rebase to 2.4.23

- package rebased
- removed embeded db4
- removed patches merged by upstream
- removed no longer required patches
- merged patches doing manpage changes
- merged patches exporting ldif API
- reapplied patches and added description to each one
- removed unnecessary BuildRequires
- cleaned %config, %build and %install sections
- updated database upgrade process:
  - database is exported (slapcat) and reimported (slapadd) when minor
	version of openldap changes (safe and recomended way)
  - database is upgraded (db4) when minor version of db4 package changes
	(this is not done in %post anymore, as the database is not embeded,
	but using triggers)

Resolved: #624616 Bogus links in "SEE ALSO" part of several man-pages
Resolved: #625740 openldap-2.4.23 is available
This commit is contained in:
Jan Vcelak 2010-08-24 18:25:50 +02:00
parent b68d557f79
commit 95d8d32fc5
27 changed files with 588 additions and 781 deletions

View File

@ -1,9 +0,0 @@
These files are here specifically for use in building the nss_ldap package,
and should not be used for any other purpose.
They contain a backported patch which adds two functions which nss_ldap can
use to avoid blocking in one particular use case, but which are not included
in the 2.2 branch of OpenLDAP.
When the openldap package updates to 2.3, these libraries will simply
disappear.

View File

@ -1,21 +0,0 @@
/* Gleaned from glibc, though I suppose it's documented in the specs, too.
NPTL requires support that isn't in kernels prior to 2.4.20 (or 2.5.36 if
you're not using a backported TLS implementation in your kernel), but ld.so
will try to use this library on an insufficiently-new system unless we make
a note of the required kernel version here.
We also add in a section which marks the library as not needing an
executable stack to avoid unintentionally disabling exec-shield and the
like (thanks Arjan!). */
.section ".note.ABI-tag", "a"
.p2align 2
.long 1f - 0f
.long 3f - 2f
.long 1
0: .asciz "GNU"
1: .p2align 2
2: .long 0
.long 2,4,20
3: .p2align 2
.section .note.GNU-stack, "", @progbits
.previous

View File

@ -1,13 +0,0 @@
diff -up openldap-2.4.11/libraries/libldap/init.c.patch2 openldap-2.4.11/libraries/libldap/init.c
--- openldap-2.4.11/libraries/libldap/init.c.patch2 2008-02-12 00:26:41.000000000 +0100
+++ openldap-2.4.11/libraries/libldap/init.c 2008-09-01 09:57:09.000000000 +0200
@@ -327,9 +327,6 @@ static void openldap_ldap_init_w_usercon
if(path != NULL) {
LDAP_FREE(path);
}
-
- /* try file */
- openldap_ldap_init_w_conf(file, 1);
}
static void openldap_ldap_init_w_env(

View File

@ -1,14 +0,0 @@
Don't read the user's configuration file if we're running in a setuid
or setgid application.
diff -up openldap-2.4.14/libraries/libldap/init.c.setugid openldap-2.4.14/libraries/libldap/init.c
--- openldap-2.4.14/libraries/libldap/init.c.setugid 2009-02-17 08:31:19.000000000 +0100
+++ openldap-2.4.14/libraries/libldap/init.c 2009-02-17 08:39:01.000000000 +0100
@@ -634,7 +634,7 @@ void ldap_int_initialize( struct ldapopt
openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
#ifdef HAVE_GETEUID
- if ( geteuid() != getuid() )
+ if ( geteuid() != getuid() || getegid() != getgid() )
return;
#endif

View File

@ -1,20 +0,0 @@
If libexecdir and sbindir are the same, avoid making an absolute symlink.
diff -up openldap-2.4.11/servers/slapd/Makefile.in.patch5 openldap-2.4.11/servers/slapd/Makefile.in
--- openldap-2.4.11/servers/slapd/Makefile.in.patch5 2008-09-01 09:57:09.000000000 +0200
+++ openldap-2.4.11/servers/slapd/Makefile.in 2008-09-01 09:57:09.000000000 +0200
@@ -270,7 +270,12 @@ slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
$(WRAP_LIBS)
$(RM) $(SLAPTOOLS)
for i in $(SLAPTOOLS); do \
- $(LN_S) slapd$(EXEEXT) $$i$(EXEEXT); done
+ if test $(libexecdir) != $(sbindir) ; then \
+ $(LN_S) $(libexecdir)/slapd$(EXEEXT) $$i$(EXEEXT); \
+ else \
+ $(LN_S) slapd$(EXEEXT) $$i$(EXEEXT); \
+ fi \
+ done
sslapd: version.o

View File

@ -1,112 +0,0 @@
--- openldap/clients/tools/common.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/common.c.option 2009-04-09 14:52:23.000000000 +0200
@@ -267,7 +267,6 @@ void
tool_common_usage( void )
{
static const char *const descriptions[] = {
-N_(" -c continuous operation mode (do not stop on errors)\n"),
N_(" -d level set LDAP debugging level to `level'\n"),
N_(" -D binddn bind DN\n"),
N_(" -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)\n")
@@ -298,18 +297,15 @@ N_(" [!]sessiontracking\n")
N_(" abandon, cancel, ignore (SIGINT sends abandon/cancel,\n"
" or ignores response; if critical, doesn't wait for SIGINT.\n"
" not really controls)\n")
-N_(" -f file read operations from `file'\n"),
N_(" -h host LDAP server\n"),
N_(" -H URI LDAP Uniform Resource Identifier(s)\n"),
N_(" -I use SASL Interactive mode\n"),
-N_(" -M enable Manage DSA IT control (-MM to make critical)\n"),
N_(" -n show what would be done but don't actually do it\n"),
N_(" -N do not use reverse DNS to canonicalize SASL host name\n"),
N_(" -O props SASL security properties\n"),
N_(" -o <opt>[=<optparam] general options\n"),
N_(" nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
N_(" -p port port on LDAP server\n"),
-N_(" -P version protocol version (default: 3)\n"),
N_(" -Q use SASL Quiet mode\n"),
N_(" -R realm SASL realm\n"),
N_(" -U authcid SASL authentication identity\n"),
--- openldap/clients/tools/ldapcompare.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/ldapcompare.c.option 2009-04-09 14:46:37.000000000 +0200
@@ -85,6 +85,8 @@ usage( void )
fprintf( stderr, _("Compare options:\n"));
fprintf( stderr, _(" -E [!]<ext>[=<extparam>] compare extensions (! indicates criticality)\n"));
fprintf( stderr, _(" !dontUseCopy (Don't Use Copy)\n"));
+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n"));
+ fprintf( stderr, _(" -P version protocol version (default: 3)\n"));
fprintf( stderr, _(" -z Quiet mode,"
" don't print anything, use return values\n"));
tool_common_usage();
--- openldap/clients/tools/ldapdelete.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/ldapdelete.c.option 2009-04-09 14:48:48.000000000 +0200
@@ -71,6 +71,10 @@ usage( void )
fprintf( stderr, _(" dn: list of DNs to delete. If not given, it will be readed from stdin\n"));
fprintf( stderr, _(" or from the file specified with \"-f file\".\n"));
fprintf( stderr, _("Delete Options:\n"));
+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n"));
+ fprintf( stderr, _(" -f file read operations from `file'\n"));
+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n"));
+ fprintf( stderr, _(" -P version protocol version (default: 3)\n"));
fprintf( stderr, _(" -r delete recursively\n"));
tool_common_usage();
exit( EXIT_FAILURE );
--- openldap/clients/tools/ldapmodify.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/ldapmodify.c.option 2009-04-09 14:50:14.000000000 +0200
@@ -137,8 +137,12 @@ usage( void )
fprintf( stderr, _("Add or modify options:\n"));
fprintf( stderr, _(" -a add values (%s)\n"),
(ldapadd ? _("default") : _("default is to replace")));
+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n"));
fprintf( stderr, _(" -E [!]ext=extparam modify extensions"
" (! indicate s criticality)\n"));
+ fprintf( stderr, _(" -f file read operations from `file'\n"));
+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n"));
+ fprintf( stderr, _(" -P version protocol version (default: 3)\n"));
#ifdef LDAP_X_TXN
fprintf( stderr,
_(" [!]txn=<commit|abort> (transaction)\n"));
--- openldap/clients/tools/ldapmodrdn.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/ldapmodrdn.c.option 2009-04-09 14:50:40.000000000 +0200
@@ -83,6 +83,10 @@ usage( void )
fprintf( stderr, _(" If not given, the list of modifications is read from stdin or\n"));
fprintf( stderr, _(" from the file specified by \"-f file\" (see man page).\n"));
fprintf( stderr, _("Rename options:\n"));
+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n"));
+ fprintf( stderr, _(" -f file read operations from `file'\n"));
+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n"));
+ fprintf( stderr, _(" -P version protocol version (default: 3)\n"));
fprintf( stderr, _(" -r remove old RDN\n"));
fprintf( stderr, _(" -s newsup new superior entry\n"));
tool_common_usage();
--- openldap/clients/tools/ldapsearch.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/ldapsearch.c.option 2009-04-09 14:51:51.000000000 +0200
@@ -123,6 +123,7 @@ usage( void )
fprintf( stderr, _(" -a deref one of never (default), always, search, or find\n"));
fprintf( stderr, _(" -A retrieve attribute names only (no values)\n"));
fprintf( stderr, _(" -b basedn base dn for search\n"));
+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n"));
fprintf( stderr, _(" -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)\n"));
fprintf( stderr, _(" [!]domainScope (domain scope)\n"));
fprintf( stderr, _(" !dontUseCopy (Don't Use Copy)\n"));
@@ -137,12 +138,15 @@ usage( void )
fprintf( stderr, _(" [!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]\n"));
#endif
fprintf( stderr, _(" [!]<oid>=:<value> (generic control; no response handling)\n"));
+ fprintf( stderr, _(" -f file read operations from `file'\n"));
fprintf( stderr, _(" -F prefix URL prefix for files (default: %s)\n"), def_urlpre);
fprintf( stderr, _(" -l limit time limit (in seconds, or \"none\" or \"max\") for search\n"));
fprintf( stderr, _(" -L print responses in LDIFv1 format\n"));
fprintf( stderr, _(" -LL print responses in LDIF format without comments\n"));
fprintf( stderr, _(" -LLL print responses in LDIF format without comments\n"));
fprintf( stderr, _(" and version\n"));
+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n"));
+ fprintf( stderr, _(" -P version protocol version (default: 3)\n"));
fprintf( stderr, _(" -s scope one of base, one, sub or children (search scope)\n"));
fprintf( stderr, _(" -S attr sort the results by attribute `attr'\n"));
fprintf( stderr, _(" -t write binary values to files in temporary directory\n"));

