import openldap-2.6.2-3.el9

i9c changed/i9c/openldap-2.6.2-3.el9
MSVSphere Packaging Team 2 years ago
commit de79a9c779

2
.gitignore vendored

@ -0,0 +1,2 @@
SOURCES/openldap-2.6.2.tgz
SOURCES/openldap-ppolicy-check-password-1.1.tar.gz

@ -0,0 +1,2 @@
478066b34ac4e04ecabba11a5675f6c688b360fb SOURCES/openldap-2.6.2.tgz
d9f2c30aa3ec5760d4eb5923f461ca8eed92703d SOURCES/openldap-ppolicy-check-password-1.1.tar.gz

@ -0,0 +1,30 @@
You have upgraded your openldap-servers package.
Any major version upgrade can cause database corruption or loss.
Please, make sure that you have up-to-date back up and read this document carefully.
It's still recommended to do the backup even on the minor version upgrade.
Please, review the next links before performing any action:
Upgrading from 2.4.x - https://www.openldap.org/doc/admin25/appendix-upgrading.html
Upgrading from 2.5.x - https://www.openldap.org/doc/admin26/appendix-upgrading.html
The normal upgrade procedure - https://www.openldap.org/doc/admin26/maintenance.html
Additionally, please, review and perform the following steps that can help you with the upgrade:
1. Back up both data and configuration directories into a safe place;
2. Export data to an LDIF file using slapcat;
a. If you have the deprecated DB type and you haven't performed the slapcat command, you need to move your data and configuration to the system with OpenLDAP 2.4 version and run slapcat command there;
3. Change the server's configuration according to the changes in the above documents;
a. If you are replacing the BDB/HDB with MDB, make sure to replace the BDB/HDB sections with their MDB counterparts;
4. Clear out the current data directory;
5. Import data to a new database from the LDIF file using slapadd;
6. Make sure that your data is intact.
After you have completed the above operations, you can remove this file (/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS) and start the server:
systemctl start slapd.service
Be careful with this document's procedure, make sure you understand it, and test it in a non-production environment first. Always make sure that all backups are in place.
You have been warned about the possibility of data corruption or loss.

@ -0,0 +1,58 @@
diff --git a/Makefile b/Makefile
index 4457bad..91de40b 100644
--- a/Makefile
+++ b/Makefile
@@ -13,17 +13,10 @@ CRACKLIB=/usr/share/cracklib/pw_dict
#
CONFIG=/etc/openldap/check_password.conf
-
-# Where to find the OpenLDAP headers.
-#
-LDAP_INC=-I/usr/include/openldap/include \
- -I/usr/include/openldap/servers/slapd
-
-# Where to find the CrackLib headers.
-#
-CRACK_INC=
-
-INCS=$(LDAP_INC) $(CRACK_INC)
+CFLAGS+=-fpic \
+ -DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\"" \
+ -DCONFIG_FILE="\"$(CONFIG)\"" \
+ -DDEBUG
LDAP_LIB=-lldap_r -llber
@@ -33,27 +26,21 @@ LDAP_LIB=-lldap_r -llber
#
CRACKLIB_LIB=-lcrack
-CC_FLAGS=-g -O2 -Wall -fpic
-CRACKLIB_OPT=-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""
-DEBUG_OPT=-DDEBUG
-CONFIG_OPT=-DCONFIG_FILE="\"$(CONFIG)\""
-
-OPT=$(CC_FLAGS) $(CRACKLIB_OPT) $(CONFIG_OPT) $(DEBUG_OPT)
-
LIBS=$(LDAP_LIB) $(CRACKLIB_LIB)
LIBDIR=/usr/lib/openldap/
+
all: check_password
check_password.o:
- $(CC) $(OPT) -c $(INCS) check_password.c
+ $(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
check_password: clean check_password.o
- $(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ $(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
install: check_password
- cp -f check_password.so $(LIBDIR)
+ cp -f check_password.so ../../../usr/lib/openldap/modules/
clean:
$(RM) check_password.o check_password.so check_password.lo

