Adding debian version 2.6.7+dfsg-1~exp1.debian/2.6.7+dfsg-1_exp1debian

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

16 files changed, 590 insertions, 0 deletions

diff --git a/debian/patches/add-tlscacert-option-to-ldap-conf b/debian/patches/add-tlscacert-option-to-ldap-conf
new file mode 100644
index 0000000..7512dc1
--- /dev/null
+++ b/debian/patches/add-tlscacert-option-to-ldap-conf
@@ -0,0 +1,12 @@
+Index: openldap/libraries/libldap/ldap.conf
+===================================================================
+--- openldap.orig/libraries/libldap/ldap.conf	2022-05-20 17:36:15.013248293 -0400
++++ openldap/libraries/libldap/ldap.conf	2022-05-20 17:36:15.013248293 -0400
+@@ -11,3 +11,7 @@
+ #SIZELIMIT	12
+ #TIMELIMIT	15
+ #DEREF		never
++
++# TLS certificates (needed for GnuTLS)
++TLS_CACERT	/etc/ssl/certs/ca-certificates.crt
++
diff --git a/debian/patches/contrib-makefiles b/debian/patches/contrib-makefiles
new file mode 100644
index 0000000..b2c8f99
--- /dev/null
+++ b/debian/patches/contrib-makefiles
@@ -0,0 +1,54 @@
+Index: openldap/contrib/slapd-modules/passwd/Makefile
+===================================================================
+--- openldap.orig/contrib/slapd-modules/passwd/Makefile	2024-02-01 16:22:33.496188990 -0500
++++ openldap/contrib/slapd-modules/passwd/Makefile	2024-02-01 16:22:33.496188990 -0500
+@@ -20,7 +20,7 @@
+ LIBS = $($(PLAT)_LIB) $(LDAP_LIB)
+ LD_FLAGS = $(LDFLAGS) $($(PLAT)_LDFLAGS) -rpath $(moduledir) -module
+ 
+-PROGRAMS = pw-kerberos.la pw-netscape.la pw-radius.la pw-apr1.la
++PROGRAMS = pw-netscape.la pw-apr1.la
+ MANPAGES = slapd-pw-radius.5
+ LTVER = 0:0:0
+ 
+Index: openldap/contrib/slapd-modules/passwd/pbkdf2/Makefile
+===================================================================
+--- openldap.orig/contrib/slapd-modules/passwd/pbkdf2/Makefile	2024-02-01 16:22:33.496188990 -0500
++++ openldap/contrib/slapd-modules/passwd/pbkdf2/Makefile	2024-02-01 16:22:33.496188990 -0500
+@@ -18,7 +18,7 @@
+ #DEFS = -DSLAPD_PBKDF2_DEBUG
+ 
+ SSL_INC =
+-SSL_LIB = -lcrypto
++SSL_LIB = -lnettle
+ 
+ INCS = $(LDAP_INC) $(SSL_INC)
+ LIBS = $($(PLAT)_LIB) $(LDAP_LIB) $(SSL_LIB)
+Index: openldap/contrib/slapd-modules/smbk5pwd/Makefile
+===================================================================
+--- openldap.orig/contrib/slapd-modules/smbk5pwd/Makefile	2024-02-01 16:22:33.496188990 -0500
++++ openldap/contrib/slapd-modules/smbk5pwd/Makefile	2024-02-01 16:23:34.552414593 -0500
+@@ -19,10 +19,10 @@
+ 	$(LDAP_BUILD)/libraries/liblber/liblber.la
+ 
+ SSL_INC = 
+-SSL_LIB = -lcrypto
++SSL_LIB = -lnettle
+ 
+-HEIMDAL_INC = -I/usr/heimdal/include
+-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
++HEIMDAL_INC = $(shell krb5-config.heimdal --cflags krb5 kadm-server)
++HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server)
+ 
+ PLAT = UNIX
+ NT_LIB = -L$(LDAP_BUILD)/servers/slapd -lslapd
+@@ -36,7 +36,8 @@
+ # Omit DO_KRB5, DO_SAMBA or DO_SHADOW if you don't want to support it.
