.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,42 +1,2 @@
-/openldap-2.4.28.tgz
-/openldap-2.4.29.tgz
-/openldap-2.4.30.tgz
-/openldap-2.4.31.tgz
-/openldap-2.4.32.tgz
-/openldap-2.4.33.tgz
-/openldap-2.4.34.tgz
-/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
-/openldap-2.4.35.tgz
-/openldap-2.4.36.tgz
-/openldap-2.4.37.tgz
-/openldap-2.4.38.tgz
-/openldap-2.4.39.tgz
-/openldap-2.4.40.tgz
-/openldap-2.4.41.tgz
-/openldap-2.4.43.tgz
-/openldap-2.4.44.tgz
-/openldap-2.4.45.tgz
-/openldap-2.4.46.tgz
-/openldap-2.4.47.tgz
-/openldap-2.4.50.tgz
-/openldap-2.4.52.tgz
-/openldap-2.4.53.tgz
-/openldap-2.4.54.tgz
-/openldap-2.4.55.tgz
-/openldap-2.4.56.tgz
-/openldap-2.4.57.tgz
-/openldap-2.4.58.tgz
-/openldap-2.4.59.tgz
-/openldap-2.5.4.tgz
-/openldap-ppolicy-check-password-1.1.tar.gz
-/openldap-2.5.5.tgz
-/openldap-2.5.7.tgz
-/openldap-2.5.8.tgz
-/openldap-2.6.1.tgz
-/openldap-2.6.2.tgz
-/openldap-2.6.3.tgz
-/openldap-2.6.4.tgz
-/openldap-2.6.5.tgz
-/openldap-2.6.6.tgz
-/openldap-2.6.7.tgz
-/openldap-2.6.8.tgz
+SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+SOURCES/openldap-2.4.46.tgz

.openldap.metadata

@@ -0,0 +1,2 @@
+444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
+a9ae2273eb9bdd70090dafe0d018a3132606bef6 SOURCES/openldap-2.4.46.tgz

SOURCES/0001-ITS-9904-ldap_url_parsehosts-check-for-strdup-failur.patch

@@ -0,0 +1,72 @@
+From 840944e26f734bb03d925f26c4ef11a6cedcbb9c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 25 Aug 2022 16:13:21 +0100
+Subject: [PATCH] ITS#9904 ldap_url_parsehosts: check for strdup failure
+
+Avoid unnecessary strdup in IPv6 addr parsing, check for strdup
+failure when dup'ing scheme.
+
+Code present since 2000, 8da110a9e726dbc612b302feafe0109271e6bc59
+---
+ libraries/libldap/url.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/libraries/libldap/url.c b/libraries/libldap/url.c
+index dcf2aac9e8..493fd7ce47 100644
+--- a/libraries/libldap/url.c
++++ b/libraries/libldap/url.c
+@@ -1385,24 +1385,22 @@ ldap_url_parsehosts(
+ 		}
+ 		ludp->lud_port = port;
+ 		ludp->lud_host = specs[i];
+-		specs[i] = NULL;
+ 		p = strchr(ludp->lud_host, ':');
+ 		if (p != NULL) {
+ 			/* more than one :, IPv6 address */
+ 			if ( strchr(p+1, ':') != NULL ) {
+ 				/* allow [address] and [address]:port */
+ 				if ( *ludp->lud_host == '[' ) {
+-					p = LDAP_STRDUP(ludp->lud_host+1);
+-					/* copied, make sure we free source later */
+-					specs[i] = ludp->lud_host;
+-					ludp->lud_host = p;
+-					p = strchr( ludp->lud_host, ']' );
++					p = strchr( ludp->lud_host+1, ']' );
+ 					if ( p == NULL ) {
+ 						LDAP_FREE(ludp);
+ 						ldap_charray_free(specs);
+ 						return LDAP_PARAM_ERROR;
+ 					}
+-					*p++ = '\0';
++					/* Truncate trailing ']' and shift hostname down 1 char */
++					*p = '\0';
++					AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host );
++					p++;
+ 					if ( *p != ':' ) {
+ 						if ( *p != '\0' ) {
+ 							LDAP_FREE(ludp);
+@@ -1428,14 +1426,19 @@ ldap_url_parsehosts(
+ 				}
+ 			}
+ 		}
+-		ldap_pvt_hex_unescape(ludp->lud_host);
+ 		ludp->lud_scheme = LDAP_STRDUP("ldap");
++		if ( ludp->lud_scheme == NULL ) {
++			LDAP_FREE(ludp);
++			ldap_charray_free(specs);
++			return LDAP_NO_MEMORY;
++		}
++		specs[i] = NULL;
++		ldap_pvt_hex_unescape(ludp->lud_host);
+ 		ludp->lud_next = *ludlist;
+ 		*ludlist = ludp;
+ 	}
+ 
+ 	/* this should be an array of NULLs now */
+-	/* except entries starting with [ */
+ 	ldap_charray_free(specs);
+ 	return LDAP_SUCCESS;
+ }
+-- 
+2.44.0
+

SOURCES/0001-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch

@@ -0,0 +1,26 @@
+From c5c8c06a8bd52ea7b843e7d8ca961a7d1800ce5f Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 24 Aug 2022 14:40:51 +0100
+Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure
+
+Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a
+---
+ libraries/libldap/fetch.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c
+index 9e426dc647..536871bcfe 100644
+--- a/libraries/libldap/fetch.c
++++ b/libraries/libldap/fetch.c
+@@ -69,6 +69,8 @@ ldif_open_url(
+ 		}
+ 
+ 		p = ber_strdup( urlstr );
++		if ( p == NULL )
++			return NULL;
+ 
+ 		/* But we should convert to LDAP_DIRSEP before use */
+ 		if ( LDAP_DIRSEP[0] != '/' ) {
+-- 
+2.44.0
+

SOURCES/check-password-makefile.patch

@@ -0,0 +1,41 @@
+--- a/Makefile	2009-10-31 18:59:06.000000000 +0100
++++ b/Makefile	2014-12-17 09:42:37.586079225 +0100
+@@ -13,22 +13,11 @@
+ #
+ CONFIG=/etc/openldap/check_password.conf
+ 
+-OPT=-g -O2 -Wall -fpic 						\
+-	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""	\
+-	-DCONFIG_FILE="\"$(CONFIG)\""					\
++CFLAGS+=-fpic                                                  \
++	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \
++	-DCONFIG_FILE="\"$(CONFIG)\""                          \
+ 	-DDEBUG
+ 
+-# Where to find the OpenLDAP headers.
+-#
+-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
+-	 -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
+-
+-# Where to find the CrackLib headers.
+-#
+-CRACK_INC=
+-
+-INCS=$(LDAP_INC) $(CRACK_INC)
+-
+ LDAP_LIB=-lldap_r -llber
+ 
+ # Comment out this line if you do NOT want to use the cracklib.
+@@ -45,10 +34,10 @@
+ all: 	check_password
+ 
+ check_password.o:
+-	$(CC) $(OPT) -c $(INCS) check_password.c
++	$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+ 
+ check_password: clean check_password.o
+-	$(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
++	$(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ 
+ install: check_password
+ 	cp -f check_password.so ../../../usr/lib/openldap/modules/

SOURCES/libexec-check-config.sh

@@ -1,4 +1,4 @@
-#! /usr/bin/sh
+#!/bin/sh
 # Author: Jan Vcelak <jvcelak@redhat.com>
 
 . /usr/libexec/openldap/functions
@@ -41,7 +41,7 @@ function check_db_perms()
 	retcode=0
 	for dbdir in `databases`; do
 		[ -d "$dbdir" ] || continue
-		for dbfile in `find ${dbdir} -maxdepth 1 -name "*.mdb"` ; do
+		for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
 			run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
 			if [ $? -ne 0 ]; then
 				error "Read/write permissions for DB file '%s' are required." "$dbfile"
@@ -52,21 +52,12 @@ function check_db_perms()
 	return $retcode
 }
 
-function check_major_upgrade()
-{
-	retcode=0
-	if [ -f "/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS" ]; then
-		error "You have upgraded your openldap-servers package. There are actions that need to be performed. Please, read the /usr/share/openldap-servers/UPGRADE_INSTRUCTIONS file"
-		retcode=1
-	fi
-	return $retcode
-}
-
 function check_everything()
 {
 	retcode=0
 	check_config_syntax || retcode=1
-	check_certs_perms || retcode=1
+	# TODO: need support for Mozilla NSS, disabling temporarily
+	#check_certs_perms || retcode=1
 	check_db_perms || retcode=1
 	return $retcode
 }
@@ -76,8 +67,6 @@ if [ `id -u` -ne 0 ]; then
 	exit 4
 fi
 
-check_major_upgrade || return 1
-
 load_sysconfig
 
 if [ -n "$SLAPD_CONFIG_DIR" ]; then

SOURCES/libexec-functions

@@ -84,6 +84,14 @@ function databases_new()
 		ldif_value
 }
 
+function databases_old()
+{
+	awk	'begin { database="" }
+		$1 == "database" { database=$2 }
+		$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
+		"$SLAPD_CONFIG_FILE"
+}
+
 function certificates_new()
 {
 	slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
@@ -92,14 +100,20 @@ function certificates_new()
 		ldif_value
 }
 
+function certificates_old()
+{
+	awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
+		"$SLAPD_CONFIG_FILE"
+}
+
 function certificates()
 {
-	uses_new_config && certificates_new
+	uses_new_config && certificates_new || certificates_old
 }
 
 function databases()
 {
-	uses_new_config && databases_new
+	uses_new_config && databases_new || databases_old
 }
 
 

SOURCES/libexec-upgrade-db.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this command."
+	exit 4
+fi
+
+load_sysconfig
+retcode=0
+
+for dbdir in `databases`; do
+	upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
+	bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
+
+	# skip uninitialized database
+	[ -z "$bdb_files"]  || continue
+
+	printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
+
+	# perform the update
+	for command in \
+		"/usr/bin/db_recover -v -h \"$dbdir\"" \
+		"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
+		"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
+	; do
+		printf "Executing: %s\n" "$command" &>>$upgrade_log
+		run_as_ldap "$command" &>>$upgrade_log
+		result=$?
+		printf "Exit code: %d\n" $result >>"$upgrade_log"
+		if [ $result -ne 0 ]; then
+			printf "Upgrade failed: %d\n" $result
+			retcode=1
+		fi
+	done
+done
+
+exit $retcode

SOURCES/openldap-add-TLS_REQSAN-option.patch

@@ -0,0 +1,339 @@
+From c8050d1e6eb0f4f3deb187224945ddcfc3baa4d6 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Fri, 21 Aug 2020 09:15:15 +0100
+Subject: [PATCH] ITS#9318 add TLS_REQSAN option
+
+Add an option to specify how subjectAlternativeNames should be
+handled when validating the names in a server certificate.
+---
+ doc/man/man3/ldap_get_option.3 |  9 +++++++
+ doc/man/man5/ldap.conf.5       | 31 +++++++++++++++++++++++
+ include/ldap.h                 |  1 +
+ libraries/libldap/init.c       |  2 ++
+ libraries/libldap/ldap-int.h   |  1 +
+ libraries/libldap/tls2.c       | 16 ++++++++++++
+ libraries/libldap/tls_g.c      | 46 ++++++++++++++++++++++++++++++++--
+ libraries/libldap/tls_o.c      | 44 ++++++++++++++++++++++++++++++--
+ 8 files changed, 146 insertions(+), 4 deletions(-)
+
+diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
+index d229ce6e3..7d760136f 100644
+--- a/doc/man/man3/ldap_get_option.3
++++ b/doc/man/man3/ldap_get_option.3
+@@ -788,6 +788,15 @@ one of
+ .BR LDAP_OPT_X_TLS_ALLOW ,
+ .BR LDAP_OPT_X_TLS_TRY .
+ .TP
++.B LDAP_OPT_X_TLS_REQUIRE_SAN
++Sets/gets the peer certificate subjectAlternativeName checking strategy,
++one of
++.BR LDAP_OPT_X_TLS_NEVER ,
++.BR LDAP_OPT_X_TLS_HARD ,
++.BR LDAP_OPT_X_TLS_DEMAND ,
++.BR LDAP_OPT_X_TLS_ALLOW ,
++.BR LDAP_OPT_X_TLS_TRY .
++.TP
+ .B LDAP_OPT_X_TLS_SSL_CTX
+ Gets the TLS session context associated with this handle.
+ .BR outvalue
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 2f1ee886d..cde2c875f 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -464,6 +464,37 @@ certificate is provided, or a bad certificate is provided, the session
+ is immediately terminated. This is the default setting.
+ .RE
+ .TP
++.B TLS_REQSAN <level>
++Specifies what checks to perform on the subjectAlternativeName
++(SAN) extensions in a server certificate when validating the certificate
++name against the specified hostname of the server. The
++.B <level>
++can be specified as one of the following keywords:
++.RS
++.TP
++.B never
++The client will not check any SAN in the certificate.
++.TP
++.B allow
++The SAN is checked against the specified hostname. If a SAN is
++present but none match the specified hostname, the SANs are ignored
++and the usual check against the certificate DN is used.
++This is the default setting.
++.TP
++.B try
++The SAN is checked against the specified hostname. If no SAN is present
++in the server certificate, the usual check against the certificate DN
++is used. If a SAN is present but doesn't match the specified hostname,
++the session is immediately terminated. This setting may be preferred
++when a mix of certs with and without SANs are in use.
++.TP
++.B demand | hard
++These keywords are equivalent. The SAN is checked against the specified
++hostname. If no SAN is present in the server certificate, or no SANs
++match, the session is immediately terminated. This setting should be
++used when only certificates with SANs are in use.
++.RE
++.TP
+ .B TLS_CRLCHECK <level>
+ Specifies if the Certificate Revocation List (CRL) of the CA should be 
+ used to verify if the server certificates have not been revoked. This
+diff --git a/include/ldap.h b/include/ldap.h
+index 4b81a6841..4877de24a 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PACKAGE		0x6011
+ #define LDAP_OPT_X_TLS_ECNAME		0x6012
+ #define LDAP_OPT_X_TLS_PEERCERT		0x6015	/* read-only */
++#define LDAP_OPT_X_TLS_REQUIRE_SAN	0x601a
+ 
+ #define LDAP_OPT_X_TLS_NEVER	0
+ #define LDAP_OPT_X_TLS_HARD		1
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index d503019aa..0d91808ec 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -128,6 +128,7 @@ static const struct ol_attribute {
+   	{0, ATTR_TLS,	"TLS_CACERT",		NULL,	LDAP_OPT_X_TLS_CACERTFILE},
+   	{0, ATTR_TLS,	"TLS_CACERTDIR",	NULL,	LDAP_OPT_X_TLS_CACERTDIR},
+   	{0, ATTR_TLS,	"TLS_REQCERT",		NULL,	LDAP_OPT_X_TLS_REQUIRE_CERT},
++	{0, ATTR_TLS,	"TLS_REQSAN",		NULL,	LDAP_OPT_X_TLS_REQUIRE_SAN},
+ 	{0, ATTR_TLS,	"TLS_RANDFILE",		NULL,	LDAP_OPT_X_TLS_RANDOM_FILE},
+ 	{0, ATTR_TLS,	"TLS_CIPHER_SUITE",	NULL,	LDAP_OPT_X_TLS_CIPHER_SUITE},
+ 	{0, ATTR_TLS,	"TLS_PROTOCOL_MIN",	NULL,	LDAP_OPT_X_TLS_PROTOCOL_MIN},
+@@ -624,6 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
+ 	gopts->ldo_tls_connect_cb = NULL;
+ 	gopts->ldo_tls_connect_arg = NULL;
+ 	gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
++	gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
+ #endif
+ 	gopts->ldo_keepalive_probes = 0;
+ 	gopts->ldo_keepalive_interval = 0;
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 753014ad0..2bf5d4ff6 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -262,6 +262,7 @@ struct ldapoptions {
+    	int			ldo_tls_require_cert;
+ 	int			ldo_tls_impl;
+    	int			ldo_tls_crlcheck;
++	int			ldo_tls_require_san;
+ #define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0
+ #else
+ #define LDAP_LDO_TLS_NULLARG
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 6a2113255..670292c22 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -539,6 +539,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
+ 		return ldap_pvt_tls_set_option( ld, option, (void *) arg );
+ 
+ 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
++	case LDAP_OPT_X_TLS_REQUIRE_SAN:
+ 	case LDAP_OPT_X_TLS:
+ 		i = -1;
+ 		if ( strcasecmp( arg, "never" ) == 0 ) {
+@@ -669,6 +670,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
+ 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
+ 		*(int *)arg = lo->ldo_tls_require_cert;
+ 		break;
++	case LDAP_OPT_X_TLS_REQUIRE_SAN:
++		*(int *)arg = lo->ldo_tls_require_san;
++		break;
+ #ifdef HAVE_OPENSSL_CRL
+ 	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */
+ 		*(int *)arg = lo->ldo_tls_crlcheck;
+@@ -818,6 +822,18 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ 			return 0;
+ 		}
+ 		return -1;
++	case LDAP_OPT_X_TLS_REQUIRE_SAN:
++		if ( !arg ) return -1;
++		switch( *(int *) arg ) {
++		case LDAP_OPT_X_TLS_NEVER:
++		case LDAP_OPT_X_TLS_DEMAND:
++		case LDAP_OPT_X_TLS_ALLOW:
++		case LDAP_OPT_X_TLS_TRY:
++		case LDAP_OPT_X_TLS_HARD:
++			lo->ldo_tls_require_san = * (int *) arg;
++			return 0;
++		}
++		return -1;
+ #ifdef HAVE_OPENSSL_CRL
+ 	case LDAP_OPT_X_TLS_CRLCHECK:	/* OpenSSL only */
+ 		if ( !arg ) return -1;
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index 15ce0bbb8..e3486c9b4 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -496,6 +496,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
+ {
+ 	tlsg_session *s = (tlsg_session *)session;
+ 	int i, ret;
++	int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
+ 	const gnutls_datum_t *peer_cert_list;
+ 	unsigned int list_size;
+ 	char altname[NI_MAXHOST];
+@@ -558,12 +559,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
+ 		}
+ 	}
+ 
++	if (chkSAN) {
+ 	for ( i=0, ret=0; ret >= 0; i++ ) {
+ 		altnamesize = sizeof(altname);
+ 		ret = gnutls_x509_crt_get_subject_alt_name( cert, i, 
+ 			altname, &altnamesize, NULL );
+ 		if ( ret < 0 ) break;
+ 
++		gotSAN = 1;
+ 		/* ignore empty */
+ 		if ( altnamesize == 0 ) continue;
+ 
+@@ -599,7 +602,45 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
+ 	}
+ 	if ( ret >= 0 ) {
+ 		ret = LDAP_SUCCESS;
+-	} else {
++	}
++	}
++	if (ret != LDAP_SUCCESS && chkSAN) {
++		switch(chkSAN) {
++		case LDAP_OPT_X_TLS_DEMAND:
++		case LDAP_OPT_X_TLS_HARD:
++			if (!gotSAN) {
++				Debug( LDAP_DEBUG_ANY,
++					"TLS: unable to get subjectAltName from peer certificate.\n",
++					0, 0, 0 );
++				ret = LDAP_CONNECT_ERROR;
++				if ( ld->ld_error ) {
++					LDAP_FREE( ld->ld_error );
++				}
++				ld->ld_error = LDAP_STRDUP(
++					_("TLS: unable to get subjectAltName from peer certificate"));
++				goto done;
++			}
++			/* FALLTHRU */
++		case LDAP_OPT_X_TLS_TRY:
++			if (gotSAN) {
++				Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
++					"subjectAltName in certificate.\n",
++					name, 0, 0 );
++				ret = LDAP_CONNECT_ERROR;
++				if ( ld->ld_error ) {
++					LDAP_FREE( ld->ld_error );
++				}
++				ld->ld_error = LDAP_STRDUP(
++					_("TLS: hostname does not match subjectAltName in peer certificate"));
++				goto done;
++			}
++			break;
++		case LDAP_OPT_X_TLS_ALLOW:
++			break;
++		}
++	}
++
++	if ( ret != LDAP_SUCCESS ){
+ 		/* find the last CN */
+ 		i=0;
+ 		do {
+@@ -654,9 +695,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
+ 				LDAP_FREE( ld->ld_error );
+ 			}
+ 			ld->ld_error = LDAP_STRDUP(
+-				_("TLS: hostname does not match CN in peer certificate"));
++				_("TLS: hostname does not match name in peer certificate"));
+ 		}
+ 	}
++done:
+ 	gnutls_x509_crt_deinit( cert );
+ 	return ret;
+ }
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 4006f7a4f..6f27168e9 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -600,6 +600,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ {
+ 	tlso_session *s = (tlso_session *)sess;
+ 	int i, ret = LDAP_LOCAL_ERROR;
++	int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
+ 	X509 *x;
+ 	const char *name;
+ 	char *ptr;
+@@ -638,7 +639,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ 	if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
+ 		if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
+ 	}
+-	
++
++	if (chkSAN) {
+ 	i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
+ 	if (i >= 0) {
+ 		X509_EXTENSION *ex;
+@@ -651,6 +653,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ 			char *domain = NULL;
+ 			GENERAL_NAME *gn;
+ 
++			gotSAN = 1;
+ 			if (ntype == IS_DNS) {
+ 				domain = strchr(name, '.');
+ 				if (domain) {
+@@ -709,6 +712,42 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ 			}
+ 		}
+ 	}
++	}
++	if (ret != LDAP_SUCCESS && chkSAN) {
++		switch(chkSAN) {
++		case LDAP_OPT_X_TLS_DEMAND:
++		case LDAP_OPT_X_TLS_HARD:
++			if (!gotSAN) {
++				Debug( LDAP_DEBUG_ANY,
++					"TLS: unable to get subjectAltName from peer certificate.\n",
++					0, 0, 0 );
++				ret = LDAP_CONNECT_ERROR;
++				if ( ld->ld_error ) {
++					LDAP_FREE( ld->ld_error );
++				}
++				ld->ld_error = LDAP_STRDUP(
++					_("TLS: unable to get subjectAltName from peer certificate"));
++				goto done;
++			}
++			/* FALLTHRU */
++		case LDAP_OPT_X_TLS_TRY:
++			if (gotSAN) {
++				Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
++					"subjectAltName in certificate.\n",
++					name, 0, 0 );
++				ret = LDAP_CONNECT_ERROR;
++				if ( ld->ld_error ) {
++					LDAP_FREE( ld->ld_error );
++				}
++				ld->ld_error = LDAP_STRDUP(
++					_("TLS: hostname does not match subjectAltName in peer certificate"));
++				goto done;
++			}
++			break;
++		case LDAP_OPT_X_TLS_ALLOW:
++			break;
++		}
++	}
+ 
+ 	if (ret != LDAP_SUCCESS) {
+ 		X509_NAME *xn;
+@@ -772,9 +811,10 @@ no_cn:
+ 				LDAP_FREE( ld->ld_error );
+ 			}
+ 			ld->ld_error = LDAP_STRDUP(
+-				_("TLS: hostname does not match CN in peer certificate"));
++				_("TLS: hostname does not match name in peer certificate"));
+ 		}
+ 	}
++done:
+ 	X509_free(x);
+ 	return ret;
+ }
+-- 
+2.31.1
+

SOURCES/openldap-ai-addrconfig.patch

@@ -5,10 +5,10 @@ Upstream ITS: #7326
 Resolves: #835013
 
 diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
-index 14899cc..b25e750 100644
+index b31e05d..fa361ab 100644
 --- a/libraries/libldap/os-ip.c
 +++ b/libraries/libldap/os-ip.c
-@@ -620,8 +620,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
  
  #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
  	memset( &hints, '\0', sizeof(hints) );

SOURCES/openldap-allop-overlay.patch

@@ -4,10 +4,9 @@ Author: Matus Honek <mhonek@redhat.com>
 Resolves: #1319782
 
 diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
-index b5c3fc8..9aa8a4f 100644
 --- a/servers/slapd/overlays/Makefile.in
 +++ b/servers/slapd/overlays/Makefile.in
-@@ -38,7 +38,8 @@ SRCS = overlays.c \
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
  	translucent.c \
  	unique.c \
  	valsort.c \
@@ -17,7 +16,7 @@ index b5c3fc8..9aa8a4f 100644
  OBJS = statover.o \
  	@SLAPD_STATIC_OVERLAYS@ \
  	overlays.o
-@@ -58,7 +59,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
  UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
  
  LIBRARY = ../liboverlays.a
@@ -26,7 +25,7 @@ index b5c3fc8..9aa8a4f 100644
  
  XINCPATH = -I.. -I$(srcdir)/..
  XDEFS = $(MODULES_CPPFLAGS)
-@@ -148,6 +149,12 @@ smbk5pwd.lo : smbk5pwd.c
+@@ -125,6 +126,12 @@ unique.la : unique.lo
  smbk5pwd.la : smbk5pwd.lo
  	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
  

SOURCES/openldap-cbinding-Add-channel-binding-support.patch

@@ -0,0 +1,291 @@
+From ca310ebff44f10739fd75aff437c7676e089b134 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 26 Aug 2013 23:31:48 -0700
+Subject: [PATCH] Add channel binding support
+
+Currently only implemented for OpenSSL.
+Needs an option to set the criticality flag.
+---
+ include/ldap_pvt.h           |  1 +
+ libraries/libldap/cyrus.c    | 22 ++++++++++++++++++++++
+ libraries/libldap/ldap-int.h |  1 +
+ libraries/libldap/ldap-tls.h |  2 ++
+ libraries/libldap/tls2.c     |  7 +++++++
+ libraries/libldap/tls_g.c    |  7 +++++++
+ libraries/libldap/tls_m.c    |  7 +++++++
+ libraries/libldap/tls_o.c    | 16 ++++++++++++++++
+ servers/slapd/connection.c   |  8 ++++++++
+ servers/slapd/sasl.c         | 18 ++++++++++++++++++
+ servers/slapd/slap.h         |  1 +
+ 11 files changed, 90 insertions(+)
+
+diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
+index 871e7c180..fdc9d2de3 100644
+--- a/include/ldap_pvt.h
++++ b/include/ldap_pvt.h
+@@ -430,6 +430,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,
+ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
+ 	LDAPDN_rewrite_dummy *func, unsigned flags ));
+ LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
++LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
+ 
+ LDAP_END_DECL
+ 
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 28c241b0b..a57292800 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -369,6 +369,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
+ 		lc->lconn_sasl_sockctx = NULL;
+ 		lc->lconn_sasl_authctx = NULL;
+ 	}
++	if( lc->lconn_sasl_cbind ) {
++		ldap_memfree( lc->lconn_sasl_cbind );
++		lc->lconn_sasl_cbind = NULL;
++	}
+ 
+ 	return LDAP_SUCCESS;
+ }
+@@ -482,6 +486,24 @@ ldap_int_sasl_bind(
+ 
+ 			(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
+ 			LDAP_FREE( authid.bv_val );
++#ifdef SASL_CHANNEL_BINDING	/* 2.1.25+ */
++			{
++				char cbinding[64];
++				struct berval cbv = { sizeof(cbinding), cbinding };
++				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
++					sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
++						cbv.bv_len);
++					cb->name = "ldap";
++					cb->critical = 0;
++					cb->data = (char *)(cb+1);
++					cb->len = cbv.bv_len;
++					memcpy( cb->data, cbv.bv_val, cbv.bv_len );
++					sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
++						SASL_CHANNEL_BINDING, cb );
++					ld->ld_defconn->lconn_sasl_cbind = cb;
++				}
++			}
++#endif
+ 		}
+ #endif
+ 
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 37c342e26..1915ecab4 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -305,6 +305,7 @@ typedef struct ldap_conn {
+ #ifdef HAVE_CYRUS_SASL
+ 	void		*lconn_sasl_authctx;	/* context for bind */
+ 	void		*lconn_sasl_sockctx;	/* for security layer */
++	void		*lconn_sasl_cbind;		/* for channel binding */
+ #endif
+ #ifdef HAVE_GSSAPI
+ 	void		*lconn_gss_ctx;		/* gss_ctx_id_t */
+diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
+index 75661c005..1eb5ae47e 100644
+--- a/libraries/libldap/ldap-tls.h
++++ b/libraries/libldap/ldap-tls.h
+@@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len
+ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
+ typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
+ typedef int (TI_session_strength)(tls_session *sess);
++typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
+ 
+ typedef void (TI_thr_init)(void);
+ 
+@@ -64,6 +65,7 @@ typedef struct tls_impl {
+ 	TI_session_dn *ti_session_peer_dn;
+ 	TI_session_chkhost *ti_session_chkhost;
+ 	TI_session_strength *ti_session_strength;
++	TI_session_unique *ti_session_unique;
+ 
+ 	Sockbuf_IO *ti_sbio;
+ 
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index e11d1a8a3..957e73c03 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -981,6 +981,13 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
+ 		rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );
+ 	return rc;
+ }
++
++int
++ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
++{
++	tls_session *session = s;
++	return tls_imp->ti_session_unique( session, buf, is_server );
++}
+ #endif /* HAVE_TLS */
+ 
+ int
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index ed1f8f1cb..dfdc35da4 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -780,6 +780,12 @@ tlsg_session_strength( tls_session *session )
+ 	return gnutls_cipher_get_key_size( c ) * 8;
+ }
+ 
++static int
++tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
++{
++	return 0;
++}
++
+ /* suites is a string of colon-separated cipher suite names. */
+ static int
+ tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
+@@ -1110,6 +1116,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlsg_session_peer_dn,
+ 	tlsg_session_chkhost,
+ 	tlsg_session_strength,
++	tlsg_session_unique,
+ 
+ 	&tlsg_sbio,
+ 
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 072d41d56..240bd9ff6 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2838,6 +2838,12 @@ tlsm_session_strength( tls_session *session )
+ 	return rc ? 0 : keySize;
+ }
+ 
++static int
++tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
++{
++	return 0;
++}
++
+ /*
+  * TLS support for LBER Sockbufs
+  */
+@@ -3266,6 +3272,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlsm_session_peer_dn,
+ 	tlsm_session_chkhost,
+ 	tlsm_session_strength,
++	tlsm_session_unique,
+ 
+ 	&tlsm_sbio,
+ 
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 3c077f895..2ecee465b 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -676,6 +676,21 @@ tlso_session_strength( tls_session *sess )
+ 	return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);
+ }
+ 
++static int
++tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
++{
++	tlso_session *s = (tlso_session *)sess;
++
++	/* Usually the client sends the finished msg. But if the
++	 * session was resumed, the server sent the msg.
++	 */
++	if (SSL_session_reused(s) ^ !is_server)
++		buf->bv_len = SSL_get_finished(s, buf->bv_val, buf->bv_len);
++	else
++		buf->bv_len = SSL_get_peer_finished(s, buf->bv_val, buf->bv_len);
++	return buf->bv_len;
++}
++
+ /*
+  * TLS support for LBER Sockbufs
+  */
+@@ -1283,6 +1298,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlso_session_peer_dn,
+ 	tlso_session_chkhost,
+ 	tlso_session_strength,
++	tlso_session_unique,
+ 
+ 	&tlso_sbio,
+ 
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index e34703cb3..bc2b8a4d0 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -406,6 +406,7 @@ Connection * connection_init(
+ 		c->c_sasl_sockctx = NULL;
+ 		c->c_sasl_extra = NULL;
+ 		c->c_sasl_bindop = NULL;
++		c->c_sasl_cbind = NULL;
+ 
+ 		c->c_sb = ber_sockbuf_alloc( );
+ 
+@@ -451,6 +452,7 @@ Connection * connection_init(
+ 	assert( c->c_sasl_sockctx == NULL );
+ 	assert( c->c_sasl_extra == NULL );
+ 	assert( c->c_sasl_bindop == NULL );
++	assert( c->c_sasl_cbind == NULL );
+ 	assert( c->c_currentber == NULL );
+ 	assert( c->c_writewaiter == 0);
+ 	assert( c->c_writers == 0);
+@@ -1408,6 +1410,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
+ 			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
+ 			slap_sasl_external( c, c->c_tls_ssf, &authid );
+ 			if ( authid.bv_val ) free( authid.bv_val );
++			{
++				char cbinding[64];
++				struct berval cbv = { sizeof(cbinding), cbinding };
++				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
++					slap_sasl_cbinding( c, &cbv );
++			}
+ 		} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
+ 			LBER_SB_OPT_NEEDS_WRITE, NULL )) {	/* need to retry */
+ 			slapd_set_write( s, 1 );
+diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
+index 0bd6259be..57907d79b 100644
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1503,6 +1503,21 @@ int slap_sasl_external(
+ 	return LDAP_SUCCESS;
+ }
+ 
++int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
++{
++#ifdef SASL_CHANNEL_BINDING
++	sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
++	cb->name = "ldap";
++	cb->critical = 0;
++	cb->data = (char *)(cb+1);
++	cb->len = cbv->bv_len;
++	memcpy( cb->data, cbv->bv_val, cbv->bv_len );
++	sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
++	conn->c_sasl_cbind = cb;
++#endif
++	return LDAP_SUCCESS;
++}
++
+ int slap_sasl_reset( Connection *conn )
+ {
+ 	return LDAP_SUCCESS;
+@@ -1568,6 +1583,9 @@ int slap_sasl_close( Connection *conn )
+ 	free( conn->c_sasl_extra );
+ 	conn->c_sasl_extra = NULL;
+ 
++	free( conn->c_sasl_cbind );
++	conn->c_sasl_cbind = NULL;
++
+ #elif defined(SLAP_BUILTIN_SASL)
+ 	SASL_CTX *ctx = conn->c_sasl_authctx;
+ 	if( ctx ) {
+diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
+index 09c1854f8..4b3bbd12e 100644
+--- a/servers/slapd/slap.h
++++ b/servers/slapd/slap.h
+@@ -2910,6 +2910,7 @@ struct Connection {
+ 	void	*c_sasl_authctx;	/* SASL authentication context */
+ 	void	*c_sasl_sockctx;	/* SASL security layer context */
+ 	void	*c_sasl_extra;		/* SASL session extra stuff */
++	void	*c_sasl_cbind;		/* SASL channel binding */
+ 	Operation	*c_sasl_bindop;	/* set to current op if it's a bind */
+ 
+ #ifdef LDAP_X_TXN
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-Convert-test077-to-LDIF-config.patch

