import openldap-2.4.46-11.el8_1

This commit is contained in:
CentOS Sources 2020-02-04 05:18:42 -05:00 committed by Andrew Lukoshko
commit 4389e8f83e
23 changed files with 3820 additions and 0 deletions

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
SOURCES/openldap-2.4.46.tgz

2
.openldap.metadata Normal file
View File

@ -0,0 +1,2 @@
444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
a9ae2273eb9bdd70090dafe0d018a3132606bef6 SOURCES/openldap-2.4.46.tgz

View File

@ -0,0 +1,41 @@
--- a/Makefile 2009-10-31 18:59:06.000000000 +0100
+++ b/Makefile 2014-12-17 09:42:37.586079225 +0100
@@ -13,22 +13,11 @@
#
CONFIG=/etc/openldap/check_password.conf
-OPT=-g -O2 -Wall -fpic \
- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
- -DCONFIG_FILE="\"$(CONFIG)\"" \
+CFLAGS+=-fpic \
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
-DDEBUG
-# Where to find the OpenLDAP headers.
-#
-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
-
-# Where to find the CrackLib headers.
-#
-CRACK_INC=
-
-INCS=$(LDAP_INC) $(CRACK_INC)
-
LDAP_LIB=-lldap_r -llber
# Comment out this line if you do NOT want to use the cracklib.
@@ -45,10 +34,10 @@
all: check_password
check_password.o:
- $(CC) $(OPT) -c $(INCS) check_password.c
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
check_password: clean check_password.o
- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
install: check_password
cp -f check_password.so ../../../usr/lib/openldap/modules/

