- add %{_sysconfdir}/openldap/cacerts, which authconfig sets as the

TLS_CACERTDIR path in /etc/openldap/ldap.conf now
- use a temporary wrapper script to launch slapd, in case we have arguments
  with embedded whitespace (#158111)

ldap.init

@@ -20,7 +20,8 @@ if [ -r /etc/sysconfig/network ] ; then
 fi
 
 # Source an auxiliary options file if we have one, and pick up OPTIONS,
-# SLAPD_OPTIONS, SLURPD_OPTIONS, and maybe KRB5_KTNAME.
+# SLAPD_OPTIONS, SLURPD_OPTIONS, SLAPD_LDAPS, SLAPD_LDAPI, and maybe
+# KRB5_KTNAME.
 if [ -r /etc/sysconfig/ldap ] ; then
 	. /etc/sysconfig/ldap
 fi
@@ -42,13 +43,13 @@ function testasuser() {
     shift
     cmd="$@"
     if test x"$user" != x ; then
-        if test x"$cmd" != x ; then
-            /sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"
-        else
-            false
-        fi
+	if test x"$cmd" != x ; then
+	    /sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"
+	else
+	    false
+	fi
     else
-        false
+	false
     fi
 }
 
@@ -62,34 +63,34 @@ function checkkeytab() {
     service="$2"
     default="${3:-false}"
     if test -x /usr/kerberos/bin/klist ; then
-        klist=/usr/kerberos/bin/klist
+	klist=/usr/kerberos/bin/klist
     elif test -x /usr/bin/klist ; then
-        klist=/usr/bin/klist
+	klist=/usr/bin/klist
     fi
     KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
     export KRB5_KTNAME
     if test -s "$KRB5_KTNAME" ; then
-        if test x"$klist" != x ; then
-            if LANG=C klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then
-                if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then
-                    true
-                else
-                    false
-                fi
-            else
-                false
-            fi
-        else
-            $default
-        fi
+	if test x"$klist" != x ; then
+	    if LANG=C klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then
+		if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then
+		    true
+		else
+		    false
+		fi
+	    else
+		false
+	    fi
+	else
+	    $default
+	fi
     else
-        false
+	false
     fi
 }
 
 function configtest() {
 	local user= ldapuid= dbdir= file=
-        # Check for simple-but-common errors.
+	# Check for simple-but-common errors.
 	user=ldap
 	prog=`basename ${slapd}`
 	ldapuid=`id -u $user`
@@ -100,8 +101,8 @@ function configtest() {
 			echo -n $"$file is not owned by \"$user\"" ; warning ; echo
 		done
 		if ! test -s ${dbdir}/id2entry.dbb ; then
-			if ! test -s ${dbdir}/id2entry.bdb ; then
-				if ! test -s ${dbdir}/id2entry.gdbm ; then
+			if ! test -s ${dbdir}/id2entry.gdbm ; then
+				if ! test -s ${dbdir}/id2entry.bdb ; then
 					slaptestflags=-u
 				fi
 			fi
@@ -120,8 +121,8 @@ function configtest() {
 		fi
 	done
 	# Check the configuration file.
-        if ! action $"Checking configuration files for $prog: " $slaptest $slaptestflags ; then
-        	if $slaptest -u > /dev/null 2> /dev/null ; then
+	if ! action $"Checking configuration files for $prog: " $slaptest $slaptestflags ; then
+		if $slaptest -u > /dev/null 2> /dev/null ; then
 			dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' /etc/openldap/slapd.conf | awk '{print $2}'`
 			for directory in $dirs ; do
 				if test -r $directory/__db.001 ; then
@@ -135,33 +136,48 @@ function configtest() {
 