View File

@ -1,10 +0,0 @@
--- openldap-2.4.16/doc/man/man5/ldap.conf.5.orig 2009-09-16 17:12:01.000000000 +0200
+++ openldap-2.4.16/doc/man/man5/ldap.conf.5 2009-09-16 17:15:32.000000000 +0200
@@ -305,6 +305,7 @@
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GNUtls.
.TP
.B TLS_CERT <filename>

View File

@ -1,11 +0,0 @@
--- openldap-2.4.19/servers/slapd/back-bdb/dn2id.c.orig 2010-02-24 09:55:39.000000000 +0100
+++ openldap-2.4.19/servers/slapd/back-bdb/dn2id.c 2010-02-24 09:56:07.000000000 +0100
@@ -676,7 +676,7 @@ hdb_dn2id_delete(
d->nrdnlen[0] = (BEI(e)->bei_nrdn.bv_len >> 8) | 0x80;
dlen[0] = d->nrdnlen[0];
dlen[1] = d->nrdnlen[1];
- strcpy( d->nrdn, BEI(e)->bei_nrdn.bv_val );
+ memcpy( d->nrdn, BEI(e)->bei_nrdn.bv_val, BEI(e)->bei_nrdn.bv_len+1 );
data.data = d;
rc = db->cursor( db, txn, &cursor, bdb->bi_db_opflags );

View File

@ -1,22 +0,0 @@
--- openldap-2.4.22/include/Makefile.in.orig 2010-06-03 07:38:29.000000000 -0600
+++ openldap-2.4.22/include/Makefile.in 2010-06-03 07:39:21.000000000 -0600
@@ -15,17 +15,18 @@
all-local: ldap_config.h FORCE
install-local: FORCE
-$(MKDIR) $(DESTDIR)$(includedir)
for header in $(srcdir)/lber.h lber_types.h \
$(srcdir)/ldap.h $(srcdir)/ldap_cdefs.h \
$(srcdir)/ldap_schema.h $(srcdir)/ldap_utf8.h \
- $(srcdir)/slapi-plugin.h ldap_features.h; \
+ $(srcdir)/slapi-plugin.h ldap_features.h \
+ $(srcdir)/ldif.h ; \
do \
$(INSTALL) $(INSTALLFLAGS) -m 644 $$header $(DESTDIR)$(includedir); \
done
clean-local: FORCE
$(RM) ldap_config.h
veryclean-local: clean-local FORCE

View File

@ -1,66 +0,0 @@
--- openldap-2.4.22/libraries/liblutil/Makefile.in.orig 2010-06-03 10:57:01.000000000 -0600
+++ openldap-2.4.22/libraries/liblutil/Makefile.in 2010-06-03 10:59:29.000000000 -0600
@@ -9,16 +9,19 @@
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
LIBRARY = liblutil.a
+
+SHAREDLIB = libldif.la
+
PROGRAM = testavl
LDAP_INCDIR= ../../include
LDAP_LIBDIR= ../../libraries
NT_SRCS = ntservice.c
NT_OBJS = ntservice.o slapdmsg.res
@@ -35,16 +38,18 @@
@LIBSRCS@ $(@PLAT@_SRCS)
OBJS = base64.o entropy.o sasl.o signal.o hash.o passfile.o \
md5.o passwd.o sha1.o getpass.o lockf.o utils.o uuid.o sockpair.o \
avl.o tavl.o ldif.o fetch.o \
meter.o \
@LIBOBJS@ $(@PLAT@_OBJS)
+SHAREDLIBOBJS = ldif.lo fetch.lo
+
testavl: $(XLIBS) testavl.o
(LTLINK) -o $@ testavl.o $(LIBS)
testtavl: $(XLIBS) testtavl.o
(LTLINK) -o $@ testtavl.o $(LIBS)
# These rules are for a Mingw32 build, specifically.
# It's ok for them to be here because the clean rule is harmless, and
@@ -54,8 +59,24 @@
@if [ ! -f $@ ]; then cp $(srcdir)/$@ .; fi
slapdmsg.res: slapdmsg.rc slapdmsg.bin
windres $< -O coff -o $@
clean-local:
$(RM) *.res
+all-local: $(SHAREDLIB)
+
+.SUFFIXES: .c .o .lo
+
+.c.lo:
+ $(LTCOMPILE_LIB) $<
+
+$(LIBRARY): $(SHAREDLIBOBJS) version.lo
+
+$(SHAREDLIB): $(SHAREDLIBOBJS) version.lo
+ $(LTLINK_LIB) -o $(SHAREDLIB) $(SHAREDLIBOBJS) version.lo $(LINK_LIBS)
+
+install-local: FORCE
+ -$(MKDIR) $(DESTDIR)$(libdir)
+ $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(SHAREDLIB) $(DESTDIR)$(libdir)
+ $(LTFINISH) $(DESTDIR)$(libdir)

View File

@ -1,74 +0,0 @@
bz #605448 CVE-2010-0211 openldap: modrdn processing uninitialized pointer free
bz #605452 CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference
diff -urp openldap-2.4.22/servers/slapd/dn.c openldap-2.4.22.new/servers/slapd/dn.c
--- openldap-2.4.22/servers/slapd/dn.c 2010-04-13 22:23:14.000000000 +0200
+++ openldap-2.4.22.new/servers/slapd/dn.c 2010-07-19 17:57:51.974346501 +0200
@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f
ava->la_attr = ad->ad_cname;
if( ava->la_flags & LDAP_AVA_BINARY ) {
- if( ava->la_value.bv_len == 0 ) {
- /* BER encoding is empty */
- return LDAP_INVALID_SYNTAX;
- }
+ /* AVA is binary encoded, not supported */
+ return LDAP_INVALID_SYNTAX;
/* Do not allow X-ORDERED 'VALUES' naming attributes */
} else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
return LDAP_INVALID_SYNTAX;
- /* AVA is binary encoded, don't muck with it */
} else if( flags & SLAP_LDAPDN_PRETTY ) {
transf = ad->ad_type->sat_syntax->ssyn_pretty;
if( !transf ) {
@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f
ava->la_value = bv;
ava->la_flags |= LDAP_AVA_FREE_VALUE;
}
+ /* reject empty values */
+ if (!ava->la_value.bv_len) {
+ return LDAP_INVALID_SYNTAX;
+ }
}
rc = LDAP_SUCCESS;
diff -urp openldap-2.4.22/servers/slapd/modrdn.c openldap-2.4.22.new/servers/slapd/modrdn.c
--- openldap-2.4.22/servers/slapd/modrdn.c 2010-04-13 22:23:16.000000000 +0200
+++ openldap-2.4.22.new/servers/slapd/modrdn.c 2010-07-19 17:57:51.975346274 +0200
@@ -445,12 +445,19 @@ slap_modrdn2mods(
mod_tmp->sml_values[1].bv_val = NULL;
if( desc->ad_type->sat_equality->smr_normalize) {
mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
- (void) (*desc->ad_type->sat_equality->smr_normalize)(
+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
desc->ad_type->sat_syntax,
desc->ad_type->sat_equality,
&mod_tmp->sml_values[0],
&mod_tmp->sml_nvalues[0], NULL );
+ if (rs->sr_err != LDAP_SUCCESS) {
+ ch_free(mod_tmp->sml_nvalues);
+ ch_free(mod_tmp->sml_values[0].bv_val);
+ ch_free(mod_tmp->sml_values);
+ ch_free(mod_tmp);
+ goto done;
+ }
mod_tmp->sml_nvalues[1].bv_val = NULL;
} else {
mod_tmp->sml_nvalues = NULL;
diff -urp openldap-2.4.22/servers/slapd/schema_init.c openldap-2.4.22.new/servers/slapd/schema_init.c
--- openldap-2.4.22/servers/slapd/schema_init.c 2010-04-14 20:12:15.000000000 +0200
+++ openldap-2.4.22.new/servers/slapd/schema_init.c 2010-07-19 17:57:51.978346712 +0200
@@ -1735,8 +1735,9 @@ UTF8StringNormalize(
? LDAP_UTF8_APPROX : 0;
val = UTF8bvnormalize( val, &tmp, flags, ctx );
+ /* out of memory or syntax error, the former is unlikely */
if( val == NULL ) {
- return LDAP_OTHER;
+ return LDAP_INVALID_SYNTAX;
}
/* collapse spaces (in place) */

View File

@ -1,30 +0,0 @@
diff -up openldap-2.4.11/doc/man/man8/slapd.8.patch9 openldap-2.4.11/doc/man/man8/slapd.8
--- openldap-2.4.11/doc/man/man8/slapd.8.patch9 2008-02-12 00:26:40.000000000 +0100
+++ openldap-2.4.11/doc/man/man8/slapd.8 2008-09-01 09:57:09.000000000 +0200
@@ -5,7 +5,7 @@
.SH NAME
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
-.B LIBEXECDIR/slapd
+.B slapd
[\c
.BR \-4 | \-6 ]
[\c
@@ -312,7 +312,7 @@ on voluminous debugging which will be pr
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
+ slapd -f /var/tmp/slapd.conf -d 255
.ft
.fi
.LP
@@ -320,7 +320,7 @@ To test whether the configuration file i
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-Tt
+ slapd -Tt
.ft
.fi
.LP

