From ad3da8cc0414a625c91ccfc2f3be980fe1b63446 Mon Sep 17 00:00:00 2001 
From: Jan Vcelak Date: Fri, 25 Nov 2011 23:12:51 +0100 Subject: [PATCH] new upstream release (2.4.28) - upstream changes: - server: support for delta-syncrepl in multi master replication - server: add experimental backend - MDB - server: dynamic configuration for passwd, perl, shell, sock, and sql backends - server: support passwords in APR1 - library: support for Wahl (draft) - a lot of bugfixes - remove patches which were merged upstream --- .gitignore | 2 +- openldap-constraint-overlay-config.patch | 81 -------- openldap-cve-onebyte-buffer-overflow.patch | 55 ------ openldap-dds-overlay-tolerance.patch | 29 --- openldap-man-ldap-sync.patch | 25 --- openldap-man-slapo-unique.patch | 31 --- openldap-nss-free-peer-cert.patch | 28 --- openldap-nss-handshake-threadsafe.patch | 96 --------- openldap-nss-init-threadsafe.patch | 217 --------------------- openldap-nss-memleak-free-certs.patch | 40 ---- openldap-nss-reqcert-hostname.patch | 28 --- openldap-nss-verifycert.patch | 209 -------------------- openldap-nss-wildcards.patch | 17 -- openldap-security-pie.patch | 8 +- openldap.spec | 62 +++--- slapd.conf.obsolete | 141 +++++++++++++ slapd.ldif | 94 +++++++++ sources | 2 +- 18 files changed, 265 insertions(+), 900 deletions(-) delete mode 100644 openldap-constraint-overlay-config.patch delete mode 100644 openldap-cve-onebyte-buffer-overflow.patch delete mode 100644 openldap-dds-overlay-tolerance.patch delete mode 100644 openldap-man-ldap-sync.patch delete mode 100644 openldap-man-slapo-unique.patch delete mode 100644 openldap-nss-free-peer-cert.patch delete mode 100644 openldap-nss-handshake-threadsafe.patch delete mode 100644 openldap-nss-init-threadsafe.patch delete mode 100644 openldap-nss-memleak-free-certs.patch delete mode 100644 openldap-nss-reqcert-hostname.patch delete mode 100644 openldap-nss-verifycert.patch delete mode 100644 openldap-nss-wildcards.patch create mode 100644 slapd.conf.obsolete create mode 100644 slapd.ldif 
diff --git a/.gitignore b/.gitignore
index 6fb7efc..4199374 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-/openldap-2.4.26.tgz
+/openldap-2.4.28.tgz
diff --git a/openldap-constraint-overlay-config.patch b/openldap-constraint-overlay-config.patch
deleted file mode 100644
index 12e9948..0000000
--- a/openldap-constraint-overlay-config.patch
+++ /dev/null
@@ -1,81 +0,0 @@ -constraint overlay: fix config emit - -Author: Pierangelo Masarati -Upstream ITS: #6986 -Upstream commit: c0b669e14f4ef5b649f86bb3c1cc4ca76a00efa8 -Resolves: #733067 - -diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c -index fcb2830..e6a9267 100644 ---- a/servers/slapd/overlays/constraint.c -+++ b/servers/slapd/overlays/constraint.c -@@ -145,6 +145,8 @@ constraint_cf_gen( ConfigArgs *c ) - char *tstr = NULL; - int quotes = 0; - int j; -+ size_t val; -+ char val_buf[SLAP_TEXT_BUFLEN] = { '\0' }; - - bv.bv_len = STRLENOF(" "); - for (j = 0; cp->ap[j]; j++) { -@@ -156,6 +158,7 @@ constraint_cf_gen( ConfigArgs *c ) - - if (cp->re) { - tstr = REGEX_STR; -+ quotes = 1; - } else if (cp->lud) { - tstr = URI_STR; - quotes = 1; -@@ -164,8 +167,10 @@ constraint_cf_gen( ConfigArgs *c ) - quotes = 1; - } else if (cp->size) { - tstr = SIZE_STR; -+ val = cp->size; - } else if (cp->count) { - tstr = COUNT_STR; -+ val = cp->count; - } - - bv.bv_len += strlen(tstr); -@@ -175,6 +180,15 @@ constraint_cf_gen( ConfigArgs *c ) - bv.bv_len += cp->restrict_val.bv_len + STRLENOF(" restrict=\"\""); - } - -+ if (cp->count || cp->size) { -+ int len = snprintf(val_buf, sizeof(val_buf), "%d", val); -+ if (len <= 0) { -+ /* error */ -+ return -1; -+ } -+ bv.bv_len += len; -+ } -+ - s = bv.bv_val = ch_malloc(bv.bv_len + 1); - - s = lutil_strncopy( s, cp->ap[0]->ad_cname.bv_val, cp->ap[0]->ad_cname.bv_len ); -@@ -185,9 +199,13 @@ constraint_cf_gen( ConfigArgs *c ) - *s++ = ' '; - s = lutil_strcopy( s, tstr ); - *s++ = ' '; -- if ( quotes ) *s++ = '"'; -- s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len ); -- if ( quotes ) *s++ = '"'; -+ if (cp->count || cp->size) { -+ s = lutil_strcopy( s, val_buf ); -+ } else { -+ if ( quotes ) *s++ = '"'; -+ s = lutil_strncopy( s, cp->val.bv_val, cp->val.bv_len ); -+ if ( quotes ) *s++ = '"'; -+ } - if (cp->restrict_lud != NULL) { - s = lutil_strcopy( s, " restrict=\"" ); - s = lutil_strncopy( s, 
cp->restrict_val.bv_val, cp->restrict_val.bv_len ); -@@ -471,7 +489,7 @@ constraint_cf_gen( ConfigArgs *c ) - } - } - -- ber_str2bv(c->argv[argidx], 0, 1, &ap.restrict_val); -+ ber_str2bv(c->argv[argidx] + STRLENOF("restrict="), 0, 1, &ap.restrict_val); - - } else { - /* cleanup */ diff --git a/openldap-cve-onebyte-buffer-overflow.patch b/openldap-cve-onebyte-buffer-overflow.patch deleted file mode 100644 index 94a453d..0000000 --- a/openldap-cve-onebyte-buffer-overflow.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -one-byte buffer overflow in slapd - -Resolves: #749324 (CVE-2011-4079) -Upstream ITS: #7059 -Upstream commits: d0dd861 5072387 -Author: Howard Chu - -diff -u ---- a/servers/slapd/schema_init.c -+++ b/servers/slapd/schema_init.c -@@ -1852,12 +1852,12 @@ UTF8StringNormalize( - } - nvalue.bv_val[nvalue.bv_len] = '\0'; - -- } else { -+ } else if ( tmp.bv_len ) { - /* string of all spaces is treated as one space */ - nvalue.bv_val[0] = ' '; - nvalue.bv_val[1] = '\0'; - nvalue.bv_len = 1; -- } -+ } /* should never be entered with 0-length val */ - - *normalized = nvalue; - return LDAP_SUCCESS; -@@ -2331,13 +2331,18 @@ postalAddressNormalize( - } - lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val; - -- normalized->bv_len = l; -+ normalized->bv_len = c = l; - -- for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) { -+ for ( l = 0; l <= c; l++ ) { - /* NOTE: we directly normalize each line, - * without unescaping the values, since the special - * values '\24' ('$') and '\5C' ('\') are not affected - * by normalization */ -+ if ( !lines[l].bv_len ) { -+ nlines[l].bv_len = 0; -+ nlines[l].bv_val = NULL; -+ continue; -+ } - rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx ); - if ( rc != LDAP_SUCCESS ) { - rc = LDAP_INVALID_SYNTAX; -@@ -2350,7 +2355,7 @@ postalAddressNormalize( - normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx ); - - p = normalized->bv_val; -- for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) { -+ for ( l = 0; l <= c ; l++ ) { - p = lutil_strbvcopy( p, &nlines[l] ); - *p++ = '$'; - } diff --git a/openldap-dds-overlay-tolerance.patch b/openldap-dds-overlay-tolerance.patch deleted file mode 100644 index d22b227..0000000 --- a/openldap-dds-overlay-tolerance.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -DDS overlay: fix TTL tolerance - -olcDDStolerance setting had inverse effect and in fact was shortening entries real TTL - -From cca0da2163f1ec83352d86015cf6b9b42b757dc7 Mon Sep 17 00:00:00 2001 -Author: Jan Vcelak -Upstream ITS: #7017 -Resolves: #733069 - ---- - servers/slapd/overlays/dds.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/servers/slapd/overlays/dds.c b/servers/slapd/overlays/dds.c -index 56d299f..661b309 100644 ---- a/servers/slapd/overlays/dds.c -+++ b/servers/slapd/overlays/dds.c -@@ -156,7 +156,7 @@ dds_expire( void *ctx, dds_info_t *di ) - op->ors_slimit = SLAP_NO_LIMIT; - op->ors_attrs = slap_anlist_no_attrs; - -- expire = slap_get_time() + di->di_tolerance; -+ expire = slap_get_time() - di->di_tolerance; - ts.bv_val = tsbuf; - ts.bv_len = sizeof( tsbuf ); - slap_timestamp( &expire, &ts ); --- -1.7.6 - diff --git a/openldap-man-ldap-sync.patch b/openldap-man-ldap-sync.patch deleted file mode 100644 index 78d7501..0000000 --- a/openldap-man-ldap-sync.patch +++ /dev/null @@ -1,25 +0,0 @@ -wrong ldap_sync_destroy() prototype in ldap_sync(3) manpage - -Author: Jan Vcelak -Resolves: #717722 - ---- - doc/man/man3/ldap_sync.3 | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/doc/man/man3/ldap_sync.3 b/doc/man/man3/ldap_sync.3 -index ef15085..e2c0880 100644 ---- a/doc/man/man3/ldap_sync.3 -+++ b/doc/man/man3/ldap_sync.3 -@@ -20,7 +20,7 @@ OpenLDAP LDAP (libldap, \-lldap) - .LP - .BI "ldap_sync_t * ldap_sync_initialize(ldap_sync_t *" ls ");" - .LP --.BI "int ldap_sync_destroy(ldap_sync_t *" ls ", int " freeit ");" -+.BI "void ldap_sync_destroy(ldap_sync_t *" ls ", int " freeit ");" - .LP - .BI "typedef int (*" ldap_sync_search_entry_f ")(ldap_sync_t *" ls "," - .RS --- -1.7.6 - diff --git a/openldap-man-slapo-unique.patch b/openldap-man-slapo-unique.patch deleted file mode 100644 index b76ee1b..0000000 --- a/openldap-man-slapo-unique.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -Errors in manual pages slapo-unique - -Author: Jan Vcelak -Resolves: #733070 - -diff --git a/doc/man/man5/slapo-unique.5 b/doc/man/man5/slapo-unique.5 -index 85270d8..849ffe9 100644 ---- a/doc/man/man5/slapo-unique.5 -+++ b/doc/man/man5/slapo-unique.5 -@@ -49,6 +49,12 @@ statements or - attributes will create independent domains, each with their own - independent lists of URIs and ignore/strict settings. - -+Keywords -+.B strict -+and -+.B ignore -+have to be enclosed in quotes (") together with the URI. -+ - The LDAP URI syntax is a subset of - .B RFC-4516, - and takes the form: -@@ -137,7 +143,7 @@ This legacy configuration parameter should be converted to a - .B unique_uri - parameter, as described above. - .TP --.B unique_strict -+.B unique_strict - This legacy configuration parameter should be converted to a - .B strict - keyword prepended to a diff --git a/openldap-nss-free-peer-cert.patch b/openldap-nss-free-peer-cert.patch deleted file mode 100644 index 6b58911..0000000 --- a/openldap-nss-free-peer-cert.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -memleak in tlsm_auth_cert_handler - -In tlsm_auth_cert_handler, we get the peer's cert from the socket using -SSL_PeerCertificate. This value is allocated and/or cached. We must -destroy it using CERT_DestroyCertificate. - -Author: Rich Megginson -Upstream ITS: #6980 -Upstream commit: d944920 -Resolves: #717730 - -diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23.fix/libraries/libldap/tls_m.c ---- openldap-2.4.23/libraries/libldap/tls_m.c 2011-07-18 15:54:03.719226863 +0200 -+++ openldap-2.4.23.fix/libraries/libldap/tls_m.c 2011-07-18 16:02:59.284531374 +0200 -@@ -1034,10 +1034,12 @@ tlsm_auth_cert_handler(void *arg, PRFile - { - SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer; - SECStatus ret = SECSuccess; -+ CERTCertificate *peercert = SSL_PeerCertificate( fd ); - -- ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, SSL_PeerCertificate( fd ), -+ ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, peercert, - SSL_RevealPinArg( fd ), - checksig, certUsage, 0 ); -+ CERT_DestroyCertificate( peercert ); - - return ret; - } diff --git a/openldap-nss-handshake-threadsafe.patch b/openldap-nss-handshake-threadsafe.patch deleted file mode 100644 index 7062f45..0000000 --- a/openldap-nss-handshake-threadsafe.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -Use mutex for connection handshake when using PEM nss - -PEM nss is not thread safe when establishing the initial connection -using SSL_ForceHandshake. Create a new mutex - tlsm_pem_mutex - to -protect this function call. -The call to SSL_ConfigServerSessionIDCache() is not thread-safe - move it -to the init section and protect it with the init mutex. - -Author: Rich Megginson -Resolves: #701678 -Upstream ITS: #7034 ---- - libraries/libldap/tls_m.c | 30 ++++++++++++++++++++++++------ - 1 files changed, 24 insertions(+), 6 deletions(-) - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index c85d322..9447db2 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -135,6 +135,7 @@ static int tlsm_init( void ); - to wrap the mutex creation in a prcallonce - */ - static ldap_pvt_thread_mutex_t tlsm_init_mutex; -+static ldap_pvt_thread_mutex_t tlsm_pem_mutex; - static PRCallOnceType tlsm_init_mutex_callonce = {0,0}; - - static PRStatus PR_CALLBACK -@@ -146,6 +147,12 @@ tlsm_thr_init_callonce( void ) - return PR_FAILURE; - } - -+ if ( ldap_pvt_thread_mutex_init( &tlsm_pem_mutex ) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not create mutex for PEM module: %d\n", errno, 0, 0 ); -+ return PR_FAILURE; -+ } -+ - return PR_SUCCESS; - } - -@@ -1728,6 +1735,14 @@ tlsm_deferred_init( void *arg ) - errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); - return -1; - } -+ -+ if ( ctx->tc_is_server ) { -+ LDAP_MUTEX_LOCK( &tlsm_init_mutex ); -+ /* 0 means use the defaults here */ -+ SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL ); -+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); -+ } -+ - #ifndef HAVE_NSS_INITCONTEXT - } - #endif /* HAVE_NSS_INITCONTEXT */ -@@ -1941,6 +1956,7 @@ tlsm_destroy( void ) - { - #ifdef LDAP_R_COMPILE - ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex ); -+ ldap_pvt_thread_mutex_destroy( &tlsm_pem_mutex ); - #endif - } - -@@ -2433,11 +2449,6 @@ tlsm_session_new ( tls_ctx * ctx, int is_server ) 
- return NULL; - } - -- if ( is_server ) { -- /* 0 means use the defaults here */ -- SSL_ConfigServerSessionIDCache( 0, 0, 0, NULL ); -- } -- - rc = SSL_ResetHandshake( session, is_server ); - if ( rc ) { - PRErrorCode err = PR_GetError(); -@@ -2457,9 +2468,16 @@ static int - tlsm_session_accept_or_connect( tls_session *session, int is_accept ) - { - tlsm_session *s = (tlsm_session *)session; -- int rc = SSL_ForceHandshake( s ); -+ int rc; - const char *op = is_accept ? "accept" : "connect"; - -+ if ( pem_module ) { -+ LDAP_MUTEX_LOCK( &tlsm_pem_mutex ); -+ } -+ rc = SSL_ForceHandshake( s ); -+ if ( pem_module ) { -+ LDAP_MUTEX_UNLOCK( &tlsm_pem_mutex ); -+ } - if ( rc ) { - PRErrorCode err = PR_GetError(); - rc = -1; --- -1.7.1 - diff --git a/openldap-nss-init-threadsafe.patch b/openldap-nss-init-threadsafe.patch deleted file mode 100644 index 6ef0976..0000000 --- a/openldap-nss-init-threadsafe.patch +++ /dev/null 
@@ -1,217 +0,0 @@ -NSS_Init* functions are not thread safe - -The NSS_InitContext et. al, and their corresponding shutdown functions, -are not thread safe. There can only be one thread at a time calling -these functions. Protect the calls with a mutex. Create the mutex -using a PR_CallOnce to ensure that the mutex is only created once and -not used before created. Move the registration of the nss shutdown -callback to also use a PR_CallOnce. Removed the call to -SSL_ClearSessionCache() because it is always called at shutdown, and we must -not call it more than once. - -Resolves: #731112 -Author: Rich Megginson -Upstream ITS: #7022 ---- - libraries/libldap/tls_m.c | 98 +++++++++++++++++++++++++++++++++++++++++--- - 1 files changed, 91 insertions(+), 7 deletions(-) - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 997b3eb..30c8a76 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -130,9 +130,29 @@ static int tlsm_init( void ); - - #ifdef LDAP_R_COMPILE - -+/* it doesn't seem guaranteed that a client will call -+ tlsm_thr_init in a non-threaded context - so we have -+ to wrap the mutex creation in a prcallonce -+*/ -+static ldap_pvt_thread_mutex_t tlsm_init_mutex; -+static PRCallOnceType tlsm_init_mutex_callonce = {0,0}; -+ -+static PRStatus PR_CALLBACK -+tlsm_thr_init_callonce( void ) -+{ -+ if ( ldap_pvt_thread_mutex_init( &tlsm_init_mutex ) ) { -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not create mutex for moznss initialization: %d\n", errno, 0, 0 ); -+ return PR_FAILURE; -+ } -+ -+ return PR_SUCCESS; -+} -+ - static void - tlsm_thr_init( void ) - { -+ ( void )PR_CallOnce( &tlsm_init_mutex_callonce, tlsm_thr_init_callonce ); - } - - #endif /* LDAP_R_COMPILE */ -@@ -1079,7 +1099,6 @@ tlsm_nss_shutdown_cb( void *appData, void *nssData ) - SECStatus rc = SECSuccess; - - SSL_ShutdownServerSessionIDCache(); -- SSL_ClearSessionCache(); - - if ( pem_module ) { - SECMOD_UnloadUserModule( pem_module ); -@@ -1089,6 
+1108,24 @@ tlsm_nss_shutdown_cb( void *appData, void *nssData ) - return rc; - } - -+static PRCallOnceType tlsm_register_shutdown_callonce = {0,0}; -+static PRStatus PR_CALLBACK -+tlsm_register_nss_shutdown_cb( void ) -+{ -+ if ( SECSuccess == NSS_RegisterShutdown( tlsm_nss_shutdown_cb, -+ NULL ) ) { -+ return PR_SUCCESS; -+ } -+ return PR_FAILURE; -+} -+ -+static PRStatus -+tlsm_register_nss_shutdown( void ) -+{ -+ return PR_CallOnce( &tlsm_register_shutdown_callonce, -+ tlsm_register_nss_shutdown_cb ); -+} -+ - static int - tlsm_init_pem_module( void ) - { -@@ -1529,6 +1566,12 @@ tlsm_deferred_init( void *arg ) - initParams.length = sizeof( initParams ); - #endif /* HAVE_NSS_INITCONTEXT */ - -+#ifdef LDAP_R_COMPILE -+ if ( PR_CallOnce( &tlsm_init_mutex_callonce, tlsm_thr_init_callonce ) ) { -+ return -1; -+ } -+#endif /* LDAP_R_COMPILE */ -+ - #ifndef HAVE_NSS_INITCONTEXT - if ( !NSS_IsInitialized() ) { - #endif /* HAVE_NSS_INITCONTEXT */ -@@ -1556,6 +1599,10 @@ tlsm_deferred_init( void *arg ) - } - - tlsm_get_certdb_prefix( securitydir, &realcertdir, &prefix ); -+#ifdef LDAP_R_COMPILE -+ LDAP_MUTEX_LOCK( &tlsm_init_mutex ); -+#endif /* LDAP_R_COMPILE */ -+ - #ifdef HAVE_NSS_INITCONTEXT - #ifdef INITCONTEXT_HACK - if ( !NSS_IsInitialized() && ctx->tc_is_server ) { -@@ -1574,6 +1621,10 @@ tlsm_deferred_init( void *arg ) - rc = NSS_Initialize( realcertdir, prefix, prefix, SECMOD_DB, NSS_INIT_READONLY ); - #endif - -+#ifdef LDAP_R_COMPILE -+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); -+#endif /* LDAP_R_COMPILE */ -+ - if ( rc != SECSuccess ) { - errcode = PORT_GetError(); - if ( securitydirs[ii] != lt->lt_cacertdir) { -@@ -1597,6 +1648,9 @@ tlsm_deferred_init( void *arg ) - } - - if ( errcode ) { /* no moznss db found, or not using moznss db */ -+#ifdef LDAP_R_COMPILE -+ LDAP_MUTEX_LOCK( &tlsm_init_mutex ); -+#endif /* LDAP_R_COMPILE */ - #ifdef HAVE_NSS_INITCONTEXT - int flags = NSS_INIT_READONLY|NSS_INIT_NOCERTDB|NSS_INIT_NOMODDB; - #ifdef INITCONTEXT_HACK -@@ 
-1615,6 +1669,9 @@ tlsm_deferred_init( void *arg ) - #else - rc = NSS_NoDB_Init( NULL ); - #endif -+#ifdef LDAP_R_COMPILE -+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); -+#endif /* LDAP_R_COMPILE */ - if ( rc != SECSuccess ) { - errcode = PORT_GetError(); - Debug( LDAP_DEBUG_ANY, -@@ -1628,13 +1685,22 @@ tlsm_deferred_init( void *arg ) - #endif - - /* initialize the PEM module */ -+#ifdef LDAP_R_COMPILE -+ LDAP_MUTEX_LOCK( &tlsm_init_mutex ); -+#endif /* LDAP_R_COMPILE */ - if ( tlsm_init_pem_module() ) { -+#ifdef LDAP_R_COMPILE -+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); -+#endif /* LDAP_R_COMPILE */ - errcode = PORT_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS: could not initialize moznss PEM module - error %d:%s.\n", - errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); - return -1; - } -+#ifdef LDAP_R_COMPILE -+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); -+#endif /* LDAP_R_COMPILE */ - - if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) { - /* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode -@@ -1669,10 +1735,13 @@ tlsm_deferred_init( void *arg ) - PK11_SetPasswordFunc( tlsm_pin_prompt ); - - /* register cleanup function */ -- /* delete the old one, if any */ -- NSS_UnregisterShutdown( tlsm_nss_shutdown_cb, NULL ); -- NSS_RegisterShutdown( tlsm_nss_shutdown_cb, NULL ); -- -+ if ( tlsm_register_nss_shutdown() ) { -+ errcode = PORT_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not register NSS shutdown function: %d:%s\n", -+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); -+ return -1; -+ } - #ifndef HAVE_NSS_INITCONTEXT - } - #endif /* HAVE_NSS_INITCONTEXT */ -@@ -1884,6 +1953,9 @@ tlsm_clientauth_init( tlsm_ctx *ctx ) - static void - tlsm_destroy( void ) - { -+#ifdef LDAP_R_COMPILE -+ ldap_pvt_thread_mutex_destroy( &tlsm_init_mutex ); -+#endif - } - - static tls_ctx * -@@ -1949,8 +2021,20 @@ tlsm_ctx_free ( tls_ctx *ctx ) - PL_strfree( c->tc_slotname ); - tlsm_free_pem_objs( c ); - #ifdef 
HAVE_NSS_INITCONTEXT -- if (c->tc_initctx) -- NSS_ShutdownContext( c->tc_initctx ); -+ if ( c->tc_initctx ) { -+#ifdef LDAP_R_COMPILE -+ LDAP_MUTEX_LOCK( &tlsm_init_mutex ); -+#endif /* LDAP_R_COMPILE */ -+ if ( NSS_ShutdownContext( c->tc_initctx ) ) { -+ PRErrorCode errcode = PR_GetError(); -+ Debug( LDAP_DEBUG_ANY, -+ "TLS: could not shutdown NSS - error %d:%s.\n", -+ errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ); -+ } -+#ifdef LDAP_R_COMPILE -+ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); -+#endif /* LDAP_R_COMPILE */ -+ } - c->tc_initctx = NULL; - #endif /* HAVE_NSS_INITCONTEXT */ - #ifdef LDAP_R_COMPILE --- -1.7.1 - diff --git a/openldap-nss-memleak-free-certs.patch b/openldap-nss-memleak-free-certs.patch deleted file mode 100644 index f045c6c..0000000 --- a/openldap-nss-memleak-free-certs.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -MozNSS: free the return of tlsm_find_and_verify_cert_key - -If tlsm_find_and_verify_cert_key finds the cert and/or key, and it fails -to verify them, it will leave them allocated for the caller to dispose of. -There were a couple of places that were not disposing of the cert and key -upon error. - -Author: Rich Megginson -Upstream ITS: #7001 -Upstream commit: fb4b4f7445d9392fbae097cc861e4cfb1694dcae -Resolves: #725818 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 7ae7d82..72fdf49 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -1811,6 +1811,14 @@ tlsm_get_client_auth_data( void *arg, PRFileDesc *fd, - Debug( LDAP_DEBUG_ANY, - "TLS: error: unable to perform client certificate authentication for " - "certificate named %s\n", ctx->tc_certname, 0, 0 ); -+ if ( pRetKey && *pRetKey ) { -+ SECKEY_DestroyPrivateKey( *pRetKey ); -+ *pRetKey = NULL; -+ } -+ if ( pRetCert && *pRetCert ) { -+ CERT_DestroyCertificate( *pRetCert ); -+ *pRetCert = NULL; -+ } - return SECFailure; - } - -@@ -2162,6 +2170,8 @@ tlsm_deferred_ctx_init( void *arg ) - Debug( LDAP_DEBUG_ANY, - "TLS: error: unable to find and verify server's cert and key for certificate %s\n", - ctx->tc_certname, 0, 0 ); -+ CERT_DestroyCertificate( serverCert ); -+ SECKEY_DestroyPrivateKey( serverKey ); - return -1; - } - diff --git a/openldap-nss-reqcert-hostname.patch b/openldap-nss-reqcert-hostname.patch deleted file mode 100644 index 325319c..0000000 --- a/openldap-nss-reqcert-hostname.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -Do not check server hostname when TLS_REQCERT is 'allow'. - -If server certificate hostname does not match the server hostname, -connection is closed even if client has set TLS_REQCERT to 'allow'. This -is wrong - the documentation says, that bad certificates are being -ignored when TLS_REQCERT is set to 'allow'. - -Author: Jan Vcelak -Upstream ITS: #7014 -Resolves: #725819 - -diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c -index f38db27..3f05c1e 100644 ---- a/libraries/libldap/tls2.c -+++ b/libraries/libldap/tls2.c -@@ -838,7 +838,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv ) - /* - * compare host with name(s) in certificate - */ -- if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER) { -+ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER && -+ ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) { - ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host ); - if (ld->ld_errno != LDAP_SUCCESS) { - return ld->ld_errno; --- -1.7.6 - diff --git a/openldap-nss-verifycert.patch b/openldap-nss-verifycert.patch deleted file mode 100644 index 9504eff..0000000 --- a/openldap-nss-verifycert.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -Fix server side VerifyCert allow/try behavior - -If the olcTLSVerifyClient is set to a value other than "never", the server -should request that the client send a client certificate for possible use -with client cert auth (e.g. SASL/EXTERNAL). -If set to "allow", if the client sends a cert, and there are problems with -it, the server will warn about problems, but will allow the SSL session to -proceed without a client cert. -If set to "try", if the client sends a cert, and there are problems with -it, the server will warn about those problems, and shutdown the SSL session. -If set to "demand" or "hard", the client must send a cert, and the server -will shutdown the SSL session if there are problems. -I added a new member of the tlsm context structure - tc_warn_only - if this -is set, tlsm_verify_cert will only warn about errors, and only if TRACE -level debug is set. This allows the server to warn but allow bad certs -if "allow" is set, and warn and fail if "try" is set. 
- -Author: Rich Megginson -Upstream ITS: #7002 -Upstream commit: 210b156ece28a71cb625283fa5c30ee76d639cdc -Resolves: #725819 - -diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c -index 72fdf49..997b3eb 100644 ---- a/libraries/libldap/tls_m.c -+++ b/libraries/libldap/tls_m.c -@@ -96,6 +96,7 @@ typedef struct tlsm_ctx { - #endif - PK11GenericObject **tc_pem_objs; /* array of objects to free */ - int tc_n_pem_objs; /* number of objects */ -+ PRBool tc_warn_only; /* only warn of errors in validation */ - #ifdef LDAP_R_COMPILE - ldap_pvt_thread_mutex_t tc_refmutex; - #endif -@@ -945,6 +946,11 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg, - CERTVerifyLog verifylog; - SECStatus ret = SECSuccess; - const char *name; -+ int debug_level = LDAP_DEBUG_ANY; -+ -+ if ( errorToIgnore == -1 ) { -+ debug_level = LDAP_DEBUG_TRACE; -+ } - - /* the log captures information about every cert in the chain, so we can tell - which cert caused the problem and what the problem was */ -@@ -965,7 +971,7 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg, - /* it is possible for CERT_VerifyCertificate return with an error with no logging */ - if ( ret != SECSuccess ) { - PRErrorCode errcode = PR_GetError(); -- Debug( LDAP_DEBUG_ANY, -+ Debug( debug_level, - "TLS: certificate [%s] is not valid - error %d:%s.\n", - name ? 
name : "(unknown)", - errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); -@@ -995,17 +1001,17 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg, - "please fix your certs if possible\n", name, 0, 0 ); - } else { /* does not have basicconstraint, or some other error */ - ret = SECFailure; -- Debug( LDAP_DEBUG_ANY, -+ Debug( debug_level, - "TLS: certificate [%s] is not valid - CA cert is not valid\n", - name, 0, 0 ); - } - } else if ( errorToIgnore && ( node->error == errorToIgnore ) ) { -- Debug( LDAP_DEBUG_ANY, -+ Debug( debug_level, - "TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n", - name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) ); - } else { - ret = SECFailure; -- Debug( LDAP_DEBUG_ANY, -+ Debug( debug_level, - "TLS: certificate [%s] is not valid - error %ld:%s.\n", - name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) ); - } -@@ -1020,7 +1026,9 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg, - if ( ret == SECSuccess ) { - Debug( LDAP_DEBUG_TRACE, - "TLS: certificate [%s] is valid\n", name, 0, 0 ); -- } -+ } else if ( errorToIgnore == -1 ) { -+ ret = SECSuccess; -+ } - - return ret; - } -@@ -1032,10 +1040,15 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd, - SECCertificateUsage certUsage = isServer ? 
certificateUsageSSLClient : certificateUsageSSLServer; - SECStatus ret = SECSuccess; - CERTCertificate *peercert = SSL_PeerCertificate( fd ); -+ int errorToIgnore = 0; -+ tlsm_ctx *ctx = (tlsm_ctx *)arg; -+ -+ if (ctx && ctx->tc_warn_only ) -+ errorToIgnore = -1; - -- ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, peercert, -+ ret = tlsm_verify_cert( ctx->tc_certdb, peercert, - SSL_RevealPinArg( fd ), -- checksig, certUsage, 0 ); -+ checksig, certUsage, errorToIgnore ); - CERT_DestroyCertificate( peercert ); - - return ret; -@@ -1758,6 +1771,8 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx, PRFileDesc *fd, const char *certnam - SECCertificateUsage certUsage; - PRBool checkSig = PR_TRUE; - SECStatus status; -+ /* may not have a CA cert - ok - ignore SEC_ERROR_UNKNOWN_ISSUER */ -+ int errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER; - - if ( pRetKey ) { - *pRetKey = key; /* caller will deal with this */ -@@ -1774,9 +1789,11 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx, PRFileDesc *fd, const char *certnam - } else { - checkSig = PR_FALSE; - } -- /* may not have a CA cert - ok - ignore SEC_ERROR_UNKNOWN_ISSUER */ -+ if ( ctx->tc_warn_only ) { -+ errorToIgnore = -1; -+ } - status = tlsm_verify_cert( ctx->tc_certdb, cert, pin_arg, -- checkSig, certUsage, SEC_ERROR_UNKNOWN_ISSUER ); -+ checkSig, certUsage, errorToIgnore ); - if ( status == SECSuccess ) { - rc = 0; - } -@@ -1803,10 +1820,14 @@ tlsm_get_client_auth_data( void *arg, PRFileDesc *fd, - { - tlsm_ctx *ctx = (tlsm_ctx *)arg; - int rc; -+ PRBool saveval; - - /* don't need caNames - this function will call CERT_VerifyCertificateNow - which will verify the cert against the known CAs */ -+ saveval = ctx->tc_warn_only; -+ ctx->tc_warn_only = PR_TRUE; - rc = tlsm_find_and_verify_cert_key( ctx, fd, ctx->tc_certname, 0, pRetCert, pRetKey ); -+ ctx->tc_warn_only = saveval; - if ( rc ) { - Debug( LDAP_DEBUG_ANY, - "TLS: error: unable to perform client certificate authentication for " -@@ -1837,8 +1858,12 @@ 
tlsm_clientauth_init( tlsm_ctx *ctx ) - { - SECStatus status = SECFailure; - int rc; -+ PRBool saveval; - -+ saveval = ctx->tc_warn_only; -+ ctx->tc_warn_only = PR_TRUE; - rc = tlsm_find_and_verify_cert_key( ctx, ctx->tc_model, ctx->tc_certname, 0, NULL, NULL ); -+ ctx->tc_warn_only = saveval; - if ( rc ) { - Debug( LDAP_DEBUG_ANY, - "TLS: error: unable to set up client certificate authentication for " -@@ -1887,6 +1912,7 @@ tlsm_ctx_new ( struct ldapoptions *lo ) - #endif /* HAVE_NSS_INITCONTEXT */ - ctx->tc_pem_objs = NULL; - ctx->tc_n_pem_objs = 0; -+ ctx->tc_warn_only = PR_FALSE; - } - return (tls_ctx *)ctx; - } -@@ -2048,7 +2074,9 @@ tlsm_deferred_ctx_init( void *arg ) - return -1; - } - -- if ( ctx->tc_require_cert ) { -+ if ( !ctx->tc_require_cert ) { -+ ctx->tc_verify_cert = PR_FALSE; -+ } else if ( !ctx->tc_is_server ) { - request_cert = PR_TRUE; - require_cert = SSL_REQUIRE_NO_ERROR; - if ( ctx->tc_require_cert == LDAP_OPT_X_TLS_DEMAND || -@@ -2057,8 +2085,22 @@ tlsm_deferred_ctx_init( void *arg ) - } - if ( ctx->tc_require_cert != LDAP_OPT_X_TLS_ALLOW ) - ctx->tc_verify_cert = PR_TRUE; -- } else { -- ctx->tc_verify_cert = PR_FALSE; -+ } else { /* server */ -+ /* server does not request certs by default */ -+ /* if allow - client may send cert, server will ignore if errors */ -+ /* if try - client may send cert, server will error if bad cert */ -+ /* if hard or demand - client must send cert, server will error if bad cert */ -+ request_cert = PR_TRUE; -+ require_cert = SSL_REQUIRE_NO_ERROR; -+ if ( ctx->tc_require_cert == LDAP_OPT_X_TLS_DEMAND || -+ ctx->tc_require_cert == LDAP_OPT_X_TLS_HARD ) { -+ require_cert = SSL_REQUIRE_ALWAYS; -+ } -+ if ( ctx->tc_require_cert != LDAP_OPT_X_TLS_ALLOW ) { -+ ctx->tc_verify_cert = PR_TRUE; -+ } else { -+ ctx->tc_warn_only = PR_TRUE; -+ } - } - - if ( SECSuccess != SSL_OptionSet( ctx->tc_model, SSL_REQUEST_CERTIFICATE, request_cert ) ) { -@@ -2193,7 +2235,7 @@ tlsm_deferred_ctx_init( void *arg ) - - /* Callback for 
authenticating certificate */ - if ( SSL_AuthCertificateHook( ctx->tc_model, tlsm_auth_cert_handler, -- ctx->tc_certdb ) != SECSuccess ) { -+ ctx ) != SECSuccess ) { - PRErrorCode err = PR_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS: error: could not set auth cert handler for moznss - error %d:%s\n", diff --git a/openldap-nss-wildcards.patch b/openldap-nss-wildcards.patch deleted file mode 100644 index 4d7a266..0000000 --- a/openldap-nss-wildcards.patch +++ /dev/null @@ -1,17 +0,0 @@ -matching wildcard hostnames in certificate Subject field does not work - -Upstream ITS: #7006 -Author: Philippe Kueck -Resolves: #733073 - ---- openldap-2.4.23.orig/libraries/libldap/tls_m.c 2011-08-01 12:43:59.000000000 +0200 -+++ openldap-2.4.23.orig/libraries/libldap/tls_m.c 2011-08-01 13:53:05.000000000 +0200 -@@ -2601,7 +2601,7 @@ - if ( av->len == nlen && !strncasecmp( name, (char *)av->data, nlen )) { - ret = LDAP_SUCCESS; - } else if ( av->data[0] == '*' && av->data[1] == '.' && -- domain && dlen == av->len - 1 && !strncasecmp( name, -+ domain && dlen == av->len - 1 && !strncasecmp( domain, - (char *)(av->data+1), dlen )) { - ret = LDAP_SUCCESS; - } else { diff --git a/openldap-security-pie.patch b/openldap-security-pie.patch index 42725b2..025c3d4 100644 --- a/openldap-security-pie.patch +++ b/openldap-security-pie.patch @@ -3,10 +3,10 @@ address space layout randomization (ASLD). Author: Thomas Woerner ---- openldap-2.4.24.orig/servers/slapd/Makefile.in -+++ openldap-2.4.24/servers/slapd/Makefile.in -@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a - cp slapi/.libs/libslapi.a . +--- a/servers/slapd/Makefile.in ++++ b/servers/slapd/Makefile.in +@@ -263,7 +263,7 @@ slapi/libslapi.la: FORCE + (cd slapi; $(MAKE) $(MFLAGS) all) slapd: $(SLAPD_DEPENDS) @LIBSLAPI@ - $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \ diff --git a/openldap.spec b/openldap.spec index 5931826..2ab1913 100644 --- a/openldap.spec +++ b/openldap.spec 
@@ -5,8 +5,8 @@ %global evolution_connector_libdir %{evolution_connector_prefix}/%{_lib} Name: openldap -Version: 2.4.26 -Release: 6%{?dist} +Version: 2.4.28 +Release: 1%{?dist} Summary: LDAP support libraries Group: System Environment/Daemons License: OpenLDAP @@ -30,20 +30,8 @@ Patch3: openldap-reentrant-gethostby.patch Patch4: openldap-smbk5pwd-overlay.patch Patch5: openldap-ldaprc-currentdir.patch Patch6: openldap-userconfig-setgid.patch -Patch7: openldap-nss-free-peer-cert.patch -Patch8: openldap-nss-init-threadsafe.patch -Patch9: openldap-nss-reqcert-hostname.patch -Patch10: openldap-nss-verifycert.patch -Patch11: openldap-nss-memleak-free-certs.patch -Patch12: openldap-constraint-overlay-config.patch -Patch13: openldap-dds-overlay-tolerance.patch -Patch14: openldap-man-slapo-unique.patch -Patch15: openldap-nss-wildcards.patch -Patch16: openldap-dns-priority.patch -Patch17: openldap-man-ldap-sync.patch -Patch18: openldap-nss-handshake-threadsafe.patch -Patch19: openldap-syncrepl-unset-tls-options.patch -Patch20: openldap-cve-onebyte-buffer-overflow.patch +Patch7: openldap-dns-priority.patch +Patch8: openldap-syncrepl-unset-tls-options.patch # Fedora specific patches Patch100: openldap-fedora-systemd.patch 
@@ -136,29 +124,17 @@ programs needed for accessing and modifying OpenLDAP directories. pushd openldap-%{version} -%patch0 -p1 -b .manpages -%patch1 -p1 -b .security-pie -%patch2 -p1 -b .sql-linking -%patch3 -p1 -b .reentrant-gethostby -%patch4 -p1 -b .smbk5pwd-overlay -%patch5 -p1 -b .ldaprc-currentdir -%patch6 -p1 -b .userconfig-setgid -%patch7 -p1 -b .nss-free-peer-cert -%patch8 -p1 -b .nss-init-threadsafe -%patch9 -p1 -b .nss-reqcert-hostname -%patch10 -p1 -b .nss-verifycert -%patch11 -p1 -b .nss-memleak-free-certs -%patch12 -p1 -b .constraint-overlay-config -%patch13 -p1 -b .dds-overlay-tolerance -%patch14 -p1 -b .man-slapo-unique -%patch15 -p1 -b .nss-wildcards -%patch16 -p1 -b .dns-priority -%patch17 -p1 -b .man-ldap-sync -%patch18 -p1 -b .nss-handshake-threadsafe -%patch19 -p1 -b .syncrepl-unset-tls-options -%patch20 -p1 -b .cve-onebyte-buffer-overflow +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 -%patch100 -p1 -b .fedora-systemd +%patch100 -p1 cp %{_datadir}/libtool/config/config.{sub,guess} build/ @@ -638,6 +614,16 @@ exit 0 %{evolution_connector_prefix}/ %changelog +* Wed Nov 30 2011 Jan Vcelak 2.4.28-1 +- new upstream release + + server: support for delta-syncrepl in multi master replication + + server: add experimental backend - MDB + + server: dynamic configuration for passwd, perl, shell, sock, and sql backends + + server: support passwords in APR1 + + library: support for Wahl (draft) + + a lot of bugfixes +- remove patches which were merged upstream + * Tue Nov 01 2011 Jan Vcelak 2.4.26-6 - package cleanup: + hardened build: switch from LDFLAGS to RPM macros diff --git a/slapd.conf.obsolete b/slapd.conf.obsolete new file mode 100644 index 0000000..6def6d2 --- /dev/null +++ b/slapd.conf.obsolete 
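Review bot: The 2.4.28-1 changelog entry records only "remove patches which were merged upstream", but the Patch list hunk (`@@ -30,20 +30,8 @@`) drops twelve named patches, including `openldap-cve-onebyte-buffer-overflow.patch` and the `openldap-nss-*` TLS verification fixes, and nothing left in the spec ties those to the release that absorbed them. Naming them keeps the fix lineage auditable when someone later asks whether a given CVE or ITS is covered by this build, e.g. `- remove patches which were merged upstream (nss-*, constraint-overlay-config, dds-overlay-tolerance, man-*, cve-onebyte-buffer-overflow)`. The `%patch` hunk also drops every `-b .suffix`, which changes which backup files appear in the build tree; a one-line mention such as `- drop patch backup suffixes` would record that too.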
@@ -0,0 +1,141 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+include /etc/openldap/schema/corba.schema
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/duaconf.schema
+include /etc/openldap/schema/dyngroup.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/java.schema
+include /etc/openldap/schema/misc.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/openldap.schema
+include /etc/openldap/schema/ppolicy.schema
+include /etc/openldap/schema/collective.schema
+
+# Allow LDAPv2 client connections. This is NOT the default.
+allow bind_v2
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile /var/run/openldap/slapd.pid
+argsfile /var/run/openldap/slapd.args
+
+# Load dynamic backend modules
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la overlay requires openldap-server-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+
+# modulepath /usr/lib/openldap
+# modulepath /usr/lib64/openldap
+
+# moduleload accesslog.la
+# moduleload auditlog.la
+# moduleload back_sql.la
+# moduleload chain.la
+# moduleload collect.la
+# moduleload constraint.la
+# moduleload dds.la
+# moduleload deref.la
+# moduleload dyngroup.la
+# moduleload dynlist.la
+# moduleload memberof.la
+# moduleload pbind.la
+# moduleload pcache.la
+# moduleload ppolicy.la
+# moduleload refint.la
+# moduleload retcode.la
+# moduleload rwm.la
+# moduleload seqmod.la
+# moduleload smbk5pwd.la
+# moduleload sssvlv.la
+# moduleload syncprov.la
+# moduleload translucent.la
+# moduleload unique.la
+# moduleload valsort.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it. Your client software
+# may balk at self-signed certificates, however.
+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+# Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+# enable on-the-fly configuration (cn=config)
+database config
+access to *
+ by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+ by * none
+
+# enable server status monitoring (cn=monitor)
+database monitor
+access to *
+ by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
+ by dn.exact="cn=Manager,dc=my-domain,dc=com" read
+ by * none
+
+#######################################################################
+# database definitions
+#######################################################################
+
+database hdb
+suffix "dc=my-domain,dc=com"
+checkpoint 1024 15
+rootdn "cn=Manager,dc=my-domain,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+# rootpw secret
+# rootpw {crypt}ijFYNcSNctBYg
+
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory /var/lib/ldap
+
+# Indices to maintain for this database
+index objectClass eq,pres
+index ou,cn,mail,surname,givenname eq,pres,sub
+index uidNumber,gidNumber,loginShell eq,pres
+index uid,memberUid eq,pres,sub
+index nisMapName,nisMapEntry eq,pres,sub
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+# bindmethod=sasl saslmech=GSSAPI
+# authcId=host/ldap-master.example.com@EXAMPLE.COM
diff --git a/slapd.ldif b/slapd.ldif
new file mode 100644
index 0000000..7f0fa1b
--- /dev/null
+++ b/slapd.ldif
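Review bot: `allow bind_v2` is shipped enabled while the comment directly above it says this is NOT the default; LDAPv2 binds have neither SASL nor StartTLS, so the sample switches on a legacy, weaker protocol for every deployment that starts from this file. Shipping it commented out, `#allow bind_v2`, with the existing comment explaining when to enable it, leaves the server's own default in force. Minor: the `security` example comment says "Require 63-bit encryption for simple bind" but the directive reads `simple_bind=64` (the slapd.ldif in this same commit says 64-bit), and the commented `replogfile`/`replica` block at the end appears to be slurpd-era syntax that, if I recall correctly, 2.4 no longer accepts; a commented `syncrepl` example would be the current equivalent.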
@@ -0,0 +1,94 @@ +# +# See slapd.d(5) for details on configuration options. +# This file should NOT be world readable. +# +dn: cn=config +objectClass: olcGlobal +cn: config +# +# +# Define global ACLs to disable default read access. +# +olcArgsFile: /var/run/slapd.args +olcPidFile: /var/run/slapd.pid +# +# Do not enable referrals until AFTER you have a working directory +# service AND an understanding of referrals. +#olcReferral: ldap://root.openldap.org +# +# Sample security restrictions +# Require integrity protection (prevent hijacking) +# Require 112-bit (3DES or better) encryption for updates +# Require 64-bit encryption for simple bind +#olcSecurity: ssf=1 update_ssf=112 simple_bind=64 + + +# +# Load dynamic backend modules: +# +#dn: cn=module,cn=config +#objectClass: olcModuleList +#cn: module +#olcModulepath: /usr/lib64/openldap +#olcModuleload: back_bdb.la +#olcModuleload: back_hdb.la +#olcModuleload: back_ldap.la +#olcModuleload: back_passwd.la +#olcModuleload: back_shell.la + + +dn: cn=schema,cn=config +objectClass: olcSchemaConfig +cn: schema + +include: file:///etc/openldap/schema/core.ldif + +# Frontend settings +# +dn: olcDatabase=frontend,cn=config +objectClass: olcDatabaseConfig +olcDatabase: frontend +# +# Sample global access control policy: +# Root DSE: allow anyone to read it +# Subschema (sub)entry DSE: allow anyone to read it +# Other DSEs: +# Allow self write access +# Allow authenticated users read access +# Allow anonymous users to authenticate +# +#olcAccess: to dn.base="" by * read +#olcAccess: to dn.base="cn=Subschema" by * read +#olcAccess: to * +# by self write +# by users read +# by anonymous auth +# +# if no access controls are present, the default policy +# allows anyone and everyone to read anything but restricts +# updates to rootdn. (e.g., "access to * by * read") +# +# rootdn can always read and write EVERYTHING! 
+# + + +####################################################################### +# BDB database definitions +####################################################################### +# +dn: olcDatabase=bdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcBdbConfig +olcDatabase: bdb +olcSuffix: dc=my-domain,dc=com +olcRootDN: cn=Manager,dc=my-domain,dc=com +# Cleartext passwords, especially for the rootdn, should +# be avoided. See slappasswd(8) and slapd-config(5) for details. +# Use of strong authentication encouraged. +olcRootPW: secret +# The database directory MUST exist prior to running slapd AND +# should only be accessible by the slapd and slap tools. +# Mode 700 recommended. +olcDbDirectory: /var/openldap-data +# Indices to maintain +olcDbIndex: objectClass eq diff --git a/sources b/sources index e809d56..3c387a0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f36f3086031dd56ae94f722ffae8df5e openldap-2.4.26.tgz +196023e552eeb259e048edcd61a9645b openldap-2.4.28.tgz