View File

@ -0,0 +1,321 @@
--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
@@ -10,7 +10,7 @@
#include <slap.h>
#ifdef HAVE_CRACKLIB
-#include "crack.h"
+#include <crack.h>
#endif
#if defined(DEBUG)
@@ -34,18 +34,77 @@
#define PASSWORD_TOO_SHORT_SZ \
"Password for dn=\"%s\" is too short (%d/6)"
#define PASSWORD_QUALITY_SZ \
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
#define BAD_PASSWORD_SZ \
"Bad password for dn=\"%s\" because %s"
+#define UNKNOWN_ERROR_SZ \
+ "An unknown error occurred, please see your systems administrator"
typedef int (*validator) (char*);
-static int read_config_file (char *);
+static int read_config_file ();
static validator valid_word (char *);
static int set_quality (char *);
static int set_cracklib (char *);
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+struct config_entry {
+ char* key;
+ char* value;
+ char* def_value;
+} config_entries[] = { { "minPoints", NULL, "3"},
+ { "useCracklib", NULL, "1"},
+ { "minUpper", NULL, "0"},
+ { "minLower", NULL, "0"},
+ { "minDigit", NULL, "0"},
+ { "minPunct", NULL, "0"},
+ { NULL, NULL, NULL }};
+
+int get_config_entry_int(char* entry) {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ char* key = centry[i].key;
+ while (key != NULL) {
+ if ( strncmp(key, entry, strlen(key)) == 0 ) {
+ if ( centry[i].value == NULL ) {
+ return atoi(centry[i].def_value);
+ }
+ else {
+ return atoi(centry[i].value);
+ }
+ }
+ i++;
+ key = centry[i].key;
+ }
+
+ return -1;
+}
+
+void dealloc_config_entries() {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ while (centry[i].key != NULL) {
+ if ( centry[i].value != NULL ) {
+ ber_memfree(centry[i].value);
+ }
+ i++;
+ }
+}
+
+char* chomp(char *s)
+{
+ char* t = ber_memalloc(strlen(s)+1);
+ strncpy (t,s,strlen(s)+1);
+
+ if ( t[strlen(t)-1] == '\n' ) {
+ t[strlen(t)-1] = '\0';
+ }
+
+ return t;
+}
+
static int set_quality (char *value)
{
#if defined(DEBUG)
@@ -84,12 +143,12 @@
char * parameter;
validator dealer;
} list[] = { { "minPoints", set_quality },
- { "useCracklib", set_cracklib },
- { "minUpper", set_digit },
- { "minLower", set_digit },
- { "minDigit", set_digit },
- { "minPunct", set_digit },
- { NULL, NULL } };
+ { "useCracklib", set_cracklib },
+ { "minUpper", set_digit },
+ { "minLower", set_digit },
+ { "minDigit", set_digit },
+ { "minPunct", set_digit },
+ { NULL, NULL } };
int index = 0;
#if defined(DEBUG)
@@ -98,7 +157,7 @@
while (list[index].parameter != NULL) {
if (strlen(word) == strlen(list[index].parameter) &&
- strcmp(list[index].parameter, word) == 0) {
+ strcmp(list[index].parameter, word) == 0) {
#if defined(DEBUG)
syslog(LOG_NOTICE, "check_password: Parameter accepted.");
#endif
@@ -114,13 +173,15 @@
return NULL;
}
-static int read_config_file (char *keyWord)
+static int read_config_file ()
{
FILE * config;
char * line;
int returnValue = -1;
- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
+ line = ber_memcalloc(260, sizeof(char));
+
+ if ( line == NULL ) {
return returnValue;
}
@@ -133,6 +194,8 @@
return returnValue;
}
+ returnValue = 0;
+
while (fgets(line, 256, config) != NULL) {
char *start = line;
char *word, *value;
@@ -145,23 +208,40 @@
while (isspace(*start) && isascii(*start)) start++;
- if (! isascii(*start))
+ /* If we've got punctuation, just skip the line. */
+ if ( ispunct(*start)) {
+#if defined(DEBUG)
+ /* Debug traces to syslog. */
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
+#endif
continue;
+ }
- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
- if ((value = strtok(NULL, " \t")) == NULL)
- continue;
+ if( isascii(*start)) {
+
+ struct config_entry* centry = config_entries;
+ int i = 0;
+ char* keyWord = centry[i].key;
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
+ while ( keyWord != NULL ) {
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
#endif
- returnValue = (*dealer)(value);
+ centry[i].value = chomp(value);
+ break;
+ }
+ i++;
+ keyWord = centry[i].key;
+ }
+ }
}
}
-
fclose(config);
ber_memfree(line);
+
return returnValue;
}
@@ -170,7 +250,7 @@
if (curlen < nextlen + MEMORY_MARGIN) {
#if defined(DEBUG)
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
- curlen, nextlen + MEMORY_MARGIN);
+ curlen, nextlen + MEMORY_MARGIN);
#endif
ber_memfree(*target);
curlen = nextlen + MEMORY_MARGIN;
@@ -180,7 +260,7 @@
return curlen;
}
- int
+int
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
{
@@ -210,20 +290,22 @@
nLen = strlen (pPasswd);
if ( nLen < 6) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_TOO_SHORT_SZ) +
- strlen(pEntry->e_name.bv_val) + 1);
+ strlen(PASSWORD_TOO_SHORT_SZ) +
+ strlen(pEntry->e_name.bv_val) + 1);
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
goto fail;
}
- /* Read config file */
- minQuality = read_config_file("minPoints");
+ if (read_config_file() == -1) {
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
+ }
- useCracklib = read_config_file("useCracklib");
- minUpper = read_config_file("minUpper");
- minLower = read_config_file("minLower");
- minDigit = read_config_file("minDigit");
- minPunct = read_config_file("minPunct");
+ minQuality = get_config_entry_int("minPoints");
+ useCracklib = get_config_entry_int("useCracklib");
+ minUpper = get_config_entry_int("minUpper");
+ minLower = get_config_entry_int("minLower");
+ minDigit = get_config_entry_int("minDigit");
+ minPunct = get_config_entry_int("minPunct");
/** The password must have at least minQuality strength points with one
* point for the first occurrance of a lower, upper, digit and
@@ -232,8 +314,6 @@
for ( i = 0; i < nLen; i++ ) {
- if ( nQuality >= minQuality ) break;
-
if ( islower (pPasswd[i]) ) {
minLower--;
if ( !nLower && (minLower < 1)) {
@@ -279,12 +359,23 @@
}
}
- if ( nQuality < minQuality ) {
+ /*
+ * If you have a required field, then it should be required in the strength
+ * checks.
+ */
+
+ if (
+ (minLower > 0 ) ||
+ (minUpper > 0 ) ||
+ (minDigit > 0 ) ||
+ (minPunct > 0 ) ||
+ (nQuality < minQuality)
+ ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_QUALITY_SZ) +
- strlen(pEntry->e_name.bv_val) + 2);
+ strlen(PASSWORD_QUALITY_SZ) +
+ strlen(pEntry->e_name.bv_val) + 2);
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
- nQuality, minQuality);
+ nQuality, minQuality);
goto fail;
}
@@ -306,7 +397,7 @@
for ( j = 0; j < 3; j++ ) {
snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
- CRACKLIB_DICTPATH, ext[j]);
+ CRACKLIB_DICTPATH, ext[j]);
if (( fp = fopen ( filename, "r")) == NULL ) {
@@ -326,9 +417,9 @@
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
if ( r != NULL ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(BAD_PASSWORD_SZ) +
- strlen(pEntry->e_name.bv_val) +
- strlen(r));
+ strlen(BAD_PASSWORD_SZ) +
+ strlen(pEntry->e_name.bv_val) +
+ strlen(r));
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
goto fail;
}
@@ -342,15 +433,15 @@
}
#endif
-
+ dealloc_config_entries();
*ppErrStr = strdup ("");
ber_memfree(szErrStr);
return (LDAP_SUCCESS);
fail:
+ dealloc_config_entries();
*ppErrStr = strdup (szErrStr);
ber_memfree(szErrStr);
return (EXIT_FAILURE);
}
-