+ DEFS = -DDO_KRB5 -DDO_SAMBA -DDO_SHADOW
+ INCS = $(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
+-LIBS = $($(PLAT)_LIB) $(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
++# put /usr/lib/heimdal before /usr/lib in case libkrb5-dev is installed, #745356
++LIBS = $($(PLAT)_LIB) $(HEIMDAL_LIB) $(LDAP_LIB) $(SSL_LIB)
+ LD_FLAGS = $(LDFLAGS) $($(PLAT)_LDFLAGS) -rpath $(moduledir) -module
+ 
+ PROGRAMS = smbk5pwd.la
diff --git a/debian/patches/debian-version b/debian/patches/debian-version
new file mode 100644
index 0000000..0529c3e
--- /dev/null
+++ b/debian/patches/debian-version
@@ -0,0 +1,16 @@
+Description: Replace upstream version with Debian version in version strings
+Forwarded: not-needed
+Author: Ryan Tandy <ryan@nardis.ca>
+Index: openldap/build/version.sh
+===================================================================
+--- openldap.orig/build/version.sh	2022-05-20 17:35:48.989227363 -0400
++++ openldap/build/version.sh	2022-05-20 17:35:48.989227363 -0400
+@@ -36,7 +36,7 @@
+ echo OL_PATCH=$ol_patch
+ echo OL_API_INC=$ol_api_inc
+ echo OL_API_LIB_VERSION=$ol_api_lib_version
+-echo OL_VERSION=$ol_version
++echo OL_VERSION=\"${DEB_VERSION:-$ol_version}\"
+ echo OL_TYPE=$ol_type
+ echo OL_STRING=\"${ol_string}\"
+ echo OL_RELEASE_DATE=\"${ol_release_date}\"
diff --git a/debian/patches/do-not-second-guess-sonames b/debian/patches/do-not-second-guess-sonames
new file mode 100644
index 0000000..a5fb328
--- /dev/null
+++ b/debian/patches/do-not-second-guess-sonames
@@ -0,0 +1,73 @@
+Rip out code that second-guesses the libsasl soname / Debian shlibs.  If
+cyrus sasl upstream is breaking the ABI, this needs to be fixed upstream
+there, not kludged around upstream here!
+
+Debian bug #546885
+
+Upstream ITS #6302 filed.
+
+Index: openldap/libraries/libldap/cyrus.c
+===================================================================
+--- openldap.orig/libraries/libldap/cyrus.c	2022-05-20 17:36:13.661247231 -0400
++++ openldap/libraries/libldap/cyrus.c	2022-05-20 17:36:13.661247231 -0400
+@@ -74,29 +74,6 @@
+  */
+ int ldap_int_sasl_init( void )
+ {
+-#ifdef HAVE_SASL_VERSION
+-	/* stringify the version number, sasl.h doesn't do it for us */
+-#define VSTR0(maj, min, pat)	#maj "." #min "." #pat
+-#define VSTR(maj, min, pat)	VSTR0(maj, min, pat)
+-#define SASL_VERSION_STRING	VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
+-				SASL_VERSION_STEP)
+-	{ int rc;
+-	sasl_version( NULL, &rc );
+-	if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
+-		(rc & 0xffff) < SASL_VERSION_STEP) {
+-		char version[sizeof("xxx.xxx.xxxxx")];
+-		sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
+-			rc & 0xffff );
+-
+-		Debug1( LDAP_DEBUG_ANY,
+-		"ldap_int_sasl_init: SASL library version mismatch:"
+-		" expected " SASL_VERSION_STRING ","
