rpms/openldap
7
0
Fork 0
Code Issues Pull Requests Releases Activity

new upstream release (2.4.28)

Browse Source 
- upstream changes:
  - server: support for delta-syncrepl in multi master replication
  - server: add experimental backend - MDB
  - server: dynamic configuration for passwd, perl, shell, sock,
    and sql backends
  - server: support passwords in APR1
  - library: support for Wahl (draft)
  - a lot of bugfixes
- remove patches which were merged upstream
This commit is contained in:
Jan Vcelak 2011-11-25 23:12:51 +01:00
parent 0fcc2f2eb2
commit ad3da8cc04
18 changed files with 265 additions and 900 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
/openldap-2.4.26.tgz
/openldap-2.4.28.tgz

81
openldap-constraint-overlay-config.patch
View File

@ -1,81 +0,0 @@
constraint overlay: fix config emit
Author: Pierangelo Masarati <ando@OpenLDAP.org>
Upstream ITS: #6986
Upstream commit: c0b669e14f4ef5b649f86bb3c1cc4ca76a00efa8
Resolves: #733067
diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
index fcb2830..e6a9267 100644
--- a/servers/slapd/overlays/constraint.c
+++ b/servers/slapd/overlays/constraint.c
@@ -145,6 +145,8 @@ constraint_cf_gen( ConfigArgs *c )
char *tstr = NULL;
int quotes = 0;
int j;
+ size_t val;
+ char val_buf[SLAP_TEXT_BUFLEN] = { '\0' };
bv.bv_len = STRLENOF(" ");
for (j = 0; cp->ap[j]; j++) {
@@ -156,6 +158,7 @@ constraint_cf_gen( ConfigArgs *c )
if (cp->re) {
tstr = REGEX_STR;
+ quotes = 1;
} else if (cp->lud) {
tstr = URI_STR;
quotes = 1;
@@ -164,8 +167,10 @@ constraint_cf_gen( ConfigArgs *c )
quotes = 1;
} else if (cp->size) {
tstr = SIZE_STR;
+ val = cp->size;
} else if (cp->count) {
tstr = COUNT_STR;
+ val = cp->count;
}
bv.bv_len += strlen(tstr);
@@ -175,6 +180,15 @@ constraint_cf_gen( ConfigArgs *c )
bv.bv_len += cp->restrict_val.bv_len + STRLENOF(" restrict=\"\"");
}
+ if (cp->count || cp->size) {
+ int len = snprintf(val_buf, sizeof(val_buf), "%d", val);
+ if (len <= 0) {
+ /* error */
+ return -1;
+ }
+ bv.bv_len += len;
+ }
+
s = bv.bv_val = ch_malloc(bv.bv_len + 1);
s = lutil_strncopy( s, cp->ap[0]->ad_cname.bv_val, cp->ap[0]->ad_cname.bv_len );
@@ -185,9 +199,13 @@ constraint_cf_gen( ConfigArgs *c )
*s++ = ' ';
s = lutil_strcopy( s, tstr );
*s++ = ' ';
- if ( quotes ) *s++ = '"';
- s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len );
- if ( quotes ) *s++ = '"';
+ if (cp->count || cp->size) {
+ s = lutil_strcopy( s, val_buf );
+ } else {
+ if ( quotes ) *s++ = '"';
+ s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len );
+ if ( quotes ) *s++ = '"';
+ }
if (cp->restrict_lud != NULL) {
s = lutil_strcopy( s, " restrict=\"" );
s = lutil_strncopy( s, cp->restrict_val.bv_val, cp->restrict_val.bv_len );
@@ -471,7 +489,7 @@ constraint_cf_gen( ConfigArgs *c )
}
}
- ber_str2bv(c->argv[argidx], 0, 1, &ap.restrict_val);
+ ber_str2bv(c->argv[argidx] + STRLENOF("restrict="), 0, 1, &ap.restrict_val);
} else {
/* cleanup */