28
SOURCES/ldap.conf Normal file
View File

@ -0,0 +1,28 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on

91
SOURCES/libexec-check-config.sh Executable file
View File

@ -0,0 +1,91 @@
#!/bin/sh
# Author: Jan Vcelak <jvcelak@redhat.com>
. /usr/libexec/openldap/functions
function check_config_syntax()
{
retcode=0
tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
if [ $? -ne 0 ]; then
error "Checking configuration file failed:"
cat $tmp_slaptest >&2
retcode=1
fi
rm $tmp_slaptest
return $retcode
}
function check_certs_perms()
{
retcode=0
for cert in `certificates`; do
run_as_ldap "/usr/bin/test -e \"$cert\""
if [ $? -ne 0 ]; then
error "TLS certificate/key/DB '%s' was not found." "$cert"
retcoder=1
continue
fi
run_as_ldap "/usr/bin/test -r \"$cert\""
if [ $? -ne 0 ]; then
error "TLS certificate/key/DB '%s' is not readable." "$cert"
retcode=1
fi
done
return $retcode
}
function check_db_perms()
{
retcode=0
for dbdir in `databases`; do
[ -d "$dbdir" ] || continue
for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
if [ $? -ne 0 ]; then
error "Read/write permissions for DB file '%s' are required." "$dbfile"
retcode=1
fi
done
done
return $retcode
}
function check_everything()
{
retcode=0
check_config_syntax || retcode=1
# TODO: need support for Mozilla NSS, disabling temporarily
#check_certs_perms || retcode=1
check_db_perms || retcode=1
return $retcode
}
if [ `id -u` -ne 0 ]; then
error "You have to be root to run this script."
exit 4
fi
load_sysconfig
if [ -n "$SLAPD_CONFIG_DIR" ]; then
if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
else
check_everything
exit $?
fi
fi
if [ -n "$SLAPD_CONFIG_FILE" ]; then
if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
else
error "Warning: Usage of a configuration file is obsolete!"
check_everything
exit $?
fi
fi
exit 1

134
SOURCES/libexec-functions Normal file
View File

@ -0,0 +1,134 @@
# Author: Jan Vcelak <jvcelak@redhat.com>
SLAPD_USER=
SLAPD_CONFIG_FILE=
SLAPD_CONFIG_DIR=
SLAPD_CONFIG_CUSTOM=
SLAPD_GLOBAL_OPTIONS=
SLAPD_SYSCONFIG_FILE=
function default_config()
{
SLAPD_USER=ldap
SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
SLAPD_CONFIG_CUSTOM=
SLAPD_GLOBAL_OPTIONS=
SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
}
function parse_config_options()
{
user=
config_file=
config_dir=
while getopts :u:f:F: opt; do
case "$opt" in
u)
user="$OPTARG"
;;
f)
config_file="$OPTARG"
;;
F)
config_dir="$OPTARG"
;;
esac
done
if [ -n "$user" ]; then
SLAPD_USER="$user"
fi
if [ -n "$config_dir" ]; then
SLAPD_CONFIG_DIR="$config_dir"
SLAPD_CONFIG_FILE=
SLAPD_CONFIG_CUSTOM=1
SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
elif [ -n "$config_file" ]; then
SLAPD_CONFIG_DIR=
SLAPD_CONFIG_FILE="$config_file"
SLAPD_CONFIG_CUSTOM=1
SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
fi
}
function uses_new_config()
{
[ -n "$SLAPD_CONFIG_DIR" ]
return $?
}
function run_as_ldap()
{
/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
return $?
}
function ldif_unbreak()
{
sed ':a;N;s/\n //;ta;P;D'
}
function ldif_value()
{
sed 's/^[^:]*: //'
}
function databases_new()
{
slapcat $SLAPD_GLOBAL_OPTIONS -c \
-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
ldif_unbreak | \
grep '^olcDbDirectory: ' | \
ldif_value
}
function databases_old()
{
awk 'begin { database="" }
$1 == "database" { database=$2 }
$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
"$SLAPD_CONFIG_FILE"
}
function certificates_new()
{
slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
ldif_unbreak | \
grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
ldif_value
}
function certificates_old()
{
awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
"$SLAPD_CONFIG_FILE"
}
function certificates()
{
uses_new_config && certificates_new || certificates_old
}
function databases()
{
uses_new_config && databases_new || databases_old
}
function error()
{
format="$1\n"; shift
printf "$format" $@ >&2
}
function load_sysconfig()
{
[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
. "$SLAPD_SYSCONFIG_FILE"
[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
}
default_config