+-		" got %s\n", version );
+-		return -1;
+-	}
+-	}
+-#endif
+-
+ /* SASL 2 takes care of its own memory completely internally */
+ #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC)
+ 	sasl_set_alloc(
+Index: openldap/servers/slapd/sasl.c
+===================================================================
+--- openldap.orig/servers/slapd/sasl.c	2022-05-20 17:36:13.661247231 -0400
++++ openldap/servers/slapd/sasl.c	2022-05-20 17:36:13.661247231 -0400
+@@ -1271,26 +1271,6 @@
+ 	rewrite_mapper_register( &slapd_mapper );
+ 
+ #ifdef HAVE_CYRUS_SASL
+-#ifdef HAVE_SASL_VERSION
+-	/* stringify the version number, sasl.h doesn't do it for us */
+-#define	VSTR0(maj, min, pat)	#maj "." #min "." #pat
+-#define	VSTR(maj, min, pat)	VSTR0(maj, min, pat)
+-#define	SASL_VERSION_STRING	VSTR(SASL_VERSION_MAJOR, SASL_VERSION_MINOR, \
+-				SASL_VERSION_STEP)
+-
+-	sasl_version( NULL, &rc );
+-	if ( ((rc >> 16) != ((SASL_VERSION_MAJOR << 8)|SASL_VERSION_MINOR)) ||
+-		(rc & 0xffff) < SASL_VERSION_STEP)
+-	{
+-		char version[sizeof("xxx.xxx.xxxxx")];
+-		sprintf( version, "%u.%d.%d", (unsigned)rc >> 24, (rc >> 16) & 0xff,
+-			rc & 0xffff );
+-		Debug( LDAP_DEBUG_ANY, "slap_sasl_init: SASL library version mismatch:"
+-			" expected %s, got %s\n",
+-			SASL_VERSION_STRING, version );
+-		return -1;
+-	}
+-#endif
+ 
+ 	sasl_set_mutex(
+ 		ldap_pvt_sasl_mutex_new,
diff --git a/debian/patches/fix-build-top-mk b/debian/patches/fix-build-top-mk
new file mode 100644
index 0000000..5cb469d
--- /dev/null
+++ b/debian/patches/fix-build-top-mk
@@ -0,0 +1,13 @@
+Index: openldap/build/top.mk
+===================================================================
+--- openldap.orig/build/top.mk	2022-05-20 17:36:15.513248684 -0400
++++ openldap/build/top.mk	2022-05-20 17:36:15.509248681 -0400
+@@ -20,7 +20,7 @@
+ RELEASEDATE= @OPENLDAP_RELEASE_DATE@
+ 
+ @SET_MAKE@
+-SHELL = /bin/sh
++SHELL = @SHELL@
+ 
+ top_builddir = @top_builddir@
+ 
diff --git a/debian/patches/getaddrinfo-is-threadsafe b/debian/patches/getaddrinfo-is-threadsafe
new file mode 100644
index 0000000..b79bcbf
--- /dev/null
+++ b/debian/patches/getaddrinfo-is-threadsafe
@@ -0,0 +1,47 @@
+Author: Steve Langasek <vorlon@debian.org>
+
+OpenLDAP upstream conservatively assumes that certain resolver functions
+(getaddrinfo, getnameinfo, res_query, dn_expand) are not re-entrant; but we
+know that the glibc implementations of these functions are thread-safe, so
+we should bypass the use of this mutex.  This fixes a locking problem when
+an application uses libldap and libnss-ldap is also used for hosts
+resolution.
+
+Closes Debian bug #340601.
+
+Not suitable for forwarding upstream; might be made suitable by adding a
+configure-time check for glibc and disabling the mutex only on known
+thread-safe implementations.