55
openldap-cve-onebyte-buffer-overflow.patch
View File

@ -1,55 +0,0 @@
one-byte buffer overflow in slapd
Resolves: #749324 (CVE-2011-4079)
Upstream ITS: #7059
Upstream commits: d0dd861 5072387
Author: Howard Chu <hyc@openldap.org>
diff -u
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -1852,12 +1852,12 @@ UTF8StringNormalize(
}
nvalue.bv_val[nvalue.bv_len] = '\0';
- } else {
+ } else if ( tmp.bv_len ) {
/* string of all spaces is treated as one space */
nvalue.bv_val[0] = ' ';
nvalue.bv_val[1] = '\0';
nvalue.bv_len = 1;
- }
+ } /* should never be entered with 0-length val */
*normalized = nvalue;
return LDAP_SUCCESS;
@@ -2331,13 +2331,18 @@ postalAddressNormalize(
}
lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val;
- normalized->bv_len = l;
+ normalized->bv_len = c = l;
- for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) {
+ for ( l = 0; l <= c; l++ ) {
/* NOTE: we directly normalize each line,
* without unescaping the values, since the special
* values '\24' ('$') and '\5C' ('\') are not affected
* by normalization */
+ if ( !lines[l].bv_len ) {
+ nlines[l].bv_len = 0;
+ nlines[l].bv_val = NULL;
+ continue;
+ }
rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx );
if ( rc != LDAP_SUCCESS ) {
rc = LDAP_INVALID_SYNTAX;
@@ -2350,7 +2355,7 @@ postalAddressNormalize(
normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
p = normalized->bv_val;
- for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {
+ for ( l = 0; l <= c ; l++ ) {
p = lutil_strbvcopy( p, &nlines[l] );
*p++ = '$';
}

29
openldap-dds-overlay-tolerance.patch
View File

@ -1,29 +0,0 @@
DDS overlay: fix TTL tolerance
olcDDStolerance setting had inverse effect and in fact was shortening entries real TTL
From cca0da2163f1ec83352d86015cf6b9b42b757dc7 Mon Sep 17 00:00:00 2001
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7017
Resolves: #733069
---
servers/slapd/overlays/dds.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/servers/slapd/overlays/dds.c b/servers/slapd/overlays/dds.c
index 56d299f..661b309 100644
--- a/servers/slapd/overlays/dds.c
+++ b/servers/slapd/overlays/dds.c
@@ -156,7 +156,7 @@ dds_expire( void *ctx, dds_info_t *di )
op->ors_slimit = SLAP_NO_LIMIT;
op->ors_attrs = slap_anlist_no_attrs;
- expire = slap_get_time() + di->di_tolerance;
+ expire = slap_get_time() - di->di_tolerance;
ts.bv_val = tsbuf;
ts.bv_len = sizeof( tsbuf );
slap_timestamp( &expire, &ts );
--
1.7.6

25
openldap-man-ldap-sync.patch
View File

@ -1,25 +0,0 @@
wrong ldap_sync_destroy() prototype in ldap_sync(3) manpage
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #717722
---
doc/man/man3/ldap_sync.3 | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/doc/man/man3/ldap_sync.3 b/doc/man/man3/ldap_sync.3
index ef15085..e2c0880 100644
--- a/doc/man/man3/ldap_sync.3
+++ b/doc/man/man3/ldap_sync.3
@@ -20,7 +20,7 @@ OpenLDAP LDAP (libldap, \-lldap)
.LP
.BI "ldap_sync_t * ldap_sync_initialize(ldap_sync_t *" ls ");"
.LP
-.BI "int ldap_sync_destroy(ldap_sync_t *" ls ", int " freeit ");"
+.BI "void ldap_sync_destroy(ldap_sync_t *" ls ", int " freeit ");"
.LP
.BI "typedef int (*" ldap_sync_search_entry_f ")(ldap_sync_t *" ls ","
.RS
--
1.7.6

31
openldap-man-slapo-unique.patch
View File

@ -1,31 +0,0 @@
Errors in manual pages slapo-unique
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #733070
diff --git a/doc/man/man5/slapo-unique.5 b/doc/man/man5/slapo-unique.5
index 85270d8..849ffe9 100644
--- a/doc/man/man5/slapo-unique.5
+++ b/doc/man/man5/slapo-unique.5
@@ -49,6 +49,12 @@ statements or
attributes will create independent domains, each with their own
independent lists of URIs and ignore/strict settings.
+Keywords
+.B strict
+and
+.B ignore
+have to be enclosed in quotes (") together with the URI.
+
The LDAP URI syntax is a subset of
.B RFC-4516,
and takes the form:
@@ -137,7 +143,7 @@ This legacy configuration parameter should be converted to a
.B unique_uri
parameter, as described above.
.TP
-.B unique_strict
+.B unique_strict <attribute...>
This legacy configuration parameter should be converted to a
.B strict
keyword prepended to a

28
openldap-nss-free-peer-cert.patch
View File

@ -1,28 +0,0 @@
memleak in tlsm_auth_cert_handler
In tlsm_auth_cert_handler, we get the peer's cert from the socket using
SSL_PeerCertificate. This value is allocated and/or cached. We must
destroy it using CERT_DestroyCertificate.
Author: Rich Megginson <rmeggins@redhat.com>
Upstream ITS: #6980
Upstream commit: d944920
Resolves: #717730
diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23.fix/libraries/libldap/tls_m.c
--- openldap-2.4.23/libraries/libldap/tls_m.c 2011-07-18 15:54:03.719226863 +0200
+++ openldap-2.4.23.fix/libraries/libldap/tls_m.c 2011-07-18 16:02:59.284531374 +0200
@@ -1034,10 +1034,12 @@ tlsm_auth_cert_handler(void *arg, PRFile
{
SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
SECStatus ret = SECSuccess;
+ CERTCertificate *peercert = SSL_PeerCertificate( fd );
- ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, SSL_PeerCertificate( fd ),
+ ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, peercert,
SSL_RevealPinArg( fd ),
checksig, certUsage, 0 );
+ CERT_DestroyCertificate( peercert );
return ret;
}