View File

@ -1,12 +0,0 @@
diff -up openldap-2.4.11/build/top.mk.patch6 openldap-2.4.11/build/top.mk
--- openldap-2.4.11/build/top.mk.patch6 2008-02-12 00:26:38.000000000 +0100
+++ openldap-2.4.11/build/top.mk 2008-09-01 09:57:09.000000000 +0200
@@ -199,7 +199,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@
SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@
SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@
-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS)
+SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_SLP_LIBS@ $(ICU_LIBS)
# Our Defaults
CC = $(AC_CC)

View File

@ -1,16 +0,0 @@
Build both slapd as position-independent executables. This really
should be threaded into the various autotools, but I guess this is what we have
until that happens, if it happens.
diff -up openldap-2.4.11/servers/slapd/Makefile.in.patch4 openldap-2.4.11/servers/slapd/Makefile.in
--- openldap-2.4.11/servers/slapd/Makefile.in.patch4 2008-02-12 00:26:43.000000000 +0100
+++ openldap-2.4.11/servers/slapd/Makefile.in 2008-09-01 09:57:09.000000000 +0200
@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a
cp slapi/.libs/libslapi.a .
slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
+ $(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \
$(WRAP_LIBS)
$(RM) $(SLAPTOOLS)
for i in $(SLAPTOOLS); do \

View File

@ -1,7 +1,10 @@
diff -up evo-openldap-2.4.14/include/ldap.h.evolution-ntlm evo-openldap-2.4.14/include/ldap.h Get rid of this patch as soon as possible.
--- evo-openldap-2.4.14/include/ldap.h.evolution-ntlm 2009-01-27 00:29:53.000000000 +0100 More details are provided in README.evolution
+++ evo-openldap-2.4.14/include/ldap.h 2009-02-17 10:10:00.000000000 +0100
@@ -2461,5 +2461,26 @@ ldap_parse_deref_control LDAP_P(( diff -uNPrp openldap-2.4.23.old/include/ldap.h openldap-2.4.23.new/include/ldap.h
--- openldap-2.4.23.old/include/ldap.h 2010-06-10 20:48:36.000000000 +0200
+++ openldap-2.4.23.new/include/ldap.h 2010-08-24 18:17:46.306679878 +0200
@@ -2487,5 +2487,26 @@ ldap_parse_deref_control LDAP_P((
LDAPControl **ctrls, LDAPControl **ctrls,
LDAPDerefRes **drp )); LDAPDerefRes **drp ));
@ -28,9 +31,9 @@ diff -up evo-openldap-2.4.14/include/ldap.h.evolution-ntlm evo-openldap-2.4.14/i
+ +
LDAP_END_DECL LDAP_END_DECL
#endif /* _LDAP_H */ #endif /* _LDAP_H */
diff -up evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm evo-openldap-2.4.14/libraries/libldap/Makefile.in diff -uNPrp openldap-2.4.23.old/libraries/libldap/Makefile.in openldap-2.4.23.new/libraries/libldap/Makefile.in
--- evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm 2009-01-27 00:29:53.000000000 +0100 --- openldap-2.4.23.old/libraries/libldap/Makefile.in 2010-04-13 22:22:55.000000000 +0200
+++ evo-openldap-2.4.14/libraries/libldap/Makefile.in 2009-02-17 10:10:00.000000000 +0100 +++ openldap-2.4.23.new/libraries/libldap/Makefile.in 2010-08-24 18:17:46.306679878 +0200
@@ -20,7 +20,7 @@ PROGRAMS = apitest dntest ftest ltest ur @@ -20,7 +20,7 @@ PROGRAMS = apitest dntest ftest ltest ur
SRCS = bind.c open.c result.c error.c compare.c search.c \ SRCS = bind.c open.c result.c error.c compare.c search.c \
controls.c messages.c references.c extended.c cyrus.c \ controls.c messages.c references.c extended.c cyrus.c \
@ -49,9 +52,9 @@ diff -up evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm evo-op
filter.lo free.lo sort.lo passwd.lo whoami.lo \ filter.lo free.lo sort.lo passwd.lo whoami.lo \
getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \ getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \
request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \ request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
diff -up /dev/null evo-openldap-2.4.14/libraries/libldap/ntlm.c diff -uNPrp openldap-2.4.23.old/libraries/libldap/ntlm.c openldap-2.4.23.new/libraries/libldap/ntlm.c
--- /dev/null 2009-02-17 09:19:52.829004420 +0100 --- openldap-2.4.23.old/libraries/libldap/ntlm.c 1970-01-01 01:00:00.000000000 +0100
+++ evo-openldap-2.4.14/libraries/libldap/ntlm.c 2009-02-17 10:10:00.000000000 +0100 +++ openldap-2.4.23.new/libraries/libldap/ntlm.c 2010-08-24 18:17:46.330680333 +0200
@@ -0,0 +1,137 @@ @@ -0,0 +1,137 @@
+/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ +/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */
+/* +/*

View File

@ -0,0 +1,61 @@
Patch exposes LDIF reading/writing API. This change is required to replace
mozldap with openldap in FreeIPA project.
Upstream: ITS #6194
Author: Rich Megginson <rmeggins@redhat.com>
diff -uNPrp openldap-2.4.23.old/include/Makefile.in openldap-2.4.23.new/include/Makefile.in
--- openldap-2.4.23.old/include/Makefile.in 2010-04-13 22:22:47.000000000 +0200
+++ openldap-2.4.23.new/include/Makefile.in 2010-08-19 17:40:29.073805139 +0200
@@ -20,7 +20,8 @@ install-local: FORCE
for header in $(srcdir)/lber.h lber_types.h \
$(srcdir)/ldap.h $(srcdir)/ldap_cdefs.h \
$(srcdir)/ldap_schema.h $(srcdir)/ldap_utf8.h \
- $(srcdir)/slapi-plugin.h ldap_features.h; \
+ $(srcdir)/slapi-plugin.h ldap_features.h \
+ $(srcdir)/ldif.h ; \
do \
$(INSTALL) $(INSTALLFLAGS) -m 644 $$header $(DESTDIR)$(includedir); \
done
diff -uNPrp openldap-2.4.23.old/libraries/liblutil/Makefile.in openldap-2.4.23.new/libraries/liblutil/Makefile.in
--- openldap-2.4.23.old/libraries/liblutil/Makefile.in 2010-04-19 18:53:01.000000000 +0200
+++ openldap-2.4.23.new/libraries/liblutil/Makefile.in 2010-08-19 17:40:20.424679962 +0200
@@ -14,6 +14,9 @@
## <http://www.OpenLDAP.org/license.html>.
LIBRARY = liblutil.a
+
+SHAREDLIB = libldif.la
+
PROGRAM = testavl
LDAP_INCDIR= ../../include
@@ -40,6 +43,8 @@ OBJS = base64.o entropy.o sasl.o signal.
meter.o \
@LIBOBJS@ $(@PLAT@_OBJS)
+SHAREDLIBOBJS = ldif.lo fetch.lo
+
testavl: $(XLIBS) testavl.o
(LTLINK) -o $@ testavl.o $(LIBS)
@@ -59,3 +64,19 @@ slapdmsg.res: slapdmsg.rc slapdmsg.bin
clean-local:
$(RM) *.res
+all-local: $(SHAREDLIB)
+
+.SUFFIXES: .c .o .lo
+
+.c.lo:
+ $(LTCOMPILE_LIB) $<
+
+$(LIBRARY): $(SHAREDLIBOBJS) version.lo
+
+$(SHAREDLIB): $(SHAREDLIBOBJS) version.lo
+ $(LTLINK_LIB) -o $(SHAREDLIB) $(SHAREDLIBOBJS) version.lo $(LINK_LIBS)
+
+install-local: FORCE
+ -$(MKDIR) $(DESTDIR)$(libdir)
+ $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(SHAREDLIB) $(DESTDIR)$(libdir)
+ $(LTFINISH) $(DESTDIR)$(libdir)

View File

@ -0,0 +1,19 @@
Disables opening of ldaprc file in current directory.
Resolves: #38402
Upstream: ITS #1131
Author: Henning Schmiedehausen <hps@intermeta.de>
diff -u -uNPrp openldap-2.4.23.old/libraries/libldap/init.c openldap-2.4.23.new/libraries/libldap/init.c
--- openldap-2.4.23.old/libraries/libldap/init.c 2010-04-13 22:22:57.000000000 +0200
+++ openldap-2.4.23.new/libraries/libldap/init.c 2010-08-24 15:34:27.780680598 +0200
@@ -346,9 +346,6 @@ static void openldap_ldap_init_w_usercon
if(path != NULL) {
LDAP_FREE(path);
}
-
- /* try file */
- openldap_ldap_init_w_conf(file, 1);
}
static void openldap_ldap_init_w_env(

