- update to 2.2.23 (stable-20050125)

- update notes on upgrading from earlier versions
- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files
- warn about unreadable krb5 keytab files containing "ldap" keys
- warn about unreadable TLS-related files
- own a ref to subdirectories which we create under %%{_libdir}/tls

.cvsignore

@@ -7,3 +7,6 @@ openldap-2.0.27.tgz
 openldap-2.1.30.tgz
 openldap-2.2.13.tgz
 openldap-2.2.17.tgz
+openldap-2.2.20.tgz
+db-4.3.27.tar.gz
+openldap-2.2.23.tgz

README.upgrading

@@ -1,10 +1,68 @@
-The OpenLDAP on-disk format has changed between the 2.0.x and 2.1.x releases.
+Before upgrading from OpenLDAP 2.0 or 2.1 to OpenLDAP 2.2, the system
+administrator should dump out the contents of the the directory server's
+databases using the 'slapcat' utility included in the openldap-servers package
+and save the LDIF files which it produces.
 
-If you are upgrading a server from OpenLDAP 2.0.x, you will very need to dump
-out your directory to a text file using "slapcat -n" before upgrading and
-re-import the entries into the new format using "slapadd" after the upgrade.
+After the upgrade is complete, the data can be re-imported using the 'slapadd'
+utility.  Some data which was exported from an OpenLDAP 2.0 server may not
+import directly into an OpenLDAP 2.2 server.  If this happens, check for these
+common problems:
 
-Because schema checking is now more restrictive, some entries may not import
-cleanly.  In particular, if you have used previous versions of the migration
-scripts, some of the entries (particularly oncRpc objects) may be missing
-"description" attributes which are now required by the schema.
+  * Missing parent entries.
+    Entries in the directory are no longer allowed to be children of entries
+    which are not present in the directory.  For example, earlier releases
+    would allow an entry with distinguished name (DN)
+    "cn=foo,dc=devel,dc=example,dc=com" to be imported into a database for
+    suffix "dc=example,dc=com" which contained neither an entry for
+    "dc=devel,dc=example,dc=com" nor an entry for "dc=example,dc=com".
+
+  * Deprecated objectclasses and attribute types.
+    Entries of these classes should be replaced by entries of a different
+    class.
+     * the automountMap objectclass
+       Use the nisMap objectclass instead, replacing these old attributes
+       with new attributes:
+       +====================================+
+       | old attribute	    new attribute   |
+       |------------------------------------|
+       | ou		    nisMapName      |
+       +====================================+
+     * the automount objectclass
+       Use the nisObject objectclass instead, replacing these old attributes
+       with new attributes:
+       +====================================+
+       | old attribute	      new attribute |
+       |------------------------------------|
+       | cn                   cn            |
+       | automountInformation nisMapEntry   |
+       | (no counterpart)     nisMapName    |
+       +====================================+
+
+  * Missing objectclass definitions.
+    Some objectclasses are no longer defined because they are no longer used.
+    Remove the objectclass from the entry's list of objectclasses, and
+    remove any values for attributes which are unique to that objectclass.
+    These include:
+     * the "kerberosSecurityObject" objectclass and the "krbName" attribute
+     * the "dynamicObject" objectclass
+     * the "LDAPsubEntry" objectclass
+
+  * Missing attribute values.
+    Some objectclass definitions mark a given attribute as both optional (MAY)
+    and required (MUST).  While such attributes may have been treated as
+    optional before, they are now treated as required.  Some examples:
+     * the "ipProtocol" object class and its "description" attribute
+     * the "rpcService" object class and its "description" attribute
+     * the "oncRpc" object class and its "description" attribute
+     * the "residentialPerson" object class and its "localityName" attribute
+
+  * Structural vs. auxiliary objectclasses.
+    The set of objectclasses which any entry lists should include exactly one
+    STRUCTURAL class.  This requirement may not have been enforced in previous
+    releases.
+
+  * The entry does not contain its own RDN as an attribute-value pair.
+    The naming attribute and value used as the entry's relative distinguished
+    name (RDN) must be explicitly defined for the entry.  For example, an
+    entry named "cn=contrived,dc=example,dc=com" must include "contrived" as a
+    value for its "cn" attribute.

