summaryrefslogtreecommitdiffstats
path: root/debian/patches
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch110
-rw-r--r--debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch25
-rw-r--r--debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch268
-rw-r--r--debian/patches/ITS6035-olcauthzregex-needs-restart.patch13
-rw-r--r--debian/patches/add-tlscacert-option-to-ldap-conf10
-rw-r--r--debian/patches/contrib-makefiles185
-rw-r--r--debian/patches/debian-version14
-rw-r--r--debian/patches/do-not-second-guess-sonames68
-rw-r--r--debian/patches/evolution-ntlm222
-rw-r--r--debian/patches/fix-build-top-mk11
-rw-r--r--debian/patches/getaddrinfo-is-threadsafe43
-rw-r--r--debian/patches/index-files-created-as-root37
-rw-r--r--debian/patches/lastbind-makefile-manpage46
-rw-r--r--debian/patches/ldap-conf-tls-cacertdir29
-rw-r--r--debian/patches/ldapi-socket-place16
-rw-r--r--debian/patches/libldap-symbol-versions161
-rw-r--r--debian/patches/man-slapd60
-rw-r--r--debian/patches/no-bdb-ABI-second-guessing42
-rw-r--r--debian/patches/sasl-default-path55
-rw-r--r--debian/patches/series24
-rw-r--r--debian/patches/set-maintainer-name16
-rw-r--r--debian/patches/slapi-errorlog-file16
-rw-r--r--debian/patches/smbk5pwd-makefile-manpage251
-rw-r--r--debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff40
-rw-r--r--debian/patches/wrong-database-location74
25 files changed, 1836 insertions, 0 deletions
diff --git a/debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch b/debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch
new file mode 100644
index 0000000..c391244
--- /dev/null
+++ b/debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch
@@ -0,0 +1,110 @@
+From 82ce81ee7ad4a252aed2d6a10ea808ff18a65ffd Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Sun, 22 Sep 2019 03:08:30 +0000
+Subject: [PATCH] ITS#9086 Add debug logging for more GnuTLS errors
+
+---
+ libraries/libldap/tls_g.c | 56 ++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 49 insertions(+), 7 deletions(-)
+
+diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
+index f3b4cd710..249f7e8d5 100644
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -188,9 +188,16 @@ tlsg_getfile( const char *path, gnutls_datum_t *buf )
+ {
+ int rc = -1, fd;
+ struct stat st;
++ char ebuf[128];
+
+ fd = open( path, O_RDONLY );
+- if ( fd >= 0 && fstat( fd, &st ) == 0 ) {
++ if ( fd < 0 ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: opening `%s' failed: %s\n",
++ path, AC_STRERROR_R( errno, ebuf, sizeof ebuf ), NULL );
++ return -1;
++ }
++ if ( fstat( fd, &st ) == 0 ) {
+ buf->size = st.st_size;
+ buf->data = LDAP_MALLOC( st.st_size + 1 );
+ if ( buf->data ) {
+@@ -236,7 +243,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ ctx->cred,
+ lt->lt_cacertfile,
+ GNUTLS_X509_FMT_PEM );
+- if ( rc < 0 ) return -1;
++ if ( rc < 0 ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use CA certificate file `%s': %s (%d)\n",
++ lo->ldo_tls_cacertfile, gnutls_strerror( rc ), rc );
++ return -1;
++ } else if ( rc == 0 ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: warning: no certificate loaded from CA certificate file `%s'.\n",
++ lo->ldo_tls_cacertfile, NULL, NULL );
++ /* only warn, no return */
++ }
+ }
+
+ if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
+@@ -254,18 +271,38 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ * do some special checks here...
+ */
+ rc = tlsg_getfile( lt->lt_keyfile, &buf );
+- if ( rc ) return -1;
++ if ( rc ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use private key file `%s`.\n",
++ lt->lt_keyfile, NULL, NULL );
++ return -1;
++ }
+ rc = gnutls_x509_privkey_import( key, &buf,
+ GNUTLS_X509_FMT_PEM );
+ LDAP_FREE( buf.data );
+- if ( rc < 0 ) return rc;
++ if ( rc < 0 ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use private key: %s (%d)\n",
++ gnutls_strerror( rc ), rc, NULL );
++ return rc;
++ }
+
+ rc = tlsg_getfile( lt->lt_certfile, &buf );
+- if ( rc ) return -1;
++ if ( rc ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use certificate file `%s`.\n",
++ lt->lt_certfile, NULL, NULL );
++ return -1;
++ }
+ rc = gnutls_x509_crt_list_import( certs, &max, &buf,
+ GNUTLS_X509_FMT_PEM, 0 );
+ LDAP_FREE( buf.data );
+- if ( rc < 0 ) return rc;
++ if ( rc < 0 ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use certificate: %s (%d)\n",
++ gnutls_strerror( rc ), rc, NULL );
++ return rc;
++ }
+
+ /* If there's only one cert and it's not self-signed,
+ * then we have to build the cert chain.
+@@ -282,7 +319,12 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
+ }
+ }
+ rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
+- if ( rc ) return -1;
++ if ( rc ) {
++ Debug( LDAP_DEBUG_ANY,
++ "TLS: could not use certificate with key: %s (%d)\n",
++ gnutls_strerror( rc ), rc, NULL );
++ return -1;
++ }
+ } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: only one of certfile and keyfile specified\n",
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch b/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch
new file mode 100644
index 0000000..a9b724a
--- /dev/null
+++ b/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch
@@ -0,0 +1,25 @@
+From 9badb73425a67768c09bcaed1a9c26c684af6c30 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Sat, 6 Feb 2021 20:52:06 +0000
+Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck
+
+---
+ servers/slapd/schema_init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
+index 31be1154ef..8b1e255393 100644
+--- a/servers/slapd/schema_init.c
++++ b/servers/slapd/schema_init.c
+@@ -3900,6 +3900,8 @@ issuerAndThisUpdateCheck(
+ break;
+ }
+ }
++ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX;
++
+ x.bv_val += tu->bv_len + 1;
+ x.bv_len -= tu->bv_len + 1;
+
+--
+2.20.1
+
diff --git a/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch b/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch
new file mode 100644
index 0000000..28e681d
--- /dev/null
+++ b/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch
@@ -0,0 +1,268 @@
+From 87df6c19915042430540931d199a39105544a134 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@openldap.org>
+Date: Wed, 23 Mar 2022 12:43:31 +0000
+Subject: [PATCH] ITS#9815 slapd-sql: escape filter values
+
+---
+ servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++-----
+ 1 file changed, 105 insertions(+), 18 deletions(-)
+
+--- a/servers/slapd/back-sql/search.c
++++ b/servers/slapd/back-sql/search.c
+@@ -63,6 +63,38 @@
+ ID *lastid );
+ #endif /* ! BACKSQL_ARBITRARY_KEY */
+
++/* Look for chars that need to be escaped, return count of them.
++ * If out is non-NULL, copy escape'd val to it.
++ */
++static int
++backsql_val_escape( Operation *op, struct berval *in, struct berval *out )
++{
++ char *ptr, *end;
++ int q = 0;
++
++ ptr = in->bv_val;
++ end = ptr + in->bv_len;
++ while (ptr < end) {
++ if ( *ptr == '\'' )
++ q++;
++ ptr++;
++ }
++ if ( q && out ) {
++ char *dst;
++ out->bv_len = in->bv_len + q;
++ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx );
++ ptr = in->bv_val;
++ dst = out->bv_val;
++ while (ptr < end ) {
++ if ( *ptr == '\'' )
++ *dst++ = '\'';
++ *dst++ = *ptr++;
++ }
++ *dst = '\0';
++ }
++ return q;
++}
++
+ static int
+ backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad )
+ {
+@@ -429,6 +461,8 @@
+ backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private;
+ int i;
+ int casefold = 0;
++ int escaped = 0;
++ struct berval escval, *fvalue;
+
+ if ( !f ) {
+ return 0;
+@@ -462,50 +496,68 @@
+
+ BER_BVZERO( &bv );
+ if ( f->f_sub_initial.bv_val ) {
+- bv.bv_len += f->f_sub_initial.bv_len;
++ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL );
+ }
+ if ( f->f_sub_any != NULL ) {
+ for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) {
+- bv.bv_len += f->f_sub_any[ a ].bv_len;
++ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL );
+ }
+ }
+ if ( f->f_sub_final.bv_val ) {
+- bv.bv_len += f->f_sub_final.bv_len;
++ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL );
+ }
+ bv.bv_len = 2 * bv.bv_len - 1;
+ bv.bv_val = ch_malloc( bv.bv_len + 1 );
+
+ s = 0;
+ if ( !BER_BVISNULL( &f->f_sub_initial ) ) {
+- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ];
+- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) {
++ fvalue = &f->f_sub_initial;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++ for ( i = 1; i < fvalue->bv_len; i++ ) {
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ];
++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ }
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+ s += 2 * i;
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ }
+
+ if ( f->f_sub_any != NULL ) {
+ for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) {
+- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ];
+- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) {
++ fvalue = &f->f_sub_any[ a ];
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++ for ( i = 1; i < fvalue->bv_len; i++ ) {
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ];
++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ }
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+ s += 2 * i;
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ }
+ }
+
+ if ( !BER_BVISNULL( &f->f_sub_final ) ) {
+- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ];
+- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) {
++ fvalue = &f->f_sub_final;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ];
++ for ( i = 1; i < fvalue->bv_len; i++ ) {
+ bv.bv_val[ s + 2 * i - 1 ] = '%';
+- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ];
++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ];
+ }
+- bv.bv_val[ s + 2 * i - 1 ] = '%';
++ bv.bv_val[ s + 2 * i - 1 ] = '%';
+ s += 2 * i;
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ }
+
+ bv.bv_val[ s - 1 ] = '\0';
+@@ -561,11 +613,17 @@
+ f->f_sub_initial.bv_val, 0 );
+ #endif /* BACKSQL_TRACE */
+
++ fvalue = &f->f_sub_initial;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
+ start = bsi->bsi_flt_where.bb_val.bv_len;
+ backsql_strfcat_x( &bsi->bsi_flt_where,
+ bsi->bsi_op->o_tmpmemctx,
+ "b",
+- &f->f_sub_initial );
++ fvalue );
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+ ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
+ }
+@@ -586,12 +644,18 @@
+ i, f->f_sub_any[ i ].bv_val );
+ #endif /* BACKSQL_TRACE */
+
++ fvalue = &f->f_sub_any[ i ];
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
+ start = bsi->bsi_flt_where.bb_val.bv_len;
+ backsql_strfcat_x( &bsi->bsi_flt_where,
+ bsi->bsi_op->o_tmpmemctx,
+ "bc",
+- &f->f_sub_any[ i ],
++ fvalue,
+ '%' );
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+ /*
+ * Note: toupper('%') = '%'
+@@ -611,11 +675,17 @@
+ f->f_sub_final.bv_val, 0 );
+ #endif /* BACKSQL_TRACE */
+
++ fvalue = &f->f_sub_final;
++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval );
++ if ( escaped )
++ fvalue = &escval;
+ start = bsi->bsi_flt_where.bb_val.bv_len;
+ backsql_strfcat_x( &bsi->bsi_flt_where,
+ bsi->bsi_op->o_tmpmemctx,
+ "b",
+- &f->f_sub_final );
++ fvalue );
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
+ if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) {
+ ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] );
+ }
+@@ -1183,6 +1253,8 @@
+ struct berval *filter_value = NULL;
+ MatchingRule *matching_rule = NULL;
+ struct berval ordering = BER_BVC("<=");
++ struct berval escval;
++ int escaped = 0;
+
+ Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n",
+ at->bam_ad->ad_cname.bv_val, 0, 0 );
+@@ -1237,6 +1309,10 @@
+ casefold = 1;
+ }
+
++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++ if ( escaped )
++ filter_value = &escval;
++
+ /* FIXME: directoryString filtering should use a similar
+ * approach to deal with non-prettified values like
+ * " A non prettified value ", by using a LIKE
+@@ -1317,6 +1393,10 @@
+ casefold = 1;
+ }
+
++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++ if ( escaped )
++ filter_value = &escval;
++
+ /*
+ * FIXME: should we uppercase the operands?
+ */
+@@ -1350,7 +1430,7 @@
+ &at->bam_sel_expr,
+ &ordering,
+ '\'',
+- &f->f_av_value,
++ filter_value,
+ (ber_len_t)STRLENOF( /* (' */ "')" ),
+ /* ( */ "')" );
+ }
+@@ -1374,13 +1454,17 @@
+ case LDAP_FILTER_APPROX:
+ /* we do our best */
+
++ filter_value = &f->f_av_value;
++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval );
++ if ( escaped )
++ filter_value = &escval;
+ /*
+ * maybe we should check type of at->sel_expr here somehow,
+ * to know whether upper_func is applicable, but for now
+ * upper_func stuff is made for Oracle, where UPPER is
+ * safely applicable to NUMBER etc.
+ */
+- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value );
++ (void)backsql_process_filter_like( bsi, at, 1, filter_value );
+ break;
+
+ default:
+@@ -1394,6 +1478,9 @@
+
+ }
+
++ if ( escaped )
++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx );
++
+ Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n",
+ at->bam_ad->ad_cname.bv_val, 0, 0 );
+
diff --git a/debian/patches/ITS6035-olcauthzregex-needs-restart.patch b/debian/patches/ITS6035-olcauthzregex-needs-restart.patch
new file mode 100644
index 0000000..acd3c6f
--- /dev/null
+++ b/debian/patches/ITS6035-olcauthzregex-needs-restart.patch
@@ -0,0 +1,13 @@
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -409,6 +409,10 @@
+ and replacement patterns. The matching patterns are checked in the order they
+ appear in the attribute, stopping at the first successful match.
+
++Note that changes to
++.B olcAuthzRegexp
++take effect the next time the server is started, not immediately upon
++changing the configuration.
+ .\".B Caution:
+ .\"Because the plus sign + is a character recognized by the regular expression engine,
+ .\"and it will appear in names that include a REALM, be careful to escape the
diff --git a/debian/patches/add-tlscacert-option-to-ldap-conf b/debian/patches/add-tlscacert-option-to-ldap-conf
new file mode 100644
index 0000000..e8e731a
--- /dev/null
+++ b/debian/patches/add-tlscacert-option-to-ldap-conf
@@ -0,0 +1,10 @@
+--- a/libraries/libldap/ldap.conf
++++ b/libraries/libldap/ldap.conf
+@@ -11,3 +11,7 @@
+ #SIZELIMIT 12
+ #TIMELIMIT 15
+ #DEREF never
++
++# TLS certificates (needed for GnuTLS)
++TLS_CACERT /etc/ssl/certs/ca-certificates.crt
++
diff --git a/debian/patches/contrib-makefiles b/debian/patches/contrib-makefiles
new file mode 100644
index 0000000..2f20843
--- /dev/null
+++ b/debian/patches/contrib-makefiles
@@ -0,0 +1,185 @@
+--- a/contrib/slapd-modules/passwd/Makefile
++++ b/contrib/slapd-modules/passwd/Makefile
+@@ -13,7 +13,7 @@
+ INCS = $(LDAP_INC)
+ LIBS = $(LDAP_LIB)
+
+-PROGRAMS = pw-kerberos.la pw-netscape.la pw-radius.la pw-apr1.la
++PROGRAMS = pw-netscape.la pw-apr1.la
+ LTVER = 0:0:0
+
+ prefix=/usr/local
+@@ -27,24 +27,24 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ pw-kerberos.la: kerberos.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? -lkrb5
+
+ pw-netscape.la: netscape.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $?
+
+ pw-radius.la: radius.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? -lradius
+
+ pw-apr1.la: apr1.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $?
+
+ clean:
+--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile
++++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile
+@@ -12,7 +12,7 @@
+ #DEFS = -DSLAPD_PBKDF2_DEBUG
+
+ INCS = $(LDAP_INC)
+-LIBS = $(LDAP_LIB) -lcrypto
++LIBS = $(LDAP_LIB) -lnettle
+
+ PROGRAMS = pw-pbkdf2.la
+ LTVER = 0:0:0
+@@ -30,12 +30,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ pw-pbkdf2.la: pw-pbkdf2.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
+--- a/contrib/slapd-modules/smbk5pwd/Makefile
++++ b/contrib/slapd-modules/smbk5pwd/Makefile
+@@ -19,10 +19,10 @@
+ $(LDAP_BUILD)/libraries/liblber/liblber.la
+
+ SSL_INC =
+-SSL_LIB = -lcrypto
++SSL_LIB = -lnettle
+
+-HEIMDAL_INC = -I/usr/heimdal/include
+-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
++HEIMDAL_INC = $(shell krb5-config.heimdal --cflags krb5 kadm-server)
++HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server)
+
+ LIBTOOL = $(LDAP_BUILD)/libtool
+ CC = gcc
+@@ -30,7 +30,8 @@
+ # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
+ DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW
+ INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
+-LIBS = $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
++# put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, #745356
++LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)
+
+ PROGRAMS = smbk5pwd.la
+ LTVER = 0:0:0
+@@ -46,12 +47,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ smbk5pwd.la: smbk5pwd.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
+--- a/contrib/slapd-modules/autogroup/Makefile
++++ b/contrib/slapd-modules/autogroup/Makefile
+@@ -27,12 +27,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ autogroup.la: autogroup.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
+--- a/contrib/slapd-modules/lastbind/Makefile
++++ b/contrib/slapd-modules/lastbind/Makefile
+@@ -37,12 +37,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ lastbind.la: lastbind.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
+--- a/contrib/slapd-modules/passwd/sha2/Makefile
++++ b/contrib/slapd-modules/passwd/sha2/Makefile
+@@ -28,12 +28,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ pw-sha2.la: slapd-sha2.lo sha2.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
+--- a/contrib/slapd-modules/passwd/argon2/Makefile
++++ b/contrib/slapd-modules/passwd/argon2/Makefile
+@@ -14,7 +14,7 @@
+ INCS = $(LDAP_INC)
+ LIBS = $(LDAP_LIB)
+
+-implementation = sodium
++implementation = argon2
+
+ ifeq ($(implementation),argon2)
+ LIBS += -largon2
+@@ -42,12 +42,12 @@
+ .SUFFIXES: .c .o .lo
+
+ .c.lo:
+- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $<
++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $<
+
+ all: $(PROGRAMS)
+
+ pw-argon2.la: pw-argon2.lo
+- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \
++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \
+ -rpath $(moduledir) -module -o $@ $? $(LIBS)
+
+ clean:
diff --git a/debian/patches/debian-version b/debian/patches/debian-version
new file mode 100644
index 0000000..542346b
--- /dev/null
+++ b/debian/patches/debian-version
@@ -0,0 +1,14 @@
+Description: Replace upstream version with Debian version in version strings
+Forwarded: not-needed
+Author: Ryan Tandy <ryan@nardis.ca>
+--- a/build/version.sh
++++ b/build/version.sh
+@@ -40,7 +40,7 @@
+ echo OL_API_INC=$ol_api_inc
+ echo OL_API_LIB_RELEASE=$ol_api_lib_release
+ echo OL_API_LIB_VERSION=$ol_api_lib_version
+-echo OL_VERSION=$ol_version
++echo OL_VERSION=\"${DEB_VERSION:-$ol_version}\"
+ echo OL_TYPE=$ol_type
+ echo OL_STRING=\"${ol_string}\"
+ echo OL_RELEASE_DATE=\"${ol_release_date}\"
diff --git a/debian/patches/do-not-second-guess-sonames b/debian/patches/do-not-second-guess-sonames
new file mode 100644
index 0000000..bbf099c
--- /dev/null
+++ b/debian/patches/do-not-second-guess-sonames
@@ -0,0 +1,68 @@
+Rip out code that second-guesses the libsasl soname / Debian shlibs. If
+cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
+there, not kludged around upstream here!
+
+Debian bug #546885
+
+Upstream ITS #6302 filed.
+
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -74,28 +74,6 @@
+ */
+ int ldap_int_sasl_init( void )
+ {
+-#ifdef HAVE_SASL_VERSION
+- /* stringify the version number, sasl.h doesn't do it for us */
+-#define VSTR0(maj, min, pat) #maj "." #min "." #pat
+-#define VSTR(maj, min, pat) VSTR0(maj, min, pat)
+-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
+- SASL_VERSION_STEP)
+- { int rc;
+- sasl_version( NULL, &rc );
+- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
+- (rc & 0xffff) < SASL_VERSION_STEP) {
+- char version[sizeof("xxx.xxx.xxxxx")];
+- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
+- rc & 0xffff );
+-
+- Debug( LDAP_DEBUG_ANY,
+- "ldap_int_sasl_init: SASL library version mismatch:"
+- " expected " SASL_VERSION_STRING ","
+- " got %s\n", version, 0, 0 );
+- return -1;
+- }
+- }
+-#endif
+
+ /* SASL 2 takes care of its own memory completely internally */
+ #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC)
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1145,26 +1145,6 @@ int slap_sasl_init( void )
+ #endif
+
+ #ifdef HAVE_CYRUS_SASL
+-#ifdef HAVE_SASL_VERSION
+- /* stringify the version number, sasl.h doesn't do it for us */
+-#define VSTR0(maj, min, pat) #maj "." #min "." #pat
+-#define VSTR(maj, min, pat) VSTR0(maj, min, pat)
+-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
+- SASL_VERSION_STEP)
+-
+- sasl_version( NULL, &rc );
+- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
+- (rc & 0xffff) < SASL_VERSION_STEP)
+- {
+- char version[sizeof("xxx.xxx.xxxxx")];
+- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
+- rc & 0xffff );
+- Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:"
+- " expected %s, got %s\n",
+- SASL_VERSION_STRING, version, 0 );
+- return -1;
+- }
+-#endif
+
+ sasl_set_mutex(
+ ldap_pvt_sasl_mutex_new,
diff --git a/debian/patches/evolution-ntlm b/debian/patches/evolution-ntlm
new file mode 100644
index 0000000..cd9bc26
--- /dev/null
+++ b/debian/patches/evolution-ntlm
@@ -0,0 +1,222 @@
+Patch from evolution-exchange (2.10.3). The ldap_ntlm_bind function is
+actually called by evolution-data-server, checked at version 1.12.2.
+Without this patch, the Exchange addressbook integration uses simple binds
+with cleartext passwords.
+
+Russ checked with openldap-software for upstream's opinion on this patch
+on 2007-12-21. Upstream had never received it as a patch submission and
+given that it's apparently only for older Exchange servers that can't do
+SASL and DIGEST-MD5, it's not very appealing.
+
+Bug#457374 filed against evolution-data-server asking if this support is
+still required on 2007-12-21.
+
+--- a/include/ldap.h
++++ b/include/ldap.h
+@@ -2517,5 +2517,25 @@ ldap_parse_deref_control LDAP_P((
+ LDAPControl **ctrls,
+ LDAPDerefRes **drp ));
+
++/*
++ * hacks for NTLM
++ */
++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU)
++#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU)
++LDAP_F( int )
++ldap_ntlm_bind LDAP_P((
++ LDAP *ld,
++ LDAP_CONST char *dn,
++ ber_tag_t tag,
++ struct berval *cred,
++ LDAPControl **sctrls,
++ LDAPControl **cctrls,
++ int *msgidp ));
++LDAP_F( int )
++ldap_parse_ntlm_bind_result LDAP_P((
++ LDAP *ld,
++ LDAPMessage *res,
++ struct berval *challenge));
++
+ LDAP_END_DECL
+ #endif /* _LDAP_H */
+--- /dev/null
++++ b/libraries/libldap/ntlm.c
+@@ -0,0 +1,138 @@
++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */
++/*
++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved.
++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file
++ */
++
++/* Mostly copied from sasl.c */
++
++#include "portable.h"
++
++#include <stdlib.h>
++#include <stdio.h>
++
++#include <ac/socket.h>
++#include <ac/string.h>
++#include <ac/time.h>
++#include <ac/errno.h>
++
++#include "ldap-int.h"
++
++int
++ldap_ntlm_bind(
++ LDAP *ld,
++ LDAP_CONST char *dn,
++ ber_tag_t tag,
++ struct berval *cred,
++ LDAPControl **sctrls,
++ LDAPControl **cctrls,
++ int *msgidp )
++{
++ BerElement *ber;
++ int rc;
++ ber_int_t id;
++
++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 );
++
++ assert( ld != NULL );
++ assert( LDAP_VALID( ld ) );
++ assert( msgidp != NULL );
++
++ if( msgidp == NULL ) {
++ ld->ld_errno = LDAP_PARAM_ERROR;
++ return ld->ld_errno;
++ }
++
++ /* create a message to send */
++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) {
++ ld->ld_errno = LDAP_NO_MEMORY;
++ return ld->ld_errno;
++ }
++
++ assert( LBER_VALID( ber ) );
++
++ LDAP_NEXT_MSGID( ld, id );
++ rc = ber_printf( ber, "{it{istON}" /*}*/,
++ id, LDAP_REQ_BIND,
++ ld->ld_version, dn, tag,
++ cred );
++
++ /* Put Server Controls */
++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) {
++ ber_free( ber, 1 );
++ return ld->ld_errno;
++ }
++
++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) {
++ ld->ld_errno = LDAP_ENCODING_ERROR;
++ ber_free( ber, 1 );
++ return ld->ld_errno;
++ }
++
++ /* send the message */
++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id );
++
++ if(*msgidp < 0)
++ return ld->ld_errno;
++
++ return LDAP_SUCCESS;
++}
++
++int
++ldap_parse_ntlm_bind_result(
++ LDAP *ld,
++ LDAPMessage *res,
++ struct berval *challenge)
++{
++ ber_int_t errcode;
++ ber_tag_t tag;
++ BerElement *ber;
++ ber_len_t len;
++
++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 );
++
++ assert( ld != NULL );
++ assert( LDAP_VALID( ld ) );
++ assert( res != NULL );
++
++ if ( ld == NULL || res == NULL ) {
++ return LDAP_PARAM_ERROR;
++ }
++
++ if( res->lm_msgtype != LDAP_RES_BIND ) {
++ ld->ld_errno = LDAP_PARAM_ERROR;
++ return ld->ld_errno;
++ }
++
++ if ( ld->ld_error ) {
++ LDAP_FREE( ld->ld_error );
++ ld->ld_error = NULL;
++ }
++ if ( ld->ld_matched ) {
++ LDAP_FREE( ld->ld_matched );
++ ld->ld_matched = NULL;
++ }
++
++ /* parse results */
++
++ ber = ber_dup( res->lm_ber );
++
++ if( ber == NULL ) {
++ ld->ld_errno = LDAP_NO_MEMORY;
++ return ld->ld_errno;
++ }
++
++ tag = ber_scanf( ber, "{ioa" /*}*/,
++ &errcode, challenge, &ld->ld_error );
++ ber_free( ber, 0 );
++
++ if( tag == LBER_ERROR ) {
++ ld->ld_errno = LDAP_DECODING_ERROR;
++ return ld->ld_errno;
++ }
++
++ ld->ld_errno = errcode;
++
++ return( ld->ld_errno );
++}
++
+--- a/libraries/libldap/Makefile.in
++++ b/libraries/libldap/Makefile.in
+@@ -27,7 +27,7 @@ SRCS = bind.c open.c result.c error.c co
+ init.c options.c print.c string.c util-int.c schema.c \
+ charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
+ tls2.c tls_o.c tls_g.c tls_m.c \
+- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
++ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \
+ assertion.c deref.c ldif.c fetch.c
+
+ OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \
+@@ -40,7 +40,7 @@ OBJS = bind.lo open.lo result.lo error.l
+ init.lo options.lo print.lo string.lo util-int.lo schema.lo \
+ charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
+ tls2.lo tls_o.lo tls_g.lo tls_m.lo \
+- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \
+ assertion.lo deref.lo ldif.lo fetch.lo
+
+ LDAP_INCDIR= ../../include
+--- a/libraries/libldap_r/Makefile.in
++++ b/libraries/libldap_r/Makefile.in
+@@ -29,7 +29,7 @@ XXSRCS = apitest.c test.c \
+ init.c options.c print.c string.c util-int.c schema.c \
+ charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
+ tls2.c tls_o.c tls_g.c tls_m.c \
+- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
++ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \
+ assertion.c deref.c ldif.c fetch.c
+ SRCS = threads.c rdwr.c rmutex.c tpool.c rq.c \
+ thr_posix.c thr_cthreads.c thr_thr.c thr_nt.c \
+@@ -47,7 +47,7 @@ OBJS = threads.lo rdwr.lo rmutex.lo tpoo
+ init.lo options.lo print.lo string.lo util-int.lo schema.lo \
+ charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
+ tls2.lo tls_o.lo tls_g.lo tls_m.lo \
+- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \
+ assertion.lo deref.lo ldif.lo fetch.lo
+
+ LDAP_INCDIR= ../../include
diff --git a/debian/patches/fix-build-top-mk b/debian/patches/fix-build-top-mk
new file mode 100644
index 0000000..418fe35
--- /dev/null
+++ b/debian/patches/fix-build-top-mk
@@ -0,0 +1,11 @@
+--- a/build/top.mk
++++ b/build/top.mk
+@@ -20,7 +20,7 @@
+ RELEASEDATE= @OPENLDAP_RELEASE_DATE@
+
+ @SET_MAKE@
+-SHELL = /bin/sh
++SHELL = @SHELL@
+
+ top_builddir = @top_builddir@
+
diff --git a/debian/patches/getaddrinfo-is-threadsafe b/debian/patches/getaddrinfo-is-threadsafe
new file mode 100644
index 0000000..ab6e2b7
--- /dev/null
+++ b/debian/patches/getaddrinfo-is-threadsafe
@@ -0,0 +1,43 @@
+Author: Steve Langasek <vorlon@debian.org>
+
+OpenLDAP upstream conservatively assumes that certain resolver functions
+(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
+know that the glibc implementations of these functions are thread-safe, so
+we should bypass the use of this mutex. This fixes a locking problem when
+an application uses libldap and libnss-ldap is also used for hosts
+resolution.
+
+Closes Debian bug #340601.
+
+Not suitable for forwarding upstream; might be made suitable by adding a
+configure-time check for glibc and disabling the mutex only on known
+thread-safe implementations.
+
+--- a/libraries/libldap/os-ip.c
++++ b/libraries/libldap/os-ip.c
+@@ -602,13 +602,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf *
+ hints.ai_socktype = socktype;
+ snprintf(serv, sizeof serv, "%d", port );
+
+- /* most getaddrinfo(3) use non-threadsafe resolver libraries */
+- LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
+-
+ err = getaddrinfo( host, serv, &hints, &res );
+-
+- LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
+-
+ if ( err != 0 ) {
+ osip_debug(ld, "ldap_connect_to_host: getaddrinfo failed: %s\n",
+ AC_GAI_STRERROR(err), 0, 0);
+--- a/libraries/libldap/util-int.c
++++ b/libraries/libldap/util-int.c
+@@ -431,9 +431,7 @@ int ldap_pvt_get_hname(
+ int rc;
+ #if defined( HAVE_GETNAMEINFO )
+
+- LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex );
+ rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 );
+- LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex );
+ if ( rc ) *err = (char *)AC_GAI_STRERROR( rc );
+ return rc;
+
diff --git a/debian/patches/index-files-created-as-root b/debian/patches/index-files-created-as-root
new file mode 100644
index 0000000..263b014
--- /dev/null
+++ b/debian/patches/index-files-created-as-root
@@ -0,0 +1,37 @@
+Document in the man page that slapindex should be run as the same user
+as slapd, and print a warning if it's run as root (since Debian defaults
+to running slapd as openldap).
+
+Not suitable for upstream in this form. This patch needs to be reworked
+to check the BerkeleyDB database ownership and only warn if running as
+root with a database that's not owned by root.
+
+Upstream ITS #5356 filed requesting better handling of this. Current
+upstream discussion leans towards putting the check into the database
+backend and aborting if slapd is run as a different user than the database
+owner, which is an even better fix.
+
+--- a/doc/man/man8/slapindex.8
++++ b/doc/man/man8/slapindex.8
+@@ -148,6 +148,10 @@
+ should not be running (at least, not in read-write
+ mode) when you do this to ensure consistency of the database.
+ .LP
++slapindex ought to be run as the user specified for
++.BR slapd (8)
++to ensure correct database permissions.
++.LP
+ This command provides ample opportunity for the user to obtain
+ and drink their favorite beverage.
+ .SH EXAMPLES
+--- a/servers/slapd/slapindex.c
++++ b/servers/slapd/slapindex.c
+@@ -34,6 +34,8 @@
+ int
+ slapindex( int argc, char **argv )
+ {
++ if (geteuid() == 0)
++ fprintf( stderr, "\nWARNING!\nRunning as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n");
+ ID id;
+ int rc = EXIT_SUCCESS;
+ const char *progname = "slapindex";
diff --git a/debian/patches/lastbind-makefile-manpage b/debian/patches/lastbind-makefile-manpage
new file mode 100644
index 0000000..66e5a79
--- /dev/null
+++ b/debian/patches/lastbind-makefile-manpage
@@ -0,0 +1,46 @@
+--- a/contrib/slapd-modules/lastbind/Makefile
++++ b/contrib/slapd-modules/lastbind/Makefile
+@@ -17,6 +17,7 @@
+ $(LDAP_BUILD)/libraries/liblber/liblber.la
+
+ LIBTOOL = $(LDAP_BUILD)/libtool
++INSTALL = /usr/bin/install
+ CC = gcc
+ OPT = -g -O2 -Wall
+ DEFS = -DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC
+@@ -25,6 +26,7 @@
+
+ PROGRAMS = lastbind.la
+ LTVER = 0:0:0
++MANPAGES = slapo-lastbind.5
+
+ prefix=/usr/local
+ exec_prefix=$(prefix)
+@@ -33,6 +35,8 @@
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+ moduledir = $(libexecdir)$(ldap_subdir)
++mandir = $(exec_prefix)/share/man
++man5dir = $(mandir)/man5
+
+ .SUFFIXES: .c .o .lo
+
+@@ -48,9 +52,17 @@
+ clean:
+ rm -rf *.o *.lo *.la .libs
+
+-install: $(PROGRAMS)
++install: install-lib install-man FORCE
++
++install-lib: $(PROGRAMS)
+ mkdir -p $(DESTDIR)$(moduledir)
+ for p in $(PROGRAMS) ; do \
+ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
+ done
+
++install-man: $(MANPAGES)
++ mkdir -p $(DESTDIR)$(man5dir)
++ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
++
++FORCE:
++
diff --git a/debian/patches/ldap-conf-tls-cacertdir b/debian/patches/ldap-conf-tls-cacertdir
new file mode 100644
index 0000000..e8aab91
--- /dev/null
+++ b/debian/patches/ldap-conf-tls-cacertdir
@@ -0,0 +1,29 @@
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -317,7 +317,7 @@ certificates in separate individual file
+ .B TLS_CACERT
+ is always used before
+ .B TLS_CACERTDIR.
+-This parameter is ignored with GnuTLS.
++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS.
+
+ When using Mozilla NSS, <path> may contain a Mozilla NSS cert/key
+ database. If <path> contains a Mozilla NSS cert/key database and
+@@ -428,7 +428,7 @@ This parameter is ignored with GnuTLS.
+ Specifies the file to obtain random bits from when /dev/[u]random is
+ not available. Generally set to the name of the EGD/PRNGD socket.
+ The environment variable RANDFILE can also be used to specify the filename.
+-This parameter is ignored with GnuTLS and Mozilla NSS.
++This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS.
+ .TP
+ .B TLS_REQCERT <level>
+ Specifies what checks to perform on server certificates in a TLS session,
+@@ -461,7 +461,7 @@ Specifies if the Certificate Revocation
+ used to verify if the server certificates have not been revoked. This
+ requires
+ .B TLS_CACERTDIR
+-parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS.
++parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS.
+ .B <level>
+ can be specified as one of the following keywords:
+ .RS
diff --git a/debian/patches/ldapi-socket-place b/debian/patches/ldapi-socket-place
new file mode 100644
index 0000000..a482bbf
--- /dev/null
+++ b/debian/patches/ldapi-socket-place
@@ -0,0 +1,16 @@
+Move the ldapi socket to /var/run/slapd from /var/run, since /var/run
+is only writable by root and slapd runs as openldap.
+
+Debian-specific.
+
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -39,7 +39,7 @@
+ #define LDAP_ENV_PREFIX "LDAP"
+
+ /* default ldapi:// socket */
+-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi"
+
+ /*
+ * SLAPD DEFINITIONS
diff --git a/debian/patches/libldap-symbol-versions b/debian/patches/libldap-symbol-versions
new file mode 100644
index 0000000..fb28f49
--- /dev/null
+++ b/debian/patches/libldap-symbol-versions
@@ -0,0 +1,161 @@
+Add symbol versioning to the public LDAP libraries. This is required for
+library transitions, such as the current transition from 2.1 to 2.4,
+since programs will sometimes have both libraries loaded by different
+dependency chains during the transition.
+
+Not yet contributed upstream.
+
+Upstream ITS #5365 filed requesting symbol versioning for libldap and
+libber.
+
+--- a/libraries/libldap_r/Makefile.in
++++ b/libraries/libldap_r/Makefile.in
+@@ -61,6 +61,9 @@ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
+ XXXLIBS = $(LTHREAD_LIBS)
+ NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
+ UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS)
++ifneq (,$(VERSION_OPTION))
++ VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map"
++endif
+
+ .links : Makefile
+ @for i in $(XXSRCS); do \
+--- a/build/top.mk
++++ b/build/top.mk
+@@ -104,6 +104,9 @@ LTFLAGS_MOD = $(@PLAT@_LTFLAGS_MOD)
+ # LINK_LIBS referenced in library and module link commands.
+ LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS)
+
++# option to pass to $(CC) to support library symbol versioning, if any
++VERSION_OPTION = @VERSION_OPTION@
++
+ LTSTATIC = @LTSTATIC@
+
+ LTLINK = $(LIBTOOL) --mode=link \
+@@ -113,7 +116,7 @@ LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB)
+ $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c
+
+ LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \
+- $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB)
++ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS)
+
+ LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \
+ $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c
+--- a/build/openldap.m4
++++ b/build/openldap.m4
+@@ -1136,3 +1136,54 @@ AC_DEFUN([OL_SSL_COMPAT],
+ #endif
+ ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])])
+ ])
++
++dnl ====================================================================
++dnl check for symbol versioning support
++AC_DEFUN([OL_SYMBOL_VERSIONING],
++[AC_CACHE_CHECK([for .symver assembler directive],
++ [ol_cv_asm_symver_directive],[
++cat > conftest.s <<EOF
++${libc_cv_dot_text}
++_sym:
++.symver _sym,sym@VERS
++EOF
++if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
++ ol_cv_asm_symver_directive=yes
++else
++ ol_cv_asm_symver_directive=no
++fi
++rm -f conftest*])
++AC_CACHE_CHECK([for ld --version-script],
++ [ol_cv_ld_version_script_option],[
++if test $ol_cv_asm_symver_directive = yes; then
++ cat > conftest.s <<EOF
++${libc_cv_dot_text}
++_sym:
++.symver _sym,sym@VERS
++EOF
++ cat > conftest.map <<EOF
++VERS_1 {
++ global: sym;
++};
++
++VERS_2 {
++ global: sym;
++} VERS_1;
++EOF
++ if ${CC-cc} -c $ASFLAGS conftest.s 1>&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then
++ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared
++ -o conftest.so conftest.o
++ -Wl,--version-script,conftest.map
++ 1>&AS_MESSAGE_LOG_FD]);
++ then
++ ol_cv_ld_version_script_option=yes
++ else
++ ol_cv_ld_version_script_option=no
++ fi
++ else
++ ol_cv_ld_version_script_option=no
++ fi
++else
++ ol_cv_ld_version_script_option=no
++fi
++rm -f conftest*])])
+--- a/configure.in
++++ b/configure.in
+@@ -1909,6 +1909,13 @@ else
+ fi
+ AC_SUBST(LTSTATIC)dnl
+
++VERSION_OPTION=""
++OL_SYMBOL_VERSIONING
++if test $ol_cv_ld_version_script_option = yes ; then
++ VERSION_OPTION="-Wl,--version-script="
++fi
++AC_SUBST(VERSION_OPTION)
++
+ dnl ----------------------------------------------------------------
+ if test $ol_enable_wrappers != no ; then
+ AC_CHECK_HEADERS(tcpd.h,[
+--- /dev/null
++++ b/libraries/libldap/libldap.map
+@@ -0,0 +1,7 @@
++OPENLDAP_2.4_2 {
++ global:
++ ldap_*;
++ ldif_*;
++ local:
++ *;
++};
+--- a/libraries/libldap/Makefile.in
++++ b/libraries/libldap/Makefile.in
+@@ -52,6 +52,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $(
+ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS)
+ NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
+ UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS)
++ifneq (,$(VERSION_OPTION))
++ VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map
++endif
+
+ apitest: $(XLIBS) apitest.o
+ $(LTLINK) -o $@ apitest.o $(LIBS)
+--- a/libraries/liblber/Makefile.in
++++ b/libraries/liblber/Makefile.in
+@@ -38,6 +38,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A)
+ XXLIBS =
+ NT_LINK_LIBS = $(AC_LIBS)
+ UNIX_LINK_LIBS = $(AC_LIBS)
++ifneq (,$(VERSION_OPTION))
++ VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map"
++endif
+
+ dtest: $(XLIBS) dtest.o
+ $(LTLINK) -o $@ dtest.o $(LIBS)
+--- /dev/null
++++ b/libraries/liblber/liblber.map
+@@ -0,0 +1,8 @@
++OPENLDAP_2.4_2 {
++ global:
++ ber_*;
++ der_alloc;
++ lutil_*;
++ local:
++ *;
++};
diff --git a/debian/patches/man-slapd b/debian/patches/man-slapd
new file mode 100644
index 0000000..5f55137
--- /dev/null
+++ b/debian/patches/man-slapd
@@ -0,0 +1,60 @@
+Patch the slapd man page to not refer to a header file that isn't
+installed with the slapd package and to reference the correct path
+for slapd.
+
+Debian-specific.
+
+--- a/doc/man/man8/slapd.8
++++ b/doc/man/man8/slapd.8
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd
++.B /usr/sbin/slapd
+ [\c
+ .BR \-4 | \-6 ]
+ [\c
+@@ -103,11 +103,10 @@
+ will not fork or disassociate from the invoking terminal. Some general
+ operation and status messages are printed for any value of \fIdebug-level\fP.
+ \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
+-different kind of debugging information. See <ldap_log.h> for details.
+-Comma-separated arrays of friendly names can be specified to select
+-debugging output of the corresponding debugging information.
+-All the names recognized by the \fIloglevel\fP directive
+-described in \fBslapd.conf\fP(5) are supported.
++different kind of debugging information. Comma-separated arrays of friendly
++names can be specified to select debugging output of the corresponding
++debugging information. All the names recognized by the \fIloglevel\fP
++directive described in \fBslapd.conf\fP(5) are supported.
+ If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
+ and slapd exits.
+
+@@ -317,7 +316,7 @@
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd
++ /usr/sbin/slapd
+ .ft
+ .fi
+ .LP
+@@ -328,7 +327,7 @@
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++ /usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255
+ .ft
+ .fi
+ .LP
+@@ -336,7 +335,7 @@
+ .LP
+ .nf
+ .ft tt
+- LIBEXECDIR/slapd \-Tt
++ /usr/sbin/slapd \-Tt
+ .ft
+ .fi
+ .LP
diff --git a/debian/patches/no-bdb-ABI-second-guessing b/debian/patches/no-bdb-ABI-second-guessing
new file mode 100644
index 0000000..db76aa7
--- /dev/null
+++ b/debian/patches/no-bdb-ABI-second-guessing
@@ -0,0 +1,42 @@
+Author: Steve Langasek <vorlon@debian.org>
+Description: don't second-guess BDB ABI
+ OpenLDAP upstream conservatively assumes that any change to the version
+ number of libdb can result in an API-breaking change that could impact
+ the database. In Debian, we know that such changes require bumping the
+ library soname and changing the package name, and demand such rigor from
+ our package maintainers even when upstreams don't deliver; so any such
+ check in the source code works against the packaging system by forcing
+ database upgrades when we know none are required. Disable this check
+ so we rely on the packaging system to do its job.
+Bug-Debian: http://bugs.debian.org/651333
+Forwarded: not-needed
+
+--- a/servers/slapd/back-bdb/init.c
++++ b/servers/slapd/back-bdb/init.c
+@@ -762,7 +762,7 @@ bdb_back_initialize(
+ bi->bi_controls = controls;
+
+ { /* version check */
+- int major, minor, patch, ver;
++ int major, minor, patch;
+ char *version = db_version( &major, &minor, &patch );
+ #ifdef HAVE_EBCDIC
+ char v2[1024];
+@@ -776,17 +776,6 @@ bdb_back_initialize(
+ version = v2;
+ #endif
+
+- ver = (major << 24) | (minor << 16) | patch;
+- if( ver != DB_VERSION_FULL ) {
+- /* fail if a versions don't match */
+- Debug( LDAP_DEBUG_ANY,
+- LDAP_XSTRING(bdb_back_initialize) ": "
+- "BDB library version mismatch:"
+- " expected " DB_VERSION_STRING ","
+- " got %s\n", version, 0, 0 );
+- return -1;
+- }
+-
+ Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_back_initialize)
+ ": %s\n", version, 0, 0 );
+ }
diff --git a/debian/patches/sasl-default-path b/debian/patches/sasl-default-path
new file mode 100644
index 0000000..6d5c7b0
--- /dev/null
+++ b/debian/patches/sasl-default-path
@@ -0,0 +1,55 @@
+Add /etc/ldap/sasl2 to the SASL configuration search path.
+
+Not submitted upstream. Somewhat Debian-specific and probably not of
+interest upstream.
+
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -63,4 +63,6 @@
+ /* dn of the default "monitor" subentry */
+ #define SLAPD_MONITOR_DN "cn=Monitor"
+
++#define SASL_CONFIGPATH LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2"
++
+ #endif /* _LDAP_CONFIG_H */
+--- a/servers/slapd/sasl.c
++++ b/servers/slapd/sasl.c
+@@ -1103,12 +1103,38 @@ static const rewrite_mapper slapd_mapper
+ };
+ #endif
+
++static int
++slap_sasl_getconfpath( void * context, char ** path )
++{
++ char * sasl_default_configpath;
++ size_t len;
++
++#if SASL_VERSION_MAJOR >= 2
++ sasl_default_configpath = "/usr/lib/sasl2";
++#else
++ sasl_default_configpath = "/usr/lib/sasl";
++#endif
++
++ len = strlen(SASL_CONFIGPATH) + 1 /* colon */ +
++ strlen(sasl_default_configpath) + 1 /* \0 */;
++ *path = malloc( len );
++ if ( *path == NULL )
++ return SASL_FAIL;
++
++ if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH,
++ sasl_default_configpath ) != len-1 )
++ return SASL_FAIL;
++
++ return SASL_OK;
++}
++
+ int slap_sasl_init( void )
+ {
+ #ifdef HAVE_CYRUS_SASL
+ int rc;
+ static sasl_callback_t server_callbacks[] = {
+ { SASL_CB_LOG, (slap_sasl_cb_ft)&slap_sasl_log, NULL },
++ { SASL_CB_GETCONFPATH, (slap_sasl_cb_ft)&slap_sasl_getconfpath, NULL },
+ { SASL_CB_GETOPT, (slap_sasl_cb_ft)&slap_sasl_getopt, NULL },
+ { SASL_CB_LIST_END, NULL, NULL }
+ };
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..6e50b30
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,24 @@
+debian-version
+man-slapd
+evolution-ntlm
+slapi-errorlog-file
+ldapi-socket-place
+wrong-database-location
+index-files-created-as-root
+sasl-default-path
+libldap-symbol-versions
+getaddrinfo-is-threadsafe
+do-not-second-guess-sonames
+contrib-makefiles
+smbk5pwd-makefile-manpage
+lastbind-makefile-manpage
+ldap-conf-tls-cacertdir
+add-tlscacert-option-to-ldap-conf
+fix-build-top-mk
+switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
+no-bdb-ABI-second-guessing
+ITS6035-olcauthzregex-needs-restart.patch
+set-maintainer-name
+ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch
+ITS-9454-fix-issuerAndThisUpdateCheck.patch
+ITS-9815-slapd-sql-escape-filter-values.patch
diff --git a/debian/patches/set-maintainer-name b/debian/patches/set-maintainer-name
new file mode 100644
index 0000000..35f8f77
--- /dev/null
+++ b/debian/patches/set-maintainer-name
@@ -0,0 +1,16 @@
+--- a/build/mkversion
++++ b/build/mkversion
+@@ -50,12 +50,7 @@
+ fi
+
+ APPLICATION=$1
+-# Reproducible builds set SOURCE_DATE_EPOCH, want constant strings
+-if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+- WHOWHERE="openldap"
+-else
+- WHOWHERE="$USER@$(uname -n):$(pwd)"
+-fi
++WHOWHERE="${DEB_MAINTAINER:-openldap}"
+
+ cat << __EOF__
+ /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
diff --git a/debian/patches/slapi-errorlog-file b/debian/patches/slapi-errorlog-file
new file mode 100644
index 0000000..4899451
--- /dev/null
+++ b/debian/patches/slapi-errorlog-file
@@ -0,0 +1,16 @@
+The slapi error log file defaults to /var/errors given our setting
+of --localstatedir. Move it to /var/log/slapi-errors instead.
+
+Debian-specific.
+
+--- a/servers/slapd/slapi/slapi_overlay.c
++++ b/servers/slapd/slapi/slapi_overlay.c
+@@ -930,7 +930,7 @@ int slapi_over_config( BackendDB *be, Co
+ ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex );
+
+ if ( slapi_log_file == NULL )
+- slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" );
++ slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" );
+
+ rc = slapi_int_init_object_extensions();
+ if ( rc != 0 )
diff --git a/debian/patches/smbk5pwd-makefile-manpage b/debian/patches/smbk5pwd-makefile-manpage
new file mode 100644
index 0000000..b05cba2
--- /dev/null
+++ b/debian/patches/smbk5pwd-makefile-manpage
@@ -0,0 +1,251 @@
+From: Peter Marschall <peter@adpm.de>
+Date: Sun, 26 Jul 2015 15:04:26 +0200
+Subject: [PATCH] contrib/smbk5pwd: add man page, install it too
+
+Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to
+install the new manual page.
+
+This patch is derived from the corresponding patch upstreamed in ITS#8205
+
+---
+ contrib/slapd-modules/smbk5pwd/Makefile | 14 +-
+ contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 | 179 ++++++++++++++++++++++++
+ 2 files changed, 192 insertions(+), 1 deletion(-)
+ create mode 100644 contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5
+
+diff --git a/contrib/slapd-modules/smbk5pwd/Makefile b/contrib/slapd-modules/smbk5pwd/Makefile
+index 676d914..0042a49 100644
+--- a/contrib/slapd-modules/smbk5pwd/Makefile
++++ b/contrib/slapd-modules/smbk5pwd/Makefile
+@@ -25,6 +25,7 @@
+ HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server)
+
+ LIBTOOL = $(LDAP_BUILD)/libtool
++INSTALL = /usr/bin/install
+ CC = gcc
+ OPT = -g -O2 -Wall
+ # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
+@@ -34,6 +35,7 @@
+ LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)
+
+ PROGRAMS = smbk5pwd.la
++MANPAGES = slapo-smbk5pwd.5
+ LTVER = 0:0:0
+
+ prefix=/usr/local
+@@ -43,6 +45,8 @@
+ libdir=$(exec_prefix)/lib
+ libexecdir=$(exec_prefix)/libexec
+ moduledir = $(libexecdir)$(ldap_subdir)
++mandir = $(exec_prefix)/share/man
++man5dir = $(mandir)/man5
+
+ .SUFFIXES: .c .o .lo
+
+@@ -58,9 +62,17 @@
+ clean:
+ rm -rf *.o *.lo *.la .libs
+
+-install: $(PROGRAMS)
++install: install-lib install-man FORCE
++
++install-lib: $(PROGRAMS)
+ mkdir -p $(DESTDIR)$(moduledir)
+ for p in $(PROGRAMS) ; do \
+ $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \
+ done
+
++install-man: $(MANPAGES)
++ mkdir -p $(DESTDIR)$(man5dir)
++ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir)
++
++FORCE:
++
+diff --git a/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5
+new file mode 100644
+index 0000000..431a765
+--- /dev/null
++++ b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5
+@@ -0,0 +1,179 @@
++.TH SLAPO-SMBK5PWD 5 "RELEASEDATE" "OpenLDAP LDVERSION"
++.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved.
++.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
++.\" $OpenLDAP$
++.SH NAME
++slapo-smbk5pwd \- Samba & Kerberos password sync overlay to slapd
++.SH SYNOPSIS
++ETCDIR/slapd.conf
++.RS
++.LP
++include
++.B "<path to>/krb5-kdc.schema"
++.LP
++include
++.B "<path to>/samba.schema"
++.LP
++moduleload
++.B smbk5pwd.so
++.LP
++ ...
++.LP
++database mdb
++.LP
++ ...
++.LP
++overlay
++.B smbk5pwd
++.RE
++
++.SH DESCRIPTION
++.LP
++The
++.B smbk5pwd
++overlay to
++.BR slapd (8)
++overloads the Password Modify Extended Operation (RFC 3062) to update
++Kerberos keys and Samba password hashes for an LDAP user, as well as
++updating password change related attributes for Kerberos, Samba and/or
++UNIX user accounts.
++.LP
++The Samba support is written using the Samba 3.0 LDAP schema;
++Kerberos support is written for Heimdal using its hdb-ldap backend.
++.LP
++Additionally, a new
++.B {K5KEY}
++password hash mechanism is provided.
++For
++.B krb5KDCEntry
++objects that have this scheme specifier in their
++.I userPassword
++attribute, Simple Binds will be checked against the Kerberos keys of the entry.
++No data is needed after the
++.B {K5KEY}
++scheme specifier in the
++.IR userPassword ,
++it is looked up from the entry directly.
++
++.SH CONFIGURATION
++The
++.B smbk5pwd
++overlay supports the following
++.B slapd.conf
++configuration options, which should appear after the
++.B overlay
++directive:
++.TP
++.BI smbk5pwd-enable " <module>"
++can be used to enable only the desired modules.
++Legal values for
++.I <module>
++are
++.LP
++.RS
++.TP
++.B krb5
++If the user has the
++.B krb5KDCEntry
++objectclass, update the
++.B krb5Key
++and
++.B krb5KeyVersionNumber
++attributes using the new password in the Password Modify operation,
++provided the Kerberos account is not expired.
++Exiration is determined by evaluating the
++.B krb5ValidEnd
++attribute.
++.TP
++.B samba
++If the user is a
++.B sambaSamAccount
++object, synchronize the
++.B sambaLMPassword
++and
++.B sambaNTPassword
++to the password entered in the Password Modify operation, and update
++.B sambaPwdLastSet
++accordingly.
++.TP
++.B shadow
++Update the attribute
++.BR shadowLastChange ,
++if the entry has the objectclass
++.BR shadowAccount .
++.LP
++By default all modules compiled in are enabled.
++Setting the config statement restricts the enabled modules to the ones
++explicitly mentioned.
++.RE
++.TP
++.BI smbk5pwd-can-change " <seconds>"
++If the
++.B samba
++module is enabled and the user is a
++.BR sambaSamAccount ,
++update the attribute
++.B sambaPwdCanChange
++to point
++.I <seconds>
++into the future, essentially denying any Samba password change until then.
++A value of
++.B 0
++disables this feature.
++.TP
++.BI smbk5pwd-must-change " <seconds>"
++If the
++.B samba
++module is enabled and the user is a
++.BR sambaSamAccount ,
++update the attribute
++.B sambaPwdMustChange
++to point
++.I <seconds>
++into the future, essentially setting the Samba password expiration time.
++A value of
++.B 0
++disables this feature.
++.LP
++Alternatively, the overlay supports table-driven configuration,
++and thus can be run-time loaded and configured via back-config.
++
++.SH EXAMPLE
++The layout of a slapd.d based, table-driven configuration entry looks like:
++.LP
++.EX
++ # {0}smbk5pwd, {1}bdb, config
++ dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config
++ objectClass: olcOverlayConfig
++ objectClass: olcSmbK5PwdConfig
++ olcOverlay: {0}smbk5pwd
++ olcSmbK5PwdEnable: krb5
++ olcSmbK5PwdEnable: samba
++ olcSmbK5PwdMustChange: 2592000
++.EE
++.LP
++which enables both
++.B krb5
++and
++.B samba
++modules with a Samba password expiration time of 30 days (=
++.B 2592000
++seconds).
++
++.SH SEE ALSO
++.BR slapd.conf (5),
++.BR ldappasswd (1),
++.BR ldap (3),
++.LP
++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/)
++.LP
++
++.SH ACKNOWLEDGEMENTS
++This manual page has been writen by Peter Marschall based on the
++module's README file written by Howard Chu.
++.LP
++.B OpenLDAP
++is developed and maintained by The OpenLDAP Project (http://www.openldap.org/).
++.B OpenLDAP
++is derived from University of Michigan LDAP 3.3 Release.
++
+--
+2.5.0
+
diff --git a/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
new file mode 100644
index 0000000..f0dd4e1
--- /dev/null
+++ b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
@@ -0,0 +1,40 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>
+Date: Tue, 18 May 2010 17:47:05 +0200
+Subject: Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL.
+ Open all modules with RTLD_GLOBAL, needed so that back_perl can load
+ non-trivial Perl extensions that require symbols from back_perl.so itself.
+Bug-Debian: http://bugs.debian.org/327585
+
+---
+--- a/servers/slapd/module.c
++++ b/servers/slapd/module.c
+@@ -117,6 +117,20 @@ int module_unload( const char *file_name
+ return -1; /* not found */
+ }
+
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++ lt_dlhandle handle = 0;
++ lt_dladvise advise;
++
++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++ && !lt_dladvise_global (&advise))
++ handle = lt_dlopenadvise (filename, advise);
++
++ lt_dladvise_destroy (&advise);
++
++ return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ module_loaded_t *module;
+@@ -180,7 +194,7 @@ int module_load(const char* file_name, i
+ * to calling Debug. This is because Debug is a macro that expands
+ * into multiple function calls.
+ */
+- if ((module->lib = lt_dlopenext(file)) == NULL) {
++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ strcpy( ebuf, error );
diff --git a/debian/patches/wrong-database-location b/debian/patches/wrong-database-location
new file mode 100644
index 0000000..25d96cb
--- /dev/null
+++ b/debian/patches/wrong-database-location
@@ -0,0 +1,74 @@
+Move the default slapd database location to /var/lib/ldap instead of
+/var/openldap-data.
+
+Debian-specific.
+
+--- a/doc/man/man5/slapd-bdb.5
++++ b/doc/man/man5/slapd-bdb.5
+@@ -131,7 +131,7 @@ Specify the directory where the BDB file
+ associated indexes live.
+ A separate directory must be specified for each database.
+ The default is
+-.BR LOCALSTATEDIR/openldap\-data .
++.BR LOCALSTATEDIR/lib/ldap .
+ .TP
+ .B dirtyread
+ Allow reads of modified but not yet committed data.
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -2007,7 +2007,7 @@ suffix "dc=our\-domain,dc=com"
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-directory LOCALSTATEDIR/openldap\-data
++directory LOCALSTATEDIR/lib/ldap
+ # Indices to maintain
+ index objectClass eq
+ index cn,sn,mail pres,eq,approx,sub
+--- a/include/ldap_defaults.h
++++ b/include/ldap_defaults.h
+@@ -47,7 +47,7 @@
+ /* location of the default slapd config file */
+ #define SLAPD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf"
+ #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
+-#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
++#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap"
+ #define SLAPD_DEFAULT_DB_MODE 0600
+ #define SLAPD_DEFAULT_UCDATA LDAP_DATADIR LDAP_DIRSEP "ucdata"
+ /* default max deref depth for aliases */
+--- a/servers/slapd/Makefile.in
++++ b/servers/slapd/Makefile.in
+@@ -445,9 +445,9 @@ install-conf: FORCE
+
+ install-db-config: FORCE
+ @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
+- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
++ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap
+ $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
++ $(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example
+ $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+ $(DESTDIR)$(sysconfdir)/DB_CONFIG.example
+
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -2051,7 +2051,7 @@ olcSuffix: "dc=our\-domain,dc=com"
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-olcDbDirectory: LOCALSTATEDIR/openldap\-data
++olcDbDirectory: LOCALSTATEDIR/lib/ldap
+ # Indices to maintain
+ olcDbIndex: objectClass eq
+ olcDbIndex: cn,sn,mail pres,eq,approx,sub
+--- a/doc/man/man5/slapd-mdb.5
++++ b/doc/man/man5/slapd-mdb.5
+@@ -52,7 +52,7 @@ Specify the directory where the LMDB fil
+ associated indexes live.
+ A separate directory must be specified for each database.
+ The default is
+-.BR LOCALSTATEDIR/openldap\-data .
++.BR LOCALSTATEDIR/lib/ldap .
+ .TP
+ \fBenvflags \fR{\fBnosync\fR,\fBnometasync\fR,\fBwritemap\fR,\fBmapasync\fR,\fBnordahead\fR}
+ Specify flags for finer-grained control of the LMDB library's operation.