96
openldap-nss-handshake-threadsafe.patch
View File

@ -1,96 +0,0 @@
Use mutex for connection handshake when using PEM nss
PEM nss is not thread safe when establishing the initial connection
using SSL_ForceHandshake. Create a new mutex - tlsm_pem_mutex - to
protect this function call.
The call to SSL_ConfigServerSessionIDCache() is not thread-safe - move it
to the init section and protect it with the init mutex.
Author: Rich Megginson <rmeggins@redhat.com>
Resolves: #701678
Upstream ITS: #7034
---
libraries/libldap/tls_m.c | 30 ++++++++++++++++++++++++------
1 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index c85d322..9447db2 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -135,6 +135,7 @@ static int tlsm_init( void );
to wrap the mutex creation in a prcallonce
*/
static ldap_pvt_thread_mutex_t tlsm_init_mutex;
+static ldap_pvt_thread_mutex_t tlsm_pem_mutex;
static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
static PRStatus PR_CALLBACK
@@ -146,6 +147,12 @@ tlsm_thr_init_callonce( void )
return PR_FAILURE;
}
+ if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 );
+ return PR_FAILURE;
+ }
+
return PR_SUCCESS;
}
@@ -1728,6 +1735,14 @@ tlsm_deferred_init( void *arg )
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
return -1;
}
+
+ if ( ctx->tc_is_server ) {
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
+ /* 0 means use the defaults here */
+ SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL );
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+ }
+
#ifndef HAVE_NSS_INITCONTEXT
}
#endif /* HAVE_NSS_INITCONTEXT */
@@ -1941,6 +1956,7 @@ tlsm_destroy( void )
{
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
+ ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex );
#endif
}
@@ -2433,11 +2449,6 @@ tlsm_session_new ( tls_ctx * ctx, int is_server )
return NULL;
}
- if ( is_server ) {
- /* 0 means use the defaults here */
- SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL );
- }
-
rc = SSL_ResetHandshake( session, is_server );
if ( rc ) {
PRErrorCode err = PR_GetError();
@@ -2457,9 +2468,16 @@ static int
tlsm_session_accept_or_connect( tls_session *session, int is_accept )
{
tlsm_session *s = (tlsm_session *)session;
- int rc = SSL_ForceHandshake( s );
+ int rc;
const char *op = is_accept ? "accept" : "connect";
+ if ( pem_module ) {
+ LDAP_MUTEX_LOCK( &tlsm_pem_mutex );
+ }
+ rc = SSL_ForceHandshake( s );
+ if ( pem_module ) {
+ LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex );
+ }
if ( rc ) {
PRErrorCode err = PR_GetError();
rc = -1;
--
1.7.1