103
openldap-manpages.patch Normal file
View File

@ -0,0 +1,103 @@
Various manual pages changes:
* removes LIBEXECDIR from slapd.8
* removes references to non-existing manpages (bz 624616)
diff -uNPrp openldap-2.4.23.old/doc/man/man1/ldapmodify.1 openldap-2.4.23.new/doc/man/man1/ldapmodify.1
--- openldap-2.4.23.old/doc/man/man1/ldapmodify.1 2010-04-13 22:22:36.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man1/ldapmodify.1 2010-08-19 17:42:10.256805450 +0200
@@ -364,9 +364,7 @@ exit status and a diagnostic message bei
.BR ldap_add_ext (3),
.BR ldap_delete_ext (3),
.BR ldap_modify_ext (3),
-.BR ldap_modrdn_ext (3),
-.BR ldif (5),
-.BR slapd.replog (5)
+.BR ldif (5)
.SH AUTHOR
The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
diff -uNPrp openldap-2.4.23.old/doc/man/man5/ldap.conf.5 openldap-2.4.23.new/doc/man/man5/ldap.conf.5
--- openldap-2.4.23.old/doc/man/man5/ldap.conf.5 2010-04-13 22:22:41.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man5/ldap.conf.5 2010-08-19 17:43:25.312805428 +0200
@@ -317,6 +317,7 @@ certificates in separate individual file
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GNUtls.
.TP
.B TLS_CERT <filename>
diff -uNPrp openldap-2.4.23.old/doc/man/man5/ldif.5 openldap-2.4.23.new/doc/man/man5/ldif.5
--- openldap-2.4.23.old/doc/man/man5/ldif.5 2010-04-13 22:22:41.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man5/ldif.5 2010-08-19 17:42:10.256805450 +0200
@@ -270,8 +270,7 @@ commands.
.BR ldapmodify (1),
.BR slapadd (8),
.BR slapcat (8),
-.BR slapd\-ldif (5),
-.BR slapd.replog (5).
+.BR slapd\-ldif (5).
.LP
"LDAP Data Interchange Format," Good, G., RFC 2849.
.SH ACKNOWLEDGEMENTS
diff -uNPrp openldap-2.4.23.old/doc/man/man5/slapd-config.5 openldap-2.4.23.new/doc/man/man5/slapd-config.5
--- openldap-2.4.23.old/doc/man/man5/slapd-config.5 2010-06-10 19:17:53.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man5/slapd-config.5 2010-08-19 17:42:10.258805346 +0200
@@ -1995,7 +1995,6 @@ default slapd configuration directory
.BR slapd.conf (5),
.BR slapd.overlays (5),
.BR slapd.plugin (5),
-.BR slapd.replog (5),
.BR slapd (8),
.BR slapacl (8),
.BR slapadd (8),
diff -uNPrp openldap-2.4.23.old/doc/man/man5/slapd.conf.5 openldap-2.4.23.new/doc/man/man5/slapd.conf.5
--- openldap-2.4.23.old/doc/man/man5/slapd.conf.5 2010-04-16 20:05:07.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man5/slapd.conf.5 2010-08-19 17:42:10.261805644 +0200
@@ -1927,7 +1927,6 @@ default slapd configuration file
.BR slapd.backends (5),
.BR slapd.overlays (5),
.BR slapd.plugin (5),
-.BR slapd.replog (5),
.BR slapd (8),
.BR slapacl (8),
.BR slapadd (8),
diff -uNPrp openldap-2.4.23.old/doc/man/man8/slapd.8 openldap-2.4.23.new/doc/man/man8/slapd.8
--- openldap-2.4.23.old/doc/man/man8/slapd.8 2010-04-13 22:22:46.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man8/slapd.8 2010-08-19 17:44:19.996680613 +0200
@@ -5,7 +5,7 @@
.SH NAME
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
-.B LIBEXECDIR/slapd
+.B slapd
[\c
.BR \-4 | \-6 ]
[\c
@@ -301,7 +301,7 @@ the LDAP databases defined in the defaul
.LP
.nf
.ft tt
- LIBEXECDIR/slapd
+ slapd
.ft
.fi
.LP
@@ -312,7 +312,7 @@ on voluminous debugging which will be pr
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
+ slapd -f /var/tmp/slapd.conf -d 255
.ft
.fi
.LP
@@ -320,7 +320,7 @@ To test whether the configuration file i
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-Tt
+ slapd -Tt
.ft
.fi
.LP

View File

@ -1,5 +1,8 @@
#614545 Mozilla NSS - support use of self signed CA certs as server certs #614545 Mozilla NSS - support use of self signed CA certs as server certs
upstream: http://www.openldap.org/its/index.cgi issue 6589
Resolves: #614545
Upstream: ITS #6589
Author: Rich Megginson <rmeggins@redhat.com>
diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200 --- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200

View File

@ -1,5 +1,8 @@
#616552 Mozilla NSS - delay token auth until needed Mozilla NSS - delay token auth until needed
upstream: http://www.openldap.org/its/index.cgi issue 6595
Resolves: #616552
Upstream: ITS #6595
Author: Rich Megginson <rmeggins@redhat.com>
diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200 --- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200

View File

@ -2,11 +2,14 @@ The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
example if libldap needs to be initialized from within gethostbyXXXX() (which example if libldap needs to be initialized from within gethostbyXXXX() (which
actually happens if nss_ldap is used for hostname resolution and earlier actually happens if nss_ldap is used for hostname resolution and earlier
modules can't resolve the local host name), so use the reentrant versions of modules can't resolve the local host name), so use the reentrant versions of
the functions, even if we're not being compiled for use in libldap_r (patch the functions, even if we're not being compiled for use in libldap_r
from Jeffery Layton, #179730).
diff -up openldap-2.4.11/libraries/libldap/util-int.c.patch7 openldap-2.4.11/libraries/libldap/util-int.c Resolves: #179730
--- openldap-2.4.11/libraries/libldap/util-int.c.patch7 2008-02-12 00:26:41.000000000 +0100 Author: Jeffery Layton <jlayton@redhat.com>
+++ openldap-2.4.11/libraries/libldap/util-int.c 2008-09-01 09:57:09.000000000 +0200
diff -uNPrp openldap-2.4.23.old/libraries/libldap/util-int.c openldap-2.4.23.new/libraries/libldap/util-int.c
--- openldap-2.4.23.old/libraries/libldap/util-int.c 2010-04-19 18:53:01.000000000 +0200
+++ openldap-2.4.23.new/libraries/libldap/util-int.c 2010-08-19 17:47:52.456805354 +0200
@@ -52,8 +52,8 @@ extern int h_errno; @@ -52,8 +52,8 @@ extern int h_errno;
#ifndef LDAP_R_COMPILE #ifndef LDAP_R_COMPILE
# undef HAVE_REENTRANT_FUNCTIONS # undef HAVE_REENTRANT_FUNCTIONS
@ -18,7 +21,7 @@ diff -up openldap-2.4.11/libraries/libldap/util-int.c.patch7 openldap-2.4.11/lib
#else #else
# include <ldap_pvt_thread.h> # include <ldap_pvt_thread.h>
@@ -110,7 +110,7 @@ char *ldap_pvt_ctime( const time_t *tp, @@ -330,7 +330,7 @@ ldap_pvt_csnstr(char *buf, size_t len, u
#define BUFSTART (1024-32) #define BUFSTART (1024-32)
#define BUFMAX (32*1024-32) #define BUFMAX (32*1024-32)

View File

@ -0,0 +1,17 @@
Build slapd as position-independent executable (PIE) to take an advantage of
address space layout randomization (ASLD).
Author: Thomas Woerner <twoerner@redhat.com>
diff -uNPrp openldap-2.4.23.old/servers/slapd/Makefile.in openldap-2.4.23.new/servers/slapd/Makefile.in
--- openldap-2.4.23.old/servers/slapd/Makefile.in 2010-04-13 22:23:09.000000000 +0200
+++ openldap-2.4.23.new/servers/slapd/Makefile.in 2010-08-24 15:09:08.999680712 +0200
@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a
cp slapi/.libs/libslapi.a .
slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
+ $(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \
$(WRAP_LIBS)
$(RM) $(SLAPTOOLS)
for i in $(SLAPTOOLS); do \

View File

@ -1,6 +1,8 @@
diff -up openldap-2.4.11/servers/slapd/slapd.conf.config openldap-2.4.11/servers/slapd/slapd.conf Updates initial slapd configuration.
--- openldap-2.4.11/servers/slapd/slapd.conf.config 2007-02-13 21:22:22.000000000 +0100
+++ openldap-2.4.11/servers/slapd/slapd.conf 2008-10-09 16:13:52.000000000 +0200 diff -urNPp openldap-2.4.23.old/servers/slapd/slapd.conf openldap-2.4.23.new/servers/slapd/slapd.conf
--- openldap-2.4.23.old/servers/slapd/slapd.conf 2007-02-13 21:22:22.000000000 +0100
+++ openldap-2.4.23.new/servers/slapd/slapd.conf 2010-08-19 15:45:05.835681213 +0200
@@ -2,22 +2,57 @@ @@ -2,22 +2,57 @@
# See slapd.conf(5) for details on configuration options. # See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable. # This file should NOT be world readable.

