rpms/openldap
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9s
rpms:c10s
rpms:c8s
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:imports/c10s/openldap-2.6.8-1.el10
rpms:imports/c8/openldap-2.4.46-20.el8_10
rpms:imports/c10s/openldap-2.6.7-7.el10
rpms:imports/c10s/openldap-2.6.7-6.el10
rpms:imports/c10s/openldap-2.6.7-5.el10
rpms:imports/c10s/openldap-2.6.7-4.el10
rpms:imports/c8/openldap-2.4.46-19.el8_10
rpms:imports/c9/openldap-2.6.6-3.el9
rpms:imports/c10s/openldap-2.6.7-1.el10
rpms:imports/c9/openldap-2.6.3-1.el9
rpms:imports/c9-beta/openldap-2.6.3-1.el9
rpms:imports/c9/openldap-2.6.2-3.el9
rpms:imports/c9-beta/openldap-2.6.2-3.el9
rpms:imports/c9/openldap-2.6.2-1.el9_0
rpms:imports/c9/openldap-2.4.59-4.el9_0
rpms:imports/c9-beta/openldap-2.4.59-4.el9_0
rpms:imports/c9-beta/openldap-2.4.59-3.el9
rpms:imports/c9-beta/openldap-2.4.57-8.el9
rpms:imports/c8/openldap-2.4.46-18.el8
rpms:imports/c8-beta/openldap-2.4.46-18.el8
rpms:imports/c8-beta/openldap-2.4.46-16.el8
rpms:imports/c8-beta/openldap-2.4.46-15.el8
rpms:imports/c8-beta/openldap-2.4.46-10.el8
rpms:imports/c8-beta/openldap-2.4.46-9.el8
rpms:imports/c8s/openldap-2.4.46-18.el8
rpms:imports/c8s/openldap-2.4.46-17.el8_4
rpms:imports/c8s/openldap-2.4.46-17.el8
rpms:imports/c8s/openldap-2.4.46-16.el8
rpms:imports/c8s/openldap-2.4.46-15.el8
rpms:imports/c8/openldap-2.4.46-17.el8_4
rpms:imports/c8/openldap-2.4.46-16.el8
rpms:imports/c8/openldap-2.4.46-15.el8
rpms:imports/c8/openldap-2.4.46-11.el8_1
rpms:imports/c8/openldap-2.4.46-11.el8
...
pull from: rpms:c9-beta
Branches Tags
rpms:c9s
rpms:c10s
rpms:c8
rpms:c8s
rpms:c9
rpms:c9-beta
rpms:c8-beta
rpms:imports/c10s/openldap-2.6.8-1.el10
rpms:imports/c8/openldap-2.4.46-20.el8_10
rpms:imports/c10s/openldap-2.6.7-7.el10
rpms:imports/c10s/openldap-2.6.7-6.el10
rpms:imports/c10s/openldap-2.6.7-5.el10
rpms:imports/c10s/openldap-2.6.7-4.el10
rpms:imports/c8/openldap-2.4.46-19.el8_10
rpms:imports/c9/openldap-2.6.6-3.el9
rpms:imports/c10s/openldap-2.6.7-1.el10
rpms:imports/c9/openldap-2.6.3-1.el9
rpms:imports/c9-beta/openldap-2.6.3-1.el9
rpms:imports/c9/openldap-2.6.2-3.el9
rpms:imports/c9-beta/openldap-2.6.2-3.el9
rpms:imports/c9/openldap-2.6.2-1.el9_0
rpms:imports/c9/openldap-2.4.59-4.el9_0
rpms:imports/c9-beta/openldap-2.4.59-4.el9_0
rpms:imports/c9-beta/openldap-2.4.59-3.el9
rpms:imports/c9-beta/openldap-2.4.57-8.el9
rpms:imports/c8/openldap-2.4.46-18.el8
rpms:imports/c8-beta/openldap-2.4.46-18.el8
rpms:imports/c8-beta/openldap-2.4.46-16.el8
rpms:imports/c8-beta/openldap-2.4.46-15.el8
rpms:imports/c8-beta/openldap-2.4.46-10.el8
rpms:imports/c8-beta/openldap-2.4.46-9.el8
rpms:imports/c8s/openldap-2.4.46-18.el8
rpms:imports/c8s/openldap-2.4.46-17.el8_4
rpms:imports/c8s/openldap-2.4.46-17.el8
rpms:imports/c8s/openldap-2.4.46-16.el8
rpms:imports/c8s/openldap-2.4.46-15.el8
rpms:imports/c8/openldap-2.4.46-17.el8_4
rpms:imports/c8/openldap-2.4.46-16.el8
rpms:imports/c8/openldap-2.4.46-15.el8
rpms:imports/c8/openldap-2.4.46-11.el8_1
rpms:imports/c8/openldap-2.4.46-11.el8

No commits in common. "c8" and "c9-beta" have entirely different histories.
c8 ... c9-beta

42 changed files with 889 additions and 6614 deletions
Show Stats Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
SOURCES/openldap-2.4.46.tgz
SOURCES/openldap-2.6.6.tgz
SOURCES/openldap-ppolicy-check-password-1.1.tar.gz

4
.openldap.metadata
View File

@ -1,2 +1,2 @@
444fe85f8c42d97355d88ec295b18ecb58faeb52 SOURCES/ltb-project-openldap-ppolicy-check-password-1.1.tar.gz
a9ae2273eb9bdd70090dafe0d018a3132606bef6 SOURCES/openldap-2.4.46.tgz
633bc0ce9b5d91852c1fe38c720763f32d18390f SOURCES/openldap-2.6.6.tgz
d9f2c30aa3ec5760d4eb5923f461ca8eed92703d SOURCES/openldap-ppolicy-check-password-1.1.tar.gz

72
SOURCES/0001-ITS-9904-ldap_url_parsehosts-check-for-strdup-failur.patch
View File

@ -1,72 +0,0 @@
From 840944e26f734bb03d925f26c4ef11a6cedcbb9c Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Thu, 25 Aug 2022 16:13:21 +0100
Subject: [PATCH] ITS#9904 ldap_url_parsehosts: check for strdup failure
Avoid unnecessary strdup in IPv6 addr parsing, check for strdup
failure when dup'ing scheme.
Code present since 2000, 8da110a9e726dbc612b302feafe0109271e6bc59
---
libraries/libldap/url.c | 21 ++++++++++++---------
1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/libraries/libldap/url.c b/libraries/libldap/url.c
index dcf2aac9e8..493fd7ce47 100644
--- a/libraries/libldap/url.c
+++ b/libraries/libldap/url.c
@@ -1385,24 +1385,22 @@ ldap_url_parsehosts(
}
ludp->lud_port = port;
ludp->lud_host = specs[i];
- specs[i] = NULL;
p = strchr(ludp->lud_host, ':');
if (p != NULL) {
/* more than one :, IPv6 address */
if ( strchr(p+1, ':') != NULL ) {
/* allow [address] and [address]:port */
if ( *ludp->lud_host == '[' ) {
- p = LDAP_STRDUP(ludp->lud_host+1);
- /* copied, make sure we free source later */
- specs[i] = ludp->lud_host;
- ludp->lud_host = p;
- p = strchr( ludp->lud_host, ']' );
+ p = strchr( ludp->lud_host+1, ']' );
if ( p == NULL ) {
LDAP_FREE(ludp);
ldap_charray_free(specs);
return LDAP_PARAM_ERROR;
}
- *p++ = '\0';
+ /* Truncate trailing ']' and shift hostname down 1 char */
+ *p = '\0';
+ AC_MEMCPY( ludp->lud_host, ludp->lud_host+1, p - ludp->lud_host );
+ p++;
if ( *p != ':' ) {
if ( *p != '\0' ) {
LDAP_FREE(ludp);
@@ -1428,14 +1426,19 @@ ldap_url_parsehosts(
}
}
}
- ldap_pvt_hex_unescape(ludp->lud_host);
ludp->lud_scheme = LDAP_STRDUP("ldap");
+ if ( ludp->lud_scheme == NULL ) {
+ LDAP_FREE(ludp);
+ ldap_charray_free(specs);
+ return LDAP_NO_MEMORY;
+ }
+ specs[i] = NULL;
+ ldap_pvt_hex_unescape(ludp->lud_host);
ludp->lud_next = *ludlist;
*ludlist = ludp;
}
/* this should be an array of NULLs now */
- /* except entries starting with [ */
ldap_charray_free(specs);
return LDAP_SUCCESS;
}
--
2.44.0

26
SOURCES/0001-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
View File

@ -1,26 +0,0 @@
From c5c8c06a8bd52ea7b843e7d8ca961a7d1800ce5f Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 24 Aug 2022 14:40:51 +0100
Subject: [PATCH] ITS#9904 ldif_open_url: check for ber_strdup failure
Code present since 1999, df8f7cbb9b79be3be9205d116d1dd0b263d6861a
---
libraries/libldap/fetch.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/libraries/libldap/fetch.c b/libraries/libldap/fetch.c
index 9e426dc647..536871bcfe 100644
--- a/libraries/libldap/fetch.c
+++ b/libraries/libldap/fetch.c
@@ -69,6 +69,8 @@ ldif_open_url(
}
p = ber_strdup( urlstr );
+ if ( p == NULL )
+ return NULL;
/* But we should convert to LDAP_DIRSEP before use */
if ( LDAP_DIRSEP[0] != '/' ) {
--
2.44.0

30
SOURCES/UPGRADE_INSTRUCTIONS Normal file
View File

@ -0,0 +1,30 @@
You have upgraded your openldap-servers package.
Any major version upgrade can cause database corruption or loss.
Please, make sure that you have up-to-date back up and read this document carefully.
It's still recommended to do the backup even on the minor version upgrade.
Please, review the next links before performing any action:
Upgrading from 2.4.x - https://www.openldap.org/doc/admin25/appendix-upgrading.html
Upgrading from 2.5.x - https://www.openldap.org/doc/admin26/appendix-upgrading.html
The normal upgrade procedure - https://www.openldap.org/doc/admin26/maintenance.html
Additionally, please, review and perform the following steps that can help you with the upgrade:
1. Back up both data and configuration directories into a safe place;
2. Export data to an LDIF file using slapcat;
a. If you have the deprecated DB type and you haven't performed the slapcat command, you need to move your data and configuration to the system with OpenLDAP 2.4 version and run slapcat command there;
3. Change the server's configuration according to the changes in the above documents;
a. If you are replacing the BDB/HDB with MDB, make sure to replace the BDB/HDB sections with their MDB counterparts;
4. Clear out the current data directory;
5. Import data to a new database from the LDIF file using slapadd;
6. Make sure that your data is intact.
After you have completed the above operations, you can remove this file (/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS) and start the server:
systemctl start slapd.service
Be careful with this document's procedure, make sure you understand it, and test it in a non-production environment first. Always make sure that all backups are in place.
You have been warned about the possibility of data corruption or loss.

51
SOURCES/check-password-makefile.patch
View File

@ -1,32 +1,45 @@
--- a/Makefile 2009-10-31 18:59:06.000000000 +0100
+++ b/Makefile 2014-12-17 09:42:37.586079225 +0100
@@ -13,22 +13,11 @@
diff --git a/Makefile b/Makefile
index 4457bad..91de40b 100644
--- a/Makefile
+++ b/Makefile
@@ -13,17 +13,10 @@ CRACKLIB=/usr/share/cracklib/pw_dict
#
CONFIG=/etc/openldap/check_password.conf
-OPT=-g -O2 -Wall -fpic \
- -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
- -DCONFIG_FILE="\"$(CONFIG)\"" \
+CFLAGS+=-fpic \
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
-DDEBUG
-
-# Where to find the OpenLDAP headers.
-#
-LDAP_INC=-I/home/pyb/tmp/openldap-2.3.39/include \
- -I/home/pyb/tmp/openldap-2.3.39/servers/slapd
-LDAP_INC=-I/usr/include/openldap/include \
- -I/usr/include/openldap/servers/slapd
-
-# Where to find the CrackLib headers.
-#
-CRACK_INC=
-
-INCS=$(LDAP_INC) $(CRACK_INC)
-
+CFLAGS+=-fpic \
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
+ -DDEBUG
LDAP_LIB=-lldap_r -llber
# Comment out this line if you do NOT want to use the cracklib.
@@ -45,10 +34,10 @@
@@ -33,27 +26,21 @@ LDAP_LIB=-lldap_r -llber
#
CRACKLIB_LIB=-lcrack
-CC_FLAGS=-g -O2 -Wall -fpic
-CRACKLIB_OPT=-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""
-DEBUG_OPT=-DDEBUG
-CONFIG_OPT=-DCONFIG_FILE="\"$(CONFIG)\""
-
-OPT=$(CC_FLAGS) $(CRACKLIB_OPT) $(CONFIG_OPT) $(DEBUG_OPT)
-
LIBS=$(LDAP_LIB) $(CRACKLIB_LIB)
LIBDIR=/usr/lib/openldap/
+
all: check_password
check_password.o:
@ -38,4 +51,8 @@
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
install: check_password
cp -f check_password.so ../../../usr/lib/openldap/modules/
- cp -f check_password.so $(LIBDIR)
+ cp -f check_password.so ../../../usr/lib/openldap/modules/
clean:
$(RM) check_password.o check_password.so check_password.lo

19
SOURCES/libexec-check-config.sh
View File

@ -1,4 +1,4 @@
#!/bin/sh
#!/usr/bin/sh
# Author: Jan Vcelak <jvcelak@redhat.com>
. /usr/libexec/openldap/functions
@ -41,7 +41,7 @@ function check_db_perms()
retcode=0
for dbdir in `databases`; do
[ -d "$dbdir" ] || continue
for dbfile in `find ${dbdir} -maxdepth 1 -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name "alock"`; do
for dbfile in `find ${dbdir} -maxdepth 1 -name "*.mdb"` ; do
run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
if [ $? -ne 0 ]; then
error "Read/write permissions for DB file '%s' are required." "$dbfile"
@ -52,12 +52,21 @@ function check_db_perms()
return $retcode
}
function check_major_upgrade()
{
retcode=0
if [ -f "/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS" ]; then
error "You have upgraded your openldap-servers package. There are actions that need to be performed. Please, read the /usr/share/openldap-servers/UPGRADE_INSTRUCTIONS file"
retcode=1
fi
return $retcode
}
function check_everything()
{
retcode=0
check_config_syntax || retcode=1
# TODO: need support for Mozilla NSS, disabling temporarily
#check_certs_perms || retcode=1
check_certs_perms || retcode=1
check_db_perms || retcode=1
return $retcode
}
@ -67,6 +76,8 @@ if [ `id -u` -ne 0 ]; then
exit 4
fi
check_major_upgrade || return 1
load_sysconfig
if [ -n "$SLAPD_CONFIG_DIR" ]; then

18
SOURCES/libexec-functions
View File

@ -84,14 +84,6 @@ function databases_new()
ldif_value
}
function databases_old()
{
awk 'begin { database="" }
$1 == "database" { database=$2 }
$1 == "directory" { if (database == "bdb" || database == "hdb") print $2}' \
"$SLAPD_CONFIG_FILE"
}
function certificates_new()
{
slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
@ -100,20 +92,14 @@ function certificates_new()
ldif_value
}
function certificates_old()
{
awk '$1 ~ "^TLS(CACertificate(File|Path)|CertificateFile|CertificateKeyFile)$" { print $2 } ' \
"$SLAPD_CONFIG_FILE"
}
function certificates()
{
uses_new_config && certificates_new || certificates_old
uses_new_config && certificates_new
}
function databases()
{
uses_new_config && databases_new || databases_old
uses_new_config && databases_new
}

40
SOURCES/libexec-upgrade-db.sh
View File

@ -1,40 +0,0 @@
#!/bin/sh
# Author: Jan Vcelak <jvcelak@redhat.com>
. /usr/libexec/openldap/functions
if [ `id -u` -ne 0 ]; then
error "You have to be root to run this command."
exit 4
fi
load_sysconfig
retcode=0
for dbdir in `databases`; do
upgrade_log="$dbdir/db_upgrade.`date +%Y%m%d%H%M%S`.log"
bdb_files=`find "$dbdir" -maxdepth 1 -name "*.bdb" -printf '"%f" '`
# skip uninitialized database
[ -z "$bdb_files"] || continue
printf "Updating '%s', logging into '%s'\n" "$dbdir" "$upgrade_log"
# perform the update
for command in \
"/usr/bin/db_recover -v -h \"$dbdir\"" \
"/usr/bin/db_upgrade -v -h \"$dbdir\" $bdb_files" \
"/usr/bin/db_checkpoint -v -h \"$dbdir\" -1" \
; do
printf "Executing: %s\n" "$command" &>>$upgrade_log
run_as_ldap "$command" &>>$upgrade_log
result=$?
printf "Exit code: %d\n" $result >>"$upgrade_log"
if [ $result -ne 0 ]; then
printf "Upgrade failed: %d\n" $result
retcode=1
fi
done
done
exit $retcode

393
SOURCES/openldap-Revert-ITS-8618-Remove-deprecated-h-and-p.patch Normal file
View File

@ -0,0 +1,393 @@
From e1782a92cc0e6dde404fa5fb18cb8dba46887fc0 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@redhat.com>
Date: Thu, 26 May 2022 17:17:39 -0700
Subject: [PATCH] Revert "ITS#8618 - Remove deprecated -h and -p options to
client tools"
Except tests. For tests, use -H option.
---
clients/tools/common.c | 53 +++++++++++++++++++++++++++++++++++++-
clients/tools/common.h | 2 ++
doc/man/man1/ldapcompare.1 | 12 +++++++++
doc/man/man1/ldapdelete.1 | 12 +++++++++
doc/man/man1/ldapexop.1 | 12 +++++++++
doc/man/man1/ldapmodify.1 | 16 ++++++++++++
doc/man/man1/ldapmodrdn.1 | 12 +++++++++
doc/man/man1/ldappasswd.1 | 12 +++++++++
doc/man/man1/ldapsearch.1 | 12 +++++++++
doc/man/man1/ldapwhoami.1 | 12 +++++++++
10 files changed, 154 insertions(+), 1 deletion(-)
diff --git a/clients/tools/common.c b/clients/tools/common.c
index b88f219b3..28178d64c 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -71,6 +71,8 @@ char *prog = NULL;
/* connection */
char *ldapuri = NULL;
+char *ldaphost = NULL;
+int ldapport = 0;
int use_tls = 0;
int protocol = -1;
int version = 0;
@@ -348,6 +350,7 @@ N_(" [!]sessiontracking[=<username>]\n")
N_(" abandon, cancel, ignore (SIGINT sends abandon/cancel,\n"
" or ignores response; if critical, doesn't wait for SIGINT.\n"
" not really controls)\n")
+N_(" -h host LDAP server (deprecated in favor of \"-H\")\n"),
N_(" -H URI LDAP Uniform Resource Identifier(s)\n"),
N_(" -I use SASL Interactive mode\n"),
N_(" -n show what would be done but don't actually do it\n"),
@@ -356,6 +359,7 @@ N_(" -O props SASL security properties\n"),
N_(" -o <opt>[=<optparam>] any libldap ldap.conf options, plus\n"),
N_(" ldif_wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
N_(" nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
+N_(" -p port port on LDAP server (deprecated in favor of \"-H\")\n"),
N_(" -Q use SASL Quiet mode\n"),
N_(" -R realm SASL realm\n"),
N_(" -U authcid SASL authentication identity\n"),
@@ -774,6 +778,13 @@ tool_args( int argc, char **argv )
}
infile = optarg;
break;
+ case 'h': /* ldap host */
+ if( ldaphost != NULL ) {
+ fprintf( stderr, "%s: -h previously specified\n", prog );
+ exit( EXIT_FAILURE );
+ }
+ ldaphost = optarg;
+ break;
case 'H': /* ldap URI */
if( ldapuri != NULL ) {
fprintf( stderr, "%s: -H previously specified\n", prog );
@@ -887,6 +898,18 @@ tool_args( int argc, char **argv )
exit( EXIT_FAILURE );
#endif
break;
+ case 'p':
+ if( ldapport ) {
+ fprintf( stderr, "%s: -p previously specified\n", prog );
+ exit( EXIT_FAILURE );
+ }
+ ival = strtol( optarg, &next, 10 );
+ if ( next == NULL || next[0] != '\0' ) {
+ fprintf( stderr, "%s: unable to parse port number \"%s\"\n", prog, optarg );
+ exit( EXIT_FAILURE );
+ }
+ ldapport = ival;
+ break;
case 'P':
ival = strtol( optarg, &next, 10 );
if ( next == NULL || next[0] != '\0' ) {
@@ -1121,6 +1144,22 @@ tool_args( int argc, char **argv )
#endif
}
+ if( ldapuri == NULL ) {
+ if( ldapport && ( ldaphost == NULL )) {
+ fprintf( stderr, "%s: -p without -h is invalid.\n", prog );
+ exit( EXIT_FAILURE );
+ }
+ } else {
+ if( ldaphost != NULL ) {
+ fprintf( stderr, "%s: -H incompatible with -h\n", prog );
+ exit( EXIT_FAILURE );
+ }
+ if( ldapport ) {
+ fprintf( stderr, "%s: -H incompatible with -p\n", prog );
+ exit( EXIT_FAILURE );
+ }
+ }
+
if( protocol == LDAP_VERSION2 ) {
if( assertctl || authzid || manageDIT || manageDSAit ||
#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
@@ -1191,7 +1230,19 @@ tool_conn_setup( int dont, void (*private_setup)( LDAP * ) )
if ( !dont ) {
int rc;
- if ( ldapuri != NULL ) {
+ if( ( ldaphost != NULL || ldapport ) && ( ldapuri == NULL ) ) {
+ /* construct URL */
+ LDAPURLDesc url;
+ memset( &url, 0, sizeof(url));
+
+ url.lud_scheme = "ldap";
+ url.lud_host = ldaphost;
+ url.lud_port = ldapport;
+ url.lud_scope = LDAP_SCOPE_DEFAULT;
+
+ ldapuri = ldap_url_desc2str( &url );
+
+ } else if ( ldapuri != NULL ) {
LDAPURLDesc *ludlist, **ludp;
char **urls = NULL;
int nurls = 0;
diff --git a/clients/tools/common.h b/clients/tools/common.h
index c4377da17..41c3d874a 100644
--- a/clients/tools/common.h
+++ b/clients/tools/common.h
@@ -61,6 +61,8 @@ extern char *prog;
/* connection */
extern char *ldapuri;
+extern char *ldaphost;
+extern int ldapport;
extern int use_tls;
extern int protocol;
extern int version;
diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
index b15b0c4f8..b7747ad8c 100644
--- a/doc/man/man1/ldapcompare.1
+++ b/doc/man/man1/ldapcompare.1
@@ -31,6 +31,10 @@ ldapcompare \- LDAP compare tool
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -139,6 +143,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
index e12cc56bb..84dbd882c 100644
--- a/doc/man/man1/ldapdelete.1
+++ b/doc/man/man1/ldapdelete.1
@@ -37,6 +37,10 @@ ldapdelete \- LDAP delete entry tool
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -145,6 +149,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
index 2040c3e45..26e1730a8 100644
--- a/doc/man/man1/ldapexop.1
+++ b/doc/man/man1/ldapexop.1
@@ -42,6 +42,10 @@ ldapexop
[\c
.BI \-H \ URI\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-o \ opt \fR[= optparam \fR]]
@@ -156,6 +160,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify the host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify the TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
Specify general extensions. \'!\' indicates criticality.
.nf
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
index 1104e9f2a..affc661ea 100644
--- a/doc/man/man1/ldapmodify.1
+++ b/doc/man/man1/ldapmodify.1
@@ -37,6 +37,10 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -93,6 +97,10 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -204,6 +212,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
index 777c539ad..0226db5d2 100644
--- a/doc/man/man1/ldapmodrdn.1
+++ b/doc/man/man1/ldapmodrdn.1
@@ -37,6 +37,10 @@ ldapmodrdn \- LDAP rename entry tool
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -139,6 +143,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
index d1aea0c8b..c9cea59c5 100644
--- a/doc/man/man1/ldappasswd.1
+++ b/doc/man/man1/ldappasswd.1
@@ -39,6 +39,10 @@ ldappasswd \- change the password of an LDAP entry
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -144,6 +148,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
.TP
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
index 7f3ec4095..7496602b8 100644
--- a/doc/man/man1/ldapsearch.1
+++ b/doc/man/man1/ldapsearch.1
@@ -57,6 +57,10 @@ ldapsearch \- LDAP search tool
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -277,6 +281,14 @@ DNS SRV records, according to RFC 2782. The DN must be a non-empty
sequence of AVAs whose attribute type is "dc" (domain component),
and must be escaped according to RFC 2396.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
index 49b1187b2..adbc3f52c 100644
--- a/doc/man/man1/ldapwhoami.1
+++ b/doc/man/man1/ldapwhoami.1
@@ -27,6 +27,10 @@ ldapwhoami \- LDAP who am i? tool
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -99,6 +103,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
.TP
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
--
2.35.3

