- add %{_sysconfdir}/openldap/cacerts, which authconfig sets as the

TLS_CACERTDIR path in /etc/openldap/ldap.conf now
- use a temporary wrapper script to launch slapd, in case we have arguments
  with embedded whitespace (#158111)

ldap.init

@@ -20,7 +20,8 @@ if [ -r /etc/sysconfig/network ] ; then
 fi
 
 # Source an auxiliary options file if we have one, and pick up OPTIONS,
-# SLAPD_OPTIONS, SLURPD_OPTIONS, and maybe KRB5_KTNAME.
+# SLAPD_OPTIONS, SLURPD_OPTIONS, SLAPD_LDAPS, SLAPD_LDAPI, and maybe
+# KRB5_KTNAME.
 if [ -r /etc/sysconfig/ldap ] ; then
 	. /etc/sysconfig/ldap
 fi
@@ -100,8 +101,8 @@ function configtest() {
 			echo -n $"$file is not owned by \"$user\"" ; warning ; echo
 		done
 		if ! test -s ${dbdir}/id2entry.dbb ; then
-			if ! test -s ${dbdir}/id2entry.bdb ; then
 			if ! test -s ${dbdir}/id2entry.gdbm ; then
+				if ! test -s ${dbdir}/id2entry.bdb ; then
 					slaptestflags=-u
 				fi
 			fi
@@ -135,17 +136,32 @@ function configtest() {
 
 function start() {
 	configtest
-        # Start daemons.
+	# Define a couple of local variables which we'll need. Maybe.
 	user=ldap
 	prog=`basename ${slapd}`
-        echo -n $"Starting $prog: "
+	# Build a wrapper script to exec slapd with the right arguments, to
-	if grep -q ^TLS /etc/openldap/slapd.conf ; then
+	# avoid being tripped out by changes or weirdness in how daemon()
-	    daemon ${slapd} -u ${user} -h "ldap:/// ldaps:///" $OPTIONS $SLAPD_OPTIONS
+	# handles quoted arguments.
-	    RETVAL=$?
+	wrapper=`mktemp ${TMP:-/tmp}/start-slapd.XXXXXX`
-	else
+	harg="ldap:///"
-	    daemon ${slapd} -u ${user} -h "ldap:///" $OPTIONS $SLAPD_OPTIONS
+	if grep -q ^TLS /etc/openldap/slapd.conf || test x$SLAPD_LDAPS = xyes ; then
-	    RETVAL=$?
+	    harg="$harg ldaps:///"
 	fi
+	if test x$SLAPD_LDAPI = xyes ; then
+	    harg="$harg ldapi:///"
+	fi
+	if test -z "$wrapper" ; then
+	    return 1
+	fi
+	cat >> $wrapper <<- EOF
+	exec ${slapd} -h "$harg" -u ${user} $OPTIONS $SLAPD_OPTIONS
+	EOF
+	chmod u+x $wrapper
+	trap "rm -f $wrapper" EXIT
+	# Start daemons.
+	echo -n $"Starting $prog: "
+	daemon --check=$prog $wrapper
+	RETVAL=$?
 	echo
 	if [ $RETVAL -eq 0 ]; then
 	    if grep -q "^replogfile" /etc/openldap/slapd.conf; then

openldap.spec

@@ -503,6 +503,11 @@ pushd openldap-%{version_22}/build-clients
 make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} LIBTOOL="$libtool"
 popd
 
+# Create this directory so that authconfig setting TLS_CACERT to
+# /etc/openldap/cacerts doesn't cause TLS startup of any kind to fail
+# when the directory doesn't exist.
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/openldap/cacerts
+
 # Install the padl.com migration tools.
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/openldap/migration
 install -m 755 MigrationTools-%{migtools_version}/migrate_* \
@@ -619,6 +624,7 @@ fi
 %doc openldap-%{version_22}/LICENSE
 %doc openldap-%{version_22}/README
 %attr(0755,root,root) %dir /etc/openldap
+%attr(0755,root,root) %dir /etc/openldap/cacerts
 %attr(0644,root,root) %config(noreplace) /etc/openldap/ldap*.conf
 %attr(0755,root,root) %{_libdir}/liblber-*.so.*
 %attr(0755,root,root) %{_libdir}/libldap-*.so.*
@@ -711,7 +717,11 @@ fi
 %changelog
 * Thu May 19 2005 Nalin Dahyabhai <nalin@redhat.com>
 - run slaptest with the -u flag if no id2entry db files are found, because
-  you can't read-write access a non-existent database (#156787)
+  you can't check for read-write access to a non-existent database (#156787)
+- add %{_sysconfdir}/openldap/cacerts, which authconfig sets as the
+  TLS_CACERTDIR path in /etc/openldap/ldap.conf now
+- use a temporary wrapper script to launch slapd, in case we have arguments
+  with embedded whitespace (#158111)
 
 * Wed May  4 2005 Nalin Dahyabhai <nalin@redhat.com>
 - update to 2.2.26 (stable 20050429)