summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/ITS-8964-Do-not-free-original-filter.patch36
-rw-r--r--debian/patches/ITS-9038-Another-test028-typo.patch25
-rw-r--r--debian/patches/ITS-9038-Fix-typo-in-test-script.patch25
-rw-r--r--debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch102
-rw-r--r--debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch36
-rw-r--r--debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch25
-rw-r--r--debian/patches/ITS-9202-limit-depth-of-nested-filters.patch125
-rw-r--r--debian/patches/ITS-9370-check-for-equality-rule-on-old_rdn.patch27
-rw-r--r--debian/patches/ITS-9383-remove-assert-in-certificateListValidate.patch26
-rw-r--r--debian/patches/ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch27
-rw-r--r--debian/patches/ITS-9404-fix-serialNumberAndIssuerCheck.patch58
-rw-r--r--debian/patches/ITS-9406-9407-remove-saslauthz-asserts.patch69
-rw-r--r--debian/patches/ITS-9406-fix-debug-msg.patch33
-rw-r--r--debian/patches/ITS-9408-fix-vrfilter-double-free.patch28
-rw-r--r--debian/patches/ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch25
-rw-r--r--debian/patches/ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch25
-rw-r--r--debian/patches/ITS-9411-fix-thisUpdate-check.patch25
-rw-r--r--debian/patches/ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch42
-rw-r--r--debian/patches/ITS-9413-fix-slap_parse_user.patch38
-rw-r--r--debian/patches/ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch48
-rw-r--r--debian/patches/ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch25
-rw-r--r--debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch45
-rw-r--r--debian/patches/ITS-9427-fix-issuerAndThisUpdateCheck.patch25
-rw-r--r--debian/patches/ITS-9428-fix-cancel-exop.patch28
-rw-r--r--debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch25
-rw-r--r--debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch268
-rw-r--r--debian/patches/ITS6035-olcauthzregex-needs-restart.patch13
-rw-r--r--debian/patches/add-tlscacert-option-to-ldap-conf10
-rw-r--r--debian/patches/contrib-makefiles159
-rw-r--r--debian/patches/do-not-second-guess-sonames68
-rw-r--r--debian/patches/evolution-ntlm222
-rw-r--r--debian/patches/fix-build-top-mk11
-rw-r--r--debian/patches/getaddrinfo-is-threadsafe43
-rw-r--r--debian/patches/index-files-created-as-root37
-rw-r--r--debian/patches/lastbind-makefile-manpage46
-rw-r--r--debian/patches/ldap-conf-tls-cacertdir29
-rw-r--r--debian/patches/ldapi-socket-place16
-rw-r--r--debian/patches/libldap-symbol-versions161
-rw-r--r--debian/patches/man-slapd60
-rw-r--r--debian/patches/no-AM_INIT_AUTOMAKE25
-rw-r--r--debian/patches/no-bdb-ABI-second-guessing42
-rw-r--r--debian/patches/no-gnutls_global_set_mutex77
-rw-r--r--debian/patches/sasl-default-path55
-rw-r--r--debian/patches/series48
-rw-r--r--debian/patches/set-maintainer-name16
-rw-r--r--debian/patches/slapi-errorlog-file16
-rw-r--r--debian/patches/smbk5pwd-makefile-manpage251
-rw-r--r--debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff40
-rw-r--r--debian/patches/wrong-database-location74
49 files changed, 2780 insertions, 0 deletions
diff --git a/debian/patches/ITS-8964-Do-not-free-original-filter.patch b/debian/patches/ITS-8964-Do-not-free-original-filter.patch
new file mode 100644
index 0000000..7714e0a
--- /dev/null
+++ b/debian/patches/ITS-8964-Do-not-free-original-filter.patch
@@ -0,0 +1,36 @@
+From 0f7ec3a81258bb2c33b5d7c7434ef1c11d7fa7cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 17 Jun 2019 12:49:25 +0200
+Subject: [PATCH] ITS#8964 Do not free original filter
+
+---
+ servers/slapd/overlays/rwm.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
+index 36bceaffe..2e24f24cc 100644
+--- a/servers/slapd/overlays/rwm.c
++++ b/servers/slapd/overlays/rwm.c
+@@ -125,11 +125,15 @@ rwm_op_rollback( Operation *op, SlapReply *rs, rwm_op_state *ros )
+ break;
+ case LDAP_REQ_SEARCH:
+ op->o_tmpfree( ros->mapped_attrs, op->o_tmpmemctx );
+- filter_free_x( op, op->ors_filter, 1 );
+- op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
+ op->ors_attrs = ros->ors_attrs;
+- op->ors_filter = ros->ors_filter;
+- op->ors_filterstr = ros->ors_filterstr;
++ if ( op->ors_filter != ros->ors_filter ) {
++ filter_free_x( op, op->ors_filter, 1 );
++ op->ors_filter = ros->ors_filter;
++ }
++ if ( op->ors_filterstr.bv_val != ros->ors_filterstr.bv_val ) {
++ op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
++ op->ors_filterstr = ros->ors_filterstr;
++ }
+ break;
+ case LDAP_REQ_EXTENDED:
+ if ( op->ore_reqdata != ros->ore_reqdata ) {
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9038-Another-test028-typo.patch b/debian/patches/ITS-9038-Another-test028-typo.patch
new file mode 100644
index 0000000..243e200
--- /dev/null
+++ b/debian/patches/ITS-9038-Another-test028-typo.patch
@@ -0,0 +1,25 @@
+From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Thu, 27 Jun 2019 00:45:29 +0200
+Subject: [PATCH] ITS#9038 Another test028 typo
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index 564a615d2..dacd68d8f 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -252,7 +252,7 @@ if test $USE_SASL != "no" ; then
+ if test $RC != 50 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
++ exit 1
+ fi
+
+ echo "Filtering ldapsearch results..."
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9038-Fix-typo-in-test-script.patch b/debian/patches/ITS-9038-Fix-typo-in-test-script.patch
new file mode 100644
index 0000000..72cd9fe
--- /dev/null
+++ b/debian/patches/ITS-9038-Fix-typo-in-test-script.patch
@@ -0,0 +1,25 @@
+From c064d45c5d4551f2321276c3a5ed25b1c08e115d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 24 Jun 2019 16:37:23 +0200
+Subject: [PATCH] ITS#9038 Fix typo in test script
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index 9e5e10724..564a615d2 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -199,7 +199,7 @@ RC=$?
+ if test $RC != 1 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
++ exit 1
+ fi
+
+ ID="uid=jaj,ou=People,dc=example,dc=it"
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch b/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch
new file mode 100644
index 0000000..3e8712a
--- /dev/null
+++ b/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch
@@ -0,0 +1,102 @@
+From ce5869c89a0cf1a9ec23bde014cb4c11f4d0360c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Wed, 19 Jun 2019 18:47:32 +0200
+Subject: [PATCH] ITS#9038 Update test028 to test this is enforced
+
+---
+ tests/data/idassert.out | 5 +++++
+ tests/data/slapd-idassert.conf | 1 +
+ tests/data/test-idassert1.ldif | 6 ++++++
+ tests/scripts/test028-idassert | 24 ++++++++++++++++++++++++
+ 4 files changed, 36 insertions(+)
+
+diff --git a/tests/data/idassert.out b/tests/data/idassert.out
+index 53d76bb2e..fa51c25d6 100644
+--- a/tests/data/idassert.out
++++ b/tests/data/idassert.out
+@@ -4,6 +4,11 @@ objectClass: dcObject
+ o: Example, Inc.
+ dc: example
+
++dn: cn=Manager,o=Example,c=US
++objectClass: inetOrgPerson
++cn: Manager
++sn: Parson
++
+ dn: ou=People,o=Example,c=US
+ objectClass: organizationalUnit
+ ou: People
+diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
+index 88d66a36f..561c5ccc4 100644
+--- a/tests/data/slapd-idassert.conf
++++ b/tests/data/slapd-idassert.conf
+@@ -36,6 +36,7 @@ argsfile @TESTDIR@/slapd.1.args
+ #######################################################################
+
+ authz-policy both
++authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com"
+ authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
+ authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
+ authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
+diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
+index 063d6ec45..3ccbd1a22 100644
+--- a/tests/data/test-idassert1.ldif
++++ b/tests/data/test-idassert1.ldif
+@@ -4,6 +4,12 @@ objectClass: dcObject
+ o: Example, Inc.
+ dc: example
+
++dn: cn=Manager,dc=example,dc=com
++objectClass: inetOrgPerson
++cn: Manager
++sn: Parson
++userPassword: secret
++
+ dn: ou=People,dc=example,dc=com
+ objectClass: organizationalUnit
+ ou: People
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index b1e16744a..9e5e10724 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -191,6 +191,17 @@ if test $RC != 0 ; then
+ exit $RC
+ fi
+
++AUTHZID="u:it/jaj"
++echo "Checking another DB's rootdn can't assert identity from another DB..."
++$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
++
++RC=$?
++if test $RC != 1 ; then
++ echo "ldapwhoami should have failed ($RC)!"
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++fi
++
+ ID="uid=jaj,ou=People,dc=example,dc=it"
+ BASE="o=Example,c=US"
+ echo "Testing ldapsearch as $ID for \"$BASE\"..."
+@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then
+ exit $RC
+ fi
+
++ ID="manager"
++ AUTHZID="u:it/jaj"
++ echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
++ $LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \
++ -Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
++
++ RC=$?
++ if test $RC != 50 ; then
++ echo "ldapwhoami should have failed ($RC)!"
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++ fi
++
+ echo "Filtering ldapsearch results..."
+ $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+ echo "Filtering original ldif used to create database..."
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch b/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
new file mode 100644
index 0000000..a63c6fe
--- /dev/null
+++ b/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
@@ -0,0 +1,36 @@
+From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 19 Jun 2019 12:29:02 +0100
+Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
+
+Treat as normal user for any other DB.
+---
+ servers/slapd/saslauthz.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 64c70537d..b3727eafe 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
+ goto DONE;
+ }
+
+- /* Allow the manager to authorize as any DN. */
+- if( op->o_conn->c_authz_backend &&
+- be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
++ /* Allow the manager to authorize as any DN in its own DBs. */
+ {
+- rc = LDAP_SUCCESS;
+- goto DONE;
++ Backend *zbe = select_backend( authzDN, 1 );
++ if ( zbe && be_isroot_dn( zbe, authcDN )) {
++ rc = LDAP_SUCCESS;
++ goto DONE;
++ }
+ }
+
+ /* Check source rules */
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch b/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
new file mode 100644
index 0000000..ec09120
--- /dev/null
+++ b/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
@@ -0,0 +1,25 @@
+From 744a46a1acb93798f4e027290191d6a11dd4c18c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 10 Jul 2019 21:29:39 +0100
+Subject: [PATCH] ITS#9052 zero out sasl_ssf in connection_init
+
+---
+ servers/slapd/connection.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index b85bcb4c6..704067c55 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -554,7 +554,7 @@ Connection * connection_init(
+ c->c_close_reason = "?"; /* should never be needed */
+
+ c->c_ssf = c->c_transport_ssf = ssf;
+- c->c_tls_ssf = 0;
++ c->c_tls_ssf = c->c_sasl_ssf = 0;
+
+ #ifdef HAVE_TLS
+ if ( flags & CONN_IS_TLS ) {
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9202-limit-depth-of-nested-filters.patch b/debian/patches/ITS-9202-limit-depth-of-nested-filters.patch
new file mode 100644
index 0000000..8c547d1
--- /dev/null
+++ b/debian/patches/ITS-9202-limit-depth-of-nested-filters.patch
@@ -0,0 +1,125 @@
+From 45c18dbd0b2e91841e642ffbe835c46f189f19ee Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 16 Apr 2020 01:08:19 +0100
+Subject: [PATCH] ITS#9202 limit depth of nested filters
+
+Using a hardcoded limit for now; no reasonable apps
+should ever run into it.