@@ -0,0 +1,167 @@
+From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Mon, 27 Apr 2020 23:24:16 -0700
+Subject: [PATCH] Convert test077 to LDIF config
+
+---
+ tests/data/slapd-sasl-gssapi.conf | 68 -------------------------------
+ tests/scripts/defines.sh          |  1 -
+ tests/scripts/test077-sasl-gssapi | 35 +++++++++++++---
+ 3 files changed, 30 insertions(+), 74 deletions(-)
+ delete mode 100644 tests/data/slapd-sasl-gssapi.conf
+
+diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
+deleted file mode 100644
+index 29ab6040b..000000000
+--- a/tests/data/slapd-sasl-gssapi.conf
++++ /dev/null
+@@ -1,68 +0,0 @@
+-# stand-alone slapd config -- for testing (with indexing)
+-# $OpenLDAP$
+-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+-##
+-## Copyright 1998-2020 The OpenLDAP Foundation.
+-## All rights reserved.
+-##
+-## Redistribution and use in source and binary forms, with or without
+-## modification, are permitted only as authorized by the OpenLDAP
+-## Public License.
+-##
+-## A copy of this license is available in the file LICENSE in the
+-## top-level directory of the distribution or, alternatively, at
+-## <http://www.OpenLDAP.org/license.html>.
+-
+-#
+-include		@SCHEMADIR@/core.schema
+-include		@SCHEMADIR@/cosine.schema
+-#
+-include		@SCHEMADIR@/corba.schema
+-include		@SCHEMADIR@/java.schema
+-include		@SCHEMADIR@/inetorgperson.schema
+-include		@SCHEMADIR@/misc.schema
+-include		@SCHEMADIR@/nis.schema
+-include		@SCHEMADIR@/openldap.schema
+-#
+-include		@SCHEMADIR@/duaconf.schema
+-include		@SCHEMADIR@/dyngroup.schema
+-
+-#
+-pidfile		@TESTDIR@/slapd.1.pid
+-argsfile	@TESTDIR@/slapd.1.args
+-
+-# SSL configuration
+-TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
+-TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
+-TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
+-
+-#
+-rootdse 	@DATADIR@/rootdse.ldif
+-
+-#mod#modulepath	../servers/slapd/back-@BACKEND@/
+-#mod#moduleload	back_@BACKEND@.la
+-#monitormod#modulepath ../servers/slapd/back-monitor/
+-#monitormod#moduleload back_monitor.la
+-
+-
+-#######################################################################
+-# database definitions
+-#######################################################################
+-
+-database	@BACKEND@
+-suffix          "dc=example,dc=com"
+-rootdn          "cn=Manager,dc=example,dc=com"
+-rootpw          secret
+-#~null~#directory	@TESTDIR@/db.1.a
+-#indexdb#index		objectClass eq
+-#indexdb#index		mail eq
+-#ndb#dbname db_1_a
+-#ndb#include @DATADIR@/ndb.conf
+-
+-#monitor#database	monitor
+-
+-sasl-realm	@KRB5REALM@
+-sasl-host	localhost
+-
+-database	config
+-rootpw		secret
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index f9e5578ee..a84fd0a65 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -114,7 +114,6 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
+ SCHEMACONF=$DATADIR/slapd-schema.conf
+ TLSCONF=$DATADIR/slapd-tls.conf
+ TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
+-SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
+ GLUECONF=$DATADIR/slapd-glue.conf
+ REFINTCONF=$DATADIR/slapd-refint.conf
+ RETCODECONF=$DATADIR/slapd-retcode.conf
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+index 20c414600..322df60a4 100755
+--- a/tests/scripts/test077-sasl-gssapi
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then
+         exit 0
+ fi
+ 
++CONFDIR=$TESTDIR/slapd.d
++CONFLDIF=$TESTDIR/slapd.ldif
++
+ mkdir -p $TESTDIR $DBDIR1 $CONFDIR
+ cp -r $DATADIR/tls $TESTDIR
++$SLAPPASSWD -g -n >$CONFIGPWF
+ 
+ echo "Starting KDC for SASL/GSSAPI tests..."
+ . $SRCDIR/scripts/setup_kdc.sh
+ 
+-echo "Running slapadd to build slapd database..."
+-. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
+-$SLAPADD -f $CONF1 -l $LDIFORDERED
++echo "Configuring slapd..."
++cat > $CONFLDIF <<EOF
++dn: cn=config
++objectClass: olcGlobal
++cn: config
++olcSaslHost: localhost
++olcSaslRealm: $KRB5REALM
++olcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt
++olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
++olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key
++
++dn: cn=schema,cn=config
++objectClass: olcSchemaConfig
++cn: schema
++
++include: file://$ABS_SCHEMADIR/core.ldif
++
++dn: olcDatabase={0}config,cn=config
++objectClass: olcDatabaseConfig
++olcDatabase: {0}config
++olcRootPW:< file://$TESTDIR/configpw
++
++EOF
++$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
+ RC=$?
+ if test $RC != 0 ; then
+ 	echo "slapadd failed ($RC)!"
+@@ -38,7 +63,7 @@ if test $RC != 0 ; then
+ fi
+ 
+ echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+ PID=$!
+ if test $WAIT != 0 ; then
+     echo PID $PID
+@@ -151,7 +176,7 @@ else
+ 	for acb in "none" "tls-unique" "tls-endpoint" ; do
+ 
+ 		echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
+-		$LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
++		$LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
+ dn: cn=config
+ changetype: modify
+ replace: olcSaslCBinding
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-Fix-slaptest-in-test077.patch

@@ -0,0 +1,62 @@
+From e006994d83af9dcb7813a18253cf4e5beacee043 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Sun, 26 Apr 2020 11:40:23 -0700
+Subject: [PATCH] Fix slaptest in test077
+
+The libtool wrapper scripts lose argv[0] when exec'ing the real binary.
+
+In the CI Docker container, where the build runs as root, this was
+actually starting a real slapd on the default port.
+
+Outside Docker, running as a non-root user, this slapd would just fail
+to start, and wouldn't convert the config either.
+
+Using "slapd -Tt" fixes the issue but also prints a warning from
+slaptest since the database hasn't been initialized yet.
+
+Dynamic config isn't actually used in this test script, so let's just
+run slapd off the config file directly.
+---
+ tests/scripts/test077-sasl-gssapi | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+index 19f665622..20c414600 100755
+--- a/tests/scripts/test077-sasl-gssapi
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -21,22 +21,15 @@ if test $WITH_SASL = no ; then
+         exit 0
+ fi
+ 
+-SLAPTEST="$TESTWD/../servers/slapd/slaptest"
+-CONFDIR=$TESTDIR/slapd.d
+-
+ mkdir -p $TESTDIR $DBDIR1 $CONFDIR
+ cp -r $DATADIR/tls $TESTDIR
+ 
+-cd $TESTWD
+-
+-
+ echo "Starting KDC for SASL/GSSAPI tests..."
+ . $SRCDIR/scripts/setup_kdc.sh
+ 
+ echo "Running slapadd to build slapd database..."
+ . $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
+-$SLAPTEST -f $CONF1 -F $CONFDIR
+-$SLAPADD -F $CONFDIR -l $LDIFORDERED
++$SLAPADD -f $CONF1 -l $LDIFORDERED
+ RC=$?
+ if test $RC != 0 ; then
+ 	echo "slapadd failed ($RC)!"
+@@ -45,7 +38,7 @@ if test $RC != 0 ; then
+ fi
+ 
+ echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+-$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+ PID=$!
+ if test $WAIT != 0 ; then
+     echo PID $PID
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch

@@ -0,0 +1,220 @@
+NOTE: The patch has been adjusted to match the base code before backporting.
+
+From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 10 Sep 2013 04:26:51 -0700
+Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT
+
+retrieve peer cert for an active TLS session
+---
+ doc/man/man3/ldap_get_option.3 |  8 ++++++++
+ include/ldap.h                 |  1 +
+ libraries/libldap/ldap-tls.h   |  2 ++
+ libraries/libldap/tls2.c       | 23 +++++++++++++++++++++++
+ libraries/libldap/tls_g.c      | 19 +++++++++++++++++++
+ libraries/libldap/tls_m.c      | 17 +++++++++++++++++
+ libraries/libldap/tls_o.c      | 16 ++++++++++++++++
+ 7 files changed, 86 insertions(+)
+
+diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
+index e67de75e9..1bb55d357 100644
+--- a/doc/man/man3/ldap_get_option.3
++++ b/doc/man/man3/ldap_get_option.3
+@@ -732,6 +732,14 @@ A non-zero value pointed to by
+ .BR invalue
+ tells the library to create a context for a server.
+ .TP
++.B LDAP_OPT_X_TLS_PEERCERT
++Gets the peer's certificate in DER format from an established TLS session.
++.BR outvalue
++must be
++.BR "struct berval *" ,
++and the data it returns needs to be freed by the caller using
++.BR ldap_memfree (3).
++.TP
+ .B LDAP_OPT_X_TLS_PROTOCOL_MIN
+ Sets/gets the minimum protocol version.
+ .BR invalue
+diff --git a/include/ldap.h b/include/ldap.h
+index 4de3f7f32..97ca524d7 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -161,6 +161,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_CRLFILE		0x6010	/* GNUtls only */
+ #define LDAP_OPT_X_TLS_PACKAGE		0x6011
+ #define LDAP_OPT_X_TLS_ECNAME		0x6012
++#define LDAP_OPT_X_TLS_PEERCERT		0x6015	/* read-only */
+ 
+ #define LDAP_OPT_X_TLS_NEVER	0
+ #define LDAP_OPT_X_TLS_HARD		1
+diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
+index 548814d7f..890d20dc7 100644
+--- a/libraries/libldap/ldap-tls.h
++++ b/libraries/libldap/ldap-tls.h
+@@ -43,6 +43,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
+ typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
+ typedef int (TI_session_strength)(tls_session *sess);
+ typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
++typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
+ 
+ typedef void (TI_thr_init)(void);
+ 
+@@ -69,6 +70,7 @@ typedef struct tls_impl {
+	TI_session_chkhost *ti_session_chkhost;
+	TI_session_strength *ti_session_strength;
+ 	TI_session_unique *ti_session_unique;
++	TI_session_peercert *ti_session_peercert;
+ 
+ 	Sockbuf_IO *ti_sbio;
+ 
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 05fce3218..cbf73bdd5 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -718,6 +718,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
+ 	case LDAP_OPT_X_TLS_CONNECT_ARG:
+ 		*(void **)arg = lo->ldo_tls_connect_arg;
+ 		break;
++	case LDAP_OPT_X_TLS_PEERCERT: {
++		void *sess = NULL;
++		struct berval *bv = arg;
++		bv->bv_len = 0;
++		bv->bv_val = NULL;
++		if ( ld != NULL ) {
++			LDAPConn *conn = ld->ld_defconn;
++			if ( conn != NULL ) {
++				Sockbuf *sb = conn->lconn_sb;
++				sess = ldap_pvt_tls_sb_ctx( sb );
++				if ( sess != NULL )
++					return ldap_pvt_tls_get_peercert( sess, bv );
++			}
++		}
++		break;
++	}
++
+ 	default:
+ 		return -1;
+ 	}
+@@ -1050,6 +1066,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
+ 	tls_session *session = s;
+ 	return tls_imp->ti_session_unique( session, buf, is_server );
+ }
++
++int
++ldap_pvt_tls_get_peercert( void *s, struct berval *der )
++{
++	tls_session *session = s;
++	return tls_imp->ti_session_peercert( session, der );
++}
+ #endif /* HAVE_TLS */
+ 
+ int
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index ce422387c..739680439 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -830,6 +830,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
+ 	return 0;
+ }
+ 
++static int
++tlsg_session_peercert( tls_session *sess, struct berval *der )
++{
++	tlsg_session *s = (tlsg_session *)sess;
++	const gnutls_datum_t *peer_cert_list;
++	unsigned int list_size;
++
++	peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
++	if (!peer_cert_list)
++		return -1;
++	der->bv_len = peer_cert_list[0].size;
++	der->bv_val = LDAP_MALLOC( der->bv_len );
++	if (!der->bv_val)
++		return -1;
++	memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
++	return 0;
++}
++
+ /* suites is a string of colon-separated cipher suite names. */
+ static int
+ tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
+@@ -1166,6 +1184,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlsg_session_chkhost,
+ 	tlsg_session_strength,
+ 	tlsg_session_unique,
++	tlsg_session_peercert,
+ 
+ 	&tlsg_sbio,
+ 
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 4bd9e63cb..36dc989ef 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -2891,6 +2891,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
+ 	return 0;
+ }
+ 
++static int
++tlsm_session_peercert( tls_session *sess, struct berval *der )
++{
++	tlsm_session *s = (tlsm_session *)sess;
++	CERTCertificate *cert;
++	cert = SSL_PeerCertificate( s );
++	if (!cert)
++		return -1;
++	der->bv_len = cert->derCert.len;
++	der->bv_val = LDAP_MALLOC( der->bv_len );
++	if (!der->bv_val)
++		return -1;
++	memcpy( der->bv_val, cert->derCert.data, der->bv_len );
++	return 0;
++}
++
+ /*
+  * TLS support for LBER Sockbufs
+  */
+@@ -3322,6 +3338,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlsm_session_chkhost,
+ 	tlsm_session_strength,
+ 	tlsm_session_unique,
++	tlsm_session_peercert,
+ 
+ 	&tlsm_sbio,
+ 
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 6288456d3..1fa50392f 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -721,6 +721,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
+ 	return buf->bv_len;
+ }
+ 
++static int
++tlso_session_peercert( tls_session *sess, struct berval *der )
++{
++	tlso_session *s = (tlso_session *)sess;
++	unsigned char *ptr;
++	X509 *x = SSL_get_peer_certificate(s);
++	der->bv_len = i2d_X509(x, NULL);
++	der->bv_val = LDAP_MALLOC(der->bv_len);
++	if ( !der->bv_val )
++		return -1;
++	ptr = der->bv_val;
++	i2d_X509(x, &ptr);
++	return 0;
++}
++
+ /*
+  * TLS support for LBER Sockbufs
+  */
+@@ -1229,6 +1244,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlso_session_chkhost,
+ 	tlso_session_strength,
+ 	tlso_session_unique,
++	tlso_session_peercert,
+ 
+ 	&tlso_sbio,
+ 
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch

@@ -0,0 +1,70 @@
+From 465b1c5972eef1d4e60eb98ae3776d33e270853d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <okuznik@symas.com>
+Date: Fri, 15 Jun 2018 15:12:28 +0100
+Subject: [PATCH] ITS#8573 Add missing URI variables for tests
+
+---
+ tests/scripts/conf.sh    | 18 ++++++++++++++++++
+ tests/scripts/defines.sh |  7 +++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
+index fe5e60509..02629f190 100755
+--- a/tests/scripts/conf.sh
++++ b/tests/scripts/conf.sh
+@@ -75,6 +75,24 @@ sed -e "s/@BACKEND@/${BACKEND}/"			\
+ 	-e "s;@PORT4@;${PORT4};"			\
+ 	-e "s;@PORT5@;${PORT5};"			\
+ 	-e "s;@PORT6@;${PORT6};"			\
++	-e "s;@SURI1@;${SURI1};"			\
++	-e "s;@SURI2@;${SURI2};"			\
++	-e "s;@SURI3@;${SURI3};"			\
++	-e "s;@SURI4@;${SURI4};"			\
++	-e "s;@SURI5@;${SURI5};"			\
++	-e "s;@SURI6@;${SURI6};"			\
++	-e "s;@URIP1@;${URIP1};"			\
++	-e "s;@URIP2@;${URIP2};"			\
++	-e "s;@URIP3@;${URIP3};"			\
++	-e "s;@URIP4@;${URIP4};"			\
++	-e "s;@URIP5@;${URIP5};"			\
++	-e "s;@URIP6@;${URIP6};"			\
++	-e "s;@SURIP1@;${SURIP1};"			\
++	-e "s;@SURIP2@;${SURIP2};"			\
++	-e "s;@SURIP3@;${SURIP3};"			\
++	-e "s;@SURIP4@;${SURIP4};"			\
++	-e "s;@SURIP5@;${SURIP5};"			\
++	-e "s;@SURIP6@;${SURIP6};"			\
+ 	-e "s/@SASL_MECH@/${SASL_MECH}/"		\
+ 	-e "s;@TESTDIR@;${TESTDIR};"			\
+ 	-e "s;@TESTWD@;${TESTWD};"			\
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index 2c9e8f76a..9816034f9 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -223,16 +223,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/"
+ URI3="ldap://${LOCALHOST}:$PORT3/"
+ URIP3="ldap://${LOCALIP}:$PORT3/"
+ URI4="ldap://${LOCALHOST}:$PORT4/"
++URIP4="ldap://${LOCALIP}:$PORT4/"
+ URI5="ldap://${LOCALHOST}:$PORT5/"
++URIP5="ldap://${LOCALIP}:$PORT5/"
+ URI6="ldap://${LOCALHOST}:$PORT6/"
++URIP6="ldap://${LOCALIP}:$PORT6/"
+ SURI1="ldaps://${LOCALHOST}:$PORT1/"
+ SURIP1="ldaps://${LOCALIP}:$PORT1/"
+ SURI2="ldaps://${LOCALHOST}:$PORT2/"
+ SURIP2="ldaps://${LOCALIP}:$PORT2/"
+ SURI3="ldaps://${LOCALHOST}:$PORT3/"
++SURIP3="ldaps://${LOCALIP}:$PORT3/"
+ SURI4="ldaps://${LOCALHOST}:$PORT4/"
++SURIP4="ldaps://${LOCALIP}:$PORT4/"
+ SURI5="ldaps://${LOCALHOST}:$PORT5/"
++SURIP5="ldaps://${LOCALIP}:$PORT5/"
+ SURI6="ldaps://${LOCALHOST}:$PORT6/"
++SURIP6="ldaps://${LOCALIP}:$PORT6/"
+ 
+ # LDIF
+ LDIF=$DATADIR/test.ldif
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch

@@ -0,0 +1,582 @@
+NOTE: The patch has been adjusted to match the base code before backporting.
+
+From 8a259e3df16def3f05828f355e98a5089cd6e6d0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
+Date: Thu, 14 Jun 2018 16:14:15 +0100
+Subject: [PATCH] ITS#8573 allow all libldap options in tools -o option
+
+---
+ clients/tools/common.c     |  15 ++-
+ doc/devel/args             |   2 +-
+ doc/man/man1/ldapcompare.1 |   9 +-
+ doc/man/man1/ldapdelete.1  |   9 +-
+ doc/man/man1/ldapexop.1    |   9 +-
+ doc/man/man1/ldapmodify.1  |   9 +-
+ doc/man/man1/ldapmodrdn.1  |   9 +-
+ doc/man/man1/ldappasswd.1  |   9 +-
+ doc/man/man1/ldapsearch.1  |   9 +-
+ doc/man/man1/ldapwhoami.1  |  13 ++-
+ doc/man/man8/slapcat.8     |   2 +-
+ include/ldap_pvt.h         |   5 +
+ libraries/libldap/init.c   | 231 ++++++++++++++++++++++---------------
+ servers/slapd/slapcommon.c |   5 +-
+ 14 files changed, 200 insertions(+), 136 deletions(-)
+
+diff --git a/clients/tools/common.c b/clients/tools/common.c
+index 1cd8a2c1b..b1edffdaf 100644
+--- a/clients/tools/common.c
++++ b/clients/tools/common.c
+@@ -374,9 +374,9 @@ N_("  -I         use SASL Interactive mode\n"),
+ N_("  -n         show what would be done but don't actually do it\n"),
+ N_("  -N         do not use reverse DNS to canonicalize SASL host name\n"),
+ N_("  -O props   SASL security properties\n"),
+-N_("  -o <opt>[=<optparam>] general options\n"),
++N_("  -o <opt>[=<optparam>] any libldap ldap.conf options, plus\n"),
++N_("             ldif_wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
+ N_("             nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
+-N_("             ldif-wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
+ N_("  -p port    port on LDAP server\n"),
+ N_("  -Q         use SASL Quiet mode\n"),
+ N_("  -R realm   SASL realm\n"),
+@@ -838,6 +838,11 @@ tool_args( int argc, char **argv )
+ 			if ( (cvalue = strchr( control, '=' )) != NULL ) {
+ 				*cvalue++ = '\0';
+ 			}
++			for ( next=control; *next; next++ ) {
++				if ( *next == '-' ) {
++					*next = '_';
++				}
++			}
+ 
+ 			if ( strcasecmp( control, "nettimeout" ) == 0 ) {
+ 				if( nettimeout.tv_sec != -1 ) {
+@@ -867,7 +872,7 @@ tool_args( int argc, char **argv )
+ 	 				exit( EXIT_FAILURE );
+  				}
+ 
+-			} else if ( strcasecmp( control, "ldif-wrap" ) == 0 ) {
++			} else if ( strcasecmp( control, "ldif_wrap" ) == 0 ) {
+ 				if ( cvalue == 0 ) {
+ 					ldif_wrap = LDIF_LINE_WIDTH;
+ 
+@@ -878,13 +883,13 @@ tool_args( int argc, char **argv )
+ 					unsigned int u;
+ 					if ( lutil_atou( &u, cvalue ) ) {
+ 						fprintf( stderr,
+-							_("Unable to parse ldif-wrap=\"%s\"\n"), cvalue );
++							_("Unable to parse ldif_wrap=\"%s\"\n"), cvalue );
+ 		 				exit( EXIT_FAILURE );
+ 					}
+ 					ldif_wrap = (ber_len_t)u;
+ 				}
+ 
+-			} else {
++			} else if ( ldap_pvt_conf_option( control, cvalue, 1 ) ) {
+ 				fprintf( stderr, "Invalid general option name: %s\n",
+ 					control );
+ 				usage();
+diff --git a/doc/devel/args b/doc/devel/args
+index 9796fe528..c5aa02f11 100644
+--- a/doc/devel/args
++++ b/doc/devel/args
+@@ -28,7 +28,7 @@ ldapwhoami       * DE**HI**  NO QR  UVWXYZ   def*h*** *nop*    vwxy
+ 	-h host
+ 	-n no-op
+ 	-N no (SASLprep) normalization of simple bind password
+-	-o general options (currently nettimeout and ldif-wrap only)
++	-o general libldap options (plus ldif_wrap and nettimeout for backwards comp.)
+ 	-p port
+ 	-v verbose
+ 	-V version
+diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
+index 9e66cd4b2..a0e58d7c3 100644
+--- a/doc/man/man1/ldapcompare.1
++++ b/doc/man/man1/ldapcompare.1
+@@ -186,13 +186,14 @@ Compare extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
+index 394d35275..85dbf4360 100644
+--- a/doc/man/man1/ldapdelete.1
++++ b/doc/man/man1/ldapdelete.1
+@@ -192,13 +192,14 @@ Delete extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
+index 503d681ca..26e1730a8 100644
+--- a/doc/man/man1/ldapexop.1
++++ b/doc/man/man1/ldapexop.1
+@@ -189,13 +189,14 @@ Specify general extensions.  \'!\' indicates criticality.
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 2792d460b..6c277d89c 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -255,13 +255,14 @@ Modify extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
+index 5d0f3fcd9..b24e500fe 100644
+--- a/doc/man/man1/ldapmodrdn.1
++++ b/doc/man/man1/ldapmodrdn.1
+@@ -186,13 +186,14 @@ Modrdn extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
+index 36857ab8f..a2805e57b 100644
+--- a/doc/man/man1/ldappasswd.1
++++ b/doc/man/man1/ldappasswd.1
+@@ -188,13 +188,14 @@ Passwd Modify extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
+index 036ce6245..1914eafbf 100644
+--- a/doc/man/man1/ldapsearch.1
++++ b/doc/man/man1/ldapsearch.1
+@@ -332,13 +332,14 @@ Search extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
+index 5912af5ba..2c8cfded2 100644
+--- a/doc/man/man1/ldapwhoami.1
++++ b/doc/man/man1/ldapwhoami.1
+@@ -143,13 +143,18 @@ WhoAmI extensions:
+ .TP
+ .BI \-o \ opt \fR[= optparam \fR]
+ 
+-Specify general options.
+-
+-General options:
++Specify any
++.BR ldap.conf (5)
++option or one of the following:
+ .nf
+   nettimeout=<timeout>  (in seconds, or "none" or "max")
+-  ldif-wrap=<width>     (in columns, or "no" for no wrapping)
++  ldif_wrap=<width>     (in columns, or "no" for no wrapping)
+ .fi
++
++.B -o
++option that can be passed here, check
++.BR ldap.conf (5)
++for details.
+ .TP
+ .BI \-O \ security-properties
+ Specify SASL security properties.
+diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8
+index 57c41deff..2085e9176 100644
+--- a/doc/man/man8/slapcat.8
++++ b/doc/man/man8/slapcat.8
+@@ -149,7 +149,7 @@ Possible generic options/values are:
+               syslog\-level=<level> (see `\-S' in slapd(8))
+               syslog\-user=<user>   (see `\-l' in slapd(8))
+ 
+-              ldif-wrap={no|<n>}
++              ldif_wrap={no|<n>}
+ 
+ .in
+ \fIn\fP is the number of columns allowed for the LDIF output
+diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
+index 31f37277c..e86b032cb 100644
+--- a/include/ldap_pvt.h
++++ b/include/ldap_pvt.h
+@@ -326,6 +326,11 @@ struct ldifrecord;
+ LDAP_F ( int ) ldap_pvt_discard LDAP_P((
+ 	struct ldap *ld, ber_int_t msgid ));
+ 
++/* init.c */
++LDAP_F( int )
++ldap_pvt_conf_option LDAP_P((
++	char *cmd, char *opt, int userconf ));
++
+ /* messages.c */
+ LDAP_F( BerElement * )
+ ldap_get_message_ber LDAP_P((
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 548d2c1cb..4a7e81bdb 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -147,6 +147,141 @@ static const struct ol_attribute {
+ #define MAX_LDAP_ATTR_LEN  sizeof("GSSAPI_ALLOW_REMOTE_PRINCIPAL")
+ #define MAX_LDAP_ENV_PREFIX_LEN 8
+ 
++static int
++ldap_int_conf_option(
++	struct ldapoptions *gopts,
++	char *cmd, char *opt, int userconf )
++{
++	int i;
++
++	for(i=0; attrs[i].type != ATTR_NONE; i++) {
++		void *p;
++
++		if( !userconf && attrs[i].useronly ) {
++			continue;
++		}
++
++		if(strcasecmp(cmd, attrs[i].name) != 0) {
++			continue;
++		}
++
++		switch(attrs[i].type) {
++		case ATTR_BOOL:
++			if((strcasecmp(opt, "on") == 0)
++				|| (strcasecmp(opt, "yes") == 0)
++				|| (strcasecmp(opt, "true") == 0))
++			{
++				LDAP_BOOL_SET(gopts, attrs[i].offset);
++
++			} else {
++				LDAP_BOOL_CLR(gopts, attrs[i].offset);
++			}
++
++			break;
++
++		case ATTR_INT: {
++			char *next;
++			long l;
++			p = &((char *) gopts)[attrs[i].offset];
++			l = strtol( opt, &next, 10 );
++			if ( next != opt && next[ 0 ] == '\0' ) {
++				* (int*) p = l;
++			}
++			} break;
++
++		case ATTR_KV: {
++				const struct ol_keyvalue *kv;
++
++				for(kv = attrs[i].data;
++					kv->key != NULL;
++					kv++) {
++
++					if(strcasecmp(opt, kv->key) == 0) {
++						p = &((char *) gopts)[attrs[i].offset];
++						* (int*) p = kv->value;
++						break;
++					}
++				}
++			} break;
++
++		case ATTR_STRING:
++			p = &((char *) gopts)[attrs[i].offset];
++			if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
++			* (char**) p = LDAP_STRDUP(opt);
++			break;
++		case ATTR_OPTION:
++			ldap_set_option( NULL, attrs[i].offset, opt );
++			break;
++		case ATTR_SASL:
++#ifdef HAVE_CYRUS_SASL
++			ldap_int_sasl_config( gopts, attrs[i].offset, opt );
++#endif
++			break;
++		case ATTR_GSSAPI:
++#ifdef HAVE_GSSAPI
++			ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
++#endif
++			break;
++		case ATTR_TLS:
++#ifdef HAVE_TLS
++			ldap_int_tls_config( NULL, attrs[i].offset, opt );
++#endif
++			break;
++		case ATTR_OPT_TV: {
++			struct timeval tv;
++			char *next;
++			tv.tv_usec = 0;
++			tv.tv_sec = strtol( opt, &next, 10 );
++			if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
++				(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
++			}
++			} break;
++		case ATTR_OPT_INT: {
++			long l;
++			char *next;
++			l = strtol( opt, &next, 10 );
++			if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
++				int v = (int)l;
++				(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
++			}
++			} break;
++		}
++
++		break;
++	}
++
++	if ( attrs[i].type == ATTR_NONE ) {
++		Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_config: "
++				"unknown option '%s'",
++				cmd, 0, 0 );
++		return 1;
++	}
++
++	return 0;
++}
++
++int
++ldap_pvt_conf_option(
++	char *cmd, char *opt, int userconf )
++{
++	struct ldapoptions *gopts;
++	int rc = LDAP_OPT_ERROR;
++
++	/* Get pointer to global option structure */
++	gopts = LDAP_INT_GLOBAL_OPT();
++	if (NULL == gopts) {
++		return LDAP_NO_MEMORY;
++	}
++
++	if ( gopts->ldo_valid != LDAP_INITIALIZED ) {
++		ldap_int_initialize(gopts, NULL);
++		if ( gopts->ldo_valid != LDAP_INITIALIZED )
++			return LDAP_LOCAL_ERROR;
++	}
++
++	return ldap_int_conf_option( gopts, cmd, opt, userconf );
++}
++
+ static void openldap_ldap_init_w_conf(
+ 	const char *file, int userconf )
+ {
+@@ -212,101 +347,7 @@ static void openldap_ldap_init_w_conf(
+ 		while(isspace((unsigned char)*start)) start++;
+ 		opt = start;
+ 
+-		for(i=0; attrs[i].type != ATTR_NONE; i++) {
+-			void *p;
+-
+-			if( !userconf && attrs[i].useronly ) {
+-				continue;
+-			}
+-
+-			if(strcasecmp(cmd, attrs[i].name) != 0) {
+-				continue;
+-			}
+-
+-			switch(attrs[i].type) {
+-			case ATTR_BOOL:
+-				if((strcasecmp(opt, "on") == 0) 
+-					|| (strcasecmp(opt, "yes") == 0)
+-					|| (strcasecmp(opt, "true") == 0))
+-				{
+-					LDAP_BOOL_SET(gopts, attrs[i].offset);
+-
+-				} else {
+-					LDAP_BOOL_CLR(gopts, attrs[i].offset);
+-				}
+-
+-				break;
+-
+-			case ATTR_INT: {
+-				char *next;
+-				long l;
+-				p = &((char *) gopts)[attrs[i].offset];
+-				l = strtol( opt, &next, 10 );
+-				if ( next != opt && next[ 0 ] == '\0' ) {
+-					* (int*) p = l;
+-				}
+-				} break;
+-
+-			case ATTR_KV: {
+-					const struct ol_keyvalue *kv;
+-
+-					for(kv = attrs[i].data;
+-						kv->key != NULL;
+-						kv++) {
+-
+-						if(strcasecmp(opt, kv->key) == 0) {
+-							p = &((char *) gopts)[attrs[i].offset];
+-							* (int*) p = kv->value;
+-							break;
+-						}
+-					}
+-				} break;
+-
+-			case ATTR_STRING:
+-				p = &((char *) gopts)[attrs[i].offset];
+-				if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
+-				* (char**) p = LDAP_STRDUP(opt);
+-				break;
+-			case ATTR_OPTION:
+-				ldap_set_option( NULL, attrs[i].offset, opt );
+-				break;
+-			case ATTR_SASL:
+-#ifdef HAVE_CYRUS_SASL
+-			   	ldap_int_sasl_config( gopts, attrs[i].offset, opt );
+-#endif
+-				break;
+-			case ATTR_GSSAPI:
+-#ifdef HAVE_GSSAPI
+-				ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
+-#endif
+-				break;
+-			case ATTR_TLS:
+-#ifdef HAVE_TLS
+-			   	ldap_int_tls_config( NULL, attrs[i].offset, opt );
+-#endif
+-				break;
+-			case ATTR_OPT_TV: {
+-				struct timeval tv;
+-				char *next;
+-				tv.tv_usec = 0;
+-				tv.tv_sec = strtol( opt, &next, 10 );
+-				if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
+-					(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
+-				}
+-				} break;
+-			case ATTR_OPT_INT: {
+-				long l;
+-				char *next;
+-				l = strtol( opt, &next, 10 );
+-				if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
+-					int v = (int)l;
+-					(void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
+-				}
+-				} break;
+-			}
+-
+-			break;
+-		}
++		ldap_int_conf_option( gopts, cmd, opt, userconf );
+ 	}
+ 
+ 	fclose(fp);
+diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
+index 87ea0ea06..39384e5e9 100644
+--- a/servers/slapd/slapcommon.c
++++ b/servers/slapd/slapcommon.c
+@@ -228,7 +228,8 @@ parse_slapopt( int tool, int *mode )
+ 			break;
+ 		}
+ 
+-	} else if ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) {
++	} else if ( ( strncasecmp( optarg, "ldif_wrap", len ) == 0 ) ||
++			( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) ) {
+ 		switch ( tool ) {
+ 		case SLAPCAT:
+ 			if ( strcasecmp( p, "no" ) == 0 ) {
+@@ -237,7 +238,7 @@ parse_slapopt( int tool, int *mode )
+ 			} else {
+ 				unsigned int u;
+ 				if ( lutil_atou( &u, p ) ) {
+-					Debug( LDAP_DEBUG_ANY, "unable to parse ldif-wrap=\"%s\".\n", p, 0, 0 );
++					Debug( LDAP_DEBUG_ANY, "unable to parse ldif_wrap=\"%s\".\n", p, 0, 0 );
+ 					return -1;
+ 				}
+ 				ldif_wrap = (ber_len_t)u;
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch

@@ -0,0 +1,631 @@
+NOTE: The patch has been adjusted to match the base code before backporting.
+
+From 3cd50fa8b32a21040a9892e2a8a7a9dfc7541ce6 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 Apr 2020 16:10:48 +0300
+Subject: [PATCH] ITS#9189 rework sasl-cbinding support
+
+Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use,
+defaults to "none".
+
+Add "tls-endpoint" binding type implementing "tls-server-end-point" from
+RCF 5929, which is compatible with Windows.
+
+Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.
+---
+ doc/man/man3/ldap_get_option.3 |  16 +++++
+ doc/man/man5/ldap.conf.5       |   3 +
+ doc/man/man5/slapd-config.5    |   4 ++
+ doc/man/man5/slapd.conf.5      |   3 +
+ include/ldap.h                 |   5 ++
+ include/ldap_pvt.h             |   5 ++
+ libraries/libldap/cyrus.c      | 103 ++++++++++++++++++++++++++++-----
+ libraries/libldap/init.c       |   1 +
+ libraries/libldap/ldap-int.h   |   1 +
+ libraries/libldap/ldap-tls.h   |   2 +
+ libraries/libldap/tls2.c       |   7 +++
+ libraries/libldap/tls_g.c      |  59 +++++++++++++++++++
+ libraries/libldap/tls_o.c      |  45 ++++++++++++++
+ servers/slapd/bconfig.c        |  11 +++-
+ servers/slapd/config.c         |   1 +
+ servers/slapd/connection.c     |   9 +--
+ servers/slapd/proto-slap.h     |   4 +-
+ servers/slapd/sasl.c           |  27 ++++++---
+ 18 files changed, 274 insertions(+), 32 deletions(-)
+
+diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
+index 4f03a01a3..fd1b3c91c 100644
+--- a/doc/man/man3/ldap_get_option.3
++++ b/doc/man/man3/ldap_get_option.3
+@@ -563,6 +563,22 @@ must be a
+ .BR "char **" .
+ Its content needs to be freed by the caller using
+ .BR ldap_memfree (3).
++.B LDAP_OPT_X_SASL_CBINDING
++Sets/gets the channel-binding type to use in SASL,
++one of
++.BR LDAP_OPT_X_SASL_CBINDING_NONE
++(the default),
++.BR LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE
++the "tls-unique" type from RCF 5929.
++.BR LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT
++the "tls-server-end-point" from RCF 5929, compatible with Windows.
++.BR invalue
++must be
++.BR "const int *" ;
++.BR outvalue
++must be
++.BR "int *" .
++.TP
+ .SH TCP OPTIONS
+ The TCP options are OpenLDAP specific.
+ Mainly intended for use with Linux, they may not be portable.
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 65ad40c1b..4974f8340 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -286,6 +286,9 @@ size allowed.  0 disables security layers.  The default is 65536.
+ .TP
+ .B SASL_NOCANON <on/true/yes/off/false/no>
+ Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off.
++.TP
++.B SASL_CBINDING <none/tls-unique/tls-endpoint>
++The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none.
+ .SH GSSAPI OPTIONS
+ If OpenLDAP is built with Generic Security Services Application Programming Interface support,
+ there are more options you can specify.
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index 18518a186..dc0ab769f 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -720,6 +720,10 @@ Used to specify the fully qualified domain name used for SASL processing.
+ .B olcSaslRealm: <realm>
+ Specify SASL realm.  Default is empty.
+ .TP
++.B olcSaslCbinding: none | tls-unique | tls-endpoint
++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
++Default is none.
++.TP
+ .B olcSaslSecProps: <properties>
+ Used to specify Cyrus SASL security properties.
+ The
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index f2094b7fd..73a151a70 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -914,6 +914,9 @@ The
+ property specifies the maximum security layer receive buffer
+ size allowed.  0 disables security layers.  The default is 65536.
+ .TP
++.B sasl\-cbinding none | tls-unique | tls-endpoint
++Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
++.TP
+ .B schemadn <dn>
+ Specify the distinguished name for the subschema subentry that
+ controls the entries on this server.  The default is "cn=Subschema".
+diff --git a/include/ldap.h b/include/ldap.h
+index 7b4fc9d64..9d5679ae8 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -186,6 +186,10 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1		((3 << 8) + 2)
+ #define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2		((3 << 8) + 3)
+ 
++#define LDAP_OPT_X_SASL_CBINDING_NONE		0
++#define LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE	1
++#define LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT	2
++
+ /* OpenLDAP SASL options */
+ #define LDAP_OPT_X_SASL_MECH			0x6100
+ #define LDAP_OPT_X_SASL_REALM			0x6101
+@@ -201,6 +205,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_SASL_NOCANON			0x610b
+ #define LDAP_OPT_X_SASL_USERNAME		0x610c /* read-only */
+ #define LDAP_OPT_X_SASL_GSS_CREDS		0x610d
++#define LDAP_OPT_X_SASL_CBINDING		0x610e
+ 
+ /* OpenLDAP GSSAPI options */
+ #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT      0x6200
+diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
+index 783d280a5..01220d00a 100644
+--- a/include/ldap_pvt.h
++++ b/include/ldap_pvt.h
+@@ -262,6 +262,10 @@ LDAP_F (void *) ldap_pvt_sasl_mutex_new LDAP_P((void));
+ LDAP_F (int) ldap_pvt_sasl_mutex_lock LDAP_P((void *mutex));
+ LDAP_F (int) ldap_pvt_sasl_mutex_unlock LDAP_P((void *mutex));
+ LDAP_F (void) ldap_pvt_sasl_mutex_dispose LDAP_P((void *mutex));
++
++LDAP_F (int) ldap_pvt_sasl_cbinding_parse LDAP_P(( const char *arg ));
++LDAP_F (void *) ldap_pvt_sasl_cbinding LDAP_P(( void *ssl, int type,
++					        int is_server ));
+ #endif /* HAVE_CYRUS_SASL */
+ 
+ struct sockbuf; /* avoid pulling in <lber.h> */
+@@ -438,6 +442,7 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
+ 	LDAPDN_rewrite_dummy *func, unsigned flags ));
+ LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
+ LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
++LDAP_F (int) ldap_pvt_tls_get_endpoint LDAP_P(( void *ctx, struct berval *buf, int is_server ));
+ 
+ LDAP_END_DECL
+ 
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index beb1cf4a0..4d4d5b3e3 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -372,6 +372,65 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
+ 	return LDAP_SUCCESS;
+ }
+ 
++int ldap_pvt_sasl_cbinding_parse( const char *arg )
++{
++	int i = -1;
++
++	if ( strcasecmp(arg, "none") == 0 )
++		i = LDAP_OPT_X_SASL_CBINDING_NONE;
++	else if ( strcasecmp(arg, "tls-unique") == 0 )
++		i = LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE;
++	else if ( strcasecmp(arg, "tls-endpoint") == 0 )
++		i = LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT;
++
++	return i;
++}
++
++void *ldap_pvt_sasl_cbinding( void *ssl, int type, int is_server )
++{
++#if defined(SASL_CHANNEL_BINDING) && defined(HAVE_TLS)
++	char unique_prefix[] = "tls-unique:";
++	char endpoint_prefix[] = "tls-server-end-point:";
++	char cbinding[ 64 ];
++	struct berval cbv = { 64, cbinding };
++	void *cb_data; /* used since cb->data is const* */
++	sasl_channel_binding_t *cb;
++	char *prefix;
++	int plen;
++
++	switch (type) {
++	case LDAP_OPT_X_SASL_CBINDING_NONE:
++		return NULL;
++	case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
++		if ( !ldap_pvt_tls_get_unique( ssl, &cbv, is_server ))
++			return NULL;
++		prefix = unique_prefix;
++		plen = sizeof(unique_prefix) -1;
++		break;
++	case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
++		if ( !ldap_pvt_tls_get_endpoint( ssl, &cbv, is_server ))
++			return NULL;
++		prefix = endpoint_prefix;
++		plen = sizeof(endpoint_prefix) -1;
++		break;
++	default:
++		return NULL;
++	}
++
++	cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len );
++	cb->len = plen + cbv.bv_len;
++	cb->data = cb_data = cb+1;
++	memcpy( cb_data, prefix, plen );
++	memcpy( cb_data + plen, cbv.bv_val, cbv.bv_len );
++	cb->name = "ldap";
++	cb->critical = 0;
++
++	return cb;
++#else
++	return NULL;
++#endif
++}
++
+ int
+ ldap_int_sasl_bind(
+ 	LDAP			*ld,
+@@ -497,17 +556,12 @@ ldap_int_sasl_bind(
+ 			(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
+ 			LDAP_FREE( authid.bv_val );
+ #ifdef SASL_CHANNEL_BINDING	/* 2.1.25+ */
+-			{
+-				char cbinding[64];
+-				struct berval cbv = { sizeof(cbinding), cbinding };
+-				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
+-					sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
+-						cbv.bv_len);
+-					cb->name = "ldap";
+-					cb->critical = 0;
+-					cb->data = (char *)(cb+1);
+-					cb->len = cbv.bv_len;
+-					memcpy( cb->data, cbv.bv_val, cbv.bv_len );
++			if ( ld->ld_defconn->lconn_sasl_cbind == NULL ) {
++				void *cb;
++				cb = ldap_pvt_sasl_cbinding( ssl,
++							     ld->ld_options.ldo_sasl_cbinding,
++							     0 );
++				if ( cb != NULL ) {
+ 					sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
+ 						SASL_CHANNEL_BINDING, cb );
+ 					ld->ld_defconn->lconn_sasl_cbind = cb;
+@@ -931,12 +983,20 @@ int ldap_pvt_sasl_secprops(
+ int
+ ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg )
+ {
+-	int rc;
++	int rc, i;
+ 
+ 	switch( option ) {
+ 	case LDAP_OPT_X_SASL_SECPROPS:
+ 		rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops );
+ 		if( rc == LDAP_SUCCESS ) return 0;
++		break;
++	case LDAP_OPT_X_SASL_CBINDING:
++		i = ldap_pvt_sasl_cbinding_parse( arg );
++		if ( i >= 0 ) {
++			lo->ldo_sasl_cbinding = i;
++			return 0;
++		}
++		break;
+ 	}
+ 
+ 	return -1;
+@@ -1042,6 +1102,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
+ 			/* this option is write only */
+ 			return -1;
+ 
++		case LDAP_OPT_X_SASL_CBINDING:
++			*(int *)arg = ld->ld_options.ldo_sasl_cbinding;
++			break;
++
+ #ifdef SASL_GSS_CREDS
+ 		case LDAP_OPT_X_SASL_GSS_CREDS: {
+ 			sasl_conn_t *ctx;
+@@ -1143,6 +1207,17 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
+ 		return sc == LDAP_SUCCESS ? 0 : -1;
+ 		}
+ 
++	case LDAP_OPT_X_SASL_CBINDING:
++		if ( !arg ) return -1;
++		switch( *(int *) arg ) {
++		case LDAP_OPT_X_SASL_CBINDING_NONE:
++		case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
++		case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
++			ld->ld_options.ldo_sasl_cbinding = *(int *) arg;
++			return 0;
++		}
++		return -1;
++
+ #ifdef SASL_GSS_CREDS
+ 	case LDAP_OPT_X_SASL_GSS_CREDS: {
+ 		sasl_conn_t *ctx;
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 3468ee249..dfe1ea9da 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -110,6 +110,7 @@ static const struct ol_attribute {
+ 		offsetof(struct ldapoptions, ldo_def_sasl_authzid)},
+ 	{0, ATTR_SASL,		"SASL_SECPROPS",	NULL,	LDAP_OPT_X_SASL_SECPROPS},
+ 	{0, ATTR_BOOL,		"SASL_NOCANON",	NULL,	LDAP_BOOL_SASL_NOCANON},
++	{0, ATTR_SASL,		"SASL_CBINDING",	NULL,	LDAP_OPT_X_SASL_CBINDING},
+ #endif
+ 
+ #ifdef HAVE_GSSAPI
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 67e8bd6da..c6c6891a9 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -300,6 +300,7 @@ struct ldapoptions {
+ 
+ 	/* SASL Security Properties */
+ 	struct sasl_security_properties	ldo_sasl_secprops;
++	int ldo_sasl_cbinding;
+ #define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
+ #else
+ #define LDAP_LDO_SASL_NULLARG
+diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
+index efd51aaa2..9f01ddda1 100644
+--- a/libraries/libldap/ldap-tls.h
++++ b/libraries/libldap/ldap-tls.h
+@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
+ typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
+ typedef int (TI_session_strength)(tls_session *sess);
+ typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
++typedef int (TI_session_endpoint)(tls_session *sess, struct berval *buf, int is_server);
+ typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
+
+ typedef void (TI_thr_init)(void);
+@@ -69,6 +70,7 @@ typedef struct tls_impl {
+ 	TI_session_chkhost *ti_session_chkhost;
+ 	TI_session_strength *ti_session_strength;
+ 	TI_session_unique *ti_session_unique;
++	TI_session_endpoint *ti_session_endpoint;
+ 	TI_session_peercert *ti_session_peercert;
+ 
+ 	Sockbuf_IO *ti_sbio;
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 79a651a38..72827a1a3 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -1200,6 +1200,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
+ 	return tls_imp->ti_session_unique( session, buf, is_server );
+ }
+ 
++int
++ldap_pvt_tls_get_endpoint( void *s, struct berval *buf, int is_server )
++{
++	tls_session *session = s;
++	return tls_imp->ti_session_endpoint( session, buf, is_server );
++}
++
+ int
+ ldap_pvt_tls_get_peercert( void *s, struct berval *der )
+ {
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index 956a9ec90..ef0f44e20 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -729,6 +729,64 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
+ 	return 0;
+ }
+ 
++static int
++tlsg_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
++{
++	tlsg_session *s = (tlsg_session *)sess;
++	const gnutls_datum_t *cert_data;
++	gnutls_x509_crt_t server_cert;
++	gnutls_digest_algorithm_t md;
++	int sign_algo, md_len, rc;
++
++	if ( is_server )
++		cert_data = gnutls_certificate_get_ours( s->session );
++	else
++		cert_data = gnutls_certificate_get_peers( s->session, NULL );
++
++	if ( cert_data == NULL )
++		return 0;
++
++	rc = gnutls_x509_crt_init( &server_cert );
++	if ( rc != GNUTLS_E_SUCCESS )
++		return 0;
++
++	rc = gnutls_x509_crt_import( server_cert, cert_data, GNUTLS_X509_FMT_DER );
++	if ( rc != GNUTLS_E_SUCCESS ) {
++		gnutls_x509_crt_deinit( server_cert );
++		return 0;
++	}
++
++	sign_algo = gnutls_x509_crt_get_signature_algorithm( server_cert );
++	gnutls_x509_crt_deinit( server_cert );
++	if ( sign_algo <= GNUTLS_SIGN_UNKNOWN )
++		return 0;
++
++	md = gnutls_sign_get_hash_algorithm( sign_algo );
++	if ( md == GNUTLS_DIG_UNKNOWN )
++		return 0;
++
++	/* See RFC 5929 */
++	switch (md) {
++	case GNUTLS_DIG_NULL:
++	case GNUTLS_DIG_MD2:
++	case GNUTLS_DIG_MD5:
++	case GNUTLS_DIG_SHA1:
++		md = GNUTLS_DIG_SHA256;
++	}
++
++	md_len = gnutls_hash_get_len( md );
++	if ( md_len == 0 || md_len > buf->bv_len )
++		return 0;
++
++	rc = gnutls_hash_fast( md, cert_data->data, cert_data->size, buf->bv_val );
++	if ( rc != GNUTLS_E_SUCCESS )
++		return 0;
++
++	buf->bv_len = md_len;
++
++	return md_len;
++}
++
+ static int
+ tlsg_session_peercert( tls_session *sess, struct berval *der )
+ {
+@@ -1117,6 +1175,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlsg_session_chkhost,
+ 	tlsg_session_strength,
+ 	tlsg_session_unique,
++	tlsg_session_endpoint,
+ 	tlsg_session_peercert,
+ 
+ 	&tlsg_sbio,
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index cf97d7632..aa855d77a 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -858,6 +858,50 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
+ 	return buf->bv_len;
+ }
+ 
++static int
++tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
++{
++	tlso_session *s = (tlso_session *)sess;
++	const EVP_MD *md;
++	unsigned int md_len;
++	X509 *cert;
++
++	if ( buf->bv_len < EVP_MAX_MD_SIZE )
++		return 0;
++
++	if ( is_server )
++		cert = SSL_get_certificate( s );
++	else
++		cert = SSL_get_peer_certificate( s );
++
++	if ( cert == NULL )
++		return 0;
++
++#if OPENSSL_VERSION_NUMBER >= 0x10100000
++	md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
++#else
++	md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
++#endif
++
++	/* See RFC 5929 */
++	if ( md == NULL ||
++	     md == EVP_md_null() ||
++#ifndef OPENSSL_NO_MD2
++	     md == EVP_md2() ||
++#endif
++	     md == EVP_md4() ||
++	     md == EVP_md5() ||
++	     md == EVP_sha1() )
++		md = EVP_sha256();
++
++	if ( !X509_digest( cert, md, buf->bv_val, &md_len ))
++		return 0;
++
++	buf->bv_len = md_len;
++
++	return md_len;
++}
++
+ static int
+ tlso_session_peercert( tls_session *sess, struct berval *der )
+ {
+@@ -1474,6 +1518,7 @@ tls_impl ldap_int_tls_impl = {
+ 	tlso_session_chkhost,
+ 	tlso_session_strength,
+ 	tlso_session_unique,
++	tlso_session_endpoint,
+ 	tlso_session_peercert,
+ 
+ 	&tlso_sbio,
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 6069ee203..4c90715be 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -630,6 +630,15 @@ static ConfigTable config_back_cf_table[] = {
+ #endif
+ 		"( OLcfgGlAt:89 NAME 'olcSaslAuxprops' "
+ 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
++	{ "sasl-cbinding", NULL, 2, 2, 0,
++#ifdef HAVE_CYRUS_SASL
++		ARG_STRING, &sasl_cbinding,
++#else
++		ARG_IGNORED, NULL,
++#endif
++		"( OLcfgGlAt:100 NAME 'olcSaslCBinding' "
++			"EQUALITY caseIgnoreMatch "
++			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ 	{ "sasl-host", "host", 2, 2, 0,
+ #ifdef HAVE_CYRUS_SASL
+ 		ARG_STRING|ARG_UNIQUE, &sasl_host,
+@@ -948,7 +957,7 @@ static ConfigOCs cf_ocs[] = {
+ 		 "olcPluginLogFile $ olcReadOnly $ olcReferral $ "
+ 		 "olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "
+ 		 "olcRootDSE $ "
+-		 "olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
++		 "olcSaslAuxprops $ olcSaslCBinding $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
+ 		 "olcSecurity $ olcServerID $ olcSizeLimit $ "
+ 		 "olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ "
+ 		 "olcTCPBuffer $ "
+diff --git a/servers/slapd/config.c b/servers/slapd/config.c
+index 060d3410f..3d713d4fb 100644
+--- a/servers/slapd/config.c
++++ b/servers/slapd/config.c
+@@ -73,6 +73,7 @@ char	*global_host = NULL;
+ struct berval global_host_bv = BER_BVNULL;
+ char	*global_realm = NULL;
+ char	*sasl_host = NULL;
++char	*sasl_cbinding = NULL;
+ char		**default_passwd_hash = NULL;
+ struct berval default_search_base = BER_BVNULL;
+ struct berval default_search_nbase = BER_BVNULL;
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index 5f11a0cf1..6d9bb8e85 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -1440,12 +1440,9 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
+ 			    c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
+ 			slap_sasl_external( c, c->c_tls_ssf, &authid );
+ 			if ( authid.bv_val ) free( authid.bv_val );
+-			{
+-				char cbinding[64];
+-				struct berval cbv = { sizeof(cbinding), cbinding };
+-				if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
+-					slap_sasl_cbinding( c, &cbv );
+-			}
++
++			slap_sasl_cbinding( c, ssl );
++
+ 		} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
+ 			LBER_SB_OPT_NEEDS_WRITE, NULL )) {	/* need to retry */
+ 			slapd_set_write( s, 1 );
+diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
+index b89fa836a..0790a8004 100644
+--- a/servers/slapd/proto-slap.h
++++ b/servers/slapd/proto-slap.h
+@@ -1681,8 +1681,7 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
+ 	slap_ssf_t ssf,	/* relative strength of external security */
+ 	struct berval *authid );	/* asserted authenication id */
+ 
+-LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
+-	struct berval *cbv );
++LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, void *ssl );
+ 
+ LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
+ LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
+@@ -2072,6 +2071,7 @@ LDAP_SLAPD_V (char *)	global_host;
+ LDAP_SLAPD_V (struct berval)	global_host_bv;
+ LDAP_SLAPD_V (char *)	global_realm;
+ LDAP_SLAPD_V (char *)	sasl_host;
++LDAP_SLAPD_V (char *)	sasl_cbinding;
+ LDAP_SLAPD_V (char *)	slap_sasl_auxprops;
+ LDAP_SLAPD_V (char **)	default_passwd_hash;
+ LDAP_SLAPD_V (int)		lber_debug;
+diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
+index fc023904a..5cced358c 100644
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1320,6 +1320,8 @@ int slap_sasl_destroy( void )
+ #endif
+ 	free( sasl_host );
+ 	sasl_host = NULL;
++	free( sasl_cbinding );
++	sasl_cbinding = NULL;
+ 
+ 	return 0;
+ }
+@@ -1506,17 +1508,24 @@ int slap_sasl_external(
+ 	return LDAP_SUCCESS;
+ }
+ 
+-int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
++int slap_sasl_cbinding( Connection *conn, void *ssl )
+ {
+ #ifdef SASL_CHANNEL_BINDING
+-	sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
+-	cb->name = "ldap";
+-	cb->critical = 0;
+-	cb->data = (char *)(cb+1);
+-	cb->len = cbv->bv_len;
+-	memcpy( cb->data, cbv->bv_val, cbv->bv_len );
+-	sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
+-	conn->c_sasl_cbind = cb;
++	void *cb;
++	int i;
++
++	if ( sasl_cbinding == NULL )
++		return LDAP_SUCCESS;
++
++	i = ldap_pvt_sasl_cbinding_parse( sasl_cbinding );
++	if ( i < 0 )
++		return LDAP_SUCCESS;
++
++	cb = ldap_pvt_sasl_cbinding( ssl, i, 1 );
++	if ( cb != NULL ) {
++		sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
++		conn->c_sasl_cbind = cb;
++	}
+ #endif
+ 	return LDAP_SUCCESS;
+ }
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch

@@ -0,0 +1,190 @@
+From 7b0017ad49a2290ec26cbcdffded8a527799e981 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Sat, 18 Apr 2020 16:30:03 +0200
+Subject: [PATCH] ITS#9189 add channel-bindings tests
+
+---
+ tests/data/slapd-sasl-gssapi.conf       |  3 +
+ tests/scripts/setup_kdc.sh              |  8 +++
+ tests/scripts/test068-sasl-tls-external | 22 +++++++
+ tests/scripts/test077-sasl-gssapi       | 83 ++++++++++++++++++++++++-
+ 4 files changed, 113 insertions(+), 3 deletions(-)
+
+diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
+index 611fc7097..29ab6040b 100644
+--- a/tests/data/slapd-sasl-gssapi.conf
++++ b/tests/data/slapd-sasl-gssapi.conf
+@@ -63,3 +63,6 @@ rootpw          secret
+ 
+ sasl-realm	@KRB5REALM@
+ sasl-host	localhost
++
++database	config
++rootpw		secret
+diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
+index 1cb784075..98bcd9f96 100755
+--- a/tests/scripts/setup_kdc.sh
++++ b/tests/scripts/setup_kdc.sh
+@@ -142,3 +142,11 @@ if test $RC != 0 ; then
+ 		exit 0
+ 	fi
+ fi
++
++HAVE_SASL_GSS_CBIND=no
++
++grep CHANNEL_BINDING $TESTDIR/plugin_out > /dev/null 2>&1
++RC=$?
++if test $RC = 0 ; then
++	HAVE_SASL_GSS_CBIND=yes
++fi
+diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
+index f647b1012..0b91aa197 100755
+--- a/tests/scripts/test068-sasl-tls-external
++++ b/tests/scripts/test068-sasl-tls-external
+@@ -88,6 +88,28 @@ else
+ 	echo "success"
+ fi
+ 
++# Exercise channel-bindings code in builds without SASL support
++for cb in "none" "tls-unique" "tls-endpoint" ; do
++
++	echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
++
++	$LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt     \
++	-o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt           \
++	-o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key          \
++	-o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1      \
++	> $TESTOUT 2>&1
++
++	RC=$?
++	if test $RC != 0 ; then
++		echo "ldapwhoami failed ($RC)!"
++		test $KILLSERVERS != no && kill -HUP $PID
++		exit $RC
++	else
++		echo "success"
++	fi
++done
++
++
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ 
+ if test $RC != 0 ; then
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+index 64abe16fe..19f665622 100755
+--- a/tests/scripts/test077-sasl-gssapi
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -21,7 +21,10 @@ if test $WITH_SASL = no ; then
+         exit 0
+ fi
+ 
+-mkdir -p $TESTDIR $DBDIR1
++SLAPTEST="$TESTWD/../servers/slapd/slaptest"
++CONFDIR=$TESTDIR/slapd.d
++
++mkdir -p $TESTDIR $DBDIR1 $CONFDIR
+ cp -r $DATADIR/tls $TESTDIR
+ 
+ cd $TESTWD
+@@ -32,7 +35,8 @@ echo "Starting KDC for SASL/GSSAPI tests..."
+ 
+ echo "Running slapadd to build slapd database..."
+ . $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
+-$SLAPADD -f $CONF1 -l $LDIFORDERED
++$SLAPTEST -f $CONF1 -F $CONFDIR
++$SLAPADD -F $CONFDIR -l $LDIFORDERED
+ RC=$?
+ if test $RC != 0 ; then
+ 	echo "slapadd failed ($RC)!"
+@@ -41,7 +45,7 @@ if test $RC != 0 ; then
+ fi
+ 
+ echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+ PID=$!
+ if test $WAIT != 0 ; then
+     echo PID $PID
+@@ -144,6 +148,79 @@ else
+ 	fi
+ fi
+ 
++if test $WITH_TLS = no ; then
++        echo "TLS support not available, skipping channe-binding test"
++elif test $HAVE_SASL_GSS_CBIND = no ; then
++        echo "SASL has no channel-binding support in GSSAPI, test skipped"
++else
++	echo "Testing SASL/GSSAPI with SASL_CBINDING..."
++
++	for acb in "none" "tls-unique" "tls-endpoint" ; do
++
++		echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
++		$LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
++dn: cn=config
++changetype: modify
++replace: olcSaslCBinding
++olcSaslCBinding: ${acb}
++EOF
++		RC=$?
++		if test $RC != 0 ; then
++			echo "ldapmodify failed ($RC)!"
++			kill $KDCPROC
++			test $KILLSERVERS != no && kill -HUP $KILLPIDS
++			exit $RC
++		fi
++
++		for icb in "none" "tls-unique" "tls-endpoint" ; do
++
++			# The gnutls implemantation of "tls-unique" seems broken
++			if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
++				if test $WITH_TLS_TYPE == gnutls  ; then
++					continue
++				fi
++			fi
++
++			fail="no"
++			if test $icb != $acb -a $acb != "none" ; then
++				# This currently fails in MIT, but it is planned to be
++				# fixed not to fail like in heimdal - avoid testing.
++				if test $icb = "none" ; then
++					continue
++				fi
++				# Otherwise unmatching bindings are expected to fail.
++				fail="yes"
++			fi
++
++			echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
++			echo -ne "(client: ${icb},\tserver: ${acb}): "
++
++			$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow	\
++			-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
++			-o SASL_CBINDING=$icb > $TESTOUT 2>&1
++
++			RC=$?
++			if test $RC != 0 ; then
++				if test $fail = "no" ; then
++					echo "test failed ($RC)!"
++					kill $KDCPROC
++					test $KILLSERVERS != no && kill -HUP $KILLPIDS
++					exit $RC
++				fi
++			elif test $fail = "yes" ; then
++				echo "failed: command succeeded unexpectedly."
++				kill $KDCPROC
++				test $KILLSERVERS != no && kill -HUP $KILLPIDS
++				exit 1
++			fi
++
++			echo "success"
++			RC=0
++		done
++	done
++fi
++
++
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ 
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch

@@ -0,0 +1,27 @@
+From 4cac398b19c21ad56949ef7e67e285c6c8e7ecea Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Thu, 23 Apr 2020 22:47:32 +0200
+Subject: [PATCH] ITS#9189 - initialize ldo_sasl_cbinding in
+ LDAP_LDO_SASL_NULLARG
+
+Reported-by: Ryan Tandy @ryan
+---
+ libraries/libldap/ldap-int.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index c6c6891a9..336448115 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -301,7 +301,7 @@ struct ldapoptions {
+ 	/* SASL Security Properties */
+ 	struct sasl_security_properties	ldo_sasl_secprops;
+ 	int ldo_sasl_cbinding;
+-#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
++#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0},0
+ #else
+ #define LDAP_LDO_SASL_NULLARG
+ #endif
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-Make-prototypes-available-where-needed.patch

@@ -0,0 +1,64 @@
+NOTE: The patch has been adjusted to match the base code before backporting.
+
+From cd914149a665167b2c5ae16baa0c438824588819 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
+Date: Tue, 19 Feb 2019 10:26:39 +0000
+Subject: [PATCH] Make prototypes available where needed
+
+---
+ libraries/libldap/tls2.c   | 3 +++
+ servers/slapd/config.c     | 1 +
+ servers/slapd/proto-slap.h | 4 ++++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index 1a96b62c3..869de2eb5 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -76,6 +76,9 @@ static oid_name oids[] = {
+ 
+ #ifdef HAVE_TLS
+ 
++LDAP_F(int) ldap_pvt_tls_check_hostname LDAP_P(( LDAP *ld, void *s, const char *name_in ));
++LDAP_F(int) ldap_pvt_tls_get_peercert LDAP_P(( void *s, struct berval *der ));
++
+ void
+ ldap_pvt_tls_ctx_free ( void *c )
+ {
+diff --git a/servers/slapd/config.c b/servers/slapd/config.c
+index 778365fd0..2816455a3 100644
+--- a/servers/slapd/config.c
++++ b/servers/slapd/config.c
+@@ -48,6 +48,7 @@
+ #endif
+ #include "lutil.h"
+ #include "lutil_ldap.h"
++#include "ldif.h"
+ #include "config.h"
+ 
+ #ifdef _WIN32
+diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
+index 4bfdcf930..e33e3b7d9 100644
+--- a/servers/slapd/proto-slap.h
++++ b/servers/slapd/proto-slap.h
+@@ -755,6 +755,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
+ LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
+ 	slap_bindconf *bc, LDAP *ld ));
+ LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
++LDAP_SLAPD_F (void) slap_client_keepalive LDAP_P(( LDAP *ld, slap_keepalive *sk ));
+ LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb ));
+ LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
+ 	const char *fname, int lineno, int argc, char **argv ));
+@@ -1683,6 +1684,9 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
+ 	slap_ssf_t ssf,	/* relative strength of external security */
+ 	struct berval *authid );	/* asserted authenication id */
+ 
++LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
++	struct berval *cbv );
++
+ LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
+ LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
+ 
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-Update-keys-to-RSA-4096.patch

