rebase to 2.4.23

- package rebased
- removed embedded db4
- removed patches merged by upstream
- removed no longer required patches
- merged patches doing manpage changes
- merged patches exporting ldif API
- reapplied patches and added description to each one
- removed unnecessary BuildRequires
- cleaned %config, %build and %install sections
- updated database upgrade process:
  - database is exported (slapcat) and reimported (slapadd) when minor
	version of openldap changes (safe and recommended way)
  - database is upgraded (db4) when minor version of db4 package changes
	(this is not done in %post anymore, as the database is not embedded,
	but using triggers)

Resolved: #624616 Bogus links in "SEE ALSO" part of several man-pages
Resolved: #625740 openldap-2.4.23 is available
Jan Vcelak 2010-08-24 18:25:50 +02:00
parent b68d557f79
commit 95d8d32fc5
27 changed files with 588 additions and 781 deletions


@ -1,9 +0,0 @@
These files are here specifically for use in building the nss_ldap package,
and should not be used for any other purpose.
They contain a backported patch which adds two functions which nss_ldap can
use to avoid blocking in one particular use case, but which are not included
in the 2.2 branch of OpenLDAP.
When the openldap package updates to 2.3, these libraries will simply
disappear.


@ -1,21 +0,0 @@
/* Gleaned from glibc, though I suppose it's documented in the specs, too.
NPTL requires support that isn't in kernels prior to 2.4.20 (or 2.5.36 if
you're not using a backported TLS implementation in your kernel), but ld.so
will try to use this library on an insufficiently-new system unless we make
a note of the required kernel version here.
We also add in a section which marks the library as not needing an
executable stack to avoid unintentionally disabling exec-shield and the
like (thanks Arjan!). */
.section ".note.ABI-tag", "a"
.p2align 2
.long 1f - 0f
.long 3f - 2f
.long 1
0: .asciz "GNU"
1: .p2align 2
2: .long 0
.long 2,4,20
3: .p2align 2
.section .note.GNU-stack, "", @progbits
.previous


@ -1,13 +0,0 @@
diff -up openldap-2.4.11/libraries/libldap/init.c.patch2 openldap-2.4.11/libraries/libldap/init.c
--- openldap-2.4.11/libraries/libldap/init.c.patch2 2008-02-12 00:26:41.000000000 +0100
+++ openldap-2.4.11/libraries/libldap/init.c 2008-09-01 09:57:09.000000000 +0200
@@ -327,9 +327,6 @@ static void openldap_ldap_init_w_usercon
if(path != NULL) {
LDAP_FREE(path);
}
-
- /* try file */
- openldap_ldap_init_w_conf(file, 1);
}
static void openldap_ldap_init_w_env(


@ -1,14 +0,0 @@
Don't read the user's configuration file if we're running in a setuid
or setgid application.
diff -up openldap-2.4.14/libraries/libldap/init.c.setugid openldap-2.4.14/libraries/libldap/init.c
--- openldap-2.4.14/libraries/libldap/init.c.setugid 2009-02-17 08:31:19.000000000 +0100
+++ openldap-2.4.14/libraries/libldap/init.c 2009-02-17 08:39:01.000000000 +0100
@@ -634,7 +634,7 @@ void ldap_int_initialize( struct ldapopt
openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
#ifdef HAVE_GETEUID
- if ( geteuid() != getuid() )
+ if ( geteuid() != getuid() || getegid() != getgid() )
return;
#endif


@ -1,20 +0,0 @@
If libexecdir and sbindir are the same, avoid making an absolute symlink.
diff -up openldap-2.4.11/servers/slapd/Makefile.in.patch5 openldap-2.4.11/servers/slapd/Makefile.in
--- openldap-2.4.11/servers/slapd/Makefile.in.patch5 2008-09-01 09:57:09.000000000 +0200
+++ openldap-2.4.11/servers/slapd/Makefile.in 2008-09-01 09:57:09.000000000 +0200
@@ -270,7 +270,12 @@ slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
$(WRAP_LIBS)
$(RM) $(SLAPTOOLS)
for i in $(SLAPTOOLS); do \
- $(LN_S) slapd$(EXEEXT) $$i$(EXEEXT); done
+ if test $(libexecdir) != $(sbindir) ; then \
+ $(LN_S) $(libexecdir)/slapd$(EXEEXT) $$i$(EXEEXT); \
+ else \
+ $(LN_S) slapd$(EXEEXT) $$i$(EXEEXT); \
+ fi \
+ done
sslapd: version.o


@ -1,112 +0,0 @@
--- openldap/clients/tools/common.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/common.c.option 2009-04-09 14:52:23.000000000 +0200
@@ -267,7 +267,6 @@ void
tool_common_usage( void )
{
static const char *const descriptions[] = {
-N_(" -c continuous operation mode (do not stop on errors)\n"),
N_(" -d level set LDAP debugging level to `level'\n"),
N_(" -D binddn bind DN\n"),
N_(" -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)\n")
@@ -298,18 +297,15 @@ N_(" [!]sessiontracking\n")
N_(" abandon, cancel, ignore (SIGINT sends abandon/cancel,\n"
" or ignores response; if critical, doesn't wait for SIGINT.\n"
" not really controls)\n")
-N_(" -f file read operations from `file'\n"),
N_(" -h host LDAP server\n"),
N_(" -H URI LDAP Uniform Resource Identifier(s)\n"),
N_(" -I use SASL Interactive mode\n"),
-N_(" -M enable Manage DSA IT control (-MM to make critical)\n"),
N_(" -n show what would be done but don't actually do it\n"),
N_(" -N do not use reverse DNS to canonicalize SASL host name\n"),
N_(" -O props SASL security properties\n"),
N_(" -o <opt>[=<optparam] general options\n"),
N_(" nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
N_(" -p port port on LDAP server\n"),
-N_(" -P version protocol version (default: 3)\n"),
N_(" -Q use SASL Quiet mode\n"),
N_(" -R realm SASL realm\n"),
N_(" -U authcid SASL authentication identity\n"),
--- openldap/clients/tools/ldapcompare.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/ldapcompare.c.option 2009-04-09 14:46:37.000000000 +0200
@@ -85,6 +85,8 @@ usage( void )
fprintf( stderr, _("Compare options:\n"));
fprintf( stderr, _(" -E [!]<ext>[=<extparam>] compare extensions (! indicates criticality)\n"));
fprintf( stderr, _(" !dontUseCopy (Don't Use Copy)\n"));
+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n"));
+ fprintf( stderr, _(" -P version protocol version (default: 3)\n"));
fprintf( stderr, _(" -z Quiet mode,"
" don't print anything, use return values\n"));
tool_common_usage();
--- openldap/clients/tools/ldapdelete.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/ldapdelete.c.option 2009-04-09 14:48:48.000000000 +0200
@@ -71,6 +71,10 @@ usage( void )
fprintf( stderr, _(" dn: list of DNs to delete. If not given, it will be readed from stdin\n"));
fprintf( stderr, _(" or from the file specified with \"-f file\".\n"));
fprintf( stderr, _("Delete Options:\n"));
+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n"));
+ fprintf( stderr, _(" -f file read operations from `file'\n"));
+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n"));
+ fprintf( stderr, _(" -P version protocol version (default: 3)\n"));
fprintf( stderr, _(" -r delete recursively\n"));
tool_common_usage();
exit( EXIT_FAILURE );
--- openldap/clients/tools/ldapmodify.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/ldapmodify.c.option 2009-04-09 14:50:14.000000000 +0200
@@ -137,8 +137,12 @@ usage( void )
fprintf( stderr, _("Add or modify options:\n"));
fprintf( stderr, _(" -a add values (%s)\n"),
(ldapadd ? _("default") : _("default is to replace")));
+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n"));
fprintf( stderr, _(" -E [!]ext=extparam modify extensions"
" (! indicate s criticality)\n"));
+ fprintf( stderr, _(" -f file read operations from `file'\n"));
+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n"));
+ fprintf( stderr, _(" -P version protocol version (default: 3)\n"));
#ifdef LDAP_X_TXN
fprintf( stderr,
_(" [!]txn=<commit|abort> (transaction)\n"));
--- openldap/clients/tools/ldapmodrdn.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/ldapmodrdn.c.option 2009-04-09 14:50:40.000000000 +0200
@@ -83,6 +83,10 @@ usage( void )
fprintf( stderr, _(" If not given, the list of modifications is read from stdin or\n"));
fprintf( stderr, _(" from the file specified by \"-f file\" (see man page).\n"));
fprintf( stderr, _("Rename options:\n"));
+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n"));
+ fprintf( stderr, _(" -f file read operations from `file'\n"));
+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n"));
+ fprintf( stderr, _(" -P version protocol version (default: 3)\n"));
fprintf( stderr, _(" -r remove old RDN\n"));
fprintf( stderr, _(" -s newsup new superior entry\n"));
tool_common_usage();
--- openldap/clients/tools/ldapsearch.c 2009-04-09 11:37:06.000000000 +0200
+++ openldap/clients/tools/ldapsearch.c.option 2009-04-09 14:51:51.000000000 +0200
@@ -123,6 +123,7 @@ usage( void )
fprintf( stderr, _(" -a deref one of never (default), always, search, or find\n"));
fprintf( stderr, _(" -A retrieve attribute names only (no values)\n"));
fprintf( stderr, _(" -b basedn base dn for search\n"));
+ fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n"));
fprintf( stderr, _(" -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)\n"));
fprintf( stderr, _(" [!]domainScope (domain scope)\n"));
fprintf( stderr, _(" !dontUseCopy (Don't Use Copy)\n"));
@@ -137,12 +138,15 @@ usage( void )
fprintf( stderr, _(" [!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]\n"));
#endif
fprintf( stderr, _(" [!]<oid>=:<value> (generic control; no response handling)\n"));
+ fprintf( stderr, _(" -f file read operations from `file'\n"));
fprintf( stderr, _(" -F prefix URL prefix for files (default: %s)\n"), def_urlpre);
fprintf( stderr, _(" -l limit time limit (in seconds, or \"none\" or \"max\") for search\n"));
fprintf( stderr, _(" -L print responses in LDIFv1 format\n"));
fprintf( stderr, _(" -LL print responses in LDIF format without comments\n"));
fprintf( stderr, _(" -LLL print responses in LDIF format without comments\n"));
fprintf( stderr, _(" and version\n"));
+ fprintf( stderr, _(" -M enable Manage DSA IT control (-MM to make critical)\n"));
+ fprintf( stderr, _(" -P version protocol version (default: 3)\n"));
fprintf( stderr, _(" -s scope one of base, one, sub or children (search scope)\n"));
fprintf( stderr, _(" -S attr sort the results by attribute `attr'\n"));
fprintf( stderr, _(" -t write binary values to files in temporary directory\n"));


@ -1,10 +0,0 @@
--- openldap-2.4.16/doc/man/man5/ldap.conf.5.orig 2009-09-16 17:12:01.000000000 +0200
+++ openldap-2.4.16/doc/man/man5/ldap.conf.5 2009-09-16 17:15:32.000000000 +0200
@@ -305,6 +305,7 @@
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GNUtls.
.TP
.B TLS_CERT <filename>


@ -1,11 +0,0 @@
--- openldap-2.4.19/servers/slapd/back-bdb/dn2id.c.orig 2010-02-24 09:55:39.000000000 +0100
+++ openldap-2.4.19/servers/slapd/back-bdb/dn2id.c 2010-02-24 09:56:07.000000000 +0100
@@ -676,7 +676,7 @@ hdb_dn2id_delete(
d->nrdnlen[0] = (BEI(e)->bei_nrdn.bv_len >> 8) | 0x80;
dlen[0] = d->nrdnlen[0];
dlen[1] = d->nrdnlen[1];
- strcpy( d->nrdn, BEI(e)->bei_nrdn.bv_val );
+ memcpy( d->nrdn, BEI(e)->bei_nrdn.bv_val, BEI(e)->bei_nrdn.bv_len+1 );
data.data = d;
rc = db->cursor( db, txn, &cursor, bdb->bi_db_opflags );


@ -1,22 +0,0 @@
--- openldap-2.4.22/include/Makefile.in.orig 2010-06-03 07:38:29.000000000 -0600
+++ openldap-2.4.22/include/Makefile.in 2010-06-03 07:39:21.000000000 -0600
@@ -15,17 +15,18 @@
all-local: ldap_config.h FORCE
install-local: FORCE
-$(MKDIR) $(DESTDIR)$(includedir)
for header in $(srcdir)/lber.h lber_types.h \
$(srcdir)/ldap.h $(srcdir)/ldap_cdefs.h \
$(srcdir)/ldap_schema.h $(srcdir)/ldap_utf8.h \
- $(srcdir)/slapi-plugin.h ldap_features.h; \
+ $(srcdir)/slapi-plugin.h ldap_features.h \
+ $(srcdir)/ldif.h ; \
do \
$(INSTALL) $(INSTALLFLAGS) -m 644 $$header $(DESTDIR)$(includedir); \
done
clean-local: FORCE
$(RM) ldap_config.h
veryclean-local: clean-local FORCE


@ -1,66 +0,0 @@
--- openldap-2.4.22/libraries/liblutil/Makefile.in.orig 2010-06-03 10:57:01.000000000 -0600
+++ openldap-2.4.22/libraries/liblutil/Makefile.in 2010-06-03 10:59:29.000000000 -0600
@@ -9,16 +9,19 @@
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
LIBRARY = liblutil.a
+
+SHAREDLIB = libldif.la
+
PROGRAM = testavl
LDAP_INCDIR= ../../include
LDAP_LIBDIR= ../../libraries
NT_SRCS = ntservice.c
NT_OBJS = ntservice.o slapdmsg.res
@@ -35,16 +38,18 @@
@LIBSRCS@ $(@PLAT@_SRCS)
OBJS = base64.o entropy.o sasl.o signal.o hash.o passfile.o \
md5.o passwd.o sha1.o getpass.o lockf.o utils.o uuid.o sockpair.o \
avl.o tavl.o ldif.o fetch.o \
meter.o \
@LIBOBJS@ $(@PLAT@_OBJS)
+SHAREDLIBOBJS = ldif.lo fetch.lo
+
testavl: $(XLIBS) testavl.o
(LTLINK) -o $@ testavl.o $(LIBS)
testtavl: $(XLIBS) testtavl.o
(LTLINK) -o $@ testtavl.o $(LIBS)
# These rules are for a Mingw32 build, specifically.
# It's ok for them to be here because the clean rule is harmless, and
@@ -54,8 +59,24 @@
@if [ ! -f $@ ]; then cp $(srcdir)/$@ .; fi
slapdmsg.res: slapdmsg.rc slapdmsg.bin
windres $< -O coff -o $@
clean-local:
$(RM) *.res
+all-local: $(SHAREDLIB)
+
+.SUFFIXES: .c .o .lo
+
+.c.lo:
+ $(LTCOMPILE_LIB) $<
+
+$(LIBRARY): $(SHAREDLIBOBJS) version.lo
+
+$(SHAREDLIB): $(SHAREDLIBOBJS) version.lo
+ $(LTLINK_LIB) -o $(SHAREDLIB) $(SHAREDLIBOBJS) version.lo $(LINK_LIBS)
+
+install-local: FORCE
+ -$(MKDIR) $(DESTDIR)$(libdir)
+ $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(SHAREDLIB) $(DESTDIR)$(libdir)
+ $(LTFINISH) $(DESTDIR)$(libdir)


@ -1,74 +0,0 @@
bz #605448 CVE-2010-0211 openldap: modrdn processing uninitialized pointer free
bz #605452 CVE-2010-0212 openldap: modrdn processing IA5StringNormalize NULL pointer dereference
diff -urp openldap-2.4.22/servers/slapd/dn.c openldap-2.4.22.new/servers/slapd/dn.c
--- openldap-2.4.22/servers/slapd/dn.c 2010-04-13 22:23:14.000000000 +0200
+++ openldap-2.4.22.new/servers/slapd/dn.c 2010-07-19 17:57:51.974346501 +0200
@@ -302,16 +302,13 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f
ava->la_attr = ad->ad_cname;
if( ava->la_flags & LDAP_AVA_BINARY ) {
- if( ava->la_value.bv_len == 0 ) {
- /* BER encoding is empty */
- return LDAP_INVALID_SYNTAX;
- }
+ /* AVA is binary encoded, not supported */
+ return LDAP_INVALID_SYNTAX;
/* Do not allow X-ORDERED 'VALUES' naming attributes */
} else if( ad->ad_type->sat_flags & SLAP_AT_ORDERED_VAL ) {
return LDAP_INVALID_SYNTAX;
- /* AVA is binary encoded, don't muck with it */
} else if( flags & SLAP_LDAPDN_PRETTY ) {
transf = ad->ad_type->sat_syntax->ssyn_pretty;
if( !transf ) {
@@ -379,6 +376,10 @@ LDAPRDN_rewrite( LDAPRDN rdn, unsigned f
ava->la_value = bv;
ava->la_flags |= LDAP_AVA_FREE_VALUE;
}
+ /* reject empty values */
+ if (!ava->la_value.bv_len) {
+ return LDAP_INVALID_SYNTAX;
+ }
}
rc = LDAP_SUCCESS;
diff -urp openldap-2.4.22/servers/slapd/modrdn.c openldap-2.4.22.new/servers/slapd/modrdn.c
--- openldap-2.4.22/servers/slapd/modrdn.c 2010-04-13 22:23:16.000000000 +0200
+++ openldap-2.4.22.new/servers/slapd/modrdn.c 2010-07-19 17:57:51.975346274 +0200
@@ -445,12 +445,19 @@ slap_modrdn2mods(
mod_tmp->sml_values[1].bv_val = NULL;
if( desc->ad_type->sat_equality->smr_normalize) {
mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
- (void) (*desc->ad_type->sat_equality->smr_normalize)(
+ rs->sr_err = desc->ad_type->sat_equality->smr_normalize(
SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
desc->ad_type->sat_syntax,
desc->ad_type->sat_equality,
&mod_tmp->sml_values[0],
&mod_tmp->sml_nvalues[0], NULL );
+ if (rs->sr_err != LDAP_SUCCESS) {
+ ch_free(mod_tmp->sml_nvalues);
+ ch_free(mod_tmp->sml_values[0].bv_val);
+ ch_free(mod_tmp->sml_values);
+ ch_free(mod_tmp);
+ goto done;
+ }
mod_tmp->sml_nvalues[1].bv_val = NULL;
} else {
mod_tmp->sml_nvalues = NULL;
diff -urp openldap-2.4.22/servers/slapd/schema_init.c openldap-2.4.22.new/servers/slapd/schema_init.c
--- openldap-2.4.22/servers/slapd/schema_init.c 2010-04-14 20:12:15.000000000 +0200
+++ openldap-2.4.22.new/servers/slapd/schema_init.c 2010-07-19 17:57:51.978346712 +0200
@@ -1735,8 +1735,9 @@ UTF8StringNormalize(
? LDAP_UTF8_APPROX : 0;
val = UTF8bvnormalize( val, &tmp, flags, ctx );
+ /* out of memory or syntax error, the former is unlikely */
if( val == NULL ) {
- return LDAP_OTHER;
+ return LDAP_INVALID_SYNTAX;
}
/* collapse spaces (in place) */


@ -1,30 +0,0 @@
diff -up openldap-2.4.11/doc/man/man8/slapd.8.patch9 openldap-2.4.11/doc/man/man8/slapd.8
--- openldap-2.4.11/doc/man/man8/slapd.8.patch9 2008-02-12 00:26:40.000000000 +0100
+++ openldap-2.4.11/doc/man/man8/slapd.8 2008-09-01 09:57:09.000000000 +0200
@@ -5,7 +5,7 @@
.SH NAME
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
-.B LIBEXECDIR/slapd
+.B slapd
[\c
.BR \-4 | \-6 ]
[\c
@@ -312,7 +312,7 @@ on voluminous debugging which will be pr
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
+ slapd -f /var/tmp/slapd.conf -d 255
.ft
.fi
.LP
@@ -320,7 +320,7 @@ To test whether the configuration file i
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-Tt
+ slapd -Tt
.ft
.fi
.LP


@ -1,12 +0,0 @@
diff -up openldap-2.4.11/build/top.mk.patch6 openldap-2.4.11/build/top.mk
--- openldap-2.4.11/build/top.mk.patch6 2008-02-12 00:26:38.000000000 +0100
+++ openldap-2.4.11/build/top.mk 2008-09-01 09:57:09.000000000 +0200
@@ -199,7 +199,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@
SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@
SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@
-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS)
+SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_SLP_LIBS@ $(ICU_LIBS)
# Our Defaults
CC = $(AC_CC)


@ -1,16 +0,0 @@
Build both slapd as position-independent executables. This really
should be threaded into the various autotools, but I guess this is what we have
until that happens, if it happens.
diff -up openldap-2.4.11/servers/slapd/Makefile.in.patch4 openldap-2.4.11/servers/slapd/Makefile.in
--- openldap-2.4.11/servers/slapd/Makefile.in.patch4 2008-02-12 00:26:43.000000000 +0100
+++ openldap-2.4.11/servers/slapd/Makefile.in 2008-09-01 09:57:09.000000000 +0200
@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a
cp slapi/.libs/libslapi.a .
slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
+ $(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \
$(WRAP_LIBS)
$(RM) $(SLAPTOOLS)
for i in $(SLAPTOOLS); do \


@ -1,7 +1,10 @@
diff -up evo-openldap-2.4.14/include/ldap.h.evolution-ntlm evo-openldap-2.4.14/include/ldap.h
--- evo-openldap-2.4.14/include/ldap.h.evolution-ntlm 2009-01-27 00:29:53.000000000 +0100
+++ evo-openldap-2.4.14/include/ldap.h 2009-02-17 10:10:00.000000000 +0100
@@ -2461,5 +2461,26 @@ ldap_parse_deref_control LDAP_P((
Get rid of this patch as soon as possible.
More details are provided in README.evolution
diff -uNPrp openldap-2.4.23.old/include/ldap.h openldap-2.4.23.new/include/ldap.h
--- openldap-2.4.23.old/include/ldap.h 2010-06-10 20:48:36.000000000 +0200
+++ openldap-2.4.23.new/include/ldap.h 2010-08-24 18:17:46.306679878 +0200
@@ -2487,5 +2487,26 @@ ldap_parse_deref_control LDAP_P((
LDAPControl **ctrls,
LDAPDerefRes **drp ));
@ -28,9 +31,9 @@ diff -up evo-openldap-2.4.14/include/ldap.h.evolution-ntlm evo-openldap-2.4.14/i
+
LDAP_END_DECL
#endif /* _LDAP_H */
diff -up evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm evo-openldap-2.4.14/libraries/libldap/Makefile.in
--- evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm 2009-01-27 00:29:53.000000000 +0100
+++ evo-openldap-2.4.14/libraries/libldap/Makefile.in 2009-02-17 10:10:00.000000000 +0100
diff -uNPrp openldap-2.4.23.old/libraries/libldap/Makefile.in openldap-2.4.23.new/libraries/libldap/Makefile.in
--- openldap-2.4.23.old/libraries/libldap/Makefile.in 2010-04-13 22:22:55.000000000 +0200
+++ openldap-2.4.23.new/libraries/libldap/Makefile.in 2010-08-24 18:17:46.306679878 +0200
@@ -20,7 +20,7 @@ PROGRAMS = apitest dntest ftest ltest ur
SRCS = bind.c open.c result.c error.c compare.c search.c \
controls.c messages.c references.c extended.c cyrus.c \
@ -49,9 +52,9 @@ diff -up evo-openldap-2.4.14/libraries/libldap/Makefile.in.evolution-ntlm evo-op
filter.lo free.lo sort.lo passwd.lo whoami.lo \
getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \
request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
diff -up /dev/null evo-openldap-2.4.14/libraries/libldap/ntlm.c
--- /dev/null 2009-02-17 09:19:52.829004420 +0100
+++ evo-openldap-2.4.14/libraries/libldap/ntlm.c 2009-02-17 10:10:00.000000000 +0100
diff -uNPrp openldap-2.4.23.old/libraries/libldap/ntlm.c openldap-2.4.23.new/libraries/libldap/ntlm.c
--- openldap-2.4.23.old/libraries/libldap/ntlm.c 1970-01-01 01:00:00.000000000 +0100
+++ openldap-2.4.23.new/libraries/libldap/ntlm.c 2010-08-24 18:17:46.330680333 +0200
@@ -0,0 +1,137 @@
+/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */
+/*


@ -0,0 +1,61 @@
Patch exposes LDIF reading/writing API. This change is required to replace
mozldap with openldap in FreeIPA project.
Upstream: ITS #6194
Author: Rich Megginson <rmeggins@redhat.com>
diff -uNPrp openldap-2.4.23.old/include/Makefile.in openldap-2.4.23.new/include/Makefile.in
--- openldap-2.4.23.old/include/Makefile.in 2010-04-13 22:22:47.000000000 +0200
+++ openldap-2.4.23.new/include/Makefile.in 2010-08-19 17:40:29.073805139 +0200
@@ -20,7 +20,8 @@ install-local: FORCE
for header in $(srcdir)/lber.h lber_types.h \
$(srcdir)/ldap.h $(srcdir)/ldap_cdefs.h \
$(srcdir)/ldap_schema.h $(srcdir)/ldap_utf8.h \
- $(srcdir)/slapi-plugin.h ldap_features.h; \
+ $(srcdir)/slapi-plugin.h ldap_features.h \
+ $(srcdir)/ldif.h ; \
do \
$(INSTALL) $(INSTALLFLAGS) -m 644 $$header $(DESTDIR)$(includedir); \
done
diff -uNPrp openldap-2.4.23.old/libraries/liblutil/Makefile.in openldap-2.4.23.new/libraries/liblutil/Makefile.in
--- openldap-2.4.23.old/libraries/liblutil/Makefile.in 2010-04-19 18:53:01.000000000 +0200
+++ openldap-2.4.23.new/libraries/liblutil/Makefile.in 2010-08-19 17:40:20.424679962 +0200
@@ -14,6 +14,9 @@
## <http://www.OpenLDAP.org/license.html>.
LIBRARY = liblutil.a
+
+SHAREDLIB = libldif.la
+
PROGRAM = testavl
LDAP_INCDIR= ../../include
@@ -40,6 +43,8 @@ OBJS = base64.o entropy.o sasl.o signal.
meter.o \
@LIBOBJS@ $(@PLAT@_OBJS)
+SHAREDLIBOBJS = ldif.lo fetch.lo
+
testavl: $(XLIBS) testavl.o
(LTLINK) -o $@ testavl.o $(LIBS)
@@ -59,3 +64,19 @@ slapdmsg.res: slapdmsg.rc slapdmsg.bin
clean-local:
$(RM) *.res
+all-local: $(SHAREDLIB)
+
+.SUFFIXES: .c .o .lo
+
+.c.lo:
+ $(LTCOMPILE_LIB) $<
+
+$(LIBRARY): $(SHAREDLIBOBJS) version.lo
+
+$(SHAREDLIB): $(SHAREDLIBOBJS) version.lo
+ $(LTLINK_LIB) -o $(SHAREDLIB) $(SHAREDLIBOBJS) version.lo $(LINK_LIBS)
+
+install-local: FORCE
+ -$(MKDIR) $(DESTDIR)$(libdir)
+ $(LTINSTALL) $(INSTALLFLAGS) -m 644 $(SHAREDLIB) $(DESTDIR)$(libdir)
+ $(LTFINISH) $(DESTDIR)$(libdir)
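Review bot: The liblutil Makefile.in hunks export `fetch.lo` alongside `ldif.lo` without a comment in the Makefile saying that these objects now form a public shared library, and the recipe-less rule `$(LIBRARY): $(SHAREDLIBOBJS) version.lo` in the last hunk gives no hint why the static archive should depend on the libtool objects. I would add `# libldif.la exports the LDIF API (ldif.lo, fetch.lo) for external consumers; see ITS #6194` above `SHAREDLIBOBJS = ldif.lo fetch.lo` and a one-line comment on the dependency rule stating its intent. Whether `$(LTLINK_LIB)` already supplies library versioning for the new libldif is not visible here and should be confirmed, because once FreeIPA links against it the exported symbols become ABI.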


@ -0,0 +1,19 @@
Disables opening of ldaprc file in current directory.
Resolves: #38402
Upstream: ITS #1131
Author: Henning Schmiedehausen <hps@intermeta.de>
diff -u -uNPrp openldap-2.4.23.old/libraries/libldap/init.c openldap-2.4.23.new/libraries/libldap/init.c
--- openldap-2.4.23.old/libraries/libldap/init.c 2010-04-13 22:22:57.000000000 +0200
+++ openldap-2.4.23.new/libraries/libldap/init.c 2010-08-24 15:34:27.780680598 +0200
@@ -346,9 +346,6 @@ static void openldap_ldap_init_w_usercon
if(path != NULL) {
LDAP_FREE(path);
}
-
- /* try file */
- openldap_ldap_init_w_conf(file, 1);
}
static void openldap_ldap_init_w_env(
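Review bot: The patch header says what is disabled but not why, and the reason is a security one that a later rebase could easily lose sight of. Going by the header, the removed `openldap_ldap_init_w_conf(file, 1);` call is what loaded the rc file from the current directory, so I would add a line to the header such as `An ldaprc found in an untrusted working directory could otherwise override the server URI or TLS settings of any LDAP client started there.` Whether the environment-driven path in openldap_ldap_init_w_env, which begins right after this hunk, needs similar scrutiny cannot be judged from the lines shown. The enclosing function (its name is truncated in the hunk header) starts outside the hunk.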

103
openldap-manpages.patch Normal file

@ -0,0 +1,103 @@
Various manual pages changes:
* removes LIBEXECDIR from slapd.8
* removes references to non-existing manpages (bz 624616)
diff -uNPrp openldap-2.4.23.old/doc/man/man1/ldapmodify.1 openldap-2.4.23.new/doc/man/man1/ldapmodify.1
--- openldap-2.4.23.old/doc/man/man1/ldapmodify.1 2010-04-13 22:22:36.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man1/ldapmodify.1 2010-08-19 17:42:10.256805450 +0200
@@ -364,9 +364,7 @@ exit status and a diagnostic message bei
.BR ldap_add_ext (3),
.BR ldap_delete_ext (3),
.BR ldap_modify_ext (3),
-.BR ldap_modrdn_ext (3),
-.BR ldif (5),
-.BR slapd.replog (5)
+.BR ldif (5)
.SH AUTHOR
The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
diff -uNPrp openldap-2.4.23.old/doc/man/man5/ldap.conf.5 openldap-2.4.23.new/doc/man/man5/ldap.conf.5
--- openldap-2.4.23.old/doc/man/man5/ldap.conf.5 2010-04-13 22:22:41.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man5/ldap.conf.5 2010-08-19 17:43:25.312805428 +0200
@@ -317,6 +317,7 @@ certificates in separate individual file
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
This parameter is ignored with GNUtls.
.TP
.B TLS_CERT <filename>
diff -uNPrp openldap-2.4.23.old/doc/man/man5/ldif.5 openldap-2.4.23.new/doc/man/man5/ldif.5
--- openldap-2.4.23.old/doc/man/man5/ldif.5 2010-04-13 22:22:41.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man5/ldif.5 2010-08-19 17:42:10.256805450 +0200
@@ -270,8 +270,7 @@ commands.
.BR ldapmodify (1),
.BR slapadd (8),
.BR slapcat (8),
-.BR slapd\-ldif (5),
-.BR slapd.replog (5).
+.BR slapd\-ldif (5).
.LP
"LDAP Data Interchange Format," Good, G., RFC 2849.
.SH ACKNOWLEDGEMENTS
diff -uNPrp openldap-2.4.23.old/doc/man/man5/slapd-config.5 openldap-2.4.23.new/doc/man/man5/slapd-config.5
--- openldap-2.4.23.old/doc/man/man5/slapd-config.5 2010-06-10 19:17:53.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man5/slapd-config.5 2010-08-19 17:42:10.258805346 +0200
@@ -1995,7 +1995,6 @@ default slapd configuration directory
.BR slapd.conf (5),
.BR slapd.overlays (5),
.BR slapd.plugin (5),
-.BR slapd.replog (5),
.BR slapd (8),
.BR slapacl (8),
.BR slapadd (8),
diff -uNPrp openldap-2.4.23.old/doc/man/man5/slapd.conf.5 openldap-2.4.23.new/doc/man/man5/slapd.conf.5
--- openldap-2.4.23.old/doc/man/man5/slapd.conf.5 2010-04-16 20:05:07.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man5/slapd.conf.5 2010-08-19 17:42:10.261805644 +0200
@@ -1927,7 +1927,6 @@ default slapd configuration file
.BR slapd.backends (5),
.BR slapd.overlays (5),
.BR slapd.plugin (5),
-.BR slapd.replog (5),
.BR slapd (8),
.BR slapacl (8),
.BR slapadd (8),
diff -uNPrp openldap-2.4.23.old/doc/man/man8/slapd.8 openldap-2.4.23.new/doc/man/man8/slapd.8
--- openldap-2.4.23.old/doc/man/man8/slapd.8 2010-04-13 22:22:46.000000000 +0200
+++ openldap-2.4.23.new/doc/man/man8/slapd.8 2010-08-19 17:44:19.996680613 +0200
@@ -5,7 +5,7 @@
.SH NAME
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
-.B LIBEXECDIR/slapd
+.B slapd
[\c
.BR \-4 | \-6 ]
[\c
@@ -301,7 +301,7 @@ the LDAP databases defined in the defaul
.LP
.nf
.ft tt
- LIBEXECDIR/slapd
+ slapd
.ft
.fi
.LP
@@ -312,7 +312,7 @@ on voluminous debugging which will be pr
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
+ slapd -f /var/tmp/slapd.conf -d 255
.ft
.fi
.LP
@@ -320,7 +320,7 @@ To test whether the configuration file i
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-Tt
+ slapd -Tt
.ft
.fi
.LP


@ -1,5 +1,8 @@
#614545 Mozilla NSS - support use of self signed CA certs as server certs
upstream: http://www.openldap.org/its/index.cgi issue 6589
Resolves: #614545
Upstream: ITS #6589
Author: Rich Megginson <rmeggins@redhat.com>
diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200


@ -1,5 +1,8 @@
#616552 Mozilla NSS - delay token auth until needed
upstream: http://www.openldap.org/its/index.cgi issue 6595
Mozilla NSS - delay token auth until needed
Resolves: #616552
Upstream: ITS #6595
Author: Rich Megginson <rmeggins@redhat.com>
diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200


@ -2,11 +2,14 @@ The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
example if libldap needs to be initialized from within gethostbyXXXX() (which
actually happens if nss_ldap is used for hostname resolution and earlier
modules can't resolve the local host name), so use the reentrant versions of
the functions, even if we're not being compiled for use in libldap_r (patch
from Jeffery Layton, #179730).
diff -up openldap-2.4.11/libraries/libldap/util-int.c.patch7 openldap-2.4.11/libraries/libldap/util-int.c
--- openldap-2.4.11/libraries/libldap/util-int.c.patch7 2008-02-12 00:26:41.000000000 +0100
+++ openldap-2.4.11/libraries/libldap/util-int.c 2008-09-01 09:57:09.000000000 +0200
the functions, even if we're not being compiled for use in libldap_r
Resolves: #179730
Author: Jeffery Layton <jlayton@redhat.com>
diff -uNPrp openldap-2.4.23.old/libraries/libldap/util-int.c openldap-2.4.23.new/libraries/libldap/util-int.c
--- openldap-2.4.23.old/libraries/libldap/util-int.c 2010-04-19 18:53:01.000000000 +0200
+++ openldap-2.4.23.new/libraries/libldap/util-int.c 2010-08-19 17:47:52.456805354 +0200
@@ -52,8 +52,8 @@ extern int h_errno;
#ifndef LDAP_R_COMPILE
# undef HAVE_REENTRANT_FUNCTIONS
@ -18,7 +21,7 @@ diff -up openldap-2.4.11/libraries/libldap/util-int.c.patch7 openldap-2.4.11/lib
#else
# include <ldap_pvt_thread.h>
@@ -110,7 +110,7 @@ char *ldap_pvt_ctime( const time_t *tp,
@@ -330,7 +330,7 @@ ldap_pvt_csnstr(char *buf, size_t len, u
#define BUFSTART (1024-32)
#define BUFMAX (32*1024-32)


@ -0,0 +1,17 @@
Build slapd as position-independent executable (PIE) to take an advantage of
address space layout randomization (ASLD).
Author: Thomas Woerner <twoerner@redhat.com>
diff -uNPrp openldap-2.4.23.old/servers/slapd/Makefile.in openldap-2.4.23.new/servers/slapd/Makefile.in
--- openldap-2.4.23.old/servers/slapd/Makefile.in 2010-04-13 22:23:09.000000000 +0200
+++ openldap-2.4.23.new/servers/slapd/Makefile.in 2010-08-24 15:09:08.999680712 +0200
@@ -266,7 +266,7 @@ libslapi.a: slapi/.libs/libslapi.a
cp slapi/.libs/libslapi.a .
slapd: $(SLAPD_DEPENDS) @LIBSLAPI@
- $(LTLINK) -o $@ $(SLAPD_OBJECTS) $(LIBS) \
+ $(LTLINK) -pie -Wl,-z,defs -o $@ $(SLAPD_OBJECTS) $(LIBS) \
$(WRAP_LIBS)
$(RM) $(SLAPTOOLS)
for i in $(SLAPTOOLS); do \
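Review bot: The header of this patch names the mitigation "ASLD", which should read "ASLR", and the hardening it applies in the `slapd:` rule is link-time only. `-pie` on the `$(LTLINK)` line produces a position-independent executable only if the objects were compiled with `-fPIE`/`-fPIC`; that is presumably done through the build flags in the spec file, but it is not visible here and the header should say so. While touching this line I would also make the GOT read-only after relocation: `$(LTLINK) -pie -Wl,-z,defs -Wl,-z,relro -Wl,-z,now -o $@ $(SLAPD_OBJECTS) $(LIBS) \`. The recipe of the `slapd` target continues past the end of the hunk.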


@ -1,6 +1,8 @@
diff -up openldap-2.4.11/servers/slapd/slapd.conf.config openldap-2.4.11/servers/slapd/slapd.conf
--- openldap-2.4.11/servers/slapd/slapd.conf.config 2007-02-13 21:22:22.000000000 +0100
+++ openldap-2.4.11/servers/slapd/slapd.conf 2008-10-09 16:13:52.000000000 +0200
Updates initial slapd configuration.
diff -urNPp openldap-2.4.23.old/servers/slapd/slapd.conf openldap-2.4.23.new/servers/slapd/slapd.conf
--- openldap-2.4.23.old/servers/slapd/slapd.conf 2007-02-13 21:22:22.000000000 +0100
+++ openldap-2.4.23.new/servers/slapd/slapd.conf 2010-08-19 15:45:05.835681213 +0200
@@ -2,22 +2,57 @@
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.


@ -1,21 +1,24 @@
Compile smbk5pwd together with other overlays.
diff -up openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README.patch8 openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README
--- openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README.patch8 2005-11-12 16:18:09.000000000 +0100
+++ openldap-2.4.11/contrib/slapd-modules/smbk5pwd/README 2008-09-01 09:57:09.000000000 +0200
Resolves: 550895
Author: Jan Šafránek <jsafrane@redhat.com>
diff -urNPp openldap-2.4.23.old/contrib/slapd-modules/smbk5pwd/README openldap-2.4.23.new/contrib/slapd-modules/smbk5pwd/README
--- openldap-2.4.23.old/contrib/slapd-modules/smbk5pwd/README 2010-04-13 22:22:30.000000000 +0200
+++ openldap-2.4.23.new/contrib/slapd-modules/smbk5pwd/README 2010-08-23 13:20:33.338687818 +0200
@@ -1,3 +1,8 @@
+***************************************************************
+*******************************************************
+Red Hat note: Kerberos support is NOT compiled into
+this version of smbk5pwd because we do not use Heimdall.
+***************************************************************
+this version of smbk5pwd because we do not use Heimdal.
+*******************************************************
+
This directory contains a slapd overlay, smbk5pwd, that extends the
PasswordModify Extended Operation to update Kerberos keys and Samba
password hashes for an LDAP user.
diff -up openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 openldap-2.4.11/servers/slapd/overlays/Makefile.in
--- openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 2008-02-12 00:26:48.000000000 +0100
+++ openldap-2.4.11/servers/slapd/overlays/Makefile.in 2008-09-01 09:57:09.000000000 +0200
@@ -30,7 +30,8 @@ SRCS = overlays.c \
diff -urNPp openldap-2.4.23.old/servers/slapd/overlays/Makefile.in openldap-2.4.23.new/servers/slapd/overlays/Makefile.in
--- openldap-2.4.23.old/servers/slapd/overlays/Makefile.in 2010-04-13 22:23:44.000000000 +0200
+++ openldap-2.4.23.new/servers/slapd/overlays/Makefile.in 2010-08-23 13:20:33.338687818 +0200
@@ -33,7 +33,8 @@ SRCS = overlays.c \
syncprov.c \
translucent.c \
unique.c \
@ -25,7 +28,7 @@ diff -up openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 openldap-2.4.
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -43,14 +44,14 @@ LTONLY_MOD = $(LTONLY_mod)
@@ -46,14 +47,14 @@ LTONLY_MOD = $(LTONLY_mod)
LDAP_INCDIR= ../../../include
LDAP_LIBDIR= ../../../libraries
@ -42,7 +45,7 @@ diff -up openldap-2.4.11/servers/slapd/overlays/Makefile.in.patch8 openldap-2.4.
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -113,6 +114,9 @@ unique.la : unique.lo
@@ -125,6 +126,9 @@ unique.la : unique.lo
valsort.la : valsort.lo
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)


@ -0,0 +1,15 @@
Removes unnecessary linking of SQL libraries into slapd. This makes openldap-servers package
independent on libodbc. (SQL backend is packaged separately in openldap-servers-sql.)
diff -uNPrp openldap-2.4.23.old/build/top.mk openldap-2.4.23.new/build/top.mk
--- openldap-2.4.23.old/build/top.mk 2010-04-13 22:22:22.000000000 +0200
+++ openldap-2.4.23.new/build/top.mk 2010-08-25 15:58:18.477648731 +0200
@@ -201,7 +201,7 @@ SLAPD_SQL_LDFLAGS = @SLAPD_SQL_LDFLAGS@
SLAPD_SQL_INCLUDES = @SLAPD_SQL_INCLUDES@
SLAPD_SQL_LIBS = @SLAPD_SQL_LIBS@
-SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SQL_LDFLAGS@ @SLAPD_SQL_LIBS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS)
+SLAPD_LIBS = @SLAPD_LIBS@ @SLAPD_PERL_LDFLAGS@ @SLAPD_SLP_LIBS@ @SLAPD_GMP_LIBS@ $(ICU_LIBS)
# Our Defaults
CC = $(AC_CC)


@ -0,0 +1,17 @@
Normally, skips reading of user configuration file when running with different effective UID.
This patch adds the same behavior for GID.
Author: Nalin Dahyabhai <nalin@redhat.com>
diff -uNPrp openldap-2.4.23.old/libraries/libldap/init.c openldap-2.4.23.new/libraries/libldap/init.c
--- openldap-2.4.23.old/libraries/libldap/init.c 2010-04-13 22:22:57.000000000 +0200
+++ openldap-2.4.23.new/libraries/libldap/init.c 2010-08-24 17:25:07.207682002 +0200
@@ -663,7 +663,7 @@ void ldap_int_initialize( struct ldapopt
openldap_ldap_init_w_sysconf(LDAP_CONF_FILE);
#ifdef HAVE_GETEUID
- if ( geteuid() != getuid() )
+ if ( geteuid() != getuid() || getegid() != getgid() )
return;
#endif
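Review bot: The added `getegid() != getgid()` test only detects a process whose real and effective IDs differ at the moment ldap_int_initialize() runs, and it sits under `#ifdef HAVE_GETEUID`, so it assumes getegid()/getgid() exist wherever geteuid() does. A set-ID program that has already made its IDs equal, or one started with file capabilities, would still fall through to the user-configuration code after the `#endif`. Where the C library provides it, the secure-execution flag set at exec time is a more complete signal, for example `if ( getauxval(AT_SECURE) ) return;`, with the uid/gid comparison kept as the fallback. The function starts and continues outside this hunk, so what is read after the guard (ldaprc files, environment variables) cannot be checked from here.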


@ -1,59 +1,52 @@
# We distribute own version of Berkeley DB to prevent
# problems on db4.rpm upgrade - some versions of db4 do
# not work with some versions of OpenLDAP.
%define db_version 4.8.26
# TODO: add make test after build
%define ldbm_backend berkeley
%define version 2.4.22
%define evolution_connector_prefix %{_libdir}/evolution-openldap
%define evolution_connector_includedir %{evolution_connector_prefix}/include
%define evolution_connector_libdir %{evolution_connector_prefix}/%{_lib}
Summary: LDAP support libraries
Name: openldap
Version: %{version}
Release: 7%{?dist}
License: OpenLDAP
Version: 2.4.23
Release: 1%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
Source1: http://download.oracle.com/berkeley-db/db-%{db_version}.tar.gz
Source3: README.migration
Source4: ldap.init
Source5: migration-tools.txt
Source6: autofs.schema
Source7: README.upgrading
Source9: README.evolution
Source10: ldap.sysconfig
# Patches for 2.4
Patch0: openldap-2.4.6-config.patch
Patch1: openldap-2.0.11-ldaprc.patch
Patch2: openldap-2.2.13-setugid.patch
Patch3: openldap-2.4.6-pie.patch
Patch4: openldap-2.3.11-toollinks.patch
Patch5: openldap-2.4.6-nosql.patch
Patch6: openldap-2.3.19-gethostbyXXXX_r.patch
Patch9: openldap-2.3.37-smbk5pwd.patch
Patch10: openldap-2.4.6-multilib.patch
Patch11: openldap-2.4.16-doc-cacertdir.patch
Patch12: openldap-2.4.21-dn2id-segfault.patch
Patch13: openldap-2.4.22-ldif_h.patch
Patch14: openldap-2.4.22-libldif.patch
Patch15: openldap-2.4.22-modrdn-segfault.patch
Patch16: openldap-2.4.23-selfsignedcacert.patch
Patch17: openldap-2.4.22-initauthtoken.patch
# Patches for the evolution library
Patch200: openldap-2.4.6-evolution-ntlm.patch
License: OpenLDAP
URL: http://www.openldap.org/
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: cyrus-sasl-devel >= 2.1, gdbm-devel, libtool >= 1.5.6-2, krb5-devel
BuildRequires: openssl-devel, pam-devel, perl, pkgconfig, tcp_wrappers-devel,
BuildRequires: unixODBC-devel, libtool-ltdl-devel, groff
BuildRequires: nss-devel
Requires: glibc >= 2.2.3-48, mktemp
Obsoletes: compat-openldap < 2.4
Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
Source1: ldap.init
Source2: ldap.sysconfig
Source3: autofs.schema
Source4: migration-tools.txt
Source5: README.migration
Source6: README.upgrading
Source7: README.evolution
# patches for 2.4
Patch0: openldap-slapd-conf.patch
Patch1: openldap-manpages.patch
Patch2: openldap-security-pie.patch
Patch3: openldap-sql-linking.patch
Patch4: openldap-reentrant-gethostby.patch
Patch5: openldap-export-ldif.patch
Patch6: openldap-smbk5pwd-overlay.patch
Patch7: openldap-ldaprc-currentdir.patch
Patch8: openldap-userconfig-setgid.patch
# already merged upstream
Patch100: openldap-nss-ca-selfsigned.patch
Patch101: openldap-nss-delay-token-auth.patch
# patches for the evolution library (see README.evolution)
Patch200: openldap-evolution-ntlm.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: cyrus-sasl-devel >= 2.1, nss-devel, krb5-devel, tcp_wrappers-devel, unixODBC-devel
BuildRequires: glibc-devel, libtool, libtool-ltdl-devel, groff, perl
# smbk5pwd overlay:
BuildRequires: openssl-devel
Obsoletes: compat-openldap < 2.4
# provide ldif2ldbm functionality for migrationtools
Provides: ldif2ldbm
@ -82,9 +75,12 @@ customized LDAP clients.
%package servers
Summary: LDAP server
# OpenLDAP server includes Berkeley DB library, which is licensed under Sleepycat and BSD licenses)
License: OpenLDAP and (Sleepycat and BSD)
Requires: fileutils, make, openldap = %{version}-%{release}, openssl, /usr/sbin/useradd, /usr/sbin/groupadd, /sbin/chkconfig, /sbin/runuser
License: OpenLDAP
Requires: openldap = %{version}-%{release}, openssl
Requires(pre): shadow-utils
Requires(post): chkconfig, /sbin/runuser, make
Requires(preun): chkconfig
BuildRequires: db4-devel >= 4.4, db4-devel <= 4.8
Group: System Environment/Daemons
%description servers
@ -124,101 +120,74 @@ over the Internet. The openldap-clients package contains the client
programs needed for accessing and modifying OpenLDAP directories.
%prep
%setup -q -c -a 1
%setup -q -c -a 0
# setup tree for openldap
pushd openldap-%{version}
%patch0 -p1 -b .config
%patch1 -p1 -b .ldaprc
%patch2 -p1 -b .setugid
%patch3 -p1 -b .pie
%patch4 -p1 -b .toollinks
%patch5 -p1 -b .nosql
%patch6 -p1 -b .gethostbyname_r
%patch9 -p1 -b .smbk5pwd
%patch10 -p1 -b .multilib
%patch11 -p1 -b .cacertdir
%patch12 -p1 -b .segfault
%patch13 -p1 -b .ldif_h
%patch14 -p1 -b .libldif
%patch15 -p1 -b .modrdn-segfault
%patch16 -p1 -b .selfsignedcacert
%patch17 -p1 -b .initauthtoken
%patch1 -p1 -b .manpages
%patch2 -p1 -b .security-pie
%patch3 -p1 -b .sql-linking
%patch4 -p1 -b .reentrant-gethostby
%patch5 -p1 -b .export-ldif
%patch6 -p1 -b .smbk5pwd-overlay
%patch7 -p1 -b .ldaprc-currentdir
%patch8 -p1 -b .userconfig-setgid
%patch100 -p1 -b .nss-ca-selfsigned
%patch101 -p1 -b .nss-delay-token-auth
cp %{_datadir}/libtool/config/config.{sub,guess} build/
for subdir in build-servers build-clients ; do
mkdir $subdir
ln -s ../configure $subdir
done
# build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
popd
# Set up a build tree for a static version of libldap with the hooks for the
# non-standard NTLM bind type which is needed to connect to Win2k GC servers
# (Win2k3 supports SASL with DIGEST-MD5, so this shouldn't be needed for those
# servers, though as of version 1.4 the connector doesn't try SASL first).
# setup tree for openldap with evolution-specific patches
if ! cp -al openldap-%{version} evo-openldap-%{version} ; then
rm -fr evo-openldap-%{version}
cp -a openldap-%{version} evo-openldap-%{version}
rm -fr evo-openldap-%{version}
cp -a openldap-%{version} evo-openldap-%{version}
fi
pushd evo-openldap-%{version}
%patch200 -p1 -b .evolution-ntlm
popd
pushd openldap-%{version}
for subdir in build-servers build-clients ; do
mkdir $subdir
ln -s ../configure $subdir
done
# build smbk5pwd with other overlays
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
mv contrib/slapd-modules/smbk5pwd/README contrib/slapd-modules/smbk5pwd/README.smbk5pwd
popd
%build
dbdir=`pwd`/db-instroot
libtool='%{_bindir}/libtool'
tagname=CC; export tagname
export tagname=CC
%ifarch ia64
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -O0"
%endif
# Set CFLAGS to incorporate RPM_OPT_FLAGS.
CFLAGS="$RPM_OPT_FLAGS -D_REENTRANT -fPIC"; export CFLAGS
# Build Berkeley DB and install it into a temporary area, isolating OpenLDAP
# from any future changes to the system-wide Berkeley DB library. Version 4.2
# or later is required by the BDB backend in OpenLDAP 2.1 and later.
install -d db-%{db_version}/build-rpm
pushd db-%{db_version}/build-rpm
../dist/configure -C \
--with-pic \
--disable-static \
--enable-shared \
--with-uniquename=_openldap_slapd_46 \
--prefix=${dbdir} \
--includedir=${dbdir}/include \
--libdir=${dbdir}/%{_lib}${subdir:+/${subdir}}
# fix libtool: no rpath
perl -pi -e 's|hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=\"-L\\\$libdir\"|g;' libtool
make %{_smp_mflags} libdb_base=libslapd_db libso_base=libslapd_db
make install libdb_base=libslapd_db libso_base=libslapd_db strip="false"
ln -sf libslapd_db.so ${dbdir}/%{_lib}/${subdir}/libdb.so
popd
export CPPFLAGS="-I${dbdir}/include -I%_includedir/nss3 -I%_includedir/nspr4"
export CFLAGS="$CPPFLAGS $RPM_OPT_FLAGS -D_REENTRANT -DLDAP_CONNECTIONLESS -fPIC -D_GNU_SOURCE -DHAVE_TLS -DHAVE_MOZNSS -DSLAPD_LMHASH"
export LDFLAGS="-L${dbdir}/%{_lib}"
export LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}
MOZNSS_TLS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
export LIBS="$MOZNSS_TLS_LIBS"
export CPPFLAGS="-I%_includedir/nss3 -I%_includedir/nspr4"
export CFLAGS="$RPM_OPT_FLAGS $CPPFLAGS -fPIC -D_REENTRANT -DLDAP_CONNECTIONLESS -D_GNU_SOURCE -DHAVE_TLS -DHAVE_MOZNSS -DSLAPD_LMHASH"
export NSS_LIBS="-lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4"
export LIBS=""
build() {
%configure \
--with-threads=posix \
\
--enable-local --enable-rlookups \
--enable-local \
--enable-rlookups \
\
--with-tls=no \
--with-cyrus-sasl \
\
--enable-wrappers \
--with-wrappers \
\
--enable-passwd \
\
@ -231,24 +200,27 @@ build() {
\
--libexecdir=%{_libdir} \
$@
# HACK HACK HACK
# openldap uses #include <nss/somemoznssfile.h>
# this doesn't work on fedora and similar which uses /usr/include/nss3
# so we have to fake it out
# allow #include <nss/file.h> and <nspr/file.h>
pushd include
if [ ! -d nss ] ; then
ln -s %_includedir/nss3 nss
ln -s %{_includedir}/nss3 nss
fi
if [ ! -d nspr ] ; then
ln -s %_includedir/nspr4 nspr
ln -s %{_includedir}/nspr4 nspr
fi
popd
make %{_smp_mflags} LIBTOOL="$libtool"
}
# Build the servers with Kerberos support (for password checking, mainly).
LIBS="$LIBS -lpthread"; export LIBS
LD_LIBRARY_PATH=${dbdir}/%{_lib}${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}; export LD_LIBRARY_PATH
# Kerberos support:
# - enabled in server (mainly for password checking)
# - disabled in clients (not needed, to avoid stray dependencies)
# build servers
export LIBS="$NSS_LIBS -lpthread"
pushd openldap-%{version}/build-servers
build \
--enable-plugins \
@ -273,12 +245,10 @@ build \
--disable-dynamic \
--with-kerberos=k5only \
--enable-overlays=mod
unset LIBS
popd
# Build clients without Kerberos password-checking support, which is only
# useful in the server anyway, to avoid stray dependencies.
export LIBS="$MOZNSS_TLS_LIBS"
# build clients
export LIBS="$NSS_LIBS"
pushd openldap-%{version}/build-clients
build \
--disable-slapd \
@ -288,8 +258,8 @@ build \
--with-pic
popd
# Build evolution-specific clients just as we would normal clients, except with
# a different installation directory in mind and no shared libraries.
# build evolution-specific clients
# (specific patch, different installation directory, no shared libraries)
pushd evo-openldap-%{version}
build \
--disable-slapd \
@ -303,224 +273,180 @@ build \
popd
%install
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
rm -rf %{buildroot}
libtool='%{_bindir}/libtool'
tagname=CC; export tagname
export tagname=CC
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/
pushd db-instroot/%{_lib}/
install -d $RPM_BUILD_ROOT/%{_libdir}/
install -m755 libslapd_db-*.*.so $RPM_BUILD_ROOT/%{_libdir}/
popd
pushd db-%{db_version}
mv LICENSE LICENSE.bdb-backend
popd
mkdir -p %{buildroot}/%{_libdir}/
# install servers
pushd openldap-%{version}/build-servers
make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} LIBTOOL="$libtool" STRIP=""
make install DESTDIR=%{buildroot} \
libdir=%{_libdir} \
LIBTOOL="$libtool" \
STRIP=""
popd
# Install the bdb maintenance tools.
pushd db-instroot/bin
for binary in db_* ; do
install -m755 ${binary} $RPM_BUILD_ROOT/%{_sbindir}/slapd_${binary}
done
popd
# Install clients and shared libraries. Install the evo-specific versions
# first so that any conflicting files are overwritten by generic versions.
# install evolution-specific clients (conflicting files will be overwriten by generic version)
pushd evo-openldap-%{version}
make install DESTDIR=$RPM_BUILD_ROOT \
make install DESTDIR=%{buildroot} \
includedir=%{evolution_connector_includedir} \
libdir=%{evolution_connector_libdir} \
LIBTOOL="$libtool" \
STRIP=""
install -m644 %SOURCE9 \
$RPM_BUILD_ROOT/%{evolution_connector_prefix}/
install -m 644 %SOURCE7 \
%{buildroot}/%{evolution_connector_prefix}/
popd
# install clients
pushd openldap-%{version}/build-clients
make install DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} LIBTOOL="$libtool" STRIP=""
make install DESTDIR=%{buildroot} \
libdir=%{_libdir} \
LIBTOOL="$libtool" \
STRIP=""
popd
# Create this directory so that authconfig setting TLS_CACERT to
# /etc/openldap/cacerts doesn't cause TLS startup of any kind to fail
# when the directory doesn't exist.
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/openldap/cacerts
# make sure the certs directory exists
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
# Touch the dummy slapd.pem to make rpmbuild happy
touch $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs/slapd.pem
# setup directories for TLS certificates
mkdir -p %{buildroot}%{_sysconfdir}/openldap/cacerts
mkdir -p %{buildroot}%{_sysconfdir}/pki/tls/certs
install -m 644 %SOURCE7 README.upgrading
install -m 644 %SOURCE3 README.migration
# install additional documentation
install -m 644 %SOURCE5 README.migration
install -m 644 %SOURCE6 README.upgrading
# Create the data directory.
mkdir -p $RPM_BUILD_ROOT/var/lib/ldap
# Create the new run directory
mkdir -p $RPM_BUILD_ROOT/var/run/openldap
# setup data and runtime directories
mkdir -p %{buildroot}/var/lib/ldap
mkdir -p %{buildroot}/var/run/openldap
# Hack the build root out of the default config files.
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/*.conf
# remove build root from config files and manual pages
perl -pi -e "s|%{buildroot}||g" %{buildroot}/%{_sysconfdir}/openldap/*.conf
perl -pi -e "s|%{buildroot}||g" %{buildroot}%{_mandir}/*/*.*
# Get the buildroot out of the man pages.
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/*/*.*
# we don't need the default files -- RPM handles changes
rm -f %{buildroot}/%{_sysconfdir}/openldap/*.default
rm -f %{buildroot}/%{_sysconfdir}/openldap/schema/*.default
# We don't need the default files -- RPM handles changes.
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/*.default
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/schema/*.default
# install an init script for the servers
mkdir -p %{buildroot}%{_sysconfdir}/rc.d/init.d
install -m 755 %SOURCE1 %{buildroot}%{_sysconfdir}/rc.d/init.d/slapd
# Install an init script for the servers.
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d
install -m 755 %SOURCE4 $RPM_BUILD_ROOT%{_sysconfdir}/rc.d/init.d/slapd
# install syconfig/ldap
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
install -m 644 %SOURCE2 %{buildroot}%{_sysconfdir}/sysconfig/ldap
# Install syconfig/ldap
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
install -m 644 %SOURCE10 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/ldap
# add some more schema for the sake of migration scripts
install -d -m755 %{buildroot}%{_sysconfdir}/openldap/schema/redhat
install -m644 %SOURCE3 \
%{buildroot}%{_sysconfdir}/openldap/schema/redhat/
# Add some more schema for the sake of migration scripts.
install -d -m755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat
install -m644 %SOURCE6 \
$RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/redhat/
# move slapd out of _libdir
mv %{buildroot}/%{_libdir}/slapd %{buildroot}/%{_sbindir}/
# Move slapd and slurpd out of _libdir
mv $RPM_BUILD_ROOT/%{_libdir}/slapd $RPM_BUILD_ROOT/%{_sbindir}/
rm -f $RPM_BUILD_ROOT/%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
rm -f $RPM_BUILD_ROOT/%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
for X in acl add auth cat dn index passwd test schema; do ln -s slapd $RPM_BUILD_ROOT/%{_sbindir}/slap$X ; done
# setup tools as symlinks to slapd
rm -f %{buildroot}/%{_sbindir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
rm -f %{buildroot}/%{_libdir}/slap{acl,add,auth,cat,dn,index,passwd,test,schema}
for X in acl add auth cat dn index passwd test schema; do ln -s slapd %{buildroot}/%{_sbindir}/slap$X ; done
# Tweak permissions on the libraries to make sure they're correct.
chmod 755 $RPM_BUILD_ROOT/%{_libdir}/lib*.so*
chmod 644 $RPM_BUILD_ROOT/%{_libdir}/lib*.*a
# tweak permissions on the libraries to make sure they're correct
chmod 755 %{buildroot}/%{_libdir}/lib*.so*
chmod 644 %{buildroot}/%{_libdir}/lib*.*a
# slapd.conf(5) is obsoleted since 2.3, see slapd-config(5)
# new configuration will be generated in %post
mkdir -p $RPM_BUILD_ROOT/%{_datadir}/openldap-servers
mkdir $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.d
mv $RPM_BUILD_ROOT/%{_sysconfdir}/openldap/slapd.conf $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete
chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/slapd.conf.obsolete
mkdir -p %{buildroot}/%{_datadir}/openldap-servers
mkdir %{buildroot}/%{_sysconfdir}/openldap/slapd.d
mv %{buildroot}/%{_sysconfdir}/openldap/slapd.conf %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete
chmod 0644 %{buildroot}/%{_datadir}/openldap-servers/slapd.conf.obsolete
# Move doc files out of _sysconfdir
mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/README README.schema
mv $RPM_BUILD_ROOT%{_sysconfdir}/openldap/DB_CONFIG.example $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example
# move doc files out of _sysconfdir
mv %{buildroot}%{_sysconfdir}/openldap/schema/README README.schema
mv %{buildroot}%{_sysconfdir}/openldap/DB_CONFIG.example %{buildroot}/%{_datadir}/openldap-servers/DB_CONFIG.example
chmod 0644 openldap-%{version}/servers/slapd/back-sql/rdbms_depend/timesten/*.sh
chmod 0644 $RPM_BUILD_ROOT/%{_datadir}/openldap-servers/DB_CONFIG.example
chmod 0644 %{buildroot}/%{_datadir}/openldap-servers/DB_CONFIG.example
# Remove files which we don't want packaged.
rm -f $RPM_BUILD_ROOT/%{_libdir}/*.la
rm -f $RPM_BUILD_ROOT/%{_libdir}/*.a
rm -f $RPM_BUILD_ROOT/%{evolution_connector_libdir}/*.la
rm -f $RPM_BUILD_ROOT/%{evolution_connector_libdir}/*.so*
rm -f $RPM_BUILD_ROOT/%{_libdir}/openldap/*.a
rm -f $RPM_BUILD_ROOT/%{_libdir}/openldap/*.so
# remove files which we don't want packaged
rm -f %{buildroot}/%{_libdir}/*.la
rm -f %{buildroot}/%{_libdir}/*.a
rm -f %{buildroot}/%{evolution_connector_libdir}/*.la
rm -f %{buildroot}/%{evolution_connector_libdir}/*.so*
rm -f %{buildroot}/%{_libdir}/openldap/*.a
rm -f %{buildroot}/%{_libdir}/openldap/*.so
rm -f $RPM_BUILD_ROOT%{_localstatedir}/openldap-data/DB_CONFIG.example
rmdir $RPM_BUILD_ROOT%{_localstatedir}/openldap-data
rm -f %{buildroot}%{_localstatedir}/openldap-data/DB_CONFIG.example
rmdir %{buildroot}%{_localstatedir}/openldap-data
%clean
rm -rf $RPM_BUILD_ROOT
rm -rf %{buildroot}
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%pre servers
# Take care to only do ownership-changing if we're adding the user.
getent group ldap > /dev/null || \
/usr/sbin/groupadd -r -g 55 ldap
if /usr/sbin/useradd -c "LDAP User" -u 55 -g ldap \
-s /sbin/nologin -r -d /var/lib/ldap ldap 2> /dev/null ; then
if [ -d /var/lib/ldap ] ; then
for dbfile in /var/lib/ldap/* ; do
if [ -f $dbfile ] ; then
chown ldap:ldap $dbfile
fi
done
fi
# create ldap user and group
getent group ldap >/dev/null || groupadd -r -g 55 ldap
if ! getent passwd ldap >/dev/null; then
useradd -r -g ldap -u 55 -d %{_sharedstatedir}/ldap -s /sbin/nologin -c "LDAP User" ldap
# setup ownership of database files
if [ -d /var/lib/ldap ] ; then
for dbfile in /var/lib/ldap/* ; do
if [ -f $dbfile ] ; then
chown ldap:ldap $dbfile
fi
done
fi
fi
if [ "$1" = "2" ]; then
# guess, if database upgrade is necessary
OLD_BDB_VERSION=$( slapd_db_upgrade -V | sed 's/.* \([0-9\.]*\)\.[0-9]*:.*/\1/' )
NEW_BDB_VERSION=$( echo %{db_version} | sed 's/.[0-9]*$//' )
# upgrade
if [ $1 -eq 2 ]; then
# safe way to migrate the database if minor version number changed (2.x -> 2.y)
# http://www.openldap.org/doc/admin24/maintenance.html
OLD_SLAPD_VERSION=$( rpm -q --qf "%{VERSION}" openldap-servers | sed 's/\.[0-9]*$//' )
NEW_SLAPD_VERSION=$( echo %{version} | sed 's/\.[0-9]*$//' )
# we need to detect how is the init script named
# - in older versions ldap
# - in newer versions slapd
if [ -f %{_initrddir}/ldap ]; then
SERVICE_NAME=ldap
elif [ -f %{_initrddir}/slapd ]; then
SERVICE_NAME=slapd
fi
old_version=$(rpm -q --qf=%%{version} openldap-servers | sed 's/\.[0-9]*$//')
new_version=$(sed 's/\.[0-9]*$//' <<< %{version})
if [ "$OLD_SLAPD_VERSION" != "$NEW_SLAPD_VERSION" ]; then
# Minor version number has changed -> slapcat/slapadd of the BDB database
# is necessary. Save an ldif of the database where the "% post servers"
# scriptlet can restore it. Also save the database files to a "rpmorig"
# directory - Just In Case (TM)
if [ "$old_version" != "$new_version" ]; then
pushd %{_sharedstatedir}/ldap
# stop the server
if /sbin/service $SERVICE_NAME status &>/dev/null; then
touch /var/lib/ldap/need_start
/sbin/service $SERVICE_NAME stop &>/dev/null
fi
# stop the service
if service slapd status &>/dev/null; then
touch need_start
service slapd stop
else
rm -f need_start
fi
files=$(echo /var/lib/ldap/{log.*,__db.*,[a]lock})
if [ "$files" != '/var/lib/ldap/log.* /var/lib/ldap/__db.* /var/lib/ldap/[a]lock' ] ; then
if /usr/sbin/slapcat -l /var/lib/ldap/upgrade.ldif > /dev/null 2>&1 ; then
if [ -f /var/lib/ldap/upgrade.ldif ] ; then
/bin/rm -fr /var/lib/ldap/rpmorig > /dev/null 2>&1 || :
mkdir /var/lib/ldap/rpmorig
mv /var/lib/ldap/{alock,*.bdb,__db.*,log.*} /var/lib/ldap/rpmorig > /dev/null 2>&1 || :
cp -f /var/lib/ldap/DB_CONFIG /var/lib/ldap/rpmorig > /dev/null 2>&1 || :
else
/bin/rm -f /var/lib/ldap/upgrade.ldif
fi
fi
fi
else
if [ "$OLD_BDB_VERSION" != "$NEW_BDB_VERSION" ]; then
# Minor version number of bdb has changed -> run db_upgrade in % post script
# stop the server
if /sbin/service $SERVICE_NAME status &>/dev/null; then
touch /var/lib/ldap/need_start
/sbin/service $SERVICE_NAME stop &>/dev/null
fi
if ls __db.* &>/dev/null; then
# export the database
if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
slapcat -f %{_sysconfdir}/openldap/slapd.conf -l upgrade.ldif &>/dev/null
else
slapcat -F %{_sysconfdir}/openldap/slapd.d -l upgrade.ldif &>/dev/null
fi
# Ensure, that the database is correct
/sbin/runuser -m -s /usr/sbin/slapd_db_recover -- "ldap" -h /var/lib/ldap &>/dev/null
# Just create /var/lib/ldap/need_db_upgrade so % post knows
touch /var/lib/ldap/need_db_upgrade &>/dev/null
fi
fi
# backup the old database
if [ $? -eq 0 ]; then
rm -rf rpmorig
mv alock *.bdb __db.* log.* rpmorig &>/dev/null || :
cp -f rpmorig/DB_CONFIG . &>/dev/null || :
else
rm -f upgrade.ldif
fi
fi
popd
fi
fi
exit 0
%post servers
/sbin/ldconfig
/sbin/chkconfig --add slapd
# If there's a /var/lib/ldap/upgrade.ldif file, slapadd it and delete it.
# It was created by the % pre above.
if [ -f /var/lib/ldap/upgrade.ldif ] ; then
/sbin/runuser -m -s /usr/sbin/slapadd -- "ldap" -l /var/lib/ldap/upgrade.ldif > /dev/null 2>&1
rm -f /var/lib/ldap/upgrade.ldif
fi
# If there's a /var/lib/ldap/need_db_upgrade file, run db_upgrade and delete it.
# It was created by the % pre above.
if [ -f /var/lib/ldap/need_db_upgrade ]; then
if ls /var/lib/ldap/*.bdb > /dev/null 2>&1; then
/sbin/runuser -m -s /usr/sbin/slapd_db_upgrade -- "ldap" -h /var/lib/ldap /var/lib/ldap/*.bdb
fi
/sbin/runuser -m -s /usr/sbin/slapd_db_checkpoint -- "ldap" -h /var/lib/ldap -1
rm -f /var/lib/ldap/need_db_upgrade
fi
# generate sample TLS certificates
if [ ! -f %{_sysconfdir}/pki/tls/certs/slapd.pem ] ; then
pushd %{_sysconfdir}/pki/tls/certs > /dev/null 2>&1
umask 077
@ -538,18 +464,20 @@ chmod 640 slapd.pem
popd
fi
if [ `find %{_sysconfdir}/openldap/slapd.d -maxdepth 0 -empty | wc -l` = "1" ]; then
# configuration in slapd.d not available
# generate configuration in slapd.d
if ! ls -d %{_sysconfdir}/openldap/slapd.d/* &>/dev/null; then
# fresh installation
[ ! -f %{_sysconfdir}/openldap/slapd.conf ]
fresh_install=$?
[ $fresh_install -eq 0 ] && \
cp %{_datadir}/openldap-servers/slapd.conf.obsolete %{_sysconfdir}/openldap/slapd.conf
# convert from old style config slapd.conf
mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
mkdir -p %{_sysconfdir}/openldap/slapd.d/
lines=`egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1`
lines=$(egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1)
lines=$(($lines-1))
head -n $lines %{_sysconfdir}/openldap/slapd.conf.bak > %{_sysconfdir}/openldap/slapd.conf
cat >> %{_sysconfdir}/openldap/slapd.conf << EOF
@ -557,7 +485,7 @@ database config
rootdn "cn=admin,cn=config"
#rootpw secret
EOF
lines_r=`wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" "`
lines_r=$(wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" ")
lines_r=$(($lines_r-$lines))
tail -n $lines_r %{_sysconfdir}/openldap/slapd.conf.bak >> %{_sysconfdir}/openldap/slapd.conf
slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2> /dev/null
@ -570,26 +498,31 @@ EOF
[ $fresh_install -eq 0 ] && rm -f %{_sysconfdir}/openldap/slapd.conf.bak
fi
if [ $1 -ge 1 ] ; then
/sbin/service slapd condrestart &>/dev/null
/sbin/service slapd status &>/dev/null
if [ "$?" != "0" -a -f /var/lib/ldap/need_start ]; then
/sbin/service slapd start &>/dev/null
rm -f /var/lib/ldap/need_start &>/dev/null
fi
# finish database migration (see %pre)
if [ -f %{_sharedstatedir}/ldap/upgrade.ldif ]; then
runuser -m -s /usr/sbin/slapadd -- ldap -l %{_sharedstatedir}/ldap/upgrade.ldif &>/dev/null
rm -f %{_sharedstatedir}/ldap/upgrade.ldif
fi
# restart after upgrade
if [ $1 -ge 1 ]; then
if [ -f %{_sharedstatedir}/ldap/need_start ]; then
service slapd start
rm -f %{_sharedstatedir}/ldap/need_start
else
/sbin/service slapd condrestart
fi
fi
exit 0
%preun servers
if [ "$1" = "0" ] ; then
/sbin/service slapd stop > /dev/null 2>&1 || :
/sbin/chkconfig --del slapd
# Openldap-servers are being removed from system.
# Do not touch the database! Older versions of this
# package attempted to store database in LDIF format, so
# it can be restored later - but it's up to the administrator
# to save the database, if he/she wants so.
if [ $1 -eq 0 ] ; then
/sbin/service slapd stop > /dev/null 2>&1 || :
/sbin/chkconfig --del slapd
# openldap-servers are being removed from system
# do not touch the database!
fi
%postun servers
@ -599,6 +532,58 @@ fi
%postun devel -p /sbin/ldconfig
%triggerin servers -- db4
# db4 upgrade (see %triggerun)
if [ $2 -eq 2 ]; then
pushd %{_sharedstatedir}/ldap
# we are interested in minor version changes (both versions of db4 are installed at this moment)
if [ "$(rpm -q --qf="%%{version}\n" db4 | sed 's/\.[0-9]*$//' | sort -u | wc -l)" != "1" ]; then
# stop the service
if service slapd status &>/dev/null; then
touch need_start
service slapd stop
fi
# ensure the database is consistent
runuser -m -s /usr/sbin/db_recover -- "ldap" -h %{_sharedstatedir}/ldap &>/dev/null
# upgrade will be performed after removing old db4
touch upgrade_db4
else
rm -f upgrade_db4
fi
popd
fi
exit 0
%triggerun servers -- db4
# db4 upgrade (see %triggerin)
if [ -f %{_sharedstatedir}/ldap/upgrade_db4 ]; then
pushd %{_sharedstatedir}/ldap
# perform the upgrade
if ls *.bdb &>/dev/null; then
runuser -m -s /usr/bin/db_upgrade -- "ldap" -h %{_sharedstatedir}/ldap %{_sharedstatedir}/ldap/*.bdb
runuser -m -s /usr/bin/db_checkpoint -- "ldap" -h %{_sharedstatedir}/ldap -1
fi
# start the service
if [ -f need_start ]; then
service slapd start
rm -f need_start
fi
rm -f upgrade_db4
popd
fi
exit 0
%files
%defattr(-,root,root)
%doc openldap-%{version}/ANNOUNCEMENT
@ -618,14 +603,13 @@ fi
%files servers
%defattr(-,root,root)
%doc db-%{db_version}/LICENSE.bdb-backend
%doc README.upgrading
%doc README.migration
%doc openldap-%{version}/contrib/slapd-modules/smbk5pwd/README.smbk5pwd
%doc openldap-%{version}/doc/guide/admin/*.html
%doc openldap-%{version}/doc/guide/admin/*.png
%doc README.schema
%ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem
%attr(0640,root,ldap) %ghost %config(noreplace) %{_sysconfdir}/pki/tls/certs/slapd.pem
%attr(0755,root,root) %{_sysconfdir}/rc.d/init.d/slapd
%attr(0750,ldap,ldap) %dir %config(noreplace) %{_sysconfdir}/openldap/slapd.d
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/ldap
@ -640,7 +624,6 @@ fi
%attr(0644,root,root) %{_mandir}/man5/slapo-*.5*
%attr(0700,ldap,ldap) %dir /var/lib/ldap
%attr(0755,ldap,ldap) %dir /var/run/openldap
%attr(0755,root,root) %{_libdir}/libslapd_db-*.*.so
%attr(0755,root,root) %dir %{_libdir}/openldap
%attr(0755,root,root) %{_libdir}/openldap/[^b]*
%attr(0755,root,root) %dir %{_datadir}/openldap-servers
@ -675,6 +658,11 @@ fi
%attr(0644,root,root) %{evolution_connector_libdir}/*.a
%changelog
* Fri Aug 27 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.23-1
- rebase to 2.4.23
- embeded db4 library removed
- removed bogus links in "SEE ALSO" in several man-pages (#624616)
* Thu Jul 22 2010 Jan Vcelak <jvcelak@redhat.com> 2.4.22-7
- Mozilla NSS - delay token auth until needed (#616552)
- Mozilla NSS - support use of self signed CA certs as server certs (#614545)
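Review bot: In the new `%pre servers` upgrade branch, the backup step runs `rm -rf rpmorig` and then `mv alock *.bdb __db.* log.* rpmorig` without recreating the directory, so the move fails and `&>/dev/null || :` hides the failure. The following `cp -f rpmorig/DB_CONFIG .` also copies in the opposite direction from the backup it is meant to make. If the relative-path lines are indeed the new side (the page has lost the `+`/`-` markers), the old database files stay in place and `%post servers` then runs `slapadd` from `upgrade.ldif` on top of them rather than into an emptied directory. Recreate the directory and copy into it, `rm -rf rpmorig && mkdir rpmorig` followed by `cp -f DB_CONFIG rpmorig/`, and remove `upgrade.ldif` if the move did not succeed, so that `%post` does not import over the old files.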