View File

@ -1,21 +1,24 @@
Compile smbk5pwd together with other overlays. Compile smbk5pwd together with other overlays.
diff -up openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README.patch8 openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README Resolves: 550895
--- openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README.patch8 2005-11-12 16:18:09.000000000 +0100 Author: Jan Šafránek <jsafrane@redhat.com>
+++ openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README 2008-09-01 09:57:09.000000000 +0200
diff -urNPp openldap-2.4.23.old/contrib/slapd-modules/smbk5pwd/README openldap-2.4.23.new/contrib/slapd-modules/smbk5pwd/README
--- openldap-2.4.23.old/contrib/slapd-modules/smbk5pwd/README 2010-04-13 22:22:30.000000000 +0200
+++ openldap-2.4.23.new/contrib/slapd-modules/smbk5pwd/README 2010-08-23 13:20:33.338687818 +0200
@@ -1,3 +1,8 @@ @@ -1,3 +1,8 @@
+*************************************************************** +*******************************************************
+Red Hat note: Kerberos support is NOT compiled into +Red Hat note: Kerberos support is NOT compiled into
+this version of smbk5pwd because we do not use Heimdall. +this version of smbk5pwd because we do not use Heimdal.
+*************************************************************** +*******************************************************
+ +
This directory contains a slapd overlay, smbk5pwd, that extends the This directory contains a slapd overlay, smbk5pwd, that extends the
PasswordModify Extended Operation to update Kerberos keys and Samba PasswordModify Extended Operation to update Kerberos keys and Samba
password hashes for an LDAP user. password hashes for an LDAP user.
diff -up openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 openldap-2.4.11/servers/slapd/overlays/Makefile.in diff -urNPp openldap-2.4.23.old/servers/slapd/overlays/Makefile.in openldap-2.4.23.new/servers/slapd/overlays/Makefile.in
--- openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 2008-02-12 00:26:48.000000000 +0100 --- openldap-2.4.23.old/servers/slapd/overlays/Makefile.in 2010-04-13 22:23:44.000000000 +0200
+++ openldap-2.4.11/servers/slapd/overlays/Makefile.in 2008-09-01 09:57:09.000000000 +0200 +++ openldap-2.4.23.new/servers/slapd/overlays/Makefile.in 2010-08-23 13:20:33.338687818 +0200
@@ -30,7 +30,8 @@ SRCS = overlays.c \ @@ -33,7 +33,8 @@ SRCS = overlays.c \
syncprov.c \ syncprov.c \
translucent.c \ translucent.c \
unique.c \ unique.c \
@ -25,7 +28,7 @@ diff -up openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 openldap-2.4.
OBJS = statover.o \ OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \ @SLAPD_STATIC_OVERLAYS@ \
overlays.o overlays.o
@@ -43,14 +44,14 @@ LTONLY_MOD = $(LTONLY_mod) @@ -46,14 +47,14 @@ LTONLY_MOD = $(LTONLY_mod)
LDAP_INCDIR= ../../../include LDAP_INCDIR= ../../../include
LDAP_LIBDIR= ../../../libraries LDAP_LIBDIR= ../../../libraries
@ -42,7 +45,7 @@ diff -up openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 openldap-2.4.
XINCPATH = -I.. -I$(srcdir)/.. XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS) XDEFS = $(MODULES_CPPFLAGS)
@@ -113,6 +114,9 @@ unique.la : unique.lo @@ -125,6 +126,9 @@ unique.la : unique.lo
valsort.la : valsort.lo valsort.la : valsort.lo
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS) $(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)

View File

@ -0,0 +1,15 @@
Removes unnecessary linking of SQL libraries into slapd. This makes openldap-servers package
independent on libodbc. (SQL backend is packaged separately in openldap-servers-sql.)
diff -uNPrp openldap-2.4.23.old/build/top.mk openldap-2.4.23.new/build/top.mk
--- openldap-2.4.23.old/build/top.mk 2010-04-13 22:22:22.000000000 +0200
+++ openldap-2.4.23.new/build/top.mk 2010-08-25 15:58:18.477648731 +0200
@@ -201,7 +201,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@
SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@
SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@
-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS)
+SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS)
# Our Defaults
CC = $(AC_CC)

View File

@ -0,0 +1,17 @@
Normally, skips reading of user configuration file when running with different effective UID.
This patch adds the same behavior for GID.
Author: Nalin Dahyabhai <nalin@redhat.com>
diff -uNPrp openldap-2.4.23.old/libraries/libldap/init.c openldap-2.4.23.new/libraries/libldap/init.c
--- openldap-2.4.23.old/libraries/libldap/init.c 2010-04-13 22:22:57.000000000 +0200
+++ openldap-2.4.23.new/libraries/libldap/init.c 2010-08-24 17:25:07.207682002 +0200
@@ -663,7 +663,7 @@ void ldap_int_initialize( struct ldapopt
openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
#ifdef HAVE_GETEUID
- if ( geteuid() != getuid() )
+ if ( geteuid() != getuid() || getegid() != getgid() )
return;
#endif