@ -0,0 +1,321 @@
--- a/check_password.c 2009-10-31 18:59:06.000000000 +0100
+++ b/check_password.c 2014-12-17 12:25:00.148900907 +0100
@@ -10,7 +10,7 @@
#include <slap.h>
#ifdef HAVE_CRACKLIB
-#include "crack.h"
+#include <crack.h>
#endif
#if defined(DEBUG)
@@ -34,18 +34,77 @@
#define PASSWORD_TOO_SHORT_SZ \
"Password for dn=\"%s\" is too short (%d/6)"
#define PASSWORD_QUALITY_SZ \
- "Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
+ "Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
#define BAD_PASSWORD_SZ \
"Bad password for dn=\"%s\" because %s"
+#define UNKNOWN_ERROR_SZ \
+ "An unknown error occurred, please see your systems administrator"
typedef int (*validator) (char*);
-static int read_config_file (char *);
+static int read_config_file ();
static validator valid_word (char *);
static int set_quality (char *);
static int set_cracklib (char *);
int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+struct config_entry {
+ char* key;
+ char* value;
+ char* def_value;
+} config_entries[] = { { "minPoints", NULL, "3"},
+ { "useCracklib", NULL, "1"},
+ { "minUpper", NULL, "0"},
+ { "minLower", NULL, "0"},
+ { "minDigit", NULL, "0"},
+ { "minPunct", NULL, "0"},
+ { NULL, NULL, NULL }};
+
+int get_config_entry_int(char* entry) {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ char* key = centry[i].key;
+ while (key != NULL) {
+ if ( strncmp(key, entry, strlen(key)) == 0 ) {
+ if ( centry[i].value == NULL ) {
+ return atoi(centry[i].def_value);
+ }
+ else {
+ return atoi(centry[i].value);
+ }
+ }
+ i++;
+ key = centry[i].key;
+ }
+
+ return -1;
+}
+
+void dealloc_config_entries() {
+ struct config_entry* centry = config_entries;
+
+ int i = 0;
+ while (centry[i].key != NULL) {
+ if ( centry[i].value != NULL ) {
+ ber_memfree(centry[i].value);
+ }
+ i++;
+ }
+}
+
+char* chomp(char *s)
+{
+ char* t = ber_memalloc(strlen(s)+1);
+ strncpy (t,s,strlen(s)+1);
+
+ if ( t[strlen(t)-1] == '\n' ) {
+ t[strlen(t)-1] = '\0';
+ }
+
+ return t;
+}
+
static int set_quality (char *value)
{
#if defined(DEBUG)
@@ -84,12 +143,12 @@
char * parameter;
validator dealer;
} list[] = { { "minPoints", set_quality },
- { "useCracklib", set_cracklib },
- { "minUpper", set_digit },
- { "minLower", set_digit },
- { "minDigit", set_digit },
- { "minPunct", set_digit },
- { NULL, NULL } };
+ { "useCracklib", set_cracklib },
+ { "minUpper", set_digit },
+ { "minLower", set_digit },
+ { "minDigit", set_digit },
+ { "minPunct", set_digit },
+ { NULL, NULL } };
int index = 0;
#if defined(DEBUG)
@@ -98,7 +157,7 @@
while (list[index].parameter != NULL) {
if (strlen(word) == strlen(list[index].parameter) &&
- strcmp(list[index].parameter, word) == 0) {
+ strcmp(list[index].parameter, word) == 0) {
#if defined(DEBUG)
syslog(LOG_NOTICE, "check_password: Parameter accepted.");
#endif
@@ -114,13 +173,15 @@
return NULL;
}
-static int read_config_file (char *keyWord)
+static int read_config_file ()
{
FILE * config;
char * line;
int returnValue = -1;
- if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
+ line = ber_memcalloc(260, sizeof(char));
+
+ if ( line == NULL ) {
return returnValue;
}
@@ -133,6 +194,8 @@
return returnValue;
}
+ returnValue = 0;
+
while (fgets(line, 256, config) != NULL) {
char *start = line;
char *word, *value;
@@ -145,23 +208,40 @@
while (isspace(*start) && isascii(*start)) start++;
- if (! isascii(*start))
+ /* If we've got punctuation, just skip the line. */
+ if ( ispunct(*start)) {
+#if defined(DEBUG)
+ /* Debug traces to syslog. */
+ syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
+#endif
continue;
+ }
- if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
- if ((value = strtok(NULL, " \t")) == NULL)
- continue;
+ if( isascii(*start)) {
+
+ struct config_entry* centry = config_entries;
+ int i = 0;
+ char* keyWord = centry[i].key;
+ if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
+ while ( keyWord != NULL ) {
+ if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
#if defined(DEBUG)
- syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
#endif
- returnValue = (*dealer)(value);
+ centry[i].value = chomp(value);
+ break;
+ }
+ i++;
+ keyWord = centry[i].key;
+ }
+ }
}
}
-
fclose(config);
ber_memfree(line);
+
return returnValue;
}
@@ -170,7 +250,7 @@
if (curlen < nextlen + MEMORY_MARGIN) {
#if defined(DEBUG)
syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
- curlen, nextlen + MEMORY_MARGIN);
+ curlen, nextlen + MEMORY_MARGIN);
#endif
ber_memfree(*target);
curlen = nextlen + MEMORY_MARGIN;
@@ -180,7 +260,7 @@
return curlen;
}
- int
+int
check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
{
@@ -210,20 +290,22 @@
nLen = strlen (pPasswd);
if ( nLen < 6) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_TOO_SHORT_SZ) +
- strlen(pEntry->e_name.bv_val) + 1);
+ strlen(PASSWORD_TOO_SHORT_SZ) +
+ strlen(pEntry->e_name.bv_val) + 1);
sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
goto fail;
}
- /* Read config file */
- minQuality = read_config_file("minPoints");
+ if (read_config_file() == -1) {
+ syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
+ }
- useCracklib = read_config_file("useCracklib");
- minUpper = read_config_file("minUpper");
- minLower = read_config_file("minLower");
- minDigit = read_config_file("minDigit");
- minPunct = read_config_file("minPunct");
+ minQuality = get_config_entry_int("minPoints");
+ useCracklib = get_config_entry_int("useCracklib");
+ minUpper = get_config_entry_int("minUpper");
+ minLower = get_config_entry_int("minLower");
+ minDigit = get_config_entry_int("minDigit");
+ minPunct = get_config_entry_int("minPunct");
/** The password must have at least minQuality strength points with one
* point for the first occurrance of a lower, upper, digit and
@@ -232,8 +314,6 @@
for ( i = 0; i < nLen; i++ ) {
- if ( nQuality >= minQuality ) break;
-
if ( islower (pPasswd[i]) ) {
minLower--;
if ( !nLower && (minLower < 1)) {
@@ -279,12 +359,23 @@
}
}
- if ( nQuality < minQuality ) {
+ /*
+ * If you have a required field, then it should be required in the strength
+ * checks.
+ */
+
+ if (
+ (minLower > 0 ) ||
+ (minUpper > 0 ) ||
+ (minDigit > 0 ) ||
+ (minPunct > 0 ) ||
+ (nQuality < minQuality)
+ ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(PASSWORD_QUALITY_SZ) +
- strlen(pEntry->e_name.bv_val) + 2);
+ strlen(PASSWORD_QUALITY_SZ) +
+ strlen(pEntry->e_name.bv_val) + 2);
sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
- nQuality, minQuality);
+ nQuality, minQuality);
goto fail;
}
@@ -306,7 +397,7 @@
for ( j = 0; j < 3; j++ ) {
snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
- CRACKLIB_DICTPATH, ext[j]);
+ CRACKLIB_DICTPATH, ext[j]);
if (( fp = fopen ( filename, "r")) == NULL ) {
@@ -326,9 +417,9 @@
r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
if ( r != NULL ) {
mem_len = realloc_error_message(&szErrStr, mem_len,
- strlen(BAD_PASSWORD_SZ) +
- strlen(pEntry->e_name.bv_val) +
- strlen(r));
+ strlen(BAD_PASSWORD_SZ) +
+ strlen(pEntry->e_name.bv_val) +
+ strlen(r));
sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
goto fail;
}
@@ -342,15 +433,15 @@
}
#endif
-
+ dealloc_config_entries();
*ppErrStr = strdup ("");
ber_memfree(szErrStr);
return (LDAP_SUCCESS);
fail:
+ dealloc_config_entries();
*ppErrStr = strdup (szErrStr);
ber_memfree(szErrStr);
return (EXIT_FAILURE);
}
-

