- fixed tls connection accepting when TLSVerifyClient = allow
- /etc/openldap/ldap.conf removed from files owned by openldap-servers - minor changes in spec file to supress warnings - some changes in init script, so it would be possible to use it when using old configuration style
This commit is contained in:
Jan Zeleny
parent
e5c21d4af6
commit
4333efc198
46
ldap.init
46
ldap.init
@ -43,6 +43,7 @@ slapd=/usr/sbin/slapd
|
||||
slaptest=/usr/sbin/slaptest
|
||||
lockfile=/var/lock/subsys/slapd
|
||||
configdir=/etc/openldap/slapd.d/
|
||||
configfile=/etc/openldap/slapd.conf
|
||||
pidfile=/var/run/slapd.pid
|
||||
slapd_pidfile=/var/run/openldap/slapd.pid
|
||||
|
||||
@ -104,7 +105,6 @@ function checkkeytab() {
|
||||
|
||||
function configtest() {
|
||||
local user= ldapuid= dbdir= file=
|
||||
[ -d $configdir ] || exit 6
|
||||
# Check for simple-but-common errors.
|
||||
user=ldap
|
||||
prog=`basename ${slapd}`
|
||||
@ -112,11 +112,20 @@ function configtest() {
|
||||
# Unaccessible database files.
|
||||
slaptestflags=""
|
||||
dbdirs=""
|
||||
for configfile in `ls -1 $configdir/cn\=config/olcDatabase*`; do
|
||||
dbdirs=$dbdirs"
|
||||
"`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'`
|
||||
done
|
||||
if [ -d $configdir ]; then
|
||||
for configfile in `ls -1 $configdir/cn\=config/olcDatabase*`; do
|
||||
dbdirs=$dbdirs"
|
||||
"`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'`
|
||||
done
|
||||
elif [ -f $configfile ]; then
|
||||
dbdirs=`LANG=C egrep '^directory[[:space:]]+' $configfile | sed 's,^directory[[:space:]]*,,'`
|
||||
else
|
||||
exit 6
|
||||
fi
|
||||
for dbdir in $dbdirs; do
|
||||
if [ ! -d $dbdir ]; then
|
||||
exit 6
|
||||
fi
|
||||
for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do
|
||||
echo -n $"$file is not owned by \"$user\"" ; warning ; echo
|
||||
done
|
||||
@ -134,7 +143,11 @@ function configtest() {
|
||||
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
|
||||
fi
|
||||
# Unaccessible TLS configuration files.
|
||||
tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'`
|
||||
if [ -d $configdir ]; then
|
||||
tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'`
|
||||
elif [ -f $configfile ]; then
|
||||
tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]+' $configfile | awk '{print $2}'`
|
||||
fi
|
||||
for file in $tlsconfigs ; do
|
||||
if ! testasuser $user -r $file ; then
|
||||
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
|
||||
@ -218,24 +231,39 @@ case "$1" in
|
||||
configtest
|
||||
;;
|
||||
start)
|
||||
start
|
||||
msg=`status -p $pidfile ${slapd} > /dev/null 2>&1`
|
||||
RETVAL=$?
|
||||
if [ "$RETVAL" != "0" ]; then
|
||||
echo $msg
|
||||
RETVAL=1
|
||||
else
|
||||
start
|
||||
RETVAL=$?
|
||||
fi
|
||||
;;
|
||||
stop)
|
||||
stop
|
||||
msg=`status -p $pidfile ${slapd} > /dev/null 2>&1`
|
||||
RETVAL=$?
|
||||
if [ "$RETVAL" = "0" ]; then
|
||||
echo $msg
|
||||
RETVAL=7
|
||||
else
|
||||
stop
|
||||
RETVAL=$?
|
||||
fi
|
||||
;;
|
||||
status)
|
||||
status -p $pidfile ${slapd}
|
||||
RETVAL=$?
|
||||
;;
|
||||
restart|force-reload)
|
||||
status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 7
|
||||
stop
|
||||
start
|
||||
RETVAL=$?