@@ -0,0 +1,526 @@
+From 3ab98b2fc98843289c1833891518fb3b5b42dcd8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
+Date: Tue, 30 Oct 2018 15:42:35 +0000
+Subject: [PATCH] Update keys to RSA 4096
+
+---
+ tests/data/tls/ca/certs/testsuiteCA.crt       | 133 ++++++++++++++++--
+ tests/data/tls/ca/private/testsuiteCA.key     |  64 +++++++--
+ .../tls/certs/bjensen@mailgw.example.com.crt  |  44 ++++--
+ tests/data/tls/certs/localhost.crt            |  44 ++++--
+ tests/data/tls/conf/openssl.cnf               |   2 +-
+ tests/data/tls/create-crt.sh                  |   9 +-
+ .../private/bjensen@mailgw.example.com.key    |  64 +++++++--
+ tests/data/tls/private/localhost.key          |  64 +++++++--
+ 8 files changed, 336 insertions(+), 88 deletions(-)
+
+diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt
+index 7458e7461..62c88acca 100644
+--- a/tests/data/tls/ca/certs/testsuiteCA.crt
++++ b/tests/data/tls/ca/certs/testsuiteCA.crt
+@@ -1,16 +1,121 @@
++Certificate:
++    Data:
++        Version: 3 (0x2)
++        Serial Number:
++            0b:43:f8:e9:ee:d3:38:37:92:db:19:65:d9:94:17:cc:70:45:d4:06
++        Signature Algorithm: sha256WithRSAEncryption
++        Issuer: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
++        Validity
++            Not Before: Oct 30 15:29:02 2018 GMT
++            Not After : Nov 13 15:29:02 2519 GMT
++        Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
++        Subject Public Key Info:
++            Public Key Algorithm: rsaEncryption
++                RSA Public-Key: (4096 bit)
++                Modulus:
++                    00:be:e0:ff:36:89:65:c0:4e:46:e6:24:e8:3d:81:
++                    97:92:28:4b:11:c6:21:ac:28:14:31:b2:a3:64:24:
++                    62:61:24:bd:76:7b:9e:7c:3a:50:65:fa:97:f3:c5:
++                    9d:49:cc:61:3a:31:6f:0d:a4:d8:70:57:73:c8:c6:
++                    66:06:d0:59:3f:24:3b:56:5d:70:20:e4:51:2b:88:
++                    5e:f4:78:82:bc:55:b5:d5:5b:f6:e5:55:1f:3a:af:
++                    59:9f:b7:5d:72:70:fe:b6:a4:dd:4e:f9:d0:38:e8:
++                    15:14:c7:45:ed:5e:d3:4c:ee:02:34:3a:37:d8:75:
++                    f1:49:0d:f6:8a:7b:8c:87:39:c9:fb:f2:3a:96:57:
++                    cd:7c:18:a7:bb:35:de:d3:c4:79:57:20:48:07:b9:
++                    65:f6:bd:7b:01:5c:99:8a:92:35:7c:b7:e3:96:1c:
++                    6f:4c:47:42:c1:77:d6:62:49:0e:be:01:8f:c9:f4:
++                    64:68:4c:b0:ec:10:12:d0:0e:5f:67:0e:e8:a4:bd:
++                    df:9c:fb:5b:04:6f:3c:2a:35:1b:5a:ca:98:ba:f3:
++                    61:f4:3a:77:28:be:a3:63:f1:d6:94:0d:fb:a0:87:
++                    e3:a5:9f:56:b6:a6:6a:90:13:80:2a:2e:ae:fe:af:
++                    aa:e3:e7:d8:3b:2b:a3:52:4f:73:2d:12:aa:e2:a3:
++                    0c:aa:fb:11:40:86:68:de:be:2b:9b:36:19:9c:d7:
++                    d7:5e:13:21:c9:b3:34:6d:09:53:ff:a3:2e:92:f4:
++                    33:80:de:7a:47:1c:47:57:68:53:2a:db:73:6e:6d:
++                    fa:40:df:55:25:a1:fc:87:c4:86:ef:6e:16:ec:f8:
++                    48:35:f5:96:b3:55:ce:56:a9:6e:c1:8c:ea:32:85:
++                    26:ea:af:0c:92:24:05:e2:49:12:b7:07:8f:06:96:
++                    be:13:fa:ec:49:f7:d4:49:6f:b9:c7:6c:79:53:39:
++                    a3:89:c4:4a:92:66:b0:f3:0c:72:6d:50:3c:63:1f:
++                    f3:76:63:a8:aa:b7:fd:db:ef:98:b4:5b:49:b6:84:
++                    66:e5:fc:60:0b:c1:f7:b0:f7:84:68:7e:71:5d:ac:
++                    fc:a9:cb:f6:02:fc:86:d3:a7:c3:42:ef:ba:f4:1a:
++                    27:71:5d:22:f5:53:e1:a6:f4:a5:dc:31:38:45:0b:
++                    a1:6d:ab:9c:05:2e:87:8c:31:02:99:80:6d:3f:66:
++                    e8:8a:d7:64:4f:08:7e:2f:f0:1f:28:ff:85:57:22:
++                    ee:6a:a7:05:72:f8:cf:5d:07:c6:73:23:82:85:82:
++                    76:4e:36:8a:ec:ea:f1:53:1e:e0:77:d1:4a:9f:df:
++                    ec:87:91:0a:56:40:b7:23:19:fa:60:14:d0:f0:32:
++                    4d:11:39
++                Exponent: 65537 (0x10001)
++        X509v3 extensions:
++            X509v3 Subject Key Identifier: 
++                90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
++            X509v3 Authority Key Identifier: 
++                keyid:90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
++
++            X509v3 Basic Constraints: critical
++                CA:TRUE
++    Signature Algorithm: sha256WithRSAEncryption
++         0f:7f:a0:c5:3c:ac:dc:ed:8f:56:3e:64:89:e6:87:d0:ca:a5:
++         37:b8:0e:49:aa:93:d3:e5:ac:ff:54:24:91:07:1b:9c:dc:08:
++         e6:cc:15:53:be:85:4c:51:52:d3:88:d0:d8:c7:b7:98:40:41:
++         8a:a7:7a:4c:96:85:61:8c:98:76:f6:a3:2c:10:31:a1:d8:e6:
++         a7:4c:ec:c3:29:ad:04:8b:e3:f2:2d:4c:30:0d:a4:bc:c8:93:
++         d2:9b:88:1d:a4:25:eb:ff:9f:f2:d9:c5:3b:bf:51:91:71:06:
++         92:35:96:5c:ca:6d:d6:86:47:63:07:7f:37:35:53:68:e9:4e:
++         d0:d0:25:42:18:e0:00:9e:ca:f5:bd:b7:94:ee:99:51:44:3a:
++         0c:44:40:e3:87:e6:ce:6c:2b:3f:c1:01:6c:5c:32:d5:59:b5:
++         bd:25:a3:1a:ff:85:a5:89:9c:d8:24:4b:fa:59:99:5a:64:ab:
++         a1:d8:0f:c0:19:28:84:1e:89:c2:a1:15:4e:0f:7e:1f:bf:f8:
++         92:df:9f:1c:d5:4a:98:40:82:ee:41:1f:de:f7:25:11:fd:76:
++         0a:cf:37:40:bc:c2:2d:6a:ea:4a:0c:6d:b0:e6:75:37:b5:63:
++         a8:a1:c5:81:d0:84:c0:f3:e0:c3:5c:c4:9f:ec:3b:9f:8a:74:
++         ce:f0:cc:e3:e9:15:08:a0:ea:3e:a9:8e:bc:9a:01:00:96:fe:
++         37:6f:61:b5:2c:4b:1f:5d:d7:24:09:fe:bf:f4:77:47:e4:ee:
++         7c:ea:6b:67:84:ee:56:4f:5f:b9:b8:e4:db:70:e1:4a:b3:94:
++         4d:dd:52:45:05:4d:79:d4:7c:8b:9d:9b:6a:0b:73:9e:f3:0e:
++         d5:d5:46:da:b4:fb:4a:ea:5b:ab:8e:42:68:0e:96:cd:8a:6e:
++         35:a8:e6:1b:6a:ed:a8:9e:3c:cc:3b:44:54:b8:2d:ba:c7:83:
++         91:7c:70:40:0c:14:b8:21:7a:12:ac:8c:96:4c:94:a6:ee:fe:
++         cc:77:34:8e:e3:c3:c0:44:19:51:85:07:6c:d8:d1:2e:69:8d:
++         b1:0e:42:fb:e6:16:65:86:c6:e3:2f:a7:3f:b4:8e:4f:1c:83:
++         c4:0a:ae:a0:d9:17:fd:cf:a2:38:a1:9f:70:dc:5c:df:3c:07:
++         7b:64:01:ff:35:8c:45:43:e8:fa:a4:f6:c4:71:78:17:6e:6a:
++         7f:d1:6e:66:c6:89:33:3b:28:4a:76:bf:ca:29:05:51:07:98:
++         ce:63:62:25:61:7f:5e:c6:91:23:02:13:15:4f:fd:24:58:9d:
++         2d:ac:eb:cb:9a:c2:82:2f:50:5c:5a:16:bb:8c:bf:4d:66:2c:
++         6f:1c:c4:a9:28:e1:3d:4d
+ -----BEGIN CERTIFICATE-----
+-MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
+-BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv
+-bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0
+-NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
+-MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB
+-UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd
+-rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb
+-lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL
+-6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU
+-7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB
+-SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/
+-wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws
+-ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q
+-aL52EFPS0o3tiAJXS82U2wrQdJ0YEw==
++MIIFjzCCA3egAwIBAgIUC0P46e7TODeS2xll2ZQXzHBF1AYwDQYJKoZIhvcNAQEL
++BQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRwwGgYDVQQKDBNPcGVuTERB
++UCBGb3VuZGF0aW9uMRwwGgYDVQQLDBNPcGVuTERBUCBUZXN0IFN1aXRlMCAXDTE4
++MTAzMDE1MjkwMloYDzI1MTkxMTEzMTUyOTAyWjBWMQswCQYDVQQGEwJVUzELMAkG
++A1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNVBAsM
++E09wZW5MREFQIFRlc3QgU3VpdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
++AoICAQC+4P82iWXATkbmJOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfz
++xZ1JzGE6MW8NpNhwV3PIxmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mf
++t11ycP62pN1O+dA46BUUx0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7
++Nd7TxHlXIEgHuWX2vXsBXJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQ
++Dl9nDuikvd+c+1sEbzwqNRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4Aq
++Lq7+r6rj59g7K6NST3MtEqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S
++9DOA3npHHEdXaFMq23NubfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbq
++rwySJAXiSRK3B48Glr4T+uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iq
++t/3b75i0W0m2hGbl/GALwfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm
++9KXcMThFC6Ftq5wFLoeMMQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8Zz
++I4KFgnZONors6vFTHuB30Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABo1MwUTAd
++BgNVHQ4EFgQUkM9RHegI1Ew0cHFr0gsAaNn9YFAwHwYDVR0jBBgwFoAUkM9RHegI
++1Ew0cHFr0gsAaNn9YFAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
++AgEAD3+gxTys3O2PVj5kieaH0MqlN7gOSaqT0+Ws/1QkkQcbnNwI5swVU76FTFFS
++04jQ2Me3mEBBiqd6TJaFYYyYdvajLBAxodjmp0zswymtBIvj8i1MMA2kvMiT0puI
++HaQl6/+f8tnFO79RkXEGkjWWXMpt1oZHYwd/NzVTaOlO0NAlQhjgAJ7K9b23lO6Z
++UUQ6DERA44fmzmwrP8EBbFwy1Vm1vSWjGv+FpYmc2CRL+lmZWmSrodgPwBkohB6J
++wqEVTg9+H7/4kt+fHNVKmECC7kEf3vclEf12Cs83QLzCLWrqSgxtsOZ1N7VjqKHF
++gdCEwPPgw1zEn+w7n4p0zvDM4+kVCKDqPqmOvJoBAJb+N29htSxLH13XJAn+v/R3
++R+TufOprZ4TuVk9fubjk23DhSrOUTd1SRQVNedR8i52bagtznvMO1dVG2rT7Supb
++q45CaA6WzYpuNajmG2rtqJ48zDtEVLgtuseDkXxwQAwUuCF6EqyMlkyUpu7+zHc0
++juPDwEQZUYUHbNjRLmmNsQ5C++YWZYbG4y+nP7SOTxyDxAquoNkX/c+iOKGfcNxc
++3zwHe2QB/zWMRUPo+qT2xHF4F25qf9FuZsaJMzsoSna/yikFUQeYzmNiJWF/XsaR
++IwITFU/9JFidLazry5rCgi9QXFoWu4y/TWYsbxzEqSjhPU0=
+ -----END CERTIFICATE-----
+diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key
+index 2e14d7033..01a6614c1 100644
+--- a/tests/data/tls/ca/private/testsuiteCA.key
++++ b/tests/data/tls/ca/private/testsuiteCA.key
+@@ -1,16 +1,52 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ
+-WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc
+-338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/
+-dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg
+-O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf
+-7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn
+-rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f
+-wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk
+-AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l
+-vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9
+-27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X
+-KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N
+-I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL
+-+b2qljWeZbGH
++MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC+4P82iWXATkbm
++JOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfzxZ1JzGE6MW8NpNhwV3PI
++xmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mft11ycP62pN1O+dA46BUU
++x0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7Nd7TxHlXIEgHuWX2vXsB
++XJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQDl9nDuikvd+c+1sEbzwq
++NRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4AqLq7+r6rj59g7K6NST3Mt
++Eqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S9DOA3npHHEdXaFMq23Nu
++bfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbqrwySJAXiSRK3B48Glr4T
+++uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iqt/3b75i0W0m2hGbl/GAL
++wfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm9KXcMThFC6Ftq5wFLoeM
++MQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8ZzI4KFgnZONors6vFTHuB3
++0Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABAoICAQCVkIdpnE92V9+GBfVT/G9f
++vuLTkoRf+SeZqXgNx9SuebNbW5HblXXZ8nmOMZIFeXfVuVZjQn+1x1CaSZs4S5ki
++uKkmCyEJJN3VVo3Q0XzfRemsvNrA5+oIec2oMG2wdomfY59leqmFbZTXKy3HyT2Y
++Uga4FcYcfo4JyD8eU6DRdJ6oJC10EGiajFchghyPoqvRcSH/q24R4Ha5om1M/zOZ
++/hz+SlmLU2sjXVtGuCgtCdw5Sp5Ce5VF43JaRGjMwAnazEyjHPE8kEx8ZhCBG66B
++DqP6UrV736T3c0/Hww0fxFrENA4mIE/vhNgwNVQ5jDxDSC9ObesTW93Lu4za+Re6
++pmP1eeS/oe1OcI1d/xK2IIQwzB7ZkJ0StbFLnjs7DATO7BGzhC9egC6s+z9oSgTS
++KvmLyoiL5U4fesVJwcCPKwwkVH9n22TuqmvB5mmvZvRTe2+OgDH55Nkfx1SoI8+Q
++/fwV9UXIIg5en+Kv8lOaWCZujmMsjHC79bwxPLeaePRwD/RBkT1MLW/T4fWGpAt3
++H89+yufH31Y/1QMxVVtR9OdxCtljiXno/bArMNZ0oE1TiCcckMzdjKh7RNfkEXRM
++Pga92HBTgtJ3tfWJ4qOtJ4NKJPQ7wRmR03Bug8+bGM4K5HDO08fNuag/pP3AQvrM
++QGbHFVho3I7/DXnmRBq/gQKCAQEA75eptBtP8PWnN9uNsQoWxvFKQBtbLfPKUcVP
+++LWOWF4ag2YRRf6TIzvGfIk54OGSL/srWCDKjXWJ0NgUn6yiqOkoP4oxEE1m2QDY
++7oCk9vJipJcrtNCKL6NhKwZDOjlDSROb/hBeMgr14Da/WkPE6zQhuwN5y4Japbjs
++cBYTao2uOg4QQz5Aee+ee55L6iAgMT0PnlQtv1uVW3D46e02CrQKtRmtDxqT3Nux
++nudJdz+rMFM0EDgVKUYRwFCa6xjI4y2K1aCwCtJG9yTJpYqCD9hehfwEije6dNNg
++p5RX3M9ai710Yx4F26cwX/t8AxqgF/2XBI0ZWD6x69cp7suPTQKCAQEAy/NUEgXN
++nymq8NK+umZwFJU7cy3weozRuEkmgmCWj4XYhbvTw6MbK+2R9XKa3ilqSd2sU2lX
++qE66kfAgqZMJ9RB+7nDOaLAMUuGw1DrwFZE7r3mKXgc4NgjtmGav4E3URXPHj5zb
++JbbN95zl96Fm3Nevs5p8sb0KexgbzHe4UzJNYFgT0l+TjJbJUAiNPsEw1bnV4cxn
++b1HO2CWTeGtAOJyjMRNwI+40wnk2N6An+Ddvb2mj2h30HujSZHnL94RAqa7RHDb6
++lU+7JX/ll5G0mFQOFQAs4UPos2bg7hS1mfYO+UVrG4OH9gXns12158WqFED+lhmJ
++O8WDWEVAblVrnQKCAQAB9aOVrYOB3QB5HHqUMBjvl5mb3J1qSswkzxBQYGvBnUNq
++P7N0dxiM+TguXJD0neOsMMmx9tKxRXzTEHFavPa3mvCRVHgCQh/NNoyPps2yl1jn
++L7VTzUDUEuoAiBSUrVM3jcmA0nFyx1QreUcnXdaGde6wsN6WI4LKSDDm2cde37nF
++D8hiRGgSlzscl7bXO1wICw/No7KcFguqq8ndX+tJOx+7S3J25SjAbauOOSYIq6Si
++yItsdoj1xXTvtbkOoy1BbmXsSVwnOoEKFGrxx6g4qPRc9Cq1Vq9XtULdHAF79NYw
++vmPtS5mQqlVi85OYEuesSo6pot3KMvkRjLjzEwchAoIBACEvrvZfy12iwhX9tNtP
++39z5i3rqdr76OwXpoUKFxPoFpX3dWk/zMnCrb5yo0VplEs6CK5BHC+RvKxykHix5
++qJ0f2geig3O1ccvqvYNLM9XOlA+xjzpNom/odADgdK3i/C9w74AG3gH9BPbNqP3q
++XXqB/i0Tbkbdo97zxVI4CN5AySZsLo2Ez9WIk6laOuGDPhcI7iyXvhz3CtlRA/YM
++PZ74nfVWXGD8WclrP889WEOjgZZ3choD1b1R1SpUR0Q3WO5Da/NTXuL83k7zyMAp
++DWHcC46PQL5G9o56pw8Wf5ZV24nkKdGITY9S1qjxDrBwEYTKLqLt9M6tDPpICnvp
++mmECggEBALfnUgpdGugn46UmQUMI1y+NZbSKhJHG+OBWdcc1j4kDZhF/Ei7g8pvk
++hFU5p/YA6JbGioZxiqjdrYLvgTPnJVkxy7arLTN2j2GVlhUA74BY+kNzENk2Tj9c
++zJSMVZn+WZrXNQhfYyA3FyW3wGN67GBXAHPQxFTdU3G4mR1WcyJCxKIyzP+2M8o9
++16tpb80QRnc0OLm9Izppe7JUp2hCQt+O6E8izvLE8k2ldOr5ncTNWlxTJ0yx0hEO
++WTFqhwOM1pEmtxas1gLr8MX0hNsaQR+kjG2f8rPmH+GEZeeAwuhoJY1PcKAOYM5Y
++yu/1yFXYTrmhD/P0+nJn1DfS5JljCJY=
+ -----END PRIVATE KEY-----
+diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
+index 93e3a0d39..eb0fc693f 100644
+--- a/tests/data/tls/certs/bjensen@mailgw.example.com.crt
++++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
+@@ -1,16 +1,32 @@
+ -----BEGIN CERTIFICATE-----
+-MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
+-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
+-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
+-ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV
+-BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD
+-VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa
+-YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
+-MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg
+-QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU
+-U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL
+-MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn
+-wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f
+-7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo
+-4DnnYQBDnq48VORVX94=
++MIIFfDCCA2SgAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
++MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
++BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNzQwWhgPMjUxOTEx
++MTMxNTM3NDBaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNVBAoM
++E09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYDVQQD
++DBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYaYmpl
++bnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
++ggIKAoICAQCcHBkHcUSKG4s7nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA
++7qkZvMJR8ws2u8TQU/18FhH4+0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWg
++qPYe/K3bAtSRtF7wDxF77eb2Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38
++kpIB5WENCEy77QK9GEGAlMVIRXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nN
++LxTdLe1qbZyRgEqRKgW5WcWrW46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yIms
++CbzlSRLC1dfj++2mzCMxoc3xpZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvR
++X9uQOnXnazQvlRfsaHQjGUKyhMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzL
++twWkESVDU0tNg/czWLn56smV7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjI
++LQuEBssrV1h8WblruWRU31Mn+mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5ui
++cNcYTXCfa5ZpPL608f7cWuG2GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4
++yPXHATrCtYO1wqIyu9Yuirdg7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABow0w
++CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCq8VvpcoAgCK/D5yi/2puB
++LD7kYaVaSXxrUQBeLTmKERw3akpgW7QTGCNgM425VVaBQRPtv8YcX9OycUAylAA+
++7lzwdP95OJGnUOjQY4x4iRAwCPkpDCcnwc43c3WAyQb2S46aZJaWK4S0+RM3CmWH
++1Fzb6aODdnoBEKk0XgNrB6/teB+UWgtTSxWiY/HWiArDaZDPMAxqEK0hnB+b/sBD
++ZoBYnfnQXezylqbk9vkzTIbSVrv5ZZdQELOAnPuxUCFpYew1OGKcg+1twYKDHgBS
++s13zN03eMEnC/O4Z01dhu16vqdikdP+tJJrppjvZtJys0KIP24ltDnpA6h/3m/Cl
++U1eiTDgWO+SsfiL1K4gcTL1eLjnCBFfnHN5gfgAV5w5DaKzvKp7Qu8db4DtH+S4o
++W/MBKuaHHKWUPGksvFUiGNgE/XyDU4MK34/5ulzbrWmqb24pYAzm1MyjsdzmXObw
+++fzg6EDBB14cWA2hA7mSqnzkiW1pELVym6+uTaIlopSIFr8nNAimwLiY5QJNGYvd
++hgNNvOyUUO+nON3aHsC/rRMgar3eo7A9AkQJ6qKVvPR2h1317PJLuKaLfjbaCzNw
++iA3JSQjcwR2ydlSgKKN2d/XXm/G4PZ9tUcBY4Zngn0ViT0/m7MFy9qsiWG97+yaZ
++nYsN5WfwDZrtG24dTotxVQ==
+ -----END CERTIFICATE-----
+diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt
+index 194cb119d..3aeae3c16 100644
+--- a/tests/data/tls/certs/localhost.crt
++++ b/tests/data/tls/certs/localhost.crt
+@@ -1,16 +1,32 @@
+ -----BEGIN CERTIFICATE-----
+-MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
+-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
+-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
+-ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE
+-CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT
+-dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
+-iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4
+-7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv
+-8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ
+-BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A
+-AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG
+-8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl
+-0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR
+-GjeZB1FxqDGHjxBq2O828iejw28bSz4=
++MIIFhTCCA22gAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
++MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
++BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNjMwWhgPMjUxOTEx
++MTMxNTM2MzBaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwT
++T3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBTdWl0
++ZTESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
++CgKCAgEA6Ud89ugah2oWY00q1g+M6NkpluewwvGq4tkMau1gq+Q5Biv61bubgdSA
++Z+Zkkxe3Sx0Zv7i5wldIN4wXqEDlMg2qhfzKDSNKUofc0z7FLMb0Cn46WqlciUCY
++VetHhBghGd+6fxOOz+x98FhiiAif+AdiUWBTKFFohWXo/9aiGgm0ueJj2NS3Eyac
++xOKoTcDd9TMsOJ2fMH2MlquArLobCvuphOrVbqBoeeol2SzFDDOW8ryPDzFGy5xh
++ZHkm/3sGIoDpDkDR0yhvBzn47qdLI5myc6Fj96s7S2xgqiqGXJW0D0FCfpUQXxfm
++ahz/Jdwl+hqs5Eg/aA+LE/7lmS7szo3zwJQ53ApdcaupHi4fU60wPVrdo29wLwDO
++hDuS+Oc1os1UyJt0T0a+zB4PIP2rxifyxI1iWmZFt7tJyLv1k7yMN7CLCWzsSy5P
++BZpGmHV9Wbvb660N6NzlFDMqnjJWDAr1BLoV4ywmpiWPhy/7JtKXFe1V3jT5MvGM
++26IOC+zCwwZVyEIIASeWepZDuto00Lqo7jOKSlLRmuhTX1ELK8xYX6ZU/fz0FwYn
++bLu6bI4mRGfbJ12fWYm5QMje2QAuvndfi759HUeuLl6TgmeQFgqFA/6Kkwoz0Ncb
++Kaaj+ByvLXfI4S3lvkwT26nOAt966fb1bsdkb8P52NdkqeSMk5cCAwEAAaNIMEYw
++CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/
++AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4ICAQCGQCs10hwY
++t5o3AWjU8oT8HWnLDsEzIvI/Z2dvtsFSOFotH14d8a7CdCKNiry8BbQ82A4sG/Xw
++0aVdP1EscxGhpJuMHG4Ph9PZBm31ZW2VoRHOEs7/Moi6G/1yldVxWUH/qXO00Dw9
++cEsiUQdPrPQDoVBKYAMuV15RP9b3iPpw3GY1EkIu+akGVziHFmFYUoU2gctiGIZ6
++6KiqBFvCP1Yvm3RSZ5t/Kv/jPMetAnCq+9JAUAodAh2+goBvUCAN9Itr/tEs98jq
++9d14J7gzIRDdNHKOLrRFmoMrTaDZNtqBe5jiMf0O55tgjv4BqN4w11M51bjY4umd
++GX+OXoBJG+MK7AZyaHPjHa1NMoLDOUhTvHb4zPNkPiVb8r3lYkQ4VCtre+4qqrEn
++cEt9KWGpHkoz4GSKn6uidQebdi4waexcGttsHbKPaKZqzYXAJ2bjFZnv85zPtpjO
++qxzqrMUruiCU7EfjGAdZ8S0lwjdMihznLATjKuwQkJ2mVg2HbLgxZu578FHTBOHW
++LjVIr/80auF4Ino9ocHpIwL/E4jpYQWP/Uv4KBHwkAktmUOwqyt0iysRaWy4Gp7S
++keBI9FoGtJ1Mq5M2tVINBzt1ESC3t03KqyY+/9r/IeY7A7yukC0YJnJ+HorfuQFf
++0//7DOEA58bRswyWTLOAjYMJHilTKOozSQ==
+ -----END CERTIFICATE-----
+diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf
+index a3c8ad9f6..632cff11c 100644
+--- a/tests/data/tls/conf/openssl.cnf
++++ b/tests/data/tls/conf/openssl.cnf
+@@ -51,7 +51,7 @@ commonName              = supplied
+ emailAddress            = optional
+ 
+ [ req ]
+-default_bits            = 2048
++default_bits            = @KEY_BITS@
+ default_keyfile         = privkey.pem
+ distinguished_name      = req_distinguished_name
+ attributes              = req_attributes
+diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh
+index 8c33a24fe..739f8eaf1 100755
+--- a/tests/data/tls/create-crt.sh
++++ b/tests/data/tls/create-crt.sh
+@@ -5,6 +5,9 @@ if [ x"$openssl" = "x" ]; then
+ echo "OpenSSL command line binary not found, skipping..."
+ fi
+ 
++KEY_BITS=4096
++KEY_TYPE=rsa:$KEY_BITS
++
+ USAGE="$0 [-s] [-u <user@domain.com>]"
+ SERVER=0
+ USER=0
+@@ -45,13 +48,13 @@ echo "00" > cruft/serial
+ touch cruft/index.txt
+ touch cruft/index.txt.attr
+ hn=$(hostname -f)
+-sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf >  ./openssl.cnf
++sed -e "s;@HOSTNAME@;$hn;" -e "s;@KEY_BITS@;$KEY_BITS;" conf/openssl.cnf >  ./openssl.cnf
+ 
+ if [ $SERVER = 1 ]; then
+ 	rm -rf private/localhost.key certs/localhost.crt
+ 
+ 	$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \
+-		-newkey rsa:1024 -config ./openssl.cnf \
++		-newkey $KEY_TYPE -config ./openssl.cnf \
+ 		-subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \
+ 		-batch > /dev/null 2>&1
+ 
+@@ -66,7 +69,7 @@ if [ $USER = 1 ]; then
+ 	rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr
+ 
+ 	$openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \
+-		-newkey rsa:1024 -config ./openssl.cnf \
++		-newkey $KEY_TYPE -config ./openssl.cnf \
+ 		-subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \
+ 		-batch >/dev/null 2>&1
+ 
+diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.key
+index 5f4625fd7..e30e11586 100644
+--- a/tests/data/tls/private/bjensen@mailgw.example.com.key
++++ b/tests/data/tls/private/bjensen@mailgw.example.com.key
+@@ -1,16 +1,52 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2
+-xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4
+-9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z
+-yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r
+-oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e
+-nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg
+-xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra
+-EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd
+-9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/
+-pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI
+-tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ
+-3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D
+-tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg
+-36Ixj3L+5H18
++MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCcHBkHcUSKG4s7
++nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA7qkZvMJR8ws2u8TQU/18FhH4
+++0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWgqPYe/K3bAtSRtF7wDxF77eb2
++Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38kpIB5WENCEy77QK9GEGAlMVI
++RXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nNLxTdLe1qbZyRgEqRKgW5WcWr
++W46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yImsCbzlSRLC1dfj++2mzCMxoc3x
++pZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvRX9uQOnXnazQvlRfsaHQjGUKy
++hMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzLtwWkESVDU0tNg/czWLn56smV
++7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjILQuEBssrV1h8WblruWRU31Mn
+++mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5uicNcYTXCfa5ZpPL608f7cWuG2
++GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4yPXHATrCtYO1wqIyu9Yuirdg
++7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABAoICAQCWY/s40EXXRvG7XBGKe1Sn
++MZGGllyduVVQMFzJIkOsnkDKKuTY+dZlP4Zo5Q/PIvWKpRnWGRP6lsh5tJkukiHd
++jk4VvJk4AzS7mNhkRyYy3ZW3ulB5NpsXS67P610RwIhIVhuf6ORPH8GBW9lRxwoL
++1v4WpGjbywHkKQvR0Sp7lVGULuwnM0dSK2G9sdztUTGbWZlp0hRIawojtcrRt2ft
++Liyy4hooWMmAFS3wu1y3fHSNn5kEFpfis5jF+5jdDvvmsFElx/X7uiBUFMAV2vry
++wu2mceibiGjnq7Nn6I7fhgKzGnkgzzDSLA9uVBde2+RAHlO0fLTq+5YLVhe0pNBM
++J1Y0soNaO3XfVV6Vnyz8X+ruHItW2OBF9AYhIlXq/6d3MMX51BEM6odEtsi8zFgo
++ENN0GAXoyoofg+IvzPiVU2Ud7s4pAlK473d7sAQEeiFWaj7iwueAgofSUFRz7E/H
++umdhytKiJXqcjJ9O2k4sBsmQoPIB++LlUPRIlZY9UvTFxLbd/ifFUv5fqa6z0IX6
++wkIzXmRHhG+ETk1IZBJAAho7iyyYOTP+JnnToUAMWoUaZUO2bzaZfQha8Z3KVtG/
++PJUfHClBXqvFNaAUvA9Df3JoJddJ4pO1g0QjS/dp4C2KwNkH4oqMJctvCersoPWu
++5DYiWY6KR4GjokJ1lBeWAQKCAQEAzSKa+m2C4ANNCJB9tcKYDbYIdibCpzO+k1Fb
++gZUtNi9dEE0Po8rMG0jthm+GKJjNjiG5idSUMo+WNEGBPkELueex81AlEpOqQ6/9
++67cyjAsF/FvgkWOpKJnGOySF/TpK4kPGYyS3ICvs1KNE5HEywHyC4C/MD8N9Z5tX
++/DfW6sBM/wPipE9YDpKfAg3fDG9YJN/gJZ8TlZVqzzw75rKGcMeLc8f0mbMo+KWQ
++VKV4vrgz1eiVrHc5VeGUaXe1Yei5El671wAdtFdmm51A2fWd80fPlQdqfAwpX7x4
++FWuo9z2QX70rM/NTWfk4nQ6ZFEHxtm++OiTfh7RwauI8fxye6QKCAQEAwtF/tOth
++UgHrohB2DCE9gA0rxkynJHK9/SXSd0KBjERO2i41iuC9YlJT/NpNz9fM7l+L02aP
++wWLMqyC7moNmIpJMY2xBGU0EowQ/3xsSNo3u/fvOS4MyGLKENUPMFgO0J7yopiqt
++Ea31TcrFSTMSmFZCv8cGt38EwS6sdJZd/RB+h3yxesit8pouwpfbtLPx6LSGkPHY
++5nNVPgbt6xaxZJ/1kNbLFObSoZ3lzWBwp93dQh/WqeeeI51LGdM1G6fTL8HrmGFJ
++EX0AKpexFVnG/GROJc8taWtMbk9W5oK30JqR7hpSaluYbonpr9k4WQA+EAZjXfcJ
++0V0AMsMUhGtvFwKCAQAQZf7LnCuFKt5im+JgwFCVcALXJxwSb7GBZ1SQVFOL7Fdd
++MTvZ1SFh4P+T6qBn6GcuQIXrfcHnFNFmFgJ17o84akwwbiy4gnNu+8epqzhwN4Vf
+++hxGoxfntftByRao+pr34YEfddTpznkdOnwMYvwypQF1WHzQmckRmjp7YB9fHsZI
++8I+SoQEiERiC+oblIJWERR1PBJt1Lr+eF2uWcpkKtPjx5X8pNkhFMD8MdTnkzSbf
++p7snUVSVB/ZsQ/SNAiShUk9jzY+SVhZOxFBl3BunUgtHF5OsnPBFxfQ3iia0tQgw
++jxfADGiSXbjn3T3hf7AJ7H7heQchewwtjy5U3v3ZAoIBAQCEAyRPe0SKJoT+X7su
++QwQClmo4SE7mUt5NAOkaKTXRz6PDEpbzkZCjZHhHGcKqeWgDizkbuh7lg0Z/G4Ik
++lK+L86jRolSGiXr/3+xMCXMRBqKQ9qV24+L5e1Y9JcDQlhfo6V06pCZ8mW1lFmcT
++UAlksucuPvZdNzQIl9ECe7YauqeStbsqIXxFrZbMA808KMde0Z1x8H/ywOpdSqLD
++r6/rKL1lNTeN5U+Ldox228fa6Gt62EpE/Y9aQMbYLBeLsvBXJ0e3DQ1PTW3kbr/v
++YNOGyY1u73GtQqkbAqY3MxLNxz/loW6BZanoFYoFv+L/5Dsp7ro8vR6pASUWQLzR
++cl9nAoIBAQCre87G76UXv6FIggT+cKM9MKS69KIE3mzNTYUo90L74vF65hJqlaIa
++mfEcPpEU+UY+ufZSIHtTDBj/9Rswaf5whJY7RfL42pSGnW2YOMpuwDIKAEvcJedu
++kZhbthBin4pa28X6L5sNxug+7Wykgesd48PmMLG4pTF+D9u7SgO37Ew5UzylPWNi
++Lrv9TlX1vv9rNFh/hOCA93DNrJlNNPltIcMDByVVjrq31QmxMJwE7cdvl1V7eoiO
++NQuGuGyFIEKPtl9dEUaA4SGYZ7fUqPZaZuzzM0Xa5UMpdcIzcuYYNn3G6FvV6vwU
++dH+lv5X1bTB18GK88ANpC2qLCKRJPCTx
+ -----END PRIVATE KEY-----
+diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key
+index 8a24f69f8..99cb512c4 100644
+--- a/tests/data/tls/private/localhost.key
++++ b/tests/data/tls/private/localhost.key
+@@ -1,16 +1,52 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg
+-ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM
+-w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM
+-brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij
+-Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf
+-2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ
+-bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q
+-1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf
+-3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U
+-VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7
+-TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b
+-iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP
+-5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3
+-b61hkjQZfbEg5cg=
++MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDpR3z26BqHahZj
++TSrWD4zo2SmW57DC8ari2Qxq7WCr5DkGK/rVu5uB1IBn5mSTF7dLHRm/uLnCV0g3
++jBeoQOUyDaqF/MoNI0pSh9zTPsUsxvQKfjpaqVyJQJhV60eEGCEZ37p/E47P7H3w
++WGKICJ/4B2JRYFMoUWiFZej/1qIaCbS54mPY1LcTJpzE4qhNwN31Myw4nZ8wfYyW
++q4CsuhsK+6mE6tVuoGh56iXZLMUMM5byvI8PMUbLnGFkeSb/ewYigOkOQNHTKG8H
++Ofjup0sjmbJzoWP3qztLbGCqKoZclbQPQUJ+lRBfF+ZqHP8l3CX6GqzkSD9oD4sT
++/uWZLuzOjfPAlDncCl1xq6keLh9TrTA9Wt2jb3AvAM6EO5L45zWizVTIm3RPRr7M
++Hg8g/avGJ/LEjWJaZkW3u0nIu/WTvIw3sIsJbOxLLk8FmkaYdX1Zu9vrrQ3o3OUU
++MyqeMlYMCvUEuhXjLCamJY+HL/sm0pcV7VXeNPky8Yzbog4L7MLDBlXIQggBJ5Z6
++lkO62jTQuqjuM4pKUtGa6FNfUQsrzFhfplT9/PQXBidsu7psjiZEZ9snXZ9ZiblA
++yN7ZAC6+d1+Lvn0dR64uXpOCZ5AWCoUD/oqTCjPQ1xsppqP4HK8td8jhLeW+TBPb
++qc4C33rp9vVux2Rvw/nY12Sp5IyTlwIDAQABAoICADh1+wLvjmwz+xMxvCpvPRWm
++afCCR0AHqeqZye2fYoR4Cm05+837SFoWCrYbB0CqvsxJUNAcb6lf4rS/DYLFojOJ
++JzqiwmyHnBd5lrLyQFrkFHDtuEX1M9ZscfJprbeE944BnmvfWfNtM9YWLlLqc31e
++nCdB/x6FBZ0z2z8Avd87dih/aNc0NNNHxy3IBiA7i/0q04soaz0bRgm5nL0xlhYE
++bzUieWH7JQ5M47g6o76eReyeQqnUrWPeh5v/zraLGiMDvGScv6wx3x2KpHtutjr5
++mj1uVHm/UeyhYIwPGtIR0bDXhLaKcZnyeOw59G8/Z1mvVyUxb1dKW8kNKpj2yI2H
++Y1SjhW5qaOeaDPxAPqVyo6SUQIzOn6SD0l7aGyOyvYULjiw342HQYU4rQeSPOtjt
+++NYMirnT7WNnmoSIsXx7nwUe38EWx5gCHy8taF4aZr5K85yZKnmsiX3vX/hH30yc
++GLOnDDa3b0FE2J2eYos14ru8RTqSLSxclr5Ru2yTdwLgE0gg+iygO1/tYYkqxZ09
++j+METJpg4wv+cQUG/BxysISqNjaPSPHdyJeTMzC8B+PUUpbRoBuvLLokkZ9P95nG
++72TFklEOB0m0VMxrEfev0HGSzkQm92s2Bf41TRaHTPSkg+G1s0haZTNqRVTGPrr/
++eyiz0qH2bgDeubJ3VuTBAoIBAQD9N+KeKo+hRWeV/I6BCBOfMeQOqlqIxYfYAxU+
++CuutILbTnGKFMTAx43syh/a5EV7q4yM81RCXKK/Lmja2OIeYJUb88bC/h0x/gq5W
++LLxHbKgFDUDF2VcWShMqDOo8J8FbzWwb9bOOShqASoR6FacJuOqlFvS8gaswZtiW
++fOvlWRKO2ybULgQctX5gOf1ctuab1VrzuHnNB30gVFc95Dg1b6RiyVAa8AFm6gs9
++6Rewk527+4T5Ho5UXvdsTVJsAhzJgVjPSyF2Vc1CRrp8lIffsg5Prb4w8kvB0i64
++09zn+jAfVRpjdGWqMI7BR1pCdheGMqv006ZVYY+QhcBIb0BHAoIBAQDr14d5PPDv
++pCjlJnCKNzX2irU6bdIY+zvXoemj/cYvHqQbPOe/kaCWFNPMxANKMmZSTdSM7qqR
++s0P1RW/R7moWNSesYwW+2Jp2hIhiWmy+E+ksXeTlFwVpuMHSDPS/N61N8XgmT3pI
++Qngl1hgxGbttniKEwI+Nc7Z3FYDDCp206nmC5y33D+ZYHv1L3e33pyqHdHD/uIeU
++57OPr7Mmd/J6pmClh1dqyZwVBClc2V6w0y2G8Lk1v79wOMrn+4/p9KH2BgkFe2gr
++uB8TOLlUhttQ8VfzXCd+Zi9s3oW0h7Vkvt4kDlJm0MrnMmK0aqgKB+7XkKE0ccVQ
++xSodzbBdDYoxAoIBAH2qGmD8JkOWug2JRP9sDrDWhaNxj3SI8x2Uiho8OTG2JoVl
+++s621oArsJwnNZ4qrLxM9NPfuVgK7RNR+Qz9iO1MsqodF+Y1MxWkuPgzQ0z+83Nu
++XFLTxZBeOpyHxEcOQ7tXeut1SCK5S+WXFZ+w1zDQAELl3ZcfkuF2aM5mOHuddMRI
++pkBuhcPpnkoK/V3htxhnDbgeOPQzXzmIIbOpauu5+A6+cW6s5UU5qVKUNxl+aK09
++6YPoUiI07v1kch7//WFTO8vEMVsUwcS+bRYecD/nkYqhYt3PoSETOfSnz92gH/ms
++tmfdAAcyCeaJjpWlHY+P3h6mWsnMnP7QIdjQvUkCggEAGFkiBWRDQ5phFndHex2E
++FrXvS972p9mYLgTrSCD1CvxQ2PcKvf5c4+G2lBdQd6KIacrbPMmPFoe5ZmMKzlOc
++5DoMpIF8oF1gZQf9xJmtTFpl4ky3Sud7iZSnffYUdoFbBQb+7oWaDEfAe7eEu9z6
++OrDuw2HV8DaYCedQadJ4warLbLZNSop7r3FTmTeKT90USPO+jsgQR1E8eoMbLceI
++Yx02MSCt57p0wL6zPoC6g+rpclr75A6txvo2CIkyLGczKWEqIUTCVnEl1CgxCgb6
++MXsZJ2jGMwh9sPGwQBkaoxIJgRNxcmfv6rqK8jFos9Bp2ht2aSGty07vsDACGzlA
++oQKCAQEA8PzgkyGYHs2DwNhmv3j5ZFaP0RukwbdChSoxmbC9JP2JJxxYcnww5jYH
++xeM1bahqkdKyG5iDRiYB74EolZUMA3Zny13R4HWxNe4aUZW1H8mdmhllXX90aUOU
++WEvF2yYZbg9CQIq7zQh8HsF/S8sDTsXoZOx30zrPgb44spWKRmxdwUJt944weXvc
++p5XkLvVzBVJ+RD5IgPTBFl1iCkw3eq01CFcbTdfe9cS8V9IgDy0Jq2GvRE3Y2JS6
++xqtBB1MgZvrUoAZ8jPacRRXddg87Hwgs9+R1jaE+ZYixojOFg+JnQOGkUd9FhJAW
++bcnWV4XIPIMbouL4132Ove+GukJlPA==
+ -----END PRIVATE KEY-----
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch

@@ -0,0 +1,487 @@
+From 8e3e85e329f5cbd989936b0df8a0ac06906a4824 Mon Sep 17 00:00:00 2001
+From: Isaac Boukris <iboukris@gmail.com>
+Date: Tue, 14 Apr 2020 16:19:05 +0300
+Subject: [PATCH] auth: add SASL/GSSAPI tests
+
+---
+ tests/data/krb5.conf              |  32 ++++++
+ tests/data/slapd-sasl-gssapi.conf |  65 ++++++++++++
+ tests/scripts/conf.sh             |   3 +
+ tests/scripts/defines.sh          |   5 +
+ tests/scripts/setup_kdc.sh        | 144 +++++++++++++++++++++++++++
+ tests/scripts/test077-sasl-gssapi | 159 ++++++++++++++++++++++++++++++
+ 6 files changed, 408 insertions(+)
+ create mode 100644 tests/data/krb5.conf
+ create mode 100644 tests/data/slapd-sasl-gssapi.conf
+ create mode 100755 tests/scripts/setup_kdc.sh
+ create mode 100755 tests/scripts/test077-sasl-gssapi
+
+diff --git a/tests/data/krb5.conf b/tests/data/krb5.conf
+new file mode 100644
+index 000000000..739113742
+--- /dev/null
++++ b/tests/data/krb5.conf
+@@ -0,0 +1,32 @@
++[libdefaults]
++  default_realm = @KRB5REALM@
++  dns_lookup_realm = false
++  dns_lookup_kdc = false
++  default_ccache_name = FILE://@TESTDIR@/ccache
++  #udp_preference_limit = 1
++[realms]
++ @KRB5REALM@ = {
++  kdc = @KDCHOST@:@KDCPORT@
++  acl_file = @TESTDIR@/kadm.acl
++  database_name = @TESTDIR@/kdc.db
++  key_stash_file = @TESTDIR@/kdc.stash
++ }
++[kdcdefaults]
++  kdc_ports = @KDCPORT@
++  kdc_tcp_ports = @KDCPORT@
++[logging]
++  kdc = FILE:@TESTDIR@/kdc.log
++  admin_server = FILE:@TESTDIR@/kadm.log
++  default = FILE:@TESTDIR@/krb5.log
++
++#Heimdal
++[kdc]
++ database = {
++  dbname = @TESTDIR@/kdc.db
++  realm = @KRB5REALM@
++  mkey_file = @TESTDIR@/kdc.stash
++  log_file = @TESTDIR@/kdc.log
++  acl_file = @TESTDIR@/kadm.acl
++ }
++[hdb]
++  db-dir = @TESTDIR@
+diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
+new file mode 100644
+index 000000000..611fc7097
+--- /dev/null
++++ b/tests/data/slapd-sasl-gssapi.conf
+@@ -0,0 +1,65 @@
++# stand-alone slapd config -- for testing (with indexing)
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++#
++include		@SCHEMADIR@/core.schema
++include		@SCHEMADIR@/cosine.schema
++#
++include		@SCHEMADIR@/corba.schema
++include		@SCHEMADIR@/java.schema
++include		@SCHEMADIR@/inetorgperson.schema
++include		@SCHEMADIR@/misc.schema
++include		@SCHEMADIR@/nis.schema
++include		@SCHEMADIR@/openldap.schema
++#
++include		@SCHEMADIR@/duaconf.schema
++include		@SCHEMADIR@/dyngroup.schema
++
++#
++pidfile		@TESTDIR@/slapd.1.pid
++argsfile	@TESTDIR@/slapd.1.args
++
++# SSL configuration
++TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
++TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
++TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
++
++#
++rootdse 	@DATADIR@/rootdse.ldif
++
++#mod#modulepath	../servers/slapd/back-@BACKEND@/
++#mod#moduleload	back_@BACKEND@.la
++#monitormod#modulepath ../servers/slapd/back-monitor/
++#monitormod#moduleload back_monitor.la
++
++
++#######################################################################
++# database definitions
++#######################################################################
++
++database	@BACKEND@
++suffix          "dc=example,dc=com"
++rootdn          "cn=Manager,dc=example,dc=com"
++rootpw          secret
++#~null~#directory	@TESTDIR@/db.1.a
++#indexdb#index		objectClass eq
++#indexdb#index		mail eq
++#ndb#dbname db_1_a
++#ndb#include @DATADIR@/ndb.conf
++
++#monitor#database	monitor
++
++sasl-realm	@KRB5REALM@
++sasl-host	localhost
+diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
+index b0393865d..c9e1a4b0a 100755
+--- a/tests/scripts/conf.sh
++++ b/tests/scripts/conf.sh
+@@ -99,4 +99,7 @@ sed -e "s/@BACKEND@/${BACKEND}/"			\
+ 	-e "s;@TESTWD@;${TESTWD};"			\
+ 	-e "s;@DATADIR@;${DATADIR};"			\
+ 	-e "s;@SCHEMADIR@;${SCHEMADIR};"		\
++	-e "s;@KRB5REALM@;${KRB5REALM};"		\
++	-e "s;@KDCHOST@;${KDCHOST};"			\
++	-e "s;@KDCPORT@;${KDCPORT};"			\
+ 	-e "/^#/d"
+diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
+index 1d6c2b3f1..ccb2e5b41 100755
+--- a/tests/scripts/defines.sh
++++ b/tests/scripts/defines.sh
+@@ -114,6 +114,7 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
+ SCHEMACONF=$DATADIR/slapd-schema.conf
+ TLSCONF=$DATADIR/slapd-tls.conf
+ TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
++SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
+ GLUECONF=$DATADIR/slapd-glue.conf
+ REFINTCONF=$DATADIR/slapd-refint.conf
+ RETCODECONF=$DATADIR/slapd-retcode.conf
+@@ -223,6 +224,7 @@ PORT3=`expr $BASEPORT + 3`
+ PORT4=`expr $BASEPORT + 4`
+ PORT5=`expr $BASEPORT + 5`
+ PORT6=`expr $BASEPORT + 6`
++KDCPORT=`expr $BASEPORT + 7`
+ URI1="ldap://${LOCALHOST}:$PORT1/"
+ URIP1="ldap://${LOCALIP}:$PORT1/"
+ URI2="ldap://${LOCALHOST}:$PORT2/"
+@@ -248,6 +250,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/"
+ SURI6="ldaps://${LOCALHOST}:$PORT6/"
+ SURIP6="ldaps://${LOCALIP}:$PORT6/"
+ 
++KRB5REALM="K5.REALM"
++KDCHOST=$LOCALHOST
++
+ # LDIF
+ LDIF=$DATADIR/test.ldif
+ LDIFADD1=$DATADIR/do_add.1
+diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
+new file mode 100755
+index 000000000..1cb784075
+--- /dev/null
++++ b/tests/scripts/setup_kdc.sh
+@@ -0,0 +1,144 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++export KRB5_TRACE=$TESTDIR/k5_trace
++export KRB5_CONFIG=$TESTDIR/krb5.conf
++export KRB5_KDC_PROFILE=$KRB5_CONFIG
++export KRB5_KTNAME=$TESTDIR/server.kt
++export KRB5_CLIENT_KTNAME=$TESTDIR/client.kt
++export KRB5CCNAME=$TESTDIR/client.ccache
++
++KDCLOG=$TESTDIR/setup_kdc.log
++KSERVICE=ldap/$LOCALHOST
++KUSER=kuser
++
++. $CONFFILTER < $DATADIR/krb5.conf > $KRB5_CONFIG
++
++PATH=${PATH}:/usr/lib/heimdal-servers:/usr/sbin:/usr/local/sbin
++
++echo "Trying Heimdal KDC..."
++
++kdc --version 2>&1 | grep Heimdal > $KDCLOG 2>&1
++RC=$?
++if test $RC = 0 ; then
++
++	kstash --random-key > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kstash failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	flags="--realm-max-ticket-life=1h --realm-max-renewable-life=1h"
++	kadmin -l init $flags $KRB5REALM > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin init failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l add --random-key --use-defaults $KSERVICE > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l ext -k $KRB5_KTNAME $KSERVICE > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l add --random-key --use-defaults $KUSER > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin -l ext -k $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kdc --addresses=$LOCALIP --ports="$KDCPORT/udp" > $KDCLOG 2>&1 &
++else
++	echo "Trying MIT KDC..."
++
++	kdb5_util create -r $KRB5REALM -s -P password > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kdb5_util create failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "addprinc -randkey $KSERVICE" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: admin addprinc failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "ktadd -k $KRB5_KTNAME $KSERVICE" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "addprinc -randkey $KUSER" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kadmin addprinc failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	kadmin.local -q "ktadd -k $KRB5_CLIENT_KTNAME $KUSER" > $KDCLOG 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
++		exit 0
++	fi
++
++	krb5kdc -n > $KDCLOG 2>&1 &
++fi
++
++KDCPROC=$!
++sleep 1
++
++kinit -kt $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
++RC=$?
++if test $RC != 0 ; then
++	kill $KDCPROC
++	echo "SASL/GSSAPI: kinit failed, skipping GSSAPI tests"
++	exit 0
++fi
++
++pluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
++RC=$?
++if test $RC != 0 ; then
++
++	saslpluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
++	RC=$?
++	if test $RC != 0 ; then
++		kill $KDCPROC
++		echo "cyrus-sasl has no GSSAPI support, test skipped"
++		exit 0
++	fi
++fi
+diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
+new file mode 100755
+index 000000000..64abe16fe
+--- /dev/null
++++ b/tests/scripts/test077-sasl-gssapi
+@@ -0,0 +1,159 @@
++#! /bin/sh
++# $OpenLDAP$
++## This work is part of OpenLDAP Software <http://www.openldap.org/>.
++##
++## Copyright 1998-2020 The OpenLDAP Foundation.
++## All rights reserved.
++##
++## Redistribution and use in source and binary forms, with or without
++## modification, are permitted only as authorized by the OpenLDAP
++## Public License.
++##
++## A copy of this license is available in the file LICENSE in the
++## top-level directory of the distribution or, alternatively, at
++## <http://www.OpenLDAP.org/license.html>.
++
++echo "running defines.sh"
++. $SRCDIR/scripts/defines.sh
++
++if test $WITH_SASL = no ; then
++        echo "SASL support not available, test skipped"
++        exit 0
++fi
++
++mkdir -p $TESTDIR $DBDIR1
++cp -r $DATADIR/tls $TESTDIR
++
++cd $TESTWD
++
++
++echo "Starting KDC for SASL/GSSAPI tests..."
++. $SRCDIR/scripts/setup_kdc.sh
++
++echo "Running slapadd to build slapd database..."
++. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
++$SLAPADD -f $CONF1 -l $LDIFORDERED
++RC=$?
++if test $RC != 0 ; then
++	echo "slapadd failed ($RC)!"
++	kill $KDCPROC
++	exit $RC
++fi
++
++echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
++$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
++PID=$!
++if test $WAIT != 0 ; then
++    echo PID $PID
++    read foo
++fi
++KILLPIDS="$PID"
++
++sleep 1
++
++for i in 0 1 2 3 4 5; do
++	$LDAPSEARCH -s base -b "" -H $URI1 \
++		'objectclass=*' > /dev/null 2>&1
++        RC=$?
++        if test $RC = 0 ; then
++                break
++        fi
++        echo "Waiting 5 seconds for slapd to start..."
++        sleep 5
++done
++
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapsearch failed ($RC)!"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++grep GSSAPI $TESTOUT
++RC=$?
++if test $RC != 0 ; then
++	echo "failed: GSSAPI mechanism not in supportedSASLMechanisms."
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++fi
++
++echo -n "Using ldapwhoami with SASL/GSSAPI: "
++$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1
++RC=$?
++if test $RC != 0 ; then
++	echo "ldapwhoami failed ($RC)!"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++else
++	echo "success"
++fi
++
++echo -n "Validating mapped SASL/GSSAPI ID: "
++echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out
++$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
++RC=$?
++if test $RC != 0 ; then
++	echo "Comparison failed"
++	kill $KDCPROC
++	test $KILLSERVERS != no && kill -HUP $KILLPIDS
++	exit $RC
++else
++	echo "success"
++fi
++
++if test $WITH_TLS = no ; then
++        echo "SASL/GSSAPI: TLS support not available, skipping TLS part."
++else
++	echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: "
++	$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow	\
++		-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
++		> $TESTOUT 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "ldapwhoami failed ($RC)!"
++		kill $KDCPROC
++		test $KILLSERVERS != no && kill -HUP $KILLPIDS
++		exit $RC
++	else
++		echo "success"
++	fi
++
++	echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: "
++	$LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow	\
++		-o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt	\
++		> $TESTOUT 2>&1
++	RC=$?
++	if test $RC != 0 ; then
++		echo "ldapwhoami failed ($RC)!"
++		kill $KDCPROC
++		test $KILLSERVERS != no && kill -HUP $KILLPIDS
++		exit $RC
++	else
++		echo "success"
++	fi
++fi
++
++kill $KDCPROC
++test $KILLSERVERS != no && kill -HUP $KILLPIDS
++
++if test $RC != 0 ; then
++	echo ">>>>> Test failed"
++else
++	echo ">>>>> Test succeeded"
++	RC=0
++fi
++
++test $KILLSERVERS != no && wait
++
++exit $RC
+-- 
+2.26.2
+

