openldap/openldap-2.3.11-config.patch

--- openldap-2.3.17/servers/slapd/slapd.conf.config	2004-06-17 22:49:08.000000000 -0400
+++ openldap-2.3.17/servers/slapd/slapd.conf	2006-01-12 15:33:04.000000000 -0500
@@ -3,15 +3,19 @@
 # This file should NOT be world readable.
 #
 include		%SYSCONFDIR%/schema/core.schema
+include		%SYSCONFDIR%/schema/cosine.schema
+include		%SYSCONFDIR%/schema/inetorgperson.schema
+include		%SYSCONFDIR%/schema/nis.schema
 
-# Define global ACLs to disable default read access.
+# Allow LDAPv2 client connections.  This is NOT the default.
+allow bind_v2
 
 # Do not enable referrals until AFTER you have a working directory
 # service AND an understanding of referrals.
 #referral	ldap://root.openldap.org
 
-pidfile		%LOCALSTATEDIR%/run/slapd.pid
-argsfile	%LOCALSTATEDIR%/run/slapd.args
+pidfile		%LOCALSTATEDIR%/run/openldap/slapd.pid
+argsfile	%LOCALSTATEDIR%/run/openldap/slapd.args
 
 # Load dynamic backend modules:
 # modulepath	%MODULEDIR%
@@ -21,6 +25,15 @@
 # moduleload	back_passwd.la
 # moduleload	back_shell.la
 
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it.  Your client software
+# may balk at self-signed certificates, however.
+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
+
 # Sample security restrictions
 #	Require integrity protection (prevent hijacking)
 #	Require 112-bit (3DES or better) encryption for updates
@@ -49,19 +62,32 @@
 # rootdn can always read and write EVERYTHING!
 
 #######################################################################
-# BDB database definitions
+# ldbm and/or bdb database definitions
 #######################################################################
 
 database	bdb
 suffix		"dc=my-domain,dc=com"
 rootdn		"cn=Manager,dc=my-domain,dc=com"
 # Cleartext passwords, especially for the rootdn, should
-# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
+# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
 # Use of strong authentication encouraged.
-rootpw		secret
+# rootpw		secret
+# rootpw		{crypt}ijFYNcSNctBYg
+
 # The database directory MUST exist prior to running slapd AND 
 # should only be accessible by the slapd and slap tools.
 # Mode 700 recommended.
-directory	%LOCALSTATEDIR%/openldap-data
-# Indices to maintain
-index	objectClass	eq
+directory	/var/lib/ldap
+
+# Indices to maintain for this database
+index objectClass                       eq,pres
+index ou,cn,mail,surname,givenname      eq,pres,sub
+index uidNumber,gidNumber,loginShell    eq,pres
+index uid,memberUid                     eq,pres,sub
+index nisMapName,nisMapEntry            eq,pres,sub
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+#     bindmethod=sasl saslmech=GSSAPI
+#     authcId=host/ldap-master.example.com@EXAMPLE.COM
--- openldap-2.2.13/servers/slurpd/slurp.h	2004-01-01 13:16:42.000000000 -0500
+++ openldap-2.2.13/servers/slurpd/slurp.h	2004-06-15 11:40:04.000000000 -0400
@@ -66,7 +66,7 @@
 #define SERVICE_NAME	OPENLDAP_PACKAGE "-slurpd"
 
 /* Default directory for slurpd's private copy of replication logs */
-#define	DEFAULT_SLURPD_REPLICA_DIR	LDAP_RUNDIR LDAP_DIRSEP "openldap-slurp"
+#define	DEFAULT_SLURPD_REPLICA_DIR	"/var/lib/ldap"
 
 /* Default name for slurpd's private copy of the replication log */
 #define	DEFAULT_SLURPD_REPLOGFILE	"slurpd.replog"
@@ -75,7 +75,7 @@
 #define	DEFAULT_SLURPD_STATUS_FILE	"slurpd.status"
 
 /* slurpd dump file - contents of rq struct are written here (debugging) */
-#define	SLURPD_DUMPFILE			LDAP_TMPDIR LDAP_DIRSEP "slurpd.dump"
+#define	SLURPD_DUMPFILE			DEFAULT_SLURPD_REPLICA_DIR "/slurpd.dump"
 