339
SOURCES/openldap-add-TLS_REQSAN-option.patch
View File

@ -1,339 +0,0 @@
From c8050d1e6eb0f4f3deb187224945ddcfc3baa4d6 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Fri, 21 Aug 2020 09:15:15 +0100
Subject: [PATCH] ITS#9318 add TLS_REQSAN option
Add an option to specify how subjectAlternativeNames should be
handled when validating the names in a server certificate.
---
doc/man/man3/ldap_get_option.3 | 9 +++++++
doc/man/man5/ldap.conf.5 | 31 +++++++++++++++++++++++
include/ldap.h | 1 +
libraries/libldap/init.c | 2 ++
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/tls2.c | 16 ++++++++++++
libraries/libldap/tls_g.c | 46 ++++++++++++++++++++++++++++++++--
libraries/libldap/tls_o.c | 44 ++++++++++++++++++++++++++++++--
8 files changed, 146 insertions(+), 4 deletions(-)
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index d229ce6e3..7d760136f 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -788,6 +788,15 @@ one of
.BR LDAP_OPT_X_TLS_ALLOW ,
.BR LDAP_OPT_X_TLS_TRY .
.TP
+.B LDAP_OPT_X_TLS_REQUIRE_SAN
+Sets/gets the peer certificate subjectAlternativeName checking strategy,
+one of
+.BR LDAP_OPT_X_TLS_NEVER ,
+.BR LDAP_OPT_X_TLS_HARD ,
+.BR LDAP_OPT_X_TLS_DEMAND ,
+.BR LDAP_OPT_X_TLS_ALLOW ,
+.BR LDAP_OPT_X_TLS_TRY .
+.TP
.B LDAP_OPT_X_TLS_SSL_CTX
Gets the TLS session context associated with this handle.
.BR outvalue
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index 2f1ee886d..cde2c875f 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -464,6 +464,37 @@ certificate is provided, or a bad certificate is provided, the session
is immediately terminated. This is the default setting.
.RE
.TP
+.B TLS_REQSAN <level>
+Specifies what checks to perform on the subjectAlternativeName
+(SAN) extensions in a server certificate when validating the certificate
+name against the specified hostname of the server. The
+.B <level>
+can be specified as one of the following keywords:
+.RS
+.TP
+.B never
+The client will not check any SAN in the certificate.
+.TP
+.B allow
+The SAN is checked against the specified hostname. If a SAN is
+present but none match the specified hostname, the SANs are ignored
+and the usual check against the certificate DN is used.
+This is the default setting.
+.TP
+.B try
+The SAN is checked against the specified hostname. If no SAN is present
+in the server certificate, the usual check against the certificate DN
+is used. If a SAN is present but doesn't match the specified hostname,
+the session is immediately terminated. This setting may be preferred
+when a mix of certs with and without SANs are in use.
+.TP
+.B demand | hard
+These keywords are equivalent. The SAN is checked against the specified
+hostname. If no SAN is present in the server certificate, or no SANs
+match, the session is immediately terminated. This setting should be
+used when only certificates with SANs are in use.
+.RE
+.TP
.B TLS_CRLCHECK <level>
Specifies if the Certificate Revocation List (CRL) of the CA should be
used to verify if the server certificates have not been revoked. This
diff --git a/include/ldap.h b/include/ldap.h
index 4b81a6841..4877de24a 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -160,6 +160,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
#define LDAP_OPT_X_TLS_ECNAME 0x6012
#define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */
+#define LDAP_OPT_X_TLS_REQUIRE_SAN 0x601a
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index d503019aa..0d91808ec 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -128,6 +128,7 @@ static const struct ol_attribute {
{0, ATTR_TLS, "TLS_CACERT", NULL, LDAP_OPT_X_TLS_CACERTFILE},
{0, ATTR_TLS, "TLS_CACERTDIR", NULL, LDAP_OPT_X_TLS_CACERTDIR},
{0, ATTR_TLS, "TLS_REQCERT", NULL, LDAP_OPT_X_TLS_REQUIRE_CERT},
+ {0, ATTR_TLS, "TLS_REQSAN", NULL, LDAP_OPT_X_TLS_REQUIRE_SAN},
{0, ATTR_TLS, "TLS_RANDFILE", NULL, LDAP_OPT_X_TLS_RANDOM_FILE},
{0, ATTR_TLS, "TLS_CIPHER_SUITE", NULL, LDAP_OPT_X_TLS_CIPHER_SUITE},
{0, ATTR_TLS, "TLS_PROTOCOL_MIN", NULL, LDAP_OPT_X_TLS_PROTOCOL_MIN},
@@ -624,6 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
gopts->ldo_tls_connect_cb = NULL;
gopts->ldo_tls_connect_arg = NULL;
gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
+ gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
#endif
gopts->ldo_keepalive_probes = 0;
gopts->ldo_keepalive_interval = 0;
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 753014ad0..2bf5d4ff6 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -262,6 +262,7 @@ struct ldapoptions {
int ldo_tls_require_cert;
int ldo_tls_impl;
int ldo_tls_crlcheck;
+ int ldo_tls_require_san;
#define LDAP_LDO_TLS_NULLARG ,0,0,0,{0,0,0,0,0,0,0,0,0},0,0,0,0
#else
#define LDAP_LDO_TLS_NULLARG
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 6a2113255..670292c22 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -539,6 +539,7 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
return ldap_pvt_tls_set_option( ld, option, (void *) arg );
case LDAP_OPT_X_TLS_REQUIRE_CERT:
+ case LDAP_OPT_X_TLS_REQUIRE_SAN:
case LDAP_OPT_X_TLS:
i = -1;
if ( strcasecmp( arg, "never" ) == 0 ) {
@@ -669,6 +670,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case LDAP_OPT_X_TLS_REQUIRE_CERT:
*(int *)arg = lo->ldo_tls_require_cert;
break;
+ case LDAP_OPT_X_TLS_REQUIRE_SAN:
+ *(int *)arg = lo->ldo_tls_require_san;
+ break;
#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
*(int *)arg = lo->ldo_tls_crlcheck;
@@ -818,6 +822,18 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
return 0;
}
return -1;
+ case LDAP_OPT_X_TLS_REQUIRE_SAN:
+ if ( !arg ) return -1;
+ switch( *(int *) arg ) {
+ case LDAP_OPT_X_TLS_NEVER:
+ case LDAP_OPT_X_TLS_DEMAND:
+ case LDAP_OPT_X_TLS_ALLOW:
+ case LDAP_OPT_X_TLS_TRY:
+ case LDAP_OPT_X_TLS_HARD:
+ lo->ldo_tls_require_san = * (int *) arg;
+ return 0;
+ }
+ return -1;
#ifdef HAVE_OPENSSL_CRL
case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
if ( !arg ) return -1;
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 15ce0bbb8..e3486c9b4 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -496,6 +496,7 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
{
tlsg_session *s = (tlsg_session *)session;
int i, ret;
+ int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
const gnutls_datum_t *peer_cert_list;
unsigned int list_size;
char altname[NI_MAXHOST];
@@ -558,12 +559,14 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
}
}
+ if (chkSAN) {
for ( i=0, ret=0; ret >= 0; i++ ) {
altnamesize = sizeof(altname);
ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
altname, &altnamesize, NULL );
if ( ret < 0 ) break;
+ gotSAN = 1;
/* ignore empty */
if ( altnamesize == 0 ) continue;
@@ -599,7 +602,45 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
}
if ( ret >= 0 ) {
ret = LDAP_SUCCESS;
- } else {
+ }
+ }
+ if (ret != LDAP_SUCCESS && chkSAN) {
+ switch(chkSAN) {
+ case LDAP_OPT_X_TLS_DEMAND:
+ case LDAP_OPT_X_TLS_HARD:
+ if (!gotSAN) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: unable to get subjectAltName from peer certificate.\n",
+ 0, 0, 0 );
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: unable to get subjectAltName from peer certificate"));
+ goto done;
+ }
+ /* FALLTHRU */
+ case LDAP_OPT_X_TLS_TRY:
+ if (gotSAN) {
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+ "subjectAltName in certificate.\n",
+ name, 0, 0 );
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: hostname does not match subjectAltName in peer certificate"));
+ goto done;
+ }
+ break;
+ case LDAP_OPT_X_TLS_ALLOW:
+ break;
+ }
+ }
+
+ if ( ret != LDAP_SUCCESS ){
/* find the last CN */
i=0;
do {
@@ -654,9 +695,10 @@ tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
- _("TLS: hostname does not match CN in peer certificate"));
+ _("TLS: hostname does not match name in peer certificate"));
}
}
+done:
gnutls_x509_crt_deinit( cert );
return ret;
}
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 4006f7a4f..6f27168e9 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -600,6 +600,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
{
tlso_session *s = (tlso_session *)sess;
int i, ret = LDAP_LOCAL_ERROR;
+ int chkSAN = ld->ld_options.ldo_tls_require_san, gotSAN = 0;
X509 *x;
const char *name;
char *ptr;
@@ -638,7 +639,8 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
}
-
+
+ if (chkSAN) {
i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
if (i >= 0) {
X509_EXTENSION *ex;
@@ -651,6 +653,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
char *domain = NULL;
GENERAL_NAME *gn;
+ gotSAN = 1;
if (ntype == IS_DNS) {
domain = strchr(name, '.');
if (domain) {
@@ -709,6 +712,42 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
}
}
}
+ }
+ if (ret != LDAP_SUCCESS && chkSAN) {
+ switch(chkSAN) {
+ case LDAP_OPT_X_TLS_DEMAND:
+ case LDAP_OPT_X_TLS_HARD:
+ if (!gotSAN) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: unable to get subjectAltName from peer certificate.\n",
+ 0, 0, 0 );
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: unable to get subjectAltName from peer certificate"));
+ goto done;
+ }
+ /* FALLTHRU */
+ case LDAP_OPT_X_TLS_TRY:
+ if (gotSAN) {
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+ "subjectAltName in certificate.\n",
+ name, 0, 0 );
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
+ }
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: hostname does not match subjectAltName in peer certificate"));
+ goto done;
+ }
+ break;
+ case LDAP_OPT_X_TLS_ALLOW:
+ break;
+ }
+ }
if (ret != LDAP_SUCCESS) {
X509_NAME *xn;
@@ -772,9 +811,10 @@ no_cn:
LDAP_FREE( ld->ld_error );
}
ld->ld_error = LDAP_STRDUP(
- _("TLS: hostname does not match CN in peer certificate"));
+ _("TLS: hostname does not match name in peer certificate"));
}
}
+done:
X509_free(x);
return ret;
}
--
2.31.1

37
SOURCES/openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch Normal file
View File

@ -0,0 +1,37 @@
From 6779e56fafb0aa8ae5efa7068da34a630b51b530 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@redhat.com>
Date: Fri, 5 Aug 2022 13:23:52 -0700
Subject: [PATCH] Add export symbols related to LDAP_CONNECTIONLESS
---
libraries/liblber/lber.map | 1 +
libraries/libldap/ldap.map | 1 +
2 files changed, 2 insertions(+)
diff --git a/libraries/liblber/lber.map b/libraries/liblber/lber.map
index 9a4094b0f..083cd1f32 100644
--- a/libraries/liblber/lber.map
+++ b/libraries/liblber/lber.map
@@ -121,6 +121,7 @@ OPENLDAP_2.200
ber_sockbuf_io_fd;
ber_sockbuf_io_readahead;
ber_sockbuf_io_tcp;
+ ber_sockbuf_io_udp;
ber_sockbuf_remove_io;
ber_sos_dump;
ber_start;
diff --git a/libraries/libldap/ldap.map b/libraries/libldap/ldap.map
index b28c9c21e..021aaba63 100644
--- a/libraries/libldap/ldap.map
+++ b/libraries/libldap/ldap.map
@@ -200,6 +200,7 @@ OPENLDAP_2.200
ldap_is_ldap_url;
ldap_is_ldapi_url;
ldap_is_ldaps_url;
+ ldap_is_ldapc_url;
ldap_is_read_ready;
ldap_is_write_ready;
ldap_ld_free;
--
2.37.1

4
SOURCES/openldap-ai-addrconfig.patch
View File

@ -5,10 +5,10 @@ Upstream ITS: #7326
Resolves: #835013
diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
index b31e05d..fa361ab 100644
index 14899cc..b25e750 100644
--- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c
@@ -594,8 +594,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
@@ -620,8 +620,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
memset( &hints, '\0', sizeof(hints) );

7
SOURCES/openldap-allop-overlay.patch
View File

@ -4,9 +4,10 @@ Author: Matus Honek <mhonek@redhat.com>
Resolves: #1319782
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
index b5c3fc8..9aa8a4f 100644
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
@@ -38,7 +38,8 @@ SRCS = overlays.c \
translucent.c \
unique.c \
valsort.c \
@ -16,7 +17,7 @@ diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefil
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
@@ -58,7 +59,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = ../liboverlays.a
@ -25,7 +26,7 @@ diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefil
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo
@@ -148,6 +149,12 @@ smbk5pwd.lo : smbk5pwd.c
smbk5pwd.la : smbk5pwd.lo
$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)

291
SOURCES/openldap-cbinding-Add-channel-binding-support.patch
View File

@ -1,291 +0,0 @@
From ca310ebff44f10739fd75aff437c7676e089b134 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Mon, 26 Aug 2013 23:31:48 -0700
Subject: [PATCH] Add channel binding support
Currently only implemented for OpenSSL.
Needs an option to set the criticality flag.
---
include/ldap_pvt.h | 1 +
libraries/libldap/cyrus.c | 22 ++++++++++++++++++++++
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/ldap-tls.h | 2 ++
libraries/libldap/tls2.c | 7 +++++++
libraries/libldap/tls_g.c | 7 +++++++
libraries/libldap/tls_m.c | 7 +++++++
libraries/libldap/tls_o.c | 16 ++++++++++++++++
servers/slapd/connection.c | 8 ++++++++
servers/slapd/sasl.c | 18 ++++++++++++++++++
servers/slapd/slap.h | 1 +
11 files changed, 90 insertions(+)
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 871e7c180..fdc9d2de3 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -430,6 +430,7 @@ LDAP_F (int) ldap_pvt_tls_get_my_dn LDAP_P(( void *ctx, struct berval *dn,
LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
LDAPDN_rewrite_dummy *func, unsigned flags ));
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
+LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
LDAP_END_DECL
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 28c241b0b..a57292800 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -369,6 +369,10 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
lc->lconn_sasl_sockctx = NULL;
lc->lconn_sasl_authctx = NULL;
}
+ if( lc->lconn_sasl_cbind ) {
+ ldap_memfree( lc->lconn_sasl_cbind );
+ lc->lconn_sasl_cbind = NULL;
+ }
return LDAP_SUCCESS;
}
@@ -482,6 +486,24 @@ ldap_int_sasl_bind(
(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
LDAP_FREE( authid.bv_val );
+#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */
+ {
+ char cbinding[64];
+ struct berval cbv = { sizeof(cbinding), cbinding };
+ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
+ sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
+ cbv.bv_len);
+ cb->name = "ldap";
+ cb->critical = 0;
+ cb->data = (char *)(cb+1);
+ cb->len = cbv.bv_len;
+ memcpy( cb->data, cbv.bv_val, cbv.bv_len );
+ sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
+ SASL_CHANNEL_BINDING, cb );
+ ld->ld_defconn->lconn_sasl_cbind = cb;
+ }
+ }
+#endif
}
#endif
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 37c342e26..1915ecab4 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -305,6 +305,7 @@ typedef struct ldap_conn {
#ifdef HAVE_CYRUS_SASL
void *lconn_sasl_authctx; /* context for bind */
void *lconn_sasl_sockctx; /* for security layer */
+ void *lconn_sasl_cbind; /* for channel binding */
#endif
#ifdef HAVE_GSSAPI
void *lconn_gss_ctx; /* gss_ctx_id_t */
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
index 75661c005..1eb5ae47e 100644
--- a/libraries/libldap/ldap-tls.h
+++ b/libraries/libldap/ldap-tls.h
@@ -41,6 +41,7 @@ typedef char *(TI_session_errmsg)(tls_session *s, int rc, char *buf, size_t len
typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
typedef int (TI_session_strength)(tls_session *sess);
+typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
typedef void (TI_thr_init)(void);
@@ -64,6 +65,7 @@ typedef struct tls_impl {
TI_session_dn *ti_session_peer_dn;
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
+ TI_session_unique *ti_session_unique;
Sockbuf_IO *ti_sbio;
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index e11d1a8a3..957e73c03 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -981,6 +981,13 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );
return rc;
}
+
+int
+ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
+{
+ tls_session *session = s;
+ return tls_imp->ti_session_unique( session, buf, is_server );
+}
#endif /* HAVE_TLS */
int
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index ed1f8f1cb..dfdc35da4 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -780,6 +780,12 @@ tlsg_session_strength( tls_session *session )
return gnutls_cipher_get_key_size( c ) * 8;
}
+static int
+tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
+{
+ return 0;
+}
+
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
@@ -1110,6 +1116,7 @@ tls_impl ldap_int_tls_impl = {
tlsg_session_peer_dn,
tlsg_session_chkhost,
tlsg_session_strength,
+ tlsg_session_unique,
&tlsg_sbio,
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 072d41d56..240bd9ff6 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2838,6 +2838,12 @@ tlsm_session_strength( tls_session *session )
return rc ? 0 : keySize;
}
+static int
+tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
+{
+ return 0;
+}
+
/*
* TLS support for LBER Sockbufs
*/
@@ -3266,6 +3272,7 @@ tls_impl ldap_int_tls_impl = {
tlsm_session_peer_dn,
tlsm_session_chkhost,
tlsm_session_strength,
+ tlsm_session_unique,
&tlsm_sbio,
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 3c077f895..2ecee465b 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -676,6 +676,21 @@ tlso_session_strength( tls_session *sess )
return SSL_CIPHER_get_bits(SSL_get_current_cipher(s), NULL);
}
+static int
+tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
+{
+ tlso_session *s = (tlso_session *)sess;
+
+ /* Usually the client sends the finished msg. But if the
+ * session was resumed, the server sent the msg.
+ */
+ if (SSL_session_reused(s) ^ !is_server)
+ buf->bv_len = SSL_get_finished(s, buf->bv_val, buf->bv_len);
+ else
+ buf->bv_len = SSL_get_peer_finished(s, buf->bv_val, buf->bv_len);
+ return buf->bv_len;
+}
+
/*
* TLS support for LBER Sockbufs
*/
@@ -1283,6 +1298,7 @@ tls_impl ldap_int_tls_impl = {
tlso_session_peer_dn,
tlso_session_chkhost,
tlso_session_strength,
+ tlso_session_unique,
&tlso_sbio,
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index e34703cb3..bc2b8a4d0 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -406,6 +406,7 @@ Connection * connection_init(
c->c_sasl_sockctx = NULL;
c->c_sasl_extra = NULL;
c->c_sasl_bindop = NULL;
+ c->c_sasl_cbind = NULL;
c->c_sb = ber_sockbuf_alloc( );
@@ -451,6 +452,7 @@ Connection * connection_init(
assert( c->c_sasl_sockctx == NULL );
assert( c->c_sasl_extra == NULL );
assert( c->c_sasl_bindop == NULL );
+ assert( c->c_sasl_cbind == NULL );
assert( c->c_currentber == NULL );
assert( c->c_writewaiter == 0);
assert( c->c_writers == 0);
@@ -1408,6 +1410,12 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
slap_sasl_external( c, c->c_tls_ssf, &authid );
if ( authid.bv_val ) free( authid.bv_val );
+ {
+ char cbinding[64];
+ struct berval cbv = { sizeof(cbinding), cbinding };
+ if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
+ slap_sasl_cbinding( c, &cbv );
+ }
} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */
slapd_set_write( s, 1 );
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index 0bd6259be..57907d79b 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1503,6 +1503,21 @@ int slap_sasl_external(
return LDAP_SUCCESS;
}
+int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
+{
+#ifdef SASL_CHANNEL_BINDING
+ sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
+ cb->name = "ldap";
+ cb->critical = 0;
+ cb->data = (char *)(cb+1);
+ cb->len = cbv->bv_len;
+ memcpy( cb->data, cbv->bv_val, cbv->bv_len );
+ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
+ conn->c_sasl_cbind = cb;
+#endif
+ return LDAP_SUCCESS;
+}
+
int slap_sasl_reset( Connection *conn )
{
return LDAP_SUCCESS;
@@ -1568,6 +1583,9 @@ int slap_sasl_close( Connection *conn )
free( conn->c_sasl_extra );
conn->c_sasl_extra = NULL;
+ free( conn->c_sasl_cbind );
+ conn->c_sasl_cbind = NULL;
+
#elif defined(SLAP_BUILTIN_SASL)
SASL_CTX *ctx = conn->c_sasl_authctx;
if( ctx ) {
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 09c1854f8..4b3bbd12e 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -2910,6 +2910,7 @@ struct Connection {
void *c_sasl_authctx; /* SASL authentication context */
void *c_sasl_sockctx; /* SASL security layer context */
void *c_sasl_extra; /* SASL session extra stuff */
+ void *c_sasl_cbind; /* SASL channel binding */
Operation *c_sasl_bindop; /* set to current op if it's a bind */
#ifdef LDAP_X_TXN
--
2.26.2

167
SOURCES/openldap-cbinding-Convert-test077-to-LDIF-config.patch
View File

@ -1,167 +0,0 @@
From 59bdc8158f51fc22cc3c6d6dd2db9e5aa4bcfdc4 Mon Sep 17 00:00:00 2001
From: Ryan Tandy <ryan@nardis.ca>
Date: Mon, 27 Apr 2020 23:24:16 -0700
Subject: [PATCH] Convert test077 to LDIF config
---
tests/data/slapd-sasl-gssapi.conf | 68 -------------------------------
tests/scripts/defines.sh | 1 -
tests/scripts/test077-sasl-gssapi | 35 +++++++++++++---
3 files changed, 30 insertions(+), 74 deletions(-)
delete mode 100644 tests/data/slapd-sasl-gssapi.conf
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
deleted file mode 100644
index 29ab6040b..000000000
--- a/tests/data/slapd-sasl-gssapi.conf
+++ /dev/null
@@ -1,68 +0,0 @@
-# stand-alone slapd config -- for testing (with indexing)
-# $OpenLDAP$
-## This work is part of OpenLDAP Software <http://www.openldap.org/>.
-##
-## Copyright 1998-2020 The OpenLDAP Foundation.
-## All rights reserved.
-##
-## Redistribution and use in source and binary forms, with or without
-## modification, are permitted only as authorized by the OpenLDAP
-## Public License.
-##
-## A copy of this license is available in the file LICENSE in the
-## top-level directory of the distribution or, alternatively, at
-## <http://www.OpenLDAP.org/license.html>.
-
-#
-include @SCHEMADIR@/core.schema
-include @SCHEMADIR@/cosine.schema
-#
-include @SCHEMADIR@/corba.schema
-include @SCHEMADIR@/java.schema
-include @SCHEMADIR@/inetorgperson.schema
-include @SCHEMADIR@/misc.schema
-include @SCHEMADIR@/nis.schema
-include @SCHEMADIR@/openldap.schema
-#
-include @SCHEMADIR@/duaconf.schema
-include @SCHEMADIR@/dyngroup.schema
-
-#
-pidfile @TESTDIR@/slapd.1.pid
-argsfile @TESTDIR@/slapd.1.args
-
-# SSL configuration
-TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
-TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
-TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
-
-#
-rootdse @DATADIR@/rootdse.ldif
-
-#mod#modulepath ../servers/slapd/back-@BACKEND@/
-#mod#moduleload back_@BACKEND@.la
-#monitormod#modulepath ../servers/slapd/back-monitor/
-#monitormod#moduleload back_monitor.la
-
-
-#######################################################################
-# database definitions
-#######################################################################
-
-database @BACKEND@
-suffix "dc=example,dc=com"
-rootdn "cn=Manager,dc=example,dc=com"
-rootpw secret
-#~null~#directory @TESTDIR@/db.1.a
-#indexdb#index objectClass eq
-#indexdb#index mail eq
-#ndb#dbname db_1_a
-#ndb#include @DATADIR@/ndb.conf
-
-#monitor#database monitor
-
-sasl-realm @KRB5REALM@
-sasl-host localhost
-
-database config
-rootpw secret
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index f9e5578ee..a84fd0a65 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -114,7 +114,6 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
SCHEMACONF=$DATADIR/slapd-schema.conf
TLSCONF=$DATADIR/slapd-tls.conf
TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
-SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
GLUECONF=$DATADIR/slapd-glue.conf
REFINTCONF=$DATADIR/slapd-refint.conf
RETCODECONF=$DATADIR/slapd-retcode.conf
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
index 20c414600..322df60a4 100755
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -21,15 +21,40 @@ if test $WITH_SASL = no ; then
exit 0
fi
+CONFDIR=$TESTDIR/slapd.d
+CONFLDIF=$TESTDIR/slapd.ldif
+
mkdir -p $TESTDIR $DBDIR1 $CONFDIR
cp -r $DATADIR/tls $TESTDIR
+$SLAPPASSWD -g -n >$CONFIGPWF
echo "Starting KDC for SASL/GSSAPI tests..."
. $SRCDIR/scripts/setup_kdc.sh
-echo "Running slapadd to build slapd database..."
-. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
-$SLAPADD -f $CONF1 -l $LDIFORDERED
+echo "Configuring slapd..."
+cat > $CONFLDIF <<EOF
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcSaslHost: localhost
+olcSaslRealm: $KRB5REALM
+olcTLSCACertificateFile: $TESTDIR/tls/ca/certs/testsuiteCA.crt
+olcTLSCertificateFile: $TESTDIR/tls/certs/localhost.crt
+olcTLSCertificateKeyFile: $TESTDIR/tls/private/localhost.key
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file://$ABS_SCHEMADIR/core.ldif
+
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {0}config
+olcRootPW:< file://$TESTDIR/configpw
+
+EOF
+$SLAPADD -F $CONFDIR -n 0 -l $CONFLDIF
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
@@ -38,7 +63,7 @@ if test $RC != 0 ; then
fi
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
@@ -151,7 +176,7 @@ else
for acb in "none" "tls-unique" "tls-endpoint" ; do
echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
- $LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
+ $LDAPMODIFY -D cn=config -H $URI1 -y $CONFIGPWF <<EOF > $TESTOUT 2>&1
dn: cn=config
changetype: modify
replace: olcSaslCBinding
--
2.26.2

62
SOURCES/openldap-cbinding-Fix-slaptest-in-test077.patch
View File

@ -1,62 +0,0 @@
From e006994d83af9dcb7813a18253cf4e5beacee043 Mon Sep 17 00:00:00 2001
From: Ryan Tandy <ryan@nardis.ca>
Date: Sun, 26 Apr 2020 11:40:23 -0700
Subject: [PATCH] Fix slaptest in test077
The libtool wrapper scripts lose argv[0] when exec'ing the real binary.
In the CI Docker container, where the build runs as root, this was
actually starting a real slapd on the default port.
Outside Docker, running as a non-root user, this slapd would just fail
to start, and wouldn't convert the config either.
Using "slapd -Tt" fixes the issue but also prints a warning from
slaptest since the database hasn't been initialized yet.
Dynamic config isn't actually used in this test script, so let's just
run slapd off the config file directly.
---
tests/scripts/test077-sasl-gssapi | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
index 19f665622..20c414600 100755
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -21,22 +21,15 @@ if test $WITH_SASL = no ; then
exit 0
fi
-SLAPTEST="$TESTWD/../servers/slapd/slaptest"
-CONFDIR=$TESTDIR/slapd.d
-
mkdir -p $TESTDIR $DBDIR1 $CONFDIR
cp -r $DATADIR/tls $TESTDIR
-cd $TESTWD
-
-
echo "Starting KDC for SASL/GSSAPI tests..."
. $SRCDIR/scripts/setup_kdc.sh
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
-$SLAPTEST -f $CONF1 -F $CONFDIR
-$SLAPADD -F $CONFDIR -l $LDIFORDERED
+$SLAPADD -f $CONF1 -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
@@ -45,7 +38,7 @@ if test $RC != 0 ; then
fi
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
-$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
--
2.26.2

220
SOURCES/openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
View File

@ -1,220 +0,0 @@
NOTE: The patch has been adjusted to match the base code before backporting.
From 16f8b0902c28b1eaab93ddf120ce40b89bcda8d1 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Tue, 10 Sep 2013 04:26:51 -0700
Subject: [PATCH] ITS#7398 add LDAP_OPT_X_TLS_PEERCERT
retrieve peer cert for an active TLS session
---
doc/man/man3/ldap_get_option.3 | 8 ++++++++
include/ldap.h | 1 +
libraries/libldap/ldap-tls.h | 2 ++
libraries/libldap/tls2.c | 23 +++++++++++++++++++++++
libraries/libldap/tls_g.c | 19 +++++++++++++++++++
libraries/libldap/tls_m.c | 17 +++++++++++++++++
libraries/libldap/tls_o.c | 16 ++++++++++++++++
7 files changed, 86 insertions(+)
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index e67de75e9..1bb55d357 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -732,6 +732,14 @@ A non-zero value pointed to by
.BR invalue
tells the library to create a context for a server.
.TP
+.B LDAP_OPT_X_TLS_PEERCERT
+Gets the peer's certificate in DER format from an established TLS session.
+.BR outvalue
+must be
+.BR "struct berval *" ,
+and the data it returns needs to be freed by the caller using
+.BR ldap_memfree (3).
+.TP
.B LDAP_OPT_X_TLS_PROTOCOL_MIN
Sets/gets the minimum protocol version.
.BR invalue
diff --git a/include/ldap.h b/include/ldap.h
index 4de3f7f32..97ca524d7 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -161,6 +161,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
#define LDAP_OPT_X_TLS_ECNAME 0x6012
+#define LDAP_OPT_X_TLS_PEERCERT 0x6015 /* read-only */
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
index 548814d7f..890d20dc7 100644
--- a/libraries/libldap/ldap-tls.h
+++ b/libraries/libldap/ldap-tls.h
@@ -43,6 +43,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
typedef int (TI_session_strength)(tls_session *sess);
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
+typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
typedef void (TI_thr_init)(void);
@@ -69,6 +70,7 @@ typedef struct tls_impl {
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
TI_session_unique *ti_session_unique;
+ TI_session_peercert *ti_session_peercert;
Sockbuf_IO *ti_sbio;
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 05fce3218..cbf73bdd5 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -718,6 +718,23 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
case LDAP_OPT_X_TLS_CONNECT_ARG:
*(void **)arg = lo->ldo_tls_connect_arg;
break;
+ case LDAP_OPT_X_TLS_PEERCERT: {
+ void *sess = NULL;
+ struct berval *bv = arg;
+ bv->bv_len = 0;
+ bv->bv_val = NULL;
+ if ( ld != NULL ) {
+ LDAPConn *conn = ld->ld_defconn;
+ if ( conn != NULL ) {
+ Sockbuf *sb = conn->lconn_sb;
+ sess = ldap_pvt_tls_sb_ctx( sb );
+ if ( sess != NULL )
+ return ldap_pvt_tls_get_peercert( sess, bv );
+ }
+ }
+ break;
+ }
+
default:
return -1;
}
@@ -1050,6 +1066,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
tls_session *session = s;
return tls_imp->ti_session_unique( session, buf, is_server );
}
+
+int
+ldap_pvt_tls_get_peercert( void *s, struct berval *der )
+{
+ tls_session *session = s;
+ return tls_imp->ti_session_peercert( session, der );
+}
#endif /* HAVE_TLS */
int
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index ce422387c..739680439 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -830,6 +830,24 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
return 0;
}
+static int
+tlsg_session_peercert( tls_session *sess, struct berval *der )
+{
+ tlsg_session *s = (tlsg_session *)sess;
+ const gnutls_datum_t *peer_cert_list;
+ unsigned int list_size;
+
+ peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
+ if (!peer_cert_list)
+ return -1;
+ der->bv_len = peer_cert_list[0].size;
+ der->bv_val = LDAP_MALLOC( der->bv_len );
+ if (!der->bv_val)
+ return -1;
+ memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
+ return 0;
+}
+
/* suites is a string of colon-separated cipher suite names. */
static int
tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
@@ -1166,6 +1184,7 @@ tls_impl ldap_int_tls_impl = {
tlsg_session_chkhost,
tlsg_session_strength,
tlsg_session_unique,
+ tlsg_session_peercert,
&tlsg_sbio,
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 4bd9e63cb..36dc989ef 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -2891,6 +2891,22 @@ tlsm_session_unique( tls_session *sess, struct berval *buf, int is_server)
return 0;
}
+static int
+tlsm_session_peercert( tls_session *sess, struct berval *der )
+{
+ tlsm_session *s = (tlsm_session *)sess;
+ CERTCertificate *cert;
+ cert = SSL_PeerCertificate( s );
+ if (!cert)
+ return -1;
+ der->bv_len = cert->derCert.len;
+ der->bv_val = LDAP_MALLOC( der->bv_len );
+ if (!der->bv_val)
+ return -1;
+ memcpy( der->bv_val, cert->derCert.data, der->bv_len );
+ return 0;
+}
+
/*
* TLS support for LBER Sockbufs
*/
@@ -3322,6 +3338,7 @@ tls_impl ldap_int_tls_impl = {
tlsm_session_chkhost,
tlsm_session_strength,
tlsm_session_unique,
+ tlsm_session_peercert,
&tlsm_sbio,
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 6288456d3..1fa50392f 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -721,6 +721,21 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
return buf->bv_len;
}
+static int
+tlso_session_peercert( tls_session *sess, struct berval *der )
+{
+ tlso_session *s = (tlso_session *)sess;
+ unsigned char *ptr;
+ X509 *x = SSL_get_peer_certificate(s);
+ der->bv_len = i2d_X509(x, NULL);
+ der->bv_val = LDAP_MALLOC(der->bv_len);
+ if ( !der->bv_val )
+ return -1;
+ ptr = der->bv_val;
+ i2d_X509(x, &ptr);
+ return 0;
+}
+
/*
* TLS support for LBER Sockbufs
*/
@@ -1229,6 +1244,7 @@ tls_impl ldap_int_tls_impl = {
tlso_session_chkhost,
tlso_session_strength,
tlso_session_unique,
+ tlso_session_peercert,
&tlso_sbio,
--
2.26.2