@ -0,0 +1,28 @@
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
#TLS_CACERT /etc/pki/tls/cert.pem
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#TLS_CIPHER_SUITE PROFILE=SYSTEM
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on

@ -0,0 +1,102 @@
#!/usr/bin/sh
# Author: Jan Vcelak <jvcelak@redhat.com>
. /usr/libexec/openldap/functions
function check_config_syntax()
{
retcode=0
tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
if [ $? -ne 0 ]; then
error "Checking configuration file failed:"
cat $tmp_slaptest >&2
retcode=1
fi
rm $tmp_slaptest
return $retcode
}
function check_certs_perms()
{
retcode=0
for cert in `certificates`; do
run_as_ldap "/usr/bin/test -e \"$cert\""
if [ $? -ne 0 ]; then
error "TLS certificate/key/DB '%s' was not found." "$cert"
retcoder=1
continue
fi
run_as_ldap "/usr/bin/test -r \"$cert\""
if [ $? -ne 0 ]; then
error "TLS certificate/key/DB '%s' is not readable." "$cert"
retcode=1
fi
done
return $retcode
}
function check_db_perms()
{
retcode=0
for dbdir in `databases`; do
[ -d "$dbdir" ] || continue
for dbfile in `find ${dbdir} -maxdepth 1 -name "*.mdb"` ; do
run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
if [ $? -ne 0 ]; then
error "Read/write permissions for DB file '%s' are required." "$dbfile"
retcode=1
fi
done
done
return $retcode
}
function check_major_upgrade()
{
retcode=0
if [ -f "/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS" ]; then
error "You have upgraded your openldap-servers package. There are actions that need to be performed. Please, read the /usr/share/openldap-servers/UPGRADE_INSTRUCTIONS file"
retcode=1
fi
return $retcode
}
function check_everything()
{
retcode=0
check_config_syntax || retcode=1
check_certs_perms || retcode=1
check_db_perms || retcode=1
return $retcode
}
if [ `id -u` -ne 0 ]; then
error "You have to be root to run this script."
exit 4
fi
check_major_upgrade || return 1
load_sysconfig
if [ -n "$SLAPD_CONFIG_DIR" ]; then
if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
else
check_everything
exit $?
fi
fi
if [ -n "$SLAPD_CONFIG_FILE" ]; then
if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
else
error "Warning: Usage of a configuration file is obsolete!"
check_everything
exit $?
fi
fi
exit 1

