- fixed tls connection accepting when TLSVerifyClient = allow

- /etc/openldap/ldap.conf removed from files owned by openldap-servers
- minor changes in spec file to suppress warnings
- some changes in init script, so it would be possible to use it when
  using old configuration style
Jan Zeleny 2009-11-16 13:06:35 +00:00
parent e5c21d4af6
commit 4333efc198
3 changed files with 77 additions and 12 deletions


@ -43,6 +43,7 @@ slapd=/usr/sbin/slapd
slaptest=/usr/sbin/slaptest
lockfile=/var/lock/subsys/slapd
configdir=/etc/openldap/slapd.d/
configfile=/etc/openldap/slapd.conf
pidfile=/var/run/slapd.pid
slapd_pidfile=/var/run/openldap/slapd.pid
@ -104,7 +105,6 @@ function checkkeytab() {
function configtest() {
local user= ldapuid= dbdir= file=
[ -d $configdir ] || exit 6
# Check for simple-but-common errors.
user=ldap
prog=`basename ${slapd}`
@ -112,11 +112,20 @@ function configtest() {
# Unaccessible database files.
slaptestflags=""
dbdirs=""
if [ -d $configdir ]; then
for configfile in `ls -1 $configdir/cn\=config/olcDatabase*`; do
dbdirs=$dbdirs"
"`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'`
done
elif [ -f $configfile ]; then
dbdirs=`LANG=C egrep '^directory[[:space:]]+' $configfile | sed 's,^directory[[:space:]]*,,'`
else
exit 6
fi
for dbdir in $dbdirs; do
if [ ! -d $dbdir ]; then
exit 6
fi
for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do
echo -n $"$file is not owned by \"$user\"" ; warning ; echo
done
@ -134,7 +143,11 @@ function configtest() {
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
fi
# Unaccessible TLS configuration files.
if [ -d $configdir ]; then
tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'`
elif [ -f $configfile ]; then
tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]+' $configfile | awk '{print $2}'`
fi
for file in $tlsconfigs ; do
if ! testasuser $user -r $file ; then
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
@ -218,24 +231,39 @@ case "$1" in
configtest
;;
start)
msg=`status -p $pidfile ${slapd} > /dev/null 2>&1`
RETVAL=$?
if [ "$RETVAL" != "0" ]; then
echo $msg
RETVAL=1
else
start
RETVAL=$?
fi
;;
stop)
msg=`status -p $pidfile ${slapd} > /dev/null 2>&1`
RETVAL=$?
if [ "$RETVAL" = "0" ]; then
echo $msg
RETVAL=7
else
stop
RETVAL=$?
fi
;;
status)
status -p $pidfile ${slapd}
RETVAL=$?
;;
restart|force-reload)
status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 7
stop
start
RETVAL=$?
;;
condrestart|try-restart)
status -p $pidfile ${slapd} || exit 0
status -p $pidfile ${slapd} > /dev/null 2>&1 || exit 0
stop
start
;;
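Review bot: The status test in the new `start)` arm looks inverted: `status` from the init functions exits 0 when slapd is running, so `if [ "$RETVAL" != "0" ]; then` takes the error path exactly when the daemon is not running and calls `start` only when it already is, and the `stop)` arm mirrors the problem (`= "0"` sends the running case to `RETVAL=7`, the LSB "program is not running" code). Unless `status` has non-standard return semantics here, the conditions should read `if [ "$RETVAL" = "0" ]; then` in `start)` and `if [ "$RETVAL" != "0" ]; then` in `stop)`. Separately, `msg=$(status -p $pidfile ${slapd} > /dev/null 2>&1)` discards both streams inside the substitution, so `$msg` is always empty and `echo $msg` prints a blank line; if the message is meant to be shown, drop the stdout redirect (`msg=$(status -p $pidfile ${slapd} 2>&1)`) and quote it on output with `printf '%s\n' "$msg"`. The silent probe on the `restart|force-reload` and `condrestart|try-restart` arms is fine as written since those only use the exit code. The enclosing `case` statement continues outside the hunk.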


@ -0,0 +1,29 @@
--- openldap-2.4.19/servers/slapd/connection.c.orig 2009-11-16 12:54:33.000000000 +0100
+++ openldap-2.4.19/servers/slapd/connection.c 2009-11-16 13:23:25.000000000 +0100
@@ -1376,6 +1376,11 @@ connection_read( ber_socket_t s, conn_re
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
slap_sasl_external( c, c->c_tls_ssf, &authid );
if ( authid.bv_val ) free( authid.bv_val );
+ } else if ( rc == 1 ) { /* need to retry */
+ slapd_set_read( s, 0 );
+ slapd_set_write( s, 1 );
+ connection_return( c );
+ return 0;
}
/* if success and data is ready, fall thru to data input loop */
@@ -1875,6 +1880,14 @@ int connection_write(ber_socket_t s)
return -1;
}
+#ifdef HAVE_TLS
+ if ( c->c_is_tls && c->c_needs_tls_accept ) {
+ connection_return( c );
+ connection_read_activate( s );
+ return 0;
+ }
+#endif
+
c->c_n_write++;
Debug( LDAP_DEBUG_TRACE,
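Review bot: The new `else if ( rc == 1 )` branch in connection_read treats every handshake retry as a need to write: it clears read interest with `slapd_set_read( s, 0 )` and waits for writability, but an in-progress TLS accept can equally be waiting for more bytes from the peer, in which case the connection is left with neither side polling for input and stalls until it is reaped. If the retry can mean either direction, only switch to write interest when the sockbuf layer reports it is needed (liblber exposes this as `LBER_SB_OPT_NEEDS_WRITE` through `ber_sockbuf_ctrl`), e.g. `} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb, LBER_SB_OPT_NEEDS_WRITE, NULL )) {`, and otherwise keep read interest set. In connection_write the added early return hands the socket back to the read path without clearing write interest; if that clearing lives later in the function, outside the hunk, the daemon will keep reporting the socket writable and re-enter this block until the handshake finishes, so a `slapd_set_write( s, 0 );` before `connection_read_activate( s );` is worth considering. The patch file also has no header describing the defect it fixes; a short note naming the TLSVerifyClient=allow scenario from the commit message would help the next rebase. Both enclosing functions start and end outside the hunks.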


@ -11,7 +11,7 @@
Summary: LDAP support libraries
Name: openldap
Version: %{version}
Release: 1%{?dist}
Release: 2%{?dist}
License: OpenLDAP
Group: System Environment/Daemons
Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@ -35,6 +35,7 @@ Patch6: openldap-2.3.19-gethostbyXXXX_r.patch
Patch9: openldap-2.3.37-smbk5pwd.patch
Patch10: openldap-2.4.6-multilib.patch
Patch11: openldap-2.4.16-doc-cacertdir.patch
Patch12: openldap-2.4.19-tls-accept.patch
# Patches for the evolution library
Patch200: openldap-2.4.6-evolution-ntlm.patch
@ -130,6 +131,7 @@ pushd openldap-%{version}
%patch9 -p1 -b .smbk5pwd
%patch10 -p1 -b .multilib
%patch11 -p1 -b .cacertdir
%patch12 -p1 -b .tls-accept
cp %{_datadir}/libtool/config/config.{sub,guess} build/
popd
@ -490,7 +492,7 @@ if [ -f /var/lib/ldap/need_db_upgrade ]; then
fi
if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then
pushd %{_sysconfdir}/pki/tls/certs
pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1
umask 077
cat << EOF | make slapd.pem > /dev/null 2>&1
--
@ -586,7 +588,6 @@ fi
%doc README.schema
%ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem
%attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/openldap/ldap*.conf
%attr(0640,root,ldap) %config(noreplace,missingok) %{_sysconfdir}/openldap/slapd.conf
%attr(0640,root,ldap) %ghost %{_sysconfdir}/openldap/slapd.conf.bak
%attr(0640,ldap,ldap) %ghost %{_sysconfdir}/openldap/slapd.d
@ -632,6 +633,13 @@ fi
%attr(0644,root,root) %{evolution_connector_libdir}/*.a
%changelog
* Mon Nov 16 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-2
- fixed tls connection accepting when TLSVerifyClient = allow
- /etc/openldap/ldap.conf removed from files owned by openldap-servers
- minor changes in spec file to supress warnings
- some changes in init script, so it would be possible to use it when
using old configuration style
* Fri Nov 06 2009 Jan Zeleny <jzeleny@redhat.com> - 2.4.19-1
- rebased openldap to 2.4.19
- rebased bdb to 4.8.24
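Review bot: Redirecting `pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1` in the %post certificate block silences the directory-stack echo, but it also hides a failed `pushd`, after which `umask 077` and the already-silenced `cat << EOF | make slapd.pem` run in whatever the scriptlet's current directory is and no certificate is produced without any trace. Since the block is guarded only by the `slapd.pem` existence test, make the directory change a condition instead, e.g. `if pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1; then` with the matching `fi` after the `popd`, or `pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1 || exit 0` if the scriptlet is meant to stay best-effort. The rest of the %post block, including the `make` invocation and the `popd`, lies outside the hunk.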