217
openldap-nss-init-threadsafe.patch
View File

@ -1,217 +0,0 @@
NSS_Init* functions are not thread safe
The NSS_InitContext et. al, and their corresponding shutdown functions,
are not thread safe. There can only be one thread at a time calling
these functions. Protect the calls with a mutex. Create the mutex
using a PR_CallOnce to ensure that the mutex is only created once and
not used before created. Move the registration of the nss shutdown
callback to also use a PR_CallOnce. Removed the call to
SSL_ClearSessionCache() because it is always called at shutdown, and we must
not call it more than once.
Resolves: #731112
Author: Rich Megginson <rmeggins@redhat.com>
Upstream ITS: #7022
---
libraries/libldap/tls_m.c | 98 +++++++++++++++++++++++++++++++++++++++++---
1 files changed, 91 insertions(+), 7 deletions(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 997b3eb..30c8a76 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -130,9 +130,29 @@ static int tlsm_init( void );
#ifdef LDAP_R_COMPILE
+/* it doesn't seem guaranteed that a client will call
+ tlsm_thr_init in a non-threaded context - so we have
+ to wrap the mutex creation in a prcallonce
+*/
+static ldap_pvt_thread_mutex_t tlsm_init_mutex;
+static PRCallOnceType tlsm_init_mutex_callonce = {0,0};
+
+static PRStatus PR_CALLBACK
+tlsm_thr_init_callonce( void )
+{
+ if ( ldap_pvt_thread_mutex_init( &tlsm_init_mutex ) ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not create mutex for moznss initialization: %d\n", errno, 0, 0 );
+ return PR_FAILURE;
+ }
+
+ return PR_SUCCESS;
+}
+
static void
tlsm_thr_init( void )
{
+ ( void )PR_CallOnce( &tlsm_init_mutex_callonce, tlsm_thr_init_callonce );
}
#endif /* LDAP_R_COMPILE */
@@ -1079,7 +1099,6 @@ tlsm_nss_shutdown_cb( void *appData, void *nssData )
SECStatus rc = SECSuccess;
SSL_ShutdownServerSessionIDCache();
- SSL_ClearSessionCache();
if ( pem_module ) {
SECMOD_UnloadUserModule( pem_module );
@@ -1089,6 +1108,24 @@ tlsm_nss_shutdown_cb( void *appData, void *nssData )
return rc;
}
+static PRCallOnceType tlsm_register_shutdown_callonce = {0,0};
+static PRStatus PR_CALLBACK
+tlsm_register_nss_shutdown_cb( void )
+{
+ if ( SECSuccess == NSS_RegisterShutdown( tlsm_nss_shutdown_cb,
+ NULL ) ) {
+ return PR_SUCCESS;
+ }
+ return PR_FAILURE;
+}
+
+static PRStatus
+tlsm_register_nss_shutdown( void )
+{
+ return PR_CallOnce( &tlsm_register_shutdown_callonce,
+ tlsm_register_nss_shutdown_cb );
+}
+
static int
tlsm_init_pem_module( void )
{
@@ -1529,6 +1566,12 @@ tlsm_deferred_init( void *arg )
initParams.length = sizeof( initParams );
#endif /* HAVE_NSS_INITCONTEXT */
+#ifdef LDAP_R_COMPILE
+ if ( PR_CallOnce( &tlsm_init_mutex_callonce, tlsm_thr_init_callonce ) ) {
+ return -1;
+ }
+#endif /* LDAP_R_COMPILE */
+
#ifndef HAVE_NSS_INITCONTEXT
if ( !NSS_IsInitialized() ) {
#endif /* HAVE_NSS_INITCONTEXT */
@@ -1556,6 +1599,10 @@ tlsm_deferred_init( void *arg )
}
tlsm_get_certdb_prefix( securitydir, &realcertdir, &prefix );
+#ifdef LDAP_R_COMPILE
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
+#endif /* LDAP_R_COMPILE */
+
#ifdef HAVE_NSS_INITCONTEXT
#ifdef INITCONTEXT_HACK
if ( !NSS_IsInitialized() && ctx->tc_is_server ) {
@@ -1574,6 +1621,10 @@ tlsm_deferred_init( void *arg )
rc = NSS_Initialize( realcertdir, prefix, prefix, SECMOD_DB, NSS_INIT_READONLY );
#endif
+#ifdef LDAP_R_COMPILE
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+#endif /* LDAP_R_COMPILE */
+
if ( rc != SECSuccess ) {
errcode = PORT_GetError();
if ( securitydirs[ii] != lt->lt_cacertdir) {
@@ -1597,6 +1648,9 @@ tlsm_deferred_init( void *arg )
}
if ( errcode ) { /* no moznss db found, or not using moznss db */
+#ifdef LDAP_R_COMPILE
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
+#endif /* LDAP_R_COMPILE */
#ifdef HAVE_NSS_INITCONTEXT
int flags = NSS_INIT_READONLY|NSS_INIT_NOCERTDB|NSS_INIT_NOMODDB;
#ifdef INITCONTEXT_HACK
@@ -1615,6 +1669,9 @@ tlsm_deferred_init( void *arg )
#else
rc = NSS_NoDB_Init( NULL );
#endif
+#ifdef LDAP_R_COMPILE
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+#endif /* LDAP_R_COMPILE */
if ( rc != SECSuccess ) {
errcode = PORT_GetError();
Debug( LDAP_DEBUG_ANY,
@@ -1628,13 +1685,22 @@ tlsm_deferred_init( void *arg )
#endif
/* initialize the PEM module */
+#ifdef LDAP_R_COMPILE
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
+#endif /* LDAP_R_COMPILE */
if ( tlsm_init_pem_module() ) {
+#ifdef LDAP_R_COMPILE
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+#endif /* LDAP_R_COMPILE */
errcode = PORT_GetError();
Debug( LDAP_DEBUG_ANY,
"TLS: could not initialize moznss PEM module - error %d:%s.\n",
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
return -1;
}
+#ifdef LDAP_R_COMPILE
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+#endif /* LDAP_R_COMPILE */
if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
/* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode
@@ -1669,10 +1735,13 @@ tlsm_deferred_init( void *arg )
PK11_SetPasswordFunc( tlsm_pin_prompt );
/* register cleanup function */
- /* delete the old one, if any */
- NSS_UnregisterShutdown( tlsm_nss_shutdown_cb, NULL );
- NSS_RegisterShutdown( tlsm_nss_shutdown_cb, NULL );
-
+ if ( tlsm_register_nss_shutdown() ) {
+ errcode = PORT_GetError();
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not register NSS shutdown function: %d:%s\n",
+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+ return -1;
+ }
#ifndef HAVE_NSS_INITCONTEXT
}
#endif /* HAVE_NSS_INITCONTEXT */
@@ -1884,6 +1953,9 @@ tlsm_clientauth_init( tlsm_ctx *ctx )
static void
tlsm_destroy( void )
{
+#ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex );
+#endif
}
static tls_ctx *
@@ -1949,8 +2021,20 @@ tlsm_ctx_free ( tls_ctx *ctx )
PL_strfree( c->tc_slotname );
tlsm_free_pem_objs( c );
#ifdef HAVE_NSS_INITCONTEXT
- if (c->tc_initctx)
- NSS_ShutdownContext( c->tc_initctx );
+ if ( c->tc_initctx ) {
+#ifdef LDAP_R_COMPILE
+ LDAP_MUTEX_LOCK( &tlsm_init_mutex );
+#endif /* LDAP_R_COMPILE */
+ if ( NSS_ShutdownContext( c->tc_initctx ) ) {
+ PRErrorCode errcode = PR_GetError();
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not shutdown NSS - error %d:%s.\n",
+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+ }
+#ifdef LDAP_R_COMPILE
+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+#endif /* LDAP_R_COMPILE */
+ }
c->tc_initctx = NULL;
#endif /* HAVE_NSS_INITCONTEXT */
#ifdef LDAP_R_COMPILE
--
1.7.1