@ -0,0 +1,120 @@
# Author: Jan Vcelak <jvcelak@redhat.com>
SLAPD_USER=
SLAPD_CONFIG_FILE=
SLAPD_CONFIG_DIR=
SLAPD_CONFIG_CUSTOM=
SLAPD_GLOBAL_OPTIONS=
SLAPD_SYSCONFIG_FILE=
function default_config()
{
SLAPD_USER=ldap
SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
SLAPD_CONFIG_CUSTOM=
SLAPD_GLOBAL_OPTIONS=
SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
}
function parse_config_options()
{
user=
config_file=
config_dir=
while getopts :u:f:F: opt; do
case "$opt" in
u)
user="$OPTARG"
;;
f)
config_file="$OPTARG"
;;
F)
config_dir="$OPTARG"
;;
esac
done
if [ -n "$user" ]; then
SLAPD_USER="$user"
fi
if [ -n "$config_dir" ]; then
SLAPD_CONFIG_DIR="$config_dir"
SLAPD_CONFIG_FILE=
SLAPD_CONFIG_CUSTOM=1
SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
elif [ -n "$config_file" ]; then
SLAPD_CONFIG_DIR=
SLAPD_CONFIG_FILE="$config_file"
SLAPD_CONFIG_CUSTOM=1
SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
fi
}
function uses_new_config()
{
[ -n "$SLAPD_CONFIG_DIR" ]
return $?
}
function run_as_ldap()
{
/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
return $?
}
function ldif_unbreak()
{
sed ':a;N;s/\n //;ta;P;D'
}
function ldif_value()
{
sed 's/^[^:]*: //'
}
function databases_new()
{
slapcat $SLAPD_GLOBAL_OPTIONS -c \
-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
ldif_unbreak | \
grep '^olcDbDirectory: ' | \
ldif_value
}
function certificates_new()
{
slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
ldif_unbreak | \
grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
ldif_value
}
function certificates()
{
uses_new_config && certificates_new
}
function databases()
{
uses_new_config && databases_new
}
function error()
{
format="$1\n"; shift
printf "$format" $@ >&2
}
function load_sysconfig()
{
[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
. "$SLAPD_SYSCONFIG_FILE"
[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
}
default_config