+---
+ servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index cf5ae3daef..e397bebe87 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -37,11 +37,16 @@
+ const Filter *slap_filter_objectClass_pres;
+ const struct berval *slap_filterstr_objectClass_pres;
+
++#ifndef SLAPD_MAX_FILTER_DEPTH
++#define SLAPD_MAX_FILTER_DEPTH 5000
++#endif
++
+ static int get_filter_list(
+ Operation *op,
+ BerElement *ber,
+ Filter **f,
+- const char **text );
++ const char **text,
++ int depth );
+
+ static int get_ssa(
+ Operation *op,
+@@ -80,12 +85,13 @@ filter_destroy( void )
+ return;
+ }
+
+-int
+-get_filter(
++static int
++get_filter0(
+ Operation *op,
+ BerElement *ber,
+ Filter **filt,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ ber_tag_t tag;
+ ber_len_t len;
+@@ -126,6 +132,11 @@ get_filter(
+ *
+ */
+
++ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
++ *text = "filter nested too deeply";
++ return SLAPD_DISCONNECT;
++ }
++
+ tag = ber_peek_tag( ber, &len );
+
+ if( tag == LBER_ERROR ) {
+@@ -221,7 +232,7 @@ get_filter(
+
+ case LDAP_FILTER_AND:
+ Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_and, text );
++ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -234,7 +245,7 @@ get_filter(
+
+ case LDAP_FILTER_OR:
+ Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_or, text );
++ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -248,7 +259,7 @@ get_filter(
+ case LDAP_FILTER_NOT:
+ Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
+ (void) ber_skip_tag( ber, &len );
+- err = get_filter( op, ber, &f.f_not, text );
++ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -311,10 +322,22 @@ get_filter(
+ return( err );
+ }
+
++int
++get_filter(
++ Operation *op,
++ BerElement *ber,
++ Filter **filt,
++ const char **text )
++{
++ return get_filter0( op, ber, filt, text, 0 );
++}
++
++
+ static int
+ get_filter_list( Operation *op, BerElement *ber,
+ Filter **f,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ Filter **new;
+ int err;
+@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
+ tag != LBER_DEFAULT;
+ tag = ber_next_element( ber, &len, last ) )
+ {
+- err = get_filter( op, ber, new, text );
++ err = get_filter0( op, ber, new, text, depth );
+ if ( err != LDAP_SUCCESS )
+ return( err );
+ new = &(*new)->f_next;
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9370-check-for-equality-rule-on-old_rdn.patch b/debian/patches/ITS-9370-check-for-equality-rule-on-old_rdn.patch
new file mode 100644
index 0000000..832e41a
--- /dev/null
+++ b/debian/patches/ITS-9370-check-for-equality-rule-on-old_rdn.patch
@@ -0,0 +1,27 @@
+From 4c774220a752bf8e3284984890dc0931fe73165d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 19 Oct 2020 14:03:41 +0100
+Subject: [PATCH] ITS#9370 check for equality rule on old_rdn
+
+Just skip normalization if there's no equality rule. We accept
+DNs without equality rules already.
+---
+ servers/slapd/modrdn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
+index c73dd8dbaa..a22975540c 100644
+--- a/servers/slapd/modrdn.c
++++ b/servers/slapd/modrdn.c
+@@ -505,7 +505,7 @@ slap_modrdn2mods(
+ mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+ ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value );
+ mod_tmp->sml_values[1].bv_val = NULL;
+- if( desc->ad_type->sat_equality->smr_normalize) {
++ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) {
+ mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+ (void) (*desc->ad_type->sat_equality->smr_normalize)(
+ SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9383-remove-assert-in-certificateListValidate.patch b/debian/patches/ITS-9383-remove-assert-in-certificateListValidate.patch
new file mode 100644
index 0000000..7000fc2
--- /dev/null
+++ b/debian/patches/ITS-9383-remove-assert-in-certificateListValidate.patch
@@ -0,0 +1,26 @@
+From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 13:12:10 +0000
+Subject: [PATCH] ITS#9383 remove assert in certificateListValidate
+
+---
+ servers/slapd/schema_init.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index ea0d67aa62..28f9e71a16 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in )
+ /* Optional version */
+ if ( tag == LBER_INTEGER ) {
+ tag = ber_get_int( ber, &version );
+- assert( tag == LBER_INTEGER );
+- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
++ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
+ }
+ tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch b/debian/patches/ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
new file mode 100644
index 0000000..96f5b67
--- /dev/null
+++ b/debian/patches/ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
@@ -0,0 +1,27 @@
+From bdb0d459187522a6063df13871b82ba8dcc6efe2 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 16:01:14 +0000
+Subject: [PATCH] ITS#9384 remove assert in obsolete csnNormalize23()
+
+---
+ servers/slapd/schema_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 5812bc4b66..ea0d67aa62 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -5327,8 +5327,8 @@ csnNormalize23(
+ }
+ *ptr = '\0';
+
+- assert( ptr == &bv.bv_val[bv.bv_len] );
+- if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
++ if ( ptr != &bv.bv_val[bv.bv_len] ||
++ csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9404-fix-serialNumberAndIssuerCheck.patch b/debian/patches/ITS-9404-fix-serialNumberAndIssuerCheck.patch
new file mode 100644
index 0000000..de25ed2
--- /dev/null
+++ b/debian/patches/ITS-9404-fix-serialNumberAndIssuerCheck.patch
@@ -0,0 +1,58 @@
+From 38ac838e4150c626bbfa0082b7e2cf3a2bb4df31 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 23 Nov 2020 17:14:00 +0000
+Subject: [PATCH] ITS#9404 fix serialNumberAndIssuerCheck
+
+Tighten validity checks
+---
+ servers/slapd/schema_init.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 834f54593d..5b577607de 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3193,7 +3193,7 @@ serialNumberAndIssuerCheck(
+
+ if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+
+- if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
++ if( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
+ /* Parse old format */
+ is->bv_val = ber_bvchr( in, '$' );
+ if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
+@@ -3224,7 +3224,7 @@ serialNumberAndIssuerCheck(
+ HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
+ } have = HAVE_NONE;
+
+- int numdquotes = 0;
++ int numdquotes = 0, gotquote;
+ struct berval x = *in;
+ struct berval ni;
+ x.bv_val++;
+@@ -3266,11 +3266,12 @@ serialNumberAndIssuerCheck(
+ is->bv_val = x.bv_val;
+ is->bv_len = 0;
+
+- for ( ; is->bv_len < x.bv_len; ) {
++ for ( gotquote=0; is->bv_len < x.bv_len; ) {
+ if ( is->bv_val[is->bv_len] != '"' ) {
+ is->bv_len++;
+ continue;
+ }
++ gotquote = 1;
+ if ( is->bv_val[is->bv_len+1] == '"' ) {
+ /* double dquote */
+ numdquotes++;
+@@ -3279,6 +3280,8 @@ serialNumberAndIssuerCheck(
+ }
+ break;
+ }
++ if ( !gotquote ) return LDAP_INVALID_SYNTAX;
++
+ x.bv_val += is->bv_len + 1;
+ x.bv_len -= is->bv_len + 1;
+
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9406-9407-remove-saslauthz-asserts.patch b/debian/patches/ITS-9406-9407-remove-saslauthz-asserts.patch
new file mode 100644
index 0000000..a6f085c
--- /dev/null
+++ b/debian/patches/ITS-9406-9407-remove-saslauthz-asserts.patch
@@ -0,0 +1,69 @@
+From 6ed057b5b728b50746c869bcc9c1f85d0bbbf6ed Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Fri, 27 Nov 2020 14:37:10 +0000
+Subject: [PATCH 1/2] ITS#9406, #9407 remove saslauthz asserts
+
+---
+ servers/slapd/saslauthz.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index e05f3f9cf6..2e59eb5598 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -180,14 +180,16 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ }
+
+ if ( !BER_BVISNULL( mech ) ) {
+- assert( mech->bv_val == id->bv_val + 2 );
++ if ( mech->bv_val != id->bv_val + 2 )
++ return LDAP_PROTOCOL_ERROR;
+
+ AC_MEMCPY( mech->bv_val - 2, mech->bv_val, mech->bv_len + 1 );
+ mech->bv_val -= 2;
+ }
+
+ if ( !BER_BVISNULL( realm ) ) {
+- assert( realm->bv_val >= id->bv_val + 2 );
++ if ( realm->bv_val < id->bv_val + 2 )
++ return LDAP_PROTOCOL_ERROR;
+
+ AC_MEMCPY( realm->bv_val - 2, realm->bv_val, realm->bv_len + 1 );
+ realm->bv_val -= 2;
+@@ -449,9 +451,12 @@ is_dn: bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
+ }
+
+ /* Grab the searchbase */
+- assert( ludp->lud_dn != NULL );
+- ber_str2bv( ludp->lud_dn, 0, 0, &bv );
+- rc = dnValidate( NULL, &bv );
++ if ( ludp->lud_dn != NULL ) {
++ ber_str2bv( ludp->lud_dn, 0, 0, &bv );
++ rc = dnValidate( NULL, &bv );
++ } else {
++ rc = LDAP_INVALID_SYNTAX;
++ }
+
+ done:
+ ldap_free_urldesc( ludp );
+@@ -813,7 +818,6 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
+ }
+
+ /* Grab the searchbase */
+- assert( ludp->lud_dn != NULL );
+ if ( ludp->lud_dn ) {
+ struct berval out = BER_BVNULL;
+
+@@ -831,6 +835,9 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
+ }
+
+ ludp->lud_dn = out.bv_val;
++ } else {
++ rc = LDAP_INVALID_SYNTAX;
++ goto done;
+ }
+
+ ludp->lud_port = 0;
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9406-fix-debug-msg.patch b/debian/patches/ITS-9406-fix-debug-msg.patch
new file mode 100644
index 0000000..92fc31e
--- /dev/null
+++ b/debian/patches/ITS-9406-fix-debug-msg.patch
@@ -0,0 +1,33 @@
+From 02dfc32d658fadc25e4040f78e36592f6e1e1ca0 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Fri, 27 Nov 2020 14:48:26 +0000
+Subject: [PATCH 2/2] ITS#9406 fix debug msg
+
+---
+ servers/slapd/saslauthz.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 2e59eb5598..982fe3120d 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -488,6 +488,7 @@ authzPrettyNormal(
+
+ assert( val != NULL );
+ assert( !BER_BVISNULL( val ) );
++ BER_BVZERO( normalized );
+
+ /*
+ * 2) dn[.{exact|children|subtree|onelevel}]:{*|<DN>}
+@@ -906,7 +907,7 @@ authzPretty(
+ rc = authzPrettyNormal( val, out, ctx, 0 );
+
+ Debug( LDAP_DEBUG_TRACE, "<<< authzPretty: <%s> (%d)\n",
+- out->bv_val, rc, 0 );
++ out->bv_val ? out->bv_val : "(null)" , rc, 0 );
+
+ return rc;
+ }
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9408-fix-vrfilter-double-free.patch b/debian/patches/ITS-9408-fix-vrfilter-double-free.patch
new file mode 100644
index 0000000..c4f1295
--- /dev/null
+++ b/debian/patches/ITS-9408-fix-vrfilter-double-free.patch
@@ -0,0 +1,28 @@
+From 21981053a1195ae1555e23df4d9ac68d34ede9dd Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 28 Nov 2020 15:54:17 +0000
+Subject: [PATCH] ITS#9408 fix vrfilter double-free
+
+---
+ servers/slapd/controls.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
+index 3455319406..28fa64eb06 100644
+--- a/servers/slapd/controls.c
++++ b/servers/slapd/controls.c
+@@ -1578,7 +1578,10 @@ static int parseValuesReturnFilter (
+ } else {
+ send_ldap_result( op, rs );
+ }
+- if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
++ if( op->o_vrFilter != NULL) {
++ vrFilter_free( op, op->o_vrFilter );
++ op->o_vrFilter = NULL;
++ }
+ }
+ #ifdef LDAP_DEBUG
+ else {
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch b/debian/patches/ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch
new file mode 100644
index 0000000..cae29b7
--- /dev/null
+++ b/debian/patches/ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch
@@ -0,0 +1,25 @@
+From c0b61a9486508e5202aa2e0cfb68c9813731b439 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 30 Nov 2020 11:45:46 +0000
+Subject: [PATCH 2/2] ITS#9409 saslauthz: use ch_free on normalized DN
+
+---
+ servers/slapd/saslauthz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 982fe3120d..cc5a292de7 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -860,7 +860,7 @@ done:
+
+ if ( lud_dn ) {
+ if ( ludp->lud_dn != lud_dn ) {
+- ber_memfree( ludp->lud_dn );
++ ch_free( ludp->lud_dn );
+ }
+ ludp->lud_dn = lud_dn;
+ }
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch b/debian/patches/ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
new file mode 100644
index 0000000..8a2a3fd
--- /dev/null
+++ b/debian/patches/ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
@@ -0,0 +1,25 @@
+From 554dff1927176579d652f2fe60c90e9abbad4c65 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 30 Nov 2020 16:20:18 +0000
+Subject: [PATCH] ITS#9409 saslauthz: use slap_sl_free in prev commit
+
+---
+ servers/slapd/saslauthz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index cc5a292de7..4a9420b37c 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -860,7 +860,7 @@ done:
+
+ if ( lud_dn ) {
+ if ( ludp->lud_dn != lud_dn ) {
+- ch_free( ludp->lud_dn );
++ slap_sl_free( ludp->lud_dn, ctx );
+ }
+ ludp->lud_dn = lud_dn;
+ }
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9411-fix-thisUpdate-check.patch b/debian/patches/ITS-9411-fix-thisUpdate-check.patch
new file mode 100644
index 0000000..20a39ea
--- /dev/null
+++ b/debian/patches/ITS-9411-fix-thisUpdate-check.patch
@@ -0,0 +1,25 @@
+From 4dfeac8655d964442c00be7e69ee180cc19d1e92 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 1 Dec 2020 18:02:51 +0000
+Subject: [PATCH] ITS#9411 fix thisUpdate check
+
+---
+ servers/slapd/schema_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 9049c1878d..2780d630e8 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3885,7 +3885,7 @@ issuerAndThisUpdateCheck(
+ /* empty */;
+ }
+
+- if ( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
++ if ( !x.bv_len || x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+ x.bv_val++;
+ x.bv_len--;
+
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch b/debian/patches/ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
new file mode 100644
index 0000000..b7e32cc
--- /dev/null
+++ b/debian/patches/ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
@@ -0,0 +1,42 @@
+From 5a2017d4e61a6ddc4dcb4415028e0d08eb6bca26 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 1 Dec 2020 18:32:35 +0000
+Subject: [PATCH] ITS#9412 fix AVA_Sort on invalid RDN
+
+---
+ servers/slapd/dn.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
+index 06698b089e..7a095ba9e9 100644
+--- a/servers/slapd/dn.c
++++ b/servers/slapd/dn.c
+@@ -233,6 +233,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ {
+ LDAPAVA *ava_i;
+ int i;
++ int rc = LDAP_SUCCESS;
+
+ assert( rdn != NULL );
+
+@@ -250,7 +251,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ /* RFC4512 does not allow multiple AVAs
+ * with the same attribute type in RDN (ITS#5968) */
+ if ( a == 0 )
+- return LDAP_INVALID_DN_SYNTAX;
++ rc = LDAP_INVALID_DN_SYNTAX;
+
+ if ( a > 0 )
+ break;
+@@ -259,7 +260,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ }
+ rdn[ j+1 ] = ava_i;
+ }
+- return LDAP_SUCCESS;
++ return rc;
+ }
+
+ static int
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9413-fix-slap_parse_user.patch b/debian/patches/ITS-9413-fix-slap_parse_user.patch
new file mode 100644
index 0000000..7d620e7
--- /dev/null
+++ b/debian/patches/ITS-9413-fix-slap_parse_user.patch
@@ -0,0 +1,38 @@
+From d169e7958a3e0dc70f59c8374bf8a59833b7bdd8 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 1 Dec 2020 19:03:24 +0000
+Subject: [PATCH] ITS#9413 fix slap_parse_user
+
+---
+ servers/slapd/saslauthz.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 4a9420b37c..b17f34a211 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -156,10 +156,9 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ user->bv_val++;
+ user->bv_len = id->bv_len - ( user->bv_val - id->bv_val );
+
+- mech->bv_val = ber_bvchr( id, '.' );
+- if ( !BER_BVISNULL( mech ) ) {
+- mech->bv_val[ 0 ] = '\0';
+- mech->bv_val++;
++ if ( id->bv_val[1] == '.' ) {
++ id->bv_val[1] = '\0';
++ mech->bv_val = id->bv_val + 2;
+ mech->bv_len = user->bv_val - mech->bv_val - 1;
+
+ realm->bv_val = ber_bvchr( mech, '/' );
+@@ -172,6 +171,7 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ }
+
+ } else {
++ BER_BVZERO( mech );
+ BER_BVZERO( realm );
+ }
+
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch b/debian/patches/ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
new file mode 100644
index 0000000..321a57a
--- /dev/null
+++ b/debian/patches/ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
@@ -0,0 +1,48 @@
+From 8c1d96ee36ed98b32cd0e28b7069c7b8ea09d793 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sun, 13 Dec 2020 21:48:45 +0000
+Subject: [PATCH] ITS#9423 ldap_X509dn2bv: check for invalid BER after RDN
+ count
+
+---
+ libraries/libldap/tls2.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index ca5a44ab0c..e0c82fa9f8 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -1254,6 +1254,12 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ }
+ }
+
++ /* Rewind and prepare to extract */
++ ber_rewind( ber );
++ tag = ber_first_element( ber, &len, &dn_end );
++ if ( tag == LBER_DEFAULT )
++ return LDAP_DECODING_ERROR;
++
+ /* Allocate the DN/RDN/AVA stuff as a single block */
+ dnsize = sizeof(LDAPRDN) * (nrdns+1);
+ dnsize += sizeof(LDAPAVA *) * (navas+nrdns);
+@@ -1265,16 +1271,12 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ } else {
+ newDN = (LDAPDN)(char *)ptrs;
+ }
+-
++
+ newDN[nrdns] = NULL;
+ newRDN = (LDAPRDN)(newDN + nrdns+1);
+ newAVA = (LDAPAVA *)(newRDN + navas + nrdns);
+ baseAVA = newAVA;
+
+- /* Rewind and start extracting */
+- ber_rewind( ber );
+-
+- tag = ber_first_element( ber, &len, &dn_end );
+ for ( i = nrdns - 1; i >= 0; i-- ) {
+ newDN[i] = newRDN;
+
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch b/debian/patches/ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch
new file mode 100644
index 0000000..9874446
--- /dev/null
+++ b/debian/patches/ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch
@@ -0,0 +1,25 @@
+From 58c1748e81c843c5b6e61648d2a4d1d82b47e842 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 14 Dec 2020 19:03:27 +0000
+Subject: [PATCH] ITS#9424 fix serialNumberAndIssuerSerialCheck
+
+---
+ servers/slapd/schema_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index d697fa108c..e035c1a6a7 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -4302,7 +4302,7 @@ serialNumberAndIssuerSerialCheck(
+ if ( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+
+ /* no old format */
+- if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
++ if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
+
+ x.bv_val++;
+ x.bv_len -= 2;
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch b/debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
new file mode 100644
index 0000000..618eb3d
--- /dev/null
+++ b/debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
@@ -0,0 +1,45 @@
+From 4bdfffd2889c0c5cdf58bebafbdc8fce4bb2bff0 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 14 Dec 2020 20:05:44 +0000
+Subject: [PATCH] ITS#9425 add more checks to ldap_X509dn2bv
+
+---
+ libraries/libldap/tls2.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index e0c82fa9f8..193d20fdfa 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -1248,6 +1248,8 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ for ( tag = ber_first_element( ber, &len, &rdn_end );
+ tag == LBER_SEQUENCE;
+ tag = ber_next_element( ber, &len, rdn_end )) {
++ if ( rdn_end > dn_end )
++ return LDAP_DECODING_ERROR;
+ tag = ber_skip_tag( ber, &len );
+ ber_skip_data( ber, len );
+ navas++;
+@@ -1257,7 +1259,7 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ /* Rewind and prepare to extract */
+ ber_rewind( ber );
+ tag = ber_first_element( ber, &len, &dn_end );
+- if ( tag == LBER_DEFAULT )
++ if ( tag != LBER_SET )
+ return LDAP_DECODING_ERROR;
+
+ /* Allocate the DN/RDN/AVA stuff as a single block */
+@@ -1370,6 +1372,10 @@ allocd:
+ /* X.690 bitString value converted to RFC4517 Bit String */
+ rc = der_to_ldap_BitString( &Val, &newAVA->la_value );
+ goto allocd;
++ case LBER_DEFAULT:
++ /* decode error */
++ rc = LDAP_DECODING_ERROR;
++ goto nomem;
+ default:
+ /* Not a string type at all */
+ newAVA->la_flags = 0;
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9427-fix-issuerAndThisUpdateCheck.patch b/debian/patches/ITS-9427-fix-issuerAndThisUpdateCheck.patch
new file mode 100644
index 0000000..3f6ddfb
--- /dev/null
+++ b/debian/patches/ITS-9427-fix-issuerAndThisUpdateCheck.patch
@@ -0,0 +1,25 @@
+From 91dccd25c347733b365adc74cb07d074512ed5ad Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 16 Dec 2020 18:52:42 +0000
+Subject: [PATCH] ITS#9427 fix issuerAndThisUpdateCheck
+
+---
+ servers/slapd/schema_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index e035c1a6a7..cc7c816937 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3809,7 +3809,7 @@ issuerAndThisUpdateCheck(
+
+ if ( in->bv_len < STRLENOF( "{issuer \"\",thisUpdate \"YYMMDDhhmmssZ\"}" ) ) return LDAP_INVALID_SYNTAX;
+
+- if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
++ if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9428-fix-cancel-exop.patch b/debian/patches/ITS-9428-fix-cancel-exop.patch
new file mode 100644
index 0000000..65e2026
--- /dev/null
+++ b/debian/patches/ITS-9428-fix-cancel-exop.patch
@@ -0,0 +1,28 @@
+From 9d0e8485f3113505743baabf1167e01e4558ccf5 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sun, 20 Dec 2020 21:31:15 +0000
+Subject: [PATCH] ITS#9428 fix cancel exop
+
+---
+ servers/slapd/cancel.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/servers/slapd/cancel.c b/servers/slapd/cancel.c
+index 2060312900..b972b18fc3 100644
+--- a/servers/slapd/cancel.c
++++ b/servers/slapd/cancel.c
+@@ -65,6 +65,11 @@ int cancel_extop( Operation *op, SlapReply *rs )
+ return LDAP_PROTOCOL_ERROR;
+ }
+
++ if ( opid == op->o_msgid ) {
++ op->o_cancel = SLAP_CANCEL_DONE;
++ return LDAP_SUCCESS;
++ }
++
+ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
+
+ if ( op->o_abandon ) {
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch b/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch
new file mode 100644
index 0000000..a9b724a
--- /dev/null
+++ b/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch
@@ -0,0 +1,25 @@
+From 9badb73425a67768c09bcaed1a9c26c684af6c30 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 6 Feb 2021 20:52:06 +0000
+Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck
+
+---
+ servers/slapd/schema_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 31be1154ef..8b1e255393 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3900,6 +3900,8 @@ issuerAndThisUpdateCheck(
+ break;
+ }
+ }
++ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX;
++
+ x.bv_val += tu->bv_len + 1;
+ x.bv_len -= tu->bv_len + 1;
+
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch b/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch
new file mode 100644
index 0000000..28e681d
--- /dev/null
+++ b/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch
@@ -0,0 +1,268 @@
+From 87df6c19915042430540931d199a39105544a134 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 23 Mar 2022 12:43:31 +0000
+Subject: [PATCH] ITS#9815 slapd-sql: escape filter values
+
+---
+ servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++-----
+ 1 file changed, 105 insertions(+), 18 deletions(-)
+
+--- a/servers/slapd/back-sql/search.c
++++ b/servers/slapd/back-sql/search.c
+@@ -63,6 +63,38 @@
+ ID *lastid );
+ #endif /* ! BACKSQL_ARBITRARY_KEY */
+
++/* Look for chars that need to be escaped, return count of them.
