- fixed tls connection accepting when TLSVerifyClient = allow

- /etc/openldap/ldap.conf removed from files owned by openldap-servers
- minor changes in spec file to supress warnings
- some changes in init script, so it would be possible to use it when
  using old configuration style

ldap.init

@@ -43,6 +43,7 @@ slapd=/usr/sbin/slapd
 slaptest=/usr/sbin/slaptest
 lockfile=/var/lock/subsys/slapd
 configdir=/etc/openldap/slapd.d/
+configfile=/etc/openldap/slapd.conf
 pidfile=/var/run/slapd.pid
 slapd_pidfile=/var/run/openldap/slapd.pid
 
@@ -104,7 +105,6 @@ function checkkeytab() {
 
 function configtest() {
 	local user= ldapuid= dbdir= file=
-	[ -d $configdir ] || exit 6
 	# Check for simple-but-common errors.
 	user=ldap
 	prog=`basename ${slapd}`
@@ -112,11 +112,20 @@ function configtest() {
 	# Unaccessible database files.
 	slaptestflags=""
 	dbdirs=""
+    if [ -d $configdir ]; then
 	    for configfile in `ls -1 $configdir/cn\=config/olcDatabase*`; do
 		    dbdirs=$dbdirs"
 		    "`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'`
 	    done
+    elif [ -f $configfile ]; then
+		    dbdirs=`LANG=C egrep '^directory[[:space:]]+' $configfile | sed 's,^directory[[:space:]]*,,'`
+    else
+        exit 6
+    fi
 	for dbdir in $dbdirs; do
+		if [ ! -d $dbdir ]; then
+			exit 6
+		fi
 		for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do
 			echo -n $"$file is not owned by \"$user\"" ; warning ; echo
 		done
@@ -134,7 +143,11 @@ function configtest() {
 		echo -n $"$file is not readable by \"$user\"" ; warning ; echo
 	fi
 	# Unaccessible TLS configuration files.
+    if [ -d $configdir ]; then
 	    tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'`
+    elif [ -f $configfile ]; then
+	    tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]+' $configfile | awk '{print $2}'`
+    fi
 	for file in $tlsconfigs ; do
 		if ! testasuser $user -r $file ; then
 			echo -n $"$file is not readable by \"$user\"" ; warning ; echo
@@ -218,24 +231,39 @@ case "$1" in
 	configtest
 	;;
     start)
+	msg=`status -p $pidfile ${slapd} > /dev/null 2>&1`
+	RETVAL=$?
+	if [ "$RETVAL" != "0" ]; then
+		echo $msg
+		RETVAL=1
+	else
 		start
 		RETVAL=$?
+	fi
 	;;
     stop)
+	msg=`status -p $pidfile ${slapd} > /dev/null 2>&1`
+	RETVAL=$?
+	if [ "$RETVAL" = "0" ]; then
+		echo $msg
+		RETVAL=7
+	else
 		stop
 		RETVAL=$?
+	fi
 	;;
     status)
 	status -p $pidfile ${slapd}
 	RETVAL=$?
 	;;
     restart|force-reload)
+	status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 7
 	stop
 	start
 	RETVAL=$?
 	;;
     condrestart|try-restart)
-	status -p $pidfile ${slapd} || exit 0
+	status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 0
 	stop
 	start
 	;;

openldap-2.4.19-tls-accept.patch

@@ -0,0 +1,29 @@
+--- openldap-2.4.19/servers/slapd/connection.c.orig	2009-11-16 12:54:33.000000000 +0100
++++ openldap-2.4.19/servers/slapd/connection.c	2009-11-16 13:23:25.000000000 +0100
+@@ -1376,6 +1376,11 @@ connection_read( ber_socket_t s, conn_re
+ 			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
+ 			slap_sasl_external( c, c->c_tls_ssf, &authid );
+ 			if ( authid.bv_val ) free( authid.bv_val );
++		} else if ( rc == 1 ) { /* need to retry */
++			slapd_set_read( s, 0 );
++			slapd_set_write( s, 1 );
++			connection_return( c );
++			return 0;
+ 		}
+ 
+ 		/* if success and data is ready, fall thru to data input loop */
+@@ -1875,6 +1880,14 @@ int connection_write(ber_socket_t s)
+ 		return -1;
+ 	}
+ 
++#ifdef HAVE_TLS
++	if ( c->c_is_tls && c->c_needs_tls_accept ) {
++		connection_return( c );
++		connection_read_activate( s );
++		return 0;
++	}
++#endif
++
+ 	c->c_n_write++;
+ 
+ 	Debug( LDAP_DEBUG_TRACE,

openldap.spec

@@ -11,7 +11,7 @@
 Summary: LDAP support libraries
 Name: openldap
 Version: %{version}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@@ -35,6 +35,7 @@ Patch6: openldap-2.3.19-gethostbyXXXX_r.patch
 Patch9: openldap-2.3.37-smbk5pwd.patch
 Patch10: openldap-2.4.6-multilib.patch
 Patch11: openldap-2.4.16-doc-cacertdir.patch
+Patch12: openldap-2.4.19-tls-accept.patch
 
 # Patches for the evolution library
 Patch200: openldap-2.4.6-evolution-ntlm.patch
@@ -130,6 +131,7 @@ pushd openldap-%{version}
 %patch9 -p1 -b .smbk5pwd
 %patch10 -p1 -b .multilib
 %patch11 -p1 -b .cacertdir
+%patch12 -p1 -b .tls-accept
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 popd
@@ -490,7 +492,7 @@ if [ -f /var/lib/ldap/need_db_upgrade ]; then
 fi
 
 if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then
-pushd %{_sysconfdir}/pki/tls/certs
+pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1
 umask 077
 cat << EOF | make slapd.pem > /dev/null 2>&1
 --
@@ -586,7 +588,6 @@ fi
 %doc README.schema
 %ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem
 %attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/ldap*.conf
 %attr(0640,root,ldap) %config(noreplace,missingok) %{_sysconfdir}/openldap/slapd.conf
 %attr(0640,root,ldap) %ghost %{_sysconfdir}/openldap/slapd.conf.bak
 %attr(0640,ldap,ldap) %ghost %{_sysconfdir}/openldap/slapd.d
@@ -632,6 +633,13 @@ fi
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
+* Mon Nov 16 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-2
+- fixed tls connection accepting when TLSVerifyClient = allow
+- /etc/openldap/ldap.conf removed from files owned by openldap-servers
+- minor changes in spec file to supress warnings
+- some changes in init script, so it would be possible to use it when
+  using old configuration style
+
 * Fri Nov 06 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-1
 - rebased openldap to 2.4.19
 - rebased bdb to 4.8.24