70
SOURCES/openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch
View File

@ -1,70 +0,0 @@
From 465b1c5972eef1d4e60eb98ae3776d33e270853d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <okuznik@symas.com>
Date: Fri, 15 Jun 2018 15:12:28 +0100
Subject: [PATCH] ITS#8573 Add missing URI variables for tests
---
tests/scripts/conf.sh | 18 ++++++++++++++++++
tests/scripts/defines.sh | 7 +++++++
2 files changed, 25 insertions(+)
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
index fe5e60509..02629f190 100755
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@@ -75,6 +75,24 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s;@PORT4@;${PORT4};" \
-e "s;@PORT5@;${PORT5};" \
-e "s;@PORT6@;${PORT6};" \
+ -e "s;@SURI1@;${SURI1};" \
+ -e "s;@SURI2@;${SURI2};" \
+ -e "s;@SURI3@;${SURI3};" \
+ -e "s;@SURI4@;${SURI4};" \
+ -e "s;@SURI5@;${SURI5};" \
+ -e "s;@SURI6@;${SURI6};" \
+ -e "s;@URIP1@;${URIP1};" \
+ -e "s;@URIP2@;${URIP2};" \
+ -e "s;@URIP3@;${URIP3};" \
+ -e "s;@URIP4@;${URIP4};" \
+ -e "s;@URIP5@;${URIP5};" \
+ -e "s;@URIP6@;${URIP6};" \
+ -e "s;@SURIP1@;${SURIP1};" \
+ -e "s;@SURIP2@;${SURIP2};" \
+ -e "s;@SURIP3@;${SURIP3};" \
+ -e "s;@SURIP4@;${SURIP4};" \
+ -e "s;@SURIP5@;${SURIP5};" \
+ -e "s;@SURIP6@;${SURIP6};" \
-e "s/@SASL_MECH@/${SASL_MECH}/" \
-e "s;@TESTDIR@;${TESTDIR};" \
-e "s;@TESTWD@;${TESTWD};" \
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 2c9e8f76a..9816034f9 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -223,16 +223,23 @@ URIP2="ldap://${LOCALIP}:$PORT2/"
URI3="ldap://${LOCALHOST}:$PORT3/"
URIP3="ldap://${LOCALIP}:$PORT3/"
URI4="ldap://${LOCALHOST}:$PORT4/"
+URIP4="ldap://${LOCALIP}:$PORT4/"
URI5="ldap://${LOCALHOST}:$PORT5/"
+URIP5="ldap://${LOCALIP}:$PORT5/"
URI6="ldap://${LOCALHOST}:$PORT6/"
+URIP6="ldap://${LOCALIP}:$PORT6/"
SURI1="ldaps://${LOCALHOST}:$PORT1/"
SURIP1="ldaps://${LOCALIP}:$PORT1/"
SURI2="ldaps://${LOCALHOST}:$PORT2/"
SURIP2="ldaps://${LOCALIP}:$PORT2/"
SURI3="ldaps://${LOCALHOST}:$PORT3/"
+SURIP3="ldaps://${LOCALIP}:$PORT3/"
SURI4="ldaps://${LOCALHOST}:$PORT4/"
+SURIP4="ldaps://${LOCALIP}:$PORT4/"
SURI5="ldaps://${LOCALHOST}:$PORT5/"
+SURIP5="ldaps://${LOCALIP}:$PORT5/"
SURI6="ldaps://${LOCALHOST}:$PORT6/"
+SURIP6="ldaps://${LOCALIP}:$PORT6/"
# LDIF
LDIF=$DATADIR/test.ldif
--
2.26.2

2108
SOURCES/openldap-cbinding-ITS-8573-TLS-option-test-suite.patch
View File

File diff suppressed because it is too large Load Diff

582
SOURCES/openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch
View File

@ -1,582 +0,0 @@
NOTE: The patch has been adjusted to match the base code before backporting.
From 8a259e3df16def3f05828f355e98a5089cd6e6d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Thu, 14 Jun 2018 16:14:15 +0100
Subject: [PATCH] ITS#8573 allow all libldap options in tools -o option
---
clients/tools/common.c | 15 ++-
doc/devel/args | 2 +-
doc/man/man1/ldapcompare.1 | 9 +-
doc/man/man1/ldapdelete.1 | 9 +-
doc/man/man1/ldapexop.1 | 9 +-
doc/man/man1/ldapmodify.1 | 9 +-
doc/man/man1/ldapmodrdn.1 | 9 +-
doc/man/man1/ldappasswd.1 | 9 +-
doc/man/man1/ldapsearch.1 | 9 +-
doc/man/man1/ldapwhoami.1 | 13 ++-
doc/man/man8/slapcat.8 | 2 +-
include/ldap_pvt.h | 5 +
libraries/libldap/init.c | 231 ++++++++++++++++++++++---------------
servers/slapd/slapcommon.c | 5 +-
14 files changed, 200 insertions(+), 136 deletions(-)
diff --git a/clients/tools/common.c b/clients/tools/common.c
index 1cd8a2c1b..b1edffdaf 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -374,9 +374,9 @@ N_(" -I use SASL Interactive mode\n"),
N_(" -n show what would be done but don't actually do it\n"),
N_(" -N do not use reverse DNS to canonicalize SASL host name\n"),
N_(" -O props SASL security properties\n"),
-N_(" -o <opt>[=<optparam>] general options\n"),
+N_(" -o <opt>[=<optparam>] any libldap ldap.conf options, plus\n"),
+N_(" ldif_wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
N_(" nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
-N_(" ldif-wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
N_(" -p port port on LDAP server\n"),
N_(" -Q use SASL Quiet mode\n"),
N_(" -R realm SASL realm\n"),
@@ -838,6 +838,11 @@ tool_args( int argc, char **argv )
if ( (cvalue = strchr( control, '=' )) != NULL ) {
*cvalue++ = '\0';
}
+ for ( next=control; *next; next++ ) {
+ if ( *next == '-' ) {
+ *next = '_';
+ }
+ }
if ( strcasecmp( control, "nettimeout" ) == 0 ) {
if( nettimeout.tv_sec != -1 ) {
@@ -867,7 +872,7 @@ tool_args( int argc, char **argv )
exit( EXIT_FAILURE );
}
- } else if ( strcasecmp( control, "ldif-wrap" ) == 0 ) {
+ } else if ( strcasecmp( control, "ldif_wrap" ) == 0 ) {
if ( cvalue == 0 ) {
ldif_wrap = LDIF_LINE_WIDTH;
@@ -878,13 +883,13 @@ tool_args( int argc, char **argv )
unsigned int u;
if ( lutil_atou( &u, cvalue ) ) {
fprintf( stderr,
- _("Unable to parse ldif-wrap=\"%s\"\n"), cvalue );
+ _("Unable to parse ldif_wrap=\"%s\"\n"), cvalue );
exit( EXIT_FAILURE );
}
ldif_wrap = (ber_len_t)u;
}
- } else {
+ } else if ( ldap_pvt_conf_option( control, cvalue, 1 ) ) {
fprintf( stderr, "Invalid general option name: %s\n",
control );
usage();
diff --git a/doc/devel/args b/doc/devel/args
index 9796fe528..c5aa02f11 100644
--- a/doc/devel/args
+++ b/doc/devel/args
@@ -28,7 +28,7 @@ ldapwhoami * DE**HI** NO QR UVWXYZ def*h*** *nop* vwxy
-h host
-n no-op
-N no (SASLprep) normalization of simple bind password
- -o general options (currently nettimeout and ldif-wrap only)
+ -o general libldap options (plus ldif_wrap and nettimeout for backwards comp.)
-p port
-v verbose
-V version
diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
index 9e66cd4b2..a0e58d7c3 100644
--- a/doc/man/man1/ldapcompare.1
+++ b/doc/man/man1/ldapcompare.1
@@ -186,13 +186,14 @@ Compare extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
index 394d35275..85dbf4360 100644
--- a/doc/man/man1/ldapdelete.1
+++ b/doc/man/man1/ldapdelete.1
@@ -192,13 +192,14 @@ Delete extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
index 503d681ca..26e1730a8 100644
--- a/doc/man/man1/ldapexop.1
+++ b/doc/man/man1/ldapexop.1
@@ -189,13 +189,14 @@ Specify general extensions. \'!\' indicates criticality.
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
index 2792d460b..6c277d89c 100644
--- a/doc/man/man1/ldapmodify.1
+++ b/doc/man/man1/ldapmodify.1
@@ -255,13 +255,14 @@ Modify extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
index 5d0f3fcd9..b24e500fe 100644
--- a/doc/man/man1/ldapmodrdn.1
+++ b/doc/man/man1/ldapmodrdn.1
@@ -186,13 +186,14 @@ Modrdn extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
index 36857ab8f..a2805e57b 100644
--- a/doc/man/man1/ldappasswd.1
+++ b/doc/man/man1/ldappasswd.1
@@ -188,13 +188,14 @@ Passwd Modify extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
index 036ce6245..1914eafbf 100644
--- a/doc/man/man1/ldapsearch.1
+++ b/doc/man/man1/ldapsearch.1
@@ -332,13 +332,14 @@ Search extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
index 5912af5ba..2c8cfded2 100644
--- a/doc/man/man1/ldapwhoami.1
+++ b/doc/man/man1/ldapwhoami.1
@@ -143,13 +143,18 @@ WhoAmI extensions:
.TP
.BI \-o \ opt \fR[= optparam \fR]
-Specify general options.
-
-General options:
+Specify any
+.BR ldap.conf (5)
+option or one of the following:
.nf
nettimeout=<timeout> (in seconds, or "none" or "max")
- ldif-wrap=<width> (in columns, or "no" for no wrapping)
+ ldif_wrap=<width> (in columns, or "no" for no wrapping)
.fi
+
+.B -o
+option that can be passed here, check
+.BR ldap.conf (5)
+for details.
.TP
.BI \-O \ security-properties
Specify SASL security properties.
diff --git a/doc/man/man8/slapcat.8 b/doc/man/man8/slapcat.8
index 57c41deff..2085e9176 100644
--- a/doc/man/man8/slapcat.8
+++ b/doc/man/man8/slapcat.8
@@ -149,7 +149,7 @@ Possible generic options/values are:
syslog\-level=<level> (see `\-S' in slapd(8))
syslog\-user=<user> (see `\-l' in slapd(8))
- ldif-wrap={no|<n>}
+ ldif_wrap={no|<n>}
.in
\fIn\fP is the number of columns allowed for the LDIF output
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 31f37277c..e86b032cb 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -326,6 +326,11 @@ struct ldifrecord;
LDAP_F ( int ) ldap_pvt_discard LDAP_P((
struct ldap *ld, ber_int_t msgid ));
+/* init.c */
+LDAP_F( int )
+ldap_pvt_conf_option LDAP_P((
+ char *cmd, char *opt, int userconf ));
+
/* messages.c */
LDAP_F( BerElement * )
ldap_get_message_ber LDAP_P((
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 548d2c1cb..4a7e81bdb 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -147,6 +147,141 @@ static const struct ol_attribute {
#define MAX_LDAP_ATTR_LEN sizeof("GSSAPI_ALLOW_REMOTE_PRINCIPAL")
#define MAX_LDAP_ENV_PREFIX_LEN 8
+static int
+ldap_int_conf_option(
+ struct ldapoptions *gopts,
+ char *cmd, char *opt, int userconf )
+{
+ int i;
+
+ for(i=0; attrs[i].type != ATTR_NONE; i++) {
+ void *p;
+
+ if( !userconf && attrs[i].useronly ) {
+ continue;
+ }
+
+ if(strcasecmp(cmd, attrs[i].name) != 0) {
+ continue;
+ }
+
+ switch(attrs[i].type) {
+ case ATTR_BOOL:
+ if((strcasecmp(opt, "on") == 0)
+ || (strcasecmp(opt, "yes") == 0)
+ || (strcasecmp(opt, "true") == 0))
+ {
+ LDAP_BOOL_SET(gopts, attrs[i].offset);
+
+ } else {
+ LDAP_BOOL_CLR(gopts, attrs[i].offset);
+ }
+
+ break;
+
+ case ATTR_INT: {
+ char *next;
+ long l;
+ p = &((char *) gopts)[attrs[i].offset];
+ l = strtol( opt, &next, 10 );
+ if ( next != opt && next[ 0 ] == '\0' ) {
+ * (int*) p = l;
+ }
+ } break;
+
+ case ATTR_KV: {
+ const struct ol_keyvalue *kv;
+
+ for(kv = attrs[i].data;
+ kv->key != NULL;
+ kv++) {
+
+ if(strcasecmp(opt, kv->key) == 0) {
+ p = &((char *) gopts)[attrs[i].offset];
+ * (int*) p = kv->value;
+ break;
+ }
+ }
+ } break;
+
+ case ATTR_STRING:
+ p = &((char *) gopts)[attrs[i].offset];
+ if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
+ * (char**) p = LDAP_STRDUP(opt);
+ break;
+ case ATTR_OPTION:
+ ldap_set_option( NULL, attrs[i].offset, opt );
+ break;
+ case ATTR_SASL:
+#ifdef HAVE_CYRUS_SASL
+ ldap_int_sasl_config( gopts, attrs[i].offset, opt );
+#endif
+ break;
+ case ATTR_GSSAPI:
+#ifdef HAVE_GSSAPI
+ ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
+#endif
+ break;
+ case ATTR_TLS:
+#ifdef HAVE_TLS
+ ldap_int_tls_config( NULL, attrs[i].offset, opt );
+#endif
+ break;
+ case ATTR_OPT_TV: {
+ struct timeval tv;
+ char *next;
+ tv.tv_usec = 0;
+ tv.tv_sec = strtol( opt, &next, 10 );
+ if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
+ (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
+ }
+ } break;
+ case ATTR_OPT_INT: {
+ long l;
+ char *next;
+ l = strtol( opt, &next, 10 );
+ if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
+ int v = (int)l;
+ (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
+ }
+ } break;
+ }
+
+ break;
+ }
+
+ if ( attrs[i].type == ATTR_NONE ) {
+ Debug( LDAP_DEBUG_TRACE, "ldap_int_tls_config: "
+ "unknown option '%s'",
+ cmd, 0, 0 );
+ return 1;
+ }
+
+ return 0;
+}
+
+int
+ldap_pvt_conf_option(
+ char *cmd, char *opt, int userconf )
+{
+ struct ldapoptions *gopts;
+ int rc = LDAP_OPT_ERROR;
+
+ /* Get pointer to global option structure */
+ gopts = LDAP_INT_GLOBAL_OPT();
+ if (NULL == gopts) {
+ return LDAP_NO_MEMORY;
+ }
+
+ if ( gopts->ldo_valid != LDAP_INITIALIZED ) {
+ ldap_int_initialize(gopts, NULL);
+ if ( gopts->ldo_valid != LDAP_INITIALIZED )
+ return LDAP_LOCAL_ERROR;
+ }
+
+ return ldap_int_conf_option( gopts, cmd, opt, userconf );
+}
+
static void openldap_ldap_init_w_conf(
const char *file, int userconf )
{
@@ -212,101 +347,7 @@ static void openldap_ldap_init_w_conf(
while(isspace((unsigned char)*start)) start++;
opt = start;
- for(i=0; attrs[i].type != ATTR_NONE; i++) {
- void *p;
-
- if( !userconf && attrs[i].useronly ) {
- continue;
- }
-
- if(strcasecmp(cmd, attrs[i].name) != 0) {
- continue;
- }
-
- switch(attrs[i].type) {
- case ATTR_BOOL:
- if((strcasecmp(opt, "on") == 0)
- || (strcasecmp(opt, "yes") == 0)
- || (strcasecmp(opt, "true") == 0))
- {
- LDAP_BOOL_SET(gopts, attrs[i].offset);
-
- } else {
- LDAP_BOOL_CLR(gopts, attrs[i].offset);
- }
-
- break;
-
- case ATTR_INT: {
- char *next;
- long l;
- p = &((char *) gopts)[attrs[i].offset];
- l = strtol( opt, &next, 10 );
- if ( next != opt && next[ 0 ] == '\0' ) {
- * (int*) p = l;
- }
- } break;
-
- case ATTR_KV: {
- const struct ol_keyvalue *kv;
-
- for(kv = attrs[i].data;
- kv->key != NULL;
- kv++) {
-
- if(strcasecmp(opt, kv->key) == 0) {
- p = &((char *) gopts)[attrs[i].offset];
- * (int*) p = kv->value;
- break;
- }
- }
- } break;
-
- case ATTR_STRING:
- p = &((char *) gopts)[attrs[i].offset];
- if (* (char**) p != NULL) LDAP_FREE(* (char**) p);
- * (char**) p = LDAP_STRDUP(opt);
- break;
- case ATTR_OPTION:
- ldap_set_option( NULL, attrs[i].offset, opt );
- break;
- case ATTR_SASL:
-#ifdef HAVE_CYRUS_SASL
- ldap_int_sasl_config( gopts, attrs[i].offset, opt );
-#endif
- break;
- case ATTR_GSSAPI:
-#ifdef HAVE_GSSAPI
- ldap_int_gssapi_config( gopts, attrs[i].offset, opt );
-#endif
- break;
- case ATTR_TLS:
-#ifdef HAVE_TLS
- ldap_int_tls_config( NULL, attrs[i].offset, opt );
-#endif
- break;
- case ATTR_OPT_TV: {
- struct timeval tv;
- char *next;
- tv.tv_usec = 0;
- tv.tv_sec = strtol( opt, &next, 10 );
- if ( next != opt && next[ 0 ] == '\0' && tv.tv_sec > 0 ) {
- (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&tv );
- }
- } break;
- case ATTR_OPT_INT: {
- long l;
- char *next;
- l = strtol( opt, &next, 10 );
- if ( next != opt && next[ 0 ] == '\0' && l > 0 && (long)((int)l) == l ) {
- int v = (int)l;
- (void)ldap_set_option( NULL, attrs[i].offset, (const void *)&v );
- }
- } break;
- }
-
- break;
- }
+ ldap_int_conf_option( gopts, cmd, opt, userconf );
}
fclose(fp);
diff --git a/servers/slapd/slapcommon.c b/servers/slapd/slapcommon.c
index 87ea0ea06..39384e5e9 100644
--- a/servers/slapd/slapcommon.c
+++ b/servers/slapd/slapcommon.c
@@ -228,7 +228,8 @@ parse_slapopt( int tool, int *mode )
break;
}
- } else if ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) {
+ } else if ( ( strncasecmp( optarg, "ldif_wrap", len ) == 0 ) ||
+ ( strncasecmp( optarg, "ldif-wrap", len ) == 0 ) ) {
switch ( tool ) {
case SLAPCAT:
if ( strcasecmp( p, "no" ) == 0 ) {
@@ -237,7 +238,7 @@ parse_slapopt( int tool, int *mode )
} else {
unsigned int u;
if ( lutil_atou( &u, p ) ) {
- Debug( LDAP_DEBUG_ANY, "unable to parse ldif-wrap=\"%s\".\n", p, 0, 0 );
+ Debug( LDAP_DEBUG_ANY, "unable to parse ldif_wrap=\"%s\".\n", p, 0, 0 );
return -1;
}
ldif_wrap = (ber_len_t)u;
--
2.26.2