@ -0,0 +1,393 @@
From e1782a92cc0e6dde404fa5fb18cb8dba46887fc0 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@redhat.com>
Date: Thu, 26 May 2022 17:17:39 -0700
Subject: [PATCH] Revert "ITS#8618 - Remove deprecated -h and -p options to
client tools"
Except tests. For tests, use -H option.
---
clients/tools/common.c | 53 +++++++++++++++++++++++++++++++++++++-
clients/tools/common.h | 2 ++
doc/man/man1/ldapcompare.1 | 12 +++++++++
doc/man/man1/ldapdelete.1 | 12 +++++++++
doc/man/man1/ldapexop.1 | 12 +++++++++
doc/man/man1/ldapmodify.1 | 16 ++++++++++++
doc/man/man1/ldapmodrdn.1 | 12 +++++++++
doc/man/man1/ldappasswd.1 | 12 +++++++++
doc/man/man1/ldapsearch.1 | 12 +++++++++
doc/man/man1/ldapwhoami.1 | 12 +++++++++
10 files changed, 154 insertions(+), 1 deletion(-)
diff --git a/clients/tools/common.c b/clients/tools/common.c
index b88f219b3..28178d64c 100644
--- a/clients/tools/common.c
+++ b/clients/tools/common.c
@@ -71,6 +71,8 @@ char *prog = NULL;
/* connection */
char *ldapuri = NULL;
+char *ldaphost = NULL;
+int ldapport = 0;
int use_tls = 0;
int protocol = -1;
int version = 0;
@@ -348,6 +350,7 @@ N_(" [!]sessiontracking[=<username>]\n")
N_(" abandon, cancel, ignore (SIGINT sends abandon/cancel,\n"
" or ignores response; if critical, doesn't wait for SIGINT.\n"
" not really controls)\n")
+N_(" -h host LDAP server (deprecated in favor of \"-H\")\n"),
N_(" -H URI LDAP Uniform Resource Identifier(s)\n"),
N_(" -I use SASL Interactive mode\n"),
N_(" -n show what would be done but don't actually do it\n"),
@@ -356,6 +359,7 @@ N_(" -O props SASL security properties\n"),
N_(" -o <opt>[=<optparam>] any libldap ldap.conf options, plus\n"),
N_(" ldif_wrap=<width> (in columns, or \"no\" for no wrapping)\n"),
N_(" nettimeout=<timeout> (in seconds, or \"none\" or \"max\")\n"),
+N_(" -p port port on LDAP server (deprecated in favor of \"-H\")\n"),
N_(" -Q use SASL Quiet mode\n"),
N_(" -R realm SASL realm\n"),
N_(" -U authcid SASL authentication identity\n"),
@@ -774,6 +778,13 @@ tool_args( int argc, char **argv )
}
infile = optarg;
break;
+ case 'h': /* ldap host */
+ if( ldaphost != NULL ) {
+ fprintf( stderr, "%s: -h previously specified\n", prog );
+ exit( EXIT_FAILURE );
+ }
+ ldaphost = optarg;
+ break;
case 'H': /* ldap URI */
if( ldapuri != NULL ) {
fprintf( stderr, "%s: -H previously specified\n", prog );
@@ -887,6 +898,18 @@ tool_args( int argc, char **argv )
exit( EXIT_FAILURE );
#endif
break;
+ case 'p':
+ if( ldapport ) {
+ fprintf( stderr, "%s: -p previously specified\n", prog );
+ exit( EXIT_FAILURE );
+ }
+ ival = strtol( optarg, &next, 10 );
+ if ( next == NULL || next[0] != '\0' ) {
+ fprintf( stderr, "%s: unable to parse port number \"%s\"\n", prog, optarg );
+ exit( EXIT_FAILURE );
+ }
+ ldapport = ival;
+ break;
case 'P':
ival = strtol( optarg, &next, 10 );
if ( next == NULL || next[0] != '\0' ) {
@@ -1121,6 +1144,22 @@ tool_args( int argc, char **argv )
#endif
}
+ if( ldapuri == NULL ) {
+ if( ldapport && ( ldaphost == NULL )) {
+ fprintf( stderr, "%s: -p without -h is invalid.\n", prog );
+ exit( EXIT_FAILURE );
+ }
+ } else {
+ if( ldaphost != NULL ) {
+ fprintf( stderr, "%s: -H incompatible with -h\n", prog );
+ exit( EXIT_FAILURE );
+ }
+ if( ldapport ) {
+ fprintf( stderr, "%s: -H incompatible with -p\n", prog );
+ exit( EXIT_FAILURE );
+ }
+ }
+
if( protocol == LDAP_VERSION2 ) {
if( assertctl || authzid || manageDIT || manageDSAit ||
#ifdef LDAP_CONTROL_OBSOLETE_PROXY_AUTHZ
@@ -1191,7 +1230,19 @@ tool_conn_setup( int dont, void (*private_setup)( LDAP * ) )
if ( !dont ) {
int rc;
- if ( ldapuri != NULL ) {
+ if( ( ldaphost != NULL || ldapport ) && ( ldapuri == NULL ) ) {
+ /* construct URL */
+ LDAPURLDesc url;
+ memset( &url, 0, sizeof(url));
+
+ url.lud_scheme = "ldap";
+ url.lud_host = ldaphost;
+ url.lud_port = ldapport;
+ url.lud_scope = LDAP_SCOPE_DEFAULT;
+
+ ldapuri = ldap_url_desc2str( &url );
+
+ } else if ( ldapuri != NULL ) {
LDAPURLDesc *ludlist, **ludp;
char **urls = NULL;
int nurls = 0;
diff --git a/clients/tools/common.h b/clients/tools/common.h
index c4377da17..41c3d874a 100644
--- a/clients/tools/common.h
+++ b/clients/tools/common.h
@@ -61,6 +61,8 @@ extern char *prog;
/* connection */
extern char *ldapuri;
+extern char *ldaphost;
+extern int ldapport;
extern int use_tls;
extern int protocol;
extern int version;
diff --git a/doc/man/man1/ldapcompare.1 b/doc/man/man1/ldapcompare.1
index b15b0c4f8..b7747ad8c 100644
--- a/doc/man/man1/ldapcompare.1
+++ b/doc/man/man1/ldapcompare.1
@@ -31,6 +31,10 @@ ldapcompare \- LDAP compare tool
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -139,6 +143,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
diff --git a/doc/man/man1/ldapdelete.1 b/doc/man/man1/ldapdelete.1
index e12cc56bb..84dbd882c 100644
--- a/doc/man/man1/ldapdelete.1
+++ b/doc/man/man1/ldapdelete.1
@@ -37,6 +37,10 @@ ldapdelete \- LDAP delete entry tool
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -145,6 +149,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
diff --git a/doc/man/man1/ldapexop.1 b/doc/man/man1/ldapexop.1
index 2040c3e45..26e1730a8 100644
--- a/doc/man/man1/ldapexop.1
+++ b/doc/man/man1/ldapexop.1
@@ -42,6 +42,10 @@ ldapexop
[\c
.BI \-H \ URI\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BI \-o \ opt \fR[= optparam \fR]]
@@ -156,6 +160,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify the host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify the TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
Specify general extensions. \'!\' indicates criticality.
.nf
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
index 1104e9f2a..affc661ea 100644
--- a/doc/man/man1/ldapmodify.1
+++ b/doc/man/man1/ldapmodify.1
@@ -37,6 +37,10 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -93,6 +97,10 @@ ldapmodify, ldapadd \- LDAP modify entry and LDAP add entry tools
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -204,6 +212,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
diff --git a/doc/man/man1/ldapmodrdn.1 b/doc/man/man1/ldapmodrdn.1
index 777c539ad..0226db5d2 100644
--- a/doc/man/man1/ldapmodrdn.1
+++ b/doc/man/man1/ldapmodrdn.1
@@ -37,6 +37,10 @@ ldapmodrdn \- LDAP rename entry tool
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -139,6 +143,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
diff --git a/doc/man/man1/ldappasswd.1 b/doc/man/man1/ldappasswd.1
index d1aea0c8b..c9cea59c5 100644
--- a/doc/man/man1/ldappasswd.1
+++ b/doc/man/man1/ldappasswd.1
@@ -39,6 +39,10 @@ ldappasswd \- change the password of an LDAP entry
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -144,6 +148,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
.TP
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1
index 7f3ec4095..7496602b8 100644
--- a/doc/man/man1/ldapsearch.1
+++ b/doc/man/man1/ldapsearch.1
@@ -57,6 +57,10 @@ ldapsearch \- LDAP search tool
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-P \ { 2 \||\| 3 }]
[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -277,6 +281,14 @@ DNS SRV records, according to RFC 2782. The DN must be a non-empty
sequence of AVAs whose attribute type is "dc" (domain component),
and must be escaped according to RFC 2396.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-P \ { 2 \||\| 3 }
Specify the LDAP protocol version to use.
.TP
diff --git a/doc/man/man1/ldapwhoami.1 b/doc/man/man1/ldapwhoami.1
index 49b1187b2..adbc3f52c 100644
--- a/doc/man/man1/ldapwhoami.1
+++ b/doc/man/man1/ldapwhoami.1
@@ -27,6 +27,10 @@ ldapwhoami \- LDAP who am i? tool
[\c
.BI \-H \ ldapuri\fR]
[\c
+.BI \-h \ ldaphost\fR]
+[\c
+.BI \-p \ ldapport\fR]
+[\c
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
[\c
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]]
@@ -99,6 +103,14 @@ Specify URI(s) referring to the ldap server(s); only the protocol/host/port
fields are allowed; a list of URI, separated by whitespace or commas
is expected.
.TP
+.BI \-h \ ldaphost
+Specify an alternate host on which the ldap server is running.
+Deprecated in favor of \fB\-H\fP.
+.TP
+.BI \-p \ ldapport
+Specify an alternate TCP port where the ldap server is listening.
+Deprecated in favor of \fB\-H\fP.
+.TP
.BR \-e \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
.TP
.BR \-E \ [ ! ] \fIext\fP [ =\fIextparam\fP ]
--
2.35.3