++ * If out is non-NULL, copy escape'd val to it.
++ */
++static int
++backsql_val_escape( Operation *op, struct berval *in, struct berval *out )
++{
++ char *ptr, *end;
++ int q = 0;
++
++ ptr = in->bv_val;
++ end = ptr + in->bv_len;
++ while (ptr < end) {
++ if ( *ptr == '\'' )
++ q++;
++ ptr++;
++ }
++ if ( q && out ) {
++ char *dst;
++ out->bv_len = in->bv_len + q;
++ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx );
++ ptr = in->bv_val;
++ dst = out->bv_val;
++ while (ptr < end ) {
++ if ( *ptr == '\'' )
++ *dst++ = '\'';
++ *dst++ = *ptr++;
++ }
++ *dst = '\0';
++ }
++ return q;
++}
++
+ static int
+ backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad )
+ {
+@@ -429,6 +461,8 @@
+ backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private;
+ int i;
+ int casefold = 0;
++ int escaped = 0;
++ struct berval escval, *fvalue;
+
+ if ( !f ) {
+ return 0;
+@@ -462,50 +496,68 @@
+
+ BER_BVZERO( &bv );
+ if ( f->f_sub_initial.bv_val ) {
+- bv.bv_len += f->f_sub_initial.bv_len;
++ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL );
+ }
+ if ( f->f_sub_any != NULL ) {
+ for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) {
+- bv.bv_len += f->f_sub_any[ a ].bv_len;
++ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL );
+ }
+ }
+ if ( f->f_sub_final.bv_val ) {
+- bv.bv_len += f->f_sub_final.bv_len;
++ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL );
+ }
+ bv.bv_len = 2 * bv.bv_len - 1;
+ bv.bv_val = ch_malloc( bv.bv_len + 1 );
+
+ s = 0;
+ if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
+- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ];
+- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) {
++ fvalue = &f->f_sub_initial;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++ for ( i = 1; i < fvalue->bv_len; i++ ) {
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ];
++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ }
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+ s += 2 * i;
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ }
+
+ if ( f->f_sub_any != NULL ) {
+ for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) {
+- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ];
+- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) {
++ fvalue = &f->f_sub_any[ a ];
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++ for ( i = 1; i < fvalue->bv_len; i++ ) {
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ];
++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ }
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+ s += 2 * i;
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ }
+ }
+
+ if ( !BER_BVISNULL( &f->f_sub_final ) ) {
+- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ];
+- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) {
++ fvalue = &f->f_sub_final;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++ for ( i = 1; i < fvalue->bv_len; i++ ) {
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ];
++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ }
+- bv.bv_val[ s + 2 * i - 1 ] = '%';
++ bv.bv_val[ s + 2 * i - 1 ] = '%';
+ s += 2 * i;
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ }
+
+ bv.bv_val[ s - 1 ] = '\0';
+@@ -561,11 +613,17 @@
+ f->f_sub_initial.bv_val, 0 );
+ #endif /* BACKSQL_TRACE */
+
++ fvalue = &f->f_sub_initial;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
+ start = bsi->bsi_flt_where.bb_val.bv_len;
+ backsql_strfcat_x( &bsi->bsi_flt_where,
+ bsi->bsi_op->o_tmpmemctx,
+ "b",
+- &f->f_sub_initial );
++ fvalue );
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+ ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
+ }
+@@ -586,12 +644,18 @@
+ i, f->f_sub_any[ i ].bv_val );
+ #endif /* BACKSQL_TRACE */
+
++ fvalue = &f->f_sub_any[ i ];
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
+ start = bsi->bsi_flt_where.bb_val.bv_len;
+ backsql_strfcat_x( &bsi->bsi_flt_where,
+ bsi->bsi_op->o_tmpmemctx,
+ "bc",
+- &f->f_sub_any[ i ],
++ fvalue,
+ '%' );
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+ /*
+ * Note: toupper('%') = '%'
+@@ -611,11 +675,17 @@
+ f->f_sub_final.bv_val, 0 );
+ #endif /* BACKSQL_TRACE */
+
++ fvalue = &f->f_sub_final;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
+ start = bsi->bsi_flt_where.bb_val.bv_len;
+ backsql_strfcat_x( &bsi->bsi_flt_where,
+ bsi->bsi_op->o_tmpmemctx,
+ "b",
+- &f->f_sub_final );
++ fvalue );
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+ ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
+ }
+@@ -1183,6 +1253,8 @@
+ struct berval *filter_value = NULL;
+ MatchingRule *matching_rule = NULL;
+ struct berval ordering = BER_BVC("<=");
++ struct berval escval;
++ int escaped = 0;
+
+ Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n",
+ at->bam_ad->ad_cname.bv_val, 0, 0 );
+@@ -1237,6 +1309,10 @@
+ casefold = 1;
+ }
+
++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++ if ( escaped )
++ filter_value = &escval;
++
+ /* FIXME: directoryString filtering should use a similar
+ * approach to deal with non-prettified values like
+ * " A non prettified value ", by using a LIKE
+@@ -1317,6 +1393,10 @@
+ casefold = 1;
+ }
+
++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++ if ( escaped )
++ filter_value = &escval;
++
+ /*
+ * FIXME: should we uppercase the operands?
+ */
+@@ -1350,7 +1430,7 @@
+ &at->bam_sel_expr,
+ &ordering,
+ '\'',
+- &f->f_av_value,
++ filter_value,
+ (ber_len_t)STRLENOF( /* (' */ "')" ),
+ /* ( */ "')" );
+ }
+@@ -1374,13 +1454,17 @@
+ case LDAP_FILTER_APPROX:
+ /* we do our best */
+
++ filter_value = &f->f_av_value;
++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++ if ( escaped )
++ filter_value = &escval;
+ /*
+ * maybe we should check type of at->sel_expr here somehow,
+ * to know whether upper_func is applicable, but for now
+ * upper_func stuff is made for Oracle, where UPPER is
+ * safely applicable to NUMBER etc.
+ */
+- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value );
++ (void)backsql_process_filter_like( bsi, at, 1, filter_value );
+ break;
+
+ default:
+@@ -1394,6 +1478,9 @@
+
+ }
+
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
++
+ Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n",
+ at->bam_ad->ad_cname.bv_val, 0, 0 );
+
diff --git a/debian/patches/ITS6035-olcauthzregex-needs-restart.patch b/debian/patches/ITS6035-olcauthzregex-needs-restart.patch
new file mode 100644
index 0000000..acd3c6f
--- /dev/null
+++ b/debian/patches/ITS6035-olcauthzregex-needs-restart.patch
@@ -0,0 +1,13 @@
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -409,6 +409,10 @@
+ and replacement patterns. The matching patterns are checked in the order they
+ appear in the attribute, stopping at the first successful match.
+
++Note that changes to
++.B olcAuthzRegexp
++take effect the next time the server is started, not immediately upon
++changing the configuration.
+ .\".B Caution:
+ .\"Because the plus sign + is a character recognized by the regular expression engine,
+ .\"and it will appear in names that include a REALM, be careful to escape the
diff --git a/debian/patches/add-tlscacert-option-to-ldap-conf b/debian/patches/add-tlscacert-option-to-ldap-conf
new file mode 100644
index 0000000..e8e731a
--- /dev/null
+++ b/debian/patches/add-tlscacert-option-to-ldap-conf
@@ -0,0 +1,10 @@
+--- a/libraries/libldap/ldap.conf
++++ b/libraries/libldap/ldap.conf
+@@ -11,3 +11,7 @@
+ #SIZELIMIT 12
+ #TIMELIMIT 15
+ #DEREF never
++
++# TLS certificates (needed for GnuTLS)
++TLS_CACERT /etc/ssl/certs/ca-certificates.crt
++
diff --git a/debian/patches/contrib-makefiles b/debian/patches/contrib-makefiles
new file mode 100644
index 0000000..07256ba
--- /dev/null
+++ b/debian/patches/contrib-makefiles
@@ -0,0 +1,159 @@
+--- a/contrib/slapd-modules/passwd/Makefile
++++ b/contrib/slapd-modules/passwd/Makefile
+@@ -13,7 +13,7 @@
+ INCS = $(LDAP_INC)
+ LIBS = $(LDAP_LIB)
+
+-PROGRAMS = pw-kerberos.la pw-netscape.la pw-radius.la pw-apr1.la
++PROGRAMS = pw-netscape.la pw-apr1.la
+ LTVER = 0:0:0
+
+ prefix=/usr/local
+@@ -27,24 +27,24 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ pw-kerberos.la: kerberos.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? -lkrb5
+
+ pw-netscape.la: netscape.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $?
+
+ pw-radius.la: radius.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? -lradius
+
+ pw-apr1.la: apr1.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $?
+
+ clean:
+--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile
++++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile
+@@ -12,7 +12,7 @@
+ #DEFS = -DSLAPD_PBKDF2_DEBUG
+
+ INCS = $(LDAP_INC)
+-LIBS = $(LDAP_LIB) -lcrypto
++LIBS = $(LDAP_LIB) -lnettle
+
+ PROGRAMS = pw-pbkdf2.la
+ LTVER = 0:0:0
+@@ -30,12 +30,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ pw-pbkdf2.la: pw-pbkdf2.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
+--- a/contrib/slapd-modules/smbk5pwd/Makefile
++++ b/contrib/slapd-modules/smbk5pwd/Makefile
+@@ -19,10 +19,10 @@
+ $(LDAP_BUILD)/libraries/liblber/liblber.la
+
+ SSL_INC =
+-SSL_LIB = -lcrypto
++SSL_LIB = -lnettle
+
+-HEIMDAL_INC = -I/usr/heimdal/include
+-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
++HEIMDAL_INC = $(shell krb5-config.heimdal --cflags kadm-server)
++HEIMDAL_LIB = $(shell krb5-config.heimdal --libs kadm-server)
+
+ LIBTOOL = $(LDAP_BUILD)/libtool
+ CC = gcc
+@@ -30,7 +30,8 @@
+ # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
+ DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW
+ INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
+-LIBS = $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
++# put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, #745356
++LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)
+
+ PROGRAMS = smbk5pwd.la
+ LTVER = 0:0:0
+@@ -46,12 +47,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ smbk5pwd.la: smbk5pwd.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
+--- a/contrib/slapd-modules/autogroup/Makefile
++++ b/contrib/slapd-modules/autogroup/Makefile
+@@ -27,12 +27,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ autogroup.la: autogroup.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
+--- a/contrib/slapd-modules/lastbind/Makefile
++++ b/contrib/slapd-modules/lastbind/Makefile
+@@ -37,12 +37,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ lastbind.la: lastbind.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
+--- a/contrib/slapd-modules/passwd/sha2/Makefile
++++ b/contrib/slapd-modules/passwd/sha2/Makefile
+@@ -28,12 +28,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ pw-sha2.la: slapd-sha2.lo sha2.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
diff --git a/debian/patches/do-not-second-guess-sonames b/debian/patches/do-not-second-guess-sonames
new file mode 100644
index 0000000..bbf099c
--- /dev/null
+++ b/debian/patches/do-not-second-guess-sonames
@@ -0,0 +1,68 @@
+Rip out code that second-guesses the libsasl soname / Debian shlibs. If
+cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
+there, not kludged around upstream here!