 /* Amount of time to sleep if no more work to do */
 #define	DEFAULT_NO_WORK_INTERVAL	3
--- openldap-2.3.11/doc/man/man8/slurpd.8.config	2005-07-10 00:36:41.000000000 -0400
+++ openldap-2.3.11/doc/man/man8/slurpd.8	2005-10-28 21:07:54.000000000 -0400
@@ -120,7 +120,7 @@
 temporary files may contain sensitive information.
 This option allows you to specify the location of these temporary files. 
 The default is
-.BR LOCALSTATEDIR/openldap-slurp .
+.BR /var/lib/ldap .
 .SH EXAMPLES
 To start 
 .I slurpd
- Upgrade to 2.3.19, which upstream now considers stable - Modify the -config.patch, ldap.init, and this spec file to put the pid file and args file in an ldap-owned openldap subdirectory under /var/run. - Move back_sql* out of %{_sbindir}/openldap , which requires hand-moving slapd and slurpd to _sbindir, and recreating symlinks by hand. - Retire openldap-2.3.11-ads.patch, which went upstream. - Update the ldap.init script to run slaptest as the ldap user rather than as root. This solves bz#150172 Startup failure after database problem - Add to the servers post and preun scriptlets so that on preun, the database is slapcatted to /var/lib/ldap/upgrade.ldif and the database files are saved to /var/lib/ldap/rpmorig. On post, if /var/lib/ldap/upgrade.ldif exists, it is slapadded. This means that on upgrades from 2.3.16-2 to higher versions, the database files may be automatically upgraded. Unfortunatly, because of the changes to the preun scriptlet, users have to do the slapcat, etc by hand when upgrading to 2.3.16-2. Also note that the /var/lib/ldap/rpmorig files need to be removed by hand because automatically removing your emergency fallback files is a bad idea. - Upgrade internal bdb to db-4.4.20. For a clean upgrade, this will require that users slapcat their databases into a temp file, move /var/lib/ldap someplace safe, upgrade the openldap rpms, then slapadd the temp file. 2006-01-31 21:47:36 +00:00			`--- openldap-2.3.17/servers/slapd/slapd.conf.config 2004-06-17 22:49:08.000000000 -0400`
			`+++ openldap-2.3.17/servers/slapd/slapd.conf 2006-01-12 15:33:04.000000000 -0500`
			`@@ -3,15 +3,19 @@`
Upgrade to 2.3.11, with much fanfare. 2005-11-11 03:39:40 +00:00			`# This file should NOT be world readable.`
			`#`
			`include %SYSCONFDIR%/schema/core.schema`
			`+include %SYSCONFDIR%/schema/cosine.schema`
			`+include %SYSCONFDIR%/schema/inetorgperson.schema`
			`+include %SYSCONFDIR%/schema/nis.schema`

			`-# Define global ACLs to disable default read access.`
			`+# Allow LDAPv2 client connections. This is NOT the default.`
			`+allow bind_v2`

			`# Do not enable referrals until AFTER you have a working directory`
			`# service AND an understanding of referrals.`
- Upgrade to 2.3.19, which upstream now considers stable - Modify the -config.patch, ldap.init, and this spec file to put the pid file and args file in an ldap-owned openldap subdirectory under /var/run. - Move back_sql* out of %{_sbindir}/openldap , which requires hand-moving slapd and slurpd to _sbindir, and recreating symlinks by hand. - Retire openldap-2.3.11-ads.patch, which went upstream. - Update the ldap.init script to run slaptest as the ldap user rather than as root. This solves bz#150172 Startup failure after database problem - Add to the servers post and preun scriptlets so that on preun, the database is slapcatted to /var/lib/ldap/upgrade.ldif and the database files are saved to /var/lib/ldap/rpmorig. On post, if /var/lib/ldap/upgrade.ldif exists, it is slapadded. This means that on upgrades from 2.3.16-2 to higher versions, the database files may be automatically upgraded. Unfortunatly, because of the changes to the preun scriptlet, users have to do the slapcat, etc by hand when upgrading to 2.3.16-2. Also note that the /var/lib/ldap/rpmorig files need to be removed by hand because automatically removing your emergency fallback files is a bad idea. - Upgrade internal bdb to db-4.4.20. For a clean upgrade, this will require that users slapcat their databases into a temp file, move /var/lib/ldap someplace safe, upgrade the openldap rpms, then slapadd the temp file. 2006-01-31 21:47:36 +00:00			`#referral ldap://root.openldap.org`

			`-pidfile %LOCALSTATEDIR%/run/slapd.pid`
			`-argsfile %LOCALSTATEDIR%/run/slapd.args`
			`+pidfile %LOCALSTATEDIR%/run/openldap/slapd.pid`
			`+argsfile %LOCALSTATEDIR%/run/openldap/slapd.args`

			`# Load dynamic backend modules:`
			`# modulepath %MODULEDIR%`
Upgrade to 2.3.11, with much fanfare. 2005-11-11 03:39:40 +00:00			`@@ -21,6 +25,15 @@`
			`# moduleload back_passwd.la`
			`# moduleload back_shell.la`

			`+# The next three lines allow use of TLS for encrypting connections using a`
			`+# dummy test certificate which you can generate by changing to`
			`+# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on`
			`+# slapd.pem so that the ldap user or group can read it. Your client software`
			`+# may balk at self-signed certificates, however.`
			`+# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt`
			`+# TLSCertificateFile /etc/pki/tls/certs/slapd.pem`
			`+# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem`
			`+`
			`# Sample security restrictions`
			`# Require integrity protection (prevent hijacking)`
			`# Require 112-bit (3DES or better) encryption for updates`
			`@@ -49,19 +62,32 @@`
			`# rootdn can always read and write EVERYTHING!`

			`#######################################################################`
			`-# BDB database definitions`
			`+# ldbm and/or bdb database definitions`
			`#######################################################################`