@ -0,0 +1,37 @@
From 6779e56fafb0aa8ae5efa7068da34a630b51b530 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@redhat.com>
Date: Fri, 5 Aug 2022 13:23:52 -0700
Subject: [PATCH] Add export symbols related to LDAP_CONNECTIONLESS
---
libraries/liblber/lber.map | 1 +
libraries/libldap/ldap.map | 1 +
2 files changed, 2 insertions(+)
diff --git a/libraries/liblber/lber.map b/libraries/liblber/lber.map
index 9a4094b0f..083cd1f32 100644
--- a/libraries/liblber/lber.map
+++ b/libraries/liblber/lber.map
@@ -121,6 +121,7 @@ OPENLDAP_2.200
ber_sockbuf_io_fd;
ber_sockbuf_io_readahead;
ber_sockbuf_io_tcp;
+ ber_sockbuf_io_udp;
ber_sockbuf_remove_io;
ber_sos_dump;
ber_start;
diff --git a/libraries/libldap/ldap.map b/libraries/libldap/ldap.map
index b28c9c21e..021aaba63 100644
--- a/libraries/libldap/ldap.map
+++ b/libraries/libldap/ldap.map
@@ -200,6 +200,7 @@ OPENLDAP_2.200
ldap_is_ldap_url;
ldap_is_ldapi_url;
ldap_is_ldaps_url;
+ ldap_is_ldapc_url;
ldap_is_read_ready;
ldap_is_write_ready;
ldap_ld_free;
--
2.37.1

@ -0,0 +1,20 @@
use AI_ADDRCONFIG if defined in the environment
Author: Jan Vcelak <jvcelak@redhat.com>
Upstream ITS: #7326
Resolves: #835013
diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
index 14899cc..b25e750 100644
--- a/libraries/libldap/os-ip.c
+++ b/libraries/libldap/os-ip.c
@@ -620,8 +620,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
memset( &hints, '\0', sizeof(hints) );
-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
- /* Use AI_ADDRCONFIG only on systems where its known to be needed. */
+#ifdef AI_ADDRCONFIG
hints.ai_flags = AI_ADDRCONFIG;
#endif
hints.ai_family = ldap_int_inet4or6;