631
SOURCES/openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch
View File

@ -1,631 +0,0 @@
NOTE: The patch has been adjusted to match the base code before backporting.
From 3cd50fa8b32a21040a9892e2a8a7a9dfc7541ce6 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 Apr 2020 16:10:48 +0300
Subject: [PATCH] ITS#9189 rework sasl-cbinding support
Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use,
defaults to "none".
Add "tls-endpoint" binding type implementing "tls-server-end-point" from
RCF 5929, which is compatible with Windows.
Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.
---
doc/man/man3/ldap_get_option.3 | 16 +++++
doc/man/man5/ldap.conf.5 | 3 +
doc/man/man5/slapd-config.5 | 4 ++
doc/man/man5/slapd.conf.5 | 3 +
include/ldap.h | 5 ++
include/ldap_pvt.h | 5 ++
libraries/libldap/cyrus.c | 103 ++++++++++++++++++++++++++++-----
libraries/libldap/init.c | 1 +
libraries/libldap/ldap-int.h | 1 +
libraries/libldap/ldap-tls.h | 2 +
libraries/libldap/tls2.c | 7 +++
libraries/libldap/tls_g.c | 59 +++++++++++++++++++
libraries/libldap/tls_o.c | 45 ++++++++++++++
servers/slapd/bconfig.c | 11 +++-
servers/slapd/config.c | 1 +
servers/slapd/connection.c | 9 +--
servers/slapd/proto-slap.h | 4 +-
servers/slapd/sasl.c | 27 ++++++---
18 files changed, 274 insertions(+), 32 deletions(-)
diff --git a/doc/man/man3/ldap_get_option.3 b/doc/man/man3/ldap_get_option.3
index 4f03a01a3..fd1b3c91c 100644
--- a/doc/man/man3/ldap_get_option.3
+++ b/doc/man/man3/ldap_get_option.3
@@ -563,6 +563,22 @@ must be a
.BR "char **" .
Its content needs to be freed by the caller using
.BR ldap_memfree (3).
+.B LDAP_OPT_X_SASL_CBINDING
+Sets/gets the channel-binding type to use in SASL,
+one of
+.BR LDAP_OPT_X_SASL_CBINDING_NONE
+(the default),
+.BR LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE
+the "tls-unique" type from RCF 5929.
+.BR LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT
+the "tls-server-end-point" from RCF 5929, compatible with Windows.
+.BR invalue
+must be
+.BR "const int *" ;
+.BR outvalue
+must be
+.BR "int *" .
+.TP
.SH TCP OPTIONS
The TCP options are OpenLDAP specific.
Mainly intended for use with Linux, they may not be portable.
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index 65ad40c1b..4974f8340 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -286,6 +286,9 @@ size allowed. 0 disables security layers. The default is 65536.
.TP
.B SASL_NOCANON <on/true/yes/off/false/no>
Do not perform reverse DNS lookups to canonicalize SASL host names. The default is off.
+.TP
+.B SASL_CBINDING <none/tls-unique/tls-endpoint>
+The channel-binding type to use, see also LDAP_OPT_X_SASL_CBINDING. The default is none.
.SH GSSAPI OPTIONS
If OpenLDAP is built with Generic Security Services Application Programming Interface support,
there are more options you can specify.
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 18518a186..dc0ab769f 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -720,6 +720,10 @@ Used to specify the fully qualified domain name used for SASL processing.
.B olcSaslRealm: <realm>
Specify SASL realm. Default is empty.
.TP
+.B olcSaslCbinding: none | tls-unique | tls-endpoint
+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
+Default is none.
+.TP
.B olcSaslSecProps: <properties>
Used to specify Cyrus SASL security properties.
The
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index f2094b7fd..73a151a70 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -914,6 +914,9 @@ The
property specifies the maximum security layer receive buffer
size allowed. 0 disables security layers. The default is 65536.
.TP
+.B sasl\-cbinding none | tls-unique | tls-endpoint
+Specify the channel-binding type, see also LDAP_OPT_X_SASL_CBINDING.
+.TP
.B schemadn <dn>
Specify the distinguished name for the subschema subentry that
controls the entries on this server. The default is "cn=Subschema".
diff --git a/include/ldap.h b/include/ldap.h
index 7b4fc9d64..9d5679ae8 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -186,6 +186,10 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_1 ((3 << 8) + 2)
#define LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 ((3 << 8) + 3)
+#define LDAP_OPT_X_SASL_CBINDING_NONE 0
+#define LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE 1
+#define LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT 2
+
/* OpenLDAP SASL options */
#define LDAP_OPT_X_SASL_MECH 0x6100
#define LDAP_OPT_X_SASL_REALM 0x6101
@@ -201,6 +205,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_SASL_NOCANON 0x610b
#define LDAP_OPT_X_SASL_USERNAME 0x610c /* read-only */
#define LDAP_OPT_X_SASL_GSS_CREDS 0x610d
+#define LDAP_OPT_X_SASL_CBINDING 0x610e
/* OpenLDAP GSSAPI options */
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h
index 783d280a5..01220d00a 100644
--- a/include/ldap_pvt.h
+++ b/include/ldap_pvt.h
@@ -262,6 +262,10 @@ LDAP_F (void *) ldap_pvt_sasl_mutex_new LDAP_P((void));
LDAP_F (int) ldap_pvt_sasl_mutex_lock LDAP_P((void *mutex));
LDAP_F (int) ldap_pvt_sasl_mutex_unlock LDAP_P((void *mutex));
LDAP_F (void) ldap_pvt_sasl_mutex_dispose LDAP_P((void *mutex));
+
+LDAP_F (int) ldap_pvt_sasl_cbinding_parse LDAP_P(( const char *arg ));
+LDAP_F (void *) ldap_pvt_sasl_cbinding LDAP_P(( void *ssl, int type,
+ int is_server ));
#endif /* HAVE_CYRUS_SASL */
struct sockbuf; /* avoid pulling in <lber.h> */
@@ -438,6 +442,7 @@ LDAP_F (int) ldap_pvt_tls_get_peer_dn LDAP_P(( void *ctx, struct berval *dn,
LDAPDN_rewrite_dummy *func, unsigned flags ));
LDAP_F (int) ldap_pvt_tls_get_strength LDAP_P(( void *ctx ));
LDAP_F (int) ldap_pvt_tls_get_unique LDAP_P(( void *ctx, struct berval *buf, int is_server ));
+LDAP_F (int) ldap_pvt_tls_get_endpoint LDAP_P(( void *ctx, struct berval *buf, int is_server ));
LDAP_END_DECL
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index beb1cf4a0..4d4d5b3e3 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -372,6 +372,65 @@ int ldap_int_sasl_close( LDAP *ld, LDAPConn *lc )
return LDAP_SUCCESS;
}
+int ldap_pvt_sasl_cbinding_parse( const char *arg )
+{
+ int i = -1;
+
+ if ( strcasecmp(arg, "none") == 0 )
+ i = LDAP_OPT_X_SASL_CBINDING_NONE;
+ else if ( strcasecmp(arg, "tls-unique") == 0 )
+ i = LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE;
+ else if ( strcasecmp(arg, "tls-endpoint") == 0 )
+ i = LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT;
+
+ return i;
+}
+
+void *ldap_pvt_sasl_cbinding( void *ssl, int type, int is_server )
+{
+#if defined(SASL_CHANNEL_BINDING) && defined(HAVE_TLS)
+ char unique_prefix[] = "tls-unique:";
+ char endpoint_prefix[] = "tls-server-end-point:";
+ char cbinding[ 64 ];
+ struct berval cbv = { 64, cbinding };
+ void *cb_data; /* used since cb->data is const* */
+ sasl_channel_binding_t *cb;
+ char *prefix;
+ int plen;
+
+ switch (type) {
+ case LDAP_OPT_X_SASL_CBINDING_NONE:
+ return NULL;
+ case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
+ if ( !ldap_pvt_tls_get_unique( ssl, &cbv, is_server ))
+ return NULL;
+ prefix = unique_prefix;
+ plen = sizeof(unique_prefix) -1;
+ break;
+ case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
+ if ( !ldap_pvt_tls_get_endpoint( ssl, &cbv, is_server ))
+ return NULL;
+ prefix = endpoint_prefix;
+ plen = sizeof(endpoint_prefix) -1;
+ break;
+ default:
+ return NULL;
+ }
+
+ cb = ldap_memalloc( sizeof(*cb) + plen + cbv.bv_len );
+ cb->len = plen + cbv.bv_len;
+ cb->data = cb_data = cb+1;
+ memcpy( cb_data, prefix, plen );
+ memcpy( cb_data + plen, cbv.bv_val, cbv.bv_len );
+ cb->name = "ldap";
+ cb->critical = 0;
+
+ return cb;
+#else
+ return NULL;
+#endif
+}
+
int
ldap_int_sasl_bind(
LDAP *ld,
@@ -497,17 +556,12 @@ ldap_int_sasl_bind(
(void) ldap_int_sasl_external( ld, ld->ld_defconn, authid.bv_val, fac );
LDAP_FREE( authid.bv_val );
#ifdef SASL_CHANNEL_BINDING /* 2.1.25+ */
- {
- char cbinding[64];
- struct berval cbv = { sizeof(cbinding), cbinding };
- if ( ldap_pvt_tls_get_unique( ssl, &cbv, 0 )) {
- sasl_channel_binding_t *cb = ldap_memalloc( sizeof(*cb) +
- cbv.bv_len);
- cb->name = "ldap";
- cb->critical = 0;
- cb->data = (char *)(cb+1);
- cb->len = cbv.bv_len;
- memcpy( cb->data, cbv.bv_val, cbv.bv_len );
+ if ( ld->ld_defconn->lconn_sasl_cbind == NULL ) {
+ void *cb;
+ cb = ldap_pvt_sasl_cbinding( ssl,
+ ld->ld_options.ldo_sasl_cbinding,
+ 0 );
+ if ( cb != NULL ) {
sasl_setprop( ld->ld_defconn->lconn_sasl_authctx,
SASL_CHANNEL_BINDING, cb );
ld->ld_defconn->lconn_sasl_cbind = cb;
@@ -931,12 +983,20 @@ int ldap_pvt_sasl_secprops(
int
ldap_int_sasl_config( struct ldapoptions *lo, int option, const char *arg )
{
- int rc;
+ int rc, i;
switch( option ) {
case LDAP_OPT_X_SASL_SECPROPS:
rc = ldap_pvt_sasl_secprops( arg, &lo->ldo_sasl_secprops );
if( rc == LDAP_SUCCESS ) return 0;
+ break;
+ case LDAP_OPT_X_SASL_CBINDING:
+ i = ldap_pvt_sasl_cbinding_parse( arg );
+ if ( i >= 0 ) {
+ lo->ldo_sasl_cbinding = i;
+ return 0;
+ }
+ break;
}
return -1;
@@ -1042,6 +1102,10 @@ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
/* this option is write only */
return -1;
+ case LDAP_OPT_X_SASL_CBINDING:
+ *(int *)arg = ld->ld_options.ldo_sasl_cbinding;
+ break;
+
#ifdef SASL_GSS_CREDS
case LDAP_OPT_X_SASL_GSS_CREDS: {
sasl_conn_t *ctx;
@@ -1143,6 +1207,17 @@ ldap_int_sasl_set_option( LDAP *ld, int option, void *arg )
return sc == LDAP_SUCCESS ? 0 : -1;
}
+ case LDAP_OPT_X_SASL_CBINDING:
+ if ( !arg ) return -1;
+ switch( *(int *) arg ) {
+ case LDAP_OPT_X_SASL_CBINDING_NONE:
+ case LDAP_OPT_X_SASL_CBINDING_TLS_UNIQUE:
+ case LDAP_OPT_X_SASL_CBINDING_TLS_ENDPOINT:
+ ld->ld_options.ldo_sasl_cbinding = *(int *) arg;
+ return 0;
+ }
+ return -1;
+
#ifdef SASL_GSS_CREDS
case LDAP_OPT_X_SASL_GSS_CREDS: {
sasl_conn_t *ctx;
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 3468ee249..dfe1ea9da 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -110,6 +110,7 @@ static const struct ol_attribute {
offsetof(struct ldapoptions, ldo_def_sasl_authzid)},
{0, ATTR_SASL, "SASL_SECPROPS", NULL, LDAP_OPT_X_SASL_SECPROPS},
{0, ATTR_BOOL, "SASL_NOCANON", NULL, LDAP_BOOL_SASL_NOCANON},
+ {0, ATTR_SASL, "SASL_CBINDING", NULL, LDAP_OPT_X_SASL_CBINDING},
#endif
#ifdef HAVE_GSSAPI
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 67e8bd6da..c6c6891a9 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -300,6 +300,7 @@ struct ldapoptions {
/* SASL Security Properties */
struct sasl_security_properties ldo_sasl_secprops;
+ int ldo_sasl_cbinding;
#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
#else
#define LDAP_LDO_SASL_NULLARG
diff --git a/libraries/libldap/ldap-tls.h b/libraries/libldap/ldap-tls.h
index efd51aaa2..9f01ddda1 100644
--- a/libraries/libldap/ldap-tls.h
+++ b/libraries/libldap/ldap-tls.h
@@ -42,6 +42,7 @@ typedef int (TI_session_dn)(tls_session *sess, struct berval *dn);
typedef int (TI_session_chkhost)(LDAP *ld, tls_session *s, const char *name_in);
typedef int (TI_session_strength)(tls_session *sess);
typedef int (TI_session_unique)(tls_session *sess, struct berval *buf, int is_server);
+typedef int (TI_session_endpoint)(tls_session *sess, struct berval *buf, int is_server);
typedef int (TI_session_peercert)(tls_session *s, struct berval *der);
typedef void (TI_thr_init)(void);
@@ -69,6 +70,7 @@ typedef struct tls_impl {
TI_session_chkhost *ti_session_chkhost;
TI_session_strength *ti_session_strength;
TI_session_unique *ti_session_unique;
+ TI_session_endpoint *ti_session_endpoint;
TI_session_peercert *ti_session_peercert;
Sockbuf_IO *ti_sbio;
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 79a651a38..72827a1a3 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -1200,6 +1200,13 @@ ldap_pvt_tls_get_unique( void *s, struct berval *buf, int is_server )
return tls_imp->ti_session_unique( session, buf, is_server );
}
+int
+ldap_pvt_tls_get_endpoint( void *s, struct berval *buf, int is_server )
+{
+ tls_session *session = s;
+ return tls_imp->ti_session_endpoint( session, buf, is_server );
+}
+
int
ldap_pvt_tls_get_peercert( void *s, struct berval *der )
{
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index 956a9ec90..ef0f44e20 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -729,6 +729,64 @@ tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
return 0;
}
+static int
+tlsg_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
+{
+ tlsg_session *s = (tlsg_session *)sess;
+ const gnutls_datum_t *cert_data;
+ gnutls_x509_crt_t server_cert;
+ gnutls_digest_algorithm_t md;
+ int sign_algo, md_len, rc;
+
+ if ( is_server )
+ cert_data = gnutls_certificate_get_ours( s->session );
+ else
+ cert_data = gnutls_certificate_get_peers( s->session, NULL );
+
+ if ( cert_data == NULL )
+ return 0;
+
+ rc = gnutls_x509_crt_init( &server_cert );
+ if ( rc != GNUTLS_E_SUCCESS )
+ return 0;
+
+ rc = gnutls_x509_crt_import( server_cert, cert_data, GNUTLS_X509_FMT_DER );
+ if ( rc != GNUTLS_E_SUCCESS ) {
+ gnutls_x509_crt_deinit( server_cert );
+ return 0;
+ }
+
+ sign_algo = gnutls_x509_crt_get_signature_algorithm( server_cert );
+ gnutls_x509_crt_deinit( server_cert );
+ if ( sign_algo <= GNUTLS_SIGN_UNKNOWN )
+ return 0;
+
+ md = gnutls_sign_get_hash_algorithm( sign_algo );
+ if ( md == GNUTLS_DIG_UNKNOWN )
+ return 0;
+
+ /* See RFC 5929 */
+ switch (md) {
+ case GNUTLS_DIG_NULL:
+ case GNUTLS_DIG_MD2:
+ case GNUTLS_DIG_MD5:
+ case GNUTLS_DIG_SHA1:
+ md = GNUTLS_DIG_SHA256;
+ }
+
+ md_len = gnutls_hash_get_len( md );
+ if ( md_len == 0 || md_len > buf->bv_len )
+ return 0;
+
+ rc = gnutls_hash_fast( md, cert_data->data, cert_data->size, buf->bv_val );
+ if ( rc != GNUTLS_E_SUCCESS )
+ return 0;
+
+ buf->bv_len = md_len;
+
+ return md_len;
+}
+
static int
tlsg_session_peercert( tls_session *sess, struct berval *der )
{
@@ -1117,6 +1175,7 @@ tls_impl ldap_int_tls_impl = {
tlsg_session_chkhost,
tlsg_session_strength,
tlsg_session_unique,
+ tlsg_session_endpoint,
tlsg_session_peercert,
&tlsg_sbio,
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index cf97d7632..aa855d77a 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -858,6 +858,50 @@ tlso_session_unique( tls_session *sess, struct berval *buf, int is_server)
return buf->bv_len;
}
+static int
+tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
+{
+ tlso_session *s = (tlso_session *)sess;
+ const EVP_MD *md;
+ unsigned int md_len;
+ X509 *cert;
+
+ if ( buf->bv_len < EVP_MAX_MD_SIZE )
+ return 0;
+
+ if ( is_server )
+ cert = SSL_get_certificate( s );
+ else
+ cert = SSL_get_peer_certificate( s );
+
+ if ( cert == NULL )
+ return 0;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
+#else
+ md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
+#endif
+
+ /* See RFC 5929 */
+ if ( md == NULL ||
+ md == EVP_md_null() ||
+#ifndef OPENSSL_NO_MD2
+ md == EVP_md2() ||
+#endif
+ md == EVP_md4() ||
+ md == EVP_md5() ||
+ md == EVP_sha1() )
+ md = EVP_sha256();
+
+ if ( !X509_digest( cert, md, buf->bv_val, &md_len ))
+ return 0;
+
+ buf->bv_len = md_len;
+
+ return md_len;
+}
+
static int
tlso_session_peercert( tls_session *sess, struct berval *der )
{
@@ -1474,6 +1518,7 @@ tls_impl ldap_int_tls_impl = {
tlso_session_chkhost,
tlso_session_strength,
tlso_session_unique,
+ tlso_session_endpoint,
tlso_session_peercert,
&tlso_sbio,
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 6069ee203..4c90715be 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -630,6 +630,15 @@ static ConfigTable config_back_cf_table[] = {
#endif
"( OLcfgGlAt:89 NAME 'olcSaslAuxprops' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ { "sasl-cbinding", NULL, 2, 2, 0,
+#ifdef HAVE_CYRUS_SASL
+ ARG_STRING, &sasl_cbinding,
+#else
+ ARG_IGNORED, NULL,
+#endif
+ "( OLcfgGlAt:100 NAME 'olcSaslCBinding' "
+ "EQUALITY caseIgnoreMatch "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "sasl-host", "host", 2, 2, 0,
#ifdef HAVE_CYRUS_SASL
ARG_STRING|ARG_UNIQUE, &sasl_host,
@@ -948,7 +957,7 @@ static ConfigOCs cf_ocs[] = {
"olcPluginLogFile $ olcReadOnly $ olcReferral $ "
"olcReplogFile $ olcRequires $ olcRestrict $ olcReverseLookup $ "
"olcRootDSE $ "
- "olcSaslAuxprops $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
+ "olcSaslAuxprops $ olcSaslCBinding $ olcSaslHost $ olcSaslRealm $ olcSaslSecProps $ "
"olcSecurity $ olcServerID $ olcSizeLimit $ "
"olcSockbufMaxIncoming $ olcSockbufMaxIncomingAuth $ "
"olcTCPBuffer $ "
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 060d3410f..3d713d4fb 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -73,6 +73,7 @@ char *global_host = NULL;
struct berval global_host_bv = BER_BVNULL;
char *global_realm = NULL;
char *sasl_host = NULL;
+char *sasl_cbinding = NULL;
char **default_passwd_hash = NULL;
struct berval default_search_base = BER_BVNULL;
struct berval default_search_nbase = BER_BVNULL;
diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
index 5f11a0cf1..6d9bb8e85 100644
--- a/servers/slapd/connection.c
+++ b/servers/slapd/connection.c
@@ -1440,12 +1440,9 @@ connection_read( ber_socket_t s, conn_readinfo *cri )
c->c_connid, (int) s, c->c_tls_ssf, c->c_ssf, 0 );
slap_sasl_external( c, c->c_tls_ssf, &authid );
if ( authid.bv_val ) free( authid.bv_val );
- {
- char cbinding[64];
- struct berval cbv = { sizeof(cbinding), cbinding };
- if ( ldap_pvt_tls_get_unique( ssl, &cbv, 1 ))
- slap_sasl_cbinding( c, &cbv );
- }
+
+ slap_sasl_cbinding( c, ssl );
+
} else if ( rc == 1 && ber_sockbuf_ctrl( c->c_sb,
LBER_SB_OPT_NEEDS_WRITE, NULL )) { /* need to retry */
slapd_set_write( s, 1 );
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index b89fa836a..0790a8004 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -1681,8 +1681,7 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
slap_ssf_t ssf, /* relative strength of external security */
struct berval *authid ); /* asserted authenication id */
-LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
- struct berval *cbv );
+LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c, void *ssl );
LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
@@ -2072,6 +2071,7 @@ LDAP_SLAPD_V (char *) global_host;
LDAP_SLAPD_V (struct berval) global_host_bv;
LDAP_SLAPD_V (char *) global_realm;
LDAP_SLAPD_V (char *) sasl_host;
+LDAP_SLAPD_V (char *) sasl_cbinding;
LDAP_SLAPD_V (char *) slap_sasl_auxprops;
LDAP_SLAPD_V (char **) default_passwd_hash;
LDAP_SLAPD_V (int) lber_debug;
diff --git a/servers/slapd/sasl.c b/servers/slapd/sasl.c
index fc023904a..5cced358c 100644
--- a/servers/slapd/sasl.c
+++ b/servers/slapd/sasl.c
@@ -1320,6 +1320,8 @@ int slap_sasl_destroy( void )
#endif
free( sasl_host );
sasl_host = NULL;
+ free( sasl_cbinding );
+ sasl_cbinding = NULL;
return 0;
}
@@ -1506,17 +1508,24 @@ int slap_sasl_external(
return LDAP_SUCCESS;
}
-int slap_sasl_cbinding( Connection *conn, struct berval *cbv )
+int slap_sasl_cbinding( Connection *conn, void *ssl )
{
#ifdef SASL_CHANNEL_BINDING
- sasl_channel_binding_t *cb = ch_malloc( sizeof(*cb) + cbv->bv_len );;
- cb->name = "ldap";
- cb->critical = 0;
- cb->data = (char *)(cb+1);
- cb->len = cbv->bv_len;
- memcpy( cb->data, cbv->bv_val, cbv->bv_len );
- sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
- conn->c_sasl_cbind = cb;
+ void *cb;
+ int i;
+
+ if ( sasl_cbinding == NULL )
+ return LDAP_SUCCESS;
+
+ i = ldap_pvt_sasl_cbinding_parse( sasl_cbinding );
+ if ( i < 0 )
+ return LDAP_SUCCESS;
+
+ cb = ldap_pvt_sasl_cbinding( ssl, i, 1 );
+ if ( cb != NULL ) {
+ sasl_setprop( conn->c_sasl_authctx, SASL_CHANNEL_BINDING, cb );
+ conn->c_sasl_cbind = cb;
+ }
#endif
return LDAP_SUCCESS;
}
--
2.26.2

190
SOURCES/openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
View File

@ -1,190 +0,0 @@
From 7b0017ad49a2290ec26cbcdffded8a527799e981 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 18 Apr 2020 16:30:03 +0200
Subject: [PATCH] ITS#9189 add channel-bindings tests
---
tests/data/slapd-sasl-gssapi.conf | 3 +
tests/scripts/setup_kdc.sh | 8 +++
tests/scripts/test068-sasl-tls-external | 22 +++++++
tests/scripts/test077-sasl-gssapi | 83 ++++++++++++++++++++++++-
4 files changed, 113 insertions(+), 3 deletions(-)
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
index 611fc7097..29ab6040b 100644
--- a/tests/data/slapd-sasl-gssapi.conf
+++ b/tests/data/slapd-sasl-gssapi.conf
@@ -63,3 +63,6 @@ rootpw secret
sasl-realm @KRB5REALM@
sasl-host localhost
+
+database config
+rootpw secret
diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
index 1cb784075..98bcd9f96 100755
--- a/tests/scripts/setup_kdc.sh
+++ b/tests/scripts/setup_kdc.sh
@@ -142,3 +142,11 @@ if test $RC != 0 ; then
exit 0
fi
fi
+
+HAVE_SASL_GSS_CBIND=no
+
+grep CHANNEL_BINDING $TESTDIR/plugin_out > /dev/null 2>&1
+RC=$?
+if test $RC = 0 ; then
+ HAVE_SASL_GSS_CBIND=yes
+fi
diff --git a/tests/scripts/test068-sasl-tls-external b/tests/scripts/test068-sasl-tls-external
index f647b1012..0b91aa197 100755
--- a/tests/scripts/test068-sasl-tls-external
+++ b/tests/scripts/test068-sasl-tls-external
@@ -88,6 +88,28 @@ else
echo "success"
fi
+# Exercise channel-bindings code in builds without SASL support
+for cb in "none" "tls-unique" "tls-endpoint" ; do
+
+ echo -n "Using ldapwhoami with SASL/EXTERNAL and SASL_CBINDING (${cb})...."
+
+ $LDAPSASLWHOAMI -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ -o tls_cert=$TESTDIR/tls/certs/bjensen@mailgw.example.com.crt \
+ -o tls_key=$TESTDIR/tls/private/bjensen@mailgw.example.com.key \
+ -o tls_reqcert=hard -o SASL_CBINDING=$cb -ZZ -Y EXTERNAL -H $URIP1 \
+ > $TESTOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $PID
+ exit $RC
+ else
+ echo "success"
+ fi
+done
+
+
test $KILLSERVERS != no && kill -HUP $KILLPIDS
if test $RC != 0 ; then
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
index 64abe16fe..19f665622 100755
--- a/tests/scripts/test077-sasl-gssapi
+++ b/tests/scripts/test077-sasl-gssapi
@@ -21,7 +21,10 @@ if test $WITH_SASL = no ; then
exit 0
fi
-mkdir -p $TESTDIR $DBDIR1
+SLAPTEST="$TESTWD/../servers/slapd/slaptest"
+CONFDIR=$TESTDIR/slapd.d
+
+mkdir -p $TESTDIR $DBDIR1 $CONFDIR
cp -r $DATADIR/tls $TESTDIR
cd $TESTWD
@@ -32,7 +35,8 @@ echo "Starting KDC for SASL/GSSAPI tests..."
echo "Running slapadd to build slapd database..."
. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
-$SLAPADD -f $CONF1 -l $LDIFORDERED
+$SLAPTEST -f $CONF1 -F $CONFDIR
+$SLAPADD -F $CONFDIR -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
@@ -41,7 +45,7 @@ if test $RC != 0 ; then
fi
echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
-$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+$SLAPD -F $CONFDIR -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
PID=$!
if test $WAIT != 0 ; then
echo PID $PID
@@ -144,6 +148,79 @@ else
fi
fi
+if test $WITH_TLS = no ; then
+ echo "TLS support not available, skipping channe-binding test"
+elif test $HAVE_SASL_GSS_CBIND = no ; then
+ echo "SASL has no channel-binding support in GSSAPI, test skipped"
+else
+ echo "Testing SASL/GSSAPI with SASL_CBINDING..."
+
+ for acb in "none" "tls-unique" "tls-endpoint" ; do
+
+ echo "Modifying slapd's olcSaslCBinding to ${acb} ..."
+ $LDAPMODIFY -D cn=config -H $URI1 -w secret <<EOF > $TESTOUT 2>&1
+dn: cn=config
+changetype: modify
+replace: olcSaslCBinding
+olcSaslCBinding: ${acb}
+EOF
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapmodify failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+
+ for icb in "none" "tls-unique" "tls-endpoint" ; do
+
+ # The gnutls implemantation of "tls-unique" seems broken
+ if test $icb = "tls-unique" -o $acb = "tls-unique" ; then
+ if test $WITH_TLS_TYPE == gnutls ; then
+ continue
+ fi
+ fi
+
+ fail="no"
+ if test $icb != $acb -a $acb != "none" ; then
+ # This currently fails in MIT, but it is planned to be
+ # fixed not to fail like in heimdal - avoid testing.
+ if test $icb = "none" ; then
+ continue
+ fi
+ # Otherwise unmatching bindings are expected to fail.
+ fail="yes"
+ fi
+
+ echo -n "Using ldapwhoami with SASL/GSSAPI and SASL_CBINDING "
+ echo -ne "(client: ${icb},\tserver: ${acb}): "
+
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ -o SASL_CBINDING=$icb > $TESTOUT 2>&1
+
+ RC=$?
+ if test $RC != 0 ; then
+ if test $fail = "no" ; then
+ echo "test failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ fi
+ elif test $fail = "yes" ; then
+ echo "failed: command succeeded unexpectedly."
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+ fi
+
+ echo "success"
+ RC=0
+ done
+ done
+fi
+
+
kill $KDCPROC
test $KILLSERVERS != no && kill -HUP $KILLPIDS
--
2.26.2

27
SOURCES/openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch
View File

@ -1,27 +0,0 @@
From 4cac398b19c21ad56949ef7e67e285c6c8e7ecea Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Thu, 23 Apr 2020 22:47:32 +0200
Subject: [PATCH] ITS#9189 - initialize ldo_sasl_cbinding in
LDAP_LDO_SASL_NULLARG
Reported-by: Ryan Tandy @ryan
---
libraries/libldap/ldap-int.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index c6c6891a9..336448115 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -301,7 +301,7 @@ struct ldapoptions {
/* SASL Security Properties */
struct sasl_security_properties ldo_sasl_secprops;
int ldo_sasl_cbinding;
-#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0}
+#define LDAP_LDO_SASL_NULLARG ,0,0,0,0,{0},0
#else
#define LDAP_LDO_SASL_NULLARG
#endif
--
2.26.2

64
SOURCES/openldap-cbinding-Make-prototypes-available-where-needed.patch
View File

@ -1,64 +0,0 @@
NOTE: The patch has been adjusted to match the base code before backporting.
From cd914149a665167b2c5ae16baa0c438824588819 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Tue, 19 Feb 2019 10:26:39 +0000
Subject: [PATCH] Make prototypes available where needed
---
libraries/libldap/tls2.c | 3 +++
servers/slapd/config.c | 1 +
servers/slapd/proto-slap.h | 4 ++++
3 files changed, 8 insertions(+)
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 1a96b62c3..869de2eb5 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -76,6 +76,9 @@ static oid_name oids[] = {
#ifdef HAVE_TLS
+LDAP_F(int) ldap_pvt_tls_check_hostname LDAP_P(( LDAP *ld, void *s, const char *name_in ));
+LDAP_F(int) ldap_pvt_tls_get_peercert LDAP_P(( void *s, struct berval *der ));
+
void
ldap_pvt_tls_ctx_free ( void *c )
{
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index 778365fd0..2816455a3 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -48,6 +48,7 @@
#endif
#include "lutil.h"
#include "lutil_ldap.h"
+#include "ldif.h"
#include "config.h"
#ifdef _WIN32
diff --git a/servers/slapd/proto-slap.h b/servers/slapd/proto-slap.h
index 4bfdcf930..e33e3b7d9 100644
--- a/servers/slapd/proto-slap.h
+++ b/servers/slapd/proto-slap.h
@@ -755,6 +755,7 @@ LDAP_SLAPD_F (int) bindconf_unparse LDAP_P((
LDAP_SLAPD_F (int) bindconf_tls_set LDAP_P((
slap_bindconf *bc, LDAP *ld ));
LDAP_SLAPD_F (void) bindconf_free LDAP_P(( slap_bindconf *bc ));
+LDAP_SLAPD_F (void) slap_client_keepalive LDAP_P(( LDAP *ld, slap_keepalive *sk ));
LDAP_SLAPD_F (int) slap_client_connect LDAP_P(( LDAP **ldp, slap_bindconf *sb ));
LDAP_SLAPD_F (int) config_generic_wrapper LDAP_P(( Backend *be,
const char *fname, int lineno, int argc, char **argv ));
@@ -1683,6 +1684,9 @@ LDAP_SLAPD_F (int) slap_sasl_external( Connection *c,
slap_ssf_t ssf, /* relative strength of external security */
struct berval *authid ); /* asserted authenication id */
+LDAP_SLAPD_F (int) slap_sasl_cbinding( Connection *c,
+ struct berval *cbv );
+
LDAP_SLAPD_F (int) slap_sasl_reset( Connection *c );
LDAP_SLAPD_F (int) slap_sasl_close( Connection *c );
--
2.26.2