+
+Debian bug #546885
+
+Upstream ITS #6302 filed.
+
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -74,28 +74,6 @@
+ */
+ int ldap_int_sasl_init( void )
+ {
+-#ifdef HAVE_SASL_VERSION
+- /* stringify the version number, sasl.h doesn't do it for us */
+-#define VSTR0(maj, min, pat) #maj "." #min "." #pat
+-#define VSTR(maj, min, pat) VSTR0(maj, min, pat)
+-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
+- SASL_VERSION_STEP)
+- { int rc;
+- sasl_version( NULL, &rc );
+- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
+- (rc & 0xffff) < SASL_VERSION_STEP) {
+- char version[sizeof("xxx.xxx.xxxxx")];
+- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
+- rc & 0xffff );
+-
+- Debug( LDAP_DEBUG_ANY,
+- "ldap_int_sasl_init: SASL library version mismatch:"
+- " expected " SASL_VERSION_STRING ","
+- " got %s\n", version, 0, 0 );
+- return -1;
+- }
+- }
+-#endif
+
+ /* SASL 2 takes care of its own memory completely internally */
+ #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC)
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1145,26 +1145,6 @@ int slap_sasl_init( void )
+ #endif
+
+ #ifdef HAVE_CYRUS_SASL
+-#ifdef HAVE_SASL_VERSION
+- /* stringify the version number, sasl.h doesn't do it for us */
+-#define VSTR0(maj, min, pat) #maj "." #min "." #pat
+-#define VSTR(maj, min, pat) VSTR0(maj, min, pat)
+-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
+- SASL_VERSION_STEP)
+-
+- sasl_version( NULL, &rc );
+- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
+- (rc & 0xffff) < SASL_VERSION_STEP)
+- {
+- char version[sizeof("xxx.xxx.xxxxx")];
+- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
+- rc & 0xffff );
+- Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:"
+- " expected %s, got %s\n",
+- SASL_VERSION_STRING, version, 0 );
+- return -1;
+- }
+-#endif
+
+ sasl_set_mutex(
+ ldap_pvt_sasl_mutex_new,
diff --git a/debian/patches/evolution-ntlm b/debian/patches/evolution-ntlm
new file mode 100644
index 0000000..cd9bc26
--- /dev/null
+++ b/debian/patches/evolution-ntlm
@@ -0,0 +1,222 @@
+Patch from evolution-exchange (2.10.3). The ldap_ntlm_bind function is
+actually called by evolution-data-server, checked at version 1.12.2.
+Without this patch, the Exchange addressbook integration uses simple binds
+with cleartext passwords.
+
+Russ checked with openldap-software for upstream's opinion on this patch
+on 2007-12-21. Upstream had never received it as a patch submission and
+given that it's apparently only for older Exchange servers that can't do
+SASL and DIGEST-MD5, it's not very appealing.
+
+Bug#457374 filed against evolution-data-server asking if this support is
+still required on 2007-12-21.
+
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -2517,5 +2517,25 @@ ldap_parse_deref_control LDAP_P((
+ LDAPControl **ctrls,
+ LDAPDerefRes **drp ));
+
++/*
++ * hacks for NTLM
++ */
++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU)
++#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU)
++LDAP_F( int )
++ldap_ntlm_bind LDAP_P((
++ LDAP *ld,
++ LDAP_CONST char *dn,
++ ber_tag_t tag,
++ struct berval *cred,
++ LDAPControl **sctrls,
++ LDAPControl **cctrls,
++ int *msgidp ));
++LDAP_F( int )
++ldap_parse_ntlm_bind_result LDAP_P((
++ LDAP *ld,
++ LDAPMessage *res,
++ struct berval *challenge));
++
+ LDAP_END_DECL
+ #endif /* _LDAP_H */
+--- /dev/null
++++ b/libraries/libldap/ntlm.c
+@@ -0,0 +1,138 @@
++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */
++/*
++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
++ */
++
++/* Mostly copied from sasl.c */
++
++#include "portable.h"
++
++#include <stdlib.h>
++#include <stdio.h>
++
++#include <ac/socket.h>
++#include <ac/string.h>
++#include <ac/time.h>
++#include <ac/errno.h>
++
++#include "ldap-int.h"
++
++int
++ldap_ntlm_bind(
++ LDAP *ld,
++ LDAP_CONST char *dn,
++ ber_tag_t tag,
++ struct berval *cred,
++ LDAPControl **sctrls,
++ LDAPControl **cctrls,
++ int *msgidp )
++{
++ BerElement *ber;
++ int rc;
++ ber_int_t id;
++
++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 );
++
++ assert( ld != NULL );
++ assert( LDAP_VALID( ld ) );
++ assert( msgidp != NULL );
++
++ if( msgidp == NULL ) {
++ ld->ld_errno = LDAP_PARAM_ERROR;
++ return ld->ld_errno;
++ }
++
++ /* create a message to send */
++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) {
++ ld->ld_errno = LDAP_NO_MEMORY;
++ return ld->ld_errno;
++ }
++
++ assert( LBER_VALID( ber ) );
++
++ LDAP_NEXT_MSGID( ld, id );
++ rc = ber_printf( ber, "{it{istON}" /*}*/,
++ id, LDAP_REQ_BIND,
++ ld->ld_version, dn, tag,
++ cred );
++
++ /* Put Server Controls */
++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) {
++ ber_free( ber, 1 );
++ return ld->ld_errno;
++ }
++
++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) {
++ ld->ld_errno = LDAP_ENCODING_ERROR;
++ ber_free( ber, 1 );
++ return ld->ld_errno;
++ }
++
++ /* send the message */
++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id );
++
++ if(*msgidp < 0)
++ return ld->ld_errno;
++
++ return LDAP_SUCCESS;
++}
++
++int
++ldap_parse_ntlm_bind_result(
++ LDAP *ld,
++ LDAPMessage *res,
++ struct berval *challenge)
++{
++ ber_int_t errcode;
++ ber_tag_t tag;
++ BerElement *ber;
++ ber_len_t len;
++
++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 );
++
++ assert( ld != NULL );
++ assert( LDAP_VALID( ld ) );
++ assert( res != NULL );
++
++ if ( ld == NULL || res == NULL ) {
++ return LDAP_PARAM_ERROR;
++ }
++
++ if( res->lm_msgtype != LDAP_RES_BIND ) {
++ ld->ld_errno = LDAP_PARAM_ERROR;
++ return ld->ld_errno;
++ }
++
++ if ( ld->ld_error ) {
++ LDAP_FREE( ld->ld_error );
++ ld->ld_error = NULL;
++ }
++ if ( ld->ld_matched ) {
++ LDAP_FREE( ld->ld_matched );
++ ld->ld_matched = NULL;
++ }
++
++ /* parse results */
++
++ ber = ber_dup( res->lm_ber );
++
++ if( ber == NULL ) {
++ ld->ld_errno = LDAP_NO_MEMORY;
++ return ld->ld_errno;
++ }
++
++ tag = ber_scanf( ber, "{ioa" /*}*/,
++ &errcode, challenge, &ld->ld_error );
++ ber_free( ber, 0 );
++
++ if( tag == LBER_ERROR ) {
++ ld->ld_errno = LDAP_DECODING_ERROR;
++ return ld->ld_errno;
++ }
++
++ ld->ld_errno = errcode;
++
++ return( ld->ld_errno );
++}
++
+--- a/libraries/libldap/Makefile.in
++++ b/libraries/libldap/Makefile.in
+@@ -27,7 +27,7 @@ SRCS = bind.c open.c result.c error.c co
+ init.c options.c print.c string.c util-int.c schema.c \
+ charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
+ tls2.c tls_o.c tls_g.c tls_m.c \
+- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
++ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \
+ assertion.c deref.c ldif.c fetch.c
+
+ OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \
+@@ -40,7 +40,7 @@ OBJS = bind.lo open.lo result.lo error.l
+ init.lo options.lo print.lo string.lo util-int.lo schema.lo \
+ charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
+ tls2.lo tls_o.lo tls_g.lo tls_m.lo \
+- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \
+ assertion.lo deref.lo ldif.lo fetch.lo
+
+ LDAP_INCDIR= ../../include
+--- a/libraries/libldap_r/Makefile.in
++++ b/libraries/libldap_r/Makefile.in
+@@ -29,7 +29,7 @@ XXSRCS = apitest.c test.c \
+ init.c options.c print.c string.c util-int.c schema.c \
+ charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
+ tls2.c tls_o.c tls_g.c tls_m.c \
+- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
++ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \
+ assertion.c deref.c ldif.c fetch.c
+ SRCS = threads.c rdwr.c rmutex.c tpool.c rq.c \
+ thr_posix.c thr_cthreads.c thr_thr.c thr_nt.c \
+@@ -47,7 +47,7 @@ OBJS = threads.lo rdwr.lo rmutex.lo tpoo
+ init.lo options.lo print.lo string.lo util-int.lo schema.lo \
+ charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
+ tls2.lo tls_o.lo tls_g.lo tls_m.lo \
+- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \
+ assertion.lo deref.lo ldif.lo fetch.lo
+
+ LDAP_INCDIR= ../../include
diff --git a/debian/patches/fix-build-top-mk b/debian/patches/fix-build-top-mk
new file mode 100644
index 0000000..418fe35
--- /dev/null
+++ b/debian/patches/fix-build-top-mk
@@ -0,0 +1,11 @@
+--- a/build/top.mk
++++ b/build/top.mk
+@@ -20,7 +20,7 @@
+ RELEASEDATE= @OPENLDAP_RELEASE_DATE@
+
+ @SET_MAKE@
+-SHELL = /bin/sh
++SHELL = @SHELL@
+
+ top_builddir = @top_builddir@
+
diff --git a/debian/patches/getaddrinfo-is-threadsafe b/debian/patches/getaddrinfo-is-threadsafe
new file mode 100644
index 0000000..ab6e2b7
--- /dev/null
+++ b/debian/patches/getaddrinfo-is-threadsafe
@@ -0,0 +1,43 @@
+Author: Steve Langasek <vorlon@debian.org>
+
+OpenLDAP upstream conservatively assumes that certain resolver functions
+(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
+know that the glibc implementations of these functions are thread-safe, so
+we should bypass the use of this mutex. This fixes a locking problem when
+an application uses libldap and libnss-ldap is also used for hosts
+resolution.
+
+Closes Debian bug #340601.
+
+Not suitable for forwarding upstream; might be made suitable by adding a
+configure-time check for glibc and disabling the mutex only on known
+thread-safe implementations.
+
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -602,13 +602,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *
+ hints.ai_socktype = socktype;
+ snprintf(serv, sizeof serv, "%d", port );
+
+- /* most getaddrinfo(3) use non-threadsafe resolver libraries */
+- LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
+-
+ err = getaddrinfo( host, serv, &hints, &res );
+-
+- LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
+-
+ if ( err != 0 ) {
+ osip_debug(ld, "ldap_connect_to_host: getaddrinfo failed: %s\n",
+ AC_GAI_STRERROR(err), 0, 0);
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -431,9 +431,7 @@ int ldap_pvt_get_hname(
+ int rc;
+ #if defined( HAVE_GETNAMEINFO )
+
+- LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex );
+ rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 );
+- LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex );
+ if ( rc ) *err = (char *)AC_GAI_STRERROR( rc );
+ return rc;
+
diff --git a/debian/patches/index-files-created-as-root b/debian/patches/index-files-created-as-root
new file mode 100644
index 0000000..47fc88a
--- /dev/null
+++ b/debian/patches/index-files-created-as-root
@@ -0,0 +1,37 @@
+Document in the man page that slapindex should be run as the same user
+as slapd, and print a warning if it's run as root (since Debian defaults
+to running slapd as openldap).
+
+Not suitable for upstream in this form. This patch needs to be reworked
+to check the BerkeleyDB database ownership and only warn if running as
+root with a database that's not owned by root.
+
+Upstream ITS #5356 filed requesting better handling of this. Current
+upstream discussion leans towards putting the check into the database
+backend and aborting if slapd is run as a different user than the database
+owner, which is an even better fix.
+
+--- a/doc/man/man8/slapindex.8
++++ b/doc/man/man8/slapindex.8
+@@ -148,6 +148,10 @@
+ should not be running (at least, not in read-write
+ mode) when you do this to ensure consistency of the database.
+ .LP
++slapindex ought to be run as the user specified for
++.BR slapd (8)
++to ensure correct database permissions.
++.LP
+ This command provides ample opportunity for the user to obtain
+ and drink their favorite beverage.
+ .SH EXAMPLES
+--- a/servers/slapd/slapindex.c
++++ b/servers/slapd/slapindex.c
+@@ -34,6 +34,8 @@
+ int
+ slapindex( int argc, char **argv )
+ {
++ if (geteuid() == 0)
++ fprintf( stderr, "\nWARNING!\nRunnig as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n");
+ ID id;
+ int rc = EXIT_SUCCESS;
+ const char *progname = "slapindex";
diff --git a/debian/patches/lastbind-makefile-manpage b/debian/patches/lastbind-makefile-manpage
new file mode 100644
index 0000000..66e5a79
--- /dev/null
+++ b/debian/patches/lastbind-makefile-manpage
@@ -0,0 +1,46 @@
+--- a/contrib/slapd-modules/lastbind/Makefile
++++ b/contrib/slapd-modules/lastbind/Makefile
+@@ -17,6 +17,7 @@
+ $(LDAP_BUILD)/libraries/liblber/liblber.la
+
+ LIBTOOL = $(LDAP_BUILD)/libtool
++INSTALL = /usr/bin/install
+ CC = gcc
+ OPT = -g -O2 -Wall
+ DEFS = -DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC
+@@ -25,6 +26,7 @@
+
+ PROGRAMS = lastbind.la
+ LTVER = 0:0:0
++MANPAGES = slapo-lastbind.5
+
+ prefix=/usr/local
+ exec_prefix=$(prefix)
+@@ -33,6 +35,8 @@
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+ moduledir = $(libexecdir)$(ldap_subdir)
++mandir = $(exec_prefix)/share/man
++man5dir = $(mandir)/man5
+
+ .SUFFIXES: .c .o .lo
+
+@@ -48,9 +52,17 @@
+ clean:
+ rm -rf *.o *.lo *.la .libs
+
+-install: $(PROGRAMS)
++install: install-lib install-man FORCE
++
++install-lib: $(PROGRAMS)
+ mkdir -p $(DESTDIR)$(moduledir)
+ for p in $(PROGRAMS) ; do \
+ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
+ done
+
++install-man: $(MANPAGES)
++ mkdir -p $(DESTDIR)$(man5dir)
++ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
++
++FORCE:
++
diff --git a/debian/patches/ldap-conf-tls-cacertdir b/debian/patches/ldap-conf-tls-cacertdir
new file mode 100644
index 0000000..e8aab91
--- /dev/null
+++ b/debian/patches/ldap-conf-tls-cacertdir
@@ -0,0 +1,29 @@
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -317,7 +317,7 @@ certificates in separate individual file
+ .B TLS_CACERT
+ is always used before
+ .B TLS_CACERTDIR.
+-This parameter is ignored with GnuTLS.
++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS.
+
+ When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+ database. If <path> contains a Mozilla NSS cert/key database and
+@@ -428,7 +428,7 @@ This parameter is ignored with GnuTLS.
+ Specifies the file to obtain random bits from when /dev/[u]random is
+ not available. Generally set to the name of the EGD/PRNGD socket.
+ The environment variable RANDFILE can also be used to specify the filename.
+-This parameter is ignored with GnuTLS and Mozilla NSS.
++This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS.
+ .TP
+ .B TLS_REQCERT <level>
+ Specifies what checks to perform on server certificates in a TLS session,
+@@ -461,7 +461,7 @@ Specifies if the Certificate Revocation
+ used to verify if the server certificates have not been revoked. This
+ requires
+ .B TLS_CACERTDIR
+-parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
++parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS.
+ .B <level>
+ can be specified as one of the following keywords:
+ .RS
diff --git a/debian/patches/ldapi-socket-place b/debian/patches/ldapi-socket-place
new file mode 100644
index 0000000..a482bbf
--- /dev/null
+++ b/debian/patches/ldapi-socket-place
@@ -0,0 +1,16 @@
+Move the ldapi socket to /var/run/slapd from /var/run, since /var/run
+is only writable by root and slapd runs as openldap.
+
+Debian-specific.
+
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -39,7 +39,7 @@
+ #define LDAP_ENV_PREFIX "LDAP"
+
+ /* default ldapi:// socket */
+-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi"
+
+ /*
+ * SLAPD DEFINITIONS
diff --git a/debian/patches/libldap-symbol-versions b/debian/patches/libldap-symbol-versions
new file mode 100644
index 0000000..fb28f49
--- /dev/null
+++ b/debian/patches/libldap-symbol-versions
@@ -0,0 +1,161 @@
+Add symbol versioning to the public LDAP libraries. This is required for
+library transitions, such as the current transition from 2.1 to 2.4,
+since programs will sometimes have both libraries loaded by different
+dependency chains during the transition.
+
+Not yet contributed upstream.
+
+Upstream ITS #5365 filed requesting symbol versioning for libldap and
+libber.
+
+--- a/libraries/libldap_r/Makefile.in
++++ b/libraries/libldap_r/Makefile.in
+@@ -61,6 +61,9 @@ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
+ XXXLIBS = $(LTHREAD_LIBS)
+ NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
+ UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
++ifneq (,$(VERSION_OPTION))
++ VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"
++endif
+
+ .links : Makefile
+ @for i in $(XXSRCS); do \
+--- a/build/top.mk
++++ b/build/top.mk
+@@ -104,6 +104,9 @@ LTFLAGS_MOD = $(@PLAT@_LTFLAGS_MOD)
+ # LINK_LIBS referenced in library and module link commands.
+ LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
+
++# option to pass to $(CC) to support library symbol versioning, if any
++VERSION_OPTION = @VERSION_OPTION@
++
+ LTSTATIC = @LTSTATIC@
+
+ LTLINK = $(LIBTOOL) --mode=link \
+@@ -113,7 +116,7 @@ LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB)
+ $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
+
+ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
+- $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
++ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS)
+
+ LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
+ $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
+--- a/build/openldap.m4
++++ b/build/openldap.m4
+@@ -1136,3 +1136,54 @@ AC_DEFUN([OL_SSL_COMPAT],
+ #endif
+ ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
+ ])
++
++dnl ====================================================================
++dnl check for symbol versioning support
++AC_DEFUN([OL_SYMBOL_VERSIONING],
++[AC_CACHE_CHECK([for .symver assembler directive],
++ [ol_cv_asm_symver_directive],[
++cat > conftest.s <<EOF
++${libc_cv_dot_text}
++_sym:
++.symver _sym,sym@VERS
++EOF
++if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
++ ol_cv_asm_symver_directive=yes
++else
++ ol_cv_asm_symver_directive=no
++fi
++rm -f conftest*])
++AC_CACHE_CHECK([for ld --version-script],
++ [ol_cv_ld_version_script_option],[
++if test $ol_cv_asm_symver_directive = yes; then
++ cat > conftest.s <<EOF
++${libc_cv_dot_text}
++_sym:
++.symver _sym,sym@VERS
++EOF
++ cat > conftest.map <<EOF
++VERS_1 {
++ global: sym;
++};
++
++VERS_2 {
++ global: sym;
++} VERS_1;
++EOF
++ if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
++ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
++ -o conftest.so conftest.o
++ -Wl,--version-script,conftest.map
++ 1>&AS_MESSAGE_LOG_FD]);
++ then
++ ol_cv_ld_version_script_option=yes
++ else
++ ol_cv_ld_version_script_option=no
++ fi
++ else
++ ol_cv_ld_version_script_option=no
++ fi
++else
++ ol_cv_ld_version_script_option=no
++fi
++rm -f conftest*])])
+--- a/configure.in
++++ b/configure.in
+@@ -1909,6 +1909,13 @@ else
+ fi
+ AC_SUBST(LTSTATIC)dnl
+
++VERSION_OPTION=""
++OL_SYMBOL_VERSIONING
++if test $ol_cv_ld_version_script_option = yes ; then
++ VERSION_OPTION="-Wl,--version-script="
++fi
++AC_SUBST(VERSION_OPTION)
++
+ dnl ----------------------------------------------------------------
+ if test $ol_enable_wrappers != no ; then
+ AC_CHECK_HEADERS(tcpd.h,[
+--- /dev/null
++++ b/libraries/libldap/libldap.map
+@@ -0,0 +1,7 @@
++OPENLDAP_2.4_2 {
++ global:
++ ldap_*;
++ ldif_*;
++ local:
++ *;
++};
+--- a/libraries/libldap/Makefile.in
++++ b/libraries/libldap/Makefile.in
+@@ -52,6 +52,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(
+ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
+ NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
+ UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
++ifneq (,$(VERSION_OPTION))
++ VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map
++endif
+
+ apitest: $(XLIBS) apitest.o
+ $(LTLINK) -o $@ apitest.o $(LIBS)
+--- a/libraries/liblber/Makefile.in
++++ b/libraries/liblber/Makefile.in
+@@ -38,6 +38,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A)
+ XXLIBS =
+ NT_LINK_LIBS = $(AC_LIBS)
+ UNIX_LINK_LIBS = $(AC_LIBS)
++ifneq (,$(VERSION_OPTION))
++ VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map"
++endif
+
+ dtest: $(XLIBS) dtest.o
+ $(LTLINK) -o $@ dtest.o $(LIBS)
+--- /dev/null
++++ b/libraries/liblber/liblber.map
+@@ -0,0 +1,8 @@
++OPENLDAP_2.4_2 {
++ global:
++ ber_*;
++ der_alloc;
++ lutil_*;
++ local:
++ *;
++};
diff --git a/debian/patches/man-slapd b/debian/patches/man-slapd
new file mode 100644
index 0000000..5f55137
--- /dev/null
+++ b/debian/patches/man-slapd
@@ -0,0 +1,60 @@
+Patch the slapd man page to not refer to a header file that isn't
+installed with the slapd package and to reference the correct path
+for slapd.
+
+Debian-specific.
+
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd
++.B /usr/sbin/slapd
+ [\c
+ .BR \-4 | \-6 ]
+ [\c
+@@ -103,11 +103,10 @@
+ will not fork or disassociate from the invoking terminal. Some general
+ operation and status messages are printed for any value of \fIdebug-level\fP.
+ \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
+-different kind of debugging information. See <ldap_log.h> for details.
+-Comma-separated arrays of friendly names can be specified to select
+-debugging output of the corresponding debugging information.
+-All the names recognized by the \fIloglevel\fP directive
+-described in \fBslapd.conf\fP(5) are supported.
++different kind of debugging information. Comma-separated arrays of friendly
++names can be specified to select debugging output of the corresponding
++debugging information. All the names recognized by the \fIloglevel\fP
++directive described in \fBslapd.conf\fP(5) are supported.
+ If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
+ and slapd exits.