@ -0,0 +1,41 @@
Compile AllOp together with other overlays.
Author: Matus Honek <mhonek@redhat.com>
Resolves: #1319782
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
index b5c3fc8..9aa8a4f 100644
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -38,7 +38,8 @@ SRCS = overlays.c \
translucent.c \
unique.c \
valsort.c \
- smbk5pwd.c
+ smbk5pwd.c \
+ allop.c
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -58,7 +59,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -148,6 +149,12 @@ smbk5pwd.lo : smbk5pwd.c
smbk5pwd.la : smbk5pwd.lo
$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+allop.lo : allop.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+
+allop.la : allop.lo
+ $(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \

@ -0,0 +1,70 @@
Various manual pages changes:
* removes LIBEXECDIR from slapd.8
* removes references to non-existing manpages (bz 624616)
diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
index 353b075..cf37856 100644
--- a/doc/man/man1/ldapmodify.1
+++ b/doc/man/man1/ldapmodify.1
@@ -382,8 +382,7 @@ exit status and a diagnostic message being written to standard error.
.BR ldap_add_ext (3),
.BR ldap_delete_ext (3),
.BR ldap_modify_ext (3),
-.BR ldap_modrdn_ext (3),
-.BR ldif (5).
+.BR ldif (5)
.SH AUTHOR
The OpenLDAP Project <http://www.openldap.org/>
.SH ACKNOWLEDGEMENTS
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index 17b7154..6084298 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -338,6 +338,7 @@ certificates in separate individual files. The
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
+The specified directory must be managed with the OpenSSL c_rehash utility.
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
index 8504b37..f02f1fa 100644
--- a/doc/man/man8/slapd.8
+++ b/doc/man/man8/slapd.8
@@ -5,7 +5,7 @@
.SH NAME
slapd \- Stand-alone LDAP Daemon
.SH SYNOPSIS
-.B LIBEXECDIR/slapd
+.B slapd
[\c
.BR \-V [ V [ V ]]
[\c
@@ -332,7 +332,7 @@ the LDAP databases defined in the default config file, just type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd
+ slapd
.ft
.fi
.LP
@@ -343,7 +343,7 @@ on voluminous debugging which will be printed on standard error, type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
+ slapd -f /var/tmp/slapd.conf -d 255
.ft
.fi
.LP
@@ -351,7 +351,7 @@ To test whether the configuration file is correct or not, type:
.LP
.nf
.ft tt
- LIBEXECDIR/slapd \-Tt
+ slapd -Tt
.ft
.fi
.LP

@ -0,0 +1,51 @@
Reference default system-wide CA certificates in manpages
OpenSSL, unless explicitly configured, uses system-wide default set of CA
certificates.
Author: Matus Honek <mhonek@redhat.com>
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index 6084298..3070bb4 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -327,6 +327,9 @@ are more options you can specify. These options are used when an
.B ldaps:// URI
is selected (by default or otherwise) or when the application
negotiates TLS by issuing the LDAP StartTLS operation.
+.LP
+When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
+is set, the system-wide default set of CA certificates is used.
.TP
.B TLS_CACERT <filename>
Specifies the file that contains certificates for all of the Certificate
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index a559b0c..adda87a 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -878,6 +878,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
+.LP
+When using OpenSSL, if neither \fBolcTLSCACertificateFile\fP nor
+\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
+certificates is used.
.TP
.B olcTLSCipherSuite: <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index b6e9250..1653a1b 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1108,6 +1108,10 @@ If
.B slapd
is built with support for Transport Layer Security, there are more options
you can specify.
+.LP
+When using OpenSSL, if neither \fBTLSCACertificateFile\fP nor
+\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
+certificates is used.
.TP
.B TLSCipherSuite <cipher-suite-spec>
Permits configuring what ciphers will be accepted and the preference order.

@ -0,0 +1,33 @@
The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
example if libldap needs to be initialized from within gethostbyXXXX() (which
actually happens if nss_ldap is used for hostname resolution and earlier
modules can't resolve the local host name), so use the reentrant versions of
the functions, even if we're not being compiled for use in libldap_r
Resolves: #179730
Author: Jeffery Layton <jlayton@redhat.com>
diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
index aa69f70..4461bf2 100644
--- a/libraries/libldap/util-int.c
+++ b/libraries/libldap/util-int.c
@@ -52,8 +52,8 @@ extern int h_errno;
#ifndef LDAP_R_COMPILE
# undef HAVE_REENTRANT_FUNCTIONS
# undef HAVE_CTIME_R
-# undef HAVE_GETHOSTBYNAME_R
-# undef HAVE_GETHOSTBYADDR_R
+/* # undef HAVE_GETHOSTBYNAME_R */
+/* # undef HAVE_GETHOSTBYADDR_R */
#else
# include <ldap_pvt_thread.h>
@@ -442,7 +442,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
#define BUFSTART (1024-32)
#define BUFMAX (32*1024-32)
-#if defined(LDAP_R_COMPILE)
+#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
static char *safe_realloc( char **buf, int len );
#if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))