40
SOURCES/libexec-upgrade-db.sh Executable file
View File

@ -0,0 +1,40 @@
#!/bin/sh
# Author: Jan Vcelak <jvcelak@redhat.com>
. /usr/libexec/openldap/functions
if [ `id -u` -ne 0 ]; then
error "You have to be root to run this command."
exit 4
fi
load_sysconfig
retcode=0
for dbdir in `databases`; do
upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
# skip uninitialized database
[ -z "$bdb_files"] || continue
printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
# perform the update
for command in \
"/usr/bin/db_recover -v -h \"$dbdir\"" \
"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
; do
printf "Executing: %s\n" "$command" &>>$upgrade_log
run_as_ldap "$command" &>>$upgrade_log
result=$?
printf "Exit code: %d\n" $result >>"$upgrade_log"
if [ $result -ne 0 ]; then
printf "Upgrade failed: %d\n" $result
retcode=1
fi
done
done
exit $retcode

View File

@ -0,0 +1,20 @@
use AI_ADDRCONFIG if defined in the environment
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7326
Resolves: #835013
diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
index b31e05d..fa361ab 100644
--- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c
@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
memset( &hints, '\0', sizeof(hints) );
-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
+#ifdef AI_ADDRCONFIG
hints.ai_flags = AI_ADDRCONFIG;
#endif
hints.ai_family = ldap_int_inet4or6;

View File

@ -0,0 +1,40 @@
Compile AllOp together with other overlays.
Author: Matus Honek <mhonek@redhat.com>
Resolves: #1319782
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
translucent.c \
unique.c \
valsort.c \
- smbk5pwd.c
+ smbk5pwd.c \
+ allop.c
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo
smbk5pwd.la : smbk5pwd.lo
$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+allop.lo : allop.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+
+allop.la : allop.lo
+ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \

View File

@ -0,0 +1,55 @@
From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 May 2013 17:02:57 +0200
Subject: [PATCH] LDAPI SASL fix
Resolves: #960222
---
libraries/libldap/cyrus.c | 19 ++++++++++++++++---
1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 28c241b..a9acf36 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
struct berval ccred = BER_BVNULL;
int saslrc, rc;
unsigned credlen;
+ char my_hostname[HOST_NAME_MAX + 1];
+ int free_saslhost = 0;
Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
mechs ? mechs : "<null>", 0, 0 );
@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
/* If we don't need to canonicalize just use the host
* from the LDAP URI.
+ * Always use the result of gethostname() for LDAPI.
*/
- if ( nocanon )
+ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
+ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
+ rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
+ if (rc == 0) {
+ saslhost = my_hostname;
+ } else {
+ saslhost = "localhost";
+ }
+ } else if ( nocanon )
saslhost = ld->ld_defconn->lconn_server->lud_host;
- else
+ else {
saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
"localhost" );
+ free_saslhost = 1;
+ }
rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
- if ( !nocanon )
+ if ( free_saslhost )
LDAP_FREE( saslhost );
}
--
1.7.11.7

