* Thu Sep 29 2005 Jay Fenlason <fenlason@redhat.com> 2.2.28-2

- Upgrade to nev upstream version.  This makes the 2.2.*-hop patch obsolete.

* Mon Aug 22 2005 Jay Fenlason <fenlason@redhat.com> 2.2.26-2
- Move the slapd.pem file to /etc/pki/tls/certs
  and edit the -config patch to match to close
  bz#143393  Creates certificates + keys at an insecure/bad place
- also use _sysconfdir instead of hard-coding /etc

* Thu Aug 11 2005 Jay Fenlason <fenlason@redhat.com>
- Add the tls-fix-connection-test patch to close
  bz#161991 openldap password disclosure issue
- add the hop patches to prevent infinite looping when chasing referrals.
  OpenLDAP ITS #3578

.cvsignore

@@ -1,15 +1 @@
-MigrationTools-45.tar.gz
+openldap-2.2.28.tgz
-autoconf-2.13.1.tar.gz
-automake-1.4a.tar.gz
-db-4.0.14.tar.gz
-db-4.2.52.tar.gz
-openldap-2.0.27.tgz
-openldap-2.1.30.tgz
-openldap-2.2.13.tgz
-openldap-2.2.17.tgz
-openldap-2.2.20.tgz
-db-4.3.27.tar.gz
-openldap-2.2.23.tgz
-openldap-2.2.24.tgz
-openldap-2.2.25.tgz
-openldap-2.2.26.tgz

openldap-2.2.13-tls-fix-connection-test.patch

@@ -0,0 +1,12 @@
+--- openldap-2.2.13/libraries/libldap/#tls.c~	2005-07-06 13:14:00.000000000 -0400
++++ openldap-2.2.13/libraries/libldap/tls.c	2005-07-06 13:14:00.000000000 -0400
+@@ -1736,7 +1736,8 @@
+ 
+ 	/* XXYYZ: this initiates operation only on default connection! */
+ 
+-	if ( ld->ld_sb != NULL && ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) {
++	if ( ( ld->ld_defconn != NULL ) ? ( ld->ld_defconn->lconn_sb != NULL && ldap_pvt_tls_inplace( ld->ld_defconn->lconn_sb ) != 0 )
++	    : ( ld->ld_sb != NULL && ldap_pvt_tls_inplace( ld->ld_sb ) != 0 ) ) {
+ 		return LDAP_LOCAL_ERROR;
+ 	}
+ 

openldap-2.2.15-config.patch

@@ -35,12 +35,12 @@ indexed attributes for the default database.
  
 +# The next three lines allow use of TLS for encrypting connections using a
 +# dummy test certificate which you can generate by changing to
-+# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
++# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
 +# slapd.pem so that the ldap user or group can read it.  Your client software
 +# may balk at self-signed certificates, however.
-+# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
++# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
-+# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
++# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
-+# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
++# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
 +
  # Sample security restrictions
  #	Require integrity protection (prevent hijacking)