ldap.init

@@ -20,7 +20,7 @@ if [ -r /etc/sysconfig/network ] ; then
 fi
 
 # Source an auxiliary options file if we have one, and pick up OPTIONS,
-# SLAPD_OPTIONS, and SLURPD_OPTIONS.
+# SLAPD_OPTIONS, SLURPD_OPTIONS, and maybe KRB5_KTNAME.
 if [ -r /etc/sysconfig/ldap ] ; then
 	. /etc/sysconfig/ldap
 fi
@@ -33,7 +33,61 @@ slaptest=/usr/sbin/slaptest
 
 RETVAL=0
 
-function start() {
+#
+# Pass commands given in $2 and later to "test" run as user given in $1.
+#
+function testasuser() {
+    local user= cmd=
+    user="$1"
+    shift
+    cmd="$@"
+    if test x"$user" != x ; then
+        if test x"$cmd" != x ; then
+            /sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"
+        else
+            false
+        fi
+    else
+        false
+    fi
+}
+
+#
+# Check for read-access errors for the user given in $1 for a service named $2.
+# If $3 is specified, the command is run if "klist" can't be found.
+#
+function checkkeytab() {
+    local user= service= klist= default=
+    user="$1"
+    service="$2"
+    default="${3:-false}"
+    if test -x /usr/kerberos/bin/klist ; then
+        klist=/usr/kerberos/bin/klist
+    elif test -x /usr/bin/klist ; then
+        klist=/usr/bin/klist
+    fi
+    KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
+    if test -s "$KRB5_KTNAME" ; then
+        if test x"$klist" != x ; then
+            if LANG=C klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then
+                if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then
+                    true
+                else
+                    false
+                fi
+            else
+                false
+            fi
+        else
+            $default
+        fi
+    else
+        false
+    fi
+}
+
+function configtest() {
+	local user= ldapuid= dbdir= file=
         # Check for simple-but-common errors.
 	user=ldap
 	ldapuid=`id -u $user`
@@ -43,24 +97,33 @@ function start() {
 			echo -n $"$file is not owned by \"$user\"" ; warning ; echo
 		done
 	done
-	# Check the configuration file.
-        echo -n $"Checking configuration files for $prog: "
-	$slaptest
-	RETVAL=$?
-	if test $RETVAL -eq 0 ; then
-	    success
-	else
-	    failure
-	    exit 1
+	# Unaccessible keytab with an "ldap" key.
+	if checkkeytab $user ldap ; then
+		file=${KRB5_KTNAME:-/etc/krb5.keytab}
+		echo -n $"$file is not readable by \"$user\"" ; warning ; echo
 	fi
+	# Unaccessible TLS configuration files.
+	tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' /etc/openldap/slapd.conf | awk '{print $2}'`
+	for file in $tlsconfigs ; do
+		if ! testasuser $user -r $file ; then
+			echo -n $"$file is not readable by \"$user\"" ; warning ; echo
+		fi
+	done
+	# Check the configuration file.
+        action "Checking configuration files for $prog: " $slaptest || exit 1
+}
+
+function start() {
+	configtest
         # Start daemons.
+	user=ldap
 	prog=`basename ${slapd}`
         echo -n $"Starting $prog: "
 	if grep -q ^TLS /etc/openldap/slapd.conf ; then
-	    daemon ${slapd} -u ldap -h '"ldap:/// ldaps:///"' $OPTIONS $SLAPD_OPTIONS
+	    daemon ${slapd} -u ${user} -h "ldap:/// ldaps:///" $OPTIONS $SLAPD_OPTIONS
 	    RETVAL=$?
 	else
-	    daemon ${slapd} -u ldap -h "ldap:///" $OPTIONS $SLAPD_OPTIONS
+	    daemon ${slapd} -u ${user} -h "ldap:///" $OPTIONS $SLAPD_OPTIONS
 	    RETVAL=$?
 	fi
 	echo
@@ -99,6 +162,9 @@ function stop() {
 
