- update to 2.2.23 (stable-20050125)

- update notes on upgrading from earlier versions
- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files
- warn about unreadable krb5 keytab files containing "ldap" keys
- warn about unreadable TLS-related files
- own a ref to subdirectories which we create under %%{_libdir}/tls
This commit is contained in:
Nalin Dahyabhai 2005-02-01 00:19:35 +00:00
parent f456bc962b
commit a2323f6d91
5 changed files with 173 additions and 137 deletions

View File

@ -7,3 +7,6 @@ openldap-2.0.27.tgz
openldap-2.1.30.tgz openldap-2.1.30.tgz
openldap-2.2.13.tgz openldap-2.2.13.tgz
openldap-2.2.17.tgz openldap-2.2.17.tgz
openldap-2.2.20.tgz
db-4.3.27.tar.gz
openldap-2.2.23.tgz

View File

@ -1,10 +1,68 @@
The OpenLDAP on-disk format has changed between the 2.0.x and 2.1.x releases. Before upgrading from OpenLDAP 2.0 or 2.1 to OpenLDAP 2.2, the system
administrator should dump out the contents of the the directory server's
databases using the 'slapcat' utility included in the openldap-servers package
and save the LDIF files which it produces.
If you are upgrading a server from OpenLDAP 2.0.x, you will very need to dump After the upgrade is complete, the data can be re-imported using the 'slapadd'
out your directory to a text file using "slapcat -n" before upgrading and utility. Some data which was exported from an OpenLDAP 2.0 server may not
re-import the entries into the new format using "slapadd" after the upgrade. import directly into an OpenLDAP 2.2 server. If this happens, check for these
common problems:
Because schema checking is now more restrictive, some entries may not import * Missing parent entries.
cleanly. In particular, if you have used previous versions of the migration Entries in the directory are no longer allowed to be children of entries
scripts, some of the entries (particularly oncRpc objects) may be missing which are not present in the directory. For example, earlier releases
"description" attributes which are now required by the schema. would allow an entry with distinguished name (DN)
"cn=foo,dc=devel,dc=example,dc=com" to be imported into a database for
suffix "dc=example,dc=com" which contained neither an entry for
"dc=devel,dc=example,dc=com" nor an entry for "dc=example,dc=com".
* Deprecated objectclasses and attribute types.
Entries of these classes should be replaced by entries of a different
class.
* the automountMap objectclass
Use the nisMap objectclass instead, replacing these old attributes
with new attributes:
+====================================+
| old attribute new attribute |
|------------------------------------|
| ou nisMapName |
+====================================+
* the automount objectclass
Use the nisObject objectclass instead, replacing these old attributes
with new attributes:
+====================================+
| old attribute new attribute |
|------------------------------------|
| cn cn |
| automountInformation nisMapEntry |
| (no counterpart) nisMapName |
+====================================+
* Missing objectclass definitions.
Some objectclasses are no longer defined because they are no longer used.
Remove the objectclass from the entry's list of objectclasses, and
remove any values for attributes which are unique to that objectclass.
These include:
* the "kerberosSecurityObject" objectclass and the "krbName" attribute
* the "dynamicObject" objectclass
* the "LDAPsubEntry" objectclass
* Missing attribute values.
Some objectclass definitions mark a given attribute as both optional (MAY)
and required (MUST). While such attributes may have been treated as
optional before, they are now treated as required. Some examples:
* the "ipProtocol" object class and its "description" attribute
* the "rpcService" object class and its "description" attribute
* the "oncRpc" object class and its "description" attribute
* the "residentialPerson" object class and its "localityName" attribute
* Structural vs. auxiliary objectclasses.
The set of objectclasses which any entry lists should include exactly one
STRUCTURAL class. This requirement may not have been enforced in previous
releases.
* The entry does not contain its own RDN as an attribute-value pair.
The naming attribute and value used as the entry's relative distinguished
name (RDN) must be explicitly defined for the entry. For example, an
entry named "cn=contrived,dc=example,dc=com" must include "contrived" as a
value for its "cn" attribute.

