From 1ba07db975a325ccf1f0e02d5ca6dad4ea11e54c Mon Sep 17 00:00:00 2001
From: fenlason
Date: Fri, 30 Sep 2005 19:29:43 +0000
Subject: [PATCH] * Thu Sep 29 2005 Jay Fenlason 2.2.28-2 - Upgrade to nev upstream version. This makes the 2.2.*-hop patch obsolete. * Mon Aug 22 2005 Jay Fenlason 2.2.26-2 - Move the slapd.pem file to /etc/pki/tls/certs and edit the -config patch to match to close bz#143393 Creates certificates + keys at an insecure/bad place - also use _sysconfdir instead of hard-coding /etc * Thu Aug 11 2005 Jay Fenlason - Add the tls-fix-connection-test patch to close bz#161991 openldap password disclosure issue - add the hop patches to prevent infinite looping when chasing referrals. OpenLDAP ITS #3578
---
 .cvsignore | 16 +----
 openldap-2.2.13-tls-fix-connection-test.patch | 12 ++++
 openldap-2.2.15-config.patch | 8 +--
 openldap.spec | 60 +++++++++++++------
 sources | 2 +-
 5 files changed, 61 insertions(+), 37 deletions(-)
 create mode 100644 openldap-2.2.13-tls-fix-connection-test.patch
diff --git a/.cvsignore b/.cvsignore
index 3463584..ed4999b 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,15 +1 @@
-MigrationTools-45.tar.gz
-autoconf-2.13.1.tar.gz
-automake-1.4a.tar.gz
-db-4.0.14.tar.gz
-db-4.2.52.tar.gz
-openldap-2.0.27.tgz
-openldap-2.1.30.tgz
-openldap-2.2.13.tgz
-openldap-2.2.17.tgz
-openldap-2.2.20.tgz
-db-4.3.27.tar.gz
-openldap-2.2.23.tgz
-openldap-2.2.24.tgz
-openldap-2.2.25.tgz
-openldap-2.2.26.tgz
+openldap-2.2.28.tgz
diff --git a/openldap-2.2.13-tls-fix-connection-test.patch b/openldap-2.2.13-tls-fix-connection-test.patch
new file mode 100644
index 0000000..0f694ae
--- /dev/null
+++ b/openldap-2.2.13-tls-fix-connection-test.patch
@@ -0,0 +1,12 @@
+--- openldap-2.2.13/libraries/libldap/#tls.c~ 2005-07-06 13:14:00.000000000 -0400
++++ openldap-2.2.13/libraries/libldap/tls.c 2005-07-06 13:14:00.000000000 -0400
+@@ -1736,7 +1736,8 @@
+ 
+ /* XXYYZ: this initiates operation only on default connection! */
+ 
+- if ( ld->ld_sb != NULL && ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) {
++ if ( ( ld->ld_defconn != NULL ) ? ( ld->ld_defconn->lconn_sb != NULL && ldap_pvt_tls_inplace( ld->ld_defconn->lconn_sb ) != 0 )
++ : ( ld->ld_sb != NULL && ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) ) {
+ return LDAP_LOCAL_ERROR;
+ }
+ 
diff --git a/openldap-2.2.15-config.patch b/openldap-2.2.15-config.patch
index 5a3f2c5..7b7535f 100644
--- a/openldap-2.2.15-config.patch
+++ b/openldap-2.2.15-config.patch
@@ -35,12 +35,12 @@ indexed attributes for the default database.
 +# The next three lines allow use of TLS for encrypting connections using a
 +# dummy test certificate which you can generate by changing to
-+# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
++# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
 +# slapd.pem so that the ldap user or group can read it. Your client software
 +# may balk at self-signed certificates, however.
-+# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
-+# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
-+# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
++# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
++# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
++# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
 +
  # Sample security restrictions
  # Require integrity protection (prevent hijacking)
diff --git a/openldap.spec b/openldap.spec
index 7f9930e..f3fafdc 100644
--- a/openldap.spec
+++ b/openldap.spec
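Review bot: The rewritten `if` on the two `++` lines packs a ternary around two null-and-`ldap_pvt_tls_inplace` tests, which is hard to read and repeats the call; select the sockbuf first and test it once: `Sockbuf *sb = ( ld->ld_defconn != NULL ) ? ld->ld_defconn->lconn_sb : ld->ld_sb;` followed by `if ( sb != NULL && ldap_pvt_tls_inplace( sb ) != 0 ) {` (assuming both fields are `Sockbuf *`, as the existing call on `ld->ld_sb` suggests). The `XXYYZ` comment above only says the operation is limited to the default connection; a line such as `/* CAN-2005-2069: test the default connection's own sockbuf, i.e. the connection this operation runs on, rather than ld->ld_sb */` would record why the object under test changed, which nothing in the patch file itself explains. The `---` header names an editor backup file (`#tls.c~`); GNU patch will normally fall back to the `+++` name, but a `tls.c.orig`-style name avoids surprises with stricter tools. The enclosing function starts and ends outside the hunk.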
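Review bot: `TLSCertificateKeyFile` still points at the same `slapd.pem` as `TLSCertificateFile`, so the private key stays in `/etc/pki/tls/certs`, a directory for public certificates, with only a hint to the admin to "fix permissions"; the bug this closes (bz#143393) was about where key material ends up, and the hunk changes the path but not that. If the combined file is kept, the comment should at least say what it holds and what mode it needs, e.g. `# slapd.pem holds the private key as well as the certificate: keep it 0640 root:ldap, never world-readable.` Keeping the key under `/etc/pki/tls/private/` would be the cleaner fix, but it means the `make slapd.pem` recipe the comment points at no longer matches, so it is a larger change than this hunk.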
@@ -3,7 +3,7 @@
 %define ldbm_backend berkeley
 %define version_20 2.0.27
 %define version_21 2.1.30
-%define version_22 2.2.26
+%define version_22 2.2.28
 %define nss_ldap_prefix %{_libdir}/nss_ldap-openldap
 %define nss_ldap_includedir %{nss_ldap_prefix}/include
 %define nss_ldap_libdir %{nss_ldap_prefix}/%{_lib}
@@ -18,7 +18,7 @@
 Summary: The configuration files, libraries, and documentation for OpenLDAP.
 Name: openldap
 Version: %{version_22}
-Release: 1
+Release: 1.1
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_22}.tgz
@@ -45,7 +45,6 @@ Patch7: openldap-2.2.15-toollinks.patch
 Patch8: openldap-2.2.13-nosql.patch
 Patch9: openldap-2.1.30-ldapi.patch
 Patch10: openldap-2.1.30-libdir.patch
-Patch11: openldap-2.2.23-hop.patch
 Patch12: db-4.0.14-disable-mutex.patch
 Patch13: db-4.0.14-libobjs.patch
 Patch21: MigrationTools-38-instdir.patch
@@ -56,9 +55,13 @@ Patch25: MigrationTools-44-schema.patch
 Patch26: MigrationTools-45-noaliases.patch
 Patch40: openldap-ntlm.diff
 Patch41: openldap-2.2.23-start_tls-async.patch
+Patch42: openldap-2.2.13-tls-fix-connection-test.patch
+Patch44: openldap-2.1.30-hop.patch
+Patch45: openldap-2.0.27-hop.patch
 Patch50: openldap-2.0.27-resolv.patch
 Patch51: openldap-2.1.30-resolv.patch
 Patch52: openldap-2.2.23-resolv.patch
+
 URL: http://www.openldap.org/
 BuildRoot: %{_tmppath}/%{name}-%{version_22}-root
 BuildPreReq: cyrus-sasl-devel >= 2.1, gdbm-devel, libtool >= 1.5.6-2, krb5-devel
@@ -161,6 +164,7 @@ pushd openldap-%{version_22}
 %patch7 -p1 -b .toollinks
 %patch8 -p1 -b .nosql
 %patch52 -p1 -b .resolv
+%patch42 -p1 -b .CAN-2005-2069
 cp %{_datadir}/libtool/config.{sub,guess} build/
 popd
@@ -210,6 +214,7 @@ popd
 pushd openldap-%{version_20}
 %patch9 -p1 -b .ldapi
 %patch50 -p1 -b .resolv
+%patch45 -p1 -b .hop
 for subdir in build-gdbm build-db build-clients build-compat ; do
 mkdir $subdir
 ln -s ../configure $subdir
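Review bot: `Release: 1.1` does not match the `%changelog` entry this same commit adds for `2.2.28-2`, so the EVR recorded in the package and the line people use to identify the build disagree. Set `Release: 2`, or write the changelog entry as `2.2.28-1.1`; the `.1` suffix looks like a branch build, but nothing visible here says so, and a short comment next to `Release:` would settle it either way.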
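Review bot: `Patch44: openldap-2.1.30-hop.patch` and `Patch45: openldap-2.0.27-hop.patch` are referenced here, but the commit's diffstat creates only `openldap-2.2.13-tls-fix-connection-test.patch`, so unless those two files were committed separately the spec no longer builds from this tree; confirm they exist in the repository. `Patch43` is skipped, presumably left for the dropped 2.2 hop patch; if that is the reason, a one-line `# Patch43 intentionally unused: the 2.2.x hop fix is upstream as of 2.2.28` saves the next reader the guess.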
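Review bot: Only the 2.2.28 tree receives `%patch42` (the CAN-2005-2069 fix), while the 2.0.27 and 2.1.30 trees are still unpacked, patched with their hop fixes in the next hunks and, judging by the `build-compat`/`build-clients` directories, still built, so any compat `libldap` from those trees ships without the equivalent change. Check whether the same start-TLS check exists in their `libraries/libldap/tls.c`; if it does, add matching patches beside `%patch44`/`%patch45`, and if it does not, say so in the changelog so the omission is clearly deliberate rather than overlooked.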
@@ -221,6 +226,7 @@ pushd openldap-%{version_21}
 %patch9 -p1 -b .ldapi
 %patch10 -p1 -b .libdir
 %patch51 -p1 -b .resolv
+%patch44 -p1 -b .hop
 for subdir in build-servers build-compat ; do
 mkdir $subdir
 ln -s ../configure $subdir
@@ -508,6 +514,10 @@ popd
 # /etc/openldap/cacerts doesn't cause TLS startup of any kind to fail
 # when the directory doesn't exist.
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/openldap/cacerts
+# make sure the certs directory exists
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
+# Touch the dummy slapd.pem to make rpmbuild happy
+touch $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/slapd.pem
 # Install the padl.com migration tools.
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/openldap/migration
@@ -533,8 +543,8 @@ rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/*.default
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/schema/*.default
 # Install an init script for the servers.
-mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
-install -m 755 $RPM_SOURCE_DIR/ldap.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ldap
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d
+install -m 755 $RPM_SOURCE_DIR/ldap.init $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/ldap
 # If ldapadd and ldapmodify are the same binary, make them a hard link
 if cmp $RPM_BUILD_ROOT%{_bindir}/ldapadd $RPM_BUILD_ROOT%{_bindir}/ldapmodify ; then
@@ -587,8 +597,8 @@ fi
 /sbin/ldconfig
 /sbin/chkconfig --add ldap
 exec > /dev/null 2> /dev/null
-if [ ! -f %{_datadir}/ssl/certs/slapd.pem ] ; then
-pushd %{_datadir}/ssl/certs
+if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then
+pushd %{_sysconfdir}/pki/tls/certs
 umask 077
 cat << EOF | make slapd.pem
 --
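Review bot: The result of `pushd %{_sysconfdir}/pki/tls/certs` is never checked, and two lines earlier `exec > /dev/null 2> /dev/null` has already silenced everything, so if the directory is missing at install time `make slapd.pem` runs quietly in whatever directory `%post` started in. Fold the directory change into the test so the block is skipped cleanly and any later `popd` stays balanced: `if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] && pushd %{_sysconfdir}/pki/tls/certs ; then`. As far as the visible `%files` lists go this package does not own the directory or the `Makefile` it relies on, so a `Requires(post):` on the package providing `%{_sysconfdir}/pki/tls/certs/Makefile` (openssl in this layout) is presumably needed; the `Requires` lines are outside this diff, so confirm. With `umask 077` the generated key is 0600 root:root, which the `ldap` user that slapd.conf's `%attr(0640,root,ldap)` suggests runs the server cannot read; a `chown root:ldap` and `chmod 0640` on the result right after `make` would make the generated file usable without the manual step the config comment asks for. The heredoc and the rest of `%post` continue outside the hunk.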
@@ -624,9 +634,9 @@ fi
 %doc openldap-%{version_22}/COPYRIGHT
 %doc openldap-%{version_22}/LICENSE
 %doc openldap-%{version_22}/README
-%attr(0755,root,root) %dir /etc/openldap
-%attr(0755,root,root) %dir /etc/openldap/cacerts
-%attr(0644,root,root) %config(noreplace) /etc/openldap/ldap*.conf
+%attr(0755,root,root) %dir %{_sysconfdir}/openldap
+%attr(0755,root,root) %dir %{_sysconfdir}/openldap/cacerts
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/ldap*.conf
 %attr(0755,root,root) %{_libdir}/liblber-*.so.*
 %attr(0755,root,root) %{_libdir}/libldap-*.so.*
 %attr(0755,root,root) %{_libdir}/libldap_r-*.so.*
@@ -652,13 +662,14 @@ fi
 %doc README.migration
 %doc TOOLS.migration
 %doc $RPM_SOURCE_DIR/README.upgrading $RPM_SOURCE_DIR/guide.html
-%attr(0755,root,root) %config /etc/rc.d/init.d/ldap
-%attr(0640,root,ldap) %config(noreplace) /etc/openldap/slapd.conf
-%attr(0755,root,root) %dir /etc/openldap/schema
-%attr(0644,root,root) %dir /etc/openldap/schema/README*
-%attr(0644,root,root) %config(noreplace) /etc/openldap/schema/*.schema*
-%attr(0755,root,root) %dir /etc/openldap/schema/redhat
-%attr(0644,root,root) %config(noreplace) /etc/openldap/schema/redhat/*.schema*
+%ghost %config %{_sysconfdir}/pki/tls/certs/slapd.pem
+%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/ldap
+%attr(0640,root,ldap) %config(noreplace) %{_sysconfdir}/openldap/slapd.conf
+%attr(0755,root,root) %dir %{_sysconfdir}/openldap/schema
+%attr(0644,root,root) %dir %{_sysconfdir}/openldap/schema/README*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/schema/*.schema*
+%attr(0755,root,root) %dir %{_sysconfdir}/openldap/schema/redhat
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/schema/redhat/*.schema*
 %attr(0755,root,root) %{_sbindir}/sl*
 %attr(0644,root,root) %{_mandir}/man8/*
 %attr(0644,root,root) %{_mandir}/man5/slapd*.5*
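Review bot: The new `%ghost %config %{_sysconfdir}/pki/tls/certs/slapd.pem` entry carries no `%attr`, so the owner and mode rpm records for the key file are whatever the buildroot `touch` happened to produce (build umask, typically 0644 root:root), while `%post` generates the real file under `umask 077`; the package metadata and the on-disk private key then disagree, and anything that reapplies recorded modes (`rpm --setperms`, for instance) could make the key world-readable. Declare it explicitly and consistently with the neighbouring slapd.conf entry: `%attr(0640,root,ldap) %ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem`, and have `%post` apply the same owner and mode after generation. `%config` on a ghost file rpm never installs does little on its own; `noreplace` at least documents that a locally generated key is expected to survive upgrades.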
@@ -716,6 +727,21 @@ fi
 %endif
 %changelog
+* Thu Sep 29 2005 Jay Fenlason 2.2.28-2
+- Upgrade to nev upstream version. This makes the 2.2.*-hop patch obsolete.
+
+* Mon Aug 22 2005 Jay Fenlason 2.2.26-2
+- Move the slapd.pem file to /etc/pki/tls/certs
+ and edit the -config patch to match to close
+ bz#143393 Creates certificates + keys at an insecure/bad place
+- also use _sysconfdir instead of hard-coding /etc
+
+* Thu Aug 11 2005 Jay Fenlason
+- Add the tls-fix-connection-test patch to close
+ bz#161991 openldap password disclosure issue
+- add the hop patches to prevent infinite looping when chasing referrals.
+ OpenLDAP ITS #3578
+
 * Fri Aug 5 2005 Nalin Dahyabhai
 - fix typo in ldap.init (call $klist instead of klist, from Charles Lopes)
diff --git a/sources b/sources
index 6e86311..4cdd20f 100644
--- a/sources
+++ b/sources
@@ -4,4 +4,4 @@
 a1e6508c471dd47205a3492cf57110a6 openldap-2.0.27.tgz
 e2ae8148c4bed07d7a70edd930bdc403 openldap-2.1.30.tgz
 fcc481d52c3b80e20a328f8c0cb042bd db-4.3.27.tar.gz
-afc8700b5738da863b30208e1d3e9de8 openldap-2.2.26.tgz
+b51db7328430b9cbe527696da726f1fb openldap-2.2.28.tgz