526
SOURCES/openldap-cbinding-Update-keys-to-RSA-4096.patch
View File

@ -1,526 +0,0 @@
From 3ab98b2fc98843289c1833891518fb3b5b42dcd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@openldap.org>
Date: Tue, 30 Oct 2018 15:42:35 +0000
Subject: [PATCH] Update keys to RSA 4096
---
tests/data/tls/ca/certs/testsuiteCA.crt | 133 ++++++++++++++++--
tests/data/tls/ca/private/testsuiteCA.key | 64 +++++++--
.../tls/certs/bjensen@mailgw.example.com.crt | 44 ++++--
tests/data/tls/certs/localhost.crt | 44 ++++--
tests/data/tls/conf/openssl.cnf | 2 +-
tests/data/tls/create-crt.sh | 9 +-
.../private/bjensen@mailgw.example.com.key | 64 +++++++--
tests/data/tls/private/localhost.key | 64 +++++++--
8 files changed, 336 insertions(+), 88 deletions(-)
diff --git a/tests/data/tls/ca/certs/testsuiteCA.crt b/tests/data/tls/ca/certs/testsuiteCA.crt
index 7458e7461..62c88acca 100644
--- a/tests/data/tls/ca/certs/testsuiteCA.crt
+++ b/tests/data/tls/ca/certs/testsuiteCA.crt
@@ -1,16 +1,121 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 0b:43:f8:e9:ee:d3:38:37:92:db:19:65:d9:94:17:cc:70:45:d4:06
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
+ Validity
+ Not Before: Oct 30 15:29:02 2018 GMT
+ Not After : Nov 13 15:29:02 2519 GMT
+ Subject: C=US, ST=CA, O=OpenLDAP Foundation, OU=OpenLDAP Test Suite
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public-Key: (4096 bit)
+ Modulus:
+ 00:be:e0:ff:36:89:65:c0:4e:46:e6:24:e8:3d:81:
+ 97:92:28:4b:11:c6:21:ac:28:14:31:b2:a3:64:24:
+ 62:61:24:bd:76:7b:9e:7c:3a:50:65:fa:97:f3:c5:
+ 9d:49:cc:61:3a:31:6f:0d:a4:d8:70:57:73:c8:c6:
+ 66:06:d0:59:3f:24:3b:56:5d:70:20:e4:51:2b:88:
+ 5e:f4:78:82:bc:55:b5:d5:5b:f6:e5:55:1f:3a:af:
+ 59:9f:b7:5d:72:70:fe:b6:a4:dd:4e:f9:d0:38:e8:
+ 15:14:c7:45:ed:5e:d3:4c:ee:02:34:3a:37:d8:75:
+ f1:49:0d:f6:8a:7b:8c:87:39:c9:fb:f2:3a:96:57:
+ cd:7c:18:a7:bb:35:de:d3:c4:79:57:20:48:07:b9:
+ 65:f6:bd:7b:01:5c:99:8a:92:35:7c:b7:e3:96:1c:
+ 6f:4c:47:42:c1:77:d6:62:49:0e:be:01:8f:c9:f4:
+ 64:68:4c:b0:ec:10:12:d0:0e:5f:67:0e:e8:a4:bd:
+ df:9c:fb:5b:04:6f:3c:2a:35:1b:5a:ca:98:ba:f3:
+ 61:f4:3a:77:28:be:a3:63:f1:d6:94:0d:fb:a0:87:
+ e3:a5:9f:56:b6:a6:6a:90:13:80:2a:2e:ae:fe:af:
+ aa:e3:e7:d8:3b:2b:a3:52:4f:73:2d:12:aa:e2:a3:
+ 0c:aa:fb:11:40:86:68:de:be:2b:9b:36:19:9c:d7:
+ d7:5e:13:21:c9:b3:34:6d:09:53:ff:a3:2e:92:f4:
+ 33:80:de:7a:47:1c:47:57:68:53:2a:db:73:6e:6d:
+ fa:40:df:55:25:a1:fc:87:c4:86:ef:6e:16:ec:f8:
+ 48:35:f5:96:b3:55:ce:56:a9:6e:c1:8c:ea:32:85:
+ 26:ea:af:0c:92:24:05:e2:49:12:b7:07:8f:06:96:
+ be:13:fa:ec:49:f7:d4:49:6f:b9:c7:6c:79:53:39:
+ a3:89:c4:4a:92:66:b0:f3:0c:72:6d:50:3c:63:1f:
+ f3:76:63:a8:aa:b7:fd:db:ef:98:b4:5b:49:b6:84:
+ 66:e5:fc:60:0b:c1:f7:b0:f7:84:68:7e:71:5d:ac:
+ fc:a9:cb:f6:02:fc:86:d3:a7:c3:42:ef:ba:f4:1a:
+ 27:71:5d:22:f5:53:e1:a6:f4:a5:dc:31:38:45:0b:
+ a1:6d:ab:9c:05:2e:87:8c:31:02:99:80:6d:3f:66:
+ e8:8a:d7:64:4f:08:7e:2f:f0:1f:28:ff:85:57:22:
+ ee:6a:a7:05:72:f8:cf:5d:07:c6:73:23:82:85:82:
+ 76:4e:36:8a:ec:ea:f1:53:1e:e0:77:d1:4a:9f:df:
+ ec:87:91:0a:56:40:b7:23:19:fa:60:14:d0:f0:32:
+ 4d:11:39
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
+ X509v3 Authority Key Identifier:
+ keyid:90:CF:51:1D:E8:08:D4:4C:34:70:71:6B:D2:0B:00:68:D9:FD:60:50
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ 0f:7f:a0:c5:3c:ac:dc:ed:8f:56:3e:64:89:e6:87:d0:ca:a5:
+ 37:b8:0e:49:aa:93:d3:e5:ac:ff:54:24:91:07:1b:9c:dc:08:
+ e6:cc:15:53:be:85:4c:51:52:d3:88:d0:d8:c7:b7:98:40:41:
+ 8a:a7:7a:4c:96:85:61:8c:98:76:f6:a3:2c:10:31:a1:d8:e6:
+ a7:4c:ec:c3:29:ad:04:8b:e3:f2:2d:4c:30:0d:a4:bc:c8:93:
+ d2:9b:88:1d:a4:25:eb:ff:9f:f2:d9:c5:3b:bf:51:91:71:06:
+ 92:35:96:5c:ca:6d:d6:86:47:63:07:7f:37:35:53:68:e9:4e:
+ d0:d0:25:42:18:e0:00:9e:ca:f5:bd:b7:94:ee:99:51:44:3a:
+ 0c:44:40:e3:87:e6:ce:6c:2b:3f:c1:01:6c:5c:32:d5:59:b5:
+ bd:25:a3:1a:ff:85:a5:89:9c:d8:24:4b:fa:59:99:5a:64:ab:
+ a1:d8:0f:c0:19:28:84:1e:89:c2:a1:15:4e:0f:7e:1f:bf:f8:
+ 92:df:9f:1c:d5:4a:98:40:82:ee:41:1f:de:f7:25:11:fd:76:
+ 0a:cf:37:40:bc:c2:2d:6a:ea:4a:0c:6d:b0:e6:75:37:b5:63:
+ a8:a1:c5:81:d0:84:c0:f3:e0:c3:5c:c4:9f:ec:3b:9f:8a:74:
+ ce:f0:cc:e3:e9:15:08:a0:ea:3e:a9:8e:bc:9a:01:00:96:fe:
+ 37:6f:61:b5:2c:4b:1f:5d:d7:24:09:fe:bf:f4:77:47:e4:ee:
+ 7c:ea:6b:67:84:ee:56:4f:5f:b9:b8:e4:db:70:e1:4a:b3:94:
+ 4d:dd:52:45:05:4d:79:d4:7c:8b:9d:9b:6a:0b:73:9e:f3:0e:
+ d5:d5:46:da:b4:fb:4a:ea:5b:ab:8e:42:68:0e:96:cd:8a:6e:
+ 35:a8:e6:1b:6a:ed:a8:9e:3c:cc:3b:44:54:b8:2d:ba:c7:83:
+ 91:7c:70:40:0c:14:b8:21:7a:12:ac:8c:96:4c:94:a6:ee:fe:
+ cc:77:34:8e:e3:c3:c0:44:19:51:85:07:6c:d8:d1:2e:69:8d:
+ b1:0e:42:fb:e6:16:65:86:c6:e3:2f:a7:3f:b4:8e:4f:1c:83:
+ c4:0a:ae:a0:d9:17:fd:cf:a2:38:a1:9f:70:dc:5c:df:3c:07:
+ 7b:64:01:ff:35:8c:45:43:e8:fa:a4:f6:c4:71:78:17:6e:6a:
+ 7f:d1:6e:66:c6:89:33:3b:28:4a:76:bf:ca:29:05:51:07:98:
+ ce:63:62:25:61:7f:5e:c6:91:23:02:13:15:4f:fd:24:58:9d:
+ 2d:ac:eb:cb:9a:c2:82:2f:50:5c:5a:16:bb:8c:bf:4d:66:2c:
+ 6f:1c:c4:a9:28:e1:3d:4d
-----BEGIN CERTIFICATE-----
-MIICgjCCAeugAwIBAgIJAJGJtO9oGgLiMA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwTT3BlbkxEQVAgRm91bmRhdGlv
-bjEfMB0GA1UECwwWT3BlbkxEQVAgVGVzdCBTdWl0ZSBDQTAgFw0xNzAxMTkyMDI0
-NTFaGA8yNTE4MDIwMjIwMjQ1MVowWTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNB
-MRwwGgYDVQQKDBNPcGVuTERBUCBGb3VuZGF0aW9uMR8wHQYDVQQLDBZPcGVuTERB
-UCBUZXN0IFN1aXRlIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3xcMd
-rvEPxIzZ0FnGVfk6sLXW//4UbBZmmsHSNT7UDNpL301QrsOaATyiOMSPHxmQoLPb
-lYOtTCPaHN9/KIHoCnEQ6tJRe30okA0DFnZvSH5jAm9E2QvsXMVXU5XIi9dZTNdL
-6jwRajPQP3YfK+PyrtIqc0IvhB4Ori39vrFLpQIDAQABo1AwTjAdBgNVHQ4EFgQU
-7fEPwfVJESrieK5MzzjBSK8xEfIwHwYDVR0jBBgwFoAU7fEPwfVJESrieK5MzzjB
-SK8xEfIwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOBgQBtXLZWW6ZKZux/
-wk7uLNZl01kPJUBiI+yMU5uY5PgOph1CpaUXp3QftCb0yRQ2g5d0CNYI5DyXuHws
-ZSZRFF8SRwm3AogkMzYKenPF5m2OXSpvOMdnlbbFmIJnvwUfKhtinw+r0zvW8I8Q
-aL52EFPS0o3tiAJXS82U2wrQdJ0YEw==
+MIIFjzCCA3egAwIBAgIUC0P46e7TODeS2xll2ZQXzHBF1AYwDQYJKoZIhvcNAQEL
+BQAwVjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRwwGgYDVQQKDBNPcGVuTERB
+UCBGb3VuZGF0aW9uMRwwGgYDVQQLDBNPcGVuTERBUCBUZXN0IFN1aXRlMCAXDTE4
+MTAzMDE1MjkwMloYDzI1MTkxMTEzMTUyOTAyWjBWMQswCQYDVQQGEwJVUzELMAkG
+A1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNVBAsM
+E09wZW5MREFQIFRlc3QgU3VpdGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
+AoICAQC+4P82iWXATkbmJOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfz
+xZ1JzGE6MW8NpNhwV3PIxmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mf
+t11ycP62pN1O+dA46BUUx0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7
+Nd7TxHlXIEgHuWX2vXsBXJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQ
+Dl9nDuikvd+c+1sEbzwqNRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4Aq
+Lq7+r6rj59g7K6NST3MtEqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S
+9DOA3npHHEdXaFMq23NubfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbq
+rwySJAXiSRK3B48Glr4T+uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iq
+t/3b75i0W0m2hGbl/GALwfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm
+9KXcMThFC6Ftq5wFLoeMMQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8Zz
+I4KFgnZONors6vFTHuB30Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABo1MwUTAd
+BgNVHQ4EFgQUkM9RHegI1Ew0cHFr0gsAaNn9YFAwHwYDVR0jBBgwFoAUkM9RHegI
+1Ew0cHFr0gsAaNn9YFAwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEAD3+gxTys3O2PVj5kieaH0MqlN7gOSaqT0+Ws/1QkkQcbnNwI5swVU76FTFFS
+04jQ2Me3mEBBiqd6TJaFYYyYdvajLBAxodjmp0zswymtBIvj8i1MMA2kvMiT0puI
+HaQl6/+f8tnFO79RkXEGkjWWXMpt1oZHYwd/NzVTaOlO0NAlQhjgAJ7K9b23lO6Z
+UUQ6DERA44fmzmwrP8EBbFwy1Vm1vSWjGv+FpYmc2CRL+lmZWmSrodgPwBkohB6J
+wqEVTg9+H7/4kt+fHNVKmECC7kEf3vclEf12Cs83QLzCLWrqSgxtsOZ1N7VjqKHF
+gdCEwPPgw1zEn+w7n4p0zvDM4+kVCKDqPqmOvJoBAJb+N29htSxLH13XJAn+v/R3
+R+TufOprZ4TuVk9fubjk23DhSrOUTd1SRQVNedR8i52bagtznvMO1dVG2rT7Supb
+q45CaA6WzYpuNajmG2rtqJ48zDtEVLgtuseDkXxwQAwUuCF6EqyMlkyUpu7+zHc0
+juPDwEQZUYUHbNjRLmmNsQ5C++YWZYbG4y+nP7SOTxyDxAquoNkX/c+iOKGfcNxc
+3zwHe2QB/zWMRUPo+qT2xHF4F25qf9FuZsaJMzsoSna/yikFUQeYzmNiJWF/XsaR
+IwITFU/9JFidLazry5rCgi9QXFoWu4y/TWYsbxzEqSjhPU0=
-----END CERTIFICATE-----
diff --git a/tests/data/tls/ca/private/testsuiteCA.key b/tests/data/tls/ca/private/testsuiteCA.key
index 2e14d7033..01a6614c1 100644
--- a/tests/data/tls/ca/private/testsuiteCA.key
+++ b/tests/data/tls/ca/private/testsuiteCA.key
@@ -1,16 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBALfFwx2u8Q/EjNnQ
-WcZV+Tqwtdb//hRsFmaawdI1PtQM2kvfTVCuw5oBPKI4xI8fGZCgs9uVg61MI9oc
-338ogegKcRDq0lF7fSiQDQMWdm9IfmMCb0TZC+xcxVdTlciL11lM10vqPBFqM9A/
-dh8r4/Ku0ipzQi+EHg6uLf2+sUulAgMBAAECgYBDOb7kjuh0Iix8SXFt0ml3hMkg
-O0kQ43FWW2pnoT64h3MbqjY4O5YmMimiFi4hRPkvJPpma01eCapb0ZAYjhLm1bpf
-7Ey+724CEN3/DnorbQ3b/Fe2AVl4msJKEQFoercnaS9tFDPoijzH/quC2agH41tn
-rGWTpahq6JUIP6xkwQJBAPHJZVHGQ8P/5bGxqOkPLtjIfDLtAgInMxZgDjHhHw2f
-wGoeRrZ3J1yW0tnWtTXBN+5fKjCd6QpEvBmwhiZ+S+0CQQDCk1JBq64UotqeSWnk
-AmhRMyVs87P0DPW2Gg8y96Q3d5Rwmy65ITr4pf/xufcSkrTSObDLhfhRyJKz7W4l
-vjeZAkBq99CtZuugENxLyu+RfDgbjEb2OMjErxb49TISeyhD3MNBr3dVTk3Jtqg9
-27F7wKm/+bYuoA3zjwkwzFntOb7ZAkAY0Hz/DwwGabaD1U0B3SS8pk8xk+rxRu3X
-KX+iul5hDIkLy16sEYbZyyHXDCZsYfVZki3v5sgCdhfvhmozugyRAkBQgCeI8K1N
-I9rHrcMZUjVT/3AdjSu6xIM87Vv/oIzGUNaadnQONRaXZ+Kp5pv9j4B/18rPcQwL
-+b2qljWeZbGH
+MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC+4P82iWXATkbm
+JOg9gZeSKEsRxiGsKBQxsqNkJGJhJL12e558OlBl+pfzxZ1JzGE6MW8NpNhwV3PI
+xmYG0Fk/JDtWXXAg5FEriF70eIK8VbXVW/blVR86r1mft11ycP62pN1O+dA46BUU
+x0XtXtNM7gI0OjfYdfFJDfaKe4yHOcn78jqWV818GKe7Nd7TxHlXIEgHuWX2vXsB
+XJmKkjV8t+OWHG9MR0LBd9ZiSQ6+AY/J9GRoTLDsEBLQDl9nDuikvd+c+1sEbzwq
+NRtaypi682H0OncovqNj8daUDfugh+Oln1a2pmqQE4AqLq7+r6rj59g7K6NST3Mt
+Eqriowyq+xFAhmjeviubNhmc19deEyHJszRtCVP/oy6S9DOA3npHHEdXaFMq23Nu
+bfpA31UlofyHxIbvbhbs+Eg19ZazVc5WqW7BjOoyhSbqrwySJAXiSRK3B48Glr4T
++uxJ99RJb7nHbHlTOaOJxEqSZrDzDHJtUDxjH/N2Y6iqt/3b75i0W0m2hGbl/GAL
+wfew94RofnFdrPypy/YC/IbTp8NC77r0GidxXSL1U+Gm9KXcMThFC6Ftq5wFLoeM
+MQKZgG0/ZuiK12RPCH4v8B8o/4VXIu5qpwVy+M9dB8ZzI4KFgnZONors6vFTHuB3
+0Uqf3+yHkQpWQLcjGfpgFNDwMk0ROQIDAQABAoICAQCVkIdpnE92V9+GBfVT/G9f
+vuLTkoRf+SeZqXgNx9SuebNbW5HblXXZ8nmOMZIFeXfVuVZjQn+1x1CaSZs4S5ki
+uKkmCyEJJN3VVo3Q0XzfRemsvNrA5+oIec2oMG2wdomfY59leqmFbZTXKy3HyT2Y
+Uga4FcYcfo4JyD8eU6DRdJ6oJC10EGiajFchghyPoqvRcSH/q24R4Ha5om1M/zOZ
+/hz+SlmLU2sjXVtGuCgtCdw5Sp5Ce5VF43JaRGjMwAnazEyjHPE8kEx8ZhCBG66B
+DqP6UrV736T3c0/Hww0fxFrENA4mIE/vhNgwNVQ5jDxDSC9ObesTW93Lu4za+Re6
+pmP1eeS/oe1OcI1d/xK2IIQwzB7ZkJ0StbFLnjs7DATO7BGzhC9egC6s+z9oSgTS
+KvmLyoiL5U4fesVJwcCPKwwkVH9n22TuqmvB5mmvZvRTe2+OgDH55Nkfx1SoI8+Q
+/fwV9UXIIg5en+Kv8lOaWCZujmMsjHC79bwxPLeaePRwD/RBkT1MLW/T4fWGpAt3
+H89+yufH31Y/1QMxVVtR9OdxCtljiXno/bArMNZ0oE1TiCcckMzdjKh7RNfkEXRM
+Pga92HBTgtJ3tfWJ4qOtJ4NKJPQ7wRmR03Bug8+bGM4K5HDO08fNuag/pP3AQvrM
+QGbHFVho3I7/DXnmRBq/gQKCAQEA75eptBtP8PWnN9uNsQoWxvFKQBtbLfPKUcVP
++LWOWF4ag2YRRf6TIzvGfIk54OGSL/srWCDKjXWJ0NgUn6yiqOkoP4oxEE1m2QDY
+7oCk9vJipJcrtNCKL6NhKwZDOjlDSROb/hBeMgr14Da/WkPE6zQhuwN5y4Japbjs
+cBYTao2uOg4QQz5Aee+ee55L6iAgMT0PnlQtv1uVW3D46e02CrQKtRmtDxqT3Nux
+nudJdz+rMFM0EDgVKUYRwFCa6xjI4y2K1aCwCtJG9yTJpYqCD9hehfwEije6dNNg
+p5RX3M9ai710Yx4F26cwX/t8AxqgF/2XBI0ZWD6x69cp7suPTQKCAQEAy/NUEgXN
+nymq8NK+umZwFJU7cy3weozRuEkmgmCWj4XYhbvTw6MbK+2R9XKa3ilqSd2sU2lX
+qE66kfAgqZMJ9RB+7nDOaLAMUuGw1DrwFZE7r3mKXgc4NgjtmGav4E3URXPHj5zb
+JbbN95zl96Fm3Nevs5p8sb0KexgbzHe4UzJNYFgT0l+TjJbJUAiNPsEw1bnV4cxn
+b1HO2CWTeGtAOJyjMRNwI+40wnk2N6An+Ddvb2mj2h30HujSZHnL94RAqa7RHDb6
+lU+7JX/ll5G0mFQOFQAs4UPos2bg7hS1mfYO+UVrG4OH9gXns12158WqFED+lhmJ
+O8WDWEVAblVrnQKCAQAB9aOVrYOB3QB5HHqUMBjvl5mb3J1qSswkzxBQYGvBnUNq
+P7N0dxiM+TguXJD0neOsMMmx9tKxRXzTEHFavPa3mvCRVHgCQh/NNoyPps2yl1jn
+L7VTzUDUEuoAiBSUrVM3jcmA0nFyx1QreUcnXdaGde6wsN6WI4LKSDDm2cde37nF
+D8hiRGgSlzscl7bXO1wICw/No7KcFguqq8ndX+tJOx+7S3J25SjAbauOOSYIq6Si
+yItsdoj1xXTvtbkOoy1BbmXsSVwnOoEKFGrxx6g4qPRc9Cq1Vq9XtULdHAF79NYw
+vmPtS5mQqlVi85OYEuesSo6pot3KMvkRjLjzEwchAoIBACEvrvZfy12iwhX9tNtP
+39z5i3rqdr76OwXpoUKFxPoFpX3dWk/zMnCrb5yo0VplEs6CK5BHC+RvKxykHix5
+qJ0f2geig3O1ccvqvYNLM9XOlA+xjzpNom/odADgdK3i/C9w74AG3gH9BPbNqP3q
+XXqB/i0Tbkbdo97zxVI4CN5AySZsLo2Ez9WIk6laOuGDPhcI7iyXvhz3CtlRA/YM
+PZ74nfVWXGD8WclrP889WEOjgZZ3choD1b1R1SpUR0Q3WO5Da/NTXuL83k7zyMAp
+DWHcC46PQL5G9o56pw8Wf5ZV24nkKdGITY9S1qjxDrBwEYTKLqLt9M6tDPpICnvp
+mmECggEBALfnUgpdGugn46UmQUMI1y+NZbSKhJHG+OBWdcc1j4kDZhF/Ei7g8pvk
+hFU5p/YA6JbGioZxiqjdrYLvgTPnJVkxy7arLTN2j2GVlhUA74BY+kNzENk2Tj9c
+zJSMVZn+WZrXNQhfYyA3FyW3wGN67GBXAHPQxFTdU3G4mR1WcyJCxKIyzP+2M8o9
+16tpb80QRnc0OLm9Izppe7JUp2hCQt+O6E8izvLE8k2ldOr5ncTNWlxTJ0yx0hEO
+WTFqhwOM1pEmtxas1gLr8MX0hNsaQR+kjG2f8rPmH+GEZeeAwuhoJY1PcKAOYM5Y
+yu/1yFXYTrmhD/P0+nJn1DfS5JljCJY=
-----END PRIVATE KEY-----
diff --git a/tests/data/tls/certs/bjensen@mailgw.example.com.crt b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
index 93e3a0d39..eb0fc693f 100644
--- a/tests/data/tls/certs/bjensen@mailgw.example.com.crt
+++ b/tests/data/tls/certs/bjensen@mailgw.example.com.crt
@@ -1,16 +1,32 @@
-----BEGIN CERTIFICATE-----
-MIICejCCAeOgAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
-ODA1MjQyMzE2MTFaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNV
-BAoME09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYD
-VQQDDBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYa
-YmplbnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0A
-MIGJAoGBAMjb2C5VL+f/B/f2xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKg
-QbX2w0sPazujt8hG96F2mBv49pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmU
-U++22BSuhthP5VQK7IqNyI7ZyQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAGjDTAL
-MAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADgYEAmAQhIIKqjC13rtAGEQHV/pKn
-wOnLbNOumODqM+0MkEfqXXtR6eNGres2RNAtCJ5fqqDBTQCTqRzIt67cqdlJle2f
-7vXYm8Y6NgxHwG+N1y7S0Xf+oo7/BJ+YJTLF7CLJuPNRqILWvXGlcNDcM1nekeKo
-4DnnYQBDnq48VORVX94=
+MIIFfDCCA2SgAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
+BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNzQwWhgPMjUxOTEx
+MTMxNTM3NDBaMIGbMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHDAaBgNVBAoM
+E09wZW5MREFQIEZvdW5kYXRpb24xETAPBgNVBAsMCE9wZW5MREFQMSMwIQYDVQQD
+DBpiamVuc2VuQG1haWxndy5leGFtcGxlLmNvbTEpMCcGCSqGSIb3DQEJARYaYmpl
+bnNlbkBtYWlsZ3cuZXhhbXBsZS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw
+ggIKAoICAQCcHBkHcUSKG4s7nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA
+7qkZvMJR8ws2u8TQU/18FhH4+0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWg
+qPYe/K3bAtSRtF7wDxF77eb2Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38
+kpIB5WENCEy77QK9GEGAlMVIRXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nN
+LxTdLe1qbZyRgEqRKgW5WcWrW46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yIms
+CbzlSRLC1dfj++2mzCMxoc3xpZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvR
+X9uQOnXnazQvlRfsaHQjGUKyhMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzL
+twWkESVDU0tNg/czWLn56smV7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjI
+LQuEBssrV1h8WblruWRU31Mn+mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5ui
+cNcYTXCfa5ZpPL608f7cWuG2GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4
+yPXHATrCtYO1wqIyu9Yuirdg7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABow0w
+CzAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQCq8VvpcoAgCK/D5yi/2puB
+LD7kYaVaSXxrUQBeLTmKERw3akpgW7QTGCNgM425VVaBQRPtv8YcX9OycUAylAA+
+7lzwdP95OJGnUOjQY4x4iRAwCPkpDCcnwc43c3WAyQb2S46aZJaWK4S0+RM3CmWH
+1Fzb6aODdnoBEKk0XgNrB6/teB+UWgtTSxWiY/HWiArDaZDPMAxqEK0hnB+b/sBD
+ZoBYnfnQXezylqbk9vkzTIbSVrv5ZZdQELOAnPuxUCFpYew1OGKcg+1twYKDHgBS
+s13zN03eMEnC/O4Z01dhu16vqdikdP+tJJrppjvZtJys0KIP24ltDnpA6h/3m/Cl
+U1eiTDgWO+SsfiL1K4gcTL1eLjnCBFfnHN5gfgAV5w5DaKzvKp7Qu8db4DtH+S4o
+W/MBKuaHHKWUPGksvFUiGNgE/XyDU4MK34/5ulzbrWmqb24pYAzm1MyjsdzmXObw
++fzg6EDBB14cWA2hA7mSqnzkiW1pELVym6+uTaIlopSIFr8nNAimwLiY5QJNGYvd
+hgNNvOyUUO+nON3aHsC/rRMgar3eo7A9AkQJ6qKVvPR2h1317PJLuKaLfjbaCzNw
+iA3JSQjcwR2ydlSgKKN2d/XXm/G4PZ9tUcBY4Zngn0ViT0/m7MFy9qsiWG97+yaZ
+nYsN5WfwDZrtG24dTotxVQ==
-----END CERTIFICATE-----
diff --git a/tests/data/tls/certs/localhost.crt b/tests/data/tls/certs/localhost.crt
index 194cb119d..3aeae3c16 100644
--- a/tests/data/tls/certs/localhost.crt
+++ b/tests/data/tls/certs/localhost.crt
@@ -1,16 +1,32 @@
-----BEGIN CERTIFICATE-----
-MIICgzCCAeygAwIBAgIBADANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJVUzEL
-MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHzAdBgNV
-BAsMFk9wZW5MREFQIFRlc3QgU3VpdGUgQ0EwIBcNMTcwNTEwMjMxNjExWhgPMjUx
-ODA1MjQyMzE2MTFaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UE
-CgwTT3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBT
-dWl0ZTESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
-iQKBgQDutp3GaZXGSm7joDm1TYI+dhBAuL1+O+oJlmZL10GX/oHqc8WNobvuZGH4
-7H8mQf7zWwJQWxL805oBDMPi2ncgha5ydaVsf4rBZATpweji04vd+672qtR/dGgv
-8Re5G3ZFYWxUv8nb/DJojG601V2Ye/K3rf+Xwa9u4Q9EJqIivwIDAQABo0gwRjAJ
-BgNVHRMEAjAAMAsGA1UdDwQEAwIF4DAsBgNVHREEJTAjgglsb2NhbGhvc3SHBH8A
-AAGHEAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQELBQADgYEAYItH9TDh/lqG
-8XcBPi0bzGaUPkGlDY615xvsVCflnsfRqLKP/dCfi1GjaDajEmE874pvnmmZfwxl
-0MRTqnhEmFdqjPzVSVKCeNQYWGr3wzKwI7qrhTLMg3Tz98Sz0+HUY8G9fwsNekAR
-GjeZB1FxqDGHjxBq2O828iejw28bSz4=
+MIIFhTCCA22gAwIBAgIBADANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJVUzEL
+MAkGA1UECAwCQ0ExHDAaBgNVBAoME09wZW5MREFQIEZvdW5kYXRpb24xHDAaBgNV
+BAsME09wZW5MREFQIFRlc3QgU3VpdGUwIBcNMTgxMDMwMTUzNjMwWhgPMjUxOTEx
+MTMxNTM2MzBaMGoxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEcMBoGA1UECgwT
+T3BlbkxEQVAgRm91bmRhdGlvbjEcMBoGA1UECwwTT3BlbkxEQVAgVGVzdCBTdWl0
+ZTESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEA6Ud89ugah2oWY00q1g+M6NkpluewwvGq4tkMau1gq+Q5Biv61bubgdSA
+Z+Zkkxe3Sx0Zv7i5wldIN4wXqEDlMg2qhfzKDSNKUofc0z7FLMb0Cn46WqlciUCY
+VetHhBghGd+6fxOOz+x98FhiiAif+AdiUWBTKFFohWXo/9aiGgm0ueJj2NS3Eyac
+xOKoTcDd9TMsOJ2fMH2MlquArLobCvuphOrVbqBoeeol2SzFDDOW8ryPDzFGy5xh
+ZHkm/3sGIoDpDkDR0yhvBzn47qdLI5myc6Fj96s7S2xgqiqGXJW0D0FCfpUQXxfm
+ahz/Jdwl+hqs5Eg/aA+LE/7lmS7szo3zwJQ53ApdcaupHi4fU60wPVrdo29wLwDO
+hDuS+Oc1os1UyJt0T0a+zB4PIP2rxifyxI1iWmZFt7tJyLv1k7yMN7CLCWzsSy5P
+BZpGmHV9Wbvb660N6NzlFDMqnjJWDAr1BLoV4ywmpiWPhy/7JtKXFe1V3jT5MvGM
+26IOC+zCwwZVyEIIASeWepZDuto00Lqo7jOKSlLRmuhTX1ELK8xYX6ZU/fz0FwYn
+bLu6bI4mRGfbJ12fWYm5QMje2QAuvndfi759HUeuLl6TgmeQFgqFA/6Kkwoz0Ncb
+Kaaj+ByvLXfI4S3lvkwT26nOAt966fb1bsdkb8P52NdkqeSMk5cCAwEAAaNIMEYw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYDVR0RBCUwI4IJbG9jYWxob3N0hwR/
+AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqGSIb3DQEBCwUAA4ICAQCGQCs10hwY
+t5o3AWjU8oT8HWnLDsEzIvI/Z2dvtsFSOFotH14d8a7CdCKNiry8BbQ82A4sG/Xw
+0aVdP1EscxGhpJuMHG4Ph9PZBm31ZW2VoRHOEs7/Moi6G/1yldVxWUH/qXO00Dw9
+cEsiUQdPrPQDoVBKYAMuV15RP9b3iPpw3GY1EkIu+akGVziHFmFYUoU2gctiGIZ6
+6KiqBFvCP1Yvm3RSZ5t/Kv/jPMetAnCq+9JAUAodAh2+goBvUCAN9Itr/tEs98jq
+9d14J7gzIRDdNHKOLrRFmoMrTaDZNtqBe5jiMf0O55tgjv4BqN4w11M51bjY4umd
+GX+OXoBJG+MK7AZyaHPjHa1NMoLDOUhTvHb4zPNkPiVb8r3lYkQ4VCtre+4qqrEn
+cEt9KWGpHkoz4GSKn6uidQebdi4waexcGttsHbKPaKZqzYXAJ2bjFZnv85zPtpjO
+qxzqrMUruiCU7EfjGAdZ8S0lwjdMihznLATjKuwQkJ2mVg2HbLgxZu578FHTBOHW
+LjVIr/80auF4Ino9ocHpIwL/E4jpYQWP/Uv4KBHwkAktmUOwqyt0iysRaWy4Gp7S
+keBI9FoGtJ1Mq5M2tVINBzt1ESC3t03KqyY+/9r/IeY7A7yukC0YJnJ+HorfuQFf
+0//7DOEA58bRswyWTLOAjYMJHilTKOozSQ==
-----END CERTIFICATE-----
diff --git a/tests/data/tls/conf/openssl.cnf b/tests/data/tls/conf/openssl.cnf
index a3c8ad9f6..632cff11c 100644
--- a/tests/data/tls/conf/openssl.cnf
+++ b/tests/data/tls/conf/openssl.cnf
@@ -51,7 +51,7 @@ commonName = supplied
emailAddress = optional
[ req ]
-default_bits = 2048
+default_bits = @KEY_BITS@
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
diff --git a/tests/data/tls/create-crt.sh b/tests/data/tls/create-crt.sh
index 8c33a24fe..739f8eaf1 100755
--- a/tests/data/tls/create-crt.sh
+++ b/tests/data/tls/create-crt.sh
@@ -5,6 +5,9 @@ if [ x"$openssl" = "x" ]; then
echo "OpenSSL command line binary not found, skipping..."
fi
+KEY_BITS=4096
+KEY_TYPE=rsa:$KEY_BITS
+
USAGE="$0 [-s] [-u <user@domain.com>]"
SERVER=0
USER=0
@@ -45,13 +48,13 @@ echo "00" > cruft/serial
touch cruft/index.txt
touch cruft/index.txt.attr
hn=$(hostname -f)
-sed -e "s;@HOSTNAME@;$hn;" conf/openssl.cnf > ./openssl.cnf
+sed -e "s;@HOSTNAME@;$hn;" -e "s;@KEY_BITS@;$KEY_BITS;" conf/openssl.cnf > ./openssl.cnf
if [ $SERVER = 1 ]; then
rm -rf private/localhost.key certs/localhost.crt
$openssl req -new -nodes -out localhost.csr -keyout private/localhost.key \
- -newkey rsa:1024 -config ./openssl.cnf \
+ -newkey $KEY_TYPE -config ./openssl.cnf \
-subj "/CN=localhost/OU=OpenLDAP Test Suite/O=OpenLDAP Foundation/ST=CA/C=US" \
-batch > /dev/null 2>&1
@@ -66,7 +69,7 @@ if [ $USER = 1 ]; then
rm -f certs/$EMAIL.crt private/$EMAIL.key $EMAIL.csr
$openssl req -new -nodes -out $EMAIL.csr -keyout private/$EMAIL.key \
- -newkey rsa:1024 -config ./openssl.cnf \
+ -newkey $KEY_TYPE -config ./openssl.cnf \
-subj "/emailAddress=$EMAIL/CN=$EMAIL/OU=OpenLDAP/O=OpenLDAP Foundation/ST=CA/C=US" \
-batch >/dev/null 2>&1
diff --git a/tests/data/tls/private/bjensen@mailgw.example.com.key b/tests/data/tls/private/bjensen@mailgw.example.com.key
index 5f4625fd7..e30e11586 100644
--- a/tests/data/tls/private/bjensen@mailgw.example.com.key
+++ b/tests/data/tls/private/bjensen@mailgw.example.com.key
@@ -1,16 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMjb2C5VL+f/B/f2
-xJyhsdXeaGhWdABWqJlCiupk7QVPotpZphqJ2fKgQbX2w0sPazujt8hG96F2mBv4
-9pHqzhSrKN70EA/E7b8d6ynjJpBU2P9ZgVlttnmUU++22BSuhthP5VQK7IqNyI7Z
-yQ4hFzuqb/XrHD1VCDo/Z/JAkw7jAgMBAAECgYEApDgKQadoaZd7nmJlUWJqEV+r
-oVK9uOEhK1zaUtV9bBA2J6uQQLZgORyJXQqJlT7f/3zVb6uGHr7lkkk03wxIu+3e
-nIi7or/Cw6KmxhgslsQamf/ujjeqRlij/4pJIpEYByme9SstfzMBFNWU4t+fguPg
-xXz6lvVZuNiYRWWuXxECQQDwakp31mNczqLPg8fuhdgixz7HCK5g6p4XDw+Cu9Ra
-EenuOJVlnwXdW+g5jooiV5RWhxbTO6ImtgbcBGoeLSbVAkEA1eEcifIzgSi8XODd
-9i6dCSMHKk4FgDRk2DJxRePLK2J1kt2bhOz/N1130fTargDWo8QiQAnd7RBOMJO/
-pGaq1wJAZ2afzrjzlWf+WFgqdmk0k4i0dHBEZ8Sg5/P/TNAyPeb0gRPvFXz2zcUI
-tTCcMrcOQsTpSUKdtB6YBqsTZRUwXQI/FbjHLTtr/7Ijb0tnP5l8WXE1SRajeGHZ
-3BtDZdW8zKszRbc8FEP9p6HWiXxUuVdcdUV2NQrLf0goqMZYsFm9AkBtV3URLS4D
-tw0VPr/TtzDx0UTJU5POdRcNrrpm233A0EyGNmLuM7y0iLxrvCIN9z0RVu7AeMBg
-36Ixj3L+5H18
+MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQCcHBkHcUSKG4s7
+nKmcqZT3EoZkEgxoaMlpxUZtxBtO5ZXEfcpMaxuA7qkZvMJR8ws2u8TQU/18FhH4
++0aZBefM0ExwqvGNJ8F0cTl3439DGNE+/psh5NWgqPYe/K3bAtSRtF7wDxF77eb2
+Yz0J3NIDxFrAbovfg0ydbt9pWJr5pDBvlqSdYu38kpIB5WENCEy77QK9GEGAlMVI
+RXneA5t2CKsljujRG1H5YJeS6qVAEdMllHZ6a0nNLxTdLe1qbZyRgEqRKgW5WcWr
+W46Co9CRDcFeMqoHdwAQsRdOGBivgkeYUST1yImsCbzlSRLC1dfj++2mzCMxoc3x
+pZNPyHyBuRgou8VqWpF2NuG+KS7QBtm1PVUhSAvRX9uQOnXnazQvlRfsaHQjGUKy
+hMUr5dcwpTqThW4BoqtStd6/097sZTZVWmsC+mzLtwWkESVDU0tNg/czWLn56smV
+7DfPjFDDAV6eNcScFfD8w04aPdk8ODalW/wnsTjILQuEBssrV1h8WblruWRU31Mn
++mw9SA3tDfTk9sJiEyiTJh3B1DrEb+pIuk4vz5uicNcYTXCfa5ZpPL608f7cWuG2
+GP8f5ug4PMKyRkh6qCt7BWrVgOheo1ZhjvrbmhI4yPXHATrCtYO1wqIyu9Yuirdg
+7WJD6npu8IV38VEgEBD3UFanY9xN7wIDAQABAoICAQCWY/s40EXXRvG7XBGKe1Sn
+MZGGllyduVVQMFzJIkOsnkDKKuTY+dZlP4Zo5Q/PIvWKpRnWGRP6lsh5tJkukiHd
+jk4VvJk4AzS7mNhkRyYy3ZW3ulB5NpsXS67P610RwIhIVhuf6ORPH8GBW9lRxwoL
+1v4WpGjbywHkKQvR0Sp7lVGULuwnM0dSK2G9sdztUTGbWZlp0hRIawojtcrRt2ft
+Liyy4hooWMmAFS3wu1y3fHSNn5kEFpfis5jF+5jdDvvmsFElx/X7uiBUFMAV2vry
+wu2mceibiGjnq7Nn6I7fhgKzGnkgzzDSLA9uVBde2+RAHlO0fLTq+5YLVhe0pNBM
+J1Y0soNaO3XfVV6Vnyz8X+ruHItW2OBF9AYhIlXq/6d3MMX51BEM6odEtsi8zFgo
+ENN0GAXoyoofg+IvzPiVU2Ud7s4pAlK473d7sAQEeiFWaj7iwueAgofSUFRz7E/H
+umdhytKiJXqcjJ9O2k4sBsmQoPIB++LlUPRIlZY9UvTFxLbd/ifFUv5fqa6z0IX6
+wkIzXmRHhG+ETk1IZBJAAho7iyyYOTP+JnnToUAMWoUaZUO2bzaZfQha8Z3KVtG/
+PJUfHClBXqvFNaAUvA9Df3JoJddJ4pO1g0QjS/dp4C2KwNkH4oqMJctvCersoPWu
+5DYiWY6KR4GjokJ1lBeWAQKCAQEAzSKa+m2C4ANNCJB9tcKYDbYIdibCpzO+k1Fb
+gZUtNi9dEE0Po8rMG0jthm+GKJjNjiG5idSUMo+WNEGBPkELueex81AlEpOqQ6/9
+67cyjAsF/FvgkWOpKJnGOySF/TpK4kPGYyS3ICvs1KNE5HEywHyC4C/MD8N9Z5tX
+/DfW6sBM/wPipE9YDpKfAg3fDG9YJN/gJZ8TlZVqzzw75rKGcMeLc8f0mbMo+KWQ
+VKV4vrgz1eiVrHc5VeGUaXe1Yei5El671wAdtFdmm51A2fWd80fPlQdqfAwpX7x4
+FWuo9z2QX70rM/NTWfk4nQ6ZFEHxtm++OiTfh7RwauI8fxye6QKCAQEAwtF/tOth
+UgHrohB2DCE9gA0rxkynJHK9/SXSd0KBjERO2i41iuC9YlJT/NpNz9fM7l+L02aP
+wWLMqyC7moNmIpJMY2xBGU0EowQ/3xsSNo3u/fvOS4MyGLKENUPMFgO0J7yopiqt
+Ea31TcrFSTMSmFZCv8cGt38EwS6sdJZd/RB+h3yxesit8pouwpfbtLPx6LSGkPHY
+5nNVPgbt6xaxZJ/1kNbLFObSoZ3lzWBwp93dQh/WqeeeI51LGdM1G6fTL8HrmGFJ
+EX0AKpexFVnG/GROJc8taWtMbk9W5oK30JqR7hpSaluYbonpr9k4WQA+EAZjXfcJ
+0V0AMsMUhGtvFwKCAQAQZf7LnCuFKt5im+JgwFCVcALXJxwSb7GBZ1SQVFOL7Fdd
+MTvZ1SFh4P+T6qBn6GcuQIXrfcHnFNFmFgJ17o84akwwbiy4gnNu+8epqzhwN4Vf
++hxGoxfntftByRao+pr34YEfddTpznkdOnwMYvwypQF1WHzQmckRmjp7YB9fHsZI
+8I+SoQEiERiC+oblIJWERR1PBJt1Lr+eF2uWcpkKtPjx5X8pNkhFMD8MdTnkzSbf
+p7snUVSVB/ZsQ/SNAiShUk9jzY+SVhZOxFBl3BunUgtHF5OsnPBFxfQ3iia0tQgw
+jxfADGiSXbjn3T3hf7AJ7H7heQchewwtjy5U3v3ZAoIBAQCEAyRPe0SKJoT+X7su
+QwQClmo4SE7mUt5NAOkaKTXRz6PDEpbzkZCjZHhHGcKqeWgDizkbuh7lg0Z/G4Ik
+lK+L86jRolSGiXr/3+xMCXMRBqKQ9qV24+L5e1Y9JcDQlhfo6V06pCZ8mW1lFmcT
+UAlksucuPvZdNzQIl9ECe7YauqeStbsqIXxFrZbMA808KMde0Z1x8H/ywOpdSqLD
+r6/rKL1lNTeN5U+Ldox228fa6Gt62EpE/Y9aQMbYLBeLsvBXJ0e3DQ1PTW3kbr/v
+YNOGyY1u73GtQqkbAqY3MxLNxz/loW6BZanoFYoFv+L/5Dsp7ro8vR6pASUWQLzR
+cl9nAoIBAQCre87G76UXv6FIggT+cKM9MKS69KIE3mzNTYUo90L74vF65hJqlaIa
+mfEcPpEU+UY+ufZSIHtTDBj/9Rswaf5whJY7RfL42pSGnW2YOMpuwDIKAEvcJedu
+kZhbthBin4pa28X6L5sNxug+7Wykgesd48PmMLG4pTF+D9u7SgO37Ew5UzylPWNi
+Lrv9TlX1vv9rNFh/hOCA93DNrJlNNPltIcMDByVVjrq31QmxMJwE7cdvl1V7eoiO
+NQuGuGyFIEKPtl9dEUaA4SGYZ7fUqPZaZuzzM0Xa5UMpdcIzcuYYNn3G6FvV6vwU
+dH+lv5X1bTB18GK88ANpC2qLCKRJPCTx
-----END PRIVATE KEY-----
diff --git a/tests/data/tls/private/localhost.key b/tests/data/tls/private/localhost.key
index 8a24f69f8..99cb512c4 100644
--- a/tests/data/tls/private/localhost.key
+++ b/tests/data/tls/private/localhost.key
@@ -1,16 +1,52 @@
-----BEGIN PRIVATE KEY-----
-MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAO62ncZplcZKbuOg
-ObVNgj52EEC4vX476gmWZkvXQZf+gepzxY2hu+5kYfjsfyZB/vNbAlBbEvzTmgEM
-w+LadyCFrnJ1pWx/isFkBOnB6OLTi937rvaq1H90aC/xF7kbdkVhbFS/ydv8MmiM
-brTVXZh78ret/5fBr27hD0QmoiK/AgMBAAECgYEA0gs5tNY/BaWFASGA5bj3u4Ij
-Nu/XPPX3Lsx54o3bl6RIKEYKNF91f4QweNmP39f+P596373jbTe7sOTMkBXu7qnf
-2B51VBJ72Uq92gO2VXImK+uuC6JdZfYTlX1QJkaR6mxhBl3KAgUeGUgbL0Xp9XeJ
-bVcPqDOpRyIlW/80EHECQQD6PWRkk+0H4EMRA3GAnMQv/+Cy+sqF0T0OBNsQ846q
-1hQhJfVvjgj2flmJZpH9zBTaqDn4grJDfQ9cViZwf4k7AkEA9DVNHPNVpkeToWrf
-3yH55Ya5WEAl/6oNsHlaSZ88SHCZGqY7hQrpjSycsEezmsnDeqfdVuO97G2nHC7U
-VdPUTQJAAq8r54RKs53tOj5+NjH4TMeC4oicKYlQDVlx/CGQszZuqthcZKDyaap7
-TWUDReStiJbrYEYOoXiy9HucF/LWRwJAQKeH9f06lN5oaJkKEmJFbg5ALew14z1b
-iHhofgtpg2hEMLkIEw4zjUvdZBJnq7h1R5j/0cxT8S+KybxgPSTrFQJBAPTrj7bP
-5M7tPyQtyFxhFhas6g4ZHz/D2yB7BL+hL3IiJf3fdWNcHTzBDFEgDOVjR/7CZ6L3
-b61hkjQZfbEg5cg=
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDpR3z26BqHahZj
+TSrWD4zo2SmW57DC8ari2Qxq7WCr5DkGK/rVu5uB1IBn5mSTF7dLHRm/uLnCV0g3
+jBeoQOUyDaqF/MoNI0pSh9zTPsUsxvQKfjpaqVyJQJhV60eEGCEZ37p/E47P7H3w
+WGKICJ/4B2JRYFMoUWiFZej/1qIaCbS54mPY1LcTJpzE4qhNwN31Myw4nZ8wfYyW
+q4CsuhsK+6mE6tVuoGh56iXZLMUMM5byvI8PMUbLnGFkeSb/ewYigOkOQNHTKG8H
+Ofjup0sjmbJzoWP3qztLbGCqKoZclbQPQUJ+lRBfF+ZqHP8l3CX6GqzkSD9oD4sT
+/uWZLuzOjfPAlDncCl1xq6keLh9TrTA9Wt2jb3AvAM6EO5L45zWizVTIm3RPRr7M
+Hg8g/avGJ/LEjWJaZkW3u0nIu/WTvIw3sIsJbOxLLk8FmkaYdX1Zu9vrrQ3o3OUU
+MyqeMlYMCvUEuhXjLCamJY+HL/sm0pcV7VXeNPky8Yzbog4L7MLDBlXIQggBJ5Z6
+lkO62jTQuqjuM4pKUtGa6FNfUQsrzFhfplT9/PQXBidsu7psjiZEZ9snXZ9ZiblA
+yN7ZAC6+d1+Lvn0dR64uXpOCZ5AWCoUD/oqTCjPQ1xsppqP4HK8td8jhLeW+TBPb
+qc4C33rp9vVux2Rvw/nY12Sp5IyTlwIDAQABAoICADh1+wLvjmwz+xMxvCpvPRWm
+afCCR0AHqeqZye2fYoR4Cm05+837SFoWCrYbB0CqvsxJUNAcb6lf4rS/DYLFojOJ
+JzqiwmyHnBd5lrLyQFrkFHDtuEX1M9ZscfJprbeE944BnmvfWfNtM9YWLlLqc31e
+nCdB/x6FBZ0z2z8Avd87dih/aNc0NNNHxy3IBiA7i/0q04soaz0bRgm5nL0xlhYE
+bzUieWH7JQ5M47g6o76eReyeQqnUrWPeh5v/zraLGiMDvGScv6wx3x2KpHtutjr5
+mj1uVHm/UeyhYIwPGtIR0bDXhLaKcZnyeOw59G8/Z1mvVyUxb1dKW8kNKpj2yI2H
+Y1SjhW5qaOeaDPxAPqVyo6SUQIzOn6SD0l7aGyOyvYULjiw342HQYU4rQeSPOtjt
++NYMirnT7WNnmoSIsXx7nwUe38EWx5gCHy8taF4aZr5K85yZKnmsiX3vX/hH30yc
+GLOnDDa3b0FE2J2eYos14ru8RTqSLSxclr5Ru2yTdwLgE0gg+iygO1/tYYkqxZ09
+j+METJpg4wv+cQUG/BxysISqNjaPSPHdyJeTMzC8B+PUUpbRoBuvLLokkZ9P95nG
+72TFklEOB0m0VMxrEfev0HGSzkQm92s2Bf41TRaHTPSkg+G1s0haZTNqRVTGPrr/
+eyiz0qH2bgDeubJ3VuTBAoIBAQD9N+KeKo+hRWeV/I6BCBOfMeQOqlqIxYfYAxU+
+CuutILbTnGKFMTAx43syh/a5EV7q4yM81RCXKK/Lmja2OIeYJUb88bC/h0x/gq5W
+LLxHbKgFDUDF2VcWShMqDOo8J8FbzWwb9bOOShqASoR6FacJuOqlFvS8gaswZtiW
+fOvlWRKO2ybULgQctX5gOf1ctuab1VrzuHnNB30gVFc95Dg1b6RiyVAa8AFm6gs9
+6Rewk527+4T5Ho5UXvdsTVJsAhzJgVjPSyF2Vc1CRrp8lIffsg5Prb4w8kvB0i64
+09zn+jAfVRpjdGWqMI7BR1pCdheGMqv006ZVYY+QhcBIb0BHAoIBAQDr14d5PPDv
+pCjlJnCKNzX2irU6bdIY+zvXoemj/cYvHqQbPOe/kaCWFNPMxANKMmZSTdSM7qqR
+s0P1RW/R7moWNSesYwW+2Jp2hIhiWmy+E+ksXeTlFwVpuMHSDPS/N61N8XgmT3pI
+Qngl1hgxGbttniKEwI+Nc7Z3FYDDCp206nmC5y33D+ZYHv1L3e33pyqHdHD/uIeU
+57OPr7Mmd/J6pmClh1dqyZwVBClc2V6w0y2G8Lk1v79wOMrn+4/p9KH2BgkFe2gr
+uB8TOLlUhttQ8VfzXCd+Zi9s3oW0h7Vkvt4kDlJm0MrnMmK0aqgKB+7XkKE0ccVQ
+xSodzbBdDYoxAoIBAH2qGmD8JkOWug2JRP9sDrDWhaNxj3SI8x2Uiho8OTG2JoVl
++s621oArsJwnNZ4qrLxM9NPfuVgK7RNR+Qz9iO1MsqodF+Y1MxWkuPgzQ0z+83Nu
+XFLTxZBeOpyHxEcOQ7tXeut1SCK5S+WXFZ+w1zDQAELl3ZcfkuF2aM5mOHuddMRI
+pkBuhcPpnkoK/V3htxhnDbgeOPQzXzmIIbOpauu5+A6+cW6s5UU5qVKUNxl+aK09
+6YPoUiI07v1kch7//WFTO8vEMVsUwcS+bRYecD/nkYqhYt3PoSETOfSnz92gH/ms
+tmfdAAcyCeaJjpWlHY+P3h6mWsnMnP7QIdjQvUkCggEAGFkiBWRDQ5phFndHex2E
+FrXvS972p9mYLgTrSCD1CvxQ2PcKvf5c4+G2lBdQd6KIacrbPMmPFoe5ZmMKzlOc
+5DoMpIF8oF1gZQf9xJmtTFpl4ky3Sud7iZSnffYUdoFbBQb+7oWaDEfAe7eEu9z6
+OrDuw2HV8DaYCedQadJ4warLbLZNSop7r3FTmTeKT90USPO+jsgQR1E8eoMbLceI
+Yx02MSCt57p0wL6zPoC6g+rpclr75A6txvo2CIkyLGczKWEqIUTCVnEl1CgxCgb6
+MXsZJ2jGMwh9sPGwQBkaoxIJgRNxcmfv6rqK8jFos9Bp2ht2aSGty07vsDACGzlA
+oQKCAQEA8PzgkyGYHs2DwNhmv3j5ZFaP0RukwbdChSoxmbC9JP2JJxxYcnww5jYH
+xeM1bahqkdKyG5iDRiYB74EolZUMA3Zny13R4HWxNe4aUZW1H8mdmhllXX90aUOU
+WEvF2yYZbg9CQIq7zQh8HsF/S8sDTsXoZOx30zrPgb44spWKRmxdwUJt944weXvc
+p5XkLvVzBVJ+RD5IgPTBFl1iCkw3eq01CFcbTdfe9cS8V9IgDy0Jq2GvRE3Y2JS6
+xqtBB1MgZvrUoAZ8jPacRRXddg87Hwgs9+R1jaE+ZYixojOFg+JnQOGkUd9FhJAW
+bcnWV4XIPIMbouL4132Ove+GukJlPA==
-----END PRIVATE KEY-----
--
2.26.2