View File

@ -0,0 +1,73 @@
Various manual pages changes:
* removes LIBEXECDIR from slapd.8
* removes references to non-existing manpages (bz 624616)
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
index 3def6da..466c772 100644
--- a/doc/man/man1/ldapmodify.1
+++ b/doc/man/man1/ldapmodify.1
@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
.BR ldap_add_ext (3),
.BR ldap_delete_ext (3),
.BR ldap_modify_ext (3),
-.BR ldap_modrdn_ext (3),
-.BR ldif (5).
+.BR ldif (5)
.SH AUTHOR
The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index cfde143..63592cb 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -317,6 +317,7 @@ certificates in separate individual files. The
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GnuTLS.
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index b739f4d..e2a1a00 100644
--- a/doc/man/man8/slapd.8
+++ b/doc/man/man8/slapd.8
@@ -5,7 +5,7 @@
.SH NAME
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
-.B LIBEXECDIR/slapd
+.B slapd
[\c
.BR \-4 | \-6 ]
[\c
@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd
+ slapd
.ft
.fi
.LP
@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
+ slapd -f /var/tmp/slapd.conf -d 255
.ft
.fi
.LP
@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-Tt
+ slapd -Tt
.ft
.fi
.LP
--
1.8.1.4

View File

@ -0,0 +1,227 @@
ITS#7595 Add Elliptic Curve support for OpenSSL
Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
Author: Howard Chu <hyc@openldap.org>
Date: Sat Sep 7 09:47:19 2013 -0700
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 9c72e8296..2311c3096 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -922,6 +922,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B olcTLSECName: <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This is required to enable ECDHE algorithms in
+OpenSSL. This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
.B olcTLSProtocolMin: <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index f504adcf9..ef03e0ad8 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1153,6 +1153,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B TLSECName <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This is required to enable ECDHE algorithms in
+OpenSSL. This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/include/ldap.h b/include/ldap.h
index c245651c2..0964a193e 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_NEWCTX 0x600f
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
+#define LDAP_OPT_X_TLS_ECNAME 0x6012
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 66e04ae80..db7193f4f 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -165,6 +165,7 @@ struct ldaptls {
char *lt_ciphersuite;
char *lt_crlfile;
char *lt_randfile; /* OpenSSL only */
+ char *lt_ecname; /* OpenSSL only */
int lt_protocol_min;
};
#endif
@@ -250,6 +251,7 @@ struct ldapoptions {
#define ldo_tls_certfile ldo_tls_info.lt_certfile
#define ldo_tls_keyfile ldo_tls_info.lt_keyfile
#define ldo_tls_dhfile ldo_tls_info.lt_dhfile
+#define ldo_tls_ecname ldo_tls_info.lt_ecname
#define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index d25c190ea..0451b01af 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = NULL;
}
+ if ( lo->ldo_tls_ecname ) {
+ LDAP_FREE( lo->ldo_tls_ecname );
+ lo->ldo_tls_ecname = NULL;
+ }
if ( lo->ldo_tls_cacertfile ) {
LDAP_FREE( lo->ldo_tls_cacertfile );
lo->ldo_tls_cacertfile = NULL;
@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
__atoe( lts.lt_dhfile );
}
+ if ( lts.lt_ecname ) {
+ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
+ __atoe( lts.lt_ecname );
+ }
#endif
lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
if ( lo->ldo_tls_ctx == NULL ) {
@@ -257,6 +265,7 @@ error_exit:
LDAP_FREE( lts.lt_crlfile );
LDAP_FREE( lts.lt_cacertdir );
LDAP_FREE( lts.lt_dhfile );
+ LDAP_FREE( lts.lt_ecname );
#endif
return rc;
}
@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
*(char **)arg = lo->ldo_tls_dhfile ?
LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
break;
+ case LDAP_OPT_X_TLS_ECNAME:
+ *(char **)arg = lo->ldo_tls_ecname ?
+ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
+ break;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
*(char **)arg = lo->ldo_tls_crlfile ?
LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
+ case LDAP_OPT_X_TLS_ECNAME:
+ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
+ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index f24060b7e..1370923af 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return -1;
}
- if ( lo->ldo_tls_dhfile ) {
- DH *dh = NULL;
+ if ( is_server && lo->ldo_tls_dhfile ) {
+ DH *dh;
BIO *bio;
- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
Debug( LDAP_DEBUG_ANY,
@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
}
BIO_free( bio );
SSL_CTX_set_tmp_dh( ctx, dh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+ DH_free( dh );
+ }
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ if ( is_server && lo->ldo_tls_ecname ) {
+ EC_KEY *ecdh;
+
+ int nid = OBJ_sn2nid( lt->lt_ecname );
+ if ( nid == NID_undef ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use EC name `%s'.\n",
+ lo->ldo_tls_ecname,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ ecdh = EC_KEY_new_by_curve_name( nid );
+ if ( ecdh == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not generate key for EC name `%s'.\n",
+ lo->ldo_tls_ecname,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+ EC_KEY_free( ecdh );
}
+#endif
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 250f14100..8b1e4e582 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -194,6 +194,7 @@ enum {
CFG_ACL_ADD,
CFG_SYNC_SUBENTRY,
CFG_LTHREADS,
+ CFG_TLS_ECNAME,
CFG_LAST
};
@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
#endif
"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ { "TLSECName", NULL, 2, 2, 0,
+#ifdef HAVE_TLS
+ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
+#else
+ ARG_IGNORED, NULL,
+#endif
+ "( OLcfgGlAt:96 NAME 'olcTLSECName' "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "TLSProtocolMin", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
"olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
"olcTLSCACertificatePath $ olcTLSCertificateFile $ "
"olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
+ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
"olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
"olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
"olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
+ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
#ifdef HAVE_GNUTLS
case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
#endif