SOURCES/openldap-cbinding-fix-openssl-digest.patch

@@ -0,0 +1,18 @@
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 6f27168..eb7b97c 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -862,7 +862,12 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
+ 		return 0;
+ 
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000
+-	md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
++	{
++		int mdnid;
++		if ( !OBJ_find_sigid_algs( X509_get_signature_nid( cert ), &mdnid, NULL ))
++			return 0;
++		md = EVP_get_digestbynid( mdnid );
++	}
+ #else
+ 	md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
+ #endif

SOURCES/openldap-change-TLS_REQSAN-default-to-TRY.patch

@@ -0,0 +1,46 @@
+From 2dfe3f35c7fef4792f15f0b3f9c9a10e5f9a4692 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@rehdat.com>
+Date: Thu, 5 Aug 2021 16:15:09 +0200
+Subject: [PATCH] Change TLS_REQSAN default to TRY
+
+---
+ doc/man/man5/ldap.conf.5 | 2 +-
+ libraries/libldap/init.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index cde2c875f..9f1aa2c0a 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -479,7 +479,6 @@ The client will not check any SAN in the certificate.
+ The SAN is checked against the specified hostname. If a SAN is
+ present but none match the specified hostname, the SANs are ignored
+ and the usual check against the certificate DN is used.
+-This is the default setting.
+ .TP
+ .B try
+ The SAN is checked against the specified hostname. If no SAN is present
+@@ -487,6 +486,7 @@ in the server certificate, the usual check against the certificate DN
+ is used. If a SAN is present but doesn't match the specified hostname,
+ the session is immediately terminated. This setting may be preferred
+ when a mix of certs with and without SANs are in use.
++This is the default setting.
+ .TP
+ .B demand | hard
+ These keywords are equivalent. The SAN is checked against the specified
+diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
+index 0d91808ec..fa4c176fd 100644
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -625,7 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
+ 	gopts->ldo_tls_connect_cb = NULL;
+ 	gopts->ldo_tls_connect_arg = NULL;
+ 	gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+-	gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
++	gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_TRY;
+ #endif
+ 	gopts->ldo_keepalive_probes = 0;
+ 	gopts->ldo_keepalive_interval = 0;
+-- 
+2.31.1
+

SOURCES/openldap-cldap-check-for-error-on-connected-socket.patch

@@ -0,0 +1,41 @@
+From ec5eba5393e5cc65b05e54658c55500cdbff775a Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 26 Aug 2020 13:22:52 +0100
+Subject: [PATCH 01/34] ITS#9328 cldap: check for error on connected socket
+
+libldap doesn't use a connected socket for UDP sessions, but 3rd
+parties can, passed in with ldap_init_fd().
+---
+ libraries/libldap/result.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
+index bdced135b..e2b220630 100644
+--- a/libraries/libldap/result.c
++++ b/libraries/libldap/result.c
+@@ -486,7 +486,8 @@ retry:
+ #ifdef LDAP_CONNECTIONLESS
+ 	if ( LDAP_IS_UDP(ld) ) {
+ 		struct sockaddr_storage from;
+-		ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) );
++		if ( ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ) < 0 )
++			goto fail;
+ 		if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
+ 	}
+ nextresp3:
+@@ -502,10 +503,11 @@ nextresp3:
+ 		break;
+ 
+ 	case LBER_DEFAULT:
++fail:
+ 		err = sock_errno();
+ #ifdef LDAP_DEBUG		   
+ 		Debug( LDAP_DEBUG_CONNS,
+-			"ber_get_next failed.\n", 0, 0, 0 );
++			"ber_get_next failed, errno=%d.\n", err, 0, 0 );
+ #endif		   
+ 		if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
+ 		if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;
+-- 
+2.26.2
+

SOURCES/openldap-ldapi-sasl.patch

@@ -0,0 +1,55 @@
+From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 7 May 2013 17:02:57 +0200
+Subject: [PATCH] LDAPI SASL fix
+
+Resolves: #960222
+---
+ libraries/libldap/cyrus.c | 19 ++++++++++++++++---
+ 1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
+
+diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
+index 28c241b..a9acf36 100644
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
+ 	struct berval	ccred = BER_BVNULL;
+ 	int saslrc, rc;
+ 	unsigned credlen;
++	char my_hostname[HOST_NAME_MAX + 1];
++	int free_saslhost = 0;
+ 
+ 	Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
+ 		mechs ? mechs : "<null>", 0, 0 );
+@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
+ 
+ 			/* If we don't need to canonicalize just use the host
+ 			 * from the LDAP URI.
++			 * Always use the result of gethostname() for LDAPI.
+ 			 */
+-			if ( nocanon )
++			if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
++			    strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
++				rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
++				if (rc == 0) {
++					saslhost = my_hostname;
++				} else {
++					saslhost = "localhost";
++				}
++			} else if ( nocanon )
+ 				saslhost = ld->ld_defconn->lconn_server->lud_host;
+-			else 
++			else {
+ 				saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
+ 				"localhost" );
++				free_saslhost = 1;
++			}
+ 			rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
+-			if ( !nocanon )
++			if ( free_saslhost )
+ 				LDAP_FREE( saslhost );
+ 		}
+ 
+-- 
+1.7.11.7
+

SOURCES/openldap-manpages.patch

@@ -3,10 +3,10 @@ Various manual pages changes:
 * removes references to non-existing manpages (bz 624616)
 
 diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
-index 353b075..cf37856 100644
+index 3def6da..466c772 100644
 --- a/doc/man/man1/ldapmodify.1
 +++ b/doc/man/man1/ldapmodify.1
-@@ -382,8 +382,7 @@ exit status and a diagnostic message being written to standard error.
+@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
  .BR ldap_add_ext (3),
  .BR ldap_delete_ext (3),
  .BR ldap_modify_ext (3),
@@ -17,19 +17,19 @@ index 353b075..cf37856 100644
  The OpenLDAP Project <http://www.openldap.org/>
  .SH ACKNOWLEDGEMENTS
 diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
-index 17b7154..6084298 100644
+index cfde143..63592cb 100644
 --- a/doc/man/man5/ldap.conf.5
 +++ b/doc/man/man5/ldap.conf.5
-@@ -338,6 +338,7 @@ certificates in separate individual files. The
+@@ -317,6 +317,7 @@ certificates in separate individual files. The
  .B TLS_CACERT
  is always used before
  .B TLS_CACERTDIR.
 +The specified directory must be managed with the OpenSSL c_rehash utility.
- .TP
- .B TLS_CERT <filename>
- Specifies the file that contains the client certificate.
+ This parameter is ignored with GnuTLS.
+ 
+ When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
 diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
-index 8504b37..f02f1fa 100644
+index b739f4d..e2a1a00 100644
 --- a/doc/man/man8/slapd.8
 +++ b/doc/man/man8/slapd.8
 @@ -5,7 +5,7 @@
@@ -39,9 +39,9 @@ index 8504b37..f02f1fa 100644
 -.B LIBEXECDIR/slapd 
 +.B slapd
  [\c
- .BR \-V [ V [ V ]]
+ .BR \-4 | \-6 ]
  [\c
-@@ -332,7 +332,7 @@ the LDAP databases defined in the default config file, just type:
+@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
  .LP
  .nf
  .ft tt
@@ -50,7 +50,7 @@ index 8504b37..f02f1fa 100644
  .ft
  .fi
  .LP
-@@ -343,7 +343,7 @@ on voluminous debugging which will be printed on standard error, type:
+@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
  .LP
  .nf
  .ft tt
@@ -59,7 +59,7 @@ index 8504b37..f02f1fa 100644
  .ft
  .fi
  .LP
-@@ -351,7 +351,7 @@ To test whether the configuration file is correct or not, type:
+@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
  .LP
  .nf
  .ft tt
@@ -68,3 +68,6 @@ index 8504b37..f02f1fa 100644
  .ft
  .fi
  .LP
+-- 
+1.8.1.4
+

SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch

@@ -0,0 +1,227 @@
+ITS#7595 Add Elliptic Curve support for OpenSSL
+
+Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
+Author:    Howard Chu <hyc@openldap.org>
+Date:      Sat Sep 7 09:47:19 2013 -0700
+
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index 9c72e8296..2311c3096 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -922,6 +922,13 @@ are not used.
+ When using Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
+ .TP
++.B olcTLSECName: <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange.  This is required to enable ECDHE algorithms in
++OpenSSL.  This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B olcTLSProtocolMin: <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index f504adcf9..ef03e0ad8 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1153,6 +1153,13 @@ are not used.
+ When using Mozilla NSS these parameters are always generated randomly
+ so this directive is ignored.
+ .TP
++.B TLSECName <name>
++Specify the name of a curve to use for Elliptic curve Diffie-Hellman
++ephemeral key exchange.  This is required to enable ECDHE algorithms in
++OpenSSL.  This option is not used with GnuTLS; the curves may be
++chosen in the GnuTLS ciphersuite specification. This option is also
++ignored for Mozilla NSS.
++.TP
+ .B TLSProtocolMin <major>[.<minor>]
+ Specifies minimum SSL/TLS protocol version that will be negotiated.
+ If the server doesn't support at least that version,
+diff --git a/include/ldap.h b/include/ldap.h
+index c245651c2..0964a193e 100644
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
+ #define LDAP_OPT_X_TLS_NEWCTX		0x600f
+ #define LDAP_OPT_X_TLS_CRLFILE		0x6010	/* GNUtls only */
+ #define LDAP_OPT_X_TLS_PACKAGE		0x6011
++#define LDAP_OPT_X_TLS_ECNAME		0x6012
+ 
+ #define LDAP_OPT_X_TLS_NEVER	0
+ #define LDAP_OPT_X_TLS_HARD		1
+diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
+index 66e04ae80..db7193f4f 100644
+--- a/libraries/libldap/ldap-int.h
++++ b/libraries/libldap/ldap-int.h
+@@ -165,6 +165,7 @@ struct ldaptls {
+ 	char		*lt_ciphersuite;
+ 	char		*lt_crlfile;
+ 	char		*lt_randfile;	/* OpenSSL only */
++	char		*lt_ecname;		/* OpenSSL only */
+ 	int		lt_protocol_min;
+ };
+ #endif
+@@ -250,6 +251,7 @@ struct ldapoptions {
+ #define ldo_tls_certfile	ldo_tls_info.lt_certfile
+ #define ldo_tls_keyfile	ldo_tls_info.lt_keyfile
+ #define ldo_tls_dhfile	ldo_tls_info.lt_dhfile
++#define ldo_tls_ecname	ldo_tls_info.lt_ecname
+ #define ldo_tls_cacertfile	ldo_tls_info.lt_cacertfile
+ #define ldo_tls_cacertdir	ldo_tls_info.lt_cacertdir
+ #define ldo_tls_ciphersuite	ldo_tls_info.lt_ciphersuite
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index d25c190ea..0451b01af 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
+ 		LDAP_FREE( lo->ldo_tls_dhfile );
+ 		lo->ldo_tls_dhfile = NULL;
+ 	}
++	if ( lo->ldo_tls_ecname ) {
++		LDAP_FREE( lo->ldo_tls_ecname );
++		lo->ldo_tls_ecname = NULL;
++	}
+ 	if ( lo->ldo_tls_cacertfile ) {
+ 		LDAP_FREE( lo->ldo_tls_cacertfile );
+ 		lo->ldo_tls_cacertfile = NULL;
+@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
+ 		lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
+ 		__atoe( lts.lt_dhfile );
+ 	}
++	if ( lts.lt_ecname ) {
++		lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
++		__atoe( lts.lt_ecname );
++	}
+ #endif
+ 	lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
+ 	if ( lo->ldo_tls_ctx == NULL ) {
+@@ -257,6 +265,7 @@ error_exit:
+ 	LDAP_FREE( lts.lt_crlfile );
+ 	LDAP_FREE( lts.lt_cacertdir );
+ 	LDAP_FREE( lts.lt_dhfile );
++	LDAP_FREE( lts.lt_ecname );
+ #endif
+ 	return rc;
+ }
+@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
+ 		*(char **)arg = lo->ldo_tls_dhfile ?
+ 			LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
+ 		break;
++	case LDAP_OPT_X_TLS_ECNAME:
++		*(char **)arg = lo->ldo_tls_ecname ?
++			LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
++		break;
+ 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
+ 		*(char **)arg = lo->ldo_tls_crlfile ?
+ 			LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
+@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
+ 		if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
+ 		lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ 		return 0;
++	case LDAP_OPT_X_TLS_ECNAME:
++		if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
++		lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
++		return 0;
+ 	case LDAP_OPT_X_TLS_CRLFILE:	/* GnuTLS only */
+ 		if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
+ 		lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index f24060b7e..1370923af 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		return -1;
+ 	}
+ 
+-	if ( lo->ldo_tls_dhfile ) {
+-		DH *dh = NULL;
++	if ( is_server && lo->ldo_tls_dhfile ) {
++		DH *dh;
+ 		BIO *bio;
+-		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+ 
+ 		if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
+ 			Debug( LDAP_DEBUG_ANY,
+@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		}
+ 		BIO_free( bio );
+ 		SSL_CTX_set_tmp_dh( ctx, dh );
++		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
++		DH_free( dh );
++	}
++
++#ifdef SSL_OP_SINGLE_ECDH_USE
++	if ( is_server && lo->ldo_tls_ecname ) {
++		EC_KEY *ecdh;
++
++		int nid = OBJ_sn2nid( lt->lt_ecname );
++		if ( nid == NID_undef ) {
++			Debug( LDAP_DEBUG_ANY,
++				"TLS: could not use EC name `%s'.\n",
++				lo->ldo_tls_ecname,0,0);
++			tlso_report_error();
++			return -1;
++		}
++		ecdh = EC_KEY_new_by_curve_name( nid );
++		if ( ecdh == NULL ) {
++			Debug( LDAP_DEBUG_ANY,
++				"TLS: could not generate key for EC name `%s'.\n",
++				lo->ldo_tls_ecname,0,0);
++			tlso_report_error();
++			return -1;
++		}
++		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
++		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
++		EC_KEY_free( ecdh );
+ 	}
++#endif
+ 
+ 	if ( tlso_opt_trace ) {
+ 		SSL_CTX_set_info_callback( ctx, tlso_info_cb );
+diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
+index 250f14100..8b1e4e582 100644
+--- a/servers/slapd/bconfig.c
++++ b/servers/slapd/bconfig.c
+@@ -194,6 +194,7 @@ enum {
+ 	CFG_ACL_ADD,
+ 	CFG_SYNC_SUBENTRY,
+ 	CFG_LTHREADS,
++	CFG_TLS_ECNAME,
+ 
+ 	CFG_LAST
+ };
+@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
+ #endif
+ 		"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
+ 			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
++	{ "TLSECName", NULL, 2, 2, 0,
++#ifdef HAVE_TLS
++		CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
++#else
++		ARG_IGNORED, NULL,
++#endif
++		"( OLcfgGlAt:96 NAME 'olcTLSECName' "
++			"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ 	{ "TLSProtocolMin",	NULL, 2, 2, 0,
+ #ifdef HAVE_TLS
+ 		CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
+@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
+ 		 "olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
+ 		 "olcTLSCACertificatePath $ olcTLSCertificateFile $ "
+ 		 "olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
+-		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
++		 "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
+ 		 "olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
+ 		 "olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
+ 		 "olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
+@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
+ 	case CFG_TLS_CA_PATH:	flag = LDAP_OPT_X_TLS_CACERTDIR;	break;
+ 	case CFG_TLS_CA_FILE:	flag = LDAP_OPT_X_TLS_CACERTFILE;	break;
+ 	case CFG_TLS_DH_FILE:	flag = LDAP_OPT_X_TLS_DHFILE;	break;
++	case CFG_TLS_ECNAME:	flag = LDAP_OPT_X_TLS_ECNAME;	break;
+ #ifdef HAVE_GNUTLS
+ 	case CFG_TLS_CRL_FILE:	flag = LDAP_OPT_X_TLS_CRLFILE;	break;
+ #endif

SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch

@@ -0,0 +1,34 @@
+ITS#7595 don't try to use EC if OpenSSL lacks it
+
+Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
+Author: Howard Chu <hyc@openldap.org>
+Date: Sun Sep 8 06:32:23 2013 -0700
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 1a81bc625..71c2b055c 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		DH_free( dh );
+ 	}
+ 
+-#ifdef SSL_OP_SINGLE_ECDH_USE
+ 	if ( is_server && lo->ldo_tls_ecname ) {
++#ifdef OPENSSL_NO_EC
++		Debug( LDAP_DEBUG_ANY,
++			"TLS: Elliptic Curves not supported.\n", 0,0,0 );
++		return -1;
++#else
+ 		EC_KEY *ecdh;
+ 
+ 		int nid = OBJ_sn2nid( lt->lt_ecname );
+@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ 		SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+ 		SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+ 		EC_KEY_free( ecdh );
+-	}
+ #endif
++	}
+ 
+ 	if ( tlso_opt_trace ) {
+ 		SSL_CTX_set_info_callback( ctx, tlso_info_cb );

SOURCES/openldap-openssl-manpage-defaultCA.patch

@@ -6,10 +6,9 @@ certificates.
 Author: Matus Honek <mhonek@redhat.com>
 
 diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
-index 6084298..3070bb4 100644
 --- a/doc/man/man5/ldap.conf.5
 +++ b/doc/man/man5/ldap.conf.5
-@@ -327,6 +327,9 @@ are more options you can specify.  These options are used when an
+@@ -307,6 +307,9 @@ are more options you can specify.  These options are used when an
  .B ldaps:// URI
  is selected (by default or otherwise) or when the application
  negotiates TLS by issuing the LDAP StartTLS operation.
@@ -20,10 +19,9 @@ index 6084298..3070bb4 100644
  .B TLS_CACERT <filename>
  Specifies the file that contains certificates for all of the Certificate
 diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
-index a559b0c..adda87a 100644
 --- a/doc/man/man5/slapd-config.5
 +++ b/doc/man/man5/slapd-config.5
-@@ -878,6 +878,10 @@ If
+@@ -801,6 +801,10 @@ If
  .B slapd
  is built with support for Transport Layer Security, there are more options
  you can specify.
@@ -35,10 +33,9 @@ index a559b0c..adda87a 100644
  .B olcTLSCipherSuite: <cipher-suite-spec>
  Permits configuring what ciphers will be accepted and the preference order.
 diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
-index b6e9250..1653a1b 100644
 --- a/doc/man/man5/slapd.conf.5
 +++ b/doc/man/man5/slapd.conf.5
-@@ -1108,6 +1108,10 @@ If
+@@ -1032,6 +1032,10 @@ If
  .B slapd
  is built with support for Transport Layer Security, there are more options
  you can specify.

SOURCES/openldap-reentrant-gethostby.patch

@@ -8,7 +8,7 @@ Resolves: #179730
 Author: Jeffery Layton <jlayton@redhat.com>
 
 diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
-index aa69f70..4461bf2 100644
+index 373c81c..a012062 100644
 --- a/libraries/libldap/util-int.c
 +++ b/libraries/libldap/util-int.c
 @@ -52,8 +52,8 @@ extern int h_errno;
@@ -22,7 +22,7 @@ index aa69f70..4461bf2 100644
  
  #else
  # include <ldap_pvt_thread.h>
-@@ -442,7 +442,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
  #define BUFSTART (1024-32)
  #define BUFMAX (32*1024-32)
  

SOURCES/openldap-smbk5pwd-overlay.patch

@@ -9,7 +9,7 @@ Author: Jan Vcelak <jvcelak@redhat.com>
 Resolves: #841560
 
 diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
-index 4a710a7..0cd4e9e 100644
+index f20ad94..b6433ff 100644
 --- a/contrib/slapd-modules/smbk5pwd/README
 +++ b/contrib/slapd-modules/smbk5pwd/README
 @@ -1,3 +1,8 @@
@@ -22,10 +22,10 @@ index 4a710a7..0cd4e9e 100644
  PasswordModify Extended Operation to update Kerberos keys and Samba
  password hashes for an LDAP user.
 diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
-index b84bc54..b5c3fc8 100644
+index 3af20e8..ef73663 100644
 --- a/servers/slapd/overlays/Makefile.in
 +++ b/servers/slapd/overlays/Makefile.in
-@@ -37,7 +37,8 @@ SRCS = overlays.c \
+@@ -33,7 +33,8 @@ SRCS = overlays.c \
  	syncprov.c \
  	translucent.c \
  	unique.c \
@@ -35,7 +35,7 @@ index b84bc54..b5c3fc8 100644
  OBJS = statover.o \
  	@SLAPD_STATIC_OVERLAYS@ \
  	overlays.o
-@@ -57,7 +58,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
  UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
  
  LIBRARY = ../liboverlays.a
@@ -44,7 +44,7 @@ index b84bc54..b5c3fc8 100644
  
  XINCPATH = -I.. -I$(srcdir)/..
  XDEFS = $(MODULES_CPPFLAGS)
-@@ -141,6 +142,12 @@ unique.la : unique.lo
+@@ -125,6 +126,12 @@ unique.la : unique.lo
  valsort.la : valsort.lo
  	$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
  
@@ -57,3 +57,6 @@ index b84bc54..b5c3fc8 100644
  install-local:	$(PROGRAMS)
  	@if test -n "$?" ; then \
  		$(MKDIR) $(DESTDIR)$(moduledir); \
+-- 
+1.7.10.4
+

SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch

@@ -6,12 +6,10 @@ Proof of concept for fixing http://bugs.debian.org/327585
 (patch ported from freeradius bug http://bugs.debian.org/416266)
 
 Resolves: #960048
-
-diff --git a/servers/slapd/module.c b/servers/slapd/module.c
-index e616f1d..52bacff 100644
---- a/servers/slapd/module.c
-+++ b/servers/slapd/module.c
-@@ -117,6 +117,20 @@ int module_unload( const char *file_name )
+---
+--- openldap/servers/slapd/module.c.orig	2010-05-18 17:42:04.000000000 +0200
++++ openldap/servers/slapd/module.c	2010-05-18 17:45:46.000000000 +0200
+@@ -117,6 +117,20 @@
  	return -1;	/* not found */
  }
  
@@ -32,7 +30,7 @@ index e616f1d..52bacff 100644
  int module_load(const char* file_name, int argc, char *argv[])
  {
  	module_loaded_t *module;
-@@ -179,7 +193,7 @@ int module_load(const char* file_name, int argc, char *argv[])
+@@ -180,7 +194,7 @@
  	 * to calling Debug. This is because Debug is a macro that expands
  	 * into multiple function calls.
  	 */

SOURCES/slapd.ldif

@@ -42,41 +42,36 @@ cn: config
 #
 # Load dynamic backend modules:
 # - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
 # - dyngroup.la and dynlist.la cannot be used at the same time
 #
 
 #dn: cn=module,cn=config
 #objectClass: olcModuleList
 #cn: module
-#olcModulepath: /usr/lib/openldap
-#olcModulepath: /usr/lib64/openldap
+#olcModulepath:	/usr/lib/openldap
+#olcModulepath:	/usr/lib64/openldap
 #olcModuleload: accesslog.la
-#olcModuleload: allop.la
 #olcModuleload: auditlog.la
-#olcModuleload: autoca.la
-#olcModuleload: back_asyncmeta.la
 #olcModuleload: back_dnssrv.la
 #olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
 #olcModuleload: back_meta.la
 #olcModuleload: back_null.la
 #olcModuleload: back_passwd.la
 #olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
 #olcModuleload: back_sock.la
-#olcModuleload: check_password.la
 #olcModuleload: collect.la
 #olcModuleload: constraint.la
 #olcModuleload: dds.la
 #olcModuleload: deref.la
 #olcModuleload: dyngroup.la
 #olcModuleload: dynlist.la
-#olcModuleload: home.la
-#olcModuleload: lloadd.la
 #olcModuleload: memberof.la
-#olcModuleload: otp.la
 #olcModuleload: pcache.la
 #olcModuleload: ppolicy.la
 #olcModuleload: refint.la
-#olcModuleload: remoteauth.la
 #olcModuleload: retcode.la
 #olcModuleload: rwm.la
 #olcModuleload: seqmod.la

SOURCES/slapd.service

@@ -3,6 +3,7 @@ Description=OpenLDAP Server Daemon
 After=syslog.target network-online.target
 Documentation=man:slapd
 Documentation=man:slapd-config
+Documentation=man:slapd-hdb
 Documentation=man:slapd-mdb
 Documentation=file:///usr/share/doc/openldap-servers/guide.html
 

SOURCES/slapd.tmpfiles

@@ -1,2 +1,2 @@
 # openldap runtime directory for slapd.arg and slapd.pid
-d /run/openldap 0755 ldap ldap -
+d /var/run/openldap 0755 ldap ldap -

