Diffstat (limited to '')
49 files changed, 2780 insertions, 0 deletions
diff --git a/debian/patches/ITS-8964-Do-not-free-original-filter.patch b/debian/patches/ITS-8964-Do-not-free-original-filter.patch
new file mode 100644
index 0000000..7714e0a
--- /dev/null
+++ b/debian/patches/ITS-8964-Do-not-free-original-filter.patch
@@ -0,0 +1,36 @@
+From 0f7ec3a81258bb2c33b5d7c7434ef1c11d7fa7cb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 17 Jun 2019 12:49:25 +0200
+Subject: [PATCH] ITS#8964 Do not free original filter
+
+---
+ servers/slapd/overlays/rwm.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/overlays/rwm.c b/servers/slapd/overlays/rwm.c
+index 36bceaffe..2e24f24cc 100644
+--- a/servers/slapd/overlays/rwm.c
++++ b/servers/slapd/overlays/rwm.c
+@@ -125,11 +125,15 @@ rwm_op_rollback( Operation *op, SlapReply *rs, rwm_op_state *ros )
+ break;
+ case LDAP_REQ_SEARCH:
+ op->o_tmpfree( ros->mapped_attrs, op->o_tmpmemctx );
+- filter_free_x( op, op->ors_filter, 1 );
+- op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
+ op->ors_attrs = ros->ors_attrs;
+- op->ors_filter = ros->ors_filter;
+- op->ors_filterstr = ros->ors_filterstr;
++ if ( op->ors_filter != ros->ors_filter ) {
++ filter_free_x( op, op->ors_filter, 1 );
++ op->ors_filter = ros->ors_filter;
++ }
++ if ( op->ors_filterstr.bv_val != ros->ors_filterstr.bv_val ) {
++ op->o_tmpfree( op->ors_filterstr.bv_val, op->o_tmpmemctx );
++ op->ors_filterstr = ros->ors_filterstr;
++ }
+ break;
+ case LDAP_REQ_EXTENDED:
+ if ( op->ore_reqdata != ros->ore_reqdata ) {
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9038-Another-test028-typo.patch b/debian/patches/ITS-9038-Another-test028-typo.patch
new file mode 100644
index 0000000..243e200
--- /dev/null
+++ b/debian/patches/ITS-9038-Another-test028-typo.patch
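Review bot: The two new pointer-equality guards in rwm_op_rollback's LDAP_REQ_SEARCH case encode a non-obvious ownership rule — the rewritten filter and filter string are freed only if the rewrite actually produced new objects — and that rule is not stated anywhere in the hunk. I would add `/* only free what the rewrite allocated; when it left the original in place, op and ros share the same pointer */` above the first `if`. The filter and the filter string are compared independently, so a rewrite that replaced one but not the other is handled; that asymmetry is presumably deliberate and deserves a word as well. rwm_op_rollback begins before this hunk and continues after it.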
@@ -0,0 +1,25 @@
+From 0832ec02f0679cf0862dca2cca5280be1e4fdb37 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Thu, 27 Jun 2019 00:45:29 +0200
+Subject: [PATCH] ITS#9038 Another test028 typo
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index 564a615d2..dacd68d8f 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -252,7 +252,7 @@ if test $USE_SASL != "no" ; then
+ if test $RC != 50 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
++ exit 1
+ fi
+
+ echo "Filtering ldapsearch results..."
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9038-Fix-typo-in-test-script.patch b/debian/patches/ITS-9038-Fix-typo-in-test-script.patch
new file mode 100644
index 0000000..72cd9fe
--- /dev/null
+++ b/debian/patches/ITS-9038-Fix-typo-in-test-script.patch
@@ -0,0 +1,25 @@
+From c064d45c5d4551f2321276c3a5ed25b1c08e115d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Mon, 24 Jun 2019 16:37:23 +0200
+Subject: [PATCH] ITS#9038 Fix typo in test script
+
+---
+ tests/scripts/test028-idassert | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index 9e5e10724..564a615d2 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -199,7 +199,7 @@ RC=$?
+ if test $RC != 1 ; then
+ echo "ldapwhoami should have failed ($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+- exit $RC
++ exit 1
+ fi
+
+ ID="uid=jaj,ou=People,dc=example,dc=it"
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch b/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch
new file mode 100644
index 0000000..3e8712a
--- /dev/null
+++ b/debian/patches/ITS-9038-Update-test028-to-test-this-is-enforced.patch
@@ -0,0 +1,102 @@
+From ce5869c89a0cf1a9ec23bde014cb4c11f4d0360c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
+Date: Wed, 19 Jun 2019 18:47:32 +0200
+Subject: [PATCH] ITS#9038 Update test028 to test this is enforced
+
+---
+ tests/data/idassert.out | 5 +++++
+ tests/data/slapd-idassert.conf | 1 +
+ tests/data/test-idassert1.ldif | 6 ++++++
+ tests/scripts/test028-idassert | 24 ++++++++++++++++++++++++
+ 4 files changed, 36 insertions(+)
+
+diff --git a/tests/data/idassert.out b/tests/data/idassert.out
+index 53d76bb2e..fa51c25d6 100644
+--- a/tests/data/idassert.out
++++ b/tests/data/idassert.out
+@@ -4,6 +4,11 @@ objectClass: dcObject
+ o: Example, Inc.
+ dc: example
+
++dn: cn=Manager,o=Example,c=US
++objectClass: inetOrgPerson
++cn: Manager
++sn: Parson
++
+ dn: ou=People,o=Example,c=US
+ objectClass: organizationalUnit
+ ou: People
+diff --git a/tests/data/slapd-idassert.conf b/tests/data/slapd-idassert.conf
+index 88d66a36f..561c5ccc4 100644
+--- a/tests/data/slapd-idassert.conf
++++ b/tests/data/slapd-idassert.conf
+@@ -36,6 +36,7 @@ argsfile @TESTDIR@/slapd.1.args
+ #######################################################################
+
+ authz-policy both
++authz-regexp "^uid=manager,.+" "cn=Manager,dc=example,dc=com"
+ authz-regexp "^uid=admin/([^,]+),.+" "ldap:///ou=Admin,dc=example,dc=com??sub?(cn=$1)"
+ authz-regexp "^uid=it/([^,]+),.+" "ldap:///ou=People,dc=example,dc=it??sub?(uid=$1)"
+ authz-regexp "^uid=(us/)?([^,]+),.+" "ldap:///ou=People,dc=example,dc=com??sub?(uid=$2)"
+diff --git a/tests/data/test-idassert1.ldif b/tests/data/test-idassert1.ldif
+index 063d6ec45..3ccbd1a22 100644
+--- a/tests/data/test-idassert1.ldif
++++ b/tests/data/test-idassert1.ldif
+@@ -4,6 +4,12 @@ objectClass: dcObject
+ o: Example, Inc.
+ dc: example
+
++dn: cn=Manager,dc=example,dc=com
++objectClass: inetOrgPerson
++cn: Manager
++sn: Parson
++userPassword: secret
++
+ dn: ou=People,dc=example,dc=com
+ objectClass: organizationalUnit
+ ou: People
+diff --git a/tests/scripts/test028-idassert b/tests/scripts/test028-idassert
+index b1e16744a..9e5e10724 100755
+--- a/tests/scripts/test028-idassert
++++ b/tests/scripts/test028-idassert
+@@ -191,6 +191,17 @@ if test $RC != 0 ; then
+ exit $RC
+ fi
+
++AUTHZID="u:it/jaj"
++echo "Checking another DB's rootdn can't assert identity from another DB..."
++$LDAPWHOAMI -h $LOCALHOST -p $PORT1 -D "$MANAGERDN" -w $PASSWD -e\!"authzid=$AUTHZID"
++
++RC=$?
++if test $RC != 1 ; then
++ echo "ldapwhoami should have failed ($RC)!"
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++fi
++
+ ID="uid=jaj,ou=People,dc=example,dc=it"
+ BASE="o=Example,c=US"
+ echo "Testing ldapsearch as $ID for \"$BASE\"..."
+@@ -231,6 +242,19 @@ if test $USE_SASL != "no" ; then
+ exit $RC
+ fi
+
++ ID="manager"
++ AUTHZID="u:it/jaj"
++ echo "Checking another DB's rootdn can't assert in another (with SASL bind this time)..."
++ $LDAPSASLWHOAMI -h $LOCALHOST -p $PORT1 \
++ -Q -U "$ID" -w $PASSWD -Y $MECH -X $AUTHZID
++
++ RC=$?
++ if test $RC != 50 ; then
++ echo "ldapwhoami should have failed ($RC)!"
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++ fi
++
+ echo "Filtering ldapsearch results..."
+ $LDIFFILTER < $SEARCHOUT > $SEARCHFLT
+ echo "Filtering original ldif used to create database..."
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch b/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
new file mode 100644
index 0000000..a63c6fe
--- /dev/null
+++ b/debian/patches/ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch
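Review bot: The two new checks in test028-idassert expect different exit statuses for the same refused authorization — `test $RC != 1` for the simple-bind-plus-authzid-control path and `test $RC != 50` for the SASL path — with no comment saying why; presumably one is the client tool's generic failure status and the other is the bind's own LDAP result (insufficientAccess), but a reader cannot tell that from the script. I would add `# simple bind + critical authzid control: ldapwhoami exits 1 when the control is rejected` above the first and `# SASL bind with authzid: the bind itself fails with insufficientAccess (50)` above the second, after confirming both values against the tools. Both failure branches still `exit $RC`, so a status of 0 (the identity was wrongly asserted) would exit 0 and hide the regression; the two later ITS#9038 typo patches in this series change those to `exit 1`.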
@@ -0,0 +1,36 @@
+From f120d0e461178b5974694876ba2d2bdba4f7d122 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 19 Jun 2019 12:29:02 +0100
+Subject: [PATCH] ITS#9038 restrict rootDN proxyauthz to its own DBs.
+
+Treat as normal user for any other DB.
+---
+ servers/slapd/saslauthz.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 64c70537d..b3727eafe 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -2062,12 +2062,13 @@ int slap_sasl_authorized( Operation *op,
+ goto DONE;
+ }
+
+- /* Allow the manager to authorize as any DN. */
+- if( op->o_conn->c_authz_backend &&
+- be_isroot_dn( op->o_conn->c_authz_backend, authcDN ))
++ /* Allow the manager to authorize as any DN in its own DBs. */
+ {
+- rc = LDAP_SUCCESS;
+- goto DONE;
++ Backend *zbe = select_backend( authzDN, 1 );
++ if ( zbe && be_isroot_dn( zbe, authcDN )) {
++ rc = LDAP_SUCCESS;
++ goto DONE;
++ }
+ }
+
+ /* Check source rules */
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch b/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
new file mode 100644
index 0000000..ec09120
--- /dev/null
+++ b/debian/patches/ITS-9052-zero-out-sasl_ssf-in-connection_init.patch
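Review bot: The new rootDN short-circuit in slap_sasl_authorized silently falls through to the authz rules both when `select_backend( authzDN, 1 )` returns NULL and when authcDN is not that backend's rootDN, and the commit message's "treat as normal user for any other DB" intent is not visible at the code. I would extend the comment to `/* Allow the manager to authorize as any DN in its own DBs; for any other DB (or a DN outside every DB) it is an ordinary user and must pass the rules below. */`. Whether the second argument to select_backend selects the glue superior or the most specific subordinate decides whose rootDN is honoured for glued trees; that is not visible here and should be confirmed. slap_sasl_authorized begins before this hunk.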
@@ -0,0 +1,25 @@
+From 744a46a1acb93798f4e027290191d6a11dd4c18c Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 10 Jul 2019 21:29:39 +0100
+Subject: [PATCH] ITS#9052 zero out sasl_ssf in connection_init
+
+---
+ servers/slapd/connection.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/connection.c b/servers/slapd/connection.c
+index b85bcb4c6..704067c55 100644
+--- a/servers/slapd/connection.c
++++ b/servers/slapd/connection.c
+@@ -554,7 +554,7 @@ Connection * connection_init(
+ c->c_close_reason = "?"; /* should never be needed */
+
+ c->c_ssf = c->c_transport_ssf = ssf;
+- c->c_tls_ssf = 0;
++ c->c_tls_ssf = c->c_sasl_ssf = 0;
+
+ #ifdef HAVE_TLS
+ if ( flags & CONN_IS_TLS ) {
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9202-limit-depth-of-nested-filters.patch b/debian/patches/ITS-9202-limit-depth-of-nested-filters.patch
new file mode 100644
index 0000000..8c547d1
--- /dev/null
+++ b/debian/patches/ITS-9202-limit-depth-of-nested-filters.patch
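Review bot: Resetting `c_sasl_ssf` next to `c_tls_ssf` in connection_init closes the case where a recycled Connection carries a previous session's SASL security strength factor into a new, unauthenticated connection; that security rationale is worth stating, e.g. `/* reset every per-session SSF: the struct may be reused from a closed connection (ITS#9052) */`. Whether c_sasl_ssf is also cleared when a SASL layer is torn down on a still-open connection (rebind, connection close) cannot be seen from this hunk and is worth checking, since c_ssf is presumably recomputed from these three fields. connection_init continues outside the hunk.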
@@ -0,0 +1,125 @@
+From 45c18dbd0b2e91841e642ffbe835c46f189f19ee Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Thu, 16 Apr 2020 01:08:19 +0100
+Subject: [PATCH] ITS#9202 limit depth of nested filters
+
+Using a hardcoded limit for now; no reasonable apps
+should ever run into it.
+---
+ servers/slapd/filter.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/servers/slapd/filter.c b/servers/slapd/filter.c
+index cf5ae3daef..e397bebe87 100644
+--- a/servers/slapd/filter.c
++++ b/servers/slapd/filter.c
+@@ -37,11 +37,16 @@
+ const Filter *slap_filter_objectClass_pres;
+ const struct berval *slap_filterstr_objectClass_pres;
+
++#ifndef SLAPD_MAX_FILTER_DEPTH
++#define SLAPD_MAX_FILTER_DEPTH 5000
++#endif
++
+ static int get_filter_list(
+ Operation *op,
+ BerElement *ber,
+ Filter **f,
+- const char **text );
++ const char **text,
++ int depth );
+
+ static int get_ssa(
+ Operation *op,
+@@ -80,12 +85,13 @@ filter_destroy( void )
+ return;
+ }
+
+-int
+-get_filter(
++static int
++get_filter0(
+ Operation *op,
+ BerElement *ber,
+ Filter **filt,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ ber_tag_t tag;
+ ber_len_t len;
+@@ -126,6 +132,11 @@ get_filter(
+ *
+ */
+
++ if( depth > SLAPD_MAX_FILTER_DEPTH ) {
++ *text = "filter nested too deeply";
++ return SLAPD_DISCONNECT;
++ }
++
+ tag = ber_peek_tag( ber, &len );
+
+ if( tag == LBER_ERROR ) {
+@@ -221,7 +232,7 @@ get_filter(
+
+ case LDAP_FILTER_AND:
+ Debug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_and, text );
++ err = get_filter_list( op, ber, &f.f_and, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -234,7 +245,7 @@ get_filter(
+
+ case LDAP_FILTER_OR:
+ Debug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
+- err = get_filter_list( op, ber, &f.f_or, text );
++ err = get_filter_list( op, ber, &f.f_or, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -248,7 +259,7 @@ get_filter(
+ case LDAP_FILTER_NOT:
+ Debug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
+ (void) ber_skip_tag( ber, &len );
+- err = get_filter( op, ber, &f.f_not, text );
++ err = get_filter0( op, ber, &f.f_not, text, depth+1 );
+ if ( err != LDAP_SUCCESS ) {
+ break;
+ }
+@@ -311,10 +322,22 @@ get_filter(
+ return( err );
+ }
+
++int
++get_filter(
++ Operation *op,
++ BerElement *ber,
++ Filter **filt,
++ const char **text )
++{
++ return get_filter0( op, ber, filt, text, 0 );
++}
++
++
+ static int
+ get_filter_list( Operation *op, BerElement *ber,
+ Filter **f,
+- const char **text )
++ const char **text,
++ int depth )
+ {
+ Filter **new;
+ int err;
+@@ -328,7 +351,7 @@ get_filter_list( Operation *op, BerElement *ber,
+ tag != LBER_DEFAULT;
+ tag = ber_next_element( ber, &len, last ) )
+ {
+- err = get_filter( op, ber, new, text );
++ err = get_filter0( op, ber, new, text, depth );
+ if ( err != LDAP_SUCCESS )
+ return( err );
+ new = &(*new)->f_next;
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9370-check-for-equality-rule-on-old_rdn.patch b/debian/patches/ITS-9370-check-for-equality-rule-on-old_rdn.patch
new file mode 100644
index 0000000..832e41a
--- /dev/null
+++ b/debian/patches/ITS-9370-check-for-equality-rule-on-old_rdn.patch
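Review bot: `SLAPD_MAX_FILTER_DEPTH` at 5000 still lets a client drive get_filter0 thousands of frames deep before the check fires (every AND/OR level costs a get_filter0 frame holding a local `Filter f` plus a get_filter_list frame), so the bound caps the recursion without making it small relative to a worker thread's stack; the constant should carry a comment recording that it was sized against the thread stack, e.g. `/* bound on nested AND/OR/NOT; each level costs two stack frames, keep well below the worker stack size */`. Returning SLAPD_DISCONNECT on overflow is the right choice, since a peer sending such a PDU is hostile or broken. get_filter_list passes `depth` through unchanged while the AND/OR/NOT cases pass `depth+1`, which is consistent, but a one-liner at the call site (`/* depth was already incremented by the AND/OR caller */`) saves the next reader the same check. get_filter0's body extends well beyond the hunks shown.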
@@ -0,0 +1,27 @@
+From 4c774220a752bf8e3284984890dc0931fe73165d Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 19 Oct 2020 14:03:41 +0100
+Subject: [PATCH] ITS#9370 check for equality rule on old_rdn
+
+Just skip normalization if there's no equality rule. We accept
+DNs without equality rules already.
+---
+ servers/slapd/modrdn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/modrdn.c b/servers/slapd/modrdn.c
+index c73dd8dbaa..a22975540c 100644
+--- a/servers/slapd/modrdn.c
++++ b/servers/slapd/modrdn.c
+@@ -505,7 +505,7 @@ slap_modrdn2mods(
+ mod_tmp->sml_values = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+ ber_dupbv( &mod_tmp->sml_values[0], &old_rdn[d_cnt]->la_value );
+ mod_tmp->sml_values[1].bv_val = NULL;
+- if( desc->ad_type->sat_equality->smr_normalize) {
++ if( desc->ad_type->sat_equality && desc->ad_type->sat_equality->smr_normalize) {
+ mod_tmp->sml_nvalues = ( BerVarray )ch_malloc( 2 * sizeof( struct berval ) );
+ (void) (*desc->ad_type->sat_equality->smr_normalize)(
+ SLAP_MR_EQUALITY|SLAP_MR_VALUE_OF_ASSERTION_SYNTAX,
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9383-remove-assert-in-certificateListValidate.patch b/debian/patches/ITS-9383-remove-assert-in-certificateListValidate.patch
new file mode 100644
index 0000000..7000fc2
--- /dev/null
+++ b/debian/patches/ITS-9383-remove-assert-in-certificateListValidate.patch
@@ -0,0 +1,26 @@
+From 67670f4544e28fb09eb7319c39f404e1d3229e65 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 13:12:10 +0000
+Subject: [PATCH] ITS#9383 remove assert in certificateListValidate
+
+---
+ servers/slapd/schema_init.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index ea0d67aa62..28f9e71a16 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -371,8 +371,7 @@ certificateListValidate( Syntax *syntax, struct berval *in )
+ /* Optional version */
+ if ( tag == LBER_INTEGER ) {
+ tag = ber_get_int( ber, &version );
+- assert( tag == LBER_INTEGER );
+- if ( version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
++ if ( tag != LBER_INTEGER || version != SLAP_X509_V2 ) return LDAP_INVALID_SYNTAX;
+ }
+ tag = ber_skip_tag( ber, &len ); /* Signature Algorithm */
+ if ( tag != LBER_SEQUENCE ) return LDAP_INVALID_SYNTAX;
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch b/debian/patches/ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
new file mode 100644
index 0000000..96f5b67
--- /dev/null
+++ b/debian/patches/ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
@@ -0,0 +1,27 @@
+From bdb0d459187522a6063df13871b82ba8dcc6efe2 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 2 Nov 2020 16:01:14 +0000
+Subject: [PATCH] ITS#9384 remove assert in obsolete csnNormalize23()
+
+---
+ servers/slapd/schema_init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 5812bc4b66..ea0d67aa62 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -5327,8 +5327,8 @@ csnNormalize23(
+ }
+ *ptr = '\0';
+
+- assert( ptr == &bv.bv_val[bv.bv_len] );
+- if ( csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
++ if ( ptr != &bv.bv_val[bv.bv_len] ||
++ csnValidate( syntax, &bv ) != LDAP_SUCCESS ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9404-fix-serialNumberAndIssuerCheck.patch b/debian/patches/ITS-9404-fix-serialNumberAndIssuerCheck.patch
new file mode 100644
index 0000000..de25ed2
--- /dev/null
+++ b/debian/patches/ITS-9404-fix-serialNumberAndIssuerCheck.patch
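Review bot: In csnNormalize23 the `*ptr = '\0'` store on the context line above still executes before the new `ptr != &bv.bv_val[bv.bv_len]` test, so if ptr can ever run past the end of bv's buffer the out-of-bounds write has already happened by the time LDAP_INVALID_SYNTAX is returned. If the loop that advances ptr (outside the hunk) can only fall short of the end, a comment saying so is enough: `/* ptr can only stop short of the end, never overshoot: every write above is bounded by bv.bv_len */`; if it can overshoot, the position check must move above the store. The function begins before this hunk.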
@@ -0,0 +1,58 @@
+From 38ac838e4150c626bbfa0082b7e2cf3a2bb4df31 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 23 Nov 2020 17:14:00 +0000
+Subject: [PATCH] ITS#9404 fix serialNumberAndIssuerCheck
+
+Tighten validity checks
+---
+ servers/slapd/schema_init.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 834f54593d..5b577607de 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3193,7 +3193,7 @@ serialNumberAndIssuerCheck(
+
+ if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+
+- if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
++ if( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
+ /* Parse old format */
+ is->bv_val = ber_bvchr( in, '$' );
+ if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
+@@ -3224,7 +3224,7 @@ serialNumberAndIssuerCheck(
+ HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
+ } have = HAVE_NONE;
+
+- int numdquotes = 0;
++ int numdquotes = 0, gotquote;
+ struct berval x = *in;
+ struct berval ni;
+ x.bv_val++;
+@@ -3266,11 +3266,12 @@ serialNumberAndIssuerCheck(
+ is->bv_val = x.bv_val;
+ is->bv_len = 0;
+
+- for ( ; is->bv_len < x.bv_len; ) {
++ for ( gotquote=0; is->bv_len < x.bv_len; ) {
+ if ( is->bv_val[is->bv_len] != '"' ) {
+ is->bv_len++;
+ continue;
+ }
++ gotquote = 1;
+ if ( is->bv_val[is->bv_len+1] == '"' ) {
+ /* double dquote */
+ numdquotes++;
+@@ -3279,6 +3280,8 @@ serialNumberAndIssuerCheck(
+ }
+ break;
+ }
++ if ( !gotquote ) return LDAP_INVALID_SYNTAX;
++
+ x.bv_val += is->bv_len + 1;
+ x.bv_len -= is->bv_len + 1;
+
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9406-9407-remove-saslauthz-asserts.patch b/debian/patches/ITS-9406-9407-remove-saslauthz-asserts.patch
new file mode 100644
index 0000000..a6f085c
--- /dev/null
+++ b/debian/patches/ITS-9406-9407-remove-saslauthz-asserts.patch
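Review bot: The `!gotquote` test fixes the unterminated-issuer case, but inside the loop `is->bv_val[is->bv_len+1]` is still read when the closing `"` is the last byte of x, i.e. one byte past x; that byte is the trailing `}` of `in` (which the `&&`→`||` fix in the first hunk now guarantees), so the read stays inside the original value, but the reasoning is implicit and should be written down: `/* bv_len+1 may equal x.bv_len; that byte is in's closing '}' so the read is in bounds */` on the double-dquote test. `numdquotes` is still counted but its consumer is not visible in these hunks; if nothing below uses it, it is dead. serialNumberAndIssuerCheck extends beyond the hunks.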
@@ -0,0 +1,69 @@
+From 6ed057b5b728b50746c869bcc9c1f85d0bbbf6ed Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Fri, 27 Nov 2020 14:37:10 +0000
+Subject: [PATCH 1/2] ITS#9406, #9407 remove saslauthz asserts
+
+---
+ servers/slapd/saslauthz.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index e05f3f9cf6..2e59eb5598 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -180,14 +180,16 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ }
+
+ if ( !BER_BVISNULL( mech ) ) {
+- assert( mech->bv_val == id->bv_val + 2 );
++ if ( mech->bv_val != id->bv_val + 2 )
++ return LDAP_PROTOCOL_ERROR;
+
+ AC_MEMCPY( mech->bv_val - 2, mech->bv_val, mech->bv_len + 1 );
+ mech->bv_val -= 2;
+ }
+
+ if ( !BER_BVISNULL( realm ) ) {
+- assert( realm->bv_val >= id->bv_val + 2 );
++ if ( realm->bv_val < id->bv_val + 2 )
++ return LDAP_PROTOCOL_ERROR;
+
+ AC_MEMCPY( realm->bv_val - 2, realm->bv_val, realm->bv_len + 1 );
+ realm->bv_val -= 2;
+@@ -449,9 +451,12 @@ is_dn: bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
+ }
+
+ /* Grab the searchbase */
+- assert( ludp->lud_dn != NULL );
+- ber_str2bv( ludp->lud_dn, 0, 0, &bv );
+- rc = dnValidate( NULL, &bv );
++ if ( ludp->lud_dn != NULL ) {
++ ber_str2bv( ludp->lud_dn, 0, 0, &bv );
++ rc = dnValidate( NULL, &bv );
++ } else {
++ rc = LDAP_INVALID_SYNTAX;
++ }
+
+ done:
+ ldap_free_urldesc( ludp );
+@@ -813,7 +818,6 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
+ }
+
+ /* Grab the searchbase */
+- assert( ludp->lud_dn != NULL );
+ if ( ludp->lud_dn ) {
+ struct berval out = BER_BVNULL;
+
+@@ -831,6 +835,9 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
+ }
+
+ ludp->lud_dn = out.bv_val;
++ } else {
++ rc = LDAP_INVALID_SYNTAX;
++ goto done;
+ }
+
+ ludp->lud_port = 0;
+-- 
+2.20.1
+
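Review bot: The two new `return LDAP_PROTOCOL_ERROR` exits in slap_parse_user fire after the function has already rewritten `id` in place (the `'\0'` stores and pointer adjustments earlier in the function, partly visible in this series' ITS#9413 hunk), so a caller that gets the error is left with a mutated id and half-initialised user/mech/realm; that is presumably harmless because callers discard the input on error, but it should be stated next to the first return: `/* id has already been modified in place; callers must not reuse it after an error */`. In authzPrettyNormal the new `else { rc = LDAP_INVALID_SYNTAX; goto done; }` relies on this function's `done:` freeing ludp without touching lud_dn, which is shown for the earlier function's `done:` label but not for this one. Both functions extend beyond the hunks.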
diff --git a/debian/patches/ITS-9406-fix-debug-msg.patch b/debian/patches/ITS-9406-fix-debug-msg.patch
new file mode 100644
index 0000000..92fc31e
--- /dev/null
+++ b/debian/patches/ITS-9406-fix-debug-msg.patch
@@ -0,0 +1,33 @@
+From 02dfc32d658fadc25e4040f78e36592f6e1e1ca0 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Fri, 27 Nov 2020 14:48:26 +0000
+Subject: [PATCH 2/2] ITS#9406 fix debug msg
+
+---
+ servers/slapd/saslauthz.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 2e59eb5598..982fe3120d 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -488,6 +488,7 @@ authzPrettyNormal(
+
+ assert( val != NULL );
+ assert( !BER_BVISNULL( val ) );
++ BER_BVZERO( normalized );
+
+ /*
+ * 2) dn[.{exact|children|subtree|onelevel}]:{*|<DN>}
+@@ -906,7 +907,7 @@ authzPretty(
+ rc = authzPrettyNormal( val, out, ctx, 0 );
+
+ Debug( LDAP_DEBUG_TRACE, "<<< authzPretty: <%s> (%d)\n",
+- out->bv_val, rc, 0 );
++ out->bv_val ? out->bv_val : "(null)" , rc, 0 );
+
+ return rc;
+ }
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9408-fix-vrfilter-double-free.patch b/debian/patches/ITS-9408-fix-vrfilter-double-free.patch
new file mode 100644
index 0000000..c4f1295
--- /dev/null
+++ b/debian/patches/ITS-9408-fix-vrfilter-double-free.patch
@@ -0,0 +1,28 @@
+From 21981053a1195ae1555e23df4d9ac68d34ede9dd Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 28 Nov 2020 15:54:17 +0000
+Subject: [PATCH] ITS#9408 fix vrfilter double-free
+
+---
+ servers/slapd/controls.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/controls.c b/servers/slapd/controls.c
+index 3455319406..28fa64eb06 100644
+--- a/servers/slapd/controls.c
++++ b/servers/slapd/controls.c
+@@ -1578,7 +1578,10 @@ static int parseValuesReturnFilter (
+ } else {
+ send_ldap_result( op, rs );
+ }
+- if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
++ if( op->o_vrFilter != NULL) {
++ vrFilter_free( op, op->o_vrFilter );
++ op->o_vrFilter = NULL;
++ }
+ }
+ #ifdef LDAP_DEBUG
+ else {
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch b/debian/patches/ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch
new file mode 100644
index 0000000..cae29b7
--- /dev/null
+++ b/debian/patches/ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch
@@ -0,0 +1,25 @@
+From c0b61a9486508e5202aa2e0cfb68c9813731b439 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 30 Nov 2020 11:45:46 +0000
+Subject: [PATCH 2/2] ITS#9409 saslauthz: use ch_free on normalized DN
+
+---
+ servers/slapd/saslauthz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 982fe3120d..cc5a292de7 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -860,7 +860,7 @@ done:
+
+ if ( lud_dn ) {
+ if ( ludp->lud_dn != lud_dn ) {
+- ber_memfree( ludp->lud_dn );
++ ch_free( ludp->lud_dn );
+ }
+ ludp->lud_dn = lud_dn;
+ }
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch b/debian/patches/ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
new file mode 100644
index 0000000..8a2a3fd
--- /dev/null
+++ b/debian/patches/ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch
@@ -0,0 +1,25 @@
+From 554dff1927176579d652f2fe60c90e9abbad4c65 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 30 Nov 2020 16:20:18 +0000
+Subject: [PATCH] ITS#9409 saslauthz: use slap_sl_free in prev commit
+
+---
+ servers/slapd/saslauthz.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index cc5a292de7..4a9420b37c 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -860,7 +860,7 @@ done:
+
+ if ( lud_dn ) {
+ if ( ludp->lud_dn != lud_dn ) {
+- ch_free( ludp->lud_dn );
++ slap_sl_free( ludp->lud_dn, ctx );
+ }
+ ludp->lud_dn = lud_dn;
+ }
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9411-fix-thisUpdate-check.patch b/debian/patches/ITS-9411-fix-thisUpdate-check.patch
new file mode 100644
index 0000000..20a39ea
--- /dev/null
+++ b/debian/patches/ITS-9411-fix-thisUpdate-check.patch
@@ -0,0 +1,25 @@
+From 4dfeac8655d964442c00be7e69ee180cc19d1e92 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 1 Dec 2020 18:02:51 +0000
+Subject: [PATCH] ITS#9411 fix thisUpdate check
+
+---
+ servers/slapd/schema_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 9049c1878d..2780d630e8 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3885,7 +3885,7 @@ issuerAndThisUpdateCheck(
+ /* empty */;
+ }
+
+- if ( x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
++ if ( !x.bv_len || x.bv_val[0] != '"' ) return LDAP_INVALID_SYNTAX;
+ x.bv_val++;
+ x.bv_len--;
+
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch b/debian/patches/ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
new file mode 100644
index 0000000..b7e32cc
--- /dev/null
+++ b/debian/patches/ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch
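Review bot: This patch only rewrites the `ch_free` that the immediately preceding ITS-9409 patch introduced, so the Debian series builds a transient tree between the two in which lud_dn is released through an allocator (ch_free) that does not match the slab context it came from (`slap_sl_free( ludp->lud_dn, ctx )` here). Since both are carried as separate quilt patches, consider folding them into one, or at least noting in the first patch's header that it is superseded, so nobody bisects into or cherry-picks the intermediate state. Whether `ctx` is the same context that produced lud_dn (via the prettification above, outside the hunk) is not visible here and should be confirmed. authzPrettyNormal's body lies largely outside the hunk.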
@@ -0,0 +1,42 @@
+From 5a2017d4e61a6ddc4dcb4415028e0d08eb6bca26 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 1 Dec 2020 18:32:35 +0000
+Subject: [PATCH] ITS#9412 fix AVA_Sort on invalid RDN
+
+---
+ servers/slapd/dn.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/servers/slapd/dn.c b/servers/slapd/dn.c
+index 06698b089e..7a095ba9e9 100644
+--- a/servers/slapd/dn.c
++++ b/servers/slapd/dn.c
+@@ -233,6 +233,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ {
+ LDAPAVA *ava_i;
+ int i;
++ int rc = LDAP_SUCCESS;
+
+ assert( rdn != NULL );
+
+@@ -250,7 +251,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ /* RFC4512 does not allow multiple AVAs
+ * with the same attribute type in RDN (ITS#5968) */
+ if ( a == 0 )
+- return LDAP_INVALID_DN_SYNTAX;
++ rc = LDAP_INVALID_DN_SYNTAX;
+
+ if ( a > 0 )
+ break;
+@@ -259,7 +260,7 @@ AVA_Sort( LDAPRDN rdn, int nAVAs )
+ }
+ rdn[ j+1 ] = ava_i;
+ }
+- return LDAP_SUCCESS;
++ return rc;
+ }
+
+ static int
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9413-fix-slap_parse_user.patch b/debian/patches/ITS-9413-fix-slap_parse_user.patch
new file mode 100644
index 0000000..7d620e7
--- /dev/null
+++ b/debian/patches/ITS-9413-fix-slap_parse_user.patch
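Review bot: AVA_Sort now keeps sorting after it finds a duplicate attribute type and only reports LDAP_INVALID_DN_SYNTAX at the end, which is the fix (the old early return left the RDN array half-permuted for the caller to free), but nothing at the site says so; I would add `/* keep sorting so rdn stays a consistent array for the caller to free; report the duplicate type afterwards */` beside `rc = LDAP_INVALID_DN_SYNTAX;`. Since `if ( a > 0 ) break;` follows, the loop simply continues past the duplicate and the insertion completes as for any other element. The loop header and comparison that compute `a` are outside the hunk.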
@@ -0,0 +1,38 @@
+From d169e7958a3e0dc70f59c8374bf8a59833b7bdd8 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Tue, 1 Dec 2020 19:03:24 +0000
+Subject: [PATCH] ITS#9413 fix slap_parse_user
+
+---
+ servers/slapd/saslauthz.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/servers/slapd/saslauthz.c b/servers/slapd/saslauthz.c
+index 4a9420b37c..b17f34a211 100644
+--- a/servers/slapd/saslauthz.c
++++ b/servers/slapd/saslauthz.c
+@@ -156,10 +156,9 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ user->bv_val++;
+ user->bv_len = id->bv_len - ( user->bv_val - id->bv_val );
+
+- mech->bv_val = ber_bvchr( id, '.' );
+- if ( !BER_BVISNULL( mech ) ) {
+- mech->bv_val[ 0 ] = '\0';
+- mech->bv_val++;
++ if ( id->bv_val[1] == '.' ) {
++ id->bv_val[1] = '\0';
++ mech->bv_val = id->bv_val + 2;
+ mech->bv_len = user->bv_val - mech->bv_val - 1;
+
+ realm->bv_val = ber_bvchr( mech, '/' );
+@@ -172,6 +171,7 @@ int slap_parse_user( struct berval *id, struct berval *user,
+ }
+
+ } else {
++ BER_BVZERO( mech );
+ BER_BVZERO( realm );
+ }
+
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch b/debian/patches/ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
new file mode 100644
index 0000000..321a57a
--- /dev/null
+++ b/debian/patches/ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch
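Review bot: The new `id->bv_val[1] == '.'` test and `mech->bv_val = id->bv_val + 2` assume id is at least three bytes long (the type letter, the optional '.', then content), and the guard that would guarantee that is not in the hunk; an id such as `u.:foo` also passes and yields an empty mechanism (`mech->bv_len` of 0) that is then handed to the realm split, which may or may not be meant to be a protocol error. If the code above the hunk already rejects ids that short, add `/* id is at least "u:" plus one byte here (checked above); an empty mech is tolerated */`; otherwise add a `bv_len` check before indexing. slap_parse_user begins before this hunk.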
@@ -0,0 +1,48 @@
+From 8c1d96ee36ed98b32cd0e28b7069c7b8ea09d793 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sun, 13 Dec 2020 21:48:45 +0000
+Subject: [PATCH] ITS#9423 ldap_X509dn2bv: check for invalid BER after RDN
+ count
+
+---
+ libraries/libldap/tls2.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index ca5a44ab0c..e0c82fa9f8 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -1254,6 +1254,12 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ }
+ }
+
++ /* Rewind and prepare to extract */
++ ber_rewind( ber );
++ tag = ber_first_element( ber, &len, &dn_end );
++ if ( tag == LBER_DEFAULT )
++ return LDAP_DECODING_ERROR;
++
+ /* Allocate the DN/RDN/AVA stuff as a single block */
+ dnsize = sizeof(LDAPRDN) * (nrdns+1);
+ dnsize += sizeof(LDAPAVA *) * (navas+nrdns);
+@@ -1265,16 +1271,12 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ } else {
+ newDN = (LDAPDN)(char *)ptrs;
+ }
+- + ++ + newDN[nrdns] = NULL;
+ newRDN = (LDAPRDN)(newDN + nrdns+1);
+ newAVA = (LDAPAVA *)(newRDN + navas + nrdns);
+ baseAVA = newAVA;
+
+- /* Rewind and start extracting */
+- ber_rewind( ber );
+-
+- tag = ber_first_element( ber, &len, &dn_end );
+ for ( i = nrdns - 1; i >= 0; i-- ) {
+ newDN[i] = newRDN;
+
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch b/debian/patches/ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch
new file mode 100644
index 0000000..9874446
--- /dev/null
+++ b/debian/patches/ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch
@@ -0,0 +1,25 @@
+From 58c1748e81c843c5b6e61648d2a4d1d82b47e842 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 14 Dec 2020 19:03:27 +0000
+Subject: [PATCH] ITS#9424 fix serialNumberAndIssuerSerialCheck
+
+---
+ servers/slapd/schema_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index d697fa108c..e035c1a6a7 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -4302,7 +4302,7 @@ serialNumberAndIssuerSerialCheck(
+ if ( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
+
+ /* no old format */
+- if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
++ if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) return LDAP_INVALID_SYNTAX;
+
+ x.bv_val++;
+ x.bv_len -= 2;
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch b/debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
new file mode 100644
index 0000000..618eb3d
--- /dev/null
+++ b/debian/patches/ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch
@@ -0,0 +1,45 @@
+From 4bdfffd2889c0c5cdf58bebafbdc8fce4bb2bff0 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Mon, 14 Dec 2020 20:05:44 +0000
+Subject: [PATCH] ITS#9425 add more checks to ldap_X509dn2bv
+
+---
+ libraries/libldap/tls2.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
+index e0c82fa9f8..193d20fdfa 100644
+--- a/libraries/libldap/tls2.c
++++ b/libraries/libldap/tls2.c
+@@ -1248,6 +1248,8 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ for ( tag = ber_first_element( ber, &len, &rdn_end );
+ tag == LBER_SEQUENCE;
+ tag = ber_next_element( ber, &len, rdn_end )) {
++ if ( rdn_end > dn_end )
++ return LDAP_DECODING_ERROR;
+ tag = ber_skip_tag( ber, &len );
+ ber_skip_data( ber, len );
+ navas++;
+@@ -1257,7 +1259,7 @@ ldap_X509dn2bv( void *x509_name, struct berval *bv, LDAPDN_rewrite_func *func,
+ /* Rewind and prepare to extract */
+ ber_rewind( ber );
+ tag = ber_first_element( ber, &len, &dn_end );
+- if ( tag == LBER_DEFAULT )
++ if ( tag != LBER_SET )
+ return LDAP_DECODING_ERROR;
+
+ /* Allocate the DN/RDN/AVA stuff as a single block */
+@@ -1370,6 +1372,10 @@ allocd:
+ /* X.690 bitString value converted to RFC4517 Bit String */
+ rc = der_to_ldap_BitString( &Val, &newAVA->la_value );
+ goto allocd;
++ case LBER_DEFAULT:
++ /* decode error */
++ rc = LDAP_DECODING_ERROR;
++ goto nomem;
+ default:
+ /* Not a string type at all */
+ newAVA->la_flags = 0;
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9427-fix-issuerAndThisUpdateCheck.patch b/debian/patches/ITS-9427-fix-issuerAndThisUpdateCheck.patch
new file mode 100644
index 0000000..3f6ddfb
--- /dev/null
+++ b/debian/patches/ITS-9427-fix-issuerAndThisUpdateCheck.patch
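Review bot: The new `case LBER_DEFAULT:` in ldap_X509dn2bv jumps to `nomem` to report a decode error, so a label named for the out-of-memory path now doubles as the generic failure exit; if `nomem:` only frees newDN and returns rc that is correct but misleading, so either rename it (`fail:`) or add `/* nomem: shared failure exit; frees newDN when it was heap-allocated */` at the label. Whether that path also releases the AVA values already converted in earlier iterations of the loop is not visible from the hunk and matters specifically for this new exit, which can be reached after several AVAs have been allocated. The `rdn_end > dn_end` guard in the counting loop and the `tag != LBER_SET` check are sound, the latter tightening the ITS#9423 check that precedes it in this series. The conversion loop and the nomem label are outside the hunk.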
@@ -0,0 +1,25 @@
+From 91dccd25c347733b365adc74cb07d074512ed5ad Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 16 Dec 2020 18:52:42 +0000
+Subject: [PATCH] ITS#9427 fix issuerAndThisUpdateCheck
+
+---
+ servers/slapd/schema_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index e035c1a6a7..cc7c816937 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3809,7 +3809,7 @@ issuerAndThisUpdateCheck(
+
+ if ( in->bv_len < STRLENOF( "{issuer \"\",thisUpdate \"YYMMDDhhmmssZ\"}" ) ) return LDAP_INVALID_SYNTAX;
+
+- if ( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
++ if ( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
+ return LDAP_INVALID_SYNTAX;
+ }
+
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9428-fix-cancel-exop.patch b/debian/patches/ITS-9428-fix-cancel-exop.patch
new file mode 100644
index 0000000..65e2026
--- /dev/null
+++ b/debian/patches/ITS-9428-fix-cancel-exop.patch
@@ -0,0 +1,28 @@
+From 9d0e8485f3113505743baabf1167e01e4558ccf5 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sun, 20 Dec 2020 21:31:15 +0000
+Subject: [PATCH] ITS#9428 fix cancel exop
+
+---
+ servers/slapd/cancel.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/servers/slapd/cancel.c b/servers/slapd/cancel.c
+index 2060312900..b972b18fc3 100644
+--- a/servers/slapd/cancel.c
++++ b/servers/slapd/cancel.c
+@@ -65,6 +65,11 @@ int cancel_extop( Operation *op, SlapReply *rs )
+ return LDAP_PROTOCOL_ERROR;
+ }
+
++ if ( opid == op->o_msgid ) {
++ op->o_cancel = SLAP_CANCEL_DONE;
++ return LDAP_SUCCESS;
++ }
++
+ ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
+
+ if ( op->o_abandon ) {
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch b/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch
new file mode 100644
index 0000000..a9b724a
--- /dev/null
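Review bot: The new self-cancel short-circuit in cancel_extop carries no comment saying why an `opid` equal to `op->o_msgid` is answered with `SLAP_CANCEL_DONE` and `LDAP_SUCCESS` before `c_mutex` is taken, and the reader has to work out that the cancel operation would otherwise go looking for itself in the connection's op list. I would put `/* ITS#9428: cancelling the cancel op itself is a no-op; answer before walking o_conn's op list under c_mutex */` above the `if`. Reading `op->o_msgid` outside the lock looks safe because it belongs to the running operation, but that assumption is worth stating in the same comment. cancel_extop continues outside the hunk.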
+++ b/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch
@@ -0,0 +1,25 @@
+From 9badb73425a67768c09bcaed1a9c26c684af6c30 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 6 Feb 2021 20:52:06 +0000
+Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck
+
+---
+ servers/slapd/schema_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 31be1154ef..8b1e255393 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3900,6 +3900,8 @@ issuerAndThisUpdateCheck(
+ break;
+ }
+ }
++ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX;
++
+ x.bv_val += tu->bv_len + 1;
+ x.bv_len -= tu->bv_len + 1;
+
+-- 
+2.20.1
+
diff --git a/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch b/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch
new file mode 100644
index 0000000..28e681d
--- /dev/null
+++ b/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch
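Review bot: The added `tu->bv_len < STRLENOF("YYYYmmddHHmmssZ")` guard demands a 15-character GeneralizedTime, while the entry check of issuerAndThisUpdateCheck shown in the ITS#9427 hunk still sizes the minimum input with the 13-character `YYMMDDhhmmssZ` form, so the two bounds disagree on the shortest thisUpdate the function accepts. Either tighten the entry check to `STRLENOF( "{issuer \"\",thisUpdate \"YYYYmmddHHmmssZ\"}" )` so malformed values fail before any parsing, or add `/* thisUpdate must be GeneralizedTime; the 13-char UTCTime form is rejected here */` so the stricter value is clearly deliberate. The loop that fills `tu` is outside the hunk, so it is worth confirming that a missing thisUpdate reaches this line with `bv_len` 0 rather than an unset berval. The function starts and ends outside the hunk.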
@@ -0,0 +1,268 @@ +From 87df6c19915042430540931d199a39105544a134 Mon Sep 17 00:00:00 2001 +From: Howard Chu <hyc@openldap.org> +Date: Wed, 23 Mar 2022 12:43:31 +0000 +Subject: [PATCH] ITS#9815 slapd-sql: escape filter values + +--- + servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++----- + 1 file changed, 105 insertions(+), 18 deletions(-) + +--- a/servers/slapd/back-sql/search.c ++++ b/servers/slapd/back-sql/search.c +@@ -63,6 +63,38 @@ + ID *lastid ); + #endif /* ! BACKSQL_ARBITRARY_KEY */ + ++/* Look for chars that need to be escaped, return count of them. ++ * If out is non-NULL, copy escape'd val to it. ++ */ ++static int ++backsql_val_escape( Operation *op, struct berval *in, struct berval *out ) ++{ ++ char *ptr, *end; ++ int q = 0; ++ ++ ptr = in->bv_val; ++ end = ptr + in->bv_len; ++ while (ptr < end) { ++ if ( *ptr == '\'' ) ++ q++; ++ ptr++; ++ } ++ if ( q && out ) { ++ char *dst; ++ out->bv_len = in->bv_len + q; ++ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx ); ++ ptr = in->bv_val; ++ dst = out->bv_val; ++ while (ptr < end ) { ++ if ( *ptr == '\'' ) ++ *dst++ = '\''; ++ *dst++ = *ptr++; ++ } ++ *dst = '\0'; ++ } ++ return q; ++} ++ + static int + backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad ) + { +@@ -429,6 +461,8 @@ + backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private; + int i; + int casefold = 0; ++ int escaped = 0; ++ struct berval escval, *fvalue; + + if ( !f ) { + return 0; +@@ -462,50 +496,68 @@ + + BER_BVZERO( &bv ); + if ( f->f_sub_initial.bv_val ) { +- bv.bv_len += f->f_sub_initial.bv_len; ++ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL ); + } + if ( f->f_sub_any != NULL ) { + for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) { +- bv.bv_len += f->f_sub_any[ a ].bv_len; ++ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL ); + } + } + if ( f->f_sub_final.bv_val ) { +- bv.bv_len += 
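Review bot: backsql_val_escape only doubles `'`, which is the SQL-standard escape but leaves `\` untouched, so on an RDBMS that interprets backslash escapes inside string literals (MySQL under its default sql_mode is the usual example) a filter value containing `\'` still terminates the literal; the helper should either also double `\` or its header comment should state which dialects it is safe for. The contract that `op` may be NULL only when `out` is NULL is implicit in the `if ( q && out )` branch and deserves a line, e.g. `/* op may be NULL when only counting (out == NULL); required otherwise */`. The `op->o_tmpalloc` result is used unchecked, which is fine only if slapd's tmp allocator aborts on failure, and the helper dereferences `in` without a guard even though `filter_value` in backsql_process_filter_attr starts out NULL in a later hunk. A `if ( in == NULL ) return 0;` at the top would make it robust against that path.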
f->f_sub_final.bv_len; ++ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL ); + } + bv.bv_len = 2 * bv.bv_len - 1; + bv.bv_val = ch_malloc( bv.bv_len + 1 ); + + s = 0; + if ( !BER_BVISNULL( &f->f_sub_initial ) ) { +- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) { ++ fvalue = &f->f_sub_initial; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } + bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + + if ( f->f_sub_any != NULL ) { + for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) { +- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) { ++ fvalue = &f->f_sub_any[ a ]; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } + bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + } + + if ( !BER_BVISNULL( &f->f_sub_final ) ) { +- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) { ++ fvalue = &f->f_sub_final; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i 
] = f->f_sub_final.bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } +- bv.bv_val[ s + 2 * i - 1 ] = '%'; ++ bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + + bv.bv_val[ s - 1 ] = '\0'; +@@ -561,11 +613,17 @@ + f->f_sub_initial.bv_val, 0 ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_initial; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "b", +- &f->f_sub_initial ); ++ fvalue ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); + } +@@ -586,12 +644,18 @@ + i, f->f_sub_any[ i ].bv_val ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_any[ i ]; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "bc", +- &f->f_sub_any[ i ], ++ fvalue, + '%' ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + /* + * Note: toupper('%') = '%' +@@ -611,11 +675,17 @@ + f->f_sub_final.bv_val, 0 ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_final; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "b", +- &f->f_sub_final ); ++ fvalue ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + ldap_pvt_str2upper( 
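Review bot: The substring branch now quote-escapes `f->f_sub_initial`, `f->f_sub_any[ a ]` and `f->f_sub_final`, but the escaped bytes are still interleaved with `%` into a LIKE pattern, so `%` and `_` occurring in the filter value keep acting as wildcards and widen the match; that behaviour is not introduced here, but this is the place to document it, e.g. `/* quotes are escaped; LIKE metacharacters in the value are deliberately not */`, or to escape them via the backend's ESCAPE clause. The escape/copy/free sequence is repeated three times with only the source berval differing and would read better as one static helper taking the berval and `&s`. The `bv.bv_val[ s + 2 * i - 1 ] = '%';` line in the final block is a whitespace-only change. The enclosing function starts before the hunk.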
&bsi->bsi_flt_where.bb_val.bv_val[ start ] ); + } +@@ -1183,6 +1253,8 @@ + struct berval *filter_value = NULL; + MatchingRule *matching_rule = NULL; + struct berval ordering = BER_BVC("<="); ++ struct berval escval; ++ int escaped = 0; + + Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n", + at->bam_ad->ad_cname.bv_val, 0, 0 ); +@@ -1237,6 +1309,10 @@ + casefold = 1; + } + ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; ++ + /* FIXME: directoryString filtering should use a similar + * approach to deal with non-prettified values like + * " A non prettified value ", by using a LIKE +@@ -1317,6 +1393,10 @@ + casefold = 1; + } + ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; ++ + /* + * FIXME: should we uppercase the operands? + */ +@@ -1350,7 +1430,7 @@ + &at->bam_sel_expr, + &ordering, + '\'', +- &f->f_av_value, ++ filter_value, + (ber_len_t)STRLENOF( /* (' */ "')" ), + /* ( */ "')" ); + } +@@ -1374,13 +1454,17 @@ + case LDAP_FILTER_APPROX: + /* we do our best */ + ++ filter_value = &f->f_av_value; ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; + /* + * maybe we should check type of at->sel_expr here somehow, + * to know whether upper_func is applicable, but for now + * upper_func stuff is made for Oracle, where UPPER is + * safely applicable to NUMBER etc. + */ +- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value ); ++ (void)backsql_process_filter_like( bsi, at, 1, filter_value ); + break; + + default: +@@ -1394,6 +1478,9 @@ + + } + ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); ++ + Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n", + at->bam_ad->ad_cname.bv_val, 0, 0 ); + 
diff --git a/debian/patches/ITS6035-olcauthzregex-needs-restart.patch b/debian/patches/ITS6035-olcauthzregex-needs-restart.patch new file mode 100644 index 0000000..acd3c6f --- /dev/null +++ b/debian/patches/ITS6035-olcauthzregex-needs-restart.patch @@ -0,0 +1,13 @@ +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -409,6 +409,10 @@ + and replacement patterns. The matching patterns are checked in the order they + appear in the attribute, stopping at the first successful match. + ++Note that changes to ++.B olcAuthzRegexp ++take effect the next time the server is started, not immediately upon ++changing the configuration. + .\".B Caution: + .\"Because the plus sign + is a character recognized by the regular expression engine, + .\"and it will appear in names that include a REALM, be careful to escape the diff --git a/debian/patches/add-tlscacert-option-to-ldap-conf b/debian/patches/add-tlscacert-option-to-ldap-conf new file mode 100644 index 0000000..e8e731a --- /dev/null +++ b/debian/patches/add-tlscacert-option-to-ldap-conf @@ -0,0 +1,10 @@ +--- a/libraries/libldap/ldap.conf ++++ b/libraries/libldap/ldap.conf +@@ -11,3 +11,7 @@ + #SIZELIMIT 12 + #TIMELIMIT 15 + #DEREF never ++ ++# TLS certificates (needed for GnuTLS) ++TLS_CACERT /etc/ssl/certs/ca-certificates.crt ++ diff --git a/debian/patches/contrib-makefiles b/debian/patches/contrib-makefiles new file mode 100644 index 0000000..07256ba --- /dev/null +++ b/debian/patches/contrib-makefiles 
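Review bot: The comment `# TLS certificates (needed for GnuTLS)` on the new TLS_CACERT line does not say why a file is needed, and the reason matters: this package's own ldap.conf(5) patch states that TLS_CACERTDIR is ignored with GnuTLS, so without a TLS_CACERT path a GnuTLS-built client has no trust anchors at all. I would write `# Trust the system CA bundle from ca-certificates; GnuTLS ignores TLS_CACERTDIR, so a bundle file must be named here`. Whether server certificates are actually verified still depends on TLS_REQCERT, which this file does not set; a one-line pointer to that option would help administrators who copy this file.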
@@ -0,0 +1,159 @@ +--- a/contrib/slapd-modules/passwd/Makefile ++++ b/contrib/slapd-modules/passwd/Makefile +@@ -13,7 +13,7 @@ + INCS = $(LDAP_INC) + LIBS = $(LDAP_LIB) + +-PROGRAMS = pw-kerberos.la pw-netscape.la pw-radius.la pw-apr1.la ++PROGRAMS = pw-netscape.la pw-apr1.la + LTVER = 0:0:0 + + prefix=/usr/local +@@ -27,24 +27,24 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + pw-kerberos.la: kerberos.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? -lkrb5 + + pw-netscape.la: netscape.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? + + pw-radius.la: radius.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? -lradius + + pw-apr1.la: apr1.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? 
+ + clean: +--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile ++++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile +@@ -12,7 +12,7 @@ + #DEFS = -DSLAPD_PBKDF2_DEBUG + + INCS = $(LDAP_INC) +-LIBS = $(LDAP_LIB) -lcrypto ++LIBS = $(LDAP_LIB) -lnettle + + PROGRAMS = pw-pbkdf2.la + LTVER = 0:0:0 +@@ -30,12 +30,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + pw-pbkdf2.la: pw-pbkdf2.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: +--- a/contrib/slapd-modules/smbk5pwd/Makefile ++++ b/contrib/slapd-modules/smbk5pwd/Makefile +@@ -19,10 +19,10 @@ + $(LDAP_BUILD)/libraries/liblber/liblber.la + + SSL_INC = +-SSL_LIB = -lcrypto ++SSL_LIB = -lnettle + +-HEIMDAL_INC = -I/usr/heimdal/include +-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv ++HEIMDAL_INC = $(shell krb5-config.heimdal --cflags kadm-server) ++HEIMDAL_LIB = $(shell krb5-config.heimdal --libs kadm-server) + + LIBTOOL = $(LDAP_BUILD)/libtool + CC = gcc +@@ -30,7 +30,8 @@ + # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it. 
+ DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW + INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC) +-LIBS = $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB) ++# put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, #745356 ++LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB) + + PROGRAMS = smbk5pwd.la + LTVER = 0:0:0 +@@ -46,12 +47,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + smbk5pwd.la: smbk5pwd.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: +--- a/contrib/slapd-modules/autogroup/Makefile ++++ b/contrib/slapd-modules/autogroup/Makefile +@@ -27,12 +27,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + autogroup.la: autogroup.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: +--- a/contrib/slapd-modules/lastbind/Makefile ++++ b/contrib/slapd-modules/lastbind/Makefile +@@ -37,12 +37,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + lastbind.la: lastbind.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? 
$(LIBS) + + clean: +--- a/contrib/slapd-modules/passwd/sha2/Makefile ++++ b/contrib/slapd-modules/passwd/sha2/Makefile +@@ -28,12 +28,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + pw-sha2.la: slapd-sha2.lo sha2.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: diff --git a/debian/patches/do-not-second-guess-sonames b/debian/patches/do-not-second-guess-sonames new file mode 100644 index 0000000..bbf099c --- /dev/null +++ b/debian/patches/do-not-second-guess-sonames 
@@ -0,0 +1,68 @@ +Rip out code that second-guesses the libsasl soname / Debian shlibs. If +cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream +there, not kludged around upstream here! + +Debian bug #546885 + +Upstream ITS #6302 filed. + +--- a/libraries/libldap/cyrus.c ++++ b/libraries/libldap/cyrus.c +@@ -74,28 +74,6 @@ + */ + int ldap_int_sasl_init( void ) + { +-#ifdef HAVE_SASL_VERSION +- /* stringify the version number, sasl.h doesn't do it for us */ +-#define VSTR0(maj, min, pat) #maj "." #min "." #pat +-#define VSTR(maj, min, pat) VSTR0(maj, min, pat) +-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \ +- SASL_VERSION_STEP) +- { int rc; +- sasl_version( NULL, &rc ); +- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || +- (rc & 0xffff) < SASL_VERSION_STEP) { +- char version[sizeof("xxx.xxx.xxxxx")]; +- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff, +- rc & 0xffff ); +- +- Debug( LDAP_DEBUG_ANY, +- "ldap_int_sasl_init: SASL library version mismatch:" +- " expected " SASL_VERSION_STRING "," +- " got %s\n", version, 0, 0 ); +- return -1; +- } +- } +-#endif + + /* SASL 2 takes care of its own memory completely internally */ + #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC) +--- a/servers/slapd/sasl.c ++++ b/servers/slapd/sasl.c +@@ -1145,26 +1145,6 @@ int slap_sasl_init( void ) + #endif + + #ifdef HAVE_CYRUS_SASL +-#ifdef HAVE_SASL_VERSION +- /* stringify the version number, sasl.h doesn't do it for us */ +-#define VSTR0(maj, min, pat) #maj "." #min "." 
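Review bot: Deleting the `sasl_version()` comparison in ldap_int_sasl_init removes the only runtime signal that the loaded libsasl2 differs from the one the library was compiled against, and the shlibs dependency the preamble relies on does not cover a stray library picked up through LD_LIBRARY_PATH or inside a chroot. A cheaper alternative that keeps the packaging intent is to keep the comparison but replace `return -1;` with the existing `Debug( LDAP_DEBUG_ANY, ... )` call alone and fall through, so a mismatch is still visible in logs without failing SASL initialisation. If the block is to stay removed, a comment at the site saying `/* SASL ABI is guaranteed by the Debian shlibs dependency, not checked at runtime */` records the decision for the next person who hits a mismatch. The function continues outside the hunk.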
#pat +-#define VSTR(maj, min, pat) VSTR0(maj, min, pat) +-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \ +- SASL_VERSION_STEP) +- +- sasl_version( NULL, &rc ); +- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || +- (rc & 0xffff) < SASL_VERSION_STEP) +- { +- char version[sizeof("xxx.xxx.xxxxx")]; +- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff, +- rc & 0xffff ); +- Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:" +- " expected %s, got %s\n", +- SASL_VERSION_STRING, version, 0 ); +- return -1; +- } +-#endif + + sasl_set_mutex( + ldap_pvt_sasl_mutex_new, diff --git a/debian/patches/evolution-ntlm b/debian/patches/evolution-ntlm new file mode 100644 index 0000000..cd9bc26 --- /dev/null +++ b/debian/patches/evolution-ntlm 
@@ -0,0 +1,222 @@ +Patch from evolution-exchange (2.10.3). The ldap_ntlm_bind function is +actually called by evolution-data-server, checked at version 1.12.2. +Without this patch, the Exchange addressbook integration uses simple binds +with cleartext passwords. + +Russ checked with openldap-software for upstream's opinion on this patch +on 2007-12-21. Upstream had never received it as a patch submission and +given that it's apparently only for older Exchange servers that can't do +SASL and DIGEST-MD5, it's not very appealing. + +Bug#457374 filed against evolution-data-server asking if this support is +still required on 2007-12-21. + +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -2517,5 +2517,25 @@ ldap_parse_deref_control LDAP_P(( + LDAPControl **ctrls, + LDAPDerefRes **drp )); + ++/* ++ * hacks for NTLM ++ */ ++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) ++#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) ++LDAP_F( int ) ++ldap_ntlm_bind LDAP_P(( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp )); ++LDAP_F( int ) ++ldap_parse_ntlm_bind_result LDAP_P(( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge)); ++ + LDAP_END_DECL + #endif /* _LDAP_H */ +--- /dev/null ++++ b/libraries/libldap/ntlm.c +@@ -0,0 +1,138 @@ ++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ ++/* ++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. 
++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file ++ */ ++ ++/* Mostly copied from sasl.c */ ++ ++#include "portable.h" ++ ++#include <stdlib.h> ++#include <stdio.h> ++ ++#include <ac/socket.h> ++#include <ac/string.h> ++#include <ac/time.h> ++#include <ac/errno.h> ++ ++#include "ldap-int.h" ++ ++int ++ldap_ntlm_bind( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp ) ++{ ++ BerElement *ber; ++ int rc; ++ ber_int_t id; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( msgidp != NULL ); ++ ++ if( msgidp == NULL ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ /* create a message to send */ ++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ assert( LBER_VALID( ber ) ); ++ ++ LDAP_NEXT_MSGID( ld, id ); ++ rc = ber_printf( ber, "{it{istON}" /*}*/, ++ id, LDAP_REQ_BIND, ++ ld->ld_version, dn, tag, ++ cred ); ++ ++ /* Put Server Controls */ ++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { ++ ld->ld_errno = LDAP_ENCODING_ERROR; ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ /* send the message */ ++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); ++ ++ if(*msgidp < 0) ++ return ld->ld_errno; ++ ++ return LDAP_SUCCESS; ++} ++ ++int ++ldap_parse_ntlm_bind_result( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge) ++{ ++ ber_int_t errcode; ++ ber_tag_t tag; ++ BerElement *ber; ++ ber_len_t len; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( res != NULL ); ++ ++ if ( ld == NULL || res == NULL ) { ++ return LDAP_PARAM_ERROR; ++ } ++ ++ 
if( res->lm_msgtype != LDAP_RES_BIND ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ ld->ld_error = NULL; ++ } ++ if ( ld->ld_matched ) { ++ LDAP_FREE( ld->ld_matched ); ++ ld->ld_matched = NULL; ++ } ++ ++ /* parse results */ ++ ++ ber = ber_dup( res->lm_ber ); ++ ++ if( ber == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ tag = ber_scanf( ber, "{ioa" /*}*/, ++ &errcode, challenge, &ld->ld_error ); ++ ber_free( ber, 0 ); ++ ++ if( tag == LBER_ERROR ) { ++ ld->ld_errno = LDAP_DECODING_ERROR; ++ return ld->ld_errno; ++ } ++ ++ ld->ld_errno = errcode; ++ ++ return( ld->ld_errno ); ++} ++ +--- a/libraries/libldap/Makefile.in ++++ b/libraries/libldap/Makefile.in +@@ -27,7 +27,7 @@ SRCS = bind.c open.c result.c error.c co + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ + tls2.c tls_o.c tls_g.c tls_m.c \ +- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ ++ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \ + assertion.c deref.c ldif.c fetch.c + + OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ +@@ -40,7 +40,7 @@ OBJS = bind.lo open.lo result.lo error.l + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ + tls2.lo tls_o.lo tls_g.lo tls_m.lo \ +- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ ++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \ + assertion.lo deref.lo ldif.lo fetch.lo + + LDAP_INCDIR= ../../include +--- a/libraries/libldap_r/Makefile.in ++++ b/libraries/libldap_r/Makefile.in +@@ -29,7 +29,7 @@ XXSRCS = apitest.c test.c \ + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ + tls2.c tls_o.c tls_g.c tls_m.c \ +- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ ++ turn.c ppolicy.c dds.c txn.c 
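Review bot: In ldap_ntlm_bind the result of the first `ber_printf( ber, "{it{istON}", ... )` is stored in `rc` and never examined, so an encoding failure of the bind request is only noticed if the later `"N}"` call happens to fail as well; add `if ( rc == -1 ) { ld->ld_errno = LDAP_ENCODING_ERROR; ber_free( ber, 1 ); return ld->ld_errno; }` directly after it. The `assert( msgidp != NULL )` placed before `if( msgidp == NULL )` makes that check unreachable in debug builds; keep one of the two. ldap_parse_ntlm_bind_result fills `challenge` through the `o` format, so the caller owns `challenge->bv_val` and must release it with ber_memfree, and `ld->ld_errno` is set to whatever resultCode the server returned; neither is documented on the new public declarations in ldap.h, and a short header comment on each function should say so. The file header still carries a 2002 `$OpenLDAP$` id and copyright that do not match the rest of this tree.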
ldap_sync.c stctrl.c ntlm.c \ + assertion.c deref.c ldif.c fetch.c + SRCS = threads.c rdwr.c rmutex.c tpool.c rq.c \ + thr_posix.c thr_cthreads.c thr_thr.c thr_nt.c \ +@@ -47,7 +47,7 @@ OBJS = threads.lo rdwr.lo rmutex.lo tpoo + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ + tls2.lo tls_o.lo tls_g.lo tls_m.lo \ +- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ ++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \ + assertion.lo deref.lo ldif.lo fetch.lo + + LDAP_INCDIR= ../../include diff --git a/debian/patches/fix-build-top-mk b/debian/patches/fix-build-top-mk new file mode 100644 index 0000000..418fe35 --- /dev/null +++ b/debian/patches/fix-build-top-mk @@ -0,0 +1,11 @@ +--- a/build/top.mk ++++ b/build/top.mk +@@ -20,7 +20,7 @@ + RELEASEDATE= @OPENLDAP_RELEASE_DATE@ + + @SET_MAKE@ +-SHELL = /bin/sh ++SHELL = @SHELL@ + + top_builddir = @top_builddir@ + diff --git a/debian/patches/getaddrinfo-is-threadsafe b/debian/patches/getaddrinfo-is-threadsafe new file mode 100644 index 0000000..ab6e2b7 --- /dev/null +++ b/debian/patches/getaddrinfo-is-threadsafe 
@@ -0,0 +1,43 @@
+Author: Steve Langasek <vorlon@debian.org>
+
+OpenLDAP upstream conservatively assumes that certain resolver functions
+(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
+know that the glibc implementations of these functions are thread-safe, so
+we should bypass the use of this mutex. This fixes a locking problem when
+an application uses libldap and libnss-ldap is also used for hosts
+resolution.
+
+Closes Debian bug #340601.
+
+Not suitable for forwarding upstream; might be made suitable by adding a
+configure-time check for glibc and disabling the mutex only on known
+thread-safe implementations.
+
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -602,13 +602,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *
+ hints.ai_socktype = socktype;
+ snprintf(serv, sizeof serv, "%d", port );
+
+- /* most getaddrinfo(3) use non-threadsafe resolver libraries */
+- LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
+-
+ err = getaddrinfo( host, serv, &hints, &res );
+-
+- LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
+-
+ if ( err != 0 ) {
+ osip_debug(ld, "ldap_connect_to_host: getaddrinfo failed: %s\n",
+ AC_GAI_STRERROR(err), 0, 0);
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -431,9 +431,7 @@ int ldap_pvt_get_hname(
+ int rc;
+ #if defined( HAVE_GETNAMEINFO )
+
+- LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex );
+ rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 );
+- LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex );
+ if ( rc ) *err = (char *)AC_GAI_STRERROR( rc );
+ return rc;
+
diff --git a/debian/patches/index-files-created-as-root b/debian/patches/index-files-created-as-root
new file mode 100644
index 0000000..47fc88a
--- /dev/null
+++ b/debian/patches/index-files-created-as-root
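Review bot: The lock/unlock pair around `getnameinfo` in ldap_pvt_get_hname is removed unconditionally, although the preamble itself says the change is only known to be safe on glibc and is not suitable upstream in this form; wrapping the `LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex );` and `LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex );` lines in `#ifndef __GLIBC__` / `#endif` keeps the fix for Debian while leaving other libcs serialised. The same applies to the getaddrinfo hunk above. The preamble lists res_query and dn_expand as other users of `ldap_int_resolv_mutex` and those are not touched here, so a comment at the mutex definition should say whether it is still required for them. Both enclosing functions extend outside their hunks.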
@@ -0,0 +1,37 @@
+Document in the man page that slapindex should be run as the same user
+as slapd, and print a warning if it's run as root (since Debian defaults
+to running slapd as openldap).
+
+Not suitable for upstream in this form. This patch needs to be reworked
+to check the BerkeleyDB database ownership and only warn if running as
+root with a database that's not owned by root.
+
+Upstream ITS #5356 filed requesting better handling of this. Current
+upstream discussion leans towards putting the check into the database
+backend and aborting if slapd is run as a different user than the database
+owner, which is an even better fix.
+
+--- a/doc/man/man8/slapindex.8
++++ b/doc/man/man8/slapindex.8
+@@ -148,6 +148,10 @@
+ should not be running (at least, not in read-write
+ mode) when you do this to ensure consistency of the database.
+ .LP
++slapindex ought to be run as the user specified for
++.BR slapd (8)
++to ensure correct database permissions.
++.LP
+ This command provides ample opportunity for the user to obtain
+ and drink their favorite beverage.
+ .SH EXAMPLES
+--- a/servers/slapd/slapindex.c
++++ b/servers/slapd/slapindex.c
+@@ -34,6 +34,8 @@
+ int
+ slapindex( int argc, char **argv )
+ {
++ if (geteuid() == 0)
++ fprintf( stderr, "\nWARNING!\nRunnig as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n");
+ ID id;
+ int rc = EXIT_SUCCESS;
+ const char *progname = "slapindex";
diff --git a/debian/patches/lastbind-makefile-manpage b/debian/patches/lastbind-makefile-manpage
new file mode 100644
index 0000000..66e5a79
--- /dev/null
+++ b/debian/patches/lastbind-makefile-manpage
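Review bot: The warning text in the new `geteuid() == 0` check misspells "Running" as `Runnig`, and the statement is inserted before the declarations `ID id;` and `int rc = EXIT_SUCCESS;`, which breaks the declarations-before-statements layout the rest of slapindex uses; move the check below `const char *progname = "slapindex";` and fix the string: `fprintf( stderr, "\nWARNING!\nRunning as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n" );`. `geteuid` needs `<unistd.h>`, and the hunk does not show whether slapindex.c already includes it. The preamble concedes the warning fires even when the database is legitimately owned by root, so a `/* Debian runs slapd as openldap; root-created index files would be unreadable to it */` comment on the check tells later readers why it exists. slapindex continues past the hunk.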
@@ -0,0 +1,46 @@ +--- a/contrib/slapd-modules/lastbind/Makefile ++++ b/contrib/slapd-modules/lastbind/Makefile +@@ -17,6 +17,7 @@ + $(LDAP_BUILD)/libraries/liblber/liblber.la + + LIBTOOL = $(LDAP_BUILD)/libtool ++INSTALL = /usr/bin/install + CC = gcc + OPT = -g -O2 -Wall + DEFS = -DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC +@@ -25,6 +26,7 @@ + + PROGRAMS = lastbind.la + LTVER = 0:0:0 ++MANPAGES = slapo-lastbind.5 + + prefix=/usr/local + exec_prefix=$(prefix) +@@ -33,6 +35,8 @@ + libdir=$(exec_prefix)/lib + libexecdir=$(exec_prefix)/libexec + moduledir = $(libexecdir)$(ldap_subdir) ++mandir = $(exec_prefix)/share/man ++man5dir = $(mandir)/man5 + + .SUFFIXES: .c .o .lo + +@@ -48,9 +52,17 @@ + clean: + rm -rf *.o *.lo *.la .libs + +-install: $(PROGRAMS) ++install: install-lib install-man FORCE ++ ++install-lib: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + ++install-man: $(MANPAGES) ++ mkdir -p $(DESTDIR)$(man5dir) ++ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) ++ ++FORCE: ++ diff --git a/debian/patches/ldap-conf-tls-cacertdir b/debian/patches/ldap-conf-tls-cacertdir new file mode 100644 index 0000000..e8aab91 --- /dev/null +++ b/debian/patches/ldap-conf-tls-cacertdir 
@@ -0,0 +1,29 @@ +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -317,7 +317,7 @@ certificates in separate individual file + .B TLS_CACERT + is always used before + .B TLS_CACERTDIR. +-This parameter is ignored with GnuTLS. ++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS. + + When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key + database. If <path> contains a Mozilla NSS cert/key database and +@@ -428,7 +428,7 @@ This parameter is ignored with GnuTLS. + Specifies the file to obtain random bits from when /dev/[u]random is + not available. Generally set to the name of the EGD/PRNGD socket. + The environment variable RANDFILE can also be used to specify the filename. +-This parameter is ignored with GnuTLS and Mozilla NSS. ++This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS. + .TP + .B TLS_REQCERT <level> + Specifies what checks to perform on server certificates in a TLS session, +@@ -461,7 +461,7 @@ Specifies if the Certificate Revocation + used to verify if the server certificates have not been revoked. This + requires + .B TLS_CACERTDIR +-parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS. ++parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS. + .B <level> + can be specified as one of the following keywords: + .RS diff --git a/debian/patches/ldapi-socket-place b/debian/patches/ldapi-socket-place new file mode 100644 index 0000000..a482bbf --- /dev/null +++ b/debian/patches/ldapi-socket-place 
@@ -0,0 +1,16 @@
+Move the ldapi socket to /var/run/slapd from /var/run, since /var/run
+is only writable by root and slapd runs as openldap.
+
+Debian-specific.
+
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -39,7 +39,7 @@
+ #define LDAP_ENV_PREFIX "LDAP"
+
+ /* default ldapi:// socket */
+-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi"
+
+ /*
+ * SLAPD DEFINITIONS
diff --git a/debian/patches/libldap-symbol-versions b/debian/patches/libldap-symbol-versions
new file mode 100644
index 0000000..fb28f49
--- /dev/null
+++ b/debian/patches/libldap-symbol-versions
@@ -0,0 +1,161 @@ +Add symbol versioning to the public LDAP libraries. This is required for +library transitions, such as the current transition from 2.1 to 2.4, +since programs will sometimes have both libraries loaded by different +dependency chains during the transition. + +Not yet contributed upstream. + +Upstream ITS #5365 filed requesting symbol versioning for libldap and +libber. + +--- a/libraries/libldap_r/Makefile.in ++++ b/libraries/libldap_r/Makefile.in +@@ -61,6 +61,9 @@ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) + XXXLIBS = $(LTHREAD_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) + UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map" ++endif + + .links : Makefile + @for i in $(XXSRCS); do \ +--- a/build/top.mk ++++ b/build/top.mk +@@ -104,6 +104,9 @@ LTFLAGS_MOD = $(@PLAT@_LTFLAGS_MOD) + # LINK_LIBS referenced in library and module link commands. 
+ LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS) + ++# option to pass to $(CC) to support library symbol versioning, if any ++VERSION_OPTION = @VERSION_OPTION@ ++ + LTSTATIC = @LTSTATIC@ + + LTLINK = $(LIBTOOL) --mode=link \ +@@ -113,7 +116,7 @@ LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) + $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c + + LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \ +- $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) ++ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS) + + LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \ + $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c +--- a/build/openldap.m4 ++++ b/build/openldap.m4 +@@ -1136,3 +1136,54 @@ AC_DEFUN([OL_SSL_COMPAT], + #endif + ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])]) + ]) ++ ++dnl ==================================================================== ++dnl check for symbol versioning support ++AC_DEFUN([OL_SYMBOL_VERSIONING], ++[AC_CACHE_CHECK([for .symver assembler directive], ++ [ol_cv_asm_symver_directive],[ ++cat > conftest.s <<EOF ++${libc_cv_dot_text} ++_sym: ++.symver _sym,sym@VERS ++EOF ++if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then ++ ol_cv_asm_symver_directive=yes ++else ++ ol_cv_asm_symver_directive=no ++fi ++rm -f conftest*]) ++AC_CACHE_CHECK([for ld --version-script], ++ [ol_cv_ld_version_script_option],[ ++if test $ol_cv_asm_symver_directive = yes; then ++ cat > conftest.s <<EOF ++${libc_cv_dot_text} ++_sym: ++.symver _sym,sym@VERS ++EOF ++ cat > conftest.map <<EOF ++VERS_1 { ++ global: sym; ++}; ++ ++VERS_2 { ++ global: sym; ++} VERS_1; ++EOF ++ if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then ++ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared ++ -o conftest.so conftest.o ++ -Wl,--version-script,conftest.map ++ 1>&AS_MESSAGE_LOG_FD]); ++ then ++ ol_cv_ld_version_script_option=yes ++ else ++ ol_cv_ld_version_script_option=no ++ fi ++ else ++ 
ol_cv_ld_version_script_option=no ++ fi ++else ++ ol_cv_ld_version_script_option=no ++fi ++rm -f conftest*])]) +--- a/configure.in ++++ b/configure.in +@@ -1909,6 +1909,13 @@ else + fi + AC_SUBST(LTSTATIC)dnl + ++VERSION_OPTION="" ++OL_SYMBOL_VERSIONING ++if test $ol_cv_ld_version_script_option = yes ; then ++ VERSION_OPTION="-Wl,--version-script=" ++fi ++AC_SUBST(VERSION_OPTION) ++ + dnl ---------------------------------------------------------------- + if test $ol_enable_wrappers != no ; then + AC_CHECK_HEADERS(tcpd.h,[ +--- /dev/null ++++ b/libraries/libldap/libldap.map +@@ -0,0 +1,7 @@ ++OPENLDAP_2.4_2 { ++ global: ++ ldap_*; ++ ldif_*; ++ local: ++ *; ++}; +--- a/libraries/libldap/Makefile.in ++++ b/libraries/libldap/Makefile.in +@@ -52,6 +52,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $( + XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) + UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map ++endif + + apitest: $(XLIBS) apitest.o + $(LTLINK) -o $@ apitest.o $(LIBS) +--- a/libraries/liblber/Makefile.in ++++ b/libraries/liblber/Makefile.in +@@ -38,6 +38,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A) + XXLIBS = + NT_LINK_LIBS = $(AC_LIBS) + UNIX_LINK_LIBS = $(AC_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map" ++endif + + dtest: $(XLIBS) dtest.o + $(LTLINK) -o $@ dtest.o $(LIBS) +--- /dev/null ++++ b/libraries/liblber/liblber.map +@@ -0,0 +1,8 @@ ++OPENLDAP_2.4_2 { ++ global: ++ ber_*; ++ der_alloc; ++ lutil_*; ++ local: ++ *; ++}; diff --git a/debian/patches/man-slapd b/debian/patches/man-slapd new file mode 100644 index 0000000..5f55137 --- /dev/null +++ b/debian/patches/man-slapd 
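Review bot: Both `cat > conftest.s` heredocs in `OL_SYMBOL_VERSIONING` expand `${libc_cv_dot_text}`, a name that nothing in this hunk or in the visible `configure.in` change sets, so the assembler input presumably begins with an empty line rather than a section directive; the probe still passes because the default section is text, but writing `.text` literally (or dropping the line) stops the check from depending on a glibc-configure variable by accident. The three Makefile.in additions are not consistent with each other: `libldap_r` and `liblber` quote `VERSION_FLAGS` and `libldap_r` points at `$(XXDIR)/libldap.map`, whereas `libldap` uses an unquoted `$(srcdir)/libldap.map`; one form for all three avoids a surprise when `srcdir` contains spaces. `liblber.map` also exports `lutil_*` from liblber, which widens liblber's versioned ABI beyond `ber_*`; if that is deliberate because `XLIBS` links `$(LDAP_LIBLUTIL_A)` in, a one-line comment in the map saying so would keep the next reader from tidying it away and silently dropping symbols.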
@@ -0,0 +1,60 @@ +Patch the slapd man page to not refer to a header file that isn't +installed with the slapd package and to reference the correct path +for slapd. + +Debian-specific. + +--- a/doc/man/man8/slapd.8 ++++ b/doc/man/man8/slapd.8 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B /usr/sbin/slapd + [\c + .BR \-4 | \-6 ] + [\c +@@ -103,11 +103,10 @@ + will not fork or disassociate from the invoking terminal. Some general + operation and status messages are printed for any value of \fIdebug-level\fP. + \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a +-different kind of debugging information. See <ldap_log.h> for details. +-Comma-separated arrays of friendly names can be specified to select +-debugging output of the corresponding debugging information. +-All the names recognized by the \fIloglevel\fP directive +-described in \fBslapd.conf\fP(5) are supported. ++different kind of debugging information. Comma-separated arrays of friendly ++names can be specified to select debugging output of the corresponding ++debugging information. All the names recognized by the \fIloglevel\fP ++directive described in \fBslapd.conf\fP(5) are supported. + If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed, + and slapd exits. + +@@ -317,7 +316,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ /usr/sbin/slapd + .ft + .fi + .LP +@@ -328,7 +327,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ /usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255 + .ft + .fi + .LP +@@ -336,7 +335,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ /usr/sbin/slapd \-Tt + .ft + .fi + .LP diff --git a/debian/patches/no-AM_INIT_AUTOMAKE b/debian/patches/no-AM_INIT_AUTOMAKE new file mode 100644 index 0000000..0976036 --- /dev/null +++ b/debian/patches/no-AM_INIT_AUTOMAKE 
@@ -0,0 +1,25 @@
+Description: don't use AM_INIT_AUTOMAKE macro when we aren't using automake
+ Calling AM_INIT_AUTOMAKE() in configure.in serves no purpose if we're not
+ using automake, and it confuses autoreconf. Use AC_INIT() instead.
+Author: Steve Langasek <vorlon@debian.org>
+
+--- a/configure.in
++++ b/configure.in
+@@ -26,7 +26,8 @@ dnl Configure.in for OpenLDAP
+ AC_COPYRIGHT([[Copyright 1998-2018 The OpenLDAP Foundation. All rights reserved.
+ Restrictions apply, see COPYRIGHT and LICENSE files.]])
+ AC_REVISION([$Id: 2a4d29f78fa5f6b25f2c5cecac2126fcc3bd8623 $])
+-AC_INIT([OpenLDAP],,[http://www.openldap.org/its/])
++AC_INIT([OpenLDAP],[$OL_VERSION],[http://www.openldap.org/its/])
++AC_PROG_MAKE_SET
+ m4_define([AC_PACKAGE_BUGREPORT],[<http://www.openldap.org/its/>])
+ AC_CONFIG_SRCDIR(build/version.sh)dnl
+ dnl ----------------------------------------------------------------
+@@ -69,7 +70,6 @@ dnl Determine host platform
+ dnl we try not to use this for much
+ AC_CANONICAL_TARGET([])
+
+-AM_INIT_AUTOMAKE([$OL_PACKAGE],[$OL_VERSION], [no defines])dnl
+ AC_SUBST(PACKAGE)dnl
+ AC_SUBST(VERSION)dnl
+ AC_DEFINE_UNQUOTED(OPENLDAP_PACKAGE,"$PACKAGE",Package)
diff --git a/debian/patches/no-bdb-ABI-second-guessing b/debian/patches/no-bdb-ABI-second-guessing
new file mode 100644
index 0000000..db76aa7
--- /dev/null
+++ b/debian/patches/no-bdb-ABI-second-guessing
@@ -0,0 +1,42 @@
+Author: Steve Langasek <vorlon@debian.org>
+Description: don't second-guess BDB ABI
+ OpenLDAP upstream conservatively assumes that any change to the version
+ number of libdb can result in an API-breaking change that could impact
+ the database. In Debian, we know that such changes require bumping the
+ library soname and changing the package name, and demand such rigor from
+ our package maintainers even when upstreams don't deliver; so any such
+ check in the source code works against the packaging system by forcing
+ database upgrades when we know none are required. Disable this check
+ so we rely on the packaging system to do its job.
+Bug-Debian: http://bugs.debian.org/651333
+Forwarded: not-needed
+
+--- a/servers/slapd/back-bdb/init.c
++++ b/servers/slapd/back-bdb/init.c
+@@ -762,7 +762,7 @@ bdb_back_initialize(
+ bi->bi_controls = controls;
+
+ { /* version check */
+- int major, minor, patch, ver;
++ int major, minor, patch;
+ char *version = db_version( &major, &minor, &patch );
+ #ifdef HAVE_EBCDIC
+ char v2[1024];
+@@ -776,17 +776,6 @@ bdb_back_initialize(
+ version = v2;
+ #endif
+
+- ver = (major << 24) | (minor << 16) | patch;
+- if( ver != DB_VERSION_FULL ) {
+- /* fail if a versions don't match */
+- Debug( LDAP_DEBUG_ANY,
+- LDAP_XSTRING(bdb_back_initialize) ": "
+- "BDB library version mismatch:"
+- " expected " DB_VERSION_STRING ","
+- " got %s\n", version, 0, 0 );
+- return -1;
+- }
+-
+ Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_back_initialize)
+ ": %s\n", version, 0, 0 );
+ }
diff --git a/debian/patches/no-gnutls_global_set_mutex b/debian/patches/no-gnutls_global_set_mutex
new file mode 100644
index 0000000..c81f926
--- /dev/null
+++ b/debian/patches/no-gnutls_global_set_mutex
@@ -0,0 +1,77 @@ +Description: Do not call gnutls_global_set_mutex() + Since GnuTLS moved to implicit initialization on library load, calling + this function deinitializes GnuTLS and then re-initializes it. + . + When GnuTLS uses /dev/urandom as an entropy source (getrandom() not + available, or older versions of GnuTLS), and the application closed all + file descriptors at startup, this could result in GnuTLS opening + /dev/urandom over one of the application's file descriptors when + re-initialized. + . + Additionally, the custom mutex functions are never reset, so if libldap + is unloaded (for example via dlclose()) after calling this, its code + may be unmapped and the application could crash when GnuTLS calls the + mutex functions. + . + The default behaviour of GnuTLS, using pthreads, should be suitable on + all Debian systems, and is probably the same as what libldap uses + anyway. +Author: Ryan Tandy <ryan@nardis.ca> +Bug-Debian: https://bugs.debian.org/803197 +Forwarded: no + +--- a/libraries/libldap/tls_g.c ++++ b/libraries/libldap/tls_g.c +@@ -67,51 +67,10 @@ + + #ifdef LDAP_R_COMPILE + +-static int +-tlsg_mutex_init( void **priv ) +-{ +- int err = 0; +- ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t )); +- +- if ( !lock ) +- err = ENOMEM; +- if ( !err ) { +- err = ldap_pvt_thread_mutex_init( lock ); +- if ( err ) +- LDAP_FREE( lock ); +- else +- *priv = lock; +- } +- return err; +-} +- +-static int +-tlsg_mutex_destroy( void **lock ) +-{ +- int err = ldap_pvt_thread_mutex_destroy( *lock ); +- LDAP_FREE( *lock ); +- return err; +-} +- +-static int +-tlsg_mutex_lock( void **lock ) +-{ +- return ldap_pvt_thread_mutex_lock( *lock ); +-} +- +-static int +-tlsg_mutex_unlock( void **lock ) +-{ +- return ldap_pvt_thread_mutex_unlock( *lock ); +-} +- + static void + tlsg_thr_init( void ) + { +- gnutls_global_set_mutex (tlsg_mutex_init, +- tlsg_mutex_destroy, +- tlsg_mutex_lock, +- tlsg_mutex_unlock); ++ /* do nothing */ + } + #endif 
/* LDAP_R_COMPILE */ + diff --git a/debian/patches/sasl-default-path b/debian/patches/sasl-default-path new file mode 100644 index 0000000..6d5c7b0 --- /dev/null +++ b/debian/patches/sasl-default-path @@ -0,0 +1,55 @@ +Add /etc/ldap/sasl2 to the SASL configuration search path. + +Not submitted upstream. Somewhat Debian-specific and probably not of +interest upstream. + +--- a/include/ldap_defaults.h ++++ b/include/ldap_defaults.h +@@ -63,4 +63,6 @@ + /* dn of the default "monitor" subentry */ + #define SLAPD_MONITOR_DN "cn=Monitor" + ++#define SASL_CONFIGPATH LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2" ++ + #endif /* _LDAP_CONFIG_H */ +--- a/servers/slapd/sasl.c ++++ b/servers/slapd/sasl.c +@@ -1103,12 +1103,38 @@ static const rewrite_mapper slapd_mapper + }; + #endif + ++static int ++slap_sasl_getconfpath( void * context, char ** path ) ++{ ++ char * sasl_default_configpath; ++ size_t len; ++ ++#if SASL_VERSION_MAJOR >= 2 ++ sasl_default_configpath = "/usr/lib/sasl2"; ++#else ++ sasl_default_configpath = "/usr/lib/sasl"; ++#endif ++ ++ len = strlen(SASL_CONFIGPATH) + 1 /* colon */ + ++ strlen(sasl_default_configpath) + 1 /* \0 */; ++ *path = malloc( len ); ++ if ( *path == NULL ) ++ return SASL_FAIL; ++ ++ if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH, ++ sasl_default_configpath ) != len-1 ) ++ return SASL_FAIL; ++ ++ return SASL_OK; ++} ++ + int slap_sasl_init( void ) + { + #ifdef HAVE_CYRUS_SASL + int rc; + static sasl_callback_t server_callbacks[] = { + { SASL_CB_LOG, (slap_sasl_cb_ft)&slap_sasl_log, NULL }, ++ { SASL_CB_GETCONFPATH, (slap_sasl_cb_ft)&slap_sasl_getconfpath, NULL }, + { SASL_CB_GETOPT, (slap_sasl_cb_ft)&slap_sasl_getopt, NULL }, + { SASL_CB_LIST_END, NULL, NULL } + }; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..85497de --- /dev/null +++ b/debian/patches/series 
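Review bot: `/* do nothing */` in `tlsg_thr_init` says what the body does but not why, and the reasoning lives only in the DEP-3 header, which is invisible from `tls_g.c` itself; a why-comment such as `/* Intentionally empty: GnuTLS uses its own pthread locking, and calling gnutls_global_set_mutex() after its implicit init re-initialises the library (Debian #803197). */` keeps the rationale next to the code. With the four `tlsg_mutex_*` helpers gone, the `#ifdef LDAP_R_COMPILE` block now holds only an empty function, so whether the block is still worth keeping depends on its caller, which is outside the hunk.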
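Review bot: In `slap_sasl_getconfpath`, the `snprintf` failure branch returns `SASL_FAIL` while leaving the freshly malloc'd buffer in `*path`, so it both leaks the allocation and hands the caller a pointer to undefined contents; the branch should release it first: `{ free( *path ); *path = NULL; return SASL_FAIL; }`. The comparison `!= len-1` pits an `int` against a `size_t`, which `-Wsign-compare` flags; comparing against `(int)(len - 1)` keeps a negative `snprintf` return detectable, whereas casting the return to `size_t` would not. Since `len` is computed from the same two strings, the check can only catch an encoding error, and a short comment saying so would stop a reader from looking for a truncation case that cannot happen. Whether libsasl2 releases the returned path with plain `free()` or expects its own allocator is not visible here and should be confirmed against the `SASL_CB_GETCONFPATH` contract. `slap_sasl_init` continues past the end of the hunk.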
@@ -0,0 +1,48 @@ +man-slapd +evolution-ntlm +slapi-errorlog-file +ldapi-socket-place +wrong-database-location +index-files-created-as-root +sasl-default-path +libldap-symbol-versions +getaddrinfo-is-threadsafe +do-not-second-guess-sonames +contrib-makefiles +smbk5pwd-makefile-manpage +lastbind-makefile-manpage +ldap-conf-tls-cacertdir +add-tlscacert-option-to-ldap-conf +fix-build-top-mk +no-AM_INIT_AUTOMAKE +switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff +no-bdb-ABI-second-guessing +ITS6035-olcauthzregex-needs-restart.patch +set-maintainer-name +no-gnutls_global_set_mutex +ITS-9038-restrict-rootDN-proxyauthz-to-its-own-DBs.patch +ITS-9038-Update-test028-to-test-this-is-enforced.patch +ITS-9038-Fix-typo-in-test-script.patch +ITS-9038-Another-test028-typo.patch +ITS-9052-zero-out-sasl_ssf-in-connection_init.patch +ITS-8964-Do-not-free-original-filter.patch +ITS-9202-limit-depth-of-nested-filters.patch +ITS-9370-check-for-equality-rule-on-old_rdn.patch +ITS-9383-remove-assert-in-certificateListValidate.patch +ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch +ITS-9404-fix-serialNumberAndIssuerCheck.patch +ITS-9406-9407-remove-saslauthz-asserts.patch +ITS-9406-fix-debug-msg.patch +ITS-9408-fix-vrfilter-double-free.patch +ITS-9409-saslauthz-use-ch_free-on-normalized-DN.patch +ITS-9409-saslauthz-use-slap_sl_free-in-prev-commit.patch +ITS-9411-fix-thisUpdate-check.patch +ITS-9412-fix-AVA_Sort-on-invalid-RDN.patch +ITS-9413-fix-slap_parse_user.patch +ITS-9423-ldap_X509dn2bv-check-for-invalid-BER-after-.patch +ITS-9424-fix-serialNumberAndIssuerSerialCheck.patch +ITS-9425-add-more-checks-to-ldap_X509dn2bv.patch +ITS-9427-fix-issuerAndThisUpdateCheck.patch +ITS-9428-fix-cancel-exop.patch +ITS-9454-fix-issuerAndThisUpdateCheck.patch +ITS-9815-slapd-sql-escape-filter-values.patch diff --git a/debian/patches/set-maintainer-name b/debian/patches/set-maintainer-name new file mode 100644 index 0000000..262b7ef --- /dev/null +++ b/debian/patches/set-maintainer-name 
@@ -0,0 +1,16 @@
+--- a/build/mkversion
++++ b/build/mkversion
+@@ -50,12 +50,7 @@
+ fi
+
+ APPLICATION=$1
+-# Reproducible builds set SOURCE_DATE_EPOCH, want constant strings
+-if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+- WHOWHERE="openldap"
+-else
+- WHOWHERE="$USER@$(uname -n):$(pwd)"
+-fi
++WHOWHERE="Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>"
+
+ cat << __EOF__
+ /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
diff --git a/debian/patches/slapi-errorlog-file b/debian/patches/slapi-errorlog-file
new file mode 100644
index 0000000..4899451
--- /dev/null
+++ b/debian/patches/slapi-errorlog-file
@@ -0,0 +1,16 @@
+The slapi error log file defaults to /var/errors given our setting
+of --localstatedir. Move it to /var/log/slapi-errors instead.
+
+Debian-specific.
+
+--- a/servers/slapd/slapi/slapi_overlay.c
++++ b/servers/slapd/slapi/slapi_overlay.c
+@@ -930,7 +930,7 @@ int slapi_over_config( BackendDB *be, Co
+ ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex );
+
+ if ( slapi_log_file == NULL )
+- slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" );
++ slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" );
+
+ rc = slapi_int_init_object_extensions();
+ if ( rc != 0 )
diff --git a/debian/patches/smbk5pwd-makefile-manpage b/debian/patches/smbk5pwd-makefile-manpage
new file mode 100644
index 0000000..8b09206
--- /dev/null
+++ b/debian/patches/smbk5pwd-makefile-manpage
@@ -0,0 +1,251 @@ +From: Peter Marschall <peter@adpm.de> +Date: Sun, 26 Jul 2015 15:04:26 +0200 +Subject: [PATCH] contrib/smbk5pwd: add man page, install it too + +Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to +install the new manual page. + +This patch is derived from the corresponding patch upstreamed in ITS#8205 + +--- + contrib/slapd-modules/smbk5pwd/Makefile | 14 +- + contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 | 179 ++++++++++++++++++++++++ + 2 files changed, 192 insertions(+), 1 deletion(-) + create mode 100644 contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 + +diff --git a/contrib/slapd-modules/smbk5pwd/Makefile b/contrib/slapd-modules/smbk5pwd/Makefile +index 676d914..0042a49 100644 +--- a/contrib/slapd-modules/smbk5pwd/Makefile ++++ b/contrib/slapd-modules/smbk5pwd/Makefile +@@ -25,6 +25,7 @@ + HEIMDAL_LIB = $(shell krb5-config.heimdal --libs kadm-server) + + LIBTOOL = $(LDAP_BUILD)/libtool ++INSTALL = /usr/bin/install + CC = gcc + OPT = -g -O2 -Wall + # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it. 
+@@ -34,6 +35,7 @@ + LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB) + + PROGRAMS = smbk5pwd.la ++MANPAGES = slapo-smbk5pwd.5 + LTVER = 0:0:0 + + prefix=/usr/local +@@ -43,6 +45,8 @@ + libdir=$(exec_prefix)/lib + libexecdir=$(exec_prefix)/libexec + moduledir = $(libexecdir)$(ldap_subdir) ++mandir = $(exec_prefix)/share/man ++man5dir = $(mandir)/man5 + + .SUFFIXES: .c .o .lo + +@@ -58,9 +62,17 @@ + clean: + rm -rf *.o *.lo *.la .libs + +-install: $(PROGRAMS) ++install: install-lib install-man FORCE ++ ++install-lib: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + ++install-man: $(MANPAGES) ++ mkdir -p $(DESTDIR)$(man5dir) ++ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) ++ ++FORCE: ++ +diff --git a/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 +new file mode 100644 +index 0000000..431a765 +--- /dev/null ++++ b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 +@@ -0,0 +1,179 @@ ++.TH SLAPO-SMBK5PWD 5 "RELEASEDATE" "OpenLDAP LDVERSION" ++.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved. ++.\" Copying restrictions apply. See COPYRIGHT/LICENSE. ++.\" $OpenLDAP$ ++.SH NAME ++slapo-smbk5pwd \- Samba & Kerberos password sync overlay to slapd ++.SH SYNOPSIS ++ETCDIR/slapd.conf ++.RS ++.LP ++include ++.B "<path to>/krb5-kdc.schema" ++.LP ++include ++.B "<path to>/samba.schema" ++.LP ++moduleload ++.B smbk5pwd.so ++.LP ++ ... ++.LP ++database mdb ++.LP ++ ... ++.LP ++overlay ++.B smbk5pwd ++.RE ++ ++.SH DESCRIPTION ++.LP ++The ++.B smbk5pwd ++overlay to ++.BR slapd (8) ++overloads the Password Modify Extended Operation (RFC 3062) to update ++Kerberos keys and Samba password hashes for an LDAP user, as well as ++updating password change related attributes for Kerberos, Samba and/or ++UNIX user accounts. 
++.LP ++The Samba support is written using the Samba 3.0 LDAP schema; ++Kerberos support is written for Heimdal using its hdb-ldap backend. ++.LP ++Additionally, a new ++.B {K5KEY} ++password hash mechanism is provided. ++For ++.B krb5KDCEntry ++objects that have this scheme specifier in their ++.I userPassword ++attribute, Simple Binds will be checked against the Kerberos keys of the entry. ++No data is needed after the ++.B {K5KEY} ++scheme specifier in the ++.IR userPassword , ++it is looked up from the entry directly. ++ ++.SH CONFIGURATION ++The ++.B smbk5pwd ++overlay supports the following ++.B slapd.conf ++configuration options, which should appear after the ++.B overlay ++directive: ++.TP ++.BI smbk5pwd-enable " <module>" ++can be used to enable only the desired modules. ++Legal values for ++.I <module> ++are ++.LP ++.RS ++.TP ++.B krb5 ++If the user has the ++.B krb5KDCEntry ++objectclass, update the ++.B krb5Key ++and ++.B krb5KeyVersionNumber ++attributes using the new password in the Password Modify operation, ++provided the Kerberos account is not expired. ++Exiration is determined by evaluating the ++.B krb5ValidEnd ++attribute. ++.TP ++.B samba ++If the user is a ++.B sambaSamAccount ++object, synchronize the ++.B sambaLMPassword ++and ++.B sambaNTPassword ++to the password entered in the Password Modify operation, and update ++.B sambaPwdLastSet ++accordingly. ++.TP ++.B shadow ++Update the attribute ++.BR shadowLastChange , ++if the entry has the objectclass ++.BR shadowAccount . ++.LP ++By default all modules compiled in are enabled. ++Setting the config statement restricts the enabled modules to the ones ++explicitly mentioned. ++.RE ++.TP ++.BI smbk5pwd-can-change " <seconds>" ++If the ++.B samba ++module is enabled and the user is a ++.BR sambaSamAccount , ++update the attribute ++.B sambaPwdCanChange ++to point ++.I <seconds> ++into the future, essentially denying any Samba password change until then. 
++A value of ++.B 0 ++disables this feature. ++.TP ++.BI smbk5pwd-must-change " <seconds>" ++If the ++.B samba ++module is enabled and the user is a ++.BR sambaSamAccount , ++update the attribute ++.B sambaPwdMustChange ++to point ++.I <seconds> ++into the future, essentially setting the Samba password expiration time. ++A value of ++.B 0 ++disables this feature. ++.LP ++Alternatively, the overlay supports table-driven configuration, ++and thus can be run-time loaded and configured via back-config. ++ ++.SH EXAMPLE ++The layout of a slapd.d based, table-driven configuration entry looks like: ++.LP ++.EX ++ # {0}smbk5pwd, {1}bdb, config ++ dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config ++ objectClass: olcOverlayConfig ++ objectClass: olcSmbK5PwdConfig ++ olcOverlay: {0}smbk5pwd ++ olcSmbK5PwdEnable: krb5 ++ olcSmbK5PwdEnable: samba ++ olcSmbK5PwdMustChange: 2592000 ++.EE ++.LP ++which enables both ++.B krb5 ++and ++.B samba ++modules with a Samba password expiration time of 30 days (= ++.B 2592000 ++seconds). ++ ++.SH SEE ALSO ++.BR slapd.conf (5), ++.BR ldappasswd (1), ++.BR ldap (3), ++.LP ++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) ++.LP ++ ++.SH ACKNOWLEDGEMENTS ++This manual page has been writen by Peter Marschall based on the ++module's README file written by Howard Chu. ++.LP ++.B OpenLDAP ++is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). ++.B OpenLDAP ++is derived from University of Michigan LDAP 3.3 Release. ++ +-- +2.5.0 + diff --git a/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff new file mode 100644 index 0000000..f0dd4e1 --- /dev/null +++ b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff @@ -0,0 +1,40 @@ +From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
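Review bot: The new `slapo-smbk5pwd.5` ships two spelling errors to users: `Exiration is determined by evaluating the` should read `Expiration is determined by evaluating the`, and `This manual page has been writen by Peter Marschall` should read `written`. In the EXAMPLE section the comment line `# {0}smbk5pwd, {1}bdb, config` disagrees with the dn directly below it, `olcDatabase={1}mdb,cn=config`, so the comment should say `{1}mdb`; the SYNOPSIS already uses `database mdb`, which makes mdb the spelling to keep. The Makefile part of this hunk hard-codes `INSTALL = /usr/bin/install`, the same point raised on the lastbind Makefile hunk earlier on this page.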
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL.
+ Open all modules with RTLD_GLOBAL, needed so that back_perl can load
+ non-trivial Perl extensions that require symbols from back_perl.so itself.
+Bug-Debian: http://bugs.debian.org/327585
+
+---
+--- a/servers/slapd/module.c ++++ b/servers/slapd/module.c +@@ -117,6 +117,20 @@ int module_unload( const char *file_name + return -1; /* not found */ + } + ++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename ) ++{ ++ lt_dlhandle handle = 0; ++ lt_dladvise advise; ++ ++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise) ++ && !lt_dladvise_global (&advise)) ++ handle = lt_dlopenadvise (filename, advise); ++ ++ lt_dladvise_destroy (&advise); ++ ++ return handle; ++} ++ + int module_load(const char* file_name, int argc, char *argv[]) + { + module_loaded_t *module; +@@ -180,7 +194,7 @@ int module_load(const char* file_name, i + * to calling Debug. This is because Debug is a macro that expands + * into multiple function calls. + */ +- if ((module->lib = lt_dlopenext(file)) == NULL) { ++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) { + error = lt_dlerror(); + #ifdef HAVE_EBCDIC + strcpy( ebuf, error ); diff --git a/debian/patches/wrong-database-location b/debian/patches/wrong-database-location new file mode 100644 index 0000000..25d96cb --- /dev/null +++ b/debian/patches/wrong-database-location 
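Review bot: `slapd_lt_dlopenext_global` calls `lt_dladvise_destroy( &advise )` even when `lt_dladvise_init` failed, in which case nothing in this function has initialised `advise`; libltdl presumably stores a null advise on failure, but that is an implementation detail, so initialising it locally, `lt_dladvise advise = 0;`, makes the destroy safe by construction. On that same failure path the helper returns a null handle without a dlopen ever having been attempted, so `module_load`'s `error = lt_dlerror();` may yield a stale or missing message instead of the real cause, and the `strcpy( ebuf, error )` under `HAVE_EBCDIC` would not survive a NULL there; worth confirming how libltdl reports advise-allocation failures. Opening every module with RTLD_GLOBAL also means a symbol defined in one module can satisfy or shadow references in any module loaded after it, a different failure mode from the original `lt_dlopenext`, so a one-line comment on the helper carrying the back_perl motivation from the patch header would preserve why that trade-off was made. `module_load`'s body continues outside the hunk.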
@@ -0,0 +1,74 @@ +Move the default slapd database location to /var/lib/ldap instead of +/var/openldap-data. + +Debian-specific. + +--- a/doc/man/man5/slapd-bdb.5 ++++ b/doc/man/man5/slapd-bdb.5 +@@ -131,7 +131,7 @@ Specify the directory where the BDB file + associated indexes live. + A separate directory must be specified for each database. + The default is +-.BR LOCALSTATEDIR/openldap\-data . ++.BR LOCALSTATEDIR/lib/ldap . + .TP + .B dirtyread + Allow reads of modified but not yet committed data. +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -2007,7 +2007,7 @@ suffix "dc=our\-domain,dc=com" + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-directory LOCALSTATEDIR/openldap\-data ++directory LOCALSTATEDIR/lib/ldap + # Indices to maintain + index objectClass eq + index cn,sn,mail pres,eq,approx,sub +--- a/include/ldap_defaults.h ++++ b/include/ldap_defaults.h +@@ -47,7 +47,7 @@ + /* location of the default slapd config file */ + #define SLAPD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf" + #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" +-#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" ++#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap" + #define SLAPD_DEFAULT_DB_MODE 0600 + #define SLAPD_DEFAULT_UCDATA LDAP_DATADIR LDAP_DIRSEP "ucdata" + /* default max deref depth for aliases */ +--- a/servers/slapd/Makefile.in ++++ b/servers/slapd/Makefile.in +@@ -445,9 +445,9 @@ install-conf: FORCE + + install-db-config: FORCE + @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) +- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data ++ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ +- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example ++ 
$(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ + $(DESTDIR)$(sysconfdir)/DB_CONFIG.example + +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -2051,7 +2051,7 @@ olcSuffix: "dc=our\-domain,dc=com" + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-olcDbDirectory: LOCALSTATEDIR/openldap\-data ++olcDbDirectory: LOCALSTATEDIR/lib/ldap + # Indices to maintain + olcDbIndex: objectClass eq + olcDbIndex: cn,sn,mail pres,eq,approx,sub +--- a/doc/man/man5/slapd-mdb.5 ++++ b/doc/man/man5/slapd-mdb.5 +@@ -52,7 +52,7 @@ Specify the directory where the LMDB fil + associated indexes live. + A separate directory must be specified for each database. + The default is +-.BR LOCALSTATEDIR/openldap\-data . ++.BR LOCALSTATEDIR/lib/ldap . + .TP + \fBenvflags \fR{\fBnosync\fR,\fBnometasync\fR,\fBwritemap\fR,\fBmapasync\fR,\fBnordahead\fR} + Specify flags for finer-grained control of the LMDB library's operation. |