 # See how we were called.
 case "$1" in
+    configtest)
+        configtest
+        ;;
     start)
         start
         ;;

openldap.spec

@@ -1,10 +1,9 @@
 %define migtools_version 45
-%define db_version 4.2.52
-%define db_version_40 4.0.14
+%define db_version 4.3.27
 %define ldbm_backend berkeley
 %define version_20 2.0.27
 %define version_21 2.1.30
-%define version_22 2.2.17
+%define version_22 2.2.23
 %define evolution_connector_prefix %{_libdir}/evolution-openldap
 %define evolution_connector_includedir %{evolution_connector_prefix}/include
 %define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib}
@@ -15,7 +14,7 @@
 Summary: The configuration files, libraries, and documentation for OpenLDAP.
 Name: openldap
 Version: %{version_22}
-Release: 0
+Release: 1
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_22}.tgz
@@ -23,8 +22,7 @@ Source1: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version
 Source2: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_21}.tgz
 Source3: ftp://ftp.OpenLDAP.org/pub/tools/autoconf-2.13.1.tar.gz
 Source4: ftp://ftp.OpenLDAP.org/pub/tools/automake-1.4a.tar.gz
-Source5: http://www.sleepycat.com/update/snapshot/db-%{db_version}.tar.gz
-Source6: http://www.sleepycat.com/update/snapshot/db-%{db_version_40}.tar.gz
+Source5: http://downloads.sleepycat.com/db-%{db_version}.tar.gz
 Source7: ldap.init
 Source8: ftp://ftp.padl.com/pub/MigrationTools-%{migtools_version}.tar.gz
 Source9: migration-tools.txt
@@ -50,8 +48,6 @@ Patch23: MigrationTools-27-simple.patch
 Patch24: MigrationTools-26-suffix.patch
 Patch25: MigrationTools-44-schema.patch
 Patch26: MigrationTools-45-noaliases.patch
-Patch30: http://www.sleepycat.com/update/4.2.52/patch.4.2.52.1
-Patch31: http://www.sleepycat.com/update/4.2.52/patch.4.2.52.2
 Patch40: openldap-ntlm.diff
 URL: http://www.openldap.org/
 BuildRoot: %{_tmppath}/%{name}-%{version_22}-root
@@ -85,7 +81,7 @@ customized LDAP clients.
 
 %package servers
 Summary: OpenLDAP servers and related files.
-Prereq: fileutils, make, openldap = %{version_22}-%{release}, openssl, /usr/sbin/useradd, /sbin/chkconfig
+Prereq: fileutils, make, openldap = %{version_22}-%{release}, openssl, /usr/sbin/useradd, /sbin/chkconfig, /sbin/runuser
 Group: System Environment/Daemons
 
 %description servers
@@ -144,7 +140,7 @@ includes older versions of the OpenLDAP shared libraries which may be
 required by some applications.
 
 %prep
-%setup -q -c -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 8
+%setup -q -c -a 1 -a 2 -a 3 -a 4 -a 5 -a 8
 
 pushd openldap-%{version_22}
 %patch0 -p1 -b .config
@@ -161,23 +157,14 @@ popd
 # non-standard NTLM bind type which is needed to connect to Win2k GC servers
 # (Win2k3 supports SASL with DIGEST-MD5, so this shouldn't be needed for those
 # servers, though as of version 1.4 the connector doesn't try SASL first).
-cp -a openldap-%{version_22} evo-openldap-%{version_22}
+if ! cp -al openldap-%{version_22} evo-openldap-%{version_22} ; then
+     rm -fr evo-openldap-%{version_22}
+     cp -a  openldap-%{version_22} evo-openldap-%{version_22}
+fi
 pushd evo-openldap-%{version_22}
 %patch40 -p0 -b .evolution-ntlm
 popd
 