View File

@ -0,0 +1,34 @@
ITS#7595 don't try to use EC if OpenSSL lacks it
Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
Author: Howard Chu <hyc@openldap.org>
Date: Sun Sep 8 06:32:23 2013 -0700
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 1a81bc625..71c2b055c 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
DH_free( dh );
}
-#ifdef SSL_OP_SINGLE_ECDH_USE
if ( is_server && lo->ldo_tls_ecname ) {
+#ifdef OPENSSL_NO_EC
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: Elliptic Curves not supported.\n", 0,0,0 );
+ return -1;
+#else
EC_KEY *ecdh;
int nid = OBJ_sn2nid( lt->lt_ecname );
@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
SSL_CTX_set_tmp_ecdh( ctx, ecdh );
SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
EC_KEY_free( ecdh );
- }
#endif
+ }
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );

View File

@ -0,0 +1,48 @@
Reference default system-wide CA certificates in manpages
OpenSSL, unless explicitly configured, uses system-wide default set of CA
certificates.
Author: Matus Honek <mhonek@redhat.com>
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an
.B ldaps:// URI
is selected (by default or otherwise) or when the application
negotiates TLS by issuing the LDAP StartTLS operation.
+.LP
+When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
+is set, the system-wide default set of CA certificates is used.
.TP
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -801,6 +801,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
+.LP
+When using OpenSSL, if neither \fBolcTLSCACertificateFile\fP nor
+\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
+certificates is used.
.TP
.B olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1032,6 +1032,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
+.LP
+When using OpenSSL, if neither \fBTLSCACertificateFile\fP nor
+\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
+certificates is used.
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.

View File

@ -0,0 +1,33 @@
The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
example if libldap needs to be initialized from within gethostbyXXXX() (which
actually happens if nss_ldap is used for hostname resolution and earlier
modules can't resolve the local host name), so use the reentrant versions of
the functions, even if we're not being compiled for use in libldap_r
Resolves: #179730
Author: Jeffery Layton <jlayton@redhat.com>
diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
index 373c81c..a012062 100644
--- a/libraries/libldap/util-int.c
+++ b/libraries/libldap/util-int.c
@@ -52,8 +52,8 @@ extern int h_errno;
#ifndef LDAP_R_COMPILE
# undef HAVE_REENTRANT_FUNCTIONS
# undef HAVE_CTIME_R
-# undef HAVE_GETHOSTBYNAME_R
-# undef HAVE_GETHOSTBYADDR_R
+/* # undef HAVE_GETHOSTBYNAME_R */
+/* # undef HAVE_GETHOSTBYADDR_R */
#else
# include <ldap_pvt_thread.h>
@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
#define BUFSTART (1024-32)
#define BUFMAX (32*1024-32)
-#if defined(LDAP_R_COMPILE)
+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
static char *safe_realloc( char **buf, int len );
#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))

View File

@ -0,0 +1,62 @@
Compile smbk5pwd together with other overlays.
Author: Jan Šafránek <jsafrane@redhat.com>
Resolves: #550895
Update to link against OpenSSL
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #841560
diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
index f20ad94..b6433ff 100644
--- a/contrib/slapd-modules/smbk5pwd/README
+++ b/contrib/slapd-modules/smbk5pwd/README
@@ -1,3 +1,8 @@
+******************************************************************************
+Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
+is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
+******************************************************************************
+
This directory contains a slapd overlay, smbk5pwd, that extends the
PasswordModify Extended Operation to update Kerberos keys and Samba
password hashes for an LDAP user.
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
index 3af20e8..ef73663 100644
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
syncprov.c \
translucent.c \
unique.c \
- valsort.c
+ valsort.c \
+ smbk5pwd.c
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo
valsort.la : valsort.lo
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+smbk5pwd.lo : smbk5pwd.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+
+smbk5pwd.la : smbk5pwd.lo
+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \
--
1.7.10.4