View File

@ -1,59 +1,52 @@
# We distribute own version of Berkeley DB to prevent # TODO: add make test after build
# problems on db4.rpm upgrade - some versions of db4 do
# not work with some versions of OpenLDAP.
%define db_version 4.8.26
%define ldbm_backend berkeley %define ldbm_backend berkeley
%define version 2.4.22
%define evolution_connector_prefix %{_libdir}/evolution-openldap %define evolution_connector_prefix %{_libdir}/evolution-openldap
%define evolution_connector_includedir %{evolution_connector_prefix}/include %define evolution_connector_includedir %{evolution_connector_prefix}/include
%define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib} %define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib}
Summary: LDAP support libraries
Name: openldap Name: openldap
Version: %{version} Version: 2.4.23
Release: 7%{?dist} Release: 1%{?dist}
License: OpenLDAP Summary: LDAP support libraries
Group: System Environment/Daemons Group: System Environment/Daemons
Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz License: OpenLDAP
Source1: http://download.oracle.com/berkeley-db/db-%{db_version}.tar.gz
Source3: README.migration
Source4: ldap.init
Source5: migration-tools.txt
Source6: autofs.schema
Source7: README.upgrading
Source9: README.evolution
Source10: ldap.sysconfig
# Patches for 2.4
Patch0: openldap-2.4.6-config.patch
Patch1: openldap-2.0.11-ldaprc.patch
Patch2: openldap-2.2.13-setugid.patch
Patch3: openldap-2.4.6-pie.patch
Patch4: openldap-2.3.11-toollinks.patch
Patch5: openldap-2.4.6-nosql.patch
Patch6: openldap-2.3.19-gethostbyXXXX_r.patch
Patch9: openldap-2.3.37-smbk5pwd.patch
Patch10: openldap-2.4.6-multilib.patch
Patch11: openldap-2.4.16-doc-cacertdir.patch
Patch12: openldap-2.4.21-dn2id-segfault.patch
Patch13: openldap-2.4.22-ldif_h.patch
Patch14: openldap-2.4.22-libldif.patch
Patch15: openldap-2.4.22-modrdn-segfault.patch
Patch16: openldap-2.4.23-selfsignedcacert.patch
Patch17: openldap-2.4.22-initauthtoken.patch
# Patches for the evolution library
Patch200: openldap-2.4.6-evolution-ntlm.patch
URL: http://www.openldap.org/ URL: http://www.openldap.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-root Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
BuildRequires: cyrus-sasl-devel >= 2.1, gdbm-devel, libtool >= 1.5.6-2, krb5-devel Source1: ldap.init
BuildRequires: openssl-devel, pam-devel, perl, pkgconfig, tcp_wrappers-devel, Source2: ldap.sysconfig
BuildRequires: unixODBC-devel, libtool-ltdl-devel, groff Source3: autofs.schema
BuildRequires: nss-devel Source4: migration-tools.txt
Requires: glibc >= 2.2.3-48, mktemp Source5: README.migration
Obsoletes: compat-openldap < 2.4 Source6: README.upgrading
Source7: README.evolution
# patches for 2.4
Patch0: openldap-slapd-conf.patch
Patch1: openldap-manpages.patch
Patch2: openldap-security-pie.patch
Patch3: openldap-sql-linking.patch
Patch4: openldap-reentrant-gethostby.patch
Patch5: openldap-export-ldif.patch
Patch6: openldap-smbk5pwd-overlay.patch
Patch7: openldap-ldaprc-currentdir.patch
Patch8: openldap-userconfig-setgid.patch
# already merged upstream
Patch100: openldap-nss-ca-selfsigned.patch
Patch101: openldap-nss-delay-token-auth.patch
# patches for the evolution library (see README.evolution)
Patch200: openldap-evolution-ntlm.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: cyrus-sasl-devel >= 2.1, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl
# smbk5pwd overlay:
BuildRequires: openssl-devel
Obsoletes: compat-openldap < 2.4
# provide ldif2ldbm functionality for migrationtools # provide ldif2ldbm functionality for migrationtools
Provides: ldif2ldbm Provides: ldif2ldbm
@ -82,9 +75,12 @@ customized LDAP clients.
%package servers %package servers
Summary: LDAP server Summary: LDAP server
# OpenLDAP server includes Berkeley DB library, which is licensed under Sleepycat and BSD licenses) License: OpenLDAP
License: OpenLDAP and (Sleepycat and BSD) Requires: openldap = %{version}-%{release}, openssl
Requires: fileutils, make, openldap = %{version}-%{release}, openssl, /usr/sbin/useradd, /usr/sbin/groupadd, /sbin/chkconfig, /sbin/runuser Requires(pre): shadow-utils
Requires(post): chkconfig, /sbin/runuser, make
Requires(preun): chkconfig
BuildRequires: db4-devel >= 4.4, db4-devel <= 4.8
Group: System Environment/Daemons Group: System Environment/Daemons
%description servers %description servers
@ -124,101 +120,74 @@ over the Internet. The openldap-clients package contains the client
programs needed for accessing and modifying OpenLDAP directories. programs needed for accessing and modifying OpenLDAP directories.
%prep %prep
%setup -q -c -a 1 %setup -q -c -a 0
# setup tree for openldap
pushd openldap-%{version} pushd openldap-%{version}
%patch0 -p1 -b .config %patch0 -p1 -b .config
%patch1 -p1 -b .ldaprc %patch1 -p1 -b .manpages
%patch2 -p1 -b .setugid %patch2 -p1 -b .security-pie
%patch3 -p1 -b .pie %patch3 -p1 -b .sql-linking
%patch4 -p1 -b .toollinks %patch4 -p1 -b .reentrant-gethostby
%patch5 -p1 -b .nosql %patch5 -p1 -b .export-ldif
%patch6 -p1 -b .gethostbyname_r %patch6 -p1 -b .smbk5pwd-overlay
%patch9 -p1 -b .smbk5pwd %patch7 -p1 -b .ldaprc-currentdir
%patch10 -p1 -b .multilib %patch8 -p1 -b .userconfig-setgid
%patch11 -p1 -b .cacertdir
%patch12 -p1 -b .segfault %patch100 -p1 -b .nss-ca-selfsigned
%patch13 -p1 -b .ldif_h %patch101 -p1 -b .nss-delay-token-auth
%patch14 -p1 -b .libldif
%patch15 -p1 -b .modrdn-segfault
%patch16 -p1 -b .selfsignedcacert
%patch17 -p1 -b .initauthtoken
cp %{_datadir}/libtool/config/config.{sub,guess} build/ cp %{_datadir}/libtool/config/config.{sub,guess} build/
for subdir in build-servers build-clients ; do
mkdir $subdir
ln -s ../configure $subdir
done
# build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
popd popd
# Set up a build tree for a static version of libldap with the hooks for the # setup tree for openldap with evolution-specific patches
# non-standard NTLM bind type which is needed to connect to Win2k GC servers
# (Win2k3 supports SASL with DIGEST-MD5, so this shouldn't be needed for those
# servers, though as of version 1.4 the connector doesn't try SASL first).
if ! cp -al openldap-%{version} evo-openldap-%{version} ; then if ! cp -al openldap-%{version} evo-openldap-%{version} ; then
rm -fr evo-openldap-%{version} rm -fr evo-openldap-%{version}
cp -a openldap-%{version} evo-openldap-%{version} cp -a openldap-%{version} evo-openldap-%{version}
fi fi
pushd evo-openldap-%{version} pushd evo-openldap-%{version}
%patch200 -p1 -b .evolution-ntlm %patch200 -p1 -b .evolution-ntlm
popd popd
pushd openldap-%{version}
for subdir in build-servers build-clients ; do
mkdir $subdir
ln -s ../configure $subdir
done
# build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
popd
%build %build
dbdir=`pwd`/db-instroot
libtool='%{_bindir}/libtool' libtool='%{_bindir}/libtool'
tagname=CC; export tagname export tagname=CC
%ifarch ia64 %ifarch ia64
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -O0" RPM_OPT_FLAGS="$RPM_OPT_FLAGS -O0"
%endif %endif
# Set CFLAGS to incorporate RPM_OPT_FLAGS. export CPPFLAGS="-I%_includedir/nss3 -I%_includedir/nspr4"
CFLAGS="$RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS export CFLAGS="$RPM_OPT_FLAGS $CPPFLAGS -fPIC -D_REENTRANT -DLDAP_CONNECTIONLESS -D_GNU_SOURCE -DHAVE_TLS -DHAVE_MOZNSS -DSLAPD_LMHASH"
export NSS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
# Build Berkeley DB and install it into a temporary area, isolating OpenLDAP export LIBS=""
# from any future changes to the system-wide Berkeley DB library. Version 4.2
# or later is required by the BDB backend in OpenLDAP 2.1 and later.
install -d db-%{db_version}/build-rpm
pushd db-%{db_version}/build-rpm
../dist/configure -C \
--with-pic \
--disable-static \
--enable-shared \
--with-uniquename=_openldap_slapd_46 \
--prefix=${dbdir} \
--includedir=${dbdir}/include \
--libdir=${dbdir}/%{_lib}${subdir:+/${subdir}}
# fix libtool: no rpath
perl -pi -e 's|hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=\"-L\\\$libdir\"|g;' libtool
make %{_smp_mflags} libdb_base=libslapd_db libso_base=libslapd_db
make install libdb_base=libslapd_db libso_base=libslapd_db strip="false"
ln -sf libslapd_db.so ${dbdir}/%{_lib}/${subdir}/libdb.so
popd
export CPPFLAGS="-I${dbdir}/include -I%_includedir/nss3 -I%_includedir/nspr4"
export CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -DLDAP_CONNECTIONLESS -fPIC -D_GNU_SOURCE -DHAVE_TLS -DHAVE_MOZNSS -DSLAPD_LMHASH"
export LDFLAGS="-L${dbdir}/%{_lib}"
export LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
MOZNSS_TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
export LIBS="$MOZNSS_TLS_LIBS"
build() { build() {
%configure \ %configure \
--with-threads=posix \ --with-threads=posix \
\ \
--enable-local --enable-rlookups \ --enable-local \
--enable-rlookups \
\ \
--with-tls=no \ --with-tls=no \
--with-cyrus-sasl \ --with-cyrus-sasl \
\ \
--enable-wrappers \ --with-wrappers \
\ \
--enable-passwd \ --enable-passwd \
\ \
@ -231,24 +200,27 @@ build() {
\ \
--libexecdir=%{_libdir} \ --libexecdir=%{_libdir} \
$@ $@
# HACK HACK HACK
# openldap uses #include <nss/somemoznssfile.h> # allow #include <nss/file.h> and <nspr/file.h>
# this doesn't work on fedora and similar which uses /usr/include/nss3
# so we have to fake it out
pushd include pushd include
if [ ! -d nss ] ; then if [ ! -d nss ] ; then
ln -s %_includedir/nss3 nss ln -s %{_includedir}/nss3 nss
fi fi
if [ ! -d nspr ] ; then if [ ! -d nspr ] ; then
ln -s %_includedir/nspr4 nspr ln -s %{_includedir}/nspr4 nspr
fi fi
popd popd
make %{_smp_mflags} LIBTOOL="$libtool" make %{_smp_mflags} LIBTOOL="$libtool"
} }
# Build the servers with Kerberos support (for password checking, mainly). # Kerberos support:
LIBS="$LIBS -lpthread"; export LIBS # - enabled in server (mainly for password checking)
LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}; export LD_LIBRARY_PATH # - disabled in clients (not needed, to avoid stray dependencies)
# build servers
export LIBS="$NSS_LIBS -lpthread"
pushd openldap-%{version}/build-servers pushd openldap-%{version}/build-servers
build \ build \
--enable-plugins \ --enable-plugins \
@ -273,12 +245,10 @@ build \
--disable-dynamic \ --disable-dynamic \
--with-kerberos=k5only \ --with-kerberos=k5only \
--enable-overlays=mod --enable-overlays=mod
unset LIBS
popd popd
# Build clients without Kerberos password-checking support, which is only # build clients
# useful in the server anyway, to avoid stray dependencies. export LIBS="$NSS_LIBS"
export LIBS="$MOZNSS_TLS_LIBS"