|
||||
;;
|
||||
condrestart|try-restart)
|
||||
status -p $pidfile ${slapd} || exit 0
|
||||
status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 0
|
||||
stop
|
||||
start
|
||||
;;
|
||||
|
||||
29
openldap-2.4.19-tls-accept.patch
Normal file
29
openldap-2.4.19-tls-accept.patch
Normal file
@ -0,0 +1,29 @@
|
||||
--- openldap-2.4.19/servers/slapd/connection.c.orig 2009-11-16 12:54:33.000000000 +0100
|
||||
+++ openldap-2.4.19/servers/slapd/connection.c 2009-11-16 13:23:25.000000000 +0100
|
||||
@@ -1376,6 +1376,11 @@ connection_read( ber_socket_t s, conn_re
|
||||
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
|
||||
slap_sasl_external( c, c->c_tls_ssf, &authid );
|
||||
if ( authid.bv_val ) free( authid.bv_val );
|
||||
+ } else if ( rc == 1 ) { /* need to retry */
|
||||
+ slapd_set_read( s, 0 );
|
||||
+ slapd_set_write( s, 1 );
|
||||
+ connection_return( c );
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
/* if success and data is ready, fall thru to data input loop */
|
||||
@@ -1875,6 +1880,14 @@ int connection_write(ber_socket_t s)
|
||||
return -1;
|
||||
}
|
||||
|
||||
+#ifdef HAVE_TLS
|
||||
+ if ( c->c_is_tls && c->c_needs_tls_accept ) {
|
||||
+ connection_return( c );
|
||||
+ connection_read_activate( s );
|
||||
+ return 0;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
c->c_n_write++;
|
||||
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
@ -11,7 +11,7 @@
|
||||
Summary: LDAP support libraries
|
||||
Name: openldap
|
||||
Version: %{version}
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: OpenLDAP
|
||||
Group: System Environment/Daemons
|
||||
Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
|
||||
@ -35,6 +35,7 @@ Patch6: openldap-2.3.19-gethostbyXXXX_r.patch
|
||||
Patch9: openldap-2.3.37-smbk5pwd.patch
|
||||
Patch10: openldap-2.4.6-multilib.patch
|
||||
Patch11: openldap-2.4.16-doc-cacertdir.patch
|
||||
Patch12: openldap-2.4.19-tls-accept.patch
|
||||
|
||||
# Patches for the evolution library
|
||||
Patch200: openldap-2.4.6-evolution-ntlm.patch
|
||||
@ -130,6 +131,7 @@ pushd openldap-%{version}
|
||||
%patch9 -p1 -b .smbk5pwd
|
||||
%patch10 -p1 -b .multilib
|
||||
%patch11 -p1 -b .cacertdir
|
||||
%patch12 -p1 -b .tls-accept
|
||||
|
||||
cp %{_datadir}/libtool/config/config.{sub,guess} build/
|
||||
popd
|
||||
@ -490,7 +492,7 @@ if [ -f /var/lib/ldap/need_db_upgrade ]; then
|
||||
fi
|
||||
|
||||
if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then
|
||||
pushd %{_sysconfdir}/pki/tls/certs
|
||||
pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1
|
||||
umask 077
|
||||
cat << EOF | make slapd.pem > /dev/null 2>&1
|
||||
--
|
||||
@ -586,7 +588,6 @@ fi
|
||||
%doc README.schema
|
||||
%ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem
|
||||
%attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd
|
||||
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/ldap*.conf
|
||||
%attr(0640,root,ldap) %config(noreplace,missingok) %{_sysconfdir}/openldap/slapd.conf
|
||||
%attr(0640,root,ldap) %ghost %{_sysconfdir}/openldap/slapd.conf.bak
|
||||
%attr(0640,ldap,ldap) %ghost %{_sysconfdir}/openldap/slapd.d
|
||||
@ -632,6 +633,13 @@ fi
|
||||
%attr(0644,root,root) %{evolution_connector_libdir}/*.a
|
||||
|
||||
%changelog
|
||||
* Mon Nov 16 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-2
|
||||
- fixed tls connection accepting when TLSVerifyClient = allow
|
||||
- /etc/openldap/ldap.conf removed from files owned by openldap-servers
|
||||
- minor changes in spec file to supress warnings
|
||||
- some changes in init script, so it would be possible to use it when
|
||||
using old configuration style
|
||||
|
||||
* Fri Nov 06 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-1
|
||||
- rebased openldap to 2.4.19
|
||||
- rebased bdb to 4.8.24
|
||||
|
||||
Loading…
Reference in New Issue
Block a user