+
+Index: openldap/libraries/libldap/os-ip.c
+===================================================================
+--- openldap.orig/libraries/libldap/os-ip.c	2022-05-20 17:36:12.989246703 -0400
++++ openldap/libraries/libldap/os-ip.c	2022-05-20 17:36:12.989246703 -0400
+@@ -645,13 +645,7 @@
+ 	hints.ai_socktype = socktype;
+ 	snprintf(serv, sizeof serv, "%d", port );
+ 
+-	/* most getaddrinfo(3) use non-threadsafe resolver libraries */
+-	LDAP_MUTEX_LOCK(&ldap_int_resolv_mutex);
+-
+ 	err = getaddrinfo( host, serv, &hints, &res );
+-
+-	LDAP_MUTEX_UNLOCK(&ldap_int_resolv_mutex);
+-
+ 	if ( err != 0 ) {
+ 		Debug1(LDAP_DEBUG_TRACE,
+ 			"ldap_connect_to_host: getaddrinfo failed: %s\n",
+Index: openldap/libraries/libldap/util-int.c
+===================================================================
+--- openldap.orig/libraries/libldap/util-int.c	2022-05-20 17:36:12.989246703 -0400
++++ openldap/libraries/libldap/util-int.c	2022-05-20 17:36:12.989246703 -0400
+@@ -559,9 +559,7 @@
+ 	int rc;
+ #if defined( HAVE_GETNAMEINFO )
+ 
+-	LDAP_MUTEX_LOCK( &ldap_int_resolv_mutex );
+ 	rc = getnameinfo( sa, len, name, namelen, NULL, 0, 0 );
+-	LDAP_MUTEX_UNLOCK( &ldap_int_resolv_mutex );
+ 	if ( rc ) *err = (char *)AC_GAI_STRERROR( rc );
+ 	return rc;
+ 
diff --git a/debian/patches/index-files-created-as-root b/debian/patches/index-files-created-as-root
new file mode 100644
index 0000000..432113c
--- /dev/null
+++ b/debian/patches/index-files-created-as-root
@@ -0,0 +1,41 @@
+Document in the man page that slapindex should be run as the same user
+as slapd, and print a warning if it's run as root (since Debian defaults
+to running slapd as openldap).
+
+Not suitable for upstream in this form.  This patch needs to be reworked
+to check the BerkeleyDB database ownership and only warn if running as
+root with a database that's not owned by root.
+
+Upstream ITS #5356 filed requesting better handling of this.  Current
+upstream discussion leans towards putting the check into the database
+backend and aborting if slapd is run as a different user than the database
+owner, which is an even better fix.
+
+Index: openldap/doc/man/man8/slapindex.8
+===================================================================
+--- openldap.orig/doc/man/man8/slapindex.8	2022-05-20 17:36:11.609245615 -0400
++++ openldap/doc/man/man8/slapindex.8	2022-05-20 17:36:11.605245612 -0400
+@@ -148,6 +148,10 @@
+ should not be running (at least, not in read-write
+ mode) when you do this to ensure consistency of the database.
+ .LP
++slapindex ought to be run as the user specified for
++.BR slapd (8)
++to ensure correct database permissions.
++.LP
+ This command provides ample opportunity for the user to obtain
+ and drink their favorite beverage.
+ .SH EXAMPLES
+Index: openldap/servers/slapd/slapindex.c
+===================================================================
+--- openldap.orig/servers/slapd/slapindex.c	2022-05-20 17:36:11.609245615 -0400
++++ openldap/servers/slapd/slapindex.c	2022-05-20 17:36:11.605245612 -0400
+@@ -34,6 +34,8 @@
+ int
+ slapindex( int argc, char **argv )
+ {
++    if (geteuid() == 0)
++        fprintf( stderr, "\nWARNING!\nRunning as root!\nThere's a fair chance slapd will fail to start.\nCheck file permissions!\n\n");
+ 	ID id;
+ 	int rc = EXIT_SUCCESS;
+ 	const char *progname = "slapindex";
diff --git a/debian/patches/ldap-conf-tls-cacertdir b/debian/patches/ldap-conf-tls-cacertdir
new file mode 100644
index 0000000..2b83e56
--- /dev/null
+++ b/debian/patches/ldap-conf-tls-cacertdir
@@ -0,0 +1,29 @@
+Index: openldap/doc/man/man5/ldap.conf.5
+===================================================================
+--- openldap.orig/doc/man/man5/ldap.conf.5	2022-05-20 17:36:14.589247961 -0400
++++ openldap/doc/man/man5/ldap.conf.5	2022-05-20 17:36:14.589247961 -0400
+@@ -408,13 +408,13 @@
+ Specifying a minimum that is higher than that supported by the
+ OpenLDAP implementation will result in it requiring the
+ highest level that it does support.
+-This parameter is ignored with GnuTLS.
++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS.
+ .TP
+ .B TLS_RANDFILE <filename>
+ Specifies the file to obtain random bits from when /dev/[u]random is
+ not available. Generally set to the name of the EGD/PRNGD socket.