View File

@ -20,7 +20,7 @@ if [ -r /etc/sysconfig/network ] ; then
fi fi
# Source an auxiliary options file if we have one, and pick up OPTIONS, # Source an auxiliary options file if we have one, and pick up OPTIONS,
# SLAPD_OPTIONS, and SLURPD_OPTIONS. # SLAPD_OPTIONS, SLURPD_OPTIONS, and maybe KRB5_KTNAME.
if [ -r /etc/sysconfig/ldap ] ; then if [ -r /etc/sysconfig/ldap ] ; then
. /etc/sysconfig/ldap . /etc/sysconfig/ldap
fi fi
@ -33,7 +33,61 @@ slaptest=/usr/sbin/slaptest
RETVAL=0 RETVAL=0
function start() { #
# Pass commands given in $2 and later to "test" run as user given in $1.
#
function testasuser() {
local user= cmd=
user="$1"
shift
cmd="$@"
if test x"$user" != x ; then
if test x"$cmd" != x ; then
/sbin/runuser -f -m -s /bin/sh -c "test $cmd" -- "$user"
else
false
fi
else
false
fi
}
#
# Check for read-access errors for the user given in $1 for a service named $2.
# If $3 is specified, the command is run if "klist" can't be found.
#
function checkkeytab() {
local user= service= klist= default=
user="$1"
service="$2"
default="${3:-false}"
if test -x /usr/kerberos/bin/klist ; then
klist=/usr/kerberos/bin/klist
elif test -x /usr/bin/klist ; then
klist=/usr/bin/klist
fi
KRB5_KTNAME="${KRB5_KTNAME:-/etc/krb5.keytab}"
if test -s "$KRB5_KTNAME" ; then
if test x"$klist" != x ; then
if LANG=C klist -k "$KRB5_KTNAME" | tail -n 4 | awk '{print $2}' | grep -q ^"$service"/ ; then
if ! testasuser "$user" -r ${KRB5_KTNAME:-/etc/krb5.keytab} ; then
true
else
false
fi
else
false
fi
else
$default
fi
else
false
fi
}
function configtest() {
local user= ldapuid= dbdir= file=
# Check for simple-but-common errors. # Check for simple-but-common errors.
user=ldap user=ldap
ldapuid=`id -u $user` ldapuid=`id -u $user`
@ -43,24 +97,33 @@ function start() {
echo -n $"$file is not owned by \"$user\"" ; warning ; echo echo -n $"$file is not owned by \"$user\"" ; warning ; echo
done done
done done
# Check the configuration file. # Unaccessible keytab with an "ldap" key.
echo -n $"Checking configuration files for $prog: " if checkkeytab $user ldap ; then
$slaptest file=${KRB5_KTNAME:-/etc/krb5.keytab}
RETVAL=$? echo -n $"$file is not readable by \"$user\"" ; warning ; echo
if test $RETVAL -eq 0 ; then
success
else
failure
exit 1
fi fi
# Unaccessible TLS configuration files.
tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' /etc/openldap/slapd.conf | awk '{print $2}'`
for file in $tlsconfigs ; do
if ! testasuser $user -r $file ; then
echo -n $"$file is not readable by \"$user\"" ; warning ; echo
fi
done
# Check the configuration file.
action "Checking configuration files for $prog: " $slaptest || exit 1
}
function start() {
configtest
# Start daemons. # Start daemons.
user=ldap
prog=`basename ${slapd}` prog=`basename ${slapd}`
echo -n $"Starting $prog: " echo -n $"Starting $prog: "
if grep -q ^TLS /etc/openldap/slapd.conf ; then if grep -q ^TLS /etc/openldap/slapd.conf ; then
daemon ${slapd} -u ldap -h '"ldap:/// ldaps:///"' $OPTIONS $SLAPD_OPTIONS daemon ${slapd} -u ${user} -h "ldap:/// ldaps:///" $OPTIONS $SLAPD_OPTIONS
RETVAL=$? RETVAL=$?
else else
daemon ${slapd} -u ldap -h "ldap:///" $OPTIONS $SLAPD_OPTIONS daemon ${slapd} -u ${user} -h "ldap:///" $OPTIONS $SLAPD_OPTIONS
RETVAL=$? RETVAL=$?
fi fi
echo echo
@ -99,6 +162,9 @@ function stop() {
# See how we were called. # See how we were called.
case "$1" in case "$1" in
configtest)
configtest
;;
start) start)
start start
;; ;;