SPECS/openldap.spec

@@ -3,77 +3,71 @@
 %global systemctl_bin /usr/bin/systemctl
 %global check_password_version 1.1
 
-%global so_ver 2
-%global so_ver_compat 2
-
-# Build openldap-servers package and its libslapi in openldap-devel and openldap-compat
-%bcond servers 0
-
-# When you change "Version: " to the new major version, remember to change this value too
-%global major_version 2.6
-
-# Disable automatic .la file removal
-%global __brp_remove_la_files %nil
-
 Name: openldap
-Version: 2.6.8
-Release: 1%{?dist}
+Version: 2.4.46
+Release: 20%{?dist}
 Summary: LDAP support libraries
-License: OLDAP-2.8
+License: OpenLDAP
 URL: http://www.openldap.org/
 
-Source0: https://openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
+Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
 Source1: slapd.service
 Source2: slapd.tmpfiles
 Source3: slapd.ldif
 Source4: ldap.conf
-Source5: UPGRADE_INSTRUCTIONS
-Source6: openldap.sysusers
-Source10: https://github.com/ltb-project/openldap-ppolicy-check-password/archive/v%{check_password_version}/openldap-ppolicy-check-password-%{check_password_version}.tar.gz
+Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz
 Source50: libexec-functions
 Source52: libexec-check-config.sh
+Source53: libexec-upgrade-db.sh
 
-# Patches for 2.6
+# patches for 2.4
 Patch0: openldap-manpages.patch
-Patch1: openldap-reentrant-gethostby.patch
-
+Patch2: openldap-reentrant-gethostby.patch
 Patch3: openldap-smbk5pwd-overlay.patch
-Patch4: openldap-ai-addrconfig.patch
-Patch5: openldap-allop-overlay.patch
+Patch5: openldap-ai-addrconfig.patch
+Patch17: openldap-allop-overlay.patch
+Patch18: openldap-cldap-check-for-error-on-connected-socket.patch
 
 # fix back_perl problems with lt_dlopen()
 # might cause crashes because of symbol collisions
 # the proper fix is to link all perl modules against libperl
 # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
-Patch6: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
+Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
+# ldapi sasl fix pending upstream inclusion
+Patch20: openldap-ldapi-sasl.patch
+Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
+Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
+Patch24: openldap-openssl-manpage-defaultCA.patch
 
-# System-wide default for CA certs
-Patch7: openldap-openssl-manpage-defaultCA.patch
-Patch8: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch
-Patch9: openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch
+# The below patches come from upstream master and are necessary for Channel Binding
+# (both tls-unique and tls-server-end-point) to work properly.
+# Additionally, for Samba to be able to implement Channel Binding, the PEERCERT option
+# is being included as well.
+Patch50: openldap-cbinding-Add-channel-binding-support.patch
+Patch51: openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch
+Patch52: openldap-cbinding-ITS-8573-TLS-option-test-suite.patch
+Patch53: openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch
+Patch54: openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
+Patch55: openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
+Patch56: openldap-cbinding-Make-prototypes-available-where-needed.patch
+Patch57: openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch
+Patch58: openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
+Patch59: openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch
+Patch60: openldap-cbinding-Fix-slaptest-in-test077.patch
+Patch61: openldap-cbinding-Convert-test077-to-LDIF-config.patch
+Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch
+Patch63: openldap-add-TLS_REQSAN-option.patch
+Patch64: openldap-change-TLS_REQSAN-default-to-TRY.patch
+Patch65: openldap-cbinding-fix-openssl-digest.patch
+Patch66: 0001-ITS-9904-ldap_url_parsehosts-check-for-strdup-failur.patch
+Patch67: 0001-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
 
 # check-password module specific patches
 Patch90: check-password-makefile.patch
 Patch91: check-password.patch
 
-BuildRequires: cyrus-sasl-devel
-BuildRequires: gcc
-BuildRequires: glibc-devel
-BuildRequires: groff
-BuildRequires: krb5-devel
-BuildRequires: libtool-ltdl-devel
-BuildRequires: libevent-devel
-BuildRequires: make
-BuildRequires: openssl-devel
-BuildRequires: perl(ExtUtils::Embed)
-BuildRequires: perl-devel
-BuildRequires: perl-generators
-BuildRequires: perl-interpreter
-BuildRequires: unixODBC-devel
-BuildRequires: cracklib-devel
-BuildRequires: systemd
-BuildRequires: systemd-rpm-macros
-%{?sysusers_requires_compat}
+BuildRequires: cyrus-sasl-devel, openssl-devel, krb5-devel, unixODBC-devel
+BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-interpreter, perl-devel, perl-generators, perl(ExtUtils::Embed)
 
 %description
 OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@@ -86,8 +80,7 @@ libraries, and documentation for OpenLDAP.
 
 %package devel
 Summary: LDAP development libraries and header files
-Requires: openldap%{?_isa} = %{version}-%{release}
-Requires: cyrus-sasl-devel%{?_isa}
+Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}
 
 %description devel
 The openldap-devel package includes the development libraries and
@@ -97,43 +90,15 @@ protocols for enabling directory services over the Internet. Install
 this package only if you plan to develop or will need to compile
 customized LDAP clients.
 
-%package compat
-Summary: Package providing legacy non-threaded libldap
-Requires: openldap%{?_isa} = %{version}-%{release}
-# since libldap is manually linked from libldap_r, the provides is not generated automatically
-%ifarch armv7hl i686
-Provides: libldap-2.4.so.%{so_ver_compat}
-Provides: libldap_r-2.4.so.%{so_ver_compat}
-Provides: liblber-2.4.so.%{so_ver_compat}
-%if %{with servers}
-Provides: libslapi-2.4.so.%{so_ver_compat}
-%endif
-%else
-Provides: libldap-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit)
-Provides: libldap_r-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit)
-Provides: liblber-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit)
-%if %{with servers}
-Provides: libslapi-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit)
-%endif
-%endif
-
-%description compat
-The openldap-compat package contains shared libraries named as libldap-2.4.so,
-%if %{with servers}
-libldap_r-2.4.so, liblber-2.4.so and libslapi-2.4.so.
-%else
-libldap_r-2.4.so and liblber-2.4.so
-%endif
-The libraries are just links to the current version shared libraries,
-and are available for compatibility reasons.
-
-%if %{with servers}
 %package servers
 Summary: LDAP server
 License: OpenLDAP
-Requires: openldap%{?_isa} = %{version}-%{release}
-%{?systemd_requires}
+Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils
 Requires(pre): shadow-utils
+BuildRequires: systemd
+%{?systemd_requires}
+BuildRequires: libdb-devel
+BuildRequires: cracklib-devel
 # migrationtools (slapadd functionality):
 Provides: ldif2ldbm
 
@@ -144,8 +109,6 @@ protocols for accessing directory services (usually phone book style
 information, but other information is possible) over the Internet,
 similar to the way DNS (Domain Name System) information is propagated
 over the Internet. This package contains the slapd server and related files.
-# endif servers
-%endif
 
 %package clients
 Summary: LDAP client utilities
@@ -164,15 +127,38 @@ programs needed for accessing and modifying OpenLDAP directories.
 %setup -q -c -a 0 -a 10
 
 pushd openldap-%{version}
-%patch -P0 -p1
-%patch -P1 -p1
-%patch -P3 -p1
-%patch -P4 -p1
-%patch -P5 -p1
-%patch -P6 -p1
-%patch -P7 -p1
-%patch -P8 -p1
-%patch -P9 -p1
+
+AUTOMAKE=%{_bindir}/true autoreconf -fi
+
+%patch0 -p1
+%patch2 -p1
+%patch3 -p1
+%patch5 -p1
+%patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
+%patch50 -p1
+%patch51 -p1
+%patch52 -p1
+%patch53 -p1
+%patch54 -p1
+%patch55 -p1
+%patch56 -p1
+%patch57 -p1
+%patch58 -p1
+%patch59 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
+%patch66 -p1
+%patch67 -p1
 
 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@@ -186,30 +172,27 @@ mv servers/slapd/back-perl/README{,.back_perl}
 
 # fix documentation encoding
 for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do
-  iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8"
-  mv "$filename.utf8" "$filename"
+	iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8"
+	mv "$filename.utf8" "$filename"
 done
 
 popd
 
-pushd openldap-ppolicy-check-password-%{check_password_version}
-%patch -P90 -p1
-%patch -P91 -p1
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+%patch90 -p1
+%patch91 -p1
 popd
 
 %build
 
 %set_build_flags
 # enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
-export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS"
-# disable legacy hash algorithm
-export CFLAGS="${CFLAGS} -DOPENSSL_NO_MD2"
+export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS -DOPENSSL_NO_MD2"
 
 pushd openldap-%{version}
 %configure \
 	--enable-debug \
 	--enable-dynamic \
-	--enable-versioning \
 	\
 	--enable-dynacl \
 	--enable-cleartext \
@@ -217,12 +200,9 @@ pushd openldap-%{version}
 	--enable-lmpasswd \
 	--enable-spasswd \
 	--enable-modules \
-	--enable-perl \
 	--enable-rewrite \
 	--enable-rlookups \
-%if %{with servers}
 	--enable-slapi \
-%endif
 	--disable-slp \
 	\
 	--enable-backends=mod \
@@ -232,14 +212,11 @@ pushd openldap-%{version}
 	--enable-monitor=yes \
 	--disable-ndb \
 	--disable-sql \
-	--disable-wt \
 	\
 	--enable-overlays=mod \
 	\
 	--disable-static \
 	\
-	--enable-balancer=mod \
-        \
 	--with-cyrus-sasl \
 	--without-fetch \
 	--with-threads \
@@ -248,11 +225,11 @@ pushd openldap-%{version}
 	\
 	--libexecdir=%{_libdir}
 
-%make_build
+make %{_smp_mflags}
 popd
 
-pushd openldap-ppolicy-check-password-%{check_password_version}
-%make_build LDAP_INC="-I../openldap-%{version}/include \
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
+make LDAP_INC="-I../openldap-%{version}/include \
  -I../openldap-%{version}/servers/slapd \
  -I../openldap-%{version}/build-servers/include"
 popd
@@ -260,16 +237,13 @@ popd
 %install
 
 mkdir -p %{buildroot}%{_libdir}/
-%if %{with servers}
-install -p -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/openldap.conf
-%endif
 
 pushd openldap-%{version}
-%make_install STRIP_OPTS=""
+make install DESTDIR=%{buildroot} STRIP=""
 popd
 
 # install check_password module
-pushd openldap-ppolicy-check-password-%{check_password_version}
+pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
 mv check_password.so check_password.so.%{check_password_version}
 ln -s check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/check_password.so
 install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/
@@ -302,7 +276,7 @@ mkdir -p %{buildroot}%{_tmpfilesdir}
 install -m 0644 %SOURCE2 %{buildroot}%{_tmpfilesdir}/slapd.conf
 
 # install default ldap.conf (customized)
-rm %{buildroot}%{_sysconfdir}/openldap/ldap.conf
+rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
 install -m 0644 %SOURCE4 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
 
 # setup maintainance scripts
@@ -310,13 +284,15 @@ mkdir -p %{buildroot}%{_libexecdir}
 install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
 install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
 install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
+install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
 
 # remove build root from config files and manual pages
 perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
 perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
 
 # we don't need the default files -- RPM handles changes
-rm %{buildroot}%{_sysconfdir}/openldap/*.default
+rm -f %{buildroot}%{_sysconfdir}/openldap/*.default
+rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default
 
 # install an init script for the servers
 mkdir -p %{buildroot}%{_unitdir}
@@ -326,87 +302,69 @@ install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service
 mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/
 
 # setup tools as symlinks to slapd
-for X in acl add auth cat dn index modify passwd test schema ; do
-  rm %{buildroot}%{_sbindir}/slap$X
-  ln -s slapd %{buildroot}%{_sbindir}/slap$X
-done
+rm -f %{buildroot}%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
+rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
+for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done
 
 # re-symlink unversioned libraries, so ldconfig is not confused
 pushd %{buildroot}%{_libdir}
 v=%{version}
 version=$(echo ${v%.[0-9]*})
-for lib in liblber libldap %{?with_servers:libslapi}; do
-        rm -f ${lib}.so
-        ln -s ${lib}.so.%{so_ver} ${lib}.so
+for lib in liblber libldap libldap_r libslapi; do
+	rm -f ${lib}.so
+	ln -s ${lib}-${version}.so.2 ${lib}.so
 done
-
-for lib in $(ls | grep libldap); do
-    IFS='.'
-    read -r -a libsplit <<< "$lib"
-    if [[ -z "${libsplit[3]}" && -n "${libsplit[2]}" ]]
-    then
-        so_ver_short_2_4="%{so_ver_compat}"
-    elif [ -n "${libsplit[3]}" ]
-    then
-        so_ver_full_2_4="%{so_ver_compat}.${libsplit[3]}.${libsplit[4]}"
-    fi
-    unset IFS
-done
-
-# Provide only libldap and copy it to libldap_r for both 2.4 and 2.6+ versions, make a versioned lib link
-# We increase it by 2 because libldap-2.4 has the 'so.2' major version on 2.4.59 (one of the last versions which is EOL)
-gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed \
-       -Wl,-soname -Wl,libldap-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -Wl,-z,now -lldap
-gcc -shared -o "%{buildroot}%{_libdir}/libldap_r-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed \
-       -Wl,-soname -Wl,libldap_r-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -Wl,-z,now -lldap
-gcc -shared -o "%{buildroot}%{_libdir}/liblber-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed \
-       -Wl,-soname -Wl,liblber-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -Wl,-z,now -llber
-%if %{with servers}
-gcc -shared -o "%{buildroot}%{_libdir}/libslapi-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed \
-       -Wl,-soname -Wl,libslapi-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -Wl,-z,now -lslapi
-ln -s libslapi-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}}
-%endif
-ln -s libldap-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}}
-ln -s libldap_r-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}}
-ln -s liblber-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}}
-
 popd
 
 # tweak permissions on the libraries to make sure they're correct
 chmod 0755 %{buildroot}%{_libdir}/lib*.so*
 chmod 0644 %{buildroot}%{_libdir}/lib*.*a
-chmod 0644 %{buildroot}%{_libdir}/openldap/*.la
 
 # slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
 mkdir -p %{buildroot}%{_datadir}
 install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
 install -m 0644 %SOURCE3 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
-install -m 0644 %SOURCE5 %{buildroot}%{_datadir}/openldap-servers/UPGRADE_INSTRUCTIONS
 install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
-rm %{buildroot}%{_sysconfdir}/openldap/slapd.conf
-rm %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
+rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
+rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
 
 # move doc files out of _sysconfdir
 mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
+mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
+chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
 
 # remove files which we don't want packaged
-rm %{buildroot}%{_libdir}/*.la  # because we do not want files in %{_libdir}/openldap/ removed, yet
+rm -f %{buildroot}%{_libdir}/*.la  # because we do not want files in %{_libdir}/openldap/ removed, yet
+
+rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
+rmdir %{buildroot}%{_localstatedir}/openldap-data
 
 %ldconfig_scriptlets
 
-%if %{with servers}
 %pre servers
+
 # create ldap user and group
-# sysusers.d format https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format
-%sysusers_create_compat %{SOURCE6}
+getent group ldap &>/dev/null || groupadd -r -g 55 ldap
+getent passwd ldap &>/dev/null || \
+	useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap
+
+if [ $1 -eq 2 ]; then
+	# package upgrade
+
+	old_version=$(rpm -q --qf=%%{version} openldap-servers)
+	new_version=%{version}
+
+	if [ "$old_version" != "$new_version" ]; then
+		touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null
+	fi
+fi
+
+exit 0
+
 
 %post servers
 %systemd_post slapd.service
 
-# If it's not upgrade - we remove the UPGRADE_INSTRUCTIONS
-if [ $1 -lt 2 ] ; then
-    rm %{_datadir}/openldap-servers/UPGRADE_INSTRUCTIONS
-fi
 # generate configuration if necessary
 if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
       ! -f %{_sysconfdir}/openldap/slapd.conf
@@ -418,9 +376,26 @@ if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
       %{systemctl_bin} try-restart slapd.service &>/dev/null
 fi
 
+start_slapd=0
+
+# upgrade the database
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then
+	if %{systemctl_bin} --quiet is-active slapd.service; then
+		%{systemctl_bin} stop slapd.service
+		start_slapd=1
+	fi
+
+	%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
+	rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap
+fi
+
 # restart after upgrade
 if [ $1 -ge 1 ]; then
-    %{systemctl_bin} condrestart slapd.service &>/dev/null || :
+	if [ $start_slapd -eq 1 ]; then
+		%{systemctl_bin} start slapd.service &>/dev/null || :
+	else
+		%{systemctl_bin} condrestart slapd.service &>/dev/null || :
+	fi
 fi
 
 exit 0
@@ -430,8 +405,41 @@ exit 0
 
 %postun servers
 %systemd_postun_with_restart slapd.service
-%endif
-# endif servers
+
+%triggerin servers -- libdb
+
+# libdb upgrade (setup for %%triggerun)
+if [ $2 -eq 2 ]; then
+	# we are interested in minor version changes (both versions of libdb are installed at this moment)
+	if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then
+		touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+	else
+		rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+	fi
+fi
+
+exit 0
+
+
+%triggerun servers -- libdb
+
+# libdb upgrade (finish %%triggerin)
+if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then
+	if %{systemctl_bin} --quiet is-active slapd.service; then
+		%{systemctl_bin} stop slapd.service
+		start=1
+	else
+		start=0
+	fi
+
+	%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
+	rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
+
+	[ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null
+fi
+
+exit 0
+
 
 %files
 %doc openldap-%{version}/ANNOUNCEMENT
@@ -443,22 +451,21 @@ exit 0
 %dir %{_sysconfdir}/openldap/certs
 %config(noreplace) %{_sysconfdir}/openldap/ldap.conf
 %dir %{_libexecdir}/openldap/
-%{_libdir}/liblber.so.*
-%{_libdir}/libldap.so.*
-%if %{with servers}
-%{_libdir}/libslapi.so.*
-%endif
+%{_libdir}/liblber-2.4*.so.*
+%{_libdir}/libldap-2.4*.so.*
+%{_libdir}/libldap_r-2.4*.so.*
+%{_libdir}/libslapi-2.4*.so.*
 %{_mandir}/man5/ldif.5*
 %{_mandir}/man5/ldap.conf.5*
 
-%if %{with servers}
 %files servers
 %doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd
 %doc openldap-%{version}/doc/guide/admin/*.html
 %doc openldap-%{version}/doc/guide/admin/*.png
 %doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm
 %doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
-%doc openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd
+%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
+%doc ltb-project-openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd
 %doc README.schema
 %config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
 %config(noreplace) %{_sysconfdir}/openldap/schema
@@ -469,33 +476,27 @@ exit 0
 %{_unitdir}/slapd.service
 %{_datadir}/openldap-servers/
 %{_libdir}/openldap/accesslog*
-%{_libdir}/openldap/allop*
 %{_libdir}/openldap/auditlog*
-%{_libdir}/openldap/autoca*
-%{_libdir}/openldap/back_asyncmeta*
+%{_libdir}/openldap/allop*
 %{_libdir}/openldap/back_dnssrv*
 %{_libdir}/openldap/back_ldap*
 %{_libdir}/openldap/back_meta*
 %{_libdir}/openldap/back_null*
 %{_libdir}/openldap/back_passwd*
 %{_libdir}/openldap/back_relay*
+%{_libdir}/openldap/back_shell*
 %{_libdir}/openldap/back_sock*
-%{_libdir}/openldap/check_password*
+%{_libdir}/openldap/back_perl*
 %{_libdir}/openldap/collect*
 %{_libdir}/openldap/constraint*
 %{_libdir}/openldap/dds*
 %{_libdir}/openldap/deref*
 %{_libdir}/openldap/dyngroup*
 %{_libdir}/openldap/dynlist*
-%{_libdir}/openldap/home*
-%{_libdir}/openldap/lloadd*
 %{_libdir}/openldap/memberof*
-%{_libdir}/openldap/nestgroup*
-%{_libdir}/openldap/otp*
 %{_libdir}/openldap/pcache*
 %{_libdir}/openldap/ppolicy*
 %{_libdir}/openldap/refint*
-%{_libdir}/openldap/remoteauth*
 %{_libdir}/openldap/retcode*
 %{_libdir}/openldap/rwm*
 %{_libdir}/openldap/seqmod*
@@ -505,35 +506,16 @@ exit 0
 %{_libdir}/openldap/translucent*
 %{_libdir}/openldap/unique*
 %{_libdir}/openldap/valsort*
+%{_libdir}/openldap/check_password*
 %{_libexecdir}/openldap/functions
 %{_libexecdir}/openldap/check-config.sh
+%{_libexecdir}/openldap/upgrade-db.sh
 %{_sbindir}/sl*
 %{_mandir}/man8/*
-%{_mandir}/man5/lloadd.conf.5*
 %{_mandir}/man5/slapd*.5*
 %{_mandir}/man5/slapo-*.5*
-%{_mandir}/man5/slappw-argon2.5*
-%{_sysusersdir}/openldap.conf
 # obsolete configuration
 %ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
-%else
-%exclude %{_datadir}/openldap-servers/
-%exclude %{_libdir}/openldap/
-%exclude %{_libexecdir}/openldap/check-config.sh
-%exclude %{_libexecdir}/openldap/functions
-%exclude %{_mandir}/man5/slapd*.5*
-%exclude %{_mandir}/man5/slapo-*.5*
-%exclude %{_mandir}/man5/lloadd.conf.5*
-%exclude %{_mandir}/man5/slappw-argon2.5*
-%exclude %{_mandir}/man8/*
-%exclude %{_sbindir}/sl*
-%exclude %{_sysconfdir}/openldap/check_password.conf
-%exclude %{_sysconfdir}/openldap/schema
-%exclude %{_tmpfilesdir}/slapd.conf
-%exclude %{_unitdir}/slapd.service
-%endif
-# endif servers
-
 
 %files clients
 %{_bindir}/*
@@ -541,253 +523,45 @@ exit 0
 
 %files devel
 %doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc
-%{_libdir}/liblber.so
-%{_libdir}/libldap.so
-%if %{with servers}
-%{_libdir}/libslapi.so
-%endif
+%{_libdir}/lib*.so
 %{_includedir}/*
-%{_libdir}/pkgconfig/lber.pc
-%{_libdir}/pkgconfig/ldap.pc
 %{_mandir}/man3/*
 
-%files compat
-%{_libdir}/libldap-2.4*.so.*
-%{_libdir}/libldap_r-2.4*.so.*
-%{_libdir}/liblber-2.4*.so.*
-%if %{with servers}
-%{_libdir}/libslapi-2.4*.so.*
-%endif
-
 %changelog
-* Mon Dec 16 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.8-1
-- Rebase to version 2.6.8 (RHEL-71052)
-- Avoid SSL context cleanup during library destruction (RHEL-68424)
+* Wed Jul  3 2024 Simon Pichugin <spichugi@redhat.com> - 2.4.46-20
+- Bump version to 2.4.46-20
+- Resolves: RHEL-35538 - Fix OpenSSL channel binding digest
 
-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.6.7-7
-- Bump release for October 2024 mass rebuild:
-  Resolves: RHEL-64018
+* Tue Apr 30 2024 Simon Pichugin <spichugi@redhat.com> - 2.4.46-19
+- Bump version to 2.4.46-19
+- Resolves: RHEL-34283 - openldap: null pointer dereference in ber_memalloc_x function
 
-* Fri Oct 11 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.7-6
-- Disable MD2 hash algorithm
-  Resolves: RHEL-61830
+* Thu Aug  5 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.46-18
+- Add TLS_REQSAN option and change the default to TRY (#1814674)
 
-* Thu Aug 15 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.7-5
-- Fix vlvResult patch (RHEL-36474)
-- Fix libslapi definition and a comment typo
+* Wed Jun 16 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.46-17
+- Rebuild without MP_2 support (#1909037)
 
-* Thu Jul  4 2024 Troy Dawson <tdawson@redhat.com> - 2.6.7-4
-- Fix annocheck bind-now issue (RHEL-33514)
-- Fix vlvResult comment (RHEL-36474)
+* Thu Sep 10 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.46-16
+- CLDAP ldap_result hangs if nobody listens on the port (#1875361)
 
-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.6.7-3
-- Bump release for June 2024 mass rebuild
+* Thu Jun 18 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-15
+- Fix covscan issues from previous release (#1822737)
 
-* Mon Jun 24 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.7-2
-- Remove libslapi from the main package (RHEL-35581)
-- Add "servers" conditional which includes libslapi
-
-* Fri Feb 9 2024 Simon Pichugin <spichugi@redhat.com> - 2.6.7-1
-- Rebase to version 2.6.7 (rhbz#2261163)
-- Use systemd-sysusers for ldap user and group (rhbz#2173965)
-- Fix compiler errors (rhbz#2261427)
-- Replace License with SPDX identifier
-
-* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.6-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.6-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
-
-* Mon Jul 31 2023 Simon Pichugin <spichugi@redhat.com> - 2.6.6-1
-- Rebase to version 2.6.6
-  Related: rhbz#2227948
-
-* Wed Jul 26 2023 Simon Pichugin <spichugi@redhat.com> - 2.6.5-1
-- Rebase to version 2.6.5
-  Related: rhbz#2221798
-
-* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.4-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-
-* Tue Jul 11 2023 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.4-3
-- Perl 5.38 rebuild
-
-* Sat Apr 15 2023 Florian Weimer <fweimer@redhat.com> - 2.6.4-2
-- Apply upstream patch to fix C99 compatibility issues
-
-* Mon Feb 27 2023 Simon Pichugin <spichugi@redhat.com> - 2.6.4-1
-- Rebase to version 2.6.4
-  Related: rhbz#2168351
-
-* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.3-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
-
-* Wed Aug 17 2022 Simon Pichugin <spichugi@redhat.com> - 2.6.3-1
-- Rebase to version 2.6.3
-  Related: rhbz#2107382
-
-* Thu Aug 11 2022 Simon Pichugin <spichugi@redhat.com> - 2.6.2-5
-- Add export symbols related to LDAP_CONNECTIONLESS
-  Related: rhbz#2117825
-
-* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.2-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
-
-* Mon Jun 27 2022 Simon Pichugin <spichugi@redhat.com> - 2.6.2-3
-- Fix debuginfo missing issue (#2101615)
-
-* Mon May 30 2022 Jitka Plesnikova <jplesnik@redhat.com> - 2.6.2-2
-- Perl 5.36 rebuild
-
-* Wed May 25 2022 Simon Pichugin <spichugi@redhat.com> - 2.6.2-1
-- Rebase to version 2.6.2 (#2090447)
-
-* Wed Feb 2 2022 Simon Pichugin <spichugi@redhat.com> - 2.6.1-2
-- Fix twice packaged compat libraries issue (#2049085)
-
-* Mon Jan 31 2022 Simon Pichugin <spichugi@redhat.com> - 2.6.1-1
-- Update to new major release OpenLDAP 2.6.1 (#1955293)
-  + rediff all patches and remove patches now upstream
-  + use upstream source location for check password module
-  + and rediff patch due to this
-  + add patch to fix build issue in 2.5.4 (from upstream)
-  + clean and sort buildreqs
-  + remove various refs to bdb
-  + remove now default -DLDAP_USE_NON_BLOCKING_TLS
-  + add new modules and enable load balancer as module
-  + disable wiredtired backend due to missing build deps
-  + don't remove files that don't exist
-  + let check-config work on *.mdb over legacy files
-  + remove refs to old-style config
-  + new soname names
-  + remove libldap_r link as the library was merged with libldap
-  + refactor openldap-compat package to support the transition from 2.4
-  + add UPGRADE_INSTRUCTIONS for openldap-server upgrade
-- The original patch was submitted by Fedora user - terjeros
-  https://src.fedoraproject.org/rpms/openldap/pull-request/6
-
-* Mon Jan 24 2022 Timm Bäder <tbaeder@redhat.com> - 2.4.59-6
-- Disable automatic .la file removal
-- https://fedoraproject.org/wiki/Changes/RemoveLaFiles
-
-* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.59-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Thu Sep 30 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.59-4
-- Backport TLS SNI feature from OpenLDAP 2.5 (#2009534)
-
-* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.4.59-3
-- Rebuilt with OpenSSL 3.0.0
-
-* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.59-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Wed Jul  7 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.59-1
-- Rebase to version 2.4.59 (#1980015)
-- Update the spec file for upcoming autoconf-2.71 (#1943079)
-
-* Tue Jun 15 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.58-5
-- Fix slapd.tmpfiles complaints (#1972147)
-- Use https:// for source (#1972141)
-
-* Thu Jun  3 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.58-4
-- Rebuild without MP_2 support (#1967136)
-- Fix coverity issues
-
-* Fri May 21 2021 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.58-3
-- Perl 5.34 rebuild
-
-* Thu Apr  8 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.58-2
+* Tue Jun 16 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-14
 - Backport Channel Binding support (#1822904, #1822737)
 
-* Tue Mar 23 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.58-1
-- Rebase to version 2.4.58 (#1939663)
+* Wed Jan 15 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-11
+- Use OpenSSL-1.0.2+ API for host name verification (#1788572)
 
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.4.57-3
-- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
+* Sun Aug 18 2019 Matus Honek <mhonek@redhat.com> - 2.4.46-10
+- Do not fallback to checking CN when no SAN matched (#1740070)
 
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.57-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
+- Reference default system-wide CA certificates in manpages (#1611624)
 