+ The environment variable RANDFILE can also be used to specify the filename.
+-This parameter is ignored with GnuTLS.
++This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS.
+ .TP
+ .B TLS_REQCERT <level>
+ Specifies what checks to perform on server certificates in a TLS session.
+@@ -476,7 +476,7 @@
+ used to verify if the server certificates have not been revoked. This
+ requires
+ .B TLS_CACERTDIR
+-parameter to be set. This parameter is ignored with GnuTLS.
++parameter to be set. This parameter is ignored with GnuTLS. On Debian openldap is linked against GnuTLS.
+ .B <level>
+ can be specified as one of the following keywords:
+ .RS
diff --git a/debian/patches/ldapi-socket-place b/debian/patches/ldapi-socket-place
new file mode 100644
index 0000000..1a52eca
--- /dev/null
+++ b/debian/patches/ldapi-socket-place
@@ -0,0 +1,18 @@
+Move the ldapi socket to /var/run/slapd from /var/run, since /var/run
+is only writable by root and slapd runs as openldap.
+
+Debian-specific.
+
+Index: openldap/include/ldap_defaults.h
+===================================================================
+--- openldap.orig/include/ldap_defaults.h	2022-05-20 17:36:09.977244324 -0400
++++ openldap/include/ldap_defaults.h	2022-05-20 17:36:09.973244321 -0400
+@@ -40,7 +40,7 @@
+ 
+ /* default ldapi:// socket */
+ #ifndef LDAPI_SOCK
+-#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "ldapi"
++#define LDAPI_SOCK LDAP_RUNDIR LDAP_DIRSEP "run" LDAP_DIRSEP "slapd" LDAP_DIRSEP "ldapi"
+ #endif
+ 
+ /*
diff --git a/debian/patches/man-slapd b/debian/patches/man-slapd
new file mode 100644
index 0000000..aec9515
--- /dev/null
+++ b/debian/patches/man-slapd
@@ -0,0 +1,62 @@
+Patch the slapd man page to not refer to a header file that isn't
+installed with the slapd package and to reference the correct path
+for slapd.
+
+Debian-specific.
+
+Index: openldap/doc/man/man8/slapd.8
+===================================================================
+--- openldap.orig/doc/man/man8/slapd.8	2022-05-20 17:36:07.977242738 -0400
++++ openldap/doc/man/man8/slapd.8	2022-05-20 17:36:07.973242735 -0400
+@@ -5,7 +5,7 @@
+ .SH NAME
+ slapd \- Stand-alone LDAP Daemon
+ .SH SYNOPSIS
+-.B LIBEXECDIR/slapd 
++.B /usr/sbin/slapd 
+ [\c
+ .BR \-V [ V [ V ]]
+ [\c
+@@ -110,11 +110,10 @@
+ will not fork or disassociate from the invoking terminal.  Some general
+ operation and status messages are printed for any value of \fIdebug-level\fP.
+ \fIdebug-level\fP is taken as a bit string, with each bit corresponding to a
+-different kind of debugging information.  See <ldap_log.h> for details.
+-Comma-separated arrays of friendly names can be specified to select
+-debugging output of the corresponding debugging information.
+-All the names recognized by the \fIloglevel\fP directive 
+-described in \fBslapd.conf\fP(5) are supported.
++different kind of debugging information.  Comma-separated arrays of friendly
++names can be specified to select debugging output of the corresponding
++debugging information.  All the names recognized by the \fIloglevel\fP
++directive described in \fBslapd.conf\fP(5) are supported.
+ If \fIdebug-level\fP is \fB?\fP, a list of installed debug-levels is printed,
+ and slapd exits.
+ 
+@@ -332,7 +331,7 @@
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd
++	/usr/sbin/slapd
+ .ft
+ .fi
+ .LP
+@@ -343,7 +342,7 @@
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-f /var/tmp/slapd.conf \-d 255
++	/usr/sbin/slapd \-f /var/tmp/slapd.conf \-d 255
+ .ft
+ .fi
+ .LP
+@@ -351,7 +350,7 @@
+ .LP
+ .nf
+ .ft tt
+-	LIBEXECDIR/slapd \-Tt
++	/usr/sbin/slapd \-Tt
+ .ft
+ .fi
+ .LP
diff --git a/debian/patches/sasl-default-path b/debian/patches/sasl-default-path
new file mode 100644
index 0000000..aced4e5
--- /dev/null
+++ b/debian/patches/sasl-default-path
@@ -0,0 +1,59 @@
+Add /etc/ldap/sasl2 to the SASL configuration search path.