View File

@ -1,10 +1,9 @@
%define migtools_version 45 %define migtools_version 45
%define db_version 4.2.52 %define db_version 4.3.27
%define db_version_40 4.0.14
%define ldbm_backend berkeley %define ldbm_backend berkeley
%define version_20 2.0.27 %define version_20 2.0.27
%define version_21 2.1.30 %define version_21 2.1.30
%define version_22 2.2.17 %define version_22 2.2.23
%define evolution_connector_prefix %{_libdir}/evolution-openldap %define evolution_connector_prefix %{_libdir}/evolution-openldap
%define evolution_connector_includedir %{evolution_connector_prefix}/include %define evolution_connector_includedir %{evolution_connector_prefix}/include
%define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib} %define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib}
@ -15,7 +14,7 @@
Summary: The configuration files, libraries, and documentation for OpenLDAP. Summary: The configuration files, libraries, and documentation for OpenLDAP.
Name: openldap Name: openldap
Version: %{version_22} Version: %{version_22}
Release: 0 Release: 1
License: OpenLDAP License: OpenLDAP
Group: System Environment/Daemons Group: System Environment/Daemons
Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_22}.tgz Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_22}.tgz
@ -23,8 +22,7 @@ Source1: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version
Source2: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_21}.tgz Source2: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version_21}.tgz
Source3: ftp://ftp.OpenLDAP.org/pub/tools/autoconf-2.13.1.tar.gz Source3: ftp://ftp.OpenLDAP.org/pub/tools/autoconf-2.13.1.tar.gz
Source4: ftp://ftp.OpenLDAP.org/pub/tools/automake-1.4a.tar.gz Source4: ftp://ftp.OpenLDAP.org/pub/tools/automake-1.4a.tar.gz
Source5: http://www.sleepycat.com/update/snapshot/db-%{db_version}.tar.gz Source5: http://downloads.sleepycat.com/db-%{db_version}.tar.gz
Source6: http://www.sleepycat.com/update/snapshot/db-%{db_version_40}.tar.gz
Source7: ldap.init Source7: ldap.init
Source8: ftp://ftp.padl.com/pub/MigrationTools-%{migtools_version}.tar.gz Source8: ftp://ftp.padl.com/pub/MigrationTools-%{migtools_version}.tar.gz
Source9: migration-tools.txt Source9: migration-tools.txt
@ -50,8 +48,6 @@ Patch23: MigrationTools-27-simple.patch
Patch24: MigrationTools-26-suffix.patch Patch24: MigrationTools-26-suffix.patch
Patch25: MigrationTools-44-schema.patch Patch25: MigrationTools-44-schema.patch
Patch26: MigrationTools-45-noaliases.patch Patch26: MigrationTools-45-noaliases.patch
Patch30: http://www.sleepycat.com/update/4.2.52/patch.4.2.52.1
Patch31: http://www.sleepycat.com/update/4.2.52/patch.4.2.52.2
Patch40: openldap-ntlm.diff Patch40: openldap-ntlm.diff
URL: http://www.openldap.org/ URL: http://www.openldap.org/
BuildRoot: %{_tmppath}/%{name}-%{version_22}-root BuildRoot: %{_tmppath}/%{name}-%{version_22}-root
@ -85,7 +81,7 @@ customized LDAP clients.
%package servers %package servers
Summary: OpenLDAP servers and related files. Summary: OpenLDAP servers and related files.
Prereq: fileutils, make, openldap = %{version_22}-%{release}, openssl, /usr/sbin/useradd, /sbin/chkconfig Prereq: fileutils, make, openldap = %{version_22}-%{release}, openssl, /usr/sbin/useradd, /sbin/chkconfig, /sbin/runuser
Group: System Environment/Daemons Group: System Environment/Daemons
%description servers %description servers
@ -144,7 +140,7 @@ includes older versions of the OpenLDAP shared libraries which may be
required by some applications. required by some applications.
%prep %prep
%setup -q -c -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 8 %setup -q -c -a 1 -a 2 -a 3 -a 4 -a 5 -a 8
pushd openldap-%{version_22} pushd openldap-%{version_22}
%patch0 -p1 -b .config %patch0 -p1 -b .config
@ -161,23 +157,14 @@ popd
# non-standard NTLM bind type which is needed to connect to Win2k GC servers # non-standard NTLM bind type which is needed to connect to Win2k GC servers
# (Win2k3 supports SASL with DIGEST-MD5, so this shouldn't be needed for those # (Win2k3 supports SASL with DIGEST-MD5, so this shouldn't be needed for those
# servers, though as of version 1.4 the connector doesn't try SASL first). # servers, though as of version 1.4 the connector doesn't try SASL first).
if ! cp -al openldap-%{version_22} evo-openldap-%{version_22} ; then
rm -fr evo-openldap-%{version_22}
cp -a openldap-%{version_22} evo-openldap-%{version_22} cp -a openldap-%{version_22} evo-openldap-%{version_22}
fi
pushd evo-openldap-%{version_22} pushd evo-openldap-%{version_22}
%patch40 -p0 -b .evolution-ntlm %patch40 -p0 -b .evolution-ntlm
popd popd
pushd db-%{db_version_40}
%patch12 -p1 -b .disable-mutex
%patch13 -p1 -b .libobj
cd dist
./s_config
popd
pushd db-%{db_version}
%patch30 -b .db-1
%patch31 -b .db-2
popd
pushd MigrationTools-%{migtools_version} pushd MigrationTools-%{migtools_version}
%patch21 -p1 -b .instdir %patch21 -p1 -b .instdir
%patch22 -p1 -b .mktemp %patch22 -p1 -b .mktemp
@ -237,53 +224,6 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS -O0"
# Set CFLAGS to incorporate RPM_OPT_FLAGS. # Set CFLAGS to incorporate RPM_OPT_FLAGS.
CFLAGS="$RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS CFLAGS="$RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS
# Build the 2.0 server tools for dumping out old on-disk databases. This
# requires Berkeley DB 4.0.x (which we must build) and gdbm.
pushd db-%{db_version_40}/dist
./configure -C \
--with-pic \
--disable-shared \
--with-uniquename=_openldap_slapd_rhl_40 \