40
openldap-nss-memleak-free-certs.patch
View File

@ -1,40 +0,0 @@
MozNSS: free the return of tlsm_find_and_verify_cert_key
If tlsm_find_and_verify_cert_key finds the cert and/or key, and it fails
to verify them, it will leave them allocated for the caller to dispose of.
There were a couple of places that were not disposing of the cert and key
upon error.
Author: Rich Megginson <rmeggins@redhat.com>
Upstream ITS: #7001
Upstream commit: fb4b4f7445d9392fbae097cc861e4cfb1694dcae
Resolves: #725818
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 7ae7d82..72fdf49 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1811,6 +1811,14 @@ tlsm_get_client_auth_data( void *arg, PRFileDesc *fd,
Debug( LDAP_DEBUG_ANY,
"TLS: error: unable to perform client certificate authentication for "
"certificate named %s\n", ctx->tc_certname, 0, 0 );
+ if ( pRetKey && *pRetKey ) {
+ SECKEY_DestroyPrivateKey( *pRetKey );
+ *pRetKey = NULL;
+ }
+ if ( pRetCert && *pRetCert ) {
+ CERT_DestroyCertificate( *pRetCert );
+ *pRetCert = NULL;
+ }
return SECFailure;
}
@@ -2162,6 +2170,8 @@ tlsm_deferred_ctx_init( void *arg )
Debug( LDAP_DEBUG_ANY,
"TLS: error: unable to find and verify server's cert and key for certificate %s\n",
ctx->tc_certname, 0, 0 );
+ CERT_DestroyCertificate( serverCert );
+ SECKEY_DestroyPrivateKey( serverKey );
return -1;
}

28
openldap-nss-reqcert-hostname.patch
View File

@ -1,28 +0,0 @@
Do not check server hostname when TLS_REQCERT is 'allow'.
If server certificate hostname does not match the server hostname,
connection is closed even if client has set TLS_REQCERT to 'allow'. This
is wrong - the documentation says, that bad certificates are being
ignored when TLS_REQCERT is set to 'allow'.
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7014
Resolves: #725819
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index f38db27..3f05c1e 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -838,7 +838,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
/*
* compare host with name(s) in certificate
*/
- if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER) {
+ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
+ ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
if (ld->ld_errno != LDAP_SUCCESS) {
return ld->ld_errno;
--
1.7.6