			`database bdb`
			`suffix "dc=my-domain,dc=com"`
			`rootdn "cn=Manager,dc=my-domain,dc=com"`
			`# Cleartext passwords, especially for the rootdn, should`
			`-# be avoid. See slappasswd(8) and slapd.conf(5) for details.`
			`+# be avoided. See slappasswd(8) and slapd.conf(5) for details.`
			`# Use of strong authentication encouraged.`
			`-rootpw secret`
			`+# rootpw secret`
			`+# rootpw {crypt}ijFYNcSNctBYg`
			`+`
			`# The database directory MUST exist prior to running slapd AND`
			`# should only be accessible by the slapd and slap tools.`
			`# Mode 700 recommended.`
			`-directory %LOCALSTATEDIR%/openldap-data`
			`-# Indices to maintain`
			`-index objectClass eq`
- Upgrade to 2.3.19, which upstream now considers stable - Modify the -config.patch, ldap.init, and this spec file to put the pid file and args file in an ldap-owned openldap subdirectory under /var/run. - Move back_sql* out of %{_sbindir}/openldap , which requires hand-moving slapd and slurpd to _sbindir, and recreating symlinks by hand. - Retire openldap-2.3.11-ads.patch, which went upstream. - Update the ldap.init script to run slaptest as the ldap user rather than as root. This solves bz#150172 Startup failure after database problem - Add to the servers post and preun scriptlets so that on preun, the database is slapcatted to /var/lib/ldap/upgrade.ldif and the database files are saved to /var/lib/ldap/rpmorig. On post, if /var/lib/ldap/upgrade.ldif exists, it is slapadded. This means that on upgrades from 2.3.16-2 to higher versions, the database files may be automatically upgraded. Unfortunatly, because of the changes to the preun scriptlet, users have to do the slapcat, etc by hand when upgrading to 2.3.16-2. Also note that the /var/lib/ldap/rpmorig files need to be removed by hand because automatically removing your emergency fallback files is a bad idea. - Upgrade internal bdb to db-4.4.20. For a clean upgrade, this will require that users slapcat their databases into a temp file, move /var/lib/ldap someplace safe, upgrade the openldap rpms, then slapadd the temp file. 2006-01-31 21:47:36 +00:00			`+directory /var/lib/ldap`
			`+`
Upgrade to 2.3.11, with much fanfare. 2005-11-11 03:39:40 +00:00			`+# Indices to maintain for this database`
			`+index objectClass eq,pres`
			`+index ou,cn,mail,surname,givenname eq,pres,sub`
			`+index uidNumber,gidNumber,loginShell eq,pres`
			`+index uid,memberUid eq,pres,sub`
			`+index nisMapName,nisMapEntry eq,pres,sub`
			`+`
			`+# Replicas of this database`
			`+#replogfile /var/lib/ldap/openldap-master-replog`
			`+#replica host=ldap-1.example.com:389 starttls=critical`
			`+# bindmethod=sasl saslmech=GSSAPI`
			`+# authcId=host/ldap-master.example.com@EXAMPLE.COM`
			`--- openldap-2.2.13/servers/slurpd/slurp.h 2004-01-01 13:16:42.000000000 -0500`
			`+++ openldap-2.2.13/servers/slurpd/slurp.h 2004-06-15 11:40:04.000000000 -0400`
			`@@ -66,7 +66,7 @@`
			`#define SERVICE_NAME OPENLDAP_PACKAGE "-slurpd"`

			`/* Default directory for slurpd's private copy of replication logs */`
			`-#define DEFAULT_SLURPD_REPLICA_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-slurp"`
			`+#define DEFAULT_SLURPD_REPLICA_DIR "/var/lib/ldap"`

			`/* Default name for slurpd's private copy of the replication log */`
			`#define DEFAULT_SLURPD_REPLOGFILE "slurpd.replog"`
			`@@ -75,7 +75,7 @@`
			`#define DEFAULT_SLURPD_STATUS_FILE "slurpd.status"`

			`/* slurpd dump file - contents of rq struct are written here (debugging) */`
			`-#define SLURPD_DUMPFILE LDAP_TMPDIR LDAP_DIRSEP "slurpd.dump"`
			`+#define SLURPD_DUMPFILE DEFAULT_SLURPD_REPLICA_DIR "/slurpd.dump"`

			`/* Amount of time to sleep if no more work to do */`
			`#define DEFAULT_NO_WORK_INTERVAL 3`
			`--- openldap-2.3.11/doc/man/man8/slurpd.8.config 2005-07-10 00:36:41.000000000 -0400`
			`+++ openldap-2.3.11/doc/man/man8/slurpd.8 2005-10-28 21:07:54.000000000 -0400`
			`@@ -120,7 +120,7 @@`
			`temporary files may contain sensitive information.`
			`This option allows you to specify the location of these temporary files.`
			`The default is`
			`-.BR LOCALSTATEDIR/openldap-slurp .`
			`+.BR /var/lib/ldap .`
			`.SH EXAMPLES`
			`To start`
			`.I slurpd`