- new configuration schema - directory instead of file

- fixed buffer overflow issue pointed out by new glibc - fixed behaviour during installation / upgrade caused by renamed init script
2009-09-24 11:30:24 +00:00 · 2009-09-24 11:30:24 +00:00 · 45f722d160
commit 45f722d160
parent a629500293
3 changed files with 89 additions and 18 deletions
--- a/ldap.init
+++ b/ldap.init
@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# ldap	This shell script takes care of starting and stopping
+# slapd	This shell script takes care of starting and stopping
 #	ldap servers (slapd).
 #
 # chkconfig: - 27 73
@ -42,7 +42,7 @@ fi
 slapd=/usr/sbin/slapd
 slaptest=/usr/sbin/slaptest
 lockfile=/var/lock/subsys/slapd
-configfile=/etc/openldap/slapd.conf
+configdir=/etc/openldap/slapd.d/
 pidfile=/var/run/slapd.pid
 slapd_pidfile=/var/run/openldap/slapd.pid

@ -104,14 +104,19 @@ function checkkeytab() {

 function configtest() {
 	local user= ldapuid= dbdir= file=
-	[ -f $configfile ] || exit 6
+	[ -d $configdir ] || exit 6
 	# Check for simple-but-common errors.
 	user=ldap
 	prog=`basename ${slapd}`
 	ldapuid=`id -u $user`
 	# Unaccessible database files.
 	slaptestflags=""
-	for dbdir in `LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | sed s,^directory,,` ; do
+	dbdirs=""
+	for configfile in `ls -1 $configdir/cn\=config/olcDatabase*`; do
+		dbdirs=$dbdirs"
+		"`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'`
+	done
+	for dbdir in $dbdirs; do
 		for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do
 			echo -n $"$file is not owned by \"$user\"" ; warning ; echo
 		done
@ -129,7 +134,7 @@ function configtest() {
 		echo -n $"$file is not readable by \"$user\"" ; warning ; echo
 	fi
 	# Unaccessible TLS configuration files.
-	tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' $configfile | awk '{print $2}'`
+	tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'`
 	for file in $tlsconfigs ; do
 		if ! testasuser $user -r $file ; then
 			echo -n $"$file is not readable by \"$user\"" ; warning ; echo
@ -151,8 +156,8 @@ function configtest() {
 		echo -n $"Checking configuration files for $prog: " ; failure ; echo
 		echo "$slaptestout"
 		if /sbin/runuser -m -s "$slaptest" -- "$user" "-u" > /dev/null 2> /dev/null ; then
-			dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | awk '{print $2}'`
-			for directory in $dirs ; do
+			#dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | awk '{print $2}'`
+			for directory in $dbdirs ; do
 				if test -r $directory/__db.001 ; then
 					echo -n $"stale lock files may be present in $directory" ; warning ; echo
 				fi
--- a/openldap-2.4.18-ldif-buf-overflow.patch
+++ b/openldap-2.4.18-ldif-buf-overflow.patch
@ -0,0 +1,26 @@
+--- openldap-2.4.18/servers/slapd/back-ldif/ldif.c.orig	2009-09-24 09:46:01.000000000 +0200
+++ openldap-2.4.18/servers/slapd/back-ldif/ldif.c	2009-09-24 12:41:09.000000000 +0200
+@@ -593,9 +593,12 @@ typedef struct bvlist {
+ 	char *trunc;	/* filename was truncated here */
+ 	int  inum;		/* num from "attr={num}" in filename, or INT_MIN */
+ 	char savech;	/* original char at *trunc */
+-	char fname;		/* variable length array BVL_NAME(bvl) = &fname */
+-#	define BVL_NAME(bvl) ((char *) (bvl) + offsetof(bvlist, fname))
+-#	define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen))
+	char *fname;		/* variable length array BVL_NAME(bvl) = &fname */
+	//char fname;		/* variable length array BVL_NAME(bvl) = &fname */
+#	define BVL_NAME(bvl) ((bvl)->fname)
+#	define BVL_SIZE(namelen) (sizeof(bvlist))
+//#	define BVL_NAME(bvl) ((char *) (bvl) + offsetof(bvlist, fname))
+//#	define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen))
+ } bvlist;
+ 
+ static int
+@@ -710,6 +713,7 @@ ldif_readdir(
+ 				*fname_maxlenp = fname_len;
+ 
+ 			bvl = SLAP_MALLOC( BVL_SIZE( fname_len ) );
+			bvl->fname = SLAP_MALLOC( fname_len+1 );
+ 			if ( bvl == NULL ) {
+ 				rc = LDAP_OTHER;
+ 				save_errno = errno;
--- a/openldap.spec
+++ b/openldap.spec
@ -11,7 +11,7 @@
 Summary: LDAP support libraries
 Name: openldap
 Version: %{version}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@ -35,6 +35,7 @@ Patch6: openldap-2.3.19-gethostbyXXXX_r.patch
 Patch9: openldap-2.3.37-smbk5pwd.patch
 Patch10: openldap-2.4.6-multilib.patch
 Patch11: openldap-2.4.16-doc-cacertdir.patch
+Patch12: openldap-2.4.18-ldif-buf-overflow.patch

 # Patches for the evolution library
 Patch200: openldap-2.4.6-evolution-ntlm.patch
@ -141,6 +142,7 @@ pushd openldap-%{version}
 %patch9 -p1 -b .smbk5pwd
 %patch10 -p1 -b .multilib
 %patch11 -p1 -b .cacertdir
+%patch12 -p1 -b .malloc