209
openldap-nss-verifycert.patch
View File

@ -1,209 +0,0 @@
Fix server side VerifyCert allow/try behavior
If the olcTLSVerifyClient is set to a value other than "never", the server
should request that the client send a client certificate for possible use
with client cert auth (e.g. SASL/EXTERNAL).
If set to "allow", if the client sends a cert, and there are problems with
it, the server will warn about problems, but will allow the SSL session to
proceed without a client cert.
If set to "try", if the client sends a cert, and there are problems with
it, the server will warn about those problems, and shutdown the SSL session.
If set to "demand" or "hard", the client must send a cert, and the server
will shutdown the SSL session if there are problems.
I added a new member of the tlsm context structure - tc_warn_only - if this
is set, tlsm_verify_cert will only warn about errors, and only if TRACE
level debug is set. This allows the server to warn but allow bad certs
if "allow" is set, and warn and fail if "try" is set.
Author: Rich Megginson <rmeggins@redhat.com>
Upstream ITS: #7002
Upstream commit: 210b156ece28a71cb625283fa5c30ee76d639cdc
Resolves: #725819
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 72fdf49..997b3eb 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -96,6 +96,7 @@ typedef struct tlsm_ctx {
#endif
PK11GenericObject **tc_pem_objs; /* array of objects to free */
int tc_n_pem_objs; /* number of objects */
+ PRBool tc_warn_only; /* only warn of errors in validation */
#ifdef LDAP_R_COMPILE
ldap_pvt_thread_mutex_t tc_refmutex;
#endif
@@ -945,6 +946,11 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
CERTVerifyLog verifylog;
SECStatus ret = SECSuccess;
const char *name;
+ int debug_level = LDAP_DEBUG_ANY;
+
+ if ( errorToIgnore == -1 ) {
+ debug_level = LDAP_DEBUG_TRACE;
+ }
/* the log captures information about every cert in the chain, so we can tell
which cert caused the problem and what the problem was */
@@ -965,7 +971,7 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
/* it is possible for CERT_VerifyCertificate return with an error with no logging */
if ( ret != SECSuccess ) {
PRErrorCode errcode = PR_GetError();
- Debug( LDAP_DEBUG_ANY,
+ Debug( debug_level,
"TLS: certificate [%s] is not valid - error %d:%s.\n",
name ? name : "(unknown)",
errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
@@ -995,17 +1001,17 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
"please fix your certs if possible\n", name, 0, 0 );
} else { /* does not have basicconstraint, or some other error */
ret = SECFailure;
- Debug( LDAP_DEBUG_ANY,
+ Debug( debug_level,
"TLS: certificate [%s] is not valid - CA cert is not valid\n",
name, 0, 0 );
}
} else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
- Debug( LDAP_DEBUG_ANY,
+ Debug( debug_level,
"TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
} else {
ret = SECFailure;
- Debug( LDAP_DEBUG_ANY,
+ Debug( debug_level,
"TLS: certificate [%s] is not valid - error %ld:%s.\n",
name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
}
@@ -1020,7 +1026,9 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
if ( ret == SECSuccess ) {
Debug( LDAP_DEBUG_TRACE,
"TLS: certificate [%s] is valid\n", name, 0, 0 );
- }
+ } else if ( errorToIgnore == -1 ) {
+ ret = SECSuccess;
+ }
return ret;
}
@@ -1032,10 +1040,15 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
SECStatus ret = SECSuccess;
CERTCertificate *peercert = SSL_PeerCertificate( fd );
+ int errorToIgnore = 0;
+ tlsm_ctx *ctx = (tlsm_ctx *)arg;
+
+ if (ctx && ctx->tc_warn_only )
+ errorToIgnore = -1;
- ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, peercert,
+ ret = tlsm_verify_cert( ctx->tc_certdb, peercert,
SSL_RevealPinArg( fd ),
- checksig, certUsage, 0 );