-* Tue Jan 19 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-1
-- Rebase to version 2.4.57 (#1917583)
-
-* Thu Nov 26 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-4
-- Use gcc to link libldap_r to libldap (#1537260)
-
-* Fri Nov 20 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-3
-- Fix 32-bit libraries build (#1537260)
-
-* Fri Nov 20 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-2
-- Drop non-threaded libldap (#1537260)
-
-* Wed Nov 18 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-1
-- Rebase to version 2.4.56 (#1896508)
-
-* Mon Nov 02 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.55-1
-- Rebase to version 2.4.55 (#1891622)
-
-* Tue Oct 13 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.54-1
-- Rebase to version 2.4.54 (#1887581)
-
-* Thu Sep 10 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.53-1
-- Rebase to version 2.4.53 (#1868240)
-
-* Thu Sep 03 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.52-1
-- Rebase to version 2.4.52 (#1868240)
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.50-4
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.50-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.50-2
-- Perl 5.32 rebuild
-
-* Wed Jun 17 2020 Matus Honek <mhonek@redhat.com> - 2.4.50-1
-- Rebase to version 2.4.50 (#1742285)
-
-* Tue Jun 16 2020 Tom Stellard <tstellar@redhat.com> - 2.4.47-5
-- Spec file cleanups
-- Add BuildRequres: gcc [1]
-- make_build [2] and make_install [3]
-- [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/#_buildrequires_and_requires
-- [2] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
-- [3] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_why_the_makeinstall_macro_should_not_be_used
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.47-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.47-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.47-2
-- Perl 5.30 rebuild
-
-* Wed Feb 13 2019 Matus Honek <mhonek@redhat.com> - 2.4.47-1
-- Rebase to upstream version 2.4.47
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-13
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2.4.46-12
-- Rebuilt for libcrypt.so.2 (#1666033)
-
-* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-11
-- Reference default system-wide CA certificates in manpages (#1611591)
-
-* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-10
-- Revert "Fix: Cannot use SSL3 anymore"
-
-* Mon Oct 08 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
-- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623495)
-
-* Tue Aug 14 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
-- Fix: Cannot use SSL3 anymore (#1592431)
+* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
+- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623497)
 
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-7
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

UPGRADE_INSTRUCTIONS

@@ -1,30 +0,0 @@
-You have upgraded your openldap-servers package.
-Any major version upgrade can cause database corruption or loss.
-Please, make sure that you have up-to-date back up and read this document carefully.
-
-It's still recommended to do the backup even on the minor version upgrade.
-
-Please, review the next links before performing any action:
-
-Upgrading from 2.4.x - https://www.openldap.org/doc/admin25/appendix-upgrading.html
-Upgrading from 2.5.x - https://www.openldap.org/doc/admin26/appendix-upgrading.html
-The normal upgrade procedure - https://www.openldap.org/doc/admin26/maintenance.html
-
-Additionally, please, review and perform the following steps that can help you with the upgrade:
-
-         1. Back up both data and configuration directories into a safe place;
-         2. Export data to an LDIF file using slapcat;
-a. If you have the deprecated DB type and you haven't performed the slapcat command, you need to move your data and configuration to the system with OpenLDAP 2.4 version and run slapcat command there;
-         3. Change the server's configuration according to the changes in the above documents;
-          a. If you are replacing the BDB/HDB with MDB, make sure to replace the BDB/HDB sections with their MDB counterparts;
-4. Clear out the current data directory;
-         5. Import data to a new database from the LDIF file using slapadd;
-         6. Make sure that your data is intact.
-
-After you have completed the above operations, you can remove this file (/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS) and start the server:
-
-        systemctl start slapd.service
-
-Be careful with this document's procedure, make sure you understand it, and test it in a non-production environment first. Always make sure that all backups are in place.
-
-You have been warned about the possibility of data corruption or loss.

check-password-makefile.patch

@@ -1,58 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 4457bad..91de40b 100644
---- a/Makefile
-+++ b/Makefile
-@@ -13,17 +13,10 @@ CRACKLIB=/usr/share/cracklib/pw_dict
- #
- CONFIG=/etc/openldap/check_password.conf
- 
--
--# Where to find the OpenLDAP headers.
--#
--LDAP_INC=-I/usr/include/openldap/include \
--	 -I/usr/include/openldap/servers/slapd
--
--# Where to find the CrackLib headers.
--#
--CRACK_INC=
--
--INCS=$(LDAP_INC) $(CRACK_INC)
-+CFLAGS+=-fpic                                                  \
-+	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \
-+	-DCONFIG_FILE="\"$(CONFIG)\""                          \
-+	-DDEBUG
- 
- LDAP_LIB=-lldap_r -llber
- 
-@@ -33,27 +26,21 @@ LDAP_LIB=-lldap_r -llber
- #
- CRACKLIB_LIB=-lcrack
- 
--CC_FLAGS=-g -O2 -Wall -fpic
--CRACKLIB_OPT=-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""
--DEBUG_OPT=-DDEBUG
--CONFIG_OPT=-DCONFIG_FILE="\"$(CONFIG)\""
--
--OPT=$(CC_FLAGS) $(CRACKLIB_OPT) $(CONFIG_OPT) $(DEBUG_OPT)
--
- LIBS=$(LDAP_LIB) $(CRACKLIB_LIB)
- 
- LIBDIR=/usr/lib/openldap/
- 
-+
- all: 	check_password
- 
- check_password.o:
--	$(CC) $(OPT) -c $(INCS) check_password.c
-+	$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
- 
- check_password: clean check_password.o
--	$(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
-+	$(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
- 
- install: check_password
--	cp -f check_password.so $(LIBDIR)
-+	cp -f check_password.so ../../../usr/lib/openldap/modules/
- 
- clean:
- 	$(RM) check_password.o check_password.so check_password.lo

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch

@@ -1,37 +0,0 @@
-From 6779e56fafb0aa8ae5efa7068da34a630b51b530 Mon Sep 17 00:00:00 2001
-From: Simon Pichugin <spichugi@redhat.com>
-Date: Fri, 5 Aug 2022 13:23:52 -0700
-Subject: [PATCH] Add export symbols related to LDAP_CONNECTIONLESS
-
----
- libraries/liblber/lber.map | 1 +
- libraries/libldap/ldap.map | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/libraries/liblber/lber.map b/libraries/liblber/lber.map
-index 9a4094b0f..083cd1f32 100644
---- a/libraries/liblber/lber.map
-+++ b/libraries/liblber/lber.map
-@@ -121,6 +121,7 @@ OPENLDAP_2.200
-     ber_sockbuf_io_fd;
-     ber_sockbuf_io_readahead;
-     ber_sockbuf_io_tcp;
-+    ber_sockbuf_io_udp;
-     ber_sockbuf_remove_io;
-     ber_sos_dump;
-     ber_start;
-diff --git a/libraries/libldap/ldap.map b/libraries/libldap/ldap.map
-index b28c9c21e..021aaba63 100644
---- a/libraries/libldap/ldap.map
-+++ b/libraries/libldap/ldap.map
-@@ -200,6 +200,7 @@ OPENLDAP_2.200
-     ldap_is_ldap_url;
-     ldap_is_ldapi_url;
-     ldap_is_ldaps_url;
-+    ldap_is_ldapc_url;
-     ldap_is_read_ready;
-     ldap_is_write_ready;
-     ldap_ld_free;
--- 
-2.37.1
-

openldap-add-tls-sni-support-to-libldap.patch

@@ -1,197 +0,0 @@
-From 19e631e977c4f57905b2380cf79ccaf8e6d99e9d Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Mon, 27 Apr 2020 03:41:12 +0100
-Subject: [PATCH 1/4] ITS#9176 Add TLS SNI support to libldap
-
-Implemented for OpenSSL, GnuTLS just stubbed
----
- libraries/libldap/ldap-tls.h | 2 +-
- libraries/libldap/tls2.c     | 2 +-
- libraries/libldap/tls_g.c    | 2 +-
- libraries/libldap/tls_o.c    | 8 ++++++--
- 4 files changed, 9 insertions(+), 5 deletions(-)
-
-diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
-index c8a27112f1..c149b1867c 100644
---- a/libraries/libldap/ldap-tls.h
-+++ b/libraries/libldap/ldap-tls.h
-@@ -34,7 +34,7 @@ typedef void (TI_ctx_free)(tls_ctx *ctx);
- typedef int (TI_ctx_init)(struct ldapoptions *lo, struct ldaptls *lt, int is_server);
- 
- typedef tls_session *(TI_session_new)(tls_ctx *ctx, int is_server);
--typedef int (TI_session_connect)(LDAP *ld, tls_session *s);
-+typedef int (TI_session_connect)(LDAP *ld, tls_session *s, const char *name_in);
- typedef int (TI_session_accept)(tls_session *s);
- typedef int (TI_session_upflags)(Sockbuf *sb, tls_session *s, int rc);
- typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len );
-diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
-index 82ca5272cc..cbeea8c6c4 100644
---- a/libraries/libldap/tls2.c
-+++ b/libraries/libldap/tls2.c
-@@ -368,7 +368,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
- 			lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
- 	}
- 
--	err = tls_imp->ti_session_connect( ld, ssl );
-+	err = tls_imp->ti_session_connect( ld, ssl, host );
- 
- #ifdef HAVE_WINSOCK
- 	errno = WSAGetLastError();
-diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
-index 3b72cd2a1f..5468ed3f05 100644
---- a/libraries/libldap/tls_g.c
-+++ b/libraries/libldap/tls_g.c
-@@ -336,7 +336,7 @@ tlsg_session_accept( tls_session *session )
- }
- 
- static int
--tlsg_session_connect( LDAP *ld, tls_session *session )
-+tlsg_session_connect( LDAP *ld, tls_session *session, const char *name_in )
- {
- 	return tlsg_session_accept( session);
- }
-diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
-index 498f805fa1..455b23c0e9 100644
---- a/libraries/libldap/tls_o.c
-+++ b/libraries/libldap/tls_o.c
-@@ -548,12 +548,16 @@ tlso_session_new( tls_ctx *ctx, int is_server )
- }
- 
- static int
--tlso_session_connect( LDAP *ld, tls_session *sess )
-+tlso_session_connect( LDAP *ld, tls_session *sess, const char *name_in )
- {
- 	tlso_session *s = (tlso_session *)sess;
-+	int rc;
- 
-+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
-+	SSL_set_tlsext_host_name( s, name_in );
-+#endif
- 	/* Caller expects 0 = success, OpenSSL returns 1 = success */
--	int rc = SSL_connect( s ) - 1;
-+	rc = SSL_connect( s ) - 1;
- #ifdef LDAP_USE_NON_BLOCKING_TLS
- 	if ( rc < 0 ) {
- 		int sockerr = sock_errno();
-
-From 421c2021c7209bd7cd947ccb8b989bddab7b63cb Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Mon, 27 Apr 2020 18:25:10 +0100
-Subject: [PATCH 2/4] ITS#9176 check for numeric addrs before passing SNI
-
----
- libraries/libldap/tls2.c  | 22 +++++++++++++++++++++-
- libraries/libldap/tls_o.c |  4 +++-
- 2 files changed, 24 insertions(+), 2 deletions(-)
-
-diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
-index cbeea8c6c4..85628bc3b3 100644
---- a/libraries/libldap/tls2.c
-+++ b/libraries/libldap/tls2.c
-@@ -334,6 +334,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
- 	Sockbuf *sb = conn->lconn_sb;
- 	int	err;
- 	tls_session	*ssl = NULL;
-+	char *sni = host;
- 
- 	if ( HAS_TLS( sb )) {
- 		ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
-@@ -368,7 +369,26 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn, const char *host )
- 			lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
- 	}
- 
--	err = tls_imp->ti_session_connect( ld, ssl, host );
-+	/* pass hostname for SNI, but only if it's an actual name
-+	 * and not a numeric address
-+	 */
-+	{
-+		int numeric = 1;
-+		char *c;
-+		for ( c = sni; *c; c++ ) {
-+			if ( *c == ':' )	/* IPv6 address */
-+				break;
-+			if ( *c == '.' )
-+				continue;
-+			if ( !isdigit( *c )) {
-+				numeric = 0;
-+				break;
-+			}
-+		}
-+		if ( numeric )
-+			sni = NULL;
-+	}
-+	err = tls_imp->ti_session_connect( ld, ssl, sni );
- 
- #ifdef HAVE_WINSOCK
- 	errno = WSAGetLastError();
-diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
-index 455b23c0e9..45948dbc64 100644
---- a/libraries/libldap/tls_o.c
-+++ b/libraries/libldap/tls_o.c
-@@ -554,7 +554,9 @@ tlso_session_connect( LDAP *ld, tls_session *sess, const char *name_in )
- 	int rc;
- 
- #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
--	SSL_set_tlsext_host_name( s, name_in );
-+	if ( name_in ) {
-+		SSL_set_tlsext_host_name( s, name_in );
-+	}
- #endif
- 	/* Caller expects 0 = success, OpenSSL returns 1 = success */
- 	rc = SSL_connect( s ) - 1;
-
-From 05a65a46c684031a841bcc39cf01a82e8cc713a0 Mon Sep 17 00:00:00 2001
-From: Howard Chu <hyc@openldap.org>
-Date: Mon, 27 Apr 2020 18:54:02 +0100
-Subject: [PATCH 3/4] ITS#9176 check for failure setting SNI
-
----
- libraries/libldap/tls_o.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
-index 45948dbc64..86e86db3b6 100644
---- a/libraries/libldap/tls_o.c
-+++ b/libraries/libldap/tls_o.c
-@@ -555,7 +555,9 @@ tlso_session_connect( LDAP *ld, tls_session *sess, const char *name_in )
- 
- #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
- 	if ( name_in ) {
--		SSL_set_tlsext_host_name( s, name_in );
-+		rc = SSL_set_tlsext_host_name( s, name_in );
-+		if ( !rc )		/* can fail to strdup the name */
-+			return -1;
- 	}
- #endif
- 	/* Caller expects 0 = success, OpenSSL returns 1 = success */
-
-From d059488fa86b58744ad70819516d3bf4a37dbb8e Mon Sep 17 00:00:00 2001
-From: Ryan Tandy <ryan@nardis.ca>
-Date: Mon, 27 Apr 2020 11:01:01 -0700
-Subject: [PATCH 4/4] ITS#9176 Implement SNI for GnuTLS
-
----
- libraries/libldap/tls_g.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
-index 5468ed3f05..5fceb3e935 100644
---- a/libraries/libldap/tls_g.c
-+++ b/libraries/libldap/tls_g.c
-@@ -338,6 +338,16 @@ tlsg_session_accept( tls_session *session )
- static int
- tlsg_session_connect( LDAP *ld, tls_session *session, const char *name_in )
- {
-+	tlsg_session *s = (tlsg_session *)session;
-+	int rc;
-+
-+	if ( name_in ) {
-+		rc = gnutls_server_name_set( s->session, GNUTLS_NAME_DNS, name_in, strlen(name_in) );
-+		if ( rc != GNUTLS_E_SUCCESS ) {
-+			return rc;
-+		}
-+	}
-+
- 	return tlsg_session_accept( session);
- }
- 

openldap-configure-c99.patch

@@ -1,906 +0,0 @@
-commit 14f81bc47a4c462ccc609fce74feb014185e2bf9
-Author: Sam James <sam@gentoo.org>
-Date:   Thu Feb 9 23:17:53 2023 +0000
-
-    ITS#10011 build: fix compatibility with stricter C99 compilers
-    
-    Fix the following warnings:
-    - -Wimplicit-int (fatal with Clang 16)
-    - -Wimplicit-function-declaration (fatal with Clang 16)
-    - -Wincompatible-function-pointer-types (fatal with Clang 16)
-    - -Wint-conversion (fatal with Clang 15)
-    - Old style prototypes (K&R, removed from C23)
-    
-    These warnings-now-error led to misconfigurations and failure to build
-    OpenLDAP, as the tests used during configure caused the wrong results
-    to be emitted.
-    
-    For more information, see LWN.net [0] or LLVM's Discourse [1], the Gentoo wiki [2],
-    or the (new) c-std-porting mailing list [3].
-    
-    [0] https://lwn.net/Articles/913505/
-    [1] https://discourse.llvm.org/t/configure-script-breakage-with-the-new-werror-implicit-function-declaration/65213
-    [2] https://wiki.gentoo.org/wiki/Modern_C_porting
-    [3] hosted at lists.linux.dev.
-    
-    Bug: https://bugs.gentoo.org/871288
-    Signed-off-by: Sam James <sam@gentoo.org>
-
-diff -ur openldap-2.6.4.orig/openldap-2.6.4/build/openldap.m4 openldap-2.6.4/openldap-2.6.4/build/openldap.m4
---- openldap-2.6.4.orig/openldap-2.6.4/build/openldap.m4	2023-02-08 19:53:35.000000000 +0100
-+++ openldap-2.6.4/openldap-2.6.4/build/openldap.m4	2023-04-15 19:21:07.377380382 +0200
-@@ -154,6 +154,7 @@
- if test $ol_cv_header_stdc = yes; then
-   # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
- AC_RUN_IFELSE([AC_LANG_SOURCE([[#include <ctype.h>
-+#include <stdlib.h>
- #ifndef HAVE_EBCDIC
- #	define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
- #	define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-@@ -303,8 +304,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -360,9 +365,13 @@
- AC_DEFUN([OL_PTHREAD_TEST_PROGRAM],
- [AC_LANG_SOURCE([OL_PTHREAD_TEST_INCLUDES
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- OL_PTHREAD_TEST_FUNCTION
- }
-@@ -484,7 +493,7 @@
- #include <sys/types.h>
- #include <regex.h>
- static char *pattern, *string;
--main()
-+int main(void)
- {
- 	int rc;
- 	regex_t re;
-@@ -511,7 +520,8 @@
- [AC_CACHE_CHECK([if toupper() requires islower()],ol_cv_c_upper_lower,[
- 	AC_RUN_IFELSE([AC_LANG_SOURCE([[
- #include <ctype.h>
--main()
-+#include <stdlib.h>
-+int main(void)
- {
- 	if ('C' == toupper('C'))
- 		exit(0);
-@@ -569,7 +579,7 @@
- 			]])],[ol_cv_nonposix_strerror_r=yes],[ol_cv_nonposix_strerror_r=no])
- 	else
- 		AC_RUN_IFELSE([AC_LANG_SOURCE([[
--			main() {
-+			int main(void) {
- 				char buf[100];
- 				buf[0] = 0;
- 				strerror_r( 1, buf, sizeof buf );
-diff -ur openldap-2.6.4.orig/openldap-2.6.4/configure openldap-2.6.4/openldap-2.6.4/configure
---- openldap-2.6.4.orig/openldap-2.6.4/configure	2023-02-08 19:53:35.000000000 +0100
-+++ openldap-2.6.4/openldap-2.6.4/configure	2023-04-15 19:23:17.437078213 +0200
-@@ -14978,6 +14966,7 @@
-   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- #include <ctype.h>
-+#include <stdlib.h>
- #ifndef HAVE_EBCDIC
- #	define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
- #	define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
-@@ -15946,6 +15935,10 @@
- else
-   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
-+#include <stdlib.h>
-+#ifdef HAVE_SYS_POLL_H
-+#include <sys/epoll.h>
-+#endif
- int main(int argc, char **argv)
- {
- 	int epfd = epoll_create(256);
-@@ -16126,7 +16119,7 @@
-   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
--			main() {
-+			int main(void) {
- 				char buf[100];
- 				buf[0] = 0;
- 				strerror_r( 1, buf, sizeof buf );
-@@ -16326,7 +16319,7 @@
- #include <sys/types.h>
- #include <regex.h>
- static char *pattern, *string;
--main()
-+int main(void)
- {
- 	int rc;
- 	regex_t re;
-@@ -17559,16 +17552,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -17664,8 +17665,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -17744,16 +17749,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -17854,8 +17867,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -17934,16 +17951,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -18044,8 +18069,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -18124,16 +18153,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -18234,8 +18271,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -18314,16 +18355,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -18424,8 +18473,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -18504,16 +18557,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -18615,8 +18676,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -18695,16 +18760,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -18805,8 +18878,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -18885,16 +18962,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -18996,8 +19081,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -19076,16 +19165,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -19187,8 +19284,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -19267,16 +19368,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -19377,8 +19486,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -19457,16 +19570,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -19568,8 +19689,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -19648,16 +19773,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -19759,8 +19892,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -19839,16 +19976,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -19949,8 +20094,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -20029,16 +20178,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -20139,8 +20296,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -20219,16 +20380,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -20330,8 +20499,12 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
-@@ -20410,16 +20583,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -20631,14 +20812,12 @@
- /* end confdefs.h.  */
- 
- #include <pthread.h>
--#ifndef NULL
--#define NULL (void*)0
--#endif
-+pthread_t thread;
- 
- int
- main ()
- {
--pthread_detach(NULL);
-+pthread_detach(thread);
-   ;
-   return 0;
- }
-@@ -20752,16 +20931,24 @@
- #define NULL (void*)0
- #endif
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	return (void *) (p == NULL);
- }
- 
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 
- 	/* pthread test function */
-@@ -20851,6 +21038,9 @@
-   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
-+#define _XOPEN_SOURCE 500               /* For pthread_setconcurrency() on glibc */
-+#include <stdlib.h>
-+#include <stdio.h>
- #include <sys/types.h>
- #include <sys/time.h>
- #include <unistd.h>
-@@ -20861,8 +21051,12 @@
- 
- static int fildes[2];
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	int i;
- 	struct timeval tv;
-@@ -20886,9 +21080,13 @@
- 	exit(0); /* if we exit here, the select blocked the whole process */
- }
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 	pthread_t t;
- 
-@@ -23241,7 +23439,8 @@
- /* end confdefs.h.  */
- 
- #include <ctype.h>
--main()
-+#include <stdlib.h>
-+int main(void)
- {
- 	if ('C' == toupper('C'))
- 		exit(0);
-diff -ur openldap-2.6.4.orig/openldap-2.6.4/configure.ac openldap-2.6.4/openldap-2.6.4/configure.ac
---- openldap-2.6.4.orig/openldap-2.6.4/configure.ac	2023-02-08 19:53:35.000000000 +0100
-+++ openldap-2.6.4/openldap-2.6.4/configure.ac	2023-04-15 19:21:07.377380382 +0200
-@@ -1003,7 +1003,11 @@
- AC_CHECK_HEADERS( sys/epoll.h )
- if test "${ac_cv_header_sys_epoll_h}" = yes; then
- 	AC_MSG_CHECKING(for epoll system call)
--	AC_RUN_IFELSE([AC_LANG_SOURCE([[int main(int argc, char **argv)
-+	AC_RUN_IFELSE([AC_LANG_SOURCE([[#include <stdlib.h>
-+#ifdef HAVE_SYS_POLL_H
-+#include <sys/epoll.h>
-+#endif
-+int main(int argc, char **argv)
- {
- 	int epfd = epoll_create(256);
- 	exit (epfd == -1 ? 1 : 0);
-@@ -1356,10 +1360,10 @@
- 		dnl 	pthread_create() in -lpthread (many)
- 		dnl 	pthread_create() in -lc_r (FreeBSD)
- 		dnl
--		dnl Check pthread (draft4) flags (depreciated)
-+		dnl Check pthread (draft4) flags (deprecated)
- 		dnl 	pthread_create() with -threads (OSF/1)
- 		dnl
--		dnl Check pthread (draft4) libraries (depreciated)
-+		dnl Check pthread (draft4) libraries (deprecated)
- 		dnl 	pthread_mutex_unlock() in -lpthreads -lmach -lexc -lc_r (OSF/1)
- 		dnl 	pthread_mutex_lock() in -lpthreads -lmach -lexc (OSF/1)
- 		dnl 	pthread_mutex_trylock() in -lpthreads -lexc (OSF/1)
-@@ -1378,7 +1382,7 @@
- 			ol_link_threads=posix
- 			ol_link_pthreads=""
- 		fi
--		
-+
- dnl		OL_PTHREAD_TRY([-mt],		[ol_cv_pthread_mt])
- 		OL_PTHREAD_TRY([-kthread],	[ol_cv_pthread_kthread])
- 		OL_PTHREAD_TRY([-pthread],	[ol_cv_pthread_pthread])
-@@ -1465,10 +1469,8 @@
- 				dnl save the flags
- 				AC_LINK_IFELSE([AC_LANG_PROGRAM([[
- #include <pthread.h>
--#ifndef NULL
--#define NULL (void*)0
--#endif
--]], [[pthread_detach(NULL);]])],[ol_cv_func_pthread_detach=yes],[ol_cv_func_pthread_detach=no])
-+pthread_t thread;
-+]], [[pthread_detach(thread);]])],[ol_cv_func_pthread_detach=yes],[ol_cv_func_pthread_detach=no])
- 			])
- 
- 			if test $ol_cv_func_pthread_detach = no ; then
-@@ -1523,6 +1525,9 @@
- 				AC_CACHE_CHECK([if select yields when using pthreads],
- 					ol_cv_pthread_select_yields,[
- 				AC_RUN_IFELSE([AC_LANG_SOURCE([[
-+#define _XOPEN_SOURCE 500               /* For pthread_setconcurrency() on glibc */
-+#include <stdlib.h>
-+#include <stdio.h>
- #include <sys/types.h>
- #include <sys/time.h>
- #include <unistd.h>
-@@ -1533,8 +1538,12 @@
- 
- static int fildes[2];
- 
-+#ifdef __STDC__
-+static void *task(void *p)
-+#else
- static void *task(p)
- 	void *p;
-+#endif
- {
- 	int i;
- 	struct timeval tv;
-@@ -1558,9 +1567,13 @@
- 	exit(0); /* if we exit here, the select blocked the whole process */
- }
- 
-+#ifdef __STDC__
-+int main(int argc, char **argv)
-+#else
- int main(argc, argv)
- 	int argc;
- 	char **argv;
-+#endif
- {
- 	pthread_t t;
- 

openldap-libldap-avoid-SSL-context-cleanup-during-library-des.patch

@@ -1,92 +0,0 @@
-From 5f4569f0605a73eb1a282ee5251ead073ed3b26e Mon Sep 17 00:00:00 2001
-From: Simon Pichugin <spichugi@redhat.com>
-Date: Tue, 26 Nov 2024 12:32:07 -0800
-Subject: [PATCH] libldap: avoid SSL context cleanup during library destruction
-
-Given that libldap can be pulled into random applications and applications
-are allowed to call OPENSSL_cleanup() before exiting, the only sane thing
-to do is to avoid trying to touch SSL context in ldap destructors, and just
-let them leak if the application does not explicitly free the ldap context.
-
-Add ldap_int_tls_destroy_safe() which skips SSL context cleanup while
-maintaining all other cleanup operations, and use it in the library
-destructor path.
-
-Fixes: https://bugs.openldap.org/show_bug.cgi?id=9952
----
- libraries/libldap/init.c     |  2 +-
- libraries/libldap/ldap-int.h |  1 +
- libraries/libldap/tls2.c     | 25 +++++++++++++++++++++----
- 3 files changed, 23 insertions(+), 5 deletions(-)
-
-diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
-index 213276b4b5..aa017f4128 100644
---- a/libraries/libldap/init.c
-+++ b/libraries/libldap/init.c
-@@ -545,7 +545,7 @@ ldap_int_destroy_global_options(void)
- 	}
- #endif
- #ifdef HAVE_TLS
--	ldap_int_tls_destroy( gopts );
-+	ldap_int_tls_destroy_safe( gopts );
- #endif
- }
- 
-diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
-index 7e754775e8..b73097ccc7 100644
---- a/libraries/libldap/ldap-int.h
-+++ b/libraries/libldap/ldap-int.h
-@@ -914,6 +914,7 @@ LDAP_F (int) ldap_int_tls_start LDAP_P(( LDAP *ld,
- 	LDAPConn *conn, LDAPURLDesc *srv ));
- 
- LDAP_F (void) ldap_int_tls_destroy LDAP_P(( struct ldapoptions *lo ));
-+LDAP_F (void) ldap_int_tls_destroy_safe LDAP_P(( struct ldapoptions *lo ));
- 
- /*
-  *	in getvalues.c
-diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
-index 0841005a59..82f8573602 100644
---- a/libraries/libldap/tls2.c
-+++ b/libraries/libldap/tls2.c
-@@ -97,10 +97,14 @@ tls_ctx_ref( tls_ctx *ctx )
- static ldap_pvt_thread_mutex_t tls_def_ctx_mutex;
- #endif
- 
--void
--ldap_int_tls_destroy( struct ldapoptions *lo )
--{
--	if ( lo->ldo_tls_ctx ) {
-+/*
-+ * Implementation function that handles all cleanup.
-+ * skip_ctx_cleanup: 1 when called from destructor, 0 for normal operation
-+ */
-+static void
-+ldap_int_tls_destroy_impl( struct ldapoptions *lo, int skip_ctx_cleanup )
-+ {
-+	if ( lo->ldo_tls_ctx && !skip_ctx_cleanup ) {
- 		ldap_pvt_tls_ctx_free( lo->ldo_tls_ctx );
- 		lo->ldo_tls_ctx = NULL;
- 	}
-@@ -147,6 +151,19 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
- 	BER_BVZERO( &lo->ldo_tls_pin );
- }
- 
-+
-+void
-+ldap_int_tls_destroy( struct ldapoptions *lo )
-+{
-+	ldap_int_tls_destroy_impl(lo, 0);
-+}
-+
-+/* Safe version for destructor use */
-+void ldap_int_tls_destroy_safe( struct ldapoptions *lo )
-+{
-+	ldap_int_tls_destroy_impl(lo, 1);
-+}
-+
- /*
-  * Tear down the TLS subsystem. Should only be called once.
-  */
--- 
-2.47.0
-

openldap.sysusers

@@ -1,3 +0,0 @@
-#Type Name     ID             GECOS                   Home directory  Shell
-g     ldap     55
-u     ldap     55:55          "OpenLDAP server"       /var/lib/ldap   /sbin/nologin

plans/gating.fmf

@@ -1,21 +0,0 @@
-summary: Regression test plan for openldap
-
-discover:
- - name: Internal openldap gating tests
-   how: fmf
-   url: https://pkgs.devel.redhat.com/git/tests/openldap
-   ref: master
-   filter: 'tag: Tier1 & tag: rhel9-buildroot'
-
-prepare:
-  - name: Enable beaker-tasks
-    how: shell
-    script:
-      - dnf config-manager --enable beaker-tasks
-
-execute:
-  how: tmt
-
-adjust:
-    enabled: false
-    when: distro == centos-stream or distro == fedora

sources

@@ -1,2 +0,0 @@
-SHA512 (openldap-ppolicy-check-password-1.1.tar.gz) = a92854d7438cb95fac361da80a49d084d502155e8ce0ad2ea679db9529bbe0182aa4354e6139793c775e496349375d8f017678941d23315ff1c20fefc9573cdc
-SHA512 (openldap-2.6.8.tgz) = c86bda8a0af2645e586d56a1494a5bd486ec5dd55c47859dbabcc2bb6ddc0a8307e23c6b58228d49ee3c8bc5e4d6ead305863442efdcee3dc2ab9953097b5a77