import CS openldap-2.6.8-4.el9

This commit is contained in:
eabdullin 2025-03-11 07:53:45 +00:00
parent 8c4c77dfeb
commit ca6944a374
7 changed files with 396 additions and 20 deletions

.gitignore vendored

@ -1,2 +1,2 @@
SOURCES/openldap-2.6.6.tgz
SOURCES/openldap-2.6.8.tgz
SOURCES/openldap-ppolicy-check-password-1.1.tar.gz


@ -1,2 +1,2 @@
633bc0ce9b5d91852c1fe38c720763f32d18390f SOURCES/openldap-2.6.6.tgz
6fd946938df37e2133e043c422039d3a71bd90d4 SOURCES/openldap-2.6.8.tgz
d9f2c30aa3ec5760d4eb5923f461ca8eed92703d SOURCES/openldap-ppolicy-check-password-1.1.tar.gz


@ -0,0 +1,139 @@
From 25db869956b0f8edaa3a688a4b3dc92c2d9832f5 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@redhat.com>
Date: Thu, 12 Dec 2024 19:58:37 -0800
Subject: [PATCH] Revert "ITS#9917 Remove 'h' and 'p' from options[] in client
tools"
This reverts commit a8f7fd00043e2c63b6216aeb3ba69b0d0485311b.
---
clients/tools/ldapcompare.c | 2 +-
clients/tools/ldapdelete.c | 2 +-
clients/tools/ldapexop.c | 2 +-
clients/tools/ldapmodify.c | 2 +-
clients/tools/ldapmodrdn.c | 2 +-
clients/tools/ldappasswd.c | 2 +-
clients/tools/ldapsearch.c | 2 +-
clients/tools/ldapvc.c | 2 +-
clients/tools/ldapwhoami.c | 2 +-
9 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/clients/tools/ldapcompare.c b/clients/tools/ldapcompare.c
index e571600f35..39b7b80aec 100644
--- a/clients/tools/ldapcompare.c
+++ b/clients/tools/ldapcompare.c
@@ -104,7 +104,7 @@ static int docompare LDAP_P((
const char options[] = "z"
- "Cd:D:e:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:Z";
+ "Cd:D:e:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
#ifdef LDAP_CONTROL_DONTUSECOPY
int dontUseCopy = 0;
diff --git a/clients/tools/ldapdelete.c b/clients/tools/ldapdelete.c
index f31e5bb3f8..b3676faaa7 100644
--- a/clients/tools/ldapdelete.c
+++ b/clients/tools/ldapdelete.c
@@ -82,7 +82,7 @@ usage( void )
const char options[] = "r"
- "cd:D:e:f:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:z:Z";
+ "cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:z:Z";
int
handle_private_option( int i )
diff --git a/clients/tools/ldapexop.c b/clients/tools/ldapexop.c
index d66f2cfb1f..10fe910dc3 100644
--- a/clients/tools/ldapexop.c
+++ b/clients/tools/ldapexop.c
@@ -52,7 +52,7 @@ usage( void )
const char options[] = ""
- "d:D:e:H:InNO:o:QR:U:vVw:WxX:y:Y:Z";
+ "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )
diff --git a/clients/tools/ldapmodify.c b/clients/tools/ldapmodify.c
index 032e4e1479..d33b092308 100644
--- a/clients/tools/ldapmodify.c
+++ b/clients/tools/ldapmodify.c
@@ -127,7 +127,7 @@ usage( void )
const char options[] = "aE:rS:"
- "cd:D:e:f:H:Ij:MnNO:o:P:QR:U:vVw:WxX:y:Y:Z";
+ "cd:D:e:f:h:H:Ij:MnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )
diff --git a/clients/tools/ldapmodrdn.c b/clients/tools/ldapmodrdn.c
index 1197d3813f..6ea8b66380 100644
--- a/clients/tools/ldapmodrdn.c
+++ b/clients/tools/ldapmodrdn.c
@@ -95,7 +95,7 @@ usage( void )
const char options[] = "rs:"
- "cd:D:e:f:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:Z";
+ "cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )
diff --git a/clients/tools/ldappasswd.c b/clients/tools/ldappasswd.c
index cd0650e914..e34d897c7b 100644
--- a/clients/tools/ldappasswd.c
+++ b/clients/tools/ldappasswd.c
@@ -83,7 +83,7 @@ usage( void )
const char options[] = "Ea:As:St:T:"
- "d:D:e:H:InNO:o:QR:U:vVw:WxX:y:Y:Z";
+ "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )
diff --git a/clients/tools/ldapsearch.c b/clients/tools/ldapsearch.c
index 3755a937d2..ab9308f593 100644
--- a/clients/tools/ldapsearch.c
+++ b/clients/tools/ldapsearch.c
@@ -363,7 +363,7 @@ parse_vlv(char *cvalue)
}
const char options[] = "a:Ab:cE:F:l:Ls:S:tT:uz:"
- "Cd:D:e:f:H:IMnNO:o:P:QR:U:vVw:WxX:y:Y:Z";
+ "Cd:D:e:f:h:H:IMnNO:o:p:P:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )
diff --git a/clients/tools/ldapvc.c b/clients/tools/ldapvc.c
index e359611882..a59595b56e 100644
--- a/clients/tools/ldapvc.c
+++ b/clients/tools/ldapvc.c
@@ -86,7 +86,7 @@ usage( void )
const char options[] = "abE:"
- "d:D:e:H:InNO:o:QR:U:vVw:WxX:y:Y:Z";
+ "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )
diff --git a/clients/tools/ldapwhoami.c b/clients/tools/ldapwhoami.c
index be1f81300a..ac6197b061 100644
--- a/clients/tools/ldapwhoami.c
+++ b/clients/tools/ldapwhoami.c
@@ -62,7 +62,7 @@ usage( void )
const char options[] = ""
- "d:D:e:H:InNO:o:QR:U:vVw:WxX:y:Y:Z";
+ "d:D:e:h:H:InNO:o:p:QR:U:vVw:WxX:y:Y:Z";
int
handle_private_option( int i )
--
2.47.1
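Review bot: The patch re-adds `h:` and `p:` to every tool's options[] string but restores no code that acts on them; the common option handling presumably lives in clients/tools/common.c, which this revert does not touch, so it only does anything if the separate revert of ITS#8618 (Patch9 in the spec) is applied first. That ordering holds in the spec (`%patch -P9 -p1` precedes `%patch -P10 -p1`), but nothing in this patch records the dependency, and the description is the bare `This reverts commit a8f7fd00043e2c63b6216aeb3ba69b0d0485311b.` without saying why the deprecated -h/-p are kept downstream. Suggest extending the description with the reason given in the spec changelog (the options remain deprecated but are restored for compatibility) and naming the ITS#8618 revert as a prerequisite. Each options[] definition is a file-scope initializer, so no enclosing function is cut by these hunks.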


@ -0,0 +1,100 @@
From 5645e37044e77c72f8868ecf62b6c7983c0afc2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
Date: Mon, 21 Oct 2024 11:50:11 +0100
Subject: [PATCH 1/6] ITS#8047 Fix TLS connection timeout handling
The test for async in ldap_int_tls_start was inverted, we already
support calling ldap_int_tls_connect repeatedly. And so long as
LBER_SB_OPT_NEEDS_* are managed correctly, the application should be
able to do the right thing.
Might require a new result code rather than reporposing
LDAP_X_CONNECTING for this.
---
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/tls2.c | 18 +++++++++++++++++-
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 3ef17643b1..7e754775e8 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -368,6 +368,7 @@ typedef struct ldap_conn {
#define LDAP_CONNST_NEEDSOCKET 1
#define LDAP_CONNST_CONNECTING 2
#define LDAP_CONNST_CONNECTED 3
+#define LDAP_CONNST_TLS_INPROGRESS 4
LDAPURLDesc *lconn_server;
BerElement *lconn_ber; /* ber receiving on this conn. */
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index dea46de0ad..cf6f4dcf9a 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -383,6 +383,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
if ( lo && lo->ldo_tls_connect_cb && lo->ldo_tls_connect_cb !=
ld->ld_options.ldo_tls_connect_cb )
lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
+ conn->lconn_status = LDAP_CONNST_TLS_INPROGRESS;
}
/* pass hostname for SNI, but only if it's an actual name
@@ -441,9 +442,11 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug,
LBER_SBIOD_LEVEL_TRANSPORT );
#endif
+ conn->lconn_status = LDAP_CONNST_CONNECTED;
return -1;
}
+ conn->lconn_status = LDAP_CONNST_CONNECTED;
return 0;
}
@@ -516,8 +519,9 @@ int
ldap_tls_inplace( LDAP *ld )
{
Sockbuf *sb = NULL;
+ LDAPConn *lc = ld->ld_defconn;
- if ( ld->ld_defconn && ld->ld_defconn->lconn_sb ) {
+ if ( lc && lc->lconn_sb ) {
sb = ld->ld_defconn->lconn_sb;
} else if ( ld->ld_sb ) {
@@ -527,6 +531,10 @@ ldap_tls_inplace( LDAP *ld )
return 0;
}
+ if ( lc && lc->lconn_status == LDAP_CONNST_TLS_INPROGRESS ) {
+ return 0;
+ }
+
return ldap_pvt_tls_inplace( sb );
}
@@ -1159,6 +1167,9 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
*/
while ( ret > 0 ) {
if ( async ) {
+ ld->ld_errno = LDAP_X_CONNECTING;
+ return (ld->ld_errno);
+ } else {
struct timeval curr_time_tv, delta_tv;
int wr=0;
@@ -1217,6 +1228,11 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
ret = ldap_int_tls_connect( ld, conn, host );
}
+ if ( !async && ld->ld_options.ldo_tm_net.tv_sec >= 0 ) {
+ /* Restore original sb status */
+ ber_sockbuf_ctrl( sb, LBER_SB_OPT_SET_NONBLOCK, (void*)0 );
+ }
+
if ( ret < 0 ) {
if ( ld->ld_errno == LDAP_SUCCESS )
ld->ld_errno = LDAP_CONNECT_ERROR;
--
2.47.1
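Review bot: In the ldap_tls_inplace hunk the new local `lc` is introduced and tested (`if ( lc && lc->lconn_sb )`) but the assignment on the next line still goes through `ld->ld_defconn->lconn_sb`; it should read `sb = lc->lconn_sb;` so the two cannot drift apart. The async early return in ldap_int_tls_start (`ld->ld_errno = LDAP_X_CONNECTING; return (ld->ld_errno);`) leaves the connection in the new LDAP_CONNST_TLS_INPROGRESS state and relies on the caller re-entering the start path until ldap_int_tls_connect returns 0; since the patch description itself says LDAP_X_CONNECTING may be the wrong code for this, a comment above the return stating that the caller must retry and that ldap_tls_inplace() reports 0 until the handshake completes would make the contract explicit. On the error path in ldap_int_tls_connect the status is reset to LDAP_CONNST_CONNECTED after the TLS layer has been removed, which is presumably intended so that a later attempt starts a fresh handshake rather than being reported as in-progress — worth a one-line comment there too. All three enclosing functions extend outside the hunks.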


@ -0,0 +1,92 @@
From 5f4569f0605a73eb1a282ee5251ead073ed3b26e Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@redhat.com>
Date: Tue, 26 Nov 2024 12:32:07 -0800
Subject: [PATCH] libldap: avoid SSL context cleanup during library destruction
Given that libldap can be pulled into random applications and applications
are allowed to call OPENSSL_cleanup() before exiting, the only sane thing
to do is to avoid trying to touch SSL context in ldap destructors, and just
let them leak if the application does not explicitly free the ldap context.
Add ldap_int_tls_destroy_safe() which skips SSL context cleanup while
maintaining all other cleanup operations, and use it in the library
destructor path.
Fixes: https://bugs.openldap.org/show_bug.cgi?id=9952
---
libraries/libldap/init.c | 2 +-
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/tls2.c | 25 +++++++++++++++++++++----
3 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 213276b4b5..aa017f4128 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -545,7 +545,7 @@ ldap_int_destroy_global_options(void)
}
#endif
#ifdef HAVE_TLS
- ldap_int_tls_destroy( gopts );
+ ldap_int_tls_destroy_safe( gopts );
#endif
}
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 7e754775e8..b73097ccc7 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -914,6 +914,7 @@ LDAP_F (int) ldap_int_tls_start LDAP_P(( LDAP *ld,
LDAPConn *conn, LDAPURLDesc *srv ));
LDAP_F (void) ldap_int_tls_destroy LDAP_P(( struct ldapoptions *lo ));
+LDAP_F (void) ldap_int_tls_destroy_safe LDAP_P(( struct ldapoptions *lo ));
/*
* in getvalues.c
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 0841005a59..82f8573602 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -97,10 +97,14 @@ tls_ctx_ref( tls_ctx *ctx )
static ldap_pvt_thread_mutex_t tls_def_ctx_mutex;
#endif
-void
-ldap_int_tls_destroy( struct ldapoptions *lo )
-{
- if ( lo->ldo_tls_ctx ) {
+/*
+ * Implementation function that handles all cleanup.
+ * skip_ctx_cleanup: 1 when called from destructor, 0 for normal operation
+ */
+static void
+ldap_int_tls_destroy_impl( struct ldapoptions *lo, int skip_ctx_cleanup )
+ {
+ if ( lo->ldo_tls_ctx && !skip_ctx_cleanup ) {
ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
lo->ldo_tls_ctx = NULL;
}
@@ -147,6 +151,19 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
BER_BVZERO( &lo->ldo_tls_pin );
}
+
+void
+ldap_int_tls_destroy( struct ldapoptions *lo )
+{
+ ldap_int_tls_destroy_impl(lo, 0);
+}
+
+/* Safe version for destructor use */
+void ldap_int_tls_destroy_safe( struct ldapoptions *lo )
+{
+ ldap_int_tls_destroy_impl(lo, 1);
+}
+
/*
* Tear down the TLS subsystem. Should only be called once.
*/
--
2.47.0
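Review bot: The comment on ldap_int_tls_destroy_safe (`/* Safe version for destructor use */`) does not say what is unsafe or what the caller gives up; suggest `/* Destructor variant: skips freeing ldo_tls_ctx because the application may already have called OPENSSL_cleanup(); the context is intentionally leaked unless the options are freed explicitly before exit. */`. Two style points in the same hunk: the opening brace of ldap_int_tls_destroy_impl is indented by one space (` {`) where the removed definition had it at column 0, and `void ldap_int_tls_destroy_safe( struct ldapoptions *lo )` puts the return type on the same line while the adjacent ldap_int_tls_destroy keeps it on its own line. With skip_ctx_cleanup set, lo->ldo_tls_ctx is left non-NULL while the rest of the options are torn down; the remainder of ldap_int_tls_destroy_impl is outside the hunk, so it is worth confirming nothing there dereferences the context after the skipped block.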


@ -0,0 +1,3 @@
#Type Name ID GECOS Home directory Shell
g ldap 55
u ldap 55:55 "OpenLDAP server" /var/lib/ldap /sbin/nologin
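Review bot: The fixed uid/gid 55 here must stay in step with the values the spec's old `%pre servers` scriptlet hard-coded (`groupadd -r -g 55` / `useradd -r -g ldap -u 55`), otherwise upgrades of existing installs would get a second ldap account or mismatched ownership of /var/lib/ldap. A comment recording that, e.g. `# uid/gid 55 are fixed to match accounts created by the former %pre useradd/groupadd`, would stop the two from drifting.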


@ -15,10 +15,10 @@
%global __brp_remove_la_files %nil
Name: openldap
Version: 2.6.6
Release: 1%{?dist}
Version: 2.6.8
Release: 4%{?dist}
Summary: LDAP support libraries
License: OpenLDAP
License: OLDAP-2.8
URL: http://www.openldap.org/
Source0: https://openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
@ -27,6 +27,7 @@ Source2: slapd.tmpfiles
Source3: slapd.ldif
Source4: ldap.conf
Source5: UPGRADE_INSTRUCTIONS
Source6: openldap.sysusers
Source10: https://github.com/ltb-project/openldap-ppolicy-check-password/archive/v%{check_password_version}/openldap-ppolicy-check-password-%{check_password_version}.tar.gz
Source50: libexec-functions
Source52: libexec-check-config.sh
@ -49,6 +50,9 @@ Patch6: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
Patch7: openldap-openssl-manpage-defaultCA.patch
Patch8: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch
Patch9: openldap-Revert-ITS-8618-Remove-deprecated-h-and-p.patch
Patch10: openldap-Revert-ITS-9917-Remove--h-and-p-from-options.patch
Patch11: openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
Patch12: openldap-fix-TLS-connection-timeout-handling.patch
# check-password module specific patches
Patch90: check-password-makefile.patch
@ -71,6 +75,8 @@ BuildRequires: unixODBC-devel
BuildRequires: systemd
BuildRequires: libdb-devel
BuildRequires: cracklib-devel
BuildRequires: systemd-rpm-macros
%{?sysusers_requires_compat}
%description
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@ -153,15 +159,18 @@ programs needed for accessing and modifying OpenLDAP directories.
%setup -q -c -a 0 -a 10
pushd openldap-%{version}
%patch0 -p1
%patch1 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch -P0 -p1
%patch -P1 -p1
%patch -P3 -p1
%patch -P4 -p1
%patch -P5 -p1
%patch -P6 -p1
%patch -P7 -p1
%patch -P8 -p1
%patch -P9 -p1
%patch -P10 -p1
%patch -P11 -p1
%patch -P12 -p1
# build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -182,8 +191,8 @@ done
popd
pushd openldap-ppolicy-check-password-%{check_password_version}
%patch90 -p1
%patch91 -p1
%patch -P90 -p1
%patch -P91 -p1
popd
%build
@ -191,6 +200,8 @@ popd
%set_build_flags
# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -Wl,-z,now -DLDAP_CONNECTIONLESS"
# disable legacy hash algorithm
export CFLAGS="${CFLAGS} -DOPENSSL_NO_MD2"
pushd openldap-%{version}
%configure \
@ -245,6 +256,9 @@ popd
%install
mkdir -p %{buildroot}%{_libdir}/
%if %{with servers}
install -p -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/openldap.conf
%endif
pushd openldap-%{version}
%make_install STRIP_OPTS=""
@ -382,10 +396,8 @@ rm %{buildroot}%{_libdir}/*.la # because we do not want files in %{_libdir}/ope
%if %{with servers}
%pre servers
# create ldap user and group
getent group ldap &>/dev/null || groupadd -r -g 55 ldap
getent passwd ldap &>/dev/null || \
useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap
exit 0
# sysusers.d format https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
%sysusers_create_compat %{SOURCE6}
%post servers
%systemd_post slapd.service
@ -476,6 +488,7 @@ exit 0
%{_libdir}/openldap/home*
%{_libdir}/openldap/lloadd*
%{_libdir}/openldap/memberof*
%{_libdir}/openldap/nestgroup*
%{_libdir}/openldap/otp*
%{_libdir}/openldap/pcache*
%{_libdir}/openldap/ppolicy*
@ -498,6 +511,7 @@ exit 0
%{_mandir}/man5/slapd*.5*
%{_mandir}/man5/slapo-*.5*
%{_mandir}/man5/slappw-argon2.5*
%{_sysusersdir}/openldap.conf
# obsolete configuration
%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
%else
@ -541,6 +555,34 @@ exit 0
%{_libdir}/libslapi-2.4*.so.*
%changelog
* Wed Feb 12 2025 Simon Pichugin <spichugi@redhat.com> - 2.6.8-4
- Fix TLS connection timeout handling (RHEL-78297)
* Wed Jan 08 2025 Viktor Ashirov <vashirov@redhat.com> - 2.6.8-3
- Migrate gating tests from STI to FMF (RHEL-71053)
* Tue Jan 7 2025 Simon Pichugin <spichugi@redhat.com> - 2.6.8-2
- Replace baseos-ci tests with osci (RHEL-71053)
* Mon Dec 16 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.8-1
- Rebase to version 2.6.8 (RHEL-71053)
- Avoid SSL context cleanup during library destruction (RHEL-56502)
* Fri Oct 11 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.6-4
- Disable MD2 hash algorithm
Resolves: RHEL-59715
* Fri Feb 9 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.6-3
- Use systemd-sysusers for ldap user and group
Replace License with SPDX identifier
Resolves: RHEL-5140
* Thu Dec 14 2023 Simon Pichugin <spichugi@redhat.com> - 2.6.6-2
- The client tools parameters '-h' and '-p' are still deprecated,
but this release brings back the client tools options that
were removed during the previous rebase.
Resolves: RHEL-19384
* Wed Oct 11 2023 Simon Pichugin <spichugi@redhat.com> - 2.6.6-1
- Rebase OpenLDAP in RHEL 9.4
Resolves: RHEL-11306
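Review bot: Patch11 and Patch12 are applied in that order (`%patch -P11 -p1` then `%patch -P12 -p1`), but the patch files were generated the other way round: the ldap-int.h index line of the TLS timeout patch ends at blob 7e754775e8 and the SSL-context patch's ldap-int.h index line starts from that same blob, so Patch11 was produced on top of Patch12. Both touch libraries/libldap/tls2.c and ldap-int.h in non-overlapping regions, so it presumably applies with line offsets, but swapping the two `%patch -P1x` lines (or regenerating Patch11 against the tree without Patch12) would keep the index lines consistent with the build order and avoid fuzz. The new `%pre servers` body is a single `%sysusers_create_compat %{SOURCE6}` replacing the useradd/groupadd block; since the old block ended with `exit 0` and the new one does not, a failure of the compat macro now fails the scriptlet, which is arguably the better behaviour but deserves a short comment stating it is intentional.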