487
SOURCES/openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
View File

@ -1,487 +0,0 @@
From 8e3e85e329f5cbd989936b0df8a0ac06906a4824 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Tue, 14 Apr 2020 16:19:05 +0300
Subject: [PATCH] auth: add SASL/GSSAPI tests
---
tests/data/krb5.conf | 32 ++++++
tests/data/slapd-sasl-gssapi.conf | 65 ++++++++++++
tests/scripts/conf.sh | 3 +
tests/scripts/defines.sh | 5 +
tests/scripts/setup_kdc.sh | 144 +++++++++++++++++++++++++++
tests/scripts/test077-sasl-gssapi | 159 ++++++++++++++++++++++++++++++
6 files changed, 408 insertions(+)
create mode 100644 tests/data/krb5.conf
create mode 100644 tests/data/slapd-sasl-gssapi.conf
create mode 100755 tests/scripts/setup_kdc.sh
create mode 100755 tests/scripts/test077-sasl-gssapi
diff --git a/tests/data/krb5.conf b/tests/data/krb5.conf
new file mode 100644
index 000000000..739113742
--- /dev/null
+++ b/tests/data/krb5.conf
@@ -0,0 +1,32 @@
+[libdefaults]
+ default_realm = @KRB5REALM@
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ default_ccache_name = FILE://@TESTDIR@/ccache
+ #udp_preference_limit = 1
+[realms]
+ @KRB5REALM@ = {
+ kdc = @KDCHOST@:@KDCPORT@
+ acl_file = @TESTDIR@/kadm.acl
+ database_name = @TESTDIR@/kdc.db
+ key_stash_file = @TESTDIR@/kdc.stash
+ }
+[kdcdefaults]
+ kdc_ports = @KDCPORT@
+ kdc_tcp_ports = @KDCPORT@
+[logging]
+ kdc = FILE:@TESTDIR@/kdc.log
+ admin_server = FILE:@TESTDIR@/kadm.log
+ default = FILE:@TESTDIR@/krb5.log
+
+#Heimdal
+[kdc]
+ database = {
+ dbname = @TESTDIR@/kdc.db
+ realm = @KRB5REALM@
+ mkey_file = @TESTDIR@/kdc.stash
+ log_file = @TESTDIR@/kdc.log
+ acl_file = @TESTDIR@/kadm.acl
+ }
+[hdb]
+ db-dir = @TESTDIR@
diff --git a/tests/data/slapd-sasl-gssapi.conf b/tests/data/slapd-sasl-gssapi.conf
new file mode 100644
index 000000000..611fc7097
--- /dev/null
+++ b/tests/data/slapd-sasl-gssapi.conf
@@ -0,0 +1,65 @@
+# stand-alone slapd config -- for testing (with indexing)
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+#
+include @SCHEMADIR@/core.schema
+include @SCHEMADIR@/cosine.schema
+#
+include @SCHEMADIR@/corba.schema
+include @SCHEMADIR@/java.schema
+include @SCHEMADIR@/inetorgperson.schema
+include @SCHEMADIR@/misc.schema
+include @SCHEMADIR@/nis.schema
+include @SCHEMADIR@/openldap.schema
+#
+include @SCHEMADIR@/duaconf.schema
+include @SCHEMADIR@/dyngroup.schema
+
+#
+pidfile @TESTDIR@/slapd.1.pid
+argsfile @TESTDIR@/slapd.1.args
+
+# SSL configuration
+TLSCACertificateFile @TESTDIR@/tls/ca/certs/testsuiteCA.crt
+TLSCertificateKeyFile @TESTDIR@/tls/private/localhost.key
+TLSCertificateFile @TESTDIR@/tls/certs/localhost.crt
+
+#
+rootdse @DATADIR@/rootdse.ldif
+
+#mod#modulepath ../servers/slapd/back-@BACKEND@/
+#mod#moduleload back_@BACKEND@.la
+#monitormod#modulepath ../servers/slapd/back-monitor/
+#monitormod#moduleload back_monitor.la
+
+
+#######################################################################
+# database definitions
+#######################################################################
+
+database @BACKEND@
+suffix "dc=example,dc=com"
+rootdn "cn=Manager,dc=example,dc=com"
+rootpw secret
+#~null~#directory @TESTDIR@/db.1.a
+#indexdb#index objectClass eq
+#indexdb#index mail eq
+#ndb#dbname db_1_a
+#ndb#include @DATADIR@/ndb.conf
+
+#monitor#database monitor
+
+sasl-realm @KRB5REALM@
+sasl-host localhost
diff --git a/tests/scripts/conf.sh b/tests/scripts/conf.sh
index b0393865d..c9e1a4b0a 100755
--- a/tests/scripts/conf.sh
+++ b/tests/scripts/conf.sh
@@ -99,4 +99,7 @@ sed -e "s/@BACKEND@/${BACKEND}/" \
-e "s;@TESTWD@;${TESTWD};" \
-e "s;@DATADIR@;${DATADIR};" \
-e "s;@SCHEMADIR@;${SCHEMADIR};" \
+ -e "s;@KRB5REALM@;${KRB5REALM};" \
+ -e "s;@KDCHOST@;${KDCHOST};" \
+ -e "s;@KDCPORT@;${KDCPORT};" \
-e "/^#/d"
diff --git a/tests/scripts/defines.sh b/tests/scripts/defines.sh
index 1d6c2b3f1..ccb2e5b41 100755
--- a/tests/scripts/defines.sh
+++ b/tests/scripts/defines.sh
@@ -114,6 +114,7 @@ REFSLAVECONF=$DATADIR/slapd-ref-slave.conf
SCHEMACONF=$DATADIR/slapd-schema.conf
TLSCONF=$DATADIR/slapd-tls.conf
TLSSASLCONF=$DATADIR/slapd-tls-sasl.conf
+SASLGSSAPICONF=$DATADIR/slapd-sasl-gssapi.conf
GLUECONF=$DATADIR/slapd-glue.conf
REFINTCONF=$DATADIR/slapd-refint.conf
RETCODECONF=$DATADIR/slapd-retcode.conf
@@ -223,6 +224,7 @@ PORT3=`expr $BASEPORT + 3`
PORT4=`expr $BASEPORT + 4`
PORT5=`expr $BASEPORT + 5`
PORT6=`expr $BASEPORT + 6`
+KDCPORT=`expr $BASEPORT + 7`
URI1="ldap://${LOCALHOST}:$PORT1/"
URIP1="ldap://${LOCALIP}:$PORT1/"
URI2="ldap://${LOCALHOST}:$PORT2/"
@@ -248,6 +250,9 @@ SURIP5="ldaps://${LOCALIP}:$PORT5/"
SURI6="ldaps://${LOCALHOST}:$PORT6/"
SURIP6="ldaps://${LOCALIP}:$PORT6/"
+KRB5REALM="K5.REALM"
+KDCHOST=$LOCALHOST
+
# LDIF
LDIF=$DATADIR/test.ldif
LDIFADD1=$DATADIR/do_add.1
diff --git a/tests/scripts/setup_kdc.sh b/tests/scripts/setup_kdc.sh
new file mode 100755
index 000000000..1cb784075
--- /dev/null
+++ b/tests/scripts/setup_kdc.sh
@@ -0,0 +1,144 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+export KRB5_TRACE=$TESTDIR/k5_trace
+export KRB5_CONFIG=$TESTDIR/krb5.conf
+export KRB5_KDC_PROFILE=$KRB5_CONFIG
+export KRB5_KTNAME=$TESTDIR/server.kt
+export KRB5_CLIENT_KTNAME=$TESTDIR/client.kt
+export KRB5CCNAME=$TESTDIR/client.ccache
+
+KDCLOG=$TESTDIR/setup_kdc.log
+KSERVICE=ldap/$LOCALHOST
+KUSER=kuser
+
+. $CONFFILTER < $DATADIR/krb5.conf > $KRB5_CONFIG
+
+PATH=${PATH}:/usr/lib/heimdal-servers:/usr/sbin:/usr/local/sbin
+
+echo "Trying Heimdal KDC..."
+
+kdc --version 2>&1 | grep Heimdal > $KDCLOG 2>&1
+RC=$?
+if test $RC = 0 ; then
+
+ kstash --random-key > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kstash failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ flags="--realm-max-ticket-life=1h --realm-max-renewable-life=1h"
+ kadmin -l init $flags $KRB5REALM > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kadmin init failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin -l add --random-key --use-defaults $KSERVICE > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin -l ext -k $KRB5_KTNAME $KSERVICE > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin -l add --random-key --use-defaults $KUSER > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kadmin add failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin -l ext -k $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "Heimdal: kadmin ext failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kdc --addresses=$LOCALIP --ports="$KDCPORT/udp" > $KDCLOG 2>&1 &
+else
+ echo "Trying MIT KDC..."
+
+ kdb5_util create -r $KRB5REALM -s -P password > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "MIT: kdb5_util create failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin.local -q "addprinc -randkey $KSERVICE" > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "MIT: admin addprinc failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin.local -q "ktadd -k $KRB5_KTNAME $KSERVICE" > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin.local -q "addprinc -randkey $KUSER" > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "MIT: kadmin addprinc failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ kadmin.local -q "ktadd -k $KRB5_CLIENT_KTNAME $KUSER" > $KDCLOG 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "MIT: kadmin ktadd failed, skipping GSSAPI tests"
+ exit 0
+ fi
+
+ krb5kdc -n > $KDCLOG 2>&1 &
+fi
+
+KDCPROC=$!
+sleep 1
+
+kinit -kt $KRB5_CLIENT_KTNAME $KUSER > $KDCLOG 2>&1
+RC=$?
+if test $RC != 0 ; then
+ kill $KDCPROC
+ echo "SASL/GSSAPI: kinit failed, skipping GSSAPI tests"
+ exit 0
+fi
+
+pluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
+RC=$?
+if test $RC != 0 ; then
+
+ saslpluginviewer -m GSSAPI > $TESTDIR/plugin_out 2>/dev/null
+ RC=$?
+ if test $RC != 0 ; then
+ kill $KDCPROC
+ echo "cyrus-sasl has no GSSAPI support, test skipped"
+ exit 0
+ fi
+fi
diff --git a/tests/scripts/test077-sasl-gssapi b/tests/scripts/test077-sasl-gssapi
new file mode 100755
index 000000000..64abe16fe
--- /dev/null
+++ b/tests/scripts/test077-sasl-gssapi
@@ -0,0 +1,159 @@
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+if test $WITH_SASL = no ; then
+ echo "SASL support not available, test skipped"
+ exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1
+cp -r $DATADIR/tls $TESTDIR
+
+cd $TESTWD
+
+
+echo "Starting KDC for SASL/GSSAPI tests..."
+. $SRCDIR/scripts/setup_kdc.sh
+
+echo "Running slapadd to build slapd database..."
+. $CONFFILTER $BACKEND $MONITORDB < $SASLGSSAPICONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+RC=$?
+if test $RC != 0 ; then
+ echo "slapadd failed ($RC)!"
+ kill $KDCPROC
+ exit $RC
+fi
+
+echo "Starting ldap:/// slapd on TCP/IP port $PORT1 and ldaps:/// slapd on $PORT2..."
+$SLAPD -f $CONF1 -h "$URI1 $SURI2" -d $LVL $TIMING > $LOG1 2>&1 &
+PID=$!
+if test $WAIT != 0 ; then
+ echo PID $PID
+ read foo
+fi
+KILLPIDS="$PID"
+
+sleep 1
+
+for i in 0 1 2 3 4 5; do
+ $LDAPSEARCH -s base -b "" -H $URI1 \
+ 'objectclass=*' > /dev/null 2>&1
+ RC=$?
+ if test $RC = 0 ; then
+ break
+ fi
+ echo "Waiting 5 seconds for slapd to start..."
+ sleep 5
+done
+
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+$LDAPSEARCH -x -H $URI1 -s "base" -b "" supportedSASLMechanisms > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapsearch failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+grep GSSAPI $TESTOUT
+RC=$?
+if test $RC != 0 ; then
+ echo "failed: GSSAPI mechanism not in supportedSASLMechanisms."
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+fi
+
+echo -n "Using ldapwhoami with SASL/GSSAPI: "
+$LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+else
+ echo "success"
+fi
+
+echo -n "Validating mapped SASL/GSSAPI ID: "
+echo "dn:uid=$KUSER,cn=$KRB5REALM,cn=gssapi,cn=auth" > $TESTDIR/dn.out
+$CMP $TESTDIR/dn.out $TESTOUT > $CMPOUT
+RC=$?
+if test $RC != 0 ; then
+ echo "Comparison failed"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+else
+ echo "success"
+fi
+
+if test $WITH_TLS = no ; then
+ echo "SASL/GSSAPI: TLS support not available, skipping TLS part."
+else
+ echo -n "Using ldapwhoami with SASL/GSSAPI with start-tls: "
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $URI1 -ZZ -o tls_reqcert=allow \
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ > $TESTOUT 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ else
+ echo "success"
+ fi
+
+ echo -n "Using ldapwhoami with SASL/GSSAPI with ldaps: "
+ $LDAPSASLWHOAMI -N -Y GSSAPI -H $SURI2 -o tls_reqcert=allow \
+ -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt \
+ > $TESTOUT 2>&1
+ RC=$?
+ if test $RC != 0 ; then
+ echo "ldapwhoami failed ($RC)!"
+ kill $KDCPROC
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit $RC
+ else
+ echo "success"
+ fi
+fi
+
+kill $KDCPROC
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+if test $RC != 0 ; then
+ echo ">>>>> Test failed"
+else
+ echo ">>>>> Test succeeded"
+ RC=0
+fi
+
+test $KILLSERVERS != no && wait
+
+exit $RC
--
2.26.2