+
+Not submitted upstream.  Somewhat Debian-specific and probably not of
+interest upstream.
+
+Index: openldap/include/ldap_defaults.h
+===================================================================
+--- openldap.orig/include/ldap_defaults.h	2022-05-20 17:36:12.337246188 -0400
++++ openldap/include/ldap_defaults.h	2022-05-20 17:36:12.333246185 -0400
+@@ -75,4 +75,6 @@
+  */
+ #define LLOADD_DEFAULT_CONFIGFILE	LDAP_SYSCONFDIR LDAP_DIRSEP "lloadd.conf"
+ 
++#define SASL_CONFIGPATH                        LDAP_SYSCONFDIR LDAP_DIRSEP "sasl2"
++
+ #endif /* _LDAP_CONFIG_H */
+Index: openldap/servers/slapd/sasl.c
+===================================================================
+--- openldap.orig/servers/slapd/sasl.c	2022-05-20 17:36:12.337246188 -0400
++++ openldap/servers/slapd/sasl.c	2022-05-20 17:36:12.333246185 -0400
+@@ -1231,12 +1231,38 @@
+ 	slapd_rw_destroy
+ };
+ 
++static int
++slap_sasl_getconfpath( void * context, char ** path )
++{
++	char * sasl_default_configpath;
++	size_t len;
++
++#if SASL_VERSION_MAJOR >= 2
++	sasl_default_configpath = "/usr/lib/sasl2";
++#else
++	sasl_default_configpath = "/usr/lib/sasl";
++#endif
++
++	len = strlen(SASL_CONFIGPATH) + 1 /* colon */ +
++		strlen(sasl_default_configpath) + 1 /* \0 */;
++	*path = malloc( len );
++	if ( *path == NULL )
++		return SASL_FAIL;
++
++	if (snprintf( *path, len, "%s:%s", SASL_CONFIGPATH,
++				sasl_default_configpath ) != len-1 )
++		return SASL_FAIL;
++
++	return SASL_OK;
++}
++
+ int slap_sasl_init( void )
+ {
+ #ifdef HAVE_CYRUS_SASL
+ 	int rc;
+ 	static sasl_callback_t server_callbacks[] = {
+ 		{ SASL_CB_LOG, (slap_sasl_cb_ft)&slap_sasl_log, NULL },
++		{ SASL_CB_GETCONFPATH, (slap_sasl_cb_ft)&slap_sasl_getconfpath, NULL },
+ 		{ SASL_CB_GETOPT, (slap_sasl_cb_ft)&slap_sasl_getopt, NULL },
+ 		{ SASL_CB_LIST_END, NULL, NULL }
+ 	};
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..a8d57cb
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,15 @@
+debian-version
+man-slapd 
+slapi-errorlog-file 
+ldapi-socket-place 
+wrong-database-location 
+index-files-created-as-root 
+sasl-default-path 
+getaddrinfo-is-threadsafe
+do-not-second-guess-sonames
+contrib-makefiles
+ldap-conf-tls-cacertdir
+add-tlscacert-option-to-ldap-conf
+fix-build-top-mk
+switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
+set-maintainer-name
diff --git a/debian/patches/set-maintainer-name b/debian/patches/set-maintainer-name
new file mode 100644
index 0000000..b537e4e
--- /dev/null
+++ b/debian/patches/set-maintainer-name
@@ -0,0 +1,18 @@
+Index: openldap/build/mkversion
+===================================================================
+--- openldap.orig/build/mkversion	2022-05-20 17:36:16.721249629 -0400
++++ openldap/build/mkversion	2022-05-20 17:36:16.717249626 -0400
+@@ -50,12 +50,7 @@
+ fi
+ 
+ APPLICATION=$1
+-# Reproducible builds set SOURCE_DATE_EPOCH, want constant strings
+-if [ -n "${SOURCE_DATE_EPOCH}" ]; then
+-   WHOWHERE="openldap"
+-else
+-   WHOWHERE="$USER@$(uname -n):$(pwd)"
+-fi
++WHOWHERE="${DEB_MAINTAINER:-openldap}"
+ 
+ cat << __EOF__
+ /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
diff --git a/debian/patches/slapi-errorlog-file b/debian/patches/slapi-errorlog-file
new file mode 100644
index 0000000..f538c10
--- /dev/null
+++ b/debian/patches/slapi-errorlog-file
@@ -0,0 +1,18 @@
+The slapi error log file defaults to /var/errors given our setting
+of --localstatedir.  Move it to /var/log/slapi-errors instead.