+ checksig, certUsage, errorToIgnore );
CERT_DestroyCertificate( peercert );
return ret;
@@ -1758,6 +1771,8 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx, PRFileDesc *fd, const char *certnam
SECCertificateUsage certUsage;
PRBool checkSig = PR_TRUE;
SECStatus status;
+ /* may not have a CA cert - ok - ignore SEC_ERROR_UNKNOWN_ISSUER */
+ int errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER;
if ( pRetKey ) {
*pRetKey = key; /* caller will deal with this */
@@ -1774,9 +1789,11 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx, PRFileDesc *fd, const char *certnam
} else {
checkSig = PR_FALSE;
}
- /* may not have a CA cert - ok - ignore SEC_ERROR_UNKNOWN_ISSUER */
+ if ( ctx->tc_warn_only ) {
+ errorToIgnore = -1;
+ }
status = tlsm_verify_cert( ctx->tc_certdb, cert, pin_arg,
- checkSig, certUsage, SEC_ERROR_UNKNOWN_ISSUER );
+ checkSig, certUsage, errorToIgnore );
if ( status == SECSuccess ) {
rc = 0;
}
@@ -1803,10 +1820,14 @@ tlsm_get_client_auth_data( void *arg, PRFileDesc *fd,
{
tlsm_ctx *ctx = (tlsm_ctx *)arg;
int rc;
+ PRBool saveval;
/* don't need caNames - this function will call CERT_VerifyCertificateNow
which will verify the cert against the known CAs */
+ saveval = ctx->tc_warn_only;
+ ctx->tc_warn_only = PR_TRUE;
rc = tlsm_find_and_verify_cert_key( ctx, fd, ctx->tc_certname, 0, pRetCert, pRetKey );
+ ctx->tc_warn_only = saveval;
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"TLS: error: unable to perform client certificate authentication for "
@@ -1837,8 +1858,12 @@ tlsm_clientauth_init( tlsm_ctx *ctx )
{
SECStatus status = SECFailure;
int rc;
+ PRBool saveval;
+ saveval = ctx->tc_warn_only;
+ ctx->tc_warn_only = PR_TRUE;
rc = tlsm_find_and_verify_cert_key( ctx, ctx->tc_model, ctx->tc_certname, 0, NULL, NULL );
+ ctx->tc_warn_only = saveval;
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"TLS: error: unable to set up client certificate authentication for "
@@ -1887,6 +1912,7 @@ tlsm_ctx_new ( struct ldapoptions *lo )
#endif /* HAVE_NSS_INITCONTEXT */
ctx->tc_pem_objs = NULL;
ctx->tc_n_pem_objs = 0;
+ ctx->tc_warn_only = PR_FALSE;
}
return (tls_ctx *)ctx;
}
@@ -2048,7 +2074,9 @@ tlsm_deferred_ctx_init( void *arg )
return -1;
}
- if ( ctx->tc_require_cert ) {
+ if ( !ctx->tc_require_cert ) {
+ ctx->tc_verify_cert = PR_FALSE;
+ } else if ( !ctx->tc_is_server ) {
request_cert = PR_TRUE;
require_cert = SSL_REQUIRE_NO_ERROR;
if ( ctx->tc_require_cert == LDAP_OPT_X_TLS_DEMAND ||
@@ -2057,8 +2085,22 @@ tlsm_deferred_ctx_init( void *arg )
}
if ( ctx->tc_require_cert != LDAP_OPT_X_TLS_ALLOW )
ctx->tc_verify_cert = PR_TRUE;
- } else {
- ctx->tc_verify_cert = PR_FALSE;
+ } else { /* server */
+ /* server does not request certs by default */
+ /* if allow - client may send cert, server will ignore if errors */
+ /* if try - client may send cert, server will error if bad cert */
+ /* if hard or demand - client must send cert, server will error if bad cert */
+ request_cert = PR_TRUE;
+ require_cert = SSL_REQUIRE_NO_ERROR;
+ if ( ctx->tc_require_cert == LDAP_OPT_X_TLS_DEMAND ||
+ ctx->tc_require_cert == LDAP_OPT_X_TLS_HARD ) {
+ require_cert = SSL_REQUIRE_ALWAYS;
+ }
+ if ( ctx->tc_require_cert != LDAP_OPT_X_TLS_ALLOW ) {
+ ctx->tc_verify_cert = PR_TRUE;
+ } else {
+ ctx->tc_warn_only = PR_TRUE;
+ }
}
if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_REQUEST_CERTIFICATE, request_cert ) ) {
@@ -2193,7 +2235,7 @@ tlsm_deferred_ctx_init( void *arg )
/* Callback for authenticating certificate */
if ( SSL_AuthCertificateHook( ctx->tc_model, tlsm_auth_cert_handler,
- ctx->tc_certdb ) != SECSuccess ) {
+ ctx ) != SECSuccess ) {
PRErrorCode err = PR_GetError();
Debug( LDAP_DEBUG_ANY,
"TLS: error: could not set auth cert handler for moznss - error %d:%s\n",