@ -0,0 +1,59 @@
Compile smbk5pwd together with other overlays.
Author: Jan Šafránek <jsafrane@redhat.com>
Resolves: #550895
Update to link against OpenSSL
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #841560
diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
index 4a710a7..0cd4e9e 100644
--- a/contrib/slapd-modules/smbk5pwd/README
+++ b/contrib/slapd-modules/smbk5pwd/README
@@ -1,3 +1,8 @@
+******************************************************************************
+Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
+is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
+******************************************************************************
+
This directory contains a slapd overlay, smbk5pwd, that extends the
PasswordModify Extended Operation to update Kerberos keys and Samba
password hashes for an LDAP user.
diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
index b84bc54..b5c3fc8 100644
--- a/servers/slapd/overlays/Makefile.in
+++ b/servers/slapd/overlays/Makefile.in
@@ -37,7 +37,8 @@ SRCS = overlays.c \
syncprov.c \
translucent.c \
unique.c \
- valsort.c
+ valsort.c \
+ smbk5pwd.c
OBJS = statover.o \
@SLAPD_STATIC_OVERLAYS@ \
overlays.o
@@ -57,7 +58,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
LIBRARY = ../liboverlays.a
-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
+PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
XINCPATH = -I.. -I$(srcdir)/..
XDEFS = $(MODULES_CPPFLAGS)
@@ -141,6 +142,12 @@ unique.la : unique.lo
valsort.la : valsort.lo
$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+smbk5pwd.lo : smbk5pwd.c
+ $(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
+
+smbk5pwd.la : smbk5pwd.lo
+ $(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+
install-local: $(PROGRAMS)
@if test -n "$?" ; then \
$(MKDIR) $(DESTDIR)$(moduledir); \

@ -0,0 +1,43 @@
From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
Date: Tue, 18 May 2010 17:47:05 +0200
Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
Proof of concept for fixing http://bugs.debian.org/327585
(patch ported from freeradius bug http://bugs.debian.org/416266)
Resolves: #960048
diff --git a/servers/slapd/module.c b/servers/slapd/module.c
index e616f1d..52bacff 100644
--- a/servers/slapd/module.c
+++ b/servers/slapd/module.c
@@ -117,6 +117,20 @@ int module_unload( const char *file_name )
return -1; /* not found */
}
+static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
+{
+ lt_dlhandle handle = 0;
+ lt_dladvise advise;
+
+ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
+ && !lt_dladvise_global (&advise))
+ handle = lt_dlopenadvise (filename, advise);
+
+ lt_dladvise_destroy (&advise);
+
+ return handle;
+}
+
int module_load(const char* file_name, int argc, char *argv[])
{
module_loaded_t *module;
@@ -179,7 +193,7 @@ int module_load(const char* file_name, int argc, char *argv[])
* to calling Debug. This is because Debug is a macro that expands
* into multiple function calls.
*/
- if ((module->lib = lt_dlopenext(file)) == NULL) {
+ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
error = lt_dlerror();
#ifdef HAVE_EBCDIC
strcpy( ebuf, error );

@ -0,0 +1,163 @@
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
# TLS settings
#
# When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by oclTLSCACertificatePath one has to include them explicitly:
#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
#
# Private cert and key are not pregenerated.
#olcTLSCertificateFile:
#olcTLSCertificateKeyFile:
#
# System-wide Crypto Policies provide up to date cipher suite which should
# be used unless one needs a finer grinded selection of ciphers. Hence, the
# PROFILE=SYSTEM value represents the default behavior which is in place
# when no explicit setting is used. (see openssl-ciphers(1) for more info)
#olcTLSCipherSuite: PROFILE=SYSTEM
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath: /usr/lib/openldap
#olcModulepath: /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: allop.la
#olcModuleload: auditlog.la
#olcModuleload: autoca.la
#olcModuleload: back_asyncmeta.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_sock.la
#olcModuleload: check_password.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: home.la
#olcModuleload: lloadd.la
#olcModuleload: memberof.la
#olcModuleload: otp.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: remoteauth.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la
#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///etc/openldap/schema/core.ldif
#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: frontend
#
# Sample global access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
n=auth" manage by * none
#
# Server status monitoring
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
#
# Backend database definitions
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

@ -0,0 +1,16 @@
[Unit]
Description=OpenLDAP Server Daemon
After=syslog.target network-online.target
Documentation=man:slapd
Documentation=man:slapd-config
Documentation=man:slapd-mdb
Documentation=file:///usr/share/doc/openldap-servers/guide.html
[Service]
Type=forking
ExecStartPre=/usr/libexec/openldap/check-config.sh
ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
[Install]
WantedBy=multi-user.target
Alias=openldap.service

@ -0,0 +1,2 @@
# openldap runtime directory for slapd.arg and slapd.pid
d /run/openldap 0755 ldap ldap -

File diff suppressed because it is too large Load Diff
Loading…
Cancel
Save