From 2886df93860f983d875b7d6acb418faa31491d5a Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sat, 27 Apr 2024 13:11:40 +0200 Subject: Adding debian version 2.4.57+dfsg-3+deb11u1. Signed-off-by: Daniel Baumann --- ...-Add-debug-logging-for-more-GnuTLS-errors.patch | 110 +++++++++ .../ITS-9454-fix-issuerAndThisUpdateCheck.patch | 25 ++ .../ITS-9815-slapd-sql-escape-filter-values.patch | 268 +++++++++++++++++++++ .../ITS6035-olcauthzregex-needs-restart.patch | 13 + debian/patches/add-tlscacert-option-to-ldap-conf | 10 + debian/patches/contrib-makefiles | 185 ++++++++++++++ debian/patches/debian-version | 14 ++ debian/patches/do-not-second-guess-sonames | 68 ++++++ debian/patches/evolution-ntlm | 222 +++++++++++++++++ debian/patches/fix-build-top-mk | 11 + debian/patches/getaddrinfo-is-threadsafe | 43 ++++ debian/patches/index-files-created-as-root | 37 +++ debian/patches/lastbind-makefile-manpage | 46 ++++ debian/patches/ldap-conf-tls-cacertdir | 29 +++ debian/patches/ldapi-socket-place | 16 ++ debian/patches/libldap-symbol-versions | 161 +++++++++++++ debian/patches/man-slapd | 60 +++++ debian/patches/no-bdb-ABI-second-guessing | 42 ++++ debian/patches/sasl-default-path | 55 +++++ debian/patches/series | 24 ++ debian/patches/set-maintainer-name | 16 ++ debian/patches/slapi-errorlog-file | 16 ++ debian/patches/smbk5pwd-makefile-manpage | 251 +++++++++++++++++++ ...-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff | 40 +++ debian/patches/wrong-database-location | 74 ++++++ 25 files changed, 1836 insertions(+) create mode 100644 debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch create mode 100644 debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch create mode 100644 debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch create mode 100644 debian/patches/ITS6035-olcauthzregex-needs-restart.patch create mode 100644 debian/patches/add-tlscacert-option-to-ldap-conf create mode 100644 debian/patches/contrib-makefiles create mode 100644 debian/patches/debian-version create mode 100644 debian/patches/do-not-second-guess-sonames create mode 100644 debian/patches/evolution-ntlm create mode 100644 debian/patches/fix-build-top-mk create mode 100644 debian/patches/getaddrinfo-is-threadsafe create mode 100644 debian/patches/index-files-created-as-root create mode 100644 debian/patches/lastbind-makefile-manpage create mode 100644 debian/patches/ldap-conf-tls-cacertdir create mode 100644 debian/patches/ldapi-socket-place create mode 100644 debian/patches/libldap-symbol-versions create mode 100644 debian/patches/man-slapd create mode 100644 debian/patches/no-bdb-ABI-second-guessing create mode 100644 debian/patches/sasl-default-path create mode 100644 debian/patches/series create mode 100644 debian/patches/set-maintainer-name create mode 100644 debian/patches/slapi-errorlog-file create mode 100644 debian/patches/smbk5pwd-makefile-manpage create mode 100644 debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff create mode 100644 debian/patches/wrong-database-location (limited to 'debian/patches') diff --git a/debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch b/debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch new file mode 100644 index 0000000..c391244 --- /dev/null +++ b/debian/patches/ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch @@ -0,0 +1,110 @@ +From 82ce81ee7ad4a252aed2d6a10ea808ff18a65ffd Mon Sep 17 00:00:00 2001 +From: Ryan Tandy +Date: Sun, 22 Sep 2019 03:08:30 +0000 +Subject: [PATCH] ITS#9086 Add debug logging for more GnuTLS errors + +--- + libraries/libldap/tls_g.c | 56 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 49 insertions(+), 7 deletions(-) + +diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c +index f3b4cd710..249f7e8d5 100644 +--- a/libraries/libldap/tls_g.c ++++ b/libraries/libldap/tls_g.c +@@ -188,9 +188,16 @@ tlsg_getfile( const char *path, gnutls_datum_t *buf ) + { + int rc = -1, fd; + struct stat st; ++ char ebuf[128]; + + fd = open( path, O_RDONLY ); +- if ( fd >= 0 && fstat( fd, &st ) == 0 ) { ++ if ( fd < 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: opening `%s' failed: %s\n", ++ path, AC_STRERROR_R( errno, ebuf, sizeof ebuf ), NULL ); ++ return -1; ++ } ++ if ( fstat( fd, &st ) == 0 ) { + buf->size = st.st_size; + buf->data = LDAP_MALLOC( st.st_size + 1 ); + if ( buf->data ) { +@@ -236,7 +243,17 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + ctx->cred, + lt->lt_cacertfile, + GNUTLS_X509_FMT_PEM ); +- if ( rc < 0 ) return -1; ++ if ( rc < 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use CA certificate file `%s': %s (%d)\n", ++ lo->ldo_tls_cacertfile, gnutls_strerror( rc ), rc ); ++ return -1; ++ } else if ( rc == 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: warning: no certificate loaded from CA certificate file `%s'.\n", ++ lo->ldo_tls_cacertfile, NULL, NULL ); ++ /* only warn, no return */ ++ } + } + + if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) { +@@ -254,18 +271,38 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + * do some special checks here... + */ + rc = tlsg_getfile( lt->lt_keyfile, &buf ); +- if ( rc ) return -1; ++ if ( rc ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use private key file `%s`.\n", ++ lt->lt_keyfile, NULL, NULL ); ++ return -1; ++ } + rc = gnutls_x509_privkey_import( key, &buf, + GNUTLS_X509_FMT_PEM ); + LDAP_FREE( buf.data ); +- if ( rc < 0 ) return rc; ++ if ( rc < 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use private key: %s (%d)\n", ++ gnutls_strerror( rc ), rc, NULL ); ++ return rc; ++ } + + rc = tlsg_getfile( lt->lt_certfile, &buf ); +- if ( rc ) return -1; ++ if ( rc ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use certificate file `%s`.\n", ++ lt->lt_certfile, NULL, NULL ); ++ return -1; ++ } + rc = gnutls_x509_crt_list_import( certs, &max, &buf, + GNUTLS_X509_FMT_PEM, 0 ); + LDAP_FREE( buf.data ); +- if ( rc < 0 ) return rc; ++ if ( rc < 0 ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use certificate: %s (%d)\n", ++ gnutls_strerror( rc ), rc, NULL ); ++ return rc; ++ } + + /* If there's only one cert and it's not self-signed, + * then we have to build the cert chain. +@@ -282,7 +319,12 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) + } + } + rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key ); +- if ( rc ) return -1; ++ if ( rc ) { ++ Debug( LDAP_DEBUG_ANY, ++ "TLS: could not use certificate with key: %s (%d)\n", ++ gnutls_strerror( rc ), rc, NULL ); ++ return -1; ++ } + } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) { + Debug( LDAP_DEBUG_ANY, + "TLS: only one of certfile and keyfile specified\n", +-- +2.20.1 + diff --git a/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch b/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch new file mode 100644 index 0000000..a9b724a --- /dev/null +++ b/debian/patches/ITS-9454-fix-issuerAndThisUpdateCheck.patch @@ -0,0 +1,25 @@ +From 9badb73425a67768c09bcaed1a9c26c684af6c30 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Sat, 6 Feb 2021 20:52:06 +0000 +Subject: [PATCH] ITS#9454 fix issuerAndThisUpdateCheck + +--- + servers/slapd/schema_init.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c +index 31be1154ef..8b1e255393 100644 +--- a/servers/slapd/schema_init.c ++++ b/servers/slapd/schema_init.c +@@ -3900,6 +3900,8 @@ issuerAndThisUpdateCheck( + break; + } + } ++ if ( tu->bv_len < STRLENOF("YYYYmmddHHmmssZ") ) return LDAP_INVALID_SYNTAX; ++ + x.bv_val += tu->bv_len + 1; + x.bv_len -= tu->bv_len + 1; + +-- +2.20.1 + diff --git a/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch b/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch new file mode 100644 index 0000000..28e681d --- /dev/null +++ b/debian/patches/ITS-9815-slapd-sql-escape-filter-values.patch @@ -0,0 +1,268 @@ +From 87df6c19915042430540931d199a39105544a134 Mon Sep 17 00:00:00 2001 +From: Howard Chu +Date: Wed, 23 Mar 2022 12:43:31 +0000 +Subject: [PATCH] ITS#9815 slapd-sql: escape filter values + +--- + servers/slapd/back-sql/search.c | 123 +++++++++++++++++++++++++++----- + 1 file changed, 105 insertions(+), 18 deletions(-) + +--- a/servers/slapd/back-sql/search.c ++++ b/servers/slapd/back-sql/search.c +@@ -63,6 +63,38 @@ + ID *lastid ); + #endif /* ! BACKSQL_ARBITRARY_KEY */ + ++/* Look for chars that need to be escaped, return count of them. ++ * If out is non-NULL, copy escape'd val to it. ++ */ ++static int ++backsql_val_escape( Operation *op, struct berval *in, struct berval *out ) ++{ ++ char *ptr, *end; ++ int q = 0; ++ ++ ptr = in->bv_val; ++ end = ptr + in->bv_len; ++ while (ptr < end) { ++ if ( *ptr == '\'' ) ++ q++; ++ ptr++; ++ } ++ if ( q && out ) { ++ char *dst; ++ out->bv_len = in->bv_len + q; ++ out->bv_val = op->o_tmpalloc( out->bv_len + 1, op->o_tmpmemctx ); ++ ptr = in->bv_val; ++ dst = out->bv_val; ++ while (ptr < end ) { ++ if ( *ptr == '\'' ) ++ *dst++ = '\''; ++ *dst++ = *ptr++; ++ } ++ *dst = '\0'; ++ } ++ return q; ++} ++ + static int + backsql_attrlist_add( backsql_srch_info *bsi, AttributeDescription *ad ) + { +@@ -429,6 +461,8 @@ + backsql_info *bi = (backsql_info *)bsi->bsi_op->o_bd->be_private; + int i; + int casefold = 0; ++ int escaped = 0; ++ struct berval escval, *fvalue; + + if ( !f ) { + return 0; +@@ -462,50 +496,68 @@ + + BER_BVZERO( &bv ); + if ( f->f_sub_initial.bv_val ) { +- bv.bv_len += f->f_sub_initial.bv_len; ++ bv.bv_len += f->f_sub_initial.bv_len + backsql_val_escape( NULL, &f->f_sub_initial, NULL ); + } + if ( f->f_sub_any != NULL ) { + for ( a = 0; f->f_sub_any[ a ].bv_val != NULL; a++ ) { +- bv.bv_len += f->f_sub_any[ a ].bv_len; ++ bv.bv_len += f->f_sub_any[ a ].bv_len + backsql_val_escape( NULL, &f->f_sub_any[ a ], NULL ); + } + } + if ( f->f_sub_final.bv_val ) { +- bv.bv_len += f->f_sub_final.bv_len; ++ bv.bv_len += f->f_sub_final.bv_len + backsql_val_escape( NULL, &f->f_sub_final, NULL ); + } + bv.bv_len = 2 * bv.bv_len - 1; + bv.bv_val = ch_malloc( bv.bv_len + 1 ); + + s = 0; + if ( !BER_BVISNULL( &f->f_sub_initial ) ) { +- bv.bv_val[ s ] = f->f_sub_initial.bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_initial.bv_len; i++ ) { ++ fvalue = &f->f_sub_initial; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_initial.bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } + bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + + if ( f->f_sub_any != NULL ) { + for ( a = 0; !BER_BVISNULL( &f->f_sub_any[ a ] ); a++ ) { +- bv.bv_val[ s ] = f->f_sub_any[ a ].bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_any[ a ].bv_len; i++ ) { ++ fvalue = &f->f_sub_any[ a ]; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_any[ a ].bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } + bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + } + + if ( !BER_BVISNULL( &f->f_sub_final ) ) { +- bv.bv_val[ s ] = f->f_sub_final.bv_val[ 0 ]; +- for ( i = 1; i < f->f_sub_final.bv_len; i++ ) { ++ fvalue = &f->f_sub_final; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; ++ bv.bv_val[ s ] = fvalue->bv_val[ 0 ]; ++ for ( i = 1; i < fvalue->bv_len; i++ ) { + bv.bv_val[ s + 2 * i - 1 ] = '%'; +- bv.bv_val[ s + 2 * i ] = f->f_sub_final.bv_val[ i ]; ++ bv.bv_val[ s + 2 * i ] = fvalue->bv_val[ i ]; + } +- bv.bv_val[ s + 2 * i - 1 ] = '%'; ++ bv.bv_val[ s + 2 * i - 1 ] = '%'; + s += 2 * i; ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + } + + bv.bv_val[ s - 1 ] = '\0'; +@@ -561,11 +613,17 @@ + f->f_sub_initial.bv_val, 0 ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_initial; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "b", +- &f->f_sub_initial ); ++ fvalue ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); + } +@@ -586,12 +644,18 @@ + i, f->f_sub_any[ i ].bv_val ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_any[ i ]; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "bc", +- &f->f_sub_any[ i ], ++ fvalue, + '%' ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + /* + * Note: toupper('%') = '%' +@@ -611,11 +675,17 @@ + f->f_sub_final.bv_val, 0 ); + #endif /* BACKSQL_TRACE */ + ++ fvalue = &f->f_sub_final; ++ escaped = backsql_val_escape( bsi->bsi_op, fvalue, &escval ); ++ if ( escaped ) ++ fvalue = &escval; + start = bsi->bsi_flt_where.bb_val.bv_len; + backsql_strfcat_x( &bsi->bsi_flt_where, + bsi->bsi_op->o_tmpmemctx, + "b", +- &f->f_sub_final ); ++ fvalue ); ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); + if ( casefold && BACKSQL_AT_CANUPPERCASE( at ) ) { + ldap_pvt_str2upper( &bsi->bsi_flt_where.bb_val.bv_val[ start ] ); + } +@@ -1183,6 +1253,8 @@ + struct berval *filter_value = NULL; + MatchingRule *matching_rule = NULL; + struct berval ordering = BER_BVC("<="); ++ struct berval escval; ++ int escaped = 0; + + Debug( LDAP_DEBUG_TRACE, "==>backsql_process_filter_attr(%s)\n", + at->bam_ad->ad_cname.bv_val, 0, 0 ); +@@ -1237,6 +1309,10 @@ + casefold = 1; + } + ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; ++ + /* FIXME: directoryString filtering should use a similar + * approach to deal with non-prettified values like + * " A non prettified value ", by using a LIKE +@@ -1317,6 +1393,10 @@ + casefold = 1; + } + ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; ++ + /* + * FIXME: should we uppercase the operands? + */ +@@ -1350,7 +1430,7 @@ + &at->bam_sel_expr, + &ordering, + '\'', +- &f->f_av_value, ++ filter_value, + (ber_len_t)STRLENOF( /* (' */ "')" ), + /* ( */ "')" ); + } +@@ -1374,13 +1454,17 @@ + case LDAP_FILTER_APPROX: + /* we do our best */ + ++ filter_value = &f->f_av_value; ++ escaped = backsql_val_escape( bsi->bsi_op, filter_value, &escval ); ++ if ( escaped ) ++ filter_value = &escval; + /* + * maybe we should check type of at->sel_expr here somehow, + * to know whether upper_func is applicable, but for now + * upper_func stuff is made for Oracle, where UPPER is + * safely applicable to NUMBER etc. + */ +- (void)backsql_process_filter_like( bsi, at, 1, &f->f_av_value ); ++ (void)backsql_process_filter_like( bsi, at, 1, filter_value ); + break; + + default: +@@ -1394,6 +1478,9 @@ + + } + ++ if ( escaped ) ++ bsi->bsi_op->o_tmpfree( escval.bv_val, bsi->bsi_op->o_tmpmemctx ); ++ + Debug( LDAP_DEBUG_TRACE, "<==backsql_process_filter_attr(%s)\n", + at->bam_ad->ad_cname.bv_val, 0, 0 ); + diff --git a/debian/patches/ITS6035-olcauthzregex-needs-restart.patch b/debian/patches/ITS6035-olcauthzregex-needs-restart.patch new file mode 100644 index 0000000..acd3c6f --- /dev/null +++ b/debian/patches/ITS6035-olcauthzregex-needs-restart.patch @@ -0,0 +1,13 @@ +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -409,6 +409,10 @@ + and replacement patterns. The matching patterns are checked in the order they + appear in the attribute, stopping at the first successful match. + ++Note that changes to ++.B olcAuthzRegexp ++take effect the next time the server is started, not immediately upon ++changing the configuration. + .\".B Caution: + .\"Because the plus sign + is a character recognized by the regular expression engine, + .\"and it will appear in names that include a REALM, be careful to escape the diff --git a/debian/patches/add-tlscacert-option-to-ldap-conf b/debian/patches/add-tlscacert-option-to-ldap-conf new file mode 100644 index 0000000..e8e731a --- /dev/null +++ b/debian/patches/add-tlscacert-option-to-ldap-conf @@ -0,0 +1,10 @@ +--- a/libraries/libldap/ldap.conf ++++ b/libraries/libldap/ldap.conf +@@ -11,3 +11,7 @@ + #SIZELIMIT 12 + #TIMELIMIT 15 + #DEREF never ++ ++# TLS certificates (needed for GnuTLS) ++TLS_CACERT /etc/ssl/certs/ca-certificates.crt ++ diff --git a/debian/patches/contrib-makefiles b/debian/patches/contrib-makefiles new file mode 100644 index 0000000..2f20843 --- /dev/null +++ b/debian/patches/contrib-makefiles @@ -0,0 +1,185 @@ +--- a/contrib/slapd-modules/passwd/Makefile ++++ b/contrib/slapd-modules/passwd/Makefile +@@ -13,7 +13,7 @@ + INCS = $(LDAP_INC) + LIBS = $(LDAP_LIB) + +-PROGRAMS = pw-kerberos.la pw-netscape.la pw-radius.la pw-apr1.la ++PROGRAMS = pw-netscape.la pw-apr1.la + LTVER = 0:0:0 + + prefix=/usr/local +@@ -27,24 +27,24 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + pw-kerberos.la: kerberos.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? -lkrb5 + + pw-netscape.la: netscape.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? + + pw-radius.la: radius.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? -lradius + + pw-apr1.la: apr1.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? + + clean: +--- a/contrib/slapd-modules/passwd/pbkdf2/Makefile ++++ b/contrib/slapd-modules/passwd/pbkdf2/Makefile +@@ -12,7 +12,7 @@ + #DEFS = -DSLAPD_PBKDF2_DEBUG + + INCS = $(LDAP_INC) +-LIBS = $(LDAP_LIB) -lcrypto ++LIBS = $(LDAP_LIB) -lnettle + + PROGRAMS = pw-pbkdf2.la + LTVER = 0:0:0 +@@ -30,12 +30,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + pw-pbkdf2.la: pw-pbkdf2.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: +--- a/contrib/slapd-modules/smbk5pwd/Makefile ++++ b/contrib/slapd-modules/smbk5pwd/Makefile +@@ -19,10 +19,10 @@ + $(LDAP_BUILD)/libraries/liblber/liblber.la + + SSL_INC = +-SSL_LIB = -lcrypto ++SSL_LIB = -lnettle + +-HEIMDAL_INC = -I/usr/heimdal/include +-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv ++HEIMDAL_INC = $(shell krb5-config.heimdal --cflags krb5 kadm-server) ++HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server) + + LIBTOOL = $(LDAP_BUILD)/libtool + CC = gcc +@@ -30,7 +30,8 @@ + # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it. + DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW + INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC) +-LIBS = $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB) ++# put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, #745356 ++LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB) + + PROGRAMS = smbk5pwd.la + LTVER = 0:0:0 +@@ -46,12 +47,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + smbk5pwd.la: smbk5pwd.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: +--- a/contrib/slapd-modules/autogroup/Makefile ++++ b/contrib/slapd-modules/autogroup/Makefile +@@ -27,12 +27,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + autogroup.la: autogroup.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: +--- a/contrib/slapd-modules/lastbind/Makefile ++++ b/contrib/slapd-modules/lastbind/Makefile +@@ -37,12 +37,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + lastbind.la: lastbind.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: +--- a/contrib/slapd-modules/passwd/sha2/Makefile ++++ b/contrib/slapd-modules/passwd/sha2/Makefile +@@ -28,12 +28,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + pw-sha2.la: slapd-sha2.lo sha2.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: +--- a/contrib/slapd-modules/passwd/argon2/Makefile ++++ b/contrib/slapd-modules/passwd/argon2/Makefile +@@ -14,7 +14,7 @@ + INCS = $(LDAP_INC) + LIBS = $(LDAP_LIB) + +-implementation = sodium ++implementation = argon2 + + ifeq ($(implementation),argon2) + LIBS += -largon2 +@@ -42,12 +42,12 @@ + .SUFFIXES: .c .o .lo + + .c.lo: +- $(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $< ++ $(LIBTOOL) --mode=compile $(CC) $(CFLAGS) $(CPPFLAGS) $(DEFS) $(INCS) -c $< + + all: $(PROGRAMS) + + pw-argon2.la: pw-argon2.lo +- $(LIBTOOL) --mode=link $(CC) $(OPT) -version-info $(LTVER) \ ++ $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -version-info $(LTVER) \ + -rpath $(moduledir) -module -o $@ $? $(LIBS) + + clean: diff --git a/debian/patches/debian-version b/debian/patches/debian-version new file mode 100644 index 0000000..542346b --- /dev/null +++ b/debian/patches/debian-version @@ -0,0 +1,14 @@ +Description: Replace upstream version with Debian version in version strings +Forwarded: not-needed +Author: Ryan Tandy +--- a/build/version.sh ++++ b/build/version.sh +@@ -40,7 +40,7 @@ + echo OL_API_INC=$ol_api_inc + echo OL_API_LIB_RELEASE=$ol_api_lib_release + echo OL_API_LIB_VERSION=$ol_api_lib_version +-echo OL_VERSION=$ol_version ++echo OL_VERSION=\"${DEB_VERSION:-$ol_version}\" + echo OL_TYPE=$ol_type + echo OL_STRING=\"${ol_string}\" + echo OL_RELEASE_DATE=\"${ol_release_date}\" diff --git a/debian/patches/do-not-second-guess-sonames b/debian/patches/do-not-second-guess-sonames new file mode 100644 index 0000000..bbf099c --- /dev/null +++ b/debian/patches/do-not-second-guess-sonames @@ -0,0 +1,68 @@ +Rip out code that second-guesses the libsasl soname / Debian shlibs. If +cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream +there, not kludged around upstream here! + +Debian bug #546885 + +Upstream ITS #6302 filed. + +--- a/libraries/libldap/cyrus.c ++++ b/libraries/libldap/cyrus.c +@@ -74,28 +74,6 @@ + */ + int ldap_int_sasl_init( void ) + { +-#ifdef HAVE_SASL_VERSION +- /* stringify the version number, sasl.h doesn't do it for us */ +-#define VSTR0(maj, min, pat) #maj "." #min "." #pat +-#define VSTR(maj, min, pat) VSTR0(maj, min, pat) +-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \ +- SASL_VERSION_STEP) +- { int rc; +- sasl_version( NULL, &rc ); +- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || +- (rc & 0xffff) < SASL_VERSION_STEP) { +- char version[sizeof("xxx.xxx.xxxxx")]; +- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff, +- rc & 0xffff ); +- +- Debug( LDAP_DEBUG_ANY, +- "ldap_int_sasl_init: SASL library version mismatch:" +- " expected " SASL_VERSION_STRING "," +- " got %s\n", version, 0, 0 ); +- return -1; +- } +- } +-#endif + + /* SASL 2 takes care of its own memory completely internally */ + #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC) +--- a/servers/slapd/sasl.c ++++ b/servers/slapd/sasl.c +@@ -1145,26 +1145,6 @@ int slap_sasl_init( void ) + #endif + + #ifdef HAVE_CYRUS_SASL +-#ifdef HAVE_SASL_VERSION +- /* stringify the version number, sasl.h doesn't do it for us */ +-#define VSTR0(maj, min, pat) #maj "." #min "." #pat +-#define VSTR(maj, min, pat) VSTR0(maj, min, pat) +-#define SASL_VERSION_STRING VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \ +- SASL_VERSION_STEP) +- +- sasl_version( NULL, &rc ); +- if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) || +- (rc & 0xffff) < SASL_VERSION_STEP) +- { +- char version[sizeof("xxx.xxx.xxxxx")]; +- sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff, +- rc & 0xffff ); +- Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:" +- " expected %s, got %s\n", +- SASL_VERSION_STRING, version, 0 ); +- return -1; +- } +-#endif + + sasl_set_mutex( + ldap_pvt_sasl_mutex_new, diff --git a/debian/patches/evolution-ntlm b/debian/patches/evolution-ntlm new file mode 100644 index 0000000..cd9bc26 --- /dev/null +++ b/debian/patches/evolution-ntlm @@ -0,0 +1,222 @@ +Patch from evolution-exchange (2.10.3). The ldap_ntlm_bind function is +actually called by evolution-data-server, checked at version 1.12.2. +Without this patch, the Exchange addressbook integration uses simple binds +with cleartext passwords. + +Russ checked with openldap-software for upstream's opinion on this patch +on 2007-12-21. Upstream had never received it as a patch submission and +given that it's apparently only for older Exchange servers that can't do +SASL and DIGEST-MD5, it's not very appealing. + +Bug#457374 filed against evolution-data-server asking if this support is +still required on 2007-12-21. + +--- a/include/ldap.h ++++ b/include/ldap.h +@@ -2517,5 +2517,25 @@ ldap_parse_deref_control LDAP_P(( + LDAPControl **ctrls, + LDAPDerefRes **drp )); + ++/* ++ * hacks for NTLM ++ */ ++#define LDAP_AUTH_NTLM_REQUEST ((ber_tag_t) 0x8aU) ++#define LDAP_AUTH_NTLM_RESPONSE ((ber_tag_t) 0x8bU) ++LDAP_F( int ) ++ldap_ntlm_bind LDAP_P(( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp )); ++LDAP_F( int ) ++ldap_parse_ntlm_bind_result LDAP_P(( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge)); ++ + LDAP_END_DECL + #endif /* _LDAP_H */ +--- /dev/null ++++ b/libraries/libldap/ntlm.c +@@ -0,0 +1,138 @@ ++/* $OpenLDAP: pkg/ldap/libraries/libldap/ntlm.c,v 1.1.4.10 2002/01/04 20:38:21 kurt Exp $ */ ++/* ++ * Copyright 1998-2002 The OpenLDAP Foundation, All Rights Reserved. ++ * COPYING RESTRICTIONS APPLY, see COPYRIGHT file ++ */ ++ ++/* Mostly copied from sasl.c */ ++ ++#include "portable.h" ++ ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#include "ldap-int.h" ++ ++int ++ldap_ntlm_bind( ++ LDAP *ld, ++ LDAP_CONST char *dn, ++ ber_tag_t tag, ++ struct berval *cred, ++ LDAPControl **sctrls, ++ LDAPControl **cctrls, ++ int *msgidp ) ++{ ++ BerElement *ber; ++ int rc; ++ ber_int_t id; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_ntlm_bind\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( msgidp != NULL ); ++ ++ if( msgidp == NULL ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ /* create a message to send */ ++ if ( (ber = ldap_alloc_ber_with_options( ld )) == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ assert( LBER_VALID( ber ) ); ++ ++ LDAP_NEXT_MSGID( ld, id ); ++ rc = ber_printf( ber, "{it{istON}" /*}*/, ++ id, LDAP_REQ_BIND, ++ ld->ld_version, dn, tag, ++ cred ); ++ ++ /* Put Server Controls */ ++ if( ldap_int_put_controls( ld, sctrls, ber ) != LDAP_SUCCESS ) { ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ if ( ber_printf( ber, /*{*/ "N}" ) == -1 ) { ++ ld->ld_errno = LDAP_ENCODING_ERROR; ++ ber_free( ber, 1 ); ++ return ld->ld_errno; ++ } ++ ++ /* send the message */ ++ *msgidp = ldap_send_initial_request( ld, LDAP_REQ_BIND, dn, ber, id ); ++ ++ if(*msgidp < 0) ++ return ld->ld_errno; ++ ++ return LDAP_SUCCESS; ++} ++ ++int ++ldap_parse_ntlm_bind_result( ++ LDAP *ld, ++ LDAPMessage *res, ++ struct berval *challenge) ++{ ++ ber_int_t errcode; ++ ber_tag_t tag; ++ BerElement *ber; ++ ber_len_t len; ++ ++ Debug( LDAP_DEBUG_TRACE, "ldap_parse_ntlm_bind_result\n", 0, 0, 0 ); ++ ++ assert( ld != NULL ); ++ assert( LDAP_VALID( ld ) ); ++ assert( res != NULL ); ++ ++ if ( ld == NULL || res == NULL ) { ++ return LDAP_PARAM_ERROR; ++ } ++ ++ if( res->lm_msgtype != LDAP_RES_BIND ) { ++ ld->ld_errno = LDAP_PARAM_ERROR; ++ return ld->ld_errno; ++ } ++ ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); ++ ld->ld_error = NULL; ++ } ++ if ( ld->ld_matched ) { ++ LDAP_FREE( ld->ld_matched ); ++ ld->ld_matched = NULL; ++ } ++ ++ /* parse results */ ++ ++ ber = ber_dup( res->lm_ber ); ++ ++ if( ber == NULL ) { ++ ld->ld_errno = LDAP_NO_MEMORY; ++ return ld->ld_errno; ++ } ++ ++ tag = ber_scanf( ber, "{ioa" /*}*/, ++ &errcode, challenge, &ld->ld_error ); ++ ber_free( ber, 0 ); ++ ++ if( tag == LBER_ERROR ) { ++ ld->ld_errno = LDAP_DECODING_ERROR; ++ return ld->ld_errno; ++ } ++ ++ ld->ld_errno = errcode; ++ ++ return( ld->ld_errno ); ++} ++ +--- a/libraries/libldap/Makefile.in ++++ b/libraries/libldap/Makefile.in +@@ -27,7 +27,7 @@ SRCS = bind.c open.c result.c error.c co + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ + tls2.c tls_o.c tls_g.c tls_m.c \ +- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ ++ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \ + assertion.c deref.c ldif.c fetch.c + + OBJS = bind.lo open.lo result.lo error.lo compare.lo search.lo \ +@@ -40,7 +40,7 @@ OBJS = bind.lo open.lo result.lo error.l + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ + tls2.lo tls_o.lo tls_g.lo tls_m.lo \ +- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ ++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \ + assertion.lo deref.lo ldif.lo fetch.lo + + LDAP_INCDIR= ../../include +--- a/libraries/libldap_r/Makefile.in ++++ b/libraries/libldap_r/Makefile.in +@@ -29,7 +29,7 @@ XXSRCS = apitest.c test.c \ + init.c options.c print.c string.c util-int.c schema.c \ + charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \ + tls2.c tls_o.c tls_g.c tls_m.c \ +- turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \ ++ turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c ntlm.c \ + assertion.c deref.c ldif.c fetch.c + SRCS = threads.c rdwr.c rmutex.c tpool.c rq.c \ + thr_posix.c thr_cthreads.c thr_thr.c thr_nt.c \ +@@ -47,7 +47,7 @@ OBJS = threads.lo rdwr.lo rmutex.lo tpoo + init.lo options.lo print.lo string.lo util-int.lo schema.lo \ + charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \ + tls2.lo tls_o.lo tls_g.lo tls_m.lo \ +- turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \ ++ turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo ntlm.lo \ + assertion.lo deref.lo ldif.lo fetch.lo + + LDAP_INCDIR= ../../include diff --git a/debian/patches/fix-build-top-mk b/debian/patches/fix-build-top-mk new file mode 100644 index 0000000..418fe35 --- /dev/null +++ b/debian/patches/fix-build-top-mk @@ -0,0 +1,11 @@ +--- a/build/top.mk ++++ b/build/top.mk +@@ -20,7 +20,7 @@ + RELEASEDATE= @OPENLDAP_RELEASE_DATE@ + + @SET_MAKE@ +-SHELL = /bin/sh ++SHELL = @SHELL@ + + top_builddir = @top_builddir@ + diff --git a/debian/patches/getaddrinfo-is-threadsafe b/debian/patches/getaddrinfo-is-threadsafe new file mode 100644 index 0000000..ab6e2b7 --- /dev/null +++ b/debian/patches/getaddrinfo-is-threadsafe @@ -0,0 +1,43 @@ +Author: Steve Langasek + +OpenLDAP upstream conservatively assumes that certain resolver functions +(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we +know that the glibc implementations of these functions are thread-safe, so +we should bypass the use of this mutex. This fixes a locking problem when +an application uses libldap and libnss-ldap is also used for hosts +resolution. + +Closes Debian bug #340601. + +Not suitable for forwarding upstream; might be made suitable by adding a +configure-time check for glibc and disabling the mutex only on known +thread-safe implementations. + +--- a/libraries/libldap/os-ip.c ++++ b/libraries/libldap/os-ip.c +@@ -602,13 +602,7 @@ ldap_connect_to_host(LDAP *ld, Sockbuf * + hints.ai_socktype = socktype; + snprintf(serv, sizeof serv, "%d", port ); + +- /* most getaddrinfo(3) use non-threadsafe resolver libraries */ +- LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex); +- + err = getaddrinfo( host, serv, &hints, &res ); +- +- LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex); +- + if ( err != 0 ) { + osip_debug(ld, "ldap_connect_to_host: getaddrinfo failed: %s\n", + AC_GAI_STRERROR(err), 0, 0); +--- a/libraries/libldap/util-int.c ++++ b/libraries/libldap/util-int.c +@@ -431,9 +431,7 @@ int ldap_pvt_get_hname( + int rc; + #if defined( HAVE_GETNAMEINFO ) + +- LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex ); + rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 ); +- LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex ); + if ( rc ) *err = (char *)AC_GAI_STRERROR( rc ); + return rc; + diff --git a/debian/patches/index-files-created-as-root b/debian/patches/index-files-created-as-root new file mode 100644 index 0000000..263b014 --- /dev/null +++ b/debian/patches/index-files-created-as-root @@ -0,0 +1,37 @@ +Document in the man page that slapindex should be run as the same user +as slapd, and print a warning if it's run as root (since Debian defaults +to running slapd as openldap). + +Not suitable for upstream in this form. This patch needs to be reworked +to check the BerkeleyDB database ownership and only warn if running as +root with a database that's not owned by root. + +Upstream ITS #5356 filed requesting better handling of this. Current +upstream discussion leans towards putting the check into the database +backend and aborting if slapd is run as a different user than the database +owner, which is an even better fix. + +--- a/doc/man/man8/slapindex.8 ++++ b/doc/man/man8/slapindex.8 +@@ -148,6 +148,10 @@ + should not be running (at least, not in read-write + mode) when you do this to ensure consistency of the database. + .LP ++slapindex ought to be run as the user specified for ++.BR slapd (8) ++to ensure correct database permissions. ++.LP + This command provides ample opportunity for the user to obtain + and drink their favorite beverage. + .SH EXAMPLES +--- a/servers/slapd/slapindex.c ++++ b/servers/slapd/slapindex.c +@@ -34,6 +34,8 @@ + int + slapindex( int argc, char **argv ) + { ++ if (geteuid() == 0) ++ fprintf( stderr, "\nWARNING!\nRunning as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n"); + ID id; + int rc = EXIT_SUCCESS; + const char *progname = "slapindex"; diff --git a/debian/patches/lastbind-makefile-manpage b/debian/patches/lastbind-makefile-manpage new file mode 100644 index 0000000..66e5a79 --- /dev/null +++ b/debian/patches/lastbind-makefile-manpage @@ -0,0 +1,46 @@ +--- a/contrib/slapd-modules/lastbind/Makefile ++++ b/contrib/slapd-modules/lastbind/Makefile +@@ -17,6 +17,7 @@ + $(LDAP_BUILD)/libraries/liblber/liblber.la + + LIBTOOL = $(LDAP_BUILD)/libtool ++INSTALL = /usr/bin/install + CC = gcc + OPT = -g -O2 -Wall + DEFS = -DSLAPD_OVER_LASTBIND=SLAPD_MOD_DYNAMIC +@@ -25,6 +26,7 @@ + + PROGRAMS = lastbind.la + LTVER = 0:0:0 ++MANPAGES = slapo-lastbind.5 + + prefix=/usr/local + exec_prefix=$(prefix) +@@ -33,6 +35,8 @@ + libdir=$(exec_prefix)/lib + libexecdir=$(exec_prefix)/libexec + moduledir = $(libexecdir)$(ldap_subdir) ++mandir = $(exec_prefix)/share/man ++man5dir = $(mandir)/man5 + + .SUFFIXES: .c .o .lo + +@@ -48,9 +52,17 @@ + clean: + rm -rf *.o *.lo *.la .libs + +-install: $(PROGRAMS) ++install: install-lib install-man FORCE ++ ++install-lib: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + ++install-man: $(MANPAGES) ++ mkdir -p $(DESTDIR)$(man5dir) ++ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) ++ ++FORCE: ++ diff --git a/debian/patches/ldap-conf-tls-cacertdir b/debian/patches/ldap-conf-tls-cacertdir new file mode 100644 index 0000000..e8aab91 --- /dev/null +++ b/debian/patches/ldap-conf-tls-cacertdir @@ -0,0 +1,29 @@ +--- a/doc/man/man5/ldap.conf.5 ++++ b/doc/man/man5/ldap.conf.5 +@@ -317,7 +317,7 @@ certificates in separate individual file + .B TLS_CACERT + is always used before + .B TLS_CACERTDIR. +-This parameter is ignored with GnuTLS. ++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS. + + When using Mozilla NSS, may contain a Mozilla NSS cert/key + database. If contains a Mozilla NSS cert/key database and +@@ -428,7 +428,7 @@ This parameter is ignored with GnuTLS. + Specifies the file to obtain random bits from when /dev/[u]random is + not available. Generally set to the name of the EGD/PRNGD socket. + The environment variable RANDFILE can also be used to specify the filename. +-This parameter is ignored with GnuTLS and Mozilla NSS. ++This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS. + .TP + .B TLS_REQCERT + Specifies what checks to perform on server certificates in a TLS session, +@@ -461,7 +461,7 @@ Specifies if the Certificate Revocation + used to verify if the server certificates have not been revoked. This + requires + .B TLS_CACERTDIR +-parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS. ++parameter to be set. This parameter is ignored with GnuTLS and Mozilla NSS. On Debian openldap is linked against GnuTLS. + .B + can be specified as one of the following keywords: + .RS diff --git a/debian/patches/ldapi-socket-place b/debian/patches/ldapi-socket-place new file mode 100644 index 0000000..a482bbf --- /dev/null +++ b/debian/patches/ldapi-socket-place @@ -0,0 +1,16 @@ +Move the ldapi socket to /var/run/slapd from /var/run, since /var/run +is only writable by root and slapd runs as openldap. + +Debian-specific. + +--- a/include/ldap_defaults.h ++++ b/include/ldap_defaults.h +@@ -39,7 +39,7 @@ + #define LDAP_ENV_PREFIX "LDAP" + + /* default ldapi:// socket */ +-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi" ++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi" + + /* + * SLAPD DEFINITIONS diff --git a/debian/patches/libldap-symbol-versions b/debian/patches/libldap-symbol-versions new file mode 100644 index 0000000..fb28f49 --- /dev/null +++ b/debian/patches/libldap-symbol-versions @@ -0,0 +1,161 @@ +Add symbol versioning to the public LDAP libraries. This is required for +library transitions, such as the current transition from 2.1 to 2.4, +since programs will sometimes have both libraries loaded by different +dependency chains during the transition. + +Not yet contributed upstream. + +Upstream ITS #5365 filed requesting symbol versioning for libldap and +libber. + +--- a/libraries/libldap_r/Makefile.in ++++ b/libraries/libldap_r/Makefile.in +@@ -61,6 +61,9 @@ XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) + XXXLIBS = $(LTHREAD_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) + UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) $(LTHREAD_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = "$(VERSION_OPTION)$(XXDIR)/libldap.map" ++endif + + .links : Makefile + @for i in $(XXSRCS); do \ +--- a/build/top.mk ++++ b/build/top.mk +@@ -104,6 +104,9 @@ LTFLAGS_MOD = $(@PLAT@_LTFLAGS_MOD) + # LINK_LIBS referenced in library and module link commands. + LINK_LIBS = $(MOD_LIBS) $(@PLAT@_LINK_LIBS) + ++# option to pass to $(CC) to support library symbol versioning, if any ++VERSION_OPTION = @VERSION_OPTION@ ++ + LTSTATIC = @LTSTATIC@ + + LTLINK = $(LIBTOOL) --mode=link \ +@@ -113,7 +116,7 @@ LTCOMPILE_LIB = $(LIBTOOL) $(LTONLY_LIB) + $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(LIB_DEFS) -c + + LTLINK_LIB = $(LIBTOOL) $(LTONLY_LIB) --mode=link \ +- $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) ++ $(CC) $(LT_CFLAGS) $(LDFLAGS) $(LTFLAGS_LIB) $(VERSION_FLAGS) + + LTCOMPILE_MOD = $(LIBTOOL) $(LTONLY_MOD) --mode=compile \ + $(CC) $(LT_CFLAGS) $(LT_CPPFLAGS) $(MOD_DEFS) -c +--- a/build/openldap.m4 ++++ b/build/openldap.m4 +@@ -1136,3 +1136,54 @@ AC_DEFUN([OL_SSL_COMPAT], + #endif + ], [ol_cv_ssl_crl_compat=yes], [ol_cv_ssl_crl_compat=no])]) + ]) ++ ++dnl ==================================================================== ++dnl check for symbol versioning support ++AC_DEFUN([OL_SYMBOL_VERSIONING], ++[AC_CACHE_CHECK([for .symver assembler directive], ++ [ol_cv_asm_symver_directive],[ ++cat > conftest.s <&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then ++ ol_cv_asm_symver_directive=yes ++else ++ ol_cv_asm_symver_directive=no ++fi ++rm -f conftest*]) ++AC_CACHE_CHECK([for ld --version-script], ++ [ol_cv_ld_version_script_option],[ ++if test $ol_cv_asm_symver_directive = yes; then ++ cat > conftest.s < conftest.map <&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD; then ++ if AC_TRY_COMMAND([${CC-cc} $CFLAGS $LDFLAGS -shared ++ -o conftest.so conftest.o ++ -Wl,--version-script,conftest.map ++ 1>&AS_MESSAGE_LOG_FD]); ++ then ++ ol_cv_ld_version_script_option=yes ++ else ++ ol_cv_ld_version_script_option=no ++ fi ++ else ++ ol_cv_ld_version_script_option=no ++ fi ++else ++ ol_cv_ld_version_script_option=no ++fi ++rm -f conftest*])]) +--- a/configure.in ++++ b/configure.in +@@ -1909,6 +1909,13 @@ else + fi + AC_SUBST(LTSTATIC)dnl + ++VERSION_OPTION="" ++OL_SYMBOL_VERSIONING ++if test $ol_cv_ld_version_script_option = yes ; then ++ VERSION_OPTION="-Wl,--version-script=" ++fi ++AC_SUBST(VERSION_OPTION) ++ + dnl ---------------------------------------------------------------- + if test $ol_enable_wrappers != no ; then + AC_CHECK_HEADERS(tcpd.h,[ +--- /dev/null ++++ b/libraries/libldap/libldap.map +@@ -0,0 +1,7 @@ ++OPENLDAP_2.4_2 { ++ global: ++ ldap_*; ++ ldif_*; ++ local: ++ *; ++}; +--- a/libraries/libldap/Makefile.in ++++ b/libraries/libldap/Makefile.in +@@ -52,6 +52,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLBER_LA) $( + XXLIBS = $(SECURITY_LIBS) $(LUTIL_LIBS) + NT_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) + UNIX_LINK_LIBS = $(LDAP_LIBLBER_LA) $(AC_LIBS) $(SECURITY_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = $(VERSION_OPTION)$(srcdir)/libldap.map ++endif + + apitest: $(XLIBS) apitest.o + $(LTLINK) -o $@ apitest.o $(LIBS) +--- a/libraries/liblber/Makefile.in ++++ b/libraries/liblber/Makefile.in +@@ -38,6 +38,9 @@ XLIBS = $(LIBRARY) $(LDAP_LIBLUTIL_A) + XXLIBS = + NT_LINK_LIBS = $(AC_LIBS) + UNIX_LINK_LIBS = $(AC_LIBS) ++ifneq (,$(VERSION_OPTION)) ++ VERSION_FLAGS = "$(VERSION_OPTION)$(srcdir)/liblber.map" ++endif + + dtest: $(XLIBS) dtest.o + $(LTLINK) -o $@ dtest.o $(LIBS) +--- /dev/null ++++ b/libraries/liblber/liblber.map +@@ -0,0 +1,8 @@ ++OPENLDAP_2.4_2 { ++ global: ++ ber_*; ++ der_alloc; ++ lutil_*; ++ local: ++ *; ++}; diff --git a/debian/patches/man-slapd b/debian/patches/man-slapd new file mode 100644 index 0000000..5f55137 --- /dev/null +++ b/debian/patches/man-slapd @@ -0,0 +1,60 @@ +Patch the slapd man page to not refer to a header file that isn't +installed with the slapd package and to reference the correct path +for slapd. + +Debian-specific. + +--- a/doc/man/man8/slapd.8 ++++ b/doc/man/man8/slapd.8 +@@ -5,7 +5,7 @@ + .SH NAME + slapd \- Stand-alone LDAP Daemon + .SH SYNOPSIS +-.B LIBEXECDIR/slapd ++.B /usr/sbin/slapd + [\c + .BR \-4 | \-6 ] + [\c +@@ -103,11 +103,10 @@ + will not fork or disassociate from the invoking terminal. Some general + operation and status messages are printed for any value of \fIdebug-level\fP. + \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a +-different kind of debugging information. See for details. +-Comma-separated arrays of friendly names can be specified to select +-debugging output of the corresponding debugging information. +-All the names recognized by the \fIloglevel\fP directive +-described in \fBslapd.conf\fP(5) are supported. ++different kind of debugging information. Comma-separated arrays of friendly ++names can be specified to select debugging output of the corresponding ++debugging information. All the names recognized by the \fIloglevel\fP ++directive described in \fBslapd.conf\fP(5) are supported. + If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed, + and slapd exits. + +@@ -317,7 +316,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd ++ /usr/sbin/slapd + .ft + .fi + .LP +@@ -328,7 +327,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255 ++ /usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255 + .ft + .fi + .LP +@@ -336,7 +335,7 @@ + .LP + .nf + .ft tt +- LIBEXECDIR/slapd \-Tt ++ /usr/sbin/slapd \-Tt + .ft + .fi + .LP diff --git a/debian/patches/no-bdb-ABI-second-guessing b/debian/patches/no-bdb-ABI-second-guessing new file mode 100644 index 0000000..db76aa7 --- /dev/null +++ b/debian/patches/no-bdb-ABI-second-guessing @@ -0,0 +1,42 @@ +Author: Steve Langasek +Description: don't second-guess BDB ABI + OpenLDAP upstream conservatively assumes that any change to the version + number of libdb can result in an API-breaking change that could impact + the database. In Debian, we know that such changes require bumping the + library soname and changing the package name, and demand such rigor from + our package maintainers even when upstreams don't deliver; so any such + check in the source code works against the packaging system by forcing + database upgrades when we know none are required. Disable this check + so we rely on the packaging system to do its job. +Bug-Debian: http://bugs.debian.org/651333 +Forwarded: not-needed + +--- a/servers/slapd/back-bdb/init.c ++++ b/servers/slapd/back-bdb/init.c +@@ -762,7 +762,7 @@ bdb_back_initialize( + bi->bi_controls = controls; + + { /* version check */ +- int major, minor, patch, ver; ++ int major, minor, patch; + char *version = db_version( &major, &minor, &patch ); + #ifdef HAVE_EBCDIC + char v2[1024]; +@@ -776,17 +776,6 @@ bdb_back_initialize( + version = v2; + #endif + +- ver = (major << 24) | (minor << 16) | patch; +- if( ver != DB_VERSION_FULL ) { +- /* fail if a versions don't match */ +- Debug( LDAP_DEBUG_ANY, +- LDAP_XSTRING(bdb_back_initialize) ": " +- "BDB library version mismatch:" +- " expected " DB_VERSION_STRING "," +- " got %s\n", version, 0, 0 ); +- return -1; +- } +- + Debug( LDAP_DEBUG_TRACE, LDAP_XSTRING(bdb_back_initialize) + ": %s\n", version, 0, 0 ); + } diff --git a/debian/patches/sasl-default-path b/debian/patches/sasl-default-path new file mode 100644 index 0000000..6d5c7b0 --- /dev/null +++ b/debian/patches/sasl-default-path @@ -0,0 +1,55 @@ +Add /etc/ldap/sasl2 to the SASL configuration search path. + +Not submitted upstream. Somewhat Debian-specific and probably not of +interest upstream. + +--- a/include/ldap_defaults.h ++++ b/include/ldap_defaults.h +@@ -63,4 +63,6 @@ + /* dn of the default "monitor" subentry */ + #define SLAPD_MONITOR_DN "cn=Monitor" + ++#define SASL_CONFIGPATH LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2" ++ + #endif /* _LDAP_CONFIG_H */ +--- a/servers/slapd/sasl.c ++++ b/servers/slapd/sasl.c +@@ -1103,12 +1103,38 @@ static const rewrite_mapper slapd_mapper + }; + #endif + ++static int ++slap_sasl_getconfpath( void * context, char ** path ) ++{ ++ char * sasl_default_configpath; ++ size_t len; ++ ++#if SASL_VERSION_MAJOR >= 2 ++ sasl_default_configpath = "/usr/lib/sasl2"; ++#else ++ sasl_default_configpath = "/usr/lib/sasl"; ++#endif ++ ++ len = strlen(SASL_CONFIGPATH) + 1 /* colon */ + ++ strlen(sasl_default_configpath) + 1 /* \0 */; ++ *path = malloc( len ); ++ if ( *path == NULL ) ++ return SASL_FAIL; ++ ++ if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH, ++ sasl_default_configpath ) != len-1 ) ++ return SASL_FAIL; ++ ++ return SASL_OK; ++} ++ + int slap_sasl_init( void ) + { + #ifdef HAVE_CYRUS_SASL + int rc; + static sasl_callback_t server_callbacks[] = { + { SASL_CB_LOG, (slap_sasl_cb_ft)&slap_sasl_log, NULL }, ++ { SASL_CB_GETCONFPATH, (slap_sasl_cb_ft)&slap_sasl_getconfpath, NULL }, + { SASL_CB_GETOPT, (slap_sasl_cb_ft)&slap_sasl_getopt, NULL }, + { SASL_CB_LIST_END, NULL, NULL } + }; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..6e50b30 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,24 @@ +debian-version +man-slapd +evolution-ntlm +slapi-errorlog-file +ldapi-socket-place +wrong-database-location +index-files-created-as-root +sasl-default-path +libldap-symbol-versions +getaddrinfo-is-threadsafe +do-not-second-guess-sonames +contrib-makefiles +smbk5pwd-makefile-manpage +lastbind-makefile-manpage +ldap-conf-tls-cacertdir +add-tlscacert-option-to-ldap-conf +fix-build-top-mk +switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff +no-bdb-ABI-second-guessing +ITS6035-olcauthzregex-needs-restart.patch +set-maintainer-name +ITS-9086-Add-debug-logging-for-more-GnuTLS-errors.patch +ITS-9454-fix-issuerAndThisUpdateCheck.patch +ITS-9815-slapd-sql-escape-filter-values.patch diff --git a/debian/patches/set-maintainer-name b/debian/patches/set-maintainer-name new file mode 100644 index 0000000..35f8f77 --- /dev/null +++ b/debian/patches/set-maintainer-name @@ -0,0 +1,16 @@ +--- a/build/mkversion ++++ b/build/mkversion +@@ -50,12 +50,7 @@ + fi + + APPLICATION=$1 +-# Reproducible builds set SOURCE_DATE_EPOCH, want constant strings +-if [ -n "${SOURCE_DATE_EPOCH}" ]; then +- WHOWHERE="openldap" +-else +- WHOWHERE="$USER@$(uname -n):$(pwd)" +-fi ++WHOWHERE="${DEB_MAINTAINER:-openldap}" + + cat << __EOF__ + /* This work is part of OpenLDAP Software . diff --git a/debian/patches/slapi-errorlog-file b/debian/patches/slapi-errorlog-file new file mode 100644 index 0000000..4899451 --- /dev/null +++ b/debian/patches/slapi-errorlog-file @@ -0,0 +1,16 @@ +The slapi error log file defaults to /var/errors given our setting +of --localstatedir. Move it to /var/log/slapi-errors instead. + +Debian-specific. + +--- a/servers/slapd/slapi/slapi_overlay.c ++++ b/servers/slapd/slapi/slapi_overlay.c +@@ -930,7 +930,7 @@ int slapi_over_config( BackendDB *be, Co + ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex ); + + if ( slapi_log_file == NULL ) +- slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" ); ++ slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" ); + + rc = slapi_int_init_object_extensions(); + if ( rc != 0 ) diff --git a/debian/patches/smbk5pwd-makefile-manpage b/debian/patches/smbk5pwd-makefile-manpage new file mode 100644 index 0000000..b05cba2 --- /dev/null +++ b/debian/patches/smbk5pwd-makefile-manpage @@ -0,0 +1,251 @@ +From: Peter Marschall +Date: Sun, 26 Jul 2015 15:04:26 +0200 +Subject: [PATCH] contrib/smbk5pwd: add man page, install it too + +Add a manual page slapo-smbk5pwd.5 and update smbk5pwd's Makefile to +install the new manual page. + +This patch is derived from the corresponding patch upstreamed in ITS#8205 + +--- + contrib/slapd-modules/smbk5pwd/Makefile | 14 +- + contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 | 179 ++++++++++++++++++++++++ + 2 files changed, 192 insertions(+), 1 deletion(-) + create mode 100644 contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 + +diff --git a/contrib/slapd-modules/smbk5pwd/Makefile b/contrib/slapd-modules/smbk5pwd/Makefile +index 676d914..0042a49 100644 +--- a/contrib/slapd-modules/smbk5pwd/Makefile ++++ b/contrib/slapd-modules/smbk5pwd/Makefile +@@ -25,6 +25,7 @@ + HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server) + + LIBTOOL = $(LDAP_BUILD)/libtool ++INSTALL = /usr/bin/install + CC = gcc + OPT = -g -O2 -Wall + # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it. +@@ -34,6 +35,7 @@ + LIBS = $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB) + + PROGRAMS = smbk5pwd.la ++MANPAGES = slapo-smbk5pwd.5 + LTVER = 0:0:0 + + prefix=/usr/local +@@ -43,6 +45,8 @@ + libdir=$(exec_prefix)/lib + libexecdir=$(exec_prefix)/libexec + moduledir = $(libexecdir)$(ldap_subdir) ++mandir = $(exec_prefix)/share/man ++man5dir = $(mandir)/man5 + + .SUFFIXES: .c .o .lo + +@@ -58,9 +62,17 @@ + clean: + rm -rf *.o *.lo *.la .libs + +-install: $(PROGRAMS) ++install: install-lib install-man FORCE ++ ++install-lib: $(PROGRAMS) + mkdir -p $(DESTDIR)$(moduledir) + for p in $(PROGRAMS) ; do \ + $(LIBTOOL) --mode=install cp $$p $(DESTDIR)$(moduledir) ; \ + done + ++install-man: $(MANPAGES) ++ mkdir -p $(DESTDIR)$(man5dir) ++ $(INSTALL) -m 644 $(MANPAGES) $(DESTDIR)$(man5dir) ++ ++FORCE: ++ +diff --git a/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 +new file mode 100644 +index 0000000..431a765 +--- /dev/null ++++ b/contrib/slapd-modules/smbk5pwd/slapo-smbk5pwd.5 +@@ -0,0 +1,179 @@ ++.TH SLAPO-SMBK5PWD 5 "RELEASEDATE" "OpenLDAP LDVERSION" ++.\" Copyright 2015 The OpenLDAP Foundation All Rights Reserved. ++.\" Copying restrictions apply. See COPYRIGHT/LICENSE. ++.\" $OpenLDAP$ ++.SH NAME ++slapo-smbk5pwd \- Samba & Kerberos password sync overlay to slapd ++.SH SYNOPSIS ++ETCDIR/slapd.conf ++.RS ++.LP ++include ++.B "/krb5-kdc.schema" ++.LP ++include ++.B "/samba.schema" ++.LP ++moduleload ++.B smbk5pwd.so ++.LP ++ ... ++.LP ++database mdb ++.LP ++ ... ++.LP ++overlay ++.B smbk5pwd ++.RE ++ ++.SH DESCRIPTION ++.LP ++The ++.B smbk5pwd ++overlay to ++.BR slapd (8) ++overloads the Password Modify Extended Operation (RFC 3062) to update ++Kerberos keys and Samba password hashes for an LDAP user, as well as ++updating password change related attributes for Kerberos, Samba and/or ++UNIX user accounts. ++.LP ++The Samba support is written using the Samba 3.0 LDAP schema; ++Kerberos support is written for Heimdal using its hdb-ldap backend. ++.LP ++Additionally, a new ++.B {K5KEY} ++password hash mechanism is provided. ++For ++.B krb5KDCEntry ++objects that have this scheme specifier in their ++.I userPassword ++attribute, Simple Binds will be checked against the Kerberos keys of the entry. ++No data is needed after the ++.B {K5KEY} ++scheme specifier in the ++.IR userPassword , ++it is looked up from the entry directly. ++ ++.SH CONFIGURATION ++The ++.B smbk5pwd ++overlay supports the following ++.B slapd.conf ++configuration options, which should appear after the ++.B overlay ++directive: ++.TP ++.BI smbk5pwd-enable " " ++can be used to enable only the desired modules. ++Legal values for ++.I ++are ++.LP ++.RS ++.TP ++.B krb5 ++If the user has the ++.B krb5KDCEntry ++objectclass, update the ++.B krb5Key ++and ++.B krb5KeyVersionNumber ++attributes using the new password in the Password Modify operation, ++provided the Kerberos account is not expired. ++Exiration is determined by evaluating the ++.B krb5ValidEnd ++attribute. ++.TP ++.B samba ++If the user is a ++.B sambaSamAccount ++object, synchronize the ++.B sambaLMPassword ++and ++.B sambaNTPassword ++to the password entered in the Password Modify operation, and update ++.B sambaPwdLastSet ++accordingly. ++.TP ++.B shadow ++Update the attribute ++.BR shadowLastChange , ++if the entry has the objectclass ++.BR shadowAccount . ++.LP ++By default all modules compiled in are enabled. ++Setting the config statement restricts the enabled modules to the ones ++explicitly mentioned. ++.RE ++.TP ++.BI smbk5pwd-can-change " " ++If the ++.B samba ++module is enabled and the user is a ++.BR sambaSamAccount , ++update the attribute ++.B sambaPwdCanChange ++to point ++.I ++into the future, essentially denying any Samba password change until then. ++A value of ++.B 0 ++disables this feature. ++.TP ++.BI smbk5pwd-must-change " " ++If the ++.B samba ++module is enabled and the user is a ++.BR sambaSamAccount , ++update the attribute ++.B sambaPwdMustChange ++to point ++.I ++into the future, essentially setting the Samba password expiration time. ++A value of ++.B 0 ++disables this feature. ++.LP ++Alternatively, the overlay supports table-driven configuration, ++and thus can be run-time loaded and configured via back-config. ++ ++.SH EXAMPLE ++The layout of a slapd.d based, table-driven configuration entry looks like: ++.LP ++.EX ++ # {0}smbk5pwd, {1}bdb, config ++ dn: olcOverlay={0}smbk5pwd,olcDatabase={1}mdb,cn=config ++ objectClass: olcOverlayConfig ++ objectClass: olcSmbK5PwdConfig ++ olcOverlay: {0}smbk5pwd ++ olcSmbK5PwdEnable: krb5 ++ olcSmbK5PwdEnable: samba ++ olcSmbK5PwdMustChange: 2592000 ++.EE ++.LP ++which enables both ++.B krb5 ++and ++.B samba ++modules with a Samba password expiration time of 30 days (= ++.B 2592000 ++seconds). ++ ++.SH SEE ALSO ++.BR slapd.conf (5), ++.BR ldappasswd (1), ++.BR ldap (3), ++.LP ++"OpenLDAP Administrator's Guide" (http://www.OpenLDAP.org/doc/admin/) ++.LP ++ ++.SH ACKNOWLEDGEMENTS ++This manual page has been writen by Peter Marschall based on the ++module's README file written by Howard Chu. ++.LP ++.B OpenLDAP ++is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). ++.B OpenLDAP ++is derived from University of Michigan LDAP 3.3 Release. ++ +-- +2.5.0 + diff --git a/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff new file mode 100644 index 0000000..f0dd4e1 --- /dev/null +++ b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff @@ -0,0 +1,40 @@ +From: Jan-Marek Glogowski +Date: Tue, 18 May 2010 17:47:05 +0200 +Subject: Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL. + Open all modules with RTLD_GLOBAL, needed so that back_perl can load + non-trivial Perl extensions that require symbols from back_perl.so itself. +Bug-Debian: http://bugs.debian.org/327585 + +--- +--- a/servers/slapd/module.c ++++ b/servers/slapd/module.c +@@ -117,6 +117,20 @@ int module_unload( const char *file_name + return -1; /* not found */ + } + ++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename ) ++{ ++ lt_dlhandle handle = 0; ++ lt_dladvise advise; ++ ++ if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise) ++ && !lt_dladvise_global (&advise)) ++ handle = lt_dlopenadvise (filename, advise); ++ ++ lt_dladvise_destroy (&advise); ++ ++ return handle; ++} ++ + int module_load(const char* file_name, int argc, char *argv[]) + { + module_loaded_t *module; +@@ -180,7 +194,7 @@ int module_load(const char* file_name, i + * to calling Debug. This is because Debug is a macro that expands + * into multiple function calls. + */ +- if ((module->lib = lt_dlopenext(file)) == NULL) { ++ if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) { + error = lt_dlerror(); + #ifdef HAVE_EBCDIC + strcpy( ebuf, error ); diff --git a/debian/patches/wrong-database-location b/debian/patches/wrong-database-location new file mode 100644 index 0000000..25d96cb --- /dev/null +++ b/debian/patches/wrong-database-location @@ -0,0 +1,74 @@ +Move the default slapd database location to /var/lib/ldap instead of +/var/openldap-data. + +Debian-specific. + +--- a/doc/man/man5/slapd-bdb.5 ++++ b/doc/man/man5/slapd-bdb.5 +@@ -131,7 +131,7 @@ Specify the directory where the BDB file + associated indexes live. + A separate directory must be specified for each database. + The default is +-.BR LOCALSTATEDIR/openldap\-data . ++.BR LOCALSTATEDIR/lib/ldap . + .TP + .B dirtyread + Allow reads of modified but not yet committed data. +--- a/doc/man/man5/slapd.conf.5 ++++ b/doc/man/man5/slapd.conf.5 +@@ -2007,7 +2007,7 @@ suffix "dc=our\-domain,dc=com" + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-directory LOCALSTATEDIR/openldap\-data ++directory LOCALSTATEDIR/lib/ldap + # Indices to maintain + index objectClass eq + index cn,sn,mail pres,eq,approx,sub +--- a/include/ldap_defaults.h ++++ b/include/ldap_defaults.h +@@ -47,7 +47,7 @@ + /* location of the default slapd config file */ + #define SLAPD_DEFAULT_CONFIGFILE LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.conf" + #define SLAPD_DEFAULT_CONFIGDIR LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d" +-#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "openldap-data" ++#define SLAPD_DEFAULT_DB_DIR LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap" + #define SLAPD_DEFAULT_DB_MODE 0600 + #define SLAPD_DEFAULT_UCDATA LDAP_DATADIR LDAP_DIRSEP "ucdata" + /* default max deref depth for aliases */ +--- a/servers/slapd/Makefile.in ++++ b/servers/slapd/Makefile.in +@@ -445,9 +445,9 @@ install-conf: FORCE + + install-db-config: FORCE + @-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir) +- @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data ++ @-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ +- $(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example ++ $(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example + $(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \ + $(DESTDIR)$(sysconfdir)/DB_CONFIG.example + +--- a/doc/man/man5/slapd-config.5 ++++ b/doc/man/man5/slapd-config.5 +@@ -2051,7 +2051,7 @@ olcSuffix: "dc=our\-domain,dc=com" + # The database directory MUST exist prior to + # running slapd AND should only be accessible + # by the slapd/tools. Mode 0700 recommended. +-olcDbDirectory: LOCALSTATEDIR/openldap\-data ++olcDbDirectory: LOCALSTATEDIR/lib/ldap + # Indices to maintain + olcDbIndex: objectClass eq + olcDbIndex: cn,sn,mail pres,eq,approx,sub +--- a/doc/man/man5/slapd-mdb.5 ++++ b/doc/man/man5/slapd-mdb.5 +@@ -52,7 +52,7 @@ Specify the directory where the LMDB fil + associated indexes live. + A separate directory must be specified for each database. + The default is +-.BR LOCALSTATEDIR/openldap\-data . ++.BR LOCALSTATEDIR/lib/ldap . + .TP + \fBenvflags \fR{\fBnosync\fR,\fBnometasync\fR,\fBwritemap\fR,\fBmapasync\fR,\fBnordahead\fR} + Specify flags for finer-grained control of the LMDB library's operation. -- cgit v1.2.3