17
openldap-nss-wildcards.patch
View File

@ -1,17 +0,0 @@
matching wildcard hostnames in certificate Subject field does not work
Upstream ITS: #7006
Author: Philippe Kueck <hash_oldap@cycdolphin.net>
Resolves: #733073
--- openldap-2.4.23.orig/libraries/libldap/tls_m.c 2011-08-01 12:43:59.000000000 +0200
+++ openldap-2.4.23.orig/libraries/libldap/tls_m.c 2011-08-01 13:53:05.000000000 +0200
@@ -2601,7 +2601,7 @@
if ( av->len == nlen && !strncasecmp( name, (char *)av->data, nlen )) {
ret = LDAP_SUCCESS;
} else if ( av->data[0] == '*' && av->data[1] == '.' &&
- domain && dlen == av->len - 1 && !strncasecmp( name,
+ domain && dlen == av->len - 1 && !strncasecmp( domain,
(char *)(av->data+1), dlen )) {
ret = LDAP_SUCCESS;
} else {

8
openldap-security-pie.patch
View File

@ -3,10 +3,10 @@ address space layout randomization (ASLD).
Author: Thomas Woerner <twoerner@redhat.com>
--- openldap-2.4.24.orig/servers/slapd/Makefile.in
+++ openldap-2.4.24/servers/slapd/Makefile.in
@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a
cp slapi/.libs/libslapi.a .
--- a/servers/slapd/Makefile.in
+++ b/servers/slapd/Makefile.in
@@ -263,7 +263,7 @@ slapi/libslapi.la: FORCE
(cd slapi; $(MAKE) $(MFLAGS) all)
slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \

62
openldap.spec
View File

@ -5,8 +5,8 @@
%global evolution_connector_libdir %{evolution_connector_prefix}/%{_lib}
Name: openldap
Version: 2.4.26
Release: 6%{?dist}
Version: 2.4.28
Release: 1%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
@ -30,20 +30,8 @@ Patch3: openldap-reentrant-gethostby.patch
Patch4: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ldaprc-currentdir.patch
Patch6: openldap-userconfig-setgid.patch
Patch7: openldap-nss-free-peer-cert.patch
Patch8: openldap-nss-init-threadsafe.patch
Patch9: openldap-nss-reqcert-hostname.patch
Patch10: openldap-nss-verifycert.patch
Patch11: openldap-nss-memleak-free-certs.patch
Patch12: openldap-constraint-overlay-config.patch
Patch13: openldap-dds-overlay-tolerance.patch
Patch14: openldap-man-slapo-unique.patch
Patch15: openldap-nss-wildcards.patch
Patch16: openldap-dns-priority.patch
Patch17: openldap-man-ldap-sync.patch
Patch18: openldap-nss-handshake-threadsafe.patch
Patch19: openldap-syncrepl-unset-tls-options.patch
Patch20: openldap-cve-onebyte-buffer-overflow.patch
Patch7: openldap-dns-priority.patch
Patch8: openldap-syncrepl-unset-tls-options.patch
# Fedora specific patches
Patch100: openldap-fedora-systemd.patch
@ -136,29 +124,17 @@ programs needed for accessing and modifying OpenLDAP directories.
pushd openldap-%{version}
%patch0 -p1 -b .manpages
%patch1 -p1 -b .security-pie
%patch2 -p1 -b .sql-linking
%patch3 -p1 -b .reentrant-gethostby
%patch4 -p1 -b .smbk5pwd-overlay
%patch5 -p1 -b .ldaprc-currentdir
%patch6 -p1 -b .userconfig-setgid
%patch7 -p1 -b .nss-free-peer-cert
%patch8 -p1 -b .nss-init-threadsafe
%patch9 -p1 -b .nss-reqcert-hostname
%patch10 -p1 -b .nss-verifycert
%patch11 -p1 -b .nss-memleak-free-certs
%patch12 -p1 -b .constraint-overlay-config
%patch13 -p1 -b .dds-overlay-tolerance
%patch14 -p1 -b .man-slapo-unique
%patch15 -p1 -b .nss-wildcards
%patch16 -p1 -b .dns-priority
%patch17 -p1 -b .man-ldap-sync
%patch18 -p1 -b .nss-handshake-threadsafe
%patch19 -p1 -b .syncrepl-unset-tls-options
%patch20 -p1 -b .cve-onebyte-buffer-overflow
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch100 -p1 -b .fedora-systemd
%patch100 -p1
cp %{_datadir}/libtool/config/config.{sub,guess} build/
@ -638,6 +614,16 @@ exit 0
%{evolution_connector_prefix}/
%changelog
* Wed Nov 30 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.28-1
- new upstream release
+ server: support for delta-syncrepl in multi master replication
+ server: add experimental backend - MDB
+ server: dynamic configuration for passwd, perl, shell, sock, and sql backends
+ server: support passwords in APR1
+ library: support for Wahl (draft)
+ a lot of bugfixes
- remove patches which were merged upstream
* Tue Nov 01 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.26-6
- package cleanup:
+ hardened build: switch from LDFLAGS to RPM macros

141
slapd.conf.obsolete Normal file
View File

@ -0,0 +1,141 @@
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=my-domain,dc=com" read
by * none
#######################################################################
# database definitions
#######################################################################
database hdb
suffix "dc=my-domain,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM

94
slapd.ldif Normal file
View File

@ -0,0 +1,94 @@
#
# See slapd.d(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /var/run/slapd.args
olcPidFile: /var/run/slapd.pid
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib64/openldap
#olcModuleload: back_bdb.la
#olcModuleload: back_hdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la
#olcModuleload: back_shell.la
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#######################################################################
# BDB database definitions
#######################################################################
#
dn: olcDatabase=bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: bdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /var/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq

2
sources
View File

@ -1 +1 @@
f36f3086031dd56ae94f722ffae8df5e openldap-2.4.26.tgz
196023e552eeb259e048edcd61a9645b openldap-2.4.28.tgz