18
SOURCES/openldap-cbinding-fix-openssl-digest.patch
View File

@ -1,18 +0,0 @@
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 6f27168..eb7b97c 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -862,7 +862,12 @@ tlso_session_endpoint( tls_session *sess, struct berval *buf, int is_server )
return 0;
#if OPENSSL_VERSION_NUMBER >= 0x10100000
- md = EVP_get_digestbynid( X509_get_signature_nid( cert ));
+ {
+ int mdnid;
+ if ( !OBJ_find_sigid_algs( X509_get_signature_nid( cert ), &mdnid, NULL ))
+ return 0;
+ md = EVP_get_digestbynid( mdnid );
+ }
#else
md = EVP_get_digestbynid(OBJ_obj2nid( cert->sig_alg->algorithm ));
#endif

46
SOURCES/openldap-change-TLS_REQSAN-default-to-TRY.patch
View File

@ -1,46 +0,0 @@
From 2dfe3f35c7fef4792f15f0b3f9c9a10e5f9a4692 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@rehdat.com>
Date: Thu, 5 Aug 2021 16:15:09 +0200
Subject: [PATCH] Change TLS_REQSAN default to TRY
---
doc/man/man5/ldap.conf.5 | 2 +-
libraries/libldap/init.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index cde2c875f..9f1aa2c0a 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -479,7 +479,6 @@ The client will not check any SAN in the certificate.
The SAN is checked against the specified hostname. If a SAN is
present but none match the specified hostname, the SANs are ignored
and the usual check against the certificate DN is used.
-This is the default setting.
.TP
.B try
The SAN is checked against the specified hostname. If no SAN is present
@@ -487,6 +486,7 @@ in the server certificate, the usual check against the certificate DN
is used. If a SAN is present but doesn't match the specified hostname,
the session is immediately terminated. This setting may be preferred
when a mix of certs with and without SANs are in use.
+This is the default setting.
.TP
.B demand | hard
These keywords are equivalent. The SAN is checked against the specified
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 0d91808ec..fa4c176fd 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -625,7 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
gopts->ldo_tls_connect_cb = NULL;
gopts->ldo_tls_connect_arg = NULL;
gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
- gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
+ gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_TRY;
#endif
gopts->ldo_keepalive_probes = 0;
gopts->ldo_keepalive_interval = 0;
--
2.31.1

41
SOURCES/openldap-cldap-check-for-error-on-connected-socket.patch
View File

@ -1,41 +0,0 @@
From ec5eba5393e5cc65b05e54658c55500cdbff775a Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 26 Aug 2020 13:22:52 +0100
Subject: [PATCH 01/34] ITS#9328 cldap: check for error on connected socket
libldap doesn't use a connected socket for UDP sessions, but 3rd
parties can, passed in with ldap_init_fd().
---
libraries/libldap/result.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c
index bdced135b..e2b220630 100644
--- a/libraries/libldap/result.c
+++ b/libraries/libldap/result.c
@@ -486,7 +486,8 @@ retry:
#ifdef LDAP_CONNECTIONLESS
if ( LDAP_IS_UDP(ld) ) {
struct sockaddr_storage from;
- ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) );
+ if ( ber_int_sb_read( lc->lconn_sb, &from, sizeof(struct sockaddr_storage) ) < 0 )
+ goto fail;
if ( ld->ld_options.ldo_version == LDAP_VERSION2 ) isv2 = 1;
}
nextresp3:
@@ -502,10 +503,11 @@ nextresp3:
break;
case LBER_DEFAULT:
+fail:
err = sock_errno();
#ifdef LDAP_DEBUG
Debug( LDAP_DEBUG_CONNS,
- "ber_get_next failed.\n", 0, 0, 0 );
+ "ber_get_next failed, errno=%d.\n", err, 0, 0 );
#endif
if ( err == EWOULDBLOCK ) return LDAP_MSG_X_KEEP_LOOKING;
if ( err == EAGAIN ) return LDAP_MSG_X_KEEP_LOOKING;
--
2.26.2

55
SOURCES/openldap-ldapi-sasl.patch
View File

@ -1,55 +0,0 @@
From 69709289b083c53ba41d2cef7d65120220f8c59b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 May 2013 17:02:57 +0200
Subject: [PATCH] LDAPI SASL fix
Resolves: #960222
---
libraries/libldap/cyrus.c | 19 ++++++++++++++++---
1 Datei geändert, 16 Zeilen hinzugefügt(+), 3 Zeilen entfernt(-)
diff --git a/libraries/libldap/cyrus.c b/libraries/libldap/cyrus.c
index 28c241b..a9acf36 100644
--- a/libraries/libldap/cyrus.c
+++ b/libraries/libldap/cyrus.c
@@ -394,6 +394,8 @@ ldap_int_sasl_bind(
struct berval ccred = BER_BVNULL;
int saslrc, rc;
unsigned credlen;
+ char my_hostname[HOST_NAME_MAX + 1];
+ int free_saslhost = 0;
Debug( LDAP_DEBUG_TRACE, "ldap_int_sasl_bind: %s\n",
mechs ? mechs : "<null>", 0, 0 );
@@ -454,14 +456,25 @@ ldap_int_sasl_bind(
/* If we don't need to canonicalize just use the host
* from the LDAP URI.
+ * Always use the result of gethostname() for LDAPI.
*/
- if ( nocanon )
+ if (ld->ld_defconn->lconn_server->lud_scheme != NULL &&
+ strcmp("ldapi", ld->ld_defconn->lconn_server->lud_scheme) == 0) {
+ rc = gethostname(my_hostname, HOST_NAME_MAX + 1);
+ if (rc == 0) {
+ saslhost = my_hostname;
+ } else {
+ saslhost = "localhost";
+ }
+ } else if ( nocanon )
saslhost = ld->ld_defconn->lconn_server->lud_host;
- else
+ else {
saslhost = ldap_host_connected_to( ld->ld_defconn->lconn_sb,
"localhost" );
+ free_saslhost = 1;
+ }
rc = ldap_int_sasl_open( ld, ld->ld_defconn, saslhost );
- if ( !nocanon )
+ if ( free_saslhost )
LDAP_FREE( saslhost );
}
--
1.7.11.7

27
SOURCES/openldap-manpages.patch
View File

@ -3,10 +3,10 @@ Various manual pages changes:
* removes references to non-existing manpages (bz 624616)
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
index 3def6da..466c772 100644
index 353b075..cf37856 100644
--- a/doc/man/man1/ldapmodify.1
+++ b/doc/man/man1/ldapmodify.1
@@ -397,8 +397,7 @@ exit status and a diagnostic message being written to standard error.
@@ -382,8 +382,7 @@ exit status and a diagnostic message being written to standard error.
.BR ldap_add_ext (3),
.BR ldap_delete_ext (3),
.BR ldap_modify_ext (3),
@ -17,19 +17,19 @@ index 3def6da..466c772 100644
The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index cfde143..63592cb 100644
index 17b7154..6084298 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -317,6 +317,7 @@ certificates in separate individual files. The
@@ -338,6 +338,7 @@ certificates in separate individual files. The
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GnuTLS.
When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index b739f4d..e2a1a00 100644
index 8504b37..f02f1fa 100644
--- a/doc/man/man8/slapd.8
+++ b/doc/man/man8/slapd.8
@@ -5,7 +5,7 @@
@ -39,9 +39,9 @@ index b739f4d..e2a1a00 100644
-.B LIBEXECDIR/slapd
+.B slapd
[\c
.BR \-4 | \-6 ]
.BR \-V [ V [ V ]]
[\c
@@ -317,7 +317,7 @@ the LDAP databases defined in the default config file, just type:
@@ -332,7 +332,7 @@ the LDAP databases defined in the default config file, just type:
.LP
.nf
.ft tt
@ -50,7 +50,7 @@ index b739f4d..e2a1a00 100644
.ft
.fi
.LP
@@ -328,7 +328,7 @@ on voluminous debugging which will be printed on standard error, type:
@@ -343,7 +343,7 @@ on voluminous debugging which will be printed on standard error, type:
.LP
.nf
.ft tt
@ -59,7 +59,7 @@ index b739f4d..e2a1a00 100644
.ft
.fi
.LP
@@ -336,7 +336,7 @@ To test whether the configuration file is correct or not, type:
@@ -351,7 +351,7 @@ To test whether the configuration file is correct or not, type:
.LP
.nf
.ft tt
@ -68,6 +68,3 @@ index b739f4d..e2a1a00 100644
.ft
.fi
.LP
--
1.8.1.4

227
SOURCES/openldap-openssl-ITS7595-Add-EC-support-1.patch
View File

@ -1,227 +0,0 @@
ITS#7595 Add Elliptic Curve support for OpenSSL
Cherry-picked upstream e631ce808ed56119e61321463d06db7999ba5a08
Author: Howard Chu <hyc@openldap.org>
Date: Sat Sep 7 09:47:19 2013 -0700
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 9c72e8296..2311c3096 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -922,6 +922,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B olcTLSECName: <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This is required to enable ECDHE algorithms in
+OpenSSL. This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
.B olcTLSProtocolMin: <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index f504adcf9..ef03e0ad8 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1153,6 +1153,13 @@ are not used.
When using Mozilla NSS these parameters are always generated randomly
so this directive is ignored.
.TP
+.B TLSECName <name>
+Specify the name of a curve to use for Elliptic curve Diffie-Hellman
+ephemeral key exchange. This is required to enable ECDHE algorithms in
+OpenSSL. This option is not used with GnuTLS; the curves may be
+chosen in the GnuTLS ciphersuite specification. This option is also
+ignored for Mozilla NSS.
+.TP
.B TLSProtocolMin <major>[.<minor>]
Specifies minimum SSL/TLS protocol version that will be negotiated.
If the server doesn't support at least that version,
diff --git a/include/ldap.h b/include/ldap.h
index c245651c2..0964a193e 100644
--- a/include/ldap.h
+++ b/include/ldap.h
@@ -158,6 +158,7 @@ LDAP_BEGIN_DECL
#define LDAP_OPT_X_TLS_NEWCTX 0x600f
#define LDAP_OPT_X_TLS_CRLFILE 0x6010 /* GNUtls only */
#define LDAP_OPT_X_TLS_PACKAGE 0x6011
+#define LDAP_OPT_X_TLS_ECNAME 0x6012
#define LDAP_OPT_X_TLS_NEVER 0
#define LDAP_OPT_X_TLS_HARD 1
diff --git a/libraries/libldap/ldap-int.h b/libraries/libldap/ldap-int.h
index 66e04ae80..db7193f4f 100644
--- a/libraries/libldap/ldap-int.h
+++ b/libraries/libldap/ldap-int.h
@@ -165,6 +165,7 @@ struct ldaptls {
char *lt_ciphersuite;
char *lt_crlfile;
char *lt_randfile; /* OpenSSL only */
+ char *lt_ecname; /* OpenSSL only */
int lt_protocol_min;
};
#endif
@@ -250,6 +251,7 @@ struct ldapoptions {
#define ldo_tls_certfile ldo_tls_info.lt_certfile
#define ldo_tls_keyfile ldo_tls_info.lt_keyfile
#define ldo_tls_dhfile ldo_tls_info.lt_dhfile
+#define ldo_tls_ecname ldo_tls_info.lt_ecname
#define ldo_tls_cacertfile ldo_tls_info.lt_cacertfile
#define ldo_tls_cacertdir ldo_tls_info.lt_cacertdir
#define ldo_tls_ciphersuite ldo_tls_info.lt_ciphersuite
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index d25c190ea..0451b01af 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -118,6 +118,10 @@ ldap_int_tls_destroy( struct ldapoptions *lo )
LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = NULL;
}
+ if ( lo->ldo_tls_ecname ) {
+ LDAP_FREE( lo->ldo_tls_ecname );
+ lo->ldo_tls_ecname = NULL;
+ }
if ( lo->ldo_tls_cacertfile ) {
LDAP_FREE( lo->ldo_tls_cacertfile );
lo->ldo_tls_cacertfile = NULL;
@@ -232,6 +236,10 @@ ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
lts.lt_dhfile = LDAP_STRDUP( lts.lt_dhfile );
__atoe( lts.lt_dhfile );
}
+ if ( lts.lt_ecname ) {
+ lts.lt_ecname = LDAP_STRDUP( lts.lt_ecname );
+ __atoe( lts.lt_ecname );
+ }
#endif
lo->ldo_tls_ctx = ti->ti_ctx_new( lo );
if ( lo->ldo_tls_ctx == NULL ) {
@@ -257,6 +265,7 @@ error_exit:
LDAP_FREE( lts.lt_crlfile );
LDAP_FREE( lts.lt_cacertdir );
LDAP_FREE( lts.lt_dhfile );
+ LDAP_FREE( lts.lt_ecname );
#endif
return rc;
}
@@ -646,6 +655,10 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
*(char **)arg = lo->ldo_tls_dhfile ?
LDAP_STRDUP( lo->ldo_tls_dhfile ) : NULL;
break;
+ case LDAP_OPT_X_TLS_ECNAME:
+ *(char **)arg = lo->ldo_tls_ecname ?
+ LDAP_STRDUP( lo->ldo_tls_ecname ) : NULL;
+ break;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
*(char **)arg = lo->ldo_tls_crlfile ?
LDAP_STRDUP( lo->ldo_tls_crlfile ) : NULL;
@@ -765,6 +778,10 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
if ( lo->ldo_tls_dhfile ) LDAP_FREE( lo->ldo_tls_dhfile );
lo->ldo_tls_dhfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
return 0;
+ case LDAP_OPT_X_TLS_ECNAME:
+ if ( lo->ldo_tls_ecname ) LDAP_FREE( lo->ldo_tls_ecname );
+ lo->ldo_tls_ecname = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
+ return 0;
case LDAP_OPT_X_TLS_CRLFILE: /* GnuTLS only */
if ( lo->ldo_tls_crlfile ) LDAP_FREE( lo->ldo_tls_crlfile );
lo->ldo_tls_crlfile = arg ? LDAP_STRDUP( (char *) arg ) : NULL;
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index f24060b7e..1370923af 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -373,10 +373,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return -1;
}
- if ( lo->ldo_tls_dhfile ) {
- DH *dh = NULL;
+ if ( is_server && lo->ldo_tls_dhfile ) {
+ DH *dh;
BIO *bio;
- SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
if (( bio=BIO_new_file( lt->lt_dhfile,"r" )) == NULL ) {
Debug( LDAP_DEBUG_ANY,
@@ -395,7 +394,35 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
}
BIO_free( bio );
SSL_CTX_set_tmp_dh( ctx, dh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_DH_USE );
+ DH_free( dh );
+ }
+
+#ifdef SSL_OP_SINGLE_ECDH_USE
+ if ( is_server && lo->ldo_tls_ecname ) {
+ EC_KEY *ecdh;
+
+ int nid = OBJ_sn2nid( lt->lt_ecname );
+ if ( nid == NID_undef ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not use EC name `%s'.\n",
+ lo->ldo_tls_ecname,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ ecdh = EC_KEY_new_by_curve_name( nid );
+ if ( ecdh == NULL ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: could not generate key for EC name `%s'.\n",
+ lo->ldo_tls_ecname,0,0);
+ tlso_report_error();
+ return -1;
+ }
+ SSL_CTX_set_tmp_ecdh( ctx, ecdh );
+ SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
+ EC_KEY_free( ecdh );
}
+#endif
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 250f14100..8b1e4e582 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -194,6 +194,7 @@ enum {
CFG_ACL_ADD,
CFG_SYNC_SUBENTRY,
CFG_LTHREADS,
+ CFG_TLS_ECNAME,
CFG_LAST
};
@@ -738,6 +739,14 @@ static ConfigTable config_back_cf_table[] = {
#endif
"( OLcfgGlAt:77 NAME 'olcTLSDHParamFile' "
"SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
+ { "TLSECName", NULL, 2, 2, 0,
+#ifdef HAVE_TLS
+ CFG_TLS_ECNAME|ARG_STRING|ARG_MAGIC, &config_tls_option,
+#else
+ ARG_IGNORED, NULL,
+#endif
+ "( OLcfgGlAt:96 NAME 'olcTLSECName' "
+ "SYNTAX OMsDirectoryString SINGLE-VALUE )", NULL, NULL },
{ "TLSProtocolMin", NULL, 2, 2, 0,
#ifdef HAVE_TLS
CFG_TLS_PROTOCOL_MIN|ARG_STRING|ARG_MAGIC, &config_tls_config,
@@ -819,7 +828,7 @@ static ConfigOCs cf_ocs[] = {
"olcThreads $ olcTimeLimit $ olcTLSCACertificateFile $ "
"olcTLSCACertificatePath $ olcTLSCertificateFile $ "
"olcTLSCertificateKeyFile $ olcTLSCipherSuite $ olcTLSCRLCheck $ "
- "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ "
+ "olcTLSRandFile $ olcTLSVerifyClient $ olcTLSDHParamFile $ olcTLSECName $ "
"olcTLSCRLFile $ olcTLSProtocolMin $ olcToolThreads $ olcWriteTimeout $ "
"olcObjectIdentifier $ olcAttributeTypes $ olcObjectClasses $ "
"olcDitContentRules $ olcLdapSyntaxes ) )", Cft_Global },
@@ -3824,6 +3833,7 @@ config_tls_option(ConfigArgs *c) {
case CFG_TLS_CA_PATH: flag = LDAP_OPT_X_TLS_CACERTDIR; break;
case CFG_TLS_CA_FILE: flag = LDAP_OPT_X_TLS_CACERTFILE; break;
case CFG_TLS_DH_FILE: flag = LDAP_OPT_X_TLS_DHFILE; break;
+ case CFG_TLS_ECNAME: flag = LDAP_OPT_X_TLS_ECNAME; break;
#ifdef HAVE_GNUTLS
case CFG_TLS_CRL_FILE: flag = LDAP_OPT_X_TLS_CRLFILE; break;
#endif

34
SOURCES/openldap-openssl-ITS7595-Add-EC-support-2.patch
View File

@ -1,34 +0,0 @@
ITS#7595 don't try to use EC if OpenSSL lacks it
Cherry-picked upstream 721e46fe6695077d63a3df6ea2e397920a72308d
Author: Howard Chu <hyc@openldap.org>
Date: Sun Sep 8 06:32:23 2013 -0700
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 1a81bc625..71c2b055c 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -321,8 +321,12 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
DH_free( dh );
}
-#ifdef SSL_OP_SINGLE_ECDH_USE
if ( is_server && lo->ldo_tls_ecname ) {
+#ifdef OPENSSL_NO_EC
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: Elliptic Curves not supported.\n", 0,0,0 );
+ return -1;
+#else
EC_KEY *ecdh;
int nid = OBJ_sn2nid( lt->lt_ecname );
@@ -344,8 +348,8 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
SSL_CTX_set_tmp_ecdh( ctx, ecdh );
SSL_CTX_set_options( ctx, SSL_OP_SINGLE_ECDH_USE );
EC_KEY_free( ecdh );
- }
#endif
+ }
if ( tlso_opt_trace ) {
SSL_CTX_set_info_callback( ctx, tlso_info_cb );

9
SOURCES/openldap-openssl-manpage-defaultCA.patch
View File

@ -6,9 +6,10 @@ certificates.
Author: Matus Honek <mhonek@redhat.com>
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index 6084298..3070bb4 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an
@@ -327,6 +327,9 @@ are more options you can specify. These options are used when an
.B ldaps:// URI
is selected (by default or otherwise) or when the application
negotiates TLS by issuing the LDAP StartTLS operation.
@ -19,9 +20,10 @@ diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index a559b0c..adda87a 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -801,6 +801,10 @@ If
@@ -878,6 +878,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
@ -33,9 +35,10 @@ diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
.B olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index b6e9250..1653a1b 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1032,6 +1032,10 @@ If
@@ -1108,6 +1108,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.