View File

@ -0,0 +1,41 @@
From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
Date: Tue, 18 May 2010 17:47:05 +0200
Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
Proof of concept for fixing http://bugs.debian.org/327585
(patch ported from freeradius bug http://bugs.debian.org/416266)
Resolves: #960048
---
--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200
+++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200
@@ -117,6 +117,20 @@
return -1; /* not found */
}
+static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
+{
+ lt_dlhandle handle = 0;
+ lt_dladvise advise;
+
+ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
+ && !lt_dladvise_global (&advise))
+ handle = lt_dlopenadvise (filename, advise);
+
+ lt_dladvise_destroy (&advise);
+
+ return handle;
+}
+
int module_load(const char* file_name, int argc, char *argv[])
{
module_loaded_t *module;
@@ -180,7 +194,7 @@
* to calling Debug. This is because Debug is a macro that expands
* into multiple function calls.
*/
- if ((module->lib = lt_dlopenext(file)) == NULL) {
+ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
error = lt_dlerror();
#ifdef HAVE_EBCDIC
strcpy( ebuf, error );

View File

@ -0,0 +1,224 @@
From f2978fefa13eb92b73922e49d2f6c12b4f92ea85 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Fri, 10 Jan 2020 18:35:02 +0100
Subject: [PATCH] Use OpenSSL API to verify host
Replace custom hostname and IP address verification with OpenSSL 1.0.2
APIs.
---
libraries/libldap/tls_o.c | 184 ++++++--------------------------------
1 file changed, 28 insertions(+), 156 deletions(-)
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index e52c5507c..5adf7b74f 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -660,25 +660,15 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
return 0;
}
-/* what kind of hostname were we given? */
-#define IS_DNS 0
-#define IS_IP4 1
-#define IS_IP6 2
-
static int
tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
{
tlso_session *s = (tlso_session *)sess;
- int i, ret = LDAP_LOCAL_ERROR;
+ int ret = LDAP_LOCAL_ERROR;
X509 *x;
const char *name;
- char *ptr;
- int ntype = IS_DNS, nlen;
-#ifdef LDAP_PF_INET6
- struct in6_addr addr;
-#else
- struct in_addr addr;
-#endif
+ int flags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
+ ASN1_OCTET_STRING *ip;
if( ldap_int_hostname &&
( !name_in || !strcasecmp( name_in, "localhost" ) ) )
@@ -687,7 +677,6 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
} else {
name = name_in;
}
- nlen = strlen(name);
x = tlso_get_cert(s);
if (!x) {
@@ -619,150 +619,32 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
return LDAP_SUCCESS;
}
-#ifdef LDAP_PF_INET6
- if (inet_pton(AF_INET6, name, &addr)) {
- ntype = IS_IP6;
- } else
-#endif
- if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
- if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
- }
-
- i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
- if (i >= 0) {
- X509_EXTENSION *ex;
- STACK_OF(GENERAL_NAME) *alt;
-
- ex = X509_get_ext(x, i);
- alt = X509V3_EXT_d2i(ex);
- if (alt) {
- int n, len2 = 0;
- char *domain = NULL;
- GENERAL_NAME *gn;
-
- if (ntype == IS_DNS) {
- domain = strchr(name, '.');
- if (domain) {
- len2 = nlen - (domain-name);
- }
- }
- n = sk_GENERAL_NAME_num(alt);
- for (i=0; i<n; i++) {
- char *sn;
- int sl;
- gn = sk_GENERAL_NAME_value(alt, i);
- if (gn->type == GEN_DNS) {
- if (ntype != IS_DNS) continue;
-
- sn = (char *) ASN1_STRING_data(gn->d.ia5);
- sl = ASN1_STRING_length(gn->d.ia5);
-
- /* ignore empty */
- if (sl == 0) continue;
-
- /* Is this an exact match? */
- if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
- break;
- }
-
- /* Is this a wildcard match? */
- if (domain && (sn[0] == '*') && (sn[1] == '.') &&
- (len2 == sl-1) && !strncasecmp(domain, &sn[1], len2))
- {
- break;
- }
-
- } else if (gn->type == GEN_IPADD) {
- if (ntype == IS_DNS) continue;
-
- sn = (char *) ASN1_STRING_data(gn->d.ia5);