-pushd db-%{db_version_40}
-%patch12 -p1 -b .disable-mutex
-%patch13 -p1 -b .libobj
-cd dist
-./s_config
-popd
-
-pushd db-%{db_version}
-%patch30 -b .db-1
-%patch31 -b .db-2
-popd
-
 pushd MigrationTools-%{migtools_version}
 %patch21 -p1 -b .instdir
 %patch22 -p1 -b .mktemp
@@ -237,53 +224,6 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -O0"
 # Set CFLAGS to incorporate RPM_OPT_FLAGS.
 CFLAGS="$RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS
 
-# Build the 2.0 server tools for dumping out old on-disk databases.  This
-# requires Berkeley DB 4.0.x (which we must build) and gdbm.
-pushd db-%{db_version_40}/dist
-./configure -C \
-	--with-pic \
-	--disable-shared \
-	--with-uniquename=_openldap_slapd_rhl_40 \
-	--prefix=${dbdir40} \
-	--includedir=${dbdir40}/include \
-	--libdir=${dbdir40}/%{_lib}
-make %{_smp_mflags}
-make install
-popd
-
-# Set CPPFLAGS/CFLAGS/LDFLAGS to find our just-built DB 4.0.
-CPPFLAGS="-I${dbdir40}/include" ; export CPPFLAGS
-CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS
-LDFLAGS="-L${dbdir40}/%{_lib}" ; export LDFLAGS
-
-pushd openldap-%{version_20}/build-gdbm
-%configure \
-	--disable-shared \
-	--without-cyrus-sasl \
-	--without-kerberos \
-	--without-threads \
-	--without-tls \
-	--enable-ldbm \
-	--with-ldbm-api=gdbm \
-	--program-suffix=-slapd-2.0-gdbm
-make %{_smp_mflags}
-popd
-
-pushd openldap-%{version_20}/build-db
-LIBS=-lpthread; export LIBS
-%configure \
-	--disable-shared \
-	--without-cyrus-sasl \
-	--without-kerberos \
-	--without-threads \
-	--without-tls \
-	--enable-ldbm \
-	--with-ldbm-api=berkeley \
-	--program-suffix=-slapd-2.0-dbb
-make %{_smp_mflags}
-unset LIBS
-popd
-
 # Build Berkeley DB and install it into a temporary area, isolating OpenLDAP
 # from any future changes to the system-wide Berkeley DB library.  Version 4.2
 # or later is required by the BDB backend in OpenLDAP 2.1 and later.
@@ -351,26 +291,6 @@ CPPFLAGS="-I${dbdir}/include $OPENSSL_CPPFLAGS" ; export CPPFLAGS
 CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS
 LDFLAGS="-L${dbdir}/%{_lib} $OPENSSL_LDFLAGS" ; export LDFLAGS
 
-# Build the 2.1 server tools for dumping out old on-disk databases.  This
-# requires Berkeley DB 4.2.x.
-pushd openldap-%{version_21}/build-servers
-LIBS=-lpthread; export LIBS
-%configure \
-	--disable-shared \
-	--disable-dynamic \
-	--without-cyrus-sasl \
-	--without-kerberos \
-	--without-threads \
-	--without-tls \
-	--enable-slapd --disable-slurpd \
-	--enable-bdb \
-	--enable-ldbm \
-	--with-ldbm-api=%{ldbm_backend} \
-	--program-suffix=-slapd-2.1
-make %{_smp_mflags}
-unset LIBS
-popd
-
 # Build the client libraries for the compat package.
 pushd openldap-%{compat_version}/build-compat
 %configure \
@@ -408,6 +328,7 @@ make %{_smp_mflags} LIBTOOL="$libtool"
 