+
+@@ -317,7 +316,7 @@
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd
++ /usr/sbin/slapd
+ .ft
+ .fi
+ .LP
+@@ -328,7 +327,7 @@
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++ /usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255
+ .ft
+ .fi
+ .LP
+@@ -336,7 +335,7 @@
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd \-Tt
++ /usr/sbin/slapd \-Tt
+ .ft
+ .fi
+ .LP
diff --git a/debian/patches/no-AM_INIT_AUTOMAKE b/debian/patches/no-AM_INIT_AUTOMAKE
new file mode 100644
index 0000000..0976036
--- /dev/null
+++ b/debian/patches/no-AM_INIT_AUTOMAKE
@@ -0,0 +1,25 @@
+Description: don't use AM_INIT_AUTOMAKE macro when we aren't using automake
+ Calling AM_INIT_AUTOMAKE() in configure.in serves no purpose if we're not
+ using automake, and it confuses autoreconf. Use AC_INIT() instead.
+Author: Steve Langasek <vorlon@debian.org>
+
+--- a/configure.in
++++ b/configure.in
+@@ -26,7 +26,8 @@ dnl Configure.in for OpenLDAP
+ AC_COPYRIGHT([[Copyright 1998-2018 The OpenLDAP Foundation. All rights reserved.
+ Restrictions apply, see COPYRIGHT and LICENSE files.]])
+ AC_REVISION([$Id: 2a4d29f78fa5f6b25f2c5cecac2126fcc3bd8623 $])
+-AC_INIT([OpenLDAP],,[http://www.openldap.org/its/])
++AC_INIT([OpenLDAP],[$OL_VERSION],[http://www.openldap.org/its/])
++AC_PROG_MAKE_SET
+ m4_define([AC_PACKAGE_BUGREPORT],[<http://www.openldap.org/its/>])
+ AC_CONFIG_SRCDIR(build/version.sh)dnl
+ dnl ----------------------------------------------------------------
+@@ -69,7 +70,6 @@ dnl Determine host platform
+ dnl we try not to use this for much
+ AC_CANONICAL_TARGET([])
+
+-AM_INIT_AUTOMAKE([$OL_PACKAGE],[$OL_VERSION], [no defines])dnl
+ AC_SUBST(PACKAGE)dnl
+ AC_SUBST(VERSION)dnl
+ AC_DEFINE_UNQUOTED(OPENLDAP_PACKAGE,"$PACKAGE",Package)
diff --git a/debian/patches/no-bdb-ABI-second-guessing b/debian/patches/no-bdb-ABI-second-guessing
new file mode 100644
index 0000000..db76aa7
--- /dev/null
+++ b/debian/patches/no-bdb-ABI-second-guessing
@@ -0,0 +1,42 @@
+Author: Steve Langasek <vorlon@debian.org>
+Description: don't second-guess BDB ABI
+ OpenLDAP upstream conservatively assumes that any change to the version
+ number of libdb can result in an API-breaking change that could impact
+ the database. In Debian, we know that such changes require bumping the
+ library soname and changing the package name, and demand such rigor from
+ our package maintainers even when upstreams don't deliver; so any such
+ check in the source code works against the packaging system by forcing
+ database upgrades when we know none are required. Disable this check
+ so we rely on the packaging system to do its job.
+Bug-Debian: http://bugs.debian.org/651333
+Forwarded: not-needed
+
+--- a/servers/slapd/back-bdb/init.c
++++ b/servers/slapd/back-bdb/init.c
+@@ -762,7 +762,7 @@ bdb_back_initialize(
+ bi->bi_controls = controls;
+
+ { /* version check */
+- int major, minor, patch, ver;
++ int major, minor, patch;
+ char *version = db_version( &major, &minor, &patch );
+ #ifdef HAVE_EBCDIC
+ char v2[1024];
+@@ -776,17 +776,6 @@ bdb_back_initialize(
+ version = v2;
+ #endif
+
+- ver = (major << 24) | (minor << 16) | patch;
+- if( ver != DB_VERSION_FULL ) {
+- /* fail if a versions don't match */
+- Debug( LDAP_DEBUG_ANY,
+- LDAP_XSTRING(bdb_back_initialize) ": "
+- "BDB library version mismatch:"
+- " expected " DB_VERSION_STRING ","
+- " got %s\n", version, 0, 0 );
+- return -1;
+- }
+-
+ Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_back_initialize)
+ ": %s\n", version, 0, 0 );
+ }
diff --git a/debian/patches/no-gnutls_global_set_mutex b/debian/patches/no-gnutls_global_set_mutex
new file mode 100644
index 0000000..c81f926
--- /dev/null
+++ b/debian/patches/no-gnutls_global_set_mutex
@@ -0,0 +1,77 @@
+Description: Do not call gnutls_global_set_mutex()
+ Since GnuTLS moved to implicit initialization on library load, calling
+ this function deinitializes GnuTLS and then re-initializes it.
+ .
+ When GnuTLS uses /dev/urandom as an entropy source (getrandom() not
+ available, or older versions of GnuTLS), and the application closed all
+ file descriptors at startup, this could result in GnuTLS opening
+ /dev/urandom over one of the application's file descriptors when
+ re-initialized.
+ .
+ Additionally, the custom mutex functions are never reset, so if libldap
+ is unloaded (for example via dlclose()) after calling this, its code
+ may be unmapped and the application could crash when GnuTLS calls the
+ mutex functions.
+ .
+ The default behaviour of GnuTLS, using pthreads, should be suitable on
+ all Debian systems, and is probably the same as what libldap uses
+ anyway.
+Author: Ryan Tandy <ryan@nardis.ca>
+Bug-Debian: https://bugs.debian.org/803197
+Forwarded: no
+
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -67,51 +67,10 @@
+
+ #ifdef LDAP_R_COMPILE
+
+-static int
+-tlsg_mutex_init( void **priv )
+-{
+- int err = 0;
+- ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t ));
+-
+- if ( !lock )
+- err = ENOMEM;
+- if ( !err ) {
+- err = ldap_pvt_thread_mutex_init( lock );
+- if ( err )
+- LDAP_FREE( lock );
+- else
+- *priv = lock;
+- }
+- return err;
+-}
+-
+-static int
+-tlsg_mutex_destroy( void **lock )
+-{
+- int err = ldap_pvt_thread_mutex_destroy( *lock );
+- LDAP_FREE( *lock );
+- return err;
+-}
+-
+-static int
+-tlsg_mutex_lock( void **lock )
+-{
+- return ldap_pvt_thread_mutex_lock( *lock );
+-}
+-
+-static int
+-tlsg_mutex_unlock( void **lock )
+-{
+- return ldap_pvt_thread_mutex_unlock( *lock );
+-}
+-
+ static void
+ tlsg_thr_init( void )
+ {
+- gnutls_global_set_mutex (tlsg_mutex_init,
+- tlsg_mutex_destroy,
+- tlsg_mutex_lock,
+- tlsg_mutex_unlock);
++ /* do nothing */
+ }
+ #endif /* LDAP_R_COMPILE */
+
diff --git a/debian/patches/sasl-default-path b/debian/patches/sasl-default-path
new file mode 100644
index 0000000..6d5c7b0
--- /dev/null
+++ b/debian/patches/sasl-default-path
@@ -0,0 +1,55 @@
+Add /etc/ldap/sasl2 to the SASL configuration search path.
+
+Not submitted upstream. Somewhat Debian-specific and probably not of
+interest upstream.
+
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -63,4 +63,6 @@
+ /* dn of the default "monitor" subentry */
+ #define SLAPD_MONITOR_DN "cn=Monitor"
+
++#define SASL_CONFIGPATH LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2"
++
+ #endif /* _LDAP_CONFIG_H */
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1103,12 +1103,38 @@ static const rewrite_mapper slapd_mapper
+ };
+ #endif
+
++static int
++slap_sasl_getconfpath( void * context, char ** path )
++{
++ char * sasl_default_configpath;
++ size_t len;
++
++#if SASL_VERSION_MAJOR >= 2
++ sasl_default_configpath = "/usr/lib/sasl2";
++#else
++ sasl_default_configpath = "/usr/lib/sasl";
++#endif
++
++ len = strlen(SASL_CONFIGPATH) + 1 /* colon */ +
++ strlen(sasl_default_configpath) + 1 /* \0 */;
++ *path = malloc( len );
++ if ( *path == NULL )
++ return SASL_FAIL;
++
++ if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH,
++ sasl_default_configpath ) != len-1 )
++ return SASL_FAIL;
++
++ return SASL_OK;
++}
++
+ int slap_sasl_init( void )
+ {
+ #ifdef HAVE_CYRUS_SASL
+ int rc;
+ static sasl_callback_t server_callbacks[] = {
+ { SASL_CB_LOG, (slap_sasl_cb_ft)&slap_sasl_log, NULL },
++ { SASL_CB_GETCONFPATH, (slap_sasl_cb_ft)&slap_sasl_getconfpath, NULL },
+ { SASL_CB_GETOPT, (slap_sasl_cb_ft)&slap_sasl_getopt, NULL },
+ { SASL_CB_LIST_END, NULL, NULL }
+ };
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..85497de
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,48 @@
+man-slapd
+evolution-ntlm
+slapi-errorlog-file
+ldapi-socket-place
+wrong-database-location
+index-files-created-as-root
+sasl-default-path
+libldap-symbol-versions
+getaddrinfo-is-threadsafe
+do-not-second-guess-sonames
+contrib-makefiles
+smbk5pwd-makefile-manpage
+lastbind-makefile-manpage
+ldap-conf-tls-cacertdir
+add-tlscacert-option-to-ldap-conf
+fix-build-top-mk
+no-AM_INIT_AUTOMAKE
+switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
+no-bdb-ABI-second-guessing
+ITS6035-olcauthzregex-needs-restart.patch
+set-maintainer-name
+no-gnutls_global_set_mutex
+ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
+ITS-9038-Update-test028-to-test-this-is-enforced.patch
+ITS-9038-Fix-typo-in-test-script.patch
+ITS-9038-Another-test028-typo.patch
+ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
+ITS-8964-Do-not-free-original-filter.patch
+ITS-9202-limit-depth-of-nested-filters.patch
+ITS-9370-check-for-equality-rule-on-old_rdn.patch
+ITS-9383-remove-assert-in-certificateListValidate.patch
+ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
+ITS-9404-fix-serialNumberAndIssuerCheck.patch
+ITS-9406-9407-remove-saslauthz-asserts.patch
+ITS-9406-fix-debug-msg.patch
+ITS-9408-fix-vrfilter-double-free.patch
+ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch
+ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
+ITS-9411-fix-thisUpdate-check.patch
+ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
+ITS-9413-fix-slap_parse_user.patch
+ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
+ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch
+ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
+ITS-9427-fix-issuerAndThisUpdateCheck.patch
+ITS-9428-fix-cancel-exop.patch
+ITS-9454-fix-issuerAndThisUpdateCheck.patch
+ITS-9815-slapd-sql-escape-filter-values.patch
diff --git a/debian/patches/set-maintainer-name b/debian/patches/set-maintainer-name
new file mode 100644
index 0000000..262b7ef
--- /dev/null
+++ b/debian/patches/set-maintainer-name
@@ -0,0 +1,16 @@
+--- a/build/mkversion
++++ b/build/mkversion
+@@ -50,12 +50,7 @@
+ fi
+
+ APPLICATION=$1
+-# Reproducible builds set SOURCE_DATE_EPOCH, want constant strings
+-if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+- WHOWHERE="openldap"
+-else
+- WHOWHERE="$USER@$(uname -n):$(pwd)"
+-fi
++WHOWHERE="Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>"
+
+ cat << __EOF__
+ /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
diff --git a/debian/patches/slapi-errorlog-file b/debian/patches/slapi-errorlog-file
new file mode 100644
index 0000000..4899451
--- /dev/null
+++ b/debian/patches/slapi-errorlog-file
@@ -0,0 +1,16 @@
+The slapi error log file defaults to /var/errors given our setting
+of --localstatedir. Move it to /var/log/slapi-errors instead.
+
+Debian-specific.