openldap.spec

@@ -3,7 +3,7 @@
 %define ldbm_backend berkeley
 %define version_20 2.0.27
 %define version_21 2.1.30
-%define version_22 2.2.26
+%define version_22 2.2.28
 %define nss_ldap_prefix %{_libdir}/nss_ldap-openldap
 %define nss_ldap_includedir %{nss_ldap_prefix}/include
 %define nss_ldap_libdir %{nss_ldap_prefix}/%{_lib}
@@ -18,7 +18,7 @@
 Summary: The configuration files, libraries, and documentation for OpenLDAP.
 Name: openldap
 Version: %{version_22}
-Release: 1
+Release: 1.1
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_22}.tgz
@@ -45,7 +45,6 @@ Patch7: openldap-2.2.15-toollinks.patch
 Patch8: openldap-2.2.13-nosql.patch
 Patch9: openldap-2.1.30-ldapi.patch
 Patch10: openldap-2.1.30-libdir.patch
-Patch11: openldap-2.2.23-hop.patch
 Patch12: db-4.0.14-disable-mutex.patch
 Patch13: db-4.0.14-libobjs.patch
 Patch21: MigrationTools-38-instdir.patch
@@ -56,9 +55,13 @@ Patch25: MigrationTools-44-schema.patch
 Patch26: MigrationTools-45-noaliases.patch
 Patch40: openldap-ntlm.diff
 Patch41: openldap-2.2.23-start_tls-async.patch
+Patch42: openldap-2.2.13-tls-fix-connection-test.patch
+Patch44: openldap-2.1.30-hop.patch
+Patch45: openldap-2.0.27-hop.patch
 Patch50: openldap-2.0.27-resolv.patch
 Patch51: openldap-2.1.30-resolv.patch
 Patch52: openldap-2.2.23-resolv.patch
+
 URL: http://www.openldap.org/
 BuildRoot: %{_tmppath}/%{name}-%{version_22}-root
 BuildPreReq: cyrus-sasl-devel >= 2.1, gdbm-devel, libtool >= 1.5.6-2, krb5-devel
@@ -161,6 +164,7 @@ pushd openldap-%{version_22}
 %patch7 -p1 -b .toollinks
 %patch8 -p1 -b .nosql
 %patch52 -p1 -b .resolv
+%patch42 -p1 -b .CAN-2005-2069
 cp %{_datadir}/libtool/config.{sub,guess} build/
 popd
 
@@ -210,6 +214,7 @@ popd
 pushd openldap-%{version_20}
 %patch9 -p1 -b .ldapi
 %patch50 -p1 -b .resolv
+%patch45 -p1 -b .hop
 	for subdir in build-gdbm build-db build-clients build-compat ; do
 		mkdir $subdir
 		ln -s ../configure $subdir
@@ -221,6 +226,7 @@ pushd openldap-%{version_21}
 %patch9 -p1 -b .ldapi
 %patch10 -p1 -b .libdir
 %patch51 -p1 -b .resolv
+%patch44 -p1 -b .hop
 	for subdir in build-servers build-compat ; do
 		mkdir $subdir
 		ln -s ../configure $subdir
@@ -508,6 +514,10 @@ popd
 # /etc/openldap/cacerts doesn't cause TLS startup of any kind to fail
 # when the directory doesn't exist.
 mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/openldap/cacerts
+# make sure the certs directory exists
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
+# Touch the dummy slapd.pem to make rpmbuild happy
+touch $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/slapd.pem
 
 # Install the padl.com migration tools.
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/openldap/migration
@@ -533,8 +543,8 @@ rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/*.default
 rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/schema/*.default
 
 # Install an init script for the servers.
-mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d
-install -m 755 $RPM_SOURCE_DIR/ldap.init $RPM_BUILD_ROOT/etc/rc.d/init.d/ldap
+install -m 755 $RPM_SOURCE_DIR/ldap.init $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/ldap
 