 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 popd
@ -425,6 +427,14 @@ if [ "$1" = "2" ]; then

    OLD_SLAPD_VERSION=$( rpm -q --qf "%{VERSION}" openldap-servers | sed 's/\.[0-9]*$//' )
    NEW_SLAPD_VERSION=$( echo %{version} | sed 's/\.[0-9]*$//' )
+    # we need to detect how is the init script named
+    # - in older versions ldap
+    # - in newer versions slapd
+    if [ -f %{_initrddir}/ldap ]; then
+        SERVICE_NAME=ldap
+    elif [ -f %{_initrddir}/slapd ]; then
+        SERVICE_NAME=slapd
+    fi

    if [ "$OLD_SLAPD_VERSION" != "$NEW_SLAPD_VERSION" ]; then
        # Minor version number has changed -> slapcat/slapadd of the BDB database 
@ -433,9 +443,9 @@ if [ "$1" = "2" ]; then
        # directory - Just In Case (TM)

        # stop the server
-        if /sbin/service ldap status &>/dev/null; then 
+        if /sbin/service $SERVICE_NAME status &>/dev/null; then 
            touch /var/lib/ldap/need_start
-            /sbin/service ldap stop &>/dev/null
+            /sbin/service $SERVICE_NAME stop &>/dev/null
        fi

        files=$(echo /var/lib/ldap/{log.*,__db.*,[a]lock})
@ -456,9 +466,9 @@ if [ "$1" = "2" ]; then
            # Minor version number of bdb has changed -> run db_upgrade in % post script 
    
            # stop the server
-            if /sbin/service ldap status &>/dev/null; then 
+            if /sbin/service $SERVICE_NAME status &>/dev/null; then 
                touch /var/lib/ldap/need_start
-                /sbin/service ldap stop &>/dev/null
+                /sbin/service $SERVICE_NAME stop &>/dev/null
            fi

            # Ensure, that the database is correct
@ -472,7 +482,7 @@ exit 0

 %post servers
 /sbin/ldconfig
-/sbin/chkconfig --add ldap
+/sbin/chkconfig --add slapd
 # If there's a /var/lib/ldap/upgrade.ldif file, slapadd it and delete it.
 # It was created by the % pre above.
 if [ -f /var/lib/ldap/upgrade.ldif ] ; then
@ -505,11 +515,34 @@ chmod 640 slapd.pem
 popd
 fi

+if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
+    # if there is no slapd.conf, we probably already have new configuration in place
+    mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
+    mkdir -p %{_sysconfdir}/openldap/slapd.d/
+    lines=`egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1`
+    lines=$(($lines-1))
+    head -n $lines %{_sysconfdir}/openldap/slapd.conf.bak > %{_sysconfdir}/openldap/slapd.conf
+    cat >> %{_sysconfdir}/openldap/slapd.conf << EOF
+database config
+rootdn   "cn=admin,cn=config"
+#rootpw   secret
+EOF
+    lines_r=`wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" "`
+    lines_r=$(($lines_r-$lines))
+    tail -n $lines_r %{_sysconfdir}/openldap/slapd.conf.bak >> %{_sysconfdir}/openldap/slapd.conf
+    slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2> /dev/null
+    chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d
+    chmod -R 000 %{_sysconfdir}/openldap/slapd.d
+    chmod -R u+rwX %{_sysconfdir}/openldap/slapd.d
+    rm -f %{_sysconfdir}/openldap/slapd.conf
+fi
+
+
 if [ $1 -ge 1 ] ; then
-    /sbin/service ldap condrestart &>/dev/null
-    /sbin/service ldap status &>/dev/null
+    /sbin/service slapd condrestart &>/dev/null
+    /sbin/service slapd status &>/dev/null
    if [ "$?" != "0" -a -f /var/lib/ldap/need_start ]; then
-        /sbin/service ldap start &>/dev/null
+        /sbin/service slapd start &>/dev/null
        rm -f /var/lib/ldap/need_start &>/dev/null 
    fi
 fi
@ -518,8 +551,8 @@ exit 0

 %preun servers
 if [ "$1" = "0" ] ; then
-  /sbin/service ldap stop > /dev/null 2>&1 || :
-  /sbin/chkconfig --del ldap
+  /sbin/service slapd stop > /dev/null 2>&1 || :
+  /sbin/chkconfig --del slapd
 # Openldap-servers are being removed from system.
 # Do not touch the database! Older versions of this
 # package attempted to store database in LDIF format, so
@ -606,6 +639,12 @@ fi
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a

 %changelog
+* Tue Sep 22 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-2
+- changed configuration approach. Instead od slapd.conf slapd
+  is using slapd.d directory now
+- fix of some issues caused by renaming of init script
+- fix of buffer overflow issue in ldif.c pointed out by new glibc
+
 * Fri Sep 18 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.18-1
 - rebase of openldap to 2.4.18

@ -614,6 +653,7 @@ fi

 * Wed Sep 16 2009 Jan Zeleny <jzeleny@redhat.com> 2.4.16-6
 - updated init script to be LSB-compliant (#523434)
+- init script renamed to slapd

 * Thu Aug 27 2009 Tomas Mraz <tmraz@redhat.com> - 2.4.16-5
 - rebuilt with new openssl