--prefix=${dbdir40} \
--includedir=${dbdir40}/include \
--libdir=${dbdir40}/%{_lib}
make %{_smp_mflags}
make install
popd
# Set CPPFLAGS/CFLAGS/LDFLAGS to find our just-built DB 4.0.
CPPFLAGS="-I${dbdir40}/include" ; export CPPFLAGS
CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS
LDFLAGS="-L${dbdir40}/%{_lib}" ; export LDFLAGS
pushd openldap-%{version_20}/build-gdbm
%configure \
--disable-shared \
--without-cyrus-sasl \
--without-kerberos \
--without-threads \
--without-tls \
--enable-ldbm \
--with-ldbm-api=gdbm \
--program-suffix=-slapd-2.0-gdbm
make %{_smp_mflags}
popd
pushd openldap-%{version_20}/build-db
LIBS=-lpthread; export LIBS
%configure \
--disable-shared \
--without-cyrus-sasl \
--without-kerberos \
--without-threads \
--without-tls \
--enable-ldbm \
--with-ldbm-api=berkeley \
--program-suffix=-slapd-2.0-dbb
make %{_smp_mflags}
unset LIBS
popd
# Build Berkeley DB and install it into a temporary area, isolating OpenLDAP # Build Berkeley DB and install it into a temporary area, isolating OpenLDAP
# from any future changes to the system-wide Berkeley DB library. Version 4.2 # from any future changes to the system-wide Berkeley DB library. Version 4.2
# or later is required by the BDB backend in OpenLDAP 2.1 and later. # or later is required by the BDB backend in OpenLDAP 2.1 and later.
@ -351,26 +291,6 @@ CPPFLAGS="-I${dbdir}/include $OPENSSL_CPPFLAGS" ; export CPPFLAGS
CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS
LDFLAGS="-L${dbdir}/%{_lib} $OPENSSL_LDFLAGS" ; export LDFLAGS LDFLAGS="-L${dbdir}/%{_lib} $OPENSSL_LDFLAGS" ; export LDFLAGS
# Build the 2.1 server tools for dumping out old on-disk databases. This
# requires Berkeley DB 4.2.x.
pushd openldap-%{version_21}/build-servers
LIBS=-lpthread; export LIBS
%configure \
--disable-shared \
--disable-dynamic \
--without-cyrus-sasl \
--without-kerberos \
--without-threads \
--without-tls \
--enable-slapd --disable-slurpd \
--enable-bdb \
--enable-ldbm \
--with-ldbm-api=%{ldbm_backend} \
--program-suffix=-slapd-2.1
make %{_smp_mflags}
unset LIBS
popd
# Build the client libraries for the compat package. # Build the client libraries for the compat package.
pushd openldap-%{compat_version}/build-compat pushd openldap-%{compat_version}/build-compat
%configure \ %configure \
@ -408,6 +328,7 @@ make %{_smp_mflags} LIBTOOL="$libtool"
# Build the servers with Kerberos support (for password checking, mainly). # Build the servers with Kerberos support (for password checking, mainly).
LIBS=-lpthread; export LIBS LIBS=-lpthread; export LIBS
LD_LIBRARY_PATH=${dbdir}/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}; export LD_LIBRARY_PATH
pushd openldap-%{version_22}/build-servers pushd openldap-%{version_22}/build-servers
build \ build \
--enable-plugins \ --enable-plugins \
@ -465,22 +386,6 @@ popd
libtool='%{_bindir}/libtool' libtool='%{_bindir}/libtool'
tagname=CC; export tagname tagname=CC; export tagname
# Install the 2.0 server tools for dumping out old on-disk databases.
mkdir -p $RPM_BUILD_ROOT/%{_sbindir}/
pushd openldap-%{version_20}
pushd build-gdbm/servers/slapd/tools
for bin in slapadd slapcat ; do
../../../libtool --mode=install install -m755 $bin $RPM_BUILD_ROOT/%{_sbindir}/$bin-slapd-2.0-gdbm
done
popd
pushd build-db/servers/slapd/tools
for bin in slapadd slapcat ; do
../../../libtool --mode=install install -m755 $bin $RPM_BUILD_ROOT/%{_sbindir}/$bin-slapd-2.0-dbb
done
popd
popd
# Install the 2.0 or 2.1 shared libraries for compatibility. The two sets of # Install the 2.0 or 2.1 shared libraries for compatibility. The two sets of
# libraries share sonames, so we have to choose one or the other. # libraries share sonames, so we have to choose one or the other.
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/
@ -491,13 +396,6 @@ pushd openldap-%{compat_version}/build-compat/libraries
rm $RPM_BUILD_ROOT/%{_libdir}/*.so rm $RPM_BUILD_ROOT/%{_libdir}/*.so
popd popd
# Install the 2.1 server tools for dumping out old on-disk databases.
pushd openldap-%{version_21}/build-servers/servers/slapd/tools
for bin in slapadd slapcat ; do
../../../libtool --mode=install install -m755 $bin $RPM_BUILD_ROOT/%{_sbindir}/$bin-slapd-2.1
done
popd
# Install servers. # Install servers.
%ifarch %{nptl_arches} %ifarch %{nptl_arches}
case %{_target_platform} in case %{_target_platform} in
@ -710,6 +608,7 @@ fi
%ifnarch %{ix86} %ifnarch %{ix86}
%attr(0755,root,root) %{_libdir}/tls/libslapd_db-*.*.so %attr(0755,root,root) %{_libdir}/tls/libslapd_db-*.*.so
%else %else
%dir %attr(0755,root,root) %{_libdir}/tls/*
%attr(0755,root,root) %{_libdir}/tls/*/libslapd_db-*.*.so %attr(0755,root,root) %{_libdir}/tls/*/libslapd_db-*.*.so
%endif %endif
%endif %endif
@ -741,6 +640,17 @@ fi
%attr(0644,root,root) %{evolution_connector_libdir}/*.a %attr(0644,root,root) %{evolution_connector_libdir}/*.a
%changelog %changelog
* Mon Jan 31 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.23-1
- update to 2.2.23 (stable-20050125)
- update notes on upgrading from earlier versions
- drop slapcat variations for 2.0/2.1, which choke on 2.2's config files
* Tue Jan 4 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.20-1
- update to 2.2.20 (stable-20050103)
- warn about unreadable krb5 keytab files containing "ldap" keys
- warn about unreadable TLS-related files
- own a ref to subdirectories which we create under %%{_libdir}/tls
* Tue Nov 2 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.17-0 * Tue Nov 2 2004 Nalin Dahyabhai <nalin@redhat.com> 2.2.17-0
- rebuild - rebuild

View File

@ -1,8 +1,7 @@
2355e54f17a1fdc87b0d56ed9ea3e115 MigrationTools-45.tar.gz 2355e54f17a1fdc87b0d56ed9ea3e115 MigrationTools-45.tar.gz
5a9e617c1d5339d3c90c545c93e30949 autoconf-2.13.1.tar.gz 5a9e617c1d5339d3c90c545c93e30949 autoconf-2.13.1.tar.gz
0faee50993f7e4fe00f4b921b640b84d automake-1.4a.tar.gz 0faee50993f7e4fe00f4b921b640b84d automake-1.4a.tar.gz
12262c64fcd64b772e7cffad8e4d0ebc db-4.0.14.tar.gz
cbc77517c9278cdb47613ce8cb55779f db-4.2.52.tar.gz
a1e6508c471dd47205a3492cf57110a6 openldap-2.0.27.tgz a1e6508c471dd47205a3492cf57110a6 openldap-2.0.27.tgz
e2ae8148c4bed07d7a70edd930bdc403 openldap-2.1.30.tgz e2ae8148c4bed07d7a70edd930bdc403 openldap-2.1.30.tgz
aa10b961d02fbe331cd53214b7746c73 openldap-2.2.17.tgz fcc481d52c3b80e20a328f8c0cb042bd db-4.3.27.tar.gz
51d1cf0a8f77f5cd27a5aa2b82a344ec openldap-2.2.23.tgz