 function start() {
 	configtest
-        # Start daemons.
+	# Define a couple of local variables which we'll need. Maybe.
 	user=ldap
 	prog=`basename ${slapd}`
-        echo -n $"Starting $prog: "
-	if grep -q ^TLS /etc/openldap/slapd.conf ; then
-	    daemon ${slapd} -u ${user} -h "ldap:/// ldaps:///" $OPTIONS $SLAPD_OPTIONS
-	    RETVAL=$?
-	else
-	    daemon ${slapd} -u ${user} -h "ldap:///" $OPTIONS $SLAPD_OPTIONS
-	    RETVAL=$?
+	# Build a wrapper script to exec slapd with the right arguments, to
+	# avoid being tripped out by changes or weirdness in how daemon()
+	# handles quoted arguments.
+	wrapper=`mktemp ${TMP:-/tmp}/start-slapd.XXXXXX`
+	harg="ldap:///"
+	if grep -q ^TLS /etc/openldap/slapd.conf || test x$SLAPD_LDAPS = xyes ; then
+	    harg="$harg ldaps:///"
 	fi
+	if test x$SLAPD_LDAPI = xyes ; then
+	    harg="$harg ldapi:///"
+	fi
+	if test -z "$wrapper" ; then
+	    return 1
+	fi
+	cat >> $wrapper <<- EOF
+	exec ${slapd} -h "$harg" -u ${user} $OPTIONS $SLAPD_OPTIONS
+	EOF
+	chmod u+x $wrapper
+	trap "rm -f $wrapper" EXIT
+	# Start daemons.
+	echo -n $"Starting $prog: "
+	daemon --check=$prog $wrapper
+	RETVAL=$?
 	echo
 	if [ $RETVAL -eq 0 ]; then
-            if grep -q "^replogfile" /etc/openldap/slapd.conf; then
+	    if grep -q "^replogfile" /etc/openldap/slapd.conf; then
 		prog=`basename ${slurpd}`
 		echo -n $"Starting $prog: "
-                daemon ${slurpd} $OPTIONS $SLURPD_OPTIONS
+		daemon ${slurpd} $OPTIONS $SLURPD_OPTIONS
 		RETVAL=$?
 		echo
-            fi
+	    fi
 	fi
 	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/ldap
 	return $RETVAL
 }
 
 function stop() {
-        # Stop daemons.
+	# Stop daemons.
 	prog=`basename ${slapd}`
 	echo -n $"Stopping $prog: "
 	killproc ${slapd}
@@ -176,25 +192,25 @@ function stop() {
 		echo
 	    fi
 	fi
-        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ldap /var/run/slapd.args
+	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ldap /var/run/slapd.args
 	return $RETVAL
 }
 
 # See how we were called.
 case "$1" in
     configtest)
-        configtest
-        ;;
+	configtest
+	;;
     start)
-        start
-        ;;
+	start
+	;;
     stop)
-        stop
-        ;;
+	stop
+	;;
     status)
-        status ${slapd}
-        if grep -q "^replogfile" /etc/openldap/slapd.conf ; then
-            status ${slurpd}
+	status ${slapd}
+	if grep -q "^replogfile" /etc/openldap/slapd.conf ; then
+	    status ${slurpd}
 	fi
 	;;
     restart)
@@ -202,10 +218,10 @@ case "$1" in
 	start
 	;;
     condrestart)
-        if [ -f /var/lock/subsys/ldap ] ; then
-            stop
-            start
-        fi
+	if [ -f /var/lock/subsys/ldap ] ; then
+	    stop
+	    start
+	fi
 	;;
     *)
 	echo $"Usage: $0 {start|stop|restart|status|condrestart}"

openldap.spec

@@ -503,6 +503,11 @@ pushd openldap-%{version_22}/build-clients
 make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} LIBTOOL="$libtool"
 popd
 
+# Create this directory so that authconfig setting TLS_CACERT to
+# /etc/openldap/cacerts doesn't cause TLS startup of any kind to fail
+# when the directory doesn't exist.
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/openldap/cacerts
+
 # Install the padl.com migration tools.
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/openldap/migration
 install -m 755 MigrationTools-%{migtools_version}/migrate_* \
@@ -619,6 +624,7 @@ fi
 %doc openldap-%{version_22}/LICENSE
 %doc openldap-%{version_22}/README
 %attr(0755,root,root) %dir /etc/openldap
+%attr(0755,root,root) %dir /etc/openldap/cacerts
 %attr(0644,root,root) %config(noreplace) /etc/openldap/ldap*.conf
 %attr(0755,root,root) %{_libdir}/liblber-*.so.*
 %attr(0755,root,root) %{_libdir}/libldap-*.so.*
@@ -711,7 +717,11 @@ fi
 %changelog
 * Thu May 19 2005 Nalin Dahyabhai <nalin@redhat.com>
 - run slaptest with the -u flag if no id2entry db files are found, because
-  you can't read-write access a non-existent database (#156787)
+  you can't check for read-write access to a non-existent database (#156787)
+- add %{_sysconfdir}/openldap/cacerts, which authconfig sets as the
+  TLS_CACERTDIR path in /etc/openldap/ldap.conf now
+- use a temporary wrapper script to launch slapd, in case we have arguments
+  with embedded whitespace (#158111)
 
 * Wed May  4 2005 Nalin Dahyabhai <nalin@redhat.com>
 - update to 2.2.26 (stable 20050429)