From 95d8d32fc5c1111badf1006505a7a7b0a9e32cea Mon Sep 17 00:00:00 2001 
From: Jan Vcelak Date: Tue, 24 Aug 2010 18:25:50 +0200 Subject: [PATCH] rebase to 2.4.23 - package rebased - removed embedded db4 - removed patches merged by upstream - removed no longer required patches - merged patches doing manpage changes - merged patches exporting ldif API - reapplied patches and added description to each one - removed unnecessary BuildRequires - cleaned %config, %build and %install sections - updated database upgrade process: - database is exported (slapcat) and reimported (slapadd) when minor version of openldap changes (safe and recommended way) - database is upgraded (db4) when minor version of db4 package changes (this is not done in %post anymore, as the database is not embedded, but using triggers) Resolved: #624616 Bogus links in "SEE ALSO" part of several man-pages Resolved: #625740 openldap-2.4.23 is available --- README.nss_ldap | 9 - nptl-abi-note.S | 21 - openldap-2.0.11-ldaprc.patch | 13 - openldap-2.2.13-setugid.patch | 14 - openldap-2.3.11-toollinks.patch | 20 - openldap-2.4.12-options.patch | 112 ---- openldap-2.4.16-doc-cacertdir.patch | 10 - openldap-2.4.21-dn2id-segfault.patch | 11 - openldap-2.4.22-ldif_h.patch | 22 - openldap-2.4.22-libldif.patch | 66 -- openldap-2.4.22-modrdn-segfault.patch | 74 --- openldap-2.4.6-multilib.patch | 30 - openldap-2.4.6-nosql.patch | 12 - openldap-2.4.6-pie.patch | 16 - ...tlm.patch => openldap-evolution-ntlm.patch | 23 +- openldap-export-ldif.patch | 61 ++ openldap-ldaprc-currentdir.patch | 19 + openldap-manpages.patch | 103 +++ ....patch => openldap-nss-ca-selfsigned.patch | 5 +- ...tch => openldap-nss-delay-token-auth.patch | 7 +- ...atch => openldap-reentrant-gethostby.patch | 15 +- openldap-security-pie.patch | 17 + ...-config.patch => openldap-slapd-conf.patch | 8 +- ...d.patch => openldap-smbk5pwd-overlay.patch | 27 +- openldap-sql-linking.patch | 15 + openldap-userconfig-setgid.patch | 17 + openldap.spec | 622 +++++++++--------- 27 files changed, 588 insertions(+), 781 deletions(-)
delete mode 100644 README.nss_ldap delete mode 100644 nptl-abi-note.S delete mode 100644 openldap-2.0.11-ldaprc.patch delete mode 100644 openldap-2.2.13-setugid.patch delete mode 100644 openldap-2.3.11-toollinks.patch delete mode 100644 openldap-2.4.12-options.patch delete mode 100644 openldap-2.4.16-doc-cacertdir.patch delete mode 100644 openldap-2.4.21-dn2id-segfault.patch delete mode 100644 openldap-2.4.22-ldif_h.patch delete mode 100644 openldap-2.4.22-libldif.patch delete mode 100644 openldap-2.4.22-modrdn-segfault.patch delete mode 100644 openldap-2.4.6-multilib.patch delete mode 100644 openldap-2.4.6-nosql.patch delete mode 100644 openldap-2.4.6-pie.patch rename openldap-2.4.6-evolution-ntlm.patch => openldap-evolution-ntlm.patch (82%) create mode 100644 openldap-export-ldif.patch create mode 100644 openldap-ldaprc-currentdir.patch create mode 100644 openldap-manpages.patch rename openldap-2.4.23-selfsignedcacert.patch => openldap-nss-ca-selfsigned.patch (96%) rename openldap-2.4.22-initauthtoken.patch => openldap-nss-delay-token-auth.patch (89%) rename openldap-2.3.19-gethostbyXXXX_r.patch => openldap-reentrant-gethostby.patch (69%) create mode 100644 openldap-security-pie.patch rename openldap-2.4.6-config.patch => openldap-slapd-conf.patch (92%) rename openldap-2.3.37-smbk5pwd.patch => openldap-smbk5pwd-overlay.patch (55%) create mode 100644 openldap-sql-linking.patch create mode 100644 openldap-userconfig-setgid.patch diff --git a/README.nss_ldap b/README.nss_ldap deleted file mode 100644 index 6d5abce..0000000 --- a/README.nss_ldap +++ /dev/null @@ -1,9 +0,0 @@ -These files are here specifically for use in building the nss_ldap package, -and should not be used for any other purpose. - -They contain a backported patch which adds two functions which nss_ldap can -use to avoid blocking in one particular use case, but which are not included -in the 2.2 branch of OpenLDAP. - -When the openldap package updates to 2.3, these libraries will simply -disappear. 
diff --git a/nptl-abi-note.S b/nptl-abi-note.S deleted file mode 100644 index e8de1d9..0000000 --- a/nptl-abi-note.S +++ /dev/null @@ -1,21 +0,0 @@ -/* Gleaned from glibc, though I suppose it's documented in the specs, too. - NPTL requires support that isn't in kernels prior to 2.4.20 (or 2.5.36 if - you're not using a backported TLS implementation in your kernel), but ld.so - will try to use this library on an insufficiently-new system unless we make - a note of the required kernel version here. - We also add in a section which marks the library as not needing an - executable stack to avoid unintentionally disabling exec-shield and the - like (thanks Arjan!). */ - .section ".note.ABI-tag", "a" - .p2align 2 - .long 1f - 0f - .long 3f - 2f - .long 1 -0: .asciz "GNU" -1: .p2align 2 -2: .long 0 - .long 2,4,20 -3: .p2align 2 - -.section .note.GNU-stack, "", @progbits -.previous diff --git a/openldap-2.0.11-ldaprc.patch b/openldap-2.0.11-ldaprc.patch deleted file mode 100644 index 78974ea..0000000 --- a/openldap-2.0.11-ldaprc.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up openldap-2.4.11/libraries/libldap/init.c.patch2 openldap-2.4.11/libraries/libldap/init.c ---- openldap-2.4.11/libraries/libldap/init.c.patch2 2008-02-12 00:26:41.000000000 +0100 -+++ openldap-2.4.11/libraries/libldap/init.c 2008-09-01 09:57:09.000000000 +0200 -@@ -327,9 +327,6 @@ static void openldap_ldap_init_w_usercon - if(path != NULL) { - LDAP_FREE(path); - } -- -- /* try file */ -- openldap_ldap_init_w_conf(file, 1); - } - - static void openldap_ldap_init_w_env( diff --git a/openldap-2.2.13-setugid.patch b/openldap-2.2.13-setugid.patch deleted file mode 100644 index 9cb7db7..0000000 --- a/openldap-2.2.13-setugid.patch +++ /dev/null 
@@ -1,14 +0,0 @@ -Don't read the user's configuration file if we're running in a setuid -or setgid application. -diff -up openldap-2.4.14/libraries/libldap/init.c.setugid openldap-2.4.14/libraries/libldap/init.c ---- openldap-2.4.14/libraries/libldap/init.c.setugid 2009-02-17 08:31:19.000000000 +0100 -+++ openldap-2.4.14/libraries/libldap/init.c 2009-02-17 08:39:01.000000000 +0100 -@@ -634,7 +634,7 @@ void ldap_int_initialize( struct ldapopt - openldap_ldap_init_w_sysconf(LDAP_CONF_FILE); - - #ifdef HAVE_GETEUID -- if ( geteuid() != getuid() ) -+ if ( geteuid() != getuid() || getegid() != getgid() ) - return; - #endif - diff --git a/openldap-2.3.11-toollinks.patch b/openldap-2.3.11-toollinks.patch deleted file mode 100644 index afa99d4..0000000 --- a/openldap-2.3.11-toollinks.patch +++ /dev/null @@ -1,20 +0,0 @@ -If libexecdir and sbindir are the same, avoid making an absolute symlink. - - -diff -up openldap-2.4.11/servers/slapd/Makefile.in.patch5 openldap-2.4.11/servers/slapd/Makefile.in ---- openldap-2.4.11/servers/slapd/Makefile.in.patch5 2008-09-01 09:57:09.000000000 +0200 -+++ openldap-2.4.11/servers/slapd/Makefile.in 2008-09-01 09:57:09.000000000 +0200 -@@ -270,7 +270,12 @@ slapd: $(SLAPD_DEPENDS) @LIBSLAPI@ - $(WRAP_LIBS) - $(RM) $(SLAPTOOLS) - for i in $(SLAPTOOLS); do \ -- $(LN_S) slapd$(EXEEXT) $$i$(EXEEXT); done -+ if test $(libexecdir) != $(sbindir) ; then \ -+ $(LN_S) $(libexecdir)/slapd$(EXEEXT) $$i$(EXEEXT); \ -+ else \ -+ $(LN_S) slapd$(EXEEXT) $$i$(EXEEXT); \ -+ fi \ -+ done - - - sslapd: version.o diff --git a/openldap-2.4.12-options.patch b/openldap-2.4.12-options.patch deleted file mode 100644 index bfc6a6c..0000000 --- a/openldap-2.4.12-options.patch +++ /dev/null 
@@ -1,112 +0,0 @@ ---- openldap/clients/tools/common.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/common.c.option 2009-04-09 14:52:23.000000000 +0200 -@@ -267,7 +267,6 @@ void - tool_common_usage( void ) - { - static const char *const descriptions[] = { --N_(" -c continuous operation mode (do not stop on errors)\n"), - N_(" -d level set LDAP debugging level to `level'\n"), - N_(" -D binddn bind DN\n"), - N_(" -e [!][=] general extensions (! indicates criticality)\n") -@@ -298,18 +297,15 @@ N_(" [!]sessiontracking\n") - N_(" abandon, cancel, ignore (SIGINT sends abandon/cancel,\n" - " or ignores response; if critical, doesn't wait for SIGINT.\n" - " not really controls)\n") --N_(" -f file read operations from `file'\n"), - N_(" -h host LDAP server\n"), - N_(" -H URI LDAP Uniform Resource Identifier(s)\n"), - N_(" -I use SASL Interactive mode\n"), --N_(" -M enable Manage DSA IT control (-MM to make critical)\n"), - N_(" -n show what would be done but don't actually do it\n"), - N_(" -N do not use reverse DNS to canonicalize SASL host name\n"), - N_(" -O props SASL security properties\n"), - N_(" -o [= (in seconds, or \"none\" or \"max\")\n"), - N_(" -p port port on LDAP server\n"), --N_(" -P version protocol version (default: 3)\n"), - N_(" -Q use SASL Quiet mode\n"), - N_(" -R realm SASL realm\n"), - N_(" -U authcid SASL authentication identity\n"), - ---- openldap/clients/tools/ldapcompare.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/ldapcompare.c.option 2009-04-09 14:46:37.000000000 +0200 -@@ -85,6 +85,8 @@ usage( void ) - fprintf( stderr, _("Compare options:\n")); - fprintf( stderr, _(" -E [!][=] compare extensions (! 
indicates criticality)\n")); - fprintf( stderr, _(" !dontUseCopy (Don't Use Copy)\n")); -+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n")); -+ fprintf( stderr, _(" -P version protocol version (default: 3)\n")); - fprintf( stderr, _(" -z Quiet mode," - " don't print anything, use return values\n")); - tool_common_usage(); - ---- openldap/clients/tools/ldapdelete.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/ldapdelete.c.option 2009-04-09 14:48:48.000000000 +0200 -@@ -71,6 +71,10 @@ usage( void ) - fprintf( stderr, _(" dn: list of DNs to delete. If not given, it will be readed from stdin\n")); - fprintf( stderr, _(" or from the file specified with \"-f file\".\n")); - fprintf( stderr, _("Delete Options:\n")); -+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n")); -+ fprintf( stderr, _(" -f file read operations from `file'\n")); -+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n")); -+ fprintf( stderr, _(" -P version protocol version (default: 3)\n")); - fprintf( stderr, _(" -r delete recursively\n")); - tool_common_usage(); - exit( EXIT_FAILURE ); - ---- openldap/clients/tools/ldapmodify.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/ldapmodify.c.option 2009-04-09 14:50:14.000000000 +0200 -@@ -137,8 +137,12 @@ usage( void ) - fprintf( stderr, _("Add or modify options:\n")); - fprintf( stderr, _(" -a add values (%s)\n"), - (ldapadd ? _("default") : _("default is to replace"))); -+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n")); - fprintf( stderr, _(" -E [!]ext=extparam modify extensions" - " (! 
indicate s criticality)\n")); -+ fprintf( stderr, _(" -f file read operations from `file'\n")); -+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n")); -+ fprintf( stderr, _(" -P version protocol version (default: 3)\n")); - #ifdef LDAP_X_TXN - fprintf( stderr, - _(" [!]txn= (transaction)\n")); - ---- openldap/clients/tools/ldapmodrdn.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/ldapmodrdn.c.option 2009-04-09 14:50:40.000000000 +0200 -@@ -83,6 +83,10 @@ usage( void ) - fprintf( stderr, _(" If not given, the list of modifications is read from stdin or\n")); - fprintf( stderr, _(" from the file specified by \"-f file\" (see man page).\n")); - fprintf( stderr, _("Rename options:\n")); -+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n")); -+ fprintf( stderr, _(" -f file read operations from `file'\n")); -+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n")); -+ fprintf( stderr, _(" -P version protocol version (default: 3)\n")); - fprintf( stderr, _(" -r remove old RDN\n")); - fprintf( stderr, _(" -s newsup new superior entry\n")); - tool_common_usage(); - ---- openldap/clients/tools/ldapsearch.c 2009-04-09 11:37:06.000000000 +0200 -+++ openldap/clients/tools/ldapsearch.c.option 2009-04-09 14:51:51.000000000 +0200 -@@ -123,6 +123,7 @@ usage( void ) - fprintf( stderr, _(" -a deref one of never (default), always, search, or find\n")); - fprintf( stderr, _(" -A retrieve attribute names only (no values)\n")); - fprintf( stderr, _(" -b basedn base dn for search\n")); -+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n")); - fprintf( stderr, _(" -E [!][=] search extensions (! 
indicates criticality)\n")); - fprintf( stderr, _(" [!]domainScope (domain scope)\n")); - fprintf( stderr, _(" !dontUseCopy (Don't Use Copy)\n")); -@@ -137,12 +138,15 @@ usage( void ) - fprintf( stderr, _(" [!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]\n")); - #endif - fprintf( stderr, _(" [!]=: (generic control; no response handling)\n")); -+ fprintf( stderr, _(" -f file read operations from `file'\n")); - fprintf( stderr, _(" -F prefix URL prefix for files (default: %s)\n"), def_urlpre); - fprintf( stderr, _(" -l limit time limit (in seconds, or \"none\" or \"max\") for search\n")); - fprintf( stderr, _(" -L print responses in LDIFv1 format\n")); - fprintf( stderr, _(" -LL print responses in LDIF format without comments\n")); - fprintf( stderr, _(" -LLL print responses in LDIF format without comments\n")); - fprintf( stderr, _(" and version\n")); -+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n")); -+ fprintf( stderr, _(" -P version protocol version (default: 3)\n")); - fprintf( stderr, _(" -s scope one of base, one, sub or children (search scope)\n")); - fprintf( stderr, _(" -S attr sort the results by attribute `attr'\n")); - fprintf( stderr, _(" -t write binary values to files in temporary directory\n")); diff --git a/openldap-2.4.16-doc-cacertdir.patch b/openldap-2.4.16-doc-cacertdir.patch deleted file mode 100644 index db7363d..0000000 --- a/openldap-2.4.16-doc-cacertdir.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- openldap-2.4.16/doc/man/man5/ldap.conf.5.orig 2009-09-16 17:12:01.000000000 +0200 -+++ openldap-2.4.16/doc/man/man5/ldap.conf.5 2009-09-16 17:15:32.000000000 +0200 -@@ -305,6 +305,7 @@ - .B TLS_CACERT - is always used before - .B TLS_CACERTDIR. -+The specified directory must be managed with the OpenSSL c_rehash utility. - This parameter is ignored with GNUtls. - .TP - .B TLS_CERT 
diff --git a/openldap-2.4.21-dn2id-segfault.patch b/openldap-2.4.21-dn2id-segfault.patch deleted file mode 100644 index 411f06a..0000000 --- a/openldap-2.4.21-dn2id-segfault.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- openldap-2.4.19/servers/slapd/back-bdb/dn2id.c.orig 2010-02-24 09:55:39.000000000 +0100 -+++ openldap-2.4.19/servers/slapd/back-bdb/dn2id.c 2010-02-24 09:56:07.000000000 +0100 -@@ -676,7 +676,7 @@ hdb_dn2id_delete( - d->nrdnlen[0] = (BEI(e)->bei_nrdn.bv_len >> 8) | 0x80; - dlen[0] = d->nrdnlen[0]; - dlen[1] = d->nrdnlen[1]; -- strcpy( d->nrdn, BEI(e)->bei_nrdn.bv_val ); -+ memcpy( d->nrdn, BEI(e)->bei_nrdn.bv_val, BEI(e)->bei_nrdn.bv_len+1 ); - data.data = d; - - rc = db->cursor( db, txn, &cursor, bdb->bi_db_opflags ); diff --git a/openldap-2.4.22-ldif_h.patch b/openldap-2.4.22-ldif_h.patch deleted file mode 100644 index ebf1c0b..0000000 --- a/openldap-2.4.22-ldif_h.patch +++ /dev/null @@ -1,22 +0,0 @@ ---- openldap-2.4.22/include/Makefile.in.orig 2010-06-03 07:38:29.000000000 -0600 -+++ openldap-2.4.22/include/Makefile.in 2010-06-03 07:39:21.000000000 -0600 -@@ -15,17 +15,18 @@ - - all-local: ldap_config.h FORCE - - install-local: FORCE - -$(MKDIR) $(DESTDIR)$(includedir) - for header in $(srcdir)/lber.h lber_types.h \ - $(srcdir)/ldap.h $(srcdir)/ldap_cdefs.h \ - $(srcdir)/ldap_schema.h $(srcdir)/ldap_utf8.h \ -- $(srcdir)/slapi-plugin.h ldap_features.h; \ -+ $(srcdir)/slapi-plugin.h ldap_features.h \ -+ $(srcdir)/ldif.h ; \ - do \ - $(INSTALL) $(INSTALLFLAGS) -m 644 $$header $(DESTDIR)$(includedir); \ - done - - clean-local: FORCE - $(RM) ldap_config.h - - veryclean-local: clean-local FORCE diff --git a/openldap-2.4.22-libldif.patch b/openldap-2.4.22-libldif.patch deleted file mode 100644 index d5f3e91..0000000 --- a/openldap-2.4.22-libldif.patch +++ /dev/null 
@@ -1,66 +0,0 @@ ---- openldap-2.4.22/libraries/liblutil/Makefile.in.orig 2010-06-03 10:57:01.000000000 -0600 -+++ openldap-2.4.22/libraries/liblutil/Makefile.in 2010-06-03 10:59:29.000000000 -0600 -@@ -9,16 +9,19 @@ - ## modification, are permitted only as authorized by the OpenLDAP - ## Public License. - ## - ## A copy of this license is available in the file LICENSE in the - ## top-level directory of the distribution or, alternatively, at - ## . - - LIBRARY = liblutil.a -+ -+SHAREDLIB = libldif.la -+ - PROGRAM = testavl - - LDAP_INCDIR= ../../include - LDAP_LIBDIR= ../../libraries - - NT_SRCS = ntservice.c - NT_OBJS = ntservice.o slapdmsg.res - -@@ -35,16 +38,18 @@ - @LIBSRCS@ $(@PLAT@_SRCS) - - OBJS = base64.o entropy.o sasl.o signal.o hash.o passfile.o \ - md5.o passwd.o sha1.o getpass.o lockf.o utils.o uuid.o sockpair.o \ - avl.o tavl.o ldif.o fetch.o \ - meter.o \ - @LIBOBJS@ $(@PLAT@_OBJS) - -+SHAREDLIBOBJS = ldif.lo fetch.lo -+ - testavl: $(XLIBS) testavl.o - (LTLINK) -o $@ testavl.o $(LIBS) - - testtavl: $(XLIBS) testtavl.o - (LTLINK) -o $@ testtavl.o $(LIBS) - - # These rules are for a Mingw32 build, specifically. - # It's ok for them to be here because the clean rule is harmless, and -@@ -54,8 +59,24 @@ - @if [ ! -f $@ ]; then cp $(srcdir)/$@ .; fi - - slapdmsg.res: slapdmsg.rc slapdmsg.bin - windres $< -O coff -o $@ - - clean-local: - $(RM) *.res - -+all-local: $(SHAREDLIB) -+ -+.SUFFIXES: .c .o .lo -+ -+.c.lo: -+ $(LTCOMPILE_LIB) $< -+ -+$(LIBRARY): $(SHAREDLIBOBJS) version.lo -+ -+$(SHAREDLIB): $(SHAREDLIBOBJS) version.lo -+ $(LTLINK_LIB) -o $(SHAREDLIB) $(SHAREDLIBOBJS) version.lo $(LINK_LIBS) -+ -+install-local: FORCE -+ -$(MKDIR) $(DESTDIR)$(libdir) -+ $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(SHAREDLIB) $(DESTDIR)$(libdir) -+ $(LTFINISH) $(DESTDIR)$(libdir) diff --git a/openldap-2.4.22-modrdn-segfault.patch b/openldap-2.4.22-modrdn-segfault.patch deleted file mode 100644 index ed46756..0000000 --- a/openldap-2.4.22-modrdn-segfault.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -bz #605448 CVE-2010-0211 openldap: modrdn processing uninitialized pointer free -bz #605452 CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference - -diff -urp openldap-2.4.22/servers/slapd/dn.c openldap-2.4.22.new/servers/slapd/dn.c ---- openldap-2.4.22/servers/slapd/dn.c 2010-04-13 22:23:14.000000000 +0200 -+++ openldap-2.4.22.new/servers/slapd/dn.c 2010-07-19 17:57:51.974346501 +0200 -@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f - ava->la_attr = ad->ad_cname; - - if( ava->la_flags & LDAP_AVA_BINARY ) { -- if( ava->la_value.bv_len == 0 ) { -- /* BER encoding is empty */ -- return LDAP_INVALID_SYNTAX; -- } -+ /* AVA is binary encoded, not supported */ -+ return LDAP_INVALID_SYNTAX; - - /* Do not allow X-ORDERED 'VALUES' naming attributes */ - } else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) { - return LDAP_INVALID_SYNTAX; - -- /* AVA is binary encoded, don't muck with it */ - } else if( flags & SLAP_LDAPDN_PRETTY ) { - transf = ad->ad_type->sat_syntax->ssyn_pretty; - if( !transf ) { -@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f - ava->la_value = bv; - ava->la_flags |= LDAP_AVA_FREE_VALUE; - } -+ /* reject empty values */ -+ if (!ava->la_value.bv_len) { -+ return LDAP_INVALID_SYNTAX; -+ } - } - rc = LDAP_SUCCESS; - -diff -urp openldap-2.4.22/servers/slapd/modrdn.c openldap-2.4.22.new/servers/slapd/modrdn.c ---- openldap-2.4.22/servers/slapd/modrdn.c 2010-04-13 22:23:16.000000000 +0200 -+++ openldap-2.4.22.new/servers/slapd/modrdn.c 2010-07-19 17:57:51.975346274 +0200 -@@ -445,12 +445,19 @@ slap_modrdn2mods( - mod_tmp->sml_values[1].bv_val = NULL; - if( desc->ad_type->sat_equality->smr_normalize) { - mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) ); -- (void) (*desc->ad_type->sat_equality->smr_normalize)( -+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize( - SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX, - desc->ad_type->sat_syntax, - 
desc->ad_type->sat_equality, - &mod_tmp->sml_values[0], - &mod_tmp->sml_nvalues[0], NULL ); -+ if (rs->sr_err != LDAP_SUCCESS) { -+ ch_free(mod_tmp->sml_nvalues); -+ ch_free(mod_tmp->sml_values[0].bv_val); -+ ch_free(mod_tmp->sml_values); -+ ch_free(mod_tmp); -+ goto done; -+ } - mod_tmp->sml_nvalues[1].bv_val = NULL; - } else { - mod_tmp->sml_nvalues = NULL; -diff -urp openldap-2.4.22/servers/slapd/schema_init.c openldap-2.4.22.new/servers/slapd/schema_init.c ---- openldap-2.4.22/servers/slapd/schema_init.c 2010-04-14 20:12:15.000000000 +0200 -+++ openldap-2.4.22.new/servers/slapd/schema_init.c 2010-07-19 17:57:51.978346712 +0200 -@@ -1735,8 +1735,9 @@ UTF8StringNormalize( - ? LDAP_UTF8_APPROX : 0; - - val = UTF8bvnormalize( val, &tmp, flags, ctx ); -+ /* out of memory or syntax error, the former is unlikely */ - if( val == NULL ) { -- return LDAP_OTHER; -+ return LDAP_INVALID_SYNTAX; - } - - /* collapse spaces (in place) */ diff --git a/openldap-2.4.6-multilib.patch b/openldap-2.4.6-multilib.patch deleted file mode 100644 index 5622963..0000000 --- a/openldap-2.4.6-multilib.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff -up openldap-2.4.11/doc/man/man8/slapd.8.patch9 openldap-2.4.11/doc/man/man8/slapd.8 ---- openldap-2.4.11/doc/man/man8/slapd.8.patch9 2008-02-12 00:26:40.000000000 +0100 -+++ openldap-2.4.11/doc/man/man8/slapd.8 2008-09-01 09:57:09.000000000 +0200 -@@ -5,7 +5,7 @@ - .SH NAME - slapd \- Stand-alone LDAP Daemon - .SH SYNOPSIS --.B LIBEXECDIR/slapd -+.B slapd - [\c - .BR \-4 | \-6 ] - [\c -@@ -312,7 +312,7 @@ on voluminous debugging which will be pr - .LP - .nf - .ft tt -- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 -+ slapd -f /var/tmp/slapd.conf -d 255 - .ft - .fi - .LP -@@ -320,7 +320,7 @@ To test whether the configuration file i - .LP - .nf - .ft tt -- LIBEXECDIR/slapd \-Tt -+ slapd -Tt - .ft - .fi - .LP diff --git a/openldap-2.4.6-nosql.patch b/openldap-2.4.6-nosql.patch deleted file mode 100644 index a3e4c64..0000000 
--- a/openldap-2.4.6-nosql.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openldap-2.4.11/build/top.mk.patch6 openldap-2.4.11/build/top.mk ---- openldap-2.4.11/build/top.mk.patch6 2008-02-12 00:26:38.000000000 +0100 -+++ openldap-2.4.11/build/top.mk 2008-09-01 09:57:09.000000000 +0200 -@@ -199,7 +199,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@ - SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@ - SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@ - --SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) -+SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_SLP_LIBS@ $(ICU_LIBS) - - # Our Defaults - CC = $(AC_CC) diff --git a/openldap-2.4.6-pie.patch b/openldap-2.4.6-pie.patch deleted file mode 100644 index 0e2f1c4..0000000 --- a/openldap-2.4.6-pie.patch +++ /dev/null @@ -1,16 +0,0 @@ -Build both slapd as position-independent executables. This really -should be threaded into the various autotools, but I guess this is what we have -until that happens, if it happens. - -diff -up openldap-2.4.11/servers/slapd/Makefile.in.patch4 openldap-2.4.11/servers/slapd/Makefile.in ---- openldap-2.4.11/servers/slapd/Makefile.in.patch4 2008-02-12 00:26:43.000000000 +0100 -+++ openldap-2.4.11/servers/slapd/Makefile.in 2008-09-01 09:57:09.000000000 +0200 -@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a - cp slapi/.libs/libslapi.a . - - slapd: $(SLAPD_DEPENDS) @LIBSLAPI@ -- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \ -+ $(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \ - $(WRAP_LIBS) - $(RM) $(SLAPTOOLS) - for i in $(SLAPTOOLS); do \ diff --git a/openldap-2.4.6-evolution-ntlm.patch b/openldap-evolution-ntlm.patch similarity index 82% rename from openldap-2.4.6-evolution-ntlm.patch rename to openldap-evolution-ntlm.patch index 33ff29e..b84a92f 100644 --- a/openldap-2.4.6-evolution-ntlm.patch +++ b/openldap-evolution-ntlm.patch 
@@ -1,7 +1,10 @@ -diff -up evo-openldap-2.4.14/include/ldap.h.evolution-ntlm evo-openldap-2.4.14/include/ldap.h ---- evo-openldap-2.4.14/include/ldap.h.evolution-ntlm 2009-01-27 00:29:53.000000000 +0100 -+++ evo-openldap-2.4.14/include/ldap.h 2009-02-17 10:10:00.000000000 +0100 -@@ -2461,5 +2461,26 @@ ldap_parse_deref_control LDAP_P(( +Get rid of this patch as soon as possible. +More details are provided in README.evolution + +diff -uNPrp openldap-2.4.23.old/include/ldap.h openldap-2.4.23.new/include/ldap.h +--- openldap-2.4.23.old/include/ldap.h 2010-06-10 20:48:36.000000000 +0200 ++++ openldap-2.4.23.new/include/ldap.h 2010-08-24 18:17:46.306679878 +0200 +@@ -2487,5 +2487,26 @@ ldap_parse_deref_control LDAP_P(( LDAPControl **ctrls, LDAPDerefRes **drp )); @@ -28,9 +31,9 @@ diff -up evo-openldap-2.4.14/include/ldap.h.evolution-ntlm evo-openldap-2.4.14/i + LDAP_END_DECL #endif /* _LDAP_H */ -diff -up evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm evo-openldap-2.4.14/libraries/libldap/Makefile.in ---- evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm 2009-01-27 00:29:53.000000000 +0100 -+++ evo-openldap-2.4.14/libraries/libldap/Makefile.in 2009-02-17 10:10:00.000000000 +0100 +diff -uNPrp openldap-2.4.23.old/libraries/libldap/Makefile.in openldap-2.4.23.new/libraries/libldap/Makefile.in +--- openldap-2.4.23.old/libraries/libldap/Makefile.in 2010-04-13 22:22:55.000000000 +0200 ++++ openldap-2.4.23.new/libraries/libldap/Makefile.in 2010-08-24 18:17:46.306679878 +0200 @@ -20,7 +20,7 @@ PROGRAMS = apitest dntest ftest ltest ur SRCS = bind.c open.c result.c error.c compare.c search.c \ controls.c messages.c references.c extended.c cyrus.c \ 
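Review bot: The new header of openldap-evolution-ntlm.patch sends the reader to `README.evolution` for details, but that file is not among the 27 files in this commit's diffstat, so either it already exists in the repository or the reference dangles; worth confirming before merge. The line `Get rid of this patch as soon as possible.` would be more useful if it said what blocks removal, for instance which upstream ITS or Evolution change would make the NTLM bind extension unnecessary, in the `Upstream:`/`Author:` trailer style the other rewritten headers in this commit use. The remaining hunks of this file only refresh the diff prefixes and timestamps to openldap-2.4.23, as far as the visible context shows.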
@@ -49,9 +52,9 @@ diff -up evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm evo-op filter.lo free.lo sort.lo passwd.lo whoami.lo \ getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \ -diff -up /dev/null evo-openldap-2.4.14/libraries/libldap/ntlm.c ---- /dev/null 2009-02-17 09:19:52.829004420 +0100 -+++ evo-openldap-2.4.14/libraries/libldap/ntlm.c 2009-02-17 10:10:00.000000000 +0100 +diff -uNPrp openldap-2.4.23.old/libraries/libldap/ntlm.c openldap-2.4.23.new/libraries/libldap/ntlm.c +--- openldap-2.4.23.old/libraries/libldap/ntlm.c 1970-01-01 01:00:00.000000000 +0100 ++++ openldap-2.4.23.new/libraries/libldap/ntlm.c 2010-08-24 18:17:46.330680333 +0200 @@ -0,0 +1,137 @@ +/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ +/* diff --git a/openldap-export-ldif.patch b/openldap-export-ldif.patch new file mode 100644 index 0000000..5accb41 --- /dev/null +++ b/openldap-export-ldif.patch 
@@ -0,0 +1,61 @@ +Patch exposes LDIF reading/writing API. This change is required to replace +mozldap with openldap in FreeIPA project. + +Upstream: ITS #6194 +Author: Rich Megginson + +diff -uNPrp openldap-2.4.23.old/include/Makefile.in openldap-2.4.23.new/include/Makefile.in +--- openldap-2.4.23.old/include/Makefile.in 2010-04-13 22:22:47.000000000 +0200 ++++ openldap-2.4.23.new/include/Makefile.in 2010-08-19 17:40:29.073805139 +0200 +@@ -20,7 +20,8 @@ install-local: FORCE + for header in $(srcdir)/lber.h lber_types.h \ + $(srcdir)/ldap.h $(srcdir)/ldap_cdefs.h \ + $(srcdir)/ldap_schema.h $(srcdir)/ldap_utf8.h \ +- $(srcdir)/slapi-plugin.h ldap_features.h; \ ++ $(srcdir)/slapi-plugin.h ldap_features.h \ ++ $(srcdir)/ldif.h ; \ + do \ + $(INSTALL) $(INSTALLFLAGS) -m 644 $$header $(DESTDIR)$(includedir); \ + done +diff -uNPrp openldap-2.4.23.old/libraries/liblutil/Makefile.in openldap-2.4.23.new/libraries/liblutil/Makefile.in +--- openldap-2.4.23.old/libraries/liblutil/Makefile.in 2010-04-19 18:53:01.000000000 +0200 ++++ openldap-2.4.23.new/libraries/liblutil/Makefile.in 2010-08-19 17:40:20.424679962 +0200 +@@ -14,6 +14,9 @@ + ## . + + LIBRARY = liblutil.a ++ ++SHAREDLIB = libldif.la ++ + PROGRAM = testavl + + LDAP_INCDIR= ../../include +@@ -40,6 +43,8 @@ OBJS = base64.o entropy.o sasl.o signal. + meter.o \ + @LIBOBJS@ $(@PLAT@_OBJS) + ++SHAREDLIBOBJS = ldif.lo fetch.lo ++ + testavl: $(XLIBS) testavl.o + (LTLINK) -o $@ testavl.o $(LIBS) + +@@ -59,3 +64,19 @@ slapdmsg.res: slapdmsg.rc slapdmsg.bin + clean-local: + $(RM) *.res + ++all-local: $(SHAREDLIB) ++ ++.SUFFIXES: .c .o .lo ++ ++.c.lo: ++ $(LTCOMPILE_LIB) $< ++ ++$(LIBRARY): $(SHAREDLIBOBJS) version.lo ++ ++$(SHAREDLIB): $(SHAREDLIBOBJS) version.lo ++ $(LTLINK_LIB) -o $(SHAREDLIB) $(SHAREDLIBOBJS) version.lo $(LINK_LIBS) ++ ++install-local: FORCE ++ -$(MKDIR) $(DESTDIR)$(libdir) ++ $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(SHAREDLIB) $(DESTDIR)$(libdir) ++ $(LTFINISH) $(DESTDIR)$(libdir) 
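Review bot: The new openldap-export-ldif.patch installs ldif.h as a public header and builds liblutil's ldif.o/fetch.o into an installed libldif.la, but its header records only the FreeIPA motivation and the ITS number, not that a previously internal interface becomes part of the package's ABI surface that later rebases must keep stable. I would add a sentence such as `Note: libldif and ldif.h become public; keep the exported symbol set in sync with upstream ITS #6194 when rebasing.` The added rule `$(LIBRARY): $(SHAREDLIBOBJS) version.lo` has no recipe, presumably to order the libtool objects before the static archive; a one-line Makefile comment stating that would spare the next reader a guess. Nothing in the hunk defines version.lo, so it presumably comes from OpenLDAP's shared build rules — worth confirming on a clean build.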
diff --git a/openldap-ldaprc-currentdir.patch b/openldap-ldaprc-currentdir.patch new file mode 100644 index 0000000..625382b --- /dev/null +++ b/openldap-ldaprc-currentdir.patch @@ -0,0 +1,19 @@ +Disables opening of ldaprc file in current directory. + +Resolves: #38402 +Upstream: ITS #1131 +Author: Henning Schmiedehausen + +diff -u -uNPrp openldap-2.4.23.old/libraries/libldap/init.c openldap-2.4.23.new/libraries/libldap/init.c +--- openldap-2.4.23.old/libraries/libldap/init.c 2010-04-13 22:22:57.000000000 +0200 ++++ openldap-2.4.23.new/libraries/libldap/init.c 2010-08-24 15:34:27.780680598 +0200 +@@ -346,9 +346,6 @@ static void openldap_ldap_init_w_usercon + if(path != NULL) { + LDAP_FREE(path); + } +- +- /* try file */ +- openldap_ldap_init_w_conf(file, 1); + } + + static void openldap_ldap_init_w_env( diff --git a/openldap-manpages.patch b/openldap-manpages.patch new file mode 100644 index 0000000..4916d65 --- /dev/null +++ b/openldap-manpages.patch 
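Review bot: The header of the new openldap-ldaprc-currentdir.patch says what the change does but not why, and the reason is the security property a future rebaser needs to preserve: with the `/* try file */` call removed, libldap no longer reads an `ldaprc` from the process's current working directory, so a directory the user does not control cannot supply client settings (server URI, TLS options) to every libldap-based program started from it. I would extend the first header line to `Disables opening of ldaprc file in current directory, so that a config file in an untrusted cwd cannot override client settings for any libldap program started there.` The `$HOME`-relative lookups that precede the removed call lie outside the hunk and presumably remain, and openldap_ldap_init_w_userconf itself starts before the hunk. The old openldap-2.0.11-ldaprc.patch deleted by this commit carried no description either, so this is the first place the rationale can be recorded.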
@@ -0,0 +1,103 @@ +Various manual pages changes: +* removes LIBEXECDIR from slapd.8 +* removes references to non-existing manpages (bz 624616) + +diff -uNPrp openldap-2.4.23.old/doc/man/man1/ldapmodify.1 openldap-2.4.23.new/doc/man/man1/ldapmodify.1 +--- openldap-2.4.23.old/doc/man/man1/ldapmodify.1 2010-04-13 22:22:36.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man1/ldapmodify.1 2010-08-19 17:42:10.256805450 +0200 +@@ -364,9 +364,7 @@ exit status and a diagnostic message bei + .BR ldap_add_ext (3), + .BR ldap_delete_ext (3), + .BR ldap_modify_ext (3), +-.BR ldap_modrdn_ext (3), +-.BR ldif (5), +-.BR slapd.replog (5) ++.BR ldif (5) + .SH AUTHOR + The OpenLDAP Project + .SH ACKNOWLEDGEMENTS +diff -uNPrp openldap-2.4.23.old/doc/man/man5/ldap.conf.5 openldap-2.4.23.new/doc/man/man5/ldap.conf.5 +--- openldap-2.4.23.old/doc/man/man5/ldap.conf.5 2010-04-13 22:22:41.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man5/ldap.conf.5 2010-08-19 17:43:25.312805428 +0200 +@@ -317,6 +317,7 @@ certificates in separate individual file + .B TLS_CACERT + is always used before + .B TLS_CACERTDIR. ++The specified directory must be managed with the OpenSSL c_rehash utility. + This parameter is ignored with GNUtls. + .TP + .B TLS_CERT +diff -uNPrp openldap-2.4.23.old/doc/man/man5/ldif.5 openldap-2.4.23.new/doc/man/man5/ldif.5 +--- openldap-2.4.23.old/doc/man/man5/ldif.5 2010-04-13 22:22:41.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man5/ldif.5 2010-08-19 17:42:10.256805450 +0200 +@@ -270,8 +270,7 @@ commands. + .BR ldapmodify (1), + .BR slapadd (8), + .BR slapcat (8), +-.BR slapd\-ldif (5), +-.BR slapd.replog (5). ++.BR slapd\-ldif (5). + .LP + "LDAP Data Interchange Format," Good, G., RFC 2849. 
+ .SH ACKNOWLEDGEMENTS +diff -uNPrp openldap-2.4.23.old/doc/man/man5/slapd-config.5 openldap-2.4.23.new/doc/man/man5/slapd-config.5 +--- openldap-2.4.23.old/doc/man/man5/slapd-config.5 2010-06-10 19:17:53.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man5/slapd-config.5 2010-08-19 17:42:10.258805346 +0200 +@@ -1995,7 +1995,6 @@ default slapd configuration directory + .BR slapd.conf (5), + .BR slapd.overlays (5), + .BR slapd.plugin (5), +-.BR slapd.replog (5), + .BR slapd (8), + .BR slapacl (8), + .BR slapadd (8), +diff -uNPrp openldap-2.4.23.old/doc/man/man5/slapd.conf.5 openldap-2.4.23.new/doc/man/man5/slapd.conf.5 +--- openldap-2.4.23.old/doc/man/man5/slapd.conf.5 2010-04-16 20:05:07.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man5/slapd.conf.5 2010-08-19 17:42:10.261805644 +0200 +@@ -1927,7 +1927,6 @@ default slapd configuration file + .BR slapd.backends (5), + .BR slapd.overlays (5), + .BR slapd.plugin (5), +-.BR slapd.replog (5), + .BR slapd (8), + .BR slapacl (8), + .BR slapadd (8), +diff -uNPrp openldap-2.4.23.old/doc/man/man8/slapd.8 openldap-2.4.23.new/doc/man/man8/slapd.8 +--- openldap-2.4.23.old/doc/man/man8/slapd.8 2010-04-13 22:22:46.000000000 +0200 ++++ openldap-2.4.23.new/doc/man/man8/slapd.8 2010-08-19 17:44:19.996680613 +0200 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B slapd + [\c + .BR \-4 | \-6 ] + [\c +@@ -301,7 +301,7 @@ the LDAP databases defined in the defaul + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ slapd + .ft + .fi + .LP +@@ -312,7 +312,7 @@ on voluminous debugging which will be pr + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ slapd -f /var/tmp/slapd.conf -d 255 + .ft + .fi + .LP +@@ -320,7 +320,7 @@ To test whether the configuration file i + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ slapd -Tt + .ft + .fi + .LP 
diff --git a/openldap-2.4.23-selfsignedcacert.patch b/openldap-nss-ca-selfsigned.patch similarity index 96% rename from openldap-2.4.23-selfsignedcacert.patch rename to openldap-nss-ca-selfsigned.patch index 52d91d9..071eaf0 100644 --- a/openldap-2.4.23-selfsignedcacert.patch +++ b/openldap-nss-ca-selfsigned.patch @@ -1,5 +1,8 @@ #614545 Mozilla NSS - support use of self signed CA certs as server certs -upstream: http://www.openldap.org/its/index.cgi issue 6589 + +Resolves: #614545 +Upstream: ITS #6589 +Author: Rich Megginson diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c --- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200 diff --git a/openldap-2.4.22-initauthtoken.patch b/openldap-nss-delay-token-auth.patch similarity index 89% rename from openldap-2.4.22-initauthtoken.patch rename to openldap-nss-delay-token-auth.patch index 69a2e08..1b8e25f 100644 --- a/openldap-2.4.22-initauthtoken.patch +++ b/openldap-nss-delay-token-auth.patch @@ -1,5 +1,8 @@ -#616552 Mozilla NSS - delay token auth until needed -upstream: http://www.openldap.org/its/index.cgi issue 6595 +Mozilla NSS - delay token auth until needed + +Resolves: #616552 +Upstream: ITS #6595 +Author: Rich Megginson diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c --- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200 diff --git a/openldap-2.3.19-gethostbyXXXX_r.patch b/openldap-reentrant-gethostby.patch similarity index 69% rename from openldap-2.3.19-gethostbyXXXX_r.patch rename to openldap-reentrant-gethostby.patch index 7fc9727..03bb485 100644 --- a/openldap-2.3.19-gethostbyXXXX_r.patch +++ b/openldap-reentrant-gethostby.patch 
@@ -2,11 +2,14 @@ The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for example if libldap needs to be initialized from within gethostbyXXXX() (which actually happens if nss_ldap is used for hostname resolution and earlier modules can't resolve the local host name), so use the reentrant versions of -the functions, even if we're not being compiled for use in libldap_r (patch -from Jeffery Layton, #179730). -diff -up openldap-2.4.11/libraries/libldap/util-int.c.patch7 openldap-2.4.11/libraries/libldap/util-int.c ---- openldap-2.4.11/libraries/libldap/util-int.c.patch7 2008-02-12 00:26:41.000000000 +0100 -+++ openldap-2.4.11/libraries/libldap/util-int.c 2008-09-01 09:57:09.000000000 +0200 +the functions, even if we're not being compiled for use in libldap_r + +Resolves: #179730 +Author: Jeffery Layton + +diff -uNPrp openldap-2.4.23.old/libraries/libldap/util-int.c openldap-2.4.23.new/libraries/libldap/util-int.c +--- openldap-2.4.23.old/libraries/libldap/util-int.c 2010-04-19 18:53:01.000000000 +0200 ++++ openldap-2.4.23.new/libraries/libldap/util-int.c 2010-08-19 17:47:52.456805354 +0200 @@ -52,8 +52,8 @@ extern int h_errno; #ifndef LDAP_R_COMPILE # undef HAVE_REENTRANT_FUNCTIONS @@ -18,7 +21,7 @@ diff -up openldap-2.4.11/libraries/libldap/util-int.c.patch7 openldap-2.4.11/lib #else # include -@@ -110,7 +110,7 @@ char *ldap_pvt_ctime( const time_t *tp, +@@ -330,7 +330,7 @@ ldap_pvt_csnstr(char *buf, size_t len, u #define BUFSTART (1024-32) #define BUFMAX (32*1024-32) diff --git a/openldap-security-pie.patch b/openldap-security-pie.patch new file mode 100644 index 0000000..338c9e6 --- /dev/null +++ b/openldap-security-pie.patch 
@@ -0,0 +1,17 @@ +Build slapd as position-independent executable (PIE) to take an advantage of +address space layout randomization (ASLD). + +Author: Thomas Woerner + +diff -uNPrp openldap-2.4.23.old/servers/slapd/Makefile.in openldap-2.4.23.new/servers/slapd/Makefile.in +--- openldap-2.4.23.old/servers/slapd/Makefile.in 2010-04-13 22:23:09.000000000 +0200 ++++ openldap-2.4.23.new/servers/slapd/Makefile.in 2010-08-24 15:09:08.999680712 +0200 +@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a + cp slapi/.libs/libslapi.a . + + slapd: $(SLAPD_DEPENDS) @LIBSLAPI@ +- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \ ++ $(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \ + $(WRAP_LIBS) + $(RM) $(SLAPTOOLS) + for i in $(SLAPTOOLS); do \ diff --git a/openldap-2.4.6-config.patch b/openldap-slapd-conf.patch similarity index 92% rename from openldap-2.4.6-config.patch rename to openldap-slapd-conf.patch index 0c8913d..843049f 100644 --- a/openldap-2.4.6-config.patch +++ b/openldap-slapd-conf.patch @@ -1,6 +1,8 @@ -diff -up openldap-2.4.11/servers/slapd/slapd.conf.config openldap-2.4.11/servers/slapd/slapd.conf ---- openldap-2.4.11/servers/slapd/slapd.conf.config 2007-02-13 21:22:22.000000000 +0100 -+++ openldap-2.4.11/servers/slapd/slapd.conf 2008-10-09 16:13:52.000000000 +0200 +Updates initial slapd configuration. + +diff -urNPp openldap-2.4.23.old/servers/slapd/slapd.conf openldap-2.4.23.new/servers/slapd/slapd.conf +--- openldap-2.4.23.old/servers/slapd/slapd.conf 2007-02-13 21:22:22.000000000 +0100 ++++ openldap-2.4.23.new/servers/slapd/slapd.conf 2010-08-19 15:45:05.835681213 +0200 @@ -2,22 +2,57 @@ # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. diff --git a/openldap-2.3.37-smbk5pwd.patch b/openldap-smbk5pwd-overlay.patch similarity index 55% rename from openldap-2.3.37-smbk5pwd.patch rename to openldap-smbk5pwd-overlay.patch index b15c6c0..366ce50 100644 --- a/openldap-2.3.37-smbk5pwd.patch 
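Review bot: The patch header's `address space layout randomization (ASLD)` should read `(ASLR)`, and it should state the coupling that makes `-pie` work here: a PIE link only succeeds with position-independent objects, which this build gets from the `-fPIC` the spec's %build exports in CFLAGS, so a later CFLAGS edit can silently break this patch. `-Wl,-z,defs` has nothing to do with PIE (it turns unresolved symbols into a link-time error), so a second header sentence saying why it is added would help the next rebase. If the distribution's hardening flags do not already add it, `-Wl,-z,relro,-z,now` is the usual companion to `-pie` for a network daemon; worth a line in the header either way.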
+++ b/openldap-smbk5pwd-overlay.patch @@ -1,21 +1,24 @@ Compile smbk5pwd together with other overlays. -diff -up openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README.patch8 openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README ---- openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README.patch8 2005-11-12 16:18:09.000000000 +0100 -+++ openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README 2008-09-01 09:57:09.000000000 +0200 +Resolves: 550895 +Author: Jan Šafránek + +diff -urNPp openldap-2.4.23.old/contrib/slapd-modules/smbk5pwd/README openldap-2.4.23.new/contrib/slapd-modules/smbk5pwd/README +--- openldap-2.4.23.old/contrib/slapd-modules/smbk5pwd/README 2010-04-13 22:22:30.000000000 +0200 ++++ openldap-2.4.23.new/contrib/slapd-modules/smbk5pwd/README 2010-08-23 13:20:33.338687818 +0200 
@@ -1,3 +1,8 @@ -+*************************************************************** ++******************************************************* +Red Hat note: Kerberos support is NOT compiled into -+this version of smbk5pwd because we do not use Heimdall. -+*************************************************************** ++this version of smbk5pwd because we do not use Heimdal. ++******************************************************* + This directory contains a slapd overlay, smbk5pwd, that extends the PasswordModify Extended Operation to update Kerberos keys and Samba password hashes for an LDAP user. -diff -up openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 openldap-2.4.11/servers/slapd/overlays/Makefile.in ---- openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 2008-02-12 00:26:48.000000000 +0100 -+++ openldap-2.4.11/servers/slapd/overlays/Makefile.in 2008-09-01 09:57:09.000000000 +0200 -@@ -30,7 +30,8 @@ SRCS = overlays.c \ +diff -urNPp openldap-2.4.23.old/servers/slapd/overlays/Makefile.in openldap-2.4.23.new/servers/slapd/overlays/Makefile.in +--- openldap-2.4.23.old/servers/slapd/overlays/Makefile.in 2010-04-13 22:23:44.000000000 +0200 ++++ openldap-2.4.23.new/servers/slapd/overlays/Makefile.in 2010-08-23 13:20:33.338687818 +0200 +@@ -33,7 +33,8 @@ SRCS = overlays.c \ syncprov.c \ translucent.c \ unique.c \ @@ -25,7 +28,7 @@ diff -up openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 openldap-2.4. OBJS = statover.o \ @SLAPD_STATIC_OVERLAYS@ \ overlays.o -@@ -43,14 +44,14 @@ LTONLY_MOD = $(LTONLY_mod) +@@ -46,14 +47,14 @@ LTONLY_MOD = $(LTONLY_mod) LDAP_INCDIR= ../../../include LDAP_LIBDIR= ../../../libraries @@ -42,7 +45,7 @@ diff -up openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 openldap-2.4. XINCPATH = -I.. -I$(srcdir)/.. XDEFS = $(MODULES_CPPFLAGS) -@@ -113,6 +114,9 @@ unique.la : unique.lo +@@ -125,6 +126,9 @@ unique.la : unique.lo valsort.la : valsort.lo $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS) 
diff --git a/openldap-sql-linking.patch b/openldap-sql-linking.patch new file mode 100644 index 0000000..463e0da --- /dev/null +++ b/openldap-sql-linking.patch @@ -0,0 +1,15 @@ +Removes unnecessary linking of SQL libraries into slapd. This makes openldap-servers package +independent on libodbc. (SQL backend is packaged separately in openldap-servers-sql.) + +diff -uNPrp openldap-2.4.23.old/build/top.mk openldap-2.4.23.new/build/top.mk +--- openldap-2.4.23.old/build/top.mk 2010-04-13 22:22:22.000000000 +0200 ++++ openldap-2.4.23.new/build/top.mk 2010-08-25 15:58:18.477648731 +0200 +@@ -201,7 +201,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@ + SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@ + SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@ + +-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) ++SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS) + + # Our Defaults + CC = $(AC_CC) diff --git a/openldap-userconfig-setgid.patch b/openldap-userconfig-setgid.patch new file mode 100644 index 0000000..62c76b2 --- /dev/null +++ b/openldap-userconfig-setgid.patch @@ -0,0 +1,17 @@ +Normally, skips reading of user configuration file when running with different effective UID. +This patch adds the same behavior for GID. + +Author: Nalin Dahyabhai + +diff -uNPrp openldap-2.4.23.old/libraries/libldap/init.c openldap-2.4.23.new/libraries/libldap/init.c +--- openldap-2.4.23.old/libraries/libldap/init.c 2010-04-13 22:22:57.000000000 +0200 ++++ openldap-2.4.23.new/libraries/libldap/init.c 2010-08-24 17:25:07.207682002 +0200 +@@ -663,7 +663,7 @@ void ldap_int_initialize( struct ldapopt + openldap_ldap_init_w_sysconf(LDAP_CONF_FILE); + + #ifdef HAVE_GETEUID +- if ( geteuid() != getuid() ) ++ if ( geteuid() != getuid() || getegid() != getgid() ) + return; + #endif + diff --git a/openldap.spec b/openldap.spec index c1f5ba2..e1b0d93 100644 --- a/openldap.spec +++ b/openldap.spec 
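Review bot: The header of openldap-userconfig-setgid.patch describes the mechanism but not the reason, which is the security-relevant part: a process whose effective GID differs from its real GID (a setgid binary) must not honour a user-controlled ldaprc any more than a setuid one does, since that file configures the library's behaviour. Suggest replacing the first sentence with `Skip the user's ldaprc when the effective GID differs from the real GID (setgid binaries), matching the existing check on the effective UID.` The new `getegid()`/`getgid()` call now sits under the existing `#ifdef HAVE_GETEUID`, so the patch assumes getegid() is available wherever geteuid() is; fine on POSIX, but the header should say so. `ldap_int_initialize` begins before and continues after the hunk.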
@@ -1,59 +1,52 @@ -# We distribute own version of Berkeley DB to prevent -# problems on db4.rpm upgrade - some versions of db4 do -# not work with some versions of OpenLDAP. -%define db_version 4.8.26 +# TODO: add make test after build + %define ldbm_backend berkeley -%define version 2.4.22 %define evolution_connector_prefix %{_libdir}/evolution-openldap %define evolution_connector_includedir %{evolution_connector_prefix}/include %define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib} -Summary: LDAP support libraries Name: openldap -Version: %{version} -Release: 7%{?dist} -License: OpenLDAP +Version: 2.4.23 +Release: 1%{?dist} +Summary: LDAP support libraries Group: System Environment/Daemons -Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz -Source1: http://download.oracle.com/berkeley-db/db-%{db_version}.tar.gz -Source3: README.migration -Source4: ldap.init -Source5: migration-tools.txt -Source6: autofs.schema -Source7: README.upgrading -Source9: README.evolution -Source10: ldap.sysconfig - -# Patches for 2.4 -Patch0: openldap-2.4.6-config.patch -Patch1: openldap-2.0.11-ldaprc.patch -Patch2: openldap-2.2.13-setugid.patch -Patch3: openldap-2.4.6-pie.patch -Patch4: openldap-2.3.11-toollinks.patch -Patch5: openldap-2.4.6-nosql.patch -Patch6: openldap-2.3.19-gethostbyXXXX_r.patch -Patch9: openldap-2.3.37-smbk5pwd.patch -Patch10: openldap-2.4.6-multilib.patch -Patch11: openldap-2.4.16-doc-cacertdir.patch -Patch12: openldap-2.4.21-dn2id-segfault.patch -Patch13: openldap-2.4.22-ldif_h.patch -Patch14: openldap-2.4.22-libldif.patch -Patch15: openldap-2.4.22-modrdn-segfault.patch -Patch16: openldap-2.4.23-selfsignedcacert.patch -Patch17: openldap-2.4.22-initauthtoken.patch - -# Patches for the evolution library -Patch200: openldap-2.4.6-evolution-ntlm.patch - +License: OpenLDAP URL: http://www.openldap.org/ -BuildRoot: %{_tmppath}/%{name}-%{version}-root -BuildRequires: cyrus-sasl-devel >= 2.1, gdbm-devel, libtool >= 
1.5.6-2, krb5-devel -BuildRequires: openssl-devel, pam-devel, perl, pkgconfig, tcp_wrappers-devel, -BuildRequires: unixODBC-devel, libtool-ltdl-devel, groff -BuildRequires: nss-devel -Requires: glibc >= 2.2.3-48, mktemp -Obsoletes: compat-openldap < 2.4 +Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz +Source1: ldap.init +Source2: ldap.sysconfig +Source3: autofs.schema +Source4: migration-tools.txt +Source5: README.migration +Source6: README.upgrading +Source7: README.evolution +# patches for 2.4 +Patch0: openldap-slapd-conf.patch +Patch1: openldap-manpages.patch +Patch2: openldap-security-pie.patch +Patch3: openldap-sql-linking.patch +Patch4: openldap-reentrant-gethostby.patch +Patch5: openldap-export-ldif.patch +Patch6: openldap-smbk5pwd-overlay.patch +Patch7: openldap-ldaprc-currentdir.patch +Patch8: openldap-userconfig-setgid.patch + +# already merged upstream +Patch100: openldap-nss-ca-selfsigned.patch +Patch101: openldap-nss-delay-token-auth.patch + +# patches for the evolution library (see README.evolution) +Patch200: openldap-evolution-ntlm.patch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cyrus-sasl-devel >= 2.1, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel +BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl +# smbk5pwd overlay: +BuildRequires: openssl-devel + +Obsoletes: compat-openldap < 2.4 # provide ldif2ldbm functionality for migrationtools Provides: ldif2ldbm 
@@ -82,9 +75,12 @@ customized LDAP clients. %package servers Summary: LDAP server -# OpenLDAP server includes Berkeley DB library, which is licensed under Sleepycat and BSD licenses) -License: OpenLDAP and (Sleepycat and BSD) -Requires: fileutils, make, openldap = %{version}-%{release}, openssl, /usr/sbin/useradd, /usr/sbin/groupadd, /sbin/chkconfig, /sbin/runuser +License: OpenLDAP +Requires: openldap = %{version}-%{release}, openssl +Requires(pre): shadow-utils +Requires(post): chkconfig, /sbin/runuser, make +Requires(preun): chkconfig +BuildRequires: db4-devel >= 4.4, db4-devel <= 4.8 Group: System Environment/Daemons %description servers 
@@ -124,101 +120,74 @@ over the Internet. The openldap-clients package contains the client programs needed for accessing and modifying OpenLDAP directories. %prep -%setup -q -c -a 1 +%setup -q -c -a 0 + +# setup tree for openldap pushd openldap-%{version} + %patch0 -p1 -b .config -%patch1 -p1 -b .ldaprc -%patch2 -p1 -b .setugid -%patch3 -p1 -b .pie -%patch4 -p1 -b .toollinks -%patch5 -p1 -b .nosql -%patch6 -p1 -b .gethostbyname_r -%patch9 -p1 -b .smbk5pwd -%patch10 -p1 -b .multilib -%patch11 -p1 -b .cacertdir -%patch12 -p1 -b .segfault -%patch13 -p1 -b .ldif_h -%patch14 -p1 -b .libldif -%patch15 -p1 -b .modrdn-segfault -%patch16 -p1 -b .selfsignedcacert -%patch17 -p1 -b .initauthtoken +%patch1 -p1 -b .manpages +%patch2 -p1 -b .security-pie +%patch3 -p1 -b .sql-linking +%patch4 -p1 -b .reentrant-gethostby +%patch5 -p1 -b .export-ldif +%patch6 -p1 -b .smbk5pwd-overlay +%patch7 -p1 -b .ldaprc-currentdir +%patch8 -p1 -b .userconfig-setgid + +%patch100 -p1 -b .nss-ca-selfsigned +%patch101 -p1 -b .nss-delay-token-auth cp %{_datadir}/libtool/config/config.{sub,guess} build/ + +for subdir in build-servers build-clients ; do + mkdir $subdir + ln -s ../configure $subdir +done + +# build smbk5pwd with other overlays +ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays +mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd + popd -# Set up a build tree for a static version of libldap with the hooks for the -# non-standard NTLM bind type which is needed to connect to Win2k GC servers -# (Win2k3 supports SASL with DIGEST-MD5, so this shouldn't be needed for those -# servers, though as of version 1.4 the connector doesn't try SASL first). +# setup tree for openldap with evolution-specific patches + if ! 
cp -al openldap-%{version} evo-openldap-%{version} ; then - rm -fr evo-openldap-%{version} - cp -a openldap-%{version} evo-openldap-%{version} + rm -fr evo-openldap-%{version} + cp -a openldap-%{version} evo-openldap-%{version} fi pushd evo-openldap-%{version} %patch200 -p1 -b .evolution-ntlm popd -pushd openldap-%{version} - for subdir in build-servers build-clients ; do - mkdir $subdir - ln -s ../configure $subdir - done -# build smbk5pwd with other overlays -ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays -mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd -popd - %build -dbdir=`pwd`/db-instroot + libtool='%{_bindir}/libtool' -tagname=CC; export tagname +export tagname=CC %ifarch ia64 RPM_OPT_FLAGS="$RPM_OPT_FLAGS -O0" %endif -# Set CFLAGS to incorporate RPM_OPT_FLAGS. -CFLAGS="$RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS - -# Build Berkeley DB and install it into a temporary area, isolating OpenLDAP -# from any future changes to the system-wide Berkeley DB library. Version 4.2 -# or later is required by the BDB backend in OpenLDAP 2.1 and later. 
-install -d db-%{db_version}/build-rpm -pushd db-%{db_version}/build-rpm -../dist/configure -C \ - --with-pic \ - --disable-static \ - --enable-shared \ - --with-uniquename=_openldap_slapd_46 \ - --prefix=${dbdir} \ - --includedir=${dbdir}/include \ - --libdir=${dbdir}/%{_lib}${subdir:+/${subdir}} -# fix libtool: no rpath -perl -pi -e 's|hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=\"-L\\\$libdir\"|g;' libtool - -make %{_smp_mflags} libdb_base=libslapd_db libso_base=libslapd_db -make install libdb_base=libslapd_db libso_base=libslapd_db strip="false" -ln -sf libslapd_db.so ${dbdir}/%{_lib}/${subdir}/libdb.so -popd - -export CPPFLAGS="-I${dbdir}/include -I%_includedir/nss3 -I%_includedir/nspr4" -export CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -DLDAP_CONNECTIONLESS -fPIC -D_GNU_SOURCE -DHAVE_TLS -DHAVE_MOZNSS -DSLAPD_LMHASH" -export LDFLAGS="-L${dbdir}/%{_lib}" -export LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}} -MOZNSS_TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4" -export LIBS="$MOZNSS_TLS_LIBS" +export CPPFLAGS="-I%_includedir/nss3 -I%_includedir/nspr4" +export CFLAGS="$RPM_OPT_FLAGS $CPPFLAGS -fPIC -D_REENTRANT -DLDAP_CONNECTIONLESS -D_GNU_SOURCE -DHAVE_TLS -DHAVE_MOZNSS -DSLAPD_LMHASH" +export NSS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4" +export LIBS="" build() { + %configure \ --with-threads=posix \ \ - --enable-local --enable-rlookups \ + --enable-local \ + --enable-rlookups \ \ --with-tls=no \ --with-cyrus-sasl \ \ - --enable-wrappers \ + --with-wrappers \ \ --enable-passwd \ \ 
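Review bot: `%setup -q -c -a 0` appears to unpack Source0 twice: with `-c` the default unpack of Source0 already happens after the container directory is created, and `-a 0` unpacks it once more unless `-T` suppresses the default action. If the only intent is the container directory that `%setup -c` creates, `%setup -q -c` alone should do; harmless otherwise, but worth confirming against the build log before the next rebase copies it. The rest of the hunk (`export LIBS=""`, the `build()` helper) continues past the hunk's end.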
@@ -231,24 +200,27 @@ build() { \ --libexecdir=%{_libdir} \ $@ -# HACK HACK HACK -# openldap uses #include -# this doesn't work on fedora and similar which uses /usr/include/nss3 -# so we have to fake it out + +# allow #include and pushd include if [ ! -d nss ] ; then - ln -s %_includedir/nss3 nss + ln -s %{_includedir}/nss3 nss fi if [ ! -d nspr ] ; then - ln -s %_includedir/nspr4 nspr + ln -s %{_includedir}/nspr4 nspr fi popd + make %{_smp_mflags} LIBTOOL="$libtool" + } -# Build the servers with Kerberos support (for password checking, mainly). -LIBS="$LIBS -lpthread"; export LIBS -LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}; export LD_LIBRARY_PATH +# Kerberos support: +# - enabled in server (mainly for password checking) +# - disabled in clients (not needed, to avoid stray dependencies) + +# build servers +export LIBS="$NSS_LIBS -lpthread" pushd openldap-%{version}/build-servers build \ --enable-plugins \ @@ -273,12 +245,10 @@ build \ --disable-dynamic \ --with-kerberos=k5only \ --enable-overlays=mod -unset LIBS popd -# Build clients without Kerberos password-checking support, which is only -# useful in the server anyway, to avoid stray dependencies. -export LIBS="$MOZNSS_TLS_LIBS" +# build clients +export LIBS="$NSS_LIBS" pushd openldap-%{version}/build-clients build \ --disable-slapd \ @@ -288,8 +258,8 @@ build \ --with-pic popd -# Build evolution-specific clients just as we would normal clients, except with -# a different installation directory in mind and no shared libraries. +# build evolution-specific clients +# (specific patch, different installation directory, no shared libraries) pushd evo-openldap-%{version} build \ --disable-slapd \ 
@@ -303,224 +273,180 @@ build \ popd %install -[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT +rm -rf %{buildroot} libtool='%{_bindir}/libtool' -tagname=CC; export tagname +export tagname=CC -mkdir -p $RPM_BUILD_ROOT/%{_libdir}/ - -pushd db-instroot/%{_lib}/ -install -d $RPM_BUILD_ROOT/%{_libdir}/ -install -m755 libslapd_db-*.*.so $RPM_BUILD_ROOT/%{_libdir}/ -popd - -pushd db-%{db_version} -mv LICENSE LICENSE.bdb-backend -popd +mkdir -p %{buildroot}/%{_libdir}/ +# install servers pushd openldap-%{version}/build-servers -make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} LIBTOOL="$libtool" STRIP="" +make install DESTDIR=%{buildroot} \ + libdir=%{_libdir} \ + LIBTOOL="$libtool" \ + STRIP="" popd -# Install the bdb maintenance tools. -pushd db-instroot/bin -for binary in db_* ; do - install -m755 ${binary} $RPM_BUILD_ROOT/%{_sbindir}/slapd_${binary} -done -popd - -# Install clients and shared libraries. Install the evo-specific versions -# first so that any conflicting files are overwritten by generic versions. +# install evolution-specific clients (conflicting files will be overwriten by generic version) pushd evo-openldap-%{version} -make install DESTDIR=$RPM_BUILD_ROOT \ +make install DESTDIR=%{buildroot} \ includedir=%{evolution_connector_includedir} \ libdir=%{evolution_connector_libdir} \ LIBTOOL="$libtool" \ STRIP="" - -install -m644 %SOURCE9 \ - $RPM_BUILD_ROOT/%{evolution_connector_prefix}/ +install -m 644 %SOURCE7 \ + %{buildroot}/%{evolution_connector_prefix}/ popd + +# install clients pushd openldap-%{version}/build-clients -make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} LIBTOOL="$libtool" STRIP="" +make install DESTDIR=%{buildroot} \ + libdir=%{_libdir} \ + LIBTOOL="$libtool" \ + STRIP="" popd -# Create this directory so that authconfig setting TLS_CACERT to -# /etc/openldap/cacerts doesn't cause TLS startup of any kind to fail -# when the directory doesn't exist. 
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/openldap/cacerts -# make sure the certs directory exists -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs -# Touch the dummy slapd.pem to make rpmbuild happy -touch $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/slapd.pem +# setup directories for TLS certificates +mkdir -p %{buildroot}%{_sysconfdir}/openldap/cacerts +mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs -install -m 644 %SOURCE7 README.upgrading -install -m 644 %SOURCE3 README.migration +# install additional documentation +install -m 644 %SOURCE5 README.migration +install -m 644 %SOURCE6 README.upgrading -# Create the data directory. -mkdir -p $RPM_BUILD_ROOT/var/lib/ldap -# Create the new run directory -mkdir -p $RPM_BUILD_ROOT/var/run/openldap +# setup data and runtime directories +mkdir -p %{buildroot}/var/lib/ldap +mkdir -p %{buildroot}/var/run/openldap -# Hack the build root out of the default config files. -perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/*.conf +# remove build root from config files and manual pages +perl -pi -e "s|%{buildroot}||g" %{buildroot}/%{_sysconfdir}/openldap/*.conf +perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.* -# Get the buildroot out of the man pages. -perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/*/*.* +# we don't need the default files -- RPM handles changes +rm -f %{buildroot}/%{_sysconfdir}/openldap/*.default +rm -f %{buildroot}/%{_sysconfdir}/openldap/schema/*.default -# We don't need the default files -- RPM handles changes. -rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/*.default -rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/schema/*.default +# install an init script for the servers +mkdir -p %{buildroot}%{_sysconfdir}/rc.d/init.d +install -m 755 %SOURCE1 %{buildroot}%{_sysconfdir}/rc.d/init.d/slapd -# Install an init script for the servers. 
-mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d -install -m 755 %SOURCE4 $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/slapd +# install syconfig/ldap +mkdir -p %{buildroot}%{_sysconfdir}/sysconfig +install -m 644 %SOURCE2 %{buildroot}%{_sysconfdir}/sysconfig/ldap -# Install syconfig/ldap -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig -install -m 644 %SOURCE10 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/ldap +# add some more schema for the sake of migration scripts +install -d -m755 %{buildroot}%{_sysconfdir}/openldap/schema/redhat +install -m644 %SOURCE3 \ + %{buildroot}%{_sysconfdir}/openldap/schema/redhat/ -# Add some more schema for the sake of migration scripts. -install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat -install -m644 %SOURCE6 \ - $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat/ +# move slapd out of _libdir +mv %{buildroot}/%{_libdir}/slapd %{buildroot}/%{_sbindir}/ -# Move slapd and slurpd out of _libdir -mv $RPM_BUILD_ROOT/%{_libdir}/slapd $RPM_BUILD_ROOT/%{_sbindir}/ -rm -f $RPM_BUILD_ROOT/%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} -rm -f $RPM_BUILD_ROOT/%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} -for X in acl add auth cat dn index passwd test schema; do ln -s slapd $RPM_BUILD_ROOT/%{_sbindir}/slap$X ; done +# setup tools as symlinks to slapd +rm -f %{buildroot}/%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} +rm -f %{buildroot}/%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} +for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}/%{_sbindir}/slap$X ; done -# Tweak permissions on the libraries to make sure they're correct. 
-chmod 755 $RPM_BUILD_ROOT/%{_libdir}/lib*.so* -chmod 644 $RPM_BUILD_ROOT/%{_libdir}/lib*.*a +# tweak permissions on the libraries to make sure they're correct +chmod 755 %{buildroot}/%{_libdir}/lib*.so* +chmod 644 %{buildroot}/%{_libdir}/lib*.*a # slapd.conf(5) is obsoleted since 2.3, see slapd-config(5) # new configuration will be generated in %post -mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openldap-servers -mkdir $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d -mv $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.conf $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete -chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete +mkdir -p %{buildroot}/%{_datadir}/openldap-servers +mkdir %{buildroot}/%{_sysconfdir}/openldap/slapd.d +mv %{buildroot}/%{_sysconfdir}/openldap/slapd.conf %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete +chmod 0644 %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete -# Move doc files out of _sysconfdir -mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/README README.schema -mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example +# move doc files out of _sysconfdir +mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema +mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}/%{_datadir}/openldap-servers/DB_CONFIG.example chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh -chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example +chmod 0644 %{buildroot}/%{_datadir}/openldap-servers/DB_CONFIG.example -# Remove files which we don't want packaged. 
-rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la -rm -f $RPM_BUILD_ROOT/%{_libdir}/*.a -rm -f $RPM_BUILD_ROOT/%{evolution_connector_libdir}/*.la -rm -f $RPM_BUILD_ROOT/%{evolution_connector_libdir}/*.so* -rm -f $RPM_BUILD_ROOT/%{_libdir}/openldap/*.a -rm -f $RPM_BUILD_ROOT/%{_libdir}/openldap/*.so +# remove files which we don't want packaged +rm -f %{buildroot}/%{_libdir}/*.la +rm -f %{buildroot}/%{_libdir}/*.a +rm -f %{buildroot}/%{evolution_connector_libdir}/*.la +rm -f %{buildroot}/%{evolution_connector_libdir}/*.so* +rm -f %{buildroot}/%{_libdir}/openldap/*.a +rm -f %{buildroot}/%{_libdir}/openldap/*.so -rm -f $RPM_BUILD_ROOT%{_localstatedir}/openldap-data/DB_CONFIG.example -rmdir $RPM_BUILD_ROOT%{_localstatedir}/openldap-data +rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example +rmdir %{buildroot}%{_localstatedir}/openldap-data %clean -rm -rf $RPM_BUILD_ROOT +rm -rf %{buildroot} %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %pre servers -# Take care to only do ownership-changing if we're adding the user. -getent group ldap > /dev/null || \ -/usr/sbin/groupadd -r -g 55 ldap -if /usr/sbin/useradd -c "LDAP User" -u 55 -g ldap \ - -s /sbin/nologin -r -d /var/lib/ldap ldap 2> /dev/null ; then - if [ -d /var/lib/ldap ] ; then - for dbfile in /var/lib/ldap/* ; do - if [ -f $dbfile ] ; then - chown ldap:ldap $dbfile - fi - done - fi + +# create ldap user and group +getent group ldap >/dev/null || groupadd -r -g 55 ldap +if ! 
getent passwd ldap >/dev/null; then + useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "LDAP User" ldap + # setup ownership of database files + if [ -d /var/lib/ldap ] ; then + for dbfile in /var/lib/ldap/* ; do + if [ -f $dbfile ] ; then + chown ldap:ldap $dbfile + fi + done + fi fi -if [ "$1" = "2" ]; then - # guess, if database upgrade is necessary - OLD_BDB_VERSION=$( slapd_db_upgrade -V | sed 's/.* \([0-9\.]*\)\.[0-9]*:.*/\1/' ) - NEW_BDB_VERSION=$( echo %{db_version} | sed 's/.[0-9]*$//' ) +# upgrade +if [ $1 -eq 2 ]; then + # safe way to migrate the database if minor version number changed (2.x -> 2.y) + # http://www.openldap.org/doc/admin24/maintenance.html - OLD_SLAPD_VERSION=$( rpm -q --qf "%{VERSION}" openldap-servers | sed 's/\.[0-9]*$//' ) - NEW_SLAPD_VERSION=$( echo %{version} | sed 's/\.[0-9]*$//' ) - # we need to detect how is the init script named - # - in older versions ldap - # - in newer versions slapd - if [ -f %{_initrddir}/ldap ]; then - SERVICE_NAME=ldap - elif [ -f %{_initrddir}/slapd ]; then - SERVICE_NAME=slapd - fi + old_version=$(rpm -q --qf=%%{version} openldap-servers | sed 's/\.[0-9]*$//') + new_version=$(sed 's/\.[0-9]*$//' <<< %{version}) - if [ "$OLD_SLAPD_VERSION" != "$NEW_SLAPD_VERSION" ]; then - # Minor version number has changed -> slapcat/slapadd of the BDB database - # is necessary. Save an ldif of the database where the "% post servers" - # scriptlet can restore it. 
Also save the database files to a "rpmorig" - # directory - Just In Case (TM) + if [ "$old_version" != "$new_version" ]; then + pushd %{_sharedstatedir}/ldap - # stop the server - if /sbin/service $SERVICE_NAME status &>/dev/null; then - touch /var/lib/ldap/need_start - /sbin/service $SERVICE_NAME stop &>/dev/null - fi + # stop the service + if service slapd status &>/dev/null; then + touch need_start + service slapd stop + else + rm -f need_start + fi - files=$(echo /var/lib/ldap/{log.*,__db.*,[a]lock}) - if [ "$files" != '/var/lib/ldap/log.* /var/lib/ldap/__db.* /var/lib/ldap/[a]lock' ] ; then - if /usr/sbin/slapcat -l /var/lib/ldap/upgrade.ldif > /dev/null 2>&1 ; then - if [ -f /var/lib/ldap/upgrade.ldif ] ; then - /bin/rm -fr /var/lib/ldap/rpmorig > /dev/null 2>&1 || : - mkdir /var/lib/ldap/rpmorig - mv /var/lib/ldap/{alock,*.bdb,__db.*,log.*} /var/lib/ldap/rpmorig > /dev/null 2>&1 || : - cp -f /var/lib/ldap/DB_CONFIG /var/lib/ldap/rpmorig > /dev/null 2>&1 || : - else - /bin/rm -f /var/lib/ldap/upgrade.ldif - fi - fi - fi - else - if [ "$OLD_BDB_VERSION" != "$NEW_BDB_VERSION" ]; then - # Minor version number of bdb has changed -> run db_upgrade in % post script - - # stop the server - if /sbin/service $SERVICE_NAME status &>/dev/null; then - touch /var/lib/ldap/need_start - /sbin/service $SERVICE_NAME stop &>/dev/null - fi + if ls __db.* &>/dev/null; then + # export the database + if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then + slapcat -f %{_sysconfdir}/openldap/slapd.conf -l upgrade.ldif &>/dev/null + else + slapcat -F %{_sysconfdir}/openldap/slapd.d -l upgrade.ldif &>/dev/null + fi - # Ensure, that the database is correct - /sbin/runuser -m -s /usr/sbin/slapd_db_recover -- "ldap" -h /var/lib/ldap &>/dev/null - # Just create /var/lib/ldap/need_db_upgrade so % post knows - touch /var/lib/ldap/need_db_upgrade &>/dev/null - fi - fi + # backup the old database + if [ $? 
-eq 0 ]; then + rm -rf rpmorig + mv alock *.bdb __db.* log.* rpmorig &>/dev/null || : + cp -f rpmorig/DB_CONFIG . &>/dev/null || : + else + rm -f upgrade.ldif + fi + fi + + popd + fi fi + exit 0 %post servers + /sbin/ldconfig /sbin/chkconfig --add slapd -# If there's a /var/lib/ldap/upgrade.ldif file, slapadd it and delete it. -# It was created by the % pre above. -if [ -f /var/lib/ldap/upgrade.ldif ] ; then - /sbin/runuser -m -s /usr/sbin/slapadd -- "ldap" -l /var/lib/ldap/upgrade.ldif > /dev/null 2>&1 - rm -f /var/lib/ldap/upgrade.ldif -fi - -# If there's a /var/lib/ldap/need_db_upgrade file, run db_upgrade and delete it. -# It was created by the % pre above. -if [ -f /var/lib/ldap/need_db_upgrade ]; then - if ls /var/lib/ldap/*.bdb > /dev/null 2>&1; then - /sbin/runuser -m -s /usr/sbin/slapd_db_upgrade -- "ldap" -h /var/lib/ldap /var/lib/ldap/*.bdb - fi - /sbin/runuser -m -s /usr/sbin/slapd_db_checkpoint -- "ldap" -h /var/lib/ldap -1 - rm -f /var/lib/ldap/need_db_upgrade -fi +# generate sample TLS certificates if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1 umask 077 
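Review bot: In `%pre servers`, `rm -rf rpmorig` is no longer followed by `mkdir rpmorig` (the removed code had it), so `mv alock *.bdb __db.* log.* rpmorig` with several sources fails for want of a target directory, the failure is hidden by `&>/dev/null || :`, and the old database files stay in place for the `slapadd` that `%post` later runs; add `mkdir rpmorig` after the `rm -rf`, and note that `cp -f rpmorig/DB_CONFIG .` reverses the old direction (nothing moves DB_CONFIG into rpmorig), so it presumably should be `cp -f DB_CONFIG rpmorig/`. Testing `[ $? -eq 0 ]` after the `fi` that closes the slapcat branch does report slapcat's status, but only because nothing else runs in between; capture it right after the call (`rc=$?`) so a later edit cannot silently break it. The dump `upgrade.ldif` is written by root with the default umask into %{_sharedstatedir}/ldap and holds the whole directory, typically including password hashes, so it may be readable by other local users until `%post` deletes it; setting `umask 077` before slapcat (as the certificate generation in `%post` already does) and `chown ldap:ldap upgrade.ldif` (slapadd runs as ldap in `%post`) keeps it private. The hunk also mixes `/var/lib/ldap` and `%{_sharedstatedir}/ldap` for the same directory.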
@@ -538,18 +464,20 @@ chmod 640 slapd.pem popd fi -if [ `find %{_sysconfdir}/openldap/slapd.d -maxdepth 0 -empty | wc -l` = "1" ]; then - # configuration in slapd.d not available +# generate configuration in slapd.d +if ! ls -d %{_sysconfdir}/openldap/slapd.d/* &>/dev/null; then + # fresh installation [ ! -f %{_sysconfdir}/openldap/slapd.conf ] fresh_install=$? [ $fresh_install -eq 0 ] && \ cp %{_datadir}/openldap-servers/slapd.conf.obsolete %{_sysconfdir}/openldap/slapd.conf + # convert from old style config slapd.conf mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak mkdir -p %{_sysconfdir}/openldap/slapd.d/ - lines=`egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1` + lines=$(egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1) lines=$(($lines-1)) head -n $lines %{_sysconfdir}/openldap/slapd.conf.bak > %{_sysconfdir}/openldap/slapd.conf cat >> %{_sysconfdir}/openldap/slapd.conf << EOF @@ -557,7 +485,7 @@ database config rootdn "cn=admin,cn=config" #rootpw secret EOF - lines_r=`wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" "` + lines_r=$(wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" ") lines_r=$(($lines_r-$lines)) tail -n $lines_r %{_sysconfdir}/openldap/slapd.conf.bak >> %{_sysconfdir}/openldap/slapd.conf slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2> /dev/null 
@@ -570,26 +498,31 @@ EOF [ $fresh_install -eq 0 ] && rm -f %{_sysconfdir}/openldap/slapd.conf.bak fi -if [ $1 -ge 1 ] ; then - /sbin/service slapd condrestart &>/dev/null - /sbin/service slapd status &>/dev/null - if [ "$?" != "0" -a -f /var/lib/ldap/need_start ]; then - /sbin/service slapd start &>/dev/null - rm -f /var/lib/ldap/need_start &>/dev/null - fi +# finish database migration (see %pre) +if [ -f %{_sharedstatedir}/ldap/upgrade.ldif ]; then + runuser -m -s /usr/sbin/slapadd -- ldap -l %{_sharedstatedir}/ldap/upgrade.ldif &>/dev/null + rm -f %{_sharedstatedir}/ldap/upgrade.ldif +fi + +# restart after upgrade +if [ $1 -ge 1 ]; then + if [ -f %{_sharedstatedir}/ldap/need_start ]; then + service slapd start + rm -f %{_sharedstatedir}/ldap/need_start + else + /sbin/service slapd condrestart + fi fi exit 0 %preun servers -if [ "$1" = "0" ] ; then - /sbin/service slapd stop > /dev/null 2>&1 || : - /sbin/chkconfig --del slapd -# Openldap-servers are being removed from system. -# Do not touch the database! Older versions of this -# package attempted to store database in LDIF format, so -# it can be restored later - but it's up to the administrator -# to save the database, if he/she wants so. +if [ $1 -eq 0 ] ; then + /sbin/service slapd stop > /dev/null 2>&1 || : + /sbin/chkconfig --del slapd + + # openldap-servers are being removed from system + # do not touch the database! fi %postun servers 
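Review bot: The new `runuser -m -s /usr/sbin/slapadd -- ldap -l %{_sharedstatedir}/ldap/upgrade.ldif &>/dev/null` is followed by an unconditional `rm -f` of the LDIF, so an import failure leaves an empty directory and no trace of why; the old code had the same shape, but the migration is reworked here so this is the place to fix it. Per the %pre hunk above the old database files were moved to `rpmorig`, so the failure is recoverable if the administrator is told about it — the import should be made conditional as below. Since upgrade.ldif is a full slapcat export (it carries userPassword hashes), it is also worth confirming in %pre, outside this hunk, that it is created with a restrictive mode. As a point of style, `service slapd start` (no path, output shown) sits next to `/sbin/service slapd condrestart` and the `/sbin/service` calls in %preun; one form should be used throughout.
```shell
# finish database migration (see %pre)
if [ -f %{_sharedstatedir}/ldap/upgrade.ldif ]; then
    if runuser -m -s /usr/sbin/slapadd -- ldap -l %{_sharedstatedir}/ldap/upgrade.ldif &>/dev/null; then
        rm -f %{_sharedstatedir}/ldap/upgrade.ldif
    else
        echo "slapadd of %{_sharedstatedir}/ldap/upgrade.ldif failed; the previous database files are in %{_sharedstatedir}/ldap/rpmorig" >&2
    fi
fi
# … unchanged: restart after upgrade …
```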
@@ -599,6 +532,58 @@ fi %postun devel -p /sbin/ldconfig +%triggerin servers -- db4 + +# db4 upgrade (see %triggerun) +if [ $2 -eq 2 ]; then + pushd %{_sharedstatedir}/ldap + + # we are interested in minor version changes (both versions of db4 are installed at this moment) + if [ "$(rpm -q --qf="%%{version}\n" db4 | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then + # stop the service + if service slapd status &>/dev/null; then + touch need_start + service slapd stop + fi + + # ensure the database is consistent + runuser -m -s /usr/sbin/db_recover -- "ldap" -h %{_sharedstatedir}/ldap &>/dev/null + + # upgrade will be performed after removing old db4 + touch upgrade_db4 + else + rm -f upgrade_db4 + fi + + popd +fi + +exit 0 + +%triggerun servers -- db4 + +# db4 upgrade (see %triggerin) +if [ -f %{_sharedstatedir}/ldap/upgrade_db4 ]; then + pushd %{_sharedstatedir}/ldap + + # perform the upgrade + if ls *.bdb &>/dev/null; then + runuser -m -s /usr/bin/db_upgrade -- "ldap" -h %{_sharedstatedir}/ldap %{_sharedstatedir}/ldap/*.bdb + runuser -m -s /usr/bin/db_checkpoint -- "ldap" -h %{_sharedstatedir}/ldap -1 + fi + + # start the service + if [ -f need_start ]; then + service slapd start + rm -f need_start + fi + + rm -f upgrade_db4 + popd +fi + +exit 0 + %files %defattr(-,root,root) %doc openldap-%{version}/ANNOUNCEMENT 
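Review bot: `runuser -m -s /usr/sbin/db_recover -- "ldap" …` in %triggerin invokes the recovery tool from /usr/sbin while %triggerun calls `/usr/bin/db_upgrade` and `/usr/bin/db_checkpoint`; if db4-utils installs all three in the same directory (please confirm), the /usr/sbin path is wrong, and because stdout and stderr are sent to /dev/null and the status is not checked, the failure is invisible and `touch upgrade_db4` schedules an upgrade of an unrecovered database. The call should use the same directory as the other two and gate the marker on success, e.g. `runuser -m -s /usr/bin/db_recover -- "ldap" -h %{_sharedstatedir}/ldap &>/dev/null && touch upgrade_db4 || echo "db_recover of %{_sharedstatedir}/ldap failed, skipping db4 upgrade" >&2`. In %triggerun the same applies to `db_upgrade`: `db_checkpoint` and the `service slapd start` that follows run regardless of whether the upgrade succeeded, so slapd may be started on a half-upgraded database; checking the status before both would keep the failure from being masked.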
@@ -618,14 +603,13 @@ fi %files servers %defattr(-,root,root) -%doc db-%{db_version}/LICENSE.bdb-backend %doc README.upgrading %doc README.migration %doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd %doc openldap-%{version}/doc/guide/admin/*.html %doc openldap-%{version}/doc/guide/admin/*.png %doc README.schema -%ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem +%attr(0640,root,ldap) %ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem %attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd %attr(0750,ldap,ldap) %dir %config(noreplace) %{_sysconfdir}/openldap/slapd.d %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ldap @@ -640,7 +624,6 @@ fi %attr(0644,root,root) %{_mandir}/man5/slapo-*.5* %attr(0700,ldap,ldap) %dir /var/lib/ldap %attr(0755,ldap,ldap) %dir /var/run/openldap -%attr(0755,root,root) %{_libdir}/libslapd_db-*.*.so %attr(0755,root,root) %dir %{_libdir}/openldap %attr(0755,root,root) %{_libdir}/openldap/[^b]* %attr(0755,root,root) %dir %{_datadir}/openldap-servers @@ -675,6 +658,11 @@ fi %attr(0644,root,root) %{evolution_connector_libdir}/*.a %changelog +* Fri Aug 27 2010 Jan Vcelak 2.4.23-1 +- rebase to 2.4.23 +- embeded db4 library removed +- removed bogus links in "SEE ALSO" in several man-pages (#624616) + * Thu Jul 22 2010 Jan Vcelak 2.4.22-7 - Mozilla NSS - delay token auth until needed (#616552) - Mozilla NSS - support use of self signed CA certs as server certs (#614545)
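Review bot: `%attr(0640,root,ldap) %ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem` declares group ldap for a file that rpm does not install itself (it is a %ghost generated in %post), so the attribute only takes effect through verification and `--setugids`, and the actual ownership comes from the %post certificate block. The parts of that block visible in the hunks above (`umask 077`, `chmod 640 slapd.pem`) show no `chown`; the lines between the two %post hunks are not in this diff, so please confirm that a `chown root:ldap slapd.pem` is there — otherwise the generated key file is root:root 0640 and slapd running as ldap cannot read it. A short comment next to the %attr line, `# mode/owner also set by %post when the certificate is generated`, would record the dependency.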