import openldap-2.6.7-5.el10

.gitignore

@@ -0,0 +1,2 @@
+SOURCES/openldap-2.6.7.tgz
+SOURCES/openldap-ppolicy-check-password-1.1.tar.gz

.openldap.metadata

@@ -0,0 +1,2 @@
+9ac8167b0cad4f9830c123faf9eba52a851c1ae0 SOURCES/openldap-2.6.7.tgz
+d9f2c30aa3ec5760d4eb5923f461ca8eed92703d SOURCES/openldap-ppolicy-check-password-1.1.tar.gz

SOURCES/UPGRADE_INSTRUCTIONS

@@ -0,0 +1,30 @@
+You have upgraded your openldap-servers package.
+Any major version upgrade can cause database corruption or loss.
+Please, make sure that you have up-to-date back up and read this document carefully.
+
+It's still recommended to do the backup even on the minor version upgrade.
+
+Please, review the next links before performing any action:
+
+Upgrading from 2.4.x - https://www.openldap.org/doc/admin25/appendix-upgrading.html
+Upgrading from 2.5.x - https://www.openldap.org/doc/admin26/appendix-upgrading.html
+The normal upgrade procedure - https://www.openldap.org/doc/admin26/maintenance.html
+
+Additionally, please, review and perform the following steps that can help you with the upgrade:
+
+         1. Back up both data and configuration directories into a safe place;
+         2. Export data to an LDIF file using slapcat;
+a. If you have the deprecated DB type and you haven't performed the slapcat command, you need to move your data and configuration to the system with OpenLDAP 2.4 version and run slapcat command there;
+         3. Change the server's configuration according to the changes in the above documents;
+          a. If you are replacing the BDB/HDB with MDB, make sure to replace the BDB/HDB sections with their MDB counterparts;
+4. Clear out the current data directory;
+         5. Import data to a new database from the LDIF file using slapadd;
+         6. Make sure that your data is intact.
+
+After you have completed the above operations, you can remove this file (/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS) and start the server:
+
+        systemctl start slapd.service
+
+Be careful with this document's procedure, make sure you understand it, and test it in a non-production environment first. Always make sure that all backups are in place.
+
+You have been warned about the possibility of data corruption or loss.

SOURCES/check-password-makefile.patch

@@ -0,0 +1,58 @@
+diff --git a/Makefile b/Makefile
+index 4457bad..91de40b 100644
+--- a/Makefile
++++ b/Makefile
+@@ -13,17 +13,10 @@ CRACKLIB=/usr/share/cracklib/pw_dict
+ #
+ CONFIG=/etc/openldap/check_password.conf
+ 
+-
+-# Where to find the OpenLDAP headers.
+-#
+-LDAP_INC=-I/usr/include/openldap/include \
+-	 -I/usr/include/openldap/servers/slapd
+-
+-# Where to find the CrackLib headers.
+-#
+-CRACK_INC=
+-
+-INCS=$(LDAP_INC) $(CRACK_INC)
++CFLAGS+=-fpic                                                  \
++	-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""  \
++	-DCONFIG_FILE="\"$(CONFIG)\""                          \
++	-DDEBUG
+ 
+ LDAP_LIB=-lldap_r -llber
+ 
+@@ -33,27 +26,21 @@ LDAP_LIB=-lldap_r -llber
+ #
+ CRACKLIB_LIB=-lcrack
+ 
+-CC_FLAGS=-g -O2 -Wall -fpic
+-CRACKLIB_OPT=-DHAVE_CRACKLIB -DCRACKLIB_DICTPATH="\"$(CRACKLIB)\""
+-DEBUG_OPT=-DDEBUG
+-CONFIG_OPT=-DCONFIG_FILE="\"$(CONFIG)\""
+-
+-OPT=$(CC_FLAGS) $(CRACKLIB_OPT) $(CONFIG_OPT) $(DEBUG_OPT)
+-
+ LIBS=$(LDAP_LIB) $(CRACKLIB_LIB)
+ 
+ LIBDIR=/usr/lib/openldap/
+ 
++
+ all: 	check_password
+ 
+ check_password.o:
+-	$(CC) $(OPT) -c $(INCS) check_password.c
++	$(CC) $(CFLAGS) -c $(LDAP_INC) check_password.c
+ 
+ check_password: clean check_password.o
+-	$(CC) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
++	$(CC) $(LDFLAGS) -shared -o check_password.so check_password.o $(CRACKLIB_LIB)
+ 
+ install: check_password
+-	cp -f check_password.so $(LIBDIR)
++	cp -f check_password.so ../../../usr/lib/openldap/modules/
+ 
+ clean:
+ 	$(RM) check_password.o check_password.so check_password.lo

SOURCES/check-password.patch

@@ -0,0 +1,321 @@
+--- a/check_password.c	2009-10-31 18:59:06.000000000 +0100
++++ b/check_password.c	2014-12-17 12:25:00.148900907 +0100
+@@ -10,7 +10,7 @@
+ #include <slap.h>
+ 
+ #ifdef HAVE_CRACKLIB
+-#include "crack.h"
++#include <crack.h>
+ #endif
+ 
+ #if defined(DEBUG)
+@@ -34,18 +34,77 @@
+ #define PASSWORD_TOO_SHORT_SZ \
+ 	"Password for dn=\"%s\" is too short (%d/6)"
+ #define PASSWORD_QUALITY_SZ \
+-	"Password for dn=\"%s\" does not pass required number of strength checks (%d of %d)"
++	"Password for dn=\"%s\" does not pass required number of strength checks for the required character sets (%d of %d)"
+ #define BAD_PASSWORD_SZ \
+ 	"Bad password for dn=\"%s\" because %s"
++#define UNKNOWN_ERROR_SZ \
++	"An unknown error occurred, please see your systems administrator"
+ 
+ typedef int (*validator) (char*);
+-static int read_config_file (char *);
++static int read_config_file ();
+ static validator valid_word (char *);
+ static int set_quality (char *);
+ static int set_cracklib (char *);
+ 
+ int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry);
+ 
++struct config_entry {
++	char* key;
++	char* value;
++	char* def_value;
++} config_entries[] = { { "minPoints", NULL, "3"},
++		       { "useCracklib", NULL, "1"},
++		       { "minUpper", NULL, "0"},
++		       { "minLower", NULL, "0"},
++		       { "minDigit", NULL, "0"},
++		       { "minPunct", NULL, "0"},
++		       { NULL, NULL, NULL }};
++
++int get_config_entry_int(char* entry) {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	char* key = centry[i].key;
++	while (key != NULL) {
++		if ( strncmp(key, entry, strlen(key)) == 0 ) {
++			if ( centry[i].value == NULL ) {
++				return atoi(centry[i].def_value);
++			}
++			else {
++				return atoi(centry[i].value);
++			}
++		}
++		i++;
++		key = centry[i].key;
++	}
++
++	return -1;
++}
++
++void dealloc_config_entries() {
++	struct config_entry* centry = config_entries;
++
++	int i = 0;
++	while (centry[i].key != NULL) {
++		if ( centry[i].value != NULL ) {
++			ber_memfree(centry[i].value);
++		}
++		i++;
++	}
++}
++
++char* chomp(char *s)
++{
++	char* t = ber_memalloc(strlen(s)+1);
++	strncpy (t,s,strlen(s)+1);
++
++	if ( t[strlen(t)-1] == '\n' ) {
++		t[strlen(t)-1] = '\0';
++	}
++
++	return t;
++}
++
+ static int set_quality (char *value)
+ {
+ #if defined(DEBUG)
+@@ -84,12 +143,12 @@
+ 		char * parameter;
+ 		validator dealer;
+ 	} list[] = { { "minPoints", set_quality },
+-		{ "useCracklib", set_cracklib },
+-		{ "minUpper", set_digit },
+-		{ "minLower", set_digit },
+-		{ "minDigit", set_digit },
+-		{ "minPunct", set_digit },
+-		{ NULL, NULL } };
++		     { "useCracklib", set_cracklib },
++		     { "minUpper", set_digit },
++		     { "minLower", set_digit },
++		     { "minDigit", set_digit },
++		     { "minPunct", set_digit },
++		     { NULL, NULL } };
+ 	int index = 0;
+ 
+ #if defined(DEBUG)
+@@ -98,7 +157,7 @@
+ 
+ 	while (list[index].parameter != NULL) {
+ 		if (strlen(word) == strlen(list[index].parameter) &&
+-				strcmp(list[index].parameter, word) == 0) {
++		    strcmp(list[index].parameter, word) == 0) {
+ #if defined(DEBUG)
+ 			syslog(LOG_NOTICE, "check_password: Parameter accepted.");
+ #endif
+@@ -114,13 +173,15 @@
+ 	return NULL;
+ }
+ 
+-static int read_config_file (char *keyWord)
++static int read_config_file ()
+ {
+ 	FILE * config;
+ 	char * line;
+ 	int returnValue =  -1;
+ 
+-	if ((line = ber_memcalloc(260, sizeof(char))) == NULL) {
++	line = ber_memcalloc(260, sizeof(char));
++
++	if ( line == NULL ) {
+ 		return returnValue;
+ 	}
+ 
+@@ -133,6 +194,8 @@
+ 		return returnValue;
+ 	}
+ 
++	returnValue = 0;
++
+ 	while (fgets(line, 256, config) != NULL) {
+ 		char *start = line;
+ 		char *word, *value;
+@@ -145,23 +208,40 @@
+ 
+ 		while (isspace(*start) && isascii(*start)) start++;
+ 
+-		if (! isascii(*start))
++		/* If we've got punctuation, just skip the line. */
++		if ( ispunct(*start)) {
++#if defined(DEBUG)
++			/* Debug traces to syslog. */
++			syslog(LOG_NOTICE, "check_password: Skipped line |%s|", line);
++#endif
+ 			continue;
++		}
+ 
+-		if ((word = strtok(start, " \t")) && (dealer = valid_word(word)) && (strcmp(keyWord,word)==0)) {
+-			if ((value = strtok(NULL, " \t")) == NULL)
+-				continue;
++		if( isascii(*start)) {
++
++			struct config_entry* centry = config_entries;
++			int i = 0;
++			char* keyWord = centry[i].key;
++			if ((word = strtok(start, " \t")) && (value = strtok(NULL, " \t"))) {
++				while ( keyWord != NULL ) {
++					if ((strncmp(keyWord,word,strlen(keyWord)) == 0) && (dealer = valid_word(word)) ) {
+ 
+ #if defined(DEBUG)
+-			syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
++						syslog(LOG_NOTICE, "check_password: Word = %s, value = %s", word, value);
+ #endif
+ 
+-			returnValue = (*dealer)(value);
++						centry[i].value = chomp(value);
++						break;
++					}
++					i++;
++					keyWord = centry[i].key;
++				}
++			}
+ 		}
+ 	}
+-
+ 	fclose(config);
+ 	ber_memfree(line);
++
+ 	return returnValue;
+ }
+ 
+@@ -170,7 +250,7 @@
+ 	if (curlen < nextlen + MEMORY_MARGIN) {
+ #if defined(DEBUG)
+ 		syslog(LOG_WARNING, "check_password: Reallocating szErrStr from %d to %d",
+-				curlen, nextlen + MEMORY_MARGIN);
++		       curlen, nextlen + MEMORY_MARGIN);
+ #endif
+ 		ber_memfree(*target);
+ 		curlen = nextlen + MEMORY_MARGIN;
+@@ -180,7 +260,7 @@
+ 	return curlen;
+ }
+ 
+-	int
++int
+ check_password (char *pPasswd, char **ppErrStr, Entry *pEntry)
+ {
+ 
+@@ -210,20 +290,22 @@
+ 	nLen = strlen (pPasswd);
+ 	if ( nLen < 6) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_TOO_SHORT_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 1);
++						strlen(PASSWORD_TOO_SHORT_SZ) +
++						strlen(pEntry->e_name.bv_val) + 1);
+ 		sprintf (szErrStr, PASSWORD_TOO_SHORT_SZ, pEntry->e_name.bv_val, nLen);
+ 		goto fail;
+ 	}
+ 
+-	/* Read config file */
+-	minQuality = read_config_file("minPoints");
++	if (read_config_file() == -1) {
++		syslog(LOG_ERR, "Warning: Could not read values from config file %s. Using defaults.", CONFIG_FILE);
++	}
+ 
+-	useCracklib = read_config_file("useCracklib");
+-	minUpper = read_config_file("minUpper");
+-	minLower = read_config_file("minLower");
+-	minDigit = read_config_file("minDigit");
+-	minPunct = read_config_file("minPunct");
++	minQuality = get_config_entry_int("minPoints");
++	useCracklib = get_config_entry_int("useCracklib");
++	minUpper = get_config_entry_int("minUpper");
++	minLower = get_config_entry_int("minLower");
++	minDigit = get_config_entry_int("minDigit");
++	minPunct = get_config_entry_int("minPunct");
+ 
+ 	/** The password must have at least minQuality strength points with one
+ 	 * point for the first occurrance of a lower, upper, digit and
+@@ -232,8 +314,6 @@
+ 
+ 	for ( i = 0; i < nLen; i++ ) {
+ 
+-		if ( nQuality >= minQuality ) break;
+-
+ 		if ( islower (pPasswd[i]) ) {
+ 			minLower--;
+ 			if ( !nLower && (minLower < 1)) {
+@@ -279,12 +359,23 @@
+ 		}
+ 	}
+ 
+-	if ( nQuality < minQuality ) {
++	/*
++	 * If you have a required field, then it should be required in the strength
++	 * checks.
++	 */
++
++	if (
++		(minLower > 0 ) ||
++		(minUpper > 0 ) ||
++		(minDigit > 0 ) ||
++		(minPunct > 0 ) ||
++		(nQuality < minQuality)
++		) {
+ 		mem_len = realloc_error_message(&szErrStr, mem_len,
+-				strlen(PASSWORD_QUALITY_SZ) +
+-				strlen(pEntry->e_name.bv_val) + 2);
++						strlen(PASSWORD_QUALITY_SZ) +
++						strlen(pEntry->e_name.bv_val) + 2);
+ 		sprintf (szErrStr, PASSWORD_QUALITY_SZ, pEntry->e_name.bv_val,
+-				nQuality, minQuality);
++			 nQuality, minQuality);
+ 		goto fail;
+ 	}
+ 
+@@ -306,7 +397,7 @@
+ 		for ( j = 0; j < 3; j++ ) {
+ 
+ 			snprintf (filename, FILENAME_MAXLEN - 1, "%s.%s", \
+-					CRACKLIB_DICTPATH, ext[j]);
++				  CRACKLIB_DICTPATH, ext[j]);
+ 
+ 			if (( fp = fopen ( filename, "r")) == NULL ) {
+ 
+@@ -326,9 +417,9 @@
+ 			r = (char *) FascistCheck (pPasswd, CRACKLIB_DICTPATH);
+ 			if ( r != NULL ) {
+ 				mem_len = realloc_error_message(&szErrStr, mem_len,
+-						strlen(BAD_PASSWORD_SZ) +
+-						strlen(pEntry->e_name.bv_val) +
+-						strlen(r));
++								strlen(BAD_PASSWORD_SZ) +
++								strlen(pEntry->e_name.bv_val) +
++								strlen(r));
+ 				sprintf (szErrStr, BAD_PASSWORD_SZ, pEntry->e_name.bv_val, r);
+ 				goto fail;
+ 			}
+@@ -342,15 +433,15 @@
+ 	}
+ 
+ #endif
+-
++	dealloc_config_entries();
+ 	*ppErrStr = strdup ("");
+ 	ber_memfree(szErrStr);
+ 	return (LDAP_SUCCESS);
+ 
+ fail:
++	dealloc_config_entries();
+ 	*ppErrStr = strdup (szErrStr);
+ 	ber_memfree(szErrStr);
+ 	return (EXIT_FAILURE);
+ 
+ }
+-

SOURCES/ldap.conf

@@ -0,0 +1,28 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT	/etc/pki/tls/cert.pem
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON	on
+

SOURCES/libexec-check-config.sh

@@ -0,0 +1,102 @@
+#! /usr/bin/sh
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+. /usr/libexec/openldap/functions
+
+function check_config_syntax()
+{
+	retcode=0
+	tmp_slaptest=`mktemp --tmpdir=/var/run/openldap`
+	run_as_ldap "/usr/sbin/slaptest $SLAPD_GLOBAL_OPTIONS -u" &>$tmp_slaptest
+	if [ $? -ne 0 ]; then
+		error "Checking configuration file failed:"
+		cat $tmp_slaptest >&2
+		retcode=1
+	fi
+	rm $tmp_slaptest
+	return $retcode
+}
+
+function check_certs_perms()
+{
+	retcode=0
+	for cert in `certificates`; do
+		run_as_ldap "/usr/bin/test -e \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' was not found." "$cert"
+			retcoder=1
+			continue
+		fi
+		run_as_ldap "/usr/bin/test -r \"$cert\""
+		if [ $? -ne 0 ]; then
+			error "TLS certificate/key/DB '%s' is not readable." "$cert"
+			retcode=1
+		fi
+	done
+	return $retcode
+}
+
+function check_db_perms()
+{
+	retcode=0
+	for dbdir in `databases`; do
+		[ -d "$dbdir" ] || continue
+		for dbfile in `find ${dbdir} -maxdepth 1 -name "*.mdb"` ; do
+			run_as_ldap "/usr/bin/test -r \"$dbfile\" -a -w \"$dbfile\""
+			if [ $? -ne 0 ]; then
+				error "Read/write permissions for DB file '%s' are required." "$dbfile"
+				retcode=1
+			fi
+		done
+	done
+	return $retcode
+}
+
+function check_major_upgrade()
+{
+	retcode=0
+	if [ -f "/usr/share/openldap-servers/UPGRADE_INSTRUCTIONS" ]; then
+		error "You have upgraded your openldap-servers package. There are actions that need to be performed. Please, read the /usr/share/openldap-servers/UPGRADE_INSTRUCTIONS file"
+		retcode=1
+	fi
+	return $retcode
+}
+
+function check_everything()
+{
+	retcode=0
+	check_config_syntax || retcode=1
+	check_certs_perms || retcode=1
+	check_db_perms || retcode=1
+	return $retcode
+}
+
+if [ `id -u` -ne 0 ]; then
+	error "You have to be root to run this script."
+	exit 4
+fi
+
+check_major_upgrade || return 1
+
+load_sysconfig
+
+if [ -n "$SLAPD_CONFIG_DIR" ]; then
+	if [ ! -d "$SLAPD_CONFIG_DIR" ]; then
+		error "Configuration directory '%s' does not exist." "$SLAPD_CONFIG_DIR"
+	else
+		check_everything
+		exit $?
+	fi
+fi
+
+if [ -n "$SLAPD_CONFIG_FILE" ]; then
+	if [ ! -f "$SLAPD_CONFIG_FILE" ]; then
+		error "Configuration file '%s' does not exist." "$SLAPD_CONFIG_FILE"
+	else
+		error "Warning: Usage of a configuration file is obsolete!"
+		check_everything
+		exit $?
+	fi
+fi
+
+exit 1

SOURCES/libexec-functions

@@ -0,0 +1,120 @@
+# Author: Jan Vcelak <jvcelak@redhat.com>
+
+SLAPD_USER=
+SLAPD_CONFIG_FILE=
+SLAPD_CONFIG_DIR=
+SLAPD_CONFIG_CUSTOM=
+SLAPD_GLOBAL_OPTIONS=
+SLAPD_SYSCONFIG_FILE=
+
+function default_config()
+{
+	SLAPD_USER=ldap
+	SLAPD_CONFIG_FILE=/etc/openldap/slapd.conf
+	SLAPD_CONFIG_DIR=/etc/openldap/slapd.d
+	SLAPD_CONFIG_CUSTOM=
+	SLAPD_GLOBAL_OPTIONS=
+	SLAPD_SYSCONFIG_FILE=/etc/sysconfig/slapd
+}
+
+function parse_config_options()
+{
+	user=
+	config_file=
+	config_dir=
+	while getopts :u:f:F: opt; do
+		case "$opt" in
+		u)
+			user="$OPTARG"
+			;;
+		f)
+			config_file="$OPTARG"
+			;;
+		F)
+			config_dir="$OPTARG"
+			;;
+		esac
+	done
+
+	if [ -n "$user" ]; then
+		SLAPD_USER="$user"
+	fi
+
+	if [ -n "$config_dir" ]; then
+		SLAPD_CONFIG_DIR="$config_dir"
+		SLAPD_CONFIG_FILE=
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-F '$config_dir'"
+	elif [ -n "$config_file" ]; then
+		SLAPD_CONFIG_DIR=
+		SLAPD_CONFIG_FILE="$config_file"
+		SLAPD_CONFIG_CUSTOM=1
+		SLAPD_GLOBAL_OPTIONS="-f '$config_file'"
+	fi
+}
+
+function uses_new_config()
+{
+	[ -n "$SLAPD_CONFIG_DIR" ]
+	return $?
+}
+
+function run_as_ldap()
+{
+	/sbin/runuser --shell /bin/sh --session-command "$1" "$SLAPD_USER"
+	return $?
+}
+
+function ldif_unbreak()
+{
+	sed ':a;N;s/\n //;ta;P;D'
+}
+
+function ldif_value()
+{
+	sed 's/^[^:]*: //'
+}
+
+function databases_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c \
+	-H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcDbDirectory: ' | \
+		ldif_value
+}
+
+function certificates_new()
+{
+	slapcat $SLAPD_GLOBAL_OPTIONS -c -H 'ldap:///cn=config???(cn=config)' 2>/dev/null | \
+		ldif_unbreak | \
+		grep '^olcTLS\(CACertificateFile\|CACertificatePath\|CertificateFile\|CertificateKeyFile\): ' | \
+		ldif_value
+}
+
+function certificates()
+{
+	uses_new_config && certificates_new
+}
+
+function databases()
+{
+	uses_new_config && databases_new
+}
+
+
+function error()
+{
+	format="$1\n"; shift
+	printf "$format" $@ >&2
+}
+
+function load_sysconfig()
+{
+	[ -r "$SLAPD_SYSCONFIG_FILE" ] || return
+
+	. "$SLAPD_SYSCONFIG_FILE"
+	[ -n "$SLAPD_OPTIONS" ] && parse_config_options $SLAPD_OPTIONS
+}
+
+default_config

SOURCES/openldap-ITS-9921-fix-vlvResult-comment.patch

@@ -0,0 +1,25 @@
+From 0b4098ca9080e78436cbd9f383047a9583888376 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 26 Sep 2022 11:55:27 +0100
+Subject: [PATCH] ITS#9921 fix vlvResult comment
+
+---
+ clients/tools/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/clients/tools/common.c b/clients/tools/common.c
+index b88f219b36..3135034ca0 100644
+--- a/clients/tools/common.c
++++ b/clients/tools/common.c
+@@ -2210,7 +2210,7 @@ print_vlv( LDAP *ld, LDAPControl *ctrl )
+ 			ber_memfree( bv.bv_val );
+ 
+ 		tool_write_ldif( ldif ? LDIF_PUT_COMMENT : LDIF_PUT_VALUE,
+-			ldif ? "vlvResult" : "vlvResult", buf, rc );
++			ldif ? "vlvResult: " : "vlvResult", buf, rc );
+ 	}
+ 
+ 	return rc;
+-- 
+GitLab
+

SOURCES/openldap-add-export-symbols-LDAP_CONNECTIONLESS.patch

@@ -0,0 +1,37 @@
+From 6779e56fafb0aa8ae5efa7068da34a630b51b530 Mon Sep 17 00:00:00 2001
+From: Simon Pichugin <spichugi@redhat.com>
+Date: Fri, 5 Aug 2022 13:23:52 -0700
+Subject: [PATCH] Add export symbols related to LDAP_CONNECTIONLESS
+
+---
+ libraries/liblber/lber.map | 1 +
+ libraries/libldap/ldap.map | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/libraries/liblber/lber.map b/libraries/liblber/lber.map
+index 9a4094b0f..083cd1f32 100644
+--- a/libraries/liblber/lber.map
++++ b/libraries/liblber/lber.map
+@@ -121,6 +121,7 @@ OPENLDAP_2.200
+     ber_sockbuf_io_fd;
+     ber_sockbuf_io_readahead;
+     ber_sockbuf_io_tcp;
++    ber_sockbuf_io_udp;
+     ber_sockbuf_remove_io;
+     ber_sos_dump;
+     ber_start;
+diff --git a/libraries/libldap/ldap.map b/libraries/libldap/ldap.map
+index b28c9c21e..021aaba63 100644
+--- a/libraries/libldap/ldap.map
++++ b/libraries/libldap/ldap.map
+@@ -200,6 +200,7 @@ OPENLDAP_2.200
+     ldap_is_ldap_url;
+     ldap_is_ldapi_url;
+     ldap_is_ldaps_url;
++    ldap_is_ldapc_url;
+     ldap_is_read_ready;
+     ldap_is_write_ready;
+     ldap_ld_free;
+-- 
+2.37.1
+

SOURCES/openldap-ai-addrconfig.patch

@@ -0,0 +1,20 @@
+use AI_ADDRCONFIG if defined in the environment
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Upstream ITS: #7326
+Resolves: #835013
+
+diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c
+index 14899cc..b25e750 100644
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -620,8 +620,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *sb,
+ 
+ #if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
+ 	memset( &hints, '\0', sizeof(hints) );
+-#ifdef USE_AI_ADDRCONFIG /* FIXME: configure test needed */
+-	/* Use AI_ADDRCONFIG only on systems where its known to be needed. */
++#ifdef AI_ADDRCONFIG
+ 	hints.ai_flags = AI_ADDRCONFIG;
+ #endif
+ 	hints.ai_family = ldap_int_inet4or6;

SOURCES/openldap-allop-overlay.patch

@@ -0,0 +1,41 @@
+Compile AllOp together with other overlays.
+
+Author: Matus Honek <mhonek@redhat.com>
+Resolves: #1319782
+
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index b5c3fc8..9aa8a4f 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -38,7 +38,8 @@ SRCS = overlays.c \
+ 	translucent.c \
+ 	unique.c \
+ 	valsort.c \
+-	smbk5pwd.c
++	smbk5pwd.c \
++	allop.c
+ OBJS = statover.o \
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
+@@ -58,7 +59,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ 
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la allop.la
+ 
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -148,6 +149,12 @@ smbk5pwd.lo : smbk5pwd.c
+ smbk5pwd.la : smbk5pwd.lo
+ 	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
+ 
++allop.lo : allop.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++allop.la : allop.lo
++	$(LTLINK_MOD) -module -o $@ allop.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \

SOURCES/openldap-explicitly-cast-private-values.patch

@@ -0,0 +1,70 @@
+From fb9e6a81bbee880549e7ec18f0a74ddddbd2d1ab Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 6 Feb 2024 21:38:24 -0500
+Subject: [PATCH] ITS#10171 - Explicitly cast private values
+
+Fixes issues with -Werror=incompatible-pointer-types
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ servers/slapd/config.c              | 2 +-
+ servers/slapd/overlays/constraint.c | 2 +-
+ servers/slapd/overlays/dyngroup.c   | 2 +-
+ servers/slapd/overlays/valsort.c    | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/config.c b/servers/slapd/config.c
+index 80333f359c..987c862d91 100644
+--- a/servers/slapd/config.c
++++ b/servers/slapd/config.c
+@@ -151,7 +151,7 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) {
+ 	int rc, arg_user, arg_type, arg_syn, iarg;
+ 	unsigned uiarg;
+ 	long larg;
+-	size_t ularg;
++	unsigned long ularg;
+ 	ber_len_t barg;
+ 	
+ 	if(Conf->arg_type == ARG_IGNORED) {
+diff --git a/servers/slapd/overlays/constraint.c b/servers/slapd/overlays/constraint.c
+index f939b37762..0d6156af4d 100644
+--- a/servers/slapd/overlays/constraint.c
++++ b/servers/slapd/overlays/constraint.c
+@@ -557,7 +557,7 @@ done:;
+ 				a2->restrict_filter = ap.restrict_filter;
+ 				a2->restrict_val = ap.restrict_val;
+ 
+-				for ( app = &on->on_bi.bi_private; *app; app = &(*app)->ap_next )
++				for ( app = (constraint **)&on->on_bi.bi_private; *app; app = &(*app)->ap_next )
+ 					/* Get to the end */ ;
+ 
+ 				a2->ap_next = *app;
+diff --git a/servers/slapd/overlays/dyngroup.c b/servers/slapd/overlays/dyngroup.c
+index 5d890d6650..e0e70af2d9 100644
+--- a/servers/slapd/overlays/dyngroup.c
++++ b/servers/slapd/overlays/dyngroup.c
+@@ -111,7 +111,7 @@ static int dgroup_cf( ConfigArgs *c )
+ 		 */
+ 		a2 = ch_malloc( sizeof(adpair) );
+ 
+-		for ( app = &on->on_bi.bi_private; *app; app = &(*app)->ap_next )
++		for ( app = (adpair **)&on->on_bi.bi_private; *app; app = &(*app)->ap_next )
+ 			/* Get to the end */ ;
+ 
+ 		a2->ap_mem = ap.ap_mem;
+diff --git a/servers/slapd/overlays/valsort.c b/servers/slapd/overlays/valsort.c
+index 3d998e2fcb..e251500d0b 100644
+--- a/servers/slapd/overlays/valsort.c
++++ b/servers/slapd/overlays/valsort.c
+@@ -201,7 +201,7 @@ valsort_cf_func(ConfigArgs *c) {
+ 		return(1);
+ 	}
+ 
+-	for ( vip = &on->on_bi.bi_private; *vip; vip = &(*vip)->vi_next )
++	for ( vip = (valsort_info **)&on->on_bi.bi_private; *vip; vip = &(*vip)->vi_next )
+ 		/* Get to the end */ ;
+ 
+ 	vi = ch_malloc( sizeof(valsort_info) );
+-- 
+GitLab
+

SOURCES/openldap-manpages.patch

@@ -0,0 +1,70 @@
+Various manual pages changes:
+* removes LIBEXECDIR from slapd.8
+* removes references to non-existing manpages (bz 624616)
+
+diff --git a/doc/man/man1/ldapmodify.1 b/doc/man/man1/ldapmodify.1
+index 353b075..cf37856 100644
+--- a/doc/man/man1/ldapmodify.1
++++ b/doc/man/man1/ldapmodify.1
+@@ -382,8 +382,7 @@ exit status and a diagnostic message being written to standard error.
+ .BR ldap_add_ext (3),
+ .BR ldap_delete_ext (3),
+ .BR ldap_modify_ext (3),
+-.BR ldap_modrdn_ext (3),
+-.BR ldif (5).
++.BR ldif (5)
+ .SH AUTHOR
+ The OpenLDAP Project <http://www.openldap.org/>
+ .SH ACKNOWLEDGEMENTS
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 17b7154..6084298 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -338,6 +338,7 @@ certificates in separate individual files. The
+ .B TLS_CACERT
+ is always used before
+ .B TLS_CACERTDIR.
++The specified directory must be managed with the OpenSSL c_rehash utility.
+ .TP
+ .B TLS_CERT <filename>
+ Specifies the file that contains the client certificate.
+diff --git a/doc/man/man8/slapd.8 b/doc/man/man8/slapd.8
+index 8504b37..f02f1fa 100644
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd 
++.B slapd
+ [\c
+ .BR \-V [ V [ V ]]
+ [\c
+@@ -332,7 +332,7 @@ the LDAP databases defined in the default config file, just type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd
++	slapd
+ .ft
+ .fi
+ .LP
+@@ -343,7 +343,7 @@ on voluminous debugging which will be printed on standard error, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++	slapd -f /var/tmp/slapd.conf -d 255
+ .ft
+ .fi
+ .LP
+@@ -351,7 +351,7 @@ To test whether the configuration file is correct or not, type:
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-Tt
++	slapd -Tt
+ .ft
+ .fi
+ .LP

SOURCES/openldap-openssl-manpage-defaultCA.patch

@@ -0,0 +1,51 @@
+Reference default system-wide CA certificates in manpages
+
+OpenSSL, unless explicitly configured, uses system-wide default set of CA
+certificates.
+
+Author: Matus Honek <mhonek@redhat.com>
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+index 6084298..3070bb4 100644
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -327,6 +327,9 @@ are more options you can specify.  These options are used when an
+ .B ldaps:// URI
+ is selected (by default or otherwise) or when the application
+ negotiates TLS by issuing the LDAP StartTLS operation.
++.LP
++When using OpenSSL, if neither  \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
++is set, the system-wide default set of CA certificates is used.
+ .TP
+ .B TLS_CACERT <filename>
+ Specifies the file that contains certificates for all of the Certificate
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+index a559b0c..adda87a 100644
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -878,6 +878,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither  \fBolcTLSCACertificateFile\fP nor
++\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B olcTLSCipherSuite: <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+index b6e9250..1653a1b 100644
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1108,6 +1108,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither  \fBTLSCACertificateFile\fP nor
++\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B TLSCipherSuite <cipher-suite-spec>
+ Permits configuring what ciphers will be accepted and the preference order.

SOURCES/openldap-reentrant-gethostby.patch

@@ -0,0 +1,33 @@
+The non-reentrant gethostbyXXXX() functions deadlock if called recursively, for
+example if libldap needs to be initialized from within gethostbyXXXX() (which
+actually happens if nss_ldap is used for hostname resolution and earlier
+modules can't resolve the local host name), so use the reentrant versions of
+the functions, even if we're not being compiled for use in libldap_r
+
+Resolves: #179730
+Author: Jeffery Layton <jlayton@redhat.com>
+
+diff --git a/libraries/libldap/util-int.c b/libraries/libldap/util-int.c
+index aa69f70..4461bf2 100644
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -52,8 +52,8 @@ extern int h_errno;
+ #ifndef LDAP_R_COMPILE
+ # undef HAVE_REENTRANT_FUNCTIONS
+ # undef HAVE_CTIME_R
+-# undef HAVE_GETHOSTBYNAME_R
+-# undef HAVE_GETHOSTBYADDR_R
++/* # undef HAVE_GETHOSTBYNAME_R */
++/* # undef HAVE_GETHOSTBYADDR_R */
+ 
+ #else
+ # include <ldap_pvt_thread.h>
+@@ -442,7 +442,7 @@ ldap_pvt_csnstr(char *buf, size_t len, unsigned int replica, unsigned int mod)
+ #define BUFSTART (1024-32)
+ #define BUFMAX (32*1024-32)
+ 
+-#if defined(LDAP_R_COMPILE)
++#if defined(LDAP_R_COMPILE) || defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R)
+ static char *safe_realloc( char **buf, int len );
+ 
+ #if !(defined(HAVE_GETHOSTBYNAME_R) && defined(HAVE_GETHOSTBYADDR_R))

SOURCES/openldap-slapi-fix-plugin-plugin_pblock_new-usage.patch

@@ -0,0 +1,23 @@
+From c7a4bd27f5dcf93806972aab236001f1d4801e80 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 31 Jan 2024 16:00:30 +0000
+Subject: [PATCH] ITS#10166 slapi: fix plugin.c plugin_pblock_new() usage
+
+Broken in 9142da8eaf691720f7d6288954250ef085bd3da0
+---
+ servers/slapd/slapi/plugin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/slapi/plugin.c b/servers/slapd/slapi/plugin.c
+index ca5dbead59..bfa5c10344 100644
+--- a/servers/slapd/slapi/plugin.c
++++ b/servers/slapd/slapi/plugin.c
+@@ -694,7 +694,7 @@ slapi_int_read_config(
+ 		int rc;
+ 		Slapi_PBlock *pPlugin;
+ 
+-		pPlugin = plugin_pblock_new( iType, numPluginArgc, c->argv );
++		pPlugin = plugin_pblock_new( iType, numPluginArgc, c );
+ 		if (pPlugin == NULL) {
+ 			return 1;
+ 		}

SOURCES/openldap-smbk5pwd-overlay.patch

@@ -0,0 +1,59 @@
+Compile smbk5pwd together with other overlays.
+
+Author: Jan Šafránek <jsafrane@redhat.com>
+Resolves: #550895
+
+Update to link against OpenSSL
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #841560
+
+diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README
+index 4a710a7..0cd4e9e 100644
+--- a/contrib/slapd-modules/smbk5pwd/README
++++ b/contrib/slapd-modules/smbk5pwd/README
+@@ -1,3 +1,8 @@
++******************************************************************************
++Red Hat note: We do not provide Heimdal Kerberos but MIT. Therefore the module
++is compiled only with Samba features in Fedora and Red Hat Enterprise Linux.
++******************************************************************************
++
+ This directory contains a slapd overlay, smbk5pwd, that extends the
+ PasswordModify Extended Operation to update Kerberos keys and Samba
+ password hashes for an LDAP user.
+diff --git a/servers/slapd/overlays/Makefile.in b/servers/slapd/overlays/Makefile.in
+index b84bc54..b5c3fc8 100644
+--- a/servers/slapd/overlays/Makefile.in
++++ b/servers/slapd/overlays/Makefile.in
+@@ -37,7 +37,8 @@ SRCS = overlays.c \
+ 	syncprov.c \
+ 	translucent.c \
+ 	unique.c \
+-	valsort.c
++	valsort.c \
++	smbk5pwd.c
+ OBJS = statover.o \
+ 	@SLAPD_STATIC_OVERLAYS@ \
+ 	overlays.o
+@@ -57,7 +58,7 @@ NT_LINK_LIBS = -L.. -lslapd $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ UNIX_LINK_LIBS = $(@BUILD_LIBS_DYNAMIC@_LDAP_LIBS)
+ 
+ LIBRARY = ../liboverlays.a
+-PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@
++PROGRAMS = @SLAPD_DYNAMIC_OVERLAYS@ smbk5pwd.la
+ 
+ XINCPATH = -I.. -I$(srcdir)/..
+ XDEFS = $(MODULES_CPPFLAGS)
+@@ -141,6 +142,12 @@ unique.la : unique.lo
+ valsort.la : valsort.lo
+ 	$(LTLINK_MOD) -module -o $@ valsort.lo version.lo $(LINK_LIBS)
+ 
++smbk5pwd.lo : smbk5pwd.c
++	$(LTCOMPILE_MOD) -DDO_SAMBA -UHAVE_MOZNSS -DHAVE_OPENSSL $(shell pkg-config openssl --cflags) $<
++
++smbk5pwd.la : smbk5pwd.lo
++	$(LTLINK_MOD) -module -o $@ smbk5pwd.lo version.lo $(LINK_LIBS) $(shell pkg-config openssl --libs)
++
+ install-local:	$(PROGRAMS)
+ 	@if test -n "$?" ; then \
+ 		$(MKDIR) $(DESTDIR)$(moduledir); \

SOURCES/openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch

@@ -0,0 +1,43 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: [PATCH] Switch to lt_dlopenadvise() to get RTLD_GLOBAL set.
+
+Proof of concept for fixing http://bugs.debian.org/327585
+(patch ported from freeradius bug http://bugs.debian.org/416266)
+
+Resolves: #960048
+
+diff --git a/servers/slapd/module.c b/servers/slapd/module.c
+index e616f1d..52bacff 100644
+--- a/servers/slapd/module.c
++++ b/servers/slapd/module.c
+@@ -117,6 +117,20 @@ int module_unload( const char *file_name )
+ 	return -1;	/* not found */
+ }
+ 
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++	lt_dlhandle handle = 0;
++	lt_dladvise advise;
++
++	if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++			&& !lt_dladvise_global (&advise))
++		handle = lt_dlopenadvise (filename, advise);
++
++	lt_dladvise_destroy (&advise);
++
++	return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ 	module_loaded_t *module;
+@@ -179,7 +193,7 @@ int module_load(const char* file_name, int argc, char *argv[])
+ 	 * to calling Debug. This is because Debug is a macro that expands
+ 	 * into multiple function calls.
+ 	 */
+-	if ((module->lib = lt_dlopenext(file)) == NULL) {
++	if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ 		error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ 		strcpy( ebuf, error );

SOURCES/openldap.sysusers

@@ -0,0 +1,3 @@
+#Type Name     ID             GECOS                   Home directory  Shell
+g     ldap     55
+u     ldap     55:55          "OpenLDAP server"       /var/lib/ldap   /sbin/nologin

SOURCES/slapd.ldif

@@ -0,0 +1,163 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+#
+# TLS settings
+#
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by oclTLSCACertificatePath one has to include them explicitly:
+#olcTLSCACertificateFile: /etc/pki/tls/cert.pem
+#
+# Private cert and key are not pregenerated.
+#olcTLSCertificateFile:
+#olcTLSCertificateKeyFile:
+#
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#olcTLSCipherSuite: PROFILE=SYSTEM
+
+
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath: /usr/lib/openldap
+#olcModulepath: /usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: allop.la
+#olcModuleload: auditlog.la
+#olcModuleload: autoca.la
+#olcModuleload: back_asyncmeta.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_sock.la
+#olcModuleload: check_password.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: home.la
+#olcModuleload: lloadd.la
+#olcModuleload: memberof.la
+#olcModuleload: otp.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: remoteauth.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+#	by self write
+#	by users read
+#	by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: mdb
+olcSuffix: dc=my-domain,dc=com
+olcRootDN: cn=Manager,dc=my-domain,dc=com
+olcDbDirectory:	/var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

SOURCES/slapd.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=OpenLDAP Server Daemon
+After=syslog.target network-online.target
+Documentation=man:slapd
+Documentation=man:slapd-config
+Documentation=man:slapd-mdb
+Documentation=file:///usr/share/doc/openldap-servers/guide.html
+
+[Service]
+Type=forking
+ExecStartPre=/usr/libexec/openldap/check-config.sh
+ExecStart=/usr/sbin/slapd -u ldap -h "ldap:/// ldaps:/// ldapi:///"
+
+[Install]
+WantedBy=multi-user.target
+Alias=openldap.service

SOURCES/slapd.tmpfiles

@@ -0,0 +1,2 @@
+# openldap runtime directory for slapd.arg and slapd.pid
+d /run/openldap 0755 ldap ldap -