+
+--- a/servers/slapd/slapi/slapi_overlay.c
++++ b/servers/slapd/slapi/slapi_overlay.c
+@@ -930,7 +930,7 @@ int slapi_over_config( BackendDB *be, Co
+ ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex );
+
+ if ( slapi_log_file == NULL )
+- slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" );
++ slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" );
+
+ rc = slapi_int_init_object_extensions();
+ if ( rc != 0 )
diff --git a/debian/patches/smbk5pwd-makefile-manpage b/debian/patches/smbk5pwd-makefile-manpage
new file mode 100644
index 0000000..8b09206
--- /dev/null
+++ b/debian/patches/smbk5pwd-makefile-manpage
@@ -0,0 +1,251 @@
+From: Peter Marschall <peter@adpm.de>
+Date: Sun, 26 Jul 2015 15:04:26 +0200
+Subject: [PATCH] contrib/smbk5pwd: add man page, install it too
+
+Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to
+install the new manual page.
+
+This patch is derived from the corresponding patch upstreamed in ITS#8205
+
+---
+ contrib/slapd-modules/smbk5pwd/Makefile | 14 +-
+ contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 | 179 ++++++++++++++++++++++++
+ 2 files changed, 192 insertions(+), 1 deletion(-)
+ create mode 100644 contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5
+
+diff --git a/contrib/slapd-modules/smbk5pwd/Makefile b/contrib/slapd-modules/smbk5pwd/Makefile
+index 676d914..0042a49 100644
+--- a/contrib/slapd-modules/smbk5pwd/Makefile
++++ b/contrib/slapd-modules/smbk5pwd/Makefile
+@@ -25,6 +25,7 @@
+ HEIMDAL_LIB = $(shell krb5-config.heimdal --libs kadm-server)
+
+ LIBTOOL = $(LDAP_BUILD)/libtool
++INSTALL = /usr/bin/install
+ CC = gcc
+ OPT = -g -O2 -Wall
+ # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
+@@ -34,6 +35,7 @@
+ LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)
+
+ PROGRAMS = smbk5pwd.la
++MANPAGES = slapo-smbk5pwd.5
+ LTVER = 0:0:0
+
+ prefix=/usr/local
+@@ -43,6 +45,8 @@
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+ moduledir = $(libexecdir)$(ldap_subdir)
++mandir = $(exec_prefix)/share/man
++man5dir = $(mandir)/man5
+
+ .SUFFIXES: .c .o .lo
+
+@@ -58,9 +62,17 @@
+ clean:
+ rm -rf *.o *.lo *.la .libs
+
+-install: $(PROGRAMS)
++install: install-lib install-man FORCE
++
++install-lib: $(PROGRAMS)
+ mkdir -p $(DESTDIR)$(moduledir)
+ for p in $(PROGRAMS) ; do \
+ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
+ done
+
++install-man: $(MANPAGES)
++ mkdir -p $(DESTDIR)$(man5dir)
++ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
++
++FORCE:
++
+diff --git a/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5
+new file mode 100644
+index 0000000..431a765
+--- /dev/null
++++ b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5
+@@ -0,0 +1,179 @@
++.TH SLAPO-SMBK5PWD 5 "RELEASEDATE" "OpenLDAP LDVERSION"
++.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved.
++.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
++.\" $OpenLDAP$
++.SH NAME
++slapo-smbk5pwd \- Samba & Kerberos password sync overlay to slapd
++.SH SYNOPSIS
++ETCDIR/slapd.conf
++.RS
++.LP
++include
++.B "<path to>/krb5-kdc.schema"
++.LP
++include
++.B "<path to>/samba.schema"
++.LP
++moduleload
++.B smbk5pwd.so
++.LP
++ ...
++.LP
++database mdb
++.LP
++ ...
++.LP
++overlay
++.B smbk5pwd
++.RE
++
++.SH DESCRIPTION
++.LP
++The
++.B smbk5pwd
++overlay to
++.BR slapd (8)
++overloads the Password Modify Extended Operation (RFC 3062) to update
++Kerberos keys and Samba password hashes for an LDAP user, as well as
++updating password change related attributes for Kerberos, Samba and/or
++UNIX user accounts.
++.LP
++The Samba support is written using the Samba 3.0 LDAP schema;
++Kerberos support is written for Heimdal using its hdb-ldap backend.
++.LP
++Additionally, a new
++.B {K5KEY}
++password hash mechanism is provided.
++For
++.B krb5KDCEntry
++objects that have this scheme specifier in their
++.I userPassword
++attribute, Simple Binds will be checked against the Kerberos keys of the entry.
++No data is needed after the
++.B {K5KEY}
++scheme specifier in the
++.IR userPassword ,
++it is looked up from the entry directly.
++
++.SH CONFIGURATION
++The
++.B smbk5pwd
++overlay supports the following
++.B slapd.conf
++configuration options, which should appear after the
++.B overlay
++directive:
++.TP
++.BI smbk5pwd-enable " <module>"
++can be used to enable only the desired modules.
++Legal values for
++.I <module>
++are
++.LP
++.RS
++.TP
++.B krb5
++If the user has the
++.B krb5KDCEntry
++objectclass, update the
++.B krb5Key
++and
++.B krb5KeyVersionNumber
++attributes using the new password in the Password Modify operation,
++provided the Kerberos account is not expired.
++Exiration is determined by evaluating the
++.B krb5ValidEnd
++attribute.
++.TP
++.B samba
++If the user is a
++.B sambaSamAccount
++object, synchronize the
++.B sambaLMPassword
++and
++.B sambaNTPassword
++to the password entered in the Password Modify operation, and update
++.B sambaPwdLastSet
++accordingly.
++.TP
++.B shadow
++Update the attribute
++.BR shadowLastChange ,
++if the entry has the objectclass
++.BR shadowAccount .
++.LP
++By default all modules compiled in are enabled.
++Setting the config statement restricts the enabled modules to the ones
++explicitly mentioned.
++.RE
++.TP
++.BI smbk5pwd-can-change " <seconds>"
++If the
++.B samba
++module is enabled and the user is a
++.BR sambaSamAccount ,
++update the attribute
++.B sambaPwdCanChange
++to point
++.I <seconds>
++into the future, essentially denying any Samba password change until then.
++A value of
++.B 0
++disables this feature.
++.TP
++.BI smbk5pwd-must-change " <seconds>"
++If the
++.B samba
++module is enabled and the user is a
++.BR sambaSamAccount ,
++update the attribute
++.B sambaPwdMustChange
++to point
++.I <seconds>
++into the future, essentially setting the Samba password expiration time.
++A value of
++.B 0
++disables this feature.
++.LP
++Alternatively, the overlay supports table-driven configuration,
++and thus can be run-time loaded and configured via back-config.
++
++.SH EXAMPLE
++The layout of a slapd.d based, table-driven configuration entry looks like:
++.LP
++.EX
++ # {0}smbk5pwd, {1}bdb, config
++ dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
++ objectClass: olcOverlayConfig
++ objectClass: olcSmbK5PwdConfig
++ olcOverlay: {0}smbk5pwd
++ olcSmbK5PwdEnable: krb5
++ olcSmbK5PwdEnable: samba
++ olcSmbK5PwdMustChange: 2592000
++.EE
++.LP
++which enables both
++.B krb5
++and
++.B samba
++modules with a Samba password expiration time of 30 days (=
++.B 2592000
++seconds).
++
++.SH SEE ALSO
++.BR slapd.conf (5),
++.BR ldappasswd (1),
++.BR ldap (3),
++.LP
++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
++.LP
++
++.SH ACKNOWLEDGEMENTS
++This manual page has been writen by Peter Marschall based on the
++module's README file written by Howard Chu.
++.LP
++.B OpenLDAP
++is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
++.B OpenLDAP
++is derived from University of Michigan LDAP 3.3 Release.
++
+--
+2.5.0
+
diff --git a/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
new file mode 100644
index 0000000..f0dd4e1
--- /dev/null
+++ b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
@@ -0,0 +1,40 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL.
+ Open all modules with RTLD_GLOBAL, needed so that back_perl can load
+ non-trivial Perl extensions that require symbols from back_perl.so itself.
+Bug-Debian: http://bugs.debian.org/327585
+
+---
+--- a/servers/slapd/module.c
++++ b/servers/slapd/module.c
+@@ -117,6 +117,20 @@ int module_unload( const char *file_name
+ return -1; /* not found */
+ }
+
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++ lt_dlhandle handle = 0;
++ lt_dladvise advise;
++
++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++ && !lt_dladvise_global (&advise))
++ handle = lt_dlopenadvise (filename, advise);
++
++ lt_dladvise_destroy (&advise);
++
++ return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ module_loaded_t *module;
+@@ -180,7 +194,7 @@ int module_load(const char* file_name, i
+ * to calling Debug. This is because Debug is a macro that expands
+ * into multiple function calls.
+ */
+- if ((module->lib = lt_dlopenext(file)) == NULL) {
++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ strcpy( ebuf, error );
diff --git a/debian/patches/wrong-database-location b/debian/patches/wrong-database-location
new file mode 100644
index 0000000..25d96cb
--- /dev/null
+++ b/debian/patches/wrong-database-location
@@ -0,0 +1,74 @@
+Move the default slapd database location to /var/lib/ldap instead of
+/var/openldap-data.
+
+Debian-specific.
+
+--- a/doc/man/man5/slapd-bdb.5
++++ b/doc/man/man5/slapd-bdb.5
+@@ -131,7 +131,7 @@ Specify the directory where the BDB file
+ associated indexes live.
+ A separate directory must be specified for each database.
+ The default is
+-.BR LOCALSTATEDIR/openldap\-data .
++.BR LOCALSTATEDIR/lib/ldap .
+ .TP
+ .B dirtyread
+ Allow reads of modified but not yet committed data.
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -2007,7 +2007,7 @@ suffix "dc=our\-domain,dc=com"
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-directory LOCALSTATEDIR/openldap\-data
++directory LOCALSTATEDIR/lib/ldap
+ # Indices to maintain
+ index objectClass eq
+ index cn,sn,mail pres,eq,approx,sub
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -47,7 +47,7 @@
+ /* location of the default slapd config file */
+ #define SLAPD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf"
+ #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
+-#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
++#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap"
+ #define SLAPD_DEFAULT_DB_MODE 0600
+ #define SLAPD_DEFAULT_UCDATA LDAP_DATADIR LDAP_DIRSEP "ucdata"
+ /* default max deref depth for aliases */
+--- a/servers/slapd/Makefile.in
++++ b/servers/slapd/Makefile.in
+@@ -445,9 +445,9 @@ install-conf: FORCE
+
+ install-db-config: FORCE
+ @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
+- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
++ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap
+ $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
++ $(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example
+ $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+ $(DESTDIR)$(sysconfdir)/DB_CONFIG.example
+
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -2051,7 +2051,7 @@ olcSuffix: "dc=our\-domain,dc=com"
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-olcDbDirectory: LOCALSTATEDIR/openldap\-data
++olcDbDirectory: LOCALSTATEDIR/lib/ldap
+ # Indices to maintain
+ olcDbIndex: objectClass eq
+ olcDbIndex: cn,sn,mail pres,eq,approx,sub
+--- a/doc/man/man5/slapd-mdb.5
++++ b/doc/man/man5/slapd-mdb.5
+@@ -52,7 +52,7 @@ Specify the directory where the LMDB fil
+ associated indexes live.
+ A separate directory must be specified for each database.
+ The default is
+-.BR LOCALSTATEDIR/openldap\-data .
++.BR LOCALSTATEDIR/lib/ldap .
+ .TP
+ \fBenvflags \fR{\fBnosync\fR,\fBnometasync\fR,\fBwritemap\fR,\fBmapasync\fR,\fBnordahead\fR}
+ Specify flags for finer-grained control of the LMDB library's operation.