQZUYUHbNjRLmmNsQ5C++YWZYbG4y+nP7SOTxyDxAquoNkX/c+iOKGfcNxc
|
||||||
|
+3zwHe2QB/zWMRUPo+qT2xHF4F25qf9FuZsaJMzsoSna/yikFUQeYzmNiJWF/XsaR
|
||||||
|
+IwITFU/9JFidLazry5rCgi9QXFoWu4y/TWYsbxzEqSjhPU0=
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key
|
||||||
|
index 2e14d7033..01a6614c1 100644
|
||||||
|
--- a/tests/data/tls/ca/private/testsuiteCA.key
|
||||||
|
+++ b/tests/data/tls/ca/private/testsuiteCA.key
|
||||||
|
@@ -1,16 +1,52 @@
|
||||||
|
-----BEGIN PRIVATE KEY-----
|
||||||
|
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ
|
||||||
|
-WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc
|
||||||
|
-338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/
|
||||||
|
-dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg
|
||||||
|
-O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf
|
||||||
|
-7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn
|
||||||
|
-rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f
|
||||||
|
-wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk
|
||||||
|
-AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l
|
||||||
|
-vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9
|
||||||
|
-27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X
|
||||||
|
-KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N
|
||||||
|
-I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL
|
||||||
|
-+b2qljWeZbGH
|
||||||
|
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC+4P82iWXATkbm
|
||||||
|
+JOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfzxZ1JzGE6MW8NpNhwV3PI
|
||||||
|
+xmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mft11ycP62pN1O+dA46BUU
|
||||||
|
+x0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7Nd7TxHlXIEgHuWX2vXsB
|
||||||
|
+XJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQDl9nDuikvd+c+1sEbzwq
|
||||||
|
+NRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4AqLq7+r6rj59g7K6NST3Mt
|
||||||
|
+Eqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S9DOA3npHHEdXaFMq23Nu
|
||||||
|
+bfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbqrwySJAXiSRK3B48Glr4T
|
||||||
|
++uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iqt/3b75i0W0m2hGbl/GAL
|
||||||
|
+wfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm9KXcMThFC6Ftq5wFLoeM
|
||||||
|
+MQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8ZzI4KFgnZONors6vFTHuB3
|
||||||
|
+0Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABAoICAQCVkIdpnE92V9+GBfVT/G9f
|
||||||
|
+vuLTkoRf+SeZqXgNx9SuebNbW5HblXXZ8nmOMZIFeXfVuVZjQn+1x1CaSZs4S5ki
|
||||||
|
+uKkmCyEJJN3VVo3Q0XzfRemsvNrA5+oIec2oMG2wdomfY59leqmFbZTXKy3HyT2Y
|
||||||
|
+Uga4FcYcfo4JyD8eU6DRdJ6oJC10EGiajFchghyPoqvRcSH/q24R4Ha5om1M/zOZ
|
||||||
|
+/hz+SlmLU2sjXVtGuCgtCdw5Sp5Ce5VF43JaRGjMwAnazEyjHPE8kEx8ZhCBG66B
|
||||||
|
+DqP6UrV736T3c0/Hww0fxFrENA4mIE/vhNgwNVQ5jDxDSC9ObesTW93Lu4za+Re6
|
||||||
|
+pmP1eeS/oe1OcI1d/xK2IIQwzB7ZkJ0StbFLnjs7DATO7BGzhC9egC6s+z9oSgTS
|
||||||
|
+KvmLyoiL5U4fesVJwcCPKwwkVH9n22TuqmvB5mmvZvRTe2+OgDH55Nkfx1SoI8+Q
|
||||||
|
+/fwV9UXIIg5en+Kv8lOaWCZujmMsjHC79bwxPLeaePRwD/RBkT1MLW/T4fWGpAt3
|
||||||
|
+H89+yufH31Y/1QMxVVtR9OdxCtljiXno/bArMNZ0oE1TiCcckMzdjKh7RNfkEXRM
|
||||||
|
+Pga92HBTgtJ3tfWJ4qOtJ4NKJPQ7wRmR03Bug8+bGM4K5HDO08fNuag/pP3AQvrM
|
||||||
|
+QGbHFVho3I7/DXnmRBq/gQKCAQEA75eptBtP8PWnN9uNsQoWxvFKQBtbLfPKUcVP
|
||||||
|
++LWOWF4ag2YRRf6TIzvGfIk54OGSL/srWCDKjXWJ0NgUn6yiqOkoP4oxEE1m2QDY
|
||||||
|
+7oCk9vJipJcrtNCKL6NhKwZDOjlDSROb/hBeMgr14Da/WkPE6zQhuwN5y4Japbjs
|
||||||
|
+cBYTao2uOg4QQz5Aee+ee55L6iAgMT0PnlQtv1uVW3D46e02CrQKtRmtDxqT3Nux
|
||||||
|
+nudJdz+rMFM0EDgVKUYRwFCa6xjI4y2K1aCwCtJG9yTJpYqCD9hehfwEije6dNNg
|
||||||
|
+p5RX3M9ai710Yx4F26cwX/t8AxqgF/2XBI0ZWD6x69cp7suPTQKCAQEAy/NUEgXN
|
||||||
|
+nymq8NK+umZwFJU7cy3weozRuEkmgmCWj4XYhbvTw6MbK+2R9XKa3ilqSd2sU2lX
|
||||||
|
+qE66kfAgqZMJ9RB+7nDOaLAMUuGw1DrwFZE7r3mKXgc4NgjtmGav4E3URXPHj5zb
|
||||||
|
+JbbN95zl96Fm3Nevs5p8sb0KexgbzHe4UzJNYFgT0l+TjJbJUAiNPsEw1bnV4cxn
|
||||||
|
+b1HO2CWTeGtAOJyjMRNwI+40wnk2N6An+Ddvb2mj2h30HujSZHnL94RAqa7RHDb6
|
||||||
|
+lU+7JX/ll5G0mFQOFQAs4UPos2bg7hS1mfYO+UVrG4OH9gXns12158WqFED+lhmJ
|
||||||
|
+O8WDWEVAblVrnQKCAQAB9aOVrYOB3QB5HHqUMBjvl5mb3J1qSswkzxBQYGvBnUNq
|
||||||
|
+P7N0dxiM+TguXJD0neOsMMmx9tKxRXzTEHFavPa3mvCRVHgCQh/NNoyPps2yl1jn
|
||||||
|
+L7VTzUDUEuoAiBSUrVM3jcmA0nFyx1QreUcnXdaGde6wsN6WI4LKSDDm2cde37nF
|
||||||
|
+D8hiRGgSlzscl7bXO1wICw/No7KcFguqq8ndX+tJOx+7S3J25SjAbauOOSYIq6Si
|
||||||
|
+yItsdoj1xXTvtbkOoy1BbmXsSVwnOoEKFGrxx6g4qPRc9Cq1Vq9XtULdHAF79NYw
|
||||||
|
+vmPtS5mQqlVi85OYEuesSo6pot3KMvkRjLjzEwchAoIBACEvrvZfy12iwhX9tNtP
|
||||||
|
+39z5i3rqdr76OwXpoUKFxPoFpX3dWk/zMnCrb5yo0VplEs6CK5BHC+RvKxykHix5
|
||||||
|
+qJ0f2geig3O1ccvqvYNLM9XOlA+xjzpNom/odADgdK3i/C9w74AG3gH9BPbNqP3q
|
||||||
|
+XXqB/i0Tbkbdo97zxVI4CN5AySZsLo2Ez9WIk6laOuGDPhcI7iyXvhz3CtlRA/YM
|
||||||
|
+PZ74nfVWXGD8WclrP889WEOjgZZ3choD1b1R1SpUR0Q3WO5Da/NTXuL83k7zyMAp
|
||||||
|
+DWHcC46PQL5G9o56pw8Wf5ZV24nkKdGITY9S1qjxDrBwEYTKLqLt9M6tDPpICnvp
|
||||||
|
+mmECggEBALfnUgpdGugn46UmQUMI1y+NZbSKhJHG+OBWdcc1j4kDZhF/Ei7g8pvk
|
||||||
|
+hFU5p/YA6JbGioZxiqjdrYLvgTPnJVkxy7arLTN2j2GVlhUA74BY+kNzENk2Tj9c
|
||||||
|
+zJSMVZn+WZrXNQhfYyA3FyW3wGN67GBXAHPQxFTdU3G4mR1WcyJCxKIyzP+2M8o9
|
||||||
|
+16tpb80QRnc0OLm9Izppe7JUp2hCQt+O6E8izvLE8k2ldOr5ncTNWlxTJ0yx0hEO
|
||||||
|
+WTFqhwOM1pEmtxas1gLr8MX0hNsaQR+kjG2f8rPmH+GEZeeAwuhoJY1PcKAOYM5Y
|
||||||
|
+yu/1yFXYTrmhD/P0+nJn1DfS5JljCJY=
|
||||||
|
-----END PRIVATE KEY-----
|
||||||
|
diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
|
||||||
|
index 93e3a0d39..eb0fc693f 100644
|
||||||
|
--- a/tests/data/tls/certs/bjensen@mailgw.example.com.crt
|
||||||
|
+++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
|
||||||
|
@@ -1,16 +1,32 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
-MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
|
||||||
|
-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
|
||||||
|
-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
|
||||||
|
-ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV
|
||||||
|
-BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD
|
||||||
|
-VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa
|
||||||
|
-YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
|
||||||
|
-MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg
|
||||||
|
-QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU
|
||||||
|
-U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL
|
||||||
|
-MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn
|
||||||
|
-wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f
|
||||||
|
-7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo
|
||||||
|
-4DnnYQBDnq48VORVX94=
|
||||||
|
+MIIFfDCCA2SgAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
|
||||||
|
+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
|
||||||
|
+BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNzQwWhgPMjUxOTEx
|
||||||
|
+MTMxNTM3NDBaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNVBAoM
|
||||||
|
+E09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYDVQQD
|
||||||
|
+DBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYaYmpl
|
||||||
|
+bnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
|
||||||
|
+ggIKAoICAQCcHBkHcUSKG4s7nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA
|
||||||
|
+7qkZvMJR8ws2u8TQU/18FhH4+0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWg
|
||||||
|
+qPYe/K3bAtSRtF7wDxF77eb2Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38
|
||||||
|
+kpIB5WENCEy77QK9GEGAlMVIRXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nN
|
||||||
|
+LxTdLe1qbZyRgEqRKgW5WcWrW46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yIms
|
||||||
|
+CbzlSRLC1dfj++2mzCMxoc3xpZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvR
|
||||||
|
+X9uQOnXnazQvlRfsaHQjGUKyhMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzL
|
||||||
|
+twWkESVDU0tNg/czWLn56smV7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjI
|
||||||
|
+LQuEBssrV1h8WblruWRU31Mn+mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5ui
|
||||||
|
+cNcYTXCfa5ZpPL608f7cWuG2GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4
|
||||||
|
+yPXHATrCtYO1wqIyu9Yuirdg7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABow0w
|
||||||
|
+CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCq8VvpcoAgCK/D5yi/2puB
|
||||||
|
+LD7kYaVaSXxrUQBeLTmKERw3akpgW7QTGCNgM425VVaBQRPtv8YcX9OycUAylAA+
|
||||||
|
+7lzwdP95OJGnUOjQY4x4iRAwCPkpDCcnwc43c3WAyQb2S46aZJaWK4S0+RM3CmWH
|
||||||
|
+1Fzb6aODdnoBEKk0XgNrB6/teB+UWgtTSxWiY/HWiArDaZDPMAxqEK0hnB+b/sBD
|
||||||
|
+ZoBYnfnQXezylqbk9vkzTIbSVrv5ZZdQELOAnPuxUCFpYew1OGKcg+1twYKDHgBS
|
||||||
|
+s13zN03eMEnC/O4Z01dhu16vqdikdP+tJJrppjvZtJys0KIP24ltDnpA6h/3m/Cl
|
||||||
|
+U1eiTDgWO+SsfiL1K4gcTL1eLjnCBFfnHN5gfgAV5w5DaKzvKp7Qu8db4DtH+S4o
|
||||||
|
+W/MBKuaHHKWUPGksvFUiGNgE/XyDU4MK34/5ulzbrWmqb24pYAzm1MyjsdzmXObw
|
||||||
|
++fzg6EDBB14cWA2hA7mSqnzkiW1pELVym6+uTaIlopSIFr8nNAimwLiY5QJNGYvd
|
||||||
|
+hgNNvOyUUO+nON3aHsC/rRMgar3eo7A9AkQJ6qKVvPR2h1317PJLuKaLfjbaCzNw
|
||||||
|
+iA3JSQjcwR2ydlSgKKN2d/XXm/G4PZ9tUcBY4Zngn0ViT0/m7MFy9qsiWG97+yaZ
|
||||||
|
+nYsN5WfwDZrtG24dTotxVQ==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt
|
||||||
|
index 194cb119d..3aeae3c16 100644
|
||||||
|
--- a/tests/data/tls/certs/localhost.crt
|
||||||
|
+++ b/tests/data/tls/certs/localhost.crt
|
||||||
|
@@ -1,16 +1,32 @@
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
-MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
|
||||||
|
-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
|
||||||
|
-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
|
||||||
|
-ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE
|
||||||
|
-CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT
|
||||||
|
-dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
|
||||||
|
-iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4
|
||||||
|
-7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv
|
||||||
|
-8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ
|
||||||
|
-BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A
|
||||||
|
-AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG
|
||||||
|
-8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl
|
||||||
|
-0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR
|
||||||
|
-GjeZB1FxqDGHjxBq2O828iejw28bSz4=
|
||||||
|
+MIIFhTCCA22gAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
|
||||||
|
+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
|
||||||
|
+BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNjMwWhgPMjUxOTEx
|
||||||
|
+MTMxNTM2MzBaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwT
|
||||||
|
+T3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBTdWl0
|
||||||
|
+ZTESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
|
||||||
|
+CgKCAgEA6Ud89ugah2oWY00q1g+M6NkpluewwvGq4tkMau1gq+Q5Biv61bubgdSA
|
||||||
|
+Z+Zkkxe3Sx0Zv7i5wldIN4wXqEDlMg2qhfzKDSNKUofc0z7FLMb0Cn46WqlciUCY
|
||||||
|
+VetHhBghGd+6fxOOz+x98FhiiAif+AdiUWBTKFFohWXo/9aiGgm0ueJj2NS3Eyac
|
||||||
|
+xOKoTcDd9TMsOJ2fMH2MlquArLobCvuphOrVbqBoeeol2SzFDDOW8ryPDzFGy5xh
|
||||||
|
+ZHkm/3sGIoDpDkDR0yhvBzn47qdLI5myc6Fj96s7S2xgqiqGXJW0D0FCfpUQXxfm
|
||||||
|
+ahz/Jdwl+hqs5Eg/aA+LE/7lmS7szo3zwJQ53ApdcaupHi4fU60wPVrdo29wLwDO
|
||||||
|
+hDuS+Oc1os1UyJt0T0a+zB4PIP2rxifyxI1iWmZFt7tJyLv1k7yMN7CLCWzsSy5P
|
||||||
|
+BZpGmHV9Wbvb660N6NzlFDMqnjJWDAr1BLoV4ywmpiWPhy/7JtKXFe1V3jT5MvGM
|
||||||
|
+26IOC+zCwwZVyEIIASeWepZDuto00Lqo7jOKSlLRmuhTX1ELK8xYX6ZU/fz0FwYn
|
||||||
|
+bLu6bI4mRGfbJ12fWYm5QMje2QAuvndfi759HUeuLl6TgmeQFgqFA/6Kkwoz0Ncb
|
||||||
|
+Kaaj+ByvLXfI4S3lvkwT26nOAt966fb1bsdkb8P52NdkqeSMk5cCAwEAAaNIMEYw
|
||||||
|
+CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/
|
||||||
|
+AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4ICAQCGQCs10hwY
|
||||||
|
+t5o3AWjU8oT8HWnLDsEzIvI/Z2dvtsFSOFotH14d8a7CdCKNiry8BbQ82A4sG/Xw
|
||||||
|
+0aVdP1EscxGhpJuMHG4Ph9PZBm31ZW2VoRHOEs7/Moi6G/1yldVxWUH/qXO00Dw9
|
||||||
|
+cEsiUQdPrPQDoVBKYAMuV15RP9b3iPpw3GY1EkIu+akGVziHFmFYUoU2gctiGIZ6
|
||||||
|
+6KiqBFvCP1Yvm3RSZ5t/Kv/jPMetAnCq+9JAUAodAh2+goBvUCAN9Itr/tEs98jq
|
||||||
|
+9d14J7gzIRDdNHKOLrRFmoMrTaDZNtqBe5jiMf0O55tgjv4BqN4w11M51bjY4umd
|
||||||
|
+GX+OXoBJG+MK7AZyaHPjHa1NMoLDOUhTvHb4zPNkPiVb8r3lYkQ4VCtre+4qqrEn
|
||||||
|
+cEt9KWGpHkoz4GSKn6uidQebdi4waexcGttsHbKPaKZqzYXAJ2bjFZnv85zPtpjO
|
||||||
|
+qxzqrMUruiCU7EfjGAdZ8S0lwjdMihznLATjKuwQkJ2mVg2HbLgxZu578FHTBOHW
|
||||||
|
+LjVIr/80auF4Ino9ocHpIwL/E4jpYQWP/Uv4KBHwkAktmUOwqyt0iysRaWy4Gp7S
|
||||||
|
+keBI9FoGtJ1Mq5M2tVINBzt1ESC3t03KqyY+/9r/IeY7A7yukC0YJnJ+HorfuQFf
|
||||||
|
+0//7DOEA58bRswyWTLOAjYMJHilTKOozSQ==
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf
|
||||||
|
index a3c8ad9f6..632cff11c 100644
|
||||||
|
--- a/tests/data/tls/conf/openssl.cnf
|
||||||
|
+++ b/tests/data/tls/conf/openssl.cnf
|
||||||
|
@@ -51,7 +51,7 @@ commonName = supplied
|
||||||
|
emailAddress = optional
|
||||||
|
|
||||||
|
[ req ]
|
||||||
|
-default_bits = 2048
|
||||||
|
+default_bits = @KEY_BITS@
|
||||||
|
default_keyfile = privkey.pem
|
||||||
|
distinguished_name = req_distinguished_name
|
||||||
|
attributes = req_attributes
|
||||||
|
diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh
|
||||||
|
index 8c33a24fe..739f8eaf1 100755
|
||||||
|
--- a/tests/data/tls/create-crt.sh
|
||||||
|
+++ b/tests/data/tls/create-crt.sh
|
||||||
|
@@ -5,6 +5,9 @@ if [ x"$openssl" = "x" ]; then
|
||||||
|
echo "OpenSSL command line binary not found, skipping..."
|
||||||
|
fi
|
||||||
|
|
||||||
|
+KEY_BITS=4096
|
||||||
|
+KEY_TYPE=rsa:$KEY_BITS
|
||||||
|
+
|
||||||
|
USAGE="$0 [-s] [-u <user@domain.com>]"
|
||||||
|
SERVER=0
|
||||||
|
USER=0
|
||||||
|
@@ -45,13 +48,13 @@ echo "00" > cruft/serial
|
||||||
|
touch cruft/index.txt
|
||||||
|
touch cruft/index.txt.attr
|
||||||
|
hn=$(hostname -f)
|
||||||
|
-sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf > ./openssl.cnf
|
||||||
|
+sed -e "s;@HOSTNAME@;$hn;" -e "s;@KEY_BITS@;$KEY_BITS;" conf/openssl.cnf > ./openssl.cnf
|
||||||
|
|
||||||
|
if [ $SERVER = 1 ]; then
|
||||||
|
rm -rf private/localhost.key certs/localhost.crt
|
||||||
|
|
||||||
|
$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \
|
||||||
|
- -newkey rsa:1024 -config ./openssl.cnf \
|
||||||
|
+ -newkey $KEY_TYPE -config ./openssl.cnf \
|
||||||
|
-subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \
|
||||||
|
-batch > /dev/null 2>&1
|
||||||
|
|
||||||
|
@@ -66,7 +69,7 @@ if [ $USER = 1 ]; then
|
||||||
|
rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr
|
||||||
|
|
||||||
|
$openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \
|
||||||
|
- -newkey rsa:1024 -config ./openssl.cnf \
|
||||||
|
+ -newkey $KEY_TYPE -config ./openssl.cnf \
|
||||||
|
-subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \
|
||||||
|
-batch >/dev/null 2>&1
|
||||||
|
|
||||||
|
diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.key
|
||||||
|
index 5f4625fd7..e30e11586 100644
|
||||||
|
--- a/tests/data/tls/private/bjensen@mailgw.example.com.key
|
||||||
|
+++ b/tests/data/tls/private/bjensen@mailgw.example.com.key
|
||||||
|
@@ -1,16 +1,52 @@
|
||||||
|
-----BEGIN PRIVATE KEY-----
|
||||||
|
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2
|
||||||
|
-xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4
|
||||||
|
-9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z
|
||||||
|
-yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r
|
||||||
|
-oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e
|
||||||
|
-nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg
|
||||||
|
-xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra
|
||||||
|
-EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd
|
||||||
|
-9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/
|
||||||
|
-pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI
|
||||||
|
-tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ
|
||||||
|
-3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D
|
||||||
|
-tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg
|
||||||
|
-36Ixj3L+5H18
|
||||||
|
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCcHBkHcUSKG4s7
|
||||||
|
+nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA7qkZvMJR8ws2u8TQU/18FhH4
|
||||||
|
++0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWgqPYe/K3bAtSRtF7wDxF77eb2
|
||||||
|
+Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38kpIB5WENCEy77QK9GEGAlMVI
|
||||||
|
+RXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nNLxTdLe1qbZyRgEqRKgW5WcWr
|
||||||
|
+W46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yImsCbzlSRLC1dfj++2mzCMxoc3x
|
||||||
|
+pZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvRX9uQOnXnazQvlRfsaHQjGUKy
|
||||||
|
+hMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzLtwWkESVDU0tNg/czWLn56smV
|
||||||
|
+7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjILQuEBssrV1h8WblruWRU31Mn
|
||||||
|
++mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5uicNcYTXCfa5ZpPL608f7cWuG2
|
||||||
|
+GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4yPXHATrCtYO1wqIyu9Yuirdg
|
||||||
|
+7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABAoICAQCWY/s40EXXRvG7XBGKe1Sn
|
||||||
|
+MZGGllyduVVQMFzJIkOsnkDKKuTY+dZlP4Zo5Q/PIvWKpRnWGRP6lsh5tJkukiHd
|
||||||
|
+jk4VvJk4AzS7mNhkRyYy3ZW3ulB5NpsXS67P610RwIhIVhuf6ORPH8GBW9lRxwoL
|
||||||
|
+1v4WpGjbywHkKQvR0Sp7lVGULuwnM0dSK2G9sdztUTGbWZlp0hRIawojtcrRt2ft
|
||||||
|
+Liyy4hooWMmAFS3wu1y3fHSNn5kEFpfis5jF+5jdDvvmsFElx/X7uiBUFMAV2vry
|
||||||
|
+wu2mceibiGjnq7Nn6I7fhgKzGnkgzzDSLA9uVBde2+RAHlO0fLTq+5YLVhe0pNBM
|
||||||
|
+J1Y0soNaO3XfVV6Vnyz8X+ruHItW2OBF9AYhIlXq/6d3MMX51BEM6odEtsi8zFgo
|
||||||
|
+ENN0GAXoyoofg+IvzPiVU2Ud7s4pAlK473d7sAQEeiFWaj7iwueAgofSUFRz7E/H
|
||||||
|
+umdhytKiJXqcjJ9O2k4sBsmQoPIB++LlUPRIlZY9UvTFxLbd/ifFUv5fqa6z0IX6
|
||||||
|
+wkIzXmRHhG+ETk1IZBJAAho7iyyYOTP+JnnToUAMWoUaZUO2bzaZfQha8Z3KVtG/
|
||||||
|
+PJUfHClBXqvFNaAUvA9Df3JoJddJ4pO1g0QjS/dp4C2KwNkH4oqMJctvCersoPWu
|
||||||
|
+5DYiWY6KR4GjokJ1lBeWAQKCAQEAzSKa+m2C4ANNCJB9tcKYDbYIdibCpzO+k1Fb
|
||||||
|
+gZUtNi9dEE0Po8rMG0jthm+GKJjNjiG5idSUMo+WNEGBPkELueex81AlEpOqQ6/9
|
||||||
|
+67cyjAsF/FvgkWOpKJnGOySF/TpK4kPGYyS3ICvs1KNE5HEywHyC4C/MD8N9Z5tX
|
||||||
|
+/DfW6sBM/wPipE9YDpKfAg3fDG9YJN/gJZ8TlZVqzzw75rKGcMeLc8f0mbMo+KWQ
|
||||||
|
+VKV4vrgz1eiVrHc5VeGUaXe1Yei5El671wAdtFdmm51A2fWd80fPlQdqfAwpX7x4
|
||||||
|
+FWuo9z2QX70rM/NTWfk4nQ6ZFEHxtm++OiTfh7RwauI8fxye6QKCAQEAwtF/tOth
|
||||||
|
+UgHrohB2DCE9gA0rxkynJHK9/SXSd0KBjERO2i41iuC9YlJT/NpNz9fM7l+L02aP
|
||||||
|
+wWLMqyC7moNmIpJMY2xBGU0EowQ/3xsSNo3u/fvOS4MyGLKENUPMFgO0J7yopiqt
|
||||||
|
+Ea31TcrFSTMSmFZCv8cGt38EwS6sdJZd/RB+h3yxesit8pouwpfbtLPx6LSGkPHY
|
||||||
|
+5nNVPgbt6xaxZJ/1kNbLFObSoZ3lzWBwp93dQh/WqeeeI51LGdM1G6fTL8HrmGFJ
|
||||||
|
+EX0AKpexFVnG/GROJc8taWtMbk9W5oK30JqR7hpSaluYbonpr9k4WQA+EAZjXfcJ
|
||||||
|
+0V0AMsMUhGtvFwKCAQAQZf7LnCuFKt5im+JgwFCVcALXJxwSb7GBZ1SQVFOL7Fdd
|
||||||
|
+MTvZ1SFh4P+T6qBn6GcuQIXrfcHnFNFmFgJ17o84akwwbiy4gnNu+8epqzhwN4Vf
|
||||||
|
++hxGoxfntftByRao+pr34YEfddTpznkdOnwMYvwypQF1WHzQmckRmjp7YB9fHsZI
|
||||||
|
+8I+SoQEiERiC+oblIJWERR1PBJt1Lr+eF2uWcpkKtPjx5X8pNkhFMD8MdTnkzSbf
|
||||||
|
+p7snUVSVB/ZsQ/SNAiShUk9jzY+SVhZOxFBl3BunUgtHF5OsnPBFxfQ3iia0tQgw
|
||||||
|
+jxfADGiSXbjn3T3hf7AJ7H7heQchewwtjy5U3v3ZAoIBAQCEAyRPe0SKJoT+X7su
|
||||||
|
+QwQClmo4SE7mUt5NAOkaKTXRz6PDEpbzkZCjZHhHGcKqeWgDizkbuh7lg0Z/G4Ik
|
||||||
|
+lK+L86jRolSGiXr/3+xMCXMRBqKQ9qV24+L5e1Y9JcDQlhfo6V06pCZ8mW1lFmcT
|
||||||
|
+UAlksucuPvZdNzQIl9ECe7YauqeStbsqIXxFrZbMA808KMde0Z1x8H/ywOpdSqLD
|
||||||
|
+r6/rKL1lNTeN5U+Ldox228fa6Gt62EpE/Y9aQMbYLBeLsvBXJ0e3DQ1PTW3kbr/v
|
||||||
|
+YNOGyY1u73GtQqkbAqY3MxLNxz/loW6BZanoFYoFv+L/5Dsp7ro8vR6pASUWQLzR
|
||||||
|
+cl9nAoIBAQCre87G76UXv6FIggT+cKM9MKS69KIE3mzNTYUo90L74vF65hJqlaIa
|
||||||
|
+mfEcPpEU+UY+ufZSIHtTDBj/9Rswaf5whJY7RfL42pSGnW2YOMpuwDIKAEvcJedu
|
||||||
|
+kZhbthBin4pa28X6L5sNxug+7Wykgesd48PmMLG4pTF+D9u7SgO37Ew5UzylPWNi
|
||||||
|
+Lrv9TlX1vv9rNFh/hOCA93DNrJlNNPltIcMDByVVjrq31QmxMJwE7cdvl1V7eoiO
|
||||||
|
+NQuGuGyFIEKPtl9dEUaA4SGYZ7fUqPZaZuzzM0Xa5UMpdcIzcuYYNn3G6FvV6vwU
|
||||||
|
+dH+lv5X1bTB18GK88ANpC2qLCKRJPCTx
|
||||||
|
-----END PRIVATE KEY-----
|
||||||
|
diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key
|
||||||
|
index 8a24f69f8..99cb512c4 100644
|
||||||
|
--- a/tests/data/tls/private/localhost.key
|
||||||
|
+++ b/tests/data/tls/private/localhost.key
|
||||||
|
@@ -1,16 +1,52 @@
|
||||||
|
-----BEGIN PRIVATE KEY-----
|
||||||
|
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg
|
||||||
|
-ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM
|
||||||
|
-w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM
|
||||||
|
-brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij
|
||||||
|
-Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf
|
||||||
|
-2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ
|
||||||
|
-bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q
|
||||||
|
-1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf
|
||||||
|
-3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U
|
||||||
|
-VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7
|
||||||
|
-TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b
|
||||||
|
-iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP
|
||||||
|
-5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3
|
||||||
|
-b61hkjQZfbEg5cg=
|
||||||
|
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDpR3z26BqHahZj
|
||||||
|
+TSrWD4zo2SmW57DC8ari2Qxq7WCr5DkGK/rVu5uB1IBn5mSTF7dLHRm/uLnCV0g3
|
||||||
|
+jBeoQOUyDaqF/MoNI0pSh9zTPsUsxvQKfjpaqVyJQJhV60eEGCEZ37p/E47P7H3w
|
||||||
|
+WGKICJ/4B2JRYFMoUWiFZej/1qIaCbS54mPY1LcTJpzE4qhNwN31Myw4nZ8wfYyW
|
||||||
|
+q4CsuhsK+6mE6tVuoGh56iXZLMUMM5byvI8PMUbLnGFkeSb/ewYigOkOQNHTKG8H
|
||||||
|
+Ofjup0sjmbJzoWP3qztLbGCqKoZclbQPQUJ+lRBfF+ZqHP8l3CX6GqzkSD9oD4sT
|
||||||
|
+/uWZLuzOjfPAlDncCl1xq6keLh9TrTA9Wt2jb3AvAM6EO5L45zWizVTIm3RPRr7M
|
||||||
|
+Hg8g/avGJ/LEjWJaZkW3u0nIu/WTvIw3sIsJbOxLLk8FmkaYdX1Zu9vrrQ3o3OUU
|
||||||
|
+MyqeMlYMCvUEuhXjLCamJY+HL/sm0pcV7VXeNPky8Yzbog4L7MLDBlXIQggBJ5Z6
|
||||||
|
+lkO62jTQuqjuM4pKUtGa6FNfUQsrzFhfplT9/PQXBidsu7psjiZEZ9snXZ9ZiblA
|
||||||
|
+yN7ZAC6+d1+Lvn0dR64uXpOCZ5AWCoUD/oqTCjPQ1xsppqP4HK8td8jhLeW+TBPb
|
||||||
|
+qc4C33rp9vVux2Rvw/nY12Sp5IyTlwIDAQABAoICADh1+wLvjmwz+xMxvCpvPRWm
|
||||||
|
+afCCR0AHqeqZye2fYoR4Cm05+837SFoWCrYbB0CqvsxJUNAcb6lf4rS/DYLFojOJ
|
||||||
|
+JzqiwmyHnBd5lrLyQFrkFHDtuEX1M9ZscfJprbeE944BnmvfWfNtM9YWLlLqc31e
|
||||||
|
+nCdB/x6FBZ0z2z8Avd87dih/aNc0NNNHxy3IBiA7i/0q04soaz0bRgm5nL0xlhYE
|
||||||
|
+bzUieWH7JQ5M47g6o76eReyeQqnUrWPeh5v/zraLGiMDvGScv6wx3x2KpHtutjr5
|
||||||
|
+mj1uVHm/UeyhYIwPGtIR0bDXhLaKcZnyeOw59G8/Z1mvVyUxb1dKW8kNKpj2yI2H
|
||||||
|
+Y1SjhW5qaOeaDPxAPqVyo6SUQIzOn6SD0l7aGyOyvYULjiw342HQYU4rQeSPOtjt
|
||||||
|
++NYMirnT7WNnmoSIsXx7nwUe38EWx5gCHy8taF4aZr5K85yZKnmsiX3vX/hH30yc
|
||||||
|
+GLOnDDa3b0FE2J2eYos14ru8RTqSLSxclr5Ru2yTdwLgE0gg+iygO1/tYYkqxZ09
|
||||||
|
+j+METJpg4wv+cQUG/BxysISqNjaPSPHdyJeTMzC8B+PUUpbRoBuvLLokkZ9P95nG
|
||||||
|
+72TFklEOB0m0VMxrEfev0HGSzkQm92s2Bf41TRaHTPSkg+G1s0haZTNqRVTGPrr/
|
||||||
|
+eyiz0qH2bgDeubJ3VuTBAoIBAQD9N+KeKo+hRWeV/I6BCBOfMeQOqlqIxYfYAxU+
|
||||||
|
+CuutILbTnGKFMTAx43syh/a5EV7q4yM81RCXKK/Lmja2OIeYJUb88bC/h0x/gq5W
|
||||||
|
+LLxHbKgFDUDF2VcWShMqDOo8J8FbzWwb9bOOShqASoR6FacJuOqlFvS8gaswZtiW
|
||||||
|
+fOvlWRKO2ybULgQctX5gOf1ctuab1VrzuHnNB30gVFc95Dg1b6RiyVAa8AFm6gs9
|
||||||
|
+6Rewk527+4T5Ho5UXvdsTVJsAhzJgVjPSyF2Vc1CRrp8lIffsg5Prb4w8kvB0i64
|
||||||
|
+09zn+jAfVRpjdGWqMI7BR1pCdheGMqv006ZVYY+QhcBIb0BHAoIBAQDr14d5PPDv
|
||||||
|
+pCjlJnCKNzX2irU6bdIY+zvXoemj/cYvHqQbPOe/kaCWFNPMxANKMmZSTdSM7qqR
|
||||||
|
+s0P1RW/R7moWNSesYwW+2Jp2hIhiWmy+E+ksXeTlFwVpuMHSDPS/N61N8XgmT3pI
|
||||||
|
+Qngl1hgxGbttniKEwI+Nc7Z3FYDDCp206nmC5y33D+ZYHv1L3e33pyqHdHD/uIeU
|
||||||
|
+57OPr7Mmd/J6pmClh1dqyZwVBClc2V6w0y2G8Lk1v79wOMrn+4/p9KH2BgkFe2gr
|
||||||
|
+uB8TOLlUhttQ8VfzXCd+Zi9s3oW0h7Vkvt4kDlJm0MrnMmK0aqgKB+7XkKE0ccVQ
|
||||||
|
+xSodzbBdDYoxAoIBAH2qGmD8JkOWug2JRP9sDrDWhaNxj3SI8x2Uiho8OTG2JoVl
|
||||||
|
++s621oArsJwnNZ4qrLxM9NPfuVgK7RNR+Qz9iO1MsqodF+Y1MxWkuPgzQ0z+83Nu
|
||||||
|
+XFLTxZBeOpyHxEcOQ7tXeut1SCK5S+WXFZ+w1zDQAELl3ZcfkuF2aM5mOHuddMRI
|
||||||
|
+pkBuhcPpnkoK/V3htxhnDbgeOPQzXzmIIbOpauu5+A6+cW6s5UU5qVKUNxl+aK09
|
||||||
|
+6YPoUiI07v1kch7//WFTO8vEMVsUwcS+bRYecD/nkYqhYt3PoSETOfSnz92gH/ms
|
||||||
|
+tmfdAAcyCeaJjpWlHY+P3h6mWsnMnP7QIdjQvUkCggEAGFkiBWRDQ5phFndHex2E
|
||||||
|
+FrXvS972p9mYLgTrSCD1CvxQ2PcKvf5c4+G2lBdQd6KIacrbPMmPFoe5ZmMKzlOc
|
||||||
|
+5DoMpIF8oF1gZQf9xJmtTFpl4ky3Sud7iZSnffYUdoFbBQb+7oWaDEfAe7eEu9z6
|
||||||
|
+OrDuw2HV8DaYCedQadJ4warLbLZNSop7r3FTmTeKT90USPO+jsgQR1E8eoMbLceI
|
||||||
|
+Yx02MSCt57p0wL6zPoC6g+rpclr75A6txvo2CIkyLGczKWEqIUTCVnEl1CgxCgb6
|
||||||
|
+MXsZJ2jGMwh9sPGwQBkaoxIJgRNxcmfv6rqK8jFos9Bp2ht2aSGty07vsDACGzlA
|
||||||
|
+oQKCAQEA8PzgkyGYHs2DwNhmv3j5ZFaP0RukwbdChSoxmbC9JP2JJxxYcnww5jYH
|
||||||
|
+xeM1bahqkdKyG5iDRiYB74EolZUMA3Zny13R4HWxNe4aUZW1H8mdmhllXX90aUOU
|
||||||
|
+WEvF2yYZbg9CQIq7zQh8HsF/S8sDTsXoZOx30zrPgb44spWKRmxdwUJt944weXvc
|
||||||
|
+p5XkLvVzBVJ+RD5IgPTBFl1iCkw3eq01CFcbTdfe9cS8V9IgDy0Jq2GvRE3Y2JS6
|
||||||
|
+xqtBB1MgZvrUoAZ8jPacRRXddg87Hwgs9+R1jaE+ZYixojOFg+JnQOGkUd9FhJAW
|
||||||
|
+bcnWV4XIPIMbouL4132Ove+GukJlPA==
|
||||||
|
-----END PRIVATE KEY-----
--
2.26.2
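--- /dev/null
+++ b/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
@@ -0,0 +1,487 @@
+From 8e3e85e329f5cbd989936b0df8a0ac06906a4824 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 Apr 2020 16:19:05 +0300
+Subject: [PATCH] auth: add SASL/GSSAPI tests
+
+---
+ tests/data/krb5.conf | 32 ++++++
+ tests/data/slapd-sasl-gssapi.conf | 65 ++++++++++++
+ tests/scripts/conf.sh | 3 +
+ tests/scripts/defines.sh | 5 +
+ tests/scripts/setup_kdc.sh | 144 +++++++++++++++++++++++++++
+ tests/scripts/test077-sasl-gssapi | 159 ++++++++++++++++++++++++++++++
+ 6 files changed, 408 insertions(+)
+ create mode 100644 tests/data/krb5.conf
+ create mode 100644 tests/data/slapd-sasl-gssapi.conf
+ create mode 100755 tests/scripts/setup_kdc.sh
+ create mode 100755 tests/scripts/test077-sasl-gssapi
+
+diff --git a/tests/data/krb5.conf b/tests/data/krb5.conf
+new file mode 100644
+index 000000000..739113742
+--- /dev/null
++++ b/tests/data/krb5.conf
+@@ -0,0 +1,32 @@
++[libdefaults]
++ default_realm = @KRB5REALM@
++ dns_lookup_realm = false
++ dns_lookup_kdc = false
++ default_ccache_name = FILE://@TESTDIR@/ccache
++ #udp_preference_limit = 1
++[realms]
++ @KRB5REALM@ = {
++ kdc = @KDCHOST@:@KDCPORT@
++ acl_file = @TESTDIR@/kadm.acl
++ database_name = @TESTDIR@/kdc.db
++ key_stash_file = @TESTDIR@/kdc.stash
++ }
++[kdcdefaults]
++ kdc_ports = @KDCPORT@
++ kdc_tcp_ports = @KDCPORT@
++[logging]
++ kdc = FILE:@TESTDIR@/kdc.log
++ admin_server = FILE:@TESTDIR@/kadm.log
++ default = FILE:@TESTDIR@/krb5.log
++
++#Heimdal
++[kdc]
++ database = {
++ dbname = @TESTDIR@/kdc.db
++ realm = @KRB5REALM@
++ mkey_file = @TESTDIR@/kdc.stash
++ log_file = @TESTDIR@/kdc.log
++ acl_file = @TESTDIR@/kadm.acl
++ }
++[hdb]
++ db-dir = @TESTDIR@
+diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
+new file mode 100644
+index 000000000..611fc7097
+--- /dev/null
++++ b/tests/data/slapd-sasl-gssapi.conf
+@@ -0,0 +1,65 @@
++# stand-alone slapd config -- for testing (with indexing)
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++#
++include @SCHEMADIR@/core.schema
++include @SCHEMADIR@/cosine.schema
++#
++include @SCHEMADIR@/corba.schema
++include @SCHEMADIR@/java.schema
++include @SCHEMADIR@/inetorgperson.schema
++include @SCHEMADIR@/misc.schema
++include @SCHEMADIR@/nis.schema
++include @SCHEMADIR@/openldap.schema
++#
++include @SCHEMADIR@/duaconf.schema
++include @SCHEMADIR@/dyngroup.schema
++
++#
++pidfile @TESTDIR@/slapd.1.pid
++argsfile @TESTDIR@/slapd.1.args
++
++# SSL configuration
++TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
++TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
++TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
++
++#
++rootdse @DATADIR@/rootdse.ldif
++
++#mod#modulepath ../servers/slapd/back-@BACKEND@/
++#mod#moduleload back_@BACKEND@.la
++#monitormod#modulepath ../servers/slapd/back-monitor/
++#monitormod#moduleload back_monitor.la
++
++
++#######################################################################
++# database definitions
++#######################################################################
++
++database @BACKEND@
++suffix "dc=example,dc=com"
++rootdn "cn=Manager,dc=example,dc=com"
++rootpw secret
++#~null~#directory @TESTDIR@/db.1.a
++#indexdb#index objectClass eq
++#indexdb#index mail eq
++#ndb#dbname db_1_a
++#ndb#include @DATADIR@/ndb.conf
++
++#monitor#database monitor
++
++sasl-realm @KRB5REALM@
++sasl-host localhost
+diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
+index b0393865d..c9e1a4b0a 100755
+--- a/tests/scripts/conf.sh
++++ b/tests/scripts/conf.sh
+@@ -99,4 +99,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
+ -e "s;@TESTWD@;${TESTWD};" \
+ -e "s;@DATADIR@;${DATADIR};" \
+ -e "s;@SCHEMADIR@;${SCHEMADIR};" \
++ -e "s;@KRB5REALM@;${KRB5REALM};" \
++ -e "s;@KDCHOST@;${KDCHOST};" \
++ -e "s;@KDCPORT@;${KDCPORT};" \
+ -e "/^#/d"
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index 1d6c2b3f1..ccb2e5b41 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -114,6 +114,7 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
+ SCHEMACONF=$DATADIR/slapd-schema.conf
+ TLSCONF=$DATADIR/slapd-tls.conf
+ TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
++SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
+ GLUECONF=$DATADIR/slapd-glue.conf
+ REFINTCONF=$DATADIR/slapd-refint.conf
+ RETCODECONF=$DATADIR/slapd-retcode.conf
+@@ -223,6 +224,7 @@ PORT3=`expr $BASEPORT + 3`
+ PORT4=`expr $BASEPORT + 4`
+ PORT5=`expr $BASEPORT + 5`
+ PORT6=`expr $BASEPORT + 6`
++KDCPORT=`expr $BASEPORT + 7`
+ URI1="ldap://${LOCALHOST}:$PORT1/"
+ URIP1="ldap://${LOCALIP}:$PORT1/"
+ URI2="ldap://${LOCALHOST}:$PORT2/"
+@@ -248,6 +250,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/"
+ SURI6="ldaps://${LOCALHOST}:$PORT6/"
+ SURIP6="ldaps://${LOCALIP}:$PORT6/"
+ 
++KRB5REALM="K5.REALM"
++KDCHOST=$LOCALHOST
++
+ # LDIF
+ LDIF=$DATADIR/test.ldif
+ LDIFADD1=$DATADIR/do_add.1
+diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
+new file mode 100755
+index 000000000..1cb784075
+--- /dev/null
++++ b/tests/scripts/setup_kdc.sh
+@@ -0,0 +1,144 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++export KRB5_TRACE=$TESTDIR/k5_trace
++export KRB5_CONFIG=$TESTDIR/krb5.conf
++export KRB5_KDC_PROFILE=$KRB5_CONFIG
++export KRB5_KTNAME=$TESTDIR/server.kt
++export KRB5_CLIENT_KTNAME=$TESTDIR/client.kt
++export KRB5CCNAME=$TESTDIR/client.ccache
++
++KDCLOG=$TESTDIR/setup_kdc.log
++KSERVICE=ldap/$LOCALHOST
++KUSER=kuser
++
++. $CONFFILTER < $DATADIR/krb5.conf > $KRB5_CONFIG
++
++PATH=${PATH}:/usr/lib/heimdal-servers:/usr/sbin:/usr/local/sbin
++
++echo "Trying Heimdal KDC..."
++
++kdc --version 2>&1 | grep Heimdal > $KDCLOG 2>&1
++RC=$?
++if test $RC = 0 ; then
++
++ kstash --random-key > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "Heimdal: kstash failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ flags="--realm-max-ticket-life=1h --realm-max-renewable-life=1h"
++ kadmin -l init $flags $KRB5REALM > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "Heimdal: kadmin init failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ kadmin -l add --random-key --use-defaults $KSERVICE > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ kadmin -l ext -k $KRB5_KTNAME $KSERVICE > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ kadmin -l add --random-key --use-defaults $KUSER > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ kadmin -l ext -k $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ kdc --addresses=$LOCALIP --ports="$KDCPORT/udp" > $KDCLOG 2>&1 &
++else
++ echo "Trying MIT KDC..."
++
++ kdb5_util create -r $KRB5REALM -s -P password > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "MIT: kdb5_util create failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ kadmin.local -q "addprinc -randkey $KSERVICE" > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "MIT: admin addprinc failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ kadmin.local -q "ktadd -k $KRB5_KTNAME $KSERVICE" > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ kadmin.local -q "addprinc -randkey $KUSER" > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "MIT: kadmin addprinc failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ kadmin.local -q "ktadd -k $KRB5_CLIENT_KTNAME $KUSER" > $KDCLOG 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
++ exit 0
++ fi
++
++ krb5kdc -n > $KDCLOG 2>&1 &
++fi
++
++KDCPROC=$!
++sleep 1
++
++kinit -kt $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
++RC=$?
++if test $RC != 0 ; then
++ kill $KDCPROC
++ echo "SASL/GSSAPI: kinit failed, skipping GSSAPI tests"
++ exit 0
++fi
++
++pluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
++RC=$?
++if test $RC != 0 ; then
++
++ saslpluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
++ RC=$?
++ if test $RC != 0 ; then
++ kill $KDCPROC
++ echo "cyrus-sasl has no GSSAPI support, test skipped"
++ exit 0
++ fi
++fi
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+new file mode 100755
+index 000000000..64abe16fe
+--- /dev/null
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -0,0 +1,159 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++echo "running defines.sh"
++. $SRCDIR/scripts/defines.sh
++
++if test $WITH_SASL = no ; then
++ echo "SASL support not available, test skipped"
++ exit 0
++fi
++
++mkdir -p $TESTDIR $DBDIR1
++cp -r $DATADIR/tls $TESTDIR
++
++cd $TESTWD
++
++
++echo "Starting KDC for SASL/GSSAPI tests..."
++. $SRCDIR/scripts/setup_kdc.sh
++
++echo "Running slapadd to build slapd database..."
++. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
++$SLAPADD -f $CONF1 -l $LDIFORDERED
++RC=$?
++if test $RC != 0 ; then
++ echo "slapadd failed ($RC)!"
++ kill $KDCPROC
++ exit $RC
++fi
++
++echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++PID=$!
++if test $WAIT != 0 ; then
++ echo PID $PID
++ read foo
++fi
++KILLPIDS="$PID"
++
++sleep 1
++
++for i in 0 1 2 3 4 5; do
++ $LDAPSEARCH -s base -b "" -H $URI1 \
++ 'objectclass=*' > /dev/null 2>&1
++ RC=$?
++ if test $RC = 0 ; then
++ break
++ fi
++ echo "Waiting 5 seconds for slapd to start..."
++ sleep 5
++done
++
++if test $RC != 0 ; then
++ echo "ldapsearch failed ($RC)!"
++ kill $KDCPROC
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++fi
++
++$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++ echo "ldapsearch failed ($RC)!"
++ kill $KDCPROC
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++fi
++
++grep GSSAPI $TESTOUT
++RC=$?
++if test $RC != 0 ; then
++ echo "failed: GSSAPI mechanism not in supportedSASLMechanisms."
++ kill $KDCPROC
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++fi
++
++echo -n "Using ldapwhoami with SASL/GSSAPI: "
++$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++ echo "ldapwhoami failed ($RC)!"
++ kill $KDCPROC
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++else
++ echo "success"
++fi
++
++echo -n "Validating mapped SASL/GSSAPI ID: "
++echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out
++$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
++RC=$?
++if test $RC != 0 ; then
++ echo "Comparison failed"
++ kill $KDCPROC
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++else
++ echo "success"
++fi
++
++if test $WITH_TLS = no ; then
++ echo "SASL/GSSAPI: TLS support not available, skipping TLS part."
++else
++ echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: "
++ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
++ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
++ > $TESTOUT 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "ldapwhoami failed ($RC)!"
++ kill $KDCPROC
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++ else
++ echo "success"
++ fi
++
++ echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: "
++ $LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow \
++ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
++ > $TESTOUT 2>&1
++ RC=$?
++ if test $RC != 0 ; then
++ echo "ldapwhoami failed ($RC)!"
++ kill $KDCPROC
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++ else
++ echo "success"
++ fi
++fi
++
++kill $KDCPROC
++test $KILLSERVERS != no && kill -HUP $KILLPIDS
++
++if test $RC != 0 ; then
++ echo ">>>>> Test failed"
++else
++ echo ">>>>> Test succeeded"
++ RC=0
++fi
++
++test $KILLSERVERS != no && wait
++
++exit $RC
+--
+2.26.2
+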
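Review bot: Every setup step in setup_kdc.sh redirects with `> $KDCLOG 2>&1`, so each command truncates the same file and when a test is skipped only the last command's output survives; the earlier kstash/kadmin diagnostics that explain the skip are lost. Appending instead — `kstash --random-key >> $KDCLOG 2>&1`, and likewise for the other commands — keeps the whole transcript (KRB5_TRACE covers the libraries, not the admin tools). Separately, both TLS checks in test077-sasl-gssapi pass `-o tls_reqcert=allow` together with `-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt`; with `allow` a server certificate that fails to validate against that CA is still accepted, so the TLS part does not actually prove the chain — `tls_reqcert=demand` would, provided the other TLS tests in the suite tolerate it. The MIT branch also passes the stash password on the command line (`-P password`); for a throwaway test database that is tolerable, but it is worth a comment so nobody copies it.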
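--- /dev/null
+++ b/openldap-change-TLS_REQSAN-default-to-TRY.patch
@@ -0,0 +1,46 @@
+From 2dfe3f35c7fef4792f15f0b3f9c9a10e5f9a4692 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@rehdat.com>
+Date: Thu, 5 Aug 2021 16:15:09 +0200
+Subject: [PATCH] Change TLS_REQSAN default to TRY
+
+---
+ doc/man/man5/ldap.conf.5 | 2 +-
+ libraries/libldap/init.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cde2c875f..9f1aa2c0a 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -479,7 +479,6 @@ The client will not check any SAN in the certificate.
+ The SAN is checked against the specified hostname. If a SAN is
+ present but none match the specified hostname, the SANs are ignored
+ and the usual check against the certificate DN is used.
+-This is the default setting.
+ .TP
+ .B try
+ The SAN is checked against the specified hostname. If no SAN is present
+@@ -487,6 +486,7 @@ in the server certificate, the usual check against the certificate DN
+ is used. If a SAN is present but doesn't match the specified hostname,
+ the session is immediately terminated. This setting may be preferred
+ when a mix of certs with and without SANs are in use.
++This is the default setting.
+ .TP
+ .B demand | hard
+ These keywords are equivalent. The SAN is checked against the specified
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 0d91808ec..fa4c176fd 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -625,7 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
+ gopts->ldo_tls_connect_cb = NULL;
+ gopts->ldo_tls_connect_arg = NULL;
+ gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+-gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
++gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_TRY;
+ #endif
+ gopts->ldo_keepalive_probes = 0;
+ gopts->ldo_keepalive_interval = 0;
+--
+2.31.1
+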
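Review bot: The new default in init.c, `gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_TRY;`, changes behaviour for every client that never sets TLS_REQSAN: under the previous `ALLOW` a present-but-mismatched SAN fell back to the CN check, whereas under `TRY` the man-page text in this same patch says the session is terminated. That is the safer default, but the assignment deserves a why-comment, e.g. `/* TRY: a SAN that is present but does not match aborts the session; the CN check is used only when no SAN exists */`, since the neighbouring option defaults carry no explanation. The enclosing ldap_int_initialize_global_options() continues outside the hunk, and the `#endif` at the bottom suggests the line sits in a conditional block whose opening is not visible, so the comment belongs inside that block. Only the per-keyword paragraphs of ldap.conf.5 are updated; if the TLS_REQSAN entry states the default in its summary as well, that text would now be stale.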
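--- a/openldap-cldap-check-for-error-on-connected-socket.patch
+++ b/openldap-cldap-check-for-error-on-connected-socket.patch
@@ -0,0 +1,41 @@
+From ec5eba5393e5cc65b05e54658c55500cdbff775a Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 26 Aug 2020 13:22:52 +0100
+Subject: [PATCH 01/34] ITS#9328 cldap: check for error on connected socket
+
+libldap doesn't use a connected socket for UDP sessions, but 3rd
+parties can, passed in with ldap_init_fd().
+---
+libraries/libldap/result.c | 6 ++++--
+1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
+index bdced135b..e2b220630 100644
+--- a/libraries/libldap/result.c
++++ b/libraries/libldap/result.c
+@@ -486,7 +486,8 @@ retry:
+#ifdef LDAP_CONNECTIONLESS
+if ( LDAP_IS_UDP(ld) ) {
+struct sockaddr_storage from;
+- ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) );
++ if ( ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ) < 0 )
++ goto fail;
+if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
+}
+nextresp3:
+@@ -502,10 +503,11 @@ nextresp3:
+break;
+
+case LBER_DEFAULT:
++fail:
+err = sock_errno();
+#ifdef LDAP_DEBUG
+Debug( LDAP_DEBUG_CONNS,
+- "ber_get_next failed.\n", 0, 0, 0 );
++ "ber_get_next failed, errno=%d.\n", err, 0, 0 );
+#endif
+if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
+if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;
+--
+2.26.2
+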
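Review bot: The `fail:` label added in front of `err = sock_errno();` is unconditional, but its only `goto fail` sits inside the `#ifdef LDAP_CONNECTIONLESS` block of the first hunk, so a build without LDAP_CONNECTIONLESS defines a label that is never used and most compilers warn about it; wrapping it the same way, `#ifdef LDAP_CONNECTIONLESS` / `fail:` / `#endif`, keeps the two hunks in step. The new check treats only a negative return as failure, so a zero-length read still enters the normal decode path as before; if that is intended, a one-line comment such as `/* <0 is a socket error (the connected-socket case from the commit message); 0 is a legal empty datagram */` would save the next reader from re-deriving it. The enclosing function begins before the first hunk and continues after the second.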
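--- a/openldap-ldapi-sasl.patch
+++ b/openldap-ldapi-sasl.patch
@@ -0,0 +1,55 @@
+From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 7 May 2013 17:02:57 +0200
+Subject: [PATCH] LDAPI SASL fix
+
+Resolves: #960222
+---
+libraries/libldap/cyrus.c | 19 ++++++++++++++++---
+1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
+
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 28c241b..a9acf36 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
+struct berval ccred = BER_BVNULL;
+int saslrc, rc;
+unsigned credlen;
++ char my_hostname[HOST_NAME_MAX + 1];
++ int free_saslhost = 0;
+
+Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
+mechs ? mechs : "<null>", 0, 0 );
+@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
+
+/* If we don't need to canonicalize just use the host
+* from the LDAP URI.
++ * Always use the result of gethostname() for LDAPI.
+*/
+- if ( nocanon )
++ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
++ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
++ rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
++ if (rc == 0) {
++ saslhost = my_hostname;
++ } else {
++ saslhost = "localhost";
++ }
++ } else if ( nocanon )
+saslhost = ld->ld_defconn->lconn_server->lud_host;
+- else
++ else {
+saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+"localhost" );
++ free_saslhost = 1;
++ }
+rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
+- if ( !nocanon )
++ if ( free_saslhost )
+LDAP_FREE( saslhost );
+}
+
+--
+1.7.11.7
+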
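Review bot: `gethostname(my_hostname, HOST_NAME_MAX + 1)` is not guaranteed to NUL-terminate the buffer when the host name does not fit (POSIX leaves that unspecified), yet `my_hostname` is then handed to `ldap_int_sasl_open` as a C string; add `my_hostname[HOST_NAME_MAX] = '\0';` inside the `rc == 0` branch before `saslhost = my_hostname;`. `HOST_NAME_MAX` comes from `<limits.h>` and is not defined on every platform; the hunk does not show where this file gets it, so confirm the include is present or fall back to `_POSIX_HOST_NAME_MAX`. The `free_saslhost` flag correctly keeps the literal `"localhost"` and the stack buffer away from `LDAP_FREE`, which the old `if ( !nocanon )` would not have done. `ldap_int_sasl_bind` starts before the first hunk and ends after the second.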
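--- a/openldap-manpages.patch
+++ b/openldap-manpages.patch
@@ -0,0 +1,73 @@
+Various manual pages changes:
+* removes LIBEXECDIR from slapd.8
+* removes references to non-existing manpages (bz 624616)
+
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 3def6da..466c772 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
+.BR ldap_add_ext (3),
+.BR ldap_delete_ext (3),
+.BR ldap_modify_ext (3),
+-.BR ldap_modrdn_ext (3),
+-.BR ldif (5).
++.BR ldif (5)
+.SH AUTHOR
+The OpenLDAP Project <http://www.openldap.org/>
+.SH ACKNOWLEDGEMENTS
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cfde143..63592cb 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -317,6 +317,7 @@ certificates in separate individual files. The
+.B TLS_CACERT
+is always used before
+.B TLS_CACERTDIR.
++The specified directory must be managed with the OpenSSL c_rehash utility.
+This parameter is ignored with GnuTLS.
+
+When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
+index b739f4d..e2a1a00 100644
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+.SH NAME
+slapd \- Stand-alone LDAP Daemon
+.SH SYNOPSIS
+-.B LIBEXECDIR/slapd
++.B slapd
+[\c
+.BR \-4 | \-6 ]
+[\c
+@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
+.LP
+.nf
+.ft tt
+- LIBEXECDIR/slapd
++ slapd
+.ft
+.fi
+.LP
+@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
+.LP
+.nf
+.ft tt
+- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++ slapd -f /var/tmp/slapd.conf -d 255
+.ft
+.fi
+.LP
+@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
+.LP
+.nf
+.ft tt
+- LIBEXECDIR/slapd \-Tt
++ slapd -Tt
+.ft
+.fi
+.LP
+--
+1.8.1.4
+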
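--- a/openldap-openssl-ITS7595-Add-EC-support-1.patch
+++ b/openldap-openssl-ITS7595-Add-EC-support-1.patch
@@ -0,0 +1,227 @@
+ITS#7595 Add Elliptic Curve support for OpenSSL
+
+Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
+Author: Howard Chu <hyc@openldap.org>
+Date: Sat Sep 7 09:47:19 2013 -0700
+
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index 9c72e8296..2311c3096 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -922,6 +922,13 @@ are not used.
+When using Mozilla NSS these parameters are always generated randomly
+so this directive is ignored.
+.TP
++.B olcTLSECName: <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange. This is required to enable ECDHE algorithms in
++OpenSSL. This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+.B olcTLSProtocolMin: <major>[.<minor>]
+Specifies minimum SSL/TLS protocol version that will be negotiated.
+If the server doesn't support at least that version,
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index f504adcf9..ef03e0ad8 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1153,6 +1153,13 @@ are not used.
+When using Mozilla NSS these parameters are always generated randomly
+so this directive is ignored.
+.TP
++.B TLSECName <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange. This is required to enable ECDHE algorithms in
++OpenSSL. This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+.B TLSProtocolMin <major>[.<minor>]
+Specifies minimum SSL/TLS protocol version that will be negotiated.
+If the server doesn't support at least that version,
+diff --git a/include/ldap.h b/include/ldap.h
+index c245651c2..0964a193e 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
+#define LDAP_OPT_X_TLS_NEWCTX 0x600f
+#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
+#define LDAP_OPT_X_TLS_PACKAGE 0x6011
++#define LDAP_OPT_X_TLS_ECNAME 0x6012
+
+#define LDAP_OPT_X_TLS_NEVER 0
+#define LDAP_OPT_X_TLS_HARD 1
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 66e04ae80..db7193f4f 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -165,6 +165,7 @@ struct ldaptls {
+char *lt_ciphersuite;
+char *lt_crlfile;
+char *lt_randfile; /* OpenSSL only */
++ char *lt_ecname; /* OpenSSL only */
+int lt_protocol_min;
+};
+#endif
+@@ -250,6 +251,7 @@ struct ldapoptions {
+#define ldo_tls_certfile ldo_tls_info.lt_certfile
+#define ldo_tls_keyfile ldo_tls_info.lt_keyfile
+#define ldo_tls_dhfile ldo_tls_info.lt_dhfile
++#define ldo_tls_ecname ldo_tls_info.lt_ecname
+#define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
+#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
+#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index d25c190ea..0451b01af 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+LDAP_FREE( lo->ldo_tls_dhfile );
+lo->ldo_tls_dhfile = NULL;
+}
++ if ( lo->ldo_tls_ecname ) {
++ LDAP_FREE( lo->ldo_tls_ecname );
++ lo->ldo_tls_ecname = NULL;
++ }
+if ( lo->ldo_tls_cacertfile ) {
+LDAP_FREE( lo->ldo_tls_cacertfile );
+lo->ldo_tls_cacertfile = NULL;
+@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
+lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
+__atoe( lts.lt_dhfile );
+}
++ if ( lts.lt_ecname ) {
++ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
++ __atoe( lts.lt_ecname );
++ }
+#endif
+lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
+if ( lo->ldo_tls_ctx == NULL ) {
+@@ -257,6 +265,7 @@ error_exit:
+LDAP_FREE( lts.lt_crlfile );
+LDAP_FREE( lts.lt_cacertdir );
+LDAP_FREE( lts.lt_dhfile );
++ LDAP_FREE( lts.lt_ecname );
+#endif
+return rc;
+}
+@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
+*(char **)arg = lo->ldo_tls_dhfile ?
+LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
+break;
++ case LDAP_OPT_X_TLS_ECNAME:
++ *(char **)arg = lo->ldo_tls_ecname ?
++ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
++ break;
+case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
+*(char **)arg = lo->ldo_tls_crlfile ?
+LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
+@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+return 0;
++ case LDAP_OPT_X_TLS_ECNAME:
++ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
++ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++ return 0;
+case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
+if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index f24060b7e..1370923af 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+return -1;
+}
+
+- if ( lo->ldo_tls_dhfile ) {
+- DH *dh = NULL;
++ if ( is_server && lo->ldo_tls_dhfile ) {
++ DH *dh;
+BIO *bio;
+- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+
+if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+Debug( LDAP_DEBUG_ANY,
+@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+}
+BIO_free( bio );
+SSL_CTX_set_tmp_dh( ctx, dh );
++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
++ DH_free( dh );
++ }
++
++#ifdef SSL_OP_SINGLE_ECDH_USE
++ if ( is_server && lo->ldo_tls_ecname ) {
++ EC_KEY *ecdh;
++
++ int nid = OBJ_sn2nid( lt->lt_ecname );
++ if ( nid == NID_undef ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use EC name `%s'.\n",
++ lo->ldo_tls_ecname,0,0);
++ tlso_report_error();
++ return -1;
++ }
++ ecdh = EC_KEY_new_by_curve_name( nid );
++ if ( ecdh == NULL ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not generate key for EC name `%s'.\n",
++ lo->ldo_tls_ecname,0,0);
++ tlso_report_error();
++ return -1;
++ }
++ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
++ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
++ EC_KEY_free( ecdh );
+}
++#endif
+
+if ( tlso_opt_trace ) {
+SSL_CTX_set_info_callback( ctx, tlso_info_cb );
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 250f14100..8b1e4e582 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -194,6 +194,7 @@ enum {
+CFG_ACL_ADD,
+CFG_SYNC_SUBENTRY,
+CFG_LTHREADS,
++ CFG_TLS_ECNAME,
+
+CFG_LAST
+};
+@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
+#endif
+"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
+"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
++ { "TLSECName", NULL, 2, 2, 0,
++#ifdef HAVE_TLS
++ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
++#else
++ ARG_IGNORED, NULL,
++#endif
++ "( OLcfgGlAt:96 NAME 'olcTLSECName' "
++ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+{ "TLSProtocolMin", NULL, 2, 2, 0,
+#ifdef HAVE_TLS
+CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
+@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
+"olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
+"olcTLSCACertificatePath $ olcTLSCertificateFile $ "
+"olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
+- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
++ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
+"olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
+"olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
+"olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
+@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
+case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
+case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
+case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
++ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
+#ifdef HAVE_GNUTLS
+case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
+#endif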
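Review bot: In the tls_o.c hunk, `SSL_CTX_set_tmp_ecdh( ctx, ecdh )` pins the server to the single curve named by TLSECName, so a client that does not offer that one curve will generally get no ECDHE suite at all rather than a different curve; with OpenSSL 1.0.2 or later `SSL_CTX_set1_curves_list( ctx, lt->lt_ecname )` accepts a list and lets the library negotiate, and `SSL_CTX_set_tmp_ecdh` together with `SSL_OP_SINGLE_ECDH_USE` is deprecated or a no-op in newer releases, so the man-page text promising "required to enable ECDHE" is only true for older OpenSSL. The `NID_undef` branch calls `tlso_report_error()` after `OBJ_sn2nid` fails, but that lookup does not necessarily queue an OpenSSL error, so the call may print nothing; the Debug line already names the bad value, which is enough. The two TLSECName paragraphs should also tell the administrator what a valid name is, e.g. append `The name must be a curve short name known to OpenSSL (see openssl ecparam -list_curves).`. `tlso_ctx_init` starts before and ends after its hunks.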
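--- a/openldap-openssl-ITS7595-Add-EC-support-2.patch
+++ b/openldap-openssl-ITS7595-Add-EC-support-2.patch
@@ -0,0 +1,34 @@
+ITS#7595 don't try to use EC if OpenSSL lacks it
+
+Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
+Author: Howard Chu <hyc@openldap.org>
+Date: Sun Sep 8 06:32:23 2013 -0700
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 1a81bc625..71c2b055c 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+DH_free( dh );
+}
+
+-#ifdef SSL_OP_SINGLE_ECDH_USE
+if ( is_server && lo->ldo_tls_ecname ) {
++#ifdef OPENSSL_NO_EC
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: Elliptic Curves not supported.\n", 0,0,0 );
++ return -1;
++#else
+EC_KEY *ecdh;
+
+int nid = OBJ_sn2nid( lt->lt_ecname );
+@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+EC_KEY_free( ecdh );
+- }
+#endif
++ }
+
+if ( tlso_opt_trace ) {
+SSL_CTX_set_info_callback( ctx, tlso_info_cb );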
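Review bot: The new `OPENSSL_NO_EC` branch fails context setup with `"TLS: Elliptic Curves not supported.\n"` without saying which directive triggered it, so an administrator sees TLS initialisation fail with no pointer to TLSECName. Printing the configured value, `"TLS: Elliptic Curves not supported, cannot use EC name %s.\n", lo->ldo_tls_ecname, 0, 0`, matches the two other failure messages in this block that already quote it. Moving the closing `}` after `#endif` so both preprocessor branches close the `if` is correct. `tlso_ctx_init` starts before and ends after the hunks.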
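--- a/openldap-openssl-manpage-defaultCA.patch
+++ b/openldap-openssl-manpage-defaultCA.patch
@@ -0,0 +1,48 @@
+Reference default system-wide CA certificates in manpages
+
+OpenSSL, unless explicitly configured, uses system-wide default set of CA
+certificates.
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an
+.B ldaps:// URI
+is selected (by default or otherwise) or when the application
+negotiates TLS by issuing the LDAP StartTLS operation.
++.LP
++When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
++is set, the system-wide default set of CA certificates is used.
+.TP
+.B TLS_CACERT <filename>
+Specifies the file that contains certificates for all of the Certificate
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -801,6 +801,10 @@ If
+.B slapd
+is built with support for Transport Layer Security, there are more options
+you can specify.
++.LP
++When using OpenSSL, if neither \fBolcTLSCACertificateFile\fP nor
++\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+.TP
+.B olcTLSCipherSuite: <cipher-suite-spec>
+Permits configuring what ciphers will be accepted and the preference order.
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1032,6 +1032,10 @@ If
+.B slapd
+is built with support for Transport Layer Security, there are more options
+you can specify.
++.LP
++When using OpenSSL, if neither \fBTLSCACertificateFile\fP nor
++\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+.TP
+.B TLSCipherSuite <cipher-suite-spec>
+Permits configuring what ciphers will be accepted and the preference order.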
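--- a/openldap-reentrant-gethostby.patch
+++ b/openldap-reentrant-gethostby.patch
@@ -0,0 +1,33 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton <jlayton@redhat.com>
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index 373c81c..a012062 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,8 +52,8 @@ extern int h_errno;
+#ifndef LDAP_R_COMPILE
+# undef HAVE_REENTRANT_FUNCTIONS
+# undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+
+#else
+# include <ldap_pvt_thread.h>
+@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+#define BUFSTART (1024-32)
+#define BUFMAX (32*1024-32)
+
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+static char *safe_realloc( char **buf, int len );
+
+#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))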
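Review bot: The new `#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)` relies on `&&` binding tighter than `||`; it evaluates as intended, but it is easy to misread next to the `#if !(defined(...) && defined(...))` two lines below, so write `#if defined(LDAP_R_COMPILE) || (defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))`. The first hunk leaves the two `# undef` lines commented out rather than deleted, which reads as a leftover; a one-line comment carrying the reason from the patch header, `/* keep the _r variants even outside libldap_r: the non-reentrant ones deadlock when nss_ldap re-enters libldap (#179730) */`, would explain the deviation from upstream to the next maintainer.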
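--- a/openldap-smbk5pwd-overlay.patch
+++ b/openldap-smbk5pwd-overlay.patch
@@ -0,0 +1,62 @@
+Compile smbk5pwd together with other overlays.
+
+Author: Jan Šafránek <jsafrane@redhat.com>
+Resolves: #550895
+
+Update to link against OpenSSL
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #841560
+
+diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
+index f20ad94..b6433ff 100644
+--- a/contrib/slapd-modules/smbk5pwd/README
++++ b/contrib/slapd-modules/smbk5pwd/README
+@@ -1,3 +1,8 @@
++******************************************************************************
++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
++******************************************************************************
++
+This directory contains a slapd overlay, smbk5pwd, that extends the
+PasswordModify Extended Operation to update Kerberos keys and Samba
+password hashes for an LDAP user.
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index 3af20e8..ef73663 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
+syncprov.c \
+translucent.c \
+unique.c \
+- valsort.c
++ valsort.c \
++ smbk5pwd.c
+OBJS = statover.o \
+@SLAPD_STATIC_OVERLAYS@ \
+overlays.o
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+
+LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+
+XINCPATH = -I.. -I$(srcdir)/..
+XDEFS = $(MODULES_CPPFLAGS)
+@@ -125,6 +126,12 @@ unique.la : unique.lo
+valsort.la : valsort.lo
+$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+
++smbk5pwd.lo : smbk5pwd.c
++ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++smbk5pwd.la : smbk5pwd.lo
++ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+install-local: $(PROGRAMS)
+@if test -n "$?" ; then \
+$(MKDIR) $(DESTDIR)$(moduledir); \
+--
+1.7.10.4
+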
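Review bot: The two new rules in Makefile.in call `$(shell pkg-config openssl --cflags)` and `$(shell pkg-config openssl --libs)`, and when pkg-config or openssl.pc is absent both expand to nothing, so the overlay compiles and links without the OpenSSL flags instead of failing at build time; `$(shell ...)` is also GNU make syntax inside an autoconf-templated file. Resolving the flags once at configure time (an `AC_SUBST` variable in the style of the existing `@BUILD_LIBS_DYNAMIC@`), or assigning them once with `:=` and failing on an empty result, would make a missing dependency visible. The `-UHAVE_MOZNSS -DHAVE_OPENSSL` pair additionally hard-wires this one overlay to OpenSSL regardless of the backend configure selected, which the README note added in the first hunk should mention alongside the Heimdal remark.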
@ -0,0 +1,41 @@
From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
Date: Tue, 18 May 2010 17:47:05 +0200
Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
Proof of concept for fixing http://bugs.debian.org/327585
(patch ported from freeradius bug http://bugs.debian.org/416266)
Resolves: #960048
---
--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200
+++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200
@@ -117,6 +117,20 @@
return -1; /* not found */
}
+static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
+{
+ lt_dlhandle handle = 0;
+ lt_dladvise advise;
+
+ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
+ && !lt_dladvise_global (&advise))
+ handle = lt_dlopenadvise (filename, advise);
+
+ lt_dladvise_destroy (&advise);
+
+ return handle;
+}
+
int module_load(const char* file_name, int argc, char *argv[])
{
module_loaded_t *module;
@@ -180,7 +194,7 @@
* to calling Debug. This is because Debug is a macro that expands
* into multiple function calls.
*/
- if ((module->lib = lt_dlopenext(file)) == NULL) {
+ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
error = lt_dlerror();
#ifdef HAVE_EBCDIC
strcpy( ebuf, error );
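Review bot: `slapd_lt_dlopenext_global` calls `lt_dladvise_destroy(&advise)` unconditionally, but when `lt_dladvise_init(&advise)` fails the short-circuited condition skips `lt_dlopenadvise` and `advise` is never initialised, so destroy runs on an indeterminate value. Returning early on init failure and destroying only on the path where init succeeded removes that, and `handle` is a pointer so it should start as `NULL` rather than `0`. The helper also deserves a comment on its effect: with RTLD_GLOBAL every symbol a module exports becomes visible to modules loaded after it, so two modules exporting the same name resolve to whichever loaded first. The `module_load` body touched by the second hunk starts before and ends after that hunk.
```c
static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
{
	lt_dlhandle handle = NULL;
	lt_dladvise advise;

	/* advise is only valid, and only needs destroying, after a successful init */
	if ( lt_dladvise_init( &advise ) != 0 )
		return NULL;

	if ( !lt_dladvise_ext( &advise ) && !lt_dladvise_global( &advise ) )
		handle = lt_dlopenadvise( filename, advise );

	lt_dladvise_destroy( &advise );

	return handle;
}
```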
2177
openldap.spec
Normal file
2177
openldap.spec
Normal file
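--- a/slapd.ldif
+++ b/slapd.ldif
@@ -0,0 +1,158 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+#
+# TLS settings
+#
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+
+
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory: /var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub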
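--- a/slapd.service
+++ b/slapd.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-hdb
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
+
+[Install]
+WantedBy=multi-user.target
+Alias=openldap.service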
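Review bot: `Type=forking` in the `[Service]` section has no `PIDFile=`, so systemd has to guess the main process after slapd daemonizes and may track the wrong PID for stop/restart; the tmpfiles entry in this same commit creates `/var/run/openldap` explicitly for `slapd.pid`, so add `PIDFile=/var/run/openldap/slapd.pid` directly under `Type=forking` (confirm the path matches the olcPidFile value the packaged config ships). The unit also applies no sandboxing to a network-facing daemon that starts as root and only drops to the `ldap` user via `-u ldap`; `ProtectSystem=full` and `PrivateTmp=yes` are low-risk additions that should be tested against the check-config.sh pre-start and the /var/lib/ldap and /etc/openldap paths slapd needs to write and read. `After=syslog.target` is a legacy target under journald and can be dropped, leaving `After=network-online.target` (which should be paired with `Wants=network-online.target` to actually pull the target in).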
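--- a/slapd.tmpfiles
+++ b/slapd.tmpfiles
@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /var/run/openldap 0755 ldap ldap -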
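Review bot: The `d` line uses the legacy `/var/run` prefix, which newer systemd-tmpfiles reports as deprecated and canonicalizes to `/run`; writing it as `d /run/openldap 0755 ldap ldap -` avoids the warning and matches the directory slapd actually ends up in on a system where /var/run is a symlink. Note also that the directory is owned by the unprivileged `ldap` service account, so the `slapd.pid` written there is under the control of the daemon's own uid; that is the normal arrangement for a dropped-privilege daemon, but anything that later trusts that pid file (for example a `PIDFile=` in the unit) should rely on systemd's own validation that the pid belongs to the service cgroup rather than treating the file as authoritative.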
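--- a/sources
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (ltb-project-openldap-ppolicy-check-password-1.1.tar.gz) = f3384a164ce5db488908cf6380bad8500b800b09d12a8f04e1b6ccb6f6af6ab3971fcdbe4acca7a1b6d16b408a11065c2b1ab2497863fe07d3c28262b0f6776e
+SHA512 (openldap-2.4.46.tgz) = eef39d43f04aa09c657a1422cefef060fe00368559ae40d0d97536c08ebeaaa1ab06207b3f121ba6afcde54abdc550027c3505e5217e5fd47ae6f8c001260186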