4
SOURCES/openldap-reentrant-gethostby.patch
View File

@ -8,7 +8,7 @@ Resolves: #179730
Author: Jeffery Layton <jlayton@redhat.com>
diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
index 373c81c..a012062 100644
index aa69f70..4461bf2 100644
--- a/libraries/libldap/util-int.c
+++ b/libraries/libldap/util-int.c
@@ -52,8 +52,8 @@ extern int h_errno;
@ -22,7 +22,7 @@ index 373c81c..a012062 100644
#else
# include <ldap_pvt_thread.h>
@@ -317,7 +317,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
@@ -442,7 +442,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
#define BUFSTART (1024-32)
#define BUFMAX (32*1024-32)

13
SOURCES/openldap-smbk5pwd-overlay.patch
View File

@ -9,7 +9,7 @@ Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #841560
diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
index f20ad94..b6433ff 100644
index 4a710a7..0cd4e9e 100644
--- a/contrib/slapd-modules/smbk5pwd/README
+++ b/contrib/slapd-modules/smbk5pwd/README
@@ -1,3 +1,8 @@
@ -22,10 +22,10 @@ index f20ad94..b6433ff 100644
PasswordModify Extended Operation to update Kerberos keys and Samba
password hashes for an LDAP user.
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
index 3af20e8..ef73663 100644
index b84bc54..b5c3fc8 100644
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -33,7 +33,8 @@ SRCS = overlays.c \
@@ -37,7 +37,8 @@ SRCS = overlays.c \
syncprov.c \
translucent.c \
unique.c \
@ -35,7 +35,7 @@ index 3af20e8..ef73663 100644
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -53,7 +54,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
@@ -57,7 +58,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = ../liboverlays.a
@ -44,7 +44,7 @@ index 3af20e8..ef73663 100644
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -125,6 +126,12 @@ unique.la : unique.lo
@@ -141,6 +142,12 @@ unique.la : unique.lo
valsort.la : valsort.lo
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
@ -57,6 +57,3 @@ index 3af20e8..ef73663 100644
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \
--
1.7.10.4

12
SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
View File

@ -6,10 +6,12 @@ Proof of concept for fixing http://bugs.debian.org/327585
(patch ported from freeradius bug http://bugs.debian.org/416266)
Resolves: #960048
---
--- openldap/servers/slapd/module.c.orig 2010-05-18 17:42:04.000000000 +0200
+++ openldap/servers/slapd/module.c 2010-05-18 17:45:46.000000000 +0200
@@ -117,6 +117,20 @@
diff --git a/servers/slapd/module.c b/servers/slapd/module.c
index e616f1d..52bacff 100644
--- a/servers/slapd/module.c
+++ b/servers/slapd/module.c
@@ -117,6 +117,20 @@ int module_unload( const char *file_name )
return -1; /* not found */
}
@ -30,7 +32,7 @@ Resolves: #960048
int module_load(const char* file_name, int argc, char *argv[])
{
module_loaded_t *module;
@@ -180,7 +194,7 @@
@@ -179,7 +193,7 @@ int module_load(const char* file_name, int argc, char *argv[])
* to calling Debug. This is because Debug is a macro that expands
* into multiple function calls.
*/

15
SOURCES/slapd.ldif
View File

@ -42,36 +42,41 @@ cn: config
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: allop.la
#olcModuleload: auditlog.la
#olcModuleload: autoca.la
#olcModuleload: back_asyncmeta.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: check_password.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: home.la
#olcModuleload: lloadd.la
#olcModuleload: memberof.la
#olcModuleload: otp.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: remoteauth.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la

1
SOURCES/slapd.service
View File

@ -3,7 +3,6 @@ Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-hdb
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html

2
SOURCES/slapd.tmpfiles
View File

@ -1,2 +1,2 @@
# openldap runtime directory for slapd.arg and slapd.pid
d /var/run/openldap 0755 ldap ldap -
d /run/openldap 0755 ldap ldap -

530
SPECS/openldap.spec
View File

@ -3,71 +3,74 @@
%global systemctl_bin /usr/bin/systemctl
%global check_password_version 1.1
%global so_ver 2
%global so_ver_compat 2
%bcond_with servers
# When you change "Version: " to the new major version, remember to change this value too
%global major_version 2.6
# Disable automatic .la file removal
%global __brp_remove_la_files %nil
Name: openldap
Version: 2.4.46
Release: 20%{?dist}
Version: 2.6.6
Release: 1%{?dist}
Summary: LDAP support libraries
License: OpenLDAP
URL: http://www.openldap.org/
Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
Source0: https://openldap.org/software/download/OpenLDAP/openldap-release/openldap-%{version}.tgz
Source1: slapd.service
Source2: slapd.tmpfiles
Source3: slapd.ldif
Source4: ldap.conf
Source10: ltb-project-openldap-ppolicy-check-password-%{check_password_version}.tar.gz
Source5: UPGRADE_INSTRUCTIONS
Source10: https://github.com/ltb-project/openldap-ppolicy-check-password/archive/v%{check_password_version}/openldap-ppolicy-check-password-%{check_password_version}.tar.gz
Source50: libexec-functions
Source52: libexec-check-config.sh
Source53: libexec-upgrade-db.sh
# patches for 2.4
# Patches for 2.6
Patch0: openldap-manpages.patch
Patch2: openldap-reentrant-gethostby.patch
Patch1: openldap-reentrant-gethostby.patch
Patch3: openldap-smbk5pwd-overlay.patch
Patch5: openldap-ai-addrconfig.patch
Patch17: openldap-allop-overlay.patch
Patch18: openldap-cldap-check-for-error-on-connected-socket.patch
Patch4: openldap-ai-addrconfig.patch
Patch5: openldap-allop-overlay.patch
# fix back_perl problems with lt_dlopen()
# might cause crashes because of symbol collisions
# the proper fix is to link all perl modules against libperl
# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327585
Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
# ldapi sasl fix pending upstream inclusion
Patch20: openldap-ldapi-sasl.patch
Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
Patch24: openldap-openssl-manpage-defaultCA.patch
Patch6: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch
# The below patches come from upstream master and are necessary for Channel Binding
# (both tls-unique and tls-server-end-point) to work properly.
# Additionally, for Samba to be able to implement Channel Binding, the PEERCERT option
# is being included as well.
Patch50: openldap-cbinding-Add-channel-binding-support.patch
Patch51: openldap-cbinding-ITS-8573-allow-all-libldap-options-in-tools-o-option.patch
Patch52: openldap-cbinding-ITS-8573-TLS-option-test-suite.patch
Patch53: openldap-cbinding-ITS-8573-Add-missing-URI-variables-for-tests.patch
Patch54: openldap-cbinding-auth-add-SASL-GSSAPI-tests.patch
Patch55: openldap-cbinding-ITS-7398-add-LDAP_OPT_X_TLS_PEERCERT.patch
Patch56: openldap-cbinding-Make-prototypes-available-where-needed.patch
Patch57: openldap-cbinding-ITS-9189_1-rework-sasl-cbinding-support.patch
Patch58: openldap-cbinding-ITS-9189_2-add-channel-bindings-tests.patch
Patch59: openldap-cbinding-ITS-9189_3-initialize-ldo_sasl_cbinding-in-LDAP_LDO_SA.patch
Patch60: openldap-cbinding-Fix-slaptest-in-test077.patch
Patch61: openldap-cbinding-Convert-test077-to-LDIF-config.patch
Patch62: openldap-cbinding-Update-keys-to-RSA-4096.patch
Patch63: openldap-add-TLS_REQSAN-option.patch
Patch64: openldap-change-TLS_REQSAN-default-to-TRY.patch
Patch65: openldap-cbinding-fix-openssl-digest.patch
Patch66: 0001-ITS-9904-ldap_url_parsehosts-check-for-strdup-failur.patch
Patch67: 0001-ITS-9904-ldif_open_url-check-for-ber_strdup-failure.patch
# System-wide default for CA certs
Patch7: openldap-openssl-manpage-defaultCA.patch
Patch8: openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch
Patch9: openldap-Revert-ITS-8618-Remove-deprecated-h-and-p.patch
# check-password module specific patches
Patch90: check-password-makefile.patch
Patch91: check-password.patch
BuildRequires: cyrus-sasl-devel, openssl-devel, krb5-devel, unixODBC-devel
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl-interpreter, perl-devel, perl-generators, perl(ExtUtils::Embed)
BuildRequires: cyrus-sasl-devel
BuildRequires: gcc
BuildRequires: glibc-devel
BuildRequires: groff
BuildRequires: krb5-devel
BuildRequires: libtool-ltdl-devel
BuildRequires: libevent-devel
BuildRequires: make
BuildRequires: openssl-devel
BuildRequires: perl(ExtUtils::Embed)
BuildRequires: perl-devel
BuildRequires: perl-generators
BuildRequires: perl-interpreter
BuildRequires: unixODBC-devel
BuildRequires: systemd
BuildRequires: libdb-devel
BuildRequires: cracklib-devel
%description
OpenLDAP is an open source suite of LDAP (Lightweight Directory Access
@ -80,7 +83,8 @@ libraries, and documentation for OpenLDAP.
%package devel
Summary: LDAP development libraries and header files
Requires: openldap%{?_isa} = %{version}-%{release}, cyrus-sasl-devel%{?_isa}
Requires: openldap%{?_isa} = %{version}-%{release}
Requires: cyrus-sasl-devel%{?_isa}
%description devel
The openldap-devel package includes the development libraries and
@ -90,15 +94,35 @@ protocols for enabling directory services over the Internet. Install
this package only if you plan to develop or will need to compile
customized LDAP clients.
%package compat
Summary: Package providing legacy non-threaded libldap
Requires: openldap%{?_isa} = %{version}-%{release}
# since libldap is manually linked from libldap_r, the provides is not generated automatically
%ifarch armv7hl i686
Provides: libldap-2.4.so.%{so_ver_compat}
Provides: libldap_r-2.4.so.%{so_ver_compat}
Provides: liblber-2.4.so.%{so_ver_compat}
Provides: libslapi-2.4.so.%{so_ver_compat}
%else
Provides: libldap-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit)
Provides: libldap_r-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit)
Provides: liblber-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit)
Provides: libslapi-2.4.so.%{so_ver_compat}()(%{__isa_bits}bit)
%endif
%description compat
The openldap-compat package contains shared libraries named as libldap-2.4.so,
libldap_r-2.4.so, liblber-2.4.so and libslapi-2.4.so.
The libraries are just links to the current version shared libraries,
and are available for compatibility reasons.
%if %{with servers}
%package servers
Summary: LDAP server
License: OpenLDAP
Requires: openldap%{?_isa} = %{version}-%{release}, libdb-utils
Requires(pre): shadow-utils
BuildRequires: systemd
Requires: openldap%{?_isa} = %{version}-%{release}
%{?systemd_requires}
BuildRequires: libdb-devel
BuildRequires: cracklib-devel
Requires(pre): shadow-utils
# migrationtools (slapadd functionality):
Provides: ldif2ldbm
@ -109,6 +133,8 @@ protocols for accessing directory services (usually phone book style
information, but other information is possible) over the Internet,
similar to the way DNS (Domain Name System) information is propagated
over the Internet. This package contains the slapd server and related files.
# endif with servers
%endif
%package clients
Summary: LDAP client utilities
@ -127,38 +153,15 @@ programs needed for accessing and modifying OpenLDAP directories.
%setup -q -c -a 0 -a 10
pushd openldap-%{version}
AUTOMAKE=%{_bindir}/true autoreconf -fi
%patch0 -p1
%patch2 -p1
%patch1 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
# build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@ -172,13 +175,13 @@ mv servers/slapd/back-perl/README{,.back_perl}
# fix documentation encoding
for filename in doc/drafts/draft-ietf-ldapext-acl-model-xx.txt; do
iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8"
mv "$filename.utf8" "$filename"
iconv -f iso-8859-1 -t utf-8 "$filename" > "$filename.utf8"
mv "$filename.utf8" "$filename"
done
popd
pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
pushd openldap-ppolicy-check-password-%{check_password_version}
%patch90 -p1
%patch91 -p1
popd
@ -187,12 +190,13 @@ popd
%set_build_flags
# enable experimental support for LDAP over UDP (LDAP_CONNECTIONLESS)
export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -DLDAP_CONNECTIONLESS -DLDAP_USE_NON_BLOCKING_TLS -DOPENSSL_NO_MD2"
export CFLAGS="${CFLAGS} ${LDFLAGS} -Wl,--as-needed -Wl,-z,now -DLDAP_CONNECTIONLESS"
pushd openldap-%{version}
%configure \
--enable-debug \
--enable-dynamic \
--enable-versioning \
\
--enable-dynacl \
--enable-cleartext \
@ -200,6 +204,7 @@ pushd openldap-%{version}
--enable-lmpasswd \
--enable-spasswd \
--enable-modules \
--enable-perl \
--enable-rewrite \
--enable-rlookups \
--enable-slapi \
@ -212,11 +217,14 @@ pushd openldap-%{version}
--enable-monitor=yes \
--disable-ndb \
--disable-sql \
--disable-wt \
\
--enable-overlays=mod \
\
--disable-static \
\
--enable-balancer=mod \
\
--with-cyrus-sasl \
--without-fetch \
--with-threads \
@ -225,11 +233,11 @@ pushd openldap-%{version}
\
--libexecdir=%{_libdir}
make %{_smp_mflags}
%make_build
popd
pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
make LDAP_INC="-I../openldap-%{version}/include \
pushd openldap-ppolicy-check-password-%{check_password_version}
%make_build LDAP_INC="-I../openldap-%{version}/include \
-I../openldap-%{version}/servers/slapd \
-I../openldap-%{version}/build-servers/include"
popd
@ -239,11 +247,11 @@ popd
mkdir -p %{buildroot}%{_libdir}/
pushd openldap-%{version}
make install DESTDIR=%{buildroot} STRIP=""
%make_install STRIP_OPTS=""
popd
# install check_password module
pushd ltb-project-openldap-ppolicy-check-password-%{check_password_version}
pushd openldap-ppolicy-check-password-%{check_password_version}
mv check_password.so check_password.so.%{check_password_version}
ln -s check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/check_password.so
install -m 755 check_password.so.%{check_password_version} %{buildroot}%{_libdir}/openldap/
@ -276,7 +284,7 @@ mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 %SOURCE2 %{buildroot}%{_tmpfilesdir}/slapd.conf
# install default ldap.conf (customized)
rm -f %{buildroot}%{_sysconfdir}/openldap/ldap.conf
rm %{buildroot}%{_sysconfdir}/openldap/ldap.conf
install -m 0644 %SOURCE4 %{buildroot}%{_sysconfdir}/openldap/ldap.conf
# setup maintainance scripts
@ -284,15 +292,13 @@ mkdir -p %{buildroot}%{_libexecdir}
install -m 0755 -d %{buildroot}%{_libexecdir}/openldap
install -m 0644 %SOURCE50 %{buildroot}%{_libexecdir}/openldap/functions
install -m 0755 %SOURCE52 %{buildroot}%{_libexecdir}/openldap/check-config.sh
install -m 0755 %SOURCE53 %{buildroot}%{_libexecdir}/openldap/upgrade-db.sh
# remove build root from config files and manual pages
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_sysconfdir}/openldap/*.conf
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
# we don't need the default files -- RPM handles changes
rm -f %{buildroot}%{_sysconfdir}/openldap/*.default
rm -f %{buildroot}%{_sysconfdir}/openldap/schema/*.default
rm %{buildroot}%{_sysconfdir}/openldap/*.default
# install an init script for the servers
mkdir -p %{buildroot}%{_unitdir}
@ -302,69 +308,92 @@ install -m 0644 %SOURCE1 %{buildroot}%{_unitdir}/slapd.service
mv %{buildroot}%{_libdir}/slapd %{buildroot}%{_sbindir}/
# setup tools as symlinks to slapd
rm -f %{buildroot}%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
rm -f %{buildroot}%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}%{_sbindir}/slap$X ; done
for X in acl add auth cat dn index modify passwd test schema ; do
rm %{buildroot}%{_sbindir}/slap$X
ln -s slapd %{buildroot}%{_sbindir}/slap$X
done
# re-symlink unversioned libraries, so ldconfig is not confused
pushd %{buildroot}%{_libdir}
v=%{version}
version=$(echo ${v%.[0-9]*})
for lib in liblber libldap libldap_r libslapi; do
rm -f ${lib}.so
ln -s ${lib}-${version}.so.2 ${lib}.so
for lib in liblber libldap libslapi; do
rm -f ${lib}.so
ln -s ${lib}.so.%{so_ver} ${lib}.so
done
for lib in $(ls | grep libldap); do
IFS='.'
read -r -a libsplit <<< "$lib"
if [[ -z "${libsplit[3]}" && -n "${libsplit[2]}" ]]
then
so_ver_short_2_4="%{so_ver_compat}"
elif [ -n "${libsplit[3]}" ]
then
so_ver_full_2_4="%{so_ver_compat}.${libsplit[3]}.${libsplit[4]}"
fi
unset IFS
done
# Copy libldap to libldap_r for both 2.4 and 2.6+ versions, make a versioned lib link
# We increase it by 2 because libldap-2.4 has the 'so.2' major version on 2.4.59 (one of the last versions which is EOL)
gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed -Wl,-z,now \
-Wl,-soname -Wl,libldap-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -lldap
gcc -shared -o "%{buildroot}%{_libdir}/libldap_r-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed -Wl,-z,now \
-Wl,-soname -Wl,libldap_r-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -lldap
gcc -shared -o "%{buildroot}%{_libdir}/liblber-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed -Wl,-z,now \
-Wl,-soname -Wl,liblber-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -llber
gcc -shared -o "%{buildroot}%{_libdir}/libslapi-2.4.so.${so_ver_short_2_4}" -Wl,--no-as-needed -Wl,-z,now \
-Wl,-soname -Wl,libslapi-2.4.so.${so_ver_short_2_4} -L "%{buildroot}%{_libdir}" -lslapi
ln -s libldap-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}}
ln -s libldap_r-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}}
ln -s liblber-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}}
ln -s libslapi-2.4.so.{${so_ver_short_2_4},${so_ver_full_2_4}}
cp libldap.so.${so_ver_full_2_4} libldap_r.so.${so_ver_full_2_4}
ln -s libldap_r.so.{${so_ver_full_2_4},${so_ver_short_2_4}}
ln -s libldap_r.so.${so_ver_full_2_4} libldap_r.so
popd
# tweak permissions on the libraries to make sure they're correct
chmod 0755 %{buildroot}%{_libdir}/lib*.so*
chmod 0644 %{buildroot}%{_libdir}/lib*.*a
chmod 0644 %{buildroot}%{_libdir}/openldap/*.la
# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
mkdir -p %{buildroot}%{_datadir}
install -m 0755 -d %{buildroot}%{_datadir}/openldap-servers
install -m 0644 %SOURCE3 %{buildroot}%{_datadir}/openldap-servers/slapd.ldif
install -m 0644 %SOURCE5 %{buildroot}%{_datadir}/openldap-servers/UPGRADE_INSTRUCTIONS
install -m 0700 -d %{buildroot}%{_sysconfdir}/openldap/slapd.d
rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.conf
rm -f %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
rm %{buildroot}%{_sysconfdir}/openldap/slapd.conf
rm %{buildroot}%{_sysconfdir}/openldap/slapd.ldif
# move doc files out of _sysconfdir
mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
chmod 0644 %{buildroot}%{_datadir}/openldap-servers/DB_CONFIG.example
# remove files which we don't want packaged
rm -f %{buildroot}%{_libdir}/*.la # because we do not want files in %{_libdir}/openldap/ removed, yet
rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
rmdir %{buildroot}%{_localstatedir}/openldap-data
rm %{buildroot}%{_libdir}/*.la # because we do not want files in %{_libdir}/openldap/ removed, yet
%ldconfig_scriptlets
%if %{with servers}
%pre servers
# create ldap user and group
getent group ldap &>/dev/null || groupadd -r -g 55 ldap
getent passwd ldap &>/dev/null || \
useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "OpenLDAP server" ldap
if [ $1 -eq 2 ]; then
# package upgrade
old_version=$(rpm -q --qf=%%{version} openldap-servers)
new_version=%{version}
if [ "$old_version" != "$new_version" ]; then
touch %{_sharedstatedir}/ldap/rpm_upgrade_openldap &>/dev/null
fi
fi
exit 0
%post servers
%systemd_post slapd.service
# If it's not upgrade - we remove the UPGRADE_INSTRUCTIONS
if [ $1 -lt 2 ] ; then
rm %{_datadir}/openldap-servers/UPGRADE_INSTRUCTIONS
fi
# generate configuration if necessary
if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
! -f %{_sysconfdir}/openldap/slapd.conf
@ -376,26 +405,9 @@ if [[ ! -f %{_sysconfdir}/openldap/slapd.d/cn=config.ldif && \
%{systemctl_bin} try-restart slapd.service &>/dev/null
fi
start_slapd=0
# upgrade the database
if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap ]; then
if %{systemctl_bin} --quiet is-active slapd.service; then
%{systemctl_bin} stop slapd.service
start_slapd=1
fi
%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
rm -f %{_sharedstatedir}/ldap/rpm_upgrade_openldap
fi
# restart after upgrade
if [ $1 -ge 1 ]; then
if [ $start_slapd -eq 1 ]; then
%{systemctl_bin} start slapd.service &>/dev/null || :
else
%{systemctl_bin} condrestart slapd.service &>/dev/null || :
fi
%{systemctl_bin} condrestart slapd.service &>/dev/null || :
fi
exit 0
@ -405,41 +417,8 @@ exit 0
%postun servers
%systemd_postun_with_restart slapd.service
%triggerin servers -- libdb
# libdb upgrade (setup for %%triggerun)
if [ $2 -eq 2 ]; then
# we are interested in minor version changes (both versions of libdb are installed at this moment)
if [ "$(rpm -q --qf="%%{version}\n" libdb | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then
touch %{_sharedstatedir}/ldap/rpm_upgrade_libdb
else
rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
fi
fi
exit 0
%triggerun servers -- libdb
# libdb upgrade (finish %%triggerin)
if [ -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb ]; then
if %{systemctl_bin} --quiet is-active slapd.service; then
%{systemctl_bin} stop slapd.service
start=1
else
start=0
fi
%{_libexecdir}/openldap/upgrade-db.sh &>/dev/null
rm -f %{_sharedstatedir}/ldap/rpm_upgrade_libdb
[ $start -eq 1 ] && %{systemctl_bin} start slapd.service &>/dev/null
fi
exit 0
# endif with servers
%endif
%files
%doc openldap-%{version}/ANNOUNCEMENT
@ -451,21 +430,21 @@ exit 0
%dir %{_sysconfdir}/openldap/certs
%config(noreplace) %{_sysconfdir}/openldap/ldap.conf
%dir %{_libexecdir}/openldap/
%{_libdir}/liblber-2.4*.so.*
%{_libdir}/libldap-2.4*.so.*
%{_libdir}/libldap_r-2.4*.so.*
%{_libdir}/libslapi-2.4*.so.*
%{_libdir}/liblber.so.*
%{_libdir}/libldap.so.*
%{_libdir}/libldap_r.so.*
%{_libdir}/libslapi.so.*
%{_mandir}/man5/ldif.5*
%{_mandir}/man5/ldap.conf.5*
%if %{with servers}
%files servers
%doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd
%doc openldap-%{version}/doc/guide/admin/*.html
%doc openldap-%{version}/doc/guide/admin/*.png
%doc openldap-%{version}/servers/slapd/back-perl/SampleLDAP.pm
%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
%doc openldap-%{version}/servers/slapd/back-perl/README.back_perl
%doc ltb-project-openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd
%doc openldap-ppolicy-check-password-%{check_password_version}/README.check_pwd
%doc README.schema
%config(noreplace) %dir %attr(0750,ldap,ldap) %{_sysconfdir}/openldap/slapd.d
%config(noreplace) %{_sysconfdir}/openldap/schema
@ -476,27 +455,32 @@ exit 0
%{_unitdir}/slapd.service
%{_datadir}/openldap-servers/
%{_libdir}/openldap/accesslog*
%{_libdir}/openldap/auditlog*
%{_libdir}/openldap/allop*
%{_libdir}/openldap/auditlog*
%{_libdir}/openldap/autoca*
%{_libdir}/openldap/back_asyncmeta*
%{_libdir}/openldap/back_dnssrv*
%{_libdir}/openldap/back_ldap*
%{_libdir}/openldap/back_meta*
%{_libdir}/openldap/back_null*
%{_libdir}/openldap/back_passwd*
%{_libdir}/openldap/back_relay*
%{_libdir}/openldap/back_shell*
%{_libdir}/openldap/back_sock*
%{_libdir}/openldap/back_perl*
%{_libdir}/openldap/check_password*
%{_libdir}/openldap/collect*
%{_libdir}/openldap/constraint*
%{_libdir}/openldap/dds*
%{_libdir}/openldap/deref*
%{_libdir}/openldap/dyngroup*
%{_libdir}/openldap/dynlist*
%{_libdir}/openldap/home*
%{_libdir}/openldap/lloadd*
%{_libdir}/openldap/memberof*
%{_libdir}/openldap/otp*
%{_libdir}/openldap/pcache*
%{_libdir}/openldap/ppolicy*
%{_libdir}/openldap/refint*
%{_libdir}/openldap/remoteauth*
%{_libdir}/openldap/retcode*
%{_libdir}/openldap/rwm*
%{_libdir}/openldap/seqmod*
@ -506,16 +490,34 @@ exit 0
%{_libdir}/openldap/translucent*
%{_libdir}/openldap/unique*
%{_libdir}/openldap/valsort*
%{_libdir}/openldap/check_password*
%{_libexecdir}/openldap/functions
%{_libexecdir}/openldap/check-config.sh
%{_libexecdir}/openldap/upgrade-db.sh
%{_sbindir}/sl*
%{_mandir}/man8/*
%{_mandir}/man5/lloadd.conf.5*
%{_mandir}/man5/slapd*.5*
%{_mandir}/man5/slapo-*.5*
%{_mandir}/man5/slappw-argon2.5*
# obsolete configuration
%ghost %config(noreplace,missingok) %attr(0640,ldap,ldap) %{_sysconfdir}/openldap/slapd.conf
%else
%exclude %{_datadir}/openldap-servers/
%exclude %{_libdir}/openldap/
%exclude %{_libexecdir}/openldap/check-config.sh
%exclude %{_libexecdir}/openldap/functions
%exclude %{_mandir}/man5/slapd*.5*
%exclude %{_mandir}/man5/slapo-*.5*
%exclude %{_mandir}/man5/lloadd.conf.5*
%exclude %{_mandir}/man5/slappw-argon2.5*
%exclude %{_mandir}/man8/*
%exclude %{_sbindir}/sl*
%exclude %{_sysconfdir}/openldap/check_password.conf
%exclude %{_sysconfdir}/openldap/schema
%exclude %{_tmpfilesdir}/slapd.conf
%exclude %{_unitdir}/slapd.service
# endif with servers
%endif
%files clients
%{_bindir}/*
@ -523,45 +525,163 @@ exit 0
%files devel
%doc openldap-%{version}/doc/drafts openldap-%{version}/doc/rfc
%{_libdir}/lib*.so
%{_libdir}/liblber.so
%{_libdir}/libldap.so
%{_libdir}/libldap_r.so
%{_libdir}/libslapi.so
%{_includedir}/*
%{_libdir}/pkgconfig/lber.pc
%{_libdir}/pkgconfig/ldap.pc
%{_mandir}/man3/*
%files compat
%{_libdir}/libldap-2.4*.so.*
%{_libdir}/libldap_r-2.4*.so.*
%{_libdir}/liblber-2.4*.so.*
%{_libdir}/libslapi-2.4*.so.*
%changelog
* Wed Jul 3 2024 Simon Pichugin <spichugi@redhat.com> - 2.4.46-20
- Bump version to 2.4.46-20
- Resolves: RHEL-35538 - Fix OpenSSL channel binding digest
* Wed Oct 11 2023 Simon Pichugin <spichugi@redhat.com> - 2.6.6-1
- Rebase OpenLDAP in RHEL 9.4
Resolves: RHEL-11306
* Tue Apr 30 2024 Simon Pichugin <spichugi@redhat.com> - 2.4.46-19
- Bump version to 2.4.46-19
- Resolves: RHEL-34283 - openldap: null pointer dereference in ber_memalloc_x function
* Wed Jun 14 2023 Simon Pichugin <spichugi@redhat.com> - 2.6.3-1
- Rebase OpenLDAP to 2.6.3
Related: rhbz#2212983
* Thu Aug 5 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.46-18
- Add TLS_REQSAN option and change the default to TRY (#1814674)
* Fri Aug 5 2022 Simon Pichugin <spichugi@redhat.com> - 2.6.2-3
- Add export symbols related to LDAP_CONNECTIONLESS
Related: rhbz#2115465
* Wed Jun 16 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.46-17
- Rebuild without MP_2 support (#1909037)
* Mon Jun 27 2022 Simon Pichugin <spichugi@redhat.com> - 2.6.2-2
- Change STRIP to STRIP_OPTS
Related: rhbz#2094159
* Thu Sep 10 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.46-16
- CLDAP ldap_result hangs if nobody listens on the port (#1875361)
* Wed Jun 1 2022 Simon Pichugin <spichugi@redhat.com> - 2.6.2-1
- Update to new major release OpenLDAP 2.6.2
- The client tools parameters '-h' and '-p' are officially deprecated,
please, use '-H' parameter instead.
Related: rhbz#2094159
* Thu Jun 18 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-15
- Fix covscan issues from previous release (#1822737)
* Fri Apr 22 2022 Igor Raits <igor.raits@gmail.com> - 2.4.59-5
- Pull systemd only from server subpackage
* Tue Jun 16 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-14
- Backport Channel Binding support (#1822904, #1822737)
* Wed Dec 15 2021 Viktor Ashirov <vashirov@redhat.com> - 2.4.59-4
- Add "with servers" conditional
Related: rhbz#2030665
* Wed Jan 15 2020 Matus Honek <mhonek@redhat.com> - 2.4.46-11
- Use OpenSSL-1.0.2+ API for host name verification (#1788572)
* Thu Sep 23 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.59-3
- Enable BIND_NOW for the linked library too. Related: rhbz#2002747
* Sun Aug 18 2019 Matus Honek <mhonek@redhat.com> - 2.4.46-10
- Do not fallback to checking CN when no SAN matched (#1740070)
* Wed Sep 22 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.59-2
- Enable BIND_NOW to prevent GOT overwrite attacks.
- Ignore badfuncs error in rpminspect because it's a false positive
Related: rhbz#2002747
* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
- Reference default system-wide CA certificates in manpages (#1611624)
* Tue Sep 14 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.59-1
- Rebase openldap to 2.4.59 Related: rhbz#2002747
* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623497)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.57-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Mon Jul 12 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-7
- Fix Channel Binding tests Related: rhbz#1967853
* Thu Jun 24 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-6
- Fix slapd.tmpfiles complaints. Related: rhbz#1969853
- Use https:// for source Related: rhbz#1973597
* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.57-5
- Rebuilt for RHEL 9 BETA for openssl 3.0 Related: rhbz#1971065
* Fri Jun 4 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-4
- Backport Channel Binding support. Related: rhbz#1967853
- Fix coverity issues. Related: rhbz#1938829
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.57-3
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.57-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jan 19 2021 Simon Pichugin <spichugi@redhat.com> - 2.4.57-1
- Rebase to version 2.4.57 (#1917583)
* Thu Nov 26 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-4
- Use gcc to link libldap_r to libldap (#1537260)
* Fri Nov 20 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-3
- Fix 32-bit libraries build (#1537260)
* Fri Nov 20 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-2
- Drop non-threaded libldap (#1537260)
* Wed Nov 18 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.56-1
- Rebase to version 2.4.56 (#1896508)
* Mon Nov 02 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.55-1
- Rebase to version 2.4.55 (#1891622)
* Tue Oct 13 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.54-1
- Rebase to version 2.4.54 (#1887581)
* Thu Sep 10 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.53-1
- Rebase to version 2.4.53 (#1868240)
* Thu Sep 03 2020 Simon Pichugin <spichugi@redhat.com> - 2.4.52-1
- Rebase to version 2.4.52 (#1868240)
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.50-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.50-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jun 22 2020 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.50-2
- Perl 5.32 rebuild
* Wed Jun 17 2020 Matus Honek <mhonek@redhat.com> - 2.4.50-1
- Rebase to version 2.4.50 (#1742285)
* Tue Jun 16 2020 Tom Stellard <tstellar@redhat.com> - 2.4.47-5
- Spec file cleanups
- Add BuildRequres: gcc [1]
- make_build [2] and make_install [3]
- [1] https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/#_buildrequires_and_requires
- [2] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make
- [3] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_why_the_makeinstall_macro_should_not_be_used
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.47-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.47-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu May 30 2019 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.47-2
- Perl 5.30 rebuild
* Wed Feb 13 2019 Matus Honek <mhonek@redhat.com> - 2.4.47-1
- Rebase to upstream version 2.4.47
* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Jan 14 2019 Björn Esser <besser82@fedoraproject.org> - 2.4.46-12
- Rebuilt for libcrypt.so.2 (#1666033)
* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-11
- Reference default system-wide CA certificates in manpages (#1611591)
* Tue Oct 16 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-10
- Revert "Fix: Cannot use SSL3 anymore"
* Mon Oct 08 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
- Backport upstream fixes for ITS 7595 - add OpenSSL EC support (#1623495)
* Tue Aug 14 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-8
- Fix: Cannot use SSL3 anymore (#1592431)
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.46-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild