fix: conversion of constraint overlay settings to cn=config is incorrect

Resolves: #733067

openldap-constraint-overlay-config.patch

@@ -0,0 +1,81 @@
+constraint overlay: fix config emit
+
+Author: Pierangelo Masarati <ando@OpenLDAP.org>
+Upstream ITS: #6986
+Upstream commit: c0b669e14f4ef5b649f86bb3c1cc4ca76a00efa8
+Resolves: #733067
+
+diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
+index fcb2830..e6a9267 100644
+--- a/servers/slapd/overlays/constraint.c
++++ b/servers/slapd/overlays/constraint.c
+@@ -145,6 +145,8 @@ constraint_cf_gen( ConfigArgs *c )
+ 				char *tstr = NULL;
+ 				int quotes = 0;
+ 				int j;
++				size_t val;
++				char val_buf[SLAP_TEXT_BUFLEN] = { '\0' };
+ 
+ 				bv.bv_len = STRLENOF("  ");
+ 				for (j = 0; cp->ap[j]; j++) {
+@@ -156,6 +158,7 @@ constraint_cf_gen( ConfigArgs *c )
+ 
+ 				if (cp->re) {
+ 					tstr = REGEX_STR;
++					quotes = 1;
+ 				} else if (cp->lud) {
+ 					tstr = URI_STR;
+ 					quotes = 1;
+@@ -164,8 +167,10 @@ constraint_cf_gen( ConfigArgs *c )
+ 					quotes = 1;
+ 				} else if (cp->size) {
+ 					tstr = SIZE_STR;
++					val = cp->size;
+ 				} else if (cp->count) {
+ 					tstr = COUNT_STR;
++					val = cp->count;
+ 				}
+ 
+ 				bv.bv_len += strlen(tstr);
+@@ -175,6 +180,15 @@ constraint_cf_gen( ConfigArgs *c )
+ 					bv.bv_len += cp->restrict_val.bv_len + STRLENOF(" restrict=\"\"");
+ 				}
+ 
++				if (cp->count || cp->size) {
++					int len = snprintf(val_buf, sizeof(val_buf), "%d", val);
++					if (len <= 0) {
++						/* error */
++						return -1;
++					}
++					bv.bv_len += len;
++				}
++
+ 				s = bv.bv_val = ch_malloc(bv.bv_len + 1);
+ 
+ 				s = lutil_strncopy( s, cp->ap[0]->ad_cname.bv_val, cp->ap[0]->ad_cname.bv_len );
+@@ -185,9 +199,13 @@ constraint_cf_gen( ConfigArgs *c )
+ 				*s++ = ' ';
+ 				s = lutil_strcopy( s, tstr );
+ 				*s++ = ' ';
+-				if ( quotes ) *s++ = '"';
+-				s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len );
+-				if ( quotes ) *s++ = '"';
++				if (cp->count || cp->size) {
++					s = lutil_strcopy( s, val_buf );
++				} else {
++					if ( quotes ) *s++ = '"';
++					s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len );
++					if ( quotes ) *s++ = '"';
++				}
+ 				if (cp->restrict_lud != NULL) {
+ 					s = lutil_strcopy( s, " restrict=\"" );
+ 					s = lutil_strncopy( s, cp->restrict_val.bv_val, cp->restrict_val.bv_len );
+@@ -471,7 +489,7 @@ constraint_cf_gen( ConfigArgs *c )
+ 							}
+ 						}
+ 
+-						ber_str2bv(c->argv[argidx], 0, 1, &ap.restrict_val);
++						ber_str2bv(c->argv[argidx] + STRLENOF("restrict="), 0, 1, &ap.restrict_val);
+ 
+ 					} else {
+ 						/* cleanup */

openldap.spec

@@ -34,6 +34,7 @@ Patch8: openldap-nss-init-threadsafe.patch
 Patch9: openldap-nss-reqcert-hostname.patch
 Patch10: openldap-nss-verifycert.patch
 Patch11: openldap-nss-memleak-free-certs.patch
+Patch12: openldap-constraint-overlay-config.patch
 
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@@ -138,6 +139,7 @@ pushd openldap-%{version}
 %patch9 -p1 -b .nss-reqcert-hostname
 %patch10 -p1 -b .nss-verifycert
 %patch11 -p1 -b .nss-memleak-free-certs
+%patch12 -p1 -b .constraint-overlay-config
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 
@@ -666,6 +668,7 @@ exit 0
 - fix: NSS_Init* functions are not thread safe (#731112)
 - fix: incorrect behavior of allow/try options of VerifyCert and TLS_REQCERT (#725819)
 - fix: memleak - free the return of tlsm_find_and_verify_cert_key (#725818)
+- fix: conversion of constraint overlay settings to cn=config is incorrect (#733067)
 
 * Sun Aug 14 2011 Rex Dieter <rdieter@fedoraproject.org> - 2.4.26-1.1
 - Rebuilt for rpm (#728707)