pushd openldap-%{version}/build-clients pushd openldap-%{version}/build-clients
build \ build \
--disable-slapd \ --disable-slapd \
@ -288,8 +258,8 @@ build \
--with-pic --with-pic
popd popd
# Build evolution-specific clients just as we would normal clients, except with # build evolution-specific clients
# a different installation directory in mind and no shared libraries. # (specific patch, different installation directory, no shared libraries)
pushd evo-openldap-%{version} pushd evo-openldap-%{version}
build \ build \
--disable-slapd \ --disable-slapd \
@ -303,224 +273,180 @@ build \
popd popd
%install %install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT rm -rf %{buildroot}
libtool='%{_bindir}/libtool' libtool='%{_bindir}/libtool'
tagname=CC; export tagname export tagname=CC
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/ mkdir -p %{buildroot}/%{_libdir}/
pushd db-instroot/%{_lib}/
install -d $RPM_BUILD_ROOT/%{_libdir}/
install -m755 libslapd_db-*.*.so $RPM_BUILD_ROOT/%{_libdir}/
popd
pushd db-%{db_version}
mv LICENSE LICENSE.bdb-backend
popd
# install servers
pushd openldap-%{version}/build-servers pushd openldap-%{version}/build-servers
make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} LIBTOOL="$libtool" STRIP="" make install DESTDIR=%{buildroot} \
libdir=%{_libdir} \
LIBTOOL="$libtool" \
STRIP=""
popd popd
# Install the bdb maintenance tools. # install evolution-specific clients (conflicting files will be overwriten by generic version)
pushd db-instroot/bin
for binary in db_* ; do
install -m755 ${binary} $RPM_BUILD_ROOT/%{_sbindir}/slapd_${binary}
done
popd
# Install clients and shared libraries. Install the evo-specific versions
# first so that any conflicting files are overwritten by generic versions.
pushd evo-openldap-%{version} pushd evo-openldap-%{version}
make install DESTDIR=$RPM_BUILD_ROOT \ make install DESTDIR=%{buildroot} \
includedir=%{evolution_connector_includedir} \ includedir=%{evolution_connector_includedir} \
libdir=%{evolution_connector_libdir} \ libdir=%{evolution_connector_libdir} \
LIBTOOL="$libtool" \ LIBTOOL="$libtool" \
STRIP="" STRIP=""
install -m 644 %SOURCE7 \
install -m644 %SOURCE9 \ %{buildroot}/%{evolution_connector_prefix}/
$RPM_BUILD_ROOT/%{evolution_connector_prefix}/
popd popd
# install clients
pushd openldap-%{version}/build-clients pushd openldap-%{version}/build-clients
make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} LIBTOOL="$libtool" STRIP="" make install DESTDIR=%{buildroot} \
libdir=%{_libdir} \
LIBTOOL="$libtool" \
STRIP=""
popd popd
# Create this directory so that authconfig setting TLS_CACERT to # setup directories for TLS certificates
# /etc/openldap/cacerts doesn't cause TLS startup of any kind to fail mkdir -p %{buildroot}%{_sysconfdir}/openldap/cacerts
# when the directory doesn't exist. mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/openldap/cacerts
# make sure the certs directory exists
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
# Touch the dummy slapd.pem to make rpmbuild happy
touch $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/slapd.pem
install -m 644 %SOURCE7 README.upgrading # install additional documentation
install -m 644 %SOURCE3 README.migration install -m 644 %SOURCE5 README.migration
install -m 644 %SOURCE6 README.upgrading
# Create the data directory. # setup data and runtime directories
mkdir -p $RPM_BUILD_ROOT/var/lib/ldap mkdir -p %{buildroot}/var/lib/ldap
# Create the new run directory mkdir -p %{buildroot}/var/run/openldap
mkdir -p $RPM_BUILD_ROOT/var/run/openldap
# Hack the build root out of the default config files. # remove build root from config files and manual pages
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/*.conf perl -pi -e "s|%{buildroot}||g" %{buildroot}/%{_sysconfdir}/openldap/*.conf
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
# Get the buildroot out of the man pages. # we don't need the default files -- RPM handles changes
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/*/*.* rm -f %{buildroot}/%{_sysconfdir}/openldap/*.default
rm -f %{buildroot}/%{_sysconfdir}/openldap/schema/*.default
# We don't need the default files -- RPM handles changes. # install an init script for the servers
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/*.default mkdir -p %{buildroot}%{_sysconfdir}/rc.d/init.d
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/schema/*.default install -m 755 %SOURCE1 %{buildroot}%{_sysconfdir}/rc.d/init.d/slapd
# Install an init script for the servers. # install syconfig/ldap
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
install -m 755 %SOURCE4 $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/slapd install -m 644 %SOURCE2 %{buildroot}%{_sysconfdir}/sysconfig/ldap
# Install syconfig/ldap # add some more schema for the sake of migration scripts
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig install -d -m755 %{buildroot}%{_sysconfdir}/openldap/schema/redhat
install -m 644 %SOURCE10 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/ldap install -m644 %SOURCE3 \
%{buildroot}%{_sysconfdir}/openldap/schema/redhat/
# Add some more schema for the sake of migration scripts. # move slapd out of _libdir
install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat mv %{buildroot}/%{_libdir}/slapd %{buildroot}/%{_sbindir}/
install -m644 %SOURCE6 \
$RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat/
# Move slapd and slurpd out of _libdir # setup tools as symlinks to slapd
mv $RPM_BUILD_ROOT/%{_libdir}/slapd $RPM_BUILD_ROOT/%{_sbindir}/ rm -f %{buildroot}/%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
rm -f $RPM_BUILD_ROOT/%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} rm -f %{buildroot}/%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
rm -f $RPM_BUILD_ROOT/%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema} for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}/%{_sbindir}/slap$X ; done
for X in acl add auth cat dn index passwd test schema; do ln -s slapd $RPM_BUILD_ROOT/%{_sbindir}/slap$X ; done
# Tweak permissions on the libraries to make sure they're correct. # tweak permissions on the libraries to make sure they're correct
chmod 755 $RPM_BUILD_ROOT/%{_libdir}/lib*.so* chmod 755 %{buildroot}/%{_libdir}/lib*.so*
chmod 644 $RPM_BUILD_ROOT/%{_libdir}/lib*.*a chmod 644 %{buildroot}/%{_libdir}/lib*.*a
# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5) # slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
# new configuration will be generated in %post # new configuration will be generated in %post
mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openldap-servers mkdir -p %{buildroot}/%{_datadir}/openldap-servers
mkdir $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d mkdir %{buildroot}/%{_sysconfdir}/openldap/slapd.d
mv $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.conf $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete mv %{buildroot}/%{_sysconfdir}/openldap/slapd.conf %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete
chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete chmod 0644 %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete
# Move doc files out of _sysconfdir # move doc files out of _sysconfdir
mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/README README.schema mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}/%{_datadir}/openldap-servers/DB_CONFIG.example
chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh
chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example chmod 0644 %{buildroot}/%{_datadir}/openldap-servers/DB_CONFIG.example
# Remove files which we don't want packaged. # remove files which we don't want packaged
rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la rm -f %{buildroot}/%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT/%{_libdir}/*.a rm -f %{buildroot}/%{_libdir}/*.a
rm -f $RPM_BUILD_ROOT/%{evolution_connector_libdir}/*.la rm -f %{buildroot}/%{evolution_connector_libdir}/*.la
rm -f $RPM_BUILD_ROOT/%{evolution_connector_libdir}/*.so* rm -f %{buildroot}/%{evolution_connector_libdir}/*.so*
rm -f $RPM_BUILD_ROOT/%{_libdir}/openldap/*.a rm -f %{buildroot}/%{_libdir}/openldap/*.a
rm -f $RPM_BUILD_ROOT/%{_libdir}/openldap/*.so rm -f %{buildroot}/%{_libdir}/openldap/*.so
rm -f $RPM_BUILD_ROOT%{_localstatedir}/openldap-data/DB_CONFIG.example rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
rmdir $RPM_BUILD_ROOT%{_localstatedir}/openldap-data rmdir %{buildroot}%{_localstatedir}/openldap-data
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf %{buildroot}
%post -p /sbin/ldconfig %post -p /sbin/ldconfig
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
%pre servers %pre servers
# Take care to only do ownership-changing if we're adding the user.
getent group ldap > /dev/null || \ # create ldap user and group
/usr/sbin/groupadd -r -g 55 ldap getent group ldap >/dev/null || groupadd -r -g 55 ldap
if /usr/sbin/useradd -c "LDAP User" -u 55 -g ldap \ if ! getent passwd ldap >/dev/null; then
-s /sbin/nologin -r -d /var/lib/ldap ldap 2> /dev/null ; then useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "LDAP User" ldap
if [ -d /var/lib/ldap ] ; then # setup ownership of database files
for dbfile in /var/lib/ldap/* ; do if [ -d /var/lib/ldap ] ; then
if [ -f $dbfile ] ; then for dbfile in /var/lib/ldap/* ; do
chown ldap:ldap $dbfile if [ -f $dbfile ] ; then
fi chown ldap:ldap $dbfile
done fi
fi done
fi
fi fi
if [ "$1" = "2" ]; then # upgrade
# guess, if database upgrade is necessary if [ $1 -eq 2 ]; then
OLD_BDB_VERSION=$( slapd_db_upgrade -V | sed 's/.* \([0-9\.]*\)\.[0-9]*:.*/\1/' ) # safe way to migrate the database if minor version number changed (2.x -> 2.y)
NEW_BDB_VERSION=$( echo %{db_version} | sed 's/.[0-9]*$//' ) # http://www.openldap.org/doc/admin24/maintenance.html
OLD_SLAPD_VERSION=$( rpm -q --qf "%{VERSION}" openldap-servers | sed 's/\.[0-9]*$//' ) old_version=$(rpm -q --qf=%%{version} openldap-servers | sed 's/\.[0-9]*$//')
NEW_SLAPD_VERSION=$( echo %{version} | sed 's/\.[0-9]*$//' ) new_version=$(sed 's/\.[0-9]*$//' <<< %{version})
# we need to detect how is the init script named
# - in older versions ldap
# - in newer versions slapd
if [ -f %{_initrddir}/ldap ]; then
SERVICE_NAME=ldap
elif [ -f %{_initrddir}/slapd ]; then
SERVICE_NAME=slapd
fi
if [ "$OLD_SLAPD_VERSION" != "$NEW_SLAPD_VERSION" ]; then if [ "$old_version" != "$new_version" ]; then