 # Build the servers with Kerberos support (for password checking, mainly).
 LIBS=-lpthread; export LIBS
+LD_LIBRARY_PATH=${dbdir}/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}; export LD_LIBRARY_PATH
 pushd openldap-%{version_22}/build-servers
 build \
 	--enable-plugins \
@@ -465,22 +386,6 @@ popd
 libtool='%{_bindir}/libtool'
 tagname=CC; export tagname
 
-# Install the 2.0 server tools for dumping out old on-disk databases.
-mkdir -p $RPM_BUILD_ROOT/%{_sbindir}/
-pushd openldap-%{version_20}
-	pushd build-gdbm/servers/slapd/tools
-	for bin in slapadd slapcat ; do
-		../../../libtool --mode=install install -m755 $bin $RPM_BUILD_ROOT/%{_sbindir}/$bin-slapd-2.0-gdbm
-	done
-	popd
-
-	pushd build-db/servers/slapd/tools
-	for bin in slapadd slapcat ; do
-		../../../libtool --mode=install install -m755 $bin $RPM_BUILD_ROOT/%{_sbindir}/$bin-slapd-2.0-dbb
-	done
-	popd
-popd
-
 # Install the 2.0 or 2.1 shared libraries for compatibility.  The two sets of
 # libraries share sonames, so we have to choose one or the other.
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}/
@@ -491,13 +396,6 @@ pushd openldap-%{compat_version}/build-compat/libraries
 	rm $RPM_BUILD_ROOT/%{_libdir}/*.so
 popd
 
-# Install the 2.1 server tools for dumping out old on-disk databases.
-pushd openldap-%{version_21}/build-servers/servers/slapd/tools
-	for bin in slapadd slapcat ; do
-		../../../libtool --mode=install install -m755 $bin $RPM_BUILD_ROOT/%{_sbindir}/$bin-slapd-2.1
-	done
-popd
-
 # Install servers.
 %ifarch %{nptl_arches}
 case %{_target_platform} in
@@ -710,6 +608,7 @@ fi
 %ifnarch %{ix86}
 %attr(0755,root,root) %{_libdir}/tls/libslapd_db-*.*.so
 %else
+%dir %attr(0755,root,root) %{_libdir}/tls/*
 %attr(0755,root,root) %{_libdir}/tls/*/libslapd_db-*.*.so
 %endif
 %endif
@@ -741,6 +640,17 @@ fi
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
+* Mon Jan 31 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-1
+- update to 2.2.23 (stable-20050125)
+- update notes on upgrading from earlier versions
+- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files
+
+* Tue Jan  4 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.20-1
+- update to 2.2.20 (stable-20050103)
+- warn about unreadable krb5 keytab files containing "ldap" keys
+- warn about unreadable TLS-related files
+- own a ref to subdirectories which we create under %%{_libdir}/tls
+
 * Tue Nov  2 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.17-0
 - rebuild
 

sources

@@ -1,8 +1,7 @@
 2355e54f17a1fdc87b0d56ed9ea3e115  MigrationTools-45.tar.gz
 5a9e617c1d5339d3c90c545c93e30949  autoconf-2.13.1.tar.gz
 0faee50993f7e4fe00f4b921b640b84d  automake-1.4a.tar.gz
-12262c64fcd64b772e7cffad8e4d0ebc  db-4.0.14.tar.gz
-cbc77517c9278cdb47613ce8cb55779f  db-4.2.52.tar.gz
 a1e6508c471dd47205a3492cf57110a6  openldap-2.0.27.tgz
 e2ae8148c4bed07d7a70edd930bdc403  openldap-2.1.30.tgz
-aa10b961d02fbe331cd53214b7746c73  openldap-2.2.17.tgz
+fcc481d52c3b80e20a328f8c0cb042bd  db-4.3.27.tar.gz
+51d1cf0a8f77f5cd27a5aa2b82a344ec  openldap-2.2.23.tgz