 # If ldapadd and ldapmodify are the same binary, make them a hard link
 if cmp $RPM_BUILD_ROOT%{_bindir}/ldapadd $RPM_BUILD_ROOT%{_bindir}/ldapmodify ; then
@@ -587,8 +597,8 @@ fi
 /sbin/ldconfig
 /sbin/chkconfig --add ldap
 exec > /dev/null 2> /dev/null
-if [ ! -f %{_datadir}/ssl/certs/slapd.pem ] ; then
+if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then
-pushd %{_datadir}/ssl/certs
+pushd %{_sysconfdir}/pki/tls/certs
 umask 077
 cat << EOF | make slapd.pem
 --
@@ -624,9 +634,9 @@ fi
 %doc openldap-%{version_22}/COPYRIGHT
 %doc openldap-%{version_22}/LICENSE
 %doc openldap-%{version_22}/README
-%attr(0755,root,root) %dir /etc/openldap
+%attr(0755,root,root) %dir %{_sysconfdir}/openldap
-%attr(0755,root,root) %dir /etc/openldap/cacerts
+%attr(0755,root,root) %dir %{_sysconfdir}/openldap/cacerts
-%attr(0644,root,root) %config(noreplace) /etc/openldap/ldap*.conf
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/ldap*.conf
 %attr(0755,root,root) %{_libdir}/liblber-*.so.*
 %attr(0755,root,root) %{_libdir}/libldap-*.so.*
 %attr(0755,root,root) %{_libdir}/libldap_r-*.so.*
@@ -652,13 +662,14 @@ fi
 %doc README.migration
 %doc TOOLS.migration
 %doc $RPM_SOURCE_DIR/README.upgrading $RPM_SOURCE_DIR/guide.html
-%attr(0755,root,root) %config /etc/rc.d/init.d/ldap
+%ghost %config %{_sysconfdir}/pki/tls/certs/slapd.pem
-%attr(0640,root,ldap) %config(noreplace) /etc/openldap/slapd.conf
+%attr(0755,root,root) %config %{_sysconfdir}/rc.d/init.d/ldap
-%attr(0755,root,root) %dir /etc/openldap/schema
+%attr(0640,root,ldap) %config(noreplace) %{_sysconfdir}/openldap/slapd.conf
-%attr(0644,root,root) %dir /etc/openldap/schema/README*
+%attr(0755,root,root) %dir %{_sysconfdir}/openldap/schema
-%attr(0644,root,root) %config(noreplace) /etc/openldap/schema/*.schema*
+%attr(0644,root,root) %dir %{_sysconfdir}/openldap/schema/README*
-%attr(0755,root,root) %dir /etc/openldap/schema/redhat
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/schema/*.schema*
-%attr(0644,root,root) %config(noreplace) /etc/openldap/schema/redhat/*.schema*
+%attr(0755,root,root) %dir %{_sysconfdir}/openldap/schema/redhat
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/schema/redhat/*.schema*
 %attr(0755,root,root) %{_sbindir}/sl*
 %attr(0644,root,root) %{_mandir}/man8/*
 %attr(0644,root,root) %{_mandir}/man5/slapd*.5*
@@ -716,6 +727,21 @@ fi
 %endif
 
 %changelog
+* Thu Sep 29 2005 Jay Fenlason <fenlason@redhat.com> 2.2.28-2
+- Upgrade to nev upstream version.  This makes the 2.2.*-hop patch obsolete.
+
+* Mon Aug 22 2005 Jay Fenlason <fenlason@redhat.com> 2.2.26-2
+- Move the slapd.pem file to /etc/pki/tls/certs
+  and edit the -config patch to match to close
+  bz#143393  Creates certificates + keys at an insecure/bad place
+- also use _sysconfdir instead of hard-coding /etc
+
+* Thu Aug 11 2005 Jay Fenlason <fenlason@redhat.com> 
+- Add the tls-fix-connection-test patch to close
+  bz#161991 openldap password disclosure issue
+- add the hop patches to prevent infinite looping when chasing referrals.
+  OpenLDAP ITS #3578
+
 * Fri Aug  5 2005 Nalin Dahyabhai <nalin@redhat.com>
 - fix typo in ldap.init (call $klist instead of klist, from Charles Lopes)
 

sources

@@ -4,4 +4,4 @@
 a1e6508c471dd47205a3492cf57110a6  openldap-2.0.27.tgz
 e2ae8148c4bed07d7a70edd930bdc403  openldap-2.1.30.tgz
 fcc481d52c3b80e20a328f8c0cb042bd  db-4.3.27.tar.gz
-afc8700b5738da863b30208e1d3e9de8  openldap-2.2.26.tgz
+b51db7328430b9cbe527696da726f1fb  openldap-2.2.28.tgz