# Minor version number has changed -> slapcat/slapadd of the BDB database pushd %{_sharedstatedir}/ldap
# is necessary. Save an ldif of the database where the "% post servers"
# scriptlet can restore it. Also save the database files to a "rpmorig"
# directory - Just In Case (TM)
# stop the server # stop the service
if /sbin/service $SERVICE_NAME status &>/dev/null; then if service slapd status &>/dev/null; then
touch /var/lib/ldap/need_start touch need_start
/sbin/service $SERVICE_NAME stop &>/dev/null service slapd stop
fi else
rm -f need_start
fi
files=$(echo /var/lib/ldap/{log.*,__db.*,[a]lock}) if ls __db.* &>/dev/null; then
if [ "$files" != '/var/lib/ldap/log.* /var/lib/ldap/__db.* /var/lib/ldap/[a]lock' ] ; then # export the database
if /usr/sbin/slapcat -l /var/lib/ldap/upgrade.ldif > /dev/null 2>&1 ; then if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
if [ -f /var/lib/ldap/upgrade.ldif ] ; then slapcat -f %{_sysconfdir}/openldap/slapd.conf -l upgrade.ldif &>/dev/null
/bin/rm -fr /var/lib/ldap/rpmorig > /dev/null 2>&1 || : else
mkdir /var/lib/ldap/rpmorig slapcat -F %{_sysconfdir}/openldap/slapd.d -l upgrade.ldif &>/dev/null
mv /var/lib/ldap/{alock,*.bdb,__db.*,log.*} /var/lib/ldap/rpmorig > /dev/null 2>&1 || : fi
cp -f /var/lib/ldap/DB_CONFIG /var/lib/ldap/rpmorig > /dev/null 2>&1 || :
else
/bin/rm -f /var/lib/ldap/upgrade.ldif
fi
fi
fi
else
if [ "$OLD_BDB_VERSION" != "$NEW_BDB_VERSION" ]; then
# Minor version number of bdb has changed -> run db_upgrade in % post script
# stop the server # backup the old database
if /sbin/service $SERVICE_NAME status &>/dev/null; then if [ $? -eq 0 ]; then
touch /var/lib/ldap/need_start rm -rf rpmorig
/sbin/service $SERVICE_NAME stop &>/dev/null mv alock *.bdb __db.* log.* rpmorig &>/dev/null || :
fi cp -f rpmorig/DB_CONFIG . &>/dev/null || :
else
rm -f upgrade.ldif
fi
fi
# Ensure, that the database is correct popd
/sbin/runuser -m -s /usr/sbin/slapd_db_recover -- "ldap" -h /var/lib/ldap &>/dev/null fi
# Just create /var/lib/ldap/need_db_upgrade so % post knows
touch /var/lib/ldap/need_db_upgrade &>/dev/null
fi
fi
fi fi
exit 0 exit 0
%post servers %post servers
/sbin/ldconfig /sbin/ldconfig
/sbin/chkconfig --add slapd /sbin/chkconfig --add slapd
# If there's a /var/lib/ldap/upgrade.ldif file, slapadd it and delete it.
# It was created by the % pre above.
if [ -f /var/lib/ldap/upgrade.ldif ] ; then
/sbin/runuser -m -s /usr/sbin/slapadd -- "ldap" -l /var/lib/ldap/upgrade.ldif > /dev/null 2>&1
rm -f /var/lib/ldap/upgrade.ldif
fi
# If there's a /var/lib/ldap/need_db_upgrade file, run db_upgrade and delete it.
# It was created by the % pre above.
if [ -f /var/lib/ldap/need_db_upgrade ]; then
if ls /var/lib/ldap/*.bdb > /dev/null 2>&1; then
/sbin/runuser -m -s /usr/sbin/slapd_db_upgrade -- "ldap" -h /var/lib/ldap /var/lib/ldap/*.bdb
fi
/sbin/runuser -m -s /usr/sbin/slapd_db_checkpoint -- "ldap" -h /var/lib/ldap -1
rm -f /var/lib/ldap/need_db_upgrade
fi
# generate sample TLS certificates
if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then
pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1 pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1
umask 077 umask 077
@ -538,18 +464,20 @@ chmod 640 slapd.pem
popd popd
fi fi
if [ `find %{_sysconfdir}/openldap/slapd.d -maxdepth 0 -empty | wc -l` = "1" ]; then # generate configuration in slapd.d
# configuration in slapd.d not available if ! ls -d %{_sysconfdir}/openldap/slapd.d/* &>/dev/null; then
# fresh installation
[ ! -f %{_sysconfdir}/openldap/slapd.conf ] [ ! -f %{_sysconfdir}/openldap/slapd.conf ]
fresh_install=$? fresh_install=$?
[ $fresh_install -eq 0 ] && \ [ $fresh_install -eq 0 ] && \
cp %{_datadir}/openldap-servers/slapd.conf.obsolete %{_sysconfdir}/openldap/slapd.conf cp %{_datadir}/openldap-servers/slapd.conf.obsolete %{_sysconfdir}/openldap/slapd.conf
# convert from old style config slapd.conf
mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
mkdir -p %{_sysconfdir}/openldap/slapd.d/ mkdir -p %{_sysconfdir}/openldap/slapd.d/
lines=`egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1` lines=$(egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1)
lines=$(($lines-1)) lines=$(($lines-1))
head -n $lines %{_sysconfdir}/openldap/slapd.conf.bak > %{_sysconfdir}/openldap/slapd.conf head -n $lines %{_sysconfdir}/openldap/slapd.conf.bak > %{_sysconfdir}/openldap/slapd.conf
cat >> %{_sysconfdir}/openldap/slapd.conf << EOF cat >> %{_sysconfdir}/openldap/slapd.conf << EOF
@ -557,7 +485,7 @@ database config
rootdn "cn=admin,cn=config" rootdn "cn=admin,cn=config"
#rootpw secret #rootpw secret
EOF EOF
lines_r=`wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" "` lines_r=$(wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" ")
lines_r=$(($lines_r-$lines)) lines_r=$(($lines_r-$lines))
tail -n $lines_r %{_sysconfdir}/openldap/slapd.conf.bak >> %{_sysconfdir}/openldap/slapd.conf tail -n $lines_r %{_sysconfdir}/openldap/slapd.conf.bak >> %{_sysconfdir}/openldap/slapd.conf
slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2> /dev/null slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2> /dev/null
@ -570,26 +498,31 @@ EOF
[ $fresh_install -eq 0 ] && rm -f %{_sysconfdir}/openldap/slapd.conf.bak [ $fresh_install -eq 0 ] && rm -f %{_sysconfdir}/openldap/slapd.conf.bak
fi fi
if [ $1 -ge 1 ] ; then # finish database migration (see %pre)
/sbin/service slapd condrestart &>/dev/null if [ -f %{_sharedstatedir}/ldap/upgrade.ldif ]; then
/sbin/service slapd status &>/dev/null runuser -m -s /usr/sbin/slapadd -- ldap -l %{_sharedstatedir}/ldap/upgrade.ldif &>/dev/null
if [ "$?" != "0" -a -f /var/lib/ldap/need_start ]; then rm -f %{_sharedstatedir}/ldap/upgrade.ldif
/sbin/service slapd start &>/dev/null fi
rm -f /var/lib/ldap/need_start &>/dev/null
fi # restart after upgrade
if [ $1 -ge 1 ]; then
if [ -f %{_sharedstatedir}/ldap/need_start ]; then
service slapd start
rm -f %{_sharedstatedir}/ldap/need_start
else
/sbin/service slapd condrestart
fi
fi fi
exit 0 exit 0
%preun servers %preun servers
if [ "$1" = "0" ] ; then if [ $1 -eq 0 ] ; then
/sbin/service slapd stop > /dev/null 2>&1 || : /sbin/service slapd stop > /dev/null 2>&1 || :
/sbin/chkconfig --del slapd /sbin/chkconfig --del slapd
# Openldap-servers are being removed from system.
# Do not touch the database! Older versions of this # openldap-servers are being removed from system
# package attempted to store database in LDIF format, so # do not touch the database!
# it can be restored later - but it's up to the administrator
# to save the database, if he/she wants so.
fi fi
%postun servers %postun servers
@ -599,6 +532,58 @@ fi
%postun devel -p /sbin/ldconfig %postun devel -p /sbin/ldconfig
%triggerin servers -- db4
# db4 upgrade (see %triggerun)
if [ $2 -eq 2 ]; then
pushd %{_sharedstatedir}/ldap
# we are interested in minor version changes (both versions of db4 are installed at this moment)
if [ "$(rpm -q --qf="%%{version}\n" db4 | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then
# stop the service
if service slapd status &>/dev/null; then
touch need_start
service slapd stop
fi
# ensure the database is consistent
runuser -m -s /usr/sbin/db_recover -- "ldap" -h %{_sharedstatedir}/ldap &>/dev/null
# upgrade will be performed after removing old db4
touch upgrade_db4
else
rm -f upgrade_db4
fi
popd
fi
exit 0
%triggerun servers -- db4
# db4 upgrade (see %triggerin)
if [ -f %{_sharedstatedir}/ldap/upgrade_db4 ]; then
pushd %{_sharedstatedir}/ldap
# perform the upgrade
if ls *.bdb &>/dev/null; then
runuser -m -s /usr/bin/db_upgrade -- "ldap" -h %{_sharedstatedir}/ldap %{_sharedstatedir}/ldap/*.bdb
runuser -m -s /usr/bin/db_checkpoint -- "ldap" -h %{_sharedstatedir}/ldap -1
fi
# start the service
if [ -f need_start ]; then
service slapd start
rm -f need_start
fi
rm -f upgrade_db4
popd
fi
exit 0
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%doc openldap-%{version}/ANNOUNCEMENT %doc openldap-%{version}/ANNOUNCEMENT
@ -618,14 +603,13 @@ fi
%files servers %files servers
%defattr(-,root,root) %defattr(-,root,root)
%doc db-%{db_version}/LICENSE.bdb-backend
%doc README.upgrading %doc README.upgrading
%doc README.migration %doc README.migration
%doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd %doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd
%doc openldap-%{version}/doc/guide/admin/*.html %doc openldap-%{version}/doc/guide/admin/*.html
%doc openldap-%{version}/doc/guide/admin/*.png %doc openldap-%{version}/doc/guide/admin/*.png
%doc README.schema %doc README.schema
%ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem %attr(0640,root,ldap) %ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem
%attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd %attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd
%attr(0750,ldap,ldap) %dir %config(noreplace) %{_sysconfdir}/openldap/slapd.d %attr(0750,ldap,ldap) %dir %config(noreplace) %{_sysconfdir}/openldap/slapd.d
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ldap %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ldap
@ -640,7 +624,6 @@ fi
%attr(0644,root,root) %{_mandir}/man5/slapo-*.5* %attr(0644,root,root) %{_mandir}/man5/slapo-*.5*
%attr(0700,ldap,ldap) %dir /var/lib/ldap %attr(0700,ldap,ldap) %dir /var/lib/ldap
%attr(0755,ldap,ldap) %dir /var/run/openldap %attr(0755,ldap,ldap) %dir /var/run/openldap
%attr(0755,root,root) %{_libdir}/libslapd_db-*.*.so
%attr(0755,root,root) %dir %{_libdir}/openldap %attr(0755,root,root) %dir %{_libdir}/openldap
%attr(0755,root,root) %{_libdir}/openldap/[^b]* %attr(0755,root,root) %{_libdir}/openldap/[^b]*
%attr(0755,root,root) %dir %{_datadir}/openldap-servers %attr(0755,root,root) %dir %{_datadir}/openldap-servers
@ -675,6 +658,11 @@ fi
%attr(0644,root,root) %{evolution_connector_libdir}/*.a %attr(0644,root,root) %{evolution_connector_libdir}/*.a
%changelog %changelog
* Fri Aug 27 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-1
- rebase to 2.4.23
- embeded db4 library removed
- removed bogus links in "SEE ALSO" in several man-pages (#624616)
* Thu Jul 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.22-7 * Thu Jul 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.22-7
- Mozilla NSS - delay token auth until needed (#616552) - Mozilla NSS - delay token auth until needed (#616552)
- Mozilla NSS - support use of self signed CA certs as server certs (#614545) - Mozilla NSS - support use of self signed CA certs as server certs (#614545)