+
+Debian-specific.
+
+Index: openldap/servers/slapd/slapi/slapi_overlay.c
+===================================================================
+--- openldap.orig/servers/slapd/slapi/slapi_overlay.c	2022-05-20 17:36:09.141243662 -0400
++++ openldap/servers/slapd/slapi/slapi_overlay.c	2022-05-20 17:36:09.141243662 -0400
+@@ -933,7 +933,7 @@
+ 		ldap_pvt_thread_mutex_init( &slapi_printmessage_mutex );
+ 
+ 		if ( slapi_log_file == NULL )
+-			slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "errors" );
++			slapi_log_file = slapi_ch_strdup( LDAP_RUNDIR LDAP_DIRSEP "log" LDAP_DIRSEP "slapi-errors" );
+ 
+ 		rc = slapi_int_init_object_extensions();
+ 		if ( rc != 0 )
diff --git a/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
new file mode 100644
index 0000000..17b448a
--- /dev/null
+++ b/debian/patches/switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
@@ -0,0 +1,42 @@
+From: Jan-Marek Glogowski <jan-marek.glogowski@muenchen.de>

+Date: Tue, 18 May 2010 17:47:05 +0200

+Subject: Switch to lt_dlopenadvise() so back_perl can be opened with RTLD_GLOBAL.    

+ Open all modules with RTLD_GLOBAL, needed so that back_perl can load

+ non-trivial Perl extensions that require symbols from back_perl.so itself.

+Bug-Debian: http://bugs.debian.org/327585

+

+---

+Index: openldap/servers/slapd/module.c
+===================================================================
+--- openldap.orig/servers/slapd/module.c	2022-05-20 17:36:16.057249110 -0400
++++ openldap/servers/slapd/module.c	2022-05-20 17:36:16.053249107 -0400
+@@ -117,6 +117,20 @@
+ 	return -1;	/* not found */
+ }
+ 
++static lt_dlhandle slapd_lt_dlopenext_global( const char *filename )
++{
++	lt_dlhandle handle = 0;
++	lt_dladvise advise;
++
++	if (!lt_dladvise_init (&advise) && !lt_dladvise_ext (&advise)
++			&& !lt_dladvise_global (&advise))
++		handle = lt_dlopenadvise (filename, advise);
++
++	lt_dladvise_destroy (&advise);
++
++	return handle;
++}
++
+ int module_load(const char* file_name, int argc, char *argv[])
+ {
+ 	module_loaded_t *module;
+@@ -179,7 +193,7 @@
+ 	 * to calling Debug. This is because Debug is a macro that expands
+ 	 * into multiple function calls.
+ 	 */
+-	if ((module->lib = lt_dlopenext(file)) == NULL) {
++	if ((module->lib = slapd_lt_dlopenext_global(file)) == NULL) {
+ 		error = lt_dlerror();
+ #ifdef HAVE_EBCDIC
+ 		strcpy( ebuf, error );
diff --git a/debian/patches/wrong-database-location b/debian/patches/wrong-database-location
new file mode 100644
index 0000000..3900a0e
--- /dev/null
+++ b/debian/patches/wrong-database-location
@@ -0,0 +1,73 @@
+Move the default slapd database location to /var/lib/ldap instead of
+/var/openldap-data.
