From a2323f6d91fe54ca7ef0ca532e582f74320e2a6e Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 1 Feb 2005 00:19:35 +0000
Subject: [PATCH] - update to 2.2.23 (stable-20050125)
- update notes on upgrading from earlier versions
- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files
- warn about unreadable krb5 keytab files containing "ldap" keys
- warn about unreadable TLS-related files
- own a ref to subdirectories which we create under %%{_libdir}/tls
---
 .cvsignore | 3 ++
 README.upgrading | 74 +++++++++++++++++++++++---
 ldap.init | 92 +++++++++++++++++++++++++++-----
 openldap.spec | 136 ++++++++---------------------------------
 sources | 5 +-
 5 files changed, 173 insertions(+), 137 deletions(-)
diff --git a/.cvsignore b/.cvsignore
index 0a19b8c..607ce96 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -7,3 +7,6 @@ openldap-2.0.27.tgz
 openldap-2.1.30.tgz
 openldap-2.2.13.tgz
 openldap-2.2.17.tgz
+openldap-2.2.20.tgz
+db-4.3.27.tar.gz
+openldap-2.2.23.tgz
diff --git a/README.upgrading b/README.upgrading
index 287b1ea..d570c32 100644
--- a/README.upgrading
+++ b/README.upgrading
@@ -1,10 +1,68 @@ -The OpenLDAP on-disk format has changed between the 2.0.x and 2.1.x releases. +Before upgrading from OpenLDAP 2.0 or 2.1 to OpenLDAP 2.2, the system +administrator should dump out the contents of the the directory server's +databases using the 'slapcat' utility included in the openldap-servers package +and save the LDIF files which it produces. -If you are upgrading a server from OpenLDAP 2.0.x, you will very need to dump -out your directory to a text file using "slapcat -n" before upgrading and -re-import the entries into the new format using "slapadd" after the upgrade. +After the upgrade is complete, the data can be re-imported using the 'slapadd' +utility. Some data which was exported from an OpenLDAP 2.0 server may not +import directly into an OpenLDAP 2.2 server. If this happens, check for these +common problems: -Because schema checking is now more restrictive, some entries may not import -cleanly. In particular, if you have used previous versions of the migration -scripts, some of the entries (particularly oncRpc objects) may be missing -"description" attributes which are now required by the schema. + * Missing parent entries. + Entries in the directory are no longer allowed to be children of entries + which are not present in the directory. For example, earlier releases + would allow an entry with distinguished name (DN) + "cn=foo,dc=devel,dc=example,dc=com" to be imported into a database for + suffix "dc=example,dc=com" which contained neither an entry for + "dc=devel,dc=example,dc=com" nor an entry for "dc=example,dc=com". + + * Deprecated objectclasses and attribute types. + Entries of these classes should be replaced by entries of a different + class. 
+ * the automountMap objectclass + Use the nisMap objectclass instead, replacing these old attributes + with new attributes: + +====================================+ + | old attribute new attribute | + |------------------------------------| + | ou nisMapName | + +====================================+ + * the automount objectclass + Use the nisObject objectclass instead, replacing these old attributes + with new attributes: + +====================================+ + | old attribute new attribute | + |------------------------------------| + | cn cn | + | automountInformation nisMapEntry | + | (no counterpart) nisMapName | + +====================================+ + + * Missing objectclass definitions. + Some objectclasses are no longer defined because they are no longer used. + Remove the objectclass from the entry's list of objectclasses, and + remove any values for attributes which are unique to that objectclass. + These include: + * the "kerberosSecurityObject" objectclass and the "krbName" attribute + * the "dynamicObject" objectclass + * the "LDAPsubEntry" objectclass + + * Missing attribute values. + Some objectclass definitions mark a given attribute as both optional (MAY) + and required (MUST). While such attributes may have been treated as + optional before, they are now treated as required. Some examples: + * the "ipProtocol" object class and its "description" attribute + * the "rpcService" object class and its "description" attribute + * the "oncRpc" object class and its "description" attribute + * the "residentialPerson" object class and its "localityName" attribute + + * Structural vs. auxiliary objectclasses. + The set of objectclasses which any entry lists should include exactly one + STRUCTURAL class. This requirement may not have been enforced in previous + releases. + + * The entry does not contain its own RDN as an attribute-value pair. 
+ The naming attribute and value used as the entry's relative distinguished + name (RDN) must be explicitly defined for the entry. For example, an + entry named "cn=contrived,dc=example,dc=com" must include "contrived" as a + value for its "cn" attribute. diff --git a/ldap.init b/ldap.init index 4a7126b..fe9ba9d 100644 --- a/ldap.init +++ b/ldap.init @@ -20,7 +20,7 @@ if [ -r /etc/sysconfig/network ] ; then fi # Source an auxiliary options file if we have one, and pick up OPTIONS, -# SLAPD_OPTIONS, and SLURPD_OPTIONS. +# SLAPD_OPTIONS, SLURPD_OPTIONS, and maybe KRB5_KTNAME. if [ -r /etc/sysconfig/ldap ] ; then . /etc/sysconfig/ldap fi @@ -33,7 +33,61 @@ slaptest=/usr/sbin/slaptest RETVAL=0 -function start() { +# +# Pass commands given in $2 and later to "test" run as user given in $1. +# +function testasuser() { + local user= cmd= + user="$1" + shift + cmd="$@" + if test x"$user" != x ; then + if test x"$cmd" != x ; then + /sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user" + else + false + fi + else + false + fi +} + +# +# Check for read-access errors for the user given in $1 for a service named $2. +# If $3 is specified, the command is run if "klist" can't be found. +# +function checkkeytab() { + local user= service= klist= default= + user="$1" + service="$2" + default="${3:-false}" + if test -x /usr/kerberos/bin/klist ; then + klist=/usr/kerberos/bin/klist + elif test -x /usr/bin/klist ; then + klist=/usr/bin/klist + fi + KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}" + if test -s "$KRB5_KTNAME" ; then + if test x"$klist" != x ; then + if LANG=C klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then + if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then + true + else + false + fi + else + false + fi + else + $default + fi + else + false + fi +} + +function configtest() { + local user= ldapuid= dbdir= file= # Check for simple-but-common errors. user=ldap ldapuid=`id -u $user` 
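Review bot: `testasuser` flattens its operands with `cmd="$@"` and interpolates them into `-c "test $cmd"`, so the path is re-parsed by `/bin/sh`: a keytab or TLS file name containing whitespace or shell metacharacters is split or interpreted instead of being tested, and since the paths come from /etc/sysconfig/ldap and slapd.conf the function should pass them through as positional parameters, e.g. `/sbin/runuser -f -m -s /bin/sh -c 'test "$@"' -- "$user" sh "$@"`, if this runuser forwards trailing arguments to the shell the way su does. In `checkkeytab` the probed `$klist` path is never used — the pipeline invokes bare `klist`, so the two `-x` checks decide nothing and PATH does; the call should read `LANG=C "$klist" -k "$KRB5_KTNAME"`. The `tail -n 4` in that pipeline restricts the search to the last four lines of the listing, so an `ldap/` key earlier in a larger keytab is missed and the unreadable-keytab warning is silently skipped; the header lines of `klist -k` do not match `^ldap/`, so the `tail` stage can simply be dropped. `KRB5_KTNAME` is assigned without `local`, which changes the caller's environment as a side effect of a check function — worth a comment if that is intended, since `start()` later relies on it.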
@@ -43,24 +97,33 @@ function start() { echo -n $"$file is not owned by \"$user\"" ; warning ; echo done done - # Check the configuration file. - echo -n $"Checking configuration files for $prog: " - $slaptest - RETVAL=$? - if test $RETVAL -eq 0 ; then - success - else - failure - exit 1 + # Unaccessible keytab with an "ldap" key. + if checkkeytab $user ldap ; then + file=${KRB5_KTNAME:-/etc/krb5.keytab} + echo -n $"$file is not readable by \"$user\"" ; warning ; echo fi + # Unaccessible TLS configuration files. + tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' /etc/openldap/slapd.conf | awk '{print $2}'` + for file in $tlsconfigs ; do + if ! testasuser $user -r $file ; then + echo -n $"$file is not readable by \"$user\"" ; warning ; echo + fi + done + # Check the configuration file. + action "Checking configuration files for $prog: " $slaptest || exit 1 +} + +function start() { + configtest # Start daemons. + user=ldap prog=`basename ${slapd}` echo -n $"Starting $prog: " if grep -q ^TLS /etc/openldap/slapd.conf ; then - daemon ${slapd} -u ldap -h '"ldap:/// ldaps:///"' $OPTIONS $SLAPD_OPTIONS + daemon ${slapd} -u ${user} -h "ldap:/// ldaps:///" $OPTIONS $SLAPD_OPTIONS RETVAL=$? else - daemon ${slapd} -u ldap -h "ldap:///" $OPTIONS $SLAPD_OPTIONS + daemon ${slapd} -u ${user} -h "ldap:///" $OPTIONS $SLAPD_OPTIONS RETVAL=$? fi echo @@ -99,6 +162,9 @@ function stop() { # See how we were called. case "$1" in + configtest) + configtest + ;; start) start ;; diff --git a/openldap.spec b/openldap.spec index 74c26b6..54612f5 100644 --- a/openldap.spec +++ b/openldap.spec 
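Review bot: The rewritten `daemon ${slapd} -u ${user} -h "ldap:/// ldaps:///"` line drops the nested quoting the old line carried; if the initscripts `daemon` helper still runs its arguments through `bash -c "… ; $*"` (the reason the old `'"ldap:/// ldaps:///"'` form existed), the URL list is word-split on that second parse and slapd is handed `-h ldap:///` plus a stray `ldaps:///` operand, so the TLS listener never comes up — confirm against the `daemon` definition in /etc/rc.d/init.d/functions and, if so, keep the `-h '"ldap:/// ldaps:///"'` form. The TLS check iterates `for file in $tlsconfigs` and calls `testasuser $user -r $file` unquoted, so a path containing whitespace is split before it is ever tested; quote `"$file"` here, and add `tlsconfigs` to the `local` list so `configtest` does not leak it into the calling shell. `start()` continues past the end of this hunk.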
@@ -1,10 +1,9 @@ %define migtools_version 45 -%define db_version 4.2.52 -%define db_version_40 4.0.14 +%define db_version 4.3.27 %define ldbm_backend berkeley %define version_20 2.0.27 %define version_21 2.1.30 -%define version_22 2.2.17 +%define version_22 2.2.23 %define evolution_connector_prefix %{_libdir}/evolution-openldap %define evolution_connector_includedir %{evolution_connector_prefix}/include %define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib} @@ -15,7 +14,7 @@ Summary: The configuration files, libraries, and documentation for OpenLDAP. Name: openldap Version: %{version_22} -Release: 0 +Release: 1 License: OpenLDAP Group: System Environment/Daemons Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_22}.tgz @@ -23,8 +22,7 @@ Source1: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version Source2: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_21}.tgz Source3: ftp://ftp.OpenLDAP.org/pub/tools/autoconf-2.13.1.tar.gz Source4: ftp://ftp.OpenLDAP.org/pub/tools/automake-1.4a.tar.gz -Source5: http://www.sleepycat.com/update/snapshot/db-%{db_version}.tar.gz -Source6: http://www.sleepycat.com/update/snapshot/db-%{db_version_40}.tar.gz +Source5: http://downloads.sleepycat.com/db-%{db_version}.tar.gz Source7: ldap.init Source8: ftp://ftp.padl.com/pub/MigrationTools-%{migtools_version}.tar.gz Source9: migration-tools.txt @@ -50,8 +48,6 @@ Patch23: MigrationTools-27-simple.patch Patch24: MigrationTools-26-suffix.patch Patch25: MigrationTools-44-schema.patch Patch26: MigrationTools-45-noaliases.patch -Patch30: http://www.sleepycat.com/update/4.2.52/patch.4.2.52.1 -Patch31: http://www.sleepycat.com/update/4.2.52/patch.4.2.52.2 Patch40: openldap-ntlm.diff URL: http://www.openldap.org/ BuildRoot: %{_tmppath}/%{name}-%{version_22}-root 
@@ -85,7 +81,7 @@ customized LDAP clients. %package servers Summary: OpenLDAP servers and related files. -Prereq: fileutils, make, openldap = %{version_22}-%{release}, openssl, /usr/sbin/useradd, /sbin/chkconfig +Prereq: fileutils, make, openldap = %{version_22}-%{release}, openssl, /usr/sbin/useradd, /sbin/chkconfig, /sbin/runuser Group: System Environment/Daemons %description servers @@ -144,7 +140,7 @@ includes older versions of the OpenLDAP shared libraries which may be required by some applications. %prep -%setup -q -c -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 8 +%setup -q -c -a 1 -a 2 -a 3 -a 4 -a 5 -a 8 pushd openldap-%{version_22} %patch0 -p1 -b .config @@ -161,23 +157,14 @@ popd # non-standard NTLM bind type which is needed to connect to Win2k GC servers # (Win2k3 supports SASL with DIGEST-MD5, so this shouldn't be needed for those # servers, though as of version 1.4 the connector doesn't try SASL first). -cp -a openldap-%{version_22} evo-openldap-%{version_22} +if ! cp -al openldap-%{version_22} evo-openldap-%{version_22} ; then + rm -fr evo-openldap-%{version_22} + cp -a openldap-%{version_22} evo-openldap-%{version_22} +fi pushd evo-openldap-%{version_22} %patch40 -p0 -b .evolution-ntlm popd -pushd db-%{db_version_40} -%patch12 -p1 -b .disable-mutex -%patch13 -p1 -b .libobj -cd dist -./s_config -popd - -pushd db-%{db_version} -%patch30 -b .db-1 -%patch31 -b .db-2 -popd - pushd MigrationTools-%{migtools_version} %patch21 -p1 -b .instdir %patch22 -p1 -b .mktemp 
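Review bot: The new `cp -al` fallback builds the evolution tree as hard links into `openldap-%{version_22}` and then applies `%patch40` inside it; that is only safe because patch writes a new file and renames it over the link rather than editing in place, and nothing here records that assumption — a comment such as `# hard-link when possible; patch replaces files (new inode), so the pristine 2.2 tree is not modified` would stop a later in-place edit of the evo tree from silently corrupting the primary sources. The deleted `db-%{db_version_40}` block was the only visible user of `%patch12` and `%patch13`, while the Patch-list hunk earlier in this commit drops only Patch30 and Patch31; if Patch12 and Patch13 are still declared above this view they are now unused and should be removed with them.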
@@ -237,53 +224,6 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -O0" # Set CFLAGS to incorporate RPM_OPT_FLAGS. CFLAGS="$RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS -# Build the 2.0 server tools for dumping out old on-disk databases. This -# requires Berkeley DB 4.0.x (which we must build) and gdbm. -pushd db-%{db_version_40}/dist -./configure -C \ - --with-pic \ - --disable-shared \ - --with-uniquename=_openldap_slapd_rhl_40 \ - --prefix=${dbdir40} \ - --includedir=${dbdir40}/include \ - --libdir=${dbdir40}/%{_lib} -make %{_smp_mflags} -make install -popd - -# Set CPPFLAGS/CFLAGS/LDFLAGS to find our just-built DB 4.0. -CPPFLAGS="-I${dbdir40}/include" ; export CPPFLAGS -CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS -LDFLAGS="-L${dbdir40}/%{_lib}" ; export LDFLAGS - -pushd openldap-%{version_20}/build-gdbm -%configure \ - --disable-shared \ - --without-cyrus-sasl \ - --without-kerberos \ - --without-threads \ - --without-tls \ - --enable-ldbm \ - --with-ldbm-api=gdbm \ - --program-suffix=-slapd-2.0-gdbm -make %{_smp_mflags} -popd - -pushd openldap-%{version_20}/build-db -LIBS=-lpthread; export LIBS -%configure \ - --disable-shared \ - --without-cyrus-sasl \ - --without-kerberos \ - --without-threads \ - --without-tls \ - --enable-ldbm \ - --with-ldbm-api=berkeley \ - --program-suffix=-slapd-2.0-dbb -make %{_smp_mflags} -unset LIBS -popd - # Build Berkeley DB and install it into a temporary area, isolating OpenLDAP # from any future changes to the system-wide Berkeley DB library. Version 4.2 # or later is required by the BDB backend in OpenLDAP 2.1 and later. 
@@ -351,26 +291,6 @@ CPPFLAGS="-I${dbdir}/include $OPENSSL_CPPFLAGS" ; export CPPFLAGS CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS LDFLAGS="-L${dbdir}/%{_lib} $OPENSSL_LDFLAGS" ; export LDFLAGS -# Build the 2.1 server tools for dumping out old on-disk databases. This -# requires Berkeley DB 4.2.x. -pushd openldap-%{version_21}/build-servers -LIBS=-lpthread; export LIBS -%configure \ - --disable-shared \ - --disable-dynamic \ - --without-cyrus-sasl \ - --without-kerberos \ - --without-threads \ - --without-tls \ - --enable-slapd --disable-slurpd \ - --enable-bdb \ - --enable-ldbm \ - --with-ldbm-api=%{ldbm_backend} \ - --program-suffix=-slapd-2.1 -make %{_smp_mflags} -unset LIBS -popd - # Build the client libraries for the compat package. pushd openldap-%{compat_version}/build-compat %configure \ @@ -408,6 +328,7 @@ make %{_smp_mflags} LIBTOOL="$libtool" # Build the servers with Kerberos support (for password checking, mainly). LIBS=-lpthread; export LIBS +LD_LIBRARY_PATH=${dbdir}/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}; export LD_LIBRARY_PATH pushd openldap-%{version_22}/build-servers build \ --enable-plugins \ @@ -465,22 +386,6 @@ popd libtool='%{_bindir}/libtool' tagname=CC; export tagname -# Install the 2.0 server tools for dumping out old on-disk databases. -mkdir -p $RPM_BUILD_ROOT/%{_sbindir}/ -pushd openldap-%{version_20} - pushd build-gdbm/servers/slapd/tools - for bin in slapadd slapcat ; do - ../../../libtool --mode=install install -m755 $bin $RPM_BUILD_ROOT/%{_sbindir}/$bin-slapd-2.0-gdbm - done - popd - - pushd build-db/servers/slapd/tools - for bin in slapadd slapcat ; do - ../../../libtool --mode=install install -m755 $bin $RPM_BUILD_ROOT/%{_sbindir}/$bin-slapd-2.0-dbb - done - popd -popd - # Install the 2.0 or 2.1 shared libraries for compatibility. The two sets of # libraries share sonames, so we have to choose one or the other. mkdir -p $RPM_BUILD_ROOT/%{_libdir}/ 
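Review bot: The added `LD_LIBRARY_PATH=${dbdir}/lib…` disagrees with the rest of this section, which links against `-L${dbdir}/%{_lib}` (context line just above the deleted 2.1 block); on lib64 architectures the runtime path names a directory the private DB build did not populate, so anything executed during the build resolves libdb from the system copy instead of the isolated one the comment in the earlier hunk says the build wants. Use `LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}; export LD_LIBRARY_PATH`. The variable is also exported and never unset, so it presumably stays in effect for every later build step; a comment naming which step needs it, or an `unset LD_LIBRARY_PATH` afterwards, would make the scope explicit.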
@@ -491,13 +396,6 @@ pushd openldap-%{compat_version}/build-compat/libraries rm $RPM_BUILD_ROOT/%{_libdir}/*.so popd -# Install the 2.1 server tools for dumping out old on-disk databases. -pushd openldap-%{version_21}/build-servers/servers/slapd/tools - for bin in slapadd slapcat ; do - ../../../libtool --mode=install install -m755 $bin $RPM_BUILD_ROOT/%{_sbindir}/$bin-slapd-2.1 - done -popd - # Install servers. %ifarch %{nptl_arches} case %{_target_platform} in @@ -710,6 +608,7 @@ fi %ifnarch %{ix86} %attr(0755,root,root) %{_libdir}/tls/libslapd_db-*.*.so %else +%dir %attr(0755,root,root) %{_libdir}/tls/* %attr(0755,root,root) %{_libdir}/tls/*/libslapd_db-*.*.so %endif %endif @@ -741,6 +640,17 @@ fi %attr(0644,root,root) %{evolution_connector_libdir}/*.a %changelog +* Mon Jan 31 2005 Nalin Dahyabhai 2.2.23-1 +- update to 2.2.23 (stable-20050125) +- update notes on upgrading from earlier versions +- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files + +* Tue Jan 4 2005 Nalin Dahyabhai 2.2.20-1 +- update to 2.2.20 (stable-20050103) +- warn about unreadable krb5 keytab files containing "ldap" keys +- warn about unreadable TLS-related files +- own a ref to subdirectories which we create under %%{_libdir}/tls + * Tue Nov 2 2004 Nalin Dahyabhai 2.2.17-0 - rebuild diff --git a/sources b/sources index b170c29..a031472 100644 --- a/sources +++ b/sources @@ -1,8 +1,7 @@ 2355e54f17a1fdc87b0d56ed9ea3e115 MigrationTools-45.tar.gz 5a9e617c1d5339d3c90c545c93e30949 autoconf-2.13.1.tar.gz 0faee50993f7e4fe00f4b921b640b84d automake-1.4a.tar.gz -12262c64fcd64b772e7cffad8e4d0ebc db-4.0.14.tar.gz -cbc77517c9278cdb47613ce8cb55779f db-4.2.52.tar.gz a1e6508c471dd47205a3492cf57110a6 openldap-2.0.27.tgz e2ae8148c4bed07d7a70edd930bdc403 openldap-2.1.30.tgz -aa10b961d02fbe331cd53214b7746c73 openldap-2.2.17.tgz +fcc481d52c3b80e20a328f8c0cb042bd db-4.3.27.tar.gz +51d1cf0a8f77f5cd27a5aa2b82a344ec openldap-2.2.23.tgz