- sl = ASN1_STRING_length(gn->d.ia5);
-
-#ifdef LDAP_PF_INET6
- if (ntype == IS_IP6 && sl != sizeof(struct in6_addr)) {
- continue;
- } else
-#endif
- if (ntype == IS_IP4 && sl != sizeof(struct in_addr)) {
- continue;
- }
- if (!memcmp(sn, &addr, sl)) {
- break;
- }
- }
- }
-
- GENERAL_NAMES_free(alt);
- if (i < n) { /* Found a match */
- ret = LDAP_SUCCESS;
- }
- }
- }
-
- if (ret != LDAP_SUCCESS) {
- X509_NAME *xn;
- X509_NAME_ENTRY *ne;
- ASN1_OBJECT *obj;
- ASN1_STRING *cn = NULL;
- int navas;
-
- /* find the last CN */
- obj = OBJ_nid2obj( NID_commonName );
- if ( !obj ) goto no_cn; /* should never happen */
-
- xn = X509_get_subject_name(x);
- navas = X509_NAME_entry_count( xn );
- for ( i=navas-1; i>=0; i-- ) {
- ne = X509_NAME_get_entry( xn, i );
- if ( !OBJ_cmp( X509_NAME_ENTRY_get_object(ne), obj )) {
- cn = X509_NAME_ENTRY_get_data( ne );
- break;
- }
+ /* attempt to encode name as IP address */
+ ip = a2i_IPADDRESS(name);
+ if (ip == NULL) {
+ ERR_clear_error();
+ /* it's a hostname */
+ if (X509_check_host(x, name, strlen(name), flags, NULL) == 1) {
+ ret = LDAP_SUCCESS;
}
-
- if( !cn )
- {
-no_cn:
- Debug( LDAP_DEBUG_ANY,
- "TLS: unable to get common name from peer certificate.\n",
- 0, 0, 0 );
- ret = LDAP_CONNECT_ERROR;
- if ( ld->ld_error ) {
- LDAP_FREE( ld->ld_error );
- }
- ld->ld_error = LDAP_STRDUP(
- _("TLS: unable to get CN from peer certificate"));
-
- } else if ( cn->length == nlen &&
- strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
+ } else {
+ /* It's an IPv4 or IPv6 address */
+ if (X509_check_ip(x, ASN1_STRING_data(ip),
+ ASN1_STRING_length(ip), 0) == 1) {
ret = LDAP_SUCCESS;
-
- } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
- char *domain = strchr(name, '.');
- if( domain ) {
- int dlen;
-
- dlen = nlen - (domain-name);
-
- /* Is this a wildcard match? */
- if ((dlen == cn->length-1) &&
- !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
- ret = LDAP_SUCCESS;
- }
- }
}
+ ASN1_OCTET_STRING_free(ip);
+ }
- if( ret == LDAP_LOCAL_ERROR ) {
- Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
- "common name in certificate (%.*s).\n",
- name, cn->length, cn->data );
- ret = LDAP_CONNECT_ERROR;
- if ( ld->ld_error ) {
- LDAP_FREE( ld->ld_error );
- }
- ld->ld_error = LDAP_STRDUP(
- _("TLS: hostname does not match CN in peer certificate"));
+ if( ret == LDAP_LOCAL_ERROR ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+ "peer certificate.\n", name, 0, 0);
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
}
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: hostname does not match peer certificate"));
}
X509_free(x);
return ret;

158
SOURCES/slapd.ldif Normal file
View File

@ -0,0 +1,158 @@
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
# TLS settings
#
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by oclTLSCACertificatePath one has to include them explicitly:
#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
#
# Private cert and key are not pregenerated.
#olcTLSCertificateFile:
#olcTLSCertificateKeyFile:
#
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#olcTLSCipherSuite: PROFILE=SYSTEM
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
n=auth" manage by * none
#
# Server status monitoring
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
#
# Backend database definitions
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

17
SOURCES/slapd.service Normal file
View File

@ -0,0 +1,17 @@
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-hdb
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html
[Service]
Type=forking
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
[Install]
WantedBy=multi-user.target
Alias=openldap.service

2
SOURCES/slapd.tmpfiles Normal file
View File

@ -0,0 +1,2 @@
# openldap runtime directory for slapd.arg and slapd.pid
d /var/run/openldap 0755 ldap ldap -

2127
SPECS/openldap.spec Normal file

File diff suppressed because it is too large Load Diff