+
+Debian-specific.
+
+Index: openldap/doc/man/man5/slapd.conf.5
+===================================================================
+--- openldap.orig/doc/man/man5/slapd.conf.5	2022-05-20 17:36:10.817244990 -0400
++++ openldap/doc/man/man5/slapd.conf.5	2022-05-20 17:36:10.813244986 -0400
+@@ -2122,7 +2122,7 @@
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-directory LOCALSTATEDIR/openldap\-data
++directory LOCALSTATEDIR/lib/ldap
+ # Indices to maintain
+ index     objectClass  eq
+ index     cn,sn,mail   pres,eq,approx,sub
+Index: openldap/include/ldap_defaults.h
+===================================================================
+--- openldap.orig/include/ldap_defaults.h	2022-05-20 17:36:10.817244990 -0400
++++ openldap/include/ldap_defaults.h	2022-05-20 17:36:10.813244986 -0400
+@@ -54,7 +54,7 @@
+ #define SLAPD_DEFAULT_CONFIGDIR		LDAP_SYSCONFDIR LDAP_DIRSEP "slapd.d"
+ #endif
+ #ifndef SLAPD_DEFAULT_DB_DIR
+-#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "openldap-data"
++#define SLAPD_DEFAULT_DB_DIR		LDAP_RUNDIR LDAP_DIRSEP "lib" LDAP_DIRSEP "ldap"
+ #endif
+ #define SLAPD_DEFAULT_DB_MODE		0600
+ 	/* default max deref depth for aliases */
+Index: openldap/servers/slapd/Makefile.in
+===================================================================
+--- openldap.orig/servers/slapd/Makefile.in	2022-05-20 17:36:10.817244990 -0400
++++ openldap/servers/slapd/Makefile.in	2022-05-20 17:36:10.813244986 -0400
+@@ -452,9 +452,9 @@
+ 
+ install-db-config: FORCE
+ 	@-$(MKDIR) $(DESTDIR)$(localstatedir) $(DESTDIR)$(sysconfdir)
+-	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-data
++	@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/lib/ldap
+ 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+-		$(DESTDIR)$(localstatedir)/openldap-data/DB_CONFIG.example
++		$(DESTDIR)$(localstatedir)/lib/ldap/DB_CONFIG.example
+ 	$(INSTALL) $(INSTALLFLAGS) -m 600 $(srcdir)/DB_CONFIG \
+ 		$(DESTDIR)$(sysconfdir)/DB_CONFIG.example
+ 
+Index: openldap/doc/man/man5/slapd-config.5
+===================================================================
+--- openldap.orig/doc/man/man5/slapd-config.5	2022-05-20 17:36:10.817244990 -0400
++++ openldap/doc/man/man5/slapd-config.5	2022-05-20 17:36:10.813244986 -0400
+@@ -2233,7 +2233,7 @@
+ # The database directory MUST exist prior to
+ # running slapd AND should only be accessible
+ # by the slapd/tools. Mode 0700 recommended.
+-olcDbDirectory: LOCALSTATEDIR/openldap\-data
++olcDbDirectory: LOCALSTATEDIR/lib/ldap
+ # Indices to maintain
+ olcDbIndex:     objectClass  eq
+ olcDbIndex:     cn,sn,mail   pres,eq,approx,sub
+Index: openldap/doc/man/man5/slapd-mdb.5
+===================================================================
+--- openldap.orig/doc/man/man5/slapd-mdb.5	2022-05-20 17:36:10.817244990 -0400
++++ openldap/doc/man/man5/slapd-mdb.5	2022-05-20 17:36:10.813244986 -0400
+@@ -63,7 +63,7 @@
+ associated indexes live.
+ A separate directory must be specified for each database.
+ The default is
+-.BR LOCALSTATEDIR/openldap\-data .
++.BR LOCALSTATEDIR/lib/ldap .
+ .TP
+ \fBenvflags \fR{\fBnosync\fR,\fBnometasync\fR,\fBwritemap\fR,\fBmapasync\fR,\fBnordahead\fR}
+ Specify flags for finer-grained control of the LMDB library's operation.